[exim-cvs] Errorcheck TLS library calls

Página superior
Eliminar este mensaje
Responder a este mensaje
Autor: Exim Git Commits Mailing List
Fecha:  
A: exim-cvs
Asunto: [exim-cvs] Errorcheck TLS library calls
Gitweb: http://git.exim.org/exim.git/commitdiff/c03fae8adf341e26f2c4c8f068a60a72d8504963
Commit:     c03fae8adf341e26f2c4c8f068a60a72d8504963
Parent:     d8e7834aeddc637bd49730444f4d257eb8267135
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Mon May 26 11:47:30 2014 +0100
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Mon May 26 11:47:30 2014 +0100


    Errorcheck TLS library calls
---
 src/src/tlscert-gnu.c     |   36 +++++++++++++++++++++++++------
 src/src/tlscert-openssl.c |   51 ++++++++++++++++++++++++++++++++++++++------
 2 files changed, 73 insertions(+), 14 deletions(-)


diff --git a/src/src/tlscert-gnu.c b/src/src/tlscert-gnu.c
index 7376373..3261c4e 100644
--- a/src/src/tlscert-gnu.c
+++ b/src/src/tlscert-gnu.c
@@ -26,12 +26,16 @@ tls_export_cert(uschar * buf, size_t buflen, void * cert)
{
size_t sz = buflen;
void * reset_point = store_get(0);
-int fail = 0;
+int fail;
uschar * cp;

-if (gnutls_x509_crt_export((gnutls_x509_crt_t)cert,
-    GNUTLS_X509_FMT_PEM, buf, &sz))
+if ((fail = gnutls_x509_crt_export((gnutls_x509_crt_t)cert,
+    GNUTLS_X509_FMT_PEM, buf, &sz)))
+  {
+  log_write(0, LOG_MAIN, "TLS error in certificate export: %s",
+    gnutls_strerror(fail));
   return 1;
+  }
 if ((cp = string_printing(buf)) != buf)
   {
   Ustrncpy(buf, cp, buflen);
@@ -55,8 +59,12 @@ gnutls_x509_crt_init(&crt);


 datum.data = string_unprinting(US buf);
 datum.size = Ustrlen(datum.data);
-if (gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM))
+if ((fail = gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM)))
+  {
+  log_write(0, LOG_MAIN, "TLS error in certificate import: %s",
+    gnutls_strerror(fail));
   fail = 1;
+  }
 else
   *cert = (void *)crt;


@@ -74,6 +82,9 @@ gnutls_global_deinit();
/*****************************************************
* Certificate field extraction routines
*****************************************************/
+
+/* First, some internal service functions */
+
static uschar *
g_err(const char * tag, const char * from, int gnutls_err)
{
@@ -99,7 +110,16 @@ len = strftime(CS cp, 32, "%b %e %T %Y %Z", tp);
return len > 0 ? cp : NULL;
}

+
 /**/
+/* Now the extractors, called from expand.c
+Arguments:
+  cert        The certificate
+  mod        Optional modifiers for the operator
+
+Return:
+  Allocated string with extracted value
+*/


 uschar *
 tls_cert_issuer(void * cert, uschar * mod)
@@ -142,10 +162,12 @@ uschar bin[50], txt[150];
 size_t sz = sizeof(bin);
 uschar * sp;
 uschar * dp;
+int ret;
+
+if ((ret = gnutls_x509_crt_get_serial((gnutls_x509_crt_t)cert,
+    bin, &sz)))
+  return g_err("gs0", __FUNCTION__, ret);


-if (gnutls_x509_crt_get_serial((gnutls_x509_crt_t)cert,
-    bin, &sz) || sz > sizeof(bin))
-  return NULL;
 for(dp = txt, sp = bin; sz; dp += 2, sp++, sz--)
   sprintf(dp, "%.2x", *sp);
 for(sp = txt; sp[0]=='0' && sp[1]; ) sp++;    /* leading zeroes */
diff --git a/src/src/tlscert-openssl.c b/src/src/tlscert-openssl.c
index 0614b40..2411dea 100644
--- a/src/src/tlscert-openssl.c
+++ b/src/src/tlscert-openssl.c
@@ -56,12 +56,15 @@ void * reset_point = store_get(0);
 const uschar * cp = string_unprinting(US buf);
 BIO * bp;
 X509 * x;
+int fail = 0;


 bp = BIO_new_mem_buf(US cp, -1);
-x = PEM_read_bio_X509(bp, NULL, 0, NULL);
-int fail = 0;
-if (!x)
+if (!(x = PEM_read_bio_X509(bp, NULL, 0, NULL)))
+  {
+  log_write(0, LOG_MAIN, "TLS error in certificate import: %s",
+    ERR_error_string(ERR_get_error(), NULL));
   fail = 1;
+  }
 else
   *cert = (void *)x;
 BIO_free(bp);
@@ -75,9 +78,20 @@ tls_free_cert(void * cert)
 X509_free((X509 *)cert);
 }


+
/*****************************************************
* Certificate field extraction routines
*****************************************************/
+
+/* First, some internal service functions */
+
+static uschar *
+badalloc(void)
+{
+expand_string_message = US"allocation failure";
+return NULL;
+}
+
static uschar *
bio_string_copy(BIO * bp, int len)
{
@@ -105,7 +119,11 @@ static uschar *
asn1_time_copy(const ASN1_TIME * time, uschar * mod)
{
BIO * bp = BIO_new(BIO_s_mem());
-int len = ASN1_TIME_print(bp, time);
+int len;
+
+if (!bp) return badalloc();
+
+len = ASN1_TIME_print(bp, time);
return mod && Ustrcmp(mod, "int") == 0
? bio_string_time_to_int(bp, len)
: bio_string_copy(bp, len);
@@ -115,13 +133,25 @@ static uschar *
x509_name_copy(X509_NAME * name)
{
BIO * bp = BIO_new(BIO_s_mem());
-int len_good =
+int len_good;
+
+if (!bp) return badalloc();
+
+len_good =
X509_NAME_print_ex(bp, name, 0, XN_FLAG_RFC2253) >= 0
? 1 : 0;
return bio_string_copy(bp, len_good);
}

 /**/
+/* Now the extractors, called from expand.c
+Arguments:
+  cert        The certificate
+  mod        Optional modifiers for the operator
+
+Return:
+  Allocated string with extracted value
+*/


uschar *
tls_cert_issuer(void * cert, uschar * mod)
@@ -147,8 +177,11 @@ tls_cert_serial_number(void * cert, uschar * mod)
{
uschar txt[256];
BIO * bp = BIO_new(BIO_s_mem());
-int len = i2a_ASN1_INTEGER(bp, X509_get_serialNumber((X509 *)cert));
+int len;
+
+if (!bp) return badalloc();

+len = i2a_ASN1_INTEGER(bp, X509_get_serialNumber((X509 *)cert));
 if (len < sizeof(txt))
   BIO_read(bp, txt, len);
 else
@@ -160,8 +193,10 @@ return string_copynlc(txt, len);    /* lowercase */
 uschar *
 tls_cert_signature(void * cert, uschar * mod)
 {
-BIO * bp = BIO_new(BIO_s_mem());
 uschar * cp = NULL;
+BIO * bp = BIO_new(BIO_s_mem());
+
+if (!bp) return badalloc();


if (X509_print_ex(bp, (X509 *)cert, 0,
X509_FLAG_NO_HEADER | X509_FLAG_NO_VERSION | X509_FLAG_NO_SERIAL |
@@ -209,6 +244,8 @@ uschar * cp1;
uschar * cp2;
uschar * cp3;

+if (!bp) return badalloc();
+
M_ASN1_OCTET_STRING_print(bp, adata);
/* binary data, DER encoded */