From c91535f35c1f54bb30e5611791c93e78f2efd5d0 Mon Sep 17 00:00:00 2001
From: Philip Hazel
Date: Tue, 14 Feb 2006 14:12:06 +0000
Subject: [PATCH] Fix GnuTLS privatekey forced fail bug; in both TLS's treat an empty privatekey as unset.
---
 doc/doc-txt/ChangeLog | 6 +++++-
 doc/doc-txt/NewStuff | 5 ++++-
 src/src/tls-gnu.c | 11 +++++++++--
 src/src/tls-openssl.c | 12 ++++++++----
 4 files changed, 26 insertions(+), 8 deletions(-)
diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index 522adcb0c..7c3a03f51 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -1,4 +1,4 @@
-$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.296 2006/02/14 10:26:26 ph10 Exp $
+$Cambridge: exim/doc/doc-txt/ChangeLog,v 1.297 2006/02/14 14:12:06 ph10 Exp $
 Change log file for Exim from version 4.21
 -------------------------------------------
@@ -154,6 +154,10 @@ PH/28 An enabling patch from MH: add new function child_open_exim2() which submitting a message from within Exim. Since child_open_exim() is documented for local_scan(), the new function should be too.
+PH/29 In GnuTLS, a forced expansion failure for tls_privatekey was not being
+ ignored. In both GnuTLS and OpenSSL, an expansion of tls_privatekey that
+ results in an empty string is now treated as unset.
+
 Exim version 4.60
 -----------------
diff --git a/doc/doc-txt/NewStuff b/doc/doc-txt/NewStuff
index 0cc752e52..d4c307cff 100644
--- a/doc/doc-txt/NewStuff
+++ b/doc/doc-txt/NewStuff
@@ -1,4 +1,4 @@
-$Cambridge: exim/doc/doc-txt/NewStuff,v 1.83 2006/02/13 12:02:59 ph10 Exp $
+$Cambridge: exim/doc/doc-txt/NewStuff,v 1.84 2006/02/14 14:12:06 ph10 Exp $
 New Features in Exim
 --------------------
@@ -46,6 +46,9 @@ PH/05 The "control=freeze" ACL modifier can now be followed by /no_tell. If "control=freeze" modifiers that are obeyed in the current message have the /no_tell option.
+PH/06 In both GnuTLS and OpenSSL, an expansion of tls_privatekey that results
+ in an empty string is now treated as unset.
+
 Version 4.60
 ------------
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index fa3073642..31f226b4e 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/src/src/tls-gnu.c,v 1.11 2006/02/07 11:19:00 ph10 Exp $ */
+/* $Cambridge: exim/src/src/tls-gnu.c,v 1.12 2006/02/14 14:12:07 ph10 Exp $ */
 /*************************************************
 * Exim - an Internet mail transport agent *
@@ -455,12 +455,19 @@ may be required for different sessions. */
 if (!expand_check(certificate, US"tls_certificate", &cert_expanded))
 return DEFER;
+key_expanded = NULL;
 if (privatekey != NULL)
 {
 if (!expand_check(privatekey, US"tls_privatekey", &key_expanded))
 return DEFER;
 }
-else key_expanded = cert_expanded;
+
+/* If expansion was forced to fail, key_expanded will be NULL. If the result of
+the expansion is an empty string, ignore it also, and assume that the private
+key is in the same file as the certificate. */
+
+if (key_expanded == NULL || *key_expanded == 0)
+ key_expanded = cert_expanded;
 /* Set the certificate and private keys */
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index f20c6f4f0..146cb6293 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -1,4 +1,4 @@
-/* $Cambridge: exim/src/src/tls-openssl.c,v 1.6 2006/02/07 11:19:00 ph10 Exp $ */
+/* $Cambridge: exim/src/src/tls-openssl.c,v 1.7 2006/02/14 14:12:07 ph10 Exp $ */
 /*************************************************
 * Exim - an Internet mail transport agent *
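Review bot: The new fallback `if (key_expanded == NULL || *key_expanded == 0) key_expanded = cert_expanded;` leaves no trace that the configured tls_privatekey was ignored, so a deployment whose key expansion unexpectedly yields an empty string silently starts reading the key from the certificate file; the OpenSSL side of this same patch at least reports the chosen file under DEBUG(D_tls). A trace in the fallback branch would make that visible, e.g. `DEBUG(D_tls) debug_printf("tls_privatekey unset or empty; using the tls_certificate file\n");`. Separately, the preceding expand_check on tls_certificate only returns DEFER on a real failure, so if a forced failure there leaves cert_expanded NULL (the convention the new comment relies on for key_expanded), this assignment propagates NULL into the key-file setup that follows — worth confirming or guarding. The enclosing function starts and ends outside this hunk.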
@@ -290,8 +290,8 @@ Returns: OK/DEFER/FAIL */
 static int
-tls_init(host_item *host, uschar *dhparam, uschar *certificate, uschar *privatekey,
- address_item *addr)
+tls_init(host_item *host, uschar *dhparam, uschar *certificate,
+ uschar *privatekey, address_item *addr)
 {
 SSL_load_error_strings(); /* basic set up */
 OpenSSL_add_ssl_algorithms();
@@ -386,7 +386,11 @@ if (certificate != NULL)
 !expand_check(privatekey, US"tls_privatekey", &expanded))
 return DEFER;
- if (expanded != NULL)
+ /* If expansion was forced to fail, key_expanded will be NULL. If the result
+ of the expansion is an empty string, ignore it also, and assume the private
+ key is in the same file as the certificate. */
+
+ if (expanded != NULL && *expanded != 0)
 {
 DEBUG(D_tls) debug_printf("tls_privatekey file %s\n", expanded);
 if (!SSL_CTX_use_PrivateKey_file(ctx, CS expanded, SSL_FILETYPE_PEM))
--
2.25.1
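Review bot: The new comment in the second hunk refers to `key_expanded`, but the variable tested on the next line and printed by the debug_printf below is `expanded`; the text was evidently carried over from tls-gnu.c, so the first sentence should read `/* If expansion was forced to fail, expanded will be NULL. If the result`. The condition `expanded != NULL && *expanded != 0` itself matches the GnuTLS check in the same patch. What happens when the test fails — whether the private key is really taken from the certificate file, as the comment asserts — lies outside the hunk, as does the rest of the enclosing `if (certificate != NULL)` block, apparently still inside tls_init.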