fix(certinel): do not return nil client cert #10

Merged
merged 1 commit into from May 13, 2020


@gofish gofish commented May 13, 2020

The documentation and requirements for the methods `GetCertificate` and
`GetClientCertificate` are slightly different. The latter must not return
`nil` and should instead return an empty `tls.Certificate`, or else
trigger a nil-dereference in `crypto/tls` during the client handshake.

    panic: runtime error: invalid memory address or nil pointer dereference
    [signal SIGSEGV: segmentation violation code=0x1 addr=0x0 pc=0x65df22]

    goroutine 39 [running]:
    crypto/tls.(*clientHandshakeStateTLS13).sendClientCertificate(0xc0001ebe20, 0x0, 0x0)
        /usr/local/go/src/crypto/tls/handshake_client_tls13.go:537 +0x122
    crypto/tls.(*clientHandshakeStateTLS13).handshake(0xc0001ebe20, 0xc000200100, 0x0)
        /usr/local/go/src/crypto/tls/handshake_client_tls13.go:91 +0x230
    crypto/tls.(*Conn).clientHandshake(0xc00020a000, 0x0, 0x0)
        /usr/local/go/src/crypto/tls/handshake_client.go:196 +0x4d9
    crypto/tls.(*Conn).Handshake(0xc00020a000, 0x0, 0x0)
        /usr/local/go/src/crypto/tls/conn.go:1340 +0xcc
    net/http.(*persistConn).addTLS.func2(0x0, 0xc00020a000, 0x0, 0xc000186480)
        /usr/local/go/src/net/http/transport.go:1453 +0x42
    created by net/http.(*persistConn).addTLS
        /usr/local/go/src/net/http/transport.go:1449 +0x1aa
    FAIL    github.com/cloudflare/certinel  0.018s
    ok      github.com/cloudflare/certinel/fswatcher        (cached)
    FAIL

@terinjokes terinjokes merged commit cb169af into cloudflare:master May 13, 2020
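
The contract described in this pull request, as an added example that is not part of the pull request or the certinel code: a `GetClientCertificate` wrapper that turns "nothing loaded" into an empty `tls.Certificate`, exercised through `net/http` against a local `httptest` server that requests a client certificate. The names `certFunc`, `safeClientCert`, `noneLoaded` and `peerCertCount` are hypothetical.

```go
package main

import (
	"crypto/tls"
	"fmt"
	"net/http"
	"net/http/httptest"
)

type certFunc = func(*tls.CertificateRequestInfo) (*tls.Certificate, error)

// safeClientCert wraps a hypothetical loader (e.g. a reloadable store). A nil result
// becomes an empty certificate ("send none"): the callback must not return (nil, nil).
func safeClientCert(load func() *tls.Certificate) certFunc {
	return func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
		if c := load(); c != nil {
			return c, nil
		}
		return &tls.Certificate{}, nil
	}
}

// noneLoaded models a store whose certificate has not been loaded yet.
func noneLoaded() *tls.Certificate { return nil }

// peerCertCount sends one HTTPS request to a local test server that requests (but does
// not require) a client certificate and returns how many the server received.
func peerCertCount(get certFunc) (int, error) {
	seen := make(chan int, 1)
	srv := httptest.NewUnstartedServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		seen <- len(r.TLS.PeerCertificates)
	}))
	srv.TLS = &tls.Config{ClientAuth: tls.RequestClientCert}
	srv.StartTLS()
	defer srv.Close()
	client := srv.Client() // already trusts the test server's certificate
	client.Transport.(*http.Transport).TLSClientConfig.GetClientCertificate = get
	resp, err := client.Get(srv.URL)
	if err != nil {
		return 0, err
	}
	resp.Body.Close()
	return <-seen, nil
}

func main() {
	n, err := peerCertCount(safeClientCert(noneLoaded))
	fmt.Println("client certificates seen by server:", n, "error:", err)
}
```

The handshake completes and the server sees zero client certificates, so a deployment that requires client authentication rejects the connection with a handshake error instead of the client process crashing.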