| |
@@ -95,7 +95,6 @@
|
| |
#define CIPHER_SET_ALLOWWEAKDHPARAM 0x200 /* allowWeakDhParam is on */
|
| |
#define CIPHER_SET_DISALLOWWEAKDHPARAM 0x400 /* allowWeakDhParam is off */
|
| |
|
| |
-
|
| |
#define CIPHER_SET_ISDEFAULT(flag) \
|
| |
(((flag)&CIPHER_SET_DEFAULT) ? PR_TRUE : PR_FALSE)
|
| |
#define CIPHER_SET_ISALL(flag) \
|
| |
@@ -694,10 +693,12 @@
|
| |
active = 0;
|
| |
break;
|
| |
default:
|
| |
- PR_snprintf(err, sizeof(err), "invalid ciphers <%s>: format is "
|
| |
- "+cipher1,-cipher2...",
|
| |
- raw);
|
| |
- return slapi_ch_strdup(err);
|
| |
+ if (strlen(raw) > MAGNUS_ERROR_LEN) {
|
| |
+ PR_snprintf(err, sizeof(err) - 3, "%s...", raw);
|
| |
+ return slapi_ch_smprintf("invalid ciphers <%s>: format is +cipher1,-cipher2...", err);
|
| |
+ } else {
|
| |
+ return slapi_ch_smprintf("invalid ciphers <%s>: format is +cipher1,-cipher2...", raw);
|
| |
+ }
|
| |
}
|
| |
if ((t = strchr(setciphers, ',')))
|
| |
*t++ = '\0';
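Review bot: In the long-input branch of the `default:` case the trailing `...` never reaches the message. That branch only runs when `raw` exceeds the limit, so `PR_snprintf(err, sizeof(err) - 3, "%s...", raw)` fills the buffer with `raw` and is cut off before the literal suffix, and the log shows a silently clipped value. Bounding the string with a precision keeps the marker, e.g. `PR_snprintf(err, sizeof(err), "%.*s...", (int)(sizeof(err) - 4), raw);`. The test compares against `MAGNUS_ERROR_LEN` while the bound uses `sizeof(err)`; the declaration of `err` and the rest of the function are outside this hunk, so confirm the two agree. A short comment such as `/* clip the echoed cipher string so an oversized config value cannot flood the error log */` would record why the value is truncated.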
|
| |
@@ -1694,7 +1695,6 @@
|
| |
PRUint16 NSSVersionMax = enabledNSSVersions.max;
|
| |
char mymin[VERSION_STR_LENGTH], mymax[VERSION_STR_LENGTH];
|
| |
char newmax[VERSION_STR_LENGTH];
|
| |
- char cipher_string[1024];
|
| |
int allowweakcipher = CIPHER_SET_DEFAULTWEAKCIPHER;
|
| |
int_fast16_t renegotiation = (int_fast16_t)SSL_RENEGOTIATE_REQUIRES_XTN;
|
| |
|
| |
@@ -1735,21 +1735,17 @@
|
| |
"Ignoring it and set it to default.", val, configDN);
|
| |
}
|
| |
}
|
| |
- slapi_ch_free((void **)&val);
|
| |
+ slapi_ch_free_string(&val);
|
| |
|
| |
/* Set SSL cipher preferences */
|
| |
- *cipher_string = 0;
|
| |
- if (ciphers && (*ciphers) && PL_strcmp(ciphers, "blank"))
|
| |
- PL_strncpyz(cipher_string, ciphers, sizeof(cipher_string));
|
| |
- slapi_ch_free((void **)&ciphers);
|
| |
-
|
| |
- if (NULL != (val = _conf_setciphers(cipher_string, allowweakcipher))) {
|
| |
+ if (NULL != (val = _conf_setciphers(ciphers, allowweakcipher))) {
|
| |
errorCode = PR_GetError();
|
| |
slapd_SSL_warn("Failed to set SSL cipher "
|
| |
"preference information: %s (" SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
|
| |
val, errorCode, slapd_pr_strerror(errorCode));
|
| |
- slapi_ch_free((void **)&val);
|
| |
+ slapi_ch_free_string(&val);
|
| |
}
|
| |
+ slapi_ch_free_string(&ciphers);
|
| |
freeConfigEntry(&e);
|
| |
|
| |
/* Import pr fd into SSL */
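Review bot: `_conf_setciphers(ciphers, allowweakcipher)` now receives the attribute value unfiltered, so the guard the removed lines applied in the caller is gone. Previously a NULL, empty or "blank" value all became an empty `cipher_string`. The entry of `_conf_setciphers` is not in this diff, so unless it treats all three cases as "use the default set", a missing attribute may now be dereferenced as NULL, and "blank" would presumably reach the parser and land in the `default:` error path with only a warning logged. Either confirm the callee handles these, or keep the mapping before the call, e.g. `if (ciphers && !PL_strcmp(ciphers, "blank")) { *ciphers = '\0'; }`, plus a NULL check where the callee first reads its argument. The callee also writes NULs into its argument (`*t++ = '\0'` in the earlier hunk); that is safe for this heap copy, but deserves a line in its header comment now that the caller's own buffer is passed in.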
|
| |
@@ -1820,12 +1816,12 @@
|
| |
activation = slapi_entry_attr_get_charptr(e, "nssslactivation");
|
| |
if ((!activation) || (!PL_strcasecmp(activation, "off"))) {
|
| |
/* this family was turned off, goto next */
|
| |
- slapi_ch_free((void **)&activation);
|
| |
+ slapi_ch_free_string(&activation);
|
| |
freeConfigEntry(&e);
|
| |
continue;
|
| |
}
|
| |
|
| |
- slapi_ch_free((void **)&activation);
|
| |
+ slapi_ch_free_string(&activation);
|
| |
|
| |
token = slapi_entry_attr_get_charptr(e, "nsssltoken");
|
| |
personality = slapi_entry_attr_get_charptr(e, "nssslpersonalityssl");
|
| |
@@ -1842,8 +1838,8 @@
|
| |
"family information. Missing nsssltoken or"
|
| |
"nssslpersonalityssl in %s (" SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
|
| |
*family, errorCode, slapd_pr_strerror(errorCode));
|
| |
- slapi_ch_free((void **)&token);
|
| |
- slapi_ch_free((void **)&personality);
|
| |
+ slapi_ch_free_string(&token);
|
| |
+ slapi_ch_free_string(&personality);
|
| |
freeConfigEntry(&e);
|
| |
continue;
|
| |
}
|
| |
@@ -1870,7 +1866,7 @@
|
| |
"private key for cert %s of family %s (" SLAPI_COMPONENT_NAME_NSPR " error %d - %s)",
|
| |
cert_name, *family,
|
| |
errorCode, slapd_pr_strerror(errorCode));
|
| |
- slapi_ch_free((void **)&personality);
|
| |
+ slapi_ch_free_string(&personality);
|
| |
CERT_DestroyCertificate(cert);
|
| |
cert = NULL;
|
| |
freeConfigEntry(&e);
|
| |
Maybe I'm missing it, but how is ciphers allocated / reallocated to ensure it's large enough?