TLS: fix resumption for TLS-on-connect
diff --git
a/src/src/tls-gnu.c
b/src/src/tls-gnu.c
index efa6004a38d1b7af1b45530c1d82cd7abfd0ebee..56ea93935ee7d204bdc3442f97dce58c51ade0b0 100644
--- a/
src/src/tls-gnu.c
+++ b/
src/src/tls-gnu.c
@@
-2851,7
+2851,7
@@
static int
tls_server_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
unsigned incoming, const gnutls_datum_t * msg)
{
tls_server_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
unsigned incoming, const gnutls_datum_t * msg)
{
-DEBUG(D_tls) debug_printf("newticket cb\n");
+DEBUG(D_tls) debug_printf("newticket cb
(on server)
\n");
tls_in.resumption |= RESUME_CLIENT_REQUESTED;
return 0;
}
tls_in.resumption |= RESUME_CLIENT_REQUESTED;
return 0;
}
@@
-2888,9
+2888,12
@@
tls_server_resume_posthandshake(exim_gnutls_state_st * state)
{
if (gnutls_session_resumption_requested(state->session))
{
{
if (gnutls_session_resumption_requested(state->session))
{
- /* This tells us the client sent a full ticket. We use a
+ /* This tells us the client sent a full
(?)
ticket. We use a
callback on session-ticket request, elsewhere, to tell
callback on session-ticket request, elsewhere, to tell
- if a client asked for a ticket. */
+ if a client asked for a ticket.
+ XXX As of GnuTLS 3.0.1 it seems to be returning true even for
+ a pure ticket-req (a zero-length Session Ticket extension
+ in the Client Hello, for 1.2) which mucks up our logic. */
tls_in.resumption |= RESUME_CLIENT_SUGGESTED;
DEBUG(D_tls) debug_printf("client requested resumption\n");
tls_in.resumption |= RESUME_CLIENT_SUGGESTED;
DEBUG(D_tls) debug_printf("client requested resumption\n");
@@
-3000,7
+3003,7
@@
exim_gnutls_state_st * state = NULL;
if (tls_in.active.sock >= 0)
{
tls_error(US"STARTTLS received after TLS started", US "", NULL, errstr);
if (tls_in.active.sock >= 0)
{
tls_error(US"STARTTLS received after TLS started", US "", NULL, errstr);
- smtp_printf("554 Already in TLS\r\n",
FALS
E);
+ smtp_printf("554 Already in TLS\r\n",
SP_NO_MOR
E);
return FAIL;
}
return FAIL;
}
@@
-3079,7
+3082,7
@@
mode, the fflush() happens when smtp_getc() is called. */
if (!state->tlsp->on_connect)
{
if (!state->tlsp->on_connect)
{
- smtp_printf("220 TLS go ahead\r\n",
FALS
E);
+ smtp_printf("220 TLS go ahead\r\n",
SP_NO_MOR
E);
fflush(smtp_out);
}
fflush(smtp_out);
}
@@
-3319,7
+3322,8
@@
tls_retrieve_session(tls_support * tlsp, gnutls_session_t session,
tlsp->resumption = RESUME_SUPPORTED;
if (!conn_args->have_lbserver)
tlsp->resumption = RESUME_SUPPORTED;
if (!conn_args->have_lbserver)
- { DEBUG(D_tls) debug_printf("resumption not supported on continued-connection\n"); }
+ { DEBUG(D_tls) debug_printf(
+ "resumption not supported: no LB detection done (continued-conn?)\n"); }
else if (verify_check_given_host(CUSS &ob->tls_resumption_hosts, conn_args->host) == OK)
{
dbdata_tls_session * dt;
else if (verify_check_given_host(CUSS &ob->tls_resumption_hosts, conn_args->host) == OK)
{
dbdata_tls_session * dt;
@@
-3347,6
+3351,7
@@
else if (verify_check_given_host(CUSS &ob->tls_resumption_hosts, conn_args->host
dbfn_close(dbm_file);
}
}
dbfn_close(dbm_file);
}
}
+else DEBUG(D_tls) debug_printf("no resumption for this host\n");
}
}
@@
-3374,7
+3379,7
@@
if (gnutls_session_get_flags(session) & GNUTLS_SFLAGS_SESSION_TICKET)
int dlen = sizeof(dbdata_tls_session) + tkt.size;
dbdata_tls_session * dt = store_get(dlen, GET_TAINTED);
int dlen = sizeof(dbdata_tls_session) + tkt.size;
dbdata_tls_session * dt = store_get(dlen, GET_TAINTED);
- DEBUG(D_tls) debug_printf("session data size %u\n", (unsigned)tkt.size);
+ DEBUG(D_tls) debug_printf("
session data size %u\n", (unsigned)tkt.size);
memcpy(dt->session, tkt.data, tkt.size);
gnutls_free(tkt.data);
memcpy(dt->session, tkt.data, tkt.size);
gnutls_free(tkt.data);
@@
-3385,11
+3390,15
@@
if (gnutls_session_get_flags(session) & GNUTLS_SFLAGS_SESSION_TICKET)
dbfn_close(dbm_file);
DEBUG(D_tls)
dbfn_close(dbm_file);
DEBUG(D_tls)
- debug_printf("wrote session db (len %u)\n", (unsigned)dlen);
+ debug_printf("
wrote session db (len %u)\n", (unsigned)dlen);
}
}
}
}
- else DEBUG(D_tls)
- debug_printf("extract session data: %s\n", US gnutls_strerror(rc));
+ else
+ { DEBUG(D_tls)
+ debug_printf(" extract session data: %s\n", US gnutls_strerror(rc));
+ }
+ else DEBUG(D_tls)
+ debug_printf(" host not resmable; not saving ticket\n");
}
}
}
}
@@
-3406,7
+3415,7
@@
tls_client_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
exim_gnutls_state_st * state = gnutls_session_get_ptr(sess);
tls_support * tlsp = state->tlsp;
exim_gnutls_state_st * state = gnutls_session_get_ptr(sess);
tls_support * tlsp = state->tlsp;
-DEBUG(D_tls) debug_printf("newticket cb\n");
+DEBUG(D_tls) debug_printf("newticket cb
(on client)
\n");
if (!tlsp->ticket_received)
tls_save_session(tlsp, sess, state->host);
if (!tlsp->ticket_received)
tls_save_session(tlsp, sess, state->host);