extern int tls_server_start(const uschar *);
extern BOOL tls_smtp_buffered(void);
extern int tls_ungetc(int);
-extern int tls_write(BOOL, int, const uschar *, size_t);
+extern int tls_write(BOOL, const uschar *, size_t);
extern uschar *tls_validate_require_cipher(void);
extern void tls_version_report(FILE *);
#ifndef USE_GNUTLS
BOOL on_connect; /* For older MTAs that don't STARTTLS */
uschar *on_connect_ports; /* Ports always tls-on-connect */
uschar *peerdn; /* DN from peer */
-#ifndef USE_GNUTLS
uschar *sni; /* Server Name Indication */
-#endif
} tls_support;
extern tls_support tls_in;
extern tls_support tls_out;
be set to point to content in one of these instances, as appropriate for
the stage of the process lifetime.
-Not handled here: global tls_channelbinding_b64. /*XXX JGH */
+Not handled here: global tls_channelbinding_b64.
*/
typedef struct exim_gnutls_state {
uschar *exp_tls_crl;
uschar *exp_tls_require_ciphers;
- tls_support *tlsp;
+ tls_support *tlsp; /* set in tls_init() */
uschar *xfer_buffer;
int xfer_buffer_lwm;
/* set SNI in client, only */
if (host)
{
- if (!expand_check_tlsvar(state->tlsp->sni))
+ if (!expand_check(state->tlsp->sni, "tls_sni", &state->exp_tls_sni))
return DEFER;
if (state->exp_tls_sni && *state->exp_tls_sni)
{
{
exim_gnutls_state_st *state = is_server ? &state_server : &state_client;
-if (state->tlsp->active < 0) return; /* TLS was not active */
+if (!state->tlsp || state->tlsp->active < 0) return; /* TLS was not active */
if (shutdown)
{
gnutls_deinit(state->session);
+state->tlsp->active = -1;
memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
if ((state_server.session == NULL) && (state_client.session == NULL))
exim_gnutls_base_init_done = FALSE;
}
-state->tlsp->active = -1;
}
static SSL_CTX *server_ctx = NULL;
static SSL *client_ssl = NULL;
static SSL *server_ssl = NULL;
+
#ifdef EXIM_HAVE_OPENSSL_TLSEXT
static SSL_CTX *client_sni = NULL;
static SSL_CTX *server_sni = NULL;
*/
static BOOL
-<<<<<<< HEAD
init_dh(SSL_CTX *sctx, uschar *dhparam, host_item *host)
-=======
-init_dh(SSL_CTX *ctx, uschar *dhparam, host_item *host)
->>>>>>> Dual-tls - split management of TLS into in- and out-bound connection-handling.
{
BIO *bio;
DH *dh;
rc = tls_expand_session_files(server_sni, cbinfo);
if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
-rc = init_dh(ctx_sni, cbinfo->dhparam, NULL);
+rc = init_dh(server_sni, cbinfo->dhparam, NULL);
if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
DEBUG(D_tls) debug_printf("Switching SSL context.\n");
/* Initialize with DH parameters if supplied */
-<<<<<<< HEAD
-if (!init_dh(ctx, dhparam, host)) return DEFER;
-=======
if (!init_dh(*ctxp, dhparam, host)) return DEFER;
->>>>>>> Dual-tls - split management of TLS into in- and out-bound connection-handling.
/* Set up certificate and key (and perhaps OCSP info) */
*/
int
-tls_read(uschar *buff, size_t len)
+tls_read(BOOL is_server, uschar *buff, size_t len)
{
+SSL *ssl = is_server ? server_ssl : client_ssl;
int inbytes;
int error;
-DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", client_ssl,
+DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
buff, (unsigned int)len);
-inbytes = SSL_read(client_ssl, CS buff, len);
-error = SSL_get_error(client_ssl, inbytes);
+inbytes = SSL_read(ssl, CS buff, len);
+error = SSL_get_error(ssl, inbytes);
if (error == SSL_ERROR_ZERO_RETURN)
{
tls_close(BOOL is_server, BOOL shutdown)
{
SSL **sslp = is_server ? &server_ssl : &client_ssl;
+int *fdp = is_server ? &tls_in.active : &tls_out.active;
if (*fdp < 0) return; /* TLS was not active */
#ifdef USE_GNUTLS
#include "tls-gnu.c"
-#define ssl_xfer_buffer (current_global_tls_state->xfer_buffer)
-#define ssl_xfer_buffer_lwm (current_global_tls_state->xfer_buffer_lwm)
-#define ssl_xfer_buffer_hwm (current_global_tls_state->xfer_buffer_hwm)
-#define ssl_xfer_eof (current_global_tls_state->xfer_eof)
-#define ssl_xfer_error (current_global_tls_state->xfer_error)
+#define ssl_xfer_buffer (state_server.xfer_buffer)
+#define ssl_xfer_buffer_lwm (state_server.xfer_buffer_lwm)
+#define ssl_xfer_buffer_hwm (state_server.xfer_buffer_hwm)
+#define ssl_xfer_eof (state_server.xfer_eof)
+#define ssl_xfer_error (state_server.xfer_error)
#else
#include "tls-openssl.c"
/* Puts a character back in the input buffer. Only ever
called once.
+Only used by the server-side TLS.
Arguments:
ch the character
*************************************************/
/* Tests for a previous EOF
+Only used by the server-side TLS.
Arguments: none
Returns: non-zero if the eof flag is set
/* Tests for a previous read error, and returns with errno
restored to what it was when the error was detected.
+Only used by the server-side TLS.
>>>>> Hmm. Errno not handled yet. Where do we get it from? >>>>>
*************************************************/
/* Tests for unused chars in the TLS input buffer.
+Only used by the server-side TLS.
Arguments: none
Returns: TRUE/FALSE
tls_retry_connection:
inblock.sock = outblock.sock =
- smtp_connect(host, host_af, port, interface, callout_connect, TRUE);
+ smtp_connect(host, host_af, port, interface, callout_connect, TRUE, NULL);
/* reconsider DSCP here */
if (inblock.sock < 0)
{
ob->tls_certificate, ob->tls_privatekey,
ob->tls_sni,
ob->tls_verify_certificates, ob->tls_crl,
- ob->tls_require_ciphers,
- ob->gnutls_require_mac, ob->gnutls_require_kx, ob->gnutls_require_proto,
+ ob->tls_require_ciphers, ob->tls_dh_min_bits,
callout);
/* TLS negotiation failed; give an error. Try in clear on a new connection,
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.2:RSA_AES_256_CBC_SHA1:256 S=sss id=E10HmaY-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss id=E10HmaY-0005vi-00@myhost.test.ex
1999-03-02 09:44:33 10HmaX-0005vi-00 no immediate delivery: queued by ACL
-1999-03-02 09:44:33 10HmaY-0005vi-00 >> userx@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] X=TLS1.2:RSA_AES_256_CBC_SHA1:256 C="250 OK id=10HmaX-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 >> userx@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 C="250 OK id=10HmaX-0005vi-00"
1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbA-0005vi-00@myhost.test.ex
SMTP>> .
SMTP<< 250 OK id=10HmaX-0005vi-00
LOG: MAIN
- >> userx@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] X=TLS1.2:RSA_AES_256_CBC_SHA1:256 C="250 OK id=10HmaX-0005vi-00"
+ >> userx@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 C="250 OK id=10HmaX-0005vi-00"
SMTP>> QUIT
----------- cutthrough shutdown (delivered) ------------
LOG: MAIN
git://git.exim.org / exim.git / commitdiff