DKIM: use tainted mem for dns lookup

[exim.git] / src / src / tls-openssl.c
diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c

index ea30ff7cad2ce8ac6e701a902b4194a470db9f67..d6867200c9e6cdd2810b364186c329cdbb4a1895 100644 (file)
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -148,7 +148,7 @@ Plus SSL_OP_NO_TLSv1_3 for 1.1.2-dev
  static exim_openssl_option exim_openssl_options[] = {
  /* KEEP SORTED ALPHABETICALLY! */
  #ifdef SSL_OP_ALL
-  { US"all", SSL_OP_ALL },
+  { US"all", (long) SSL_OP_ALL },
  #endif
  #ifdef SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION
    { US"allow_unsafe_legacy_renegotiation", SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION },
@@ -2790,7 +2790,7 @@ if (SSL_SESSION_is_resumable(ss))         /* 1.1.1 */
    {
    int len = i2d_SSL_SESSION(ss, NULL);
    int dlen = sizeof(dbdata_tls_session) + len;
-  dbdata_tls_session * dt = store_get(dlen);
+  dbdata_tls_session * dt = store_get(dlen, TRUE);
    uschar * s = dt->session;
    open_db dbblock, * dbm_file;
  
@@ -2908,7 +2908,7 @@ BOOL require_ocsp = FALSE;
  
  rc = store_pool;
  store_pool = POOL_PERM;
-exim_client_ctx = store_get(sizeof(exim_openssl_client_tls_ctx));
+exim_client_ctx = store_get(sizeof(exim_openssl_client_tls_ctx), FALSE);
  exim_client_ctx->corked = NULL;
  store_pool = rc;
  
@@ -3189,32 +3189,10 @@ switch(error)
    case SSL_ERROR_ZERO_RETURN:
      DEBUG(D_tls) debug_printf("Got SSL_ERROR_ZERO_RETURN\n");
  
-    receive_getc = smtp_getc;
-    receive_getbuf = smtp_getbuf;
-    receive_get_cache = smtp_get_cache;
-    receive_ungetc = smtp_ungetc;
-    receive_feof = smtp_feof;
-    receive_ferror = smtp_ferror;
-    receive_smtp_buffered = smtp_buffered;
-
      if (SSL_get_shutdown(server_ssl) == SSL_RECEIVED_SHUTDOWN)
           SSL_shutdown(server_ssl);
  
-#ifndef DISABLE_OCSP
-    sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free);
-    server_static_cbinfo->verify_stack = NULL;
-#endif
-    SSL_free(server_ssl);
-    SSL_CTX_free(server_ctx);
-    server_ctx = NULL;
-    server_ssl = NULL;
-    tls_in.active.sock = -1;
-    tls_in.active.tls_ctx = NULL;
-    tls_in.bits = 0;
-    tls_in.cipher = NULL;
-    tls_in.peerdn = NULL;
-    tls_in.sni = NULL;
-
+    tls_close(NULL, TLS_NO_SHUTDOWN);
      return FALSE;
  
    /* Handle genuine errors */
@@ -3503,14 +3481,25 @@ if (shutdown)
      }
    }
  
-#ifndef DISABLE_OCSP
  if (!o_ctx)            /* server side */
    {
+#ifndef DISABLE_OCSP
    sk_X509_pop_free(server_static_cbinfo->verify_stack, X509_free);
    server_static_cbinfo->verify_stack = NULL;
-  }
  #endif
  
+  receive_getc =       smtp_getc;
+  receive_getbuf =     smtp_getbuf;
+  receive_get_cache =  smtp_get_cache;
+  receive_ungetc =     smtp_ungetc;
+  receive_feof =       smtp_feof;
+  receive_ferror =     smtp_ferror;
+  receive_smtp_buffered = smtp_buffered;
+  tls_in.active.tls_ctx = NULL;
+  tls_in.sni = NULL;
+  /* Leave bits, peercert, cipher, peerdn, certificate_verified set, for logging */
+  }
+
  SSL_CTX_free(*ctxp);
  SSL_free(*sslp);
  *ctxp = NULL;