OpenSSL: tls_eccurves list support. Bug 2955

[exim.git] / src / src / dane-openssl.c

diff --git a/src/src/dane-openssl.c b/src/src/dane-openssl.c
index c967a73d1c70c5e04f313ff59fd3967e7c597865..6ed3529293257d73f432540eda4497654ccd40ab 100644 (file)
--- a/src/src/dane-openssl.c
+++ b/src/src/dane-openssl.c
@@ -2,7 +2,7 @@
  *  Author: Viktor Dukhovni
  *  License: THIS CODE IS IN THE PUBLIC DOMAIN.
  *
  *  Author: Viktor Dukhovni
  *  License: THIS CODE IS IN THE PUBLIC DOMAIN.
  *

- * Copyright (c) The Exim Maintainers 2014 - 2018
+ * Copyright (c) The Exim Maintainers 2014 - 2019

  */
 #include <stdio.h>
 #include <string.h>
  */
 #include <stdio.h>
 #include <string.h>


@@ -25,9 +25,18 @@
 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 # define X509_up_ref(x) CRYPTO_add(&((x)->references), 1, CRYPTO_LOCK_X509)
 #endif
 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 # define X509_up_ref(x) CRYPTO_add(&((x)->references), 1, CRYPTO_LOCK_X509)
 #endif

+
+/* LibreSSL 2.9.0 and later - 2.9.0 has removed a number of macros ... */
+#ifdef LIBRESSL_VERSION_NUMBER
+# if LIBRESSL_VERSION_NUMBER >= 0x2090000fL
+#  define EXIM_HAVE_ASN1_MACROS
+# endif
+#endif
+/* OpenSSL */

 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
 # define EXIM_HAVE_ASN1_MACROS
 # define EXIM_OPAQUE_X509
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
 # define EXIM_HAVE_ASN1_MACROS
 # define EXIM_OPAQUE_X509

+/* Older OpenSSL and all LibreSSL */

 #else
 # define X509_STORE_CTX_get_verify(ctx)                (ctx)->verify
 # define X509_STORE_CTX_get_verify_cb(ctx)     (ctx)->verify_cb
 #else
 # define X509_STORE_CTX_get_verify(ctx)                (ctx)->verify
 # define X509_STORE_CTX_get_verify_cb(ctx)     (ctx)->verify_cb


@@ -120,7 +129,7 @@ static ERR_STRING_DATA dane_str_reasons[] = {
 };
 #endif
 
 };
 #endif
 

-#define DANEerr(f, r) ERR_PUT_error(err_lib_dane, (f), (r), __FILE__, __LINE__)
+#define DANEerr(f, r) ERR_PUT_error(err_lib_dane, (f), (r), __FUNCTION__, __LINE__)

 
 static int err_lib_dane = -1;
 static int dane_idx = -1;
 
 static int err_lib_dane = -1;
 static int dane_idx = -1;


@@ -411,7 +420,7 @@ set_issuer_name(X509 *cert, AUTHORITY_KEYID *akid, X509_NAME *subj)
 X509_NAME *name = akid_issuer_name(akid);
 
 /*
 X509_NAME *name = akid_issuer_name(akid);
 
 /*

- * If subject's akid specifies an authority key identifer issuer name, we
+ * If subject's akid specifies an authority key identifier issuer name, we

  * must use that.
  */
 return X509_set_issuer_name(cert,
  * must use that.
  */
 return X509_set_issuer_name(cert,


@@ -1076,52 +1085,52 @@ if (dane->selectors[DANESSL_USAGE_DANE_EE])
     }
   }
 
     }
   }
 

-  if (dane->selectors[DANESSL_USAGE_DANE_TA])
+if (dane->selectors[DANESSL_USAGE_DANE_TA])
+  {
+  if ((matched = set_trust_anchor(ctx, dane, cert)) < 0)

     {
     {

-    if ((matched = set_trust_anchor(ctx, dane, cert)) < 0)
-      {
-      X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM);
-      return -1;
-      }
-    if (matched)
-      {
-      /*
-       * Check that setting the untrusted chain updates the expected
-       * structure member at the expected offset.
-       */
-      X509_STORE_CTX_trusted_stack(ctx, dane->roots);
-      X509_STORE_CTX_set_chain(ctx, dane->chain);
-      OPENSSL_assert(dane->chain == X509_STORE_CTX_get0_untrusted(ctx));
-      }
+    X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM);
+    return -1;
+    }
+  if (matched)
+    {
+    /*
+     * Check that setting the untrusted chain updates the expected
+     * structure member at the expected offset.
+     */
+    X509_STORE_CTX_trusted_stack(ctx, dane->roots);
+    X509_STORE_CTX_set_chain(ctx, dane->chain);
+    OPENSSL_assert(dane->chain == X509_STORE_CTX_get0_untrusted(ctx));

     }
     }

+  }

 
 

-  /*
-   * Name checks and usage 0/1 constraint enforcement are delayed until
-   * X509_verify_cert() builds the full chain and calls our verify_chain()
-   * wrapper.
-   */
-  dane->verify = X509_STORE_CTX_get_verify(ctx);
-  X509_STORE_CTX_set_verify(ctx, verify_chain);
+/*
+ * Name checks and usage 0/1 constraint enforcement are delayed until
+ * X509_verify_cert() builds the full chain and calls our verify_chain()
+ * wrapper.
+ */
+dane->verify = X509_STORE_CTX_get_verify(ctx);
+X509_STORE_CTX_set_verify(ctx, verify_chain);

 
 

-  if (X509_verify_cert(ctx))
-    return 1;
+if (X509_verify_cert(ctx))
+  return 1;

 
 

-  /*
-   * If the chain is invalid, clear any matching cert or hostname, to
-   * protect callers that might erroneously rely on these alone without
-   * checking the validation status.
-   */
-  if (dane->match)
-    {
-    X509_free(dane->match);
-    dane->match = 0;
-    }
-  if (dane->mhost)
-    {
-    OPENSSL_free(dane->mhost);
-    dane->mhost = 0;
-    }
-   return 0;
+/*
+ * If the chain is invalid, clear any matching cert or hostname, to
+ * protect callers that might erroneously rely on these alone without
+ * checking the validation status.
+ */
+if (dane->match)
+  {
+  X509_free(dane->match);
+  dane->match = 0;
+  }
+if (dane->mhost)
+  {
+  OPENSSL_free(dane->mhost);
+  dane->mhost = 0;
+  }
+ return 0;

 }
 
 static dane_list
 }
 
 static dane_list