authorRich Salz <rsalz@openssl.org>2017-04-20 15:33:42 -0400
committerRich Salz <rsalz@openssl.org>2017-04-20 15:33:42 -0400
commitc0452248ea1a59a41023a4765ef7d9825e80a62b (patch)
treeacf05d2312af49b5cc0b60f9ba38a720458fac3c /test
parent0444c52a5ff3c2c09f8d7f0f5b464e10231de032 (diff)
Ignore dups in X509_STORE_add_*
X509_STORE_add_cert and X509_STORE_add_crl are changed to return success if the object to be added was already found in the store, rather than returning an error. Raise errors if empty or malformed files are read when loading certificates and CRLs. Remove NULL checks and allow a segv to occur. Add error handling for all calls to X509_STORE_add_c{ert|rl}. Refactor these two routines into one. Bring the unit test for duplicate certificates up to date using the test framework. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2830)
Diffstat (limited to 'test')
-rw-r--r--test/build.info6
-rw-r--r--test/recipes/60-test_x509_dup_cert.t19
-rw-r--r--test/x509_dup_cert_test.c47
3 files changed, 71 insertions, 1 deletions
diff --git a/test/build.info b/test/build.info
index 4525362a08..4bfa6f4f20 100644
--- a/test/build.info
+++ b/test/build.info
@@ -29,7 +29,7 @@ IF[{- !$disabled{tests} -}]
ssl_test_ctx_test ssl_test x509aux cipherlist_test asynciotest \
bioprinttest sslapitest dtlstest sslcorrupttest bio_enc_test \
pkey_meth_test uitest cipherbytes_test asn1_encode_test \
- x509_time_test recordlentest
+ x509_time_test x509_dup_cert_test recordlentest
SOURCE[aborttest]=aborttest.c
INCLUDE[aborttest]=../include
@@ -296,6 +296,10 @@ IF[{- !$disabled{tests} -}]
INCLUDE[recordlentest]=../include .
DEPEND[recordlentest]=../libcrypto ../libssl
+ SOURCE[x509_dup_cert_test]=x509_dup_cert_test.c testutil.c test_main_custom.c
+ INCLUDE[x509_dup_cert_test]=../include
+ DEPEND[x509_dup_cert_test]=../libcrypto
+
IF[{- !$disabled{psk} -}]
PROGRAMS_NO_INST=dtls_mtu_test
SOURCE[dtls_mtu_test]=dtls_mtu_test.c ssltestlib.c
diff --git a/test/recipes/60-test_x509_dup_cert.t b/test/recipes/60-test_x509_dup_cert.t
new file mode 100644
index 0000000000..7588d8dbb7
--- /dev/null
+++ b/test/recipes/60-test_x509_dup_cert.t
@@ -0,0 +1,19 @@
+#! /usr/bin/env perl
+# Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License"). You may not use
+# this file except in compliance with the License. You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+#
+# ======================================================================
+# Copyright (c) 2017 Oracle and/or its affiliates. All rights reserved.
+
+
+use OpenSSL::Test qw/:DEFAULT srctop_file/;
+
+setup("test_x509_dup_cert");
+
+plan tests => 1;
+
+ok(run(test(["x509_dup_cert_test", srctop_file("test", "certs", "leaf.pem")])));
diff --git a/test/x509_dup_cert_test.c b/test/x509_dup_cert_test.c
new file mode 100644
index 0000000000..05899aaa56
--- /dev/null
+++ b/test/x509_dup_cert_test.c
@@ -0,0 +1,47 @@
+/*
+ * Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
+ *
+ * Licensed under the OpenSSL license (the "License"). You may not use
+ * this file except in compliance with the License. You can obtain a copy
+ * in the file LICENSE in the source distribution or at
+ * https://www.openssl.org/source/license.html
+ */
+
+/* ====================================================================
+ * Copyright (c) 2017 Oracle and/or its affiliates. All rights reserved.
+ */
+
+#include <stdio.h>
+#include <openssl/err.h>
+#include <openssl/x509_vfy.h>
+
+#include "test_main_custom.h"
+#include "testutil.h"
+
+static int test_509_dup_cert(const char *cert_f)
+{
+ int ret = 0;
+ X509_STORE_CTX *sctx = NULL;
+ X509_STORE *store = NULL;
+ X509_LOOKUP *lookup = NULL;
+
+ if (TEST_ptr(store = X509_STORE_new())
+ && TEST_ptr(lookup = X509_STORE_add_lookup(store, X509_LOOKUP_file()))
+ && TEST_true(X509_load_cert_file(lookup, cert_f, X509_FILETYPE_PEM))
+ && TEST_true(X509_load_cert_file(lookup, cert_f, X509_FILETYPE_PEM)))
+ ret = 1;
+
+ X509_STORE_CTX_free(sctx);
+ X509_STORE_free(store);
+ return ret;
+}
+
+int test_main(int argc, char **argv)
+{
+ if (!TEST_int_eq(argc, 2)) {
+ TEST_info("usage: x509_dup_cert_test cert.pem");
+ return 1;
+ }
+
+ return !test_509_dup_cert(argv[1]);
+}
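Review bot: The test in `test_509_dup_cert` asserts only that the second `X509_load_cert_file` call returns non-zero, so it would still pass if the duplicate were inserted into the store a second time instead of being ignored. Adding a count check after the second load, for example `&& TEST_int_eq(sk_X509_OBJECT_num(X509_STORE_get0_objects(store)), 1)`, would pin the de-duplication itself; this assumes leaf.pem holds a single certificate, which the hunk does not show. The commit message also mentions raising errors for empty or malformed files, and nothing visible here exercises that path with a negative case. Separately, `sctx` is initialised to NULL, never assigned, and then passed to `X509_STORE_CTX_free`; the variable and the free call can be dropped.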