BTW, the mem leak came up experimenting how to use the OSSL_STORE API as requested by @mattcaswell for the CMP contribution chunk 11: #11470 (comment)

It indicates that the OSSL_STORE API is not sufficiently tested. In fact, I can't find any tests for it.

It indicates that the OSSL_STORE API is not sufficiently tested. In fact, I can't find any tests for it.

There are lots of store tests in 90-test_store.t - but they all test via the command line store app rather than the API directly.

It indicates that the OSSL_STORE API is not sufficiently tested. In fact, I can't find any tests for it.

There are lots of store tests in 90-test_store.t - but they all test via the command line store app rather than the API directly.

Ah, right.
I've made sure that these tests can run also if DSA and/or EC key generation does not work
(BTW, I had to disable tests based on pbeWithMD5AndDES-CBC apparently due to deprecation)
and added -chain -CAfile cacert.pem to the openssl pkcs12 -export calls
such that memory leaks etc. are caught also in case they are due to a non-empty chain.

Currently I always see one Travis CI failure like this:

 No space left on device at ./Configure line 1722.

No space left on device at ./Configure line 1722.

I'm not convinced that my mem leak fixes solved this 😜

I've meanwhile adapted OSSL_STORE_close() such that it succeeds gracefully when given a NULL argument, like any free() function does.

Note that I also fixed some issues in the OSSL_STORE documentation.

Regarding OSSL_STORE_close() being a kind of free(), it's semantically closer to fclose(). What's the result of fclose(NULL)? 😉

Regarding OSSL_STORE_close() being a kind of free(), it's semantically closer to fclose(). What's the result of fclose(NULL)? wink

I know that the semantics of fclose(NULL) is officially undefined,
and I believe that this is purely for historical reasons,
IMHO it is preferrable to define the behavior in this case as no-op.
For OSSL_STORE_close() we have the chance to do better 😄

I've just done the same enhancements of OSSL_STORE_open.pod as in #11912.

For commit messages, I disagree with "Allow NULL argument (as with *_free()) to OSSL_STORE_close()". Please make it "Allow NULL argument to OSSL_STORE_close()".
My reasoning is that although OSSL_STORE_close() does free its argument, it's semantically closer to fclose(), the freeing part is just an implementation detail.

The commit message can be amended without a re-review or even during the merge.

Meanwhile I've added also $use_des and successfully tested various combinations of
negating $use_md5, $use_des, $use_dsa, and $use_ecc.

I also found that, due to the so far 'successful' skip of the tests in case their init failed,
the test cert generation using the rather new CA configuration file test/ca-and-certs.cnf
went wrong without being noticed by its author (apparently @richsalz in commit 4e6e57c).
I've corrected this as well and made sure that the tests fail if their init fails,
to prevent such obscure failure issues for the future.

@levitte wrote:

Will need re-review

Yes. Now the PR is ready for that.

For some reason Travis build is not getting executed.

For some reason Travis build is not getting executed.

I kicked it by closing and re-opening the PR, but this did not help.
Apparently a more general issue?

It looks like Travis just had a delay starting up. It's running again.

There was Travis failure, which pointed out that PKCS#12 generation is not possible in case no-des.
Fixup committed.

It turns out that there was another init failure in case no-des, which I've handled now.
@levitte, I meanwhile understand why when authoring 90-test_store.t you took the shortcut of simply letting the tests 'pass' (for void) if anything went wrong in init() 😉
which had the negative effect that several regressions went unnoticed.

I'm confident that now all relevant algorithm exclusion cases are finally sorted out and ask you to re-confirm your approval.

24 hours has passed since 'approval: done' was set, but as this PR has been updated in that time the label 'approval: ready to merge' is not being automatically set. Please review the updates and set the label manually.

Thanks @levitte for the swift re-review and re-confirmation.
I've just rebased and squashed the fixups (to be merged on Monday morning).

Merged - thanks!