[exim-cvs] OpenSSL: fix verify-certs stack initialization

Páxina inicial
Borrar esta mensaxe
Responder a esta mensaxe
Autor: Exim Git Commits Mailing List
Data:  
Para: exim-cvs
Asunto: [exim-cvs] OpenSSL: fix verify-certs stack initialization
Gitweb: https://git.exim.org/exim.git/commitdiff/1e2b1976ead627c662bf82042be742086ba0b2f3
Commit:     1e2b1976ead627c662bf82042be742086ba0b2f3
Parent:     6814cb2f15160a6171e7a55605ba8e80f58302a9
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Thu Jun 17 20:45:32 2021 +0100
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Thu Jun 17 20:45:32 2021 +0100


    OpenSSL: fix verify-certs stack initialization
---
 src/src/tls-openssl.c | 23 +++++++++++++++++------
 1 file changed, 17 insertions(+), 6 deletions(-)


diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 906c98c..4d6eeaa 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -2760,18 +2760,23 @@ if (tlsp->peercert)
/* Load certs from file, return TRUE on success */

static BOOL
-chain_from_pem_file(const uschar * file, STACK_OF(X509) * verify_stack)
+chain_from_pem_file(const uschar * file, STACK_OF(X509) ** vp)
{
BIO * bp;
+STACK_OF(X509) * verify_stack = *vp;
X509 * x;

-while (sk_X509_num(verify_stack) > 0)
-  X509_free(sk_X509_pop(verify_stack));
+if (verify_stack)
+  while (sk_X509_num(verify_stack) > 0)
+    X509_free(sk_X509_pop(verify_stack));
+else
+  verify_stack = sk_X509_new_null();


 if (!(bp = BIO_new_file(CS file, "r"))) return FALSE;
-while ((x = PEM_read_bio_X509(bp, NULL, 0, NULL)))
+for (X509 * x; x = PEM_read_bio_X509(bp, NULL, 0, NULL); )
   sk_X509_push(verify_stack, x);
 BIO_free(bp);
+*vp = verify_stack;
 return TRUE;
 }
 #endif
@@ -2826,6 +2831,13 @@ if (expcerts && *expcerts)
     { file = NULL; dir = expcerts; }
       else
     {
+    STACK_OF(X509) * verify_stack =
+#ifndef DISABLE_OCSP
+      !host ? state_server.verify_stack :
+#endif
+      NULL;
+    STACK_OF(X509) ** vp = &verify_stack;
+
     file = expcerts; dir = NULL;
 #ifndef DISABLE_OCSP
     /* In the server if we will be offering an OCSP proof, load chain from
@@ -2834,11 +2846,10 @@ if (expcerts && *expcerts)
 /*XXX Glitch!   The file here is tls_verify_certs: the chain for verifying the client cert.
 This is inconsistent with the need to verify the OCSP proof of the server cert.
 */
-
     if (  !host
        && statbuf.st_size > 0
        && state_server.u_ocsp.server.file
-       && !chain_from_pem_file(file, state_server.verify_stack)
+       && !chain_from_pem_file(file, vp)
        )
       {
       log_write(0, LOG_MAIN|LOG_PANIC,