[or-cvs] Fix "JAP-client" hideous ASN1 bug, twice. (Fix1: check more...

Nick Mathewson nickm at seul.org
Sat Apr 23 14:26:05 UTC 2005


Update of /home/or/cvsroot/tor/src/common
In directory moria.mit.edu:/tmp/cvs-serv24340/src/common

Modified Files:
	tortls.c tortls.h 
Log Message:
Fix "JAP-client" hideous ASN1 bug, twice. (Fix1: check more thoroughly for TLS errors when handling certs. Fix2: stop assert(0)ing on uncaught TLS errors.)

Index: tortls.c
===================================================================
RCS file: /home/or/cvsroot/tor/src/common/tortls.c,v
retrieving revision 1.90
retrieving revision 1.91
diff -u -d -r1.90 -r1.91
--- tortls.c	1 Apr 2005 20:15:54 -0000	1.90
+++ tortls.c	23 Apr 2005 14:26:02 -0000	1.91
@@ -251,12 +251,12 @@
 
   goto done;
  error:
-  tls_log_errors(LOG_WARN, "generating certificate");
   if (x509) {
     X509_free(x509);
     x509 = NULL;
   }
  done:
+  tls_log_errors(LOG_WARN, "generating certificate");
   if (sign_pkey)
     EVP_PKEY_free(sign_pkey);
   if (pkey)
@@ -421,13 +421,18 @@
   tor_assert(global_tls_context); /* make sure somebody made it first */
   ctx = use_no_cert ? global_tls_context->client_only_ctx
     : global_tls_context->ctx;
-  if (!(result->ssl = SSL_new(ctx)))
+  if (!(result->ssl = SSL_new(ctx))) {
+    tls_log_errors(LOG_WARN, "generating TLS context");
+    tor_free(result);
     return NULL;
+  }
   result->socket = sock;
   SSL_set_fd(result->ssl, sock);
   result->state = TOR_TLS_ST_HANDSHAKE;
   result->isServer = isServer;
   result->wantwrite_n = 0;
+  /* Not expected to get called. */
+  tls_log_errors(LOG_WARN, "generating TLS context");
   return result;
 }
 
@@ -603,7 +608,9 @@
 tor_tls_peer_has_cert(tor_tls *tls)
 {
   X509 *cert;
-  if (!(cert = SSL_get_peer_certificate(tls->ssl)))
+  cert = SSL_get_peer_certificate(tls->ssl);
+  tls_log_errors(LOG_WARN, "getting peer certificate");
+  if (!cert)
     return 0;
   X509_free(cert);
   return 1;
@@ -621,6 +628,7 @@
   X509_NAME *name = NULL;
   int nid;
   int lenout;
+  int r = -1;
 
   if (!(cert = SSL_get_peer_certificate(tls->ssl))) {
     log_fn(LOG_WARN, "Peer has no certificate");
@@ -643,13 +651,15 @@
       log_fn(LOG_WARN, "  (Maybe it is not really running Tor at its advertised OR port.)");
     goto error;
   }
-  X509_free(cert);
 
-  return 0;
+  r = 0;
+
  error:
   if (cert)
     X509_free(cert);
-  return -1;
+
+  tls_log_errors(LOG_WARN, "getting peer certificate nickname");
+  return r;
 }
 
 static void log_cert_lifetime(X509 *cert, const char *problem)
@@ -688,6 +698,8 @@
   log_fn(LOG_WARN, "(certificate lifetime runs from %s through %s. Your time is %s.)",s1,s2,mytime);
 
  end:
+  /* Not expected to get invoked */
+  tls_log_errors(LOG_WARN, "getting certificate lifetime");
   if (bio)
     BIO_free(bio);
   if (s1)
@@ -797,6 +809,8 @@
  done:
   if (cert)
     X509_free(cert);
+  /* Not expected to get invoked */
+  tls_log_errors(LOG_WARN, "checking certificate lifetime");
 
   return r;
 }
@@ -830,16 +844,14 @@
   return BIO_number_written(SSL_get_wbio(tls->ssl));
 }
 
-/** Implement assert_no_tls_errors: If there are any pending OpenSSL
+/** Implement check_no_tls_errors: If there are any pending OpenSSL
  * errors, log an error message and assert(0). */
-void _assert_no_tls_errors(const char *fname, int line)
+void _check_no_tls_errors(const char *fname, int line)
 {
   if (ERR_peek_error() == 0)
     return;
   log_fn(LOG_ERR, "Unhandled OpenSSL errors found at %s:%d: ",
          fname, line);
   tls_log_errors(LOG_ERR, NULL);
-
-  tor_assert(0);
 }
 

Index: tortls.h
===================================================================
RCS file: /home/or/cvsroot/tor/src/common/tortls.h,v
retrieving revision 1.26
retrieving revision 1.27
diff -u -d -r1.26 -r1.27
--- tortls.h	1 Apr 2005 20:15:54 -0000	1.26
+++ tortls.h	23 Apr 2005 14:26:02 -0000	1.27
@@ -46,9 +46,9 @@
 
 /* Log and abort if there are unhandled TLS errors in OpenSSL's error stack.
  */
-#define assert_no_tls_errors() _assert_no_tls_errors(_SHORT_FILE_,__LINE__)
+#define check_no_tls_errors() _check_no_tls_errors(_SHORT_FILE_,__LINE__)
 
-void _assert_no_tls_errors(const char *fname, int line);
+void _check_no_tls_errors(const char *fname, int line);
 
 #endif
 



More information about the tor-commits mailing list