Move the TLSv1.3 code that interfaces with the legacy APIs/stack into a

separate file. Discussed with beck@ and tb@
author: jsing <> 2020-02-15 14:40:38 +0000
committer: jsing <> 2020-02-15 14:40:38 +0000
commit: facbfa56f3358d503aff3e7bd6136e5589043c37 (patch)
tree: 2df4db86b53ba15e614df804d9fd2d0131a7b683 /src/lib/libssl/tls13_lib.c
parent: d7e17944af879ef1407ee0a89ab05a1f52dc47b8 (diff)
download: openbsd-facbfa56f3358d503aff3e7bd6136e5589043c37.tar.gz
openbsd-facbfa56f3358d503aff3e7bd6136e5589043c37.tar.bz2
openbsd-facbfa56f3358d503aff3e7bd6136e5589043c37.zip
1 files changed, 1 insertions, 308 deletions
diff --git a/src/lib/libssl/tls13_lib.c b/src/lib/libssl/tls13_lib.c
index 92743ef4b3..bdf547c8d9 100644
--- a/src/lib/libssl/tls13_lib.c
+++ b/src/lib/libssl/tls13_lib.c
@@ -1,4 +1,4 @@
-/*      $OpenBSD: tls13_lib.c,v 1.33 2020/02/05 06:12:43 tb Exp $ */
+/*      $OpenBSD: tls13_lib.c,v 1.34 2020/02/15 14:40:38 jsing Exp $ */
 /*
 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
 * Copyright (c) 2019 Bob Beck <beck@openbsd.org>
@@ -16,7 +16,6 @@
 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
 */
-#include <limits.h>
 #include <stddef.h>
 #include <openssl/evp.h>
@@ -24,11 +23,6 @@
 #include "ssl_locl.h"
 #include "tls13_internal.h"
-SSL3_ENC_METHOD TLSv1_3_enc_data = {
-        .enc = NULL,
-        .enc_flags = SSL_ENC_FLAG_SIGALGS|SSL_ENC_FLAG_TLS1_3_CIPHERS,
-};
 /*
 * RFC 8446 section 4.1.3, magic values which must be set by the
 * server in server random if it is willing to downgrade but supports
@@ -317,307 +311,6 @@ tls13_ctx_free(struct tls13_ctx *ctx)
        freezero(ctx, sizeof(struct tls13_ctx));
 }
-static ssize_t
-tls13_legacy_wire_read(SSL *ssl, uint8_t *buf, size_t len)
-{
-        int n;
-        if (ssl->rbio == NULL) {
-                SSLerror(ssl, SSL_R_BIO_NOT_SET);
-                return TLS13_IO_FAILURE;
-        }
-        ssl->internal->rwstate = SSL_READING;
-        if ((n = BIO_read(ssl->rbio, buf, len)) <= 0) {
-                if (BIO_should_read(ssl->rbio))
-                        return TLS13_IO_WANT_POLLIN;
-                if (BIO_should_write(ssl->rbio))
-                        return TLS13_IO_WANT_POLLOUT;
-                if (n == 0)
-                        return TLS13_IO_EOF;
-                return TLS13_IO_FAILURE;
-        }
-        if (n == len)
-                ssl->internal->rwstate = SSL_NOTHING;
-        return n;
-}
-ssize_t
-tls13_legacy_wire_read_cb(void *buf, size_t n, void *arg)
-{
-        struct tls13_ctx *ctx = arg;
-        return tls13_legacy_wire_read(ctx->ssl, buf, n);
-}
-static ssize_t
-tls13_legacy_wire_write(SSL *ssl, const uint8_t *buf, size_t len)
-{
-        int n;
-        if (ssl->wbio == NULL) {
-                SSLerror(ssl, SSL_R_BIO_NOT_SET);
-                return TLS13_IO_FAILURE;
-        }
-        ssl->internal->rwstate = SSL_WRITING;
-        if ((n = BIO_write(ssl->wbio, buf, len)) <= 0) {
-                if (BIO_should_read(ssl->wbio))
-                        return TLS13_IO_WANT_POLLIN;
-                if (BIO_should_write(ssl->wbio))
-                        return TLS13_IO_WANT_POLLOUT;
-                return TLS13_IO_FAILURE;
-        }
-        if (n == len)
-                ssl->internal->rwstate = SSL_NOTHING;
-        return n;
-}
-ssize_t
-tls13_legacy_wire_write_cb(const void *buf, size_t n, void *arg)
-{
-        struct tls13_ctx *ctx = arg;
-        return tls13_legacy_wire_write(ctx->ssl, buf, n);
-}
-static void
-tls13_legacy_error(SSL *ssl)
-{
-        struct tls13_ctx *ctx = ssl->internal->tls13;
-        int reason = SSL_R_UNKNOWN;
-        /* If we received a fatal alert we already put an error on the stack. */
-        if (S3I(ssl)->fatal_alert != 0)
-                return;
-        switch (ctx->error.code) {
-        case TLS13_ERR_VERIFY_FAILED:
-                reason = SSL_R_CERTIFICATE_VERIFY_FAILED;
-                break;
-        case TLS13_ERR_HRR_FAILED:
-                reason = SSL_R_NO_CIPHERS_AVAILABLE;
-                break;
-        case TLS13_ERR_TRAILING_DATA:
-                reason = SSL_R_EXTRA_DATA_IN_MESSAGE;
-                break;
-        case TLS13_ERR_NO_SHARED_CIPHER:
-                reason = SSL_R_NO_SHARED_CIPHER;
-                break;
-        }
-        /* Something (probably libcrypto) already pushed an error on the stack. */
-        if (reason == SSL_R_UNKNOWN && ERR_peek_error() != 0)
-                return;
-        ERR_put_error(ERR_LIB_SSL, (0xfff), reason, ctx->error.file,
-            ctx->error.line);
-}
-int
-tls13_legacy_return_code(SSL *ssl, ssize_t ret)
-{
-        if (ret > INT_MAX) {
-                SSLerror(ssl, ERR_R_INTERNAL_ERROR);
-                return -1;
-        }
-        /* A successful read, write or other operation. */
-        if (ret > 0)
-                return ret;
-        ssl->internal->rwstate = SSL_NOTHING;
-        switch (ret) {
-        case TLS13_IO_EOF:
-                return 0;
-        case TLS13_IO_FAILURE:
-                tls13_legacy_error(ssl);
-                return -1;
-        case TLS13_IO_ALERT:
-                tls13_legacy_error(ssl);
-                return -1;
-        case TLS13_IO_WANT_POLLIN:
-                BIO_set_retry_read(ssl->rbio);
-                ssl->internal->rwstate = SSL_READING;
-                return -1;
-        case TLS13_IO_WANT_POLLOUT:
-                BIO_set_retry_write(ssl->wbio);
-                ssl->internal->rwstate = SSL_WRITING;
-                return -1;
-        case TLS13_IO_WANT_RETRY:
-                SSLerror(ssl, ERR_R_INTERNAL_ERROR);
-                return -1;
-        }
-        SSLerror(ssl, ERR_R_INTERNAL_ERROR);
-        return -1;
-}
-int
-tls13_legacy_pending(const SSL *ssl)
-{
-        struct tls13_ctx *ctx = ssl->internal->tls13;
-        ssize_t ret;
-        if (ctx == NULL)
-                return 0;
-        ret = tls13_pending_application_data(ctx->rl);
-        if (ret < 0 || ret > INT_MAX)
-                return 0;
-        return ret;
-}
-int
-tls13_legacy_read_bytes(SSL *ssl, int type, unsigned char *buf, int len, int peek)
-{
-        struct tls13_ctx *ctx = ssl->internal->tls13;
-        ssize_t ret;
-        if (ctx == NULL || !ctx->handshake_completed) {
-                if ((ret = ssl->internal->handshake_func(ssl)) <= 0)
-                        return ret;
-                return tls13_legacy_return_code(ssl, TLS13_IO_WANT_POLLIN);
-        }
-        if (type != SSL3_RT_APPLICATION_DATA) {
-                SSLerror(ssl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
-                return -1;
-        }
-        if (len < 0) {
-                SSLerror(ssl, SSL_R_BAD_LENGTH); 
-                return -1;
-        }
-        if (peek)
-                ret = tls13_peek_application_data(ctx->rl, buf, len);
-        else
-                ret = tls13_read_application_data(ctx->rl, buf, len);
-        return tls13_legacy_return_code(ssl, ret);
-}
-int
-tls13_legacy_write_bytes(SSL *ssl, int type, const void *vbuf, int len)
-{
-        struct tls13_ctx *ctx = ssl->internal->tls13;
-        const uint8_t *buf = vbuf;
-        size_t n, sent;
-        ssize_t ret;
-        if (ctx == NULL || !ctx->handshake_completed) {
-                if ((ret = ssl->internal->handshake_func(ssl)) <= 0)
-                        return ret;
-                return tls13_legacy_return_code(ssl, TLS13_IO_WANT_POLLOUT);
-        }
-        if (type != SSL3_RT_APPLICATION_DATA) {
-                SSLerror(ssl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
-                return -1;
-        }
-        if (len < 0) {
-                SSLerror(ssl, SSL_R_BAD_LENGTH); 
-                return -1;
-        }
-        /*
-         * The TLSv1.3 record layer write behaviour is the same as
-         * SSL_MODE_ENABLE_PARTIAL_WRITE.
-         */
-        if (ssl->internal->mode & SSL_MODE_ENABLE_PARTIAL_WRITE) {
-                ret = tls13_write_application_data(ctx->rl, buf, len);
-                return tls13_legacy_return_code(ssl, ret);
-        }
-        /*
-         * In the non-SSL_MODE_ENABLE_PARTIAL_WRITE case we have to loop until
-         * we have written out all of the requested data.
-         */
-        sent = S3I(ssl)->wnum;
-        if (len < sent) {
-                SSLerror(ssl, SSL_R_BAD_LENGTH); 
-                return -1;
-        }
-        n = len - sent;
-        for (;;) {
-                if (n == 0) {
-                        S3I(ssl)->wnum = 0;
-                        return sent;
-                }
-                if ((ret = tls13_write_application_data(ctx->rl,
-                    &buf[sent], n)) <= 0) {
-                        S3I(ssl)->wnum = sent;
-                        return tls13_legacy_return_code(ssl, ret);
-                }
-                sent += ret;
-                n -= ret;
-        }
-}
-int
-tls13_legacy_shutdown(SSL *ssl)
-{
-        struct tls13_ctx *ctx = ssl->internal->tls13;
-        uint8_t buf[512]; /* XXX */
-        ssize_t ret;
-        /*
-         * We need to return 0 when we have sent a close-notify but have not
-         * yet received one. We return 1 only once we have sent and received
-         * close-notify alerts. All other cases return -1 and set internal
-         * state appropriately.
-         */
-        if (ctx == NULL || ssl->internal->quiet_shutdown) {
-                ssl->internal->shutdown = SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN;
-                return 1;
-        }
-        /* Send close notify. */
-        if (!ctx->close_notify_sent) {
-                ctx->close_notify_sent = 1;
-                if ((ret = tls13_send_alert(ctx->rl, SSL_AD_CLOSE_NOTIFY)) < 0)
-                        return tls13_legacy_return_code(ssl, ret);
-        }
-        /* Ensure close notify has been sent. */
-        if ((ret = tls13_record_layer_send_pending(ctx->rl)) != TLS13_IO_SUCCESS)
-                return tls13_legacy_return_code(ssl, ret);
-        /* Receive close notify. */
-        if (!ctx->close_notify_recv) {
-                /*
-                 * If there is still application data pending then we have no
-                 * option but to discard it here. The application should have
-                 * continued to call SSL_read() instead of SSL_shutdown().
-                 */
-                /* XXX - tls13_drain_application_data()? */
-                if ((ret = tls13_read_application_data(ctx->rl, buf, sizeof(buf))) > 0)
-                        ret = TLS13_IO_WANT_POLLIN;
-                if (ret != TLS13_IO_EOF)
-                        return tls13_legacy_return_code(ssl, ret);
-        }
-        if (ctx->close_notify_recv)
-                return 1;
-        return 0;
-}
 /*
 * Certificate Verify padding - RFC 8446 section 4.4.3.
 */
author	jsing <>	2020-02-15 14:40:38 +0000
committer	jsing <>	2020-02-15 14:40:38 +0000
commit	facbfa56f3358d503aff3e7bd6136e5589043c37 (patch)
tree	2df4db86b53ba15e614df804d9fd2d0131a7b683 /src/lib/libssl/tls13_lib.c
parent	d7e17944af879ef1407ee0a89ab05a1f52dc47b8 (diff)
download	openbsd-facbfa56f3358d503aff3e7bd6136e5589043c37.tar.gz openbsd-facbfa56f3358d503aff3e7bd6136e5589043c37.tar.bz2 openbsd-facbfa56f3358d503aff3e7bd6136e5589043c37.zip

diff --git a/src/lib/libssl/tls13_lib.c b/src/lib/libssl/tls13_lib.c index 92743ef4b3..bdf547c8d9 100644 --- a/src/lib/libssl/tls13_lib.c +++ b/src/lib/libssl/tls13_lib.c
@@ -1,4 +1,4 @@
1	/* $OpenBSD: tls13_lib.c,v 1.33 2020/02/05 06:12:43 tb Exp $ */	1	/* $OpenBSD: tls13_lib.c,v 1.34 2020/02/15 14:40:38 jsing Exp $ */
2	/*	2	/*
3	* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>	3	* Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4	* Copyright (c) 2019 Bob Beck <beck@openbsd.org>	4	* Copyright (c) 2019 Bob Beck <beck@openbsd.org>
@@ -16,7 +16,6 @@
16	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.	16	* OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17	*/	17	*/
18		18
19	#include <limits.h>
20	#include <stddef.h>	19	#include <stddef.h>
21		20
22	#include <openssl/evp.h>	21	#include <openssl/evp.h>
@@ -24,11 +23,6 @@
24	#include "ssl_locl.h"	23	#include "ssl_locl.h"
25	#include "tls13_internal.h"	24	#include "tls13_internal.h"
26		25
27	SSL3_ENC_METHOD TLSv1_3_enc_data = {
28	.enc = NULL,
29	.enc_flags = SSL_ENC_FLAG_SIGALGS\|SSL_ENC_FLAG_TLS1_3_CIPHERS,
30	};
31
32	/*	26	/*
33	* RFC 8446 section 4.1.3, magic values which must be set by the	27	* RFC 8446 section 4.1.3, magic values which must be set by the
34	* server in server random if it is willing to downgrade but supports	28	* server in server random if it is willing to downgrade but supports
@@ -317,307 +311,6 @@ tls13_ctx_free(struct tls13_ctx *ctx)
317	freezero(ctx, sizeof(struct tls13_ctx));	311	freezero(ctx, sizeof(struct tls13_ctx));
318	}	312	}
319		313
320	static ssize_t
321	tls13_legacy_wire_read(SSL ssl, uint8_t buf, size_t len)
322	{
323	int n;
324
325	if (ssl->rbio == NULL) {
326	SSLerror(ssl, SSL_R_BIO_NOT_SET);
327	return TLS13_IO_FAILURE;
328	}
329
330	ssl->internal->rwstate = SSL_READING;
331
332	if ((n = BIO_read(ssl->rbio, buf, len)) <= 0) {
333	if (BIO_should_read(ssl->rbio))
334	return TLS13_IO_WANT_POLLIN;
335	if (BIO_should_write(ssl->rbio))
336	return TLS13_IO_WANT_POLLOUT;
337	if (n == 0)
338	return TLS13_IO_EOF;
339
340	return TLS13_IO_FAILURE;
341	}
342
343	if (n == len)
344	ssl->internal->rwstate = SSL_NOTHING;
345
346	return n;
347	}
348
349	ssize_t
350	tls13_legacy_wire_read_cb(void buf, size_t n, void arg)
351	{
352	struct tls13_ctx *ctx = arg;
353
354	return tls13_legacy_wire_read(ctx->ssl, buf, n);
355	}
356
357	static ssize_t
358	tls13_legacy_wire_write(SSL ssl, const uint8_t buf, size_t len)
359	{
360	int n;
361
362	if (ssl->wbio == NULL) {
363	SSLerror(ssl, SSL_R_BIO_NOT_SET);
364	return TLS13_IO_FAILURE;
365	}
366
367	ssl->internal->rwstate = SSL_WRITING;
368
369	if ((n = BIO_write(ssl->wbio, buf, len)) <= 0) {
370	if (BIO_should_read(ssl->wbio))
371	return TLS13_IO_WANT_POLLIN;
372	if (BIO_should_write(ssl->wbio))
373	return TLS13_IO_WANT_POLLOUT;
374
375	return TLS13_IO_FAILURE;
376	}
377
378	if (n == len)
379	ssl->internal->rwstate = SSL_NOTHING;
380
381	return n;
382	}
383
384	ssize_t
385	tls13_legacy_wire_write_cb(const void buf, size_t n, void arg)
386	{
387	struct tls13_ctx *ctx = arg;
388
389	return tls13_legacy_wire_write(ctx->ssl, buf, n);
390	}
391
392	static void
393	tls13_legacy_error(SSL *ssl)
394	{
395	struct tls13_ctx *ctx = ssl->internal->tls13;
396	int reason = SSL_R_UNKNOWN;
397
398	/* If we received a fatal alert we already put an error on the stack. */
399	if (S3I(ssl)->fatal_alert != 0)
400	return;
401
402	switch (ctx->error.code) {
403	case TLS13_ERR_VERIFY_FAILED:
404	reason = SSL_R_CERTIFICATE_VERIFY_FAILED;
405	break;
406	case TLS13_ERR_HRR_FAILED:
407	reason = SSL_R_NO_CIPHERS_AVAILABLE;
408	break;
409	case TLS13_ERR_TRAILING_DATA:
410	reason = SSL_R_EXTRA_DATA_IN_MESSAGE;
411	break;
412	case TLS13_ERR_NO_SHARED_CIPHER:
413	reason = SSL_R_NO_SHARED_CIPHER;
414	break;
415	}
416
417	/* Something (probably libcrypto) already pushed an error on the stack. */
418	if (reason == SSL_R_UNKNOWN && ERR_peek_error() != 0)
419	return;
420
421	ERR_put_error(ERR_LIB_SSL, (0xfff), reason, ctx->error.file,
422	ctx->error.line);
423	}
424
425	int
426	tls13_legacy_return_code(SSL *ssl, ssize_t ret)
427	{
428	if (ret > INT_MAX) {
429	SSLerror(ssl, ERR_R_INTERNAL_ERROR);
430	return -1;
431	}
432
433	/* A successful read, write or other operation. */
434	if (ret > 0)
435	return ret;
436
437	ssl->internal->rwstate = SSL_NOTHING;
438
439	switch (ret) {
440	case TLS13_IO_EOF:
441	return 0;
442
443	case TLS13_IO_FAILURE:
444	tls13_legacy_error(ssl);
445	return -1;
446
447	case TLS13_IO_ALERT:
448	tls13_legacy_error(ssl);
449	return -1;
450
451	case TLS13_IO_WANT_POLLIN:
452	BIO_set_retry_read(ssl->rbio);
453	ssl->internal->rwstate = SSL_READING;
454	return -1;
455
456	case TLS13_IO_WANT_POLLOUT:
457	BIO_set_retry_write(ssl->wbio);
458	ssl->internal->rwstate = SSL_WRITING;
459	return -1;
460
461	case TLS13_IO_WANT_RETRY:
462	SSLerror(ssl, ERR_R_INTERNAL_ERROR);
463	return -1;
464	}
465
466	SSLerror(ssl, ERR_R_INTERNAL_ERROR);
467	return -1;
468	}
469
470	int
471	tls13_legacy_pending(const SSL *ssl)
472	{
473	struct tls13_ctx *ctx = ssl->internal->tls13;
474	ssize_t ret;
475
476	if (ctx == NULL)
477	return 0;
478
479	ret = tls13_pending_application_data(ctx->rl);
480	if (ret < 0 \|\| ret > INT_MAX)
481	return 0;
482
483	return ret;
484	}
485
486	int
487	tls13_legacy_read_bytes(SSL ssl, int type, unsigned char buf, int len, int peek)
488	{
489	struct tls13_ctx *ctx = ssl->internal->tls13;
490	ssize_t ret;
491
492	if (ctx == NULL \|\| !ctx->handshake_completed) {
493	if ((ret = ssl->internal->handshake_func(ssl)) <= 0)
494	return ret;
495	return tls13_legacy_return_code(ssl, TLS13_IO_WANT_POLLIN);
496	}
497
498	if (type != SSL3_RT_APPLICATION_DATA) {
499	SSLerror(ssl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
500	return -1;
501	}
502	if (len < 0) {
503	SSLerror(ssl, SSL_R_BAD_LENGTH);
504	return -1;
505	}
506
507	if (peek)
508	ret = tls13_peek_application_data(ctx->rl, buf, len);
509	else
510	ret = tls13_read_application_data(ctx->rl, buf, len);
511
512	return tls13_legacy_return_code(ssl, ret);
513	}
514
515	int
516	tls13_legacy_write_bytes(SSL ssl, int type, const void vbuf, int len)
517	{
518	struct tls13_ctx *ctx = ssl->internal->tls13;
519	const uint8_t *buf = vbuf;
520	size_t n, sent;
521	ssize_t ret;
522
523	if (ctx == NULL \|\| !ctx->handshake_completed) {
524	if ((ret = ssl->internal->handshake_func(ssl)) <= 0)
525	return ret;
526	return tls13_legacy_return_code(ssl, TLS13_IO_WANT_POLLOUT);
527	}
528
529	if (type != SSL3_RT_APPLICATION_DATA) {
530	SSLerror(ssl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
531	return -1;
532	}
533	if (len < 0) {
534	SSLerror(ssl, SSL_R_BAD_LENGTH);
535	return -1;
536	}
537
538	/*
539	* The TLSv1.3 record layer write behaviour is the same as
540	* SSL_MODE_ENABLE_PARTIAL_WRITE.
541	*/
542	if (ssl->internal->mode & SSL_MODE_ENABLE_PARTIAL_WRITE) {
543	ret = tls13_write_application_data(ctx->rl, buf, len);
544	return tls13_legacy_return_code(ssl, ret);
545	}
546
547	/*
548	* In the non-SSL_MODE_ENABLE_PARTIAL_WRITE case we have to loop until
549	* we have written out all of the requested data.
550	*/
551	sent = S3I(ssl)->wnum;
552	if (len < sent) {
553	SSLerror(ssl, SSL_R_BAD_LENGTH);
554	return -1;
555	}
556	n = len - sent;
557	for (;;) {
558	if (n == 0) {
559	S3I(ssl)->wnum = 0;
560	return sent;
561	}
562	if ((ret = tls13_write_application_data(ctx->rl,
563	&buf[sent], n)) <= 0) {
564	S3I(ssl)->wnum = sent;
565	return tls13_legacy_return_code(ssl, ret);
566	}
567	sent += ret;
568	n -= ret;
569	}
570	}
571
572	int
573	tls13_legacy_shutdown(SSL *ssl)
574	{
575	struct tls13_ctx *ctx = ssl->internal->tls13;
576	uint8_t buf[512]; /* XXX */
577	ssize_t ret;
578
579	/*
580	* We need to return 0 when we have sent a close-notify but have not
581	* yet received one. We return 1 only once we have sent and received
582	* close-notify alerts. All other cases return -1 and set internal
583	* state appropriately.
584	*/
585	if (ctx == NULL \|\| ssl->internal->quiet_shutdown) {
586	ssl->internal->shutdown = SSL_SENT_SHUTDOWN \| SSL_RECEIVED_SHUTDOWN;
587	return 1;
588	}
589
590	/* Send close notify. */
591	if (!ctx->close_notify_sent) {
592	ctx->close_notify_sent = 1;
593	if ((ret = tls13_send_alert(ctx->rl, SSL_AD_CLOSE_NOTIFY)) < 0)
594	return tls13_legacy_return_code(ssl, ret);
595	}
596
597	/* Ensure close notify has been sent. */
598	if ((ret = tls13_record_layer_send_pending(ctx->rl)) != TLS13_IO_SUCCESS)
599	return tls13_legacy_return_code(ssl, ret);
600
601	/* Receive close notify. */
602	if (!ctx->close_notify_recv) {
603	/*
604	* If there is still application data pending then we have no
605	* option but to discard it here. The application should have
606	* continued to call SSL_read() instead of SSL_shutdown().
607	*/
608	/* XXX - tls13_drain_application_data()? */
609	if ((ret = tls13_read_application_data(ctx->rl, buf, sizeof(buf))) > 0)
610	ret = TLS13_IO_WANT_POLLIN;
611	if (ret != TLS13_IO_EOF)
612	return tls13_legacy_return_code(ssl, ret);
613	}
614
615	if (ctx->close_notify_recv)
616	return 1;
617
618	return 0;
619	}
620
621	/*	314	/*
622	* Certificate Verify padding - RFC 8446 section 4.4.3.	315	* Certificate Verify padding - RFC 8446 section 4.4.3.
623	*/	316	*/