Handle SSL_shutdown while in init more appropriately (7bb196a7) · Commits · CYBER - Cyber Security / TS 103 523 MSP / ETS / ETS OpenSSL

include/openssl/ssl.h

+2 −0

Original line number	Diff line number	Diff line
		@@ -1992,6 +1992,7 @@ void ERR_load_SSL_strings(void);
		# define SSL_F_SSL3_SETUP_KEY_BLOCK 157
		# define SSL_F_SSL3_SETUP_READ_BUFFER 156
		# define SSL_F_SSL3_SETUP_WRITE_BUFFER 291
		# define SSL_F_SSL3_SHUTDOWN 396
		# define SSL_F_SSL3_WRITE_BYTES 158
		# define SSL_F_SSL3_WRITE_PENDING 159
		# define SSL_F_SSL_ACCEPT 390
		@@ -2344,6 +2345,7 @@ void ERR_load_SSL_strings(void);
		# define SSL_R_SCSV_RECEIVED_WHEN_RENEGOTIATING 345
		# define SSL_R_SERVERHELLO_TLSEXT 275
		# define SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED 277
		# define SSL_R_SHUTDOWN_WHILE_IN_INIT 407
		# define SSL_R_SIGNATURE_ALGORITHMS_ERROR 360
		# define SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE 220
		# define SSL_R_SRP_A_CALC 361

+15 −0

Original line number	Diff line number	Diff line
		@@ -4328,6 +4328,21 @@ int ssl3_shutdown(SSL *s)
		return (ret);
		}
		} else if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) {
		if (SSL_in_init(s)) {
		/*
		* We can't shutdown properly if we are in the middle of a
		* handshake. Doing so is problematic because the peer may send a
		* CCS before it acts on our close_notify. However we should not
		* continue to process received handshake messages or CCS once our
		* close_notify has been sent. Therefore any close_notify from
		* the peer will be unreadable because we have not moved to the next
		* cipher state. Its best just to avoid this can-of-worms. Return
		* an error if we are wanting to wait for a close_notify from the
		* peer and we are in init.
		*/
		SSLerr(SSL_F_SSL3_SHUTDOWN, SSL_R_SHUTDOWN_WHILE_IN_INIT);
		return -1;
		}
		/*
		* If we are waiting for a close from our peer, we are closed
		*/

+2 −0

Original line number	Diff line number	Diff line
		@@ -128,6 +128,7 @@ static ERR_STRING_DATA SSL_str_functs[] = {
		{ERR_FUNC(SSL_F_SSL3_SETUP_KEY_BLOCK), "ssl3_setup_key_block"},
		{ERR_FUNC(SSL_F_SSL3_SETUP_READ_BUFFER), "ssl3_setup_read_buffer"},
		{ERR_FUNC(SSL_F_SSL3_SETUP_WRITE_BUFFER), "ssl3_setup_write_buffer"},
		{ERR_FUNC(SSL_F_SSL3_SHUTDOWN), "ssl3_shutdown"},
		{ERR_FUNC(SSL_F_SSL3_WRITE_BYTES), "ssl3_write_bytes"},
		{ERR_FUNC(SSL_F_SSL3_WRITE_PENDING), "ssl3_write_pending"},
		{ERR_FUNC(SSL_F_SSL_ACCEPT), "SSL_accept"},
		@@ -577,6 +578,7 @@ static ERR_STRING_DATA SSL_str_reasons[] = {
		{ERR_REASON(SSL_R_SERVERHELLO_TLSEXT), "serverhello tlsext"},
		{ERR_REASON(SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED),
		"session id context uninitialized"},
		{ERR_REASON(SSL_R_SHUTDOWN_WHILE_IN_INIT), "shutdown while in init"},
		{ERR_REASON(SSL_R_SIGNATURE_ALGORITHMS_ERROR),
		"signature algorithms error"},
		{ERR_REASON(SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE),

+1 −4

Original line number	Diff line number	Diff line
		@@ -1564,10 +1564,7 @@ int SSL_shutdown(SSL *s)
		return -1;
		}

		if (!SSL_in_init(s))
		return (s->method->ssl_shutdown(s));
		else
		return (1);
		return s->method->ssl_shutdown(s);
		}

		int SSL_renegotiate(SSL *s)