[openssl-commits] [openssl] master update
Richard Levitte
levitte at openssl.org
Sat Jan 28 19:07:33 UTC 2017
The branch master has been updated
via 929860d0e6112f5c7766d9ea036c3f8bd8d3d719 (commit)
via 2d60c923141e7853c268364f26195343a5e995bf (commit)
via 6195848b2eea627c47f74b63eb2ba3dc3d5b6436 (commit)
from 63414e64e66e376654e993ac966e3b2f9d849d3b (commit)
- Log -----------------------------------------------------------------
commit 929860d0e6112f5c7766d9ea036c3f8bd8d3d719
Author: Richard Levitte <levitte at openssl.org>
Date: Sat Jan 28 18:24:40 2017 +0100
Add a couple of test to check CRL fingerprint
Reviewed-by: Kurt Roeckx <kurt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2314)
commit 2d60c923141e7853c268364f26195343a5e995bf
Author: Richard Levitte <levitte at openssl.org>
Date: Sat Jan 28 18:02:12 2017 +0100
Document what EXFLAG_SET is for in x509v3.h
Reviewed-by: Kurt Roeckx <kurt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2314)
commit 6195848b2eea627c47f74b63eb2ba3dc3d5b6436
Author: Richard Levitte <levitte at openssl.org>
Date: Sat Jan 28 17:43:17 2017 +0100
X509_CRL_digest() - ensure precomputed sha1 hash before returning it
X509_CRL_digest() didn't check if the precomputed sha1 hash was actually
present. This also makes sure there's an appropriate flag to check.
Reviewed-by: Kurt Roeckx <kurt at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2314)
-----------------------------------------------------------------------
Summary of changes:
crypto/x509/x_all.c | 2 +-
crypto/x509/x_crl.c | 2 ++
include/openssl/x509v3.h | 1 +
test/recipes/25-test_crl.t | 19 ++++++++++++++++++-
4 files changed, 22 insertions(+), 2 deletions(-)
diff --git a/crypto/x509/x_all.c b/crypto/x509/x_all.c
index 59f96a5..124dd2d 100644
--- a/crypto/x509/x_all.c
+++ b/crypto/x509/x_all.c
@@ -377,7 +377,7 @@ int X509_digest(const X509 *data, const EVP_MD *type, unsigned char *md,
int X509_CRL_digest(const X509_CRL *data, const EVP_MD *type,
unsigned char *md, unsigned int *len)
{
- if (type == EVP_sha1()) {
+ if (type == EVP_sha1() && (data->flags & EXFLAG_SET) != 0) {
/* Asking for SHA1; always computed in CRL d2i. */
if (len != NULL)
*len = sizeof(data->sha1_hash);
diff --git a/crypto/x509/x_crl.c b/crypto/x509/x_crl.c
index da9c6b6..dbed850 100644
--- a/crypto/x509/x_crl.c
+++ b/crypto/x509/x_crl.c
@@ -226,6 +226,8 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
if (crl->meth->crl_init(crl) == 0)
return 0;
}
+
+ crl->flags |= EXFLAG_SET;
break;
case ASN1_OP_FREE_POST:
diff --git a/include/openssl/x509v3.h b/include/openssl/x509v3.h
index f21ce7c..1d8ef87 100644
--- a/include/openssl/x509v3.h
+++ b/include/openssl/x509v3.h
@@ -355,6 +355,7 @@ struct ISSUING_DIST_POINT_st {
# define EXFLAG_SI 0x20
# define EXFLAG_V1 0x40
# define EXFLAG_INVALID 0x80
+/* EXFLAG_SET is set to indicate that some values have been precomputed */
# define EXFLAG_SET 0x100
# define EXFLAG_CRITICAL 0x200
# define EXFLAG_PROXY 0x400
diff --git a/test/recipes/25-test_crl.t b/test/recipes/25-test_crl.t
index 872138e..e8ce5f8 100644
--- a/test/recipes/25-test_crl.t
+++ b/test/recipes/25-test_crl.t
@@ -15,7 +15,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/;
setup("test_crl");
-plan tests => 3;
+plan tests => 5;
require_ok(srctop_file('test','recipes','tconversion.pl'));
@@ -24,3 +24,20 @@ subtest 'crl conversions' => sub {
};
ok(run(test(['crltest'])));
+
+ok(compare1stline([qw{openssl crl -noout -fingerprint -in},
+ srctop_file('test', 'testcrl.pem')],
+ 'SHA1 Fingerprint=BA:F4:1B:AD:7A:9B:2F:09:16:BC:60:A7:0E:CE:79:2E:36:00:E7:B2'));
+ok(compare1stline([qw{openssl crl -noout -fingerprint -sha256 -in},
+ srctop_file('test', 'testcrl.pem')],
+ 'SHA256 Fingerprint=B3:A9:FD:A7:2E:8C:3D:DF:D0:F1:C3:1A:96:60:B5:FD:B0:99:7C:7F:0E:E4:34:F5:DB:87:62:36:BC:F1:BC:1B'));
+
+sub compare1stline {
+ my ($cmdarray, $str) = @_;
+ my @lines = run(app($cmdarray), capture => 1);
+
+ return 1 if $lines[0] =~ m|^\Q${str}\E\R$|;
+ note "Got ", $lines[0];
+ note "Expected ", $str;
+ return 0;
+}
More information about the openssl-commits
mailing list