From: Christopher Faulet Date: Fri, 26 Jul 2024 14:47:15 +0000 (+0200) Subject: BUG/MEDIUM: jwt: Clear SSL error queue on error when checking the signature X-Git-Tag: v3.1-dev5~72 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=46b1fec0e9a6afe2c12fd4dff7c8a0d788aa6dd4;p=thirdparty%2Fhaproxy.git BUG/MEDIUM: jwt: Clear SSL error queue on error when checking the signature When the signature included in a JWT is verified, if an error occurred, one or more SSL errors are queued and never cleared. These errors may be then caught by the SSL stack and a fatal SSL error may be erroneously reported during a SSL received or send. So we must take care to clear the SSL error queue when the signature verification failed. This patch should fix issue #2643. It must be backported as far as 2.6. --- diff --git a/src/jwt.c b/src/jwt.c index 6c4cbd3102..aa5367ceba 100644 --- a/src/jwt.c +++ b/src/jwt.c @@ -364,6 +364,13 @@ jwt_jwsverify_rsa_ecdsa(const struct jwt_ctx *ctx, struct buffer *decoded_signat end: EVP_MD_CTX_free(evp_md_ctx); + if (retval != JWT_VRFY_OK) { + /* Don't forget to remove SSL errors to be sure they cannot be + * caught elsewhere. The error queue is cleared because it seems + * at least 2 errors are produced. + */ + ERR_clear_error(); + } return retval; }
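Review bot: The comment added under `end:` ("it seems at least 2 errors are produced") reads as a guess and undersells what the call does; `ERR_clear_error()` empties the whole thread-local OpenSSL error queue regardless of how many entries the EVP verification calls pushed, so the comment should state the intent rather than a count, e.g. "Discard every error left on the queue by the failed EVP verification so the SSL stack does not later report it as a fatal error on a read or write." Placing the cleanup after `EVP_MD_CTX_free()` under the shared `end:` label is the right spot, since it covers every early-exit path that jumps there with `retval != JWT_VRFY_OK`; the one consequence worth a sentence in the commit message is that any unrelated error already pending on the queue before verification started is discarded as well, which is acceptable here but should be stated for the backport to 2.6.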