| side by side (from parent 1:
b32ddfa
)
Fix post-rebase merge issues.
author
Jeremy Harris
<jgh146exb@wizmail.org>
Mon, 4 Jun 2012 12:36:19 +0000
(13:36 +0100)
committer
Jeremy Harris
<jgh146exb@wizmail.org>
Mon, 4 Jun 2012 13:57:04 +0000
(14:57 +0100)
src/src/functions.h
src/src/globals.h
src/src/tls-gnu.c
src/src/tls-openssl.c
src/src/tls.c
src/src/verify.c
test/log/5420
test/stderr/5420
diff --git
a/src/src/functions.h
b/src/src/functions.h
index bc61f31c817022658a602d2d21f765600238decb..02d152ad6168b55f58ce7e0d2182b7bdc531df8a 100644
--- a/
src/src/functions.h
+++ b/
src/src/functions.h
@@
-36,7
+36,7
@@
extern int tls_read(BOOL, uschar *, size_t);
extern int tls_server_start(const uschar *);
extern BOOL tls_smtp_buffered(void);
extern int tls_ungetc(int);
extern int tls_server_start(const uschar *);
extern BOOL tls_smtp_buffered(void);
extern int tls_ungetc(int);
-extern int tls_write(BOOL,
int,
const uschar *, size_t);
+extern int tls_write(BOOL, const uschar *, size_t);
extern uschar *tls_validate_require_cipher(void);
extern void tls_version_report(FILE *);
#ifndef USE_GNUTLS
extern uschar *tls_validate_require_cipher(void);
extern void tls_version_report(FILE *);
#ifndef USE_GNUTLS
diff --git
a/src/src/globals.h
b/src/src/globals.h
index 7ed9d5ab6d45e2270ef48f3891757f5dbe36fde6..e910dbe1beba88a108185890ad48d84e47d749e9 100644
--- a/
src/src/globals.h
+++ b/
src/src/globals.h
@@
-82,9
+82,7
@@
typedef struct {
BOOL on_connect; /* For older MTAs that don't STARTTLS */
uschar *on_connect_ports; /* Ports always tls-on-connect */
uschar *peerdn; /* DN from peer */
BOOL on_connect; /* For older MTAs that don't STARTTLS */
uschar *on_connect_ports; /* Ports always tls-on-connect */
uschar *peerdn; /* DN from peer */
-#ifndef USE_GNUTLS
uschar *sni; /* Server Name Indication */
uschar *sni; /* Server Name Indication */
-#endif
} tls_support;
extern tls_support tls_in;
extern tls_support tls_out;
} tls_support;
extern tls_support tls_in;
extern tls_support tls_out;
diff --git
a/src/src/tls-gnu.c
b/src/src/tls-gnu.c
index 8a133c5af6538ce57095b6aa4e78957c515a4f2d..f8172e76b0398639ed29b2c1a3c23ad364803625 100644
--- a/
src/src/tls-gnu.c
+++ b/
src/src/tls-gnu.c
@@
-63,7
+63,7
@@
Some of these correspond to variables in globals.c; those variables will
be set to point to content in one of these instances, as appropriate for
the stage of the process lifetime.
be set to point to content in one of these instances, as appropriate for
the stage of the process lifetime.
-Not handled here: global tls_channelbinding_b64.
/*XXX JGH */
+Not handled here: global tls_channelbinding_b64.
*/
typedef struct exim_gnutls_state {
*/
typedef struct exim_gnutls_state {
@@
-94,7
+94,7
@@
typedef struct exim_gnutls_state {
uschar *exp_tls_crl;
uschar *exp_tls_require_ciphers;
uschar *exp_tls_crl;
uschar *exp_tls_require_ciphers;
- tls_support *tlsp;
+ tls_support *tlsp;
/* set in tls_init() */
uschar *xfer_buffer;
int xfer_buffer_lwm;
uschar *xfer_buffer;
int xfer_buffer_lwm;
@@
-966,7
+966,7
@@
if (rc != OK) return rc;
/* set SNI in client, only */
if (host)
{
/* set SNI in client, only */
if (host)
{
- if (!expand_check
_tlsvar(state->tlsp->
sni))
+ if (!expand_check
(state->tlsp->sni, "tls_sni", &state->exp_tls_
sni))
return DEFER;
if (state->exp_tls_sni && *state->exp_tls_sni)
{
return DEFER;
if (state->exp_tls_sni && *state->exp_tls_sni)
{
@@
-1641,7
+1641,7
@@
tls_close(BOOL is_server, BOOL shutdown)
{
exim_gnutls_state_st *state = is_server ? &state_server : &state_client;
{
exim_gnutls_state_st *state = is_server ? &state_server : &state_client;
-if (state->tlsp->active < 0) return; /* TLS was not active */
+if (
!state->tlsp ||
state->tlsp->active < 0) return; /* TLS was not active */
if (shutdown)
{
if (shutdown)
{
@@
-1651,6
+1651,7
@@
if (shutdown)
gnutls_deinit(state->session);
gnutls_deinit(state->session);
+state->tlsp->active = -1;
memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
if ((state_server.session == NULL) && (state_client.session == NULL))
memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
if ((state_server.session == NULL) && (state_client.session == NULL))
@@
-1659,7
+1660,6
@@
if ((state_server.session == NULL) && (state_client.session == NULL))
exim_gnutls_base_init_done = FALSE;
}
exim_gnutls_base_init_done = FALSE;
}
-state->tlsp->active = -1;
}
}
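Review bot: The reason `state->tlsp->active = -1;` had to move ahead of the `memcpy(state, &exim_gnutls_state_init, ...)` in tls_close is not recorded anywhere, and the next rebase could easily put it back: the memcpy overwrites `state->tlsp` with whatever the init template holds (presumably NULL, given the new `!state->tlsp` guard at the top of the function), so the old placement wrote `active` through a reset pointer. Add a why-comment on the moved line, `state->tlsp->active = -1;  /* before the memcpy(): it resets state->tlsp */`. The new guard `if (!state->tlsp || state->tlsp->active < 0) return;` is consistent with that ordering, since a second tls_close after the reset now returns early instead of dereferencing the template pointer. tls_close's body is spread over three hunks here and the shutdown branch between them is outside the view.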
diff --git
a/src/src/tls-openssl.c
b/src/src/tls-openssl.c
index bbf6855ffd0dc767f829f39e5f43430f2ff09353..d5b31e72c646167204f34088621664acb790a0ee 100644
--- a/
src/src/tls-openssl.c
+++ b/
src/src/tls-openssl.c
@@
-50,6
+50,7
@@
static SSL_CTX *client_ctx = NULL;
static SSL_CTX *server_ctx = NULL;
static SSL *client_ssl = NULL;
static SSL *server_ssl = NULL;
static SSL_CTX *server_ctx = NULL;
static SSL *client_ssl = NULL;
static SSL *server_ssl = NULL;
+
#ifdef EXIM_HAVE_OPENSSL_TLSEXT
static SSL_CTX *client_sni = NULL;
static SSL_CTX *server_sni = NULL;
#ifdef EXIM_HAVE_OPENSSL_TLSEXT
static SSL_CTX *client_sni = NULL;
static SSL_CTX *server_sni = NULL;
@@
-317,11
+318,7
@@
Returns: TRUE if OK (nothing to set up, or setup worked)
*/
static BOOL
*/
static BOOL
-<<<<<<< HEAD
init_dh(SSL_CTX *sctx, uschar *dhparam, host_item *host)
init_dh(SSL_CTX *sctx, uschar *dhparam, host_item *host)
-=======
-init_dh(SSL_CTX *ctx, uschar *dhparam, host_item *host)
->>>>>>> Dual-tls - split management of TLS into in- and out-bound connection-handling.
{
BIO *bio;
DH *dh;
{
BIO *bio;
DH *dh;
@@
-683,7
+680,7
@@
OCSP information. */
rc = tls_expand_session_files(server_sni, cbinfo);
if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
rc = tls_expand_session_files(server_sni, cbinfo);
if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
-rc = init_dh(
ctx
_sni, cbinfo->dhparam, NULL);
+rc = init_dh(
server
_sni, cbinfo->dhparam, NULL);
if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
DEBUG(D_tls) debug_printf("Switching SSL context.\n");
if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
DEBUG(D_tls) debug_printf("Switching SSL context.\n");
@@
-852,11
+849,7
@@
else
/* Initialize with DH parameters if supplied */
/* Initialize with DH parameters if supplied */
-<<<<<<< HEAD
-if (!init_dh(ctx, dhparam, host)) return DEFER;
-=======
if (!init_dh(*ctxp, dhparam, host)) return DEFER;
if (!init_dh(*ctxp, dhparam, host)) return DEFER;
->>>>>>> Dual-tls - split management of TLS into in- and out-bound connection-handling.
/* Set up certificate and key (and perhaps OCSP info) */
/* Set up certificate and key (and perhaps OCSP info) */
@@
-1493,16
+1486,17
@@
Only used by the client-side TLS.
*/
int
*/
int
-tls_read(uschar *buff, size_t len)
+tls_read(
BOOL is_server,
uschar *buff, size_t len)
{
{
+SSL *ssl = is_server ? server_ssl : client_ssl;
int inbytes;
int error;
int inbytes;
int error;
-DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n",
client_
ssl,
+DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
buff, (unsigned int)len);
buff, (unsigned int)len);
-inbytes = SSL_read(
client_
ssl, CS buff, len);
-error = SSL_get_error(
client_
ssl, inbytes);
+inbytes = SSL_read(ssl, CS buff, len);
+error = SSL_get_error(ssl, inbytes);
if (error == SSL_ERROR_ZERO_RETURN)
{
if (error == SSL_ERROR_ZERO_RETURN)
{
@@
-1601,6
+1595,7
@@
void
tls_close(BOOL is_server, BOOL shutdown)
{
SSL **sslp = is_server ? &server_ssl : &client_ssl;
tls_close(BOOL is_server, BOOL shutdown)
{
SSL **sslp = is_server ? &server_ssl : &client_ssl;
+int *fdp = is_server ? &tls_in.active : &tls_out.active;
if (*fdp < 0) return; /* TLS was not active */
if (*fdp < 0) return; /* TLS was not active */
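Review bot: The header comment above tls_read still reads `Only used by the client-side TLS.` while the new signature takes `is_server` and selects `server_ssl` when it is set, so the comment now contradicts the code; change it to `Used by both server- and client-side TLS; is_server selects the SSL object.` and add `is_server  TRUE for the inbound session, FALSE for the outbound one` to the Arguments list, which sits above the hunk. It is also worth stating in that comment that `ssl` is not NULL-checked before `SSL_read(ssl, CS buff, len)`, so callers may only call tls_read while the chosen side has an active session; tls_close guards on `tls_in.active`/`tls_out.active` and tls_read appears to rely on callers honouring the same contract. tls_read's body continues past the end of the hunk.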
diff --git
a/src/src/tls.c
b/src/src/tls.c
index 0c98aeba96c4d6cae0e071a5695243f9f2fb8b7d..0625c48b84d93dda9c3f08aa852b9a4b876f3385 100644
--- a/
src/src/tls.c
+++ b/
src/src/tls.c
@@
-86,11
+86,11
@@
return TRUE;
#ifdef USE_GNUTLS
#include "tls-gnu.c"
#ifdef USE_GNUTLS
#include "tls-gnu.c"
-#define ssl_xfer_buffer (
current_global_tls_state->
xfer_buffer)
-#define ssl_xfer_buffer_lwm (
current_global_tls_state->
xfer_buffer_lwm)
-#define ssl_xfer_buffer_hwm (
current_global_tls_state->
xfer_buffer_hwm)
-#define ssl_xfer_eof (
current_global_tls_state->
xfer_eof)
-#define ssl_xfer_error (
current_global_tls_state->
xfer_error)
+#define ssl_xfer_buffer (
state_server.
xfer_buffer)
+#define ssl_xfer_buffer_lwm (
state_server.
xfer_buffer_lwm)
+#define ssl_xfer_buffer_hwm (
state_server.
xfer_buffer_hwm)
+#define ssl_xfer_eof (
state_server.
xfer_eof)
+#define ssl_xfer_error (
state_server.
xfer_error)
#else
#include "tls-openssl.c"
#else
#include "tls-openssl.c"
@@
-104,6
+104,7
@@
return TRUE;
/* Puts a character back in the input buffer. Only ever
called once.
/* Puts a character back in the input buffer. Only ever
called once.
+Only used by the server-side TLS.
Arguments:
ch the character
Arguments:
ch the character
@@
-125,6
+126,7
@@
return ch;
*************************************************/
/* Tests for a previous EOF
*************************************************/
/* Tests for a previous EOF
+Only used by the server-side TLS.
Arguments: none
Returns: non-zero if the eof flag is set
Arguments: none
Returns: non-zero if the eof flag is set
@@
-144,6
+146,7
@@
return ssl_xfer_eof;
/* Tests for a previous read error, and returns with errno
restored to what it was when the error was detected.
/* Tests for a previous read error, and returns with errno
restored to what it was when the error was detected.
+Only used by the server-side TLS.
>>>>> Hmm. Errno not handled yet. Where do we get it from? >>>>>
>>>>> Hmm. Errno not handled yet. Where do we get it from? >>>>>
@@
-163,6
+166,7
@@
return ssl_xfer_error;
*************************************************/
/* Tests for unused chars in the TLS input buffer.
*************************************************/
/* Tests for unused chars in the TLS input buffer.
+Only used by the server-side TLS.
Arguments: none
Returns: TRUE/FALSE
Arguments: none
Returns: TRUE/FALSE
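Review bot: The `Only used by the server-side TLS.` lines added to the tls_ungetc/tls_feof/tls_ferror/tls_smtp_buffered comments correctly reflect the macros now hardwired to `state_server`, but the tls_ferror comment block still carries the leftover `>>>>> Hmm. Errno not handled yet. Where do we get it from? >>>>>` line directly under the new text. Since this commit is removing merge-conflict markers, a line beginning with `>>>>>` will keep tripping conflict-marker checks and reads like one more unresolved conflict; reword it as `TODO: errno is not yet captured when the read error is recorded.` or resolve it. The line appears to sit inside the comment block, but the function bodies themselves are outside the hunks.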
diff --git
a/src/src/verify.c
b/src/src/verify.c
index 6d31b8256ceaead4619486171021d71ef0a60bf0..6e3e6a3afba7ca906fb2bd5e00bc62222e1e7193 100644
--- a/
src/src/verify.c
+++ b/
src/src/verify.c
@@
-498,7
+498,7
@@
else
tls_retry_connection:
inblock.sock = outblock.sock =
tls_retry_connection:
inblock.sock = outblock.sock =
- smtp_connect(host, host_af, port, interface, callout_connect, TRUE);
+ smtp_connect(host, host_af, port, interface, callout_connect, TRUE
, NULL
);
/* reconsider DSCP here */
if (inblock.sock < 0)
{
/* reconsider DSCP here */
if (inblock.sock < 0)
{
@@
-635,8
+635,7
@@
else
ob->tls_certificate, ob->tls_privatekey,
ob->tls_sni,
ob->tls_verify_certificates, ob->tls_crl,
ob->tls_certificate, ob->tls_privatekey,
ob->tls_sni,
ob->tls_verify_certificates, ob->tls_crl,
- ob->tls_require_ciphers,
- ob->gnutls_require_mac, ob->gnutls_require_kx, ob->gnutls_require_proto,
+ ob->tls_require_ciphers, ob->tls_dh_min_bits,
callout);
/* TLS negotiation failed; give an error. Try in clear on a new connection,
callout);
/* TLS negotiation failed; give an error. Try in clear on a new connection,
diff --git
a/test/log/5420
b/test/log/5420
index 2e117cbfeb7bc65a60dfe8f4e936bddbf1ebbc1b..e859162379d6790fbf8066d8f0eca7b54f7bd47d 100644
--- a/
test/log/5420
+++ b/
test/log/5420
@@
-1,7
+1,7
@@
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.
2:RSA_AES_256_CBC_SHA1
:256 S=sss id=E10HmaY-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.
x:xxxxRSA_AES_256_CBC_SHAnnn
:256 S=sss id=E10HmaY-0005vi-00@myhost.test.ex
1999-03-02 09:44:33 10HmaX-0005vi-00 no immediate delivery: queued by ACL
1999-03-02 09:44:33 10HmaX-0005vi-00 no immediate delivery: queued by ACL
-1999-03-02 09:44:33 10HmaY-0005vi-00 >> userx@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] X=TLS1.
2:RSA_AES_256_CBC_SHA1
:256 C="250 OK id=10HmaX-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 >> userx@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] X=TLS1.
x:xxxxRSA_AES_256_CBC_SHAnnn
:256 C="250 OK id=10HmaX-0005vi-00"
1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbA-0005vi-00@myhost.test.ex
1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbA-0005vi-00@myhost.test.ex
diff --git
a/test/stderr/5420
b/test/stderr/5420
index 626e9d159f40bc2b9e5d0719cd14907f532d4003..90592286b6c45c34aa6ad46774f380646f0451da 100644
--- a/
test/stderr/5420
+++ b/
test/stderr/5420
@@
-128,7
+128,7
@@
expanding: ${tod_full}
SMTP>> .
SMTP<< 250 OK id=10HmaX-0005vi-00
LOG: MAIN
SMTP>> .
SMTP<< 250 OK id=10HmaX-0005vi-00
LOG: MAIN
- >> userx@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] X=TLS1.
2:RSA_AES_256_CBC_SHA1
:256 C="250 OK id=10HmaX-0005vi-00"
+ >> userx@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] X=TLS1.
x:xxxxRSA_AES_256_CBC_SHAnnn
:256 C="250 OK id=10HmaX-0005vi-00"
SMTP>> QUIT
----------- cutthrough shutdown (delivered) ------------
LOG: MAIN
SMTP>> QUIT
----------- cutthrough shutdown (delivered) ------------
LOG: MAIN