From: erbsland-dev Date: Fri, 21 Jun 2024 13:16:10 +0000 (+0200) Subject: Replace and Deprecate TS_VERIFY_CTX Functions X-Git-Tag: openssl-3.4.0-alpha1~378 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=6f811d839fd637fa5dea0ee4286722847ab74b98;p=thirdparty%2Fopenssl.git Replace and Deprecate TS_VERIFY_CTX Functions Fixes #18854 Replace and deprecate the functions `TS_VERIFY_CTX_set_data`, `TS_VERIFY_CTX_set_store`, `TS_VERIFY_CTX_set_certs`, `TS_VERIFY_CTX_set_imprint` with new versions: `TS_VERIFY_CTX_set0_data`, `TS_VERIFY_CTX_set0_store`, `TS_VERIFY_CTX_set0_certs` and `TS_VERIFY_CTX_set0_imprint`. The previous functions had poorly documented memory handling, potentially leading to memory leaks. The new functions improve memory management and provide clearer usage. Also, update existing code to use the new function calls instead of the deprecated ones. Reviewed-by: Neil Horman Reviewed-by: Tomas Mraz (Merged from https://github.com/openssl/openssl/pull/24701) --- diff --git a/apps/ts.c b/apps/ts.c index 18df7d5ace3..71b8df19979 100644 --- a/apps/ts.c +++ b/apps/ts.c @@ -920,7 +920,7 @@ static TS_VERIFY_CTX *create_verify_ctx(const char *data, const char *digest, f |= TS_VFY_DATA; if ((out = BIO_new_file(data, "rb")) == NULL) goto err; - if (TS_VERIFY_CTX_set_data(ctx, out) == NULL) { + if (!TS_VERIFY_CTX_set0_data(ctx, out)) { BIO_free_all(out); goto err; } @@ -928,7 +928,7 @@ static TS_VERIFY_CTX *create_verify_ctx(const char *data, const char *digest, long imprint_len; unsigned char *hexstr = OPENSSL_hexstr2buf(digest, &imprint_len); f |= TS_VFY_IMPRINT; - if (TS_VERIFY_CTX_set_imprint(ctx, hexstr, imprint_len) == NULL) { + if (!TS_VERIFY_CTX_set0_imprint(ctx, hexstr, imprint_len)) { BIO_printf(bio_err, "invalid digest string\n"); goto err; } @@ -949,16 +949,15 @@ static TS_VERIFY_CTX *create_verify_ctx(const char *data, const char *digest, TS_VERIFY_CTX_add_flags(ctx, f | TS_VFY_SIGNATURE); /* Initialising the X509_STORE object. */ - if (TS_VERIFY_CTX_set_store(ctx, - create_cert_store(CApath, CAfile, CAstore, vpm)) - == NULL) + if (!TS_VERIFY_CTX_set0_store(ctx, create_cert_store(CApath, CAfile, + CAstore, vpm))) goto err; /* Loading any extra untrusted certificates. */ if (untrusted != NULL) { certs = load_certs_multifile(untrusted, NULL, "extra untrusted certs", vpm); - if (certs == NULL || TS_VERIFY_CTX_set_certs(ctx, certs) == NULL) + if (certs == NULL || !TS_VERIFY_CTX_set0_certs(ctx, certs)) goto err; } ret = 1; diff --git a/crypto/ts/ts_verify_ctx.c b/crypto/ts/ts_verify_ctx.c index 6dbba3df506..4b6a3ada9b2 100644 --- a/crypto/ts/ts_verify_ctx.c +++ b/crypto/ts/ts_verify_ctx.c @@ -1,5 +1,5 @@ /* - * Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 2006-2024 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the Apache License 2.0 (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -46,25 +46,53 @@ int TS_VERIFY_CTX_set_flags(TS_VERIFY_CTX *ctx, int f) return ctx->flags; } +#ifndef OPENSSL_NO_DEPRECATED_3_4 BIO *TS_VERIFY_CTX_set_data(TS_VERIFY_CTX *ctx, BIO *b) { ctx->data = b; return ctx->data; } +#endif +int TS_VERIFY_CTX_set0_data(TS_VERIFY_CTX *ctx, BIO *b) +{ + BIO_free_all(ctx->data); + ctx->data = b; + return 1; +} + +#ifndef OPENSSL_NO_DEPRECATED_3_4 X509_STORE *TS_VERIFY_CTX_set_store(TS_VERIFY_CTX *ctx, X509_STORE *s) { ctx->store = s; return ctx->store; } +#endif +int TS_VERIFY_CTX_set0_store(TS_VERIFY_CTX *ctx, X509_STORE *s) +{ + X509_STORE_free(ctx->store); + ctx->store = s; + return 1; +} + +#ifndef OPENSSL_NO_DEPRECATED_3_4 STACK_OF(X509) *TS_VERIFY_CTX_set_certs(TS_VERIFY_CTX *ctx, STACK_OF(X509) *certs) { ctx->certs = certs; return ctx->certs; } +#endif +int TS_VERIFY_CTX_set0_certs(TS_VERIFY_CTX *ctx, STACK_OF(X509) *certs) +{ + OSSL_STACK_OF_X509_free(ctx->certs); + ctx->certs = certs; + return 1; +} + +#ifndef OPENSSL_NO_DEPRECATED_3_4 unsigned char *TS_VERIFY_CTX_set_imprint(TS_VERIFY_CTX *ctx, unsigned char *hexstr, long len) { @@ -73,6 +101,16 @@ unsigned char *TS_VERIFY_CTX_set_imprint(TS_VERIFY_CTX *ctx, ctx->imprint_len = len; return ctx->imprint; } +#endif + +int TS_VERIFY_CTX_set0_imprint(TS_VERIFY_CTX *ctx, + unsigned char *hexstr, long len) +{ + OPENSSL_free(ctx->imprint); + ctx->imprint = hexstr; + ctx->imprint_len = len; + return 1; +} void TS_VERIFY_CTX_cleanup(TS_VERIFY_CTX *ctx) { diff --git a/include/openssl/ts.h b/include/openssl/ts.h index b09b646dffe..7feb45fd4ba 100644 --- a/include/openssl/ts.h +++ b/include/openssl/ts.h @@ -418,14 +418,31 @@ void TS_VERIFY_CTX_free(TS_VERIFY_CTX *ctx); void TS_VERIFY_CTX_cleanup(TS_VERIFY_CTX *ctx); int TS_VERIFY_CTX_set_flags(TS_VERIFY_CTX *ctx, int f); int TS_VERIFY_CTX_add_flags(TS_VERIFY_CTX *ctx, int f); +# ifndef OPENSSL_NO_DEPRECATED_3_4 +OSSL_DEPRECATEDIN_3_4_FOR("Unclear semantics, replace with TS_VERIFY_CTX_set0_data().") BIO *TS_VERIFY_CTX_set_data(TS_VERIFY_CTX *ctx, BIO *b); +# endif +int TS_VERIFY_CTX_set0_data(TS_VERIFY_CTX *ctx, BIO *b); +# ifndef OPENSSL_NO_DEPRECATED_3_4 +OSSL_DEPRECATEDIN_3_4_FOR("Unclear semantics, replace with TS_VERIFY_CTX_set0_imprint().") unsigned char *TS_VERIFY_CTX_set_imprint(TS_VERIFY_CTX *ctx, unsigned char *hexstr, long len); +# endif +int TS_VERIFY_CTX_set0_imprint(TS_VERIFY_CTX *ctx, + unsigned char *hexstr, long len); +# ifndef OPENSSL_NO_DEPRECATED_3_4 +OSSL_DEPRECATEDIN_3_4_FOR("Unclear semantics, replace with TS_VERIFY_CTX_set0_store().") X509_STORE *TS_VERIFY_CTX_set_store(TS_VERIFY_CTX *ctx, X509_STORE *s); +# endif +int TS_VERIFY_CTX_set0_store(TS_VERIFY_CTX *ctx, X509_STORE *s); # ifndef OPENSSL_NO_DEPRECATED_3_0 # define TS_VERIFY_CTS_set_certs(ctx, cert) TS_VERIFY_CTX_set_certs(ctx,cert) # endif +# ifndef OPENSSL_NO_DEPRECATED_3_4 +OSSL_DEPRECATEDIN_3_4_FOR("Unclear semantics, replace with TS_VERIFY_CTX_set0_certs().") STACK_OF(X509) *TS_VERIFY_CTX_set_certs(TS_VERIFY_CTX *ctx, STACK_OF(X509) *certs); +# endif +int TS_VERIFY_CTX_set0_certs(TS_VERIFY_CTX *ctx, STACK_OF(X509) *certs); /*- * If ctx is NULL, it allocates and returns a new object, otherwise