[exim-cvs] cvs commit: exim/exim-doc/doc-txt ChangeLog NewSt…

Author: Philip Hazel
Date:  
To: exim-cvs
Subject: [exim-cvs] cvs commit: exim/exim-doc/doc-txt ChangeLog NewStuff exim/exim-src/src tls-gnu.c tls-openssl.c
ph10 2006/02/14 14:12:07 GMT

  Modified files:
    exim-doc/doc-txt     ChangeLog NewStuff 
    exim-src/src         tls-gnu.c tls-openssl.c 
  Log:
  Fix GnuTLS privatekey forced fail bug; in both TLS's treat an empty
  privatekey as unset.


  Revision  Changes    Path
  1.297     +4 -0      exim/exim-doc/doc-txt/ChangeLog
  1.84      +3 -0      exim/exim-doc/doc-txt/NewStuff
  1.12      +8 -1      exim/exim-src/src/tls-gnu.c
  1.7       +7 -3      exim/exim-src/src/tls-openssl.c


  Index: ChangeLog
  ===================================================================
  RCS file: /home/cvs/exim/exim-doc/doc-txt/ChangeLog,v
  retrieving revision 1.296
  retrieving revision 1.297
  diff -u -r1.296 -r1.297
  --- ChangeLog    14 Feb 2006 10:26:26 -0000    1.296
  +++ ChangeLog    14 Feb 2006 14:12:06 -0000    1.297
  @@ -1,4 +1,4 @@
  -$Cambridge: exim/exim-doc/doc-txt/ChangeLog,v 1.296 2006/02/14 10:26:26 ph10 Exp $
  +$Cambridge: exim/exim-doc/doc-txt/ChangeLog,v 1.297 2006/02/14 14:12:06 ph10 Exp $


   Change log file for Exim from version 4.21
   -------------------------------------------
  @@ -153,6 +153,10 @@
         allows the sender and the authenticated sender to be set when
         submitting a message from within Exim. Since child_open_exim() is
         documented for local_scan(), the new function should be too.
  +
  +PH/29 In GnuTLS, a forced expansion failure for tls_privatekey was not being
  +      ignored. In both GnuTLS and OpenSSL, an expansion of tls_privatekey that
  +      results in an empty string is now treated as unset.



Exim version 4.60

  Index: NewStuff
  ===================================================================
  RCS file: /home/cvs/exim/exim-doc/doc-txt/NewStuff,v
  retrieving revision 1.83
  retrieving revision 1.84
  diff -u -r1.83 -r1.84
  --- NewStuff    13 Feb 2006 12:02:59 -0000    1.83
  +++ NewStuff    14 Feb 2006 14:12:06 -0000    1.84
  @@ -1,4 +1,4 @@
  -$Cambridge: exim/exim-doc/doc-txt/NewStuff,v 1.83 2006/02/13 12:02:59 ph10 Exp $
  +$Cambridge: exim/exim-doc/doc-txt/NewStuff,v 1.84 2006/02/14 14:12:06 ph10 Exp $


   New Features in Exim
   --------------------
  @@ -45,6 +45,9 @@
         message (that is, nobody is told about the freezing), provided all the
         "control=freeze" modifiers that are obeyed in the current message have
         the /no_tell option.
  +
  +PH/06 In both GnuTLS and OpenSSL, an expansion of tls_privatekey that results
  +      in an empty string is now treated as unset.



Version 4.60

  Index: tls-gnu.c
  ===================================================================
  RCS file: /home/cvs/exim/exim-src/src/tls-gnu.c,v
  retrieving revision 1.11
  retrieving revision 1.12
  diff -u -r1.11 -r1.12
  --- tls-gnu.c    7 Feb 2006 11:19:00 -0000    1.11
  +++ tls-gnu.c    14 Feb 2006 14:12:07 -0000    1.12
  @@ -1,4 +1,4 @@
  -/* $Cambridge: exim/exim-src/src/tls-gnu.c,v 1.11 2006/02/07 11:19:00 ph10 Exp $ */
  +/* $Cambridge: exim/exim-src/src/tls-gnu.c,v 1.12 2006/02/14 14:12:07 ph10 Exp $ */


   /*************************************************
   *     Exim - an Internet mail transport agent    *
  @@ -455,12 +455,19 @@
   if (!expand_check(certificate, US"tls_certificate", &cert_expanded))
     return DEFER;


  +key_expanded = NULL;
   if (privatekey != NULL)
     {
     if (!expand_check(privatekey, US"tls_privatekey", &key_expanded))
       return DEFER;
     }
  -else key_expanded = cert_expanded;
  +
  +/* If expansion was forced to fail, key_expanded will be NULL. If the result of
  +the expansion is an empty string, ignore it also, and assume that the private
  +key is in the same file as the certificate. */
  +
  +if (key_expanded == NULL || *key_expanded == 0)
  +  key_expanded = cert_expanded;


/* Set the certificate and private keys */
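Review bot: the new fallback `if (key_expanded == NULL || *key_expanded == 0)` silently substitutes the certificate file for the private key whenever the tls_privatekey expansion is forced to fail or yields an empty string; a `DEBUG(D_tls) debug_printf(...)` line at that point would let an operator whose expansion unexpectedly came back empty see from the debug output that Exim is now looking for the key inside the certificate file rather than in the file they configured. Note also that the `key_expanded = NULL;` initialisation above `if (privatekey != NULL)` is what makes the fallback cover the privatekey == NULL case that the removed `else key_expanded = cert_expanded;` used to handle; the new comment explains the forced-failure and empty-string cases but not this one, so a short mention would help the next reader.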


  Index: tls-openssl.c
  ===================================================================
  RCS file: /home/cvs/exim/exim-src/src/tls-openssl.c,v
  retrieving revision 1.6
  retrieving revision 1.7
  diff -u -r1.6 -r1.7
  --- tls-openssl.c    7 Feb 2006 11:19:00 -0000    1.6
  +++ tls-openssl.c    14 Feb 2006 14:12:07 -0000    1.7
  @@ -1,4 +1,4 @@
  -/* $Cambridge: exim/exim-src/src/tls-openssl.c,v 1.6 2006/02/07 11:19:00 ph10 Exp $ */
  +/* $Cambridge: exim/exim-src/src/tls-openssl.c,v 1.7 2006/02/14 14:12:07 ph10 Exp $ */


   /*************************************************
   *     Exim - an Internet mail transport agent    *
  @@ -290,8 +290,8 @@
   */


   static int
  -tls_init(host_item *host, uschar *dhparam, uschar *certificate, uschar *privatekey,
  -  address_item *addr)
  +tls_init(host_item *host, uschar *dhparam, uschar *certificate,
  +  uschar *privatekey, address_item *addr)
   {
   SSL_load_error_strings();          /* basic set up */
   OpenSSL_add_ssl_algorithms();
  @@ -386,7 +386,11 @@
         !expand_check(privatekey, US"tls_privatekey", &expanded))
       return DEFER;


  -  if (expanded != NULL)
  +  /* If expansion was forced to fail, key_expanded will be NULL. If the result
  +  of the expansion is an empty string, ignore it also, and assume the private
  +  key is in the same file as the certificate. */
  +
  +  if (expanded != NULL && *expanded != 0)
       {
       DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", expanded);
       if (!SSL_CTX_use_PrivateKey_file(ctx, CS expanded, SSL_FILETYPE_PEM))
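Review bot: the added comment refers to `key_expanded`, but the variable in this function is `expanded` (see `if (expanded != NULL && *expanded != 0)` directly below); the text appears to have been copied from tls-gnu.c and should be adjusted so the comment matches the code. The hunk also ends before the else path is visible, so this diff does not show what happens in the OpenSSL case when `expanded` is NULL or empty; if the intent is the same as in tls-gnu.c (private key in the certificate file), a `DEBUG(D_tls)` message alongside the existing `tls_privatekey file %s` line would make that fallback visible to operators debugging a misconfigured expansion.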