*/
static int
-verify_callback(int state, X509_STORE_CTX *x509ctx, tls_support *tlsp, BOOL *calledp, BOOL *optionalp)
+verify_callback(int state, X509_STORE_CTX *x509ctx,
+ tls_support *tlsp, BOOL *calledp, BOOL *optionalp)
{
+X509 * cert = X509_STORE_CTX_get_current_cert(x509ctx);
static uschar txt[256];
-X509_NAME_oneline(X509_get_subject_name(x509ctx->current_cert),
+X509_NAME_oneline(X509_get_subject_name(cert),
CS txt, sizeof(txt));
if (state == 0)
{
log_write(0, LOG_MAIN, "SSL verify error: depth=%d error=%s cert=%s",
- x509ctx->error_depth,
- X509_verify_cert_error_string(x509ctx->error),
+ X509_STORE_CTX_get_error_depth(x509ctx),
+ X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)),
txt);
tlsp->certificate_verified = FALSE;
*calledp = TRUE;
if (!*optionalp)
{
- tlsp->peercert = X509_dup(x509ctx->current_cert);
+ tlsp->peercert = X509_dup(cert);
return 0; /* reject */
}
DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
"tls_try_verify_hosts)\n");
- return 1; /* accept */
}
-if (x509ctx->error_depth != 0)
+else if (X509_STORE_CTX_get_error_depth(x509ctx) != 0)
{
- DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d cert=%s\n",
- x509ctx->error_depth, txt);
+ DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d SN=%s\n",
+ X509_STORE_CTX_get_error_depth(x509ctx), txt);
#ifdef EXPERIMENTAL_OCSP
if (tlsp == &tls_out && client_static_cbinfo->u_ocsp.client.verify_store)
{ /* client, wanting stapling */
for the verification of the OCSP stapled information. */
if (!X509_STORE_add_cert(client_static_cbinfo->u_ocsp.client.verify_store,
- x509ctx->current_cert))
+ cert))
ERR_clear_error();
}
#endif
}
else
{
- DEBUG(D_tls) debug_printf("SSL%s peer: %s\n",
- *calledp ? "" : " authenticated", txt);
tlsp->peerdn = txt;
- tlsp->peercert = X509_dup(x509ctx->current_cert);
+ tlsp->peercert = X509_dup(cert);
+ DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
+ *calledp ? "" : " authenticated", txt);
+ if (!*calledp) tlsp->certificate_verified = TRUE;
+ *calledp = TRUE;
}
-/*XXX JGH: this looks bogus - we set "verified" first time through, which
-will be for the root CS cert (calls work down the chain). Why should it
-not be on the last call, where we're setting peerdn?
-
-To test: set up a chain anchored by a good root-CA but with a bad server cert.
-Does certificate_verified get set?
-*/
-if (!*calledp) tlsp->certificate_verified = TRUE;
-*calledp = TRUE;
-
return 1; /* accept */
}
}
supply_response:
-cbinfo->u_ocsp.server.response = resp;
+ cbinfo->u_ocsp.server.response = resp;
return;
bad:
-if (running_in_test_harness)
- {
- extern char ** environ;
- uschar ** p;
- for (p = USS environ; *p != NULL; p++)
- if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
- {
- DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n");
- goto supply_response;
- }
- }
+ if (running_in_test_harness)
+ {
+ extern char ** environ;
+ uschar ** p;
+ for (p = USS environ; *p != NULL; p++)
+ if (Ustrncmp(*p, "EXIM_TESTHARNESS_DISABLE_OCSPVALIDITYCHECK", 42) == 0)
+ {
+ DEBUG(D_tls) debug_printf("Supplying known bad OCSP response\n");
+ goto supply_response;
+ }
+ }
return;
}
#endif /*EXPERIMENTAL_OCSP*/
uschar *response_der;
int response_der_len;
-if (log_extra_selector & LX_tls_cipher)
- log_write(0, LOG_MAIN, "[%s] Recieved OCSP stapling req;%s responding",
- sender_host_address, cbinfo->u_ocsp.server.response ? "":" not");
-else
- DEBUG(D_tls) debug_printf("Received TLS status request (OCSP stapling); %s response.",
+DEBUG(D_tls)
+ debug_printf("Received TLS status request (OCSP stapling); %s response.",
cbinfo->u_ocsp.server.response ? "have" : "lack");
tls_in.ocsp = OCSP_NOT_RESP;
DEBUG(D_tls) debug_printf(" null\n");
return cbinfo->u_ocsp.client.verify_required ? 0 : 1;
}
-tls_out.ocsp = OCSP_NOT_VFY;
+
if(!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
{
+ tls_out.ocsp = OCSP_FAILED;
if (log_extra_selector & LX_tls_cipher)
log_write(0, LOG_MAIN, "Received TLS status response, parse error");
else
if(!(bs = OCSP_response_get1_basic(rsp)))
{
+ tls_out.ocsp = OCSP_FAILED;
if (log_extra_selector & LX_tls_cipher)
log_write(0, LOG_MAIN, "Received TLS status response, error parsing response");
else
/* We'd check the nonce here if we'd put one in the request. */
/* However that would defeat cacheability on the server so we don't. */
-
/* This section of code reworked from OpenSSL apps source;
The OpenSSL Project retains copyright:
Copyright (c) 1999 The OpenSSL Project. All rights reserved.
*/
{
BIO * bp = NULL;
- OCSP_CERTID *id;
int status, reason;
ASN1_GENERALIZEDTIME *rev, *thisupd, *nextupd;
if ((i = OCSP_basic_verify(bs, NULL,
cbinfo->u_ocsp.client.verify_store, 0)) <= 0)
{
+ tls_out.ocsp = OCSP_FAILED;
BIO_printf(bp, "OCSP response verify failure\n");
ERR_print_errors(bp);
i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
if (sk_OCSP_SINGLERESP_num(sresp) != 1)
{
+ tls_out.ocsp = OCSP_FAILED;
log_write(0, LOG_MAIN, "OCSP stapling "
"with multiple responses not handled");
i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
if (!OCSP_check_validity(thisupd, nextupd,
EXIM_OCSP_SKEW_SECONDS, EXIM_OCSP_MAX_AGE))
{
+ tls_out.ocsp = OCSP_FAILED;
DEBUG(D_tls) ERR_print_errors(bp);
log_write(0, LOG_MAIN, "Server OSCP dates invalid");
i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
switch(status)
{
case V_OCSP_CERTSTATUS_GOOD:
- i = 1;
tls_out.ocsp = OCSP_VFIED;
+ i = 1;
break;
case V_OCSP_CERTSTATUS_REVOKED:
+ tls_out.ocsp = OCSP_FAILED;
log_write(0, LOG_MAIN, "Server certificate revoked%s%s",
reason != -1 ? "; reason: " : "",
reason != -1 ? OCSP_crl_reason_str(reason) : "");
i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
break;
default:
+ tls_out.ocsp = OCSP_FAILED;
log_write(0, LOG_MAIN,
"Server certificate status unknown, in OCSP stapling");
i = cbinfo->u_ocsp.client.verify_required ? 0 : 1;
projects / user / henk / code / exim.git / blobdiff