From 8c74b00980bc7e3e479e8dfcd7c0008b2ac3f543 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Thu, 19 May 2022 14:23:02 +0100 Subject: [PATCH 1/2] GnuTLS: Do not free the cached creds on transport connection close. Bug 2886 --- doc/ChangeLog | 4 ++ src/tls-gnu.c | 8 ++-- test/confs/2011 | 72 +++++++++++++++++++++++++++++++++++ test/log/2011 | 13 +++++++ test/rejectlog/2011 | 3 ++ test/scripts/2000-GnuTLS/2011 | 20 ++++++++++ 6 files changed, 115 insertions(+), 5 deletions(-) create mode 100644 test/confs/2011 create mode 100644 test/log/2011 create mode 100644 test/rejectlog/2011 create mode 100644 test/scripts/2000-GnuTLS/2011 --- a/doc/ChangeLog +++ b/doc/ChangeLog @@ -14,10 +14,14 @@ JH/18 Bug 2751: Fix include_directory in redirect routers. Previously a bad comparison between the option value and the name of the file to be included was done, and a mismatch was wrongly identified. 4.88 to 4.95 are affected. +JH/31 Bug 2886: GnuTLS: Do not free the cached creds on transport connection + close; it may be needed for a subsequent connection. This caused a + SEGV on primary-MX defer. Found/investigated by Gedalya & Andreas. + Exim version 4.95 ----------------- JH/01 Bug 1329: Fix format of Maildir-format filenames to match other mail- --- a/src/tls-gnu.c +++ b/src/tls-gnu.c @@ -1584,10 +1584,13 @@ /* Preload whatever creds are static, onto a transport. The client can then just copy the pointer as it starts up. */ +/*XXX this is not called for a cmdline send. But one needing to use >1 conn would benefit, +and there seems little downside. */ + static void tls_client_creds_init(transport_instance * t, BOOL watch) { smtp_transport_options_block * ob = t->options_block; exim_gnutls_state_st tpt_dummy_state; 
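Review bot: The header comment on `tls_client_creds_init` should state the ownership contract this commit now relies on: the preloaded creds belong to the transport instance and must not be freed by a per-connection close or handshake-failure path, because a later connection (e.g. the fallback MX after a primary-MX defer named in the ChangeLog) copies and reuses the same pointer. A line such as `/* The creds are owned by the transport; per-connection teardown must not free them, as a subsequent connection may reuse them. */` would put the invariant where the creds are created rather than only in the ChangeLog. The added `XXX` note would also be clearer if it named the path it means by "cmdline send" and what currently happens there (presumably creds are built per connection), since that path is outside this hunk and a later reader cannot tell from the comment alone. The function body continues past the end of the hunk.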
@@ -3059,12 +3062,10 @@ else { tls_error_gnu(state, US"gnutls_handshake", rc, errstr); (void) gnutls_alert_send_appropriate(state->session, rc); gnutls_deinit(state->session); - gnutls_certificate_free_credentials(state->lib_state.x509_cred); - state->lib_state = null_tls_preload; millisleep(500); shutdown(state->fd_out, SHUT_WR); for (int i = 1024; fgetc(smtp_in) != EOF && i > 0; ) i--; /* drain skt */ (void)fclose(smtp_out); (void)fclose(smtp_in); @@ -3747,13 +3748,10 @@ receive_ferror = smtp_ferror; receive_smtp_buffered = smtp_buffered; } gnutls_deinit(state->session); -gnutls_certificate_free_credentials(state->lib_state.x509_cred); -state->lib_state = null_tls_preload; - tlsp->active.sock = -1; tlsp->active.tls_ctx = NULL; /* Leave bits, peercert, cipher, peerdn, certificate_verified set, for logging */ tlsp->channelbinding = NULL;
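Review bot: With the `gnutls_certificate_free_credentials` and `null_tls_preload` lines removed, this handshake-failure path keeps `state->lib_state.x509_cred` alive unconditionally, which is correct for creds cached on the transport but leaks them if this path is ever entered with creds built for this connection alone (the comment added earlier in the patch suggests preloading is skipped for a cmdline send). Recording ownership where the creds are attached, e.g. a `BOOL creds_cached` next to `x509_cred`, and freeing only when it is false — `if (!state->lib_state.creds_cached) gnutls_certificate_free_credentials(state->lib_state.x509_cred);` — would keep both the use-after-free fix and the cleanup. Note that this hunk drains and closes `smtp_in`/`smtp_out`, i.e. it appears to be the server-side accept path rather than the transport close the commit description talks about, so it is worth confirming the same ownership reasoning applies here. The enclosing function starts before and ends after the hunk.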