diff options
| author | Matt Caswell <matt@openssl.org> | 2015-04-30 11:50:08 +0100 |
|---|---|---|
| committer | Matt Caswell <matt@openssl.org> | 2015-05-05 19:45:59 +0100 |
| commit | cefc93910c4c0f7fa9f8c1f8f7aad084a7fa87d2 (patch) | |
| tree | ef440136b62c7458a0f5ed63cf0536302e37f641 | |
| parent | cc273a93617a5c1e69cb5db6f655e463f8e31806 (diff) | |
Add more error state transitions (DTLS)
Ensure all fatal errors transition into the new error state for DTLS.
Reviewed-by: Rich Salz <rsalz@openssl.org>
| -rw-r--r-- | ssl/d1_clnt.c | 10 | ||||
| -rw-r--r-- | ssl/d1_srvr.c | 13 |
2 files changed, 22 insertions, 1 deletions
diff --git a/ssl/d1_clnt.c b/ssl/d1_clnt.c index b8efa88e7b..142438ac1d 100644 --- a/ssl/d1_clnt.c +++ b/ssl/d1_clnt.c @@ -230,6 +230,7 @@ int dtls1_connect(SSL *s) (s->version & 0xff00) != (DTLS1_BAD_VER & 0xff00)) { SSLerr(SSL_F_DTLS1_CONNECT, ERR_R_INTERNAL_ERROR); ret = -1; + s->state = SSL_ST_ERR; goto end; } @@ -239,10 +240,12 @@ int dtls1_connect(SSL *s) if (s->init_buf == NULL) { if ((buf = BUF_MEM_new()) == NULL) { ret = -1; + s->state = SSL_ST_ERR; goto end; } if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) { ret = -1; + s->state = SSL_ST_ERR; goto end; } s->init_buf = buf; @@ -251,12 +254,14 @@ int dtls1_connect(SSL *s) if (!ssl3_setup_buffers(s)) { ret = -1; + s->state = SSL_ST_ERR; goto end; } /* setup buffing BIO */ if (!ssl_init_wbio_buffer(s, 0)) { ret = -1; + s->state = SSL_ST_ERR; goto end; } @@ -435,6 +440,7 @@ int dtls1_connect(SSL *s) */ if (!ssl3_check_cert_and_algorithm(s)) { ret = -1; + s->state = SSL_ST_ERR; goto end; } break; @@ -566,6 +572,7 @@ int dtls1_connect(SSL *s) #endif if (!s->method->ssl3_enc->setup_key_block(s)) { ret = -1; + s->state = SSL_ST_ERR; goto end; } @@ -573,6 +580,7 @@ int dtls1_connect(SSL *s) SSL3_CHANGE_CIPHER_CLIENT_WRITE)) { ret = -1; + s->state = SSL_ST_ERR; goto end; } #ifndef OPENSSL_NO_SCTP @@ -746,6 +754,7 @@ int dtls1_connect(SSL *s) goto end; /* break; */ + case SSL_ST_ERR: default: SSLerr(SSL_F_DTLS1_CONNECT, SSL_R_UNKNOWN_STATE); ret = -1; @@ -826,5 +835,6 @@ static int dtls1_get_hello_verify(SSL *s) f_err: ssl3_send_alert(s, SSL3_AL_FATAL, al); + s->state = SSL_ST_ERR; return -1; } diff --git a/ssl/d1_srvr.c b/ssl/d1_srvr.c index 663f118103..cc4874f239 100644 --- a/ssl/d1_srvr.c +++ b/ssl/d1_srvr.c @@ -238,11 +238,13 @@ int dtls1_accept(SSL *s) if (s->init_buf == NULL) { if ((buf = BUF_MEM_new()) == NULL) { ret = -1; + s->state = SSL_ST_ERR; goto end; } if (!BUF_MEM_grow(buf, SSL3_RT_MAX_PLAIN_LENGTH)) { BUF_MEM_free(buf); ret = -1; + s->state = SSL_ST_ERR; goto end; } s->init_buf = buf; @@ -250,6 +252,7 @@ int dtls1_accept(SSL *s) if (!ssl3_setup_buffers(s)) { ret = -1; + s->state = SSL_ST_ERR; goto end; } @@ -271,6 +274,7 @@ int dtls1_accept(SSL *s) #endif if (!ssl_init_wbio_buffer(s, 1)) { ret = -1; + s->state = SSL_ST_ERR; goto end; } @@ -643,6 +647,7 @@ int dtls1_accept(SSL *s) break; if (!s->s3->handshake_buffer) { SSLerr(SSL_F_DTLS1_ACCEPT, ERR_R_INTERNAL_ERROR); + s->state = SSL_ST_ERR; return -1; } /* @@ -651,8 +656,10 @@ int dtls1_accept(SSL *s) */ if (!(s->s3->flags & SSL_SESS_FLAG_EXTMS)) { s->s3->flags |= TLS1_FLAGS_KEEP_HANDSHAKE; - if (!ssl3_digest_cached_records(s)) + if (!ssl3_digest_cached_records(s)) { + s->state = SSL_ST_ERR; return -1; + } } } else { s->state = SSL3_ST_SR_CERT_VRFY_A; @@ -755,6 +762,7 @@ int dtls1_accept(SSL *s) s->session->cipher = s->s3->tmp.new_cipher; if (!s->method->ssl3_enc->setup_key_block(s)) { ret = -1; + s->state = SSL_ST_ERR; goto end; } @@ -783,6 +791,7 @@ int dtls1_accept(SSL *s) SSL3_CHANGE_CIPHER_SERVER_WRITE)) { ret = -1; + s->state = SSL_ST_ERR; goto end; } @@ -858,6 +867,7 @@ int dtls1_accept(SSL *s) goto end; /* break; */ + case SSL_ST_ERR: default: SSLerr(SSL_F_DTLS1_ACCEPT, SSL_R_UNKNOWN_STATE); ret = -1; @@ -916,6 +926,7 @@ int dtls1_send_hello_verify_request(SSL *s) &(s->d1->cookie_len)) == 0) { SSLerr(SSL_F_DTLS1_SEND_HELLO_VERIFY_REQUEST, ERR_R_INTERNAL_ERROR); + s->state = SSL_ST_ERR; return 0; } |