RepoMirrors
/
haproxy
mirror of http://git.haproxy.org/git/haproxy.git/
1
0
Fork 0
Code Issues Packages Projects Releases Wiki Activity

BUG/MEDIUM: jwt: Clear SSL error queue on error when checking the signature 

When the signature included in a JWT is verified, if an error occurred, one
or more SSL errors are queued and never cleared. These errors may be then
caught by the SSL stack and a fatal SSL error may be erroneously reported
during a SSL received or send.

So we must take care to clear the SSL error queue when the signature
verification failed.

This patch should fix issue #2643. It must be backported as far as 2.6.
This commit is contained in:
Christopher Faulet 2024-07-26 16:47:15 +02:00
parent 4abaadd842
commit 46b1fec0e9
1 changed files with 7 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
src/jwt.c
View File

@ -364,6 +364,13 @@ jwt_jwsverify_rsa_ecdsa(const struct jwt_ctx *ctx, struct buffer *decoded_signat
end:
EVP_MD_CTX_free(evp_md_ctx);
if (retval != JWT_VRFY_OK) {
/* Don't forget to remove SSL errors to be sure they cannot be
* caught elsewhere. The error queue is cleared because it seems
* at least 2 errors are produced.
*/
ERR_clear_error();
}
return retval;
}