From ff56e555abdbd443db192535c105b2cbd374e85f Mon Sep 17 00:00:00 2001 From: Samuel Chiang Date: Wed, 2 Oct 2024 07:07:27 -0700 Subject: [PATCH] Fix OCSP timebomb in tests (#1891) Resolves https://github.com/aws/aws-lc/issues/1889 It turns out the first call to `OCSP_check_validity` in `TestGoodOCSP` will emit two additional errors on to the error stack once the "this update" field is outdated. Clearing the previous additional errors on the stack allows us to check for which specific errors were emitted more accurately. By submitting this pull request, I confirm that my contribution is made under the terms of the Apache 2.0 license and the ISC license. --- crypto/ocsp/ocsp_test.cc | 1 + 1 file changed, 1 insertion(+) diff --git a/crypto/ocsp/ocsp_test.cc b/crypto/ocsp/ocsp_test.cc index 357e5bf564..31ac1f6d7b 100644 --- a/crypto/ocsp/ocsp_test.cc +++ b/crypto/ocsp/ocsp_test.cc @@ -416,6 +416,7 @@ TEST(OCSPTest, TestGoodOCSP) { // This will cause the function to fail in two places, once when checking // if "(current_time + nsec) > thisupd [Status Not Yet Valid]", and a second // time when checking if "nextupd > (current_time - nsec) [Status Expired]". + ERR_clear_error(); EXPECT_FALSE(OCSP_check_validity(thisupd, nextupd, -time(nullptr), -1)); err = ERR_get_error(); EXPECT_EQ(OCSP_R_STATUS_NOT_YET_VALID, ERR_GET_REASON(err));