author | Jeremy Harris <jgh146exb@wizmail.org> | 2014-08-10 16:57:15 +0100 |
committer | Jeremy Harris <jgh146exb@wizmail.org> | 2014-08-10 16:57:15 +0100 |
commit | e5cccda9bbf169ea7dc97fa3859735523dd4cec0 (patch) | |
tree | 81dfef815f8b8d0849d3e0da9145eed1b6da3d5f /src | |
parent | 101de4772d807b083287d84da97a356486792eab (diff) |
Capture the knowledge that verification succeeded
Diffstat (limited to 'src')
-rw-r--r-- | src/src/dane-openssl.c | 7 | ||||
-rw-r--r-- | src/src/tls-openssl.c | 27 |
2 files changed, 28 insertions, 6 deletions
diff --git a/src/src/dane-openssl.c b/src/src/dane-openssl.c
index aab32cabd..2430d475f 100644
--- a/src/src/dane-openssl.c
+++ b/src/src/dane-openssl.c
@@ -859,7 +859,7 @@ X509 *cert = ctx->cert; /* XXX: accessor? */
 int matched = 0;
 int chain_length = sk_X509_num(ctx->chain);
-DEBUG(D_tls) debug_printf("Dane verify_chain\n");
+DEBUG(D_tls) debug_printf("Dane verify-chain\n");
 issuer_rrs = dane->selectors[SSL_DANE_USAGE_LIMIT_ISSUER];
 leaf_rrs = dane->selectors[SSL_DANE_USAGE_LIMIT_LEAF];
@@ -952,7 +952,7 @@ int (*cb)(int, X509_STORE_CTX *) = ctx->verify_cb;
 int matched;
 X509 *cert = ctx->cert; /* XXX: accessor? */
-DEBUG(D_tls) debug_printf("Dane verify_cert\n");
+DEBUG(D_tls) debug_printf("Dane verify-cert\n");
 if(ssl_idx < 0)
 ssl_idx = SSL_get_ex_data_X509_STORE_CTX_idx();
@@ -1084,7 +1084,7 @@ DANESSL_cleanup(SSL *ssl)
 ssl_dane *dane;
 int u;
-DEBUG(D_tls) debug_printf("Dane library cleanup fn called\n");
+DEBUG(D_tls) debug_printf("Dane lib-cleanup\n");
 if(dane_idx < 0 || !(dane = SSL_get_ex_data(ssl, dane_idx)))
 return;
@@ -1106,7 +1106,6 @@ if(dane->roots)
 if(dane->chain)
 sk_X509_pop_free(dane->chain, X509_free);
 OPENSSL_free(dane);
-DEBUG(D_tls) debug_printf("Dane library cleanup fn return\n");
 }
 static dane_host_list
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 001403494..e37b1add5 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -361,7 +361,7 @@ else
 return 0; /* reject */
 }
 # endif
-#endif
+#endif /*EXPERIMENTAL_CERTNAMES*/
 DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
 *calledp ? "" : " authenticated", txt);
@@ -385,6 +385,28 @@ return verify_callback(state, x509ctx, &tls_in, &server_verify_callback_called,
 }
+#ifdef EXPERIMENTAL_DANE
+/* This gets called *by* the dane library verify callback, which interposes
+itself.
+*/
+static int
+verify_callback_client_dane(int state, X509_STORE_CTX * x509ctx)
+{
+X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
+static uschar txt[256];
+
+X509_NAME_oneline(X509_get_subject_name(cert), CS txt, sizeof(txt));
+
+DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s\n", txt);
+tls_out.peerdn = txt;
+tls_out.peercert = X509_dup(cert);
+
+if (state == 1)
+ tls_out.certificate_verified = TRUE;
+return 1;
+}
+#endif
+
 /*************************************************
 * Information callback *
@@ -999,7 +1021,6 @@ return i;
 #endif /*!DISABLE_OCSP*/
-
 /*************************************************
 * Initialize for TLS *
 *************************************************/
@@ -1713,6 +1734,8 @@ if (expciphers != NULL)
 #ifdef EXPERIMENTAL_DANE
 if (dane)
 {
+ SSL_CTX_set_verify(client_ctx, SSL_VERIFY_PEER, verify_callback_client_dane);
+
 if (!DANESSL_library_init())
 return tls_error(US"library init", host, NULL);
 if (DANESSL_CTX_init(client_ctx) <= 0)
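Review bot: verify_callback_client_dane sets tls_out.certificate_verified = TRUE whenever state == 1 without looking at which chain element is being examined, so if the DANE library hands it more than the leaf (I cannot tell from this hunk how often it is invoked), a passing issuer at depth > 0 would already flag the connection as verified; the existing verify_callback in this file reports `depth=0` on its "verify ok" line, which suggests the leaf is what should count, so consider `if (state == 1 && X509_STORE_CTX_get_error_depth(x509ctx) == 0)`. The same per-call overwrite applies to tls_out.peercert: each invocation stores a fresh X509_dup(cert) and never releases the previous one, so repeated calls would leak the earlier duplicates and leave peerdn/peercert describing whichever certificate was seen last; recording only at depth 0, or freeing any prior value before the dup, would close that. The unconditional `return 1;` also deserves a comment stating that acceptance is decided by the interposing DANE library, e.g. `/* Always accept here: the DANE library's own callback makes the accept/reject decision */`, since SSL_VERIFY_PEER with an always-true callback rejects nothing by itself.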
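Review bot: The new SSL_CTX_set_verify line installs verify_callback_client_dane before DANESSL_CTX_init, and nothing says that the order matters; the dane-openssl.c hunk reads the existing callback out of the store context (`ctx->verify_cb`), which suggests the library wraps whatever callback is already set, so moving this line below DANESSL_CTX_init would presumably drop it silently. A one-line comment would pin that down, e.g. `/* Must precede DANESSL_CTX_init(): the DANE library interposes on the callback it finds here */`. Because the installed callback always returns 1, SSL_VERIFY_PEER here enforces nothing on its own; the body of the `if (DANESSL_CTX_init(client_ctx) <= 0)` check lies outside the hunk, so confirm it bails out rather than continuing with an accept-all callback installed. The enclosing function starts outside the hunk.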