X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=crypto%2Fstore%2Fstore_result.c;h=8ba4f8880c3bec72f59629ae4e0b417c23d2bc1f;hp=9df29cec0aa118ce2cffbd83aec07086f19a7981;hb=70c06aafa691a77861bd3d3aaf93afa2a55e04ce;hpb=16feca71544681cabf873fecd3f860f9853bdf07
diff --git a/crypto/store/store_result.c b/crypto/store/store_result.c
index 9df29cec0a..8ba4f8880c 100644
--- a/crypto/store/store_result.c
+++ b/crypto/store/store_result.c
@@ -59,8 +59,6 @@
  * reference.
  */
 
-DEFINE_STACK_OF(X509)
-
 struct extracted_param_data_st {
     int object_type;
     const char *data_type;
@@ -83,6 +81,25 @@ static int try_crl(struct extracted_param_data_st *, OSSL_STORE_INFO **,
 static int try_pkcs12(struct extracted_param_data_st *, OSSL_STORE_INFO **,
                       OSSL_STORE_CTX *, OPENSSL_CTX *, const char *);
 
+#define SET_ERR_MARK() ERR_set_mark()
+#define CLEAR_ERR_MARK() \
+    do { \
+        int err = ERR_peek_last_error(); \
+ \
+        if (ERR_GET_LIB(err) == ERR_LIB_ASN1 \
+            && (ERR_GET_REASON(err) == ASN1_R_UNKNOWN_PUBLIC_KEY_TYPE \
+                || ERR_GET_REASON(err) == ASN1_R_NO_MATCHING_CHOICE_TYPE \
+                || ERR_GET_REASON(err) == ERR_R_NESTED_ASN1_ERROR)) \
+            ERR_pop_to_mark(); \
+        else \
+            ERR_clear_last_mark(); \
+    } while(0)
+#define RESET_ERR_MARK() \
+    do { \
+        CLEAR_ERR_MARK(); \
+        SET_ERR_MARK(); \
+    } while(0)
+
 int ossl_store_handle_load_result(const OSSL_PARAM params[], void *arg)
 {
     struct ossl_load_result_data_st *cbdata = arg;
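Review bot: `int err = ERR_peek_last_error();` in CLEAR_ERR_MARK narrows the `unsigned long` the ERR API returns before ERR_GET_LIB()/ERR_GET_REASON() inspect it; `unsigned long err = ERR_peek_last_error();` keeps the packed code intact instead of relying on it fitting in an int. The macro also decides on the last error alone, while ERR_pop_to_mark() then discards every entry back to the mark, including any non-ASN1 error raised earlier in the same try_* step; if that is intended it deserves a sentence above `#define CLEAR_ERR_MARK()`, e.g. `/* Drop the ASN1 noise a decoder leaves when it merely fails to recognise the format; any other last error is real and is kept, as is the mark. */`.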
@@ -123,14 +140,26 @@ int ossl_store_handle_load_result(const OSSL_PARAM params[], void *arg)
      * The helper functions return 0 on actual errors, otherwise 1, even if
      * they didn't fill out |*v|.
      */
-    if (!try_name(&helper_data, v)
-        || !try_key(&helper_data, v, ctx, provider, libctx, propq)
-        || !try_cert(&helper_data, v, libctx, propq)
-        || !try_crl(&helper_data, v, libctx, propq)
-        || !try_pkcs12(&helper_data, v, ctx, libctx, propq))
-        return 0;
+    SET_ERR_MARK();
+    if (!try_name(&helper_data, v))
+        goto err;
+    RESET_ERR_MARK();
+    if (!try_key(&helper_data, v, ctx, provider, libctx, propq))
+        goto err;
+    RESET_ERR_MARK();
+    if (!try_cert(&helper_data, v, libctx, propq))
+        goto err;
+    RESET_ERR_MARK();
+    if (!try_crl(&helper_data, v, libctx, propq))
+        goto err;
+    RESET_ERR_MARK();
+    if (!try_pkcs12(&helper_data, v, ctx, libctx, propq))
+        goto err;
+    CLEAR_ERR_MARK();
 
     return (*v != NULL);
+ err:
+    return 0;
 }
 
 static int try_name(struct extracted_param_data_st *data, OSSL_STORE_INFO **v)
@@ -228,7 +257,8 @@ static EVP_PKEY *try_key_value(struct extracted_param_data_st *data,
     if (membio == NULL)
         return 0;
 
-    decoderctx = OSSL_DECODER_CTX_new_by_EVP_PKEY(&pk, "DER", libctx, propq);
+    decoderctx =
+        OSSL_DECODER_CTX_new_by_EVP_PKEY(&pk, "DER", NULL, libctx, propq);
     (void)OSSL_DECODER_CTX_set_passphrase_cb(decoderctx, cb, cbarg);
 
     /* No error if this couldn't be decoded */
@@ -252,11 +282,13 @@ static EVP_PKEY *try_key_value_legacy(struct extracted_param_data_st *data,
     const unsigned char *der = data->octet_data, *derp;
     long der_len = (long)data->octet_data_size;
 
+    SET_ERR_MARK();
     /* Try PUBKEY first, that's a real easy target */
     derp = der;
     pk = d2i_PUBKEY_ex(NULL, &derp, der_len, libctx, propq);
     if (pk != NULL)
         *store_info_new = OSSL_STORE_INFO_new_PUBKEY;
+    RESET_ERR_MARK();
 
     /* Try private keys next */
     if (pk == NULL) {
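Review bot: The `goto err` path returns with the mark set by SET_ERR_MARK()/RESET_ERR_MARK() still on the thread's error queue, because only the success path reaches CLEAR_ERR_MARK(). A stale mark makes a later ERR_pop_to_mark() in an unrelated caller stop at that entry instead of popping what it meant to. Releasing the mark while keeping the reported errors is one added line: ` err:` / `    ERR_clear_last_mark();` / `    return 0;`. The body of ossl_store_handle_load_result starts outside this hunk.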
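Review bot: The reassigned `decoderctx` is still handed to OSSL_DECODER_CTX_set_passphrase_cb() on the next line without a NULL check, so a failure of the new OSSL_DECODER_CTX_new_by_EVP_PKEY() call is only caught, if at all, by that function's own argument checking, whose result the `(void)` cast discards. An explicit `if (decoderctx == NULL)` guard that releases membio and returns before the callback is installed would make the failure visible; the function's cleanup path lies outside this hunk, so the exact label is the author's to choose. try_key_value's body starts and ends outside this hunk.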
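Review bot: The SET_ERR_MARK() added here is nested inside the mark that ossl_store_handle_load_result holds around try_key, assuming try_key reaches try_key_value_legacy (the call chain is outside this hunk). ERR_set_mark() flags the top queue entry with a single bit, so when nothing has been pushed since the outer mark both marks land on the same entry, the first inner ERR_pop_to_mark() or ERR_clear_last_mark() removes the outer one too, and the caller's later RESET_ERR_MARK()/CLEAR_ERR_MARK() then runs without a mark; if the top of the queue is an older ASN1 error from before this load, that pop can discard entries the caller never intended to touch. If the nesting is deliberate, say so at this line, e.g. `/* Nested inside the caller's mark; marks on the same entry collapse */`; otherwise the marks in try_key_value_legacy could be dropped in favour of the per-step RESET_ERR_MARK() in the caller. Any early return between this SET_ERR_MARK() and the CLEAR_ERR_MARK() at the end of the function (most of the body is outside this hunk) would also leave a stale mark behind.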
@@ -292,6 +324,7 @@ static EVP_PKEY *try_key_value_legacy(struct extracted_param_data_st *data,
             }
             X509_SIG_free(p8);
         }
+        RESET_ERR_MARK();
 
         /*
          * If the encrypted PKCS#8 couldn't be decrypted,
@@ -301,23 +334,11 @@ static EVP_PKEY *try_key_value_legacy(struct extracted_param_data_st *data,
             /* Try to unpack an unencrypted PKCS#8, that's easy */
             derp = der;
             p8info = d2i_PKCS8_PRIV_KEY_INFO(NULL, &derp, der_len);
+            RESET_ERR_MARK();
             if (p8info != NULL) {
-                pk = EVP_PKCS82PKEY_with_libctx(p8info, libctx, propq);
+                pk = EVP_PKCS82PKEY_ex(p8info, libctx, propq);
                 PKCS8_PRIV_KEY_INFO_free(p8info);
             }
-
-            /*
-             * It wasn't PKCS#8, so we must try the hard way.
-             * However, we can cheat a little bit, because we know
-             * what's not yet fully supported in out decoders.
-             * TODO(3.0) Eliminate these when we have decoder support.
-             */
-            if (pk == NULL) {
-                derp = der;
-                pk = d2i_PrivateKey_ex(EVP_PKEY_SM2, NULL,
-                                       &derp, der_len,
-                                       libctx, NULL);
-            }
         }
 
         if (pk != NULL)
@@ -327,18 +348,7 @@ static EVP_PKEY *try_key_value_legacy(struct extracted_param_data_st *data,
         der = data->octet_data;
         der_len = (long)data->octet_data_size;
     }
-
-    /*
-     * Last, we try parameters. We cheat the same way we do for
-     * private keys above.
-     * TODO(3.0) Eliminate these when we have decoder support.
-     */
-    if (pk == NULL) {
-        derp = der;
-        pk = d2i_KeyParams(EVP_PKEY_SM2, NULL, &derp, der_len);
-        if (pk != NULL)
-            *store_info_new = OSSL_STORE_INFO_new_PARAMS;
-    }
+    CLEAR_ERR_MARK();
 
     return pk;
 }