author | Philip Hazel <ph10@hermes.cam.ac.uk> | 2006-02-14 14:12:06 +0000 |
---|---|---|
committer | Philip Hazel <ph10@hermes.cam.ac.uk> | 2006-02-14 14:12:06 +0000 |
commit | c91535f35c1f54bb30e5611791c93e78f2efd5d0 (patch) | |
tree | b99fe068f11ede1b35f766392501616040d68b3e /src | |
parent | 5977a0b30ed5509ec131bbc2e7d2a3f44e3a692e (diff) |
Fix GnuTLS privatekey forced-fail bug; in both TLS implementations, treat an empty
privatekey as unset.
Diffstat (limited to 'src')
-rw-r--r-- | src/src/tls-gnu.c | 11 | ||||
-rw-r--r-- | src/src/tls-openssl.c | 12 |
2 files changed, 17 insertions, 6 deletions
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index fa3073642..31f226b4e 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/src/src/tls-gnu.c,v 1.11 2006/02/07 11:19:00 ph10 Exp $ */
+/* $Cambridge: exim/src/src/tls-gnu.c,v 1.12 2006/02/14 14:12:07 ph10 Exp $ */
 /*************************************************
 * Exim - an Internet mail transport agent *
@@ -455,12 +455,19 @@ may be required for different sessions. */
 if (!expand_check(certificate, US"tls_certificate", &cert_expanded))
 return DEFER;
+key_expanded = NULL;
 if (privatekey != NULL)
 {
 if (!expand_check(privatekey, US"tls_privatekey", &key_expanded))
 return DEFER;
 }
-else key_expanded = cert_expanded;
+
+/* If expansion was forced to fail, key_expanded will be NULL. If the result of
+the expansion is an empty string, ignore it also, and assume that the private
+key is in the same file as the certificate. */
+
+if (key_expanded == NULL || *key_expanded == 0)
+ key_expanded = cert_expanded;
 /* Set the certificate and private keys */
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index f20c6f4f0..146cb6293 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/src/src/tls-openssl.c,v 1.6 2006/02/07 11:19:00 ph10 Exp $ */
+/* $Cambridge: exim/src/src/tls-openssl.c,v 1.7 2006/02/14 14:12:07 ph10 Exp $ */
 /*************************************************
 * Exim - an Internet mail transport agent *
@@ -290,8 +290,8 @@ Returns: OK/DEFER/FAIL */
 static int
-tls_init(host_item *host, uschar *dhparam, uschar *certificate, uschar *privatekey,
- address_item *addr)
+tls_init(host_item *host, uschar *dhparam, uschar *certificate,
+ uschar *privatekey, address_item *addr)
 {
 SSL_load_error_strings(); /* basic set up */
 OpenSSL_add_ssl_algorithms();
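Review bot: The new fallback `if (key_expanded == NULL || *key_expanded == 0) key_expanded = cert_expanded;` in the tls-gnu.c hunk at -455 is silent, so a tls_privatekey expansion that is forced to fail or yields an empty string leaves no trace that the private key is being read from the certificate file instead. The OpenSSL counterpart in this same commit records which key file it uses with `DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", expanded);`; an equivalent line inside the fallback branch here, such as `DEBUG(D_tls) debug_printf("tls_privatekey unset or empty; using %s\n", cert_expanded);`, would let an operator see that a misconfigured expansion was ignored rather than applied. The enclosing function begins and ends outside this hunk.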
@@ -386,7 +386,11 @@ if (certificate != NULL)
 !expand_check(privatekey, US"tls_privatekey", &expanded))
 return DEFER;
- if (expanded != NULL)
+ /* If expansion was forced to fail, key_expanded will be NULL. If the result
+ of the expansion is an empty string, ignore it also, and assume the private
+ key is in the same file as the certificate. */
+
+ if (expanded != NULL && *expanded != 0)
 {
 DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", expanded);
 if (!SSL_CTX_use_PrivateKey_file(ctx, CS expanded, SSL_FILETYPE_PEM)) |
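Review bot: The added comment names `key_expanded`, but the variable tested on the following line in this function is `expanded`, so the text appears to have been copied from tls-gnu.c without adjusting the name; change the first added line to `/* If expansion was forced to fail, expanded will be NULL. If the result`. The path taken when expanded is NULL or empty lies outside the hunk, so whether the certificate file is then used as the key, as the comment asserts, cannot be confirmed from these lines. The enclosing `if (certificate != NULL)` block begins and ends outside this hunk.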