Diffstat (limited to 'debian/patches/75_77-GnuTLS-fix-crash-with-tls_dhparam-none.patch')
-rw-r--r--debian/patches/75_77-GnuTLS-fix-crash-with-tls_dhparam-none.patch92
1 files changed, 92 insertions, 0 deletions
diff --git a/debian/patches/75_77-GnuTLS-fix-crash-with-tls_dhparam-none.patch b/debian/patches/75_77-GnuTLS-fix-crash-with-tls_dhparam-none.patch
new file mode 100644
index 0000000..ced0ce9
--- /dev/null
+++ b/debian/patches/75_77-GnuTLS-fix-crash-with-tls_dhparam-none.patch
@@ -0,0 +1,92 @@
+From 8e9770348dc4173ab83657ee023c22f479ebb712 Mon Sep 17 00:00:00 2001
+From: Jeremy Harris <jgh146exb@wizmail.org>
+Date: Mon, 24 Jul 2023 13:30:40 +0100
+Subject: [PATCH] GnuTLS: fix crash with "tls_dhparam = none"
+
+---
+ doc/ChangeLog | 4 ++++
+ src/tls-gnu.c | 16 +++++++++-------
+ test/log/2049 | 7 +++++++
+ test/scripts/2000-GnuTLS/2049 | 8 ++++++++
+ 4 files changed, 28 insertions(+), 7 deletions(-)
+
+--- a/doc/ChangeLog
++++ b/doc/ChangeLog
+@@ -73,10 +73,14 @@ JH/28 Bug 2996: Fix a crash in the smtp
+
+ JH/31 Bug 2998: Fix ${utf8clean:...} to disallow UTF-16 surrogate codepoints.
+ Found and fixed by Jasen Betts. No testcase for this as my usual text
+ editor insists on emitting only valid UTF-8.
+
++JH/32 Fix "tls_dhparam = none" under GnuTLS. At least with 3.7.9 this gave
++ a null-indireciton SIGSEGV for the receive process.
++
++
+ Exim version 4.96
+ -----------------
+
+ JH/01 Move the wait-for-next-tick (needed for unique message IDs) from
+ after reception to before a subsequent reception. This should
+--- a/src/tls-gnu.c
++++ b/src/tls-gnu.c
+@@ -712,11 +712,11 @@ exist, we generate them. This means that
+ The new file is written as a temporary file and renamed, so that an incomplete
+ file is never present. If two processes both compute some new parameters, you
+ waste a bit of effort, but it doesn't seem worth messing around with locking to
+ prevent this.
+
+-Returns: OK/DEFER/FAIL
++Returns: OK/DEFER (expansion issue)/FAIL (requested none)
+ */
+
+ static int
+ init_server_dh(uschar ** errstr)
+ {
+@@ -750,11 +750,11 @@ if (!exp_tls_dhparam)
+ else if (Ustrcmp(exp_tls_dhparam, "historic") == 0)
+ use_file_in_spool = TRUE;
+ else if (Ustrcmp(exp_tls_dhparam, "none") == 0)
+ {
+ DEBUG(D_tls) debug_printf("Requested no DH parameters\n");
+- return OK;
++ return FAIL;
+ }
+ else if (exp_tls_dhparam[0] != '/')
+ {
+ if (!(m.data = US std_dh_prime_named(exp_tls_dhparam)))
+ return tls_error(US"No standard prime named", exp_tls_dhparam, NULL, errstr);
+@@ -1971,27 +1971,29 @@ Arguments:
+
+ Returns: OK/DEFER/FAIL
+ */
+
+ static int
+-tls_set_remaining_x509(exim_gnutls_state_st *state, uschar ** errstr)
++tls_set_remaining_x509(exim_gnutls_state_st * state, uschar ** errstr)
+ {
+-int rc;
+-const host_item *host = state->host; /* macro should be reconsidered? */
++int rc = OK;
++const host_item * host = state->host; /* macro should be reconsidered? */
+
+ /* Create D-H parameters, or read them from the cache file. This function does
+ its own SMTP error messaging. This only happens for the server, TLS D-H ignores
+ client-side params. */
+
+ if (!state->host)
+ {
+ if (!dh_server_params)
+- if ((rc = init_server_dh(errstr)) != OK) return rc;
++ if ((rc = init_server_dh(errstr)) == DEFER) return rc;
+
+ /* Unnecessary & discouraged with 3.6.0 or later, according to docs. But without it,
+ no DHE- ciphers are advertised. */
+- gnutls_certificate_set_dh_params(state->lib_state.x509_cred, dh_server_params);
++
++ if (rc == OK)
++ gnutls_certificate_set_dh_params(state->lib_state.x509_cred, dh_server_params);
+ }
+
+ /* Link the credentials to the session. */
+
+ if ((rc = gnutls_credentials_set(state->session,
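Review bot: The caller now distinguishes only DEFER, so any FAIL coming out of init_server_dh() is treated the same as the explicit "tls_dhparam = none" case and the server continues without DH parameters (no DHE ciphers) instead of aborting the TLS setup, as the old `!= OK` test did. Whether init_server_dh() has another FAIL-returning path cannot be confirmed from this hunk, since the function body continues outside it and the tls_error() return value is not visible; if it does, this is a silent downgrade rather than a hard error. It would be safer to make the contract explicit at the `return FAIL;` line, e.g. `/* FAIL is reserved for an explicit "none"; every real failure must return DEFER so the caller does not silently proceed without DH params */`, or to check the "none" setting in the caller instead of overloading FAIL. tls_set_remaining_x509() also continues past the hunk, with the gnutls_credentials_set() call cut off.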