diff options
| author | Jeremy Harris <jgh146exb@wizmail.org> | 2014-07-13 12:18:09 +0100 |
|---|---|---|
| committer | Jeremy Harris <jgh146exb@wizmail.org> | 2014-07-13 12:18:09 +0100 |
| commit | 0df4ab80579544db421576d92e8a9b783edb1a58 (patch) | |
| tree | 6c57f00d40e63168369b1cbb87a74be827617647 /src | |
| parent | 4b57b15d12942aff5360105a71f9c1b9d9a4edaf (diff) | |
Fix TLS SNI, and add regression test cases
Diffstat (limited to 'src')
| -rw-r--r-- | src/src/tls-gnu.c | 11 | ||||
| -rw-r--r-- | src/src/tls-openssl.c | 21 |
2 files changed, 13 insertions, 19 deletions
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c index 5bdb21e6e..266ab8909 100644 --- a/src/src/tls-gnu.c +++ b/src/src/tls-gnu.c @@ -108,7 +108,6 @@ typedef struct exim_gnutls_state { uschar *exp_tls_certificate; uschar *exp_tls_privatekey; - uschar *exp_tls_sni; uschar *exp_tls_verify_certificates; uschar *exp_tls_crl; uschar *exp_tls_require_ciphers; @@ -1086,15 +1085,15 @@ if (rc != OK) return rc; /* set SNI in client, only */ if (host) { - if (!expand_check(state->tlsp->sni, US"tls_out_sni", &state->exp_tls_sni)) + if (!expand_check(sni, US"tls_out_sni", &state->tlsp->sni)) return DEFER; - if (state->exp_tls_sni && *state->exp_tls_sni) + if (state->tlsp->sni && *state->tlsp->sni) { DEBUG(D_tls) - debug_printf("Setting TLS client SNI to \"%s\"\n", state->exp_tls_sni); - sz = Ustrlen(state->exp_tls_sni); + debug_printf("Setting TLS client SNI to \"%s\"\n", state->tlsp->sni); + sz = Ustrlen(state->tlsp->sni); rc = gnutls_server_name_set(state->session, - GNUTLS_NAME_DNS, state->exp_tls_sni, sz); + GNUTLS_NAME_DNS, state->tlsp->sni, sz); exim_gnutls_err_check(US"gnutls_server_name_set"); } } diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index 9609d6252..18994eaa9 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -436,14 +436,11 @@ const char *pem; if (!expand_check(dhparam, US"tls_dhparam", &dhexpanded)) return FALSE; -if (dhexpanded == NULL || *dhexpanded == '\0') - { +if (!dhexpanded || !*dhexpanded) bio = BIO_new_mem_buf(CS std_dh_prime_default(), -1); - } else if (dhexpanded[0] == '/') { - bio = BIO_new_file(CS dhexpanded, "r"); - if (bio == NULL) + if (!(bio = BIO_new_file(CS dhexpanded, "r"))) { tls_error(string_sprintf("could not read dhparams file %s", dhexpanded), host, US strerror(errno)); @@ -458,8 +455,7 @@ else return TRUE; } - pem = std_dh_prime_named(dhexpanded); - if (!pem) + if (!(pem = std_dh_prime_named(dhexpanded))) { tls_error(string_sprintf("Unknown standard DH prime \"%s\"", dhexpanded), host, US strerror(errno)); @@ -468,8 +464,7 @@ else bio = BIO_new_mem_buf(CS pem, -1); } -dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL); -if (dh == NULL) +if (!(dh = PEM_read_bio_DHparams(bio, NULL, NULL, NULL))) { BIO_free(bio); tls_error(string_sprintf("Could not read tls_dhparams \"%s\"", dhexpanded), @@ -770,8 +765,7 @@ if (!reexpand_tls_files_for_sni) not confident that memcpy wouldn't break some internal reference counting. Especially since there's a references struct member, which would be off. */ -server_sni = SSL_CTX_new(SSLv23_server_method()); -if (!server_sni) +if (!(server_sni = SSL_CTX_new(SSLv23_server_method()))) { ERR_error_string(ERR_get_error(), ssl_errstring); DEBUG(D_tls) debug_printf("SSL_CTX_new() failed: %s\n", ssl_errstring); @@ -805,8 +799,8 @@ OCSP information. */ rc = tls_expand_session_files(server_sni, cbinfo); if (rc != OK) return SSL_TLSEXT_ERR_NOACK; -rc = init_dh(server_sni, cbinfo->dhparam, NULL); -if (rc != OK) return SSL_TLSEXT_ERR_NOACK; +if (!init_dh(server_sni, cbinfo->dhparam, NULL)) + return SSL_TLSEXT_ERR_NOACK; DEBUG(D_tls) debug_printf("Switching SSL context.\n"); SSL_set_SSL_CTX(s, server_sni); @@ -1052,6 +1046,7 @@ else cbinfo->u_ocsp.client.verify_store = NULL; #endif cbinfo->dhparam = dhparam; +cbinfo->server_cipher_list = NULL; cbinfo->host = host; SSL_load_error_strings(); /* basic set up */ |