[openssl] master update
dev at ddvo.net
dev at ddvo.net
Sat Apr 17 09:39:44 UTC 2021
The branch master has been updated
via 44c75ba67df9588636649416e6fb120a9fc27489 (commit)
via cd69b4bd7cffa2f52ab35cdf47b6d95775a4a84b (commit)
from e494fac705057c91017b41fa761f9406c87f4cc5 (commit)
- Log -----------------------------------------------------------------
commit 44c75ba67df9588636649416e6fb120a9fc27489
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Thu Apr 15 15:44:41 2021 +0200
apps/cmp.c: Fix TLS hostname checking in case -server provides more than hostname
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14889)
commit cd69b4bd7cffa2f52ab35cdf47b6d95775a4a84b
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Tue Apr 13 09:08:07 2021 +0200
OSSL_CMP_CTX_new(): Fix distinction of out-of-memory and other errors
Reviewed-by: Paul Dale <pauli at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/14889)
-----------------------------------------------------------------------
Summary of changes:
apps/cmp.c | 20 ++++++++++----------
crypto/cmp/cmp_ctx.c | 7 ++++---
2 files changed, 14 insertions(+), 13 deletions(-)
diff --git a/apps/cmp.c b/apps/cmp.c
index 7cc8988b13..50282315d8 100644
--- a/apps/cmp.c
+++ b/apps/cmp.c
@@ -673,7 +673,7 @@ static X509_REQ *load_csr_autofmt(const char *infile, const char *desc)
}
/* set expected host name/IP addr and clears the email addr in the given ts */
-static int truststore_set_host_etc(X509_STORE *ts, char *host)
+static int truststore_set_host_etc(X509_STORE *ts, const char *host)
{
X509_VERIFY_PARAM *ts_vpm = X509_STORE_get0_param(ts);
@@ -1181,7 +1181,8 @@ static int setup_verification_ctx(OSSL_CMP_CTX *ctx)
* set up ssl_ctx for the OSSL_CMP_CTX based on options from config file/CLI.
* Returns pointer on success, NULL on error
*/
-static SSL_CTX *setup_ssl_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
+static SSL_CTX *setup_ssl_ctx(OSSL_CMP_CTX *ctx, const char *host,
+ ENGINE *engine)
{
STACK_OF(X509) *untrusted = OSSL_CMP_CTX_get0_untrusted(ctx);
EVP_PKEY *pkey = NULL;
@@ -1313,8 +1314,7 @@ static SSL_CTX *setup_ssl_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
if (opt_tls_trusted != NULL) {
/* enable and parameterize server hostname/IP address check */
if (!truststore_set_host_etc(trust_store,
- opt_tls_host != NULL ?
- opt_tls_host : opt_server))
+ opt_tls_host != NULL ? opt_tls_host : host))
/* TODO: is the server host name correct for TLS via proxy? */
goto err;
SSL_CTX_set_verify(ssl_ctx, SSL_VERIFY_PEER, NULL);
@@ -1767,7 +1767,7 @@ static int handle_opt_geninfo(OSSL_CMP_CTX *ctx)
static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
{
int ret = 0;
- char *server = NULL, *port = NULL, *path = NULL, *used_path;
+ char *host = NULL, *port = NULL, *path = NULL, *used_path;
int portnum, ssl;
char server_buf[200] = { '\0' };
char proxy_buf[200] = { '\0' };
@@ -1778,7 +1778,7 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
CMP_err("missing -server option");
goto err;
}
- if (!OSSL_HTTP_parse_url(opt_server, &ssl, NULL /* user */, &server, &port,
+ if (!OSSL_HTTP_parse_url(opt_server, &ssl, NULL /* user */, &host, &port,
&portnum, &path, NULL /* q */, NULL /* frag */)) {
CMP_err1("cannot parse -server URL: %s", opt_server);
goto err;
@@ -1789,7 +1789,7 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
}
BIO_snprintf(server_port, sizeof(server_port), "%s", port);
used_path = opt_path != NULL ? opt_path : path;
- if (!OSSL_CMP_CTX_set1_server(ctx, server)
+ if (!OSSL_CMP_CTX_set1_server(ctx, host)
|| !OSSL_CMP_CTX_set_serverPort(ctx, portnum)
|| !OSSL_CMP_CTX_set1_serverPath(ctx, used_path))
goto oom;
@@ -1798,7 +1798,7 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
if (opt_no_proxy != NULL && !OSSL_CMP_CTX_set1_no_proxy(ctx, opt_no_proxy))
goto oom;
(void)BIO_snprintf(server_buf, sizeof(server_buf), "http%s://%s:%s/%s",
- opt_tls_used ? "s" : "", server, port,
+ opt_tls_used ? "s" : "", host, port,
*used_path == '/' ? used_path + 1 : used_path);
if (opt_proxy != NULL)
@@ -1869,7 +1869,7 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
info->port = server_port;
info->use_proxy = opt_proxy != NULL;
info->timeout = OSSL_CMP_CTX_get_option(ctx, OSSL_CMP_OPT_MSG_TIMEOUT);
- info->ssl_ctx = setup_ssl_ctx(ctx, engine);
+ info->ssl_ctx = setup_ssl_ctx(ctx, host, engine);
if (info->ssl_ctx == NULL)
goto err;
(void)OSSL_CMP_CTX_set_http_cb(ctx, app_http_tls_cb);
@@ -1896,7 +1896,7 @@ static int setup_client_ctx(OSSL_CMP_CTX *ctx, ENGINE *engine)
ret = 1;
err:
- OPENSSL_free(server);
+ OPENSSL_free(host);
OPENSSL_free(port);
OPENSSL_free(path);
OPENSSL_free(proxy_host);
diff --git a/crypto/cmp/cmp_ctx.c b/crypto/cmp/cmp_ctx.c
index 0016569356..110361320d 100644
--- a/crypto/cmp/cmp_ctx.c
+++ b/crypto/cmp/cmp_ctx.c
@@ -108,7 +108,7 @@ OSSL_CMP_CTX *OSSL_CMP_CTX_new(OSSL_LIB_CTX *libctx, const char *propq)
ctx->libctx = libctx;
if (propq != NULL && (ctx->propq = OPENSSL_strdup(propq)) == NULL)
- goto err;
+ goto oom;
ctx->log_verbosity = OSSL_CMP_LOG_INFO;
@@ -118,7 +118,7 @@ OSSL_CMP_CTX *OSSL_CMP_CTX_new(OSSL_LIB_CTX *libctx, const char *propq)
ctx->msg_timeout = 2 * 60;
if ((ctx->untrusted = sk_X509_new_null()) == NULL)
- goto err;
+ goto oom;
ctx->pbm_slen = 16;
if (!cmp_ctx_set_md(ctx, &ctx->pbm_owf, NID_sha256))
@@ -134,9 +134,10 @@ OSSL_CMP_CTX *OSSL_CMP_CTX_new(OSSL_LIB_CTX *libctx, const char *propq)
/* all other elements are initialized to 0 or NULL, respectively */
return ctx;
+ oom:
+ ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE);
err:
OSSL_CMP_CTX_free(ctx);
- ERR_raise(ERR_LIB_X509, ERR_R_MALLOC_FAILURE);
return NULL;
}
More information about the openssl-commits
mailing list