The branch master has been updated via 4e4ae84056133c863860e27ceedae8bd3fb0a402 (commit) from 81f9af3460dca0fe37d3a240cb385efbf0f0d362 (commit)
- Log ----------------------------------------------------------------- commit 4e4ae84056133c863860e27ceedae8bd3fb0a402 Author: Shane Lontis <shane.lon...@oracle.com> Date: Wed Feb 24 15:59:14 2021 +1000 Fix NULL access in ssl_build_cert_chain() when ctx is NULL. Fixes #14294 Reviewed-by: Tomas Mraz <to...@openssl.org> Reviewed-by: Paul Dale <pa...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14295) ----------------------------------------------------------------------- Summary of changes: ssl/ssl_cert.c | 2 +- .../Mock/signer.crt => certs/leaf-chain.pem} | 26 ++++++++-- test/sslapitest.c | 57 ++++++++++++++++++++++ 3 files changed, 79 insertions(+), 6 deletions(-) copy test/{recipes/80-test_cmp_http_data/Mock/signer.crt => certs/leaf-chain.pem} (75%) diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c index a9d9b9ca06..f78cb99c18 100644 --- a/ssl/ssl_cert.c +++ b/ssl/ssl_cert.c @@ -878,7 +878,7 @@ int ssl_build_cert_chain(SSL *s, SSL_CTX *ctx, int flags) untrusted = cpk->chain; } - xs_ctx = X509_STORE_CTX_new_ex(real_ctx->libctx, ctx->propq); + xs_ctx = X509_STORE_CTX_new_ex(real_ctx->libctx, real_ctx->propq); if (xs_ctx == NULL) { ERR_raise(ERR_LIB_SSL, ERR_R_MALLOC_FAILURE); goto err; diff --git a/test/recipes/80-test_cmp_http_data/Mock/signer.crt b/test/certs/leaf-chain.pem similarity index 75% copy from test/recipes/80-test_cmp_http_data/Mock/signer.crt copy to test/certs/leaf-chain.pem index cb72e33bff..a2e4a50513 100644 --- a/test/recipes/80-test_cmp_http_data/Mock/signer.crt +++ b/test/certs/leaf-chain.pem @@ -1,4 +1,3 @@ -Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = leaf -----BEGIN CERTIFICATE----- MIIDfjCCAmagAwIBAgIJAKRNsDKacUqNMA0GCSqGSIb3DQEBCwUAMFoxCzAJBgNV BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX @@ -20,8 +19,6 @@ QhnMd0TtIrbKHaNQ4kNsmSY5fQolwB0LtNfTus7OEFdcZWhOXrWImKXN9jewPKdV mSG34NfXOnA6qx0eQg06z+TkdrptH6j1Va2vS1/bL+h1GxjpTHlvTGaZYxaloIjw y/EzY5jygRoABnR3eBm15CYZwwKL9izIq1H3OhymEi/Ycg== -----END CERTIFICATE----- - -Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = subinterCA -----BEGIN CERTIFICATE----- MIIDhDCCAmygAwIBAgIJAJkv2OGshkmUMA0GCSqGSIb3DQEBCwUAMFcxCzAJBgNV BAYTAkFVMRMwEQYDVQQIEwpTb21lLVN0YXRlMSEwHwYDVQQKExhJbnRlcm5ldCBX @@ -43,8 +40,6 @@ mC7DtilSZIgO2vwbTBL6ifmw9n1dd/Bl8Wdjnl7YJqTIf0Ozc2SZSMRUq9ryn4Wq YrjRl8NwioGb1LfjEJ0wJi2ngL3IgaN94qmDn10OJs8hlsufwP1n+Bca3fsl0m5U gUMG+CXxbF0kdCKZ9kQb1MJE4vOk6zfyBGQndmQnxHjt5botI/xpXg== -----END CERTIFICATE----- - -Subject: C = AU, ST = Some-State, O = Internet Widgits Pty Ltd, CN = interCA -----BEGIN CERTIFICATE----- MIIDgDCCAmigAwIBAgIJANnoWlLlEsTgMA0GCSqGSIb3DQEBCwUAMFYxCzAJBgNV BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX @@ -66,3 +61,24 @@ Hh5feKAyrqfmfsWF5QPjAmdj/MFdq+yMJVosDftkmUmaBHjzbvbcq1sWh/6drH8U e4jmcYiyZev22KXQudeHc4w6crWiEFkVspomn5PqDmza3rkdB3baXFVZ6sd23ufU wjkiKKtwRBwU+5tCCagQZoeQ5dZXQThkiH2XEIOCOLxyD/tb -----END CERTIFICATE----- +-----BEGIN CERTIFICATE----- +MIIDfzCCAmegAwIBAgIJAIhDKcvC6xWaMA0GCSqGSIb3DQEBCwUAMFYxCzAJBgNV +BAYTAkFVMRMwEQYDVQQIDApTb21lLVN0YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBX +aWRnaXRzIFB0eSBMdGQxDzANBgNVBAMMBnJvb3RDQTAeFw0xNTA3MDIxMzE1MTFa +Fw0zNTA3MDIxMzE1MTFaMFYxCzAJBgNVBAYTAkFVMRMwEQYDVQQIDApTb21lLVN0 +YXRlMSEwHwYDVQQKDBhJbnRlcm5ldCBXaWRnaXRzIFB0eSBMdGQxDzANBgNVBAMM +BnJvb3RDQTCCASIwDQYJKoZIhvcNAQEBBQADggEPADCCAQoCggEBAMDxa3eIrDXf ++3NTL5KAL3QWMk31ECBvbDqO0dxr4S4+wwQPv5vEyRLR5AtFl+UGzWY64eDiK9+i +xOx70z08iv9edKCrpwNqFlteksR+W3mKadS8g16uQpJ0pSvnAMGp3NWxUwcPc/eO +rRQ+JZ7lHubMkc2VDIBEIMP9F8+RPWMQHBRb+8OowYiyd/+c2/xqRERE94XsCCzU +34Gjecn+HpuTFlO3l6u+Txql4vpGBeQNnCqkzLkeIaBsxKtZsEA5u/mIrf3fjbQL +r35B4CE8yDNFSYQvkwbu/U/tT/O8m978JV5V1XXUxXs6QDUGn8SEtGyTDK83Wq+2 +QU0mIxy4ArMCAwEAAaNQME4wDAYDVR0TBAUwAwEB/zAdBgNVHQ4EFgQUhVaJNeKf +ABrhhgMLS692Emszbf0wHwYDVR0jBBgwFoAUhVaJNeKfABrhhgMLS692Emszbf0w +DQYJKoZIhvcNAQELBQADggEBADIKvyoK4rtPQ86I2lo5EDeAuzctXi2I3SZpnOe0 +mCCxJeZhWW0S7JuHvlfhEgXFBPEXzhS4HJLUlZUsWyiJ+3KcINMygaiF7MgIe6hZ +WzpsMatS4mbNFElc89M+YryRFrQc9d1Uqjxhl3ms5MhDNcMP/PNwHa/wnIoqkpNI +qtDoR741wcZ7bdr6XVdF8+pBjzbBPPRSf24x3bqavHBWcTjcSVcM/ZEXxeqH5SN0 +GbK2mQxrogX4UWjtl+DfYvl+ejpEcYNXKEmIabUUHtpG42544cuPtZizLW5bt/aT +JBQfpPZpvf9MUlACxUONFOLQdZ8SXpSJ0e93iX2J2Z52mSQ= +-----END CERTIFICATE----- diff --git a/test/sslapitest.c b/test/sslapitest.c index 3fa60538e9..06d8e80200 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -641,6 +641,61 @@ end: return testresult; } +static int test_ssl_build_cert_chain(void) +{ + int ret = 0; + SSL_CTX *ssl_ctx = NULL; + SSL *ssl = NULL; + char *skey = test_mk_file_path(certsdir, "leaf.key"); + char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem"); + + if (!TEST_ptr(ssl_ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method()))) + goto end; + if (!TEST_ptr(ssl = SSL_new(ssl_ctx))) + goto end; + /* leaf_chain contains leaf + subinterCA + interCA + rootCA */ + if (!TEST_int_eq(SSL_use_certificate_chain_file(ssl, leaf_chain), 1) + || !TEST_int_eq(SSL_use_PrivateKey_file(ssl, skey, SSL_FILETYPE_PEM), 1) + || !TEST_int_eq(SSL_check_private_key(ssl), 1)) + goto end; + if (!TEST_true(SSL_build_cert_chain(ssl, SSL_BUILD_CHAIN_FLAG_NO_ROOT + | SSL_BUILD_CHAIN_FLAG_CHECK))) + goto end; + ret = 1; +end: + SSL_free(ssl); + SSL_CTX_free(ssl_ctx); + OPENSSL_free(leaf_chain); + OPENSSL_free(skey); + return ret; +} + +static int test_ssl_ctx_build_cert_chain(void) +{ + int ret = 0; + SSL_CTX *ctx = NULL; + char *skey = test_mk_file_path(certsdir, "leaf.key"); + char *leaf_chain = test_mk_file_path(certsdir, "leaf-chain.pem"); + + if (!TEST_ptr(ctx = SSL_CTX_new_ex(libctx, NULL, TLS_server_method()))) + goto end; + /* leaf_chain contains leaf + subinterCA + interCA + rootCA */ + if (!TEST_int_eq(SSL_CTX_use_certificate_chain_file(ctx, leaf_chain), 1) + || !TEST_int_eq(SSL_CTX_use_PrivateKey_file(ctx, skey, + SSL_FILETYPE_PEM), 1) + || !TEST_int_eq(SSL_CTX_check_private_key(ctx), 1)) + goto end; + if (!TEST_true(SSL_CTX_build_cert_chain(ctx, SSL_BUILD_CHAIN_FLAG_NO_ROOT + | SSL_BUILD_CHAIN_FLAG_CHECK))) + goto end; + ret = 1; +end: + SSL_CTX_free(ctx); + OPENSSL_free(leaf_chain); + OPENSSL_free(skey); + return ret; +} + #ifndef OPENSSL_NO_TLS1_2 static int full_client_hello_callback(SSL *s, int *al, void *arg) { @@ -8710,6 +8765,8 @@ int setup_tests(void) ADD_TEST(test_keylog_no_master_key); #endif ADD_TEST(test_client_cert_verify_cb); + ADD_TEST(test_ssl_build_cert_chain); + ADD_TEST(test_ssl_ctx_build_cert_chain); #ifndef OPENSSL_NO_TLS1_2 ADD_TEST(test_client_hello_cb); ADD_TEST(test_no_ems);