-
Notifications
You must be signed in to change notification settings - Fork 171
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
make cert/crl/name/attr/revoked/ext/extfactory shareable when frozen #816
base: master
Are you sure you want to change the base?
Conversation
These classes need more careful review of each OpenSSL function. I haven't reviewed enough, but I can spot a few issues:
|
3fe1135
to
990b1d2
Compare
Added frozen check for the mentioned functions in ossl_x509cert.c.
Indeed. Zooming out a bit, perhaps we're better off just ensuring "shareable-when-frozen" only for certificates and crls? The whole point of the other objects is to use them to modify certs/crls via the setter methods that are now frozen-checked, so there doesn't seem to be a real usage for them outside of that use-case. LMK what you think. |
I have not reviewed other methods. Please check the manpage of each function and the implementation if necessary, as there are so many edge cases in OpenSSL. Not having "set" or "add" in a function name doesn't necessarily mean it is completely read-only.
I don't agree it's the whole point, except for |
990b1d2
to
4c72db5
Compare
Checked all openssl methods used in ossl_x509cert.c as well as ossl_x509crl.c , and found one method requiring frozen check (since fixed). Everything else seems to be safe (internal pointers, should not be freed by caller). Couldn't find documentation nor implementation for |
4c72db5
to
c4d6be6
Compare
@rhenium I reviewed the documentation of the remainder of openssl functions used in the scope of these attributes, and while I tweaked/removed some of the previous additions, didn't spot anything particularly dangerous about the assumptions. Implementations may hide some details, but I'm a bit out of my depth navigating openssl code to judge that. But the Name#to_der example you referred to, assuming you mean that it's unsafe due to the |
What's really annoying is that OpenSSL's man pages often don't go so much into details. I checked about the subject and issuer name in certificates. Some part of Please note that |
Looking at your last comment, I believe we could go with the following compromise:
WDYT? |
c4d6be6
to
6c1013d
Compare
removed |
Implementations for However, as I mentioned earlier, making them shareable isn't a prerequisite for making
The requirement is that it's not possible to trigger any C undefined behavior from Ruby. Unsafe getters may exist too (e.g., Allowing objects to become shareable when its
#817 was an attempt to solve the problem I mentioned in #803 (comment), which turned out to be unfixable with OpenSSL <= 1.1.1 or LibreSSL. Since it didn't work, we'll depend on |
Also,
|
6c1013d
to
3481a40
Compare
For certificates, this function seems to be in use, which seems safe. As you mentioned,
fixed, good catch.
Indeed, overlooked marking the setters. fixed that as well, let me know if it's good. |
Considering we're discussing the semantics of freezing Certs/CRLs here.