| side by side (parent:
6814cb2
)
OpenSSL: fix verify-certs stack initialization
author
Jeremy Harris
<jgh146exb@wizmail.org>
Thu, 17 Jun 2021 19:45:32 +0000
(20:45 +0100)
committer
Jeremy Harris
<jgh146exb@wizmail.org>
Thu, 17 Jun 2021 19:45:32 +0000
(20:45 +0100)
src/src/tls-openssl.c
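diff --git a/src/src/tls-openssl.c b/src/src/tls-openssl.c
index 906c98cefa460b383b65f45ec4b4a15a487eb147..4d6eeaab3795776e90dee8b8e325ee4565cc1d12 100644
--- a/src/src/tls-openssl.c
+++ b/src/src/tls-openssl.c
@@ -2760,18 +2760,23 @@ if (tlsp->peercert)
 /* Load certs from file, return TRUE on success */
 static BOOL
-chain_from_pem_file(const uschar * file, STACK_OF(X509) * verify_stack)
+chain_from_pem_file(const uschar * file, STACK_OF(X509) ** vp)
 {
 BIO * bp;
+STACK_OF(X509) * verify_stack = *vp;
 X509 * x;
-while (sk_X509_num(verify_stack) > 0)
-  X509_free(sk_X509_pop(verify_stack));
+if (verify_stack)
+  while (sk_X509_num(verify_stack) > 0)
+    X509_free(sk_X509_pop(verify_stack));
+else
+  verify_stack = sk_X509_new_null();
 if (!(bp = BIO_new_file(CS file, "r"))) return FALSE;
-while ((x = PEM_read_bio_X509(bp, NULL, 0, NULL)))
+for (X509 * x; x = PEM_read_bio_X509(bp, NULL, 0, NULL); )
   sk_X509_push(verify_stack, x);
 BIO_free(bp);
+*vp = verify_stack;
 return TRUE;
 }
 #endif
@@ -2826,6 +2831,13 @@ if (expcerts && *expcerts)
     { file = NULL; dir = expcerts; }
   else
     {
+    STACK_OF(X509) * verify_stack =
+#ifndef DISABLE_OCSP
+      !host ? state_server.verify_stack :
+#endif
+      NULL;
+    STACK_OF(X509) ** vp = &verify_stack;
+
     file = expcerts; dir = NULL;
 #ifndef DISABLE_OCSP
     /* In the server if we will be offering an OCSP proof, load chain from
@@ -2834,11 +2846,10 @@ if (expcerts && *expcerts)
 /*XXX Glitch!   The file here is tls_verify_certs: the chain for verifying the client cert.
 This is inconsistent with the need to verify the OCSP proof of the server cert.
 */
-
     if (  !host
        && statbuf.st_size > 0
        && state_server.u_ocsp.server.file
-       && !chain_from_pem_file(file, state_server.verify_stack)
+       && !chain_from_pem_file(file, vp)
        )
       {
       log_write(0, LOG_MAIN|LOG_PANIC,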
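Review bot: In chain_from_pem_file (first hunk) the stack created by `sk_X509_new_null()` is neither checked for NULL nor stored through `vp` before the `return FALSE` on `BIO_new_file` failure, so on that path a freshly allocated stack leaks, and if allocation failed the certificates are pushed onto a NULL stack while the function still reports TRUE. Writing `else if (!(verify_stack = sk_X509_new_null())) return FALSE;` and moving `*vp = verify_stack;` to just before the `BIO_new_file` call closes both holes (the unchecked `sk_X509_push` return is a smaller instance of the same problem). The loaded result only lands in the local `verify_stack` declared in the second hunk; unless code past the third hunk copies it back into `state_server.verify_stack`, a stack created on the first server-side load is lost and later OCSP-proof verification sees no chain, which is worth confirming against the surrounding function. The `X509 * x;` declaration that appears to remain as context on the new side is now shadowed by the `for (X509 * x; ...)` loop and otherwise unused, so it can be dropped.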