1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) The Exim Maintainers 2020 - 2022 */
6 /* Copyright (c) University of Cambridge 1995 - 2018 */
7 /* See the file NOTICE for conditions of use and distribution. */
9 /* This module provides TLS (aka SSL) support for Exim. The code for OpenSSL is
10 based on a patch that was originally contributed by Steve Haslam. It was
11 adapted from stunnel, a GPL program by Michal Trojnara. The code for GNU TLS is
12 based on a patch contributed by Nikos Mavrogiannopoulos. Because these packages
13 are so very different, the functions for each are kept in separate files. The
14 relevant file is #included as required, after any any common functions.
16 No cryptographic code is included in Exim. All this module does is to call
17 functions from the OpenSSL or GNU TLS libraries. */
21 #include "transports/smtp.h"
23 #if !defined(DISABLE_TLS) && !defined(USE_OPENSSL) && !defined(USE_GNUTLS)
24 # error One of USE_OPENSSL or USE_GNUTLS must be defined for a TLS build
29 static void tls_client_resmption_key(tls_support *, smtp_connect_args *,
30 smtp_transport_options_block *);
33 #if defined(MACRO_PREDEF) && !defined(DISABLE_TLS)
34 # include "macro_predef.h"
38 # include "tls-openssl.c"
44 static void tls_per_lib_daemon_init(void);
45 static void tls_per_lib_daemon_tick(void);
46 static unsigned tls_server_creds_init(void);
47 static void tls_server_creds_invalidate(void);
48 static void tls_client_creds_init(transport_instance *, BOOL);
49 static void tls_client_creds_invalidate(transport_instance *);
50 static void tls_daemon_creds_reload(void);
51 static BOOL opt_set_and_noexpand(const uschar *);
52 static BOOL opt_unset_or_noexpand(const uschar *);
56 /* This module is compiled only when it is specifically requested in the
57 build-time configuration. However, some compilers don't like compiling empty
58 modules, so keep them happy with a dummy when skipping the rest. Make it
59 reference itself to stop picky compilers complaining that it is unused, and put
60 in a dummy argument to stop even pickier compilers complaining about infinite
64 static void dummy(int x) { dummy(x-1); }
65 #else /* most of the rest of the file */
67 const exim_tlslib_state null_tls_preload = {0};
69 /* Static variables that are used for buffering data by both sets of
70 functions and the common functions below.
72 We're moving away from this; GnuTLS is already using a state, which
73 can switch, so we can do TLS callouts during ACLs. */
75 static const int ssl_xfer_buffer_size = 4096;
77 static uschar *ssl_xfer_buffer = NULL;
78 static int ssl_xfer_buffer_lwm = 0;
79 static int ssl_xfer_buffer_hwm = 0;
80 static int ssl_xfer_eof = FALSE;
81 static BOOL ssl_xfer_error = FALSE;
84 #ifdef EXIM_HAVE_KEVENT
85 # define KEV_SIZE 16 /* Eight file,dir pairs */
86 static struct kevent kev[KEV_SIZE];
87 static int kev_used = 0;
90 static unsigned tls_creds_expire = 0;
92 /*************************************************
93 * Expand string; give error on failure *
94 *************************************************/
96 /* If expansion is forced to fail, set the result NULL and return TRUE.
97 Other failures return FALSE. For a server, an SMTP response is given.
100 s the string to expand; if NULL just return TRUE
101 name name of string being expanded (for error)
102 result where to put the result
104 Returns: TRUE if OK; result may still be NULL after forced failure
108 expand_check(const uschar *s, const uschar *name, uschar **result, uschar ** errstr)
112 else if ( !(*result = expand_string(US s)) /* need to clean up const more */
113 && !f.expand_string_forcedfail
116 *errstr = US"Internal error";
117 log_write(0, LOG_MAIN|LOG_PANIC, "expansion of %s failed: %s", name,
118 expand_string_message);
125 #if defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT)
126 /* Add the directory for a filename to the inotify handle, creating that if
127 needed. This is enough to see changes to files in that dir.
128 Return boolean success.
130 The word "system" fails, which is on the safe side as we don't know what
131 directory it implies nor if the TLS library handles a watch for us.
133 The string "system,cache" is recognised and explicitly accepted without
134 setting a watch. This permits the system CA bundle to be cached even though
135 we have no way to tell when it gets modified by an update.
136 The call chain for OpenSSL uses a (undocumented) call into the library
137 to discover the actual file. We don't know what GnuTLS uses.
139 A full set of caching including the CAs takes 35ms output off of the
140 server tls_init() (GnuTLS, Fedora 32, 2018-class x86_64 laptop hardware).
143 tls_set_one_watch(const uschar * filename)
144 # ifdef EXIM_HAVE_INOTIFY
148 if (Ustrcmp(filename, "system,cache") == 0) return TRUE;
150 if (!(s = Ustrrchr(filename, '/'))) return FALSE;
151 s = string_copyn(filename, s - filename); /* mem released by tls_set_watch */
152 DEBUG(D_tls) debug_printf("watch dir '%s'\n", s);
154 /*XXX unclear what effect symlinked files will have for inotify */
156 if (inotify_add_watch(tls_watch_fd, CCS s,
157 IN_ONESHOT | IN_CLOSE_WRITE | IN_DELETE | IN_DELETE_SELF
158 | IN_MOVED_FROM | IN_MOVED_TO | IN_MOVE_SELF) >= 0)
160 DEBUG(D_tls) debug_printf("notify_add_watch: %s\n", strerror(errno));
164 # ifdef EXIM_HAVE_KEVENT
167 int fd1, fd2, i, j, cnt = 0;
170 struct kevent k_dummy;
171 struct timespec ts = {0};
175 if (Ustrcmp(filename, "system,cache") == 0) return TRUE;
179 if (kev_used > KEV_SIZE-2) { s = US"out of kev space"; goto bad; }
180 if (!(s = Ustrrchr(filename, '/'))) return FALSE;
181 s = string_copyn(filename, s - filename); /* mem released by tls_set_watch */
183 /* The dir open will fail if there is a symlink on the path. Fine; it's too
184 much effort to handle all possible cases; just refuse the preload. */
186 if ((fd2 = open(CCS s, O_RDONLY | O_NOFOLLOW)) < 0) { s = US"open dir"; goto bad; }
188 if ((lstat(CCS filename, &sb)) < 0) { s = US"lstat"; goto bad; }
189 if (!S_ISLNK(sb.st_mode))
191 if ((fd1 = open(CCS filename, O_RDONLY | O_NOFOLLOW)) < 0)
192 { s = US"open file"; goto bad; }
193 DEBUG(D_tls) debug_printf("watch file '%s':\t%d\n", filename, fd1);
194 EV_SET(&kev[kev_used++],
197 EV_ADD | EV_ENABLE | EV_ONESHOT,
198 NOTE_DELETE | NOTE_WRITE | NOTE_EXTEND
199 | NOTE_ATTRIB | NOTE_RENAME | NOTE_REVOKE,
204 DEBUG(D_tls) debug_printf("watch dir '%s':\t%d\n", s, fd2);
205 EV_SET(&kev[kev_used++],
208 EV_ADD | EV_ENABLE | EV_ONESHOT,
209 NOTE_DELETE | NOTE_WRITE | NOTE_EXTEND
210 | NOTE_ATTRIB | NOTE_RENAME | NOTE_REVOKE,
215 if (!(S_ISLNK(sb.st_mode))) break;
217 t = store_get(1024, GET_UNTAINTED);
218 Ustrncpy(t, s, 1022);
221 if ((i = readlink(CCS filename, (void *)(t+j), 1023-j)) < 0) { s = US"readlink"; goto bad; }
224 store_release_above(t+1);
228 if (kevent(tls_watch_fd, &kev[kev_used-cnt], cnt, &k_dummy, 1, &ts) >= 0)
231 if (kevent(tls_watch_fd, &kev[kev_used-cnt], cnt, NULL, 0, NULL) >= 0)
239 debug_printf("%s: %s: %s\n", __FUNCTION__, s, strerror(errno));
241 debug_printf("%s: %s\n", __FUNCTION__, s);
244 # endif /*EXIM_HAVE_KEVENT*/
247 /* Create an inotify facility if needed.
248 Then set watches on the dir containing the given file or (optionally)
249 list of files. Return boolean success. */
252 tls_set_watch(const uschar * filename, BOOL list)
257 if (!filename || !*filename) return TRUE;
258 if (Ustrncmp(filename, "system", 6) == 0) return TRUE;
260 DEBUG(D_tls) debug_printf("tls_set_watch: '%s'\n", filename);
262 if ( tls_watch_fd < 0
263 # ifdef EXIM_HAVE_INOTIFY
264 && (tls_watch_fd = inotify_init1(O_CLOEXEC)) < 0
266 # ifdef EXIM_HAVE_KEVENT
267 && (tls_watch_fd = kqueue()) < 0
271 DEBUG(D_tls) debug_printf("inotify_init: %s\n", strerror(errno));
280 for (uschar * s; s = string_nextinlist(&filename, &sep, NULL, 0); )
281 if (!(rc = tls_set_one_watch(s))) break;
284 rc = tls_set_one_watch(filename);
287 if (!rc) DEBUG(D_tls) debug_printf("tls_set_watch() fail on '%s': %s\n", filename, strerror(errno));
293 tls_watch_discard_event(int fd)
295 #ifdef EXIM_HAVE_INOTIFY
296 (void) read(fd, big_buffer, big_buffer_size);
298 #ifdef EXIM_HAVE_KEVENT
300 struct timespec t = {0};
301 (void) kevent(fd, NULL, 0, &kev, 1, &t);
304 #endif /*EXIM_HAVE_INOTIFY*/
308 tls_client_creds_reload(BOOL watch)
310 for(transport_instance * t = transports; t; t = t->next)
311 if (Ustrcmp(t->driver_name, "smtp") == 0)
313 tls_client_creds_invalidate(t);
314 tls_client_creds_init(t, watch);
320 tls_watch_invalidate(void)
322 if (tls_watch_fd < 0) return;
324 #ifdef EXIM_HAVE_KEVENT
325 /* Close the files we had open for kevent */
326 for (int i = 0; i < kev_used; i++)
328 DEBUG(D_tls) debug_printf("closing watch fd: %d\n", (int) kev[i].ident);
329 (void) close((int) kev[i].ident);
330 kev[i].ident = (uintptr_t)-1;
341 tls_daemon_creds_reload(void)
345 #ifdef EXIM_HAVE_KEVENT
346 tls_watch_invalidate();
349 tls_server_creds_invalidate();
350 tls_creds_expire = (lifetime = tls_server_creds_init())
351 ? time(NULL) + lifetime : 0;
353 tls_client_creds_reload(TRUE);
357 /* Utility predicates for use by the per-library code */
359 opt_set_and_noexpand(const uschar * opt)
360 { return opt && *opt && Ustrchr(opt, '$') == NULL; }
363 opt_unset_or_noexpand(const uschar * opt)
364 { return !opt || Ustrchr(opt, '$') == NULL; }
368 /* Called every time round the daemon loop.
370 If we reloaded fd-watcher, return the old watch fd
371 having modified the global for the new one. Otherwise
376 tls_daemon_tick(void)
378 int old_watch_fd = tls_watch_fd;
380 tls_per_lib_daemon_tick();
381 #if defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT)
382 if (tls_creds_expire && time(NULL) >= tls_creds_expire)
384 /* The server cert is a selfsign, with limited lifetime. Dump it and
385 generate a new one. Reload the rest of the creds also as the machinery
388 DEBUG(D_tls) debug_printf("selfsign cert rotate\n");
389 tls_creds_expire = 0;
390 tls_daemon_creds_reload();
393 else if (tls_watch_trigger_time && time(NULL) >= tls_watch_trigger_time + 5)
395 /* Called, after a delay for multiple file ops to get done, from
396 the daemon when any of the watches added (above) fire.
397 Dump the set of watches and arrange to reload cached creds (which
398 will set up new watches). */
400 DEBUG(D_tls) debug_printf("watch triggered\n");
401 tls_watch_trigger_time = tls_creds_expire = 0;
402 tls_daemon_creds_reload();
409 /* Called once at daemon startup */
412 tls_daemon_init(void)
414 tls_per_lib_daemon_init();
418 /*************************************************
419 * Timezone environment flipping *
420 *************************************************/
425 uschar * old = US getenv("TZ");
426 (void) setenv("TZ", CCS tz, 1);
432 restore_tz(uschar * tz)
435 (void) setenv("TZ", CCS tz, 1);
437 (void) os_unsetenv(US"TZ");
441 /*************************************************
442 * Many functions are package-specific *
443 *************************************************/
446 # include "tls-gnu.c"
447 # include "tlscert-gnu.c"
448 # define ssl_xfer_buffer (state_server.xfer_buffer)
449 # define ssl_xfer_buffer_lwm (state_server.xfer_buffer_lwm)
450 # define ssl_xfer_buffer_hwm (state_server.xfer_buffer_hwm)
451 # define ssl_xfer_eof (state_server.xfer_eof)
452 # define ssl_xfer_error (state_server.xfer_error)
456 # include "tls-openssl.c"
457 # include "tlscert-openssl.c"
462 /*************************************************
463 * TLS version of ungetc *
464 *************************************************/
466 /* Puts a character back in the input buffer. Only ever
468 Only used by the server-side TLS.
473 Returns: the character
479 if (ssl_xfer_buffer_lwm <= 0)
480 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "buffer underflow in tls_ungetc");
482 ssl_xfer_buffer[--ssl_xfer_buffer_lwm] = ch;
488 /*************************************************
489 * TLS version of feof *
490 *************************************************/
492 /* Tests for a previous EOF
493 Only used by the server-side TLS.
496 Returns: non-zero if the eof flag is set
502 return (int)ssl_xfer_eof;
507 /*************************************************
508 * TLS version of ferror *
509 *************************************************/
511 /* Tests for a previous read error, and returns with errno
512 restored to what it was when the error was detected.
513 Only used by the server-side TLS.
515 >>>>> Hmm. Errno not handled yet. Where do we get it from? >>>>>
518 Returns: non-zero if the error flag is set
524 return (int)ssl_xfer_error;
528 /*************************************************
529 * TLS version of smtp_buffered *
530 *************************************************/
532 /* Tests for unused chars in the TLS input buffer.
533 Only used by the server-side TLS.
540 tls_smtp_buffered(void)
542 return ssl_xfer_buffer_lwm < ssl_xfer_buffer_hwm;
546 #endif /*DISABLE_TLS*/
549 tls_modify_variables(tls_support * dest_tsp)
551 modify_variable(US"tls_bits", &dest_tsp->bits);
552 modify_variable(US"tls_certificate_verified", &dest_tsp->certificate_verified);
553 modify_variable(US"tls_cipher", &dest_tsp->cipher);
554 modify_variable(US"tls_peerdn", &dest_tsp->peerdn);
556 modify_variable(US"tls_sni", &dest_tsp->sni);
562 /************************************************
563 * TLS certificate name operations *
564 ************************************************/
566 /* Convert an rfc4514 DN to an exim comma-sep list.
567 Backslashed commas need to be replaced by doublecomma
568 for Exim's list quoting. We modify the given string
573 dn_to_list(uschar * dn)
575 for (uschar * cp = dn; *cp; cp++)
576 if (cp[0] == '\\' && cp[1] == ',')
581 /* Extract fields of a given type from an RFC4514-
582 format Distinguished Name. Return an Exim list.
583 NOTE: We modify the supplied dn string during operation.
586 dn Distinguished Name string
587 mod list containing optional output list-sep and
588 field selector match, comma-separated
590 allocated string with list of matching fields,
595 tls_field_from_dn(uschar * dn, const uschar * mod)
598 uschar outsep = '\n';
600 uschar * match = NULL;
602 gstring * list = NULL;
604 while ((ele = string_nextinlist(&mod, &insep, NULL, 0)))
606 match = ele; /* field tag to match */
608 outsep = ele[1]; /* nondefault output separator */
612 len = match ? Ustrlen(match) : -1;
613 while ((ele = string_nextinlist(CUSS &dn, &insep, NULL, 0)))
615 || Ustrncmp(ele, match, len) == 0 && ele[len] == '='
617 list = string_append_listele(list, outsep, ele+len+1);
618 return string_from_gstring(list);
622 /* Compare a domain name with a possibly-wildcarded name. Wildcards
623 are restricted to a single one, as the first element of patterns
624 having at least three dot-separated elements. Case-independent.
625 Return TRUE for a match
628 is_name_match(const uschar * name, const uschar * pat)
631 return *pat == '*' /* possible wildcard match */
632 ? *++pat == '.' /* starts star, dot */
633 && !Ustrchr(++pat, '*') /* has no more stars */
634 && Ustrchr(pat, '.') /* and has another dot. */
635 && (cp = Ustrchr(name, '.'))/* The name has at least one dot */
636 && strcmpic(++cp, pat) == 0 /* and we only compare after it. */
637 : !Ustrchr(pat+1, '*')
638 && strcmpic(name, pat) == 0;
641 /* Compare a list of names with the dnsname elements
642 of the Subject Alternate Name, if any, and the
646 namelist names to compare
654 tls_is_name_for_cert(const uschar * namelist, void * cert)
656 uschar * altnames = tls_cert_subject_altname(cert, US"dns");
662 if ((altnames = tls_cert_subject_altname(cert, US"dns")))
665 while ((cmpname = string_nextinlist(&namelist, &cmp_sep, NULL, 0)))
667 const uschar * an = altnames;
668 while ((certname = string_nextinlist(&an, &alt_sep, NULL, 0)))
669 if (is_name_match(cmpname, certname))
674 else if ((subjdn = tls_cert_subject(cert, NULL)))
679 while ((cmpname = string_nextinlist(&namelist, &cmp_sep, NULL, 0)))
681 const uschar * sn = subjdn;
682 while ((certname = string_nextinlist(&sn, &sn_sep, NULL, 0)))
683 if ( *certname++ == 'C'
684 && *certname++ == 'N'
685 && *certname++ == '='
686 && is_name_match(cmpname, certname)
694 /* Environment cleanup: The GnuTLS library uses SSLKEYLOGFILE in the environment
695 and writes a file by that name. Our OpenSSL code does the same, using keying
696 info from the library API.
697 The GnuTLS support only works if exim is run by root, not taking advantage of
699 You can use either the external environment (modulo the keep_environment config)
700 or the add_environment config option for SSLKEYLOGFILE; the latter takes
703 If the path is absolute, require it starts with the spooldir; otherwise delete
704 the env variable. If relative, prefix the spooldir.
709 uschar * path = US getenv("SSLKEYLOGFILE");
712 unsetenv("SSLKEYLOGFILE");
713 else if (*path != '/')
716 debug_printf("prepending spooldir to env SSLKEYLOGFILE\n");
717 setenv("SSLKEYLOGFILE", CCS string_sprintf("%s/%s", spool_directory, path), 1);
719 else if (Ustrncmp(path, spool_directory, Ustrlen(spool_directory)) != 0)
722 debug_printf("removing env SSLKEYLOGFILE=%s: not under spooldir\n", path);
723 unsetenv("SSLKEYLOGFILE");
727 /*************************************************
728 * Drop privs for checking TLS config *
729 *************************************************/
731 /* We want to validate TLS options during readconf, but do not want to be
732 root when we call into the TLS library, in case of library linkage errors
733 which cause segfaults; before this check, those were always done as the Exim
734 runtime user and it makes sense to continue with that.
736 Assumes: tls_require_ciphers has been set, if it will be
737 exim_user has been set, if it will be
738 exim_group has been set, if it will be
740 Returns: bool for "okay"; false will cause caller to immediately exit.
744 tls_dropprivs_validate_require_cipher(BOOL nowarn)
746 const uschar *errmsg;
749 void (*oldsignal)(int);
751 /* If TLS will never be used, no point checking ciphers */
753 if ( !tls_advertise_hosts
754 || !*tls_advertise_hosts
755 || Ustrcmp(tls_advertise_hosts, ":") == 0
758 else if (!nowarn && !tls_certificate)
759 log_write(0, LOG_MAIN,
760 "Warning: No server certificate defined; will use a selfsigned one.\n"
761 " Suggested action: either install a certificate or change tls_advertise_hosts option");
763 oldsignal = signal(SIGCHLD, SIG_DFL);
766 if ((pid = exim_fork(US"cipher-validate")) < 0)
767 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "fork failed for TLS check");
771 /* in some modes, will have dropped privilege already */
773 exim_setugid(exim_uid, exim_gid, FALSE,
774 US"calling tls_validate_require_cipher");
776 if ((errmsg = tls_validate_require_cipher()))
777 log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
778 "tls_require_ciphers invalid: %s", errmsg);
780 exim_underbar_exit(EXIT_SUCCESS);
784 rc = waitpid(pid, &status, 0);
785 } while (rc < 0 && errno == EINTR);
788 debug_printf("tls_validate_require_cipher child %d ended: status=0x%x\n",
791 signal(SIGCHLD, oldsignal);
800 tls_client_resmption_key(tls_support * tlsp, smtp_connect_args * conn_args,
801 smtp_transport_options_block * ob)
803 hctx * h = &tlsp->resume_hctx;
807 DEBUG(D_tls) if (conn_args->host_lbserver)
808 debug_printf("TLS: lbserver '%s'\n", conn_args->host_lbserver);
810 #ifdef EXIM_HAVE_SHA2
811 exim_sha_init(h, HASH_SHA2_256);
813 exim_sha_init(h, HASH_SHA1);
815 exim_sha_update_string(h, conn_args->host_lbserver);
818 exim_sha_update(h, CUS &conn_args->tlsa_dnsa, sizeof(dns_answer));
820 exim_sha_update_string(h, conn_args->host->address);
821 exim_sha_update(h, CUS &conn_args->host->port, sizeof(conn_args->host->port));
822 exim_sha_update_string(h, conn_args->sending_ip_address);
823 exim_sha_update_string(h, openssl_options);
824 exim_sha_update_string(h, ob->tls_require_ciphers);
825 exim_sha_update_string(h, tlsp->sni);
826 #ifdef EXIM_HAVE_ALPN
827 exim_sha_update_string(h, ob->tls_alpn);
829 exim_sha_finish(h, &b);
830 for (g = string_get(b.len*2+1); b.len-- > 0; )
831 g = string_fmt_append(g, "%02x", *b.data++);
832 tlsp->resume_index = string_from_gstring(g);
833 DEBUG(D_tls) debug_printf("TLS: resume session index %s\n", tlsp->resume_index);
836 #endif /*!DISABLE_TLS*/
837 #endif /*!MACRO_PREDEF*/