Rework the "by store" X509_LOOKUP method to open the given URI early [3.4] #27550
Closed
levitte wants to merge 4 commits into openssl:openssl-3.4 from
Conversation
The cached X509_LOOKUP method data is no longer just the URI, but now includes the OSSL_STORE_CTX pointer, and required parameters to reopen the URI at any time. cache_objects() is modified to handle this, and only (re)open the URI when it wasn't previously opened, or when it was closed by an earlier call. This way, we can call OSSL_STORE_open_ex() in by_store_ctrl_ex(), and get to see possible errors when the URI is loaded. This assumes that if the URI could be opened once, it can be opened again.

Fixes openssl#27461

Reviewed-by: David von Oheimb <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from openssl#27529)
(cherry picked from commit 0c48ee2)
Originally from openssl#27507, with some changes.

Co-authored-by: Richard Levitte <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
Reviewed-by: Richard Levitte <[email protected]>
(Merged from openssl#27529)
(cherry picked from commit 927deba)
It was used to pass libctx and propq, which would override the corresponding values passed to by_store_ctrl_ex(). This wasn't really reasonable to do either way, as it could potentially be a surprise to the user, who can reasonably expect that the URI is opened with the libctx and propq that was passed with the URI, and not with those passed later.

Reviewed-by: David von Oheimb <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from openssl#27529)
(cherry picked from commit af5952d)
levitte (Member, Author):
Ah, this suffers from the same code style check failure as #27529 did. Ok, waiving style.
levitte (Member, Author):
Close/open to kick the workflows.
t8m approved these changes on May 5, 2025.
DDvO approved these changes on May 5, 2025.
Collaborator:
This pull request is ready to merge.
openssl-machine pushed a commit that referenced this pull request on May 6, 2025:

The cached X509_LOOKUP method data is no longer just the URI, but now includes the OSSL_STORE_CTX pointer, and required parameters to reopen the URI at any time. cache_objects() is modified to handle this, and only (re)open the URI when it wasn't previously opened, or when it was closed by an earlier call. This way, we can call OSSL_STORE_open_ex() in by_store_ctrl_ex(), and get to see possible errors when the URI is loaded. This assumes that if the URI could be opened once, it can be opened again.

Fixes #27461

Reviewed-by: David von Oheimb <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from #27550)
openssl-machine pushed a commit that referenced this pull request on May 6, 2025:

Originally from #27507, with some changes.

Co-authored-by: Richard Levitte <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
Reviewed-by: Richard Levitte <[email protected]>
(Merged from #27550)
openssl-machine pushed a commit that referenced this pull request on May 6, 2025:

It was used to pass libctx and propq, which would override the corresponding values passed to by_store_ctrl_ex(). This wasn't really reasonable to do either way, as it could potentially be a surprise to the user, who can reasonably expect that the URI is opened with the libctx and propq that was passed with the URI, and not with those passed later.

Reviewed-by: David von Oheimb <[email protected]>
Reviewed-by: Tomas Mraz <[email protected]>
(Merged from #27550)
PR description (levitte):
This is a backport of #27529 to OpenSSL 3.4, with test fixup.