GnuTLS: clear errno before any data i/o op, so error logging does not see stale values

[exim.git] / src / src / tls-gnu.c

diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 6308f10df4d00bb29ef55b0f88c8365a200dbe3d..03af7d7dcedabece7dc729a0b1e3a0722d65a58d 100644 (file)
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -429,9 +429,7 @@ msg = rc == GNUTLS_E_FATAL_ALERT_RECEIVED
       US gnutls_alert_get_name(gnutls_alert_get(state->session)))
 #ifdef GNUTLS_E_PREMATURE_TERMINATION
   : rc == GNUTLS_E_PREMATURE_TERMINATION && errno
-  ? errno == ECONNRESET                /* Outlook does this to us right after sending us QUIT */
-  ? string_sprintf("syscall: %s", strerror(errno))
-  : string_sprintf("%s: syscall: %s", US gnutls_strerror(rc), strerror(errno))
+  ? string_sprintf("%s: syscall: %s", US gnutls_strerror(rc), strerror(errno))
 #endif
   : US gnutls_strerror(rc);
 
@@ -552,7 +550,10 @@ else
 
 /* peercert is set in peer_status() */
 tlsp->peerdn = state->peerdn;
-tlsp->sni =    state->received_sni;
+
+/* do not corrupt sni sent by client; record sni rxd by server */
+if (!state->host)
+  tlsp->sni = state->received_sni;
 
 /* record our certificate */
   {
@@ -2870,7 +2871,7 @@ DEBUG(D_tls) debug_printf("initialising GnuTLS as a client on fd %d\n", cctx->so
 /* If dane is flagged, have either request or require dane for this host, and
 a TLSA record found.  Therefore, dane verify required.  Which implies cert must
 be requested and supplied, dane verify must pass, and cert verify irrelevant
-(incl.  hostnames), and (caller handled) require_tls */
+(incl.  hostnames), and (caller handled) require_tls and sni=$domain */
 
 if (conn_args->dane && ob->dane_require_tls_ciphers)
   {
@@ -2897,6 +2898,7 @@ if (!cipher_list)
       cipher_list, &state, tlsp, errstr) != OK)
     return FALSE;
 
+
 #ifdef MEASURE_TIMING
   report_time_since(&t0, US"client tls_init (delta)");
 #endif
@@ -3165,6 +3167,7 @@ DEBUG(D_tls) debug_printf("Calling gnutls_record_recv(session=%p, buffer=%p, buf
 sigalrm_seen = FALSE;
 if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
 
+errno = 0;
 do
   inbytes = gnutls_record_recv(state->session, state->xfer_buffer,
     MIN(ssl_xfer_buffer_size, lim));
@@ -3325,6 +3328,7 @@ DEBUG(D_tls)
   debug_printf("Calling gnutls_record_recv(session=%p, buffer=%p, len=" SIZE_T_FMT ")\n",
       state->session, buff, len);
 
+errno = 0;
 do
   inbytes = gnutls_record_recv(state->session, buff, len);
 while (inbytes == GNUTLS_E_AGAIN);
@@ -3388,6 +3392,7 @@ while (left > 0)
   DEBUG(D_tls) debug_printf("gnutls_record_send(session=%p, buffer=%p, left=" SIZE_T_FMT ")\n",
       state->session, buff, left);
 
+  errno = 0;
   do
     outbytes = gnutls_record_send(state->session, buff, left);
   while (outbytes == GNUTLS_E_AGAIN);
@@ -3396,8 +3401,24 @@ while (left > 0)
 
   if (outbytes < 0)
     {
-    DEBUG(D_tls) debug_printf("%s: gnutls_record_send err\n", __FUNCTION__);
-    record_io_error(state, outbytes, US"send", NULL);
+#ifdef GNUTLS_E_PREMATURE_TERMINATION
+    if (  outbytes == GNUTLS_E_PREMATURE_TERMINATION && errno == ECONNRESET
+       && !ct_ctx && f.smtp_in_quit
+       )
+      {                                        /* Outlook, dammit */
+      if (LOGGING(protocol_detail))
+       log_write(0, LOG_MAIN, "[%s] after QUIT, client reset TCP before"
+         " SMTP response and TLS close\n", sender_host_address);
+      else
+       DEBUG(D_tls) debug_printf("[%s] SSL_write: after QUIT,"
+         " client reset TCP before TLS close\n", sender_host_address);
+      }
+    else
+#endif
+      {
+      DEBUG(D_tls) debug_printf("%s: gnutls_record_send err\n", __FUNCTION__);
+      record_io_error(state, outbytes, US"send", NULL);
+      }
     return -1;
     }
   if (outbytes == 0)