diff options
| author |   jsing <jsing@openbsd.org> | 2018-11-08 20:26:45 +0000 |
|---|---|---|
| committer | jsing <jsing@openbsd.org> | 2018-11-08 20:26:45 +0000 |
| commit | d250fe7c04cbc0222adc918377d67575f80e001c (patch) | |
| tree | 654d939a5e494cb55a96c2f42cf5901ed8a7622a /lib/libssl | |
| parent | It isn't possible to specify buffer name to copy mode commands now, so (diff) | |
| download | wireguard-openbsd-d250fe7c04cbc0222adc918377d67575f80e001c.tar.xz wireguard-openbsd-d250fe7c04cbc0222adc918377d67575f80e001c.zip | |
Ensure the handshake transcript is cleaned up.
Add a check at the completion of the client/server handshake to ensure that
the handshake transcript has been freed. Fix the case where a server asks
the client for a certificate, but it does not have one, resulting in the
handshake transcript being left around post-handshake.
ok bcook@ tb@
Diffstat (limited to 'lib/libssl')
| -rw-r--r-- | lib/libssl/ssl_clnt.c | 15 | ||||
| -rw-r--r-- | lib/libssl/ssl_srvr.c | 8 |
2 files changed, 20 insertions, 3 deletions
diff --git a/lib/libssl/ssl_clnt.c b/lib/libssl/ssl_clnt.c index 77211b622b0..8c3ec800609 100644 --- a/lib/libssl/ssl_clnt.c +++ b/lib/libssl/ssl_clnt.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_clnt.c,v 1.34 2018/09/05 16:58:59 jsing Exp $ */ +/* $OpenBSD: ssl_clnt.c,v 1.35 2018/11/08 20:26:45 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -583,6 +583,12 @@ ssl3_connect(SSL *s) /* clean a few things up */ tls1_cleanup_key_block(s); + if (S3I(s)->handshake_buffer != NULL) { + SSLerror(s, ERR_R_INTERNAL_ERROR); + ret = -1; + goto end; + } + if (!SSL_IS_DTLS(s)) { BUF_MEM_free(s->internal->init_buf); s->internal->init_buf = NULL; @@ -2553,9 +2559,14 @@ ssl3_send_client_certificate(SSL *s) X509_free(x509); EVP_PKEY_free(pkey); - if (i == 0) + if (i == 0) { S3I(s)->tmp.cert_req = 2; + /* There is no client certificate to verify. */ + if (!tls1_digest_cached_records(s)) + goto err; + } + /* Ok, we have a cert */ S3I(s)->hs.state = SSL3_ST_CW_CERT_C; } diff --git a/lib/libssl/ssl_srvr.c b/lib/libssl/ssl_srvr.c index e046438cc04..f077140b906 100644 --- a/lib/libssl/ssl_srvr.c +++ b/lib/libssl/ssl_srvr.c @@ -1,4 +1,4 @@ -/* $OpenBSD: ssl_srvr.c,v 1.48 2018/08/27 17:04:34 jsing Exp $ */ +/* $OpenBSD: ssl_srvr.c,v 1.49 2018/11/08 20:26:45 jsing Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -707,6 +707,12 @@ ssl3_accept(SSL *s) /* clean a few things up */ tls1_cleanup_key_block(s); + if (S3I(s)->handshake_buffer != NULL) { + SSLerror(s, ERR_R_INTERNAL_ERROR); + ret = -1; + goto end; + } + if (!SSL_IS_DTLS(s)) { BUF_MEM_free(s->internal->init_buf); s->internal->init_buf = NULL; |