diff options
-rw-r--r-- | src/src/functions.h | 1 | ||||
-rw-r--r-- | src/src/tls-gnu.c | 16 | ||||
-rw-r--r-- | src/src/tls-openssl.c | 25 | ||||
-rw-r--r-- | src/src/transports/smtp.c | 69 | ||||
-rw-r--r-- | src/src/verify.c | 33 |
5 files changed, 64 insertions, 80 deletions
diff --git a/src/src/functions.h b/src/src/functions.h index 32d2997d5..a74c94b83 100644 --- a/src/src/functions.h +++ b/src/src/functions.h @@ -452,6 +452,7 @@ extern int verify_check_headers(uschar **); extern int verify_check_header_names_ascii(uschar **); extern int verify_check_host(uschar **); extern int verify_check_notblind(void); +extern int verify_check_given_host(uschar **, host_item *); extern int verify_check_this_host(uschar **, unsigned int *, uschar*, uschar *, uschar **); extern address_item *verify_checked_sender(uschar *); diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c index 9d72ebc66..bdc032f35 100644 --- a/src/src/tls-gnu.c +++ b/src/src/tls-gnu.c @@ -1776,8 +1776,7 @@ static void tls_client_setup_hostname_checks(host_item * host, exim_gnutls_state_st * state, smtp_transport_options_block * ob) { -if (verify_check_this_host(&ob->tls_verify_cert_hostnames, NULL, - host->name, host->address, NULL) == OK) +if (verify_check_given_host(&ob->tls_verify_cert_hostnames, host) == OK) { state->exp_tls_verify_cert_hostnames = host->name; DEBUG(D_tls) @@ -1819,11 +1818,10 @@ int rc; const char *error; exim_gnutls_state_st *state = NULL; #ifndef DISABLE_OCSP -BOOL require_ocsp = verify_check_this_host(&ob->hosts_require_ocsp, - NULL, host->name, host->address, NULL) == OK; +BOOL require_ocsp = + verify_check_given_host(&ob->hosts_require_ocsp, host) == OK; BOOL request_ocsp = require_ocsp ? TRUE - : verify_check_this_host(&ob->hosts_request_ocsp, - NULL, host->name, host->address, NULL) == OK; + : verify_check_given_host(&ob->hosts_request_ocsp, host) == OK; #endif DEBUG(D_tls) debug_printf("initialising GnuTLS as a client on fd %d\n", fd); @@ -1858,8 +1856,7 @@ if ( ( state->exp_tls_verify_certificates && !ob->tls_verify_hosts && !ob->tls_try_verify_hosts ) - || verify_check_this_host(&ob->tls_verify_hosts, NULL, - host->name, host->address, NULL) == OK + || verify_check_given_host(&ob->tls_verify_hosts, host) == OK ) { #ifdef EXPERIMENTAL_CERTNAMES @@ -1870,8 +1867,7 @@ if ( ( state->exp_tls_verify_certificates state->verify_requirement = VERIFY_REQUIRED; gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_REQUIRE); } -else if (verify_check_this_host(&ob->tls_try_verify_hosts, NULL, - host->name, host->address, NULL) == OK) +else if (verify_check_given_host(&ob->tls_try_verify_hosts, host) == OK) { #ifdef EXPERIMENTAL_CERTNAMES tls_client_setup_hostname_checks(host, state, ob); diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index c23ac031f..43fbaa41a 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -1684,12 +1684,10 @@ int rc; the specified host patterns if one of them is defined */ if ( (!ob->tls_verify_hosts && !ob->tls_try_verify_hosts) - || (verify_check_this_host(&ob->tls_verify_hosts, NULL, - host->name, host->address, NULL) == OK) + || (verify_check_given_host(&ob->tls_verify_hosts, host) == OK) ) client_verify_optional = FALSE; -else if (verify_check_this_host(&ob->tls_try_verify_hosts, NULL, - host->name, host->address, NULL) == OK) +else if (verify_check_given_host(&ob->tls_try_verify_hosts, host) == OK) client_verify_optional = TRUE; else return OK; @@ -1699,8 +1697,7 @@ if ((rc = setup_certs(ctx, ob->tls_verify_certificates, return rc; #ifdef EXPERIMENTAL_CERTNAMES -if (verify_check_this_host(&ob->tls_verify_cert_hostnames, NULL, - host->name, host->address, NULL) == OK) +if (verify_check_given_host(&ob->tls_verify_cert_hostnames, host) == OK) { cbinfo->verify_cert_hostnames = host->name; DEBUG(D_tls) debug_printf("Cert hostname to check: \"%s\"\n", @@ -1829,15 +1826,15 @@ tls_out.tlsa_usage = 0; } # endif - if ((require_ocsp = verify_check_this_host(&ob->hosts_require_ocsp, - NULL, host->name, host->address, NULL) == OK)) + if ((require_ocsp = + verify_check_given_host(&ob->hosts_require_ocsp, host) == OK)) request_ocsp = TRUE; else # ifdef EXPERIMENTAL_DANE if (!request_ocsp) # endif - request_ocsp = verify_check_this_host(&ob->hosts_request_ocsp, - NULL, host->name, host->address, NULL) == OK; + request_ocsp = + verify_check_given_host(&ob->hosts_request_ocsp, host) == OK; } #endif @@ -1940,11 +1937,9 @@ if (request_ocsp) { /* Re-eval now $tls_out_tlsa_usage is populated. If this means we avoid the OCSP request, we wasted the setup cost in tls_init(). */ - require_ocsp = verify_check_this_host(&ob->hosts_require_ocsp, - NULL, host->name, host->address, NULL) == OK; - request_ocsp = require_ocsp ? TRUE - : verify_check_this_host(&ob->hosts_request_ocsp, - NULL, host->name, host->address, NULL) == OK; + require_ocsp = verify_check_given_host(&ob->hosts_require_ocsp, host) == OK; + request_ocsp = require_ocsp + || verify_check_given_host(&ob->hosts_request_ocsp, host) == OK; } } # endif diff --git a/src/src/transports/smtp.c b/src/src/transports/smtp.c index 69bbc4d0c..f919508bc 100644 --- a/src/src/transports/smtp.c +++ b/src/src/transports/smtp.c @@ -976,8 +976,7 @@ uschar *fail_reason = US"server did not advertise AUTH support"; smtp_authenticated = FALSE; client_authenticator = client_authenticated_id = client_authenticated_sender = NULL; -require_auth = verify_check_this_host(&(ob->hosts_require_auth), NULL, - host->name, host->address, NULL); +require_auth = verify_check_given_host(&ob->hosts_require_auth, host); if (is_esmtp && !regex_AUTH) regex_AUTH = regex_must_compile(US"\\n250[\\s\\-]AUTH\\s+([\\-\\w\\s]+)(?:\\n|$)", @@ -992,8 +991,7 @@ if (is_esmtp && regex_match_and_setup(regex_AUTH, buffer, 0, -1)) regex match above. */ if (require_auth == OK || - verify_check_this_host(&(ob->hosts_try_auth), NULL, host->name, - host->address, NULL) == OK) + verify_check_given_host(&ob->hosts_try_auth, host) == OK) { auth_instance *au; fail_reason = US"no common mechanisms were found"; @@ -1379,14 +1377,12 @@ if (continue_hostname == NULL) tls_out.dane_verified = FALSE; tls_out.tlsa_usage = 0; - dane_required = verify_check_this_host(&ob->hosts_require_dane, NULL, - host->name, host->address, NULL) == OK; + dane_required = verify_check_given_host(&ob->hosts_require_dane, host) == OK; if (host->dnssec == DS_YES) { if( dane_required - || verify_check_this_host(&ob->hosts_try_dane, NULL, - host->name, host->address, NULL) == OK + || verify_check_given_host(&ob->hosts_try_dane, host) == OK ) if ((rc = tlsa_lookup(host, &tlsa_dnsa, dane_required, &dane)) != OK) return rc; @@ -1482,8 +1478,7 @@ goto SEND_QUIT; mailers use upper case for some reason (the RFC is quite clear about case independence) so, for peace of mind, I gave in. */ - esmtp = verify_check_this_host(&(ob->hosts_avoid_esmtp), NULL, - host->name, host->address, NULL) != OK; + esmtp = verify_check_given_host(&ob->hosts_avoid_esmtp, host) != OK; /* Alas; be careful, since this goto is not an error-out, so conceivably we might set data between here and the target which we assume to exist @@ -1541,11 +1536,10 @@ goto SEND_QUIT; #endif #ifndef DISABLE_PRDR - prdr_offered = esmtp && - (pcre_exec(regex_PRDR, NULL, CS buffer, Ustrlen(buffer), 0, - PCRE_EOPT, NULL, 0) >= 0) && - (verify_check_this_host(&(ob->hosts_try_prdr), NULL, host->name, - host->address, NULL) == OK); + prdr_offered = esmtp + && pcre_exec(regex_PRDR, NULL, CS buffer, Ustrlen(buffer), 0, + PCRE_EOPT, NULL, 0) >= 0 + && verify_check_given_host(&ob->hosts_try_prdr, host) == OK; if (prdr_offered) {DEBUG(D_transport) debug_printf("PRDR usable\n");} @@ -1575,9 +1569,9 @@ the client not be required to use TLS. If the response is bad, copy the buffer for error analysis. */ #ifdef SUPPORT_TLS -if (tls_offered && !suppress_tls && - verify_check_this_host(&(ob->hosts_avoid_tls), NULL, host->name, - host->address, NULL) != OK) +if ( tls_offered + && !suppress_tls + && verify_check_given_host(&ob->hosts_avoid_tls, host) != OK) { uschar buffer2[4096]; if (smtp_write_command(&outblock, FALSE, "STARTTLS\r\n") < 0) @@ -1695,8 +1689,7 @@ else if ( # ifdef EXPERIMENTAL_DANE dane || # endif - verify_check_this_host(&(ob->hosts_require_tls), NULL, host->name, - host->address, NULL) == OK + verify_check_given_host(&ob->hosts_require_tls, host) == OK ) { save_errno = ERRNO_TLSREQUIRED; @@ -1736,21 +1729,19 @@ if (continue_hostname == NULL the current host, esmtp will be false, so PIPELINING can never be used. If the current host matches hosts_avoid_pipelining, don't do it. */ - smtp_use_pipelining = esmtp && - verify_check_this_host(&(ob->hosts_avoid_pipelining), NULL, host->name, - host->address, NULL) != OK && - pcre_exec(regex_PIPELINING, NULL, CS buffer, Ustrlen(CS buffer), 0, - PCRE_EOPT, NULL, 0) >= 0; + smtp_use_pipelining = esmtp + && verify_check_given_host(&ob->hosts_avoid_pipelining, host) != OK + && pcre_exec(regex_PIPELINING, NULL, CS buffer, Ustrlen(CS buffer), 0, + PCRE_EOPT, NULL, 0) >= 0; DEBUG(D_transport) debug_printf("%susing PIPELINING\n", smtp_use_pipelining? "" : "not "); #ifndef DISABLE_PRDR - prdr_offered = esmtp && - pcre_exec(regex_PRDR, NULL, CS buffer, Ustrlen(CS buffer), 0, - PCRE_EOPT, NULL, 0) >= 0 && - verify_check_this_host(&(ob->hosts_try_prdr), NULL, host->name, - host->address, NULL) == OK; + prdr_offered = esmtp + && pcre_exec(regex_PRDR, NULL, CS buffer, Ustrlen(CS buffer), 0, + PCRE_EOPT, NULL, 0) >= 0 + && verify_check_given_host(&ob->hosts_try_prdr, host) == OK; if (prdr_offered) {DEBUG(D_transport) debug_printf("PRDR usable\n");} @@ -2537,15 +2528,15 @@ DEBUG(D_transport) if (completed_address && ok && send_quit) { BOOL more; - if (first_addr != NULL || continue_more || - ( - (tls_out.active < 0 || - verify_check_this_host(&(ob->hosts_nopass_tls), NULL, host->name, - host->address, NULL) != OK) + if ( first_addr != NULL + || continue_more + || ( ( tls_out.active < 0 + || verify_check_given_host(&ob->hosts_nopass_tls, host) != OK + ) && transport_check_waiting(tblock->name, host->name, tblock->connection_max_messages, new_message_id, &more) - )) + ) ) { uschar *msg; BOOL pass_message; @@ -3260,8 +3251,7 @@ for (cutoff_retry = 0; expired && sending the message down a pre-existing connection. */ if (!continuing && - verify_check_this_host(&(ob->serialize_hosts), NULL, host->name, - host->address, NULL) == OK) + verify_check_given_host(&ob->serialize_hosts, host) == OK) { serialize_key = string_sprintf("host-serialize-%s", host->name); if (!enq_start(serialize_key)) @@ -3404,8 +3394,7 @@ for (cutoff_retry = 0; expired && if ( rc == DEFER && first_addr->basic_errno == ERRNO_TLSFAILURE && ob->tls_tempfail_tryclear - && verify_check_this_host(&(ob->hosts_require_tls), NULL, host->name, - host->address, NULL) != OK + && verify_check_given_host(&ob->hosts_require_tls, host) != OK ) { log_write(0, LOG_MAIN, "TLS session failure: delivering unencrypted " diff --git a/src/src/verify.c b/src/src/verify.c index b74d6ab5e..96740f8f3 100644 --- a/src/src/verify.c +++ b/src/src/verify.c @@ -491,14 +491,13 @@ else tls_out.dane_verified = FALSE; tls_out.tlsa_usage = 0; - dane_required = verify_check_this_host(&ob->hosts_require_dane, NULL, - host->name, host->address, NULL) == OK; + dane_required = + verify_check_given_host(&ob->hosts_require_dane, host) == OK; if (host->dnssec == DS_YES) { if( dane_required - || verify_check_this_host(&ob->hosts_try_dane, NULL, - host->name, host->address, NULL) == OK + || verify_check_given_host(&ob->hosts_try_dane, host) == OK ) if ((rc = tlsa_lookup(host, &tlsa_dnsa, dane_required, &dane)) != OK) return rc; @@ -598,8 +597,7 @@ else } /* Not worth checking greeting line for ESMTP support */ - if (!(esmtp = verify_check_this_host(&(ob->hosts_avoid_esmtp), NULL, - host->name, host->address, NULL) != OK)) + if (!(esmtp = verify_check_given_host(&(ob->hosts_avoid_esmtp), host) != OK)) DEBUG(D_transport) debug_printf("not sending EHLO (host matches hosts_avoid_esmtp)\n"); @@ -657,11 +655,9 @@ else for error analysis. */ #ifdef SUPPORT_TLS - if (tls_offered && - verify_check_this_host(&(ob->hosts_avoid_tls), NULL, host->name, - host->address, NULL) != OK && - verify_check_this_host(&(ob->hosts_verify_avoid_tls), NULL, host->name, - host->address, NULL) != OK + if ( tls_offered + && verify_check_given_host(&ob->hosts_avoid_tls, host) != OK + && verify_check_given_host(&ob->hosts_verify_avoid_tls, host) != OK ) { uschar buffer2[4096]; @@ -709,8 +705,7 @@ else if ( rc == DEFER && ob->tls_tempfail_tryclear && !smtps - && verify_check_this_host(&(ob->hosts_require_tls), NULL, - host->name, host->address, NULL) != OK + && verify_check_given_host(&ob->hosts_require_tls, host) != OK ) { (void)close(inblock.sock); @@ -749,8 +744,7 @@ else #ifdef EXPERIMENTAL_DANE dane || #endif - verify_check_this_host(&(ob->hosts_require_tls), NULL, host->name, - host->address, NULL) == OK + verify_check_given_host(&ob->hosts_require_tls, host) == OK ) { /*save_errno = ERRNO_TLSREQUIRED;*/ @@ -3163,6 +3157,15 @@ return rc; /************************************************* +* Check the given host item matches a list * +*************************************************/ +int +verify_check_given_host(uschar **listptr, host_item *host) +{ +return verify_check_this_host(listptr, NULL, host->name, host->address, NULL); +} + +/************************************************* * Check the remote host matches a list * *************************************************/ |