Add event for inbound cert visibility

author: Jeremy Harris <jgh146exb@wizmail.org> 2014-10-23 18:22:33 +0100
committer: Jeremy Harris <jgh146exb@wizmail.org> 2014-10-25 21:37:59 +0100
commit: 723fe533c452eb258a5a7e0b808d714bbbc7cb01 (patch)
tree: 04c92fbf113c6b6ab142e18f3e47994f4c7a0e4f /src
parent: aec45841f9139404fd61122e3db1401b13ebb0a8 (diff)
3 files changed, 27 insertions, 19 deletions
diff --git a/src/src/globals.c b/src/src/globals.c
index 1eae4a830..fb705d9d8 100644
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -668,6 +668,13 @@ uschar *errors_copy            = NULL;
 int     error_handling         = ERRORS_SENDER;
 uschar *errors_reply_to        = NULL;
 int     errors_sender_rc       = EXIT_FAILURE;
+#ifdef EXPERIMENTAL_EVENT
+uschar *event_action             = NULL;	/* expansion for delivery events */
+uschar *event_data               = NULL;	/* auxilary data variable for event */
+int     event_defer_errno        = 0;
+uschar *event_name               = NULL;	/* event name variable */
+#endif
+
 
 gid_t   exim_gid               = EXIM_GID;
 BOOL    exim_gid_set           = TRUE;          /* This gid is always set */
@@ -1336,13 +1343,6 @@ int     thismessage_size_limit = 0;
 int     timeout_frozen_after   = 0;
 BOOL    timestamps_utc         = FALSE;
 
-#ifdef EXPERIMENTAL_EVENT
-uschar *event_action             = NULL;	/* expansion for delivery events */
-uschar *event_data               = NULL;	/* auxilary data variable for event */
-int     event_defer_errno        = 0;
-uschar *event_name               = NULL;	/* event name variable */
-#endif
-
 transport_instance  *transports = NULL;
 
 transport_instance  transport_defaults = {
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 20e11cae1..1966c557d 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -1545,15 +1545,15 @@ return 0;
 #ifdef EXPERIMENTAL_EVENT
 /*
 We use this callback to get observability and detail-level control
-for an exim client TLS connection, raising a tls:cert event
-for each cert in the chain presented by the server.  Any event
+for an exim TLS connection (either direction), raising a tls:cert event
+for each cert in the chain presented by the peer.  Any event
 can deny verification.
 
 Return 0 for the handshake to continue or non-zero to terminate.
 */
 
 static int
-client_verify_cb(gnutls_session_t session)
+verify_cb(gnutls_session_t session)
 {
 const gnutls_datum * cert_list;
 unsigned int cert_list_size = 0;
@@ -1664,6 +1664,15 @@ else
   gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
   }
 
+#ifdef EXPERIMENTAL_EVENT
+if (event_action)
+  {
+  state->event_action = event_action;
+  gnutls_session_set_ptr(state->session, state);
+  gnutls_certificate_set_verify_function(state->x509_cred, verify_cb);
+  }
+#endif
+
 /* Register SNI handling; always, even if not in tls_certificate, so that the
 expansion variable $tls_sni is always available. */
 
@@ -1890,7 +1899,7 @@ if (tb->event_action)
   {
   state->event_action = tb->event_action;
   gnutls_session_set_ptr(state->session, state);
-  gnutls_certificate_set_verify_function(state->x509_cred, client_verify_cb);
+  gnutls_certificate_set_verify_function(state->x509_cred, verify_cb);
   }
 #endif
 
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 13a3cd076..4de3cad51 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -287,6 +287,7 @@ verify_callback(int state, X509_STORE_CTX *x509ctx,
 {
 X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
 int depth = X509_STORE_CTX_get_error_depth(x509ctx);
+uschar * ev;
 static uschar txt[256];
 
 X509_NAME_oneline(X509_get_subject_name(cert), CS txt, sizeof(txt));
@@ -323,11 +324,11 @@ else if (depth != 0)
     }
 #endif
 #ifdef EXPERIMENTAL_EVENT
-  if (tlsp == &tls_out && client_static_cbinfo->event_action)
+  ev = tlsp == &tls_out ? client_static_cbinfo->event_action : event_action;
+  if (ev)
     {
     tlsp->peercert = X509_dup(cert);
-    if (event_raise(client_static_cbinfo->event_action,
-		    US"tls:cert", string_sprintf("%d", depth)) == DEFER)
+    if (event_raise(ev, US"tls:cert", string_sprintf("%d", depth)) == DEFER)
       {
       log_write(0, LOG_MAIN, "SSL verify denied by event-action: "
 			      "depth=%d cert=%s", depth, txt);
@@ -392,10 +393,9 @@ else
 #endif	/*EXPERIMENTAL_CERTNAMES*/
 
 #ifdef EXPERIMENTAL_EVENT
-  if (tlsp == &tls_out)
-    {
-    if (event_raise(client_static_cbinfo->event_action,
-		    US"tls:cert", US"0") == DEFER)
+  ev = tlsp == &tls_out ? client_static_cbinfo->event_action : event_action;
+  if (ev)
+    if (event_raise(ev, US"tls:cert", US"0") == DEFER)
       {
       log_write(0, LOG_MAIN, "SSL verify denied by event-action: "
 			      "depth=0 cert=%s", txt);
@@ -403,7 +403,6 @@ else
       *calledp = TRUE;
       return 0;			    /* reject */
       }
-    }
 #endif
 
   DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
author	Jeremy Harris <jgh146exb@wizmail.org>	2014-10-23 18:22:33 +0100
committer	Jeremy Harris <jgh146exb@wizmail.org>	2014-10-25 21:37:59 +0100
commit	723fe533c452eb258a5a7e0b808d714bbbc7cb01 (patch)
tree	04c92fbf113c6b6ab142e18f3e47994f4c7a0e4f /src
parent	aec45841f9139404fd61122e3db1401b13ebb0a8 (diff)