authorMatt Caswell <matt@openssl.org>2018-06-25 14:51:11 +0100
committerMatt Caswell <matt@openssl.org>2018-06-27 10:03:37 +0100
commit358ffa05cd3a088822c7d06256bc87516d918798 (patch)
tree59682167c740c52c35fa4b55b859cee2499bc16b /ssl
parentba70904949d2f9eec160043bf9a97182b33a2b82 (diff)
Return a fatal error if application data is encountered during shutdown
Currently if you encounter application data while waiting for a close_notify from the peer, and you have called SSL_shutdown() then you will get a -1 return (fatal error) and SSL_ERROR_SYSCALL from SSL_get_error(). This isn't accurate (it should be SSL_ERROR_SSL) and isn't persistent (you can call SSL_shutdown() again and it might then work). We change this into a proper fatal error that is persistent. Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> Reviewed-by: Kurt Roeckx <kurt@roeckx.be> (Merged from https://github.com/openssl/openssl/pull/6340)
Diffstat (limited to 'ssl')
-rw-r--r--ssl/record/rec_layer_s3.c15
-rw-r--r--ssl/ssl_err.c2
2 files changed, 13 insertions, 4 deletions
diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
index e12a2178a4..1628ac8f9a 100644
--- a/ssl/record/rec_layer_s3.c
+++ b/ssl/record/rec_layer_s3.c
@@ -1573,11 +1573,18 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
rbio = SSL_get_rbio(s);
BIO_clear_retry_flags(rbio);
BIO_set_retry_read(rbio);
- return -1;
+ } else {
+ /*
+ * The peer is continuing to send application data, but we have
+ * already sent close_notify. If this was expected we should have
+ * been called via SSL_read() and this would have been handled
+ * above.
+ * No alert sent because we already sent close_notify
+ */
+ SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_SSL3_READ_BYTES,
+ SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY);
}
-
- s->rwstate = SSL_NOTHING;
- return 0;
+ return -1;
}
/*
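Review bot: The new else-branch turns application data received after our close_notify into a persistent fatal error (SSLfatal with SSL_AD_NO_ALERT, then `return -1;`), which changes what callers of SSL_shutdown() observe — SSL_get_error() now yields SSL_ERROR_SSL instead of SSL_ERROR_SYSCALL and a retry of SSL_shutdown() can no longer succeed — yet the diffstat (limited to 'ssl') shows no documentation change; unless that lives in a sibling commit, the SSL_shutdown(3) RETURN VALUES text should gain a sentence such as `If application data is received from the peer after close_notify has been sent, SSL_shutdown() fails with SSL_ERROR_SSL and the connection cannot be used further.` The in-code comment asserts that this branch is reached only once close_notify has already gone out, but the guarding condition of the if/else and the start of ssl3_read_bytes() are outside the hunk, so that claim cannot be confirmed from these lines; naming the tested flag in the comment (e.g. `... we have already sent close_notify (SSL_SENT_SHUTDOWN is set above) ...`) would let a reader verify it in place. The addition of the new reason code to SSL_str_reasons in ssl/ssl_err.c is consistent with this use and needs nothing further.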
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index 03c5bf255e..9ce643ae8e 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -726,6 +726,8 @@ static const ERR_STRING_DATA SSL_str_functs[] = {
};
static const ERR_STRING_DATA SSL_str_reasons[] = {
+ {ERR_PACK(ERR_LIB_SSL, 0, SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY),
+ "application data after close notify"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_APP_DATA_IN_HANDSHAKE),
"app data in handshake"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT),