[openssl-commits] [openssl] master update
Rich Salz
rsalz at openssl.org
Mon Mar 7 19:45:19 UTC 2016
The branch master has been updated
via 3f3c7d26d577902a542bf226a091aab93ea1ff96 (commit)
via 4d482ee24fd4b4cec38671e0060e2131efc5de51 (commit)
via 1cb437bedb06b7d6518792a2f8e62041b6e6c88b (commit)
via 147e54a77ed43b1522f343114d79f8b4c8a6bfb2 (commit)
from c6912adf0c07227b18be3d8ef12d92ad7fc4318a (commit)
- Log -----------------------------------------------------------------
commit 3f3c7d26d577902a542bf226a091aab93ea1ff96
Author: Rob Percival <robpercival at google.com>
Date: Mon Mar 7 18:05:53 2016 +0000
Use s->session->peer instead of calling SSL_get_peer_certificate(s)
Avoids modifying certificate reference count, and thereby avoids locking.
Reviewed-by: Emilia Käsper <emilia at openssl.org>
Reviewed-by: Rich Salz <rsalz at openssl.org>
commit 4d482ee24fd4b4cec38671e0060e2131efc5de51
Author: Rob Percival <robpercival at google.com>
Date: Mon Mar 7 18:03:34 2016 +0000
Lowercase name of SSL_validate_ct as it is an internal function
Reviewed-by: Emilia Käsper <emilia at openssl.org>
Reviewed-by: Rich Salz <rsalz at openssl.org>
commit 1cb437bedb06b7d6518792a2f8e62041b6e6c88b
Author: Rob Percival <robpercival at google.com>
Date: Mon Mar 7 17:23:39 2016 +0000
CT code now calls X509_free() after calling SSL_get_peer_certificate()
Without this, the peer certificate would never be deleted, resulting in
a memory leak.
Reviewed-by: Emilia Käsper <emilia at openssl.org>
Reviewed-by: Rich Salz <rsalz at openssl.org>
commit 147e54a77ed43b1522f343114d79f8b4c8a6bfb2
Author: Rob Percival <robpercival at google.com>
Date: Mon Mar 7 12:38:49 2016 +0000
Fixes memory leaks in CT code
Reviewed-by: Emilia Käsper <emilia at openssl.org>
Reviewed-by: Rich Salz <rsalz at openssl.org>
-----------------------------------------------------------------------
Summary of changes:
crypto/ct/ct_sct.c | 2 +-
ssl/ssl_lib.c | 6 +++---
ssl/ssl_locl.h | 2 +-
ssl/statem/statem_clnt.c | 2 +-
test/ct_test.c | 10 +++++-----
5 files changed, 11 insertions(+), 11 deletions(-)
diff --git a/crypto/ct/ct_sct.c b/crypto/ct/ct_sct.c
index 35f8152..2b7211d 100644
--- a/crypto/ct/ct_sct.c
+++ b/crypto/ct/ct_sct.c
@@ -402,7 +402,7 @@ int SCT_validate(SCT *sct, const CT_POLICY_EVAL_CTX *ctx)
goto end;
}
- issuer_pkey = X509_get_pubkey(ctx->issuer);
+ issuer_pkey = X509_get0_pubkey(ctx->issuer);
if (X509_PUBKEY_set(&pub, issuer_pkey) != 1)
goto err;
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 40c4171..5dfb0fd 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -3931,7 +3931,7 @@ err:
static int ct_extract_x509v3_extension_scts(SSL *s)
{
int scts_extracted = 0;
- X509 *cert = SSL_get_peer_certificate(s);
+ X509 *cert = s->session != NULL ? s->session->peer : NULL;
if (cert != NULL) {
STACK_OF(SCT) *scts =
@@ -4028,10 +4028,10 @@ ct_validation_cb SSL_CTX_get_ct_validation_callback(const SSL_CTX *ctx)
return ctx->ct_validation_callback;
}
-int SSL_validate_ct(SSL *s)
+int ssl_validate_ct(SSL *s)
{
int ret = 0;
- X509 *cert = SSL_get_peer_certificate(s);
+ X509 *cert = s->session != NULL ? s->session->peer : NULL;
X509 *issuer = NULL;
CT_POLICY_EVAL_CTX *ctx = NULL;
const STACK_OF(SCT) *scts;
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index 4ea036d..6c7f47d 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -2072,7 +2072,7 @@ int tls1_check_chain(SSL *s, X509 *x, EVP_PKEY *pk, STACK_OF(X509) *chain,
void tls1_set_cert_validity(SSL *s);
#ifndef OPENSSL_NO_CT
-__owur int SSL_validate_ct(SSL *s);
+__owur int ssl_validate_ct(SSL *s);
#endif
# ifndef OPENSSL_NO_DH
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index b8ca82f..03f4a8f 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -2060,7 +2060,7 @@ MSG_PROCESS_RETURN tls_process_server_done(SSL *s, PACKET *pkt)
#ifndef OPENSSL_NO_CT
if (s->ct_validation_callback != NULL) {
- if (!SSL_validate_ct(s)) {
+ if (!ssl_validate_ct(s)) {
ssl3_send_alert(s, SSL3_AL_FATAL, SSL_AD_HANDSHAKE_FAILURE);
return MSG_PROCESS_ERROR;
}
diff --git a/test/ct_test.c b/test/ct_test.c
index 99517a6..30e1ac6 100644
--- a/test/ct_test.c
+++ b/test/ct_test.c
@@ -80,7 +80,7 @@ typedef struct ct_test_fixture {
/* Set the following to test handling of SCTs in TLS format */
const uint8_t *tls_sct;
size_t tls_sct_len;
- const SCT *sct;
+ SCT *sct;
/*
* A file to load the expected SCT text from.
* This text will be compared to the actual text output during the test.
@@ -124,6 +124,7 @@ end:
static void tear_down(CT_TEST_FIXTURE fixture)
{
CTLOG_STORE_free(fixture.ctlog_store);
+ SCT_free(fixture.sct);
ERR_print_errors_fp(stderr);
}
@@ -237,6 +238,8 @@ static int execute_cert_test(CT_TEST_FIXTURE fixture)
SCT *sct = NULL;
char expected_sct_text[CT_TEST_MAX_FILE_SIZE];
int sct_text_len = 0;
+ unsigned char *tls_sct = NULL;
+ size_t tls_sct_len = 0;
CT_POLICY_EVAL_CTX *ct_policy_ctx = CT_POLICY_EVAL_CTX_new();
if (fixture.sct_text_file_path != NULL) {
@@ -361,8 +364,6 @@ static int execute_cert_test(CT_TEST_FIXTURE fixture)
if (fixture.tls_sct != NULL) {
const unsigned char *p = fixture.tls_sct;
- unsigned char *tls_sct;
- size_t tls_sct_len;
if (o2i_SCT(&sct, &p, fixture.tls_sct_len) == NULL) {
test_failed = 1;
fprintf(stderr, "Failed to decode SCT from TLS format\n");
@@ -403,6 +404,7 @@ end:
SCT_LIST_free(scts);
SCT_free(sct);
CT_POLICY_EVAL_CTX_free(ct_policy_ctx);
+ OPENSSL_free(tls_sct);
return test_failed;
}
@@ -502,8 +504,6 @@ static int test_encode_tls_sct()
fixture.sct = sct;
fixture.sct_text_file_path = "ct/tls1.sct";
EXECUTE_CT_TEST();
-
- SCT_free(sct);
}
int main(int argc, char *argv[])
More information about the openssl-commits
mailing list