From a834089f57b0df2804b7aa9e06b8cfb0e800412c Mon Sep 17 00:00:00 2001
From: Brian Morris
Date: Tue, 24 Jun 2025 20:55:29 +0000
Subject: [PATCH] tls: check error when SSL_shutdown fails

this pulls the error from the per-thread error queue, which if not empty could cause the wrong error to be returned elsewhere
Type: fix
Change-Id: Ie8741f32de61ef1f469e694ac27ee937a45f5b01
Signed-off-by: Brian Morris
---
 src/plugins/tlsopenssl/tls_openssl.c | 13 ++++++++++---
 1 file changed, 10 insertions(+), 3 deletions(-)

diff --git a/src/plugins/tlsopenssl/tls_openssl.c b/src/plugins/tlsopenssl/tls_openssl.c
index a5b6b062c8f..651053b33c6 100644
--- a/src/plugins/tlsopenssl/tls_openssl.c
+++ b/src/plugins/tlsopenssl/tls_openssl.c
@@ -74,7 +74,11 @@ openssl_ctx_free (tls_ctx_t * ctx)
 {
 if (SSL_is_init_finished (oc->ssl) &&
 !(ctx->flags & TLS_CONN_F_PASSIVE_CLOSE))
- SSL_shutdown (oc->ssl);
+ {
+ int rv = SSL_shutdown (oc->ssl);
+ if (rv < 0)
+ SSL_get_error (oc->ssl, rv);
+ }
 
 if (openssl_main.async)
 tls_async_evts_free_list (ctx);
@@ -187,6 +191,8 @@ openssl_read_from_ssl_into_fifo (svm_fifo_t *f, tls_ctx_t *ctx, u32 max_len)
 read = SSL_read (ssl, fs[0].data, fs[0].len);
 if (read <= 0)
 {
+ ossl_check_err_is_fatal (ssl, read);
+
 if (openssl_main.async && SSL_want_async (oc->ssl))
 {
 session_t *tls_session =
@@ -195,7 +201,6 @@ openssl_read_from_ssl_into_fifo (svm_fifo_t *f, tls_ctx_t *ctx, u32 max_len)
 tls_session, SSL_ASYNC_EVT_RD, NULL, 0);
 return 0;
 }
- ossl_check_err_is_fatal (ssl, read);
 return 0;
 }
 
@@ -421,7 +426,9 @@ void
 openssl_confirm_app_close (tls_ctx_t *ctx)
 {
 openssl_ctx_t *oc = (openssl_ctx_t *) ctx;
- SSL_shutdown (oc->ssl);
+ int rv = SSL_shutdown (oc->ssl);
+ if (rv < 0)
+ SSL_get_error (oc->ssl, rv);
 if (ctx->flags & TLS_CONN_F_SHUTDOWN_TRANSPORT)
 tls_shutdown_transport (ctx);
 else
-- 
2.16.6
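Review bot: In openssl_ctx_free the result of `SSL_get_error (oc->ssl, rv)` is discarded, and OpenSSL documents that call as inspecting the thread's error queue rather than emptying it, so a failed SSL_shutdown can still leave entries behind that a later connection on the same thread may read as its own failure. If the goal is the one stated in the commit message, clear the queue explicitly, e.g. `if (rv < 0) { (void) SSL_get_error (oc->ssl, rv); ERR_clear_error (); }`, or go through `ossl_check_err_is_fatal` if that helper already drains the queue (its body is not visible in this patch). The same three lines are added to openssl_confirm_app_close in the last hunk, so a small static helper would keep the two shutdown paths in step. Both function bodies extend beyond their hunks.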
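Review bot: With `ossl_check_err_is_fatal (ssl, read)` moved above the `SSL_want_async` test in openssl_read_from_ssl_into_fifo, the helper now also runs when the read is only waiting on an async job, and whatever it returns is still ignored. It is worth confirming that it treats SSL_ERROR_WANT_ASYNC as non-fatal and has no side effect on that path; the helper's body is outside this diff. The new ordering is deliberate but not obvious from the code, so a comment above the call would help, e.g. `/* classify the error before any other OpenSSL call on this thread touches the error queue */`. The function continues outside the hunk.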