summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJeremy Harris <jgh146exb@wizmail.org>2022-05-19 14:23:02 +0100
committerJeremy Harris <jgh146exb@wizmail.org>2022-05-19 14:23:02 +0100
commit8c74b00980bc7e3e479e8dfcd7c0008b2ac3f543 (patch)
tree800bc3d1b95960827d855be118f3b24253042053
parentc9771b0f607127d89018dd79bab6febb14db3d6d (diff)
GnuTLS: Do not free the cached creds on transport connection close. Bug 2886
-rw-r--r--doc/doc-txt/ChangeLog4
-rw-r--r--src/src/tls-gnu.c8
-rw-r--r--test/confs/201172
-rw-r--r--test/log/201113
-rw-r--r--test/rejectlog/20113
-rw-r--r--test/scripts/2000-GnuTLS/201120
6 files changed, 115 insertions, 5 deletions
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index ac5354c73..389968a90 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -136,6 +136,10 @@ JH/30 Fix string_copyn() for limit greater than actual string length.
overlapping memcpy for newly allocated destination soon after a
source string shorter than the limit. Found/investigated by KM.
+JH/31 Bug 2886: GnuTLS: Do not free the cached creds on transport connection
+ close; it may be needed for a subsequent connection. This caused a
+ SEGV on primary-MX defer. Found/investigated by Gedalya & Andreas.
+
Exim version 4.95
-----------------
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 875862cc1..30c8d40c0 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -1600,6 +1600,9 @@ return lifetime;
/* Preload whatever creds are static, onto a transport. The client can then
just copy the pointer as it starts up. */
+/*XXX this is not called for a cmdline send. But one needing to use >1 conn would benefit,
+and there seems little downside. */
+
static void
tls_client_creds_init(transport_instance * t, BOOL watch)
{
@@ -3084,8 +3087,6 @@ if (rc != GNUTLS_E_SUCCESS)
#endif
(void) gnutls_alert_send_appropriate(state->session, rc);
gnutls_deinit(state->session);
- gnutls_certificate_free_credentials(state->lib_state.x509_cred);
- state->lib_state = null_tls_preload;
millisleep(500);
shutdown(state->fd_out, SHUT_WR);
for (int i = 1024; fgetc(smtp_in) != EOF && i > 0; ) i--; /* drain skt */
@@ -3778,9 +3779,6 @@ if (!ct_ctx) /* server */
}
gnutls_deinit(state->session);
-gnutls_certificate_free_credentials(state->lib_state.x509_cred);
-state->lib_state = null_tls_preload;
-
tlsp->active.sock = -1;
tlsp->active.tls_ctx = NULL;
/* Leave bits, peercert, cipher, peerdn, certificate_verified set, for logging */
diff --git a/test/confs/2011 b/test/confs/2011
new file mode 100644
index 000000000..eac8ccd4a
--- /dev/null
+++ b/test/confs/2011
@@ -0,0 +1,72 @@
+# Exim test configuration 2011
+
+SERVER=
+
+keep_environment = PATH:EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK
+add_environment = SSLKEYLOGFILE=DIR/spool/sslkeys
+exim_path = EXIM_PATH
+host_lookup_order = bydns
+spool_directory = DIR/spool
+
+.ifdef SERVER
+log_file_path = DIR/spool/log/SERVER%slog
+.else
+log_file_path = DIR/spool/log/%slog
+.endif
+
+gecos_pattern = ""
+gecos_name = CALLER_NAME
+dns_cname_loops = 9
+chunking_advertise_hosts = *
+
+.ifdef _HAVE_PIPE_CONNECT
+pipelining_connect_advertise_hosts = :
+.endif
+.ifdef _HAVE_DMARC
+dmarc_tld_file =
+.endif
+.ifdef _EXP_LIMITS
+limits_advertise_hosts = !*
+.endif
+
+primary_hostname = test.ex
+
+# ----- Main settings -----
+
+acl_smtp_rcpt = check_rcpt
+
+log_selector = +received_recipients +dkim_verbose
+queue_only
+queue_run_in_order
+
+# ----- ACL -----
+begin acl
+
+check_rcpt:
+ defer hosts = HOSTIPV4
+ accept
+
+# ----- Routers -----
+
+begin routers
+
+d0:
+ driver = manualroute
+ route_list = * "HOSTIPV4::PORT_D : 127.0.0.1::PORT_D"
+ self = send
+ transport = gsmtp
+
+# ----- Transports -----
+
+begin transports
+
+gsmtp:
+ driver = smtp
+ allow_localhost
+ tls_verify_certificates = system
+ hosts_require_tls = *
+
+begin retry
+* * F,5d,10s
+
+# End
diff --git a/test/log/2011 b/test/log/2011
new file mode 100644
index 000000000..f0fad261d
--- /dev/null
+++ b/test/log/2011
@@ -0,0 +1,13 @@
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@test.ex U=CALLER P=local S=sss for fred@test.net
+1999-03-02 09:44:33 Start queue run: pid=pppp
+1999-03-02 09:44:33 10HmaX-0005vi-00 H=ip4.ip4.ip4.ip4 [ip4.ip4.ip4.ip4]: SMTP error from remote mail server after RCPT TO:<fred@test.net>: 451 Temporary local problem - please try later
+1999-03-02 09:44:33 10HmaX-0005vi-00 => fred@test.net R=d0 T=gsmtp H=127.0.0.1 [127.0.0.1] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no K C="250- 3nn byte chunk, total 3nn\\n250 OK id=10HmaY-0005vi-00"
+1999-03-02 09:44:33 10HmaX-0005vi-00 Completed
+1999-03-02 09:44:33 End queue run: pid=pppp
+
+******** SERVER ********
+1999-03-02 09:44:33 Warning: No server certificate defined; will use a selfsigned one.
+ Suggested action: either install a certificate or change tls_advertise_hosts option
+1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port PORT_D
+1999-03-02 09:44:33 H=the.local.host.name (test.ex) [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no F=<CALLER@test.ex> temporarily rejected RCPT <fred@test.net>
+1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@test.ex H=localhost (test.ex) [127.0.0.1] P=esmtps X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no K S=sss id=E10HmaX-0005vi-00@test.ex for fred@test.net
diff --git a/test/rejectlog/2011 b/test/rejectlog/2011
new file mode 100644
index 000000000..b8ae22aa1
--- /dev/null
+++ b/test/rejectlog/2011
@@ -0,0 +1,3 @@
+
+******** SERVER ********
+1999-03-02 09:44:33 H=the.local.host.name (test.ex) [ip4.ip4.ip4.ip4] X=TLS1.x:ke-RSA-AES256-SHAnnn:xxx CV=no F=<CALLER@test.ex> temporarily rejected RCPT <fred@test.net>
diff --git a/test/scripts/2000-GnuTLS/2011 b/test/scripts/2000-GnuTLS/2011
new file mode 100644
index 000000000..c5504c341
--- /dev/null
+++ b/test/scripts/2000-GnuTLS/2011
@@ -0,0 +1,20 @@
+# Cached CA bundle re-use
+#
+# Preload a message into spool
+exim -odq fred@test.net
+Subject: test
+
+this is a test
+
+****
+#
+# Server to work against
+exim -DSERVER=server -bd -oX PORT_D
+****
+#
+# Send message from spool
+exim -q
+****
+#
+killdaemon
+no_msglog_check