From 4a576c4736462d130e729d6ce5f7cf127a0b10dd Mon Sep 17 00:00:00 2001 From: Jouni Malinen Date: Tue, 1 May 2018 12:41:28 +0300 Subject: [PATCH] OpenSSL: Terminate TLS handshake if ClientHello cannot be generated OpenSSL 1.1.1 added cases where ClientHello generation may fail due to "no ciphers available". There is no point in sending out the resulting TLS Alert message to the server since the server does not know what to do with it before ClientHello. Instead, simply terminate the TLS handshake locally and report EAP failure to avoid getting stuck waiting for a timeout. Signed-off-by: Jouni Malinen --- src/crypto/tls_openssl.c | 15 +++++++++++++++ 1 file changed, 15 insertions(+) diff --git a/src/crypto/tls_openssl.c b/src/crypto/tls_openssl.c index dd8022cdd..fe5f8c875 100644 --- a/src/crypto/tls_openssl.c +++ b/src/crypto/tls_openssl.c @@ -232,6 +232,7 @@ struct tls_connection { unsigned int server_cert_only:1; unsigned int invalid_hb_used:1; unsigned int success_data:1; + unsigned int client_hello_generated:1; u8 srv_cert_hash[32]; @@ -3597,9 +3598,23 @@ openssl_handshake(struct tls_connection *conn, const struct wpabuf *in_data, else { tls_show_errors(MSG_INFO, __func__, "SSL_connect"); conn->failed++; + if (!server && !conn->client_hello_generated) { + /* The server would not understand TLS Alert + * before ClientHello, so simply terminate + * handshake on this type of error case caused + * by a likely internal error like no ciphers + * available. */ + wpa_printf(MSG_DEBUG, + "OpenSSL: Could not generate ClientHello"); + conn->write_alerts++; + return NULL; + } } } + if (!server && !conn->failed) + conn->client_hello_generated = 1; + #ifdef CONFIG_SUITEB if ((conn->flags & TLS_CONN_SUITEB) && !server && os_strncmp(SSL_get_cipher(conn->ssl), "DHE-", 4) == 0 &&
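Review bot: `client_hello_generated` is set only on the non-failed client path at the end of the second hunk and is never cleared anywhere in this patch, so if a `struct tls_connection` is reused for a later handshake (a shutdown/reuse path outside this hunk) the flag is presumably still 1 and the new early-termination branch is skipped, leaving that handshake to emit the pre-ClientHello alert and wait for the timeout the commit message wants to avoid; confirm that the connection reset path clears it, or clear it wherever `conn->failed` is reset. Incrementing `conn->write_alerts` without actually writing an alert also overloads the counter as a signal to the caller, and the dependence on how the EAP layer reads it is not visible here; a one-line comment such as `/* counted as a written alert so the caller treats this as a fatal local failure */` above the increment would make that contract explicit. `openssl_handshake` begins and ends outside this hunk.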