From: Heiko Schlittermann (HS12-RIPE) Date: Fri, 30 Aug 2019 11:44:01 +0000 (+0200) Subject: Always check return from tls_export_cert() X-Git-Url: https://git.exim.org/users/heiko/exim.git/commitdiff_plain/2944124ccb62cbf64e44bc8e0894fb30307514da Always check return from tls_export_cert() Invert the meaning of the return. --- diff --git a/src/src/deliver.c b/src/src/deliver.c index a82a04f42..59fbeeaf9 100644 --- a/src/src/deliver.c +++ b/src/src/deliver.c @@ -4826,7 +4826,7 @@ all pipes, so I do not see a reason to use non-blocking IO here if (addr->peercert) { ptr = big_buffer; - if (!tls_export_cert(ptr, big_buffer_size-2, addr->peercert)) + if (tls_export_cert(ptr, big_buffer_size-2, addr->peercert)) while(*ptr++); else *ptr++ = 0; @@ -4835,7 +4835,7 @@ all pipes, so I do not see a reason to use non-blocking IO here if (addr->ourcert) { ptr = big_buffer; - if (!tls_export_cert(ptr, big_buffer_size-2, addr->ourcert)) + if (tls_export_cert(ptr, big_buffer_size-2, addr->ourcert)) while(*ptr++); else *ptr++ = 0; diff --git a/src/src/functions.h b/src/src/functions.h index ee0ad139e..b9af77dde 100644 --- a/src/src/functions.h +++ b/src/src/functions.h @@ -52,7 +52,7 @@ extern BOOL tls_client_start(client_conn_ctx *, smtp_connect_args *, extern void tls_close(void *, int); extern BOOL tls_could_read(void); extern void tls_daemon_init(void); -extern int tls_export_cert(uschar *, size_t, void *); +extern BOOL tls_export_cert(uschar *, size_t, void *); extern int tls_feof(void); extern int tls_ferror(void); extern void tls_free_cert(void **); diff --git a/src/src/spool_out.c b/src/src/spool_out.c index 0dfa4de52..acc6c7b5f 100644 --- a/src/src/spool_out.c +++ b/src/src/spool_out.c @@ -249,15 +249,15 @@ if (tls_in.certificate_verified) fprintf(fp, "-tls_certificate_verified\n"); if (tls_in.cipher) spool_var_write(fp, US"tls_cipher", tls_in.cipher); if (tls_in.peercert) { - (void) tls_export_cert(big_buffer, big_buffer_size, tls_in.peercert); - fprintf(fp, "--tls_peercert %s\n", CS big_buffer); + if (tls_export_cert(big_buffer, big_buffer_size, tls_in.peercert)) + fprintf(fp, "--tls_peercert %s\n", CS big_buffer); } if (tls_in.peerdn) spool_var_write(fp, US"tls_peerdn", string_printing(tls_in.peerdn)); if (tls_in.sni) spool_var_write(fp, US"tls_sni", string_printing(tls_in.sni)); if (tls_in.ourcert) { - (void) tls_export_cert(big_buffer, big_buffer_size, tls_in.ourcert); - fprintf(fp, "-tls_ourcert %s\n", CS big_buffer); + if (tls_export_cert(big_buffer, big_buffer_size, tls_in.ourcert)) + fprintf(fp, "-tls_ourcert %s\n", CS big_buffer); } if (tls_in.ocsp) fprintf(fp, "-tls_ocsp %d\n", tls_in.ocsp); # ifdef EXPERIMENTAL_TLS_RESUME diff --git a/src/src/tlscert-gnu.c b/src/src/tlscert-gnu.c index 45135814c..f4d53601f 100644 --- a/src/src/tlscert-gnu.c +++ b/src/src/tlscert-gnu.c @@ -21,12 +21,12 @@ tls.c when USE_GNUTLS has been set. /***************************************************** * Export/import a certificate, binary/printable *****************************************************/ -int +BOOL tls_export_cert(uschar * buf, size_t buflen, void * cert) { size_t sz = buflen; rmark reset_point = store_mark(); -int fail; +BOOL fail; const uschar * cp; if ((fail = gnutls_x509_crt_export((gnutls_x509_crt_t)cert, @@ -34,7 +34,7 @@ if ((fail = gnutls_x509_crt_export((gnutls_x509_crt_t)cert, { log_write(0, LOG_MAIN, "TLS error in certificate export: %s", gnutls_strerror(fail)); - return 1; + return 0; } if ((cp = string_printing(buf)) != buf) { @@ -43,7 +43,7 @@ if ((cp = string_printing(buf)) != buf) fail = 1; } store_reset(reset_point); -return fail; +return !fail; } int diff --git a/src/src/tlscert-openssl.c b/src/src/tlscert-openssl.c index 0aa65c886..845c3014f 100644 --- a/src/src/tlscert-openssl.c +++ b/src/src/tlscert-openssl.c @@ -34,11 +34,11 @@ library. It is #included into the tls.c file when that library is used. /***************************************************** * Export/import a certificate, binary/printable *****************************************************/ -int +BOOL tls_export_cert(uschar * buf, size_t buflen, void * cert) { BIO * bp = BIO_new(BIO_s_mem()); -int fail; +BOOL fail; if ((fail = PEM_write_bio_X509(bp, (X509 *)cert) ? 0 : 1)) log_write(0, LOG_MAIN, "TLS error in certificate export: %s", @@ -59,7 +59,7 @@ else } BIO_free(bp); -return fail; +return !fail; } int