From: Selva Nair <selva.n...@gmail.com> OPENSSL_STORE_load() can error and return NULL even when the file or URI still has readable objects left.
Fix by iterating until OPENSSL_STORE_eof(). Also clear such errors to avoid misleading messages printed at the end by crypto_print_openssl_errors().
Change-Id: I2bfa9ffbd17d0599014d38b2a2fd319766cdb1e3
Signed-off-by: Selva Nair <selva.n...@gmail.com>
Acked-by: Arne Schwabe <arne-open...@rfc2549.org>
---
This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master.
Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/742
This mail reflects revision 1 of this Change.
Acked-by according to Gerrit (reflected above): Arne Schwabe <arne-open...@rfc2549.org>
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 0d845f4..5fd6572 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -813,6 +813,15 @@
}
return 0;
}
+
+static void
+clear_ossl_store_error(OSSL_STORE_CTX *store_ctx)
+{
+ if (OSSL_STORE_error(store_ctx))
+ {
+ ERR_clear_error();
+ }
+}
#endif /* defined(HAVE_OPENSSL_STORE_API) */
/**
@@ -864,7 +873,19 @@
{
goto end;
}
- info = OSSL_STORE_load(store_ctx);
+ while (1)
+ {
+ info = OSSL_STORE_load(store_ctx);
+ if (info || OSSL_STORE_eof(store_ctx))
+ {
+ break;
+ }
+ /* OPENSSL_STORE_load can return error and still have usable objects to follow.
+ * ref: man OPENSSL_STORE_open
+ * Clear error and recurse through the file if info = NULL and eof not reached
+ */
+ clear_ossl_store_error(store_ctx);
+ }
if (!info)
{
goto end;
@@ -1099,7 +1120,19 @@
goto end;
}
- info = OSSL_STORE_load(store_ctx);
+ while (1)
+ {
+ info = OSSL_STORE_load(store_ctx);
+ if (info || OSSL_STORE_eof(store_ctx))
+ {
+ break;
+ }
+ /* OPENSSL_STORE_load can return error and still have usable objects to follow.
+ * ref: man OPENSSL_STORE_open
+ * Clear error and recurse through the file if info = NULL and eof not reached.
+ */
+ clear_ossl_store_error(store_ctx);
+ }
if (!info)
{
goto end;
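Review bot: `clear_ossl_store_error()` carries no comment explaining why the queue is discarded, and `ERR_clear_error()` empties the whole thread's error queue, so any entry queued before the failed `OSSL_STORE_load()` by an earlier OpenSSL call on the same path is lost together with the store error. A header comment such as `/* Drop errors left by a failed OSSL_STORE_load() so that the remaining objects can still be loaded and crypto_print_openssl_errors() does not report an already-handled failure. */` would document that trade-off for the next reader. If earlier diagnostics are worth keeping, the queued error could be logged at debug level before being cleared instead of dropped silently.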
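Review bot: The `while (1)` retry loop in the @@ -864 hunk has no exit for a load that keeps returning NULL without reaching EOF; if a loader ever does that (I cannot rule it out across the OpenSSL versions OpenVPN supports), the loop spins on the same failed object. Breaking when no error was reported bounds it without changing the normal path, and is a no-op if OpenSSL guarantees that a NULL before EOF always comes with `OSSL_STORE_error()` set: `if (info || OSSL_STORE_eof(store_ctx) || !OSSL_STORE_error(store_ctx)) { break; }`. The same loop appears in the @@ -1099 hunk and, with `continue`, in the @@ -1120 hunk in the next part of the patch. Separately, the comment in both hunks says "recurse through the file" and names `OPENSSL_STORE_load`/`OPENSSL_STORE_open`, while the code iterates and calls `OSSL_STORE_load()`; "iterate" and the real function names would avoid confusion when grepping.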
@@ -1120,9 +1153,14 @@
OSSL_STORE_INFO_free(info);
/* iterate through the store and add extra certificates if any to the chain */
- info = OSSL_STORE_load(store_ctx);
- while (info && !OSSL_STORE_eof(store_ctx))
+ while (!OSSL_STORE_eof(store_ctx))
{
+ info = OSSL_STORE_load(store_ctx);
+ if (!info)
+ {
+ clear_ossl_store_error(store_ctx);
+ continue;
+ }
x = OSSL_STORE_INFO_get1_CERT(info);
if (x && SSL_CTX_add_extra_chain_cert(tls_ctx->ctx, x) != 1)
{
@@ -1131,7 +1169,6 @@
break;
}
OSSL_STORE_INFO_free(info);
- info = OSSL_STORE_load(store_ctx);
}
end:
_______________________________________________
Openvpn-devel mailing list
Openvpn-devel@lists.sourceforge.net
https://lists.sourceforge.net/lists/listinfo/openvpn-devel
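Review bot: `OSSL_STORE_INFO_get1_CERT(info)` is still called on every object that follows the leaf certificate, and for a non-certificate object (a private key kept in the same file is the common case) it returns NULL and, as far as I recall, queues an OSSL_STORE error that nothing in this loop clears, so crypto_print_openssl_errors() can still print a misleading message at the end — the very situation the commit sets out to fix. Checking the type first avoids the error entirely while keeping the existing `if (x && ...)` flow: `x = (OSSL_STORE_INFO_get_type(info) == OSSL_STORE_INFO_CERT) ? OSSL_STORE_INFO_get1_CERT(info) : NULL;`. The loop body continues into the @@ -1131 hunk, where `info` is freed and the loop closes.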