author | Jeremy Harris <jgh146exb@wizmail.org> | 2014-11-22 19:16:19 +0000 |
---|---|---|
committer | Jeremy Harris <jgh146exb@wizmail.org> | 2015-01-12 18:58:33 +0000 |
commit | 01a4a5c5cbaa40ca618d3e233991ce183b551477 (patch) | |
tree | bbef9f6e942157f611d0db4d70dbbeabca9e0337 /src | |
parent | ad07e9add2a9959a2cc07c996452fcfc10ccab9f (diff) |
Move certificate name checking to mainline, default enabled
This is an exim client checking a server certificate.
Diffstat (limited to 'src')
-rw-r--r-- | src/src/config.h.defaults | 1 | ||||
-rw-r--r-- | src/src/exim.c | 3 | ||||
-rw-r--r-- | src/src/functions.h | 2 | ||||
-rw-r--r-- | src/src/tls-gnu.c | 14 | ||||
-rw-r--r-- | src/src/tls-openssl.c | 23 | ||||
-rw-r--r-- | src/src/tls.c | 2 | ||||
-rw-r--r-- | src/src/transports/smtp.c | 8 | ||||
-rw-r--r-- | src/src/transports/smtp.h | 2 |
8 files changed, 6 insertions, 49 deletions
diff --git a/src/src/config.h.defaults b/src/src/config.h.defaults
index a0997a01e..ec4322c70 100644
--- a/src/src/config.h.defaults
+++ b/src/src/config.h.defaults
@@ -167,7 +167,6 @@ it's a default value. */
 /* EXPERIMENTAL features */
 #define EXPERIMENTAL_BRIGHTMAIL
-#define EXPERIMENTAL_CERTNAMES
 #define EXPERIMENTAL_DANE
 #define EXPERIMENTAL_DCC
 #define EXPERIMENTAL_DMARC
diff --git a/src/src/exim.c b/src/src/exim.c
index d6915d4ad..e0b754666 100644
--- a/src/src/exim.c
+++ b/src/src/exim.c
@@ -853,9 +853,6 @@ fprintf(f, "Support for:");
 #ifdef EXPERIMENTAL_REDIS
 fprintf(f, " Experimental_Redis");
 #endif
-#ifdef EXPERIMENTAL_CERTNAMES
- fprintf(f, " Experimental_Certnames");
-#endif
 #ifdef EXPERIMENTAL_DSN
 fprintf(f, " Experimental_DSN");
 #endif
diff --git a/src/src/functions.h b/src/src/functions.h
index a74c94b83..68609f232 100644
--- a/src/src/functions.h
+++ b/src/src/functions.h
@@ -67,9 +67,7 @@ extern void tls_version_report(FILE *);
 extern BOOL tls_openssl_options_parse(uschar *, long *);
 # endif
 extern uschar * tls_field_from_dn(uschar *, uschar *);
-# ifdef EXPERIMENTAL_CERTNAMES
 extern BOOL tls_is_name_for_cert(uschar *, void *);
-# endif
 # ifdef EXPERIMENTAL_DANE
 extern int tlsa_lookup(const host_item *, dns_answer *, BOOL, BOOL *);
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index bdc032f35..b520ebfd8 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -117,9 +117,7 @@ typedef struct exim_gnutls_state {
 uschar *exp_tls_crl;
 uschar *exp_tls_require_ciphers;
 uschar *exp_tls_ocsp_file;
-#ifdef EXPERIMENTAL_CERTNAMES
 uschar *exp_tls_verify_cert_hostnames;
-#endif
 #ifdef EXPERIMENTAL_EVENT
 uschar *event_action;
 #endif
@@ -138,9 +136,7 @@ static const exim_gnutls_state_st exim_gnutls_state_init = {
 NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL, NULL,
-#ifdef EXPERIMENTAL_CERTNAMES
- NULL,
-#endif
+ NULL,
 #ifdef EXPERIMENTAL_EVENT
 NULL,
 #endif
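Review bot: The added `+  NULL,` in the `exim_gnutls_state_init` hunk (@@ -138) is a positional initializer slot whose meaning is only recoverable by counting members in the `exim_gnutls_state` typedef of the previous hunk (@@ -117), and the `#ifdef EXPERIMENTAL_EVENT` slot right after it shows how easily the two lists drift apart. Labelling the slot, `NULL,	/* exp_tls_verify_cert_hostnames */`, keeps the initializer auditable the next time a member is added or made conditional. The initializer's opening line is the hunk's header context and its closing brace lies outside the hunk.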
@@ -1385,7 +1381,6 @@ if (rc < 0 ||
 else
 {
-#ifdef EXPERIMENTAL_CERTNAMES
 if (state->exp_tls_verify_cert_hostnames)
 {
 int sep = 0;
@@ -1407,7 +1402,6 @@ else
 return TRUE;
 }
 }
-#endif
 state->peer_cert_verified = TRUE;
 DEBUG(D_tls) debug_printf("TLS certificate verified: peerdn=\"%s\"\n",
 state->peerdn ? state->peerdn : US"<unset>");
@@ -1771,7 +1765,6 @@ return OK;
-#ifdef EXPERIMENTAL_CERTNAMES
 static void
 tls_client_setup_hostname_checks(host_item * host, exim_gnutls_state_st * state,
 smtp_transport_options_block * ob)
@@ -1784,7 +1777,6 @@ if (verify_check_given_host(&ob->tls_verify_cert_hostnames, host) == OK)
 state->exp_tls_verify_cert_hostnames);
 }
 }
-#endif
 /*************************************************
@@ -1859,9 +1851,7 @@ if ( ( state->exp_tls_verify_certificates
 || verify_check_given_host(&ob->tls_verify_hosts, host) == OK
 )
 {
-#ifdef EXPERIMENTAL_CERTNAMES
 tls_client_setup_hostname_checks(host, state, ob);
-#endif
 DEBUG(D_tls) debug_printf("TLS: server certificate verification required.\n");
 state->verify_requirement = VERIFY_REQUIRED;
@@ -1869,9 +1859,7 @@ if ( ( state->exp_tls_verify_certificates
 }
 else if (verify_check_given_host(&ob->tls_try_verify_hosts, host) == OK)
 {
-#ifdef EXPERIMENTAL_CERTNAMES
 tls_client_setup_hostname_checks(host, state, ob);
-#endif
 DEBUG(D_tls) debug_printf("TLS: server certificate verification optional.\n");
 state->verify_requirement = VERIFY_OPTIONAL;
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 43fbaa41a..7c66775c0 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -123,10 +123,7 @@ typedef struct tls_ext_ctx_cb {
 uschar *server_cipher_list;
 /* only passed down to tls_error: */
 host_item *host;
-
-#ifdef EXPERIMENTAL_CERTNAMES
 uschar * verify_cert_hostnames;
-#endif
 #ifdef EXPERIMENTAL_EVENT
 uschar * event_action;
 #endif
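Review bot: `uschar * verify_cert_hostnames;` becomes an unconditional member of `tls_ext_ctx_cb` (@@ -123 of tls-openssl.c) but stays undocumented, and it now sits directly under a comment that refers only to `host`. From the hunks that use it, the field appears to hold the name the server certificate must match when non-NULL and to be consulted only on the `tls_out` path, so a member comment such as `uschar * verify_cert_hostnames;	/* client: name the server cert must match; NULL = no name check */` would record the contract the verify callback depends on. The struct's closing brace lies outside the hunk.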
@@ -354,14 +351,11 @@ else if (depth != 0)
 }
 else
 {
-#ifdef EXPERIMENTAL_CERTNAMES
 uschar * verify_cert_hostnames;
-#endif
 tlsp->peerdn = txt;
 tlsp->peercert = X509_dup(cert);
-#ifdef EXPERIMENTAL_CERTNAMES
 if ( tlsp == &tls_out
 && ((verify_cert_hostnames = client_static_cbinfo->verify_cert_hostnames)))
 /* client, wanting hostname check */
@@ -413,7 +407,6 @@ else
 "tls_try_verify_hosts)\n");
 }
 # endif
-#endif /*EXPERIMENTAL_CERTNAMES*/
 #ifdef EXPERIMENTAL_EVENT
 ev = tlsp == &tls_out ? client_static_cbinfo->event_action : event_action;
@@ -1289,9 +1282,7 @@ else /* client */
 # endif
 #endif
-#ifdef EXPERIMENTAL_CERTNAMES
 cbinfo->verify_cert_hostnames = NULL;
-#endif
 /* Set up the RSA callback */
@@ -1672,10 +1663,7 @@ return OK;
 static int
 tls_client_basic_ctx_init(SSL_CTX * ctx,
- host_item * host, smtp_transport_options_block * ob
-#ifdef EXPERIMENTAL_CERTNAMES
- , tls_ext_ctx_cb * cbinfo
-#endif
+ host_item * host, smtp_transport_options_block * ob, tls_ext_ctx_cb * cbinfo
 )
 {
 int rc;
@@ -1696,14 +1684,12 @@ if ((rc = setup_certs(ctx, ob->tls_verify_certificates, ob->tls_crl,
 host, client_verify_optional, verify_callback_client)) != OK)
 return rc;
-#ifdef EXPERIMENTAL_CERTNAMES
 if (verify_check_given_host(&ob->tls_verify_cert_hostnames, host) == OK)
 {
 cbinfo->verify_cert_hostnames = host->name;
 DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n",
 cbinfo->verify_cert_hostnames);
 }
-#endif
 return OK;
 }
@@ -1882,11 +1868,8 @@ else
 #endif
- if ((rc = tls_client_basic_ctx_init(client_ctx, host, ob
-#ifdef EXPERIMENTAL_CERTNAMES
- , client_static_cbinfo
-#endif
- )) != OK)
+ if ((rc = tls_client_basic_ctx_init(client_ctx, host, ob, client_static_cbinfo))
+ != OK)
 return rc;
 if ((client_ssl = SSL_new(client_ctx)) == NULL)
diff --git a/src/src/tls.c b/src/src/tls.c
index b3d088df3..11823795c 100644
--- a/src/src/tls.c
+++ b/src/src/tls.c
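Review bot: `tls_client_basic_ctx_init` now dereferences its unconditional `cbinfo` parameter at `cbinfo->verify_cert_hostnames = host->name;` (@@ -1696) with no guard and no stated contract; the only caller visible (@@ -1882) passes the file-static `client_static_cbinfo`, so a future caller passing NULL would fault only once `tls_verify_cert_hostnames` matches a host. A header comment on the definition in @@ -1672 should state that `cbinfo` must be non-NULL and that it receives the hostname the server certificate is required to match. It is worth the same comment noting that the name checked is `host->name` from the host_item, presumably the name Exim resolved to connect to rather than anything received from the peer. The function body between the two hunks is outside view.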
@@ -281,7 +281,6 @@ return list;
 }
-# ifdef EXPERIMENTAL_CERTNAMES
 /* Compare a domain name with a possibly-wildcarded name. Wildcards are restricted to a single one, as the first element of patterns having at least three dot-separated elements. Case-independent.
@@ -353,7 +352,6 @@ else if ((subjdn = tls_cert_subject(cert, NULL)))
 }
 return FALSE;
 }
-# endif /*EXPERIMENTAL_CERTNAMES*/
 #endif /*SUPPORT_TLS*/
 /* vi: aw ai sw=2
diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c
index 3dae1d2f2..f57ee69d0 100644
--- a/src/src/transports/smtp.c
+++ b/src/src/transports/smtp.c
@@ -176,10 +176,8 @@ optionlist smtp_transport_options[] = {
 (void *)offsetof(smtp_transport_options_block, tls_tempfail_tryclear) },
 { "tls_try_verify_hosts", opt_stringptr,
 (void *)offsetof(smtp_transport_options_block, tls_try_verify_hosts) },
-#ifdef EXPERIMENTAL_CERTNAMES
 { "tls_verify_cert_hostnames", opt_stringptr,
 (void *)offsetof(smtp_transport_options_block,tls_verify_cert_hostnames)},
-#endif
 { "tls_verify_certificates", opt_stringptr,
 (void *)offsetof(smtp_transport_options_block, tls_verify_certificates) },
 { "tls_verify_hosts", opt_stringptr,
@@ -262,10 +260,8 @@ smtp_transport_options_block smtp_transport_option_defaults = {
 /* tls_dh_min_bits */
 TRUE, /* tls_tempfail_tryclear */
 NULL, /* tls_verify_hosts */
- NULL /* tls_try_verify_hosts */
-# ifdef EXPERIMENTAL_CERTNAMES
- ,NULL /* tls_verify_cert_hostnames */
-# endif
+ NULL, /* tls_try_verify_hosts */
+ US"*" /* tls_verify_cert_hostnames */
 #endif
 #ifndef DISABLE_DKIM
 ,NULL, /* dkim_canon */
diff --git a/src/src/transports/smtp.h b/src/src/transports/smtp.h
index 95e9195f4..1b51c133d 100644
--- a/src/src/transports/smtp.h
+++ b/src/src/transports/smtp.h
@@ -74,9 +74,7 @@ typedef struct {
 BOOL tls_tempfail_tryclear;
 uschar *tls_verify_hosts;
 uschar *tls_try_verify_hosts;
-# ifdef EXPERIMENTAL_CERTNAMES
 uschar *tls_verify_cert_hostnames;
-# endif
 #endif
 #ifndef DISABLE_DKIM
 uschar *dkim_domain;
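Review bot: The new default `US"*"` for `tls_verify_cert_hostnames` (smtp.c @@ -262) makes every host already covered by `tls_verify_hosts` or `tls_try_verify_hosts` also subject to the certificate name check, a behavioural change for existing configurations that the commit title announces but nothing in the code records. Peers whose certificates do not carry the connected hostname will presumably fail verification where they previously passed (or drop to an unverified session under `tls_try_verify_hosts`), so the defaults table deserves an explicit note, e.g. `US"*"	/* tls_verify_cert_hostnames: name check on for all verified hosts */`. The option entry in @@ -176 stays correctly ordered between `tls_try_verify_hosts` and `tls_verify_certificates`, which matters if that table is binary-searched. The defaults initializer begins and ends outside the hunk.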