cron2 has submitted this change. ( http://gerrit.openvpn.net/c/openvpn/+/742?usp=email )
Change subject: Do not stop reading from file/uri when OPENSSL_STORE_load() returns error
......................................................................
Do not stop reading from file/uri when OPENSSL_STORE_load() returns error
OPENSSL_STORE_load() can error and return NULL even when the file or URI still has readable objects left. Fix by iterating until OPENSSL_STORE_eof(). Also clear such errors to avoid misleading messages printed at the end by crypto_print_openssl_errors().
Change-Id: I2bfa9ffbd17d0599014d38b2a2fd319766cdb1e3
Signed-off-by: Selva Nair <selva.n...@gmail.com>
Acked-by: Arne Schwabe <arne-open...@rfc2549.org>
Message-Id: <20240911104941.19429-1-g...@greenie.muc.de>
URL: https://www.mail-archive.com/openvpn-devel@lists.sourceforge.net/msg29187.html
Signed-off-by: Gert Doering <g...@greenie.muc.de>
---
M src/openvpn/ssl_openssl.c
1 file changed, 42 insertions(+), 5 deletions(-)
diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c
index 0d845f4..5fd6572 100644
--- a/src/openvpn/ssl_openssl.c
+++ b/src/openvpn/ssl_openssl.c
@@ -813,6 +813,15 @@
 }
 return 0;
 }
+
+static void
+clear_ossl_store_error(OSSL_STORE_CTX *store_ctx)
+{
+ if (OSSL_STORE_error(store_ctx))
+ {
+ ERR_clear_error();
+ }
+}
 #endif /* defined(HAVE_OPENSSL_STORE_API) */
 
 /**
@@ -864,7 +873,19 @@
 {
 goto end;
 }
- info = OSSL_STORE_load(store_ctx);
+ while (1)
+ {
+ info = OSSL_STORE_load(store_ctx);
+ if (info || OSSL_STORE_eof(store_ctx))
+ {
+ break;
+ }
+ /* OPENSSL_STORE_load can return error and still have usable objects to follow.
+ * ref: man OPENSSL_STORE_open
+ * Clear error and recurse through the file if info = NULL and eof not reached
+ */
+ clear_ossl_store_error(store_ctx);
+ }
 if (!info)
 {
 goto end;
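Review bot: `clear_ossl_store_error()` should document that `ERR_clear_error()` discards the whole thread-local OpenSSL error queue, not only the error belonging to the failed `OSSL_STORE_load()`, so anything the caller had queued before that call is dropped as well. A header comment such as `/* Drop the thread's OpenSSL error queue after a failed OSSL_STORE_load() whose store has not reached EOF. Discards any errors queued earlier in the thread too. */` makes that trade-off visible to future callers. The function itself is complete within the hunk; `OSSL_STORE_error()` is used only as a gate and the queue is untouched when it reports no error.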
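Review bot: The `while (1)` loop has no exit when `OSSL_STORE_load()` keeps returning NULL without the store reaching EOF, because `clear_ossl_store_error()` only resets the queue and the loop retries; if a loader reports a non-EOF failure without advancing (inferred from the OpenSSL API, not visible here), a malformed key or certificate file would spin forever instead of failing. A bounded retry turns that into a reported error: keep a counter next to `info` and add `if (++load_errors > MAX_STORE_LOAD_ERRORS) { break; }` before the `clear_ossl_store_error()` call, with `MAX_STORE_LOAD_ERRORS` defined next to `clear_ossl_store_error()`; breaking before the clear leaves the last error queued so the existing `if (!info) goto end;` path reports it. The same shape recurs in `@@ -1099,7 +1120,19 @@` and in the `while (!OSSL_STORE_eof(store_ctx))` loop of `@@ -1120,9 +1153,14 @@`, and since the two `while (1)` bodies are identical a small `static OSSL_STORE_INFO *ossl_store_load_next(OSSL_STORE_CTX *store_ctx)` helper would hold the loop and the bound in one place. Also, `recurse through the file` in the comment should read `iterate through the file`; the enclosing functions start and end outside the hunk.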
@@ -1099,7 +1120,19 @@
 goto end;
 }
- info = OSSL_STORE_load(store_ctx);
+ while (1)
+ {
+ info = OSSL_STORE_load(store_ctx);
+ if (info || OSSL_STORE_eof(store_ctx))
+ {
+ break;
+ }
+ /* OPENSSL_STORE_load can return error and still have usable objects to follow.
+ * ref: man OPENSSL_STORE_open
+ * Clear error and recurse through the file if info = NULL and eof not reached.
+ */
+ clear_ossl_store_error(store_ctx);
+ }
 if (!info)
 {
 goto end;
@@ -1120,9 +1153,14 @@
 OSSL_STORE_INFO_free(info);
 
 /* iterate through the store and add extra certificates if any to the chain */
- info = OSSL_STORE_load(store_ctx);
- while (info && !OSSL_STORE_eof(store_ctx))
+ while (!OSSL_STORE_eof(store_ctx))
 {
+ info = OSSL_STORE_load(store_ctx);
+ if (!info)
+ {
+ clear_ossl_store_error(store_ctx);
+ continue;
+ }
 x = OSSL_STORE_INFO_get1_CERT(info);
 if (x && SSL_CTX_add_extra_chain_cert(tls_ctx->ctx, x) != 1)
 {
@@ -1131,7 +1169,6 @@
 break;
 }
 OSSL_STORE_INFO_free(info);
- info = OSSL_STORE_load(store_ctx);
 }
 
 end:
--
To view, visit http://gerrit.openvpn.net/c/openvpn/+/742?usp=email
To unsubscribe, or for help writing mail filters, visit http://gerrit.openvpn.net/settings
Gerrit-Project: openvpn
Gerrit-Branch: master
Gerrit-Change-Id: I2bfa9ffbd17d0599014d38b2a2fd319766cdb1e3
Gerrit-Change-Number: 742
Gerrit-PatchSet: 2
Gerrit-Owner: selvanair <selva.n...@gmail.com>
Gerrit-Reviewer: flichtenheld <fr...@lichtenheld.com>
Gerrit-Reviewer: plaisthos <arne-open...@rfc2549.org>
Gerrit-CC: openvpn-devel <openvpn-devel@lists.sourceforge.net>
Gerrit-MessageType: merged