Module: kamailio Branch: master Commit: 4ec11b1a851d321959a0a38041bc7a6ea8107f39 URL: https://github.com/kamailio/kamailio/commit/4ec11b1a851d321959a0a38041bc7a6e...

Author: Xenofon Karamanos xk@gilawa.com Committer: GitHub noreply@github.com Date: 2023-10-24T20:07:36+02:00

cdp: Add and apply cdp_openssl_clear_errors function (#3612)

* cdp: Add and apply cdp_openssl_clear_errors function - add new function to clear OpenSSL errors prior to any SSL_* call

---

Modified: src/modules/cdp/cdp_tls.c Modified: src/modules/cdp/cdp_tls.h Modified: src/modules/cdp/receiver.c

---

Diff: https://github.com/kamailio/kamailio/commit/4ec11b1a851d321959a0a38041bc7a6e... Patch: https://github.com/kamailio/kamailio/commit/4ec11b1a851d321959a0a38041bc7a6e...

---

diff --git a/src/modules/cdp/cdp_tls.c b/src/modules/cdp/cdp_tls.c index 903445b676d..3f1c15fd182 100644 --- a/src/modules/cdp/cdp_tls.c +++ b/src/modules/cdp/cdp_tls.c @@ -164,6 +164,22 @@ int load_certificates(SSL_CTX *ctx, str *cert, str *key) return 0; }

+/* + * Get any leftover errors from OpenSSL and print them. + * ERR_get_error() also removes the error from the OpenSSL error stack. + * This is useful to call before any SSL_* IO calls to make sure + * we don't have any leftover errors from previous calls (OpenSSL docs). + */ +void cdp_openssl_clear_errors(void) +{ + int i; + char err[256]; + while((i = ERR_get_error())) { + ERR_error_string(i, err); + LM_INFO("clearing leftover error before SSL_* calls: %s\n", err); + } +} + SSL *init_ssl_conn(int client_fd, SSL_CTX *ctx) { X509 *cert = NULL; @@ -184,6 +200,7 @@ SSL *init_ssl_conn(int client_fd, SSL_CTX *ctx) goto cleanup; } /* Perform the TLS handshake */ + cdp_openssl_clear_errors(); ssl_ret = SSL_connect(ssl); if(ssl_ret != 1) { error = SSL_get_error(ssl, ssl_ret); diff --git a/src/modules/cdp/cdp_tls.h b/src/modules/cdp/cdp_tls.h index b2e49408b34..a4981fbade9 100644 --- a/src/modules/cdp/cdp_tls.h +++ b/src/modules/cdp/cdp_tls.h @@ -67,6 +67,7 @@ static inline int tls_err_ret(char *s, SSL_CTX *ctx) } while(0)

int tls_parse_method(str *method); +void cdp_openssl_clear_errors(void); void init_ssl_methods(void); SSL_CTX *init_ssl_ctx(int method); SSL *init_ssl_conn(int client_fd, SSL_CTX *ctx); diff --git a/src/modules/cdp/receiver.c b/src/modules/cdp/receiver.c index ceee98127f6..223d14dd403 100644 --- a/src/modules/cdp/receiver.c +++ b/src/modules/cdp/receiver.c @@ -537,6 +537,7 @@ static inline int do_read(serviced_peer_t *sp, char *dst, int n) char *err_str;

if(sp->tls_conn) { + cdp_openssl_clear_errors(); cnt = SSL_read(sp->tls_conn, dst, n); if(unlikely(cnt < 0)) { ssl_err = SSL_get_error(sp->tls_conn, cnt); @@ -687,6 +688,7 @@ static int do_write(serviced_peer_t *sp, const void *buf, int num) char *err_str;

if(sp->tls_conn) { + cdp_openssl_clear_errors(); cnt = SSL_write(sp->tls_conn, buf, num); if(unlikely(cnt <= 0)) { ssl_err = SSL_get_error(sp->tls_conn, cnt);