From 5d69cc567c159641765c6279dc3b1543afd7b6e9 Mon Sep 17 00:00:00 2001 From: Emiel Bruijntjes Date: Fri, 27 Apr 2018 12:38:06 +0200 Subject: [PATCH] more calls to openssl::err_clear_error() to prevent that the error queue contains errors that are not related to the operations that is being checked --- src/linux_tcp/sslconnected.h | 26 ++++++++++++++------------ src/linux_tcp/sslhandshake.h | 4 ++++ src/linux_tcp/sslshutdown.h | 4 ++++ 3 files changed, 22 insertions(+), 12 deletions(-) diff --git a/src/linux_tcp/sslconnected.h b/src/linux_tcp/sslconnected.h index 8ff83bc..07d575f 100644 --- a/src/linux_tcp/sslconnected.h +++ b/src/linux_tcp/sslconnected.h @@ -259,6 +259,10 @@ private: // assume default state _state = state_idle; + // we are going to check for errors after the openssl operations, so we make + // sure that the error queue is currently completely empty + OpenSSL::ERR_clear_error(); + // because the output buffer contains a lot of small buffers, we can do multiple // operations till the buffer is empty (but only if the socket is not also // readable, because then we want to read that data first instead of endless writes @@ -270,9 +274,8 @@ private: // we may have to repeat the operation on failure if (result > 0) continue; - // Check for error and clear the error queue before the next TLS/SSL I/O operation + // check for error auto error = OpenSSL::SSL_get_error(_ssl, result); - OpenSSL::ERR_clear_error(); // the operation failed, we may have to repeat our call return repeat(monitor, state_sending, error); @@ -291,6 +294,10 @@ private: */ TcpState *receive(const Monitor &monitor, bool writable) { + // we are going to check for errors after the openssl operations, so we make + // sure that the error queue is currently completely empty + OpenSSL::ERR_clear_error(); + // start a loop do { 
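Review bot: `OpenSSL::ERR_clear_error()` now runs once before the send loop (hunk -259), and the clear that used to follow `SSL_get_error()` on each failure is removed (hunk -270), so only the first SSL call in the loop is guaranteed to start with an empty error queue. SSL_get_error() consults the calling thread's error queue, so a stale entry can make a retryable WANT_READ/WANT_WRITE result look like a fatal SSL error, which `repeat()` would then presumably treat as a connection failure. The same applies to `receive()` (hunks -291 and -301), where `parse()` runs between iterations and may, depending on what the handlers do, use OpenSSL on this thread, and to the `while (_out)` loop (hunks -406 and -430). I would move the call into each loop body, directly before the sendto/receivefrom call: `OpenSSL::ERR_clear_error();`. The loop bodies are only partly visible in these hunks, so the exact placement should be confirmed against the full functions.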
@@ -301,14 +308,8 @@ private: auto result = _in.receivefrom(_ssl, _connection->expected()); // if this is a failure, we are going to repeat the operation - if (result <= 0) - { - // Check for error and clear the error queue before the next TLS/SSL I/O operation - auto error = OpenSSL::SSL_get_error(_ssl, result); - OpenSSL::ERR_clear_error(); + if (result <= 0) return repeat(monitor, state_receiving, OpenSSL::SSL_get_error(_ssl, result)); - return repeat(monitor, state_receiving, error); - } // go process the received data auto *nextstate = parse(monitor, result); @@ -406,6 +407,10 @@ public: // create an object to wait for the filedescriptor to becomes active Wait wait(_socket); + + // we are going to check for errors after the openssl operations, so we make + // sure that the error queue is currently completely empty + OpenSSL::ERR_clear_error(); // keep looping while we have an outgoing buffer while (_out) @@ -430,9 +435,6 @@ public: // error was returned, so we must investigate what is going on auto error = OpenSSL::SSL_get_error(_ssl, result); - // clear the error queue before the next TLS/SSL I/O operation - OpenSSL::ERR_clear_error(); - // get the next state given the error auto *nextstate = repeat(monitor, state_sending, error); diff --git a/src/linux_tcp/sslhandshake.h b/src/linux_tcp/sslhandshake.h index 064d181..bb5cf30 100644 --- a/src/linux_tcp/sslhandshake.h +++ b/src/linux_tcp/sslhandshake.h @@ -190,6 +190,10 @@ public: // must be the socket if (fd != _socket) return this; + // we are going to check for errors after the openssl operations, so we make + // sure that the error queue is currently completely empty + OpenSSL::ERR_clear_error(); + // start the ssl handshake int result = OpenSSL::SSL_do_handshake(_ssl); diff --git a/src/linux_tcp/sslshutdown.h b/src/linux_tcp/sslshutdown.h index 64791cf..bda7b70 100644 --- a/src/linux_tcp/sslshutdown.h +++ b/src/linux_tcp/sslshutdown.h 
@@ -186,6 +186,10 @@ public: { // the socket must be the one this connection writes to if (fd != _socket) return this; + + // we are going to check for errors after the openssl operations, so we make + // sure that the error queue is currently completely empty + OpenSSL::ERR_clear_error(); // close the connection auto result = OpenSSL::SSL_shutdown(_ssl);