From 389ca47a59cc0247fcee8a50da42aa00af5f7a90 Mon Sep 17 00:00:00 2001
From: Jeremy Harris
Date: Mon, 4 Jun 2012 13:36:19 +0100
Subject: [PATCH 1/1] Fix post-rebase merge issues.
---
 src/src/functions.h | 2 +-
 src/src/globals.h | 2 --
 src/src/tls-gnu.c | 10 +++++-----
 src/src/tls-openssl.c | 21 ++++++++-------------
 src/src/tls.c | 14 +++++++++-----
 src/src/verify.c | 5 ++---
 test/log/5420 | 4 ++--
 test/stderr/5420 | 2 +-
 8 files changed, 28 insertions(+), 32 deletions(-)
diff --git a/src/src/functions.h b/src/src/functions.h
index bc61f31c8..02d152ad6 100644
--- a/src/src/functions.h
+++ b/src/src/functions.h
@@ -36,7 +36,7 @@ extern int tls_read(BOOL, uschar *, size_t);
 extern int tls_server_start(const uschar *);
 extern BOOL tls_smtp_buffered(void);
 extern int tls_ungetc(int);
-extern int tls_write(BOOL, int, const uschar *, size_t);
+extern int tls_write(BOOL, const uschar *, size_t);
 extern uschar *tls_validate_require_cipher(void);
 extern void tls_version_report(FILE *);
 #ifndef USE_GNUTLS
diff --git a/src/src/globals.h b/src/src/globals.h
index 7ed9d5ab6..e910dbe1b 100644
--- a/src/src/globals.h
+++ b/src/src/globals.h
@@ -82,9 +82,7 @@ typedef struct {
 BOOL on_connect; /* For older MTAs that don't STARTTLS */
 uschar *on_connect_ports; /* Ports always tls-on-connect */
 uschar *peerdn; /* DN from peer */
-#ifndef USE_GNUTLS
 uschar *sni; /* Server Name Indication */
-#endif
 } tls_support;
 extern tls_support tls_in;
 extern tls_support tls_out;
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 8a133c5af..f8172e76b 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -63,7 +63,7 @@ Some of these correspond to variables in globals.c; those variables will be set
 to point to content in one of these instances, as appropriate for the stage of the process lifetime.
-Not handled here: global tls_channelbinding_b64. /*XXX JGH */
+Not handled here: global tls_channelbinding_b64. */
 typedef struct exim_gnutls_state {
@@ -94,7 +94,7 @@ typedef struct exim_gnutls_state {
 uschar *exp_tls_crl;
 uschar *exp_tls_require_ciphers;
- tls_support *tlsp;
+ tls_support *tlsp; /* set in tls_init() */
 uschar *xfer_buffer;
 int xfer_buffer_lwm;
@@ -966,7 +966,7 @@ if (rc != OK) return rc;
 /* set SNI in client, only */
 if (host)
 {
- if (!expand_check_tlsvar(state->tlsp->sni))
+ if (!expand_check(state->tlsp->sni, "tls_sni", &state->exp_tls_sni))
 return DEFER;
 if (state->exp_tls_sni && *state->exp_tls_sni)
 {
@@ -1641,7 +1641,7 @@ tls_close(BOOL is_server, BOOL shutdown)
 {
 exim_gnutls_state_st *state = is_server ? &state_server : &state_client;
-if (state->tlsp->active < 0) return; /* TLS was not active */
+if (!state->tlsp || state->tlsp->active < 0) return; /* TLS was not active */
 if (shutdown)
 {
@@ -1651,6 +1651,7 @@ if (shutdown)
 gnutls_deinit(state->session);
+state->tlsp->active = -1;
 memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
 if ((state_server.session == NULL) && (state_client.session == NULL))
@@ -1659,7 +1660,6 @@ if ((state_server.session == NULL) && (state_client.session == NULL))
 exim_gnutls_base_init_done = FALSE;
 }
-state->tlsp->active = -1;
 }
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index bbf6855ff..d5b31e72c 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -50,6 +50,7 @@ static SSL_CTX *client_ctx = NULL;
 static SSL_CTX *server_ctx = NULL;
 static SSL *client_ssl = NULL;
 static SSL *server_ssl = NULL;
+
 #ifdef EXIM_HAVE_OPENSSL_TLSEXT
 static SSL_CTX *client_sni = NULL;
 static SSL_CTX *server_sni = NULL;
@@ -317,11 +318,7 @@ Returns: TRUE if OK (nothing to set up, or setup worked)
 */
 static BOOL
-<<<<<<< HEAD
 init_dh(SSL_CTX *sctx, uschar *dhparam, host_item *host)
-=======
-init_dh(SSL_CTX *ctx, uschar *dhparam, host_item *host)
->>>>>>> Dual-tls - split management of TLS into in- and out-bound connection-handling.
 {
 BIO *bio;
 DH *dh;
@@ -683,7 +680,7 @@ OCSP information. */
 rc = tls_expand_session_files(server_sni, cbinfo);
 if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
-rc = init_dh(ctx_sni, cbinfo->dhparam, NULL);
+rc = init_dh(server_sni, cbinfo->dhparam, NULL);
 if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
 DEBUG(D_tls) debug_printf("Switching SSL context.\n");
@@ -852,11 +849,7 @@ else
 /* Initialize with DH parameters if supplied */
-<<<<<<< HEAD
-if (!init_dh(ctx, dhparam, host)) return DEFER;
-=======
 if (!init_dh(*ctxp, dhparam, host)) return DEFER;
->>>>>>> Dual-tls - split management of TLS into in- and out-bound connection-handling.
 /* Set up certificate and key (and perhaps OCSP info) */
@@ -1493,16 +1486,17 @@ Only used by the client-side TLS.
 */
 int
-tls_read(uschar *buff, size_t len)
+tls_read(BOOL is_server, uschar *buff, size_t len)
 {
+SSL *ssl = is_server ? server_ssl : client_ssl;
 int inbytes;
 int error;
-DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", client_ssl,
+DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
 buff, (unsigned int)len);
-inbytes = SSL_read(client_ssl, CS buff, len);
-error = SSL_get_error(client_ssl, inbytes);
+inbytes = SSL_read(ssl, CS buff, len);
+error = SSL_get_error(ssl, inbytes);
 if (error == SSL_ERROR_ZERO_RETURN)
 {
@@ -1601,6 +1595,7 @@ void
 tls_close(BOOL is_server, BOOL shutdown)
 {
 SSL **sslp = is_server ? &server_ssl : &client_ssl;
+int *fdp = is_server ? &tls_in.active : &tls_out.active;
 if (*fdp < 0) return; /* TLS was not active */
diff --git a/src/src/tls.c b/src/src/tls.c
index 0c98aeba9..0625c48b8 100644
--- a/src/src/tls.c
+++ b/src/src/tls.c
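Review bot: The new call `rc = init_dh(server_sni, cbinfo->dhparam, NULL); if (rc != OK) return SSL_TLSEXT_ERR_NOACK;` tests a BOOL against the OK return code: init_dh is declared `static BOOL` and documented as returning TRUE if OK in the `@@ -317` hunk of this file, whereas OK belongs to the OK/DEFER convention that tls_expand_session_files uses on the line above. Unless OK and TRUE happen to share a value, a successful DH setup is answered with SSL_TLSEXT_ERR_NOACK and a failed one is silently accepted, so the SNI-switched server context may be used without the intended DH parameters. The other call site in this hunk already uses the BOOL form, `if (!init_dh(*ctxp, dhparam, host)) return DEFER;`; the callback should do the same: `if (!init_dh(server_sni, cbinfo->dhparam, NULL)) return SSL_TLSEXT_ERR_NOACK;`. The enclosing callback starts and ends outside the hunk.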
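Review bot: The header comment above tls_read still says `Only used by the client-side TLS.` while the hunk adds an `is_server` parameter that selects server_ssl, so the comment is now wrong and the parameter is undocumented; the Arguments list should gain a line such as `is_server  TRUE to read from the inbound (server) session, FALSE for the outbound (client) one`, matching the `Only used by the server-side TLS.` notes this commit adds in tls.c. Also, `ssl` goes straight into SSL_read and SSL_get_error; both client_ssl and server_ssl are initialised to NULL at the top of the file, so a call for a side whose session has not been started passes NULL into OpenSSL — presumably callers only read once tls_in/tls_out.active is set, but stating that precondition in the comment, or adding an explicit `if (!ssl)` guard with a debug message, would make the contract visible. The rest of tls_read lies outside the hunk.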
@@ -86,11 +86,11 @@ return TRUE;
 #ifdef USE_GNUTLS
 #include "tls-gnu.c"
-#define ssl_xfer_buffer (current_global_tls_state->xfer_buffer)
-#define ssl_xfer_buffer_lwm (current_global_tls_state->xfer_buffer_lwm)
-#define ssl_xfer_buffer_hwm (current_global_tls_state->xfer_buffer_hwm)
-#define ssl_xfer_eof (current_global_tls_state->xfer_eof)
-#define ssl_xfer_error (current_global_tls_state->xfer_error)
+#define ssl_xfer_buffer (state_server.xfer_buffer)
+#define ssl_xfer_buffer_lwm (state_server.xfer_buffer_lwm)
+#define ssl_xfer_buffer_hwm (state_server.xfer_buffer_hwm)
+#define ssl_xfer_eof (state_server.xfer_eof)
+#define ssl_xfer_error (state_server.xfer_error)
 #else
 #include "tls-openssl.c"
@@ -104,6 +104,7 @@ return TRUE;
 /* Puts a character back in the input buffer. Only ever called once.
+Only used by the server-side TLS.
 Arguments:
 ch the character
@@ -125,6 +126,7 @@ return ch;
 *************************************************/
 /* Tests for a previous EOF
+Only used by the server-side TLS.
 Arguments: none
 Returns: non-zero if the eof flag is set
@@ -144,6 +146,7 @@ return ssl_xfer_eof;
 /* Tests for a previous read error, and returns with errno restored to what it was when the error was detected.
+Only used by the server-side TLS.
 >>>>> Hmm. Errno not handled yet. Where do we get it from? >>>>>
@@ -163,6 +166,7 @@ return ssl_xfer_error;
 *************************************************/
 /* Tests for unused chars in the TLS input buffer.
+Only used by the server-side TLS.
 Arguments: none
 Returns: TRUE/FALSE
diff --git a/src/src/verify.c b/src/src/verify.c
index 6d31b8256..6e3e6a3af 100644
--- a/src/src/verify.c
+++ b/src/src/verify.c
@@ -498,7 +498,7 @@ else
 tls_retry_connection:
 inblock.sock = outblock.sock =
- smtp_connect(host, host_af, port, interface, callout_connect, TRUE);
+ smtp_connect(host, host_af, port, interface, callout_connect, TRUE, NULL);
 /* reconsider DSCP here */
 if (inblock.sock < 0)
 {
@@ -635,8 +635,7 @@ else
 ob->tls_certificate, ob->tls_privatekey, ob->tls_sni, ob->tls_verify_certificates, ob->tls_crl,
- ob->tls_require_ciphers,
- ob->gnutls_require_mac, ob->gnutls_require_kx, ob->gnutls_require_proto,
+ ob->tls_require_ciphers,
 ob->tls_dh_min_bits, callout);
 /* TLS negotiation failed; give an error. Try in clear on a new connection,
diff --git a/test/log/5420 b/test/log/5420
index 2e117cbfe..e85916237 100644
--- a/test/log/5420
+++ b/test/log/5420
@@ -1,7 +1,7 @@
 1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.2:RSA_AES_256_CBC_SHA1:256 S=sss id=E10HmaY-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss id=E10HmaY-0005vi-00@myhost.test.ex
 1999-03-02 09:44:33 10HmaX-0005vi-00 no immediate delivery: queued by ACL
-1999-03-02 09:44:33 10HmaY-0005vi-00 >> userx@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] X=TLS1.2:RSA_AES_256_CBC_SHA1:256 C="250 OK id=10HmaX-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 >> userx@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 C="250 OK id=10HmaX-0005vi-00"
 1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss
 1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
 1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbA-0005vi-00@myhost.test.ex
diff --git a/test/stderr/5420 b/test/stderr/5420
index 626e9d159..90592286b 100644
--- a/test/stderr/5420
+++ b/test/stderr/5420
@@ -128,7 +128,7 @@ expanding: ${tod_full}
 SMTP>> .
 SMTP<< 250 OK id=10HmaX-0005vi-00
 LOG: MAIN
- >> userx@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] X=TLS1.2:RSA_AES_256_CBC_SHA1:256 C="250 OK id=10HmaX-0005vi-00"
+ >> userx@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 C="250 OK id=10HmaX-0005vi-00"
 SMTP>> QUIT
 ----------- cutthrough shutdown (delivered) ------------
 LOG: MAIN
--
2.30.2