Permalink
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
Browse files
src: mark/pop OpenSSL errors in NewRootCertStore
This commit sets the OpenSSL error mark before calling X509_STORE_load_locations and pops the error mark afterwards. The motivation for this is that it is possible that X509_STORE_load_locations can produce errors if the configuration option --openssl-system-ca-path file does not exist. Later if a different function is called which calls an OpenSSL function it could fail because these errors might still be on the OpenSSL error stack. Currently, all functions that call NewRootCertStore clear the OpenSSL error queue upon returning, but this was not the case for example in v12.18.0. PR-URL: #35514 Fixes: #35456 Reviewed-By: Rich Trott <rtrott@gmail.com> Reviewed-By: Anna Henningsen <anna@addaleax.net> Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
- Loading branch information
1 parent
c509485
commit 6a7a61be7c58809990f42659c1d114233c9d1d3e
Showing
with
35 additions
and 3 deletions.
- +3 −0 node.gyp
- +7 −3 src/crypto/crypto_context.cc
- +2 −0 src/crypto/crypto_context.h
- +23 −0 test/cctest/test_node_crypto.cc
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| @@ -1360,6 +1360,9 @@ | ||
| 'defines': [ | ||
| 'HAVE_OPENSSL=1', | ||
| ], | ||
| 'sources': [ | ||
| 'test/cctest/test_node_crypto.cc', | ||
| ] | ||
| }], | ||
| [ 'node_use_openssl=="true" and experimental_quic==1', { | ||
| 'defines': [ | ||
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| @@ -0,0 +1,23 @@ | ||
| // This simulates specifying the configuration option --openssl-system-ca-path | ||
| // and settting it to a file that does not exist. | ||
| #define NODE_OPENSSL_SYSTEM_CERT_PATH "/missing/ca.pem" | ||
|
|
||
| #include "crypto/crypto_context.h" | ||
| #include "node_options.h" | ||
| #include "openssl/err.h" | ||
| #include "gtest/gtest.h" | ||
|
|
||
| /* | ||
| * This test verifies that a call to NewRootCertDir with the build time | ||
| * configuration option --openssl-system-ca-path set to an missing file, will | ||
| * not leave any OpenSSL errors on the OpenSSL error stack. | ||
| * See https://github.com/nodejs/node/issues/35456 for details. | ||
| */ | ||
| TEST(NodeCrypto, NewRootCertStore) { | ||
| node::per_process::cli_options->ssl_openssl_cert_store = true; | ||
| X509_STORE* store = node::crypto::NewRootCertStore(); | ||
| ASSERT_TRUE(store); | ||
| ASSERT_EQ(ERR_peek_error(), 0UL) << "NewRootCertStore should not have left " | ||
| "any errors on the OpenSSL error stack\n"; | ||
| X509_STORE_free(store); | ||
| } |