-
Notifications
You must be signed in to change notification settings - Fork 30.3k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
src: mark/pop OpenSSL errors in NewRootCertStore #35514
Conversation
Review requested:
|
@nodejs/platform-smartos This isn't compiling successfully on SmartOS (and there's now a commit to add code to skip SmartOS). Thoughts? You can see the compilation failure in either of the first two CI runs above. |
I haven't tried to debug this locally, but would |
The function |
Does it need to remain static? |
Good question, I'm not really sure if it does or not. |
This commit sets the OpenSSL error mark before calling X509_STORE_load_locations and pops the error mark afterwards. The motivation for this is that it is possible that X509_STORE_load_locations can produce errors if the configuration option --openssl-system-ca-path file does not exist. Later if a different function is called which calls an OpenSSL function it could fail because these errors might still be on the OpenSSL error stack. Currently, all functions that call NewRootCertStore clear the OpenSSL error queue upon returning, but this was not the case for example in v12.18.0. Fixes: nodejs#35456
d806af4
to
0ab510b
Compare
I think it would be fine to move the declaration into the header file |
503f592
to
9117d4f
Compare
Codecov Report
@@ Coverage Diff @@
## master #35514 +/- ##
==========================================
- Coverage 96.87% 96.40% -0.48%
==========================================
Files 212 220 +8
Lines 69641 73681 +4040
==========================================
+ Hits 67466 71031 +3565
- Misses 2175 2650 +475
Continue to review full report at Codecov.
|
Re-run of failing node-test-commit-linux-containered/ ✔️ |
This commit sets the OpenSSL error mark before calling X509_STORE_load_locations and pops the error mark afterwards. The motivation for this is that it is possible that X509_STORE_load_locations can produce errors if the configuration option --openssl-system-ca-path file does not exist. Later if a different function is called which calls an OpenSSL function it could fail because these errors might still be on the OpenSSL error stack. Currently, all functions that call NewRootCertStore clear the OpenSSL error queue upon returning, but this was not the case for example in v12.18.0. PR-URL: #35514 Fixes: #35456 Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
Landed in 610c68c. |
This commit sets the OpenSSL error mark before calling X509_STORE_load_locations and pops the error mark afterwards. The motivation for this is that it is possible that X509_STORE_load_locations can produce errors if the configuration option --openssl-system-ca-path file does not exist. Later if a different function is called which calls an OpenSSL function it could fail because these errors might still be on the OpenSSL error stack. Currently, all functions that call NewRootCertStore clear the OpenSSL error queue upon returning, but this was not the case for example in v12.18.0. PR-URL: #35514 Fixes: #35456 Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
This commit sets the OpenSSL error mark before calling
X509_STORE_load_locations
and pops the error mark afterwards.The motivation for this is that it is possible that
X509_STORE_load_locations
can produce errors if the configurationoption
--openssl-system-ca-path
file does not exist. Later if adifferent function is called which calls an OpenSSL function it could
fail because these errors might still be on the OpenSSL error queue.
Currently, all functions that call
NewRootCertStore
clear theOpenSSL error queue upon returning, but this was not the case for
example in v12.18.0.
Fixes: #35456
Checklist
make -j4 test
(UNIX), orvcbuild test
(Windows) passes