From 2cfe657672636aa5d7d2a14cfcb0a6ab9d1f00cf Mon Sep 17 00:00:00 2001
From: Rainer Gerhards <rgerhards@adiscon.com>
Date: Tue, 20 Mar 2018 12:30:12 +0100
Subject: [PATCH] unify error message generation
---
src/tcp.c | 38 +++++++++++++++++++++++++++++++++-----
1 file changed, 33 insertions(+), 5 deletions(-)
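--- a/src/tcp.c
+++ b/src/tcp.c
@@ -1172,9 +1172,35 @@ relpTcpGetCN(relpTcp_t *pThis, gnutls_x509_crt_t cert, char *namebuf, int lenNam
 return r;
 }
 
+
+/* helper to consistently add names to error message buffer */
+static int
+relpTcpAddToCertNamesBuffer(relpTcp_t *const pThis,
+ char *const buf,
+ const size_t buflen,
+ int *p_currIdx,
+ const char *const certName)
+{
+ int r = 0;
+ assert(buf != NULL);
+ assert(p_currIdx != NULL);
+ const int currIdx = *p_currIdx;
+ const int n = snprintf(buf + currIdx, buflen - currIdx,
+ "DNSname: %s; ", certName);
+ if(n < 0 || n >= (int) (buflen - currIdx)) {
+ callOnAuthErr(pThis, "", "certificate validation failed, names "
+ "inside certifcate are way to long (> 32KiB)",
+ RELP_RET_AUTH_CERT_INVL);
+ r = GNUTLS_E_CERTIFICATE_ERROR;
+ } else {
+ *p_currIdx += n;
+ }
+ return r;
+}
+
 /* Check the peer's ID in name auth mode. */
 static int
-relpTcpChkPeerName(relpTcp_t *pThis, gnutls_x509_crt_t cert)
+relpTcpChkPeerName(relpTcp_t *const pThis, gnutls_x509_crt_t cert)
 {
 int r = 0;
 int ret;
@@ -1213,8 +1239,9 @@ relpTcpChkPeerName(relpTcp_t *pThis, gnutls_x509_crt_t cert)
 break;
 else if(gnuRet == GNUTLS_SAN_DNSNAME) {
 pThis->pEngine->dbgprint("librelp: subject alt dnsName: '%s'\n", szAltName);
-iAllNames += snprintf(allNames+iAllNames, sizeof(allNames)-iAllNames,
-"DNSname: %s; ", szAltName);
+ r = relpTcpAddToCertNamesBuffer(pThis, allNames, sizeof(allNames),
+ &iAllNames, szAltName);
+ if(r != 0) goto done;
 relpTcpChkOnePeerName(pThis, szAltName, &bFoundPositiveMatch);
 /* do NOT break, because there may be multiple dNSName's! */
 }
@@ -1225,8 +1252,9 @@ relpTcpChkPeerName(relpTcp_t *pThis, gnutls_x509_crt_t cert)
 /* if we did not succeed so far, we try the CN part of the DN... */
 if(relpTcpGetCN(pThis, cert, cnBuf, sizeof(cnBuf)) == 0) {
 pThis->pEngine->dbgprint("librelp: relpTcp now checking auth for CN '%s'\n", cnBuf);
-iAllNames += snprintf(allNames+iAllNames, sizeof(allNames)-iAllNames,
-"CN: %s; ", cnBuf);
+ r = relpTcpAddToCertNamesBuffer(pThis, allNames, sizeof(allNames),
+ &iAllNames, cnBuf);
+ if(r != 0) goto done;
 relpTcpChkOnePeerName(pThis, cnBuf, &bFoundPositiveMatch);
 }
 }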
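Review bot: The new helper hard-codes the `"DNSname: %s; "` prefix in its snprintf, so in the third hunk the CN branch, which previously appended `"CN: %s; "`, now labels the subject CN as a DNS name in the names list that ends up in the auth-error text; anyone triaging a peer-name mismatch from the log will be told a DNS SAN was checked when it was the CN. A name-type parameter on the helper keeps the unification while restoring the original labels, as sketched below, with the two call sites passing `"DNSname"` and `"CN"`. Separately, the diagnostic in the helper has two typos (`certifcate`, `way to long`) and states a `> 32KiB` limit that the hunk does not show, since the size of `allNames` is declared outside it; `"certificate validation failed, names inside certificate are too long"` avoids baking a number into the message that can drift from the buffer. relpTcpChkPeerName's body and its `done` label continue outside the hunks.
```c
static int
relpTcpAddToCertNamesBuffer(relpTcp_t *const pThis,
 char *const buf,
 const size_t buflen,
 int *p_currIdx,
 const char *const nameType, /* label for the error text, e.g. "DNSname" or "CN" */
 const char *const certName)
{
 /* … unchanged: asserts, currIdx … */
 const int n = snprintf(buf + currIdx, buflen - currIdx,
 "%s: %s; ", nameType, certName);
 /* … unchanged: overflow check, callOnAuthErr, index update, return … */
}
```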