+Arguments:
+ namelist names to compare
+ cert certificate
+
+Returns:
+ TRUE/FALSE
+*/
+
+BOOL
+tls_is_name_for_cert(const uschar * namelist, void * cert)
+{
+uschar * altnames = tls_cert_subject_altname(cert, US"dns");
+uschar * subjdn;
+uschar * certname;
+int cmp_sep = 0;
+uschar * cmpname;
+
+if ((altnames = tls_cert_subject_altname(cert, US"dns")))
+ {
+ int alt_sep = '\n';
+ while ((cmpname = string_nextinlist(&namelist, &cmp_sep, NULL, 0)))
+ {
+ const uschar * an = altnames;
+ while ((certname = string_nextinlist(&an, &alt_sep, NULL, 0)))
+ if (is_name_match(cmpname, certname))
+ return TRUE;
+ }
+ }
+
+else if ((subjdn = tls_cert_subject(cert, NULL)))
+ {
+ int sn_sep = ',';
+
+ dn_to_list(subjdn);
+ while ((cmpname = string_nextinlist(&namelist, &cmp_sep, NULL, 0)))
+ {
+ const uschar * sn = subjdn;
+ while ((certname = string_nextinlist(&sn, &sn_sep, NULL, 0)))
+ if ( *certname++ == 'C'
+ && *certname++ == 'N'
+ && *certname++ == '='
+ && is_name_match(cmpname, certname)
+ )
+ return TRUE;
+ }
+ }
+return FALSE;
+}
+
+
+/* Environment cleanup: The GnuTLS library uses SSLKEYLOGFILE in the environment
+and writes a file by that name. Our OpenSSL code does the same, using keying
+info from the library API.
+The GnuTLS support only works if exim is run by root, not taking advantage of
+the setuid bit.
+You can use either the external environment (modulo the keep_environment config)
+or the add_environment config option for SSLKEYLOGFILE; the latter takes
+precedence.
+
+If the path is absolute, require it starts with the spooldir; otherwise delete
+the env variable. If relative, prefix the spooldir.
+*/
+void
+tls_clean_env(void)
+{
+uschar * path = US getenv("SSLKEYLOGFILE");
+if (path)
+ if (!*path)
+ unsetenv("SSLKEYLOGFILE");
+ else if (*path != '/')
+ {
+ DEBUG(D_tls)
+ debug_printf("prepending spooldir to env SSLKEYLOGFILE\n");
+ setenv("SSLKEYLOGFILE", CCS string_sprintf("%s/%s", spool_directory, path), 1);
+ }
+ else if (Ustrncmp(path, spool_directory, Ustrlen(spool_directory)) != 0)
+ {
+ DEBUG(D_tls)
+ debug_printf("removing env SSLKEYLOGFILE=%s: not under spooldir\n", path);
+ unsetenv("SSLKEYLOGFILE");
+ }
+}
+#endif /*!DISABLE_TLS*/
+#endif /*!MACRO_PREDEF*/