From e7c27873e31557998761af4542623352a6fd4524 Mon Sep 17 00:00:00 2001
From: Mikkel Krautz <mikkel@krautz.dk>
Date: Sun, 7 May 2017 21:48:31 +0200
Subject: selfSignedServerCert_SHA1_RSA_2048: nullify output variables on
 failure.

This commit ensures that we assign a null-valued QSslCertificate and
QSslKey on failure.
---
 src/murmur/Cert.cpp | 45 ++++++++++++++++++++++++++++-----------------
 1 file changed, 28 insertions(+), 17 deletions(-)

(limited to 'src/murmur/Cert.cpp')

diff --git a/src/murmur/Cert.cpp b/src/murmur/Cert.cpp
index 93a7d3a8d..1e71978e4 100644
--- a/src/murmur/Cert.cpp
+++ b/src/murmur/Cert.cpp
@@ -25,6 +25,8 @@ static int add_ext(X509 * crt, int nid, char *value) {
 }
 
 static bool selfSignedServerCert_SHA1_RSA_2048(QSslCertificate &qscCert, QSslKey &qskKey) {
+	bool ok = true;
+
 	CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
 
 	X509 *x509 = X509_new();
@@ -49,25 +51,36 @@ static bool selfSignedServerCert_SHA1_RSA_2048(QSslCertificate &qscCert, QSslKey
 
 	X509_sign(x509, pkey, EVP_sha1());
 
-	QByteArray crt;
-	crt.resize(i2d_X509(x509, NULL));
-	unsigned char *dptr=reinterpret_cast<unsigned char *>(crt.data());
-	i2d_X509(x509, &dptr);
+	{
+		QByteArray crt;
+		crt.resize(i2d_X509(x509, NULL));
+		unsigned char *dptr = reinterpret_cast<unsigned char *>(crt.data());
+		i2d_X509(x509, &dptr);
 
-	qscCert = QSslCertificate(crt, QSsl::Der);
-	if (qscCert.isNull())
-		return false;
+		qscCert = QSslCertificate(crt, QSsl::Der);
+		if (qscCert.isNull()) {
+			ok = false;
+		}
+	}
 
-	QByteArray key;
-	key.resize(i2d_PrivateKey(pkey, NULL));
-	dptr=reinterpret_cast<unsigned char *>(key.data());
-	i2d_PrivateKey(pkey, &dptr);
+	{
+		QByteArray key;
+		key.resize(i2d_PrivateKey(pkey, NULL));
+		unsigned char *dptr = reinterpret_cast<unsigned char *>(key.data());
+		i2d_PrivateKey(pkey, &dptr);
 
-	qskKey = QSslKey(key, QSsl::Rsa, QSsl::Der);
-	if (qskKey.isNull())
-		return false;
+		qskKey = QSslKey(key, QSsl::Rsa, QSsl::Der);
+		if (qskKey.isNull()) {
+			ok = false;
+		}
+	}
+
+	if (!ok) {
+		qscCert = QSslCertificate();
+		qskKey = QSslKey();
+	}
 
-	return true;
+	return ok;
 }
 
 #if defined(USE_QSSLDIFFIEHELLMANPARAMETERS)
@@ -256,8 +269,6 @@ void Server::initializeCert() {
 
 			if (!selfSignedServerCert_SHA1_RSA_2048(qscCert, qskKey)) {
 				log("Certificate or key generation failed");
-				qscCert = QSslCertificate();
-				qskKey = QSslKey();
 			}
 
 			setConf("certificate", qscCert.toPem());
-- 
cgit v1.2.3