[openssl-commits] [openssl] master update
Matt Caswell
matt at openssl.org
Tue Sep 4 10:14:25 UTC 2018
The branch master has been updated
via f273ff953abfafbb5fc4d68904469f862fbeae8a (commit)
from 785e614a95a134831f213749332bcf40c4920f69 (commit)
- Log -----------------------------------------------------------------
commit f273ff953abfafbb5fc4d68904469f862fbeae8a
Author: Matt Caswell <matt at openssl.org>
Date: Mon Aug 13 20:18:32 2018 +0100
Ignore EPIPE when sending NewSessionTickets in TLSv1.3
If a client sends data to a server and then immediately closes without
waiting to read the NewSessionTickets then the server can receive EPIPE
when trying to write the tickets and never gets the opportunity to read
the data that was sent. Therefore we ignore EPIPE when writing out the
tickets in TLSv1.3.
Fixes #6904
Reviewed-by: Tim Hudson <tjh at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/6944)
-----------------------------------------------------------------------
Summary of changes:
ssl/statem/statem_srvr.c | 33 ++++++++++++++++++++++++++++++++-
1 file changed, 32 insertions(+), 1 deletion(-)
diff --git a/ssl/statem/statem_srvr.c b/ssl/statem/statem_srvr.c
index db5aafe..346b1e3 100644
--- a/ssl/statem/statem_srvr.c
+++ b/ssl/statem/statem_srvr.c
@@ -764,6 +764,22 @@ WORK_STATE ossl_statem_server_pre_work(SSL *s, WORK_STATE wst)
return WORK_FINISHED_CONTINUE;
}
+static ossl_inline int conn_is_closed(void)
+{
+ switch (get_last_sys_error()) {
+#if defined(EPIPE)
+ case EPIPE:
+ return 1;
+#endif
+#if defined(ECONNRESET)
+ case ECONNRESET:
+ return 1;
+#endif
+ default:
+ return 0;
+ }
+}
+
/*
* Perform any work that needs to be done after sending a message from the
* server to the client.
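Review bot: the new conn_is_closed() helper treats ECONNRESET as a closed connection as well, while the commit title and message only describe EPIPE; either the message should say why a reset is also ignored, or the helper should be limited to EPIPE, since after a reset the peer's unread data may already be gone from the socket and the "still able to read the data" rationale may not hold. The helper also has no comment; a one-line note above it saying it inspects the last system error from the preceding write and is only meaningful right after a failed flush would help, and it is worth confirming that get_last_sys_error() is the accessor that sees socket-level errors on every supported platform, because if it is not, the guard silently never fires there.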
@@ -939,8 +955,23 @@ WORK_STATE ossl_statem_server_post_work(SSL *s, WORK_STATE wst)
break;
case TLS_ST_SW_SESSION_TICKET:
- if (SSL_IS_TLS13(s) && statem_flush(s) != 1)
+ clear_sys_error();
+ if (SSL_IS_TLS13(s) && statem_flush(s) != 1) {
+ if (SSL_get_error(s, 0) == SSL_ERROR_SYSCALL
+ && conn_is_closed()) {
+ /*
+ * We ignore connection closed errors in TLSv1.3 when sending a
+ * NewSessionTicket and behave as if we were successful. This is
+ * so that we are still able to read data sent to us by a client
+ * that closes soon after the end of the handshake without
+ * waiting to read our post-handshake NewSessionTickets.
+ */
+ s->rwstate = SSL_NOTHING;
+ break;
+ }
+
return WORK_MORE_A;
+ }
break;
}
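Review bot: clear_sys_error() is now called unconditionally at the top of the TLS_ST_SW_SESSION_TICKET case, before the SSL_IS_TLS13(s) test, so it runs for TLSv1.2 as well even though nothing in that path reads the value; moving it inside the TLSv1.3 branch (or immediately before statem_flush(s) in the condition) keeps the side effect scoped to the code that depends on it. The `s->rwstate = SSL_NOTHING; break;` path deliberately reports success to the state machine; the comment explains the motivation but not the consequence, so add a sentence noting that the only thing lost is the client's ability to resume with these tickets, which makes it clear to later readers why swallowing the error is acceptable here.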