public/openssl
1
0
Fork 0
Code Issues Pull requests Projects Releases Packages Wiki Activity Actions

X509_LOOKUP_store: new X509_LOOKUP_METHOD that works by OSSL_STORE URI

Browse source 
This is a wrapper around OSSL_STORE.

This also adds necessary support functions:

- X509_STORE_load_file
- X509_STORE_load_path
- X509_STORE_load_store
- SSL_add_store_cert_subjects_to_stack
- SSL_CTX_set_default_verify_store
- SSL_CTX_load_verify_file
- SSL_CTX_load_verify_dir
- SSL_CTX_load_verify_store

and deprecates X509_STORE_load_locations and SSL_CTX_load_verify_locations,
as they aren't extensible.

Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8442)
This commit is contained in:
Richard Levitte 2019-03-06 23:34:19 +01:00
parent e3c4ad283b
commit 6dcb100f89
11 changed files with 486 additions and 35 deletions
Download patch file Download diff file Expand all files Collapse all files

1
crypto/err/openssl.txt
View file

@ -1828,6 +1828,7 @@ X509_F_COMMON_VERIFY_SM2:165:common_verify_sm2
X509_F_DANE_I2D:107:dane_i2d
X509_F_DIR_CTRL:102:dir_ctrl
X509_F_GET_CERT_BY_SUBJECT:103:get_cert_by_subject
X509_F_CACHE_OBJECTS:163:cache_objects
X509_F_I2D_X509_AUX:151:i2d_X509_AUX
X509_F_LOOKUP_CERTS_SK:152:lookup_certs_sk
X509_F_NETSCAPE_SPKI_B64_DECODE:129:NETSCAPE_SPKI_b64_decode

2
crypto/x509/build.info
View file

@ -5,7 +5,7 @@ SOURCE[../../libcrypto]=\
x509_set.c x509cset.c x509rset.c x509_err.c \
x509name.c x509_v3.c x509_ext.c x509_att.c \
x509type.c x509_meth.c x509_lu.c x_all.c x509_txt.c \
x509_trs.c by_file.c by_dir.c x509_vpm.c \
x509_trs.c by_file.c by_dir.c by_store.c x509_vpm.c \
x_crl.c t_crl.c x_req.c t_req.c x_x509.c t_x509.c \
x_pubkey.c x_x509a.c x_attrib.c x_exten.c x_name.c \
v3_bcons.c v3_bitst.c v3_conf.c v3_extku.c v3_ia5.c v3_lib.c \

227
crypto/x509/by_store.c Normal file
View file

@ -0,0 +1,227 @@
/*
* Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
*
* Licensed under the Apache License 2.0 (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
*/
#include <openssl/store.h>
#include "internal/cryptlib.h"
#include "crypto/x509.h"
#include "x509_local.h"
/* Generic object loader, given expected type and criterion */
static int cache_objects(X509_LOOKUP *lctx, const char *uri,
const OSSL_STORE_SEARCH *criterion,
int depth)
{
int ok = 0;
OSSL_STORE_CTX *ctx = NULL;
X509_STORE *xstore = X509_LOOKUP_get_store(lctx);
if ((ctx = OSSL_STORE_open(uri, NULL, NULL, NULL, NULL)) == NULL)
return 0;
/*
* We try to set the criterion, but don't care if it was valid or not.
* For a OSSL_STORE, it merely serves as an optimization, the expectation
* being that if the criterion couldn't be used, we will get *everything*
* from the container that the URI represents rather than the subset that
* the criterion indicates, so the biggest harm is that we cache more
* objects certs and CRLs than we may expect, but that's ok.
*
* Specifically for OpenSSL's own file: scheme, the only workable
* criterion is the BY_NAME one, which it can only apply on directories,
* but it's possible that the URI is a single file rather than a directory,
* and in that case, the BY_NAME criterion is pointless.
*
* We could very simply not apply any criterion at all here, and just let
* the code that selects certs and CRLs from the cached objects do its job,
* but it's a nice optimization when it can be applied (such as on an
* actual directory with a thousand CA certs).
*/
if (criterion != NULL)
OSSL_STORE_find(ctx, criterion);
for (;;) {
OSSL_STORE_INFO *info = OSSL_STORE_load(ctx);
int infotype;
/* NULL means error or "end of file". Either way, we break. */
if (info == NULL)
break;
infotype = OSSL_STORE_INFO_get_type(info);
ok = 0;
if (infotype == OSSL_STORE_INFO_NAME) {
/*
* This is an entry in the "directory" represented by the current
* uri. if |depth| allows, dive into it.
*/
if (depth > 0)
ok = cache_objects(lctx, OSSL_STORE_INFO_get0_NAME(info),
criterion, depth - 1);
} else {
/*
* We know that X509_STORE_add_{cert|crl} increments the object's
* refcount, so we can safely use OSSL_STORE_INFO_get0_{cert,crl}
* to get them.
*/
switch (infotype) {
case OSSL_STORE_INFO_CERT:
ok = X509_STORE_add_cert(xstore,
OSSL_STORE_INFO_get0_CERT(info));
break;
case OSSL_STORE_INFO_CRL:
ok = X509_STORE_add_crl(xstore,
OSSL_STORE_INFO_get0_CRL(info));
break;
}
}
OSSL_STORE_INFO_free(info);
if (!ok)
break;
}
OSSL_STORE_close(ctx);
return ok;
}
/* Because OPENSSL_free is a macro and for C type match */
static void free_uri(OPENSSL_STRING data)
{
OPENSSL_free(data);
}
static void by_store_free(X509_LOOKUP *ctx)
{
STACK_OF(OPENSSL_STRING) *uris = X509_LOOKUP_get_method_data(ctx);
sk_OPENSSL_STRING_pop_free(uris, free_uri);
}
static int by_store_ctrl(X509_LOOKUP *ctx, int cmd,
const char *argp, long argl,
char **retp)
{
switch (cmd) {
case X509_L_ADD_STORE:
/* If no URI is given, use the default cert dir as default URI */
if (argp == NULL)
argp = ossl_safe_getenv(X509_get_default_cert_dir_env());
if (argp == NULL)
argp = X509_get_default_cert_dir();
{
STACK_OF(OPENSSL_STRING) *uris = X509_LOOKUP_get_method_data(ctx);
if (uris == NULL) {
uris = sk_OPENSSL_STRING_new_null();
X509_LOOKUP_set_method_data(ctx, uris);
}
return sk_OPENSSL_STRING_push(uris, OPENSSL_strdup(argp)) > 0;
}
case X509_L_LOAD_STORE:
/* This is a shortcut for quick loading of specific containers */
return cache_objects(ctx, argp, NULL, 0);
}
return 0;
}
static int by_store(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
const OSSL_STORE_SEARCH *criterion, X509_OBJECT *ret)
{
STACK_OF(OPENSSL_STRING) *uris = X509_LOOKUP_get_method_data(ctx);
int i;
int ok = 0;
for (i = 0; i < sk_OPENSSL_STRING_num(uris); i++) {
ok = cache_objects(ctx, sk_OPENSSL_STRING_value(uris, i), criterion,
1 /* depth */);
if (ok)
break;
}
return ok;
}
static int by_store_subject(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
X509_NAME *name, X509_OBJECT *ret)
{
OSSL_STORE_SEARCH *criterion = OSSL_STORE_SEARCH_by_name(name);
int ok = by_store(ctx, type, criterion, ret);
STACK_OF(X509_OBJECT) *store_objects =
X509_STORE_get0_objects(X509_LOOKUP_get_store(ctx));
X509_OBJECT *tmp = NULL;
OSSL_STORE_SEARCH_free(criterion);
if (ok)
tmp = X509_OBJECT_retrieve_by_subject(store_objects, type, name);
ok = 0;
if (tmp != NULL) {
/*
* This could also be done like this:
*
* if (tmp != NULL) {
* *ret = *tmp;
* ok = 1;
* }
*
* However, we want to exercise the documented API to the max, so
* we do it the hard way.
*
* To be noted is that X509_OBJECT_set1_* increment the refcount,
* but so does X509_STORE_CTX_get_by_subject upon return of this
* function, so we must ensure the the refcount is decremented
* before we return, or we will get a refcount leak. We cannot do
* this with X509_OBJECT_free(), though, as that will free a bit
* too much.
*/
switch (type) {
case X509_LU_X509:
ok = X509_OBJECT_set1_X509(ret, tmp->data.x509);
if (ok)
X509_free(tmp->data.x509);
break;
case X509_LU_CRL:
ok = X509_OBJECT_set1_X509_CRL(ret, tmp->data.crl);
if (ok)
X509_CRL_free(tmp->data.crl);
break;
case X509_LU_NONE:
break;
}
}
return ok;
}
/*
* We lack the implementations for get_by_issuer_serial, get_by_fingerprint
* and get_by_alias. There's simply not enough support in the X509_LOOKUP
* or X509_STORE APIs.
*/
static X509_LOOKUP_METHOD x509_store_lookup = {
"Load certs from STORE URIs",
NULL, /* new_item */
by_store_free, /* free */
NULL, /* init */
NULL, /* shutdown */
by_store_ctrl, /* ctrl */
by_store_subject, /* get_by_subject */
NULL, /* get_by_issuer_serial */
NULL, /* get_by_fingerprint */
NULL, /* get_by_alias */
};
X509_LOOKUP_METHOD *X509_LOOKUP_store(void)
{
return &x509_store_lookup;
}

58
crypto/x509/x509_d2.c
View file

@ -26,32 +26,64 @@ int X509_STORE_set_default_paths(X509_STORE *ctx)
return 0;
X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT);
lookup = X509_STORE_add_lookup(ctx, X509_LOOKUP_store());
if (lookup == NULL)
return 0;
X509_LOOKUP_add_store(lookup, NULL);
/* clear any errors */
ERR_clear_error();
return 1;
}
int X509_STORE_load_locations(X509_STORE *ctx, const char *file,
const char *path)
int X509_STORE_load_file(X509_STORE *ctx, const char *file)
{
X509_LOOKUP *lookup;
if (file != NULL) {
lookup = X509_STORE_add_lookup(ctx, X509_LOOKUP_file());
if (lookup == NULL)
if (file == NULL
|| (lookup = X509_STORE_add_lookup(ctx, X509_LOOKUP_file())) == NULL
|| X509_LOOKUP_load_file(lookup, file, X509_FILETYPE_PEM) == 0)
return 0;
if (X509_LOOKUP_load_file(lookup, file, X509_FILETYPE_PEM) != 1)
return 1;
}
int X509_STORE_load_path(X509_STORE *ctx, const char *path)
{
X509_LOOKUP *lookup;
if (path == NULL
|| (lookup = X509_STORE_add_lookup(ctx, X509_LOOKUP_hash_dir())) == NULL
|| X509_LOOKUP_add_dir(lookup, path, X509_FILETYPE_PEM) == 0)
return 0;
}
if (path != NULL) {
lookup = X509_STORE_add_lookup(ctx, X509_LOOKUP_hash_dir());
if (lookup == NULL)
return 1;
}
int X509_STORE_load_store(X509_STORE *ctx, const char *uri)
{
X509_LOOKUP *lookup;
if (uri == NULL
|| (lookup = X509_STORE_add_lookup(ctx, X509_LOOKUP_store())) == NULL
|| X509_LOOKUP_add_store(lookup, uri) == 0)
return 0;
if (X509_LOOKUP_add_dir(lookup, path, X509_FILETYPE_PEM) != 1)
return 1;
}
/* Deprecated */
#if OPENSSL_API_LEVEL < 3
int X509_STORE_load_locations(X509_STORE *ctx, const char *file,
const char *path)
{
if (file == NULL && path == NULL)
return 0;
}
if ((path == NULL) && (file == NULL))
if (file != NULL && !X509_STORE_load_file(ctx, file))
return 0;
if (path != NULL && !X509_STORE_load_path(ctx, path))
return 0;
return 1;
}
#endif

12
include/openssl/ssl.h
View file

@ -598,6 +598,7 @@ typedef int (*SSL_async_callback_fn)(SSL *s, void *arg);
# define SSL_CONF_TYPE_FILE 0x2
# define SSL_CONF_TYPE_DIR 0x3
# define SSL_CONF_TYPE_NONE 0x4
# define SSL_CONF_TYPE_STORE 0x5
/* Maximum length of the application-controlled segment of a a TLSv1.3 cookie */
# define SSL_COOKIE_LENGTH 4096
@ -1626,6 +1627,8 @@ __owur int SSL_add_file_cert_subjects_to_stack(STACK_OF(X509_NAME) *stackCAs,
const char *file);
int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stackCAs,
const char *dir);
int SSL_add_store_cert_subjects_to_stack(STACK_OF(X509_NAME) *stackCAs,
const char *uri);
# if !OPENSSL_API_1_1_0
# define SSL_load_error_strings() \
@ -2013,8 +2016,13 @@ __owur int SSL_client_version(const SSL *s);
__owur int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx);
__owur int SSL_CTX_set_default_verify_dir(SSL_CTX *ctx);
__owur int SSL_CTX_set_default_verify_file(SSL_CTX *ctx);
__owur int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
const char *CApath);
__owur int SSL_CTX_set_default_verify_store(SSL_CTX *ctx);
__owur int SSL_CTX_load_verify_file(SSL_CTX *ctx, const char *CAfile);
__owur int SSL_CTX_load_verify_dir(SSL_CTX *ctx, const char *CApath);
__owur int SSL_CTX_load_verify_store(SSL_CTX *ctx, const char *CAstore);
DEPRECATEDIN_3(__owur int SSL_CTX_load_verify_locations(SSL_CTX *ctx,
const char *CAfile,
const char *CApath))
# define SSL_get0_session SSL_get_session/* just peek at pointer */
__owur SSL_SESSION *SSL_get_session(const SSL *ssl);
__owur SSL_SESSION *SSL_get1_session(SSL *ssl); /* obtain a reference count */

16
include/openssl/x509_vfy.h
View file

@ -95,6 +95,8 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
# define X509_L_FILE_LOAD 1
# define X509_L_ADD_DIR 2
# define X509_L_ADD_STORE 3
# define X509_L_LOAD_STORE 4
# define X509_LOOKUP_load_file(x,name,type) \
X509_LOOKUP_ctrl((x),X509_L_FILE_LOAD,(name),(long)(type),NULL)
@ -102,6 +104,12 @@ void X509_STORE_CTX_set_depth(X509_STORE_CTX *ctx, int depth);
# define X509_LOOKUP_add_dir(x,name,type) \
X509_LOOKUP_ctrl((x),X509_L_ADD_DIR,(name),(long)(type),NULL)
# define X509_LOOKUP_add_store(x,name) \
X509_LOOKUP_ctrl((x),X509_L_ADD_STORE,(name),0,NULL)
# define X509_LOOKUP_load_store(x,name) \
X509_LOOKUP_ctrl((x),X509_L_LOAD_STORE,(name),0,NULL)
# define X509_V_OK 0
# define X509_V_ERR_UNSPECIFIED 1
# define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT 2
@ -383,6 +391,7 @@ X509_STORE_CTX_cleanup_fn X509_STORE_CTX_get_cleanup(X509_STORE_CTX *ctx);
X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, X509_LOOKUP_METHOD *m);
X509_LOOKUP_METHOD *X509_LOOKUP_hash_dir(void);
X509_LOOKUP_METHOD *X509_LOOKUP_file(void);
X509_LOOKUP_METHOD *X509_LOOKUP_store(void);
typedef int (*X509_LOOKUP_ctrl_fn)(X509_LOOKUP *ctx, int cmd, const char *argc,
long argl, char **ret);
@ -488,8 +497,11 @@ void *X509_LOOKUP_get_method_data(const X509_LOOKUP *ctx);
X509_STORE *X509_LOOKUP_get_store(const X509_LOOKUP *ctx);
int X509_LOOKUP_shutdown(X509_LOOKUP *ctx);
int X509_STORE_load_locations(X509_STORE *ctx,
const char *file, const char *dir);
int X509_STORE_load_file(X509_STORE *ctx, const char *file);
int X509_STORE_load_path(X509_STORE *ctx, const char *path);
int X509_STORE_load_store(X509_STORE *ctx, const char *store);
DEPRECATEDIN_3(int X509_STORE_load_locations(X509_STORE *ctx, const char *file,
const char *dir))
int X509_STORE_set_default_paths(X509_STORE *ctx);
#define X509_STORE_CTX_get_ex_new_index(l, p, newf, dupf, freef) \

74
ssl/ssl_cert.c
View file

@ -15,6 +15,7 @@
#include "internal/o_dir.h"
#include <openssl/bio.h>
#include <openssl/pem.h>
#include <openssl/store.h>
#include <openssl/x509v3.h>
#include <openssl/dh.h>
#include <openssl/bn.h>
@ -782,6 +783,79 @@ int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
return ret;
}
/**
* Add a container of certs to a stack.
* \param stack the stack to add to.
* \param file the file to add from. All certs in this file that are not
* already in the stack will be added.
* \return 1 for success, 0 for failure. Note that in the case of failure some
* certs may have been added to \c stack.
*/
static int add_uris_recursive(STACK_OF(X509_NAME) *stack,
const char *uri, int depth)
{
int ok = 1;
OSSL_STORE_CTX *ctx = NULL;
X509 *x = NULL;
X509_NAME *xn = NULL;
if ((ctx = OSSL_STORE_open(uri, NULL, NULL, NULL, NULL)) == NULL)
goto err;
while (!OSSL_STORE_eof(ctx) && !OSSL_STORE_error(ctx)) {
OSSL_STORE_INFO *info = OSSL_STORE_load(ctx);
int infotype = info == 0 ? 0 : OSSL_STORE_INFO_get_type(info);
if (info == NULL)
continue;
if (infotype == OSSL_STORE_INFO_NAME) {
/*
* This is an entry in the "directory" represented by the current
* uri. if |depth| allows, dive into it.
*/
if (depth == 0)
ok = add_uris_recursive(stack, uri, depth - 1);
} else if (infotype == OSSL_STORE_INFO_CERT) {
if ((x = OSSL_STORE_INFO_get0_CERT(info)) == NULL
|| (xn = X509_get_subject_name(x)) == NULL
|| (xn = X509_NAME_dup(xn)) == NULL)
goto err;
if (sk_X509_NAME_find(stack, xn) >= 0) {
/* Duplicate. */
X509_NAME_free(xn);
} else if (!sk_X509_NAME_push(stack, xn)) {
X509_NAME_free(xn);
goto err;
}
}
OSSL_STORE_INFO_free(info);
}
ERR_clear_error();
goto done;
err:
ok = 0;
done:
OSSL_STORE_close(ctx);
return ok;
}
int SSL_add_store_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
const char *store)
{
int (*oldcmp) (const X509_NAME *const *a, const X509_NAME *const *b)
= sk_X509_NAME_set_cmp_func(stack, xname_sk_cmp);
int ret = add_uris_recursive(stack, store, 1);
(void)sk_X509_NAME_set_cmp_func(stack, oldcmp);
return ret;
}
/* Build a certificate chain for current certificate */
int ssl_build_cert_chain(SSL *s, SSL_CTX *ctx, int flags)
{

54
ssl/ssl_conf.c
View file

@ -455,10 +455,12 @@ static int cmd_ServerInfoFile(SSL_CONF_CTX *cctx, const char *value)
}
static int do_store(SSL_CONF_CTX *cctx,
const char *CAfile, const char *CApath, int verify_store)
const char *CAfile, const char *CApath, const char *CAstore,
int verify_store)
{
CERT *cert;
X509_STORE **st;
if (cctx->ctx)
cert = cctx->ctx->cert;
else if (cctx->ssl)
@ -471,27 +473,44 @@ static int do_store(SSL_CONF_CTX *cctx,
if (*st == NULL)
return 0;
}
return X509_STORE_load_locations(*st, CAfile, CApath) > 0;
if (CAfile != NULL && !X509_STORE_load_file(*st, CAfile))
return 0;
if (CApath != NULL && !X509_STORE_load_path(*st, CApath))
return 0;
if (CAstore != NULL && !X509_STORE_load_store(*st, CAstore))
return 0;
return 1;
}
static int cmd_ChainCAPath(SSL_CONF_CTX *cctx, const char *value)
{
return do_store(cctx, NULL, value, 0);
return do_store(cctx, NULL, value, NULL, 0);
}
static int cmd_ChainCAFile(SSL_CONF_CTX *cctx, const char *value)
{
return do_store(cctx, value, NULL, 0);
return do_store(cctx, value, NULL, NULL, 0);
}
static int cmd_ChainCAStore(SSL_CONF_CTX *cctx, const char *value)
{
return do_store(cctx, NULL, NULL, value, 0);
}
static int cmd_VerifyCAPath(SSL_CONF_CTX *cctx, const char *value)
{
return do_store(cctx, NULL, value, 1);
return do_store(cctx, NULL, value, NULL, 1);
}
static int cmd_VerifyCAFile(SSL_CONF_CTX *cctx, const char *value)
{
return do_store(cctx, value, NULL, 1);
return do_store(cctx, value, NULL, NULL, 1);
}
static int cmd_VerifyCAStore(SSL_CONF_CTX *cctx, const char *value)
{
return do_store(cctx, NULL, NULL, value, 1);
}
static int cmd_RequestCAFile(SSL_CONF_CTX *cctx, const char *value)
@ -522,6 +541,20 @@ static int cmd_ClientCAPath(SSL_CONF_CTX *cctx, const char *value)
return cmd_RequestCAPath(cctx, value);
}
static int cmd_RequestCAStore(SSL_CONF_CTX *cctx, const char *value)
{
if (cctx->canames == NULL)
cctx->canames = sk_X509_NAME_new_null();
if (cctx->canames == NULL)
return 0;
return SSL_add_store_cert_subjects_to_stack(cctx->canames, value);
}
static int cmd_ClientCAStore(SSL_CONF_CTX *cctx, const char *value)
{
return cmd_RequestCAStore(cctx, value);
}
#ifndef OPENSSL_NO_DH
static int cmd_DHParameters(SSL_CONF_CTX *cctx, const char *value)
{
@ -651,10 +684,14 @@ static const ssl_conf_cmd_tbl ssl_conf_cmds[] = {
SSL_CONF_TYPE_DIR),
SSL_CONF_CMD(ChainCAFile, "chainCAfile", SSL_CONF_FLAG_CERTIFICATE,
SSL_CONF_TYPE_FILE),
SSL_CONF_CMD(ChainCAStore, "chainCAstore", SSL_CONF_FLAG_CERTIFICATE,
SSL_CONF_TYPE_STORE),
SSL_CONF_CMD(VerifyCAPath, "verifyCApath", SSL_CONF_FLAG_CERTIFICATE,
SSL_CONF_TYPE_DIR),
SSL_CONF_CMD(VerifyCAFile, "verifyCAfile", SSL_CONF_FLAG_CERTIFICATE,
SSL_CONF_TYPE_FILE),
SSL_CONF_CMD(VerifyCAStore, "verifyCAstore", SSL_CONF_FLAG_CERTIFICATE,
SSL_CONF_TYPE_STORE),
SSL_CONF_CMD(RequestCAFile, "requestCAFile", SSL_CONF_FLAG_CERTIFICATE,
SSL_CONF_TYPE_FILE),
SSL_CONF_CMD(ClientCAFile, NULL,
@ -665,6 +702,11 @@ static const ssl_conf_cmd_tbl ssl_conf_cmds[] = {
SSL_CONF_CMD(ClientCAPath, NULL,
SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE,
SSL_CONF_TYPE_DIR),
SSL_CONF_CMD(RequestCAStore, "requestCAStore", SSL_CONF_FLAG_CERTIFICATE,
SSL_CONF_TYPE_STORE),
SSL_CONF_CMD(ClientCAStore, NULL,
SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE,
SSL_CONF_TYPE_STORE),
#ifndef OPENSSL_NO_DH
SSL_CONF_CMD(DHParameters, "dhparam",
SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE,

56
ssl/ssl_lib.c
View file

@ -4181,10 +4181,13 @@ int SSL_CTX_set_default_verify_dir(SSL_CTX *ctx)
lookup = X509_STORE_add_lookup(ctx->cert_store, X509_LOOKUP_hash_dir());
if (lookup == NULL)
return 0;
/* We ignore errors, in case the directory doesn't exist */
ERR_set_mark();
X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT);
/* Clear any errors if the default directory does not exist */
ERR_clear_error();
ERR_pop_to_mark();
return 1;
}
@ -4197,19 +4200,62 @@ int SSL_CTX_set_default_verify_file(SSL_CTX *ctx)
if (lookup == NULL)
return 0;
/* We ignore errors, in case the directory doesn't exist */
ERR_set_mark();
X509_LOOKUP_load_file(lookup, NULL, X509_FILETYPE_DEFAULT);
/* Clear any errors if the default file does not exist */
ERR_clear_error();
ERR_pop_to_mark();
return 1;
}
int SSL_CTX_set_default_verify_store(SSL_CTX *ctx)
{
X509_LOOKUP *lookup;
lookup = X509_STORE_add_lookup(ctx->cert_store, X509_LOOKUP_store());
if (lookup == NULL)
return 0;
/* We ignore errors, in case the directory doesn't exist */
ERR_set_mark();
X509_LOOKUP_add_store(lookup, NULL);
ERR_pop_to_mark();
return 1;
}
int SSL_CTX_load_verify_file(SSL_CTX *ctx, const char *CAfile)
{
return X509_STORE_load_file(ctx->cert_store, CAfile);
}
int SSL_CTX_load_verify_dir(SSL_CTX *ctx, const char *CApath)
{
return X509_STORE_load_path(ctx->cert_store, CApath);
}
int SSL_CTX_load_verify_store(SSL_CTX *ctx, const char *CAstore)
{
return X509_STORE_load_store(ctx->cert_store, CAstore);
}
#if OPENSSL_API_LEVEL < 3
int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
const char *CApath)
{
return X509_STORE_load_locations(ctx->cert_store, CAfile, CApath);
if (CAfile == NULL && CApath == NULL)
return 0;
if (CAfile != NULL && !SSL_CTX_load_verify_file(ctx, CAfile))
return 0;
if (CApath != NULL && !SSL_CTX_load_verify_dir(ctx, CApath))
return 0;
return 1;
}
#endif
void SSL_set_info_callback(SSL *ssl,
void (*cb) (const SSL *ssl, int type, int val))

6
util/libcrypto.num
View file

@ -2122,7 +2122,7 @@ X509_EXTENSION_create_by_NID 2168 3_0_0 EXIST::FUNCTION:
i2d_RSAPrivateKey 2169 3_0_0 EXIST::FUNCTION:RSA
d2i_CERTIFICATEPOLICIES 2170 3_0_0 EXIST::FUNCTION:
CMAC_CTX_get0_cipher_ctx 2171 3_0_0 EXIST::FUNCTION:CMAC
X509_STORE_load_locations 2172 3_0_0 EXIST::FUNCTION:
X509_STORE_load_locations 2172 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3
OBJ_find_sigid_algs 2173 3_0_0 EXIST::FUNCTION:
TS_RESP_CTX_set_accuracy 2174 3_0_0 EXIST::FUNCTION:TS
NETSCAPE_SPKI_get_pubkey 2175 3_0_0 EXIST::FUNCTION:
@ -4853,3 +4853,7 @@ EVP_SIGNATURE_number 4969 3_0_0 EXIST::FUNCTION:
OSSL_CMP_CTX_snprint_PKIStatus 4970 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_HDR_get0_transactionID 4971 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_HDR_get0_recipNonce 4972 3_0_0 EXIST::FUNCTION:CMP
X509_LOOKUP_store 4973 3_0_0 EXIST::FUNCTION:
X509_STORE_load_file 4974 3_0_0 EXIST::FUNCTION:
X509_STORE_load_path 4975 3_0_0 EXIST::FUNCTION:
X509_STORE_load_store 4976 3_0_0 EXIST::FUNCTION:

7
util/libssl.num
View file

@ -354,7 +354,7 @@ SSL_set_session_id_context 354 3_0_0 EXIST::FUNCTION:
SSL_new 355 3_0_0 EXIST::FUNCTION:
TLSv1_1_method 356 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_1_1_0,TLS1_1_METHOD
SSL_CTX_get_cert_store 357 3_0_0 EXIST::FUNCTION:
SSL_CTX_load_verify_locations 358 3_0_0 EXIST::FUNCTION:
SSL_CTX_load_verify_locations 358 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3
SSL_SESSION_print_fp 359 3_0_0 EXIST::FUNCTION:STDIO
SSL_get0_dane_tlsa 360 3_0_0 EXIST::FUNCTION:
SSL_CTX_set_generate_session_id 361 3_0_0 EXIST::FUNCTION:
@ -506,3 +506,8 @@ SSL_get_async_status 506 3_0_0 EXIST::FUNCTION:
SSL_sendfile 507 3_0_0 EXIST::FUNCTION:
OSSL_default_cipher_list 508 3_0_0 EXIST::FUNCTION:
OSSL_default_ciphersuites 509 3_0_0 EXIST::FUNCTION:
SSL_add_store_cert_subjects_to_stack 510 3_0_0 EXIST::FUNCTION:
SSL_CTX_set_default_verify_store 511 3_0_0 EXIST::FUNCTION:
SSL_CTX_load_verify_file 512 3_0_0 EXIST::FUNCTION:
SSL_CTX_load_verify_dir 513 3_0_0 EXIST::FUNCTION:
SSL_CTX_load_verify_store 514 3_0_0 EXIST::FUNCTION: