X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;f=src%2Fsrc%2Ftls-gnu.c;h=8b28d55664d779d1e6e01db346779511866298f5;hb=476be7e27122963451a53c9693f09d6d8a068fd8;hp=bdc032f35ca3d1e92a08db13b2c9a961eaed7382;hpb=5130845bf966ffc7a531dc3a9a99f24ea1e04588;p=user%2Fhenk%2Fcode%2Fexim.git

diff --git a/src/src/tls-gnu.c b/src/src/tls-gnu.c
index bdc032f35..8b28d5566 100644
--- a/src/src/tls-gnu.c
+++ b/src/src/tls-gnu.c
@@ -56,6 +56,9 @@ require current GnuTLS, then we'll drop support for the ancient libraries).
 #else
 # undef  SUPPORT_CA_DIR
 #endif
+#if GNUTLS_VERSION_NUMBER >= 0x030314
+# define SUPPORT_SYSDEFAULT_CABUNDLE
+#endif
 
 #ifndef DISABLE_OCSP
 # include <gnutls/ocsp.h>
@@ -117,9 +120,7 @@ typedef struct exim_gnutls_state {
   uschar *exp_tls_crl;
   uschar *exp_tls_require_ciphers;
   uschar *exp_tls_ocsp_file;
-#ifdef EXPERIMENTAL_CERTNAMES
   uschar *exp_tls_verify_cert_hostnames;
-#endif
 #ifdef EXPERIMENTAL_EVENT
   uschar *event_action;
 #endif
@@ -138,9 +139,7 @@ static const exim_gnutls_state_st exim_gnutls_state_init = {
   NULL, NULL, NULL, NULL,
   NULL, NULL, NULL, NULL, NULL, NULL,
   NULL, NULL, NULL, NULL, NULL, NULL, NULL,
-#ifdef EXPERIMENTAL_CERTNAMES
-                                            NULL,
-#endif
+  NULL,
 #ifdef EXPERIMENTAL_EVENT
                                             NULL,
 #endif
@@ -858,6 +857,10 @@ if (state->tls_verify_certificates && *state->tls_verify_certificates)
   {
   if (!expand_check_tlsvar(tls_verify_certificates))
     return DEFER;
+#ifndef SUPPORT_SYSDEFAULT_CABUNDLE
+  if (Ustrcmp(state->exp_tls_verify_certificates, "system") == 0)
+    state->exp_tls_verify_certificates = NULL;
+#endif
   if (state->tls_crl && *state->tls_crl)
     if (!expand_check_tlsvar(tls_crl))
       return DEFER;
@@ -878,58 +881,65 @@ else
   return OK;
   }
 
-if (Ustat(state->exp_tls_verify_certificates, &statbuf) < 0)
+#ifdef SUPPORT_SYSDEFAULT_CABUNDLE
+if (Ustrcmp(state->exp_tls_verify_certificates, "system") == 0)
+  cert_count = gnutls_certificate_set_x509_system_trust(state->x509_cred);
+else
+#endif
   {
-  log_write(0, LOG_MAIN|LOG_PANIC, "could not stat %s "
-      "(tls_verify_certificates): %s", state->exp_tls_verify_certificates,
-      strerror(errno));
-  return DEFER;
-  }
+  if (Ustat(state->exp_tls_verify_certificates, &statbuf) < 0)
+    {
+    log_write(0, LOG_MAIN|LOG_PANIC, "could not stat %s "
+	"(tls_verify_certificates): %s", state->exp_tls_verify_certificates,
+	strerror(errno));
+    return DEFER;
+    }
 
 #ifndef SUPPORT_CA_DIR
-/* The test suite passes in /dev/null; we could check for that path explicitly,
-but who knows if someone has some weird FIFO which always dumps some certs, or
-other weirdness.  The thing we really want to check is that it's not a
-directory, since while OpenSSL supports that, GnuTLS does not.
-So s/!S_ISREG/S_ISDIR/ and change some messsaging ... */
-if (S_ISDIR(statbuf.st_mode))
-  {
-  DEBUG(D_tls)
-    debug_printf("verify certificates path is a dir: \"%s\"\n",
-        state->exp_tls_verify_certificates);
-  log_write(0, LOG_MAIN|LOG_PANIC,
-      "tls_verify_certificates \"%s\" is a directory",
-      state->exp_tls_verify_certificates);
-  return DEFER;
-  }
+  /* The test suite passes in /dev/null; we could check for that path explicitly,
+  but who knows if someone has some weird FIFO which always dumps some certs, or
+  other weirdness.  The thing we really want to check is that it's not a
+  directory, since while OpenSSL supports that, GnuTLS does not.
+  So s/!S_ISREG/S_ISDIR/ and change some messsaging ... */
+  if (S_ISDIR(statbuf.st_mode))
+    {
+    DEBUG(D_tls)
+      debug_printf("verify certificates path is a dir: \"%s\"\n",
+	  state->exp_tls_verify_certificates);
+    log_write(0, LOG_MAIN|LOG_PANIC,
+	"tls_verify_certificates \"%s\" is a directory",
+	state->exp_tls_verify_certificates);
+    return DEFER;
+    }
 #endif
 
-DEBUG(D_tls) debug_printf("verify certificates = %s size=" OFF_T_FMT "\n",
-        state->exp_tls_verify_certificates, statbuf.st_size);
+  DEBUG(D_tls) debug_printf("verify certificates = %s size=" OFF_T_FMT "\n",
+	  state->exp_tls_verify_certificates, statbuf.st_size);
 
-if (statbuf.st_size == 0)
-  {
-  DEBUG(D_tls)
-    debug_printf("cert file empty, no certs, no verification, ignoring any CRL\n");
-  return OK;
-  }
+  if (statbuf.st_size == 0)
+    {
+    DEBUG(D_tls)
+      debug_printf("cert file empty, no certs, no verification, ignoring any CRL\n");
+    return OK;
+    }
 
-cert_count =
+  cert_count =
 
 #ifdef SUPPORT_CA_DIR
-  (statbuf.st_mode & S_IFMT) == S_IFDIR
-  ?
-  gnutls_certificate_set_x509_trust_dir(state->x509_cred,
-    CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM)
-  :
+    (statbuf.st_mode & S_IFMT) == S_IFDIR
+    ?
+    gnutls_certificate_set_x509_trust_dir(state->x509_cred,
+      CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM)
+    :
 #endif
-  gnutls_certificate_set_x509_trust_file(state->x509_cred,
-    CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM);
+    gnutls_certificate_set_x509_trust_file(state->x509_cred,
+      CS state->exp_tls_verify_certificates, GNUTLS_X509_FMT_PEM);
+  }
 
 if (cert_count < 0)
   {
   rc = cert_count;
-  exim_gnutls_err_check(US"gnutls_certificate_set_x509_trust_file");
+  exim_gnutls_err_check(US"setting certificate trust");
   }
 DEBUG(D_tls) debug_printf("Added %d certificate authorities.\n", cert_count);
 
@@ -1385,7 +1395,6 @@ if (rc < 0 ||
 
 else
   {
-#ifdef EXPERIMENTAL_CERTNAMES
   if (state->exp_tls_verify_cert_hostnames)
     {
     int sep = 0;
@@ -1407,7 +1416,6 @@ else
       return TRUE;
       }
     }
-#endif
   state->peer_cert_verified = TRUE;
   DEBUG(D_tls) debug_printf("TLS certificate verified: peerdn=\"%s\"\n",
       state->peerdn ? state->peerdn : US"<unset>");
@@ -1771,7 +1779,6 @@ return OK;
 
 
 
-#ifdef EXPERIMENTAL_CERTNAMES
 static void
 tls_client_setup_hostname_checks(host_item * host, exim_gnutls_state_st * state,
   smtp_transport_options_block * ob)
@@ -1784,7 +1791,6 @@ if (verify_check_given_host(&ob->tls_verify_cert_hostnames, host) == OK)
 		    state->exp_tls_verify_cert_hostnames);
   }
 }
-#endif
 
 
 /*************************************************
@@ -1854,14 +1860,12 @@ the specified host patterns if one of them is defined */
 
 if (  (  state->exp_tls_verify_certificates
       && !ob->tls_verify_hosts
-      && !ob->tls_try_verify_hosts
+      && (!ob->tls_try_verify_hosts || !*ob->tls_try_verify_hosts)
       )
     || verify_check_given_host(&ob->tls_verify_hosts, host) == OK
    )
   {
-#ifdef EXPERIMENTAL_CERTNAMES
   tls_client_setup_hostname_checks(host, state, ob);
-#endif
   DEBUG(D_tls)
     debug_printf("TLS: server certificate verification required.\n");
   state->verify_requirement = VERIFY_REQUIRED;
@@ -1869,9 +1873,7 @@ if (  (  state->exp_tls_verify_certificates
   }
 else if (verify_check_given_host(&ob->tls_try_verify_hosts, host) == OK)
   {
-#ifdef EXPERIMENTAL_CERTNAMES
   tls_client_setup_hostname_checks(host, state, ob);
-#endif
   DEBUG(D_tls)
     debug_printf("TLS: server certificate verification optional.\n");
   state->verify_requirement = VERIFY_OPTIONAL;