diff options
| author | jsing <> | 2015-08-27 14:34:46 +0000 |
|---|---|---|
| committer | jsing <> | 2015-08-27 14:34:46 +0000 |
| commit | 9385a1fd21f3850678c58b5cc8702c3a54b91ead (patch) | |
| tree | c284333fe8898b330adf198552e397d905674dfe /src/lib/libtls/tls_client.c | |
| parent | 105f7d024b2a7f7397069b4f94f8319797f0b252 (diff) | |
| download | openbsd-9385a1fd21f3850678c58b5cc8702c3a54b91ead.tar.gz openbsd-9385a1fd21f3850678c58b5cc8702c3a54b91ead.tar.bz2 openbsd-9385a1fd21f3850678c58b5cc8702c3a54b91ead.zip | |
Split the persistent/configuration flags from temporary state flags and
ensure that the temporary state flags get cleared in tls_reset(). Fixes a
bug spotted by Marko Kreen whereby TLS_CONNECTING could remain on reset.
While here, also move the TLS_STATE_CONNECTING check to after the
TLS_CLIENT check - if TLS_STATE_CONNECTING was ever set on any other
context type it would allow a bypass.
ok bluhm@
Diffstat (limited to 'src/lib/libtls/tls_client.c')
| -rw-r--r-- | src/lib/libtls/tls_client.c | 14 |
1 files changed, 7 insertions, 7 deletions
diff --git a/src/lib/libtls/tls_client.c b/src/lib/libtls/tls_client.c index 442ba4321e..241c506676 100644 --- a/src/lib/libtls/tls_client.c +++ b/src/lib/libtls/tls_client.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls_client.c,v 1.19 2015/08/22 14:51:34 jsing Exp $ */ | 1 | /* $OpenBSD: tls_client.c,v 1.20 2015/08/27 14:34:46 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> |
| 4 | * | 4 | * |
| @@ -168,14 +168,14 @@ tls_connect_fds(struct tls *ctx, int fd_read, int fd_write, | |||
| 168 | X509 *cert = NULL; | 168 | X509 *cert = NULL; |
| 169 | int ret, err; | 169 | int ret, err; |
| 170 | 170 | ||
| 171 | if (ctx->flags & TLS_CONNECTING) | ||
| 172 | goto connecting; | ||
| 173 | |||
| 174 | if ((ctx->flags & TLS_CLIENT) == 0) { | 171 | if ((ctx->flags & TLS_CLIENT) == 0) { |
| 175 | tls_set_error(ctx, "not a client context"); | 172 | tls_set_error(ctx, "not a client context"); |
| 176 | goto err; | 173 | goto err; |
| 177 | } | 174 | } |
| 178 | 175 | ||
| 176 | if (ctx->state & TLS_STATE_CONNECTING) | ||
| 177 | goto connecting; | ||
| 178 | |||
| 179 | if (fd_read < 0 || fd_write < 0) { | 179 | if (fd_read < 0 || fd_write < 0) { |
| 180 | tls_set_error(ctx, "invalid file descriptors"); | 180 | tls_set_error(ctx, "invalid file descriptors"); |
| 181 | return (-1); | 181 | return (-1); |
| @@ -248,16 +248,16 @@ tls_connect_fds(struct tls *ctx, int fd_read, int fd_write, | |||
| 248 | } | 248 | } |
| 249 | } | 249 | } |
| 250 | 250 | ||
| 251 | connecting: | 251 | connecting: |
| 252 | if ((ret = SSL_connect(ctx->ssl_conn)) != 1) { | 252 | if ((ret = SSL_connect(ctx->ssl_conn)) != 1) { |
| 253 | err = tls_ssl_error(ctx, ctx->ssl_conn, ret, "connect"); | 253 | err = tls_ssl_error(ctx, ctx->ssl_conn, ret, "connect"); |
| 254 | if (err == TLS_READ_AGAIN || err == TLS_WRITE_AGAIN) { | 254 | if (err == TLS_READ_AGAIN || err == TLS_WRITE_AGAIN) { |
| 255 | ctx->flags |= TLS_CONNECTING; | 255 | ctx->state |= TLS_STATE_CONNECTING; |
| 256 | return (err); | 256 | return (err); |
| 257 | } | 257 | } |
| 258 | goto err; | 258 | goto err; |
| 259 | } | 259 | } |
| 260 | ctx->flags &= ~TLS_CONNECTING; | 260 | ctx->state &= ~TLS_STATE_CONNECTING; |
| 261 | 261 | ||
| 262 | if (ctx->config->verify_name) { | 262 | if (ctx->config->verify_name) { |
| 263 | cert = SSL_get_peer_certificate(ctx->ssl_conn); | 263 | cert = SSL_get_peer_certificate(ctx->ssl_conn); |