On Sat, Nov 09, 2019 at 08:07:51AM -0500, Wietse Venema wrote:

> What other examples of known-harmless content can people expect to
> see? Should the list be configurable? If all these blobs embedded
> between lines
> 
> -----BEGIN TYPE OF OBJECT-----
> 
> -----END TYPE OF OBJECT-----
> 
> then it can be purely mechanical.

The OpenSSL PEM file parser already ignores content outside of
BEGIN/END boundaries, so the minimal patch to silently ignore
unexpected PEM data would be:

--- src/tls/tls_certkey.c
+++ src/tls/tls_certkey.c
@@ -412,9 +412,6 @@ static int load_pem_object(pem_load_state_t *st)
               || ((pkey_type = EVP_PKEY_DSA) != NID_undef
                   && strcmp(name, PEM_STRING_DSA) == 0)) {
        load_pkey(st, pkey_type, buf, buflen);
-    } else if (!st->mixed) {
-       msg_warn("error loading %s: unexpected PEM type: %s", st->source, name);
-       st->state = PEM_LOAD_STATE_NOGO;
     }
     OPENSSL_free(name);
     OPENSSL_free(header);

On a mostly unrelated note, OpenSSL 3.0 (~Q4 2020) is changing the
error API, so we'll eventually need:

--- src/tls/tls_misc.c
+++ src/tls/tls_misc.c
@@ -1332,6 +1332,18 @@ void    tls_print_errors(void)
     int     line;
     int     flags;
 
+#if defined(OPENSSL_VERSION_PREREQ) && OPENSSL_VERSION_PREREQ(3,0)
+    const char *func;
+
+    while ((err = ERR_get_error_all(&file, &line, &func, &data, &flags)) != 0) 
{
+       ERR_error_string_n(err, buffer, sizeof(buffer));
+       if (flags & ERR_TXT_STRING)
+           msg_warn("TLS library problem: %s:%s:%s:%d:%s:",
+                    buffer, file, func, line, data);
+       else
+           msg_warn("TLS library problem: %s:%s:%s:%d:", buffer, file, func, 
line);
+    }
+#else
     while ((err = ERR_get_error_line_data(&file, &line, &data, &flags)) != 0) {
        ERR_error_string_n(err, buffer, sizeof(buffer));
        if (flags & ERR_TXT_STRING)
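Review bot: The new `#if defined(OPENSSL_VERSION_PREREQ) && OPENSSL_VERSION_PREREQ(3,0)` branch carries no comment explaining why the whole loop is duplicated, so a later reader has to rediscover that the legacy ERR_get_error_line_data() call is the part OpenSSL 3.0 deprecates; add above the `#if` something like `/* OpenSSL 3.0 deprecates ERR_get_error_line_data(); ERR_get_error_all() also reports the function name, which is added to the log line. */`. Both branches pass library-supplied strings through a fixed msg_warn format, which is the right shape and should be preserved if the message text is reworked. Whether `func` can come back as a null pointer rather than an empty string is not visible here — presumably the library substitutes "" when no function name was recorded, but that is worth confirming against the OpenSSL 3.0 ERR_get_error_all() documentation before relying on `%s` for it. The declarations of err, file, data and buffer, and the start of tls_print_errors, lie outside the hunk, as does the matching `#endif` in the following hunk.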
@@ -1340,6 +1352,7 @@ void    tls_print_errors(void)
        else
            msg_warn("TLS library problem: %s:%s:%d:", buffer, file, line);
     }
+#endif
 }
 
 /* tls_info_callback - callback for logging SSL events via Postfix */

-- 
        Viktor.
