#include "exim.h"
#include "transports/smtp.h"
-#if defined(MACRO_PREDEF) && defined(SUPPORT_TLS)
+#if !defined(DISABLE_TLS) && !defined(USE_OPENSSL) && !defined(USE_GNUTLS)
+# error One of USE_OPENSSL or USE_GNUTLS must be defined for a TLS build
+#endif
+
+
+#if defined(MACRO_PREDEF) && !defined(DISABLE_TLS)
# include "macro_predef.h"
# ifdef USE_GNUTLS
# include "tls-gnu.c"
in a dummy argument to stop even pickier compilers complaining about infinite
loops. */
-#ifndef SUPPORT_TLS
+#ifdef DISABLE_TLS
static void dummy(int x) { dummy(x-1); }
#else
can switch, so we can do TLS callouts during ACLs. */
static const int ssl_xfer_buffer_size = 4096;
-#ifndef USE_GNUTLS
+#ifdef USE_OPENSSL
static uschar *ssl_xfer_buffer = NULL;
static int ssl_xfer_buffer_lwm = 0;
static int ssl_xfer_buffer_hwm = 0;
#ifdef USE_GNUTLS
# include "tls-gnu.c"
# include "tlscert-gnu.c"
-
# define ssl_xfer_buffer (state_server.xfer_buffer)
# define ssl_xfer_buffer_lwm (state_server.xfer_buffer_lwm)
# define ssl_xfer_buffer_hwm (state_server.xfer_buffer_hwm)
# define ssl_xfer_eof (state_server.xfer_eof)
# define ssl_xfer_error (state_server.xfer_error)
+#endif
-#else
+#ifdef USE_OPENSSL
# include "tls-openssl.c"
# include "tlscert-openssl.c"
#endif
}
-#endif /* SUPPORT_TLS */
+#endif /*DISABLE_TLS*/
void
tls_modify_variables(tls_support * dest_tsp)
modify_variable(US"tls_certificate_verified", &dest_tsp->certificate_verified);
modify_variable(US"tls_cipher", &dest_tsp->cipher);
modify_variable(US"tls_peerdn", &dest_tsp->peerdn);
-#if defined(SUPPORT_TLS) && !defined(USE_GNUTLS)
+#ifdef USE_OPENSSL
modify_variable(US"tls_sni", &dest_tsp->sni);
#endif
}
-#ifdef SUPPORT_TLS
+#ifndef DISABLE_TLS
/************************************************
* TLS certificate name operations *
************************************************/
}
return FALSE;
}
-#endif /*SUPPORT_TLS*/
+
+
+/* Environment cleanup: The GnuTLS library uses SSLKEYLOGFILE in the environment
+and writes a file by that name. Our OpenSSL code does the same, using keying
+info from the library API.
+The GnuTLS support only works if exim is run by root, not taking advantage of
+the setuid bit.
+You can use either the external environment (modulo the keep_environment config)
+or the add_environment config option for SSLKEYLOGFILE; the latter takes
+precedence.
+
+If the path is absolute, require it starts with the spooldir; otherwise delete
+the env variable. If relative, prefix the spooldir.
+*/
+void
+tls_clean_env(void)
+{
+uschar * path = US getenv("SSLKEYLOGFILE");
+if (path)
+ if (!*path)
+ unsetenv("SSLKEYLOGFILE");
+ else if (*path != '/')
+ {
+ DEBUG(D_tls)
+ debug_printf("prepending spooldir to env SSLKEYLOGFILE\n");
+ setenv("SSLKEYLOGFILE", CCS string_sprintf("%s/%s", spool_directory, path), 1);
+ }
+ else if (Ustrncmp(path, spool_directory, Ustrlen(spool_directory)) != 0)
+ {
+ DEBUG(D_tls)
+ debug_printf("removing env SSLKEYLOGFILE=%s: not under spooldir\n", path);
+ unsetenv("SSLKEYLOGFILE");
+ }
+}
+#endif /*!DISABLE_TLS*/
#endif /*!MACRO_PREDEF*/
/* vi: aw ai sw=2