OpenSSLPKI::x509_get_serial: Handle NULL result from BN_bn2dec

The BN_bn2dec() can return NULL if the input is not parseable.
This would cause the conversion of char* to std::string to throw
an exception. Instead check the result and return an empty string
on errors.

Signed-off-by: Frank Lichtenheld <[email protected]>

openvpn/openssl/pki/x509certinfo.hpp

@@ -198,20 +198,18 @@ static std::string x509_get_field(::X509 *cert, const int nid)
  */
 static std::string x509_get_serial(::X509 *cert)
 {
-    ASN1_INTEGER *asn1_i;
-    BIGNUM *bignum;
-    char *openssl_serial;
-
-    asn1_i = X509_get_serialNumber(cert);
-    bignum = ASN1_INTEGER_to_BN(asn1_i, NULL);
-    openssl_serial = BN_bn2dec(bignum);
-
-    const std::string ret = openssl_serial;
-
+    const ASN1_INTEGER *asn1_i = X509_get_serialNumber(cert);
+    BIGNUM *bignum = ASN1_INTEGER_to_BN(asn1_i, NULL);
+    char *openssl_serial = BN_bn2dec(bignum);
     BN_free(bignum);
-    OPENSSL_free(openssl_serial);
 
-    return ret;
+    if (openssl_serial)
+    {
+        const std::string ret = openssl_serial;
+        OPENSSL_free(openssl_serial);
+        return ret;
+    }
+    return std::string();
 }
 
 /**

openvpn/openssl/ssl/sslctx.hpp

@@ -1687,9 +1687,13 @@ class OpenSSLContext : public SSLFactoryAPI
                 switch (c.type)
                 {
                 case X509Track::SERIAL:
-                    xts.emplace_back(X509Track::SERIAL,
-                                     depth,
-                                     OpenSSLPKI::x509_get_serial(cert));
+                    {
+                        std::string serial = OpenSSLPKI::x509_get_serial(cert);
+                        if (!serial.empty())
+                            xts.emplace_back(X509Track::SERIAL,
+                                             depth,
+                                             serial);
+                    }
                     break;
                 case X509Track::SERIAL_HEX:
                     xts.emplace_back(X509Track::SERIAL_HEX,