aboutsummaryrefslogtreecommitdiff
path: root/openssl/src
diff options
context:
space:
mode:
authorSteven Fackler <[email protected]>2016-08-17 19:30:57 -0700
committerSteven Fackler <[email protected]>2016-08-17 19:30:57 -0700
commitcd69343d67081ab9c070f21d58918433a44f97bf (patch)
tree34367513c37714a94cad3ccd0326f82ee796795b /openssl/src
parentIgnore flickering test on windows (diff)
downloadrust-openssl-cd69343d67081ab9c070f21d58918433a44f97bf.tar.xz
rust-openssl-cd69343d67081ab9c070f21d58918433a44f97bf.zip
Fix SslContext::add_extra_chain_cert
SSL_CTX_add_extra_chain_cert assumes ownership of the certificate, so the method really needs to take an X509 by value. Work around this by manually cloning the cert. This method has been around for over a year but I'm guessing nobody actually used it since it produces a nice double free into segfault!
Diffstat (limited to 'openssl/src')
-rw-r--r--openssl/src/ssl/mod.rs11
-rw-r--r--openssl/src/ssl/tests/mod.rs8
-rw-r--r--openssl/src/x509/mod.rs11
3 files changed, 27 insertions, 3 deletions
diff --git a/openssl/src/ssl/mod.rs b/openssl/src/ssl/mod.rs
index 64a2ccaf..6e365af6 100644
--- a/openssl/src/ssl/mod.rs
+++ b/openssl/src/ssl/mod.rs
@@ -535,9 +535,14 @@ impl<'a> SslContextRef<'a> {
/// Adds a certificate to the certificate chain presented together with the
/// certificate specified using set_certificate()
pub fn add_extra_chain_cert(&mut self, cert: &X509Ref) -> Result<(), ErrorStack> {
- wrap_ssl_result(unsafe {
- ffi::SSL_CTX_add_extra_chain_cert(self.as_ptr(), cert.as_ptr()) as c_int
- })
+ // FIXME this should really just take an X509 by value
+ let der = try!(cert.to_der());
+ let cert = try!(X509::from_der(&der));
+ unsafe {
+ try_ssl!(ffi::SSL_CTX_add_extra_chain_cert(self.as_ptr(), cert.as_ptr()));
+ }
+ mem::forget(cert);
+ Ok(())
}
/// Specifies the file that contains private key
diff --git a/openssl/src/ssl/tests/mod.rs b/openssl/src/ssl/tests/mod.rs
index 2881d4fe..3bbbed03 100644
--- a/openssl/src/ssl/tests/mod.rs
+++ b/openssl/src/ssl/tests/mod.rs
@@ -1081,3 +1081,11 @@ fn default_verify_paths() {
assert!(result.starts_with(b"HTTP/1.0"));
assert!(result.ends_with(b"</HTML>\r\n") || result.ends_with(b"</html>"));
}
+
+#[test]
+fn add_extra_chain_cert() {
+ let cert = include_bytes!("../../../test/cert.pem");
+ let cert = X509::from_pem(cert).unwrap();
+ let mut ctx = SslContext::new(SslMethod::Sslv23).unwrap();
+ ctx.add_extra_chain_cert(&cert).unwrap();
+}
diff --git a/openssl/src/x509/mod.rs b/openssl/src/x509/mod.rs
index 1319b75c..f5369447 100644
--- a/openssl/src/x509/mod.rs
+++ b/openssl/src/x509/mod.rs
@@ -1,4 +1,5 @@
use libc::{c_char, c_int, c_long, c_ulong, c_void};
+use std::cmp;
use std::ffi::CString;
use std::mem;
use std::ptr;
@@ -492,6 +493,16 @@ impl X509 {
X509::from_ptr(x509)
}
+ /// Reads a certificate from DER.
+ pub fn from_der(buf: &[u8]) -> Result<X509, ErrorStack> {
+ unsafe {
+ let mut ptr = buf.as_ptr() as *mut _;
+ let len = cmp::min(buf.len(), c_long::max_value() as usize) as c_long;
+ let x509 = try_ssl_null!(ffi::d2i_X509(ptr::null_mut(), &mut ptr, len));
+ Ok(X509::from_ptr(x509))
+ }
+ }
+
/// Reads a certificate from PEM.
pub fn from_pem(buf: &[u8]) -> Result<X509, ErrorStack> {
let mem_bio = try!(MemBioSlice::new(buf));
generated by cgit v1.2.3 (git 2.25.1) at 2026-03-21 21:21:37 +0000