X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;f=src%2Fsrc%2Fdane-openssl.c;h=6345b39ca459cd1461985fa5c8d6edb7d2212cb3;hb=a1bccd48f3956b50a13a34f5aed4b72c658c61af;hp=4a177807accc8d6a9fd79e7ecdc67df288092008;hpb=6634ac8dc1c8fa3f429835a4735adfeb1bcc4390;p=user%2Fhenk%2Fcode%2Fexim.git diff --git a/src/src/dane-openssl.c b/src/src/dane-openssl.c index 4a177807a..6345b39ca 100644 --- a/src/src/dane-openssl.c +++ b/src/src/dane-openssl.c @@ -202,9 +202,9 @@ for(matched = 0; !matched && slist; slist = slist->next) { dane_mtype_list m; unsigned char mdbuf[EVP_MAX_MD_SIZE]; - unsigned char *buf; + unsigned char *buf = NULL; unsigned char *buf2; - unsigned int len; + unsigned int len = 0; /* * Extract ASN.1 DER form of certificate or public key. @@ -679,6 +679,7 @@ int matched; matched = match(dane->selectors[SSL_DANE_USAGE_FIXED_LEAF], cert, 0); if(matched > 0) if(!ctx->chain) + { if( (ctx->chain = sk_X509_new_null()) && sk_X509_push(ctx->chain, cert)) CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509); @@ -687,6 +688,7 @@ if(matched > 0) DANEerr(DANE_F_CHECK_END_ENTITY, ERR_R_MALLOC_FAILURE); return -1; } + } return matched; } @@ -714,12 +716,14 @@ for(hosts = dane->hosts; hosts; hosts = hosts->next) * Sub-domain match: certid is any sub-domain of hostname. */ if(match_subdomain) + { if( (idlen = strlen(certid)) > (domlen = strlen(domain)) + 1 && certid[idlen - domlen - 1] == '.' && !strcasecmp(certid + (idlen - domlen), domain)) return 1; else continue; + } /* * Exact match and initial "*" match. The initial "*" in a certid @@ -859,7 +863,7 @@ X509 *cert = ctx->cert; /* XXX: accessor? */ int matched = 0; int chain_length = sk_X509_num(ctx->chain); -DEBUG(D_tls) debug_printf("Dane library verify_chain fn called\n"); +DEBUG(D_tls) debug_printf("Dane verify-chain\n"); issuer_rrs = dane->selectors[SSL_DANE_USAGE_LIMIT_ISSUER]; leaf_rrs = dane->selectors[SSL_DANE_USAGE_LIMIT_LEAF]; @@ -952,7 +956,7 @@ int (*cb)(int, X509_STORE_CTX *) = ctx->verify_cb; int matched; X509 *cert = ctx->cert; /* XXX: accessor? */ -DEBUG(D_tls) debug_printf("Dane library verify_cert fn called\n"); +DEBUG(D_tls) debug_printf("Dane verify-cert\n"); if(ssl_idx < 0) ssl_idx = SSL_get_ex_data_X509_STORE_CTX_idx(); @@ -1084,7 +1088,7 @@ DANESSL_cleanup(SSL *ssl) ssl_dane *dane; int u; -DEBUG(D_tls) debug_printf("Dane library cleanup fn called\n"); +DEBUG(D_tls) debug_printf("Dane lib-cleanup\n"); if(dane_idx < 0 || !(dane = SSL_get_ex_data(ssl, dane_idx))) return; @@ -1106,7 +1110,6 @@ if(dane->roots) if(dane->chain) sk_X509_pop_free(dane->chain, X509_free); OPENSSL_free(dane); -DEBUG(D_tls) debug_printf("Dane library cleanup fn return\n"); } static dane_host_list @@ -1162,7 +1165,8 @@ dane_cert_list xlist = 0; dane_pkey_list klist = 0; const EVP_MD *md = 0; -DEBUG(D_tls) debug_printf("Dane add_tlsa\n"); +DEBUG(D_tls) debug_printf("Dane add-tlsa: usage %u sel %u mdname \"%s\"\n", + usage, selector, mdname); if(dane_idx < 0 || !(dane = SSL_get_ex_data(ssl, dane_idx))) { @@ -1317,7 +1321,7 @@ call this with NULL. Arguments: ssl Connection handle sni_domain Optional peer server name - hostnames ?? list of names - but what names? + hostnames list of names to chack against peer cert Return -1 on fatal error @@ -1340,7 +1344,7 @@ if(sctx->app_verify_callback != verify_cert) return -1; } #else -DEBUG(D_tls) debug_printf("Dane ssl_init\n"); +DEBUG(D_tls) debug_printf("Dane ssl-init\n"); if(dane_idx < 0) { DANEerr(DANE_F_SSL_DANE_INIT, DANE_R_LIBRARY_INIT); @@ -1362,7 +1366,6 @@ if(!SSL_set_ex_data(ssl, dane_idx, dane)) OPENSSL_free(dane); return 0; } -DEBUG(D_tls) debug_printf("Dane ssl-init: new dane struct: %p\n", dane); dane->verify = 0; dane->hosts = 0;