Gitweb:
http://git.exim.org/exim.git/commitdiff/c03fae8adf341e26f2c4c8f068a60a72d8504963
Commit: c03fae8adf341e26f2c4c8f068a60a72d8504963
Parent: d8e7834aeddc637bd49730444f4d257eb8267135
Author: Jeremy Harris <jgh146exb@???>
AuthorDate: Mon May 26 11:47:30 2014 +0100
Committer: Jeremy Harris <jgh146exb@???>
CommitDate: Mon May 26 11:47:30 2014 +0100
Errorcheck TLS library calls
---
src/src/tlscert-gnu.c | 36 +++++++++++++++++++++++++------
src/src/tlscert-openssl.c | 51 ++++++++++++++++++++++++++++++++++++++------
2 files changed, 73 insertions(+), 14 deletions(-)
diff --git a/src/src/tlscert-gnu.c b/src/src/tlscert-gnu.c
index 7376373..3261c4e 100644
--- a/src/src/tlscert-gnu.c
+++ b/src/src/tlscert-gnu.c
@@ -26,12 +26,16 @@ tls_export_cert(uschar * buf, size_t buflen, void * cert)
{
size_t sz = buflen;
void * reset_point = store_get(0);
-int fail = 0;
+int fail;
uschar * cp;
-if (gnutls_x509_crt_export((gnutls_x509_crt_t)cert,
- GNUTLS_X509_FMT_PEM, buf, &sz))
+if ((fail = gnutls_x509_crt_export((gnutls_x509_crt_t)cert,
+ GNUTLS_X509_FMT_PEM, buf, &sz)))
+ {
+ log_write(0, LOG_MAIN, "TLS error in certificate export: %s",
+ gnutls_strerror(fail));
return 1;
+ }
if ((cp = string_printing(buf)) != buf)
{
Ustrncpy(buf, cp, buflen);
@@ -55,8 +59,12 @@ gnutls_x509_crt_init(&crt);
datum.data = string_unprinting(US buf);
datum.size = Ustrlen(datum.data);
-if (gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM))
+if ((fail = gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM)))
+ {
+ log_write(0, LOG_MAIN, "TLS error in certificate import: %s",
+ gnutls_strerror(fail));
fail = 1;
+ }
else
*cert = (void *)crt;
@@ -74,6 +82,9 @@ gnutls_global_deinit();
/*****************************************************
* Certificate field extraction routines
*****************************************************/
+
+/* First, some internal service functions */
+
static uschar *
g_err(const char * tag, const char * from, int gnutls_err)
{
@@ -99,7 +110,16 @@ len = strftime(CS cp, 32, "%b %e %T %Y %Z", tp);
return len > 0 ? cp : NULL;
}
+
/**/
+/* Now the extractors, called from expand.c
+Arguments:
+ cert The certificate
+ mod Optional modifiers for the operator
+
+Return:
+ Allocated string with extracted value
+*/
uschar *
tls_cert_issuer(void * cert, uschar * mod)
@@ -142,10 +162,12 @@ uschar bin[50], txt[150];
size_t sz = sizeof(bin);
uschar * sp;
uschar * dp;
+int ret;
+
+if ((ret = gnutls_x509_crt_get_serial((gnutls_x509_crt_t)cert,
+ bin, &sz)))
+ return g_err("gs0", __FUNCTION__, ret);
-if (gnutls_x509_crt_get_serial((gnutls_x509_crt_t)cert,
- bin, &sz) || sz > sizeof(bin))
- return NULL;
for(dp = txt, sp = bin; sz; dp += 2, sp++, sz--)
sprintf(dp, "%.2x", *sp);
for(sp = txt; sp[0]=='0' && sp[1]; ) sp++; /* leading zeroes */
diff --git a/src/src/tlscert-openssl.c b/src/src/tlscert-openssl.c
index 0614b40..2411dea 100644
--- a/src/src/tlscert-openssl.c
+++ b/src/src/tlscert-openssl.c
@@ -56,12 +56,15 @@ void * reset_point = store_get(0);
const uschar * cp = string_unprinting(US buf);
BIO * bp;
X509 * x;
+int fail = 0;
bp = BIO_new_mem_buf(US cp, -1);
-x = PEM_read_bio_X509(bp, NULL, 0, NULL);
-int fail = 0;
-if (!x)
+if (!(x = PEM_read_bio_X509(bp, NULL, 0, NULL)))
+ {
+ log_write(0, LOG_MAIN, "TLS error in certificate import: %s",
+ ERR_error_string(ERR_get_error(), NULL));
fail = 1;
+ }
else
*cert = (void *)x;
BIO_free(bp);
@@ -75,9 +78,20 @@ tls_free_cert(void * cert)
X509_free((X509 *)cert);
}
+
/*****************************************************
* Certificate field extraction routines
*****************************************************/
+
+/* First, some internal service functions */
+
+static uschar *
+badalloc(void)
+{
+expand_string_message = US"allocation failure";
+return NULL;
+}
+
static uschar *
bio_string_copy(BIO * bp, int len)
{
@@ -105,7 +119,11 @@ static uschar *
asn1_time_copy(const ASN1_TIME * time, uschar * mod)
{
BIO * bp = BIO_new(BIO_s_mem());
-int len = ASN1_TIME_print(bp, time);
+int len;
+
+if (!bp) return badalloc();
+
+len = ASN1_TIME_print(bp, time);
return mod && Ustrcmp(mod, "int") == 0
? bio_string_time_to_int(bp, len)
: bio_string_copy(bp, len);
@@ -115,13 +133,25 @@ static uschar *
x509_name_copy(X509_NAME * name)
{
BIO * bp = BIO_new(BIO_s_mem());
-int len_good =
+int len_good;
+
+if (!bp) return badalloc();
+
+len_good =
X509_NAME_print_ex(bp, name, 0, XN_FLAG_RFC2253) >= 0
? 1 : 0;
return bio_string_copy(bp, len_good);
}
/**/
+/* Now the extractors, called from expand.c
+Arguments:
+ cert The certificate
+ mod Optional modifiers for the operator
+
+Return:
+ Allocated string with extracted value
+*/
uschar *
tls_cert_issuer(void * cert, uschar * mod)
@@ -147,8 +177,11 @@ tls_cert_serial_number(void * cert, uschar * mod)
{
uschar txt[256];
BIO * bp = BIO_new(BIO_s_mem());
-int len = i2a_ASN1_INTEGER(bp, X509_get_serialNumber((X509 *)cert));
+int len;
+
+if (!bp) return badalloc();
+len = i2a_ASN1_INTEGER(bp, X509_get_serialNumber((X509 *)cert));
if (len < sizeof(txt))
BIO_read(bp, txt, len);
else
@@ -160,8 +193,10 @@ return string_copynlc(txt, len); /* lowercase */
uschar *
tls_cert_signature(void * cert, uschar * mod)
{
-BIO * bp = BIO_new(BIO_s_mem());
uschar * cp = NULL;
+BIO * bp = BIO_new(BIO_s_mem());
+
+if (!bp) return badalloc();
if (X509_print_ex(bp, (X509 *)cert, 0,
X509_FLAG_NO_HEADER | X509_FLAG_NO_VERSION | X509_FLAG_NO_SERIAL |
@@ -209,6 +244,8 @@ uschar * cp1;
uschar * cp2;
uschar * cp3;
+if (!bp) return badalloc();
+
M_ASN1_OCTET_STRING_print(bp, adata);
/* binary data, DER encoded */