From 7bb196a71adef8440b6152b6174651a9c25588f1 Mon Sep 17 00:00:00 2001 From: Matt Caswell Date: Mon, 7 Dec 2015 16:50:38 +0000 Subject: Handle SSL_shutdown while in init more appropriately Calling SSL_shutdown while in init previously gave a "1" response, meaning everything was successfully closed down (even though it wasn't). Better is to send our close_notify, but fail when trying to receive one. The problem with doing a shutdown while in the middle of a handshake is that once our close_notify is sent we shouldn't really do anything else (including process handshake/CCS messages) until we've received a close_notify back from the peer. However the peer might send a CCS before acting on our close_notify - so we won't be able to read it because we're not acting on CCS messages! Reviewed-by: Viktor Dukhovni --- ssl/ssl_err.c | 2 ++ 1 file changed, 2 insertions(+) (limited to 'ssl/ssl_err.c') diff --git a/ssl/ssl_err.c b/ssl/ssl_err.c index 2abd0155e6..a112ad41e8 100644 --- a/ssl/ssl_err.c +++ b/ssl/ssl_err.c @@ -128,6 +128,7 @@ static ERR_STRING_DATA SSL_str_functs[] = { {ERR_FUNC(SSL_F_SSL3_SETUP_KEY_BLOCK), "ssl3_setup_key_block"}, {ERR_FUNC(SSL_F_SSL3_SETUP_READ_BUFFER), "ssl3_setup_read_buffer"}, {ERR_FUNC(SSL_F_SSL3_SETUP_WRITE_BUFFER), "ssl3_setup_write_buffer"}, + {ERR_FUNC(SSL_F_SSL3_SHUTDOWN), "ssl3_shutdown"}, {ERR_FUNC(SSL_F_SSL3_WRITE_BYTES), "ssl3_write_bytes"}, {ERR_FUNC(SSL_F_SSL3_WRITE_PENDING), "ssl3_write_pending"}, {ERR_FUNC(SSL_F_SSL_ACCEPT), "SSL_accept"}, @@ -577,6 +578,7 @@ static ERR_STRING_DATA SSL_str_reasons[] = { {ERR_REASON(SSL_R_SERVERHELLO_TLSEXT), "serverhello tlsext"}, {ERR_REASON(SSL_R_SESSION_ID_CONTEXT_UNINITIALIZED), "session id context uninitialized"}, + {ERR_REASON(SSL_R_SHUTDOWN_WHILE_IN_INIT), "shutdown while in init"}, {ERR_REASON(SSL_R_SIGNATURE_ALGORITHMS_ERROR), "signature algorithms error"}, {ERR_REASON(SSL_R_SIGNATURE_FOR_NON_SIGNING_CERTIFICATE), -- cgit v1.2.3