mirrors/openssl
0
0
Fork 0
mirror of https://github.com/openssl/openssl.git synced 2024-11-27 12:04:38 +08:00
Code Issues Packages Projects Releases Wiki Activity

Replace and Deprecate TS_VERIFY_CTX Functions

Browse Source 
Fixes #18854

Replace and deprecate the functions `TS_VERIFY_CTX_set_data`,
`TS_VERIFY_CTX_set_store`, `TS_VERIFY_CTX_set_certs`, `TS_VERIFY_CTX_set_imprint`
with new versions: `TS_VERIFY_CTX_set0_data`,
`TS_VERIFY_CTX_set0_store`, `TS_VERIFY_CTX_set0_certs` and `TS_VERIFY_CTX_set0_imprint`.

The previous functions had poorly documented memory handling, potentially
leading to memory leaks. The new functions improve memory management and provide
clearer usage.

Also, update existing code to use the new function calls instead of the deprecated
ones.

Reviewed-by: Neil Horman <nhorman@openssl.org>
Reviewed-by: Tomas Mraz <tomas@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/24701)
This commit is contained in:
erbsland-dev 2024-06-21 15:16:10 +02:00 committed by Tomas Mraz
parent 7751887025
commit 6f811d839f
3 changed files with 61 additions and 7 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

11
apps/ts.c
View File

@ -920,7 +920,7 @@ static TS_VERIFY_CTX *create_verify_ctx(const char *data, const char *digest,
f |= TS_VFY_DATA;
if ((out = BIO_new_file(data, "rb")) == NULL)
goto err;
if (TS_VERIFY_CTX_set_data(ctx, out) == NULL) {
if (!TS_VERIFY_CTX_set0_data(ctx, out)) {
BIO_free_all(out);
goto err;
}
@ -928,7 +928,7 @@ static TS_VERIFY_CTX *create_verify_ctx(const char *data, const char *digest,
long imprint_len;
unsigned char *hexstr = OPENSSL_hexstr2buf(digest, &imprint_len);
f |= TS_VFY_IMPRINT;
if (TS_VERIFY_CTX_set_imprint(ctx, hexstr, imprint_len) == NULL) {
if (!TS_VERIFY_CTX_set0_imprint(ctx, hexstr, imprint_len)) {
BIO_printf(bio_err, "invalid digest string\n");
goto err;
}
@ -949,16 +949,15 @@ static TS_VERIFY_CTX *create_verify_ctx(const char *data, const char *digest,
TS_VERIFY_CTX_add_flags(ctx, f | TS_VFY_SIGNATURE);
/* Initialising the X509_STORE object. */
if (TS_VERIFY_CTX_set_store(ctx,
create_cert_store(CApath, CAfile, CAstore, vpm))
== NULL)
if (!TS_VERIFY_CTX_set0_store(ctx, create_cert_store(CApath, CAfile,
CAstore, vpm)))
goto err;
/* Loading any extra untrusted certificates. */
if (untrusted != NULL) {
certs = load_certs_multifile(untrusted, NULL, "extra untrusted certs",
vpm);
if (certs == NULL || TS_VERIFY_CTX_set_certs(ctx, certs) == NULL)
if (certs == NULL || !TS_VERIFY_CTX_set0_certs(ctx, certs))
goto err;
}
ret = 1;

40
crypto/ts/ts_verify_ctx.c
View File

@ -1,5 +1,5 @@
/*
* Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2006-2024 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
@ -46,25 +46,53 @@ int TS_VERIFY_CTX_set_flags(TS_VERIFY_CTX *ctx, int f)
return ctx->flags;
}
#ifndef OPENSSL_NO_DEPRECATED_3_4
BIO *TS_VERIFY_CTX_set_data(TS_VERIFY_CTX *ctx, BIO *b)
{
ctx->data = b;
return ctx->data;
}
#endif
int TS_VERIFY_CTX_set0_data(TS_VERIFY_CTX *ctx, BIO *b)
{
BIO_free_all(ctx->data);
ctx->data = b;
return 1;
}
#ifndef OPENSSL_NO_DEPRECATED_3_4
X509_STORE *TS_VERIFY_CTX_set_store(TS_VERIFY_CTX *ctx, X509_STORE *s)
{
ctx->store = s;
return ctx->store;
}
#endif
int TS_VERIFY_CTX_set0_store(TS_VERIFY_CTX *ctx, X509_STORE *s)
{
X509_STORE_free(ctx->store);
ctx->store = s;
return 1;
}
#ifndef OPENSSL_NO_DEPRECATED_3_4
STACK_OF(X509) *TS_VERIFY_CTX_set_certs(TS_VERIFY_CTX *ctx,
STACK_OF(X509) *certs)
{
ctx->certs = certs;
return ctx->certs;
}
#endif
int TS_VERIFY_CTX_set0_certs(TS_VERIFY_CTX *ctx, STACK_OF(X509) *certs)
{
OSSL_STACK_OF_X509_free(ctx->certs);
ctx->certs = certs;
return 1;
}
#ifndef OPENSSL_NO_DEPRECATED_3_4
unsigned char *TS_VERIFY_CTX_set_imprint(TS_VERIFY_CTX *ctx,
unsigned char *hexstr, long len)
{
@ -73,6 +101,16 @@ unsigned char *TS_VERIFY_CTX_set_imprint(TS_VERIFY_CTX *ctx,
ctx->imprint_len = len;
return ctx->imprint;
}
#endif
int TS_VERIFY_CTX_set0_imprint(TS_VERIFY_CTX *ctx,
unsigned char *hexstr, long len)
{
OPENSSL_free(ctx->imprint);
ctx->imprint = hexstr;
ctx->imprint_len = len;
return 1;
}
void TS_VERIFY_CTX_cleanup(TS_VERIFY_CTX *ctx)
{

17
include/openssl/ts.h
View File

@ -418,14 +418,31 @@ void TS_VERIFY_CTX_free(TS_VERIFY_CTX *ctx);
void TS_VERIFY_CTX_cleanup(TS_VERIFY_CTX *ctx);
int TS_VERIFY_CTX_set_flags(TS_VERIFY_CTX *ctx, int f);
int TS_VERIFY_CTX_add_flags(TS_VERIFY_CTX *ctx, int f);
# ifndef OPENSSL_NO_DEPRECATED_3_4
OSSL_DEPRECATEDIN_3_4_FOR("Unclear semantics, replace with TS_VERIFY_CTX_set0_data().")
BIO *TS_VERIFY_CTX_set_data(TS_VERIFY_CTX *ctx, BIO *b);
# endif
int TS_VERIFY_CTX_set0_data(TS_VERIFY_CTX *ctx, BIO *b);
# ifndef OPENSSL_NO_DEPRECATED_3_4
OSSL_DEPRECATEDIN_3_4_FOR("Unclear semantics, replace with TS_VERIFY_CTX_set0_imprint().")
unsigned char *TS_VERIFY_CTX_set_imprint(TS_VERIFY_CTX *ctx,
unsigned char *hexstr, long len);
# endif
int TS_VERIFY_CTX_set0_imprint(TS_VERIFY_CTX *ctx,
unsigned char *hexstr, long len);
# ifndef OPENSSL_NO_DEPRECATED_3_4
OSSL_DEPRECATEDIN_3_4_FOR("Unclear semantics, replace with TS_VERIFY_CTX_set0_store().")
X509_STORE *TS_VERIFY_CTX_set_store(TS_VERIFY_CTX *ctx, X509_STORE *s);
# endif
int TS_VERIFY_CTX_set0_store(TS_VERIFY_CTX *ctx, X509_STORE *s);
# ifndef OPENSSL_NO_DEPRECATED_3_0
# define TS_VERIFY_CTS_set_certs(ctx, cert) TS_VERIFY_CTX_set_certs(ctx,cert)
# endif
# ifndef OPENSSL_NO_DEPRECATED_3_4
OSSL_DEPRECATEDIN_3_4_FOR("Unclear semantics, replace with TS_VERIFY_CTX_set0_certs().")
STACK_OF(X509) *TS_VERIFY_CTX_set_certs(TS_VERIFY_CTX *ctx, STACK_OF(X509) *certs);
# endif
int TS_VERIFY_CTX_set0_certs(TS_VERIFY_CTX *ctx, STACK_OF(X509) *certs);
/*-
* If ctx is NULL, it allocates and returns a new object, otherwise