From: tb Date: Fri, 26 May 2023 13:44:05 +0000 (+0000) Subject: Move verified_chain from SSL to SSL_HANDSHAKE X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=57f93a0c9b9e238370e028633aa58de8fdcf4bca;p=openbsd Move verified_chain from SSL to SSL_HANDSHAKE This is a better version of the fix for the missing pointer invalidation but a bit larger, so errata got the minimal fix. tested by jcs ok jsing
---
diff --git a/lib/libssl/s3_lib.c b/lib/libssl/s3_lib.c
index 4229b2e9e3d..37ca7bd113b 100644
--- a/lib/libssl/s3_lib.c
+++ b/lib/libssl/s3_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s3_lib.c,v 1.243 2023/05/16 14:10:43 jcs Exp $ */
+/* $OpenBSD: s3_lib.c,v 1.244 2023/05/26 13:44:05 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -1570,6 +1570,7 @@ ssl3_free(SSL *s)
 freezero(s->s3->hs.sigalgs, s->s3->hs.sigalgs_len);
 sk_X509_pop_free(s->s3->hs.peer_certs, X509_free);
 sk_X509_pop_free(s->s3->hs.peer_certs_no_leaf, X509_free);
+ sk_X509_pop_free(s->s3->hs.verified_chain, X509_free);
 tls_key_share_free(s->s3->hs.key_share);
 tls13_secrets_destroy(s->s3->hs.tls13.secrets);
@@ -1579,8 +1580,6 @@ ssl3_free(SSL *s)
 tls_buffer_free(s->s3->hs.tls13.quic_read_buffer);
 sk_X509_NAME_pop_free(s->s3->hs.tls12.ca_names, X509_NAME_free);
- sk_X509_pop_free(s->verified_chain, X509_free);
- s->verified_chain = NULL;
 tls1_transcript_free(s);
 tls1_transcript_hash_free(s);
@@ -1603,8 +1602,6 @@ ssl3_clear(SSL *s)
 tls1_cleanup_key_block(s);
 sk_X509_NAME_pop_free(s->s3->hs.tls12.ca_names, X509_NAME_free);
- sk_X509_pop_free(s->verified_chain, X509_free);
- s->verified_chain = NULL;
 tls_buffer_free(s->s3->alert_fragment);
 s->s3->alert_fragment = NULL;
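Review bot: In the ssl3_free hunk at -1570, the added `sk_X509_pop_free(s->s3->hs.verified_chain, X509_free);` frees the stack but leaves the pointer set, whereas the ssl3_clear hunk at -1619 also writes `s->s3->hs.verified_chain = NULL;`. This matches the neighbouring peer_certs lines and is presumably safe because ssl3_free releases s->s3 itself further down, but that part of the function is outside the hunk. Since the commit exists to fix a missing pointer invalidation, a short comment before the hs frees would make the reliance explicit, for example `/* hs pointers are not reset here: s->s3 itself is released at the end of ssl3_free(). */`, if that is indeed the case.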
@@ -1619,6 +1616,8 @@ ssl3_clear(SSL *s)
 s->s3->hs.peer_certs = NULL;
 sk_X509_pop_free(s->s3->hs.peer_certs_no_leaf, X509_free);
 s->s3->hs.peer_certs_no_leaf = NULL;
+ sk_X509_pop_free(s->s3->hs.verified_chain, X509_free);
+ s->s3->hs.verified_chain = NULL;
 tls_key_share_free(s->s3->hs.key_share);
 s->s3->hs.key_share = NULL;
diff --git a/lib/libssl/ssl_cert.c b/lib/libssl/ssl_cert.c
index 4fe805212b6..8a333b42789 100644
--- a/lib/libssl/ssl_cert.c
+++ b/lib/libssl/ssl_cert.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_cert.c,v 1.105 2022/11/26 16:08:55 tb Exp $ */
+/* $OpenBSD: ssl_cert.c,v 1.106 2023/05/26 13:44:05 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -440,11 +440,11 @@ ssl_verify_cert_chain(SSL *s, STACK_OF(X509) *certs)
 ret = X509_verify_cert(ctx);
 s->verify_result = X509_STORE_CTX_get_error(ctx);
- sk_X509_pop_free(s->verified_chain, X509_free);
- s->verified_chain = NULL;
+ sk_X509_pop_free(s->s3->hs.verified_chain, X509_free);
+ s->s3->hs.verified_chain = NULL;
 if (X509_STORE_CTX_get0_chain(ctx) != NULL) {
- s->verified_chain = X509_STORE_CTX_get1_chain(ctx);
- if (s->verified_chain == NULL) {
+ s->s3->hs.verified_chain = X509_STORE_CTX_get1_chain(ctx);
+ if (s->s3->hs.verified_chain == NULL) {
 SSLerrorx(ERR_R_MALLOC_FAILURE);
 ret = 0;
 }
diff --git a/lib/libssl/ssl_lib.c b/lib/libssl/ssl_lib.c
index 68e60a54812..f6c94061391 100644
--- a/lib/libssl/ssl_lib.c
+++ b/lib/libssl/ssl_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_lib.c,v 1.309 2023/04/23 18:51:53 tb Exp $ */
+/* $OpenBSD: ssl_lib.c,v 1.310 2023/05/26 13:44:05 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -900,7 +900,9 @@ SSL_get_peer_cert_chain(const SSL *s)
 STACK_OF(X509) *
 SSL_get0_verified_chain(const SSL *s)
 {
- return s->verified_chain;
+ if (s->s3 == NULL)
+ return NULL;
+ return s->s3->hs.verified_chain;
 }
 /*
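Review bot: ssl_verify_cert_chain now dereferences `s->s3` on the four changed lines without a check, while SSL_get0_verified_chain in ssl_lib.c gains an explicit `if (s->s3 == NULL)` guard in this same commit. If the invariant is that s->s3 always exists by the time a peer chain is verified, a one-line comment next to the free would record it, for example `/* s->s3 is always allocated while a handshake is in progress. */`. The start of the function is outside the hunk, so an earlier check may already cover this.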
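Review bot: SSL_get0_verified_chain now hands out a pointer into handshake state, and nothing at the function says how long that pointer stays valid. The other hunks in this commit free the stack in ssl3_clear, in ssl3_free and at the next ssl_verify_cert_chain call, so a caller that keeps the result across any of those holds a dangling pointer. A comment above the function would document the contract: `/* Returned stack is owned by s; it is freed on clear, on free and by the next certificate verification. */`. Callers that need the chain longer should take their own reference, for example with X509_chain_up_ref().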
diff --git a/lib/libssl/ssl_local.h b/lib/libssl/ssl_local.h
index 876a5e46571..cb38e5f91c1 100644
--- a/lib/libssl/ssl_local.h
+++ b/lib/libssl/ssl_local.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ssl_local.h,v 1.5 2023/04/25 07:48:15 tb Exp $ */
+/* $OpenBSD: ssl_local.h,v 1.6 2023/05/26 13:44:05 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -651,6 +651,9 @@ typedef struct ssl_handshake_st {
 STACK_OF(X509) *peer_certs;
 STACK_OF(X509) *peer_certs_no_leaf;
+ /* Certificate chain resulting from X.509 verification. */
+ STACK_OF(X509) *verified_chain;
+
 SSL_HANDSHAKE_TLS12 tls12;
 SSL_HANDSHAKE_TLS13 tls13;
 } SSL_HANDSHAKE;
@@ -1130,7 +1133,6 @@ struct ssl_st {
 int empty_record_count;
 size_t num_tickets; /* Unused, for OpenSSL compatibility */
- STACK_OF(X509) *verified_chain;
 };
 typedef struct ssl3_record_internal_st {