[exim-cvs] Tidy certificate verification logic under OpenSSL

Αρχική Σελίδα
Delete this message
Reply to this message
Συντάκτης: Exim Git Commits Mailing List
Ημερομηνία:  
Προς: exim-cvs
Αντικείμενο: [exim-cvs] Tidy certificate verification logic under OpenSSL
Gitweb: http://git.exim.org/exim.git/commitdiff/93dcb1c245e78806b621bbc955b1a316f806e5a3
Commit:     93dcb1c245e78806b621bbc955b1a316f806e5a3
Parent:     25ba25448b55c2fd5ea9b1aeed82e02d59816a07
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Fri May 16 00:07:31 2014 +0100
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Fri May 16 18:35:37 2014 +0100


    Tidy certificate verification logic under OpenSSL
---
 src/src/tls-openssl.c |   21 ++++++---------------
 1 files changed, 6 insertions(+), 15 deletions(-)


diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index db2544c..f6ded3c 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -284,12 +284,11 @@ if (state == 0)
     }
   DEBUG(D_tls) debug_printf("SSL verify failure overridden (host in "
     "tls_try_verify_hosts)\n");
-  return 1;                          /* accept */
   }


-if (x509ctx->error_depth != 0)
+else if (x509ctx->error_depth != 0)
   {
-  DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d cert=%s\n",
+  DEBUG(D_tls) debug_printf("SSL verify ok: depth=%d SN=%s\n",
      x509ctx->error_depth, txt);
 #ifdef EXPERIMENTAL_OCSP
   if (tlsp == &tls_out && client_static_cbinfo->u_ocsp.client.verify_store)
@@ -305,22 +304,14 @@ if (x509ctx->error_depth != 0)
   }
 else
   {
-  DEBUG(D_tls) debug_printf("SSL%s peer: %s\n",
-    *calledp ? "" : " authenticated", txt);
   tlsp->peerdn = txt;
   tlsp->peercert = X509_dup(x509ctx->current_cert);
+  DEBUG(D_tls) debug_printf("SSL%s verify ok: depth=0 SN=%s\n",
+    *calledp ? "" : " authenticated", txt);
+  if (!*calledp) tlsp->certificate_verified = TRUE;
+  *calledp = TRUE;
   }


-/*XXX JGH: this looks bogus - we set "verified" first time through, which
-will be for the root CS cert (calls work down the chain). Why should it
-not be on the last call, where we're setting peerdn?
-
-To test: set up a chain anchored by a good root-CA but with a bad server cert.
-Does certificate_verified get set?
-*/
-if (!*calledp) tlsp->certificate_verified = TRUE;
-*calledp = TRUE;
-
return 1; /* accept */
}