summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
authorPhil Pennock <pdp@exim.org>2012-05-17 23:04:36 -0400
committerPhil Pennock <pdp@exim.org>2012-05-17 23:04:36 -0400
commit619b2b25bb4e66b2b2a27d3cc84d6ba00ede0ba4 (patch)
treec99a0fde2a303a71338a54f2df0ea0f43356d18c /src
parent1ec3f27dbd09d889f2839d3c24a095dc4efa49ac (diff)
GnuTLS pretty much passes test suite.exim-4_80_RC1
Fixed assumption that tls_certificate non-NULL in server when TLS advertised. Weakened an !S_ISREG() to an S_ISDIR() to keep the test-suite happy. Using: do { rc = gnutls_handshake(state->session); } while ((rc == GNUTLS_E_AGAIN) || (rc == GNUTLS_E_INTERRUPTED)); is contra-indicated when you expect SIGALRM to be able to break you out of the loop. A little _too_ robust there. Switching last part to: (rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen) is rather more productive. Only test not passing is 2025, which makes major assumptions about cipher suites and needs to be revisited to see what it's trying to achieve. We fail the test because we successfully deliver the message without expected errors, because other ciphersuites are available, since we're no longer limited to a *very* short list embedded in the Exim code. That sort of failure I can live with.
Diffstat (limited to 'src')
-rw-r--r--src/src/tls-gnu.c24
1 files changed, 14 insertions, 10 deletions
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index a9a82e88f..05a3e084c 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -578,7 +578,7 @@ if (!state->host)
{
if (!state->received_sni)
{
- if (Ustrstr(state->tls_certificate, US"tls_sni"))
+ if (state->tls_certificate && Ustrstr(state->tls_certificate, US"tls_sni"))
{
DEBUG(D_tls) debug_printf("We will re-expand TLS session files if we receive SNI.\n");
state->trigger_sni_changes = TRUE;
@@ -695,16 +695,18 @@ if (Ustat(state->exp_tls_verify_certificates, &statbuf) < 0)
return DEFER;
}
-if (!S_ISREG(statbuf.st_mode))
+/* The test suite passes in /dev/null; we could check for that path explicitly,
+but who knows if someone has some weird FIFO which always dumps some certs, or
+other weirdness. The thing we really want to check is that it's not a
+directory, since while OpenSSL supports that, GnuTLS does not.
+So s/!S_ISREG/S_ISDIR/ and change some messsaging ... */
+if (S_ISDIR(statbuf.st_mode))
{
DEBUG(D_tls)
- debug_printf("verify certificates path is not a file: \"%s\"\n%s\n",
- state->exp_tls_verify_certificates,
- S_ISDIR(statbuf.st_mode)
- ? " it's a directory, that's OpenSSL, this is GnuTLS"
- : " (not a directory either)");
+ debug_printf("verify certificates path is a dir: \"%s\"\n",
+ state->exp_tls_verify_certificates);
log_write(0, LOG_MAIN|LOG_PANIC,
- "tls_verify_certificates \"%s\" is not a file",
+ "tls_verify_certificates \"%s\" is a directory",
state->exp_tls_verify_certificates);
return DEFER;
}
@@ -1365,7 +1367,8 @@ if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
do
{
rc = gnutls_handshake(state->session);
- } while ((rc == GNUTLS_E_AGAIN) || (rc == GNUTLS_E_INTERRUPTED));
+ } while ((rc == GNUTLS_E_AGAIN) ||
+ (rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen));
alarm(0);
if (rc != GNUTLS_E_SUCCESS)
@@ -1500,7 +1503,8 @@ alarm(timeout);
do
{
rc = gnutls_handshake(state->session);
- } while ((rc == GNUTLS_E_AGAIN) || (rc == GNUTLS_E_INTERRUPTED));
+ } while ((rc == GNUTLS_E_AGAIN) ||
+ (rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen));
alarm(0);
if (rc != GNUTLS_E_SUCCESS)