Prepare to provide TS_VERIFY_CTX accessors

The setters make no sense since they do not free the old members and return what was passed in instead of returning the old struct member so that the caller has a chance of freeing them. This has the side effect that calling a setter a second time will likely result in a leak. TS_VERIFY_CTX_set_imprint() was "fixed" upstream by adding a free() but the other three setters were missed since discussing the contributor's CLA was more important. Also missed was that adding frees will result in double frees: careful consumers like openssl/ruby have workarounds for the strange existing semantics. Add a compat #define for TS_VERIF_CTS_set_certs() that made it into the public API with a typo. A good illustration of the amount of thought and care that went into the OpenSSL 1.1 API by both the implementers and the reviewers. Amazing job overall. We will be stuck with this nonsense for a long time. ok jsing kn
author: tb <> 2022-07-24 19:54:46 +0000
committer: tb <> 2022-07-24 19:54:46 +0000
commit: 021a0df656198d44dcff8cb51f4509bc8aec75ac (patch)
tree: e0e2d08b866bf914e76fefcb9b310301fa5d8e0e /src
parent: 6b0d6b3789b6b50cd891b1a4664051804e6a7af5 (diff)
download: openbsd-021a0df656198d44dcff8cb51f4509bc8aec75ac.tar.gz
openbsd-021a0df656198d44dcff8cb51f4509bc8aec75ac.tar.bz2
openbsd-021a0df656198d44dcff8cb51f4509bc8aec75ac.zip
2 files changed, 79 insertions, 2 deletions
diff --git a/src/lib/libcrypto/ts/ts.h b/src/lib/libcrypto/ts/ts.h
index 3c6baf82e0..83bd6829ae 100644
--- a/src/lib/libcrypto/ts/ts.h
+++ b/src/lib/libcrypto/ts/ts.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts.h,v 1.16 2022/07/24 19:25:36 tb Exp $ */
+/* $OpenBSD: ts.h,v 1.17 2022/07/24 19:54:46 tb Exp $ */
 /* Written by Zoltan Glozik (zglozik@opentsa.org) for the OpenSSL
 * project 2002, 2003, 2004.
 */
@@ -682,6 +682,19 @@ void TS_VERIFY_CTX_init(TS_VERIFY_CTX *ctx);
 void TS_VERIFY_CTX_free(TS_VERIFY_CTX *ctx);
 void TS_VERIFY_CTX_cleanup(TS_VERIFY_CTX *ctx);
+#if defined(LIBRESSL_INTERNAL)
+int TS_VERIFY_CTX_add_flags(TS_VERIFY_CTX *ctx, int flags);
+int TS_VERIFY_CTX_set_flags(TS_VERIFY_CTX *ctx, int flags);
+BIO *TS_VERIFY_CTX_set_data(TS_VERIFY_CTX *ctx, BIO *bio);
+X509_STORE *TS_VERIFY_CTX_set_store(TS_VERIFY_CTX *ctx, X509_STORE *store);
+/* R$ special */
+#define TS_VERIFY_CTS_set_certs TS_VERIFY_CTX_set_certs
+STACK_OF(X509) *TS_VERIFY_CTX_set_certs(TS_VERIFY_CTX *ctx,
+    STACK_OF(X509) *certs);
+unsigned char *TS_VERIFY_CTX_set_imprint(TS_VERIFY_CTX *ctx,
+    unsigned char *imprint, long imprint_len);
+#endif
 /*
 * If ctx is NULL, it allocates and returns a new object, otherwise
 * it returns ctx. It initialises all the members as follows:
diff --git a/src/lib/libcrypto/ts/ts_verify_ctx.c b/src/lib/libcrypto/ts/ts_verify_ctx.c
index 83ef54a894..ef0ec6ca7f 100644
--- a/src/lib/libcrypto/ts/ts_verify_ctx.c
+++ b/src/lib/libcrypto/ts/ts_verify_ctx.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ts_verify_ctx.c,v 1.10 2022/07/24 08:16:47 tb Exp $ */
+/* $OpenBSD: ts_verify_ctx.c,v 1.11 2022/07/24 19:54:46 tb Exp $ */
 /* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
 * project 2003.
 */
@@ -114,6 +114,70 @@ TS_VERIFY_CTX_cleanup(TS_VERIFY_CTX *ctx)
        TS_VERIFY_CTX_init(ctx);
 }
+/*
+ * XXX: The following accessors demonstrate the amount of care and thought that
+ * went into OpenSSL 1.1 API design and the review thereof: for whatever reason
+ * these functions return what was passed in. Correct memory management is left
+ * as an exercise for the reader... Unfortunately, careful consumers like
+ * openssl-ruby assume this behavior, so we're stuck with this insanity. The
+ * cherry on top is the TS_VERIFY_CTS_set_certs() [sic!] function that made it
+ * into the public API.
+ *
+ * Outstanding job, R$ and tjh, A+.
+ */
+int
+TS_VERIFY_CTX_add_flags(TS_VERIFY_CTX *ctx, int flags)
+{
+        ctx->flags |= flags;
+        return ctx->flags;
+}
+int
+TS_VERIFY_CTX_set_flags(TS_VERIFY_CTX *ctx, int flags)
+{
+        ctx->flags = flags;
+        return ctx->flags;
+}
+BIO *
+TS_VERIFY_CTX_set_data(TS_VERIFY_CTX *ctx, BIO *bio)
+{
+        ctx->data = bio;
+        return ctx->data;
+}
+X509_STORE *
+TS_VERIFY_CTX_set_store(TS_VERIFY_CTX *ctx, X509_STORE *store)
+{
+        ctx->store = store;
+        return ctx->store;
+}
+STACK_OF(X509) *
+TS_VERIFY_CTX_set_certs(TS_VERIFY_CTX *ctx, STACK_OF(X509) *certs)
+{
+        ctx->certs = certs;
+        return ctx->certs;
+}
+unsigned char *
+TS_VERIFY_CTX_set_imprint(TS_VERIFY_CTX *ctx, unsigned char *imprint,
+    long imprint_len)
+{
+        free(ctx->imprint);
+        ctx->imprint = imprint;
+        ctx->imprint_len = imprint_len;
+        return ctx->imprint;
+}
 TS_VERIFY_CTX *
 TS_REQ_to_TS_VERIFY_CTX(TS_REQ *req, TS_VERIFY_CTX *ctx)
 {
author	tb <>	2022-07-24 19:54:46 +0000
committer	tb <>	2022-07-24 19:54:46 +0000
commit	021a0df656198d44dcff8cb51f4509bc8aec75ac (patch)
tree	e0e2d08b866bf914e76fefcb9b310301fa5d8e0e /src
parent	6b0d6b3789b6b50cd891b1a4664051804e6a7af5 (diff)
download	openbsd-021a0df656198d44dcff8cb51f4509bc8aec75ac.tar.gz openbsd-021a0df656198d44dcff8cb51f4509bc8aec75ac.tar.bz2 openbsd-021a0df656198d44dcff8cb51f4509bc8aec75ac.zip

diff --git a/src/lib/libcrypto/ts/ts.h b/src/lib/libcrypto/ts/ts.h index 3c6baf82e0..83bd6829ae 100644 --- a/src/lib/libcrypto/ts/ts.h +++ b/src/lib/libcrypto/ts/ts.h
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ts.h,v 1.16 2022/07/24 19:25:36 tb Exp $ */	1	/* $OpenBSD: ts.h,v 1.17 2022/07/24 19:54:46 tb Exp $ */
2	/* Written by Zoltan Glozik (zglozik@opentsa.org) for the OpenSSL	2	/* Written by Zoltan Glozik (zglozik@opentsa.org) for the OpenSSL
3	* project 2002, 2003, 2004.	3	* project 2002, 2003, 2004.
4	*/	4	*/
@@ -682,6 +682,19 @@ void TS_VERIFY_CTX_init(TS_VERIFY_CTX *ctx);
682	void TS_VERIFY_CTX_free(TS_VERIFY_CTX *ctx);	682	void TS_VERIFY_CTX_free(TS_VERIFY_CTX *ctx);
683	void TS_VERIFY_CTX_cleanup(TS_VERIFY_CTX *ctx);	683	void TS_VERIFY_CTX_cleanup(TS_VERIFY_CTX *ctx);
684		684
		685	#if defined(LIBRESSL_INTERNAL)
		686	int TS_VERIFY_CTX_add_flags(TS_VERIFY_CTX *ctx, int flags);
		687	int TS_VERIFY_CTX_set_flags(TS_VERIFY_CTX *ctx, int flags);
		688	BIO TS_VERIFY_CTX_set_data(TS_VERIFY_CTX ctx, BIO *bio);
		689	X509_STORE TS_VERIFY_CTX_set_store(TS_VERIFY_CTX ctx, X509_STORE *store);
		690	/* R$ special */
		691	#define TS_VERIFY_CTS_set_certs TS_VERIFY_CTX_set_certs
		692	STACK_OF(X509) TS_VERIFY_CTX_set_certs(TS_VERIFY_CTX ctx,
		693	STACK_OF(X509) *certs);
		694	unsigned char TS_VERIFY_CTX_set_imprint(TS_VERIFY_CTX ctx,
		695	unsigned char *imprint, long imprint_len);
		696	#endif
		697
685	/*	698	/*
686	* If ctx is NULL, it allocates and returns a new object, otherwise	699	* If ctx is NULL, it allocates and returns a new object, otherwise
687	* it returns ctx. It initialises all the members as follows:	700	* it returns ctx. It initialises all the members as follows:


diff --git a/src/lib/libcrypto/ts/ts_verify_ctx.c b/src/lib/libcrypto/ts/ts_verify_ctx.c index 83ef54a894..ef0ec6ca7f 100644 --- a/src/lib/libcrypto/ts/ts_verify_ctx.c +++ b/src/lib/libcrypto/ts/ts_verify_ctx.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: ts_verify_ctx.c,v 1.10 2022/07/24 08:16:47 tb Exp $ */	1	/* $OpenBSD: ts_verify_ctx.c,v 1.11 2022/07/24 19:54:46 tb Exp $ */
2	/* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL	2	/* Written by Zoltan Glozik (zglozik@stones.com) for the OpenSSL
3	* project 2003.	3	* project 2003.
4	*/	4	*/
@@ -114,6 +114,70 @@ TS_VERIFY_CTX_cleanup(TS_VERIFY_CTX *ctx)
114	TS_VERIFY_CTX_init(ctx);	114	TS_VERIFY_CTX_init(ctx);
115	}	115	}
116		116
		117	/*
		118	* XXX: The following accessors demonstrate the amount of care and thought that
		119	* went into OpenSSL 1.1 API design and the review thereof: for whatever reason
		120	* these functions return what was passed in. Correct memory management is left
		121	* as an exercise for the reader... Unfortunately, careful consumers like
		122	* openssl-ruby assume this behavior, so we're stuck with this insanity. The
		123	* cherry on top is the TS_VERIFY_CTS_set_certs() [sic!] function that made it
		124	* into the public API.
		125	*
		126	* Outstanding job, R$ and tjh, A+.
		127	*/
		128
		129	int
		130	TS_VERIFY_CTX_add_flags(TS_VERIFY_CTX *ctx, int flags)
		131	{
		132	ctx->flags \|= flags;
		133
		134	return ctx->flags;
		135	}
		136
		137	int
		138	TS_VERIFY_CTX_set_flags(TS_VERIFY_CTX *ctx, int flags)
		139	{
		140	ctx->flags = flags;
		141
		142	return ctx->flags;
		143	}
		144
		145	BIO *
		146	TS_VERIFY_CTX_set_data(TS_VERIFY_CTX ctx, BIO bio)
		147	{
		148	ctx->data = bio;
		149
		150	return ctx->data;
		151	}
		152
		153	X509_STORE *
		154	TS_VERIFY_CTX_set_store(TS_VERIFY_CTX ctx, X509_STORE store)
		155	{
		156	ctx->store = store;
		157
		158	return ctx->store;
		159	}
		160
		161	STACK_OF(X509) *
		162	TS_VERIFY_CTX_set_certs(TS_VERIFY_CTX ctx, STACK_OF(X509) certs)
		163	{
		164	ctx->certs = certs;
		165
		166	return ctx->certs;
		167	}
		168
		169	unsigned char *
		170	TS_VERIFY_CTX_set_imprint(TS_VERIFY_CTX ctx, unsigned char imprint,
		171	long imprint_len)
		172	{
		173	free(ctx->imprint);
		174
		175	ctx->imprint = imprint;
		176	ctx->imprint_len = imprint_len;
		177
		178	return ctx->imprint;
		179	}
		180
117	TS_VERIFY_CTX *	181	TS_VERIFY_CTX *
118	TS_REQ_to_TS_VERIFY_CTX(TS_REQ req, TS_VERIFY_CTX ctx)	182	TS_REQ_to_TS_VERIFY_CTX(TS_REQ req, TS_VERIFY_CTX ctx)
119	{	183	{