diff options
| author |   gilles <gilles@openbsd.org> | 2020-01-20 10:18:20 +0000 |
|---|---|---|
| committer | gilles <gilles@openbsd.org> | 2020-01-20 10:18:20 +0000 |
| commit | c81d35816293d44b72395d35db7c319845cdaaf3 (patch) | |
| tree | 6e9c600b87e981fc1c620c8605c2369e1d01a51c /usr.sbin/smtpd | |
| parent | Update libtls config regress to include TLSv1.3. (diff) | |
| download | wireguard-openbsd-c81d35816293d44b72395d35db7c319845cdaaf3.tar.xz wireguard-openbsd-c81d35816293d44b72395d35db7c319845cdaaf3.zip | |
opportunistic tls downgrade logic is more complex than it should and can in
some cases lead to a sanity check fatal() being hit. rework the logic so it
is simpler and makes the sanity check fatal() unreachable.
ok eric@ millert@
Diffstat (limited to 'usr.sbin/smtpd')
| -rw-r--r-- | usr.sbin/smtpd/mta_session.c | 32 |
1 files changed, 6 insertions, 26 deletions
diff --git a/usr.sbin/smtpd/mta_session.c b/usr.sbin/smtpd/mta_session.c index 3a7535d5988..9459d69275f 100644 --- a/usr.sbin/smtpd/mta_session.c +++ b/usr.sbin/smtpd/mta_session.c @@ -1,4 +1,4 @@ -/* $OpenBSD: mta_session.c,v 1.129 2020/01/08 00:05:38 gilles Exp $ */ +/* $OpenBSD: mta_session.c,v 1.130 2020/01/20 10:18:20 gilles Exp $ */ /* * Copyright (c) 2008 Pierre-Yves Ritschard <pyr@openbsd.org> @@ -1373,40 +1373,20 @@ mta_io(struct io *io, int evt, void *arg) break; case IO_ERROR: + case IO_TLSERROR: log_debug("debug: mta: %p: IO error: %s", s, io_error(io)); - if (!s->ready) { - mta_error(s, "IO Error: %s", io_error(io)); - mta_connect(s); - break; - } - else if (!(s->flags & (MTA_FORCE_TLS|MTA_FORCE_SMTPS|MTA_FORCE_ANYSSL))) { - /* error in non-strict SSL negotiation, downgrade to plain */ - if (s->flags & MTA_TLS) { - log_info("smtp-out: Error on session %016"PRIx64 - ": opportunistic TLS failed, " - "downgrading to plain", s->id); - s->flags &= ~MTA_TLS; - s->flags |= MTA_DOWNGRADE_PLAIN; - mta_connect(s); - break; - } - } - mta_error(s, "IO Error: %s", io_error(io)); - mta_free(s); - break; - case IO_TLSERROR: - log_debug("debug: mta: %p: TLS IO error: %s", s, io_error(io)); - if (!(s->flags & (MTA_FORCE_TLS|MTA_FORCE_SMTPS|MTA_FORCE_ANYSSL))) { + if (s->state == MTA_STARTTLS && s->use_smtp_tls) { /* error in non-strict SSL negotiation, downgrade to plain */ - log_info("smtp-out: TLS Error on session %016"PRIx64 - ": TLS failed, " + log_info("smtp-out: Error on session %016"PRIx64 + ": opportunistic TLS failed, " "downgrading to plain", s->id); s->flags &= ~MTA_TLS; s->flags |= MTA_DOWNGRADE_PLAIN; mta_connect(s); break; } + mta_error(s, "IO Error: %s", io_error(io)); mta_free(s); break; |