X-Git-Url: https://vcs.fsf.org/?a=blobdiff_plain;f=src%2Fsrc%2Ftls-openssl.c;h=bb17821e474d37fc39c31ebd1fee204041b255c8;hb=cb1d783072c488a4a558607b2ee122efba95aa4b;hp=b1094b1c2a98feb2463c15fc8c944732ee76cc07;hpb=aa2a70baf1a7ae2d6c579094a188c1d30d3d5fd5;p=exim.git

diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index b1094b1c2..bb17821e4 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -123,10 +123,7 @@ typedef struct tls_ext_ctx_cb {
   uschar *server_cipher_list;
   /* only passed down to tls_error: */
   host_item *host;
-
-#ifdef EXPERIMENTAL_CERTNAMES
   uschar * verify_cert_hostnames;
-#endif
 #ifdef EXPERIMENTAL_EVENT
   uschar * event_action;
 #endif
@@ -172,7 +169,7 @@ Returns:    OK/DEFER/FAIL
 */
 
 static int
-tls_error(uschar *prefix, host_item *host, uschar *msg)
+tls_error(uschar * prefix, const host_item * host, uschar *  msg)
 {
 if (!msg)
   {
@@ -354,14 +351,11 @@ else if (depth != 0)
   }
 else
   {
-#ifdef EXPERIMENTAL_CERTNAMES
   uschar * verify_cert_hostnames;
-#endif
 
   tlsp->peerdn = txt;
   tlsp->peercert = X509_dup(cert);
 
-#ifdef EXPERIMENTAL_CERTNAMES
   if (  tlsp == &tls_out
      && ((verify_cert_hostnames = client_static_cbinfo->verify_cert_hostnames)))
      	/* client, wanting hostname check */
@@ -413,7 +407,6 @@ else
 	"tls_try_verify_hosts)\n");
       }
 # endif
-#endif	/*EXPERIMENTAL_CERTNAMES*/
 
 #ifdef EXPERIMENTAL_EVENT
   ev = tlsp == &tls_out ? client_static_cbinfo->event_action : event_action;
@@ -541,7 +534,7 @@ Returns:    TRUE if OK (nothing to set up, or setup worked)
 */
 
 static BOOL
-init_dh(SSL_CTX *sctx, uschar *dhparam, host_item *host)
+init_dh(SSL_CTX *sctx, uschar *dhparam, const host_item *host)
 {
 BIO *bio;
 DH *dh;
@@ -1289,9 +1282,7 @@ else			/* client */
 # endif
 #endif
 
-#ifdef EXPERIMENTAL_CERTNAMES
 cbinfo->verify_cert_hostnames = NULL;
-#endif
 
 /* Set up the RSA callback */
 
@@ -1375,50 +1366,65 @@ if (!expand_check(certs, US"tls_verify_certificates", &expcerts))
 
 if (expcerts != NULL && *expcerts != '\0')
   {
-  struct stat statbuf;
-  if (!SSL_CTX_set_default_verify_paths(sctx))
-    return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL);
-
-  if (Ustat(expcerts, &statbuf) < 0)
+  if (Ustrcmp(expcerts, "system") == 0)
     {
-    log_write(0, LOG_MAIN|LOG_PANIC,
-      "failed to stat %s for certificates", expcerts);
-    return DEFER;
+    /* Tell the library to use its compiled-in location for the system default
+    CA bundle, only */
+
+    if (!SSL_CTX_set_default_verify_paths(sctx))
+      return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL);
     }
   else
     {
-    uschar *file, *dir;
-    if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
-      { file = NULL; dir = expcerts; }
+    struct stat statbuf;
+
+    /* Tell the library to use its compiled-in location for the system default
+    CA bundle. Those given by the exim config are additional to these */
+
+    if (!SSL_CTX_set_default_verify_paths(sctx))
+      return tls_error(US"SSL_CTX_set_default_verify_paths", host, NULL);
+
+    if (Ustat(expcerts, &statbuf) < 0)
+      {
+      log_write(0, LOG_MAIN|LOG_PANIC,
+	"failed to stat %s for certificates", expcerts);
+      return DEFER;
+      }
     else
-      { file = expcerts; dir = NULL; }
-
-    /* If a certificate file is empty, the next function fails with an
-    unhelpful error message. If we skip it, we get the correct behaviour (no
-    certificates are recognized, but the error message is still misleading (it
-    says no certificate was supplied.) But this is better. */
-
-    if ((file == NULL || statbuf.st_size > 0) &&
-          !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
-      return tls_error(US"SSL_CTX_load_verify_locations", host, NULL);
-
-    /* Load the list of CAs for which we will accept certs, for sending
-    to the client.  This is only for the one-file tls_verify_certificates
-    variant.
-    If a list isn't loaded into the server, but
-    some verify locations are set, the server end appears to make
-    a wildcard reqest for client certs.
-    Meanwhile, the client library as deafult behaviour *ignores* the list
-    we send over the wire - see man SSL_CTX_set_client_cert_cb.
-    Because of this, and that the dir variant is likely only used for
-    the public-CA bundle (not for a private CA), not worth fixing.
-    */
-    if (file != NULL)
       {
-      STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file);
-DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n",
-				  sk_X509_NAME_num(names));
-      SSL_CTX_set_client_CA_list(sctx, names);
+      uschar *file, *dir;
+      if ((statbuf.st_mode & S_IFMT) == S_IFDIR)
+	{ file = NULL; dir = expcerts; }
+      else
+	{ file = expcerts; dir = NULL; }
+
+      /* If a certificate file is empty, the next function fails with an
+      unhelpful error message. If we skip it, we get the correct behaviour (no
+      certificates are recognized, but the error message is still misleading (it
+      says no certificate was supplied.) But this is better. */
+
+      if ((file == NULL || statbuf.st_size > 0) &&
+	    !SSL_CTX_load_verify_locations(sctx, CS file, CS dir))
+	return tls_error(US"SSL_CTX_load_verify_locations", host, NULL);
+
+      /* Load the list of CAs for which we will accept certs, for sending
+      to the client.  This is only for the one-file tls_verify_certificates
+      variant.
+      If a list isn't loaded into the server, but
+      some verify locations are set, the server end appears to make
+      a wildcard reqest for client certs.
+      Meanwhile, the client library as deafult behaviour *ignores* the list
+      we send over the wire - see man SSL_CTX_set_client_cert_cb.
+      Because of this, and that the dir variant is likely only used for
+      the public-CA bundle (not for a private CA), not worth fixing.
+      */
+      if (file != NULL)
+	{
+	STACK_OF(X509_NAME) * names = SSL_load_client_CA_file(CS file);
+  DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n",
+				    sk_X509_NAME_num(names));
+	SSL_CTX_set_client_CA_list(sctx, names);
+	}
       }
     }
 
@@ -1672,10 +1678,7 @@ return OK;
 
 static int
 tls_client_basic_ctx_init(SSL_CTX * ctx,
-    host_item * host, smtp_transport_options_block * ob
-#ifdef EXPERIMENTAL_CERTNAMES
-    , tls_ext_ctx_cb * cbinfo
-#endif
+    host_item * host, smtp_transport_options_block * ob, tls_ext_ctx_cb * cbinfo
 			  )
 {
 int rc;
@@ -1684,12 +1687,10 @@ int rc;
    the specified host patterns if one of them is defined */
 
 if (  (!ob->tls_verify_hosts && !ob->tls_try_verify_hosts)
-   || (verify_check_this_host(&ob->tls_verify_hosts, NULL,
-		host->name, host->address, NULL) == OK)
+   || (verify_check_given_host(&ob->tls_verify_hosts, host) == OK)
    )
   client_verify_optional = FALSE;
-else if (verify_check_this_host(&ob->tls_try_verify_hosts, NULL,
-		host->name, host->address, NULL) == OK)
+else if (verify_check_given_host(&ob->tls_try_verify_hosts, host) == OK)
   client_verify_optional = TRUE;
 else
   return OK;
@@ -1698,15 +1699,12 @@ if ((rc = setup_certs(ctx, ob->tls_verify_certificates,
       ob->tls_crl, host, client_verify_optional, verify_callback_client)) != OK)
   return rc;
 
-#ifdef EXPERIMENTAL_CERTNAMES
-if (verify_check_this_host(&ob->tls_verify_cert_hostnames, NULL,
-	      host->name, host->address, NULL) == OK)
+if (verify_check_given_host(&ob->tls_verify_cert_hostnames, host) == OK)
   {
   cbinfo->verify_cert_hostnames = host->name;
   DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
 		    cbinfo->verify_cert_hostnames);
   }
-#endif
 return OK;
 }
 
@@ -1829,15 +1827,15 @@ tls_out.tlsa_usage = 0;
     }
 # endif
 
-  if ((require_ocsp = verify_check_this_host(&ob->hosts_require_ocsp,
-    NULL, host->name, host->address, NULL) == OK))
+  if ((require_ocsp =
+	verify_check_given_host(&ob->hosts_require_ocsp, host) == OK))
     request_ocsp = TRUE;
   else
 # ifdef EXPERIMENTAL_DANE
     if (!request_ocsp)
 # endif
-      request_ocsp = verify_check_this_host(&ob->hosts_request_ocsp,
-	  NULL, host->name, host->address, NULL) == OK;
+      request_ocsp =
+	verify_check_given_host(&ob->hosts_request_ocsp, host) == OK;
   }
 #endif
 
@@ -1872,7 +1870,9 @@ if (expciphers != NULL)
 #ifdef EXPERIMENTAL_DANE
 if (tlsa_dnsa)
   {
-  SSL_CTX_set_verify(client_ctx, SSL_VERIFY_PEER, verify_callback_client_dane);
+  SSL_CTX_set_verify(client_ctx,
+    SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
+    verify_callback_client_dane);
 
   if (!DANESSL_library_init())
     return tls_error(US"library init", host, NULL);
@@ -1883,11 +1883,8 @@ else
 
 #endif
 
-  if ((rc = tls_client_basic_ctx_init(client_ctx, host, ob
-#ifdef EXPERIMENTAL_CERTNAMES
-				, client_static_cbinfo
-#endif
-				)) != OK)
+  if ((rc = tls_client_basic_ctx_init(client_ctx, host, ob, client_static_cbinfo))
+      != OK)
     return rc;
 
 if ((client_ssl = SSL_new(client_ctx)) == NULL)
@@ -1938,11 +1935,9 @@ if (request_ocsp)
     {	/* Re-eval now $tls_out_tlsa_usage is populated.  If
     	this means we avoid the OCSP request, we wasted the setup
 	cost in tls_init(). */
-    require_ocsp = verify_check_this_host(&ob->hosts_require_ocsp,
-      NULL, host->name, host->address, NULL) == OK;
-    request_ocsp = require_ocsp ? TRUE
-      : verify_check_this_host(&ob->hosts_request_ocsp,
-	  NULL, host->name, host->address, NULL) == OK;
+    require_ocsp = verify_check_given_host(&ob->hosts_require_ocsp, host) == OK;
+    request_ocsp = require_ocsp
+      || verify_check_given_host(&ob->hosts_request_ocsp, host) == OK;
     }
   }
 # endif