Improves CTLOG_STORE setters

crypto/ct/ct_policy.c

@@ -30,21 +30,29 @@ CT_POLICY_EVAL_CTX *CT_POLICY_EVAL_CTX_new(void)
 
 void CT_POLICY_EVAL_CTX_free(CT_POLICY_EVAL_CTX *ctx)
 {
+    X509_free(ctx->cert);
+    X509_free(ctx->issuer);
     OPENSSL_free(ctx);
 }
 
-void CT_POLICY_EVAL_CTX_set0_cert(CT_POLICY_EVAL_CTX *ctx, X509 *cert)
+int CT_POLICY_EVAL_CTX_set1_cert(CT_POLICY_EVAL_CTX *ctx, X509 *cert)
 {
+    if (!X509_up_ref(cert))
+        return 0;
     ctx->cert = cert;
+    return 1;
 }
 
-void CT_POLICY_EVAL_CTX_set0_issuer(CT_POLICY_EVAL_CTX *ctx, X509 *issuer)
+int CT_POLICY_EVAL_CTX_set1_issuer(CT_POLICY_EVAL_CTX *ctx, X509 *issuer)
 {
+    if (!X509_up_ref(issuer))
+        return 0;
     ctx->issuer = issuer;
+    return 1;
 }
 
-void CT_POLICY_EVAL_CTX_set0_log_store(CT_POLICY_EVAL_CTX *ctx,
-                                       CTLOG_STORE *log_store)
+void CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE(CT_POLICY_EVAL_CTX *ctx,
+                                               CTLOG_STORE *log_store)
 {
     ctx->log_store = log_store;
 }

include/openssl/ct.h

@@ -64,27 +64,35 @@ DEFINE_STACK_OF(CTLOG)
 /* Creates a new, empty policy evaluation context */
 CT_POLICY_EVAL_CTX *CT_POLICY_EVAL_CTX_new(void);
 
-/* Deletes a policy evaluation context */
+/* Deletes a policy evaluation context and anything it owns. */
 void CT_POLICY_EVAL_CTX_free(CT_POLICY_EVAL_CTX *ctx);
 
 /* Gets the peer certificate that the SCTs are for */
 X509* CT_POLICY_EVAL_CTX_get0_cert(const CT_POLICY_EVAL_CTX *ctx);
 
-/* Sets the certificate associated with the received SCTs */
-void CT_POLICY_EVAL_CTX_set0_cert(CT_POLICY_EVAL_CTX *ctx, X509 *cert);
+/*
+ * Sets the certificate associated with the received SCTs.
+ * Incremenets the reference count of cert.
+ * Returns 1 on success, 0 otherwise.
+ */
+int CT_POLICY_EVAL_CTX_set1_cert(CT_POLICY_EVAL_CTX *ctx, X509 *cert);
 
 /* Gets the issuer of the aforementioned certificate */
 X509* CT_POLICY_EVAL_CTX_get0_issuer(const CT_POLICY_EVAL_CTX *ctx);
 
-/* Sets the issuer of the certificate associated with the received SCTs */
-void CT_POLICY_EVAL_CTX_set0_issuer(CT_POLICY_EVAL_CTX *ctx, X509 *issuer);
+/*
+ * Sets the issuer of the certificate associated with the received SCTs.
+ * Increments the reference count of issuer.
+ * Returns 1 on success, 0 otherwise.
+ */
+int CT_POLICY_EVAL_CTX_set1_issuer(CT_POLICY_EVAL_CTX *ctx, X509 *issuer);
 
 /* Gets the CT logs that are trusted sources of SCTs */
 const CTLOG_STORE *CT_POLICY_EVAL_CTX_get0_log_store(const CT_POLICY_EVAL_CTX *ctx);
 
-/* Sets the log store that is in use */
-void CT_POLICY_EVAL_CTX_set0_log_store(CT_POLICY_EVAL_CTX *ctx,
-                                       CTLOG_STORE *log_store);
+/* Sets the log store that is in use. It must outlive the CT_POLICY_EVAL_CTX. */
+void CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE(CT_POLICY_EVAL_CTX *ctx,
+                                               CTLOG_STORE *log_store);
 
 /*****************
  * SCT functions *

ssl/ssl_lib.c

@@ -4171,9 +4171,9 @@ int ssl_validate_ct(SSL *s)
     }
 
     issuer = sk_X509_value(s->verified_chain, 1);
-    CT_POLICY_EVAL_CTX_set0_cert(ctx, cert);
-    CT_POLICY_EVAL_CTX_set0_issuer(ctx, issuer);
-    CT_POLICY_EVAL_CTX_set0_log_store(ctx, s->ctx->ctlog_store);
+    CT_POLICY_EVAL_CTX_set1_cert(ctx, cert);
+    CT_POLICY_EVAL_CTX_set1_issuer(ctx, issuer);
+    CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE(ctx, s->ctx->ctlog_store);
 
     scts = SSL_get0_peer_scts(s);
 

test/ct_test.c

@@ -294,7 +294,8 @@ static int execute_cert_test(CT_TEST_FIXTURE fixture)
         expected_sct_text[sct_text_len] = '\0';
     }
 
-    CT_POLICY_EVAL_CTX_set0_log_store(ct_policy_ctx, fixture.ctlog_store);
+    CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE(
+            ct_policy_ctx, fixture.ctlog_store);
 
     if (fixture.certificate_file != NULL) {
         int sct_extension_index;
@@ -307,7 +308,7 @@ static int execute_cert_test(CT_TEST_FIXTURE fixture)
             goto end;
         }
 
-        CT_POLICY_EVAL_CTX_set0_cert(ct_policy_ctx, cert);
+        CT_POLICY_EVAL_CTX_set1_cert(ct_policy_ctx, cert);
 
         if (fixture.issuer_file != NULL) {
             issuer = load_pem_cert(fixture.certs_dir, fixture.issuer_file);
@@ -318,7 +319,7 @@ static int execute_cert_test(CT_TEST_FIXTURE fixture)
                 goto end;
             }
 
-            CT_POLICY_EVAL_CTX_set0_issuer(ct_policy_ctx, issuer);
+            CT_POLICY_EVAL_CTX_set1_issuer(ct_policy_ctx, issuer);
         }
 
         sct_extension_index =

util/libcrypto.num

@@ -291,7 +291,7 @@ CRYPTO_gcm128_setiv                     291	1_1_0	EXIST::FUNCTION:
 ASN1_PCTX_set_oid_flags                 292	1_1_0	EXIST::FUNCTION:
 d2i_ASN1_INTEGER                        293	1_1_0	EXIST::FUNCTION:
 i2d_PKCS7_ENCRYPT                       294	1_1_0	EXIST::FUNCTION:
-CT_POLICY_EVAL_CTX_set0_issuer          295	1_1_0	EXIST::FUNCTION:CT
+CT_POLICY_EVAL_CTX_set1_issuer          295	1_1_0	EXIST::FUNCTION:CT
 X509_NAME_ENTRY_set                     296	1_1_0	EXIST::FUNCTION:
 PKCS8_set0_pbe                          297	1_1_0	EXIST::FUNCTION:
 PEM_write_bio_DSA_PUBKEY                298	1_1_0	EXIST::FUNCTION:DSA
@@ -457,7 +457,7 @@ DH_new_method                           457	1_1_0	EXIST::FUNCTION:DH
 BF_ecb_encrypt                          458	1_1_0	EXIST::FUNCTION:BF
 PEM_write_bio_DHparams                  459	1_1_0	EXIST::FUNCTION:DH
 EVP_DigestFinal                         460	1_1_0	EXIST::FUNCTION:
-CT_POLICY_EVAL_CTX_set0_log_store       461	1_1_0	EXIST::FUNCTION:CT
+CT_POLICY_EVAL_CTX_set_shared_CTLOG_STORE 461	1_1_0	EXIST::FUNCTION:CT
 X509v3_asid_add_id_or_range             462	1_1_0	EXIST::FUNCTION:RFC3779
 X509_NAME_ENTRY_create_by_NID           463	1_1_0	EXIST::FUNCTION:
 EC_KEY_METHOD_get_init                  464	1_1_0	EXIST::FUNCTION:EC
@@ -1390,7 +1390,7 @@ EVP_PKEY_asn1_free                      1375	1_1_0	EXIST::FUNCTION:
 ENGINE_unregister_DH                    1376	1_1_0	EXIST::FUNCTION:ENGINE
 PROXY_CERT_INFO_EXTENSION_it            1377	1_1_0	EXIST:!EXPORT_VAR_AS_FUNCTION:VARIABLE:
 PROXY_CERT_INFO_EXTENSION_it            1377	1_1_0	EXIST:EXPORT_VAR_AS_FUNCTION:FUNCTION:
-CT_POLICY_EVAL_CTX_set0_cert            1378	1_1_0	EXIST::FUNCTION:CT
+CT_POLICY_EVAL_CTX_set1_cert            1378	1_1_0	EXIST::FUNCTION:CT
 X509_NAME_hash                          1379	1_1_0	EXIST::FUNCTION:
 SCT_set_timestamp                       1380	1_1_0	EXIST::FUNCTION:CT
 UI_new                                  1381	1_1_0	EXIST::FUNCTION:UI