#endif
+/*************************************************
+* Handle TLS error *
+*************************************************/
+
+/* Called from lots of places when errors occur before actually starting to do
+the TLS handshake, that is, while the session is still in clear. Always returns
+DEFER for a server and FAIL for a client so that most calls can use "return
+tls_error(...)" to do this processing and then give an appropriate return. A
+single function is used for both server and client, because it is called from
+some shared functions.
+
+Argument:
+ prefix text to include in the logged error
+ msg additional error string (may be NULL)
+ usually obtained from gnutls_strerror()
+ host NULL if setting up a server;
+ the connected host if setting up a client
+ errstr pointer to returned error string
+
+Returns: OK/DEFER/FAIL
+*/
+
+static int
+tls_error(const uschar *prefix, const uschar *msg, const host_item *host,
+ uschar ** errstr)
+{
+if (errstr)
+ *errstr = string_sprintf("(%s)%s%s", prefix, msg ? ": " : "", msg ? msg : US"");
+return host ? FAIL : DEFER;
+}
+
+
+static int
+tls_error_gnu(const uschar *prefix, int err, const host_item *host,
+ uschar ** errstr)
+{
+return tls_error(prefix, US gnutls_strerror(err), host, errstr);
+}
+
+static int
+tls_error_sys(const uschar *prefix, int err, const host_item *host,
+ uschar ** errstr)
+{
+return tls_error(prefix, US strerror(err), host, errstr);
+}
+
+
/* ------------------------------------------------------------------------ */
/* Initialisation */
#endif
-static void
-tls_g_init(void)
+static int
+tls_g_init(uschar ** errstr)
{
+int rc;
DEBUG(D_tls) debug_printf("GnuTLS global init required\n");
#if defined(HAVE_GNUTLS_PKCS11) && !defined(GNUTLS_AUTO_PKCS11_MANUAL)
if (!gnutls_allow_auto_pkcs11)
if ((rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL)))
- return tls_error_gnu(US"gnutls_pkcs11_init", rc, host, errstr);
+ return tls_error_gnu(US"gnutls_pkcs11_init", rc, NULL, errstr);
#endif
#ifndef GNUTLS_AUTO_GLOBAL_INIT
if ((rc = gnutls_global_init()))
- return tls_error_gnu(US"gnutls_global_init", rc, host, errstr);
+ return tls_error_gnu(US"gnutls_global_init", rc, NULL, errstr);
#endif
#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
#endif
exim_gnutls_base_init_done = TRUE;
+return OK;
}
static void
tls_per_lib_daemon_init(void)
{
+uschar * dummy_errstr;
static BOOL once = FALSE;
if (!exim_gnutls_base_init_done)
- tls_g_init();
+ tls_g_init(&dummy_errstr);
if (!once)
{
}
/* ------------------------------------------------------------------------ */
-/* Static functions */
-
-/*************************************************
-* Handle TLS error *
-*************************************************/
-
-/* Called from lots of places when errors occur before actually starting to do
-the TLS handshake, that is, while the session is still in clear. Always returns
-DEFER for a server and FAIL for a client so that most calls can use "return
-tls_error(...)" to do this processing and then give an appropriate return. A
-single function is used for both server and client, because it is called from
-some shared functions.
-
-Argument:
- prefix text to include in the logged error
- msg additional error string (may be NULL)
- usually obtained from gnutls_strerror()
- host NULL if setting up a server;
- the connected host if setting up a client
- errstr pointer to returned error string
-
-Returns: OK/DEFER/FAIL
-*/
-
-static int
-tls_error(const uschar *prefix, const uschar *msg, const host_item *host,
- uschar ** errstr)
-{
-if (errstr)
- *errstr = string_sprintf("(%s)%s%s", prefix, msg ? ": " : "", msg ? msg : US"");
-return host ? FAIL : DEFER;
-}
-
-
-static int
-tls_error_gnu(const uschar *prefix, int err, const host_item *host,
- uschar ** errstr)
-{
-return tls_error(prefix, US gnutls_strerror(err), host, errstr);
-}
-
-static int
-tls_error_sys(const uschar *prefix, int err, const host_item *host,
- uschar ** errstr)
-{
-return tls_error(prefix, US strerror(err), host, errstr);
-}
-
/*************************************************
* Deal with logging errors during I/O *
}
+# ifdef notdef_crashes
/* Make a note that we saw a status-response */
static int
tls_server_servercerts_ext(void * ctx, unsigned tls_id,
}
return 0;
}
+# endif
/* Callback for certificates packet, on server, if we think we might serve stapled-OCSP */
static int
unsigned when, unsigned int incoming, const gnutls_datum_t * msg)
{
/* Call fn for each extension seen. 3.6.3 onwards */
-#ifdef notdef
-/*XXX crashes */
+# ifdef notdef_crashes
+ /*XXX crashes */
return gnutls_ext_raw_parse(NULL, tls_server_servercerts_ext, msg, 0);
-#endif
+# endif
}
-#endif
+#endif /*SUPPORT_GNUTLS_EXT_RAW_PARSE*/
/*XXX in tls1.3 the cert-status travel as an extension next to the cert, in the
"Handshake Protocol: Certificate" record.
XXX will want to do that later though) due to the lifetime/expiry issue. */
if ( opt_set_and_noexpand(tls_certificate)
- && opt_unset_or_noexpand(tls_privatekey)
- && opt_unset_or_noexpand(tls_ocsp_file))
+# ifndef DISABLE_OCSP
+ && opt_unset_or_noexpand(tls_ocsp_file)
+# endif
+ && opt_unset_or_noexpand(tls_privatekey))
{
/* Set watches on the filenames. The implementation does de-duplication
so we can just blindly do them all.
*/
if ( tls_set_watch(tls_certificate, TRUE)
- && tls_set_watch(tls_privatekey, TRUE)
+# ifndef DISABLE_OCSP
&& tls_set_watch(tls_ocsp_file, TRUE)
- )
+# endif
+ && tls_set_watch(tls_privatekey, TRUE))
{
DEBUG(D_tls) debug_printf("TLS: preloading server certs\n");
if (creds_load_server_certs(&state_server, tls_certificate,
tls_privatekey && *tls_privatekey ? tls_privatekey : tls_certificate,
- tls_ocsp_file, &dummy_errstr) == 0)
+# ifdef DISABLE_OCSP
+ NULL,
+# else
+ tls_ocsp_file,
+# endif
+ &dummy_errstr) == 0)
state_server.lib_state.conn_certs = TRUE;
}
}
host_item * dummy_host = (host_item *)1;
uschar * dummy_errstr;
-if (!exim_gnutls_base_init_done)
- tls_g_init();
+if ( !exim_gnutls_base_init_done
+ && tls_g_init(&dummy_errstr) != OK)
+ return;
ob->tls_preload = null_tls_preload;
if (gnutls_certificate_allocate_credentials(
? creds_load_client_certs(state, host, state->exp_tls_certificate,
state->exp_tls_privatekey, errstr)
: creds_load_server_certs(state, state->exp_tls_certificate,
- state->exp_tls_privatekey, tls_ocsp_file, errstr)
+ state->exp_tls_privatekey,
+#ifdef DISABLE_OCSP
+ NULL,
+#else
+ tls_ocsp_file,
+#endif
+ errstr)
) ) return rc;
}
}
state->exp_tls_certificate = US state->tls_certificate;
state->exp_tls_privatekey = US state->tls_privatekey;
+#ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
if (state->lib_state.ocsp_hook)
gnutls_handshake_set_hook_function(state->session,
GNUTLS_HANDSHAKE_ANY, GNUTLS_HOOK_POST, tls_server_hook_cb);
+#endif
}
if (!state->host)
{
-/*XXX DDD done-bit */
if (!dh_server_params)
if ((rc = init_server_dh(errstr)) != OK) return rc;
/* Unnecessary & discouraged with 3.6.0 or later */
- gnutls_certificate_set_dh_params(state->.lib_statex509_cred, dh_server_params);
+ gnutls_certificate_set_dh_params(state->lib_state.x509_cred, dh_server_params);
}
#endif
int rc;
size_t sz;
-if (!exim_gnutls_base_init_done)
- tls_g_init();
+if ( !exim_gnutls_base_init_done
+ && (rc = tls_g_init(errstr)) != OK)
+ return rc;
if (host)
{
git://git.exim.org / exim.git / blobdiff