OpenSSL: SSLKEYLOGFILE support

diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index 4caa897e305a310171765a2aa9b654d0953de5bc..4ca28bb13e840c9003bfa967361fcf76e371b670 100644 (file)
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -41,6 +41,13 @@ Version 4.93
 
 14: An smtp:ehlo transport event, for observability of the remote offered features.
 
 
 14: An smtp:ehlo transport event, for observability of the remote offered features.
 

+15: Support under OpenSSL for writing NSS-style key files for packet-capture
+    decode.  The environment variable SSLKEYLOGFILE is used; if an absolute path
+    it must indicate a file under the spool directory; if relative the the spool
+    directory is prepended.  Works on the server side only.  Support under 
+    GnuTLS was already there, being done purely by the library (server side
+    only, and exim must be run as root).
+

 
 Version 4.92
 --------------
 
 Version 4.92
 --------------

diff --git a/src/src/environment.c b/src/src/environment.c
index f3a90660ee9722c5495f6663e3a644bf2dc70ba0..cef82dfb1aed6ae92326b2ca79e56fa17a55d5dc 100644 (file)
--- a/src/src/environment.c
+++ b/src/src/environment.c
@@ -24,6 +24,9 @@ Returns:    TRUE if successful
 BOOL
 cleanup_environment()
 {
 BOOL
 cleanup_environment()
 {

+int old_pool = store_pool;
+store_pool = POOL_PERM;                /* Need perm memory for any created env vars */
+

 if (!keep_environment || *keep_environment == '\0')
   {
   /* From: https://github.com/dovecot/core/blob/master/src/lib/env-util.c#L55
 if (!keep_environment || *keep_environment == '\0')
   {
   /* From: https://github.com/dovecot/core/blob/master/src/lib/env-util.c#L55


@@ -59,17 +62,23 @@ else if (Ustrcmp(keep_environment, "*") != 0)
     }
   store_reset(reset_point);
   }
     }
   store_reset(reset_point);
   }

-#ifndef DISABLE_TLS
-tls_clean_env();
-#endif

 if (add_environment)
   {
   uschar * p;
   int sep = 0;
   const uschar * envlist = add_environment;
 if (add_environment)
   {
   uschar * p;
   int sep = 0;
   const uschar * envlist = add_environment;

+  int old_pool = store_pool;

 
 

-  while ((p = string_nextinlist(&envlist, &sep, NULL, 0))) putenv(CS p);
+  while ((p = string_nextinlist(&envlist, &sep, NULL, 0)))
+    {
+    DEBUG(D_expand) debug_printf("adding %s\n", p);
+    putenv(CS p);
+    }

   }
   }

+#ifndef DISABLE_TLS
+tls_clean_env();
+#endif

 
 

+store_pool = old_pool;

 return TRUE;
 }
 return TRUE;
 }

diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 8e1f559afb0c173efddbfb8bfeec6d0fdab740b5..67a35d489192f9440a5ff070f7ecca3802bb9d23 100644 (file)
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -841,7 +841,13 @@ DEBUG(D_tls)
 static void
 keylog_callback(const SSL *ssl, const char *line)
 {
 static void
 keylog_callback(const SSL *ssl, const char *line)
 {

+char * filename;
+FILE * fp;

 DEBUG(D_tls) debug_printf("%.200s\n", line);
 DEBUG(D_tls) debug_printf("%.200s\n", line);

+if (!(filename = getenv("SSLKEYLOGFILE"))) return;
+if (!(fp = fopen(filename, "a"))) return;
+fprintf(fp, "%s\n", line);
+fclose(fp);

 }
 #endif
 
 }
 #endif
 

diff --git a/src/src/tls.c b/src/src/tls.c
index 63d98c806689fe39029e3471527feb62e2bf0631..9c587e55d35e340ed3030da5918ccdaaff79d76e 100644 (file)
--- a/src/src/tls.c
+++ b/src/src/tls.c
@@ -371,9 +371,14 @@ return FALSE;
 }
 
 
 }
 
 

-/* Environment cleanup: The GnuTLS library spots SSLKEYLOGFILE in the envonment
-and writes a file by that name.  We might make the OpenSSL support do the same,
-in some future release.  Restrict that filename to be under the spool directory.
+/* Environment cleanup: The GnuTLS library uses SSLKEYLOGFILE in the environment
+and writes a file by that name.  Our OpenSSL code does the same, using keying
+info from the library API.
+The GnuTLS support only works if exim is run by root, not taking advantage of
+the setuid bit.
+You can use either the external environment (modulo the keep_environment config)
+or the add_environment config option for SSLKEYLOGFILE; the latter takes
+precedence.

 
 If the path is absolute, require it starts with the spooldir; otherwise delete
 the env variable.  If relative, prefix the spooldir.
 
 If the path is absolute, require it starts with the spooldir; otherwise delete
 the env variable.  If relative, prefix the spooldir.

diff --git a/test/aux-var-src/tls_conf_prefix b/test/aux-var-src/tls_conf_prefix
index ad9501ed043c23ed7fb01051a2fa22938ffb40c2..541817668b0b57098e9583fe2c5f965b5f11ac32 100644 (file)
--- a/test/aux-var-src/tls_conf_prefix
+++ b/test/aux-var-src/tls_conf_prefix
@@ -1,4 +1,5 @@
-keep_environment = PATH:SSLKEYLOGFILE:EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK
+keep_environment = PATH:EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK
+add_environment = SSLKEYLOGFILE=DIR/spool/sslkeys

 exim_path = EXIM_PATH
 host_lookup_order = bydns
 spool_directory = DIR/spool
 exim_path = EXIM_PATH
 host_lookup_order = bydns
 spool_directory = DIR/spool