Bug fix

tools/certverify.c

@@ -51,9 +51,9 @@ int certverify_main(int argc, char **argv)
 	char *cacertfile = NULL;
 	FILE *infp = stdin;
 	FILE *cacertfp = NULL;
-	uint8_t cert[1024];
+	uint8_t cert[8192];
 	size_t certlen;
-	uint8_t cacert[1024];
+	uint8_t cacert[8192];
 	size_t cacertlen;
 	char signer_id[SM2_MAX_ID_LENGTH + 1] = {0};
 	size_t signer_id_len = 0;
@@ -73,7 +73,7 @@ int certverify_main(int argc, char **argv)
 	size_t enc_subject_len;
 
 	int double_certs = 0;
-	uint8_t enc_cert[1024];
+	uint8_t enc_cert[8192];
 	size_t enc_cert_len;
 	int rv;
 

tools/cmsencrypt.c

@@ -103,6 +103,9 @@ int cmsencrypt_main(int argc, char **argv)
 	}
 	cert = rcpt_certs;
 
+	// FIXME: TOCTOU between file_size measurement and fread. If the file shrinks
+	// after measurement, the buffer is oversized but only actual bytes read are
+	// encrypted (inlen is updated by fread). If the file grows, data is truncated.
 	if (get_files_size(argc, argv, "-in", &inlen) != 1) {
 		goto end;
 	}

tools/ocspsign.c

@@ -452,6 +452,9 @@ bad:
 		fprintf(stderr, "%s: generate OCSPResponse failure\n", prog);
 		goto end;
 	}
+	// FIXME: resplen = 0 resets buffer capacity before second ocsp_sign call.
+	// If ocsp_sign() uses *outlen as input buffer capacity, passing 0 may
+	// allow buffer overflow. Proposed fix: resplen = sizeof(resp);
 	resplen = 0;
 	if (ocsp_sign(&ocsp_ctx, cert_status, revocation_time, this_update,
 		signer_cert, signer_cert_len, &sign_key,

tools/tlcp_server.c

@@ -331,17 +331,22 @@ restart:
 	if (tls_init(&conn, &ctx) != 1
 		|| tls_set_socket(&conn, conn_sock) != 1) {
 		error_print();
-		return -1;
+		tls_socket_close(conn_sock);
+		goto restart;
 	}
 
 	if (tls_socket_set_nonblocking(conn_sock, 1) != 1) {
 		error_print();
-		return -1;
+		tls_cleanup(&conn);
+		tls_socket_close(conn_sock);
+		goto restart;
 	}
 
 	if (do_handshake_select(&conn) != 1) {
 		error_print();
-		return -1;
+		tls_cleanup(&conn);
+		tls_socket_close(conn_sock);
+		goto restart;
 	}
 
 	for (;;) {