|
 |
e9d329 |
From 36a8bdbc8417506513207daf4f36533a3d6632f3 Mon Sep 17 00:00:00 2001
|
|
|
e9d329 |
From: Timur Pocheptsov <timur.pocheptsov@qt.io>
|
|
|
e9d329 |
Date: Mon, 13 Apr 2020 20:31:34 +0200
|
|
|
e9d329 |
Subject: [PATCH] OpenSSL: handle SSL_shutdown's errors properly
|
|
|
e9d329 |
|
|
|
e9d329 |
Do not call SSL_shutdown on a session that is in handshake state (SSL_in_init(s)
|
|
|
e9d329 |
returns 1). Also, do not call SSL_shutdown if a session encountered a fatal
|
|
|
e9d329 |
error (SSL_ERROR_SYSCALL or SSL_ERROR_SSL was found before). If SSL_shutdown
|
|
|
e9d329 |
was unsuccessful (returned code != 1), we have to clear the error(s) it queued.
|
|
|
e9d329 |
Unfortunately, SSL_in_init was a macro in OpenSSL 1.0.x. We have to
|
|
|
e9d329 |
resolve SSL_state to implement SSL_in_init.
|
|
|
e9d329 |
|
|
|
e9d329 |
Fixes: QTBUG-83450
|
|
|
e9d329 |
Change-Id: I6326119f4e79605429263045ac20605c30dccca3
|
|
|
e9d329 |
Reviewed-by: MÃ¥rten Nordheim <marten.nordheim@qt.io>
|
|
|
e9d329 |
(cherry picked from commit 8907635da59c2ae0e8db01f27b24a841b830e655)
|
|
|
e9d329 |
(cherry picked from commit 8ddffc6ba4f38bb8dbeb0cf61b6b10ee73505bbb)
|
|
|
e9d329 |
---
|
|
|
e9d329 |
|
|
|
e9d329 |
diff --git a/src/network/ssl/qsslsocket.cpp b/src/network/ssl/qsslsocket.cpp
|
|
|
e9d329 |
index 4f49a71..9f9eaf3 100644
|
|
|
e9d329 |
--- a/src/network/ssl/qsslsocket.cpp
|
|
|
e9d329 |
+++ b/src/network/ssl/qsslsocket.cpp
|
|
|
e9d329 |
@@ -2108,7 +2108,7 @@
|
|
|
e9d329 |
shutdown = false;
|
|
|
e9d329 |
pendingClose = false;
|
|
|
e9d329 |
flushTriggered = false;
|
|
|
e9d329 |
-
|
|
|
e9d329 |
+ systemOrSslErrorDetected = false;
|
|
|
e9d329 |
// we don't want to clear the ignoreErrorsList, so
|
|
|
e9d329 |
// that it is possible setting it before connecting
|
|
|
e9d329 |
// ignoreErrorsList.clear();
|
|
|
e9d329 |
diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp
|
|
|
e9d329 |
index ec772dd..c4abc1e 100644
|
|
|
e9d329 |
--- a/src/network/ssl/qsslsocket_openssl.cpp
|
|
|
e9d329 |
+++ b/src/network/ssl/qsslsocket_openssl.cpp
|
|
|
e9d329 |
@@ -471,10 +471,16 @@
|
|
|
e9d329 |
void QSslSocketBackendPrivate::destroySslContext()
|
|
|
e9d329 |
{
|
|
|
e9d329 |
if (ssl) {
|
|
|
e9d329 |
- // We do not send a shutdown alert here. Just mark the session as
|
|
|
e9d329 |
- // resumable for qhttpnetworkconnection's "optimization", otherwise
|
|
|
e9d329 |
- // OpenSSL won't start a session resumption.
|
|
|
e9d329 |
- q_SSL_shutdown(ssl);
|
|
|
e9d329 |
+ if (!q_SSL_in_init(ssl) && !systemOrSslErrorDetected) {
|
|
|
e9d329 |
+ // We do not send a shutdown alert here. Just mark the session as
|
|
|
e9d329 |
+ // resumable for qhttpnetworkconnection's "optimization", otherwise
|
|
|
e9d329 |
+ // OpenSSL won't start a session resumption.
|
|
|
e9d329 |
+ if (q_SSL_shutdown(ssl) != 1) {
|
|
|
e9d329 |
+ // Some error may be queued, clear it.
|
|
|
e9d329 |
+ const auto errors = getErrorsFromOpenSsl();
|
|
|
e9d329 |
+ Q_UNUSED(errors);
|
|
|
e9d329 |
+ }
|
|
|
e9d329 |
+ }
|
|
|
e9d329 |
q_SSL_free(ssl);
|
|
|
e9d329 |
ssl = nullptr;
|
|
|
e9d329 |
}
|
|
|
e9d329 |
@@ -909,6 +915,7 @@
|
|
|
e9d329 |
case SSL_ERROR_SSL: // error in the SSL library
|
|
|
e9d329 |
// we do not know exactly what the error is, nor whether we can recover from it,
|
|
|
e9d329 |
// so just return to prevent an endless loop in the outer "while" statement
|
|
|
e9d329 |
+ systemOrSslErrorDetected = true;
|
|
|
e9d329 |
{
|
|
|
e9d329 |
const ScopedBool bg(inSetAndEmitError, true);
|
|
|
e9d329 |
setErrorAndEmit(QAbstractSocket::SslInternalError,
|
|
|
e9d329 |
@@ -1309,8 +1316,12 @@
|
|
|
e9d329 |
void QSslSocketBackendPrivate::disconnectFromHost()
|
|
|
e9d329 |
{
|
|
|
e9d329 |
if (ssl) {
|
|
|
e9d329 |
- if (!shutdown) {
|
|
|
e9d329 |
- q_SSL_shutdown(ssl);
|
|
|
e9d329 |
+ if (!shutdown && !q_SSL_in_init(ssl) && !systemOrSslErrorDetected) {
|
|
|
e9d329 |
+ if (q_SSL_shutdown(ssl) != 1) {
|
|
|
e9d329 |
+ // Some error may be queued, clear it.
|
|
|
e9d329 |
+ const auto errors = getErrorsFromOpenSsl();
|
|
|
e9d329 |
+ Q_UNUSED(errors);
|
|
|
e9d329 |
+ }
|
|
|
e9d329 |
shutdown = true;
|
|
|
e9d329 |
transmit();
|
|
|
e9d329 |
}
|
|
|
e9d329 |
diff --git a/src/network/ssl/qsslsocket_openssl11_symbols_p.h b/src/network/ssl/qsslsocket_openssl11_symbols_p.h
|
|
|
e9d329 |
index 0c32b0a..c80baa2 100644
|
|
|
e9d329 |
--- a/src/network/ssl/qsslsocket_openssl11_symbols_p.h
|
|
|
e9d329 |
+++ b/src/network/ssl/qsslsocket_openssl11_symbols_p.h
|
|
|
e9d329 |
@@ -186,4 +186,11 @@
|
|
|
e9d329 |
}
|
|
|
e9d329 |
void q_SSL_set_psk_use_session_callback(SSL *s, q_SSL_psk_use_session_cb_func_t);
|
|
|
e9d329 |
|
|
|
e9d329 |
+#if OPENSSL_VERSION_NUMBER < 0x10101000L
|
|
|
e9d329 |
+// What a mess!
|
|
|
e9d329 |
+int q_SSL_in_init(SSL *s);
|
|
|
e9d329 |
+#else
|
|
|
e9d329 |
+int q_SSL_in_init(const SSL *s);
|
|
|
e9d329 |
+#endif // 1.1.1 or 1.1.0
|
|
|
e9d329 |
+
|
|
|
e9d329 |
#endif
|
|
|
e9d329 |
diff --git a/src/network/ssl/qsslsocket_openssl_symbols.cpp b/src/network/ssl/qsslsocket_openssl_symbols.cpp
|
|
|
e9d329 |
index 62ac228..60ba3a0 100644
|
|
|
e9d329 |
--- a/src/network/ssl/qsslsocket_openssl_symbols.cpp
|
|
|
e9d329 |
+++ b/src/network/ssl/qsslsocket_openssl_symbols.cpp
|
|
|
e9d329 |
@@ -161,6 +161,11 @@
|
|
|
e9d329 |
DEFINEFUNC2(void *, OPENSSL_sk_value, OPENSSL_STACK *a, a, int b, b, return nullptr, return)
|
|
|
e9d329 |
DEFINEFUNC(int, SSL_session_reused, SSL *a, a, return 0, return)
|
|
|
e9d329 |
DEFINEFUNC2(unsigned long, SSL_CTX_set_options, SSL_CTX *ctx, ctx, unsigned long op, op, return 0, return)
|
|
|
e9d329 |
+#if OPENSSL_VERSION_NUMBER < 0x10101000L
|
|
|
e9d329 |
+DEFINEFUNC(int, SSL_in_init, SSL *a, a, return 0, return)
|
|
|
e9d329 |
+#else
|
|
|
e9d329 |
+DEFINEFUNC(int, SSL_in_init, const SSL *a, a, return 0, return)
|
|
|
e9d329 |
+#endif
|
|
|
e9d329 |
#ifdef TLS1_3_VERSION
|
|
|
e9d329 |
DEFINEFUNC2(int, SSL_CTX_set_ciphersuites, SSL_CTX *ctx, ctx, const char *str, str, return 0, return)
|
|
|
e9d329 |
DEFINEFUNC2(void, SSL_set_psk_use_session_callback, SSL *ssl, ssl, q_SSL_psk_use_session_cb_func_t callback, callback, return, DUMMYARG)
|
|
|
e9d329 |
@@ -213,6 +218,7 @@
|
|
|
e9d329 |
// Functions below are either deprecated or removed in OpenSSL >= 1.1:
|
|
|
e9d329 |
|
|
|
e9d329 |
DEFINEFUNC(unsigned char *, ASN1_STRING_data, ASN1_STRING *a, a, return nullptr, return)
|
|
|
e9d329 |
+DEFINEFUNC(int, SSL_state, const SSL *a, a, return 0, return)
|
|
|
e9d329 |
|
|
|
e9d329 |
#ifdef SSLEAY_MACROS
|
|
|
e9d329 |
DEFINEFUNC3(void *, ASN1_dup, i2d_of_void *a, a, d2i_of_void *b, b, char *c, c, return nullptr, return)
|
|
|
e9d329 |
@@ -988,6 +994,7 @@
|
|
|
e9d329 |
#if QT_CONFIG(opensslv11)
|
|
|
e9d329 |
|
|
|
e9d329 |
RESOLVEFUNC(OPENSSL_init_ssl)
|
|
|
e9d329 |
+ RESOLVEFUNC(SSL_in_init)
|
|
|
e9d329 |
RESOLVEFUNC(OPENSSL_init_crypto)
|
|
|
e9d329 |
RESOLVEFUNC(ASN1_STRING_get0_data)
|
|
|
e9d329 |
RESOLVEFUNC(EVP_CIPHER_CTX_reset)
|
|
|
e9d329 |
@@ -1060,6 +1067,7 @@
|
|
|
e9d329 |
#else // !opensslv11
|
|
|
e9d329 |
|
|
|
e9d329 |
RESOLVEFUNC(ASN1_STRING_data)
|
|
|
e9d329 |
+ RESOLVEFUNC(SSL_state)
|
|
|
e9d329 |
|
|
|
e9d329 |
#ifdef SSLEAY_MACROS
|
|
|
e9d329 |
RESOLVEFUNC(ASN1_dup)
|
|
|
e9d329 |
diff --git a/src/network/ssl/qsslsocket_opensslpre11_symbols_p.h b/src/network/ssl/qsslsocket_opensslpre11_symbols_p.h
|
|
|
e9d329 |
index 48364ce..c139ecb 100644
|
|
|
e9d329 |
--- a/src/network/ssl/qsslsocket_opensslpre11_symbols_p.h
|
|
|
e9d329 |
+++ b/src/network/ssl/qsslsocket_opensslpre11_symbols_p.h
|
|
|
e9d329 |
@@ -132,6 +132,8 @@
|
|
|
e9d329 |
|
|
|
e9d329 |
int q_SSL_library_init();
|
|
|
e9d329 |
void q_SSL_load_error_strings();
|
|
|
e9d329 |
+int q_SSL_state(const SSL *a);
|
|
|
e9d329 |
+#define q_SSL_in_init(a) (q_SSL_state(a) & SSL_ST_INIT)
|
|
|
e9d329 |
|
|
|
e9d329 |
#if OPENSSL_VERSION_NUMBER >= 0x10001000L
|
|
|
e9d329 |
int q_SSL_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
|
|
|
e9d329 |
diff --git a/src/network/ssl/qsslsocket_p.h b/src/network/ssl/qsslsocket_p.h
|
|
|
e9d329 |
index 6f34c6c..e657987 100644
|
|
|
e9d329 |
--- a/src/network/ssl/qsslsocket_p.h
|
|
|
e9d329 |
+++ b/src/network/ssl/qsslsocket_p.h
|
|
|
e9d329 |
@@ -220,6 +220,7 @@
|
|
|
e9d329 |
bool verifyErrorsHaveBeenIgnored();
|
|
|
e9d329 |
bool paused;
|
|
|
e9d329 |
bool flushTriggered;
|
|
|
e9d329 |
+ bool systemOrSslErrorDetected = false;
|
|
|
e9d329 |
};
|
|
|
e9d329 |
|
|
|
e9d329 |
QT_END_NAMESPACE
|