
SSL_get_tlsext_status_ocsp_resp expects pointer to non-const pointer #3477

Closed
pps83 opened this issue Jan 15, 2019 · 2 comments
@pps83
Contributor

pps83 commented Jan 15, 2019

vtsls/openssl.c:

const unsigned char *p;
...
long len = SSL_get_tlsext_status_ocsp_resp(BACKEND->handle, &p);

However, SSL_get_tlsext_status_ocsp_resp is declared as long SSL_get_tlsext_status_ocsp_resp(ssl, unsigned char **resp);

SSL_get_tlsext_status_ocsp_resp is preprocessed into a call to long SSL_ctrl(SSL *ssl, int cmd, long larg, void *parg); where parg is the last p argument. Effectively, const gets lost if const unsigned char** gets converted to void*. In the MS compiler that results in a compilation error.
If I change the declaration to unsigned char *p; then it fails to compile on Linux a few lines below:

openssl.c:1712:33: error: passing 'unsigned char **' to parameter of type 'const unsigned char **' discards qualifiers in nested pointer types

const unsigned char *p;
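As an added example (not curl's or OpenSSL's code; fake_ssl, fake_ctrl, fake_get_ocsp_resp, toy_d2i and the sample bytes are assumptions made for this illustration), here is a small C model of the situation described above: a ctrl-style entry point takes void *, writes a non-const pointer through it, and a d2i-style decoder wants a const cursor it can advance. The two-pointer pattern that the patch in this thread uses keeps both sides type-correct:

```c
#include <stddef.h>
#include <string.h>

/* Added example (hypothetical names): models the SSL_ctrl-style
 * out-parameter from the issue, not the real OpenSSL implementation. */

/* A fake session holding a stapled response buffer, standing in for SSL. */
typedef struct {
    unsigned char *ocsp_resp;   /* owned by the session, non-const */
    long ocsp_resplen;
} fake_ssl;

#define FAKE_CTRL_GET_OCSP 1

/* Generic ctrl entry point: parg is void *, so the pointer type the API
 * actually writes through it is invisible at the call site. The API writes
 * an unsigned char *, which is why the prototype is unsigned char ** and
 * why the caller's variable should match it. */
static long fake_ctrl(fake_ssl *s, int cmd, long larg, void *parg)
{
    (void)larg;
    if (cmd == FAKE_CTRL_GET_OCSP) {
        *(unsigned char **)parg = s->ocsp_resp;
        return s->ocsp_resplen;
    }
    return -1;
}

/* Macro wrapper, mirroring how the real accessor expands to a ctrl call. */
#define fake_get_ocsp_resp(s, pp) fake_ctrl((s), FAKE_CTRL_GET_OCSP, 0, (pp))

/* A d2i-style decoder: takes a const pointer-to-pointer and advances it past
 * the bytes it consumed, like d2i_OCSP_RESPONSE. It "decodes" a constructed
 * 2-byte big-endian length prefix plus payload; returns payload length or -1. */
static long toy_d2i(const unsigned char **pp, long len, const unsigned char **payload)
{
    const unsigned char *p = *pp;
    long n;
    if (len < 2)
        return -1;
    n = ((long)p[0] << 8) | p[1];
    if (n > len - 2)
        return -1;                  /* length prefix exceeds the buffer */
    *payload = p + 2;
    *pp = p + 2 + n;                /* advance the caller's cursor */
    return n;
}

/* The curl-style pattern: non-const `status` receives the API's pointer; a
 * separate const `p` is the cursor the decoder is allowed to advance. */
static long verify_status_pattern(fake_ssl *s, long *consumed)
{
    unsigned char *status;          /* matches the API's unsigned char ** */
    const unsigned char *p;         /* const cursor for the decoder */
    const unsigned char *payload;
    long len, n;

    len = fake_get_ocsp_resp(s, &status);
    if (!status)
        return -1;                  /* "No OCSP response received" */
    p = status;                     /* adding const here is implicit and legal */
    n = toy_d2i(&p, len, &payload);
    if (n < 0)
        return -2;                  /* "Invalid OCSP response" */
    *consumed = (long)(p - status); /* status still points at the buffer start */
    return n;
}

/* Constructed sample: prefix 0x0003 followed by three payload bytes. */
static unsigned char sample_resp[] = { 0x00, 0x03, 'o', 'c', 's' };

static long run_sample(long *consumed)
{
    fake_ssl s = { sample_resp, (long)sizeof sample_resp };
    return verify_status_pattern(&s, consumed);
}

static long run_empty(long *consumed)
{
    fake_ssl s = { NULL, -1 };      /* no stapled response */
    return verify_status_pattern(&s, consumed);
}
```

The point of keeping two variables is that each one has exactly the type its consumer requires: the ctrl call gets an unsigned char ** and never sees a qualifier it cannot represent through void *, while the decoder gets a const cursor and cannot write into the session's buffer. The untouched base pointer also lets the caller compute how many bytes the decoder consumed.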

@bagder
Member

bagder commented Jan 15, 2019

How about this?

diff --git a/lib/vtls/openssl.c b/lib/vtls/openssl.c
index 45e72d6a3..9d11b89e5 100644
--- a/lib/vtls/openssl.c
+++ b/lib/vtls/openssl.c
@@ -1690,27 +1690,28 @@ static CURLcode verifyhost(struct connectdata *conn, X509 *server_cert)
     !defined(OPENSSL_NO_OCSP)
 static CURLcode verifystatus(struct connectdata *conn,
                              struct ssl_connect_data *connssl)
 {
   int i, ocsp_status;
+  unsigned char *status;
   const unsigned char *p;
   CURLcode result = CURLE_OK;
   struct Curl_easy *data = conn->data;
 
   OCSP_RESPONSE *rsp = NULL;
   OCSP_BASICRESP *br = NULL;
   X509_STORE     *st = NULL;
   STACK_OF(X509) *ch = NULL;
 
-  long len = SSL_get_tlsext_status_ocsp_resp(BACKEND->handle, &p);
+  long len = SSL_get_tlsext_status_ocsp_resp(BACKEND->handle, &status);
 
-  if(!p) {
+  if(!status) {
     failf(data, "No OCSP response received");
     result = CURLE_SSL_INVALIDCERTSTATUS;
     goto end;
   }
-
+  p = status;
   rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
   if(!rsp) {
     failf(data, "Invalid OCSP response");
     result = CURLE_SSL_INVALIDCERTSTATUS;
     goto end;
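Review bot: the `p = status;` assignment is correct (converting unsigned char * to const unsigned char * is an implicit, qualifier-adding conversion) and keeping `status` untouched while d2i_OCSP_RESPONSE advances `p` is the right split, but the hunk replaces the blank line after the `if(!status)` block with the assignment rather than keeping it; consider restoring the blank line and adding a one-line comment such as `/* status: pointer as returned by OpenSSL; p: const cursor advanced by d2i */` so a later reader does not collapse the two variables back into one and reintroduce the const mismatch this issue reports.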

@bagder bagder added the TLS label Jan 15, 2019
bagder added a commit that referenced this issue Jan 15, 2019
.... to not pass in a const in the second argument as that's not how it
is supposed to be used and might cause compiler warnings.

Reported-by: Pavel Pavlov
Fixes #3477
@pps83
Contributor Author

pps83 commented Jan 15, 2019

yes, this will work

@pps83 pps83 closed this as completed Jan 15, 2019
bagder added a commit that referenced this issue Jan 16, 2019
.... to not pass in a const in the second argument as that's not how it
is supposed to be used and might cause compiler warnings.

Reported-by: Pavel Pavlov
Fixes #3477
Closes #3478
@lock lock bot locked as resolved and limited conversation to collaborators Apr 16, 2019