From: tb <tb@openbsd.org>
Date: Wed, 7 Apr 2021 21:48:23 +0000 (+0000)
Subject: Avoid clobbering the error code when sending an alert
X-Git-Url: http://artulab.com/gitweb/?a=commitdiff_plain;h=caffe9b53bbba8abff2fd1c0df83b8e76a6ef282;p=openbsd

Avoid clobbering the error code when sending an alert

In order to fail gracefully on encountering a self-signed cert, curl looks
at the top-most error on the stack and needs specific SSL_R_ error codes.
This mechanism was broken when the tls13_alert_sent_cb() was added after
people complained about unhelpful unknown errors. Fix this by only setting
the error code from a fatal alert if no error has been set previously.

Issue reported by Christopher Reid

ok jsing
---

diff --git a/lib/libssl/tls13_lib.c b/lib/libssl/tls13_lib.c
index 9dbb7d64303..f064521c8b5 100644
--- a/lib/libssl/tls13_lib.c
+++ b/lib/libssl/tls13_lib.c
@@ -1,4 +1,4 @@
-/*	$OpenBSD: tls13_lib.c,v 1.58 2021/03/21 18:36:34 jsing Exp $ */
+/*	$OpenBSD: tls13_lib.c,v 1.59 2021/04/07 21:48:23 tb Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
  * Copyright (c) 2019 Bob Beck <beck@openbsd.org>
@@ -147,7 +147,8 @@ tls13_alert_sent_cb(uint8_t alert_desc, void *arg)
 	}
 
 	/* All other alerts are treated as fatal in TLSv1.3. */
-	SSLerror(ctx->ssl, SSL_AD_REASON_OFFSET + alert_desc);
+	if (ctx->error.code == 0)
+		SSLerror(ctx->ssl, SSL_AD_REASON_OFFSET + alert_desc);
 }
 
 static void