Various functions cause the results of processing extensions to be
cached. The processing itself requires a libctx, and so this implicit
caching means that the default ctx is used which can lead to failures.
By explicitly caching the extensions we can specify the libctx to be used.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11409)
#include "crypto/x509.h"
#include "internal/tsan_assist.h"
#include "crypto/x509.h"
#include "internal/tsan_assist.h"
-static void x509v3_cache_extensions(X509 *x);
-
static int check_ssl_ca(const X509 *x);
static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x,
int ca);
static int check_ssl_ca(const X509 *x);
static int check_purpose_ssl_client(const X509_PURPOSE *xp, const X509 *x,
int ca);
int idx;
const X509_PURPOSE *pt;
int idx;
const X509_PURPOSE *pt;
- x509v3_cache_extensions(x);
- if (x->ex_flags & EXFLAG_INVALID)
+ if (!X509v3_cache_extensions(x, NULL, NULL))
return -1;
/* Return if side-effect only call */
return -1;
/* Return if side-effect only call */
#define ns_reject(x, usage) \
(((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))
#define ns_reject(x, usage) \
(((x)->ex_flags & EXFLAG_NSCERT) && !((x)->ex_nscert & (usage)))
-static void x509v3_cache_extensions(X509 *x)
+int X509v3_cache_extensions(X509 *x, OPENSSL_CTX *libctx, const char *propq)
{
BASIC_CONSTRAINTS *bs;
PROXY_CERT_INFO_EXTENSION *pci;
{
BASIC_CONSTRAINTS *bs;
PROXY_CERT_INFO_EXTENSION *pci;
EXTENDED_KEY_USAGE *extusage;
X509_EXTENSION *ex;
int i;
EXTENDED_KEY_USAGE *extusage;
X509_EXTENSION *ex;
int i;
#ifdef tsan_ld_acq
/* fast lock-free check, see end of the function for details. */
if (tsan_ld_acq((TSAN_QUALIFIER int *)&x->ex_cached))
#ifdef tsan_ld_acq
/* fast lock-free check, see end of the function for details. */
if (tsan_ld_acq((TSAN_QUALIFIER int *)&x->ex_cached))
+ return (x->ex_flags & EXFLAG_INVALID) == 0;
#endif
CRYPTO_THREAD_write_lock(x->lock);
if (x->ex_flags & EXFLAG_SET) {
CRYPTO_THREAD_unlock(x->lock);
#endif
CRYPTO_THREAD_write_lock(x->lock);
if (x->ex_flags & EXFLAG_SET) {
CRYPTO_THREAD_unlock(x->lock);
+ return (x->ex_flags & EXFLAG_INVALID) == 0;
- if (!X509_digest(x, EVP_sha1(), x->sha1_hash, NULL))
- x->ex_flags |= EXFLAG_INVALID;
+ sha1 = EVP_MD_fetch(libctx, "SHA1", propq);
+ if (sha1 == NULL || !X509_digest(x, sha1, x->sha1_hash, NULL))
+ x->ex_flags |= EXFLAG_INVALID;
+ EVP_MD_free(sha1);
+
/* V1 should mean no extensions ... */
if (!X509_get_version(x))
x->ex_flags |= EXFLAG_V1;
/* V1 should mean no extensions ... */
if (!X509_get_version(x))
x->ex_flags |= EXFLAG_V1;
*/
#endif
CRYPTO_THREAD_unlock(x->lock);
*/
#endif
CRYPTO_THREAD_unlock(x->lock);
+
+ return (x->ex_flags & EXFLAG_INVALID) == 0;
int X509_check_ca(X509 *x)
{
int X509_check_ca(X509 *x)
{
- x509v3_cache_extensions(x);
+ /* Note 0 normally means "not a CA" - but in this case means error. */
+ if (!X509v3_cache_extensions(x, NULL, NULL))
+ return 0;
X509_get_issuer_name(subject)))
return X509_V_ERR_SUBJECT_ISSUER_MISMATCH;
X509_get_issuer_name(subject)))
return X509_V_ERR_SUBJECT_ISSUER_MISMATCH;
- x509v3_cache_extensions(issuer);
- if (issuer->ex_flags & EXFLAG_INVALID)
- return X509_V_ERR_UNSPECIFIED;
- x509v3_cache_extensions(subject);
- if (subject->ex_flags & EXFLAG_INVALID)
+ if (!X509v3_cache_extensions(issuer, NULL, NULL)
+ || !X509v3_cache_extensions(subject, NULL, NULL))
return X509_V_ERR_UNSPECIFIED;
if (subject->akid) {
return X509_V_ERR_UNSPECIFIED;
if (subject->akid) {
B<basicConstraints>, and 5 if it has outdated Netscape Certificate Type
extension telling that it is CA certificate.
B<basicConstraints>, and 5 if it has outdated Netscape Certificate Type
extension telling that it is CA certificate.
+This function will also return 0 on error.
+
Actually, any nonzero value means that this certificate could have been
used to sign other certificates.
Actually, any nonzero value means that this certificate could have been
used to sign other certificates.
const X509V3_EXT_METHOD *method,
X509V3_CTX *ctx, CONF_VALUE *cnf,
int is_nc);
const X509V3_EXT_METHOD *method,
X509V3_CTX *ctx, CONF_VALUE *cnf,
int is_nc);
+
+int X509v3_cache_extensions(X509 *x, OPENSSL_CTX *libctx, const char *propq);
+
void X509V3_conf_free(CONF_VALUE *val);
X509_EXTENSION *X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid,
void X509V3_conf_free(CONF_VALUE *val);
X509_EXTENSION *X509V3_EXT_nconf_nid(CONF *conf, X509V3_CTX *ctx, int ext_nid,
SRP_Calc_u_ex ? 3_0_0 EXIST::FUNCTION:SRP
SRP_Calc_x_ex ? 3_0_0 EXIST::FUNCTION:SRP
SRP_Calc_client_key_ex ? 3_0_0 EXIST::FUNCTION:SRP
SRP_Calc_u_ex ? 3_0_0 EXIST::FUNCTION:SRP
SRP_Calc_x_ex ? 3_0_0 EXIST::FUNCTION:SRP
SRP_Calc_client_key_ex ? 3_0_0 EXIST::FUNCTION:SRP
+X509v3_cache_extensions ? 3_0_0 EXIST::FUNCTION: