Commit b6eb715075 for openssl.org

commit b6eb715075c1e7d005e543122d82946dc7cc3b08
Author: Dr. David von Oheimb <dev@ddvo.net>
Date:   Thu Oct 23 21:27:43 2025 +0200

    cmp_vfy.c: prevent needless and confusing duplication of diagnostic output on failure validating CMP messages

    Reviewed-by: Daniel Kubec <kubec@openssl.foundation>
    Reviewed-by: Milan Broz <mbroz@openssl.org>
    Reviewed-by: Eugene Syromiatnikov <esyr@openssl.org>
    MergeDate: Wed Jun 10 06:39:00 2026
    (Merged from https://github.com/openssl/openssl/pull/28986)

diff --git a/crypto/cmp/cmp_vfy.c b/crypto/cmp/cmp_vfy.c
index 0c18e8fb29..588649c800 100644
--- a/crypto/cmp/cmp_vfy.c
+++ b/crypto/cmp/cmp_vfy.c
@@ -521,14 +521,14 @@ static int check_msg_find_cert(OSSL_CMP_CTX *ctx, const OSSL_CMP_MSG *msg)

     res = check_msg_all_certs(ctx, msg, 0 /* using ctx->trusted */)
         || check_msg_all_certs(ctx, msg, 1 /* 3gpp */);
-    ctx->log_cb = backup_log_cb;
-    if (res) {
-        /* discard any diagnostic information on trying to use certs */
-        (void)ERR_pop_to_mark();
+
+    ctx->log_cb = backup_log_cb; /* re-enable logging */
+    /* discard any previous diagnostic information on trying to use certs */
+    (void)ERR_pop_to_mark();
+
+    if (res)
         goto end;
-    }
     /* failed finding a sender cert that verifies the message signature */
-    (void)ERR_clear_last_mark();

     sname = X509_NAME_oneline(sender->d.directoryName, NULL, 0);
     skid_str = skid == NULL ? NULL : i2s_ASN1_OCTET_STRING(NULL, skid);
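Review bot: On the failure path, the now unconditional `(void)ERR_pop_to_mark();` drops every error-queue entry recorded while trying candidate certs, so a caller that reads the error queue rather than the log callback sees only what the code after `if (res) goto end;` adds. That code and the matching `ERR_set_mark()` lie outside the hunk, so it cannot be confirmed from here that the reasons for rejecting each cert are reported again. If they are, the comment should say so, for example `/* drop entries from the silent attempts; on failure the diagnostics are produced again below with logging re-enabled */`. A failed CMP message validation is an event operators need to diagnose, so a test asserting that the error queue is non-empty after such a failure would guard against a silent regression.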