summaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorJeremy Harris <jgh146exb@wizmail.org>2012-06-04 13:36:19 +0100
committerJeremy Harris <jgh146exb@wizmail.org>2012-06-04 14:57:04 +0100
commit389ca47a59cc0247fcee8a50da42aa00af5f7a90 (patch)
tree2584518852c04f168b4d9a284714943b2e8ed4b2
parentb32ddfaa2ca5e305c1edfbbc8facc7b4d4f538b7 (diff)
Fix post-rebase merge issues.
-rw-r--r--src/src/functions.h2
-rw-r--r--src/src/globals.h2
-rw-r--r--src/src/tls-gnu.c10
-rw-r--r--src/src/tls-openssl.c21
-rw-r--r--src/src/tls.c14
-rw-r--r--src/src/verify.c5
-rw-r--r--test/log/54204
-rw-r--r--test/stderr/54202
8 files changed, 28 insertions, 32 deletions
diff --git a/src/src/functions.h b/src/src/functions.h
index bc61f31c8..02d152ad6 100644
--- a/src/src/functions.h
+++ b/src/src/functions.h
@@ -36,7 +36,7 @@ extern int tls_read(BOOL, uschar *, size_t);
extern int tls_server_start(const uschar *);
extern BOOL tls_smtp_buffered(void);
extern int tls_ungetc(int);
-extern int tls_write(BOOL, int, const uschar *, size_t);
+extern int tls_write(BOOL, const uschar *, size_t);
extern uschar *tls_validate_require_cipher(void);
extern void tls_version_report(FILE *);
#ifndef USE_GNUTLS
diff --git a/src/src/globals.h b/src/src/globals.h
index 7ed9d5ab6..e910dbe1b 100644
--- a/src/src/globals.h
+++ b/src/src/globals.h
@@ -82,9 +82,7 @@ typedef struct {
BOOL on_connect; /* For older MTAs that don't STARTTLS */
uschar *on_connect_ports; /* Ports always tls-on-connect */
uschar *peerdn; /* DN from peer */
-#ifndef USE_GNUTLS
uschar *sni; /* Server Name Indication */
-#endif
} tls_support;
extern tls_support tls_in;
extern tls_support tls_out;
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 8a133c5af..f8172e76b 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -63,7 +63,7 @@ Some of these correspond to variables in globals.c; those variables will
be set to point to content in one of these instances, as appropriate for
the stage of the process lifetime.
-Not handled here: global tls_channelbinding_b64. /*XXX JGH */
+Not handled here: global tls_channelbinding_b64.
*/
typedef struct exim_gnutls_state {
@@ -94,7 +94,7 @@ typedef struct exim_gnutls_state {
uschar *exp_tls_crl;
uschar *exp_tls_require_ciphers;
- tls_support *tlsp;
+ tls_support *tlsp; /* set in tls_init() */
uschar *xfer_buffer;
int xfer_buffer_lwm;
@@ -966,7 +966,7 @@ if (rc != OK) return rc;
/* set SNI in client, only */
if (host)
{
- if (!expand_check_tlsvar(state->tlsp->sni))
+ if (!expand_check(state->tlsp->sni, "tls_sni", &state->exp_tls_sni))
return DEFER;
if (state->exp_tls_sni && *state->exp_tls_sni)
{
@@ -1641,7 +1641,7 @@ tls_close(BOOL is_server, BOOL shutdown)
{
exim_gnutls_state_st *state = is_server ? &state_server : &state_client;
-if (state->tlsp->active < 0) return; /* TLS was not active */
+if (!state->tlsp || state->tlsp->active < 0) return; /* TLS was not active */
if (shutdown)
{
@@ -1651,6 +1651,7 @@ if (shutdown)
gnutls_deinit(state->session);
+state->tlsp->active = -1;
memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
if ((state_server.session == NULL) && (state_client.session == NULL))
@@ -1659,7 +1660,6 @@ if ((state_server.session == NULL) && (state_client.session == NULL))
exim_gnutls_base_init_done = FALSE;
}
-state->tlsp->active = -1;
}
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index bbf6855ff..d5b31e72c 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -50,6 +50,7 @@ static SSL_CTX *client_ctx = NULL;
static SSL_CTX *server_ctx = NULL;
static SSL *client_ssl = NULL;
static SSL *server_ssl = NULL;
+
#ifdef EXIM_HAVE_OPENSSL_TLSEXT
static SSL_CTX *client_sni = NULL;
static SSL_CTX *server_sni = NULL;
@@ -317,11 +318,7 @@ Returns: TRUE if OK (nothing to set up, or setup worked)
*/
static BOOL
-<<<<<<< HEAD
init_dh(SSL_CTX *sctx, uschar *dhparam, host_item *host)
-=======
-init_dh(SSL_CTX *ctx, uschar *dhparam, host_item *host)
->>>>>>> Dual-tls - split management of TLS into in- and out-bound connection-handling.
{
BIO *bio;
DH *dh;
@@ -683,7 +680,7 @@ OCSP information. */
rc = tls_expand_session_files(server_sni, cbinfo);
if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
-rc = init_dh(ctx_sni, cbinfo->dhparam, NULL);
+rc = init_dh(server_sni, cbinfo->dhparam, NULL);
if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
DEBUG(D_tls) debug_printf("Switching SSL context.\n");
@@ -852,11 +849,7 @@ else
/* Initialize with DH parameters if supplied */
-<<<<<<< HEAD
-if (!init_dh(ctx, dhparam, host)) return DEFER;
-=======
if (!init_dh(*ctxp, dhparam, host)) return DEFER;
->>>>>>> Dual-tls - split management of TLS into in- and out-bound connection-handling.
/* Set up certificate and key (and perhaps OCSP info) */
@@ -1493,16 +1486,17 @@ Only used by the client-side TLS.
*/
int
-tls_read(uschar *buff, size_t len)
+tls_read(BOOL is_server, uschar *buff, size_t len)
{
+SSL *ssl = is_server ? server_ssl : client_ssl;
int inbytes;
int error;
-DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", client_ssl,
+DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
buff, (unsigned int)len);
-inbytes = SSL_read(client_ssl, CS buff, len);
-error = SSL_get_error(client_ssl, inbytes);
+inbytes = SSL_read(ssl, CS buff, len);
+error = SSL_get_error(ssl, inbytes);
if (error == SSL_ERROR_ZERO_RETURN)
{
@@ -1601,6 +1595,7 @@ void
tls_close(BOOL is_server, BOOL shutdown)
{
SSL **sslp = is_server ? &server_ssl : &client_ssl;
+int *fdp = is_server ? &tls_in.active : &tls_out.active;
if (*fdp < 0) return; /* TLS was not active */
diff --git a/src/src/tls.c b/src/src/tls.c
index 0c98aeba9..0625c48b8 100644
--- a/src/src/tls.c
+++ b/src/src/tls.c
@@ -86,11 +86,11 @@ return TRUE;
#ifdef USE_GNUTLS
#include "tls-gnu.c"
-#define ssl_xfer_buffer (current_global_tls_state->xfer_buffer)
-#define ssl_xfer_buffer_lwm (current_global_tls_state->xfer_buffer_lwm)
-#define ssl_xfer_buffer_hwm (current_global_tls_state->xfer_buffer_hwm)
-#define ssl_xfer_eof (current_global_tls_state->xfer_eof)
-#define ssl_xfer_error (current_global_tls_state->xfer_error)
+#define ssl_xfer_buffer (state_server.xfer_buffer)
+#define ssl_xfer_buffer_lwm (state_server.xfer_buffer_lwm)
+#define ssl_xfer_buffer_hwm (state_server.xfer_buffer_hwm)
+#define ssl_xfer_eof (state_server.xfer_eof)
+#define ssl_xfer_error (state_server.xfer_error)
#else
#include "tls-openssl.c"
@@ -104,6 +104,7 @@ return TRUE;
/* Puts a character back in the input buffer. Only ever
called once.
+Only used by the server-side TLS.
Arguments:
ch the character
@@ -125,6 +126,7 @@ return ch;
*************************************************/
/* Tests for a previous EOF
+Only used by the server-side TLS.
Arguments: none
Returns: non-zero if the eof flag is set
@@ -144,6 +146,7 @@ return ssl_xfer_eof;
/* Tests for a previous read error, and returns with errno
restored to what it was when the error was detected.
+Only used by the server-side TLS.
>>>>> Hmm. Errno not handled yet. Where do we get it from? >>>>>
@@ -163,6 +166,7 @@ return ssl_xfer_error;
*************************************************/
/* Tests for unused chars in the TLS input buffer.
+Only used by the server-side TLS.
Arguments: none
Returns: TRUE/FALSE
diff --git a/src/src/verify.c b/src/src/verify.c
index 6d31b8256..6e3e6a3af 100644
--- a/src/src/verify.c
+++ b/src/src/verify.c
@@ -498,7 +498,7 @@ else
tls_retry_connection:
inblock.sock = outblock.sock =
- smtp_connect(host, host_af, port, interface, callout_connect, TRUE);
+ smtp_connect(host, host_af, port, interface, callout_connect, TRUE, NULL);
/* reconsider DSCP here */
if (inblock.sock < 0)
{
@@ -635,8 +635,7 @@ else
ob->tls_certificate, ob->tls_privatekey,
ob->tls_sni,
ob->tls_verify_certificates, ob->tls_crl,
- ob->tls_require_ciphers,
- ob->gnutls_require_mac, ob->gnutls_require_kx, ob->gnutls_require_proto,
+ ob->tls_require_ciphers, ob->tls_dh_min_bits,
callout);
/* TLS negotiation failed; give an error. Try in clear on a new connection,
diff --git a/test/log/5420 b/test/log/5420
index 2e117cbfe..e85916237 100644
--- a/test/log/5420
+++ b/test/log/5420
@@ -1,7 +1,7 @@
1999-03-02 09:44:33 exim x.yz daemon started: pid=pppp, no queue runs, listening for SMTP on port 1225
-1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.2:RSA_AES_256_CBC_SHA1:256 S=sss id=E10HmaY-0005vi-00@myhost.test.ex
+1999-03-02 09:44:33 10HmaX-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtps X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 S=sss id=E10HmaY-0005vi-00@myhost.test.ex
1999-03-02 09:44:33 10HmaX-0005vi-00 no immediate delivery: queued by ACL
-1999-03-02 09:44:33 10HmaY-0005vi-00 >> userx@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] X=TLS1.2:RSA_AES_256_CBC_SHA1:256 C="250 OK id=10HmaX-0005vi-00"
+1999-03-02 09:44:33 10HmaY-0005vi-00 >> userx@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 C="250 OK id=10HmaX-0005vi-00"
1999-03-02 09:44:33 10HmaY-0005vi-00 <= CALLER@myhost.test.ex U=CALLER P=local-esmtp S=sss
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
1999-03-02 09:44:33 10HmaZ-0005vi-00 <= CALLER@myhost.test.ex H=the.local.host.name (myhost.test.ex) [ip4.ip4.ip4.ip4] P=esmtp S=sss id=E10HmbA-0005vi-00@myhost.test.ex
diff --git a/test/stderr/5420 b/test/stderr/5420
index 626e9d159..90592286b 100644
--- a/test/stderr/5420
+++ b/test/stderr/5420
@@ -128,7 +128,7 @@ expanding: ${tod_full}
SMTP>> .
SMTP<< 250 OK id=10HmaX-0005vi-00
LOG: MAIN
- >> userx@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] X=TLS1.2:RSA_AES_256_CBC_SHA1:256 C="250 OK id=10HmaX-0005vi-00"
+ >> userx@domain.com R=all T=smtp H=127.0.0.1 [127.0.0.1] X=TLS1.x:xxxxRSA_AES_256_CBC_SHAnnn:256 C="250 OK id=10HmaX-0005vi-00"
SMTP>> QUIT
----------- cutthrough shutdown (delivered) ------------
LOG: MAIN