Return an error if tls_handshake() or tls_close() is called on a context

for which they are not valid operations.

ok beck@

1 files changed, 13 insertions, 2 deletions

diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c
index 3012ea62a6..cb2833cb54 100644
--- a/src/lib/libtls/tls.c
+++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.29 2015/09/13 15:39:15 beck Exp $ */
+/* $OpenBSD: tls.c,v 1.30 2015/09/14 12:20:40 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -380,6 +380,11 @@ tls_handshake(struct tls *ctx)
 {
         int rv = -1;
 
+        if ((ctx->flags & (TLS_CLIENT | TLS_SERVER_CONN)) == 0) {
+                tls_set_errorx(ctx, "invalid operation for context");
+                goto out;
+        }
+
         if (ctx->conninfo == NULL &&
             (ctx->conninfo = calloc(1, sizeof(*ctx->conninfo))) == NULL)
                 goto out;
@@ -393,7 +398,7 @@ tls_handshake(struct tls *ctx)
             (ctx->ssl_peer_cert = SSL_get_peer_certificate(ctx->ssl_conn)) &&
             (tls_get_conninfo(ctx) == -1))
                 rv = -1;
-out:
+ out:
         /* Prevent callers from performing incorrect error handling */
         errno = 0;
         return (rv);
@@ -463,6 +468,12 @@ tls_close(struct tls *ctx)
         int ssl_ret;
         int rv = 0;
 
+        if ((ctx->flags & (TLS_CLIENT | TLS_SERVER_CONN)) == 0) {
+                tls_set_errorx(ctx, "invalid operation for context");
+                rv = -1;
+                goto out;
+        }
+
         if (ctx->ssl_conn != NULL) {
                 ERR_clear_error();
                 ssl_ret = SSL_shutdown(ctx->ssl_conn);