diff options
author | Tomas Mraz <tomas@openssl.org> | 2021-05-12 19:15:27 +0200 |
---|---|---|
committer | Tomas Mraz <tomas@openssl.org> | 2021-05-13 19:26:06 +0200 |
commit | afecd85db1359b5a62c037b8a507b928541c779c (patch) | |
tree | 26c1def792b0e9e80a8042ef87e9d5cfbc9093d1 | |
parent | 2bdec3b037264540014120a02217fc67bf355f11 (diff) |
Replace some of the ERR_clear_error() calls with mark calls
Fixes #15219
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Paul Dale <pauli@openssl.org>
Reviewed-by: Shane Lontis <shane.lontis@oracle.com>
(Merged from https://github.com/openssl/openssl/pull/15253)
-rw-r--r-- | crypto/asn1/a_d2i_fp.c | 7 | ||||
-rw-r--r-- | crypto/asn1/p5_pbev2.c | 3 | ||||
-rw-r--r-- | crypto/bio/bio_lib.c | 8 | ||||
-rw-r--r-- | crypto/bio/bss_conn.c | 8 | ||||
-rw-r--r-- | crypto/ec/ec2_oct.c | 8 | ||||
-rw-r--r-- | crypto/ec/ecp_oct.c | 10 | ||||
-rw-r--r-- | crypto/pkcs12/p12_add.c | 3 | ||||
-rw-r--r-- | crypto/pkcs12/p12_p8e.c | 22 | ||||
-rw-r--r-- | crypto/x509/by_file.c | 6 |
9 files changed, 44 insertions, 31 deletions
diff --git a/crypto/asn1/a_d2i_fp.c b/crypto/asn1/a_d2i_fp.c index 2c7acb34e0..f1e96b2eaf 100644 --- a/crypto/asn1/a_d2i_fp.c +++ b/crypto/asn1/a_d2i_fp.c @@ -115,7 +115,7 @@ int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb) return -1; } - ERR_clear_error(); + ERR_set_mark(); for (;;) { diff = len - off; if (want >= diff) { @@ -149,10 +149,10 @@ int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb) if (inf & 0x80) { unsigned long e; - e = ERR_GET_REASON(ERR_peek_error()); + e = ERR_GET_REASON(ERR_peek_last_error()); if (e != ASN1_R_TOO_LONG) goto err; - ERR_clear_error(); + ERR_pop_to_mark(); } i = q - p; /* header length */ off += i; /* end of data */ @@ -235,6 +235,7 @@ int asn1_d2i_read_bio(BIO *in, BUF_MEM **pb) *pb = b; return off; err: + ERR_clear_last_mark(); BUF_MEM_free(b); return -1; } diff --git a/crypto/asn1/p5_pbev2.c b/crypto/asn1/p5_pbev2.c index da227b96e2..c9d9d31cc2 100644 --- a/crypto/asn1/p5_pbev2.c +++ b/crypto/asn1/p5_pbev2.c @@ -88,11 +88,12 @@ X509_ALGOR *PKCS5_pbe2_set_iv_ex(const EVP_CIPHER *cipher, int iter, * If prf NID unspecified see if cipher has a preference. An error is OK * here: just means use default PRF. */ + ERR_set_mark(); if ((prf_nid == -1) && EVP_CIPHER_CTX_ctrl(ctx, EVP_CTRL_PBE_PRF_NID, 0, &prf_nid) <= 0) { - ERR_clear_error(); prf_nid = NID_hmacWithSHA256; } + ERR_pop_to_mark(); EVP_CIPHER_CTX_free(ctx); ctx = NULL; diff --git a/crypto/bio/bio_lib.c b/crypto/bio/bio_lib.c index 5cdd6d7cfd..575107634c 100644 --- a/crypto/bio/bio_lib.c +++ b/crypto/bio/bio_lib.c @@ -870,7 +870,8 @@ int BIO_do_connect_retry(BIO *bio, int timeout, int nap_milliseconds) BIO_set_nbio(bio, !blocking); retry: - rv = BIO_do_connect(bio); /* This may indirectly call ERR_clear_error(); */ + ERR_set_mark(); + rv = BIO_do_connect(bio); if (rv <= 0) { /* could be timeout or retryable error or fatal error */ int err = ERR_peek_last_error(); @@ -897,7 +898,7 @@ int BIO_do_connect_retry(BIO *bio, int timeout, int nap_milliseconds) } } if (timeout >= 0 && do_retry) { - ERR_clear_error(); /* using ERR_pop_to_mark() would be cleaner */ + ERR_pop_to_mark(); /* will not actually wait if timeout == 0 (i.e., blocking BIO): */ rv = bio_wait(bio, max_time, nap_milliseconds); if (rv > 0) @@ -905,11 +906,14 @@ int BIO_do_connect_retry(BIO *bio, int timeout, int nap_milliseconds) ERR_raise(ERR_LIB_BIO, rv == 0 ? BIO_R_CONNECT_TIMEOUT : BIO_R_CONNECT_ERROR); } else { + ERR_clear_last_mark(); rv = -1; if (err == 0) /* missing error queue entry */ /* workaround: general error */ ERR_raise(ERR_LIB_BIO, BIO_R_CONNECT_ERROR); } + } else { + ERR_clear_last_mark(); } return rv; diff --git a/crypto/bio/bss_conn.c b/crypto/bio/bss_conn.c index 7aaae65bc2..3ab2c0d4ba 100644 --- a/crypto/bio/bss_conn.c +++ b/crypto/bio/bss_conn.c @@ -155,6 +155,7 @@ static int conn_state(BIO *b, BIO_CONNECT *c) case BIO_CONN_S_CONNECT: BIO_clear_retry_flags(b); + ERR_set_mark(); ret = BIO_connect(b->num, BIO_ADDRINFO_address(c->addr_iter), BIO_SOCK_KEEPALIVE | c->connect_mode); b->retry_reason = 0; @@ -163,7 +164,7 @@ static int conn_state(BIO *b, BIO_CONNECT *c) BIO_set_retry_special(b); c->state = BIO_CONN_S_BLOCKED_CONNECT; b->retry_reason = BIO_RR_CONNECT; - ERR_clear_error(); + ERR_pop_to_mark(); } else if ((c->addr_iter = BIO_ADDRINFO_next(c->addr_iter)) != NULL) { /* @@ -171,9 +172,10 @@ static int conn_state(BIO *b, BIO_CONNECT *c) */ BIO_closesocket(b->num); c->state = BIO_CONN_S_CREATE_SOCKET; - ERR_clear_error(); + ERR_pop_to_mark(); break; } else { + ERR_clear_last_mark(); ERR_raise_data(ERR_LIB_SYS, get_last_socket_error(), "calling connect(%s, %s)", c->param_hostname, c->param_service); @@ -182,6 +184,7 @@ static int conn_state(BIO *b, BIO_CONNECT *c) } goto exit_loop; } else { + ERR_clear_last_mark(); c->state = BIO_CONN_S_OK; } break; @@ -196,7 +199,6 @@ static int conn_state(BIO *b, BIO_CONNECT *c) */ BIO_closesocket(b->num); c->state = BIO_CONN_S_CREATE_SOCKET; - ERR_clear_error(); break; } ERR_raise_data(ERR_LIB_SYS, i, diff --git a/crypto/ec/ec2_oct.c b/crypto/ec/ec2_oct.c index 1970efd65c..10a4932591 100644 --- a/crypto/ec/ec2_oct.c +++ b/crypto/ec/ec2_oct.c @@ -46,9 +46,6 @@ int ossl_ec_GF2m_simple_set_compressed_coordinates(const EC_GROUP *group, #ifndef FIPS_MODULE BN_CTX *new_ctx = NULL; - /* clear error queue */ - ERR_clear_error(); - if (ctx == NULL) { ctx = new_ctx = BN_CTX_new(); if (ctx == NULL) @@ -80,21 +77,24 @@ int ossl_ec_GF2m_simple_set_compressed_coordinates(const EC_GROUP *group, goto err; if (!BN_GF2m_add(tmp, x, tmp)) goto err; + ERR_set_mark(); if (!BN_GF2m_mod_solve_quad_arr(z, tmp, group->poly, ctx)) { #ifndef FIPS_MODULE unsigned long err = ERR_peek_last_error(); if (ERR_GET_LIB(err) == ERR_LIB_BN && ERR_GET_REASON(err) == BN_R_NO_SOLUTION) { - ERR_clear_error(); + ERR_pop_to_mark(); ERR_raise(ERR_LIB_EC, EC_R_INVALID_COMPRESSED_POINT); } else #endif { + ERR_clear_last_mark(); ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB); } goto err; } + ERR_clear_last_mark(); z0 = (BN_is_odd(z)) ? 1 : 0; if (!group->meth->field_mul(group, y, x, z, ctx)) goto err; diff --git a/crypto/ec/ecp_oct.c b/crypto/ec/ecp_oct.c index b10947d714..68943e521e 100644 --- a/crypto/ec/ecp_oct.c +++ b/crypto/ec/ecp_oct.c @@ -28,11 +28,6 @@ int ossl_ec_GFp_simple_set_compressed_coordinates(const EC_GROUP *group, BIGNUM *tmp1, *tmp2, *x, *y; int ret = 0; -#ifndef FIPS_MODULE - /* clear error queue */ - ERR_clear_error(); -#endif - if (ctx == NULL) { ctx = new_ctx = BN_CTX_new_ex(group->libctx); if (ctx == NULL) @@ -106,21 +101,24 @@ int ossl_ec_GFp_simple_set_compressed_coordinates(const EC_GROUP *group, goto err; } + ERR_set_mark(); if (!BN_mod_sqrt(y, tmp1, group->field, ctx)) { #ifndef FIPS_MODULE unsigned long err = ERR_peek_last_error(); if (ERR_GET_LIB(err) == ERR_LIB_BN && ERR_GET_REASON(err) == BN_R_NOT_A_SQUARE) { - ERR_clear_error(); + ERR_pop_to_mark(); ERR_raise(ERR_LIB_EC, EC_R_INVALID_COMPRESSED_POINT); } else #endif { + ERR_clear_last_mark(); ERR_raise(ERR_LIB_EC, ERR_R_BN_LIB); } goto err; } + ERR_clear_last_mark(); if (y_bit != BN_is_odd(y)) { if (BN_is_zero(y)) { diff --git a/crypto/pkcs12/p12_add.c b/crypto/pkcs12/p12_add.c index b644834f33..6fd4184af5 100644 --- a/crypto/pkcs12/p12_add.c +++ b/crypto/pkcs12/p12_add.c @@ -102,14 +102,15 @@ PKCS7 *PKCS12_pack_p7encdata_ex(int pbe_nid, const char *pass, int passlen, goto err; } + ERR_set_mark(); pbe_ciph = pbe_ciph_fetch = EVP_CIPHER_fetch(ctx, OBJ_nid2sn(pbe_nid), propq); if (pbe_ciph == NULL) pbe_ciph = EVP_get_cipherbynid(pbe_nid); + ERR_pop_to_mark(); if (pbe_ciph != NULL) { pbe = PKCS5_pbe2_set_iv_ex(pbe_ciph, iter, salt, saltlen, NULL, -1, ctx); } else { - ERR_clear_error(); pbe = PKCS5_pbe_set_ex(pbe_nid, iter, salt, saltlen, ctx); } diff --git a/crypto/pkcs12/p12_p8e.c b/crypto/pkcs12/p12_p8e.c index e357f310a6..9c27534017 100644 --- a/crypto/pkcs12/p12_p8e.c +++ b/crypto/pkcs12/p12_p8e.c @@ -29,16 +29,20 @@ X509_SIG *PKCS8_encrypt_ex(int pbe_nid, const EVP_CIPHER *cipher, } pbe = PKCS5_pbe2_set_iv_ex(cipher, iter, salt, saltlen, NULL, -1, libctx); - } else if (EVP_PBE_find(EVP_PBE_TYPE_PRF, pbe_nid, NULL, NULL, 0)) { - if (cipher == NULL) { - ERR_raise(ERR_LIB_PKCS12, ERR_R_PASSED_NULL_PARAMETER); - return NULL; - } - pbe = PKCS5_pbe2_set_iv_ex(cipher, iter, salt, saltlen, NULL, pbe_nid, - libctx); } else { - ERR_clear_error(); - pbe = PKCS5_pbe_set_ex(pbe_nid, iter, salt, saltlen, libctx); + ERR_set_mark(); + if (EVP_PBE_find(EVP_PBE_TYPE_PRF, pbe_nid, NULL, NULL, 0)) { + ERR_clear_last_mark(); + if (cipher == NULL) { + ERR_raise(ERR_LIB_PKCS12, ERR_R_PASSED_NULL_PARAMETER); + return NULL; + } + pbe = PKCS5_pbe2_set_iv_ex(cipher, iter, salt, saltlen, NULL, + pbe_nid, libctx); + } else { + ERR_pop_to_mark(); + pbe = PKCS5_pbe_set_ex(pbe_nid, iter, salt, saltlen, libctx); + } } if (pbe == NULL) { ERR_raise(ERR_LIB_PKCS12, ERR_R_ASN1_LIB); diff --git a/crypto/x509/by_file.c b/crypto/x509/by_file.c index eed902b649..c6fd3db50a 100644 --- a/crypto/x509/by_file.c +++ b/crypto/x509/by_file.c @@ -113,16 +113,18 @@ int X509_load_cert_file_ex(X509_LOOKUP *ctx, const char *file, int type, if (type == X509_FILETYPE_PEM) { for (;;) { + ERR_set_mark(); if (PEM_read_bio_X509_AUX(in, &x, NULL, "") == NULL) { if ((ERR_GET_REASON(ERR_peek_last_error()) == PEM_R_NO_START_LINE) && (count > 0)) { - ERR_clear_error(); + ERR_pop_to_mark(); break; } else { - ERR_raise(ERR_LIB_X509, ERR_R_PEM_LIB); + ERR_clear_last_mark(); goto err; } } + ERR_clear_last_mark(); i = X509_STORE_add_cert(ctx->store_ctx, x); if (!i) goto err; |