[openssl] master update

tomas at openssl.org tomas at openssl.org
Thu May 13 17:26:30 UTC 2021


The branch master has been updated
       via  afecd85db1359b5a62c037b8a507b928541c779c (commit)
      from  2bdec3b037264540014120a02217fc67bf355f11 (commit)


- Log -----------------------------------------------------------------
commit afecd85db1359b5a62c037b8a507b928541c779c
Author: Tomas Mraz <tomas at openssl.org>
Date:   Wed May 12 19:15:27 2021 +0200

    Replace some of the ERR_clear_error() calls with mark calls
    
    Fixes #15219
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>
    Reviewed-by: Paul Dale <pauli at openssl.org>
    Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
    (Merged from https://github.com/openssl/openssl/pull/15253)

-----------------------------------------------------------------------

Summary of changes:
 crypto/asn1/a_d2i_fp.c  |  7 ++++---
 crypto/asn1/p5_pbev2.c  |  3 ++-
 crypto/bio/bio_lib.c    |  8 ++++++--
 crypto/bio/bss_conn.c   |  8 +++++---
 crypto/ec/ec2_oct.c     |  8 ++++----
 crypto/ec/ecp_oct.c     | 10 ++++------
 crypto/pkcs12/p12_add.c |  3 ++-
 crypto/pkcs12/p12_p8e.c | 22 +++++++++++++---------
 crypto/x509/by_file.c   |  6 ++++--
 9 files changed, 44 insertions(+), 31 deletions(-)

diff --git a/crypto/asn1/a_d2i_fp.c b/crypto/asn1/a_d2i_fp.c
index 2c7acb34e0..f1e96b2eaf 100644
--- a/crypto/asn1/a_d2i_fp.c
+++ b/crypto/asn1/a_d2i_fp.c
@@ -115,7 +115,7 @@ int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
         return -1;
     }
 
-    ERR_clear_error();
+    ERR_set_mark();
     for (;;) {
         diff = len - off;
         if (want >= diff) {
@@ -149,10 +149,10 @@ int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
         if (inf & 0x80) {
             unsigned long e;
 
-            e = ERR_GET_REASON(ERR_peek_error());
+            e = ERR_GET_REASON(ERR_peek_last_error());
             if (e != ASN1_R_TOO_LONG)
                 goto err;
-            ERR_clear_error();
+            ERR_pop_to_mark();
         }
         i = q - p;            /* header length */
         off += i;               /* end of data */
@@ -235,6 +235,7 @@ int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
     *pb = b;
     return off;
  err:
+    ERR_clear_last_mark();
     BUF_MEM_free(b);
     return -1;
 }
diff --git a/crypto/asn1/p5_pbev2.c b/crypto/asn1/p5_pbev2.c
index da227b96e2..c9d9d31cc2 100644
--- a/crypto/asn1/p5_pbev2.c
+++ b/crypto/asn1/p5_pbev2.c
@@ -88,11 +88,12 @@ X509_ALGOR *PKCS5_pbe2_set_iv_ex(const EVP_CIPHER *cipher, int iter,
      * If prf NID unspecified see if cipher has a preference. An error is OK
      * here: just means use default PRF.
      */
+    ERR_set_mark();
     if ((prf_nid == -1) &&
         EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_PBE_PRF_NID, 0, &prf_nid) <= 0) {
-        ERR_clear_error();
         prf_nid = NID_hmacWithSHA256;
     }
+    ERR_pop_to_mark();
     EVP_CIPHER_CTX_free(ctx);
     ctx = NULL;
 
diff --git a/crypto/bio/bio_lib.c b/crypto/bio/bio_lib.c
index 5cdd6d7cfd..575107634c 100644
--- a/crypto/bio/bio_lib.c
+++ b/crypto/bio/bio_lib.c
@@ -870,7 +870,8 @@ int BIO_do_connect_retry(BIO *bio, int timeout, int nap_milliseconds)
     BIO_set_nbio(bio, !blocking);
 
  retry:
-    rv = BIO_do_connect(bio); /* This may indirectly call ERR_clear_error(); */
+    ERR_set_mark();
+    rv = BIO_do_connect(bio);
 
     if (rv <= 0) { /* could be timeout or retryable error or fatal error */
         int err = ERR_peek_last_error();
@@ -897,7 +898,7 @@ int BIO_do_connect_retry(BIO *bio, int timeout, int nap_milliseconds)
             }
         }
         if (timeout >= 0 && do_retry) {
-            ERR_clear_error(); /* using ERR_pop_to_mark() would be cleaner */
+            ERR_pop_to_mark();
             /* will not actually wait if timeout == 0 (i.e., blocking BIO): */
             rv = bio_wait(bio, max_time, nap_milliseconds);
             if (rv > 0)
@@ -905,11 +906,14 @@ int BIO_do_connect_retry(BIO *bio, int timeout, int nap_milliseconds)
             ERR_raise(ERR_LIB_BIO,
                       rv == 0 ? BIO_R_CONNECT_TIMEOUT : BIO_R_CONNECT_ERROR);
         } else {
+            ERR_clear_last_mark();
             rv = -1;
             if (err == 0) /* missing error queue entry */
                 /* workaround: general error */
                 ERR_raise(ERR_LIB_BIO, BIO_R_CONNECT_ERROR);
         }
+    } else {
+        ERR_clear_last_mark();
     }
 
     return rv;
diff --git a/crypto/bio/bss_conn.c b/crypto/bio/bss_conn.c
index 7aaae65bc2..3ab2c0d4ba 100644
--- a/crypto/bio/bss_conn.c
+++ b/crypto/bio/bss_conn.c
@@ -155,6 +155,7 @@ static int conn_state(BIO *b, BIO_CONNECT *c)
 
         case BIO_CONN_S_CONNECT:
             BIO_clear_retry_flags(b);
+            ERR_set_mark();
             ret = BIO_connect(b->num, BIO_ADDRINFO_address(c->addr_iter),
                               BIO_SOCK_KEEPALIVE | c->connect_mode);
             b->retry_reason = 0;
@@ -163,7 +164,7 @@ static int conn_state(BIO *b, BIO_CONNECT *c)
                     BIO_set_retry_special(b);
                     c->state = BIO_CONN_S_BLOCKED_CONNECT;
                     b->retry_reason = BIO_RR_CONNECT;
-                    ERR_clear_error();
+                    ERR_pop_to_mark();
                 } else if ((c->addr_iter = BIO_ADDRINFO_next(c->addr_iter))
                            != NULL) {
                     /*
@@ -171,9 +172,10 @@ static int conn_state(BIO *b, BIO_CONNECT *c)
                      */
                     BIO_closesocket(b->num);
                     c->state = BIO_CONN_S_CREATE_SOCKET;
-                    ERR_clear_error();
+                    ERR_pop_to_mark();
                     break;
                 } else {
+                    ERR_clear_last_mark();
                     ERR_raise_data(ERR_LIB_SYS, get_last_socket_error(),
                                    "calling connect(%s, %s)",
                                     c->param_hostname, c->param_service);
@@ -182,6 +184,7 @@ static int conn_state(BIO *b, BIO_CONNECT *c)
                 }
                 goto exit_loop;
             } else {
+                ERR_clear_last_mark();
                 c->state = BIO_CONN_S_OK;
             }
             break;
@@ -196,7 +199,6 @@ static int conn_state(BIO *b, BIO_CONNECT *c)
                      */
                     BIO_closesocket(b->num);
                     c->state = BIO_CONN_S_CREATE_SOCKET;
-                    ERR_clear_error();
                     break;
                 }
                 ERR_raise_data(ERR_LIB_SYS, i,
diff --git a/crypto/ec/ec2_oct.c b/crypto/ec/ec2_oct.c
index 1970efd65c..10a4932591 100644
--- a/crypto/ec/ec2_oct.c
+++ b/crypto/ec/ec2_oct.c
@@ -46,9 +46,6 @@ int ossl_ec_GF2m_simple_set_compressed_coordinates(const EC_GROUP *group,
 #ifndef FIPS_MODULE
     BN_CTX *new_ctx = NULL;
 
-    /* clear error queue */
-    ERR_clear_error();
-
     if (ctx == NULL) {
         ctx = new_ctx = BN_CTX_new();
         if (ctx == NULL)
@@ -80,21 +77,24 @@ int ossl_ec_GF2m_simple_set_compressed_coordinates(const EC_GROUP *group,
             goto err;
         if (!BN_GF2m_add(tmp, x, tmp))
             goto err;
+        ERR_set_mark();
         if (!BN_GF2m_mod_solve_quad_arr(z, tmp, group->poly, ctx)) {
 #ifndef FIPS_MODULE
             unsigned long err = ERR_peek_last_error();
 
             if (ERR_GET_LIB(err) == ERR_LIB_BN
                 && ERR_GET_REASON(err) == BN_R_NO_SOLUTION) {
-                ERR_clear_error();
+                ERR_pop_to_mark();
                 ERR_raise(ERR_LIB_EC, EC_R_INVALID_COMPRESSED_POINT);
             } else
 #endif
             {
+                ERR_clear_last_mark();
                 ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
             }
             goto err;
         }
+        ERR_clear_last_mark();
         z0 = (BN_is_odd(z)) ? 1 : 0;
         if (!group->meth->field_mul(group, y, x, z, ctx))
             goto err;
diff --git a/crypto/ec/ecp_oct.c b/crypto/ec/ecp_oct.c
index b10947d714..68943e521e 100644
--- a/crypto/ec/ecp_oct.c
+++ b/crypto/ec/ecp_oct.c
@@ -28,11 +28,6 @@ int ossl_ec_GFp_simple_set_compressed_coordinates(const EC_GROUP *group,
     BIGNUM *tmp1, *tmp2, *x, *y;
     int ret = 0;
 
-#ifndef FIPS_MODULE
-    /* clear error queue */
-    ERR_clear_error();
-#endif
-
     if (ctx == NULL) {
         ctx = new_ctx = BN_CTX_new_ex(group->libctx);
         if (ctx == NULL)
@@ -106,21 +101,24 @@ int ossl_ec_GFp_simple_set_compressed_coordinates(const EC_GROUP *group,
             goto err;
     }
 
+    ERR_set_mark();
     if (!BN_mod_sqrt(y, tmp1, group->field, ctx)) {
 #ifndef FIPS_MODULE
         unsigned long err = ERR_peek_last_error();
 
         if (ERR_GET_LIB(err) == ERR_LIB_BN
             && ERR_GET_REASON(err) == BN_R_NOT_A_SQUARE) {
-            ERR_clear_error();
+            ERR_pop_to_mark();
             ERR_raise(ERR_LIB_EC, EC_R_INVALID_COMPRESSED_POINT);
         } else
 #endif
         {
+            ERR_clear_last_mark();
             ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
         }
         goto err;
     }
+    ERR_clear_last_mark();
 
     if (y_bit != BN_is_odd(y)) {
         if (BN_is_zero(y)) {
diff --git a/crypto/pkcs12/p12_add.c b/crypto/pkcs12/p12_add.c
index b644834f33..6fd4184af5 100644
--- a/crypto/pkcs12/p12_add.c
+++ b/crypto/pkcs12/p12_add.c
@@ -102,14 +102,15 @@ PKCS7 *PKCS12_pack_p7encdata_ex(int pbe_nid, const char *pass, int passlen,
         goto err;
     }
 
+    ERR_set_mark();
     pbe_ciph = pbe_ciph_fetch = EVP_CIPHER_fetch(ctx, OBJ_nid2sn(pbe_nid), propq);
     if (pbe_ciph == NULL)
         pbe_ciph = EVP_get_cipherbynid(pbe_nid);
+    ERR_pop_to_mark();
 
     if (pbe_ciph != NULL) {
         pbe = PKCS5_pbe2_set_iv_ex(pbe_ciph, iter, salt, saltlen, NULL, -1, ctx);
     } else {
-        ERR_clear_error();
         pbe = PKCS5_pbe_set_ex(pbe_nid, iter, salt, saltlen, ctx);
     }
 
diff --git a/crypto/pkcs12/p12_p8e.c b/crypto/pkcs12/p12_p8e.c
index e357f310a6..9c27534017 100644
--- a/crypto/pkcs12/p12_p8e.c
+++ b/crypto/pkcs12/p12_p8e.c
@@ -29,16 +29,20 @@ X509_SIG *PKCS8_encrypt_ex(int pbe_nid, const EVP_CIPHER *cipher,
         }
         pbe = PKCS5_pbe2_set_iv_ex(cipher, iter, salt, saltlen, NULL, -1,
                                    libctx);
-    } else if (EVP_PBE_find(EVP_PBE_TYPE_PRF, pbe_nid, NULL, NULL, 0)) {
-        if (cipher == NULL) {
-            ERR_raise(ERR_LIB_PKCS12, ERR_R_PASSED_NULL_PARAMETER);
-            return NULL;
-        }
-        pbe = PKCS5_pbe2_set_iv_ex(cipher, iter, salt, saltlen, NULL, pbe_nid,
-                                   libctx);
     } else {
-        ERR_clear_error();
-        pbe = PKCS5_pbe_set_ex(pbe_nid, iter, salt, saltlen, libctx);
+        ERR_set_mark();
+        if (EVP_PBE_find(EVP_PBE_TYPE_PRF, pbe_nid, NULL, NULL, 0)) {
+            ERR_clear_last_mark();
+            if (cipher == NULL) {
+                ERR_raise(ERR_LIB_PKCS12, ERR_R_PASSED_NULL_PARAMETER);
+                return NULL;
+            }
+            pbe = PKCS5_pbe2_set_iv_ex(cipher, iter, salt, saltlen, NULL,
+                                       pbe_nid, libctx);
+        } else {
+            ERR_pop_to_mark();
+            pbe = PKCS5_pbe_set_ex(pbe_nid, iter, salt, saltlen, libctx);
+        }
     }
     if (pbe == NULL) {
         ERR_raise(ERR_LIB_PKCS12, ERR_R_ASN1_LIB);
diff --git a/crypto/x509/by_file.c b/crypto/x509/by_file.c
index eed902b649..c6fd3db50a 100644
--- a/crypto/x509/by_file.c
+++ b/crypto/x509/by_file.c
@@ -113,16 +113,18 @@ int X509_load_cert_file_ex(X509_LOOKUP *ctx, const char *file, int type,
 
     if (type == X509_FILETYPE_PEM) {
         for (;;) {
+            ERR_set_mark();
             if (PEM_read_bio_X509_AUX(in, &x, NULL, "") == NULL) {
                 if ((ERR_GET_REASON(ERR_peek_last_error()) ==
                      PEM_R_NO_START_LINE) && (count > 0)) {
-                    ERR_clear_error();
+                    ERR_pop_to_mark();
                     break;
                 } else {
-                    ERR_raise(ERR_LIB_X509, ERR_R_PEM_LIB);
+                    ERR_clear_last_mark();
                     goto err;
                 }
             }
+            ERR_clear_last_mark();
             i = X509_STORE_add_cert(ctx->store_ctx, x);
             if (!i)
                 goto err;


More information about the openssl-commits mailing list