Fix SSL_use_certificate_chain_file

The new function SSL_use_certificate_chain_file was always crashing in the internal function use_certificate_chain_file because it would pass a NULL value for SSL_CTX *, but use_certificate_chain_file would unconditionally try to dereference it. Reviewed-by: Stephen Henson <steve@openssl.org>
author: Matt Caswell <matt@openssl.org> 2015-11-09 14:38:59 +0000
committer: Matt Caswell <matt@openssl.org> 2015-11-10 23:02:44 +0000
commit: a974e64aaaa8a6f99f55a68d28c07c04ecea2f50 (patch)
tree: 8813cd92bec23d1c450f4303c0ee72b743d68a95
parent: 6329b6092b28b656be8a1e4a8363d2e3bcc32053 (diff)
download: openssl-a974e64aaaa8a6f99f55a68d28c07c04ecea2f50.zip
openssl-a974e64aaaa8a6f99f55a68d28c07c04ecea2f50.tar.gz
openssl-a974e64aaaa8a6f99f55a68d28c07c04ecea2f50.tar.bz2
6 files changed, 50 insertions, 9 deletions
diff --git a/doc/ssl/SSL_CTX_set_default_passwd_cb.pod b/doc/ssl/SSL_CTX_set_default_passwd_cb.pod
index 9455139..452737f 100644
--- a/doc/ssl/SSL_CTX_set_default_passwd_cb.pod
+++ b/doc/ssl/SSL_CTX_set_default_passwd_cb.pod
@@ -2,7 +2,9 @@
 
 =head1 NAME
 
-SSL_CTX_set_default_passwd_cb, SSL_CTX_set_default_passwd_cb_userdata - set passwd callback for encrypted PEM file handling
+SSL_CTX_set_default_passwd_cb, SSL_CTX_set_default_passwd_cb_userdata,
+SSL_set_default_passwd_cb, SSL_set_default_passwd_cb_userdata - set passwd
+callback for encrypted PEM file handling
 
 =head1 SYNOPSIS
 
@@ -10,6 +12,8 @@ SSL_CTX_set_default_passwd_cb, SSL_CTX_set_default_passwd_cb_userdata - set pass
 
  void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb);
  void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u);
+ void SSL_set_default_passwd_cb(SSL *s, pem_password_cb *cb);
+ void SSL_set_default_passwd_cb_userdata(SSL *s, void *u);
 
  int pem_passwd_cb(char *buf, int size, int rwflag, void *userdata);
 
@@ -21,6 +25,9 @@ when loading/storing a PEM certificate with encryption.
 SSL_CTX_set_default_passwd_cb_userdata() sets a pointer to B<userdata> which
 will be provided to the password callback on invocation.
 
+SSL_set_default_passwd_cb() and SSL_set_default_passwd_cb_userdata() perform the
+same function as their SSL_CTX counterparts, but using an SSL object.
+
 The pem_passwd_cb(), which must be provided by the application, hands back the
 password to be used during decryption. On invocation a pointer to B<userdata>
 is provided. The pem_passwd_cb must write the password into the provided buffer
@@ -51,8 +58,7 @@ however not usual, as certificate information is considered public.
 
 =head1 RETURN VALUES
 
-SSL_CTX_set_default_passwd_cb() and SSL_CTX_set_default_passwd_cb_userdata()
-do not provide diagnostic information.
+These functions do not provide diagnostic information.
 
 =head1 EXAMPLES
 
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 28322eb..cf9f83a 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -1514,6 +1514,8 @@ __owur int SSL_CTX_use_certificate_ASN1(SSL_CTX *ctx, int len,
 
 void SSL_CTX_set_default_passwd_cb(SSL_CTX *ctx, pem_password_cb *cb);
 void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u);
+void SSL_set_default_passwd_cb(SSL *s, pem_password_cb *cb);
+void SSL_set_default_passwd_cb_userdata(SSL *s, void *u);
 
 __owur int SSL_CTX_check_private_key(const SSL_CTX *ctx);
 __owur int SSL_check_private_key(const SSL *ctx);
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index b6e5127..d8d2244 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -366,6 +366,9 @@ SSL *SSL_new(SSL_CTX *ctx)
 
     s->verify_result = X509_V_OK;
 
+    s->default_passwd_callback = ctx->default_passwd_callback;
+    s->default_passwd_callback_userdata = ctx->default_passwd_callback_userdata;
+
     s->method = ctx->method;
 
     if (!s->method->ssl_new(s))
@@ -1846,6 +1849,16 @@ void SSL_CTX_set_default_passwd_cb_userdata(SSL_CTX *ctx, void *u)
     ctx->default_passwd_callback_userdata = u;
 }
 
+void SSL_set_default_passwd_cb(SSL *s, pem_password_cb *cb)
+{
+    s->default_passwd_callback = cb;
+}
+
+void SSL_set_default_passwd_cb_userdata(SSL *s, void *u)
+{
+    s->default_passwd_callback_userdata = u;
+}
+
 void SSL_CTX_set_cert_verify_callback(SSL_CTX *ctx,
                                       int (*cb) (X509_STORE_CTX *, void *),
                                       void *arg)
@@ -2535,6 +2548,9 @@ SSL *SSL_dup(SSL *s)
                                  * ret->init_off */
     ret->hit = s->hit;
 
+    ret->default_passwd_callback = s->default_passwd_callback;
+    ret->default_passwd_callback_userdata = s->default_passwd_callback_userdata;
+
     X509_VERIFY_PARAM_inherit(ret->param, s->param);
 
     /* dup the cipher_list and cipher_list_by_id stacks */
diff --git a/ssl/ssl_locl.h b/ssl/ssl_locl.h
index e174def..03bc35c 100644
--- a/ssl/ssl_locl.h
+++ b/ssl/ssl_locl.h
@@ -1193,6 +1193,12 @@ struct ssl_st {
     int (*not_resumable_session_cb) (SSL *ssl, int is_forward_secure);
     
     RECORD_LAYER rlayer;
+
+    /* Default password callback. */
+    pem_password_cb *default_passwd_callback;
+
+    /* Default password callback user data. */
+    void *default_passwd_callback_userdata;
 };
 
 
diff --git a/ssl/ssl_rsa.c b/ssl/ssl_rsa.c
index 9e172b5..be552c1 100644
--- a/ssl/ssl_rsa.c
+++ b/ssl/ssl_rsa.c
@@ -644,10 +644,20 @@ static int use_certificate_chain_file(SSL_CTX *ctx, SSL *ssl, const char *file)
     BIO *in;
     int ret = 0;
     X509 *x = NULL;
+    pem_password_cb *passwd_callback;
+    void *passwd_callback_userdata;
 
     ERR_clear_error();          /* clear error stack for
                                  * SSL_CTX_use_certificate() */
 
+    if (ctx != NULL) {
+        passwd_callback = ctx->default_passwd_callback;
+        passwd_callback_userdata = ctx->default_passwd_callback_userdata;
+    } else {
+        passwd_callback = ssl->default_passwd_callback;
+        passwd_callback_userdata = ssl->default_passwd_callback_userdata;
+    }
+
     in = BIO_new(BIO_s_file());
     if (in == NULL) {
         SSLerr(SSL_F_USE_CERTIFICATE_CHAIN_FILE, ERR_R_BUF_LIB);
@@ -659,8 +669,8 @@ static int use_certificate_chain_file(SSL_CTX *ctx, SSL *ssl, const char *file)
         goto end;
     }
 
-    x = PEM_read_bio_X509_AUX(in, NULL, ctx->default_passwd_callback,
-                              ctx->default_passwd_callback_userdata);
+    x = PEM_read_bio_X509_AUX(in, NULL, passwd_callback,
+                              passwd_callback_userdata);
     if (x == NULL) {
         SSLerr(SSL_F_USE_CERTIFICATE_CHAIN_FILE, ERR_R_PEM_LIB);
         goto end;
@@ -693,10 +703,9 @@ static int use_certificate_chain_file(SSL_CTX *ctx, SSL *ssl, const char *file)
             goto end;
         }
 
-        while ((ca = PEM_read_bio_X509(in, NULL,
-                                       ctx->default_passwd_callback,
-                                       ctx->default_passwd_callback_userdata))
-               != NULL) {
+        while ((ca = PEM_read_bio_X509(in, NULL, passwd_callback,
+                                       passwd_callback_userdata))
+                != NULL) {
             if (ctx)
                 r = SSL_CTX_add0_chain_cert(ctx, ca);
             else
diff --git a/util/ssleay.num b/util/ssleay.num
index b3f6324..be4c940 100755
--- a/util/ssleay.num
+++ b/util/ssleay.num
@@ -409,3 +409,5 @@ SSL_in_init                             443	EXIST::FUNCTION:
 SSL_in_before                           444	EXIST::FUNCTION:
 SSL_is_init_finished                    445	EXIST::FUNCTION:
 SSL_get_state                           446	EXIST::FUNCTION:
+SSL_set_default_passwd_cb               447	EXIST::FUNCTION:
+SSL_set_default_passwd_cb_userdata      448	EXIST::FUNCTION:
author	Matt Caswell <matt@openssl.org>	2015-11-09 14:38:59 +0000
committer	Matt Caswell <matt@openssl.org>	2015-11-10 23:02:44 +0000
commit	a974e64aaaa8a6f99f55a68d28c07c04ecea2f50 (patch)
tree	8813cd92bec23d1c450f4303c0ee72b743d68a95
parent	6329b6092b28b656be8a1e4a8363d2e3bcc32053 (diff)
download	openssl-a974e64aaaa8a6f99f55a68d28c07c04ecea2f50.zip openssl-a974e64aaaa8a6f99f55a68d28c07c04ecea2f50.tar.gz openssl-a974e64aaaa8a6f99f55a68d28c07c04ecea2f50.tar.bz2