X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;ds=sidebyside;f=ssl%2Fs3_pkt.c;h=39cdbaf8983c7b717218924b1a70c26168d478e7;hb=7321d7944e56e3cf7f5cf80679e6c88a130167f2;hp=7e3a7b480e7c4835ee32166c95922093a218d73c;hpb=fa4c374572e94f467900f5820cd1d00af2470a17;p=oweals%2Fopenssl.git
diff --git a/ssl/s3_pkt.c b/ssl/s3_pkt.c
index 7e3a7b480e..39cdbaf898 100644
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@@ -137,10 +137,7 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
 static int ssl3_get_record(SSL *s);
 /*
- * Return values are as per SSL_read(), i.e.
- * >0 The number of read bytes
- * 0 Failure (not retryable)
- * <0 Failure (may be retryable)
+ * Return values are as per SSL_read()
 */
 int ssl3_read_n(SSL *s, int n, int max, int extend)
 {
@@ -269,7 +266,7 @@ int ssl3_read_n(SSL *s, int n, int max, int extend)
 if (s->mode & SSL_MODE_RELEASE_BUFFERS && !SSL_IS_DTLS(s))
 if (len + left == 0)
 ssl3_release_read_buffer(s);
- return -1;
+ return (i);
 }
 left += i;
 /*
@@ -702,6 +699,7 @@ int ssl3_write_bytes(SSL *s, int type, const void *buf_, int len)
 len >= 4 * (int)(max_send_fragment = s->max_send_fragment) && s->compress == NULL && s->msg_callback == NULL && SSL_USE_EXPLICIT_IV(s) &&
+ s->enc_write_ctx != NULL &&
 EVP_CIPHER_flags(s->enc_write_ctx->cipher) & EVP_CIPH_FLAG_TLS1_1_MULTIBLOCK) {
 unsigned char aad[13];
@@ -1089,11 +1087,8 @@ static int do_ssl3_write(SSL *s, int type, const unsigned char *buf,
 }
 /* if s->s3->wbuf.left != 0, we need to call this
- *
+ *
 * Return values are as per SSL_write(), i.e.
- * >0 The number of read bytes
- * 0 Failure (not retryable)
- * <0 Failure (may be retryable)
 */
 int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
 unsigned int len)
@@ -1134,7 +1129,7 @@ int ssl3_write_pending(SSL *s, int type, const unsigned char *buf,
 */
 wb->left = 0;
 }
- return -1;
+ return i;
 }
 wb->offset += i;
 wb->left -= i;
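Review bot: Returning `i` instead of -1 on the BIO read failure path in ssl3_read_n lets a clean EOF (i == 0) reach the caller as a non-retryable 0, which is what the new "as per SSL_read()" header comment promises, but it also changes the contract for every caller of ssl3_read_n: a call site that tests only `< 0` would now treat EOF as a successful zero-byte read. Those call sites are outside this hunk and should be audited in the same commit so each one tests `<= 0`. A one-line comment at the return would make the intent survive the next cleanup: `/* 0 = EOF (not retryable), <0 = retryable: pass the BIO result through */`. The enclosing ssl3_read_n begins before this hunk and continues after it.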
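Review bot: The added `s->enc_write_ctx != NULL &&` guards the `s->enc_write_ctx->cipher` dereference in the following clause, but nothing in or around the condition says why the write context can be NULL at this point, and the condition is already several clauses long, so a later reordering could put the dereference ahead of the guard; a comment above the new clause, `/* no write cipher set up yet: the multiblock path needs enc_write_ctx */`, pins the ordering. If an allocated context can carry a NULL cipher here (not visible in this hunk), `EVP_CIPHER_flags()` would still be reached with NULL, so `&& s->enc_write_ctx->cipher != NULL` may be needed as well. ssl3_write_bytes starts and ends outside the hunk.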
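Review bot: After the deletions the header comment on ssl3_write_pending reads `* Return values are as per SSL_write(), i.e.` followed directly by `*/`, so the "i.e." now introduces nothing. The sibling ssl3_read_n comment in this same commit was trimmed to `Return values are as per SSL_read()`, and this one should match it: `* Return values are as per SSL_write()`. The `- * ` / `+ *` pair above it looks like a trailing-whitespace cleanup only and is fine.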
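Review bot: `return i;` here and `return (i);` in the matching ssl3_read_n change are the same fix written two ways; pick one, and `return i;` is the form that matches the surrounding lines such as `wb->offset += i;`. As in ssl3_read_n, if the write call that produced `i` returned 0, ssl3_write_pending now propagates a non-retryable 0 where it used to return -1, so any caller that tests only `< 0` needs to change; those callers are outside this hunk. The enclosing ssl3_write_pending body starts before this hunk and continues after it.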
@@ -1605,16 +1600,13 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
 switch (rr->type) {
 default:
-#ifndef OPENSSL_NO_TLS
 /*
- * TLS up to v1.1 just ignores unknown message types: TLS v1.2 give
- * an unexpected message alert.
+ * TLS 1.0 and 1.1 say you SHOULD ignore unrecognised record types, but
+ * TLS 1.2 says you MUST send an unexpected message alert. We use the
+ * TLS 1.2 behaviour for all protocol versions to prevent issues where
+ * no progress is being made and the peer continually sends unrecognised
+ * record types, using up resources processing them.
 */
- if (s->version >= TLS1_VERSION && s->version <= TLS1_1_VERSION) {
- rr->length = 0;
- goto start;
- }
-#endif
 al = SSL_AD_UNEXPECTED_MESSAGE;
 SSLerr(SSL_F_SSL3_READ_BYTES, SSL_R_UNEXPECTED_RECORD);
 goto f_err;
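Review bot: The new comment gives the resource-exhaustion motivation but does not name the specifications or state the interoperability cost of the change: a TLS 1.0/1.1 peer that relies on the SHOULD-ignore rule and sends a record type this code does not recognise now gets a fatal unexpected_message alert via `goto f_err` and loses the connection instead of being skipped. I'd extend the comment with `* (RFC 2246 / RFC 4346 section 6 vs. RFC 5246 section 6); the stricter behaviour is a deliberate interop trade-off.` so the next person hitting an interop report can see the decision was intentional. Dropping the `#ifndef OPENSSL_NO_TLS` guard is consistent with the alert path no longer depending on the negotiated version. ssl3_read_bytes starts and ends outside the hunk.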