tidying

[exim.git] / src / src / dane-openssl.c

diff --git a/src/src/dane-openssl.c b/src/src/dane-openssl.c
index 97acccb5ab9fa1e7395b60991edd6004ecd2902a..6ed3529293257d73f432540eda4497654ccd40ab 100644 (file)
--- a/src/src/dane-openssl.c
+++ b/src/src/dane-openssl.c
@@ -2,7 +2,7 @@
  *  Author: Viktor Dukhovni
  *  License: THIS CODE IS IN THE PUBLIC DOMAIN.
  *
- * Copyright (c) The Exim Maintainers 2014 - 2016
+ * Copyright (c) The Exim Maintainers 2014 - 2019
  */
 #include <stdio.h>
 #include <string.h>
@@ -25,9 +25,18 @@
 #if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
 # define X509_up_ref(x) CRYPTO_add(&((x)->references), 1, CRYPTO_LOCK_X509)
 #endif
+
+/* LibreSSL 2.9.0 and later - 2.9.0 has removed a number of macros ... */
+#ifdef LIBRESSL_VERSION_NUMBER
+# if LIBRESSL_VERSION_NUMBER >= 0x2090000fL
+#  define EXIM_HAVE_ASN1_MACROS
+# endif
+#endif
+/* OpenSSL */
 #if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
 # define EXIM_HAVE_ASN1_MACROS
 # define EXIM_OPAQUE_X509
+/* Older OpenSSL and all LibreSSL */
 #else
 # define X509_STORE_CTX_get_verify(ctx)                (ctx)->verify
 # define X509_STORE_CTX_get_verify_cb(ctx)     (ctx)->verify_cb
@@ -84,6 +93,7 @@ typedef int CRYPTO_ONCE;
 #ifndef OPENSSL_NO_ERR
 #define        DANESSL_F_PLACEHOLDER           0               /* FIRST! Value TBD */
 static ERR_STRING_DATA dane_str_functs[] = {
+    /* error                           string */
     {DANESSL_F_PLACEHOLDER,            "DANE library"},        /* FIRST!!! */
     {DANESSL_F_ADD_SKID,               "add_skid"},
     {DANESSL_F_ADD_TLSA,               "DANESSL_add_tlsa"},
@@ -101,6 +111,7 @@ static ERR_STRING_DATA dane_str_functs[] = {
     {0,                                        NULL}
 };
 static ERR_STRING_DATA dane_str_reasons[] = {
+    /* error                           string */
     {DANESSL_R_BAD_CERT,       "Bad TLSA record certificate"},
     {DANESSL_R_BAD_CERT_PKEY,  "Bad TLSA record certificate public key"},
     {DANESSL_R_BAD_DATA_LENGTH,        "Bad TLSA record digest length"},
@@ -118,7 +129,7 @@ static ERR_STRING_DATA dane_str_reasons[] = {
 };
 #endif
 
-#define DANEerr(f, r) ERR_PUT_error(err_lib_dane, (f), (r), __FILE__, __LINE__)
+#define DANEerr(f, r) ERR_PUT_error(err_lib_dane, (f), (r), __FUNCTION__, __LINE__)
 
 static int err_lib_dane = -1;
 static int dane_idx = -1;
@@ -238,7 +249,6 @@ int matched;
  */
 for (matched = 0; !matched && slist; slist = slist->next)
   {
-  dane_mtype_list m;
   unsigned char mdbuf[EVP_MAX_MD_SIZE];
   unsigned char *buf = NULL;
   unsigned char *buf2;
@@ -251,12 +261,12 @@ for (matched = 0; !matched && slist; slist = slist->next)
     {
     case DANESSL_SELECTOR_CERT:
       len = i2d_X509(cert, NULL);
-      buf2 = buf = (unsigned char *) OPENSSL_malloc(len);
+      buf2 = buf = US  OPENSSL_malloc(len);
       if(buf) i2d_X509(cert, &buf2);
       break;
     case DANESSL_SELECTOR_SPKI:
       len = i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), NULL);
-      buf2 = buf = (unsigned char *) OPENSSL_malloc(len);
+      buf2 = buf = US  OPENSSL_malloc(len);
       if(buf) i2d_X509_PUBKEY(X509_get_X509_PUBKEY(cert), &buf2);
       break;
     }
@@ -271,9 +281,8 @@ for (matched = 0; !matched && slist; slist = slist->next)
   /*
    * Loop over each mtype and data element
    */
-  for (m = slist->value->mtype; !matched && m; m = m->next)
+  for (dane_mtype_list m = slist->value->mtype; !matched && m; m = m->next)
     {
-    dane_data_list d;
     unsigned char *cmpbuf = buf;
     unsigned int cmplen = len;
 
@@ -287,7 +296,7 @@ for (matched = 0; !matched && slist; slist = slist->next)
       if (!EVP_Digest(buf, len, cmpbuf, &cmplen, m->value->md, 0))
          matched = -1;
       }
-    for (d = m->value->data; !matched && d; d = d->next)
+    for (dane_data_list d = m->value->data; !matched && d; d = d->next)
        if (  cmplen == d->value->datalen
           && memcmp(cmpbuf, d->value->data, cmplen) == 0)
            matched = slist->value->selector + 1;
@@ -392,10 +401,9 @@ akid_issuer_name(AUTHORITY_KEYID *akid)
 {
 if (akid && akid->issuer)
   {
-  int     i;
   GENERAL_NAMES *gens = akid->issuer;
 
-  for (i = 0; i < sk_GENERAL_NAME_num(gens); ++i)
+  for (int i = 0; i < sk_GENERAL_NAME_num(gens); ++i)
     {
     GENERAL_NAME *gn = sk_GENERAL_NAME_value(gens, i);
 
@@ -407,16 +415,16 @@ return 0;
 }
 
 static int
-set_issuer_name(X509 *cert, AUTHORITY_KEYID *akid)
+set_issuer_name(X509 *cert, AUTHORITY_KEYID *akid, X509_NAME *subj)
 {
 X509_NAME *name = akid_issuer_name(akid);
 
 /*
- * If subject's akid specifies an authority key identifer issuer name, we
+ * If subject's akid specifies an authority key identifier issuer name, we
  * must use that.
  */
 return X509_set_issuer_name(cert,
-                           name ? name : X509_get_subject_name(cert));
+                           name ? name : subj);
 }
 
 static int
@@ -498,7 +506,7 @@ akid = X509_get_ext_d2i(subject, NID_authority_key_identifier, 0, 0);
  */
 if (  !X509_set_version(cert, 2)
    || !set_serial(cert, akid, subject)
-   || !set_issuer_name(cert, akid)
+   || !set_issuer_name(cert, akid, name)
    || !X509_gmtime_adj(X509_getm_notBefore(cert), -30 * 86400L)
    || !X509_gmtime_adj(X509_getm_notAfter(cert), 30 * 86400L)
    || !X509_set_subject_name(cert, name)
@@ -543,8 +551,6 @@ return 0;
 static int
 ta_signed(ssl_dane *dane, X509 *cert, int depth)
 {
-dane_cert_list x;
-dane_pkey_list k;
 EVP_PKEY *pk;
 int done = 0;
 
@@ -555,7 +561,7 @@ int done = 0;
  * first (name comparisons), before we bother with signature checks
  * (public key operations).
  */
-for (x = dane->certs; !done && x; x = x->next)
+for (dane_cert_list x = dane->certs; !done && x; x = x->next)
   {
   if (X509_check_issued(x->value, cert) == X509_V_OK)
     {
@@ -595,7 +601,7 @@ for (x = dane->certs; !done && x; x = x->next)
  * This may push errors onto the stack when the certificate signature is
  * not of the right type or length, throw these away,
  */
-for (k = dane->pkeys; !done && k; k = k->next)
+for (dane_pkey_list k = dane->pkeys; !done && k; k = k->next)
   if (X509_verify(cert, k->value) > 0)
     done = wrap_issuer(dane, k->value, cert, depth, WRAP_MID) ? 1 : -1;
   else
@@ -608,8 +614,6 @@ static int
 set_trust_anchor(X509_STORE_CTX *ctx, ssl_dane *dane, X509 *cert)
 {
 int matched = 0;
-int n;
-int i;
 int depth = 0;
 EVP_PKEY *takey;
 X509 *ca;
@@ -645,8 +649,9 @@ if (!(in = sk_X509_dup(in)))
  *
  * Caller ensures that the initial certificate is not self-signed.
  */
-for (n = sk_X509_num(in); n > 0; --n, ++depth)
+for (int n = sk_X509_num(in); n > 0; --n, ++depth)
   {
+  int i;
   for (i = 0; i < n; ++i)
     if (X509_check_issued(sk_X509_value(in, i), cert) == X509_V_OK)
       break;
@@ -747,9 +752,8 @@ static int
 match_name(const char *certid, ssl_dane *dane)
 {
 int multi = dane->multi;
-dane_host_list hosts;
 
-for (hosts = dane->hosts; hosts; hosts = hosts->next)
+for (dane_host_list hosts = dane->hosts; hosts; hosts = hosts->next)
   {
   int match_subdomain = 0;
   const char *domain = hosts->value;
@@ -822,7 +826,7 @@ if (gn->type != GEN_DNS)
   return 0;
 if (ASN1_STRING_type(gn->d.ia5) != V_ASN1_IA5STRING)
   return 0;
-return check_name((const char *) ASN1_STRING_get0_data(gn->d.ia5),
+return check_name(CCS  ASN1_STRING_get0_data(gn->d.ia5),
                  ASN1_STRING_length(gn->d.ia5));
 }
 
@@ -846,12 +850,12 @@ if (!(entry_str = X509_NAME_ENTRY_get_data(entry)))
 
 if ((len = ASN1_STRING_to_UTF8(&namebuf, entry_str)) < 0)
   return 0;
-if (len <= 0 || check_name((char *) namebuf, len) == 0)
+if (len <= 0 || check_name(CS  namebuf, len) == 0)
   {
   OPENSSL_free(namebuf);
   return 0;
   }
-return (char *) namebuf;
+return CS  namebuf;
 }
 
 static int
@@ -865,9 +869,8 @@ gens = X509_get_ext_d2i(cert, NID_subject_alt_name, 0, 0);
 if (gens)
   {
   int n = sk_GENERAL_NAME_num(gens);
-  int i;
 
-  for (i = 0; i < n; ++i)
+  for (int i = 0; i < n; ++i)
     {
     const GENERAL_NAME *gn = sk_GENERAL_NAME_value(gens, i);
     const char *certid;
@@ -1082,52 +1085,52 @@ if (dane->selectors[DANESSL_USAGE_DANE_EE])
     }
   }
 
-  if (dane->selectors[DANESSL_USAGE_DANE_TA])
+if (dane->selectors[DANESSL_USAGE_DANE_TA])
+  {
+  if ((matched = set_trust_anchor(ctx, dane, cert)) < 0)
     {
-    if ((matched = set_trust_anchor(ctx, dane, cert)) < 0)
-      {
-      X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM);
-      return -1;
-      }
-    if (matched)
-      {
-      /*
-       * Check that setting the untrusted chain updates the expected
-       * structure member at the expected offset.
-       */
-      X509_STORE_CTX_trusted_stack(ctx, dane->roots);
-      X509_STORE_CTX_set_chain(ctx, dane->chain);
-      OPENSSL_assert(dane->chain == X509_STORE_CTX_get0_untrusted(ctx));
-      }
+    X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM);
+    return -1;
     }
+  if (matched)
+    {
+    /*
+     * Check that setting the untrusted chain updates the expected
+     * structure member at the expected offset.
+     */
+    X509_STORE_CTX_trusted_stack(ctx, dane->roots);
+    X509_STORE_CTX_set_chain(ctx, dane->chain);
+    OPENSSL_assert(dane->chain == X509_STORE_CTX_get0_untrusted(ctx));
+    }
+  }
 
-  /*
-   * Name checks and usage 0/1 constraint enforcement are delayed until
-   * X509_verify_cert() builds the full chain and calls our verify_chain()
-   * wrapper.
-   */
-  dane->verify = X509_STORE_CTX_get_verify(ctx);
-  X509_STORE_CTX_set_verify(ctx, verify_chain);
+/*
+ * Name checks and usage 0/1 constraint enforcement are delayed until
+ * X509_verify_cert() builds the full chain and calls our verify_chain()
+ * wrapper.
+ */
+dane->verify = X509_STORE_CTX_get_verify(ctx);
+X509_STORE_CTX_set_verify(ctx, verify_chain);
 
-  if (X509_verify_cert(ctx))
-    return 1;
+if (X509_verify_cert(ctx))
+  return 1;
 
-  /*
-   * If the chain is invalid, clear any matching cert or hostname, to
-   * protect callers that might erroneously rely on these alone without
-   * checking the validation status.
-   */
-  if (dane->match)
-    {
-    X509_free(dane->match);
-    dane->match = 0;
-    }
-  if (dane->mhost)
-    {
-    OPENSSL_free(dane->mhost);
-    dane->mhost = 0;
-    }
-   return 0;
+/*
+ * If the chain is invalid, clear any matching cert or hostname, to
+ * protect callers that might erroneously rely on these alone without
+ * checking the validation status.
+ */
+if (dane->match)
+  {
+  X509_free(dane->match);
+  dane->match = 0;
+  }
+if (dane->mhost)
+  {
+  OPENSSL_free(dane->mhost);
+  dane->mhost = 0;
+  }
+ return 0;
 }
 
 static dane_list
@@ -1155,10 +1158,9 @@ return l;
 static void
 list_free(void *list, void (*f)(void *))
 {
-dane_list head;
 dane_list next;
 
-for (head = (dane_list) list; head; head = next)
+for (dane_list head = (dane_list) list; head; head = next)
   {
   next = head->next;
   if (f && head->value)
@@ -1207,7 +1209,6 @@ void
 DANESSL_cleanup(SSL *ssl)
 {
 ssl_dane *dane;
-int u;
 
 DEBUG(D_tls) debug_printf("Dane lib-cleanup\n");
 
@@ -1218,7 +1219,7 @@ if (dane_idx < 0 || !(dane = SSL_get_ex_data(ssl, dane_idx)))
 dane_reset(dane);
 if (dane->hosts)
   list_free(dane->hosts, ossl_free);
-for (u = 0; u <= DANESSL_USAGE_LAST; ++u)
+for (int u = 0; u <= DANESSL_USAGE_LAST; ++u)
   if (dane->selectors[u])
     list_free(dane->selectors[u], dane_selector_free);
 if (dane->pkeys)
@@ -1368,38 +1369,38 @@ if (selector > DANESSL_SELECTOR_LAST)
   return 0;
   }
 
-    /* Support built-in standard one-digit mtypes */
-  if (mdname && *mdname && mdname[1] == '\0')
-    switch (*mdname - '0')
-    {
-    case DANESSL_MATCHING_FULL: mdname = 0;       break;
-    case DANESSL_MATCHING_2256: mdname = "sha256"; break;
-    case DANESSL_MATCHING_2512: mdname = "sha512"; break;
-    }
-  if (mdname && *mdname && (md = EVP_get_digestbyname(mdname)) == 0)
-    {
-    DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_DIGEST);
-    return 0;
-    }
-  if (mdname && *mdname && dlen != EVP_MD_size(md))
-    {
-    DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_DATA_LENGTH);
-    return 0;
-    }
-  if (!data)
-    {
-    DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_NULL_DATA);
-    return 0;
-    }
+/* Support built-in standard one-digit mtypes */
+if (mdname && *mdname && mdname[1] == '\0')
+  switch (*mdname - '0')
+  {
+  case DANESSL_MATCHING_FULL: mdname = 0;         break;
+  case DANESSL_MATCHING_2256: mdname = "sha256"; break;
+  case DANESSL_MATCHING_2512: mdname = "sha512"; break;
+  }
+if (mdname && *mdname && !(md = EVP_get_digestbyname(mdname)))
+  {
+  DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_DIGEST);
+  return 0;
+  }
+if (mdname && *mdname && dlen != EVP_MD_size(md))
+  {
+  DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_DATA_LENGTH);
+  return 0;
+  }
+if (!data)
+  {
+  DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_NULL_DATA);
+  return 0;
+  }
 
-  /*
-   * Full Certificate or Public Key when NULL or empty digest name
-   */
-  if (!mdname || !*mdname)
-    {
-    X509 *x = 0;
-    EVP_PKEY *k = 0;
-    const unsigned char *p = data;
+/*
+ * Full Certificate or Public Key when NULL or empty digest name
+ */
+if (!mdname || !*mdname)
+  {
+  X509 *x = 0;
+  EVP_PKEY *k = 0;
+  const unsigned char *p = data;
 
 #define xklistinit(lvar, ltype, var, freeFunc) do { \
          (lvar) = (ltype) OPENSSL_malloc(sizeof(*(lvar))); \
@@ -1534,7 +1535,6 @@ int
 DANESSL_init(SSL *ssl, const char *sni_domain, const char **hostnames)
 {
 ssl_dane *dane;
-int i;
 
 DEBUG(D_tls) debug_printf("Dane ssl_init\n");
 if (dane_idx < 0)
@@ -1573,7 +1573,7 @@ dane->multi = 0;                  /* Future SSL control interface */
 dane->count = 0;
 dane->hosts = 0;
 
-for (i = 0; i <= DANESSL_USAGE_LAST; ++i)
+for (int i = 0; i <= DANESSL_USAGE_LAST; ++i)
   dane->selectors[i] = 0;
 
 if (hostnames && (dane->hosts = host_list_init(hostnames)) == 0)