1 /*************************************************
2 * Exim - an Internet mail transport agent *
3 *************************************************/
5 /* Copyright (c) The Exim Maintainers 2020 - 2022 */
6 /* Copyright (c) University of Cambridge 1995 - 2018 */
7 /* See the file NOTICE for conditions of use and distribution. */
8 /* SPDX-License-Identifier: GPL-2.0-or-later */
10 /* This module provides TLS (aka SSL) support for Exim. The code for OpenSSL is
11 based on a patch that was originally contributed by Steve Haslam. It was
12 adapted from stunnel, a GPL program by Michal Trojnara. The code for GNU TLS is
13 based on a patch contributed by Nikos Mavrogiannopoulos. Because these packages
14 are so very different, the functions for each are kept in separate files. The
15 relevant file is #included as required, after any any common functions.
17 No cryptographic code is included in Exim. All this module does is to call
18 functions from the OpenSSL or GNU TLS libraries. */
22 #include "transports/smtp.h"
24 #if !defined(DISABLE_TLS) && !defined(USE_OPENSSL) && !defined(USE_GNUTLS)
25 # error One of USE_OPENSSL or USE_GNUTLS must be defined for a TLS build
30 static void tls_client_resmption_key(tls_support *, smtp_connect_args *,
31 smtp_transport_options_block *);
34 #if defined(MACRO_PREDEF) && !defined(DISABLE_TLS)
35 # include "macro_predef.h"
39 # include "tls-openssl.c"
45 static void tls_per_lib_daemon_init(void);
46 static void tls_per_lib_daemon_tick(void);
47 static unsigned tls_server_creds_init(void);
48 static void tls_server_creds_invalidate(void);
49 static void tls_client_creds_init(transport_instance *, BOOL);
50 static void tls_client_creds_invalidate(transport_instance *);
51 static void tls_daemon_creds_reload(void);
52 static BOOL opt_set_and_noexpand(const uschar *);
53 static BOOL opt_unset_or_noexpand(const uschar *);
57 /* This module is compiled only when it is specifically requested in the
58 build-time configuration. However, some compilers don't like compiling empty
59 modules, so keep them happy with a dummy when skipping the rest. Make it
60 reference itself to stop picky compilers complaining that it is unused, and put
61 in a dummy argument to stop even pickier compilers complaining about infinite
65 static void dummy(int x) { dummy(x-1); }
66 #else /* most of the rest of the file */
68 const exim_tlslib_state null_tls_preload = {0};
70 /* Static variables that are used for buffering data by both sets of
71 functions and the common functions below.
73 We're moving away from this; GnuTLS is already using a state, which
74 can switch, so we can do TLS callouts during ACLs. */
76 static const int ssl_xfer_buffer_size = 4096;
78 static uschar *ssl_xfer_buffer = NULL;
79 static int ssl_xfer_buffer_lwm = 0;
80 static int ssl_xfer_buffer_hwm = 0;
81 static int ssl_xfer_eof = FALSE;
82 static BOOL ssl_xfer_error = FALSE;
85 #ifdef EXIM_HAVE_KEVENT
86 # define KEV_SIZE 16 /* Eight file,dir pairs */
87 static struct kevent kev[KEV_SIZE];
88 static int kev_used = 0;
91 static unsigned tls_creds_expire = 0;
93 /*************************************************
94 * Expand string; give error on failure *
95 *************************************************/
97 /* If expansion is forced to fail, set the result NULL and return TRUE.
98 Other failures return FALSE. For a server, an SMTP response is given.
101 s the string to expand; if NULL just return TRUE
102 name name of string being expanded (for error)
103 result where to put the result
105 Returns: TRUE if OK; result may still be NULL after forced failure
109 expand_check(const uschar * s, const uschar * name,
110 uschar ** result, uschar ** errstr)
114 else if ( !(*result = expand_string(US s)) /* need to clean up const more */
115 && !f.expand_string_forcedfail
118 *errstr = US"Internal error";
119 log_write(0, LOG_MAIN|LOG_PANIC, "expansion of %s failed: %s", name,
120 expand_string_message);
127 #if defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT)
128 /* Add the directory for a filename to the inotify handle, creating that if
129 needed. This is enough to see changes to files in that dir.
130 Return boolean success.
132 The word "system" fails, which is on the safe side as we don't know what
133 directory it implies nor if the TLS library handles a watch for us.
135 The string "system,cache" is recognised and explicitly accepted without
136 setting a watch. This permits the system CA bundle to be cached even though
137 we have no way to tell when it gets modified by an update.
138 The call chain for OpenSSL uses a (undocumented) call into the library
139 to discover the actual file. We don't know what GnuTLS uses.
141 A full set of caching including the CAs takes 35ms output off of the
142 server tls_init() (GnuTLS, Fedora 32, 2018-class x86_64 laptop hardware).
145 tls_set_one_watch(const uschar * filename)
146 # ifdef EXIM_HAVE_INOTIFY
148 uschar buf[PATH_MAX];
152 if (Ustrcmp(filename, "system,cache") == 0) return TRUE;
153 if (!(s = Ustrrchr(filename, '/'))) return FALSE;
155 for (unsigned loop = 20;
156 (len = readlink(CCS filename, CS buf, sizeof(buf))) >= 0; )
158 if (--loop == 0) { errno = ELOOP; return FALSE; }
159 filename = buf[0] == '/'
160 ? string_copyn(buf, (unsigned)len) /* mem released by tls_set_watch */
161 : string_sprintf("%.*s/%.*s", (int)(s - filename), filename, (int)len, buf);
162 s = Ustrrchr(filename, '/');
165 return FALSE; /* other error */
168 s = string_copyn(filename, s - filename); /* mem released by tls_set_watch */
170 DEBUG(D_tls) debug_printf("watch dir '%s'\n", s);
172 if (inotify_add_watch(tls_watch_fd, CCS s,
173 IN_ONESHOT | IN_CLOSE_WRITE | IN_DELETE | IN_DELETE_SELF
174 | IN_MOVED_FROM | IN_MOVED_TO | IN_MOVE_SELF) >= 0)
176 DEBUG(D_tls) debug_printf("notify_add_watch: %s\n", strerror(errno));
180 # ifdef EXIM_HAVE_KEVENT
183 int fd1, fd2, i, j, cnt = 0;
186 struct kevent k_dummy;
187 struct timespec ts = {0};
191 if (Ustrcmp(filename, "system,cache") == 0) return TRUE;
195 if (kev_used > KEV_SIZE-2) { s = US"out of kev space"; goto bad; }
196 if (!(s = Ustrrchr(filename, '/'))) return FALSE;
197 s = string_copyn(filename, s - filename); /* mem released by tls_set_watch */
199 /* The dir open will fail if there is a symlink on the path. Fine; it's too
200 much effort to handle all possible cases; just refuse the preload. */
202 if ((fd2 = open(CCS s, O_RDONLY | O_NOFOLLOW)) < 0) { s = US"open dir"; goto bad; }
204 if ((lstat(CCS filename, &sb)) < 0) { s = US"lstat"; goto bad; }
205 if (!S_ISLNK(sb.st_mode))
207 if ((fd1 = open(CCS filename, O_RDONLY | O_NOFOLLOW)) < 0)
208 { s = US"open file"; goto bad; }
209 DEBUG(D_tls) debug_printf("watch file '%s':\t%d\n", filename, fd1);
210 EV_SET(&kev[kev_used++],
213 EV_ADD | EV_ENABLE | EV_ONESHOT,
214 NOTE_DELETE | NOTE_WRITE | NOTE_EXTEND
215 | NOTE_ATTRIB | NOTE_RENAME | NOTE_REVOKE,
220 DEBUG(D_tls) debug_printf("watch dir '%s':\t%d\n", s, fd2);
221 EV_SET(&kev[kev_used++],
224 EV_ADD | EV_ENABLE | EV_ONESHOT,
225 NOTE_DELETE | NOTE_WRITE | NOTE_EXTEND
226 | NOTE_ATTRIB | NOTE_RENAME | NOTE_REVOKE,
231 if (!(S_ISLNK(sb.st_mode))) break;
233 t = store_get(1024, GET_UNTAINTED);
234 Ustrncpy(t, s, 1022);
237 if ((i = readlink(CCS filename, (void *)(t+j), 1023-j)) < 0) { s = US"readlink"; goto bad; }
240 store_release_above(t+1);
244 if (kevent(tls_watch_fd, &kev[kev_used-cnt], cnt, &k_dummy, 1, &ts) >= 0)
247 if (kevent(tls_watch_fd, &kev[kev_used-cnt], cnt, NULL, 0, NULL) >= 0)
255 debug_printf("%s: %s: %s\n", __FUNCTION__, s, strerror(errno));
257 debug_printf("%s: %s\n", __FUNCTION__, s);
260 # endif /*EXIM_HAVE_KEVENT*/
263 /* Create an inotify facility if needed.
264 Then set watches on the dir containing the given file or (optionally)
265 list of files. Return boolean success. */
268 tls_set_watch(const uschar * filename, BOOL list)
273 if (!filename || !*filename) return TRUE;
274 if (Ustrncmp(filename, "system", 6) == 0) return TRUE;
276 DEBUG(D_tls) debug_printf("tls_set_watch: '%s'\n", filename);
278 if ( tls_watch_fd < 0
279 # ifdef EXIM_HAVE_INOTIFY
280 && (tls_watch_fd = inotify_init1(O_CLOEXEC)) < 0
282 # ifdef EXIM_HAVE_KEVENT
283 && (tls_watch_fd = kqueue()) < 0
287 DEBUG(D_tls) debug_printf("inotify_init: %s\n", strerror(errno));
296 for (uschar * s; s = string_nextinlist(&filename, &sep, NULL, 0); )
297 if (!(rc = tls_set_one_watch(s))) break;
300 rc = tls_set_one_watch(filename);
303 if (!rc) DEBUG(D_tls) debug_printf("tls_set_watch() fail on '%s': %s\n", filename, strerror(errno));
309 tls_watch_discard_event(int fd)
311 #ifdef EXIM_HAVE_INOTIFY
312 (void) read(fd, big_buffer, big_buffer_size);
314 #ifdef EXIM_HAVE_KEVENT
316 struct timespec t = {0};
317 (void) kevent(fd, NULL, 0, &kev, 1, &t);
320 #endif /*EXIM_HAVE_INOTIFY*/
324 tls_client_creds_reload(BOOL watch)
326 for(transport_instance * t = transports; t; t = t->next)
327 if (Ustrcmp(t->driver_name, "smtp") == 0)
329 tls_client_creds_invalidate(t);
330 tls_client_creds_init(t, watch);
336 tls_watch_invalidate(void)
338 if (tls_watch_fd < 0) return;
340 #ifdef EXIM_HAVE_KEVENT
341 /* Close the files we had open for kevent */
342 for (int i = 0; i < kev_used; i++)
344 DEBUG(D_tls) debug_printf("closing watch fd: %d\n", (int) kev[i].ident);
345 (void) close((int) kev[i].ident);
346 kev[i].ident = (uintptr_t)-1;
357 tls_daemon_creds_reload(void)
361 #ifdef EXIM_HAVE_KEVENT
362 tls_watch_invalidate();
365 tls_server_creds_invalidate();
367 /* _expire is for a time-limited selfsign server cert */
368 tls_creds_expire = (lifetime = tls_server_creds_init())
369 ? time(NULL) + lifetime : 0;
371 tls_client_creds_reload(TRUE);
375 /* Utility predicates for use by the per-library code */
377 opt_set_and_noexpand(const uschar * opt)
378 { return opt && *opt && Ustrchr(opt, '$') == NULL; }
381 opt_unset_or_noexpand(const uschar * opt)
382 { return !opt || Ustrchr(opt, '$') == NULL; }
386 /* Called every time round the daemon loop.
388 If we reloaded fd-watcher, return the old watch fd
389 having modified the global for the new one. Otherwise
394 tls_daemon_tick(void)
396 int old_watch_fd = tls_watch_fd;
398 tls_per_lib_daemon_tick();
399 #if defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT)
400 if (tls_creds_expire && time(NULL) >= tls_creds_expire)
402 /* The server cert is a selfsign, with limited lifetime. Dump it and
403 generate a new one. Reload the rest of the creds also as the machinery
406 DEBUG(D_tls) debug_printf("selfsign cert rotate\n");
407 tls_creds_expire = 0;
408 tls_daemon_creds_reload();
411 else if (tls_watch_trigger_time && time(NULL) >= tls_watch_trigger_time + 5)
413 /* Called, after a delay for multiple file ops to get done, from
414 the daemon when any of the watches added (above) fire.
415 Dump the set of watches and arrange to reload cached creds (which
416 will set up new watches). */
418 DEBUG(D_tls) debug_printf("watch triggered\n");
419 tls_watch_trigger_time = tls_creds_expire = 0;
420 tls_daemon_creds_reload();
427 /* Called once at daemon startup */
430 tls_daemon_init(void)
432 tls_per_lib_daemon_init();
436 /*************************************************
437 * Timezone environment flipping *
438 *************************************************/
443 uschar * old = US getenv("TZ");
444 (void) setenv("TZ", CCS tz, 1);
450 restore_tz(uschar * tz)
453 (void) setenv("TZ", CCS tz, 1);
455 (void) os_unsetenv(US"TZ");
459 /*************************************************
460 * Many functions are package-specific *
461 *************************************************/
464 # include "tls-gnu.c"
465 # include "tlscert-gnu.c"
466 # define ssl_xfer_buffer (state_server.xfer_buffer)
467 # define ssl_xfer_buffer_lwm (state_server.xfer_buffer_lwm)
468 # define ssl_xfer_buffer_hwm (state_server.xfer_buffer_hwm)
469 # define ssl_xfer_eof (state_server.xfer_eof)
470 # define ssl_xfer_error (state_server.xfer_error)
474 # include "tls-openssl.c"
475 # include "tlscert-openssl.c"
480 /*************************************************
481 * TLS version of ungetc *
482 *************************************************/
484 /* Puts a character back in the input buffer. Only ever
486 Only used by the server-side TLS.
491 Returns: the character
497 if (ssl_xfer_buffer_lwm <= 0)
498 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "buffer underflow in tls_ungetc");
500 ssl_xfer_buffer[--ssl_xfer_buffer_lwm] = ch;
506 /*************************************************
507 * TLS version of feof *
508 *************************************************/
510 /* Tests for a previous EOF
511 Only used by the server-side TLS.
514 Returns: non-zero if the eof flag is set
520 return (int)ssl_xfer_eof;
525 /*************************************************
526 * TLS version of ferror *
527 *************************************************/
529 /* Tests for a previous read error, and returns with errno
530 restored to what it was when the error was detected.
531 Only used by the server-side TLS.
533 >>>>> Hmm. Errno not handled yet. Where do we get it from? >>>>>
536 Returns: non-zero if the error flag is set
542 return (int)ssl_xfer_error;
546 /*************************************************
547 * TLS version of smtp_buffered *
548 *************************************************/
550 /* Tests for unused chars in the TLS input buffer.
551 Only used by the server-side TLS.
558 tls_smtp_buffered(void)
560 return ssl_xfer_buffer_lwm < ssl_xfer_buffer_hwm;
564 #endif /*DISABLE_TLS*/
567 tls_modify_variables(tls_support * dest_tsp)
569 modify_variable(US"tls_bits", &dest_tsp->bits);
570 modify_variable(US"tls_certificate_verified", &dest_tsp->certificate_verified);
571 modify_variable(US"tls_cipher", &dest_tsp->cipher);
572 modify_variable(US"tls_peerdn", &dest_tsp->peerdn);
574 modify_variable(US"tls_sni", &dest_tsp->sni);
580 /************************************************
581 * TLS certificate name operations *
582 ************************************************/
584 /* Convert an rfc4514 DN to an exim comma-sep list.
585 Backslashed commas need to be replaced by doublecomma
586 for Exim's list quoting. We modify the given string
591 dn_to_list(uschar * dn)
593 for (uschar * cp = dn; *cp; cp++)
594 if (cp[0] == '\\' && cp[1] == ',')
599 /* Extract fields of a given type from an RFC4514-
600 format Distinguished Name. Return an Exim list.
601 NOTE: We modify the supplied dn string during operation.
604 dn Distinguished Name string
605 mod list containing optional output list-sep and
606 field selector match, comma-separated
608 allocated string with list of matching fields,
613 tls_field_from_dn(uschar * dn, const uschar * mod)
616 uschar outsep = '\n';
618 uschar * match = NULL;
620 gstring * list = NULL;
622 while ((ele = string_nextinlist(&mod, &insep, NULL, 0)))
624 match = ele; /* field tag to match */
626 outsep = ele[1]; /* nondefault output separator */
630 len = match ? Ustrlen(match) : -1;
631 while ((ele = string_nextinlist(CUSS &dn, &insep, NULL, 0)))
633 || Ustrncmp(ele, match, len) == 0 && ele[len] == '='
635 list = string_append_listele(list, outsep, ele+len+1);
636 return string_from_gstring(list);
640 /* Compare a domain name with a possibly-wildcarded name. Wildcards
641 are restricted to a single one, as the first element of patterns
642 having at least three dot-separated elements. Case-independent.
643 Return TRUE for a match
646 is_name_match(const uschar * name, const uschar * pat)
649 return *pat == '*' /* possible wildcard match */
650 ? *++pat == '.' /* starts star, dot */
651 && !Ustrchr(++pat, '*') /* has no more stars */
652 && Ustrchr(pat, '.') /* and has another dot. */
653 && (cp = Ustrchr(name, '.'))/* The name has at least one dot */
654 && strcmpic(++cp, pat) == 0 /* and we only compare after it. */
655 : !Ustrchr(pat+1, '*')
656 && strcmpic(name, pat) == 0;
659 /* Compare a list of names with the dnsname elements
660 of the Subject Alternate Name, if any, and the
664 namelist names to compare
672 tls_is_name_for_cert(const uschar * namelist, void * cert)
674 uschar * altnames = tls_cert_subject_altname(cert, US"dns");
680 if ((altnames = tls_cert_subject_altname(cert, US"dns")))
683 while ((cmpname = string_nextinlist(&namelist, &cmp_sep, NULL, 0)))
685 const uschar * an = altnames;
686 while ((certname = string_nextinlist(&an, &alt_sep, NULL, 0)))
687 if (is_name_match(cmpname, certname))
692 else if ((subjdn = tls_cert_subject(cert, NULL)))
697 while ((cmpname = string_nextinlist(&namelist, &cmp_sep, NULL, 0)))
699 const uschar * sn = subjdn;
700 while ((certname = string_nextinlist(&sn, &sn_sep, NULL, 0)))
701 if ( *certname++ == 'C'
702 && *certname++ == 'N'
703 && *certname++ == '='
704 && is_name_match(cmpname, certname)
712 /* Environment cleanup: The GnuTLS library uses SSLKEYLOGFILE in the environment
713 and writes a file by that name. Our OpenSSL code does the same, using keying
714 info from the library API.
715 The GnuTLS support only works if exim is run by root, not taking advantage of
717 You can use either the external environment (modulo the keep_environment config)
718 or the add_environment config option for SSLKEYLOGFILE; the latter takes
721 If the path is absolute, require it starts with the spooldir; otherwise delete
722 the env variable. If relative, prefix the spooldir.
727 uschar * path = US getenv("SSLKEYLOGFILE");
730 unsetenv("SSLKEYLOGFILE");
731 else if (*path != '/')
734 debug_printf("prepending spooldir to env SSLKEYLOGFILE\n");
735 setenv("SSLKEYLOGFILE", CCS string_sprintf("%s/%s", spool_directory, path), 1);
737 else if (Ustrncmp(path, spool_directory, Ustrlen(spool_directory)) != 0)
740 debug_printf("removing env SSLKEYLOGFILE=%s: not under spooldir\n", path);
741 unsetenv("SSLKEYLOGFILE");
745 /*************************************************
746 * Drop privs for checking TLS config *
747 *************************************************/
749 /* We want to validate TLS options during readconf, but do not want to be
750 root when we call into the TLS library, in case of library linkage errors
751 which cause segfaults; before this check, those were always done as the Exim
752 runtime user and it makes sense to continue with that.
754 Assumes: tls_require_ciphers has been set, if it will be
755 exim_user has been set, if it will be
756 exim_group has been set, if it will be
758 Returns: bool for "okay"; false will cause caller to immediately exit.
762 tls_dropprivs_validate_require_cipher(BOOL nowarn)
764 const uschar *errmsg;
767 void (*oldsignal)(int);
769 /* If TLS will never be used, no point checking ciphers */
771 if ( !tls_advertise_hosts
772 || !*tls_advertise_hosts
773 || Ustrcmp(tls_advertise_hosts, ":") == 0
776 else if (!nowarn && !tls_certificate)
777 log_write(0, LOG_MAIN,
778 "Warning: No server certificate defined; will use a selfsigned one.\n"
779 " Suggested action: either install a certificate or change tls_advertise_hosts option");
781 oldsignal = signal(SIGCHLD, SIG_DFL);
784 if ((pid = exim_fork(US"cipher-validate")) < 0)
785 log_write(0, LOG_MAIN|LOG_PANIC_DIE, "fork failed for TLS check");
789 /* in some modes, will have dropped privilege already */
791 exim_setugid(exim_uid, exim_gid, FALSE,
792 US"calling tls_validate_require_cipher");
794 if ((errmsg = tls_validate_require_cipher()))
795 log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
796 "tls_require_ciphers invalid: %s", errmsg);
798 exim_underbar_exit(EXIT_SUCCESS);
802 rc = waitpid(pid, &status, 0);
803 } while (rc < 0 && errno == EINTR);
806 debug_printf("tls_validate_require_cipher child %d ended: status=0x%x\n",
809 signal(SIGCHLD, oldsignal);
818 tls_client_resmption_key(tls_support * tlsp, smtp_connect_args * conn_args,
819 smtp_transport_options_block * ob)
821 #ifndef DISABLE_TLS_RESUME
822 hctx * h = &tlsp->resume_hctx;
826 DEBUG(D_tls) if (conn_args->host_lbserver)
827 debug_printf("TLS: lbserver '%s'\n", conn_args->host_lbserver);
829 # ifdef EXIM_HAVE_SHA2
830 exim_sha_init(h, HASH_SHA2_256);
832 exim_sha_init(h, HASH_SHA1);
834 exim_sha_update_string(h, conn_args->host_lbserver);
837 exim_sha_update(h, CUS &conn_args->tlsa_dnsa, sizeof(dns_answer));
839 exim_sha_update_string(h, conn_args->host->address);
840 exim_sha_update(h, CUS &conn_args->host->port, sizeof(conn_args->host->port));
841 exim_sha_update_string(h, conn_args->sending_ip_address);
842 exim_sha_update_string(h, openssl_options);
843 exim_sha_update_string(h, ob->tls_require_ciphers);
844 exim_sha_update_string(h, tlsp->sni);
845 # ifdef EXIM_HAVE_ALPN
846 exim_sha_update_string(h, ob->tls_alpn);
848 exim_sha_finish(h, &b);
849 for (g = string_get(b.len*2+1); b.len-- > 0; )
850 g = string_fmt_append(g, "%02x", *b.data++);
851 tlsp->resume_index = string_from_gstring(g);
852 DEBUG(D_tls) debug_printf("TLS: resume session index %s\n", tlsp->resume_index);
856 #endif /*!DISABLE_TLS*/
857 #endif /*!MACRO_PREDEF*/