]> git.ipfire.org Git - thirdparty/openssl.git/blob - crypto/store/store_result.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Update copyright year
[thirdparty/openssl.git] / crypto / store / store_result.c
1 /*
2 * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 #include "e_os.h"
11 #include <string.h>
12
13 #include <openssl/core.h>
14 #include <openssl/core_names.h>
15 #include <openssl/core_object.h>
16 #include <openssl/err.h>
17 #include <openssl/pkcs12.h>
18 #include <openssl/provider.h>
19 #include <openssl/decoder.h>
20 #include <openssl/store.h>
21 #include "internal/provider.h"
22 #include "internal/passphrase.h"
23 #include "crypto/evp.h"
24 #include "crypto/x509.h"
25 #include "store_local.h"
26
27 #ifndef OSSL_OBJECT_PKCS12
28 /*
29 * The object abstraction doesn't know PKCS#12, but we want to indicate
30 * it anyway, so we create our own. Since the public macros use positive
31 * numbers, negative ones should be fine. They must never slip out from
32 * this translation unit anyway.
33 */
34 # define OSSL_OBJECT_PKCS12 -1
35 #endif
36
37 /*
38 * ossl_store_handle_load_result() is initially written to be a companion
39 * to our 'file:' scheme provider implementation, but has been made generic
40 * to serve others as well.
41 *
42 * This result handler takes any object abstraction (see provider-object(7))
43 * and does the best it can with it. If the object is passed by value (not
44 * by reference), the contents are currently expected to be DER encoded.
45 * If an object type is specified, that will be respected; otherwise, this
46 * handler will guess the contents, by trying the following in order:
47 *
48 * 1. Decode it into an EVP_PKEY, using OSSL_DECODER.
49 * 2. Decode it into an X.509 certificate, using d2i_X509 / d2i_X509_AUX.
50 * 3. Decode it into an X.509 CRL, using d2i_X509_CRL.
51 * 4. Decode it into a PKCS#12 structure, using d2i_PKCS12 (*).
52 *
53 * For the 'file:' scheme implementation, this is division of labor. Since
54 * the libcrypto <-> provider interface currently doesn't support certain
55 * structures as first class objects, they must be unpacked from DER here
56 * rather than in the provider. The current exception is asymmetric keys,
57 * which can reside within the provider boundary, most of all thanks to
58 * OSSL_FUNC_keymgmt_load(), which allows loading the key material by
59 * reference.
60 */
61
62 struct extracted_param_data_st {
63 int object_type;
64 const char *data_type;
65 const char *utf8_data;
66 const void *octet_data;
67 size_t octet_data_size;
68 const void *ref;
69 size_t ref_size;
70 const char *desc;
71 };
72
73 static int try_name(struct extracted_param_data_st *, OSSL_STORE_INFO **);
74 static int try_key(struct extracted_param_data_st *, OSSL_STORE_INFO **,
75 OSSL_STORE_CTX *, const OSSL_PROVIDER *,
76 OSSL_LIB_CTX *, const char *);
77 static int try_cert(struct extracted_param_data_st *, OSSL_STORE_INFO **,
78 OSSL_LIB_CTX *, const char *);
79 static int try_crl(struct extracted_param_data_st *, OSSL_STORE_INFO **,
80 OSSL_LIB_CTX *, const char *);
81 static int try_pkcs12(struct extracted_param_data_st *, OSSL_STORE_INFO **,
82 OSSL_STORE_CTX *, OSSL_LIB_CTX *, const char *);
83
84 #define SET_ERR_MARK() ERR_set_mark()
85 #define CLEAR_ERR_MARK() \
86 do { \
87 int err = ERR_peek_last_error(); \
88 \
89 if (ERR_GET_LIB(err) == ERR_LIB_ASN1 \
90 && (ERR_GET_REASON(err) == ASN1_R_UNKNOWN_PUBLIC_KEY_TYPE \
91 || ERR_GET_REASON(err) == ASN1_R_NO_MATCHING_CHOICE_TYPE \
92 || ERR_GET_REASON(err) == ERR_R_NESTED_ASN1_ERROR)) \
93 ERR_pop_to_mark(); \
94 else \
95 ERR_clear_last_mark(); \
96 } while(0)
97 #define RESET_ERR_MARK() \
98 do { \
99 CLEAR_ERR_MARK(); \
100 SET_ERR_MARK(); \
101 } while(0)
102
103 int ossl_store_handle_load_result(const OSSL_PARAM params[], void *arg)
104 {
105 struct ossl_load_result_data_st *cbdata = arg;
106 OSSL_STORE_INFO **v = &cbdata->v;
107 OSSL_STORE_CTX *ctx = cbdata->ctx;
108 const OSSL_PROVIDER *provider =
109 OSSL_STORE_LOADER_provider(ctx->fetched_loader);
110 OSSL_LIB_CTX *libctx = ossl_provider_libctx(provider);
111 const char *propq = ctx->properties;
112 const OSSL_PARAM *p;
113 struct extracted_param_data_st helper_data;
114
115 memset(&helper_data, 0, sizeof(helper_data));
116 helper_data.object_type = OSSL_OBJECT_UNKNOWN;
117
118 if ((p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_TYPE)) != NULL
119 && !OSSL_PARAM_get_int(p, &helper_data.object_type))
120 return 0;
121 p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_DATA_TYPE);
122 if (p != NULL
123 && !OSSL_PARAM_get_utf8_string_ptr(p, &helper_data.data_type))
124 return 0;
125 p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_DATA);
126 if (p != NULL
127 && !OSSL_PARAM_get_octet_string_ptr(p, &helper_data.octet_data,
128 &helper_data.octet_data_size)
129 && !OSSL_PARAM_get_utf8_string_ptr(p, &helper_data.utf8_data))
130 return 0;
131 p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_REFERENCE);
132 if (p != NULL && !OSSL_PARAM_get_octet_string_ptr(p, &helper_data.ref,
133 &helper_data.ref_size))
134 return 0;
135 p = OSSL_PARAM_locate_const(params, OSSL_OBJECT_PARAM_DESC);
136 if (p != NULL && !OSSL_PARAM_get_utf8_string_ptr(p, &helper_data.desc))
137 return 0;
138
139 /*
140 * The helper functions return 0 on actual errors, otherwise 1, even if
141 * they didn't fill out |*v|.
142 */
143 SET_ERR_MARK();
144 if (!try_name(&helper_data, v))
145 goto err;
146 RESET_ERR_MARK();
147 if (!try_key(&helper_data, v, ctx, provider, libctx, propq))
148 goto err;
149 RESET_ERR_MARK();
150 if (!try_cert(&helper_data, v, libctx, propq))
151 goto err;
152 RESET_ERR_MARK();
153 if (!try_crl(&helper_data, v, libctx, propq))
154 goto err;
155 RESET_ERR_MARK();
156 if (!try_pkcs12(&helper_data, v, ctx, libctx, propq))
157 goto err;
158 CLEAR_ERR_MARK();
159
160 return (*v != NULL);
161 err:
162 return 0;
163 }
164
165 static int try_name(struct extracted_param_data_st *data, OSSL_STORE_INFO **v)
166 {
167 if (data->object_type == OSSL_OBJECT_NAME) {
168 char *newname = NULL, *newdesc = NULL;
169
170 if (data->utf8_data == NULL)
171 return 0;
172 if ((newname = OPENSSL_strdup(data->utf8_data)) == NULL
173 || (data->desc != NULL
174 && (newdesc = OPENSSL_strdup(data->desc)) == NULL)
175 || (*v = OSSL_STORE_INFO_new_NAME(newname)) == NULL) {
176 OPENSSL_free(newname);
177 OPENSSL_free(newdesc);
178 return 0;
179 }
180 OSSL_STORE_INFO_set0_NAME_description(*v, newdesc);
181 }
182 return 1;
183 }
184
185 /*
186 * For the rest of the object types, the provider code may not know what
187 * type of data it gave us, so we may need to figure that out on our own.
188 * Therefore, we do check for OSSL_OBJECT_UNKNOWN everywhere below, and
189 * only return 0 on error if the object type is known.
190 */
191
192 static EVP_PKEY *try_key_ref(struct extracted_param_data_st *data,
193 OSSL_STORE_CTX *ctx,
194 const OSSL_PROVIDER *provider,
195 OSSL_LIB_CTX *libctx, const char *propq)
196 {
197 EVP_PKEY *pk = NULL;
198 EVP_KEYMGMT *keymgmt = NULL;
199 void *keydata = NULL;
200
201 /* If we have an object reference, we must have a data type */
202 if (data->data_type == NULL)
203 return 0;
204
205 keymgmt = EVP_KEYMGMT_fetch(libctx, data->data_type, propq);
206 if (keymgmt != NULL) {
207 /*
208 * There are two possible cases
209 *
210 * 1. The keymgmt is from the same provider as the loader,
211 * so we can use evp_keymgmt_load()
212 * 2. The keymgmt is from another provider, then we must
213 * do the export/import dance.
214 */
215 if (EVP_KEYMGMT_provider(keymgmt) == provider) {
216 keydata = evp_keymgmt_load(keymgmt, data->ref, data->ref_size);
217 } else {
218 struct evp_keymgmt_util_try_import_data_st import_data;
219 OSSL_FUNC_store_export_object_fn *export_object =
220 ctx->fetched_loader->p_export_object;
221
222 import_data.keymgmt = keymgmt;
223 import_data.keydata = NULL;
224 import_data.selection = OSSL_KEYMGMT_SELECT_ALL;
225
226 if (export_object != NULL) {
227 /*
228 * No need to check for errors here, the value of
229 * |import_data.keydata| is as much an indicator.
230 */
231 (void)export_object(ctx->loader_ctx,
232 data->ref, data->ref_size,
233 &evp_keymgmt_util_try_import,
234 &import_data);
235 }
236
237 keydata = import_data.keydata;
238 }
239 }
240 if (keydata != NULL)
241 pk = evp_keymgmt_util_make_pkey(keymgmt, keydata);
242 EVP_KEYMGMT_free(keymgmt);
243
244 return pk;
245 }
246
247 static EVP_PKEY *try_key_value(struct extracted_param_data_st *data,
248 OSSL_STORE_CTX *ctx,
249 OSSL_PASSPHRASE_CALLBACK *cb, void *cbarg,
250 OSSL_LIB_CTX *libctx, const char *propq)
251 {
252 EVP_PKEY *pk = NULL;
253 OSSL_DECODER_CTX *decoderctx = NULL;
254 const unsigned char *pdata = data->octet_data;
255 size_t pdatalen = data->octet_data_size;
256 int selection = 0;
257
258 switch (ctx->expected_type) {
259 case 0:
260 break;
261 case OSSL_STORE_INFO_PARAMS:
262 selection = OSSL_KEYMGMT_SELECT_ALL_PARAMETERS;
263 break;
264 case OSSL_STORE_INFO_PUBKEY:
265 selection =
266 OSSL_KEYMGMT_SELECT_PUBLIC_KEY
267 | OSSL_KEYMGMT_SELECT_ALL_PARAMETERS;
268 break;
269 case OSSL_STORE_INFO_PKEY:
270 selection = OSSL_KEYMGMT_SELECT_ALL;
271 break;
272 default:
273 return NULL;
274 }
275
276 decoderctx =
277 OSSL_DECODER_CTX_new_for_pkey(&pk, "DER", NULL, data->data_type,
278 selection, libctx, propq);
279 (void)OSSL_DECODER_CTX_set_passphrase_cb(decoderctx, cb, cbarg);
280
281 /* No error if this couldn't be decoded */
282 (void)OSSL_DECODER_from_data(decoderctx, &pdata, &pdatalen);
283
284 OSSL_DECODER_CTX_free(decoderctx);
285
286 return pk;
287 }
288
289 typedef OSSL_STORE_INFO *store_info_new_fn(EVP_PKEY *);
290
291 static EVP_PKEY *try_key_value_legacy(struct extracted_param_data_st *data,
292 store_info_new_fn **store_info_new,
293 OSSL_STORE_CTX *ctx,
294 OSSL_PASSPHRASE_CALLBACK *cb, void *cbarg,
295 OSSL_LIB_CTX *libctx, const char *propq)
296 {
297 EVP_PKEY *pk = NULL;
298 const unsigned char *der = data->octet_data, *derp;
299 long der_len = (long)data->octet_data_size;
300
301 SET_ERR_MARK();
302 /* Try PUBKEY first, that's a real easy target */
303 if (ctx->expected_type == 0
304 || ctx->expected_type == OSSL_STORE_INFO_PUBKEY) {
305 derp = der;
306 pk = d2i_PUBKEY_ex(NULL, &derp, der_len, libctx, propq);
307 if (pk != NULL)
308 *store_info_new = OSSL_STORE_INFO_new_PUBKEY;
309
310 RESET_ERR_MARK();
311 }
312
313 /* Try private keys next */
314 if (pk == NULL
315 && (ctx->expected_type == 0
316 || ctx->expected_type == OSSL_STORE_INFO_PKEY)) {
317 unsigned char *new_der = NULL;
318 X509_SIG *p8 = NULL;
319 PKCS8_PRIV_KEY_INFO *p8info = NULL;
320
321 /* See if it's an encrypted PKCS#8 and decrypt it */
322 derp = der;
323 if ((p8 = d2i_X509_SIG(NULL, &derp, der_len)) != NULL) {
324 char pbuf[PEM_BUFSIZE];
325 size_t plen = 0;
326
327 if (!cb(pbuf, sizeof(pbuf), &plen, NULL, cbarg)) {
328 ERR_raise(ERR_LIB_OSSL_STORE, OSSL_STORE_R_BAD_PASSWORD_READ);
329 } else {
330 const X509_ALGOR *alg = NULL;
331 const ASN1_OCTET_STRING *oct = NULL;
332 int len = 0;
333
334 X509_SIG_get0(p8, &alg, &oct);
335
336 /*
337 * No need to check the returned value, |new_der|
338 * will be NULL on error anyway.
339 */
340 PKCS12_pbe_crypt(alg, pbuf, plen,
341 oct->data, oct->length,
342 &new_der, &len, 0);
343 der_len = len;
344 der = new_der;
345 }
346 X509_SIG_free(p8);
347 }
348 RESET_ERR_MARK();
349
350 /*
351 * If the encrypted PKCS#8 couldn't be decrypted,
352 * |der| is NULL
353 */
354 if (der != NULL) {
355 /* Try to unpack an unencrypted PKCS#8, that's easy */
356 derp = der;
357 p8info = d2i_PKCS8_PRIV_KEY_INFO(NULL, &derp, der_len);
358 RESET_ERR_MARK();
359 if (p8info != NULL) {
360 pk = EVP_PKCS82PKEY_ex(p8info, libctx, propq);
361 PKCS8_PRIV_KEY_INFO_free(p8info);
362 }
363 }
364
365 if (pk != NULL)
366 *store_info_new = OSSL_STORE_INFO_new_PKEY;
367
368 OPENSSL_free(new_der);
369 }
370 CLEAR_ERR_MARK();
371
372 return pk;
373 }
374
375 static int try_key(struct extracted_param_data_st *data, OSSL_STORE_INFO **v,
376 OSSL_STORE_CTX *ctx, const OSSL_PROVIDER *provider,
377 OSSL_LIB_CTX *libctx, const char *propq)
378 {
379 store_info_new_fn *store_info_new = NULL;
380
381 if (data->object_type == OSSL_OBJECT_UNKNOWN
382 || data->object_type == OSSL_OBJECT_PKEY) {
383 EVP_PKEY *pk = NULL;
384
385 /* Prefer key by reference than key by value */
386 if (data->object_type == OSSL_OBJECT_PKEY && data->ref != NULL) {
387 pk = try_key_ref(data, ctx, provider, libctx, propq);
388
389 /*
390 * If for some reason we couldn't get a key, it's an error.
391 * It indicates that while decoders could make a key reference,
392 * the keymgmt somehow couldn't handle it, or doesn't have a
393 * OSSL_FUNC_keymgmt_load function.
394 */
395 if (pk == NULL)
396 return 0;
397 } else if (data->octet_data != NULL) {
398 OSSL_PASSPHRASE_CALLBACK *cb = ossl_pw_passphrase_callback_dec;
399 void *cbarg = &ctx->pwdata;
400
401 pk = try_key_value(data, ctx, cb, cbarg, libctx, propq);
402
403 /*
404 * Desperate last maneuver, in case the decoders don't support
405 * the data we have, then we try on our own to at least get a
406 * legacy key.
407 * This is the same as der2key_decode() does, but in a limited
408 * way and within the walls of libcrypto.
409 *
410 * TODO Remove this when #legacy keys are gone
411 */
412 if (pk == NULL)
413 pk = try_key_value_legacy(data, &store_info_new, ctx,
414 cb, cbarg, libctx, propq);
415 }
416
417 if (pk != NULL) {
418 data->object_type = OSSL_OBJECT_PKEY;
419
420 if (store_info_new == NULL) {
421 /*
422 * We determined the object type for OSSL_STORE_INFO, which
423 * makes an explicit difference between an EVP_PKEY with just
424 * (domain) parameters and an EVP_PKEY with actual key
425 * material.
426 * The logic is that an EVP_PKEY with actual key material
427 * always has the public half.
428 */
429 if (evp_keymgmt_util_has(pk, OSSL_KEYMGMT_SELECT_PRIVATE_KEY))
430 store_info_new = OSSL_STORE_INFO_new_PKEY;
431 else if (evp_keymgmt_util_has(pk,
432 OSSL_KEYMGMT_SELECT_PUBLIC_KEY))
433 store_info_new = OSSL_STORE_INFO_new_PUBKEY;
434 else
435 store_info_new = OSSL_STORE_INFO_new_PARAMS;
436 }
437 *v = store_info_new(pk);
438 }
439
440 if (*v == NULL)
441 EVP_PKEY_free(pk);
442 }
443
444 return 1;
445 }
446
447 static int try_cert(struct extracted_param_data_st *data, OSSL_STORE_INFO **v,
448 OSSL_LIB_CTX *libctx, const char *propq)
449 {
450 if (data->object_type == OSSL_OBJECT_UNKNOWN
451 || data->object_type == OSSL_OBJECT_CERT) {
452 X509 *cert;
453
454 /*
455 * In most cases, we can try to interpret the serialized
456 * data as a trusted cert (X509 + X509_AUX) and fall back
457 * to reading it as a normal cert (just X509), but if
458 * |data_type| (the PEM name) specifically declares it as a
459 * trusted cert, then no fallback should be engaged.
460 * |ignore_trusted| tells if the fallback can be used (1)
461 * or not (0).
462 */
463 int ignore_trusted = 1;
464
465 /* If we have a data type, it should be a PEM name */
466 if (data->data_type != NULL
467 && (strcasecmp(data->data_type, PEM_STRING_X509_TRUSTED) == 0))
468 ignore_trusted = 0;
469
470 cert = d2i_X509_AUX(NULL, (const unsigned char **)&data->octet_data,
471 data->octet_data_size);
472 if (cert == NULL && ignore_trusted)
473 cert = d2i_X509(NULL, (const unsigned char **)&data->octet_data,
474 data->octet_data_size);
475
476 if (cert != NULL)
477 /* We determined the object type */
478 data->object_type = OSSL_OBJECT_CERT;
479
480 if (cert != NULL && !x509_set0_libctx(cert, libctx, propq)) {
481 X509_free(cert);
482 cert = NULL;
483 }
484
485 if (cert != NULL)
486 *v = OSSL_STORE_INFO_new_CERT(cert);
487 if (*v == NULL)
488 X509_free(cert);
489 }
490
491 return 1;
492 }
493
494 static int try_crl(struct extracted_param_data_st *data, OSSL_STORE_INFO **v,
495 OSSL_LIB_CTX *libctx, const char *propq)
496 {
497 if (data->object_type == OSSL_OBJECT_UNKNOWN
498 || data->object_type == OSSL_OBJECT_CRL) {
499 X509_CRL *crl;
500
501 crl = d2i_X509_CRL(NULL, (const unsigned char **)&data->octet_data,
502 data->octet_data_size);
503 if (crl != NULL)
504 /* We determined the object type */
505 data->object_type = OSSL_OBJECT_CRL;
506
507 if (crl != NULL && !x509_crl_set0_libctx(crl, libctx, propq)) {
508 X509_CRL_free(crl);
509 crl = NULL;
510 }
511
512 if (crl != NULL)
513 *v = OSSL_STORE_INFO_new_CRL(crl);
514 if (*v == NULL)
515 X509_CRL_free(crl);
516 }
517
518 return 1;
519 }
520
521 static int try_pkcs12(struct extracted_param_data_st *data, OSSL_STORE_INFO **v,
522 OSSL_STORE_CTX *ctx,
523 OSSL_LIB_CTX *libctx, const char *propq)
524 {
525 /* There is no specific object type for PKCS12 */
526 if (data->object_type == OSSL_OBJECT_UNKNOWN) {
527 /* Initial parsing */
528 PKCS12 *p12;
529
530 if ((p12 = d2i_PKCS12(NULL, (const unsigned char **)&data->octet_data,
531 data->octet_data_size)) != NULL) {
532 char *pass = NULL;
533 char tpass[PEM_BUFSIZE];
534 size_t tpass_len;
535 EVP_PKEY *pkey = NULL;
536 X509 *cert = NULL;
537 STACK_OF(X509) *chain = NULL;
538
539 data->object_type = OSSL_OBJECT_PKCS12;
540
541 if (PKCS12_verify_mac(p12, "", 0)
542 || PKCS12_verify_mac(p12, NULL, 0)) {
543 pass = "";
544 } else {
545 static char prompt_info[] = "PKCS12 import pass phrase";
546 OSSL_PARAM pw_params[] = {
547 OSSL_PARAM_utf8_string(OSSL_PASSPHRASE_PARAM_INFO,
548 prompt_info,
549 sizeof(prompt_info) - 1),
550 OSSL_PARAM_END
551 };
552
553 if (!ossl_pw_get_passphrase(tpass, sizeof(tpass), &tpass_len,
554 pw_params, 0, &ctx->pwdata)) {
555 ERR_raise(ERR_LIB_OSSL_STORE,
556 OSSL_STORE_R_PASSPHRASE_CALLBACK_ERROR);
557 goto p12_end;
558 }
559 pass = tpass;
560 if (!PKCS12_verify_mac(p12, pass, strlen(pass))) {
561 ERR_raise(ERR_LIB_OSSL_STORE,
562 OSSL_STORE_R_ERROR_VERIFYING_PKCS12_MAC);
563 goto p12_end;
564 }
565 }
566
567 if (PKCS12_parse(p12, pass, &pkey, &cert, &chain)) {
568 STACK_OF(OSSL_STORE_INFO) *infos = NULL;
569 OSSL_STORE_INFO *osi_pkey = NULL;
570 OSSL_STORE_INFO *osi_cert = NULL;
571 OSSL_STORE_INFO *osi_ca = NULL;
572 int ok = 1;
573
574 if ((infos = sk_OSSL_STORE_INFO_new_null()) != NULL) {
575 if (pkey != NULL) {
576 if ((osi_pkey = OSSL_STORE_INFO_new_PKEY(pkey)) != NULL
577 /* clearing pkey here avoids case distinctions */
578 && (pkey = NULL) == NULL
579 && sk_OSSL_STORE_INFO_push(infos, osi_pkey) != 0)
580 osi_pkey = NULL;
581 else
582 ok = 0;
583 }
584 if (ok && cert != NULL) {
585 if ((osi_cert = OSSL_STORE_INFO_new_CERT(cert)) != NULL
586 /* clearing cert here avoids case distinctions */
587 && (cert = NULL) == NULL
588 && sk_OSSL_STORE_INFO_push(infos, osi_cert) != 0)
589 osi_cert = NULL;
590 else
591 ok = 0;
592 }
593 while (ok && sk_X509_num(chain) > 0) {
594 X509 *ca = sk_X509_value(chain, 0);
595
596 if ((osi_ca = OSSL_STORE_INFO_new_CERT(ca)) != NULL
597 && sk_X509_shift(chain) != NULL
598 && sk_OSSL_STORE_INFO_push(infos, osi_ca) != 0)
599 osi_ca = NULL;
600 else
601 ok = 0;
602 }
603 }
604 EVP_PKEY_free(pkey);
605 X509_free(cert);
606 sk_X509_pop_free(chain, X509_free);
607 OSSL_STORE_INFO_free(osi_pkey);
608 OSSL_STORE_INFO_free(osi_cert);
609 OSSL_STORE_INFO_free(osi_ca);
610 if (!ok) {
611 sk_OSSL_STORE_INFO_pop_free(infos, OSSL_STORE_INFO_free);
612 infos = NULL;
613 }
614 ctx->cached_info = infos;
615 }
616 }
617 p12_end:
618 PKCS12_free(p12);
619 *v = sk_OSSL_STORE_INFO_shift(ctx->cached_info);
620 }
621
622 return 1;
623 }
A mirror of the official openssl repository