From 1ff6ebe4aa0a51558d12a52b713d6dfdc4486249 Mon Sep 17 00:00:00 2001
From: tb <>
Date: Wed, 7 Apr 2021 21:48:23 +0000
Subject: Avoid clobbering the error code when sending an alert

In order to fail gracefully on encountering a self-signed cert, curl looks at the top-most error on the stack and needs specific SSL_R_ error codes. This mechanism was broken when the tls13_alert_sent_cb() was added after people complained about unhelpful unknown errors. Fix this by only setting the error code from a fatal alert if no error has been set previously. Issue reported by Christopher Reid ok jsing
---
 src/lib/libssl/tls13_lib.c | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)
(limited to 'src')
diff --git a/src/lib/libssl/tls13_lib.c b/src/lib/libssl/tls13_lib.c
index 9dbb7d6430..f064521c8b 100644
--- a/src/lib/libssl/tls13_lib.c
+++ b/src/lib/libssl/tls13_lib.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_lib.c,v 1.58 2021/03/21 18:36:34 jsing Exp $ */
+/* $OpenBSD: tls13_lib.c,v 1.59 2021/04/07 21:48:23 tb Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing
 * Copyright (c) 2019 Bob Beck
@@ -147,7 +147,8 @@ tls13_alert_sent_cb(uint8_t alert_desc, void *arg)
 }
 
 /* All other alerts are treated as fatal in TLSv1.3. */
-SSLerror(ctx->ssl, SSL_AD_REASON_OFFSET + alert_desc);
+if (ctx->error.code == 0)
+SSLerror(ctx->ssl, SSL_AD_REASON_OFFSET + alert_desc);
 }
 
 static void
-- 
cgit v1.2.3-55-g6feb
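Review bot: The new guard tests `ctx->error.code`, the TLSv1.3 context's own error record, whereas the commit message says the consumer (curl) inspects the top-most entry of the OpenSSL error stack; if any code path pushes an SSL_R_ reason with SSLerror() without also recording it in `ctx->error`, the alert's generic `SSL_AD_REASON_OFFSET + alert_desc` reason would still land on top of the stack and hide it. Whether such a path exists cannot be told from this hunk, so this is worth confirming against the callers that set `ctx->error`; a belt-and-braces condition would be `if (ctx->error.code == 0 && ERR_peek_error() == 0)`, at the cost of also being silenced by unrelated stale errors left on the stack. The condition itself would benefit from a why-comment next to the existing one, e.g. `/* Don't clobber a more specific error recorded earlier in the handshake. */`, since the reason for the check lives only in the commit message. tls13_alert_sent_cb() begins outside the hunk.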