Implement dane_require_tls_ciphers (theoretically)

[exim.git] / src / src / tls-gnu.c

diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 6de0f023ad771521f2b6419882b50360da172059..0d20fea34ba3df75c876c4a940cbeb54e610dc21 100644 (file)
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -156,8 +156,8 @@ typedef struct exim_gnutls_state {
   uschar *xfer_buffer;
   int xfer_buffer_lwm;
   int xfer_buffer_hwm;
-  int xfer_eof;
-  int xfer_error;
+  BOOL xfer_eof;       /*XXX never gets set! */
+  BOOL xfer_error;
 } exim_gnutls_state_st;
 
 static const exim_gnutls_state_st exim_gnutls_state_init = {
@@ -198,8 +198,8 @@ static const exim_gnutls_state_st exim_gnutls_state_init = {
   .xfer_buffer =       NULL,
   .xfer_buffer_lwm =   0,
   .xfer_buffer_hwm =   0,
-  .xfer_eof =          0,
-  .xfer_error =                0,
+  .xfer_eof =          FALSE,
+  .xfer_error =                FALSE,
 };
 
 /* Not only do we have our own APIs which don't pass around state, assuming
@@ -1681,7 +1681,7 @@ else
                        1, 0))
         || (rc = dane_verify_crt_raw(s, certlist, lsize,
                        gnutls_certificate_type_get(state->session),
-                       r, 0, 
+                       r, 0,
 # ifdef GNUTLS_BROKEN_DANE_VALIDATION
                        usage == (1 << DANESSL_USAGE_DANE_EE)
                        ? DANE_VFLAG_ONLY_CHECK_EE_USAGE : 0,
@@ -2260,6 +2260,7 @@ smtp_transport_options_block *ob =
   (smtp_transport_options_block *)tb->options_block;
 int rc;
 exim_gnutls_state_st * state = NULL;
+uschar *cipher_list = NULL;
 #ifndef DISABLE_OCSP
 BOOL require_ocsp =
   verify_check_given_host(&ob->hosts_require_ocsp, host) == OK;
@@ -2269,9 +2270,26 @@ BOOL request_ocsp = require_ocsp ? TRUE
 
 DEBUG(D_tls) debug_printf("initialising GnuTLS as a client on fd %d\n", fd);
 
+#ifdef SUPPORT_DANE
+if (ob->dane_require_tls_ciphers)
+  {
+  /* not using expand_check_tlsvar because not yet in state */
+  if (!expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers",
+      &cipher_list, errstr))
+    return DEFER;
+  if (cipher_list && *cipher_list)
+    cipher_list = ob->dane_require_tls_ciphers;
+  else
+    cipher_list = ob->tls_require_ciphers;
+  }
+#endif
+
+if (!cipher_list)
+  cipher_list = ob->tls_require_ciphers;
+
 if ((rc = tls_init(host, ob->tls_certificate, ob->tls_privatekey,
     ob->tls_sni, ob->tls_verify_certificates, ob->tls_crl,
-    ob->tls_require_ciphers, &state, errstr)) != OK)
+    cipher_list, &state, errstr)) != OK)
   return rc;
 
   {
@@ -2505,7 +2523,7 @@ alarm(0);
 if (sigalrm_seen)
   {
   DEBUG(D_tls) debug_printf("Got tls read timeout\n");
-  state->xfer_error = 1;
+  state->xfer_error = TRUE;
   return FALSE;
   }
 
@@ -2541,7 +2559,7 @@ else if (inbytes == 0)
 else if (inbytes < 0)
   {
   record_io_error(state, (int) inbytes, US"recv", NULL);
-  state->xfer_error = 1;
+  state->xfer_error = TRUE;
   return FALSE;
   }
 #ifndef DISABLE_DKIM