[OpenWrt-Devel] [PATCH ustream-ssl] ustream-openssl: clear error stack before SSL_read/SSL_write

Fri, 13 Mar 2020 04:41:51 -0700 

The OpenSSL library uses a global error queue per thread which needs to
be cleared prior to calling I/O functions in order to get reliable error
results.

Failure to do so will lead to stray errors reported by SSL_get_error()
when an unrelated connection within the same thread encountered a TLS
error since the last SSL_read() or SSL_write() on the current connection.

This issue was frequently triggered by Google Chrome which usually
initiates simultaneous TLS connections (presumably for protocol support
probing) and subsequently closes most of them with a "certificate unknown"
TLS error, causing the next SSL_get_error() to report an SSL library error
instead of the expected SSL_WANT_READ or SSL_WANT_WRITE error states.

Solve this issue by invoking ERR_clear_error() prior to invoking SSL_read()
or SSL_write() to ensure that the subsequent SSL_get_error() returns
current valid results.

Signed-off-by: Jo-Philipp Wich <j...@mein.io>
---
 ustream-openssl.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/ustream-openssl.c b/ustream-openssl.c
index 049aa40..f8e848d 100644
--- a/ustream-openssl.c
+++ b/ustream-openssl.c
@@ -266,6 +266,8 @@ __hidden enum ssl_conn_status __ustream_ssl_connect(struct 
ustream_ssl *us)
        void *ssl = us->ssl;
        int r;
 
+       ERR_clear_error();
+
        if (us->server)
                r = SSL_accept(ssl);
        else
@@ -287,7 +289,11 @@ __hidden enum ssl_conn_status __ustream_ssl_connect(struct 
ustream_ssl *us)
 __hidden int __ustream_ssl_write(struct ustream_ssl *us, const char *buf, int 
len)
 {
        void *ssl = us->ssl;
-       int ret = SSL_write(ssl, buf, len);
+       int ret;
+
+       ERR_clear_error();
+
+       ret = SSL_write(ssl, buf, len);
 
        if (ret < 0) {
                int err = SSL_get_error(ssl, ret);
@@ -303,7 +309,11 @@ __hidden int __ustream_ssl_write(struct ustream_ssl *us, 
const char *buf, int le
 
 __hidden int __ustream_ssl_read(struct ustream_ssl *us, char *buf, int len)
 {
-       int ret = SSL_read(us->ssl, buf, len);
+       int ret;
+
+       ERR_clear_error();
+
+       ret = SSL_read(us->ssl, buf, len);
 
        if (ret < 0) {
                ret = SSL_get_error(us->ssl, ret);
-- 
2.25.1


_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel

Reply via email to