Fix loading more than one certificate in PEM format in the X509_load_cert_file_ex() function #22885
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
…cert_file_ex() function
t8m
reviewed
Nov 30, 2023
t8m
added
branch: master
olszomal
force-pushed
the
X509_load_cert_file
branch
from
38f3489
to
ca9a5d2
Compare
olszomal
force-pushed
the
X509_load_cert_file
branch
from
ca9a5d2
to
de4d64f
Compare
t8m
approved these changes
Nov 30, 2023
t8m
removed
the
approval: otc review pending
1 task
This was referenced Nov 30, 2023
mattcaswell
requested changes
Dec 1, 2023
test/x509_load_cert_file_test.c
Outdated
| X509_STORE *store = NULL; | ||
| X509_LOOKUP *lookup = NULL; | ||
| STACK_OF(X509) *certs = NULL; | ||
| const char *chain = test_get_argument(n); |
There was a problem hiding this comment.
This is a misuse of the n parameter. The argument to this function is the index of the test. The test will be repeated a given number of times and n tells you which iteration this is.
There was a problem hiding this comment.
Actually this is only a partial misuse - there could be a loop going through all arguments here. On the other hand this requires all the test PEM files having 4 certificates because this is hardcoded below so I am not quite sure it is that useful to loop.
test/x509_load_cert_file_test.c
Outdated
| if (!TEST_int_gt(n, 0)) | ||
| return 0; | ||
|
|
||
| ADD_ALL_TESTS(test_load_cert_file, n); |
There was a problem hiding this comment.
You should just use ADD_TEST here. The last argument to ADD_ALL_TESTS is the number of times that the test should be repeated. But we only want to run the test once.
t8m
requested changes
Dec 1, 2023
test/x509_load_cert_file_test.c
Outdated
|
|
||
| #include "testutil.h" | ||
|
|
||
| const char *chain; |
There was a problem hiding this comment.
This must be static const char *chain;
| return 0; | ||
| } | ||
|
|
||
| chain = test_get_argument(0); |
There was a problem hiding this comment.
You should check that chain != NULL.
olszomal
force-pushed
the
X509_load_cert_file
branch
from
23694bc
to
877aa3f
Compare
mattcaswell
approved these changes
Dec 1, 2023
t8m
approved these changes
Dec 1, 2023
t8m
added
approval: done
openssl-machine
added
approval: ready to merge
|
This pull request is ready to merge |
openssl-machine
pushed a commit
that referenced
this pull request
Dec 4, 2023
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #22885)
|
Merged to the master and 3.2 branches. Thank you for your contribution. |
wanghao75
pushed a commit
to openeuler-mirror/openssl
that referenced
this pull request
Dec 7, 2023
…_file_ex() Fixes #22895 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl/openssl#22885) Signed-off-by: fly2x <fly2x@hitls.org>
wanghao75
pushed a commit
to openeuler-mirror/openssl
that referenced
this pull request
Dec 7, 2023
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl/openssl#22885) Signed-off-by: fly2x <fly2x@hitls.org>
wanghao75
pushed a commit
to openeuler-mirror/openssl
that referenced
this pull request
Dec 15, 2023
…_file_ex() Fixes #22895 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl/openssl#22885) (cherry picked from commit 20c680de9c435534be48fa85b2a975067a4e7c9d) Signed-off-by: fly2x <fly2x@hitls.org>
wanghao75
pushed a commit
to openeuler-mirror/openssl
that referenced
this pull request
Dec 15, 2023
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl/openssl#22885) (cherry picked from commit d6961af1acbdf29b684f3307578bd03890a26a9c) Signed-off-by: fly2x <fly2x@hitls.org>
wbeck10
pushed a commit
to wbeck10/openssl
that referenced
this pull request
Jan 8, 2024
…_file_ex() Fixes openssl#22895 Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#22885)
wbeck10
pushed a commit
to wbeck10/openssl
that referenced
this pull request
Jan 8, 2024
Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#22885)
This was referenced Feb 27, 2024
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
X509_load_cert_file_ex()was broken by commit ae29622 in PR #21545.The following code shows this error.
The
ca-certificates.crtfile contains 5 sample certificates in PEM format.This PoC shows that there is only one certificate in the store, the last one in the file.
My PR fixes this by freeing an X509 object before any further use.
Additionally, it allocates and initializes an X509 structure with a library context and property query for all certificates.
Fix #22895