authorMatt Caswell <matt@openssl.org>2018-06-21 13:30:38 +0100
committerMatt Caswell <matt@openssl.org>2018-06-27 10:03:20 +0100
commitba70904949d2f9eec160043bf9a97182b33a2b82 (patch)
tree57b3f96794f1fcc0b6ef596decd5fb5ba796d5c2 /ssl
parentc748834ff7af7949519d2820a79ec35e809b5a71 (diff)
Return SSL_ERROR_WANT_READ if SSL_shutdown() encounters handshake data
In the case where we are shut down for writing and awaiting a close_notify back from a subsequent SSL_shutdown() call, we skip over handshake data that is received. This should not be treated as an error - instead it should be signalled with SSL_ERROR_WANT_READ.

Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: Kurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6340)
Diffstat (limited to 'ssl')
-rw-r--r--ssl/record/rec_layer_s3.c20
1 files changed, 15 insertions, 5 deletions
diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
index 5e12c53806..e12a2178a4 100644
--- a/ssl/record/rec_layer_s3.c
+++ b/ssl/record/rec_layer_s3.c
@@ -1553,20 +1553,30 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
* If we've sent a close_notify but not yet received one back then ditch
* anything we read.
*/
- if ((s->shutdown & SSL_SENT_SHUTDOWN) != 0 ) {
+ if ((s->shutdown & SSL_SENT_SHUTDOWN) != 0) {
/*
* In TLSv1.3 this could get problematic if we receive a KeyUpdate
* message after we sent a close_notify because we're about to ditch it,
* so we won't be able to read a close_notify sent afterwards! We don't
* support that.
*/
- s->rwstate = SSL_NOTHING;
SSL3_RECORD_set_length(rr, 0);
SSL3_RECORD_set_read(rr);
- if (SSL3_RECORD_get_type(rr) == SSL3_RT_HANDSHAKE
- && (s->mode & SSL_MODE_AUTO_RETRY) != 0)
- goto start;
+ if (SSL3_RECORD_get_type(rr) == SSL3_RT_HANDSHAKE) {
+ BIO *rbio;
+
+ if ((s->mode & SSL_MODE_AUTO_RETRY) != 0)
+ goto start;
+
+ s->rwstate = SSL_READING;
+ rbio = SSL_get_rbio(s);
+ BIO_clear_retry_flags(rbio);
+ BIO_set_retry_read(rbio);
+ return -1;
+ }
+
+ s->rwstate = SSL_NOTHING;
return 0;
}