[openssl] master update

shane.lontis at oracle.com shane.lontis at oracle.com
Sun May 30 23:44:23 UTC 2021 

The branch master has been updated
       via  99be8ed331d884e77f658bb404b67a42405703e6 (commit)
      from  e43dc9b2438892f2adb7375ce9147e84b791ab97 (commit)


- Log -----------------------------------------------------------------
commit 99be8ed331d884e77f658bb404b67a42405703e6
Author: Matt Caswell <matt at openssl.org>
Date:   Fri May 21 16:45:58 2021 +0100

    Fix cert creation in the store
    
    When we create a cert in the store, make sure we do so with the libctx
    and propq associated.
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/15523)

-----------------------------------------------------------------------

Summary of changes:
 crypto/store/store_result.c | 31 +++++++++++++++----------------
 1 file changed, 15 insertions(+), 16 deletions(-)

diff --git a/crypto/store/store_result.c b/crypto/store/store_result.c
index 82ec046763..7c48d182a8 100644
--- a/crypto/store/store_result.c
+++ b/crypto/store/store_result.c
@@ -442,8 +442,6 @@ static int try_cert(struct extracted_param_data_st *data, OSSL_STORE_INFO **v,
 {
     if (data->object_type == OSSL_OBJECT_UNKNOWN
         || data->object_type == OSSL_OBJECT_CERT) {
-        X509 *cert;
-
         /*
          * In most cases, we can try to interpret the serialized
          * data as a trusted cert (X509 + X509_AUX) and fall back
@@ -454,31 +452,32 @@ static int try_cert(struct extracted_param_data_st *data, OSSL_STORE_INFO **v,
          * or not (0).
          */
         int ignore_trusted = 1;
+        X509 *cert = X509_new_ex(libctx, propq);
+
+        if (cert == NULL)
+            return 0;
 
         /* If we have a data type, it should be a PEM name */
         if (data->data_type != NULL
             && (strcasecmp(data->data_type, PEM_STRING_X509_TRUSTED) == 0))
             ignore_trusted = 0;
 
-        cert = d2i_X509_AUX(NULL, (const unsigned char **)&data->octet_data,
-                            data->octet_data_size);
-        if (cert == NULL && ignore_trusted)
-            cert = d2i_X509(NULL, (const unsigned char **)&data->octet_data,
-                            data->octet_data_size);
-
-        if (cert != NULL)
-            /* We determined the object type */
-            data->object_type = OSSL_OBJECT_CERT;
-
-        if (cert != NULL && !ossl_x509_set0_libctx(cert, libctx, propq)) {
+        if (d2i_X509_AUX(&cert, (const unsigned char **)&data->octet_data,
+                         data->octet_data_size) == NULL
+            && (!ignore_trusted
+                || d2i_X509(&cert, (const unsigned char **)&data->octet_data,
+                            data->octet_data_size) == NULL)) {
             X509_free(cert);
             cert = NULL;
         }
 
-        if (cert != NULL)
+        if (cert != NULL) {
+            /* We determined the object type */
+            data->object_type = OSSL_OBJECT_CERT;
             *v = OSSL_STORE_INFO_new_CERT(cert);
-        if (*v == NULL)
-            X509_free(cert);
+            if (*v == NULL)
+                X509_free(cert);
+        }
     }
 
     return 1;

More information about the openssl-commits mailing list