OpenSSL: more info on accept zero-error

[users/heiko/exim.git] / src / src / tls-openssl.c

diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index f7ff459b03ff0b235979b7e3eb2bfeb9306dfd0c..3d0e84f6d2d64d843f4631760b98ac7986f482d5 100644 (file)
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -3,6 +3,7 @@
 *************************************************/
 
 /* Copyright (c) University of Cambridge 1995 - 2019 */
+/* Copyright (c) The Exim Maintainers 2020 */
 /* See the file NOTICE for conditions of use and distribution. */
 
 /* Portions Copyright (c) The OpenSSL Project 1999 */
@@ -115,7 +116,7 @@ change this guard and punt the issue for a while longer. */
 # define DISABLE_OCSP
 #endif
 
-#ifdef EXPERIMENTAL_TLS_RESUME
+#ifndef DISABLE_TLS_RESUME
 # if OPENSSL_VERSION_NUMBER < 0x0101010L
 #  error OpenSSL version too old for session-resumption
 # endif
@@ -291,7 +292,7 @@ for (struct exim_openssl_option * o = exim_openssl_options;
   builtin_macro_create(buf);
   }
 
-# ifdef EXPERIMENTAL_TLS_RESUME
+# ifndef DISABLE_TLS_RESUME
 builtin_macro_create_var(US"_RESUME_DECODE", RESUME_DECODE_STRING );
 # endif
 # ifdef SSL_OP_NO_TLSv1_3
@@ -421,7 +422,7 @@ static int tls_server_stapling_cb(SSL *s, void *arg);
 
 
 /* Daemon-called, before every connection, key create/rotate */
-#ifdef EXPERIMENTAL_TLS_RESUME
+#ifndef DISABLE_TLS_RESUME
 static void tk_init(void);
 static int tls_exdata_idx = -1;
 #endif
@@ -429,7 +430,7 @@ static int tls_exdata_idx = -1;
 void
 tls_daemon_init(void)
 {
-#ifdef EXPERIMENTAL_TLS_RESUME
+#ifndef DISABLE_TLS_RESUME
 tk_init();
 #endif
 return;
@@ -890,7 +891,7 @@ fclose(fp);
 #endif
 
 
-#ifdef EXPERIMENTAL_TLS_RESUME
+#ifndef DISABLE_TLS_RESUME
 /* Manage the keysets used for encrypting the session tickets, on the server. */
 
 typedef struct {                       /* Session ticket encryption key */
@@ -2175,12 +2176,12 @@ availability of the option value macros from OpenSSL.  */
 if (!tls_openssl_options_parse(openssl_options, &init_options))
   return tls_error(US"openssl_options parsing failed", host, NULL, errstr);
 
-#ifdef EXPERIMENTAL_TLS_RESUME
+#ifndef DISABLE_TLS_RESUME
 tlsp->resumption = RESUME_SUPPORTED;
 #endif
 if (init_options)
   {
-#ifdef EXPERIMENTAL_TLS_RESUME
+#ifndef DISABLE_TLS_RESUME
   /* Should the server offer session resumption? */
   if (!host && verify_check_host(&tls_resumption_hosts) == OK)
     {
@@ -2684,12 +2685,12 @@ else if (verify_check_host(&tls_try_verify_hosts) == OK)
   server_verify_optional = TRUE;
   }
 
-#ifdef EXPERIMENTAL_TLS_RESUME
+#ifndef DISABLE_TLS_RESUME
 SSL_CTX_set_tlsext_ticket_key_cb(server_ctx, ticket_key_callback);
 /* despite working, appears to always return failure, so ignoring */
 #endif
 #ifdef OPENSSL_HAVE_NUM_TICKETS
-# ifdef EXPERIMENTAL_TLS_RESUME
+# ifndef DISABLE_TLS_RESUME
 SSL_CTX_set_num_tickets(server_ctx, tls_in.host_resumable ? 1 : 0);
 # else
 SSL_CTX_set_num_tickets(server_ctx, 0);        /* send no TLS1.3 stateful-tickets */
@@ -2737,6 +2738,7 @@ SSL_set_accept_state(server_ssl);
 
 DEBUG(D_tls) debug_printf("Calling SSL_accept\n");
 
+ERR_clear_error();
 sigalrm_seen = FALSE;
 if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
 rc = SSL_accept(server_ssl);
@@ -2786,7 +2788,10 @@ if (rc <= 0)
          }
        DEBUG(D_tls) debug_printf(" - syscall %s\n", strerror(errno));
        }
-      (void) tls_error(US"SSL_accept", NULL, sigalrm_seen ? US"timed out" : NULL, errstr);
+      (void) tls_error(US"SSL_accept", NULL,
+                     sigalrm_seen ? US"timed out"
+                     : ERR_peek_error() ? NULL : string_sprintf("ret %d", error),
+                     errstr);
       return FAIL;
     }
   }
@@ -2795,7 +2800,7 @@ DEBUG(D_tls) debug_printf("SSL_accept was successful\n");
 ERR_clear_error();     /* Even success can leave errors in the stack. Seen with
                        anon-authentication ciphersuite negotiated. */
 
-#ifdef EXPERIMENTAL_TLS_RESUME
+#ifndef DISABLE_TLS_RESUME
 if (SSL_session_reused(server_ssl))
   {
   tls_in.resumption |= RESUME_USED;
@@ -2982,7 +2987,7 @@ return DEFER;
 
 
 
-#ifdef EXPERIMENTAL_TLS_RESUME
+#ifndef DISABLE_TLS_RESUME
 /* On the client, get any stashed session for the given IP from hints db
 and apply it to the ssl-connection for attempted resumption. */
 
@@ -3144,7 +3149,7 @@ if (SSL_session_reused(exim_client_ctx->ssl))
   tlsp->resumption |= RESUME_USED;
   }
 }
-#endif /* EXPERIMENTAL_TLS_RESUME */
+#endif /* !DISABLE_TLS_RESUME */
 
 
 /*************************************************
@@ -3293,7 +3298,7 @@ else
        client_static_cbinfo, errstr) != OK)
     return FALSE;
 
-#ifdef EXPERIMENTAL_TLS_RESUME
+#ifndef DISABLE_TLS_RESUME
 tls_client_ctx_resume_prehandshake(exim_client_ctx, tlsp, ob, host);
 #endif
 
@@ -3364,7 +3369,7 @@ if (request_ocsp)
   }
 #endif
 
-#ifdef EXPERIMENTAL_TLS_RESUME
+#ifndef DISABLE_TLS_RESUME
 if (!tls_client_ssl_resume_prehandshake(exim_client_ctx->ssl, tlsp, host,
       errstr))
   return FALSE;
@@ -3405,7 +3410,7 @@ DEBUG(D_tls)
 #endif
   }
 
-#ifdef EXPERIMENTAL_TLS_RESUME
+#ifndef DISABLE_TLS_RESUME
 tls_client_resume_posthandshake(exim_client_ctx, tlsp);
 #endif
 
@@ -3457,6 +3462,7 @@ int inbytes;
 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", server_ssl,
   ssl_xfer_buffer, ssl_xfer_buffer_size);
 
+ERR_clear_error();
 if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
 inbytes = SSL_read(server_ssl, CS ssl_xfer_buffer,
                  MIN(ssl_xfer_buffer_size, lim));
@@ -3606,6 +3612,7 @@ int error;
 DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
   buff, (unsigned int)len);
 
+ERR_clear_error();
 inbytes = SSL_read(ssl, CS buff, len);
 error = SSL_get_error(ssl, inbytes);
 
@@ -3695,6 +3702,7 @@ if ((more || corked))
 for (int left = len; left > 0;)
   {
   DEBUG(D_tls) debug_printf("SSL_write(%p, %p, %d)\n", ssl, buff, left);
+  ERR_clear_error();
   outbytes = SSL_write(ssl, CS buff, left);
   error = SSL_get_error(ssl, outbytes);
   DEBUG(D_tls) debug_printf("outbytes=%d error=%d\n", outbytes, error);