posttls-finger.c

[詳解]

/*++
/* NAME
/*  posttls-finger 1
/* SUMMARY
/*  Probe the TLS properties of an ESMTP or LMTP server.
/* SYNOPSIS
/*  \fBposttls-finger\fR [\fIoptions\fR] [\fBinet:\fR]\fIdomain\fR[:\fIport\fR] [\fImatch ...\fR]
/* .br
/*  \fBposttls-finger\fR -S [\fIoptions\fR] \fBunix:\fIpathname\fR [\fImatch ...\fR]
/* DESCRIPTION
/*  \fBposttls-finger\fR(1) connects to the specified destination
/*  and reports TLS-related information about the server. With SMTP, the
/*  destination is a domainname; with LMTP it is either a domainname
/*  prefixed with \fBinet:\fR or a pathname prefixed with \fBunix:\fR.  If
/*  Postfix is built without TLS support, the resulting posttls-finger
/*  program has very limited functionality, and only the \fB-a\fR, \fB-c\fR,
/*  \fB-h\fR, \fB-o\fR, \fB-S\fR, \fB-t\fR, \fB-T\fR and \fB-v\fR options
/*  are available.
/*
/*  Note: this is an unsupported test program. No attempt is made
/*  to maintain compatibility between successive versions.
/*
/*  For SMTP servers that don't support ESMTP, only the greeting banner
/*  and the negative EHLO response are reported. Otherwise, the reported
/*  EHLO response details further server capabilities.
/*
/*  If TLS support is enabled when \fBposttls-finger\fR(1) is compiled, and
/*  the server supports \fBSTARTTLS\fR, a TLS handshake is attempted.
/*
/*  If DNSSEC support is available, the connection TLS security level
/*  (\fB-l\fR option) defaults to \fBdane\fR; see TLS_README for
/*  details. Otherwise, it defaults to \fBsecure\fR.  This setting
/*  determines the certificate matching policy.
/*
/*  If TLS negotiation succeeds, the TLS protocol and cipher details are
/*  reported. The server certificate is then verified in accordance with
/*  the policy at the chosen (or default) security level.  With public
/*  CA-based trust, when the \fB-L\fR option includes \fBcertmatch\fR,
/*  (true by default) name matching is performed even if the certificate
/*  chain is not trusted.  This logs the names found in the remote SMTP
/*  server certificate and which if any would match, were the certificate
/*  chain trusted.
/*
/*  Note: \fBposttls-finger\fR(1) does not perform any table lookups, so
/*  the TLS policy table and obsolete per-site tables are not consulted.
/*  It does not communicate with the \fBtlsmgr\fR(8) daemon (or any other
/*  Postfix daemons); its TLS session cache is held in private memory, and
/*  disappears when the process exits.
/*
/*  With the \fB-r \fIdelay\fR option, if the server assigns a TLS
/*  session id, the TLS session is cached. The connection is then closed
/*  and re-opened after the specified delay, and \fBposttls-finger\fR(1)
/*  then reports whether the cached TLS session was re-used.
/*
/*  When the destination is a load balancer, it may be distributing
/*  load between multiple server caches. Typically, each server returns
/*  its unique name in its EHLO response. If, upon reconnecting with
/*  \fB-r\fR, a new server name is detected, another session is cached
/*  for the new server, and the reconnect is repeated up to a maximum
/*  number of times (default 5) that can be specified via the \fB-m\fR
/*  option.
/*
/*  The choice of SMTP or LMTP (\fB-S\fR option) determines the syntax of
/*  the destination argument. With SMTP, one can specify a service on a
/*  non-default port as \fIhost\fR:\fIservice\fR, and disable MX (mail
/*  exchanger) DNS lookups with [\fIhost\fR] or [\fIhost\fR]:\fIport\fR.
/*  The [] form is required when you specify an IP address instead of a
/*  hostname.  An IPv6 address takes the form [\fBipv6:\fIaddress\fR].
/*  The default port for SMTP is taken from the \fBsmtp/tcp\fR entry in
/*  /etc/services, defaulting to 25 if the entry is not found.
/*
/*  With LMTP, specify \fBunix:\fIpathname\fR to connect to a local server
/*  listening on a unix-domain socket bound to the specified pathname;
/*  otherwise, specify an optional \fBinet:\fR prefix followed by a
/*  \fIdomain\fR and an optional port, with the same syntax as for
/*  SMTP. The default TCP port for LMTP is 24.
/*
/*  Arguments:
/* .IP "\fB-a\fR \fIfamily\fR (default: \fBany\fR)"
/*  Address family preference: \fBipv4\fR, \fBipv6\fR or \fBany\fR.  When
/*  using \fBany\fR, posttls-finger will randomly select one of the two as
/*  the more preferred, and exhaust all MX preferences for the first
/*  address family before trying any addresses for the other.
/* .IP "\fB-A\fR \fItrust-anchor.pem\fR (default: none)"
/*  A list of PEM trust-anchor files that overrides CAfile and CApath
/*  trust chain verification.  Specify the option multiple times to
/*  specify multiple files.  See the main.cf documentation for
/*  smtp_tls_trust_anchor_file for details.
/* .IP "\fB-c\fR"
/*  Disable SMTP chat logging; only TLS-related information is logged.
/* .IP "\fB-C\fR"
/*  Print the remote SMTP server certificate trust chain in PEM format.
/*  The issuer DN, subject DN, certificate and public key fingerprints
/*  (see \fB-d \fImdalg\fR option below) are printed above each PEM
/*  certificate block.  If you specify \fB-F \fICAfile\fR or
/*  \fB-P \fICApath\fR, the OpenSSL library may augment the chain with
/*  missing issuer certificates.  To see the actual chain sent by the
/*  remote SMTP server leave \fICAfile\fR and \fICApath\fR unset.
/* .IP "\fB-d \fImdalg\fR (default: \fBsha1\fR)"
/*  The message digest algorithm to use for reporting remote SMTP server
/*  fingerprints and matching against user provided certificate
/*  fingerprints (with DANE TLSA records the algorithm is specified
/*  in the DNS).
/* .IP "\fB-f\fR"
/*  Lookup the associated DANE TLSA RRset even when a hostname is not an
/*  alias and its address records lie in an unsigned zone.  See
/*  smtp_tls_force_insecure_host_tlsa_lookup for details.
/* .IP "\fB-F \fICAfile.pem\fR (default: none)"
/*  The PEM formatted CAfile for remote SMTP server certificate
/*  verification.  By default no CAfile is used and no public CAs
/*  are trusted.
/* .IP "\fB-g \fIgrade\fR (default: medium)"
/*  The minimum TLS cipher grade used by posttls-finger.  See
/*  smtp_tls_mandatory_ciphers for details.
/* .IP "\fB-h \fIhost_lookup\fR (default: \fBdns\fR)"
/*  The hostname lookup methods used for the connection.  See the
/*  documentation of smtp_host_lookup for syntax and semantics.
/* .IP "\fB-k \fIcertfile\fR (default: \fIkeyfile\fR)\fR"
/*  File with PEM-encoded TLS client certificate chain. This
/*  defaults to \fIkeyfile\fR if one is specified.
/* .IP "\fB-K \fIkeyfile\fR (default: \fIcertfile\fR)"
/*  File with PEM-encoded TLS client private key.
/*  This defaults to \fIcertfile\fR if one is specified.
/* .IP "\fB-l \fIlevel\fR (default: \fBdane\fR or \fBsecure\fR)"
/*  The security level for the connection, default \fBdane\fR or
/*  \fBsecure\fR depending on whether DNSSEC is available.  For syntax
/*  and semantics, see the documentation of smtp_tls_security_level.
/*  When \fBdane\fR or \fBdane-only\fR is supported and selected, if no
/*  TLSA records are found, or all the records found are unusable, the
/*  \fIsecure\fR level will be used instead.  The \fBfingerprint\fR
/*  security level allows you to test certificate or public-key
/*  fingerprint matches before you deploy them in the policy table.
/* .IP
/*  Note, since \fBposttls-finger\fR does not actually deliver any email,
/*  the \fBnone\fR, \fBmay\fR and \fBencrypt\fR security levels are not
/*  very useful.  Since \fBmay\fR and \fBencrypt\fR don't require peer
/*  certificates, they will often negotiate anonymous TLS ciphersuites,
/*  so you won't learn much about the remote SMTP server's certificates
/*  at these levels if it also supports anonymous TLS (though you may
/*  learn that the server supports anonymous TLS).
/* .IP "\fB-L \fIlogopts\fR (default: \fBroutine,certmatch\fR)"
/*  Fine-grained TLS logging options. To tune the TLS features logged
/*  during the TLS handshake, specify one or more of:
/* .RS
/* .IP "\fB0, none\fR"
/*  These yield no TLS logging; you'll generally want more, but this
/*  is handy if you just want the trust chain:
/* .RS
/* .ad
/* .nf
/*  $ posttls-finger -cC -L none destination
/* .fi
/* .RE
/* .IP "\fB1, routine, summary\fR"
/*  These synonymous values yield a normal one-line summary of the TLS
/*  connection.
/* .IP "\fB2, debug\fR"
/*  These synonymous values combine routine, ssl-debug, cache and verbose.
/* .IP "\fB3, ssl-expert\fR"
/*  These synonymous values combine debug with ssl-handshake-packet-dump.
/*  For experts only.
/* .IP "\fB4, ssl-developer\fR"
/*  These synonymous values combine ssl-expert with ssl-session-packet-dump.
/*  For experts only, and in most cases, use wireshark instead.
/* .IP "\fBssl-debug\fR"
/*  Turn on OpenSSL logging of the progress of the SSL handshake.
/* .IP "\fBssl-handshake-packet-dump\fR"
/*  Log hexadecimal packet dumps of the SSL handshake; for experts only.
/* .IP "\fBssl-session-packet-dump\fR"
/*  Log hexadecimal packet dumps of the entire SSL session; only useful
/*  to those who can debug SSL protocol problems from hex dumps.
/* .IP "\fBuntrusted\fR"
/*  Logs trust chain verification problems.  This is turned on
/*  automatically at security levels that use peer names signed
/*  by Certification Authorities to validate certificates.  So while
/*  this setting is recognized, you should never need to set it
/*  explicitly.
/* .IP "\fBpeercert\fR"
/*  This logs a one line summary of the remote SMTP server certificate
/*  subject, issuer, and fingerprints.
/* .IP "\fBcertmatch\fR"
/*  This logs remote SMTP server certificate matching, showing the CN
/*  and each subjectAltName and which name matched.  With DANE, logs
/*  matching of TLSA record trust-anchor and end-entity certificates.
/* .IP "\fBcache\fR"
/*  This logs session cache operations, showing whether session caching
/*  is effective with the remote SMTP server.  Automatically used when
/*  reconnecting with the \fB-r\fR option; rarely needs to be set
/*  explicitly.
/* .IP "\fBverbose\fR"
/*  Enables verbose logging in the Postfix TLS driver; includes all of
/*  peercert..cache and more.
/* .RE
/* .IP
/*  The default is \fBroutine,certmatch\fR. After a reconnect,
/*  \fBpeercert\fR, \fBcertmatch\fR and \fBverbose\fR are automatically
/*  disabled while \fBcache\fR and \fBsummary\fR are enabled.
/* .IP "\fB-m \fIcount\fR (default: \fB5\fR)"
/*  When the \fB-r \fIdelay\fR option is specified, the \fB-m\fR option
/*  determines the maximum number of reconnect attempts to use with
/*  a server behind a load balancer, to see whether connection caching
/*  is likely to be effective for this destination.  Some MTAs
/*  don't expose the underlying server identity in their EHLO
/*  response; with these servers there will never be more than
/*  1 reconnection attempt.
/* .IP "\fB-M \fIinsecure_mx_policy\fR (default: \fBdane\fR)"
/*  The TLS policy for MX hosts with "secure" TLSA records when the
/*  nexthop destination security level is \fBdane\fR, but the MX
/*  record was found via an "insecure" MX lookup.  See the main.cf
/*  documentation for smtp_tls_insecure_mx_policy for details.
/* .IP "\fB-o \fIname=value\fR"
/*  Specify zero or more times to override the value of the main.cf
/*  parameter \fIname\fR with \fIvalue\fR.  Possible use-cases include
/*  overriding the values of TLS library parameters, or "myhostname" to
/*  configure the SMTP EHLO name sent to the remote server.
/* .IP "\fB-p \fIprotocols\fR (default: !SSLv2)"
/*  List of TLS protocols that posttls-finger will exclude or include.  See
/*  smtp_tls_mandatory_protocols for details.
/* .IP "\fB-P \fICApath/\fR (default: none)"
/*  The OpenSSL CApath/ directory (indexed via c_rehash(1)) for remote
/*  SMTP server certificate verification.  By default no CApath is used
/*  and no public CAs are trusted.
/* .IP "\fB-r \fIdelay\fR"
/*  With a cacheable TLS session, disconnect and reconnect after \fIdelay\fR
/*  seconds. Report whether the session is re-used. Retry if a new server
/*  is encountered, up to 5 times or as specified with the \fB-m\fR option.
/*  By default reconnection is disabled, specify a positive delay to
/*  enable this behavior.
/* .IP "\fB-S\fR"
/*  Disable SMTP; that is, connect to an LMTP server. The default port for
/*  LMTP over TCP is 24.  Alternative ports can specified by appending
/*  "\fI:servicename\fR" or ":\fIportnumber\fR" to the destination
/*  argument.
/* .IP "\fB-t \fItimeout\fR (default: \fB30\fR)"
/*  The TCP connection timeout to use.  This is also the timeout for
/*  reading the remote server's 220 banner.
/* .IP "\fB-T \fItimeout\fR (default: \fB30\fR)"
/*  The SMTP/LMTP command timeout for EHLO/LHLO, STARTTLS and QUIT.
/* .IP "\fB-v\fR"
/*  Enable verbose Postfix logging.  Specify more than once to increase
/*  the level of verbose logging.
/* .IP "\fB-w\fR"
/*  Enable outgoing TLS wrapper mode, or SMTPS support.  This is typically
/*  provided on port 465 by servers that are compatible with the ad-hoc
/*  SMTP in SSL protocol, rather than the standard STARTTLS protocol.
/*  The destination \fIdomain\fR:\fIport\fR should of course provide such
/*  a service.
/* .IP "[\fBinet:\fR]\fIdomain\fR[:\fIport\fR]"
/*  Connect via TCP to domain \fIdomain\fR, port \fIport\fR. The default
/*  port is \fBsmtp\fR (or 24 with LMTP).  With SMTP an MX lookup is
/*  performed to resolve the domain to a host, unless the domain is
/*  enclosed in \fB[]\fR.  If you want to connect to a specific MX host,
/*  for instance \fImx1.example.com\fR, specify [\fImx1.example.com\fR]
/*  as the destination and \fIexample.com\fR as a \fBmatch\fR argument.
/*  When using DNS, the destination domain is assumed fully qualified
/*  and no default domain or search suffixes are applied; you must use
/*  fully-qualified names or also enable \fBnative\fR host lookups
/*  (these don't support \fBdane\fR or \fBdane-only\fR as no DNSSEC
/*  validation information is available via \fBnative\fR lookups).
/* .IP "\fBunix:\fIpathname\fR"
/*  Connect to the UNIX-domain socket at \fIpathname\fR. LMTP only.
/* .IP "\fBmatch ...\fR"
/*  With no match arguments specified, certificate peername matching uses
/*  the compiled-in default strategies for each security level.  If you
/*  specify one or more arguments, these will be used as the list of
/*  certificate or public-key digests to match for the \fBfingerprint\fR
/*  level, or as the list of DNS names to match in the certificate at the
/*  \fBverify\fR and \fBsecure\fR levels.  If the security level is
/*  \fBdane\fR, or \fBdane-only\fR the match names are ignored, and
/*  \fBhostname, nexthop\fR strategies are used.
/* .ad
/* .fi
/* ENVIRONMENT
/* .ad
/* .fi
/* .IP \fBMAIL_CONFIG\fR
/*  Read configuration parameters from a non-default location.
/* .IP \fBMAIL_VERBOSE\fR
/*  Same as \fB-v\fR option.
/* SEE ALSO
/*  smtp-source(1), SMTP/LMTP message source
/*  smtp-sink(1), SMTP/LMTP message dump
/*
/* README FILES
/* .ad
/* .fi
/*  Use "\fBpostconf readme_directory\fR" or "\fBpostconf
/*  html_directory\fR" to locate this information.
/* .na
/* .nf
/*  TLS_README, Postfix STARTTLS howto
/* LICENSE
/* .ad
/* .fi
/*  The Secure Mailer license must be distributed with this software.
/* AUTHOR(S)
/*  Wietse Venema
/*  IBM T.J. Watson Research
/*  P.O. Box 704
/*  Yorktown Heights, NY 10598, USA
/*
/*  Viktor Dukhovni
/*--*/

 /*
  * System library.
  */
#include <sys_defs.h>
#include <stdarg.h>
#include <string.h>
#include <ctype.h>
#include <stdlib.h>
#include <unistd.h>
#include <signal.h>
#include <fcntl.h>
#include <errno.h>
#include <sys/socket.h>
#include <sys/un.h>
#include <netinet/in.h>
#include <arpa/inet.h>

#ifdef STRCASECMP_IN_STRINGS_H
#include <strings.h>
#endif

 /*
  * Utility library.
  */
#include <msg.h>
#include <msg_vstream.h>
#include <vstring.h>
#include <vstream.h>
#include <vstring_vstream.h>
#include <mymalloc.h>
#include <stringops.h>
#include <argv.h>
#include <name_mask.h>
#include <name_code.h>
#include <chroot_uid.h>
#include <host_port.h>
#include <inet_proto.h>
#include <iostuff.h>
#include <timed_connect.h>
#include <sane_connect.h>
#include <myaddrinfo.h>
#include <sock_addr.h>
#include <midna_domain.h>
#include <clean_env.h>

#define STR(x)      vstring_str(x)

 /*
  * Global library.
  */
#include <mail_params.h>
#include <mail_conf.h>
#include <smtp_stream.h>
#include <dsn_buf.h>
#include <mail_parm_split.h>

/* DNS library. */

#include <dns.h>

 /*
  * master library
  */
#include <mail_server.h>

 /*
  * TLS Library
  */
#define TLS_INTERNAL
#include <tls.h>

#ifdef USE_TLS
#include <openssl/engine.h>
#endif

 /*
  * Application specific
  */
#include "tlsmgrmem.h"

static int conn_tmout = 30;
static int smtp_tmout = 30;

#define HOST_FLAG_DNS       (1<<0)
#define HOST_FLAG_NATIVE    (1<<1)

#define MISC_FLAG_PREF_IPV6 (1<<0)
#define MISC_FLAG_PREF_IPV4 (1<<1)

static const NAME_MASK lookup_masks[] = {
    "dns", HOST_FLAG_DNS,
    "native", HOST_FLAG_NATIVE,
    0,
};

static const NAME_CODE addr_pref_map[] = {
    INET_PROTO_NAME_IPV6, MISC_FLAG_PREF_IPV6,
    INET_PROTO_NAME_IPV4, MISC_FLAG_PREF_IPV4,
    INET_PROTO_NAME_ANY, 0,
    0, -1,
};

typedef struct OPTIONS {
    char   *logopts;
    char   *level;
    ARGV   *tas;
    char   *host_lookup;
    char   *addr_pref;
} OPTIONS;

 /*
  * Per-session data structure with state.
  * 
  * This software can maintain multiple parallel connections to the same SMTP
  * server. However, it makes no more than one connection request at a time
  * to avoid overwhelming the server with SYN packets and having to back off.
  * Back-off would screw up the benchmark. Pending connection requests are
  * kept in a linear list.
  */
typedef struct STATE {
    int     smtp;           /* SMTP or LMTP? */
    int     host_lookup;        /* dns|native|dns,native */
    int     addr_pref;          /* v4, v6, both */
    int     log_mask;           /* via tls_log_mask() */
    int     reconnect;          /* -r option */
    int     max_reconnect;      /* -m option */
    int     force_tlsa;         /* -f option */
    unsigned port;          /* TCP port */
    char   *dest;           /* Full destination spec */
    char   *addrport;           /* [addr]:port */
    char   *namaddrport;        /* name[addr]:port */
    char   *nexthop;            /* Nexthop domain for verification */
    char   *hostname;           /* Hostname for verification */
    DNS_RR *addr;           /* IPv[46] Address to (re)connect to */
    DNS_RR *mx;             /* MX RRset qname, rname, valid */
    int     pass;           /* Pass number, 2 for reconnect */
    int     nochat;         /* disable chat logging */
    char   *helo;           /* Server name from EHLO reply */
    DSN_BUF *why;           /* SMTP-style error message */
    VSTRING *buffer;            /* Response buffer */
    VSTREAM *stream;            /* Open connection */
    int     level;          /* TLS security level */
    int     wrapper_mode;       /* SMTPS support */
#ifdef USE_TLS
    char   *mdalg;          /* fingerprint digest algorithm */
    char   *CAfile;         /* Trusted public CAs */
    char   *CApath;         /* Trusted public CAs */
    char   *certfile;           /* TLS client certificate file */
    char   *keyfile;            /* TLS client key file */
    ARGV   *match;          /* match arguments */
    int     print_trust;        /* -C option */
    BIO    *tls_bio;            /* BIO wrapper for stdout */
    TLS_APPL_STATE *tls_ctx;        /* Application TLS context */
    TLS_SESS_STATE *tls_context;    /* Session TLS context */
    TLS_DANE *dane;         /* DANE TLSA validation structure */
    TLS_DANE *ddane;            /* DANE TLSA from DNS */
    char   *grade;          /* Minimum cipher grade */
    char   *protocols;          /* Protocol inclusion/exclusion */
    int     mxinsec_level;      /* DANE for insecure MX RRs? */
#endif
    OPTIONS options;            /* JCL */
} STATE;

static DNS_RR *host_addr(STATE *, const char *);

#define HNAME(addr) (addr->qname)

 /*
  * Structure with broken-up SMTP server response.
  */
typedef struct {            /* server response */
    int     code;           /* status */
    char   *str;            /* text */
    VSTRING *buf;           /* origin of text */
} RESPONSE;


/* command - send an SMTP command */

static void PRINTFLIKE(3, 4) command(STATE *state, int verbose, char *fmt,...)
{
    VSTREAM *stream = state->stream;
    VSTRING *buf;
    va_list ap;
    char   *line;

    buf = vstring_alloc(100);
    va_start(ap, fmt);
    vstring_vsprintf(buf, fmt, ap);
    va_end(ap);
    line = vstring_str(buf);

    while (line && *line) {
    char   *nextline = strchr(line, '\n');

    if (nextline)
        *nextline++ = '\0';
    if (verbose && !state->nochat)
        msg_info("> %s", line);
    smtp_printf(stream, "%s", line);
    line = nextline;
    }

    vstring_free(buf);
}

/* response - read and process SMTP server response */

static RESPONSE *response(STATE *state, int verbose)
{
    VSTREAM *stream = state->stream;
    VSTRING *buf = state->buffer;
    static RESPONSE rdata;
    int     more;
    char   *cp;

    /*
     * Initialize the response data buffer. Defend against a denial of
     * service attack by limiting the amount of multi-line text that we are
     * willing to store.
     */
    if (rdata.buf == 0) {
    rdata.buf = vstring_alloc(100);
    vstring_ctl(rdata.buf, CA_VSTRING_CTL_MAXLEN(var_line_limit), 0);
    }

    /*
     * Censor out non-printable characters in server responses. Concatenate
     * multi-line server responses. Separate the status code from the text.
     * Leave further parsing up to the application.
     */
#define BUF ((char *) vstring_str(buf))
    VSTRING_RESET(rdata.buf);
    for (;;) {
    smtp_get(buf, stream, var_line_limit, SMTP_GET_FLAG_SKIP);
    for (cp = BUF; *cp != 0; cp++)
        if (!ISPRINT(*cp) && !ISSPACE(*cp))
        *cp = '?';
    cp = BUF;
    if (verbose && !state->nochat)
        msg_info("< %s", cp);
    while (ISDIGIT(*cp))
        cp++;
    rdata.code = (cp - BUF == 3 ? atoi(BUF) : 0);
    if ((more = (*cp == '-')) != 0)
        cp++;
    while (ISSPACE(*cp))
        cp++;
    vstring_strcat(rdata.buf, cp);
    if (more == 0)
        break;
    VSTRING_ADDCH(rdata.buf, '\n');
    }
    VSTRING_TERMINATE(rdata.buf);
    rdata.str = vstring_str(rdata.buf);
    return (&rdata);
}

/* exception_text - translate exceptions from the smtp_stream module */

static char *exception_text(int except)
{
    switch (except) {
    case SMTP_ERR_EOF:
    return ("lost connection");
    case SMTP_ERR_TIME:
    return ("timeout");
    default:
    msg_panic("exception_text: unknown exception %d", except);
    }
}

/* greeting - read server's 220 greeting */

static int greeting(STATE *state)
{
    VSTREAM *stream = state->stream;
    int     except;
    RESPONSE *resp;

    /*
     * Prepare for disaster.
     */
    smtp_stream_setup(stream, conn_tmout, 1);
    if ((except = vstream_setjmp(stream)) != 0) {
    msg_info("%s while reading server greeting", exception_text(except));
    return (1);
    }

    /*
     * Read and parse the server's SMTP greeting banner.
     */
    if (((resp = response(state, 1))->code / 100) != 2) {
    msg_info("SMTP service not available: %d %s", resp->code, resp->str);
    return (1);
    }
    return (0);
}

/* ehlo - send EHLO/LHLO */

static RESPONSE *ehlo(STATE *state)
{
    int     except;
    int     verbose;
    volatile char *ehlo = state->smtp ? "EHLO" : "LHLO";
    VSTREAM *stream = state->stream;
    RESPONSE *resp;

#ifdef USE_TLS
    verbose = (state->pass == 1 && state->nochat == 0);
#else
    verbose = 1;
#endif

    /*
     * Send the standard greeting with our hostname
     */
    if ((except = vstream_setjmp(stream)) != 0) {
    msg_info("%s while sending %s", exception_text(except), ehlo);
    return (0);
    }
    command(state, verbose, "%s %s", ehlo, var_myhostname);

    resp = response(state, verbose);
    if (resp->code / 100 != 2) {
    msg_info("%s rejected: %d %s", ehlo, resp->code, resp->str);
    return (0);
    }
    return resp;
}

#ifdef USE_TLS

static void print_stack(STATE *state, x509_stack_t *sk, int trustout)
{
    int     i;

    for (i = 0; i < sk_X509_num(sk); i++) {
    X509   *cert = sk_X509_value(sk, i);
    char    buf[CCERT_BUFSIZ];
    X509_NAME *xn;
    char   *digest;

    if ((xn = X509_get_subject_name(cert)) != 0) {
        X509_NAME_oneline(xn, buf, sizeof buf);
        BIO_printf(state->tls_bio, "%2d subject: %s\n", i, buf);
    }
    if ((xn = X509_get_issuer_name(cert)) != 0) {
        X509_NAME_oneline(xn, buf, sizeof buf);
        BIO_printf(state->tls_bio, "    issuer: %s\n", buf);
    }
    digest = tls_cert_fprint(cert, state->mdalg);
    BIO_printf(state->tls_bio, "   cert digest=%s\n", digest);
    myfree(digest);

    digest = tls_pkey_fprint(cert, state->mdalg);
    BIO_printf(state->tls_bio, "   pkey digest=%s\n", digest);
    myfree(digest);

    if (trustout)
        PEM_write_bio_X509_AUX(state->tls_bio, cert);
    else
        PEM_write_bio_X509(state->tls_bio, cert);
    }
}

static void print_trust_info(STATE *state)
{
    x509_stack_t *sk = SSL_get_peer_cert_chain(state->tls_context->con);

    if (sk != 0) {
    BIO_printf(state->tls_bio, "\n---\nCertificate chain\n");
    print_stack(state, sk, 0);
    }
#ifdef dane_verify_debug
    /* print internally constructed untrusted chain */
    if ((sk = state->tls_context->untrusted) != 0) {
    BIO_printf(state->tls_bio, "\n---\nUntrusted chain\n");
    print_stack(state, sk, 0);
    }
    /* print associated root CA */
    if ((sk = state->tls_context->trusted) != 0) {
    BIO_printf(state->tls_bio, "\n---\nTrusted chain\n");
    print_stack(state, sk, 1);
    }
#endif
}

/* starttls - SMTP STARTTLS handshake */

static int starttls(STATE *state)
{
    VSTRING *cipher_exclusions;
    int     except;
    RESPONSE *resp;
    VSTREAM *stream = state->stream;
    TLS_CLIENT_START_PROPS tls_props;

    if (state->wrapper_mode == 0) {
    /* SMTP stream with deadline timeouts */
    smtp_stream_setup(stream, smtp_tmout, 1);
    if ((except = vstream_setjmp(stream)) != 0) {
        msg_fatal("%s while sending STARTTLS", exception_text(except));
        return (1);
    }
    command(state, state->pass == 1, "STARTTLS");

    resp = response(state, state->pass == 1);
    if (resp->code / 100 != 2) {
        msg_info("STARTTLS rejected: %d %s", resp->code, resp->str);
        return (1);
    }

    /*
     * Discard any plain-text data that may be piggybacked after the
     * server's 220 STARTTLS reply. Should we abort the session instead?
     */
    vstream_fpurge(stream, VSTREAM_PURGE_READ);
    }
#define ADD_EXCLUDE(vstr, str) \
    do { \
    if (*(str)) \
        vstring_sprintf_append((vstr), "%s%s", \
                   VSTRING_LEN(vstr) ? " " : "", (str)); \
    } while (0)

    cipher_exclusions = vstring_alloc(10);
    ADD_EXCLUDE(cipher_exclusions, DEF_SMTP_TLS_EXCL_CIPH);
    if (TLS_REQUIRED(state->level))
    ADD_EXCLUDE(cipher_exclusions, DEF_SMTP_TLS_MAND_EXCL);

    /*
     * If we're authenticating suppress anonymous ciphersuites, otherwise at
     * least encrypt, not much point in doing neither.
     */
    if (TLS_MUST_MATCH(state->level))
    ADD_EXCLUDE(cipher_exclusions, "aNULL");
    else
    ADD_EXCLUDE(cipher_exclusions, "eNULL");

    state->tls_context =
    TLS_CLIENT_START(&tls_props,
             ctx = state->tls_ctx,
             stream = stream,
             timeout = smtp_tmout,
             tls_level = state->level,
             nexthop = state->nexthop,
             host = state->hostname,
             namaddr = state->namaddrport,
             serverid = state->addrport,
             helo = state->helo ? state->helo : "",
             protocols = state->protocols,
             cipher_grade = state->grade,
             cipher_exclusions
             = vstring_str(cipher_exclusions),
             matchargv = state->match,
             mdalg = state->mdalg,
             dane = state->ddane ? state->ddane : state->dane);
    vstring_free(cipher_exclusions);
    if (state->helo) {
    myfree(state->helo);
    state->helo = 0;
    }
    if (state->tls_context == 0) {
    /* We must avoid further I/O, the peer is in an undefined state. */
    (void) vstream_fpurge(stream, VSTREAM_PURGE_BOTH);
    (void) vstream_fclose(stream);
    state->stream = 0;
    return (1);
    }
    if (state->wrapper_mode && greeting(state) != 0)
    return (1);

    if (state->pass == 1) {
    ehlo(state);
    if (!TLS_CERT_IS_PRESENT(state->tls_context))
        msg_info("Server is anonymous");
    else if (state->print_trust)
        print_trust_info(state);
    state->log_mask &= ~(TLS_LOG_CERTMATCH | TLS_LOG_PEERCERT |
                 TLS_LOG_VERBOSE | TLS_LOG_UNTRUSTED);
    state->log_mask |= TLS_LOG_CACHE | TLS_LOG_SUMMARY;
    tls_update_app_logmask(state->tls_ctx, state->log_mask);
    }
    return (0);
}

#endif

/* doproto - do SMTP handshake */

static int doproto(STATE *state)
{
    VSTREAM *stream = state->stream;
    RESPONSE *resp;
    int     except;
    int     n;
    char   *lines;
    char   *words = 0;
    char   *word;

    if (!state->wrapper_mode) {
    if (greeting(state) != 0)
        return (1);
    if ((resp = ehlo(state)) == 0)
        return (1);

    lines = resp->str;
    for (n = 0; (words = mystrtok(&lines, "\n")) != 0; ++n) {
        if ((word = mystrtok(&words, " \t=")) != 0) {
        if (n == 0)
            state->helo = mystrdup(word);
        if (strcasecmp(word, "STARTTLS") == 0)
            break;
        }
    }
    }
#ifdef USE_TLS
    if ((state->wrapper_mode || words) && state->tls_ctx)
    if (starttls(state))
        return (1);
#endif

    /*
     * Prepare for disaster.
     */
    smtp_stream_setup(stream, smtp_tmout, 1);
    if ((except = vstream_setjmp(stream)) != 0) {
    msg_warn("%s while sending QUIT command", exception_text(except));
    return (0);
    }
    command(state, 1, "QUIT");
    (void) response(state, 1);
    return (0);
}

/* connect_sock - connect a socket over some transport */

static VSTREAM *connect_sock(int sock, struct sockaddr *sa, int salen,
                   const char *name, const char *addr, STATE *state)
{
    DSN_BUF *why = state->why;
    int     conn_stat;
    int     saved_errno;
    VSTREAM *stream;

    if (conn_tmout > 0) {
    non_blocking(sock, NON_BLOCKING);
    conn_stat = timed_connect(sock, sa, salen, conn_tmout);
    saved_errno = errno;
    non_blocking(sock, BLOCKING);
    errno = saved_errno;
    } else {
    conn_stat = sane_connect(sock, sa, salen);
    }
    if (conn_stat < 0) {
    if (state->port)
        dsb_simple(why, "4.4.1", "connect to %s[%s]:%d: %m",
               name, addr, ntohs(state->port));
    else
        dsb_simple(why, "4.4.1", "connect to %s[%s]: %m", name, addr);
    close(sock);
    return (0);
    }
    stream = vstream_fdopen(sock, O_RDWR);
    state->namaddrport =
    vstring_export(state->port == 0 ?
          vstring_sprintf(vstring_alloc(10), "%s[%s]", name, addr) :
               vstring_sprintf(vstring_alloc(10), "%s[%s]:%u",
                       name, addr, ntohs(state->port)));
    state->addrport =
    vstring_export(state->port == 0 ?
               vstring_sprintf(vstring_alloc(10), "%s", addr) :
               vstring_sprintf(vstring_alloc(10), "[%s]:%u",
                       addr, ntohs(state->port)));

    /*
     * Avoid poor performance when TCP MSS > VSTREAM_BUFSIZE.
     */
    if (sa->sa_family == AF_INET
#ifdef AF_INET6
    || sa->sa_family == AF_INET6
#endif
    )
    vstream_tweak_tcp(stream);

    return (stream);
}

/* connect_unix - connect to a unix-domain socket */

static VSTREAM *connect_unix(STATE *state, const char *path)
{
    static const char *myname = "connect_unix";
    DSN_BUF *why = state->why;
    struct sockaddr_un sock_un;
    int     len = strlen(path);
    int     sock;

    if (!state->nexthop)
    state->nexthop = mystrdup(var_myhostname);
    state->hostname = mystrdup(var_myhostname);

    dsb_reset(why);             /* Paranoia */

    /*
     * Sanity checks.
     */
    if (len >= (int) sizeof(sock_un.sun_path)) {
    dsb_simple(why, "4.3.5", "unix-domain name too long: %s", path);
    return (0);
    }

    /*
     * Initialize.
     */
    memset((void *) &sock_un, 0, sizeof(sock_un));
    sock_un.sun_family = AF_UNIX;
#ifdef HAS_SUN_LEN
    sock_un.sun_len = len + 1;
#endif
    memcpy(sock_un.sun_path, path, len + 1);

    /*
     * Create a client socket.
     */
    if ((sock = socket(AF_UNIX, SOCK_STREAM, 0)) < 0)
    msg_fatal("%s: socket: %m", myname);

    /*
     * Connect to the server.
     */
    if (msg_verbose)
    msg_info("%s: trying: %s...", myname, path);

    return (connect_sock(sock, (struct sockaddr *) &sock_un, sizeof(sock_un),
             var_myhostname, path, state));
}

/* connect_addr - connect to explicit address */

static VSTREAM *connect_addr(STATE *state, DNS_RR *addr)
{
    static const char *myname = "connect_addr";
    DSN_BUF *why = state->why;
    struct sockaddr_storage ss;     /* remote */
    struct sockaddr *sa = (struct sockaddr *) &ss;
    SOCKADDR_SIZE salen = sizeof(ss);
    MAI_HOSTADDR_STR hostaddr;
    int     sock;

    dsb_reset(why);             /* Paranoia */

    /*
     * Sanity checks.
     */
    if (dns_rr_to_sa(addr, state->port, sa, &salen) != 0) {
    msg_warn("%s: skip address type %s: %m",
         myname, dns_strtype(addr->type));
    dsb_simple(why, "4.4.0", "network address conversion failed: %m");
    return (0);
    }

    /*
     * Initialize.
     */
    if ((sock = socket(sa->sa_family, SOCK_STREAM, 0)) < 0)
    msg_fatal("%s: socket: %m", myname);

    if (inet_windowsize > 0)
    set_inet_windowsize(sock, inet_windowsize);

    /*
     * Connect to the server.
     */
    SOCKADDR_TO_HOSTADDR(sa, salen, &hostaddr, (MAI_SERVPORT_STR *) 0, 0);
    if (msg_verbose)
    msg_info("%s: trying: %s[%s] port %d...",
         myname, HNAME(addr), hostaddr.buf, ntohs(state->port));

    return (connect_sock(sock, sa, salen, HNAME(addr), hostaddr.buf, state));
}

#define HAS_DSN(why)        (STR((why)->status)[0] != 0)
#define HAS_SOFT_DSN(why)   (STR((why)->status)[0] == '4')
#define HAS_HARD_DSN(why)   (STR((why)->status)[0] == '5')
#define HAS_LOOP_DSN(why) \
    (HAS_DSN(why) && strcmp(STR((why)->status) + 1, ".4.6") == 0)

#define SET_SOFT_DSN(why)   (STR((why)->status)[0] = '4')
#define SET_HARD_DSN(why)   (STR((why)->status)[0] = '5')

/* addr_one - address lookup for one host name */

static DNS_RR *addr_one(STATE *state, DNS_RR *addr_list, const char *host,
                    int res_opt, unsigned pref)
{
    static const char *myname = "addr_one";
    DSN_BUF *why = state->why;
    DNS_RR *addr = 0;
    DNS_RR *rr;
    int     aierr;
    struct addrinfo *res0;
    struct addrinfo *res;
    INET_PROTO_INFO *proto_info = inet_proto_info();
    int     found;

    if (msg_verbose)
    msg_info("%s: host %s", myname, host);

    /*
     * Interpret a numerical name as an address.
     */
    if (hostaddr_to_sockaddr(host, (char *) 0, 0, &res0) == 0
     && strchr((char *) proto_info->sa_family_list, res0->ai_family) != 0) {
    if ((addr = dns_sa_to_rr(host, pref, res0->ai_addr)) == 0)
        msg_fatal("host %s: conversion error for address family %d: %m",
            host, ((struct sockaddr *) (res0->ai_addr))->sa_family);
    addr_list = dns_rr_append(addr_list, addr);
    freeaddrinfo(res0);
    return (addr_list);
    }

    /*
     * Use DNS lookup, but keep the option open to use native name service.
     * 
     * XXX A soft error dominates past and future hard errors. Therefore we
     * should not clobber a soft error text and status code.
     */
    if (state->host_lookup & HOST_FLAG_DNS) {
    switch (dns_lookup_v(host, res_opt, &addr, (VSTRING *) 0,
                 why->reason, DNS_REQ_FLAG_NONE,
                 proto_info->dns_atype_list)) {
    case DNS_OK:
        for (rr = addr; rr; rr = rr->next)
        rr->pref = pref;
        addr_list = dns_rr_append(addr_list, addr);
        return (addr_list);
    default:
        dsb_status(why, "4.4.3");
        return (addr_list);
    case DNS_FAIL:
        dsb_status(why, HAS_SOFT_DSN(why) ? "4.4.3" : "5.4.3");
        return (addr_list);
    case DNS_INVAL:
        dsb_status(why, HAS_SOFT_DSN(why) ? "4.4.4" : "5.4.4");
        return (addr_list);
    case DNS_NOTFOUND:
        dsb_status(why, HAS_SOFT_DSN(why) ? "4.4.4" : "5.4.4");
        /* maybe native naming service will succeed */
        break;
    }
    }

    /*
     * Use the native name service which also looks in /etc/hosts.
     * 
     * XXX A soft error dominates past and future hard errors. Therefore we
     * should not clobber a soft error text and status code.
     */
#define RETRY_AI_ERROR(e) \
        ((e) == EAI_AGAIN || (e) == EAI_MEMORY || (e) == EAI_SYSTEM)
#ifdef EAI_NODATA
#define DSN_NOHOST(e) \
    ((e) == EAI_AGAIN || (e) == EAI_NODATA || (e) == EAI_NONAME)
#else
#define DSN_NOHOST(e) \
    ((e) == EAI_AGAIN || (e) == EAI_NONAME)
#endif

    if (state->host_lookup & HOST_FLAG_NATIVE) {
    if ((aierr = hostname_to_sockaddr(host, (char *) 0, 0, &res0)) != 0) {
        dsb_simple(why, (HAS_SOFT_DSN(why) || RETRY_AI_ERROR(aierr)) ?
               (DSN_NOHOST(aierr) ? "4.4.4" : "4.3.0") :
               (DSN_NOHOST(aierr) ? "5.4.4" : "5.3.0"),
               "unable to look up host %s: %s",
               host, MAI_STRERROR(aierr));
    } else {
        for (found = 0, res = res0; res != 0; res = res->ai_next) {
        if (strchr((char *) proto_info->sa_family_list, res->ai_family) == 0) {
            msg_info("skipping address family %d for host %s",
                 res->ai_family, host);
            continue;
        }
        found++;
        if ((addr = dns_sa_to_rr(host, pref, res->ai_addr)) == 0)
            msg_fatal("host %s: conversion error for address family %d: %m",
            host, ((struct sockaddr *) (res0->ai_addr))->sa_family);
        addr_list = dns_rr_append(addr_list, addr);
        }
        freeaddrinfo(res0);
        if (found == 0) {
        dsb_simple(why, HAS_SOFT_DSN(why) ? "4.4.4" : "5.4.4",
               "%s: host not found", host);
        }
        return (addr_list);
    }
    }

    /*
     * No further alternatives for host lookup.
     */
    return (addr_list);
}

/* mx_addr_list - address lookup for a list of mail exchangers */

static DNS_RR *mx_addr_list(STATE *state, DNS_RR *mx_names)
{
    static const char *myname = "mx_addr_list";
    DNS_RR *addr_list = 0;
    DNS_RR *rr;
    int     res_opt = 0;

    if (mx_names->dnssec_valid)
    res_opt = RES_USE_DNSSEC;
#ifdef USE_TLS
    else if (state->mxinsec_level > TLS_LEV_MAY)
    res_opt = RES_USE_DNSSEC;
#endif

    for (rr = mx_names; rr; rr = rr->next) {
    if (rr->type != T_MX)
        msg_panic("%s: bad resource type: %d", myname, rr->type);
    addr_list = addr_one(state, addr_list, (char *) rr->data, res_opt,
                 rr->pref);
    }
    return (addr_list);
}

/* smtp_domain_addr - mail exchanger address lookup */

static DNS_RR *domain_addr(STATE *state, char *domain)
{
    DNS_RR *mx_names;
    DNS_RR *addr_list = 0;
    int     r = 0;          /* Resolver flags */
    const char *aname;

    dsb_reset(state->why);

#if (RES_USE_DNSSEC != 0) && (RES_USE_EDNS0 != 0)
    r |= RES_USE_DNSSEC;
#endif

    /*
     * IDNA support.
     */
#ifndef NO_EAI
    if (!allascii(domain) && (aname = midna_domain_to_ascii(domain)) != 0) {
    msg_info("%s asciified to %s", domain, aname);
    } else
#endif
    aname = domain;

    switch (dns_lookup(aname, T_MX, r, &mx_names, (VSTRING *) 0,
               state->why->reason)) {
    default:
    dsb_status(state->why, "4.4.3");
    break;
    case DNS_INVAL:
    dsb_status(state->why, "5.4.4");
    break;
    case DNS_NULLMX:
    dsb_status(state->why, "5.1.0");
    break;
    case DNS_FAIL:
    dsb_status(state->why, "5.4.3");
    break;
    case DNS_OK:
    mx_names = dns_rr_sort(mx_names, dns_rr_compare_pref_any);
    addr_list = mx_addr_list(state, mx_names);
    state->mx = dns_rr_copy(mx_names);
    dns_rr_free(mx_names);
    if (addr_list == 0) {
        msg_warn("no MX host for %s has a valid address record", domain);
        break;
    }
#define COMPARE_ADDR(flags) \
    ((flags & MISC_FLAG_PREF_IPV6) ? dns_rr_compare_pref_ipv6 : \
     (flags & MISC_FLAG_PREF_IPV4) ? dns_rr_compare_pref_ipv4 : \
     dns_rr_compare_pref_any)
    if (addr_list && addr_list->next) {
        addr_list = dns_rr_shuffle(addr_list);
        addr_list = dns_rr_sort(addr_list, COMPARE_ADDR(state->addr_pref));
    }
    break;
    case DNS_NOTFOUND:
    addr_list = host_addr(state, domain);
    break;
    }

    return (addr_list);
}

/* host_addr - direct host lookup */

static DNS_RR *host_addr(STATE *state, const char *host)
{
    DSN_BUF *why = state->why;
    DNS_RR *addr_list;
    int     res_opt = 0;
    const char *ahost;

    dsb_reset(why);             /* Paranoia */

#if (RES_USE_DNSSEC != 0) && (RES_USE_EDNS0 != 0)
    res_opt |= RES_USE_DNSSEC;
#endif

    /*
     * IDNA support.
     */
#ifndef NO_EAI
    if (!allascii(host) && (ahost = midna_domain_to_ascii(host)) != 0) {
    msg_info("%s asciified to %s", host, ahost);
    } else
#endif
    ahost = host;

#define PREF0   0
    addr_list = addr_one(state, (DNS_RR *) 0, ahost, res_opt, PREF0);
    if (addr_list && addr_list->next) {
    addr_list = dns_rr_shuffle(addr_list);
    if (inet_proto_info()->ai_family_list[1] != 0)
        addr_list = dns_rr_sort(addr_list, COMPARE_ADDR(state->addr_pref));
    }
    return (addr_list);
}

/* dane_host_level - canidate host "dane" or degraded security level */

static int dane_host_level(STATE *state, DNS_RR *addr)
{
    int     level = state->level;

#ifdef USE_TLS
    if (TLS_DANE_BASED(level)) {
    if (state->mx == 0 || state->mx->dnssec_valid ||
        state->mxinsec_level > TLS_LEV_MAY) {
        if (state->log_mask & (TLS_LOG_CERTMATCH | TLS_LOG_VERBOSE))
        tls_dane_verbose(1);
        else
        tls_dane_verbose(0);

        /* See addr loop in connect_remote() */
        if (state->ddane)
        tls_dane_free(state->ddane);

        /*
         * When TLSA lookups fail, next host.  If unusable or not found,
         * fallback to "secure"
         */
        state->ddane = tls_dane_resolve(state->port, "tcp", addr,
                        state->force_tlsa);
        if (!state->ddane) {
        dsb_simple(state->why, "4.7.5",
               "TLSA lookup error for %s:%u",
               HNAME(addr), ntohs(state->port));
        level = TLS_LEV_INVALID;
        } else if (tls_dane_notfound(state->ddane)
               || tls_dane_unusable(state->ddane)) {
        if (msg_verbose || level == TLS_LEV_DANE_ONLY)
            msg_info("no %sTLSA records found, "
                 "resorting to \"secure\"",
                 tls_dane_unusable(state->ddane) ?
                 "usable " : "");
        level = TLS_LEV_SECURE;
        } else if (!TLS_DANE_HASTA(state->ddane)
               && !TLS_DANE_HASEE(state->ddane)) {
        msg_panic("DANE activated with no TLSA records to match");
        } else if (state->mx && !state->mx->dnssec_valid &&
               state->mxinsec_level == TLS_LEV_ENCRYPT) {
        msg_info("TLSA RRs found, MX RRset insecure: just encrypt");
        tls_dane_free(state->ddane);
        state->ddane = 0;
        level = TLS_LEV_ENCRYPT;
        } else {
        if (state->match)
            argv_free(state->match);
        argv_add(state->match = argv_alloc(2),
             state->ddane->base_domain, ARGV_END);
        if (state->mx) {
            if (!state->mx->dnssec_valid) {
            msg_info("MX RRset insecure: log verified as trusted");
            level = TLS_LEV_HALF_DANE;
            }
            if (strcmp(state->mx->qname, state->mx->rname) == 0)
            argv_add(state->match, state->mx->qname, ARGV_END);
            else
            argv_add(state->match, state->mx->rname,
                 state->mx->qname, ARGV_END);
        }
        }
    } else if (state->mx && !state->mx->dnssec_valid &&
           state->mxinsec_level == TLS_LEV_MAY) {
        msg_info("MX RRset is insecure: try to encrypt");
        level = TLS_LEV_MAY;
    } else {
        level = TLS_LEV_SECURE;
    }
    }
#endif

    return (level);
}

/* parse_destination - parse host/port destination */

static char *parse_destination(char *destination, char *def_service,
                           char **hostp, unsigned *portp)
{
    char   *buf = mystrdup(destination);
    char   *service;
    struct servent *sp;
    char   *protocol = "tcp";
    unsigned port;
    const char *err;

    if (msg_verbose)
    msg_info("parse_destination: %s %s", destination, def_service);

    /*
     * Parse the host/port information. We're working with a copy of the
     * destination argument so the parsing can be destructive.
     */
    if ((err = host_port(buf, hostp, (char *) 0, &service, def_service)) != 0)
    msg_fatal("%s in server description: %s", err, destination);

    /*
     * Convert service to port number, network byte order.
     */
    if (alldig(service)) {
    if ((port = atoi(service)) >= 65536 || port == 0)
        msg_fatal("bad network port in destination: %s", destination);
    *portp = htons(port);
    } else {
    if ((sp = getservbyname(service, protocol)) != 0)
        *portp = sp->s_port;
    else if (strcmp(service, "smtp") == 0)
        *portp = htons(25);
    else
        msg_fatal("unknown service: %s/%s", service, protocol);
    }
    return (buf);
}

/* connect_remote - connect to TCP destination or log an error */

static void connect_remote(STATE *state, char *dest)
{
    DNS_RR *addr;
    char   *buf;
    char   *domain;

    /* When reconnecting use IP address of previous session */
    if (state->addr == 0) {
    buf = parse_destination(dest, state->smtp ? "smtp" : "24",
                &domain, &state->port);
    if (!state->nexthop)
        state->nexthop = mystrdup(domain);
    if (state->smtp == 0 || *dest == '[')
        state->addr = host_addr(state, domain);
    else
        state->addr = domain_addr(state, domain);
    myfree(buf);

    if (state->addr == 0) {
        msg_info("Destination address lookup failed: %s",
             vstring_str(state->why->reason));
        return;
    }
    }
    for (addr = state->addr; addr; addr = addr->next) {
    int     level = dane_host_level(state, addr);

    if (level == TLS_LEV_INVALID
        || (state->stream = connect_addr(state, addr)) == 0) {
        msg_info("Failed to establish session to %s via %s: %s",
             dest, HNAME(addr), vstring_str(state->why->reason));
        continue;
    }
    /* We have a connection */
    state->level = level;
    state->hostname = mystrdup(HNAME(addr));

    /* We use the same address when reconnecting, so flush the rest. */
    addr = dns_rr_copy(addr);
    dns_rr_free(state->addr);
    state->addr = addr;
    break;
    }
}

/* connect_dest - connect to given inet: or unix: destination */

static int connect_dest(STATE *state)
{
    char   *dest = state->dest;

    /*
     * With LMTP we have direct-to-host delivery only. The destination may
     * have multiple IP addresses.
     */
    if (state->smtp == 0) {
    if (strncmp(dest, "unix:", 5) == 0) {
        connect_unix(state, dest + 5);
        if (!state->stream)
        msg_info("Failed to establish session to %s: %s",
             dest, vstring_str(state->why->reason));
        return (1);
    }
    if (strncmp(dest, "inet:", 5) == 0)
        dest += 5;
    }
    connect_remote(state, dest);

    return (state->stream == 0);
}

static void disconnect_dest(STATE *state)
{
#ifdef USE_TLS
    if (state->tls_context)
    tls_client_stop(state->tls_ctx, state->stream,
            smtp_tmout, 0, state->tls_context);
    state->tls_context = 0;
    if (state->ddane)
    tls_dane_free(state->ddane);
    state->ddane = 0;
#endif

    if (state->stream)
    vstream_fclose(state->stream);
    state->stream = 0;

    if (state->namaddrport)
    myfree(state->namaddrport);
    state->namaddrport = 0;

    if (state->addrport)
    myfree(state->addrport);
    state->addrport = 0;

    /* Reused on reconnect */
    if (state->reconnect <= 0) {
    if (state->addr)
        dns_rr_free(state->addr);
    state->addr = 0;
    if (state->mx)
        dns_rr_free(state->mx);
    state->mx = 0;

    if (state->nexthop)
        myfree(state->nexthop);
    state->nexthop = 0;
    }
    if (state->hostname)
    myfree(state->hostname);
    state->hostname = 0;

    dsb_free(state->why);
    vstring_free(state->buffer);
}

static int finger(STATE *state)
{
    int     err;

    /*
     * Make sure the SMTP server cannot run us out of memory by sending
     * never-ending lines of text.
     */
    state->buffer = vstring_alloc(100);
    vstring_ctl(state->buffer, CA_VSTRING_CTL_MAXLEN(var_line_limit), 0);
    state->why = dsb_create();

    if (!(err = connect_dest(state))) {
    if (state->pass == 1 && !state->nochat)
        msg_info("Connected to %s", state->namaddrport);
    err = doproto(state);
    }
    disconnect_dest(state);

    if (err != 0)
    return (1);

#ifdef USE_TLS
    if (state->reconnect > 0) {
    int     cache_enabled;
    int     cache_count;
    int     cache_hits;

    tlsmgrmem_status(&cache_enabled, &cache_count, &cache_hits);
    if (cache_enabled && cache_count == 0) {
        msg_info("Server declined session caching. Done reconnecting.");
        state->reconnect = 0;
    } else if (cache_hits > 0 && (state->log_mask & TLS_LOG_CACHE) != 0) {
        msg_info("Found a previously used server.  Done reconnecting.");
        state->reconnect = 0;
    } else if (state->max_reconnect-- <= 0) {
        msg_info("Maximum reconnect count reached.");
        state->reconnect = 0;
    }
    }
#endif

    return (0);
}

#if defined(USE_TLS) && OPENSSL_VERSION_NUMBER < 0x10100000L

/* ssl_cleanup - free memory allocated in the OpenSSL library */

static void ssl_cleanup(void)
{
#if OPENSSL_VERSION_NUMBER >= 0x10000000L
    ERR_remove_thread_state(0);     /* Thread-id is now a pointer */
#else
    ERR_remove_state(0);        /* Deprecated with OpenSSL 1.0.0 */
#endif
    ENGINE_cleanup();
    CONF_modules_unload(1);
    ERR_free_strings();
    EVP_cleanup();
    CRYPTO_cleanup_all_ex_data();
}

#endif                  /* USE_TLS && OPENSSL_VERSION_NUMBER
                     * < 0x10100000L */

/* run - do what we were asked to do. */

static int run(STATE *state)
{

    while (1) {
    if (finger(state) != 0)
        break;
    if (state->reconnect <= 0)
        break;
    msg_info("Reconnecting after %d seconds", state->reconnect);
    ++state->pass;
    sleep(state->reconnect);
    }

    return (0);
}

/* cleanup - free memory allocated in main */

static void cleanup(STATE *state)
{
#ifdef USE_TLS
    if (state->tls_ctx != 0)
    tls_free_app_context(state->tls_ctx);
    if (state->tls_bio)
    (void) BIO_free(state->tls_bio);
    state->tls_bio = 0;

    myfree(state->mdalg);
    myfree(state->CApath);
    myfree(state->CAfile);
    myfree(state->certfile);
    myfree(state->keyfile);
    if (state->options.level)
    myfree(state->options.level);
    myfree(state->options.logopts);
    if (state->match)
    argv_free(state->match);
    if (state->options.tas)
    argv_free(state->options.tas);
    if (state->dane)
    tls_dane_free(state->dane);

    /* Flush and free DANE TLSA cache */
    tls_dane_flush();
    /* Flush and free memory tlsmgr cache */
    tlsmgrmem_flush();
    myfree(state->grade);
    myfree(state->protocols);
#endif
    myfree(state->options.host_lookup);
    myfree(state->dest);

    mail_conf_flush();
}

/* usage - explain */

static void usage(void)
{
#ifdef USE_TLS
    fprintf(stderr, "usage: %s %s \\\n\t%s \\\n\t%s \\\n\t%s"
        " destination [match ...]\n", var_procname,
        "[-acCfSvw] [-t conn_tmout] [-T cmd_tmout] [-L logopts]",
     "[-h host_lookup] [-l level] [-d mdalg] [-g grade] [-p protocols]",
        "[-A tafile] [-F CAfile.pem] [-P CApath/] "
        "[-k certfile [-K keyfile]] [-m count] [-r delay]",
        "[-o name=value]");
#else
    fprintf(stderr, "usage: %s [-acStTv] [-h host_lookup] [-o name=value] destination\n",
        var_procname);
#endif
    exit(1);
}

/* tls_init - initialize application TLS library context */

static void tls_init(STATE *state)
{
#ifdef USE_TLS
    TLS_CLIENT_INIT_PROPS props;

    if (state->level <= TLS_LEV_NONE)
    return;

    state->tls_ctx =
    TLS_CLIENT_INIT(&props,
            log_param = "-L option",
            log_level = state->options.logopts,
            verifydepth = DEF_SMTP_TLS_SCERT_VD,
            cache_type = "memory",
            cert_file = state->certfile,
            key_file = state->keyfile,
            dcert_file = "",
            dkey_file = "",
            eccert_file = "",
            eckey_file = "",
            CAfile = state->CAfile,
            CApath = state->CApath,
            mdalg = state->mdalg);
#endif
}

/* override - update main.cf parameter */

static void override(const char *nameval)
{
    char   *param_name;
    char   *param_value;
    char   *save = mystrdup(nameval);

    if (split_nameval(save, &param_name, &param_value) != 0)
    usage();
    mail_conf_update(param_name, param_value);
    myfree(save);
}

/* parse_options - (argc, argv) -> state */

static void parse_options(STATE *state, int argc, char *argv[])
{
    int     c;

    state->smtp = 1;
    state->pass = 1;
    state->reconnect = -1;
    state->max_reconnect = 5;
    state->wrapper_mode = 0;
#ifdef USE_TLS
    state->protocols = mystrdup("!SSLv2");
    state->grade = mystrdup("medium");
#endif
    memset((void *) &state->options, 0, sizeof(state->options));
    state->options.host_lookup = mystrdup("dns");

#define OPTS "a:ch:o:St:T:v"
#ifdef USE_TLS
#define TLSOPTS "A:Cd:fF:g:k:K:l:L:m:M:p:P:r:w"

    state->mdalg = mystrdup("sha1");
    state->CApath = mystrdup("");
    state->CAfile = mystrdup("");
    state->certfile = mystrdup("");
    state->keyfile = mystrdup("");
    state->options.tas = argv_alloc(1);
    state->options.logopts = 0;
    state->level = TLS_LEV_DANE;
    state->mxinsec_level = TLS_LEV_DANE;
#else
#define TLSOPTS ""
    state->level = TLS_LEV_NONE;
#endif

    while ((c = GETOPT(argc, argv, OPTS TLSOPTS)) > 0) {
    switch (c) {
    default:
        usage();
        break;
    case 'a':
        state->options.addr_pref = mystrdup(optarg);
        break;
    case 'c':
        state->nochat = 1;
        break;
    case 'h':
        myfree(state->options.host_lookup);
        state->options.host_lookup = mystrdup(optarg);
        break;
    case 'o':
        override(optarg);
        break;
    case 'S':
        state->smtp = 0;
        break;
    case 't':
        conn_tmout = atoi(optarg);
        break;
    case 'T':
        smtp_tmout = atoi(optarg);
        break;
    case 'v':
        msg_verbose++;
        break;
#ifdef USE_TLS
    case 'A':
        argv_add(state->options.tas, optarg, ARGV_END);
        break;
    case 'C':
        state->print_trust = 1;
        break;
    case 'd':
        myfree(state->mdalg);
        state->mdalg = mystrdup(optarg);
        break;
    case 'f':
        state->force_tlsa = 1;
        break;
    case 'F':
        myfree(state->CAfile);
        state->CAfile = mystrdup(optarg);
        break;
    case 'g':
        myfree(state->grade);
        state->grade = mystrdup(optarg);
        break;
    case 'k':
        myfree(state->certfile);
        state->certfile = mystrdup(optarg);
        if (!*state->keyfile) {
        myfree(state->keyfile);
        state->keyfile = mystrdup(optarg);
        }
        break;
    case 'K':
        myfree(state->keyfile);
        state->keyfile = mystrdup(optarg);
        if (!*state->certfile) {
        myfree(state->certfile);
        state->certfile = mystrdup(optarg);
        }
        break;
    case 'l':
        if (state->options.level)
        myfree(state->options.level);
        state->options.level = mystrdup(optarg);
        break;
    case 'L':
        if (state->options.logopts)
        myfree(state->options.logopts);
        state->options.logopts = mystrdup(optarg);
        break;
    case 'm':
        state->max_reconnect = atoi(optarg);
        break;
    case 'M':
        switch (state->mxinsec_level = tls_level_lookup(optarg)) {
        case TLS_LEV_MAY:
        case TLS_LEV_ENCRYPT:
        case TLS_LEV_DANE:
        break;
        default:
        msg_fatal("bad '-M' option value: %s", optarg);
        }
        break;
    case 'p':
        myfree(state->protocols);
        state->protocols = mystrdup(optarg);
        break;
    case 'P':
        myfree(state->CApath);
        state->CApath = mystrdup(optarg);
        break;
    case 'r':
        state->reconnect = atoi(optarg);
        break;
    case 'w':
        state->wrapper_mode = 1;
        break;
#endif
    }
    }

    /*
     * Address family preference.
     */
    state->addr_pref =
    name_code(addr_pref_map, NAME_CODE_FLAG_NONE, state->options.addr_pref ?
          state->options.addr_pref : "any");
    if (state->addr_pref < 0)
    msg_fatal("bad '-a' option value: %s", state->options.addr_pref);

    /*
     * Select hostname lookup mechanisms.
     */
    state->host_lookup =
    name_mask("-h option", lookup_masks, state->options.host_lookup ?
          state->options.host_lookup : "dns");

#ifdef USE_TLS

    if (state->reconnect < 0)
    tlsmgrmem_disable();

    if (state->options.logopts == 0)
    state->options.logopts = mystrdup("routine,certmatch");
    state->log_mask = tls_log_mask("-L option", state->options.logopts);

    if (state->options.level) {
    state->level = tls_level_lookup(state->options.level);

    switch (state->level) {
    case TLS_LEV_NONE:
        if (state->wrapper_mode)
        msg_fatal("SSL wrapper mode requires that TLS not be disabled");
        return;
    case TLS_LEV_INVALID:
        msg_fatal("Invalid TLS level \"%s\"", state->options.level);
    }
    }

    /*
     * We first call tls_init(), which ultimately calls SSL_library_init(),
     * since otherwise we can't tell whether we have the message digests
     * required for DANE support.
     */
    tls_init(state);
    if (TLS_DANE_BASED(state->level) && !tls_dane_avail()) {
    msg_warn("DANE TLS support is not available, resorting to \"secure\"");
    state->level = TLS_LEV_SECURE;
    }
    state->tls_bio = 0;
    if (state->print_trust)
    state->tls_bio = BIO_new_fp(stdout, BIO_NOCLOSE);

#endif
}

/* parse_match - process match arguments */

static void parse_match(STATE *state, int argc, char *argv[])
{
#ifdef USE_TLS

    switch (state->level) {
    case TLS_LEV_SECURE:
    state->match = argv_alloc(2);
    while (*argv)
        argv_split_append(state->match, *argv++, "");
    if (state->match->argc == 0)
        argv_add(state->match, "nexthop", "dot-nexthop", ARGV_END);
    break;
    case TLS_LEV_VERIFY:
    state->match = argv_alloc(1);
    while (*argv)
        argv_split_append(state->match, *argv++, "");
    if (state->match->argc == 0)
        argv_add(state->match, "hostname", ARGV_END);
    break;
    case TLS_LEV_FPRINT:
    state->dane = tls_dane_alloc();
    while (*argv)
        tls_dane_add_ee_digests((TLS_DANE *) state->dane,
                    state->mdalg, *argv++, "");
    break;
    case TLS_LEV_DANE:
    case TLS_LEV_DANE_ONLY:
    state->match = argv_alloc(2);
    argv_add(state->match, "nexthop", "hostname", ARGV_END);
    break;
    }
#endif
}

/* parse_tas - process '-A' trust anchor file option */

static void parse_tas(STATE *state)
{
#ifdef USE_TLS
    char  **file;

    if (!state->options.tas->argc)
    return;

    switch (state->level) {
    default:
    return;
    case TLS_LEV_SECURE:
    case TLS_LEV_VERIFY:
    state->dane = tls_dane_alloc();
    for (file = state->options.tas->argv; *file; ++file) {
        if (!tls_dane_load_trustfile((TLS_DANE *) state->dane, *file))
        break;
    }
    if (*file)
        msg_fatal("Failed to load trust anchor file: %s", *file);
    break;
    }
#endif
}


int     main(int argc, char *argv[])
{
    static STATE state;
    char   *loopenv = getenv("VALGRINDLOOP");
    int     loop = loopenv ? atoi(loopenv) : 1;
    ARGV   *import_env;

    /* Don't die when a peer goes away unexpectedly. */
    signal(SIGPIPE, SIG_IGN);

    /* We're a diagnostic utility, so diagnostic messages go to stdout. */
    var_procname = mystrdup(basename(argv[0]));
    set_mail_conf_str(VAR_PROCNAME, var_procname);
    msg_vstream_init(var_procname, VSTREAM_OUT);

    /*
     * Load main.cf, parse command-line options, then process main.cf
     * settings plus any command-line "-o" overrides.
     */
    mail_conf_suck();
    parse_options(&state, argc, argv);
    mail_params_init();
    parse_tas(&state);

    /* Enforce consistent operation of different Postfix parts. */
    import_env = mail_parm_split(VAR_IMPORT_ENVIRON, var_import_environ);
    update_env(import_env->argv);
    argv_free(import_env);

    argc -= optind;
    argv += optind;

    /* The first non-option argument is the destination. */
    if (!argc)
    usage();

    state.dest = mystrdup(argv[0]);
    parse_match(&state, --argc, ++argv);

    /* Don't talk to remote systems as root */
    if (!geteuid())
    chroot_uid(0, var_mail_owner);

    while (loop-- > 0)
    run(&state);

    /* Be valgrind friendly and clean-up */
    cleanup(&state);

    /* OpenSSL 1.1.0 and later (de)initialization is implicit */
#if defined(USE_TLS) && OPENSSL_VERSION_NUMBER < 0x10100000L
    ssl_cleanup();
#endif

    return (0);
}