[openssl] master update

shane.lontis at oracle.com shane.lontis at oracle.com
Fri Apr 30 06:08:25 UTC 2021


The branch master has been updated
       via  455f2542526ba3aa0db16dc8c4a5289d7f3e6b50 (commit)
       via  857c223bf73f6d3ec91567cf341c5267392a3e66 (commit)
       via  e9d62da6c305d947530d91e412fdb21a8d8e3510 (commit)
      from  9ac653d81a857a5452f9f25278a24e1dfb226905 (commit)


- Log -----------------------------------------------------------------
commit 455f2542526ba3aa0db16dc8c4a5289d7f3e6b50
Author: Shane Lontis <shane.lontis at oracle.com>
Date:   Wed Apr 28 17:51:15 2021 +1000

    Update OSSL_STORE_attach() documentation to indicate it increases the ref_count of the passed in bio
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    Reviewed-by: Paul Dale <pauli at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15058)

commit 857c223bf73f6d3ec91567cf341c5267392a3e66
Author: Shane Lontis <shane.lontis at oracle.com>
Date:   Wed Apr 28 17:22:50 2021 +1000

    Fix memory leak in load_key_certs_crls() when using stdin.
    
    A newly created BIO object within this function calls
    OSSL_STORE_attach() which increases the ref count to 2.
    OSSL_STORE_close() then decrements the ref count by 1, so the BIO still
    remains.
    
    The following new test was picking up this leak using..
    > valgrind openssl crl -hash -noout < test/testcrl.pem
    
    Not quite sure why the existing tests were not picking this up
    since they appear to run through a similar path, such as
    > valgrind openssl pkey < test-runs/test_rsa/rsa-pkcs8-ff.dd
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    Reviewed-by: Paul Dale <pauli at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15058)

commit e9d62da6c305d947530d91e412fdb21a8d8e3510
Author: Shane Lontis <shane.lontis at oracle.com>
Date:   Wed Apr 28 12:51:49 2021 +1000

    Fix CRL app so that stdin works.
    
    Fixes #15031
    
    The maybe_stdin needed to be passed to load_key_certs_crls().
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    Reviewed-by: Paul Dale <pauli at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/15058)

-----------------------------------------------------------------------

Summary of changes:
 apps/crl.c                     |  6 +++---
 apps/include/apps.h            |  2 +-
 apps/lib/apps.c                | 12 +++++++-----
 apps/s_client.c                |  2 +-
 apps/s_server.c                |  2 +-
 doc/man3/OSSL_STORE_attach.pod |  5 +++--
 test/recipes/25-test_crl.t     | 17 ++++++++++++++++-
 7 files changed, 32 insertions(+), 14 deletions(-)

diff --git a/apps/crl.c b/apps/crl.c
index fbdd2a896c..8a0dc3605d 100644
--- a/apps/crl.c
+++ b/apps/crl.c
@@ -211,7 +211,7 @@ int crl_main(int argc, char **argv)
         if (!opt_md(digestname, &digest))
             goto opthelp;
     }
-    x = load_crl(infile, "CRL");
+    x = load_crl(infile, 1, "CRL");
     if (x == NULL)
         goto end;
 
@@ -250,13 +250,13 @@ int crl_main(int argc, char **argv)
             BIO_printf(bio_err, "verify OK\n");
     }
 
-    if (crldiff) {
+    if (crldiff != NULL) {
         X509_CRL *newcrl, *delta;
         if (!keyfile) {
             BIO_puts(bio_err, "Missing CRL signing key\n");
             goto end;
         }
-        newcrl = load_crl(crldiff, "other CRL");
+        newcrl = load_crl(crldiff, 0, "other CRL");
         if (!newcrl)
             goto end;
         pkey = load_key(keyfile, keyformat, 0, NULL, NULL, "CRL signing key");
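Review bot: The style change on the first line of the hunk (`if (crldiff != NULL)`) leaves the neighbouring `if (!keyfile)` and `if (!newcrl)` in the old pointer-as-boolean form, so the block now mixes both conventions; since those lines are already in the hunk, `if (keyfile == NULL)` and `if (newcrl == NULL)` would make it consistent. The second load_crl() call passes 0 for maybe_stdin while the primary input in the earlier hunk passes 1, which is correct because only one input can be read from stdin, but a short comment such as `/* only the primary CRL (-in) may come from stdin */` would make that deliberate choice visible. crl_main() starts and ends outside the hunk.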
diff --git a/apps/include/apps.h b/apps/include/apps.h
index 2d102246f8..9532d396eb 100644
--- a/apps/include/apps.h
+++ b/apps/include/apps.h
@@ -111,7 +111,7 @@ X509_REQ *load_csr(const char *file, int format, const char *desc);
 X509 *load_cert_pass(const char *uri, int maybe_stdin,
                      const char *pass, const char *desc);
 #define load_cert(uri, desc) load_cert_pass(uri, 1, NULL, desc)
-X509_CRL *load_crl(const char *uri, const char *desc);
+X509_CRL *load_crl(const char *uri, int maybe_stdin, const char *desc);
 void cleanse(char *str);
 void clear_free(char *str);
 EVP_PKEY *load_key(const char *uri, int format, int maybe_stdin,
diff --git a/apps/lib/apps.c b/apps/lib/apps.c
index 4b7b38cf5c..d715e25ff1 100644
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@@ -499,7 +499,7 @@ X509 *load_cert_pass(const char *uri, int maybe_stdin,
     return cert;
 }
 
-X509_CRL *load_crl(const char *uri, const char *desc)
+X509_CRL *load_crl(const char *uri, int maybe_stdin, const char *desc)
 {
     X509_CRL *crl = NULL;
 
@@ -510,7 +510,7 @@ X509_CRL *load_crl(const char *uri, const char *desc)
     else if (IS_HTTP(uri))
         crl = X509_CRL_load_http(uri, NULL, NULL, 0 /* timeout */);
     else
-        (void)load_key_certs_crls(uri, 0, NULL, desc,
+        (void)load_key_certs_crls(uri, maybe_stdin, NULL, desc,
                                   NULL, NULL,  NULL, NULL, NULL, &crl, NULL);
     if (crl == NULL) {
         BIO_printf(bio_err, "Unable to load %s\n", desc);
@@ -924,9 +924,11 @@ int load_key_certs_crls(const char *uri, int maybe_stdin,
         uri = "<stdin>";
         unbuffer(stdin);
         bio = BIO_new_fp(stdin, 0);
-        if (bio != NULL)
+        if (bio != NULL) {
             ctx = OSSL_STORE_attach(bio, "file", libctx, propq,
                                     get_ui_method(), &uidata, NULL, NULL);
+            BIO_free(bio);
+        }
     } else {
         ctx = OSSL_STORE_open_ex(uri, libctx, propq, get_ui_method(), &uidata,
                                  NULL, NULL);
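Review bot: The new `BIO_free(bio)` after OSSL_STORE_attach() is right for both outcomes — on success the store context holds its own reference, on failure this releases the only one — but that reasoning is not visible at the call site and deserves a comment such as `/* OSSL_STORE_attach() takes its own reference on success; drop ours in both cases */`. After the free `bio` is left dangling; load_key_certs_crls() continues past the hunk, so if `bio` is touched again later (for instance freed on an error path) that would be a double free, and `bio = NULL;` after the free, or declaring `bio` in this narrower scope, removes the risk. The 0 passed to BIO_new_fp() means the free does not close the underlying stdin FILE, so that part of the behaviour is unchanged.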
@@ -2318,8 +2320,8 @@ static X509_CRL *load_crl_crldp(STACK_OF(DIST_POINT) *crldp)
     for (i = 0; i < sk_DIST_POINT_num(crldp); i++) {
         DIST_POINT *dp = sk_DIST_POINT_value(crldp, i);
         urlptr = get_dp_url(dp);
-        if (urlptr)
-            return load_crl(urlptr, "CRL via CDP");
+        if (urlptr != NULL)
+            return load_crl(urlptr, 0, "CRL via CDP");
     }
     return NULL;
 }
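Review bot: Passing 0 for maybe_stdin on the new `load_crl(urlptr, 0, "CRL via CDP")` line is the right choice and worth stating, since `urlptr` is taken from the certificate's distribution-point extension rather than from the command line; a one-line comment `/* never read stdin for a URL that came from a certificate extension */` above the call would keep a later refactor from "fixing" it to 1. Note that for a non-HTTP value the load_crl() fall-through shown in the earlier hunk still hands the string to load_key_certs_crls() as a URI, which is pre-existing behaviour but relevant to anyone feeding untrusted certificates through this path. load_crl_crldp()'s opening lies before the hunk.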
diff --git a/apps/s_client.c b/apps/s_client.c
index 7b3cf87620..dfc38b6659 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -1632,7 +1632,7 @@ int s_client_main(int argc, char **argv)
 
     if (crl_file != NULL) {
         X509_CRL *crl;
-        crl = load_crl(crl_file, "CRL");
+        crl = load_crl(crl_file, 0, "CRL");
         if (crl == NULL)
             goto end;
         crls = sk_X509_CRL_new_null();
diff --git a/apps/s_server.c b/apps/s_server.c
index b00303630f..9ffd499a0a 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -1726,7 +1726,7 @@ int s_server_main(int argc, char *argv[])
 
     if (crl_file != NULL) {
         X509_CRL *crl;
-        crl = load_crl(crl_file, "CRL");
+        crl = load_crl(crl_file, 0, "CRL");
         if (crl == NULL)
             goto end;
         crls = sk_X509_CRL_new_null();
diff --git a/doc/man3/OSSL_STORE_attach.pod b/doc/man3/OSSL_STORE_attach.pod
index 87910e434e..9ad53af81a 100644
--- a/doc/man3/OSSL_STORE_attach.pod
+++ b/doc/man3/OSSL_STORE_attach.pod
@@ -18,7 +18,8 @@ OSSL_STORE_attach - Functions to read objects from a BIO
 
 OSSL_STORE_attach() works like L<OSSL_STORE_open(3)>, except it takes a B<BIO>
 I<bio> instead of a I<uri>, along with a I<scheme> to determine what loader
-should be used to process the data.
+should be used to process the data. The reference count of the B<BIO> object
+is increased by 1 if the call is successful.
 
 =head1 RETURN VALUES
 
@@ -35,7 +36,7 @@ OSSL_STORE_attach() was added in OpenSSL 3.0.
 
 =head1 COPYRIGHT
 
-Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
 
 Licensed under the Apache License 2.0 (the "License").  You may not use
 this file except in compliance with the License.  You can obtain a copy
diff --git a/test/recipes/25-test_crl.t b/test/recipes/25-test_crl.t
index a17383f043..1d6200e6d4 100644
--- a/test/recipes/25-test_crl.t
+++ b/test/recipes/25-test_crl.t
@@ -15,7 +15,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/;
 
 setup("test_crl");
 
-plan tests => 8;
+plan tests => 9;
 
 require_ok(srctop_file('test','recipes','tconversion.pl'));
 
@@ -39,6 +39,11 @@ ok(compare1stline([qw{openssl crl -noout -hash -in},
                    srctop_file('test', 'testcrl.pem')],
                   '106cd822'));
 
+ok(compare1stline_stdin([qw{openssl crl -hash -noout}],
+                        srctop_file("test","testcrl.pem"),
+                        '106cd822'),
+   "crl piped input test");
+
 ok(run(app(["openssl", "crl", "-text", "-in", $pem, "-out", $out,
             "-nameopt", "utf8"])));
 is(cmp_text($out, srctop_file("test/certs", "cyrillic_crl.utf8")),
@@ -53,3 +58,13 @@ sub compare1stline {
     note "Expected ", $str;
     return 0;
 }
+
+sub compare1stline_stdin {
+    my ($cmdarray, $infile, $str) = @_;
+    my @lines = run(app($cmdarray, stdin => $infile), capture => 1);
+
+    return 1 if $lines[0] =~ m|^\Q${str}\E\R$|;
+    note "Got      ", $lines[0];
+    note "Expected ", $str;
+    return 0;
+}
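Review bot: compare1stline_stdin() duplicates the body of compare1stline() except for the `stdin => $infile` argument to app(), so the two helpers will drift apart; a single helper taking an optional input file and passing `stdin => $infile` only when it is defined would avoid that. Both helpers also match against `$lines[0]` without checking that run() captured any output, so a command that fails outright produces an "uninitialized value" warning instead of a clear diagnostic; `return 0 unless @lines;` before the match covers that case. compare1stline()'s opening lies before the hunk.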

