[exim-cvs] GnuTLS: Fix certextract expansion

Páxina inicial
Borrar esta mensaxe
Responder a esta mensaxe
Autor: Exim Git Commits Mailing List
Data:  
Para: exim-cvs
Asunto: [exim-cvs] GnuTLS: Fix certextract expansion
Gitweb: https://git.exim.org/exim.git/commitdiff/e8e7fafabffe61077794a2f1e5febd7b96b01116
Commit:     e8e7fafabffe61077794a2f1e5febd7b96b01116
Parent:     fbe8578a39505c146223ffcf2c63a5ba8bb0d9a4
Author:     Jeremy Harris <jgh146exb@???>
AuthorDate: Sun Jul 11 12:21:54 2021 +0100
Committer:  Jeremy Harris <jgh146exb@???>
CommitDate: Sun Jul 11 12:21:54 2021 +0100


    GnuTLS: Fix certextract expansion
---
 doc/doc-txt/ChangeLog |  3 +++
 src/src/tlscert-gnu.c | 10 +++++-----
 test/confs/5710       |  4 ++++
 test/confs/5720       |  3 +++
 test/log/5710         |  6 ++++++
 test/log/5720         |  4 ++++
 6 files changed, 25 insertions(+), 5 deletions(-)


diff --git a/doc/doc-txt/ChangeLog b/doc/doc-txt/ChangeLog
index dc9d9d8..d5634a8 100644
--- a/doc/doc-txt/ChangeLog
+++ b/doc/doc-txt/ChangeLog
@@ -324,6 +324,9 @@ JH/57 Fix control=fakreject for a custom message containing tainted data.
       Previously this resulted in a log complaint, due to a re-expansion present
       since fakereject was originally introduced.


+JH/58 GnuTLS: Fix certextract expansion.  If a second modifier after a tag
+      modifier was given, a loop resulted.
+


Exim version 4.94
-----------------
diff --git a/src/src/tlscert-gnu.c b/src/src/tlscert-gnu.c
index a09fda0..8ea7023 100644
--- a/src/src/tlscert-gnu.c
+++ b/src/src/tlscert-gnu.c
@@ -288,13 +288,13 @@ uschar * tag = US"";
uschar * ele;
int match = -1;

-while (mod)
+if (mod) while (*mod)
{
if (*mod == '>' && *++mod) sep = *mod++;
- else if (Ustrcmp(mod, "dns")==0) { match = GNUTLS_SAN_DNSNAME; mod += 3; }
- else if (Ustrcmp(mod, "uri")==0) { match = GNUTLS_SAN_URI; mod += 3; }
- else if (Ustrcmp(mod, "mail")==0) { match = GNUTLS_SAN_RFC822NAME; mod += 4; }
- else continue;
+ else if (Ustrncmp(mod, "dns", 3)==0) { match = GNUTLS_SAN_DNSNAME; mod += 3; }
+ else if (Ustrncmp(mod, "uri", 3)==0) { match = GNUTLS_SAN_URI; mod += 3; }
+ else if (Ustrncmp(mod, "mail", 4)==0) { match = GNUTLS_SAN_RFC822NAME; mod += 4; }
+ else break;

   if (*mod++ != ',')
     break;
diff --git a/test/confs/5710 b/test/confs/5710
index f6b9794..250cfe4 100644
--- a/test/confs/5710
+++ b/test/confs/5710
@@ -63,6 +63,10 @@ ev_msg:
      logwrite =       ${certextract {subj_altname}  {$tls_out_peercert}{SAN <$value>}{(no SAN)}}
 #     logwrite =       ${certextract {ocsp_uri}    {$tls_out_peercert} {OCU <$value>}{(no OCU)}}
      logwrite =       ${certextract {crl_uri}    {$tls_out_peercert} {CRU <$value>}{(no CRU)}}
+     logwrite =
+     # output list separator changes
+     logwrite =       ${certextract {subj_altname,>:,dns}  {$tls_out_peercert}{SAN <$value>}{(no SAN)}}
+     logwrite =       ${certextract {subj_altname,dns,>:}  {$tls_out_peercert}{SAN <$value>}{(no SAN)}}


 logger:
   accept condition = ${if eq {msg} {${listextract{1}{$event_name}}}}
diff --git a/test/confs/5720 b/test/confs/5720
index 2c0e327..281fb8f 100644
--- a/test/confs/5720
+++ b/test/confs/5720
@@ -63,6 +63,9 @@ ev_msg:
      logwrite = ${certextract {subj_altname,>;}{$tls_out_peercert}{SAN <$value>}{(no SAN)}}
      logwrite =       ${certextract {ocsp_uri}    {$tls_out_peercert} {OCU <$value>}{(no OCU)}}
      logwrite =       ${certextract {crl_uri}    {$tls_out_peercert} {CRU <$value>}{(no CRU)}}
+     # output list separator changes
+     logwrite =       ${certextract {subj_altname,>:,dns}  {$tls_out_peercert}{SAN <$value>}{(no SAN)}}
+     logwrite =       ${certextract {subj_altname,dns,>:}  {$tls_out_peercert}{SAN <$value>}{(no SAN)}}


logger:
accept condition = ${if eq {msg} {${listextract{1}{$event_name}}}}
diff --git a/test/log/5710 b/test/log/5710
index 73ac2ec..946bcbf 100644
--- a/test/log/5710
+++ b/test/log/5710
@@ -19,6 +19,9 @@
1999-03-02 09:44:33 10HmaX-0005vi-00 SG <96 29 b8 21 7e 2e 40 8f 4c c0 a3 e4 08 cc d0 06 80 cd 02 cc 06 3e 48 09 f8 58 83 b7 8e f5 82 ca da c7 f9 9f 02 9b 68 47 d1 69 72 08 e6 d1 7e 2b 1c be 26 66 e1 04 05 47 e4 5d 48 bd 2a 65 58 80 a3 5c f1 85 1b 3f fe 09 7e aa e2 a8 a6 23 8e 69 76 41 56 8b 61 70 40 ff ea e2 7f 1e 07 18 18 43 5f fc 31 8f ad 93 f4 d6 af 19 36 dc f5 e9 ae 76 87 90 85 0d 8b f5 76 70 b2 1c 48 ce 41 22 d4 35 e9 74 6b 65 06 04 c7 cf 86 16 81 6e 54 6f 3b d3 df 7c 55 36 bd 04 5c a3 1d 42 cc 23 1a f5 b2 3d 30 22 19 0e a0 10 e5 8f eb a5 a0 29 9b 34 de 3c 86 5c 09 77 26 f1 38 46 06 52 79 bf 7f 35 70 15 d0 06 1f 5a 54 16 d2 a3 df 38 a1 43 da 03 9e f9 90 10 dc 35 04 ea ca dc 94 f0 6a 60 3e d2 c5 53 a2 0a a6 62 bd 95 21 22 f2 24 b9 66 10 08 7b 16 88 75 8c 6c e2 ed 92 c1 c8 ba ac 6d 76 61 fe c3>
1999-03-02 09:44:33 10HmaX-0005vi-00 SAN <DNS=alternatename2.server1.example.com\nDNS=server1.example.com\nDNS=alternatename.server1.example.com\nDNS=*.test.ex>
1999-03-02 09:44:33 10HmaX-0005vi-00 CRU <http://crl.example.com/latest.crl>
+1999-03-02 09:44:33 10HmaX-0005vi-00
+1999-03-02 09:44:33 10HmaX-0005vi-00 SAN <alternatename2.server1.example.com:server1.example.com:alternatename.server1.example.com:*.test.ex>
+1999-03-02 09:44:33 10HmaX-0005vi-00 SAN <alternatename2.server1.example.com:server1.example.com:alternatename.server1.example.com:*.test.ex>
1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session: (certificate verification failed): certificate invalid: delivering unencrypted to H=127.0.0.1 [127.0.0.1] (not in hosts_require_tls)
1999-03-02 09:44:33 10HmaX-0005vi-00 smtp:ehlo 250-myhost.test.ex Hello localhost [127.0.0.1]\n250-SIZE 52428800\n250-8BITMIME\n250-PIPELINING\n250-STARTTLS\n250 HELP
1999-03-02 09:44:33 10HmaX-0005vi-00 cipher_ TLS1.x:ke_RSA_WITH_ci_mac
@@ -50,6 +53,9 @@
1999-03-02 09:44:33 10HmaY-0005vi-00 SG <96 29 b8 21 7e 2e 40 8f 4c c0 a3 e4 08 cc d0 06 80 cd 02 cc 06 3e 48 09 f8 58 83 b7 8e f5 82 ca da c7 f9 9f 02 9b 68 47 d1 69 72 08 e6 d1 7e 2b 1c be 26 66 e1 04 05 47 e4 5d 48 bd 2a 65 58 80 a3 5c f1 85 1b 3f fe 09 7e aa e2 a8 a6 23 8e 69 76 41 56 8b 61 70 40 ff ea e2 7f 1e 07 18 18 43 5f fc 31 8f ad 93 f4 d6 af 19 36 dc f5 e9 ae 76 87 90 85 0d 8b f5 76 70 b2 1c 48 ce 41 22 d4 35 e9 74 6b 65 06 04 c7 cf 86 16 81 6e 54 6f 3b d3 df 7c 55 36 bd 04 5c a3 1d 42 cc 23 1a f5 b2 3d 30 22 19 0e a0 10 e5 8f eb a5 a0 29 9b 34 de 3c 86 5c 09 77 26 f1 38 46 06 52 79 bf 7f 35 70 15 d0 06 1f 5a 54 16 d2 a3 df 38 a1 43 da 03 9e f9 90 10 dc 35 04 ea ca dc 94 f0 6a 60 3e d2 c5 53 a2 0a a6 62 bd 95 21 22 f2 24 b9 66 10 08 7b 16 88 75 8c 6c e2 ed 92 c1 c8 ba ac 6d 76 61 fe c3>
1999-03-02 09:44:33 10HmaY-0005vi-00 SAN <DNS=alternatename2.server1.example.com\nDNS=server1.example.com\nDNS=alternatename.server1.example.com\nDNS=*.test.ex>
1999-03-02 09:44:33 10HmaY-0005vi-00 CRU <http://crl.example.com/latest.crl>
+1999-03-02 09:44:33 10HmaY-0005vi-00
+1999-03-02 09:44:33 10HmaY-0005vi-00 SAN <alternatename2.server1.example.com:server1.example.com:alternatename.server1.example.com:*.test.ex>
+1999-03-02 09:44:33 10HmaY-0005vi-00 SAN <alternatename2.server1.example.com:server1.example.com:alternatename.server1.example.com:*.test.ex>
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qf

diff --git a/test/log/5720 b/test/log/5720
index 4ecc5f8..b959d23 100644
--- a/test/log/5720
+++ b/test/log/5720
@@ -20,6 +20,8 @@
1999-03-02 09:44:33 10HmaX-0005vi-00 (no SAN)
1999-03-02 09:44:33 10HmaX-0005vi-00 (no OCU)
1999-03-02 09:44:33 10HmaX-0005vi-00 (no CRU)
+1999-03-02 09:44:33 10HmaX-0005vi-00 (no SAN)
+1999-03-02 09:44:33 10HmaX-0005vi-00 (no SAN)
1999-03-02 09:44:33 10HmaX-0005vi-00 TLS session: (SSL_connect): error: <<detail omitted>>
1999-03-02 09:44:33 10HmaX-0005vi-00 smtp:ehlo 250-myhost.test.ex Hello localhost [127.0.0.1]\n250-SIZE 52428800\n250-8BITMIME\n250-PIPELINING\n250-STARTTLS\n250 HELP
1999-03-02 09:44:33 10HmaX-0005vi-00 cipher_
@@ -54,6 +56,8 @@
1999-03-02 09:44:33 10HmaY-0005vi-00 SAN <DNS=*.test.ex;DNS=alternatename.server1.example.com;DNS=server1.example.com;DNS=alternatename2.server1.example.com>
1999-03-02 09:44:33 10HmaY-0005vi-00 OCU <http://oscp.example.com/>
1999-03-02 09:44:33 10HmaY-0005vi-00 CRU <http://crl.example.com/latest.crl>
+1999-03-02 09:44:33 10HmaY-0005vi-00 SAN <*.test.ex:alternatename.server1.example.com:server1.example.com:alternatename2.server1.example.com>
+1999-03-02 09:44:33 10HmaY-0005vi-00 SAN <*.test.ex:alternatename.server1.example.com:server1.example.com:alternatename2.server1.example.com>
1999-03-02 09:44:33 10HmaY-0005vi-00 Completed
1999-03-02 09:44:33 End queue run: pid=pppp -qf