提交 358ffa05 编写于 作者: M Matt Caswell

Return a fatal error if application data is encountered during shutdown

Currently if you encounter application data while waiting for a
close_notify from the peer, and you have called SSL_shutdown() then
you will get a -1 return (fatal error) and SSL_ERROR_SYSCALL from
SSL_get_error(). This isn't accurate (it should be SSL_ERROR_SSL) and
isn't persistent (you can call SSL_shutdown() again and it might then work).

We change this into a proper fatal error that is persistent.
Reviewed-by: NBernd Edlinger <bernd.edlinger@hotmail.de>
Reviewed-by: NKurt Roeckx <kurt@roeckx.be>
(Merged from https://github.com/openssl/openssl/pull/6340)
上级 ba709049
master OpenHarmony-2.2-Beta2 OpenHarmony-2.3-Beta OpenHarmony-3.0-LTS OpenHarmony-3.1-API8-SDK-Public OpenHarmony-3.1-API9-SDK-Canary OpenHarmony-3.1-Beta OpenHarmony-3.1-Release OpenHarmony-3.2-Beta1 OpenHarmony-3.2-Beta2 OpenHarmony-3.2-Beta3 OpenHarmony-3.2-Beta4 OpenHarmony-3.2-Beta5 OpenHarmony-3.2-Release OpenHarmony-4.0-Beta1 OpenHarmony-4.0-Beta2 OpenHarmony-v2.2-Beta OpenHarmony_1.0.1_release OpenHarmony_filemanager_develop_20220505 OpenHarmony_filemanager_develop_20220614 add_issus_pr_template_for_master add_issus_pr_template_for_release feature_IDL_20220811 master_dy monthly_20220614 monthly_20220816 monthly_20221018 monthly_20230815 revert-merge-109-master weekly_20220105 weekly_20220111 weekly_20220118 weekly_20220125 weekly_20220201 weekly_20220208 weekly_20220215 weekly_20220222 weekly_20220301 weekly_20220406 weekly_20220412 weekly_20220419 weekly_20220426 weekly_20220503 weekly_20220510 weekly_20220524 weekly_20220531 weekly_20220607 weekly_20220614 weekly_20220621 weekly_20220628 weekly_20220705 weekly_20220712 weekly_20220719 weekly_20220726 weekly_20220802 weekly_20220809 weekly_20220816 weekly_20220823 weekly_20220830 weekly_20220906 weekly_20220913 weekly_20220920 weekly_20220927 weekly_20221004 weekly_20221011 weekly_20221018 weekly_20221025 weekly_20221101 weekly_20221108 weekly_20221115 weekly_20221122 weekly_20221129 weekly_20221206 weekly_20221213 weekly_20221220 weekly_20221227 weekly_20230103 weekly_20230110 weekly_20230117 weekly_20230124 weekly_20230131 weekly_20230207 weekly_20230214 weekly_20230221 weekly_20230228 weekly_20230307 weekly_20230314 weekly_20230321 weekly_20230328 weekly_20230404 weekly_20230411 weekly_20230418 weekly_20230425 weekly_20230502 weekly_20230509 weekly_20230516 weekly_20230523 weekly_20230530 weekly_20230606 weekly_20230613 weekly_20230619 weekly_20230626 weekly_20230627 weekly_20230704 weekly_20230712 weekly_20230725 weekly_20230801 weekly_20230808 weekly_20230815 weekly_20230822 weekly_20230829 OpenHarmony_v1.1.1-LTS OpenHarmony_release_v1.1.0 OpenHarmony-v4.0-Beta2 OpenHarmony-v4.0-Beta1 OpenHarmony-v3.2.2-Release OpenHarmony-v3.2.1-Release OpenHarmony-v3.2-Release OpenHarmony-v3.2-Beta5 OpenHarmony-v3.2-Beta4 OpenHarmony-v3.2-Beta3 OpenHarmony-v3.2-Beta2 OpenHarmony-v3.2-Beta1 OpenHarmony-v3.1.7-Release OpenHarmony-v3.1.6-Release OpenHarmony-v3.1.5-Release OpenHarmony-v3.1.4-Release OpenHarmony-v3.1.3-Release OpenHarmony-v3.1.2-Release OpenHarmony-v3.1.1-Release OpenHarmony-v3.1-Release OpenHarmony-v3.1-Beta OpenHarmony-v3.0.8-LTS OpenHarmony-v3.0.7-LTS OpenHarmony-v3.0.6-LTS OpenHarmony-v3.0.5-LTS OpenHarmony-v3.0.3-LTS OpenHarmony-v3.0.2-LTS OpenHarmony-v3.0.1-LTS OpenHarmony-v3.0-LTS OpenHarmony-v3.0-Beta1 OpenHarmony-v2.2-Beta2 OpenHarmony-v1.1.5-LTS OpenHarmony-v1.1.4-LTS OpenHarmony-v1.1.3-LTS OpenHarmony-v1.1.2-LTS OpenHarmony-v1.1.1-LTS OpenHarmony-2.0-Canary OpenHarmony-1.0
无相关合并请求
......@@ -2544,6 +2544,8 @@ SM2_R_INVALID_ENCODING:104:invalid encoding
SM2_R_INVALID_FIELD:105:invalid field
SM2_R_NO_PARAMETERS_SET:109:no parameters set
SM2_R_USER_ID_TOO_LARGE:106:user id too large
SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY:291:\
application data after close notify
SSL_R_APP_DATA_IN_HANDSHAKE:100:app data in handshake
SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT:272:\
attempt to reuse session in different context
......
......@@ -449,6 +449,7 @@ int ERR_load_SSL_strings(void);
/*
* SSL reason codes.
*/
# define SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY 291
# define SSL_R_APP_DATA_IN_HANDSHAKE 100
# define SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT 272
# define SSL_R_AT_LEAST_TLS_1_0_NEEDED_IN_FIPS_MODE 143
......
......@@ -1573,11 +1573,18 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
rbio = SSL_get_rbio(s);
BIO_clear_retry_flags(rbio);
BIO_set_retry_read(rbio);
return -1;
} else {
/*
* The peer is continuing to send application data, but we have
* already sent close_notify. If this was expected we should have
* been called via SSL_read() and this would have been handled
* above.
* No alert sent because we already sent close_notify
*/
SSLfatal(s, SSL_AD_NO_ALERT, SSL_F_SSL3_READ_BYTES,
SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY);
}
s->rwstate = SSL_NOTHING;
return 0;
return -1;
}
/*
......
......@@ -726,6 +726,8 @@ static const ERR_STRING_DATA SSL_str_functs[] = {
};
static const ERR_STRING_DATA SSL_str_reasons[] = {
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_APPLICATION_DATA_AFTER_CLOSE_NOTIFY),
"application data after close notify"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_APP_DATA_IN_HANDSHAKE),
"app data in handshake"},
{ERR_PACK(ERR_LIB_SSL, 0, SSL_R_ATTEMPT_TO_REUSE_SESSION_IN_DIFFERENT_CONTEXT),
......
......@@ -5069,18 +5069,25 @@ static int test_shutdown(int tst)
|| !TEST_int_eq(SSL_shutdown(clientssl), 1)
|| !TEST_int_eq(SSL_shutdown(serverssl), 1))
goto end;
} else {
} else if (tst == 4) {
/*
* In this test the client has sent close_notify and it has been
* received by the server which has responded with a close_notify. The
* client needs to read the close_notify sent by the server. When
* tst == 5, there is application data to be read first but this is
* discarded with a -1 return value.
* client needs to read the close_notify sent by the server.
*/
if (tst == 5 && !TEST_int_eq(SSL_shutdown(clientssl), -1))
goto end;
if (!TEST_int_eq(SSL_shutdown(clientssl), 1))
goto end;
} else {
/*
* tst == 5
*
* The client has sent close_notify and is expecting a close_notify
* back, but instead there is application data first. The shutdown
* should fail with a fatal error.
*/
if (!TEST_int_eq(SSL_shutdown(clientssl), -1)
|| !TEST_int_eq(SSL_get_error(clientssl, -1), SSL_ERROR_SSL))
goto end;
}
testresult = 1;
......
Markdown is supported
0% .
You are about to add 0 people to the discussion. Proceed with caution.
先完成此消息的编辑!
想要评论请 注册
反馈
建议
客服 返回
顶部