[openssl/openssl] 08cecb: Add X509_STORE_get1_objects

David Benjamin noreply at github.com
Mon Jan 15 15:32:58 UTC 2024 

  Branch: refs/heads/master
  Home:   https://github.com/openssl/openssl
  Commit: 08cecb4448e990f7914ec1df97b1ee0ca9031643
      https://github.com/openssl/openssl/commit/08cecb4448e990f7914ec1df97b1ee0ca9031643
  Author: David Benjamin <davidben at google.com>
  Date:   2024-01-15 (Mon, 15 Jan 2024)

  Changed paths:
    M crypto/x509/x509_lu.c
    M doc/man3/X509_STORE_get0_param.pod
    M include/openssl/x509_vfy.h.in
    M test/x509_load_cert_file_test.c
    M util/libcrypto.num

  Log Message:
  -----------
  Add X509_STORE_get1_objects

X509_STORE_get0_objects returns a pointer to the X509_STORE's storage,
but this function is a bit deceptive. It is practically unusable in a
multi-threaded program. See, for example, RUSTSEC-2023-0072, a security
vulnerability caused by this OpenSSL API.

One might think that, if no other threads are mutating the X509_STORE,
it is safe to read the resulting list. However, the documention does not
mention that other logically-const operations on the X509_STORE, notably
certifcate verifications when a hash_dir is installed, will, under a
lock, write to the X509_STORE. The X509_STORE also internally re-sorts
the list on the first query.

If the caller knows to call X509_STORE_lock and X509_STORE_unlock, it
can work around this. But this is not obvious, and the documentation
does not discuss how X509_STORE_lock is very rarely safe to use. E.g.
one cannot call any APIs like X509_STORE_add_cert or
X509_STORE_CTX_get1_issuer while holding the lock because those
functions internally expect to take the lock. (X509_STORE_lock is
another such API which is not safe to export as public API.)

Rather than leave all this to the caller to figure out, the API should
have returned a shallow copy of the list, refcounting the values. Then
it could be internally locked and the caller can freely inspect the
result without synchronization with the X509_STORE.

Reviewed-by: Neil Horman <nhorman at openssl.org>
Reviewed-by: Tomas Mraz <tomas at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/23224)

More information about the openssl-commits mailing list