X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/3fb3231cf83c8a9328499ea17b3663c1618210dc..d3a0dde57754d2b434957c126e1a22e2094cbbf1:/src/src/tls-gnu.c diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c index 9fcb50dfe..af815d224 100644 --- a/src/src/tls-gnu.c +++ b/src/src/tls-gnu.c @@ -39,6 +39,7 @@ require current GnuTLS, then we'll drop support for the ancient libraries). #include /* man-page is incorrect, gnutls_rnd() is not in gnutls.h: */ #include + /* needed to disable PKCS11 autoload unless requested */ #if GNUTLS_VERSION_NUMBER >= 0x020c00 # include @@ -60,9 +61,15 @@ require current GnuTLS, then we'll drop support for the ancient libraries). #if GNUTLS_VERSION_NUMBER >= 0x030014 # define SUPPORT_SYSDEFAULT_CABUNDLE #endif +#if GNUTLS_VERSION_NUMBER >= 0x030104 +# define GNUTLS_CERT_VFY_STATUS_PRINT +#endif #if GNUTLS_VERSION_NUMBER >= 0x030109 # define SUPPORT_CORK #endif +#if GNUTLS_VERSION_NUMBER >= 0x03010a +# define SUPPORT_GNUTLS_SESS_DESC +#endif #if GNUTLS_VERSION_NUMBER >= 0x030506 && !defined(DISABLE_OCSP) # define SUPPORT_SRV_OCSP_STACK #endif @@ -124,7 +131,7 @@ typedef struct exim_gnutls_state { BOOL peer_dane_verified; BOOL trigger_sni_changes; BOOL have_set_peerdn; - const struct host_item *host; + const struct host_item *host; /* NULL if server */ gnutls_x509_crt_t peercert; uschar *peerdn; uschar *ciphersuite; @@ -225,7 +232,7 @@ static gnutls_dh_params_t dh_server_params = NULL; static const int ssl_session_timeout = 200; -static const char * const exim_default_gnutls_priority = "NORMAL"; +static const uschar * const exim_default_gnutls_priority = US"NORMAL"; /* Guard library core initialisation */ @@ -262,7 +269,7 @@ before, for now. */ #define exim_gnutls_err_check(rc, Label) do { \ if ((rc) != GNUTLS_E_SUCCESS) \ - return tls_error((Label), gnutls_strerror(rc), host, errstr); \ + return tls_error((Label), US gnutls_strerror(rc), host, errstr); \ } while (0) #define expand_check_tlsvar(Varname, errstr) \ @@ -328,11 +335,11 @@ Returns: OK/DEFER/FAIL */ static int -tls_error(const uschar *prefix, const char *msg, const host_item *host, +tls_error(const uschar *prefix, const uschar *msg, const host_item *host, uschar ** errstr) { if (errstr) - *errstr = string_sprintf("(%s)%s%s", prefix, msg ? ": " : "", msg ? msg : ""); + *errstr = string_sprintf("(%s)%s%s", prefix, msg ? ": " : "", msg ? msg : US""); return host ? FAIL : DEFER; } @@ -357,14 +364,14 @@ Returns: nothing static void record_io_error(exim_gnutls_state_st *state, int rc, uschar *when, uschar *text) { -const char * msg; +const uschar * msg; uschar * errstr; if (rc == GNUTLS_E_FATAL_ALERT_RECEIVED) - msg = CS string_sprintf("%s: %s", US gnutls_strerror(rc), + msg = string_sprintf("%s: %s", US gnutls_strerror(rc), US gnutls_alert_get_name(gnutls_alert_get(state->session))); else - msg = gnutls_strerror(rc); + msg = US gnutls_strerror(rc); (void) tls_error(when, msg, state->host, &errstr); @@ -557,7 +564,7 @@ else if (Ustrcmp(exp_tls_dhparam, "none") == 0) else if (exp_tls_dhparam[0] != '/') { if (!(m.data = US std_dh_prime_named(exp_tls_dhparam))) - return tls_error(US"No standard prime named", CS exp_tls_dhparam, NULL, errstr); + return tls_error(US"No standard prime named", exp_tls_dhparam, NULL, errstr); m.size = Ustrlen(m.data); } else @@ -620,7 +627,7 @@ if ((fd = Uopen(filename, O_RDONLY, 0)) >= 0) { saved_errno = errno; (void)close(fd); - return tls_error(US"TLS cache stat failed", strerror(saved_errno), NULL, errstr); + return tls_error(US"TLS cache stat failed", US strerror(saved_errno), NULL, errstr); } if (!S_ISREG(statbuf.st_mode)) { @@ -632,21 +639,21 @@ if ((fd = Uopen(filename, O_RDONLY, 0)) >= 0) saved_errno = errno; (void)close(fd); return tls_error(US"fdopen(TLS cache stat fd) failed", - strerror(saved_errno), NULL, errstr); + US strerror(saved_errno), NULL, errstr); } m.size = statbuf.st_size; if (!(m.data = malloc(m.size))) { fclose(fp); - return tls_error(US"malloc failed", strerror(errno), NULL, errstr); + return tls_error(US"malloc failed", US strerror(errno), NULL, errstr); } if (!(sz = fread(m.data, m.size, 1, fp))) { saved_errno = errno; fclose(fp); free(m.data); - return tls_error(US"fread failed", strerror(saved_errno), NULL, errstr); + return tls_error(US"fread failed", US strerror(saved_errno), NULL, errstr); } fclose(fp); @@ -682,11 +689,11 @@ if (rc < 0) if ((PATH_MAX - Ustrlen(filename)) < 10) return tls_error(US"Filename too long to generate replacement", - CS filename, NULL, errstr); + filename, NULL, errstr); - temp_fn = string_copy(US "%s.XXXXXXX"); + temp_fn = string_copy(US"%s.XXXXXXX"); if ((fd = mkstemp(CS temp_fn)) < 0) /* modifies temp_fn */ - return tls_error(US"Unable to open temp file", strerror(errno), NULL, errstr); + return tls_error(US"Unable to open temp file", US strerror(errno), NULL, errstr); (void)fchown(fd, exim_uid, exim_gid); /* Probably not necessary */ /* GnuTLS overshoots! @@ -723,7 +730,7 @@ if (rc < 0) exim_gnutls_err_check(rc, US"gnutls_dh_params_export_pkcs3(NULL) sizing"); m.size = sz; if (!(m.data = malloc(m.size))) - return tls_error(US"memory allocation failed", strerror(errno), NULL, errstr); + return tls_error(US"memory allocation failed", US strerror(errno), NULL, errstr); /* this will return a size 1 less than the allocation size above */ rc = gnutls_dh_params_export_pkcs3(dh_server_params, GNUTLS_X509_FMT_PEM, @@ -739,19 +746,19 @@ if (rc < 0) { free(m.data); return tls_error(US"TLS cache write D-H params failed", - strerror(errno), NULL, errstr); + US strerror(errno), NULL, errstr); } free(m.data); if ((sz = write_to_fd_buf(fd, US"\n", 1)) != 1) return tls_error(US"TLS cache write D-H params final newline failed", - strerror(errno), NULL, errstr); + US strerror(errno), NULL, errstr); if ((rc = close(fd))) - return tls_error(US"TLS cache write close() failed", strerror(errno), NULL, errstr); + return tls_error(US"TLS cache write close() failed", US strerror(errno), NULL, errstr); if (Urename(temp_fn, filename) < 0) return tls_error(string_sprintf("failed to rename \"%s\" as \"%s\"", - temp_fn, filename), strerror(errno), NULL, errstr); + temp_fn, filename), US strerror(errno), NULL, errstr); DEBUG(D_tls) debug_printf("wrote D-H parameters to file \"%s\"\n", filename); } @@ -783,9 +790,12 @@ if ((rc = gnutls_x509_crt_init(&cert))) goto err; where = US"generating pkey"; if ((rc = gnutls_x509_privkey_generate(pkey, GNUTLS_PK_RSA, #ifdef SUPPORT_PARAM_TO_PK_BITS - gnutls_sec_param_to_pk_bits(GNUTLS_PK_RSA, GNUTLS_SEC_PARAM_LOW), +# ifndef GNUTLS_SEC_PARAM_MEDIUM +# define GNUTLS_SEC_PARAM_MEDIUM GNUTLS_SEC_PARAM_HIGH +# endif + gnutls_sec_param_to_pk_bits(GNUTLS_PK_RSA, GNUTLS_SEC_PARAM_MEDIUM), #else - 1024, + 2048, #endif 0))) goto err; @@ -824,7 +834,7 @@ out: return rc; err: - rc = tls_error(where, gnutls_strerror(rc), NULL, errstr); + rc = tls_error(where, US gnutls_strerror(rc), NULL, errstr); goto out; } @@ -847,7 +857,7 @@ int rc = gnutls_certificate_set_x509_key_file(state->x509_cred, if (rc < 0) return tls_error( string_sprintf("cert/key setup: cert=%s key=%s", certfile, keyfile), - gnutls_strerror(rc), host, errstr); + US gnutls_strerror(rc), host, errstr); return -rc; } @@ -1271,7 +1281,6 @@ int rc; size_t sz; const char *errpos; uschar *p; -BOOL want_default_priorities; if (!exim_gnutls_base_init_done) { @@ -1297,7 +1306,7 @@ if (!exim_gnutls_base_init_done) DEBUG(D_tls) { gnutls_global_set_log_function(exim_gnutls_logger_cb); - /* arbitrarily chosen level; bump upto 9 for more */ + /* arbitrarily chosen level; bump up to 9 for more */ gnutls_global_set_log_level(EXIM_GNUTLS_LIBRARY_LOG_LEVEL); } #endif @@ -1380,32 +1389,24 @@ and replaces gnutls_require_kx, gnutls_require_mac & gnutls_require_protocols. This was backwards incompatible, but means Exim no longer needs to track all algorithms and provide string forms for them. */ -want_default_priorities = TRUE; - +p = NULL; if (state->tls_require_ciphers && *state->tls_require_ciphers) { if (!expand_check_tlsvar(tls_require_ciphers, errstr)) return DEFER; if (state->exp_tls_require_ciphers && *state->exp_tls_require_ciphers) { - DEBUG(D_tls) debug_printf("GnuTLS session cipher/priority \"%s\"\n", - state->exp_tls_require_ciphers); - - rc = gnutls_priority_init(&state->priority_cache, - CS state->exp_tls_require_ciphers, &errpos); - want_default_priorities = FALSE; p = state->exp_tls_require_ciphers; + DEBUG(D_tls) debug_printf("GnuTLS session cipher/priority \"%s\"\n", p); } } -if (want_default_priorities) +if (!p) { + p = exim_default_gnutls_priority; DEBUG(D_tls) - debug_printf("GnuTLS using default session cipher/priority \"%s\"\n", - exim_default_gnutls_priority); - rc = gnutls_priority_init(&state->priority_cache, - exim_default_gnutls_priority, &errpos); - p = US exim_default_gnutls_priority; + debug_printf("GnuTLS using default session cipher/priority \"%s\"\n", p); } +rc = gnutls_priority_init(&state->priority_cache, CCS p, &errpos); exim_gnutls_err_check(rc, string_sprintf( "gnutls_priority_init(%s) failed at offset %ld, \"%.6s..\"", @@ -1489,23 +1490,61 @@ state->peerdn = NULL; cipher = gnutls_cipher_get(state->session); protocol = gnutls_protocol_get_version(state->session); mac = gnutls_mac_get(state->session); -kx = gnutls_kx_get(state->session); - -string_format(cipherbuf, sizeof(cipherbuf), - "%s:%s:%d", - gnutls_protocol_get_name(protocol), - gnutls_cipher_suite_get_name(kx, cipher, mac), - (int) gnutls_cipher_get_key_size(cipher) * 8); - -/* I don't see a way that spaces could occur, in the current GnuTLS -code base, but it was a concern in the old code and perhaps older GnuTLS -releases did return "TLS 1.0"; play it safe, just in case. */ -for (p = cipherbuf; *p != '\0'; ++p) - if (isspace(*p)) - *p = '-'; +kx = +#ifdef GNUTLS_TLS1_3 + protocol >= GNUTLS_TLS1_3 ? 0 : +#endif + gnutls_kx_get(state->session); + old_pool = store_pool; -store_pool = POOL_PERM; -state->ciphersuite = string_copy(cipherbuf); + { + store_pool = POOL_PERM; + +#ifdef SUPPORT_GNUTLS_SESS_DESC + { + gstring * g = NULL; + uschar * s = US gnutls_session_get_desc(state->session), c; + + /* Nikos M suggests we use this by preference. It returns like: + (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM) + + For partial back-compat, put a colon after the TLS version, replace the + )-( grouping with __, replace in-group - with _ and append the :keysize. */ + + /* debug_printf("peer_status: gnutls_session_get_desc %s\n", s); */ + + for (s++; (c = *s) && c != ')'; s++) g = string_catn(g, s, 1); + g = string_catn(g, US":", 1); + if (*s) s++; /* now on _ between groups */ + while ((c = *s)) + { + for (*++s && ++s; (c = *s) && c != ')'; s++) g = string_catn(g, c == '-' ? US"_" : s, 1); + /* now on ) closing group */ + if ((c = *s) && *++s == '-') g = string_catn(g, US"__", 2); + /* now on _ between groups */ + } + g = string_catn(g, US":", 1); + g = string_cat(g, string_sprintf("%d", (int) gnutls_cipher_get_key_size(cipher) * 8)); + state->ciphersuite = string_from_gstring(g); + } +#else + state->ciphersuite = string_sprintf("%s:%s:%d", + gnutls_protocol_get_name(protocol), + gnutls_cipher_suite_get_name(kx, cipher, mac), + (int) gnutls_cipher_get_key_size(cipher) * 8); + + /* I don't see a way that spaces could occur, in the current GnuTLS + code base, but it was a concern in the old code and perhaps older GnuTLS + releases did return "TLS 1.0"; play it safe, just in case. */ + + for (uschar * p = state->ciphersuite; *p; p++) if (isspace(*p)) *p = '-'; +#endif + +/* debug_printf("peer_status: ciphersuite %s\n", state->ciphersuite); */ + + state->tlsp->cipher = state->ciphersuite; + state->tlsp->bits = gnutls_cipher_get_key_size(cipher) * 8; + } store_pool = old_pool; state->tlsp->cipher = state->ciphersuite; @@ -1518,14 +1557,14 @@ if (cert_list == NULL || cert_list_size == 0) cert_list, cert_list_size); if (state->verify_requirement >= VERIFY_REQUIRED) return tls_error(US"certificate verification failed", - "no certificate received from peer", state->host, errstr); + US"no certificate received from peer", state->host, errstr); return OK; } ct = gnutls_certificate_type_get(state->session); if (ct != GNUTLS_CRT_X509) { - const char *ctn = gnutls_certificate_type_get_name(ct); + const uschar *ctn = US gnutls_certificate_type_get_name(ct); DEBUG(D_tls) debug_printf("TLS: peer cert not X.509 but instead \"%s\"\n", ctn); if (state->verify_requirement >= VERIFY_REQUIRED) @@ -1541,7 +1580,7 @@ if (ct != GNUTLS_CRT_X509) DEBUG(D_tls) debug_printf("TLS: peer cert problem: %s: %s\n", \ (Label), gnutls_strerror(rc)); \ if (state->verify_requirement >= VERIFY_REQUIRED) \ - return tls_error((Label), gnutls_strerror(rc), state->host, errstr); \ + return tls_error((Label), US gnutls_strerror(rc), state->host, errstr); \ return OK; \ } \ } while (0) @@ -1598,6 +1637,7 @@ uint verify; if (state->verify_requirement == VERIFY_NONE) return TRUE; +DEBUG(D_tls) debug_printf("TLS: checking peer certificate\n"); *errstr = NULL; if ((rc = peer_status(state, errstr)) != OK) @@ -1742,8 +1782,24 @@ if (rc < 0 || verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED)) { state->peer_cert_verified = FALSE; if (!*errstr) + { +#ifdef GNUTLS_CERT_VFY_STATUS_PRINT + DEBUG(D_tls) + { + gnutls_datum_t txt; + + if (gnutls_certificate_verification_status_print(verify, + gnutls_certificate_type_get(state->session), &txt, 0) + == GNUTLS_E_SUCCESS) + { + debug_printf("%s\n", txt.data); + gnutls_free(txt.data); + } + } +#endif *errstr = verify & GNUTLS_CERT_REVOKED ? US"certificate revoked" : US"certificate invalid"; + } DEBUG(D_tls) debug_printf("TLS certificate verification failed (%s): peerdn=\"%s\"\n", @@ -1757,23 +1813,23 @@ if (rc < 0 || verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED)) else { - if (state->exp_tls_verify_cert_hostnames) + /* Client side, check the server's certificate name versus the name on the + A-record for the connection we made. What to do for server side - what name + to use for client? We document that there is no such checking for server + side. */ + + if ( state->exp_tls_verify_cert_hostnames + && !gnutls_x509_crt_check_hostname(state->tlsp->peercert, + CS state->exp_tls_verify_cert_hostnames) + ) { - int sep = 0; - const uschar * list = state->exp_tls_verify_cert_hostnames; - uschar * name; - while ((name = string_nextinlist(&list, &sep, NULL, 0))) - if (gnutls_x509_crt_check_hostname(state->tlsp->peercert, CS name)) - break; - if (!name) - { - DEBUG(D_tls) - debug_printf("TLS certificate verification failed: cert name mismatch\n"); - if (state->verify_requirement >= VERIFY_REQUIRED) - goto badcert; - return TRUE; - } + DEBUG(D_tls) + debug_printf("TLS certificate verification failed: cert name mismatch\n"); + if (state->verify_requirement >= VERIFY_REQUIRED) + goto badcert; + return TRUE; } + state->peer_cert_verified = TRUE; DEBUG(D_tls) debug_printf("TLS certificate verified: peerdn=\"%s\"\n", state->peerdn ? state->peerdn : US""); @@ -2001,7 +2057,7 @@ exim_gnutls_state_st * state = NULL; /* Check for previous activation */ if (tls_in.active.sock >= 0) { - tls_error(US"STARTTLS received after TLS started", "", NULL, errstr); + tls_error(US"STARTTLS received after TLS started", US "", NULL, errstr); smtp_printf("554 Already in TLS\r\n", FALSE); return FAIL; } @@ -2068,7 +2124,10 @@ if (!state->tlsp->on_connect) } /* Now negotiate the TLS session. We put our own timer on it, since it seems -that the GnuTLS library doesn't. */ +that the GnuTLS library doesn't. +From 3.1.0 there is gnutls_handshake_set_timeout() - but it requires you +to set (and clear down afterwards) up a pull-timeout callback function that does +a select, so we're no better off unless avoiding signals becomes an issue. */ gnutls_transport_set_ptr2(state->session, (gnutls_transport_ptr_t)(long) fileno(smtp_in), @@ -2077,11 +2136,11 @@ state->fd_in = fileno(smtp_in); state->fd_out = fileno(smtp_out); sigalrm_seen = FALSE; -if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout); +if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout); do rc = gnutls_handshake(state->session); while (rc == GNUTLS_E_AGAIN || rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen); -alarm(0); +ALARM_CLR(0); if (rc != GNUTLS_E_SUCCESS) { @@ -2091,12 +2150,12 @@ if (rc != GNUTLS_E_SUCCESS) if (sigalrm_seen) { - tls_error(US"gnutls_handshake", "timed out", NULL, errstr); + tls_error(US"gnutls_handshake", US"timed out", NULL, errstr); gnutls_db_remove_session(state->session); } else { - tls_error(US"gnutls_handshake", gnutls_strerror(rc), NULL, errstr); + tls_error(US"gnutls_handshake", US gnutls_strerror(rc), NULL, errstr); (void) gnutls_alert_send_appropriate(state->session, rc); gnutls_deinit(state->session); gnutls_certificate_free_credentials(state->x509_cred); @@ -2203,7 +2262,7 @@ dane_data_len = store_get(i * sizeof(int)); for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS), i = 0; rr; rr = dns_next_rr(dnsa, &dnss, RESET_NEXT) - ) if (rr->type == T_TLSA) + ) if (rr->type == T_TLSA && rr->size > 3) { const uschar * p = rr->data; uint8_t usage = p[0], sel = p[1], type = p[2]; @@ -2227,7 +2286,7 @@ for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS), i = 0; } tls_out.tlsa_usage |= 1<size; } @@ -2379,7 +2438,7 @@ if (request_ocsp) if ((rc = gnutls_ocsp_status_request_enable_client(state->session, NULL, 0, NULL)) != OK) { - tls_error(US"cert-status-req", gnutls_strerror(rc), state->host, errstr); + tls_error(US"cert-status-req", US gnutls_strerror(rc), state->host, errstr); return NULL; } tlsp->ocsp = OCSP_NOT_RESP; @@ -2403,21 +2462,21 @@ DEBUG(D_tls) debug_printf("about to gnutls_handshake\n"); /* There doesn't seem to be a built-in timeout on connection. */ sigalrm_seen = FALSE; -alarm(ob->command_timeout); +ALARM(ob->command_timeout); do rc = gnutls_handshake(state->session); while (rc == GNUTLS_E_AGAIN || rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen); -alarm(0); +ALARM_CLR(0); if (rc != GNUTLS_E_SUCCESS) { if (sigalrm_seen) { gnutls_alert_send(state->session, GNUTLS_AL_FATAL, GNUTLS_A_USER_CANCELED); - tls_error(US"gnutls_handshake", "timed out", state->host, errstr); + tls_error(US"gnutls_handshake", US"timed out", state->host, errstr); } else - tls_error(US"gnutls_handshake", gnutls_strerror(rc), state->host, errstr); + tls_error(US"gnutls_handshake", US gnutls_strerror(rc), state->host, errstr); return NULL; } @@ -2449,7 +2508,7 @@ if (require_ocsp) gnutls_free(printed.data); } else - (void) tls_error(US"ocsp decode", gnutls_strerror(rc), state->host, errstr); + (void) tls_error(US"ocsp decode", US gnutls_strerror(rc), state->host, errstr); } if (gnutls_ocsp_status_request_is_checked(state->session, 0) == 0) @@ -2506,9 +2565,9 @@ if (shutdown) DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS%s\n", shutdown > 1 ? " (with response-wait)" : ""); - alarm(2); + ALARM(2); gnutls_bye(state->session, shutdown > 1 ? GNUTLS_SHUT_RDWR : GNUTLS_SHUT_WR); - alarm(0); + ALARM_CLR(0); } gnutls_deinit(state->session); @@ -2534,10 +2593,14 @@ DEBUG(D_tls) debug_printf("Calling gnutls_record_recv(%p, %p, %u)\n", state->session, state->xfer_buffer, ssl_xfer_buffer_size); sigalrm_seen = FALSE; -if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout); -inbytes = gnutls_record_recv(state->session, state->xfer_buffer, - MIN(ssl_xfer_buffer_size, lim)); -if (smtp_receive_timeout > 0) alarm(0); +if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout); + +do + inbytes = gnutls_record_recv(state->session, state->xfer_buffer, + MIN(ssl_xfer_buffer_size, lim)); +while (inbytes == GNUTLS_E_AGAIN); + +if (smtp_receive_timeout > 0) ALARM_CLR(0); if (had_command_timeout) /* set by signal handler */ smtp_command_timeout_exit(); /* does not return */ @@ -2591,6 +2654,7 @@ else if (inbytes == 0) else if (inbytes < 0) { + DEBUG(D_tls) debug_printf("%s: err from gnutls_record_recv(\n", __FUNCTION__); record_io_error(state, (int) inbytes, US"recv", NULL); state->xfer_error = TRUE; return FALSE; @@ -2613,7 +2677,7 @@ Only used by the server-side TLS. This feeds DKIM and should be used for all message-body reads. -Arguments: lim Maximum amount to read/bufffer +Arguments: lim Maximum amount to read/buffer Returns: the next character or EOF */ @@ -2712,13 +2776,20 @@ DEBUG(D_tls) debug_printf("Calling gnutls_record_recv(%p, %p, " SIZE_T_FMT ")\n", state->session, buff, len); -inbytes = gnutls_record_recv(state->session, buff, len); +do + inbytes = gnutls_record_recv(state->session, buff, len); +while (inbytes == GNUTLS_E_AGAIN); + if (inbytes > 0) return inbytes; if (inbytes == 0) { DEBUG(D_tls) debug_printf("Got TLS_EOF\n"); } -else record_io_error(state, (int)inbytes, US"recv", NULL); +else + { + DEBUG(D_tls) debug_printf("%s: err from gnutls_record_recv(\n", __FUNCTION__); + record_io_error(state, (int)inbytes, US"recv", NULL); + } return -1; } @@ -2760,11 +2831,15 @@ while (left > 0) { DEBUG(D_tls) debug_printf("gnutls_record_send(SSL, %p, " SIZE_T_FMT ")\n", buff, left); - outbytes = gnutls_record_send(state->session, buff, left); + + do + outbytes = gnutls_record_send(state->session, buff, left); + while (outbytes == GNUTLS_E_AGAIN); DEBUG(D_tls) debug_printf("outbytes=" SSIZE_T_FMT "\n", outbytes); if (outbytes < 0) { + DEBUG(D_tls) debug_printf("%s: gnutls_record_send err\n", __FUNCTION__); record_io_error(state, outbytes, US"send", NULL); return -1; }