#if GNUTLS_VERSION_NUMBER >= 0x030506 && !defined(DISABLE_OCSP)
# define SUPPORT_SRV_OCSP_STACK
#endif
+#if GNUTLS_VERSION_NUMBER >= 0x030603
+# define EXIM_HAVE_TLS1_3
+# define SUPPORT_GNUTLS_EXT_RAW_PARSE
+# define GNUTLS_OCSP_STATUS_REQUEST_GET2
+#endif
#ifdef SUPPORT_DANE
# if GNUTLS_VERSION_NUMBER >= 0x030000
# endif
#endif
+#ifdef EXPERIMENTAL_TLS_RESUME
+# if GNUTLS_VERSION_NUMBER < 0x030603
+# error GNUTLS version too early for session-resumption
+# endif
+#endif
+
#ifndef DISABLE_OCSP
# include <gnutls/ocsp.h>
#endif
# ifdef EXPERIMENTAL_TLS_RESUME
builtin_macro_create_var(US"_RESUME_DECODE", RESUME_DECODE_STRING );
# endif
+# ifdef EXIM_HAVE_TLS1_3
+builtin_macro_create(US"_HAVE_TLS1_3");
+# endif
}
#else
static gnutls_dh_params_t dh_server_params = NULL;
-static int ssl_session_timeout = 3600; /* One hour */
+static int ssl_session_timeout = 7200; /* Two hours */
static const uschar * const exim_default_gnutls_priority = US"NORMAL";
#ifndef DISABLE_OCSP
static BOOL gnutls_buggy_ocsp = FALSE;
+static BOOL exim_testharness_disable_ocsp_validity_check = FALSE;
#endif
#ifdef EXPERIMENTAL_TLS_RESUME
static int exim_sni_handling_cb(gnutls_session_t session);
-#ifndef DISABLE_OCSP
-static int server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
- gnutls_datum_t * ocsp_response);
+#ifdef EXPERIMENTAL_TLS_RESUME
+static int
+tls_server_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when,
+ unsigned incoming, const gnutls_datum_t * msg);
#endif
-
/* Daemon one-time initialisation */
void
tls_daemon_init(void)
}
m.size = statbuf.st_size;
- if (!(m.data = malloc(m.size)))
+ if (!(m.data = store_malloc(m.size)))
{
fclose(fp);
return tls_error_sys(US"malloc failed", errno, NULL, errstr);
{
saved_errno = errno;
fclose(fp);
- free(m.data);
+ store_free(m.data);
return tls_error_sys(US"fread failed", saved_errno, NULL, errstr);
}
fclose(fp);
rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM);
- free(m.data);
+ store_free(m.data);
if (rc)
return tls_error_gnu(US"gnutls_dh_params_import_pkcs3", rc, host, errstr);
DEBUG(D_tls) debug_printf("read D-H parameters from file \"%s\"\n", filename);
return tls_error_gnu(US"gnutls_dh_params_export_pkcs3(NULL) sizing",
rc, host, errstr);
m.size = sz;
- if (!(m.data = malloc(m.size)))
+ if (!(m.data = store_malloc(m.size)))
return tls_error_sys(US"memory allocation failed", errno, NULL, errstr);
/* this will return a size 1 less than the allocation size above */
if ((rc = gnutls_dh_params_export_pkcs3(dh_server_params, GNUTLS_X509_FMT_PEM,
m.data, &sz)))
{
- free(m.data);
+ store_free(m.data);
return tls_error_gnu(US"gnutls_dh_params_export_pkcs3() real", rc, host, errstr);
}
m.size = sz; /* shrink by 1, probably */
if ((sz = write_to_fd_buf(fd, m.data, (size_t) m.size)) != m.size)
{
- free(m.data);
+ store_free(m.data);
return tls_error_sys(US"TLS cache write D-H params failed",
errno, NULL, errstr);
}
- free(m.data);
+ store_free(m.data);
if ((sz = write_to_fd_buf(fd, US"\n", 1)) != 1)
return tls_error_sys(US"TLS cache write D-H params final newline failed",
errno, NULL, errstr);
}
+#if !defined(DISABLE_OCSP) && !defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
+/* Load an OCSP proof from file for sending by the server. Called
+on getting a status-request handshake message, for earlier versions
+of GnuTLS. */
+
+static int
+server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
+ gnutls_datum_t * ocsp_response)
+{
+int ret;
+DEBUG(D_tls) debug_printf("OCSP stapling callback: %s\n", US ptr);
+
+if ((ret = gnutls_load_file(ptr, ocsp_response)) < 0)
+ {
+ DEBUG(D_tls) debug_printf("Failed to load ocsp stapling file %s\n",
+ CS ptr);
+ tls_in.ocsp = OCSP_NOT_RESP;
+ return GNUTLS_E_NO_CERTIFICATE_STATUS;
+ }
+
+tls_in.ocsp = OCSP_VFY_NOT_TRIED;
+return 0;
+}
+#endif
+
+
+#ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
+/* Make a note that we saw a status-request */
+static int
+tls_server_clienthello_ext(void * ctx, unsigned tls_id,
+ const unsigned char *data, unsigned size)
+{
+/* https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml */
+if (tls_id == 5) /* status_request */
+ {
+ DEBUG(D_tls) debug_printf("Seen status_request extension from client\n");
+ tls_in.ocsp = OCSP_NOT_RESP;
+ }
+return 0;
+}
+
+/* Callback for client-hello, on server, if we think we might serve stapled-OCSP */
+static int
+tls_server_clienthello_cb(gnutls_session_t session, unsigned int htype,
+ unsigned when, unsigned int incoming, const gnutls_datum_t * msg)
+{
+/* Call fn for each extension seen. 3.6.3 onwards */
+return gnutls_ext_raw_parse(NULL, tls_server_clienthello_ext, msg,
+ GNUTLS_EXT_RAW_FLAG_TLS_CLIENT_HELLO);
+}
+
+
+/* Make a note that we saw a status-response */
+static int
+tls_server_servercerts_ext(void * ctx, unsigned tls_id,
+ const unsigned char *data, unsigned size)
+{
+/* debug_printf("%s %u\n", __FUNCTION__, tls_id); */
+/* https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml */
+if (FALSE && tls_id == 5) /* status_request */
+ {
+ DEBUG(D_tls) debug_printf("Seen status_request extension\n");
+ tls_in.ocsp = exim_testharness_disable_ocsp_validity_check
+ ? OCSP_VFY_NOT_TRIED : OCSP_VFIED; /* We know that GnuTLS verifies responses */
+ }
+return 0;
+}
+
+/* Callback for certificates packet, on server, if we think we might serve stapled-OCSP */
+static int
+tls_server_servercerts_cb(gnutls_session_t session, unsigned int htype,
+ unsigned when, unsigned int incoming, const gnutls_datum_t * msg)
+{
+/* Call fn for each extension seen. 3.6.3 onwards */
+#ifdef notdef
+/*XXX crashes */
+return gnutls_ext_raw_parse(NULL, tls_server_servercerts_ext, msg, 0);
+#endif
+}
+#endif
+
+/*XXX in tls1.3 the cert-status travel as an extension next to the cert, in the
+ "Handshake Protocol: Certificate" record.
+So we need to spot the Certificate handshake message, parse it and spot any status_request extension(s)
+
+This is different to tls1.2 - where it is a separate record (wireshake term) / handshake message (gnutls term).
+*/
+
+#if defined(EXPERIMENTAL_TLS_RESUME) || defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
+/* Callback for certificate-status, on server. We sent stapled OCSP. */
+static int
+tls_server_certstatus_cb(gnutls_session_t session, unsigned int htype,
+ unsigned when, unsigned int incoming, const gnutls_datum_t * msg)
+{
+DEBUG(D_tls) debug_printf("Sending certificate-status\n"); /*XXX we get this for tls1.2 but not for 1.3 */
+#ifdef SUPPORT_SRV_OCSP_STACK
+tls_in.ocsp = exim_testharness_disable_ocsp_validity_check
+ ? OCSP_VFY_NOT_TRIED : OCSP_VFIED; /* We know that GnuTLS verifies responses */
+#else
+tls_in.ocsp = OCSP_VFY_NOT_TRIED;
+#endif
+return 0;
+}
+
+/* Callback for handshake messages, on server */
+static int
+tls_server_hook_cb(gnutls_session_t sess, u_int htype, unsigned when,
+ unsigned incoming, const gnutls_datum_t * msg)
+{
+/* debug_printf("%s: htype %u\n", __FUNCTION__, htype); */
+switch (htype)
+ {
+# ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
+ case GNUTLS_HANDSHAKE_CLIENT_HELLO:
+ return tls_server_clienthello_cb(sess, htype, when, incoming, msg);
+ case GNUTLS_HANDSHAKE_CERTIFICATE_PKT:
+ return tls_server_servercerts_cb(sess, htype, when, incoming, msg);
+# endif
+ case GNUTLS_HANDSHAKE_CERTIFICATE_STATUS:
+ return tls_server_certstatus_cb(sess, htype, when, incoming, msg);
+# ifdef EXPERIMENTAL_TLS_RESUME
+ case GNUTLS_HANDSHAKE_NEW_SESSION_TICKET:
+ return tls_server_ticket_cb(sess, htype, when, incoming, msg);
+# endif
+ default:
+ return 0;
+ }
+}
+#endif
+
+
+#if !defined(DISABLE_OCSP) && defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
+static void
+tls_server_testharness_ocsp_fiddle(void)
+{
+extern char ** environ;
+if (environ) for (uschar ** p = USS environ; *p; p++)
+ if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
+ {
+ DEBUG(D_tls) debug_printf("Permitting known bad OCSP response\n");
+ exim_testharness_disable_ocsp_validity_check = TRUE;
+ }
+}
+#endif
+
/*************************************************
* Variables re-expanded post-SNI *
*************************************************/
#ifdef SUPPORT_SRV_OCSP_STACK
gnutls_certificate_set_flags(state->x509_cred, GNUTLS_CERTIFICATE_API_V2);
+
+# if !defined(DISABLE_OCSP) && defined(SUPPORT_GNUTLS_EXT_RAW_PARSE)
+if (!host && tls_ocsp_file)
+ {
+ if (f.running_in_test_harness)
+ tls_server_testharness_ocsp_fiddle();
+
+ if (exim_testharness_disable_ocsp_validity_check)
+ gnutls_certificate_set_flags(state->x509_cred,
+ GNUTLS_CERTIFICATE_API_V2 | GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK);
+ }
+# endif
#endif
/* remember: expand_check_tlsvar() is expand_check() but fiddling with
/* tls_privatekey is optional, defaulting to same file as certificate */
-if (state->tls_privatekey == NULL || *state->tls_privatekey == '\0')
+if (!state->tls_privatekey || !*state->tls_privatekey)
{
state->tls_privatekey = state->tls_certificate;
state->exp_tls_privatekey = state->exp_tls_certificate;
const uschar * olist;
int csep = 0, ksep = 0, osep = 0, cnt = 0;
uschar * cfile, * kfile, * ofile;
-
#ifndef DISABLE_OCSP
+# ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
+ gnutls_x509_crt_fmt_t ocsp_fmt = GNUTLS_X509_FMT_DER;
+# endif
+
if (!expand_check(tls_ocsp_file, US"tls_ocsp_file", &ofile, errstr))
return DEFER;
olist = ofile;
else
{
int gnutls_cert_index = -rc;
- DEBUG(D_tls) debug_printf("TLS: cert/key %s registered\n", cfile);
-
- /* Set the OCSP stapling server info */
+ DEBUG(D_tls) debug_printf("TLS: cert/key %d %s registered\n",
+ gnutls_cert_index, cfile);
#ifndef DISABLE_OCSP
if (tls_ocsp_file)
+ {
+ /* Set the OCSP stapling server info */
if (gnutls_buggy_ocsp)
{
DEBUG(D_tls)
}
else if ((ofile = string_nextinlist(&olist, &osep, NULL, 0)))
{
- /* Use the full callback method for stapling just to get
- observability. More efficient would be to read the file once only,
- if it never changed (due to SNI). Would need restart on file update,
- or watch datestamp. */
+ DEBUG(D_tls) debug_printf("OCSP response file %d = %s\n",
+ gnutls_cert_index, ofile);
+# ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE
+ if (Ustrncmp(ofile, US"PEM ", 4) == 0)
+ {
+ ocsp_fmt = GNUTLS_X509_FMT_PEM;
+ ofile += 4;
+ }
+ else if (Ustrncmp(ofile, US"DER ", 4) == 0)
+ {
+ ocsp_fmt = GNUTLS_X509_FMT_DER;
+ ofile += 4;
+ }
-# ifdef SUPPORT_SRV_OCSP_STACK
- if ((rc = gnutls_certificate_set_ocsp_status_request_function2(
- state->x509_cred, gnutls_cert_index,
- server_ocsp_stapling_cb, ofile)))
+ if ((rc = gnutls_certificate_set_ocsp_status_request_file2(
+ state->x509_cred, CCS ofile, gnutls_cert_index,
+ ocsp_fmt)) < 0)
return tls_error_gnu(
- US"gnutls_certificate_set_ocsp_status_request_function2",
+ US"gnutls_certificate_set_ocsp_status_request_file2",
rc, host, errstr);
+ DEBUG(D_tls)
+ debug_printf(" %d response%s loaded\n", rc, rc>1 ? "s":"");
+
+ /* Arrange callbacks for OCSP request observability */
+
+ gnutls_handshake_set_hook_function(state->session,
+ GNUTLS_HANDSHAKE_ANY, GNUTLS_HOOK_POST, tls_server_hook_cb);
+
# else
- if (cnt++ > 0)
+# if defined(SUPPORT_SRV_OCSP_STACK)
+ if ((rc = gnutls_certificate_set_ocsp_status_request_function2(
+ state->x509_cred, gnutls_cert_index,
+ server_ocsp_stapling_cb, ofile)))
+ return tls_error_gnu(
+ US"gnutls_certificate_set_ocsp_status_request_function2",
+ rc, host, errstr);
+ else
+# endif
{
- DEBUG(D_tls)
- debug_printf("oops; multiple OCSP files not supported\n");
- break;
- }
+ if (cnt++ > 0)
+ {
+ DEBUG(D_tls)
+ debug_printf("oops; multiple OCSP files not supported\n");
+ break;
+ }
gnutls_certificate_set_ocsp_status_request_function(
state->x509_cred, server_ocsp_stapling_cb, ofile);
-# endif
-
- DEBUG(D_tls) debug_printf("OCSP response file = %s\n", ofile);
+ }
+# endif /* SUPPORT_GNUTLS_EXT_RAW_PARSE */
}
else
DEBUG(D_tls) debug_printf("ran out of OCSP response files in list\n");
-#endif
+ }
+#endif /* DISABLE_OCSP */
}
}
- else
+ else /* client */
{
if (0 < (rc = tls_add_certfile(state, host,
state->exp_tls_certificate, state->exp_tls_privatekey, errstr)))
{
if (Ustat(state->exp_tls_verify_certificates, &statbuf) < 0)
{
- log_write(0, LOG_MAIN|LOG_PANIC, "could not stat %s "
+ log_write(0, LOG_MAIN|LOG_PANIC, "could not stat '%s' "
"(tls_verify_certificates): %s", state->exp_tls_verify_certificates,
strerror(errno));
return DEFER;
#endif
gnutls_certificate_set_x509_trust_file(state->x509_cred,
CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM);
+
+#ifdef SUPPORT_CA_DIR
+ /* Mimic the behaviour with OpenSSL of not advertising a usable-cert list
+ when using the directory-of-certs config model. */
+
+ if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
+ gnutls_certificate_send_x509_rdn_sequence(state->session, 1);
+#endif
}
if (cert_count < 0)
several in parallel. */
int old_pool = store_pool;
store_pool = POOL_PERM;
- state = store_get(sizeof(exim_gnutls_state_st));
+ state = store_get(sizeof(exim_gnutls_state_st), FALSE);
store_pool = old_pool;
memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
exim_gnutls_peer_err(US"getting size for cert DN failed");
return FAIL; /* should not happen */
}
-dn_buf = store_get_perm(sz);
+dn_buf = store_get_perm(sz, TRUE); /* tainted */
rc = gnutls_x509_crt_get_dn(crt, CS dn_buf, &sz);
exim_gnutls_peer_err(US"failed to extract certificate DN [gnutls_x509_crt_get_dn(cert 0)]");
for(nrec = 0; state->dane_data_len[nrec]; ) nrec++;
nrec++;
- dd = store_get(nrec * sizeof(uschar *));
- ddl = store_get(nrec * sizeof(int));
+ dd = store_get(nrec * sizeof(uschar *), FALSE);
+ ddl = store_get(nrec * sizeof(int), FALSE);
nrec--;
if ((rc = dane_state_init(&s, 0)))
rc = gnutls_server_name_get(session, sni_name, &data_len, &sni_type, 0);
if (rc != GNUTLS_E_SUCCESS)
{
- DEBUG(D_tls) {
+ DEBUG(D_tls)
if (rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
debug_printf("TLS: no SNI presented in handshake.\n");
else
debug_printf("TLS failure: gnutls_server_name_get(): %s [%d]\n",
gnutls_strerror(rc), rc);
- }
return 0;
}
/* We now have a UTF-8 string in sni_name */
old_pool = store_pool;
store_pool = POOL_PERM;
-state->received_sni = string_copyn(US sni_name, data_len);
+state->received_sni = string_copy_taint(US sni_name, TRUE);
store_pool = old_pool;
/* We set this one now so that variable expansions below will work */
-#ifndef DISABLE_OCSP
-
-static int
-server_ocsp_stapling_cb(gnutls_session_t session, void * ptr,
- gnutls_datum_t * ocsp_response)
-{
-int ret;
-DEBUG(D_tls) debug_printf("OCSP stapling callback: %s\n", US ptr);
-
-if ((ret = gnutls_load_file(ptr, ocsp_response)) < 0)
- {
- DEBUG(D_tls) debug_printf("Failed to load ocsp stapling file %s\n",
- CS ptr);
- tls_in.ocsp = OCSP_NOT_RESP;
- return GNUTLS_E_NO_CERTIFICATE_STATUS;
- }
-
-tls_in.ocsp = OCSP_VFY_NOT_TRIED;
-return 0;
-}
-
-#endif
-
-
#ifndef DISABLE_EVENT
/*
We use this callback to get observability and detail-level control
debug_printf("%s\n", gnutls_session_get_desc(state->session));
#endif
#ifdef SUPPORT_GNUTLS_KEYLOG
-# ifdef GNUTLS_TLS1_3
+
+# ifdef EXIM_HAVE_TLS1_3
if (gnutls_protocol_get_version(state->session) < GNUTLS_TLS1_3)
#else
if (TRUE)
" set environment variable SSLKEYLOGFILE to a filename writable by uid exim\n"
" add SSLKEYLOGFILE to keep_environment in the exim config\n"
" run exim as root\n"
- " if using sudo, add SSLKEYLOGFILE to env_keep in /etc/sudoers\n");
+ " if using sudo, add SSLKEYLOGFILE to env_keep in /etc/sudoers\n"
+ " (works for TLS1.2 also, and saves cut-paste into file)\n");
#endif
}
/* Try to tell if we see a ticket request */
gnutls_handshake_set_hook_function(state->session,
- GNUTLS_HANDSHAKE_NEW_SESSION_TICKET, GNUTLS_HOOK_POST, tls_server_ticket_cb);
+ GNUTLS_HANDSHAKE_ANY, GNUTLS_HOOK_POST, tls_server_hook_cb);
}
}
rr = dns_next_rr(dnsa, &dnss, RESET_NEXT)
) if (rr->type == T_TLSA) i++;
-dane_data = store_get(i * sizeof(uschar *));
-dane_data_len = store_get(i * sizeof(int));
+dane_data = store_get(i * sizeof(uschar *), FALSE);
+dane_data_len = store_get(i * sizeof(int), FALSE);
i = 0;
for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr;
) if (rr->type == T_TLSA && rr->size > 3)
{
const uschar * p = rr->data;
+/*XXX need somehow to mark rr and its data as tainted. Doues this mean copying it? */
uint8_t usage = p[0], sel = p[1], type = p[2];
DEBUG(D_tls)
tlsp->resumption |= RESUME_CLIENT_REQUESTED;
if ((dbm_file = dbfn_open(US"tls", O_RDONLY, &dbblock, FALSE, FALSE)))
{
- /* key for the db is the IP */
+ /* Key for the db is the IP. We'd like to filter the retrieved session
+ for ticket advisory expiry, but 3.6.1 seems to give no access to that */
+
if ((dt = dbfn_read_with_length(dbm_file, host->address, &len)))
if (!(rc = gnutls_session_set_data(session,
CUS dt->session, (size_t)len - sizeof(dbdata_tls_session))))
Keep both calls as the session data cannot be extracted before handshake
completes. */
-#ifdef GNUTLS_SFLAGS_SESSION_TICKET
if (gnutls_session_get_flags(session) & GNUTLS_SFLAGS_SESSION_TICKET)
{
gnutls_datum_t tkt;
{
open_db dbblock, * dbm_file;
int dlen = sizeof(dbdata_tls_session) + tkt.size;
- dbdata_tls_session * dt = store_get(dlen);
+ dbdata_tls_session * dt = store_get(dlen, TRUE);
DEBUG(D_tls) debug_printf("session data size %u\n", (unsigned)tkt.size);
memcpy(dt->session, tkt.data, tkt.size);
else DEBUG(D_tls)
debug_printf("extract session data: %s\n", US gnutls_strerror(rc));
}
-#endif
}
}
#ifndef DISABLE_OCSP
-if (require_ocsp)
+if (request_ocsp)
{
DEBUG(D_tls)
{
gnutls_datum_t stapling;
gnutls_ocsp_resp_t resp;
gnutls_datum_t printed;
- if ( (rc= gnutls_ocsp_status_request_get(state->session, &stapling)) == 0
- && (rc= gnutls_ocsp_resp_init(&resp)) == 0
- && (rc= gnutls_ocsp_resp_import(resp, &stapling)) == 0
- && (rc= gnutls_ocsp_resp_print(resp, GNUTLS_OCSP_PRINT_FULL, &printed)) == 0
- )
- {
- debug_printf("%.4096s", printed.data);
- gnutls_free(printed.data);
- }
- else
+ unsigned idx = 0;
+
+ for (;
+# ifdef GNUTLS_OCSP_STATUS_REQUEST_GET2
+ (rc = gnutls_ocsp_status_request_get2(state->session, idx, &stapling)) == 0;
+#else
+ (rc = gnutls_ocsp_status_request_get(state->session, &stapling)) == 0;
+#endif
+ idx++)
+ if ( (rc= gnutls_ocsp_resp_init(&resp)) == 0
+ && (rc= gnutls_ocsp_resp_import(resp, &stapling)) == 0
+ && (rc= gnutls_ocsp_resp_print(resp, GNUTLS_OCSP_PRINT_COMPACT, &printed)) == 0
+ )
+ {
+ debug_printf("%.4096s", printed.data);
+ gnutls_free(printed.data);
+ }
+ else
+ (void) tls_error_gnu(US"ocsp decode", rc, state->host, errstr);
+ if (idx == 0 && rc)
(void) tls_error_gnu(US"ocsp decode", rc, state->host, errstr);
}
{
tlsp->ocsp = OCSP_FAILED;
tls_error(US"certificate status check failed", NULL, state->host, errstr);
- return FALSE;
+ if (require_ocsp)
+ return FALSE;
+ }
+ else
+ {
+ DEBUG(D_tls) debug_printf("Passed OCSP checking\n");
+ tlsp->ocsp = OCSP_VFIED;
}
- DEBUG(D_tls) debug_printf("Passed OCSP checking\n");
- tlsp->ocsp = OCSP_VFIED;
}
#endif
tls_close(void * ct_ctx, int shutdown)
{
exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server;
+tls_support * tlsp = state->tlsp;
-if (!state->tlsp || state->tlsp->active.sock < 0) return; /* TLS was not active */
+if (!tlsp || tlsp->active.sock < 0) return; /* TLS was not active */
if (shutdown)
{
ALARM_CLR(0);
}
+if (!ct_ctx) /* server */
+ {
+ receive_getc = smtp_getc;
+ receive_getbuf = smtp_getbuf;
+ receive_get_cache = smtp_get_cache;
+ receive_ungetc = smtp_ungetc;
+ receive_feof = smtp_feof;
+ receive_ferror = smtp_ferror;
+ receive_smtp_buffered = smtp_buffered;
+ }
+
gnutls_deinit(state->session);
gnutls_certificate_free_credentials(state->x509_cred);
+tlsp->active.sock = -1;
+tlsp->active.tls_ctx = NULL;
+/* Leave bits, peercert, cipher, peerdn, certificate_verified set, for logging */
+tls_channelbinding_b64 = NULL;
+
-state->tlsp->active.sock = -1;
-state->tlsp->active.tls_ctx = NULL;
if (state->xfer_buffer) store_free(state->xfer_buffer);
memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
}
else if (inbytes == 0)
{
DEBUG(D_tls) debug_printf("Got TLS_EOF\n");
-
- receive_getc = smtp_getc;
- receive_getbuf = smtp_getbuf;
- receive_get_cache = smtp_get_cache;
- receive_ungetc = smtp_ungetc;
- receive_feof = smtp_feof;
- receive_ferror = smtp_ferror;
- receive_smtp_buffered = smtp_buffered;
-
- gnutls_deinit(state->session);
- gnutls_certificate_free_credentials(state->x509_cred);
-
- state->session = NULL;
- state->tlsp->active.sock = -1;
- state->tlsp->active.tls_ctx = NULL;
- state->tlsp->bits = 0;
- state->tlsp->certificate_verified = FALSE;
- tls_channelbinding_b64 = NULL;
- state->tlsp->cipher = NULL;
- state->tlsp->peercert = NULL;
- state->tlsp->peerdn = NULL;
-
+ tls_close(NULL, TLS_NO_SHUTDOWN);
return FALSE;
}
git://git.exim.org / exim.git / blobdiff