Call initgroups() when dropping privilege, in order that Exim runs with

[exim.git] / src / src / tls-gnu.c

diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index a3ecbeb10aee888ea9611fc53bdb64b32dfbe582..31f226b4e3b1db024dc0cb7e98875f517c67e997 100644 (file)
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -1,10 +1,10 @@
-/* $Cambridge: exim/src/src/tls-gnu.c,v 1.9 2005/06/27 14:29:44 ph10 Exp $ */
+/* $Cambridge: exim/src/src/tls-gnu.c,v 1.12 2006/02/14 14:12:07 ph10 Exp $ */
 
 /*************************************************
 *     Exim - an Internet mail transport agent    *
 *************************************************/
 
-/* Copyright (c) University of Cambridge 1995 - 2005 */
+/* Copyright (c) University of Cambridge 1995 - 2006 */
 /* See the file NOTICE for conditions of use and distribution. */
 
 /* This module provides TLS (aka SSL) support for Exim using the GnuTLS
@@ -256,7 +256,7 @@ static int
 init_rsa_dh(host_item *host)
 {
 int fd;
-int ret = -1;
+int ret;
 gnutls_datum m;
 uschar filename[200];
 
@@ -299,6 +299,7 @@ if (fd >= 0)
   (void)close(fd);
 
   ret = gnutls_rsa_params_import_pkcs1(rsa_params, &m, GNUTLS_X509_FMT_PEM);
+
   if (ret < 0)
     {
     DEBUG(D_tls)
@@ -318,7 +319,13 @@ if (fd >= 0)
 /* If the file does not exist, fall through to compute new data and cache it.
 If there was any other opening error, it is serious. */
 
-else if (errno != ENOENT)
+else if (errno == ENOENT)
+  {
+  ret = -1;
+  DEBUG(D_tls)
+    debug_printf("parameter cache file %s does not exist\n", filename);
+  }
+else
   return tls_error(string_open_failed(errno, "%s for reading", filename),
     host, 0);
 
@@ -391,7 +398,8 @@ if (ret < 0)
     return tls_error(string_sprintf("failed to rename %s as %s: %s",
       tempfilename, filename, strerror(errno)), host, 0);
 
-  DEBUG(D_tls) debug_printf("wrote RSA and D-H parameters to file\n");
+  DEBUG(D_tls) debug_printf("wrote RSA and D-H parameters to file %s\n",
+    filename);
   }
 
 DEBUG(D_tls) debug_printf("initialized RSA and D-H parameters\n");
@@ -447,12 +455,19 @@ may be required for different sessions. */
 if (!expand_check(certificate, US"tls_certificate", &cert_expanded))
   return DEFER;
 
+key_expanded = NULL;
 if (privatekey != NULL)
   {
   if (!expand_check(privatekey, US"tls_privatekey", &key_expanded))
     return DEFER;
   }
-else key_expanded = cert_expanded;
+
+/* If expansion was forced to fail, key_expanded will be NULL. If the result of
+the expansion is an empty string, ignore it also, and assume that the private
+key is in the same file as the certificate. */
+
+if (key_expanded == NULL || *key_expanded == 0)
+  key_expanded = cert_expanded;
 
 /* Set the certificate and private keys */