X-Git-Url: https://git.exim.org/exim.git/blobdiff_plain/790fbb71d92b47c6637892f3feedc0f99000f01e..4226691b79845d9b41041e2f64a3a241dcb99f4d:/src/src/tlscert-gnu.c diff --git a/src/src/tlscert-gnu.c b/src/src/tlscert-gnu.c index 69ce27fc8..3c6953a99 100644 --- a/src/src/tlscert-gnu.c +++ b/src/src/tlscert-gnu.c @@ -142,12 +142,12 @@ uschar * cp = NULL; int ret; size_t siz = 0; -if ((ret = gnutls_x509_crt_get_issuer_dn(cert, cp, &siz)) +if ((ret = gnutls_x509_crt_get_issuer_dn(cert, CS cp, &siz)) != GNUTLS_E_SHORT_MEMORY_BUFFER) return g_err("gi0", __FUNCTION__, ret); cp = store_get(siz); -if ((ret = gnutls_x509_crt_get_issuer_dn(cert, cp, &siz)) < 0) +if ((ret = gnutls_x509_crt_get_issuer_dn(cert, CS cp, &siz)) < 0) return g_err("gi1", __FUNCTION__, ret); return mod ? tls_field_from_dn(cp, mod) : cp; @@ -183,7 +183,7 @@ if ((ret = gnutls_x509_crt_get_serial((gnutls_x509_crt_t)cert, return g_err("gs0", __FUNCTION__, ret); for(dp = txt, sp = bin; sz; dp += 2, sp++, sz--) - sprintf(dp, "%.2x", *sp); + sprintf(CS dp, "%.2x", *sp); for(sp = txt; sp[0]=='0' && sp[1]; ) sp++; /* leading zeroes */ return string_copy(sp); } @@ -197,16 +197,16 @@ uschar * cp3; size_t len = 0; int ret; -if ((ret = gnutls_x509_crt_get_signature((gnutls_x509_crt_t)cert, cp1, &len)) +if ((ret = gnutls_x509_crt_get_signature((gnutls_x509_crt_t)cert, CS cp1, &len)) != GNUTLS_E_SHORT_MEMORY_BUFFER) return g_err("gs0", __FUNCTION__, ret); cp1 = store_get(len*4+1); -if (gnutls_x509_crt_get_signature((gnutls_x509_crt_t)cert, cp1, &len) != 0) +if (gnutls_x509_crt_get_signature((gnutls_x509_crt_t)cert, CS cp1, &len) != 0) return g_err("gs1", __FUNCTION__, ret); for(cp3 = cp2 = cp1+len; cp1 < cp2; cp3 += 3, cp1++) - sprintf(cp3, "%.2x ", *cp1); + sprintf(CS cp3, "%.2x ", *cp1); cp3[-1]= '\0'; return cp2; @@ -217,7 +217,7 @@ tls_cert_signature_algorithm(void * cert, uschar * mod) { gnutls_sign_algorithm_t algo = gnutls_x509_crt_get_signature_algorithm((gnutls_x509_crt_t)cert); -return algo < 0 ? NULL : string_copy(gnutls_sign_get_name(algo)); +return algo < 0 ? NULL : string_copy(US gnutls_sign_get_name(algo)); } uschar * @@ -227,12 +227,12 @@ uschar * cp = NULL; int ret; size_t siz = 0; -if ((ret = gnutls_x509_crt_get_dn(cert, cp, &siz)) +if ((ret = gnutls_x509_crt_get_dn(cert, CS cp, &siz)) != GNUTLS_E_SHORT_MEMORY_BUFFER) return g_err("gs0", __FUNCTION__, ret); cp = store_get(siz); -if ((ret = gnutls_x509_crt_get_dn(cert, cp, &siz)) < 0) +if ((ret = gnutls_x509_crt_get_dn(cert, CS cp, &siz)) < 0) return g_err("gs1", __FUNCTION__, ret); return mod ? tls_field_from_dn(cp, mod) : cp; @@ -255,14 +255,14 @@ unsigned int crit; int ret; ret = gnutls_x509_crt_get_extension_by_oid ((gnutls_x509_crt_t)cert, - oid, idx, cp1, &siz, &crit); + oid, idx, CS cp1, &siz, &crit); if (ret != GNUTLS_E_SHORT_MEMORY_BUFFER) return g_err("ge0", __FUNCTION__, ret); cp1 = store_get(siz*4 + 1); ret = gnutls_x509_crt_get_extension_by_oid ((gnutls_x509_crt_t)cert, - oid, idx, cp1, &siz, &crit); + oid, idx, CS cp1, &siz, &crit); if (ret < 0) return g_err("ge1", __FUNCTION__, ret); @@ -270,7 +270,7 @@ if (ret < 0) /* just dump for now */ for(cp3 = cp2 = cp1+siz; cp1 < cp2; cp3 += 3, cp1++) - sprintf(cp3, "%.2x ", *cp1); + sprintf(CS cp3, "%.2x ", *cp1); cp3[-1]= '\0'; return cp2; @@ -280,6 +280,7 @@ uschar * tls_cert_subject_altname(void * cert, uschar * mod) { uschar * list = NULL; +int lsize = 0, llen = 0; int index; size_t siz; int ret; @@ -328,11 +329,11 @@ for(index = 0;; index++) switch (ret) { case GNUTLS_SAN_DNSNAME: tag = US"DNS"; break; - case GNUTLS_SAN_URI: tag = US"URI"; break; + case GNUTLS_SAN_URI: tag = US"URI"; break; case GNUTLS_SAN_RFC822NAME: tag = US"MAIL"; break; default: continue; /* ignore unrecognised types */ } - list = string_append_listele(list, sep, + list = string_append_listele(list, &lsize, &llen, sep, match == -1 ? string_sprintf("%s=%s", tag, ele) : ele); } /*NOTREACHED*/ @@ -347,6 +348,7 @@ int ret; uschar sep = '\n'; int index; uschar * list = NULL; +int lsize = 0, llen = 0; if (mod) if (*mod == '>' && *++mod) sep = *mod++; @@ -361,14 +363,14 @@ for(index = 0;; index++) if (ret < 0) return g_err("gai", __FUNCTION__, ret); - list = string_append_listele(list, sep, - string_copyn(uri.data, uri.size)); + list = string_append_listele_n(list, &lsize, &llen, sep, + uri.data, uri.size); } /*NOTREACHED*/ #else -expand_string_message = +expand_string_message = string_sprintf("%s: OCSP support with GnuTLS requires version 3.0.0\n", __FUNCTION__); return NULL; @@ -384,6 +386,7 @@ size_t siz; uschar sep = '\n'; int index; uschar * list = NULL; +int lsize = 0, llen = 0; uschar * ele; if (mod) @@ -403,13 +406,12 @@ for(index = 0;; index++) return g_err("gc0", __FUNCTION__, ret); } - ele = store_get(siz+1); + ele = store_get(siz); if ((ret = gnutls_x509_crt_get_crl_dist_points( (gnutls_x509_crt_t)cert, index, ele, &siz, NULL, NULL)) < 0) return g_err("gc1", __FUNCTION__, ret); - ele[siz] = '\0'; - list = string_append_listele(list, sep, ele); + list = string_append_listele_n(list, &lsize, &llen, sep, ele, siz); } /*NOTREACHED*/ } @@ -418,6 +420,28 @@ for(index = 0;; index++) /***************************************************** * Certificate operator routines *****************************************************/ +uschar * +tls_cert_der_b64(void * cert) +{ +size_t len = 0; +uschar * cp = NULL; +int fail; + +if ( (fail = gnutls_x509_crt_export((gnutls_x509_crt_t)cert, + GNUTLS_X509_FMT_DER, cp, &len)) != GNUTLS_E_SHORT_MEMORY_BUFFER + || !(cp = store_get((int)len)) + || (fail = gnutls_x509_crt_export((gnutls_x509_crt_t)cert, + GNUTLS_X509_FMT_DER, cp, &len)) + ) + { + log_write(0, LOG_MAIN, "TLS error in certificate export: %s", + gnutls_strerror(fail)); + return NULL; + } +return b64encode(cp, (int)len); +} + + static uschar * fingerprint(gnutls_x509_crt_t cert, gnutls_digest_algorithm_t algo) { @@ -436,7 +460,7 @@ if ((ret = gnutls_x509_crt_get_fingerprint(cert, algo, cp, &siz)) < 0) return g_err("gf1", __FUNCTION__, ret); for (cp3 = cp2 = cp+siz; cp < cp2; cp++, cp3+=2) - sprintf(cp3, "%02X",*cp); + sprintf(CS cp3, "%02X",*cp); return cp2; }