* Author: Viktor Dukhovni
* License: THIS CODE IS IN THE PUBLIC DOMAIN.
*
- * Copyright (c) The Exim Maintainers 2014 - 2018
+ * Copyright (c) The Exim Maintainers 2014 - 2019
*/
#include <stdio.h>
#include <string.h>
#if OPENSSL_VERSION_NUMBER < 0x10100000L || defined(LIBRESSL_VERSION_NUMBER)
# define X509_up_ref(x) CRYPTO_add(&((x)->references), 1, CRYPTO_LOCK_X509)
#endif
-#if OPENSSL_VERSION_NUMBER >= 0x10100000L && !defined(LIBRESSL_VERSION_NUMBER)
-# define EXIM_HAVE_ASN1_MACROS
-# define EXIM_OPAQUE_X509
-#else
-# define X509_STORE_CTX_get_verify(ctx) (ctx)->verify
-# define X509_STORE_CTX_get_verify_cb(ctx) (ctx)->verify_cb
-# define X509_STORE_CTX_get0_cert(ctx) (ctx)->cert
-# define X509_STORE_CTX_get0_chain(ctx) (ctx)->chain
-# define X509_STORE_CTX_get0_untrusted(ctx) (ctx)->untrusted
-
-# define X509_STORE_CTX_set_verify(ctx, verify_chain) (ctx)->verify = (verify_chain)
-# define X509_STORE_CTX_set0_verified_chain(ctx, sk) (ctx)->chain = (sk)
-# define X509_STORE_CTX_set_error_depth(ctx, val) (ctx)->error_depth = (val)
-# define X509_STORE_CTX_set_current_cert(ctx, cert) (ctx)->current_cert = (cert)
-
-# define ASN1_STRING_get0_data ASN1_STRING_data
-# define X509_getm_notBefore X509_get_notBefore
-# define X509_getm_notAfter X509_get_notAfter
-
-# define CRYPTO_ONCE_STATIC_INIT 0
-# define CRYPTO_THREAD_run_once run_once
+
+#ifdef LIBRESSL_VERSION_NUMBER /* LibreSSL */
+# if LIBRESSL_VERSION_NUMBER >= 0x2090000fL
+# define EXIM_HAVE_ASN1_MACROS
+# endif
+#else /* OpenSSL */
+# if OPENSSL_VERSION_NUMBER >= 0x10100000L
+# define EXIM_HAVE_ASN1_MACROS
+# define EXIM_OPAQUE_X509
+# else
+# define X509_STORE_CTX_get_verify(ctx) (ctx)->verify
+# define X509_STORE_CTX_get_verify_cb(ctx) (ctx)->verify_cb
+# define X509_STORE_CTX_get0_cert(ctx) (ctx)->cert
+# define X509_STORE_CTX_get0_chain(ctx) (ctx)->chain
+# define X509_STORE_CTX_get0_untrusted(ctx) (ctx)->untrusted
+
+# define X509_STORE_CTX_set_verify(ctx, verify_chain) (ctx)->verify = (verify_chain)
+# define X509_STORE_CTX_set0_verified_chain(ctx, sk) (ctx)->chain = (sk)
+# define X509_STORE_CTX_set_error_depth(ctx, val) (ctx)->error_depth = (val)
+# define X509_STORE_CTX_set_current_cert(ctx, cert) (ctx)->current_cert = (cert)
+
+# define ASN1_STRING_get0_data ASN1_STRING_data
+# define X509_getm_notBefore X509_get_notBefore
+# define X509_getm_notAfter X509_get_notAfter
+
+# define CRYPTO_ONCE_STATIC_INIT 0
+# define CRYPTO_THREAD_run_once run_once
typedef int CRYPTO_ONCE;
+# endif
#endif
*/
for (matched = 0; !matched && slist; slist = slist->next)
{
- dane_mtype_list m;
unsigned char mdbuf[EVP_MAX_MD_SIZE];
unsigned char *buf = NULL;
unsigned char *buf2;
/*
* Loop over each mtype and data element
*/
- for (m = slist->value->mtype; !matched && m; m = m->next)
+ for (dane_mtype_list m = slist->value->mtype; !matched && m; m = m->next)
{
- dane_data_list d;
unsigned char *cmpbuf = buf;
unsigned int cmplen = len;
if (!EVP_Digest(buf, len, cmpbuf, &cmplen, m->value->md, 0))
matched = -1;
}
- for (d = m->value->data; !matched && d; d = d->next)
+ for (dane_data_list d = m->value->data; !matched && d; d = d->next)
if ( cmplen == d->value->datalen
&& memcmp(cmpbuf, d->value->data, cmplen) == 0)
matched = slist->value->selector + 1;
{
if (akid && akid->issuer)
{
- int i;
GENERAL_NAMES *gens = akid->issuer;
- for (i = 0; i < sk_GENERAL_NAME_num(gens); ++i)
+ for (int i = 0; i < sk_GENERAL_NAME_num(gens); ++i)
{
GENERAL_NAME *gn = sk_GENERAL_NAME_value(gens, i);
X509_NAME *name = akid_issuer_name(akid);
/*
- * If subject's akid specifies an authority key identifer issuer name, we
+ * If subject's akid specifies an authority key identifier issuer name, we
* must use that.
*/
return X509_set_issuer_name(cert,
static int
ta_signed(ssl_dane *dane, X509 *cert, int depth)
{
-dane_cert_list x;
-dane_pkey_list k;
EVP_PKEY *pk;
int done = 0;
* first (name comparisons), before we bother with signature checks
* (public key operations).
*/
-for (x = dane->certs; !done && x; x = x->next)
+for (dane_cert_list x = dane->certs; !done && x; x = x->next)
{
if (X509_check_issued(x->value, cert) == X509_V_OK)
{
* This may push errors onto the stack when the certificate signature is
* not of the right type or length, throw these away,
*/
-for (k = dane->pkeys; !done && k; k = k->next)
+for (dane_pkey_list k = dane->pkeys; !done && k; k = k->next)
if (X509_verify(cert, k->value) > 0)
done = wrap_issuer(dane, k->value, cert, depth, WRAP_MID) ? 1 : -1;
else
set_trust_anchor(X509_STORE_CTX *ctx, ssl_dane *dane, X509 *cert)
{
int matched = 0;
-int n;
-int i;
int depth = 0;
EVP_PKEY *takey;
X509 *ca;
*
* Caller ensures that the initial certificate is not self-signed.
*/
-for (n = sk_X509_num(in); n > 0; --n, ++depth)
+for (int n = sk_X509_num(in); n > 0; --n, ++depth)
{
+ int i;
for (i = 0; i < n; ++i)
if (X509_check_issued(sk_X509_value(in, i), cert) == X509_V_OK)
break;
match_name(const char *certid, ssl_dane *dane)
{
int multi = dane->multi;
-dane_host_list hosts;
-for (hosts = dane->hosts; hosts; hosts = hosts->next)
+for (dane_host_list hosts = dane->hosts; hosts; hosts = hosts->next)
{
int match_subdomain = 0;
const char *domain = hosts->value;
if (gens)
{
int n = sk_GENERAL_NAME_num(gens);
- int i;
- for (i = 0; i < n; ++i)
+ for (int i = 0; i < n; ++i)
{
const GENERAL_NAME *gn = sk_GENERAL_NAME_value(gens, i);
const char *certid;
static void
list_free(void *list, void (*f)(void *))
{
-dane_list head;
dane_list next;
-for (head = (dane_list) list; head; head = next)
+for (dane_list head = (dane_list) list; head; head = next)
{
next = head->next;
if (f && head->value)
DANESSL_cleanup(SSL *ssl)
{
ssl_dane *dane;
-int u;
DEBUG(D_tls) debug_printf("Dane lib-cleanup\n");
dane_reset(dane);
if (dane->hosts)
list_free(dane->hosts, ossl_free);
-for (u = 0; u <= DANESSL_USAGE_LAST; ++u)
+for (int u = 0; u <= DANESSL_USAGE_LAST; ++u)
if (dane->selectors[u])
list_free(dane->selectors[u], dane_selector_free);
if (dane->pkeys)
DANESSL_init(SSL *ssl, const char *sni_domain, const char **hostnames)
{
ssl_dane *dane;
-int i;
DEBUG(D_tls) debug_printf("Dane ssl_init\n");
if (dane_idx < 0)
dane->count = 0;
dane->hosts = 0;
-for (i = 0; i <= DANESSL_USAGE_LAST; ++i)
+for (int i = 0; i <= DANESSL_USAGE_LAST; ++i)
dane->selectors[i] = 0;
if (hostnames && (dane->hosts = host_list_init(hostnames)) == 0)