From: Nikita Popov <nikita.ppv@gmail.com>
Date: Tue, 5 Nov 2019 11:13:46 +0000 (+0100)
Subject: Fixed bug #78775
X-Git-Tag: php-7.3.12RC1~2^2
X-Git-Url: https://granicus.if.org/sourcecode?a=commitdiff_plain;h=4f984a2fdb3815361f83013c23af0ff5d6d63d67;p=php

Fixed bug #78775

Clear the OpenSSL error queue before performing SSL stream operations.
As we don't control all code that could possibly be using OpenSSL,
we can't rely on the error queue being empty.
---

diff --git a/NEWS b/NEWS
index b56409b4af..9f7bb04eeb 100644
--- a/NEWS
+++ b/NEWS
@@ -26,6 +26,10 @@ PHP                                                                        NEWS
     non-ascii characters). (mhagstrand)
   . Fixed bug #78747 (OpCache corrupts custom extension result). (Nikita)
 
+- OpenSSL:
+  . Fixed bug #78775 (TLS issues from HTTP request affecting other encrypted
+    connections). (Nikita)
+
 - Reflection:
   . Fixed bug #78697 (ReflectionClass::ImplementsInterface - inaccurate error 
     message with traits). (villfa)
diff --git a/ext/curl/tests/bug78775.phpt b/ext/curl/tests/bug78775.phpt
new file mode 100644
index 0000000000..490c168166
--- /dev/null
+++ b/ext/curl/tests/bug78775.phpt
@@ -0,0 +1,34 @@
+--TEST--
+Bug #78775: TLS issues from HTTP request affecting other encrypted connections
+--SKIPIF--
+<?php
+if (!extension_loaded('curl')) die('skip Requires curl');
+if (getenv('SKIP_ONLINE_TESTS')) die('skip Online test');
+?>
+--FILE--
+<?php
+
+$sock = fsockopen("tls://google.com", 443);
+
+var_dump($sock);
+
+$handle = curl_init('https://self-signed.badssl.com/');
+curl_setopt_array(
+    $handle,
+    [
+        CURLOPT_RETURNTRANSFER => true,
+        CURLOPT_SSL_VERIFYPEER => true,
+    ]
+);
+
+var_dump(curl_exec($handle));
+curl_close($handle);
+
+fwrite($sock, "GET / HTTP/1.0\n\n");
+var_dump(fread($sock, 8));
+
+?>
+--EXPECTF--
+resource(%d) of type (stream)
+bool(false)
+string(8) "HTTP/1.0"
diff --git a/ext/openssl/xp_ssl.c b/ext/openssl/xp_ssl.c
index 3df1a1889a..36939de8fe 100644
--- a/ext/openssl/xp_ssl.c
+++ b/ext/openssl/xp_ssl.c
@@ -1873,6 +1873,7 @@ static int php_openssl_enable_crypto(php_stream *stream,
 		do {
 			struct timeval cur_time, elapsed_time;
 
+			ERR_clear_error();
 			if (sslsock->is_client) {
 				n = SSL_connect(sslsock->ssl_handle);
 			} else {
@@ -2045,6 +2046,7 @@ static size_t php_openssl_sockop_io(int read, php_stream *stream, char *buf, siz
 			}
 
 			/* Now, do the IO operation. Don't block if we can't complete... */
+			ERR_clear_error();
 			if (read) {
 				nr_bytes = SSL_read(sslsock->ssl_handle, buf, (int)count);