From 723fe533c452eb258a5a7e0b808d714bbbc7cb01 Mon Sep 17 00:00:00 2001
From: Jeremy Harris
Date: Thu, 23 Oct 2014 18:22:33 +0100
Subject: Add event for inbound cert visibility

---
 src/src/globals.c | 14 +++++++-------
 src/src/tls-gnu.c | 17 +++++++++++++----
 src/src/tls-openssl.c | 15 +++++++--------
 3 files changed, 27 insertions(+), 19 deletions(-)

(limited to 'src')

diff --git a/src/src/globals.c b/src/src/globals.c
index 1eae4a830..fb705d9d8 100644
--- a/src/src/globals.c
+++ b/src/src/globals.c
@@ -668,6 +668,13 @@ uschar *errors_copy = NULL;
 int error_handling = ERRORS_SENDER;
 uschar *errors_reply_to = NULL;
 int errors_sender_rc = EXIT_FAILURE;
+#ifdef EXPERIMENTAL_EVENT
+uschar *event_action = NULL; /* expansion for delivery events */
+uschar *event_data = NULL; /* auxilary data variable for event */
+int event_defer_errno = 0;
+uschar *event_name = NULL; /* event name variable */
+#endif
+
 gid_t exim_gid = EXIM_GID;
 BOOL exim_gid_set = TRUE; /* This gid is always set */
@@ -1336,13 +1343,6 @@ int thismessage_size_limit = 0;
 int timeout_frozen_after = 0;
 BOOL timestamps_utc = FALSE;
-#ifdef EXPERIMENTAL_EVENT
-uschar *event_action = NULL; /* expansion for delivery events */
-uschar *event_data = NULL; /* auxilary data variable for event */
-int event_defer_errno = 0;
-uschar *event_name = NULL; /* event name variable */
-#endif
-
 transport_instance *transports = NULL;
 transport_instance transport_defaults = {
diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index 20e11cae1..1966c557d 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -1545,15 +1545,15 @@ return 0;
 #ifdef EXPERIMENTAL_EVENT
 /* We use this callback to get observability and detail-level control
-for an exim client TLS connection, raising a tls:cert event
-for each cert in the chain presented by the server. Any event
+for an exim TLS connection (either direction), raising a tls:cert event
+for each cert in the chain presented by the peer. Any event
 can deny verification. Return 0 for the handshake to continue or non-zero to terminate. */
 static int
-client_verify_cb(gnutls_session_t session)
+verify_cb(gnutls_session_t session)
 {
 const gnutls_datum * cert_list;
 unsigned int cert_list_size = 0;
@@ -1664,6 +1664,15 @@ else
 gnutls_certificate_server_set_request(state->session, GNUTLS_CERT_IGNORE);
 }
+#ifdef EXPERIMENTAL_EVENT
+if (event_action)
+ {
+ state->event_action = event_action;
+ gnutls_session_set_ptr(state->session, state);
+ gnutls_certificate_set_verify_function(state->x509_cred, verify_cb);
+ }
+#endif
+
 /* Register SNI handling; always, even if not in tls_certificate, so that the expansion variable $tls_sni is always available. */
@@ -1890,7 +1899,7 @@ if (tb->event_action)
 {
 state->event_action = tb->event_action;
 gnutls_session_set_ptr(state->session, state);
-gnutls_certificate_set_verify_function(state->x509_cred, client_verify_cb);
+gnutls_certificate_set_verify_function(state->x509_cred, verify_cb);
 }
 #endif
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 13a3cd076..4de3cad51 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -287,6 +287,7 @@ verify_callback(int state, X509_STORE_CTX *x509ctx,
 {
 X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
 int depth = X509_STORE_CTX_get_error_depth(x509ctx);
+uschar * ev;
 static uschar txt[256];
 X509_NAME_oneline(X509_get_subject_name(cert), CS txt, sizeof(txt));
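Review bot: The new `if (event_action)` block in the `@@ -1664` hunk registers `verify_cb` on the server-side credentials with no comment saying what that means for an inbound connection: per the comment above `verify_cb`, a tls:cert event can deny verification and a non-zero return terminates the handshake, so a main-config `event_action` can now reject connecting clients. A one-line comment above the `if`, such as `/* Raise a tls:cert event per presented client cert; the event may abort the handshake */`, would make that visible to whoever next touches `tls_server_start`. As far as I recall GnuTLS only invokes the verify function once a peer certificate message has been received, so with `GNUTLS_CERT_IGNORE` set just above no inbound event would fire; if that is intended it is worth stating in the same comment, and if not the registration probably belongs next to the code that requests a client cert. The enclosing function starts and ends outside the hunk.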
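Review bot: `uschar * ev;` in the `@@ -287` hunk is declared outside any `#ifdef EXPERIMENTAL_EVENT` guard, but every use of it (the `@@ -323` and `@@ -392` hunks of the same file) sits inside one, so builds without EXPERIMENTAL_EVENT get an unused-variable warning under -Wall. Both later hunks also compute the identical selector, so the cleanest fix is to move the declaration under the guard and initialise it once there, `uschar * ev = tlsp == &tls_out ? client_static_cbinfo->event_action : event_action;`, dropping the two repeated assignments; that assumes `tlsp` is one of the parameters on the signature line cut off above the hunk. `verify_callback` continues well beyond the hunk.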
@@ -323,11 +324,11 @@ else if (depth != 0)
 }
 #endif
 #ifdef EXPERIMENTAL_EVENT
- if (tlsp == &tls_out && client_static_cbinfo->event_action)
+ ev = tlsp == &tls_out ? client_static_cbinfo->event_action : event_action;
+ if (ev)
 {
 tlsp->peercert = X509_dup(cert);
- if (event_raise(client_static_cbinfo->event_action,
- US"tls:cert", string_sprintf("%d", depth)) == DEFER)
+ if (event_raise(ev, US"tls:cert", string_sprintf("%d", depth)) == DEFER)
 {
 log_write(0, LOG_MAIN, "SSL verify denied by event-action: "
 "depth=%d cert=%s", depth, txt);
@@ -392,10 +393,9 @@ else
 #endif /*EXPERIMENTAL_CERTNAMES*/
 #ifdef EXPERIMENTAL_EVENT
- if (tlsp == &tls_out)
- {
- if (event_raise(client_static_cbinfo->event_action,
- US"tls:cert", US"0") == DEFER)
+ ev = tlsp == &tls_out ? client_static_cbinfo->event_action : event_action;
+ if (ev)
+ if (event_raise(ev, US"tls:cert", US"0") == DEFER)
 {
 log_write(0, LOG_MAIN, "SSL verify denied by event-action: "
 "depth=0 cert=%s", txt);
@@ -403,7 +403,6 @@ else
 *calledp = TRUE;
 return 0; /* reject */
 }
- }
 #endif
 DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
--
cgit v1.2.3
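Review bot: In the `@@ -392` hunk the rewritten depth-0 path leaves `if (ev)` with an unbraced nested `if (event_raise(...) == DEFER) { ... }`, and the `@@ -403` hunk removes the outer `}` that used to bound it, so any `else` added later would silently bind to the inner `if` (the classic dangling-else trap in a verification callback that decides accept/reject). Folding the two tests into one condition keeps a single braced statement with no behaviour change: `if (ev && event_raise(ev, US"tls:cert", US"0") == DEFER)`. The `@@ -323` depth>0 branch already uses braces around its `if (ev)` body, so this would also make the two paths read the same way.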