author | Theo Buehler <tb@cvs.openbsd.org> | 2024-08-03 04:50:28 +0000 |
---|---|---|
committer | Theo Buehler <tb@cvs.openbsd.org> | 2024-08-03 04:50:28 +0000 |
commit | 8514f573f96fb4d8a8aebb22a89ad4476c163154 (patch) | |
tree | c2ae182d6ba163891cff0264c801e162584329ea | |
parent | 996d03b4385f4438bb3f86dc0cb6e4535c000391 (diff) |
Prepare to provide SSL_CTX_set1_cert_store()
SSL_CTX_set_cert_store() should have been called SSL_CTX_set0_cert_store()
since it takes ownership of the store argument. Apparently a few people ran
into the issue of not bumping the refcount themselves, leading to use after
frees about 10 years ago. This is a quite rarely used API and there are no
misuses in the ports tree, but since someone did the work of writing a diff,
we can still add it.
Needless to say that SSL_CTX_get_cert_store() obviously has the exact same
issue and nobody seems to have thought of adding a get0 or get1 version to
match...
Fixes https://github.com/libressl/openbsd/issues/71
From Kenjiro Nakayama
-rw-r--r-- | lib/libssl/hidden/openssl/ssl.h | 3 | ||||
-rw-r--r-- | lib/libssl/ssl.h | 5 | ||||
-rw-r--r-- | lib/libssl/ssl_lib.c | 12 |
3 files changed, 17 insertions, 3 deletions
diff --git a/lib/libssl/hidden/openssl/ssl.h b/lib/libssl/hidden/openssl/ssl.h
index cff250ee755..6cf8d0c7972 100644
--- a/lib/libssl/hidden/openssl/ssl.h
+++ b/lib/libssl/hidden/openssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.7 2024/07/14 15:39:36 tb Exp $ */
+/* $OpenBSD: ssl.h,v 1.8 2024/08/03 04:50:27 tb Exp $ */
 /*
  * Copyright (c) 2023 Bob Beck <beck@openbsd.org>
  *
@@ -105,6 +105,7 @@ LSSL_USED(SSL_CTX_set_timeout);
 LSSL_USED(SSL_CTX_get_timeout);
 LSSL_USED(SSL_CTX_get_cert_store);
 LSSL_USED(SSL_CTX_set_cert_store);
+LSSL_USED(SSL_CTX_set1_cert_store);
 LSSL_USED(SSL_CTX_get0_certificate);
 LSSL_USED(SSL_CTX_get0_privatekey);
 LSSL_USED(SSL_want);
diff --git a/lib/libssl/ssl.h b/lib/libssl/ssl.h
index d8846a48516..7f9db94066e 100644
--- a/lib/libssl/ssl.h
+++ b/lib/libssl/ssl.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl.h,v 1.239 2024/07/14 15:39:36 tb Exp $ */
+/* $OpenBSD: ssl.h,v 1.240 2024/08/03 04:50:27 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -1107,6 +1107,9 @@ long SSL_CTX_set_timeout(SSL_CTX *ctx, long t);
 long SSL_CTX_get_timeout(const SSL_CTX *ctx);
 X509_STORE *SSL_CTX_get_cert_store(const SSL_CTX *);
 void SSL_CTX_set_cert_store(SSL_CTX *, X509_STORE *);
+#if defined(LIBRESSL_INTERNAL) || defined(LIBRESSL_NEXT_API)
+void SSL_CTX_set1_cert_store(SSL_CTX *ctx, X509_STORE *store);
+#endif
 X509 *SSL_CTX_get0_certificate(const SSL_CTX *ctx);
 EVP_PKEY *SSL_CTX_get0_privatekey(const SSL_CTX *ctx);
 int SSL_want(const SSL *s);
diff --git a/lib/libssl/ssl_lib.c b/lib/libssl/ssl_lib.c
index 4cf5c46fda6..1a2bf369520 100644
--- a/lib/libssl/ssl_lib.c
+++ b/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.328 2024/07/20 04:04:23 jsing Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.329 2024/08/03 04:50:27 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -3403,6 +3403,16 @@ SSL_CTX_set_cert_store(SSL_CTX *ctx, X509_STORE *store)
 }
 LSSL_ALIAS(SSL_CTX_set_cert_store);
 
+void
+SSL_CTX_set1_cert_store(SSL_CTX *ctx, X509_STORE *store)
+{
+ if (store != NULL)
+ X509_STORE_up_ref(store);
+
+ SSL_CTX_set_cert_store(ctx, store);
+}
+LSSL_ALIAS(SSL_CTX_set1_cert_store);
+
 X509 *
 SSL_CTX_get0_certificate(const SSL_CTX *ctx)
 {  |
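Review bot: The result of `X509_STORE_up_ref(store)` is discarded in the new `SSL_CTX_set1_cert_store()`, so if taking the reference ever fails the store is still passed to `SSL_CTX_set_cert_store()`, which per the commit message takes ownership; the context and the caller would then share one reference, which is the use-after-free pattern this function exists to prevent. Because the function returns void it cannot report the failure, but it could decline to install the store with `if (store != NULL && !X509_STORE_up_ref(store)) return;`, provided silently keeping the old store is acceptable for compatibility with other implementations of this API. The function and its prototype in ssl.h also lack an ownership comment; something like `/* Takes its own reference on store; the caller keeps, and must still release, its own. */` would spell out the set0/set1 distinction for callers. It may also be worth noting that the up_ref has to precede the set call so that passing the currently installed store stays safe, assuming `SSL_CTX_set_cert_store()` releases the old store, whose body is outside this hunk.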