X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/c8f419afe4b673ce93b7db07eb3093d8a07afb5f..443245384239776d29f5386050f56247c7404c1e:/src/src/dane-openssl.c diff --git a/src/src/dane-openssl.c b/src/src/dane-openssl.c index a6792d1ae..6ed352929 100644 --- a/src/src/dane-openssl.c +++ b/src/src/dane-openssl.c @@ -2,7 +2,7 @@ * Author: Viktor Dukhovni * License: THIS CODE IS IN THE PUBLIC DOMAIN. * - * Copyright (c) The Exim Maintainers 2014 - 2018 + * Copyright (c) The Exim Maintainers 2014 - 2019 */ #include #include @@ -25,9 +25,18 @@ #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER) # define X509_up_ref(x) CRYPTO_add(&((x)->references), 1, CRYPTO_LOCK_X509) #endif + +/* LibreSSL 2.9.0 and later - 2.9.0 has removed a number of macros ... */ +#ifdef LIBRESSL_VERSION_NUMBER +# if LIBRESSL_VERSION_NUMBER >= 0x2090000fL +# define EXIM_HAVE_ASN1_MACROS +# endif +#endif +/* OpenSSL */ #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER) # define EXIM_HAVE_ASN1_MACROS # define EXIM_OPAQUE_X509 +/* Older OpenSSL and all LibreSSL */ #else # define X509_STORE_CTX_get_verify(ctx) (ctx)->verify # define X509_STORE_CTX_get_verify_cb(ctx) (ctx)->verify_cb @@ -120,7 +129,7 @@ static ERR_STRING_DATA dane_str_reasons[] = { }; #endif -#define DANEerr(f, r) ERR_PUT_error(err_lib_dane, (f), (r), __FILE__, __LINE__) +#define DANEerr(f, r) ERR_PUT_error(err_lib_dane, (f), (r), __FUNCTION__, __LINE__) static int err_lib_dane = -1; static int dane_idx = -1; @@ -1076,52 +1085,52 @@ if (dane->selectors[DANESSL_USAGE_DANE_EE]) } } - if (dane->selectors[DANESSL_USAGE_DANE_TA]) +if (dane->selectors[DANESSL_USAGE_DANE_TA]) + { + if ((matched = set_trust_anchor(ctx, dane, cert)) < 0) { - if ((matched = set_trust_anchor(ctx, dane, cert)) < 0) - { - X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM); - return -1; - } - if (matched) - { - /* - * Check that setting the untrusted chain updates the expected - * structure member at the expected offset. - */ - X509_STORE_CTX_trusted_stack(ctx, dane->roots); - X509_STORE_CTX_set_chain(ctx, dane->chain); - OPENSSL_assert(dane->chain == X509_STORE_CTX_get0_untrusted(ctx)); - } + X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM); + return -1; + } + if (matched) + { + /* + * Check that setting the untrusted chain updates the expected + * structure member at the expected offset. + */ + X509_STORE_CTX_trusted_stack(ctx, dane->roots); + X509_STORE_CTX_set_chain(ctx, dane->chain); + OPENSSL_assert(dane->chain == X509_STORE_CTX_get0_untrusted(ctx)); } + } - /* - * Name checks and usage 0/1 constraint enforcement are delayed until - * X509_verify_cert() builds the full chain and calls our verify_chain() - * wrapper. - */ - dane->verify = X509_STORE_CTX_get_verify(ctx); - X509_STORE_CTX_set_verify(ctx, verify_chain); +/* + * Name checks and usage 0/1 constraint enforcement are delayed until + * X509_verify_cert() builds the full chain and calls our verify_chain() + * wrapper. + */ +dane->verify = X509_STORE_CTX_get_verify(ctx); +X509_STORE_CTX_set_verify(ctx, verify_chain); - if (X509_verify_cert(ctx)) - return 1; +if (X509_verify_cert(ctx)) + return 1; - /* - * If the chain is invalid, clear any matching cert or hostname, to - * protect callers that might erroneously rely on these alone without - * checking the validation status. - */ - if (dane->match) - { - X509_free(dane->match); - dane->match = 0; - } - if (dane->mhost) - { - OPENSSL_free(dane->mhost); - dane->mhost = 0; - } - return 0; +/* + * If the chain is invalid, clear any matching cert or hostname, to + * protect callers that might erroneously rely on these alone without + * checking the validation status. + */ +if (dane->match) + { + X509_free(dane->match); + dane->match = 0; + } +if (dane->mhost) + { + OPENSSL_free(dane->mhost); + dane->mhost = 0; + } + return 0; } static dane_list