openssl: Clear error queue after an incomplete SSL_shutdown

If the SSL_shutdown-call fails (e.g. because the underlaying socket has
already been closed) OpenSSL puts the corresponding error into the
queue. We don't care about details so we need to clear the queue.

Otherwise the error will be pulled while error checking the next OpenSSL
call of an unrelated connection.

diff --git a/src/lib-ssl-iostream/iostream-openssl.c b/src/lib-ssl-iostream/iostream-openssl.c
index 1e8417dcda4ec3d69913987e0257eab9fa536cd4..b22d746c6788d17cc4d2db922986a6d00886f355 100644 (file)
--- a/src/lib-ssl-iostream/iostream-openssl.c
+++ b/src/lib-ssl-iostream/iostream-openssl.c
@@ -299,7 +299,11 @@ static void openssl_iostream_unref(struct ssl_iostream *ssl_io)
 
 static void openssl_iostream_destroy(struct ssl_iostream *ssl_io)
 {
-       (void)SSL_shutdown(ssl_io->ssl);
+       if (SSL_shutdown(ssl_io->ssl) != 1) {
+               /* if bidirectional shutdown fails we need to clear
+                  the error queue */
+               openssl_iostream_clear_errors();
+       }
        (void)openssl_iostream_more(ssl_io);
        (void)o_stream_flush(ssl_io->plain_output);
        /* close the plain i/o streams, because their fd may be closed soon,

diff --git a/src/login-common/ssl-proxy-openssl.c b/src/login-common/ssl-proxy-openssl.c
index a17ce6629097db2b9cea442d7705f49e049ca246..c6bbb78e2fea0c04b8de8ac4acf02876e8b8cd74 100644 (file)
--- a/src/login-common/ssl-proxy-openssl.c
+++ b/src/login-common/ssl-proxy-openssl.c
@@ -716,7 +716,11 @@ void ssl_proxy_destroy(struct ssl_proxy *proxy)
        if (proxy->io_plain_write != NULL)
                io_remove(&proxy->io_plain_write);
 
-       (void)SSL_shutdown(proxy->ssl);
+       if (SSL_shutdown(proxy->ssl) != 1) {
+               /* if bidirectional shutdown fails we need to clear
+                  the error queue. */
+               openssl_iostream_clear_errors();
+       }
 
        net_disconnect(proxy->fd_ssl);
        net_disconnect(proxy->fd_plain);