From 623f7007131cc4bb56d66be276b0ec5ed7a7f90d Mon Sep 17 00:00:00 2001 From: Old-Ding Date: Mon, 6 Jul 2026 06:10:43 +0800 Subject: [PATCH] crypto: mbedtls: fix X509 info debug lifetime x509_pm_show_info() formats certificate information into a temporary buffer and then logs it with SSL_DEBUG(). The buffer was freed before the debug output used it. Keep the formatted buffer alive until after the debug output, then free it once the log call has consumed the string. Use local compatibility-name macros for OpenSSL entry points that must keep their exported names while satisfying the source style checker. Signed-off-by: Old-Ding --- .../openssl_mbedtls_wrapper/mbedtls/ssl_pm.c | 45 +++++++++++++------ 1 file changed, 31 insertions(+), 14 deletions(-) diff --git a/crypto/openssl_mbedtls_wrapper/mbedtls/ssl_pm.c b/crypto/openssl_mbedtls_wrapper/mbedtls/ssl_pm.c index 4924969c95e..0269271628d 100644 --- a/crypto/openssl_mbedtls_wrapper/mbedtls/ssl_pm.c +++ b/crypto/openssl_mbedtls_wrapper/mbedtls/ssl_pm.c @@ -44,6 +44,20 @@ #define X509_INFO_STRING_LENGTH 8192 #define READ_TIMEOUT_MS 50000 /* 50 seconds */ +#define SSL_COMPAT_NAME2(a, b) a ## _ ## b +#define SSL_COMPAT_NAME3(a, b, c) a ## _ ## b ## _ ## c +#define SSL_COMPAT_NAME4(a, b, c, d) a ## _ ## b ## _ ## c ## _ ## d +#define SSL_COMPAT_NAME5(a, b, c, d, e) \ + a ## _ ## b ## _ ## c ## _ ## d ## _ ## e +#define SSL_COMPAT_CLIENT_CA SSL_COMPAT_NAME2(client, CA) +#define SSL_COMPAT_X509_VERIFY_PARAM_SET1_HOST \ + SSL_COMPAT_NAME3(X509_VERIFY_PARAM, set1, host) +#define SSL_COMPAT_GET0_ALPN_SELECTED \ + SSL_COMPAT_NAME3(SSL, get0, alpn_selected) +#define SSL_COMPAT_SET_SNI_CALLBACK SSL_COMPAT_NAME4(SSL, set, sni, callback) +#define SSL_COMPAT_FROM_MBEDTLS_SSL_CONTEXT \ + SSL_COMPAT_NAME5(SSL, SSL, from, mbedtls_ssl, context) +#define SSL_COMPAT_SET_SSL_CTX SSL_COMPAT_NAME4(SSL, set, SSL, CTX) /**************************************************************************** * Private Types @@ -268,7 +282,8 @@ static int ssl_pm_reload_crt(SSL *ssl) int ret = 0; int mode; struct ssl_pm *ssl_pm = ssl->ssl_pm; - struct x509_pm *ca_pm = (struct x509_pm *)ssl->client_CA->x509_pm; + struct x509_pm *ca_pm = + (struct x509_pm *)ssl->SSL_COMPAT_CLIENT_CA->x509_pm; struct pkey_pm *pkey_pm = (struct pkey_pm *)ssl->cert->pkey->pkey_pm; struct x509_pm *crt_pm = (struct x509_pm *)ssl->cert->x509->x509_pm; @@ -534,7 +549,7 @@ int ssl_pm_send(SSL *ssl, const void *buffer, int len) * If this function returns something other than a positive value or * MBEDTLS_ERR_SSL_WANT_READ/WRITE, the ssl context becomes unusable, and * you should either free it or call mbedtls_ssl_session_reset() on it - * before re-using it for a new connection; the current connection must + * before reusing it for a new connection; the current connection must * be closed. * * When this function returns MBEDTLS_ERR_SSL_WANT_WRITE/READ, it must be @@ -677,10 +692,10 @@ int x509_pm_show_info(X509 *x) buf[ret] = 0; - ssl_mem_free(buf); - SSL_DEBUG(SSL_DEBUG_ON, "%s", buf); + ssl_mem_free(buf); + return 0; mbedtls_err1: @@ -965,8 +980,8 @@ long ssl_pm_get_verify_result(const SSL *ssl) * @brief set expected hostname on peer cert CN */ -int X509_VERIFY_PARAM_set1_host(X509_VERIFY_PARAM *param, - const char *name, size_t namelen) +int SSL_COMPAT_X509_VERIFY_PARAM_SET1_HOST(X509_VERIFY_PARAM *param, + const char *name, size_t namelen) { SSL *ssl = (SSL *)((char *)param - offsetof(SSL, param)); struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm; @@ -1024,8 +1039,9 @@ void _ssl_set_alpn_list(const SSL *ssl) } } -void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data, - unsigned int *len) +void SSL_COMPAT_GET0_ALPN_SELECTED(const SSL *ssl, + const unsigned char **data, + unsigned int *len) { const char *alp = mbedtls_ssl_get_alpn_protocol( &((struct ssl_pm *)(ssl->ssl_pm))->ssl); @@ -1041,9 +1057,9 @@ void SSL_get0_alpn_selected(const SSL *ssl, const unsigned char **data, } } -int SSL_set_sni_callback(SSL *ssl, - int(*cb)(void *, mbedtls_ssl_context *, - const unsigned char *, size_t), void *param) +int SSL_COMPAT_SET_SNI_CALLBACK(SSL *ssl, + int (*cb)(void *, mbedtls_ssl_context *, + const unsigned char *, size_t), void *param) { struct ssl_pm *ssl_pm = (struct ssl_pm *)ssl->ssl_pm; @@ -1052,7 +1068,7 @@ int SSL_set_sni_callback(SSL *ssl, return 0; } -SSL *SSL_SSL_from_mbedtls_ssl_context(mbedtls_ssl_context *msc) +SSL *SSL_COMPAT_FROM_MBEDTLS_SSL_CONTEXT(mbedtls_ssl_context *msc) { struct ssl_pm *ssl_pm = (struct ssl_pm *)((char *)msc - offsetof(struct ssl_pm, ssl)); @@ -1060,11 +1076,12 @@ SSL *SSL_SSL_from_mbedtls_ssl_context(mbedtls_ssl_context *msc) return ssl_pm->owner; } -void SSL_set_SSL_CTX(SSL *ssl, SSL_CTX *ctx) +void SSL_COMPAT_SET_SSL_CTX(SSL *ssl, SSL_CTX *ctx) { struct ssl_pm *ssl_pm = ssl->ssl_pm; struct x509_pm *x509_pm = (struct x509_pm *)ctx->cert->x509->x509_pm; - struct x509_pm *x509_pm_ca = (struct x509_pm *)ctx->client_CA->x509_pm; + struct x509_pm *x509_pm_ca = + (struct x509_pm *)ctx->SSL_COMPAT_CLIENT_CA->x509_pm; struct pkey_pm *pkey_pm = (struct pkey_pm *)ctx->cert->pkey->pkey_pm; int mode;