*************************************************/
/* Copyright (c) Jeremy Harris 2014 - 2018 */
+/* Copyright (c) The Exim Maintainers 2021 */
/* This file provides TLS/SSL support for Exim using the GnuTLS library,
one of the available supported implementations. This file is #included into
if (mod && Ustrcmp(mod, "int") == 0)
return string_sprintf("%u", (unsigned)t);
-cp = store_get(len, FALSE);
+cp = store_get(len, GET_UNTAINTED);
if (f.timestamps_utc)
{
uschar * tz = to_tz(US"GMT0");
!= GNUTLS_E_SHORT_MEMORY_BUFFER)
return g_err("gi0", __FUNCTION__, ret);
-cp = store_get(siz, TRUE);
+cp = store_get(siz, GET_TAINTED);
if ((ret = gnutls_x509_crt_get_issuer_dn(cert, CS cp, &siz)) < 0)
return g_err("gi1", __FUNCTION__, ret);
!= GNUTLS_E_SHORT_MEMORY_BUFFER)
return g_err("gs0", __FUNCTION__, ret);
-cp1 = store_get(len*4+1, TRUE);
+cp1 = store_get(len*4+1, GET_TAINTED);
if (gnutls_x509_crt_get_signature((gnutls_x509_crt_t)cert, CS cp1, &len) != 0)
return g_err("gs1", __FUNCTION__, ret);
!= GNUTLS_E_SHORT_MEMORY_BUFFER)
return g_err("gs0", __FUNCTION__, ret);
-cp = store_get(siz, TRUE);
+cp = store_get(siz, GET_TAINTED);
if ((ret = gnutls_x509_crt_get_dn(cert, CS cp, &siz)) < 0)
return g_err("gs1", __FUNCTION__, ret);
if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER)
return g_err("ge0", __FUNCTION__, ret);
-cp1 = store_get(siz*4 + 1, TRUE);
+cp1 = store_get(siz*4 + 1, GET_TAINTED);
ret = gnutls_x509_crt_get_extension_by_oid ((gnutls_x509_crt_t)cert,
CS oid, idx, CS cp1, &siz, &crit);
uschar * ele;
int match = -1;
-while (mod)
+if (mod) while (*mod)
{
if (*mod == '>' && *++mod) sep = *mod++;
- else if (Ustrcmp(mod, "dns")==0) { match = GNUTLS_SAN_DNSNAME; mod += 3; }
- else if (Ustrcmp(mod, "uri")==0) { match = GNUTLS_SAN_URI; mod += 3; }
- else if (Ustrcmp(mod, "mail")==0) { match = GNUTLS_SAN_RFC822NAME; mod += 4; }
- else continue;
+ else if (Ustrncmp(mod, "dns", 3)==0) { match = GNUTLS_SAN_DNSNAME; mod += 3; }
+ else if (Ustrncmp(mod, "uri", 3)==0) { match = GNUTLS_SAN_URI; mod += 3; }
+ else if (Ustrncmp(mod, "mail", 4)==0) { match = GNUTLS_SAN_RFC822NAME; mod += 4; }
+ else break;
if (*mod++ != ',')
break;
return g_err("gs0", __FUNCTION__, ret);
}
- ele = store_get(siz+1, TRUE);
+ ele = store_get(siz+1, GET_TAINTED);
if ((ret = gnutls_x509_crt_get_subject_alt_name(
(gnutls_x509_crt_t)cert, index, ele, &siz, NULL)) < 0)
return g_err("gs1", __FUNCTION__, ret);
return g_err("gc0", __FUNCTION__, ret);
}
- ele = store_get(siz, TRUE);
+ ele = store_get(siz, GET_TAINTED);
if ((ret = gnutls_x509_crt_get_crl_dist_points(
(gnutls_x509_crt_t)cert, index, ele, &siz, NULL, NULL)) < 0)
return g_err("gc1", __FUNCTION__, ret);
if ( (fail = gnutls_x509_crt_export((gnutls_x509_crt_t)cert,
GNUTLS_X509_FMT_DER, cp, &len)) != GNUTLS_E_SHORT_MEMORY_BUFFER
- || !(cp = store_get((int)len, TRUE), TRUE) /* tainted */
+ || !(cp = store_get((int)len, GET_TAINTED), TRUE) /* tainted */
|| (fail = gnutls_x509_crt_export((gnutls_x509_crt_t)cert,
GNUTLS_X509_FMT_DER, cp, &len))
)
!= GNUTLS_E_SHORT_MEMORY_BUFFER)
return g_err("gf0", __FUNCTION__, ret);
-cp = store_get(siz*3+1, TRUE);
+cp = store_get(siz*3+1, GET_TAINTED);
if ((ret = gnutls_x509_crt_get_fingerprint(cert, algo, cp, &siz)) < 0)
return g_err("gf1", __FUNCTION__, ret);