BUG/MEDIUM: jwt: Clear SSL error queue on error when checking the signature
When the signature included in a JWT is verified, if an error occurred, one or more SSL errors are queued and never cleared. These errors may then be caught by the SSL stack, and a fatal SSL error may be erroneously reported during an SSL receive or send. So we must take care to clear the SSL error queue when the signature verification failed.

This patch should fix issue #2643. It must be backported as far as 2.6.

(cherry picked from commit 46b1fec0e9a6afe2c12fd4dff7c8a0d788aa6dd4)
Signed-off-by: Willy Tarreau <w@1wt.eu>
committed by Willy Tarreau
parent 3b51c3db6f
commit 22ef1a993a
@ -364,6 +364,13 @@ jwt_jwsverify_rsa_ecdsa(const struct jwt_ctx *ctx, struct buffer *decoded_signat
end:
EVP_MD_CTX_free(evp_md_ctx);
if (retval != JWT_VRFY_OK) {
/* Don't forget to remove SSL errors to be sure they cannot be
* caught elsewhere. The error queue is cleared because it seems
* at least 2 errors are produced.
*/
ERR_clear_error();
}
return retval;
}
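Review bot: the new comment in this hunk ("it seems at least 2 errors are produced") leaves the reader guessing; state plainly that a failed EVP_DigestVerifyInit/EVP_DigestVerify (whichever call fails in the body above) can push several entries onto the thread's OpenSSL error queue, which is why a single ERR_get_error() would not be enough and ERR_clear_error() is used. Also worth noting in the same comment that ERR_clear_error() discards every pending error on the thread, not just the ones raised here, so the hunk assumes the queue was empty when jwt_jwsverify_rsa_ecdsa() was entered; if that assumption is not guaranteed by callers, clearing the queue before the first EVP call (or documenting the precondition) would make the intent explicit.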