Add support for loading root CAs from Windows crypto API

[openssl.git] / crypto / x509 / by_dir.c

diff --git a/crypto/x509/by_dir.c b/crypto/x509/by_dir.c
index 965625973cdbcfac51291dff264e7c894561ffc7..8d61c27d701137ba4d1c675abaed8ef65f3a08fd 100644 (file)
--- a/crypto/x509/by_dir.c
+++ b/crypto/x509/by_dir.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
  *
  * Licensed under the Apache License 2.0 (the "License").  You may not use
  * this file except in compliance with the License.  You can obtain a copy
@@ -7,7 +7,16 @@
  * https://www.openssl.org/source/license.html
  */
 
-#include "e_os.h"
+#if defined (__TANDEM) && defined (_SPT_MODEL_)
+  /*
+   * These definitions have to come first in SPT due to scoping of the
+   * declarations in c99 associated with SPT use of stat.
+   */
+# include <sys/types.h>
+# include <sys/stat.h>
+#endif
+
+#include "internal/e_os.h"
 #include "internal/cryptlib.h"
 #include <stdio.h>
 #include <time.h>
@@ -79,13 +88,18 @@ static int dir_ctrl(X509_LOOKUP *ctx, int cmd, const char *argp, long argl,
     switch (cmd) {
     case X509_L_ADD_DIR:
         if (argl == X509_FILETYPE_DEFAULT) {
-            const char *dir = ossl_safe_getenv(X509_get_default_cert_dir_env());
+            /* If SSL_CERT_PATH is provided and non-empty, use that. */
+            const char *dir = ossl_safe_getenv(X509_get_default_cert_path_env());
+
+            /* Fallback to SSL_CERT_DIR. */
+            if (dir == NULL)
+                dir = ossl_safe_getenv(X509_get_default_cert_dir_env());
 
-            if (dir)
-                ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM);
-            else
-                ret = add_cert_dir(ld, X509_get_default_cert_dir(),
-                                   X509_FILETYPE_PEM);
+            /* Fallback to built-in default. */
+            if (dir == NULL)
+                dir = X509_get_default_cert_dir();
+
+            ret = add_cert_dir(ld, dir, X509_FILETYPE_PEM);
             if (!ret) {
                 ERR_raise(ERR_LIB_X509, X509_R_LOADING_CERT_DIR);
             }
@@ -252,8 +266,9 @@ static int get_cert_by_subject_ex(X509_LOOKUP *xl, X509_LOOKUP_TYPE type,
     }
 
     ctx = (BY_DIR *)xl->method_data;
-
-    h = X509_NAME_hash(name);
+    h = X509_NAME_hash_ex(name, libctx, propq, &i);
+    if (i == 0)
+        goto finish;
     for (i = 0; i < sk_BY_DIR_ENTRY_num(ctx->dirs); i++) {
         BY_DIR_ENTRY *ent;
         int idx;
@@ -267,7 +282,8 @@ static int get_cert_by_subject_ex(X509_LOOKUP *xl, X509_LOOKUP_TYPE type,
         }
         if (type == X509_LU_CRL && ent->hashes) {
             htmp.hash = h;
-            CRYPTO_THREAD_read_lock(ctx->lock);
+            if (!CRYPTO_THREAD_read_lock(ctx->lock))
+                goto finish;
             idx = sk_BY_DIR_HASH_find(ent->hashes, &htmp);
             if (idx >= 0) {
                 hent = sk_BY_DIR_HASH_value(ent->hashes, idx);
@@ -345,7 +361,8 @@ static int get_cert_by_subject_ex(X509_LOOKUP *xl, X509_LOOKUP_TYPE type,
         /* If a CRL, update the last file suffix added for this */
 
         if (type == X509_LU_CRL) {
-            CRYPTO_THREAD_write_lock(ctx->lock);
+            if (!CRYPTO_THREAD_write_lock(ctx->lock))
+                goto finish;
             /*
              * Look for entry again in case another thread added an entry
              * first.