X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/02af313dc5374b79f04fd9961b74835dcc0389e8..01a4a5c5cbaa40ca618d3e233991ce183b551477:/src/src/tls-openssl.c diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index c23ac031f..7c66775c0 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -123,10 +123,7 @@ typedef struct tls_ext_ctx_cb { uschar *server_cipher_list; /* only passed down to tls_error: */ host_item *host; - -#ifdef EXPERIMENTAL_CERTNAMES uschar * verify_cert_hostnames; -#endif #ifdef EXPERIMENTAL_EVENT uschar * event_action; #endif @@ -354,14 +351,11 @@ else if (depth != 0) } else { -#ifdef EXPERIMENTAL_CERTNAMES uschar * verify_cert_hostnames; -#endif tlsp->peerdn = txt; tlsp->peercert = X509_dup(cert); -#ifdef EXPERIMENTAL_CERTNAMES if ( tlsp == &tls_out && ((verify_cert_hostnames = client_static_cbinfo->verify_cert_hostnames))) /* client, wanting hostname check */ @@ -413,7 +407,6 @@ else "tls_try_verify_hosts)\n"); } # endif -#endif /*EXPERIMENTAL_CERTNAMES*/ #ifdef EXPERIMENTAL_EVENT ev = tlsp == &tls_out ? client_static_cbinfo->event_action : event_action; @@ -1289,9 +1282,7 @@ else /* client */ # endif #endif -#ifdef EXPERIMENTAL_CERTNAMES cbinfo->verify_cert_hostnames = NULL; -#endif /* Set up the RSA callback */ @@ -1672,10 +1663,7 @@ return OK; static int tls_client_basic_ctx_init(SSL_CTX * ctx, - host_item * host, smtp_transport_options_block * ob -#ifdef EXPERIMENTAL_CERTNAMES - , tls_ext_ctx_cb * cbinfo -#endif + host_item * host, smtp_transport_options_block * ob, tls_ext_ctx_cb * cbinfo ) { int rc; @@ -1684,12 +1672,10 @@ int rc; the specified host patterns if one of them is defined */ if ( (!ob->tls_verify_hosts && !ob->tls_try_verify_hosts) - || (verify_check_this_host(&ob->tls_verify_hosts, NULL, - host->name, host->address, NULL) == OK) + || (verify_check_given_host(&ob->tls_verify_hosts, host) == OK) ) client_verify_optional = FALSE; -else if (verify_check_this_host(&ob->tls_try_verify_hosts, NULL, - host->name, host->address, NULL) == OK) +else if (verify_check_given_host(&ob->tls_try_verify_hosts, host) == OK) client_verify_optional = TRUE; else return OK; @@ -1698,15 +1684,12 @@ if ((rc = setup_certs(ctx, ob->tls_verify_certificates, ob->tls_crl, host, client_verify_optional, verify_callback_client)) != OK) return rc; -#ifdef EXPERIMENTAL_CERTNAMES -if (verify_check_this_host(&ob->tls_verify_cert_hostnames, NULL, - host->name, host->address, NULL) == OK) +if (verify_check_given_host(&ob->tls_verify_cert_hostnames, host) == OK) { cbinfo->verify_cert_hostnames = host->name; DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n", cbinfo->verify_cert_hostnames); } -#endif return OK; } @@ -1829,15 +1812,15 @@ tls_out.tlsa_usage = 0; } # endif - if ((require_ocsp = verify_check_this_host(&ob->hosts_require_ocsp, - NULL, host->name, host->address, NULL) == OK)) + if ((require_ocsp = + verify_check_given_host(&ob->hosts_require_ocsp, host) == OK)) request_ocsp = TRUE; else # ifdef EXPERIMENTAL_DANE if (!request_ocsp) # endif - request_ocsp = verify_check_this_host(&ob->hosts_request_ocsp, - NULL, host->name, host->address, NULL) == OK; + request_ocsp = + verify_check_given_host(&ob->hosts_request_ocsp, host) == OK; } #endif @@ -1885,11 +1868,8 @@ else #endif - if ((rc = tls_client_basic_ctx_init(client_ctx, host, ob -#ifdef EXPERIMENTAL_CERTNAMES - , client_static_cbinfo -#endif - )) != OK) + if ((rc = tls_client_basic_ctx_init(client_ctx, host, ob, client_static_cbinfo)) + != OK) return rc; if ((client_ssl = SSL_new(client_ctx)) == NULL) @@ -1940,11 +1920,9 @@ if (request_ocsp) { /* Re-eval now $tls_out_tlsa_usage is populated. If this means we avoid the OCSP request, we wasted the setup cost in tls_init(). */ - require_ocsp = verify_check_this_host(&ob->hosts_require_ocsp, - NULL, host->name, host->address, NULL) == OK; - request_ocsp = require_ocsp ? TRUE - : verify_check_this_host(&ob->hosts_request_ocsp, - NULL, host->name, host->address, NULL) == OK; + require_ocsp = verify_check_given_host(&ob->hosts_require_ocsp, host) == OK; + request_ocsp = require_ocsp + || verify_check_given_host(&ob->hosts_request_ocsp, host) == OK; } } # endif