diff options
| author | tb <> | 2020-08-31 14:04:51 +0000 |
|---|---|---|
| committer | tb <> | 2020-08-31 14:04:51 +0000 |
| commit | f551307b25934acd84205155d6286b2d937e2479 (patch) | |
| tree | 724850986fbe9b93cfd38e922f1d17205d123b6b /src/lib/libssl/ssl_sess.c | |
| parent | 09997f3d41692022beb138f1e238f51af93a8024 (diff) | |
| download | openbsd-f551307b25934acd84205155d6286b2d937e2479.tar.gz openbsd-f551307b25934acd84205155d6286b2d937e2479.tar.bz2 openbsd-f551307b25934acd84205155d6286b2d937e2479.zip | |
Send alert on ssl_get_prev_session failure
ssl_get_prev_session() can fail for various reasons some of which
may be internal_error others decode_error alerts. Propagate the
appropriate alert up to the caller so we can abort the handshake
by sending a fatal alert instead of rudely closing the pipe.
Currently only 28 of 292 test cases of tlsfuzzer's test-extension.py pass.
With this diff, 272 pass. The rest will require fixes elsewhere.
ok beck inoguchi jsing
Diffstat (limited to 'src/lib/libssl/ssl_sess.c')
| -rw-r--r-- | src/lib/libssl/ssl_sess.c | 13 |
1 files changed, 7 insertions, 6 deletions
diff --git a/src/lib/libssl/ssl_sess.c b/src/lib/libssl/ssl_sess.c index 16b4b75bc4..827360176b 100644 --- a/src/lib/libssl/ssl_sess.c +++ b/src/lib/libssl/ssl_sess.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: ssl_sess.c,v 1.85 2019/04/22 15:12:20 jsing Exp $ */ | 1 | /* $OpenBSD: ssl_sess.c,v 1.86 2020/08/31 14:04:51 tb Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -435,10 +435,10 @@ sess_id_done: | |||
| 435 | * to 1 if the server should issue a new session ticket (to 0 otherwise). | 435 | * to 1 if the server should issue a new session ticket (to 0 otherwise). |
| 436 | */ | 436 | */ |
| 437 | int | 437 | int |
| 438 | ssl_get_prev_session(SSL *s, CBS *session_id, CBS *ext_block) | 438 | ssl_get_prev_session(SSL *s, CBS *session_id, CBS *ext_block, int *alert) |
| 439 | { | 439 | { |
| 440 | SSL_SESSION *ret = NULL; | 440 | SSL_SESSION *ret = NULL; |
| 441 | int fatal = 0; | 441 | int alert_desc = SSL_AD_INTERNAL_ERROR, fatal = 0; |
| 442 | int try_session_cache = 1; | 442 | int try_session_cache = 1; |
| 443 | int r; | 443 | int r; |
| 444 | 444 | ||
| @@ -451,7 +451,7 @@ ssl_get_prev_session(SSL *s, CBS *session_id, CBS *ext_block) | |||
| 451 | try_session_cache = 0; | 451 | try_session_cache = 0; |
| 452 | 452 | ||
| 453 | /* Sets s->internal->tlsext_ticket_expected. */ | 453 | /* Sets s->internal->tlsext_ticket_expected. */ |
| 454 | r = tls1_process_ticket(s, session_id, ext_block, &ret); | 454 | r = tls1_process_ticket(s, session_id, ext_block, &alert_desc, &ret); |
| 455 | switch (r) { | 455 | switch (r) { |
| 456 | case -1: /* Error during processing */ | 456 | case -1: /* Error during processing */ |
| 457 | fatal = 1; | 457 | fatal = 1; |
| @@ -591,9 +591,10 @@ err: | |||
| 591 | s->internal->tlsext_ticket_expected = 1; | 591 | s->internal->tlsext_ticket_expected = 1; |
| 592 | } | 592 | } |
| 593 | } | 593 | } |
| 594 | if (fatal) | 594 | if (fatal) { |
| 595 | *alert = alert_desc; | ||
| 595 | return -1; | 596 | return -1; |
| 596 | else | 597 | } else |
| 597 | return 0; | 598 | return 0; |
| 598 | } | 599 | } |
| 599 | 600 | ||