summaryrefslogtreecommitdiff
path: root/lib
diff options
context:
space:
mode:
authorTheo Buehler <tb@cvs.openbsd.org>2021-04-07 21:48:24 +0000
committerTheo Buehler <tb@cvs.openbsd.org>2021-04-07 21:48:24 +0000
commitc1bc734a64244859d65430f000adc25ed248d9f1 (patch)
tree0165070d5c187222724450e04bae8265cfe2d4a4 /lib
parent50d68127747a5c9aa2dac261206ee3e91e707991 (diff)
Avoid clobbering the error code when sending an alert
In order to fail gracefully on encountering a self-signed cert, curl looks at the top-most error on the stack and needs specific SSL_R_ error codes. This mechanism was broken when the tls13_alert_sent_cb() was added after people complained about unhelpful unknown errors. Fix this by only setting the error code from a fatal alert if no error has been set previously. Issue reported by Christopher Reid ok jsing
Diffstat (limited to 'lib')
-rw-r--r--lib/libssl/tls13_lib.c5
1 files changed, 3 insertions, 2 deletions
diff --git a/lib/libssl/tls13_lib.c b/lib/libssl/tls13_lib.c
index 9dbb7d64303..f064521c8b5 100644
--- a/lib/libssl/tls13_lib.c
+++ b/lib/libssl/tls13_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_lib.c,v 1.58 2021/03/21 18:36:34 jsing Exp $ */
+/* $OpenBSD: tls13_lib.c,v 1.59 2021/04/07 21:48:23 tb Exp $ */
/*
* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
* Copyright (c) 2019 Bob Beck <beck@openbsd.org>
@@ -147,7 +147,8 @@ tls13_alert_sent_cb(uint8_t alert_desc, void *arg)
}
/* All other alerts are treated as fatal in TLSv1.3. */
- SSLerror(ctx->ssl, SSL_AD_REASON_OFFSET + alert_desc);
+ if (ctx->error.code == 0)
+ SSLerror(ctx->ssl, SSL_AD_REASON_OFFSET + alert_desc);
}
static void