Commit 6c41094a authored by Jim Jagielski's avatar Jim Jagielski

Merge r1769332 from trunk:

ssl: clear the error queue before SSL_read/write/accept()

If other modules or libraries do not clear the OpenSSL error queue after
a failed operation, other code that relies on SSL_get_error() -- in
particular, code that deals with SSL_ERROR_WANT_READ/WRITE logic -- will
malfunction later on. To prevent this, explicitly clear the error queue
before calls like SSL_read/write/accept().

PR: 60223
Submitted by: Paul Spangler <paul.spangler ni.com>
Submitted by: jchampion
Reviewed/backported by: jim


git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1770673 13f79535-47bb-0310-9956-ffa450edef68
parent 26ae36eb
+0 −5
@@ -117,11 +117,6 @@ RELEASE SHOWSTOPPERS:
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
  [ start all new proposals below, under PATCHES PROPOSED. ]
  [ start all new proposals below, under PATCHES PROPOSED. ]


  *) ssl: clear the error queue before SSL_read/write/accept(). PR60223
     trunk patch: http://svn.apache.org/r1769332
     2.4.x patch: https://home.apache.org/~jchampion/patches/2.4.x-ssl-error-queue.patch
     +1: jchampion, rpluem, wrowe

  *) CMake: fix various issues for Windows/Visual Studio build environments.
  *) CMake: fix various issues for Windows/Visual Studio build environments.
     PR59685.
     PR59685.
     trunk patch: http://svn.apache.org/r1752331
     trunk patch: http://svn.apache.org/r1752331
+15 −0
@@ -602,6 +602,11 @@ static apr_status_t ssl_io_input_read(bio_filter_in_ctx_t *inctx,
            break;
            break;
        }
        }


        /* We rely on SSL_get_error() after the read, which requires an empty
         * error queue before the read in order to work properly.
         */
        ERR_clear_error();

        /* SSL_read may not read because we haven't taken enough data
        /* SSL_read may not read because we haven't taken enough data
         * from the stack.  This is where we want to consider all of
         * from the stack.  This is where we want to consider all of
         * the blocking and SPECULATIVE semantics
         * the blocking and SPECULATIVE semantics
@@ -779,6 +784,11 @@ static apr_status_t ssl_filter_write(ap_filter_t *f,
        return APR_EGENERAL;
        return APR_EGENERAL;
    }
    }


    /* We rely on SSL_get_error() after the write, which requires an empty error
     * queue before the write in order to work properly.
     */
    ERR_clear_error();

    outctx = (bio_filter_out_ctx_t *)filter_ctx->pbioWrite->ptr;
    outctx = (bio_filter_out_ctx_t *)filter_ctx->pbioWrite->ptr;
    res = SSL_write(filter_ctx->pssl, (unsigned char *)data, len);
    res = SSL_write(filter_ctx->pssl, (unsigned char *)data, len);


@@ -1250,6 +1260,11 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx)
        return APR_SUCCESS;
        return APR_SUCCESS;
    }
    }


    /* We rely on SSL_get_error() after the accept, which requires an empty
     * error queue before the accept in order to work properly.
     */
    ERR_clear_error();

    if ((n = SSL_accept(filter_ctx->pssl)) <= 0) {
    if ((n = SSL_accept(filter_ctx->pssl)) <= 0) {
        bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)
        bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *)
                                     (filter_ctx->pbioRead->ptr);
                                     (filter_ctx->pbioRead->ptr);
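Review bot: The three added `ERR_clear_error()` calls (before `SSL_read` in ssl_io_input_read, `SSL_write` in ssl_filter_write and `SSL_accept` in ssl_io_filter_handshake) silently discard whatever another module left on the queue, so the component that failed to handle its OpenSSL errors is never identified. Consider testing `ERR_peek_error()` first and logging the stale entries at debug level before clearing, ideally in one small static helper so the comment and call are not repeated three times. The handshake hunk sits directly after an early `return APR_SUCCESS;`, and all three functions begin and end outside the hunks shown. If that earlier branch performs its own handshake call (for example a client-side `SSL_connect`) and then consults `SSL_get_error()`, it presumably needs the same clearing; this cannot be confirmed from the visible lines.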