Copyright updates:

[exim.git] / src / src / tls.c

diff --git a/src/src/tls.c b/src/src/tls.c
index 531d679503c2a0bea50187b9c87c079b3da13383..e5aabc6b4b65823b40b9664c119b14784fcd0cd6 100644 (file)
--- a/src/src/tls.c
+++ b/src/src/tls.c
@@ -3,6 +3,7 @@
 *************************************************/
 
 /* Copyright (c) University of Cambridge 1995 - 2018 */
 *************************************************/
 
 /* Copyright (c) University of Cambridge 1995 - 2018 */

+/* Copyright (c) The Exim Maintainers 2020 */

 /* See the file NOTICE for conditions of use and distribution. */
 
 /* This module provides TLS (aka SSL) support for Exim. The code for OpenSSL is
 /* See the file NOTICE for conditions of use and distribution. */
 
 /* This module provides TLS (aka SSL) support for Exim. The code for OpenSSL is


@@ -61,8 +62,6 @@ static int ssl_xfer_eof = FALSE;
 static BOOL ssl_xfer_error = FALSE;
 #endif
 
 static BOOL ssl_xfer_error = FALSE;
 #endif
 

-uschar *tls_channelbinding_b64 = NULL;
-

 
 /*************************************************
 *       Expand string; give error on failure     *
 
 /*************************************************
 *       Expand string; give error on failure     *


@@ -371,6 +370,38 @@ return FALSE;
 }
 
 
 }
 
 

+/* Environment cleanup: The GnuTLS library uses SSLKEYLOGFILE in the environment
+and writes a file by that name.  Our OpenSSL code does the same, using keying
+info from the library API.
+The GnuTLS support only works if exim is run by root, not taking advantage of
+the setuid bit.
+You can use either the external environment (modulo the keep_environment config)
+or the add_environment config option for SSLKEYLOGFILE; the latter takes
+precedence.
+
+If the path is absolute, require it starts with the spooldir; otherwise delete
+the env variable.  If relative, prefix the spooldir.
+*/
+void
+tls_clean_env(void)
+{
+uschar * path = US getenv("SSLKEYLOGFILE");
+if (path)
+  if (!*path)
+    unsetenv("SSLKEYLOGFILE");
+  else if (*path != '/')
+    {
+    DEBUG(D_tls)
+      debug_printf("prepending spooldir to  env SSLKEYLOGFILE\n");
+    setenv("SSLKEYLOGFILE", CCS string_sprintf("%s/%s", spool_directory, path), 1);
+    }
+  else if (Ustrncmp(path, spool_directory, Ustrlen(spool_directory)) != 0)
+    {
+    DEBUG(D_tls)
+      debug_printf("removing env SSLKEYLOGFILE=%s: not under spooldir\n", path);
+    unsetenv("SSLKEYLOGFILE");
+    }
+}

 
 /*************************************************
 *       Drop privs for checking TLS config      *
 
 /*************************************************
 *       Drop privs for checking TLS config      *


@@ -411,7 +442,7 @@ else if (!nowarn && !tls_certificate)
 oldsignal = signal(SIGCHLD, SIG_DFL);
 
 fflush(NULL);
 oldsignal = signal(SIGCHLD, SIG_DFL);
 
 fflush(NULL);

-if ((pid = fork()) < 0)
+if ((pid = exim_fork(US"cipher-validate")) < 0)

   log_write(0, LOG_MAIN|LOG_PANIC_DIE, "fork failed for TLS check");
 
 if (pid == 0)
   log_write(0, LOG_MAIN|LOG_PANIC_DIE, "fork failed for TLS check");
 
 if (pid == 0)


@@ -425,7 +456,7 @@ if (pid == 0)
     log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
         "tls_require_ciphers invalid: %s", errmsg);
   fflush(NULL);
     log_write(0, LOG_PANIC_DIE|LOG_CONFIG,
         "tls_require_ciphers invalid: %s", errmsg);
   fflush(NULL);

-  exim_underbar_exit(0);
+  exim_underbar_exit(EXIT_SUCCESS);

   }
 
 do {
   }
 
 do {