commit 2f949642a11098a46cc47a8df5911d2d90433209
Author: Dr. David von Oheimb <dev@ddvo.net>
Date: Mon Apr 14 21:00:35 2025 +0200
apps/lib/apps.c: fix load_certs_multifile() and load_certstore() w.r.t. password source vs. actual password
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
Reviewed-by: Norbert Pocs <norbertp@openssl.org>
Reviewed-by: Paul Dale <paul.dale@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/28477)
diff --git a/apps/include/apps.h b/apps/include/apps.h
index 74fca51a2c..504d80c250 100644
--- a/apps/include/apps.h
+++ b/apps/include/apps.h
@@ -145,11 +145,10 @@ char *process_additional_mac_key_arguments(const char *arg);
char *get_str_from_file(const char *filename);
int load_cert_certs(const char *uri,
X509 **pcert, STACK_OF(X509) **pcerts,
- int exclude_http, const char *pass, const char *desc,
- X509_VERIFY_PARAM *vpm);
-STACK_OF(X509) *load_certs_multifile(char *files, const char *pass,
+ int exclude_http, const char *pass, const char *desc, X509_VERIFY_PARAM *vpm);
+STACK_OF(X509) *load_certs_multifile(char *files, const char *source,
const char *desc, X509_VERIFY_PARAM *vpm);
-X509_STORE *load_certstore(char *input, const char *pass, const char *desc,
+X509_STORE *load_certstore(char *input, const char *source, const char *desc,
X509_VERIFY_PARAM *vpm);
int load_certs(const char *uri, int maybe_stdin, STACK_OF(X509) **certs,
const char *pass, const char *desc);
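Review bot: The renamed `source` parameters of load_certs_multifile and load_certstore now sit beside load_cert_certs and load_certs, which still take `pass`, and nothing in the header says the two mean different things. The .c side of this commit resolves `source` through get_passwd() before handing the result to load_cert_certs as `pass`, so a caller reading only apps.h cannot tell which form each function expects and could pass an already-resolved password where a source spec is wanted, or the reverse. A one-line comment on each changed prototype would close that gap, e.g. `/* source: password source spec, resolved internally via get_passwd(); not the password itself */`.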
diff --git a/apps/lib/apps.c b/apps/lib/apps.c
index e57ac3398e..85c9ce524f 100644
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@@ -729,9 +729,10 @@ int load_cert_certs(const char *uri,
return ret;
}
-STACK_OF(X509) *load_certs_multifile(char *files, const char *pass,
+STACK_OF(X509) *load_certs_multifile(char *files, const char *source,
const char *desc, X509_VERIFY_PARAM *vpm)
{
+ char *pass = get_passwd(source, desc);
STACK_OF(X509) *certs = NULL;
STACK_OF(X509) *result = sk_X509_new_null();
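Review bot: The new `char *pass = get_passwd(source, desc);` at the top of load_certs_multifile is never checked, so if get_passwd() fails for a non-NULL source (its definition is not in this diff, but an unresolvable source or an allocation failure would plausibly yield NULL) the function carries on loading with no password instead of reporting the failure. Since NULL is also the legitimate result when no source was supplied, the guard must be conditioned on the source rather than on the password alone: `if (source != NULL && pass == NULL) goto err;` placed after `result` is initialised, which the existing `err:` path already handles by releasing `pass`, `certs` and `result`. The remainder of the function body, including the `err:` label, lies outside this hunk.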
@@ -752,11 +753,13 @@ STACK_OF(X509) *load_certs_multifile(char *files, const char *pass,
certs = NULL;
files = next;
}
+ clear_free(pass);
return result;
oom:
BIO_printf(bio_err, "out of memory\n");
err:
+ clear_free(pass);
OSSL_STACK_OF_X509_free(certs);
OSSL_STACK_OF_X509_free(result);
return NULL;
@@ -784,9 +787,10 @@ static X509_STORE *sk_X509_to_store(X509_STORE *store /* may be NULL */,
* Create cert store structure with certificates read from given file(s).
* Returns pointer to created X509_STORE on success, NULL on error.
*/
-X509_STORE *load_certstore(char *input, const char *pass, const char *desc,
+X509_STORE *load_certstore(char *input, const char *source, const char *desc,
X509_VERIFY_PARAM *vpm)
{
+ char *pass = get_passwd(source, desc);
X509_STORE *store = NULL;
STACK_OF(X509) *certs = NULL;
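Review bot: As in load_certs_multifile, the `char *pass = get_passwd(source, desc);` added to load_certstore is not checked, so a password source that cannot be resolved (if get_passwd() reports that with NULL, which this diff does not show) silently degrades to "no password" and the per-file loads either fail later with a less specific message or succeed for unencrypted input that the caller meant to be protected. A guard keyed on the source, `if (source != NULL && pass == NULL) goto end;`, placed after the two declarations would return NULL through the new `end:` label, which already frees `pass`, and `store` is still NULL at that point. The function body and the `end:` label continue in the next hunk.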
@@ -796,15 +800,19 @@ X509_STORE *load_certstore(char *input, const char *pass, const char *desc,
if (!load_cert_certs(input, NULL, &certs, 1, pass, desc, vpm)) {
X509_STORE_free(store);
- return NULL;
+ store = NULL;
+ goto end;
}
ok = (store = sk_X509_to_store(store, certs)) != NULL;
OSSL_STACK_OF_X509_free(certs);
certs = NULL;
if (!ok)
- return NULL;
+ goto end;
input = next;
}
+
+end:
+ clear_free(pass);
return store;
}