authorShane Lontis <shane.lontis@oracle.com>2020-07-24 22:53:27 +1000
committerShane Lontis <shane.lontis@oracle.com>2020-07-24 22:53:27 +1000
commit6725682d77510bf6d499957897d7be124d603f40 (patch)
tree447e5bce5607b4873f7f018df1b2e4c21a394e92 /crypto
parentae89578be2930c726d6ef56451233757a89f224f (diff)
Add X509 related libctx changes.
- In order to not add many X509_XXXX_with_libctx() functions, the libctx and propq may be stored in the X509 object via a call to X509_new_with_libctx(). - Loading via PEM_read_bio_X509() or d2i_X509() should pass in a cert created using X509_new_with_libctx(). - Renamed some XXXX_ex() to XXX_with_libctx() for X509 APIs. - Removed the extra parameters in check_purpose. - X509_digest() has been modified so that it expects a const EVP_MD object and then internally does the fetch when it needs to (via ASN1_item_digest_with_libctx()). - Added APIs that set the libctx when they load, such as X509_STORE_new_with_libctx(), so that the cert chains can be verified. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/12153)
Diffstat (limited to 'crypto')
-rw-r--r--crypto/asn1/a_digest.c40
-rw-r--r--crypto/ess/ess_lib.c5
-rw-r--r--crypto/pem/pem_info.c40
-rw-r--r--crypto/pem/pem_pkey.c9
-rw-r--r--crypto/store/loader_file.c98
-rw-r--r--crypto/store/store_lib.c32
-rw-r--r--crypto/store/store_local.h1
-rw-r--r--crypto/store/store_register.c1
-rw-r--r--crypto/x509/by_dir.c56
-rw-r--r--crypto/x509/by_file.c95
-rw-r--r--crypto/x509/by_store.c42
-rw-r--r--crypto/x509/v3_purp.c31
-rw-r--r--crypto/x509/x509_d2.c48
-rw-r--r--crypto/x509/x509_local.h9
-rw-r--r--crypto/x509/x509_lu.c53
-rw-r--r--crypto/x509/x509_vfy.c30
-rw-r--r--crypto/x509/x_all.c31
-rw-r--r--crypto/x509/x_x509.c31
18 files changed, 429 insertions, 223 deletions
diff --git a/crypto/asn1/a_digest.c b/crypto/asn1/a_digest.c
index caf2f6c34f..c0c1cda272 100644
--- a/crypto/asn1/a_digest.c
+++ b/crypto/asn1/a_digest.c
@@ -7,16 +7,21 @@
* https://www.openssl.org/source/license.html
*/
+/* We need to use some engine deprecated APIs */
+#define OPENSSL_SUPPRESS_DEPRECATED
+
#include <stdio.h>
#include <time.h>
#include <sys/types.h>
#include "internal/cryptlib.h"
+#include <openssl/engine.h>
#include <openssl/err.h>
#include <openssl/evp.h>
#include <openssl/buffer.h>
#include <openssl/x509.h>
+#include "crypto/x509.h"
#ifndef OPENSSL_NO_DEPRECATED_3_0
@@ -48,20 +53,39 @@ int ASN1_digest(i2d_of_void *i2d, const EVP_MD *type, char *data,
#endif
-int ASN1_item_digest(const ASN1_ITEM *it, const EVP_MD *type, void *asn,
- unsigned char *md, unsigned int *len)
+int asn1_item_digest_with_libctx(const ASN1_ITEM *it, const EVP_MD *md,
+ void *asn, unsigned char *data,
+ unsigned int *len, OPENSSL_CTX *libctx,
+ const char *propq)
{
- int i;
+ int i, ret = 0;
unsigned char *str = NULL;
+ EVP_MD *fetched_md = (EVP_MD *)md;
i = ASN1_item_i2d(asn, &str, it);
- if (!str)
+ if (str == NULL)
return 0;
- if (!EVP_Digest(str, i, md, len, type, NULL)) {
- OPENSSL_free(str);
- return 0;
+ if (EVP_MD_provider(md) == NULL) {
+#if !defined(OPENSSL_NO_ENGINE)
+ if (ENGINE_get_digest_engine(EVP_MD_type(md)) == NULL)
+#endif
+ fetched_md = EVP_MD_fetch(libctx, EVP_MD_name(md), propq);
}
+ if (fetched_md == NULL)
+ goto err;
+
+ ret = EVP_Digest(str, i, data, len, fetched_md, NULL);
+err:
OPENSSL_free(str);
- return 1;
+ if (fetched_md != md)
+ EVP_MD_free(fetched_md);
+ return ret;
}
+
+int ASN1_item_digest(const ASN1_ITEM *it, const EVP_MD *md, void *asn,
+ unsigned char *data, unsigned int *len)
+{
+ return asn1_item_digest_with_libctx(it, md, asn, data, len, NULL, NULL);
+}
+
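Review bot: The engine probe `ENGINE_get_digest_engine(EVP_MD_type(md))` discards its result after the NULL comparison; if, as its other callers in libcrypto suggest, that call hands back a functional reference that has to be released with ENGINE_finish(), every digest over a legacy EVP_MD with a registered engine will pin the engine's reference count. I would hold and release it: `ENGINE *e = ENGINE_get_digest_engine(EVP_MD_type(md)); if (e == NULL) fetched_md = EVP_MD_fetch(libctx, EVP_MD_name(md), propq); else ENGINE_finish(e);`. Separately, `EVP_MD_provider(md)` is now reached before anything checks md for NULL, whereas the old single EVP_Digest() call would have reported a missing digest as an error; an `if (md == NULL) goto err;` ahead of the provider test (str is already allocated at that point, so err frees it) preserves that. The `(EVP_MD *)md` cast strips const and is only safe because the final EVP_MD_free is skipped when fetched_md == md, which deserves a one-line comment.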
diff --git a/crypto/ess/ess_lib.c b/crypto/ess/ess_lib.c
index 4a7a2632ba..ad0d6f332c 100644
--- a/crypto/ess/ess_lib.c
+++ b/crypto/ess/ess_lib.c
@@ -12,6 +12,7 @@
#include <openssl/err.h>
#include <openssl/ess.h>
#include "crypto/ess.h"
+#include "crypto/x509.h"
DEFINE_STACK_OF(ESS_CERT_ID)
DEFINE_STACK_OF(ESS_CERT_ID_V2)
@@ -61,7 +62,7 @@ static ESS_CERT_ID *ESS_CERT_ID_new_init(X509 *cert, int issuer_needed)
unsigned char cert_sha1[SHA_DIGEST_LENGTH];
/* Call for side-effect of computing hash and caching extensions */
- if (!X509v3_cache_extensions(cert, NULL, NULL))
+ if (!x509v3_cache_extensions(cert))
return NULL;
if ((cid = ESS_CERT_ID_new()) == NULL)
@@ -304,7 +305,7 @@ int ess_find_cert(const STACK_OF(ESS_CERT_ID) *cert_ids, X509 *cert)
return -1;
/* Recompute SHA1 hash of certificate if necessary (side effect). */
- if (!X509v3_cache_extensions(cert, NULL, NULL))
+ if (!x509v3_cache_extensions(cert))
return -1;
/* TODO(3.0): fetch sha1 algorithm from providers */
diff --git a/crypto/pem/pem_info.c b/crypto/pem/pem_info.c
index f6a5dedc48..a3981c9dda 100644
--- a/crypto/pem/pem_info.c
+++ b/crypto/pem/pem_info.c
@@ -26,25 +26,35 @@
DEFINE_STACK_OF(X509_INFO)
#ifndef OPENSSL_NO_STDIO
-STACK_OF(X509_INFO) *PEM_X509_INFO_read(FILE *fp, STACK_OF(X509_INFO) *sk,
- pem_password_cb *cb, void *u)
+STACK_OF(X509_INFO)
+*PEM_X509_INFO_read_with_libctx(FILE *fp, STACK_OF(X509_INFO) *sk,
+ pem_password_cb *cb, void *u,
+ OPENSSL_CTX *libctx, const char *propq)
{
BIO *b;
STACK_OF(X509_INFO) *ret;
if ((b = BIO_new(BIO_s_file())) == NULL) {
- PEMerr(PEM_F_PEM_X509_INFO_READ, ERR_R_BUF_LIB);
+ PEMerr(0, ERR_R_BUF_LIB);
return 0;
}
BIO_set_fp(b, fp, BIO_NOCLOSE);
- ret = PEM_X509_INFO_read_bio(b, sk, cb, u);
+ ret = PEM_X509_INFO_read_bio_with_libctx(b, sk, cb, u, libctx, propq);
BIO_free(b);
return ret;
}
+
+STACK_OF(X509_INFO) *PEM_X509_INFO_read(FILE *fp, STACK_OF(X509_INFO) *sk,
+ pem_password_cb *cb, void *u)
+{
+ return PEM_X509_INFO_read_with_libctx(fp, sk, cb, u, NULL, NULL);
+}
#endif
-STACK_OF(X509_INFO) *PEM_X509_INFO_read_bio(BIO *bp, STACK_OF(X509_INFO) *sk,
- pem_password_cb *cb, void *u)
+STACK_OF(X509_INFO)
+*PEM_X509_INFO_read_bio_with_libctx(BIO *bp, STACK_OF(X509_INFO) *sk,
+ pem_password_cb *cb, void *u,
+ OPENSSL_CTX *libctx, const char *propq)
{
X509_INFO *xi = NULL;
char *name = NULL, *header = NULL;
@@ -59,7 +69,7 @@ STACK_OF(X509_INFO) *PEM_X509_INFO_read_bio(BIO *bp, STACK_OF(X509_INFO) *sk,
if (sk == NULL) {
if ((ret = sk_X509_INFO_new_null()) == NULL) {
- PEMerr(PEM_F_PEM_X509_INFO_READ_BIO, ERR_R_MALLOC_FAILURE);
+ PEMerr(0, ERR_R_MALLOC_FAILURE);
goto err;
}
} else
@@ -90,6 +100,9 @@ STACK_OF(X509_INFO) *PEM_X509_INFO_read_bio(BIO *bp, STACK_OF(X509_INFO) *sk,
goto err;
goto start;
}
+ xi->x509 = X509_new_with_libctx(libctx, propq);
+ if (xi->x509 == NULL)
+ goto err;
pp = &(xi->x509);
} else if ((strcmp(name, PEM_STRING_X509_TRUSTED) == 0)) {
d2i = (D2I_OF(void)) d2i_X509_AUX;
@@ -100,6 +113,9 @@ STACK_OF(X509_INFO) *PEM_X509_INFO_read_bio(BIO *bp, STACK_OF(X509_INFO) *sk,
goto err;
goto start;
}
+ xi->x509 = X509_new_with_libctx(libctx, propq);
+ if (xi->x509 == NULL)
+ goto err;
pp = &(xi->x509);
} else if (strcmp(name, PEM_STRING_X509_CRL) == 0) {
d2i = (D2I_OF(void)) d2i_X509_CRL;
@@ -197,11 +213,11 @@ STACK_OF(X509_INFO) *PEM_X509_INFO_read_bio(BIO *bp, STACK_OF(X509_INFO) *sk,
p = data;
if (ptype) {
if (!d2i_PrivateKey(ptype, pp, &p, len)) {
- PEMerr(PEM_F_PEM_X509_INFO_READ_BIO, ERR_R_ASN1_LIB);
+ PEMerr(0, ERR_R_ASN1_LIB);
goto err;
}
} else if (d2i(pp, &p, len) == NULL) {
- PEMerr(PEM_F_PEM_X509_INFO_READ_BIO, ERR_R_ASN1_LIB);
+ PEMerr(0, ERR_R_ASN1_LIB);
goto err;
}
} else { /* encrypted RSA data */
@@ -251,6 +267,12 @@ STACK_OF(X509_INFO) *PEM_X509_INFO_read_bio(BIO *bp, STACK_OF(X509_INFO) *sk,
return ret;
}
+STACK_OF(X509_INFO) *PEM_X509_INFO_read_bio(BIO *bp, STACK_OF(X509_INFO) *sk,
+ pem_password_cb *cb, void *u)
+{
+ return PEM_X509_INFO_read_bio_with_libctx(bp, sk, cb, u, NULL, NULL);
+}
+
/* A TJH addition */
int PEM_X509_INFO_write_bio(BIO *bp, const X509_INFO *xi, EVP_CIPHER *enc,
const unsigned char *kstr, int klen,
diff --git a/crypto/pem/pem_pkey.c b/crypto/pem/pem_pkey.c
index ee9b6764a6..c60eed97c0 100644
--- a/crypto/pem/pem_pkey.c
+++ b/crypto/pem/pem_pkey.c
@@ -39,7 +39,7 @@ EVP_PKEY *PEM_read_bio_PrivateKey_ex(BIO *bp, EVP_PKEY **x, pem_password_cb *cb,
if ((ui_method = UI_UTIL_wrap_read_pem_callback(cb, 0)) == NULL)
return NULL;
- if ((ctx = OSSL_STORE_attach(bp, libctx, "file", propq, ui_method, u,
+ if ((ctx = OSSL_STORE_attach(bp, "file", libctx, propq, ui_method, u,
NULL, NULL)) == NULL)
goto err;
#ifndef OPENSSL_NO_SECURE_HEAP
@@ -50,7 +50,8 @@ EVP_PKEY *PEM_read_bio_PrivateKey_ex(BIO *bp, EVP_PKEY **x, pem_password_cb *cb,
}
#endif
- while (!OSSL_STORE_eof(ctx) && (info = OSSL_STORE_load(ctx)) != NULL) {
+ while (!OSSL_STORE_eof(ctx)
+ && (info = OSSL_STORE_load(ctx)) != NULL) {
if (OSSL_STORE_INFO_get_type(info) == OSSL_STORE_INFO_PKEY) {
ret = OSSL_STORE_INFO_get1_PKEY(info);
break;
@@ -106,7 +107,7 @@ EVP_PKEY *PEM_read_bio_Parameters(BIO *bp, EVP_PKEY **x)
OSSL_STORE_CTX *ctx = NULL;
OSSL_STORE_INFO *info = NULL;
- if ((ctx = OSSL_STORE_attach(bp, NULL, "file", NULL, UI_null(), NULL,
+ if ((ctx = OSSL_STORE_attach(bp, "file", NULL, NULL, UI_null(), NULL,
NULL, NULL)) == NULL)
goto err;
@@ -201,7 +202,7 @@ DH *PEM_read_bio_DHparams(BIO *bp, DH **x, pem_password_cb *cb, void *u)
if ((ui_method = UI_UTIL_wrap_read_pem_callback(cb, 0)) == NULL)
return NULL;
- if ((ctx = OSSL_STORE_attach(bp, NULL, "file", NULL, ui_method, u,
+ if ((ctx = OSSL_STORE_attach(bp, "file", NULL, NULL, ui_method, u,
NULL, NULL)) == NULL)
goto err;
diff --git a/crypto/store/loader_file.c b/crypto/store/loader_file.c
index 30f4e6ecaf..5ff93e33ab 100644
--- a/crypto/store/loader_file.c
+++ b/crypto/store/loader_file.c
@@ -693,8 +693,12 @@ static OSSL_STORE_INFO *try_decode_X509Certificate(const char *pem_name,
*matchcount = 1;
}
- if ((cert = d2i_X509_AUX(NULL, &blob, len)) != NULL
- || (ignore_trusted && (cert = d2i_X509(NULL, &blob, len)) != NULL)) {
+ cert = X509_new_with_libctx(libctx, propq);
+ if (cert == NULL)
+ return NULL;
+
+ if ((d2i_X509_AUX(&cert, &blob, len)) != NULL
+ || (ignore_trusted && (d2i_X509(&cert, &blob, len)) != NULL)) {
*matchcount = 1;
store_info = OSSL_STORE_INFO_new_CERT(cert);
}
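Review bot: The fallback `d2i_X509(&cert, &blob, len)` operates on whatever the failed `d2i_X509_AUX()` left in cert, and as far as I can tell the ASN.1 decoder frees and NULLs a caller-supplied object when the decode fails, so on the ignore_trusted path cert is most likely NULL by then and d2i_X509() allocates a plain X509 with no libctx/propq — the very case this commit is trying to cover. The object should be re-created before the second attempt, and an explicit success flag is needed because d2i_X509_AUX() can also fail while leaving cert allocated (its own AUX-decoding error path), in which case cert must be freed somewhere; this hunk does not show what happens to it. try_decode_X509Certificate starts before the hunk, so the new local would go with its other declarations.
```c
/* … unchanged: earlier part of try_decode_X509Certificate (add `int ok;` to its locals) … */
    cert = X509_new_with_libctx(libctx, propq);
    if (cert == NULL)
        return NULL;

    ok = d2i_X509_AUX(&cert, &blob, len) != NULL;
    if (!ok && ignore_trusted) {
        /*
         * A failed decode may already have freed and NULLed cert; re-create
         * it so the fallback decode also carries libctx/propq.
         */
        if (cert == NULL)
            cert = X509_new_with_libctx(libctx, propq);
        ok = cert != NULL && d2i_X509(&cert, &blob, len) != NULL;
    }
    if (ok) {
        *matchcount = 1;
        store_info = OSSL_STORE_INFO_new_CERT(cert);
    }
/* … unchanged: remainder of the function (must free cert when !ok and cert != NULL) … */
```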
@@ -813,7 +817,6 @@ struct ossl_store_loader_ctx_st {
/* Expected object type. May be unspecified */
int expected_type;
-
OPENSSL_CTX *libctx;
char *propq;
};
@@ -823,6 +826,7 @@ static void OSSL_STORE_LOADER_CTX_free(OSSL_STORE_LOADER_CTX *ctx)
if (ctx == NULL)
return;
+ OPENSSL_free(ctx->propq);
OPENSSL_free(ctx->uri);
if (ctx->type != is_dir) {
if (ctx->_.file.last_handler != NULL) {
@@ -831,7 +835,6 @@ static void OSSL_STORE_LOADER_CTX_free(OSSL_STORE_LOADER_CTX *ctx)
ctx->_.file.last_handler = NULL;
}
}
- OPENSSL_free(ctx->propq);
OPENSSL_free(ctx);
}
@@ -852,10 +855,10 @@ static int file_find_type(OSSL_STORE_LOADER_CTX *ctx)
return 1;
}
-static OSSL_STORE_LOADER_CTX *file_open(const OSSL_STORE_LOADER *loader,
- const char *uri,
- const UI_METHOD *ui_method,
- void *ui_data)
+static OSSL_STORE_LOADER_CTX *file_open_with_libctx
+ (const OSSL_STORE_LOADER *loader, const char *uri,
+ OPENSSL_CTX *libctx, const char *propq,
+ const UI_METHOD *ui_method, void *ui_data)
{
OSSL_STORE_LOADER_CTX *ctx = NULL;
struct stat st;
@@ -888,8 +891,7 @@ static OSSL_STORE_LOADER_CTX *file_open(const OSSL_STORE_LOADER *loader,
} else if (uri[7] == '/') {
p = &uri[7];
} else {
- OSSL_STOREerr(OSSL_STORE_F_FILE_OPEN,
- OSSL_STORE_R_URI_AUTHORITY_UNSUPPORTED);
+ OSSL_STOREerr(0, OSSL_STORE_R_URI_AUTHORITY_UNSUPPORTED);
return NULL;
}
}
@@ -917,8 +919,7 @@ static OSSL_STORE_LOADER_CTX *file_open(const OSSL_STORE_LOADER *loader,
* be absolute. So says RFC 8089
*/
if (path_data[i].check_absolute && path_data[i].path[0] != '/') {
- OSSL_STOREerr(OSSL_STORE_F_FILE_OPEN,
- OSSL_STORE_R_PATH_MUST_BE_ABSOLUTE);
+ OSSL_STOREerr(0, OSSL_STORE_R_PATH_MUST_BE_ABSOLUTE);
ERR_add_error_data(1, path_data[i].path);
return NULL;
}
@@ -940,12 +941,12 @@ static OSSL_STORE_LOADER_CTX *file_open(const OSSL_STORE_LOADER *loader,
ctx = OPENSSL_zalloc(sizeof(*ctx));
if (ctx == NULL) {
- OSSL_STOREerr(OSSL_STORE_F_FILE_OPEN, ERR_R_MALLOC_FAILURE);
+ OSSL_STOREerr(0, ERR_R_MALLOC_FAILURE);
return NULL;
}
ctx->uri = OPENSSL_strdup(uri);
if (ctx->uri == NULL) {
- OSSL_STOREerr(OSSL_STORE_F_FILE_OPEN, ERR_R_MALLOC_FAILURE);
+ OSSL_STOREerr(0, ERR_R_MALLOC_FAILURE);
goto err;
}
@@ -956,7 +957,7 @@ static OSSL_STORE_LOADER_CTX *file_open(const OSSL_STORE_LOADER *loader,
if (ctx->_.dir.last_entry == NULL) {
if (ctx->_.dir.last_errno != 0) {
char errbuf[256];
- OSSL_STOREerr(OSSL_STORE_F_FILE_OPEN, ERR_R_SYS_LIB);
+ OSSL_STOREerr(0, ERR_R_SYS_LIB);
errno = ctx->_.dir.last_errno;
if (openssl_strerror_r(errno, errbuf, sizeof(errbuf)))
ERR_add_error_data(1, errbuf);
@@ -969,6 +970,14 @@ static OSSL_STORE_LOADER_CTX *file_open(const OSSL_STORE_LOADER *loader,
BIO_free_all(ctx->_.file.file);
goto err;
}
+ if (propq != NULL) {
+ ctx->propq = OPENSSL_strdup(propq);
+ if (ctx->propq == NULL) {
+ OSSL_STOREerr(0, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+ }
+ ctx->libctx = libctx;
return ctx;
err:
@@ -976,32 +985,44 @@ static OSSL_STORE_LOADER_CTX *file_open(const OSSL_STORE_LOADER *loader,
return NULL;
}
-static OSSL_STORE_LOADER_CTX *file_attach(const OSSL_STORE_LOADER *loader,
- BIO *bp, OPENSSL_CTX *libctx,
- const char *propq,
- const UI_METHOD *ui_method,
- void *ui_data)
+static OSSL_STORE_LOADER_CTX *file_open
+ (const OSSL_STORE_LOADER *loader, const char *uri,
+ const UI_METHOD *ui_method, void *ui_data)
{
- OSSL_STORE_LOADER_CTX *ctx;
+ return file_open_with_libctx(loader, uri, NULL, NULL, ui_method, ui_data);
+}
- if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) == NULL
- || (propq != NULL && (ctx->propq = OPENSSL_strdup(propq)) == NULL)) {
- OSSL_STOREerr(OSSL_STORE_F_FILE_ATTACH, ERR_R_MALLOC_FAILURE);
- OSSL_STORE_LOADER_CTX_free(ctx);
- return NULL;
+static OSSL_STORE_LOADER_CTX *file_attach
+ (const OSSL_STORE_LOADER *loader, BIO *bp,
+ OPENSSL_CTX *libctx, const char *propq,
+ const UI_METHOD *ui_method, void *ui_data)
+{
+ OSSL_STORE_LOADER_CTX *ctx = NULL;
+
+ if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) == NULL) {
+ OSSL_STOREerr(0, ERR_R_MALLOC_FAILURE);
+ goto err;
}
+ if (propq != NULL) {
+ ctx->propq = OPENSSL_strdup(propq);
+ if (ctx->propq == NULL) {
+ OSSL_STOREerr(0, ERR_R_MALLOC_FAILURE);
+ goto err;
+ }
+ }
ctx->libctx = libctx;
ctx->flags |= FILE_FLAG_ATTACHED;
ctx->_.file.file = bp;
if (!file_find_type(ctx)) {
/* Safety measure */
ctx->_.file.file = NULL;
- OSSL_STORE_LOADER_CTX_free(ctx);
- ctx = NULL;
+ goto err;
}
-
return ctx;
+err:
+ OSSL_STORE_LOADER_CTX_free(ctx);
+ return NULL;
}
static int file_ctrl(OSSL_STORE_LOADER_CTX *ctx, int cmd, va_list args)
@@ -1021,8 +1042,7 @@ static int file_ctrl(OSSL_STORE_LOADER_CTX *ctx, int cmd, va_list args)
ctx->flags |= FILE_FLAG_SECMEM;
break;
default:
- OSSL_STOREerr(OSSL_STORE_F_FILE_CTRL,
- ERR_R_PASSED_INVALID_ARGUMENT);
+ OSSL_STOREerr(0, ERR_R_PASSED_INVALID_ARGUMENT);
ret = 0;
break;
}
@@ -1422,7 +1442,8 @@ static int file_name_check(OSSL_STORE_LOADER_CTX *ctx, const char *name)
static int file_eof(OSSL_STORE_LOADER_CTX *ctx);
static int file_error(OSSL_STORE_LOADER_CTX *ctx);
static OSSL_STORE_INFO *file_load(OSSL_STORE_LOADER_CTX *ctx,
- const UI_METHOD *ui_method, void *ui_data)
+ const UI_METHOD *ui_method,
+ void *ui_data)
{
OSSL_STORE_INFO *result = NULL;
@@ -1437,7 +1458,7 @@ static OSSL_STORE_INFO *file_load(OSSL_STORE_LOADER_CTX *ctx,
if (!ctx->_.dir.end_reached) {
char errbuf[256];
assert(ctx->_.dir.last_errno != 0);
- OSSL_STOREerr(OSSL_STORE_F_FILE_LOAD, ERR_R_SYS_LIB);
+ OSSL_STOREerr(0, ERR_R_SYS_LIB);
errno = ctx->_.dir.last_errno;
ctx->errcnt++;
if (openssl_strerror_r(errno, errbuf, sizeof(errbuf)))
@@ -1465,7 +1486,7 @@ static OSSL_STORE_INFO *file_load(OSSL_STORE_LOADER_CTX *ctx,
if (newname != NULL
&& (result = OSSL_STORE_INFO_new_NAME(newname)) == NULL) {
OPENSSL_free(newname);
- OSSL_STOREerr(OSSL_STORE_F_FILE_LOAD, ERR_R_OSSL_STORE_LIB);
+ OSSL_STOREerr(0, ERR_R_OSSL_STORE_LIB);
return NULL;
}
} while (result == NULL && !file_eof(ctx));
@@ -1524,16 +1545,14 @@ static OSSL_STORE_INFO *file_load(OSSL_STORE_LOADER_CTX *ctx,
}
if (matchcount > 1) {
- OSSL_STOREerr(OSSL_STORE_F_FILE_LOAD,
- OSSL_STORE_R_AMBIGUOUS_CONTENT_TYPE);
+ OSSL_STOREerr(0, OSSL_STORE_R_AMBIGUOUS_CONTENT_TYPE);
} else if (matchcount == 1) {
/*
* If there are other errors on the stack, they already show
* what the problem is.
*/
if (ERR_peek_error() == 0) {
- OSSL_STOREerr(OSSL_STORE_F_FILE_LOAD,
- OSSL_STORE_R_UNSUPPORTED_CONTENT_TYPE);
+ OSSL_STOREerr(0, OSSL_STORE_R_UNSUPPORTED_CONTENT_TYPE);
if (pem_name != NULL)
ERR_add_error_data(3, "PEM type is '", pem_name, "'");
}
@@ -1617,7 +1636,8 @@ static OSSL_STORE_LOADER file_loader =
file_load,
file_eof,
file_error,
- file_close
+ file_close,
+ file_open_with_libctx,
};
static void store_file_loader_deinit(void)
diff --git a/crypto/store/store_lib.c b/crypto/store/store_lib.c
index e1fc591894..2878358245 100644
--- a/crypto/store/store_lib.c
+++ b/crypto/store/store_lib.c
@@ -11,9 +11,6 @@
#include <stdlib.h>
#include <string.h>
#include <assert.h>
-
-#include "e_os.h"
-
#include <openssl/crypto.h>
#include <openssl/err.h>
#include <openssl/trace.h>
@@ -35,10 +32,10 @@ struct ossl_store_ctx_st {
int loading;
};
-OSSL_STORE_CTX *OSSL_STORE_open(const char *uri, const UI_METHOD *ui_method,
- void *ui_data,
- OSSL_STORE_post_process_info_fn post_process,
- void *post_process_data)
+OSSL_STORE_CTX *OSSL_STORE_open_with_libctx(
+ const char *uri, OPENSSL_CTX *libctx, const char *propq,
+ const UI_METHOD *ui_method, void *ui_data,
+ OSSL_STORE_post_process_info_fn post_process, void *post_process_data)
{
const OSSL_STORE_LOADER *loader = NULL;
OSSL_STORE_LOADER_CTX *loader_ctx = NULL;
@@ -78,7 +75,11 @@ OSSL_STORE_CTX *OSSL_STORE_open(const char *uri, const UI_METHOD *ui_method,
OSSL_TRACE1(STORE, "Looking up scheme %s\n", schemes[i]);
if ((loader = ossl_store_get0_loader_int(schemes[i])) != NULL) {
OSSL_TRACE1(STORE, "Found loader for scheme %s\n", schemes[i]);
- loader_ctx = loader->open(loader, uri, ui_method, ui_data);
+ if (loader->open_with_libctx != NULL)
+ loader_ctx = loader->open_with_libctx(loader, uri, libctx, propq,
+ ui_method, ui_data);
+ else
+ loader_ctx = loader->open(loader, uri, ui_method, ui_data);
OSSL_TRACE2(STORE, "Opened %s => %p\n", uri, (void *)loader_ctx);
}
}
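Review bot: When a registered loader has no open_with_libctx hook, the `else` branch falls back to `loader->open()` and the caller's libctx and propq are dropped without a trace line or an error, so objects returned by such a loader (any third-party loader written against the old OSSL_STORE_LOADER layout) end up bound to the default library context while the caller believes otherwise. At minimum the branch deserves a comment, e.g. `/* Legacy loader: libctx/propq cannot be passed and are ignored */`, and an `OSSL_TRACE1(STORE, "Loader for %s ignores libctx/propq\n", schemes[i]);` alongside the existing trace calls would make the fallback visible when debugging; returning an error when libctx or propq is non-NULL for such a loader would be the stricter option. OSSL_STORE_open_with_libctx continues past the hunk.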
@@ -87,7 +88,7 @@ OSSL_STORE_CTX *OSSL_STORE_open(const char *uri, const UI_METHOD *ui_method,
goto err;
if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) == NULL) {
- OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_OPEN, ERR_R_MALLOC_FAILURE);
+ OSSL_STOREerr(0, ERR_R_MALLOC_FAILURE);
goto err;
}
@@ -120,6 +121,15 @@ OSSL_STORE_CTX *OSSL_STORE_open(const char *uri, const UI_METHOD *ui_method,
return NULL;
}
+OSSL_STORE_CTX *OSSL_STORE_open(const char *uri,
+ const UI_METHOD *ui_method, void *ui_data,
+ OSSL_STORE_post_process_info_fn post_process,
+ void *post_process_data)
+{
+ return OSSL_STORE_open_with_libctx(uri, NULL, NULL, ui_method, ui_data,
+ post_process, post_process_data);
+}
+
int OSSL_STORE_ctrl(OSSL_STORE_CTX *ctx, int cmd, ...)
{
va_list args;
@@ -653,8 +663,8 @@ char *ossl_store_info_get0_EMBEDDED_pem_name(OSSL_STORE_INFO *info)
return NULL;
}
-OSSL_STORE_CTX *OSSL_STORE_attach(BIO *bp, OPENSSL_CTX *libctx,
- const char *scheme, const char *propq,
+OSSL_STORE_CTX *OSSL_STORE_attach(BIO *bp, const char *scheme,
+ OPENSSL_CTX *libctx, const char *propq,
const UI_METHOD *ui_method, void *ui_data,
OSSL_STORE_post_process_info_fn post_process,
void *post_process_data)
diff --git a/crypto/store/store_local.h b/crypto/store/store_local.h
index 31e04d13ad..c9592c38ce 100644
--- a/crypto/store/store_local.h
+++ b/crypto/store/store_local.h
@@ -110,6 +110,7 @@ struct ossl_store_loader_st {
OSSL_STORE_eof_fn eof;
OSSL_STORE_error_fn error;
OSSL_STORE_close_fn close;
+ OSSL_STORE_open_with_libctx_fn open_with_libctx;
};
DEFINE_LHASH_OF(OSSL_STORE_LOADER);
diff --git a/crypto/store/store_register.c b/crypto/store/store_register.c
index 12efb3e89b..4fbf459afa 100644
--- a/crypto/store/store_register.c
+++ b/crypto/store/store_register.c
@@ -220,6 +220,7 @@ const OSSL_STORE_LOADER *ossl_store_get0_loader_int(const char *scheme)
template.load = NULL;
template.eof = NULL;
template.close = NULL;
+ template.open_with_libctx = NULL;
if (!ossl_store_init_once())
return NULL;
diff --git a/crypto/x509/by_dir.c b/crypto/x509/by_dir.c
index 43b175e2dc..ff6e4cf03c 100644
--- a/crypto/x509/by_dir.c
+++ b/crypto/x509/by_dir.c
@@ -42,23 +42,32 @@ typedef struct lookup_dir_st {
} BY_DIR;
static int dir_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl,
- char **ret);
+ char **retp);
+
static int new_dir(X509_LOOKUP *lu);
static void free_dir(X509_LOOKUP *lu);
static int add_cert_dir(BY_DIR *ctx, const char *dir, int type);
static int get_cert_by_subject(X509_LOOKUP *xl, X509_LOOKUP_TYPE type,
const X509_NAME *name, X509_OBJECT *ret);
+static int get_cert_by_subject_with_libctx(X509_LOOKUP *xl,
+ X509_LOOKUP_TYPE type,
+ const X509_NAME *name,
+ X509_OBJECT *ret,
+ OPENSSL_CTX *libctx,
+ const char *propq);
static X509_LOOKUP_METHOD x509_dir_lookup = {
"Load certs from files in a directory",
- new_dir, /* new_item */
- free_dir, /* free */
- NULL, /* init */
- NULL, /* shutdown */
- dir_ctrl, /* ctrl */
- get_cert_by_subject, /* get_by_subject */
- NULL, /* get_by_issuer_serial */
- NULL, /* get_by_fingerprint */
- NULL, /* get_by_alias */
+ new_dir, /* new_item */
+ free_dir, /* free */
+ NULL, /* init */
+ NULL, /* shutdown */
+ dir_ctrl, /* ctrl */
+ get_cert_by_subject, /* get_by_subject */
+ NULL, /* get_by_issuer_serial */
+ NULL, /* get_by_fingerprint */
+ NULL, /* get_by_alias */
+ get_cert_by_subject_with_libctx, /* get_by_subject_with_libctx */
+ NULL, /* ctrl_with_libctx */
};
X509_LOOKUP_METHOD *X509_LOOKUP_hash_dir(void)
@@ -210,8 +219,12 @@ static int add_cert_dir(BY_DIR *ctx, const char *dir, int type)
return 1;
}
-static int get_cert_by_subject(X509_LOOKUP *xl, X509_LOOKUP_TYPE type,
- const X509_NAME *name, X509_OBJECT *ret)
+static int get_cert_by_subject_with_libctx(X509_LOOKUP *xl,
+ X509_LOOKUP_TYPE type,
+ const X509_NAME *name,
+ X509_OBJECT *ret,
+ OPENSSL_CTX *libctx,
+ const char *propq)
{
BY_DIR *ctx;
union {
@@ -238,12 +251,12 @@ static int get_cert_by_subject(X509_LOOKUP *xl, X509_LOOKUP_TYPE type,
stmp.data.crl = &data.crl;
postfix = "r";
} else {
- X509err(X509_F_GET_CERT_BY_SUBJECT, X509_R_WRONG_LOOKUP_TYPE);
+ X509err(0, X509_R_WRONG_LOOKUP_TYPE);
goto finish;
}
if ((b = BUF_MEM_new()) == NULL) {
- X509err(X509_F_GET_CERT_BY_SUBJECT, ERR_R_BUF_LIB);
+ X509err(0, ERR_R_BUF_LIB);
goto finish;
}
@@ -258,7 +271,7 @@ static int get_cert_by_subject(X509_LOOKUP *xl, X509_LOOKUP_TYPE type,
ent = sk_BY_DIR_ENTRY_value(ctx->dirs, i);
j = strlen(ent->dir) + 1 + 8 + 6 + 1 + 1;
if (!BUF_MEM_grow(b, j)) {
- X509err(X509_F_GET_CERT_BY_SUBJECT, ERR_R_MALLOC_FAILURE);
+ X509err(0, ERR_R_MALLOC_FAILURE);
goto finish;
}
if (type == X509_LU_CRL && ent->hashes) {
@@ -316,7 +329,8 @@ static int get_cert_by_subject(X509_LOOKUP *xl, X509_LOOKUP_TYPE type,
#endif
/* found one. */
if (type == X509_LU_X509) {
- if ((X509_load_cert_file(xl, b->data, ent->dir_type)) == 0)
+ if ((X509_load_cert_file_with_libctx(xl, b->data, ent->dir_type,
+ libctx, propq)) == 0)
break;
} else if (type == X509_LU_CRL) {
if ((X509_load_crl_file(xl, b->data, ent->dir_type)) == 0)
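Review bot: Certificates found in the hashed directory now go through X509_load_cert_file_with_libctx() with libctx/propq, but the CRL branch on the last line of the hunk still calls X509_load_crl_file() with neither, so CRLs placed in the same X509_STORE are decoded under the default library context and, presumably, any later signature check on them fetches algorithms from there rather than from the caller's context. If CRL loading cannot take a libctx yet, a TODO at that call would stop the asymmetry being overlooked: `/* TODO(3.0): pass libctx/propq once X509_load_crl_file has a _with_libctx variant */`. get_cert_by_subject_with_libctx starts before and continues after this hunk.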
@@ -351,7 +365,7 @@ static int get_cert_by_subject(X509_LOOKUP *xl, X509_LOOKUP_TYPE type,
hent = OPENSSL_malloc(sizeof(*hent));
if (hent == NULL) {
CRYPTO_THREAD_unlock(ctx->lock);
- X509err(X509_F_GET_CERT_BY_SUBJECT, ERR_R_MALLOC_FAILURE);
+ X509err(0, ERR_R_MALLOC_FAILURE);
ok = 0;
goto finish;
}
@@ -360,7 +374,7 @@ static int get_cert_by_subject(X509_LOOKUP *xl, X509_LOOKUP_TYPE type,
if (!sk_BY_DIR_HASH_push(ent->hashes, hent)) {
CRYPTO_THREAD_unlock(ctx->lock);
OPENSSL_free(hent);
- X509err(X509_F_GET_CERT_BY_SUBJECT, ERR_R_MALLOC_FAILURE);
+ X509err(0, ERR_R_MALLOC_FAILURE);
ok = 0;
goto finish;
}
@@ -390,3 +404,9 @@ static int get_cert_by_subject(X509_LOOKUP *xl, X509_LOOKUP_TYPE type,
BUF_MEM_free(b);
return ok;
}
+
+static int get_cert_by_subject(X509_LOOKUP *xl, X509_LOOKUP_TYPE type,
+ const X509_NAME *name, X509_OBJECT *ret)
+{
+ return get_cert_by_subject_with_libctx(xl, type, name, ret, NULL, NULL);
+}
diff --git a/crypto/x509/by_file.c b/crypto/x509/by_file.c
index f9e1e73fc4..d5e6dde4f8 100644
--- a/crypto/x509/by_file.c
+++ b/crypto/x509/by_file.c
@@ -21,6 +21,11 @@ DEFINE_STACK_OF(X509_INFO)
static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argc,
long argl, char **ret);
+static int by_file_ctrl_with_libctx(X509_LOOKUP *ctx, int cmd,
+ const char *argc, long argl, char **ret,
+ OPENSSL_CTX *libctx, const char *propq);
+
+
static X509_LOOKUP_METHOD x509_file_lookup = {
"Load file into cache",
NULL, /* new_item */
@@ -32,6 +37,8 @@ static X509_LOOKUP_METHOD x509_file_lookup = {
NULL, /* get_by_issuer_serial */
NULL, /* get_by_fingerprint */
NULL, /* get_by_alias */
+ NULL, /* get_by_subject_with_libctx */
+ by_file_ctrl_with_libctx, /* ctrl_with_libctx */
};
X509_LOOKUP_METHOD *X509_LOOKUP_file(void)
@@ -39,8 +46,9 @@ X509_LOOKUP_METHOD *X509_LOOKUP_file(void)
return &x509_file_lookup;
}
-static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp,
- long argl, char **ret)
+static int by_file_ctrl_with_libctx(X509_LOOKUP *ctx, int cmd,
+ const char *argp, long argl, char **ret,
+ OPENSSL_CTX *libctx, const char *propq)
{
int ok = 0;
const char *file;
@@ -50,30 +58,40 @@ static int by_file_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp,
if (argl == X509_FILETYPE_DEFAULT) {
file = ossl_safe_getenv(X509_get_default_cert_file_env());
if (file)
- ok = (X509_load_cert_crl_file(ctx, file,
- X509_FILETYPE_PEM) != 0);
+ ok = (X509_load_cert_crl_file_with_libctx(ctx, file,
+ X509_FILETYPE_PEM,
+ libctx, propq) != 0);
else
- ok = (X509_load_cert_crl_file
- (ctx, X509_get_default_cert_file(),
- X509_FILETYPE_PEM) != 0);
+ ok = (X509_load_cert_crl_file_with_libctx(
+ ctx, X509_get_default_cert_file(),
+ X509_FILETYPE_PEM, libctx, propq) != 0);
if (!ok) {
- X509err(X509_F_BY_FILE_CTRL, X509_R_LOADING_DEFAULTS);