+ return tls_error_gnu(state, US"setting certificate trust", cert_count, errstr);
+DEBUG(D_tls)
+ debug_printf("Added %d certificate authorities\n", cert_count);
+
+return OK;
+}
+
+
+static int
+creds_load_crl(exim_gnutls_state_st * state, const uschar * crl, uschar ** errstr)
+{
+int cert_count;
+DEBUG(D_tls) debug_printf("loading CRL file = %s\n", crl);
+if ((cert_count = gnutls_certificate_set_x509_crl_file(state->lib_state.x509_cred,
+ CS crl, GNUTLS_X509_FMT_PEM)) < 0)
+ return tls_error_gnu(state, US"gnutls_certificate_set_x509_crl_file",
+ cert_count, errstr);
+
+DEBUG(D_tls) debug_printf("Processed %d CRLs\n", cert_count);
+return OK;
+}
+
+
+static int
+creds_load_pristring(exim_gnutls_state_st * state, const uschar * p,
+ const char ** errpos)
+{
+if (!p)
+ {
+ p = exim_default_gnutls_priority;
+ DEBUG(D_tls)
+ debug_printf("GnuTLS using default session cipher/priority \"%s\"\n", p);
+ }
+return gnutls_priority_init( (gnutls_priority_t *) &state->lib_state.pri_cache,
+ CCS p, errpos);
+}
+
+static unsigned
+tls_server_creds_init(void)
+{
+uschar * dummy_errstr;
+unsigned lifetime = 0;
+
+state_server.lib_state = null_tls_preload;
+if (gnutls_certificate_allocate_credentials(
+ (gnutls_certificate_credentials_t *) &state_server.lib_state.x509_cred))
+ {
+ state_server.lib_state.x509_cred = NULL;
+ return lifetime;
+ }
+creds_basic_init(state_server.lib_state.x509_cred, TRUE);
+
+#if defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT)
+/* If tls_certificate has any $ indicating expansions, it is not good.
+If tls_privatekey is set but has $, not good. Likewise for tls_ocsp_file.
+If all good (and tls_certificate set), load the cert(s). */
+
+if ( opt_set_and_noexpand(tls_certificate)
+# ifndef DISABLE_OCSP
+ && opt_unset_or_noexpand(tls_ocsp_file)
+# endif
+ && opt_unset_or_noexpand(tls_privatekey))
+ {
+ /* Set watches on the filenames. The implementation does de-duplication
+ so we can just blindly do them all.
+ */
+
+ if ( tls_set_watch(tls_certificate, TRUE)
+# ifndef DISABLE_OCSP
+ && tls_set_watch(tls_ocsp_file, TRUE)
+# endif
+ && tls_set_watch(tls_privatekey, TRUE))
+ {
+ DEBUG(D_tls) debug_printf("TLS: preloading server certs\n");
+ if (creds_load_server_certs(&state_server, tls_certificate,
+ tls_privatekey && *tls_privatekey ? tls_privatekey : tls_certificate,
+# ifdef DISABLE_OCSP
+ NULL,
+# else
+ tls_ocsp_file,
+# endif
+ &dummy_errstr) == 0)
+ state_server.lib_state.conn_certs = TRUE;
+ }
+ }
+else if ( !tls_certificate && !tls_privatekey
+# ifndef DISABLE_OCSP
+ && !tls_ocsp_file
+# endif
+ )
+ { /* Generate & preload a selfsigned cert. No files to watch. */
+ if ((tls_install_selfsign(&state_server, &dummy_errstr)) == OK)
+ {
+ state_server.lib_state.conn_certs = TRUE;
+ lifetime = f.running_in_test_harness ? 2 : 60 * 60; /* 1 hour */
+ }
+ }
+else
+ DEBUG(D_tls) debug_printf("TLS: not preloading server certs\n");
+
+/* If tls_verify_certificates is non-empty and has no $, load CAs.
+If none was configured and we can't handle "system", treat as empty. */
+
+if ( opt_set_and_noexpand(tls_verify_certificates)
+#ifndef SUPPORT_SYSDEFAULT_CABUNDLE
+ && Ustrcmp(tls_verify_certificates, "system") != 0
+#endif
+ )
+ {
+ if (tls_set_watch(tls_verify_certificates, FALSE))
+ {
+ DEBUG(D_tls) debug_printf("TLS: preloading CA bundle for server\n");
+ if (creds_load_cabundle(&state_server, tls_verify_certificates,
+ NULL, &dummy_errstr) != OK)
+ return lifetime;
+ state_server.lib_state.cabundle = TRUE;
+
+ /* If CAs loaded and tls_crl is non-empty and has no $, load it */
+
+ if (opt_set_and_noexpand(tls_crl))
+ {
+ if (tls_set_watch(tls_crl, FALSE))
+ {
+ DEBUG(D_tls) debug_printf("TLS: preloading CRL for server\n");
+ if (creds_load_crl(&state_server, tls_crl, &dummy_errstr) != OK)
+ return lifetime;
+ state_server.lib_state.crl = TRUE;
+ }
+ }
+ else
+ DEBUG(D_tls) debug_printf("TLS: not preloading CRL for server\n");
+ }
+ }
+else
+ DEBUG(D_tls) debug_printf("TLS: not preloading CA bundle for server\n");
+#endif /* EXIM_HAVE_INOTIFY */
+
+/* If tls_require_ciphers is non-empty and has no $, load the
+ciphers priority cache. If unset, load with the default.
+(server-only as the client one depends on non/DANE) */
+
+if (!tls_require_ciphers || opt_set_and_noexpand(tls_require_ciphers))
+ {
+ const char * dummy_errpos;
+ DEBUG(D_tls) debug_printf("TLS: preloading cipher list for server: %s\n",
+ tls_require_ciphers);
+ if ( creds_load_pristring(&state_server, tls_require_ciphers, &dummy_errpos)
+ == OK)
+ state_server.lib_state.pri_string = TRUE;
+ }
+else
+ DEBUG(D_tls) debug_printf("TLS: not preloading cipher list for server\n");
+return lifetime;
+}
+
+
+/* Preload whatever creds are static, onto a transport. The client can then
+just copy the pointer as it starts up. */
+
+/*XXX this is not called for a cmdline send. But one needing to use >1 conn would benefit,
+and there seems little downside. */
+
+static void
+tls_client_creds_init(transport_instance * t, BOOL watch)
+{
+smtp_transport_options_block * ob = t->drinst.options_block;
+const uschar * trname = t->drinst.name;
+exim_gnutls_state_st tpt_dummy_state;
+host_item * dummy_host = (host_item *)1;
+uschar * dummy_errstr;
+
+if ( !exim_gnutls_base_init_done
+ && tls_g_init(&dummy_errstr) != OK)
+ return;
+
+ob->tls_preload = null_tls_preload;
+if (gnutls_certificate_allocate_credentials(
+ (struct gnutls_certificate_credentials_st **)&ob->tls_preload.x509_cred))
+ {
+ ob->tls_preload.x509_cred = NULL;
+ return;
+ }
+creds_basic_init(ob->tls_preload.x509_cred, FALSE);
+
+tpt_dummy_state.session = NULL;
+tpt_dummy_state.lib_state = ob->tls_preload;
+
+#if defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT)
+if ( opt_set_and_noexpand(ob->tls_certificate)
+ && opt_unset_or_noexpand(ob->tls_privatekey))
+ {
+ if ( !watch
+ || ( tls_set_watch(ob->tls_certificate, FALSE)
+ && tls_set_watch(ob->tls_privatekey, FALSE)
+ ) )
+ {
+ const uschar * pkey = ob->tls_privatekey;
+
+ DEBUG(D_tls)
+ debug_printf("TLS: preloading client certs for transport '%s'\n", trname);
+
+ /* The state->lib_state.x509_cred is used for the certs load, and is the sole
+ structure element used. So we can set up a dummy. The hoat arg only
+ selects a retcode in case of fail, so any value */
+
+ if (creds_load_client_certs(&tpt_dummy_state, dummy_host,
+ ob->tls_certificate, pkey ? pkey : ob->tls_certificate,
+ &dummy_errstr) == OK)
+ ob->tls_preload.conn_certs = TRUE;
+ }
+ }
+else
+ DEBUG(D_tls)
+ debug_printf("TLS: not preloading client certs, for transport '%s'\n", trname);
+
+/* If tls_verify_certificates is non-empty and has no $, load CAs.
+If none was configured and we can't handle "system", treat as empty. */
+
+if ( opt_set_and_noexpand(ob->tls_verify_certificates)
+#ifndef SUPPORT_SYSDEFAULT_CABUNDLE
+ && Ustrcmp(ob->tls_verify_certificates, "system") != 0
+#endif
+ )
+ {
+ if (!watch || tls_set_watch(ob->tls_verify_certificates, FALSE))
+ {
+ DEBUG(D_tls)
+ debug_printf("TLS: preloading CA bundle for transport '%s'\n", trname);
+ if (creds_load_cabundle(&tpt_dummy_state, ob->tls_verify_certificates,
+ dummy_host, &dummy_errstr) != OK)
+ return;
+ ob->tls_preload.cabundle = TRUE;
+
+ if (opt_set_and_noexpand(ob->tls_crl))
+ {
+ if (!watch || tls_set_watch(ob->tls_crl, FALSE))
+ {
+ DEBUG(D_tls) debug_printf("TLS: preloading CRL for transport '%s'\n", trname);
+ if (creds_load_crl(&tpt_dummy_state, ob->tls_crl, &dummy_errstr) != OK)
+ return;
+ ob->tls_preload.crl = TRUE;
+ }
+ }
+ else
+ DEBUG(D_tls) debug_printf("TLS: not preloading CRL, for transport '%s'\n", trname);
+ }
+ }
+else
+ DEBUG(D_tls)
+ debug_printf("TLS: not preloading CA bundle, for transport '%s'\n", trname);
+
+/* We do not preload tls_require_ciphers to to the transport as it implicitly
+depends on DANE or plain usage. */
+
+#endif
+}
+
+
+#if defined(EXIM_HAVE_INOTIFY) || defined(EXIM_HAVE_KEVENT)
+/* Invalidate the creds cached, by dropping the current ones.
+Call when we notice one of the source files has changed. */
+
+static void
+tls_server_creds_invalidate(void)
+{
+if (state_server.lib_state.pri_cache)
+ gnutls_priority_deinit(state_server.lib_state.pri_cache);
+state_server.lib_state.pri_cache = NULL;
+
+if (state_server.lib_state.x509_cred)
+ gnutls_certificate_free_credentials(state_server.lib_state.x509_cred);
+state_server.lib_state = null_tls_preload;
+}
+
+
+static void
+tls_client_creds_invalidate(transport_instance * t)
+{
+smtp_transport_options_block * ob = t->drinst.options_block;
+if (ob->tls_preload.x509_cred)
+ gnutls_certificate_free_credentials(ob->tls_preload.x509_cred);
+ob->tls_preload = null_tls_preload;
+}
+#endif
+
+
+/*************************************************
+* Variables re-expanded post-SNI *
+*************************************************/
+
+/* Called from both server and client code, via tls_init(), and also from
+the SNI callback after receiving an SNI, if tls_certificate includes "tls_sni".
+
+We can tell the two apart by state->received_sni being non-NULL in callback.
+
+The callback should not call us unless state->trigger_sni_changes is true,
+which we are responsible for setting on the first pass through.
+
+Arguments:
+ state exim_gnutls_state_st *
+ errstr error string pointer
+
+Returns: OK/DEFER/FAIL
+*/
+
+static int
+tls_expand_session_files(exim_gnutls_state_st * state, uschar ** errstr)
+{
+int rc;
+const host_item *host = state->host; /* macro should be reconsidered? */
+const uschar *saved_tls_certificate = NULL;
+const uschar *saved_tls_privatekey = NULL;
+const uschar *saved_tls_verify_certificates = NULL;
+const uschar *saved_tls_crl = NULL;
+int cert_count;
+
+/* We check for tls_sni *before* expansion. */
+if (!host) /* server */
+ if (!state->received_sni)
+ {
+ if ( state->tls_certificate
+ && ( Ustrstr(state->tls_certificate, US"tls_sni")
+ || Ustrstr(state->tls_certificate, US"tls_in_sni")
+ || Ustrstr(state->tls_certificate, US"tls_out_sni")
+ ) )
+ {
+ DEBUG(D_tls) debug_printf("We will re-expand TLS session files if we receive SNI\n");
+ state->trigger_sni_changes = TRUE;
+ }
+ }
+ else /* SNI callback case */
+ {
+ /* useful for debugging */
+ saved_tls_certificate = state->exp_tls_certificate;
+ saved_tls_privatekey = state->exp_tls_privatekey;
+ saved_tls_verify_certificates = state->exp_tls_verify_certificates;
+ saved_tls_crl = state->exp_tls_crl;
+ }
+
+if (!state->lib_state.x509_cred)
+ {
+ if ((rc = gnutls_certificate_allocate_credentials(
+ (gnutls_certificate_credentials_t *) &state->lib_state.x509_cred)))
+ return tls_error_gnu(state, US"gnutls_certificate_allocate_credentials",
+ rc, errstr);
+ creds_basic_init(state->lib_state.x509_cred, !host);
+ }
+
+
+/* remember: Expand_check_tlsvar() is expand_check() but fiddling with
+state members, assuming consistent naming; and expand_check() returns
+false if expansion failed, unless expansion was forced to fail. */
+
+/* check if we at least have a certificate, before doing expensive
+D-H generation. */
+
+if (!state->lib_state.conn_certs)
+ {
+ if ( !Expand_check_tlsvar(tls_certificate, errstr)
+ || f.expand_string_forcedfail)
+ {
+ if (f.expand_string_forcedfail)
+ *errstr = US"expansion of tls_certificate failed";
+ return DEFER;
+ }
+
+ /* certificate is mandatory in server, optional in client */
+
+ if ( !state->exp_tls_certificate
+ || !*state->exp_tls_certificate
+ )
+ if (!host)
+ return tls_install_selfsign(state, errstr);
+ else
+ DEBUG(D_tls) debug_printf("TLS: no client certificate specified; okay\n");
+
+ if ( state->tls_privatekey && !Expand_check_tlsvar(tls_privatekey, errstr)
+ || f.expand_string_forcedfail
+ )
+ {
+ if (f.expand_string_forcedfail)
+ *errstr = US"expansion of tls_privatekey failed";
+ return DEFER;
+ }
+
+ /* tls_privatekey is optional, defaulting to same file as certificate */
+
+ if (!state->tls_privatekey || !*state->tls_privatekey)
+ {
+ state->tls_privatekey = state->tls_certificate;
+ state->exp_tls_privatekey = state->exp_tls_certificate;
+ }
+
+ if (state->exp_tls_certificate && *state->exp_tls_certificate)
+ {
+ BOOL load = TRUE;
+ DEBUG(D_tls) debug_printf("certificate file = %s\nkey file = %s\n",
+ state->exp_tls_certificate, state->exp_tls_privatekey);
+
+ if (state->received_sni)
+ if ( Ustrcmp(state->exp_tls_certificate, saved_tls_certificate) == 0
+ && Ustrcmp(state->exp_tls_privatekey, saved_tls_privatekey) == 0
+ )
+ {
+ DEBUG(D_tls) debug_printf("TLS SNI: cert and key unchanged\n");
+ load = FALSE; /* avoid re-loading the same certs */
+ }
+ else /* unload the pre-SNI certs before loading new ones */
+ {
+ DEBUG(D_tls) debug_printf("TLS SNI: have a changed cert/key pair\n");
+ gnutls_certificate_free_keys(state->lib_state.x509_cred);
+ }
+
+ if ( load
+ && (rc = host
+ ? creds_load_client_certs(state, host, state->exp_tls_certificate,
+ state->exp_tls_privatekey, errstr)
+ : creds_load_server_certs(state, state->exp_tls_certificate,
+ state->exp_tls_privatekey,
+#ifdef DISABLE_OCSP
+ NULL,
+#else
+ tls_ocsp_file,
+#endif
+ errstr)
+ ) )
+ {
+ DEBUG(D_tls) debug_printf("load-cert: '%s'\n", *errstr);
+ return rc;
+ }
+ }
+ }
+else