From patchwork Wed Sep 11 10:49:41 2024
X-Patchwork-Submitter: Gert Doering
X-Patchwork-Id: 3823
From: Gert Doering
To: openvpn-devel@lists.sourceforge.net
Date: Wed, 11 Sep 2024 12:49:41 +0200
Message-ID: <20240911104941.19429-1-gert@greenie.muc.de>
X-Mailer: git-send-email 2.44.2
Subject: [Openvpn-devel] [PATCH v1] Do not stop reading from file/uri when OPENSSL_STORE_load() returns error

From: Selva Nair

OPENSSL_STORE_load() can error and return NULL even when the file or URI still has readable objects left. Fix by iterating until OPENSSL_STORE_eof(). Also clear such errors to avoid misleading messages printed at the end by crypto_print_openssl_errors().

Change-Id: I2bfa9ffbd17d0599014d38b2a2fd319766cdb1e3
Signed-off-by: Selva Nair Acked-by: Arne Schwabe --- This change was reviewed on Gerrit and approved by at least one developer. I request to merge it to master. Gerrit URL: https://gerrit.openvpn.net/c/openvpn/+/742 This mail reflects revision 1 of this Change. Acked-by according to Gerrit (reflected above): Arne Schwabe diff --git a/src/openvpn/ssl_openssl.c b/src/openvpn/ssl_openssl.c index 0d845f4..5fd6572 100644 --- a/src/openvpn/ssl_openssl.c +++ b/src/openvpn/ssl_openssl.c @@ -813,6 +813,15 @@ } return 0; } + +static void +clear_ossl_store_error(OSSL_STORE_CTX *store_ctx) +{ + if (OSSL_STORE_error(store_ctx)) + { + ERR_clear_error(); + } +} #endif /* defined(HAVE_OPENSSL_STORE_API) */ /** @@ -864,7 +873,19 @@ { goto end; } - info = OSSL_STORE_load(store_ctx); + while (1) + { + info = OSSL_STORE_load(store_ctx); + if (info || OSSL_STORE_eof(store_ctx)) + { + break; + } + /* OPENSSL_STORE_load can return error and still have usable objects to follow. + * ref: man OPENSSL_STORE_open + * Clear error and recurse through the file if info = NULL and eof not reached + */ + clear_ossl_store_error(store_ctx); + } if (!info) { goto end; @@ -1099,7 +1120,19 @@ goto end; } - info = OSSL_STORE_load(store_ctx); + while (1) + { + info = OSSL_STORE_load(store_ctx); + if (info || OSSL_STORE_eof(store_ctx)) + { + break; + } + /* OPENSSL_STORE_load can return error and still have usable objects to follow. + * ref: man OPENSSL_STORE_open + * Clear error and recurse through the file if info = NULL and eof not reached. + */ + clear_ossl_store_error(store_ctx); + } if (!info) { goto end; 
@@ -1120,9 +1153,14 @@ OSSL_STORE_INFO_free(info); /* iterate through the store and add extra certificates if any to the chain */ - info = OSSL_STORE_load(store_ctx); - while (info && !OSSL_STORE_eof(store_ctx)) + while (!OSSL_STORE_eof(store_ctx)) { + info = OSSL_STORE_load(store_ctx); + if (!info) + { + clear_ossl_store_error(store_ctx); + continue; + } x = OSSL_STORE_INFO_get1_CERT(info); if (x && SSL_CTX_add_extra_chain_cert(tls_ctx->ctx, x) != 1) { @@ -1131,7 +1169,6 @@ break; } OSSL_STORE_INFO_free(info); - info = OSSL_STORE_load(store_ctx); } end:
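Review bot: in the @@ -813 hunk, `clear_ossl_store_error()` calls `ERR_clear_error()`, which discards the whole thread error queue, not only the store error, and does so silently, so a file that mixes an unreadable object with valid ones leaves no trace in the log. Logging the queued errors at debug level before clearing (the commit message already names `crypto_print_openssl_errors()` as the routine that reports them) would keep the diagnostic without the misleading end-of-run message, and a one-line comment on the function should say that the queue is intentionally dropped.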
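Review bot: the `while (1)` loop in the @@ -864 hunk exits only when `OSSL_STORE_load()` returns an object or `OSSL_STORE_eof()` is true; if a loader returns NULL with neither eof nor error flagged, `clear_ossl_store_error()` is a no-op and the loop spins. Also breaking when `!OSSL_STORE_error(store_ctx)` (treating that as end of input) ties termination to state the loop actually checks. The comment in the same hunk says "recurse through the file" where the code loops, and refers to `OPENSSL_STORE_load` and `man OPENSSL_STORE_open` while the calls are `OSSL_STORE_load()`; the manual page is `OSSL_STORE_open(3)`.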
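Review bot: the @@ -1099 hunk repeats the loop and the three-line comment from the @@ -864 hunk verbatim. Since `clear_ossl_store_error()` already sits in the `HAVE_OPENSSL_STORE_API` block, a small helper beside it (a suggested name, not in the patch: `load_next_store_info(store_ctx)`, returning the next `OSSL_STORE_INFO *` or NULL at eof) would keep the retry logic in one place and fix the comment wording once.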
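Review bot: in the @@ -1120 hunk the `continue` after `clear_ossl_store_error()` correctly re-tests `OSSL_STORE_eof()`, but an object that is not a certificate (`OSSL_STORE_INFO_get1_CERT()` returns NULL) is still dropped without any message. A debug-level line naming the skipped object type via `OSSL_STORE_INFO_get_type()` would help a user understand why a chain loaded from a URI came out shorter than expected.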
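Review bot: with `info = OSSL_STORE_load(store_ctx);` removed at the end of the loop body in the @@ -1131 hunk, the loop now exits on eof immediately after `OSSL_STORE_INFO_free(info);`, so `info` leaves the loop pointing at freed memory. If anything after `end:` (not visible in this diff) frees or inspects `info`, that is a double free or use after free; setting `info = NULL;` right after the free, or declaring `info` inside the loop body, closes that path.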