Merge pull request #5373 from haydenroche5/error_queue_fix

Fix backwards behavior for various wolfSSL_ERR* functions.
2022-07-21 09:35:21 -06:00 · 2022-07-21 09:35:21 -06:00 · 1281d97b1e
commit 1281d97b1e
parent a4e3dc9638 e6da540fb3
3 changed files with 51 additions and 23 deletions
--- a/src/internal.c
+++ b/src/internal.c
@ -17858,7 +17858,13 @@ static int DoAlert(WOLFSSL* ssl, byte* input, word32* inOutIdx, int* type)
    if (*type == close_notify) {
        ssl->options.closeNotify = 1;
    }
-    WOLFSSL_ERROR(*type);
+    else {
+        /*
+         * A close_notify alert doesn't mean there's been an error, so we only
+         * add other types of alerts to the error queue
+         */
+        WOLFSSL_ERROR(*type);
+    }

    if (IsEncryptionOn(ssl, 0)) {
        *inOutIdx += ssl->keys.padSz;
@ -21508,7 +21514,6 @@ startScr:

    while (ssl->buffers.clearOutputBuffer.length == 0) {
        if ( (ssl->error = ProcessReply(ssl)) < 0) {
-            WOLFSSL_ERROR(ssl->error);
            if (ssl->error == ZERO_RETURN) {
                WOLFSSL_MSG("Zero return, no more data coming");
                return 0; /* no more data coming */
@ -21521,6 +21526,7 @@ startScr:
                    return 0; /* peer reset or closed */
                }
            }
+            WOLFSSL_ERROR(ssl->error);
            return ssl->error;
        }

--- a/src/ssl.c
+++ b/src/ssl.c
@ -16167,36 +16167,35 @@ cleanup:

    unsigned long wolfSSL_ERR_get_error(void)
    {
+        int ret;
+
        WOLFSSL_ENTER("wolfSSL_ERR_get_error");

 #ifdef WOLFSSL_HAVE_ERROR_QUEUE
-#if defined(OPENSSL_ALL) || defined(WOLFSSL_NGINX) || defined(WOLFSSL_HAPROXY)
-        {
-            unsigned long ret = wolfSSL_ERR_peek_error_line_data(NULL, NULL,
-                                                                 NULL, NULL);
-            wc_RemoveErrorNode(-1);
-            return ret;
-        }
-#else
-        {
-            int ret = wc_PullErrorNode(NULL, NULL, NULL);
-
-            if (ret < 0) {
-                if (ret == BAD_STATE_E) return 0; /* no errors in queue */
+        ret = wc_PullErrorNode(NULL, NULL, NULL);
+        if (ret < 0) {
+            if (ret == BAD_STATE_E) {
+                ret = 0; /* no errors in queue */
+            }
+            else {
                WOLFSSL_MSG("Error with pulling error node!");
                WOLFSSL_LEAVE("wolfSSL_ERR_get_error", ret);
                ret = 0 - ret; /* return absolute value of error */
-
                /* panic and try to clear out nodes */
                wc_ClearErrorNodes();
            }
-
-            return (unsigned long)ret;
        }
-#endif
+        else {
+            wc_RemoveErrorNode(0);
+        }
+
+        return ret;
 #else
+
+        (void)ret;
+
        return (unsigned long)(0 - NOT_COMPILED_IN);
-#endif
+#endif /* WOLFSSL_HAVE_ERROR_QUEUE */
    }

 #ifdef WOLFSSL_HAVE_ERROR_QUEUE
@ -18556,7 +18555,6 @@ size_t wolfSSL_get_client_random(const WOLFSSL* ssl, unsigned char* out,
 #endif /* DEBUG_WOLFSSL */


-    /* @TODO when having an error queue this needs to push to the queue */
    void wolfSSL_ERR_put_error(int lib, int fun, int err, const char* file,
            int line)
    {
@ -32356,7 +32354,7 @@ unsigned long wolfSSL_ERR_peek_error_line_data(const char **file, int *line,
        int ret = 0;

        while (1) {
-            ret = wc_PeekErrorNode(-1, file, NULL, line);
+            ret = wc_PeekErrorNode(0, file, NULL, line);
            if (ret == BAD_MUTEX_E || ret == BAD_FUNC_ARG || ret == BAD_STATE_E) {
                WOLFSSL_MSG("Issue peeking at error node in queue");
                return 0;
@ -32383,7 +32381,7 @@ unsigned long wolfSSL_ERR_peek_error_line_data(const char **file, int *line,
                    ret != -SOCKET_PEER_CLOSED_E && ret != -SOCKET_ERROR_E)
                break;

-            wc_RemoveErrorNode(-1);
+            wc_RemoveErrorNode(0);
        }

        return (unsigned long)ret;
--- a/tests/api.c
+++ b/tests/api.c
@ -38086,6 +38086,29 @@ static void test_wolfSSL_ERR_put_error(void)
    #endif
 }

+/*
+ * This is a regression test for a bug where the peek/get error functions were
+ * drawing from the end of the queue rather than the front.
+ */
+static void test_wolfSSL_ERR_get_error_order(void)
+{
+#ifdef WOLFSSL_HAVE_ERROR_QUEUE
+    printf(testingFmt, "test_wolfSSL_ERR_get_error_order");
+
+    /* Empty the queue. */
+    wolfSSL_ERR_clear_error();
+
+    wolfSSL_ERR_put_error(0, 0, ASN_NO_SIGNER_E, "test", 0);
+    wolfSSL_ERR_put_error(0, 0, ASN_SELF_SIGNED_E, "test", 0);
+
+    AssertIntEQ(wolfSSL_ERR_peek_error(), -ASN_NO_SIGNER_E);
+    AssertIntEQ(wolfSSL_ERR_get_error(), -ASN_NO_SIGNER_E);
+    AssertIntEQ(wolfSSL_ERR_peek_error(), -ASN_SELF_SIGNED_E);
+    AssertIntEQ(wolfSSL_ERR_get_error(), -ASN_SELF_SIGNED_E);
+
+    printf(resultFmt, passed);
+#endif /* WOLFSSL_HAVE_ERROR_QUEUE */
+}

 #ifndef NO_BIO

@ -56069,6 +56092,7 @@ void ApiTest(void)
    test_wolfSSL_PKCS8_d2i();
    test_error_queue_per_thread();
    test_wolfSSL_ERR_put_error();
+    test_wolfSSL_ERR_get_error_order();
 #ifndef NO_BIO
    test_wolfSSL_ERR_print_errors();
 #endif