Explicitly cache X509v3 extensions in libssl

Caching the X509v3 extensions requires an explicit libctx. We do that where required in libssl. Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org> (Merged from https://github.com/openssl/openssl/pull/11409)
2024-11-28 04:25:31 +08:00 · 2020-03-20 11:55:19 +00:00 · 2020-03-20 11:55:19 +00:00 · 9f0f53b7db
commit 9f0f53b7db
parent 33328581b8
3 changed files with 25 additions and 2 deletions
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@ -17,6 +17,7 @@
 #include <openssl/dh.h>
 #include <openssl/rand.h>
 #include <openssl/trace.h>
+#include <openssl/x509v3.h>
 #include "internal/cryptlib.h"

 #define TLS13_NUM_CIPHERS       OSSL_NELEM(tls13_ciphers)
@ -3947,6 +3948,10 @@ long ssl3_ctx_ctrl(SSL_CTX *ctx, int cmd, long larg, void *parg)
                return 0;
            }
        }
+        if (!X509v3_cache_extensions((X509 *)parg, ctx->libctx, ctx->propq)) {
+            SSLerr(0, ERR_LIB_X509);
+            return 0;
+        }
        if (!sk_X509_push(ctx->extra_certs, (X509 *)parg)) {
            SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_MALLOC_FAILURE);
            return 0;
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@ -253,11 +253,20 @@ void ssl_cert_free(CERT *c)
 int ssl_cert_set0_chain(SSL *s, SSL_CTX *ctx, STACK_OF(X509) *chain)
 {
    int i, r;
-    CERT_PKEY *cpk = s ? s->cert->key : ctx->cert->key;
+    CERT_PKEY *cpk = s != NULL ? s->cert->key : ctx->cert->key;
+    SSL_CTX *realctx = s != NULL ? s->ctx : ctx;
+
    if (!cpk)
        return 0;
    for (i = 0; i < sk_X509_num(chain); i++) {
-        r = ssl_security_cert(s, ctx, sk_X509_value(chain, i), 0, 0);
+        X509 *x = sk_X509_value(chain, i);
+
+        if (!X509v3_cache_extensions(x, realctx->libctx, realctx->propq)) {
+            SSLerr(0, ERR_LIB_X509);
+            return 0;
+        }
+
+        r = ssl_security_cert(s, ctx, x, 0, 0);
        if (r != 1) {
            SSLerr(SSL_F_SSL_CERT_SET0_CHAIN, r);
            return 0;
--- a/ssl/ssl_rsa.c
+++ b/ssl/ssl_rsa.c
@ -14,6 +14,7 @@
 #include <openssl/objects.h>
 #include <openssl/evp.h>
 #include <openssl/x509.h>
+#include <openssl/x509v3.h>
 #include <openssl/pem.h>

 static int ssl_set_cert(CERT *c, X509 *x509);
@ -31,6 +32,10 @@ int SSL_use_certificate(SSL *ssl, X509 *x)
        SSLerr(SSL_F_SSL_USE_CERTIFICATE, ERR_R_PASSED_NULL_PARAMETER);
        return 0;
    }
+    if (!X509v3_cache_extensions(x, ssl->ctx->libctx, ssl->ctx->propq)) {
+        SSLerr(0, ERR_LIB_X509);
+        return 0;
+    }
    rv = ssl_security_cert(ssl, NULL, x, 0, 1);
    if (rv != 1) {
        SSLerr(SSL_F_SSL_USE_CERTIFICATE, rv);
@ -305,6 +310,10 @@ int SSL_CTX_use_certificate(SSL_CTX *ctx, X509 *x)
        SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE, ERR_R_PASSED_NULL_PARAMETER);
        return 0;
    }
+    if (!X509v3_cache_extensions(x, ctx->libctx, ctx->propq)) {
+        SSLerr(0, ERR_LIB_X509);
+        return 0;
+    }
    rv = ssl_security_cert(NULL, ctx, x, 0, 1);
    if (rv != 1) {
        SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE, rv);