Fix checking of SSL_{read,write}_ex() return value.

These have a boolean-style return value.  However, our emulated
versions can return -1 on error, which we need to preserve for older
versions of SSL_get_error() which expect it.
Todd C. Miller
2023-08-08 10:18:57 -06:00
parent 5f2a0a70e5
commit 1e6c5f3e79
5 changed files with 37 additions and 29 deletions


@@ -34,6 +34,10 @@
# include "sudo_compat.h"
# include "sudo_ssl_compat.h"
/*
* Emulate SSL_read_ex() using SSL_read().
* Unlike the real SSL_read_ex(), this can return -1 on error.
*/
int
SSL_read_ex(SSL *ssl, void *buf, size_t num, size_t *readbytes)
{
@@ -44,6 +48,10 @@ SSL_read_ex(SSL *ssl, void *buf, size_t num, size_t *readbytes)
return 1;
}
/*
* Emulate SSL_write_ex() using SSL_write().
* Unlike the real SSL_write_ex(), this can return -1 on error.
*/
int
SSL_write_ex(SSL *ssl, const void *buf, size_t num, size_t *written)
{
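Review bot: The new header comments say the compat SSL_read_ex()/SSL_write_ex() can return -1, but not what that means for callers, and a caller testing `result == 0` or `result != 1` will misclassify that -1 (the commit body explains it exists so that older SSL_get_error() implementations see it). I would extend each comment with `Callers must treat any result <= 0 as failure and pass it unchanged to SSL_get_error().` Both function bodies continue outside the hunk, so whether `*readbytes`/`*written` hold a defined value on the -1 path cannot be checked here; if they do not, the same comment is the place to say so.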


@@ -938,11 +938,11 @@ server_msg_cb(int fd, int what, void *v)
#if defined(HAVE_OPENSSL)
if (closure->ssl != NULL) {
int err = SSL_write_ex(closure->ssl, buf->data + buf->off,
const int result = SSL_write_ex(closure->ssl, buf->data + buf->off,
buf->len - buf->off, &nwritten);
if (err) {
if (result <= 0) {
const char *errstr;
switch (SSL_get_error(closure->ssl, err)) {
switch (SSL_get_error(closure->ssl, result)) {
case SSL_ERROR_WANT_READ:
/* ssl wants to read, read event always active */
sudo_debug_printf(SUDO_DEBUG_NOTICE|SUDO_DEBUG_LINENO,
@@ -1030,11 +1030,11 @@ client_msg_cb(int fd, int what, void *v)
#if defined(HAVE_OPENSSL)
if (closure->ssl != NULL) {
int err = SSL_read_ex(closure->ssl, buf->data + buf->len, buf->size,
&nread);
if (err) {
const int result = SSL_read_ex(closure->ssl, buf->data + buf->len,
buf->size, &nread);
if (result <= 0) {
const char *errstr;
switch (SSL_get_error(closure->ssl, err)) {
switch (SSL_get_error(closure->ssl, result)) {
case SSL_ERROR_ZERO_RETURN:
/* ssl connection shutdown cleanly */
nread = 0;
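Review bot: In client_msg_cb the rewritten SSL_read_ex() call bounds the read with `buf->size, &nread` while writing at `buf->data + buf->len`; every other SSL_read_ex() call in this commit uses `buf->size - buf->len`. Unless buf->len is guaranteed to be zero at this point (not visible here, and the function starts and ends outside the hunk), a partially filled buffer lets decrypted TLS data be written past its end. I would change the length argument to `buf->size - buf->len, &nread);` to match the other call sites. The server_msg_cb write path above looks correct, since it already bounds by `buf->len - buf->off`.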


@@ -716,18 +716,18 @@ relay_server_msg_cb(int fd, int what, void *v)
#if defined(HAVE_OPENSSL)
if (relay_closure->tls_client.ssl != NULL) {
SSL *ssl = relay_closure->tls_client.ssl;
int err;
int result;
sudo_debug_printf(SUDO_DEBUG_INFO,
"%s: ServerMessage from relay %s (%s) [TLS]", __func__,
relay_closure->relay_name.name, relay_closure->relay_name.ipaddr);
err = SSL_read_ex(ssl, buf->data + buf->len, buf->size - buf->len,
result = SSL_read_ex(ssl, buf->data + buf->len, buf->size - buf->len,
&nread);
if (err) {
if (result <= 0) {
unsigned long errcode;
const char *errstr;
switch (SSL_get_error(ssl, err)) {
switch (SSL_get_error(ssl, result)) {
case SSL_ERROR_ZERO_RETURN:
/* ssl connection shutdown cleanly */
nread = 0;
@@ -928,12 +928,12 @@ relay_client_msg_cb(int fd, int what, void *v)
#if defined(HAVE_OPENSSL)
if (relay_closure->tls_client.ssl != NULL) {
SSL *ssl = relay_closure->tls_client.ssl;
int err = SSL_write_ex(ssl, buf->data + buf->off, buf->len - buf->off,
&nwritten);
if (err) {
const int result = SSL_write_ex(ssl, buf->data + buf->off,
buf->len - buf->off, &nwritten);
if (result <= 0) {
const char *errstr;
switch (SSL_get_error(ssl, err)) {
switch (SSL_get_error(ssl, result)) {
case SSL_ERROR_ZERO_RETURN:
/* ssl connection shutdown cleanly */
shutdown(relay_closure->sock, SHUT_RDWR);
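Review bot: The new `result <= 0` tests in relay_server_msg_cb and relay_client_msg_cb read as a mistake to anyone who knows SSL_read_ex()/SSL_write_ex() are documented as returning 0 or 1, and the reason (the in-tree compat emulation may return -1, which must reach SSL_get_error() unchanged) lives in a different file. I would put a one-line comment above each check, e.g. `/* 1 on success; 0 or, from the compat emulation, -1 on error. */`, so a later cleanup does not "simplify" it back to `!result`. Both callbacks start and end outside the hunks, so I cannot tell whether the error paths that do not return reset nread/nwritten; if they rely on SSL_read_ex() having set them, note that only the SSL_ERROR_ZERO_RETURN case does so explicitly.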


@@ -1279,15 +1279,15 @@ server_msg_cb(int fd, int what, void *v)
#if defined(HAVE_OPENSSL)
if (cert != NULL) {
SSL *ssl = closure->tls_client.ssl;
int err;
int result;
sudo_debug_printf(SUDO_DEBUG_INFO, "%s: reading ServerMessage (TLS)", __func__);
err = SSL_read_ex(ssl, buf->data + buf->len, buf->size - buf->len,
result = SSL_read_ex(ssl, buf->data + buf->len, buf->size - buf->len,
&nread);
if (err) {
if (result <= 0) {
unsigned long errcode;
const char *errstr;
switch (SSL_get_error(ssl, err)) {
switch (SSL_get_error(ssl, result)) {
case SSL_ERROR_ZERO_RETURN:
/* ssl connection shutdown cleanly */
nread = 0;
@@ -1436,12 +1436,12 @@ client_msg_cb(int fd, int what, void *v)
#if defined(HAVE_OPENSSL)
if (cert != NULL) {
SSL *ssl = closure->tls_client.ssl;
int err = SSL_write_ex(ssl, buf->data + buf->off, buf->len - buf->off,
&nwritten);
if (err) {
const int result = SSL_write_ex(ssl, buf->data + buf->off,
buf->len - buf->off, &nwritten);
if (result <= 0) {
const char *errstr;
switch (SSL_get_error(ssl, err)) {
switch (SSL_get_error(ssl, result)) {
case SSL_ERROR_ZERO_RETURN:
/* ssl connection shutdown */
goto bad;
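Review bot: Both rewritten calls in this section take `ssl` from `closure->tls_client.ssl` under an `if (cert != NULL)` guard rather than a test of the SSL handle, unlike the other files in this commit, which test the handle itself (`closure->ssl != NULL`). If there is any path on which cert is set but the TLS handshake has not yet produced an SSL object (not visible here; both callbacks start and end outside the hunks), the new `result = SSL_read_ex(ssl, ...)` and `SSL_write_ex(ssl, ...)` calls pass a NULL handle. If the invariant holds, a short comment such as `/* cert != NULL implies tls_client.ssl was set up by the connect path */` would record it; otherwise `if (cert != NULL && closure->tls_client.ssl != NULL)` closes the gap.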


@@ -1696,13 +1696,13 @@ server_msg_cb(int fd, int what, void *v)
sudo_debug_printf(SUDO_DEBUG_INFO, "%s: reading ServerMessage", __func__);
#if defined(HAVE_OPENSSL)
if (closure->ssl != NULL) {
int err = SSL_read_ex(closure->ssl, buf->data + buf->len,
const int result = SSL_read_ex(closure->ssl, buf->data + buf->len,
buf->size - buf->len, &nread);
if (err) {
if (result <= 0) {
unsigned long errcode;
const char *errstr;
switch (SSL_get_error(closure->ssl, err)) {
switch (SSL_get_error(closure->ssl, result)) {
case SSL_ERROR_ZERO_RETURN:
/* TLS connection shutdown cleanly */
sudo_debug_printf(SUDO_DEBUG_NOTICE|SUDO_DEBUG_LINENO,
@@ -1862,12 +1862,12 @@ client_msg_cb(int fd, int what, void *v)
#if defined(HAVE_OPENSSL)
if (closure->ssl != NULL) {
int err = SSL_write_ex(closure->ssl, buf->data + buf->off,
const int result = SSL_write_ex(closure->ssl, buf->data + buf->off,
buf->len - buf->off, &nwritten);
if (err) {
if (result <= 0) {
const char *errstr;
switch (SSL_get_error(closure->ssl, err)) {
switch (SSL_get_error(closure->ssl, result)) {
case SSL_ERROR_ZERO_RETURN:
/* TLS connection shutdown cleanly */
sudo_debug_printf(SUDO_DEBUG_NOTICE|SUDO_DEBUG_LINENO,
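Review bot: After the new `if (result <= 0)` in server_msg_cb, `nread` is only explicitly reset in the SSL_ERROR_ZERO_RETURN case; as far as I know OpenSSL does not promise a value in `*readbytes` when SSL_read_ex() fails, and the compat emulation's -1 path is defined elsewhere. If any other case in the switch continues to code that adds nread to buf->len (the rest of the switch and the end of the function are outside the hunk), it would consume a stale or uninitialized count. Setting `nread = 0;` once at the top of the `if (result <= 0)` body makes every error path safe regardless of which case runs; the same applies to `nwritten` in client_msg_cb below.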