[openssl] master update
tomas at openssl.org
tomas at openssl.org
Thu May 13 17:26:30 UTC 2021
The branch master has been updated
via afecd85db1359b5a62c037b8a507b928541c779c (commit)
from 2bdec3b037264540014120a02217fc67bf355f11 (commit)
- Log -----------------------------------------------------------------
commit afecd85db1359b5a62c037b8a507b928541c779c
Author: Tomas Mraz <tomas at openssl.org>
Date: Wed May 12 19:15:27 2021 +0200
Replace some of the ERR_clear_error() calls with mark calls
Fixes #15219
Reviewed-by: Richard Levitte <levitte at openssl.org>
Reviewed-by: Paul Dale <pauli at openssl.org>
Reviewed-by: Shane Lontis <shane.lontis at oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15253)
-----------------------------------------------------------------------
Summary of changes:
crypto/asn1/a_d2i_fp.c | 7 ++++---
crypto/asn1/p5_pbev2.c | 3 ++-
crypto/bio/bio_lib.c | 8 ++++++--
crypto/bio/bss_conn.c | 8 +++++---
crypto/ec/ec2_oct.c | 8 ++++----
crypto/ec/ecp_oct.c | 10 ++++------
crypto/pkcs12/p12_add.c | 3 ++-
crypto/pkcs12/p12_p8e.c | 22 +++++++++++++---------
crypto/x509/by_file.c | 6 ++++--
9 files changed, 44 insertions(+), 31 deletions(-)
diff --git a/crypto/asn1/a_d2i_fp.c b/crypto/asn1/a_d2i_fp.c
index 2c7acb34e0..f1e96b2eaf 100644
--- a/crypto/asn1/a_d2i_fp.c
+++ b/crypto/asn1/a_d2i_fp.c
@@ -115,7 +115,7 @@ int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
return -1;
}
- ERR_clear_error();
+ ERR_set_mark();
for (;;) {
diff = len - off;
if (want >= diff) {
@@ -149,10 +149,10 @@ int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
if (inf & 0x80) {
unsigned long e;
- e = ERR_GET_REASON(ERR_peek_error());
+ e = ERR_GET_REASON(ERR_peek_last_error());
if (e != ASN1_R_TOO_LONG)
goto err;
- ERR_clear_error();
+ ERR_pop_to_mark();
}
i = q - p; /* header length */
off += i; /* end of data */
@@ -235,6 +235,7 @@ int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb)
*pb = b;
return off;
err:
+ ERR_clear_last_mark();
BUF_MEM_free(b);
return -1;
}
diff --git a/crypto/asn1/p5_pbev2.c b/crypto/asn1/p5_pbev2.c
index da227b96e2..c9d9d31cc2 100644
--- a/crypto/asn1/p5_pbev2.c
+++ b/crypto/asn1/p5_pbev2.c
@@ -88,11 +88,12 @@ X509_ALGOR *PKCS5_pbe2_set_iv_ex(const EVP_CIPHER *cipher, int iter,
* If prf NID unspecified see if cipher has a preference. An error is OK
* here: just means use default PRF.
*/
+ ERR_set_mark();
if ((prf_nid == -1) &&
EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_PBE_PRF_NID, 0, &prf_nid) <= 0) {
- ERR_clear_error();
prf_nid = NID_hmacWithSHA256;
}
+ ERR_pop_to_mark();
EVP_CIPHER_CTX_free(ctx);
ctx = NULL;
diff --git a/crypto/bio/bio_lib.c b/crypto/bio/bio_lib.c
index 5cdd6d7cfd..575107634c 100644
--- a/crypto/bio/bio_lib.c
+++ b/crypto/bio/bio_lib.c
@@ -870,7 +870,8 @@ int BIO_do_connect_retry(BIO *bio, int timeout, int nap_milliseconds)
BIO_set_nbio(bio, !blocking);
retry:
- rv = BIO_do_connect(bio); /* This may indirectly call ERR_clear_error(); */
+ ERR_set_mark();
+ rv = BIO_do_connect(bio);
if (rv <= 0) { /* could be timeout or retryable error or fatal error */
int err = ERR_peek_last_error();
@@ -897,7 +898,7 @@ int BIO_do_connect_retry(BIO *bio, int timeout, int nap_milliseconds)
}
}
if (timeout >= 0 && do_retry) {
- ERR_clear_error(); /* using ERR_pop_to_mark() would be cleaner */
+ ERR_pop_to_mark();
/* will not actually wait if timeout == 0 (i.e., blocking BIO): */
rv = bio_wait(bio, max_time, nap_milliseconds);
if (rv > 0)
@@ -905,11 +906,14 @@ int BIO_do_connect_retry(BIO *bio, int timeout, int nap_milliseconds)
ERR_raise(ERR_LIB_BIO,
rv == 0 ? BIO_R_CONNECT_TIMEOUT : BIO_R_CONNECT_ERROR);
} else {
+ ERR_clear_last_mark();
rv = -1;
if (err == 0) /* missing error queue entry */
/* workaround: general error */
ERR_raise(ERR_LIB_BIO, BIO_R_CONNECT_ERROR);
}
+ } else {
+ ERR_clear_last_mark();
}
return rv;
diff --git a/crypto/bio/bss_conn.c b/crypto/bio/bss_conn.c
index 7aaae65bc2..3ab2c0d4ba 100644
--- a/crypto/bio/bss_conn.c
+++ b/crypto/bio/bss_conn.c
@@ -155,6 +155,7 @@ static int conn_state(BIO *b, BIO_CONNECT *c)
case BIO_CONN_S_CONNECT:
BIO_clear_retry_flags(b);
+ ERR_set_mark();
ret = BIO_connect(b->num, BIO_ADDRINFO_address(c->addr_iter),
BIO_SOCK_KEEPALIVE | c->connect_mode);
b->retry_reason = 0;
@@ -163,7 +164,7 @@ static int conn_state(BIO *b, BIO_CONNECT *c)
BIO_set_retry_special(b);
c->state = BIO_CONN_S_BLOCKED_CONNECT;
b->retry_reason = BIO_RR_CONNECT;
- ERR_clear_error();
+ ERR_pop_to_mark();
} else if ((c->addr_iter = BIO_ADDRINFO_next(c->addr_iter))
!= NULL) {
/*
@@ -171,9 +172,10 @@ static int conn_state(BIO *b, BIO_CONNECT *c)
*/
BIO_closesocket(b->num);
c->state = BIO_CONN_S_CREATE_SOCKET;
- ERR_clear_error();
+ ERR_pop_to_mark();
break;
} else {
+ ERR_clear_last_mark();
ERR_raise_data(ERR_LIB_SYS, get_last_socket_error(),
"calling connect(%s, %s)",
c->param_hostname, c->param_service);
@@ -182,6 +184,7 @@ static int conn_state(BIO *b, BIO_CONNECT *c)
}
goto exit_loop;
} else {
+ ERR_clear_last_mark();
c->state = BIO_CONN_S_OK;
}
break;
@@ -196,7 +199,6 @@ static int conn_state(BIO *b, BIO_CONNECT *c)
*/
BIO_closesocket(b->num);
c->state = BIO_CONN_S_CREATE_SOCKET;
- ERR_clear_error();
break;
}
ERR_raise_data(ERR_LIB_SYS, i,
diff --git a/crypto/ec/ec2_oct.c b/crypto/ec/ec2_oct.c
index 1970efd65c..10a4932591 100644
--- a/crypto/ec/ec2_oct.c
+++ b/crypto/ec/ec2_oct.c
@@ -46,9 +46,6 @@ int ossl_ec_GF2m_simple_set_compressed_coordinates(const EC_GROUP *group,
#ifndef FIPS_MODULE
BN_CTX *new_ctx = NULL;
- /* clear error queue */
- ERR_clear_error();
-
if (ctx == NULL) {
ctx = new_ctx = BN_CTX_new();
if (ctx == NULL)
@@ -80,21 +77,24 @@ int ossl_ec_GF2m_simple_set_compressed_coordinates(const EC_GROUP *group,
goto err;
if (!BN_GF2m_add(tmp, x, tmp))
goto err;
+ ERR_set_mark();
if (!BN_GF2m_mod_solve_quad_arr(z, tmp, group->poly, ctx)) {
#ifndef FIPS_MODULE
unsigned long err = ERR_peek_last_error();
if (ERR_GET_LIB(err) == ERR_LIB_BN
&& ERR_GET_REASON(err) == BN_R_NO_SOLUTION) {
- ERR_clear_error();
+ ERR_pop_to_mark();
ERR_raise(ERR_LIB_EC, EC_R_INVALID_COMPRESSED_POINT);
} else
#endif
{
+ ERR_clear_last_mark();
ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
}
goto err;
}
+ ERR_clear_last_mark();
z0 = (BN_is_odd(z)) ? 1 : 0;
if (!group->meth->field_mul(group, y, x, z, ctx))
goto err;
diff --git a/crypto/ec/ecp_oct.c b/crypto/ec/ecp_oct.c
index b10947d714..68943e521e 100644
--- a/crypto/ec/ecp_oct.c
+++ b/crypto/ec/ecp_oct.c
@@ -28,11 +28,6 @@ int ossl_ec_GFp_simple_set_compressed_coordinates(const EC_GROUP *group,
BIGNUM *tmp1, *tmp2, *x, *y;
int ret = 0;
-#ifndef FIPS_MODULE
- /* clear error queue */
- ERR_clear_error();
-#endif
-
if (ctx == NULL) {
ctx = new_ctx = BN_CTX_new_ex(group->libctx);
if (ctx == NULL)
@@ -106,21 +101,24 @@ int ossl_ec_GFp_simple_set_compressed_coordinates(const EC_GROUP *group,
goto err;
}
+ ERR_set_mark();
if (!BN_mod_sqrt(y, tmp1, group->field, ctx)) {
#ifndef FIPS_MODULE
unsigned long err = ERR_peek_last_error();
if (ERR_GET_LIB(err) == ERR_LIB_BN
&& ERR_GET_REASON(err) == BN_R_NOT_A_SQUARE) {
- ERR_clear_error();
+ ERR_pop_to_mark();
ERR_raise(ERR_LIB_EC, EC_R_INVALID_COMPRESSED_POINT);
} else
#endif
{
+ ERR_clear_last_mark();
ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB);
}
goto err;
}
+ ERR_clear_last_mark();
if (y_bit != BN_is_odd(y)) {
if (BN_is_zero(y)) {
diff --git a/crypto/pkcs12/p12_add.c b/crypto/pkcs12/p12_add.c
index b644834f33..6fd4184af5 100644
--- a/crypto/pkcs12/p12_add.c
+++ b/crypto/pkcs12/p12_add.c
@@ -102,14 +102,15 @@ PKCS7 *PKCS12_pack_p7encdata_ex(int pbe_nid, const char *pass, int passlen,
goto err;
}
+ ERR_set_mark();
pbe_ciph = pbe_ciph_fetch = EVP_CIPHER_fetch(ctx, OBJ_nid2sn(pbe_nid), propq);
if (pbe_ciph == NULL)
pbe_ciph = EVP_get_cipherbynid(pbe_nid);
+ ERR_pop_to_mark();
if (pbe_ciph != NULL) {
pbe = PKCS5_pbe2_set_iv_ex(pbe_ciph, iter, salt, saltlen, NULL, -1, ctx);
} else {
- ERR_clear_error();
pbe = PKCS5_pbe_set_ex(pbe_nid, iter, salt, saltlen, ctx);
}
diff --git a/crypto/pkcs12/p12_p8e.c b/crypto/pkcs12/p12_p8e.c
index e357f310a6..9c27534017 100644
--- a/crypto/pkcs12/p12_p8e.c
+++ b/crypto/pkcs12/p12_p8e.c
@@ -29,16 +29,20 @@ X509_SIG *PKCS8_encrypt_ex(int pbe_nid, const EVP_CIPHER *cipher,
}
pbe = PKCS5_pbe2_set_iv_ex(cipher, iter, salt, saltlen, NULL, -1,
libctx);
- } else if (EVP_PBE_find(EVP_PBE_TYPE_PRF, pbe_nid, NULL, NULL, 0)) {
- if (cipher == NULL) {
- ERR_raise(ERR_LIB_PKCS12, ERR_R_PASSED_NULL_PARAMETER);
- return NULL;
- }
- pbe = PKCS5_pbe2_set_iv_ex(cipher, iter, salt, saltlen, NULL, pbe_nid,
- libctx);
} else {
- ERR_clear_error();
- pbe = PKCS5_pbe_set_ex(pbe_nid, iter, salt, saltlen, libctx);
+ ERR_set_mark();
+ if (EVP_PBE_find(EVP_PBE_TYPE_PRF, pbe_nid, NULL, NULL, 0)) {
+ ERR_clear_last_mark();
+ if (cipher == NULL) {
+ ERR_raise(ERR_LIB_PKCS12, ERR_R_PASSED_NULL_PARAMETER);
+ return NULL;
+ }
+ pbe = PKCS5_pbe2_set_iv_ex(cipher, iter, salt, saltlen, NULL,
+ pbe_nid, libctx);
+ } else {
+ ERR_pop_to_mark();
+ pbe = PKCS5_pbe_set_ex(pbe_nid, iter, salt, saltlen, libctx);
+ }
}
if (pbe == NULL) {
ERR_raise(ERR_LIB_PKCS12, ERR_R_ASN1_LIB);
diff --git a/crypto/x509/by_file.c b/crypto/x509/by_file.c
index eed902b649..c6fd3db50a 100644
--- a/crypto/x509/by_file.c
+++ b/crypto/x509/by_file.c
@@ -113,16 +113,18 @@ int X509_load_cert_file_ex(X509_LOOKUP *ctx, const char *file, int type,
if (type == X509_FILETYPE_PEM) {
for (;;) {
+ ERR_set_mark();
if (PEM_read_bio_X509_AUX(in, &x, NULL, "") == NULL) {
if ((ERR_GET_REASON(ERR_peek_last_error()) ==
PEM_R_NO_START_LINE) && (count > 0)) {
- ERR_clear_error();
+ ERR_pop_to_mark();
break;
} else {
- ERR_raise(ERR_LIB_X509, ERR_R_PEM_LIB);
+ ERR_clear_last_mark();
goto err;
}
}
+ ERR_clear_last_mark();
i = X509_STORE_add_cert(ctx->store_ctx, x);
if (!i)
goto err;
More information about the openssl-commits
mailing list