git://git.exim.org
/
users
/
heiko
/
exim.git
/ commitdiff
commit
grep
author
committer
pickaxe
?
search:
re
summary
|
shortlog
|
log
|
commit
| commitdiff |
tree
raw
|
patch
|
inline
| side by side (parent:
f5d7868
)
tidying
hs12/ocsp_staple_rollup
origin/ocsp_staple_rollup
author
Jeremy Harris
<jgh146exb@wizmail.org>
Mon, 1 Apr 2013 21:25:45 +0000
(22:25 +0100)
committer
Jeremy Harris
<jgh146exb@wizmail.org>
Mon, 1 Apr 2013 21:25:45 +0000
(22:25 +0100)
src/src/tls-openssl.c
patch
|
blob
|
history
diff --git
a/src/src/tls-openssl.c
b/src/src/tls-openssl.c
index 93ee07967d9c26b1d702957b082ad0c696d65a64..8b70b13c5e9d76dc2be0665181a1b092c38788d0 100644
(file)
--- a/
src/src/tls-openssl.c
+++ b/
src/src/tls-openssl.c
@@
-115,7
+115,8
@@
tls_ext_ctx_cb *client_static_cbinfo = NULL;
tls_ext_ctx_cb *server_static_cbinfo = NULL;
static int
tls_ext_ctx_cb *server_static_cbinfo = NULL;
static int
-setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional, BOOL client);
+setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
+ int (*cert_vfy_cb)(int, X509_STORE_CTX *) );
/* Callbacks */
#ifdef EXIM_HAVE_OPENSSL_TLSEXT
/* Callbacks */
#ifdef EXIM_HAVE_OPENSSL_TLSEXT
@@
-307,6
+308,9
@@
else
/*XXX JGH: this looks bogus - we set "verified" first time through, which
will be for the root CS cert (calls work down the chain). Why should it
not be on the last call, where we're setting peerdn?
/*XXX JGH: this looks bogus - we set "verified" first time through, which
will be for the root CS cert (calls work down the chain). Why should it
not be on the last call, where we're setting peerdn?
+
+To test: set up a chain anchored by a good root-CA but with a bad server cert.
+Does certificate_verified get set?
*/
if (!*calledp) tlsp->certificate_verified = TRUE;
*calledp = TRUE;
*/
if (!*calledp) tlsp->certificate_verified = TRUE;
*calledp = TRUE;
@@
-739,7
+743,7
@@
if (cbinfo->u_ocsp.server.file)
}
#endif
}
#endif
-rc = setup_certs(server_sni, tls_verify_certificates, tls_crl, NULL, FALSE,
FALSE
);
+rc = setup_certs(server_sni, tls_verify_certificates, tls_crl, NULL, FALSE,
verify_callback_server
);
if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
/* do this after setup_certs, because this can require the certs for verifying
if (rc != OK) return SSL_TLSEXT_ERR_NOACK;
/* do this after setup_certs, because this can require the certs for verifying
@@
-1191,13
+1195,14
@@
Arguments:
host NULL in a server; the remote host in a client
optional TRUE if called from a server for a host in tls_try_verify_hosts;
otherwise passed as FALSE
host NULL in a server; the remote host in a client
optional TRUE if called from a server for a host in tls_try_verify_hosts;
otherwise passed as FALSE
- c
lient TRUE if called for client startup, FALSE for server startup
+ c
ert_vfy_cb Callback function for certificate verification
Returns: OK/DEFER/FAIL
*/
static int
Returns: OK/DEFER/FAIL
*/
static int
-setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional, BOOL client)
+setup_certs(SSL_CTX *sctx, uschar *certs, uschar *crl, host_item *host, BOOL optional,
+ int (*cert_vfy_cb)(int, X509_STORE_CTX *) )
{
uschar *expcerts, *expcrl;
{
uschar *expcerts, *expcrl;
@@
-1296,7
+1301,7
@@
if (expcerts != NULL && *expcerts != '\0')
SSL_CTX_set_verify(sctx,
SSL_VERIFY_PEER | (optional? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
SSL_CTX_set_verify(sctx,
SSL_VERIFY_PEER | (optional? 0 : SSL_VERIFY_FAIL_IF_NO_PEER_CERT),
- c
lient ? verify_callback_client : verify_callback_server
);
+ c
ert_vfy_cb
);
}
return OK;
}
return OK;
@@
-1375,13
+1380,15
@@
server_verify_callback_called = FALSE;
if (verify_check_host(&tls_verify_hosts) == OK)
{
if (verify_check_host(&tls_verify_hosts) == OK)
{
- rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL, FALSE, FALSE);
+ rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
+ FALSE, verify_callback_server);
if (rc != OK) return rc;
server_verify_optional = FALSE;
}
else if (verify_check_host(&tls_try_verify_hosts) == OK)
{
if (rc != OK) return rc;
server_verify_optional = FALSE;
}
else if (verify_check_host(&tls_try_verify_hosts) == OK)
{
- rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL, TRUE, FALSE);
+ rc = setup_certs(server_ctx, tls_verify_certificates, tls_crl, NULL,
+ TRUE, verify_callback_server);
if (rc != OK) return rc;
server_verify_optional = TRUE;
}
if (rc != OK) return rc;
server_verify_optional = TRUE;
}
@@
-1549,7
+1556,7
@@
if (expciphers != NULL)
return tls_error(US"SSL_CTX_set_cipher_list", host, NULL);
}
return tls_error(US"SSL_CTX_set_cipher_list", host, NULL);
}
-rc = setup_certs(client_ctx, verify_certs, crl, host, FALSE,
TRUE
);
+rc = setup_certs(client_ctx, verify_certs, crl, host, FALSE,
verify_callback_client
);
if (rc != OK) return rc;
if ((client_ssl = SSL_new(client_ctx)) == NULL) return tls_error(US"SSL_new", host, NULL);
if (rc != OK) return rc;
if ((client_ssl = SSL_new(client_ctx)) == NULL) return tls_error(US"SSL_new", host, NULL);