Capture the knowledge that verification succeeded
index 0014034944934106832a2de0f2f4bec89c0e598a..e37b1add5001ad6ba8b6a2f02f07dee08f8b34df 100644 (file)
@@ -361,7 +361,7 @@ else
       return 0;                                /* reject */
       }
 # endif
-#endif
+#endif /*EXPERIMENTAL_CERTNAMES*/
 
   DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
     *calledp ? "" : " authenticated", txt);
@@ -385,6 +385,28 @@ return verify_callback(state, x509ctx, &tls_in, &server_verify_callback_called,
 }
 
 
+#ifdef EXPERIMENTAL_DANE
+/* This gets called *by* the dane library verify callback, which interposes
+itself.
+*/
+static int
+verify_callback_client_dane(int state, X509_STORE_CTX * x509ctx)
+{
+X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
+static uschar txt[256];
+
+X509_NAME_oneline(X509_get_subject_name(cert), CS txt, sizeof(txt));
+
+DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s\n", txt);
+tls_out.peerdn = txt;
+tls_out.peercert = X509_dup(cert);
+
+if (state == 1)
+  tls_out.certificate_verified = TRUE;
+return 1;
+}
+#endif
+
 
 /*************************************************
 *           Information callback                 *
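Review bot: verify_callback_client_dane records state into tls_out without looking at the chain depth: `tls_out.certificate_verified` is set TRUE whenever `state == 1` and is never cleared on a later `state == 0`, and `tls_out.peercert` is overwritten with a fresh `X509_dup(cert)` on every invocation without freeing the previous copy. If the dane library forwards the callback for every certificate in the chain (the hunk's own comment says it interposes itself, but the exact call pattern is not visible here), an intermediate that passes followed by a leaf that fails would leave certificate_verified TRUE, and each extra depth leaks one X509. Recording only at depth 0 and releasing the prior copy avoids both; the server-side callback earlier in the file (the `depth=0` debug line in the first hunk) already restricts itself that way. The always-`return 1` presumably leaves the accept/reject decision to the dane library; a one-line comment saying so would help the next reader.
```c
static int
verify_callback_client_dane(int state, X509_STORE_CTX * x509ctx)
{
X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
static uschar txt[256];

X509_NAME_oneline(X509_get_subject_name(cert), CS txt, sizeof(txt));
DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s\n", txt);

/* Only the leaf (depth 0) describes the peer; ignore intermediates/roots. */
if (X509_STORE_CTX_get_error_depth(x509ctx) == 0)
  {
  tls_out.peerdn = txt;
  X509_free(tls_out.peercert);          /* drop any copy from an earlier call */
  tls_out.peercert = X509_dup(cert);
  tls_out.certificate_verified = (state == 1);
  }
/* Accept here; the dane library makes the final accept/reject decision. */
return 1;
}
```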
@@ -999,7 +1021,6 @@ return i;
 #endif /*!DISABLE_OCSP*/
 
 
-
 /*************************************************
 *            Initialize for TLS                  *
 *************************************************/
@@ -1713,6 +1734,8 @@ if (expciphers != NULL)
 #ifdef EXPERIMENTAL_DANE
 if (dane)
   {
+  SSL_CTX_set_verify(client_ctx, SSL_VERIFY_PEER, verify_callback_client_dane);
+
   if (!DANESSL_library_init())
     return tls_error(US"library init", host, NULL);
   if (DANESSL_CTX_init(client_ctx) <= 0)
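Review bot: The ordering of the new SSL_CTX_set_verify call ahead of DANESSL_library_init()/DANESSL_CTX_init() is load-bearing but undocumented; the earlier hunk's comment says the dane library interposes its own verify callback, which presumably means DANESSL_CTX_init reads and wraps whatever callback is installed at that point, so moving this line below the init calls would silently detach verify_callback_client_dane. A short comment on the new line would pin that down: `/* Must precede DANESSL_CTX_init(), which wraps the installed verify callback */`. The enclosing `if (dane)` block continues past the end of the hunk.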