X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/3d040d098384c48be39e47862d55cac1bc0c578c..a85c067ba6c6940512cf57ec213277a370d87e70:/src/src/tls.c diff --git a/src/src/tls.c b/src/src/tls.c index a988c7505..9e20b5bca 100644 --- a/src/src/tls.c +++ b/src/src/tls.c @@ -2,9 +2,10 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) University of Cambridge 1995 - 2018 */ /* Copyright (c) The Exim Maintainers 2020 - 2022 */ +/* Copyright (c) University of Cambridge 1995 - 2018 */ /* See the file NOTICE for conditions of use and distribution. */ +/* SPDX-License-Identifier: GPL-2.0-only */ /* This module provides TLS (aka SSL) support for Exim. The code for OpenSSL is based on a patch that was originally contributed by Steve Haslam. It was @@ -143,15 +144,29 @@ static BOOL tls_set_one_watch(const uschar * filename) # ifdef EXIM_HAVE_INOTIFY { +uschar buf[PATH_MAX]; +ssize_t len; uschar * s; if (Ustrcmp(filename, "system,cache") == 0) return TRUE; - if (!(s = Ustrrchr(filename, '/'))) return FALSE; + +for (unsigned loop = 20; + (len = readlink(CCS filename, CS buf, sizeof(buf))) >= 0; ) + { /* a symlink */ + if (--loop == 0) { errno = ELOOP; return FALSE; } + filename = buf[0] == '/' + ? string_copyn(buf, (unsigned)len) /* mem released by tls_set_watch */ + : string_sprintf("%.*s/%.*s", (int)(s - filename), filename, (int)len, buf); + s = Ustrrchr(filename, '/'); + } +if (errno != EINVAL) + return FALSE; /* other error */ + +/* not a symlink */ s = string_copyn(filename, s - filename); /* mem released by tls_set_watch */ -DEBUG(D_tls) debug_printf("watch dir '%s'\n", s); -/*XXX unclear what effect symlinked files will have for inotify */ +DEBUG(D_tls) debug_printf("watch dir '%s'\n", s); if (inotify_add_watch(tls_watch_fd, CCS s, IN_ONESHOT | IN_CLOSE_WRITE | IN_DELETE | IN_DELETE_SELF @@ -347,6 +362,8 @@ tls_watch_invalidate(); #endif tls_server_creds_invalidate(); + +/* _expire is for a time-limited selfsign server cert */ tls_creds_expire = (lifetime = tls_server_creds_init()) ? time(NULL) + lifetime : 0; @@ -800,38 +817,39 @@ static void tls_client_resmption_key(tls_support * tlsp, smtp_connect_args * conn_args, smtp_transport_options_block * ob) { +#ifndef DISABLE_TLS_RESUME hctx * h = &tlsp->resume_hctx; blob b; gstring * g; -#ifdef EXIM_HAVE_SHA2 +DEBUG(D_tls) if (conn_args->host_lbserver) + debug_printf("TLS: lbserver '%s'\n", conn_args->host_lbserver); + +# ifdef EXIM_HAVE_SHA2 exim_sha_init(h, HASH_SHA2_256); -#else +# else exim_sha_init(h, HASH_SHA1); -#endif - -// TODO: word from server EHLO resp /* how, fer gossakes? Add item to conn_args or tls_support? */ - +# endif +exim_sha_update_string(h, conn_args->host_lbserver); +# ifdef SUPPORT_DANE if (conn_args->dane) - exim_sha_update(h, CUS &conn_args->tlsa_dnsa, sizeof(dns_answer)); -exim_sha_update(h, conn_args->host->address, Ustrlen(conn_args->host->address)); + exim_sha_update(h, CUS &conn_args->tlsa_dnsa, sizeof(dns_answer)); +# endif +exim_sha_update_string(h, conn_args->host->address); exim_sha_update(h, CUS &conn_args->host->port, sizeof(conn_args->host->port)); -exim_sha_update(h, conn_args->sending_ip_address, Ustrlen(conn_args->sending_ip_address)); -if (openssl_options) - exim_sha_update(h, openssl_options, Ustrlen(openssl_options)); -if (ob->tls_require_ciphers) - exim_sha_update(h, ob->tls_require_ciphers, Ustrlen(ob->tls_require_ciphers)); -if (tlsp->sni) - exim_sha_update(h, tlsp->sni, Ustrlen(tlsp->sni)); -#ifdef EXIM_HAVE_ALPN -if (ob->tls_alpn) - exim_sha_update(h, ob->tls_alpn, Ustrlen(ob->tls_alpn)); -#endif +exim_sha_update_string(h, conn_args->sending_ip_address); +exim_sha_update_string(h, openssl_options); +exim_sha_update_string(h, ob->tls_require_ciphers); +exim_sha_update_string(h, tlsp->sni); +# ifdef EXIM_HAVE_ALPN +exim_sha_update_string(h, ob->tls_alpn); +# endif exim_sha_finish(h, &b); for (g = string_get(b.len*2+1); b.len-- > 0; ) g = string_fmt_append(g, "%02x", *b.data++); tlsp->resume_index = string_from_gstring(g); DEBUG(D_tls) debug_printf("TLS: resume session index %s\n", tlsp->resume_index); +#endif } #endif /*!DISABLE_TLS*/