From c03fae8adf341e26f2c4c8f068a60a72d8504963 Mon Sep 17 00:00:00 2001 From: Jeremy Harris Date: Mon, 26 May 2014 11:47:30 +0100 Subject: Errorcheck TLS library calls --- src/src/tlscert-gnu.c | 36 ++++++++++++++++++++++++++------- src/src/tlscert-openssl.c | 51 ++++++++++++++++++++++++++++++++++++++++------- 2 files changed, 73 insertions(+), 14 deletions(-) diff --git a/src/src/tlscert-gnu.c b/src/src/tlscert-gnu.c index 737637302..3261c4e8d 100644 --- a/src/src/tlscert-gnu.c +++ b/src/src/tlscert-gnu.c @@ -26,12 +26,16 @@ tls_export_cert(uschar * buf, size_t buflen, void * cert) { size_t sz = buflen; void * reset_point = store_get(0); -int fail = 0; +int fail; uschar * cp; -if (gnutls_x509_crt_export((gnutls_x509_crt_t)cert, - GNUTLS_X509_FMT_PEM, buf, &sz)) +if ((fail = gnutls_x509_crt_export((gnutls_x509_crt_t)cert, + GNUTLS_X509_FMT_PEM, buf, &sz))) + { + log_write(0, LOG_MAIN, "TLS error in certificate export: %s", + gnutls_strerror(fail)); return 1; + } if ((cp = string_printing(buf)) != buf) { Ustrncpy(buf, cp, buflen); @@ -55,8 +59,12 @@ gnutls_x509_crt_init(&crt); datum.data = string_unprinting(US buf); datum.size = Ustrlen(datum.data); -if (gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM)) +if ((fail = gnutls_x509_crt_import(crt, &datum, GNUTLS_X509_FMT_PEM))) + { + log_write(0, LOG_MAIN, "TLS error in certificate import: %s", + gnutls_strerror(fail)); fail = 1; + } else *cert = (void *)crt; @@ -74,6 +82,9 @@ gnutls_global_deinit(); /***************************************************** * Certificate field extraction routines *****************************************************/ + +/* First, some internal service functions */ + static uschar * g_err(const char * tag, const char * from, int gnutls_err) { @@ -99,7 +110,16 @@ len = strftime(CS cp, 32, "%b %e %T %Y %Z", tp); return len > 0 ? cp : NULL; } + /**/ +/* Now the extractors, called from expand.c +Arguments: + cert The certificate + mod Optional modifiers for the operator + +Return: + Allocated string with extracted value +*/ uschar * tls_cert_issuer(void * cert, uschar * mod) @@ -142,10 +162,12 @@ uschar bin[50], txt[150]; size_t sz = sizeof(bin); uschar * sp; uschar * dp; +int ret; + +if ((ret = gnutls_x509_crt_get_serial((gnutls_x509_crt_t)cert, + bin, &sz))) + return g_err("gs0", __FUNCTION__, ret); -if (gnutls_x509_crt_get_serial((gnutls_x509_crt_t)cert, - bin, &sz) || sz > sizeof(bin)) - return NULL; for(dp = txt, sp = bin; sz; dp += 2, sp++, sz--) sprintf(dp, "%.2x", *sp); for(sp = txt; sp[0]=='0' && sp[1]; ) sp++; /* leading zeroes */ diff --git a/src/src/tlscert-openssl.c b/src/src/tlscert-openssl.c index 0614b4025..2411dea9e 100644 --- a/src/src/tlscert-openssl.c +++ b/src/src/tlscert-openssl.c @@ -56,12 +56,15 @@ void * reset_point = store_get(0); const uschar * cp = string_unprinting(US buf); BIO * bp; X509 * x; +int fail = 0; bp = BIO_new_mem_buf(US cp, -1); -x = PEM_read_bio_X509(bp, NULL, 0, NULL); -int fail = 0; -if (!x) +if (!(x = PEM_read_bio_X509(bp, NULL, 0, NULL))) + { + log_write(0, LOG_MAIN, "TLS error in certificate import: %s", + ERR_error_string(ERR_get_error(), NULL)); fail = 1; + } else *cert = (void *)x; BIO_free(bp); @@ -75,9 +78,20 @@ tls_free_cert(void * cert) X509_free((X509 *)cert); } + /***************************************************** * Certificate field extraction routines *****************************************************/ + +/* First, some internal service functions */ + +static uschar * +badalloc(void) +{ +expand_string_message = US"allocation failure"; +return NULL; +} + static uschar * bio_string_copy(BIO * bp, int len) { @@ -105,7 +119,11 @@ static uschar * asn1_time_copy(const ASN1_TIME * time, uschar * mod) { BIO * bp = BIO_new(BIO_s_mem()); -int len = ASN1_TIME_print(bp, time); +int len; + +if (!bp) return badalloc(); + +len = ASN1_TIME_print(bp, time); return mod && Ustrcmp(mod, "int") == 0 ? bio_string_time_to_int(bp, len) : bio_string_copy(bp, len); @@ -115,13 +133,25 @@ static uschar * x509_name_copy(X509_NAME * name) { BIO * bp = BIO_new(BIO_s_mem()); -int len_good = +int len_good; + +if (!bp) return badalloc(); + +len_good = X509_NAME_print_ex(bp, name, 0, XN_FLAG_RFC2253) >= 0 ? 1 : 0; return bio_string_copy(bp, len_good); } /**/ +/* Now the extractors, called from expand.c +Arguments: + cert The certificate + mod Optional modifiers for the operator + +Return: + Allocated string with extracted value +*/ uschar * tls_cert_issuer(void * cert, uschar * mod) @@ -147,8 +177,11 @@ tls_cert_serial_number(void * cert, uschar * mod) { uschar txt[256]; BIO * bp = BIO_new(BIO_s_mem()); -int len = i2a_ASN1_INTEGER(bp, X509_get_serialNumber((X509 *)cert)); +int len; + +if (!bp) return badalloc(); +len = i2a_ASN1_INTEGER(bp, X509_get_serialNumber((X509 *)cert)); if (len < sizeof(txt)) BIO_read(bp, txt, len); else @@ -160,8 +193,10 @@ return string_copynlc(txt, len); /* lowercase */ uschar * tls_cert_signature(void * cert, uschar * mod) { -BIO * bp = BIO_new(BIO_s_mem()); uschar * cp = NULL; +BIO * bp = BIO_new(BIO_s_mem()); + +if (!bp) return badalloc(); if (X509_print_ex(bp, (X509 *)cert, 0, X509_FLAG_NO_HEADER | X509_FLAG_NO_VERSION | X509_FLAG_NO_SERIAL | @@ -209,6 +244,8 @@ uschar * cp1; uschar * cp2; uschar * cp3; +if (!bp) return badalloc(); + M_ASN1_OCTET_STRING_print(bp, adata); /* binary data, DER encoded */ -- cgit v1.2.3