diff --git a/lib/hx509/cert.c b/lib/hx509/cert.c
index d9a08ae5d..dc5444d0a 100644
--- a/lib/hx509/cert.c
+++ b/lib/hx509/cert.c
@@ -2979,12 +2979,21 @@ hx509_query_match_expr(hx509_context context, hx509_query *q, const char *expr)
 if (expr == NULL) {
 q->match &= ~HX509_QUERY_MATCH_EXPR;
- } else {
- q->expr = _hx509_expr_parse(expr);
- if (q->expr)
- q->match |= HX509_QUERY_MATCH_EXPR;
+ return 0;
 }
+ q->expr = _hx509_expr_parse(expr);
+ if (q->expr == NULL) {
+ const char *reason = _hx509_expr_parse_error();
+
+ hx509_set_error_string(context, 0, EINVAL,
+ "Invalid certificate query match expression: "
+ "%s (%s)", expr,
+ reason ? reason : "syntax error");
+ return EINVAL;
+ }
+
+ q->match |= HX509_QUERY_MATCH_EXPR;
 return 0;
 }
diff --git a/lib/hx509/hxtool.c b/lib/hx509/hxtool.c
index d0c232392..09a96ab15 100644
--- a/lib/hx509/hxtool.c
+++ b/lib/hx509/hxtool.c
@@ -2873,9 +2873,9 @@ acert(struct acert_options *opt, int argc, char **argv)
 hx509_query *q = NULL;
 if (opt->expr_string) {
- if ((ret = hx509_query_alloc(context, &q)))
+ if ((ret = hx509_query_alloc(context, &q)) ||
+ (ret = hx509_query_match_expr(context, q, opt->expr_string)))
 hx509_err(context, 1, ret, "Could not initialize query");
- hx509_query_match_expr(context, q, opt->expr_string);
 if ((ret = hx509_certs_find(context, certs, q, &cert)) || !cert)
 hx509_err(context, 1, ret, "No matching certificate");
 ret = acert1(opt, -1, cert, &matched);
diff --git a/lib/hx509/sel.c b/lib/hx509/sel.c
index 0dc2b38c5..bfd55e938 100644
--- a/lib/hx509/sel.c
+++ b/lib/hx509/sel.c
@@ -204,6 +204,7 @@ _hx509_expr_free(struct hx_expr *expr)
 free(expr);
 }
+/* XXX Horrible, no good cause not thread-safe */
 HX509_LIB_FUNCTION struct hx_expr * HX509_LIB_CALL
 _hx509_expr_parse(const char *buf)
 {
@@ -222,6 +223,12 @@ _hx509_expr_parse(const char *buf)
 return _hx509_expr_input.expr;
 }
+const char *
+_hx509_expr_parse_error(void)
+{
+ return _hx509_expr_input.error;
+}
+
 void
 _hx509_sel_yyerror (const char *s)
 {
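Review bot: The new `q->expr = _hx509_expr_parse(expr);` still overwrites an expression set by an earlier call on the same query without releasing it, and the `expr == NULL` branch clears the flag but keeps the stale `q->expr`; unless callers are documented to call this at most once per query, both paths should first run `if (q->expr) { _hx509_expr_free(q->expr); q->expr = NULL; }`. The reason text comes from `_hx509_expr_parse_error()`, which reads the parser's global state, so with concurrent parses the detail attached to the EINVAL may belong to another caller — worth a comment next to that call. The function's opening and its doc comment are outside the hunk; the comment should now state that EINVAL is returned, with the error string set on the context, when the expression does not parse.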
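Review bot: The single message `"Could not initialize query"` now also covers an unparsable expression string, which is the case a user is far more likely to hit; checking the second call separately gives a precise summary, e.g. `if ((ret = hx509_query_match_expr(context, q, opt->expr_string))) hx509_err(context, 1, ret, "Invalid query expression");`. If hx509_err appends the context error string set in hx509_query_match_expr the detail is not lost, but the summary still names the wrong step. The enclosing function acert() starts and ends outside the hunk.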
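Review bot: The new `_hx509_expr_parse_error()` is defined without the `HX509_LIB_FUNCTION`/`HX509_LIB_CALL` decorations carried by its sibling `_hx509_expr_parse` in the hunk above, and the diff adds no prototype, so the call in cert.c depends on the private header being regenerated from the sources; if that does not happen, cert.c is compiling against an implicit declaration. It also lacks a comment on the lifetime of the returned pointer, which refers into the global `_hx509_expr_input` and is stale after the next parse; I would add `/* Error recorded by the last _hx509_expr_parse() call, or NULL. Points into parser-global state: valid only until the next parse, and (like the parser) not thread-safe. */` above the definition. Whether `_hx509_expr_input.error` is reset at the start of each parse, so that a successful parse does not leave an old message behind, is outside the hunk and worth confirming.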