nic-6443 commented on code in PR #11305:
URL: https://github.com/apache/apisix/pull/11305#discussion_r1619704867


##########
apisix/ssl.lua:
##########
@@ -153,6 +159,9 @@ local function aes_decrypt_pkey(origin, field)
     for _, aes_128_cbc_with_iv in ipairs(aes_128_cbc_with_iv_tbl) do
         local decrypted = aes_128_cbc_with_iv:decrypt(decoded_key)
         if decrypted then
+            if C.ERR_peek_error() then
+                C.ERR_clear_error()
+            end
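
Review bot: the guard `if C.ERR_peek_error() then` on the first added line is always taken, because Lua treats every value other than `nil` and `false` as true, so a return of 0 (empty queue) still enters the branch. Either compare the result against 0 explicitly or drop the guard and call `C.ERR_clear_error()` unconditionally. Separately, the clear sits inside `if decrypted then`, so it runs only after a successful decrypt. If no key in `aes_128_cbc_with_iv_tbl` decrypts the value, the loop ends without clearing and the failed attempts stay in OpenSSL's error queue. Consider clearing after each failed `decrypt` call, or once after the loop, so both outcomes leave the queue clean.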

Review Comment:
   I feel that it is more appropriate to pop up an error when decryption fails. 
Currently, there may be two unexpected behaviors:
   1. When all keys fail to decrypt, the resulting error will be stored in 
OpenSSL's error queue, which may affect subsequent error checks.
   2. When the first key decrypts successfully, no actual error occurs during 
decryption, but we still pop all errors from the queue.


