[openssl-commits] [openssl] master update

Rich Salz rsalz at openssl.org
Mon Mar 7 19:45:19 UTC 2016


The branch master has been updated
       via  3f3c7d26d577902a542bf226a091aab93ea1ff96 (commit)
       via  4d482ee24fd4b4cec38671e0060e2131efc5de51 (commit)
       via  1cb437bedb06b7d6518792a2f8e62041b6e6c88b (commit)
       via  147e54a77ed43b1522f343114d79f8b4c8a6bfb2 (commit)
      from  c6912adf0c07227b18be3d8ef12d92ad7fc4318a (commit)


- Log -----------------------------------------------------------------
commit 3f3c7d26d577902a542bf226a091aab93ea1ff96
Author: Rob Percival <robpercival at google.com>
Date:   Mon Mar 7 18:05:53 2016 +0000

    Use s->session->peer instead of calling SSL_get_peer_certificate(s)
    
    Avoids modifying certificate reference count, and thereby avoids locking.
    
    Reviewed-by: Emilia Käsper <emilia at openssl.org>
    Reviewed-by: Rich Salz <rsalz at openssl.org>

commit 4d482ee24fd4b4cec38671e0060e2131efc5de51
Author: Rob Percival <robpercival at google.com>
Date:   Mon Mar 7 18:03:34 2016 +0000

    Lowercase name of SSL_validate_ct as it is an internal function
    
    Reviewed-by: Emilia Käsper <emilia at openssl.org>
    Reviewed-by: Rich Salz <rsalz at openssl.org>

commit 1cb437bedb06b7d6518792a2f8e62041b6e6c88b
Author: Rob Percival <robpercival at google.com>
Date:   Mon Mar 7 17:23:39 2016 +0000

    CT code now calls X509_free() after calling SSL_get_peer_certificate()
    
    Without this, the peer certificate would never be deleted, resulting in
    a memory leak.
    
    Reviewed-by: Emilia Käsper <emilia at openssl.org>
    Reviewed-by: Rich Salz <rsalz at openssl.org>

commit 147e54a77ed43b1522f343114d79f8b4c8a6bfb2
Author: Rob Percival <robpercival at google.com>
Date:   Mon Mar 7 12:38:49 2016 +0000

    Fixes memory leaks in CT code
    
    Reviewed-by: Emilia Käsper <emilia at openssl.org>
    Reviewed-by: Rich Salz <rsalz at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 crypto/ct/ct_sct.c       |  2 +-
 ssl/ssl_lib.c            |  6 +++---
 ssl/ssl_locl.h           |  2 +-
 ssl/statem/statem_clnt.c |  2 +-
 test/ct_test.c           | 10 +++++-----
 5 files changed, 11 insertions(+), 11 deletions(-)

diff --git a/crypto/ct/ct_sct.c b/crypto/ct/ct_sct.c
index 35f8152..2b7211d 100644
--- a/crypto/ct/ct_sct.c
+++ b/crypto/ct/ct_sct.c
@@ -402,7 +402,7 @@ int SCT_validate(SCT *sct, const CT_POLICY_EVAL_CTX *ctx)
             goto end;
         }
 
-        issuer_pkey = X509_get_pubkey(ctx->issuer);
+        issuer_pkey = X509_get0_pubkey(ctx->issuer);
 
         if (X509_PUBKEY_set(&pub, issuer_pkey) != 1)
             goto err;
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 40c4171..5dfb0fd 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -3931,7 +3931,7 @@ err:
 static int ct_extract_x509v3_extension_scts(SSL *s)
 {
     int scts_extracted = 0;
-    X509 *cert = SSL_get_peer_certificate(s);
+    X509 *cert = s->session != NULL ? s->session->peer : NULL;
 
     if (cert != NULL) {
         STACK_OF(SCT) *scts =
@@ -4028,10 +4028,10 @@ ct_validation_cb SSL_CTX_get_ct_validation_callback(const SSL_CTX *ctx)
     return ctx->ct_validation_callback;
 }
 
-int SSL_validate_ct(SSL *s)
+int ssl_validate_ct(SSL *s)
 {
     int ret = 0;
-    X509 *cert = SSL_get_peer_certificate(s);
+    X509 *cert = s->session != NULL ? s->session->peer : NULL;
     X509 *issuer = NULL;
     CT_POLICY_EVAL_CTX *ctx = NULL;
     const STACK_OF(SCT) *scts;
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 4ea036d..6c7f47d 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -2072,7 +2072,7 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
 void tls1_set_cert_validity(SSL *s);
 
 #ifndef OPENSSL_NO_CT
-__owur int SSL_validate_ct(SSL *s);
+__owur int ssl_validate_ct(SSL *s);
 #endif
 
 #  ifndef OPENSSL_NO_DH
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index b8ca82f..03f4a8f 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -2060,7 +2060,7 @@ MSG_PROCESS_RETURN tls_process_server_done(SSL *s, PACKET *pkt)
 
 #ifndef OPENSSL_NO_CT
     if (s->ct_validation_callback != NULL) {
-        if (!SSL_validate_ct(s)) {
+        if (!ssl_validate_ct(s)) {
             ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
             return MSG_PROCESS_ERROR;
         }
diff --git a/test/ct_test.c b/test/ct_test.c
index 99517a6..30e1ac6 100644
--- a/test/ct_test.c
+++ b/test/ct_test.c
@@ -80,7 +80,7 @@ typedef struct ct_test_fixture {
     /* Set the following to test handling of SCTs in TLS format */
     const uint8_t *tls_sct;
     size_t tls_sct_len;
-    const SCT *sct;
+    SCT *sct;
     /*
      * A file to load the expected SCT text from.
      * This text will be compared to the actual text output during the test.
@@ -124,6 +124,7 @@ end:
 static void tear_down(CT_TEST_FIXTURE fixture)
 {
     CTLOG_STORE_free(fixture.ctlog_store);
+    SCT_free(fixture.sct);
     ERR_print_errors_fp(stderr);
 }
 
@@ -237,6 +238,8 @@ static int execute_cert_test(CT_TEST_FIXTURE fixture)
     SCT *sct = NULL;
     char expected_sct_text[CT_TEST_MAX_FILE_SIZE];
     int sct_text_len = 0;
+    unsigned char *tls_sct = NULL;
+    size_t tls_sct_len = 0;
     CT_POLICY_EVAL_CTX *ct_policy_ctx = CT_POLICY_EVAL_CTX_new();
 
     if (fixture.sct_text_file_path != NULL) {
@@ -361,8 +364,6 @@ static int execute_cert_test(CT_TEST_FIXTURE fixture)
 
     if (fixture.tls_sct != NULL) {
         const unsigned char *p = fixture.tls_sct;
-        unsigned char *tls_sct;
-        size_t tls_sct_len;
         if (o2i_SCT(&sct, &p, fixture.tls_sct_len) == NULL) {
             test_failed = 1;
             fprintf(stderr, "Failed to decode SCT from TLS format\n");
@@ -403,6 +404,7 @@ end:
     SCT_LIST_free(scts);
     SCT_free(sct);
     CT_POLICY_EVAL_CTX_free(ct_policy_ctx);
+    OPENSSL_free(tls_sct);
     return test_failed;
 }
 
@@ -502,8 +504,6 @@ static int test_encode_tls_sct()
     fixture.sct = sct;
     fixture.sct_text_file_path = "ct/tls1.sct";
     EXECUTE_CT_TEST();
-
-    SCT_free(sct);
 }
 
 int main(int argc, char *argv[])


More information about the openssl-commits mailing list