diff options
| author |   jsing <jsing@openbsd.org> | 2015-08-27 14:34:46 +0000 |
|---|---|---|
| committer | jsing <jsing@openbsd.org> | 2015-08-27 14:34:46 +0000 |
| commit | 93310cfa04ecb20aee67669b31aaf7bb7c7ae493 (patch) | |
| tree | aae8a4731a3a658c34348cac094b612b2f8caa7b /lib/libtls | |
| parent | Change AEAD out_len argument to size_t instead of ssize_t - while here, (diff) | |
| download | wireguard-openbsd-93310cfa04ecb20aee67669b31aaf7bb7c7ae493.tar.xz wireguard-openbsd-93310cfa04ecb20aee67669b31aaf7bb7c7ae493.zip | |
Split the persistent/configuration flags from temporary state flags and
ensure that the temporary state flags get cleared in tls_reset(). Fixes a
bug spotted by Marko Kreen whereby TLS_CONNECTING could remain on reset.
While here, also move the TLS_STATE_CONNECTING check to after the
TLS_CLIENT check - if TLS_STATE_CONNECTING was ever set on any other
context type it would allow a bypass.
ok bluhm@
Diffstat (limited to 'lib/libtls')
| -rw-r--r-- | lib/libtls/tls.c | 3 | ||||
| -rw-r--r-- | lib/libtls/tls_client.c | 14 | ||||
| -rw-r--r-- | lib/libtls/tls_internal.h | 8 |
3 files changed, 14 insertions, 11 deletions
diff --git a/lib/libtls/tls.c b/lib/libtls/tls.c index 4536bae1837..c79191ee157 100644 --- a/lib/libtls/tls.c +++ b/lib/libtls/tls.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls.c,v 1.13 2015/08/22 14:20:53 jsing Exp $ */ +/* $OpenBSD: tls.c,v 1.14 2015/08/27 14:34:46 jsing Exp $ */ /* * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> * @@ -233,6 +233,7 @@ tls_reset(struct tls *ctx) ctx->ssl_ctx = NULL; ctx->socket = -1; + ctx->state = 0; ctx->err = 0; free(ctx->errmsg); diff --git a/lib/libtls/tls_client.c b/lib/libtls/tls_client.c index 442ba4321ef..241c506676e 100644 --- a/lib/libtls/tls_client.c +++ b/lib/libtls/tls_client.c @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_client.c,v 1.19 2015/08/22 14:51:34 jsing Exp $ */ +/* $OpenBSD: tls_client.c,v 1.20 2015/08/27 14:34:46 jsing Exp $ */ /* * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> * @@ -168,14 +168,14 @@ tls_connect_fds(struct tls *ctx, int fd_read, int fd_write, X509 *cert = NULL; int ret, err; - if (ctx->flags & TLS_CONNECTING) - goto connecting; - if ((ctx->flags & TLS_CLIENT) == 0) { tls_set_error(ctx, "not a client context"); goto err; } + if (ctx->state & TLS_STATE_CONNECTING) + goto connecting; + if (fd_read < 0 || fd_write < 0) { tls_set_error(ctx, "invalid file descriptors"); return (-1); @@ -248,16 +248,16 @@ tls_connect_fds(struct tls *ctx, int fd_read, int fd_write, } } - connecting: +connecting: if ((ret = SSL_connect(ctx->ssl_conn)) != 1) { err = tls_ssl_error(ctx, ctx->ssl_conn, ret, "connect"); if (err == TLS_READ_AGAIN || err == TLS_WRITE_AGAIN) { - ctx->flags |= TLS_CONNECTING; + ctx->state |= TLS_STATE_CONNECTING; return (err); } goto err; } - ctx->flags &= ~TLS_CONNECTING; + ctx->state &= ~TLS_STATE_CONNECTING; if (ctx->config->verify_name) { cert = SSL_get_peer_certificate(ctx->ssl_conn); diff --git a/lib/libtls/tls_internal.h b/lib/libtls/tls_internal.h index ba37e136e66..cf4a8e28ad3 100644 --- a/lib/libtls/tls_internal.h +++ b/lib/libtls/tls_internal.h @@ -1,4 +1,4 @@ -/* $OpenBSD: tls_internal.h,v 1.12 2015/03/31 12:21:27 jsing Exp $ */ +/* $OpenBSD: tls_internal.h,v 1.13 2015/08/27 14:34:46 jsing Exp $ */ /* * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org> * Copyright (c) 2014 Joel Sing <jsing@openbsd.org> @@ -51,11 +51,13 @@ struct tls_config { #define TLS_CLIENT (1 << 0) #define TLS_SERVER (1 << 1) #define TLS_SERVER_CONN (1 << 2) -#define TLS_CONNECTING (1 << 3) + +#define TLS_STATE_CONNECTING (1 << 0) struct tls { struct tls_config *config; - uint64_t flags; + uint32_t flags; + uint32_t state; int err; char *errmsg; |