author | Matt Caswell <matt@openssl.org> | 2015-04-23 20:01:33 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2015-05-05 20:07:48 +0100 |
commit | 189e20c68c2399782034fec9f65d6b9ee88aac3d (patch) | |
tree | d1ca8e73d224109ed1e121b4d1937dabf28603ee | |
parent | 4b771121f2b657f50e8c7a27e9fab0bb043f91bc (diff) |
Add Error state
Reusing an SSL object after it has encountered a fatal error can
have bad consequences. This is a bug in application code, not in libssl,
but libssl should be more forgiving and not crash.
Reviewed-by: Rich Salz <rsalz@openssl.org>
(cherry picked from commit a89db885e0d8aac3a9df1bbccb0c1ddfd8b2e10a)
Conflicts:
ssl/s3_srvr.c
ssl/ssl_stat.c
-rw-r--r-- | ssl/s3_srvr.c | 5 | ||||
-rw-r--r-- | ssl/ssl.h | 1 | ||||
-rw-r--r-- | ssl/ssl_stat.c | 6 |
3 files changed, 11 insertions, 1 deletions
diff --git a/ssl/s3_srvr.c b/ssl/s3_srvr.c
index 92acb0ab06..306959bcbe 100644
--- a/ssl/s3_srvr.c
+++ b/ssl/s3_srvr.c
@@ -857,6 +857,7 @@ int ssl3_accept(SSL *s)
 goto end;
 /* break; */
+ case SSL_ST_ERR:
 default:
 SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_UNKNOWN_STATE);
 ret = -1;
@@ -1489,8 +1490,10 @@ int ssl3_get_client_hello(SSL *s)
 if (0) {
 f_err:
 ssl3_send_alert(s, SSL3_AL_FATAL, al);
- }
 err:
+ s->state = SSL_ST_ERR;
+ }
+
 if (ciphers != NULL)
 sk_SSL_CIPHER_free(ciphers);
 return (ret);
@@ -1544,6 +1544,7 @@ extern "C" {
 # define SSL_ST_BEFORE 0x4000
 # define SSL_ST_OK 0x03
 # define SSL_ST_RENEGOTIATE (0x04|SSL_ST_INIT)
+# define SSL_ST_ERR 0x05
 # define SSL_CB_LOOP 0x01
 # define SSL_CB_EXIT 0x02
diff --git a/ssl/ssl_stat.c b/ssl/ssl_stat.c
index d725d78342..1b9069f978 100644
--- a/ssl/ssl_stat.c
+++ b/ssl/ssl_stat.c
@@ -117,6 +117,9 @@ const char *SSL_state_string_long(const SSL *s)
 case SSL_ST_OK | SSL_ST_ACCEPT:
 str = "ok/accept SSL initialization";
 break;
+ case SSL_ST_ERR:
+ str = "error";
+ break;
 #ifndef OPENSSL_NO_SSL2
 case SSL2_ST_CLIENT_START_ENCRYPTION:
 str = "SSLv2 client start encryption";
@@ -496,6 +499,9 @@ const char *SSL_state_string(const SSL *s)
 case SSL_ST_OK:
 str = "SSLOK ";
 break;
+ case SSL_ST_ERR:
+ str = "SSLERR";
+ break;
 #ifndef OPENSSL_NO_SSL2
 case SSL2_ST_CLIENT_START_ENCRYPTION:
 str = "2CSENC"; |
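Review bot: The new `case SSL_ST_ERR:` in ssl3_accept shares the `default:` body, so an object that was deliberately parked in the error state is reported to the application as `SSL_R_UNKNOWN_STATE`, which is misleading when someone debugs why a second handshake attempt fails. No dedicated reason code is visible on this page, so at minimum the intent should be recorded next to the label, e.g. `/* a previous fatal error left this object unusable; refuse to run the state machine again */`. Only the server side (ssl3_accept) is touched here; ssl3_connect is not part of this commit, so a client object that hit a fatal error presumably still takes whatever path its own default branch provides — worth confirming it gets the same treatment. The switch and the rest of ssl3_accept lie outside the hunk.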
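Review bot: `s->state = SSL_ST_ERR;` is set only on the `err:` path of ssl3_get_client_hello, so the "don't crash on reuse" guarantee described in the commit message holds just for failures in that one message handler; the other handlers driven by ssl3_accept keep their previous state on error unless they are changed elsewhere, which this commit does not show. The new `f_err:` → `err:` fallthrough means alert-sending failures are marked as well, which is right, but the contract deserves a line on the label, e.g. `/* mark the object unusable: ssl3_accept refuses to continue from SSL_ST_ERR */`. The start of ssl3_get_client_hello and the allocation of `ciphers` are outside the hunk.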
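Review bot: `# define SSL_ST_ERR 0x05` carries neither the SSL_ST_INIT bits that the adjacent `SSL_ST_RENEGOTIATE (0x04|SSL_ST_INIT)` keeps nor an SSL_ST_ACCEPT/SSL_ST_CONNECT qualifier, so any caller that keys on SSL_in_init() will presumably see an errored object as "not in a handshake" rather than as failed; whether the I/O paths then treat it as an established connection is not decidable from this page and should be checked. If the intent is "stuck in init forever", defining it as `(0x05|SSL_ST_INIT)` would match the renegotiate pattern; otherwise a comment stating that the value is intentionally outside SSL_ST_INIT would stop the next reader from "fixing" it. The file header for this hunk is missing from the collapsed text; the diffstat attributes it to ssl/ssl.h.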