[openssl] master update

Richard Levitte levitte at openssl.org
Thu Jul 16 07:09:39 UTC 2020


The branch master has been updated
       via  8c2bfd25129aea1b1f1b66ec753b21955f8ed523 (commit)
      from  55affcadbe4aac7d4832448b8c071b582da4e344 (commit)


- Log -----------------------------------------------------------------
commit 8c2bfd25129aea1b1f1b66ec753b21955f8ed523
Author: Todd Short <tshort at akamai.com>
Date:   Thu Apr 11 10:47:13 2019 -0400

    Add SSL_get[01]_peer_certificate()
    
    Deprecate SSL_get_peer_certificte() and replace with
    SSL_get1_peer_certificate().
    Add SSL_get0_peer_certificate.
    
    Reviewed-by: Paul Dale <paul.dale at oracle.com>
    Reviewed-by: Viktor Dukhovni <viktor at openssl.org>
    Reviewed-by: Dmitry Belyavskiy <beldmit at gmail.com>
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    (Merged from https://github.com/openssl/openssl/pull/8730)

-----------------------------------------------------------------------

Summary of changes:
 apps/lib/s_cb.c                       |  3 +--
 apps/s_client.c                       |  3 +--
 apps/s_server.c                       |  6 ++----
 doc/man3/SSL_get_peer_certificate.pod | 27 +++++++++++++++++++++------
 include/openssl/ssl.h                 |  7 ++++++-
 ssl/ssl_lib.c                         | 23 ++++++++++++-----------
 ssl/statem/statem_clnt.c              |  2 +-
 ssl/statem/statem_lib.c               |  2 +-
 test/handshake_helper.c               | 10 +++-------
 test/ossl_shim/ossl_shim.cc           |  2 +-
 test/sslapitest.c                     |  8 +++-----
 test/ssltest_old.c                    |  3 +--
 util/libssl.num                       |  4 +++-
 util/other.syms                       |  1 +
 14 files changed, 57 insertions(+), 44 deletions(-)

diff --git a/apps/lib/s_cb.c b/apps/lib/s_cb.c
index 5bddde5b03..de72bde9ed 100644
--- a/apps/lib/s_cb.c
+++ b/apps/lib/s_cb.c
@@ -1227,7 +1227,7 @@ void print_ssl_summary(SSL *s)
     c = SSL_get_current_cipher(s);
     BIO_printf(bio_err, "Ciphersuite: %s\n", SSL_CIPHER_get_name(c));
     do_print_sigalgs(bio_err, s, 0);
-    peer = SSL_get_peer_certificate(s);
+    peer = SSL_get0_peer_certificate(s);
     if (peer != NULL) {
         int nid;
 
@@ -1243,7 +1243,6 @@ void print_ssl_summary(SSL *s)
     } else {
         BIO_puts(bio_err, "No peer certificate\n");
     }
-    X509_free(peer);
 #ifndef OPENSSL_NO_EC
     ssl_print_point_formats(bio_err, s);
     if (SSL_is_server(s))
diff --git a/apps/s_client.c b/apps/s_client.c
index 5a5a40c927..91b21003fb 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -3241,7 +3241,7 @@ static void print_stuff(BIO *bio, SSL *s, int full)
         }
 
         BIO_printf(bio, "---\n");
-        peer = SSL_get_peer_certificate(s);
+        peer = SSL_get0_peer_certificate(s);
         if (peer != NULL) {
             BIO_printf(bio, "Server certificate\n");
 
@@ -3421,7 +3421,6 @@ static void print_stuff(BIO *bio, SSL *s, int full)
         OPENSSL_free(exportedkeymat);
     }
     BIO_printf(bio, "---\n");
-    X509_free(peer);
     /* flush, or debugging output gets mixed with http response */
     (void)BIO_flush(bio);
 }
diff --git a/apps/s_server.c b/apps/s_server.c
index 9995953526..15d479ce0e 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -2939,12 +2939,11 @@ static void print_connection_info(SSL *con)
 
     PEM_write_bio_SSL_SESSION(bio_s_out, SSL_get_session(con));
 
-    peer = SSL_get_peer_certificate(con);
+    peer = SSL_get0_peer_certificate(con);
     if (peer != NULL) {
         BIO_printf(bio_s_out, "Client certificate\n");
         PEM_write_bio_X509(bio_s_out, peer);
         dump_cert_text(bio_s_out, peer);
-        X509_free(peer);
         peer = NULL;
     }
 
@@ -3265,12 +3264,11 @@ static int www_body(int s, int stype, int prot, unsigned char *context)
             BIO_printf(io, "---\n");
             print_stats(io, SSL_get_SSL_CTX(con));
             BIO_printf(io, "---\n");
-            peer = SSL_get_peer_certificate(con);
+            peer = SSL_get0_peer_certificate(con);
             if (peer != NULL) {
                 BIO_printf(io, "Client certificate\n");
                 X509_print(io, peer);
                 PEM_write_bio_X509(io, peer);
-                X509_free(peer);
                 peer = NULL;
             } else {
                 BIO_puts(io, "no client certificate available\n");
diff --git a/doc/man3/SSL_get_peer_certificate.pod b/doc/man3/SSL_get_peer_certificate.pod
index e21e3e4fd4..b695edc689 100644
--- a/doc/man3/SSL_get_peer_certificate.pod
+++ b/doc/man3/SSL_get_peer_certificate.pod
@@ -2,17 +2,21 @@
 
 =head1 NAME
 
-SSL_get_peer_certificate - get the X509 certificate of the peer
+SSL_get_peer_certificate,
+SSL_get0_peer_certificate,
+SSL_get1_peer_certificate - get the X509 certificate of the peer
 
 =head1 SYNOPSIS
 
  #include <openssl/ssl.h>
 
  X509 *SSL_get_peer_certificate(const SSL *ssl);
+ X509 *SSL_get0_peer_certificate(const SSL *ssl);
+ X509 *SSL_get1_peer_certificate(const SSL *ssl);
 
 =head1 DESCRIPTION
 
-SSL_get_peer_certificate() returns a pointer to the X509 certificate the
+These functions return a pointer to the X509 certificate the
 peer presented. If the peer did not present a certificate, NULL is returned.
 
 =head1 NOTES
@@ -27,9 +31,15 @@ That a certificate is returned does not indicate information about the
 verification state, use L<SSL_get_verify_result(3)>
 to check the verification state.
 
-The reference count of the X509 object is incremented by one, so that it
-will not be destroyed when the session containing the peer certificate is
-freed. The X509 object must be explicitly freed using X509_free().
+The reference count of the X509 object returned by SSL_get1_peer_certificate()
+is incremented by one, so that it will not be destroyed when the session
+containing the peer certificate is freed. The X509 object must be explicitly
+freed using X509_free().
+
+The reference count of the X509 object returned by SSL_get0_peer_certificate()
+is not incremented, and must not be freed.
+
+SSL_get_peer_certificate() is an alias of SSL_get1_peer_certificate().
 
 =head1 RETURN VALUES
 
@@ -52,9 +62,14 @@ The return value points to the certificate presented by the peer.
 L<ssl(7)>, L<SSL_get_verify_result(3)>,
 L<SSL_CTX_set_verify(3)>
 
+=head1 HISTORY
+
+SSL_get0_peer_certificate() and SSL_get1_peer_certificate() were added in 3.0.0.
+SSL_get_peer_certificate() was deprecated in 3.0.0.
+
 =head1 COPYRIGHT
 
-Copyright 2000-2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2000-2020 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 8d96f0d85a..53664229c2 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -1706,7 +1706,12 @@ SSL_SESSION *d2i_SSL_SESSION(SSL_SESSION **a, const unsigned char **pp,
                              long length);
 
 # ifdef OPENSSL_X509_H
-__owur X509 *SSL_get_peer_certificate(const SSL *s);
+__owur X509 *SSL_get0_peer_certificate(const SSL *s);
+__owur X509 *SSL_get1_peer_certificate(const SSL *s);
+/* Deprecated in 3.0.0 */
+#  ifndef OPENSSL_NO_DEPRECATED_3_0
+#   define SSL_get_peer_certificate SSL_get1_peer_certifiate
+#  endif
 # endif
 
 __owur STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *s);
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index c3174a7c91..243c0ed7c9 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1524,23 +1524,24 @@ int SSL_has_pending(const SSL *s)
     return RECORD_LAYER_read_pending(&s->rlayer);
 }
 
-X509 *SSL_get_peer_certificate(const SSL *s)
+X509 *SSL_get1_peer_certificate(const SSL *s)
 {
-    X509 *r;
+    X509 *r = SSL_get0_peer_certificate(s);
 
-    if ((s == NULL) || (s->session == NULL))
-        r = NULL;
-    else
-        r = s->session->peer;
-
-    if (r == NULL)
-        return r;
-
-    X509_up_ref(r);
+    if (r != NULL)
+        X509_up_ref(r);
 
     return r;
 }
 
+X509 *SSL_get0_peer_certificate(const SSL *s)
+{
+    if ((s == NULL) || (s->session == NULL))
+        return NULL;
+    else
+        return s->session->peer;
+}
+
 STACK_OF(X509) *SSL_get_peer_cert_chain(const SSL *s)
 {
     STACK_OF(X509) *r;
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c
index 7189940a62..9bee9cb3af 100644
--- a/ssl/statem/statem_clnt.c
+++ b/ssl/statem/statem_clnt.c
@@ -2551,7 +2551,7 @@ MSG_PROCESS_RETURN tls_process_certificate_request(SSL *s, PACKET *pkt)
      * after the CertificateVerify message has been received. This is because
      * in TLSv1.3 the CertificateRequest arrives before the Certificate message
      * but in TLSv1.2 it is the other way around. We want to make sure that
-     * SSL_get_peer_certificate() returns something sensible in
+     * SSL_get1_peer_certificate() returns something sensible in
      * client_cert_cb.
      */
     if (SSL_IS_TLS13(s) && s->post_handshake_auth != SSL_PHA_REQUESTED)
diff --git a/ssl/statem/statem_lib.c b/ssl/statem/statem_lib.c
index 36cdc1be58..de8212747f 100644
--- a/ssl/statem/statem_lib.c
+++ b/ssl/statem/statem_lib.c
@@ -537,7 +537,7 @@ MSG_PROCESS_RETURN tls_process_cert_verify(SSL *s, PACKET *pkt)
      * certificate after the CertVerify instead of when we get the
      * CertificateRequest. This is because in TLSv1.3 the CertificateRequest
      * comes *before* the Certificate message. In TLSv1.2 it comes after. We
-     * want to make sure that SSL_get_peer_certificate() will return the actual
+     * want to make sure that SSL_get1_peer_certificate() will return the actual
      * server certificate from the client_cert_cb callback.
      */
     if (!s->server && SSL_IS_TLS13(s) && s->s3.tmp.cert_req == 1)
diff --git a/test/handshake_helper.c b/test/handshake_helper.c
index 2dfded5c11..bc6762d475 100644
--- a/test/handshake_helper.c
+++ b/test/handshake_helper.c
@@ -1285,14 +1285,10 @@ static int pkey_type(EVP_PKEY *pkey)
 
 static int peer_pkey_type(SSL *s)
 {
-    X509 *x = SSL_get_peer_certificate(s);
+    X509 *x = SSL_get0_peer_certificate(s);
 
-    if (x != NULL) {
-        int nid = pkey_type(X509_get0_pubkey(x));
-
-        X509_free(x);
-        return nid;
-    }
+    if (x != NULL)
+        return pkey_type(X509_get0_pubkey(x));
     return NID_undef;
 }
 
diff --git a/test/ossl_shim/ossl_shim.cc b/test/ossl_shim/ossl_shim.cc
index 0184778d4f..d4d7cf1454 100644
--- a/test/ossl_shim/ossl_shim.cc
+++ b/test/ossl_shim/ossl_shim.cc
@@ -894,7 +894,7 @@ static bool CheckHandshakeProperties(SSL *ssl, bool is_resume) {
       return false;
     }
   } else if (!config->is_server || config->require_any_client_certificate) {
-    if (SSL_get_peer_certificate(ssl) == nullptr) {
+    if (SSL_get0_peer_certificate(ssl) == nullptr) {
       fprintf(stderr, "Received no peer certificate but expected one.\n");
       return false;
     }
diff --git a/test/sslapitest.c b/test/sslapitest.c
index afc4ea8d40..1a91f96fb9 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -7623,15 +7623,13 @@ static int test_cert_cb(int tst)
 
 static int client_cert_cb(SSL *ssl, X509 **x509, EVP_PKEY **pkey)
 {
-    X509 *xcert, *peer;
+    X509 *xcert;
     EVP_PKEY *privpkey;
     BIO *in = NULL;
 
-    /* Check that SSL_get_peer_certificate() returns something sensible */
-    peer = SSL_get_peer_certificate(ssl);
-    if (!TEST_ptr(peer))
+    /* Check that SSL_get0_peer_certificate() returns something sensible */
+    if (!TEST_ptr(SSL_get0_peer_certificate(ssl)))
         return 0;
-    X509_free(peer);
 
     in = BIO_new_file(cert, "r");
     if (!TEST_ptr(in))
diff --git a/test/ssltest_old.c b/test/ssltest_old.c
index d45b2786d3..4f340fc2e0 100644
--- a/test/ssltest_old.c
+++ b/test/ssltest_old.c
@@ -781,7 +781,7 @@ static void print_details(SSL *c_ssl, const char *prefix)
                prefix,
                SSL_get_version(c_ssl),
                SSL_CIPHER_get_version(ciph), SSL_CIPHER_get_name(ciph));
-    cert = SSL_get_peer_certificate(c_ssl);
+    cert = SSL_get0_peer_certificate(c_ssl);
     if (cert != NULL) {
         EVP_PKEY* pubkey = X509_get0_pubkey(cert);
 
@@ -789,7 +789,6 @@ static void print_details(SSL *c_ssl, const char *prefix)
             BIO_puts(bio_stdout, ", ");
             print_key_details(bio_stdout, pubkey);
         }
-        X509_free(cert);
     }
     if (SSL_get_peer_tmp_key(c_ssl, &pkey)) {
         BIO_puts(bio_stdout, ", temp key: ");
diff --git a/util/libssl.num b/util/libssl.num
index d638088dde..637e088704 100644
--- a/util/libssl.num
+++ b/util/libssl.num
@@ -79,7 +79,7 @@ SSL_SESSION_print                       79	3_0_0	EXIST::FUNCTION:
 SSL_get_client_ciphers                  80	3_0_0	EXIST::FUNCTION:
 SSL_get_srtp_profiles                   81	3_0_0	EXIST::FUNCTION:SRTP
 SSL_use_certificate_ASN1                82	3_0_0	EXIST::FUNCTION:
-SSL_get_peer_certificate                83	3_0_0	EXIST::FUNCTION:
+SSL_get_peer_certificate                83	3_0_0	NOEXIST::FUNCTION:
 DTLSv1_2_server_method                  84	3_0_0	EXIST::FUNCTION:DEPRECATEDIN_1_1_0,DTLS1_2_METHOD
 SSL_set_cert_cb                         85	3_0_0	EXIST::FUNCTION:
 SSL_CTX_set_cookie_verify_cb            86	3_0_0	EXIST::FUNCTION:
@@ -514,3 +514,5 @@ SSL_CTX_load_verify_store               ?	3_0_0	EXIST::FUNCTION:
 SSL_CTX_set_tlsext_ticket_key_evp_cb    ?	3_0_0	EXIST::FUNCTION:
 SSL_CTX_new_with_libctx                 ?	3_0_0	EXIST::FUNCTION:
 SSL_new_session_ticket                  ?	3_0_0	EXIST::FUNCTION:
+SSL_get0_peer_certificate               ?	3_0_0	EXIST::FUNCTION:
+SSL_get1_peer_certificate               ?	3_0_0	EXIST::FUNCTION:
diff --git a/util/other.syms b/util/other.syms
index ab60424a8f..351cffa933 100644
--- a/util/other.syms
+++ b/util/other.syms
@@ -505,6 +505,7 @@ SSL_get_max_cert_list                   define
 SSL_get_max_proto_version               define
 SSL_get_min_proto_version               define
 SSL_get_mode                            define
+SSL_get_peer_certificate                define deprecated 3.0.0
 SSL_get_peer_signature_nid              define
 SSL_get_peer_tmp_key                    define
 SSL_get_secure_renegotiation_support    define


More information about the openssl-commits mailing list