diff options
Diffstat (limited to '')
-rw-r--r-- | debian/patches/75_16-GnuTLS-fix-for-clients-offering-no-TLS-extensions.patch | 114 |
1 files changed, 114 insertions, 0 deletions
diff --git a/debian/patches/75_16-GnuTLS-fix-for-clients-offering-no-TLS-extensions.patch b/debian/patches/75_16-GnuTLS-fix-for-clients-offering-no-TLS-extensions.patch new file mode 100644 index 0000000..ae2fa16 --- /dev/null +++ b/debian/patches/75_16-GnuTLS-fix-for-clients-offering-no-TLS-extensions.patch @@ -0,0 +1,114 @@ +From ece23f05d6a430a461a75639197271c23f6858ec Mon Sep 17 00:00:00 2001 +From: Jasen Betts <jasen@xnet.co.nz> +Date: Fri, 30 Sep 2022 13:49:41 +0100 +Subject: [PATCH] GnuTLS: fix for clients offering no TLS extensions + +--- + doc/ChangeLog | 3 +++ + src/tls-gnu.c | 3 ++- + src/tls-openssl.c | 39 +++++++++++++++--------------- + test/confs/2091 | 1 + + test/log/2091 | 3 +++ + test/scripts/2090-GnuTLS-ALPN/2091 | 19 +++++++++++++++ + test/stdout/2091 | 21 ++++++++++++++++ + 7 files changed, 68 insertions(+), 21 deletions(-) + create mode 120000 test/confs/2091 + create mode 100644 test/log/2091 + create mode 100644 test/scripts/2090-GnuTLS-ALPN/2091 + create mode 100644 test/stdout/2091 + +--- a/doc/ChangeLog ++++ b/doc/ChangeLog +@@ -10,10 +10,14 @@ + more than one message arrived in a single connection a reference from + the earlier message could be re-used. Often a sigsegv resulted. + These variables were introduced in Exim 4.87. + Debug help from Graeme Fowler. + ++JH/10 GnuTLS: fix for (IOT?) clients offering no TLS extensions at all. ++ Find and fix by Jasen Betts. ++ ++ + + Exim version 4.96 + ----------------- + + JH/01 Move the wait-for-next-tick (needed for unique message IDs) from +--- a/src/tls-gnu.c ++++ b/src/tls-gnu.c +@@ -1130,12 +1130,13 @@ + static int + tls_server_clienthello_cb(gnutls_session_t session, unsigned int htype, + unsigned when, unsigned int incoming, const gnutls_datum_t * msg) + { + /* Call fn for each extension seen. 3.6.3 onwards */ +-return gnutls_ext_raw_parse(NULL, tls_server_clienthello_ext, msg, ++int rc = gnutls_ext_raw_parse(NULL, tls_server_clienthello_ext, msg, + GNUTLS_EXT_RAW_FLAG_TLS_CLIENT_HELLO); ++return rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE ? 0 : rc; + } + + + # ifdef notdef_crashes + /* Make a note that we saw a status-response */ +--- a/src/tls-openssl.c ++++ b/src/tls-openssl.c +@@ -940,40 +940,39 @@ + + Returns: nothing + */ + + static void +-info_callback(SSL *s, int where, int ret) ++info_callback(SSL * s, int where, int ret) + { + DEBUG(D_tls) + { +- const uschar * str; ++ gstring * g = NULL; + +- if (where & SSL_ST_CONNECT) +- str = US"SSL_connect"; +- else if (where & SSL_ST_ACCEPT) +- str = US"SSL_accept"; +- else +- str = US"SSL info (undefined)"; ++ if (where & SSL_ST_CONNECT) g = string_append_listele(g, ',', US"SSL_connect"); ++ if (where & SSL_ST_ACCEPT) g = string_append_listele(g, ',', US"SSL_accept"); ++ if (where & SSL_CB_LOOP) g = string_append_listele(g, ',', US"state_chg"); ++ if (where & SSL_CB_EXIT) g = string_append_listele(g, ',', US"hshake_exit"); ++ if (where & SSL_CB_READ) g = string_append_listele(g, ',', US"read"); ++ if (where & SSL_CB_WRITE) g = string_append_listele(g, ',', US"write"); ++ if (where & SSL_CB_ALERT) g = string_append_listele(g, ',', US"alert"); ++ if (where & SSL_CB_HANDSHAKE_START) g = string_append_listele(g, ',', US"hshake_start"); ++ if (where & SSL_CB_HANDSHAKE_DONE) g = string_append_listele(g, ',', US"hshake_done"); + + if (where & SSL_CB_LOOP) +- debug_printf("%s: %s\n", str, SSL_state_string_long(s)); ++ debug_printf("SSL %s: %s\n", g->s, SSL_state_string_long(s)); + else if (where & SSL_CB_ALERT) +- debug_printf("SSL3 alert %s:%s:%s\n", +- str = where & SSL_CB_READ ? US"read" : US"write", ++ debug_printf("SSL %s %s:%s\n", g->s, + SSL_alert_type_string_long(ret), SSL_alert_desc_string_long(ret)); + else if (where & SSL_CB_EXIT) + { +- if (ret == 0) +- debug_printf("%s: failed in %s\n", str, SSL_state_string_long(s)); +- else if (ret < 0) +- debug_printf("%s: error in %s\n", str, SSL_state_string_long(s)); ++ if (ret <= 0) ++ debug_printf("SSL %s: %s in %s\n", g->s, ++ ret == 0 ? "failed" : "error", SSL_state_string_long(s)); + } +- else if (where & SSL_CB_HANDSHAKE_START) +- debug_printf("%s: hshake start: %s\n", str, SSL_state_string_long(s)); +- else if (where & SSL_CB_HANDSHAKE_DONE) +- debug_printf("%s: hshake done: %s\n", str, SSL_state_string_long(s)); ++ else if (where & (SSL_CB_HANDSHAKE_START | SSL_CB_HANDSHAKE_DONE)) ++ debug_printf("SSL %s: %s\n", g->s, SSL_state_string_long(s)); + } + } + + #ifdef OPENSSL_HAVE_KEYLOG_CB + static void |