OpenSSL: Fix server side PKCS#12 processing with extra certificates
Fix a possible null pointer dereference in tls_parse_pkcs12() when loading a PKCS#12 file for the server keys and the file includes extra certificates. Signed-off-by: Ayala Beker <ayala.beker@intel.com>
This commit is contained in:
parent
443c8e18de
commit
dda091cf51
1 changed files with 17 additions and 5 deletions
|
@ -2463,13 +2463,18 @@ static int tls_parse_pkcs12(struct tls_data *data, SSL *ssl, PKCS12 *p12,
|
|||
|
||||
if (certs) {
|
||||
#if OPENSSL_VERSION_NUMBER >= 0x10002000L && !defined(LIBRESSL_VERSION_NUMBER)
|
||||
if (ssl)
|
||||
SSL_clear_chain_certs(ssl);
|
||||
else
|
||||
SSL_CTX_clear_chain_certs(data->ssl);
|
||||
while ((cert = sk_X509_pop(certs)) != NULL) {
|
||||
X509_NAME_oneline(X509_get_subject_name(cert), buf,
|
||||
sizeof(buf));
|
||||
wpa_printf(MSG_DEBUG, "TLS: additional certificate"
|
||||
" from PKCS12: subject='%s'", buf);
|
||||
if (SSL_add1_chain_cert(ssl, cert) != 1) {
|
||||
if ((ssl && SSL_add1_chain_cert(ssl, cert) != 1) ||
|
||||
(!ssl && SSL_CTX_add1_chain_cert(data->ssl,
|
||||
cert) != 1)) {
|
||||
tls_show_errors(MSG_DEBUG, __func__,
|
||||
"Failed to add additional certificate");
|
||||
res = -1;
|
||||
|
@ -2481,7 +2486,14 @@ static int tls_parse_pkcs12(struct tls_data *data, SSL *ssl, PKCS12 *p12,
|
|||
}
|
||||
sk_X509_free(certs);
|
||||
#ifndef OPENSSL_IS_BORINGSSL
|
||||
res = SSL_build_cert_chain(ssl,
|
||||
if (ssl)
|
||||
res = SSL_build_cert_chain(
|
||||
ssl,
|
||||
SSL_BUILD_CHAIN_FLAG_CHECK |
|
||||
SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR);
|
||||
else
|
||||
res = SSL_CTX_build_cert_chain(
|
||||
data->ssl,
|
||||
SSL_BUILD_CHAIN_FLAG_CHECK |
|
||||
SSL_BUILD_CHAIN_FLAG_IGNORE_ERROR);
|
||||
if (!res) {
|
||||
|
|
Loading…
Reference in a new issue