diff options
author | Shane Lontis <shane.lontis@oracle.com> | 2020-07-24 22:53:27 +1000 |
---|---|---|
committer | Shane Lontis <shane.lontis@oracle.com> | 2020-07-24 22:53:27 +1000 |
commit | 6725682d77510bf6d499957897d7be124d603f40 (patch) | |
tree | 447e5bce5607b4873f7f018df1b2e4c21a394e92 /ssl/statem | |
parent | ae89578be2930c726d6ef56451233757a89f224f (diff) |
Add X509 related libctx changes.
- In order to not add many X509_XXXX_with_libctx() functions the libctx and propq may be stored in the X509 object via a call to X509_new_with_libctx().
- Loading via PEM_read_bio_X509() or d2i_X509() should pass in a created cert using X509_new_with_libctx().
- Renamed some XXXX_ex() to XXX_with_libctx() for X509 API's.
- Removed the extra parameters in check_purpose..
- X509_digest() has been modified so that it expects a const EVP_MD object() and then internally it does the fetch when it needs to (via ASN1_item_digest_with_libctx()).
- Added API's that set the libctx when they load such as X509_STORE_new_with_libctx() so that the cert chains can be verified.
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/12153)
Diffstat (limited to 'ssl/statem')
-rw-r--r-- | ssl/statem/statem_clnt.c | 10 | ||||
-rw-r--r-- | ssl/statem/statem_srvr.c | 8 |
2 files changed, 16 insertions, 2 deletions
diff --git a/ssl/statem/statem_clnt.c b/ssl/statem/statem_clnt.c index d7722d76e0..4cd85ef609 100644 --- a/ssl/statem/statem_clnt.c +++ b/ssl/statem/statem_clnt.c @@ -1858,12 +1858,20 @@ MSG_PROCESS_RETURN tls_process_server_certificate(SSL *s, PACKET *pkt) } certstart = certbytes; - x = d2i_X509(NULL, (const unsigned char **)&certbytes, cert_len); + x = X509_new_with_libctx(s->ctx->libctx, s->ctx->propq); if (x == NULL) { + SSLfatal(s, SSL_AD_DECODE_ERROR, + SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, ERR_R_MALLOC_FAILURE); + SSLerr(0, ERR_R_MALLOC_FAILURE); + goto err; + } + if (d2i_X509(&x, (const unsigned char **)&certbytes, + cert_len) == NULL) { SSLfatal(s, SSL_AD_BAD_CERTIFICATE, SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, ERR_R_ASN1_LIB); goto err; } + if (certbytes != (certstart + cert_len)) { SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_SERVER_CERTIFICATE, diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c index abffbd6326..b329e89379 100644 --- a/ssl/statem/statem_srvr.c +++ b/ssl/statem/statem_srvr.c @@ -3676,12 +3676,18 @@ MSG_PROCESS_RETURN tls_process_client_certificate(SSL *s, PACKET *pkt) } certstart = certbytes; - x = d2i_X509(NULL, (const unsigned char **)&certbytes, l); + x = X509_new_with_libctx(s->ctx->libctx, s->ctx->propq); if (x == NULL) { SSLfatal(s, SSL_AD_DECODE_ERROR, + SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_MALLOC_FAILURE); + goto err; + } + if (d2i_X509(&x, (const unsigned char **)&certbytes, l) == NULL) { + SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, ERR_R_ASN1_LIB); goto err; } + if (certbytes != (certstart + l)) { SSLfatal(s, SSL_AD_DECODE_ERROR, SSL_F_TLS_PROCESS_CLIENT_CERTIFICATE, |