}
// CFStringToString returns a Go string representation of the passed
-// in CFString.
+// in CFString, or an empty string if it's invalid.
func CFStringToString(ref CFRef) string {
- data := CFStringCreateExternalRepresentation(ref)
+ data, err := CFStringCreateExternalRepresentation(ref)
+ if err != nil {
+ return ""
+ }
b := CFDataToSlice(data)
CFRelease(data)
return string(b)
//go:cgo_import_dynamic x509_CFStringCreateExternalRepresentation CFStringCreateExternalRepresentation "/System/Library/Frameworks/CoreFoundation.framework/Versions/A/CoreFoundation"
-func CFStringCreateExternalRepresentation(strRef CFRef) CFRef {
+func CFStringCreateExternalRepresentation(strRef CFRef) (CFRef, error) {
ret := syscall(abi.FuncPCABI0(x509_CFStringCreateExternalRepresentation_trampoline), kCFAllocatorDefault, uintptr(strRef), kCFStringEncodingUTF8, 0, 0, 0)
- return CFRef(ret)
+ if ret == 0 {
+ return 0, errors.New("string can't be represented as UTF-8")
+ }
+ return CFRef(ret), nil
}
func x509_CFStringCreateExternalRepresentation_trampoline()
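Review bot: CFStringCreateExternalRepresentation now has a failure path but still has no doc comment saying what the caller gets back and who frees it. The visible caller, CFStringToString, passes the result to CFRelease, so the ownership rule is worth stating on the declaration, e.g. `// CFStringCreateExternalRepresentation returns strRef encoded as UTF-8 in a new CFData that the caller must CFRelease, or an error if the call returns NULL.` The same applies to SecCertificateCreateWithData further down. There the `// Returns NULL if ...` comment sits inside the body rather than on the declaration, and the owner of the returned reference is not stated.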
//go:cgo_import_dynamic x509_SecCertificateCreateWithData SecCertificateCreateWithData "/System/Library/Frameworks/Security.framework/Versions/A/Security"
-func SecCertificateCreateWithData(b []byte) CFRef {
+func SecCertificateCreateWithData(b []byte) (CFRef, error) {
data := BytesToCFData(b)
+ defer CFRelease(data)
ret := syscall(abi.FuncPCABI0(x509_SecCertificateCreateWithData_trampoline), kCFAllocatorDefault, uintptr(data), 0, 0, 0, 0)
- CFRelease(data)
- return CFRef(ret)
+ // Returns NULL if the data passed in the data parameter is not a valid
+ // DER-encoded X.509 certificate.
+ if ret == 0 {
+ return 0, errors.New("SecCertificateCreateWithData: invalid certificate")
+ }
+ return CFRef(ret), nil
}
func x509_SecCertificateCreateWithData_trampoline()
func (c *Certificate) systemVerify(opts *VerifyOptions) (chains [][]*Certificate, err error) {
certs := macOS.CFArrayCreateMutable()
defer macOS.ReleaseCFArray(certs)
- leaf := macOS.SecCertificateCreateWithData(c.Raw)
- if leaf == 0 {
+ leaf, err := macOS.SecCertificateCreateWithData(c.Raw)
+ if err != nil {
return nil, errors.New("invalid leaf certificate")
}
macOS.CFArrayAppendValue(certs, leaf)
if err != nil {
return nil, err
}
- sc := macOS.SecCertificateCreateWithData(c.Raw)
- if sc != 0 {
+ sc, err := macOS.SecCertificateCreateWithData(c.Raw)
+ if err == nil {
macOS.CFArrayAppendValue(certs, sc)
}
}
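Review bot: A certificate that SecCertificateCreateWithData rejects is left out of `certs` without any trace at `if err == nil`. If verification later fails, nothing indicates that one of the supplied certificates was never handed to the platform. If the skip is intended, say so at the call, e.g. `// Certificates the platform cannot parse are skipped, not treated as fatal.` Note also that `err` stays non-nil after a skip. The declaration of the `err` checked at the top of this hunk is outside it, so confirm it is scoped to the enclosing block and is not the named result `err` from the systemVerify signature. The enclosing block starts and ends outside the hunk.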