[openssl-commits] [openssl] master update
Matt Caswell
matt at openssl.org
Tue Nov 10 23:04:48 UTC 2015
The branch master has been updated
via a974e64aaaa8a6f99f55a68d28c07c04ecea2f50 (commit)
from 6329b6092b28b656be8a1e4a8363d2e3bcc32053 (commit)
- Log -----------------------------------------------------------------
commit a974e64aaaa8a6f99f55a68d28c07c04ecea2f50
Author: Matt Caswell <matt at openssl.org>
Date: Mon Nov 9 14:38:59 2015 +0000
Fix SSL_use_certificate_chain_file
The new function SSL_use_certificate_chain_file was always crashing in
the internal function use_certificate_chain_file because it would pass a
NULL value for SSL_CTX *, but use_certificate_chain_file would
unconditionally try to dereference it.
Reviewed-by: Stephen Henson <steve at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
doc/ssl/SSL_CTX_set_default_passwd_cb.pod | 12 +++++++++---
include/openssl/ssl.h | 2 ++
ssl/ssl_lib.c | 16 ++++++++++++++++
ssl/ssl_locl.h | 6 ++++++
ssl/ssl_rsa.c | 21 +++++++++++++++------
util/ssleay.num | 2 ++
6 files changed, 50 insertions(+), 9 deletions(-)
diff --git a/doc/ssl/SSL_CTX_set_default_passwd_cb.pod b/doc/ssl/SSL_CTX_set_default_passwd_cb.pod
index 9455139..452737f 100644
--- a/doc/ssl/SSL_CTX_set_default_passwd_cb.pod
+++ b/doc/ssl/SSL_CTX_set_default_passwd_cb.pod
@@ -2,7 +2,9 @@
=head1 NAME
-SSL_CTX_set_default_passwd_cb, SSL_CTX_set_default_passwd_cb_userdata - set passwd callback for encrypted PEM file handling
+SSL_CTX_set_default_passwd_cb, SSL_CTX_set_default_passwd_cb_userdata,
+SSL_set_default_passwd_cb, SSL_set_default_passwd_cb_userdata - set passwd
+callback for encrypted PEM file handling
=head1 SYNOPSIS
@@ -10,6 +12,8 @@ SSL_CTX_set_default_passwd_cb, SSL_CTX_set_default_passwd_cb_userdata - set pass
void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb);
void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u);
+ void SSL_set_default_passwd_cb(SSL *s, pem_password_cb *cb);
+ void SSL_set_default_passwd_cb_userdata(SSL *s, void *u);
int pem_passwd_cb(char *buf, int size, int rwflag, void *userdata);
@@ -21,6 +25,9 @@ when loading/storing a PEM certificate with encryption.
SSL_CTX_set_default_passwd_cb_userdata() sets a pointer to B<userdata> which
will be provided to the password callback on invocation.
+SSL_set_default_passwd_cb() and SSL_set_default_passwd_cb_userdata() perform the
+same function as their SSL_CTX counterparts, but using an SSL object.
+
The pem_passwd_cb(), which must be provided by the application, hands back the
password to be used during decryption. On invocation a pointer to B<userdata>
is provided. The pem_passwd_cb must write the password into the provided buffer
@@ -51,8 +58,7 @@ however not usual, as certificate information is considered public.
=head1 RETURN VALUES
-SSL_CTX_set_default_passwd_cb() and SSL_CTX_set_default_passwd_cb_userdata()
-do not provide diagnostic information.
+These functions do not provide diagnostic information.
=head1 EXAMPLES
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 28322eb..cf9f83a 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -1514,6 +1514,8 @@ __owur int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len,
void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb);
void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u);
+void SSL_set_default_passwd_cb(SSL *s, pem_password_cb *cb);
+void SSL_set_default_passwd_cb_userdata(SSL *s, void *u);
__owur int SSL_CTX_check_private_key(const SSL_CTX *ctx);
__owur int SSL_check_private_key(const SSL *ctx);
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index b6e5127..d8d2244 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -366,6 +366,9 @@ SSL *SSL_new(SSL_CTX *ctx)
s->verify_result = X509_V_OK;
+ s->default_passwd_callback = ctx->default_passwd_callback;
+ s->default_passwd_callback_userdata = ctx->default_passwd_callback_userdata;
+
s->method = ctx->method;
if (!s->method->ssl_new(s))
@@ -1846,6 +1849,16 @@ void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u)
ctx->default_passwd_callback_userdata = u;
}
+void SSL_set_default_passwd_cb(SSL *s, pem_password_cb *cb)
+{
+ s->default_passwd_callback = cb;
+}
+
+void SSL_set_default_passwd_cb_userdata(SSL *s, void *u)
+{
+ s->default_passwd_callback_userdata = u;
+}
+
void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx,
int (*cb) (X509_STORE_CTX *, void *),
void *arg)
@@ -2535,6 +2548,9 @@ SSL *SSL_dup(SSL *s)
* ret->init_off */
ret->hit = s->hit;
+ ret->default_passwd_callback = s->default_passwd_callback;
+ ret->default_passwd_callback_userdata = s->default_passwd_callback_userdata;
+
X509_VERIFY_PARAM_inherit(ret->param, s->param);
/* dup the cipher_list and cipher_list_by_id stacks */
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index e174def..03bc35c 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -1193,6 +1193,12 @@ struct ssl_st {
int (*not_resumable_session_cb) (SSL *ssl, int is_forward_secure);
RECORD_LAYER rlayer;
+
+ /* Default password callback. */
+ pem_password_cb *default_passwd_callback;
+
+ /* Default password callback user data. */
+ void *default_passwd_callback_userdata;
};
diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c
index 9e172b5..be552c1 100644
--- a/ssl/ssl_rsa.c
+++ b/ssl/ssl_rsa.c
@@ -644,10 +644,20 @@ static int use_certificate_chain_file(SSL_CTX *ctx, SSL *ssl, const char *file)
BIO *in;
int ret = 0;
X509 *x = NULL;
+ pem_password_cb *passwd_callback;
+ void *passwd_callback_userdata;
ERR_clear_error(); /* clear error stack for
* SSL_CTX_use_certificate() */
+ if (ctx != NULL) {
+ passwd_callback = ctx->default_passwd_callback;
+ passwd_callback_userdata = ctx->default_passwd_callback_userdata;
+ } else {
+ passwd_callback = ssl->default_passwd_callback;
+ passwd_callback_userdata = ssl->default_passwd_callback_userdata;
+ }
+
in = BIO_new(BIO_s_file());
if (in == NULL) {
SSLerr(SSL_F_USE_CERTIFICATE_CHAIN_FILE, ERR_R_BUF_LIB);
@@ -659,8 +669,8 @@ static int use_certificate_chain_file(SSL_CTX *ctx, SSL *ssl, const char *file)
goto end;
}
- x = PEM_read_bio_X509_AUX(in, NULL, ctx->default_passwd_callback,
- ctx->default_passwd_callback_userdata);
+ x = PEM_read_bio_X509_AUX(in, NULL, passwd_callback,
+ passwd_callback_userdata);
if (x == NULL) {
SSLerr(SSL_F_USE_CERTIFICATE_CHAIN_FILE, ERR_R_PEM_LIB);
goto end;
@@ -693,10 +703,9 @@ static int use_certificate_chain_file(SSL_CTX *ctx, SSL *ssl, const char *file)
goto end;
}
- while ((ca = PEM_read_bio_X509(in, NULL,
- ctx->default_passwd_callback,
- ctx->default_passwd_callback_userdata))
- != NULL) {
+ while ((ca = PEM_read_bio_X509(in, NULL, passwd_callback,
+ passwd_callback_userdata))
+ != NULL) {
if (ctx)
r = SSL_CTX_add0_chain_cert(ctx, ca);
else
diff --git a/util/ssleay.num b/util/ssleay.num
index b3f6324..be4c940 100755
--- a/util/ssleay.num
+++ b/util/ssleay.num
@@ -409,3 +409,5 @@ SSL_in_init 443 EXIST::FUNCTION:
SSL_in_before 444 EXIST::FUNCTION:
SSL_is_init_finished 445 EXIST::FUNCTION:
SSL_get_state 446 EXIST::FUNCTION:
+SSL_set_default_passwd_cb 447 EXIST::FUNCTION:
+SSL_set_default_passwd_cb_userdata 448 EXIST::FUNCTION:
More information about the openssl-commits
mailing list