Replace and Deprecate TS_VERIFY_CTX Functions

Fixes #18854 Replace and deprecate the functions `TS_VERIFY_CTX_set_data`, `TS_VERIFY_CTX_set_store`, `TS_VERIFY_CTX_set_certs`, `TS_VERIFY_CTX_set_imprint` with new versions: `TS_VERIFY_CTX_set0_data`, `TS_VERIFY_CTX_set0_store`, `TS_VERIFY_CTX_set0_certs` and `TS_VERIFY_CTX_set0_imprint`. The previous functions had poorly documented memory handling, potentially leading to memory leaks. The new functions improve memory management and provide clearer usage. Also, update existing code to use the new function calls instead of the deprecated ones. Reviewed-by: Neil Horman <nhorman@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/24701)
author: erbsland-dev <github@erbsland.dev> 2024-06-21 15:16:10 +0200
committer: Tomas Mraz <tomas@openssl.org> 2024-07-10 09:39:53 +0200
commit: 6f811d839fd637fa5dea0ee4286722847ab74b98 (patch)
tree: dbad6a017880dbbda8266009d6e1cc7f44e6e7fe
parent: Clarify supported curves in the s_client/s_server documentation (diff)
download: openssl-6f811d839fd637fa5dea0ee4286722847ab74b98.tar.xz
openssl-6f811d839fd637fa5dea0ee4286722847ab74b98.zip
3 files changed, 61 insertions, 7 deletions
diff --git a/apps/ts.c b/apps/ts.c
index 18df7d5ace..71b8df1997 100644
--- a/apps/ts.c
+++ b/apps/ts.c
@@ -920,7 +920,7 @@ static TS_VERIFY_CTX *create_verify_ctx(const char *data, const char *digest,
             f |= TS_VFY_DATA;
             if ((out = BIO_new_file(data, "rb")) == NULL)
                 goto err;
-            if (TS_VERIFY_CTX_set_data(ctx, out) == NULL) {
+            if (!TS_VERIFY_CTX_set0_data(ctx, out)) {
                 BIO_free_all(out);
                 goto err;
             }
@@ -928,7 +928,7 @@ static TS_VERIFY_CTX *create_verify_ctx(const char *data, const char *digest,
             long imprint_len;
             unsigned char *hexstr = OPENSSL_hexstr2buf(digest, &imprint_len);
             f |= TS_VFY_IMPRINT;
-            if (TS_VERIFY_CTX_set_imprint(ctx, hexstr, imprint_len) == NULL) {
+            if (!TS_VERIFY_CTX_set0_imprint(ctx, hexstr, imprint_len)) {
                 BIO_printf(bio_err, "invalid digest string\n");
                 goto err;
             }
@@ -949,16 +949,15 @@ static TS_VERIFY_CTX *create_verify_ctx(const char *data, const char *digest,
     TS_VERIFY_CTX_add_flags(ctx, f | TS_VFY_SIGNATURE);
 
     /* Initialising the X509_STORE object. */
-    if (TS_VERIFY_CTX_set_store(ctx,
-                                create_cert_store(CApath, CAfile, CAstore, vpm))
-            == NULL)
+    if (!TS_VERIFY_CTX_set0_store(ctx, create_cert_store(CApath, CAfile,
+                                                            CAstore, vpm)))
         goto err;
 
     /* Loading any extra untrusted certificates. */
     if (untrusted != NULL) {
         certs = load_certs_multifile(untrusted, NULL, "extra untrusted certs",
                                      vpm);
-        if (certs == NULL || TS_VERIFY_CTX_set_certs(ctx, certs) == NULL)
+        if (certs == NULL || !TS_VERIFY_CTX_set0_certs(ctx, certs))
             goto err;
     }
     ret = 1;
diff --git a/crypto/ts/ts_verify_ctx.c b/crypto/ts/ts_verify_ctx.c
index 6dbba3df50..4b6a3ada9b 100644
--- a/crypto/ts/ts_verify_ctx.c
+++ b/crypto/ts/ts_verify_ctx.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 2006-2021 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2006-2024 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -46,25 +46,53 @@ int TS_VERIFY_CTX_set_flags(TS_VERIFY_CTX *ctx, int f)
     return ctx->flags;
 }
 
+#ifndef OPENSSL_NO_DEPRECATED_3_4
 BIO *TS_VERIFY_CTX_set_data(TS_VERIFY_CTX *ctx, BIO *b)
 {
     ctx->data = b;
     return ctx->data;
 }
+#endif
 
+int TS_VERIFY_CTX_set0_data(TS_VERIFY_CTX *ctx, BIO *b)
+{
+    BIO_free_all(ctx->data);
+    ctx->data = b;
+    return 1;
+}
+
+#ifndef OPENSSL_NO_DEPRECATED_3_4
 X509_STORE *TS_VERIFY_CTX_set_store(TS_VERIFY_CTX *ctx, X509_STORE *s)
 {
     ctx->store = s;
     return ctx->store;
 }
+#endif
 
+int TS_VERIFY_CTX_set0_store(TS_VERIFY_CTX *ctx, X509_STORE *s)
+{
+    X509_STORE_free(ctx->store);
+    ctx->store = s;
+    return 1;
+}
+
+#ifndef OPENSSL_NO_DEPRECATED_3_4
 STACK_OF(X509) *TS_VERIFY_CTX_set_certs(TS_VERIFY_CTX *ctx,
                                         STACK_OF(X509) *certs)
 {
     ctx->certs = certs;
     return ctx->certs;
 }
+#endif
 
+int TS_VERIFY_CTX_set0_certs(TS_VERIFY_CTX *ctx, STACK_OF(X509) *certs)
+{
+    OSSL_STACK_OF_X509_free(ctx->certs);
+    ctx->certs = certs;
+    return 1;
+}
+
+#ifndef OPENSSL_NO_DEPRECATED_3_4
 unsigned char *TS_VERIFY_CTX_set_imprint(TS_VERIFY_CTX *ctx,
                                          unsigned char *hexstr, long len)
 {
@@ -73,6 +101,16 @@ unsigned char *TS_VERIFY_CTX_set_imprint(TS_VERIFY_CTX *ctx,
     ctx->imprint_len = len;
     return ctx->imprint;
 }
+#endif
+
+int TS_VERIFY_CTX_set0_imprint(TS_VERIFY_CTX *ctx,
+                              unsigned char *hexstr, long len)
+{
+    OPENSSL_free(ctx->imprint);
+    ctx->imprint = hexstr;
+    ctx->imprint_len = len;
+    return 1;
+}
 
 void TS_VERIFY_CTX_cleanup(TS_VERIFY_CTX *ctx)
 {
diff --git a/include/openssl/ts.h b/include/openssl/ts.h
index b09b646dff..7feb45fd4b 100644
--- a/include/openssl/ts.h
+++ b/include/openssl/ts.h
@@ -418,14 +418,31 @@ void TS_VERIFY_CTX_free(TS_VERIFY_CTX *ctx);
 void TS_VERIFY_CTX_cleanup(TS_VERIFY_CTX *ctx);
 int TS_VERIFY_CTX_set_flags(TS_VERIFY_CTX *ctx, int f);
 int TS_VERIFY_CTX_add_flags(TS_VERIFY_CTX *ctx, int f);
+# ifndef OPENSSL_NO_DEPRECATED_3_4
+OSSL_DEPRECATEDIN_3_4_FOR("Unclear semantics, replace with TS_VERIFY_CTX_set0_data().")
 BIO *TS_VERIFY_CTX_set_data(TS_VERIFY_CTX *ctx, BIO *b);
+# endif
+int TS_VERIFY_CTX_set0_data(TS_VERIFY_CTX *ctx, BIO *b);
+# ifndef OPENSSL_NO_DEPRECATED_3_4
+OSSL_DEPRECATEDIN_3_4_FOR("Unclear semantics, replace with TS_VERIFY_CTX_set0_imprint().")
 unsigned char *TS_VERIFY_CTX_set_imprint(TS_VERIFY_CTX *ctx,
                                          unsigned char *hexstr, long len);
+# endif
+int TS_VERIFY_CTX_set0_imprint(TS_VERIFY_CTX *ctx,
+                               unsigned char *hexstr, long len);
+# ifndef OPENSSL_NO_DEPRECATED_3_4
+OSSL_DEPRECATEDIN_3_4_FOR("Unclear semantics, replace with TS_VERIFY_CTX_set0_store().")
 X509_STORE *TS_VERIFY_CTX_set_store(TS_VERIFY_CTX *ctx, X509_STORE *s);
+# endif
+int TS_VERIFY_CTX_set0_store(TS_VERIFY_CTX *ctx, X509_STORE *s);
 # ifndef OPENSSL_NO_DEPRECATED_3_0
 #  define TS_VERIFY_CTS_set_certs(ctx, cert) TS_VERIFY_CTX_set_certs(ctx,cert)
 # endif
+# ifndef OPENSSL_NO_DEPRECATED_3_4
+OSSL_DEPRECATEDIN_3_4_FOR("Unclear semantics, replace with TS_VERIFY_CTX_set0_certs().")
 STACK_OF(X509) *TS_VERIFY_CTX_set_certs(TS_VERIFY_CTX *ctx, STACK_OF(X509) *certs);
+# endif
+int TS_VERIFY_CTX_set0_certs(TS_VERIFY_CTX *ctx, STACK_OF(X509) *certs);
 
 /*-
  * If ctx is NULL, it allocates and returns a new object, otherwise
author	erbsland-dev <github@erbsland.dev>	2024-06-21 15:16:10 +0200
committer	Tomas Mraz <tomas@openssl.org>	2024-07-10 09:39:53 +0200
commit	6f811d839fd637fa5dea0ee4286722847ab74b98 (patch)
tree	dbad6a017880dbbda8266009d6e1cc7f44e6e7fe
parent	Clarify supported curves in the s_client/s_server documentation (diff)
download	openssl-6f811d839fd637fa5dea0ee4286722847ab74b98.tar.xz openssl-6f811d839fd637fa5dea0ee4286722847ab74b98.zip