Diffstat (limited to 'src')
-rw-r--r--src/src/functions.h2
-rw-r--r--src/src/globals.h2
-rw-r--r--src/src/tls-gnu.c10
-rw-r--r--src/src/tls-openssl.c21
-rw-r--r--src/src/tls.c14
-rw-r--r--src/src/verify.c5
6 files changed, 25 insertions, 29 deletions
diff --git a/src/src/functions.h b/src/src/functions.h
index bc61f31c8..02d152ad6 100644
--- a/src/src/functions.h
+++ b/src/src/functions.h
@@ -36,7 +36,7 @@ extern int tls_read(BOOL, uschar *, size_t);
extern int tls_server_start(const uschar *);
extern BOOL tls_smtp_buffered(void);
extern int tls_ungetc(int);
-extern int tls_write(BOOL, int, const uschar *, size_t);
+extern int tls_write(BOOL, const uschar *, size_t);
extern uschar *tls_validate_require_cipher(void);
extern void tls_version_report(FILE *);
#ifndef USE_GNUTLS
diff --git a/src/src/globals.h b/src/src/globals.h
index 7ed9d5ab6..e910dbe1b 100644
--- a/src/src/globals.h
+++ b/src/src/globals.h
@@ -82,9 +82,7 @@ typedef struct {
BOOL on_connect; /* For older MTAs that don't STARTTLS */
uschar *on_connect_ports; /* Ports always tls-on-connect */
uschar *peerdn; /* DN from peer */
-#ifndef USE_GNUTLS
uschar *sni; /* Server Name Indication */
-#endif
} tls_support;
extern tls_support tls_in;
extern tls_support tls_out;
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 8a133c5af..f8172e76b 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -63,7 +63,7 @@ Some of these correspond to variables in globals.c; those variables will
be set to point to content in one of these instances, as appropriate for
the stage of the process lifetime.
-Not handled here: global tls_channelbinding_b64. /*XXX JGH */
+Not handled here: global tls_channelbinding_b64.
*/
typedef struct exim_gnutls_state {
@@ -94,7 +94,7 @@ typedef struct exim_gnutls_state {
uschar *exp_tls_crl;
uschar *exp_tls_require_ciphers;
- tls_support *tlsp;
+ tls_support *tlsp; /* set in tls_init() */
uschar *xfer_buffer;
int xfer_buffer_lwm;
@@ -966,7 +966,7 @@ if (rc != OK) return rc;
/* set SNI in client, only */
if (host)
{
- if (!expand_check_tlsvar(state->tlsp->sni))
+ if (!expand_check(state->tlsp->sni, "tls_sni", &state->exp_tls_sni))
return DEFER;
if (state->exp_tls_sni && *state->exp_tls_sni)
{
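Review bot: The new `expand_check(state->tlsp->sni, "tls_sni", &state->exp_tls_sni)` dereferences state->tlsp unconditionally, while this same commit adds a NULL guard for state->tlsp in tls_close() (`if (!state->tlsp || state->tlsp->active < 0) return;`); the hunk above annotates tlsp as `set in tls_init()`, so this is only a problem if a client start can reach this point before tls_init() has run, which cannot be confirmed from the hunk. If tls_init() is guaranteed to precede this, a one-line comment on the call, `/* state->tlsp is set by tls_init(), which must have run before we get here */`, would make the assumption explicit; otherwise add the same guard and `return DEFER;` as for the expansion failure. The enclosing function begins and ends outside this hunk.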
@@ -1641,7 +1641,7 @@ tls_close(BOOL is_server, BOOL shutdown)
{
exim_gnutls_state_st *state = is_server ? &state_server : &state_client;
-if (state->tlsp->active < 0) return; /* TLS was not active */
+if (!state->tlsp || state->tlsp->active < 0) return; /* TLS was not active */
if (shutdown)
{
@@ -1651,6 +1651,7 @@ if (shutdown)
gnutls_deinit(state->session);
+state->tlsp->active = -1;
memcpy(state, &exim_gnutls_state_init, sizeof(exim_gnutls_state_init));
if ((state_server.session == NULL) && (state_client.session == NULL))
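Review bot: The moved `state->tlsp->active = -1;` now sits immediately before the memcpy() that resets *state from exim_gnutls_state_init, and nothing in the code says the order is load-bearing; a later edit could move it back below the reset, where state->tlsp would be whatever the init template holds and the assignment would dereference that. A comment on the line, `/* must precede the memcpy below, which resets state->tlsp */`, would pin the ordering. tls_close continues past the end of this hunk.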
@@ -1659,7 +1660,6 @@ if ((state_server.session == NULL) && (state_client.session == NULL))
exim_gnutls_base_init_done = FALSE;
}
-state->tlsp->active = -1;
}
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index bbf6855ff..d5b31e72c 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -50,6 +50,7 @@ static SSL_CTX *client_ctx = NULL;
static SSL_CTX *server_ctx = NULL;
static SSL *client_ssl = NULL;
static SSL *server_ssl = NULL;
+
#ifdef EXIM_HAVE_OPENSSL_TLSEXT
static SSL_CTX *client_sni = NULL;
static SSL_CTX *server_sni = NULL;
@@ -317,11 +318,7 @@ Returns: TRUE if OK (nothing to set up, or setup worked)
*/
static BOOL
-<<<<<<< HEAD
init_dh(SSL_CTX *sctx, uschar *dhparam, host_item *host)
-=======
-init_dh(SSL_CTX *ctx, uschar *dhparam, host_item *host)
->>>>>>> Dual-tls - split management of TLS into in- and out-bound connection-handling.
{
BIO *bio;
DH *dh;
@@ -683,7 +680,7 @@ OCSP information. */
rc = tls_expand_session_files(server_sni, cbinfo);
if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
-rc = init_dh(ctx_sni, cbinfo->dhparam, NULL);
+rc = init_dh(server_sni, cbinfo->dhparam, NULL);
if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
DEBUG(D_tls) debug_printf("Switching SSL context.\n");
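Review bot: The `rc = init_dh(server_sni, cbinfo->dhparam, NULL);` / `if (rc != OK) return SSL_TLSEXT_ERR_NOACK;` pair compares a BOOL result against OK: init_dh is declared `static BOOL` in the hunk above and is tested as a boolean later in this file (`if (!init_dh(*ctxp, dhparam, host)) return DEFER;`), so unless OK happens to equal TRUE the sense of this check is inverted — a successful DH setup would make the SNI callback answer NOACK, and a failed one would switch to a server context whose DH parameters never loaded. The commit only renames the context argument and leaves this mismatch in place; the check should test the result directly, `if (!init_dh(server_sni, cbinfo->dhparam, NULL)) return SSL_TLSEXT_ERR_NOACK;`. The enclosing SNI callback starts and ends outside this hunk.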
@@ -852,11 +849,7 @@ else
/* Initialize with DH parameters if supplied */
-<<<<<<< HEAD
-if (!init_dh(ctx, dhparam, host)) return DEFER;
-=======
if (!init_dh(*ctxp, dhparam, host)) return DEFER;
->>>>>>> Dual-tls - split management of TLS into in- and out-bound connection-handling.
/* Set up certificate and key (and perhaps OCSP info) */
@@ -1493,16 +1486,17 @@ Only used by the client-side TLS.
*/
int
-tls_read(uschar *buff, size_t len)
+tls_read(BOOL is_server, uschar *buff, size_t len)
{
+SSL *ssl = is_server ? server_ssl : client_ssl;
int inbytes;
int error;
-DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", client_ssl,
+DEBUG(D_tls) debug_printf("Calling SSL_read(%p, %p, %u)\n", ssl,
buff, (unsigned int)len);
-inbytes = SSL_read(client_ssl, CS buff, len);
-error = SSL_get_error(client_ssl, inbytes);
+inbytes = SSL_read(ssl, CS buff, len);
+error = SSL_get_error(ssl, inbytes);
if (error == SSL_ERROR_ZERO_RETURN)
{
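Review bot: The header comment shown in the hunk context, `Only used by the client-side TLS.`, is now wrong: the new is_server parameter selects server_ssl, so the comment should read `Used by both server- and client-side TLS; is_server selects which SSL object to read from.` and the argument list should gain `is_server  TRUE for the inbound connection, FALSE for outbound`. Separately, when the selected side has no session the new local `ssl` is NULL and is passed straight to SSL_read(); whether every caller checks tls_in.active / tls_out.active first is not visible here, so a guard such as `if (!ssl) return -1;` before the debug line may be warranted. tls_read continues past the end of this hunk.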
@@ -1601,6 +1595,7 @@ void
tls_close(BOOL is_server, BOOL shutdown)
{
SSL **sslp = is_server ? &server_ssl : &client_ssl;
+int *fdp = is_server ? &tls_in.active : &tls_out.active;
if (*fdp < 0) return; /* TLS was not active */
diff --git a/src/src/tls.c b/src/src/tls.c
index 0c98aeba9..0625c48b8 100644
--- a/src/src/tls.c
+++ b/src/src/tls.c
@@ -86,11 +86,11 @@ return TRUE;
#ifdef USE_GNUTLS
#include "tls-gnu.c"
-#define ssl_xfer_buffer (current_global_tls_state->xfer_buffer)
-#define ssl_xfer_buffer_lwm (current_global_tls_state->xfer_buffer_lwm)
-#define ssl_xfer_buffer_hwm (current_global_tls_state->xfer_buffer_hwm)
-#define ssl_xfer_eof (current_global_tls_state->xfer_eof)
-#define ssl_xfer_error (current_global_tls_state->xfer_error)
+#define ssl_xfer_buffer (state_server.xfer_buffer)
+#define ssl_xfer_buffer_lwm (state_server.xfer_buffer_lwm)
+#define ssl_xfer_buffer_hwm (state_server.xfer_buffer_hwm)
+#define ssl_xfer_eof (state_server.xfer_eof)
+#define ssl_xfer_error (state_server.xfer_error)
#else
#include "tls-openssl.c"
@@ -104,6 +104,7 @@ return TRUE;
/* Puts a character back in the input buffer. Only ever
called once.
+Only used by the server-side TLS.
Arguments:
ch the character
@@ -125,6 +126,7 @@ return ch;
*************************************************/
/* Tests for a previous EOF
+Only used by the server-side TLS.
Arguments: none
Returns: non-zero if the eof flag is set
@@ -144,6 +146,7 @@ return ssl_xfer_eof;
/* Tests for a previous read error, and returns with errno
restored to what it was when the error was detected.
+Only used by the server-side TLS.
>>>>> Hmm. Errno not handled yet. Where do we get it from? >>>>>
@@ -163,6 +166,7 @@ return ssl_xfer_error;
*************************************************/
/* Tests for unused chars in the TLS input buffer.
+Only used by the server-side TLS.
Arguments: none
Returns: TRUE/FALSE
diff --git a/src/src/verify.c b/src/src/verify.c
index 6d31b8256..6e3e6a3af 100644
--- a/src/src/verify.c
+++ b/src/src/verify.c
@@ -498,7 +498,7 @@ else
tls_retry_connection:
inblock.sock = outblock.sock =
- smtp_connect(host, host_af, port, interface, callout_connect, TRUE);
+ smtp_connect(host, host_af, port, interface, callout_connect, TRUE, NULL);
/* reconsider DSCP here */
if (inblock.sock < 0)
{
@@ -635,8 +635,7 @@ else
ob->tls_certificate, ob->tls_privatekey,
ob->tls_sni,
ob->tls_verify_certificates, ob->tls_crl,
- ob->tls_require_ciphers,
- ob->gnutls_require_mac, ob->gnutls_require_kx, ob->gnutls_require_proto,
+ ob->tls_require_ciphers, ob->tls_dh_min_bits,
callout);
/* TLS negotiation failed; give an error. Try in clear on a new connection,