* Exim - an Internet mail transport agent *
*************************************************/
-/* Copyright (c) University of Cambridge 1995 - 2014 */
+/* Copyright (c) University of Cambridge 1995 - 2015 */
/* See the file NOTICE for conditions of use and distribution. */
/* Copyright (c) Phil Pennock 2012 */
# warning "GnuTLS library version too old; define DISABLE_OCSP in Makefile"
# define DISABLE_OCSP
#endif
-#if GNUTLS_VERSION_NUMBER < 0x020a00 && defined(EXPERIMENTAL_EVENT)
+#if GNUTLS_VERSION_NUMBER < 0x020a00 && !defined(DISABLE_EVENT)
# warning "GnuTLS library version too old; tls:cert event unsupported"
-# undef EXPERIMENTAL_EVENT
+# define DISABLE_EVENT
#endif
#if GNUTLS_VERSION_NUMBER >= 0x030306
# define SUPPORT_CA_DIR
#else
# undef SUPPORT_CA_DIR
#endif
-#if GNUTLS_VERSION_NUMBER >= 0x030314
+#if GNUTLS_VERSION_NUMBER >= 0x030014
# define SUPPORT_SYSDEFAULT_CABUNDLE
#endif
uschar *exp_tls_require_ciphers;
uschar *exp_tls_ocsp_file;
const uschar *exp_tls_verify_cert_hostnames;
-#ifdef EXPERIMENTAL_EVENT
+#ifndef DISABLE_EVENT
uschar *event_action;
#endif
NULL, NULL, NULL, NULL, NULL, NULL,
NULL, NULL, NULL, NULL, NULL, NULL, NULL,
NULL,
-#ifdef EXPERIMENTAL_EVENT
+#ifndef DISABLE_EVENT
NULL,
#endif
NULL,
static BOOL exim_gnutls_base_init_done = FALSE;
+#ifndef DISABLE_OCSP
+static BOOL gnutls_buggy_ocsp = FALSE;
+#endif
+
/* ------------------------------------------------------------------------ */
/* macros */
} while (0)
static int
-import_cert(const gnutls_datum * cert, gnutls_x509_crt_t * crtp)
+import_cert(const gnutls_datum_t * cert, gnutls_x509_crt_t * crtp)
{
int rc;
} else {
old_pool = store_pool;
store_pool = POOL_PERM;
- tls_channelbinding_b64 = auth_b64encode(channel.data, (int)channel.size);
+ tls_channelbinding_b64 = b64encode(channel.data, (int)channel.size);
store_pool = old_pool;
DEBUG(D_tls) debug_printf("Have channel bindings cached for possible auth usage.\n");
}
/* record our certificate */
{
- const gnutls_datum * cert = gnutls_certificate_get_ours(state->session);
+ const gnutls_datum_t * cert = gnutls_certificate_get_ours(state->session);
gnutls_x509_crt_t crt;
tlsp->ourcert = cert && import_cert(cert, &crt)==0 ? crt : NULL;
{
int fd, rc;
unsigned int dh_bits;
-gnutls_datum m;
+gnutls_datum_t m;
uschar filename_buf[PATH_MAX];
uschar *filename = NULL;
size_t sz;
&& tls_ocsp_file
)
{
- if (!expand_check(tls_ocsp_file, US"tls_ocsp_file",
- &state->exp_tls_ocsp_file))
- return DEFER;
+ if (gnutls_buggy_ocsp)
+ {
+ DEBUG(D_tls) debug_printf("GnuTLS library is buggy for OCSP; avoiding\n");
+ }
+ else
+ {
+ if (!expand_check(tls_ocsp_file, US"tls_ocsp_file",
+ &state->exp_tls_ocsp_file))
+ return DEFER;
- /* Use the full callback method for stapling just to get observability.
- More efficient would be to read the file once only, if it never changed
- (due to SNI). Would need restart on file update, or watch datestamp. */
+ /* Use the full callback method for stapling just to get observability.
+ More efficient would be to read the file once only, if it never changed
+ (due to SNI). Would need restart on file update, or watch datestamp. */
- gnutls_certificate_set_ocsp_status_request_function(state->x509_cred,
- server_ocsp_stapling_cb, state->exp_tls_ocsp_file);
+ gnutls_certificate_set_ocsp_status_request_function(state->x509_cred,
+ server_ocsp_stapling_cb, state->exp_tls_ocsp_file);
- DEBUG(D_tls) debug_printf("Set OCSP response file %s\n", &state->exp_tls_ocsp_file);
+ DEBUG(D_tls) debug_printf("OCSP response file = %s\n", state->exp_tls_ocsp_file);
+ }
}
#endif
* Initialize for GnuTLS *
*************************************************/
+
+#ifndef DISABLE_OCSP
+
+static BOOL
+tls_is_buggy_ocsp(void)
+{
+const uschar * s;
+uschar maj, mid, mic;
+
+s = CUS gnutls_check_version(NULL);
+maj = atoi(CCS s);
+if (maj == 3)
+ {
+ while (*s && *s != '.') s++;
+ mid = atoi(CCS ++s);
+ if (mid <= 2)
+ return TRUE;
+ else if (mid >= 5)
+ return FALSE;
+ else
+ {
+ while (*s && *s != '.') s++;
+ mic = atoi(CCS ++s);
+ return mic <= (mid == 3 ? 16 : 3);
+ }
+ }
+return FALSE;
+}
+
+#endif
+
+
/* Called from both server and client code. In the case of a server, errors
before actual TLS negotiation return DEFER.
}
#endif
+#ifndef DISABLE_OCSP
+ if (tls_ocsp_file && (gnutls_buggy_ocsp = tls_is_buggy_ocsp()))
+ log_write(0, LOG_MAIN, "OCSP unusable with this GnuTLS library version");
+#endif
+
exim_gnutls_base_init_done = TRUE;
}
peer_status(exim_gnutls_state_st *state)
{
uschar cipherbuf[256];
-const gnutls_datum *cert_list;
+const gnutls_datum_t *cert_list;
int old_pool, rc;
unsigned int cert_list_size = 0;
gnutls_protocol_t protocol;
#endif
-#ifdef EXPERIMENTAL_EVENT
+#ifndef DISABLE_EVENT
/*
We use this callback to get observability and detail-level control
for an exim TLS connection (either direction), raising a tls:cert event
static int
verify_cb(gnutls_session_t session)
{
-const gnutls_datum * cert_list;
+const gnutls_datum_t * cert_list;
unsigned int cert_list_size = 0;
gnutls_x509_crt_t crt;
int rc;
gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
}
-#ifdef EXPERIMENTAL_EVENT
+#ifndef DISABLE_EVENT
if (event_action)
{
state->event_action = event_action;
that the GnuTLS library doesn't. */
gnutls_transport_set_ptr2(state->session,
- (gnutls_transport_ptr)(long) fileno(smtp_in),
- (gnutls_transport_ptr)(long) fileno(smtp_out));
+ (gnutls_transport_ptr_t)(long) fileno(smtp_in),
+ (gnutls_transport_ptr_t)(long) fileno(smtp_out));
state->fd_in = fileno(smtp_in);
state->fd_out = fileno(smtp_out);
if (verify_check_given_host(&ob->tls_verify_cert_hostnames, host) == OK)
{
state->exp_tls_verify_cert_hostnames =
-#ifdef EXPERIMENTAL_INTERNATIONAL
+#ifdef SUPPORT_I18N
string_domain_utf8_to_alabel(host->name, NULL);
#else
host->name;
gnutls_dh_set_prime_bits(state->session, dh_min_bits);
}
-/* Stick to the old behaviour for compatibility if tls_verify_certificates is
+/* Stick to the old behaviour for compatibility if tls_verify_certificates is
set but both tls_verify_hosts and tls_try_verify_hosts are unset. Check only
the specified host patterns if one of them is defined */
}
#endif
-#ifdef EXPERIMENTAL_EVENT
+#ifndef DISABLE_EVENT
if (tb->event_action)
{
state->event_action = tb->event_action;
}
#endif
-gnutls_transport_set_ptr(state->session, (gnutls_transport_ptr)(long) fd);
+gnutls_transport_set_ptr(state->session, (gnutls_transport_ptr_t)(long) fd);
state->fd_in = fd;
state->fd_out = fd;
projects / exim.git / blobdiff