wbrawner/openssl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

Fix SSL_use_certificate_chain_file

Browse source 
The new function SSL_use_certificate_chain_file was always crashing in
the internal function use_certificate_chain_file because it would pass a
NULL value for SSL_CTX *, but use_certificate_chain_file would
unconditionally try to dereference it.

Reviewed-by: Stephen Henson <steve@openssl.org>
This commit is contained in:
Matt Caswell 2015-11-09 14:38:59 +00:00
parent 6329b6092b
commit a974e64aaa
6 changed files with 50 additions and 9 deletions
Show stats Download patch file Download diff file Expand all files Collapse all files

12
doc/ssl/SSL_CTX_set_default_passwd_cb.pod
View file

@ -2,7 +2,9 @@
=head1 NAME =head1 NAME
SSL_CTX_set_default_passwd_cb, SSL_CTX_set_default_passwd_cb_userdata - set passwd callback for encrypted PEM file handling SSL_CTX_set_default_passwd_cb, SSL_CTX_set_default_passwd_cb_userdata,
SSL_set_default_passwd_cb, SSL_set_default_passwd_cb_userdata - set passwd
callback for encrypted PEM file handling
=head1 SYNOPSIS =head1 SYNOPSIS
@ -10,6 +12,8 @@ SSL_CTX_set_default_passwd_cb, SSL_CTX_set_default_passwd_cb_userdata - set pass
void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb); void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb);
void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u); void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u);
void SSL_set_default_passwd_cb(SSL *s, pem_password_cb *cb);
void SSL_set_default_passwd_cb_userdata(SSL *s, void *u);
int pem_passwd_cb(char *buf, int size, int rwflag, void *userdata); int pem_passwd_cb(char *buf, int size, int rwflag, void *userdata);
@ -21,6 +25,9 @@ when loading/storing a PEM certificate with encryption.
SSL_CTX_set_default_passwd_cb_userdata() sets a pointer to B<userdata> which SSL_CTX_set_default_passwd_cb_userdata() sets a pointer to B<userdata> which
will be provided to the password callback on invocation. will be provided to the password callback on invocation.
SSL_set_default_passwd_cb() and SSL_set_default_passwd_cb_userdata() perform the
same function as their SSL_CTX counterparts, but using an SSL object.
The pem_passwd_cb(), which must be provided by the application, hands back the The pem_passwd_cb(), which must be provided by the application, hands back the
password to be used during decryption. On invocation a pointer to B<userdata> password to be used during decryption. On invocation a pointer to B<userdata>
is provided. The pem_passwd_cb must write the password into the provided buffer is provided. The pem_passwd_cb must write the password into the provided buffer
@ -51,8 +58,7 @@ however not usual, as certificate information is considered public.
=head1 RETURN VALUES =head1 RETURN VALUES
SSL_CTX_set_default_passwd_cb() and SSL_CTX_set_default_passwd_cb_userdata() These functions do not provide diagnostic information.
do not provide diagnostic information.
=head1 EXAMPLES =head1 EXAMPLES

2
include/openssl/ssl.h
View file

@ -1514,6 +1514,8 @@ __owur int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len,
void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb); void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb);
void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u); void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u);
void SSL_set_default_passwd_cb(SSL *s, pem_password_cb *cb);
void SSL_set_default_passwd_cb_userdata(SSL *s, void *u);
__owur int SSL_CTX_check_private_key(const SSL_CTX *ctx); __owur int SSL_CTX_check_private_key(const SSL_CTX *ctx);
__owur int SSL_check_private_key(const SSL *ctx); __owur int SSL_check_private_key(const SSL *ctx);

16
ssl/ssl_lib.c
View file

@ -366,6 +366,9 @@ SSL *SSL_new(SSL_CTX *ctx)
s->verify_result = X509_V_OK; s->verify_result = X509_V_OK;
s->default_passwd_callback = ctx->default_passwd_callback;
s->default_passwd_callback_userdata = ctx->default_passwd_callback_userdata;
s->method = ctx->method; s->method = ctx->method;
if (!s->method->ssl_new(s)) if (!s->method->ssl_new(s))
@ -1846,6 +1849,16 @@ void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u)
ctx->default_passwd_callback_userdata = u; ctx->default_passwd_callback_userdata = u;
} }
void SSL_set_default_passwd_cb(SSL *s, pem_password_cb *cb)
{
s->default_passwd_callback = cb;
}
void SSL_set_default_passwd_cb_userdata(SSL *s, void *u)
{
s->default_passwd_callback_userdata = u;
}
void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx, void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx,
int (*cb) (X509_STORE_CTX *, void *), int (*cb) (X509_STORE_CTX *, void *),
void *arg) void *arg)
@ -2535,6 +2548,9 @@ SSL *SSL_dup(SSL *s)
* ret->init_off */ * ret->init_off */
ret->hit = s->hit; ret->hit = s->hit;
ret->default_passwd_callback = s->default_passwd_callback;
ret->default_passwd_callback_userdata = s->default_passwd_callback_userdata;
X509_VERIFY_PARAM_inherit(ret->param, s->param); X509_VERIFY_PARAM_inherit(ret->param, s->param);
/* dup the cipher_list and cipher_list_by_id stacks */ /* dup the cipher_list and cipher_list_by_id stacks */

6
ssl/ssl_locl.h
View file

@ -1193,6 +1193,12 @@ struct ssl_st {
int (*not_resumable_session_cb) (SSL *ssl, int is_forward_secure); int (*not_resumable_session_cb) (SSL *ssl, int is_forward_secure);
RECORD_LAYER rlayer; RECORD_LAYER rlayer;
/* Default password callback. */
pem_password_cb *default_passwd_callback;
/* Default password callback user data. */
void *default_passwd_callback_userdata;
}; };

21
ssl/ssl_rsa.c
View file

@ -644,10 +644,20 @@ static int use_certificate_chain_file(SSL_CTX *ctx, SSL *ssl, const char *file)
BIO *in; BIO *in;
int ret = 0; int ret = 0;
X509 *x = NULL; X509 *x = NULL;
pem_password_cb *passwd_callback;
void *passwd_callback_userdata;
ERR_clear_error(); /* clear error stack for ERR_clear_error(); /* clear error stack for
* SSL_CTX_use_certificate() */ * SSL_CTX_use_certificate() */
if (ctx != NULL) {
passwd_callback = ctx->default_passwd_callback;
passwd_callback_userdata = ctx->default_passwd_callback_userdata;
} else {
passwd_callback = ssl->default_passwd_callback;
passwd_callback_userdata = ssl->default_passwd_callback_userdata;
}
in = BIO_new(BIO_s_file()); in = BIO_new(BIO_s_file());
if (in == NULL) { if (in == NULL) {
SSLerr(SSL_F_USE_CERTIFICATE_CHAIN_FILE, ERR_R_BUF_LIB); SSLerr(SSL_F_USE_CERTIFICATE_CHAIN_FILE, ERR_R_BUF_LIB);
@ -659,8 +669,8 @@ static int use_certificate_chain_file(SSL_CTX *ctx, SSL *ssl, const char *file)
goto end; goto end;
} }
x = PEM_read_bio_X509_AUX(in, NULL, ctx->default_passwd_callback, x = PEM_read_bio_X509_AUX(in, NULL, passwd_callback,
ctx->default_passwd_callback_userdata); passwd_callback_userdata);
if (x == NULL) { if (x == NULL) {
SSLerr(SSL_F_USE_CERTIFICATE_CHAIN_FILE, ERR_R_PEM_LIB); SSLerr(SSL_F_USE_CERTIFICATE_CHAIN_FILE, ERR_R_PEM_LIB);
goto end; goto end;
@ -693,10 +703,9 @@ static int use_certificate_chain_file(SSL_CTX *ctx, SSL *ssl, const char *file)
goto end; goto end;
} }
while ((ca = PEM_read_bio_X509(in, NULL, while ((ca = PEM_read_bio_X509(in, NULL, passwd_callback,
ctx->default_passwd_callback, passwd_callback_userdata))
ctx->default_passwd_callback_userdata)) != NULL) {
!= NULL) {
if (ctx) if (ctx)
r = SSL_CTX_add0_chain_cert(ctx, ca); r = SSL_CTX_add0_chain_cert(ctx, ca);
else else

2
util/ssleay.num
View file

@ -409,3 +409,5 @@ SSL_in_init 443 EXIST::FUNCTION:
SSL_in_before 444 EXIST::FUNCTION: SSL_in_before 444 EXIST::FUNCTION:
SSL_is_init_finished 445 EXIST::FUNCTION: SSL_is_init_finished 445 EXIST::FUNCTION:
SSL_get_state 446 EXIST::FUNCTION: SSL_get_state 446 EXIST::FUNCTION:
SSL_set_default_passwd_cb 447 EXIST::FUNCTION:
SSL_set_default_passwd_cb_userdata 448 EXIST::FUNCTION: