From fe20f8fe25ef06646f4b68b5565ce35f209b59ee Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Tue, 14 Aug 2018 12:49:19 +0200 Subject: [PATCH 1/2] Do not remove errors from the OpenSSL error queue in toresult() dst__openssl_toresult3() first calls toresult() and subsequently uses ERR_get_error_line_data() in a loop. Given this, it is a mistake to use ERR_get_error() in toresult() because it causes the retrieved error to be removed from the OpenSSL error queue, thus preventing it from being retrieved by the subsequent ERR_get_error_line_data() calls. Fix by using ERR_peek_error() instead of ERR_get_error() in toresult(). --- lib/dns/openssl_link.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/lib/dns/openssl_link.c b/lib/dns/openssl_link.c index 8d49899ef7..d24b4f438c 100644 --- a/lib/dns/openssl_link.c +++ b/lib/dns/openssl_link.c @@ -270,7 +270,7 @@ dst__openssl_destroy(void) { static isc_result_t toresult(isc_result_t fallback) { isc_result_t result = fallback; - unsigned long err = ERR_get_error(); + unsigned long err = ERR_peek_error(); #if defined(ECDSA_R_RANDOM_NUMBER_GENERATION_FAILED) int lib = ERR_GET_LIB(err); #endif From cab7c34fbdba36019ac6383abb45a3966f24b2a9 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?Micha=C5=82=20K=C4=99pie=C5=84?= Date: Tue, 14 Aug 2018 12:49:19 +0200 Subject: [PATCH 2/2] Add CHANGES entry 5009. [bug] Upon an OpenSSL failure, the first error in the OpenSSL error queue was not logged. [GL #476] --- CHANGES | 3 +++ 1 file changed, 3 insertions(+) diff --git a/CHANGES b/CHANGES index 1464989720..6956376258 100644 --- a/CHANGES +++ b/CHANGES @@ -1,3 +1,6 @@ +5009. [bug] Upon an OpenSSL failure, the first error in the OpenSSL + error queue was not logged. [GL #476] + 5008. [bug] "rndc signing -nsec3param ..." requests were silently ignored for zones which were not yet loaded or transferred. [GL #468]
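Review bot: In the `toresult()` hunk of lib/dns/openssl_link.c, changing `unsigned long err = ERR_get_error();` to `ERR_peek_error()` means `toresult()` no longer consumes anything from the OpenSSL error queue, so every caller now has to drain or clear the queue itself. The commit message covers dst__openssl_toresult3(), which follows up with an ERR_get_error_line_data() loop. Please confirm that any other caller of toresult() ends with ERR_clear_error() or an equivalent drain; otherwise a stale entry can stay on the queue and be picked up by a later, unrelated failure report. A short comment on the changed line saying that the peek is deliberate, and why, would keep someone from switching it back to ERR_get_error() later.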