Debug: feed startup "whats supported" info through normal debug channel

[exim.git] / src / src / tls-openssl.c

diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 5130455fe6698f7abaf5d6926d5979293bb9be65..26279848653bea2c964432fa32bd2b8b5e1b0263 100644 (file)
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -2460,7 +2460,7 @@ if (!(bs = OCSP_response_get1_basic(rsp)))
     STACK_OF(OCSP_SINGLERESP) * sresp = bs->tbsResponseData->responses;
 #endif
 
     STACK_OF(OCSP_SINGLERESP) * sresp = bs->tbsResponseData->responses;
 #endif
 

-    DEBUG(D_tls) bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
+    DEBUG(D_tls) bp = BIO_new(BIO_s_mem());

 
     /*OCSP_RESPONSE_print(bp, rsp, 0);   extreme debug: stapling content */
 
 
     /*OCSP_RESPONSE_print(bp, rsp, 0);   extreme debug: stapling content */
 


@@ -2475,9 +2475,12 @@ if (!(bs = OCSP_response_get1_basic(rsp)))
        if (LOGGING(tls_cipher)) log_write(0, LOG_MAIN,
                "Received TLS cert status response, itself unverifiable: %s",
                ERR_reason_error_string(ERR_peek_error()));
        if (LOGGING(tls_cipher)) log_write(0, LOG_MAIN,
                "Received TLS cert status response, itself unverifiable: %s",
                ERR_reason_error_string(ERR_peek_error()));

-       BIO_printf(bp, "OCSP response verify failure\n");
-       ERR_print_errors(bp);
-       OCSP_RESPONSE_print(bp, rsp, 0);
+       DEBUG(D_tls)
+         {
+         BIO_printf(bp, "OCSP response verify failure\n");
+         ERR_print_errors(bp);
+         OCSP_RESPONSE_print(bp, rsp, 0);
+         }

        goto failed;
        }
       else
        goto failed;
        }
       else


@@ -2515,8 +2518,11 @@ if (!(bs = OCSP_response_get1_basic(rsp)))
       status = OCSP_single_get0_status(single, &reason, &rev,
                  &thisupd, &nextupd);
 
       status = OCSP_single_get0_status(single, &reason, &rev,
                  &thisupd, &nextupd);
 

-      DEBUG(D_tls) time_print(bp, "This OCSP Update", thisupd);
-      DEBUG(D_tls) if(nextupd) time_print(bp, "Next OCSP Update", nextupd);
+      DEBUG(D_tls)
+       {
+       time_print(bp, "This OCSP Update", thisupd);
+       if (nextupd) time_print(bp, "Next OCSP Update", nextupd);
+       }

       if (!OCSP_check_validity(thisupd, nextupd,
            EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
        {
       if (!OCSP_check_validity(thisupd, nextupd,
            EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
        {


@@ -2555,6 +2561,11 @@ if (!(bs = OCSP_response_get1_basic(rsp)))
     tls_out.ocsp = OCSP_FAILED;
     i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
   good:
     tls_out.ocsp = OCSP_FAILED;
     i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
   good:

+    {
+    uschar * s = NULL;
+    int len = (int) BIO_get_mem_data(bp, CSS &s);
+    if (len > 0) debug_printf("%.*s", len, s);
+    }

     BIO_free(bp);
   }
 
     BIO_free(bp);
   }
 


@@ -3130,6 +3141,21 @@ return OK;
 
 
 
 
 
 

+static void
+tls_dump_keylog(SSL * ssl)
+{
+#ifdef EXIM_HAVE_OPENSSL_KEYLOG
+  BIO * bp = BIO_new(BIO_s_mem());
+  uschar * s = NULL;
+  int len;
+  SSL_SESSION_print_keylog(bp, SSL_get_session(ssl));
+  len = (int) BIO_get_mem_data(bp, CSS &s);
+  if (len > 0) debug_printf("%.*s", len, s);
+  BIO_free(bp);
+#endif
+}
+
+

 /*************************************************
 *       Start a TLS session in a server          *
 *************************************************/
 /*************************************************
 *       Start a TLS session in a server          *
 *************************************************/


@@ -3314,7 +3340,7 @@ if (rc <= 0)
       (void) event_raise(event_action, US"tls:fail:connect", *errstr, NULL);
 
       if (SSL_get_shutdown(ssl) == SSL_RECEIVED_SHUTDOWN)
       (void) event_raise(event_action, US"tls:fail:connect", *errstr, NULL);
 
       if (SSL_get_shutdown(ssl) == SSL_RECEIVED_SHUTDOWN)

-           SSL_shutdown(ssl);
+       SSL_shutdown(ssl);

 
       tls_close(NULL, TLS_NO_SHUTDOWN);
       return FAIL;
 
       tls_close(NULL, TLS_NO_SHUTDOWN);
       return FAIL;


@@ -3413,13 +3439,7 @@ DEBUG(D_tls)
   if (SSL_get_shared_ciphers(ssl, CS buf, sizeof(buf)))
     debug_printf("Shared ciphers: %s\n", buf);
 
   if (SSL_get_shared_ciphers(ssl, CS buf, sizeof(buf)))
     debug_printf("Shared ciphers: %s\n", buf);
 

-#ifdef EXIM_HAVE_OPENSSL_KEYLOG
-  {
-  BIO * bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
-  SSL_SESSION_print_keylog(bp, SSL_get_session(ssl));
-  BIO_free(bp);
-  }
-#endif
+  tls_dump_keylog(ssl);

 
 #ifdef EXIM_HAVE_SESSION_TICKET
   {
 
 #ifdef EXIM_HAVE_SESSION_TICKET
   {


@@ -4080,13 +4100,7 @@ if (rc <= 0)
 DEBUG(D_tls)
   {
   debug_printf("SSL_connect succeeded\n");
 DEBUG(D_tls)
   {
   debug_printf("SSL_connect succeeded\n");

-#ifdef EXIM_HAVE_OPENSSL_KEYLOG
-  {
-  BIO * bp = BIO_new_fp(debug_file, BIO_NOCLOSE);
-  SSL_SESSION_print_keylog(bp, SSL_get_session(exim_client_ctx->ssl));
-  BIO_free(bp);
-  }
-#endif
+  tls_dump_keylog(exim_client_ctx->ssl);

   }
 
 #ifndef DISABLE_TLS_RESUME
   }
 
 #ifndef DISABLE_TLS_RESUME


@@ -4516,6 +4530,9 @@ if (do_shutdown)
   if (  (rc = SSL_shutdown(*sslp)) == 0        /* send "close notify" alert */
      && do_shutdown > 1)
     {
   if (  (rc = SSL_shutdown(*sslp)) == 0        /* send "close notify" alert */
      && do_shutdown > 1)
     {

+#ifdef EXIM_TCP_CORK
+    (void) setsockopt(*fdp, IPPROTO_TCP, EXIM_TCP_CORK, US &off, sizeof(off));
+#endif

     ALARM(2);
     rc = SSL_shutdown(*sslp);          /* wait for response */
     ALARM_CLR(0);
     ALARM(2);
     rc = SSL_shutdown(*sslp);          /* wait for response */
     ALARM_CLR(0);


@@ -4621,21 +4638,22 @@ number/string, and the version date remains unchanged.  The _build_ date
 will change, so we can more usefully assist with version diagnosis by also
 reporting the build date.
 
 will change, so we can more usefully assist with version diagnosis by also
 reporting the build date.
 

-Arguments:   a FILE* to print the results to
-Returns:     nothing
+Arguments:   string to append to
+Returns:     string

 */
 
 */
 

-void
-tls_version_report(FILE *f)
+gstring *
+tls_version_report(gstring * g)

 {
 {

-fprintf(f, "Library version: OpenSSL: Compile: %s\n"
-           "                          Runtime: %s\n"
-           "                                 : %s\n",
-           OPENSSL_VERSION_TEXT,
-           SSLeay_version(SSLEAY_VERSION),
-           SSLeay_version(SSLEAY_BUILT_ON));
-/* third line is 38 characters for the %s and the line is 73 chars long;
-the OpenSSL output includes a "built on: " prefix already. */
+return string_fmt_append(g,
+    "Library version: OpenSSL: Compile: %s\n"
+    "                          Runtime: %s\n"
+    "                                 : %s\n",
+            OPENSSL_VERSION_TEXT,
+            SSLeay_version(SSLEAY_VERSION),
+            SSLeay_version(SSLEAY_BUILT_ON));
+  /* third line is 38 characters for the %s and the line is 73 chars long;
+  the OpenSSL output includes a "built on: " prefix already. */

 }
 
 
 }