File openssl-CVE-2019-1559.patch of Package openssl.11276

commit e4f77bf1833245d2b6aa4ce6a16c85e1cdf78589
Author: Matt Caswell <matt@openssl.org>
Date:   Thu Apr 23 20:01:33 2015 +0100

    Add Error state
    
    Reusing an SSL object when it has encountered a fatal error can
    have bad consequences. This is a bug in application code not libssl
    but libssl should be more forgiving and not crash.
    
    Reviewed-by: Rich Salz <rsalz@openssl.org>
    (cherry picked from commit a89db885e0d8aac3a9df1bbccb0c1ddfd8b2e10a)
    
    Conflicts:
            ssl/s3_srvr.c
            ssl/ssl_stat.c

Index: openssl-1.0.1i/ssl/s3_srvr.c
===================================================================
--- openssl-1.0.1i.orig/ssl/s3_srvr.c
+++ openssl-1.0.1i/ssl/s3_srvr.c
@@ -270,6 +270,7 @@ int ssl3_accept(SSL *s)
 			if ((s->version>>8) != 3)
 				{
 				SSLerr(SSL_F_SSL3_ACCEPT, ERR_R_INTERNAL_ERROR);
+				s->state = SSL_ST_ERR;
 				return -1;
 				}
 			s->type=SSL_ST_ACCEPT;
@@ -279,11 +280,13 @@ int ssl3_accept(SSL *s)
 				if ((buf=BUF_MEM_new()) == NULL)
 					{
 					ret= -1;
+					s->state = SSL_ST_ERR;
 					goto end;
 					}
 				if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
 					{
 					ret= -1;
+					s->state = SSL_ST_ERR;
 					goto end;
 					}
 				s->init_buf=buf;
@@ -292,6 +295,7 @@ int ssl3_accept(SSL *s)
 			if (!ssl3_setup_buffers(s))
 				{
 				ret= -1;
+				s->state = SSL_ST_ERR;
 				goto end;
 				}
 
@@ -303,7 +307,11 @@ int ssl3_accept(SSL *s)
 				/* Ok, we now need to push on a buffering BIO so that
 				 * the output is sent in a way that TCP likes :-)
 				 */
-				if (!ssl_init_wbio_buffer(s,1)) { ret= -1; goto end; }
+				if (!ssl_init_wbio_buffer(s,1)) {
+				    ret= -1;
+				    s->state = SSL_ST_ERR;
+				    goto end;
+				}
 				
 				ssl3_init_finished_mac(s);
 				s->state=SSL3_ST_SR_CLNT_HELLO_A;
@@ -319,6 +327,7 @@ int ssl3_accept(SSL *s)
 				SSLerr(SSL_F_SSL3_ACCEPT, SSL_R_UNSAFE_LEGACY_RENEGOTIATION_DISABLED);
 				ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_HANDSHAKE_FAILURE);
 				ret = -1;
+				s->state = SSL_ST_ERR;
 				goto end;
 				}
 			else
@@ -375,6 +384,7 @@ int ssl3_accept(SSL *s)
 					SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_CLIENTHELLO_TLSEXT);			
 				ret = SSL_TLSEXT_ERR_ALERT_FATAL;			
 				ret= -1;
+				s->state = SSL_ST_ERR;
 				goto end;	
 				}
 			}
@@ -515,9 +525,12 @@ int ssl3_accept(SSL *s)
 				skip=1;
 				s->s3->tmp.cert_request=0;
 				s->state=SSL3_ST_SW_SRVR_DONE_A;
-				if (s->s3->handshake_buffer)
-					if (!ssl3_digest_cached_records(s))
-						return -1;
+				if (s->s3->handshake_buffer) {
+				    if (!ssl3_digest_cached_records(s)) {
+					s->state = SSL_ST_ERR;
+					return -1;
+				    }
+				}
 				}
 			else
 				{
@@ -622,11 +635,14 @@ int ssl3_accept(SSL *s)
 				if (!s->s3->handshake_buffer)
 					{
 					SSLerr(SSL_F_SSL3_ACCEPT,ERR_R_INTERNAL_ERROR);
+					s->state = SSL_ST_ERR;
 					return -1;
 					}
 				s->s3->flags |= TLS1_FLAGS_KEEP_HANDSHAKE;
-				if (!ssl3_digest_cached_records(s))
-					return -1;
+				if (!ssl3_digest_cached_records(s)) {
+				    s->state = SSL_ST_ERR;
+				    return -1;
+				}
 				}
 			else
 				{
@@ -641,9 +657,12 @@ int ssl3_accept(SSL *s)
 				 * FIXME - digest processing for CertificateVerify
 				 * should be generalized. But it is next step
 				 */
-				if (s->s3->handshake_buffer)
-					if (!ssl3_digest_cached_records(s))
-						return -1;
+				if (s->s3->handshake_buffer) {
+				    if (!ssl3_digest_cached_records(s)) {
+					s->state = SSL_ST_ERR;
+					return -1;
+				    }
+				}
 				for (dgst_num=0; dgst_num<SSL_MAX_DIGEST;dgst_num++)	
 					if (s->s3->handshake_dgst[dgst_num]) 
 						{
@@ -653,6 +672,7 @@ int ssl3_accept(SSL *s)
 						dgst_size=EVP_MD_CTX_size(s->s3->handshake_dgst[dgst_num]);
 						if (dgst_size < 0)
 							{
+							s->state = SSL_ST_ERR;
 							ret = -1;
 							goto end;
 							}
@@ -730,8 +750,11 @@ int ssl3_accept(SSL *s)
 		case SSL3_ST_SW_CHANGE_B:
 
 			s->session->cipher=s->s3->tmp.new_cipher;
-			if (!s->method->ssl3_enc->setup_key_block(s))
-				{ ret= -1; goto end; }
+			if (!s->method->ssl3_enc->setup_key_block(s)) {
+			    ret= -1;
+			    s->state = SSL_ST_ERR;
+			    goto end;
+			}
 
 			ret=ssl3_send_change_cipher_spec(s,
 				SSL3_ST_SW_CHANGE_A,SSL3_ST_SW_CHANGE_B);
@@ -744,6 +767,7 @@ int ssl3_accept(SSL *s)
 				SSL3_CHANGE_CIPHER_SERVER_WRITE))
 				{
 				ret= -1;
+				s->state = SSL_ST_ERR;
 				goto end;
 				}
 
@@ -806,6 +830,7 @@ int ssl3_accept(SSL *s)
 			goto end;
 			/* break; */
 
+		case SSL_ST_ERR:
 		default:
 			SSLerr(SSL_F_SSL3_ACCEPT,SSL_R_UNKNOWN_STATE);
 			ret= -1;
@@ -1417,8 +1442,9 @@ int ssl3_get_client_hello(SSL *s)
 		{
 f_err:
 		ssl3_send_alert(s,SSL3_AL_FATAL,al);
-		}
 err:
+		s->state = SSL_ST_ERR;
+		}
 	if (ciphers != NULL) sk_SSL_CIPHER_free(ciphers);
 	return(ret);
 	}
@@ -1435,8 +1461,10 @@ int ssl3_send_server_hello(SSL *s)
 		buf=(unsigned char *)s->init_buf->data;
 #ifdef OPENSSL_NO_TLSEXT
 		p=s->s3->server_random;
-		if (ssl_fill_hello_random(s, 1, p, SSL3_RANDOM_SIZE) <= 0)
-			return -1;
+		if (ssl_fill_hello_random(s, 1, p, SSL3_RANDOM_SIZE) <= 0) {
+		    s->state = SSL_ST_ERR;
+		    return -1;
+		}
 #endif
 		/* Do the message type and length last */
 		d=p= &(buf[4]);
@@ -1471,6 +1499,7 @@ int ssl3_send_server_hello(SSL *s)
 		if (sl > (int)sizeof(s->session->session_id))
 			{
 			SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO, ERR_R_INTERNAL_ERROR);
+			s->state = SSL_ST_ERR;
 			return -1;
 			}
 		*(p++)=sl;
@@ -1494,11 +1523,13 @@ int ssl3_send_server_hello(SSL *s)
 		if (ssl_prepare_serverhello_tlsext(s) <= 0)
 			{
 			SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,SSL_R_SERVERHELLO_TLSEXT);
+			s->state = SSL_ST_ERR;
 			return -1;
 			}
 		if ((p = ssl_add_serverhello_tlsext(s, p, buf+SSL3_RT_MAX_PLAIN_LENGTH)) == NULL)
 			{
 			SSLerr(SSL_F_SSL3_SEND_SERVER_HELLO,ERR_R_INTERNAL_ERROR);
+			s->state = SSL_ST_ERR;
 			return -1;
 			}
 #endif
@@ -2012,6 +2043,7 @@ err:
 	BN_CTX_free(bn_ctx);
 #endif
 	EVP_MD_CTX_cleanup(&md_ctx);
+	s->state = SSL_ST_ERR;
 	return(-1);
 	}
 
@@ -2114,6 +2146,7 @@ int ssl3_send_certificate_request(SSL *s
 	/* SSL3_ST_SW_CERT_REQ_B */
 	return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
 err:
+	s->state = SSL_ST_ERR;
 	return(-1);
 	}
 
@@ -2959,6 +2992,7 @@ err:
 		EC_KEY_free(srvr_ecdh);
 	BN_CTX_free(bn_ctx);
 #endif
+	s->state = SSL_ST_ERR;
 	return(-1);
 	}
 
@@ -3207,6 +3241,7 @@ fprintf(stderr, "USING TLSv1.2 HASH %s\n
 		{
 f_err:
 		ssl3_send_alert(s,SSL3_AL_FATAL,al);
+		s->state = SSL_ST_ERR;
 		}
 end:
 	if (s->s3->handshake_buffer)
@@ -3375,8 +3410,9 @@ int ssl3_get_client_certificate(SSL *s)
 		{
 f_err:
 		ssl3_send_alert(s,SSL3_AL_FATAL,al);
-		}
 err:
+		s->state = SSL_ST_ERR;
+		}
 	if (x != NULL) X509_free(x);
 	if (sk != NULL) sk_X509_pop_free(sk,X509_free);
 	return(ret);
@@ -3397,6 +3433,7 @@ int ssl3_send_server_certificate(SSL *s)
 			    (s->s3->tmp.new_cipher->algorithm_mkey & SSL_kKRB5))
 				{
 				SSLerr(SSL_F_SSL3_SEND_SERVER_CERTIFICATE,ERR_R_INTERNAL_ERROR);
+				s->state = SSL_ST_ERR;
 				return(0);
 				}
 			}
@@ -3414,16 +3451,18 @@ int ssl3_send_server_certificate(SSL *s)
 #ifndef OPENSSL_NO_TLSEXT
 /* send a new session ticket (not necessarily for a new session) */
 int ssl3_send_newsession_ticket(SSL *s)
-	{
+{
+        unsigned char *senc = NULL;
+        EVP_CIPHER_CTX ctx;
+        HMAC_CTX hctx;
+
 	if (s->state == SSL3_ST_SW_SESSION_TICKET_A)
 		{
-		unsigned char *p, *senc, *macstart;
+		unsigned char *p, *macstart;
 		const unsigned char *const_p;
 		int len, slen_full, slen;
 		SSL_SESSION *sess;
 		unsigned int hlen;
-		EVP_CIPHER_CTX ctx;
-		HMAC_CTX hctx;
 		SSL_CTX *tctx = s->initial_ctx;
 		unsigned char iv[EVP_MAX_IV_LENGTH];
 		unsigned char key_name[16];
@@ -3433,32 +3472,40 @@ int ssl3_send_newsession_ticket(SSL *s)
 		/* Some length values are 16 bits, so forget it if session is
  		 * too long
  		 */
-		if (slen_full > 0xFF00)
-			return -1;
+		if (slen_full == 0 || slen_full > 0xFF00) {
+		    s->state = SSL_ST_ERR;
+		    return -1;
+		}
 		senc = OPENSSL_malloc(slen_full);
-		if (!senc)
-			return -1;
+		if (!senc) {
+		    s->state = SSL_ST_ERR;
+		    return -1;
+		}
+
+		EVP_CIPHER_CTX_init(&ctx);
+		HMAC_CTX_init(&hctx);
+
 		p = senc;
-		i2d_SSL_SESSION(s->session, &p);
+		if (!i2d_SSL_SESSION(s->session, &p))
+		    goto err;
 
 		/* create a fresh copy (not shared with other threads) to clean up */
 		const_p = senc;
 		sess = d2i_SSL_SESSION(NULL, &const_p, slen_full);
 		if (sess == NULL)
-			{
-			OPENSSL_free(senc);
-			return -1;
-			}
+		    goto err;
 		sess->session_id_length = 0; /* ID is irrelevant for the ticket */
 
 		slen = i2d_SSL_SESSION(sess, NULL);
-		if (slen > slen_full) /* shouldn't ever happen */
-			{
-			OPENSSL_free(senc);
-			return -1;
-			}
+		if (slen == 0 || slen > slen_full) { /* shouldn't ever happen */
+		    SSL_SESSION_free(sess);
+		    goto err;
+		}
 		p = senc;
-		i2d_SSL_SESSION(sess, &p);
+		if (!i2d_SSL_SESSION(sess, &p)) {
+		    SSL_SESSION_free(sess);
+		    goto err;
+		}
 		SSL_SESSION_free(sess);
 
 		/* Grow buffer if need be: the length calculation is as
@@ -3471,15 +3518,13 @@ int ssl3_send_newsession_ticket(SSL *s)
 		if (!BUF_MEM_grow(s->init_buf,
 			26 + EVP_MAX_IV_LENGTH + EVP_MAX_BLOCK_LENGTH +
 			EVP_MAX_MD_SIZE + slen))
-			return -1;
+			goto err;
 
 		p=(unsigned char *)s->init_buf->data;
 		/* do the header */
 		*(p++)=SSL3_MT_NEWSESSION_TICKET;
 		/* Skip message length for now */
 		p += 3;
-		EVP_CIPHER_CTX_init(&ctx);
-		HMAC_CTX_init(&hctx);
 		/* Initialize HMAC and cipher contexts. If callback present
 		 * it does all the work otherwise use generated values
 		 * from parent ctx.
@@ -3488,18 +3533,18 @@ int ssl3_send_newsession_ticket(SSL *s)
 			{
 			if (tctx->tlsext_ticket_key_cb(s, key_name, iv, &ctx,
 							 &hctx, 1) < 0)
-				{
-				OPENSSL_free(senc);
-				return -1;
-				}
+			    goto err;
 			}
 		else
 			{
-			RAND_pseudo_bytes(iv, 16);
-			EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
-					tctx->tlsext_tick_aes_key, iv);
-			HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
-					tlsext_tick_md(), NULL);
+			if (RAND_bytes(iv, 16) <= 0)
+			    goto err;
+			if (!EVP_EncryptInit_ex(&ctx, EVP_aes_128_cbc(), NULL,
+						tctx->tlsext_tick_aes_key, iv))
+			    goto err;
+			if (!HMAC_Init_ex(&hctx, tctx->tlsext_tick_hmac_key, 16,
+					  tlsext_tick_md(), NULL))
+			    goto err;
 			memcpy(key_name, tctx->tlsext_tick_key_name, 16);
 			}
 
@@ -3519,14 +3564,19 @@ int ssl3_send_newsession_ticket(SSL *s)
 		memcpy(p, iv, EVP_CIPHER_CTX_iv_length(&ctx));
 		p += EVP_CIPHER_CTX_iv_length(&ctx);
 		/* Encrypt session data */
-		EVP_EncryptUpdate(&ctx, p, &len, senc, slen);
+		if (!EVP_EncryptUpdate(&ctx, p, &len, senc, slen))
+		    goto err;
 		p += len;
-		EVP_EncryptFinal(&ctx, p, &len);
+		if (!EVP_EncryptFinal(&ctx, p, &len))
+		    goto err;
 		p += len;
-		EVP_CIPHER_CTX_cleanup(&ctx);
 
-		HMAC_Update(&hctx, macstart, p - macstart);
-		HMAC_Final(&hctx, p, &hlen);
+		if (!HMAC_Update(&hctx, macstart, p - macstart))
+		    goto err;
+		if (!HMAC_Final(&hctx, p, &hlen))
+		    goto err;
+
+		EVP_CIPHER_CTX_cleanup(&ctx);
 		HMAC_CTX_cleanup(&hctx);
 
 		p += hlen;
@@ -3547,6 +3597,13 @@ int ssl3_send_newsession_ticket(SSL *s)
 
 	/* SSL3_ST_SW_SESSION_TICKET_B */
 	return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
+ err:
+	if (senc)
+	    OPENSSL_free(senc);
+	EVP_CIPHER_CTX_cleanup(&ctx);
+	HMAC_CTX_cleanup(&hctx);
+       s->state = SSL_ST_ERR;
+	return -1;
 	}
 
 int ssl3_send_cert_status(SSL *s)
@@ -3559,8 +3616,10 @@ int ssl3_send_cert_status(SSL *s)
  		 * 1 (ocsp response type) + 3 (ocsp response length)
  		 * + (ocsp response)
  		 */
-		if (!BUF_MEM_grow(s->init_buf, 8 + s->tlsext_ocsp_resplen))
-			return -1;
+		if (!BUF_MEM_grow(s->init_buf, 8 + s->tlsext_ocsp_resplen)) {
+		    s->state = SSL_ST_ERR;
+		    return -1;
+		}
 
 		p=(unsigned char *)s->init_buf->data;
 
@@ -3599,6 +3658,7 @@ int ssl3_get_next_proto(SSL *s)
 	if (!s->s3->next_proto_neg_seen)
 		{
 		SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,SSL_R_GOT_NEXT_PROTO_WITHOUT_EXTENSION);
+		s->state = SSL_ST_ERR;
 		return -1;
 		}
 
@@ -3618,11 +3678,14 @@ int ssl3_get_next_proto(SSL *s)
 	if (!s->s3->change_cipher_spec)
 		{
 		SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,SSL_R_GOT_NEXT_PROTO_BEFORE_A_CCS);
+		s->state = SSL_ST_ERR;
 		return -1;
 		}
 
-	if (n < 2)
-		return 0;  /* The body must be > 1 bytes long */
+	if (n < 2) {
+	    s->state = SSL_ST_ERR;
+	    return 0;  /* The body must be > 1 bytes long */
+	}
 
 	p=(unsigned char *)s->init_msg;
 
@@ -3633,16 +3696,21 @@ int ssl3_get_next_proto(SSL *s)
 	 *   uint8 padding[padding_len];
 	 */
 	proto_len = p[0];
-	if (proto_len + 2 > s->init_num)
-		return 0;
+	if (proto_len + 2 > s->init_num) {
+	    s->state = SSL_ST_ERR;
+	    return 0;
+	}
 	padding_len = p[proto_len + 1];
-	if (proto_len + padding_len + 2 != s->init_num)
-		return 0;
+	if (proto_len + padding_len + 2 != s->init_num) {
+	    s->state = SSL_ST_ERR;
+	    return 0;
+	}
 
 	s->next_proto_negotiated = OPENSSL_malloc(proto_len);
 	if (!s->next_proto_negotiated)
 		{
 		SSLerr(SSL_F_SSL3_GET_NEXT_PROTO,ERR_R_MALLOC_FAILURE);
+		s->state = SSL_ST_ERR;
 		return 0;
 		}
 	memcpy(s->next_proto_negotiated, p + 1, proto_len);
Index: openssl-1.0.1i/ssl/ssl.h
===================================================================
--- openssl-1.0.1i.orig/ssl/ssl.h
+++ openssl-1.0.1i/ssl/ssl.h
@@ -1413,6 +1413,7 @@ extern "C" {
 #define SSL_ST_BEFORE			0x4000
 #define SSL_ST_OK			0x03
 #define SSL_ST_RENEGOTIATE		(0x04|SSL_ST_INIT)
+#define SSL_ST_ERR			(0x05|SSL_ST_INIT)
 
 #define SSL_CB_LOOP			0x01
 #define SSL_CB_EXIT			0x02
Index: openssl-1.0.1i/ssl/ssl_stat.c
===================================================================
--- openssl-1.0.1i.orig/ssl/ssl_stat.c
+++ openssl-1.0.1i/ssl/ssl_stat.c
@@ -100,6 +100,7 @@ case SSL_ST_BEFORE|SSL_ST_CONNECT: str="
 case SSL_ST_OK|SSL_ST_CONNECT: str="ok/connect SSL initialization"; break;
 case SSL_ST_BEFORE|SSL_ST_ACCEPT: str="before/accept initialization"; break;
 case SSL_ST_OK|SSL_ST_ACCEPT: str="ok/accept SSL initialization"; break;
+case SSL_ST_ERR: str="error"; break;
 #ifndef OPENSSL_NO_SSL2
 case SSL2_ST_CLIENT_START_ENCRYPTION: str="SSLv2 client start encryption"; break;
 case SSL2_ST_SERVER_START_ENCRYPTION: str="SSLv2 server start encryption"; break;
@@ -257,6 +258,7 @@ case SSL_ST_BEFORE:				str="PINIT "; bre
 case SSL_ST_ACCEPT:				str="AINIT "; break;
 case SSL_ST_CONNECT:				str="CINIT "; break;
 case SSL_ST_OK:			 		str="SSLOK "; break;
+case SSL_ST_ERR:                            	str="SSLERR"; break;
 #ifndef OPENSSL_NO_SSL2
 case SSL2_ST_CLIENT_START_ENCRYPTION:		str="2CSENC"; break;
 case SSL2_ST_SERVER_START_ENCRYPTION:		str="2SSENC"; break;
Index: openssl-1.0.1i/ssl/s3_clnt.c
===================================================================
--- openssl-1.0.1i.orig/ssl/s3_clnt.c
+++ openssl-1.0.1i/ssl/s3_clnt.c
@@ -237,6 +237,7 @@ int ssl3_connect(SSL *s)
 			if ((s->version & 0xff00 ) != 0x0300)
 				{
 				SSLerr(SSL_F_SSL3_CONNECT, ERR_R_INTERNAL_ERROR);
+				s->state = SSL_ST_ERR;
 				ret = -1;
 				goto end;
 				}
@@ -249,11 +250,13 @@ int ssl3_connect(SSL *s)
 				if ((buf=BUF_MEM_new()) == NULL)
 					{
 					ret= -1;
+					s->state = SSL_ST_ERR;
 					goto end;
 					}
 				if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
 					{
 					ret= -1;
+					s->state = SSL_ST_ERR;
 					goto end;
 					}
 				s->init_buf=buf;
@@ -263,7 +266,11 @@ int ssl3_connect(SSL *s)
 			if (!ssl3_setup_buffers(s)) { ret= -1; goto end; }
 
 			/* setup buffing BIO */
-			if (!ssl_init_wbio_buffer(s,0)) { ret= -1; goto end; }
+			if (!ssl_init_wbio_buffer(s,0)) {
+				ret= -1;
+				s->state = SSL_ST_ERR;
+				goto end;
+			}
 
 			/* don't push the buffering BIO quite yet */
 
@@ -366,6 +373,7 @@ int ssl3_connect(SSL *s)
 			if (!ssl3_check_cert_and_algorithm(s))
 				{
 				ret= -1;
+				s->state = SSL_ST_ERR;
 				goto end;
 				}
 			break;
@@ -389,6 +397,7 @@ int ssl3_connect(SSL *s)
 					{
 					SSLerr(SSL_F_SSL3_CONNECT,SSL_R_SRP_A_CALC);
 					ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_INTERNAL_ERROR);
+					s->state = SSL_ST_ERR;
 					goto end;
 					}
 				}
@@ -482,6 +491,7 @@ int ssl3_connect(SSL *s)
 			if (!s->method->ssl3_enc->setup_key_block(s))
 				{
 				ret= -1;
+				s->state = SSL_ST_ERR;
 				goto end;
 				}
 
@@ -489,6 +499,7 @@ int ssl3_connect(SSL *s)
 				SSL3_CHANGE_CIPHER_CLIENT_WRITE))
 				{
 				ret= -1;
+				s->state = SSL_ST_ERR;
 				goto end;
 				}
 
@@ -615,7 +626,8 @@ int ssl3_connect(SSL *s)
 
 			goto end;
 			/* break; */
-			
+
+		case SSL_ST_ERR:
 		default:
 			SSLerr(SSL_F_SSL3_CONNECT,SSL_R_UNKNOWN_STATE);
 			ret= -1;
@@ -814,6 +826,7 @@ int ssl3_client_hello(SSL *s)
 	/* SSL3_ST_CW_CLNT_HELLO_B */
 	return(ssl3_do_write(s,SSL3_RT_HANDSHAKE));
 err:
+	s->state = SSL_ST_ERR;
 	return(-1);
 	}
 
@@ -1081,6 +1094,7 @@ int ssl3_get_server_hello(SSL *s)
 f_err:
 	ssl3_send_alert(s,SSL3_AL_FATAL,al);
 err:
+	s->state = SSL_ST_ERR;
 	return(-1);
 	}
 
@@ -1268,8 +1282,9 @@ int ssl3_get_server_certificate(SSL *s)
 		{
 f_err:
 		ssl3_send_alert(s,SSL3_AL_FATAL,al);
-		}
 err:
+		s->state = SSL_ST_ERR;
+		}
 	EVP_PKEY_free(pkey);
 	X509_free(x);
 	sk_X509_pop_free(sk,X509_free);
@@ -1887,6 +1902,7 @@ err:
 		EC_KEY_free(ecdh);
 #endif
 	EVP_MD_CTX_cleanup(&md_ctx);
+	s->state = SSL_ST_ERR;
 	return(-1);
 	}
 
@@ -2060,7 +2076,10 @@ cont:
 	ca_sk=NULL;
 
 	ret=1;
+	goto done;
 err:
+	s->state = SSL_ST_ERR;
+done:
 	if (ca_sk != NULL) sk_X509_NAME_pop_free(ca_sk,X509_NAME_free);
 	return(ret);
 	}
@@ -2188,6 +2207,7 @@ int ssl3_get_new_session_ticket(SSL *s)
 f_err:
 	ssl3_send_alert(s,SSL3_AL_FATAL,al);
 err:
+	s->state = SSL_ST_ERR;
 	return(-1);
 	}
 
@@ -2256,6 +2276,7 @@ int ssl3_get_cert_status(SSL *s)
 	return 1;
 f_err:
 	ssl3_send_alert(s,SSL3_AL_FATAL,al);
+	s->state = SSL_ST_ERR;
 	return(-1);
 	}
 #endif
@@ -2278,6 +2299,7 @@ int ssl3_get_server_done(SSL *s)
 		/* should contain no data */
 		ssl3_send_alert(s,SSL3_AL_FATAL,SSL_AD_DECODE_ERROR);
 		SSLerr(SSL_F_SSL3_GET_SERVER_DONE,SSL_R_LENGTH_MISMATCH);
+		s->state = SSL_ST_ERR;
 		return -1;
 		}
 	ret=1;
@@ -3041,6 +3063,7 @@ err:
 		EC_KEY_free(clnt_ecdh);
 	EVP_PKEY_free(srvr_pub_pkey);
 #endif
+	s->state = SSL_ST_ERR;
 	return(-1);
 	}
 
@@ -3199,6 +3222,7 @@ int ssl3_send_client_verify(SSL *s)
 err:
 	EVP_MD_CTX_cleanup(&mctx);
 	EVP_PKEY_CTX_free(pctx);
+	s->state = SSL_ST_ERR;
 	return(-1);
 	}
 
Index: openssl-1.0.1i/ssl/d1_clnt.c
===================================================================
--- openssl-1.0.1i.orig/ssl/d1_clnt.c
+++ openssl-1.0.1i/ssl/d1_clnt.c
@@ -213,6 +213,7 @@ int dtls1_connect(SSL *s)
 				{
 				SSLerr(SSL_F_DTLS1_CONNECT, ERR_R_INTERNAL_ERROR);
 				ret = -1;
+				s->state = SSL_ST_ERR;
 				goto end;
 				}
 				
@@ -224,21 +225,31 @@ int dtls1_connect(SSL *s)
 				if ((buf=BUF_MEM_new()) == NULL)
 					{
 					ret= -1;
+					s->state = SSL_ST_ERR;
 					goto end;
 					}
 				if (!BUF_MEM_grow(buf,SSL3_RT_MAX_PLAIN_LENGTH))
 					{
 					ret= -1;
+					s->state = SSL_ST_ERR;
 					goto end;
 					}
 				s->init_buf=buf;
 				buf=NULL;
 				}
 
-			if (!ssl3_setup_buffers(s)) { ret= -1; goto end; }
+			if (!ssl3_setup_buffers(s)) {
+				ret= -1;
+				s->state = SSL_ST_ERR;
+				goto end;
+			}
 
 			/* setup buffing BIO */
-			if (!ssl_init_wbio_buffer(s,0)) { ret= -1; goto end; }
+			if (!ssl_init_wbio_buffer(s,0)) {
+				ret= -1;
+				s->state = SSL_ST_ERR;
+				goto end;
+			}
 
 			/* don't push the buffering BIO quite yet */
 
@@ -338,9 +349,13 @@ int dtls1_connect(SSL *s)
 					snprintf((char*) labelbuffer, sizeof(DTLS1_SCTP_AUTH_LABEL),
 					         DTLS1_SCTP_AUTH_LABEL);
 
-					SSL_export_keying_material(s, sctpauthkey,
+					if (SSL_export_keying_material(s, sctpauthkey,
 					                           sizeof(sctpauthkey), labelbuffer,
-					                           sizeof(labelbuffer), NULL, 0, 0);
+								   sizeof(labelbuffer), NULL, 0, 0) <= 0){
+						ret = -1;
+						s->state = SSL_ST_ERR;
+						goto end;
+					}
 
 					BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
 							 sizeof(sctpauthkey), sctpauthkey);
@@ -423,6 +438,7 @@ int dtls1_connect(SSL *s)
 			if (!ssl3_check_cert_and_algorithm(s))
 				{
 				ret= -1;
+				s->state = SSL_ST_ERR;
 				goto end;
 				}
 			break;
@@ -479,9 +495,13 @@ int dtls1_connect(SSL *s)
 			snprintf((char*) labelbuffer, sizeof(DTLS1_SCTP_AUTH_LABEL),
 			         DTLS1_SCTP_AUTH_LABEL);
 
-			SSL_export_keying_material(s, sctpauthkey,
+			if (SSL_export_keying_material(s, sctpauthkey,
 			                           sizeof(sctpauthkey), labelbuffer,
-			                           sizeof(labelbuffer), NULL, 0, 0);
+						   sizeof(labelbuffer), NULL, 0, 0) <= 0) {
+				ret = -1;
+				s->state = SSL_ST_ERR;
+				goto end;
+			}
 
 			BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
 					 sizeof(sctpauthkey), sctpauthkey);
@@ -554,6 +574,7 @@ int dtls1_connect(SSL *s)
 			if (!s->method->ssl3_enc->setup_key_block(s))
 				{
 				ret= -1;
+				s->state = SSL_ST_ERR;
 				goto end;
 				}
 
@@ -561,6 +582,7 @@ int dtls1_connect(SSL *s)
 				SSL3_CHANGE_CIPHER_CLIENT_WRITE))
 				{
 				ret= -1;
+				s->state = SSL_ST_ERR;
 				goto end;
 				}
 			
@@ -734,7 +756,8 @@ int dtls1_connect(SSL *s)
 			dtls1_clear_received_buffer(s);
 			goto end;
 			/* break; */
-			
+
+		case SSL_ST_ERR:
 		default:
 			SSLerr(SSL_F_DTLS1_CONNECT,SSL_R_UNKNOWN_STATE);
 			ret= -1;
@@ -958,6 +981,7 @@ static int dtls1_get_hello_verify(SSL *s
 
 f_err:
 	ssl3_send_alert(s, SSL3_AL_FATAL, al);
+	s->state = SSL_ST_ERR;
 	return -1;
 	}
 
Index: openssl-1.0.1i/ssl/d1_pkt.c
===================================================================
--- openssl-1.0.1i.orig/ssl/d1_pkt.c
+++ openssl-1.0.1i/ssl/d1_pkt.c
@@ -1252,6 +1252,7 @@ start:
 			ERR_add_error_data(2,"SSL alert number ",tmp);
 			s->shutdown|=SSL_RECEIVED_SHUTDOWN;
 			SSL_CTX_remove_session(s->ctx,s->session);
+			s->state = SSL_ST_ERR;
 			return(0);
 			}
 		else
Index: openssl-1.0.1i/ssl/s3_pkt.c
===================================================================
--- openssl-1.0.1i.orig/ssl/s3_pkt.c
+++ openssl-1.0.1i/ssl/s3_pkt.c
@@ -1294,6 +1294,7 @@ start:
 			ERR_add_error_data(2,"SSL alert number ",tmp);
 			s->shutdown|=SSL_RECEIVED_SHUTDOWN;
 			SSL_CTX_remove_session(s->ctx,s->session);
+			s->state = SSL_ST_ERR;
 			return(0);
 			}
 		else
@@ -1523,9 +1524,12 @@ int ssl3_send_alert(SSL *s, int level, i
 	if (s->version == SSL3_VERSION && desc == SSL_AD_PROTOCOL_VERSION)
 		desc = SSL_AD_HANDSHAKE_FAILURE; /* SSL 3.0 does not have protocol_version alerts */
 	if (desc < 0) return -1;
-	/* If a fatal one, remove from cache */
-	if ((level == 2) && (s->session != NULL))
-		SSL_CTX_remove_session(s->ctx,s->session);
+	/* If a fatal one, remove from cache and go into the error state */
+	if (level == SSL3_AL_FATAL) {
+	    if (s->session != NULL)
+		SSL_CTX_remove_session(s->session_ctx, s->session);
+	    s->state = SSL_ST_ERR;
+	}
 
 	s->s3->alert_dispatch=1;
 	s->s3->send_alert[0]=level;
Index: openssl-1.0.1i/ssl/d1_srvr.c
===================================================================
--- openssl-1.0.1i.orig/ssl/d1_srvr.c
+++ openssl-1.0.1i/ssl/d1_srvr.c
@@ -395,10 +395,14 @@ int dtls1_accept(SSL *s)
 				snprintf((char*) labelbuffer, sizeof(DTLS1_SCTP_AUTH_LABEL),
 				         DTLS1_SCTP_AUTH_LABEL);
 
-				SSL_export_keying_material(s, sctpauthkey,
+				if (SSL_export_keying_material(s, sctpauthkey,
 				                           sizeof(sctpauthkey), labelbuffer,
-				                           sizeof(labelbuffer), NULL, 0, 0);
-				
+							   sizeof(labelbuffer), NULL, 0, 0) <= 0) {
+					ret = -1;
+					s->state = SSL_ST_ERR;
+					goto end;
+				}
+
 				BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
                          sizeof(sctpauthkey), sctpauthkey);
 #endif
@@ -610,9 +614,13 @@ int dtls1_accept(SSL *s)
 			snprintf((char *) labelbuffer, sizeof(DTLS1_SCTP_AUTH_LABEL),
 			         DTLS1_SCTP_AUTH_LABEL);
 
-			SSL_export_keying_material(s, sctpauthkey,
+			if (SSL_export_keying_material(s, sctpauthkey,
 			                           sizeof(sctpauthkey), labelbuffer,
-			                           sizeof(labelbuffer), NULL, 0, 0);
+						   sizeof(labelbuffer), NULL, 0, 0) <= 0) {
+				ret = -1;
+				s->state = SSL_ST_ERR;
+				goto end;
+			}
 
 			BIO_ctrl(SSL_get_wbio(s), BIO_CTRL_DGRAM_SCTP_ADD_AUTH_KEY,
 			         sizeof(sctpauthkey), sctpauthkey);
openSUSE Build Service is sponsored by