Go into the error state if a fatal alert is sent or received

If an application calls SSL_shutdown after a fatal alert has occured and then behaves different based on error codes from that function then the application may be vulnerable to a padding oracle. CVE-2019-1559 Reviewed-by: Richard Levitte <levitte@openssl.org>
2025-05-03 13:09:38 +00:00 · 2018-12-14 07:28:30 +00:00 · 2018-12-14 07:28:30 +00:00 · e9bbefbf0f
commit e9bbefbf0f
parent c81f16952b
2 changed files with 8 additions and 3 deletions
--- a/ssl/d1_pkt.c
+++ b/ssl/d1_pkt.c
@ -1309,6 +1309,7 @@ int dtls1_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
            ERR_add_error_data(2, "SSL alert number ", tmp);
            s->shutdown |= SSL_RECEIVED_SHUTDOWN;
            SSL_CTX_remove_session(s->session_ctx, s->session);
+            s->state = SSL_ST_ERR;
            return (0);
        } else {
            al = SSL_AD_ILLEGAL_PARAMETER;
--- a/ssl/s3_pkt.c
+++ b/ssl/s3_pkt.c
@ -1500,6 +1500,7 @@ int ssl3_read_bytes(SSL *s, int type, unsigned char *buf, int len, int peek)
            ERR_add_error_data(2, "SSL alert number ", tmp);
            s->shutdown |= SSL_RECEIVED_SHUTDOWN;
            SSL_CTX_remove_session(s->session_ctx, s->session);
+            s->state = SSL_ST_ERR;
            return (0);
        } else {
            al = SSL_AD_ILLEGAL_PARAMETER;
@ -1719,9 +1720,12 @@ int ssl3_send_alert(SSL *s, int level, int desc)
                                          * protocol_version alerts */
    if (desc < 0)
        return -1;
-    /* If a fatal one, remove from cache */
-    if ((level == 2) && (s->session != NULL))
-        SSL_CTX_remove_session(s->session_ctx, s->session);
+    /* If a fatal one, remove from cache and go into the error state */
+    if (level == SSL3_AL_FATAL) {
+        if (s->session != NULL)
+            SSL_CTX_remove_session(s->session_ctx, s->session);
+        s->state = SSL_ST_ERR;
+    }

    s->s3->alert_dispatch = 1;
    s->s3->send_alert[0] = level;