Fix SSL_use_certificate_chain_file
The new function SSL_use_certificate_chain_file was always crashing in the internal function use_certificate_chain_file because it would pass a NULL value for SSL_CTX *, but use_certificate_chain_file would unconditionally try to dereference it. Reviewed-by: Stephen Henson <steve@openssl.org>
This commit is contained in:
parent
6329b6092b
commit
a974e64aaa
6 changed files with 50 additions and 9 deletions
|
@ -2,7 +2,9 @@
|
||||||
|
|
||||||
=head1 NAME
|
=head1 NAME
|
||||||
|
|
||||||
SSL_CTX_set_default_passwd_cb, SSL_CTX_set_default_passwd_cb_userdata - set passwd callback for encrypted PEM file handling
|
SSL_CTX_set_default_passwd_cb, SSL_CTX_set_default_passwd_cb_userdata,
|
||||||
|
SSL_set_default_passwd_cb, SSL_set_default_passwd_cb_userdata - set passwd
|
||||||
|
callback for encrypted PEM file handling
|
||||||
|
|
||||||
=head1 SYNOPSIS
|
=head1 SYNOPSIS
|
||||||
|
|
||||||
|
@ -10,6 +12,8 @@ SSL_CTX_set_default_passwd_cb, SSL_CTX_set_default_passwd_cb_userdata - set pass
|
||||||
|
|
||||||
void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb);
|
void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb);
|
||||||
void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u);
|
void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u);
|
||||||
|
void SSL_set_default_passwd_cb(SSL *s, pem_password_cb *cb);
|
||||||
|
void SSL_set_default_passwd_cb_userdata(SSL *s, void *u);
|
||||||
|
|
||||||
int pem_passwd_cb(char *buf, int size, int rwflag, void *userdata);
|
int pem_passwd_cb(char *buf, int size, int rwflag, void *userdata);
|
||||||
|
|
||||||
|
@ -21,6 +25,9 @@ when loading/storing a PEM certificate with encryption.
|
||||||
SSL_CTX_set_default_passwd_cb_userdata() sets a pointer to B<userdata> which
|
SSL_CTX_set_default_passwd_cb_userdata() sets a pointer to B<userdata> which
|
||||||
will be provided to the password callback on invocation.
|
will be provided to the password callback on invocation.
|
||||||
|
|
||||||
|
SSL_set_default_passwd_cb() and SSL_set_default_passwd_cb_userdata() perform the
|
||||||
|
same function as their SSL_CTX counterparts, but using an SSL object.
|
||||||
|
|
||||||
The pem_passwd_cb(), which must be provided by the application, hands back the
|
The pem_passwd_cb(), which must be provided by the application, hands back the
|
||||||
password to be used during decryption. On invocation a pointer to B<userdata>
|
password to be used during decryption. On invocation a pointer to B<userdata>
|
||||||
is provided. The pem_passwd_cb must write the password into the provided buffer
|
is provided. The pem_passwd_cb must write the password into the provided buffer
|
||||||
|
@ -51,8 +58,7 @@ however not usual, as certificate information is considered public.
|
||||||
|
|
||||||
=head1 RETURN VALUES
|
=head1 RETURN VALUES
|
||||||
|
|
||||||
SSL_CTX_set_default_passwd_cb() and SSL_CTX_set_default_passwd_cb_userdata()
|
These functions do not provide diagnostic information.
|
||||||
do not provide diagnostic information.
|
|
||||||
|
|
||||||
=head1 EXAMPLES
|
=head1 EXAMPLES
|
||||||
|
|
||||||
|
|
|
@ -1514,6 +1514,8 @@ __owur int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len,
|
||||||
|
|
||||||
void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb);
|
void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb);
|
||||||
void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u);
|
void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u);
|
||||||
|
void SSL_set_default_passwd_cb(SSL *s, pem_password_cb *cb);
|
||||||
|
void SSL_set_default_passwd_cb_userdata(SSL *s, void *u);
|
||||||
|
|
||||||
__owur int SSL_CTX_check_private_key(const SSL_CTX *ctx);
|
__owur int SSL_CTX_check_private_key(const SSL_CTX *ctx);
|
||||||
__owur int SSL_check_private_key(const SSL *ctx);
|
__owur int SSL_check_private_key(const SSL *ctx);
|
||||||
|
|
|
@ -366,6 +366,9 @@ SSL *SSL_new(SSL_CTX *ctx)
|
||||||
|
|
||||||
s->verify_result = X509_V_OK;
|
s->verify_result = X509_V_OK;
|
||||||
|
|
||||||
|
s->default_passwd_callback = ctx->default_passwd_callback;
|
||||||
|
s->default_passwd_callback_userdata = ctx->default_passwd_callback_userdata;
|
||||||
|
|
||||||
s->method = ctx->method;
|
s->method = ctx->method;
|
||||||
|
|
||||||
if (!s->method->ssl_new(s))
|
if (!s->method->ssl_new(s))
|
||||||
|
@ -1846,6 +1849,16 @@ void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u)
|
||||||
ctx->default_passwd_callback_userdata = u;
|
ctx->default_passwd_callback_userdata = u;
|
||||||
}
|
}
|
||||||
|
|
||||||
|
void SSL_set_default_passwd_cb(SSL *s, pem_password_cb *cb)
|
||||||
|
{
|
||||||
|
s->default_passwd_callback = cb;
|
||||||
|
}
|
||||||
|
|
||||||
|
void SSL_set_default_passwd_cb_userdata(SSL *s, void *u)
|
||||||
|
{
|
||||||
|
s->default_passwd_callback_userdata = u;
|
||||||
|
}
|
||||||
|
|
||||||
void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx,
|
void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx,
|
||||||
int (*cb) (X509_STORE_CTX *, void *),
|
int (*cb) (X509_STORE_CTX *, void *),
|
||||||
void *arg)
|
void *arg)
|
||||||
|
@ -2535,6 +2548,9 @@ SSL *SSL_dup(SSL *s)
|
||||||
* ret->init_off */
|
* ret->init_off */
|
||||||
ret->hit = s->hit;
|
ret->hit = s->hit;
|
||||||
|
|
||||||
|
ret->default_passwd_callback = s->default_passwd_callback;
|
||||||
|
ret->default_passwd_callback_userdata = s->default_passwd_callback_userdata;
|
||||||
|
|
||||||
X509_VERIFY_PARAM_inherit(ret->param, s->param);
|
X509_VERIFY_PARAM_inherit(ret->param, s->param);
|
||||||
|
|
||||||
/* dup the cipher_list and cipher_list_by_id stacks */
|
/* dup the cipher_list and cipher_list_by_id stacks */
|
||||||
|
|
|
@ -1193,6 +1193,12 @@ struct ssl_st {
|
||||||
int (*not_resumable_session_cb) (SSL *ssl, int is_forward_secure);
|
int (*not_resumable_session_cb) (SSL *ssl, int is_forward_secure);
|
||||||
|
|
||||||
RECORD_LAYER rlayer;
|
RECORD_LAYER rlayer;
|
||||||
|
|
||||||
|
/* Default password callback. */
|
||||||
|
pem_password_cb *default_passwd_callback;
|
||||||
|
|
||||||
|
/* Default password callback user data. */
|
||||||
|
void *default_passwd_callback_userdata;
|
||||||
};
|
};
|
||||||
|
|
||||||
|
|
||||||
|
|
|
@ -644,10 +644,20 @@ static int use_certificate_chain_file(SSL_CTX *ctx, SSL *ssl, const char *file)
|
||||||
BIO *in;
|
BIO *in;
|
||||||
int ret = 0;
|
int ret = 0;
|
||||||
X509 *x = NULL;
|
X509 *x = NULL;
|
||||||
|
pem_password_cb *passwd_callback;
|
||||||
|
void *passwd_callback_userdata;
|
||||||
|
|
||||||
ERR_clear_error(); /* clear error stack for
|
ERR_clear_error(); /* clear error stack for
|
||||||
* SSL_CTX_use_certificate() */
|
* SSL_CTX_use_certificate() */
|
||||||
|
|
||||||
|
if (ctx != NULL) {
|
||||||
|
passwd_callback = ctx->default_passwd_callback;
|
||||||
|
passwd_callback_userdata = ctx->default_passwd_callback_userdata;
|
||||||
|
} else {
|
||||||
|
passwd_callback = ssl->default_passwd_callback;
|
||||||
|
passwd_callback_userdata = ssl->default_passwd_callback_userdata;
|
||||||
|
}
|
||||||
|
|
||||||
in = BIO_new(BIO_s_file());
|
in = BIO_new(BIO_s_file());
|
||||||
if (in == NULL) {
|
if (in == NULL) {
|
||||||
SSLerr(SSL_F_USE_CERTIFICATE_CHAIN_FILE, ERR_R_BUF_LIB);
|
SSLerr(SSL_F_USE_CERTIFICATE_CHAIN_FILE, ERR_R_BUF_LIB);
|
||||||
|
@ -659,8 +669,8 @@ static int use_certificate_chain_file(SSL_CTX *ctx, SSL *ssl, const char *file)
|
||||||
goto end;
|
goto end;
|
||||||
}
|
}
|
||||||
|
|
||||||
x = PEM_read_bio_X509_AUX(in, NULL, ctx->default_passwd_callback,
|
x = PEM_read_bio_X509_AUX(in, NULL, passwd_callback,
|
||||||
ctx->default_passwd_callback_userdata);
|
passwd_callback_userdata);
|
||||||
if (x == NULL) {
|
if (x == NULL) {
|
||||||
SSLerr(SSL_F_USE_CERTIFICATE_CHAIN_FILE, ERR_R_PEM_LIB);
|
SSLerr(SSL_F_USE_CERTIFICATE_CHAIN_FILE, ERR_R_PEM_LIB);
|
||||||
goto end;
|
goto end;
|
||||||
|
@ -693,9 +703,8 @@ static int use_certificate_chain_file(SSL_CTX *ctx, SSL *ssl, const char *file)
|
||||||
goto end;
|
goto end;
|
||||||
}
|
}
|
||||||
|
|
||||||
while ((ca = PEM_read_bio_X509(in, NULL,
|
while ((ca = PEM_read_bio_X509(in, NULL, passwd_callback,
|
||||||
ctx->default_passwd_callback,
|
passwd_callback_userdata))
|
||||||
ctx->default_passwd_callback_userdata))
|
|
||||||
!= NULL) {
|
!= NULL) {
|
||||||
if (ctx)
|
if (ctx)
|
||||||
r = SSL_CTX_add0_chain_cert(ctx, ca);
|
r = SSL_CTX_add0_chain_cert(ctx, ca);
|
||||||
|
|
|
@ -409,3 +409,5 @@ SSL_in_init 443 EXIST::FUNCTION:
|
||||||
SSL_in_before 444 EXIST::FUNCTION:
|
SSL_in_before 444 EXIST::FUNCTION:
|
||||||
SSL_is_init_finished 445 EXIST::FUNCTION:
|
SSL_is_init_finished 445 EXIST::FUNCTION:
|
||||||
SSL_get_state 446 EXIST::FUNCTION:
|
SSL_get_state 446 EXIST::FUNCTION:
|
||||||
|
SSL_set_default_passwd_cb 447 EXIST::FUNCTION:
|
||||||
|
SSL_set_default_passwd_cb_userdata 448 EXIST::FUNCTION:
|
||||||
|
|
Loading…
Reference in a new issue