OpenSSL: Terminate TLS handshake if ClientHello cannot be generated
authorJouni Malinen <j@w1.fi>
Tue, 1 May 2018 09:41:28 +0000 (12:41 +0300)
committerJouni Malinen <j@w1.fi>
Tue, 1 May 2018 10:23:25 +0000 (13:23 +0300)
OpenSSL 1.1.1 added cases where ClientHello generation may fail due to
"no ciphers available". There is no point in sending out the resulting
TLS Alert message to the server since the server does not know what to
do with it before ClientHello. Instead, simply terminate the TLS
handshake locally and report EAP failure to avoid getting stuck waiting
for a timeout.

Signed-off-by: Jouni Malinen <j@w1.fi>
src/crypto/tls_openssl.c

index dd8022cdd81a544b02949469c94605fbb72b7743..fe5f8c87559bfea1e49d2d049dac1d4040154b13 100644 (file)
@@ -232,6 +232,7 @@ struct tls_connection {
        unsigned int server_cert_only:1;
        unsigned int invalid_hb_used:1;
        unsigned int success_data:1;
+       unsigned int client_hello_generated:1;
 
        u8 srv_cert_hash[32];
 
@@ -3597,9 +3598,23 @@ openssl_handshake(struct tls_connection *conn, const struct wpabuf *in_data,
                else {
                        tls_show_errors(MSG_INFO, __func__, "SSL_connect");
                        conn->failed++;
+                       if (!server && !conn->client_hello_generated) {
+                               /* The server would not understand TLS Alert
+                                * before ClientHello, so simply terminate
+                                * handshake on this type of error case caused
+                                * by a likely internal error like no ciphers
+                                * available. */
+                               wpa_printf(MSG_DEBUG,
+                                          "OpenSSL: Could not generate ClientHello");
+                               conn->write_alerts++;
+                               return NULL;
+                       }
                }
        }
 
+       if (!server && !conn->failed)
+               conn->client_hello_generated = 1;
+
 #ifdef CONFIG_SUITEB
        if ((conn->flags & TLS_CONN_SUITEB) && !server &&
            os_strncmp(SSL_get_cipher(conn->ssl), "DHE-", 4) == 0 &&
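Review bot: `client_hello_generated` is set at `if (!server && !conn->failed)` but nothing in this hunk clears it again. If the same `struct tls_connection` can be reused for a fresh handshake (the reset path is not visible here, so this needs checking), a later ClientHello generation failure would skip the new early `return NULL` and fall back to emitting the alert. Clearing the bit wherever the connection state is reset, with `conn->client_hello_generated = 0;`, would keep the fail-closed behaviour consistent across handshakes. Separately, `conn->write_alerts++` counts an alert that is never written, presumably so the caller treats the handshake as failed; a comment such as `/* No alert is sent here; bump the counter so the caller reports failure */` would make that intent explicit. The body of openssl_handshake starts and ends outside the hunk.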