[openssl-commits] [openssl] master update

Matt Caswell matt at openssl.org
Mon Feb 8 09:35:42 UTC 2016 

The branch master has been updated
       via  64f9f40696f993406e53c16d7c9d815004afd8ad (commit)
      from  a173a7ee3f51af71c27490247f9a65ff03553e2c (commit)


- Log -----------------------------------------------------------------
commit 64f9f40696f993406e53c16d7c9d815004afd8ad
Author: Matt Caswell <matt at openssl.org>
Date:   Tue Feb 2 10:05:43 2016 +0000

    Handle SSL_shutdown while in init more appropriately #2
    
    Previous commit 7bb196a71 attempted to "fix" a problem with the way
    SSL_shutdown() behaved whilst in mid-handshake. The original behaviour had
    SSL_shutdown() return immediately having taken no action if called mid-
    handshake with a return value of 1 (meaning everything was shutdown
    successfully). In fact the shutdown has not been successful.
    
    Commit 7bb196a71 changed that to send a close_notify anyway and then
    return. This seems to be causing some problems for some applications so
    perhaps a better (much simpler) approach is revert to the previous
    behaviour (no attempt at a shutdown), but return -1 (meaning the shutdown
    was not successful).
    
    This also fixes a bug where SSL_shutdown always returns 0 when shutdown
    *very* early in the handshake (i.e. we are still using SSLv23_method).
    
    Reviewed-by: Viktor Dukhovni <viktor at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 include/openssl/ssl.h |  1 -
 ssl/s3_lib.c          | 15 ---------------
 ssl/ssl_err.c         |  1 -
 ssl/ssl_lib.c         | 21 ++++++++++++---------
 4 files changed, 12 insertions(+), 26 deletions(-)

diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index 659ab96..cffd199 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -1993,7 +1993,6 @@ void ERR_load_SSL_strings(void);
 # define SSL_F_SSL3_SETUP_KEY_BLOCK                       157
 # define SSL_F_SSL3_SETUP_READ_BUFFER                     156
 # define SSL_F_SSL3_SETUP_WRITE_BUFFER                    291
-# define SSL_F_SSL3_SHUTDOWN                              396
 # define SSL_F_SSL3_WRITE_BYTES                           158
 # define SSL_F_SSL3_WRITE_PENDING                         159
 # define SSL_F_SSL_ACCEPT                                 390
diff --git a/ssl/s3_lib.c b/ssl/s3_lib.c
index 5252d04..1121b8b 100644
--- a/ssl/s3_lib.c
+++ b/ssl/s3_lib.c
@@ -4327,21 +4327,6 @@ int ssl3_shutdown(SSL *s)
             return (ret);
         }
     } else if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) {
-        if (SSL_in_init(s)) {
-            /*
-             * We can't shutdown properly if we are in the middle of a
-             * handshake. Doing so is problematic because the peer may send a
-             * CCS before it acts on our close_notify. However we should not
-             * continue to process received handshake messages or CCS once our
-             * close_notify has been sent. Therefore any close_notify from
-             * the peer will be unreadable because we have not moved to the next
-             * cipher state. Its best just to avoid this can-of-worms. Return
-             * an error if we are wanting to wait for a close_notify from the
-             * peer and we are in init.
-             */
-            SSLerr(SSL_F_SSL3_SHUTDOWN, SSL_R_SHUTDOWN_WHILE_IN_INIT);
-            return -1;
-        }
         /*
          * If we are waiting for a close from our peer, we are closed
          */
diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c
index 67966ab..0d8bcd4 100644
--- a/ssl/ssl_err.c
+++ b/ssl/ssl_err.c
@@ -127,7 +127,6 @@ static ERR_STRING_DATA SSL_str_functs[] = {
     {ERR_FUNC(SSL_F_SSL3_SETUP_KEY_BLOCK), "ssl3_setup_key_block"},
     {ERR_FUNC(SSL_F_SSL3_SETUP_READ_BUFFER), "ssl3_setup_read_buffer"},
     {ERR_FUNC(SSL_F_SSL3_SETUP_WRITE_BUFFER), "ssl3_setup_write_buffer"},
-    {ERR_FUNC(SSL_F_SSL3_SHUTDOWN), "ssl3_shutdown"},
     {ERR_FUNC(SSL_F_SSL3_WRITE_BYTES), "ssl3_write_bytes"},
     {ERR_FUNC(SSL_F_SSL3_WRITE_PENDING), "ssl3_write_pending"},
     {ERR_FUNC(SSL_F_SSL_ACCEPT), "SSL_accept"},
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 197a37c..2339132 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -1578,19 +1578,22 @@ int SSL_shutdown(SSL *s)
         return -1;
     }
 
-    if((s->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) {
-        struct ssl_async_args args;
+    if (!SSL_in_init(s)) {
+        if((s->mode & SSL_MODE_ASYNC) && ASYNC_get_current_job() == NULL) {
+            struct ssl_async_args args;
 
-        args.s = s;
-        args.type = OTHERFUNC;
-        args.f.func_other = s->method->ssl_shutdown;
+            args.s = s;
+            args.type = OTHERFUNC;
+            args.f.func_other = s->method->ssl_shutdown;
 
-        return ssl_start_async_job(s, &args, ssl_io_intern);
+            return ssl_start_async_job(s, &args, ssl_io_intern);
+        } else {
+            return s->method->ssl_shutdown(s);
+        }
     } else {
-        return s->method->ssl_shutdown(s);
+        SSLerr(SSL_F_SSL_SHUTDOWN, SSL_R_SHUTDOWN_WHILE_IN_INIT);
+        return -1;
     }
-
-    return s->method->ssl_shutdown(s);
 }
 
 int SSL_renegotiate(SSL *s)

More information about the openssl-commits mailing list