Fix SSL_CTX client_CA list locking.
ctx->cached_x509_client_CA needs to be protected under a lock since SSL_CTX_get_client_CA_list is a logically const operation. The fallback in SSL_get_client_CA_list was not using this lock. Change-Id: I2431218492d1a853cc1a59c0678b0b50cd9beab2 Reviewed-on: https://boringssl-review.googlesource.com/19765 Reviewed-by: Steven Valdez <svaldez@google.com> Commit-Queue: David Benjamin <davidben@google.com> CQ-Verified: CQ bot account: commit-bot@chromium.org <commit-bot@chromium.org>
This commit is contained in:
parent
c79ae7aa8b
commit
66d49b4952
@ -1158,12 +1158,13 @@ STACK_OF(X509_NAME) *SSL_get_client_CA_list(const SSL *ssl) {
|
|||||||
return buffer_names_to_x509(
|
return buffer_names_to_x509(
|
||||||
ssl->client_CA, (STACK_OF(X509_NAME) **)&ssl->cached_x509_client_CA);
|
ssl->client_CA, (STACK_OF(X509_NAME) **)&ssl->cached_x509_client_CA);
|
||||||
}
|
}
|
||||||
return buffer_names_to_x509(ssl->ctx->client_CA,
|
return SSL_CTX_get_client_CA_list(ssl->ctx);
|
||||||
&ssl->ctx->cached_x509_client_CA);
|
|
||||||
}
|
}
|
||||||
|
|
||||||
STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx) {
|
STACK_OF(X509_NAME) *SSL_CTX_get_client_CA_list(const SSL_CTX *ctx) {
|
||||||
check_ssl_ctx_x509_method(ctx);
|
check_ssl_ctx_x509_method(ctx);
|
||||||
|
/* This is a logically const operation that may be called on multiple threads,
|
||||||
|
* so it needs to lock around updating |cached_x509_client_CA|. */
|
||||||
CRYPTO_MUTEX_lock_write((CRYPTO_MUTEX *) &ctx->lock);
|
CRYPTO_MUTEX_lock_write((CRYPTO_MUTEX *) &ctx->lock);
|
||||||
STACK_OF(X509_NAME) *ret = buffer_names_to_x509(
|
STACK_OF(X509_NAME) *ret = buffer_names_to_x509(
|
||||||
ctx->client_CA, (STACK_OF(X509_NAME) **)&ctx->cached_x509_client_CA);
|
ctx->client_CA, (STACK_OF(X509_NAME) **)&ctx->cached_x509_client_CA);
|
||||||
|
Loading…
Reference in New Issue
Block a user