Add a regression test for error handling and hash_dir
See bug.
Bug: 708
Change-Id: Ic7a8ab069a9149b085480094f434e36cb13b4908
Reviewed-on: https://boringssl-review.googlesource.com/c/boringssl/+/66987
Auto-Submit: David Benjamin <davidben@google.com>
Reviewed-by: Bob Beck <bbe@google.com>
Commit-Queue: David Benjamin <davidben@google.com>
diff --git a/crypto/x509/x509_test.cc b/crypto/x509/x509_test.cc
index 6f08611..d7f4313 100644
--- a/crypto/x509/x509_test.cc
+++ b/crypto/x509/x509_test.cc
@@ -8150,9 +8150,16 @@
EXPECT_EQ(X509_V_OK, test_issuer(old_collide_name2));
// Test a certificate not in the store.
+ ERR_clear_error();
EXPECT_EQ(X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY,
test_issuer("Not In Store"));
+ // Although, internally, this hits the filesystem and finds that a file does
+ // not exist, there should not be anything on the error queue about a
+ // missing file. |X509_verify_cert| generally does not use the error queue,
+ // so it will be empty. See https://crbug.com/boringssl/708.
+ EXPECT_EQ(ERR_get_error(), 0u);
+
// Test CRL handling. First, if we cannot find a CRL, verification will
// fail.
//
diff --git a/include/openssl/x509.h b/include/openssl/x509.h
index 0bff5c3..32e0933 100644
--- a/include/openssl/x509.h
+++ b/include/openssl/x509.h
@@ -3022,6 +3022,9 @@
// |X509_STORE_CTX_get1_chain| may be used to return the verified certificate
// chain. On error, |X509_STORE_CTX_get_error| may be used to return additional
// error information.
+//
+// WARNING: Most failure conditions from this function do not use the error
+// queue. Use |X509_STORE_CTX_get_error| to determine the cause of the error.
OPENSSL_EXPORT int X509_verify_cert(X509_STORE_CTX *ctx);
// X509_STORE_CTX_get0_chain, after a successful |X509_verify_cert| call,