crypto: fix handling of root_cert_store #9409
Closed
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
nodejs-github-bot
added
the
c++
|
/cc @nodejs/crypto |
|
Would you mind adding some tests that verify the corrected behavior? |
I don't really know Javascript I'm afraid, but I've amended the change with a monkey-see-monkey-do test that checks the most obvious of the issues (that adding a CA can alter other SecureContexts). That test fails on |
indutny
suggested changes
Nov 4, 2016
| @@ -121,6 +121,7 @@ const char* const root_certs[] = { | |||
| }; | |||
|
|
|||
| X509_STORE* root_cert_store; | |||
| std::vector<X509 *>* root_certs_vector; | |||
There was a problem hiding this comment.
May I ask you to make it X509* here? We generally try to keep asterisk with the type name.
| CRYPTO_add(&cert->references, 1, CRYPTO_LOCK_X509); | ||
| return 1; | ||
| } | ||
| #endif |
There was a problem hiding this comment.
Probably needs a // comment with the condition at #if
|
|
||
| static X509_STORE* NewRootCertStore() { | ||
| if (!root_certs_vector) { | ||
| root_certs_vector = new std::vector<X509 *>; |
| // certificate. | ||
| clientOptions.secureContext = contextWithoutCert; | ||
| clientOptions.port = server.address().port; | ||
| var client = tls.connect(clientOptions, common.fail); |
There was a problem hiding this comment.
With ES6 we try to always use const/let instead of var.
| key: loadPEM('agent1-key'), | ||
| cert: loadPEM('agent1-cert'), | ||
| }; | ||
| var server = tls.createServer(serverOptions, function() { }); |
| // This time it should connect because contextWithCert includes the needed | ||
| // CA certificate. | ||
| clientOptions.secureContext = contextWithCert; | ||
| var client2 = tls.connect(clientOptions, function() { |
| @@ -141,3 +141,7 @@ assert.throws(function() { | |||
|
|
|||
| // Make sure memory isn't released before being returned | |||
| console.log(crypto.randomBytes(16)); | |||
|
|
|||
| assert.throws(function() { | |||
| tls.createSecureContext({crl: 'not a CRL'}); | |||
| @@ -725,55 +773,43 @@ void SecureContext::AddCRL(const FunctionCallbackInfo<Value>& args) { | |||
| if (!bio) | |||
| return; | |||
|
|
|||
| X509_CRL *x509 = | |||
| X509_CRL *crl = | |||
There was a problem hiding this comment.
I know it was this way before, but let's put asterisk to the left here too.
| X509_free(x509); | ||
| cert_count += 1; | ||
| X509_STORE* cert_store = SSL_CTX_get_cert_store(sc->ctx_); | ||
| while (X509 *x509 = |
|
|
||
| for (size_t i = 0; i < arraysize(root_certs); i++) { | ||
| BIO* bp = NodeBIO::NewFixed(root_certs[i], strlen(root_certs[i])); | ||
| X509 *x509 = PEM_read_bio_X509(bp, nullptr, CryptoPemCallback, nullptr); |
agl
force-pushed
the
certstore
branch
2 times, most recently
from
bfc983a
to
03ee8ec
Compare
shigeki
suggested changes
Nov 7, 2016
| #if OPENSSL_VERSION_NUMBER >= 0x10002000L | ||
| CRYPTO_add(&store->references, 1, CRYPTO_LOCK_X509_STORE); | ||
| #else | ||
| // Prior to OpenSSL 1.0.2, the reference count for an X509_STORE was ignored |
There was a problem hiding this comment.
We need not to support openssl-1.0.1 or before.
There was a problem hiding this comment.
Ok, I'll remove this. (I only included it because 1.0.1 will still be able to compile this code, but it'll corrupt memory. Hopefully the rest of this code won't compile with 1.0.1.)
There was a problem hiding this comment.
We did not check openssl version explicitly. It will need to be considered in the future major upgrade.
There was a problem hiding this comment.
(I've removed the check for 1.0.1 in the latest version.)
shigeki
reviewed
Nov 7, 2016
| X509_STORE* cert_store = SSL_CTX_get_cert_store(sc->ctx_); | ||
| while (X509* x509 = | ||
| PEM_read_bio_X509(bio, nullptr, CryptoPemCallback, nullptr)) { | ||
| if (cert_store == root_cert_store) { |
There was a problem hiding this comment.
Is there any reason to put this in while loop. It seems that both are not updated more than twice.
There was a problem hiding this comment.
I'll write it whichever way you prefer, but the thought was that, if no CA certificates are found then we can save making an new X509_STORE. (This was explicitly done in the previous version of the code; see cert_count.)
There was a problem hiding this comment.
I got that secureContext.context.addCACert('') has that code path. Please leave this as is.
shigeki
reviewed
Nov 7, 2016
| if (!sc->ca_store_) { | ||
| sc->ca_store_ = X509_STORE_new(); | ||
| SSL_CTX_set_cert_store(sc->ctx_, sc->ca_store_); | ||
| if (cert_store == root_cert_store) { |
There was a problem hiding this comment.
(Same intent as in the previous case.)
indutny
approved these changes
Nov 7, 2016
agl
commented
Nov 7, 2016
| #if OPENSSL_VERSION_NUMBER >= 0x10002000L | ||
| CRYPTO_add(&store->references, 1, CRYPTO_LOCK_X509_STORE); | ||
| #else | ||
| // Prior to OpenSSL 1.0.2, the reference count for an X509_STORE was ignored |
There was a problem hiding this comment.
Ok, I'll remove this. (I only included it because 1.0.1 will still be able to compile this code, but it'll corrupt memory. Hopefully the rest of this code won't compile with 1.0.1.)
| X509_STORE* cert_store = SSL_CTX_get_cert_store(sc->ctx_); | ||
| while (X509* x509 = | ||
| PEM_read_bio_X509(bio, nullptr, CryptoPemCallback, nullptr)) { | ||
| if (cert_store == root_cert_store) { |
There was a problem hiding this comment.
I'll write it whichever way you prefer, but the thought was that, if no CA certificates are found then we can save making an new X509_STORE. (This was explicitly done in the previous version of the code; see cert_count.)
| if (!sc->ca_store_) { | ||
| sc->ca_store_ = X509_STORE_new(); | ||
| SSL_CTX_set_cert_store(sc->ctx_, sc->ca_store_); | ||
| if (cert_store == root_cert_store) { |
There was a problem hiding this comment.
(Same intent as in the previous case.)
shigeki
reviewed
Nov 8, 2016
| @@ -141,3 +141,8 @@ assert.throws(function() { | |||
|
|
|||
| // Make sure memory isn't released before being returned | |||
| console.log(crypto.randomBytes(16)); | |||
|
|
|||
| assert.throws(function() { | |||
| common.fail(); | |||
There was a problem hiding this comment.
This causes a lint error.
146:7 error Expected indentation of 2 spaces but found 6 indent
There was a problem hiding this comment.
Thank you. (That was actually something that I should have removed before committing.)
shigeki
reviewed
Nov 8, 2016
| client2.on('error', (e) => { | ||
| console.log(e); | ||
| }); | ||
| })) |
There was a problem hiding this comment.
Also this has a lint error.
59:6 error Missing semicolon semi
Setting reference count at the time of setting cert_store instead of trying to manage it by modifying internal states in destructor. PR-URL: nodejs#8334
SecureContext::AddRootCerts only parses the root certificates once and keeps the result in root_cert_store, a global X509_STORE. This change addresses the following issues: 1. SecureContext::AddCACert would add certificates to whatever X509_STORE was being used, even if that happened to be root_cert_store. Thus adding a CA certificate to a SecureContext would also cause it to be included in unrelated SecureContexts. 2. AddCRL would crash if neither AddRootCerts nor AddCACert had been called first. 3. Calling AddCACert without calling AddRootCerts first, and with an input that didn't contain any certificates, would leak an X509_STORE. 4. AddCRL would add the CRL to whatever X509_STORE was being used. Thus, like AddCACert, unrelated SecureContext objects could be affected. The following, non-obvious behaviour remains: calling AddRootCerts doesn't /add/ them, rather it sets the CA certs to be the root set and overrides any previous CA certificates. Points 1–3 are probably unimportant because the SecureContext is typically configured by `createSecureContext` in `lib/_tls_common.js`. This function either calls AddCACert or AddRootCerts and only calls AddCRL after setting up CA certificates. Point four could still apply in the unlikely case that someone configures a CRL without explicitly configuring the CAs.
shigeki
approved these changes
Nov 9, 2016
|
CI is running on https://ci.nodejs.org/job/node-test-pull-request/4810/ |
|
This PR includes the commit of 8dbe1aa written by @AdamMajer . Do we need his permission? |
|
@sam-github Okay, thanks for your answer. |
|
@shigeki thanks for your careful review |
MylesBorins
pushed a commit
that referenced
this pull request
Jan 24, 2017
SecureContext::AddRootCerts only parses the root certificates once and keeps the result in root_cert_store, a global X509_STORE. This change addresses the following issues: 1. SecureContext::AddCACert would add certificates to whatever X509_STORE was being used, even if that happened to be root_cert_store. Thus adding a CA certificate to a SecureContext would also cause it to be included in unrelated SecureContexts. 2. AddCRL would crash if neither AddRootCerts nor AddCACert had been called first. 3. Calling AddCACert without calling AddRootCerts first, and with an input that didn't contain any certificates, would leak an X509_STORE. 4. AddCRL would add the CRL to whatever X509_STORE was being used. Thus, like AddCACert, unrelated SecureContext objects could be affected. The following, non-obvious behaviour remains: calling AddRootCerts doesn't /add/ them, rather it sets the CA certs to be the root set and overrides any previous CA certificates. Points 1–3 are probably unimportant because the SecureContext is typically configured by `createSecureContext` in `lib/_tls_common.js`. This function either calls AddCACert or AddRootCerts and only calls AddCRL after setting up CA certificates. Point four could still apply in the unlikely case that someone configures a CRL without explicitly configuring the CAs. PR-URL: #9409 Reviewed-By: Fedor Indutny <fedor@indutny.com> Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
MylesBorins
pushed a commit
that referenced
this pull request
Jan 24, 2017
Fix leaking the BIO in the error path. Introduced in commit 34febfb ("crypto: fix handling of root_cert_store"). PR-URL: #9604 Refs: #9409 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Fedor Indutny <fedor@indutny.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Rod Vagg <rod@vagg.org>
MylesBorins
pushed a commit
that referenced
this pull request
Jan 24, 2017
Setting reference count at the time of setting cert_store instead of trying to manage it by modifying internal states in destructor. PR-URL: #9409 Reviewed-By: Fedor Indutny <fedor@indutny.com> Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
MylesBorins
pushed a commit
that referenced
this pull request
Jan 31, 2017
Setting reference count at the time of setting cert_store instead of trying to manage it by modifying internal states in destructor. PR-URL: #9409 Reviewed-By: Fedor Indutny <fedor@indutny.com> Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
MylesBorins
pushed a commit
that referenced
this pull request
Jan 31, 2017
SecureContext::AddRootCerts only parses the root certificates once and keeps the result in root_cert_store, a global X509_STORE. This change addresses the following issues: 1. SecureContext::AddCACert would add certificates to whatever X509_STORE was being used, even if that happened to be root_cert_store. Thus adding a CA certificate to a SecureContext would also cause it to be included in unrelated SecureContexts. 2. AddCRL would crash if neither AddRootCerts nor AddCACert had been called first. 3. Calling AddCACert without calling AddRootCerts first, and with an input that didn't contain any certificates, would leak an X509_STORE. 4. AddCRL would add the CRL to whatever X509_STORE was being used. Thus, like AddCACert, unrelated SecureContext objects could be affected. The following, non-obvious behaviour remains: calling AddRootCerts doesn't /add/ them, rather it sets the CA certs to be the root set and overrides any previous CA certificates. Points 1–3 are probably unimportant because the SecureContext is typically configured by `createSecureContext` in `lib/_tls_common.js`. This function either calls AddCACert or AddRootCerts and only calls AddCRL after setting up CA certificates. Point four could still apply in the unlikely case that someone configures a CRL without explicitly configuring the CAs. PR-URL: #9409 Reviewed-By: Fedor Indutny <fedor@indutny.com> Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
MylesBorins
pushed a commit
that referenced
this pull request
Jan 31, 2017
Fix leaking the BIO in the error path. Introduced in commit 34febfb ("crypto: fix handling of root_cert_store"). PR-URL: #9604 Refs: #9409 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Fedor Indutny <fedor@indutny.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Rod Vagg <rod@vagg.org>
MylesBorins
pushed a commit
that referenced
this pull request
Feb 1, 2017
Setting reference count at the time of setting cert_store instead of trying to manage it by modifying internal states in destructor. PR-URL: #9409 Reviewed-By: Fedor Indutny <fedor@indutny.com> Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
sam-github
pushed a commit
to sam-github/node
that referenced
this pull request
Feb 14, 2017
SecureContext::AddRootCerts only parses the root certificates once and keeps the result in root_cert_store, a global X509_STORE. This change addresses the following issues: 1. SecureContext::AddCACert would add certificates to whatever X509_STORE was being used, even if that happened to be root_cert_store. Thus adding a CA certificate to a SecureContext would also cause it to be included in unrelated SecureContexts. 2. AddCRL would crash if neither AddRootCerts nor AddCACert had been called first. 3. Calling AddCACert without calling AddRootCerts first, and with an input that didn't contain any certificates, would leak an X509_STORE. 4. AddCRL would add the CRL to whatever X509_STORE was being used. Thus, like AddCACert, unrelated SecureContext objects could be affected. The following, non-obvious behaviour remains: calling AddRootCerts doesn't /add/ them, rather it sets the CA certs to be the root set and overrides any previous CA certificates. Points 1–3 are probably unimportant because the SecureContext is typically configured by `createSecureContext` in `lib/_tls_common.js`. This function either calls AddCACert or AddRootCerts and only calls AddCRL after setting up CA certificates. Point four could still apply in the unlikely case that someone configures a CRL without explicitly configuring the CAs. PR-URL: nodejs#9409 Reviewed-By: Fedor Indutny <fedor@indutny.com> Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
sam-github
pushed a commit
to sam-github/node
that referenced
this pull request
Feb 14, 2017
Fix leaking the BIO in the error path. Introduced in commit 34febfb ("crypto: fix handling of root_cert_store"). PR-URL: nodejs#9604 Refs: nodejs#9409 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Fedor Indutny <fedor@indutny.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Rod Vagg <rod@vagg.org>
sam-github
added a commit
to sam-github/node
that referenced
this pull request
Feb 14, 2017
Use of abort() was added in 34febfb, and changed to ABORT() in 21826ef, but conditional+ABORT() is better expressesed using a CHECK_xxx() macro. See: nodejs#9409 (comment) PR-URL: nodejs#10413 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: James M Snell <jasnell@gmail.com>
MylesBorins
pushed a commit
that referenced
this pull request
Feb 21, 2017
SecureContext::AddRootCerts only parses the root certificates once and keeps the result in root_cert_store, a global X509_STORE. This change addresses the following issues: 1. SecureContext::AddCACert would add certificates to whatever X509_STORE was being used, even if that happened to be root_cert_store. Thus adding a CA certificate to a SecureContext would also cause it to be included in unrelated SecureContexts. 2. AddCRL would crash if neither AddRootCerts nor AddCACert had been called first. 3. Calling AddCACert without calling AddRootCerts first, and with an input that didn't contain any certificates, would leak an X509_STORE. 4. AddCRL would add the CRL to whatever X509_STORE was being used. Thus, like AddCACert, unrelated SecureContext objects could be affected. The following, non-obvious behaviour remains: calling AddRootCerts doesn't /add/ them, rather it sets the CA certs to be the root set and overrides any previous CA certificates. Points 1–3 are probably unimportant because the SecureContext is typically configured by `createSecureContext` in `lib/_tls_common.js`. This function either calls AddCACert or AddRootCerts and only calls AddCRL after setting up CA certificates. Point four could still apply in the unlikely case that someone configures a CRL without explicitly configuring the CAs. PR-URL: #9409 Reviewed-By: Fedor Indutny <fedor@indutny.com> Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
MylesBorins
pushed a commit
that referenced
this pull request
Feb 21, 2017
Fix leaking the BIO in the error path. Introduced in commit 34febfb ("crypto: fix handling of root_cert_store"). PR-URL: #9604 Refs: #9409 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Fedor Indutny <fedor@indutny.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Rod Vagg <rod@vagg.org>
MylesBorins
pushed a commit
that referenced
this pull request
Feb 21, 2017
Use of abort() was added in 34febfb, and changed to ABORT() in 21826ef, but conditional+ABORT() is better expressesed using a CHECK_xxx() macro. See: #9409 (comment) PR-URL: #10413 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: James M Snell <jasnell@gmail.com>
MylesBorins
pushed a commit
that referenced
this pull request
Feb 22, 2017
SecureContext::AddRootCerts only parses the root certificates once and keeps the result in root_cert_store, a global X509_STORE. This change addresses the following issues: 1. SecureContext::AddCACert would add certificates to whatever X509_STORE was being used, even if that happened to be root_cert_store. Thus adding a CA certificate to a SecureContext would also cause it to be included in unrelated SecureContexts. 2. AddCRL would crash if neither AddRootCerts nor AddCACert had been called first. 3. Calling AddCACert without calling AddRootCerts first, and with an input that didn't contain any certificates, would leak an X509_STORE. 4. AddCRL would add the CRL to whatever X509_STORE was being used. Thus, like AddCACert, unrelated SecureContext objects could be affected. The following, non-obvious behaviour remains: calling AddRootCerts doesn't /add/ them, rather it sets the CA certs to be the root set and overrides any previous CA certificates. Points 1–3 are probably unimportant because the SecureContext is typically configured by `createSecureContext` in `lib/_tls_common.js`. This function either calls AddCACert or AddRootCerts and only calls AddCRL after setting up CA certificates. Point four could still apply in the unlikely case that someone configures a CRL without explicitly configuring the CAs. PR-URL: #9409 Reviewed-By: Fedor Indutny <fedor@indutny.com> Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
MylesBorins
pushed a commit
that referenced
this pull request
Feb 22, 2017
Fix leaking the BIO in the error path. Introduced in commit 34febfb ("crypto: fix handling of root_cert_store"). PR-URL: #9604 Refs: #9409 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Fedor Indutny <fedor@indutny.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Rod Vagg <rod@vagg.org>
MylesBorins
pushed a commit
that referenced
this pull request
Feb 22, 2017
Use of abort() was added in 34febfb, and changed to ABORT() in 21826ef, but conditional+ABORT() is better expressesed using a CHECK_xxx() macro. See: #9409 (comment) PR-URL: #10413 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: James M Snell <jasnell@gmail.com>
MylesBorins
pushed a commit
that referenced
this pull request
Mar 7, 2017
Use of abort() was added in 34febfb, and changed to ABORT() in 21826ef, but conditional+ABORT() is better expressesed using a CHECK_xxx() macro. See: #9409 (comment) PR-URL: #10413 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: James M Snell <jasnell@gmail.com>
MylesBorins
pushed a commit
that referenced
this pull request
Mar 9, 2017
Use of abort() was added in 34febfb, and changed to ABORT() in 21826ef, but conditional+ABORT() is better expressesed using a CHECK_xxx() macro. See: #9409 (comment) PR-URL: #10413 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: James M Snell <jasnell@gmail.com>
MylesBorins
pushed a commit
that referenced
this pull request
Mar 9, 2017
SecureContext::AddRootCerts only parses the root certificates once and keeps the result in root_cert_store, a global X509_STORE. This change addresses the following issues: 1. SecureContext::AddCACert would add certificates to whatever X509_STORE was being used, even if that happened to be root_cert_store. Thus adding a CA certificate to a SecureContext would also cause it to be included in unrelated SecureContexts. 2. AddCRL would crash if neither AddRootCerts nor AddCACert had been called first. 3. Calling AddCACert without calling AddRootCerts first, and with an input that didn't contain any certificates, would leak an X509_STORE. 4. AddCRL would add the CRL to whatever X509_STORE was being used. Thus, like AddCACert, unrelated SecureContext objects could be affected. The following, non-obvious behaviour remains: calling AddRootCerts doesn't /add/ them, rather it sets the CA certs to be the root set and overrides any previous CA certificates. Points 1–3 are probably unimportant because the SecureContext is typically configured by `createSecureContext` in `lib/_tls_common.js`. This function either calls AddCACert or AddRootCerts and only calls AddCRL after setting up CA certificates. Point four could still apply in the unlikely case that someone configures a CRL without explicitly configuring the CAs. PR-URL: #9409 Reviewed-By: Fedor Indutny <fedor@indutny.com> Reviewed-By: Shigeki Ohtsu <ohtsu@ohtsu.org>
MylesBorins
pushed a commit
that referenced
this pull request
Mar 9, 2017
Fix leaking the BIO in the error path. Introduced in commit 34febfb ("crypto: fix handling of root_cert_store"). PR-URL: #9604 Refs: #9409 Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Fedor Indutny <fedor@indutny.com> Reviewed-By: James M Snell <jasnell@gmail.com> Reviewed-By: Jeremiah Senkpiel <fishrock123@rocketmail.com> Reviewed-By: Michael Dawson <michael_dawson@ca.ibm.com> Reviewed-By: Rod Vagg <rod@vagg.org>
MylesBorins
pushed a commit
that referenced
this pull request
Mar 9, 2017
Use of abort() was added in 34febfb, and changed to ABORT() in 21826ef, but conditional+ABORT() is better expressesed using a CHECK_xxx() macro. See: #9409 (comment) PR-URL: #10413 Reviewed-By: Colin Ihrig <cjihrig@gmail.com> Reviewed-By: Gibson Fahnestock <gibfahn@gmail.com> Reviewed-By: Ben Noordhuis <info@bnoordhuis.nl> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: James M Snell <jasnell@gmail.com>
Merged
2 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Checklist
make -j8 test(UNIX), orvcbuild test nosign(Windows) passesAffected core subsystem(s)
crypto
Description of change
crypto: fix handling of root_cert_store.
SecureContext::AddRootCerts only parses the root certificates once and keeps the result in root_cert_store, a global X509_STORE. This change addresses the following issues:
SecureContext::AddCACert would add certificates to whatever X509_STORE was being used, even if that happened to be root_cert_store. Thus adding a CA certificate to a SecureContext would also cause it to be included in unrelated SecureContexts.
AddCRL would crash if neither AddRootCerts nor AddCACert had been called first.
Calling AddCACert without calling AddRootCerts first, and with an input that didn't contain any certificates, would leak an X509_STORE.
AddCRL would add the CRL to whatever X509_STORE was being used. Thus, like AddCACert, unrelated SecureContext objects could be affected.
The following, non-obvious behaviour remains: calling AddRootCerts doesn't add them, rather it sets the CA certs to be the root set and overrides any previous CA certificates.
Points 1–3 are probably unimportant because the SecureContext is typically configured by
createSecureContextinlib/_tls_common.js. This function either calls AddCACert or AddRootCerts and only calls AddCRL after setting up CA certificates. Point four could still apply in the unlikely case that someone configures a CRL without explicitly configuring the CAs.