Make dmarc code c89 compliant

[exim.git] / src / src / tls-openssl.c

diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index b273fff75fcccc5551a0a2d80927bcbc96f5a062..a64f85dea25afe91caf16515b9e0350ba0db4fba 100644 (file)
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -2,7 +2,7 @@
 *     Exim - an Internet mail transport agent    *
 *************************************************/
 
-/* Copyright (c) University of Cambridge 1995 - 2012 */
+/* Copyright (c) University of Cambridge 1995 - 2013 */
 /* See the file NOTICE for conditions of use and distribution. */
 
 /* Portions Copyright (c) The OpenSSL Project 1999 */
@@ -1137,37 +1137,9 @@ construct_cipher_name(SSL *ssl, uschar *cipherbuf, int bsize, int *bits)
 yet reflect that.  It should be a safe change anyway, even 0.9.8 versions have
 the accessor functions use const in the prototype. */
 const SSL_CIPHER *c;
-uschar *ver;
+const uschar *ver;
 
-switch (ssl->session->ssl_version)
-  {
-  case SSL2_VERSION:
-  ver = US"SSLv2";
-  break;
-
-  case SSL3_VERSION:
-  ver = US"SSLv3";
-  break;
-
-  case TLS1_VERSION:
-  ver = US"TLSv1";
-  break;
-
-#ifdef TLS1_1_VERSION
-  case TLS1_1_VERSION:
-  ver = US"TLSv1.1";
-  break;
-#endif
-
-#ifdef TLS1_2_VERSION
-  case TLS1_2_VERSION:
-  ver = US"TLSv1.2";
-  break;
-#endif
-
-  default:
-  ver = US"UNKNOWN";
-  }
+ver = (const uschar *)SSL_get_version(ssl);
 
 c = (const SSL_CIPHER *) SSL_get_current_cipher(ssl);
 SSL_CIPHER_get_bits(c, bits);
@@ -1504,6 +1476,8 @@ Argument:
   dh_min_bits      minimum number of bits acceptable in server's DH prime
                    (unused in OpenSSL)
   timeout          startup timeout
+  verify_hosts     mandatory client verification 
+  try_verify_hosts optional client verification
 
 Returns:           OK on success
                    FAIL otherwise - note that tls_error() will not give DEFER
@@ -1518,7 +1492,8 @@ tls_client_start(int fd, host_item *host, address_item *addr,
 #ifdef EXPERIMENTAL_OCSP
   uschar *hosts_require_ocsp,
 #endif
-  int dh_min_bits ARG_UNUSED, int timeout)
+  int dh_min_bits ARG_UNUSED, int timeout,
+  uschar *verify_hosts, uschar *try_verify_hosts)
 {
 static uschar txt[256];
 uschar *expciphers;
@@ -1556,8 +1531,22 @@ if (expciphers != NULL)
     return tls_error(US"SSL_CTX_set_cipher_list", host, NULL);
   }
 
-rc = setup_certs(client_ctx, verify_certs, crl, host, FALSE, verify_callback_client);
-if (rc != OK) return rc;
+/* stick to the old behaviour for compatibility if tls_verify_certificates is 
+   set but both tls_verify_hosts and tls_try_verify_hosts is not set. Check only 
+   the specified host patterns if one of them is defined */
+if (((verify_hosts == NULL) && (try_verify_hosts == NULL)) ||
+    (verify_check_host(&verify_hosts) == OK))
+  {
+  rc = setup_certs(client_ctx, verify_certs, crl, host, FALSE, verify_callback_client);
+  if (rc != OK) return rc;
+  client_verify_optional = FALSE;
+  }
+else if (verify_check_host(&try_verify_hosts) == OK)
+  {
+  rc = setup_certs(client_ctx, verify_certs, crl, host, TRUE, verify_callback_client);
+  if (rc != OK) return rc;
+  client_verify_optional = TRUE;
+  }
 
 if ((client_ssl = SSL_new(client_ctx)) == NULL) return tls_error(US"SSL_new", host, NULL);
 SSL_set_session_id_context(client_ssl, sid_ctx, Ustrlen(sid_ctx));