Rework the "by store" X509_LOOKUP method to open the given URI early [3.3] #27551
Conversation
This file contains hidden or bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
levitte
added
approval: review pending
|
Making this a draft for the moment. Need to check the test suite |
The cached X509_LOOKUP method data is no longer just the URI, but now includes the OSSL_STORE_CTX pointer, and required parameters to reopen the URI at any time. cache_objects() is modified to handle this, and only (re)open the URI when it wasn't previously opened, or when it was closed by an earlier call. This way, we can call OSSL_STORE_open_ex() in by_store_ctrl_ex(), and get to see possible errors when the URI is loaded. This assumes that if the URI could be opened once, it can be opened again. Fixes openssl#27461 Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#27529) (cherry picked from commit 0c48ee2)
Originally from openssl#27507, with some changes. Co-authored-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from openssl#27529) (cherry picked from commit 927deba)
It was used to pass libctx and propq, which would override the corresponding values passed to by_store_ctrl_ex(). This wasn't really reasonable to do either way, as it could potentially be a surprise to the user, who can reasonably expect that the URI is opened with the libctx and propq that was passed with the URI, and not with those passed later. Reviewed-by: David von Oheimb <david.von.oheimb@siemens.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from openssl#27529) (cherry picked from commit af5952d)
|
I've just verified that this cherry-picks cleanly to OpenSSL 3.2 |
|
I've also verified that this cherry-picks cleanly to OpenSSL 3.0, |
levitte
added
branch: 3.0
|
Style needed to be waived here too, for the same reason as in #27529 |
|
close/open to kick the workflows |
t8m
approved these changes
May 5, 2025
|
I had a look at the changes and would have liked to approve them, but feel that I do not have sufficient familiarity with |
beldmit
added
approval: done
openssl-machine
added
approval: ready to merge
|
This pull request is ready to merge |
|
Thank you @openssl-machine. Merging now |
openssl-machine
pushed a commit
that referenced
this pull request
May 20, 2025
The cached X509_LOOKUP method data is no longer just the URI, but now includes the OSSL_STORE_CTX pointer, and required parameters to reopen the URI at any time. cache_objects() is modified to handle this, and only (re)open the URI when it wasn't previously opened, or when it was closed by an earlier call. This way, we can call OSSL_STORE_open_ex() in by_store_ctrl_ex(), and get to see possible errors when the URI is loaded. This assumes that if the URI could be opened once, it can be opened again. Fixes #27461 (cherry picked from commit 0c48ee2) Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #27551)
openssl-machine
pushed a commit
that referenced
this pull request
May 20, 2025
It was used to pass libctx and propq, which would override the corresponding values passed to by_store_ctrl_ex(). This wasn't really reasonable to do either way, as it could potentially be a surprise to the user, who can reasonably expect that the URI is opened with the libctx and propq that was passed with the URI, and not with those passed later. (cherry picked from commit af5952d) Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #27551)
openssl-machine
pushed a commit
that referenced
this pull request
May 20, 2025
The cached X509_LOOKUP method data is no longer just the URI, but now includes the OSSL_STORE_CTX pointer, and required parameters to reopen the URI at any time. cache_objects() is modified to handle this, and only (re)open the URI when it wasn't previously opened, or when it was closed by an earlier call. This way, we can call OSSL_STORE_open_ex() in by_store_ctrl_ex(), and get to see possible errors when the URI is loaded. This assumes that if the URI could be opened once, it can be opened again. Fixes #27461 (cherry picked from commit 0c48ee2) Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #27551) (cherry picked from commit 08220ef)
openssl-machine
pushed a commit
that referenced
this pull request
May 20, 2025
Originally from #27507, with some changes. Co-authored-by: Richard Levitte <levitte@openssl.org> (cherry picked from commit 927deba) Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from #27551) (cherry picked from commit 6143e70)
openssl-machine
pushed a commit
that referenced
this pull request
May 20, 2025
It was used to pass libctx and propq, which would override the corresponding values passed to by_store_ctrl_ex(). This wasn't really reasonable to do either way, as it could potentially be a surprise to the user, who can reasonably expect that the URI is opened with the libctx and propq that was passed with the URI, and not with those passed later. (cherry picked from commit af5952d) Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #27551) (cherry picked from commit 8bc0f67)
|
Merged 3.3: 08220ef Rework the "by store" X509_LOOKUP method to open the given URI early 3.2: 1432e85 Rework the "by store" X509_LOOKUP method to open the given URI early 3.0: 340383f Rework the "by store" X509_LOOKUP method to open the given URI early |
openssl-machine
pushed a commit
that referenced
this pull request
May 20, 2025
The cached X509_LOOKUP method data is no longer just the URI, but now includes the OSSL_STORE_CTX pointer, and required parameters to reopen the URI at any time. cache_objects() is modified to handle this, and only (re)open the URI when it wasn't previously opened, or when it was closed by an earlier call. This way, we can call OSSL_STORE_open_ex() in by_store_ctrl_ex(), and get to see possible errors when the URI is loaded. This assumes that if the URI could be opened once, it can be opened again. Fixes #27461 (cherry picked from commit 0c48ee2) Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #27551) (cherry picked from commit 08220ef)
openssl-machine
pushed a commit
that referenced
this pull request
May 20, 2025
Originally from #27507, with some changes. Co-authored-by: Richard Levitte <levitte@openssl.org> (cherry picked from commit 927deba) Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from #27551) (cherry picked from commit 6143e70)
openssl-machine
pushed a commit
that referenced
this pull request
May 20, 2025
It was used to pass libctx and propq, which would override the corresponding values passed to by_store_ctrl_ex(). This wasn't really reasonable to do either way, as it could potentially be a surprise to the user, who can reasonably expect that the URI is opened with the libctx and propq that was passed with the URI, and not with those passed later. (cherry picked from commit af5952d) Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from #27551) (cherry picked from commit 8bc0f67)
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
This is a backport of #27529 to OpenSSL 3.3