diff options
| -rw-r--r-- | lib/libssl/tls13_internal.h | 9 | ||||
| -rw-r--r-- | lib/libssl/tls13_lib.c | 13 | ||||
| -rw-r--r-- | lib/libssl/tls13_record_layer.c | 11 |
3 files changed, 22 insertions, 11 deletions
diff --git a/lib/libssl/tls13_internal.h b/lib/libssl/tls13_internal.h index d8a74ef67a1..4d6d6264338 100644 --- a/lib/libssl/tls13_internal.h +++ b/lib/libssl/tls13_internal.h @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_internal.h,v 1.46 2020/01/23 02:24:38 jsing Exp $ */ +/* $OpenBSD: tls13_internal.h,v 1.47 2020/01/23 02:49:38 jsing Exp $ */ /* * Copyright (c) 2018 Bob Beck <beck@openbsd.org> * Copyright (c) 2018 Theo Buehler <tb@openbsd.org> @@ -33,9 +33,10 @@ __BEGIN_HIDDEN_DECLS #define TLS13_IO_SUCCESS 1 #define TLS13_IO_EOF 0 #define TLS13_IO_FAILURE -1 -#define TLS13_IO_WANT_POLLIN -2 -#define TLS13_IO_WANT_POLLOUT -3 -#define TLS13_IO_USE_LEGACY -4 +#define TLS13_IO_ALERT -2 +#define TLS13_IO_WANT_POLLIN -3 +#define TLS13_IO_WANT_POLLOUT -4 +#define TLS13_IO_USE_LEGACY -5 #define TLS13_ERR_VERIFY_FAILED 16 #define TLS13_ERR_HRR_FAILED 17 diff --git a/lib/libssl/tls13_lib.c b/lib/libssl/tls13_lib.c index 51a2a383ed2..727f617471c 100644 --- a/lib/libssl/tls13_lib.c +++ b/lib/libssl/tls13_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_lib.c,v 1.21 2020/01/22 13:10:51 jsing Exp $ */ +/* $OpenBSD: tls13_lib.c,v 1.22 2020/01/23 02:49:38 jsing Exp $ */ /* * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> * Copyright (c) 2019 Bob Beck <beck@openbsd.org> @@ -349,6 +349,10 @@ tls13_legacy_error(SSL *ssl) struct tls13_ctx *ctx = ssl->internal->tls13; int reason = SSL_R_UNKNOWN; + /* If we received a fatal alert we already put an error on the stack. */ + if (S3I(ssl)->fatal_alert != 0) + return; + switch (ctx->error.code) { case TLS13_ERR_VERIFY_FAILED: reason = SSL_R_CERTIFICATE_VERIFY_FAILED; @@ -384,8 +388,11 @@ tls13_legacy_return_code(SSL *ssl, ssize_t ret) return 0; case TLS13_IO_FAILURE: - if (S3I(ssl)->fatal_alert == 0) - tls13_legacy_error(ssl); + tls13_legacy_error(ssl); + return -1; + + case TLS13_IO_ALERT: + tls13_legacy_error(ssl); return -1; case TLS13_IO_WANT_POLLIN: diff --git a/lib/libssl/tls13_record_layer.c b/lib/libssl/tls13_record_layer.c index 4de73409994..f6dbbf1550b 100644 --- a/lib/libssl/tls13_record_layer.c +++ b/lib/libssl/tls13_record_layer.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_record_layer.c,v 1.22 2020/01/22 06:23:00 jsing Exp $ */ +/* $OpenBSD: tls13_record_layer.c,v 1.23 2020/01/23 02:49:38 jsing Exp $ */ /* * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> * @@ -278,7 +278,7 @@ tls13_record_layer_process_alert(struct tls13_record_layer *rl) } else if (alert_level == SSL3_AL_FATAL) { rl->read_closed = 1; rl->write_closed = 1; - ret = TLS13_IO_FAILURE; /* XXX - ALERT? */ + ret = TLS13_IO_ALERT; } else return tls13_send_alert(rl, SSL_AD_ILLEGAL_PARAMETER); @@ -293,8 +293,11 @@ tls13_record_layer_send_alert(struct tls13_record_layer *rl) /* This has to fit into a single record, per RFC 8446 section 5.1. */ if ((ret = tls13_record_layer_write_record(rl, SSL3_RT_ALERT, - rl->alert_data, rl->alert_len)) != rl->alert_len) + rl->alert_data, rl->alert_len)) != rl->alert_len) { + if (ret == TLS13_IO_EOF) + ret = TLS13_IO_ALERT; return ret; + } freezero(rl->alert_data, rl->alert_len); rl->alert_data = NULL; @@ -309,7 +312,7 @@ tls13_record_layer_send_alert(struct tls13_record_layer *rl) } else { rl->read_closed = 1; rl->write_closed = 1; - ret = TLS13_IO_SUCCESS; /* XXX - ALERT? */ + ret = TLS13_IO_ALERT; } return ret; |