[openssl-commits] [openssl] OpenSSL_1_1_0-stable update

Richard Levitte levitte at openssl.org
Sat Jan 28 19:08:29 UTC 2017 

The branch OpenSSL_1_1_0-stable has been updated
       via  b649ffcaea38864270ad6c2362ed0ef639749707 (commit)
       via  f5c1ee58c1cc246dc2f0b9b50f40c659fc302ad0 (commit)
       via  b431b094330da3e54805c49fb262192e34bc3864 (commit)
      from  6f2de02624ec55d29f74c4c38994b56ec3250a10 (commit)


- Log -----------------------------------------------------------------
commit b649ffcaea38864270ad6c2362ed0ef639749707
Author: Richard Levitte <levitte at openssl.org>
Date:   Sat Jan 28 18:24:40 2017 +0100

    Add a couple of test to check CRL fingerprint
    
    Reviewed-by: Kurt Roeckx <kurt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/2314)
    (cherry picked from commit 929860d0e6112f5c7766d9ea036c3f8bd8d3d719)

commit f5c1ee58c1cc246dc2f0b9b50f40c659fc302ad0
Author: Richard Levitte <levitte at openssl.org>
Date:   Sat Jan 28 18:02:12 2017 +0100

    Document what EXFLAG_SET is for in x509v3.h
    
    Reviewed-by: Kurt Roeckx <kurt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/2314)
    (cherry picked from commit 2d60c923141e7853c268364f26195343a5e995bf)

commit b431b094330da3e54805c49fb262192e34bc3864
Author: Richard Levitte <levitte at openssl.org>
Date:   Sat Jan 28 17:43:17 2017 +0100

    X509_CRL_digest() - ensure precomputed sha1 hash before returning it
    
    X509_CRL_digest() didn't check if the precomputed sha1 hash was actually
    present.  This also makes sure there's an appropriate flag to check.
    
    Reviewed-by: Kurt Roeckx <kurt at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/2314)
    (cherry picked from commit 6195848b2eea627c47f74b63eb2ba3dc3d5b6436)

-----------------------------------------------------------------------

Summary of changes:
 crypto/x509/x_all.c        |  2 +-
 crypto/x509/x_crl.c        |  2 ++
 include/openssl/x509v3.h   |  1 +
 test/recipes/25-test_crl.t | 19 ++++++++++++++++++-
 4 files changed, 22 insertions(+), 2 deletions(-)

diff --git a/crypto/x509/x_all.c b/crypto/x509/x_all.c
index 59f96a5..124dd2d 100644
--- a/crypto/x509/x_all.c
+++ b/crypto/x509/x_all.c
@@ -377,7 +377,7 @@ int X509_digest(const X509 *data, const EVP_MD *type, unsigned char *md,
 int X509_CRL_digest(const X509_CRL *data, const EVP_MD *type,
                     unsigned char *md, unsigned int *len)
 {
-    if (type == EVP_sha1()) {
+    if (type == EVP_sha1() && (data->flags & EXFLAG_SET) != 0) {
         /* Asking for SHA1; always computed in CRL d2i. */
         if (len != NULL)
             *len = sizeof(data->sha1_hash);
diff --git a/crypto/x509/x_crl.c b/crypto/x509/x_crl.c
index da9c6b6..dbed850 100644
--- a/crypto/x509/x_crl.c
+++ b/crypto/x509/x_crl.c
@@ -226,6 +226,8 @@ static int crl_cb(int operation, ASN1_VALUE **pval, const ASN1_ITEM *it,
             if (crl->meth->crl_init(crl) == 0)
                 return 0;
         }
+
+        crl->flags |= EXFLAG_SET;
         break;
 
     case ASN1_OP_FREE_POST:
diff --git a/include/openssl/x509v3.h b/include/openssl/x509v3.h
index f21ce7c..1d8ef87 100644
--- a/include/openssl/x509v3.h
+++ b/include/openssl/x509v3.h
@@ -355,6 +355,7 @@ struct ISSUING_DIST_POINT_st {
 # define EXFLAG_SI               0x20
 # define EXFLAG_V1               0x40
 # define EXFLAG_INVALID          0x80
+/* EXFLAG_SET is set to indicate that some values have been precomputed */
 # define EXFLAG_SET              0x100
 # define EXFLAG_CRITICAL         0x200
 # define EXFLAG_PROXY            0x400
diff --git a/test/recipes/25-test_crl.t b/test/recipes/25-test_crl.t
index 872138e..e8ce5f8 100644
--- a/test/recipes/25-test_crl.t
+++ b/test/recipes/25-test_crl.t
@@ -15,7 +15,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/;
 
 setup("test_crl");
 
-plan tests => 3;
+plan tests => 5;
 
 require_ok(srctop_file('test','recipes','tconversion.pl'));
 
@@ -24,3 +24,20 @@ subtest 'crl conversions' => sub {
 };
 
 ok(run(test(['crltest'])));
+
+ok(compare1stline([qw{openssl crl -noout -fingerprint -in},
+                   srctop_file('test', 'testcrl.pem')],
+                  'SHA1 Fingerprint=BA:F4:1B:AD:7A:9B:2F:09:16:BC:60:A7:0E:CE:79:2E:36:00:E7:B2'));
+ok(compare1stline([qw{openssl crl -noout -fingerprint -sha256 -in},
+                   srctop_file('test', 'testcrl.pem')],
+                  'SHA256 Fingerprint=B3:A9:FD:A7:2E:8C:3D:DF:D0:F1:C3:1A:96:60:B5:FD:B0:99:7C:7F:0E:E4:34:F5:DB:87:62:36:BC:F1:BC:1B'));
+
+sub compare1stline {
+    my ($cmdarray, $str) = @_;
+    my @lines = run(app($cmdarray), capture => 1);
+
+    return 1 if $lines[0] =~ m|^\Q${str}\E\R$|;
+    note "Got      ", $lines[0];
+    note "Expected ", $str;
+    return 0;
+}

More information about the openssl-commits mailing list