Caching the X509v3 extensions requires an explicit libctx. We do that
where required in libssl.
Reviewed-by: Tomas Mraz <tmraz@fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/11409)
#include <openssl/dh.h>
#include <openssl/rand.h>
#include <openssl/trace.h>
#include <openssl/dh.h>
#include <openssl/rand.h>
#include <openssl/trace.h>
+#include <openssl/x509v3.h>
#include "internal/cryptlib.h"
#define TLS13_NUM_CIPHERS OSSL_NELEM(tls13_ciphers)
#include "internal/cryptlib.h"
#define TLS13_NUM_CIPHERS OSSL_NELEM(tls13_ciphers)
+ if (!X509v3_cache_extensions((X509 *)parg, ctx->libctx, ctx->propq)) {
+ SSLerr(0, ERR_LIB_X509);
+ return 0;
+ }
if (!sk_X509_push(ctx->extra_certs, (X509 *)parg)) {
SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_MALLOC_FAILURE);
return 0;
if (!sk_X509_push(ctx->extra_certs, (X509 *)parg)) {
SSLerr(SSL_F_SSL3_CTX_CTRL, ERR_R_MALLOC_FAILURE);
return 0;
int ssl_cert_set0_chain(SSL *s, SSL_CTX *ctx, STACK_OF(X509) *chain)
{
int i, r;
int ssl_cert_set0_chain(SSL *s, SSL_CTX *ctx, STACK_OF(X509) *chain)
{
int i, r;
- CERT_PKEY *cpk = s ? s->cert->key : ctx->cert->key;
+ CERT_PKEY *cpk = s != NULL ? s->cert->key : ctx->cert->key;
+ SSL_CTX *realctx = s != NULL ? s->ctx : ctx;
+
if (!cpk)
return 0;
for (i = 0; i < sk_X509_num(chain); i++) {
if (!cpk)
return 0;
for (i = 0; i < sk_X509_num(chain); i++) {
- r = ssl_security_cert(s, ctx, sk_X509_value(chain, i), 0, 0);
+ X509 *x = sk_X509_value(chain, i);
+
+ if (!X509v3_cache_extensions(x, realctx->libctx, realctx->propq)) {
+ SSLerr(0, ERR_LIB_X509);
+ return 0;
+ }
+
+ r = ssl_security_cert(s, ctx, x, 0, 0);
if (r != 1) {
SSLerr(SSL_F_SSL_CERT_SET0_CHAIN, r);
return 0;
if (r != 1) {
SSLerr(SSL_F_SSL_CERT_SET0_CHAIN, r);
return 0;
#include <openssl/objects.h>
#include <openssl/evp.h>
#include <openssl/x509.h>
#include <openssl/objects.h>
#include <openssl/evp.h>
#include <openssl/x509.h>
+#include <openssl/x509v3.h>
#include <openssl/pem.h>
static int ssl_set_cert(CERT *c, X509 *x509);
#include <openssl/pem.h>
static int ssl_set_cert(CERT *c, X509 *x509);
SSLerr(SSL_F_SSL_USE_CERTIFICATE, ERR_R_PASSED_NULL_PARAMETER);
return 0;
}
SSLerr(SSL_F_SSL_USE_CERTIFICATE, ERR_R_PASSED_NULL_PARAMETER);
return 0;
}
+ if (!X509v3_cache_extensions(x, ssl->ctx->libctx, ssl->ctx->propq)) {
+ SSLerr(0, ERR_LIB_X509);
+ return 0;
+ }
rv = ssl_security_cert(ssl, NULL, x, 0, 1);
if (rv != 1) {
SSLerr(SSL_F_SSL_USE_CERTIFICATE, rv);
rv = ssl_security_cert(ssl, NULL, x, 0, 1);
if (rv != 1) {
SSLerr(SSL_F_SSL_USE_CERTIFICATE, rv);
SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE, ERR_R_PASSED_NULL_PARAMETER);
return 0;
}
SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE, ERR_R_PASSED_NULL_PARAMETER);
return 0;
}
+ if (!X509v3_cache_extensions(x, ctx->libctx, ctx->propq)) {
+ SSLerr(0, ERR_LIB_X509);
+ return 0;
+ }
rv = ssl_security_cert(NULL, ctx, x, 0, 1);
if (rv != 1) {
SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE, rv);
rv = ssl_security_cert(NULL, ctx, x, 0, 1);
if (rv != 1) {
SSLerr(SSL_F_SSL_CTX_USE_CERTIFICATE, rv);