static exim_openssl_option exim_openssl_options[] = {
/* KEEP SORTED ALPHABETICALLY! */
#ifdef SSL_OP_ALL
- { US"all", SSL_OP_ALL },
+ { US"all", (long) SSL_OP_ALL },
#endif
#ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
{ US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
# ifdef EXPERIMENTAL_TLS_RESUME
builtin_macro_create_var(US"_RESUME_DECODE", RESUME_DECODE_STRING );
# endif
+# ifdef SSL_OP_NO_TLSv1_3
+builtin_macro_create(US"_HAVE_TLS1_3");
+# endif
}
#else
if (!(key = tk_current())) /* current key doesn't exist or isn't valid */
return 0; /* key couldn't be created */
memcpy(key_name, key->name, 16);
- DEBUG(D_tls) debug_printf("STEK expire %ld\n", key->expire - time(NULL));
+ DEBUG(D_tls) debug_printf("STEK expire " TIME_T_FMT "\n", key->expire - time(NULL));
/*XXX will want these dependent on the ssl session strength */
HMAC_Init_ex(hctx, key->hmac_key, sizeof(key->hmac_key),
DEBUG(D_tls)
{
debug_printf("ticket not usable (%s)\n", key ? "expired" : "not found");
- if (key) debug_printf("STEK expire %ld\n", key->expire - now);
+ if (key) debug_printf("STEK expire " TIME_T_FMT "\n", key->expire - now);
}
return 0;
}
key->hmac_hash, NULL);
EVP_DecryptInit_ex(ctx, key->aes_cipher, NULL, key->aes_key, iv);
- DEBUG(D_tls) debug_printf("ticket usable, STEK expire %ld\n", key->expire - now);
+ DEBUG(D_tls) debug_printf("ticket usable, STEK expire " TIME_T_FMT "\n", key->expire - now);
/* The ticket lifetime and renewal are the same as the STEK lifetime and
renewal, which is overenthusiastic. A factor of, say, 3x longer STEK would
}
supply_response:
- cbinfo->u_ocsp.server.response = resp; /*XXX stack?*/
+ /*XXX stack? (these tag points are for multiple leaf-cert support for ocsp */
+ cbinfo->u_ocsp.server.response = resp;
return;
bad:
/* Make the extension value available for expansion */
store_pool = POOL_PERM;
-tls_in.sni = string_copy(US servername);
+tls_in.sni = string_copy_taint(US servername, TRUE);
store_pool = old_pool;
if (!reexpand_tls_files_for_sni)
debug_printf("decoding session: %s\n", ssl_errstring);
}
}
+#ifdef EXIM_HAVE_SESSION_TICKET
else if ( SSL_SESSION_get_ticket_lifetime_hint(ss) + dt->time_stamp
< time(NULL))
{
DEBUG(D_tls) debug_printf("session expired\n");
dbfn_delete(dbm_file, key);
}
+#endif
else if (!SSL_set_session(ssl, ss))
{
DEBUG(D_tls)
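Review bot: When EXIM_HAVE_SESSION_TICKET is not defined, the new `#ifdef`/`#endif` pair compiles out the only age check visible here, so a record that has sat in the hints DB indefinitely falls straight through to `SSL_set_session(ssl, ss)` on the following line and is never removed by `dbfn_delete`. Unless the non-ticket build bounds the record age somewhere outside this hunk, it would be safer to keep a lifetime test outside the `#ifdef`, using the `dt->time_stamp` already at hand with a fixed maximum age in place of the ticket hint, e.g. `else if (dt->time_stamp + <max resumable age, placeholder> < time(NULL))` with the same `dbfn_delete(dbm_file, key)` body. The enclosing function starts and ends outside the hunk.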
{
int len = i2d_SSL_SESSION(ss, NULL);
int dlen = sizeof(dbdata_tls_session) + len;
- dbdata_tls_session * dt = store_get(dlen);
+ dbdata_tls_session * dt = store_get(dlen, TRUE);
uschar * s = dt->session;
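Review bot: The size handed to `store_get(dlen, TRUE)` on the new line is derived from `i2d_SSL_SESSION(ss, NULL)` without checking its result; OpenSSL reports an encoding failure with a non-positive return, and a negative `len` is converted to a huge `size_t` in the `sizeof(dbdata_tls_session) + len` sum before being narrowed back into `int dlen`, so the allocation no longer matches what is later written into `dt->session`. A guard before the allocation, `if (len <= 0) return <this callback's failure value>;`, closes that. That the encoded session is subsequently written into `s` is inferred, since the enclosing function continues outside the hunk.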
open_db dbblock, * dbm_file;
rc = store_pool;
store_pool = POOL_PERM;
-exim_client_ctx = store_get(sizeof(exim_openssl_client_tls_ctx));
+exim_client_ctx = store_get(sizeof(exim_openssl_client_tls_ctx), FALSE);
exim_client_ctx->corked = NULL;
store_pool = rc;
case SSL_ERROR_ZERO_RETURN:
DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
- receive_getc = smtp_getc;
- receive_getbuf = smtp_getbuf;
- receive_get_cache = smtp_get_cache;
- receive_ungetc = smtp_ungetc;
- receive_feof = smtp_feof;
- receive_ferror = smtp_ferror;
- receive_smtp_buffered = smtp_buffered;
-
if (SSL_get_shutdown(server_ssl) == SSL_RECEIVED_SHUTDOWN)
SSL_shutdown(server_ssl);
-#ifndef DISABLE_OCSP
- sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free);
- server_static_cbinfo->verify_stack = NULL;
-#endif
- SSL_free(server_ssl);
- SSL_CTX_free(server_ctx);
- server_ctx = NULL;
- server_ssl = NULL;
- tls_in.active.sock = -1;
- tls_in.active.tls_ctx = NULL;
- tls_in.bits = 0;
- tls_in.cipher = NULL;
- tls_in.peerdn = NULL;
- tls_in.sni = NULL;
-
+ tls_close(NULL, TLS_NO_SHUTDOWN);
return FALSE;
/* Handle genuine errors */
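Review bot: Replacing the inline teardown with `tls_close(NULL, TLS_NO_SHUTDOWN)` changes which connection state survives the SSL_ERROR_ZERO_RETURN path: the removed lines cleared `tls_in.active.sock`, `tls_in.bits`, `tls_in.cipher`, `tls_in.peerdn` and `tls_in.sni`, whereas the new server-side branch of tls_close in the final hunk (lines 130-140) resets only the receive_* pointers, `tls_in.active.tls_ctx` and `tls_in.sni`, and deliberately keeps bits/cipher/peerdn for logging. Any caller that tests `tls_in.cipher` or `tls_in.active.sock` to decide whether the session is still encrypted will now see stale values after the peer has closed. If tls_close does not reset `tls_in.active.sock` outside the visible lines, add `tls_in.active.sock = -1;` beside the `tls_in.active.tls_ctx = NULL;` line and extend the comment there to say which fields callers may still rely on after close. The enclosing switch and function start and end outside the hunk.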
if ((more || corked))
{
-#ifdef EXPERIMENTAL_PIPE_CONNECT
+#ifdef SUPPORT_PIPE_CONNECT
int save_pool = store_pool;
store_pool = POOL_PERM;
#endif
corked = string_catn(corked, buff, len);
-#ifdef EXPERIMENTAL_PIPE_CONNECT
+#ifdef SUPPORT_PIPE_CONNECT
store_pool = save_pool;
#endif
}
}
-#ifndef DISABLE_OCSP
if (!o_ctx) /* server side */
{
+#ifndef DISABLE_OCSP
sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free);
server_static_cbinfo->verify_stack = NULL;
- }
#endif
+ receive_getc = smtp_getc;
+ receive_getbuf = smtp_getbuf;
+ receive_get_cache = smtp_get_cache;
+ receive_ungetc = smtp_ungetc;
+ receive_feof = smtp_feof;
+ receive_ferror = smtp_ferror;
+ receive_smtp_buffered = smtp_buffered;
+ tls_in.active.tls_ctx = NULL;
+ tls_in.sni = NULL;
+ /* Leave bits, peercert, cipher, peerdn, certificate_verified set, for logging */
+ }
+
SSL_CTX_free(*ctxp);
SSL_free(*sslp);
*ctxp = NULL;