From: Jim Jagielski Date: Mon, 21 Nov 2016 12:17:46 +0000 (+0000) Subject: Merge r1769332 from trunk: X-Git-Tag: 2.4.24~117 X-Git-Url: http://git.ipfire.org/cgi-bin/gitweb.cgi?a=commitdiff_plain;h=87d8774489d998541365e968548afc7df5061baa;p=thirdparty%2Fapache%2Fhttpd.git Merge r1769332 from trunk: ssl: clear the error queue before SSL_read/write/accept() If other modules or libraries do not clear the OpenSSL error queue after a failed operation, other code that relies on SSL_get_error() -- in particular, code that deals with SSL_ERROR_WANT_READ/WRITE logic -- will malfunction later on. To prevent this, explicitly clear the error queue before calls like SSL_read/write/accept(). PR: 60223 Submitted by: Paul Spangler Submitted by: jchampion Reviewed/backported by: jim git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/branches/2.4.x@1770673 13f79535-47bb-0310-9956-ffa450edef68
---
diff --git a/STATUS b/STATUS
index 83b38971bb1..869f2e80212 100644
--- a/STATUS
+++ b/STATUS
@@ -117,11 +117,6 @@ RELEASE SHOWSTOPPERS:
 PATCHES ACCEPTED TO BACKPORT FROM TRUNK:
 [ start all new proposals below, under PATCHES PROPOSED. ]
- *) ssl: clear the error queue before SSL_read/write/accept(). PR60223
- trunk patch: http://svn.apache.org/r1769332
- 2.4.x patch: https://home.apache.org/~jchampion/patches/2.4.x-ssl-error-queue.patch
- +1: jchampion, rpluem, wrowe
-
 *) CMake: fix various issues for Windows/Visual Studio build environments. PR59685.
 trunk patch: http://svn.apache.org/r1752331
diff --git a/modules/ssl/ssl_engine_io.c b/modules/ssl/ssl_engine_io.c
index 20e9136048d..82953ad0ac8 100644
--- a/modules/ssl/ssl_engine_io.c
+++ b/modules/ssl/ssl_engine_io.c
@@ -602,6 +602,11 @@ static apr_status_t ssl_io_input_read(bio_filter_in_ctx_t *inctx,
 break;
 }
+ /* We rely on SSL_get_error() after the read, which requires an empty
+ * error queue before the read in order to work properly.
+ */
+ ERR_clear_error();
+
 /* SSL_read may not read because we haven't taken enough data
 * from the stack. This is where we want to consider all of
 * the blocking and SPECULATIVE semantics
@@ -779,6 +784,11 @@ static apr_status_t ssl_filter_write(ap_filter_t *f,
 return APR_EGENERAL;
 }
+ /* We rely on SSL_get_error() after the write, which requires an empty error
+ * queue before the write in order to work properly.
+ */
+ ERR_clear_error();
+
 outctx = (bio_filter_out_ctx_t *)filter_ctx->pbioWrite->ptr;
 res = SSL_write(filter_ctx->pssl, (unsigned char *)data, len);
@@ -1250,6 +1260,11 @@ static apr_status_t ssl_io_filter_handshake(ssl_filter_ctx_t *filter_ctx)
 return APR_SUCCESS;
 }
+ /* We rely on SSL_get_error() after the accept, which requires an empty
+ * error queue before the accept in order to work properly.
+ */
+ ERR_clear_error();
+
 if ((n = SSL_accept(filter_ctx->pssl)) <= 0) {
 bio_filter_in_ctx_t *inctx = (bio_filter_in_ctx_t *) (filter_ctx->pbioRead->ptr);
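Review bot: Stale queue entries are thrown away silently by the added `ERR_clear_error()` before `SSL_read` in ssl_io_input_read, and the same applies to the calls before `SSL_write` in ssl_filter_write and before `SSL_accept` in ssl_io_filter_handshake, so the module or library that failed to clean up after itself stays invisible to operators. A cheap guard such as `if (ERR_peek_error() != 0) { /* log the stale OpenSSL error at trace level */ }` ahead of each clear would keep the fix while making the offender findable. The three comments say what SSL_get_error() needs but not why the queue might be dirty; the cause from the commit message belongs in the code, e.g. `/* Other modules or libraries may leave stale errors in the queue, which makes SSL_get_error() misreport this call; clear it first. */`. All three functions begin and end outside their hunks, so any other TLS I/O call in them whose result is passed to SSL_get_error() is not visible here and may need the same clear.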