From: Brian Morris Date: Tue, 24 Jun 2025 20:55:29 +0000 (+0000) Subject: tls: check error when SSL_shutdown fails X-Git-Tag: v26.02-rc0~216 X-Git-Url: https://gerrit.fd.io/r/gitweb?a=commitdiff_plain;h=refs%2Fchanges%2F87%2F43287%2F3;p=vpp.git tls: check error when SSL_shutdown fails this pulls the error from the per-thread error queue, which if not empty could cause the wrong error to be returned elsewhere Type: fix Change-Id: Ie8741f32de61ef1f469e694ac27ee937a45f5b01 Signed-off-by: Brian Morris --- diff --git a/src/plugins/tlsopenssl/tls_openssl.c b/src/plugins/tlsopenssl/tls_openssl.c index a5b6b062c8f..651053b33c6 100644 --- a/src/plugins/tlsopenssl/tls_openssl.c +++ b/src/plugins/tlsopenssl/tls_openssl.c @@ -74,7 +74,11 @@ openssl_ctx_free (tls_ctx_t * ctx) { if (SSL_is_init_finished (oc->ssl) && !(ctx->flags & TLS_CONN_F_PASSIVE_CLOSE)) - SSL_shutdown (oc->ssl); + { + int rv = SSL_shutdown (oc->ssl); + if (rv < 0) + SSL_get_error (oc->ssl, rv); + } if (openssl_main.async) tls_async_evts_free_list (ctx); @@ -187,6 +191,8 @@ openssl_read_from_ssl_into_fifo (svm_fifo_t *f, tls_ctx_t *ctx, u32 max_len) read = SSL_read (ssl, fs[0].data, fs[0].len); if (read <= 0) { + ossl_check_err_is_fatal (ssl, read); + if (openssl_main.async && SSL_want_async (oc->ssl)) { session_t *tls_session = @@ -195,7 +201,6 @@ openssl_read_from_ssl_into_fifo (svm_fifo_t *f, tls_ctx_t *ctx, u32 max_len) tls_session, SSL_ASYNC_EVT_RD, NULL, 0); return 0; } - ossl_check_err_is_fatal (ssl, read); return 0; } @@ -421,7 +426,9 @@ void openssl_confirm_app_close (tls_ctx_t *ctx) { openssl_ctx_t *oc = (openssl_ctx_t *) ctx; - SSL_shutdown (oc->ssl); + int rv = SSL_shutdown (oc->ssl); + if (rv < 0) + SSL_get_error (oc->ssl, rv); if (ctx->flags & TLS_CONN_F_SHUTDOWN_TRANSPORT) tls_shutdown_transport (ctx); else
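Review bot: The added `SSL_get_error (oc->ssl, rv);` in openssl_ctx_free discards its result and, as far as I know, only peeks at the thread's OpenSSL error queue rather than removing entries, so a failed SSL_shutdown would still leave its errors queued for the next TLS operation on this thread. If the aim stated in the commit message is to empty the queue, `if (rv < 0) ERR_clear_error ();` does that directly, and any logging of the failure should happen before the clear. The same two lines are added in openssl_confirm_app_close in the last hunk and have the same problem. The body of openssl_ctx_free starts and ends outside this hunk.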
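Review bot: The result of `ossl_check_err_is_fatal (ssl, read)` is still dropped after the move, so in openssl_read_from_ssl_into_fifo a fatal TLS error and a retryable condition both end in `return 0`, and on the async path the read event still appears to be registered after the check. The helper's definition is not in the hunk, so whether callers are expected to act on its result should be confirmed; if not, `(void) ossl_check_err_is_fatal (ssl, read);` would make the intent explicit. The reorder itself deserves a comment, since the reason is given only in the commit message, e.g. `/* check before the async early return so the error is not left on this thread's queue */`. The function starts and ends outside the hunk.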