X-Git-Url: https://git.exim.org/users/jgh/exim.git/blobdiff_plain/dea4b5684c694c41105215bdb25f8e91b7c35c5d..e326959e5e455e1b46124b023e0b202e4892e501:/src/src/tls-gnu.c diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c index df07c536c..52128b940 100644 --- a/src/src/tls-gnu.c +++ b/src/src/tls-gnu.c @@ -76,6 +76,11 @@ require current GnuTLS, then we'll drop support for the ancient libraries). #if GNUTLS_VERSION_NUMBER >= 0x030506 && !defined(DISABLE_OCSP) # define SUPPORT_SRV_OCSP_STACK #endif +#if GNUTLS_VERSION_NUMBER >= 0x030603 +# define EXIM_HAVE_TLS1_3 +# define SUPPORT_GNUTLS_EXT_RAW_PARSE +# define GNUTLS_OCSP_STATUS_REQUEST_GET2 +#endif #ifdef SUPPORT_DANE # if GNUTLS_VERSION_NUMBER >= 0x030000 @@ -112,6 +117,9 @@ options_tls(void) # ifdef EXPERIMENTAL_TLS_RESUME builtin_macro_create_var(US"_RESUME_DECODE", RESUME_DECODE_STRING ); # endif +# ifdef EXIM_HAVE_TLS1_3 +builtin_macro_create(US"_HAVE_TLS1_3"); +# endif } #else @@ -225,6 +233,7 @@ static BOOL exim_gnutls_base_init_done = FALSE; #ifndef DISABLE_OCSP static BOOL gnutls_buggy_ocsp = FALSE; +static BOOL exim_testharness_disable_ocsp_validity_check = FALSE; #endif #ifdef EXPERIMENTAL_TLS_RESUME @@ -287,11 +296,16 @@ static void exim_gnutls_logger_cb(int level, const char *message); static int exim_sni_handling_cb(gnutls_session_t session); -#ifndef DISABLE_OCSP +#if !defined(DISABLE_OCSP) static int server_ocsp_stapling_cb(gnutls_session_t session, void * ptr, gnutls_datum_t * ocsp_response); #endif +#ifdef EXPERIMENTAL_TLS_RESUME +static int +tls_server_ticket_cb(gnutls_session_t sess, u_int htype, unsigned when, + unsigned incoming, const gnutls_datum_t * msg); +#endif /* Daemon one-time initialisation */ @@ -648,7 +662,7 @@ if ((fd = Uopen(filename, O_RDONLY, 0)) >= 0) } m.size = statbuf.st_size; - if (!(m.data = malloc(m.size))) + if (!(m.data = store_malloc(m.size))) { fclose(fp); return tls_error_sys(US"malloc failed", errno, NULL, errstr); @@ -657,13 +671,13 @@ if ((fd = Uopen(filename, O_RDONLY, 0)) >= 0) { saved_errno = errno; fclose(fp); - free(m.data); + store_free(m.data); return tls_error_sys(US"fread failed", saved_errno, NULL, errstr); } fclose(fp); rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM); - free(m.data); + store_free(m.data); if (rc) return tls_error_gnu(US"gnutls_dh_params_import_pkcs3", rc, host, errstr); DEBUG(D_tls) debug_printf("read D-H parameters from file \"%s\"\n", filename); @@ -736,25 +750,25 @@ if (rc < 0) return tls_error_gnu(US"gnutls_dh_params_export_pkcs3(NULL) sizing", rc, host, errstr); m.size = sz; - if (!(m.data = malloc(m.size))) + if (!(m.data = store_malloc(m.size))) return tls_error_sys(US"memory allocation failed", errno, NULL, errstr); /* this will return a size 1 less than the allocation size above */ if ((rc = gnutls_dh_params_export_pkcs3(dh_server_params, GNUTLS_X509_FMT_PEM, m.data, &sz))) { - free(m.data); + store_free(m.data); return tls_error_gnu(US"gnutls_dh_params_export_pkcs3() real", rc, host, errstr); } m.size = sz; /* shrink by 1, probably */ if ((sz = write_to_fd_buf(fd, m.data, (size_t) m.size)) != m.size) { - free(m.data); + store_free(m.data); return tls_error_sys(US"TLS cache write D-H params failed", errno, NULL, errstr); } - free(m.data); + store_free(m.data); if ((sz = write_to_fd_buf(fd, US"\n", 1)) != 1) return tls_error_sys(US"TLS cache write D-H params final newline failed", errno, NULL, errstr); @@ -868,6 +882,125 @@ return -rc; } +#ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE +/* Make a note that we saw a status-request */ +static int +tls_server_clienthello_ext(void * ctx, unsigned tls_id, + const unsigned char *data, unsigned size) +{ +/* https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml */ +if (tls_id == 5) /* status_request */ + { + DEBUG(D_tls) debug_printf("Seen status_request extension from client\n"); + tls_in.ocsp = OCSP_NOT_RESP; + } +return 0; +} + +/* Callback for client-hello, on server, if we think we might serve stapled-OCSP */ +static int +tls_server_clienthello_cb(gnutls_session_t session, unsigned int htype, + unsigned when, unsigned int incoming, const gnutls_datum_t * msg) +{ +/* Call fn for each extension seen. 3.6.3 onwards */ +return gnutls_ext_raw_parse(NULL, tls_server_clienthello_ext, msg, + GNUTLS_EXT_RAW_FLAG_TLS_CLIENT_HELLO); +} + + +/* Make a note that we saw a status-response */ +static int +tls_server_servercerts_ext(void * ctx, unsigned tls_id, + const unsigned char *data, unsigned size) +{ +/* debug_printf("%s %u\n", __FUNCTION__, tls_id); */ +/* https://www.iana.org/assignments/tls-extensiontype-values/tls-extensiontype-values.xhtml */ +if (FALSE && tls_id == 5) /* status_request */ + { + DEBUG(D_tls) debug_printf("Seen status_request extension\n"); + tls_in.ocsp = exim_testharness_disable_ocsp_validity_check + ? OCSP_VFY_NOT_TRIED : OCSP_VFIED; /* We know that GnuTLS verifies responses */ + } +return 0; +} + +/* Callback for certificates packet, on server, if we think we might serve stapled-OCSP */ +static int +tls_server_servercerts_cb(gnutls_session_t session, unsigned int htype, + unsigned when, unsigned int incoming, const gnutls_datum_t * msg) +{ +/* Call fn for each extension seen. 3.6.3 onwards */ +#ifdef notdef +/*XXX crashes */ +return gnutls_ext_raw_parse(NULL, tls_server_servercerts_ext, msg, 0); +#endif +} +#endif + +/*XXX in tls1.3 the cert-status travel as an extension next to the cert, in the + "Handshake Protocol: Certificate" record. +So we need to spot the Certificate handshake message, parse it and spot any status_request extension(s) + +This is different to tls1.2 - where it is a separate record (wireshake term) / handshake message (gnutls term). +*/ + +#if defined(EXPERIMENTAL_TLS_RESUME) || defined(SUPPORT_GNUTLS_EXT_RAW_PARSE) +/* Callback for certificate-status, on server. We sent stapled OCSP. */ +static int +tls_server_certstatus_cb(gnutls_session_t session, unsigned int htype, + unsigned when, unsigned int incoming, const gnutls_datum_t * msg) +{ +DEBUG(D_tls) debug_printf("Sending certificate-status\n"); /*XXX we get this for tls1.2 but not for 1.3 */ +#ifdef SUPPORT_SRV_OCSP_STACK +tls_in.ocsp = exim_testharness_disable_ocsp_validity_check + ? OCSP_VFY_NOT_TRIED : OCSP_VFIED; /* We know that GnuTLS verifies responses */ +#else +tls_in.ocsp = OCSP_VFY_NOT_TRIED; +#endif +return 0; +} + +/* Callback for handshake messages, on server */ +static int +tls_server_hook_cb(gnutls_session_t sess, u_int htype, unsigned when, + unsigned incoming, const gnutls_datum_t * msg) +{ +/* debug_printf("%s: htype %u\n", __FUNCTION__, htype); */ +switch (htype) + { +# ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE + case GNUTLS_HANDSHAKE_CLIENT_HELLO: + return tls_server_clienthello_cb(sess, htype, when, incoming, msg); + case GNUTLS_HANDSHAKE_CERTIFICATE_PKT: + return tls_server_servercerts_cb(sess, htype, when, incoming, msg); +# endif + case GNUTLS_HANDSHAKE_CERTIFICATE_STATUS: + return tls_server_certstatus_cb(sess, htype, when, incoming, msg); +# ifdef EXPERIMENTAL_TLS_RESUME + case GNUTLS_HANDSHAKE_NEW_SESSION_TICKET: + return tls_server_ticket_cb(sess, htype, when, incoming, msg); +# endif + default: + return 0; + } +} +#endif + + +#if !defined(DISABLE_OCSP) && defined(SUPPORT_GNUTLS_EXT_RAW_PARSE) +static void +tls_server_testharness_ocsp_fiddle(void) +{ +extern char ** environ; +if (environ) for (uschar ** p = USS environ; *p; p++) + if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0) + { + DEBUG(D_tls) debug_printf("Permitting known bad OCSP response\n"); + exim_testharness_disable_ocsp_validity_check = TRUE; + } +} +#endif + /************************************************* * Variables re-expanded post-SNI * *************************************************/ @@ -928,6 +1061,18 @@ if ((rc = gnutls_certificate_allocate_credentials(&state->x509_cred))) #ifdef SUPPORT_SRV_OCSP_STACK gnutls_certificate_set_flags(state->x509_cred, GNUTLS_CERTIFICATE_API_V2); + +# if !defined(DISABLE_OCSP) && defined(SUPPORT_GNUTLS_EXT_RAW_PARSE) +if (!host && tls_ocsp_file) + { + if (f.running_in_test_harness) + tls_server_testharness_ocsp_fiddle(); + + if (exim_testharness_disable_ocsp_validity_check) + gnutls_certificate_set_flags(state->x509_cred, + GNUTLS_CERTIFICATE_API_V2 | GNUTLS_CERTIFICATE_SKIP_OCSP_RESPONSE_CHECK); + } +# endif #endif /* remember: expand_check_tlsvar() is expand_check() but fiddling with @@ -955,7 +1100,7 @@ if (state->tls_privatekey && !expand_check_tlsvar(tls_privatekey, errstr)) /* tls_privatekey is optional, defaulting to same file as certificate */ -if (state->tls_privatekey == NULL || *state->tls_privatekey == '\0') +if (!state->tls_privatekey || !*state->tls_privatekey) { state->tls_privatekey = state->tls_certificate; state->exp_tls_privatekey = state->exp_tls_certificate; @@ -986,8 +1131,11 @@ if (state->exp_tls_certificate && *state->exp_tls_certificate) const uschar * olist; int csep = 0, ksep = 0, osep = 0, cnt = 0; uschar * cfile, * kfile, * ofile; - #ifndef DISABLE_OCSP +# ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE + gnutls_x509_crt_fmt_t ocsp_fmt = GNUTLS_X509_FMT_DER; +# endif + if (!expand_check(tls_ocsp_file, US"tls_ocsp_file", &ofile, errstr)) return DEFER; olist = ofile; @@ -1002,12 +1150,13 @@ if (state->exp_tls_certificate && *state->exp_tls_certificate) else { int gnutls_cert_index = -rc; - DEBUG(D_tls) debug_printf("TLS: cert/key %s registered\n", cfile); - - /* Set the OCSP stapling server info */ + DEBUG(D_tls) debug_printf("TLS: cert/key %d %s registered\n", + gnutls_cert_index, cfile); #ifndef DISABLE_OCSP if (tls_ocsp_file) + { + /* Set the OCSP stapling server info */ if (gnutls_buggy_ocsp) { DEBUG(D_tls) @@ -1015,37 +1164,63 @@ if (state->exp_tls_certificate && *state->exp_tls_certificate) } else if ((ofile = string_nextinlist(&olist, &osep, NULL, 0))) { - /* Use the full callback method for stapling just to get - observability. More efficient would be to read the file once only, - if it never changed (due to SNI). Would need restart on file update, - or watch datestamp. */ + DEBUG(D_tls) debug_printf("OCSP response file %d = %s\n", + gnutls_cert_index, ofile); +# ifdef SUPPORT_GNUTLS_EXT_RAW_PARSE + if (Ustrncmp(ofile, US"PEM ", 4) == 0) + { + ocsp_fmt = GNUTLS_X509_FMT_PEM; + ofile += 4; + } + else if (Ustrncmp(ofile, US"DER ", 4) == 0) + { + ocsp_fmt = GNUTLS_X509_FMT_DER; + ofile += 4; + } -# ifdef SUPPORT_SRV_OCSP_STACK - if ((rc = gnutls_certificate_set_ocsp_status_request_function2( - state->x509_cred, gnutls_cert_index, - server_ocsp_stapling_cb, ofile))) + if ((rc = gnutls_certificate_set_ocsp_status_request_file2( + state->x509_cred, CCS ofile, gnutls_cert_index, + ocsp_fmt)) < 0) return tls_error_gnu( - US"gnutls_certificate_set_ocsp_status_request_function2", + US"gnutls_certificate_set_ocsp_status_request_file2", rc, host, errstr); + DEBUG(D_tls) + debug_printf(" %d response%s loaded\n", rc, rc>1 ? "s":""); + + /* Arrange callbacks for OCSP request observability */ + + gnutls_handshake_set_hook_function(state->session, + GNUTLS_HANDSHAKE_ANY, GNUTLS_HOOK_POST, tls_server_hook_cb); + # else - if (cnt++ > 0) +# if defined(SUPPORT_SRV_OCSP_STACK) + if ((rc = gnutls_certificate_set_ocsp_status_request_function2( + state->x509_cred, gnutls_cert_index, + server_ocsp_stapling_cb, ofile))) + return tls_error_gnu( + US"gnutls_certificate_set_ocsp_status_request_function2", + rc, host, errstr); + else +# endif { - DEBUG(D_tls) - debug_printf("oops; multiple OCSP files not supported\n"); - break; + if (cnt++ > 0) + { + DEBUG(D_tls) + debug_printf("oops; multiple OCSP files not supported\n"); + break; + } + gnutls_certificate_set_ocsp_status_request_function( + state->x509_cred, server_ocsp_stapling_cb, ofile); } - gnutls_certificate_set_ocsp_status_request_function( - state->x509_cred, server_ocsp_stapling_cb, ofile); -# endif - - DEBUG(D_tls) debug_printf("OCSP response file = %s\n", ofile); +# endif /* SUPPORT_GNUTLS_EXT_RAW_PARSE */ } else DEBUG(D_tls) debug_printf("ran out of OCSP response files in list\n"); -#endif + } +#endif /* DISABLE_OCSP */ } } - else + else /* client */ { if (0 < (rc = tls_add_certfile(state, host, state->exp_tls_certificate, state->exp_tls_privatekey, errstr))) @@ -1143,6 +1318,14 @@ else #endif gnutls_certificate_set_x509_trust_file(state->x509_cred, CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM); + +#ifdef SUPPORT_CA_DIR + /* Mimic the behaviour with OpenSSL of not advertising a usable-cert list + when using the directory-of-certs config model. */ + + if ((statbuf.st_mode & S_IFMT) == S_IFDIR) + gnutls_certificate_send_x509_rdn_sequence(state->session, 1); +#endif } if (cert_count < 0) @@ -1324,7 +1507,7 @@ if (host) several in parallel. */ int old_pool = store_pool; store_pool = POOL_PERM; - state = store_get(sizeof(exim_gnutls_state_st)); + state = store_get(sizeof(exim_gnutls_state_st), FALSE); store_pool = old_pool; memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init)); @@ -1621,7 +1804,7 @@ if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER) exim_gnutls_peer_err(US"getting size for cert DN failed"); return FAIL; /* should not happen */ } -dn_buf = store_get_perm(sz); +dn_buf = store_get_perm(sz, TRUE); /* tainted */ rc = gnutls_x509_crt_get_dn(crt, CS dn_buf, &sz); exim_gnutls_peer_err(US"failed to extract certificate DN [gnutls_x509_crt_get_dn(cert 0)]"); @@ -1701,8 +1884,8 @@ else for(nrec = 0; state->dane_data_len[nrec]; ) nrec++; nrec++; - dd = store_get(nrec * sizeof(uschar *)); - ddl = store_get(nrec * sizeof(int)); + dd = store_get(nrec * sizeof(uschar *), FALSE); + ddl = store_get(nrec * sizeof(int), FALSE); nrec--; if ((rc = dane_state_init(&s, 0))) @@ -1930,13 +2113,12 @@ uschar * dummy_errstr; rc = gnutls_server_name_get(session, sni_name, &data_len, &sni_type, 0); if (rc != GNUTLS_E_SUCCESS) { - DEBUG(D_tls) { + DEBUG(D_tls) if (rc == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) debug_printf("TLS: no SNI presented in handshake.\n"); else debug_printf("TLS failure: gnutls_server_name_get(): %s [%d]\n", gnutls_strerror(rc), rc); - } return 0; } @@ -1949,7 +2131,7 @@ if (sni_type != GNUTLS_NAME_DNS) /* We now have a UTF-8 string in sni_name */ old_pool = store_pool; store_pool = POOL_PERM; -state->received_sni = string_copyn(US sni_name, data_len); +state->received_sni = string_copy_taint(US sni_name, TRUE); store_pool = old_pool; /* We set this one now so that variable expansions below will work */ @@ -1976,7 +2158,7 @@ return 0; -#ifndef DISABLE_OCSP +#if !defined(DISABLE_OCSP) static int server_ocsp_stapling_cb(gnutls_session_t session, void * ptr, @@ -2068,7 +2250,8 @@ post_handshake_debug(exim_gnutls_state_st * state) debug_printf("%s\n", gnutls_session_get_desc(state->session)); #endif #ifdef SUPPORT_GNUTLS_KEYLOG -# ifdef GNUTLS_TLS1_3 + +# ifdef EXIM_HAVE_TLS1_3 if (gnutls_protocol_get_version(state->session) < GNUTLS_TLS1_3) #else if (TRUE) @@ -2088,7 +2271,8 @@ else " set environment variable SSLKEYLOGFILE to a filename writable by uid exim\n" " add SSLKEYLOGFILE to keep_environment in the exim config\n" " run exim as root\n" - " if using sudo, add SSLKEYLOGFILE to env_keep in /etc/sudoers\n"); + " if using sudo, add SSLKEYLOGFILE to env_keep in /etc/sudoers\n" + " (works for TLS1.2 also, and saves cut-paste into file)\n"); #endif } @@ -2126,7 +2310,7 @@ if (verify_check_host(&tls_resumption_hosts) == OK) /* Try to tell if we see a ticket request */ gnutls_handshake_set_hook_function(state->session, - GNUTLS_HANDSHAKE_NEW_SESSION_TICKET, GNUTLS_HOOK_POST, tls_server_ticket_cb); + GNUTLS_HANDSHAKE_ANY, GNUTLS_HOOK_POST, tls_server_hook_cb); } } @@ -2384,8 +2568,8 @@ for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr; rr = dns_next_rr(dnsa, &dnss, RESET_NEXT) ) if (rr->type == T_TLSA) i++; -dane_data = store_get(i * sizeof(uschar *)); -dane_data_len = store_get(i * sizeof(int)); +dane_data = store_get(i * sizeof(uschar *), FALSE); +dane_data_len = store_get(i * sizeof(int), FALSE); i = 0; for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr; @@ -2393,6 +2577,7 @@ for (dns_record * rr = dns_next_rr(dnsa, &dnss, RESET_ANSWERS); rr; ) if (rr->type == T_TLSA && rr->size > 3) { const uschar * p = rr->data; +/*XXX need somehow to mark rr and its data as tainted. Doues this mean copying it? */ uint8_t usage = p[0], sel = p[1], type = p[2]; DEBUG(D_tls) @@ -2497,7 +2682,7 @@ if (gnutls_session_get_flags(session) & GNUTLS_SFLAGS_SESSION_TICKET) { open_db dbblock, * dbm_file; int dlen = sizeof(dbdata_tls_session) + tkt.size; - dbdata_tls_session * dt = store_get(dlen); + dbdata_tls_session * dt = store_get(dlen, TRUE); DEBUG(D_tls) debug_printf("session data size %u\n", (unsigned)tkt.size); memcpy(dt->session, tkt.data, tkt.size); @@ -2757,23 +2942,33 @@ if (!verify_certificate(state, errstr)) } #ifndef DISABLE_OCSP -if (require_ocsp) +if (request_ocsp) { DEBUG(D_tls) { gnutls_datum_t stapling; gnutls_ocsp_resp_t resp; gnutls_datum_t printed; - if ( (rc= gnutls_ocsp_status_request_get(state->session, &stapling)) == 0 - && (rc= gnutls_ocsp_resp_init(&resp)) == 0 - && (rc= gnutls_ocsp_resp_import(resp, &stapling)) == 0 - && (rc= gnutls_ocsp_resp_print(resp, GNUTLS_OCSP_PRINT_FULL, &printed)) == 0 - ) - { - debug_printf("%.4096s", printed.data); - gnutls_free(printed.data); - } - else + unsigned idx = 0; + + for (; +# ifdef GNUTLS_OCSP_STATUS_REQUEST_GET2 + (rc = gnutls_ocsp_status_request_get2(state->session, idx, &stapling)) == 0; +#else + (rc = gnutls_ocsp_status_request_get(state->session, &stapling)) == 0; +#endif + idx++) + if ( (rc= gnutls_ocsp_resp_init(&resp)) == 0 + && (rc= gnutls_ocsp_resp_import(resp, &stapling)) == 0 + && (rc= gnutls_ocsp_resp_print(resp, GNUTLS_OCSP_PRINT_COMPACT, &printed)) == 0 + ) + { + debug_printf("%.4096s", printed.data); + gnutls_free(printed.data); + } + else + (void) tls_error_gnu(US"ocsp decode", rc, state->host, errstr); + if (idx == 0 && rc) (void) tls_error_gnu(US"ocsp decode", rc, state->host, errstr); } @@ -2781,10 +2976,14 @@ if (require_ocsp) { tlsp->ocsp = OCSP_FAILED; tls_error(US"certificate status check failed", NULL, state->host, errstr); - return FALSE; + if (require_ocsp) + return FALSE; + } + else + { + DEBUG(D_tls) debug_printf("Passed OCSP checking\n"); + tlsp->ocsp = OCSP_VFIED; } - DEBUG(D_tls) debug_printf("Passed OCSP checking\n"); - tlsp->ocsp = OCSP_VFIED; } #endif @@ -2823,8 +3022,9 @@ void tls_close(void * ct_ctx, int shutdown) { exim_gnutls_state_st * state = ct_ctx ? ct_ctx : &state_server; +tls_support * tlsp = state->tlsp; -if (!state->tlsp || state->tlsp->active.sock < 0) return; /* TLS was not active */ +if (!tlsp || tlsp->active.sock < 0) return; /* TLS was not active */ if (shutdown) { @@ -2836,12 +3036,26 @@ if (shutdown) ALARM_CLR(0); } +if (!ct_ctx) /* server */ + { + receive_getc = smtp_getc; + receive_getbuf = smtp_getbuf; + receive_get_cache = smtp_get_cache; + receive_ungetc = smtp_ungetc; + receive_feof = smtp_feof; + receive_ferror = smtp_ferror; + receive_smtp_buffered = smtp_buffered; + } + gnutls_deinit(state->session); gnutls_certificate_free_credentials(state->x509_cred); +tlsp->active.sock = -1; +tlsp->active.tls_ctx = NULL; +/* Leave bits, peercert, cipher, peerdn, certificate_verified set, for logging */ +tls_channelbinding_b64 = NULL; + -state->tlsp->active.sock = -1; -state->tlsp->active.tls_ctx = NULL; if (state->xfer_buffer) store_free(state->xfer_buffer); memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init)); } @@ -2891,28 +3105,7 @@ if (sigalrm_seen) else if (inbytes == 0) { DEBUG(D_tls) debug_printf("Got TLS_EOF\n"); - - receive_getc = smtp_getc; - receive_getbuf = smtp_getbuf; - receive_get_cache = smtp_get_cache; - receive_ungetc = smtp_ungetc; - receive_feof = smtp_feof; - receive_ferror = smtp_ferror; - receive_smtp_buffered = smtp_buffered; - - gnutls_deinit(state->session); - gnutls_certificate_free_credentials(state->x509_cred); - - state->session = NULL; - state->tlsp->active.sock = -1; - state->tlsp->active.tls_ctx = NULL; - state->tlsp->bits = 0; - state->tlsp->certificate_verified = FALSE; - tls_channelbinding_b64 = NULL; - state->tlsp->cipher = NULL; - state->tlsp->peercert = NULL; - state->tlsp->peerdn = NULL; - + tls_close(NULL, TLS_NO_SHUTDOWN); return FALSE; }