Ensure that a client context has been connected before attempting to

complete a TLS handshake.

2 files changed, 12 insertions, 4 deletions

diff --git a/src/lib/libtls/tls_client.c b/src/lib/libtls/tls_client.c
index 0e519684ef..b92490f25d 100644
--- a/src/lib/libtls/tls_client.c
+++ b/src/lib/libtls/tls_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_client.c,v 1.41 2017/04/10 17:11:13 jsing Exp $ */
+/* $OpenBSD: tls_client.c,v 1.42 2017/05/07 03:27:06 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -230,6 +230,8 @@ tls_connect_common(struct tls *ctx, const char *servername)
                         goto err;
                 }
         }
+
+        ctx->state |= TLS_CONNECTED;
         rv = 0;
 
  err:
@@ -297,6 +299,11 @@ tls_handshake_client(struct tls *ctx)
                 goto err;
         }
 
+        if ((ctx->state & TLS_CONNECTED) == 0) {
+                tls_set_errorx(ctx, "context not connected");
+                goto err;
+        }
+
         ctx->state |= TLS_SSL_NEEDS_SHUTDOWN;
 
         ERR_clear_error();
diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h
index ba007a6714..2b451697dc 100644
--- a/src/lib/libtls/tls_internal.h
+++ b/src/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.59 2017/05/06 20:59:28 jsing Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.60 2017/05/07 03:27:06 jsing Exp $ */
 /*
  * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -124,8 +124,9 @@ struct tls_conninfo {
 #define TLS_SERVER_CONN         (1 << 2)
 
 #define TLS_EOF_NO_CLOSE_NOTIFY (1 << 0)
-#define TLS_HANDSHAKE_COMPLETE  (1 << 1)
-#define TLS_SSL_NEEDS_SHUTDOWN  (1 << 2)
+#define TLS_CONNECTED           (1 << 1)
+#define TLS_HANDSHAKE_COMPLETE  (1 << 2)
+#define TLS_SSL_NEEDS_SHUTDOWN  (1 << 3)
 
 struct tls_ocsp_result {
         const char *result_msg;