Support PIPECONNECT with helo_data using the local IP, when interface is known.

[exim.git] / src / src / tls.c

diff --git a/src/src/tls.c b/src/src/tls.c
index e073eadbeb3f47a4c12ed72ce1246324a6589888..bc3261ad2a0eda32f757fac9d04d3a2a2aab6ebc 100644 (file)
--- a/src/src/tls.c
+++ b/src/src/tls.c
@@ -3,7 +3,7 @@
 *************************************************/
 
 /* Copyright (c) University of Cambridge 1995 - 2018 */
 *************************************************/
 
 /* Copyright (c) University of Cambridge 1995 - 2018 */

-/* Copyright (c) The Exim Maintainers 2020 */
+/* Copyright (c) The Exim Maintainers 2020 - 2021 */

 /* See the file NOTICE for conditions of use and distribution. */
 
 /* This module provides TLS (aka SSL) support for Exim. The code for OpenSSL is
 /* See the file NOTICE for conditions of use and distribution. */
 
 /* This module provides TLS (aka SSL) support for Exim. The code for OpenSSL is


@@ -158,8 +158,8 @@ return FALSE;
 # endif
 # ifdef EXIM_HAVE_KEVENT
 {
 # endif
 # ifdef EXIM_HAVE_KEVENT
 {

-uschar * s;
-int fd1, fd2, i, cnt = 0;
+uschar * s, * t;
+int fd1, fd2, i, j, cnt = 0;

 struct stat sb;
 #ifdef OpenBSD
 struct kevent k_dummy;
 struct stat sb;
 #ifdef OpenBSD
 struct kevent k_dummy;


@@ -185,8 +185,8 @@ for (;;)
     {
     if ((fd1 = open(CCS filename, O_RDONLY | O_NOFOLLOW)) < 0)
       { s = US"open file"; goto bad; }
     {
     if ((fd1 = open(CCS filename, O_RDONLY | O_NOFOLLOW)) < 0)
       { s = US"open file"; goto bad; }

-    DEBUG(D_tls) debug_printf("watch file '%s'\n", filename);
-    EV_SET(&kev[++kev_used],
+    DEBUG(D_tls) debug_printf("watch file '%s':\t%d\n", filename, fd1);
+    EV_SET(&kev[kev_used++],

        (uintptr_t)fd1,
        EVFILT_VNODE,
        EV_ADD | EV_ENABLE | EV_ONESHOT,
        (uintptr_t)fd1,
        EVFILT_VNODE,
        EV_ADD | EV_ENABLE | EV_ONESHOT,


@@ -196,8 +196,8 @@ for (;;)
        NULL);
     cnt++;
     }
        NULL);
     cnt++;
     }

-  DEBUG(D_tls) debug_printf("watch dir  '%s'\n", s);
-  EV_SET(&kev[++kev_used],
+  DEBUG(D_tls) debug_printf("watch dir  '%s':\t%d\n", s, fd2);
+  EV_SET(&kev[kev_used++],

        (uintptr_t)fd2,
        EVFILT_VNODE,
        EV_ADD | EV_ENABLE | EV_ONESHOT,
        (uintptr_t)fd2,
        EVFILT_VNODE,
        EV_ADD | EV_ENABLE | EV_ONESHOT,


@@ -209,11 +209,14 @@ for (;;)
 
   if (!(S_ISLNK(sb.st_mode))) break;
 
 
   if (!(S_ISLNK(sb.st_mode))) break;
 

-  s = store_get(1024, FALSE);
-  if ((i = readlink(CCS filename, (void *)s, 1024)) < 0) { s = US"readlink"; goto bad; }
-  filename = s;
-  *(s += i) = '\0';
-  store_release_above(s+1);
+  t = store_get(1024, GET_UNTAINTED);
+  Ustrncpy(t, s, 1022);
+  j = Ustrlen(s);
+  t[j++] = '/';
+  if ((i = readlink(CCS filename, (void *)(t+j), 1023-j)) < 0) { s = US"readlink"; goto bad; }
+  filename = t;
+  *(t += i+j) = '\0';
+  store_release_above(t+1);

   }
 
 #ifdef OpenBSD
   }
 
 #ifdef OpenBSD


@@ -317,6 +320,7 @@ if (tls_watch_fd < 0) return;
 /* Close the files we had open for kevent */
 for (int i = 0; i < kev_used; i++)
   {
 /* Close the files we had open for kevent */
 for (int i = 0; i < kev_used; i++)
   {

+  DEBUG(D_tls) debug_printf("closing watch fd: %d\n", (int) kev[i].ident);

   (void) close((int) kev[i].ident);
   kev[i].ident = (uintptr_t)-1;
   }
   (void) close((int) kev[i].ident);
   kev[i].ident = (uintptr_t)-1;
   }


@@ -356,11 +360,18 @@ opt_unset_or_noexpand(const uschar * opt)
 
 
 
 
 
 

-/* Called every time round the daemon loop */
+/* Called every time round the daemon loop.

 
 

-void
+If we reloaded fd-watcher, return the old watch fd
+having modified the global for the new one. Otherwise
+return -1.
+*/
+
+int

 tls_daemon_tick(void)
 {
 tls_daemon_tick(void)
 {

+int old_watch_fd = tls_watch_fd;
+

 tls_per_lib_daemon_tick();
 #if defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT)
 if (tls_creds_expire && time(NULL) >= tls_creds_expire)
 tls_per_lib_daemon_tick();
 #if defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT)
 if (tls_creds_expire && time(NULL) >= tls_creds_expire)


@@ -372,6 +383,7 @@ if (tls_creds_expire && time(NULL) >= tls_creds_expire)
   DEBUG(D_tls) debug_printf("selfsign cert rotate\n");
   tls_creds_expire = 0;
   tls_daemon_creds_reload();
   DEBUG(D_tls) debug_printf("selfsign cert rotate\n");
   tls_creds_expire = 0;
   tls_daemon_creds_reload();

+  return old_watch_fd;

   }
 else if (tls_watch_trigger_time && time(NULL) >= tls_watch_trigger_time + 5)
   {
   }
 else if (tls_watch_trigger_time && time(NULL) >= tls_watch_trigger_time + 5)
   {


@@ -383,8 +395,10 @@ else if (tls_watch_trigger_time && time(NULL) >= tls_watch_trigger_time + 5)
   DEBUG(D_tls) debug_printf("watch triggered\n");
   tls_watch_trigger_time = tls_creds_expire = 0;
   tls_daemon_creds_reload();
   DEBUG(D_tls) debug_printf("watch triggered\n");
   tls_watch_trigger_time = tls_creds_expire = 0;
   tls_daemon_creds_reload();

+  return old_watch_fd;

   }
 #endif
   }
 #endif

+return -1;

 }
 
 /* Called once at daemon startup */
 }
 
 /* Called once at daemon startup */


@@ -672,7 +686,6 @@ else if ((subjdn = tls_cert_subject(cert, NULL)))
 return FALSE;
 }
 
 return FALSE;
 }
 

-

 /* Environment cleanup: The GnuTLS library uses SSLKEYLOGFILE in the environment
 and writes a file by that name.  Our OpenSSL code does the same, using keying
 info from the library API.
 /* Environment cleanup: The GnuTLS library uses SSLKEYLOGFILE in the environment
 and writes a file by that name.  Our OpenSSL code does the same, using keying
 info from the library API.