git://git.exim.org
/
exim.git
/ blobdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
|
commitdiff
|
tree
raw
|
inline
| side by side
Hintsdb: fix build config phase for sqlite
[exim.git]
/
src
/
src
/
tls.c
diff --git
a/src/src/tls.c
b/src/src/tls.c
index 825313a9a25de7f25792fab31deb8ecabda96941..a1ae1abd1063d13c06c6bdfa0606cb39150b6ede 100644
(file)
--- a/
src/src/tls.c
+++ b/
src/src/tls.c
@@
-2,7
+2,7
@@
* Exim - an Internet mail transport agent *
*************************************************/
* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) The Exim Maintainers 2020 - 202
2
*/
+/* Copyright (c) The Exim Maintainers 2020 - 202
4
*/
/* Copyright (c) University of Cambridge 1995 - 2018 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
/* Copyright (c) University of Cambridge 1995 - 2018 */
/* See the file NOTICE for conditions of use and distribution. */
/* SPDX-License-Identifier: GPL-2.0-or-later */
@@
-40,13
+40,16
@@
functions from the OpenSSL or GNU TLS libraries. */
static void tls_per_lib_daemon_init(void);
static void tls_per_lib_daemon_tick(void);
static unsigned tls_server_creds_init(void);
static void tls_per_lib_daemon_init(void);
static void tls_per_lib_daemon_tick(void);
static unsigned tls_server_creds_init(void);
-static void tls_server_creds_invalidate(void);
static void tls_client_creds_init(transport_instance *, BOOL);
static void tls_client_creds_init(transport_instance *, BOOL);
-static void tls_client_creds_invalidate(transport_instance *);
static void tls_daemon_creds_reload(void);
static BOOL opt_set_and_noexpand(const uschar *);
static BOOL opt_unset_or_noexpand(const uschar *);
static void tls_daemon_creds_reload(void);
static BOOL opt_set_and_noexpand(const uschar *);
static BOOL opt_unset_or_noexpand(const uschar *);
+#if defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT)
+static void tls_server_creds_invalidate(void);
+static void tls_client_creds_invalidate(transport_instance *);
+#endif
+
/* This module is compiled only when it is specifically requested in the
/* This module is compiled only when it is specifically requested in the
@@
-105,7
+108,10
@@
expand_check(const uschar * s, const uschar * name,
uschar ** result, uschar ** errstr)
{
if (!s)
uschar ** result, uschar ** errstr)
{
if (!s)
+ {
+ f.expand_string_forcedfail = FALSE;
*result = NULL;
*result = NULL;
+ }
else if ( !(*result = expand_string(US s)) /* need to clean up const more */
&& !f.expand_string_forcedfail
)
else if ( !(*result = expand_string(US s)) /* need to clean up const more */
&& !f.expand_string_forcedfail
)
@@
-321,7
+327,9
@@
tls_client_creds_reload(BOOL watch)
for(transport_instance * t = transports; t; t = t->next)
if (Ustrcmp(t->driver_name, "smtp") == 0)
{
for(transport_instance * t = transports; t; t = t->next)
if (Ustrcmp(t->driver_name, "smtp") == 0)
{
+#if defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT)
tls_client_creds_invalidate(t);
tls_client_creds_invalidate(t);
+#endif
tls_client_creds_init(t, watch);
}
}
tls_client_creds_init(t, watch);
}
}
@@
-357,7
+365,9
@@
unsigned lifetime;
tls_watch_invalidate();
#endif
tls_watch_invalidate();
#endif
+#if defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT)
tls_server_creds_invalidate();
tls_server_creds_invalidate();
+#endif
/* _expire is for a time-limited selfsign server cert */
tls_creds_expire = (lifetime = tls_server_creds_init())
/* _expire is for a time-limited selfsign server cert */
tls_creds_expire = (lifetime = tls_server_creds_init())
@@
-670,21
+680,24
@@
Returns:
BOOL
tls_is_name_for_cert(const uschar * namelist, void * cert)
{
BOOL
tls_is_name_for_cert(const uschar * namelist, void * cert)
{
-uschar * altnames = tls_cert_subject_altname(cert, US"dns");
-uschar * subjdn;
-uschar * certname;
+uschar * altnames, * subjdn, * certname, * cmpname;
int cmp_sep = 0;
int cmp_sep = 0;
-uschar * cmpname;
if ((altnames = tls_cert_subject_altname(cert, US"dns")))
{
int alt_sep = '\n';
if ((altnames = tls_cert_subject_altname(cert, US"dns")))
{
int alt_sep = '\n';
+ DEBUG(D_tls|D_lookup) debug_printf_indent("cert has SAN\n");
while ((cmpname = string_nextinlist(&namelist, &cmp_sep, NULL, 0)))
{
const uschar * an = altnames;
while ((cmpname = string_nextinlist(&namelist, &cmp_sep, NULL, 0)))
{
const uschar * an = altnames;
+ DEBUG(D_tls|D_lookup) debug_printf_indent(" %s in SANs?", cmpname);
while ((certname = string_nextinlist(&an, &alt_sep, NULL, 0)))
if (is_name_match(cmpname, certname))
while ((certname = string_nextinlist(&an, &alt_sep, NULL, 0)))
if (is_name_match(cmpname, certname))
+ {
+ DEBUG(D_tls|D_lookup) debug_printf_indent(" yes (matched %s)\n", certname);
return TRUE;
return TRUE;
+ }
+ DEBUG(D_tls|D_lookup) debug_printf_indent(" no (end of SAN list)\n");
}
}
}
}
@@
-696,13
+709,18
@@
else if ((subjdn = tls_cert_subject(cert, NULL)))
while ((cmpname = string_nextinlist(&namelist, &cmp_sep, NULL, 0)))
{
const uschar * sn = subjdn;
while ((cmpname = string_nextinlist(&namelist, &cmp_sep, NULL, 0)))
{
const uschar * sn = subjdn;
+ DEBUG(D_tls|D_lookup) debug_printf_indent(" %s in SN?", cmpname);
while ((certname = string_nextinlist(&sn, &sn_sep, NULL, 0)))
if ( *certname++ == 'C'
&& *certname++ == 'N'
&& *certname++ == '='
&& is_name_match(cmpname, certname)
)
while ((certname = string_nextinlist(&sn, &sn_sep, NULL, 0)))
if ( *certname++ == 'C'
&& *certname++ == 'N'
&& *certname++ == '='
&& is_name_match(cmpname, certname)
)
+ {
+ DEBUG(D_tls|D_lookup) debug_printf_indent(" yes (matched %s)\n", certname);
return TRUE;
return TRUE;
+ }
+ DEBUG(D_tls|D_lookup) debug_printf_indent(" no (end of CN)\n");
}
}
return FALSE;
}
}
return FALSE;