[openssl-commits] [openssl] master update
Matt Caswell
matt at openssl.org
Thu Apr 19 07:56:55 UTC 2018
The branch master has been updated
via 7f6dfa19dfbd1d009bf3ab36805b8d132d4ecd56 (commit)
via 1c705121af8a0f8095d7cb36419e1166f42cc1e6 (commit)
from c324ecfb2d4a6608d7a5f848968180c7995fc9a6 (commit)
- Log -----------------------------------------------------------------
commit 7f6dfa19dfbd1d009bf3ab36805b8d132d4ecd56
Author: Matt Caswell <matt at openssl.org>
Date: Wed Apr 18 14:22:36 2018 +0100
Add a test for a NULL X509_STORE in X509_STORE_CTX_init
Reviewed-by: Richard Levitte <levitte at openssl.org>
Reviewed-by: Rich Salz <rsalz at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6001)
commit 1c705121af8a0f8095d7cb36419e1166f42cc1e6
Author: Matt Caswell <matt at openssl.org>
Date: Wed Apr 18 14:20:29 2018 +0100
Don't crash if there are no trusted certs
The X509_STORE_CTX_init() docs explicitly allow a NULL parameter for the
X509_STORE. Therefore we shouldn't crash if we subsequently call
X509_verify_cert() and no X509_STORE has been set.
Fixes #2462
Reviewed-by: Richard Levitte <levitte at openssl.org>
Reviewed-by: Rich Salz <rsalz at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6001)
-----------------------------------------------------------------------
Summary of changes:
crypto/x509/x509_lu.c | 15 +++++++++++++--
test/verify_extra_test.c | 38 ++++++++++++++++++++++++++++++++++++++
2 files changed, 51 insertions(+), 2 deletions(-)
diff --git a/crypto/x509/x509_lu.c b/crypto/x509/x509_lu.c
index a7da7d2..7407005 100644
--- a/crypto/x509/x509_lu.c
+++ b/crypto/x509/x509_lu.c
@@ -264,6 +264,9 @@ int X509_STORE_CTX_get_by_subject(X509_STORE_CTX *vs, X509_LOOKUP_TYPE type,
X509_OBJECT stmp, *tmp;
int i, j;
+ if (ctx == NULL)
+ return 0;
+
CRYPTO_THREAD_write_lock(ctx->lock);
tmp = X509_OBJECT_retrieve_by_subject(ctx->objs, type, name);
CRYPTO_THREAD_unlock(ctx->lock);
@@ -473,6 +476,9 @@ STACK_OF(X509) *X509_STORE_CTX_get1_certs(X509_STORE_CTX *ctx, X509_NAME *nm)
X509 *x;
X509_OBJECT *obj;
+ if (ctx->ctx == NULL)
+ return NULL;
+
CRYPTO_THREAD_write_lock(ctx->ctx->lock);
idx = x509_object_idx_cnt(ctx->ctx->objs, X509_LU_X509, nm, &cnt);
if (idx < 0) {
@@ -522,8 +528,10 @@ STACK_OF(X509_CRL) *X509_STORE_CTX_get1_crls(X509_STORE_CTX *ctx, X509_NAME *nm)
X509_OBJECT *obj, *xobj = X509_OBJECT_new();
/* Always do lookup to possibly add new CRLs to cache */
- if (sk == NULL || xobj == NULL ||
- !X509_STORE_CTX_get_by_subject(ctx, X509_LU_CRL, nm, xobj)) {
+ if (sk == NULL
+ || xobj == NULL
+ || ctx->ctx == NULL
+ || !X509_STORE_CTX_get_by_subject(ctx, X509_LU_CRL, nm, xobj)) {
X509_OBJECT_free(xobj);
sk_X509_CRL_free(sk);
return NULL;
@@ -617,6 +625,9 @@ int X509_STORE_CTX_get1_issuer(X509 **issuer, X509_STORE_CTX *ctx, X509 *x)
}
X509_OBJECT_free(obj);
+ if (ctx->ctx == NULL)
+ return 0;
+
/* Else find index of first cert accepted by 'check_issued' */
ret = 0;
CRYPTO_THREAD_write_lock(ctx->ctx->lock);
diff --git a/test/verify_extra_test.c b/test/verify_extra_test.c
index 83d93cd..5d46542 100644
--- a/test/verify_extra_test.c
+++ b/test/verify_extra_test.c
@@ -138,6 +138,43 @@ static int test_alt_chains_cert_forgery(void)
return ret;
}
+static int test_store_ctx(void)
+{
+ X509_STORE_CTX *sctx = NULL;
+ X509 *x = NULL;
+ BIO *bio = NULL;
+ int testresult = 0, ret;
+
+ bio = BIO_new_file(bad_f, "r");
+ if (bio == NULL)
+ goto err;
+
+ x = PEM_read_bio_X509(bio, NULL, 0, NULL);
+ if (x == NULL)
+ goto err;
+
+ sctx = X509_STORE_CTX_new();
+ if (sctx == NULL)
+ goto err;
+
+ if (!X509_STORE_CTX_init(sctx, NULL, x, NULL))
+ goto err;
+
+ /* Verifying a cert where we have no trusted certs should fail */
+ ret = X509_verify_cert(sctx);
+
+ if (ret == 0) {
+ /* This is the result we were expecting: Test passed */
+ testresult = 1;
+ }
+
+ err:
+ X509_STORE_CTX_free(sctx);
+ X509_free(x);
+ BIO_free(bio);
+ return testresult;
+}
+
int setup_tests(void)
{
if (!TEST_ptr(roots_f = test_get_argument(0))
@@ -148,5 +185,6 @@ int setup_tests(void)
}
ADD_TEST(test_alt_chains_cert_forgery);
+ ADD_TEST(test_store_ctx);
return 1;
}
More information about the openssl-commits
mailing list