From: Timo Sirainen <timo.sirainen@open-xchange.com>
Date: Fri, 24 Oct 2025 09:32:41 +0000 (+0300)
Subject: lib-ssl-iostream: Fix potential busy loop when handshake has failed
X-Git-Tag: 2.4.2~14
X-Git-Url: http://git.ipfire.org/gitweb.cgi?a=commitdiff_plain;h=ea080c1778fa1bd3b7da0fb10edc7220b50e8612;p=thirdparty%2Fdovecot%2Fcore.git

lib-ssl-iostream: Fix potential busy loop when handshake has failed

If the stream is already destroyed, handshaking should return -1 as error
instead of "more data needed".

This fixes at least a potential busy loop when login-proxy tries to connect
to a remote server with mismatching SSL certificate name. It was timing
sensitive though, only seeming to happen when running with valgrind.

This code has been there since 9d0640616c30701bed286034840facfb386db90e
---

diff --git a/src/lib-ssl-iostream/iostream-openssl.c b/src/lib-ssl-iostream/iostream-openssl.c
index c0da08388e..3794354ec7 100644
--- a/src/lib-ssl-iostream/iostream-openssl.c
+++ b/src/lib-ssl-iostream/iostream-openssl.c
@@ -594,8 +594,10 @@ static int openssl_iostream_handshake(struct ssl_iostream *ssl_io)
 		return openssl_iostream_bio_sync(ssl_io, OPENSSL_IOSTREAM_SYNC_TYPE_HANDSHAKE);
 
 	/* we are being destroyed, so do not do any more handshaking */
-	if (ssl_io->destroyed)
-		return 0;
+	if (ssl_io->destroyed) {
+		errno = EPIPE;
+		return -1;
+	}
 
 	if (ssl_io->ctx->client_ctx) {
 		while ((ret = SSL_connect(ssl_io->ssl)) <= 0) {