X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/65fe26cc962035dbe3b4462f330f6959c3b78417..b07d141af23f2ab160eba2b58a834baee513b3f8:/src/src/tls.c diff --git a/src/src/tls.c b/src/src/tls.c index ddee95de2..e6b1bf7a7 100644 --- a/src/src/tls.c +++ b/src/src/tls.c @@ -3,7 +3,7 @@ *************************************************/ /* Copyright (c) University of Cambridge 1995 - 2018 */ -/* Copyright (c) The Exim Maintainers 2020 */ +/* Copyright (c) The Exim Maintainers 2020 - 2021 */ /* See the file NOTICE for conditions of use and distribution. */ /* This module provides TLS (aka SSL) support for Exim. The code for OpenSSL is @@ -158,8 +158,8 @@ return FALSE; # endif # ifdef EXIM_HAVE_KEVENT { -uschar * s; -int fd1, fd2, i, cnt = 0; +uschar * s, * t; +int fd1, fd2, i, j, cnt = 0; struct stat sb; #ifdef OpenBSD struct kevent k_dummy; @@ -185,8 +185,8 @@ for (;;) { if ((fd1 = open(CCS filename, O_RDONLY | O_NOFOLLOW)) < 0) { s = US"open file"; goto bad; } - DEBUG(D_tls) debug_printf("watch file '%s'\n", filename); - EV_SET(&kev[++kev_used], + DEBUG(D_tls) debug_printf("watch file '%s':\t%d\n", filename, fd1); + EV_SET(&kev[kev_used++], (uintptr_t)fd1, EVFILT_VNODE, EV_ADD | EV_ENABLE | EV_ONESHOT, @@ -196,8 +196,8 @@ for (;;) NULL); cnt++; } - DEBUG(D_tls) debug_printf("watch dir '%s'\n", s); - EV_SET(&kev[++kev_used], + DEBUG(D_tls) debug_printf("watch dir '%s':\t%d\n", s, fd2); + EV_SET(&kev[kev_used++], (uintptr_t)fd2, EVFILT_VNODE, EV_ADD | EV_ENABLE | EV_ONESHOT, @@ -209,11 +209,14 @@ for (;;) if (!(S_ISLNK(sb.st_mode))) break; - s = store_get(1024, FALSE); - if ((i = readlink(CCS filename, (void *)s, 1024)) < 0) { s = US"readlink"; goto bad; } - filename = s; - *(s += i) = '\0'; - store_release_above(s+1); + t = store_get(1024, FALSE); + Ustrncpy(t, s, 1022); + j = Ustrlen(s); + t[j++] = '/'; + if ((i = readlink(CCS filename, (void *)(t+j), 1023-j)) < 0) { s = US"readlink"; goto bad; } + filename = t; + *(t += i+j) = '\0'; + store_release_above(t+1); } #ifdef OpenBSD @@ -317,6 +320,7 @@ if (tls_watch_fd < 0) return; /* Close the files we had open for kevent */ for (int i = 0; i < kev_used; i++) { + DEBUG(D_tls) debug_printf("closing watch fd: %d\n", (int) kev[i].ident); (void) close((int) kev[i].ident); kev[i].ident = (uintptr_t)-1; } @@ -356,11 +360,18 @@ opt_unset_or_noexpand(const uschar * opt) -/* Called every time round the daemon loop */ +/* Called every time round the daemon loop. -void +If we reloaded fd-watcher, return the old watch fd +having modified the global for the new one. Otherwise +return -1. +*/ + +int tls_daemon_tick(void) { +int old_watch_fd = tls_watch_fd; + tls_per_lib_daemon_tick(); #if defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT) if (tls_creds_expire && time(NULL) >= tls_creds_expire) @@ -372,6 +383,7 @@ if (tls_creds_expire && time(NULL) >= tls_creds_expire) DEBUG(D_tls) debug_printf("selfsign cert rotate\n"); tls_creds_expire = 0; tls_daemon_creds_reload(); + return old_watch_fd; } else if (tls_watch_trigger_time && time(NULL) >= tls_watch_trigger_time + 5) { @@ -383,8 +395,10 @@ else if (tls_watch_trigger_time && time(NULL) >= tls_watch_trigger_time + 5) DEBUG(D_tls) debug_printf("watch triggered\n"); tls_watch_trigger_time = tls_creds_expire = 0; tls_daemon_creds_reload(); + return old_watch_fd; } #endif +return -1; } /* Called once at daemon startup */ @@ -457,6 +471,9 @@ Returns: the character int tls_ungetc(int ch) { +if (ssl_xfer_buffer_lwm <= 0) + log_write(0, LOG_MAIN|LOG_PANIC_DIE, "buffer underflow in tls_ungetc"); + ssl_xfer_buffer[--ssl_xfer_buffer_lwm] = ch; return ch; } @@ -669,7 +686,6 @@ else if ((subjdn = tls_cert_subject(cert, NULL))) return FALSE; } - /* Environment cleanup: The GnuTLS library uses SSLKEYLOGFILE in the environment and writes a file by that name. Our OpenSSL code does the same, using keying info from the library API.