From b70929d8816a98e03f2a44de9ee1c07edde90382 Mon Sep 17 00:00:00 2001 From: jsing <> Date: Thu, 23 Jan 2020 02:49:38 +0000 Subject: Add a TLS13_IO_ALERT return value so that we can explicitly signal when we sent or received a fatal alert. Pull the fatal_alert check up into tls13_legacy_error(). Also, if sending an alert resulted in EOF, do not propagate this back since we do not want to signal EOF to the caller (rather we want to indicate failure). ok beck@ tb@ --- src/lib/libssl/tls13_lib.c | 13 ++++++++++--- 1 file changed, 10 insertions(+), 3 deletions(-) (limited to 'src/lib/libssl/tls13_lib.c') diff --git a/src/lib/libssl/tls13_lib.c b/src/lib/libssl/tls13_lib.c index 51a2a383ed..727f617471 100644 --- a/src/lib/libssl/tls13_lib.c +++ b/src/lib/libssl/tls13_lib.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls13_lib.c,v 1.21 2020/01/22 13:10:51 jsing Exp $ */ +/* $OpenBSD: tls13_lib.c,v 1.22 2020/01/23 02:49:38 jsing Exp $ */ /* * Copyright (c) 2018, 2019 Joel Sing * Copyright (c) 2019 Bob Beck @@ -349,6 +349,10 @@ tls13_legacy_error(SSL *ssl) struct tls13_ctx *ctx = ssl->internal->tls13; int reason = SSL_R_UNKNOWN; + /* If we received a fatal alert we already put an error on the stack. */ + if (S3I(ssl)->fatal_alert != 0) + return; + switch (ctx->error.code) { case TLS13_ERR_VERIFY_FAILED: reason = SSL_R_CERTIFICATE_VERIFY_FAILED; @@ -384,8 +388,11 @@ tls13_legacy_return_code(SSL *ssl, ssize_t ret) return 0; case TLS13_IO_FAILURE: - if (S3I(ssl)->fatal_alert == 0) - tls13_legacy_error(ssl); + tls13_legacy_error(ssl); + return -1; + + case TLS13_IO_ALERT: + tls13_legacy_error(ssl); return -1; case TLS13_IO_WANT_POLLIN: -- cgit v1.2.3-55-g6feb