83 lines
3.9 KiB
Diff
83 lines
3.9 KiB
Diff
Index: openssl-1.0.2p/doc/ssl/SSL_get_error.pod
|
|
===================================================================
|
|
--- openssl-1.0.2p.orig/doc/ssl/SSL_get_error.pod 2018-08-14 14:48:58.000000000 +0200
|
|
+++ openssl-1.0.2p/doc/ssl/SSL_get_error.pod 2019-03-05 12:28:29.722943831 +0100
|
|
@@ -90,14 +90,17 @@ Details depend on the application.
|
|
|
|
=item SSL_ERROR_SYSCALL
|
|
|
|
-Some non-recoverable I/O error occurred.
|
|
-The OpenSSL error queue may contain more information on the error.
|
|
-For socket I/O on Unix systems, consult B<errno> for details.
|
|
+Some non-recoverable, fatal I/O error occurred. The OpenSSL error queue may
|
|
+contain more information on the error. For socket I/O on Unix systems, consult
|
|
+B<errno> for details. If this error occurs then no further I/O operations should
|
|
+be performed on the connection and SSL_shutdown() must not be called.
|
|
|
|
=item SSL_ERROR_SSL
|
|
|
|
-A failure in the SSL library occurred, usually a protocol error. The
|
|
-OpenSSL error queue contains more information on the error.
|
|
+A non-recoverable, fatal error in the SSL library occurred, usually a protocol
|
|
+error. The OpenSSL error queue contains more information on the error. If this
|
|
+error occurs then no further I/O operations should be performed on the
|
|
+connection and SSL_shutdown() must not be called.
|
|
|
|
=back
|
|
|
|
Index: openssl-1.0.2p/doc/ssl/SSL_shutdown.pod
|
|
===================================================================
|
|
--- openssl-1.0.2p.orig/doc/ssl/SSL_shutdown.pod 2018-08-14 14:48:58.000000000 +0200
|
|
+++ openssl-1.0.2p/doc/ssl/SSL_shutdown.pod 2019-03-05 12:28:29.722943831 +0100
|
|
@@ -22,6 +22,10 @@ Whether the operation succeeds or not, t
|
|
a currently open session is considered closed and good and will be kept in the
|
|
session cache for further reuse.
|
|
|
|
+Note that SSL_shutdown() must not be called if a previous fatal error has
|
|
+occurred on a connection i.e. if SSL_get_error() has returned SSL_ERROR_SYSCALL
|
|
+or SSL_ERROR_SSL.
|
|
+
|
|
The shutdown procedure consists of 2 steps: the sending of the "close notify"
|
|
shutdown alert and the reception of the peer's "close notify" shutdown
|
|
alert. According to the TLS standard, it is acceptable for an application
|
|
Index: openssl-1.0.2p/ssl/d1_pkt.c
|
|
===================================================================
|
|
--- openssl-1.0.2p.orig/ssl/d1_pkt.c 2018-08-14 14:48:59.000000000 +0200
|
|
+++ openssl-1.0.2p/ssl/d1_pkt.c 2019-03-05 12:28:29.722943831 +0100
|
|
@@ -1311,6 +1311,7 @@ int dtls1_read_bytes(SSL *s, int type, u
|
|
ERR_add_error_data(2, "SSL alert number ", tmp);
|
|
s->shutdown |= SSL_RECEIVED_SHUTDOWN;
|
|
SSL_CTX_remove_session(s->session_ctx, s->session);
|
|
+ s->state = SSL_ST_ERR;
|
|
return (0);
|
|
} else {
|
|
al = SSL_AD_ILLEGAL_PARAMETER;
|
|
Index: openssl-1.0.2p/ssl/s3_pkt.c
|
|
===================================================================
|
|
--- openssl-1.0.2p.orig/ssl/s3_pkt.c 2018-08-14 14:48:59.000000000 +0200
|
|
+++ openssl-1.0.2p/ssl/s3_pkt.c 2019-03-05 12:28:29.722943831 +0100
|
|
@@ -1500,6 +1500,7 @@ int ssl3_read_bytes(SSL *s, int type, un
|
|
ERR_add_error_data(2, "SSL alert number ", tmp);
|
|
s->shutdown |= SSL_RECEIVED_SHUTDOWN;
|
|
SSL_CTX_remove_session(s->session_ctx, s->session);
|
|
+ s->state = SSL_ST_ERR;
|
|
return (0);
|
|
} else {
|
|
al = SSL_AD_ILLEGAL_PARAMETER;
|
|
@@ -1719,9 +1720,12 @@ int ssl3_send_alert(SSL *s, int level, i
|
|
* protocol_version alerts */
|
|
if (desc < 0)
|
|
return -1;
|
|
- /* If a fatal one, remove from cache */
|
|
- if ((level == 2) && (s->session != NULL))
|
|
- SSL_CTX_remove_session(s->session_ctx, s->session);
|
|
+ /* If a fatal one, remove from cache and go into the error state */
|
|
+ if (level == SSL3_AL_FATAL) {
|
|
+ if (s->session != NULL)
|
|
+ SSL_CTX_remove_session(s->session_ctx, s->session);
|
|
+ s->state = SSL_ST_ERR;
|
|
+ }
|
|
|
|
s->s3->alert_dispatch = 1;
|
|
s->s3->send_alert[0] = level;
|