X-Git-Url: https://vcs.fsf.org/?a=blobdiff_plain;f=src%2Fsrc%2Fdane-openssl.c;h=6ed3529293257d73f432540eda4497654ccd40ab;hb=dc8380bb68f615c89345eff1855a1a2e6f8cbf8a;hp=4ac5747c9a5a2bfb91aa2f7c81dd2e7194d90a9e;hpb=1fbf41cdf61bc864662c7b766a1db38ae888db20;p=exim.git
diff --git a/src/src/dane-openssl.c b/src/src/dane-openssl.c
index 4ac5747c9..6ed352929 100644
--- a/src/src/dane-openssl.c
+++ b/src/src/dane-openssl.c
@@ -26,34 +26,36 @@
 # define X509_up_ref(x) CRYPTO_add(&((x)->references), 1, CRYPTO_LOCK_X509)
 #endif
-#ifdef LIBRESSL_VERSION_NUMBER /* LibreSSL */
+/* LibreSSL 2.9.0 and later - 2.9.0 has removed a number of macros ... */
+#ifdef LIBRESSL_VERSION_NUMBER
 # if LIBRESSL_VERSION_NUMBER >= 0x2090000fL
 # define EXIM_HAVE_ASN1_MACROS
 # endif
-#else /* OpenSSL */
-# if OPENSSL_VERSION_NUMBER >= 0x10100000L
-# define EXIM_HAVE_ASN1_MACROS
-# define EXIM_OPAQUE_X509
-# else
-# define X509_STORE_CTX_get_verify(ctx) (ctx)->verify
-# define X509_STORE_CTX_get_verify_cb(ctx) (ctx)->verify_cb
-# define X509_STORE_CTX_get0_cert(ctx) (ctx)->cert
-# define X509_STORE_CTX_get0_chain(ctx) (ctx)->chain
-# define X509_STORE_CTX_get0_untrusted(ctx) (ctx)->untrusted
-
-# define X509_STORE_CTX_set_verify(ctx, verify_chain) (ctx)->verify = (verify_chain)
-# define X509_STORE_CTX_set0_verified_chain(ctx, sk) (ctx)->chain = (sk)
-# define X509_STORE_CTX_set_error_depth(ctx, val) (ctx)->error_depth = (val)
-# define X509_STORE_CTX_set_current_cert(ctx, cert) (ctx)->current_cert = (cert)
-
-# define ASN1_STRING_get0_data ASN1_STRING_data
-# define X509_getm_notBefore X509_get_notBefore
-# define X509_getm_notAfter X509_get_notAfter
-
-# define CRYPTO_ONCE_STATIC_INIT 0
-# define CRYPTO_THREAD_run_once run_once
+#endif
+/* OpenSSL */
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+# define EXIM_HAVE_ASN1_MACROS
+# define EXIM_OPAQUE_X509
+/* Older OpenSSL and all LibreSSL */
+#else
+# define X509_STORE_CTX_get_verify(ctx) (ctx)->verify
+# define X509_STORE_CTX_get_verify_cb(ctx) (ctx)->verify_cb
+# define X509_STORE_CTX_get0_cert(ctx) (ctx)->cert
+# define X509_STORE_CTX_get0_chain(ctx) (ctx)->chain
+# define X509_STORE_CTX_get0_untrusted(ctx) (ctx)->untrusted
+
+# define X509_STORE_CTX_set_verify(ctx, verify_chain) (ctx)->verify = (verify_chain)
+# define X509_STORE_CTX_set0_verified_chain(ctx, sk) (ctx)->chain = (sk)
+# define X509_STORE_CTX_set_error_depth(ctx, val) (ctx)->error_depth = (val)
+# define X509_STORE_CTX_set_current_cert(ctx, cert) (ctx)->current_cert = (cert)
+
+# define ASN1_STRING_get0_data ASN1_STRING_data
+# define X509_getm_notBefore X509_get_notBefore
+# define X509_getm_notAfter X509_get_notAfter
+
+# define CRYPTO_ONCE_STATIC_INIT 0
+# define CRYPTO_THREAD_run_once run_once
 typedef int CRYPTO_ONCE;
-# endif
 #endif
@@ -127,7 +129,7 @@ static ERR_STRING_DATA dane_str_reasons[] = {
 };
 #endif
-#define DANEerr(f, r) ERR_PUT_error(err_lib_dane, (f), (r), __FILE__, __LINE__)
+#define DANEerr(f, r) ERR_PUT_error(err_lib_dane, (f), (r), __FUNCTION__, __LINE__)
 static int err_lib_dane = -1;
 static int dane_idx = -1;
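Review bot: The new comment `/* LibreSSL 2.9.0 and later - 2.9.0 has removed a number of macros ... */` trails off, so a reader still has to work out from three separate blocks that every LibreSSL build now falls into the `#else` branch (the `!defined(LIBRESSL_VERSION_NUMBER)` term excludes it from the opaque-X509 path) and that LibreSSL 2.9.0+ therefore ends up with both `EXIM_HAVE_ASN1_MACROS` and the compatibility macros that reach into `(ctx)->verify`, `(ctx)->chain` and friends. That combination looks intended, but it is the one that matters for the struct-offset assumptions the file checks elsewhere with OPENSSL_assert, so it deserves to be stated rather than implied. I would finish the comment along the lines of `/* LibreSSL >= 2.9.0 dropped the ASN1 accessor macros, so we need EXIM_HAVE_ASN1_MACROS there; LibreSSL still takes the non-opaque compatibility branch below, never EXIM_OPAQUE_X509 */`, naming the actual macros if the author has the list.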
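Review bot: In the `DANEerr` macro the fourth argument of ERR_PUT_error is the source file name, so replacing `__FILE__` with `__FUNCTION__` makes every DANE error record carry the function name in the slot that ERR_print_errors and friends render as `file:line`, while the function is already conveyed by the `(f)` code. If the goal is to keep build-tree paths out of logs and error strings, that is a reasonable hardening choice but it should be written down, e.g. `/* __FUNCTION__ rather than __FILE__: keep build paths out of error output */`. Note also that `__FUNCTION__` is a GCC/Clang extension; `__func__` is the C99 spelling and would be the portable choice if the file does not otherwise rely on compiler extensions.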
@@ -1083,52 +1085,52 @@ if (dane->selectors[DANESSL_USAGE_DANE_EE])
 }
 }
- if (dane->selectors[DANESSL_USAGE_DANE_TA])
+if (dane->selectors[DANESSL_USAGE_DANE_TA])
+ {
+ if ((matched = set_trust_anchor(ctx, dane, cert)) < 0)
 {
- if ((matched = set_trust_anchor(ctx, dane, cert)) < 0)
- {
- X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM);
- return -1;
- }
- if (matched)
- {
- /*
- * Check that setting the untrusted chain updates the expected
- * structure member at the expected offset.
- */
- X509_STORE_CTX_trusted_stack(ctx, dane->roots);
- X509_STORE_CTX_set_chain(ctx, dane->chain);
- OPENSSL_assert(dane->chain == X509_STORE_CTX_get0_untrusted(ctx));
- }
+ X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM);
+ return -1;
 }
+ if (matched)
+ {
+ /*
+ * Check that setting the untrusted chain updates the expected
+ * structure member at the expected offset.
+ */
+ X509_STORE_CTX_trusted_stack(ctx, dane->roots);
+ X509_STORE_CTX_set_chain(ctx, dane->chain);
+ OPENSSL_assert(dane->chain == X509_STORE_CTX_get0_untrusted(ctx));
+ }
+ }
- /*
- * Name checks and usage 0/1 constraint enforcement are delayed until
- * X509_verify_cert() builds the full chain and calls our verify_chain()
- * wrapper.
- */
- dane->verify = X509_STORE_CTX_get_verify(ctx);
- X509_STORE_CTX_set_verify(ctx, verify_chain);
+/*
+ * Name checks and usage 0/1 constraint enforcement are delayed until
+ * X509_verify_cert() builds the full chain and calls our verify_chain()
+ * wrapper.
+ */
+dane->verify = X509_STORE_CTX_get_verify(ctx);
+X509_STORE_CTX_set_verify(ctx, verify_chain);
- if (X509_verify_cert(ctx))
- return 1;
+if (X509_verify_cert(ctx))
+ return 1;
- /*
- * If the chain is invalid, clear any matching cert or hostname, to
- * protect callers that might erroneously rely on these alone without
- * checking the validation status.
- */
- if (dane->match)
- {
- X509_free(dane->match);
- dane->match = 0;
- }
- if (dane->mhost)
- {
- OPENSSL_free(dane->mhost);
- dane->mhost = 0;
- }
- return 0;
+/*
+ * If the chain is invalid, clear any matching cert or hostname, to
+ * protect callers that might erroneously rely on these alone without
+ * checking the validation status.
+ */
+if (dane->match)
+ {
+ X509_free(dane->match);
+ dane->match = 0;
+ }
+if (dane->mhost)
+ {
+ OPENSSL_free(dane->mhost);
+ dane->mhost = 0;
+ }
+ return 0;
 }
 static dane_list