for the required condition. When using a buffering BIO, like a BIO pair, data
must be written into or retrieved out of the BIO before being able to continue.
+L<SSL_pending(3)|SSL_pending(3)> can be used to find out whether there
+are buffered bytes available for immediate retrieval. In this case
+SSL_read() can be called without blocking or actually receiving new
+data from the underlying socket.
+
=head1 WARNING
When an SSL_read() operation has to be repeated because of
L<SSL_CTX_set_mode(3)|SSL_CTX_set_mode(3)>, L<SSL_CTX_new(3)|SSL_CTX_new(3)>,
L<SSL_connect(3)|SSL_connect(3)>, L<SSL_accept(3)|SSL_accept(3)>
L<SSL_set_connect_state(3)|SSL_set_connect_state(3)>,
+L<SSL_pending(3)|SSL_pending(3)>,
L<SSL_shutdown(3)|SSL_shutdown(3)>, L<SSL_set_shutdown(3)|SSL_set_shutdown(3)>,
L<ssl(3)|ssl(3)>, L<bio(3)|bio(3)>
#ifdef OPENSSL_SYS_WIN32
#ifndef OPENSSL_NO_CAPIENG
+
#include <windows.h>
+
+#ifndef _WIN32_WINNT
+#define _WIN32_WINNT 0x0400
+#endif
+
#include <wincrypt.h>
#undef X509_EXTENSIONS
#undef X509_CERT_PAIR
+/* Definitions which may be missing from earlier version of headers */
+#ifndef CERT_STORE_OPEN_EXISTING_FLAG
+#define CERT_STORE_OPEN_EXISTING_FLAG 0x00004000
+#endif
+
+#ifndef CERT_STORE_CREATE_NEW_FLAG
+#define CERT_STORE_CREATE_NEW_FLAG 0x00002000
+#endif
+
#include <openssl/engine.h>
#include <openssl/pem.h>
+#include <openssl/x509v3.h>
#include "e_capi_err.h"
#include "e_capi_err.c"
/* Certificate store name to use */
LPTSTR storename;
LPTSTR ssl_client_store;
+ /* System store flags */
+ DWORD store_flags;
/* Lookup string meanings in load_private_key */
/* Substring of subject: uses "storename" */
#define CAPI_CMD_LIST_OPTIONS (ENGINE_CMD_BASE + 10)
#define CAPI_CMD_LOOKUP_METHOD (ENGINE_CMD_BASE + 11)
#define CAPI_CMD_STORE_NAME (ENGINE_CMD_BASE + 12)
+#define CAPI_CMD_STORE_FLAGS (ENGINE_CMD_BASE + 13)
static const ENGINE_CMD_DEFN capi_cmd_defns[] = {
{CAPI_CMD_LIST_CERTS,
"store_name",
"certificate store name, default \"MY\"",
ENGINE_CMD_FLAG_STRING},
+ {CAPI_CMD_STORE_FLAGS,
+ "store_flags",
+ "Certificate store flags: 1 = system store",
+ ENGINE_CMD_FLAG_NUMERIC},
{0, NULL, NULL, 0}
};
CAPI_trace(ctx, "Setting store name to %s\n", p);
break;
+ case CAPI_CMD_STORE_FLAGS:
+ if (i & 1)
+ {
+ ctx->store_flags |= CERT_SYSTEM_STORE_LOCAL_MACHINE;
+ ctx->store_flags &= ~CERT_SYSTEM_STORE_CURRENT_USER;
+ }
+ else
+ {
+ ctx->store_flags |= CERT_SYSTEM_STORE_CURRENT_USER;
+ ctx->store_flags &= ~CERT_SYSTEM_STORE_LOCAL_MACHINE;
+ }
+ CAPI_trace(ctx, "Setting flags to %d\n", i);
+ break;
+
case CAPI_CMD_DEBUG_LEVEL:
ctx->debug_level = (int)i;
CAPI_trace(ctx, "Setting debug level to %d\n", ctx->debug_level);
storename = "MY";
CAPI_trace(ctx, "Opening certificate store %s\n", storename);
- hstore = CertOpenSystemStore(0, storename);
+ hstore = CertOpenStore(CERT_STORE_PROV_SYSTEM_A, 0, 0,
+ ctx->store_flags, storename);
if (!hstore)
{
CAPIerr(CAPI_F_CAPI_OPEN_STORE, CAPI_R_ERROR_OPENING_STORE);
static CAPI_KEY *capi_get_cert_key(CAPI_CTX *ctx, PCCERT_CONTEXT cert)
{
- CAPI_KEY *key;
+ CAPI_KEY *key = NULL;
CRYPT_KEY_PROV_INFO *pinfo = NULL;
char *provname = NULL, *contname = NULL;
pinfo = capi_get_prov_info(ctx, cert);
provname = wide_to_asc(pinfo->pwszProvName);
contname = wide_to_asc(pinfo->pwszContainerName);
if (!provname || !contname)
- return 0;
-
+ goto err;
key = capi_get_key(ctx, contname, provname,
pinfo->dwProvType, pinfo->dwKeySpec);
ctx->keytype = AT_KEYEXCHANGE;
ctx->storename = NULL;
ctx->ssl_client_store = NULL;
+ ctx->store_flags = CERT_STORE_OPEN_EXISTING_FLAG |
+ CERT_STORE_READONLY_FLAG |
+ CERT_SYSTEM_STORE_CURRENT_USER;
ctx->lookup_method = CAPI_LU_SUBSTR;
ctx->debug_level = 0;
ctx->debug_file = NULL;
CAPI_trace(ctx, "Can't Parse Certificate %d\n", i);
continue;
}
- if (cert_issuer_match(ca_dn, x))
+ if (cert_issuer_match(ca_dn, x)
+ && X509_check_purpose(x, X509_PURPOSE_SSL_CLIENT, 0))
{
key = capi_get_cert_key(ctx, cert);
if (!key)
+ {
+ X509_free(x);
continue;
+ }
/* Match found: attach extra data to it so
* we can retrieve the key later.
*/
* CryptUIDlgSelectCertificateFromStore() to produce a dialog box.
*/
-#include <PrSht.h>
-#include <cryptuiapi.h>
+/* Definitions which are in cryptuiapi.h but this is not present in older
+ * versions of headers.
+ */
+
+#ifndef CRYPTUI_SELECT_LOCATION_COLUMN
+#define CRYPTUI_SELECT_LOCATION_COLUMN 0x000000010
+#define CRYPTUI_SELECT_INTENDEDUSE_COLUMN 0x000000004
+#endif
#define dlg_title L"OpenSSL Application SSL Client Certificate Selection"
#define dlg_prompt L"Select a certificate to use for authentication"
}
}
- hwnd = GetActiveWindow();
+ hwnd = GetForegroundWindow();
+ if (!hwnd)
+ hwnd = GetActiveWindow();
if (!hwnd && ctx->getconswindow)
hwnd = ctx->getconswindow();
/* Call dialog to select one */
}
#endif
+#endif
+#else /* !WIN32 */
+#include <openssl/engine.h>
+#ifndef OPENSSL_NO_DYNAMIC_ENGINE
+OPENSSL_EXPORT
+int bind_engine(ENGINE *e, const char *id, const dynamic_fns *fns) { return 0; }
+IMPLEMENT_DYNAMIC_CHECK_FN()
#endif
#endif
projects / openssl / commitdiff