This is a wrapper around OSSL_STORE.
This also adds necessary support functions:
- X509_STORE_load_file
- X509_STORE_load_path
- X509_STORE_load_store
- SSL_add_store_cert_subjects_to_stack
- SSL_CTX_set_default_verify_store
- SSL_CTX_load_verify_file
- SSL_CTX_load_verify_dir
- SSL_CTX_load_verify_store
and deprecates X509_STORE_load_locations and SSL_CTX_load_verify_locations,
as they aren't extensible.
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/8442)
X509_F_DANE_I2D:107:dane_i2d
X509_F_DIR_CTRL:102:dir_ctrl
X509_F_GET_CERT_BY_SUBJECT:103:get_cert_by_subject
+X509_F_CACHE_OBJECTS:163:cache_objects
X509_F_I2D_X509_AUX:151:i2d_X509_AUX
X509_F_LOOKUP_CERTS_SK:152:lookup_certs_sk
X509_F_NETSCAPE_SPKI_B64_DECODE:129:NETSCAPE_SPKI_b64_decode
x509_set.c x509cset.c x509rset.c x509_err.c \
x509name.c x509_v3.c x509_ext.c x509_att.c \
x509type.c x509_meth.c x509_lu.c x_all.c x509_txt.c \
- x509_trs.c by_file.c by_dir.c x509_vpm.c \
+ x509_trs.c by_file.c by_dir.c by_store.c x509_vpm.c \
x_crl.c t_crl.c x_req.c t_req.c x_x509.c t_x509.c \
x_pubkey.c x_x509a.c x_attrib.c x_exten.c x_name.c \
v3_bcons.c v3_bitst.c v3_conf.c v3_extku.c v3_ia5.c v3_lib.c \
--- /dev/null
+/*
+ * Copyright 2018 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <openssl/store.h>
+#include "internal/cryptlib.h"
+#include "crypto/x509.h"
+#include "x509_local.h"
+
+/* Generic object loader, given expected type and criterion */
+static int cache_objects(X509_LOOKUP *lctx, const char *uri,
+ const OSSL_STORE_SEARCH *criterion,
+ int depth)
+{
+ int ok = 0;
+ OSSL_STORE_CTX *ctx = NULL;
+ X509_STORE *xstore = X509_LOOKUP_get_store(lctx);
+
+ if ((ctx = OSSL_STORE_open(uri, NULL, NULL, NULL, NULL)) == NULL)
+ return 0;
+
+ /*
+ * We try to set the criterion, but don't care if it was valid or not.
+ * For a OSSL_STORE, it merely serves as an optimization, the expectation
+ * being that if the criterion couldn't be used, we will get *everything*
+ * from the container that the URI represents rather than the subset that
+ * the criterion indicates, so the biggest harm is that we cache more
+ * objects certs and CRLs than we may expect, but that's ok.
+ *
+ * Specifically for OpenSSL's own file: scheme, the only workable
+ * criterion is the BY_NAME one, which it can only apply on directories,
+ * but it's possible that the URI is a single file rather than a directory,
+ * and in that case, the BY_NAME criterion is pointless.
+ *
+ * We could very simply not apply any criterion at all here, and just let
+ * the code that selects certs and CRLs from the cached objects do its job,
+ * but it's a nice optimization when it can be applied (such as on an
+ * actual directory with a thousand CA certs).
+ */
+ if (criterion != NULL)
+ OSSL_STORE_find(ctx, criterion);
+
+ for (;;) {
+ OSSL_STORE_INFO *info = OSSL_STORE_load(ctx);
+ int infotype;
+
+ /* NULL means error or "end of file". Either way, we break. */
+ if (info == NULL)
+ break;
+
+ infotype = OSSL_STORE_INFO_get_type(info);
+ ok = 0;
+
+ if (infotype == OSSL_STORE_INFO_NAME) {
+ /*
+ * This is an entry in the "directory" represented by the current
+ * uri. if |depth| allows, dive into it.
+ */
+ if (depth > 0)
+ ok = cache_objects(lctx, OSSL_STORE_INFO_get0_NAME(info),
+ criterion, depth - 1);
+ } else {
+ /*
+ * We know that X509_STORE_add_{cert|crl} increments the object's
+ * refcount, so we can safely use OSSL_STORE_INFO_get0_{cert,crl}
+ * to get them.
+ */
+ switch (infotype) {
+ case OSSL_STORE_INFO_CERT:
+ ok = X509_STORE_add_cert(xstore,
+ OSSL_STORE_INFO_get0_CERT(info));
+ break;
+ case OSSL_STORE_INFO_CRL:
+ ok = X509_STORE_add_crl(xstore,
+ OSSL_STORE_INFO_get0_CRL(info));
+ break;
+ }
+ }
+
+ OSSL_STORE_INFO_free(info);
+ if (!ok)
+ break;
+ }
+ OSSL_STORE_close(ctx);
+
+ return ok;
+}
+
+
+/* Because OPENSSL_free is a macro and for C type match */
+static void free_uri(OPENSSL_STRING data)
+{
+ OPENSSL_free(data);
+}
+
+static void by_store_free(X509_LOOKUP *ctx)
+{
+ STACK_OF(OPENSSL_STRING) *uris = X509_LOOKUP_get_method_data(ctx);
+ sk_OPENSSL_STRING_pop_free(uris, free_uri);
+}
+
+static int by_store_ctrl(X509_LOOKUP *ctx, int cmd,
+ const char *argp, long argl,
+ char **retp)
+{
+ switch (cmd) {
+ case X509_L_ADD_STORE:
+ /* If no URI is given, use the default cert dir as default URI */
+ if (argp == NULL)
+ argp = ossl_safe_getenv(X509_get_default_cert_dir_env());
+ if (argp == NULL)
+ argp = X509_get_default_cert_dir();
+
+ {
+ STACK_OF(OPENSSL_STRING) *uris = X509_LOOKUP_get_method_data(ctx);
+
+ if (uris == NULL) {
+ uris = sk_OPENSSL_STRING_new_null();
+ X509_LOOKUP_set_method_data(ctx, uris);
+ }
+ return sk_OPENSSL_STRING_push(uris, OPENSSL_strdup(argp)) > 0;
+ }
+ case X509_L_LOAD_STORE:
+ /* This is a shortcut for quick loading of specific containers */
+ return cache_objects(ctx, argp, NULL, 0);
+ }
+
+ return 0;
+}
+
+static int by_store(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
+ const OSSL_STORE_SEARCH *criterion, X509_OBJECT *ret)
+{
+ STACK_OF(OPENSSL_STRING) *uris = X509_LOOKUP_get_method_data(ctx);
+ int i;
+ int ok = 0;
+
+ for (i = 0; i < sk_OPENSSL_STRING_num(uris); i++) {
+ ok = cache_objects(ctx, sk_OPENSSL_STRING_value(uris, i), criterion,
+ 1 /* depth */);
+
+ if (ok)
+ break;
+ }
+ return ok;
+}
+
+static int by_store_subject(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
+ X509_NAME *name, X509_OBJECT *ret)
+{
+ OSSL_STORE_SEARCH *criterion = OSSL_STORE_SEARCH_by_name(name);
+ int ok = by_store(ctx, type, criterion, ret);
+ STACK_OF(X509_OBJECT) *store_objects =
+ X509_STORE_get0_objects(X509_LOOKUP_get_store(ctx));
+ X509_OBJECT *tmp = NULL;
+
+ OSSL_STORE_SEARCH_free(criterion);
+
+ if (ok)
+ tmp = X509_OBJECT_retrieve_by_subject(store_objects, type, name);
+
+ ok = 0;
+ if (tmp != NULL) {
+ /*
+ * This could also be done like this:
+ *
+ * if (tmp != NULL) {
+ * *ret = *tmp;
+ * ok = 1;
+ * }
+ *
+ * However, we want to exercise the documented API to the max, so
+ * we do it the hard way.
+ *
+ * To be noted is that X509_OBJECT_set1_* increment the refcount,
+ * but so does X509_STORE_CTX_get_by_subject upon return of this
+ * function, so we must ensure the the refcount is decremented
+ * before we return, or we will get a refcount leak. We cannot do
+ * this with X509_OBJECT_free(), though, as that will free a bit
+ * too much.
+ */
+ switch (type) {
+ case X509_LU_X509:
+ ok = X509_OBJECT_set1_X509(ret, tmp->data.x509);
+ if (ok)
+ X509_free(tmp->data.x509);
+ break;
+ case X509_LU_CRL:
+ ok = X509_OBJECT_set1_X509_CRL(ret, tmp->data.crl);
+ if (ok)
+ X509_CRL_free(tmp->data.crl);
+ break;
+ case X509_LU_NONE:
+ break;
+ }
+ }
+ return ok;
+}
+
+/*
+ * We lack the implementations for get_by_issuer_serial, get_by_fingerprint
+ * and get_by_alias. There's simply not enough support in the X509_LOOKUP
+ * or X509_STORE APIs.
+ */
+
+static X509_LOOKUP_METHOD x509_store_lookup = {
+ "Load certs from STORE URIs",
+ NULL, /* new_item */
+ by_store_free, /* free */
+ NULL, /* init */
+ NULL, /* shutdown */
+ by_store_ctrl, /* ctrl */
+ by_store_subject, /* get_by_subject */
+ NULL, /* get_by_issuer_serial */
+ NULL, /* get_by_fingerprint */
+ NULL, /* get_by_alias */
+};
+
+X509_LOOKUP_METHOD *X509_LOOKUP_store(void)
+{
+ return &x509_store_lookup;
+}
return 0;
X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT);
+ lookup = X509_STORE_add_lookup(ctx, X509_LOOKUP_store());
+ if (lookup == NULL)
+ return 0;
+ X509_LOOKUP_add_store(lookup, NULL);
+
/* clear any errors */
ERR_clear_error();
return 1;
}
-int X509_STORE_load_locations(X509_STORE *ctx, const char *file,
- const char *path)
+int X509_STORE_load_file(X509_STORE *ctx, const char *file)
+{
+ X509_LOOKUP *lookup;
+
+ if (file == NULL
+ || (lookup = X509_STORE_add_lookup(ctx, X509_LOOKUP_file())) == NULL
+ || X509_LOOKUP_load_file(lookup, file, X509_FILETYPE_PEM) == 0)
+ return 0;
+
+ return 1;
+}
+
+int X509_STORE_load_path(X509_STORE *ctx, const char *path)
{
X509_LOOKUP *lookup;
- if (file != NULL) {
- lookup = X509_STORE_add_lookup(ctx, X509_LOOKUP_file());
- if (lookup == NULL)
- return 0;
- if (X509_LOOKUP_load_file(lookup, file, X509_FILETYPE_PEM) != 1)
- return 0;
- }
- if (path != NULL) {
- lookup = X509_STORE_add_lookup(ctx, X509_LOOKUP_hash_dir());
- if (lookup == NULL)
- return 0;
- if (X509_LOOKUP_add_dir(lookup, path, X509_FILETYPE_PEM) != 1)
- return 0;
- }
- if ((path == NULL) && (file == NULL))
+ if (path == NULL
+ || (lookup = X509_STORE_add_lookup(ctx, X509_LOOKUP_hash_dir())) == NULL
+ || X509_LOOKUP_add_dir(lookup, path, X509_FILETYPE_PEM) == 0)
+ return 0;
+
+ return 1;
+}
+
+int X509_STORE_load_store(X509_STORE *ctx, const char *uri)
+{
+ X509_LOOKUP *lookup;
+
+ if (uri == NULL
+ || (lookup = X509_STORE_add_lookup(ctx, X509_LOOKUP_store())) == NULL
+ || X509_LOOKUP_add_store(lookup, uri) == 0)
+ return 0;
+
+ return 1;
+}
+
+/* Deprecated */
+#if OPENSSL_API_LEVEL < 3
+int X509_STORE_load_locations(X509_STORE *ctx, const char *file,
+ const char *path)
+{
+ if (file == NULL && path == NULL)
+ return 0;
+ if (file != NULL && !X509_STORE_load_file(ctx, file))
+ return 0;
+ if (path != NULL && !X509_STORE_load_path(ctx, path))
return 0;
return 1;
}
+#endif
# define SSL_CONF_TYPE_FILE 0x2
# define SSL_CONF_TYPE_DIR 0x3
# define SSL_CONF_TYPE_NONE 0x4
+# define SSL_CONF_TYPE_STORE 0x5
/* Maximum length of the application-controlled segment of a a TLSv1.3 cookie */
# define SSL_COOKIE_LENGTH 4096
const char *file);
int SSL_add_dir_cert_subjects_to_stack(STACK_OF(X509_NAME) *stackCAs,
const char *dir);
+int SSL_add_store_cert_subjects_to_stack(STACK_OF(X509_NAME) *stackCAs,
+ const char *uri);
# if !OPENSSL_API_1_1_0
# define SSL_load_error_strings() \
__owur int SSL_CTX_set_default_verify_paths(SSL_CTX *ctx);
__owur int SSL_CTX_set_default_verify_dir(SSL_CTX *ctx);
__owur int SSL_CTX_set_default_verify_file(SSL_CTX *ctx);
-__owur int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
- const char *CApath);
+__owur int SSL_CTX_set_default_verify_store(SSL_CTX *ctx);
+__owur int SSL_CTX_load_verify_file(SSL_CTX *ctx, const char *CAfile);
+__owur int SSL_CTX_load_verify_dir(SSL_CTX *ctx, const char *CApath);
+__owur int SSL_CTX_load_verify_store(SSL_CTX *ctx, const char *CAstore);
+DEPRECATEDIN_3(__owur int SSL_CTX_load_verify_locations(SSL_CTX *ctx,
+ const char *CAfile,
+ const char *CApath))
# define SSL_get0_session SSL_get_session/* just peek at pointer */
__owur SSL_SESSION *SSL_get_session(const SSL *ssl);
__owur SSL_SESSION *SSL_get1_session(SSL *ssl); /* obtain a reference count */
# define X509_L_FILE_LOAD 1
# define X509_L_ADD_DIR 2
+# define X509_L_ADD_STORE 3
+# define X509_L_LOAD_STORE 4
# define X509_LOOKUP_load_file(x,name,type) \
X509_LOOKUP_ctrl((x),X509_L_FILE_LOAD,(name),(long)(type),NULL)
# define X509_LOOKUP_add_dir(x,name,type) \
X509_LOOKUP_ctrl((x),X509_L_ADD_DIR,(name),(long)(type),NULL)
+# define X509_LOOKUP_add_store(x,name) \
+ X509_LOOKUP_ctrl((x),X509_L_ADD_STORE,(name),0,NULL)
+
+# define X509_LOOKUP_load_store(x,name) \
+ X509_LOOKUP_ctrl((x),X509_L_LOAD_STORE,(name),0,NULL)
+
# define X509_V_OK 0
# define X509_V_ERR_UNSPECIFIED 1
# define X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT 2
X509_LOOKUP *X509_STORE_add_lookup(X509_STORE *v, X509_LOOKUP_METHOD *m);
X509_LOOKUP_METHOD *X509_LOOKUP_hash_dir(void);
X509_LOOKUP_METHOD *X509_LOOKUP_file(void);
+X509_LOOKUP_METHOD *X509_LOOKUP_store(void);
typedef int (*X509_LOOKUP_ctrl_fn)(X509_LOOKUP *ctx, int cmd, const char *argc,
long argl, char **ret);
X509_STORE *X509_LOOKUP_get_store(const X509_LOOKUP *ctx);
int X509_LOOKUP_shutdown(X509_LOOKUP *ctx);
-int X509_STORE_load_locations(X509_STORE *ctx,
- const char *file, const char *dir);
+int X509_STORE_load_file(X509_STORE *ctx, const char *file);
+int X509_STORE_load_path(X509_STORE *ctx, const char *path);
+int X509_STORE_load_store(X509_STORE *ctx, const char *store);
+DEPRECATEDIN_3(int X509_STORE_load_locations(X509_STORE *ctx, const char *file,
+ const char *dir))
int X509_STORE_set_default_paths(X509_STORE *ctx);
#define X509_STORE_CTX_get_ex_new_index(l, p, newf, dupf, freef) \
#include "internal/o_dir.h"
#include <openssl/bio.h>
#include <openssl/pem.h>
+#include <openssl/store.h>
#include <openssl/x509v3.h>
#include <openssl/dh.h>
#include <openssl/bn.h>
return ret;
}
+/**
+ * Add a container of certs to a stack.
+ * \param stack the stack to add to.
+ * \param file the file to add from. All certs in this file that are not
+ * already in the stack will be added.
+ * \return 1 for success, 0 for failure. Note that in the case of failure some
+ * certs may have been added to \c stack.
+ */
+
+static int add_uris_recursive(STACK_OF(X509_NAME) *stack,
+ const char *uri, int depth)
+{
+ int ok = 1;
+ OSSL_STORE_CTX *ctx = NULL;
+ X509 *x = NULL;
+ X509_NAME *xn = NULL;
+
+ if ((ctx = OSSL_STORE_open(uri, NULL, NULL, NULL, NULL)) == NULL)
+ goto err;
+
+ while (!OSSL_STORE_eof(ctx) && !OSSL_STORE_error(ctx)) {
+ OSSL_STORE_INFO *info = OSSL_STORE_load(ctx);
+ int infotype = info == 0 ? 0 : OSSL_STORE_INFO_get_type(info);
+
+ if (info == NULL)
+ continue;
+
+ if (infotype == OSSL_STORE_INFO_NAME) {
+ /*
+ * This is an entry in the "directory" represented by the current
+ * uri. if |depth| allows, dive into it.
+ */
+ if (depth == 0)
+ ok = add_uris_recursive(stack, uri, depth - 1);
+ } else if (infotype == OSSL_STORE_INFO_CERT) {
+ if ((x = OSSL_STORE_INFO_get0_CERT(info)) == NULL
+ || (xn = X509_get_subject_name(x)) == NULL
+ || (xn = X509_NAME_dup(xn)) == NULL)
+ goto err;
+ if (sk_X509_NAME_find(stack, xn) >= 0) {
+ /* Duplicate. */
+ X509_NAME_free(xn);
+ } else if (!sk_X509_NAME_push(stack, xn)) {
+ X509_NAME_free(xn);
+ goto err;
+ }
+ }
+
+ OSSL_STORE_INFO_free(info);
+ }
+
+ ERR_clear_error();
+ goto done;
+
+ err:
+ ok = 0;
+ done:
+ OSSL_STORE_close(ctx);
+
+ return ok;
+}
+
+int SSL_add_store_cert_subjects_to_stack(STACK_OF(X509_NAME) *stack,
+ const char *store)
+{
+ int (*oldcmp) (const X509_NAME *const *a, const X509_NAME *const *b)
+ = sk_X509_NAME_set_cmp_func(stack, xname_sk_cmp);
+ int ret = add_uris_recursive(stack, store, 1);
+
+ (void)sk_X509_NAME_set_cmp_func(stack, oldcmp);
+ return ret;
+}
+
/* Build a certificate chain for current certificate */
int ssl_build_cert_chain(SSL *s, SSL_CTX *ctx, int flags)
{
}
static int do_store(SSL_CONF_CTX *cctx,
- const char *CAfile, const char *CApath, int verify_store)
+ const char *CAfile, const char *CApath, const char *CAstore,
+ int verify_store)
{
CERT *cert;
X509_STORE **st;
+
if (cctx->ctx)
cert = cctx->ctx->cert;
else if (cctx->ssl)
if (*st == NULL)
return 0;
}
- return X509_STORE_load_locations(*st, CAfile, CApath) > 0;
+
+ if (CAfile != NULL && !X509_STORE_load_file(*st, CAfile))
+ return 0;
+ if (CApath != NULL && !X509_STORE_load_path(*st, CApath))
+ return 0;
+ if (CAstore != NULL && !X509_STORE_load_store(*st, CAstore))
+ return 0;
+ return 1;
}
static int cmd_ChainCAPath(SSL_CONF_CTX *cctx, const char *value)
{
- return do_store(cctx, NULL, value, 0);
+ return do_store(cctx, NULL, value, NULL, 0);
}
static int cmd_ChainCAFile(SSL_CONF_CTX *cctx, const char *value)
{
- return do_store(cctx, value, NULL, 0);
+ return do_store(cctx, value, NULL, NULL, 0);
+}
+
+static int cmd_ChainCAStore(SSL_CONF_CTX *cctx, const char *value)
+{
+ return do_store(cctx, NULL, NULL, value, 0);
}
static int cmd_VerifyCAPath(SSL_CONF_CTX *cctx, const char *value)
{
- return do_store(cctx, NULL, value, 1);
+ return do_store(cctx, NULL, value, NULL, 1);
}
static int cmd_VerifyCAFile(SSL_CONF_CTX *cctx, const char *value)
{
- return do_store(cctx, value, NULL, 1);
+ return do_store(cctx, value, NULL, NULL, 1);
+}
+
+static int cmd_VerifyCAStore(SSL_CONF_CTX *cctx, const char *value)
+{
+ return do_store(cctx, NULL, NULL, value, 1);
}
static int cmd_RequestCAFile(SSL_CONF_CTX *cctx, const char *value)
return cmd_RequestCAPath(cctx, value);
}
+static int cmd_RequestCAStore(SSL_CONF_CTX *cctx, const char *value)
+{
+ if (cctx->canames == NULL)
+ cctx->canames = sk_X509_NAME_new_null();
+ if (cctx->canames == NULL)
+ return 0;
+ return SSL_add_store_cert_subjects_to_stack(cctx->canames, value);
+}
+
+static int cmd_ClientCAStore(SSL_CONF_CTX *cctx, const char *value)
+{
+ return cmd_RequestCAStore(cctx, value);
+}
+
#ifndef OPENSSL_NO_DH
static int cmd_DHParameters(SSL_CONF_CTX *cctx, const char *value)
{
SSL_CONF_TYPE_DIR),
SSL_CONF_CMD(ChainCAFile, "chainCAfile", SSL_CONF_FLAG_CERTIFICATE,
SSL_CONF_TYPE_FILE),
+ SSL_CONF_CMD(ChainCAStore, "chainCAstore", SSL_CONF_FLAG_CERTIFICATE,
+ SSL_CONF_TYPE_STORE),
SSL_CONF_CMD(VerifyCAPath, "verifyCApath", SSL_CONF_FLAG_CERTIFICATE,
SSL_CONF_TYPE_DIR),
SSL_CONF_CMD(VerifyCAFile, "verifyCAfile", SSL_CONF_FLAG_CERTIFICATE,
SSL_CONF_TYPE_FILE),
+ SSL_CONF_CMD(VerifyCAStore, "verifyCAstore", SSL_CONF_FLAG_CERTIFICATE,
+ SSL_CONF_TYPE_STORE),
SSL_CONF_CMD(RequestCAFile, "requestCAFile", SSL_CONF_FLAG_CERTIFICATE,
SSL_CONF_TYPE_FILE),
SSL_CONF_CMD(ClientCAFile, NULL,
SSL_CONF_CMD(ClientCAPath, NULL,
SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE,
SSL_CONF_TYPE_DIR),
+ SSL_CONF_CMD(RequestCAStore, "requestCAStore", SSL_CONF_FLAG_CERTIFICATE,
+ SSL_CONF_TYPE_STORE),
+ SSL_CONF_CMD(ClientCAStore, NULL,
+ SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE,
+ SSL_CONF_TYPE_STORE),
#ifndef OPENSSL_NO_DH
SSL_CONF_CMD(DHParameters, "dhparam",
SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CERTIFICATE,
lookup = X509_STORE_add_lookup(ctx->cert_store, X509_LOOKUP_hash_dir());
if (lookup == NULL)
return 0;
+
+ /* We ignore errors, in case the directory doesn't exist */
+ ERR_set_mark();
+
X509_LOOKUP_add_dir(lookup, NULL, X509_FILETYPE_DEFAULT);
- /* Clear any errors if the default directory does not exist */
- ERR_clear_error();
+ ERR_pop_to_mark();
return 1;
}
if (lookup == NULL)
return 0;
+ /* We ignore errors, in case the directory doesn't exist */
+ ERR_set_mark();
+
X509_LOOKUP_load_file(lookup, NULL, X509_FILETYPE_DEFAULT);
- /* Clear any errors if the default file does not exist */
- ERR_clear_error();
+ ERR_pop_to_mark();
return 1;
}
+int SSL_CTX_set_default_verify_store(SSL_CTX *ctx)
+{
+ X509_LOOKUP *lookup;
+
+ lookup = X509_STORE_add_lookup(ctx->cert_store, X509_LOOKUP_store());
+ if (lookup == NULL)
+ return 0;
+
+ /* We ignore errors, in case the directory doesn't exist */
+ ERR_set_mark();
+
+ X509_LOOKUP_add_store(lookup, NULL);
+
+ ERR_pop_to_mark();
+
+ return 1;
+}
+
+int SSL_CTX_load_verify_file(SSL_CTX *ctx, const char *CAfile)
+{
+ return X509_STORE_load_file(ctx->cert_store, CAfile);
+}
+
+int SSL_CTX_load_verify_dir(SSL_CTX *ctx, const char *CApath)
+{
+ return X509_STORE_load_path(ctx->cert_store, CApath);
+}
+
+int SSL_CTX_load_verify_store(SSL_CTX *ctx, const char *CAstore)
+{
+ return X509_STORE_load_store(ctx->cert_store, CAstore);
+}
+
+#if OPENSSL_API_LEVEL < 3
int SSL_CTX_load_verify_locations(SSL_CTX *ctx, const char *CAfile,
const char *CApath)
{
- return X509_STORE_load_locations(ctx->cert_store, CAfile, CApath);
+ if (CAfile == NULL && CApath == NULL)
+ return 0;
+ if (CAfile != NULL && !SSL_CTX_load_verify_file(ctx, CAfile))
+ return 0;
+ if (CApath != NULL && !SSL_CTX_load_verify_dir(ctx, CApath))
+ return 0;
+ return 1;
}
+#endif
void SSL_set_info_callback(SSL *ssl,
void (*cb) (const SSL *ssl, int type, int val))
i2d_RSAPrivateKey 2169 3_0_0 EXIST::FUNCTION:RSA
d2i_CERTIFICATEPOLICIES 2170 3_0_0 EXIST::FUNCTION:
CMAC_CTX_get0_cipher_ctx 2171 3_0_0 EXIST::FUNCTION:CMAC
-X509_STORE_load_locations 2172 3_0_0 EXIST::FUNCTION:
+X509_STORE_load_locations 2172 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3
OBJ_find_sigid_algs 2173 3_0_0 EXIST::FUNCTION:
TS_RESP_CTX_set_accuracy 2174 3_0_0 EXIST::FUNCTION:TS
NETSCAPE_SPKI_get_pubkey 2175 3_0_0 EXIST::FUNCTION:
OSSL_CMP_CTX_snprint_PKIStatus 4970 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_HDR_get0_transactionID 4971 3_0_0 EXIST::FUNCTION:CMP
OSSL_CMP_HDR_get0_recipNonce 4972 3_0_0 EXIST::FUNCTION:CMP
+X509_LOOKUP_store 4973 3_0_0 EXIST::FUNCTION:
+X509_STORE_load_file 4974 3_0_0 EXIST::FUNCTION:
+X509_STORE_load_path 4975 3_0_0 EXIST::FUNCTION:
+X509_STORE_load_store 4976 3_0_0 EXIST::FUNCTION:
SSL_new 355 3_0_0 EXIST::FUNCTION:
TLSv1_1_method 356 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_1_1_0,TLS1_1_METHOD
SSL_CTX_get_cert_store 357 3_0_0 EXIST::FUNCTION:
-SSL_CTX_load_verify_locations 358 3_0_0 EXIST::FUNCTION:
+SSL_CTX_load_verify_locations 358 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3
SSL_SESSION_print_fp 359 3_0_0 EXIST::FUNCTION:STDIO
SSL_get0_dane_tlsa 360 3_0_0 EXIST::FUNCTION:
SSL_CTX_set_generate_session_id 361 3_0_0 EXIST::FUNCTION:
SSL_sendfile 507 3_0_0 EXIST::FUNCTION:
OSSL_default_cipher_list 508 3_0_0 EXIST::FUNCTION:
OSSL_default_ciphersuites 509 3_0_0 EXIST::FUNCTION:
+SSL_add_store_cert_subjects_to_stack 510 3_0_0 EXIST::FUNCTION:
+SSL_CTX_set_default_verify_store 511 3_0_0 EXIST::FUNCTION:
+SSL_CTX_load_verify_file 512 3_0_0 EXIST::FUNCTION:
+SSL_CTX_load_verify_dir 513 3_0_0 EXIST::FUNCTION:
+SSL_CTX_load_verify_store 514 3_0_0 EXIST::FUNCTION: