Commit ba709049 authored by Matt Caswell's avatar Matt Caswell
Browse files

Return SSL_ERROR_WANT_READ if SSL_shutdown() encounters handshake data 



In the case where we are shutdown for writing and awaiting a close_notify
back from a subsequent SSL_shutdown() call we skip over handshake data
that is received. This should not be treated as an error - instead it
should be signalled with SSL_ERROR_WANT_READ.

Reviewed-by: default avatarBernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: default avatarKurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6340)
parent c748834f

ssl/record/rec_layer_s3.c

+15 −5
Original line number Diff line number Diff line
@@ -1560,13 +1560,23 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf, 
         * so we won't be able to read a close_notify sent afterwards! We don't

         * support that.

         */

        s->rwstate = SSL_NOTHING;

        SSL3_RECORD_set_length(rr, 0);

        SSL3_RECORD_set_read(rr);



        if (SSL3_RECORD_get_type(rr) == SSL3_RT_HANDSHAKE

                && (s->mode & SSL_MODE_AUTO_RETRY) != 0)

        if (SSL3_RECORD_get_type(rr) == SSL3_RT_HANDSHAKE) {

            BIO *rbio;



            if ((s->mode & SSL_MODE_AUTO_RETRY) != 0)

                goto start;



            s->rwstate = SSL_READING;

            rbio = SSL_get_rbio(s);

            BIO_clear_retry_flags(rbio);

            BIO_set_retry_read(rbio);

            return -1;

        }



        s->rwstate = SSL_NOTHING;

        return 0;

    }

test/sslapitest.c

+6 −6
Original line number Diff line number Diff line
@@ -5051,12 +5051,7 @@ static int test_shutdown(int tst) 
    }



    /* Writing on the client after sending close_notify shouldn't be possible */

    if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written))

               /*

                * Writing on the server after sending close_notify shouldn't be

                * possible.

                */

            || !TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))

    if (!TEST_false(SSL_write_ex(clientssl, msg, sizeof(msg), &written)))

        goto end;



    if (tst < 4) {
@@ -5066,6 +5061,11 @@ static int test_shutdown(int tst) 
         * yet.

         */

        if (!TEST_int_eq(SSL_shutdown(serverssl), 0)

                   /*

                    * Writing on the server after sending close_notify shouldn't

                    * be possible.

                    */

                || !TEST_false(SSL_write_ex(serverssl, msg, sizeof(msg), &written))

                || !TEST_int_eq(SSL_shutdown(clientssl), 1)

                || !TEST_int_eq(SSL_shutdown(serverssl), 1))

            goto end;