Diffstat (limited to 'src')
-rw-r--r--src/src/configure.default3
-rw-r--r--src/src/dane-openssl.c82
-rw-r--r--src/src/expand.c7
3 files changed, 45 insertions, 47 deletions
diff --git a/src/src/configure.default b/src/src/configure.default
index 424c8df6b..d23ca3c66 100644
--- a/src/src/configure.default
+++ b/src/src/configure.default
@@ -663,9 +663,6 @@ smarthost:
transport = smarthost_smtp
route_data = ROUTER_SMARTHOST
ignore_target_hosts = <; 0.0.0.0 ; 127.0.0.0/8 ; ::1
-.ifdef _HAVE_DNSSEC
- dnssec_request_domains = *
-.endif
no_more
.else
diff --git a/src/src/dane-openssl.c b/src/src/dane-openssl.c
index 9b86a488b..6ed352929 100644
--- a/src/src/dane-openssl.c
+++ b/src/src/dane-openssl.c
@@ -1085,52 +1085,52 @@ if (dane->selectors[DANESSL_USAGE_DANE_EE])
}
}
- if (dane->selectors[DANESSL_USAGE_DANE_TA])
+if (dane->selectors[DANESSL_USAGE_DANE_TA])
+ {
+ if ((matched = set_trust_anchor(ctx, dane, cert)) < 0)
{
- if ((matched = set_trust_anchor(ctx, dane, cert)) < 0)
- {
- X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM);
- return -1;
- }
- if (matched)
- {
- /*
- * Check that setting the untrusted chain updates the expected
- * structure member at the expected offset.
- */
- X509_STORE_CTX_trusted_stack(ctx, dane->roots);
- X509_STORE_CTX_set_chain(ctx, dane->chain);
- OPENSSL_assert(dane->chain == X509_STORE_CTX_get0_untrusted(ctx));
- }
+ X509_STORE_CTX_set_error(ctx, X509_V_ERR_OUT_OF_MEM);
+ return -1;
}
+ if (matched)
+ {
+ /*
+ * Check that setting the untrusted chain updates the expected
+ * structure member at the expected offset.
+ */
+ X509_STORE_CTX_trusted_stack(ctx, dane->roots);
+ X509_STORE_CTX_set_chain(ctx, dane->chain);
+ OPENSSL_assert(dane->chain == X509_STORE_CTX_get0_untrusted(ctx));
+ }
+ }
- /*
- * Name checks and usage 0/1 constraint enforcement are delayed until
- * X509_verify_cert() builds the full chain and calls our verify_chain()
- * wrapper.
- */
- dane->verify = X509_STORE_CTX_get_verify(ctx);
- X509_STORE_CTX_set_verify(ctx, verify_chain);
+/*
+ * Name checks and usage 0/1 constraint enforcement are delayed until
+ * X509_verify_cert() builds the full chain and calls our verify_chain()
+ * wrapper.
+ */
+dane->verify = X509_STORE_CTX_get_verify(ctx);
+X509_STORE_CTX_set_verify(ctx, verify_chain);
- if (X509_verify_cert(ctx))
- return 1;
+if (X509_verify_cert(ctx))
+ return 1;
- /*
- * If the chain is invalid, clear any matching cert or hostname, to
- * protect callers that might erroneously rely on these alone without
- * checking the validation status.
- */
- if (dane->match)
- {
- X509_free(dane->match);
- dane->match = 0;
- }
- if (dane->mhost)
- {
- OPENSSL_free(dane->mhost);
- dane->mhost = 0;
- }
- return 0;
+/*
+ * If the chain is invalid, clear any matching cert or hostname, to
+ * protect callers that might erroneously rely on these alone without
+ * checking the validation status.
+ */
+if (dane->match)
+ {
+ X509_free(dane->match);
+ dane->match = 0;
+ }
+if (dane->mhost)
+ {
+ OPENSSL_free(dane->mhost);
+ dane->mhost = 0;
+ }
+ return 0;
}
static dane_list
diff --git a/src/src/expand.c b/src/src/expand.c
index 8be10c14f..9706f2a6b 100644
--- a/src/src/expand.c
+++ b/src/src/expand.c
@@ -3516,7 +3516,7 @@ Returns: nothing
*/
static void
-chash_start(int type, void *base)
+chash_start(int type, void * base)
{
if (type == HMAC_MD5)
md5_start((md5 *)base);
@@ -3525,7 +3525,7 @@ else
}
static void
-chash_mid(int type, void *base, uschar *string)
+chash_mid(int type, void * base, const uschar * string)
{
if (type == HMAC_MD5)
md5_mid((md5 *)base, string);
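Review bot: The new `const uschar * string` parameter of chash_mid is passed unchanged to `md5_mid((md5 *)base, string)`, and chash_end in the next hunk does the same with `md5_end(...)`. The qualifier is only sound if those callees, and whatever the `else` branches outside these hunks call, already declare that argument `const uschar *`. If they do not, the calls discard the qualifier and the compiler will at best warn, so it is worth confirming the prototypes were updated alongside this change. Separately, `void * base` is cast to `md5 *` purely on the value of `type`; a short comment on both functions such as `/* base must point to the hash context that matches type */` would document the contract these casts depend on. Both function bodies continue past the visible hunk lines.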
@@ -3534,7 +3534,8 @@ else
}
static void
-chash_end(int type, void *base, uschar *string, int length, uschar *digest)
+chash_end(int type, void * base, const uschar * string, int length,
+ uschar * digest)
{
if (type == HMAC_MD5)
md5_end((md5 *)base, string, length, digest);