* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2018 */
/* Copyright (c) The Exim Maintainers 2020 - 2022 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
/* See the file NOTICE for conditions of use and distribution. */
+/* SPDX-License-Identifier: GPL-2.0-only */
/* This module provides TLS (aka SSL) support for Exim. The code for OpenSSL is
based on a patch that was originally contributed by Steve Haslam. It was
tls_set_one_watch(const uschar * filename)
# ifdef EXIM_HAVE_INOTIFY
{
+uschar buf[PATH_MAX];
+ssize_t len;
uschar * s;
if (Ustrcmp(filename, "system,cache") == 0) return TRUE;
-
if (!(s = Ustrrchr(filename, '/'))) return FALSE;
+
+for (unsigned loop = 20;
+ (len = readlink(CCS filename, CS buf, sizeof(buf))) >= 0; )
+ { /* a symlink */
+ if (--loop == 0) { errno = ELOOP; return FALSE; }
+ filename = buf[0] == '/'
+ ? string_copyn(buf, (unsigned)len) /* mem released by tls_set_watch */
+ : string_sprintf("%.*s/%.*s", (int)(s - filename), filename, (int)len, buf);
+ s = Ustrrchr(filename, '/');
+ }
+if (errno != EINVAL)
+ return FALSE; /* other error */
+
+/* not a symlink */
s = string_copyn(filename, s - filename); /* mem released by tls_set_watch */
-DEBUG(D_tls) debug_printf("watch dir '%s'\n", s);
-/*XXX unclear what effect symlinked files will have for inotify */
+DEBUG(D_tls) debug_printf("watch dir '%s'\n", s);
if (inotify_add_watch(tls_watch_fd, CCS s,
IN_ONESHOT | IN_CLOSE_WRITE | IN_DELETE | IN_DELETE_SELF
#endif
tls_server_creds_invalidate();
+
+/* _expire is for a time-limited selfsign server cert */
tls_creds_expire = (lifetime = tls_server_creds_init())
? time(NULL) + lifetime : 0;
tls_client_resmption_key(tls_support * tlsp, smtp_connect_args * conn_args,
smtp_transport_options_block * ob)
{
+#ifndef DISABLE_TLS_RESUME
hctx * h = &tlsp->resume_hctx;
blob b;
gstring * g;
-#ifdef EXIM_HAVE_SHA2
+DEBUG(D_tls) if (conn_args->host_lbserver)
+ debug_printf("TLS: lbserver '%s'\n", conn_args->host_lbserver);
+
+# ifdef EXIM_HAVE_SHA2
exim_sha_init(h, HASH_SHA2_256);
-#else
+# else
exim_sha_init(h, HASH_SHA1);
-#endif
-
-// TODO: word from server EHLO resp /* how, fer gossakes? Add item to conn_args or tls_support? */
-
+# endif
+exim_sha_update_string(h, conn_args->host_lbserver);
+# ifdef SUPPORT_DANE
if (conn_args->dane)
exim_sha_update(h, CUS &conn_args->tlsa_dnsa, sizeof(dns_answer));
+# endif
exim_sha_update_string(h, conn_args->host->address);
exim_sha_update(h, CUS &conn_args->host->port, sizeof(conn_args->host->port));
exim_sha_update_string(h, conn_args->sending_ip_address);
exim_sha_update_string(h, openssl_options);
exim_sha_update_string(h, ob->tls_require_ciphers);
exim_sha_update_string(h, tlsp->sni);
-#ifdef EXIM_HAVE_ALPN
+# ifdef EXIM_HAVE_ALPN
exim_sha_update_string(h, ob->tls_alpn);
-#endif
+# endif
exim_sha_finish(h, &b);
for (g = string_get(b.len*2+1); b.len-- > 0; )
g = string_fmt_append(g, "%02x", *b.data++);
tlsp->resume_index = string_from_gstring(g);
DEBUG(D_tls) debug_printf("TLS: resume session index %s\n", tlsp->resume_index);
+#endif
}
#endif /*!DISABLE_TLS*/
git://git.exim.org / exim.git / blobdiff