From a4fede3dd4df29c213d7d3e5ba6b126d77af33b5 Mon Sep 17 00:00:00 2001
From: schwarze <>
Date: Fri, 18 Sep 2020 16:18:56 +0000
Subject: If ssl_cert_dup() fails in SSL_set_SSL_CTX(3), return failure rather
 than silently leaving a NULL pointer in ssl->cert. Kurt Roeckx fixed the same
 bug similarly in OpenSSL in 2015.

While here,
(1) make the code easier to read and more robust by returning right
away when ssl still uses the context it was created from and the ctx
argument is NULL, rather than doing a lot of work that changes
nothing unless data is already corrupt, and
(2) use the shorter and more inituitive SSL_CTX_up_ref(3) rather
than manually calling CRYPTO_add(3), which means no functional
change and is also in the OpenSSL 1.1 branch.

OK tb@
---
 src/lib/libssl/ssl_lib.c | 15 ++++++++++-----
 1 file changed, 10 insertions(+), 5 deletions(-)

(limited to 'src/lib')

diff --git a/src/lib/libssl/ssl_lib.c b/src/lib/libssl/ssl_lib.c
index 73bc05e967..c184f75abe 100644
--- a/src/lib/libssl/ssl_lib.c
+++ b/src/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.229 2020/09/16 07:25:15 schwarze Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.230 2020/09/18 16:18:56 schwarze Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -2726,17 +2726,22 @@ SSL_get_SSL_CTX(const SSL *ssl)
 SSL_CTX *
 SSL_set_SSL_CTX(SSL *ssl, SSL_CTX* ctx)
 {
-	if (ssl->ctx == ctx)
-		return (ssl->ctx);
+	CERT *new_cert;
+
 	if (ctx == NULL)
 		ctx = ssl->initial_ctx;
+	if (ssl->ctx == ctx)
+		return (ssl->ctx);
 
+	if ((new_cert = ssl_cert_dup(ctx->internal->cert)) == NULL)
+		return NULL;
 	ssl_cert_free(ssl->cert);
-	ssl->cert = ssl_cert_dup(ctx->internal->cert);
+	ssl->cert = new_cert;
 
-	CRYPTO_add(&ctx->references, 1, CRYPTO_LOCK_SSL_CTX);
+	SSL_CTX_up_ref(ctx);
 	SSL_CTX_free(ssl->ctx); /* decrement reference count */
 	ssl->ctx = ctx;
+
 	return (ssl->ctx);
 }
 
-- 
cgit v1.2.3-55-g6feb