[exim-cvs] GnuTLS: fix for clients offering no TLS extension…

Author: Exim Git Commits Mailing List
Date:  
To: exim-cvs
Subject: [exim-cvs] GnuTLS: fix for clients offering no TLS extensions
Gitweb: https://git.exim.org/exim.git/commitdiff/ece23f05d6a430a461a75639197271c23f6858ec
Commit:     ece23f05d6a430a461a75639197271c23f6858ec
Parent:     8338ea45ce618ae72502c63aba5812155ca53052
Author:     Jasen Betts <jasen@???>
AuthorDate: Fri Sep 30 13:49:41 2022 +0100
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Fri Sep 30 13:56:12 2022 +0100


    GnuTLS: fix for clients offering no TLS extensions
---
 doc/doc-txt/ChangeLog              |  3 +++
 src/src/tls-gnu.c                  |  3 ++-
 src/src/tls-openssl.c              | 39 +++++++++++++++++++-------------------
 test/confs/2091                    |  1 +
 test/log/2091                      |  3 +++
 test/scripts/2090-GnuTLS-ALPN/2091 | 19 +++++++++++++++++++
 test/stdout/2091                   | 21 ++++++++++++++++++++
 7 files changed, 68 insertions(+), 21 deletions(-)


diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 2720fb819..a662540fe 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -40,6 +40,9 @@ JH/09 Fix ${filter } for conditions that modify $value.  Previously the
       modified version would be used in construction the result, and a memory
       error would occur.


+JH/10 GnuTLS: fix for (IOT?) clients offering no TLS extensions at all.
+      Find and fix by Jasen Betts.
+


 Exim version 4.96
 -----------------
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 7a6db94e1..1fc7828cf 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -1142,8 +1142,9 @@ tls_server_clienthello_cb(gnutls_session_t session, unsigned int htype,
   unsigned when, unsigned int incoming, const gnutls_datum_t * msg)
 {
 /* Call fn for each extension seen.  3.6.3 onwards */
-return gnutls_ext_raw_parse(NULL, tls_server_clienthello_ext, msg,
+int rc = gnutls_ext_raw_parse(NULL, tls_server_clienthello_ext, msg,
                GNUTLS_EXT_RAW_FLAG_TLS_CLIENT_HELLO);
+return rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE ? 0 : rc;
 }
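Review bot: The new `return rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE ? 0 : rc;` silently turns that GnuTLS error into success, but nothing in the function records why that particular code is benign, so a later reader cannot tell whether a malformed or truncated extensions block is being swallowed along with the "no extensions" case. Going by the test script's ClientHello (handshake ends at the single compression method, no extensions block), this is the "no extensions present" case, but whether gnutls_ext_raw_parse() reports the same code for other conditions is not visible here and should be confirmed against the GnuTLS documentation. I would add above the return: `/* A ClientHello with no extensions block at all (seen from some IoT clients) makes gnutls_ext_raw_parse() report REQUESTED_DATA_NOT_AVAILABLE; treat that as "nothing to parse", not as a failed handshake. */`. Note that in this case tls_server_clienthello_ext is never invoked, so any per-connection state it normally sets (ALPN seen, for instance) stays unset and the code that consumes it must tolerate that. The function's signature begins in the hunk header, above the visible lines.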



diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 043755c84..0129fb93e 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -951,36 +951,35 @@ Returns:    nothing
 */


 static void
-info_callback(SSL *s, int where, int ret)
+info_callback(SSL * s, int where, int ret)
 {
 DEBUG(D_tls)
   {
-  const uschar * str;
-
-  if (where & SSL_ST_CONNECT)
-     str = US"SSL_connect";
-  else if (where & SSL_ST_ACCEPT)
-     str = US"SSL_accept";
-  else
-     str = US"SSL info (undefined)";
+  gstring * g = NULL;
+
+  if (where & SSL_ST_CONNECT) g = string_append_listele(g, ',', US"SSL_connect");
+  if (where & SSL_ST_ACCEPT)  g = string_append_listele(g, ',', US"SSL_accept");
+  if (where & SSL_CB_LOOP)    g = string_append_listele(g, ',', US"state_chg");
+  if (where & SSL_CB_EXIT)    g = string_append_listele(g, ',', US"hshake_exit");
+  if (where & SSL_CB_READ)    g = string_append_listele(g, ',', US"read");
+  if (where & SSL_CB_WRITE)   g = string_append_listele(g, ',', US"write");
+  if (where & SSL_CB_ALERT)   g = string_append_listele(g, ',', US"alert");
+  if (where & SSL_CB_HANDSHAKE_START) g = string_append_listele(g, ',', US"hshake_start");
+  if (where & SSL_CB_HANDSHAKE_DONE)  g = string_append_listele(g, ',', US"hshake_done");


   if (where & SSL_CB_LOOP)
-     debug_printf("%s: %s\n", str, SSL_state_string_long(s));
+     debug_printf("SSL %s: %s\n", g->s, SSL_state_string_long(s));
   else if (where & SSL_CB_ALERT)
-    debug_printf("SSL3 alert %s:%s:%s\n",
-      str = where & SSL_CB_READ ? US"read" : US"write",
+    debug_printf("SSL %s %s:%s\n", g->s,
       SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret));
   else if (where & SSL_CB_EXIT)
     {
-    if (ret == 0)
-      debug_printf("%s: failed in %s\n", str, SSL_state_string_long(s));
-    else if (ret < 0)
-      debug_printf("%s: error in %s\n", str, SSL_state_string_long(s));
+    if (ret <= 0)
+      debug_printf("SSL %s: %s in %s\n", g->s,
+    ret == 0 ? "failed" : "error", SSL_state_string_long(s));
     }
-  else if (where & SSL_CB_HANDSHAKE_START)
-     debug_printf("%s: hshake start: %s\n", str, SSL_state_string_long(s));
-  else if (where & SSL_CB_HANDSHAKE_DONE)
-     debug_printf("%s: hshake done: %s\n", str, SSL_state_string_long(s));
+  else if (where & (SSL_CB_HANDSHAKE_START | SSL_CB_HANDSHAKE_DONE))
+     debug_printf("SSL %s: %s\n", g->s, SSL_state_string_long(s));
   }
 }
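Review bot: Each `debug_printf` now passes `g->s` as a `%s` argument, but a gstring buffer is not guaranteed to be NUL-terminated until it is finalised, so unless string_append_listele() terminates it the printf can read past the collected text; the usual Exim idiom is `string_from_gstring(g)` before using `g->s`. The dereference itself is only safe because every printing branch is gated on a flag that also appended to `g` in the checks above; a future flag that is printed without being appended would leave `g` NULL. A cheap guard covering both is `const uschar * gs = g ? string_from_gstring(g) : US"";` after the flag checks, with `gs` used in place of `g->s` in the four printf calls. This is debug-only output under `DEBUG(D_tls)`, so the exposure is confined to runs with TLS debugging enabled.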


diff --git a/test/confs/2091 b/test/confs/2091
new file mode 120000
index 000000000..9aba31b86
--- /dev/null
+++ b/test/confs/2091
@@ -0,0 +1 @@
+2090
\ No newline at end of file
diff --git a/test/log/2091 b/test/log/2091
new file mode 100644
index 000000000..61b05e67f
--- /dev/null
+++ b/test/log/2091
@@ -0,0 +1,3 @@
+
+******** SERVER ********
+1999-03-02 09:44:33 exim x.yz daemon started: pid=p1234, no queue runs, listening for SMTP on port PORT_D
diff --git a/test/scripts/2090-GnuTLS-ALPN/2091 b/test/scripts/2090-GnuTLS-ALPN/2091
new file mode 100644
index 000000000..de34a1a94
--- /dev/null
+++ b/test/scripts/2090-GnuTLS-ALPN/2091
@@ -0,0 +1,19 @@
+# TLS: ALPN: IOT client
+# Check server connection survives a TLS client offering no TLS extensions at all (including ALPN)
+gnutls
+exim -DSERVER=server -bd -oX PORT_D
+****
+client 127.0.0.1 PORT_D
+??? 220
+EHLO IOTtester
+??? 250-
+??? 250-SIZE
+??? 250-8BITMIME
+??? 250-PIPELINING
+??? 250-STARTTLS
+??? 250 HELP
+STARTTLS
+??? 220
+>>> \x16\x03\x00\x00\x43\x01\x00\x00\x3f\x03\x02\xff\xff\xff\xff\x92\x3e\x99\x88\xd0\x2b\x8f\xc2\x76\xbd\xcf\x02\xcc\xb6\xfc\x39\x00\xd0\x52\x82\x8c\x65\x0c\xcd\x8c\x02\x00\x40\x00\x00\x18\x00\x33\x00\x39\x00\x45\x00\x88\x00\x16\x00\x35\x00\x84\x00\x2f\x00\x41\x00\x0a\x00\x05\x00\x04\x01\x00
+****
+killdaemon
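Review bot: The script ends right after the raw ClientHello on the `>>>` line with no `???` expectation, so it never observes the server's reply; a server that answered with a fatal alert or simply closed the socket would still pass as long as nothing reaches the log, since test/log/2091 expects only the daemon-start line. If the `client` helper can match binary, an expectation for the start of the ServerHello record (`\x16\x03`) would pin the intended behaviour; otherwise a comment after the `>>>` line stating that the log file is the only oracle for this test would make that explicit. The hello itself is internally consistent: record length 0x43 wraps a 63-byte ClientHello that ends at the single compression method with no extensions block, which is exactly the case the fix targets.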
diff --git a/test/stdout/2091 b/test/stdout/2091
new file mode 100644
index 000000000..fbddb3578
--- /dev/null
+++ b/test/stdout/2091
@@ -0,0 +1,21 @@
+Connecting to 127.0.0.1 port 1225 ... connected
+??? 220
+<<< 220 myhost.test.ex ESMTP Exim x.yz Tue, 2 Mar 1999 09:44:33 +0000
+>>> EHLO IOTtester
+??? 250-
+<<< 250-myhost.test.ex Hello IOTtester [127.0.0.1]
+??? 250-SIZE
+<<< 250-SIZE 52428800
+??? 250-8BITMIME
+<<< 250-8BITMIME
+??? 250-PIPELINING
+<<< 250-PIPELINING
+??? 250-STARTTLS
+<<< 250-STARTTLS
+??? 250 HELP
+<<< 250 HELP
+>>> STARTTLS
+??? 220
+<<< 220 TLS go ahead
+>>> \x16\x03\x00\x00\x43\x01\x00\x00\x3f\x03\x02\xff\xff\xff\xff\x92\x3e\x99\x88\xd0\x2b\x8f\xc2\x76\xbd\xcf\x02\xcc\xb6\xfc\x39\x00\xd0\x52\x82\x8c\x65\x0c\xcd\x8c\x02\x00\x40\x00\x00\x18\x00\x33\x00\x39\x00\x45\x00\x88\x00\x16\x00\x35\x00\x84\x00\x2f\x00\x41\x00\x0a\x00\x05\x00\x04\x01\x00
+End of script