From 7d78cd722b63e53a668c7ec13b9eeb6e13e32f13 Mon Sep 17 00:00:00 2001 From: Neil Horman Date: Sun, 10 Aug 2025 17:53:28 -0400 Subject: [PATCH] Assert SSLFatal on keylog failure MIME-Version: 1.0 Content-Type: text/plain; charset=utf8 Content-Transfer-Encoding: 8bit We hit an check_failure assert during memfail testing in ssl_read_state_machine, based on a return of WORK_ERROR without an SSLFatal call being made. This occurs because, if we fail in ssl_log_secret (which we do due to memfail testing, we don't actually assert an SSL fatal error. Fix it by adding the SSLFatal call Reviewed-by: Tomas Mraz Reviewed-by: Saša Nedvědický (Merged from https://github.com/openssl/openssl/pull/28216) --- ssl/tls13_enc.c | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/ssl/tls13_enc.c b/ssl/tls13_enc.c index 0aa97648c4e..5953de32330 100644 --- a/ssl/tls13_enc.c +++ b/ssl/tls13_enc.c @@ -603,7 +603,7 @@ int tls13_change_cipher_state(SSL_CONNECTION *s, int which) if (!ssl_log_secret(s, EARLY_EXPORTER_SECRET_LABEL, s->early_exporter_master_secret, hashlen)) { - /* SSLfatal() already called */ + SSLfatal(s, SSL_AD_INTERNAL_ERROR, ERR_R_INTERNAL_ERROR); goto err; } } else if (which & SSL3_CC_HANDSHAKE) { -- 2.47.3