CVSROOT: /cvs
Module name: src
Changes by: [email protected] 2022/01/25 07:51:54
Modified files:
lib/libssl : tls13_legacy.c
Log message:
Avoid an infinite loop in SSL_shutdown()
If the peer closed the write side of the connection and we have not
yet received the close_notify, SSL_shutdown() makes an extra read to
try and read the peer's close_notify from the pipe. In that situation,
we receive EOF. The legacy stack will return -1 while the TLSv1.3
stack will end up returning 0.
Since the documentation is not super explicit about what should be
done if SSL_shutdown() returns 0, some applications will enter an
infinite loop. The code and documentation indicate that SSL_shutdown()
should only be called once more if it returned 0. Newer versions
of the OpenSSL documentation explicitly say that one should call
SSL_read() if SSL_shutdown() returns 0 in order to retrieve the
close_notify. Doing this would also have avoided this infinite loop.
Reported by Carsten Arzig and bluhm with a test case extracted from the
syslogd tests using IO::Socket::SSL, which has such an infinite loop.
ok bluhm jsing
