From: Kenjiro Nakayama Subject: [PATCH] libressl: convert x509name test to internal validation To: tech@openbsd.org Cc: Kenjiro Nakayama Date: Sun, 4 May 2025 17:37:16 +0900 The x509name test previously verified output by diffing against x509name.expected. However, the portable repository currently lacks a script in tests/ to run this test, so it always passes without actually checking anything. While adding such a script to portable would be possible, this change replaces the test with internal validation that verifies both the printed X509_NAME string and the RDN set numbers for each entry, making the test self-contained and portable. Remove the need for x509name.expected and simplify the Makefile. --- src/regress/lib/libcrypto/x509/Makefile | 6 +- src/regress/lib/libcrypto/x509/x509name.c | 106 +++++++++++++----- .../lib/libcrypto/x509/x509name.expected | 3 - 3 files changed, 80 insertions(+), 35 deletions(-) delete mode 100644 src/regress/lib/libcrypto/x509/x509name.expected diff --git a/src/regress/lib/libcrypto/x509/Makefile b/src/regress/lib/libcrypto/x509/Makefile index 19e65ef..c90c992 100644 --- a/src/regress/lib/libcrypto/x509/Makefile +++ b/src/regress/lib/libcrypto/x509/Makefile @@ -16,7 +16,7 @@ CFLAGS += -I${.CURDIR}/../../../../lib/libcrypto/bytestring SUBDIR += bettertls policy rfc3779 -CLEANFILES += x509name.result callback.out +CLEANFILES += callback.out .if make(clean) || make(cleandir) . if ${.OBJDIR} != ${.CURDIR} @@ -29,10 +29,6 @@ run-regress-verify: verify perl ${.CURDIR}/make-dir-roots.pl ${.CURDIR}/../certs . ./verify ${.CURDIR}/../certs -run-regress-x509name: x509name - ./x509name > x509name.result - diff -u ${.CURDIR}/x509name.expected x509name.result - run-regress-callback: callback ./callback ${.CURDIR}/../certs perl ${.CURDIR}/callback.pl callback.out diff --git a/src/regress/lib/libcrypto/x509/x509name.c b/src/regress/lib/libcrypto/x509/x509name.c index 9deeeb2..2f3d4e4 100644 --- a/src/regress/lib/libcrypto/x509/x509name.c 
+++ b/src/regress/lib/libcrypto/x509/x509name.c 
@@ -17,46 +17,98 @@ #include #include +#include #include -static void debug_print(X509_NAME *); +#define BUF_SIZE 256 -static void -debug_print(X509_NAME *name) +static const char *expected_outputs[] = { + "ST=BaWue, O=KIT", + "ST=BaWue, L=Karlsruhe, O=KIT", + "C=DE + ST=BaWue, L=Karlsruhe, O=KIT" +}; + +static const int expected_sets[][4] = { + { 0, 1 }, + { 0, 1, 2 }, + { 0, 0, 1, 2 } +}; + +static int +check_state(X509_NAME *name, const char *expected_str, const int *expected_set, int count) { - int loc; - - for (loc = 0; loc < X509_NAME_entry_count(name); loc++) - printf("%d:", - X509_NAME_ENTRY_set(X509_NAME_get_entry(name, loc))); - putchar(' '); - X509_NAME_print_ex_fp(stdout, name, 0, XN_FLAG_SEP_CPLUS_SPC); - putchar('\n'); + BIO *bio = BIO_new(BIO_s_mem()); + char buf[BUF_SIZE]; + int len; + int failed = 1; + + if (bio == NULL) + return 1; + + if (X509_NAME_print_ex(bio, name, 0, XN_FLAG_SEP_CPLUS_SPC) < 0) + goto fail; + + len = BIO_read(bio, buf, sizeof(buf) - 1); + if (len <= 0 || len >= BUF_SIZE) + goto fail; + + buf[len] = '\0'; + + if (strcmp(buf, expected_str) != 0) + goto fail; + + for (int loc = 0; loc < X509_NAME_entry_count(name); loc++) { + X509_NAME_ENTRY *e = X509_NAME_get_entry(name, loc); + if (e == NULL || X509_NAME_ENTRY_set(e) != expected_set[loc]) + goto fail; + } + + failed = 0; +fail: + BIO_free(bio); + return failed; } -int -main(void) +static int +test_x509_name(void) { - X509_NAME *name; + X509_NAME *name = NULL; + int failed = 1; if ((name = X509_NAME_new()) == NULL) - err(1, NULL); - X509_NAME_add_entry_by_txt(name, "ST", MBSTRING_ASC, - "BaWue", -1, -1, 0); - X509_NAME_add_entry_by_txt(name, "O", MBSTRING_ASC, - "KIT", -1, -1, 0); - debug_print(name); + return 1; + + if (!X509_NAME_add_entry_by_txt(name, "ST", MBSTRING_ASC, + (const unsigned char *)"BaWue", -1, -1, 0)) + goto done; + if (!X509_NAME_add_entry_by_txt(name, "O", MBSTRING_ASC, + (const unsigned char *)"KIT", -1, -1, 0)) + goto done; + if (check_state(name, 
expected_outputs[0], expected_sets[0], 2)) + goto done; + + if (!X509_NAME_add_entry_by_txt(name, "L", MBSTRING_ASC, + (const unsigned char *)"Karlsruhe", -1, 1, 0)) + goto done; + if (check_state(name, expected_outputs[1], expected_sets[1], 3)) + goto done; - X509_NAME_add_entry_by_txt(name, "L", MBSTRING_ASC, - "Karlsruhe", -1, 1, 0); - debug_print(name); + if (!X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC, + (const unsigned char *)"DE", -1, 0, 1)) + goto done; + if (check_state(name, expected_outputs[2], expected_sets[2], 4)) + goto done; - X509_NAME_add_entry_by_txt(name, "C", MBSTRING_ASC, - "DE", -1, 0, 1); - debug_print(name); + failed = 0; +done: X509_NAME_free(name); + return failed; +} - return 0; +int +main(void) +{ + return test_x509_name(); } diff --git a/src/regress/lib/libcrypto/x509/x509name.expected b/src/regress/lib/libcrypto/x509/x509name.expected deleted file mode 100644 index 6cee7cc..0000000 --- a/src/regress/lib/libcrypto/x509/x509name.expected +++ /dev/null @@ -1,3 +0,0 @@ -0:1: ST=BaWue, O=KIT -0:1:2: ST=BaWue, L=Karlsruhe, O=KIT -0:0:1:2: C=DE + ST=BaWue, L=Karlsruhe, O=KIT -- 2.39.5 (Apple Git-154)
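Review bot: `check_state()` accepts `count` but never uses it: the set-number loop runs to `X509_NAME_entry_count(name)` and indexes `expected_set[loc]`, so the bound comes from the object under test, not from the expectation. If the name ever held more than the four entries a row of `expected_sets` provides, the loop would read past that row, and a name with fewer entries than expected would leave the trailing set numbers unchecked (the `strcmp` would probably catch that case first, but the set check should not rely on it). Adding `if (X509_NAME_entry_count(name) != count) goto fail;` just before the loop closes both cases. Separately, every failure path in `check_state()` and `test_x509_name()` returns 1 without printing anything, so a failing regress run does not show which step broke; printing the expected and actual strings to stderr where the `strcmp` fails, and the mismatching `loc` in the loop, would make failures diagnosable.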