[openssl] master update

dev at ddvo.net dev at ddvo.net
Thu Sep 24 12:42:05 UTC 2020


The branch master has been updated
       via  4e0723bc93373da6affd1c2ce7dcad39281ebb9b (commit)
       via  1061baf64662aaa16e9e086f469126e1819e0805 (commit)
       via  29844ea5b3d2b7240d99b043a0d82cb177f0762d (commit)
       via  50eb2a507732b4d32879709dbfa335ccb542f676 (commit)
      from  254b5dcabd205b2229439020c768a0c9da0d8d7b (commit)


- Log -----------------------------------------------------------------
commit 4e0723bc93373da6affd1c2ce7dcad39281ebb9b
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Fri Sep 18 10:36:15 2020 +0200

    Test.pm: Some clarifications added to the documentation
    
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/12893)

commit 1061baf64662aaa16e9e086f469126e1819e0805
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Thu Sep 17 09:55:28 2020 +0200

    apps/ca.c: Rename confusing variable 'req' to 'template_cert' in certify_cert()
    
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/12893)

commit 29844ea5b3d2b7240d99b043a0d82cb177f0762d
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Wed Sep 16 12:52:09 2020 +0200

    Prune low-level ASN.1 parse errors from error queue in decoder_process()
    
    Fixes #12840
    
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/12893)

commit 50eb2a507732b4d32879709dbfa335ccb542f676
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Thu Sep 17 01:39:00 2020 +0200

    load_key_certs_crls(): Restore output of fatal errors
    
    Also improve credentials loading diagnostics for many apps.
    
    Fixes #12840
    
    Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/12893)

-----------------------------------------------------------------------

Summary of changes:
 apps/ca.c                                          | 17 +++---
 apps/cms.c                                         |  4 +-
 apps/dgst.c                                        |  4 +-
 apps/dsa.c                                         |  4 +-
 apps/ec.c                                          |  4 +-
 apps/lib/apps.c                                    | 65 +++++++++++++++-------
 apps/lib/s_cb.c                                    |  6 +-
 apps/pkeyutl.c                                     |  6 +-
 apps/req.c                                         |  2 +-
 apps/rsa.c                                         |  4 +-
 apps/rsautl.c                                      |  4 +-
 apps/s_client.c                                    |  4 +-
 apps/s_server.c                                    | 12 ++--
 apps/smime.c                                       |  4 +-
 apps/x509.c                                        | 10 ++--
 crypto/dh/dh_ameth.c                               |  4 +-
 crypto/ec/ec_ameth.c                               |  4 +-
 crypto/ec/ec_asn1.c                                |  7 +--
 crypto/ec/ec_err.c                                 |  4 --
 crypto/err/openssl.txt                             |  5 --
 crypto/evp/evp_err.c                               |  1 -
 crypto/evp/evp_pbe.c                               |  7 +--
 crypto/pkcs12/p12_decr.c                           | 10 +---
 crypto/pkcs12/p12_kiss.c                           |  6 +-
 crypto/pkcs12/pk12err.c                            |  4 --
 crypto/rsa/rsa_ameth.c                             |  8 +--
 crypto/store/store_result.c                        | 10 +++-
 include/openssl/ecerr.h                            |  2 -
 include/openssl/evperr.h                           |  1 -
 include/openssl/pkcs12err.h                        |  2 -
 .../implementations/encode_decode/decode_der2key.c | 17 +++++-
 .../implementations/storemgmt/file_store_der2obj.c | 17 +++++-
 test/recipes/25-test_x509.t                        | 26 ++++++++-
 util/perl/OpenSSL/Test.pm                          | 14 +++--
 34 files changed, 175 insertions(+), 124 deletions(-)

diff --git a/apps/ca.c b/apps/ca.c
index 74113cdd67..58126b95a0 100644
--- a/apps/ca.c
+++ b/apps/ca.c
@@ -1269,7 +1269,8 @@ end_of_options:
         } else {
             X509 *revcert;
 
-            revcert = load_cert_pass(infile, certformat, passin, infile);
+            revcert = load_cert_pass(infile, certformat, passin,
+                                     "certificate to be revoked");
             if (revcert == NULL)
                 goto end;
             if (dorevoke == 2)
@@ -1398,23 +1399,23 @@ static int certify_cert(X509 **xret, const char *infile, int certformat,
                         CONF *lconf, int verbose, unsigned long certopt,
                         unsigned long nameopt, int default_op, int ext_copy)
 {
-    X509 *req = NULL;
+    X509 *template_cert = NULL;
     X509_REQ *rreq = NULL;
     EVP_PKEY *pktmp = NULL;
     int ok = -1, i;
 
-    if ((req = load_cert_pass(infile, certformat, passin, infile)) == NULL)
+    if ((template_cert = load_cert_pass(infile, certformat, passin, "template certificate")) == NULL)
         goto end;
     if (verbose)
-        X509_print(bio_err, req);
+        X509_print(bio_err, template_cert);
 
     BIO_printf(bio_err, "Check that the request matches the signature\n");
 
-    if ((pktmp = X509_get0_pubkey(req)) == NULL) {
+    if ((pktmp = X509_get0_pubkey(template_cert)) == NULL) {
         BIO_printf(bio_err, "error unpacking public key\n");
         goto end;
     }
-    i = do_X509_verify(req, pktmp, vfyopts);
+    i = do_X509_verify(template_cert, pktmp, vfyopts);
     if (i < 0) {
         ok = 0;
         BIO_printf(bio_err, "Signature verification problems....\n");
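Review bot: the new `load_cert_pass()` call on the `template_cert` line runs well past OpenSSL's 80-column limit; wrap the description argument onto a continuation line as the `revcert` call earlier in this file does. While touching this block, the context message `"Check that the request matches the signature\n"` now refers to a template certificate rather than a request, so it is worth rewording to match the renamed variable.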
@@ -1428,7 +1429,7 @@ static int certify_cert(X509 **xret, const char *infile, int certformat,
         BIO_printf(bio_err, "Signature ok\n");
     }
 
-    if ((rreq = X509_to_X509_REQ(req, NULL, NULL)) == NULL)
+    if ((rreq = X509_to_X509_REQ(template_cert, NULL, NULL)) == NULL)
         goto end;
 
     ok = do_body(xret, pkey, x509, dgst, sigopts, policy, db, serial, subj,
@@ -1438,7 +1439,7 @@ static int certify_cert(X509 **xret, const char *infile, int certformat,
 
  end:
     X509_REQ_free(rreq);
-    X509_free(req);
+    X509_free(template_cert);
     return ok;
 }
 
diff --git a/apps/cms.c b/apps/cms.c
index 178c441f1a..ad8f64fcaa 100644
--- a/apps/cms.c
+++ b/apps/cms.c
@@ -857,7 +857,7 @@ int cms_main(int argc, char **argv)
     }
 
     if (keyfile != NULL) {
-        key = load_key(keyfile, keyform, 0, passin, e, "signing key file");
+        key = load_key(keyfile, keyform, 0, passin, e, "signing key");
         if (key == NULL)
             goto end;
 
@@ -1060,7 +1060,7 @@ int cms_main(int argc, char **argv)
                 ret = 2;
                 goto end;
             }
-            key = load_key(keyfile, keyform, 0, passin, e, "signing key file");
+            key = load_key(keyfile, keyform, 0, passin, e, "signing key");
             if (key == NULL) {
                 ret = 2;
                 goto end;
diff --git a/apps/dgst.c b/apps/dgst.c
index 650115b468..badcfdf0e2 100644
--- a/apps/dgst.c
+++ b/apps/dgst.c
@@ -268,9 +268,9 @@ int dgst_main(int argc, char **argv)
         int type;
 
         if (want_pub)
-            sigkey = load_pubkey(keyfile, keyform, 0, NULL, e, "key file");
+            sigkey = load_pubkey(keyfile, keyform, 0, NULL, e, "public key");
         else
-            sigkey = load_key(keyfile, keyform, 0, passin, e, "key file");
+            sigkey = load_key(keyfile, keyform, 0, passin, e, "private key");
         if (sigkey == NULL) {
             /*
              * load_[pub]key() has already printed an appropriate message
diff --git a/apps/dsa.c b/apps/dsa.c
index 8ef802e0da..75a0504548 100644
--- a/apps/dsa.c
+++ b/apps/dsa.c
@@ -165,9 +165,9 @@ int dsa_main(int argc, char **argv)
 
     BIO_printf(bio_err, "read DSA key\n");
     if (pubin)
-        pkey = load_pubkey(infile, informat, 1, passin, e, "Public Key");
+        pkey = load_pubkey(infile, informat, 1, passin, e, "public key");
     else
-        pkey = load_key(infile, informat, 1, passin, e, "Private Key");
+        pkey = load_key(infile, informat, 1, passin, e, "private key");
 
     if (pkey != NULL)
         dsa = EVP_PKEY_get1_DSA(pkey);
diff --git a/apps/ec.c b/apps/ec.c
index 43e2be1346..79951cc8d6 100644
--- a/apps/ec.c
+++ b/apps/ec.c
@@ -194,9 +194,9 @@ int ec_main(int argc, char **argv)
     } else if (informat == FORMAT_ENGINE) {
         EVP_PKEY *pkey;
         if (pubin)
-            pkey = load_pubkey(infile, informat, 1, passin, e, "Public Key");
+            pkey = load_pubkey(infile, informat, 1, passin, e, "public key");
         else
-            pkey = load_key(infile, informat, 1, passin, e, "Private Key");
+            pkey = load_key(infile, informat, 1, passin, e, "private key");
         if (pkey != NULL) {
             eckey = EVP_PKEY_get1_EC_KEY(pkey);
             EVP_PKEY_free(pkey);
diff --git a/apps/lib/apps.c b/apps/lib/apps.c
index c0c56d9c22..fa015aa4ea 100644
--- a/apps/lib/apps.c
+++ b/apps/lib/apps.c
@@ -708,7 +708,10 @@ int load_key_certs_crls(const char *uri, int maybe_stdin,
     const char *propq = app_get0_propq();
     int ncerts = 0;
     int ncrls = 0;
-    const char *failed = "any";
+    const char *failed =
+        ppkey != NULL ? "key" : ppubkey != NULL ? "public key" :
+        pcert != NULL ? "cert" : pcrl != NULL ? "CRL" :
+        pcerts != NULL ? "certs" : pcrls != NULL ? "CRLs" : NULL;
     /* TODO make use of the engine reference 'eng' when loading pkeys */
 
     if (ppkey != NULL)
@@ -717,33 +720,36 @@ int load_key_certs_crls(const char *uri, int maybe_stdin,
         *ppubkey = NULL;
     if (pcert != NULL)
         *pcert = NULL;
+    if (failed == NULL) {
+        BIO_printf(bio_err, "Internal error: nothing to load into from %s\n",
+                   uri != NULL ? uri : "<stdin>");
+        return 0;
+    }
+
     if (pcerts != NULL && *pcerts == NULL
             && (*pcerts = sk_X509_new_null()) == NULL) {
-        BIO_printf(bio_err, "Out of memory");
+        BIO_printf(bio_err, "Out of memory loading");
         goto end;
     }
     if (pcrl != NULL)
         *pcrl = NULL;
     if (pcrls != NULL && *pcrls == NULL
             && (*pcrls = sk_X509_CRL_new_null()) == NULL) {
-        BIO_printf(bio_err, "Out of memory");
+        BIO_printf(bio_err, "Out of memory loading");
         goto end;
     }
 
-    if (desc == NULL)
-        desc = "key/certificate/CRL";
     uidata.password = pass;
     uidata.prompt_info = uri;
 
     if (uri == NULL) {
         BIO *bio;
 
-        uri = "<stdin>";
         if (!maybe_stdin) {
-            BIO_printf(bio_err, "No filename or uri specified for loading %s\n",
-                       desc);
+            BIO_printf(bio_err, "No filename or uri specified for loading");
             goto end;
         }
+        uri = "<stdin>";
         unbuffer(stdin);
         bio = BIO_new_fp(stdin, 0);
         if (bio != NULL)
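Review bot: the message `"Internal error: nothing to load into from %s\n"` reads awkwardly; something like "Internal error: no output parameter given for loading from %s" says what actually went wrong (all of `ppkey`, `ppubkey`, `pcert`, `pcrl`, `pcerts` and `pcrls` are NULL). Note also that the partial messages introduced here ("Out of memory loading", "No filename or uri specified for loading", "Could not open file or uri for loading") carry no newline and rely on the `end:` block to complete the line, so any future `goto end` added to this function must keep `failed` non-NULL or the line is left unterminated.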
@@ -754,17 +760,18 @@ int load_key_certs_crls(const char *uri, int maybe_stdin,
                                           &uidata, NULL, NULL);
     }
     if (ctx == NULL) {
-        BIO_printf(bio_err, "Could not open file or uri %s for loading %s\n",
-                   uri, desc);
+        BIO_printf(bio_err, "Could not open file or uri for loading");
         goto end;
     }
 
     failed = NULL;
     while (!OSSL_STORE_eof(ctx)) {
         OSSL_STORE_INFO *info = OSSL_STORE_load(ctx);
-        int type = info == NULL ? 0 : OSSL_STORE_INFO_get_type(info);
-        int ok = 1;
+        int type, ok = 1;
 
+        if (info == NULL)
+            break;
+        type = OSSL_STORE_INFO_get_type(info);
         switch (type) {
         case OSSL_STORE_INFO_PKEY:
             if (ppkey != NULL && *ppkey == NULL)
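Review bot: the early `break` on `info == NULL` treats any NULL from `OSSL_STORE_load()` before `OSSL_STORE_eof()` as end of input. If an error occurs after some objects have already been read (so `ncerts > 0` or `*ppkey` is set), `failed` stays NULL and the `end:` block reports success; worth confirming that a mid-stream load error (for example a failed decryption) is still diagnosed, or checking `OSSL_STORE_error()` before breaking.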
@@ -805,8 +812,7 @@ int load_key_certs_crls(const char *uri, int maybe_stdin,
         OSSL_STORE_INFO_free(info);
         if (!ok) {
             failed = info == NULL ? NULL : OSSL_STORE_INFO_type_string(type);
-            BIO_printf(bio_err, "Error reading %s of %s from %s\n",
-                       failed, desc, uri);
+            BIO_printf(bio_err, "Error reading");
             break;
         }
     }
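Review bot: the `info == NULL ? NULL : OSSL_STORE_INFO_type_string(type)` guard at the `failed =` assignment is now dead code, since the loop breaks on `info == NULL` before reaching the switch; simplify to `failed = OSSL_STORE_INFO_type_string(type);`.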
@@ -814,18 +820,37 @@ int load_key_certs_crls(const char *uri, int maybe_stdin,
  end:
     OSSL_STORE_close(ctx);
     if (failed == NULL) {
-        if (ppkey != NULL && *ppkey == NULL)
+        int any = 0;
+
+        if (ppkey != NULL && *ppkey == NULL) {
             failed = "key";
-        else if ((pcert != NULL || pcerts != NULL) && ncerts == 0)
+        } else if ((pcert != NULL || pcerts != NULL) && ncerts == 0) {
+            if (pcert == NULL)
+                any = 1;
             failed = "cert";
-        else if ((pcrl != NULL || pcrls != NULL) && ncrls == 0)
+        } else if ((pcrl != NULL || pcrls != NULL) && ncrls == 0) {
+            if (pcrl == NULL)
+                any = 1;
             failed = "CRL";
+        }
         if (failed != NULL)
-            BIO_printf(bio_err, "Could not read any %s of %s from %s\n",
-                       failed, desc, uri);
+            BIO_printf(bio_err, "Could not read");
+        if (any)
+            BIO_printf(bio_err, " any");
     }
-    if (failed != NULL)
+    if (failed != NULL) {
+        if (desc != NULL && strstr(desc, failed) != NULL) {
+            BIO_printf(bio_err, " %s", desc);
+        } else {
+            BIO_printf(bio_err, " %s", failed);
+            if (desc != NULL)
+                BIO_printf(bio_err, " of %s", desc);
+        }
+        if (uri != NULL)
+            BIO_printf(bio_err, " from %s", uri);
+        BIO_printf(bio_err, "\n");
         ERR_print_errors(bio_err);
+    }
     return failed == NULL;
 }
 
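Review bot: the `end:` block checks `ppkey`, `pcert`/`pcerts` and `pcrl`/`pcrls` for "nothing loaded" but has no branch for `ppubkey`, even though the initialisation of `failed` distinguishes "public key"; a request for a public key that yields nothing therefore appears to return success. Separately, the `strstr(desc, failed)` heuristic is case-sensitive, so whether a message reads "CA certificate from f" or "Certificate of CA certificate from f" depends on the spelling returned by `OSSL_STORE_INFO_type_string()` matching the lower-cased `desc` strings introduced elsewhere in this patch; a case-insensitive comparison (or comparing against the lower-cased kind strings only) would make this robust.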
diff --git a/apps/lib/s_cb.c b/apps/lib/s_cb.c
index 72fb98402d..142659d05e 100644
--- a/apps/lib/s_cb.c
+++ b/apps/lib/s_cb.c
@@ -1047,15 +1047,15 @@ int load_excert(SSL_EXCERT **pexc)
             return 0;
         if (exc->keyfile != NULL) {
             exc->key = load_key(exc->keyfile, exc->keyform,
-                                0, NULL, NULL, "Server Key");
+                                0, NULL, NULL, "server key");
         } else {
             exc->key = load_key(exc->certfile, exc->certform,
-                                0, NULL, NULL, "Server Key");
+                                0, NULL, NULL, "server key");
         }
         if (exc->key == NULL)
             return 0;
         if (exc->chainfile != NULL) {
-            if (!load_certs(exc->chainfile, &exc->chain, NULL, "Server Chain"))
+            if (!load_certs(exc->chainfile, &exc->chain, NULL, "server chain"))
                 return 0;
         }
     }
diff --git a/apps/pkeyutl.c b/apps/pkeyutl.c
index 5f53867790..61f9130175 100644
--- a/apps/pkeyutl.c
+++ b/apps/pkeyutl.c
@@ -532,11 +532,11 @@ static EVP_PKEY_CTX *init_ctx(const char *kdfalg, int *pkeysize,
     }
     switch (key_type) {
     case KEY_PRIVKEY:
-        pkey = load_key(keyfile, keyform, 0, passin, e, "Private Key");
+        pkey = load_key(keyfile, keyform, 0, passin, e, "private key");
         break;
 
     case KEY_PUBKEY:
-        pkey = load_pubkey(keyfile, keyform, 0, NULL, e, "Public Key");
+        pkey = load_pubkey(keyfile, keyform, 0, NULL, e, "public key");
         break;
 
     case KEY_CERT:
@@ -644,7 +644,7 @@ static int setup_peer(EVP_PKEY_CTX *ctx, int peerform, const char *file,
 
     if (peerform == FORMAT_ENGINE)
         engine = e;
-    peer = load_pubkey(file, peerform, 0, NULL, engine, "Peer Key");
+    peer = load_pubkey(file, peerform, 0, NULL, engine, "peer key");
     if (peer == NULL) {
         BIO_printf(bio_err, "Error reading peer key %s\n", file);
         ERR_print_errors(bio_err);
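Review bot: with `load_key_certs_crls()` now printing the fatal error and calling `ERR_print_errors()` itself, the caller's `"Error reading peer key %s\n"` message and its `ERR_print_errors(bio_err)` in `setup_peer()` duplicate the diagnostic (and the second `ERR_print_errors()` finds an already-drained queue). Drop them here, as `apps/dgst.c` already does with its "load_[pub]key() has already printed an appropriate message" comment.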
diff --git a/apps/req.c b/apps/req.c
index cb5850c6b5..62abf226ac 100644
--- a/apps/req.c
+++ b/apps/req.c
@@ -591,7 +591,7 @@ int req_main(int argc, char **argv)
     }
 
     if (keyfile != NULL) {
-        pkey = load_key(keyfile, keyform, 0, passin, e, "Private Key");
+        pkey = load_key(keyfile, keyform, 0, passin, e, "private key");
         if (pkey == NULL)
             goto end;
         app_RAND_load_conf(req_conf, section);
diff --git a/apps/rsa.c b/apps/rsa.c
index fdee96d570..558b126560 100644
--- a/apps/rsa.c
+++ b/apps/rsa.c
@@ -198,9 +198,9 @@ int rsa_main(int argc, char **argv)
             tmpformat = informat;
         }
 
-        pkey = load_pubkey(infile, tmpformat, 1, passin, e, "Public Key");
+        pkey = load_pubkey(infile, tmpformat, 1, passin, e, "public key");
     } else {
-        pkey = load_key(infile, informat, 1, passin, e, "Private Key");
+        pkey = load_key(infile, informat, 1, passin, e, "private key");
     }
 
     if (pkey != NULL)
diff --git a/apps/rsautl.c b/apps/rsautl.c
index 0f9789c39c..49d9fcfea4 100644
--- a/apps/rsautl.c
+++ b/apps/rsautl.c
@@ -189,11 +189,11 @@ int rsautl_main(int argc, char **argv)
 
     switch (key_type) {
     case KEY_PRIVKEY:
-        pkey = load_key(keyfile, keyformat, 0, passin, e, "Private Key");
+        pkey = load_key(keyfile, keyformat, 0, passin, e, "private key");
         break;
 
     case KEY_PUBKEY:
-        pkey = load_pubkey(keyfile, keyformat, 0, NULL, e, "Public Key");
+        pkey = load_pubkey(keyfile, keyformat, 0, NULL, e, "public key");
         break;
 
     case KEY_CERT:
diff --git a/apps/s_client.c b/apps/s_client.c
index ca9891aba8..513beeaa9a 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -1728,13 +1728,13 @@ int s_client_main(int argc, char **argv)
 
     if (key_file != NULL) {
         key = load_key(key_file, key_format, 0, pass, e,
-                       "client certificate private key file");
+                       "client certificate private key");
         if (key == NULL)
             goto end;
     }
 
     if (cert_file != NULL) {
-        cert = load_cert_pass(cert_file, cert_format, pass, "client certificate file");
+        cert = load_cert_pass(cert_file, cert_format, pass, "client certificate");
         if (cert == NULL)
             goto end;
     }
diff --git a/apps/s_server.c b/apps/s_server.c
index dde0ee60c0..dee38584c4 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -1740,12 +1740,12 @@ int s_server_main(int argc, char *argv[])
 
     if (nocert == 0) {
         s_key = load_key(s_key_file, s_key_format, 0, pass, engine,
-                         "server certificate private key file");
+                         "server certificate private key");
         if (s_key == NULL)
             goto end;
 
         s_cert = load_cert_pass(s_cert_file, s_cert_format, pass,
-                           "server certificate file");
+                           "server certificate");
 
         if (s_cert == NULL)
             goto end;
@@ -1757,12 +1757,12 @@ int s_server_main(int argc, char *argv[])
 
         if (tlsextcbp.servername != NULL) {
             s_key2 = load_key(s_key_file2, s_key_format, 0, pass, engine,
-                              "second server certificate private key file");
+                              "second server certificate private key");
             if (s_key2 == NULL)
                 goto end;
 
             s_cert2 = load_cert_pass(s_cert_file2, s_cert_format, pass,
-                                "second server certificate file");
+                                "second server certificate");
 
             if (s_cert2 == NULL)
                 goto end;
@@ -1802,12 +1802,12 @@ int s_server_main(int argc, char *argv[])
             s_dkey_file = s_dcert_file;
 
         s_dkey = load_key(s_dkey_file, s_dkey_format,
-                          0, dpass, engine, "second certificate private key file");
+                          0, dpass, engine, "second certificate private key");
         if (s_dkey == NULL)
             goto end;
 
         s_dcert = load_cert_pass(s_dcert_file, s_dcert_format, dpass,
-                            "second server certificate file");
+                            "second server certificate");
 
         if (s_dcert == NULL) {
             ERR_print_errors(bio_err);
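Review bot: the `ERR_print_errors(bio_err)` in the `s_dcert == NULL` branch is now redundant, since `load_cert_pass()` reports the failure and prints the error queue before returning NULL; the other `s_cert`/`s_cert2` failure paths in this function just `goto end`, so this one should do the same for consistency.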
diff --git a/apps/smime.c b/apps/smime.c
index 9113038db7..e6d539457e 100644
--- a/apps/smime.c
+++ b/apps/smime.c
@@ -471,7 +471,7 @@ int smime_main(int argc, char **argv)
     }
 
     if (keyfile != NULL) {
-        key = load_key(keyfile, keyform, 0, passin, e, "signing key file");
+        key = load_key(keyfile, keyform, 0, passin, e, "signing key");
         if (key == NULL)
             goto end;
 
@@ -573,7 +573,7 @@ int smime_main(int argc, char **argv)
                                "signer certificate");
             if (signer == NULL)
                 goto end;
-            key = load_key(keyfile, keyform, 0, passin, e, "signing key file");
+            key = load_key(keyfile, keyform, 0, passin, e, "signing key");
             if (key == NULL)
                 goto end;
 
diff --git a/apps/x509.c b/apps/x509.c
index 5627bd9dbe..367cbf45f1 100644
--- a/apps/x509.c
+++ b/apps/x509.c
@@ -522,7 +522,7 @@ int x509_main(int argc, char **argv)
         goto end;
     }
     if (fkeyfile != NULL) {
-        fkey = load_pubkey(fkeyfile, keyformat, 0, NULL, e, "Forced key");
+        fkey = load_pubkey(fkeyfile, keyformat, 0, NULL, e, "forced key");
         if (fkey == NULL)
             goto end;
     }
@@ -629,7 +629,7 @@ int x509_main(int argc, char **argv)
         if (!X509_set_pubkey(x, fkey != NULL ? fkey : X509_REQ_get0_pubkey(req)))
             goto end;
     } else {
-        x = load_cert_pass(infile, FORMAT_UNDEF, passin, "Certificate");
+        x = load_cert_pass(infile, FORMAT_UNDEF, passin, "certificate");
         if (x == NULL)
             goto end;
         if (fkey != NULL && !X509_set_pubkey(x, fkey))
@@ -639,7 +639,7 @@ int x509_main(int argc, char **argv)
     }
 
     if (CA_flag) {
-        xca = load_cert_pass(CAfile, CAformat, passin, "CA Certificate");
+        xca = load_cert_pass(CAfile, CAformat, passin, "CA certificate");
         if (xca == NULL)
             goto end;
     }
@@ -846,7 +846,7 @@ int x509_main(int argc, char **argv)
                 BIO_printf(bio_err, "Getting Private key\n");
                 if (Upkey == NULL) {
                     Upkey = load_key(keyfile, keyformat, 0,
-                                     passin, e, "Private key");
+                                     passin, e, "private key");
                     if (Upkey == NULL)
                         goto end;
                 }
@@ -858,7 +858,7 @@ int x509_main(int argc, char **argv)
                 BIO_printf(bio_err, "Getting CA Private Key\n");
                 if (CAkeyfile != NULL) {
                     CApkey = load_key(CAkeyfile, CAkeyformat,
-                                      0, passin, e, "CA Private Key");
+                                      0, passin, e, "CA private key");
                     if (CApkey == NULL)
                         goto end;
                 }
diff --git a/crypto/dh/dh_ameth.c b/crypto/dh/dh_ameth.c
index 3d4605ae11..f89dd44ffd 100644
--- a/crypto/dh/dh_ameth.c
+++ b/crypto/dh/dh_ameth.c
@@ -269,10 +269,8 @@ static int dh_param_decode(EVP_PKEY *pkey,
 {
     DH *dh;
 
-    if ((dh = d2i_dhp(pkey, pder, derlen)) == NULL) {
-        DHerr(DH_F_DH_PARAM_DECODE, ERR_R_DH_LIB);
+    if ((dh = d2i_dhp(pkey, pder, derlen)) == NULL)
         return 0;
-    }
     dh->dirty_cnt++;
     EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, dh);
     return 1;
diff --git a/crypto/ec/ec_ameth.c b/crypto/ec/ec_ameth.c
index 75f82739ec..b586a43539 100644
--- a/crypto/ec/ec_ameth.c
+++ b/crypto/ec/ec_ameth.c
@@ -438,10 +438,8 @@ static int eckey_param_decode(EVP_PKEY *pkey,
 {
     EC_KEY *eckey;
 
-    if ((eckey = d2i_ECParameters(NULL, pder, derlen)) == NULL) {
-        ECerr(EC_F_ECKEY_PARAM_DECODE, ERR_R_EC_LIB);
+    if ((eckey = d2i_ECParameters(NULL, pder, derlen)) == NULL)
         return 0;
-    }
     EVP_PKEY_assign_EC_KEY(pkey, eckey);
     return 1;
 }
diff --git a/crypto/ec/ec_asn1.c b/crypto/ec/ec_asn1.c
index 9454f580d5..b50e2edbc8 100644
--- a/crypto/ec/ec_asn1.c
+++ b/crypto/ec/ec_asn1.c
@@ -885,13 +885,11 @@ EC_GROUP *d2i_ECPKParameters(EC_GROUP **a, const unsigned char **in, long len)
     const unsigned char *p = *in;
 
     if ((params = d2i_ECPKPARAMETERS(NULL, &p, len)) == NULL) {
-        ECerr(EC_F_D2I_ECPKPARAMETERS, EC_R_D2I_ECPKPARAMETERS_FAILURE);
         ECPKPARAMETERS_free(params);
         return NULL;
     }
 
     if ((group = EC_GROUP_new_from_ecpkparameters(params)) == NULL) {
-        ECerr(EC_F_D2I_ECPKPARAMETERS, EC_R_PKPARAMETERS2GROUP_FAILURE);
         ECPKPARAMETERS_free(params);
         return NULL;
     }
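Review bot: with the `ECerr()` gone, the first failure branch in `d2i_ECPKParameters()` is just `ECPKPARAMETERS_free(params); return NULL;` on a pointer known to be NULL; the free can be dropped and the branch collapsed to a plain `return NULL`, matching the style used for `d2i_EC_PRIVATEKEY()` further down in this patch.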
@@ -934,10 +932,8 @@ EC_KEY *d2i_ECPrivateKey(EC_KEY **a, const unsigned char **in, long len)
     EC_PRIVATEKEY *priv_key = NULL;
     const unsigned char *p = *in;
 
-    if ((priv_key = d2i_EC_PRIVATEKEY(NULL, &p, len)) == NULL) {
-        ECerr(EC_F_D2I_ECPRIVATEKEY, ERR_R_EC_LIB);
+    if ((priv_key = d2i_EC_PRIVATEKEY(NULL, &p, len)) == NULL)
         return NULL;
-    }
 
     if (a == NULL || *a == NULL) {
         if ((ret = EC_KEY_new()) == NULL) {
@@ -1110,7 +1106,6 @@ EC_KEY *d2i_ECParameters(EC_KEY **a, const unsigned char **in, long len)
         ret = *a;
 
     if (!d2i_ECPKParameters(&ret->group, in, len)) {
-        ECerr(EC_F_D2I_ECPARAMETERS, ERR_R_EC_LIB);
         if (a == NULL || *a != ret)
              EC_KEY_free(ret);
         else
diff --git a/crypto/ec/ec_err.c b/crypto/ec/ec_err.c
index 7112cbc21f..35cf7d158f 100644
--- a/crypto/ec/ec_err.c
+++ b/crypto/ec/ec_err.c
@@ -27,8 +27,6 @@ static const ERR_STRING_DATA EC_str_reasons[] = {
     "curve does not support ecdsa"},
     {ERR_PACK(ERR_LIB_EC, 0, EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING),
     "curve does not support signing"},
-    {ERR_PACK(ERR_LIB_EC, 0, EC_R_D2I_ECPKPARAMETERS_FAILURE),
-    "d2i ecpkparameters failure"},
     {ERR_PACK(ERR_LIB_EC, 0, EC_R_DECODE_ERROR), "decode error"},
     {ERR_PACK(ERR_LIB_EC, 0, EC_R_DISCRIMINANT_IS_ZERO),
     "discriminant is zero"},
@@ -93,8 +91,6 @@ static const ERR_STRING_DATA EC_str_reasons[] = {
     {ERR_PACK(ERR_LIB_EC, 0, EC_R_PASSED_NULL_PARAMETER),
     "passed null parameter"},
     {ERR_PACK(ERR_LIB_EC, 0, EC_R_PEER_KEY_ERROR), "peer key error"},
-    {ERR_PACK(ERR_LIB_EC, 0, EC_R_PKPARAMETERS2GROUP_FAILURE),
-    "pkparameters2group failure"},
     {ERR_PACK(ERR_LIB_EC, 0, EC_R_POINT_ARITHMETIC_FAILURE),
     "point arithmetic failure"},
     {ERR_PACK(ERR_LIB_EC, 0, EC_R_POINT_AT_INFINITY), "point at infinity"},
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index 1d9dd9366f..45f315c383 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -2412,7 +2412,6 @@ EC_R_COORDINATES_OUT_OF_RANGE:146:coordinates out of range
 EC_R_CURVE_DOES_NOT_SUPPORT_ECDH:160:curve does not support ecdh
 EC_R_CURVE_DOES_NOT_SUPPORT_ECDSA:170:curve does not support ecdsa
 EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING:159:curve does not support signing
-EC_R_D2I_ECPKPARAMETERS_FAILURE:117:d2i ecpkparameters failure
 EC_R_DECODE_ERROR:142:decode error
 EC_R_DISCRIMINANT_IS_ZERO:118:discriminant is zero
 EC_R_EC_GROUP_NEW_BY_NAME_FAILURE:119:ec group new by name failure
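Review bot: removing `EC_R_D2I_ECPKPARAMETERS_FAILURE:117` (and, below, `EC_R_PKPARAMETERS2GROUP_FAILURE:127`, `EVP_R_KEYGEN_FAILURE:120` and the two `PKCS12_R_*` codes) also deletes the macros from the public headers listed in the summary (`ecerr.h`, `evperr.h`, `pkcs12err.h`), which is an API change for anyone matching on these reason codes. Please mention it in CHANGES.md, and make sure the freed numbers are not reused for new reasons so that old binaries do not misreport errors.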
@@ -2462,7 +2461,6 @@ EC_R_NO_PRIVATE_VALUE:154:no private value
 EC_R_OPERATION_NOT_SUPPORTED:152:operation not supported
 EC_R_PASSED_NULL_PARAMETER:134:passed null parameter
 EC_R_PEER_KEY_ERROR:149:peer key error
-EC_R_PKPARAMETERS2GROUP_FAILURE:127:pkparameters2group failure
 EC_R_POINT_ARITHMETIC_FAILURE:155:point arithmetic failure
 EC_R_POINT_AT_INFINITY:106:point at infinity
 EC_R_POINT_COORDINATES_BLIND_FAILURE:163:point coordinates blind failure
@@ -2571,7 +2569,6 @@ EVP_R_INVALID_SALT_LENGTH:186:invalid salt length
 EVP_R_INVALID_SECRET_LENGTH:223:invalid secret length
 EVP_R_INVALID_SEED_LENGTH:220:invalid seed length
 EVP_R_INVALID_VALUE:222:invalid value
-EVP_R_KEYGEN_FAILURE:120:keygen failure
 EVP_R_KEYMGMT_EXPORT_FAILURE:205:keymgmt export failure
 EVP_R_KEY_SETUP_FAILED:180:key setup failed
 EVP_R_LOCKING_NOT_SUPPORTED:213:locking not supported
@@ -2791,9 +2788,7 @@ PKCS12_R_MAC_SETUP_ERROR:110:mac setup error
 PKCS12_R_MAC_STRING_SET_ERROR:111:mac string set error
 PKCS12_R_MAC_VERIFY_FAILURE:113:mac verify failure
 PKCS12_R_PARSE_ERROR:114:parse error
-PKCS12_R_PKCS12_ALGOR_CIPHERINIT_ERROR:115:pkcs12 algor cipherinit error
 PKCS12_R_PKCS12_CIPHERFINAL_ERROR:116:pkcs12 cipherfinal error
-PKCS12_R_PKCS12_PBE_CRYPT_ERROR:117:pkcs12 pbe crypt error
 PKCS12_R_UNKNOWN_DIGEST_ALGORITHM:118:unknown digest algorithm
 PKCS12_R_UNSUPPORTED_PKCS12_MODE:119:unsupported pkcs12 mode
 PKCS7_R_CERTIFICATE_VERIFY_ERROR:117:certificate verify error
diff --git a/crypto/evp/evp_err.c b/crypto/evp/evp_err.c
index 09351f2434..52a224a517 100644
--- a/crypto/evp/evp_err.c
+++ b/crypto/evp/evp_err.c
@@ -103,7 +103,6 @@ static const ERR_STRING_DATA EVP_str_reasons[] = {
     {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_INVALID_SEED_LENGTH),
     "invalid seed length"},
     {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_INVALID_VALUE), "invalid value"},
-    {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_KEYGEN_FAILURE), "keygen failure"},
     {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_KEYMGMT_EXPORT_FAILURE),
     "keymgmt export failure"},
     {ERR_PACK(ERR_LIB_EVP, 0, EVP_R_KEY_SETUP_FAILED), "key setup failed"},
diff --git a/crypto/evp/evp_pbe.c b/crypto/evp/evp_pbe.c
index a9f94bd5bc..5dae42b6a1 100644
--- a/crypto/evp/evp_pbe.c
+++ b/crypto/evp/evp_pbe.c
@@ -114,6 +114,7 @@ int EVP_PBE_CipherInit(ASN1_OBJECT *pbe_obj, const char *pass, int passlen,
         cipher = EVP_get_cipherbynid(cipher_nid);
         if (!cipher) {
             EVPerr(EVP_F_EVP_PBE_CIPHERINIT, EVP_R_UNKNOWN_CIPHER);
+            ERR_add_error_data(1, OBJ_nid2sn(cipher_nid));
             return 0;
         }
     }
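Review bot: `OBJ_nid2sn(cipher_nid)` returns NULL for a NID that has no short name, which is exactly the situation this branch is most likely to hit; consider also including the numeric NID in the error data (for example via a small buffer and `ERR_add_error_data(2, "nid=", buf)`) so the diagnostic is useful even when no name is known.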
@@ -128,11 +129,7 @@ int EVP_PBE_CipherInit(ASN1_OBJECT *pbe_obj, const char *pass, int passlen,
         }
     }
 
-    if (!keygen(ctx, pass, passlen, param, cipher, md, en_de)) {
-        EVPerr(EVP_F_EVP_PBE_CIPHERINIT, EVP_R_KEYGEN_FAILURE);
-        return 0;
-    }
-    return 1;
+    return keygen(ctx, pass, passlen, param, cipher, md, en_de);
 }
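Review bot: `return keygen(...)` drops the `EVP_R_KEYGEN_FAILURE` wrapper, so the caller now sees only whatever the keygen callback pushed onto the error queue; this is fine only if every registered PBE keygen callback reports its own reason on failure, which is worth double-checking for the less common ones (PBKDF2, PKCS#5 v2 and the PKCS#12 keygen variants) before the reason code is removed from the public header.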
 
 DECLARE_OBJ_BSEARCH_CMP_FN(EVP_PBE_CTL, EVP_PBE_CTL, pbe2);
diff --git a/crypto/pkcs12/p12_decr.c b/crypto/pkcs12/p12_decr.c
index 32e5597e06..37c8e40194 100644
--- a/crypto/pkcs12/p12_decr.c
+++ b/crypto/pkcs12/p12_decr.c
@@ -33,11 +33,8 @@ unsigned char *PKCS12_pbe_crypt(const X509_ALGOR *algor,
 
     /* Process data */
     if (!EVP_PBE_CipherInit(algor->algorithm, pass, passlen,
-                            algor->parameter, ctx, en_de)) {
-        PKCS12err(PKCS12_F_PKCS12_PBE_CRYPT,
-                  PKCS12_R_PKCS12_ALGOR_CIPHERINIT_ERROR);
+                            algor->parameter, ctx, en_de))
         goto err;
-    }
 
     /*
      * GOST algorithm specifics:
@@ -125,11 +122,8 @@ void *PKCS12_item_decrypt_d2i(const X509_ALGOR *algor, const ASN1_ITEM *it,
     int outlen = 0;
 
     if (!PKCS12_pbe_crypt(algor, pass, passlen, oct->data, oct->length,
-                          &out, &outlen, 0)) {
-        PKCS12err(PKCS12_F_PKCS12_ITEM_DECRYPT_D2I,
-                  PKCS12_R_PKCS12_PBE_CRYPT_ERROR);
+                          &out, &outlen, 0))
         return NULL;
-    }
     p = out;
     OSSL_TRACE_BEGIN(PKCS12_DECRYPT) {
         BIO_printf(trc_out, "\n");
diff --git a/crypto/pkcs12/p12_kiss.c b/crypto/pkcs12/p12_kiss.c
index 126a6ce94b..ad1f4ee1ed 100644
--- a/crypto/pkcs12/p12_kiss.c
+++ b/crypto/pkcs12/p12_kiss.c
@@ -80,7 +80,11 @@ int PKCS12_parse(PKCS12 *p12, const char *pass, EVP_PKEY **pkey, X509 **cert,
     }
 
     if (!parse_pk12(p12, pass, -1, pkey, ocerts)) {
-        PKCS12err(PKCS12_F_PKCS12_PARSE, PKCS12_R_PARSE_ERROR);
+        int err = ERR_peek_last_error();
+
+        if (ERR_GET_LIB(err) != ERR_LIB_EVP
+                && ERR_GET_REASON(err) != EVP_R_UNSUPPORTED_ALGORITHM)
+            PKCS12err(0, PKCS12_R_PARSE_ERROR);
         goto err;
     }
 
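Review bot: the condition `if (ERR_GET_LIB(err) != ERR_LIB_EVP && ERR_GET_REASON(err) != EVP_R_UNSUPPORTED_ALGORITHM)` does not express "unless the last error is EVP / unsupported algorithm"; the negation of (lib == EVP && reason == UNSUPPORTED) is (lib != EVP || reason != UNSUPPORTED). As written, every EVP-library error with a different reason (for instance the EVP_R_UNKNOWN_CIPHER raised in evp_pbe.c in this same patch) also suppresses PKCS12_R_PARSE_ERROR, and a non-EVP error whose reason number happens to equal EVP_R_UNSUPPORTED_ALGORITHM is suppressed as well. If suppressing on any EVP error is what is wanted, drop the reason test and say so in a comment; otherwise use `||`. Also, ERR_peek_last_error() returns unsigned long, so `int err` truncates the code; declare it unsigned long.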
diff --git a/crypto/pkcs12/pk12err.c b/crypto/pkcs12/pk12err.c
index f7789dc8d3..ae835c57be 100644
--- a/crypto/pkcs12/pk12err.c
+++ b/crypto/pkcs12/pk12err.c
@@ -39,12 +39,8 @@ static const ERR_STRING_DATA PKCS12_str_reasons[] = {
     {ERR_PACK(ERR_LIB_PKCS12, 0, PKCS12_R_MAC_VERIFY_FAILURE),
     "mac verify failure"},
     {ERR_PACK(ERR_LIB_PKCS12, 0, PKCS12_R_PARSE_ERROR), "parse error"},
-    {ERR_PACK(ERR_LIB_PKCS12, 0, PKCS12_R_PKCS12_ALGOR_CIPHERINIT_ERROR),
-    "pkcs12 algor cipherinit error"},
     {ERR_PACK(ERR_LIB_PKCS12, 0, PKCS12_R_PKCS12_CIPHERFINAL_ERROR),
     "pkcs12 cipherfinal error"},
-    {ERR_PACK(ERR_LIB_PKCS12, 0, PKCS12_R_PKCS12_PBE_CRYPT_ERROR),
-    "pkcs12 pbe crypt error"},
     {ERR_PACK(ERR_LIB_PKCS12, 0, PKCS12_R_UNKNOWN_DIGEST_ALGORITHM),
     "unknown digest algorithm"},
     {ERR_PACK(ERR_LIB_PKCS12, 0, PKCS12_R_UNSUPPORTED_PKCS12_MODE),
diff --git a/crypto/rsa/rsa_ameth.c b/crypto/rsa/rsa_ameth.c
index 814452f27d..aab237aecd 100644
--- a/crypto/rsa/rsa_ameth.c
+++ b/crypto/rsa/rsa_ameth.c
@@ -113,10 +113,8 @@ static int rsa_pub_decode(EVP_PKEY *pkey, const X509_PUBKEY *pubkey)
 
     if (!X509_PUBKEY_get0_param(NULL, &p, &pklen, &alg, pubkey))
         return 0;
-    if ((rsa = d2i_RSAPublicKey(NULL, &p, pklen)) == NULL) {
-        RSAerr(RSA_F_RSA_PUB_DECODE, ERR_R_RSA_LIB);
+    if ((rsa = d2i_RSAPublicKey(NULL, &p, pklen)) == NULL)
         return 0;
-    }
     if (!rsa_param_decode(rsa, alg)) {
         RSA_free(rsa);
         return 0;
@@ -164,10 +162,8 @@ static int old_rsa_priv_decode(EVP_PKEY *pkey,
 {
     RSA *rsa;
 
-    if ((rsa = d2i_RSAPrivateKey(NULL, pder, derlen)) == NULL) {
-        RSAerr(RSA_F_OLD_RSA_PRIV_DECODE, ERR_R_RSA_LIB);
+    if ((rsa = d2i_RSAPrivateKey(NULL, pder, derlen)) == NULL)
         return 0;
-    }
     EVP_PKEY_assign(pkey, pkey->ameth->pkey_id, rsa);
     return 1;
 }
diff --git a/crypto/store/store_result.c b/crypto/store/store_result.c
index 0c78e94ec4..a309acc115 100644
--- a/crypto/store/store_result.c
+++ b/crypto/store/store_result.c
@@ -87,7 +87,8 @@ static int try_pkcs12(struct extracted_param_data_st *, OSSL_STORE_INFO **,
         int err = ERR_peek_last_error();                                \
                                                                         \
         if (ERR_GET_LIB(err) == ERR_LIB_ASN1                            \
-            && ERR_GET_REASON(err) == ERR_R_NESTED_ASN1_ERROR)          \
+            && (ERR_GET_REASON(err) == ASN1_R_UNKNOWN_PUBLIC_KEY_TYPE   \
+                || ERR_GET_REASON(err) == ERR_R_NESTED_ASN1_ERROR))     \
             ERR_pop_to_mark();                                          \
         else                                                            \
             ERR_clear_last_mark();                                      \
@@ -279,11 +280,13 @@ static EVP_PKEY *try_key_value_legacy(struct extracted_param_data_st *data,
     const unsigned char *der = data->octet_data, *derp;
     long der_len = (long)data->octet_data_size;
 
+    SET_ERR_MARK();
     /* Try PUBKEY first, that's a real easy target */
     derp = der;
     pk = d2i_PUBKEY_ex(NULL, &derp, der_len, libctx, propq);
     if (pk != NULL)
         *store_info_new = OSSL_STORE_INFO_new_PUBKEY;
+    RESET_ERR_MARK();
 
     /* Try private keys next */
     if (pk == NULL) {
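Review bot: SET_ERR_MARK() is called once at the top of try_key_value_legacy(), but RESET_ERR_MARK() then follows each decoding attempt and CLEAR_ERR_MARK() closes the function. Both ERR_pop_to_mark() and ERR_clear_last_mark() consume the mark, so this sequence is only balanced if RESET_ERR_MARK() establishes a fresh mark after clearing. Its definition is not part of this patch, so please confirm that it does; if no mark is present, ERR_pop_to_mark() empties the entire error queue, including errors that were queued before this function was entered.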
@@ -319,6 +322,7 @@ static EVP_PKEY *try_key_value_legacy(struct extracted_param_data_st *data,
             }
             X509_SIG_free(p8);
         }
+        RESET_ERR_MARK();
 
         /*
          * If the encrypted PKCS#8 couldn't be decrypted,
@@ -328,6 +332,7 @@ static EVP_PKEY *try_key_value_legacy(struct extracted_param_data_st *data,
             /* Try to unpack an unencrypted PKCS#8, that's easy */
             derp = der;
             p8info = d2i_PKCS8_PRIV_KEY_INFO(NULL, &derp, der_len);
+            RESET_ERR_MARK();
             if (p8info != NULL) {
                 pk = EVP_PKCS82PKEY_with_libctx(p8info, libctx, propq);
                 PKCS8_PRIV_KEY_INFO_free(p8info);
@@ -344,6 +349,7 @@ static EVP_PKEY *try_key_value_legacy(struct extracted_param_data_st *data,
                 pk = d2i_PrivateKey_ex(EVP_PKEY_SM2, NULL,
                                        &derp, der_len,
                                        libctx, NULL);
+                RESET_ERR_MARK();
             }
         }
 
@@ -363,9 +369,11 @@ static EVP_PKEY *try_key_value_legacy(struct extracted_param_data_st *data,
     if (pk == NULL) {
         derp = der;
         pk = d2i_KeyParams(EVP_PKEY_SM2, NULL, &derp, der_len);
+        RESET_ERR_MARK();
         if (pk != NULL)
             *store_info_new = OSSL_STORE_INFO_new_PARAMS;
     }
+    CLEAR_ERR_MARK();
 
     return pk;
 }
diff --git a/include/openssl/ecerr.h b/include/openssl/ecerr.h
index bbed2b4b7c..60677d8560 100644
--- a/include/openssl/ecerr.h
+++ b/include/openssl/ecerr.h
@@ -233,7 +233,6 @@ int ERR_load_EC_strings(void);
 #  define EC_R_CURVE_DOES_NOT_SUPPORT_ECDH                 160
 #  define EC_R_CURVE_DOES_NOT_SUPPORT_ECDSA                170
 #  define EC_R_CURVE_DOES_NOT_SUPPORT_SIGNING              159
-#  define EC_R_D2I_ECPKPARAMETERS_FAILURE                  117
 #  define EC_R_DECODE_ERROR                                142
 #  define EC_R_DISCRIMINANT_IS_ZERO                        118
 #  define EC_R_EC_GROUP_NEW_BY_NAME_FAILURE                119
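Review bot: EC_R_D2I_ECPKPARAMETERS_FAILURE is a public reason code in include/openssl/ecerr.h, and the next hunk drops EC_R_PKPARAMETERS2GROUP_FAILURE likewise; applications that compare ERR_GET_REASON() against these macros will stop compiling. If the codes are genuinely no longer raised, either keep the defines with a comment that they are obsolete or record the removal in the change log so downstream users are not surprised by a regenerated header.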
@@ -283,7 +282,6 @@ int ERR_load_EC_strings(void);
 #  define EC_R_OPERATION_NOT_SUPPORTED                     152
 #  define EC_R_PASSED_NULL_PARAMETER                       134
 #  define EC_R_PEER_KEY_ERROR                              149
-#  define EC_R_PKPARAMETERS2GROUP_FAILURE                  127
 #  define EC_R_POINT_ARITHMETIC_FAILURE                    155
 #  define EC_R_POINT_AT_INFINITY                           106
 #  define EC_R_POINT_COORDINATES_BLIND_FAILURE             163
diff --git a/include/openssl/evperr.h b/include/openssl/evperr.h
index ef74c10243..1a3f5b6fbd 100644
--- a/include/openssl/evperr.h
+++ b/include/openssl/evperr.h
@@ -214,7 +214,6 @@ int ERR_load_EVP_strings(void);
 # define EVP_R_INVALID_SECRET_LENGTH                      223
 # define EVP_R_INVALID_SEED_LENGTH                        220
 # define EVP_R_INVALID_VALUE                              222
-# define EVP_R_KEYGEN_FAILURE                             120
 # define EVP_R_KEYMGMT_EXPORT_FAILURE                     205
 # define EVP_R_KEY_SETUP_FAILED                           180
 # define EVP_R_LOCKING_NOT_SUPPORTED                      213
diff --git a/include/openssl/pkcs12err.h b/include/openssl/pkcs12err.h
index 0a3f42bd62..60369447de 100644
--- a/include/openssl/pkcs12err.h
+++ b/include/openssl/pkcs12err.h
@@ -77,9 +77,7 @@ int ERR_load_PKCS12_strings(void);
 # define PKCS12_R_MAC_STRING_SET_ERROR                    111
 # define PKCS12_R_MAC_VERIFY_FAILURE                      113
 # define PKCS12_R_PARSE_ERROR                             114
-# define PKCS12_R_PKCS12_ALGOR_CIPHERINIT_ERROR           115
 # define PKCS12_R_PKCS12_CIPHERFINAL_ERROR                116
-# define PKCS12_R_PKCS12_PBE_CRYPT_ERROR                  117
 # define PKCS12_R_UNKNOWN_DIGEST_ALGORITHM                118
 # define PKCS12_R_UNSUPPORTED_PKCS12_MODE                 119
 
diff --git a/providers/implementations/encode_decode/decode_der2key.c b/providers/implementations/encode_decode/decode_der2key.c
index 011f05803d..f75faf2d11 100644
--- a/providers/implementations/encode_decode/decode_der2key.c
+++ b/providers/implementations/encode_decode/decode_der2key.c
@@ -165,10 +165,11 @@ static int der2key_decode(void *vctx, OSSL_CORE_BIO *cin,
     long new_der_len;
     EVP_PKEY *pkey = NULL;
     void *key = NULL;
-    int ok = 0;
+    int err, ok = 0;
 
+    ERR_set_mark();
     if (!read_der(ctx->provctx, cin, &der, &der_len))
-        return 0;
+        goto err;
 
     /*
      * Opportunistic attempt to decrypt.  If it doesn't work, we try to
@@ -192,6 +193,18 @@ static int der2key_decode(void *vctx, OSSL_CORE_BIO *cin,
         derp = der;
         pkey = d2i_KeyParams(ctx->desc->type, NULL, &derp, der_len);
     }
+ err:
+    /*
+     * Prune low-level ASN.1 parse errors from error queue, assuming that
+     * this is called by decoder_process() in a loop trying several formats.
+     */
+    err = ERR_peek_last_error();
+    if (ERR_GET_LIB(err) == ERR_LIB_ASN1
+            && (ERR_GET_REASON(err) == ASN1_R_HEADER_TOO_LONG
+                || ERR_GET_REASON(err) == ERR_R_NESTED_ASN1_ERROR))
+        ERR_pop_to_mark();
+    else
+        ERR_clear_last_mark();
 
     if (pkey != NULL) {
         /*
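Review bot: the new `err:` label is reached on the success path too (control falls through from the d2i_KeyParams() attempt), so the name suggests an error exit that it is not; `end:` or `next:` would read better. Two smaller points: `int err` stores the unsigned long returned by ERR_peek_last_error(), and the pruning inspects only the topmost queue entry, so if a decoder pushed a non-ASN1 error on top of the ASN.1 noise the whole stack is kept. That is acceptable for a heuristic aimed at decoder_process(), but the comment should state that only the last error is examined.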
diff --git a/providers/implementations/storemgmt/file_store_der2obj.c b/providers/implementations/storemgmt/file_store_der2obj.c
index c7388a9d14..6613c8b5f2 100644
--- a/providers/implementations/storemgmt/file_store_der2obj.c
+++ b/providers/implementations/storemgmt/file_store_der2obj.c
@@ -27,6 +27,8 @@
 #include <openssl/core_object.h>
 #include <openssl/bio.h>
 #include <openssl/buffer.h>
+#include <openssl/err.h>
+#include <openssl/asn1err.h>
 #include <openssl/params.h>
 #include "internal/asn1.h"
 #include "prov/bio.h"
@@ -85,8 +87,21 @@ static int der2obj_decode(void *provctx, OSSL_CORE_BIO *cin,
      */
     BIO *in = (BIO *)cin;
     BUF_MEM *mem = NULL;
-    int ok = (asn1_d2i_read_bio(in, &mem) >= 0);
+    int err, ok;
 
+    ERR_set_mark();
+    ok = (asn1_d2i_read_bio(in, &mem) >= 0);
+    /*
+     * Prune low-level ASN.1 parse errors from error queue, assuming that
+     * this is called by decoder_process() in a loop trying several formats.
+     */
+    err = ERR_peek_last_error();
+    if (ERR_GET_LIB(err) == ERR_LIB_ASN1
+            && (ERR_GET_REASON(err) == ASN1_R_HEADER_TOO_LONG
+                || ERR_GET_REASON(err) == ERR_R_NESTED_ASN1_ERROR))
+        ERR_pop_to_mark();
+    else
+        ERR_clear_last_mark();
     if (ok) {
         OSSL_PARAM params[3];
         int object_type = OSSL_OBJECT_UNKNOWN;
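Review bot: the pruning block (the comment, `err = ERR_peek_last_error();`, the ASN1_R_HEADER_TOO_LONG / ERR_R_NESTED_ASN1_ERROR test and the ERR_pop_to_mark()/ERR_clear_last_mark() branches) is copied verbatim from der2key_decode() in decode_der2key.c. Factor it into a single helper in the providers' common code so the list of prunable ASN.1 reason codes cannot drift between the two decoders; the `int err` type issue noted for the other copy applies here as well.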
diff --git a/test/recipes/25-test_x509.t b/test/recipes/25-test_x509.t
index 3cfcb2290c..4b37ee6464 100644
--- a/test/recipes/25-test_x509.t
+++ b/test/recipes/25-test_x509.t
@@ -16,7 +16,7 @@ use OpenSSL::Test qw/:DEFAULT srctop_file/;
 
 setup("test_x509");
 
-plan tests => 12;
+plan tests => 14;
 
 require_ok(srctop_file('test','recipes','tconversion.pl'));
 
@@ -100,3 +100,27 @@ sub has_doctor_id {
     close(DATA);
     return m/2.16.528.1.1003.1.3.5.5.2-1-0000006666-Z-12345678-01.015-12345678/;
 }
+
+sub test_errors { # actually tests diagnostics of OSSL_STORE
+    my ($expected, $cert, @opts) = @_;
+    my $infile = srctop_file('test', 'certs', $cert);
+    my @args = qw(openssl x509 -in);
+    push(@args, "$infile", @opts);
+    my $tmpfile = 'out.txt';
+    my $res = !run(app([@args], stderr => $tmpfile));
+    my $found = 0;
+    open(my $in, '<', $tmpfile) or die "Could not open file $tmpfile";
+    while(<$in>) {
+        print; # this may help debugging
+        $res &&= !m/asn1 encoding/; # output must not include ASN.1 parse errors
+        $found = 1 if m/$expected/; # output must include $expected
+    }
+    close $in;
+    unlink $tmpfile;
+    return $res && $found;
+}
+
+ok(test_errors("Can't open any-dir/", "root-cert.pem", '-out', 'any-dir/'),
+   "load root-cert errors");
+ok(test_errors("RC2-40-CBC", "v3-certs-RC2.p12", '-passin', 'pass:v3-certs'),
+   "load v3-certs-RC2 no asn1 errors");
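Review bot: test_errors() writes stderr to the fixed name 'out.txt' in the working directory and the first expectation, "Can't open any-dir/", is the wording of a platform-specific open failure; on Windows or VMS the message for writing to a directory path may differ, so that ok() needs a platform guard or a looser pattern. Minor points: `print;` dumps every captured stderr line into the test log unconditionally, `while(<$in>)` lacks the usual space after `while`, and the comment itself says the function tests OSSL_STORE diagnostics, which raises the question whether 25-test_x509.t is the right recipe for it.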
diff --git a/util/perl/OpenSSL/Test.pm b/util/perl/OpenSSL/Test.pm
index b40283fe34..c44eca301c 100644
--- a/util/perl/OpenSSL/Test.pm
+++ b/util/perl/OpenSSL/Test.pm
@@ -221,7 +221,8 @@ used (currently only on Unix).
 
 It returns a CODEREF to be used by C<run>, C<pipe> or C<cmdstr>.
 
-The options that C<cmd> can take are in the form of hash values:
+The options that C<cmd> (as well as its derivatives described below) can take
+are in the form of hash values:
 
 =over 4
 
@@ -389,7 +390,7 @@ derivatives, anything else will most likely cause an error unless you
 know what you're doing.
 
 C<run> executes the command returned by CODEREF and return either the
-resulting output (if the option C<capture> is set true) or a boolean
+resulting standard output (if the option C<capture> is set true) or a boolean
 indicating if the command succeeded or not.
 
 The options that C<run> can take are in the form of hash values:
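Review bot: the sentence being edited still reads "C<run> executes the command returned by CODEREF and return either the resulting standard output ..."; since the line is touched anyway, fix the verb agreement to "and returns either".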
@@ -398,10 +399,10 @@ The options that C<run> can take are in the form of hash values:
 
 =item B<capture =E<gt> 0|1>
 
-If true, the command will be executed with a perl backtick, and C<run> will
-return the resulting output as an array of lines.  If false or not given,
-the command will be executed with C<system()>, and C<run> will return 1 if
-the command was successful or 0 if it wasn't.
+If true, the command will be executed with a perl backtick,
+and C<run> will return the resulting standard output as an array of lines.
+If false or not given, the command will be executed with C<system()>,
+and C<run> will return 1 if the command was successful or 0 if it wasn't.
 
 =item B<prefix =E<gt> EXPR>
 
@@ -417,6 +418,7 @@ particularly useful together with B<capture>.
 
 =back
 
+Usually 1 indicates that the command was successful and 0 indicates failure.
 For further discussion on what is considered a successful command or not, see
 the function C<with> further down.
 

