X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/63deec8a3ba77fcabf405d9c30fdd65a8b909526..107077d7fd6736711bf5cd980221723401d37c51:/src/src/tls-gnu.c diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c index f3f70d2e0..efa6004a3 100644 --- a/src/src/tls-gnu.c +++ b/src/src/tls-gnu.c @@ -2,7 +2,7 @@ * Exim - an Internet mail transport agent * *************************************************/ -/* Copyright (c) The Exim Maintainers 2020 - 2022 */ +/* Copyright (c) The Exim Maintainers 2020 - 2023 */ /* Copyright (c) University of Cambridge 1995 - 2018 */ /* Copyright (c) Phil Pennock 2012 */ /* See the file NOTICE for conditions of use and distribution. */ @@ -727,7 +727,7 @@ file is never present. If two processes both compute some new parameters, you waste a bit of effort, but it doesn't seem worth messing around with locking to prevent this. -Returns: OK/DEFER/FAIL +Returns: OK/DEFER (expansion issue)/FAIL (requested none) */ static int @@ -765,7 +765,7 @@ else if (Ustrcmp(exp_tls_dhparam, "historic") == 0) else if (Ustrcmp(exp_tls_dhparam, "none") == 0) { DEBUG(D_tls) debug_printf("Requested no DH parameters\n"); - return OK; + return FAIL; } else if (exp_tls_dhparam[0] != '/') { @@ -1016,7 +1016,7 @@ now = 1; if ( (rc = gnutls_x509_crt_set_version(cert, 3)) || (rc = gnutls_x509_crt_set_serial(cert, &now, sizeof(now))) || (rc = gnutls_x509_crt_set_activation_time(cert, now = time(NULL))) - || (rc = gnutls_x509_crt_set_expiration_time(cert, (long)2 * 60 * 60)) /* 2 hour */ + || (rc = gnutls_x509_crt_set_expiration_time(cert, now + (long)2 * 60 * 60)) /* 2 hour */ || (rc = gnutls_x509_crt_set_key(cert, pkey)) || (rc = gnutls_x509_crt_set_dn_by_oid(cert, @@ -1135,7 +1135,7 @@ switch (tls_id) DEBUG(D_tls) debug_printf("\n"); if (server_seen_alpn > 1) { - log_write(0, LOG_MAIN, "TLS ALPN (%s) rejected", string_from_gstring(g)); + log_write(0, LOG_MAIN, "TLS ALPN (%Y) rejected", g); DEBUG(D_tls) debug_printf("TLS: too many ALPNs presented in handshake\n"); return GNUTLS_E_NO_APPLICATION_PROTOCOL; } @@ -2002,10 +2002,10 @@ Returns: OK/DEFER/FAIL */ static int -tls_set_remaining_x509(exim_gnutls_state_st *state, uschar ** errstr) +tls_set_remaining_x509(exim_gnutls_state_st * state, uschar ** errstr) { -int rc; -const host_item *host = state->host; /* macro should be reconsidered? */ +int rc = OK; +const host_item * host = state->host; /* macro should be reconsidered? */ /* Create D-H parameters, or read them from the cache file. This function does its own SMTP error messaging. This only happens for the server, TLS D-H ignores @@ -2014,11 +2014,13 @@ client-side params. */ if (!state->host) { if (!dh_server_params) - if ((rc = init_server_dh(errstr)) != OK) return rc; + if ((rc = init_server_dh(errstr)) == DEFER) return rc; /* Unnecessary & discouraged with 3.6.0 or later, according to docs. But without it, no DHE- ciphers are advertised. */ - gnutls_certificate_set_dh_params(state->lib_state.x509_cred, dh_server_params); + + if (rc == OK) + gnutls_certificate_set_dh_params(state->lib_state.x509_cred, dh_server_params); } /* Link the credentials to the session. */ @@ -2620,7 +2622,7 @@ else ) { DEBUG(D_tls) - debug_printf("TLS certificate verification failed: cert name mismatch\n"); + debug_printf("TLS certificate verification failed: cert name mismatch (per GnuTLS)\n"); if (state->verify_requirement >= VERIFY_REQUIRED) goto badcert; return TRUE;