X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/31f5b3492bde6a055c0c349a3d46718bd5a7e4f0..cb45303cf2a8d9922702f13db42b3285c48f6aa7:/src/src/tls.c diff --git a/src/src/tls.c b/src/src/tls.c index e073eadbe..bc3261ad2 100644 --- a/src/src/tls.c +++ b/src/src/tls.c @@ -3,7 +3,7 @@ *************************************************/ /* Copyright (c) University of Cambridge 1995 - 2018 */ -/* Copyright (c) The Exim Maintainers 2020 */ +/* Copyright (c) The Exim Maintainers 2020 - 2021 */ /* See the file NOTICE for conditions of use and distribution. */ /* This module provides TLS (aka SSL) support for Exim. The code for OpenSSL is @@ -158,8 +158,8 @@ return FALSE; # endif # ifdef EXIM_HAVE_KEVENT { -uschar * s; -int fd1, fd2, i, cnt = 0; +uschar * s, * t; +int fd1, fd2, i, j, cnt = 0; struct stat sb; #ifdef OpenBSD struct kevent k_dummy; @@ -185,8 +185,8 @@ for (;;) { if ((fd1 = open(CCS filename, O_RDONLY | O_NOFOLLOW)) < 0) { s = US"open file"; goto bad; } - DEBUG(D_tls) debug_printf("watch file '%s'\n", filename); - EV_SET(&kev[++kev_used], + DEBUG(D_tls) debug_printf("watch file '%s':\t%d\n", filename, fd1); + EV_SET(&kev[kev_used++], (uintptr_t)fd1, EVFILT_VNODE, EV_ADD | EV_ENABLE | EV_ONESHOT, @@ -196,8 +196,8 @@ for (;;) NULL); cnt++; } - DEBUG(D_tls) debug_printf("watch dir '%s'\n", s); - EV_SET(&kev[++kev_used], + DEBUG(D_tls) debug_printf("watch dir '%s':\t%d\n", s, fd2); + EV_SET(&kev[kev_used++], (uintptr_t)fd2, EVFILT_VNODE, EV_ADD | EV_ENABLE | EV_ONESHOT, @@ -209,11 +209,14 @@ for (;;) if (!(S_ISLNK(sb.st_mode))) break; - s = store_get(1024, FALSE); - if ((i = readlink(CCS filename, (void *)s, 1024)) < 0) { s = US"readlink"; goto bad; } - filename = s; - *(s += i) = '\0'; - store_release_above(s+1); + t = store_get(1024, GET_UNTAINTED); + Ustrncpy(t, s, 1022); + j = Ustrlen(s); + t[j++] = '/'; + if ((i = readlink(CCS filename, (void *)(t+j), 1023-j)) < 0) { s = US"readlink"; goto bad; } + filename = t; + *(t += i+j) = '\0'; + store_release_above(t+1); } #ifdef OpenBSD @@ -317,6 +320,7 @@ if (tls_watch_fd < 0) return; /* Close the files we had open for kevent */ for (int i = 0; i < kev_used; i++) { + DEBUG(D_tls) debug_printf("closing watch fd: %d\n", (int) kev[i].ident); (void) close((int) kev[i].ident); kev[i].ident = (uintptr_t)-1; } @@ -356,11 +360,18 @@ opt_unset_or_noexpand(const uschar * opt) -/* Called every time round the daemon loop */ +/* Called every time round the daemon loop. -void +If we reloaded fd-watcher, return the old watch fd +having modified the global for the new one. Otherwise +return -1. +*/ + +int tls_daemon_tick(void) { +int old_watch_fd = tls_watch_fd; + tls_per_lib_daemon_tick(); #if defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT) if (tls_creds_expire && time(NULL) >= tls_creds_expire) @@ -372,6 +383,7 @@ if (tls_creds_expire && time(NULL) >= tls_creds_expire) DEBUG(D_tls) debug_printf("selfsign cert rotate\n"); tls_creds_expire = 0; tls_daemon_creds_reload(); + return old_watch_fd; } else if (tls_watch_trigger_time && time(NULL) >= tls_watch_trigger_time + 5) { @@ -383,8 +395,10 @@ else if (tls_watch_trigger_time && time(NULL) >= tls_watch_trigger_time + 5) DEBUG(D_tls) debug_printf("watch triggered\n"); tls_watch_trigger_time = tls_creds_expire = 0; tls_daemon_creds_reload(); + return old_watch_fd; } #endif +return -1; } /* Called once at daemon startup */ @@ -672,7 +686,6 @@ else if ((subjdn = tls_cert_subject(cert, NULL))) return FALSE; } - /* Environment cleanup: The GnuTLS library uses SSLKEYLOGFILE in the environment and writes a file by that name. Our OpenSSL code does the same, using keying info from the library API.