The branch master has been updated via c9f51264d86b580ec3b3ab8a5317298c04bb1f3d (commit) via be6aeda6474a77e97b344f300334f5fe3612e4b4 (commit) via 5fcb97c61e6796b20c8ee1b0daab25151bf65bd0 (commit) via 6b1e5fa4873ff2f7741f996961f26ab9818ee190 (commit) from 9727f4e7fd02e55b637058249cd8e1bc80501c7f (commit)
- Log ----------------------------------------------------------------- commit c9f51264d86b580ec3b3ab8a5317298c04bb1f3d Author: Matt Caswell <m...@openssl.org> Date: Wed Mar 25 15:01:36 2020 +0000 Use the new OCSP functions in sslapitest.c At the moment we just use the default libctx - but a future PR will add support for running sslapitest with a non-default libctx. Reviewed-by: Shane Lontis <shane.lon...@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11407) commit be6aeda6474a77e97b344f300334f5fe3612e4b4 Author: Matt Caswell <m...@openssl.org> Date: Fri Mar 20 14:54:55 2020 +0000 Add OCSP_RESPID_set_by_key_ex() and OCSP_RESPID_match_ex() OCSP_RESPID_set_by_key() calculates a SHA1 hash of the supplied certificate. We need to be able to specify which libctx and property query string is used to fetch that algorithm so we introduce OCSP_RESPID_set_by_key_ex() which does the same thing but enables you to speicfy the library context and propery query string explicitly. OCSP_RESPID_match() matches with certificates based on the SHA1 hash. Therefore for the same reason we introduce OCSP_RESPID_match_ex(). Reviewed-by: Shane Lontis <shane.lon...@oracle.com> (Merged from https://github.com/openssl/openssl/pull/11407) commit 5fcb97c61e6796b20c8ee1b0daab25151bf65bd0 Author: Matt Caswell <m...@openssl.org> Date: Fri Mar 20 12:00:12 2020 +0000 Ignore some fetch failures Some fetch failurs are ok and should be ignored. Reviewed-by: Tomas Mraz <tm...@fedoraproject.org> Reviewed-by: Richard Levitte <levi...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11405) commit 6b1e5fa4873ff2f7741f996961f26ab9818ee190 Author: Matt Caswell <m...@openssl.org> Date: Wed Mar 25 12:12:59 2020 +0000 Put an error on the stack in the event of a fetch failure Fetch failures are a common problem and it is useful to have detailed information about what was requested in the event of a failure. Reviewed-by: Tomas Mraz <tm...@fedoraproject.org> Reviewed-by: Richard Levitte <levi...@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11405) ----------------------------------------------------------------------- Summary of changes: crypto/context.c | 9 +++++ crypto/evp/evp_fetch.c | 54 +++++++++++++++++++++++++---- crypto/evp/pkey_mac.c | 6 +++- crypto/evp/pmeth_lib.c | 6 +++- crypto/ocsp/ocsp_srv.c | 57 +++++++++++++++++++++++-------- doc/man3/OCSP_response_status.pod | 72 ++++++++++++++++++++++++--------------- include/internal/cryptlib.h | 1 + include/openssl/ocsp.h | 4 +++ providers/common/provider_util.c | 11 ++++++ ssl/ssl_lib.c | 16 +++++++-- test/sslapitest.c | 4 +-- util/libcrypto.num | 2 ++ 12 files changed, 187 insertions(+), 55 deletions(-) diff --git a/crypto/context.c b/crypto/context.c index dcf960bfa7..35530174b8 100644 --- a/crypto/context.c +++ b/crypto/context.c @@ -172,6 +172,15 @@ OPENSSL_CTX *openssl_ctx_get_concrete(OPENSSL_CTX *ctx) return ctx; } +int openssl_ctx_is_default(OPENSSL_CTX *ctx) +{ +#ifndef FIPS_MODE + if (ctx == NULL || ctx == default_context) + return 1; +#endif + return 0; +} + static void openssl_ctx_generic_new(void *parent_ign, void *ptr_ign, CRYPTO_EX_DATA *ad, int index, long argl_ign, void *argp) diff --git a/crypto/evp/evp_fetch.c b/crypto/evp/evp_fetch.c index da7f33e95e..e808bf818f 100644 --- a/crypto/evp/evp_fetch.c +++ b/crypto/evp/evp_fetch.c @@ -294,9 +294,26 @@ void *evp_generic_fetch(OPENSSL_CTX *libctx, int operation_id, int (*up_ref_method)(void *), void (*free_method)(void *)) { - return inner_evp_generic_fetch(libctx, - operation_id, 0, name, properties, - new_method, up_ref_method, free_method); + void *ret = inner_evp_generic_fetch(libctx, + operation_id, 0, name, properties, + new_method, up_ref_method, free_method); + + if (ret == NULL) { + int code = EVP_R_FETCH_FAILED; + +#ifdef FIPS_MODE + ERR_raise(ERR_LIB_EVP, code); +#else + ERR_raise_data(ERR_LIB_EVP, code, + "%s, Algorithm (%s), Properties (%s)", + (openssl_ctx_is_default(libctx) + ? "Default library context" + : "Non-default library context"), + name = NULL ? "<null>" : name, + properties == NULL ? "<null>" : properties); +#endif + } + return ret; } /* @@ -314,9 +331,34 @@ void *evp_generic_fetch_by_number(OPENSSL_CTX *libctx, int operation_id, int (*up_ref_method)(void *), void (*free_method)(void *)) { - return inner_evp_generic_fetch(libctx, - operation_id, name_id, NULL, properties, - new_method, up_ref_method, free_method); + void *ret = inner_evp_generic_fetch(libctx, + operation_id, name_id, NULL, + properties, new_method, up_ref_method, + free_method); + + if (ret == NULL) { + int code = EVP_R_FETCH_FAILED; + +#ifdef FIPS_MODE + ERR_raise(ERR_LIB_EVP, code); +#else + { + OSSL_NAMEMAP *namemap = ossl_namemap_stored(libctx); + const char *name = (namemap == NULL) + ? NULL + : ossl_namemap_num2name(namemap, name_id, 0); + + ERR_raise_data(ERR_LIB_EVP, code, + "%s, Algorithm (%s), Properties (%s)", + (openssl_ctx_is_default(libctx) + ? "Default library context" + : "Non-default library context"), + name = NULL ? "<null>" : name, + properties == NULL ? "<null>" : properties); + } +#endif + } + return ret; } int EVP_set_default_properties(OPENSSL_CTX *libctx, const char *propq) diff --git a/crypto/evp/pkey_mac.c b/crypto/evp/pkey_mac.c index 7430b62b0b..7452e0320d 100644 --- a/crypto/evp/pkey_mac.c +++ b/crypto/evp/pkey_mac.c @@ -51,7 +51,11 @@ static int pkey_mac_init(EVP_PKEY_CTX *ctx) MAC_PKEY_CTX *hctx; /* We're being smart and using the same base NIDs for PKEY and for MAC */ int nid = ctx->pmeth->pkey_id; - EVP_MAC *mac = EVP_MAC_fetch(ctx->libctx, OBJ_nid2sn(nid), ctx->propquery); + EVP_MAC *mac; + + ERR_set_mark(); + mac = EVP_MAC_fetch(ctx->libctx, OBJ_nid2sn(nid), ctx->propquery); + ERR_pop_to_mark(); /* * mac == NULL may actually be ok in some situations. In an diff --git a/crypto/evp/pmeth_lib.c b/crypto/evp/pmeth_lib.c index ecaaec41c7..da50ebf18a 100644 --- a/crypto/evp/pmeth_lib.c +++ b/crypto/evp/pmeth_lib.c @@ -226,8 +226,12 @@ static EVP_PKEY_CTX *int_ctx_new(OPENSSL_CTX *libctx, * If there's no engine and there's a name, we try fetching a provider * implementation. */ - if (e == NULL && keytype != NULL) + if (e == NULL && keytype != NULL) { + /* This could fail so ignore errors */ + ERR_set_mark(); keymgmt = EVP_KEYMGMT_fetch(libctx, keytype, propquery); + ERR_pop_to_mark(); + } ret = OPENSSL_zalloc(sizeof(*ret)); if (ret == NULL) { diff --git a/crypto/ocsp/ocsp_srv.c b/crypto/ocsp/ocsp_srv.c index 7e0aca169b..051747b445 100644 --- a/crypto/ocsp/ocsp_srv.c +++ b/crypto/ocsp/ocsp_srv.c @@ -259,45 +259,67 @@ int OCSP_RESPID_set_by_name(OCSP_RESPID *respid, X509 *cert) return 1; } -int OCSP_RESPID_set_by_key(OCSP_RESPID *respid, X509 *cert) +int OCSP_RESPID_set_by_key_ex(OCSP_RESPID *respid, X509 *cert, + OPENSSL_CTX *libctx, const char *propq) { ASN1_OCTET_STRING *byKey = NULL; unsigned char md[SHA_DIGEST_LENGTH]; + EVP_MD *sha1 = EVP_MD_fetch(libctx, "SHA1", propq); + int ret = 0; - /* RFC2560 requires SHA1 */ - if (!X509_pubkey_digest(cert, EVP_sha1(), md, NULL)) + if (sha1 == NULL) return 0; + /* RFC2560 requires SHA1 */ + if (!X509_pubkey_digest(cert, sha1, md, NULL)) + goto err; + byKey = ASN1_OCTET_STRING_new(); if (byKey == NULL) - return 0; + goto err; if (!(ASN1_OCTET_STRING_set(byKey, md, SHA_DIGEST_LENGTH))) { ASN1_OCTET_STRING_free(byKey); - return 0; + goto err; } respid->type = V_OCSP_RESPID_KEY; respid->value.byKey = byKey; - return 1; + ret = 1; + err: + EVP_MD_free(sha1); + return ret; } -int OCSP_RESPID_match(OCSP_RESPID *respid, X509 *cert) +int OCSP_RESPID_set_by_key(OCSP_RESPID *respid, X509 *cert) { + return OCSP_RESPID_set_by_key_ex(respid, cert, NULL, NULL); +} + +int OCSP_RESPID_match_ex(OCSP_RESPID *respid, X509 *cert, OPENSSL_CTX *libctx, + const char *propq) +{ + EVP_MD *sha1 = NULL; + int ret = 0; + if (respid->type == V_OCSP_RESPID_KEY) { unsigned char md[SHA_DIGEST_LENGTH]; + sha1 = EVP_MD_fetch(libctx, "SHA1", propq); + if (sha1 == NULL) + goto err; + if (respid->value.byKey == NULL) - return 0; + goto err; /* RFC2560 requires SHA1 */ - if (!X509_pubkey_digest(cert, EVP_sha1(), md, NULL)) - return 0; + if (!X509_pubkey_digest(cert, sha1, md, NULL)) + goto err; - return (ASN1_STRING_length(respid->value.byKey) == SHA_DIGEST_LENGTH) - && (memcmp(ASN1_STRING_get0_data(respid->value.byKey), md, - SHA_DIGEST_LENGTH) == 0); + ret = (ASN1_STRING_length(respid->value.byKey) == SHA_DIGEST_LENGTH) + && (memcmp(ASN1_STRING_get0_data(respid->value.byKey), md, + SHA_DIGEST_LENGTH) == 0); } else if (respid->type == V_OCSP_RESPID_NAME) { if (respid->value.byName == NULL) return 0; @@ -306,5 +328,12 @@ int OCSP_RESPID_match(OCSP_RESPID *respid, X509 *cert) X509_get_subject_name(cert)) == 0; } - return 0; + err: + EVP_MD_free(sha1); + return ret; +} + +int OCSP_RESPID_match(OCSP_RESPID *respid, X509 *cert) +{ + return OCSP_RESPID_match_ex(respid, cert, NULL, NULL); } diff --git a/doc/man3/OCSP_response_status.pod b/doc/man3/OCSP_response_status.pod index c1de86b199..6c02b55fa1 100644 --- a/doc/man3/OCSP_response_status.pod +++ b/doc/man3/OCSP_response_status.pod @@ -4,8 +4,9 @@ OCSP_response_status, OCSP_response_get1_basic, OCSP_response_create, OCSP_RESPONSE_free, OCSP_RESPID_set_by_name, -OCSP_RESPID_set_by_key, OCSP_RESPID_match, -OCSP_basic_sign, OCSP_basic_sign_ctx - OCSP response functions +OCSP_RESPID_set_by_key_ex, OCSP_RESPID_set_by_key, OCSP_RESPID_match_ex, +OCSP_RESPID_match, OCSP_basic_sign, OCSP_basic_sign_ctx +- OCSP response functions =head1 SYNOPSIS @@ -17,7 +18,11 @@ OCSP_basic_sign, OCSP_basic_sign_ctx - OCSP response functions void OCSP_RESPONSE_free(OCSP_RESPONSE *resp); int OCSP_RESPID_set_by_name(OCSP_RESPID *respid, X509 *cert); + int OCSP_RESPID_set_by_key_ex(OCSP_RESPID *respid, X509 *cert, + OPENSSL_CTX *libctx, const char *propq); int OCSP_RESPID_set_by_key(OCSP_RESPID *respid, X509 *cert); + int OCSP_RESPID_match_ex(OCSP_RESPID *respid, X509 *cert, OPENSSL_CTX *libctx, + const char *propq); int OCSP_RESPID_match(OCSP_RESPID *respid, X509 *cert); int OCSP_basic_sign(OCSP_BASICRESP *brsp, X509 *signer, EVP_PKEY *key, @@ -28,49 +33,60 @@ OCSP_basic_sign, OCSP_basic_sign_ctx - OCSP response functions =head1 DESCRIPTION -OCSP_response_status() returns the OCSP response status of B<resp>. It returns -one of the values: B<OCSP_RESPONSE_STATUS_SUCCESSFUL>, -B<OCSP_RESPONSE_STATUS_MALFORMEDREQUEST>, -B<OCSP_RESPONSE_STATUS_INTERNALERROR>, B<OCSP_RESPONSE_STATUS_TRYLATER> -B<OCSP_RESPONSE_STATUS_SIGREQUIRED>, or B<OCSP_RESPONSE_STATUS_UNAUTHORIZED>. +OCSP_response_status() returns the OCSP response status of I<resp>. It returns +one of the values: I<OCSP_RESPONSE_STATUS_SUCCESSFUL>, +I<OCSP_RESPONSE_STATUS_MALFORMEDREQUEST>, +I<OCSP_RESPONSE_STATUS_INTERNALERROR>, I<OCSP_RESPONSE_STATUS_TRYLATER> +I<OCSP_RESPONSE_STATUS_SIGREQUIRED>, or I<OCSP_RESPONSE_STATUS_UNAUTHORIZED>. -OCSP_response_get1_basic() decodes and returns the B<OCSP_BASICRESP> structure -contained in B<resp>. +OCSP_response_get1_basic() decodes and returns the I<OCSP_BASICRESP> structure +contained in I<resp>. -OCSP_response_create() creates and returns an B<OCSP_RESPONSE> structure for -B<status> and optionally including basic response B<bs>. +OCSP_response_create() creates and returns an I<OCSP_RESPONSE> structure for +I<status> and optionally including basic response I<bs>. -OCSP_RESPONSE_free() frees up OCSP response B<resp>. +OCSP_RESPONSE_free() frees up OCSP response I<resp>. OCSP_RESPID_set_by_name() sets the name of the OCSP_RESPID to be the same as the -subject name in the supplied X509 certificate B<cert> for the OCSP responder. +subject name in the supplied X509 certificate I<cert> for the OCSP responder. -OCSP_RESPID_set_by_key() sets the key of the OCSP_RESPID to be the same as the -key in the supplied X509 certificate B<cert> for the OCSP responder. The key is -stored as a SHA1 hash. +OCSP_RESPID_set_by_key_ex() sets the key of the OCSP_RESPID to be the same as the +key in the supplied X509 certificate I<cert> for the OCSP responder. The key is +stored as a SHA1 hash. To calculate the hash the SHA1 algorithm is fetched using +the library ctx I<libctx> and the property query string I<propq> (see +L<provider(7)/Fetching algorithms> for further information). + +OCSP_RESPID_set_by_key() does the same as OCSP_RESPID_set_by_key_ex() except +that the default library context is used with an empty property query string. Note that an OCSP_RESPID can only have one of the name, or the key set. Calling OCSP_RESPID_set_by_name() or OCSP_RESPID_set_by_key() will clear any existing setting. -OCSP_RESPID_match() tests whether the OCSP_RESPID given in B<respid> matches -with the X509 certificate B<cert>. +OCSP_RESPID_match_ex() tests whether the OCSP_RESPID given in I<respid> matches +with the X509 certificate I<cert> based on the SHA1 hash. To calculate the hash +the SHA1 algorithm is fetched using the library ctx I<libctx> and the property +query string I<propq> (see L<provider(7)/Fetching algorithms> for further +information). + +OCSP_RESPID_match() does the same as OCSP_RESPID_match_ex() except that the +default library context is used with an empty property query string. -OCSP_basic_sign() signs OCSP response B<brsp> using certificate B<signer>, private key -B<key>, digest B<dgst> and additional certificates B<certs>. If the B<flags> option -B<OCSP_NOCERTS> is set then no certificates will be included in the response. If the -B<flags> option B<OCSP_RESPID_KEY> is set then the responder is identified by key ID -rather than by name. OCSP_basic_sign_ctx() also signs OCSP response B<brsp> but -uses the parameters contained in digest context B<ctx>. +OCSP_basic_sign() signs OCSP response I<brsp> using certificate I<signer>, private key +I<key>, digest I<dgst> and additional certificates I<certs>. If the I<flags> option +I<OCSP_NOCERTS> is set then no certificates will be included in the response. If the +I<flags> option I<OCSP_RESPID_KEY> is set then the responder is identified by key ID +rather than by name. OCSP_basic_sign_ctx() also signs OCSP response I<brsp> but +uses the parameters contained in digest context I<ctx>. =head1 RETURN VALUES OCSP_RESPONSE_status() returns a status value. -OCSP_response_get1_basic() returns an B<OCSP_BASICRESP> structure pointer or -B<NULL> if an error occurred. +OCSP_response_get1_basic() returns an I<OCSP_BASICRESP> structure pointer or +I<NULL> if an error occurred. -OCSP_response_create() returns an B<OCSP_RESPONSE> structure pointer or B<NULL> +OCSP_response_create() returns an I<OCSP_RESPONSE> structure pointer or I<NULL> if an error occurred. OCSP_RESPONSE_free() does not return a value. @@ -85,7 +101,7 @@ or 0 otherwise. =head1 NOTES OCSP_response_get1_basic() is only called if the status of a response is -B<OCSP_RESPONSE_STATUS_SUCCESSFUL>. +I<OCSP_RESPONSE_STATUS_SUCCESSFUL>. =head1 SEE ALSO diff --git a/include/internal/cryptlib.h b/include/internal/cryptlib.h index 19e2c9744e..9a60f413bf 100644 --- a/include/internal/cryptlib.h +++ b/include/internal/cryptlib.h @@ -165,6 +165,7 @@ typedef struct openssl_ctx_method { } OPENSSL_CTX_METHOD; OPENSSL_CTX *openssl_ctx_get_concrete(OPENSSL_CTX *ctx); +int openssl_ctx_is_default(OPENSSL_CTX *ctx); /* Functions to retrieve pointers to data by index */ void *openssl_ctx_get_data(OPENSSL_CTX *, int /* index */, diff --git a/include/openssl/ocsp.h b/include/openssl/ocsp.h index 5acd04b6ea..b9f55c0123 100644 --- a/include/openssl/ocsp.h +++ b/include/openssl/ocsp.h @@ -277,7 +277,11 @@ int OCSP_basic_sign_ctx(OCSP_BASICRESP *brsp, X509 *signer, EVP_MD_CTX *ctx, STACK_OF(X509) *certs, unsigned long flags); int OCSP_RESPID_set_by_name(OCSP_RESPID *respid, X509 *cert); +int OCSP_RESPID_set_by_key_ex(OCSP_RESPID *respid, X509 *cert, + OPENSSL_CTX *libctx, const char *propq); int OCSP_RESPID_set_by_key(OCSP_RESPID *respid, X509 *cert); +int OCSP_RESPID_match_ex(OCSP_RESPID *respid, X509 *cert, OPENSSL_CTX *libctx, + const char *propq); int OCSP_RESPID_match(OCSP_RESPID *respid, X509 *cert); X509_EXTENSION *OCSP_crlID_new(const char *url, long *n, char *tim); diff --git a/providers/common/provider_util.c b/providers/common/provider_util.c index 504463df19..041d64929d 100644 --- a/providers/common/provider_util.c +++ b/providers/common/provider_util.c @@ -9,6 +9,7 @@ #include <openssl/evp.h> #include <openssl/core_names.h> +#include <openssl/err.h> #include "prov/provider_util.h" void ossl_prov_cipher_reset(PROV_CIPHER *pc) @@ -76,12 +77,17 @@ int ossl_prov_cipher_load_from_params(PROV_CIPHER *pc, return 0; EVP_CIPHER_free(pc->alloc_cipher); + ERR_set_mark(); pc->cipher = pc->alloc_cipher = EVP_CIPHER_fetch(ctx, p->data, propquery); /* TODO legacy stuff, to be removed */ #ifndef FIPS_MODE /* Inside the FIPS module, we don't support legacy ciphers */ if (pc->cipher == NULL) pc->cipher = EVP_get_cipherbyname(p->data); #endif + if (pc->cipher != NULL) + ERR_pop_to_mark(); + else + ERR_clear_last_mark(); return pc->cipher != NULL; } @@ -131,12 +137,17 @@ int ossl_prov_digest_load_from_params(PROV_DIGEST *pd, return 0; EVP_MD_free(pd->alloc_md); + ERR_set_mark(); pd->md = pd->alloc_md = EVP_MD_fetch(ctx, p->data, propquery); /* TODO legacy stuff, to be removed */ #ifndef FIPS_MODE /* Inside the FIPS module, we don't support legacy digests */ if (pd->md == NULL) pd->md = EVP_get_digestbyname(p->data); #endif + if (pd->md != NULL) + ERR_pop_to_mark(); + else + ERR_clear_last_mark(); return pd->md != NULL; } diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c index a1c3987962..a08ddb138b 100644 --- a/ssl/ssl_lib.c +++ b/ssl/ssl_lib.c @@ -5848,6 +5848,8 @@ const EVP_CIPHER *ssl_evp_cipher_fetch(OPENSSL_CTX *libctx, int nid, const char *properties) { + EVP_CIPHER *ciph; + #ifndef OPENSSL_NO_ENGINE ENGINE *eng; @@ -5862,8 +5864,11 @@ const EVP_CIPHER *ssl_evp_cipher_fetch(OPENSSL_CTX *libctx, } #endif - /* Otherwise we do an explicit fetch */ - return EVP_CIPHER_fetch(libctx, OBJ_nid2sn(nid), properties); + /* Otherwise we do an explicit fetch. This may fail and that could be ok */ + ERR_set_mark(); + ciph = EVP_CIPHER_fetch(libctx, OBJ_nid2sn(nid), properties); + ERR_pop_to_mark(); + return ciph; } @@ -5898,6 +5903,8 @@ const EVP_MD *ssl_evp_md_fetch(OPENSSL_CTX *libctx, int nid, const char *properties) { + EVP_MD *md; + #ifndef OPENSSL_NO_ENGINE ENGINE *eng; @@ -5913,7 +5920,10 @@ const EVP_MD *ssl_evp_md_fetch(OPENSSL_CTX *libctx, #endif /* Otherwise we do an explicit fetch */ - return EVP_MD_fetch(libctx, OBJ_nid2sn(nid), properties); + ERR_set_mark(); + md = EVP_MD_fetch(libctx, OBJ_nid2sn(nid), properties); + ERR_pop_to_mark(); + return md; } int ssl_evp_md_up_ref(const EVP_MD *md) diff --git a/test/sslapitest.c b/test/sslapitest.c index 886ed9ad67..a9b7d20b3c 100644 --- a/test/sslapitest.c +++ b/test/sslapitest.c @@ -1278,7 +1278,7 @@ static int ocsp_server_cb(SSL *s, void *arg) return SSL_TLSEXT_ERR_ALERT_FATAL; id = sk_OCSP_RESPID_value(ids, 0); - if (id == NULL || !OCSP_RESPID_match(id, ocspcert)) + if (id == NULL || !OCSP_RESPID_match_ex(id, ocspcert, NULL, NULL)) return SSL_TLSEXT_ERR_ALERT_FATAL; } else if (*argi != 1) { return SSL_TLSEXT_ERR_ALERT_FATAL; @@ -1406,7 +1406,7 @@ static int test_tlsext_status_type(void) || !TEST_ptr(ids = sk_OCSP_RESPID_new_null()) || !TEST_ptr(ocspcert = PEM_read_bio_X509(certbio, NULL, NULL, NULL)) - || !TEST_true(OCSP_RESPID_set_by_key(id, ocspcert)) + || !TEST_true(OCSP_RESPID_set_by_key_ex(id, ocspcert, NULL, NULL)) || !TEST_true(sk_OCSP_RESPID_push(ids, id))) goto end; id = NULL; diff --git a/util/libcrypto.num b/util/libcrypto.num index ecc735cb94..6ff7179fc6 100644 --- a/util/libcrypto.num +++ b/util/libcrypto.num @@ -5001,3 +5001,5 @@ NCONF_new_with_libctx ? 3_0_0 EXIST::FUNCTION: CONF_modules_load_file_with_libctx ? 3_0_0 EXIST::FUNCTION: OPENSSL_CTX_load_config ? 3_0_0 EXIST::FUNCTION: EVP_PKEY_set_type_by_keymgmt ? 3_0_0 EXIST::FUNCTION: +OCSP_RESPID_set_by_key_ex ? 3_0_0 EXIST::FUNCTION:OCSP +OCSP_RESPID_match_ex ? 3_0_0 EXIST::FUNCTION:OCSP