[exim-cvs] OpenSSL: Fix tls_eccurve on earlier versions than…

Top Page
Delete this message
Reply to this message
Author: Exim Git Commits Mailing List
Date:  
To: exim-cvs
Subject: [exim-cvs] OpenSSL: Fix tls_eccurve on earlier versions than 3.0.0. Bug 2954
Gitweb: https://git.exim.org/exim.git/commitdiff/7fa5764c203f2f4a900898a79ed02d674075313f
Commit:     7fa5764c203f2f4a900898a79ed02d674075313f
Parent:     b77f1b5c34fd54dd2f05d698410523e0427992b3
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Mon Jan 2 15:04:14 2023 +0000
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Mon Jan 2 15:15:36 2023 +0000


    OpenSSL: Fix tls_eccurve on earlier versions than 3.0.0.  Bug 2954


    Broken-by: ca4014de81e6
---
 src/src/tls-openssl.c          |  7 ++++---
 test/log/2149                  | 28 ++++++++++++++--------------
 test/runtest                   |  3 +++
 test/scripts/2100-OpenSSL/2149 | 22 ++++++++++++----------
 4 files changed, 33 insertions(+), 27 deletions(-)


diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 4d0f99ea9..e063d29bd 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -786,8 +786,9 @@ if (  (nid = OBJ_sn2nid       (CCS exp_curve)) == NID_undef
 #   endif
    )
   {
-  tls_error(string_sprintf("Unknown curve name tls_eccurve '%s'", exp_curve),
-    NULL, NULL, errstr);
+  uschar * s = string_sprintf("Unknown curve name tls_eccurve '%s'", exp_curve);
+  DEBUG(D_tls) debug_printf("TLS error '%s'\n", s);
+  if (errstr) *errstr = s;
   return FALSE;
   }


@@ -803,7 +804,7 @@ if (  (nid = OBJ_sn2nid       (CCS exp_curve)) == NID_undef
   /* The "tmp" in the name here refers to setting a temporary key
   not to the stability of the interface. */


-  if ((rc = SSL_CTX_set_tmp_ecdh(sctx, ecdh) == 0))
+  if ((rc = SSL_CTX_set_tmp_ecdh(sctx, ecdh)) == 0)
     tls_error(string_sprintf("Error enabling '%s' curve", exp_curve), NULL, NULL, errstr);
   else
     DEBUG(D_tls) debug_printf(" ECDH: enabled '%s' curve\n", exp_curve);
diff --git a/test/log/2149 b/test/log/2149
index 0d4235846..3832ba076 100644
--- a/test/log/2149
+++ b/test/log/2149
@@ -1,45 +1,45 @@
 1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmaX-0005vi-00 => userx@??? R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 => optnotpresent@??? R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmaY-0005vi-00"
 1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmaZ-0005vi-00 => userx@??? R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmbA-0005vi-00"
+1999-03-02 09:44:33 10HmaZ-0005vi-00 => explicitauto@??? R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmbA-0005vi-00"
 1999-03-02 09:44:33 10HmaZ-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbB-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmbB-0005vi-00 => userx@??? R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmbC-0005vi-00"
+1999-03-02 09:44:33 10HmbB-0005vi-00 => explicitempty@??? R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmbC-0005vi-00"
 1999-03-02 09:44:33 10HmbB-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbD-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmbD-0005vi-00 => userx@??? R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmbE-0005vi-00"
+1999-03-02 09:44:33 10HmbD-0005vi-00 => prime256v1@??? R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmbE-0005vi-00"
 1999-03-02 09:44:33 10HmbD-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbF-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
-1999-03-02 09:44:33 10HmbF-0005vi-00 => userx@??? R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmbG-0005vi-00"
+1999-03-02 09:44:33 10HmbF-0005vi-00 => secp384r1@??? R=client T=send_to_server H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=yes C="250 OK id=10HmbG-0005vi-00"
 1999-03-02 09:44:33 10HmbF-0005vi-00 Completed
 1999-03-02 09:44:33 10HmbH-0005vi-00 <= CALLER@??? U=CALLER P=local S=sss
 1999-03-02 09:44:33 10HmbH-0005vi-00 H=127.0.0.1 [127.0.0.1]: a TLS session is required, but an attempt to start TLS failed
-1999-03-02 09:44:33 10HmbH-0005vi-00 == userx@??? R=client T=send_to_server defer (-38) H=127.0.0.1 [127.0.0.1]: a TLS session is required, but an attempt to start TLS failed
-1999-03-02 09:44:33 10HmbH-0005vi-00 ** userx@???: retry timeout exceeded
-1999-03-02 09:44:33 10HmbH-0005vi-00 userx@???: error ignored
+1999-03-02 09:44:33 10HmbH-0005vi-00 == user_fail@??? R=client T=send_to_server defer (-38) H=127.0.0.1 [127.0.0.1]: a TLS session is required, but an attempt to start TLS failed
+1999-03-02 09:44:33 10HmbH-0005vi-00 ** user_fail@???: retry timeout exceeded
+1999-03-02 09:44:33 10HmbH-0005vi-00 user_fail@???: error ignored
 1999-03-02 09:44:33 10HmbH-0005vi-00 Completed


 ******** SERVER ********
 1999-03-02 09:44:33 exim x.yz daemon started: pid=p1234, no queue runs, listening for SMTP on port PORT_D
 1999-03-02 09:44:33 10HmaY-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaX-0005vi-00@???
-1999-03-02 09:44:33 10HmaY-0005vi-00 => userx <userx@???> R=server T=local_delivery
+1999-03-02 09:44:33 10HmaY-0005vi-00 => optnotpresent <optnotpresent@???> R=server T=local_delivery
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
 1999-03-02 09:44:33 exim x.yz daemon started: pid=p1235, no queue runs, listening for SMTP on port PORT_D
 1999-03-02 09:44:33 10HmbA-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmaZ-0005vi-00@???
-1999-03-02 09:44:33 10HmbA-0005vi-00 => userx <userx@???> R=server T=local_delivery
+1999-03-02 09:44:33 10HmbA-0005vi-00 => explicitauto <explicitauto@???> R=server T=local_delivery
 1999-03-02 09:44:33 10HmbA-0005vi-00 Completed
 1999-03-02 09:44:33 exim x.yz daemon started: pid=p1236, no queue runs, listening for SMTP on port PORT_D
 1999-03-02 09:44:33 10HmbC-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbB-0005vi-00@???
-1999-03-02 09:44:33 10HmbC-0005vi-00 => userx <userx@???> R=server T=local_delivery
+1999-03-02 09:44:33 10HmbC-0005vi-00 => explicitempty <explicitempty@???> R=server T=local_delivery
 1999-03-02 09:44:33 10HmbC-0005vi-00 Completed
 1999-03-02 09:44:33 exim x.yz daemon started: pid=p1237, no queue runs, listening for SMTP on port PORT_D
 1999-03-02 09:44:33 10HmbE-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbD-0005vi-00@???
-1999-03-02 09:44:33 10HmbE-0005vi-00 => userx <userx@???> R=server T=local_delivery
+1999-03-02 09:44:33 10HmbE-0005vi-00 => prime256v1 <prime256v1@???> R=server T=local_delivery
 1999-03-02 09:44:33 10HmbE-0005vi-00 Completed
 1999-03-02 09:44:33 exim x.yz daemon started: pid=p1238, no queue runs, listening for SMTP on port PORT_D
 1999-03-02 09:44:33 10HmbG-0005vi-00 <= <> H=localhost (myhost.test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no S=sss id=E10HmbF-0005vi-00@???
-1999-03-02 09:44:33 10HmbG-0005vi-00 => userx <userx@???> R=server T=local_delivery
+1999-03-02 09:44:33 10HmbG-0005vi-00 => secp384r1 <secp384r1@???> R=server T=local_delivery
 1999-03-02 09:44:33 10HmbG-0005vi-00 Completed
 1999-03-02 09:44:33 exim x.yz daemon started: pid=p1239, no queue runs, listening for SMTP on port PORT_D
-1999-03-02 09:44:33 TLS error on connection from localhost (myhost.test.ex) [127.0.0.1] (Unknown curve name tls_eccurve 'bogus'): error:00000000:lib(0)::reason(0)
+1999-03-02 09:44:33 TLS error on connection from localhost (myhost.test.ex) [127.0.0.1] Unknown curve name tls_eccurve 'bogus'
diff --git a/test/runtest b/test/runtest
index c518c1080..900fc7bbb 100755
--- a/test/runtest
+++ b/test/runtest
@@ -1165,6 +1165,9 @@ RESET_AFTER_EXTRA_LINE_READ:
     next if /^TLS: not preloading (CA bundle|cipher list) for server$/;
     next if /^TLS: not preloading server certs$/;


+    # some plaatforms are missing the standard CA bundle file
+    next if /^tls_set_watch\(\) fail on '\/usr\/lib\/ssl\/cert.pem': No such file or directory$/;
+
     # drop lookups
     next if /^$time_pid?(?: Lookups\ \(built-in\):
                     | Loading\ lookup\ modules\ from
diff --git a/test/scripts/2100-OpenSSL/2149 b/test/scripts/2100-OpenSSL/2149
index 59263df81..f1af49907 100644
--- a/test/scripts/2100-OpenSSL/2149
+++ b/test/scripts/2100-OpenSSL/2149
@@ -6,14 +6,14 @@
 # Baseline: tls_eccurve option not present
 exim -DSERVER=server -bd -oX PORT_D
 ****
-exim -odf userx@???
+exim -odf optnotpresent@???
 ****
 killdaemon
 #
 # Explicit tls_eccurve setting of "auto"
 exim -DSERVER=server -DDATA=auto -bd -oX PORT_D
 ****
-exim -odf userx@???
+exim -odf explicitauto@???
 ****
 killdaemon
 #
@@ -21,30 +21,32 @@ killdaemon
 # - unclear this works.  At least with OpenSSL 3.0.5 we still get an x25519 keyshare in the Server Hello
 exim -DSERVER=server -DDATA= -bd -oX PORT_D
 ****
-exim -odf userx@???
+exim -odf explicitempty@???
 ****
 killdaemon
 #
 # prime256v1
+# Oddly,  3.0.5 packets show an EC-groups negotiation of C:x255519 S:secp256r1 C:secp384r1 S:secp384r1.
+# Hoever, note that RFC 8446 (TLS1.3) does NOT include prime256v1 as one of the allowable
+# supported groups (and it's not in the client "supported groups" extension, so what we see seems good.
 exim -DSERVER=server -DDATA=prime256v1 -bd -oX PORT_D
 ****
-exim -odf userx@???
+exim -odf prime256v1@???
 ****
 killdaemon
 #
-# X448
-# Client Hello offers an x25519 keyshare, server says "Hello Retry Request" with a KeyShare extension "X448"
-# and the client retries Client Hello with that in the KeyShare.
-exim -DSERVER=server -DDATA=X448 -bd -oX PORT_D
+# secp384r1
+# C:x25519 S:secp384r1
+exim -DSERVER=server -DDATA=secp384r1 -bd -oX PORT_D
 ****
-exim -odf userx@???
+exim -odf secp384r1@???
 ****
 killdaemon
 #
 # "bogus".  Should fail to make connection.
 exim -DSERVER=server -DDATA=bogus -bd -oX PORT_D
 ****
-exim -odf userx@???
+exim -odf user_fail@???
 ****
 killdaemon
 #