Always check return from tls_export_cert()

author Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>

Fri, 30 Aug 2019 11:44:01 +0000 (13:44 +0200)

committer Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>

Fri, 30 Aug 2019 11:44:01 +0000 (13:44 +0200)
author Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>
Fri, 30 Aug 2019 11:44:01 +0000 (13:44 +0200)
committer Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>
Fri, 30 Aug 2019 11:44:01 +0000 (13:44 +0200)
diff --git a/src/src/deliver.c b/src/src/deliver.c

index a82a04f42a27d7cb2b011786cf575bdb363969df..59fbeeaf9a18bc69694c1996a3e0970d114cac58 100644 (file)
--- a/src/src/deliver.c
+++ b/src/src/deliver.c
@@ -4826,7 +4826,7 @@ all pipes, so I do not see a reason to use non-blocking IO here
        if (addr->peercert)
         {
          ptr = big_buffer;
        if (addr->peercert)
         {
          ptr = big_buffer;
-       if (!tls_export_cert(ptr, big_buffer_size-2, addr->peercert))
+       if (tls_export_cert(ptr, big_buffer_size-2, addr->peercert))
           while(*ptr++);
         else
           *ptr++ = 0;
           while(*ptr++);
         else
           *ptr++ = 0;
@@ -4835,7 +4835,7 @@ all pipes, so I do not see a reason to use non-blocking IO here
        if (addr->ourcert)
         {
          ptr = big_buffer;
        if (addr->ourcert)
         {
          ptr = big_buffer;
-       if (!tls_export_cert(ptr, big_buffer_size-2, addr->ourcert))
+       if (tls_export_cert(ptr, big_buffer_size-2, addr->ourcert))
           while(*ptr++);
         else
           *ptr++ = 0;
           while(*ptr++);
         else
           *ptr++ = 0;
diff --git a/src/src/functions.h b/src/src/functions.h

index ee0ad139ebc07c522168634ef0a0d0380b8f628c..b9af77dde8adbb77673b07d2163a54e17bd7fd8b 100644 (file)
--- a/src/src/functions.h
+++ b/src/src/functions.h
@@ -52,7 +52,7 @@ extern BOOL    tls_client_start(client_conn_ctx *, smtp_connect_args *,
  extern void    tls_close(void *, int);
  extern BOOL    tls_could_read(void);
  extern void    tls_daemon_init(void);
  extern void    tls_close(void *, int);
  extern BOOL    tls_could_read(void);
  extern void    tls_daemon_init(void);
-extern int     tls_export_cert(uschar *, size_t, void *);
+extern BOOL    tls_export_cert(uschar *, size_t, void *);
  extern int     tls_feof(void);
  extern int     tls_ferror(void);
  extern void    tls_free_cert(void **);
  extern int     tls_feof(void);
  extern int     tls_ferror(void);
  extern void    tls_free_cert(void **);
diff --git a/src/src/spool_out.c b/src/src/spool_out.c

index 0dfa4de525769829074484aabc18070262b0cb02..acc6c7b5f8ad08580df9cb61e18e7ec23cf37cc3 100644 (file)
--- a/src/src/spool_out.c
+++ b/src/src/spool_out.c
@@ -249,15 +249,15 @@ if (tls_in.certificate_verified) fprintf(fp, "-tls_certificate_verified\n");
  if (tls_in.cipher) spool_var_write(fp, US"tls_cipher", tls_in.cipher);
  if (tls_in.peercert)
    {
  if (tls_in.cipher) spool_var_write(fp, US"tls_cipher", tls_in.cipher);
  if (tls_in.peercert)
    {
-  (void) tls_export_cert(big_buffer, big_buffer_size, tls_in.peercert);
-  fprintf(fp, "--tls_peercert %s\n", CS big_buffer);
+  if (tls_export_cert(big_buffer, big_buffer_size, tls_in.peercert))
+    fprintf(fp, "--tls_peercert %s\n", CS big_buffer);
    }
  if (tls_in.peerdn)       spool_var_write(fp, US"tls_peerdn", string_printing(tls_in.peerdn));
  if (tls_in.sni)                 spool_var_write(fp, US"tls_sni",    string_printing(tls_in.sni));
  if (tls_in.ourcert)
    {
    }
  if (tls_in.peerdn)       spool_var_write(fp, US"tls_peerdn", string_printing(tls_in.peerdn));
  if (tls_in.sni)                 spool_var_write(fp, US"tls_sni",    string_printing(tls_in.sni));
  if (tls_in.ourcert)
    {
-  (void) tls_export_cert(big_buffer, big_buffer_size, tls_in.ourcert);
-  fprintf(fp, "-tls_ourcert %s\n", CS big_buffer);
+  if (tls_export_cert(big_buffer, big_buffer_size, tls_in.ourcert))
+    fprintf(fp, "-tls_ourcert %s\n", CS big_buffer);
    }
  if (tls_in.ocsp)        fprintf(fp, "-tls_ocsp %d\n",   tls_in.ocsp);
  # ifdef EXPERIMENTAL_TLS_RESUME
    }
  if (tls_in.ocsp)        fprintf(fp, "-tls_ocsp %d\n",   tls_in.ocsp);
  # ifdef EXPERIMENTAL_TLS_RESUME
diff --git a/src/src/tlscert-gnu.c b/src/src/tlscert-gnu.c

index 45135814ca912542af69e3bd39c67858f58ce290..f4d53601fa1ff00921e27f23661d1a8f65f482a1 100644 (file)
--- a/src/src/tlscert-gnu.c
+++ b/src/src/tlscert-gnu.c
@@ -21,12 +21,12 @@ tls.c when USE_GNUTLS has been set.
  /*****************************************************
  *  Export/import a certificate, binary/printable
  *****************************************************/
  /*****************************************************
  *  Export/import a certificate, binary/printable
  *****************************************************/
-int
+BOOL
  tls_export_cert(uschar * buf, size_t buflen, void * cert)
  {
  size_t sz = buflen;
  rmark reset_point = store_mark();
  tls_export_cert(uschar * buf, size_t buflen, void * cert)
  {
  size_t sz = buflen;
  rmark reset_point = store_mark();
-int fail;
+BOOL fail;
  const uschar * cp;
  
  if ((fail = gnutls_x509_crt_export((gnutls_x509_crt_t)cert,
  const uschar * cp;
  
  if ((fail = gnutls_x509_crt_export((gnutls_x509_crt_t)cert,
@@ -34,7 +34,7 @@ if ((fail = gnutls_x509_crt_export((gnutls_x509_crt_t)cert,
    {
    log_write(0, LOG_MAIN, "TLS error in certificate export: %s",
      gnutls_strerror(fail));
    {
    log_write(0, LOG_MAIN, "TLS error in certificate export: %s",
      gnutls_strerror(fail));
-  return 1;
+  return 0;
    }
  if ((cp = string_printing(buf)) != buf)
    {
    }
  if ((cp = string_printing(buf)) != buf)
    {
@@ -43,7 +43,7 @@ if ((cp = string_printing(buf)) != buf)
      fail = 1;
    }
  store_reset(reset_point);
      fail = 1;
    }
  store_reset(reset_point);
-return fail;
+return !fail;
  }
  
  int
  }
  
  int
diff --git a/src/src/tlscert-openssl.c b/src/src/tlscert-openssl.c

index 0aa65c8861cf3dbee82a676d50c7443f7febffb7..845c3014f0e856a6a7cec4a8b4d48b983857ec96 100644 (file)
--- a/src/src/tlscert-openssl.c
+++ b/src/src/tlscert-openssl.c
@@ -34,11 +34,11 @@ library. It is #included into the tls.c file when that library is used.
  /*****************************************************
  *  Export/import a certificate, binary/printable
  *****************************************************/
  /*****************************************************
  *  Export/import a certificate, binary/printable
  *****************************************************/
-int
+BOOL
  tls_export_cert(uschar * buf, size_t buflen, void * cert)
  {
  BIO * bp = BIO_new(BIO_s_mem());
  tls_export_cert(uschar * buf, size_t buflen, void * cert)
  {
  BIO * bp = BIO_new(BIO_s_mem());
-int fail;
+BOOL fail;
  
  if ((fail = PEM_write_bio_X509(bp, (X509 *)cert) ? 0 : 1))
    log_write(0, LOG_MAIN, "TLS error in certificate export: %s",
  
  if ((fail = PEM_write_bio_X509(bp, (X509 *)cert) ? 0 : 1))
    log_write(0, LOG_MAIN, "TLS error in certificate export: %s",
@@ -59,7 +59,7 @@ else
    }
  
  BIO_free(bp);
    }
  
  BIO_free(bp);
-return fail;
+return !fail;
  }
  
  int
  }
  
  int
author	Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>
	Fri, 30 Aug 2019 11:44:01 +0000 (13:44 +0200)
committer	Heiko Schlittermann (HS12-RIPE) <hs@schlittermann.de>
	Fri, 30 Aug 2019 11:44:01 +0000 (13:44 +0200)
src/src/deliver.c		patch \| blob \| blame \| history
src/src/functions.h		patch \| blob \| blame \| history
src/src/spool_out.c		patch \| blob \| blame \| history
src/src/tlscert-gnu.c		patch \| blob \| blame \| history
src/src/tlscert-openssl.c		patch \| blob \| blame \| history