X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/6ebd79ec02c66e273975e48b481714768080790b..93a6fce2ebf117f490d7ee11f066f75280d32386:/src/src/tls-openssl.c diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c index 24ae3ea7e..ee16bdc9e 100644 --- a/src/src/tls-openssl.c +++ b/src/src/tls-openssl.c @@ -123,7 +123,7 @@ typedef struct tls_ext_ctx_cb { uschar *server_cipher_list; /* only passed down to tls_error: */ host_item *host; - uschar * verify_cert_hostnames; + const uschar * verify_cert_hostnames; #ifdef EXPERIMENTAL_EVENT uschar * event_action; #endif @@ -245,6 +245,7 @@ for(i= 0; idata.x509; X509_NAME_oneline(X509_get_subject_name(current_cert), CS name, sizeof(name)); + txt[sizeof(name)-1] = '\0'; debug_printf(" %s\n", name); } } @@ -298,10 +299,12 @@ uschar * yield; #endif X509_NAME_oneline(X509_get_subject_name(cert), CS txt, sizeof(txt)); +txt[sizeof(txt)-1] = '\0'; if (state == 0) { - log_write(0, LOG_MAIN, "SSL verify error: depth=%d error=%s cert=%s", + log_write(0, LOG_MAIN, "[%s] SSL verify error: depth=%d error=%s cert=%s", + tlsp == &tls_out ? deliver_host_address : sender_host_address, depth, X509_verify_cert_error_string(X509_STORE_CTX_get_error(x509ctx)), txt); @@ -336,8 +339,10 @@ else if (depth != 0) tlsp->peercert = X509_dup(cert); if ((yield = event_raise(ev, US"tls:cert", string_sprintf("%d", depth)))) { - log_write(0, LOG_MAIN, "SSL verify denied by event-action: " - "depth=%d cert=%s: %s", depth, txt, yield); + log_write(0, LOG_MAIN, "[%s] SSL verify denied by event-action: " + "depth=%d cert=%s: %s", + tlsp == &tls_out ? deliver_host_address : sender_host_address, + depth, txt, yield); *calledp = TRUE; if (!*optionalp) return 0; /* reject */ @@ -351,7 +356,7 @@ else if (depth != 0) } else { - uschar * verify_cert_hostnames; + const uschar * verify_cert_hostnames; tlsp->peerdn = txt; tlsp->peercert = X509_dup(cert); 
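Review bot: In the `@@ -245,6 +245,7 @@` hunk the added terminator writes to `txt`, although the buffer just filled by X509_NAME_oneline() and then passed to debug_printf() is `name`: `txt[sizeof(name)-1] = '\0';`. As written the line either fails to compile if no `txt` is in scope at this point, or stores into an unrelated buffer at an index taken from a different array's size, which is out of bounds whenever `txt` is smaller than `name`. It should read `name[sizeof(name)-1] = '\0';`. The enclosing loop starts outside the hunk (its header line is also damaged on this page), so the declarations of both buffers are not visible.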
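Review bot: The peer-address expression `tlsp == &tls_out ? deliver_host_address : sender_host_address` is spelled out inside every log_write() call this commit touches, here in `@@ -298,10 +299,12 @@` and again in the hunks at -336, -379, -387, -399 and -413, so a later change to how the peer is identified has to be made in six places. Computing it once near the top of the callback, e.g. `const uschar * peer_addr = tlsp == &tls_out ? deliver_host_address : sender_host_address;`, and passing `peer_addr` would keep the log prefix consistent. Neither global is visibly checked for NULL before being handed to `%s`, and whether log_write() tolerates that is not shown here, so a one-line comment stating that both are set whenever this callback runs would help. The function body begins and ends outside the hunk.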
@@ -369,7 +374,7 @@ else # endif { int sep = 0; - uschar * list = verify_cert_hostnames; + const uschar * list = verify_cert_hostnames; uschar * name; int rc; while ((name = string_nextinlist(&list, &sep, NULL, 0))) @@ -379,7 +384,8 @@ else { if (rc < 0) { - log_write(0, LOG_MAIN, "SSL verify error: internal error\n"); + log_write(0, LOG_MAIN, "[%s] SSL verify error: internal error", + tlsp == &tls_out ? deliver_host_address : sender_host_address); name = NULL; } break; @@ -387,7 +393,9 @@ else if (!name) { log_write(0, LOG_MAIN, - "SSL verify error: certificate name mismatch: \"%s\"\n", txt); + "[%s] SSL verify error: certificate name mismatch: \"%s\"", + tlsp == &tls_out ? deliver_host_address : sender_host_address, + txt); *calledp = TRUE; if (!*optionalp) return 0; /* reject */ @@ -399,7 +407,9 @@ else if (!tls_is_name_for_cert(verify_cert_hostnames, cert)) { log_write(0, LOG_MAIN, - "SSL verify error: certificate name mismatch: \"%s\"\n", txt); + "[%s] SSL verify error: certificate name mismatch: \"%s\"", + tlsp == &tls_out ? deliver_host_address : sender_host_address, + txt); *calledp = TRUE; if (!*optionalp) return 0; /* reject */ @@ -413,8 +423,10 @@ else if (ev) if ((yield = event_raise(ev, US"tls:cert", US"0"))) { - log_write(0, LOG_MAIN, "SSL verify denied by event-action: " - "depth=0 cert=%s: %s", txt, yield); + log_write(0, LOG_MAIN, "[%s] SSL verify denied by event-action: " + "depth=0 cert=%s: %s", + tlsp == &tls_out ? deliver_host_address : sender_host_address, + txt, yield); *calledp = TRUE; if (!*optionalp) return 0; /* reject */ @@ -461,6 +473,7 @@ uschar * yield; #endif X509_NAME_oneline(X509_get_subject_name(cert), CS txt, sizeof(txt)); +txt[sizeof(txt)-1] = '\0'; DEBUG(D_tls) debug_printf("verify_callback_client_dane: %s\n", txt); tls_out.peerdn = txt; 
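Review bot: The added `txt[sizeof(txt)-1] = '\0';` in `@@ -461,6 +473,7 @@` covers a missing terminator, but the return value of X509_NAME_oneline() is still ignored, so a failed conversion (the call can return NULL) goes unnoticed before `txt` is printed and stored in `tls_out.peerdn`. The subject name comes from the peer's certificate and a name longer than the buffer is cut silently, so anything that later matches on the peer DN may be comparing against a prefix. In this callback a check such as `if (!X509_NAME_oneline(X509_get_subject_name(cert), CS txt, sizeof(txt))) return 0;` would make the failure explicit, and a comment like `/* txt may hold a truncated subject DN */` would document the limit. The same unchecked pattern is in the hunks at -298 and -1981, which need handling fitted to their own return conventions; the declaration of `txt` and the start of each function lie outside the hunks.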
@@ -1981,6 +1994,7 @@ if (server_cert) { tls_out.peerdn = US X509_NAME_oneline(X509_get_subject_name(server_cert), CS txt, sizeof(txt)); + txt[sizeof(txt)-1] = '\0'; tls_out.peerdn = txt; /*XXX a static buffer... */ } else