shithub: riscv

Download patch

ref: cb1dc365c292e82a17b2e0a231b248b84773a14c
parent: efddf485006559bef5e8791b637e742d865df434
author: cinap_lenrek <cinap_lenrek@felloff.net>
date: Wed Mar 15 20:05:08 EDT 2017 

upas/fs: fix memory leaks in tls code, handle tls in a common wraptls() function


--- a/sys/src/cmd/upas/fs/dat.h
+++ b/sys/src/cmd/upas/fs/dat.h
@@ -216,6 +216,8 @@
 char		*flagmessages(int, char**);
 void		digestmessage(Mailbox*, Message*);
 
+int		wraptls(int);
+
 void		eprint(char*, ...);
 void		iprint(char *, ...);
 int		newid(void);
--- a/sys/src/cmd/upas/fs/imap.c
+++ b/sys/src/cmd/upas/fs/imap.c
@@ -60,8 +60,6 @@
 	int	nuid;
 	int	muid;
 
-	Thumbprint *thumb;
-
 	/* open network connection */
 	Biobuf	bin;
 	Biobuf	bout;
@@ -760,44 +758,6 @@
 	return buf;
 }
 
-static int
-starttls(Imap *imap, TLSconn *tls)
-{
-	char buf[Pathlen];
-	uchar digest[SHA1dlen];
-	int sfd, fd;
-
-	memset(tls, 0, sizeof *tls);
-	sfd = tlsClient(imap->fd, tls);
-	if(sfd < 0){
-		werrstr("tlsClient: %r");
-		return -1;
-	}
-	if(tls->cert == nil || tls->certlen <= 0){
-		close(sfd);
-		werrstr("server did not provide TLS certificate");
-		return -1;
-	}
-	sha1(tls->cert, tls->certlen, digest, nil);
-	if(!imap->thumb || !okThumbprint(digest, imap->thumb)){
-		close(sfd);
-		werrstr("server certificate %.*H not recognized",
-			SHA1dlen, digest);
-		return -1;
-	}
-	close(imap->fd);
-	imap->fd = sfd;
-
-	if(imap->flags & Fdebug){
-		snprint(buf, sizeof buf, "%s/ctl", tls->dir);
-		fd = open(buf, OWRITE);
-		fprint(fd, "debug");
-		close(fd);
-	}
-
-	return 1;
-}
-
 static void
 imap4disconnect(Imap *imap)
 {
@@ -806,8 +766,10 @@
 		Bterm(&imap->bout);
 		imap->binit = 0;
 	}
-	close(imap->fd);
-	imap->fd = -1;
+	if(imap->fd >= 0){
+		close(imap->fd);
+		imap->fd = -1;
+	}
 }
 
 char*
@@ -827,7 +789,6 @@
 imap4dial(Imap *imap)
 {
 	char *err, *port;
-	TLSconn conn;
 
 	if(imap->fd >= 0){
 		imap4cmd(imap, "noop");
@@ -841,9 +802,8 @@
 		port = "imap";
 	if((imap->fd = dial(netmkaddr(imap->host, "net", port), 0, 0, 0)) < 0)
 		return imaperrstr(imap->host, port);
-	if(imap->flags & Fssl && starttls(imap, &conn) == -1){
+	if(imap->flags & Fssl && (imap->fd = wraptls(imap->fd)) < 0){
 		err = imaperrstr(imap->host, port);
-		free(conn.cert);
 		imap4disconnect(imap);
 		return err;
 	}
@@ -1074,7 +1034,6 @@
 static char*
 imap4ctl(Mailbox *mb, int argc, char **argv)
 {
-	char *a, *b;
 	Imap *imap;
 
 	imap = mb->aux;
@@ -1085,26 +1044,6 @@
 		imap->flags ^= Fdebug;
 		return nil;
 	}
-	if(strcmp(argv[0], "thumbprint") == 0){
-		if(imap->thumb){
-			freeThumbprints(imap->thumb);
-			imap->thumb = 0;
-		}
-		a = "/sys/lib/tls/mail";
-		b = "/sys/lib/tls/mail.exclude";
-		switch(argc){
-		default:
-			return Eimap4ctl;
-		case 4:
-			b = argv[2];
-		case 3:
-			a = argv[1];
-		case 2:
-			break;
-		}
-		imap->thumb = initThumbprints(a, b);
-		return nil;
-	}
 	if(argc == 2 && strcmp(argv[0], "uid") == 0){
 		uvlong l;
 		Message *m;
@@ -1253,9 +1192,6 @@
 	else
 		imap->mbox = strdup(f[4]);
 	mkmbox(imap, mb->path, mb->path + sizeof mb->path);
-	if(imap->flags & Fssl)
-		imap->thumb = initThumbprints("/sys/lib/tls/mail", "/sys/lib/tls/mail.exclude");
-
 	mb->aux = imap;
 	mb->sync = imap4sync;
 	mb->close = imap4close;
--- a/sys/src/cmd/upas/fs/mkfile
+++ b/sys/src/cmd/upas/fs/mkfile
@@ -18,6 +18,7 @@
 	remove.$O\
 	rename.$O\
 	strtotm.$O\
+	tls.$O\
 
 LIB=../common/libcommon.a$O\
 
--- a/sys/src/cmd/upas/fs/pop3.c
+++ b/sys/src/cmd/upas/fs/pop3.c
@@ -32,7 +32,6 @@
 	Biobuf	bout;
 	int	fd;
 	char	*lastline;		/* from Brdstr */
-	Thumbprint *thumb;
 };
 
 static int
@@ -120,38 +119,6 @@
 	return 0;
 }
 
-static char*
-pop3pushtls(Pop *pop)
-{
-	int fd;
-	uchar digest[SHA1dlen];
-	TLSconn conn;
-
-	memset(&conn, 0, sizeof conn);
-	// conn.trace = pop3log;
-	fd = tlsClient(pop->fd, &conn);
-	if(fd < 0)
-		return "tls error";
-	if(conn.cert==nil || conn.certlen <= 0){
-		close(fd);
-		return "server did not provide TLS certificate";
-	}
-	sha1(conn.cert, conn.certlen, digest, nil);
-	if(!pop->thumb || !okThumbprint(digest, pop->thumb)){
-		close(fd);
-		free(conn.cert);
-		eprint("pop3: server certificate %.*H not recognized\n", SHA1dlen, digest);
-		return "bad server certificate";
-	}
-	free(conn.cert);
-	close(pop->fd);
-	pop->fd = fd;
-	pop->encrypted = 1;
-	Binit(&pop->bin, pop->fd, OREAD);
-	Binit(&pop->bout, pop->fd, OWRITE);
-	return nil;
-}
-
 /*
  *  get capability list, possibly start tls
  */
@@ -182,8 +149,13 @@
 		pop3cmd(pop, "STLS");
 		if(!isokay(s = pop3resp(pop)))
 			return s;
-		if((s = pop3pushtls(pop)) != nil)
-			return s;
+		Bterm(&pop->bin);
+		Bterm(&pop->bout);
+		if((pop->fd = wraptls(pop->fd)) < 0)
+			return geterrstr();
+		pop->encrypted = 1;
+		Binit(&pop->bin, pop->fd, OREAD);
+		Binit(&pop->bout, pop->fd, OWRITE);
 	}
 	return nil;
 }
@@ -265,15 +237,11 @@
 
 	if((pop->fd = dial(netmkaddr(pop->host, "net", pop->needssl ? "pop3s" : "pop3"), 0, 0, 0)) < 0)
 		return geterrstr();
-
-	if(pop->needssl){
-		if((err = pop3pushtls(pop)) != nil)
-			return err;
-	}else{
-		Binit(&pop->bin, pop->fd, OREAD);
-		Binit(&pop->bout, pop->fd, OWRITE);
-	}
-
+	if(pop->needssl && (pop->fd = wraptls(pop->fd)) < 0)
+		return geterrstr();
+	pop->encrypted = pop->needssl;
+	Binit(&pop->bin, pop->fd, OREAD);
+	Binit(&pop->bout, pop->fd, OWRITE);
 	if(err = pop3login(pop)) {
 		close(pop->fd);
 		return err;
@@ -607,11 +575,6 @@
 		return nil;
 	}
 
-	if(argc==1 && strcmp(argv[0], "thumbprint")==0){
-		if(pop->thumb)
-			freeThumbprints(pop->thumb);
-		pop->thumb = initThumbprints("/sys/lib/tls/mail", "/sys/lib/tls/mail.exclude");
-	}
 	if(strcmp(argv[0], "refresh")==0){
 		if(argc==1){
 			pop->refreshtime = 60;
@@ -693,8 +656,6 @@
 	pop->needtls = poptls || apoptls;
 	pop->refreshtime = 60;
 	pop->notls = popnotls || apopnotls;
-	pop->thumb = initThumbprints("/sys/lib/tls/mail", "/sys/lib/tls/mail.exclude");
-
 	mkmbox(pop, mb->path, mb->path + sizeof mb->path);
 	mb->aux = pop;
 	mb->sync = pop3sync;
@@ -704,4 +665,3 @@
 	mb->addfrom = 1;
 	return nil;
 }
-
--- /dev/null
+++ b/sys/src/cmd/upas/fs/tls.c
@@ -1,0 +1,39 @@
+#include "common.h"
+#include <libsec.h>
+#include <auth.h>
+#include "dat.h"
+
+int
+wraptls(int ofd)
+{
+	uchar digest[SHA1dlen];
+	Thumbprint *thumb;
+	TLSconn conn;
+	int fd;
+
+	memset(&conn, 0, sizeof conn);
+	fd = tlsClient(ofd, &conn);
+	if(fd < 0){
+		close(ofd);
+		return -1;
+	}
+	thumb = initThumbprints("/sys/lib/tls/mail", "/sys/lib/tls/mail.exclude");
+	if(thumb != nil){
+		if(conn.cert == nil || conn.certlen <= 0){
+			werrstr("server did not provide TLS certificate");
+			goto Err;
+		}
+		sha1(conn.cert, conn.certlen, digest, nil);
+		if(!okThumbprint(digest, thumb)){
+			werrstr("server certificate %.*H not recognized",
+				SHA1dlen, digest);
+		Err:
+			close(fd);
+			fd = -1;
+		}
+		freeThumbprints(thumb);
+	}
+	free(conn.cert);
+	free(conn.sessionID);
+	return fd;
+}