[openssl-commits] [openssl] master update

Matt Caswell matt at openssl.org
Tue Nov 10 23:04:48 UTC 2015


The branch master has been updated
       via  a974e64aaaa8a6f99f55a68d28c07c04ecea2f50 (commit)
      from  6329b6092b28b656be8a1e4a8363d2e3bcc32053 (commit)


- Log -----------------------------------------------------------------
commit a974e64aaaa8a6f99f55a68d28c07c04ecea2f50
Author: Matt Caswell <matt at openssl.org>
Date:   Mon Nov 9 14:38:59 2015 +0000

    Fix SSL_use_certificate_chain_file
    
    The new function SSL_use_certificate_chain_file was always crashing in
    the internal function use_certificate_chain_file because it would pass a
    NULL value for SSL_CTX *, but use_certificate_chain_file would
    unconditionally try to dereference it.
    
    Reviewed-by: Stephen Henson <steve at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 doc/ssl/SSL_CTX_set_default_passwd_cb.pod | 12 +++++++++---
 include/openssl/ssl.h                     |  2 ++
 ssl/ssl_lib.c                             | 16 ++++++++++++++++
 ssl/ssl_locl.h                            |  6 ++++++
 ssl/ssl_rsa.c                             | 21 +++++++++++++++------
 util/ssleay.num                           |  2 ++
 6 files changed, 50 insertions(+), 9 deletions(-)

diff --git a/doc/ssl/SSL_CTX_set_default_passwd_cb.pod b/doc/ssl/SSL_CTX_set_default_passwd_cb.pod
index 9455139..452737f 100644
--- a/doc/ssl/SSL_CTX_set_default_passwd_cb.pod
+++ b/doc/ssl/SSL_CTX_set_default_passwd_cb.pod
@@ -2,7 +2,9 @@
 
 =head1 NAME
 
-SSL_CTX_set_default_passwd_cb, SSL_CTX_set_default_passwd_cb_userdata - set passwd callback for encrypted PEM file handling
+SSL_CTX_set_default_passwd_cb, SSL_CTX_set_default_passwd_cb_userdata,
+SSL_set_default_passwd_cb, SSL_set_default_passwd_cb_userdata - set passwd
+callback for encrypted PEM file handling
 
 =head1 SYNOPSIS
 
@@ -10,6 +12,8 @@ SSL_CTX_set_default_passwd_cb, SSL_CTX_set_default_passwd_cb_userdata - set pass
 
  void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb);
  void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u);
+ void SSL_set_default_passwd_cb(SSL *s, pem_password_cb *cb);
+ void SSL_set_default_passwd_cb_userdata(SSL *s, void *u);
 
  int pem_passwd_cb(char *buf, int size, int rwflag, void *userdata);
 
@@ -21,6 +25,9 @@ when loading/storing a PEM certificate with encryption.
 SSL_CTX_set_default_passwd_cb_userdata() sets a pointer to B<userdata> which
 will be provided to the password callback on invocation.
 
+SSL_set_default_passwd_cb() and SSL_set_default_passwd_cb_userdata() perform the
+same function as their SSL_CTX counterparts, but using an SSL object.
+
 The pem_passwd_cb(), which must be provided by the application, hands back the
 password to be used during decryption. On invocation a pointer to B<userdata>
 is provided. The pem_passwd_cb must write the password into the provided buffer
@@ -51,8 +58,7 @@ however not usual, as certificate information is considered public.
 
 =head1 RETURN VALUES
 
-SSL_CTX_set_default_passwd_cb() and SSL_CTX_set_default_passwd_cb_userdata()
-do not provide diagnostic information.
+These functions do not provide diagnostic information.
 
 =head1 EXAMPLES
 
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 28322eb..cf9f83a 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -1514,6 +1514,8 @@ __owur int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len,
 
 void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb);
 void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u);
+void SSL_set_default_passwd_cb(SSL *s, pem_password_cb *cb);
+void SSL_set_default_passwd_cb_userdata(SSL *s, void *u);
 
 __owur int SSL_CTX_check_private_key(const SSL_CTX *ctx);
 __owur int SSL_check_private_key(const SSL *ctx);
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index b6e5127..d8d2244 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -366,6 +366,9 @@ SSL *SSL_new(SSL_CTX *ctx)
 
     s->verify_result = X509_V_OK;
 
+    s->default_passwd_callback = ctx->default_passwd_callback;
+    s->default_passwd_callback_userdata = ctx->default_passwd_callback_userdata;
+
     s->method = ctx->method;
 
     if (!s->method->ssl_new(s))
@@ -1846,6 +1849,16 @@ void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u)
     ctx->default_passwd_callback_userdata = u;
 }
 
+void SSL_set_default_passwd_cb(SSL *s, pem_password_cb *cb)
+{
+    s->default_passwd_callback = cb;
+}
+
+void SSL_set_default_passwd_cb_userdata(SSL *s, void *u)
+{
+    s->default_passwd_callback_userdata = u;
+}
+
 void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx,
                                       int (*cb) (X509_STORE_CTX *, void *),
                                       void *arg)
@@ -2535,6 +2548,9 @@ SSL *SSL_dup(SSL *s)
                                  * ret->init_off */
     ret->hit = s->hit;
 
+    ret->default_passwd_callback = s->default_passwd_callback;
+    ret->default_passwd_callback_userdata = s->default_passwd_callback_userdata;
+
     X509_VERIFY_PARAM_inherit(ret->param, s->param);
 
     /* dup the cipher_list and cipher_list_by_id stacks */
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index e174def..03bc35c 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -1193,6 +1193,12 @@ struct ssl_st {
     int (*not_resumable_session_cb) (SSL *ssl, int is_forward_secure);
     
     RECORD_LAYER rlayer;
+
+    /* Default password callback. */
+    pem_password_cb *default_passwd_callback;
+
+    /* Default password callback user data. */
+    void *default_passwd_callback_userdata;
 };
 
 
diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c
index 9e172b5..be552c1 100644
--- a/ssl/ssl_rsa.c
+++ b/ssl/ssl_rsa.c
@@ -644,10 +644,20 @@ static int use_certificate_chain_file(SSL_CTX *ctx, SSL *ssl, const char *file)
     BIO *in;
     int ret = 0;
     X509 *x = NULL;
+    pem_password_cb *passwd_callback;
+    void *passwd_callback_userdata;
 
     ERR_clear_error();          /* clear error stack for
                                  * SSL_CTX_use_certificate() */
 
+    if (ctx != NULL) {
+        passwd_callback = ctx->default_passwd_callback;
+        passwd_callback_userdata = ctx->default_passwd_callback_userdata;
+    } else {
+        passwd_callback = ssl->default_passwd_callback;
+        passwd_callback_userdata = ssl->default_passwd_callback_userdata;
+    }
+
     in = BIO_new(BIO_s_file());
     if (in == NULL) {
         SSLerr(SSL_F_USE_CERTIFICATE_CHAIN_FILE, ERR_R_BUF_LIB);
@@ -659,8 +669,8 @@ static int use_certificate_chain_file(SSL_CTX *ctx, SSL *ssl, const char *file)
         goto end;
     }
 
-    x = PEM_read_bio_X509_AUX(in, NULL, ctx->default_passwd_callback,
-                              ctx->default_passwd_callback_userdata);
+    x = PEM_read_bio_X509_AUX(in, NULL, passwd_callback,
+                              passwd_callback_userdata);
     if (x == NULL) {
         SSLerr(SSL_F_USE_CERTIFICATE_CHAIN_FILE, ERR_R_PEM_LIB);
         goto end;
@@ -693,10 +703,9 @@ static int use_certificate_chain_file(SSL_CTX *ctx, SSL *ssl, const char *file)
             goto end;
         }
 
-        while ((ca = PEM_read_bio_X509(in, NULL,
-                                       ctx->default_passwd_callback,
-                                       ctx->default_passwd_callback_userdata))
-               != NULL) {
+        while ((ca = PEM_read_bio_X509(in, NULL, passwd_callback,
+                                       passwd_callback_userdata))
+                != NULL) {
             if (ctx)
                 r = SSL_CTX_add0_chain_cert(ctx, ca);
             else
diff --git a/util/ssleay.num b/util/ssleay.num
index b3f6324..be4c940 100755
--- a/util/ssleay.num
+++ b/util/ssleay.num
@@ -409,3 +409,5 @@ SSL_in_init                             443	EXIST::FUNCTION:
 SSL_in_before                           444	EXIST::FUNCTION:
 SSL_is_init_finished                    445	EXIST::FUNCTION:
 SSL_get_state                           446	EXIST::FUNCTION:
+SSL_set_default_passwd_cb               447	EXIST::FUNCTION:
+SSL_set_default_passwd_cb_userdata      448	EXIST::FUNCTION:


More information about the openssl-commits mailing list