Don't keep the store open in by_store_ctrl_ex - 3.0

crypto/x509/by_store.c

@@ -17,7 +17,6 @@ typedef struct cached_store_st {
     char *uri;
     OSSL_LIB_CTX *libctx;
     char *propq;
-    OSSL_STORE_CTX *ctx;
 } CACHED_STORE;
 
 DEFINE_STACK_OF(CACHED_STORE)
@@ -27,14 +26,12 @@ static int cache_objects(X509_LOOKUP *lctx, CACHED_STORE *store,
                          const OSSL_STORE_SEARCH *criterion, int depth)
 {
     int ok = 0;
-    OSSL_STORE_CTX *ctx = store->ctx;
+    OSSL_STORE_CTX *ctx;
     X509_STORE *xstore = X509_LOOKUP_get_store(lctx);
 
-    if (ctx == NULL
-        && (ctx = OSSL_STORE_open_ex(store->uri, store->libctx, store->propq,
-                                     NULL, NULL, NULL, NULL, NULL)) == NULL)
+    if ((ctx = OSSL_STORE_open_ex(store->uri, store->libctx, store->propq,
+                                  NULL, NULL, NULL, NULL, NULL)) == NULL)
         return 0;
-    store->ctx = ctx;
 
     /*
      * We try to set the criterion, but don't care if it was valid or not.
@@ -79,7 +76,6 @@ static int cache_objects(X509_LOOKUP *lctx, CACHED_STORE *store,
                 substore.uri = (char *)OSSL_STORE_INFO_get0_NAME(info);
                 substore.libctx = store->libctx;
                 substore.propq = store->propq;
-                substore.ctx = NULL;
                 ok = cache_objects(lctx, &substore, criterion, depth - 1);
             }
         } else {
@@ -105,7 +101,6 @@ static int cache_objects(X509_LOOKUP *lctx, CACHED_STORE *store,
             break;
     }
     OSSL_STORE_close(ctx);
-    store->ctx = NULL;
 
     return ok;
 }
@@ -114,7 +109,6 @@ static int cache_objects(X509_LOOKUP *lctx, CACHED_STORE *store,
 static void free_store(CACHED_STORE *store)
 {
     if (store != NULL) {
-        OSSL_STORE_close(store->ctx);
         OPENSSL_free(store->uri);
         OPENSSL_free(store->propq);
         OPENSSL_free(store);
@@ -148,6 +142,7 @@ static int by_store_ctrl_ex(X509_LOOKUP *ctx, int cmd, const char *argp,
         {
             STACK_OF(CACHED_STORE) *stores = X509_LOOKUP_get_method_data(ctx);
             CACHED_STORE *store = OPENSSL_zalloc(sizeof(*store));
+            OSSL_STORE_CTX *sctx;
 
             if (store == NULL) {
                 return 0;
@@ -157,14 +152,20 @@ static int by_store_ctrl_ex(X509_LOOKUP *ctx, int cmd, const char *argp,
             store->libctx = libctx;
             if (propq != NULL)
                 store->propq = OPENSSL_strdup(propq);
-            store->ctx = OSSL_STORE_open_ex(argp, libctx, propq, NULL, NULL,
-                                           NULL, NULL, NULL);
-            if (store->ctx == NULL
+            /*
+             * We open this to check for errors now - so we can report those
+             * errors early.
+             */
+            sctx = OSSL_STORE_open_ex(argp, libctx, propq, NULL, NULL,
+                                      NULL, NULL, NULL);
+            if (sctx == NULL
                 || (propq != NULL && store->propq == NULL)
                 || store->uri == NULL) {
+                OSSL_STORE_close(sctx);
                 free_store(store);
                 return use_default;
             }
+            OSSL_STORE_close(sctx);
 
             if (stores == NULL) {
                 stores = sk_CACHED_STORE_new_null();
@@ -184,7 +185,6 @@ static int by_store_ctrl_ex(X509_LOOKUP *ctx, int cmd, const char *argp,
         store.uri = (char *)argp;
         store.libctx = libctx;
         store.propq = (char *)propq;
-        store.ctx = NULL;
         return cache_objects(ctx, &store, NULL, 0);
     }
     default:
@@ -230,8 +230,14 @@ static int by_store_subject(X509_LOOKUP *ctx, X509_LOOKUP_TYPE type,
 
     OSSL_STORE_SEARCH_free(criterion);
 
-    if (ok)
+    if (ok) {
+        X509_STORE *store = X509_LOOKUP_get_store(ctx);
+
+        if (!X509_STORE_lock(store))
+            return 0;
         tmp = X509_OBJECT_retrieve_by_subject(store_objects, type, name);
+        X509_STORE_unlock(store);
+    }
 
     ok = 0;
     if (tmp != NULL) {

test/recipes/90-test_threads_data/store/.gitignore

@@ -0,0 +1,3 @@
+#The top level .gitignore ignores certificate files with the .0 extension
+#But we actually want them in this directory, so we override the top level rule
+!*.0

test/recipes/90-test_threads_data/store/8489a545.0

@@ -0,0 +1,19 @@
+-----BEGIN CERTIFICATE-----
+MIIDFjCCAf6gAwIBAgIBATANBgkqhkiG9w0BAQsFADASMRAwDgYDVQQDDAdSb290
+IENBMCAXDTIwMTIxMjIwMTEzN1oYDzIxMjAxMjEzMjAxMTM3WjASMRAwDgYDVQQD
+DAdSb290IENBMIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEA4eYA9Qa8
+oEY4eQ8/HnEZE20C3yubdmv8rLAh7daRCEI7pWM17FJboKJKxdYAlAOXWj25ZyjS
+feMhXKTtxjyNjoTRnVTDPdl0opZ2Z3H5xhpQd7P9eO5b4OOMiSPCmiLsPtQ3ngfN
+wCtVERc6NEIcaQ06GLDtFZRexv2eh8Yc55QaksBfBcFzQ+UD3gmRySTO2I6Lfi7g
+MUjRhipqVSZ66As2Tpex4KTJ2lxpSwOACFaDox+yKrjBTP7FsU3UwAGq7b7OJb3u
+aa32B81uK6GJVPVo65gJ7clgZsszYkoDsGjWDqtfwTVVfv1G7rrr3Laio+2Ff3ff
+tWgiQ35mJCOvxQIDAQABo3UwczAPBgNVHRMBAf8EBTADAQH/MAsGA1UdDwQEAwIB
+BjAdBgNVHQ4EFgQUjvUlrx6ba4Q9fICayVOcTXL3o1IwHwYDVR0jBBgwFoAUjvUl
+rx6ba4Q9fICayVOcTXL3o1IwEwYDVR0lBAwwCgYIKwYBBQUHAwEwDQYJKoZIhvcN
+AQELBQADggEBABWUjaqtkdRDhVAJZTxkJVgohjRrBwp86Y0JZWdCDua/sErmEaGu
+nQVxWWFWIgu6sb8tyQo3/7dBIQl3Rpij9bsgKhToO1OzoG3Oi3d0+zRDHfY6xNrj
+TUE00FeLHGNWsgZSIvu99DrGApT/+uPdWfJgMu5szillqW+4hcCUPLjG9ekVNt1s
+KhdEklo6PrP6eMbm6s22EIVUxqGE6xxAmrvyhlY1zJH9BJ23Ps+xabjG6OeMRZzT
+0F/fU7XIFieSO7rqUcjgo1eYc3ghsDxNUJ6TPBgv5z4SPnstoOBj59rjpJ7Qkpyd
+L17VfEadezat37Cpeha7vGDduCsyMfN4kiw=
+-----END CERTIFICATE-----

test/threadstest.c

@@ -30,6 +30,7 @@
 
 static int do_fips = 0;
 static char *privkey;
+static char *storedir;
 static char *config_file = NULL;
 static int multidefault_run = 0;
 static const char *default_provider[] = { "default", NULL };
@@ -582,7 +583,6 @@ static int test_multi_default(void)
 {
     thread_t thread1, thread2;
     int testresult = 0;
-    OSSL_PROVIDER *prov = NULL;
 
     /* Avoid running this test twice */
     if (multidefault_run) {
@@ -593,9 +593,6 @@ static int test_multi_default(void)
 
     multi_success = 1;
     multi_libctx = NULL;
-    prov = OSSL_PROVIDER_load(multi_libctx, "default");
-    if (!TEST_ptr(prov))
-        goto err;
 
     if (!TEST_true(run_thread(&thread1, thread_multi_simple_fetch))
             || !TEST_true(run_thread(&thread2, thread_multi_simple_fetch)))
@@ -611,7 +608,6 @@ static int test_multi_default(void)
     testresult = 1;
 
  err:
-    OSSL_PROVIDER_unload(prov);
     return testresult;
 }
 
@@ -663,6 +659,62 @@ static int test_lib_ctx_load_config(void)
                            1, default_provider);
 }
 
+static X509_STORE *store = NULL;
+
+static void test_x509_store_by_subject(void)
+{
+    X509_STORE_CTX *ctx;
+    X509_OBJECT *obj = NULL;
+    X509_NAME *name = NULL;
+    int success = 0;
+
+    ctx = X509_STORE_CTX_new();
+    if (!TEST_ptr(ctx))
+        goto err;
+
+    if (!TEST_true(X509_STORE_CTX_init(ctx, store, NULL, NULL)))
+        goto err;
+
+    name = X509_NAME_new();
+    if (!TEST_ptr(name))
+        goto err;
+    if (!TEST_true(X509_NAME_add_entry_by_txt(name, "CN", MBSTRING_ASC,
+                                              (unsigned char *)"Root CA",
+                                              -1, -1, 0)))
+        goto err;
+    obj = X509_STORE_CTX_get_obj_by_subject(ctx, X509_LU_X509, name);
+    if (!TEST_ptr(obj))
+        goto err;
+
+    success = 1;
+ err:
+    X509_OBJECT_free(obj);
+    X509_STORE_CTX_free(ctx);
+    X509_NAME_free(name);
+    if (!success)
+        multi_success = 0;
+}
+
+/* Test accessing an X509_STORE from multiple threads */
+static int test_x509_store(void)
+{
+    int ret = 0;
+
+    store = X509_STORE_new();
+    if (!TEST_ptr(store))
+        return 0;
+    if (!TEST_true(X509_STORE_load_store(store, storedir)))
+        goto err;
+
+    ret = thread_run_test(&test_x509_store_by_subject, MAXIMUM_THREADS,
+                          &test_x509_store_by_subject, 0, NULL);
+
+ err:
+    X509_STORE_free(store);
+    store = NULL;
+    return ret;
+}
+
 typedef enum OPTION_choice {
     OPT_ERR = -1,
     OPT_EOF = 0,
@@ -709,20 +761,24 @@ int setup_tests(void)
     if (!TEST_ptr(privkey))
         return 0;
 
+    storedir = test_mk_file_path(datadir, "store");
+
     /* Keep first to validate auto creation of default library context */
     ADD_TEST(test_multi_default);
-
     ADD_TEST(test_lock);
     ADD_TEST(test_once);
     ADD_TEST(test_thread_local);
     ADD_TEST(test_atomic);
     ADD_TEST(test_multi_load);
+
     ADD_ALL_TESTS(test_multi, 6);
     ADD_TEST(test_lib_ctx_load_config);
+    ADD_TEST(test_x509_store);
     return 1;
 }
 
 void cleanup_tests(void)
 {
     OPENSSL_free(privkey);
+    OPENSSL_free(storedir);
 }