Use a flag to track when we need to call SSL_shutdown(). This avoids an

issue where by calling tls_close() on a TLS context that has not attempted
a handshake, results in an unexpected failure.

Reported by Vinay Sajip.

ok beck@

1 files changed, 3 insertions, 2 deletions

diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c
index c028d19539..9b03c2b6f0 100644
--- a/src/lib/libtls/tls.c
+++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.58 2017/01/22 08:27:50 claudio Exp $ */
+/* $OpenBSD: tls.c,v 1.59 2017/01/26 12:56:37 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -649,7 +649,7 @@ tls_close(struct tls *ctx)
                 goto out;
         }
 
-        if (ctx->ssl_conn != NULL) {
+        if (ctx->state & TLS_SSL_NEEDS_SHUTDOWN) {
                 ERR_clear_error();
                 ssl_ret = SSL_shutdown(ctx->ssl_conn);
                 if (ssl_ret < 0) {
@@ -658,6 +658,7 @@ tls_close(struct tls *ctx)
                         if (rv == TLS_WANT_POLLIN || rv == TLS_WANT_POLLOUT)
                                 goto out;
                 }
+                ctx->state &= ~TLS_SSL_NEEDS_SHUTDOWN;
         }
 
         if (ctx->socket != -1) {