diff options
| author | tb <> | 2023-05-26 13:44:05 +0000 |
|---|---|---|
| committer | tb <> | 2023-05-26 13:44:05 +0000 |
| commit | 60f03123a4643b375e7e15b8d8dd32beeba4deac (patch) | |
| tree | daccb0dca5b73ba21fde8f92a694ce06f7aeebf4 | |
| parent | d9e5f520e02c69e7bb007ce9e7466dbf19dad201 (diff) | |
| download | openbsd-60f03123a4643b375e7e15b8d8dd32beeba4deac.tar.gz openbsd-60f03123a4643b375e7e15b8d8dd32beeba4deac.tar.bz2 openbsd-60f03123a4643b375e7e15b8d8dd32beeba4deac.zip | |
Move verified_chain from SSL to SSL_HANDSHAKE
This is a better version of the fix for the missing pointer invalidation
but a bit larger, so errata got the minimal fix.
tested by jcs
ok jsing
| -rw-r--r-- | src/lib/libssl/s3_lib.c | 9 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_cert.c | 10 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_lib.c | 6 | ||||
| -rw-r--r-- | src/lib/libssl/ssl_local.h | 6 |
4 files changed, 17 insertions, 14 deletions
diff --git a/src/lib/libssl/s3_lib.c b/src/lib/libssl/s3_lib.c index 4229b2e9e3..37ca7bd113 100644 --- a/src/lib/libssl/s3_lib.c +++ b/src/lib/libssl/s3_lib.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: s3_lib.c,v 1.243 2023/05/16 14:10:43 jcs Exp $ */ | 1 | /* $OpenBSD: s3_lib.c,v 1.244 2023/05/26 13:44:05 tb Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -1570,6 +1570,7 @@ ssl3_free(SSL *s) | |||
| 1570 | freezero(s->s3->hs.sigalgs, s->s3->hs.sigalgs_len); | 1570 | freezero(s->s3->hs.sigalgs, s->s3->hs.sigalgs_len); |
| 1571 | sk_X509_pop_free(s->s3->hs.peer_certs, X509_free); | 1571 | sk_X509_pop_free(s->s3->hs.peer_certs, X509_free); |
| 1572 | sk_X509_pop_free(s->s3->hs.peer_certs_no_leaf, X509_free); | 1572 | sk_X509_pop_free(s->s3->hs.peer_certs_no_leaf, X509_free); |
| 1573 | sk_X509_pop_free(s->s3->hs.verified_chain, X509_free); | ||
| 1573 | tls_key_share_free(s->s3->hs.key_share); | 1574 | tls_key_share_free(s->s3->hs.key_share); |
| 1574 | 1575 | ||
| 1575 | tls13_secrets_destroy(s->s3->hs.tls13.secrets); | 1576 | tls13_secrets_destroy(s->s3->hs.tls13.secrets); |
| @@ -1579,8 +1580,6 @@ ssl3_free(SSL *s) | |||
| 1579 | tls_buffer_free(s->s3->hs.tls13.quic_read_buffer); | 1580 | tls_buffer_free(s->s3->hs.tls13.quic_read_buffer); |
| 1580 | 1581 | ||
| 1581 | sk_X509_NAME_pop_free(s->s3->hs.tls12.ca_names, X509_NAME_free); | 1582 | sk_X509_NAME_pop_free(s->s3->hs.tls12.ca_names, X509_NAME_free); |
| 1582 | sk_X509_pop_free(s->verified_chain, X509_free); | ||
| 1583 | s->verified_chain = NULL; | ||
| 1584 | 1583 | ||
| 1585 | tls1_transcript_free(s); | 1584 | tls1_transcript_free(s); |
| 1586 | tls1_transcript_hash_free(s); | 1585 | tls1_transcript_hash_free(s); |
| @@ -1603,8 +1602,6 @@ ssl3_clear(SSL *s) | |||
| 1603 | 1602 | ||
| 1604 | tls1_cleanup_key_block(s); | 1603 | tls1_cleanup_key_block(s); |
| 1605 | sk_X509_NAME_pop_free(s->s3->hs.tls12.ca_names, X509_NAME_free); | 1604 | sk_X509_NAME_pop_free(s->s3->hs.tls12.ca_names, X509_NAME_free); |
| 1606 | sk_X509_pop_free(s->verified_chain, X509_free); | ||
| 1607 | s->verified_chain = NULL; | ||
| 1608 | 1605 | ||
| 1609 | tls_buffer_free(s->s3->alert_fragment); | 1606 | tls_buffer_free(s->s3->alert_fragment); |
| 1610 | s->s3->alert_fragment = NULL; | 1607 | s->s3->alert_fragment = NULL; |
| @@ -1619,6 +1616,8 @@ ssl3_clear(SSL *s) | |||
| 1619 | s->s3->hs.peer_certs = NULL; | 1616 | s->s3->hs.peer_certs = NULL; |
| 1620 | sk_X509_pop_free(s->s3->hs.peer_certs_no_leaf, X509_free); | 1617 | sk_X509_pop_free(s->s3->hs.peer_certs_no_leaf, X509_free); |
| 1621 | s->s3->hs.peer_certs_no_leaf = NULL; | 1618 | s->s3->hs.peer_certs_no_leaf = NULL; |
| 1619 | sk_X509_pop_free(s->s3->hs.verified_chain, X509_free); | ||
| 1620 | s->s3->hs.verified_chain = NULL; | ||
| 1622 | 1621 | ||
| 1623 | tls_key_share_free(s->s3->hs.key_share); | 1622 | tls_key_share_free(s->s3->hs.key_share); |
| 1624 | s->s3->hs.key_share = NULL; | 1623 | s->s3->hs.key_share = NULL; |
diff --git a/src/lib/libssl/ssl_cert.c b/src/lib/libssl/ssl_cert.c index 4fe805212b..8a333b4278 100644 --- a/src/lib/libssl/ssl_cert.c +++ b/src/lib/libssl/ssl_cert.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_cert.c,v 1.105 2022/11/26 16:08:55 tb Exp $ */ | 1 | /* $OpenBSD: ssl_cert.c,v 1.106 2023/05/26 13:44:05 tb Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -440,11 +440,11 @@ ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *certs) | |||
| 440 | ret = X509_verify_cert(ctx); | 440 | ret = X509_verify_cert(ctx); |
| 441 | 441 | ||
| 442 | s->verify_result = X509_STORE_CTX_get_error(ctx); | 442 | s->verify_result = X509_STORE_CTX_get_error(ctx); |
| 443 | sk_X509_pop_free(s->verified_chain, X509_free); | 443 | sk_X509_pop_free(s->s3->hs.verified_chain, X509_free); |
| 444 | s->verified_chain = NULL; | 444 | s->s3->hs.verified_chain = NULL; |
| 445 | if (X509_STORE_CTX_get0_chain(ctx) != NULL) { | 445 | if (X509_STORE_CTX_get0_chain(ctx) != NULL) { |
| 446 | s->verified_chain = X509_STORE_CTX_get1_chain(ctx); | 446 | s->s3->hs.verified_chain = X509_STORE_CTX_get1_chain(ctx); |
| 447 | if (s->verified_chain == NULL) { | 447 | if (s->s3->hs.verified_chain == NULL) { |
| 448 | SSLerrorx(ERR_R_MALLOC_FAILURE); | 448 | SSLerrorx(ERR_R_MALLOC_FAILURE); |
| 449 | ret = 0; | 449 | ret = 0; |
| 450 | } | 450 | } |
diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c index 68e60a5481..f6c9406139 100644 --- a/src/lib/libssl/ssl_lib.c +++ b/src/lib/libssl/ssl_lib.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_lib.c,v 1.309 2023/04/23 18:51:53 tb Exp $ */ | 1 | /* $OpenBSD: ssl_lib.c,v 1.310 2023/05/26 13:44:05 tb Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -900,7 +900,9 @@ SSL_get_peer_cert_chain(const SSL *s) | |||
| 900 | STACK_OF(X509) * | 900 | STACK_OF(X509) * |
| 901 | SSL_get0_verified_chain(const SSL *s) | 901 | SSL_get0_verified_chain(const SSL *s) |
| 902 | { | 902 | { |
| 903 | return s->verified_chain; | 903 | if (s->s3 == NULL) |
| 904 | return NULL; | ||
| 905 | return s->s3->hs.verified_chain; | ||
| 904 | } | 906 | } |
| 905 | 907 | ||
| 906 | /* | 908 | /* |
diff --git a/src/lib/libssl/ssl_local.h b/src/lib/libssl/ssl_local.h index 876a5e4657..cb38e5f91c 100644 --- a/src/lib/libssl/ssl_local.h +++ b/src/lib/libssl/ssl_local.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_local.h,v 1.5 2023/04/25 07:48:15 tb Exp $ */ | 1 | /* $OpenBSD: ssl_local.h,v 1.6 2023/05/26 13:44:05 tb Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -651,6 +651,9 @@ typedef struct ssl_handshake_st { | |||
| 651 | STACK_OF(X509) *peer_certs; | 651 | STACK_OF(X509) *peer_certs; |
| 652 | STACK_OF(X509) *peer_certs_no_leaf; | 652 | STACK_OF(X509) *peer_certs_no_leaf; |
| 653 | 653 | ||
| 654 | /* Certificate chain resulting from X.509 verification. */ | ||
| 655 | STACK_OF(X509) *verified_chain; | ||
| 656 | |||
| 654 | SSL_HANDSHAKE_TLS12 tls12; | 657 | SSL_HANDSHAKE_TLS12 tls12; |
| 655 | SSL_HANDSHAKE_TLS13 tls13; | 658 | SSL_HANDSHAKE_TLS13 tls13; |
| 656 | } SSL_HANDSHAKE; | 659 | } SSL_HANDSHAKE; |
| @@ -1130,7 +1133,6 @@ struct ssl_st { | |||
| 1130 | int empty_record_count; | 1133 | int empty_record_count; |
| 1131 | 1134 | ||
| 1132 | size_t num_tickets; /* Unused, for OpenSSL compatibility */ | 1135 | size_t num_tickets; /* Unused, for OpenSSL compatibility */ |
| 1133 | STACK_OF(X509) *verified_chain; | ||
| 1134 | }; | 1136 | }; |
| 1135 | 1137 | ||
| 1136 | typedef struct ssl3_record_internal_st { | 1138 | typedef struct ssl3_record_internal_st { |