X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/51894f20e0c03113b4c4e07898ac5e955b21ec41..3f77bd134b64c532748b83c3931df07058268b5e:/src/src/tls-openssl.c
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index ef11de593..34612adea 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -77,9 +77,9 @@ change this guard and punt the issue for a while longer. */
 # define EXIM_HAVE_OPENSSL_KEYLOG
 # define EXIM_HAVE_OPENSSL_CIPHER_GET_ID
 # define EXIM_HAVE_SESSION_TICKET
-# define EXIM_HAVE_OPESSL_TRACE
-# define EXIM_HAVE_OPESSL_GET0_SERIAL
-# define EXIM_HAVE_OPESSL_OCSP_RESP_GET0_CERTS
+# define EXIM_HAVE_OPENSSL_TRACE
+# define EXIM_HAVE_OPENSSL_GET0_SERIAL
+# define EXIM_HAVE_OPENSSL_OCSP_RESP_GET0_CERTS
 # define EXIM_HAVE_SSL_GET0_VERIFIED_CHAIN
 # ifndef DISABLE_OCSP
 # define EXIM_HAVE_OCSP
@@ -97,6 +97,9 @@ change this guard and punt the issue for a while longer. */
 #if LIBRESSL_VERSION_NUMBER >= 0x3040000fL
 # define EXIM_HAVE_OPENSSL_CIPHER_GET_ID
 #endif
+#if LIBRESSL_VERSION_NUMBER >= 0x3050000fL
+# define EXIM_HAVE_OPENSSL_OCSP_RESP_GET0_CERTS
+#endif
 #if !defined(LIBRESSL_VERSION_NUMBER) && (OPENSSL_VERSION_NUMBER >= 0x030000000L)
 # define EXIM_HAVE_EXPORT_CHNL_BNGNG
@@ -1756,7 +1759,7 @@ level. */
 DEBUG(D_tls)
 {
 SSL_CTX_set_info_callback(ctx, info_callback);
-#if defined(EXIM_HAVE_OPESSL_TRACE) && !defined(OPENSSL_NO_SSL_TRACE)
+#if defined(EXIM_HAVE_OPENSSL_TRACE) && !defined(OPENSSL_NO_SSL_TRACE)
 /* this needs a debug build of OpenSSL */
 SSL_CTX_set_msg_callback(ctx, SSL_trace);
 #endif
@@ -2442,7 +2445,7 @@ tls_in.ocsp = OCSP_NOT_RESP;
 if (!olist) return SSL_TLSEXT_ERR_NOACK;
-#ifdef EXIM_HAVE_OPESSL_GET0_SERIAL
+#ifdef EXIM_HAVE_OPENSSL_GET0_SERIAL
 {
 const X509 * cert_sent = SSL_get_certificate(s);
 const ASN1_INTEGER * cert_serial = X509_get0_serialNumber(cert_sent);
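Review bot: The added `#if LIBRESSL_VERSION_NUMBER >= 0x3050000fL` block in the second hunk gives no reason for the 3.5.0 threshold, while the only alternative visible on this page is the direct `bs->certs` field read in the `#else` branch of the OCSP debug dump. A one-line comment would tie the two together, for example `/* LibreSSL >= 3.5.0: use OCSP_resp_get0_certs() instead of reading bs->certs directly */`. The underlying reason (presumably the OCSP structures no longer being accessible in that release) is inferred and should be confirmed before it is stated as fact. The conditional region around this block starts outside the hunk, so whether it already sits in a LibreSSL-only section cannot be checked from here.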
@@ -2605,7 +2608,7 @@ if (!(bs = OCSP_response_get1_basic(rsp)))
 asking for certificate-status under DANE, so this callback won't run for that combination. It still will for non-DANE. */
-#ifdef EXIM_HAVE_OPENSSL_OCSP_RESP_GET0_SIGNER
+#if defined(EXIM_HAVE_OPENSSL_OCSP_RESP_GET0_SIGNER) && defined(SUPPORT_DANE)
 X509 * signer;
 if ( tls_out.dane_verified
@@ -2646,7 +2649,7 @@ if (!(bs = OCSP_response_get1_basic(rsp)))
 debug_printf("certs contained in basicresp:\n");
 x509_stack_dump_cert_s_names(
-#ifdef EXIM_HAVE_OPESSL_OCSP_RESP_GET0_CERTS
+#ifdef EXIM_HAVE_OPENSSL_OCSP_RESP_GET0_CERTS
 OCSP_resp_get0_certs(bs)
 #else
 bs->certs
@@ -5167,8 +5170,7 @@ if (!expand_check(option_spec, US"openssl_options", &exp, &end))
 for (uschar * s = exp; *s; /**/)
 {
- while (isspace(*s)) ++s;
- if (*s == '\0')
+ if (!Uskip_whitespace(&s))
 break;
 if (*s != '+' && *s != '-')
 {
@@ -5177,7 +5179,8 @@ for (uschar * s = exp; *s; /**/)
 return FALSE;
 }
 adding = *s++ == '+';
- for (end = s; *end && !isspace(*end); ) end++;
+ end = s;
+ Uskip_nonwhite(&end);
 item_parsed = tls_openssl_one_option_parse(string_copyn(s, end-s), &item);
 if (!item_parsed)
 {
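Review bot: The `#if defined(EXIM_HAVE_OPENSSL_OCSP_RESP_GET0_SIGNER) && defined(SUPPORT_DANE)` line now depends on two macros, but its matching `#endif` lies outside the hunk, so it cannot be seen to name either of them. Annotating it as `#endif /* EXIM_HAVE_OPENSSL_OCSP_RESP_GET0_SIGNER && SUPPORT_DANE */` would keep the pairing readable. Because the guard opens an `if ( tls_out.dane_verified ...` statement in the OCSP response handling, it is also worth confirming that a build without SUPPORT_DANE still reaches the ordinary signer verification rather than leaving a dangling branch. The rest of that statement is not visible here.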
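Review bot: After `end = s; Uskip_nonwhite(&end);` in the last hunk, a sign character followed directly by whitespace or the end of the string leaves `end == s`, so `string_copyn(s, end-s)` passes a zero-length name to `tls_openssl_one_option_parse`. The removed loop behaved the same way, and the `if (!item_parsed)` branch that follows probably rejects it. Still, an explicit `if (end == s)` check before the call would reject a bare `+` or `-` in `openssl_options` with a clearer message. The loop body starts before this hunk and continues past it, so the existing error path is only partly visible.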