
SSL_get_tlsext_status_ocsp_resp expects pointer to non-const pointer #3477

Closed
pps83 opened this issue Jan 15, 2019 · 2 comments

Comments

Projects
None yet
2 participants
@pps83
Contributor

commented Jan 15, 2019

vtls/openssl.c:

const unsigned char *p;
...
long len = SSL_get_tlsext_status_ocsp_resp(BACKEND->handle, &p);

However, SSL_get_tlsext_status_ocsp_resp is declared as long SSL_get_tlsext_status_ocsp_resp(ssl, unsigned char **resp);

SSL_get_tlsext_status_ocsp_resp is preprocessed into a call to long SSL_ctrl(SSL *ssl, int cmd, long larg, void *parg); where parg is the last p argument. Effectively, const gets lost if const unsigned char** gets converted to void*. In the MS compiler that results in a compilation error.
If I change the declaration to unsigned char *p; then it fails to compile on Linux a few lines below:

openssl.c:1712:33: error: passing 'unsigned char **' to parameter of type 'const unsigned char **' discards qualifiers in nested pointer types

const unsigned char *p;
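The two compile errors above come from the same rule: C does not implicitly convert `unsigned char **` to `const unsigned char **` (the nested qualifier would be discarded), while the ctrl-style accessor takes `void *` and so cannot preserve const at all. The following added example, which is not code from the curl project or from this issue, reproduces the situation with constructed stand-ins (`mock_get_status_resp` for the void*-based accessor and `mock_d2i_response` for a d2i-style decoder that advances a const pointer) and shows the two-variable pattern: a non-const pointer receives the response, and a separate const pointer is what the decoder walks. Buffers and function names are constructed for the example.

```c
#include <stddef.h>

/* Constructed sample "OCSP responses": one-byte tag 0x02, one-byte length, payload. */
static unsigned char g_good_blob[]      = { 0x02, 0x03, 0xAA, 0xBB, 0xCC };
static unsigned char g_truncated_blob[] = { 0x02, 0x03, 0xAA };  /* claims 3 bytes, has 1 */

/* Stand-in for an SSL_ctrl-style accessor (constructed, not OpenSSL's code).
 * The out-parameter arrives as void *, so the callee cannot tell whether the
 * caller passed unsigned char ** or const unsigned char **; it simply writes
 * an unsigned char * through it. which: 0 = no response, 1 = good, 2 = truncated. */
static long mock_get_status_resp(void *parg, int which)
{
    unsigned char **out = (unsigned char **)parg;  /* mirrors the macro's (void *) cast */
    switch (which) {
    case 1:  *out = g_good_blob;      return (long)sizeof g_good_blob;
    case 2:  *out = g_truncated_blob; return (long)sizeof g_truncated_blob;
    default: *out = NULL;             return -1;
    }
}

/* Stand-in for a d2i_* decoder (constructed). It only reads the buffer, so it
 * takes const unsigned char **, and like the real d2i functions it advances
 * *pp past the object it consumed. Returns payload length, or -1 on error. */
static long mock_d2i_response(const unsigned char **pp, long len)
{
    const unsigned char *p = *pp;
    long payload;
    if (len < 2 || p[0] != 0x02)
        return -1;
    payload = p[1];
    if (payload + 2 > len)       /* body extends past what we were given */
        return -1;
    *pp = p + 2 + payload;
    return payload;
}

/* The pattern from the fix. Passing &p (const unsigned char **) to the void*
 * accessor compiles but lies about constness; passing &status (unsigned char **)
 * to the decoder is rejected by the compiler. Using both variables satisfies
 * both signatures. Returns payload length, or a negative code on failure. */
long verify_status_pattern(int which, long *consumed)
{
    unsigned char *status;       /* non-const: what the void* out-param writes */
    const unsigned char *p;      /* const: what the decoder advances */
    long len = mock_get_status_resp(&status, which);
    long r;
    if (!status)
        return -1;               /* "No OCSP response received" */
    if (len <= 0)
        return -2;               /* defensive: never hand a bad length to the decoder */
    p = status;
    r = mock_d2i_response(&p, len);
    if (r < 0)
        return -3;               /* "Invalid OCSP response" */
    *consumed = (long)(p - status);  /* p advanced; status still marks the start */
    return r;
}
```

Keeping `status` untouched while `p` advances is also what lets the caller later free or re-read the original buffer; with a single pointer that is moved by the decoder, the start of the response would be lost.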

@bagder

Member

commented Jan 15, 2019

How about this?

diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 45e72d6a3..9d11b89e5 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -1690,27 +1690,28 @@ static CURLcode verifyhost(struct connectdata *conn, X509 *server_cert)
     !defined(OPENSSL_NO_OCSP)
 static CURLcode verifystatus(struct connectdata *conn,
                              struct ssl_connect_data *connssl)
 {
   int i, ocsp_status;
+  unsigned char *status;
   const unsigned char *p;
   CURLcode result = CURLE_OK;
   struct Curl_easy *data = conn->data;
 
   OCSP_RESPONSE *rsp = NULL;
   OCSP_BASICRESP *br = NULL;
   X509_STORE     *st = NULL;
   STACK_OF(X509) *ch = NULL;
 
-  long len = SSL_get_tlsext_status_ocsp_resp(BACKEND->handle, &p);
+  long len = SSL_get_tlsext_status_ocsp_resp(BACKEND->handle, &status);
 
-  if(!p) {
+  if(!status) {
     failf(data, "No OCSP response received");
     result = CURLE_SSL_INVALIDCERTSTATUS;
     goto end;
   }
-
+  p = status;
   rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
   if(!rsp) {
     failf(data, "Invalid OCSP response");
     result = CURLE_SSL_INVALIDCERTSTATUS;
     goto end;
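Review bot: `len` is passed straight to `d2i_OCSP_RESPONSE` without being checked, while only `status` is tested for NULL; since the accessor returns the length separately from the pointer, consider tightening the guard to `if(!status || len <= 0)` so a zero or negative length never reaches the decoder. The `p = status;` line is the right way to keep the non-const out-parameter apart from the const pointer the decoder advances; the blank line that was removed before it could be kept for readability.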

@bagder bagder added the SSL/TLS label Jan 15, 2019

bagder added a commit that referenced this issue Jan 15, 2019

openssl: fix the SSL_get_tlsext_status_ocsp_resp call
.... to not pass in a const in the second argument as that's not how it
is supposed to be used and might cause compiler warnings.

Reported-by: Pavel Pavlov
Fixes #3477
@pps83

Contributor Author

commented Jan 15, 2019

yes, this will work

@pps83 pps83 closed this Jan 15, 2019

bagder added a commit that referenced this issue Jan 16, 2019

openssl: fix the SSL_get_tlsext_status_ocsp_resp call
.... to not pass in a const in the second argument as that's not how it
is supposed to be used and might cause compiler warnings.

Reported-by: Pavel Pavlov
Fixes #3477
Closes #3478

@lock lock bot locked as resolved and limited conversation to collaborators Apr 16, 2019
