X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/cf8734c3fd0823053ae3605beb8681d0957cf4a6..3d040d098384c48be39e47862d55cac1bc0c578c:/src/src/tls.c diff --git a/src/src/tls.c b/src/src/tls.c index e073eadbe..a988c7505 100644 --- a/src/src/tls.c +++ b/src/src/tls.c @@ -3,7 +3,7 @@ *************************************************/ /* Copyright (c) University of Cambridge 1995 - 2018 */ -/* Copyright (c) The Exim Maintainers 2020 */ +/* Copyright (c) The Exim Maintainers 2020 - 2022 */ /* See the file NOTICE for conditions of use and distribution. */ /* This module provides TLS (aka SSL) support for Exim. The code for OpenSSL is @@ -25,6 +25,11 @@ functions from the OpenSSL or GNU TLS libraries. */ #endif +/* Forward decl. */ +static void tls_client_resmption_key(tls_support *, smtp_connect_args *, + smtp_transport_options_block *); + + #if defined(MACRO_PREDEF) && !defined(DISABLE_TLS) # include "macro_predef.h" # ifdef USE_GNUTLS @@ -158,8 +163,8 @@ return FALSE; # endif # ifdef EXIM_HAVE_KEVENT { -uschar * s; -int fd1, fd2, i, cnt = 0; +uschar * s, * t; +int fd1, fd2, i, j, cnt = 0; struct stat sb; #ifdef OpenBSD struct kevent k_dummy; @@ -185,8 +190,8 @@ for (;;) { if ((fd1 = open(CCS filename, O_RDONLY | O_NOFOLLOW)) < 0) { s = US"open file"; goto bad; } - DEBUG(D_tls) debug_printf("watch file '%s'\n", filename); - EV_SET(&kev[++kev_used], + DEBUG(D_tls) debug_printf("watch file '%s':\t%d\n", filename, fd1); + EV_SET(&kev[kev_used++], (uintptr_t)fd1, EVFILT_VNODE, EV_ADD | EV_ENABLE | EV_ONESHOT, @@ -196,8 +201,8 @@ for (;;) NULL); cnt++; } - DEBUG(D_tls) debug_printf("watch dir '%s'\n", s); - EV_SET(&kev[++kev_used], + DEBUG(D_tls) debug_printf("watch dir '%s':\t%d\n", s, fd2); + EV_SET(&kev[kev_used++], (uintptr_t)fd2, EVFILT_VNODE, EV_ADD | EV_ENABLE | EV_ONESHOT, @@ -209,11 +214,14 @@ for (;;) if (!(S_ISLNK(sb.st_mode))) break; - s = store_get(1024, FALSE); - if ((i = readlink(CCS filename, (void *)s, 1024)) < 0) { s = US"readlink"; goto bad; } - filename = s; - *(s += i) = '\0'; - store_release_above(s+1); + t = store_get(1024, GET_UNTAINTED); + Ustrncpy(t, s, 1022); + j = Ustrlen(s); + t[j++] = '/'; + if ((i = readlink(CCS filename, (void *)(t+j), 1023-j)) < 0) { s = US"readlink"; goto bad; } + filename = t; + *(t += i+j) = '\0'; + store_release_above(t+1); } #ifdef OpenBSD @@ -317,6 +325,7 @@ if (tls_watch_fd < 0) return; /* Close the files we had open for kevent */ for (int i = 0; i < kev_used; i++) { + DEBUG(D_tls) debug_printf("closing watch fd: %d\n", (int) kev[i].ident); (void) close((int) kev[i].ident); kev[i].ident = (uintptr_t)-1; } @@ -356,11 +365,18 @@ opt_unset_or_noexpand(const uschar * opt) -/* Called every time round the daemon loop */ +/* Called every time round the daemon loop. -void +If we reloaded fd-watcher, return the old watch fd +having modified the global for the new one. Otherwise +return -1. +*/ + +int tls_daemon_tick(void) { +int old_watch_fd = tls_watch_fd; + tls_per_lib_daemon_tick(); #if defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT) if (tls_creds_expire && time(NULL) >= tls_creds_expire) @@ -372,6 +388,7 @@ if (tls_creds_expire && time(NULL) >= tls_creds_expire) DEBUG(D_tls) debug_printf("selfsign cert rotate\n"); tls_creds_expire = 0; tls_daemon_creds_reload(); + return old_watch_fd; } else if (tls_watch_trigger_time && time(NULL) >= tls_watch_trigger_time + 5) { @@ -383,8 +400,10 @@ else if (tls_watch_trigger_time && time(NULL) >= tls_watch_trigger_time + 5) DEBUG(D_tls) debug_printf("watch triggered\n"); tls_watch_trigger_time = tls_creds_expire = 0; tls_daemon_creds_reload(); + return old_watch_fd; } #endif +return -1; } /* Called once at daemon startup */ @@ -672,7 +691,6 @@ else if ((subjdn = tls_cert_subject(cert, NULL))) return FALSE; } - /* Environment cleanup: The GnuTLS library uses SSLKEYLOGFILE in the environment and writes a file by that name. Our OpenSSL code does the same, using keying info from the library API. @@ -778,6 +796,44 @@ return status == 0; +static void +tls_client_resmption_key(tls_support * tlsp, smtp_connect_args * conn_args, + smtp_transport_options_block * ob) +{ +hctx * h = &tlsp->resume_hctx; +blob b; +gstring * g; + +#ifdef EXIM_HAVE_SHA2 +exim_sha_init(h, HASH_SHA2_256); +#else +exim_sha_init(h, HASH_SHA1); +#endif + +// TODO: word from server EHLO resp /* how, fer gossakes? Add item to conn_args or tls_support? */ + +if (conn_args->dane) + exim_sha_update(h, CUS &conn_args->tlsa_dnsa, sizeof(dns_answer)); +exim_sha_update(h, conn_args->host->address, Ustrlen(conn_args->host->address)); +exim_sha_update(h, CUS &conn_args->host->port, sizeof(conn_args->host->port)); +exim_sha_update(h, conn_args->sending_ip_address, Ustrlen(conn_args->sending_ip_address)); +if (openssl_options) + exim_sha_update(h, openssl_options, Ustrlen(openssl_options)); +if (ob->tls_require_ciphers) + exim_sha_update(h, ob->tls_require_ciphers, Ustrlen(ob->tls_require_ciphers)); +if (tlsp->sni) + exim_sha_update(h, tlsp->sni, Ustrlen(tlsp->sni)); +#ifdef EXIM_HAVE_ALPN +if (ob->tls_alpn) + exim_sha_update(h, ob->tls_alpn, Ustrlen(ob->tls_alpn)); +#endif +exim_sha_finish(h, &b); +for (g = string_get(b.len*2+1); b.len-- > 0; ) + g = string_fmt_append(g, "%02x", *b.data++); +tlsp->resume_index = string_from_gstring(g); +DEBUG(D_tls) debug_printf("TLS: resume session index %s\n", tlsp->resume_index); +} + #endif /*!DISABLE_TLS*/ #endif /*!MACRO_PREDEF*/