# include <gnutls/dane.h>
#endif
+#include "tls-cipher-stdname.c"
+
+
/* GnuTLS 2 vs 3
GnuTLS 3 only:
static const int ssl_session_timeout = 200;
-static const char * const exim_default_gnutls_priority = "NORMAL";
+static const uschar * const exim_default_gnutls_priority = US"NORMAL";
/* Guard library core initialisation */
# define EXIM_SERVER_DH_BITS_PRE2_12 1024
#endif
-#define exim_gnutls_err_check(rc, Label) do { \
- if ((rc) != GNUTLS_E_SUCCESS) \
- return tls_error((Label), US gnutls_strerror(rc), host, errstr); \
- } while (0)
-
#define expand_check_tlsvar(Varname, errstr) \
expand_check(state->Varname, US #Varname, &state->exp_##Varname, errstr)
}
+static int
+tls_error_gnu(const uschar *prefix, int err, const host_item *host,
+ uschar ** errstr)
+{
+return tls_error(prefix, US gnutls_strerror(err), host, errstr);
+}
+
+static int
+tls_error_sys(const uschar *prefix, int err, const host_item *host,
+ uschar ** errstr)
+{
+return tls_error(prefix, US strerror(err), host, errstr);
+}
/*************************************************
state the current GnuTLS exim state container
rc the GnuTLS error code, or 0 if it's a local error
when text identifying read or write
- text local error text when ec is 0
+ text local error text when rc is 0
Returns: nothing
*/
uschar * errstr;
if (rc == GNUTLS_E_FATAL_ALERT_RECEIVED)
- msg = string_sprintf("%s: %s", US gnutls_strerror(rc),
+ msg = string_sprintf("A TLS fatal alert has been received: %s",
US gnutls_alert_get_name(gnutls_alert_get(state->session)));
else
msg = US gnutls_strerror(rc);
size_t sz;
uschar *exp_tls_dhparam;
BOOL use_file_in_spool = FALSE;
-BOOL use_fixed_file = FALSE;
host_item *host = NULL; /* dummy for macros */
DEBUG(D_tls) debug_printf("Initialising GnuTLS server params.\n");
-rc = gnutls_dh_params_init(&dh_server_params);
-exim_gnutls_err_check(rc, US"gnutls_dh_params_init");
+if ((rc = gnutls_dh_params_init(&dh_server_params)))
+ return tls_error_gnu(US"gnutls_dh_params_init", rc, host, errstr);
m.data = NULL;
m.size = 0;
m.size = Ustrlen(m.data);
}
else
- {
- use_fixed_file = TRUE;
filename = exp_tls_dhparam;
- }
if (m.data)
{
- rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM);
- exim_gnutls_err_check(rc, US"gnutls_dh_params_import_pkcs3");
+ if ((rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM)))
+ return tls_error_gnu(US"gnutls_dh_params_import_pkcs3", rc, host, errstr);
DEBUG(D_tls) debug_printf("Loaded fixed standard D-H parameters\n");
return OK;
}
#ifdef HAVE_GNUTLS_SEC_PARAM_CONSTANTS
/* If you change this constant, also change dh_param_fn_ext so that we can use a
different filename and ensure we have sufficient bits. */
-dh_bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_NORMAL);
-if (!dh_bits)
+
+if (!(dh_bits = gnutls_sec_param_to_pk_bits(GNUTLS_PK_DH, GNUTLS_SEC_PARAM_NORMAL)))
return tls_error(US"gnutls_sec_param_to_pk_bits() failed", NULL, NULL, errstr);
DEBUG(D_tls)
debug_printf("GnuTLS tells us that for D-H PK, NORMAL is %d bits.\n",
{
saved_errno = errno;
(void)close(fd);
- return tls_error(US"TLS cache stat failed", US strerror(saved_errno), NULL, errstr);
+ return tls_error_sys(US"TLS cache stat failed", saved_errno, NULL, errstr);
}
if (!S_ISREG(statbuf.st_mode))
{
{
saved_errno = errno;
(void)close(fd);
- return tls_error(US"fdopen(TLS cache stat fd) failed",
- US strerror(saved_errno), NULL, errstr);
+ return tls_error_sys(US"fdopen(TLS cache stat fd) failed",
+ saved_errno, NULL, errstr);
}
m.size = statbuf.st_size;
if (!(m.data = malloc(m.size)))
{
fclose(fp);
- return tls_error(US"malloc failed", US strerror(errno), NULL, errstr);
+ return tls_error_sys(US"malloc failed", errno, NULL, errstr);
}
if (!(sz = fread(m.data, m.size, 1, fp)))
{
saved_errno = errno;
fclose(fp);
free(m.data);
- return tls_error(US"fread failed", US strerror(saved_errno), NULL, errstr);
+ return tls_error_sys(US"fread failed", saved_errno, NULL, errstr);
}
fclose(fp);
rc = gnutls_dh_params_import_pkcs3(dh_server_params, &m, GNUTLS_X509_FMT_PEM);
free(m.data);
- exim_gnutls_err_check(rc, US"gnutls_dh_params_import_pkcs3");
+ if (rc)
+ return tls_error_gnu(US"gnutls_dh_params_import_pkcs3", rc, host, errstr);
DEBUG(D_tls) debug_printf("read D-H parameters from file \"%s\"\n", filename);
}
temp_fn = string_copy(US"%s.XXXXXXX");
if ((fd = mkstemp(CS temp_fn)) < 0) /* modifies temp_fn */
- return tls_error(US"Unable to open temp file", US strerror(errno), NULL, errstr);
- (void)fchown(fd, exim_uid, exim_gid); /* Probably not necessary */
+ return tls_error_sys(US"Unable to open temp file", errno, NULL, errstr);
+ (void)exim_chown(temp_fn, exim_uid, exim_gid); /* Probably not necessary */
/* GnuTLS overshoots!
* If we ask for 2236, we might get 2237 or more.
DEBUG(D_tls)
debug_printf("requesting generation of %d bit Diffie-Hellman prime ...\n",
dh_bits_gen);
- rc = gnutls_dh_params_generate2(dh_server_params, dh_bits_gen);
- exim_gnutls_err_check(rc, US"gnutls_dh_params_generate2");
+ if ((rc = gnutls_dh_params_generate2(dh_server_params, dh_bits_gen)))
+ return tls_error_gnu(US"gnutls_dh_params_generate2", rc, host, errstr);
/* gnutls_dh_params_export_pkcs3() will tell us the exact size, every time,
and I confirmed that a NULL call to get the size first is how the GnuTLS
sz = 0;
m.data = NULL;
- rc = gnutls_dh_params_export_pkcs3(dh_server_params, GNUTLS_X509_FMT_PEM,
- m.data, &sz);
- if (rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
- exim_gnutls_err_check(rc, US"gnutls_dh_params_export_pkcs3(NULL) sizing");
+ if ( (rc = gnutls_dh_params_export_pkcs3(dh_server_params,
+ GNUTLS_X509_FMT_PEM, m.data, &sz))
+ && rc != GNUTLS_E_SHORT_MEMORY_BUFFER)
+ return tls_error_gnu(US"gnutls_dh_params_export_pkcs3(NULL) sizing",
+ rc, host, errstr);
m.size = sz;
if (!(m.data = malloc(m.size)))
- return tls_error(US"memory allocation failed", US strerror(errno), NULL, errstr);
+ return tls_error_sys(US"memory allocation failed", errno, NULL, errstr);
/* this will return a size 1 less than the allocation size above */
- rc = gnutls_dh_params_export_pkcs3(dh_server_params, GNUTLS_X509_FMT_PEM,
- m.data, &sz);
- if (rc != GNUTLS_E_SUCCESS)
+ if ((rc = gnutls_dh_params_export_pkcs3(dh_server_params, GNUTLS_X509_FMT_PEM,
+ m.data, &sz)))
{
free(m.data);
- exim_gnutls_err_check(rc, US"gnutls_dh_params_export_pkcs3() real");
+ return tls_error_gnu(US"gnutls_dh_params_export_pkcs3() real", rc, host, errstr);
}
m.size = sz; /* shrink by 1, probably */
if ((sz = write_to_fd_buf(fd, m.data, (size_t) m.size)) != m.size)
{
free(m.data);
- return tls_error(US"TLS cache write D-H params failed",
- US strerror(errno), NULL, errstr);
+ return tls_error_sys(US"TLS cache write D-H params failed",
+ errno, NULL, errstr);
}
free(m.data);
if ((sz = write_to_fd_buf(fd, US"\n", 1)) != 1)
- return tls_error(US"TLS cache write D-H params final newline failed",
- US strerror(errno), NULL, errstr);
+ return tls_error_sys(US"TLS cache write D-H params final newline failed",
+ errno, NULL, errstr);
if ((rc = close(fd)))
- return tls_error(US"TLS cache write close() failed", US strerror(errno), NULL, errstr);
+ return tls_error_sys(US"TLS cache write close() failed", errno, NULL, errstr);
if (Urename(temp_fn, filename) < 0)
- return tls_error(string_sprintf("failed to rename \"%s\" as \"%s\"",
- temp_fn, filename), US strerror(errno), NULL, errstr);
+ return tls_error_sys(string_sprintf("failed to rename \"%s\" as \"%s\"",
+ temp_fn, filename), errno, NULL, errstr);
DEBUG(D_tls) debug_printf("wrote D-H parameters to file \"%s\"\n", filename);
}
return rc;
err:
- rc = tls_error(where, US gnutls_strerror(rc), NULL, errstr);
+ rc = tls_error_gnu(where, rc, NULL, errstr);
goto out;
}
int rc = gnutls_certificate_set_x509_key_file(state->x509_cred,
CS certfile, CS keyfile, GNUTLS_X509_FMT_PEM);
if (rc < 0)
- return tls_error(
+ return tls_error_gnu(
string_sprintf("cert/key setup: cert=%s key=%s", certfile, keyfile),
- US gnutls_strerror(rc), host, errstr);
+ rc, host, errstr);
return -rc;
}
saved_tls_crl = state->exp_tls_crl;
}
-rc = gnutls_certificate_allocate_credentials(&state->x509_cred);
-exim_gnutls_err_check(rc, US"gnutls_certificate_allocate_credentials");
+if ((rc = gnutls_certificate_allocate_credentials(&state->x509_cred)))
+ return tls_error_gnu(US"gnutls_certificate_allocate_credentials",
+ rc, host, errstr);
#ifdef SUPPORT_SRV_OCSP_STACK
gnutls_certificate_set_flags(state->x509_cred, GNUTLS_CERTIFICATE_API_V2);
or watch datestamp. */
# ifdef SUPPORT_SRV_OCSP_STACK
- rc = gnutls_certificate_set_ocsp_status_request_function2(
- state->x509_cred, gnutls_cert_index,
- server_ocsp_stapling_cb, ofile);
-
- exim_gnutls_err_check(rc,
- US"gnutls_certificate_set_ocsp_status_request_function2");
+ if ((rc = gnutls_certificate_set_ocsp_status_request_function2(
+ state->x509_cred, gnutls_cert_index,
+ server_ocsp_stapling_cb, ofile)))
+ return tls_error_gnu(
+ US"gnutls_certificate_set_ocsp_status_request_function2",
+ rc, host, errstr);
# else
if (cnt++ > 0)
{
}
if (cert_count < 0)
- {
- rc = cert_count;
- exim_gnutls_err_check(rc, US"setting certificate trust");
- }
-DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n", cert_count);
+ return tls_error_gnu(US"setting certificate trust", cert_count, host, errstr);
+DEBUG(D_tls)
+ debug_printf("Added %d certificate authorities.\n", cert_count);
if (state->tls_crl && *state->tls_crl &&
state->exp_tls_crl && *state->exp_tls_crl)
{
DEBUG(D_tls) debug_printf("loading CRL file = %s\n", state->exp_tls_crl);
- cert_count = gnutls_certificate_set_x509_crl_file(state->x509_cred,
- CS state->exp_tls_crl, GNUTLS_X509_FMT_PEM);
- if (cert_count < 0)
- {
- rc = cert_count;
- exim_gnutls_err_check(rc, US"gnutls_certificate_set_x509_crl_file");
- }
+ if ((cert_count = gnutls_certificate_set_x509_crl_file(state->x509_cred,
+ CS state->exp_tls_crl, GNUTLS_X509_FMT_PEM)) < 0)
+ return tls_error_gnu(US"gnutls_certificate_set_x509_crl_file",
+ cert_count, host, errstr);
+
DEBUG(D_tls) debug_printf("Processed %d CRLs.\n", cert_count);
}
if (!state->host)
{
if (!dh_server_params)
- {
- rc = init_server_dh(errstr);
- if (rc != OK) return rc;
- }
+ if ((rc = init_server_dh(errstr)) != OK) return rc;
gnutls_certificate_set_dh_params(state->x509_cred, dh_server_params);
}
/* Link the credentials to the session. */
-rc = gnutls_credentials_set(state->session, GNUTLS_CRD_CERTIFICATE, state->x509_cred);
-exim_gnutls_err_check(rc, US"gnutls_credentials_set");
+if ((rc = gnutls_credentials_set(state->session,
+ GNUTLS_CRD_CERTIFICATE, state->x509_cred)))
+ return tls_error_gnu(US"gnutls_credentials_set", rc, host, errstr);
return OK;
}
tls_support * tlsp,
uschar ** errstr)
{
-exim_gnutls_state_st *state;
+exim_gnutls_state_st * state;
int rc;
size_t sz;
-const char *errpos;
-uschar *p;
-BOOL want_default_priorities;
+const char * errpos;
+const uschar * p;
if (!exim_gnutls_base_init_done)
{
environment variables are used and so breaks for users calling mailq.
To prevent this, we init PKCS11 first, which is the documented approach. */
if (!gnutls_allow_auto_pkcs11)
- {
- rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
- exim_gnutls_err_check(rc, US"gnutls_pkcs11_init");
- }
+ if ((rc = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL)))
+ return tls_error_gnu(US"gnutls_pkcs11_init", rc, host, errstr);
#endif
- rc = gnutls_global_init();
- exim_gnutls_err_check(rc, US"gnutls_global_init");
+ if ((rc = gnutls_global_init()))
+ return tls_error_gnu(US"gnutls_global_init", rc, host, errstr);
#if EXIM_GNUTLS_LIBRARY_LOG_LEVEL >= 0
DEBUG(D_tls)
DEBUG(D_tls) debug_printf("initialising GnuTLS server session\n");
rc = gnutls_init(&state->session, GNUTLS_SERVER);
}
-exim_gnutls_err_check(rc, US"gnutls_init");
+if (rc)
+ return tls_error_gnu(US"gnutls_init", rc, host, errstr);
state->host = host;
DEBUG(D_tls)
debug_printf("Setting TLS client SNI to \"%s\"\n", state->tlsp->sni);
sz = Ustrlen(state->tlsp->sni);
- rc = gnutls_server_name_set(state->session,
- GNUTLS_NAME_DNS, state->tlsp->sni, sz);
- exim_gnutls_err_check(rc, US"gnutls_server_name_set");
+ if ((rc = gnutls_server_name_set(state->session,
+ GNUTLS_NAME_DNS, state->tlsp->sni, sz)))
+ return tls_error_gnu(US"gnutls_server_name_set", rc, host, errstr);
}
}
else if (state->tls_sni)
This was backwards incompatible, but means Exim no longer needs to track
all algorithms and provide string forms for them. */
-want_default_priorities = TRUE;
-
+p = NULL;
if (state->tls_require_ciphers && *state->tls_require_ciphers)
{
if (!expand_check_tlsvar(tls_require_ciphers, errstr))
return DEFER;
if (state->exp_tls_require_ciphers && *state->exp_tls_require_ciphers)
{
- DEBUG(D_tls) debug_printf("GnuTLS session cipher/priority \"%s\"\n",
- state->exp_tls_require_ciphers);
-
- rc = gnutls_priority_init(&state->priority_cache,
- CS state->exp_tls_require_ciphers, &errpos);
- want_default_priorities = FALSE;
p = state->exp_tls_require_ciphers;
+ DEBUG(D_tls) debug_printf("GnuTLS session cipher/priority \"%s\"\n", p);
}
}
-if (want_default_priorities)
+if (!p)
{
+ p = exim_default_gnutls_priority;
DEBUG(D_tls)
- debug_printf("GnuTLS using default session cipher/priority \"%s\"\n",
- exim_default_gnutls_priority);
- rc = gnutls_priority_init(&state->priority_cache,
- exim_default_gnutls_priority, &errpos);
- p = US exim_default_gnutls_priority;
+ debug_printf("GnuTLS using default session cipher/priority \"%s\"\n", p);
}
-exim_gnutls_err_check(rc, string_sprintf(
- "gnutls_priority_init(%s) failed at offset %ld, \"%.6s..\"",
- p, errpos - CS p, errpos));
+if ((rc = gnutls_priority_init(&state->priority_cache, CCS p, &errpos)))
+ return tls_error_gnu(string_sprintf(
+ "gnutls_priority_init(%s) failed at offset %ld, \"%.6s..\"",
+ p, errpos - CS p, errpos),
+ rc, host, errstr);
-rc = gnutls_priority_set(state->session, state->priority_cache);
-exim_gnutls_err_check(rc, US"gnutls_priority_set");
+if ((rc = gnutls_priority_set(state->session, state->priority_cache)))
+ return tls_error_gnu(US"gnutls_priority_set", rc, host, errstr);
gnutls_db_set_cache_expiration(state->session, ssl_session_timeout);
* Extract peer information *
*************************************************/
+static const uschar *
+cipher_stdname_kcm(gnutls_kx_algorithm_t kx, gnutls_cipher_algorithm_t cipher,
+ gnutls_mac_algorithm_t mac)
+{
+uschar cs_id[2];
+gnutls_kx_algorithm_t kx_i;
+gnutls_cipher_algorithm_t cipher_i;
+gnutls_mac_algorithm_t mac_i;
+
+for (size_t i = 0;
+ gnutls_cipher_suite_info(i, cs_id, &kx_i, &cipher_i, &mac_i, NULL);
+ i++)
+ if (kx_i == kx && cipher_i == cipher && mac_i == mac)
+ return cipher_stdname(cs_id[0], cs_id[1]);
+return NULL;
+}
+
+
+
/* Called from both server and client code.
Only this is allowed to set state->peerdn and state->have_set_peerdn
and we use that to detect double-calls.
static int
peer_status(exim_gnutls_state_st *state, uschar ** errstr)
{
-uschar cipherbuf[256];
const gnutls_datum_t *cert_list;
int old_pool, rc;
unsigned int cert_list_size = 0;
mac = gnutls_mac_get(state->session);
kx = gnutls_kx_get(state->session);
-string_format(cipherbuf, sizeof(cipherbuf),
- "%s:%s:%d",
- gnutls_protocol_get_name(protocol),
- gnutls_cipher_suite_get_name(kx, cipher, mac),
- (int) gnutls_cipher_get_key_size(cipher) * 8);
-
-/* I don't see a way that spaces could occur, in the current GnuTLS
-code base, but it was a concern in the old code and perhaps older GnuTLS
-releases did return "TLS 1.0"; play it safe, just in case. */
-for (uschar * p = cipherbuf; *p != '\0'; ++p)
- if (isspace(*p))
- *p = '-';
old_pool = store_pool;
-store_pool = POOL_PERM;
-state->ciphersuite = string_copy(cipherbuf);
+ {
+ store_pool = POOL_PERM;
+ state->ciphersuite = string_sprintf("%s:%s:%d",
+ gnutls_protocol_get_name(protocol),
+ gnutls_cipher_suite_get_name(kx, cipher, mac),
+ (int) gnutls_cipher_get_key_size(cipher) * 8);
+
+ /* I don't see a way that spaces could occur, in the current GnuTLS
+ code base, but it was a concern in the old code and perhaps older GnuTLS
+ releases did return "TLS 1.0"; play it safe, just in case. */
+
+ for (uschar * p = state->ciphersuite; *p; p++) if (isspace(*p)) *p = '-';
+ state->tlsp->cipher = state->ciphersuite;
+
+ state->tlsp->cipher_stdname = cipher_stdname_kcm(kx, cipher, mac);
+ }
store_pool = old_pool;
-state->tlsp->cipher = state->ciphersuite;
/* tls_peerdn */
cert_list = gnutls_certificate_get_peers(state->session, &cert_list_size);
-if (cert_list == NULL || cert_list_size == 0)
+if (!cert_list || cert_list_size == 0)
{
DEBUG(D_tls) debug_printf("TLS: no certificate from peer (%p & %d)\n",
cert_list, cert_list_size);
return OK;
}
-ct = gnutls_certificate_type_get(state->session);
-if (ct != GNUTLS_CRT_X509)
+if ((ct = gnutls_certificate_type_get(state->session)) != GNUTLS_CRT_X509)
{
- const uschar *ctn = US gnutls_certificate_type_get_name(ct);
+ const uschar * ctn = US gnutls_certificate_type_get_name(ct);
DEBUG(D_tls)
debug_printf("TLS: peer cert not X.509 but instead \"%s\"\n", ctn);
if (state->verify_requirement >= VERIFY_REQUIRED)
DEBUG(D_tls) debug_printf("TLS: peer cert problem: %s: %s\n", \
(Label), gnutls_strerror(rc)); \
if (state->verify_requirement >= VERIFY_REQUIRED) \
- return tls_error((Label), US gnutls_strerror(rc), state->host, errstr); \
+ return tls_error_gnu((Label), rc, state->host, errstr); \
return OK; \
} \
} while (0)
DEBUG(D_tls) debug_printf("TLS: checking peer certificate\n");
*errstr = NULL;
-if ((rc = peer_status(state, errstr)) != OK)
+if ((rc = peer_status(state, errstr)) != OK || !state->peerdn)
{
verify = GNUTLS_CERT_INVALID;
*errstr = US"certificate not supplied";
}
else
{
- tls_error(US"gnutls_handshake", US gnutls_strerror(rc), NULL, errstr);
+ tls_error_gnu(US"gnutls_handshake", rc, NULL, errstr);
(void) gnutls_alert_send_appropriate(state->session, rc);
gnutls_deinit(state->session);
gnutls_certificate_free_credentials(state->x509_cred);
/* Called from the smtp transport after STARTTLS has been accepted.
Arguments:
- fd the fd of the connection
- host connected host (for messages and option-tests)
- addr the first address (not used)
- tb transport (always smtp)
- tlsa_dnsa non-NULL, either request or require dane for this host, and
- a TLSA record found. Therefore, dane verify required.
- Which implies cert must be requested and supplied, dane
- verify must pass, and cert verify irrelevant (incl.
- hostnames), and (caller handled) require_tls
- tlsp record details of channel configuration
- errstr error string pointer
-
-Returns: Pointer to TLS session context, or NULL on error
+ cctx connection context
+ conn_args connection details
+ cookie datum for randomness (not used)
+ tlsp record details of channel configuration here; must be non-NULL
+ errstr error string pointer
+
+Returns: TRUE for success with TLS session context set in smtp context,
+ FALSE on error
*/
-void *
-tls_client_start(int fd, host_item *host,
- address_item *addr ARG_UNUSED,
- transport_instance * tb,
-#ifdef SUPPORT_DANE
- dns_answer * tlsa_dnsa,
-#endif
- tls_support * tlsp, uschar ** errstr)
+BOOL
+tls_client_start(client_conn_ctx * cctx, smtp_connect_args * conn_args,
+ void * cookie ARG_UNUSED,
+ tls_support * tlsp, uschar ** errstr)
{
-smtp_transport_options_block *ob = tb
+host_item * host = conn_args->host; /* for msgs and option-tests */
+transport_instance * tb = conn_args->tblock; /* always smtp or NULL */
+smtp_transport_options_block * ob = tb
? (smtp_transport_options_block *)tb->options_block
: &smtp_transport_option_defaults;
int rc;
exim_gnutls_state_st * state = NULL;
-uschar *cipher_list = NULL;
+uschar * cipher_list = NULL;
#ifndef DISABLE_OCSP
BOOL require_ocsp =
: verify_check_given_host(CUSS &ob->hosts_request_ocsp, host) == OK;
#endif
-DEBUG(D_tls) debug_printf("initialising GnuTLS as a client on fd %d\n", fd);
+DEBUG(D_tls) debug_printf("initialising GnuTLS as a client on fd %d\n", cctx->sock);
#ifdef SUPPORT_DANE
-if (tlsa_dnsa && ob->dane_require_tls_ciphers)
+/* If dane is flagged, have either request or require dane for this host, and
+a TLSA record found. Therefore, dane verify required. Which implies cert must
+be requested and supplied, dane verify must pass, and cert verify irrelevant
+(incl. hostnames), and (caller handled) require_tls */
+
+if (conn_args->dane && ob->dane_require_tls_ciphers)
{
/* not using expand_check_tlsvar because not yet in state */
if (!expand_check(ob->dane_require_tls_ciphers, US"dane_require_tls_ciphers",
&cipher_list, errstr))
- return NULL;
+ return FALSE;
cipher_list = cipher_list && *cipher_list
? ob->dane_require_tls_ciphers : ob->tls_require_ciphers;
}
if (tls_init(host, ob->tls_certificate, ob->tls_privatekey,
ob->tls_sni, ob->tls_verify_certificates, ob->tls_crl,
cipher_list, &state, tlsp, errstr) != OK)
- return NULL;
+ return FALSE;
{
int dh_min_bits = ob->tls_dh_min_bits;
the specified host patterns if one of them is defined */
#ifdef SUPPORT_DANE
-if (tlsa_dnsa && dane_tlsa_load(state, tlsa_dnsa))
+if (conn_args->dane && dane_tlsa_load(state, &conn_args->tlsa_dnsa))
{
DEBUG(D_tls)
debug_printf("TLS: server certificate DANE required.\n");
if ((rc = gnutls_ocsp_status_request_enable_client(state->session,
NULL, 0, NULL)) != OK)
{
- tls_error(US"cert-status-req", US gnutls_strerror(rc), state->host, errstr);
- return NULL;
+ tls_error_gnu(US"cert-status-req", rc, state->host, errstr);
+ return FALSE;
}
tlsp->ocsp = OCSP_NOT_RESP;
}
}
#endif
-gnutls_transport_set_ptr(state->session, (gnutls_transport_ptr_t)(long) fd);
-state->fd_in = fd;
-state->fd_out = fd;
+gnutls_transport_set_ptr(state->session, (gnutls_transport_ptr_t)(long) cctx->sock);
+state->fd_in = cctx->sock;
+state->fd_out = cctx->sock;
DEBUG(D_tls) debug_printf("about to gnutls_handshake\n");
/* There doesn't seem to be a built-in timeout on connection. */
tls_error(US"gnutls_handshake", US"timed out", state->host, errstr);
}
else
- tls_error(US"gnutls_handshake", US gnutls_strerror(rc), state->host, errstr);
- return NULL;
+ tls_error_gnu(US"gnutls_handshake", rc, state->host, errstr);
+ return FALSE;
}
DEBUG(D_tls)
if (!verify_certificate(state, errstr))
{
tls_error(US"certificate verification failed", *errstr, state->host, errstr);
- return NULL;
+ return FALSE;
}
#ifndef DISABLE_OCSP
gnutls_free(printed.data);
}
else
- (void) tls_error(US"ocsp decode", US gnutls_strerror(rc), state->host, errstr);
+ (void) tls_error_gnu(US"ocsp decode", rc, state->host, errstr);
}
if (gnutls_ocsp_status_request_is_checked(state->session, 0) == 0)
{
tlsp->ocsp = OCSP_FAILED;
tls_error(US"certificate status check failed", NULL, state->host, errstr);
- return NULL;
+ return FALSE;
}
DEBUG(D_tls) debug_printf("Passed OCSP checking\n");
tlsp->ocsp = OCSP_VFIED;
/* Figure out peer DN, and if authenticated, etc. */
if (peer_status(state, errstr) != OK)
- return NULL;
+ return FALSE;
/* Sets various Exim expansion variables; may need to adjust for ACL callouts */
extract_exim_vars_from_tls_state(state);
-return state;
+cctx->tls_ctx = state;
+return TRUE;
}
else if (inbytes < 0)
{
- DEBUG(D_tls) debug_printf("%s: err from gnutls_record_recv(\n", __FUNCTION__);
+ DEBUG(D_tls) debug_printf("%s: err from gnutls_record_recv\n", __FUNCTION__);
record_io_error(state, (int) inbytes, US"recv", NULL);
state->xfer_error = TRUE;
return FALSE;
}
else
{
- DEBUG(D_tls) debug_printf("%s: err from gnutls_record_recv(\n", __FUNCTION__);
+ DEBUG(D_tls) debug_printf("%s: err from gnutls_record_recv\n", __FUNCTION__);
record_io_error(state, (int)inbytes, US"recv", NULL);
}