]> git.ipfire.org Git - thirdparty/openssl.git/blame - crypto/store/store_result.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
load_key_certs_crls(): Restore output of fatal errors
[thirdparty/openssl.git] / crypto / store / store_result.c
CommitLineData
34b80d06
RL		 1/*
2 * Copyright 2020 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10#include "e_os.h"
11#include <string.h>
12
13#include <openssl/core.h>
14#include <openssl/core_names.h>
15#include <openssl/core_object.h>
16#include <openssl/err.h>
17#include <openssl/pkcs12.h>
18#include <openssl/provider.h>
19#include <openssl/decoder.h>
20#include <openssl/store.h>
21#include "internal/provider.h"
22#include "internal/passphrase.h"
23#include "crypto/evp.h"
24#include "crypto/x509.h"
25#include "store_local.h"
26
27#ifndef OSSL_OBJECT_PKCS12
28/*
29 * The object abstraction doesn't know PKCS#12, but we want to indicate
30 * it anyway, so we create our own. Since the public macros use positive
31 * numbers, negative ones should be fine. They must never slip out from
32 * this translation unit anyway.
33 */
34# define OSSL_OBJECT_PKCS12 -1
35#endif
36
37/*
38 * ossl_store_handle_load_result() is initially written to be a companion
39 * to our 'file:' scheme provider implementation, but has been made generic
40 * to serve others as well.
41 *
42 * This result handler takes any object abstraction (see provider-object(7))
43 * and does the best it can with it. If the object is passed by value (not
44 * by reference), the contents are currently expected to be DER encoded.
45 * If an object type is specified, that will be respected; otherwise, this
46 * handler will guess the contents, by trying the following in order:
47 *
48 * 1. Decode it into an EVP_PKEY, using OSSL_DECODER.
49 * 2. Decode it into an X.509 certificate, using d2i_X509 / d2i_X509_AUX.
50 * 3. Decode it into an X.509 CRL, using d2i_X509_CRL.
51 * 4. Decode it into a PKCS#12 structure, using d2i_PKCS12 (*).
52 *
53 * For the 'file:' scheme implementation, this is division of labor. Since
54 * the libcrypto <-> provider interface currently doesn't support certain
55 * structures as first class objects, they must be unpacked from DER here
56 * rather than in the provider. The current exception is asymmetric keys,
57 * which can reside within the provider boundary, most of all thanks to
58 * OSSL_FUNC_keymgmt_load(), which allows loading the key material by
59 * reference.
60 */
61
34b80d06
RL		 62struct extracted_param_data_st {
63 int object_type;
64 const char *data_type;
65 const char *utf8_data;
66 const void *octet_data;
67 size_t octet_data_size;
68 const void *ref;
69 size_t ref_size;
70 const char *desc;
71};
72
73static int try_name(struct extracted_param_data_st *, OSSL_STORE_INFO **);
74static int try_key(struct extracted_param_data_st *, OSSL_STORE_INFO **,
75 OSSL_STORE_CTX *, const OSSL_PROVIDER *,
76 OPENSSL_CTX *, const char *);
77static int try_cert(struct extracted_param_data_st *, OSSL_STORE_INFO **,
78 OPENSSL_CTX *, const char *);
79static int try_crl(struct extracted_param_data_st *, OSSL_STORE_INFO **,
80 OPENSSL_CTX *, const char *);
81static int try_pkcs12(struct extracted_param_data_st *, OSSL_STORE_INFO **,
82 OSSL_STORE_CTX *, OPENSSL_CTX *, const char *);
83
c2150f73
RL		 84#define SET_ERR_MARK() ERR_set_mark()
85#define CLEAR_ERR_MARK() \
86 do { \
87 int err = ERR_peek_last_error(); \
88 \
89 if (ERR_GET_LIB(err) == ERR_LIB_ASN1 \
90 && ERR_GET_REASON(err) == ERR_R_NESTED_ASN1_ERROR) \
91 ERR_pop_to_mark(); \
92 else \
93 ERR_clear_last_mark(); \
94 } while(0)
95#define RESET_ERR_MARK() \
96 do { \
97 CLEAR_ERR_MARK(); \
98 SET_ERR_MARK(); \
99 } while(0)
100
34b80d06
RL		 101int ossl_store_handle_load_result(const OSSL_PARAM params[], void *arg)
102{
103 struct ossl_load_result_data_st *cbdata = arg;
104 OSSL_STORE_INFO **v = &cbdata->v;
105 OSSL_STORE_CTX *ctx = cbdata->ctx;
106 const OSSL_PROVIDER *provider =
107 OSSL_STORE_LOADER_provider(ctx->fetched_loader);
108 OPENSSL_CTX *libctx = ossl_provider_library_context(provider);
109 const char *propq = ctx->properties;
110 const OSSL_PARAM *p;
111 struct extracted_param_data_st helper_data;
112
113 memset(&helper_data, 0, sizeof(helper_data));
114 helper_data.object_type = OSSL_OBJECT_UNKNOWN;
115
116 if ((p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_TYPE)) != NULL
117 && !OSSL_PARAM_get_int(p, &helper_data.object_type))
118 return 0;
119 p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_DATA_TYPE);
120 if (p != NULL
121 && !OSSL_PARAM_get_utf8_string_ptr(p, &helper_data.data_type))
122 return 0;
123 p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_DATA);
124 if (p != NULL
125 && !OSSL_PARAM_get_octet_string_ptr(p, &helper_data.octet_data,
126 &helper_data.octet_data_size)
127 && !OSSL_PARAM_get_utf8_string_ptr(p, &helper_data.utf8_data))
128 return 0;
129 p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_REFERENCE);
130 if (p != NULL && !OSSL_PARAM_get_octet_string_ptr(p, &helper_data.ref,
131 &helper_data.ref_size))
132 return 0;
133 p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_DESC);
134 if (p != NULL && !OSSL_PARAM_get_utf8_string_ptr(p, &helper_data.desc))
135 return 0;
136
137 /*
138 * The helper functions return 0 on actual errors, otherwise 1, even if
139 * they didn't fill out |*v|.
140 */
c2150f73
RL		 141 SET_ERR_MARK();
142 if (!try_name(&helper_data, v))
143 goto err;
144 RESET_ERR_MARK();
145 if (!try_key(&helper_data, v, ctx, provider, libctx, propq))
146 goto err;
147 RESET_ERR_MARK();
148 if (!try_cert(&helper_data, v, libctx, propq))
149 goto err;
150 RESET_ERR_MARK();
151 if (!try_crl(&helper_data, v, libctx, propq))
152 goto err;
153 RESET_ERR_MARK();
154 if (!try_pkcs12(&helper_data, v, ctx, libctx, propq))
155 goto err;
156 CLEAR_ERR_MARK();
34b80d06
RL		 157
158 return (*v != NULL);
c2150f73
RL		 159 err:
160 return 0;
34b80d06
RL		 161}
162
163static int try_name(struct extracted_param_data_st *data, OSSL_STORE_INFO **v)
164{
165 if (data->object_type == OSSL_OBJECT_NAME) {
166 char *newname = NULL, *newdesc = NULL;
167
168 if (data->utf8_data == NULL)
169 return 0;
170 if ((newname = OPENSSL_strdup(data->utf8_data)) == NULL
171 || (data->desc != NULL
172 && (newdesc = OPENSSL_strdup(data->desc)) == NULL)
173 || (*v = OSSL_STORE_INFO_new_NAME(newname)) == NULL) {
174 OPENSSL_free(newname);
175 OPENSSL_free(newdesc);
176 return 0;
177 }
178 OSSL_STORE_INFO_set0_NAME_description(*v, newdesc);
179 }
180 return 1;
181}
182
183/*
184 * For the rest of the object types, the provider code may not know what
185 * type of data it gave us, so we may need to figure that out on our own.
186 * Therefore, we do check for OSSL_OBJECT_UNKNOWN everywhere below, and
187 * only return 0 on error if the object type is known.
188 */
189
190static EVP_PKEY *try_key_ref(struct extracted_param_data_st *data,
191 OSSL_STORE_CTX *ctx,
192 const OSSL_PROVIDER *provider,
193 OPENSSL_CTX *libctx, const char *propq)
194{
195 EVP_PKEY *pk = NULL;
196 EVP_KEYMGMT *keymgmt = NULL;
197 void *keydata = NULL;
198
199 /* If we have an object reference, we must have a data type */
200 if (data->data_type == NULL)
201 return 0;
202
203 keymgmt = EVP_KEYMGMT_fetch(libctx, data->data_type, propq);
204 if (keymgmt != NULL) {
205 /*
206 * There are two possible cases
207 *
208 * 1. The keymgmt is from the same provider as the loader,
209 * so we can use evp_keymgmt_load()
210 * 2. The keymgmt is from another provider, then we must
211 * do the export/import dance.
212 */
213 if (EVP_KEYMGMT_provider(keymgmt) == provider) {
214 keydata = evp_keymgmt_load(keymgmt, data->ref, data->ref_size);
215 } else {
216 struct evp_keymgmt_util_try_import_data_st import_data;
217 OSSL_FUNC_store_export_object_fn *export_object =
218 ctx->fetched_loader->p_export_object;
219
220 import_data.keymgmt = keymgmt;
221 import_data.keydata = NULL;
222 import_data.selection = OSSL_KEYMGMT_SELECT_ALL;
223
224 if (export_object != NULL) {
225 /*
226 * No need to check for errors here, the value of
227 * |import_data.keydata| is as much an indicator.
228 */
229 (void)export_object(ctx->loader_ctx,
230 data->ref, data->ref_size,
231 &evp_keymgmt_util_try_import,
232 &import_data);
233 }
234
235 keydata = import_data.keydata;
236 }
237 }
238 if (keydata != NULL)
239 pk = evp_keymgmt_util_make_pkey(keymgmt, keydata);
240 EVP_KEYMGMT_free(keymgmt);
241
242 return pk;
243}
244
245static EVP_PKEY *try_key_value(struct extracted_param_data_st *data,
246 OSSL_STORE_CTX *ctx,
247 OSSL_PASSPHRASE_CALLBACK *cb, void *cbarg,
248 OPENSSL_CTX *libctx, const char *propq)
249{
250 EVP_PKEY *pk = NULL;
251 OSSL_DECODER_CTX *decoderctx = NULL;
252 BIO *membio =
253 BIO_new_mem_buf(data->octet_data, (int)data->octet_data_size);
254
255 if (membio == NULL)
256 return 0;
257
258 decoderctx = OSSL_DECODER_CTX_new_by_EVP_PKEY(&pk, "DER", libctx, propq);
259 (void)OSSL_DECODER_CTX_set_passphrase_cb(decoderctx, cb, cbarg);
260
261 /* No error if this couldn't be decoded */
262 (void)OSSL_DECODER_from_bio(decoderctx, membio);
263
264 OSSL_DECODER_CTX_free(decoderctx);
265 BIO_free(membio);
266
267 return pk;
268}
269
270typedef OSSL_STORE_INFO *store_info_new_fn(EVP_PKEY *);
271
272static EVP_PKEY *try_key_value_legacy(struct extracted_param_data_st *data,
273 store_info_new_fn **store_info_new,
274 OSSL_STORE_CTX *ctx,
275 OSSL_PASSPHRASE_CALLBACK *cb, void *cbarg,
276 OPENSSL_CTX *libctx, const char *propq)
277{
278 EVP_PKEY *pk = NULL;
279 const unsigned char *der = data->octet_data, *derp;
280 long der_len = (long)data->octet_data_size;
281
282 /* Try PUBKEY first, that's a real easy target */
283 derp = der;
284 pk = d2i_PUBKEY_ex(NULL, &derp, der_len, libctx, propq);
285 if (pk != NULL)
286 *store_info_new = OSSL_STORE_INFO_new_PUBKEY;
287
288 /* Try private keys next */
289 if (pk == NULL) {
290 unsigned char *new_der = NULL;
291 X509_SIG *p8 = NULL;
292 PKCS8_PRIV_KEY_INFO *p8info = NULL;
293
294 /* See if it's an encrypted PKCS#8 and decrypt it */
295 derp = der;
296 if ((p8 = d2i_X509_SIG(NULL, &derp, der_len)) != NULL) {
297 char pbuf[PEM_BUFSIZE];
298 size_t plen = 0;
299
300 if (!cb(pbuf, sizeof(pbuf), &plen, NULL, cbarg)) {
301 ERR_raise(ERR_LIB_OSSL_STORE,
302 OSSL_STORE_R_BAD_PASSWORD_READ);
303 } else {
304 const X509_ALGOR *alg = NULL;
305 const ASN1_OCTET_STRING *oct = NULL;
306 int len = 0;
307
308 X509_SIG_get0(p8, &alg, &oct);
309
310 /*
311 * No need to check the returned value, |new_der|
312 * will be NULL on error anyway.
313 */
314 PKCS12_pbe_crypt(alg, pbuf, plen,
315 oct->data, oct->length,
316 &new_der, &len, 0);
317 der_len = len;
318 der = new_der;
319 }
320 X509_SIG_free(p8);
321 }
322
323 /*
324 * If the encrypted PKCS#8 couldn't be decrypted,
325 * |der| is NULL
326 */
327 if (der != NULL) {
328 /* Try to unpack an unencrypted PKCS#8, that's easy */
329 derp = der;
330 p8info = d2i_PKCS8_PRIV_KEY_INFO(NULL, &derp, der_len);
331 if (p8info != NULL) {
16feca71 332 pk = EVP_PKCS82PKEY_with_libctx(p8info, libctx, propq);
34b80d06
RL		 333 PKCS8_PRIV_KEY_INFO_free(p8info);
334 }
335
336 /*
337 * It wasn't PKCS#8, so we must try the hard way.
338 * However, we can cheat a little bit, because we know
339 * what's not yet fully supported in out decoders.
340 * TODO(3.0) Eliminate these when we have decoder support.
341 */
342 if (pk == NULL) {
343 derp = der;
344 pk = d2i_PrivateKey_ex(EVP_PKEY_SM2, NULL,
345 &derp, der_len,
346 libctx, NULL);
347 }
348 }
349
350 if (pk != NULL)
351 *store_info_new = OSSL_STORE_INFO_new_PKEY;
352
353 OPENSSL_free(new_der);
354 der = data->octet_data;
355 der_len = (long)data->octet_data_size;
356 }
357
358 /*
359 * Last, we try parameters. We cheat the same way we do for
360 * private keys above.
361 * TODO(3.0) Eliminate these when we have decoder support.
362 */
363 if (pk == NULL) {
364 derp = der;
365 pk = d2i_KeyParams(EVP_PKEY_SM2, NULL, &derp, der_len);
366 if (pk != NULL)
367 *store_info_new = OSSL_STORE_INFO_new_PARAMS;
368 }
369
370 return pk;
371}
372
373static int try_key(struct extracted_param_data_st *data, OSSL_STORE_INFO **v,
374 OSSL_STORE_CTX *ctx, const OSSL_PROVIDER *provider,
375 OPENSSL_CTX *libctx, const char *propq)
376{
377 store_info_new_fn *store_info_new = NULL;
378
379 if (data->object_type == OSSL_OBJECT_UNKNOWN
380 || data->object_type == OSSL_OBJECT_PKEY) {
381 EVP_PKEY *pk = NULL;
382
383 /* Prefer key by reference than key by value */
384 if (data->object_type == OSSL_OBJECT_PKEY && data->ref != NULL) {
385 pk = try_key_ref(data, ctx, provider, libctx, propq);
386
387 /*
388 * If for some reason we couldn't get a key, it's an error.
389 * It indicates that while decoders could make a key reference,
390 * the keymgmt somehow couldn't handle it, or doesn't have a
391 * OSSL_FUNC_keymgmt_load function.
392 */
393 if (pk == NULL)
394 return 0;
395 } else if (data->octet_data != NULL) {
396 OSSL_PASSPHRASE_CALLBACK *cb = ossl_pw_passphrase_callback_dec;
397 void *cbarg = &ctx->pwdata;
398
399 pk = try_key_value(data, ctx, cb, cbarg, libctx, propq);
400
401 /*
402 * Desperate last maneuver, in case the decoders don't support
403 * the data we have, then we try on our own to at least get a
404 * legacy key.
405 * This is the same as der2key_decode() does, but in a limited
406 * way and within the walls of libcrypto.
407 *
408 * TODO Remove this when #legacy keys are gone
409 */
410 if (pk == NULL)
411 pk = try_key_value_legacy(data, &store_info_new, ctx,
412 cb, cbarg, libctx, propq);
413 }
414
415 if (pk != NULL) {
416 data->object_type = OSSL_OBJECT_PKEY;
417
418 if (store_info_new == NULL) {
419 /*
420 * We determined the object type for OSSL_STORE_INFO, which
421 * makes an explicit difference between an EVP_PKEY with just
422 * (domain) parameters and an EVP_PKEY with actual key
423 * material.
424 * The logic is that an EVP_PKEY with actual key material
425 * always has the public half.
426 */
427 if (evp_keymgmt_util_has(pk, OSSL_KEYMGMT_SELECT_PRIVATE_KEY))
428 store_info_new = OSSL_STORE_INFO_new_PKEY;
429 else if (evp_keymgmt_util_has(pk,
430 OSSL_KEYMGMT_SELECT_PUBLIC_KEY))
431 store_info_new = OSSL_STORE_INFO_new_PUBKEY;
432 else
433 store_info_new = OSSL_STORE_INFO_new_PARAMS;
434 }
435 *v = store_info_new(pk);
436 }
437
438 if (*v == NULL)
439 EVP_PKEY_free(pk);
440 }
441
442 return 1;
443}
444
445static int try_cert(struct extracted_param_data_st *data, OSSL_STORE_INFO **v,
446 OPENSSL_CTX *libctx, const char *propq)
447{
448 if (data->object_type == OSSL_OBJECT_UNKNOWN
449 || data->object_type == OSSL_OBJECT_CERT) {
450 X509 *cert;
451
452 /*
453 * In most cases, we can try to interpret the serialized
454 * data as a trusted cert (X509 + X509_AUX) and fall back
455 * to reading it as a normal cert (just X509), but if
456 * |data_type| (the PEM name) specifically declares it as a
457 * trusted cert, then no fallback should be engaged.
458 * |ignore_trusted| tells if the fallback can be used (1)
459 * or not (0).
460 */
461 int ignore_trusted = 1;
462
463 /* If we have a data type, it should be a PEM name */
464 if (data->data_type != NULL
465 && (strcasecmp(data->data_type, PEM_STRING_X509_TRUSTED) == 0))
466 ignore_trusted = 0;
467
468 cert = d2i_X509_AUX(NULL, (const unsigned char **)&data->octet_data,
469 data->octet_data_size);
470 if (cert == NULL && ignore_trusted)
471 cert = d2i_X509(NULL, (const unsigned char **)&data->octet_data,
472 data->octet_data_size);
473
474 if (cert != NULL)
475 /* We determined the object type */
476 data->object_type = OSSL_OBJECT_CERT;
477
478 if (cert != NULL && !x509_set0_libctx(cert, libctx, propq)) {
479 X509_free(cert);
480 cert = NULL;
481 }
482
483 if (cert != NULL)
484 *v = OSSL_STORE_INFO_new_CERT(cert);
485 if (*v == NULL)
486 X509_free(cert);
487 }
488
489 return 1;
490}
491
492static int try_crl(struct extracted_param_data_st *data, OSSL_STORE_INFO **v,
493 OPENSSL_CTX *libctx, const char *propq)
494{
495 if (data->object_type == OSSL_OBJECT_UNKNOWN
496 || data->object_type == OSSL_OBJECT_CRL) {
497 X509_CRL *crl;
498
499 crl = d2i_X509_CRL(NULL, (const unsigned char **)&data->octet_data,
500 data->octet_data_size);
501 if (crl != NULL)
502 /* We determined the object type */
503 data->object_type = OSSL_OBJECT_CRL;
504
505 if (crl != NULL && !x509_crl_set0_libctx(crl, libctx, propq)) {
506 X509_CRL_free(crl);
507 crl = NULL;
508 }
509
510 if (crl != NULL)
511 *v = OSSL_STORE_INFO_new_CRL(crl);
512 if (*v == NULL)
513 X509_CRL_free(crl);
514 }
515
516 return 1;
517}
518
519static int try_pkcs12(struct extracted_param_data_st *data, OSSL_STORE_INFO **v,
520 OSSL_STORE_CTX *ctx,
521 OPENSSL_CTX *libctx, const char *propq)
522{
523 /* There is no specific object type for PKCS12 */
524 if (data->object_type == OSSL_OBJECT_UNKNOWN) {
525 /* Initial parsing */
526 PKCS12 *p12;
527
528 if ((p12 = d2i_PKCS12(NULL, (const unsigned char **)&data->octet_data,
529 data->octet_data_size)) != NULL) {
530 char *pass = NULL;
531 char tpass[PEM_BUFSIZE];
532 size_t tpass_len;
533 EVP_PKEY *pkey = NULL;
534 X509 *cert = NULL;
535 STACK_OF(X509) *chain = NULL;
536
537 data->object_type = OSSL_OBJECT_PKCS12;
538
539 if (PKCS12_verify_mac(p12, "", 0)
540 || PKCS12_verify_mac(p12, NULL, 0)) {
541 pass = "";
542 } else {
543 static char prompt_info[] = "PKCS12 import pass phrase";
544 OSSL_PARAM pw_params[] = {
545 OSSL_PARAM_utf8_string(OSSL_PASSPHRASE_PARAM_INFO,
546 prompt_info,
547 sizeof(prompt_info) - 1),
548 OSSL_PARAM_END
549 };
550
551 if (!ossl_pw_get_passphrase(tpass, sizeof(tpass), &tpass_len,
552 pw_params, 0, &ctx->pwdata)) {
553 ERR_raise(ERR_LIB_OSSL_STORE,
554 OSSL_STORE_R_PASSPHRASE_CALLBACK_ERROR);
555 goto p12_end;
556 }
557 pass = tpass;
558 if (!PKCS12_verify_mac(p12, pass, strlen(pass))) {
559 ERR_raise(ERR_LIB_OSSL_STORE,
560 OSSL_STORE_R_ERROR_VERIFYING_PKCS12_MAC);
561 goto p12_end;
562 }
563 }
564
565 if (PKCS12_parse(p12, pass, &pkey, &cert, &chain)) {
566 STACK_OF(OSSL_STORE_INFO) *infos = NULL;
567 OSSL_STORE_INFO *osi_pkey = NULL;
568 OSSL_STORE_INFO *osi_cert = NULL;
569 OSSL_STORE_INFO *osi_ca = NULL;
570 int ok = 1;
571
572 if ((infos = sk_OSSL_STORE_INFO_new_null()) != NULL) {
573 if (pkey != NULL) {
574 if ((osi_pkey = OSSL_STORE_INFO_new_PKEY(pkey)) != NULL
575 /* clearing pkey here avoids case distinctions */
576 && (pkey = NULL) == NULL
577 && sk_OSSL_STORE_INFO_push(infos, osi_pkey) != 0)
578 osi_pkey = NULL;
579 else
580 ok = 0;
581 }
582 if (ok && cert != NULL) {
583 if ((osi_cert = OSSL_STORE_INFO_new_CERT(cert)) != NULL
584 /* clearing cert here avoids case distinctions */
585 && (cert = NULL) == NULL
586 && sk_OSSL_STORE_INFO_push(infos, osi_cert) != 0)
587 osi_cert = NULL;
588 else
589 ok = 0;
590 }
591 while (ok && sk_X509_num(chain) > 0) {
592 X509 *ca = sk_X509_value(chain, 0);
593
594 if ((osi_ca = OSSL_STORE_INFO_new_CERT(ca)) != NULL
595 && sk_X509_shift(chain) != NULL
596 && sk_OSSL_STORE_INFO_push(infos, osi_ca) != 0)
597 osi_ca = NULL;
598 else
599 ok = 0;
600 }
601 }
602 EVP_PKEY_free(pkey);
603 X509_free(cert);
604 sk_X509_pop_free(chain, X509_free);
605 OSSL_STORE_INFO_free(osi_pkey);
606 OSSL_STORE_INFO_free(osi_cert);
607 OSSL_STORE_INFO_free(osi_ca);
608 if (!ok) {
609 sk_OSSL_STORE_INFO_pop_free(infos, OSSL_STORE_INFO_free);
610 infos = NULL;
611 }
612 ctx->cached_info = infos;
613 }
614 }
615 p12_end:
616 PKCS12_free(p12);
617 *v = sk_OSSL_STORE_INFO_shift(ctx->cached_info);
618 }
619
620 return 1;
621}
A mirror of the official openssl repository