[openssl] master update

dev at ddvo.net dev at ddvo.net
Tue Apr 20 08:47:42 UTC 2021


The branch master has been updated
       via  1c0eede9827b0962f1d752fa4ab5d436fa039da4 (commit)
      from  a78c7c0bfe56d67022ca18cfabefc73926dde0ae (commit)


- Log -----------------------------------------------------------------
commit 1c0eede9827b0962f1d752fa4ab5d436fa039da4
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date:   Mon Dec 28 21:33:09 2020 +0100

    Improve ossl_cmp_build_cert_chain(); publish it as X509_build_chain()
    
    Reviewed-by: Tomas Mraz <tomas at openssl.org>
    (Merged from https://github.com/openssl/openssl/pull/14128)

-----------------------------------------------------------------------

Summary of changes:
 crypto/cmp/cmp_client.c                    |  5 +--
 crypto/cmp/cmp_ctx.c                       |  4 +-
 crypto/cmp/cmp_local.h                     |  4 --
 crypto/cmp/cmp_protect.c                   |  5 +--
 crypto/cmp/cmp_util.c                      | 61 ------------------------------
 crypto/x509/x509_vfy.c                     | 42 ++++++++++++++++++++
 crypto/x509/x_x509.c                       |  2 +-
 doc/internal/man3/ossl_cmp_msg_protect.pod | 20 ----------
 doc/man3/X509_verify_cert.pod              | 27 +++++++++++--
 include/openssl/x509_vfy.h.in              |  3 ++
 test/cmp_ctx_test.c                        |  1 -
 test/cmp_protect_test.c                    | 39 ++++++++++++++++---
 test/verify_extra_test.c                   |  3 +-
 util/libcrypto.num                         |  1 +
 14 files changed, 112 insertions(+), 105 deletions(-)

diff --git a/crypto/cmp/cmp_client.c b/crypto/cmp/cmp_client.c
index 728ec21968..54c8f5094b 100644
--- a/crypto/cmp/cmp_client.c
+++ b/crypto/cmp/cmp_client.c
@@ -496,9 +496,8 @@ int OSSL_CMP_certConf_cb(OSSL_CMP_CTX *ctx, X509 *cert, int fail_info,
         return fail_info;
 
     ossl_cmp_debug(ctx, "trying to build chain for newly enrolled cert");
-    chain = ossl_cmp_build_cert_chain(ctx->libctx, ctx->propq,
-                                      out_trusted /* may be NULL */,
-                                      ctx->untrusted, cert);
+    chain = X509_build_chain(cert, ctx->untrusted, out_trusted /* maybe NULL */,
+                             0, ctx->libctx, ctx->propq);
     if (sk_X509_num(chain) > 0)
         X509_free(sk_X509_shift(chain)); /* remove leaf (EE) cert */
     if (out_trusted != NULL) {
diff --git a/crypto/cmp/cmp_ctx.c b/crypto/cmp/cmp_ctx.c
index 110361320d..7e7af63b4a 100644
--- a/crypto/cmp/cmp_ctx.c
+++ b/crypto/cmp/cmp_ctx.c
@@ -735,8 +735,8 @@ int OSSL_CMP_CTX_build_cert_chain(OSSL_CMP_CTX *ctx, X509_STORE *own_trusted,
         return 0;
 
     ossl_cmp_debug(ctx, "trying to build chain for own CMP signer cert");
-    chain = ossl_cmp_build_cert_chain(ctx->libctx, ctx->propq, own_trusted,
-                                      ctx->untrusted, ctx->cert);
+    chain = X509_build_chain(ctx->cert, ctx->untrusted, own_trusted, 0,
+                             ctx->libctx, ctx->propq);
     if (chain == NULL) {
         ERR_raise(ERR_LIB_CMP, CMP_R_FAILED_BUILDING_OWN_CHAIN);
         return 0;
diff --git a/crypto/cmp/cmp_local.h b/crypto/cmp/cmp_local.h
index 1ec16d4b2b..b2a3382079 100644
--- a/crypto/cmp/cmp_local.h
+++ b/crypto/cmp/cmp_local.h
@@ -749,10 +749,6 @@ int ossl_cmp_asn1_octet_string_set1(ASN1_OCTET_STRING **tgt,
                                     const ASN1_OCTET_STRING *src);
 int ossl_cmp_asn1_octet_string_set1_bytes(ASN1_OCTET_STRING **tgt,
                                           const unsigned char *bytes, int len);
-STACK_OF(X509)
-    *ossl_cmp_build_cert_chain(OSSL_LIB_CTX *libctx, const char *propq,
-                               X509_STORE *store,
-                               STACK_OF(X509) *certs, X509 *cert);
 
 /* from cmp_ctx.c */
 int ossl_cmp_print_log(OSSL_CMP_severity level, const OSSL_CMP_CTX *ctx,
diff --git a/crypto/cmp/cmp_protect.c b/crypto/cmp/cmp_protect.c
index 45bea73d13..36a6597145 100644
--- a/crypto/cmp/cmp_protect.c
+++ b/crypto/cmp/cmp_protect.c
@@ -144,9 +144,8 @@ int ossl_cmp_msg_add_extraCerts(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg)
         if (ctx->chain == NULL) {
             ossl_cmp_debug(ctx,
                            "trying to build chain for own CMP signer cert");
-            ctx->chain =
-                ossl_cmp_build_cert_chain(ctx->libctx, ctx->propq, NULL,
-                                          ctx->untrusted, ctx->cert);
+            ctx->chain = X509_build_chain(ctx->cert, ctx->untrusted, NULL, 0,
+                                          ctx->libctx, ctx->propq);
             if (ctx->chain != NULL) {
                 ossl_cmp_debug(ctx,
                                "success building chain for own CMP signer cert");
diff --git a/crypto/cmp/cmp_util.c b/crypto/cmp/cmp_util.c
index 56f2b0eeb8..fbb8d1e249 100644
--- a/crypto/cmp/cmp_util.c
+++ b/crypto/cmp/cmp_util.c
@@ -220,67 +220,6 @@ int ossl_cmp_X509_STORE_add1_certs(X509_STORE *store, STACK_OF(X509) *certs,
     return 1;
 }
 
-/*-
- * Builds a certificate chain starting from <cert>
- * using the optional list of intermediate CA certificates <certs>.
- * If <store> is NULL builds the chain as far down as possible, ignoring errors.
- * Else the chain must reach a trust anchor contained in <store>.
- *
- * Returns NULL on error, else a pointer to a stack of (up_ref'ed) certificates
- * starting with given EE certificate and followed by all available intermediate
- * certificates down towards any trust anchor but without including the latter.
- *
- * NOTE: If a non-NULL stack is returned the caller is responsible for freeing.
- * NOTE: In case there is more than one possibility for the chain,
- * OpenSSL seems to take the first one; check X509_verify_cert() for details.
- */
-/* TODO this should be of more general interest and thus be exported. */
-STACK_OF(X509)
-    *ossl_cmp_build_cert_chain(OSSL_LIB_CTX *libctx, const char *propq,
-                               X509_STORE *store,
-                               STACK_OF(X509) *certs, X509 *cert)
-{
-    STACK_OF(X509) *chain = NULL, *result = NULL;
-    X509_STORE *ts = store == NULL ? X509_STORE_new() : store;
-    X509_STORE_CTX *csc = NULL;
-
-    if (ts == NULL || cert == NULL) {
-        ERR_raise(ERR_LIB_CMP, CMP_R_NULL_ARGUMENT);
-        goto err;
-    }
-
-    if ((csc = X509_STORE_CTX_new_ex(libctx, propq)) == NULL)
-        goto err;
-    if (store == NULL && certs != NULL
-            && !ossl_cmp_X509_STORE_add1_certs(ts, certs, 0))
-        goto err;
-    if (!X509_STORE_CTX_init(csc, ts, cert,
-                             store == NULL ? NULL : certs))
-        goto err;
-    /* disable any cert status/revocation checking etc. */
-    X509_VERIFY_PARAM_clear_flags(X509_STORE_CTX_get0_param(csc),
-                                  ~(X509_V_FLAG_USE_CHECK_TIME
-                                    | X509_V_FLAG_NO_CHECK_TIME));
-
-    if (X509_verify_cert(csc) <= 0 && store != NULL)
-        goto err;
-    chain = X509_STORE_CTX_get0_chain(csc);
-
-    /* result list to store the up_ref'ed not self-signed certificates */
-    if (!ossl_x509_add_certs_new(&result, chain,
-                                 X509_ADD_FLAG_UP_REF | X509_ADD_FLAG_NO_DUP
-                                 | X509_ADD_FLAG_NO_SS)) {
-        sk_X509_free(result);
-        result = NULL;
-    }
-
- err:
-    if (store == NULL)
-        X509_STORE_free(ts);
-    X509_STORE_CTX_free(csc);
-    return result;
-}
-
 int ossl_cmp_sk_ASN1_UTF8STRING_push_str(STACK_OF(ASN1_UTF8STRING) *sk,
                                          const char *text)
 {
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 01871b9090..cb541084df 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -3322,6 +3322,48 @@ static int build_chain(X509_STORE_CTX *ctx)
     return -1;
 }
 
+STACK_OF(X509) *X509_build_chain(X509 *target, STACK_OF(X509) *certs,
+                                 X509_STORE *store, int with_self_signed,
+                                 OSSL_LIB_CTX *libctx, const char *propq)
+{
+    int finish_chain = store != NULL;
+    X509_STORE_CTX *ctx;
+    int flags = X509_ADD_FLAG_UP_REF;
+    STACK_OF(X509) *result = NULL;
+
+    if (target == NULL) {
+        ERR_raise(ERR_LIB_X509, ERR_R_PASSED_NULL_PARAMETER);
+        return NULL;
+    }
+
+    if ((ctx = X509_STORE_CTX_new_ex(libctx, propq)) == NULL)
+        return NULL;
+    if (!X509_STORE_CTX_init(ctx, store, target, finish_chain ? certs : NULL))
+        goto err;
+    if (!finish_chain)
+        X509_STORE_CTX_set0_trusted_stack(ctx, certs);
+    if (!ossl_x509_add_cert_new(&ctx->chain, target, X509_ADD_FLAG_UP_REF)) {
+        ctx->error = X509_V_ERR_OUT_OF_MEM;
+        goto err;
+    }
+    ctx->num_untrusted = 1;
+
+    if (!build_chain(ctx) && finish_chain)
+        goto err;
+
+    /* result list to store the up_ref'ed certificates */
+    if (sk_X509_num(ctx->chain) > 1 && !with_self_signed)
+        flags |= X509_ADD_FLAG_NO_SS;
+    if (!ossl_x509_add_certs_new(&result, ctx->chain, flags)) {
+        sk_X509_free(result);
+        result = NULL;
+    }
+
+ err:
+    X509_STORE_CTX_free(ctx);
+    return result;
+}
+
 static const int minbits_table[] = { 80, 112, 128, 192, 256 };
 static const int NUM_AUTH_LEVELS = OSSL_NELEM(minbits_table);
 
diff --git a/crypto/x509/x_x509.c b/crypto/x509/x_x509.c
index a4a169a97e..529d701bbb 100644
--- a/crypto/x509/x_x509.c
+++ b/crypto/x509/x_x509.c
@@ -129,7 +129,7 @@ X509 *d2i_X509(X509 **a, const unsigned char **in, long len)
 
     cert = (X509 *)ASN1_item_d2i((ASN1_VALUE **)a, in, len, (X509_it()));
     /* Only cache the extensions if the cert object was passed in */
-    if (cert != NULL && a != NULL) {
+    if (cert != NULL && a != NULL) { /* then cert == *a */
         if (!ossl_x509v3_cache_extensions(cert)) {
             if (free_on_error)
                 X509_free(cert);
diff --git a/doc/internal/man3/ossl_cmp_msg_protect.pod b/doc/internal/man3/ossl_cmp_msg_protect.pod
index 681d572af5..11a7a02901 100644
--- a/doc/internal/man3/ossl_cmp_msg_protect.pod
+++ b/doc/internal/man3/ossl_cmp_msg_protect.pod
@@ -2,7 +2,6 @@
 
 =head1 NAME
 
-ossl_cmp_build_cert_chain,
 ossl_cmp_calc_protection,
 ossl_cmp_msg_protect,
 ossl_cmp_msg_add_extraCerts
@@ -12,10 +11,6 @@ ossl_cmp_msg_add_extraCerts
 
  #include "cmp_local.h"
 
- STACK_OF(X509)
-     *ossl_cmp_build_cert_chain(OSSL_LIB_CTX *libctx, const char *propq,
-                                X509_STORE *store,
-                                STACK_OF(X509) *certs, X509 *cert);
  ASN1_BIT_STRING *ossl_cmp_calc_protection(const OSSL_CMP_CTX *ctx,
                                            const OSSL_CMP_MSG *msg);
  int ossl_cmp_msg_protect(OSSL_CMP_CTX *ctx, OSSL_CMP_MSG *msg);
@@ -23,16 +18,6 @@ ossl_cmp_msg_add_extraCerts
 
 =head1 DESCRIPTION
 
-ossl_cmp_build_cert_chain() builds a certificate chain starting from I<cert>
-using the optional list of intermediate CA certificates I<certs>.
-If I<store> is NULL builds the chain as far down as possible, ignoring errors.
-Else the chain must reach a trust anchor contained in I<store>.
-It internally uses a B<X509_STORE_CTX> structure associated with the library
-context I<libctx> and property query string I<propq>, both of which may be NULL.
-If a non-NULL stack is returned the caller is responsible for freeing it.
-In case there is more than one possibility for the chain,
-OpenSSL seems to take the first one; check L<X509_verify_cert(3)> for details.
-
 ossl_cmp_calc_protection() calculates the protection for the given I<msg>
 according to the algorithm and parameters in the message header's protectionAlg
 using the credentials, library context, and property criteria in the I<ctx>.
@@ -57,11 +42,6 @@ CMP is defined in RFC 4210 (and CRMF in RFC 4211).
 
 =head1 RETURN VALUES
 
-ossl_cmp_build_cert_chain() returns NULL on error,
-else a pointer to a stack of (up_ref'ed) certificates
-starting with given EE certificate and followed by all available intermediate
-certificates down towards (but excluding) any trusted root certificate.
-
 ossl_cmp_calc_protection() returns the protection on success, else NULL.
 
 All other functions return 1 on success, 0 on error.
diff --git a/doc/man3/X509_verify_cert.pod b/doc/man3/X509_verify_cert.pod
index deb6b15869..a14a0b25c4 100644
--- a/doc/man3/X509_verify_cert.pod
+++ b/doc/man3/X509_verify_cert.pod
@@ -2,18 +2,36 @@
 
 =head1 NAME
 
+X509_build_chain,
 X509_verify_cert,
-X509_STORE_CTX_verify - discover and verify X509 certificate chain
+X509_STORE_CTX_verify - build and verify X509 certificate chain
 
 =head1 SYNOPSIS
 
  #include <openssl/x509_vfy.h>
 
+ STACK_OF(X509) *X509_build_chain(X509 *target, STACK_OF(X509) *certs,
+                                  X509_STORE *store, int with_self_signed,
+                                  OSSL_LIB_CTX *libctx, const char *propq);
  int X509_verify_cert(X509_STORE_CTX *ctx);
  int X509_STORE_CTX_verify(X509_STORE_CTX *ctx);
 
 =head1 DESCRIPTION
 
+X509_build_chain() builds a certificate chain starting from I<target>
+using the optional list of intermediate CA certificates I<certs>.
+If I<store> is NULL it builds the chain as far down as possible, ignoring errors.
+Else the chain must reach a trust anchor contained in I<store>.
+It internally uses a B<X509_STORE_CTX> structure associated with the library
+context I<libctx> and property query string I<propq>, both of which may be NULL.
+In case there is more than one possibility for the chain, only one is taken.
+
+On success it returns a pointer to a new stack of (up_ref'ed) certificates
+starting with I<target> and followed by all available intermediate certificates.
+A self-signed trust anchor is included only if I<target> is the trust anchor
+of I<with_self_signed> is 1.
+If a non-NULL stack is returned the caller is responsible for freeing it.
+
 The X509_verify_cert() function attempts to discover and validate a
 certificate chain based on parameters in I<ctx>.
 The verification context, of type B<X509_STORE_CTX>, can be constructed
@@ -45,7 +63,10 @@ in I<ctx> unless a target certificate is set explicitly.
 
 =head1 RETURN VALUES
 
-Both functions return 1 if a complete chain can be built and validated,
+X509_build_chain() returns NULL on error, else a stack of certificates.
+
+Both X509_verify_cert() and X509_STORE_CTX_verify()
+return 1 if a complete chain can be built and validated,
 otherwise they return 0, and in exceptional circumstances (such as malloc
 failure and internal errors) they can also return a negative code.
 
@@ -66,7 +87,7 @@ L<X509_STORE_CTX_get_error(3)>
 
 =head1 HISTORY
 
-X509_STORE_CTX_verify() was added in OpenSSL 3.0.
+X509_build_chain() and X509_STORE_CTX_verify() were added in OpenSSL 3.0.
 
 =head1 COPYRIGHT
 
diff --git a/include/openssl/x509_vfy.h.in b/include/openssl/x509_vfy.h.in
index 662a8b6ab8..126c1d658a 100644
--- a/include/openssl/x509_vfy.h.in
+++ b/include/openssl/x509_vfy.h.in
@@ -72,6 +72,9 @@ typedef enum {
     .generate_stack_macros("X509_VERIFY_PARAM");
 -}
 
+STACK_OF(X509) *X509_build_chain(X509 *target, STACK_OF(X509) *certs,
+                                 X509_STORE *store, int with_self_signed,
+                                 OSSL_LIB_CTX *libctx, const char *propq);
 int X509_verify_cert(X509_STORE_CTX *ctx);
 int X509_STORE_CTX_verify(X509_STORE_CTX *ctx);
 
diff --git a/test/cmp_ctx_test.c b/test/cmp_ctx_test.c
index 96b0f1b511..2ca2c26dd5 100644
--- a/test/cmp_ctx_test.c
+++ b/test/cmp_ctx_test.c
@@ -874,6 +874,5 @@ int setup_tests(void)
     ADD_TEST(test_CTX_set1_get0_transactionID);
     ADD_TEST(test_CTX_set1_get0_senderNonce);
     ADD_TEST(test_CTX_set1_get0_recipNonce);
-    /* ossl_cmp_build_cert_chain() is tested in cmp_protect.c */
     return 1;
 }
diff --git a/test/cmp_protect_test.c b/test/cmp_protect_test.c
index 543ff10dca..5fafb69475 100644
--- a/test/cmp_protect_test.c
+++ b/test/cmp_protect_test.c
@@ -27,6 +27,7 @@ typedef struct test_fixture {
     X509 *cert;
     STACK_OF(X509) *certs;
     STACK_OF(X509) *chain;
+    int with_ss;
     int callback_arg;
     int expected;
 } CMP_PROTECT_TEST_FIXTURE;
@@ -333,8 +334,8 @@ static int execute_cmp_build_cert_chain_test(CMP_PROTECT_TEST_FIXTURE *fixture)
     OSSL_CMP_CTX *ctx = fixture->cmp_ctx;
     X509_STORE *store;
     STACK_OF(X509) *chain =
-        ossl_cmp_build_cert_chain(ctx->libctx, ctx->propq, NULL,
-                                  fixture->certs, fixture->cert);
+        X509_build_chain(fixture->cert, fixture->certs, NULL,
+                         fixture->with_ss, ctx->libctx, ctx->propq);
 
     if (TEST_ptr(chain)) {
         /* Check whether chain built is equal to the expected one */
@@ -348,8 +349,8 @@ static int execute_cmp_build_cert_chain_test(CMP_PROTECT_TEST_FIXTURE *fixture)
             && TEST_true(X509_STORE_add_cert(store, root))) {
         X509_VERIFY_PARAM_set_flags(X509_STORE_get0_param(store),
                                     X509_V_FLAG_NO_CHECK_TIME);
-        chain = ossl_cmp_build_cert_chain(ctx->libctx, ctx->propq,
-                                          store, fixture->certs, fixture->cert);
+        chain = X509_build_chain(fixture->cert, fixture->certs, store,
+                                 fixture->with_ss, ctx->libctx, ctx->propq);
         ret = TEST_int_eq(fixture->expected, chain != NULL);
         if (ret && chain != NULL) {
             /* Check whether chain built is equal to the expected one */
@@ -365,6 +366,7 @@ static int test_cmp_build_cert_chain(void)
 {
     SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up);
     fixture->expected = 1;
+    fixture->with_ss = 0;
     fixture->cert = endentity2;
     if (!TEST_ptr(fixture->certs = sk_X509_new_null())
             || !TEST_ptr(fixture->chain = sk_X509_new_null())
@@ -376,7 +378,13 @@ static int test_cmp_build_cert_chain(void)
         tear_down(fixture);
         fixture = NULL;
     }
-    EXECUTE_TEST(execute_cmp_build_cert_chain_test, tear_down);
+    if (fixture != NULL) {
+        result = execute_cmp_build_cert_chain_test(fixture);
+        fixture->with_ss = 1;
+        if (result && TEST_true(sk_X509_push(fixture->chain, root)))
+            result = execute_cmp_build_cert_chain_test(fixture);
+    }
+    tear_down(fixture);
     return result;
 }
 
@@ -384,6 +392,7 @@ static int test_cmp_build_cert_chain_missing_intermediate(void)
 {
     SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up);
     fixture->expected = 0;
+    fixture->with_ss = 0;
     fixture->cert = endentity2;
     if (!TEST_ptr(fixture->certs = sk_X509_new_null())
             || !TEST_ptr(fixture->chain = sk_X509_new_null())
@@ -401,6 +410,7 @@ static int test_cmp_build_cert_chain_no_root(void)
 {
     SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up);
     fixture->expected = 1;
+    fixture->with_ss = 0;
     fixture->cert = endentity2;
     if (!TEST_ptr(fixture->certs = sk_X509_new_null())
             || !TEST_ptr(fixture->chain = sk_X509_new_null())
@@ -415,10 +425,28 @@ static int test_cmp_build_cert_chain_no_root(void)
     return result;
 }
 
+static int test_cmp_build_cert_chain_only_root(void)
+{
+    SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up);
+    fixture->expected = 1;
+    fixture->with_ss = 0; /* still chain must include the only cert (root) */
+    fixture->cert = root;
+    if (!TEST_ptr(fixture->certs = sk_X509_new_null())
+            || !TEST_ptr(fixture->chain = sk_X509_new_null())
+            || !TEST_true(sk_X509_push(fixture->certs, root))
+            || !TEST_true(sk_X509_push(fixture->chain, root))) {
+        tear_down(fixture);
+        fixture = NULL;
+    }
+    EXECUTE_TEST(execute_cmp_build_cert_chain_test, tear_down);
+    return result;
+}
+
 static int test_cmp_build_cert_chain_no_certs(void)
 {
     SETUP_TEST_FIXTURE(CMP_PROTECT_TEST_FIXTURE, set_up);
     fixture->expected = 0;
+    fixture->with_ss = 0;
     fixture->cert = endentity2;
     if (!TEST_ptr(fixture->certs = sk_X509_new_null())
             || !TEST_ptr(fixture->chain = sk_X509_new_null())
@@ -576,6 +604,7 @@ int setup_tests(void)
 
 #ifndef OPENSSL_NO_EC
     ADD_TEST(test_cmp_build_cert_chain);
+    ADD_TEST(test_cmp_build_cert_chain_only_root);
     ADD_TEST(test_cmp_build_cert_chain_no_root);
     ADD_TEST(test_cmp_build_cert_chain_missing_intermediate);
     ADD_TEST(test_cmp_build_cert_chain_no_certs);
diff --git a/test/verify_extra_test.c b/test/verify_extra_test.c
index 758a1a4971..6ab779671f 100644
--- a/test/verify_extra_test.c
+++ b/test/verify_extra_test.c
@@ -177,12 +177,11 @@ static int test_req_distinguishing_id(void)
 
 static int test_self_signed(const char *filename, int use_trusted, int expected)
 {
-    X509 *cert;
+    X509 *cert = load_cert_from_file(filename); /* may result in NULL */
     STACK_OF(X509) *trusted = sk_X509_new_null();
     X509_STORE_CTX *ctx = X509_STORE_CTX_new();
     int ret;
 
-    cert = load_cert_from_file(filename); /* may result in NULL */
     ret = TEST_int_eq(X509_self_signed(cert, 1), expected);
 
     if (cert != NULL) {
diff --git a/util/libcrypto.num b/util/libcrypto.num
index a059aecd5e..9237bdcd4b 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -5097,6 +5097,7 @@ X509_STORE_load_file_ex                 ?	3_0_0	EXIST::FUNCTION:
 X509_STORE_load_store_ex                ?	3_0_0	EXIST::FUNCTION:
 X509_STORE_load_locations_ex            ?	3_0_0	EXIST::FUNCTION:
 X509_STORE_set_default_paths_ex         ?	3_0_0	EXIST::FUNCTION:
+X509_build_chain                        ?	3_0_0	EXIST::FUNCTION:
 X509V3_set_issuer_pkey                  ?	3_0_0	EXIST::FUNCTION:
 i2s_ASN1_UTF8STRING                     ?	3_0_0	EXIST::FUNCTION:
 s2i_ASN1_UTF8STRING                     ?	3_0_0	EXIST::FUNCTION:


More information about the openssl-commits mailing list