author | Jeremy Harris <jgh146exb@wizmail.org> | 2019-10-07 13:32:44 +0100 |
---|---|---|
committer | Jeremy Harris <jgh146exb@wizmail.org> | 2019-10-19 20:52:36 +0100 |
commit | dc8380bb68f615c89345eff1855a1a2e6f8cbf8a (patch) | |
tree | 9b12ae012265aab320af8f34c573debf7d9a4393 | |
parent | 78a78accf3deee2bbde619882598a192cb0167c8 (diff) |
tidying
-rw-r--r-- | src/src/configure.default | 3 | ||||
-rw-r--r-- | src/src/dane-openssl.c | 82 | ||||
-rw-r--r-- | src/src/expand.c | 7 | ||||
-rwxr-xr-x | test/runtest | 2 |
4 files changed, 46 insertions, 48 deletions
diff --git a/src/src/configure.default b/src/src/configure.default index 424c8df6b..d23ca3c66 100644 --- a/src/src/configure.default +++ b/src/src/configure.default @@ -663,9 +663,6 @@ smarthost: transport = smarthost_smtp route_data = ROUTER_SMARTHOST ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; ::1 -.ifdef _HAVE_DNSSEC - dnssec_request_domains = * -.endif no_more .else diff --git a/src/src/dane-openssl.c b/src/src/dane-openssl.c index 9b86a488b..6ed352929 100644 --- a/src/src/dane-openssl.c +++ b/src/src/dane-openssl.c 
@@ -1085,52 +1085,52 @@ if (dane->selectors[DANESSL_USAGE_DANE_EE]) } } - if (dane->selectors[DANESSL_USAGE_DANE_TA]) +if (dane->selectors[DANESSL_USAGE_DANE_TA]) + { + if ((matched = set_trust_anchor(ctx, dane, cert)) < 0) { - if ((matched = set_trust_anchor(ctx, dane, cert)) < 0) - { - X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM); - return -1; - } - if (matched) - { - /* - * Check that setting the untrusted chain updates the expected - * structure member at the expected offset. - */ - X509_STORE_CTX_trusted_stack(ctx, dane->roots); - X509_STORE_CTX_set_chain(ctx, dane->chain); - OPENSSL_assert(dane->chain == X509_STORE_CTX_get0_untrusted(ctx)); - } + X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM); + return -1; } + if (matched) + { + /* + * Check that setting the untrusted chain updates the expected + * structure member at the expected offset. + */ + X509_STORE_CTX_trusted_stack(ctx, dane->roots); + X509_STORE_CTX_set_chain(ctx, dane->chain); + OPENSSL_assert(dane->chain == X509_STORE_CTX_get0_untrusted(ctx)); + } + } - /* - * Name checks and usage 0/1 constraint enforcement are delayed until - * X509_verify_cert() builds the full chain and calls our verify_chain() - * wrapper. - */ - dane->verify = X509_STORE_CTX_get_verify(ctx); - X509_STORE_CTX_set_verify(ctx, verify_chain); +/* + * Name checks and usage 0/1 constraint enforcement are delayed until + * X509_verify_cert() builds the full chain and calls our verify_chain() + * wrapper. + */ +dane->verify = X509_STORE_CTX_get_verify(ctx); +X509_STORE_CTX_set_verify(ctx, verify_chain); - if (X509_verify_cert(ctx)) - return 1; +if (X509_verify_cert(ctx)) + return 1; - /* - * If the chain is invalid, clear any matching cert or hostname, to - * protect callers that might erroneously rely on these alone without - * checking the validation status. 
- */ - if (dane->match) - { - X509_free(dane->match); - dane->match = 0; - } - if (dane->mhost) - { - OPENSSL_free(dane->mhost); - dane->mhost = 0; - } - return 0; +/* + * If the chain is invalid, clear any matching cert or hostname, to + * protect callers that might erroneously rely on these alone without + * checking the validation status. + */ +if (dane->match) + { + X509_free(dane->match); + dane->match = 0; + } +if (dane->mhost) + { + OPENSSL_free(dane->mhost); + dane->mhost = 0; + } + return 0; } static dane_list diff --git a/src/src/expand.c b/src/src/expand.c index 8be10c14f..9706f2a6b 100644 --- a/src/src/expand.c +++ b/src/src/expand.c @@ -3516,7 +3516,7 @@ Returns: nothing */ static void -chash_start(int type, void *base) +chash_start(int type, void * base) { if (type == HMAC_MD5) md5_start((md5 *)base); @@ -3525,7 +3525,7 @@ else } static void -chash_mid(int type, void *base, uschar *string) +chash_mid(int type, void * base, const uschar * string) { if (type == HMAC_MD5) md5_mid((md5 *)base, string); @@ -3534,7 +3534,8 @@ else } static void -chash_end(int type, void *base, uschar *string, int length, uschar *digest) +chash_end(int type, void * base, const uschar * string, int length, + uschar * digest) { if (type == HMAC_MD5) md5_end((md5 *)base, string, length, digest); diff --git a/test/runtest b/test/runtest index 6319f5b81..095106b3a 100755 --- a/test/runtest +++ b/test/runtest @@ -3410,7 +3410,7 @@ while (not ($parm_ipv4 and $parm_ipv6) and defined($_ = <IFCONFIG>)) if (not $parm_ipv4 and /^\s*inet(?:\saddr)?:?\s?(\d+\.\d+\.\d+\.\d+)(?:\/\d+)?\s/i) { - # It would ne nice to be able to vary the /16 used for manyhome; we could take + # It would be nice to be able to vary the /16 used for manyhome; we could take # an option to runtest used here - but we'd also have to pass it on to fakens. # Possibly an environment variable? next if $1 eq '0.0.0.0' or $1 =~ /^(?:127|10\.250)\./; |
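Review bot: The `const uschar * string` parameters added to chash_mid() and chash_end() in src/src/expand.c are passed unchanged to md5_mid()/md5_end() and to whatever the `else` arm calls, and none of those prototypes is visible in these hunks. If any of them still takes a plain `uschar *`, the qualifier is dropped at the call and the compiler will warn, so it is worth confirming that the callee prototypes are const-qualified as well. All three helpers also cast `void * base` to a concrete context type based only on `type`, and any value other than HMAC_MD5 takes the `else` arm. A one-line contract comment above chash_start(), for example `/* base must point to the hash context matching type */`, would make that caller obligation explicit. The bodies of all three functions continue outside the hunks.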