LIBS=../../libcrypto
SOURCE[../../libcrypto]=\
- store_err.c store_init.c store_lib.c store_register.c store_strings.c \
- store_meth.c loader_file.c
+ store_err.c store_lib.c store_result.c store_strings.c store_meth.c \
+ store_init.c store_register.c loader_file.c
* https://www.openssl.org/source/license.html
*/
-#include "e_os.h"
#include <stdlib.h>
#include <string.h>
#include <assert.h>
+
+#include "e_os.h"
+
#include <openssl/crypto.h>
#include <openssl/err.h>
#include <openssl/trace.h>
+#include <openssl/core_names.h>
+#include <openssl/provider.h>
+#include <openssl/param_build.h>
#include <openssl/store.h>
#include "internal/thread_once.h"
+#include "internal/cryptlib.h"
+#include "internal/provider.h"
#include "crypto/store.h"
#include "store_local.h"
-struct ossl_store_ctx_st {
- const OSSL_STORE_LOADER *loader;
- OSSL_STORE_LOADER_CTX *loader_ctx;
- const UI_METHOD *ui_method;
- void *ui_data;
- OSSL_STORE_post_process_info_fn post_process;
- void *post_process_data;
- int expected_type;
-
- /* 0 before the first STORE_load(), 1 otherwise */
- int loading;
-};
+static int ossl_store_close_it(OSSL_STORE_CTX *ctx);
-OSSL_STORE_CTX *OSSL_STORE_open_with_libctx(
- const char *uri, OPENSSL_CTX *libctx, const char *propq,
- const UI_METHOD *ui_method, void *ui_data,
- OSSL_STORE_post_process_info_fn post_process, void *post_process_data)
+OSSL_STORE_CTX *
+OSSL_STORE_open_with_libctx(const char *uri,
+ OPENSSL_CTX *libctx, const char *propq,
+ const UI_METHOD *ui_method, void *ui_data,
+ OSSL_STORE_post_process_info_fn post_process,
+ void *post_process_data)
{
const OSSL_STORE_LOADER *loader = NULL;
+ OSSL_STORE_LOADER *fetched_loader = NULL;
OSSL_STORE_LOADER_CTX *loader_ctx = NULL;
OSSL_STORE_CTX *ctx = NULL;
+ char *propq_copy = NULL;
char scheme_copy[256], *p, *schemes[2];
size_t schemes_n = 0;
size_t i;
ERR_set_mark();
- /* Try each scheme until we find one that could open the URI */
+ /*
+ * Try each scheme until we find one that could open the URI.
+ *
+ * For each scheme, we look for the engine implementation first, and
+ * failing that, we then try to fetch a provided implementation.
+ * This is consistent with how we handle legacy / engine implementations
+ * elsewhere.
+ */
for (i = 0; loader_ctx == NULL && i < schemes_n; i++) {
OSSL_TRACE1(STORE, "Looking up scheme %s\n", schemes[i]);
if ((loader = ossl_store_get0_loader_int(schemes[i])) != NULL) {
- OSSL_TRACE1(STORE, "Found loader for scheme %s\n", schemes[i]);
if (loader->open_with_libctx != NULL)
loader_ctx = loader->open_with_libctx(loader, uri, libctx, propq,
ui_method, ui_data);
else
loader_ctx = loader->open(loader, uri, ui_method, ui_data);
- OSSL_TRACE2(STORE, "Opened %s => %p\n", uri, (void *)loader_ctx);
+ }
+ if (loader == NULL
+ && (fetched_loader =
+ OSSL_STORE_LOADER_fetch(schemes[i], libctx, propq)) != NULL) {
+ const OSSL_PROVIDER *provider =
+ OSSL_STORE_LOADER_provider(fetched_loader);
+ void *provctx = OSSL_PROVIDER_get0_provider_ctx(provider);
+
+ loader_ctx = fetched_loader->p_open(provctx, uri);
+ if (loader_ctx == NULL) {
+ OSSL_STORE_LOADER_free(fetched_loader);
+ fetched_loader = NULL;
+ } else if (propq != NULL) {
+ OSSL_PARAM params[] = {
+ OSSL_PARAM_utf8_string(OSSL_STORE_PARAM_PROPERTIES,
+ NULL, 0),
+ OSSL_PARAM_END
+ };
+
+ params[0].data = (void *)propq;
+ if (!fetched_loader->p_set_ctx_params(loader_ctx, params)) {
+ (void)fetched_loader->p_close(loader_ctx);
+ OSSL_STORE_LOADER_free(fetched_loader);
+ fetched_loader = NULL;
+ }
+ }
+ loader = fetched_loader;
}
}
+ if (loader != NULL)
+ OSSL_TRACE1(STORE, "Found loader for scheme %s\n", schemes[i]);
+
if (loader_ctx == NULL)
goto err;
- if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) == NULL) {
+ OSSL_TRACE2(STORE, "Opened %s => %p\n", uri, (void *)loader_ctx);
+
+ if ((propq != NULL && (propq_copy = OPENSSL_strdup(propq)) == NULL)
+ || (ctx = OPENSSL_zalloc(sizeof(*ctx))) == NULL) {
OSSL_STOREerr(0, ERR_R_MALLOC_FAILURE);
goto err;
}
+ if ((ui_method != NULL
+ && !ossl_pw_set_ui_method(&ctx->pwdata, ui_method, ui_data))
+ || !ossl_pw_enable_passphrase_caching(&ctx->pwdata)) {
+ ERR_raise(ERR_LIB_OSSL_STORE, ERR_R_CRYPTO_LIB);
+ goto err;
+ }
+ ctx->properties = propq_copy;
+ ctx->fetched_loader = fetched_loader;
ctx->loader = loader;
ctx->loader_ctx = loader_ctx;
- ctx->ui_method = ui_method;
- ctx->ui_data = ui_data;
ctx->post_process = post_process;
ctx->post_process_data = post_process_data;
err:
ERR_clear_last_mark();
if (loader_ctx != NULL) {
+ /*
+ * Temporary structure so OSSL_STORE_close() can work even when
+ * |ctx| couldn't be allocated properly
+ */
+ OSSL_STORE_CTX tmpctx = { NULL, };
+
+ tmpctx.fetched_loader = fetched_loader;
+ tmpctx.loader = loader;
+ tmpctx.loader_ctx = loader_ctx;
+
/*
* We ignore a returned error because we will return NULL anyway in
* this case, so if something goes wrong when closing, that'll simply
* just add another entry on the error stack.
*/
- (void)loader->close(loader_ctx);
+ (void)ossl_store_close_it(&tmpctx);
}
+ OSSL_STORE_LOADER_free(fetched_loader);
+ OPENSSL_free(propq_copy);
return NULL;
}
int OSSL_STORE_vctrl(OSSL_STORE_CTX *ctx, int cmd, va_list args)
{
- if (ctx->loader->ctrl != NULL)
+ if (ctx->fetched_loader != NULL) {
+ if (ctx->fetched_loader->p_set_ctx_params != NULL) {
+ OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END };
+
+ switch (cmd) {
+ case OSSL_STORE_C_USE_SECMEM:
+ {
+ int on = *(va_arg(args, int *));
+
+ params[0] = OSSL_PARAM_construct_int("use_secmem", &on);
+ }
+ break;
+ default:
+ break;
+ }
+
+ return ctx->fetched_loader->p_set_ctx_params(ctx->loader_ctx,
+ params);
+ }
+ } else if (ctx->loader->ctrl != NULL) {
return ctx->loader->ctrl(ctx->loader_ctx, cmd, args);
- return 0;
+ }
+
+ /*
+ * If the fetched loader doesn't have a set_ctx_params or a ctrl, it's as
+ * if there was one that ignored our params, which usually returns 1.
+ */
+ return 1;
}
int OSSL_STORE_expect(OSSL_STORE_CTX *ctx, int expected_type)
{
+ int ret = 1;
+
if (ctx->loading) {
OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_EXPECT,
OSSL_STORE_R_LOADING_STARTED);
}
ctx->expected_type = expected_type;
- if (ctx->loader->expect != NULL)
- return ctx->loader->expect(ctx->loader_ctx, expected_type);
- return 1;
+ if (ctx->fetched_loader != NULL
+ && ctx->fetched_loader->p_set_ctx_params != NULL) {
+ OSSL_PARAM params[2] = { OSSL_PARAM_END, OSSL_PARAM_END };
+
+ params[0] =
+ OSSL_PARAM_construct_int(OSSL_STORE_PARAM_EXPECT, &expected_type);
+ ret = ctx->fetched_loader->p_set_ctx_params(ctx->loader_ctx, params);
+ }
+#ifndef OPENSSL_NO_DEPRECATED_3_0
+ if (ctx->fetched_loader == NULL
+ && ctx->loader->expect != NULL) {
+ ret = ctx->loader->expect(ctx->loader_ctx, expected_type);
+ }
+#endif
+ return ret;
}
int OSSL_STORE_find(OSSL_STORE_CTX *ctx, const OSSL_STORE_SEARCH *search)
{
+ int ret = 1;
+
if (ctx->loading) {
OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_FIND,
OSSL_STORE_R_LOADING_STARTED);
return 0;
}
- if (ctx->loader->find == NULL) {
- OSSL_STOREerr(OSSL_STORE_F_OSSL_STORE_FIND,
- OSSL_STORE_R_UNSUPPORTED_OPERATION);
- return 0;
+
+ if (ctx->fetched_loader != NULL) {
+ OSSL_PARAM_BLD *bld;
+ OSSL_PARAM *params;
+ /* OSSL_STORE_SEARCH_BY_NAME, OSSL_STORE_SEARCH_BY_ISSUER_SERIAL*/
+ void *name_der = NULL;
+ int name_der_sz;
+ /* OSSL_STORE_SEARCH_BY_ISSUER_SERIAL */
+ BIGNUM *number = NULL;
+
+ if (ctx->fetched_loader->p_set_ctx_params == NULL) {
+ OSSL_STOREerr(ERR_LIB_OSSL_STORE,
+ OSSL_STORE_R_UNSUPPORTED_OPERATION);
+ return 0;
+ }
+
+ if ((bld = OSSL_PARAM_BLD_new()) == NULL) {
+ OSSL_STOREerr(ERR_LIB_OSSL_STORE, ERR_R_MALLOC_FAILURE);
+ return 0;
+ }
+
+ ret = 0; /* Assume the worst */
+
+ switch (search->search_type) {
+ case OSSL_STORE_SEARCH_BY_NAME:
+ if ((name_der_sz = i2d_X509_NAME(search->name,
+ (unsigned char **)&name_der)) > 0
+ && OSSL_PARAM_BLD_push_octet_string(bld,
+ OSSL_STORE_PARAM_SUBJECT,
+ name_der, name_der_sz))
+ ret = 1;
+ break;
+ case OSSL_STORE_SEARCH_BY_ISSUER_SERIAL:
+ if ((name_der_sz = i2d_X509_NAME(search->name,
+ (unsigned char **)&name_der)) > 0
+ && (number = ASN1_INTEGER_to_BN(search->serial, NULL)) != NULL
+ && OSSL_PARAM_BLD_push_octet_string(bld,
+ OSSL_STORE_PARAM_ISSUER,
+ name_der, name_der_sz)
+ && OSSL_PARAM_BLD_push_BN(bld, OSSL_STORE_PARAM_SERIAL,
+ number))
+ ret = 1;
+ break;
+ case OSSL_STORE_SEARCH_BY_KEY_FINGERPRINT:
+ if (OSSL_PARAM_BLD_push_utf8_string(bld, OSSL_STORE_PARAM_DIGEST,
+ EVP_MD_name(search->digest), 0)
+ && OSSL_PARAM_BLD_push_octet_string(bld,
+ OSSL_STORE_PARAM_FINGERPRINT,
+ search->string,
+ search->stringlength))
+ ret = 1;
+ break;
+ case OSSL_STORE_SEARCH_BY_ALIAS:
+ if (OSSL_PARAM_BLD_push_utf8_string(bld, OSSL_STORE_PARAM_ALIAS,
+ (char *)search->string,
+ search->stringlength))
+ ret = 1;
+ break;
+ }
+ if (ret) {
+ params = OSSL_PARAM_BLD_to_param(bld);
+ ret = ctx->fetched_loader->p_set_ctx_params(ctx->loader_ctx,
+ params);
+ OSSL_PARAM_BLD_free_params(params);
+ }
+ OSSL_PARAM_BLD_free(bld);
+ OPENSSL_free(name_der);
+ BN_free(number);
+ } else {
+ /* legacy loader section */
+ if (ctx->loader->find == NULL) {
+ OSSL_STOREerr(ERR_LIB_OSSL_STORE,
+ OSSL_STORE_R_UNSUPPORTED_OPERATION);
+ return 0;
+ }
+ ret = ctx->loader->find(ctx->loader_ctx, search);
}
- return ctx->loader->find(ctx->loader_ctx, search);
+ return ret;
}
OSSL_STORE_INFO *OSSL_STORE_load(OSSL_STORE_CTX *ctx)
if (OSSL_STORE_eof(ctx))
return NULL;
- OSSL_TRACE(STORE, "Loading next object\n");
- v = ctx->loader->load(ctx->loader_ctx, ctx->ui_method, ctx->ui_data);
+ if (ctx->loader != NULL)
+ OSSL_TRACE(STORE, "Loading next object\n");
+
+ if (ctx->cached_info != NULL
+ && sk_OSSL_STORE_INFO_num(ctx->cached_info) == 0) {
+ sk_OSSL_STORE_INFO_free(ctx->cached_info);
+ ctx->cached_info = NULL;
+ }
+
+ if (ctx->cached_info != NULL) {
+ v = sk_OSSL_STORE_INFO_shift(ctx->cached_info);
+ } else {
+ if (ctx->fetched_loader != NULL) {
+ struct ossl_load_result_data_st load_data;
+
+ load_data.v = NULL;
+ load_data.ctx = ctx;
+
+ if (!ctx->fetched_loader->p_load(ctx->loader_ctx,
+ ossl_store_handle_load_result,
+ &load_data,
+ ossl_pw_passphrase_callback_dec,
+ &ctx->pwdata)) {
+ if (!OSSL_STORE_eof(ctx))
+ ctx->error_flag = 1;
+ return NULL;
+ }
+ v = load_data.v;
+ }
+ if (ctx->fetched_loader == NULL)
+ v = ctx->loader->load(ctx->loader_ctx,
+ ctx->pwdata._.ui_method.ui_method,
+ ctx->pwdata._.ui_method.ui_method_data);
+ }
if (ctx->post_process != NULL && v != NULL) {
v = ctx->post_process(v, ctx->post_process_data);
int returned_type = OSSL_STORE_INFO_get_type(v);
if (returned_type != OSSL_STORE_INFO_NAME && returned_type != 0) {
- /*
- * Soft assert here so those who want to harsly weed out faulty
- * loaders can do so using a debugging version of libcrypto.
- */
- if (ctx->loader->expect != NULL)
- assert(ctx->expected_type == returned_type);
-
if (ctx->expected_type != returned_type) {
OSSL_STORE_INFO_free(v);
goto again;
}
}
+ ossl_pw_clear_passphrase_cache(&ctx->pwdata);
if (v != NULL)
OSSL_TRACE1(STORE, "Got a %s\n",
OSSL_STORE_INFO_type_string(OSSL_STORE_INFO_get_type(v)));
int OSSL_STORE_error(OSSL_STORE_CTX *ctx)
{
- return ctx->loader->error(ctx->loader_ctx);
+ int ret = 1;
+
+ if (ctx->fetched_loader != NULL)
+ ret = ctx->error_flag;
+ if (ctx->fetched_loader == NULL)
+ ret = ctx->loader->error(ctx->loader_ctx);
+ return ret;
}
int OSSL_STORE_eof(OSSL_STORE_CTX *ctx)
{
- return ctx->loader->eof(ctx->loader_ctx);
+ int ret = 1;
+
+ if (ctx->fetched_loader != NULL)
+ ret = ctx->loader->p_eof(ctx->loader_ctx);
+ if (ctx->fetched_loader == NULL)
+ ret = ctx->loader->eof(ctx->loader_ctx);
+ return ret;
}
-int OSSL_STORE_close(OSSL_STORE_CTX *ctx)
+static int ossl_store_close_it(OSSL_STORE_CTX *ctx)
{
- int loader_ret;
+ int ret = 0;
if (ctx == NULL)
return 1;
OSSL_TRACE1(STORE, "Closing %p\n", (void *)ctx->loader_ctx);
- loader_ret = ctx->loader->close(ctx->loader_ctx);
+
+ if (ctx->fetched_loader != NULL)
+ ret = ctx->loader->p_close(ctx->loader_ctx);
+ if (ctx->fetched_loader == NULL)
+ ret = ctx->loader->close(ctx->loader_ctx);
+
+ sk_OSSL_STORE_INFO_pop_free(ctx->cached_info, OSSL_STORE_INFO_free);
+ OSSL_STORE_LOADER_free(ctx->fetched_loader);
+ OPENSSL_free(ctx->properties);
+ return ret;
+}
+
+int OSSL_STORE_close(OSSL_STORE_CTX *ctx)
+{
+ int ret = ossl_store_close_it(ctx);
OPENSSL_free(ctx);
- return loader_ret;
+ return ret;
}
/*
int OSSL_STORE_supports_search(OSSL_STORE_CTX *ctx, int search_type)
{
- OSSL_STORE_SEARCH tmp_search;
+ int ret = 0;
+
+ if (ctx->fetched_loader != NULL) {
+ void *provctx =
+ ossl_provider_ctx(OSSL_STORE_LOADER_provider(ctx->fetched_loader));
+ const OSSL_PARAM *params;
+ const OSSL_PARAM *p_subject = NULL;
+ const OSSL_PARAM *p_issuer = NULL;
+ const OSSL_PARAM *p_serial = NULL;
+ const OSSL_PARAM *p_fingerprint = NULL;
+ const OSSL_PARAM *p_alias = NULL;
+
+ if (ctx->fetched_loader->p_settable_ctx_params == NULL)
+ return 0;
+
+ params = ctx->fetched_loader->p_settable_ctx_params(provctx);
+ p_subject = OSSL_PARAM_locate_const(params, OSSL_STORE_PARAM_SUBJECT);
+ p_issuer = OSSL_PARAM_locate_const(params, OSSL_STORE_PARAM_ISSUER);
+ p_serial = OSSL_PARAM_locate_const(params, OSSL_STORE_PARAM_SERIAL);
+ p_fingerprint =
+ OSSL_PARAM_locate_const(params, OSSL_STORE_PARAM_FINGERPRINT);
+ p_alias = OSSL_PARAM_locate_const(params, OSSL_STORE_PARAM_ALIAS);
+
+ switch (search_type) {
+ case OSSL_STORE_SEARCH_BY_NAME:
+ ret = (p_subject != NULL);
+ break;
+ case OSSL_STORE_SEARCH_BY_ISSUER_SERIAL:
+ ret = (p_issuer != NULL && p_serial != NULL);
+ break;
+ case OSSL_STORE_SEARCH_BY_KEY_FINGERPRINT:
+ ret = (p_fingerprint != NULL);
+ break;
+ case OSSL_STORE_SEARCH_BY_ALIAS:
+ ret = (p_alias != NULL);
+ break;
+ }
+ }
+ if (ctx->fetched_loader == NULL) {
+ OSSL_STORE_SEARCH tmp_search;
- if (ctx->loader->find == NULL)
- return 0;
- tmp_search.search_type = search_type;
- return ctx->loader->find(NULL, &tmp_search);
+ if (ctx->loader->find == NULL)
+ return 0;
+ tmp_search.search_type = search_type;
+ ret = ctx->loader->find(NULL, &tmp_search);
+ }
+ return ret;
}
/* Search term constructors */
OSSL_STORE_post_process_info_fn post_process,
void *post_process_data)
{
- OSSL_STORE_CTX *ctx = NULL;
const OSSL_STORE_LOADER *loader = NULL;
+ OSSL_STORE_LOADER *fetched_loader = NULL;
OSSL_STORE_LOADER_CTX *loader_ctx = NULL;
+ OSSL_STORE_CTX *ctx = NULL;
- if ((loader =
- ossl_store_get0_loader_int(scheme != NULL ? scheme : "file")) == NULL
- || (loader_ctx = loader->attach(loader, bp, libctx, propq,
- ui_method, ui_data)) == NULL)
+ if (scheme == NULL)
+ scheme = "file";
+
+ OSSL_TRACE1(STORE, "Looking up scheme %s\n", scheme);
+ if ((loader = ossl_store_get0_loader_int(scheme)) != NULL)
+ loader_ctx = loader->attach(loader, bp, libctx, propq,
+ ui_method, ui_data);
+ if (loader == NULL
+ && (fetched_loader =
+ OSSL_STORE_LOADER_fetch(scheme, libctx, propq)) != NULL) {
+ const OSSL_PROVIDER *provider =
+ OSSL_STORE_LOADER_provider(fetched_loader);
+ void *provctx = OSSL_PROVIDER_get0_provider_ctx(provider);
+
+ if ((loader_ctx =
+ fetched_loader->p_attach(provctx, (OSSL_CORE_BIO *)bp)) == NULL) {
+ OSSL_STORE_LOADER_free(fetched_loader);
+ fetched_loader = NULL;
+ } else if (propq != NULL) {
+ OSSL_PARAM params[] = {
+ OSSL_PARAM_utf8_string(OSSL_STORE_PARAM_PROPERTIES,
+ NULL, 0),
+ OSSL_PARAM_END
+ };
+
+ params[0].data = (void *)propq;
+ if (!fetched_loader->p_set_ctx_params(loader_ctx, params)) {
+ (void)fetched_loader->p_close(loader_ctx);
+ OSSL_STORE_LOADER_free(fetched_loader);
+ fetched_loader = NULL;
+ }
+ }
+ loader = fetched_loader;
+ }
+
+ if (loader_ctx == NULL)
return NULL;
if ((ctx = OPENSSL_zalloc(sizeof(*ctx))) == NULL) {
return NULL;
}
+ (void)ossl_pw_set_ui_method(&ctx->pwdata, ui_method, ui_data);
+ ctx->fetched_loader = fetched_loader;
ctx->loader = loader;
ctx->loader_ctx = loader_ctx;
- ctx->ui_method = ui_method;
- ctx->ui_data = ui_data;
ctx->post_process = post_process;
ctx->post_process_data = post_process_data;
#include <openssl/lhash.h>
#include <openssl/x509.h>
#include <openssl/store.h>
+#include "internal/passphrase.h"
/*-
* OSSL_STORE_INFO stuff
const OSSL_STORE_LOADER *ossl_store_get0_loader_int(const char *scheme);
void ossl_store_destroy_loaders_int(void);
+/*-
+ * OSSL_STORE_CTX stuff
+ * ---------------------
+ */
+
+struct ossl_store_ctx_st {
+ const OSSL_STORE_LOADER *loader; /* legacy */
+ OSSL_STORE_LOADER *fetched_loader;
+ OSSL_STORE_LOADER_CTX *loader_ctx;
+ OSSL_STORE_post_process_info_fn post_process;
+ void *post_process_data;
+ int expected_type;
+
+ char *properties;
+
+ /* 0 before the first STORE_load(), 1 otherwise */
+ int loading;
+ /* 1 on load error, only valid for fetched loaders */
+ int error_flag;
+
+ /*
+ * Cache of stuff, to be able to return the contents of a PKCS#12
+ * blob, one object at a time.
+ */
+ STACK_OF(OSSL_STORE_INFO) *cached_info;
+
+ struct ossl_passphrase_data_st pwdata;
+};
+
/*-
* OSSL_STORE init stuff
* ---------------------
OSSL_STORE_LOADER *ossl_store_loader_fetch_by_number(OPENSSL_CTX *libctx,
int scheme_id,
const char *properties);
+
+/* Standard function to handle the result from OSSL_FUNC_store_load() */
+struct ossl_load_result_data_st {
+ OSSL_STORE_INFO *v; /* To be filled in */
+ OSSL_STORE_CTX *ctx;
+};
+OSSL_CALLBACK ossl_store_handle_load_result;
--- /dev/null
+/*
+ * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include "e_os.h"
+#include <string.h>
+
+#include <openssl/core.h>
+#include <openssl/core_names.h>
+#include <openssl/core_object.h>
+#include <openssl/err.h>
+#include <openssl/pkcs12.h>
+#include <openssl/provider.h>
+#include <openssl/decoder.h>
+#include <openssl/store.h>
+#include "internal/provider.h"
+#include "internal/passphrase.h"
+#include "crypto/evp.h"
+#include "crypto/x509.h"
+#include "store_local.h"
+
+#ifndef OSSL_OBJECT_PKCS12
+/*
+ * The object abstraction doesn't know PKCS#12, but we want to indicate
+ * it anyway, so we create our own. Since the public macros use positive
+ * numbers, negative ones should be fine. They must never slip out from
+ * this translation unit anyway.
+ */
+# define OSSL_OBJECT_PKCS12 -1
+#endif
+
+/*
+ * ossl_store_handle_load_result() is initially written to be a companion
+ * to our 'file:' scheme provider implementation, but has been made generic
+ * to serve others as well.
+ *
+ * This result handler takes any object abstraction (see provider-object(7))
+ * and does the best it can with it. If the object is passed by value (not
+ * by reference), the contents are currently expected to be DER encoded.
+ * If an object type is specified, that will be respected; otherwise, this
+ * handler will guess the contents, by trying the following in order:
+ *
+ * 1. Decode it into an EVP_PKEY, using OSSL_DECODER.
+ * 2. Decode it into an X.509 certificate, using d2i_X509 / d2i_X509_AUX.
+ * 3. Decode it into an X.509 CRL, using d2i_X509_CRL.
+ * 4. Decode it into a PKCS#12 structure, using d2i_PKCS12 (*).
+ *
+ * For the 'file:' scheme implementation, this is division of labor. Since
+ * the libcrypto <-> provider interface currently doesn't support certain
+ * structures as first class objects, they must be unpacked from DER here
+ * rather than in the provider. The current exception is asymmetric keys,
+ * which can reside within the provider boundary, most of all thanks to
+ * OSSL_FUNC_keymgmt_load(), which allows loading the key material by
+ * reference.
+ */
+
+DEFINE_STACK_OF(X509)
+
+struct extracted_param_data_st {
+ int object_type;
+ const char *data_type;
+ const char *utf8_data;
+ const void *octet_data;
+ size_t octet_data_size;
+ const void *ref;
+ size_t ref_size;
+ const char *desc;
+};
+
+static int try_name(struct extracted_param_data_st *, OSSL_STORE_INFO **);
+static int try_key(struct extracted_param_data_st *, OSSL_STORE_INFO **,
+ OSSL_STORE_CTX *, const OSSL_PROVIDER *,
+ OPENSSL_CTX *, const char *);
+static int try_cert(struct extracted_param_data_st *, OSSL_STORE_INFO **,
+ OPENSSL_CTX *, const char *);
+static int try_crl(struct extracted_param_data_st *, OSSL_STORE_INFO **,
+ OPENSSL_CTX *, const char *);
+static int try_pkcs12(struct extracted_param_data_st *, OSSL_STORE_INFO **,
+ OSSL_STORE_CTX *, OPENSSL_CTX *, const char *);
+
+int ossl_store_handle_load_result(const OSSL_PARAM params[], void *arg)
+{
+ struct ossl_load_result_data_st *cbdata = arg;
+ OSSL_STORE_INFO **v = &cbdata->v;
+ OSSL_STORE_CTX *ctx = cbdata->ctx;
+ const OSSL_PROVIDER *provider =
+ OSSL_STORE_LOADER_provider(ctx->fetched_loader);
+ OPENSSL_CTX *libctx = ossl_provider_library_context(provider);
+ const char *propq = ctx->properties;
+ const OSSL_PARAM *p;
+ struct extracted_param_data_st helper_data;
+
+ memset(&helper_data, 0, sizeof(helper_data));
+ helper_data.object_type = OSSL_OBJECT_UNKNOWN;
+
+ if ((p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_TYPE)) != NULL
+ && !OSSL_PARAM_get_int(p, &helper_data.object_type))
+ return 0;
+ p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_DATA_TYPE);
+ if (p != NULL
+ && !OSSL_PARAM_get_utf8_string_ptr(p, &helper_data.data_type))
+ return 0;
+ p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_DATA);
+ if (p != NULL
+ && !OSSL_PARAM_get_octet_string_ptr(p, &helper_data.octet_data,
+ &helper_data.octet_data_size)
+ && !OSSL_PARAM_get_utf8_string_ptr(p, &helper_data.utf8_data))
+ return 0;
+ p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_REFERENCE);
+ if (p != NULL && !OSSL_PARAM_get_octet_string_ptr(p, &helper_data.ref,
+ &helper_data.ref_size))
+ return 0;
+ p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_DESC);
+ if (p != NULL && !OSSL_PARAM_get_utf8_string_ptr(p, &helper_data.desc))
+ return 0;
+
+ /*
+ * The helper functions return 0 on actual errors, otherwise 1, even if
+ * they didn't fill out |*v|.
+ */
+ if (!try_name(&helper_data, v)
+ || !try_key(&helper_data, v, ctx, provider, libctx, propq)
+ || !try_cert(&helper_data, v, libctx, propq)
+ || !try_crl(&helper_data, v, libctx, propq)
+ || !try_pkcs12(&helper_data, v, ctx, libctx, propq))
+ return 0;
+
+ return (*v != NULL);
+}
+
+static int try_name(struct extracted_param_data_st *data, OSSL_STORE_INFO **v)
+{
+ if (data->object_type == OSSL_OBJECT_NAME) {
+ char *newname = NULL, *newdesc = NULL;
+
+ if (data->utf8_data == NULL)
+ return 0;
+ if ((newname = OPENSSL_strdup(data->utf8_data)) == NULL
+ || (data->desc != NULL
+ && (newdesc = OPENSSL_strdup(data->desc)) == NULL)
+ || (*v = OSSL_STORE_INFO_new_NAME(newname)) == NULL) {
+ OPENSSL_free(newname);
+ OPENSSL_free(newdesc);
+ return 0;
+ }
+ OSSL_STORE_INFO_set0_NAME_description(*v, newdesc);
+ }
+ return 1;
+}
+
+/*
+ * For the rest of the object types, the provider code may not know what
+ * type of data it gave us, so we may need to figure that out on our own.
+ * Therefore, we do check for OSSL_OBJECT_UNKNOWN everywhere below, and
+ * only return 0 on error if the object type is known.
+ */
+
+static EVP_PKEY *try_key_ref(struct extracted_param_data_st *data,
+ OSSL_STORE_CTX *ctx,
+ const OSSL_PROVIDER *provider,
+ OPENSSL_CTX *libctx, const char *propq)
+{
+ EVP_PKEY *pk = NULL;
+ EVP_KEYMGMT *keymgmt = NULL;
+ void *keydata = NULL;
+
+ /* If we have an object reference, we must have a data type */
+ if (data->data_type == NULL)
+ return 0;
+
+ keymgmt = EVP_KEYMGMT_fetch(libctx, data->data_type, propq);
+ if (keymgmt != NULL) {
+ /*
+ * There are two possible cases
+ *
+ * 1. The keymgmt is from the same provider as the loader,
+ * so we can use evp_keymgmt_load()
+ * 2. The keymgmt is from another provider, then we must
+ * do the export/import dance.
+ */
+ if (EVP_KEYMGMT_provider(keymgmt) == provider) {
+ keydata = evp_keymgmt_load(keymgmt, data->ref, data->ref_size);
+ } else {
+ struct evp_keymgmt_util_try_import_data_st import_data;
+ OSSL_FUNC_store_export_object_fn *export_object =
+ ctx->fetched_loader->p_export_object;
+
+ import_data.keymgmt = keymgmt;
+ import_data.keydata = NULL;
+ import_data.selection = OSSL_KEYMGMT_SELECT_ALL;
+
+ if (export_object != NULL) {
+ /*
+ * No need to check for errors here, the value of
+ * |import_data.keydata| is as much an indicator.
+ */
+ (void)export_object(ctx->loader_ctx,
+ data->ref, data->ref_size,
+ &evp_keymgmt_util_try_import,
+ &import_data);
+ }
+
+ keydata = import_data.keydata;
+ }
+ }
+ if (keydata != NULL)
+ pk = evp_keymgmt_util_make_pkey(keymgmt, keydata);
+ EVP_KEYMGMT_free(keymgmt);
+
+ return pk;
+}
+
+static EVP_PKEY *try_key_value(struct extracted_param_data_st *data,
+ OSSL_STORE_CTX *ctx,
+ OSSL_PASSPHRASE_CALLBACK *cb, void *cbarg,
+ OPENSSL_CTX *libctx, const char *propq)
+{
+ EVP_PKEY *pk = NULL;
+ OSSL_DECODER_CTX *decoderctx = NULL;
+ BIO *membio =
+ BIO_new_mem_buf(data->octet_data, (int)data->octet_data_size);
+
+ if (membio == NULL)
+ return 0;
+
+ decoderctx = OSSL_DECODER_CTX_new_by_EVP_PKEY(&pk, "DER", libctx, propq);
+ (void)OSSL_DECODER_CTX_set_passphrase_cb(decoderctx, cb, cbarg);
+
+ /* No error if this couldn't be decoded */
+ (void)OSSL_DECODER_from_bio(decoderctx, membio);
+
+ OSSL_DECODER_CTX_free(decoderctx);
+ BIO_free(membio);
+
+ return pk;
+}
+
+typedef OSSL_STORE_INFO *store_info_new_fn(EVP_PKEY *);
+
+static EVP_PKEY *try_key_value_legacy(struct extracted_param_data_st *data,
+ store_info_new_fn **store_info_new,
+ OSSL_STORE_CTX *ctx,
+ OSSL_PASSPHRASE_CALLBACK *cb, void *cbarg,
+ OPENSSL_CTX *libctx, const char *propq)
+{
+ EVP_PKEY *pk = NULL;
+ const unsigned char *der = data->octet_data, *derp;
+ long der_len = (long)data->octet_data_size;
+
+ /* Try PUBKEY first, that's a real easy target */
+ derp = der;
+ pk = d2i_PUBKEY_ex(NULL, &derp, der_len, libctx, propq);
+ if (pk != NULL)
+ *store_info_new = OSSL_STORE_INFO_new_PUBKEY;
+
+ /* Try private keys next */
+ if (pk == NULL) {
+ unsigned char *new_der = NULL;
+ X509_SIG *p8 = NULL;
+ PKCS8_PRIV_KEY_INFO *p8info = NULL;
+
+ /* See if it's an encrypted PKCS#8 and decrypt it */
+ derp = der;
+ if ((p8 = d2i_X509_SIG(NULL, &derp, der_len)) != NULL) {
+ char pbuf[PEM_BUFSIZE];
+ size_t plen = 0;
+
+ if (!cb(pbuf, sizeof(pbuf), &plen, NULL, cbarg)) {
+ ERR_raise(ERR_LIB_OSSL_STORE,
+ OSSL_STORE_R_BAD_PASSWORD_READ);
+ } else {
+ const X509_ALGOR *alg = NULL;
+ const ASN1_OCTET_STRING *oct = NULL;
+ int len = 0;
+
+ X509_SIG_get0(p8, &alg, &oct);
+
+ /*
+ * No need to check the returned value, |new_der|
+ * will be NULL on error anyway.
+ */
+ PKCS12_pbe_crypt(alg, pbuf, plen,
+ oct->data, oct->length,
+ &new_der, &len, 0);
+ der_len = len;
+ der = new_der;
+ }
+ X509_SIG_free(p8);
+ }
+
+ /*
+ * If the encrypted PKCS#8 couldn't be decrypted,
+ * |der| is NULL
+ */
+ if (der != NULL) {
+ /* Try to unpack an unencrypted PKCS#8, that's easy */
+ derp = der;
+ p8info = d2i_PKCS8_PRIV_KEY_INFO(NULL, &derp, der_len);
+ if (p8info != NULL) {
+ pk = evp_pkcs82pkey_int(p8info, libctx, propq);
+ PKCS8_PRIV_KEY_INFO_free(p8info);
+ }
+
+ /*
+ * It wasn't PKCS#8, so we must try the hard way.
+ * However, we can cheat a little bit, because we know
+ * what's not yet fully supported in out decoders.
+ * TODO(3.0) Eliminate these when we have decoder support.
+ */
+ if (pk == NULL) {
+ derp = der;
+ pk = d2i_PrivateKey_ex(EVP_PKEY_SM2, NULL,
+ &derp, der_len,
+ libctx, NULL);
+ }
+ }
+
+ if (pk != NULL)
+ *store_info_new = OSSL_STORE_INFO_new_PKEY;
+
+ OPENSSL_free(new_der);
+ der = data->octet_data;
+ der_len = (long)data->octet_data_size;
+ }
+
+ /*
+ * Last, we try parameters. We cheat the same way we do for
+ * private keys above.
+ * TODO(3.0) Eliminate these when we have decoder support.
+ */
+ if (pk == NULL) {
+ derp = der;
+ pk = d2i_KeyParams(EVP_PKEY_SM2, NULL, &derp, der_len);
+ if (pk != NULL)
+ *store_info_new = OSSL_STORE_INFO_new_PARAMS;
+ }
+
+ return pk;
+}
+
+static int try_key(struct extracted_param_data_st *data, OSSL_STORE_INFO **v,
+ OSSL_STORE_CTX *ctx, const OSSL_PROVIDER *provider,
+ OPENSSL_CTX *libctx, const char *propq)
+{
+ store_info_new_fn *store_info_new = NULL;
+
+ if (data->object_type == OSSL_OBJECT_UNKNOWN
+ || data->object_type == OSSL_OBJECT_PKEY) {
+ EVP_PKEY *pk = NULL;
+
+ /* Prefer key by reference than key by value */
+ if (data->object_type == OSSL_OBJECT_PKEY && data->ref != NULL) {
+ pk = try_key_ref(data, ctx, provider, libctx, propq);
+
+ /*
+ * If for some reason we couldn't get a key, it's an error.
+ * It indicates that while decoders could make a key reference,
+ * the keymgmt somehow couldn't handle it, or doesn't have a
+ * OSSL_FUNC_keymgmt_load function.
+ */
+ if (pk == NULL)
+ return 0;
+ } else if (data->octet_data != NULL) {
+ OSSL_PASSPHRASE_CALLBACK *cb = ossl_pw_passphrase_callback_dec;
+ void *cbarg = &ctx->pwdata;
+
+ pk = try_key_value(data, ctx, cb, cbarg, libctx, propq);
+
+ /*
+ * Desperate last maneuver, in case the decoders don't support
+ * the data we have, then we try on our own to at least get a
+ * legacy key.
+ * This is the same as der2key_decode() does, but in a limited
+ * way and within the walls of libcrypto.
+ *
+ * TODO Remove this when #legacy keys are gone
+ */
+ if (pk == NULL)
+ pk = try_key_value_legacy(data, &store_info_new, ctx,
+ cb, cbarg, libctx, propq);
+ }
+
+ if (pk != NULL) {
+ data->object_type = OSSL_OBJECT_PKEY;
+
+ if (store_info_new == NULL) {
+ /*
+ * We determined the object type for OSSL_STORE_INFO, which
+ * makes an explicit difference between an EVP_PKEY with just
+ * (domain) parameters and an EVP_PKEY with actual key
+ * material.
+ * The logic is that an EVP_PKEY with actual key material
+ * always has the public half.
+ */
+ if (evp_keymgmt_util_has(pk, OSSL_KEYMGMT_SELECT_PRIVATE_KEY))
+ store_info_new = OSSL_STORE_INFO_new_PKEY;
+ else if (evp_keymgmt_util_has(pk,
+ OSSL_KEYMGMT_SELECT_PUBLIC_KEY))
+ store_info_new = OSSL_STORE_INFO_new_PUBKEY;
+ else
+ store_info_new = OSSL_STORE_INFO_new_PARAMS;
+ }
+ *v = store_info_new(pk);
+ }
+
+ if (*v == NULL)
+ EVP_PKEY_free(pk);
+ }
+
+ return 1;
+}
+
+static int try_cert(struct extracted_param_data_st *data, OSSL_STORE_INFO **v,
+ OPENSSL_CTX *libctx, const char *propq)
+{
+ if (data->object_type == OSSL_OBJECT_UNKNOWN
+ || data->object_type == OSSL_OBJECT_CERT) {
+ X509 *cert;
+
+ /*
+ * In most cases, we can try to interpret the serialized
+ * data as a trusted cert (X509 + X509_AUX) and fall back
+ * to reading it as a normal cert (just X509), but if
+ * |data_type| (the PEM name) specifically declares it as a
+ * trusted cert, then no fallback should be engaged.
+ * |ignore_trusted| tells if the fallback can be used (1)
+ * or not (0).
+ */
+ int ignore_trusted = 1;
+
+ /* If we have a data type, it should be a PEM name */
+ if (data->data_type != NULL
+ && (strcasecmp(data->data_type, PEM_STRING_X509_TRUSTED) == 0))
+ ignore_trusted = 0;
+
+ cert = d2i_X509_AUX(NULL, (const unsigned char **)&data->octet_data,
+ data->octet_data_size);
+ if (cert == NULL && ignore_trusted)
+ cert = d2i_X509(NULL, (const unsigned char **)&data->octet_data,
+ data->octet_data_size);
+
+ if (cert != NULL)
+ /* We determined the object type */
+ data->object_type = OSSL_OBJECT_CERT;
+
+ if (cert != NULL && !x509_set0_libctx(cert, libctx, propq)) {
+ X509_free(cert);
+ cert = NULL;
+ }
+
+ if (cert != NULL)
+ *v = OSSL_STORE_INFO_new_CERT(cert);
+ if (*v == NULL)
+ X509_free(cert);
+ }
+
+ return 1;
+}
+
+static int try_crl(struct extracted_param_data_st *data, OSSL_STORE_INFO **v,
+ OPENSSL_CTX *libctx, const char *propq)
+{
+ if (data->object_type == OSSL_OBJECT_UNKNOWN
+ || data->object_type == OSSL_OBJECT_CRL) {
+ X509_CRL *crl;
+
+ crl = d2i_X509_CRL(NULL, (const unsigned char **)&data->octet_data,
+ data->octet_data_size);
+ if (crl != NULL)
+ /* We determined the object type */
+ data->object_type = OSSL_OBJECT_CRL;
+
+ if (crl != NULL && !x509_crl_set0_libctx(crl, libctx, propq)) {
+ X509_CRL_free(crl);
+ crl = NULL;
+ }
+
+ if (crl != NULL)
+ *v = OSSL_STORE_INFO_new_CRL(crl);
+ if (*v == NULL)
+ X509_CRL_free(crl);
+ }
+
+ return 1;
+}
+
+static int try_pkcs12(struct extracted_param_data_st *data, OSSL_STORE_INFO **v,
+ OSSL_STORE_CTX *ctx,
+ OPENSSL_CTX *libctx, const char *propq)
+{
+ /* There is no specific object type for PKCS12 */
+ if (data->object_type == OSSL_OBJECT_UNKNOWN) {
+ /* Initial parsing */
+ PKCS12 *p12;
+
+ if ((p12 = d2i_PKCS12(NULL, (const unsigned char **)&data->octet_data,
+ data->octet_data_size)) != NULL) {
+ char *pass = NULL;
+ char tpass[PEM_BUFSIZE];
+ size_t tpass_len;
+ EVP_PKEY *pkey = NULL;
+ X509 *cert = NULL;
+ STACK_OF(X509) *chain = NULL;
+
+ data->object_type = OSSL_OBJECT_PKCS12;
+
+ if (PKCS12_verify_mac(p12, "", 0)
+ || PKCS12_verify_mac(p12, NULL, 0)) {
+ pass = "";
+ } else {
+ static char prompt_info[] = "PKCS12 import pass phrase";
+ OSSL_PARAM pw_params[] = {
+ OSSL_PARAM_utf8_string(OSSL_PASSPHRASE_PARAM_INFO,
+ prompt_info,
+ sizeof(prompt_info) - 1),
+ OSSL_PARAM_END
+ };
+
+ if (!ossl_pw_get_passphrase(tpass, sizeof(tpass), &tpass_len,
+ pw_params, 0, &ctx->pwdata)) {
+ ERR_raise(ERR_LIB_OSSL_STORE,
+ OSSL_STORE_R_PASSPHRASE_CALLBACK_ERROR);
+ goto p12_end;
+ }
+ pass = tpass;
+ if (!PKCS12_verify_mac(p12, pass, strlen(pass))) {
+ ERR_raise(ERR_LIB_OSSL_STORE,
+ OSSL_STORE_R_ERROR_VERIFYING_PKCS12_MAC);
+ goto p12_end;
+ }
+ }
+
+ if (PKCS12_parse(p12, pass, &pkey, &cert, &chain)) {
+ STACK_OF(OSSL_STORE_INFO) *infos = NULL;
+ OSSL_STORE_INFO *osi_pkey = NULL;
+ OSSL_STORE_INFO *osi_cert = NULL;
+ OSSL_STORE_INFO *osi_ca = NULL;
+ int ok = 1;
+
+ if ((infos = sk_OSSL_STORE_INFO_new_null()) != NULL) {
+ if (pkey != NULL) {
+ if ((osi_pkey = OSSL_STORE_INFO_new_PKEY(pkey)) != NULL
+ /* clearing pkey here avoids case distinctions */
+ && (pkey = NULL) == NULL
+ && sk_OSSL_STORE_INFO_push(infos, osi_pkey) != 0)
+ osi_pkey = NULL;
+ else
+ ok = 0;
+ }
+ if (ok && cert != NULL) {
+ if ((osi_cert = OSSL_STORE_INFO_new_CERT(cert)) != NULL
+ /* clearing cert here avoids case distinctions */
+ && (cert = NULL) == NULL
+ && sk_OSSL_STORE_INFO_push(infos, osi_cert) != 0)
+ osi_cert = NULL;
+ else
+ ok = 0;
+ }
+ while (ok && sk_X509_num(chain) > 0) {
+ X509 *ca = sk_X509_value(chain, 0);
+
+ if ((osi_ca = OSSL_STORE_INFO_new_CERT(ca)) != NULL
+ && sk_X509_shift(chain) != NULL
+ && sk_OSSL_STORE_INFO_push(infos, osi_ca) != 0)
+ osi_ca = NULL;
+ else
+ ok = 0;
+ }
+ }
+ EVP_PKEY_free(pkey);
+ X509_free(cert);
+ sk_X509_pop_free(chain, X509_free);
+ OSSL_STORE_INFO_free(osi_pkey);
+ OSSL_STORE_INFO_free(osi_cert);
+ OSSL_STORE_INFO_free(osi_ca);
+ if (!ok) {
+ sk_OSSL_STORE_INFO_pop_free(infos, OSSL_STORE_INFO_free);
+ infos = NULL;
+ }
+ ctx->cached_info = infos;
+ }
+ }
+ p12_end:
+ PKCS12_free(p12);
+ *v = sk_OSSL_STORE_INFO_shift(ctx->cached_info);
+ }
+
+ return 1;
+}
{
return crl->meth_data;
}
+
+int x509_crl_set0_libctx(X509_CRL *x, OPENSSL_CTX *libctx, const char *propq)
+{
+ if (x != NULL) {
+ x->libctx = libctx;
+ x->propq = propq;
+ }
+ return 1;
+}
void *ui_data,
OSSL_STORE_post_process_info_fn post_process,
void *post_process_data);
- OSSL_STORE_CTX *OSSL_STORE_open_with_libctx
- (const char *uri, OPENSSL_CTX *libctx, const char *propq,
- const UI_METHOD *ui_method, void *ui_data,
- OSSL_STORE_post_process_info_fn post_process, void *post_process_data);
-
+ OSSL_STORE_CTX *
+ OSSL_STORE_open_with_libctx(const char *uri,
+ OPENSSL_CTX *libctx, const char *propq,
+ const UI_METHOD *ui_method, void *ui_data,
+ OSSL_STORE_post_process_info_fn post_process,
+ void *post_process_data);
int OSSL_STORE_ctrl(OSSL_STORE_CTX *ctx, int cmd, ... /* args */);
OSSL_STORE_INFO *OSSL_STORE_load(OSSL_STORE_CTX *ctx);
int OSSL_STORE_eof(OSSL_STORE_CTX *ctx);
OSSL_STORE_open_with_libctx() takes a uri or path I<uri>, password UI method
I<ui_method> with associated data I<ui_data>, and post processing
callback I<post_process> with associated data I<post_process_data>,
-a library context I<libctx> with an associated property query <propq>,
+a library context I<libctx> with an associated property query I<propq>,
and opens a channel to the data located at the URI and returns a
B<OSSL_STORE_CTX> with all necessary internal information.
The given I<ui_method> and I<ui_data> will be reused by all
NULL, or the end of data is reached as indicated by OSSL_STORE_eof().
OSSL_STORE_open() is similar to OSSL_STORE_open_with_libctx() but uses NULL for
-the library context I<libctx> and property query <propq>.
+the library context I<libctx> and property query I<propq>.
OSSL_STORE_ctrl() takes a B<OSSL_STORE_CTX>, and command number I<cmd> and
more arguments not specified here.
Controls if the loader should attempt to use secure memory for any
allocated B<OSSL_STORE_INFO> and its contents.
-This control expects one argument, a pointer to an B<int> that is expected to
+This control expects one argument, a pointer to an I<int> that is expected to
have the value 1 (yes) or 0 (no).
Any other value is an error.
Handling of NULL I<ctx> argument for OSSL_STORE_close()
was introduced in OpenSSL 1.1.1h.
+OSSL_STORE_open_with_libctx() was added in OpenSSL 3.0.
+
=head1 COPYRIGHT
Copyright 2016-2020 The OpenSSL Project Authors. All Rights Reserved.
const X509_CRL_METHOD *meth;
void *meth_data;
CRYPTO_RWLOCK *lock;
+
+ OPENSSL_CTX *libctx;
+ const char *propq;
};
struct x509_revoked_st {
int x509_print_ex_brief(BIO *bio, X509 *cert, unsigned long neg_cflags);
int x509v3_cache_extensions(X509 *x);
int x509_set0_libctx(X509 *x, OPENSSL_CTX *libctx, const char *propq);
+int x509_crl_set0_libctx(X509_CRL *x, OPENSSL_CTX *libctx, const char *propq);
void x509_init_sig_info(X509 *x);
int asn1_item_digest_with_libctx(const ASN1_ITEM *it, const EVP_MD *type,
void *data, unsigned char *md,
# define ERR_R_DSA_LIB ERR_LIB_DSA/* 10 */
# define ERR_R_X509_LIB ERR_LIB_X509/* 11 */
# define ERR_R_ASN1_LIB ERR_LIB_ASN1/* 13 */
+# define ERR_R_CRYPTO_LIB ERR_LIB_CRYPTO/* 15 */
# define ERR_R_EC_LIB ERR_LIB_EC/* 16 */
# define ERR_R_BIO_LIB ERR_LIB_BIO/* 32 */
# define ERR_R_PKCS7_LIB ERR_LIB_PKCS7/* 33 */
* Returns a context reference which represents the channel to communicate
* through.
*/
-OSSL_STORE_CTX *OSSL_STORE_open(const char *uri, const UI_METHOD *ui_method,
- void *ui_data,
- OSSL_STORE_post_process_info_fn post_process,
- void *post_process_data);
-
-OSSL_STORE_CTX *OSSL_STORE_open_with_libctx
- (const char *uri, OPENSSL_CTX *libctx, const char *propq,
- const UI_METHOD *ui_method, void *ui_data,
- OSSL_STORE_post_process_info_fn post_process, void *post_process_data);
+OSSL_STORE_CTX *
+OSSL_STORE_open(const char *uri, const UI_METHOD *ui_method, void *ui_data,
+ OSSL_STORE_post_process_info_fn post_process,
+ void *post_process_data);
+OSSL_STORE_CTX *
+OSSL_STORE_open_with_libctx(const char *uri,
+ OPENSSL_CTX *libctx, const char *propq,
+ const UI_METHOD *ui_method, void *ui_data,
+ OSSL_STORE_post_process_info_fn post_process,
+ void *post_process_data);
/*
* Control / fine tune the OSSL_STORE channel. |cmd| determines what is to be