src: mark/pop OpenSSL errors in NewRootCertStore

[danbev]

This commit sets the OpenSSL error mark before calling
X509_STORE_load_locations and pops the error mark afterwards.

The motivation for this is that it is possible that
X509_STORE_load_locations can produce errors if the configuration
option --openssl-system-ca-path file does not exist. Later if a
different function is called which calls an OpenSSL function it could
fail because these errors might still be on the OpenSSL error queue.

Currently, all functions that call NewRootCertStore clear the
OpenSSL error queue upon returning, but this was not the case for
example in v12.18.0.

Fixes: #35456

Checklist

• make -j4 test (UNIX), or vcbuild test (Windows) passes
• tests and/or benchmarks are included
• commit message follows commit guidelines

[nodejs-github-bot]

Review requested:

• @nodejs/crypto

[nodejs-github-bot]

CI: https://ci.nodejs.org/job/node-test-pull-request/33425/

[nodejs-github-bot]

CI: https://ci.nodejs.org/job/node-test-pull-request/33426/

[Trott]

@nodejs/platform-smartos This isn't compiling successfully on SmartOS (and there's now a commit to add code to skip SmartOS). Thoughts? You can see the compilation failure in either of the first two CI runs above.

[cjihrig]

I haven't tried to debug this locally, but would #include'ing the .h file instead of the .cc file in the test make any difference?

[danbev]

I haven't tried to debug this locally, but would #include'ing the .h file instead of the .cc file in the test make any difference?

The function node::crypto::NewRootCertStore is static so including the header would not provide access to it unfortunately.

[cjihrig]

The function node::crypto::NewRootCertStore is static so including the header would not provide access to it unfortunately.

Does it need to remain static?

[nodejs-github-bot]

CI: https://ci.nodejs.org/job/node-test-pull-request/33444/

[danbev]

Does it need to remain static?

Good question, I'm not really sure if it does or not.

[jasnell]

I think it would be fine to move the declaration into the header file

[danbev]

@cjihrig @jasnell Sounds good to me, I'll move it into the header. Thanks

[nodejs-github-bot]

CI: https://ci.nodejs.org/job/node-test-pull-request/33698/

[codecov-io]

Codecov Report

Merging #35514 into master will decrease coverage by 0.47%.
The diff coverage is n/a.

@@            Coverage Diff             @@
##           master   #35514      +/-   ##
==========================================
- Coverage   96.87%   96.40%   -0.48%     
==========================================
  Files         212      220       +8     
  Lines       69641    73681    +4040     
==========================================
+ Hits        67466    71031    +3565     
- Misses       2175     2650     +475     

Impacted Files	Coverage Δ
lib/internal/crypto/scrypt.js	28.33% <0.00%> (-71.67%)	⬇️
lib/internal/crypto/diffiehellman.js	92.47% <0.00%> (-6.50%)	⬇️
lib/internal/crypto/keys.js	94.99% <0.00%> (-4.22%)	⬇️
lib/internal/crypto/util.js	96.79% <0.00%> (-3.21%)	⬇️
lib/internal/crypto/sig.js	97.54% <0.00%> (-2.46%)	⬇️
lib/internal/source_map/prepare_stack_trace.js	94.95% <0.00%> (-1.69%)	⬇️
lib/internal/crypto/keygen.js	99.20% <0.00%> (-0.49%)	⬇️
lib/internal/modules/cjs/loader.js	94.39% <0.00%> (-0.28%)	⬇️
lib/_http_server.js	98.34% <0.00%> (-0.19%)	⬇️
lib/fs.js	94.13% <0.00%> (-0.13%)	⬇️
... and 52 more

---

Continue to review full report at Codecov.

Legend - Click here to learn more
Δ = absolute <relative> (impact), ø = not affected, ? = missing data
Powered by Codecov. Last update dcf708d...9117d4f. Read the comment docs.

[nodejs-github-bot]

CI: https://ci.nodejs.org/job/node-test-pull-request/33705/

[danbev]

Re-run of failing node-test-commit-linux-containered/ ✔️

[nodejs-github-bot]

CI: https://ci.nodejs.org/job/node-test-pull-request/33714/

[danbev]

Landed in 610c68c.