DANE: fix type-2xx TLSA under older OpenSSL versions Bug 2198

[exim.git] / src / src / dane-openssl.c

diff --git a/src/src/dane-openssl.c b/src/src/dane-openssl.c
index 0a74f1f281714d043498c151a1b295d9bcc2b7f8..bb3763a4866328f74849ded861f41043783800f3 100644 (file)
--- a/src/src/dane-openssl.c
+++ b/src/src/dane-openssl.c
@@ -2,7 +2,7 @@
  *  Author: Viktor Dukhovni
  *  License: THIS CODE IS IN THE PUBLIC DOMAIN.
  *
- * Copyright (c) The Exim Maintainers 2014 - 2016
+ * Copyright (c) The Exim Maintainers 2014 - 2017
  */
 #include <stdio.h>
 #include <string.h>
@@ -409,7 +409,7 @@ return 0;
 }
 
 static int
-set_issuer_name(X509 *cert, AUTHORITY_KEYID *akid)
+set_issuer_name(X509 *cert, AUTHORITY_KEYID *akid, X509_NAME *subj)
 {
 X509_NAME *name = akid_issuer_name(akid);
 
@@ -418,7 +418,7 @@ X509_NAME *name = akid_issuer_name(akid);
  * must use that.
  */
 return X509_set_issuer_name(cert,
-                           name ? name : X509_get_subject_name(cert));
+                           name ? name : subj);
 }
 
 static int
@@ -500,7 +500,7 @@ akid = X509_get_ext_d2i(subject, NID_authority_key_identifier, 0, 0);
  */
 if (  !X509_set_version(cert, 2)
    || !set_serial(cert, akid, subject)
-   || !set_issuer_name(cert, akid)
+   || !set_issuer_name(cert, akid, name)
    || !X509_gmtime_adj(X509_getm_notBefore(cert), -30 * 86400L)
    || !X509_gmtime_adj(X509_getm_notAfter(cert), 30 * 86400L)
    || !X509_set_subject_name(cert, name)
@@ -1370,38 +1370,38 @@ if (selector > DANESSL_SELECTOR_LAST)
   return 0;
   }
 
-    /* Support built-in standard one-digit mtypes */
-  if (mdname && *mdname && mdname[1] == '\0')
-    switch (*mdname - '0')
-    {
-    case DANESSL_MATCHING_FULL: mdname = 0;       break;
-    case DANESSL_MATCHING_2256: mdname = "sha256"; break;
-    case DANESSL_MATCHING_2512: mdname = "sha512"; break;
-    }
-  if (mdname && *mdname && (md = EVP_get_digestbyname(mdname)) == 0)
-    {
-    DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_DIGEST);
-    return 0;
-    }
-  if (mdname && *mdname && dlen != EVP_MD_size(md))
-    {
-    DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_DATA_LENGTH);
-    return 0;
-    }
-  if (!data)
-    {
-    DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_NULL_DATA);
-    return 0;
-    }
+/* Support built-in standard one-digit mtypes */
+if (mdname && *mdname && mdname[1] == '\0')
+  switch (*mdname - '0')
+  {
+  case DANESSL_MATCHING_FULL: mdname = 0;         break;
+  case DANESSL_MATCHING_2256: mdname = "sha256"; break;
+  case DANESSL_MATCHING_2512: mdname = "sha512"; break;
+  }
+if (mdname && *mdname && !(md = EVP_get_digestbyname(mdname)))
+  {
+  DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_DIGEST);
+  return 0;
+  }
+if (mdname && *mdname && dlen != EVP_MD_size(md))
+  {
+  DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_DATA_LENGTH);
+  return 0;
+  }
+if (!data)
+  {
+  DANEerr(DANESSL_F_ADD_TLSA, DANESSL_R_BAD_NULL_DATA);
+  return 0;
+  }
 
-  /*
-   * Full Certificate or Public Key when NULL or empty digest name
-   */
-  if (!mdname || !*mdname)
-    {
-    X509 *x = 0;
-    EVP_PKEY *k = 0;
-    const unsigned char *p = data;
+/*
+ * Full Certificate or Public Key when NULL or empty digest name
+ */
+if (!mdname || !*mdname)
+  {
+  X509 *x = 0;
+  EVP_PKEY *k = 0;
+  const unsigned char *p = data;
 
 #define xklistinit(lvar, ltype, var, freeFunc) do { \
          (lvar) = (ltype) OPENSSL_malloc(sizeof(*(lvar))); \