From 59b87190a41a0ac34aee74edfff9184785a73485 Mon Sep 17 00:00:00 2001
From: Jeremy Harris
Date: Wed, 30 Dec 2015 20:39:45 +0000
Subject: Support certificates in base64 expansion operator. Bug 1762
---
 src/src/expand.c | 15 +++++++++------
 src/src/functions.h | 1 +
 src/src/tlscert-gnu.c | 22 ++++++++++++++++++++++
 src/src/tlscert-openssl.c | 20 ++++++++++++++++++++
 4 files changed, 52 insertions(+), 6 deletions(-)
(limited to 'src')
diff --git a/src/src/expand.c b/src/src/expand.c
index fad8cc7c7..4d3dd6fd5 100644
--- a/src/src/expand.c
+++ b/src/src/expand.c
@@ -6043,6 +6043,7 @@ while (*s != 0)
     case EOP_MD5:
     case EOP_SHA1:
     case EOP_SHA256:
+    case EOP_BASE64:
     if (s[1] == '$')
       {
       const uschar * s1 = s;
@@ -6888,15 +6889,17 @@ while (*s != 0)
 
     case EOP_STR2B64:
     case EOP_BASE64:
-      {
-      uschar *encstr = b64encode(sub, Ustrlen(sub));
-      yield = string_cat(yield, &size, &ptr, encstr, Ustrlen(encstr));
-      continue;
-      }
+      {
+      uschar * s = vp && *(void **)vp->value
+        ? tls_cert_der_b64(*(void **)vp->value)
+        : b64encode(sub, Ustrlen(sub));
+      yield = string_cat(yield, &size, &ptr, s, Ustrlen(s));
+      continue;
+      }
 
     case EOP_BASE64D:
       {
-      uschar *s;
+      uschar * s;
       int len = b64decode(sub, &s);
       if (len < 0)
         {
diff --git a/src/src/functions.h b/src/src/functions.h
index d37b7489b..1d2d6b8ae 100644
--- a/src/src/functions.h
+++ b/src/src/functions.h
@@ -39,6 +39,7 @@ extern uschar * tls_cert_subject(void *, uschar * mod);
 extern uschar * tls_cert_subject_altname(void *, uschar * mod);
 extern uschar * tls_cert_version(void *, uschar * mod);
 
+extern uschar * tls_cert_der_b64(void * cert);
 extern uschar * tls_cert_fprt_md5(void *);
 extern uschar * tls_cert_fprt_sha1(void *);
 extern uschar * tls_cert_fprt_sha256(void *);
diff --git a/src/src/tlscert-gnu.c b/src/src/tlscert-gnu.c
index d00258b9e..80b6fb142 100644
--- a/src/src/tlscert-gnu.c
+++ b/src/src/tlscert-gnu.c
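Review bot: In the new EOP_BASE64 block the result of tls_cert_der_b64() is handed straight to Ustrlen() and string_cat(), but that function returns NULL when the certificate export fails (both the GnuTLS and the OpenSSL implementation in this commit log the error and return NULL), so a failed export would dereference a null pointer in the middle of string expansion. A guard before the string_cat such as `if (!s) { expand_string_message = US"certificate export failed"; goto EXPAND_FAILED; }` would turn that into an ordinary expansion failure, which is what the rest of the operator code does on error. The new local `uschar * s` also shadows the parse pointer `s` of the enclosing `while (*s != 0)` loop shown in the hunk header; the BASE64D case already did this, but a name such as `b64` would avoid the confusion for anyone reading the two side by side. The enclosing switch and loop start and end outside the hunk.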
@@ -418,6 +418,28 @@ for(index = 0;; index++)
 /*****************************************************
 * Certificate operator routines
 *****************************************************/
+uschar *
+tls_cert_der_b64(void * cert)
+{
+size_t len = 0;
+uschar * cp = NULL;
+int fail;
+
+if (  (fail = gnutls_x509_crt_export((gnutls_x509_crt_t)cert,
+        GNUTLS_X509_FMT_DER, cp, &len)) != GNUTLS_E_SHORT_MEMORY_BUFFER
+   || !(cp = store_get((int)len))
+   || (fail = gnutls_x509_crt_export((gnutls_x509_crt_t)cert,
+        GNUTLS_X509_FMT_DER, cp, &len))
+   )
+  {
+  log_write(0, LOG_MAIN, "TLS error in certificate export: %s",
+    gnutls_strerror(fail));
+  return NULL;
+  }
+return b64encode(cp, (int)len);
+}
+
+
 static uschar *
 fingerprint(gnutls_x509_crt_t cert, gnutls_digest_algorithm_t algo)
 {
diff --git a/src/src/tlscert-openssl.c b/src/src/tlscert-openssl.c
index 94534d808..4d45ad9f9 100644
--- a/src/src/tlscert-openssl.c
+++ b/src/src/tlscert-openssl.c
@@ -464,6 +464,26 @@ return list;
 /*****************************************************
 * Certificate operator routines
 *****************************************************/
+uschar *
+tls_cert_der_b64(void * cert)
+{
+BIO * bp = BIO_new(BIO_s_mem());
+uschar * cp = NULL;
+
+if (!i2d_X509_bio(bp, (X509 *)cert))
+  log_write(0, LOG_MAIN, "TLS error in certificate export: %s",
+    ERR_error_string(ERR_get_error(), NULL));
+else
+  {
+  long len = BIO_get_mem_data(bp, &cp);
+  cp = b64encode(cp, (int)len);
+  }
+
+BIO_free(bp);
+return cp;
+}
+
+
 static uschar *
 fingerprint(X509 * cert, const EVP_MD * fdig)
 {
-- 
cgit v1.2.3
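Review bot: tls_cert_der_b64() is added without a header comment, and the one fact its caller most needs — that it returns NULL after logging when gnutls_x509_crt_export() fails — is not stated anywhere, while expand.c consumes the result as a plain string. A comment above the definition such as `/* Return the certificate DER-encoded and base64'd (in the same store b64encode() uses), or NULL after logging if the export fails. */` would cover it; the same comment belongs on the OpenSSL implementation in tlscert-openssl.c further down. Note also that if the `!(cp = store_get((int)len))` arm of the condition is ever taken, `fail` still holds GNUTLS_E_SHORT_MEMORY_BUFFER from the sizing call, so the gnutls_strerror() text in the log would describe the wrong failure; if store_get() cannot return NULL in this code base the arm is dead but still misleading to read.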
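Review bot: BIO_new() can return NULL and the new tls_cert_der_b64() passes it to i2d_X509_bio() unchecked; the write then fails, the log line reports whatever ERR_get_error() happens to hold, and the function returns NULL by accident rather than by design. An explicit check such as `if (!bp) { log_write(0, LOG_MAIN, "TLS error in certificate export: BIO_new failed"); return NULL; }` before the export makes the allocation failure visible and keeps the error path shaped like the GnuTLS version. The `(int)len` narrowing of the `long` from BIO_get_mem_data() appears to mirror b64encode()'s length parameter and is harmless for certificate-sized data, but a short comment saying so would stop a later reader from flagging it.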