From 2e5d9e711eef27badbff206e17238661d14cc7c2 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Tue, 15 Oct 2019 21:28:20 +0100 Subject: [PATCH] OpenSSL: SSLKEYLOGFILE support --- doc/doc-txt/NewStuff | 7 +++++++ src/src/environment.c | 17 +++++++++++++---- src/src/tls-openssl.c | 6 ++++++ src/src/tls.c | 11 ++++++++--- test/aux-var-src/tls_conf_prefix | 3 ++- 5 files changed, 36 insertions(+), 8 deletions(-) diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff index 4caa897e3..4ca28bb13 100644 --- a/doc/doc-txt/NewStuff +++ b/doc/doc-txt/NewStuff @@ -41,6 +41,13 @@ Version 4.93 14: An smtp:ehlo transport event, for observability of the remote offered features. +15: Support under OpenSSL for writing NSS-style key files for packet-capture + decode. The environment variable SSLKEYLOGFILE is used; if an absolute path + it must indicate a file under the spool directory; if relative the the spool + directory is prepended. Works on the server side only. Support under + GnuTLS was already there, being done purely by the library (server side + only, and exim must be run as root). + Version 4.92 -------------- diff --git a/src/src/environment.c b/src/src/environment.c index f3a90660e..cef82dfb1 100644 --- a/src/src/environment.c +++ b/src/src/environment.c @@ -24,6 +24,9 @@ Returns: TRUE if successful BOOL cleanup_environment() { +int old_pool = store_pool; +store_pool = POOL_PERM; /* Need perm memory for any created env vars */ + if (!keep_environment || *keep_environment == '\0') { /* From: https://github.com/dovecot/core/blob/master/src/lib/env-util.c#L55 @@ -59,17 +62,23 @@ else if (Ustrcmp(keep_environment, "*") != 0) } store_reset(reset_point); } -#ifndef DISABLE_TLS -tls_clean_env(); -#endif if (add_environment) { uschar * p; int sep = 0; const uschar * envlist = add_environment; + int old_pool = store_pool; - while ((p = string_nextinlist(&envlist, &sep, NULL, 0))) putenv(CS p); + while ((p = string_nextinlist(&envlist, &sep, NULL, 0))) + { + DEBUG(D_expand) debug_printf("adding %s\n", p); + putenv(CS p); + } } +#ifndef DISABLE_TLS +tls_clean_env(); +#endif +store_pool = old_pool; return TRUE; } diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index 8e1f559af..67a35d489 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -841,7 +841,13 @@ DEBUG(D_tls) static void keylog_callback(const SSL *ssl, const char *line) { +char * filename; +FILE * fp; DEBUG(D_tls) debug_printf("%.200s\n", line); +if (!(filename = getenv("SSLKEYLOGFILE"))) return; +if (!(fp = fopen(filename, "a"))) return; +fprintf(fp, "%s\n", line); +fclose(fp); } #endif diff --git a/src/src/tls.c b/src/src/tls.c index 63d98c806..9c587e55d 100644 --- a/src/src/tls.c +++ b/src/src/tls.c @@ -371,9 +371,14 @@ return FALSE; } -/* Environment cleanup: The GnuTLS library spots SSLKEYLOGFILE in the envonment -and writes a file by that name. We might make the OpenSSL support do the same, -in some future release. Restrict that filename to be under the spool directory. +/* Environment cleanup: The GnuTLS library uses SSLKEYLOGFILE in the environment +and writes a file by that name. Our OpenSSL code does the same, using keying +info from the library API. +The GnuTLS support only works if exim is run by root, not taking advantage of +the setuid bit. +You can use either the external environment (modulo the keep_environment config) +or the add_environment config option for SSLKEYLOGFILE; the latter takes +precedence. If the path is absolute, require it starts with the spooldir; otherwise delete the env variable. If relative, prefix the spooldir. diff --git a/test/aux-var-src/tls_conf_prefix b/test/aux-var-src/tls_conf_prefix index ad9501ed0..541817668 100644 --- a/test/aux-var-src/tls_conf_prefix +++ b/test/aux-var-src/tls_conf_prefix @@ -1,4 +1,5 @@ -keep_environment = PATH:SSLKEYLOGFILE:EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK +keep_environment = PATH:EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK +add_environment = SSLKEYLOGFILE=DIR/spool/sslkeys exim_path = EXIM_PATH host_lookup_order = bydns spool_directory = DIR/spool -- 2.25.1