X-Git-Url: https://git.netwichtig.de/gitweb/?a=blobdiff_plain;f=src%2Fsrc%2Ftlscert-openssl.c;h=de6979a18b85b5b60acd8c3dde5ac72ecd37c9c8;hb=ac6652c8a0ac69fc0f46d7f8535aa537cd609c94;hp=29095782acd20d5643ff87c768732d7272d73556;hpb=25ba25448b55c2fd5ea9b1aeed82e02d59816a07;p=user%2Fhenk%2Fcode%2Fexim.git

diff --git a/src/src/tlscert-openssl.c b/src/src/tlscert-openssl.c
index 29095782a..de6979a18 100644
--- a/src/src/tlscert-openssl.c
+++ b/src/src/tlscert-openssl.c
@@ -56,12 +56,15 @@ void * reset_point = store_get(0);
 const uschar * cp = string_unprinting(US buf);
 BIO * bp;
 X509 * x;
+int fail = 0;
 
 bp = BIO_new_mem_buf(US cp, -1);
-x = PEM_read_bio_X509(bp, NULL, 0, NULL);
-int fail = 0;
-if (!x)
+if (!(x = PEM_read_bio_X509(bp, NULL, 0, NULL)))
+  {
+  log_write(0, LOG_MAIN, "TLS error in certificate import: %s",
+    ERR_error_string(ERR_get_error(), NULL));
   fail = 1;
+  }
 else
   *cert = (void *)x;
 BIO_free(bp);
@@ -75,53 +78,115 @@ tls_free_cert(void * cert)
 X509_free((X509 *)cert);
 }
 
+
 /*****************************************************
 *  Certificate field extraction routines
 *****************************************************/
+
+/* First, some internal service functions */
+
 static uschar *
-bio_string_copy(BIO * bp, int len)
+badalloc(void)
 {
-uschar * cp = US"";
-len = len > 0 ? (int) BIO_get_mem_data(bp, &cp) : 0;
-cp = string_copyn(cp, len);
-BIO_free(bp);
-return cp;
+expand_string_message = US"allocation failure";
+return NULL;
 }
 
 static uschar *
-bio_string_time_to_int(BIO * bp, int len)
+bio_string_copy(BIO * bp, int len)
 {
 uschar * cp = US"";
-struct tm t;
 len = len > 0 ? (int) BIO_get_mem_data(bp, &cp) : 0;
-/*XXX %Z might be glibc-specific? */
-(void) strptime(CS cp, "%b%t%e%t%T%t%Y%t%Z", &t);
+cp = string_copyn(cp, len);
 BIO_free(bp);
-/*XXX timegm might not be portable? */
-return string_sprintf("%u", (unsigned) timegm(&t));
+return cp;
 }
 
 static uschar *
-asn1_time_copy(const ASN1_TIME * time, uschar * mod)
+asn1_time_copy(const ASN1_TIME * asntime, uschar * mod)
 {
+uschar * s = NULL;
 BIO * bp = BIO_new(BIO_s_mem());
-int len = ASN1_TIME_print(bp, time);
-return mod &&  Ustrcmp(mod, "int") == 0
-  ? bio_string_time_to_int(bp, len)
-  : bio_string_copy(bp, len);
+int len;
+
+if (!bp)
+  return badalloc();
+len = ASN1_TIME_print(bp, asntime);
+len = len > 0 ? (int) BIO_get_mem_data(bp, &s) : 0;
+
+if (mod && Ustrcmp(mod, "raw") == 0)		/* native ASN */
+  s = string_copyn(s, len);
+else
+  {
+  struct tm tm;
+  struct tm * tm_p = &tm;
+  BOOL mod_tz;
+  uschar * tz = to_tz(US"GMT0");    /* need to call strptime with baseline TZ */
+
+  /* Parse OpenSSL ASN1_TIME_print output.  A shame there seems to
+  be no other interface for the times.
+  */
+
+  /*XXX %Z might be glibc-specific?  Solaris has it, at least*/
+  /*XXX should we switch to POSIX locale for this? */
+  tm.tm_isdst = 0;
+  if (!strptime(CCS s, "%b %e %T %Y %Z", &tm))
+    expand_string_message = US"failed time conversion";
+
+  else
+    {
+    time_t t = mktime(&tm);	/* make the tm self-consistent */
+
+    if (mod && Ustrcmp(mod, "int") == 0)	/* seconds since epoch */
+      s = string_sprintf("%u", t);
+
+    else
+      {
+      if (!timestamps_utc)	/* decoded string in local TZ */
+	{				/* shift to local TZ */
+	restore_tz(tz);
+	mod_tz = FALSE;
+	tm_p = localtime(&t);
+	}
+      /* "utc" is default, and rfc5280 says cert times should be Zulu */
+
+      /* convert to string in our format */
+      len = 32;
+      s = store_get(len);
+      strftime(CS s, (size_t)len, "%b %e %T %Y %z", tm_p);
+      }
+    }
+
+  if (mod_tz);
+    restore_tz(tz);
+  }
+BIO_free(bp);
+return s;
 }
 
 static uschar *
 x509_name_copy(X509_NAME * name)
 {
 BIO * bp = BIO_new(BIO_s_mem());
-int len_good =
+int len_good;
+
+if (!bp) return badalloc();
+
+len_good =
   X509_NAME_print_ex(bp, name, 0, XN_FLAG_RFC2253) >= 0
   ? 1 : 0;
 return bio_string_copy(bp, len_good);
 }
 
 /**/
+/* Now the extractors, called from expand.c
+Arguments:
+  cert		The certificate
+  mod		Optional modifiers for the operator
+
+Return:
+  Allocated string with extracted value
+*/
 
 uschar *
 tls_cert_issuer(void * cert, uschar * mod)
@@ -147,8 +212,11 @@ tls_cert_serial_number(void * cert, uschar * mod)
 {
 uschar txt[256];
 BIO * bp = BIO_new(BIO_s_mem());
-int len = i2a_ASN1_INTEGER(bp, X509_get_serialNumber((X509 *)cert));
+int len;
 
+if (!bp) return badalloc();
+
+len = i2a_ASN1_INTEGER(bp, X509_get_serialNumber((X509 *)cert));
 if (len < sizeof(txt))
   BIO_read(bp, txt, len);
 else
@@ -160,8 +228,10 @@ return string_copynlc(txt, len);	/* lowercase */
 uschar *
 tls_cert_signature(void * cert, uschar * mod)
 {
-BIO * bp = BIO_new(BIO_s_mem());
 uschar * cp = NULL;
+BIO * bp = BIO_new(BIO_s_mem());
+
+if (!bp) return badalloc();
 
 if (X509_print_ex(bp, (X509 *)cert, 0,
   X509_FLAG_NO_HEADER | X509_FLAG_NO_VERSION | X509_FLAG_NO_SERIAL | 
@@ -171,7 +241,11 @@ if (X509_print_ex(bp, (X509 *)cert, 0,
   X509_FLAG_NO_AUX) == 1)
   {
   long len = BIO_get_mem_data(bp, &cp);
-  cp = string_copyn(cp, len);
+
+  /* Strip leading "Signature Algorithm" line */
+  while (*cp && *cp != '\n') { cp++; len--; }
+
+  cp = string_copyn(cp+1, len-1);
   }
 BIO_free(bp);
 return cp;
@@ -180,7 +254,29 @@ return cp;
 uschar *
 tls_cert_signature_algorithm(void * cert, uschar * mod)
 {
-return string_copy(US OBJ_nid2ln(X509_get_signature_type((X509 *)cert)));
+uschar * cp = NULL;
+BIO * bp = BIO_new(BIO_s_mem());
+
+if (!bp) return badalloc();
+
+if (X509_print_ex(bp, (X509 *)cert, 0,
+  X509_FLAG_NO_HEADER | X509_FLAG_NO_VERSION | X509_FLAG_NO_SERIAL | 
+  /* X509_FLAG_NO_SIGNAME is the missing one */
+  X509_FLAG_NO_ISSUER | X509_FLAG_NO_VALIDITY | 
+  X509_FLAG_NO_SUBJECT | X509_FLAG_NO_PUBKEY | X509_FLAG_NO_EXTENSIONS | 
+  X509_FLAG_NO_SIGDUMP | X509_FLAG_NO_AUX) == 1)
+  {
+  long len = BIO_get_mem_data(bp, &cp);
+
+  /* Strip leading "    Signature Algorithm: " and trailing newline */
+  while (*cp && *cp != ':') { cp++; len--; }
+  do { cp++; len--; } while (*cp && *cp == ' ');
+  if (cp[len-1] == '\n') len--;
+
+  cp = string_copyn(cp, len);
+  }
+BIO_free(bp);
+return cp;
 }
 
 uschar *
@@ -209,6 +305,8 @@ uschar * cp1;
 uschar * cp2;
 uschar * cp3;
 
+if (!bp) return badalloc();
+
 M_ASN1_OCTET_STRING_print(bp, adata);
 /* binary data, DER encoded */
 
@@ -237,6 +335,7 @@ uschar sep = '\n';
 uschar * tag = US"";
 uschar * ele;
 int match = -1;
+int len;
 
 if (!san) return NULL;
 
@@ -262,19 +361,26 @@ while (sk_GENERAL_NAME_num(san) > 0)
     case GEN_DNS:
       tag = US"DNS";
       ele = ASN1_STRING_data(namePart->d.dNSName);
+      len = ASN1_STRING_length(namePart->d.dNSName);
       break;
     case GEN_URI:
       tag = US"URI";
       ele = ASN1_STRING_data(namePart->d.uniformResourceIdentifier);
+      len = ASN1_STRING_length(namePart->d.uniformResourceIdentifier);
       break;
     case GEN_EMAIL:
       tag = US"MAIL";
       ele = ASN1_STRING_data(namePart->d.rfc822Name);
+      len = ASN1_STRING_length(namePart->d.rfc822Name);
       break;
     default:
       continue;	/* ignore unrecognised types */
     }
-  list = string_append_listele(list, sep,
+  if (ele[len])	/* not nul-terminated */
+    ele = string_copyn(ele, len);
+
+  if (Ustrlen(ele) == len)	/* ignore any with embedded nul */
+    list = string_append_listele(list, sep,
 	  match == -1 ? string_sprintf("%s=%s", tag, ele) : ele);
   }