diff options
| author | jsing <> | 2015-08-27 14:34:46 +0000 |
|---|---|---|
| committer | jsing <> | 2015-08-27 14:34:46 +0000 |
| commit | 9385a1fd21f3850678c58b5cc8702c3a54b91ead (patch) | |
| tree | c284333fe8898b330adf198552e397d905674dfe /src/lib | |
| parent | 105f7d024b2a7f7397069b4f94f8319797f0b252 (diff) | |
| download | openbsd-9385a1fd21f3850678c58b5cc8702c3a54b91ead.tar.gz openbsd-9385a1fd21f3850678c58b5cc8702c3a54b91ead.tar.bz2 openbsd-9385a1fd21f3850678c58b5cc8702c3a54b91ead.zip | |
Split the persistent/configuration flags from temporary state flags and
ensure that the temporary state flags get cleared in tls_reset(). Fixes a
bug spotted by Marko Kreen whereby TLS_CONNECTING could remain on reset.
While here, also move the TLS_STATE_CONNECTING check to after the
TLS_CLIENT check - if TLS_STATE_CONNECTING was ever set on any other
context type it would allow a bypass.
ok bluhm@
Diffstat (limited to 'src/lib')
| -rw-r--r-- | src/lib/libtls/tls.c | 3 | ||||
| -rw-r--r-- | src/lib/libtls/tls_client.c | 14 | ||||
| -rw-r--r-- | src/lib/libtls/tls_internal.h | 8 |
3 files changed, 14 insertions, 11 deletions
diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c index 4536bae183..c79191ee15 100644 --- a/src/lib/libtls/tls.c +++ b/src/lib/libtls/tls.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls.c,v 1.13 2015/08/22 14:20:53 jsing Exp $ */ | 1 | /* $OpenBSD: tls.c,v 1.14 2015/08/27 14:34:46 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> |
| 4 | * | 4 | * |
| @@ -233,6 +233,7 @@ tls_reset(struct tls *ctx) | |||
| 233 | ctx->ssl_ctx = NULL; | 233 | ctx->ssl_ctx = NULL; |
| 234 | 234 | ||
| 235 | ctx->socket = -1; | 235 | ctx->socket = -1; |
| 236 | ctx->state = 0; | ||
| 236 | 237 | ||
| 237 | ctx->err = 0; | 238 | ctx->err = 0; |
| 238 | free(ctx->errmsg); | 239 | free(ctx->errmsg); |
diff --git a/src/lib/libtls/tls_client.c b/src/lib/libtls/tls_client.c index 442ba4321e..241c506676 100644 --- a/src/lib/libtls/tls_client.c +++ b/src/lib/libtls/tls_client.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls_client.c,v 1.19 2015/08/22 14:51:34 jsing Exp $ */ | 1 | /* $OpenBSD: tls_client.c,v 1.20 2015/08/27 14:34:46 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> | 3 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> |
| 4 | * | 4 | * |
| @@ -168,14 +168,14 @@ tls_connect_fds(struct tls *ctx, int fd_read, int fd_write, | |||
| 168 | X509 *cert = NULL; | 168 | X509 *cert = NULL; |
| 169 | int ret, err; | 169 | int ret, err; |
| 170 | 170 | ||
| 171 | if (ctx->flags & TLS_CONNECTING) | ||
| 172 | goto connecting; | ||
| 173 | |||
| 174 | if ((ctx->flags & TLS_CLIENT) == 0) { | 171 | if ((ctx->flags & TLS_CLIENT) == 0) { |
| 175 | tls_set_error(ctx, "not a client context"); | 172 | tls_set_error(ctx, "not a client context"); |
| 176 | goto err; | 173 | goto err; |
| 177 | } | 174 | } |
| 178 | 175 | ||
| 176 | if (ctx->state & TLS_STATE_CONNECTING) | ||
| 177 | goto connecting; | ||
| 178 | |||
| 179 | if (fd_read < 0 || fd_write < 0) { | 179 | if (fd_read < 0 || fd_write < 0) { |
| 180 | tls_set_error(ctx, "invalid file descriptors"); | 180 | tls_set_error(ctx, "invalid file descriptors"); |
| 181 | return (-1); | 181 | return (-1); |
| @@ -248,16 +248,16 @@ tls_connect_fds(struct tls *ctx, int fd_read, int fd_write, | |||
| 248 | } | 248 | } |
| 249 | } | 249 | } |
| 250 | 250 | ||
| 251 | connecting: | 251 | connecting: |
| 252 | if ((ret = SSL_connect(ctx->ssl_conn)) != 1) { | 252 | if ((ret = SSL_connect(ctx->ssl_conn)) != 1) { |
| 253 | err = tls_ssl_error(ctx, ctx->ssl_conn, ret, "connect"); | 253 | err = tls_ssl_error(ctx, ctx->ssl_conn, ret, "connect"); |
| 254 | if (err == TLS_READ_AGAIN || err == TLS_WRITE_AGAIN) { | 254 | if (err == TLS_READ_AGAIN || err == TLS_WRITE_AGAIN) { |
| 255 | ctx->flags |= TLS_CONNECTING; | 255 | ctx->state |= TLS_STATE_CONNECTING; |
| 256 | return (err); | 256 | return (err); |
| 257 | } | 257 | } |
| 258 | goto err; | 258 | goto err; |
| 259 | } | 259 | } |
| 260 | ctx->flags &= ~TLS_CONNECTING; | 260 | ctx->state &= ~TLS_STATE_CONNECTING; |
| 261 | 261 | ||
| 262 | if (ctx->config->verify_name) { | 262 | if (ctx->config->verify_name) { |
| 263 | cert = SSL_get_peer_certificate(ctx->ssl_conn); | 263 | cert = SSL_get_peer_certificate(ctx->ssl_conn); |
diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h index ba37e136e6..cf4a8e28ad 100644 --- a/src/lib/libtls/tls_internal.h +++ b/src/lib/libtls/tls_internal.h | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: tls_internal.h,v 1.12 2015/03/31 12:21:27 jsing Exp $ */ | 1 | /* $OpenBSD: tls_internal.h,v 1.13 2015/08/27 14:34:46 jsing Exp $ */ |
| 2 | /* | 2 | /* |
| 3 | * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org> | 3 | * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org> |
| 4 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> | 4 | * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> |
| @@ -51,11 +51,13 @@ struct tls_config { | |||
| 51 | #define TLS_CLIENT (1 << 0) | 51 | #define TLS_CLIENT (1 << 0) |
| 52 | #define TLS_SERVER (1 << 1) | 52 | #define TLS_SERVER (1 << 1) |
| 53 | #define TLS_SERVER_CONN (1 << 2) | 53 | #define TLS_SERVER_CONN (1 << 2) |
| 54 | #define TLS_CONNECTING (1 << 3) | 54 | |
| 55 | #define TLS_STATE_CONNECTING (1 << 0) | ||
| 55 | 56 | ||
| 56 | struct tls { | 57 | struct tls { |
| 57 | struct tls_config *config; | 58 | struct tls_config *config; |
| 58 | uint64_t flags; | 59 | uint32_t flags; |
| 60 | uint32_t state; | ||
| 59 | 61 | ||
| 60 | int err; | 62 | int err; |
| 61 | char *errmsg; | 63 | char *errmsg; |