Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

src: mark/pop OpenSSL errors in NewRootCertStore #35514

Closed
wants to merge 3 commits into from

Conversation

danbev
Copy link
Member

@danbev danbev commented Oct 6, 2020

This commit sets the OpenSSL error mark before calling
X509_STORE_load_locations and pops the error mark afterwards.

The motivation for this is that it is possible that
X509_STORE_load_locations can produce errors if the configuration
option --openssl-system-ca-path file does not exist. Later if a
different function is called which calls an OpenSSL function it could
fail because these errors might still be on the OpenSSL error queue.

Currently, all functions that call NewRootCertStore clear the
OpenSSL error queue upon returning, but this was not the case for
example in v12.18.0.

Fixes: #35456

Checklist
  • make -j4 test (UNIX), or vcbuild test (Windows) passes
  • tests and/or benchmarks are included
  • commit message follows commit guidelines

@nodejs-github-bot
Copy link
Collaborator

Review requested:

  • @nodejs/crypto

@nodejs-github-bot nodejs-github-bot added build Issues and PRs related to build files or the CI. c++ Issues and PRs that require attention from people who are familiar with C++. crypto Issues and PRs related to the crypto subsystem. labels Oct 6, 2020
@Trott Trott added the request-ci Add this label to start a Jenkins CI on a PR. label Oct 6, 2020
@nodejs-github-bot
Copy link
Collaborator

@github-actions github-actions bot removed the request-ci Add this label to start a Jenkins CI on a PR. label Oct 6, 2020
@nodejs-github-bot
Copy link
Collaborator

@Trott
Copy link
Member

Trott commented Oct 6, 2020

@nodejs/platform-smartos This isn't compiling successfully on SmartOS (and there's now a commit to add code to skip SmartOS). Thoughts? You can see the compilation failure in either of the first two CI runs above.

@cjihrig
Copy link
Contributor

cjihrig commented Oct 6, 2020

I haven't tried to debug this locally, but would #include'ing the .h file instead of the .cc file in the test make any difference?

@danbev
Copy link
Member Author

danbev commented Oct 6, 2020

I haven't tried to debug this locally, but would #include'ing the .h file instead of the .cc file in the test make any difference?

The function node::crypto::NewRootCertStore is static so including the header would not provide access to it unfortunately.

@cjihrig
Copy link
Contributor

cjihrig commented Oct 6, 2020

The function node::crypto::NewRootCertStore is static so including the header would not provide access to it unfortunately.

Does it need to remain static?

@nodejs-github-bot
Copy link
Collaborator

@danbev
Copy link
Member Author

danbev commented Oct 7, 2020

Does it need to remain static?

Good question, I'm not really sure if it does or not.

This commit sets the OpenSSL error mark before calling
X509_STORE_load_locations and pops the error mark afterwards.

The motivation for this is that it is possible that
X509_STORE_load_locations can produce errors if the configuration
option --openssl-system-ca-path file does not exist. Later if a
different function is called which calls an OpenSSL function it could
fail because these errors might still be on the OpenSSL error stack.

Currently, all functions that call NewRootCertStore clear the
OpenSSL error queue upon returning, but this was not the case for
example in v12.18.0.

Fixes: nodejs#35456
@jasnell
Copy link
Member

jasnell commented Oct 15, 2020

I think it would be fine to move the declaration into the header file

@danbev
Copy link
Member Author

danbev commented Oct 17, 2020

@cjihrig @jasnell Sounds good to me, I'll move it into the header. Thanks

@nodejs-github-bot
Copy link
Collaborator

@codecov-io
Copy link

Codecov Report

Merging #35514 into master will decrease coverage by 0.47%.
The diff coverage is n/a.

Impacted file tree graph

@@            Coverage Diff             @@
##           master   #35514      +/-   ##
==========================================
- Coverage   96.87%   96.40%   -0.48%     
==========================================
  Files         212      220       +8     
  Lines       69641    73681    +4040     
==========================================
+ Hits        67466    71031    +3565     
- Misses       2175     2650     +475     
Impacted Files Coverage Δ
lib/internal/crypto/scrypt.js 28.33% <0.00%> (-71.67%) ⬇️
lib/internal/crypto/diffiehellman.js 92.47% <0.00%> (-6.50%) ⬇️
lib/internal/crypto/keys.js 94.99% <0.00%> (-4.22%) ⬇️
lib/internal/crypto/util.js 96.79% <0.00%> (-3.21%) ⬇️
lib/internal/crypto/sig.js 97.54% <0.00%> (-2.46%) ⬇️
lib/internal/source_map/prepare_stack_trace.js 94.95% <0.00%> (-1.69%) ⬇️
lib/internal/crypto/keygen.js 99.20% <0.00%> (-0.49%) ⬇️
lib/internal/modules/cjs/loader.js 94.39% <0.00%> (-0.28%) ⬇️
lib/_http_server.js 98.34% <0.00%> (-0.19%) ⬇️
lib/fs.js 94.13% <0.00%> (-0.13%) ⬇️
... and 52 more

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update dcf708d...9117d4f. Read the comment docs.

@nodejs-github-bot
Copy link
Collaborator

@danbev
Copy link
Member Author

danbev commented Oct 19, 2020

Re-run of failing node-test-commit-linux-containered/ ✔️

@nodejs-github-bot
Copy link
Collaborator

danbev added a commit that referenced this pull request Oct 21, 2020
This commit sets the OpenSSL error mark before calling
X509_STORE_load_locations and pops the error mark afterwards.

The motivation for this is that it is possible that
X509_STORE_load_locations can produce errors if the configuration
option --openssl-system-ca-path file does not exist. Later if a
different function is called which calls an OpenSSL function it could
fail because these errors might still be on the OpenSSL error stack.

Currently, all functions that call NewRootCertStore clear the
OpenSSL error queue upon returning, but this was not the case for
example in v12.18.0.

PR-URL: #35514
Fixes: #35456
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
@danbev
Copy link
Member Author

danbev commented Oct 21, 2020

Landed in 610c68c.

@danbev danbev closed this Oct 21, 2020
@danbev danbev deleted the crypto_system_cert_path branch October 21, 2020 12:36
BethGriggs pushed a commit that referenced this pull request Oct 21, 2020
This commit sets the OpenSSL error mark before calling
X509_STORE_load_locations and pops the error mark afterwards.

The motivation for this is that it is possible that
X509_STORE_load_locations can produce errors if the configuration
option --openssl-system-ca-path file does not exist. Later if a
different function is called which calls an OpenSSL function it could
fail because these errors might still be on the OpenSSL error stack.

Currently, all functions that call NewRootCertStore clear the
OpenSSL error queue upon returning, but this was not the case for
example in v12.18.0.

PR-URL: #35514
Fixes: #35456
Reviewed-By: Rich Trott <rtrott@gmail.com>
Reviewed-By: Anna Henningsen <anna@addaleax.net>
Reviewed-By: Colin Ihrig <cjihrig@gmail.com>
@BethGriggs BethGriggs mentioned this pull request Oct 21, 2020
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Labels
build Issues and PRs related to build files or the CI. c++ Issues and PRs that require attention from people who are familiar with C++. crypto Issues and PRs related to the crypto subsystem.
Projects
None yet
Development

Successfully merging this pull request may close these issues.

Unexpected openssl error with Node 12.18.0 custom build
8 participants