From: Jasen Betts Date: Fri, 30 Sep 2022 12:49:41 +0000 (+0100) Subject: GnuTLS: fix for clients offering no TLS extensions X-Git-Tag: exim-4.97-RC0~236 X-Git-Url: https://git.exim.org/exim.git/commitdiff_plain/ece23f05d6a430a461a75639197271c23f6858ec GnuTLS: fix for clients offering no TLS extensions --- diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog index 2720fb819..a662540fe 100644 --- a/doc/doc-txt/ChangeLog +++ b/doc/doc-txt/ChangeLog @@ -40,6 +40,9 @@ JH/09 Fix ${filter } for conditions that modify $value. Previously the modified version would be used in construction the result, and a memory error would occur. +JH/10 GnuTLS: fix for (IOT?) clients offering no TLS extensions at all. + Find and fix by Jasen Betts. + Exim version 4.96 ----------------- diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c index 7a6db94e1..1fc7828cf 100644 --- a/src/src/tls-gnu.c +++ b/src/src/tls-gnu.c @@ -1142,8 +1142,9 @@ tls_server_clienthello_cb(gnutls_session_t session, unsigned int htype, unsigned when, unsigned int incoming, const gnutls_datum_t * msg) { /* Call fn for each extension seen. 3.6.3 onwards */ -return gnutls_ext_raw_parse(NULL, tls_server_clienthello_ext, msg, +int rc = gnutls_ext_raw_parse(NULL, tls_server_clienthello_ext, msg, GNUTLS_EXT_RAW_FLAG_TLS_CLIENT_HELLO); +return rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE ? 0 : rc; } diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index 043755c84..0129fb93e 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -951,36 +951,35 @@ Returns: nothing */ static void -info_callback(SSL *s, int where, int ret) +info_callback(SSL * s, int where, int ret) { DEBUG(D_tls) { - const uschar * str; - - if (where & SSL_ST_CONNECT) - str = US"SSL_connect"; - else if (where & SSL_ST_ACCEPT) - str = US"SSL_accept"; - else - str = US"SSL info (undefined)"; + gstring * g = NULL; + + if (where & SSL_ST_CONNECT) g = string_append_listele(g, ',', US"SSL_connect"); + if (where & SSL_ST_ACCEPT) g = string_append_listele(g, ',', US"SSL_accept"); + if (where & SSL_CB_LOOP) g = string_append_listele(g, ',', US"state_chg"); + if (where & SSL_CB_EXIT) g = string_append_listele(g, ',', US"hshake_exit"); + if (where & SSL_CB_READ) g = string_append_listele(g, ',', US"read"); + if (where & SSL_CB_WRITE) g = string_append_listele(g, ',', US"write"); + if (where & SSL_CB_ALERT) g = string_append_listele(g, ',', US"alert"); + if (where & SSL_CB_HANDSHAKE_START) g = string_append_listele(g, ',', US"hshake_start"); + if (where & SSL_CB_HANDSHAKE_DONE) g = string_append_listele(g, ',', US"hshake_done"); if (where & SSL_CB_LOOP) - debug_printf("%s: %s\n", str, SSL_state_string_long(s)); + debug_printf("SSL %s: %s\n", g->s, SSL_state_string_long(s)); else if (where & SSL_CB_ALERT) - debug_printf("SSL3 alert %s:%s:%s\n", - str = where & SSL_CB_READ ? US"read" : US"write", + debug_printf("SSL %s %s:%s\n", g->s, SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret)); else if (where & SSL_CB_EXIT) { - if (ret == 0) - debug_printf("%s: failed in %s\n", str, SSL_state_string_long(s)); - else if (ret < 0) - debug_printf("%s: error in %s\n", str, SSL_state_string_long(s)); + if (ret <= 0) + debug_printf("SSL %s: %s in %s\n", g->s, + ret == 0 ? "failed" : "error", SSL_state_string_long(s)); } - else if (where & SSL_CB_HANDSHAKE_START) - debug_printf("%s: hshake start: %s\n", str, SSL_state_string_long(s)); - else if (where & SSL_CB_HANDSHAKE_DONE) - debug_printf("%s: hshake done: %s\n", str, SSL_state_string_long(s)); + else if (where & (SSL_CB_HANDSHAKE_START | SSL_CB_HANDSHAKE_DONE)) + debug_printf("SSL %s: %s\n", g->s, SSL_state_string_long(s)); } } diff --git a/test/confs/2091 b/test/confs/2091 new file mode 120000 index 000000000..9aba31b86 --- /dev/null +++ b/test/confs/2091 @@ -0,0 +1 @@ +2090 \ No newline at end of file diff --git a/test/log/2091 b/test/log/2091 new file mode 100644 index 000000000..61b05e67f --- /dev/null +++ b/test/log/2091 @@ -0,0 +1,3 @@ + +******** SERVER ******** +1999-03-02 09:44:33 exim x.yz daemon started: pid=p1234, no queue runs, listening for SMTP on port PORT_D diff --git a/test/scripts/2090-GnuTLS-ALPN/2091 b/test/scripts/2090-GnuTLS-ALPN/2091 new file mode 100644 index 000000000..de34a1a94 --- /dev/null +++ b/test/scripts/2090-GnuTLS-ALPN/2091 @@ -0,0 +1,19 @@ +# TLS: ALPN: IOT client +# Check server connection survives a TLS client offering no TLS extensions at all (including ALPN) +gnutls +exim -DSERVER=server -bd -oX PORT_D +**** +client 127.0.0.1 PORT_D +??? 220 +EHLO IOTtester +??? 250- +??? 250-SIZE +??? 250-8BITMIME +??? 250-PIPELINING +??? 250-STARTTLS +??? 250 HELP +STARTTLS +??? 220 +>>> \x16\x03\x00\x00\x43\x01\x00\x00\x3f\x03\x02\xff\xff\xff\xff\x92\x3e\x99\x88\xd0\x2b\x8f\xc2\x76\xbd\xcf\x02\xcc\xb6\xfc\x39\x00\xd0\x52\x82\x8c\x65\x0c\xcd\x8c\x02\x00\x40\x00\x00\x18\x00\x33\x00\x39\x00\x45\x00\x88\x00\x16\x00\x35\x00\x84\x00\x2f\x00\x41\x00\x0a\x00\x05\x00\x04\x01\x00 +**** +killdaemon diff --git a/test/stdout/2091 b/test/stdout/2091 new file mode 100644 index 000000000..fbddb3578 --- /dev/null +++ b/test/stdout/2091 @@ -0,0 +1,21 @@ +Connecting to 127.0.0.1 port 1225 ... connected +??? 220 +<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000 +>>> EHLO IOTtester +??? 250- +<<< 250-myhost.test.ex Hello IOTtester [127.0.0.1] +??? 250-SIZE +<<< 250-SIZE 52428800 +??? 250-8BITMIME +<<< 250-8BITMIME +??? 250-PIPELINING +<<< 250-PIPELINING +??? 250-STARTTLS +<<< 250-STARTTLS +??? 250 HELP +<<< 250 HELP +>>> STARTTLS +??? 220 +<<< 220 TLS go ahead +>>> \x16\x03\x00\x00\x43\x01\x00\x00\x3f\x03\x02\xff\xff\xff\xff\x92\x3e\x99\x88\xd0\x2b\x8f\xc2\x76\xbd\xcf\x02\xcc\xb6\xfc\x39\x00\xd0\x52\x82\x8c\x65\x0c\xcd\x8c\x02\x00\x40\x00\x00\x18\x00\x33\x00\x39\x00\x45\x00\x88\x00\x16\x00\x35\x00\x84\x00\x2f\x00\x41\x00\x0a\x00\x05\x00\x04\x01\x00 +End of script