BUG/MEDIUM: jwt: Clear SSL error queue on error when checking the signature

When the signature included in a JWT is verified, if an error occurred, one
or more SSL errors are queued and never cleared. These errors may then be
caught by the SSL stack and a fatal SSL error may be erroneously reported
during an SSL receive or send.

So we must take care to clear the SSL error queue when the signature
verification failed.

This patch should fix issue #2643. It must be backported as far as 2.6.

(cherry picked from commit 46b1fec0e9a6afe2c12fd4dff7c8a0d788aa6dd4)
Signed-off-by: Willy Tarreau <w@1wt.eu>
(cherry picked from commit 22ef1a993a16f22085353a5e585d259fd518ac4e)
Signed-off-by: Willy Tarreau <w@1wt.eu>
(cherry picked from commit 036adea78f623ae7ee43bf98b8a17040b8a4ce5a)
Signed-off-by: Willy Tarreau <w@1wt.eu>
diff --git a/src/jwt.c b/src/jwt.c
index 6c4cbd3..aa5367c 100644
--- a/src/jwt.c
+++ b/src/jwt.c
@@ -364,6 +364,13 @@
 
 end:
 	EVP_MD_CTX_free(evp_md_ctx);
+	if (retval != JWT_VRFY_OK) {
+		/* Don't forget to remove SSL errors to be sure they cannot be
+		 * caught elsewhere. The error queue is cleared because it seems
+		 * at least 2 errors are produced.
+		 */
+		ERR_clear_error();
+	}
 	return retval;
 }
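
Review bot: the `retval != JWT_VRFY_OK` guard under the `end:` label leaves the OpenSSL error queue untouched on the success path, and the comment's "it seems at least 2 errors are produced" does not say which calls push them. If any step can queue an error while the function still ends with JWT_VRFY_OK, those entries stay in the queue for the next SSL receive or send to pick up. Consider calling ERR_clear_error() unconditionally after EVP_MD_CTX_free(), or state in the comment why the success path cannot leave entries and name the calls that produce the errors. It is also worth confirming that every failure exit in this function reaches `end:`, since a direct return earlier in the function would bypass the clear.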