[openssl] OpenSSL_1_1_0-stable update

Matt Caswell matt at openssl.org
Tue Feb 26 14:37:45 UTC 2019 

The branch OpenSSL_1_1_0-stable has been updated
       via  c62896c2c0cbd47ab01693d403e37fe5fe15aab8 (commit)
       via  5741d5bb74797e4532acc9f42e54c44a2726c179 (commit)
      from  ad01b01c16b0b9d95de79c3b01398e3582a5105b (commit)


- Log -----------------------------------------------------------------
commit c62896c2c0cbd47ab01693d403e37fe5fe15aab8
Author: Matt Caswell <matt at openssl.org>
Date:   Wed Feb 20 14:21:36 2019 +0000

    Clarify that SSL_shutdown() must not be called after a fatal error
    
    Follow on from CVE-2019-1559
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

commit 5741d5bb74797e4532acc9f42e54c44a2726c179
Author: Matt Caswell <matt at openssl.org>
Date:   Thu Dec 13 17:16:55 2018 +0000

    Go into the error state if a fatal alert is sent or received
    
    1.1.0 is not impacted by CVE-2019-1559, but this commit is a follow on
    from that. That CVE was a result of applications calling SSL_shutdown
    after a fatal alert has occurred. By chance 1.1.0 is not vulnerable to
    that issue, but this change is additional hardening to prevent other
    similar issues.
    
    Reviewed-by: Richard Levitte <levitte at openssl.org>

-----------------------------------------------------------------------

Summary of changes:
 doc/ssl/SSL_get_error.pod | 13 ++++++++-----
 doc/ssl/SSL_shutdown.pod  |  4 ++++
 ssl/record/rec_layer_d1.c |  1 +
 ssl/record/rec_layer_s3.c |  1 +
 ssl/s3_msg.c              |  9 ++++++---
 ssl/statem/statem.c       |  1 +
 6 files changed, 21 insertions(+), 8 deletions(-)

diff --git a/doc/ssl/SSL_get_error.pod b/doc/ssl/SSL_get_error.pod
index 47d2358..9b432a1 100644
--- a/doc/ssl/SSL_get_error.pod
+++ b/doc/ssl/SSL_get_error.pod
@@ -112,14 +112,17 @@ thread has completed.
 
 =item SSL_ERROR_SYSCALL
 
-Some non-recoverable I/O error occurred.
-The OpenSSL error queue may contain more information on the error.
-For socket I/O on Unix systems, consult B<errno> for details.
+Some non-recoverable, fatal I/O error occurred. The OpenSSL error queue may
+contain more information on the error. For socket I/O on Unix systems, consult
+B<errno> for details. If this error occurs then no further I/O operations should
+be performed on the connection and SSL_shutdown() must not be called.
 
 =item SSL_ERROR_SSL
 
-A failure in the SSL library occurred, usually a protocol error.  The
-OpenSSL error queue contains more information on the error.
+A non-recoverable, fatal error in the SSL library occurred, usually a protocol
+error.  The OpenSSL error queue contains more information on the error. If this
+error occurs then no further I/O operations should be performed on the
+connection and SSL_shutdown() must not be called.
 
 =back
 
diff --git a/doc/ssl/SSL_shutdown.pod b/doc/ssl/SSL_shutdown.pod
index e8ec454..0e83cf9 100644
--- a/doc/ssl/SSL_shutdown.pod
+++ b/doc/ssl/SSL_shutdown.pod
@@ -22,6 +22,10 @@ Whether the operation succeeds or not, the SSL_SENT_SHUTDOWN flag is set and
 a currently open session is considered closed and good and will be kept in the
 session cache for further reuse.
 
+Note that SSL_shutdown() must not be called if a previous fatal error has
+occurred on a connection i.e. if SSL_get_error() has returned SSL_ERROR_SYSCALL
+or SSL_ERROR_SSL.
+
 The shutdown procedure consists of 2 steps: the sending of the "close notify"
 shutdown alert and the reception of the peer's "close notify" shutdown
 alert. According to the TLS standard, it is acceptable for an application
diff --git a/ssl/record/rec_layer_d1.c b/ssl/record/rec_layer_d1.c
index 6111a2e..4ee6e52 100644
--- a/ssl/record/rec_layer_d1.c
+++ b/ssl/record/rec_layer_d1.c
@@ -834,6 +834,7 @@ int dtls1_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
             s->shutdown |= SSL_RECEIVED_SHUTDOWN;
             SSL3_RECORD_set_read(rr);
             SSL_CTX_remove_session(s->session_ctx, s->session);
+            ossl_statem_set_error(s);
             return (0);
         } else {
             al = SSL_AD_ILLEGAL_PARAMETER;
diff --git a/ssl/record/rec_layer_s3.c b/ssl/record/rec_layer_s3.c
index 1ffc120..324102e 100644
--- a/ssl/record/rec_layer_s3.c
+++ b/ssl/record/rec_layer_s3.c
@@ -1410,6 +1410,7 @@ int ssl3_read_bytes(SSL *s, int type, int *recvd_type, unsigned char *buf,
             s->shutdown |= SSL_RECEIVED_SHUTDOWN;
             SSL3_RECORD_set_read(rr);
             SSL_CTX_remove_session(s->session_ctx, s->session);
+            ossl_statem_set_error(s);
             return (0);
         } else {
             al = SSL_AD_ILLEGAL_PARAMETER;
diff --git a/ssl/s3_msg.c b/ssl/s3_msg.c
index 4961cc8..c4a476c 100644
--- a/ssl/s3_msg.c
+++ b/ssl/s3_msg.c
@@ -46,9 +46,12 @@ int ssl3_send_alert(SSL *s, int level, int desc)
                                           * protocol_version alerts */
     if (desc < 0)
         return -1;
-    /* If a fatal one, remove from cache */
-    if ((level == SSL3_AL_FATAL) && (s->session != NULL))
-        SSL_CTX_remove_session(s->session_ctx, s->session);
+    /* If a fatal one, remove from cache and go into the error state */
+    if (level == SSL3_AL_FATAL) {
+        if (s->session != NULL)
+            SSL_CTX_remove_session(s->session_ctx, s->session);
+        ossl_statem_set_error(s);
+    }
 
     s->s3->alert_dispatch = 1;
     s->s3->send_alert[0] = level;
diff --git a/ssl/statem/statem.c b/ssl/statem/statem.c
index 69bb40f..36c9e98 100644
--- a/ssl/statem/statem.c
+++ b/ssl/statem/statem.c
@@ -115,6 +115,7 @@ void ossl_statem_set_renegotiate(SSL *s)
  */
 void ossl_statem_set_error(SSL *s)
 {
+    s->statem.in_init = 1;
     s->statem.state = MSG_FLOW_ERROR;
 }

More information about the openssl-commits mailing list