[openssl] master update
The branch master has been updated via 2080da84a49b0c52fc8c6e6caef5d373235bd3e4 (commit) from 7c78bd4be810ddceb8f13585a921946cc98f5fbd (commit) - Log - commit 2080da84a49b0c52fc8c6e6caef5d373235bd3e4 Author: Michael Baentsch Date: Mon Dec 20 11:01:00 2021 +0100 improving tests for adding sigalg with empty digest Reviewed-by: Tomas Mraz Reviewed-by: Paul Dale (Merged from https://github.com/openssl/openssl/pull/17315) --- Summary of changes: test/upcallstest.c | 13 +++-- 1 file changed, 11 insertions(+), 2 deletions(-) diff --git a/test/upcallstest.c b/test/upcallstest.c index 76899fee3d..c4ef714713 100644 --- a/test/upcallstest.c +++ b/test/upcallstest.c @@ -71,11 +71,12 @@ static int obj_provider_init(const OSSL_CORE_HANDLE *handle, /* additional tests checking empty digest algs are accepted, too */ if (!c_obj_add_sigid(handle, SIGALG_OID, "", SIG_LN)) return 0; -if (!c_obj_add_sigid(handle, SIGALG_OID, NULL, SIG_LN)) -return 0; /* checking wrong digest alg name is rejected: */ if (c_obj_add_sigid(handle, SIGALG_OID, "NonsenseAlg", SIG_LN)) return 0; +/* Testing actual triplet addition under separate sig alg */ +if (!c_obj_add_sigid(handle, SIG_OID, NULL, SIG_LN)) +return 0; return 1; } @@ -105,6 +106,14 @@ static int obj_create_test(void) || !TEST_int_eq(signid, OBJ_ln2nid(SIG_LN))) goto err; +/* Check empty digest alg storage capability */ +sigalgnid = OBJ_txt2nid(SIG_OID); +if (!TEST_int_ne(sigalgnid, NID_undef) +|| !TEST_true(OBJ_find_sigid_algs(sigalgnid, , )) +|| !TEST_int_eq(digestnid, NID_undef) +|| !TEST_int_ne(signid, NID_undef)) +goto err; + testresult = 1; err: OSSL_PROVIDER_unload(objprov);
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated
via a9c02a552153eabfb5a1a01ecdeb03e7b2920f4b (commit)
from 317bedd656e76b1162a6b29ed19a78303f362a78 (commit)
- Log -
commit a9c02a552153eabfb5a1a01ecdeb03e7b2920f4b
Author: Kan
Date: Fri Dec 17 00:35:32 2021 +0800
Add static check in BN_hex2bn
Fixes #17298
Reviewed-by: Tomas Mraz
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/17299)
(cherry picked from commit 7c78bd4be810ddceb8f13585a921946cc98f5fbd)
---
Summary of changes:
crypto/bn/bn_conv.c | 4
1 file changed, 4 insertions(+)
diff --git a/crypto/bn/bn_conv.c b/crypto/bn/bn_conv.c
index 6757f3d0aa..75054f5d6a 100644
--- a/crypto/bn/bn_conv.c
+++ b/crypto/bn/bn_conv.c
@@ -154,6 +154,10 @@ int BN_hex2bn(BIGNUM **bn, const char *a)
return 0;
} else {
ret = *bn;
+if (BN_get_flags(ret, BN_FLG_STATIC_DATA)) {
+ERR_raise(ERR_LIB_BN, ERR_R_PASSED_INVALID_ARGUMENT);
+return 0;
+}
BN_zero(ret);
}
[openssl] master update
The branch master has been updated
via 7c78bd4be810ddceb8f13585a921946cc98f5fbd (commit)
from a595e3286ae9f033c56452967b3add2145f9085f (commit)
- Log -
commit 7c78bd4be810ddceb8f13585a921946cc98f5fbd
Author: Kan
Date: Fri Dec 17 00:35:32 2021 +0800
Add static check in BN_hex2bn
Fixes #17298
Reviewed-by: Tomas Mraz
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/17299)
---
Summary of changes:
crypto/bn/bn_conv.c | 4
1 file changed, 4 insertions(+)
diff --git a/crypto/bn/bn_conv.c b/crypto/bn/bn_conv.c
index 6757f3d0aa..75054f5d6a 100644
--- a/crypto/bn/bn_conv.c
+++ b/crypto/bn/bn_conv.c
@@ -154,6 +154,10 @@ int BN_hex2bn(BIGNUM **bn, const char *a)
return 0;
} else {
ret = *bn;
+if (BN_get_flags(ret, BN_FLG_STATIC_DATA)) {
+ERR_raise(ERR_LIB_BN, ERR_R_PASSED_INVALID_ARGUMENT);
+return 0;
+}
BN_zero(ret);
}
[openssl] OpenSSL_1_1_1-stable update
The branch OpenSSL_1_1_1-stable has been updated
via 8a5dbc182d85eeb5778dcfd17cab945f7061c5ef (commit)
from f2f7cff20377f7402b132a19d953a9d998be26aa (commit)
- Log -
commit 8a5dbc182d85eeb5778dcfd17cab945f7061c5ef
Author: Alexandros Roussos
Date: Mon Dec 20 19:14:57 2021 +0100
Fix Configure variable spill
* Evaluating code-refs in Configure can sometimes set the default
variable `$_`
* Prevent spillage influencing the target property by using named
variable in loop
CLA: trivial
Fixes gh-17321
Reviewed-by: Tomas Mraz
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/17322)
(cherry picked from commit a595e3286ae9f033c56452967b3add2145f9085f)
---
Summary of changes:
Configure | 22 +++---
1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/Configure b/Configure
index faf57b155a..4bea49d7da 100755
--- a/Configure
+++ b/Configure
@@ -3161,25 +3161,25 @@ sub resolve_config {
}
}
-foreach (sort keys %all_keys) {
-my $previous = $combined_inheritance{$_};
+foreach my $key (sort keys %all_keys) {
+my $previous = $combined_inheritance{$key};
# Current target doesn't have a value for the current key?
# Assign it the default combiner, the rest of this loop body
# will handle it just like any other coderef.
-if (!exists $table{$target}->{$_}) {
-$table{$target}->{$_} = $default_combiner;
+if (!exists $table{$target}->{$key}) {
+$table{$target}->{$key} = $default_combiner;
}
-$table{$target}->{$_} = process_values($table{$target}->{$_},
- $combined_inheritance{$_},
- $target, $_);
-unless(defined($table{$target}->{$_})) {
-delete $table{$target}->{$_};
+$table{$target}->{$key} = process_values($table{$target}->{$key},
+ $combined_inheritance{$key},
+ $target, $key);
+unless(defined($table{$target}->{$key})) {
+delete $table{$target}->{$key};
}
#if ($extra_checks &&
-#$previous && !($add_called || $previous ~~
$table{$target}->{$_})) {
-#warn "$_ got replaced in $target\n";
+#$previous && !($add_called || $previous ~~
$table{$target}->{$key})) {
+#warn "$key got replaced in $target\n";
#}
}
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated
via 317bedd656e76b1162a6b29ed19a78303f362a78 (commit)
from ceeb92f7b52fbbb349cca8d9560a0708d948936a (commit)
- Log -
commit 317bedd656e76b1162a6b29ed19a78303f362a78
Author: Alexandros Roussos
Date: Mon Dec 20 19:14:57 2021 +0100
Fix Configure variable spill
* Evaluating code-refs in Configure can sometimes set the default
variable `$_`
* Prevent spillage influencing the target property by using named
variable in loop
CLA: trivial
Fixes gh-17321
Reviewed-by: Tomas Mraz
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/17322)
(cherry picked from commit a595e3286ae9f033c56452967b3add2145f9085f)
---
Summary of changes:
Configure | 22 +++---
1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/Configure b/Configure
index b00b91ac63..df7232d551 100755
--- a/Configure
+++ b/Configure
@@ -3169,25 +3169,25 @@ sub resolve_config {
}
}
-foreach (sort keys %all_keys) {
-my $previous = $combined_inheritance{$_};
+foreach my $key (sort keys %all_keys) {
+my $previous = $combined_inheritance{$key};
# Current target doesn't have a value for the current key?
# Assign it the default combiner, the rest of this loop body
# will handle it just like any other coderef.
-if (!exists $table{$target}->{$_}) {
-$table{$target}->{$_} = $default_combiner;
+if (!exists $table{$target}->{$key}) {
+$table{$target}->{$key} = $default_combiner;
}
-$table{$target}->{$_} = process_values($table{$target}->{$_},
- $combined_inheritance{$_},
- $target, $_);
-unless(defined($table{$target}->{$_})) {
-delete $table{$target}->{$_};
+$table{$target}->{$key} = process_values($table{$target}->{$key},
+ $combined_inheritance{$key},
+ $target, $key);
+unless(defined($table{$target}->{$key})) {
+delete $table{$target}->{$key};
}
#if ($extra_checks &&
-#$previous && !($add_called || $previous ~~
$table{$target}->{$_})) {
-#warn "$_ got replaced in $target\n";
+#$previous && !($add_called || $previous ~~
$table{$target}->{$key})) {
+#warn "$key got replaced in $target\n";
#}
}
[openssl] master update
The branch master has been updated
via a595e3286ae9f033c56452967b3add2145f9085f (commit)
from 7a85dd46e0b2f67b341c777509f0126e3252938d (commit)
- Log -
commit a595e3286ae9f033c56452967b3add2145f9085f
Author: Alexandros Roussos
Date: Mon Dec 20 19:14:57 2021 +0100
Fix Configure variable spill
* Evaluating code-refs in Configure can sometimes set the default
variable `$_`
* Prevent spillage influencing the target property by using named
variable in loop
CLA: trivial
Fixes gh-17321
Reviewed-by: Tomas Mraz
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/17322)
---
Summary of changes:
Configure | 22 +++---
1 file changed, 11 insertions(+), 11 deletions(-)
diff --git a/Configure b/Configure
index f48b7ab075..bf6c568a4c 100755
--- a/Configure
+++ b/Configure
@@ -3169,25 +3169,25 @@ sub resolve_config {
}
}
-foreach (sort keys %all_keys) {
-my $previous = $combined_inheritance{$_};
+foreach my $key (sort keys %all_keys) {
+my $previous = $combined_inheritance{$key};
# Current target doesn't have a value for the current key?
# Assign it the default combiner, the rest of this loop body
# will handle it just like any other coderef.
-if (!exists $table{$target}->{$_}) {
-$table{$target}->{$_} = $default_combiner;
+if (!exists $table{$target}->{$key}) {
+$table{$target}->{$key} = $default_combiner;
}
-$table{$target}->{$_} = process_values($table{$target}->{$_},
- $combined_inheritance{$_},
- $target, $_);
-unless(defined($table{$target}->{$_})) {
-delete $table{$target}->{$_};
+$table{$target}->{$key} = process_values($table{$target}->{$key},
+ $combined_inheritance{$key},
+ $target, $key);
+unless(defined($table{$target}->{$key})) {
+delete $table{$target}->{$key};
}
#if ($extra_checks &&
-#$previous && !($add_called || $previous ~~
$table{$target}->{$_})) {
-#warn "$_ got replaced in $target\n";
+#$previous && !($add_called || $previous ~~
$table{$target}->{$key})) {
+#warn "$key got replaced in $target\n";
#}
}
Coverity Scan: Analysis completed for openssl/openssl
Your request for analysis of openssl/openssl has been completed successfully. The results are available at https://u15810271.ct.sendgrid.net/ls/click?upn=HRESupC-2F2Czv4BOaCWWCy7my0P0qcxCbhZ31OYv50yoN-2BQSVjTtaSz8wS4wOr7HlekBtV1P4YRtWclMVkCdvAA-3D-3D4qYN_MulOTlHne1IxTRELXXnGni8d68xSVF-2BUCe3a7Ux-2BjeE7JdX8mOCoTlBmOzfOsrNUGn0i-2BubSXQ8yIEsMxFcs9-2BrAcd5p2ALLDj-2FdY3CTdDonwXvKaLxKQrt-2B2gQkEzRxSK1hCKjnp7bcqEgqI6TLeJAzoL-2BT8Anp0dE-2FVjsIwCSSx8LZITVhkI590j9ACzLFpPTzF-2BxtY1hdhncwu2UiLKWcyNFKDgf2fJdAegSrFZQ-3D Build ID: 425131 Analysis Summary: New defects found: 0 Defects eliminated: 0
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated
via ceeb92f7b52fbbb349cca8d9560a0708d948936a (commit)
from e0314df5f21dd537602d4ea8d9272a21aac66356 (commit)
- Log -
commit ceeb92f7b52fbbb349cca8d9560a0708d948936a
Author: Pauli
Date: Tue Dec 21 10:17:04 2021 +1100
namemap: handle a NULL return when looking for a non-legacy cipher/MD
Fixes #17313
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/17324)
(cherry picked from commit 7a85dd46e0b2f67b341c777509f0126e3252938d)
---
Summary of changes:
crypto/core_namemap.c | 6 --
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/crypto/core_namemap.c b/crypto/core_namemap.c
index e1da724bd2..2bee5ef194 100644
--- a/crypto/core_namemap.c
+++ b/crypto/core_namemap.c
@@ -409,14 +409,16 @@ static void get_legacy_cipher_names(const OBJ_NAME *on,
void *arg)
{
const EVP_CIPHER *cipher = (void *)OBJ_NAME_get(on->name, on->type);
-get_legacy_evp_names(NID_undef, EVP_CIPHER_get_type(cipher), NULL, arg);
+if (cipher != NULL)
+get_legacy_evp_names(NID_undef, EVP_CIPHER_get_type(cipher), NULL,
arg);
}
static void get_legacy_md_names(const OBJ_NAME *on, void *arg)
{
const EVP_MD *md = (void *)OBJ_NAME_get(on->name, on->type);
-get_legacy_evp_names(0, EVP_MD_get_type(md), NULL, arg);
+if (md != NULL)
+get_legacy_evp_names(0, EVP_MD_get_type(md), NULL, arg);
}
static void get_legacy_pkey_meth_names(const EVP_PKEY_ASN1_METHOD *ameth,
[openssl] master update
The branch master has been updated
via 7a85dd46e0b2f67b341c777509f0126e3252938d (commit)
from cdaf072f90399efb9e8e19ee4f387d1425f12274 (commit)
- Log -
commit 7a85dd46e0b2f67b341c777509f0126e3252938d
Author: Pauli
Date: Tue Dec 21 10:17:04 2021 +1100
namemap: handle a NULL return when looking for a non-legacy cipher/MD
Fixes #17313
Reviewed-by: Tomas Mraz
(Merged from https://github.com/openssl/openssl/pull/17324)
---
Summary of changes:
crypto/core_namemap.c | 6 --
1 file changed, 4 insertions(+), 2 deletions(-)
diff --git a/crypto/core_namemap.c b/crypto/core_namemap.c
index e1da724bd2..2bee5ef194 100644
--- a/crypto/core_namemap.c
+++ b/crypto/core_namemap.c
@@ -409,14 +409,16 @@ static void get_legacy_cipher_names(const OBJ_NAME *on,
void *arg)
{
const EVP_CIPHER *cipher = (void *)OBJ_NAME_get(on->name, on->type);
-get_legacy_evp_names(NID_undef, EVP_CIPHER_get_type(cipher), NULL, arg);
+if (cipher != NULL)
+get_legacy_evp_names(NID_undef, EVP_CIPHER_get_type(cipher), NULL,
arg);
}
static void get_legacy_md_names(const OBJ_NAME *on, void *arg)
{
const EVP_MD *md = (void *)OBJ_NAME_get(on->name, on->type);
-get_legacy_evp_names(0, EVP_MD_get_type(md), NULL, arg);
+if (md != NULL)
+get_legacy_evp_names(0, EVP_MD_get_type(md), NULL, arg);
}
static void get_legacy_pkey_meth_names(const EVP_PKEY_ASN1_METHOD *ameth,
[openssl] openssl-3.0 update
The branch openssl-3.0 has been updated
via e0314df5f21dd537602d4ea8d9272a21aac66356 (commit)
from fbadef597c906711d82d8bfd9c4d5276ea981db7 (commit)
- Log -
commit e0314df5f21dd537602d4ea8d9272a21aac66356
Author: Dr. David von Oheimb
Date: Sun Nov 21 20:55:35 2021 +0100
HTTP client: Fix cleanup of TLS BIO via 'bio_update_fn' callback function
Make app_http_tls_cb() tidy up on disconnect the SSL BIO it pushes on
connect.
Make OSSL_HTTP_close() respect this.
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/17318)
(cherry picked from commit cdaf072f90399efb9e8e19ee4f387d1425f12274)
---
Summary of changes:
apps/lib/apps.c | 33 -
crypto/http/http_client.c | 12 +---
doc/man3/OSSL_HTTP_transfer.pod | 18 +-
3 files changed, 42 insertions(+), 21 deletions(-)
diff --git a/apps/lib/apps.c b/apps/lib/apps.c
index e01633c5b5..6a762b7668 100644
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@@ -2442,7 +2442,7 @@ static const char *tls_error_hint(void)
}
/* HTTP callback function that supports TLS connection also via HTTPS proxy */
-BIO *app_http_tls_cb(BIO *hbio, void *arg, int connect, int detail)
+BIO *app_http_tls_cb(BIO *bio, void *arg, int connect, int detail)
{
if (connect && detail) { /* connecting with TLS */
APP_HTTP_TLS_INFO *info = (APP_HTTP_TLS_INFO *)arg;
@@ -2451,7 +2451,7 @@ BIO *app_http_tls_cb(BIO *hbio, void *arg, int connect,
int detail)
BIO *sbio = NULL;
if ((info->use_proxy
- && !OSSL_HTTP_proxy_connect(hbio, info->server, info->port,
+ && !OSSL_HTTP_proxy_connect(bio, info->server, info->port,
NULL, NULL, /* no proxy credentials */
info->timeout, bio_err,
opt_getprog()))
|| (sbio = BIO_new(BIO_f_ssl())) == NULL) {
@@ -2467,18 +2467,25 @@ BIO *app_http_tls_cb(BIO *hbio, void *arg, int connect,
int detail)
SSL_set_connect_state(ssl);
BIO_set_ssl(sbio, ssl, BIO_CLOSE);
-hbio = BIO_push(sbio, hbio);
-} else if (!connect && !detail) { /* disconnecting after error */
-const char *hint = tls_error_hint();
-
-if (hint != NULL)
-ERR_add_error_data(2, " : ", hint);
-/*
- * If we pop sbio and BIO_free() it this may lead to libssl double
free.
- * Rely on BIO_free_all() done by OSSL_HTTP_transfer() in http_client.c
- */
+bio = BIO_push(sbio, bio);
}
-return hbio;
+if (!connect) {
+const char *hint;
+BIO *cbio;
+
+if (!detail) { /* disconnecting after error */
+hint = tls_error_hint();
+if (hint != NULL)
+ERR_add_error_data(2, " : ", hint);
+}
+(void)ERR_set_mark();
+BIO_ssl_shutdown(bio);
+cbio = BIO_pop(bio); /* connect+HTTP BIO */
+BIO_free(bio); /* SSL BIO */
+(void)ERR_pop_to_mark(); /* hide SSL_R_READ_BIO_NOT_SET etc. */
+bio = cbio;
+}
+return bio;
}
void APP_HTTP_TLS_INFO_free(APP_HTTP_TLS_INFO *info)
diff --git a/crypto/http/http_client.c b/crypto/http/http_client.c
index 7f8d8fc8d7..c80d4fe519 100644
--- a/crypto/http/http_client.c
+++ b/crypto/http/http_client.c
@@ -1197,11 +1197,17 @@ BIO *OSSL_HTTP_transfer(OSSL_HTTP_REQ_CTX **prctx,
int OSSL_HTTP_close(OSSL_HTTP_REQ_CTX *rctx, int ok)
{
+BIO *wbio;
int ret = 1;
-/* callback can be used to clean up TLS session on disconnect */
-if (rctx != NULL && rctx->upd_fn != NULL)
-ret = (*rctx->upd_fn)(rctx->wbio, rctx->upd_arg, 0, ok) != NULL;
+/* callback can be used to finish TLS session and free its BIO */
+if (rctx != NULL && rctx->upd_fn != NULL) {
+wbio = (*rctx->upd_fn)(rctx->wbio, rctx->upd_arg,
+ 0 /* disconnect */, ok);
+ret = wbio != NULL;
+if (ret)
+rctx->wbio = wbio;
+}
OSSL_HTTP_REQ_CTX_free(rctx);
return ret;
}
diff --git a/doc/man3/OSSL_HTTP_transfer.pod b/doc/man3/OSSL_HTTP_transfer.pod
index 7fcd71dbe0..7e823db3ea 100644
--- a/doc/man3/OSSL_HTTP_transfer.pod
+++ b/doc/man3/OSSL_HTTP_transfer.pod
@@ -113,17 +113,25 @@ or NULL to indicate failure, in which case it should not
modify the BIO.
Here is a simple example that supports TLS connections (but not via a proxy):
- BIO *http_tls_cb(BIO *hbio, void *arg, int connect, int detail)
+ BIO *http_tls_cb(BIO *bio, void *arg, int connect, int detail)
{
if (connect && detail) { /* connecting with TLS */
SSL_CTX *ctx = (SSL_CTX *)arg;
BIO *sbio = BIO_new_ssl(ctx, 1);
- hbio = sbio != NULL ? BIO_push(sbio, hbio) : NULL;
- } else if
[openssl] master update
The branch master has been updated
via cdaf072f90399efb9e8e19ee4f387d1425f12274 (commit)
from c2d1ad0e048dd3bfa60e6aa0b5ee343cc6d97a15 (commit)
- Log -
commit cdaf072f90399efb9e8e19ee4f387d1425f12274
Author: Dr. David von Oheimb
Date: Sun Nov 21 20:55:35 2021 +0100
HTTP client: Fix cleanup of TLS BIO via 'bio_update_fn' callback function
Make app_http_tls_cb() tidy up on disconnect the SSL BIO it pushes on
connect.
Make OSSL_HTTP_close() respect this.
Reviewed-by: Paul Dale
(Merged from https://github.com/openssl/openssl/pull/17318)
---
Summary of changes:
apps/lib/apps.c | 33 -
crypto/http/http_client.c | 12 +---
doc/man3/OSSL_HTTP_transfer.pod | 18 +-
3 files changed, 42 insertions(+), 21 deletions(-)
diff --git a/apps/lib/apps.c b/apps/lib/apps.c
index 88c4f7b97a..034fd45c4b 100644
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@@ -2462,7 +2462,7 @@ static const char *tls_error_hint(void)
}
/* HTTP callback function that supports TLS connection also via HTTPS proxy */
-BIO *app_http_tls_cb(BIO *hbio, void *arg, int connect, int detail)
+BIO *app_http_tls_cb(BIO *bio, void *arg, int connect, int detail)
{
if (connect && detail) { /* connecting with TLS */
APP_HTTP_TLS_INFO *info = (APP_HTTP_TLS_INFO *)arg;
@@ -2471,7 +2471,7 @@ BIO *app_http_tls_cb(BIO *hbio, void *arg, int connect,
int detail)
BIO *sbio = NULL;
if ((info->use_proxy
- && !OSSL_HTTP_proxy_connect(hbio, info->server, info->port,
+ && !OSSL_HTTP_proxy_connect(bio, info->server, info->port,
NULL, NULL, /* no proxy credentials */
info->timeout, bio_err,
opt_getprog()))
|| (sbio = BIO_new(BIO_f_ssl())) == NULL) {
@@ -2487,18 +2487,25 @@ BIO *app_http_tls_cb(BIO *hbio, void *arg, int connect,
int detail)
SSL_set_connect_state(ssl);
BIO_set_ssl(sbio, ssl, BIO_CLOSE);
-hbio = BIO_push(sbio, hbio);
-} else if (!connect && !detail) { /* disconnecting after error */
-const char *hint = tls_error_hint();
-
-if (hint != NULL)
-ERR_add_error_data(2, " : ", hint);
-/*
- * If we pop sbio and BIO_free() it this may lead to libssl double
free.
- * Rely on BIO_free_all() done by OSSL_HTTP_transfer() in http_client.c
- */
+bio = BIO_push(sbio, bio);
}
-return hbio;
+if (!connect) {
+const char *hint;
+BIO *cbio;
+
+if (!detail) { /* disconnecting after error */
+hint = tls_error_hint();
+if (hint != NULL)
+ERR_add_error_data(2, " : ", hint);
+}
+(void)ERR_set_mark();
+BIO_ssl_shutdown(bio);
+cbio = BIO_pop(bio); /* connect+HTTP BIO */
+BIO_free(bio); /* SSL BIO */
+(void)ERR_pop_to_mark(); /* hide SSL_R_READ_BIO_NOT_SET etc. */
+bio = cbio;
+}
+return bio;
}
void APP_HTTP_TLS_INFO_free(APP_HTTP_TLS_INFO *info)
diff --git a/crypto/http/http_client.c b/crypto/http/http_client.c
index ef0114240b..f786f831bf 100644
--- a/crypto/http/http_client.c
+++ b/crypto/http/http_client.c
@@ -1196,11 +1196,17 @@ BIO *OSSL_HTTP_transfer(OSSL_HTTP_REQ_CTX **prctx,
int OSSL_HTTP_close(OSSL_HTTP_REQ_CTX *rctx, int ok)
{
+BIO *wbio;
int ret = 1;
-/* callback can be used to clean up TLS session on disconnect */
-if (rctx != NULL && rctx->upd_fn != NULL)
-ret = (*rctx->upd_fn)(rctx->wbio, rctx->upd_arg, 0, ok) != NULL;
+/* callback can be used to finish TLS session and free its BIO */
+if (rctx != NULL && rctx->upd_fn != NULL) {
+wbio = (*rctx->upd_fn)(rctx->wbio, rctx->upd_arg,
+ 0 /* disconnect */, ok);
+ret = wbio != NULL;
+if (ret)
+rctx->wbio = wbio;
+}
OSSL_HTTP_REQ_CTX_free(rctx);
return ret;
}
diff --git a/doc/man3/OSSL_HTTP_transfer.pod b/doc/man3/OSSL_HTTP_transfer.pod
index 7fcd71dbe0..7e823db3ea 100644
--- a/doc/man3/OSSL_HTTP_transfer.pod
+++ b/doc/man3/OSSL_HTTP_transfer.pod
@@ -113,17 +113,25 @@ or NULL to indicate failure, in which case it should not
modify the BIO.
Here is a simple example that supports TLS connections (but not via a proxy):
- BIO *http_tls_cb(BIO *hbio, void *arg, int connect, int detail)
+ BIO *http_tls_cb(BIO *bio, void *arg, int connect, int detail)
{
if (connect && detail) { /* connecting with TLS */
SSL_CTX *ctx = (SSL_CTX *)arg;
BIO *sbio = BIO_new_ssl(ctx, 1);
- hbio = sbio != NULL ? BIO_push(sbio, hbio) : NULL;
- } else if (!connect && !detail) { /* disconnecting after error */
- /* optionally add
