Fix loading more than one certificate in PEM format in the X509_load_cert_file_ex() function #22885
Conversation
…cert_file_ex() function
Would you be able to add a testcase? There are already files with multiple certs in them in test/certs - for example the leaf-chain.pem file.
38f3489 to ca9a5d2
Good, just nits
ca9a5d2 to de4d64f
test/x509_load_cert_file_test.c (outdated)

X509_STORE *store = NULL;
X509_LOOKUP *lookup = NULL;
STACK_OF(X509) *certs = NULL;
const char *chain = test_get_argument(n);
This is a misuse of the n parameter. The argument to this function is the index of the test. The test will be repeated a given number of times and n tells you which iteration this is.
Actually this is only a partial misuse - there could be a loop going through all arguments here. On the other hand this requires all the test PEM files having 4 certificates because this is hardcoded below so I am not quite sure it is that useful to loop.
test/x509_load_cert_file_test.c (outdated)

if (!TEST_int_gt(n, 0))
    return 0;

ADD_ALL_TESTS(test_load_cert_file, n);
You should just use ADD_TEST here. The last argument to ADD_ALL_TESTS is the number of times that the test should be repeated. But we only want to run the test once.
test/x509_load_cert_file_test.c (outdated)

#include "testutil.h"

const char *chain;
This must be static const char *chain;
    return 0;
}

chain = test_get_argument(0);
You should check that chain != NULL.
23694bc to 877aa3f
This pull request is ready to merge
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #22885)
Merged to the master and 3.2 branches. Thank you for your contribution.
…_file_ex() Fixes #22895 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl/openssl#22885) Signed-off-by: fly2x <fly2x@hitls.org>
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl/openssl#22885) Signed-off-by: fly2x <fly2x@hitls.org>
…_file_ex() Fixes #22895 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl/openssl#22885) (cherry picked from commit 20c680de9c435534be48fa85b2a975067a4e7c9d) Signed-off-by: fly2x <fly2x@hitls.org>
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl/openssl#22885) (cherry picked from commit d6961af1acbdf29b684f3307578bd03890a26a9c) Signed-off-by: fly2x <fly2x@hitls.org>
…_file_ex() Fixes openssl#22895 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#22885)
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#22885)
X509_load_cert_file_ex() was broken by commit ae29622 in PR #21545. The following code shows this error.
The ca-certificates.crt file contains 5 sample certificates in PEM format. This PoC shows that there is only one certificate in the store, the last one in the file.
My PR fixes this by freeing an X509 object before any further use.
Additionally, it allocates and initializes an X509 structure with a library context and property query for all certificates.
Fix #22895
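The regression described above, modelled as an added Python example (not OpenSSL code and not the PoC the author refers to): a single object allocated before the PEM read loop is overwritten on every read, and a store that refuses duplicates by content then keeps only one entry holding the last certificate. The `Cert`, `CertStore`, `split_pem_certs`, `load_certs_reused` and `load_certs_fresh` names are stand-ins chosen here for `X509`, `X509_STORE`, `PEM_read_bio_X509` and the two loop shapes; the bundle is constructed with placeholder bodies, not real certificates. The check a regression test wants is the last function: the number of objects in the store must equal the number of CERTIFICATE blocks in the file.

```python
"""Added example (not OpenSSL code): models the X509_load_cert_file_ex()
regression where one X509 object was reused for every PEM certificate."""
import re
from dataclasses import dataclass

# Constructed sample bundle: three PEM blocks with placeholder bodies.
# Real blocks carry base64 DER; these bodies are labels only.
SAMPLE_BUNDLE = """\
-----BEGIN CERTIFICATE-----
Y2VydC0x
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Y2VydC0y
-----END CERTIFICATE-----
-----BEGIN CERTIFICATE-----
Y2VydC0z
-----END CERTIFICATE-----
"""

PEM_CERT_RE = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S)


def split_pem_certs(bundle: str) -> list[str]:
    """Return the body of every CERTIFICATE block in file order.
    Stands in for repeated PEM_read_bio_X509() calls on one BIO."""
    return [m.group(1).strip() for m in PEM_CERT_RE.finditer(bundle)]


@dataclass
class Cert:
    """Stand-in for an X509 object; mutable, so a reused one is overwritten."""
    body: str = ""


class CertStore:
    """Stand-in for X509_STORE: add_cert() skips a certificate whose
    contents already match an object held by the store."""

    def __init__(self) -> None:
        self.objects: list[Cert] = []

    def add_cert(self, cert: Cert) -> None:
        if any(o.body == cert.body for o in self.objects):
            return  # duplicate by content, not added again
        self.objects.append(cert)


def load_certs_reused(bundle: str) -> CertStore:
    """Regressed pattern: one object allocated up front and reused per read."""
    store = CertStore()
    x = Cert()              # allocated once, before the loop
    for body in split_pem_certs(bundle):
        x.body = body       # the read overwrites the same object
        store.add_cert(x)   # the store's existing pointer now matches: skipped
    return store


def load_certs_fresh(bundle: str) -> CertStore:
    """Fixed pattern: a fresh object per certificate, released after use."""
    store = CertStore()
    for body in split_pem_certs(bundle):
        x = Cert(body)      # new object (X509_new_ex with libctx/propq) per read
        store.add_cert(x)   # store takes its own reference
        del x               # caller's reference released before the next read
    return store


def loaded_bodies(store: CertStore) -> list[str]:
    """Bodies held by the store, in insertion order."""
    return [o.body for o in store.objects]


def all_certs_loaded(bundle: str, store: CertStore) -> bool:
    """Regression check: every block in the file ended up in the store."""
    return loaded_bodies(store) == split_pem_certs(bundle)


if __name__ == "__main__":
    print("reused:", loaded_bodies(load_certs_reused(SAMPLE_BUNDLE)))
    print("fresh: ", loaded_bodies(load_certs_fresh(SAMPLE_BUNDLE)))
```

The reused loop ends with one store entry whose body is the last block in the file, which is exactly the symptom the PoC in the description reports; the fresh loop keeps all three, and `all_certs_loaded` is the assertion a test such as the one requested in review would make against a multi-certificate file.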