Crypto/LibSSL Usage Fixes (#930)

* Check for errors when calling X509_get1_ocsp and handle them * Fix bug where we were reporting errors on post-2038 times even when 64-bit time is available.
circonus-labs · Aug 20, 2024 · d2dba29 · d2dba29
1 parent b7eb09f
commit d2dba29
Show file tree

Hide file tree

Showing 4 changed files with 28 additions and 23 deletions.
diff --git a/src/eventer/OETS_asn1_helper.c b/src/eventer/OETS_asn1_helper.c
@@ -85,14 +85,20 @@ static int pint(const char **s, int n, int min, int max, int *e)
     return retval;
 }
 
-time_t OETS_ASN1_TIME_get(ASN1_TIME *a, int *err)
+time_t OETS_ASN1_TIME_get(const ASN1_TIME *a, int *err)
 {
     int dummy;
     const char *s;
     int generalized;
     struct tm t;
-    int i, year, isleap, offset;
+    int i, isleap, offset;
+    // make year a time_t because we do multiplication with it and we want
+    // to make sure that it's using the right size in the answer... if you
+    // make year an int, it will compress to 32-bit even when time_t is
+    // 64-bit
+    time_t year;
     time_t retval;
+    int time_t_size = sizeof(time_t);
 
     if (err == NULL) err = &dummy;
     if (a->type == V_ASN1_GENERALIZEDTIME) {
@@ -175,7 +181,7 @@ time_t OETS_ASN1_TIME_get(ASN1_TIME *a, int *err)
     retval += t.tm_hour * 3600;
     retval += (t.tm_mday - 1) * 86400;
     year = t.tm_year + 1900;
-    if (sizeof(time_t) == 4) {
+    if (time_t_size == 4) {
         // This is just to avoid too big overflows being undetected, finer
         // overflow detection is done below.
         if (year < 1900 || year > 2040) *err = 2;
@@ -189,7 +195,7 @@ time_t OETS_ASN1_TIME_get(ASN1_TIME *a, int *err)
     retval += (year - 1970) * 31536000;
     if (year < 1970) {
         retval -= ((1970 - year + 2) / 4) * 86400;
-        if (sizeof(time_t) > 4) {
+        if (time_t_size > 4) {
             for (i = 1900; i >= year; i -= 100) {
                 if (i % 400 == 0) continue;
                 retval += 86400;
@@ -198,7 +204,7 @@ time_t OETS_ASN1_TIME_get(ASN1_TIME *a, int *err)
         if (retval >= 0) *err = 2;
     } else {
         retval += ((year - 1970 + 1) / 4) * 86400;
-        if (sizeof(time_t) > 4) {
+        if (time_t_size > 4) {
             for (i = 2100; i < year; i += 100) {
                 // The following condition is the reason to
                 // start with 2100 instead of 2000

diff --git a/src/eventer/OETS_asn1_helper.h b/src/eventer/OETS_asn1_helper.h
@@ -41,7 +41,7 @@
 #ifdef __cplusplus
 extern "C" {
 #endif
-time_t OETS_ASN1_TIME_get(ASN1_TIME *a, int *err);
+time_t OETS_ASN1_TIME_get(const ASN1_TIME *a, int *err);
 
 #ifdef __cplusplus
 }

diff --git a/src/eventer/eventer_SSL_fd_opset.c b/src/eventer/eventer_SSL_fd_opset.c
@@ -243,15 +243,13 @@ eventer_ssl_verify_dates(eventer_ssl_ctx_t *ctx, int ok,
   (void)closure;
   time_t now;
   int err;
-  X509 *peer;
-  ASN1_TIME *t;
   if(!x509ctx) return X509_V_ERR_APPLICATION_VERIFICATION;
-  peer = X509_STORE_CTX_get_current_cert(x509ctx);
+  const X509 *peer = X509_STORE_CTX_get_current_cert(x509ctx);
   time(&now);
-  t = X509_get_notBefore(peer);
+  const ASN1_TIME *t = X509_get0_notBefore(peer);
   ctx->start_time = OETS_ASN1_TIME_get(t, &err);
   if(X509_cmp_time(t, &now) > 0) return X509_V_ERR_CERT_NOT_YET_VALID;
-  t = X509_get_notAfter(peer);
+  t = X509_get0_notAfter(peer);
   ctx->end_time = OETS_ASN1_TIME_get(t, &err);
   if(X509_cmp_time(t, &now) < 0) return X509_V_ERR_CERT_HAS_EXPIRED;
   return 0;

diff --git a/src/modules/lua_mtev_crypto.c b/src/modules/lua_mtev_crypto.c
@@ -85,11 +85,6 @@ mtev_lua_crypto_x509_index_func(lua_State *L) {
   const char *k;
   void *udata;
   X509 *cert;
-#if OPENSSL_VERSION_NUMBER < _OPENSSL_VERSION_3_0_0
-  int j;
-#else
-  unsigned long j;
-#endif
 
   mtevAssert(lua_gettop(L) == 2);
   if(!luaL_checkudata(L, 1, "crypto.x509")) {
@@ -189,21 +184,27 @@ mtev_lua_crypto_x509_index_func(lua_State *L) {
     return 1;
   }
   if(!strcmp(k, "ocsp")) {
-    STACK_OF(OPENSSL_STRING) *emlst;
-    emlst = X509_get1_ocsp(cert);
+    STACK_OF(OPENSSL_STRING) *emlst = X509_get1_ocsp(cert);
+    if (!emlst) {
+      return 0;
+    }
 #if OPENSSL_VERSION_NUMBER < _OPENSSL_VERSION_3_0_0
-    for (j = 0; j < sk_OPENSSL_STRING_num((OPENSSL_STACK *)emlst); j++) {
+    int num_entries = sk_OPENSSL_STRING_num((OPENSSL_STACK *)emlst);
+    for (int j = 0; j < num_entries; j++) {
       lua_pushstring(L, sk_OPENSSL_STRING_value((OPENSSL_STACK *)emlst, j));
     }
 #else
-    for (j = 0; j < (size_t)sk_OPENSSL_STRING_num(emlst); j++) {
-      char *item = "<unknown>";
-      item = sk_OPENSSL_STRING_value(emlst, j);
+    int num_entries = sk_OPENSSL_STRING_num(emlst);
+    for (int j = 0; j < num_entries; j++) {
+      char *item = sk_OPENSSL_STRING_value(emlst, j);
+      if (!item) {
+        item = "<unknown>";
+      }
       lua_pushstring(L, item);
     }
 #endif
     X509_email_free(emlst);
-    return j;
+    return num_entries;
   }
   luaL_error(L, "crypto.x509 no such element: %s", k);
   return 0;