1 files changed, 15 insertions, 14 deletions
diff --git a/src/lib/libcrypto/x509/by_dir.c b/src/lib/libcrypto/x509/by_dir.c
index 7e6949e21c..bb14e72806 100644
--- a/src/lib/libcrypto/x509/by_dir.c
+++ b/src/lib/libcrypto/x509/by_dir.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: by_dir.c,v 1.46 2023/12/29 05:33:32 tb Exp $ */
+/* $OpenBSD: by_dir.c,v 1.47 2024/03/25 00:05:49 beck Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
 * All rights reserved.
 *
@@ -56,9 +56,6 @@
 * [including the GNU Public Licence.]
 */
-#include <sys/stat.h>
-#include <sys/types.h>
 #include <errno.h>
 #include <stdio.h>
 #include <string.h>
@@ -331,23 +328,27 @@ get_cert_by_subject(X509_LOOKUP *xl, int type, X509_NAME *name,
                for (;;) {
                        (void) snprintf(b->data, b->max, "%s/%08lx.%s%d",
                            ent->dir, h, postfix, k);
+                        /*
-                        {
+                         * Found one. Attempt to load it. This could fail for
-                                struct stat st;
+                         * any number of reasons from the file can't be opened,
-                                if (stat(b->data, &st) < 0)
+                         * the file contains garbage, etc. Clear the error stack
-                                        break;
+                         * to avoid exposing the lower level error. These all
-                        }
+                         * boil down to "we could not find CA/CRL".
-                        /* found one. */
+                         */
                        if (type == X509_LU_X509) {
                                if ((X509_load_cert_file(xl, b->data,
-                                    ent->dir_type)) == 0)
+                                    ent->dir_type)) == 0) {
+                                        ERR_clear_error();
                                        break;
+                                }
                        } else if (type == X509_LU_CRL) {
                                if ((X509_load_crl_file(xl, b->data,
-                                    ent->dir_type)) == 0)
+                                    ent->dir_type)) == 0) {
+                                        ERR_clear_error();
                                        break;
+                                }
                        }
-                        /* else case will caught higher up */
+                        /* The lack of a CA or CRL will be caught higher up. */
                        k++;
                }

diff --git a/src/lib/libcrypto/x509/by_dir.c b/src/lib/libcrypto/x509/by_dir.c index 7e6949e21c..bb14e72806 100644 --- a/src/lib/libcrypto/x509/by_dir.c +++ b/src/lib/libcrypto/x509/by_dir.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: by_dir.c,v 1.46 2023/12/29 05:33:32 tb Exp $ */	1	/* $OpenBSD: by_dir.c,v 1.47 2024/03/25 00:05:49 beck Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)	2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.	3	* All rights reserved.
4	*	4	*
@@ -56,9 +56,6 @@
56	* [including the GNU Public Licence.]	56	* [including the GNU Public Licence.]
57	*/	57	*/
58		58
59	#include <sys/stat.h>
60	#include <sys/types.h>
61
62	#include <errno.h>	59	#include <errno.h>
63	#include <stdio.h>	60	#include <stdio.h>
64	#include <string.h>	61	#include <string.h>
@@ -331,23 +328,27 @@ get_cert_by_subject(X509_LOOKUP xl, int type, X509_NAME name,
331	for (;;) {	328	for (;;) {
332	(void) snprintf(b->data, b->max, "%s/%08lx.%s%d",	329	(void) snprintf(b->data, b->max, "%s/%08lx.%s%d",
333	ent->dir, h, postfix, k);	330	ent->dir, h, postfix, k);
334		331	/*
335	{	332	* Found one. Attempt to load it. This could fail for
336	struct stat st;	333	* any number of reasons from the file can't be opened,
337	if (stat(b->data, &st) < 0)	334	* the file contains garbage, etc. Clear the error stack
338	break;	335	* to avoid exposing the lower level error. These all
339	}	336	* boil down to "we could not find CA/CRL".
340	/* found one. */	337	*/
341	if (type == X509_LU_X509) {	338	if (type == X509_LU_X509) {
342	if ((X509_load_cert_file(xl, b->data,	339	if ((X509_load_cert_file(xl, b->data,
343	ent->dir_type)) == 0)	340	ent->dir_type)) == 0) {
		341	ERR_clear_error();
344	break;	342	break;
		343	}
345	} else if (type == X509_LU_CRL) {	344	} else if (type == X509_LU_CRL) {
346	if ((X509_load_crl_file(xl, b->data,	345	if ((X509_load_crl_file(xl, b->data,
347	ent->dir_type)) == 0)	346	ent->dir_type)) == 0) {
		347	ERR_clear_error();
348	break;	348	break;
		349	}
349	}	350	}
350	/* else case will caught higher up */	351	/* The lack of a CA or CRL will be caught higher up. */
351	k++;	352	k++;
352	}	353	}
353		354