@@ -19,7 +19,7 @@ AlwaysBreakBeforeMultilineStrings: false

 AlwaysBreakTemplateDeclarations: MultiLine

 BinPackArguments: true

 BinPackParameters: true

-BraceWrapping:   

+BraceWrapping:

   AfterClass:      true

   AfterControlStatement: false

   AfterEnum:       false

@@ -55,12 +55,12 @@ DerivePointerAlignment: true

 DisableFormat:   false

 ExperimentalAutoDetectBinPacking: false

 FixNamespaceComments: true

-ForEachMacros:   

+ForEachMacros:

   - foreach

   - Q_FOREACH

   - BOOST_FOREACH

 IncludeBlocks:   Preserve

-IncludeCategories: 

+IncludeCategories:

   - Regex:           '^"(llvm|llvm-c|clang|clang-c)/'

     Priority:        2

   - Regex:           '^(<|"(gtest|gmock|isl|json)/)'

@@ -111,6 +111,9 @@ SpacesInCStyleCastParentheses: false

 SpacesInParentheses: false

 SpacesInSquareBrackets: false

 Standard:        Cpp11

+StatementMacros:

+  - Q_UNUSED

+  - QT_REQUIRE_VERSION

 TabWidth:        8

 UseTab:          Never

 ...

@@ -27,12 +27,36 @@ clamsubmit_SOURCES = \

     $(top_srcdir)/shared/getopt.h \

     $(top_srcdir)/shared/misc.c \

     $(top_srcdir)/shared/misc.h \

+    $(top_srcdir)/shared/cert_util.c \

+    $(top_srcdir)/shared/cert_util.h \

+    $(top_srcdir)/shared/cert_util_internal.h \

 	clamsubmit.c

+if MACOS

+    clamsubmit_SOURCES += \

+        $(top_srcdir)/shared/mac/cert_util_mac.m \

+        $(top_srcdir)/shared/cert_util.h

+endif

+if WINDOWS

+    clamsubmit_SOURCES += \

+        $(top_srcdir)/shared/win/cert_util_win.c \

+        $(top_srcdir)/shared/cert_util.h

+endif

+if LINUX

+    clamsubmit_SOURCES += \

+        $(top_srcdir)/shared/linux/cert_util_linux.c \

+        $(top_srcdir)/shared/cert_util.h

+endif

+

+

 AM_CFLAGS=@WERR_CFLAGS@ @CLAMSUBMIT_CFLAGS@

 DEFS = @DEFS@ -DCL_NOTHREADS

 AM_CPPFLAGS = -I$(top_srcdir) -I$(top_srcdir)/shared -I$(top_srcdir)/libclamav @SSL_CPPFLAGS@ @JSON_CPPFLAGS@ @PCRE_CPPFLAGS@

 LIBS = $(top_builddir)/libclamav/libclamav.la @CLAMSUBMIT_LIBS@ @THREAD_LIBS@ @JSON_LIBS@

+if MACOS

+AM_LDFLAGS = -framework CoreFoundation -framework Security

+endif

+

 AM_INSTALLCHECK_STD_OPTIONS_EXEMPT=clamsubmit$(EXEEXT)

 CLEANFILES=*.gcda *.gcno

@@ -16,6 +16,9 @@

 #include "libclamav/others.h"

 #include "shared/misc.h"

 #include "shared/getopt.h"

+#if defined(C_DARWIN) || defined(_WIN32)

+#include "shared/cert_util.h"

+#endif

 #define OPTS "e:p:n:N:V:H:h?v?d"

@@ -141,96 +144,6 @@ const char *presigned_get_string(json_object *ps_json_obj, char *key)

     return json_str;

 }

-#ifdef _WIN32

-CURLcode sslctx_function(CURL *curl, void *ssl_ctx, void *userptr)

-{

-    CURLcode status = CURLE_BAD_FUNCTION_ARGUMENT;

-

-    uint32_t numCertificatesFound = 0;

-

-    HCERTSTORE hStore              = NULL;

-    PCCERT_CONTEXT pWinCertContext = NULL;

-    X509 *x509                     = NULL;

-    X509_STORE *store              = SSL_CTX_get_cert_store((SSL_CTX *)ssl_ctx);

-

-    hStore = CertOpenSystemStoreA(NULL, "ROOT");

-

-    if (NULL == hStore) {

-        fprintf(stderr, "ERROR: Failed to open system certificate store.\n");

-        goto done;

-    }

-

-    while (NULL != (pWinCertContext = CertEnumCertificatesInStore(hStore, pWinCertContext))) {

-        int addCertResult                 = 0;

-        const unsigned char *encoded_cert = pWinCertContext->pbCertEncoded;

-

-        x509 = NULL;

-        x509 = d2i_X509(NULL, &encoded_cert, pWinCertContext->cbCertEncoded);

-        if (NULL == x509) {

-            fprintf(stderr, "ERROR: Failed to convert system certificate to x509.\n");

-            continue;

-        }

-

-        addCertResult = X509_STORE_add_cert(store, x509);

-        if (1 != addCertResult) {

-            fprintf(stderr, "ERROR: Failed to add x509 certificate to openssl certificate store.\n");

-            continue;

-        }

-

-        if (g_debug) {

-            char *issuer     = NULL;

-            size_t issuerLen = 0;

-            issuerLen        = CertGetNameStringA(pWinCertContext, CERT_NAME_FRIENDLY_DISPLAY_TYPE, CERT_NAME_ISSUER_FLAG, NULL, NULL, 0);

-

-            issuer = cli_malloc(issuerLen);

-            if (NULL == issuer) {

-                fprintf(stderr, "ERROR: Failed to allocate memory for certificate name.\n");

-                status = CURLE_OUT_OF_MEMORY;

-                goto done;

-            }

-

-            if (0 == CertGetNameStringA(pWinCertContext, CERT_NAME_FRIENDLY_DISPLAY_TYPE, CERT_NAME_ISSUER_FLAG, NULL, issuer, issuerLen)) {

-                fprintf(stderr, "ERROR: Failed to get friendly display name for certificate.\n");

-            } else {

-                fprintf(stdout, "Certificate loaded from Windows certificate store: %s\n", issuer);

-            }

-

-            free(issuer);

-        }

-

-        numCertificatesFound++;

-        X509_free(x509);

-    }

-

-    DWORD lastError = GetLastError();

-    switch (lastError) {

-        case E_INVALIDARG:

-            fprintf(stderr, "ERROR: The handle in the hCertStore parameter is not the same as that in the certificate context pointed to by pPrevCertContext.\n");

-            break;

-        case CRYPT_E_NOT_FOUND:

-        case ERROR_NO_MORE_FILES:

-            if (0 == numCertificatesFound) {

-                fprintf(stderr, "ERROR: No certificates were found.\n");

-            }

-            break;

-        default:

-            fprintf(stderr, "ERROR: Unexpected error code from CertEnumCertificatesInStore()\n");

-    }

-

-done:

-

-    if (NULL != pWinCertContext) {

-        CertFreeCertificateContext(pWinCertContext);

-    }

-    if (NULL != hStore) {

-        CertCloseStore(hStore, 0);

-    }

-

-    status = CURLE_OK;

-    return status;

-}

-#endif

-

 int main(int argc, char *argv[])

 {

     int status      = 1;

@@ -327,7 +240,7 @@ int main(int argc, char *argv[])

 		fprintf(stderr, "ERROR: Failed to set HTTP version to 1.1 (to prevent 2.0 responses which we don't yet parse properly)!\n");

 	}

-#ifdef _WIN32

+#if defined(C_DARWIN) || defined(_WIN32)

     if (CURLE_OK != curl_easy_setopt(clam_curl, CURLOPT_SSL_CTX_FUNCTION, *sslctx_function)) {

         fprintf(stderr, "ERROR: Failed to set SSL CTX function!\n");

     }

@@ -23,6 +23,8 @@ AC_PREREQ([2.59])

 dnl For a release change [devel] to the real version [0.xy]

 dnl also change VERSION below

 AC_INIT([ClamAV], [0.102.0-devel], [https://bugzilla.clamav.net/], [clamav], [https://www.clamav.net/])

+dnl put configure auxiliary into config

+AC_CONFIG_AUX_DIR([config])

 dnl put configure auxiliary into config

 AC_CONFIG_AUX_DIR([config])

@@ -155,6 +157,28 @@ else

     mspack_msg="External, $LIBMSPACK_CFLAGS $LIBMSPACK_LIBS"

 fi

+# Detect the target system

+build_linux=no

+build_windows=no

+build_mac=no

+

+case "${host_os}" in

+    cygwin*|mingw*)

+        build_windows=yes

+        ;;

+    darwin*)

+        AC_PROG_OBJC

+        build_mac=yes

+        ;;

+    *)

+        build_linux=yes

+        ;;

+esac

+

+AM_CONDITIONAL([LINUX], [test "$build_linux" = "yes"])

+AM_CONDITIONAL([WINDOWS], [test "$build_windows" = "yes"])

+AM_CONDITIONAL([MACOS], [test "$build_mac" = "yes"])

+

 AC_CONFIG_FILES([

 clamscan/Makefile

 database/Makefile

@@ -20,6 +20,10 @@ libfreshclam_la_LIBADD = $(top_builddir)/libclamav/libclamav.la @FRESHCLAM_LIBS@

 libfreshclam_la_DEPENDENCIES = @LTDLDEPS@

 libfreshclam_la_LDFLAGS = @CURL_LDFLAGS@ @SSL_LDFLAGS@ @TH_SAFE@ @JSON_LDFLAGS@ @ICONV_LDFLAGS@ $(XML_LIBS) -version-info @LIBFRESHCLAM_VERSION@ -no-undefined

+if MACOS

+libfreshclam_la_LDFLAGS += -framework CoreFoundation -framework Security

+endif

+

 if VERSIONSCRIPT

 libfreshclam_la_LDFLAGS += -Wl,@VERSIONSCRIPTFLAG@,@top_srcdir@/libfreshclam/libfreshclam.map

 endif

@@ -41,12 +45,31 @@ libfreshclam_la_SOURCES = \

     $(top_srcdir)/shared/cdiff.h \

     $(top_srcdir)/shared/tar.c \

     $(top_srcdir)/shared/tar.h \

+    $(top_srcdir)/shared/cert_util.c \

+    $(top_srcdir)/shared/cert_util.h \

+    $(top_srcdir)/shared/cert_util_internal.h \

     libfreshclam.c \

     libfreshclam_internal.c \

     libfreshclam_internal.h \

     dns.c \

     dns.h

+if MACOS

+    libfreshclam_la_SOURCES += \

+        $(top_srcdir)/shared/mac/cert_util_mac.m \

+        $(top_srcdir)/shared/cert_util.h

+endif

+if WINDOWS

+    libfreshclam_la_SOURCES += \

+        $(top_srcdir)/shared/win/cert_util_win.c \

+        $(top_srcdir)/shared/cert_util.h

+endif

+if LINUX

+    libfreshclam_la_SOURCES += \

+        $(top_srcdir)/shared/linux/cert_util_linux.c \

+        $(top_srcdir)/shared/cert_util.h

+endif

+

 lib_LTLIBRARIES = libfreshclam.la

@@ -65,8 +65,8 @@

 #include <zlib.h>

 #include <math.h>

-#ifdef _WIN32

-#include <wincrypt.h>

+#if defined(C_DARWIN) || defined(_WIN32)

+#include <cert_util.h>

 #endif

 #include <curl/curl.h>

@@ -82,6 +82,7 @@

 #include "shared/cdiff.h"

 #include "shared/tar.h"

 #include "shared/clamdcom.h"

+#include "shared/cert_util.h"

 #include "libclamav/clamav.h"

 #include "libclamav/others.h"

@@ -136,97 +137,6 @@ static int textrecordfield(const char *database)

     return 0;

 }

-#ifdef _WIN32

-CURLcode sslctx_function(CURL *curl, void *ssl_ctx, void *userptr)

-{

-    CURLcode status = CURLE_BAD_FUNCTION_ARGUMENT;

-

-    uint32_t numCertificatesFound = 0;

-    DWORD lastError;

-

-    HCERTSTORE hStore              = NULL;

-    PCCERT_CONTEXT pWinCertContext = NULL;

-    X509 *x509                     = NULL;

-    X509_STORE *store              = SSL_CTX_get_cert_store((SSL_CTX *)ssl_ctx);

-

-    hStore = CertOpenSystemStoreA(NULL, "ROOT");

-

-    if (NULL == hStore) {

-        logg("!Failed to open system certificate store.\n");

-        goto done;

-    }

-

-    while (NULL != (pWinCertContext = CertEnumCertificatesInStore(hStore, pWinCertContext))) {

-        int addCertResult                 = 0;

-        const unsigned char *encoded_cert = pWinCertContext->pbCertEncoded;

-

-        x509 = NULL;

-        x509 = d2i_X509(NULL, &encoded_cert, pWinCertContext->cbCertEncoded);

-        if (NULL == x509) {

-            logg("!Failed to convert system certificate to x509.\n");

-            continue;

-        }

-

-        addCertResult = X509_STORE_add_cert(store, x509);

-        if (1 != addCertResult) {

-            logg("!Failed to add x509 certificate to openssl certificate store.\n");

-            continue;

-        }

-

-        if (logg_verbose) {

-            char *issuer     = NULL;

-            size_t issuerLen = 0;

-            issuerLen        = CertGetNameStringA(pWinCertContext, CERT_NAME_FRIENDLY_DISPLAY_TYPE, CERT_NAME_ISSUER_FLAG, NULL, NULL, 0);

-

-            issuer = cli_malloc(issuerLen);

-            if (NULL == issuer) {

-                logg("!Failed to allocate memory for certificate name.\n");

-                status = CURLE_OUT_OF_MEMORY;

-                goto done;

-            }

-

-            if (0 == CertGetNameStringA(pWinCertContext, CERT_NAME_FRIENDLY_DISPLAY_TYPE, CERT_NAME_ISSUER_FLAG, NULL, issuer, issuerLen)) {

-                logg("!Failed to get friendly display name for certificate.\n");

-            } else {

-                logg("Certificate loaded from Windows certificate store: %s\n", issuer);

-            }

-

-            free(issuer);

-        }

-

-        numCertificatesFound++;

-        X509_free(x509);

-    }

-

-    lastError = GetLastError();

-    switch (lastError) {

-        case E_INVALIDARG:

-            logg("!The handle in the hCertStore parameter is not the same as that in the certificate context pointed to by pPrevCertContext.\n");

-            break;

-        case CRYPT_E_NOT_FOUND:

-        case ERROR_NO_MORE_FILES:

-            if (0 == numCertificatesFound) {

-                logg("!No certificates were found.\n");

-            }

-            break;

-        default:

-            logg("!Unexpected error code from CertEnumCertificatesInStore()\n");

-    }

-

-done:

-

-    if (NULL != pWinCertContext) {

-        CertFreeCertificateContext(pWinCertContext);

-    }

-    if (NULL != hStore) {

-        CertCloseStore(hStore, 0);

-    }

-

-    status = CURLE_OK;

-    return status;

-}

-#endif

-

 #if LIBCURL_VERSION_NUM >= 0x073d00

 /* In libcurl 7.61.0, support was added for extracting the time in plain

    microseconds. Older libcurl versions are stuck in using 'double' for this

@@ -497,7 +407,7 @@ static fc_error_t create_curl_handle(

         }

     }

-#ifdef _WIN32

+#if defined(C_DARWIN) || defined(_WIN32)

     if (CURLE_OK != curl_easy_setopt(curl, CURLOPT_SSL_CTX_FUNCTION, *sslctx_function)) {

         logg("!create_curl_handle: Failed to set SSL CTX function!\n");

     }

new file mode 100644

@@ -0,0 +1,546 @@

+/*

+ *  OpenSSL certificate caching.

+ *

+ *  Copyright (C) 2016-2019 Cisco Systems, Inc. and/or its affiliates. All rights reserved.

+ *

+ *  Authors: Russ Kubik

+ *

+ *  This program is free software; you can redistribute it and/or modify

+ *  it under the terms of the GNU General Public License version 2 as

+ *  published by the Free Software Foundation.

+ *

+ *  This program is distributed in the hope that it will be useful,

+ *  but WITHOUT ANY WARRANTY; without even the implied warranty of

+ *  MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.  See the

+ *  GNU General Public License for more details.

+ *

+ *  You should have received a copy of the GNU General Public License

+ *  along with this program; if not, write to the Free Software

+ *  Foundation, Inc., 51 Franklin Street, Fifth Floor, Boston,

+ *  MA 02110-1301, USA.

+ */

+

+#include <openssl/x509.h>

+#include <openssl/pem.h>

+#include <openssl/err.h>

+#include <string.h>

+#include <pthread.h>

+

+#include "cert_util.h"

+#include "cert_util_internal.h"

+

+#include "output.h"

+

+static cert_store_t _cert_store = {

+    .mutex = PTHREAD_MUTEX_INITIALIZER};

+

+static cl_error_t _x509_to_pem(X509 *cert,

+                               char **data,

+                               int *len)

+{

+    cl_error_t ret = CL_EFORMAT;

+

+    BIO *out       = NULL;

+    long pem_len   = 0;

+    char *pem_data = NULL;

+

+    if (cert == NULL || data == NULL || len == NULL) {

+        mprintf("!_x509_to_pem: Invalid argument\n");

+        goto done;

+    }

+

+    /* Output the certs to a new BIO using the PEM format */

+    out = BIO_new(BIO_s_mem());

+    if (!out) {

+        mprintf("!BIO_new failed\n");

+        goto done;

+    }

+

+    PEM_write_bio_X509(out, cert);

+

+    (void)BIO_flush(out);

+

+    /* Convert the BIO to char* */

+    pem_len = BIO_get_mem_data(out, &pem_data);

+    if (pem_len <= 0 || !pem_data) {

+        mprintf("!BIO_new: BIO_get_mem_data failed\n");

+        BIO_free_all(out);

+        goto done;

+    }

+

+    *data = calloc(1, pem_len + 1);

+    if (!*data) {

+        mprintf("!BIO_new: malloc failed\n");

+        BIO_free_all(out);

+        goto done;

+    }

+    memcpy(*data, pem_data, pem_len);

+    (*data)[pem_len] = '\0';

+

+    *len = (int)pem_len;

+

+    BIO_free_all(out);

+

+    ret = CL_SUCCESS;

+

+done:

+    return (0);

+}

+

+/**

+ * @brief This method will convert a X509 certificate to PEM format and append

+ *        it to a string buffer.

+ *

+ * @note If realloc fails to reserve memory for *cert_data it will free whatever

+ *       is currently in *cert_data before returning. total_buf_len is also set

+ *       to 0 (zero) in this case.

+ *

+ * @param[in] *ca_cert Pointer to CA certificate

+ * @param[out] **cert_data Pointer to allocated string buffer

+ * @param[out] *total_buf_len Total of string buffer length after appending

+ *                            CA certificate (ca_cert)

+ * @param[in,out] *remaining_buf_len Remaining data left allowed in CA certificate

+ *                                   chain after appending CA certificate

+ *                                   (ca_cert)

+ *

+ * @return 0 on success, -1 on error

+ */

+static cl_error_t _x509_to_pem_append(X509 *ca_cert,

+                                      char **cert_data,

+                                      int *total_buf_len,

+                                      size_t *remaining_buf_len)

+{

+    char *pem_data = NULL;

+    char *tmp;

+    int pem_data_len = 0;

+    cl_error_t ret   = CL_EOPEN;

+    int current_len  = 0;

+

+    if (ca_cert == NULL || total_buf_len == NULL ||

+        remaining_buf_len == NULL || *cert_data == NULL) {

+        mprintf("!NULL parameter given\n");

+        goto done;

+    }

+

+    current_len = *total_buf_len;

+

+    if (_x509_to_pem(ca_cert, &pem_data, &pem_data_len) != 0) {

+        mprintf("!Failed to convert x509 certificate to PEM\n");

+        goto done;

+    }

+

+    if (pem_data_len > (int)*remaining_buf_len) {

+        tmp = realloc(*cert_data, current_len + pem_data_len + 1);

+        if (tmp == NULL) {

+            mprintf("!Could not realloc enough memory for PEM "

+                    "certificate\n");

+

+            free(*cert_data);

+            *cert_data     = NULL;

+            *total_buf_len = 0;

+

+            goto done;

+        }

+        *cert_data         = tmp;

+        tmp                = NULL;

+        *remaining_buf_len = 0;

+    } else {

+        *remaining_buf_len -= pem_data_len;

+    }

+

+    memcpy(&((*cert_data)[current_len]), pem_data, pem_data_len);

+    *total_buf_len               = current_len + pem_data_len;

+    (*cert_data)[*total_buf_len] = '\0';

+

+    ret = CL_SUCCESS;

+

+done:

+

+    free(pem_data);

+    pem_data = NULL;

+    return ret;

+}

+

+cert_store_t *cert_store_get_int(void)

+{

+    return &_cert_store;

+}

+

+void cert_store_unload_int(void)

+{

+    if (_cert_store.loaded) {

+        cert_store_free_cert_list_int(&_cert_store.system_certs);

+        cert_store_free_cert_list_int(&_cert_store.trusted_certs);

+        _cert_store.loaded = false;

+    }

+}

+

+void cert_store_free_cert_list_int(cert_list_t *cert_list)

+{

+    size_t i;

+

+    if (cert_list && cert_list->certificates) {

+        for (i = 0; i < cert_list->count; ++i) {

+            X509_free(cert_list->certificates[i]);

+            cert_list->certificates[i] = NULL;

+        }

+

+        free(cert_list->certificates);

+        cert_list->certificates = NULL;

+        cert_list->count        = 0L;

+    }

+}

+

+void cert_store_unload(void)

+{

+    int pt_err;

+

+    pt_err = pthread_mutex_lock(&_cert_store.mutex);

+    if (pt_err) {

+        errno = pt_err;

+        mprintf("!Mutex lock failed\n");

+    }

+

+    cert_store_unload_int();

+

+    pt_err = pthread_mutex_unlock(&_cert_store.mutex);

+    if (pt_err) {

+        errno = pt_err;

+        mprintf("!Mutex unlock failed\n");

+    }

+}

+

+cl_error_t cert_store_export_pem(char **cert_data,

+                                 int *cert_data_len,

+                                 X509 *additional_ca_cert)

+{

+    const uint32_t STARTING_RAW_PEM_LENGTH = 350 * 1024;

+    uint32_t i;

+    cl_error_t ret = CL_EOPEN;

+    bool locked    = false;

+    int pt_err;

+

+    size_t remaining_buf_len    = STARTING_RAW_PEM_LENGTH;

+    bool add_additional_ca_cert = true;

+

+    if ((cert_data == NULL) || (cert_data_len == NULL)) {

+        mprintf("!One or more arguments are NULL\n");

+        goto done;

+    }

+

+    *cert_data = calloc(1, STARTING_RAW_PEM_LENGTH + 1);

+    if (*cert_data == NULL) {

+        mprintf("!Could not allocate memory for PEM certs\n");

+        goto done;

+    }

+    *cert_data_len = 0;

+

+    pt_err = pthread_mutex_lock(&_cert_store.mutex);

+    if (pt_err) {

+        errno = pt_err;

+        mprintf("!Mutex lock failed\n");

+    }

+    locked = true;

+

+    if (!_cert_store.loaded) {

+        goto done;

+    }

+

+    /* Load system root ca certs into list */

+    for (i = 0; i < _cert_store.system_certs.count; ++i) {

+        if (_x509_to_pem_append(_cert_store.system_certs.certificates[i],

+                                cert_data,

+                                cert_data_len,

+                                &remaining_buf_len) != 0) {

+            goto done;

+        }

+        /*

+         * Two certs by the same name can cause conflicts. Trust the

+         * one in the OS certificate/key store if the additional CA

+         * name matches that of one in the store.

+         */

+        if (additional_ca_cert && additional_ca_cert->cert_info &&

+            (strcmp(_cert_store.system_certs.certificates[i]->name,

+                    additional_ca_cert->name) == 0)) {

+            add_additional_ca_cert = false;

+        }

+    }

+

+    /* Load trusted ca certs into list */

+    for (i = 0; i < _cert_store.trusted_certs.count; ++i) {

+        if (_x509_to_pem_append(_cert_store.trusted_certs.certificates[i],

+                                cert_data,

+                                cert_data_len,

+                                &remaining_buf_len) != 0) {

+            goto done;

+        }

+        /*

+         * Two certs by the same name can cause conflicts. Trust the

+         * one in the OS certificate/key store if the additional CA

+         * name matches that of one in the store.

+         */

+        if (additional_ca_cert && additional_ca_cert->cert_info &&

+            (strcmp(_cert_store.trusted_certs.certificates[i]->name,

+                    additional_ca_cert->name) == 0)) {

+            add_additional_ca_cert = false;

+        }

+    }

+

+    /* End with the additional CA certificate if provided */

+    if (additional_ca_cert && add_additional_ca_cert && *cert_data) {

+        /* Return an error only if we were unable to allocate memory */

+        if (_x509_to_pem_append(additional_ca_cert,

+                                cert_data,

+                                cert_data_len,

+                                &remaining_buf_len) != 0) {

+            goto done;

+        }

+    }

+

+    ret = CL_SUCCESS;

+done:

+    if (locked) {

+        pt_err = pthread_mutex_unlock(&_cert_store.mutex);

+        if (pt_err) {

+            errno = pt_err;

+            mprintf("!Mutex unlock failed\n");

+        }

+        locked = false;

+    }

+

+    if (ret != CL_SUCCESS && cert_data && *cert_data) {

+        free(*cert_data);

+        *cert_data = NULL;

+    }

+

+    return ret;

+}

+

+cl_error_t cert_store_set_trusted_int(X509 **trusted_certs, size_t trusted_cert_count)

+{

+    cl_error_t ret = CL_EOPEN;

+    size_t i, j;

+    cert_list_t tmp_trusted = {0};

+

+    do {

+        if ((trusted_certs == NULL) || (trusted_cert_count == 0)) {

+            mprintf("!Empty trusted certificate list\n");

+            break;

+        }

+

+        tmp_trusted.certificates = calloc(trusted_cert_count,

+                                          sizeof(*tmp_trusted.certificates));

+        if (!tmp_trusted.certificates) {

+            mprintf("!Failed to reserve memory for trusted certs\n");

+            break;

+        }

+

+        for (i = 0; i < trusted_cert_count; ++i) {

+            bool found = false;

+

+            /* Check if certificate already exists in system root cert list */

+            for (j = 0; j < _cert_store.system_certs.count; ++j) {

+                if (X509_cmp(trusted_certs[i],

+                             _cert_store.system_certs.certificates[j]) == 0) {

+                    found = true;

+                }

+            }

+

+            if (found) {

+                continue; /* certificate is already found in cert store */

+            }

+

+            tmp_trusted.certificates[tmp_trusted.count] =

+                X509_dup(trusted_certs[i]);

+            if (!tmp_trusted.certificates[tmp_trusted.count]) {

+                mprintf("!X509_dup failed at index: %zu", i);

+                continue; /* continue on error */

+            }

+

+            tmp_trusted.count++;

+        }

+

+        cert_store_free_cert_list_int(&_cert_store.trusted_certs);

+

+        _cert_store.trusted_certs.certificates = tmp_trusted.certificates;

+        _cert_store.trusted_certs.count        = tmp_trusted.count;

+

+        tmp_trusted.certificates = NULL;

+        tmp_trusted.count        = 0;

+

+        ret = CL_SUCCESS;

+    } while (0);

+

+    return ret;

+}

+

+cl_error_t cert_store_set_trusted(X509 **trusted_certs, size_t trusted_cert_count)

+{

+    cl_error_t ret = CL_EOPEN;

+    int pt_err;

+

+    pt_err = pthread_mutex_lock(&_cert_store.mutex);

+    if (pt_err) {

+        errno = pt_err;

+        mprintf("!Mutex lock failed\n");

+    }

+

+    if (_cert_store.loaded) {

+        ret = cert_store_set_trusted_int(trusted_certs, trusted_cert_count);

+    }

+

+    pt_err = pthread_mutex_unlock(&_cert_store.mutex);

+    if (pt_err) {

+        errno = pt_err;

+        mprintf("!Mutex unlock failed\n");

+    }

+

+    return ret;

+}

+

+size_t cert_store_remove_trusted(void)

+{

+    size_t count = 0;

+    int pt_err;

+

+    pt_err = pthread_mutex_lock(&_cert_store.mutex);

+    if (pt_err) {

+        errno = pt_err;

+        mprintf("!Mutex lock failed\n");

+    }

+

+    if (_cert_store.loaded) {

+        count = _cert_store.trusted_certs.count;

+        cert_store_free_cert_list_int(&_cert_store.trusted_certs);

+    }

+

+    pt_err = pthread_mutex_unlock(&_cert_store.mutex);

+    if (pt_err) {

+        errno = pt_err;

+        mprintf("!Mutex unlock failed\n");

+    }

+

+    return count;

+}

+

+void cert_fill_X509_store(X509_STORE *store, X509 **certs, size_t cert_count)

+{

+    size_t i;

+    unsigned long err;

+

+    if (store && certs && cert_count > 0) {

+        for (i = 0; i < cert_count; ++i) {

+            if (!certs[i]) {

+                mprintf("!NULL cert at index %zu in X509 cert list; skipping", i);

+                continue;

+            }

+            if (X509_STORE_add_cert(store, certs[i]) != 1) {

+                err = ERR_get_error();

+                if (X509_R_CERT_ALREADY_IN_HASH_TABLE == ERR_GET_REASON(err)) {

+                    mprintf("*Certificate skipped; already exists in store: %s",

+                            (certs[i]->name ? certs[i]->name : ""));

+                } else {

+                    mprintf("!Failed to add certificate to store: %s (%lu) [%s]",

+                            ERR_error_string(err, NULL), err,

+                            (certs[i]->name ? certs[i]->name : ""));

+                }

+            }

+        }

+    }

+}

+

+void cert_store_export_certs(X509_STORE *store, X509 *additional_ca_cert)

+{

+    cert_store_t *cert_store = NULL;

+    int pt_err;

+

+    do {

+        if (!store) {

+            mprintf("!NULL X509 store\n");

+            break;

+        }

+

+        cert_store = cert_store_get_int();

+        if (!cert_store) {

+            mprintf("!Failed to retrieve cert store\n");

+            break;

+        }

+

+        pt_err = pthread_mutex_lock(&cert_store->mutex);

+        if (pt_err) {

+            errno = pt_err;

+            mprintf("!Mutex lock failed\n");

+        }

+

+        if (!cert_store->loaded) {

+            mprintf("!Cert store not loaded\n");

+            break;

+        }

+

+        /* On Linux, system certificates are loaded by OpenSSL */