Fix buffer overrun in spam= acl condition. Bug 1552

[exim.git] / src / src / dane-openssl.c

diff --git a/src/src/dane-openssl.c b/src/src/dane-openssl.c
index 407e6800da08ccba7deebd53cb93ca7220172467..6345b39ca459cd1461985fa5c8d6edb7d2212cb3 100644 (file)
--- a/src/src/dane-openssl.c
+++ b/src/src/dane-openssl.c
@@ -202,9 +202,9 @@ for(matched = 0; !matched && slist; slist = slist->next)
   {
   dane_mtype_list m;
   unsigned char mdbuf[EVP_MAX_MD_SIZE];
-  unsigned char *buf;
+  unsigned char *buf = NULL;
   unsigned char *buf2;
-  unsigned int len;
+  unsigned int len = 0;
 
   /*
    * Extract ASN.1 DER form of certificate or public key.
@@ -679,6 +679,7 @@ int matched;
 matched = match(dane->selectors[SSL_DANE_USAGE_FIXED_LEAF], cert, 0);
 if(matched > 0)
   if(!ctx->chain)
+    {
     if(  (ctx->chain = sk_X509_new_null())
       && sk_X509_push(ctx->chain, cert))
       CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509);
@@ -687,6 +688,7 @@ if(matched > 0)
       DANEerr(DANE_F_CHECK_END_ENTITY, ERR_R_MALLOC_FAILURE);
       return -1;
       }
+    }
 return matched;
 }
 
@@ -714,12 +716,14 @@ for(hosts = dane->hosts; hosts; hosts = hosts->next)
    * Sub-domain match: certid is any sub-domain of hostname.
    */
   if(match_subdomain)
+    {
     if(  (idlen = strlen(certid)) > (domlen = strlen(domain)) + 1
       && certid[idlen - domlen - 1] == '.'
       && !strcasecmp(certid + (idlen - domlen), domain))
       return 1;
     else
       continue;
+    }
 
   /*
    * Exact match and initial "*" match. The initial "*" in a certid
@@ -859,6 +863,8 @@ X509 *cert = ctx->cert;             /* XXX: accessor? */
 int matched = 0;
 int chain_length = sk_X509_num(ctx->chain);
 
+DEBUG(D_tls) debug_printf("Dane verify-chain\n");
+
 issuer_rrs = dane->selectors[SSL_DANE_USAGE_LIMIT_ISSUER];
 leaf_rrs = dane->selectors[SSL_DANE_USAGE_LIMIT_LEAF];
 ctx->verify = dane->verify;
@@ -950,6 +956,8 @@ int (*cb)(int, X509_STORE_CTX *) = ctx->verify_cb;
 int matched;
 X509 *cert = ctx->cert;             /* XXX: accessor? */
 
+DEBUG(D_tls) debug_printf("Dane verify-cert\n");
+
 if(ssl_idx < 0)
   ssl_idx = SSL_get_ex_data_X509_STORE_CTX_idx();
 if(dane_idx < 0)
@@ -1080,6 +1088,8 @@ DANESSL_cleanup(SSL *ssl)
 ssl_dane *dane;
 int u;
 
+DEBUG(D_tls) debug_printf("Dane lib-cleanup\n");
+
 if(dane_idx < 0 || !(dane = SSL_get_ex_data(ssl, dane_idx)))
   return;
 (void) SSL_set_ex_data(ssl, dane_idx, 0);
@@ -1155,6 +1165,9 @@ dane_cert_list xlist = 0;
 dane_pkey_list klist = 0;
 const EVP_MD *md = 0;
 
+DEBUG(D_tls) debug_printf("Dane add-tlsa: usage %u sel %u mdname \"%s\"\n",
+                         usage, selector, mdname);
+
 if(dane_idx < 0 || !(dane = SSL_get_ex_data(ssl, dane_idx)))
   {
   DANEerr(DANE_F_SSL_DANE_ADD_TLSA, DANE_R_DANE_INIT);
@@ -1308,7 +1321,7 @@ call this with NULL.
 Arguments:
   ssl          Connection handle
   sni_domain   Optional peer server name
-  hostnames    ?? list of names - but what names?
+  hostnames    list of names to chack against peer cert
 
 Return
   -1 on fatal error
@@ -1324,12 +1337,14 @@ int i;
 #ifdef OPENSSL_INTERNAL
 SSL_CTX *sctx = SSL_get_SSL_CTX(ssl);
 
+
 if(sctx->app_verify_callback != verify_cert)
   {
   DANEerr(DANE_F_SSL_DANE_INIT, DANE_R_SCTX_INIT);
   return -1;
   }
 #else
+DEBUG(D_tls) debug_printf("Dane ssl-init\n");
 if(dane_idx < 0)
   {
   DANEerr(DANE_F_SSL_DANE_INIT, DANE_R_LIBRARY_INIT);
@@ -1352,6 +1367,9 @@ if(!SSL_set_ex_data(ssl, dane_idx, dane))
   return 0;
   }
 
+dane->verify = 0;
+dane->hosts = 0;
+dane->thost = 0;
 dane->pkeys = 0;
 dane->certs = 0;
 dane->chain = 0;
@@ -1396,6 +1414,7 @@ Return
 int
 DANESSL_CTX_init(SSL_CTX *ctx)
 {
+DEBUG(D_tls) debug_printf("Dane ctx-init\n");
 if(dane_idx >= 0)
   {
   SSL_CTX_set_cert_verify_callback(ctx, verify_cert, 0);
@@ -1481,6 +1500,7 @@ Return
 int
 DANESSL_library_init(void)
 {
+DEBUG(D_tls) debug_printf("Dane lib-init\n");
 if(err_lib_dane < 0)
   init_once(&err_lib_dane, ERR_get_next_error_library, dane_init);