From afdb5e9cf07fa49e26e128d8d5d2e3cab7a5fe42 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Thu, 21 Jun 2018 00:04:25 +0100 Subject: Expansions: A tls option on ${readsocket }. Bug 2282 --- src/src/expand.c | 97 +++++++++++++++++++++++++++++++++++++++++++-------- src/src/ip.c | 3 +- src/src/tls-gnu.c | 15 ++++---- src/src/tls-openssl.c | 23 ++++++------ 4 files changed, 105 insertions(+), 33 deletions(-) (limited to 'src') diff --git a/src/src/expand.c b/src/src/expand.c index b9eeb7c46..596fb2404 100644 --- a/src/src/expand.c +++ b/src/src/expand.c @@ -3550,6 +3550,26 @@ return yield; } +#ifdef SUPPORT_TLS +static gstring * +cat_file_tls(void * tls_ctx, gstring * yield, uschar * eol) +{ +int rc; +uschar * s; +uschar buffer[1024]; + +while ((rc = tls_read(tls_ctx, buffer, sizeof(buffer))) > 0) + for (s = buffer; rc--; s++) + yield = eol && *s == '\n' + ? string_cat(yield, eol) : string_catn(yield, s, 1); + +/* We assume that all errors, and any returns of zero bytes, +are actually EOF. */ + +(void) string_from_gstring(yield); +return yield; +} +#endif /************************************************* @@ -4801,9 +4821,15 @@ while (*s != 0) int timeout = 5; int save_ptr = yield->ptr; FILE *f; - uschar *arg; - uschar *sub_arg[4]; + uschar * arg; + uschar * sub_arg[4]; + uschar * server_name = NULL; + host_item host; BOOL do_shutdown = TRUE; +#ifdef SUPPORT_TLS + BOOL do_tls = FALSE; + void * tls_ctx = NULL; +#endif blob reqstr; if (expand_forbid & RDO_READSOCK) @@ -4846,10 +4872,14 @@ while (*s != 0) while ((item = string_nextinlist(&list, &sep, NULL, 0))) if (Ustrncmp(item, US"shutdown=", 9) == 0) - if (Ustrcmp(item + 9, US"no") == 0) - do_shutdown = FALSE; + { if (Ustrcmp(item + 9, US"no") == 0) do_shutdown = FALSE; } +#ifdef SUPPORT_TLS + else if (Ustrncmp(item, US"tls=", 4) == 0) + { if (Ustrcmp(item + 9, US"no") != 0) do_tls = TRUE; } +#endif } - else sub_arg[3] = NULL; /* No eol if no timeout */ + else + sub_arg[3] = NULL; /* No eol if no timeout */ /* If skipping, we don't actually do anything. Otherwise, arrange to connect to either an IP or a Unix socket. */ @@ -4861,8 +4891,10 @@ while (*s != 0) if (Ustrncmp(sub_arg[0], "inet:", 5) == 0) { int port; - uschar * server_name = sub_arg[0] + 5; - uschar * port_name = Ustrrchr(server_name, ':'); + uschar * port_name; + + server_name = sub_arg[0] + 5; + port_name = Ustrrchr(server_name, ':'); /* Sort out the port */ @@ -4898,11 +4930,12 @@ while (*s != 0) } fd = ip_connectedsocket(SOCK_STREAM, server_name, port, port, - timeout, NULL, &expand_string_message, &reqstr); + timeout, &host, &expand_string_message, + do_tls ? NULL : &reqstr); callout_address = NULL; if (fd < 0) goto SOCK_FAIL; - reqstr.len = 0; + if (!do_tls) reqstr.len = 0; } /* Handle a Unix domain socket */ @@ -4922,6 +4955,7 @@ while (*s != 0) sockun.sun_family = AF_UNIX; sprintf(sockun.sun_path, "%.*s", (int)(sizeof(sockun.sun_path)-1), sub_arg[0]); + server_name = sockun.sun_path; sigalrm_seen = FALSE; alarm(timeout); @@ -4938,10 +4972,27 @@ while (*s != 0) "%s: %s", sub_arg[0], strerror(errno)); goto SOCK_FAIL; } + host.name = server_name; + host.address = US""; } DEBUG(D_expand) debug_printf_indent("connected to socket %s\n", sub_arg[0]); +#ifdef SUPPORT_TLS + if (do_tls) + { + tls_support tls_dummy = {0}; + uschar * errstr; + + if (!(tls_ctx = tls_client_start(fd, &host, NULL, NULL, NULL, + &tls_dummy, &errstr))) + { + expand_string_message = string_sprintf("TLS connect failed: %s", errstr); + goto SOCK_FAIL; + } + } +#endif + /* Allow sequencing of test actions */ if (running_in_test_harness) millisleep(100); @@ -4951,7 +5002,11 @@ while (*s != 0) { DEBUG(D_expand) debug_printf_indent("writing \"%s\" to socket\n", reqstr.data); - if (write(fd, reqstr.data, reqstr.len) != reqstr.len) + if ( ( +#ifdef SUPPORT_TLS + tls_ctx ? tls_write(tls_ctx, reqstr.data, reqstr.len, FALSE) : +#endif + write(fd, reqstr.data, reqstr.len)) != reqstr.len) { expand_string_message = string_sprintf("request write to socket " "failed: %s", strerror(errno)); @@ -4964,7 +5019,7 @@ while (*s != 0) system doesn't have this function, make it conditional. */ #ifdef SHUT_WR - if (do_shutdown) shutdown(fd, SHUT_WR); + if (!tls_ctx && do_shutdown) shutdown(fd, SHUT_WR); #endif if (running_in_test_harness) millisleep(100); @@ -4972,12 +5027,26 @@ while (*s != 0) /* Now we need to read from the socket, under a timeout. The function that reads a file can be used. */ - f = fdopen(fd, "rb"); + if (!tls_ctx) + f = fdopen(fd, "rb"); sigalrm_seen = FALSE; alarm(timeout); - yield = cat_file(f, yield, sub_arg[3]); + yield = +#ifdef SUPPORT_TLS + tls_ctx ? cat_file_tls(tls_ctx, yield, sub_arg[3]) : +#endif + cat_file(f, yield, sub_arg[3]); alarm(0); - (void)fclose(f); + +#ifdef SUPPORT_TLS + if (tls_ctx) + { + tls_close(tls_ctx, TRUE); + close(fd); + } + else +#endif + (void)fclose(f); /* After a timeout, we restore the pointer in the result, that is, make sure we add nothing from the socket. */ diff --git a/src/src/ip.c b/src/src/ip.c index 555dc2d84..82876c62e 100644 --- a/src/src/ip.c +++ b/src/src/ip.c @@ -262,6 +262,7 @@ if (fastopen_blob && tcp_fastopen_ok) DEBUG(D_transport|D_v) debug_printf("non-TFO mode connection attempt to %s, %lu data\n", address, (unsigned long)fastopen_blob->len); + /*XXX also seen on successful TFO, sigh */ tcp_out_fastopen = fastopen_blob->len > 0 ? 2 : 1; } else if (errno == EINPROGRESS) /* expected if we had no cookie for peer */ @@ -339,7 +340,7 @@ return -1; Arguments: type SOCK_DGRAM or SOCK_STREAM af AF_INET6 or AF_INET for the socket type - address the remote address, in text form + hostname host name, or ip address (as text) portlo,porthi the remote port range timeout a timeout connhost if not NULL, host_item to be filled in with connection details diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c index 12c9fdb38..dfe09200b 100644 --- a/src/src/tls-gnu.c +++ b/src/src/tls-gnu.c @@ -125,7 +125,7 @@ typedef struct exim_gnutls_state { BOOL trigger_sni_changes; BOOL have_set_peerdn; const struct host_item *host; - gnutls_x509_crt_t peercert; + gnutls_x509_crt_t peercert; uschar *peerdn; uschar *ciphersuite; uschar *received_sni; @@ -2241,7 +2241,7 @@ return TRUE; Arguments: fd the fd of the connection - host connected host (for messages) + host connected host (for messages and option-tests) addr the first address (not used) tb transport (always smtp) tlsa_dnsa non-NULL, either request or require dane for this host, and @@ -2264,8 +2264,9 @@ tls_client_start(int fd, host_item *host, #endif tls_support * tlsp, uschar ** errstr) { -smtp_transport_options_block *ob = - (smtp_transport_options_block *)tb->options_block; +smtp_transport_options_block *ob = tb + ? (smtp_transport_options_block *)tb->options_block + : &smtp_transport_option_defaults; int rc; exim_gnutls_state_st * state = NULL; uschar *cipher_list = NULL; @@ -2375,7 +2376,7 @@ if (request_ocsp) #endif #ifndef DISABLE_EVENT -if (tb->event_action) +if (tb && tb->event_action) { state->event_action = tb->event_action; gnutls_session_set_ptr(state->session, state); @@ -2477,7 +2478,7 @@ would tamper with the TLS session in the parent process). Arguments: ct_ctx client context pointer, or NULL for the one global server context shutdown 1 if TLS close-alert is to be sent, - 2 if also response to be waited for + 2 if also response to be waited for Returns: nothing */ @@ -2678,7 +2679,7 @@ Arguments: len size of buffer Returns: the number of bytes read - -1 after a failed read + -1 after a failed read, including EOF */ int diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index adabc963e..d8c8101cc 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -436,7 +436,7 @@ else if ( tlsp == &tls_out && ((verify_cert_hostnames = client_static_cbinfo->verify_cert_hostnames))) - /* client, wanting hostname check */ + /* client, wanting hostname check */ { #ifdef EXIM_HAVE_OPENSSL_CHECKHOST @@ -1094,7 +1094,7 @@ if (!cbinfo->certificate) { if (!cbinfo->is_server) /* client */ return OK; - /* server */ + /* server */ if (tls_install_selfsign(sctx, errstr) != OK) return DEFER; } @@ -2032,14 +2032,14 @@ server_verify_callback_called = FALSE; if (verify_check_host(&tls_verify_hosts) == OK) { rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL, - FALSE, verify_callback_server, errstr); + FALSE, verify_callback_server, errstr); if (rc != OK) return rc; server_verify_optional = FALSE; } else if (verify_check_host(&tls_try_verify_hosts) == OK) { rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL, - TRUE, verify_callback_server, errstr); + TRUE, verify_callback_server, errstr); if (rc != OK) return rc; server_verify_optional = TRUE; } @@ -2251,11 +2251,11 @@ return DEFER; Argument: fd the fd of the connection - host connected host (for messages) - addr the first address + host connected host (for messages and option-tests) + addr the first address (for some randomness; can be NULL) tb transport (always smtp) tlsa_dnsa tlsa lookup, if DANE, else null - tlsp record details of channel configuration + tlsp record details of channel configuration here; must be non-NULL errstr error string pointer Returns: Pointer to TLS session context, or NULL on error @@ -2269,8 +2269,9 @@ tls_client_start(int fd, host_item *host, address_item *addr, #endif tls_support * tlsp, uschar ** errstr) { -smtp_transport_options_block * ob = - (smtp_transport_options_block *)tb->options_block; +smtp_transport_options_block * ob = tb + ? (smtp_transport_options_block *)tb->options_block + : &smtp_transport_option_defaults; exim_openssl_client_tls_ctx * exim_client_ctx; static uschar peerdn[256]; uschar * expciphers; @@ -2457,7 +2458,7 @@ if (request_ocsp) #endif #ifndef DISABLE_EVENT -client_static_cbinfo->event_action = tb->event_action; +client_static_cbinfo->event_action = tb ? tb->event_action : NULL; #endif /* There doesn't seem to be a built-in timeout on connection. */ @@ -2666,7 +2667,7 @@ Arguments: len size of buffer Returns: the number of bytes read - -1 after a failed read + -1 after a failed read, including EOF Only used by the client-side TLS. */ -- cgit v1.2.3