Gitweb:
https://git.exim.org/exim.git/commitdiff/2e5d9e711eef27badbff206e17238661d14cc7c2
Commit: 2e5d9e711eef27badbff206e17238661d14cc7c2
Parent: 6b5cbf740022f7f57a425d212499f156b1641d49
Author: Jeremy Harris <jgh146exb@???>
AuthorDate: Tue Oct 15 21:28:20 2019 +0100
Committer: Jeremy Harris <jgh146exb@???>
CommitDate: Tue Oct 15 21:28:20 2019 +0100
OpenSSL: SSLKEYLOGFILE support
---
doc/doc-txt/NewStuff | 7 +++++++
src/src/environment.c | 17 +++++++++++++----
src/src/tls-openssl.c | 6 ++++++
src/src/tls.c | 11 ++++++++---
test/aux-var-src/tls_conf_prefix | 3 ++-
5 files changed, 36 insertions(+), 8 deletions(-)
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index 4caa897..4ca28bb 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -41,6 +41,13 @@ Version 4.93
14: An smtp:ehlo transport event, for observability of the remote offered features.
+15: Support under OpenSSL for writing NSS-style key files for packet-capture
+ decode. The environment variable SSLKEYLOGFILE is used; if an absolute path
+ it must indicate a file under the spool directory; if relative the the spool
+ directory is prepended. Works on the server side only. Support under
+ GnuTLS was already there, being done purely by the library (server side
+ only, and exim must be run as root).
+
Version 4.92
--------------
diff --git a/src/src/environment.c b/src/src/environment.c
index f3a9066..cef82df 100644
--- a/src/src/environment.c
+++ b/src/src/environment.c
@@ -24,6 +24,9 @@ Returns: TRUE if successful
BOOL
cleanup_environment()
{
+int old_pool = store_pool;
+store_pool = POOL_PERM; /* Need perm memory for any created env vars */
+
if (!keep_environment || *keep_environment == '\0')
{
/* From: https://github.com/dovecot/core/blob/master/src/lib/env-util.c#L55
@@ -59,17 +62,23 @@ else if (Ustrcmp(keep_environment, "*") != 0)
}
store_reset(reset_point);
}
-#ifndef DISABLE_TLS
-tls_clean_env();
-#endif
if (add_environment)
{
uschar * p;
int sep = 0;
const uschar * envlist = add_environment;
+ int old_pool = store_pool;
- while ((p = string_nextinlist(&envlist, &sep, NULL, 0))) putenv(CS p);
+ while ((p = string_nextinlist(&envlist, &sep, NULL, 0)))
+ {
+ DEBUG(D_expand) debug_printf("adding %s\n", p);
+ putenv(CS p);
+ }
}
+#ifndef DISABLE_TLS
+tls_clean_env();
+#endif
+store_pool = old_pool;
return TRUE;
}
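Review bot: The added `int old_pool = store_pool;` inside the `if (add_environment)` block is never used and shadows the `old_pool` that the first hunk declares at the top of cleanup_environment(); the restore `store_pool = old_pool;` before `return TRUE` uses the outer one, so this inner declaration only triggers -Wshadow/unused warnings and should be dropped. Moving `tls_clean_env()` after the putenv loop is what lets the spool-directory restriction also cover an SSLKEYLOGFILE set via add_environment, so the ordering itself looks right. The lines between the two hunks are not in view; if any of them return early, store_pool would be left at POOL_PERM on that path — worth confirming.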
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 8e1f559..67a35d4 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -841,7 +841,13 @@ DEBUG(D_tls)
static void
keylog_callback(const SSL *ssl, const char *line)
{
+char * filename;
+FILE * fp;
DEBUG(D_tls) debug_printf("%.200s\n", line);
+if (!(filename = getenv("SSLKEYLOGFILE"))) return;
+if (!(fp = fopen(filename, "a"))) return;
+fprintf(fp, "%s\n", line);
+fclose(fp);
}
#endif
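Review bot: The key log file is created by the new `fopen(filename, "a")` with whatever permissions the process umask allows, yet every line passed to keylog_callback is TLS keying material that lets a packet capture be decrypted; the file should be created owner-only rather than inheriting the umask. Opening with `open(filename, O_WRONLY | O_APPEND | O_CREAT, 0600)` and `fdopen()` keeps the open-append-close-per-line behaviour unchanged (this assumes `<fcntl.h>`/`<unistd.h>` are already in scope through exim's common header — confirm). The path itself is constrained to the spool directory by tls_clean_env() according to the tls.c comment in this commit, so only the file mode is at issue here; the unchecked `fprintf`/`fclose` results are tolerable for a debugging aid.
```c
keylog_callback(const SSL *ssl, const char *line)
{
char * filename;
int fd;
FILE * fp;
/* … unchanged: debug output and SSLKEYLOGFILE lookup … */
/* The file receives session secrets: create it owner-only, regardless of umask */
if ((fd = open(filename, O_WRONLY | O_APPEND | O_CREAT, 0600)) < 0) return;
if (!(fp = fdopen(fd, "a"))) { (void) close(fd); return; }
/* … unchanged: fprintf and fclose … */
```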
diff --git a/src/src/tls.c b/src/src/tls.c
index 63d98c8..9c587e5 100644
--- a/src/src/tls.c
+++ b/src/src/tls.c
@@ -371,9 +371,14 @@ return FALSE;
}
-/* Environment cleanup: The GnuTLS library spots SSLKEYLOGFILE in the envonment
-and writes a file by that name. We might make the OpenSSL support do the same,
-in some future release. Restrict that filename to be under the spool directory.
+/* Environment cleanup: The GnuTLS library uses SSLKEYLOGFILE in the environment
+and writes a file by that name. Our OpenSSL code does the same, using keying
+info from the library API.
+The GnuTLS support only works if exim is run by root, not taking advantage of
+the setuid bit.
+You can use either the external environment (modulo the keep_environment config)
+or the add_environment config option for SSLKEYLOGFILE; the latter takes
+precedence.
If the path is absolute, require it starts with the spooldir; otherwise delete
the env variable. If relative, prefix the spooldir.
diff --git a/test/aux-var-src/tls_conf_prefix b/test/aux-var-src/tls_conf_prefix
index ad9501e..5418176 100644
--- a/test/aux-var-src/tls_conf_prefix
+++ b/test/aux-var-src/tls_conf_prefix
@@ -1,4 +1,5 @@
-keep_environment = PATH:SSLKEYLOGFILE:EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK
+keep_environment = PATH:EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK
+add_environment = SSLKEYLOGFILE=DIR/spool/sslkeys
exim_path = EXIM_PATH
host_lookup_order = bydns
spool_directory = DIR/spool