tidying

[exim.git] / src / src / tls-gnu.c

diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 9f166691a0221e56d4a497046effc87f2d472a63..22f7fe5489434b3980812e4fa363500a4d7179d5 100644 (file)
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -2,7 +2,7 @@
 *     Exim - an Internet mail transport agent    *
 *************************************************/
 
-/* Copyright (c) University of Cambridge 1995 - 2017 */
+/* Copyright (c) University of Cambridge 1995 - 2018 */
 /* See the file NOTICE for conditions of use and distribution. */
 
 /* Copyright (c) Phil Pennock 2012 */
@@ -39,6 +39,7 @@ require current GnuTLS, then we'll drop support for the ancient libraries).
 #include <gnutls/x509.h>
 /* man-page is incorrect, gnutls_rnd() is not in gnutls.h: */
 #include <gnutls/crypto.h>
+
 /* needed to disable PKCS11 autoload unless requested */
 #if GNUTLS_VERSION_NUMBER >= 0x020c00
 # include <gnutls/pkcs11.h>
@@ -60,14 +61,43 @@ require current GnuTLS, then we'll drop support for the ancient libraries).
 #if GNUTLS_VERSION_NUMBER >= 0x030014
 # define SUPPORT_SYSDEFAULT_CABUNDLE
 #endif
+#if GNUTLS_VERSION_NUMBER >= 0x030104
+# define GNUTLS_CERT_VFY_STATUS_PRINT
+#endif
 #if GNUTLS_VERSION_NUMBER >= 0x030109
 # define SUPPORT_CORK
 #endif
+#if GNUTLS_VERSION_NUMBER >= 0x03010a
+# define SUPPORT_GNUTLS_SESS_DESC
+#endif
+#if GNUTLS_VERSION_NUMBER >= 0x030500
+# define SUPPORT_GNUTLS_KEYLOG
+#endif
 #if GNUTLS_VERSION_NUMBER >= 0x030506 && !defined(DISABLE_OCSP)
 # define SUPPORT_SRV_OCSP_STACK
 #endif
-#if GNUTLS_VERSION_NUMBER >= 0x030000 && defined(EXPERIMENTAL_DANE)
-# define SUPPORT_DANE
+#if GNUTLS_VERSION_NUMBER >= 0x030603
+# define EXIM_HAVE_TLS1_3
+# define SUPPORT_GNUTLS_EXT_RAW_PARSE
+# define GNUTLS_OCSP_STATUS_REQUEST_GET2
+#endif
+
+#ifdef SUPPORT_DANE
+# if GNUTLS_VERSION_NUMBER >= 0x030000
+#  define DANESSL_USAGE_DANE_TA 2
+#  define DANESSL_USAGE_DANE_EE 3
+# else
+#  error GnuTLS version too early for DANE
+# endif
+# if GNUTLS_VERSION_NUMBER < 0x999999
+#  define GNUTLS_BROKEN_DANE_VALIDATION
+# endif
+#endif
+
+#ifdef EXPERIMENTAL_TLS_RESUME
+# if GNUTLS_VERSION_NUMBER < 0x030603
+#  error GNUTLS version too early for session-resumption
+# endif
 #endif
 
 #ifndef DISABLE_OCSP
@@ -77,6 +107,23 @@ require current GnuTLS, then we'll drop support for the ancient libraries).
 # include <gnutls/dane.h>
 #endif
 
+#include "tls-cipher-stdname.c"
+
+
+#ifdef MACRO_PREDEF
+void
+options_tls(void)
+{
+# ifdef EXPERIMENTAL_TLS_RESUME
+builtin_macro_create_var(US"_RESUME_DECODE", RESUME_DECODE_STRING );
+# endif
+# ifdef EXIM_HAVE_TLS1_3
+builtin_macro_create(US"_HAVE_TLS1_3");
+# endif
+}
+#else
+
+
 /* GnuTLS 2 vs 3
 
 GnuTLS 3 only:
@@ -115,8 +162,8 @@ typedef struct exim_gnutls_state {
   BOOL                 peer_dane_verified;
   BOOL                 trigger_sni_changes;
   BOOL                 have_set_peerdn;
-  const struct host_item *host;
-  gnutls_x509_crt_t    peercert;
+  const struct host_item *host;                /* NULL if server */
+  gnutls_x509_crt_t    peercert;
   uschar               *peerdn;
   uschar               *ciphersuite;
   uschar               *received_sni;
@@ -147,50 +194,14 @@ typedef struct exim_gnutls_state {
   uschar *xfer_buffer;
   int xfer_buffer_lwm;
   int xfer_buffer_hwm;
-  int xfer_eof;
-  int xfer_error;
+  BOOL xfer_eof;       /*XXX never gets set! */
+  BOOL xfer_error;
 } exim_gnutls_state_st;
 
 static const exim_gnutls_state_st exim_gnutls_state_init = {
-  .session =           NULL,
-  .x509_cred =         NULL,
-  .priority_cache =    NULL,
-  .verify_requirement =        VERIFY_NONE,
+  /* all elements not explicitly intialised here get 0/NULL/FALSE */
   .fd_in =             -1,
   .fd_out =            -1,
-  .peer_cert_verified =        FALSE,
-  .peer_dane_verified =        FALSE,
-  .trigger_sni_changes =FALSE,
-  .have_set_peerdn =   FALSE,
-  .host =              NULL,
-  .peercert =          NULL,
-  .peerdn =            NULL,
-  .ciphersuite =       NULL,
-  .received_sni =      NULL,
-
-  .tls_certificate =   NULL,
-  .tls_privatekey =    NULL,
-  .tls_sni =           NULL,
-  .tls_verify_certificates = NULL,
-  .tls_crl =           NULL,
-  .tls_require_ciphers =NULL,
-
-  .exp_tls_certificate = NULL,
-  .exp_tls_privatekey =        NULL,
-  .exp_tls_verify_certificates = NULL,
-  .exp_tls_crl =       NULL,
-  .exp_tls_require_ciphers = NULL,
-  .exp_tls_verify_cert_hostnames = NULL,
-#ifndef DISABLE_EVENT
-  .event_action =      NULL,
-#endif
-  .tlsp =              NULL,
-
-  .xfer_buffer =       NULL,
-  .xfer_buffer_lwm =   0,
-  .xfer_buffer_hwm =   0,
-  .xfer_eof =          0,
-  .xfer_error =                0,
 };
 
 /* Not only do we have our own APIs which don't pass around state, assuming
@@ -204,7 +215,7 @@ second connection.
 XXX But see gnutls_session_get_ptr()
 */
 
-static exim_gnutls_state_st state_server, state_client;
+static exim_gnutls_state_st state_server;
 
 /* dh_params are initialised once within the lifetime of a process using TLS;
 if we used TLS in a long-lived daemon, we'd have to reconsider this.  But we
@@ -212,11 +223,9 @@ don't want to repeat this. */
 
 static gnutls_dh_params_t dh_server_params = NULL;
 
-/* No idea how this value was chosen; preserving it.  Default is 3600. */
-
-static const int ssl_session_timeout = 200;
+static int ssl_session_timeout = 7200; /* Two hours */
 
-static const char * const exim_default_gnutls_priority = "NORMAL";
+static const uschar * const exim_default_gnutls_priority = US"NORMAL";
 
 /* Guard library core initialisation */
 
@@ -224,8 +233,12 @@ static BOOL exim_gnutls_base_init_done = FALSE;
 
 #ifndef DISABLE_OCSP
 static BOOL gnutls_buggy_ocsp = FALSE;
+static BOOL exim_testharness_disable_ocsp_validity_check = FALSE;
 #endif
 
+#ifdef EXPERIMENTAL_TLS_RESUME
+static gnutls_datum_t server_sessticket_key;
+#endif
 
 /* ------------------------------------------------------------------------ */
 /* macros */
@@ -234,8 +247,10 @@ static BOOL gnutls_buggy_ocsp = FALSE;
 
 /* Set this to control gnutls_global_set_log_level(); values 0 to 9 will setup
 the library logging; a value less than 0 disables the calls to set up logging
-callbacks.  Possibly GNuTLS also looks for an environment variable
-"GNUTLS_DEBUG_LEVEL". */
+callbacks.  GNuTLS also looks for an environment variable - except not for
+setuid binaries, making it useless - "GNUTLS_DEBUG_LEVEL".
+Allegedly the testscript line "GNUTLS_DEBUG_LEVEL=9 sudo exim ..." would work,
+but the env var must be added to /etc/sudoers too. */
 #ifndef EXIM_GNUTLS_LIBRARY_LOG_LEVEL
 # define EXIM_GNUTLS_LIBRARY_LOG_LEVEL -1
 #endif
@@ -251,11 +266,6 @@ before, for now. */
 # define EXIM_SERVER_DH_BITS_PRE2_12 1024
 #endif
 
-#define exim_gnutls_err_check(rc, Label) do { \
-  if ((rc) != GNUTLS_E_SUCCESS) \
-    return tls_error((Label), gnutls_strerror(rc), host, errstr); \
-  } while (0)
-
 #define expand_check_tlsvar(Varname, errstr) \
   expand_check(state->Varname, US #Varname, &state->exp_##Varname, errstr)
 
@@ -286,12 +296,30 @@ static void exim_gnutls_logger_cb(int level, const char *message);
 
 static int exim_sni_handling_cb(gnutls_session_t session);
 
-#ifndef DISABLE_OCSP
-static int server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
-  gnutls_datum_t * ocsp_response);
+#ifdef EXPERIMENTAL_TLS_RESUME
+static int
+tls_server_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
+  unsigned incoming, const gnutls_datum_t * msg);
 #endif
 
 
+/* Daemon one-time initialisation */
+void
+tls_daemon_init(void)
+{
+#ifdef EXPERIMENTAL_TLS_RESUME
+/* We are dependent on the GnuTLS implementation of the Session Ticket
+encryption; both the strength and the key rotation period.  We hope that
+the strength at least matches that of the ciphersuite (but GnuTLS does not
+document this). */
+
+static BOOL once = FALSE;
+if (once) return;
+once = TRUE;
+gnutls_session_ticket_key_generate(&server_sessticket_key);    /* >= 2.10.0 */
+if (f.running_in_test_harness) ssl_session_timeout = 6;
+#endif
+}
 
 /* ------------------------------------------------------------------------ */
 /* Static functions */
@@ -319,15 +347,28 @@ Returns:    OK/DEFER/FAIL
 */
 
 static int
-tls_error(const uschar *prefix, const char *msg, const host_item *host,
+tls_error(const uschar *prefix, const uschar *msg, const host_item *host,
   uschar ** errstr)
 {
 if (errstr)
-  *errstr = string_sprintf("(%s)%s%s", prefix, msg ? ": " : "", msg ? msg : "");
+  *errstr = string_sprintf("(%s)%s%s", prefix, msg ? ": " : "", msg ? msg : US"");
 return host ? FAIL : DEFER;
 }
 
 
+static int
+tls_error_gnu(const uschar *prefix, int err, const host_item *host,
+  uschar ** errstr)
+{
+return tls_error(prefix, US gnutls_strerror(err), host, errstr);
+}
+
+static int
+tls_error_sys(const uschar *prefix, int err, const host_item *host,
+  uschar ** errstr)
+{
+return tls_error(prefix, US strerror(err), host, errstr);
+}
 
 
 /*************************************************
@@ -340,7 +381,7 @@ Argument:
   state    the current GnuTLS exim state container
   rc       the GnuTLS error code, or 0 if it's a local error
   when     text identifying read or write
-  text     local error text when ec is 0
+  text     local error text when rc is 0
 
 Returns:   nothing
 */
@@ -348,14 +389,14 @@ Returns:   nothing
 static void
 record_io_error(exim_gnutls_state_st *state, int rc, uschar *when, uschar *text)
 {
-const char * msg;
+const uschar * msg;
 uschar * errstr;
 
 if (rc == GNUTLS_E_FATAL_ALERT_RECEIVED)
-  msg = CS string_sprintf("%s: %s", US gnutls_strerror(rc),
+  msg = string_sprintf("A TLS fatal alert has been received: %s",
     US gnutls_alert_get_name(gnutls_alert_get(state->session)));
 else
-  msg = gnutls_strerror(rc);
+  msg = US gnutls_strerror(rc);
 
 (void) tls_error(when, msg, state->host, &errstr);
 
@@ -431,7 +472,6 @@ Argument:
 static void
 extract_exim_vars_from_tls_state(exim_gnutls_state_st * state)
 {
-gnutls_cipher_algorithm_t cipher;
 #ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
 int old_pool;
 int rc;
@@ -439,13 +479,8 @@ gnutls_datum_t channel;
 #endif
 tls_support * tlsp = state->tlsp;
 
-tlsp->active = state->fd_out;
-
-cipher = gnutls_cipher_get(state->session);
-/* returns size in "bytes" */
-tlsp->bits = gnutls_cipher_get_key_size(cipher) * 8;
-
-tlsp->cipher = state->ciphersuite;
+tlsp->active.sock = state->fd_out;
+tlsp->active.tls_ctx = state;
 
 DEBUG(D_tls) debug_printf("cipher: %s\n", state->ciphersuite);
 
@@ -461,16 +496,16 @@ tls_channelbinding_b64 = NULL;
 #ifdef HAVE_GNUTLS_SESSION_CHANNEL_BINDING
 channel.data = NULL;
 channel.size = 0;
-rc = gnutls_session_channel_binding(state->session, GNUTLS_CB_TLS_UNIQUE, &channel);
-if (rc) {
-  DEBUG(D_tls) debug_printf("Channel binding error: %s\n", gnutls_strerror(rc));
-} else {
+if ((rc = gnutls_session_channel_binding(state->session, GNUTLS_CB_TLS_UNIQUE, &channel)))
+  { DEBUG(D_tls) debug_printf("Channel binding error: %s\n", gnutls_strerror(rc)); }
+else
+  {
   old_pool = store_pool;
   store_pool = POOL_PERM;
-  tls_channelbinding_b64 = b64encode(channel.data, (int)channel.size);
+  tls_channelbinding_b64 = b64encode(CUS channel.data, (int)channel.size);
   store_pool = old_pool;
   DEBUG(D_tls) debug_printf("Have channel bindings cached for possible auth usage.\n");
-}
+  }
 #endif
 
 /* peercert is set in peer_status() */
@@ -517,13 +552,12 @@ uschar *filename = NULL;
 size_t sz;
 uschar *exp_tls_dhparam;
 BOOL use_file_in_spool = FALSE;
-BOOL use_fixed_file = FALSE;
 host_item *host = NULL; /* dummy for macros */
 
 DEBUG(D_tls) debug_printf("Initialising GnuTLS server params.\n");
 
-rc = gnutls_dh_params_init(&dh_server_params);
-exim_gnutls_err_check(rc, US"gnutls_dh_params_init");
+if ((rc = gnutls_dh_params_init(&dh_server_params)))
+  return tls_error_gnu(US"gnutls_dh_params_init", rc, host, errstr);
 
 m.data = NULL;
 m.size = 0;
@@ -547,19 +581,16 @@ else if (Ustrcmp(exp_tls_dhparam, "none") == 0)
 else if (exp_tls_dhparam[0] != '/')
   {
   if (!(m.data = US std_dh_prime_named(exp_tls_dhparam)))
-    return tls_error(US"No standard prime named", CS exp_tls_dhparam, NULL, errstr);
+    return tls_error(US"No standard prime named", exp_tls_dhparam, NULL, errstr);
   m.size = Ustrlen(m.data);
   }
 else
-  {
-  use_fixed_file = TRUE;
   filename = exp_tls_dhparam;
-  }
 
 if (m.data)
   {
-  rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM);
-  exim_gnutls_err_check(rc, US"gnutls_dh_params_import_pkcs3");
+  if ((rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM)))
+    return tls_error_gnu(US"gnutls_dh_params_import_pkcs3", rc, host, errstr);
   DEBUG(D_tls) debug_printf("Loaded fixed standard D-H parameters\n");
   return OK;
   }
@@ -567,8 +598,8 @@ if (m.data)
 #ifdef HAVE_GNUTLS_SEC_PARAM_CONSTANTS
 /* If you change this constant, also change dh_param_fn_ext so that we can use a
 different filename and ensure we have sufficient bits. */
-dh_bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_NORMAL);
-if (!dh_bits)
+
+if (!(dh_bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_NORMAL)))
   return tls_error(US"gnutls_sec_param_to_pk_bits() failed", NULL, NULL, errstr);
 DEBUG(D_tls)
   debug_printf("GnuTLS tells us that for D-H PK, NORMAL is %d bits.\n",
@@ -610,7 +641,7 @@ if ((fd = Uopen(filename, O_RDONLY, 0)) >= 0)
     {
     saved_errno = errno;
     (void)close(fd);
-    return tls_error(US"TLS cache stat failed", strerror(saved_errno), NULL, errstr);
+    return tls_error_sys(US"TLS cache stat failed", saved_errno, NULL, errstr);
     }
   if (!S_ISREG(statbuf.st_mode))
     {
@@ -621,28 +652,29 @@ if ((fd = Uopen(filename, O_RDONLY, 0)) >= 0)
     {
     saved_errno = errno;
     (void)close(fd);
-    return tls_error(US"fdopen(TLS cache stat fd) failed",
-        strerror(saved_errno), NULL, errstr);
+    return tls_error_sys(US"fdopen(TLS cache stat fd) failed",
+        saved_errno, NULL, errstr);
     }
 
   m.size = statbuf.st_size;
-  if (!(m.data = malloc(m.size)))
+  if (!(m.data = store_malloc(m.size)))
     {
     fclose(fp);
-    return tls_error(US"malloc failed", strerror(errno), NULL, errstr);
+    return tls_error_sys(US"malloc failed", errno, NULL, errstr);
     }
   if (!(sz = fread(m.data, m.size, 1, fp)))
     {
     saved_errno = errno;
     fclose(fp);
-    free(m.data);
-    return tls_error(US"fread failed", strerror(saved_errno), NULL, errstr);
+    store_free(m.data);
+    return tls_error_sys(US"fread failed", saved_errno, NULL, errstr);
     }
   fclose(fp);
 
   rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM);
-  free(m.data);
-  exim_gnutls_err_check(rc, US"gnutls_dh_params_import_pkcs3");
+  store_free(m.data);
+  if (rc)
+    return tls_error_gnu(US"gnutls_dh_params_import_pkcs3", rc, host, errstr);
   DEBUG(D_tls) debug_printf("read D-H parameters from file \"%s\"\n", filename);
   }
 
@@ -672,12 +704,12 @@ if (rc < 0)
 
   if ((PATH_MAX - Ustrlen(filename)) < 10)
     return tls_error(US"Filename too long to generate replacement",
-        CS filename, NULL, errstr);
+        filename, NULL, errstr);
 
-  temp_fn = string_copy(US "%s.XXXXXXX");
+  temp_fn = string_copy(US"%s.XXXXXXX");
   if ((fd = mkstemp(CS temp_fn)) < 0)  /* modifies temp_fn */
-    return tls_error(US"Unable to open temp file", strerror(errno), NULL, errstr);
-  (void)fchown(fd, exim_uid, exim_gid);   /* Probably not necessary */
+    return tls_error_sys(US"Unable to open temp file", errno, NULL, errstr);
+  (void)exim_chown(temp_fn, exim_uid, exim_gid);   /* Probably not necessary */
 
   /* GnuTLS overshoots!
    * If we ask for 2236, we might get 2237 or more.
@@ -698,8 +730,8 @@ if (rc < 0)
   DEBUG(D_tls)
     debug_printf("requesting generation of %d bit Diffie-Hellman prime ...\n",
         dh_bits_gen);
-  rc = gnutls_dh_params_generate2(dh_server_params, dh_bits_gen);
-  exim_gnutls_err_check(rc, US"gnutls_dh_params_generate2");
+  if ((rc = gnutls_dh_params_generate2(dh_server_params, dh_bits_gen)))
+    return tls_error_gnu(US"gnutls_dh_params_generate2", rc, host, errstr);
 
   /* gnutls_dh_params_export_pkcs3() will tell us the exact size, every time,
   and I confirmed that a NULL call to get the size first is how the GnuTLS
@@ -707,41 +739,41 @@ if (rc < 0)
 
   sz = 0;
   m.data = NULL;
-  rc = gnutls_dh_params_export_pkcs3(dh_server_params, GNUTLS_X509_FMT_PEM,
-      m.data, &sz);
-  if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
-    exim_gnutls_err_check(rc, US"gnutls_dh_params_export_pkcs3(NULL) sizing");
+  if (  (rc = gnutls_dh_params_export_pkcs3(dh_server_params,
+               GNUTLS_X509_FMT_PEM, m.data, &sz))
+     && rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
+    return tls_error_gnu(US"gnutls_dh_params_export_pkcs3(NULL) sizing",
+             rc, host, errstr);
   m.size = sz;
-  if (!(m.data = malloc(m.size)))
-    return tls_error(US"memory allocation failed", strerror(errno), NULL, errstr);
+  if (!(m.data = store_malloc(m.size)))
+    return tls_error_sys(US"memory allocation failed", errno, NULL, errstr);
 
   /* this will return a size 1 less than the allocation size above */
-  rc = gnutls_dh_params_export_pkcs3(dh_server_params, GNUTLS_X509_FMT_PEM,
-      m.data, &sz);
-  if (rc != GNUTLS_E_SUCCESS)
+  if ((rc = gnutls_dh_params_export_pkcs3(dh_server_params, GNUTLS_X509_FMT_PEM,
+      m.data, &sz)))
     {
-    free(m.data);
-    exim_gnutls_err_check(rc, US"gnutls_dh_params_export_pkcs3() real");
+    store_free(m.data);
+    return tls_error_gnu(US"gnutls_dh_params_export_pkcs3() real", rc, host, errstr);
     }
   m.size = sz; /* shrink by 1, probably */
 
   if ((sz = write_to_fd_buf(fd, m.data, (size_t) m.size)) != m.size)
     {
-    free(m.data);
-    return tls_error(US"TLS cache write D-H params failed",
-        strerror(errno), NULL, errstr);
+    store_free(m.data);
+    return tls_error_sys(US"TLS cache write D-H params failed",
+        errno, NULL, errstr);
     }
-  free(m.data);
+  store_free(m.data);
   if ((sz = write_to_fd_buf(fd, US"\n", 1)) != 1)
-    return tls_error(US"TLS cache write D-H params final newline failed",
-        strerror(errno), NULL, errstr);
+    return tls_error_sys(US"TLS cache write D-H params final newline failed",
+        errno, NULL, errstr);
 
   if ((rc = close(fd)))
-    return tls_error(US"TLS cache write close() failed", strerror(errno), NULL, errstr);
+    return tls_error_sys(US"TLS cache write close() failed", errno, NULL, errstr);
 
   if (Urename(temp_fn, filename) < 0)
-    return tls_error(string_sprintf("failed to rename \"%s\" as \"%s\"",
-          temp_fn, filename), strerror(errno), NULL, errstr);
+    return tls_error_sys(string_sprintf("failed to rename \"%s\" as \"%s\"",
+          temp_fn, filename), errno, NULL, errstr);
 
   DEBUG(D_tls) debug_printf("wrote D-H parameters to file \"%s\"\n", filename);
   }
@@ -773,15 +805,18 @@ if ((rc = gnutls_x509_crt_init(&cert))) goto err;
 where = US"generating pkey";
 if ((rc = gnutls_x509_privkey_generate(pkey, GNUTLS_PK_RSA,
 #ifdef SUPPORT_PARAM_TO_PK_BITS
-           gnutls_sec_param_to_pk_bits(GNUTLS_PK_RSA, GNUTLS_SEC_PARAM_LOW),
+# ifndef GNUTLS_SEC_PARAM_MEDIUM
+#  define GNUTLS_SEC_PARAM_MEDIUM GNUTLS_SEC_PARAM_HIGH
+# endif
+           gnutls_sec_param_to_pk_bits(GNUTLS_PK_RSA, GNUTLS_SEC_PARAM_MEDIUM),
 #else
-           1024,
+           2048,
 #endif
            0)))
   goto err;
 
 where = US"configuring cert";
-now = 0;
+now = 1;
 if (  (rc = gnutls_x509_crt_set_version(cert, 3))
    || (rc = gnutls_x509_crt_set_serial(cert, &now, sizeof(now)))
    || (rc = gnutls_x509_crt_set_activation_time(cert, now = time(NULL)))
@@ -814,7 +849,7 @@ out:
   return rc;
 
 err:
-  rc = tls_error(where, gnutls_strerror(rc), NULL, errstr);
+  rc = tls_error_gnu(where, rc, NULL, errstr);
   goto out;
 }
 
@@ -835,13 +870,158 @@ tls_add_certfile(exim_gnutls_state_st * state, const host_item * host,
 int rc = gnutls_certificate_set_x509_key_file(state->x509_cred,
     CS certfile, CS keyfile, GNUTLS_X509_FMT_PEM);
 if (rc < 0)
-  return tls_error(
+  return tls_error_gnu(
     string_sprintf("cert/key setup: cert=%s key=%s", certfile, keyfile),
-    gnutls_strerror(rc), host, errstr);
+    rc, host, errstr);
 return -rc;
 }
 
 
+#if !defined(DISABLE_OCSP) && !defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
+/* Load an OCSP proof from file for sending by the server.  Called
+on getting a status-request handshake message, for earlier versions
+of GnuTLS. */
+
+static int
+server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
+  gnutls_datum_t * ocsp_response)
+{
+int ret;
+DEBUG(D_tls) debug_printf("OCSP stapling callback: %s\n", US ptr);
+
+if ((ret = gnutls_load_file(ptr, ocsp_response)) < 0)
+  {
+  DEBUG(D_tls) debug_printf("Failed to load ocsp stapling file %s\n",
+                             CS ptr);
+  tls_in.ocsp = OCSP_NOT_RESP;
+  return GNUTLS_E_NO_CERTIFICATE_STATUS;
+  }
+
+tls_in.ocsp = OCSP_VFY_NOT_TRIED;
+return 0;
+}
+#endif
+
+
+#ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
+/* Make a note that we saw a status-request */
+static int
+tls_server_clienthello_ext(void * ctx, unsigned tls_id,
+  const unsigned char *data, unsigned size)
+{
+/* https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml */
+if (tls_id == 5)       /* status_request */
+  {
+  DEBUG(D_tls) debug_printf("Seen status_request extension from client\n");
+  tls_in.ocsp = OCSP_NOT_RESP;
+  }
+return 0;
+}
+
+/* Callback for client-hello, on server, if we think we might serve stapled-OCSP */
+static int
+tls_server_clienthello_cb(gnutls_session_t session, unsigned int htype,
+  unsigned when, unsigned int incoming, const gnutls_datum_t * msg)
+{
+/* Call fn for each extension seen.  3.6.3 onwards */
+return gnutls_ext_raw_parse(NULL, tls_server_clienthello_ext, msg,
+                          GNUTLS_EXT_RAW_FLAG_TLS_CLIENT_HELLO);
+}
+
+
+/* Make a note that we saw a status-response */
+static int
+tls_server_servercerts_ext(void * ctx, unsigned tls_id,
+  const unsigned char *data, unsigned size)
+{
+/* debug_printf("%s %u\n", __FUNCTION__, tls_id); */
+/* https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml */
+if (FALSE && tls_id == 5)      /* status_request */
+  {
+  DEBUG(D_tls) debug_printf("Seen status_request extension\n");
+  tls_in.ocsp = exim_testharness_disable_ocsp_validity_check
+    ? OCSP_VFY_NOT_TRIED : OCSP_VFIED; /* We know that GnuTLS verifies responses */
+  }
+return 0;
+}
+
+/* Callback for certificates packet, on server, if we think we might serve stapled-OCSP */
+static int
+tls_server_servercerts_cb(gnutls_session_t session, unsigned int htype,
+  unsigned when, unsigned int incoming, const gnutls_datum_t * msg)
+{
+/* Call fn for each extension seen.  3.6.3 onwards */
+#ifdef notdef
+/*XXX crashes */
+return gnutls_ext_raw_parse(NULL, tls_server_servercerts_ext, msg, 0);
+#endif
+}
+#endif
+
+/*XXX in tls1.3 the cert-status travel as an extension next to the cert, in the
+ "Handshake Protocol: Certificate" record.
+So we need to spot the Certificate handshake message, parse it and spot any status_request extension(s)
+
+This is different to tls1.2 - where it is a separate record (wireshake term) / handshake message (gnutls term).
+*/
+
+#if defined(EXPERIMENTAL_TLS_RESUME) || defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
+/* Callback for certificate-status, on server. We sent stapled OCSP. */
+static int
+tls_server_certstatus_cb(gnutls_session_t session, unsigned int htype,
+  unsigned when, unsigned int incoming, const gnutls_datum_t * msg)
+{
+DEBUG(D_tls) debug_printf("Sending certificate-status\n");             /*XXX we get this for tls1.2 but not for 1.3 */
+#ifdef SUPPORT_SRV_OCSP_STACK
+tls_in.ocsp = exim_testharness_disable_ocsp_validity_check
+  ? OCSP_VFY_NOT_TRIED : OCSP_VFIED;   /* We know that GnuTLS verifies responses */
+#else
+tls_in.ocsp = OCSP_VFY_NOT_TRIED;
+#endif
+return 0;
+}
+
+/* Callback for handshake messages, on server */
+static int
+tls_server_hook_cb(gnutls_session_t sess, u_int htype, unsigned when,
+  unsigned incoming, const gnutls_datum_t * msg)
+{
+/* debug_printf("%s: htype %u\n", __FUNCTION__, htype); */
+switch (htype)
+  {
+# ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
+  case GNUTLS_HANDSHAKE_CLIENT_HELLO:
+    return tls_server_clienthello_cb(sess, htype, when, incoming, msg);
+  case GNUTLS_HANDSHAKE_CERTIFICATE_PKT:
+    return tls_server_servercerts_cb(sess, htype, when, incoming, msg);
+# endif
+  case GNUTLS_HANDSHAKE_CERTIFICATE_STATUS:
+    return tls_server_certstatus_cb(sess, htype, when, incoming, msg);
+# ifdef EXPERIMENTAL_TLS_RESUME
+  case GNUTLS_HANDSHAKE_NEW_SESSION_TICKET:
+    return tls_server_ticket_cb(sess, htype, when, incoming, msg);
+# endif
+  default:
+    return 0;
+  }
+}
+#endif
+
+
+#if !defined(DISABLE_OCSP) && defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
+static void
+tls_server_testharness_ocsp_fiddle(void)
+{
+extern char ** environ;
+if (environ) for (uschar ** p = USS environ; *p; p++)
+  if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
+    {
+    DEBUG(D_tls) debug_printf("Permitting known bad OCSP response\n");
+    exim_testharness_disable_ocsp_validity_check = TRUE;
+    }
+}
+#endif
+
 /*************************************************
 *       Variables re-expanded post-SNI           *
 *************************************************/
@@ -896,11 +1076,24 @@ if (!host)       /* server */
     saved_tls_crl = state->exp_tls_crl;
     }
 
-rc = gnutls_certificate_allocate_credentials(&state->x509_cred);
-exim_gnutls_err_check(rc, US"gnutls_certificate_allocate_credentials");
+if ((rc = gnutls_certificate_allocate_credentials(&state->x509_cred)))
+  return tls_error_gnu(US"gnutls_certificate_allocate_credentials",
+           rc, host, errstr);
 
 #ifdef SUPPORT_SRV_OCSP_STACK
 gnutls_certificate_set_flags(state->x509_cred, GNUTLS_CERTIFICATE_API_V2);
+
+# if !defined(DISABLE_OCSP) && defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
+if (!host && tls_ocsp_file)
+  {
+  if (f.running_in_test_harness)
+    tls_server_testharness_ocsp_fiddle();
+
+  if (exim_testharness_disable_ocsp_validity_check)
+    gnutls_certificate_set_flags(state->x509_cred,
+      GNUTLS_CERTIFICATE_API_V2 | GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK);
+  }
+# endif
 #endif
 
 /* remember: expand_check_tlsvar() is expand_check() but fiddling with
@@ -928,7 +1121,7 @@ if (state->tls_privatekey && !expand_check_tlsvar(tls_privatekey, errstr))
 
 /* tls_privatekey is optional, defaulting to same file as certificate */
 
-if (state->tls_privatekey == NULL || *state->tls_privatekey == '\0')
+if (!state->tls_privatekey || !*state->tls_privatekey)
   {
   state->tls_privatekey = state->tls_certificate;
   state->exp_tls_privatekey = state->exp_tls_certificate;
@@ -959,8 +1152,11 @@ if (state->exp_tls_certificate && *state->exp_tls_certificate)
     const uschar * olist;
     int csep = 0, ksep = 0, osep = 0, cnt = 0;
     uschar * cfile, * kfile, * ofile;
-
 #ifndef DISABLE_OCSP
+# ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
+    gnutls_x509_crt_fmt_t ocsp_fmt = GNUTLS_X509_FMT_DER;
+# endif
+
     if (!expand_check(tls_ocsp_file, US"tls_ocsp_file", &ofile, errstr))
       return DEFER;
     olist = ofile;
@@ -975,12 +1171,13 @@ if (state->exp_tls_certificate && *state->exp_tls_certificate)
       else
        {
        int gnutls_cert_index = -rc;
-       DEBUG(D_tls) debug_printf("TLS: cert/key %s registered\n", cfile);
-
-       /* Set the OCSP stapling server info */
+       DEBUG(D_tls) debug_printf("TLS: cert/key %d %s registered\n",
+                                 gnutls_cert_index, cfile);
 
 #ifndef DISABLE_OCSP
        if (tls_ocsp_file)
+         {
+         /* Set the OCSP stapling server info */
          if (gnutls_buggy_ocsp)
            {
            DEBUG(D_tls)
@@ -988,37 +1185,63 @@ if (state->exp_tls_certificate && *state->exp_tls_certificate)
            }
          else if ((ofile = string_nextinlist(&olist, &osep, NULL, 0)))
            {
-           /* Use the full callback method for stapling just to get
-           observability.  More efficient would be to read the file once only,
-           if it never changed (due to SNI). Would need restart on file update,
-           or watch datestamp.  */
-
-# ifdef SUPPORT_SRV_OCSP_STACK
-           rc = gnutls_certificate_set_ocsp_status_request_function2(
-             state->x509_cred, gnutls_cert_index,
-             server_ocsp_stapling_cb, ofile);
-
-           exim_gnutls_err_check(rc,
-             US"gnutls_certificate_set_ocsp_status_request_function2");
-# else
-           if (cnt++ > 0)
+           DEBUG(D_tls) debug_printf("OCSP response file %d  = %s\n",
+                                     gnutls_cert_index, ofile);
+# ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
+           if (Ustrncmp(ofile, US"PEM ", 4) == 0)
              {
-             DEBUG(D_tls)
-               debug_printf("oops; multiple OCSP files not supported\n");
-             break;
+             ocsp_fmt = GNUTLS_X509_FMT_PEM;
+             ofile += 4;
              }
+           else if (Ustrncmp(ofile, US"DER ", 4) == 0)
+             {
+             ocsp_fmt = GNUTLS_X509_FMT_DER;
+             ofile += 4;
+             }
+
+           if  ((rc = gnutls_certificate_set_ocsp_status_request_file2(
+                     state->x509_cred, CCS ofile, gnutls_cert_index,
+                     ocsp_fmt)) < 0)
+             return tls_error_gnu(
+                     US"gnutls_certificate_set_ocsp_status_request_file2",
+                     rc, host, errstr);
+           DEBUG(D_tls)
+             debug_printf(" %d response%s loaded\n", rc, rc>1 ? "s":"");
+
+           /* Arrange callbacks for OCSP request observability */
+
+           gnutls_handshake_set_hook_function(state->session,
+             GNUTLS_HANDSHAKE_ANY, GNUTLS_HOOK_POST, tls_server_hook_cb);
+
+# else
+#  if defined(SUPPORT_SRV_OCSP_STACK)
+           if ((rc = gnutls_certificate_set_ocsp_status_request_function2(
+                        state->x509_cred, gnutls_cert_index,
+                        server_ocsp_stapling_cb, ofile)))
+               return tls_error_gnu(
+                     US"gnutls_certificate_set_ocsp_status_request_function2",
+                     rc, host, errstr);
+           else
+#  endif
+             {
+             if (cnt++ > 0)
+               {
+               DEBUG(D_tls)
+                 debug_printf("oops; multiple OCSP files not supported\n");
+               break;
+               }
              gnutls_certificate_set_ocsp_status_request_function(
                state->x509_cred, server_ocsp_stapling_cb, ofile);
-# endif
-
-           DEBUG(D_tls) debug_printf("OCSP response file = %s\n", ofile);
+             }
+# endif        /* SUPPORT_GNUTLS_EXT_RAW_PARSE */
            }
          else
            DEBUG(D_tls) debug_printf("ran out of OCSP response files in list\n");
-#endif
+         }
+#endif /* DISABLE_OCSP */
        }
     }
-  else
+  else /* client */
     {
     if (0 < (rc = tls_add_certfile(state, host,
                state->exp_tls_certificate, state->exp_tls_privatekey, errstr)))
@@ -1071,7 +1294,7 @@ else
   {
   if (Ustat(state->exp_tls_verify_certificates, &statbuf) < 0)
     {
-    log_write(0, LOG_MAIN|LOG_PANIC, "could not stat %s "
+    log_write(0, LOG_MAIN|LOG_PANIC, "could not stat '%s' "
        "(tls_verify_certificates): %s", state->exp_tls_verify_certificates,
        strerror(errno));
     return DEFER;
@@ -1116,26 +1339,30 @@ else
 #endif
     gnutls_certificate_set_x509_trust_file(state->x509_cred,
       CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM);
+
+#ifdef SUPPORT_CA_DIR
+  /* Mimic the behaviour with OpenSSL of not advertising a usable-cert list
+  when using the directory-of-certs config model. */
+
+  if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
+    gnutls_certificate_send_x509_rdn_sequence(state->session, 1);
+#endif
   }
 
 if (cert_count < 0)
-  {
-  rc = cert_count;
-  exim_gnutls_err_check(rc, US"setting certificate trust");
-  }
-DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n", cert_count);
+  return tls_error_gnu(US"setting certificate trust", cert_count, host, errstr);
+DEBUG(D_tls)
+  debug_printf("Added %d certificate authorities.\n", cert_count);
 
 if (state->tls_crl && *state->tls_crl &&
     state->exp_tls_crl && *state->exp_tls_crl)
   {
   DEBUG(D_tls) debug_printf("loading CRL file = %s\n", state->exp_tls_crl);
-  cert_count = gnutls_certificate_set_x509_crl_file(state->x509_cred,
-      CS state->exp_tls_crl, GNUTLS_X509_FMT_PEM);
-  if (cert_count < 0)
-    {
-    rc = cert_count;
-    exim_gnutls_err_check(rc, US"gnutls_certificate_set_x509_crl_file");
-    }
+  if ((cert_count = gnutls_certificate_set_x509_crl_file(state->x509_cred,
+      CS state->exp_tls_crl, GNUTLS_X509_FMT_PEM)) < 0)
+    return tls_error_gnu(US"gnutls_certificate_set_x509_crl_file",
+             cert_count, host, errstr);
+
   DEBUG(D_tls) debug_printf("Processed %d CRLs.\n", cert_count);
   }
 
@@ -1175,17 +1402,15 @@ client-side params. */
 if (!state->host)
   {
   if (!dh_server_params)
-    {
-    rc = init_server_dh(errstr);
-    if (rc != OK) return rc;
-    }
+    if ((rc = init_server_dh(errstr)) != OK) return rc;
   gnutls_certificate_set_dh_params(state->x509_cred, dh_server_params);
   }
 
 /* Link the credentials to the session. */
 
-rc = gnutls_credentials_set(state->session, GNUTLS_CRD_CERTIFICATE, state->x509_cred);
-exim_gnutls_err_check(rc, US"gnutls_credentials_set");
+if ((rc = gnutls_credentials_set(state->session,
+           GNUTLS_CRD_CERTIFICATE, state->x509_cred)))
+  return tls_error_gnu(US"gnutls_credentials_set", rc, host, errstr);
 
 return OK;
 }
@@ -1253,14 +1478,14 @@ tls_init(
     const uschar *crl,
     const uschar *require_ciphers,
     exim_gnutls_state_st **caller_state,
+    tls_support * tlsp,
     uschar ** errstr)
 {
-exim_gnutls_state_st *state;
+exim_gnutls_state_st * state;
 int rc;
 size_t sz;
-const char *errpos;
-uschar *p;
-BOOL want_default_priorities;
+const char * errpos;
+const uschar * p;
 
 if (!exim_gnutls_base_init_done)
   {
@@ -1273,20 +1498,18 @@ if (!exim_gnutls_base_init_done)
   environment variables are used and so breaks for users calling mailq.
   To prevent this, we init PKCS11 first, which is the documented approach. */
   if (!gnutls_allow_auto_pkcs11)
-    {
-    rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
-    exim_gnutls_err_check(rc, US"gnutls_pkcs11_init");
-    }
+    if ((rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL)))
+      return tls_error_gnu(US"gnutls_pkcs11_init", rc, host, errstr);
 #endif
 
-  rc = gnutls_global_init();
-  exim_gnutls_err_check(rc, US"gnutls_global_init");
+  if ((rc = gnutls_global_init()))
+    return tls_error_gnu(US"gnutls_global_init", rc, host, errstr);
 
 #if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
   DEBUG(D_tls)
     {
     gnutls_global_set_log_function(exim_gnutls_logger_cb);
-    /* arbitrarily chosen level; bump upto 9 for more */
+    /* arbitrarily chosen level; bump up to 9 for more */
     gnutls_global_set_log_level(EXIM_GNUTLS_LIBRARY_LOG_LEVEL);
     }
 #endif
@@ -1301,9 +1524,15 @@ if (!exim_gnutls_base_init_done)
 
 if (host)
   {
-  state = &state_client;
+  /* For client-side sessions we allocate a context. This lets us run
+  several in parallel. */
+  int old_pool = store_pool;
+  store_pool = POOL_PERM;
+  state = store_get(sizeof(exim_gnutls_state_st), FALSE);
+  store_pool = old_pool;
+
   memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
-  state->tlsp = &tls_out;
+  state->tlsp = tlsp;
   DEBUG(D_tls) debug_printf("initialising GnuTLS client session\n");
   rc = gnutls_init(&state->session, GNUTLS_CLIENT);
   }
@@ -1311,11 +1540,12 @@ else
   {
   state = &state_server;
   memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
-  state->tlsp = &tls_in;
+  state->tlsp = tlsp;
   DEBUG(D_tls) debug_printf("initialising GnuTLS server session\n");
   rc = gnutls_init(&state->session, GNUTLS_SERVER);
   }
-exim_gnutls_err_check(rc, US"gnutls_init");
+if (rc)
+  return tls_error_gnu(US"gnutls_init", rc, host, errstr);
 
 state->host = host;
 
@@ -1348,9 +1578,9 @@ if (host)
     DEBUG(D_tls)
       debug_printf("Setting TLS client SNI to \"%s\"\n", state->tlsp->sni);
     sz = Ustrlen(state->tlsp->sni);
-    rc = gnutls_server_name_set(state->session,
-        GNUTLS_NAME_DNS, state->tlsp->sni, sz);
-    exim_gnutls_err_check(rc, US"gnutls_server_name_set");
+    if ((rc = gnutls_server_name_set(state->session,
+         GNUTLS_NAME_DNS, state->tlsp->sni, sz)))
+      return tls_error_gnu(US"gnutls_server_name_set", rc, host, errstr);
     }
   }
 else if (state->tls_sni)
@@ -1363,39 +1593,35 @@ and replaces gnutls_require_kx, gnutls_require_mac & gnutls_require_protocols.
 This was backwards incompatible, but means Exim no longer needs to track
 all algorithms and provide string forms for them. */
 
-want_default_priorities = TRUE;
-
+p = NULL;
 if (state->tls_require_ciphers && *state->tls_require_ciphers)
   {
   if (!expand_check_tlsvar(tls_require_ciphers, errstr))
     return DEFER;
   if (state->exp_tls_require_ciphers && *state->exp_tls_require_ciphers)
     {
-    DEBUG(D_tls) debug_printf("GnuTLS session cipher/priority \"%s\"\n",
-        state->exp_tls_require_ciphers);
-
-    rc = gnutls_priority_init(&state->priority_cache,
-        CS state->exp_tls_require_ciphers, &errpos);
-    want_default_priorities = FALSE;
     p = state->exp_tls_require_ciphers;
+    DEBUG(D_tls) debug_printf("GnuTLS session cipher/priority \"%s\"\n", p);
     }
   }
-if (want_default_priorities)
+if (!p)
   {
+  p = exim_default_gnutls_priority;
   DEBUG(D_tls)
-    debug_printf("GnuTLS using default session cipher/priority \"%s\"\n",
-        exim_default_gnutls_priority);
-  rc = gnutls_priority_init(&state->priority_cache,
-      exim_default_gnutls_priority, &errpos);
-  p = US exim_default_gnutls_priority;
+    debug_printf("GnuTLS using default session cipher/priority \"%s\"\n", p);
   }
 
-exim_gnutls_err_check(rc, string_sprintf(
-      "gnutls_priority_init(%s) failed at offset %ld, \"%.6s..\"",
-      p, errpos - CS p, errpos));
+if ((rc = gnutls_priority_init(&state->priority_cache, CCS p, &errpos)))
+  return tls_error_gnu(string_sprintf(
+                     "gnutls_priority_init(%s) failed at offset %ld, \"%.6s..\"",
+                     p, errpos - CS p, errpos),
+                 rc, host, errstr);
+
+if ((rc = gnutls_priority_set(state->session, state->priority_cache)))
+  return tls_error_gnu(US"gnutls_priority_set", rc, host, errstr);
 
-rc = gnutls_priority_set(state->session, state->priority_cache);
-exim_gnutls_err_check(rc, US"gnutls_priority_set");
+/* This also sets the server ticket expiration time to the same, and
+the STEK rotation time to 3x. */
 
 gnutls_db_set_cache_expiration(state->session, ssl_session_timeout);
 
@@ -1421,6 +1647,25 @@ return OK;
 *            Extract peer information            *
 *************************************************/
 
+static const uschar *
+cipher_stdname_kcm(gnutls_kx_algorithm_t kx, gnutls_cipher_algorithm_t cipher,
+  gnutls_mac_algorithm_t mac)
+{
+uschar cs_id[2];
+gnutls_kx_algorithm_t kx_i;
+gnutls_cipher_algorithm_t cipher_i;
+gnutls_mac_algorithm_t mac_i;
+
+for (size_t i = 0;
+     gnutls_cipher_suite_info(i, cs_id, &kx_i, &cipher_i, &mac_i, NULL);
+     i++)
+  if (kx_i == kx && cipher_i == cipher && mac_i == mac)
+    return cipher_stdname(cs_id[0], cs_id[1]);
+return NULL;
+}
+
+
+
 /* Called from both server and client code.
 Only this is allowed to set state->peerdn and state->have_set_peerdn
 and we use that to detect double-calls.
@@ -1447,10 +1692,10 @@ Returns:          OK/DEFER/FAIL
 */
 
 static int
-peer_status(exim_gnutls_state_st *state, uschar ** errstr)
+peer_status(exim_gnutls_state_st * state, uschar ** errstr)
 {
-uschar cipherbuf[256];
-const gnutls_datum_t *cert_list;
+gnutls_session_t session = state->session;
+const gnutls_datum_t * cert_list;
 int old_pool, rc;
 unsigned int cert_list_size = 0;
 gnutls_protocol_t protocol;
@@ -1459,7 +1704,7 @@ gnutls_kx_algorithm_t kx;
 gnutls_mac_algorithm_t mac;
 gnutls_certificate_type_t ct;
 gnutls_x509_crt_t crt;
-uschar *p, *dn_buf;
+uschar * dn_buf;
 size_t sz;
 
 if (state->have_set_peerdn)
@@ -1469,46 +1714,85 @@ state->have_set_peerdn = TRUE;
 state->peerdn = NULL;
 
 /* tls_cipher */
-cipher = gnutls_cipher_get(state->session);
-protocol = gnutls_protocol_get_version(state->session);
-mac = gnutls_mac_get(state->session);
-kx = gnutls_kx_get(state->session);
-
-string_format(cipherbuf, sizeof(cipherbuf),
-    "%s:%s:%d",
-    gnutls_protocol_get_name(protocol),
-    gnutls_cipher_suite_get_name(kx, cipher, mac),
-    (int) gnutls_cipher_get_key_size(cipher) * 8);
-
-/* I don't see a way that spaces could occur, in the current GnuTLS
-code base, but it was a concern in the old code and perhaps older GnuTLS
-releases did return "TLS 1.0"; play it safe, just in case. */
-for (p = cipherbuf; *p != '\0'; ++p)
-  if (isspace(*p))
-    *p = '-';
+cipher = gnutls_cipher_get(session);
+protocol = gnutls_protocol_get_version(session);
+mac = gnutls_mac_get(session);
+kx =
+#ifdef GNUTLS_TLS1_3
+    protocol >= GNUTLS_TLS1_3 ? 0 :
+#endif
+  gnutls_kx_get(session);
+
 old_pool = store_pool;
-store_pool = POOL_PERM;
-state->ciphersuite = string_copy(cipherbuf);
+  {
+  tls_support * tlsp = state->tlsp;
+  store_pool = POOL_PERM;
+
+#ifdef SUPPORT_GNUTLS_SESS_DESC
+    {
+    gstring * g = NULL;
+    uschar * s = US gnutls_session_get_desc(session), c;
+
+    /* Nikos M suggests we use this by preference.  It returns like:
+    (TLS1.3)-(ECDHE-SECP256R1)-(RSA-PSS-RSAE-SHA256)-(AES-256-GCM)
+
+    For partial back-compat, put a colon after the TLS version, replace the
+    )-( grouping with __, replace in-group - with _ and append the :keysize. */
+
+    /* debug_printf("peer_status: gnutls_session_get_desc %s\n", s); */
+
+    for (s++; (c = *s) && c != ')'; s++) g = string_catn(g, s, 1);
+    g = string_catn(g, US":", 1);
+    if (*s) s++;               /* now on _ between groups */
+    while ((c = *s))
+      {
+      for (*++s && ++s; (c = *s) && c != ')'; s++) g = string_catn(g, c == '-' ? US"_" : s, 1);
+      /* now on ) closing group */
+      if ((c = *s) && *++s == '-') g = string_catn(g, US"__", 2);
+      /* now on _ between groups */
+      }
+    g = string_catn(g, US":", 1);
+    g = string_cat(g, string_sprintf("%d", (int) gnutls_cipher_get_key_size(cipher) * 8));
+    state->ciphersuite = string_from_gstring(g);
+    }
+#else
+  state->ciphersuite = string_sprintf("%s:%s:%d",
+      gnutls_protocol_get_name(protocol),
+      gnutls_cipher_suite_get_name(kx, cipher, mac),
+      (int) gnutls_cipher_get_key_size(cipher) * 8);
+
+  /* I don't see a way that spaces could occur, in the current GnuTLS
+  code base, but it was a concern in the old code and perhaps older GnuTLS
+  releases did return "TLS 1.0"; play it safe, just in case. */
+
+  for (uschar * p = state->ciphersuite; *p; p++) if (isspace(*p)) *p = '-';
+#endif
+
+/* debug_printf("peer_status: ciphersuite %s\n", state->ciphersuite); */
+
+  tlsp->cipher = state->ciphersuite;
+  tlsp->bits = gnutls_cipher_get_key_size(cipher) * 8;
+
+  tlsp->cipher_stdname = cipher_stdname_kcm(kx, cipher, mac);
+  }
 store_pool = old_pool;
-state->tlsp->cipher = state->ciphersuite;
 
 /* tls_peerdn */
-cert_list = gnutls_certificate_get_peers(state->session, &cert_list_size);
+cert_list = gnutls_certificate_get_peers(session, &cert_list_size);
 
-if (cert_list == NULL || cert_list_size == 0)
+if (!cert_list || cert_list_size == 0)
   {
   DEBUG(D_tls) debug_printf("TLS: no certificate from peer (%p & %d)\n",
       cert_list, cert_list_size);
   if (state->verify_requirement >= VERIFY_REQUIRED)
     return tls_error(US"certificate verification failed",
-        "no certificate received from peer", state->host, errstr);
+        US"no certificate received from peer", state->host, errstr);
   return OK;
   }
 
-ct = gnutls_certificate_type_get(state->session);
-if (ct != GNUTLS_CRT_X509)
+if ((ct = gnutls_certificate_type_get(session)) != GNUTLS_CRT_X509)
   {
-  const char *ctn = gnutls_certificate_type_get_name(ct);
+  const uschar * ctn = US gnutls_certificate_type_get_name(ct);
   DEBUG(D_tls)
     debug_printf("TLS: peer cert not X.509 but instead \"%s\"\n", ctn);
   if (state->verify_requirement >= VERIFY_REQUIRED)
@@ -1524,7 +1808,7 @@ if (ct != GNUTLS_CRT_X509)
       DEBUG(D_tls) debug_printf("TLS: peer cert problem: %s: %s\n", \
        (Label), gnutls_strerror(rc)); \
       if (state->verify_requirement >= VERIFY_REQUIRED) \
-       return tls_error((Label), gnutls_strerror(rc), state->host, errstr); \
+       return tls_error_gnu((Label), rc, state->host, errstr); \
       return OK; \
       } \
     } while (0)
@@ -1541,7 +1825,7 @@ if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
   exim_gnutls_peer_err(US"getting size for cert DN failed");
   return FAIL; /* should not happen */
   }
-dn_buf = store_get_perm(sz);
+dn_buf = store_get_perm(sz, TRUE);     /* tainted */
 rc = gnutls_x509_crt_get_dn(crt, CS dn_buf, &sz);
 exim_gnutls_peer_err(US"failed to extract certificate DN [gnutls_x509_crt_get_dn(cert 0)]");
 
@@ -1573,17 +1857,19 @@ Returns:
 */
 
 static BOOL
-verify_certificate(exim_gnutls_state_st *state, uschar ** errstr)
+verify_certificate(exim_gnutls_state_st * state, uschar ** errstr)
 {
 int rc;
 uint verify;
 
+DEBUG(D_tls) debug_printf("TLS: checking peer certificate\n");
+*errstr = NULL;
+rc = peer_status(state, errstr);
+
 if (state->verify_requirement == VERIFY_NONE)
   return TRUE;
 
-*errstr = NULL;
-
-if ((rc = peer_status(state, errstr)) != OK)
+if (rc != OK || !state->peerdn)
   {
   verify = GNUTLS_CERT_INVALID;
   *errstr = US"certificate not supplied";
@@ -1600,47 +1886,149 @@ else
 
     dane_state_t s;
     dane_query_t r;
-    const gnutls_datum_t * certlist;
     uint lsize;
+    const gnutls_datum_t * certlist =
+      gnutls_certificate_get_peers(state->session, &lsize);
+    int usage = tls_out.tlsa_usage;
+
+# ifdef GNUTLS_BROKEN_DANE_VALIDATION
+    /* Split the TLSA records into two sets, TA and EE selectors.  Run the
+    dane-verification separately so that we know which selector verified;
+    then we know whether to do name-verification (needed for TA but not EE). */
+
+    if (usage == ((1<<DANESSL_USAGE_DANE_TA) | (1<<DANESSL_USAGE_DANE_EE)))
+      {                                                /* a mixed-usage bundle */
+      int i, j, nrec;
+      const char ** dd;
+      int * ddl;
+
+      for(nrec = 0; state->dane_data_len[nrec]; ) nrec++;
+      nrec++;
+
+      dd = store_get(nrec * sizeof(uschar *), FALSE);
+      ddl = store_get(nrec * sizeof(int), FALSE);
+      nrec--;
+
+      if ((rc = dane_state_init(&s, 0)))
+       goto tlsa_prob;
+
+      for (usage = DANESSL_USAGE_DANE_EE;
+          usage >= DANESSL_USAGE_DANE_TA; usage--)
+       {                               /* take records with this usage */
+       for (j = i = 0; i < nrec; i++)
+         if (state->dane_data[i][0] == usage)
+           {
+           dd[j] = state->dane_data[i];
+           ddl[j++] = state->dane_data_len[i];
+           }
+       if (j)
+         {
+         dd[j] = NULL;
+         ddl[j] = 0;
+
+         if ((rc = dane_raw_tlsa(s, &r, (char * const *)dd, ddl, 1, 0)))
+           goto tlsa_prob;
+
+         if ((rc = dane_verify_crt_raw(s, certlist, lsize,
+                           gnutls_certificate_type_get(state->session),
+                           r, 0,
+                           usage == DANESSL_USAGE_DANE_EE
+                           ? DANE_VFLAG_ONLY_CHECK_EE_USAGE : 0,
+                           &verify)))
+           {
+           DEBUG(D_tls)
+             debug_printf("TLSA record problem: %s\n", dane_strerror(rc));
+           }
+         else if (verify == 0) /* verification passed */
+           {
+           usage = 1 << usage;
+           break;
+           }
+         }
+       }
 
-    certlist = gnutls_certificate_get_peers(state->session, &lsize);
-
-    if (  (rc = dane_state_init(&s, 0))
-       || (rc = dane_raw_tlsa(s, &r, state->dane_data, state->dane_data_len,
-                             1, 0))
-       || (rc = dane_verify_crt_raw(s, certlist, lsize,
-                             gnutls_certificate_type_get(state->session),
-                             r, 0, 0, &verify))
-       )
-
+       if (rc) goto tlsa_prob;
+      }
+    else
+# endif
       {
-      *errstr = string_sprintf("TLSA record problem: %s", dane_strerror(rc));
-      goto badcert;
+      if (  (rc = dane_state_init(&s, 0))
+        || (rc = dane_raw_tlsa(s, &r, state->dane_data, state->dane_data_len,
+                       1, 0))
+        || (rc = dane_verify_crt_raw(s, certlist, lsize,
+                       gnutls_certificate_type_get(state->session),
+                       r, 0,
+# ifdef GNUTLS_BROKEN_DANE_VALIDATION
+                       usage == (1 << DANESSL_USAGE_DANE_EE)
+                       ? DANE_VFLAG_ONLY_CHECK_EE_USAGE : 0,
+# else
+                       0,
+# endif
+                       &verify))
+        )
+       goto tlsa_prob;
       }
-    if (verify != 0)
+
+    if (verify != 0)           /* verification failed */
       {
       gnutls_datum_t str;
       (void) dane_verification_status_print(verify, &str, 0);
       *errstr = US str.data;   /* don't bother to free */
       goto badcert;
       }
-    state->peer_dane_verified = TRUE;
+
+# ifdef GNUTLS_BROKEN_DANE_VALIDATION
+    /* If a TA-mode TLSA record was used for verification we must additionally
+    verify the cert name (but not the CA chain).  For EE-mode, skip it. */
+
+    if (usage & (1 << DANESSL_USAGE_DANE_EE))
+# endif
+      {
+      state->peer_dane_verified = state->peer_cert_verified = TRUE;
+      goto goodcert;
+      }
+# ifdef GNUTLS_BROKEN_DANE_VALIDATION
+    /* Assume that the name on the A-record is the one that should be matching
+    the cert.  An alternate view is that the domain part of the email address
+    is also permissible. */
+
+    if (gnutls_x509_crt_check_hostname(state->tlsp->peercert,
+         CS state->host->name))
+      {
+      state->peer_dane_verified = state->peer_cert_verified = TRUE;
+      goto goodcert;
+      }
+# endif
     }
-#endif
+#endif /*SUPPORT_DANE*/
 
   rc = gnutls_certificate_verify_peers2(state->session, &verify);
   }
 
 /* Handle the result of verification. INVALID is set if any others are. */
 
-if (rc < 0 ||
-    verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED)
-   )
+if (rc < 0 || verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED))
   {
   state->peer_cert_verified = FALSE;
   if (!*errstr)
+    {
+#ifdef GNUTLS_CERT_VFY_STATUS_PRINT
+    DEBUG(D_tls)
+      {
+      gnutls_datum_t txt;
+
+      if (gnutls_certificate_verification_status_print(verify,
+           gnutls_certificate_type_get(state->session), &txt, 0)
+         == GNUTLS_E_SUCCESS)
+       {
+       debug_printf("%s\n", txt.data);
+       gnutls_free(txt.data);
+       }
+      }
+#endif
     *errstr = verify & GNUTLS_CERT_REVOKED
       ? US"certificate revoked" : US"certificate invalid";
+    }
 
   DEBUG(D_tls)
     debug_printf("TLS certificate verification failed (%s): peerdn=\"%s\"\n",
@@ -1654,30 +2042,37 @@ if (rc < 0 ||
 
 else
   {
-  if (state->exp_tls_verify_cert_hostnames)
+  /* Client side, check the server's certificate name versus the name on the
+  A-record for the connection we made.  What to do for server side - what name
+  to use for client?  We document that there is no such checking for server
+  side. */
+
+  if (  state->exp_tls_verify_cert_hostnames
+     && !gnutls_x509_crt_check_hostname(state->tlsp->peercert,
+               CS state->exp_tls_verify_cert_hostnames)
+     )
     {
-    int sep = 0;
-    const uschar * list = state->exp_tls_verify_cert_hostnames;
-    uschar * name;
-    while ((name = string_nextinlist(&list, &sep, NULL, 0)))
-      if (gnutls_x509_crt_check_hostname(state->tlsp->peercert, CS name))
-       break;
-    if (!name)
-      {
-      DEBUG(D_tls)
-       debug_printf("TLS certificate verification failed: cert name mismatch\n");
-      if (state->verify_requirement >= VERIFY_REQUIRED)
-       goto badcert;
-      return TRUE;
-      }
+    DEBUG(D_tls)
+      debug_printf("TLS certificate verification failed: cert name mismatch\n");
+    if (state->verify_requirement >= VERIFY_REQUIRED)
+      goto badcert;
+    return TRUE;
     }
+
   state->peer_cert_verified = TRUE;
   DEBUG(D_tls) debug_printf("TLS certificate verified: peerdn=\"%s\"\n",
       state->peerdn ? state->peerdn : US"<unset>");
   }
 
-state->tlsp->peerdn = state->peerdn;
-return TRUE;
+goodcert:
+  state->tlsp->peerdn = state->peerdn;
+  return TRUE;
+
+#ifdef SUPPORT_DANE
+tlsa_prob:
+  *errstr = string_sprintf("TLSA record problem: %s",
+    rc == DANE_E_REQUESTED_DATA_NOT_AVAILABLE ? "none usable" : dane_strerror(rc));
+#endif
 
 badcert:
   gnutls_alert_send(state->session, GNUTLS_AL_FATAL, GNUTLS_A_BAD_CERTIFICATE);
@@ -1739,13 +2134,12 @@ uschar * dummy_errstr;
 rc = gnutls_server_name_get(session, sni_name, &data_len, &sni_type, 0);
 if (rc != GNUTLS_E_SUCCESS)
   {
-  DEBUG(D_tls) {
+  DEBUG(D_tls)
     if (rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
       debug_printf("TLS: no SNI presented in handshake.\n");
     else
       debug_printf("TLS failure: gnutls_server_name_get(): %s [%d]\n",
         gnutls_strerror(rc), rc);
-    }
   return 0;
   }
 
@@ -1758,7 +2152,7 @@ if (sni_type != GNUTLS_NAME_DNS)
 /* We now have a UTF-8 string in sni_name */
 old_pool = store_pool;
 store_pool = POOL_PERM;
-state->received_sni = string_copyn(US sni_name, data_len);
+state->received_sni = string_copy_taint(US sni_name, TRUE);
 store_pool = old_pool;
 
 /* We set this one now so that variable expansions below will work */
@@ -1785,30 +2179,6 @@ return 0;
 
 
 
-#ifndef DISABLE_OCSP
-
-static int
-server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
-  gnutls_datum_t * ocsp_response)
-{
-int ret;
-DEBUG(D_tls) debug_printf("OCSP stapling callback: %s\n", US ptr);
-
-if ((ret = gnutls_load_file(ptr, ocsp_response)) < 0)
-  {
-  DEBUG(D_tls) debug_printf("Failed to load ocsp stapling file %s\n",
-                             CS ptr);
-  tls_in.ocsp = OCSP_NOT_RESP;
-  return GNUTLS_E_NO_CERTIFICATE_STATUS;
-  }
-
-tls_in.ocsp = OCSP_VFY_NOT_TRIED;
-return 0;
-}
-
-#endif
-
-
 #ifndef DISABLE_EVENT
 /*
 We use this callback to get observability and detail-level control
@@ -1829,12 +2199,10 @@ int rc;
 uschar * yield;
 exim_gnutls_state_st * state = gnutls_session_get_ptr(session);
 
-cert_list = gnutls_certificate_get_peers(session, &cert_list_size);
-if (cert_list)
+if ((cert_list = gnutls_certificate_get_peers(session, &cert_list_size)))
   while (cert_list_size--)
   {
-  rc = import_cert(&cert_list[cert_list_size], &crt);
-  if (rc != GNUTLS_E_SUCCESS)
+  if ((rc = import_cert(&cert_list[cert_list_size], &crt)) != GNUTLS_E_SUCCESS)
     {
     DEBUG(D_tls) debug_printf("TLS: peer cert problem: depth %d: %s\n",
       cert_list_size, gnutls_strerror(rc));
@@ -1859,7 +2227,109 @@ return 0;
 #endif
 
 
+static gstring *
+ddump(gnutls_datum_t * d)
+{
+gstring * g = string_get((d->size+1) * 2);
+uschar * s = d->data;
+for (unsigned i = d->size; i > 0; i--, s++)
+  {
+  g = string_catn(g, US "0123456789abcdef" + (*s >> 4), 1);
+  g = string_catn(g, US "0123456789abcdef" + (*s & 0xf), 1);
+  }
+return g;
+}
+
+static void
+post_handshake_debug(exim_gnutls_state_st * state)
+{
+#ifdef SUPPORT_GNUTLS_SESS_DESC
+debug_printf("%s\n", gnutls_session_get_desc(state->session));
+#endif
+#ifdef SUPPORT_GNUTLS_KEYLOG
+
+# ifdef EXIM_HAVE_TLS1_3
+if (gnutls_protocol_get_version(state->session) < GNUTLS_TLS1_3)
+#else
+if (TRUE)
+#endif
+  {
+  gnutls_datum_t c, s;
+  gstring * gc, * gs;
+  /* we only want the client random and the master secret */
+  gnutls_session_get_random(state->session, &c, &s);
+  gnutls_session_get_master_secret(state->session, &s);
+  gc = ddump(&c);
+  gs = ddump(&s);
+  debug_printf("CLIENT_RANDOM %.*s %.*s\n", (int)gc->ptr, gc->s, (int)gs->ptr, gs->s);
+  }
+else
+  debug_printf("To get keying info for TLS1.3 is hard:\n"
+    " set environment variable SSLKEYLOGFILE to a filename writable by uid exim\n"
+    " add SSLKEYLOGFILE to keep_environment in the exim config\n"
+    " run exim as root\n"
+    " if using sudo, add SSLKEYLOGFILE to env_keep in /etc/sudoers\n"
+    " (works for TLS1.2 also, and saves cut-paste into file)\n");
+#endif
+}
+
+
+#ifdef EXPERIMENTAL_TLS_RESUME
+static int
+tls_server_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
+  unsigned incoming, const gnutls_datum_t * msg)
+{
+DEBUG(D_tls) debug_printf("newticket cb\n");
+tls_in.resumption |= RESUME_CLIENT_REQUESTED;
+return 0;
+}
+
+static void
+tls_server_resume_prehandshake(exim_gnutls_state_st * state)
+{
+/* Should the server offer session resumption? */
+tls_in.resumption = RESUME_SUPPORTED;
+if (verify_check_host(&tls_resumption_hosts) == OK)
+  {
+  int rc;
+  /* GnuTLS appears to not do ticket overlap, but does emit a fresh ticket when
+  an offered resumption is unacceptable.  We lose one resumption per ticket
+  lifetime, and sessions cannot be indefinitely re-used.  There seems to be no
+  way (3.6.7) of changing the default number of 2 TLS1.3 tickets issued, but at
+  least they go out in a single packet. */
+
+  if (!(rc = gnutls_session_ticket_enable_server(state->session,
+             &server_sessticket_key)))
+    tls_in.resumption |= RESUME_SERVER_TICKET;
+  else
+    DEBUG(D_tls)
+      debug_printf("enabling session tickets: %s\n", US gnutls_strerror(rc));
+
+  /* Try to tell if we see a ticket request */
+  gnutls_handshake_set_hook_function(state->session,
+    GNUTLS_HANDSHAKE_ANY, GNUTLS_HOOK_POST, tls_server_hook_cb);
+  }
+}
+
+static void
+tls_server_resume_posthandshake(exim_gnutls_state_st * state)
+{
+if (gnutls_session_resumption_requested(state->session))
+  {
+  /* This tells us the client sent a full ticket.  We use a
+  callback on session-ticket request, elsewhere, to tell
+  if a client asked for a ticket. */
 
+  tls_in.resumption |= RESUME_CLIENT_SUGGESTED;
+  DEBUG(D_tls) debug_printf("client requested resumption\n");
+  }
+if (gnutls_session_is_resumed(state->session))
+  {
+  tls_in.resumption |= RESUME_USED;
+  DEBUG(D_tls) debug_printf("Session resumed\n");
+  }
+}
+#endif
 /* ------------------------------------------------------------------------ */
 /* Exported functions */
 
@@ -1891,9 +2361,9 @@ int rc;
 exim_gnutls_state_st * state = NULL;
 
 /* Check for previous activation */
-if (tls_in.active >= 0)
+if (tls_in.active.sock >= 0)
   {
-  tls_error(US"STARTTLS received after TLS started", "", NULL, errstr);
+  tls_error(US"STARTTLS received after TLS started", US "", NULL, errstr);
   smtp_printf("554 Already in TLS\r\n", FALSE);
   return FAIL;
   }
@@ -1905,7 +2375,11 @@ DEBUG(D_tls) debug_printf("initialising GnuTLS as a server\n");
 
 if ((rc = tls_init(NULL, tls_certificate, tls_privatekey,
     NULL, tls_verify_certificates, tls_crl,
-    require_ciphers, &state, errstr)) != OK) return rc;
+    require_ciphers, &state, &tls_in, errstr)) != OK) return rc;
+
+#ifdef EXPERIMENTAL_TLS_RESUME
+tls_server_resume_prehandshake(state);
+#endif
 
 /* If this is a host for which certificate verification is mandatory or
 optional, set up appropriately. */
@@ -1960,7 +2434,10 @@ if (!state->tlsp->on_connect)
   }
 
 /* Now negotiate the TLS session. We put our own timer on it, since it seems
-that the GnuTLS library doesn't. */
+that the GnuTLS library doesn't.
+From 3.1.0 there is gnutls_handshake_set_timeout() - but it requires you
+to set (and clear down afterwards) up a pull-timeout callback function that does
+a select, so we're no better off unless avoiding signals becomes an issue. */
 
 gnutls_transport_set_ptr2(state->session,
     (gnutls_transport_ptr_t)(long) fileno(smtp_in),
@@ -1969,11 +2446,11 @@ state->fd_in = fileno(smtp_in);
 state->fd_out = fileno(smtp_out);
 
 sigalrm_seen = FALSE;
-if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
+if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
 do
   rc = gnutls_handshake(state->session);
 while (rc == GNUTLS_E_AGAIN ||  rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen);
-alarm(0);
+ALARM_CLR(0);
 
 if (rc != GNUTLS_E_SUCCESS)
   {
@@ -1983,18 +2460,18 @@ if (rc != GNUTLS_E_SUCCESS)
 
   if (sigalrm_seen)
     {
-    tls_error(US"gnutls_handshake", "timed out", NULL, errstr);
+    tls_error(US"gnutls_handshake", US"timed out", NULL, errstr);
     gnutls_db_remove_session(state->session);
     }
   else
     {
-    tls_error(US"gnutls_handshake", gnutls_strerror(rc), NULL, errstr);
+    tls_error_gnu(US"gnutls_handshake", rc, NULL, errstr);
     (void) gnutls_alert_send_appropriate(state->session, rc);
     gnutls_deinit(state->session);
     gnutls_certificate_free_credentials(state->x509_cred);
     millisleep(500);
     shutdown(state->fd_out, SHUT_WR);
-    for (rc = 1024; fgetc(smtp_in) != EOF && rc > 0; ) rc--;   /* drain skt */
+    for (int i = 1024; fgetc(smtp_in) != EOF && i > 0; ) i--;  /* drain skt */
     (void)fclose(smtp_out);
     (void)fclose(smtp_in);
     smtp_out = smtp_in = NULL;
@@ -2003,7 +2480,11 @@ if (rc != GNUTLS_E_SUCCESS)
   return FAIL;
   }
 
-DEBUG(D_tls) debug_printf("gnutls_handshake was successful\n");
+#ifdef EXPERIMENTAL_TLS_RESUME
+tls_server_resume_posthandshake(state);
+#endif
+
+DEBUG(D_tls) post_handshake_debug(state);
 
 /* Verify after the fact */
 
@@ -2019,10 +2500,6 @@ if (!verify_certificate(state, errstr))
        *errstr);
   }
 
-/* Figure out peer DN, and if authenticated, etc. */
-
-if ((rc = peer_status(state, NULL)) != OK) return rc;
-
 /* Sets various Exim expansion variables; always safe within server */
 
 extract_exim_vars_from_tls_state(state);
@@ -2050,7 +2527,7 @@ static void
 tls_client_setup_hostname_checks(host_item * host, exim_gnutls_state_st * state,
   smtp_transport_options_block * ob)
 {
-if (verify_check_given_host(&ob->tls_verify_cert_hostnames, host) == OK)
+if (verify_check_given_host(CUSS &ob->tls_verify_cert_hostnames, host) == OK)
   {
   state->exp_tls_verify_cert_hostnames =
 #ifdef SUPPORT_I18N
@@ -2075,45 +2552,203 @@ use in DANE verification.
 We point at the dnsa data not copy it, so it must remain valid until
 after verification is done.*/
 
-static void
+static BOOL
 dane_tlsa_load(exim_gnutls_state_st * state, dns_answer * dnsa)
 {
-dns_record * rr;
 dns_scan dnss;
 int i;
 const char **  dane_data;
 int *          dane_data_len;
 
-for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS), i = 1;
-     rr;
+i = 1;
+for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
      rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
     ) if (rr->type == T_TLSA) i++;
 
-dane_data = store_get(i * sizeof(uschar *));
-dane_data_len = store_get(i * sizeof(int));
+dane_data = store_get(i * sizeof(uschar *), FALSE);
+dane_data_len = store_get(i * sizeof(int), FALSE);
 
-for (rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS), i = 0;
-     rr;
+i = 0;
+for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
      rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
-    ) if (rr->type == T_TLSA)
+    ) if (rr->type == T_TLSA && rr->size > 3)
   {
   const uschar * p = rr->data;
-  uint8_t usage = *p;
+/*XXX need somehow to mark rr and its data as tainted.  Doues this mean copying it? */
+  uint8_t usage = p[0], sel = p[1], type = p[2];
+
+  DEBUG(D_tls)
+    debug_printf("TLSA: %d %d %d size %d\n", usage, sel, type, rr->size);
+
+  if (  (usage != DANESSL_USAGE_DANE_TA && usage != DANESSL_USAGE_DANE_EE)
+     || (sel != 0 && sel != 1)
+     )
+    continue;
+  switch(type)
+    {
+    case 0:    /* Full: cannot check at present */
+               break;
+    case 1:    if (rr->size != 3 + 256/8) continue;    /* sha2-256 */
+               break;
+    case 2:    if (rr->size != 3 + 512/8) continue;    /* sha2-512 */
+               break;
+    default:   continue;
+    }
 
   tls_out.tlsa_usage |= 1<<usage;
-  dane_data[i] = p;
+  dane_data[i] = CS p;
   dane_data_len[i++] = rr->size;
   }
+
+if (!i) return FALSE;
+
 dane_data[i] = NULL;
 dane_data_len[i] = 0;
 
 state->dane_data = (char * const *)dane_data;
 state->dane_data_len = dane_data_len;
+return TRUE;
 }
 #endif
 
 
 
+#ifdef EXPERIMENTAL_TLS_RESUME
+/* On the client, get any stashed session for the given IP from hints db
+and apply it to the ssl-connection for attempted resumption.  Although
+there is a gnutls_session_ticket_enable_client() interface it is
+documented as unnecessary (as of 3.6.7) as "session tickets are emabled
+by deafult".  There seems to be no way to disable them, so even hosts not
+enabled by the transport option will be sent a ticket request.  We will
+however avoid storing and retrieving session information. */
+
+static void
+tls_retrieve_session(tls_support * tlsp, gnutls_session_t session,
+  host_item * host, smtp_transport_options_block * ob)
+{
+tlsp->resumption = RESUME_SUPPORTED;
+if (verify_check_given_host(CUSS &ob->tls_resumption_hosts, host) == OK)
+  {
+  dbdata_tls_session * dt;
+  int len, rc;
+  open_db dbblock, * dbm_file;
+
+  DEBUG(D_tls)
+    debug_printf("check for resumable session for %s\n", host->address);
+  tlsp->host_resumable = TRUE;
+  tlsp->resumption |= RESUME_CLIENT_REQUESTED;
+  if ((dbm_file = dbfn_open(US"tls", O_RDONLY, &dbblock, FALSE, FALSE)))
+    {
+    /* Key for the db is the IP.  We'd like to filter the retrieved session
+    for ticket advisory expiry, but 3.6.1 seems to give no access to that */
+
+    if ((dt = dbfn_read_with_length(dbm_file, host->address, &len)))
+      if (!(rc = gnutls_session_set_data(session,
+                   CUS dt->session, (size_t)len - sizeof(dbdata_tls_session))))
+       {
+       DEBUG(D_tls) debug_printf("good session\n");
+       tlsp->resumption |= RESUME_CLIENT_SUGGESTED;
+       }
+      else DEBUG(D_tls) debug_printf("setting session resumption data: %s\n",
+           US gnutls_strerror(rc));
+    dbfn_close(dbm_file);
+    }
+  }
+}
+
+
+static void
+tls_save_session(tls_support * tlsp, gnutls_session_t session, const host_item * host)
+{
+/* TLS 1.2 - we get both the callback and the direct posthandshake call,
+but this flag is not set until the second.  TLS 1.3 it's the other way about.
+Keep both calls as the session data cannot be extracted before handshake
+completes. */
+
+if (gnutls_session_get_flags(session) & GNUTLS_SFLAGS_SESSION_TICKET)
+  {
+  gnutls_datum_t tkt;
+  int rc;
+
+  DEBUG(D_tls) debug_printf("server offered session ticket\n");
+  tlsp->ticket_received = TRUE;
+  tlsp->resumption |= RESUME_SERVER_TICKET;
+
+  if (tlsp->host_resumable)
+    if (!(rc = gnutls_session_get_data2(session, &tkt)))
+      {
+      open_db dbblock, * dbm_file;
+      int dlen = sizeof(dbdata_tls_session) + tkt.size;
+      dbdata_tls_session * dt = store_get(dlen, TRUE);
+
+      DEBUG(D_tls) debug_printf("session data size %u\n", (unsigned)tkt.size);
+      memcpy(dt->session, tkt.data, tkt.size);
+      gnutls_free(tkt.data);
+
+      if ((dbm_file = dbfn_open(US"tls", O_RDWR, &dbblock, FALSE, FALSE)))
+       {
+       /* key for the db is the IP */
+       dbfn_delete(dbm_file, host->address);
+       dbfn_write(dbm_file, host->address, dt, dlen);
+       dbfn_close(dbm_file);
+
+       DEBUG(D_tls)
+         debug_printf("wrote session db (len %u)\n", (unsigned)dlen);
+       }
+      }
+    else DEBUG(D_tls)
+      debug_printf("extract session data: %s\n", US gnutls_strerror(rc));
+  }
+}
+
+
+/* With a TLS1.3 session, the ticket(s) are not seen until
+the first data read is attempted.  And there's often two of them.
+Pick them up with this callback.  We are also called for 1.2
+but we do nothing.
+*/
+static int
+tls_client_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
+  unsigned incoming, const gnutls_datum_t * msg)
+{
+exim_gnutls_state_st * state = gnutls_session_get_ptr(sess);
+tls_support * tlsp = state->tlsp;
+
+DEBUG(D_tls) debug_printf("newticket cb\n");
+
+if (!tlsp->ticket_received)
+  tls_save_session(tlsp, sess, state->host);
+return 0;
+}
+
+
+static void
+tls_client_resume_prehandshake(exim_gnutls_state_st * state,
+  tls_support * tlsp, host_item * host,
+  smtp_transport_options_block * ob)
+{
+gnutls_session_set_ptr(state->session, state);
+gnutls_handshake_set_hook_function(state->session,
+  GNUTLS_HANDSHAKE_NEW_SESSION_TICKET, GNUTLS_HOOK_POST, tls_client_ticket_cb);
+
+tls_retrieve_session(tlsp, state->session, host, ob);
+}
+
+static void
+tls_client_resume_posthandshake(exim_gnutls_state_st * state,
+  tls_support * tlsp, host_item * host)
+{
+if (gnutls_session_is_resumed(state->session))
+  {
+  DEBUG(D_tls) debug_printf("Session resumed\n");
+  tlsp->resumption |= RESUME_USED;
+  }
+
+tls_save_session(tlsp, state->session, host);
+}
+#endif /* EXPERIMENTAL_TLS_RESUME */
+
+
 /*************************************************
 *    Start a TLS session in a client             *
 *************************************************/
@@ -2121,47 +2756,63 @@ state->dane_data_len = dane_data_len;
 /* Called from the smtp transport after STARTTLS has been accepted.
 
 Arguments:
-  fd                the fd of the connection
-  host              connected host (for messages)
-  addr              the first address (not used)
-  tb                transport (always smtp)
-  tlsa_dnsa        non-NULL, either request or require dane for this host, and
-                   a TLSA record found.  Therefore, dane verify required.
-                   Which implies cert must be requested and supplied, dane
-                   verify must pass, and cert verify irrelevant (incl.
-                   hostnames), and (caller handled) require_tls
-  errstr           error string pointer
-
-Returns:            OK/DEFER/FAIL (because using common functions),
-                    but for a client, DEFER and FAIL have the same meaning
+  cctx         connection context
+  conn_args    connection details
+  cookie       datum for randomness (not used)
+  tlsp          record details of channel configuration here; must be non-NULL
+  errstr        error string pointer
+
+Returns:        TRUE for success with TLS session context set in smtp context,
+               FALSE on error
 */
 
-int
-tls_client_start(int fd, host_item *host,
-    address_item *addr ARG_UNUSED,
-    transport_instance * tb,
-#ifdef EXPERIMENTAL_DANE
-    dns_answer * tlsa_dnsa,
-#endif
-    uschar ** errstr)
+BOOL
+tls_client_start(client_conn_ctx * cctx, smtp_connect_args * conn_args,
+  void * cookie ARG_UNUSED,
+  tls_support * tlsp, uschar ** errstr)
 {
-smtp_transport_options_block *ob =
-  (smtp_transport_options_block *)tb->options_block;
+host_item * host = conn_args->host;          /* for msgs and option-tests */
+transport_instance * tb = conn_args->tblock; /* always smtp or NULL */
+smtp_transport_options_block * ob = tb
+  ? (smtp_transport_options_block *)tb->options_block
+  : &smtp_transport_option_defaults;
 int rc;
 exim_gnutls_state_st * state = NULL;
+uschar * cipher_list = NULL;
+
 #ifndef DISABLE_OCSP
 BOOL require_ocsp =
-  verify_check_given_host(&ob->hosts_require_ocsp, host) == OK;
+  verify_check_given_host(CUSS &ob->hosts_require_ocsp, host) == OK;
 BOOL request_ocsp = require_ocsp ? TRUE
-  : verify_check_given_host(&ob->hosts_request_ocsp, host) == OK;
+  : verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
 #endif
 
-DEBUG(D_tls) debug_printf("initialising GnuTLS as a client on fd %d\n", fd);
+DEBUG(D_tls) debug_printf("initialising GnuTLS as a client on fd %d\n", cctx->sock);
 
-if ((rc = tls_init(host, ob->tls_certificate, ob->tls_privatekey,
+#ifdef SUPPORT_DANE
+/* If dane is flagged, have either request or require dane for this host, and
+a TLSA record found.  Therefore, dane verify required.  Which implies cert must
+be requested and supplied, dane verify must pass, and cert verify irrelevant
+(incl.  hostnames), and (caller handled) require_tls */
+
+if (conn_args->dane && ob->dane_require_tls_ciphers)
+  {
+  /* not using expand_check_tlsvar because not yet in state */
+  if (!expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers",
+      &cipher_list, errstr))
+    return FALSE;
+  cipher_list = cipher_list && *cipher_list
+    ? ob->dane_require_tls_ciphers : ob->tls_require_ciphers;
+  }
+#endif
+
+if (!cipher_list)
+  cipher_list = ob->tls_require_ciphers;
+
+if (tls_init(host, ob->tls_certificate, ob->tls_privatekey,
     ob->tls_sni, ob->tls_verify_certificates, ob->tls_crl,
-    ob->tls_require_ciphers, &state, errstr)) != OK)
-  return rc;
+    cipher_list, &state, tlsp, errstr) != OK)
+  return FALSE;
 
   {
   int dh_min_bits = ob->tls_dh_min_bits;
@@ -2185,13 +2836,12 @@ set but both tls_verify_hosts and tls_try_verify_hosts are unset. Check only
 the specified host patterns if one of them is defined */
 
 #ifdef SUPPORT_DANE
-if (tlsa_dnsa)
+if (conn_args->dane && dane_tlsa_load(state, &conn_args->tlsa_dnsa))
   {
   DEBUG(D_tls)
     debug_printf("TLS: server certificate DANE required.\n");
   state->verify_requirement = VERIFY_DANE;
   gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
-  dane_tlsa_load(state, tlsa_dnsa);
   }
 else
 #endif
@@ -2199,7 +2849,7 @@ else
          && !ob->tls_verify_hosts
          && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
          )
-       || verify_check_given_host(&ob->tls_verify_hosts, host) == OK
+       || verify_check_given_host(CUSS &ob->tls_verify_hosts, host) == OK
        )
   {
   tls_client_setup_hostname_checks(host, state, ob);
@@ -2208,7 +2858,7 @@ else
   state->verify_requirement = VERIFY_REQUIRED;
   gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE);
   }
-else if (verify_check_given_host(&ob->tls_try_verify_hosts, host) == OK)
+else if (verify_check_given_host(CUSS &ob->tls_try_verify_hosts, host) == OK)
   {
   tls_client_setup_hostname_checks(host, state, ob);
   DEBUG(D_tls)
@@ -2231,14 +2881,20 @@ if (request_ocsp)
   DEBUG(D_tls) debug_printf("TLS: will request OCSP stapling\n");
   if ((rc = gnutls_ocsp_status_request_enable_client(state->session,
                    NULL, 0, NULL)) != OK)
-    return tls_error(US"cert-status-req",
-                   gnutls_strerror(rc), state->host, errstr);
-  tls_out.ocsp = OCSP_NOT_RESP;
+    {
+    tls_error_gnu(US"cert-status-req", rc, state->host, errstr);
+    return FALSE;
+    }
+  tlsp->ocsp = OCSP_NOT_RESP;
   }
 #endif
 
+#ifdef EXPERIMENTAL_TLS_RESUME
+tls_client_resume_prehandshake(state, tlsp, host, ob);
+#endif
+
 #ifndef DISABLE_EVENT
-if (tb->event_action)
+if (tb && tb->event_action)
   {
   state->event_action = tb->event_action;
   gnutls_session_set_ptr(state->session, state);
@@ -2246,79 +2902,98 @@ if (tb->event_action)
   }
 #endif
 
-gnutls_transport_set_ptr(state->session, (gnutls_transport_ptr_t)(long) fd);
-state->fd_in = fd;
-state->fd_out = fd;
+gnutls_transport_set_ptr(state->session, (gnutls_transport_ptr_t)(long) cctx->sock);
+state->fd_in = cctx->sock;
+state->fd_out = cctx->sock;
 
 DEBUG(D_tls) debug_printf("about to gnutls_handshake\n");
 /* There doesn't seem to be a built-in timeout on connection. */
 
 sigalrm_seen = FALSE;
-alarm(ob->command_timeout);
+ALARM(ob->command_timeout);
 do
-  {
   rc = gnutls_handshake(state->session);
-  } while ((rc == GNUTLS_E_AGAIN) ||
-      (rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen));
-alarm(0);
+while (rc == GNUTLS_E_AGAIN || rc == GNUTLS_E_INTERRUPTED && !sigalrm_seen);
+ALARM_CLR(0);
 
 if (rc != GNUTLS_E_SUCCESS)
+  {
   if (sigalrm_seen)
     {
     gnutls_alert_send(state->session, GNUTLS_AL_FATAL, GNUTLS_A_USER_CANCELED);
-    return tls_error(US"gnutls_handshake", "timed out", state->host, errstr);
+    tls_error(US"gnutls_handshake", US"timed out", state->host, errstr);
     }
   else
-    return tls_error(US"gnutls_handshake", gnutls_strerror(rc), state->host, errstr);
+    tls_error_gnu(US"gnutls_handshake", rc, state->host, errstr);
+  return FALSE;
+  }
 
-DEBUG(D_tls) debug_printf("gnutls_handshake was successful\n");
+DEBUG(D_tls) post_handshake_debug(state);
 
 /* Verify late */
 
 if (!verify_certificate(state, errstr))
-  return tls_error(US"certificate verification failed", *errstr, state->host, errstr);
+  {
+  tls_error(US"certificate verification failed", *errstr, state->host, errstr);
+  return FALSE;
+  }
 
 #ifndef DISABLE_OCSP
-if (require_ocsp)
+if (request_ocsp)
   {
   DEBUG(D_tls)
     {
     gnutls_datum_t stapling;
     gnutls_ocsp_resp_t resp;
     gnutls_datum_t printed;
-    if (  (rc= gnutls_ocsp_status_request_get(state->session, &stapling)) == 0
-       && (rc= gnutls_ocsp_resp_init(&resp)) == 0
-       && (rc= gnutls_ocsp_resp_import(resp, &stapling)) == 0
-       && (rc= gnutls_ocsp_resp_print(resp, GNUTLS_OCSP_PRINT_FULL, &printed)) == 0
-       )
-      {
-      debug_printf("%.4096s", printed.data);
-      gnutls_free(printed.data);
-      }
-    else
-      (void) tls_error(US"ocsp decode", gnutls_strerror(rc), state->host, errstr);
+    unsigned idx = 0;
+
+    for (;
+# ifdef GNUTLS_OCSP_STATUS_REQUEST_GET2
+        (rc = gnutls_ocsp_status_request_get2(state->session, idx, &stapling)) == 0;
+#else
+        (rc = gnutls_ocsp_status_request_get(state->session, &stapling)) == 0;
+#endif
+        idx++)
+      if (  (rc= gnutls_ocsp_resp_init(&resp)) == 0
+        && (rc= gnutls_ocsp_resp_import(resp, &stapling)) == 0
+        && (rc= gnutls_ocsp_resp_print(resp, GNUTLS_OCSP_PRINT_COMPACT, &printed)) == 0
+        )
+       {
+       debug_printf("%.4096s", printed.data);
+       gnutls_free(printed.data);
+       }
+      else
+       (void) tls_error_gnu(US"ocsp decode", rc, state->host, errstr);
+    if (idx == 0 && rc)
+      (void) tls_error_gnu(US"ocsp decode", rc, state->host, errstr);
     }
 
   if (gnutls_ocsp_status_request_is_checked(state->session, 0) == 0)
     {
-    tls_out.ocsp = OCSP_FAILED;
-    return tls_error(US"certificate status check failed", NULL, state->host, errstr);
+    tlsp->ocsp = OCSP_FAILED;
+    tls_error(US"certificate status check failed", NULL, state->host, errstr);
+    if (require_ocsp)
+      return FALSE;
+    }
+  else
+    {
+    DEBUG(D_tls) debug_printf("Passed OCSP checking\n");
+    tlsp->ocsp = OCSP_VFIED;
     }
-  DEBUG(D_tls) debug_printf("Passed OCSP checking\n");
-  tls_out.ocsp = OCSP_VFIED;
   }
 #endif
 
-/* Figure out peer DN, and if authenticated, etc. */
-
-if ((rc = peer_status(state, errstr)) != OK)
-  return rc;
+#ifdef EXPERIMENTAL_TLS_RESUME
+tls_client_resume_posthandshake(state, tlsp, host);
+#endif
 
 /* Sets various Exim expansion variables; may need to adjust for ACL callouts */
 
 extract_exim_vars_from_tls_state(state);
 
-return OK;
+cctx->tls_ctx = state;
+return TRUE;
 }
 
 
@@ -2332,35 +3007,54 @@ return OK;
 daemon, to shut down the TLS library, without actually doing a shutdown (which
 would tamper with the TLS session in the parent process).
 
-Arguments:   TRUE if gnutls_bye is to be called
+Arguments:
+  ct_ctx       client context pointer, or NULL for the one global server context
+  shutdown     1 if TLS close-alert is to be sent,
+               2 if also response to be waited for
+
 Returns:     nothing
 */
 
 void
-tls_close(BOOL is_server, BOOL shutdown)
+tls_close(void * ct_ctx, int shutdown)
 {
-exim_gnutls_state_st *state = is_server ? &state_server : &state_client;
+exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server;
+tls_support * tlsp = state->tlsp;
 
-if (!state->tlsp || state->tlsp->active < 0) return;  /* TLS was not active */
+if (!tlsp || tlsp->active.sock < 0) return;  /* TLS was not active */
 
 if (shutdown)
   {
-  DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS\n");
-  gnutls_bye(state->session, GNUTLS_SHUT_WR);
+  DEBUG(D_tls) debug_printf("tls_close(): shutting down TLS%s\n",
+    shutdown > 1 ? " (with response-wait)" : "");
+
+  ALARM(2);
+  gnutls_bye(state->session, shutdown > 1 ? GNUTLS_SHUT_RDWR : GNUTLS_SHUT_WR);
+  ALARM_CLR(0);
+  }
+
+if (!ct_ctx)   /* server */
+  {
+  receive_getc =       smtp_getc;
+  receive_getbuf =     smtp_getbuf;
+  receive_get_cache =  smtp_get_cache;
+  receive_ungetc =     smtp_ungetc;
+  receive_feof =       smtp_feof;
+  receive_ferror =     smtp_ferror;
+  receive_smtp_buffered = smtp_buffered;
   }
 
 gnutls_deinit(state->session);
 gnutls_certificate_free_credentials(state->x509_cred);
 
+tlsp->active.sock = -1;
+tlsp->active.tls_ctx = NULL;
+/* Leave bits, peercert, cipher, peerdn, certificate_verified set, for logging */
+tls_channelbinding_b64 = NULL;
 
-state->tlsp->active = -1;
-memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
 
-if ((state_server.session == NULL) && (state_client.session == NULL))
-  {
-  gnutls_global_deinit();
-  exim_gnutls_base_init_done = FALSE;
-  }
+if (state->xfer_buffer) store_free(state->xfer_buffer);
+memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
 }
 
 
@@ -2375,47 +3069,40 @@ ssize_t inbytes;
 DEBUG(D_tls) debug_printf("Calling gnutls_record_recv(%p, %p, %u)\n",
   state->session, state->xfer_buffer, ssl_xfer_buffer_size);
 
-if (smtp_receive_timeout > 0) alarm(smtp_receive_timeout);
-inbytes = gnutls_record_recv(state->session, state->xfer_buffer,
-  MIN(ssl_xfer_buffer_size, lim));
-alarm(0);
+sigalrm_seen = FALSE;
+if (smtp_receive_timeout > 0) ALARM(smtp_receive_timeout);
+
+do
+  inbytes = gnutls_record_recv(state->session, state->xfer_buffer,
+    MIN(ssl_xfer_buffer_size, lim));
+while (inbytes == GNUTLS_E_AGAIN);
 
-/* Timeouts do not get this far; see command_timeout_handler().
-   A zero-byte return appears to mean that the TLS session has been
-   closed down, not that the socket itself has been closed down. Revert to
-   non-TLS handling. */
+if (smtp_receive_timeout > 0) ALARM_CLR(0);
+
+if (had_command_timeout)               /* set by signal handler */
+  smtp_command_timeout_exit();         /* does not return */
+if (had_command_sigterm)
+  smtp_command_sigterm_exit();
+if (had_data_timeout)
+  smtp_data_timeout_exit();
+if (had_data_sigint)
+  smtp_data_sigint_exit();
+
+/* Timeouts do not get this far.  A zero-byte return appears to mean that the
+TLS session has been closed down, not that the socket itself has been closed
+down. Revert to non-TLS handling. */
 
 if (sigalrm_seen)
   {
   DEBUG(D_tls) debug_printf("Got tls read timeout\n");
-  state->xfer_error = 1;
+  state->xfer_error = TRUE;
   return FALSE;
   }
 
 else if (inbytes == 0)
   {
   DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
-
-  receive_getc = smtp_getc;
-  receive_getbuf = smtp_getbuf;
-  receive_get_cache = smtp_get_cache;
-  receive_ungetc = smtp_ungetc;
-  receive_feof = smtp_feof;
-  receive_ferror = smtp_ferror;
-  receive_smtp_buffered = smtp_buffered;
-
-  gnutls_deinit(state->session);
-  gnutls_certificate_free_credentials(state->x509_cred);
-
-  state->session = NULL;
-  state->tlsp->active = -1;
-  state->tlsp->bits = 0;
-  state->tlsp->certificate_verified = FALSE;
-  tls_channelbinding_b64 = NULL;
-  state->tlsp->cipher = NULL;
-  state->tlsp->peercert = NULL;
-  state->tlsp->peerdn = NULL;
-
+  tls_close(NULL, TLS_NO_SHUTDOWN);
   return FALSE;
   }
 
@@ -2423,8 +3110,9 @@ else if (inbytes == 0)
 
 else if (inbytes < 0)
   {
+  DEBUG(D_tls) debug_printf("%s: err from gnutls_record_recv\n", __FUNCTION__);
   record_io_error(state, (int) inbytes, US"recv", NULL);
-  state->xfer_error = 1;
+  state->xfer_error = TRUE;
   return FALSE;
   }
 #ifndef DISABLE_DKIM
@@ -2445,7 +3133,7 @@ Only used by the server-side TLS.
 
 This feeds DKIM and should be used for all message-body reads.
 
-Arguments:  lim                Maximum amount to read/bufffer
+Arguments:  lim                Maximum amount to read/buffer
 Returns:    the next character or EOF
 */
 
@@ -2517,17 +3205,18 @@ return state_server.xfer_buffer_lwm < state_server.xfer_buffer_hwm
 then the caller must feed DKIM.
 
 Arguments:
+  ct_ctx    client context pointer, or NULL for the one global server context
   buff      buffer of data
   len       size of buffer
 
 Returns:    the number of bytes read
-            -1 after a failed read
+            -1 after a failed read, including EOF
 */
 
 int
-tls_read(BOOL is_server, uschar *buff, size_t len)
+tls_read(void * ct_ctx, uschar *buff, size_t len)
 {
-exim_gnutls_state_st *state = is_server ? &state_server : &state_client;
+exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server;
 ssize_t inbytes;
 
 if (len > INT_MAX)
@@ -2543,13 +3232,20 @@ DEBUG(D_tls)
   debug_printf("Calling gnutls_record_recv(%p, %p, " SIZE_T_FMT ")\n",
       state->session, buff, len);
 
-inbytes = gnutls_record_recv(state->session, buff, len);
+do
+  inbytes = gnutls_record_recv(state->session, buff, len);
+while (inbytes == GNUTLS_E_AGAIN);
+
 if (inbytes > 0) return inbytes;
 if (inbytes == 0)
   {
   DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
   }
-else record_io_error(state, (int)inbytes, US"recv", NULL);
+else
+  {
+  DEBUG(D_tls) debug_printf("%s: err from gnutls_record_recv\n", __FUNCTION__);
+  record_io_error(state, (int)inbytes, US"recv", NULL);
+  }
 
 return -1;
 }
@@ -2563,7 +3259,7 @@ return -1;
 
 /*
 Arguments:
-  is_server channel specifier
+  ct_ctx    client context pointer, or NULL for the one global server context
   buff      buffer of data
   len       number of bytes
   more     more data expected soon
@@ -2573,11 +3269,11 @@ Returns:    the number of bytes after a successful write,
 */
 
 int
-tls_write(BOOL is_server, const uschar *buff, size_t len, BOOL more)
+tls_write(void * ct_ctx, const uschar * buff, size_t len, BOOL more)
 {
 ssize_t outbytes;
 size_t left = len;
-exim_gnutls_state_st *state = is_server ? &state_server : &state_client;
+exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server;
 #ifdef SUPPORT_CORK
 static BOOL corked = FALSE;
 
@@ -2591,11 +3287,15 @@ while (left > 0)
   {
   DEBUG(D_tls) debug_printf("gnutls_record_send(SSL, %p, " SIZE_T_FMT ")\n",
       buff, left);
-  outbytes = gnutls_record_send(state->session, buff, left);
+
+  do
+    outbytes = gnutls_record_send(state->session, buff, left);
+  while (outbytes == GNUTLS_E_AGAIN);
 
   DEBUG(D_tls) debug_printf("outbytes=" SSIZE_T_FMT "\n", outbytes);
   if (outbytes < 0)
     {
+    DEBUG(D_tls) debug_printf("%s: gnutls_record_send err\n", __FUNCTION__);
     record_io_error(state, outbytes, US"send", NULL);
     return -1;
     }
@@ -2652,7 +3352,6 @@ vaguely_random_number(int max)
 {
 unsigned int r;
 int i, needed_len;
-uschar *p;
 uschar smallbuf[sizeof(r)];
 
 if (max <= 1)
@@ -2660,7 +3359,8 @@ if (max <= 1)
 
 needed_len = sizeof(r);
 /* Don't take 8 times more entropy than needed if int is 8 octets and we were
- * asked for a number less than 10. */
+asked for a number less than 10. */
+
 for (r = max, i = 0; r; ++i)
   r >>= 1;
 i = (i + 7) / 8;
@@ -2674,11 +3374,8 @@ if (i < 0)
   return vaguely_random_number_fallback(max);
   }
 r = 0;
-for (p = smallbuf; needed_len; --needed_len, ++p)
-  {
-  r *= 256;
-  r += *p;
-  }
+for (uschar * p = smallbuf; needed_len; --needed_len, ++p)
+  r = r * 256 + *p;
 
 /* We don't particularly care about weighted results; if someone wants
  * smooth distribution and cares enough then they should submit a patch then. */
@@ -2781,6 +3478,7 @@ fprintf(f, "Library version: GnuTLS: Compile: %s\n"
            gnutls_check_version(NULL));
 }
 
+#endif /*!MACRO_PREDEF*/
 /* vi: aw ai sw=2
 */
 /* End of tls-gnu.c */