X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/415c5379af11bf8777af1a082a336ad7c5369525..e8297f953ed9c8e42f1b406b5ecad4ccdd9d95d3:/src/src/tls-openssl.c
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 3873bbba3..db77a1274 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -5,6 +5,7 @@ /* Copyright (c) The Exim Maintainers 2020 - 2022 */ /* Copyright (c) University of Cambridge 1995 - 2019 */ /* See the file NOTICE for conditions of use and distribution. */ +/* SPDX-License-Identifier: GPL-2.0-or-later */ /* Portions Copyright (c) The OpenSSL Project 1999 */
@@ -78,6 +79,8 @@ change this guard and punt the issue for a while longer. */
 # define EXIM_HAVE_SESSION_TICKET
 # define EXIM_HAVE_OPESSL_TRACE
 # define EXIM_HAVE_OPESSL_GET0_SERIAL
+# define EXIM_HAVE_OPESSL_OCSP_RESP_GET0_CERTS
+# define EXIM_HAVE_SSL_GET0_VERIFIED_CHAIN
 # ifndef DISABLE_OCSP
 # define EXIM_HAVE_OCSP
 # endif
@@ -1956,7 +1959,7 @@ tls_client_creds_invalidate(transport_instance * t)
 static void
 debug_print_sn(const X509 * cert)
 {
-X509_NAME * sn = X509_get_subject_name(cert);
+X509_NAME * sn = X509_get_subject_name((X509 *)cert);
 static uschar name[256];
 if (X509_NAME_oneline(sn, CS name, sizeof(name)))
 {
@@ -1984,23 +1987,13 @@ static void
 x509_store_dump_cert_s_names(X509_STORE * store)
 {
 # ifdef EXIM_HAVE_OPENSSL_X509_STORE_GET1_ALL_CERTS
-STACK_OF(X509) * sk = X509_STORE_get1_all_certs(store);
-x509_stack_dump_cert_s_names(sk);
-sk_X509_pop_free(sk, X509_free);
-
-# else
 if (!store)
 debug_printf(" (no store)\n");
 else
 {
- STACK_OF(X509_OBJECT) * objs = X509_STORE_get0_objects(store);
- if (!objs)
- debug_printf(" (null objectlist)\n");
- else for (int i = 0; i < sk_X509_OBJECT_num(objs); i++)
- {
- X509 * cert = X509_OBJECT_get0_X509(sk_X509_OBJECT_value(objs, i));
- if (cert) debug_print_sn(cert);
- }
+ STACK_OF(X509) * sk = X509_STORE_get1_all_certs(store);
+ x509_stack_dump_cert_s_names(sk);
+ sk_X509_pop_free(sk, X509_free);
 }
 # endif
 }
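Review bot: The two feature macros added at line 79 follow different naming schemes: `EXIM_HAVE_OPESSL_OCSP_RESP_GET0_CERTS` carries the `OPESSL` misspelling of the neighbouring lines, while `EXIM_HAVE_SSL_GET0_VERIFIED_CHAIN` has no library prefix at all, and the hunk at 1987 tests the correctly spelled `EXIM_HAVE_OPENSSL_X509_STORE_GET1_ALL_CERTS`. Since both are new, spelling them `EXIM_HAVE_OPENSSL_OCSP_RESP_GET0_CERTS` and `EXIM_HAVE_OPENSSL_SSL_GET0_VERIFIED_CHAIN` (and updating the two `#ifdef` uses in the 2559 and 2578 hunks) would keep one convention for anything a reader greps for. A trailing comment naming the OpenSSL release that introduced each API would also help whoever next moves the version guard that encloses this block, which is outside the hunk.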
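Review bot: The new `(X509 *)cert` cast in debug_print_sn() discards the `const` that the parameter advertises, and nothing says why, so the next reader will read it as a mistake or a hidden mutation. If the reason is that older OpenSSL declared X509_get_subject_name() with a non-const argument, record that on the line: `X509_NAME * sn = X509_get_subject_name((X509 *)cert);	/* older OpenSSL lacks const here; the call is read-only */`. The rest of debug_print_sn() is outside the hunk.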
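Review bot: With the `# else` branch removed, x509_store_dump_cert_s_names() compiles to an empty body whenever EXIM_HAVE_OPENSSL_X509_STORE_GET1_ALL_CERTS is not defined, so `store` becomes an unused parameter and the debug output for the store silently vanishes instead of saying it is unavailable. A two-line `# else` before the `# endif`, `debug_printf(" (store dump not supported by this OpenSSL)\n");`, keeps the debug log self-explaining and removes the warning. X509_STORE_get1_all_certs() may also return NULL on allocation failure; sk_X509_pop_free() tolerates that, but whether x509_stack_dump_cert_s_names() does cannot be seen from here, so a `if (sk)` guard on the dump call is cheap insurance.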
@@ -2240,7 +2233,7 @@ if (lib_ctx_new(&server_sni, NULL, &dummy_errstr) != OK) /* Not sure how many of these are actually needed, since SSL object already exists. Might even need this selfsame callback, for reneg? */ - { + { SSL_CTX * ctx = state_server.lib_state.lib_ctx; SSL_CTX_set_info_callback(server_sni, SSL_CTX_get_info_callback(ctx)); SSL_CTX_set_mode(server_sni, SSL_CTX_get_mode(ctx));
@@ -2252,7 +2245,7 @@ already exists. Might even need this selfsame callback, for reneg? */ SSL_CTX_set_timeout(server_sni, SSL_CTX_get_timeout(ctx)); SSL_CTX_set_tlsext_servername_callback(server_sni, tls_servername_cb); SSL_CTX_set_tlsext_servername_arg(server_sni, state); - } + } if ( !init_dh(server_sni, state->dhparam, &dummy_errstr) || !init_ecdh(server_sni, &dummy_errstr)
@@ -2537,6 +2530,8 @@ if (!(bs = OCSP_response_get1_basic(rsp))) DEBUG(D_tls) bp = BIO_new(BIO_s_mem()); /* Use the CA & chain that verified the server cert to verify the stapled info */ + /*XXX could we do an event here, for observability of ocsp? What reasonable data could we give access to? */ + /* Dates would be a start. Do we need another opaque variable type, as for certs, plus an extract expansion? */ { /* If this routine is not available, we've avoided [in tls_client_start()]
@@ -2564,10 +2559,11 @@ if (!(bs = OCSP_response_get1_basic(rsp))) SSL_get0_chain_certs(ssl, &verified_chain); add_chain_to_store(verify_store, verified_chain, "'current cert' per SSL_get0_chain_certs()"); - +#ifdef EXIM_HAVE_SSL_GET0_VERIFIED_CHAIN verified_chain = SSL_get0_verified_chain(ssl); add_chain_to_store(verify_store, verified_chain, "SSL_get0_verified_chain()"); +#endif } }
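Review bot: In the 2559 hunk the new `#ifdef EXIM_HAVE_SSL_GET0_VERIFIED_CHAIN` has no `#else`, so on a build without SSL_get0_verified_chain() the verify store is populated only from SSL_get0_chain_certs() and the later OCSP_basic_verify() runs against a store missing the peer's verified chain, with nothing in the debug log to explain a resulting verification failure. Suggest an `#else` arm with `DEBUG(D_tls) debug_printf("SSL_get0_verified_chain() unavailable; OCSP verify store lacks peer chain\n");` (drop the `DEBUG(D_tls)` if this code is already inside one, which cannot be seen from the hunk). The enclosing function starts and ends outside the hunk.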
@@ -2582,10 +2578,16 @@ if (!(bs = OCSP_response_get1_basic(rsp))) /* OCSP_RESPONSE_print(bp, rsp, 0); extreme debug: stapling content */ debug_printf("certs contained in basicresp:\n"); - x509_stack_dump_cert_s_names((STACK_OF(X509 *))OCSP_resp_get0_certs(bs)); + x509_stack_dump_cert_s_names( +#ifdef EXIM_HAVE_OPESSL_OCSP_RESP_GET0_CERTS + OCSP_resp_get0_certs(bs) +#else + bs->certs +#endif + ); -#ifdef EXIM_HAVE_OPENSSL_X509_STORE_GET1_ALL_CERTS /* else, could bodge via X509_STORE_get0_objects() - - but is OCSP_resp_get0_signer) avail? from 1.1.1 */ +#ifdef EXIM_HAVE_OPENSSL_X509_STORE_GET1_ALL_CERTS +/* could do via X509_STORE_get0_objects(); not worth it just for debug info */ { X509 * signer; if (OCSP_resp_get0_signer(bs, &signer, X509_STORE_get1_all_certs(verify_store)) == 1)
@@ -2623,11 +2625,14 @@ if (!(bs = OCSP_response_get1_basic(rsp))) if ((i = OCSP_basic_verify(bs, SSL_get_peer_cert_chain(ssl), verify_store, +#ifdef SUPPORT_DANE tls_out.dane_verified ? have_verified_OCSP_signer ? OCSP_NOVERIFY | OCSP_NOEXPLICIT : OCSP_PARTIAL_CHAIN | OCSP_NOEXPLICIT - : OCSP_NOEXPLICIT)) <= 0) + : +#endif + OCSP_NOEXPLICIT)) <= 0) { DEBUG(D_tls) debug_printf("OCSP_basic_verify() fail: returned %d\n", i); if (ERR_peek_error())
@@ -3994,7 +3999,7 @@ if (tlsp->host_resumable) tls_error(US"set ex_data", host, NULL, errstr); return FALSE; } - debug_printf("tls_exdata_idx %d cbinfo %p\n", tls_exdata_idx, client_static_state); + /* debug_printf("tls_exdata_idx %d cbinfo %p\n", tls_exdata_idx, client_static_state); */ } tlsp->resumption = RESUME_SUPPORTED;
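Review bot: The `#else` arm passes `bs->certs`, reaching into OCSP_BASICRESP directly; that struct became opaque in the same OpenSSL release that added OCSP_resp_get0_certs(), so the fallback only compiles if the block that defines EXIM_HAVE_OPESSL_OCSP_RESP_GET0_CERTS (the line-79 hunk) is guarded at or below that release. If, as the surrounding defines suggest, that block is guarded at a later version, builds in between fail to compile rather than losing a debug line; either put the define under the lower version guard or state the assumption on the line, `bs->certs	/* pre-opaque OCSP_BASICRESP only */`. Separately, the unchanged call `OCSP_resp_get0_signer(bs, &signer, X509_STORE_get1_all_certs(verify_store))` never frees the up-referenced stack that the get1 function returns, so every stapled response leaks it (presumably only under DEBUG(D_tls)); holding it in a local and calling `sk_X509_pop_free()` after the check fixes that. The enclosing function starts and ends outside the hunk.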
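Review bot: In the 2625 hunk the `#ifdef SUPPORT_DANE` now cuts a nested ternary in the middle of a function argument, leaving a bare `:` before `#endif`; it is correct but hard to read and easy to break on the next edit, and since this is the line that decides whether the OCSP signature check is skipped (`OCSP_NOVERIFY`) it deserves to be legible and commented. Computing the flags into a local first keeps the preprocessor out of the expression and gives a place to say why skipping verification is acceptable for a DANE-verified peer whose signer was already found in the store. The enclosing function starts and ends outside the hunk.
```c
  int ocsp_flags = OCSP_NOEXPLICIT;
#ifdef SUPPORT_DANE
  /* For a DANE-verified peer, a signer already located in our verify store
  needs no further signature check; otherwise accept a partial chain. */
  if (tls_out.dane_verified)
    ocsp_flags |= have_verified_OCSP_signer ? OCSP_NOVERIFY : OCSP_PARTIAL_CHAIN;
#endif
  if ((i = OCSP_basic_verify(bs, SSL_get_peer_cert_chain(ssl), verify_store,
		ocsp_flags)) <= 0)
    /* … unchanged: failure logging … */
```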
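Review bot: In the 3999 hunk the `debug_printf("tls_exdata_idx %d cbinfo %p\n", ...)` line is commented out rather than removed, which leaves dead code that will drift from the surrounding variables. The original was an unconditional print, not under `DEBUG(D_tls)`, and it exposed a heap address, so stopping it is right; either delete the line or, if the index is still useful when debugging resumption, keep it as `DEBUG(D_tls) debug_printf("tls_exdata_idx %d\n", tls_exdata_idx);` without the pointer. The enclosing function starts and ends outside the hunk.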