[openssl] master update
Matt Caswell
matt at openssl.org
Fri Mar 27 11:26:59 UTC 2020
The branch master has been updated
via c9f51264d86b580ec3b3ab8a5317298c04bb1f3d (commit)
via be6aeda6474a77e97b344f300334f5fe3612e4b4 (commit)
via 5fcb97c61e6796b20c8ee1b0daab25151bf65bd0 (commit)
via 6b1e5fa4873ff2f7741f996961f26ab9818ee190 (commit)
from 9727f4e7fd02e55b637058249cd8e1bc80501c7f (commit)
- Log -----------------------------------------------------------------
commit c9f51264d86b580ec3b3ab8a5317298c04bb1f3d
Author: Matt Caswell <matt at openssl.org>
Date: Wed Mar 25 15:01:36 2020 +0000
Use the new OCSP functions in sslapitest.c
At the moment we just use the default libctx - but a future PR will add
support for running sslapitest with a non-default libctx.
Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11407)
commit be6aeda6474a77e97b344f300334f5fe3612e4b4
Author: Matt Caswell <matt at openssl.org>
Date: Fri Mar 20 14:54:55 2020 +0000
Add OCSP_RESPID_set_by_key_ex() and OCSP_RESPID_match_ex()
OCSP_RESPID_set_by_key() calculates a SHA1 hash of the supplied
certificate. We need to be able to specify which libctx and property
query string is used to fetch that algorithm so we introduce
OCSP_RESPID_set_by_key_ex() which does the same thing but enables you to
speicfy the library context and propery query string explicitly.
OCSP_RESPID_match() matches with certificates based on the SHA1 hash.
Therefore for the same reason we introduce OCSP_RESPID_match_ex().
Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/11407)
commit 5fcb97c61e6796b20c8ee1b0daab25151bf65bd0
Author: Matt Caswell <matt at openssl.org>
Date: Fri Mar 20 12:00:12 2020 +0000
Ignore some fetch failures
Some fetch failurs are ok and should be ignored.
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
Reviewed-by: Richard Levitte <levitte at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11405)
commit 6b1e5fa4873ff2f7741f996961f26ab9818ee190
Author: Matt Caswell <matt at openssl.org>
Date: Wed Mar 25 12:12:59 2020 +0000
Put an error on the stack in the event of a fetch failure
Fetch failures are a common problem and it is useful to have detailed
information about what was requested in the event of a failure.
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
Reviewed-by: Richard Levitte <levitte at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/11405)
-----------------------------------------------------------------------
Summary of changes:
crypto/context.c | 9 +++++
crypto/evp/evp_fetch.c | 54 +++++++++++++++++++++++++----
crypto/evp/pkey_mac.c | 6 +++-
crypto/evp/pmeth_lib.c | 6 +++-
crypto/ocsp/ocsp_srv.c | 57 +++++++++++++++++++++++--------
doc/man3/OCSP_response_status.pod | 72 ++++++++++++++++++++++++---------------
include/internal/cryptlib.h | 1 +
include/openssl/ocsp.h | 4 +++
providers/common/provider_util.c | 11 ++++++
ssl/ssl_lib.c | 16 +++++++--
test/sslapitest.c | 4 +--
util/libcrypto.num | 2 ++
12 files changed, 187 insertions(+), 55 deletions(-)
diff --git a/crypto/context.c b/crypto/context.c
index dcf960bfa7..35530174b8 100644
--- a/crypto/context.c
+++ b/crypto/context.c
@@ -172,6 +172,15 @@ OPENSSL_CTX *openssl_ctx_get_concrete(OPENSSL_CTX *ctx)
return ctx;
}
+int openssl_ctx_is_default(OPENSSL_CTX *ctx)
+{
+#ifndef FIPS_MODE
+ if (ctx == NULL || ctx == default_context)
+ return 1;
+#endif
+ return 0;
+}
+
static void openssl_ctx_generic_new(void *parent_ign, void *ptr_ign,
CRYPTO_EX_DATA *ad, int index,
long argl_ign, void *argp)
diff --git a/crypto/evp/evp_fetch.c b/crypto/evp/evp_fetch.c
index da7f33e95e..e808bf818f 100644
--- a/crypto/evp/evp_fetch.c
+++ b/crypto/evp/evp_fetch.c
@@ -294,9 +294,26 @@ void *evp_generic_fetch(OPENSSL_CTX *libctx, int operation_id,
int (*up_ref_method)(void *),
void (*free_method)(void *))
{
- return inner_evp_generic_fetch(libctx,
- operation_id, 0, name, properties,
- new_method, up_ref_method, free_method);
+ void *ret = inner_evp_generic_fetch(libctx,
+ operation_id, 0, name, properties,
+ new_method, up_ref_method, free_method);
+
+ if (ret == NULL) {
+ int code = EVP_R_FETCH_FAILED;
+
+#ifdef FIPS_MODE
+ ERR_raise(ERR_LIB_EVP, code);
+#else
+ ERR_raise_data(ERR_LIB_EVP, code,
+ "%s, Algorithm (%s), Properties (%s)",
+ (openssl_ctx_is_default(libctx)
+ ? "Default library context"
+ : "Non-default library context"),
+ name = NULL ? "<null>" : name,
+ properties == NULL ? "<null>" : properties);
+#endif
+ }
+ return ret;
}
/*
@@ -314,9 +331,34 @@ void *evp_generic_fetch_by_number(OPENSSL_CTX *libctx, int operation_id,
int (*up_ref_method)(void *),
void (*free_method)(void *))
{
- return inner_evp_generic_fetch(libctx,
- operation_id, name_id, NULL, properties,
- new_method, up_ref_method, free_method);
+ void *ret = inner_evp_generic_fetch(libctx,
+ operation_id, name_id, NULL,
+ properties, new_method, up_ref_method,
+ free_method);
+
+ if (ret == NULL) {
+ int code = EVP_R_FETCH_FAILED;
+
+#ifdef FIPS_MODE
+ ERR_raise(ERR_LIB_EVP, code);
+#else
+ {
+ OSSL_NAMEMAP *namemap = ossl_namemap_stored(libctx);
+ const char *name = (namemap == NULL)
+ ? NULL
+ : ossl_namemap_num2name(namemap, name_id, 0);
+
+ ERR_raise_data(ERR_LIB_EVP, code,
+ "%s, Algorithm (%s), Properties (%s)",
+ (openssl_ctx_is_default(libctx)
+ ? "Default library context"
+ : "Non-default library context"),
+ name = NULL ? "<null>" : name,
+ properties == NULL ? "<null>" : properties);
+ }
+#endif
+ }
+ return ret;
}
int EVP_set_default_properties(OPENSSL_CTX *libctx, const char *propq)
diff --git a/crypto/evp/pkey_mac.c b/crypto/evp/pkey_mac.c
index 7430b62b0b..7452e0320d 100644
--- a/crypto/evp/pkey_mac.c
+++ b/crypto/evp/pkey_mac.c
@@ -51,7 +51,11 @@ static int pkey_mac_init(EVP_PKEY_CTX *ctx)
MAC_PKEY_CTX *hctx;
/* We're being smart and using the same base NIDs for PKEY and for MAC */
int nid = ctx->pmeth->pkey_id;
- EVP_MAC *mac = EVP_MAC_fetch(ctx->libctx, OBJ_nid2sn(nid), ctx->propquery);
+ EVP_MAC *mac;
+
+ ERR_set_mark();
+ mac = EVP_MAC_fetch(ctx->libctx, OBJ_nid2sn(nid), ctx->propquery);
+ ERR_pop_to_mark();
/*
* mac == NULL may actually be ok in some situations. In an
diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c
index ecaaec41c7..da50ebf18a 100644
--- a/crypto/evp/pmeth_lib.c
+++ b/crypto/evp/pmeth_lib.c
@@ -226,8 +226,12 @@ static EVP_PKEY_CTX *int_ctx_new(OPENSSL_CTX *libctx,
* If there's no engine and there's a name, we try fetching a provider
* implementation.
*/
- if (e == NULL && keytype != NULL)
+ if (e == NULL && keytype != NULL) {
+ /* This could fail so ignore errors */
+ ERR_set_mark();
keymgmt = EVP_KEYMGMT_fetch(libctx, keytype, propquery);
+ ERR_pop_to_mark();
+ }
ret = OPENSSL_zalloc(sizeof(*ret));
if (ret == NULL) {
diff --git a/crypto/ocsp/ocsp_srv.c b/crypto/ocsp/ocsp_srv.c
index 7e0aca169b..051747b445 100644
--- a/crypto/ocsp/ocsp_srv.c
+++ b/crypto/ocsp/ocsp_srv.c
@@ -259,45 +259,67 @@ int OCSP_RESPID_set_by_name(OCSP_RESPID *respid, X509 *cert)
return 1;
}
-int OCSP_RESPID_set_by_key(OCSP_RESPID *respid, X509 *cert)
+int OCSP_RESPID_set_by_key_ex(OCSP_RESPID *respid, X509 *cert,
+ OPENSSL_CTX *libctx, const char *propq)
{
ASN1_OCTET_STRING *byKey = NULL;
unsigned char md[SHA_DIGEST_LENGTH];
+ EVP_MD *sha1 = EVP_MD_fetch(libctx, "SHA1", propq);
+ int ret = 0;
- /* RFC2560 requires SHA1 */
- if (!X509_pubkey_digest(cert, EVP_sha1(), md, NULL))
+ if (sha1 == NULL)
return 0;
+ /* RFC2560 requires SHA1 */
+ if (!X509_pubkey_digest(cert, sha1, md, NULL))
+ goto err;
+
byKey = ASN1_OCTET_STRING_new();
if (byKey == NULL)
- return 0;
+ goto err;
if (!(ASN1_OCTET_STRING_set(byKey, md, SHA_DIGEST_LENGTH))) {
ASN1_OCTET_STRING_free(byKey);
- return 0;
+ goto err;
}
respid->type = V_OCSP_RESPID_KEY;
respid->value.byKey = byKey;
- return 1;
+ ret = 1;
+ err:
+ EVP_MD_free(sha1);
+ return ret;
}
-int OCSP_RESPID_match(OCSP_RESPID *respid, X509 *cert)
+int OCSP_RESPID_set_by_key(OCSP_RESPID *respid, X509 *cert)
{
+ return OCSP_RESPID_set_by_key_ex(respid, cert, NULL, NULL);
+}
+
+int OCSP_RESPID_match_ex(OCSP_RESPID *respid, X509 *cert, OPENSSL_CTX *libctx,
+ const char *propq)
+{
+ EVP_MD *sha1 = NULL;
+ int ret = 0;
+
if (respid->type == V_OCSP_RESPID_KEY) {
unsigned char md[SHA_DIGEST_LENGTH];
+ sha1 = EVP_MD_fetch(libctx, "SHA1", propq);
+ if (sha1 == NULL)
+ goto err;
+
if (respid->value.byKey == NULL)
- return 0;
+ goto err;
/* RFC2560 requires SHA1 */
- if (!X509_pubkey_digest(cert, EVP_sha1(), md, NULL))
- return 0;
+ if (!X509_pubkey_digest(cert, sha1, md, NULL))
+ goto err;
- return (ASN1_STRING_length(respid->value.byKey) == SHA_DIGEST_LENGTH)
- && (memcmp(ASN1_STRING_get0_data(respid->value.byKey), md,
- SHA_DIGEST_LENGTH) == 0);
+ ret = (ASN1_STRING_length(respid->value.byKey) == SHA_DIGEST_LENGTH)
+ && (memcmp(ASN1_STRING_get0_data(respid->value.byKey), md,
+ SHA_DIGEST_LENGTH) == 0);
} else if (respid->type == V_OCSP_RESPID_NAME) {
if (respid->value.byName == NULL)
return 0;
@@ -306,5 +328,12 @@ int OCSP_RESPID_match(OCSP_RESPID *respid, X509 *cert)
X509_get_subject_name(cert)) == 0;
}
- return 0;
+ err:
+ EVP_MD_free(sha1);
+ return ret;
+}
+
+int OCSP_RESPID_match(OCSP_RESPID *respid, X509 *cert)
+{
+ return OCSP_RESPID_match_ex(respid, cert, NULL, NULL);
}
diff --git a/doc/man3/OCSP_response_status.pod b/doc/man3/OCSP_response_status.pod
index c1de86b199..6c02b55fa1 100644
--- a/doc/man3/OCSP_response_status.pod
+++ b/doc/man3/OCSP_response_status.pod
@@ -4,8 +4,9 @@
OCSP_response_status, OCSP_response_get1_basic, OCSP_response_create,
OCSP_RESPONSE_free, OCSP_RESPID_set_by_name,
-OCSP_RESPID_set_by_key, OCSP_RESPID_match,
-OCSP_basic_sign, OCSP_basic_sign_ctx - OCSP response functions
+OCSP_RESPID_set_by_key_ex, OCSP_RESPID_set_by_key, OCSP_RESPID_match_ex,
+OCSP_RESPID_match, OCSP_basic_sign, OCSP_basic_sign_ctx
+- OCSP response functions
=head1 SYNOPSIS
@@ -17,7 +18,11 @@ OCSP_basic_sign, OCSP_basic_sign_ctx - OCSP response functions
void OCSP_RESPONSE_free(OCSP_RESPONSE *resp);
int OCSP_RESPID_set_by_name(OCSP_RESPID *respid, X509 *cert);
+ int OCSP_RESPID_set_by_key_ex(OCSP_RESPID *respid, X509 *cert,
+ OPENSSL_CTX *libctx, const char *propq);
int OCSP_RESPID_set_by_key(OCSP_RESPID *respid, X509 *cert);
+ int OCSP_RESPID_match_ex(OCSP_RESPID *respid, X509 *cert, OPENSSL_CTX *libctx,
+ const char *propq);
int OCSP_RESPID_match(OCSP_RESPID *respid, X509 *cert);
int OCSP_basic_sign(OCSP_BASICRESP *brsp, X509 *signer, EVP_PKEY *key,
@@ -28,49 +33,60 @@ OCSP_basic_sign, OCSP_basic_sign_ctx - OCSP response functions
=head1 DESCRIPTION
-OCSP_response_status() returns the OCSP response status of B<resp>. It returns
-one of the values: B<OCSP_RESPONSE_STATUS_SUCCESSFUL>,
-B<OCSP_RESPONSE_STATUS_MALFORMEDREQUEST>,
-B<OCSP_RESPONSE_STATUS_INTERNALERROR>, B<OCSP_RESPONSE_STATUS_TRYLATER>
-B<OCSP_RESPONSE_STATUS_SIGREQUIRED>, or B<OCSP_RESPONSE_STATUS_UNAUTHORIZED>.
+OCSP_response_status() returns the OCSP response status of I<resp>. It returns
+one of the values: I<OCSP_RESPONSE_STATUS_SUCCESSFUL>,
+I<OCSP_RESPONSE_STATUS_MALFORMEDREQUEST>,
+I<OCSP_RESPONSE_STATUS_INTERNALERROR>, I<OCSP_RESPONSE_STATUS_TRYLATER>
+I<OCSP_RESPONSE_STATUS_SIGREQUIRED>, or I<OCSP_RESPONSE_STATUS_UNAUTHORIZED>.
-OCSP_response_get1_basic() decodes and returns the B<OCSP_BASICRESP> structure
-contained in B<resp>.
+OCSP_response_get1_basic() decodes and returns the I<OCSP_BASICRESP> structure
+contained in I<resp>.
-OCSP_response_create() creates and returns an B<OCSP_RESPONSE> structure for
-B<status> and optionally including basic response B<bs>.
+OCSP_response_create() creates and returns an I<OCSP_RESPONSE> structure for
+I<status> and optionally including basic response I<bs>.
-OCSP_RESPONSE_free() frees up OCSP response B<resp>.
+OCSP_RESPONSE_free() frees up OCSP response I<resp>.
OCSP_RESPID_set_by_name() sets the name of the OCSP_RESPID to be the same as the
-subject name in the supplied X509 certificate B<cert> for the OCSP responder.
+subject name in the supplied X509 certificate I<cert> for the OCSP responder.
-OCSP_RESPID_set_by_key() sets the key of the OCSP_RESPID to be the same as the
-key in the supplied X509 certificate B<cert> for the OCSP responder. The key is
-stored as a SHA1 hash.
+OCSP_RESPID_set_by_key_ex() sets the key of the OCSP_RESPID to be the same as the
+key in the supplied X509 certificate I<cert> for the OCSP responder. The key is
+stored as a SHA1 hash. To calculate the hash the SHA1 algorithm is fetched using
+the library ctx I<libctx> and the property query string I<propq> (see
+L<provider(7)/Fetching algorithms> for further information).
+
+OCSP_RESPID_set_by_key() does the same as OCSP_RESPID_set_by_key_ex() except
+that the default library context is used with an empty property query string.
Note that an OCSP_RESPID can only have one of the name, or the key set. Calling
OCSP_RESPID_set_by_name() or OCSP_RESPID_set_by_key() will clear any existing
setting.
-OCSP_RESPID_match() tests whether the OCSP_RESPID given in B<respid> matches
-with the X509 certificate B<cert>.
+OCSP_RESPID_match_ex() tests whether the OCSP_RESPID given in I<respid> matches
+with the X509 certificate I<cert> based on the SHA1 hash. To calculate the hash
+the SHA1 algorithm is fetched using the library ctx I<libctx> and the property
+query string I<propq> (see L<provider(7)/Fetching algorithms> for further
+information).
+
+OCSP_RESPID_match() does the same as OCSP_RESPID_match_ex() except that the
+default library context is used with an empty property query string.
-OCSP_basic_sign() signs OCSP response B<brsp> using certificate B<signer>, private key
-B<key>, digest B<dgst> and additional certificates B<certs>. If the B<flags> option
-B<OCSP_NOCERTS> is set then no certificates will be included in the response. If the
-B<flags> option B<OCSP_RESPID_KEY> is set then the responder is identified by key ID
-rather than by name. OCSP_basic_sign_ctx() also signs OCSP response B<brsp> but
-uses the parameters contained in digest context B<ctx>.
+OCSP_basic_sign() signs OCSP response I<brsp> using certificate I<signer>, private key
+I<key>, digest I<dgst> and additional certificates I<certs>. If the I<flags> option
+I<OCSP_NOCERTS> is set then no certificates will be included in the response. If the
+I<flags> option I<OCSP_RESPID_KEY> is set then the responder is identified by key ID
+rather than by name. OCSP_basic_sign_ctx() also signs OCSP response I<brsp> but
+uses the parameters contained in digest context I<ctx>.
=head1 RETURN VALUES
OCSP_RESPONSE_status() returns a status value.
-OCSP_response_get1_basic() returns an B<OCSP_BASICRESP> structure pointer or
-B<NULL> if an error occurred.
+OCSP_response_get1_basic() returns an I<OCSP_BASICRESP> structure pointer or
+I<NULL> if an error occurred.
-OCSP_response_create() returns an B<OCSP_RESPONSE> structure pointer or B<NULL>
+OCSP_response_create() returns an I<OCSP_RESPONSE> structure pointer or I<NULL>
if an error occurred.
OCSP_RESPONSE_free() does not return a value.
@@ -85,7 +101,7 @@ or 0 otherwise.
=head1 NOTES
OCSP_response_get1_basic() is only called if the status of a response is
-B<OCSP_RESPONSE_STATUS_SUCCESSFUL>.
+I<OCSP_RESPONSE_STATUS_SUCCESSFUL>.
=head1 SEE ALSO
diff --git a/include/internal/cryptlib.h b/include/internal/cryptlib.h
index 19e2c9744e..9a60f413bf 100644
--- a/include/internal/cryptlib.h
+++ b/include/internal/cryptlib.h
@@ -165,6 +165,7 @@ typedef struct openssl_ctx_method {
} OPENSSL_CTX_METHOD;
OPENSSL_CTX *openssl_ctx_get_concrete(OPENSSL_CTX *ctx);
+int openssl_ctx_is_default(OPENSSL_CTX *ctx);
/* Functions to retrieve pointers to data by index */
void *openssl_ctx_get_data(OPENSSL_CTX *, int /* index */,
diff --git a/include/openssl/ocsp.h b/include/openssl/ocsp.h
index 5acd04b6ea..b9f55c0123 100644
--- a/include/openssl/ocsp.h
+++ b/include/openssl/ocsp.h
@@ -277,7 +277,11 @@ int OCSP_basic_sign_ctx(OCSP_BASICRESP *brsp,
X509 *signer, EVP_MD_CTX *ctx,
STACK_OF(X509) *certs, unsigned long flags);
int OCSP_RESPID_set_by_name(OCSP_RESPID *respid, X509 *cert);
+int OCSP_RESPID_set_by_key_ex(OCSP_RESPID *respid, X509 *cert,
+ OPENSSL_CTX *libctx, const char *propq);
int OCSP_RESPID_set_by_key(OCSP_RESPID *respid, X509 *cert);
+int OCSP_RESPID_match_ex(OCSP_RESPID *respid, X509 *cert, OPENSSL_CTX *libctx,
+ const char *propq);
int OCSP_RESPID_match(OCSP_RESPID *respid, X509 *cert);
X509_EXTENSION *OCSP_crlID_new(const char *url, long *n, char *tim);
diff --git a/providers/common/provider_util.c b/providers/common/provider_util.c
index 504463df19..041d64929d 100644
--- a/providers/common/provider_util.c
+++ b/providers/common/provider_util.c
@@ -9,6 +9,7 @@
#include <openssl/evp.h>
#include <openssl/core_names.h>
+#include <openssl/err.h>
#include "prov/provider_util.h"
void ossl_prov_cipher_reset(PROV_CIPHER *pc)
@@ -76,12 +77,17 @@ int ossl_prov_cipher_load_from_params(PROV_CIPHER *pc,
return 0;
EVP_CIPHER_free(pc->alloc_cipher);
+ ERR_set_mark();
pc->cipher = pc->alloc_cipher = EVP_CIPHER_fetch(ctx, p->data, propquery);
/* TODO legacy stuff, to be removed */
#ifndef FIPS_MODE /* Inside the FIPS module, we don't support legacy ciphers */
if (pc->cipher == NULL)
pc->cipher = EVP_get_cipherbyname(p->data);
#endif
+ if (pc->cipher != NULL)
+ ERR_pop_to_mark();
+ else
+ ERR_clear_last_mark();
return pc->cipher != NULL;
}
@@ -131,12 +137,17 @@ int ossl_prov_digest_load_from_params(PROV_DIGEST *pd,
return 0;
EVP_MD_free(pd->alloc_md);
+ ERR_set_mark();
pd->md = pd->alloc_md = EVP_MD_fetch(ctx, p->data, propquery);
/* TODO legacy stuff, to be removed */
#ifndef FIPS_MODE /* Inside the FIPS module, we don't support legacy digests */
if (pd->md == NULL)
pd->md = EVP_get_digestbyname(p->data);
#endif
+ if (pd->md != NULL)
+ ERR_pop_to_mark();
+ else
+ ERR_clear_last_mark();
return pd->md != NULL;
}
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index a1c3987962..a08ddb138b 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -5848,6 +5848,8 @@ const EVP_CIPHER *ssl_evp_cipher_fetch(OPENSSL_CTX *libctx,
int nid,
const char *properties)
{
+ EVP_CIPHER *ciph;
+
#ifndef OPENSSL_NO_ENGINE
ENGINE *eng;
@@ -5862,8 +5864,11 @@ const EVP_CIPHER *ssl_evp_cipher_fetch(OPENSSL_CTX *libctx,
}
#endif
- /* Otherwise we do an explicit fetch */
- return EVP_CIPHER_fetch(libctx, OBJ_nid2sn(nid), properties);
+ /* Otherwise we do an explicit fetch. This may fail and that could be ok */
+ ERR_set_mark();
+ ciph = EVP_CIPHER_fetch(libctx, OBJ_nid2sn(nid), properties);
+ ERR_pop_to_mark();
+ return ciph;
}
@@ -5898,6 +5903,8 @@ const EVP_MD *ssl_evp_md_fetch(OPENSSL_CTX *libctx,
int nid,
const char *properties)
{
+ EVP_MD *md;
+
#ifndef OPENSSL_NO_ENGINE
ENGINE *eng;
@@ -5913,7 +5920,10 @@ const EVP_MD *ssl_evp_md_fetch(OPENSSL_CTX *libctx,
#endif
/* Otherwise we do an explicit fetch */
- return EVP_MD_fetch(libctx, OBJ_nid2sn(nid), properties);
+ ERR_set_mark();
+ md = EVP_MD_fetch(libctx, OBJ_nid2sn(nid), properties);
+ ERR_pop_to_mark();
+ return md;
}
int ssl_evp_md_up_ref(const EVP_MD *md)
diff --git a/test/sslapitest.c b/test/sslapitest.c
index 886ed9ad67..a9b7d20b3c 100644
--- a/test/sslapitest.c
+++ b/test/sslapitest.c
@@ -1278,7 +1278,7 @@ static int ocsp_server_cb(SSL *s, void *arg)
return SSL_TLSEXT_ERR_ALERT_FATAL;
id = sk_OCSP_RESPID_value(ids, 0);
- if (id == NULL || !OCSP_RESPID_match(id, ocspcert))
+ if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, NULL, NULL))
return SSL_TLSEXT_ERR_ALERT_FATAL;
} else if (*argi != 1) {
return SSL_TLSEXT_ERR_ALERT_FATAL;
@@ -1406,7 +1406,7 @@ static int test_tlsext_status_type(void)
|| !TEST_ptr(ids = sk_OCSP_RESPID_new_null())
|| !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio,
NULL, NULL, NULL))
- || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert))
+ || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, NULL, NULL))
|| !TEST_true(sk_OCSP_RESPID_push(ids, id)))
goto end;
id = NULL;
diff --git a/util/libcrypto.num b/util/libcrypto.num
index ecc735cb94..6ff7179fc6 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -5001,3 +5001,5 @@ NCONF_new_with_libctx ? 3_0_0 EXIST::FUNCTION:
CONF_modules_load_file_with_libctx ? 3_0_0 EXIST::FUNCTION:
OPENSSL_CTX_load_config ? 3_0_0 EXIST::FUNCTION:
EVP_PKEY_set_type_by_keymgmt ? 3_0_0 EXIST::FUNCTION:
+OCSP_RESPID_set_by_key_ex ? 3_0_0 EXIST::FUNCTION:OCSP
+OCSP_RESPID_match_ex ? 3_0_0 EXIST::FUNCTION:OCSP
More information about the openssl-commits
mailing list