[exim-cvs] More tls_sni support: outbound, logging.

Top Page
Delete this message
Reply to this message
Author: Exim Git Commits Mailing List
Date:  
To: exim-cvs
Subject: [exim-cvs] More tls_sni support: outbound, logging.
Gitweb: http://git.exim.org/exim.git/commitdiff/3f0945ffae8acee547d11ae53d38fbdf9a2cc81f
Commit:     3f0945ffae8acee547d11ae53d38fbdf9a2cc81f
Parent:     7be682ca5ebd9571a01b762195b11c34cd231830
Author:     Phil Pennock <pdp@???>
AuthorDate: Fri May 4 08:27:09 2012 -0700
Committer:  Phil Pennock <pdp@???>
CommitDate: Fri May 4 08:27:09 2012 -0700


    More tls_sni support: outbound, logging.


    tls_sni as SMTP transport option.
    Use correct storage pool for copying tls_sni, so survives for life of process.
    Add +tls_sni log-selector, for inbound tls_sni.
    Update exipick to handle -tls_sni in spool files.


    Also reset tls_bits at start of outbound connection (was missing).
---
 doc/doc-docbook/spec.xfpt   |   36 ++++++++++++++++++++++++++++++++++--
 doc/doc-txt/ChangeLog       |    2 ++
 doc/doc-txt/NewStuff        |    7 +++++++
 doc/doc-txt/OptionLists.txt |    1 +
 src/src/exipick.src         |    6 ++++++
 src/src/functions.h         |    2 +-
 src/src/globals.c           |    3 ++-
 src/src/local_scan.h        |    2 +-
 src/src/macros.h            |    3 ++-
 src/src/receive.c           |    5 +++++
 src/src/smtp_in.c           |    5 +++++
 src/src/string.c            |    2 +-
 src/src/tls-gnu.c           |    6 ++++--
 src/src/tls-openssl.c       |   37 ++++++++++++++++++++++++++++++-------
 src/src/transports/smtp.c   |   10 ++++++++--
 src/src/transports/smtp.h   |    1 +
 16 files changed, 110 insertions(+), 18 deletions(-)


diff --git a/doc/doc-docbook/spec.xfpt b/doc/doc-docbook/spec.xfpt
index 32e24ca..ea4e040 100644
--- a/doc/doc-docbook/spec.xfpt
+++ b/doc/doc-docbook/spec.xfpt
@@ -11899,8 +11899,8 @@ If the variable appears in &%tls_certificate%& then this option and
a different certificate to be presented (and optionally a different key to be
used) to the client, based upon the value of the SNI extension.

-The value will be retained for the lifetime of the message, and not changed
-during outbound SMTP.
+The value will be retained for the lifetime of the message. During outbound
+SMTP deliveries, it reflects the value of the tls_sni option on the transport.

This is currently only available when using OpenSSL, built with support for
SNI.
@@ -15627,6 +15627,12 @@ receiving incoming messages as a server. If you want to supply certificates for
use when sending messages as a client, you must set the &%tls_certificate%&
option in the relevant &(smtp)& transport.

+.new
+If the option contains &$tls_sni$& and Exim is built against OpenSSL, then
+if the OpenSSL build supports TLS extensions and the TLS client sends the
+Server Name Indication extension, then this option and &%tls_privatekey%&
+will be re-expanded.
+.wen

.option tls_crl main string&!! unset
.cindex "TLS" "server certificate revocation list"
@@ -15659,6 +15665,11 @@ the expansion is forced to fail, or the result is an empty string, the private
key is assumed to be in the same file as the server's certificates. See chapter
&<<CHAPTLS>>& for further details.

+.new
+See &%tls_certificate%& discussion of &$tls_sni$& for when this option may be
+re-expanded.
+.wen
+

.option tls_remember_esmtp main boolean false
.cindex "TLS" "esmtp state; remembering"
@@ -22371,6 +22382,20 @@ ciphers is a preference order.



+.new
+.option tls_sni smtp string&!! unset
+.cindex "TLS" "Server Name Indication"
+.vindex "&$tls_sni$&"
+If this option is set then it sets the $tls_sni variable and causes any
+TLS session to pass this value as the Server Name Indication extension to
+the remote side, which can be used by the remote side to select an appropriate
+certificate and private key for the session.
+
+OpenSSL only, also requiring a build of OpenSSL that supports TLS extensions.
+.wen
+
+
+
 .option tls_tempfail_tryclear smtp boolean true
 .cindex "4&'xx'& responses" "to STARTTLS"
 When the server host is not in &%hosts_require_tls%&, and there is a problem in
@@ -33155,6 +33180,7 @@ selection marked by asterisks:
 &` tls_certificate_verified   `&  certificate verification status
 &`*tls_cipher                 `&  TLS cipher suite on <= and => lines
 &` tls_peerdn                 `&  TLS peer DN on <= and => lines
+&` tls_sni                    `&  TLS SNI on <= lines
 &` unknown_in_list            `&  DNS lookup failed in list match


 &` all                        `&  all of the above
@@ -33450,6 +33476,12 @@ connection, the cipher suite used is added to the log line, preceded by X=.
 connection, and a certificate is supplied by the remote host, the peer DN is
 added to the log line, preceded by DN=.
 .next
+.cindex "log" "TLS SNI"
+.cindex "TLS" "logging SNI"
+&%tls_sni%&: When a message is received over an encrypted connection, and
+the remote host provided the Server Name Indication extension, the SNI is
+added to the log line, preceded by SNI=.
+.next
 .cindex "log" "DNS failure in list"
 &%unknown_in_list%&: This setting causes a log entry to be written when the
 result of a list match is failure because a DNS lookup failed.
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 4ad79c2..55cde6d 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -75,6 +75,8 @@ PP/16 Removed "dont_insert_empty_fragments" fron "openssl_options".


 PP/17 OpenSSL: new expansion var $tls_sni, which if used in tls_certificate
       lets Exim select keys and certificates based upon TLS SNI from client.
+      Also option tls_sni on SMTP Transports.  Also clear $tls_bits correctly
+      before an outbound SMTP session.  New log_selector, +tls_sni.



 Exim version 4.77
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index b788b45..2872d24 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -47,6 +47,13 @@ Version 4.78
     sends the TLS Server Name Indication extension, to permit choosing a
     different certificate; tls_privatekey will also be re-expanded.  You must
     still set these options to expand to valid files when $tls_sni is not set.
+
+    The SMTP Transport has gained the option tls_sni, which will set a hostname
+    for outbound TLS sessions, and set $tls_sni too.
+
+    A new log_selector, +tls_sni, has been added, to log received SNI values
+    for Exim as a server.
+
     Currently OpenSSL only.



diff --git a/doc/doc-txt/OptionLists.txt b/doc/doc-txt/OptionLists.txt
index b10f3f1..52a24b1 100644
--- a/doc/doc-txt/OptionLists.txt
+++ b/doc/doc-txt/OptionLists.txt
@@ -554,6 +554,7 @@ tls_privatekey                       string*         unset         main
 tls_remember_emstp                   boolean         false         main              4.21
 tls_require_ciphers                  string*         unset         smtp              4.00 replaces tls_verify_ciphers
                                      string*         unset         main              4.33
+tls_sni                              string*         unset         main              4.78
 tls_tempfail_tryclear                boolean         true          smtp              4.05
 tls_try_verify_hosts                 host list       unset         main              4.00
 tls_verify_certificates              string*         unset         main              3.20
diff --git a/src/src/exipick.src b/src/src/exipick.src
index 811092d..ed3b661 100644
--- a/src/src/exipick.src
+++ b/src/src/exipick.src
@@ -955,6 +955,8 @@ sub _parse_header {
         $self->{_vars}{tls_cipher} = $arg;
       } elsif ($tag eq '-tls_peerdn') {
         $self->{_vars}{tls_peerdn} = $arg;
+      } elsif ($tag eq '-tls_sni') {
+        $self->{_vars}{tls_sni} = $arg;
       } elsif ($tag eq '-host_address') {
         $self->{_vars}{sender_host_port} = $self->_get_host_and_port(\$arg);
         $self->{_vars}{sender_host_address} = $arg;
@@ -1793,6 +1795,10 @@ The cipher suite that was negotiated for encrypted SMTP connections.


The value of the Distinguished Name of the certificate if Exim is configured to request one

+=item S . $tls_sni
+
+The value of the Server Name Indication TLS extension sent by a client, if one was sent.
+
=item N + $warning_count

 The number of delay warnings which have been sent for this message.
diff --git a/src/src/functions.h b/src/src/functions.h
index f1af42e..2202352 100644
--- a/src/src/functions.h
+++ b/src/src/functions.h
@@ -23,7 +23,7 @@ extern uschar *init_perl(uschar *);
 #ifdef SUPPORT_TLS
 extern int     tls_client_start(int, host_item *, address_item *, uschar *,
                  uschar *, uschar *, uschar *, uschar *, uschar *, uschar *,
-                 uschar *, uschar *, int);
+                 uschar *, uschar *, uschar *, int);
 extern void    tls_close(BOOL);
 extern int     tls_feof(void);
 extern int     tls_ferror(void);
diff --git a/src/src/globals.c b/src/src/globals.c
index 7985cd3..f11c7c2 100644
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -697,7 +697,7 @@ uschar *log_file_path          = US LOG_FILE_PATH
 /* Those log options with L_xxx identifiers have values less than 0x800000 and
 are the ones that get put into log_write_selector. They can be used in calls to
 log_write() to test for the bit. The options with LX_xxx identifiers have
-values greater than 0x80000000 and are put int log_extra_selector (without the
+values greater than 0x80000000 and are put into log_extra_selector (without the
 top bit). They are never used in calls to log_write(), but are tested
 independently. This separation became necessary when the number of log
 selectors was getting close to filling a 32-bit word. */
@@ -746,6 +746,7 @@ bit_table log_options[]        = {
   { US"tls_certificate_verified",     LX_tls_certificate_verified },
   { US"tls_cipher",                   LX_tls_cipher },
   { US"tls_peerdn",                   LX_tls_peerdn },
+  { US"tls_sni",                      LX_tls_sni },
   { US"unknown_in_list",              LX_unknown_in_list }
 };


diff --git a/src/src/local_scan.h b/src/src/local_scan.h
index 25b1944..aedfc9f 100644
--- a/src/src/local_scan.h
+++ b/src/src/local_scan.h
@@ -186,7 +186,7 @@ extern uschar *rfc2047_decode(uschar *, BOOL, uschar *, int, int *, uschar **);
 extern int     smtp_fflush(void);
 extern void    smtp_printf(const char *, ...) PRINTF_FUNCTION(1,2);
 extern void    smtp_vprintf(const char *, va_list);
-extern uschar *string_copy(uschar *);
+extern uschar *string_copy(const uschar *);
 extern uschar *string_copyn(uschar *, int);
 extern uschar *string_sprintf(const char *, ...) PRINTF_FUNCTION(1,2);


diff --git a/src/src/macros.h b/src/src/macros.h
index c1c4cc3..9b41226 100644
--- a/src/src/macros.h
+++ b/src/src/macros.h
@@ -407,7 +407,8 @@ set all the bits in a multi-word selector. */
 #define LX_tls_certificate_verified    0x80100000
 #define LX_tls_cipher                  0x80200000
 #define LX_tls_peerdn                  0x80400000
-#define LX_unknown_in_list             0x80800000
+#define LX_tls_sni                     0x80800000
+#define LX_unknown_in_list             0x81000000


 #define L_default     (L_connection_reject        | \
                        L_delay_delivery           | \
diff --git a/src/src/receive.c b/src/src/receive.c
index 7105265..aaaf64c 100644
--- a/src/src/receive.c
+++ b/src/src/receive.c
@@ -3488,6 +3488,11 @@ if ((log_extra_selector & LX_tls_certificate_verified) != 0 &&
 if ((log_extra_selector & LX_tls_peerdn) != 0 && tls_peerdn != NULL)
   s = string_append(s, &size, &sptr, 3, US" DN=\"",
     string_printing(tls_peerdn), US"\"");
+#ifndef USE_GNUTLS
+if ((log_extra_selector & LX_tls_sni) != 0 && tls_sni != NULL)
+  s = string_append(s, &size, &sptr, 3, US" SNI=\"",
+    string_printing(tls_sni), US"\"");
+#endif
 #endif


 if (sender_host_authenticated != NULL)
diff --git a/src/src/smtp_in.c b/src/src/smtp_in.c
index 23bc531..d1c10f0 100644
--- a/src/src/smtp_in.c
+++ b/src/src/smtp_in.c
@@ -841,6 +841,11 @@ if ((log_extra_selector & LX_tls_certificate_verified) != 0 &&
 if ((log_extra_selector & LX_tls_peerdn) != 0 && tls_peerdn != NULL)
   s = string_append(s, &size, &ptr, 3, US" DN=\"",
     string_printing(tls_peerdn), US"\"");
+#ifndef USE_GNUTLS
+if ((log_extra_selector & LX_tls_sni) != 0 && tls_sni != NULL)
+  s = string_append(s, &size, &ptr, 3, US" SNI=\"",
+    string_printing(tls_sni), US"\"");
+#endif
 #endif


sep = (smtp_connection_had[SMTP_HBUFF_SIZE-1] != SCH_NONE)?
diff --git a/src/src/string.c b/src/src/string.c
index 0a321ee..3fea7c0 100644
--- a/src/src/string.c
+++ b/src/src/string.c
@@ -415,7 +415,7 @@ Returns: copy of string in new store
*/

 uschar *
-string_copy(uschar *s)
+string_copy(const uschar *s)
 {
 int len = Ustrlen(s) + 1;
 uschar *ss = store_get(len);
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 2f952e4..7e87dde 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -1055,6 +1055,7 @@ Arguments:
   dhparam           DH parameter file
   certificate       certificate file
   privatekey        private key file
+  sni               TLS SNI to send to remote host
   verify_certs      file for certificate verify
   verify_crl        CRL for verify
   require_ciphers   list of allowed ciphers or NULL
@@ -1069,8 +1070,9 @@ Returns:            OK/DEFER/FAIL (because using common functions),


int
tls_client_start(int fd, host_item *host, address_item *addr, uschar *dhparam,
- uschar *certificate, uschar *privatekey, uschar *verify_certs,
- uschar *verify_crl, uschar *require_ciphers, uschar *require_mac,
+ uschar *certificate, uschar *privatekey, uschar *sni ARG_UNUSED,
+ uschar *verify_certs, uschar *verify_crl,
+ uschar *require_ciphers, uschar *require_mac,
uschar *require_kx, uschar *require_proto, int timeout)
{
const gnutls_datum *server_certs;
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 8cc2457..e609670 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -385,15 +385,18 @@ tls_servername_cb(SSL *s, int *ad ARG_UNUSED, void *arg)
const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
const tls_ext_ctx_cb *cbinfo = (tls_ext_ctx_cb *) arg;
int rc;
+int old_pool = store_pool;

if (!servername)
return SSL_TLSEXT_ERR_OK;

-DEBUG(D_tls) debug_printf("TLS SNI: %s%s\n", servername,
+DEBUG(D_tls) debug_printf("Received TLS SNI \"%s\"%s\n", servername,
     reexpand_tls_files_for_sni ? "" : " (unused for certificate selection)");


/* Make the extension value available for expansion */
-tls_sni = servername;
+store_pool = POOL_PERM;
+tls_sni = string_copy(US servername);
+store_pool = old_pool;

if (!reexpand_tls_files_for_sni)
return SSL_TLSEXT_ERR_OK;
@@ -550,10 +553,13 @@ if (rc != OK) return rc;

/* If we need to handle SNI, do so */
#if OPENSSL_VERSION_NUMBER >= 0x0090806fL && !defined(OPENSSL_NO_TLSEXT)
-/* We always do this, so that $tls_sni is available even if not used in
-tls_certificate */
-SSL_CTX_set_tlsext_servername_callback(ctx, tls_servername_cb);
-SSL_CTX_set_tlsext_servername_arg(ctx, cbinfo);
+if (host == NULL)
+ {
+ /* We always do this, so that $tls_sni is available even if not used in
+ tls_certificate */
+ SSL_CTX_set_tlsext_servername_callback(ctx, tls_servername_cb);
+ SSL_CTX_set_tlsext_servername_arg(ctx, cbinfo);
+ }
#endif

 /* Set up the RSA callback */
@@ -944,6 +950,7 @@ Argument:
   dhparam          DH parameter file
   certificate      certificate file
   privatekey       private key file
+  sni              TLS SNI to send to remote host
   verify_certs     file for certificate verify
   crl              file containing CRL
   require_ciphers  list of allowed ciphers
@@ -961,7 +968,8 @@ Returns:           OK on success


int
tls_client_start(int fd, host_item *host, address_item *addr, uschar *dhparam,
- uschar *certificate, uschar *privatekey, uschar *verify_certs, uschar *crl,
+ uschar *certificate, uschar *privatekey, uschar *sni,
+ uschar *verify_certs, uschar *crl,
uschar *require_ciphers, uschar *require_mac, uschar *require_kx,
uschar *require_proto, int timeout)
{
@@ -1000,6 +1008,19 @@ SSL_set_session_id_context(ssl, sid_ctx, Ustrlen(sid_ctx));
SSL_set_fd(ssl, fd);
SSL_set_connect_state(ssl);

+if (sni)
+  {
+  if (!expand_check(sni, US"tls_sni", &tls_sni))
+    return FAIL;
+  if (!Ustrlen(tls_sni))
+    tls_sni = NULL;
+  else
+    {
+    DEBUG(D_tls) debug_printf("Setting TLS SNI \"%s\"\n", tls_sni);
+    SSL_set_tlsext_host_name(ssl, tls_sni);
+    }
+  }
+
 /* There doesn't seem to be a built-in timeout on connection. */


 DEBUG(D_tls) debug_printf("Calling SSL_connect\n");
@@ -1078,8 +1099,10 @@ if (ssl_xfer_buffer_lwm >= ssl_xfer_buffer_hwm)
     SSL_free(ssl);
     ssl = NULL;
     tls_active = -1;
+    tls_bits = 0;
     tls_cipher = NULL;
     tls_peerdn = NULL;
+    tls_sni = NULL;


     return smtp_getc();
     }
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index c571d87..b1fedd2 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -128,8 +128,10 @@ optionlist smtp_transport_options[] = {
       (void *)offsetof(smtp_transport_options_block, tls_crl) },
   { "tls_privatekey",       opt_stringptr,
       (void *)offsetof(smtp_transport_options_block, tls_privatekey) },
-  { "tls_require_ciphers",   opt_stringptr,
+  { "tls_require_ciphers",  opt_stringptr,
       (void *)offsetof(smtp_transport_options_block, tls_require_ciphers) },
+  { "tls_sni",              opt_stringptr,
+      (void *)offsetof(smtp_transport_options_block, tls_sni) },
   { "tls_tempfail_tryclear", opt_bool,
       (void *)offsetof(smtp_transport_options_block, tls_tempfail_tryclear) },
   { "tls_verify_certificates", opt_stringptr,
@@ -191,7 +193,8 @@ smtp_transport_options_block smtp_transport_option_defaults = {
   NULL,                /* gnutls_require_mac */
   NULL,                /* gnutls_require_proto */
   NULL,                /* tls_verify_certificates */
-  TRUE                 /* tls_tempfail_tryclear */
+  TRUE,                /* tls_tempfail_tryclear */
+  NULL                 /* tls_sni */
 #endif
 #ifndef DISABLE_DKIM
  ,NULL,                /* dkim_canon */
@@ -889,8 +892,10 @@ outblock.authenticating = FALSE;


/* Reset the parameters of a TLS session. */

+tls_bits = 0;
tls_cipher = NULL;
tls_peerdn = NULL;
+tls_sni = NULL;

 /* If an authenticated_sender override has been specified for this transport
 instance, expand it. If the expansion is forced to fail, and there was already
@@ -1122,6 +1127,7 @@ if (tls_offered && !suppress_tls &&
       NULL,                    /* No DH param */
       ob->tls_certificate,
       ob->tls_privatekey,
+      ob->tls_sni,
       ob->tls_verify_certificates,
       ob->tls_crl,
       ob->tls_require_ciphers,
diff --git a/src/src/transports/smtp.h b/src/src/transports/smtp.h
index a2ea4ff..605be48 100644
--- a/src/src/transports/smtp.h
+++ b/src/src/transports/smtp.h
@@ -54,6 +54,7 @@ typedef struct {
   uschar *gnutls_require_proto;
   uschar *tls_verify_certificates;
   BOOL    tls_tempfail_tryclear;
+  uschar *tls_sni;
   #endif
   #ifndef DISABLE_DKIM
   uschar *dkim_domain;