From 4f984a2fdb3815361f83013c23af0ff5d6d63d67 Mon Sep 17 00:00:00 2001
From: Nikita Popov
Date: Tue, 5 Nov 2019 12:13:46 +0100
Subject: Fixed bug #78775
Clear the OpenSSL error queue before performing SSL stream operations. As we don't control all code that could possibly be using OpenSSL, we can't rely on the error queue being empty.
---
NEWS | 4 ++++
ext/curl/tests/bug78775.phpt | 34 ++++++++++++++++++++++++++++++++++
ext/openssl/xp_ssl.c | 2 ++
3 files changed, 40 insertions(+)
create mode 100644 ext/curl/tests/bug78775.phpt
diff --git a/NEWS b/NEWS
index b56409b4af..9f7bb04eeb 100644
--- a/NEWS
+++ b/NEWS
@@ -26,6 +26,10 @@ PHP NEWS
 non-ascii characters). (mhagstrand)
 . Fixed bug #78747 (OpCache corrupts custom extension result). (Nikita)
 
+- OpenSSL:
+ . Fixed bug #78775 (TLS issues from HTTP request affecting other encrypted
+ connections). (Nikita)
+
 - Reflection:
 . Fixed bug #78697 (ReflectionClass::ImplementsInterface - inaccurate error
 message with traits). (villfa)
diff --git a/ext/curl/tests/bug78775.phpt b/ext/curl/tests/bug78775.phpt
new file mode 100644
index 0000000000..490c168166
--- /dev/null
+++ b/ext/curl/tests/bug78775.phpt
@@ -0,0 +1,34 @@
+--TEST--
+Bug #78775: TLS issues from HTTP request affecting other encrypted connections
+--SKIPIF--
+
+--FILE-- + true, + CURLOPT_SSL_VERIFYPEER => true, + ] +);
+
+var_dump(curl_exec($handle));
+curl_close($handle);
+
+fwrite($sock, "GET / HTTP/1.0\n\n");
+var_dump(fread($sock, 8));
+
+?>
+--EXPECTF--
+resource(%d) of type (stream)
+bool(false)
+string(8) "HTTP/1.0"
diff --git a/ext/openssl/xp_ssl.c b/ext/openssl/xp_ssl.c
index 3df1a1889a..36939de8fe 100644
--- a/ext/openssl/xp_ssl.c
+++ b/ext/openssl/xp_ssl.c
@@ -1873,6 +1873,7 @@ static int php_openssl_enable_crypto(php_stream *stream,
 do {
 struct timeval cur_time, elapsed_time;
 
+ ERR_clear_error();
 if (sslsock->is_client) {
 n = SSL_connect(sslsock->ssl_handle);
 } else {
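Review bot: The request written to the pre-existing TLS stream near the end of the file, `fwrite($sock, "GET / HTTP/1.0\n\n");`, terminates its lines with bare LF although HTTP requires CRLF; a strict server may keep waiting for a real end-of-headers, and the following `fread($sock, 8)` then blocks until the stream timeout instead of producing the expected `HTTP/1.0` probe. `fwrite($sock, "GET / HTTP/1.0\r\n\r\n");` removes the dependency on lenient servers. Most of the `--FILE--` section and the `--SKIPIF--` body did not survive extraction on this page, so the hosts contacted and the skip condition cannot be checked here; from the expected output the test presumably opens a live TLS stream and then issues a curl request that is expected to fail peer verification, so it needs network access and the SKIPIF should skip when that is unavailable, as the other ext/curl tests do.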
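Review bot: The added `ERR_clear_error();` carries no comment, and a later reader will see a call that looks redundant and be tempted to drop it, reintroducing the bug; document why it is load-bearing, e.g. `/* Other users of OpenSSL in this process (e.g. ext/curl) may leave stale entries in the thread's error queue; SSL_get_error() consults that queue when classifying the handshake result, so start from an empty queue (bug #78775). */`. Placing the clear inside the `do {` loop is right, since each SSL_connect attempt (or, presumably, SSL_accept in the `} else {` branch) then starts clean, and the queue is per-thread so no other thread is affected. php_openssl_enable_crypto begins before and ends after this hunk, so the SSL_get_error handling that consumes `n` is not visible here.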
@@ -2045,6 +2046,7 @@ static size_t php_openssl_sockop_io(int read, php_stream *stream, char *buf, siz
 }
 
 /* Now, do the IO operation. Don't block if we can't complete... */
+ ERR_clear_error();
 if (read) {
 nr_bytes = SSL_read(sslsock->ssl_handle, buf, (int)count);
 
-- cgit v1.2.1
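Review bot: `ERR_clear_error()` discards the entire per-thread OpenSSL error queue, which is the same queue PHP's openssl_error_string() drains, so after this change an error left by a preceding openssl_* call that userland has not yet read disappears as soon as any TLS stream performs I/O; that side effect deserves a comment here and a line in the NEWS entry so it is not later filed as a regression. Suggested comment above the call: `/* Stale errors left by other OpenSSL users (e.g. ext/curl) would make SSL_get_error() misreport this read/write, so clear the thread's queue first; this also drops anything openssl_error_string() had not yet consumed (bug #78775). */`. The clear sits directly before the `if (read)` dispatch, so it covers SSL_read and, on the evidence of its placement, the write branch below the hunk on every attempt; the close path of this file is not in the diff, so any SSL_shutdown there presumably still runs against a possibly dirty queue. php_openssl_sockop_io begins before and ends after this hunk.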