summaryrefslogtreecommitdiff
path: root/src/lib/libssl/ssl_init.c
diff options
context:
space:
mode:
authortb <>2024-02-23 10:39:07 +0000
committertb <>2024-02-23 10:39:07 +0000
commit537c1a694b071a8406ad517e0a2d5fecfbf350d7 (patch)
tree757f8cb1cb0fbfb3f9f6c1a21099d615a566c7fd /src/lib/libssl/ssl_init.c
parentd78c274075972a23443a6efc93ea8a8da7aed33e (diff)
downloadopenbsd-537c1a694b071a8406ad517e0a2d5fecfbf350d7.tar.gz
openbsd-537c1a694b071a8406ad517e0a2d5fecfbf350d7.tar.bz2
openbsd-537c1a694b071a8406ad517e0a2d5fecfbf350d7.zip
Prepare to provide X509_STORE_get1_objects()
The OpenSSL 1.1 API X509_STORE_get0_objects() is not thread safe. It exposes a naked internal pointer containing certificates, CRLs and cached objects added by X509_LOOKUP_hash_dir(). Thus, if the store is shared between threads, it is not possible to inspect this pointer safely since another thread could concurrently add to it. This may happen in particular during certificate verification. This API led to security issues in rust-openssl and is also problematic in current Python. Other consumers of X509_STORE_get0_objects() are haproxy, isync, openvpn. The solution is to take a snapshot of the state under a lock and return that. This is what X509_STORE_get1_objects() does. It returns a newly allocated stack that needs to be freed with sk_X509_OBJECT_pop_free(), passing X509_OBJECT_free as a second argument. Based on a diff by David Benjamin for BoringSSL. https://boringssl-review.googlesource.com/c/boringssl/+/65787 ok beck jsing PS: Variants of this have landed in Python and OpenSSL 3 as well. There the sk_*deep_copy() API is used, which in OpenSSL relies on evaluating function pointers after casts (BoringSSL fixed that). Instead of using this macro insanity and exposing that garbage in public, we can do this by implementing a pedestrian, static sk_X509_OBJECT_deep_copy() by hand.
Diffstat (limited to '')
0 files changed, 0 insertions, 0 deletions