# define X509_up_ref(x) CRYPTO_add(&((x)->references), 1, CRYPTO_LOCK_X509)
#endif
-#ifdef LIBRESSL_VERSION_NUMBER /* LibreSSL */
+/* LibreSSL 2.9.0 and later - 2.9.0 has removed a number of macros ... */
+#ifdef LIBRESSL_VERSION_NUMBER
# if LIBRESSL_VERSION_NUMBER >= 0x2090000fL
# define EXIM_HAVE_ASN1_MACROS
# endif
-#else /* OpenSSL */
-# if OPENSSL_VERSION_NUMBER >= 0x10100000L
-# define EXIM_HAVE_ASN1_MACROS
-# define EXIM_OPAQUE_X509
-# else
-# define X509_STORE_CTX_get_verify(ctx) (ctx)->verify
-# define X509_STORE_CTX_get_verify_cb(ctx) (ctx)->verify_cb
-# define X509_STORE_CTX_get0_cert(ctx) (ctx)->cert
-# define X509_STORE_CTX_get0_chain(ctx) (ctx)->chain
-# define X509_STORE_CTX_get0_untrusted(ctx) (ctx)->untrusted
-
-# define X509_STORE_CTX_set_verify(ctx, verify_chain) (ctx)->verify = (verify_chain)
-# define X509_STORE_CTX_set0_verified_chain(ctx, sk) (ctx)->chain = (sk)
-# define X509_STORE_CTX_set_error_depth(ctx, val) (ctx)->error_depth = (val)
-# define X509_STORE_CTX_set_current_cert(ctx, cert) (ctx)->current_cert = (cert)
-
-# define ASN1_STRING_get0_data ASN1_STRING_data
-# define X509_getm_notBefore X509_get_notBefore
-# define X509_getm_notAfter X509_get_notAfter
-
-# define CRYPTO_ONCE_STATIC_INIT 0
-# define CRYPTO_THREAD_run_once run_once
+#endif
+/* OpenSSL */
+#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
+# define EXIM_HAVE_ASN1_MACROS
+# define EXIM_OPAQUE_X509
+/* Older OpenSSL and all LibreSSL */
+#else
+# define X509_STORE_CTX_get_verify(ctx) (ctx)->verify
+# define X509_STORE_CTX_get_verify_cb(ctx) (ctx)->verify_cb
+# define X509_STORE_CTX_get0_cert(ctx) (ctx)->cert
+# define X509_STORE_CTX_get0_chain(ctx) (ctx)->chain
+# define X509_STORE_CTX_get0_untrusted(ctx) (ctx)->untrusted
+
+# define X509_STORE_CTX_set_verify(ctx, verify_chain) (ctx)->verify = (verify_chain)
+# define X509_STORE_CTX_set0_verified_chain(ctx, sk) (ctx)->chain = (sk)
+# define X509_STORE_CTX_set_error_depth(ctx, val) (ctx)->error_depth = (val)
+# define X509_STORE_CTX_set_current_cert(ctx, cert) (ctx)->current_cert = (cert)
+
+# define ASN1_STRING_get0_data ASN1_STRING_data
+# define X509_getm_notBefore X509_get_notBefore
+# define X509_getm_notAfter X509_get_notAfter
+
+# define CRYPTO_ONCE_STATIC_INIT 0
+# define CRYPTO_THREAD_run_once run_once
typedef int CRYPTO_ONCE;
-# endif
#endif
};
#endif
-#define DANEerr(f, r) ERR_PUT_error(err_lib_dane, (f), (r), __FILE__, __LINE__)
+#define DANEerr(f, r) ERR_PUT_error(err_lib_dane, (f), (r), __FUNCTION__, __LINE__)
static int err_lib_dane = -1;
static int dane_idx = -1;
}
}
- if (dane->selectors[DANESSL_USAGE_DANE_TA])
+if (dane->selectors[DANESSL_USAGE_DANE_TA])
+ {
+ if ((matched = set_trust_anchor(ctx, dane, cert)) < 0)
{
- if ((matched = set_trust_anchor(ctx, dane, cert)) < 0)
- {
- X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM);
- return -1;
- }
- if (matched)
- {
- /*
- * Check that setting the untrusted chain updates the expected
- * structure member at the expected offset.
- */
- X509_STORE_CTX_trusted_stack(ctx, dane->roots);
- X509_STORE_CTX_set_chain(ctx, dane->chain);
- OPENSSL_assert(dane->chain == X509_STORE_CTX_get0_untrusted(ctx));
- }
+ X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM);
+ return -1;
}
+ if (matched)
+ {
+ /*
+ * Check that setting the untrusted chain updates the expected
+ * structure member at the expected offset.
+ */
+ X509_STORE_CTX_trusted_stack(ctx, dane->roots);
+ X509_STORE_CTX_set_chain(ctx, dane->chain);
+ OPENSSL_assert(dane->chain == X509_STORE_CTX_get0_untrusted(ctx));
+ }
+ }
- /*
- * Name checks and usage 0/1 constraint enforcement are delayed until
- * X509_verify_cert() builds the full chain and calls our verify_chain()
- * wrapper.
- */
- dane->verify = X509_STORE_CTX_get_verify(ctx);
- X509_STORE_CTX_set_verify(ctx, verify_chain);
+/*
+ * Name checks and usage 0/1 constraint enforcement are delayed until
+ * X509_verify_cert() builds the full chain and calls our verify_chain()
+ * wrapper.
+ */
+dane->verify = X509_STORE_CTX_get_verify(ctx);
+X509_STORE_CTX_set_verify(ctx, verify_chain);
- if (X509_verify_cert(ctx))
- return 1;
+if (X509_verify_cert(ctx))
+ return 1;
- /*
- * If the chain is invalid, clear any matching cert or hostname, to
- * protect callers that might erroneously rely on these alone without
- * checking the validation status.
- */
- if (dane->match)
- {
- X509_free(dane->match);
- dane->match = 0;
- }
- if (dane->mhost)
- {
- OPENSSL_free(dane->mhost);
- dane->mhost = 0;
- }
- return 0;
+/*
+ * If the chain is invalid, clear any matching cert or hostname, to
+ * protect callers that might erroneously rely on these alone without
+ * checking the validation status.
+ */
+if (dane->match)
+ {
+ X509_free(dane->match);
+ dane->match = 0;
+ }
+if (dane->mhost)
+ {
+ OPENSSL_free(dane->mhost);
+ dane->mhost = 0;
+ }
+ return 0;
}
static dane_list
projects / exim.git / blobdiff