[openssl] master update
dev at ddvo.net
dev at ddvo.net
Wed Jan 13 08:10:29 UTC 2021
The branch master has been updated
via 4dd009180a06ad973620c5beec28f2a6839c16ca (commit)
via 0cbb3602f542bb670d8f2f8d8d51ef8174af4994 (commit)
via 0b7368dda011611855c66543f0b9c66b5bd646d1 (commit)
via bf973d0697e61a44dc46d08b0421a08a8cb61887 (commit)
from 5a2d0ef36f4c130758a9d5e84f93004458e3ce60 (commit)
- Log -----------------------------------------------------------------
commit 4dd009180a06ad973620c5beec28f2a6839c16ca
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Mon Dec 28 11:25:59 2020 +0100
x509_vfy.c: Fix a regression in find_issuer()
...in case the candidate issuer cert is identical to the target cert.
This is the v3.0.0 variant of #13749 fixing #13739 for v1.1.1.
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13762)
commit 0cbb3602f542bb670d8f2f8d8d51ef8174af4994
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Tue Dec 29 12:37:05 2020 +0100
Make PEM_X509_INFO_read_bio_ex() conservative on the error queue
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13762)
commit 0b7368dda011611855c66543f0b9c66b5bd646d1
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Mon Dec 28 19:45:01 2020 +0100
TEST: move cert, key, and CSR loading aux functions to new testutil/load.c
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13762)
commit bf973d0697e61a44dc46d08b0421a08a8cb61887
Author: Dr. David von Oheimb <David.von.Oheimb at siemens.com>
Date: Mon Dec 28 11:27:31 2020 +0100
Add X509_NAME_hash_ex() to be able to check if it failed due to unsupported SHA1
Deprecate X509_NAME_hash()
Document X509_NAME_hash_ex(), X509_NAME_hash(), X509_{subject,issuer}_name_hash()
Reviewed-by: Tomas Mraz <tmraz at fedoraproject.org>
(Merged from https://github.com/openssl/openssl/pull/13762)
-----------------------------------------------------------------------
Summary of changes:
apps/crl.c | 17 +++-
apps/rehash.c | 19 +++-
crypto/pem/pem_info.c | 13 ++-
crypto/x509/by_dir.c | 5 +-
crypto/x509/x509_cmp.c | 27 +++---
crypto/x509/x509_vfy.c | 19 ++--
doc/man3/X509_LOOKUP_hash_dir.pod | 4 +-
doc/man3/X509_get_subject_name.pod | 58 +++++++++---
engines/e_loader_attic.c | 3 +-
include/openssl/x509.h.in | 6 +-
providers/implementations/storemgmt/file_store.c | 7 +-
ssl/ssl_cert.c | 3 +-
test/build.info | 2 +-
test/cmp_client_test.c | 10 +-
test/cmp_msg_test.c | 10 +-
test/cmp_protect_test.c | 14 +--
test/cmp_vfy_test.c | 16 ++--
test/helpers/cmp_testlib.c | 42 ---------
test/helpers/cmp_testlib.h | 3 -
test/helpers/pkcs12.c | 16 ++--
test/http_test.c | 16 +---
test/testutil.h | 7 ++
test/testutil/load.c | 97 +++++++++++++++++++
test/verify_extra_test.c | 113 ++++++-----------------
util/find-doc-nits | 2 +-
util/libcrypto.num | 2 +-
util/missingcrypto.txt | 1 -
util/other.syms | 1 +
28 files changed, 296 insertions(+), 237 deletions(-)
create mode 100644 test/testutil/load.c
diff --git a/apps/crl.c b/apps/crl.c
index 0daded01e3..58d63e71d5 100644
--- a/apps/crl.c
+++ b/apps/crl.c
@@ -287,22 +287,33 @@ int crl_main(int argc, char **argv)
}
if (crlnumber == i) {
ASN1_INTEGER *crlnum;
+
crlnum = X509_CRL_get_ext_d2i(x, NID_crl_number, NULL, NULL);
BIO_printf(bio_out, "crlNumber=");
if (crlnum) {
BIO_puts(bio_out, "0x");
i2a_ASN1_INTEGER(bio_out, crlnum);
ASN1_INTEGER_free(crlnum);
- } else
+ } else {
BIO_puts(bio_out, "<NONE>");
+ }
BIO_printf(bio_out, "\n");
}
if (hash == i) {
- BIO_printf(bio_out, "%08lx\n",
- X509_NAME_hash(X509_CRL_get_issuer(x)));
+ int ok;
+ unsigned long hash_value =
+ X509_NAME_hash_ex(X509_CRL_get_issuer(x), app_get0_libctx(),
+ app_get0_propq(), &ok);
+
+ BIO_printf(bio_out, "issuer name hash=");
+ if (ok)
+ BIO_printf(bio_out, "%08lx\n", hash_value);
+ else
+ BIO_puts(bio_out, "<ERROR>");
}
#ifndef OPENSSL_NO_MD5
if (hash_old == i) {
+ BIO_printf(bio_out, "issuer name old hash=");
BIO_printf(bio_out, "%08lx\n",
X509_NAME_hash_old(X509_CRL_get_issuer(x)));
}
diff --git a/apps/rehash.c b/apps/rehash.c
index 2b867d43cc..29dc76bc38 100644
--- a/apps/rehash.c
+++ b/apps/rehash.c
@@ -291,10 +291,23 @@ static int do_file(const char *filename, const char *fullpath, enum Hash h)
goto end;
}
if (name != NULL) {
- if ((h == HASH_NEW) || (h == HASH_BOTH))
- errs += add_entry(type, X509_NAME_hash(name), filename, digest, 1, ~0);
+ if (h == HASH_NEW || h == HASH_BOTH) {
+ int ok;
+ unsigned long hash_value =
+ X509_NAME_hash_ex(name,
+ app_get0_libctx(), app_get0_propq(), &ok);
+
+ if (ok) {
+ errs += add_entry(type, hash_value, filename, digest, 1, ~0);
+ } else {
+ BIO_printf(bio_err, "%s: error calculating SHA1 hash value\n",
+ opt_getprog());
+ errs++;
+ }
+ }
if ((h == HASH_OLD) || (h == HASH_BOTH))
- errs += add_entry(type, X509_NAME_hash_old(name), filename, digest, 1, ~0);
+ errs += add_entry(type, X509_NAME_hash_old(name),
+ filename, digest, 1, ~0);
}
end:
diff --git a/crypto/pem/pem_info.c b/crypto/pem/pem_info.c
index 3911fdc5ee..3eda164121 100644
--- a/crypto/pem/pem_info.c
+++ b/crypto/pem/pem_info.c
@@ -48,10 +48,10 @@ STACK_OF(X509_INFO) *PEM_X509_INFO_read(FILE *fp, STACK_OF(X509_INFO) *sk,
}
#endif
-STACK_OF(X509_INFO)
-*PEM_X509_INFO_read_bio_ex(BIO *bp, STACK_OF(X509_INFO) *sk,
- pem_password_cb *cb, void *u, OSSL_LIB_CTX *libctx,
- const char *propq)
+STACK_OF(X509_INFO) *PEM_X509_INFO_read_bio_ex(BIO *bp, STACK_OF(X509_INFO) *sk,
+ pem_password_cb *cb, void *u,
+ OSSL_LIB_CTX *libctx,
+ const char *propq)
{
X509_INFO *xi = NULL;
char *name = NULL, *header = NULL;
@@ -77,15 +77,18 @@ STACK_OF(X509_INFO)
for (;;) {
raw = 0;
ptype = 0;
+ ERR_set_mark();
i = PEM_read_bio(bp, &name, &header, &data, &len);
if (i == 0) {
error = ERR_GET_REASON(ERR_peek_last_error());
if (error == PEM_R_NO_START_LINE) {
- ERR_clear_error();
+ ERR_pop_to_mark();
break;
}
+ ERR_clear_last_mark();
goto err;
}
+ ERR_clear_last_mark();
start:
if ((strcmp(name, PEM_STRING_X509) == 0) ||
(strcmp(name, PEM_STRING_X509_OLD) == 0)) {
diff --git a/crypto/x509/by_dir.c b/crypto/x509/by_dir.c
index 965625973c..ff1c875b4d 100644
--- a/crypto/x509/by_dir.c
+++ b/crypto/x509/by_dir.c
@@ -252,8 +252,9 @@ static int get_cert_by_subject_ex(X509_LOOKUP *xl, X509_LOOKUP_TYPE type,
}
ctx = (BY_DIR *)xl->method_data;
-
- h = X509_NAME_hash(name);
+ h = X509_NAME_hash_ex(name, libctx, propq, &i);
+ if (i == 0)
+ goto finish;
for (i = 0; i < sk_BY_DIR_ENTRY_num(ctx->dirs); i++) {
BY_DIR_ENTRY *ent;
int idx;
diff --git a/crypto/x509/x509_cmp.c b/crypto/x509/x509_cmp.c
index 9c968b49b0..1231fb4be1 100644
--- a/crypto/x509/x509_cmp.c
+++ b/crypto/x509/x509_cmp.c
@@ -93,7 +93,7 @@ X509_NAME *X509_get_issuer_name(const X509 *a)
unsigned long X509_issuer_name_hash(X509 *x)
{
- return X509_NAME_hash(x->cert_info.issuer);
+ return X509_NAME_hash_ex(x->cert_info.issuer, NULL, NULL, NULL);
}
#ifndef OPENSSL_NO_MD5
@@ -120,7 +120,7 @@ const ASN1_INTEGER *X509_get0_serialNumber(const X509 *a)
unsigned long X509_subject_name_hash(X509 *x)
{
- return X509_NAME_hash(x->cert_info.subject);
+ return X509_NAME_hash_ex(x->cert_info.subject, NULL, NULL, NULL);
}
#ifndef OPENSSL_NO_MD5
@@ -250,20 +250,26 @@ int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b)
return ret < 0 ? -1 : ret > 0;
}
-unsigned long X509_NAME_hash(const X509_NAME *x)
+unsigned long X509_NAME_hash_ex(const X509_NAME *x, OSSL_LIB_CTX *libctx,
+ const char *propq, int *ok)
{
unsigned long ret = 0;
unsigned char md[SHA_DIGEST_LENGTH];
+ EVP_MD *sha1 = EVP_MD_fetch(libctx, "SHA1", propq);
/* Make sure X509_NAME structure contains valid cached encoding */
i2d_X509_NAME(x, NULL);
- if (!EVP_Digest(x->canon_enc, x->canon_enclen, md, NULL, EVP_sha1(),
- NULL))
- return 0;
-
- ret = (((unsigned long)md[0]) | ((unsigned long)md[1] << 8L) |
- ((unsigned long)md[2] << 16L) | ((unsigned long)md[3] << 24L)
- ) & 0xffffffffL;
+ if (ok != NULL)
+ *ok = 0;
+ if (sha1 != NULL
+ && EVP_Digest(x->canon_enc, x->canon_enclen, md, NULL, sha1, NULL)) {
+ ret = (((unsigned long)md[0]) | ((unsigned long)md[1] << 8L) |
+ ((unsigned long)md[2] << 16L) | ((unsigned long)md[3] << 24L)
+ ) & 0xffffffffL;
+ if (ok != NULL)
+ *ok = 1;
+ }
+ EVP_MD_free(sha1);
return ret;
}
@@ -272,7 +278,6 @@ unsigned long X509_NAME_hash(const X509_NAME *x)
* I now DER encode the name and hash it. Since I cache the DER encoding,
* this is reasonably efficient.
*/
-
unsigned long X509_NAME_hash_old(const X509_NAME *x)
{
EVP_MD *md5 = EVP_MD_fetch(NULL, OSSL_DIGEST_NAME_MD5, "-fips");
diff --git a/crypto/x509/x509_vfy.c b/crypto/x509/x509_vfy.c
index 3a5673b307..f5849a5603 100644
--- a/crypto/x509/x509_vfy.c
+++ b/crypto/x509/x509_vfy.c
@@ -136,7 +136,9 @@ static X509 *lookup_cert_match(X509_STORE_CTX *ctx, X509 *x)
X509 *xtmp = NULL;
int i;
/* Lookup all certs with matching subject name */
+ ERR_set_mark();
certs = ctx->lookup_certs(ctx, X509_get_subject_name(x));
+ ERR_pop_to_mark();
if (certs == NULL)
return NULL;
/* Look for exact match */
@@ -314,9 +316,10 @@ static int sk_X509_contains(STACK_OF(X509) *sk, X509 *cert)
}
/*
- * Find in given STACK_OF(X509) sk a non-expired issuer cert (if any) of given cert x.
- * The issuer must not be the same as x and must not yet be in ctx->chain, where the
- * exceptional case x is self-issued and ctx->chain has just one element is allowed.
+ * Find in given STACK_OF(X509) sk an issuer cert of given cert x.
+ * The issuer must not yet be in ctx->chain, where the exceptional case
+ * that x is self-issued and ctx->chain has just one element is allowed.
+ * Prefer the first one that is not expired, else take the last expired one.
*/
static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
{
@@ -325,16 +328,12 @@ static X509 *find_issuer(X509_STORE_CTX *ctx, STACK_OF(X509) *sk, X509 *x)
for (i = 0; i < sk_X509_num(sk); i++) {
issuer = sk_X509_value(sk, i);
- /*
- * Below check 'issuer != x' is an optimization and safety precaution:
- * Candidate issuer cert cannot be the same as the subject cert 'x'.
- */
- if (issuer != x && ctx->check_issued(ctx, x, issuer)
+ if (ctx->check_issued(ctx, x, issuer)
&& (((x->ex_flags & EXFLAG_SI) != 0 && sk_X509_num(ctx->chain) == 1)
|| !sk_X509_contains(ctx->chain, issuer))) {
+ if (x509_check_cert_time(ctx, issuer, -1))
+ return issuer;
rv = issuer;
- if (x509_check_cert_time(ctx, rv, -1))
- break;
}
}
return rv;
diff --git a/doc/man3/X509_LOOKUP_hash_dir.pod b/doc/man3/X509_LOOKUP_hash_dir.pod
index 5a660f100d..282b25807b 100644
--- a/doc/man3/X509_LOOKUP_hash_dir.pod
+++ b/doc/man3/X509_LOOKUP_hash_dir.pod
@@ -87,8 +87,8 @@ the directory.
The directory should contain one certificate or CRL per file in PEM format,
with a filename of the form I<hash>.I<N> for a certificate, or
I<hash>.B<r>I<N> for a CRL.
-The I<hash> is the value returned by the L<X509_NAME_hash(3)> function applied
-to the subject name for certificates or issuer name for CRLs.
+The I<hash> is the value returned by the L<X509_NAME_hash_ex(3)> function
+applied to the subject name for certificates or issuer name for CRLs.
The hash can also be obtained via the B<-hash> option of the
L<openssl-x509(1)> or L<openssl-crl(1)> commands.
diff --git a/doc/man3/X509_get_subject_name.pod b/doc/man3/X509_get_subject_name.pod
index a9c8fb1d87..5a4ff47554 100644
--- a/doc/man3/X509_get_subject_name.pod
+++ b/doc/man3/X509_get_subject_name.pod
@@ -2,20 +2,29 @@
=head1 NAME
-X509_get_subject_name, X509_set_subject_name, X509_get_issuer_name,
-X509_set_issuer_name, X509_REQ_get_subject_name, X509_REQ_set_subject_name,
-X509_CRL_get_issuer, X509_CRL_set_issuer_name - get and set issuer or
-subject names
+X509_NAME_hash_ex, X509_NAME_hash,
+X509_get_subject_name, X509_set_subject_name, X509_subject_name_hash,
+X509_get_issuer_name, X509_set_issuer_name, X509_issuer_name_hash,
+X509_REQ_get_subject_name, X509_REQ_set_subject_name,
+X509_CRL_get_issuer, X509_CRL_set_issuer_name -
+get X509_NAME hashes or get and set issuer or subject names
=head1 SYNOPSIS
#include <openssl/x509.h>
+ unsigned long X509_NAME_hash_ex(const X509_NAME *x, OSSL_LIB_CTX *libctx,
+ const char *propq, int *ok);
+Deprecated since OpenSSL 3.0:
+ #define X509_NAME_hash(x) X509_NAME_hash_ex(x, NULL, NULL, NULL)
+
X509_NAME *X509_get_subject_name(const X509 *x);
int X509_set_subject_name(X509 *x, const X509_NAME *name);
+ unsigned long X509_subject_name_hash(X509 *x);
X509_NAME *X509_get_issuer_name(const X509 *x);
int X509_set_issuer_name(X509 *x, const X509_NAME *name);
+ unsigned long X509_issuer_name_hash(X509 *x);
X509_NAME *X509_REQ_get_subject_name(const X509_REQ *req);
int X509_REQ_set_subject_name(X509_REQ *req, const X509_NAME *name);
@@ -25,16 +34,29 @@ subject names
=head1 DESCRIPTION
-X509_get_subject_name() returns the subject name of certificate B<x>. The
+X509_NAME_hash_ex() returns a hash value of name I<x> or 0 on failure,
+using any given library context I<libctx> and property query I<propq>.
+The I<ok> result argument may be NULL
+or else is used to return 1 for success and 0 for failure.
+Failure may happen on malloc error or if no SHA1 implementation is available.
+
+X509_NAME_hash() returns a hash value of name I<x> or 0 on failure,
+using the default library context and default property query.
+
+X509_get_subject_name() returns the subject name of certificate I<x>. The
returned value is an internal pointer which B<MUST NOT> be freed.
-X509_set_subject_name() sets the issuer name of certificate B<x> to
-B<name>. The B<name> parameter is copied internally and should be freed
+X509_set_subject_name() sets the issuer name of certificate I<x> to
+I<name>. The I<name> parameter is copied internally and should be freed
up when it is no longer needed.
-X509_get_issuer_name() and X509_set_issuer_name() are identical to
-X509_get_subject_name() and X509_set_subject_name() except the get and
-set the issuer name of B<x>.
+X509_subject_name_hash() returns a hash value of the subject name of
+certificate I<x>.
+
+X509_get_issuer_name(), X509_set_issuer_name(), and X509_issuer_name_hash()
+are identical to
+X509_get_subject_name(), X509_set_subject_name(), and X509_subject_name_hash()
+except they relate to the issuer name of I<x>.
Similarly X509_REQ_get_subject_name(), X509_REQ_set_subject_name(),
X509_CRL_get_issuer() and X509_CRL_set_issuer_name() get or set the subject
@@ -45,9 +67,21 @@ or issuer names of certificate requests of CRLs respectively.
X509_get_subject_name(), X509_get_issuer_name(), X509_REQ_get_subject_name()
and X509_CRL_get_issuer() return an B<X509_NAME> pointer.
+X509_NAME_hash_ex(), X509_NAME_hash(),
+X509_subject_name_hash() and X509_issuer_name_hash()
+return the first four bytes of the SHA1 hash value,
+converted to B<unsigned long> in little endian order,
+or 0 on failure.
+
X509_set_subject_name(), X509_set_issuer_name(), X509_REQ_set_subject_name()
and X509_CRL_set_issuer_name() return 1 for success and 0 for failure.
+=head1 BUGS
+
+In case X509_NAME_hash(), X509_subject_name_hash(), or X509_issuer_name_hash()
+returns 0 it remains unclear if this is the real hash value or due to failure.
+Better use X509_NAME_hash_ex() instead.
+
=head1 SEE ALSO
L<d2i_X509(3)>,
@@ -74,9 +108,11 @@ earlier versions.
X509_CRL_get_issuer() is a function in OpenSSL 1.1.0. It was previously
added in OpenSSL 1.0.0 as a macro.
+X509_NAME_hash() was turned into a macro and deprecated in OpenSSL 3.0.
+
=head1 COPYRIGHT
-Copyright 2015-2020 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2015-2021 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the Apache License 2.0 (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/engines/e_loader_attic.c b/engines/e_loader_attic.c
index 586a21df41..0a738b0ff7 100644
--- a/engines/e_loader_attic.c
+++ b/engines/e_loader_attic.c
@@ -1155,7 +1155,8 @@ static int file_find(OSSL_STORE_LOADER_CTX *ctx,
return 0;
}
- hash = X509_NAME_hash(OSSL_STORE_SEARCH_get0_name(search));
+ hash = X509_NAME_hash_ex(OSSL_STORE_SEARCH_get0_name(search),
+ NULL, NULL, NULL);
BIO_snprintf(ctx->_.dir.search_name, sizeof(ctx->_.dir.search_name),
"%08lx", hash);
return 1;
diff --git a/include/openssl/x509.h.in b/include/openssl/x509.h.in
index 825c941aeb..1d9ca63405 100644
--- a/include/openssl/x509.h.in
+++ b/include/openssl/x509.h.in
@@ -824,7 +824,11 @@ int X509_add_certs(STACK_OF(X509) *sk, STACK_OF(X509) *certs, int flags);
int X509_cmp(const X509 *a, const X509 *b);
int X509_NAME_cmp(const X509_NAME *a, const X509_NAME *b);
-unsigned long X509_NAME_hash(const X509_NAME *x);
+#ifndef OPENSSL_NO_DEPRECATED_3_0
+# define X509_NAME_hash(x) X509_NAME_hash_ex(x, NULL, NULL, NULL)
+#endif
+unsigned long X509_NAME_hash_ex(const X509_NAME *x, OSSL_LIB_CTX *libctx,
+ const char *propq, int *ok);
unsigned long X509_NAME_hash_old(const X509_NAME *x);
int X509_CRL_cmp(const X509_CRL *a, const X509_CRL *b);
diff --git a/providers/implementations/storemgmt/file_store.c b/providers/implementations/storemgmt/file_store.c
index 5607f169cc..15af70218c 100644
--- a/providers/implementations/storemgmt/file_store.c
+++ b/providers/implementations/storemgmt/file_store.c
@@ -471,6 +471,7 @@ static int file_set_ctx_params(void *loaderctx, const OSSL_PARAM params[])
size_t der_len = 0;
X509_NAME *x509_name;
unsigned long hash;
+ int ok;
if (ctx->type != IS_DIR) {
ERR_raise(ERR_LIB_PROV,
@@ -481,10 +482,14 @@ static int file_set_ctx_params(void *loaderctx, const OSSL_PARAM params[])
if (!OSSL_PARAM_get_octet_string_ptr(p, (const void **)&der, &der_len)
|| (x509_name = d2i_X509_NAME(NULL, &der, der_len)) == NULL)
return 0;
- hash = X509_NAME_hash(x509_name);
+ hash = X509_NAME_hash_ex(x509_name,
+ ossl_prov_ctx_get0_libctx(ctx->provctx), NULL,
+ &ok);
BIO_snprintf(ctx->_.dir.search_name, sizeof(ctx->_.dir.search_name),
"%08lx", hash);
X509_NAME_free(x509_name);
+ if (ok == 0)
+ return 0;
}
return 1;
}
diff --git a/ssl/ssl_cert.c b/ssl/ssl_cert.c
index 4f085dd7e6..967f004bb0 100644
--- a/ssl/ssl_cert.c
+++ b/ssl/ssl_cert.c
@@ -601,7 +601,8 @@ static int xname_sk_cmp(const X509_NAME *const *a, const X509_NAME *const *b)
static unsigned long xname_hash(const X509_NAME *a)
{
- return X509_NAME_hash((X509_NAME *)a);
+ /* This returns 0 also if SHA1 is not available */
+ return X509_NAME_hash_ex((X509_NAME *)a, NULL, NULL, NULL);
}
STACK_OF(X509_NAME) *SSL_load_client_CA_file_ex(const char *file,
diff --git a/test/build.info b/test/build.info
index 81f9b9cb66..a8f60c385b 100644
--- a/test/build.info
+++ b/test/build.info
@@ -20,7 +20,7 @@ IF[{- !$disabled{tests} -}]
LIBS{noinst,has_main}=libtestutil.a
SOURCE[libtestutil.a]=testutil/basic_output.c testutil/output.c \
testutil/driver.c testutil/tests.c testutil/cb.c testutil/stanza.c \
- testutil/format_output.c \
+ testutil/format_output.c testutil/load.c \
testutil/test_cleanup.c testutil/main.c testutil/testutil_init.c \
testutil/options.c testutil/test_options.c testutil/provider.c \
testutil/apps_mem.c testutil/random.c $LIBAPPSSRC
diff --git a/test/cmp_client_test.c b/test/cmp_client_test.c
index efb185402b..e2c0ca5534 100644
--- a/test/cmp_client_test.c
+++ b/test/cmp_client_test.c
@@ -226,7 +226,7 @@ static int test_exec_P10CR_ses(void)
SETUP_TEST_FIXTURE(CMP_SES_TEST_FIXTURE, set_up);
fixture->req_type = OSSL_CMP_P10CR;
fixture->expected = 1;
- if (!TEST_ptr(req = load_csr(pkcs10_f))
+ if (!TEST_ptr(req = load_csr_der(pkcs10_f))
|| !TEST_true(OSSL_CMP_CTX_set1_p10CSR(fixture->cmp_ctx, req))) {
tear_down(fixture);
fixture = NULL;
@@ -369,10 +369,10 @@ int setup_tests(void)
if (!test_arg_libctx(&libctx, &default_null_provider, &provider, 5, USAGE))
return 0;
- if (!TEST_ptr(server_key = load_pem_key(server_key_f, libctx))
- || !TEST_ptr(server_cert = load_pem_cert(server_cert_f, libctx))
- || !TEST_ptr(client_key = load_pem_key(client_key_f, libctx))
- || !TEST_ptr(client_cert = load_pem_cert(client_cert_f, libctx))
+ if (!TEST_ptr(server_key = load_pkey_pem(server_key_f, libctx))
+ || !TEST_ptr(server_cert = load_cert_pem(server_cert_f, libctx))
+ || !TEST_ptr(client_key = load_pkey_pem(client_key_f, libctx))
+ || !TEST_ptr(client_cert = load_cert_pem(client_cert_f, libctx))
|| !TEST_int_eq(1, RAND_bytes_ex(libctx, ref, sizeof(ref)))) {
cleanup_tests();
return 0;
diff --git a/test/cmp_msg_test.c b/test/cmp_msg_test.c
index 0b56d66d45..696679980f 100644
--- a/test/cmp_msg_test.c
+++ b/test/cmp_msg_test.c
@@ -226,7 +226,7 @@ static int test_cmp_create_p10cr(void)
fixture->bodytype = OSSL_CMP_PKIBODY_P10CR;
fixture->err_code = CMP_R_ERROR_CREATING_CERTREQ;
fixture->expected = 1;
- if (!TEST_ptr(p10cr = load_csr(pkcs10_f))
+ if (!TEST_ptr(p10cr = load_csr_der(pkcs10_f))
|| !TEST_true(set1_newPkey(ctx, newkey))
|| !TEST_true(OSSL_CMP_CTX_set1_p10CSR(ctx, p10cr))) {
tear_down(fixture);
@@ -504,8 +504,8 @@ static int test_cmp_pkimessage_create(int bodytype)
switch (fixture->bodytype = bodytype) {
case OSSL_CMP_PKIBODY_P10CR:
fixture->expected = 1;
- if (!TEST_true(OSSL_CMP_CTX_set1_p10CSR(fixture->cmp_ctx,
- p10cr = load_csr(pkcs10_f)))) {
+ p10cr = load_csr_der(pkcs10_f);
+ if (!TEST_true(OSSL_CMP_CTX_set1_p10CSR(fixture->cmp_ctx, p10cr))) {
tear_down(fixture);
fixture = NULL;
}
@@ -564,8 +564,8 @@ int setup_tests(void)
if (!test_arg_libctx(&libctx, &default_null_provider, &provider, 3, USAGE))
return 0;
- if (!TEST_ptr(newkey = load_pem_key(newkey_f, libctx))
- || !TEST_ptr(cert = load_pem_cert(server_cert_f, libctx))
+ if (!TEST_ptr(newkey = load_pkey_pem(newkey_f, libctx))
+ || !TEST_ptr(cert = load_cert_pem(server_cert_f, libctx))
|| !TEST_int_eq(1, RAND_bytes_ex(libctx, ref, sizeof(ref)))) {
cleanup_tests();
return 0;
diff --git a/test/cmp_protect_test.c b/test/cmp_protect_test.c
index d4acb716e7..cc8aabb14d 100644
--- a/test/cmp_protect_test.c
+++ b/test/cmp_protect_test.c
@@ -541,21 +541,21 @@ int setup_tests(void)
if (!test_arg_libctx(&libctx, &default_null_provider, &provider, 10, USAGE))
return 0;
- if (!TEST_ptr(loadedkey = load_pem_key(server_key_f, libctx))
- || !TEST_ptr(cert = load_pem_cert(server_cert_f, libctx)))
+ if (!TEST_ptr(loadedkey = load_pkey_pem(server_key_f, libctx))
+ || !TEST_ptr(cert = load_cert_pem(server_cert_f, libctx)))
return 0;
- if (!TEST_ptr(loadedprivkey = load_pem_key(server_f, libctx)))
+ if (!TEST_ptr(loadedprivkey = load_pkey_pem(server_f, libctx)))
return 0;
if (TEST_true(EVP_PKEY_up_ref(loadedprivkey)))
loadedpubkey = loadedprivkey;
if (!TEST_ptr(ir_protected = load_pkimsg(ir_protected_f))
|| !TEST_ptr(ir_unprotected = load_pkimsg(ir_unprotected_f)))
return 0;
- if (!TEST_ptr(endentity1 = load_pem_cert(endentity1_f, libctx))
- || !TEST_ptr(endentity2 = load_pem_cert(endentity2_f, libctx))
- || !TEST_ptr(root = load_pem_cert(root_f, libctx))
- || !TEST_ptr(intermediate = load_pem_cert(intermediate_f, libctx)))
+ if (!TEST_ptr(endentity1 = load_cert_pem(endentity1_f, libctx))
+ || !TEST_ptr(endentity2 = load_cert_pem(endentity2_f, libctx))
+ || !TEST_ptr(root = load_cert_pem(root_f, libctx))
+ || !TEST_ptr(intermediate = load_cert_pem(intermediate_f, libctx)))
return 0;
if (!TEST_int_eq(1, RAND_bytes(rand_data, OSSL_CMP_TRANSACTIONID_LENGTH)))
return 0;
diff --git a/test/cmp_vfy_test.c b/test/cmp_vfy_test.c
index d45c938335..646d1a9aa1 100644
--- a/test/cmp_vfy_test.c
+++ b/test/cmp_vfy_test.c
@@ -604,19 +604,19 @@ int setup_tests(void)
return 0;
/* Load certificates for cert chain */
- if (!TEST_ptr(endentity1 = load_pem_cert(endentity1_f, libctx))
- || !TEST_ptr(endentity2 = load_pem_cert(endentity2_f, libctx))
- || !TEST_ptr(root = load_pem_cert(root_f, NULL))
- || !TEST_ptr(intermediate = load_pem_cert(intermediate_f, libctx)))
+ if (!TEST_ptr(endentity1 = load_cert_pem(endentity1_f, libctx))
+ || !TEST_ptr(endentity2 = load_cert_pem(endentity2_f, libctx))
+ || !TEST_ptr(root = load_cert_pem(root_f, NULL))
+ || !TEST_ptr(intermediate = load_cert_pem(intermediate_f, libctx)))
goto err;
- if (!TEST_ptr(insta_cert = load_pem_cert(instacert_f, libctx))
- || !TEST_ptr(instaca_cert = load_pem_cert(instaca_f, libctx)))
+ if (!TEST_ptr(insta_cert = load_cert_pem(instacert_f, libctx))
+ || !TEST_ptr(instaca_cert = load_cert_pem(instaca_f, libctx)))
goto err;
/* Load certificates for message validation */
- if (!TEST_ptr(srvcert = load_pem_cert(server_f, libctx))
- || !TEST_ptr(clcert = load_pem_cert(client_f, libctx)))
+ if (!TEST_ptr(srvcert = load_cert_pem(server_f, libctx))
+ || !TEST_ptr(clcert = load_cert_pem(client_f, libctx)))
goto err;
if (!TEST_int_eq(1, RAND_bytes(rand_data, OSSL_CMP_TRANSACTIONID_LENGTH)))
goto err;
diff --git a/test/helpers/cmp_testlib.c b/test/helpers/cmp_testlib.c
index 627b73c3b1..3c58f69b0c 100644
--- a/test/helpers/cmp_testlib.c
+++ b/test/helpers/cmp_testlib.c
@@ -12,36 +12,6 @@
#include "cmp_testlib.h"
#include <openssl/rsa.h> /* needed in case config no-deprecated */
-EVP_PKEY *load_pem_key(const char *file, OSSL_LIB_CTX *libctx)
-{
- EVP_PKEY *key = NULL;
- BIO *bio = NULL;
-
- if (!TEST_ptr(bio = BIO_new(BIO_s_file())))
- return NULL;
- if (TEST_int_gt(BIO_read_filename(bio, file), 0))
- (void)TEST_ptr(key = PEM_read_bio_PrivateKey_ex(bio, NULL, NULL, NULL,
- libctx, NULL));
-
- BIO_free(bio);
- return key;
-}
-
-X509 *load_pem_cert(const char *file, OSSL_LIB_CTX *libctx)
-{
- X509 *cert = NULL;
- BIO *bio = NULL;
-
- if (!TEST_ptr(bio = BIO_new(BIO_s_file())))
- return NULL;
- if (TEST_int_gt(BIO_read_filename(bio, file), 0)
- && TEST_ptr(cert = X509_new_ex(libctx, NULL)))
- (void)TEST_ptr(cert = PEM_read_bio_X509(bio, &cert, NULL, NULL));
-
- BIO_free(bio);
- return cert;
-}
-
OSSL_CMP_MSG *load_pkimsg(const char *file)
{
OSSL_CMP_MSG *msg;
@@ -50,18 +20,6 @@ OSSL_CMP_MSG *load_pkimsg(const char *file)
return msg;
}
-X509_REQ *load_csr(const char *file)
-{
- X509_REQ *csr = NULL;
- BIO *bio = NULL;
-
- if (!TEST_ptr(file) || !TEST_ptr(bio = BIO_new_file(file, "rb")))
- return NULL;
- (void)TEST_ptr(csr = d2i_X509_REQ_bio(bio, NULL));
- BIO_free(bio);
- return csr;
-}
-
/*
* Checks whether the syntax of msg conforms to ASN.1
*/
diff --git a/test/helpers/cmp_testlib.h b/test/helpers/cmp_testlib.h
index 0bee099a67..b33c1b5400 100644
--- a/test/helpers/cmp_testlib.h
+++ b/test/helpers/cmp_testlib.h
@@ -22,9 +22,6 @@
# ifndef OPENSSL_NO_CMP
# define CMP_TEST_REFVALUE_LENGTH 15 /* arbitrary value */
-EVP_PKEY *load_pem_key(const char *file, OSSL_LIB_CTX *libctx);
-X509 *load_pem_cert(const char *file, OSSL_LIB_CTX *libctx);
-X509_REQ *load_csr(const char *file);
OSSL_CMP_MSG *load_pkimsg(const char *file);
int valid_asn1_encoding(const OSSL_CMP_MSG *msg);
int STACK_OF_X509_cmp(const STACK_OF(X509) *sk1, const STACK_OF(X509) *sk2);
diff --git a/test/helpers/pkcs12.c b/test/helpers/pkcs12.c
index 6489609d25..1c3a80c5c6 100644
--- a/test/helpers/pkcs12.c
+++ b/test/helpers/pkcs12.c
@@ -28,9 +28,6 @@ int write_files = 0;
* Local function declarations
*/
-static X509 *load_cert(const unsigned char *bytes, int len);
-static EVP_PKEY *load_pkey(const unsigned char *bytes, int len);
-
static int add_attributes(PKCS12_SAFEBAG *bag, const PKCS12_ATTR *attrs);
static void generate_p12(PKCS12_BUILDER *pb, const PKCS12_ENC *mac);
@@ -47,7 +44,7 @@ static int check_attrs(const STACK_OF(X509_ATTRIBUTE) *bag_attrs, const PKCS12_A
* Test data load functions
*/
-static X509 *load_cert(const unsigned char *bytes, int len)
+static X509 *load_cert_asn1(const unsigned char *bytes, int len)
{
X509 *cert = NULL;
@@ -58,7 +55,7 @@ err:
return cert;
}
-static EVP_PKEY *load_pkey(const unsigned char *bytes, int len)
+static EVP_PKEY *load_pkey_asn1(const unsigned char *bytes, int len)
{
EVP_PKEY *pkey = NULL;
@@ -69,7 +66,6 @@ err:
return pkey;
}
-
/* -------------------------------------------------------------------------
* PKCS12 builder
*/
@@ -333,7 +329,7 @@ void add_certbag(PKCS12_BUILDER *pb, const unsigned char *bytes, int len,
if (!pb->success)
return;
- cert = load_cert(bytes, len);
+ cert = load_cert_asn1(bytes, len);
if (!TEST_ptr(cert)) {
pb->success = 0;
return;
@@ -368,7 +364,7 @@ void add_keybag(PKCS12_BUILDER *pb, const unsigned char *bytes, int len,
TEST_info("Adding key");
- pkey = load_pkey(bytes, len);
+ pkey = load_pkey_asn1(bytes, len);
if (!TEST_ptr(pkey)) {
pb->success = 0;
return;
@@ -511,7 +507,7 @@ void check_certbag(PKCS12_BUILDER *pb, const unsigned char *bytes, int len,
pb->success = 0;
goto err;
}
- ref_x509 = load_cert(bytes, len);
+ ref_x509 = load_cert_asn1(bytes, len);
if (!TEST_false(X509_cmp(x509, ref_x509)))
pb->success = 0;
err:
@@ -574,7 +570,7 @@ void check_keybag(PKCS12_BUILDER *pb, const unsigned char *bytes, int len,
}
/* PKEY compare returns 1 for match */
- ref_pkey = load_pkey(bytes, len);
+ ref_pkey = load_pkey_asn1(bytes, len);
if (!TEST_true(EVP_PKEY_eq(pkey, ref_pkey)))
pb->success = 0;
err:
diff --git a/test/http_test.c b/test/http_test.c
index 437fca97dc..e95249d21b 100644
--- a/test/http_test.c
+++ b/test/http_test.c
@@ -22,20 +22,6 @@ static X509 *x509 = NULL;
#define RPATH "path/any.crt"
static const char *rpath;
-static X509 *load_pem_cert(const char *file)
-{
- X509 *cert = NULL;
- BIO *bio = NULL;
-
- if (!TEST_ptr(bio = BIO_new(BIO_s_file())))
- return NULL;
- if (TEST_int_gt(BIO_read_filename(bio, file), 0))
- (void)TEST_ptr(cert = PEM_read_bio_X509(bio, NULL, NULL, NULL));
-
- BIO_free(bio);
- return cert;
-}
-
/*
* pretty trivial HTTP mock server:
* for POST, copy request headers+body from mem BIO 'in' as response to 'out'
@@ -238,7 +224,7 @@ int setup_tests(void)
}
x509_it = ASN1_ITEM_rptr(X509);
- if (!TEST_ptr((x509 = load_pem_cert(test_get_argument(0)))))
+ if (!TEST_ptr((x509 = load_cert_pem(test_get_argument(0), NULL))))
return 1;
ADD_TEST(test_http_url_dns);
diff --git a/test/testutil.h b/test/testutil.h
index 91e4d4bdd9..73e522a817 100644
--- a/test/testutil.h
+++ b/test/testutil.h
@@ -16,6 +16,7 @@
# include <openssl/err.h>
# include <openssl/e_os2.h>
# include <openssl/bn.h>
+# include <openssl/x509.h>
# include "opt.h"
/*-
@@ -568,4 +569,10 @@ void test_random_seed(uint32_t sd);
/* Create a file path from a directory and a filename */
char *test_mk_file_path(const char *dir, const char *file);
+EVP_PKEY *load_pkey_pem(const char *file, OSSL_LIB_CTX *libctx);
+X509 *load_cert_pem(const char *file, OSSL_LIB_CTX *libctx);
+X509 *load_cert_der(const unsigned char *bytes, int len);
+STACK_OF(X509) *load_certs_pem(const char *file);
+X509_REQ *load_csr_der(const char *file);
+
#endif /* OSSL_TESTUTIL_H */
diff --git a/test/testutil/load.c b/test/testutil/load.c
new file mode 100644
index 0000000000..9b188eb8a6
--- /dev/null
+++ b/test/testutil/load.c
@@ -0,0 +1,97 @@
+/*
+ * Copyright 2020-2021 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the Apache License 2.0 (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+#include <stdio.h>
+#include <stdlib.h>
+
+#include <openssl/x509.h>
+#include <openssl/pem.h>
+
+#include "../testutil.h"
+
+X509 *load_cert_pem(const char *file, OSSL_LIB_CTX *libctx)
+{
+ X509 *cert = NULL;
+ BIO *bio = NULL;
+
+ if (!TEST_ptr(bio = BIO_new(BIO_s_file())))
+ return NULL;
+ if (TEST_int_gt(BIO_read_filename(bio, file), 0)
+ && TEST_ptr(cert = X509_new_ex(libctx, NULL)))
+ (void)TEST_ptr(cert = PEM_read_bio_X509(bio, &cert, NULL, NULL));
+
+ BIO_free(bio);
+ return cert;
+}
+
+STACK_OF(X509) *load_certs_pem(const char *filename)
+{
+ STACK_OF(X509) *certs;
+ BIO *bio;
+ X509 *x;
+
+ bio = BIO_new_file(filename, "r");
+
+ if (bio == NULL) {
+ return NULL;
+ }
+
+ certs = sk_X509_new_null();
+ if (certs == NULL) {
+ BIO_free(bio);
+ return NULL;
+ }
+
+ ERR_set_mark();
+ do {
+ x = PEM_read_bio_X509(bio, NULL, 0, NULL);
+ if (x != NULL && !sk_X509_push(certs, x)) {
+ sk_X509_pop_free(certs, X509_free);
+ BIO_free(bio);
+ return NULL;
+ } else if (x == NULL) {
+ /*
+ * We probably just ran out of certs, so ignore any errors
+ * generated
+ */
+ ERR_pop_to_mark();
+ }
+ } while (x != NULL);
+
+ BIO_free(bio);
+
+ return certs;
+}
+
+EVP_PKEY *load_pkey_pem(const char *file, OSSL_LIB_CTX *libctx)
+{
+ EVP_PKEY *key = NULL;
+ BIO *bio = NULL;
+
+ if (!TEST_ptr(bio = BIO_new(BIO_s_file())))
+ return NULL;
+ if (TEST_int_gt(BIO_read_filename(bio, file), 0))
+ (void)TEST_ptr(key = PEM_read_bio_PrivateKey_ex(bio, NULL, NULL, NULL,
+ libctx, NULL));
+
+ BIO_free(bio);
+ return key;
+}
+
+X509_REQ *load_csr_der(const char *file)
+{
+ X509_REQ *csr = NULL;
+ BIO *bio = NULL;
+
+ if (!TEST_ptr(file) || !TEST_ptr(bio = BIO_new_file(file, "rb")))
+ return NULL;
+ (void)TEST_ptr(csr = d2i_X509_REQ_bio(bio, NULL));
+ BIO_free(bio);
+ return csr;
+}
diff --git a/test/verify_extra_test.c b/test/verify_extra_test.c
index 668b62d408..1b308ca84b 100644
--- a/test/verify_extra_test.c
+++ b/test/verify_extra_test.c
@@ -22,58 +22,9 @@ static const char *untrusted_f;
static const char *bad_f;
static const char *req_f;
-static X509 *load_cert_from_file(const char *filename)
-{
- X509 *cert = NULL;
- BIO *bio;
-
- bio = BIO_new_file(filename, "r");
- if (bio != NULL)
- cert = PEM_read_bio_X509(bio, NULL, 0, NULL);
- BIO_free(bio);
- return cert;
-}
-
-static STACK_OF(X509) *load_certs_from_file(const char *filename)
-{
- STACK_OF(X509) *certs;
- BIO *bio;
- X509 *x;
-
- bio = BIO_new_file(filename, "r");
+#define load_cert_from_file(file) load_cert_pem(file, NULL)
- if (bio == NULL) {
- return NULL;
- }
-
- certs = sk_X509_new_null();
- if (certs == NULL) {
- BIO_free(bio);
- return NULL;
- }
-
- ERR_set_mark();
- do {
- x = PEM_read_bio_X509(bio, NULL, 0, NULL);
- if (x != NULL && !sk_X509_push(certs, x)) {
- sk_X509_pop_free(certs, X509_free);
- BIO_free(bio);
- return NULL;
- } else if (x == NULL) {
- /*
- * We probably just ran out of certs, so ignore any errors
- * generated
- */
- ERR_pop_to_mark();
- }
- } while (x != NULL);
-
- BIO_free(bio);
-
- return certs;
-}
-
-/*
+/*-
* Test for CVE-2015-1793 (Alternate Chains Certificate Forgery)
*
* Chain is as follows:
@@ -122,7 +73,7 @@ static int test_alt_chains_cert_forgery(void)
if (!X509_LOOKUP_load_file(lookup, roots_f, X509_FILETYPE_PEM))
goto err;
- untrusted = load_certs_from_file(untrusted_f);
+ untrusted = load_certs_pem(untrusted_f);
if ((x = load_cert_from_file(bad_f)) == NULL)
goto err;
@@ -148,37 +99,6 @@ static int test_alt_chains_cert_forgery(void)
return ret;
}
-static int test_store_ctx(void)
-{
- X509_STORE_CTX *sctx = NULL;
- X509 *x = NULL;
- int testresult = 0, ret;
-
- x = load_cert_from_file(bad_f);
- if (x == NULL)
- goto err;
-
- sctx = X509_STORE_CTX_new();
- if (sctx == NULL)
- goto err;
-
- if (!X509_STORE_CTX_init(sctx, NULL, x, NULL))
- goto err;
-
- /* Verifying a cert where we have no trusted certs should fail */
- ret = X509_verify_cert(sctx);
-
- if (ret == 0) {
- /* This is the result we were expecting: Test passed */
- testresult = 1;
- }
-
- err:
- X509_STORE_CTX_free(sctx);
- X509_free(x);
- return testresult;
-}
-
OPT_TEST_DECLARE_USAGE("roots.pem untrusted.pem bad.pem\n")
static int test_distinguishing_id(void)
@@ -255,30 +175,49 @@ static int test_req_distinguishing_id(void)
return ret;
}
-static int test_self_signed(const char *filename, int expected)
+static int test_self_signed(const char *filename, int use_trusted, int expected)
{
X509 *cert;
+ STACK_OF(X509) *trusted = sk_X509_new_null();
+ X509_STORE_CTX *ctx = X509_STORE_CTX_new();
int ret;
cert = load_cert_from_file(filename); /* may result in NULL */
ret = TEST_int_eq(X509_self_signed(cert, 1), expected);
+
+ if (cert != NULL) {
+ if (use_trusted)
+ ret = ret && TEST_true(sk_X509_push(trusted, cert));
+ ret = ret && TEST_true(X509_STORE_CTX_init(ctx, NULL, cert, NULL));
+ X509_STORE_CTX_set0_trusted_stack(ctx, trusted);
+ ret = ret && TEST_int_eq(X509_verify_cert(ctx), expected);
+ }
+
+ X509_STORE_CTX_free(ctx);
+ sk_X509_free(trusted);
X509_free(cert);
return ret;
}
static int test_self_signed_good(void)
{
- return test_self_signed(root_f, 1);
+ return test_self_signed(root_f, 1, 1);
}
static int test_self_signed_bad(void)
{
- return test_self_signed(bad_f, 0);
+ return test_self_signed(bad_f, 1, 0);
}
static int test_self_signed_error(void)
{
- return test_self_signed("nonexistent file name", -1);
+ return test_self_signed("nonexistent file name", 1, -1);
+}
+
+static int test_store_ctx(void)
+{
+ /* Verifying a cert where we have no trusted certs should fail */
+ return test_self_signed(bad_f, 0, 0);
}
int setup_tests(void)
diff --git a/util/find-doc-nits b/util/find-doc-nits
index 6d8b7144df..6c559ba05d 100755
--- a/util/find-doc-nits
+++ b/util/find-doc-nits
@@ -885,7 +885,7 @@ sub checkstate () {
err("$_ is supposedly public but is documented as internal")
if ( $declared_public && $name_map{$_} =~ /\/internal\// );
- err("$_ is supposedly internal but is documented as public")
+ err("$_ is supposedly internal (maybe missing from other.syms) but is documented as public")
if ( $declared_internal && $name_map{$_} !~ /\/internal\// );
}
}
diff --git a/util/libcrypto.num b/util/libcrypto.num
index 289a6672f9..aa35b4185c 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -1345,7 +1345,7 @@ EVP_PKEY_asn1_free 1375 3_0_0 EXIST::FUNCTION:
ENGINE_unregister_DH 1376 3_0_0 EXIST::FUNCTION:DEPRECATEDIN_3_0,ENGINE
PROXY_CERT_INFO_EXTENSION_it 1377 3_0_0 EXIST::FUNCTION:
CT_POLICY_EVAL_CTX_set1_cert 1378 3_0_0 EXIST::FUNCTION:CT
-X509_NAME_hash 1379 3_0_0 EXIST::FUNCTION:
+X509_NAME_hash_ex 1379 3_0_0 EXIST::FUNCTION:
SCT_set_timestamp 1380 3_0_0 EXIST::FUNCTION:CT
UI_new 1381 3_0_0 EXIST::FUNCTION:
TS_REQ_get_msg_imprint 1382 3_0_0 EXIST::FUNCTION:TS
diff --git a/util/missingcrypto.txt b/util/missingcrypto.txt
index 8a2c773e1d..b547e52858 100644
--- a/util/missingcrypto.txt
+++ b/util/missingcrypto.txt
@@ -1333,7 +1333,6 @@ X509_INFO_free(3)
X509_INFO_new(3)
X509_NAME_ENTRY_it(3)
X509_NAME_ENTRY_set(3)
-X509_NAME_hash(3)
X509_NAME_hash_old(3)
X509_NAME_it(3)
X509_NAME_set(3)
diff --git a/util/other.syms b/util/other.syms
index f35b354cbb..3ffbcb1005 100644
--- a/util/other.syms
+++ b/util/other.syms
@@ -588,6 +588,7 @@ X509_LOOKUP_load_file define
X509_LOOKUP_load_file_ex define
X509_LOOKUP_load_store define
X509_LOOKUP_load_store_ex define
+X509_NAME_hash define
X509_STORE_set_lookup_crls_cb define
X509_STORE_set_verify_func define
EVP_PKEY_CTX_set1_id define
More information about the openssl-commits
mailing list