Expose EOF without close-notify via tls_close().

Make tls_read(3)/tls_write(3) follow read(2)/write(2) like semantics and return 0 on EOF with and without close-notify. However, if we saw an EOF from the underlying file descriptors without getting a close-notify, save this and make it visible when tls_close(3) is called. This keeps the semantics we want, but makes it possible to detect truncation at higher layers, if necessary. ok beck@ guenther@
author: jsing <> 2015-09-14 12:29:16 +0000
committer: jsing <> 2015-09-14 12:29:16 +0000
commit: f861bb3b4f20cad63c964522d211fc74d292c839 (patch)
tree: d9e7087f85cb2eecaf2b0f3bb3c3af52e7665111 /src/lib
parent: 810729815324406169b00f976dceaf34caefadc0 (diff)
download: openbsd-f861bb3b4f20cad63c964522d211fc74d292c839.tar.gz
openbsd-f861bb3b4f20cad63c964522d211fc74d292c839.tar.bz2
openbsd-f861bb3b4f20cad63c964522d211fc74d292c839.zip
2 files changed, 14 insertions, 6 deletions
diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c
index cb2833cb54..236ed9185b 100644
--- a/src/lib/libtls/tls.c
+++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.30 2015/09/14 12:20:40 jsing Exp $ */
+/* $OpenBSD: tls.c,v 1.31 2015/09/14 12:29:16 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
 *
@@ -352,7 +352,8 @@ tls_ssl_error(struct tls *ctx, SSL *ssl_conn, int ssl_ret, const char *prefix)
                if ((err = ERR_peek_error()) != 0) {
                        errstr = ERR_error_string(err, NULL);
                } else if (ssl_ret == 0) {
-                        errstr = "EOF";
+                        ctx->state |= TLS_EOF_NO_CLOSE_NOTIFY;
+                        return (0);
                } else if (ssl_ret == -1) {
                        errstr = strerror(errno);
                }
@@ -421,7 +422,7 @@ tls_read(struct tls *ctx, void *buf, size_t buflen)
        }
        ERR_clear_error();
-        if ((ssl_ret = SSL_read(ctx->ssl_conn, buf, buflen)) >= 0) {
+        if ((ssl_ret = SSL_read(ctx->ssl_conn, buf, buflen)) > 0) {
                rv = (ssize_t)ssl_ret;
                goto out;
        }
@@ -450,7 +451,7 @@ tls_write(struct tls *ctx, const void *buf, size_t buflen)
        }
        ERR_clear_error();
-        if ((ssl_ret = SSL_write(ctx->ssl_conn, buf, buflen)) >= 0) {
+        if ((ssl_ret = SSL_write(ctx->ssl_conn, buf, buflen)) > 0) {
                rv = (ssize_t)ssl_ret;
                goto out;
        }
@@ -501,6 +502,12 @@ tls_close(struct tls *ctx)
                }
                ctx->socket = -1;
        }
+        if ((ctx->state & TLS_EOF_NO_CLOSE_NOTIFY) != 0) {
+                tls_set_errorx(ctx, "EOF without close notify");
+                rv = -1;
+        }
 out:
        /* Prevent callers from performing incorrect error handling */
        errno = 0;
diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h
index d7878a75e3..320f1fbfaa 100644
--- a/src/lib/libtls/tls_internal.h
+++ b/src/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.22 2015/09/13 10:32:46 beck Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.23 2015/09/14 12:29:16 jsing Exp $ */
 /*
 * Copyright (c) 2014 Jeremie Courreges-Anglas <jca@openbsd.org>
 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
@@ -62,7 +62,8 @@ struct tls_conninfo {
 #define TLS_SERVER              (1 << 1)
 #define TLS_SERVER_CONN         (1 << 2)
-#define TLS_HANDSHAKE_COMPLETE  (1 << 0)
+#define TLS_EOF_NO_CLOSE_NOTIFY (1 << 0)
+#define TLS_HANDSHAKE_COMPLETE  (1 << 1)
 struct tls {
        struct tls_config *config;
author	jsing <>	2015-09-14 12:29:16 +0000
committer	jsing <>	2015-09-14 12:29:16 +0000
commit	f861bb3b4f20cad63c964522d211fc74d292c839 (patch)
tree	d9e7087f85cb2eecaf2b0f3bb3c3af52e7665111 /src/lib
parent	810729815324406169b00f976dceaf34caefadc0 (diff)
download	openbsd-f861bb3b4f20cad63c964522d211fc74d292c839.tar.gz openbsd-f861bb3b4f20cad63c964522d211fc74d292c839.tar.bz2 openbsd-f861bb3b4f20cad63c964522d211fc74d292c839.zip