From patchwork Wed Sep 11 03:19:07 2024 Content-Type: text/plain; charset="utf-8" MIME-Version: 1.0 Content-Transfer-Encoding: 7bit X-Patchwork-Submitter: "ralf_lici (Code Review)" X-Patchwork-Id: 3822 Return-Path: Delivered-To: patchwork@openvpn.net Received: by 2002:a05:7000:6bd4:b0:5b9:581e:f939 with SMTP id c20csp2456606max; Tue, 10 Sep 2024 20:19:35 -0700 (PDT) X-Forwarded-Encrypted: i=2; AJvYcCWT+A0kQRK14tVAK+EwkP0gIaTVeCMkII0fUhwTe5tCJK88EmN7YKWdMTr0iRQpB4OVGSBtfPkEqB4=@openvpn.net X-Google-Smtp-Source: AGHT+IGqW7qXqRa2LnEIfRLHZmU/WIy5gTmedJxCdRvlSR98WZlcfWWCWBHZaaW7W5nyk9QCRuxM X-Received: by 2002:a92:190b:0:b0:39d:3c87:1435 with SMTP id e9e14a558f8ab-3a074bf2326mr10793415ab.1.1726024775410; Tue, 10 Sep 2024 20:19:35 -0700 (PDT) ARC-Seal: i=1; a=rsa-sha256; t=1726024775; cv=none; d=google.com; s=arc-20240605; b=FfLIpbfAboHxInunt17AG+Mn4RKGXje4d5ddaxMKMZzWjIKwaz81PtOzA/HUMLuNBY mzexC68uRTAVJ622wgaaxXySlOc1XvAc0lSb/Yu2CNosX2ldA6Xi1W44IxRJScoRsgBj ClCblDLRCSO/+aMQs8bzKlgPpZU3NafED7ZeUhF/dZFQWKbl/NZA/iEt00o3m7dwK05E BY/OQ6GtmTmLQ5j/6bTOlVS6IdRcvAVk/I6FljwJhJuNCgLh5qbT6WFwjTJmrw2ulkLe PyPTq5ljF4Zn+O+AxZOehN+jp/XzT6ugo2yWI8WQychT1O2st6iwMud+BSGBhWj615oq OK8Q== ARC-Message-Signature: i=1; a=rsa-sha256; c=relaxed/relaxed; d=google.com; s=arc-20240605; h=errors-to:cc:reply-to:list-subscribe:list-help:list-post :list-archive:list-unsubscribe:list-id:precedence:subject:user-agent :mime-version:message-id:references:auto-submitted:to:date:from :dkim-signature:dkim-signature:dkim-signature; bh=zpa5okHKjFeRtRf9vGgZksbLPwelR6xBKRLaccivHYU=; fh=U7wEyxtwz2o5+UdevFSA47vNeG9knhWH0KV//QhD5a0=; b=ArRGbP4w6YpHSOfRcSwxe2CVr/KOm0m9acMoahIXr5X0TgiSZjyvli5tDpT2UNZJiT C5TUuhMk0rZAT4odtP6+aKr87SOh2K03lchiuLoc+6zhiAXAiuH02wwHn5U/nPxP5/Y9 zBkQ/4i3BW3XOCam+zlRsARwztrhn6MV0cfVf3isj78int4ypGY5wQ5WLytqChj3i/9C sEVkYCAyHwc2B5Rc+hMx8S5r3m6jXJMOJ/AdpTCWg1EZzLkbUtTbgPup0RkmaBlrw+La EJ7QOhLengssVQGpK8Lf8ZH3POdTm1M14iie149cWOFoklegShJnSrJ/ILnx3i7aYoLJ hJGw==; dara=google.com ARC-Authentication-Results: i=1; mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=at0xuHGA; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=hk9SBwzS; dkim=neutral (body hash did not verify) header.i=@openvpn.net header.s=google header.b=JAVvTDcI; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=openvpn.net; dara=fail header.i=@openvpn.net Received: from lists.sourceforge.net (lists.sourceforge.net. [216.105.38.7]) by mx.google.com with ESMTPS id 8926c6da1cb9f-4d09465303esi4027348173.171.2024.09.10.20.19.35 (version=TLS1_2 cipher=ECDHE-ECDSA-AES128-GCM-SHA256 bits=128/128); Tue, 10 Sep 2024 20:19:35 -0700 (PDT) Received-SPF: pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) client-ip=216.105.38.7; Authentication-Results: mx.google.com; dkim=neutral (body hash did not verify) header.i=@sourceforge.net header.s=x header.b=at0xuHGA; dkim=neutral (body hash did not verify) header.i=@sf.net header.s=x header.b=hk9SBwzS; dkim=neutral (body hash did not verify) header.i=@openvpn.net header.s=google header.b=JAVvTDcI; spf=pass (google.com: domain of openvpn-devel-bounces@lists.sourceforge.net designates 216.105.38.7 as permitted sender) smtp.mailfrom=openvpn-devel-bounces@lists.sourceforge.net; dmarc=fail (p=NONE sp=NONE dis=NONE) header.from=openvpn.net; dara=fail header.i=@openvpn.net Received: from [127.0.0.1] (helo=sfs-ml-3.v29.lw.sourceforge.com) by sfs-ml-3.v29.lw.sourceforge.com with esmtp (Exim 4.95) (envelope-from ) id 1soDt5-0001Hf-Jf; Wed, 11 Sep 2024 03:19:23 +0000 Received: from [172.30.29.66] (helo=mx.sourceforge.net) by sfs-ml-3.v29.lw.sourceforge.com with esmtps (TLS1.2) tls TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384 (Exim 4.95) (envelope-from ) id 1soDt3-0001HX-Nu for openvpn-devel@lists.sourceforge.net; Wed, 11 Sep 2024 03:19:21 +0000 DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sourceforge.net; s=x; h=Content-Type:Content-Transfer-Encoding:MIME-Version :Message-ID:Reply-To:References:Subject:List-Unsubscribe:List-Id:Cc:To:Date: From:Sender:Content-ID:Content-Description:Resent-Date:Resent-From: Resent-Sender:Resent-To:Resent-Cc:Resent-Message-ID:In-Reply-To:List-Help: List-Subscribe:List-Post:List-Owner:List-Archive; bh=Btbj6YTfS5S8mhbJdVihwJnonGxpuIO/1dJvF1TXCDw=; b=at0xuHGAx4MZHNk3xqHYq7lxga vWabReohm4gnnBjIoe6bipECt8+VD2OCecBgcnMbVeZGqU5W3ECqrpwTZTx3hC29ntepWmnq/dDCP d0s+FfixVYg0U+6HfFU4UzVPNNz3cVgGNSmJACiLZIc9xDiVwECz+NX+d4cPADBSsGFQ=; DKIM-Signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=sf.net; s=x ; h=Content-Type:Content-Transfer-Encoding:MIME-Version:Message-ID:Reply-To: References:Subject:List-Unsubscribe:List-Id:Cc:To:Date:From:Sender:Content-ID :Content-Description:Resent-Date:Resent-From:Resent-Sender:Resent-To: Resent-Cc:Resent-Message-ID:In-Reply-To:List-Help:List-Subscribe:List-Post: List-Owner:List-Archive; bh=Btbj6YTfS5S8mhbJdVihwJnonGxpuIO/1dJvF1TXCDw=; b=h k9SBwzSba+kfA//rqMa2grDKPzlMOwGElUTnoTw1ILpj1am0E3fGD++8oddrs8WFBNI8D/y2ylVhW 8/bKZsJ00t4Y/EiKpT9OpyFKARjv/bSudhDPGeVSgs33siPWYOLJ5mpwGt2IEKI80qBSjtahRrA7N NnerRinWlzOge8NQ=; Received: from mail-wr1-f53.google.com ([209.85.221.53]) by sfi-mx-2.v28.lw.sourceforge.com with esmtps (TLS1.2:ECDHE-RSA-AES128-GCM-SHA256:128) (Exim 4.95) id 1soDt2-0007gi-3g for openvpn-devel@lists.sourceforge.net; Wed, 11 Sep 2024 03:19:21 +0000 Received: by mail-wr1-f53.google.com with SMTP id ffacd0b85a97d-374c1963cb6so3955407f8f.3 for ; Tue, 10 Sep 2024 20:19:20 -0700 (PDT) DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=openvpn.net; s=google; t=1726024748; x=1726629548; darn=lists.sourceforge.net; h=user-agent:content-disposition:content-transfer-encoding :mime-version:message-id:reply-to:references:subject :list-unsubscribe:list-id:auto-submitted:cc:to:date:from:from:to:cc :subject:date:message-id:reply-to; bh=Btbj6YTfS5S8mhbJdVihwJnonGxpuIO/1dJvF1TXCDw=; b=JAVvTDcIA9OTqDoukwmoKcFcetRzDy3Fvk/T99AIPE5NDnFZlgG1gCIqgL2YNuFsi8 VfIEk8qnaFB8R5uvhrKrNirHKHQ8FkiSxN27Do++I9BsihEOVERZCpYKRFPJwAve03B1 uKsxkjiubif9ob3qJYPyqw8xbLEOF7qODy3iRCIjPkolmKDrAxzj5JN4+qNLwo+nur4t hWILLb0y1+rLQ28adKHi/9skHhGAP3mn+T52XjDJDNxN9NarufLokB0tMClzmsVDbPGh Fg/Dy/u3TRHhSPXyGCRVXhB3JRXLxIjwk6WSaQoCt1Qvjn5zPe/Y3pWxVsqVA1g+DDcz /A3A== X-Google-DKIM-Signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=1e100.net; s=20230601; t=1726024748; x=1726629548; h=user-agent:content-disposition:content-transfer-encoding :mime-version:message-id:reply-to:references:subject :list-unsubscribe:list-id:auto-submitted:cc:to:date:from :x-gm-message-state:from:to:cc:subject:date:message-id:reply-to; bh=Btbj6YTfS5S8mhbJdVihwJnonGxpuIO/1dJvF1TXCDw=; b=A+7itEfO7T0+URU9+iXNujSjdoDSOIwOASQjdmZtuS+XbeOcpTaDV3gzjbGDDfeRwm FoDlE6MBQLYp4QPnecq0EOZ792iAikZ2mKBnsSKgtF+pH3QAUMupzLwPcTDsQqnZqAZN XHifEEP0XTAHuMOyfAg2p3Dkq8buS6qEs/kbvYC2qCPd70Kv7i4fOwcLgUJj2bAV2SnV oen/yplxLDX/HLm4J4rx8Mg0+Be5+eEP+0/HCLXKiKEkzWf935d1+mhCay9InbaQg6K+ t4yRrKWv5AArTsmY6rpLcCPfLOySVy8H2DQYooNPlOHHE88LWU31fkK/jIHLaugT4d/G WsLA== X-Gm-Message-State: AOJu0YzjJECqPysJocEAidA4J4HzCvUFl5UZD2YCv/cPjKyNaEX4ZzE7 17LEhoE6WIkR6/b7+T1T4vCpqeR2GlZvuFz1B3uW+0BGzTXu9ARhRlymmJ1W1ZI= X-Received: by 2002:adf:fac4:0:b0:374:c287:2af9 with SMTP id ffacd0b85a97d-3788967a59dmr9724511f8f.46.1726024748470; Tue, 10 Sep 2024 20:19:08 -0700 (PDT) Received: from gerrit.openvpn.in (ec2-18-159-0-78.eu-central-1.compute.amazonaws.com. [18.159.0.78]) by smtp.gmail.com with ESMTPSA id ffacd0b85a97d-3789564a195sm10237019f8f.19.2024.09.10.20.19.07 (version=TLS1_3 cipher=TLS_AES_256_GCM_SHA384 bits=256/256); Tue, 10 Sep 2024 20:19:08 -0700 (PDT) From: "selvanair (Code Review)" X-Google-Original-From: "selvanair (Code Review)" X-Gerrit-PatchSet: 1 Date: Wed, 11 Sep 2024 03:19:07 +0000 To: plaisthos , flichtenheld Auto-Submitted: auto-generated X-Gerrit-MessageType: newchange X-Gerrit-Change-Id: I2bfa9ffbd17d0599014d38b2a2fd319766cdb1e3 X-Gerrit-Change-Number: 742 X-Gerrit-Project: openvpn X-Gerrit-ChangeURL: X-Gerrit-Commit: eeb93301c28e49b1394abd39f1f252dbd48a0d9c References: Message-ID: <3ba839f6d29460d1c132a0beee5f11cfaa93aac8-HTML@gerrit.openvpn.net> MIME-Version: 1.0 User-Agent: Gerrit/3.8.2 X-Spam-Score: -0.2 (/) X-Spam-Report: Spam detection software, running on the system "util-spamd-1.v13.lw.sourceforge.com", has NOT identified this incoming email as spam. The original message has been attached to this so you can view it or label similar future email. If you have any questions, see the administrator of that system for details. Content preview: Attention is currently required from: flichtenheld, plaisthos. Hello plaisthos, flichtenheld, I'd like you to do a code review. Please visit Content analysis details: (-0.2 points, 6.0 required) pts rule name description ---- ---------------------- -------------------------------------------------- -0.0 RCVD_IN_DNSWL_NONE RBL: Sender listed at https://www.dnswl.org/, no trust [209.85.221.53 listed in list.dnswl.org] -0.0 RCVD_IN_MSPIKE_H2 RBL: Average reputation (+2) [209.85.221.53 listed in wl.mailspike.net] -0.0 SPF_PASS SPF: sender matches SPF record 0.0 SPF_HELO_NONE SPF: HELO does not publish an SPF Record 0.0 WEIRD_PORT URI: Uses non-standard port number for HTTP 0.0 HTML_MESSAGE BODY: HTML included in message -0.1 DKIM_VALID_AU Message has a valid DKIM or DK signature from author's domain -0.1 DKIM_VALID_EF Message has a valid DKIM or DK signature from envelope-from domain 0.1 DKIM_SIGNED Message has a DKIM or DK signature, not necessarily valid -0.1 DKIM_VALID Message has at least one valid DKIM or DK signature 0.0 T_KAM_HTML_FONT_INVALID Test for Invalidly Named or Formatted Colors in HTML X-Headers-End: 1soDt2-0007gi-3g Subject: [Openvpn-devel] [S] Change in openvpn[master]: Do not stop reading from file/uri when OPENSSL_STORE_load() returns e... X-BeenThere: openvpn-devel@lists.sourceforge.net X-Mailman-Version: 2.1.21 Precedence: list List-Id: List-Unsubscribe: , List-Archive: List-Post: List-Help: List-Subscribe: , Reply-To: selva.nair@gmail.com, arne-openvpn@rfc2549.org, openvpn-devel@lists.sourceforge.net, frank@lichtenheld.com Cc: openvpn-devel Errors-To: openvpn-devel-bounces@lists.sourceforge.net X-getmail-retrieved-from-mailbox: Inbox X-GMAIL-THRID: =?utf-8?q?1809868154672211486?= X-GMAIL-MSGID: =?utf-8?q?1809868154672211486?= X-getmail-filter-classifier: gerrit message type newchange Attention is currently required from: flichtenheld, plaisthos. Hello plaisthos, flichtenheld, I'd like you to do a code review. Please visit http://gerrit.openvpn.net/c/openvpn/+/742?usp=email to review the following change. Change subject: Do not stop reading from file/uri when OPENSSL_STORE_load() returns error ...................................................................... Do not stop reading from file/uri when OPENSSL_STORE_load() returns error OPENSSL_STORE_load() can error and return NULL even when the file or URI still has readable objects left. Fix by iterating until OPENSSL_STORE_eof(). Also clear such errors to avoid misleading messages printed at the end by crypto_print_openssl_errors(). Change-Id: I2bfa9ffbd17d0599014d38b2a2fd319766cdb1e3 Signed-off-by: Selva Nair --- M src/openvpn/ssl_openssl.c 1 file changed, 42 insertions(+), 5 deletions(-) git pull ssh://gerrit.openvpn.net:29418/openvpn refs/changes/42/742/1 diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 0d845f4..5fd6572 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -813,6 +813,15 @@ } return 0; } + +static void +clear_ossl_store_error(OSSL_STORE_CTX *store_ctx) +{ + if (OSSL_STORE_error(store_ctx)) + { + ERR_clear_error(); + } +} #endif /* defined(HAVE_OPENSSL_STORE_API) */ /** @@ -864,7 +873,19 @@ { goto end; } - info = OSSL_STORE_load(store_ctx); + while (1) + { + info = OSSL_STORE_load(store_ctx); + if (info || OSSL_STORE_eof(store_ctx)) + { + break; + } + /* OPENSSL_STORE_load can return error and still have usable objects to follow. + * ref: man OPENSSL_STORE_open + * Clear error and recurse through the file if info = NULL and eof not reached + */ + clear_ossl_store_error(store_ctx); + } if (!info) { goto end; @@ -1099,7 +1120,19 @@ goto end; } - info = OSSL_STORE_load(store_ctx); + while (1) + { + info = OSSL_STORE_load(store_ctx); + if (info || OSSL_STORE_eof(store_ctx)) + { + break; + } + /* OPENSSL_STORE_load can return error and still have usable objects to follow. + * ref: man OPENSSL_STORE_open + * Clear error and recurse through the file if info = NULL and eof not reached. + */ + clear_ossl_store_error(store_ctx); + } if (!info) { goto end; @@ -1120,9 +1153,14 @@ OSSL_STORE_INFO_free(info); /* iterate through the store and add extra certificates if any to the chain */ - info = OSSL_STORE_load(store_ctx); - while (info && !OSSL_STORE_eof(store_ctx)) + while (!OSSL_STORE_eof(store_ctx)) { + info = OSSL_STORE_load(store_ctx); + if (!info) + { + clear_ossl_store_error(store_ctx); + continue; + } x = OSSL_STORE_INFO_get1_CERT(info); if (x && SSL_CTX_add_extra_chain_cert(tls_ctx->ctx, x) != 1) { @@ -1131,7 +1169,6 @@ break; } OSSL_STORE_INFO_free(info); - info = OSSL_STORE_load(store_ctx); } end: