path: root/src/lib/libcrypto/x509/x509_lu.c

Commit message | Author | Age | Files | Lines
* Unexport the weird X509_OBJECT_up_ref_count() (tb, 10 days ago; 1 file, -3/+4)
  It's only used in x509_lu.c, so move it there. X509_OBJECT is not itself refcounted. This API bumps the refcount of its cert or CRL member. This isn't really useful outside of the library.
  ok jsing
* const correct X509_LOOKUP_METHOD (tb, 2024-08-31; 1 file, -3/+3)
  With this another family of global tables becomes const as it should always have been.
  ok beck jsing
* Simplify X509_STORE_free() (tb, 2024-03-22; 1 file, -11/+3)
  This had an inlined version of sk_pop_free(). We can just call it the right way.
  ok jsing
* Garbage collect most of the public LOOKUP API (tb, 2024-03-02; 1 file, -49/+3)
  Yet another bit of extensibility that no one ever really used. X509_LOOKUP_free() needs to stay because of ... rust-openssl (and kdelibs4support).
  ok jsing
* Prepare to provide X509_STORE_get1_objects() (tb, 2024-02-23; 1 file, -1/+66)
  The OpenSSL 1.1 API X509_STORE_get0_objects() is not thread safe. It exposes a naked internal pointer containing certificates, CRLs and cached objects added by X509_LOOKUP_hash_dir(). Thus, if the store is shared between threads, it is not possible to inspect this pointer safely since another thread could concurrently add to it. This may happen in particular during certificate verification.

  This API led to security issues in rust-openssl and is also problematic in current Python. Other consumers of X509_STORE_get0_objects() are haproxy, isync, openvpn.

  The solution is to take a snapshot of the state under a lock and return that. This is what X509_STORE_get1_objects() does. It returns a newly allocated stack that needs to be freed with sk_X509_OBJECT_pop_free(), passing X509_OBJECT_free as a second argument.

  Based on a diff by David Benjamin for BoringSSL.
  https://boringssl-review.googlesource.com/c/boringssl/+/65787

  ok beck jsing

  PS: Variants of this have landed in Python and OpenSSL 3 as well. There the sk_*deep_copy() API is used, which in OpenSSL relies on evaluating function pointers after casts (BoringSSL fixed that). Instead of using this macro insanity and exposing that garbage in public, we can do this by implementing a pedestrian, static sk_X509_OBJECT_deep_copy() by hand.
* X509_LOOKUP_shutdown() became a noop. (tb, 2023-12-27; 1 file, -2/+1)
  That we are still calling this (NB without error check because heritage) made coverity unhappy.
  CID 471705
* Remove unused X509_LOOKUP_METHODs (tb, 2023-12-25; 1 file, -16/+8)
  None of these function pointers were ever set. Now that the structure is opaque they won't ever be, so time for them to hit the bitbucket. Infinite extensibility of the toolkit results in complications, bugs, and dead code.
  ok jsing
* X509_STORE_get1_{certs,crls} become X509_STORE_CTX_* (tb, 2023-04-25; 1 file, -19/+1)
  This matches the OpenSSL 1.1 API a bit better.
* Prepare addition of X509_STORE_CTX_get1_{certs,crls}(3) (tb, 2023-04-16; 1 file, -1/+19)
  X509_STORE_get1_{certs,crls}(3) were added to the OpenSSL 1.1 API with the usual care. At some point later it was noticed that they didn't deal with an X509_STORE at all, but rather with an X509_STORE_CTX, so were misnamed. The fact that X509_STORE_CTX and X509_STORE have their roles reversed when compared to other FOO vs FOO_CTX in this API may or may not be related.

  Anyway, the X509_STORE versions will be demoted to compat defines and the X509_STORE_CTX will be added to match OpenSSL 1.1 API more closely. This was pointed out by schwarze a long time ago and missed in a few bumps. Hopefully we'll manage to do it this time around.
  ok jsing
* libressl *_namespace.h: adjust *_ALIAS() to require a semicolon (tb, 2023-02-16; 1 file, -43/+43)
  LCRYPTO_ALIAS() and LSSL_ALIAS() contained a trailing semicolon. This does not conform to style(9), breaks editors and ctags and (most importantly) my workflow. Fix this by neutering them with asm("") so that -Wpedantic doesn't complain. There's precedent in libc's namespace.h
  fix suggested by & ok jsing
* Make internal header file names consistent (tb, 2022-11-26; 1 file, -2/+2)
  Libcrypto currently has a mess of *_lcl.h, *_locl.h, and *_local.h names used for internal headers. Move all these headers we inherited from OpenSSL to *_local.h, reserving the name *_internal.h for our own code. Similarly, move dtls_locl.h and ssl_locl.h to dtls_local.h and ssl_local.h. constant_time_locl.h is moved to constant_time.h since it's special.

  Adjust all .c files in libcrypto, libssl and regress. The diff is mechanical with the exception of tls13_quic.c, where #include <ssl_locl.h> was fixed manually.
  discussed with jsing, no objection bcook
* Hide public symbols in libcrypto/x509 .c files (beck, 2022-11-14; 1 file, -1/+43)
  ok tb@
* Remove X509_OBJECT_free_contents (tb, 2022-01-14; 1 file, -17/+10)
  Inline X509_OBJECT_free_contents() in X509_OBJECT_free() and remove this dangerous API. It was left over when x509_vfy.h was made opaque.
  ok inoguchi jsing
* Prepare to provide X509_{set,get}_verify() and X509_STORE_get_verify_cb() (tb, 2022-01-05; 1 file, -4/+21)
  as well as the X509_STORE_CTX_verify_cb and X509_STORE_CTX_verify_fn types. This will fix the X509_STORE_set_verify_func macro which is currently broken, as pointed out by schwarze.
  ok inoguchi jsing
* As long as X509_OBJECT_free_contents(3) is a public API function, (schwarze, 2021-11-19; 1 file, -1/+3)
  make sure it fully re-initializes the object rather than leaving behind a stale pointer and a stale type in the object. The old behaviour was dangerous because X509_OBJECT_get_type(3) would then return the stale type to the user and one of X509_OBJECT_get0_X509(3) or X509_OBJECT_get0_X509_CRL(3) would then return the stale pointer to the user, provoking a use-after-free bug in the application program. Having these functions return X509_LU_NONE and NULL is better because those are the documented return values for these functions when the object is empty.
  OK tb@
* In X509_STORE_CTX, rename the X509_STORE store rather than ctx. (tb, 2021-11-07; 1 file, -8/+8)
  ok gnezdo jsing
* Start cleaning up X509_STORE_get1_issuer() (tb, 2021-11-06; 1 file, -15/+37)
  Get rid of the last X509_OBJECT_free_contents() call by moving the object from the stack to the heap. I deliberately kept the obj variable to keep obj and pobj separate. Rename the out parameter from issuer to out_issuer to ensure that we only assign it when we have acquired a reference that we can return. Add a new X509 *issuer. In the first part of the function, acquire an extra reference before check_issuer/check_time. In the second part of the function, acquire a reference inside the lock to avoid a race. Deal with ret only in one place.
  ok jsing
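The two lock-and-reference rules stated in the commit messages above (the X509_STORE_get1_objects() snapshot taken under a lock and freed with sk_X509_OBJECT_pop_free(), and the X509_STORE_get1_issuer() rule of acquiring a reference inside the lock to avoid a race) rendered as a small, self-contained model. This is an added example, not LibreSSL's code and not the libcrypto API: it uses no OpenSSL headers, the toy_* types and functions, the refcount layout and the three certificate subjects are all constructed for illustration, and a "concurrent" add is simulated sequentially so the example runs deterministically offline.

```c
/*
 * Added example, not LibreSSL code: a toy store showing the get1-style
 * snapshot (copied under the store lock, one reference taken per element)
 * that X509_STORE_get1_objects() returns, as opposed to a get0-style
 * accessor that exposes the live internal array. toy_* names are hypothetical.
 */
#include <pthread.h>
#include <stdlib.h>
#include <string.h>

typedef struct { int refs; char subject[32]; } toy_obj;
typedef struct { toy_obj **objs; size_t num; } toy_stack;
typedef struct { toy_stack objs; size_t alloc; pthread_mutex_t lock; } toy_store;

static toy_obj *toy_obj_new(const char *subject) {
	toy_obj *o = calloc(1, sizeof(*o));
	if (o == NULL)
		return NULL;
	o->refs = 1;
	strncpy(o->subject, subject, sizeof(o->subject) - 1);
	return o;
}

static void toy_obj_free(toy_obj *o) {
	if (o != NULL && --o->refs == 0)
		free(o);
}

static int toy_store_add(toy_store *s, toy_obj *o) {
	pthread_mutex_lock(&s->lock);
	if (s->objs.num == s->alloc) {
		/* This realloc is what leaves a get0-style reader that holds no
		 * lock (possibly on another thread) pointing into a freed array. */
		size_t n = s->alloc ? 2 * s->alloc : 2;
		toy_obj **grown = realloc(s->objs.objs, n * sizeof(*grown));
		if (grown == NULL) {
			pthread_mutex_unlock(&s->lock);
			return 0;
		}
		s->objs.objs = grown;
		s->alloc = n;
	}
	o->refs++;				/* the store takes its own reference */
	s->objs.objs[s->objs.num++] = o;
	pthread_mutex_unlock(&s->lock);
	return 1;
}

/* Copy under the lock and take each reference while the lock is still held. */
static toy_stack *toy_store_get1_objects(toy_store *s) {
	toy_stack *snap = calloc(1, sizeof(*snap));
	size_t i;
	if (snap == NULL)
		return NULL;
	pthread_mutex_lock(&s->lock);
	if ((snap->objs = calloc(s->objs.num + 1, sizeof(*snap->objs))) != NULL) {
		for (i = 0; i < s->objs.num; i++) {
			s->objs.objs[i]->refs++;	/* acquired inside the lock */
			snap->objs[i] = s->objs.objs[i];
		}
		snap->num = s->objs.num;
	}
	pthread_mutex_unlock(&s->lock);
	if (snap->objs == NULL) {
		free(snap);
		return NULL;
	}
	return snap;
}

/* Counterpart of sk_X509_OBJECT_pop_free(objs, X509_OBJECT_free). */
static void toy_stack_pop_free(toy_stack *st) {
	size_t i;
	for (i = 0; i < st->num; i++)
		toy_obj_free(st->objs[i]);
	free(st->objs);
	free(st);
}

static void toy_store_free(toy_store *s) {
	size_t i;
	for (i = 0; i < s->objs.num; i++)
		toy_obj_free(s->objs.objs[i]);
	free(s->objs.objs);
}

/* Snapshot two objects, then let the store grow and be torn down underneath
 * the snapshot. Returns the refcount on the first object once the store is
 * gone (caller + snapshot = 2), or -1 if the snapshot no longer reads back. */
static int demo_snapshot_outlives_store(void) {
	toy_store s = { { NULL, 0 }, 0, PTHREAD_MUTEX_INITIALIZER };
	toy_obj *a = toy_obj_new("CN=Root CA");		/* constructed subjects */
	toy_obj *b = toy_obj_new("CN=Intermediate");
	toy_obj *c = toy_obj_new("CN=Leaf");
	toy_stack *snap;
	int refs;
	toy_store_add(&s, a);
	toy_store_add(&s, b);
	snap = toy_store_get1_objects(&s);
	toy_store_add(&s, c);	/* stands in for a concurrent add; the array grows */
	toy_store_free(&s);
	refs = a->refs;
	if (snap->num != 2 || strcmp(snap->objs[0]->subject, "CN=Root CA") != 0 ||
	    strcmp(snap->objs[1]->subject, "CN=Intermediate") != 0)
		refs = -1;
	toy_stack_pop_free(snap);
	toy_obj_free(a); toy_obj_free(b); toy_obj_free(c);
	return refs;
}
```

The snapshot survives both the realloc triggered by the later add and the teardown of the store because every element it holds carries a reference that was taken while the store lock was held; the caller then releases those references with the pop_free counterpart, exactly the ownership contract the get1 naming signals. A get0-style accessor in this model would hand out `&s.objs` and leave the caller to read `num` and `objs` with no lock and no references, which is the hazard the X509_STORE_get1_objects() commit describes.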
* In X509_STORE_get1_issuer() do not call the verify callback from (tb, 2021-11-06; 1 file, -3/+3)
  x509_check_cert_time(). Matches a change made in OpenSSL 70dd3c65.
  ok jsing
* Refactor X509_STORE_get1_certs() (tb, 2021-11-06; 1 file, -27/+30)
  Split the retrieval of the certs in the store's cache that match the desired subject into a separate function. This greatly simplifies locking, error handling and the flow of the function.
  with/ok jsing
* First pass of streamlining X509_STORE_get1_{certs,crls}() (tb, 2021-11-05; 1 file, -66/+77)
  These functions are quite messy. On top of the tricky logic querying the cache, then refreshing the cache (unconditionally or not), then querying again, then extracting a list of certs/crls and bumping their refcounts, things are intermixed with locking and needlessly early allocations that then need to be cleaned up again.

  Use X509_STORE_CTX_get_obj_by_subject() to avoid using an object on the stack and defer allocation of the returned stack of certs to later. Flatten the logic a bit and prepare for further refactoring.
  ok jsing
* Trade an abort() neutered by a comment for a blank line elsewhere. (tb, 2021-11-05; 1 file, -2/+2)
* Clean up X509_STORE_add_{cert,crl}(). (tb, 2021-11-05; 1 file, -69/+41)
  Add an X509_STORE_add_object() function that adds an X509 object to the store and takes care of locking and cleaning up. This way we can set up an X509_OBJECT for both the cert and CRL case and hand over to the new function.

  There is one intentional change of behavior: if there is an attempt to add an object which is already present in the store, succeed instead of throwing an error. This makes sense and is also the OpenSSL behavior. As pointed out by jsing, this is a partial fix for the long standing GH issue #100 on libtls where connections would fail if the store contains duplicate certificates.

  Also: remove the internal X509_OBJECT_dec_ref_count(), which is no longer used.
  ok jsing
* Unify variable names in X509_STORE_{free,up_ref,add_lookup}(). (tb, 2021-11-05; 1 file, -29/+26)
  Simplify the flow of X509_add_lookup().
  ok jsing
* Rename the ret variable in X509_OBJECT_new() to obj. (tb, 2021-11-05; 1 file, -5/+5)
  ok jsing
* Garbage collect the unused skip member of X509_LOOKUP and (tb, 2021-11-05; 1 file, -3/+1)
  the unused cache member of X509_STORE.
  ok jsing
* Use calloc() to remove the need of silly zeroing of most members. (tb, 2021-11-05; 1 file, -28/+18)
  Check for allocation failures and if one happens push an error on the stack and clean up using X509_STORE_free().
  ok jsing
* Streamline and shorten x509_object_cmp() a bit. (tb, 2021-11-05; 1 file, -11/+6)
  ok jsing
* Drop a bunch of unnecessary parentheses and unify the order in which (tb, 2021-11-05; 1 file, -17/+13)
  callbacks are called.
  ok jsing
* Cleanup X509_LOOKUP_new() (tb, 2021-11-05; 1 file, -12/+11)
  Switch from malloc() to calloc() and drop a bunch of initializations to 0. Call the returned object lu instead of the generic ret.
  ok jsing
* Garbage collect xobj->data.{ptr,pkey} (tb, 2021-11-05; 1 file, -6/+6)
  Both these are essentially unused. Remove the last use of data.ptr by initializing and copying the X509_OBJECT using memset() and struct assignment in X509_STORE_CTX_get_subject_by_name() and add a missing error check for X509_OBJECT_up_ref_count() while there.
  ok beck
* In X509_STORE_CTX_get_obj_from_subject() rename X509_OBJECT from (tb, 2021-11-01; 1 file, -6/+6)
  the generic 'ret' to 'obj' in X509.
  Requested by jsing
* Prepare to provide X509_STORE_CTX_get_obj_by_subject(), a wrapper (tb, 2021-10-31; 1 file, -1/+17)
  around X509_STORE_get_by_subject() that eliminates the need of allocating an object on the heap by hand.
  ok beck inoguchi jsing
* Switch various X509 API to use the new X509_LOOKUP_TYPE to match (tb, 2021-10-31; 1 file, -15/+16)
  OpenSSL's signatures.
  ok beck inoguchi jsing
* Prepare to provide X509_OBJECT_{new,free}() (tb, 2021-10-24; 1 file, -2/+20)
  ok beck inoguchi jsing
* Simplify a return value check for X509_STORE_get_by_subject() now (tb, 2021-10-21; 1 file, -18/+7)
  that we know that it only returns 0 or 1. Eliminate the last uses of X509_LU_{FAIL,RETRY}.
  ok jsing
* Sync parts of X509_STORE_get_by_subject() with OpenSSL (tb, 2021-10-21; 1 file, -13/+7)
  Initialize stmp.type and stmp.data.ptr so that a user-defined lookup method need not take responsibility of initializing those. Get rid of current_method, which was never really used. Stop potentially returning a negative value since most callers assume Boolean return values already. In addition, garbage collect the pointless j variable.
  ok jsing
* X509_STORE_CTX_init() allows the store to be NULL on init. Add checks (claudio, 2021-10-06; 1 file, -1/+11)
  for a NULL ctx->ctx in the lookup functions using X509_STORE_CTX. This affects X509_STORE_get1_certs(), X509_STORE_get1_crls(), X509_STORE_CTX_get1_issuer() and X509_STORE_get_by_subject(). With this X509_verify_cert() no longer crashes with a NULL store.
  With and OK tb@
* Make X509_OBJECT_up_ref_count return an int. (tb, 2018-08-24; 1 file, -7/+5)
  Based on OpenSSL commit c5ebfcab713a82a1d46a51c8c2668c419425b387
  tested in a bulk by sthen
  ok jsing
* X509_LOOKUP_by_alias() now takes a 'const char str *' and (tb, 2018-05-18; 1 file, -4/+4)
  X509_LOOKUP_by_fingerprint() 'const unsigned char *bytes'.
  tested in a bulk build by sthen
  ok jsing
* Provide X509_STORE_get0_param() (tb, 2018-03-17; 1 file, -1/+7)
  ok jsing
* Provide X509_OBJECT_get_type(). Instead of the X509_LOOKUP_TYPE enum (tb, 2018-03-17; 1 file, -1/+7)
  (which we don't have) it returns a plain int.
  ok jsing
* Provide X509_STORE_get0_objects(), X509_STORE_get_ex_data() and (jsing, 2018-02-22; 1 file, -1/+19)
  X509_STORE_set_ex_data().
* Provide X509_OBJECT_get0_X509() and X509_OBJECT_get0_X509_CRL(). (jsing, 2018-02-22; 1 file, -2/+17)
* Provide X509_STORE_up_ref(). (jsing, 2018-02-22; 1 file, -1/+8)
* Send the function codes from the error functions to the bit bucket, (beck, 2017-01-29; 1 file, -13/+8)
  as was done earlier in libssl. Thanks inoguchi@ for noticing libssl had more reacharounds into this.
  ok jsing@ inoguchi@
* Fix previous change to X509_STORE_add_{cert,crl} to not free the input (miod, 2016-11-13; 1 file, -3/+7)
  object in the error path - we don't own it.
* Check for stack push failure, and correctly destroy the object we failed (miod, 2016-11-08; 1 file, -20/+47)
  to push in that case. While there replace an inline version of X509_OBJECT_free_contents() by a call to said function.
  ok beck@
* Don't ignore the reference count in X509_STORE_free. (doug, 2015-04-25; 1 file, -1/+5)
  Based on this upstream commit: bff9ce4db38b297c72a6d84617d71ae2934450f7 which didn't make it into a release until 1.0.2.
  Thanks to william at 25thandclement dot com for reporting this!
  ok deraadt@ jsing@ beck@
* Remove more IMPLEMENT_STACK_OF noops that have been hiding for the last (jsing, 2015-02-10; 1 file, -4/+1)
  15 years.
* X509_STORE_new(): do not leak memory upon error. (miod, 2014-09-26; 1 file, -14/+17)
  X509_STORE_get1_certs(), X509_STORE_get1_crls(): check the result of allocations.
  ok tedu@