summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to '')
-rw-r--r--src/lib/libssl/Makefile3
-rw-r--r--src/lib/libssl/tls13_legacy.c327
-rw-r--r--src/lib/libssl/tls13_lib.c309
3 files changed, 330 insertions, 309 deletions
diff --git a/src/lib/libssl/Makefile b/src/lib/libssl/Makefile
index afbd6d148e..22209d574b 100644
--- a/src/lib/libssl/Makefile
+++ b/src/lib/libssl/Makefile
@@ -1,4 +1,4 @@
1# $OpenBSD: Makefile,v 1.62 2020/01/30 17:09:23 jsing Exp $ 1# $OpenBSD: Makefile,v 1.63 2020/02/15 14:40:38 jsing Exp $
2 2
3.include <bsd.own.mk> 3.include <bsd.own.mk>
4.ifndef NOMAN 4.ifndef NOMAN
@@ -74,6 +74,7 @@ SRCS= \
74 tls13_handshake_msg.c \ 74 tls13_handshake_msg.c \
75 tls13_key_schedule.c \ 75 tls13_key_schedule.c \
76 tls13_key_share.c \ 76 tls13_key_share.c \
77 tls13_legacy.c \
77 tls13_lib.c \ 78 tls13_lib.c \
78 tls13_record.c \ 79 tls13_record.c \
79 tls13_record_layer.c \ 80 tls13_record_layer.c \
diff --git a/src/lib/libssl/tls13_legacy.c b/src/lib/libssl/tls13_legacy.c
new file mode 100644
index 0000000000..642374af92
--- /dev/null
+++ b/src/lib/libssl/tls13_legacy.c
@@ -0,0 +1,327 @@
1/* $OpenBSD: tls13_legacy.c,v 1.1 2020/02/15 14:40:38 jsing Exp $ */
2/*
3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18#include <limits.h>
19
20#include "ssl_locl.h"
21#include "tls13_internal.h"
22
23SSL3_ENC_METHOD TLSv1_3_enc_data = {
24 .enc = NULL,
25 .enc_flags = SSL_ENC_FLAG_SIGALGS|SSL_ENC_FLAG_TLS1_3_CIPHERS,
26};
27
28static ssize_t
29tls13_legacy_wire_read(SSL *ssl, uint8_t *buf, size_t len)
30{
31 int n;
32
33 if (ssl->rbio == NULL) {
34 SSLerror(ssl, SSL_R_BIO_NOT_SET);
35 return TLS13_IO_FAILURE;
36 }
37
38 ssl->internal->rwstate = SSL_READING;
39
40 if ((n = BIO_read(ssl->rbio, buf, len)) <= 0) {
41 if (BIO_should_read(ssl->rbio))
42 return TLS13_IO_WANT_POLLIN;
43 if (BIO_should_write(ssl->rbio))
44 return TLS13_IO_WANT_POLLOUT;
45 if (n == 0)
46 return TLS13_IO_EOF;
47
48 return TLS13_IO_FAILURE;
49 }
50
51 if (n == len)
52 ssl->internal->rwstate = SSL_NOTHING;
53
54 return n;
55}
56
57ssize_t
58tls13_legacy_wire_read_cb(void *buf, size_t n, void *arg)
59{
60 struct tls13_ctx *ctx = arg;
61
62 return tls13_legacy_wire_read(ctx->ssl, buf, n);
63}
64
65static ssize_t
66tls13_legacy_wire_write(SSL *ssl, const uint8_t *buf, size_t len)
67{
68 int n;
69
70 if (ssl->wbio == NULL) {
71 SSLerror(ssl, SSL_R_BIO_NOT_SET);
72 return TLS13_IO_FAILURE;
73 }
74
75 ssl->internal->rwstate = SSL_WRITING;
76
77 if ((n = BIO_write(ssl->wbio, buf, len)) <= 0) {
78 if (BIO_should_read(ssl->wbio))
79 return TLS13_IO_WANT_POLLIN;
80 if (BIO_should_write(ssl->wbio))
81 return TLS13_IO_WANT_POLLOUT;
82
83 return TLS13_IO_FAILURE;
84 }
85
86 if (n == len)
87 ssl->internal->rwstate = SSL_NOTHING;
88
89 return n;
90}
91
92ssize_t
93tls13_legacy_wire_write_cb(const void *buf, size_t n, void *arg)
94{
95 struct tls13_ctx *ctx = arg;
96
97 return tls13_legacy_wire_write(ctx->ssl, buf, n);
98}
99
100static void
101tls13_legacy_error(SSL *ssl)
102{
103 struct tls13_ctx *ctx = ssl->internal->tls13;
104 int reason = SSL_R_UNKNOWN;
105
106 /* If we received a fatal alert we already put an error on the stack. */
107 if (S3I(ssl)->fatal_alert != 0)
108 return;
109
110 switch (ctx->error.code) {
111 case TLS13_ERR_VERIFY_FAILED:
112 reason = SSL_R_CERTIFICATE_VERIFY_FAILED;
113 break;
114 case TLS13_ERR_HRR_FAILED:
115 reason = SSL_R_NO_CIPHERS_AVAILABLE;
116 break;
117 case TLS13_ERR_TRAILING_DATA:
118 reason = SSL_R_EXTRA_DATA_IN_MESSAGE;
119 break;
120 case TLS13_ERR_NO_SHARED_CIPHER:
121 reason = SSL_R_NO_SHARED_CIPHER;
122 break;
123 }
124
125 /* Something (probably libcrypto) already pushed an error on the stack. */
126 if (reason == SSL_R_UNKNOWN && ERR_peek_error() != 0)
127 return;
128
129 ERR_put_error(ERR_LIB_SSL, (0xfff), reason, ctx->error.file,
130 ctx->error.line);
131}
132
133int
134tls13_legacy_return_code(SSL *ssl, ssize_t ret)
135{
136 if (ret > INT_MAX) {
137 SSLerror(ssl, ERR_R_INTERNAL_ERROR);
138 return -1;
139 }
140
141 /* A successful read, write or other operation. */
142 if (ret > 0)
143 return ret;
144
145 ssl->internal->rwstate = SSL_NOTHING;
146
147 switch (ret) {
148 case TLS13_IO_EOF:
149 return 0;
150
151 case TLS13_IO_FAILURE:
152 tls13_legacy_error(ssl);
153 return -1;
154
155 case TLS13_IO_ALERT:
156 tls13_legacy_error(ssl);
157 return -1;
158
159 case TLS13_IO_WANT_POLLIN:
160 BIO_set_retry_read(ssl->rbio);
161 ssl->internal->rwstate = SSL_READING;
162 return -1;
163
164 case TLS13_IO_WANT_POLLOUT:
165 BIO_set_retry_write(ssl->wbio);
166 ssl->internal->rwstate = SSL_WRITING;
167 return -1;
168
169 case TLS13_IO_WANT_RETRY:
170 SSLerror(ssl, ERR_R_INTERNAL_ERROR);
171 return -1;
172 }
173
174 SSLerror(ssl, ERR_R_INTERNAL_ERROR);
175 return -1;
176}
177
178int
179tls13_legacy_pending(const SSL *ssl)
180{
181 struct tls13_ctx *ctx = ssl->internal->tls13;
182 ssize_t ret;
183
184 if (ctx == NULL)
185 return 0;
186
187 ret = tls13_pending_application_data(ctx->rl);
188 if (ret < 0 || ret > INT_MAX)
189 return 0;
190
191 return ret;
192}
193
194int
195tls13_legacy_read_bytes(SSL *ssl, int type, unsigned char *buf, int len, int peek)
196{
197 struct tls13_ctx *ctx = ssl->internal->tls13;
198 ssize_t ret;
199
200 if (ctx == NULL || !ctx->handshake_completed) {
201 if ((ret = ssl->internal->handshake_func(ssl)) <= 0)
202 return ret;
203 return tls13_legacy_return_code(ssl, TLS13_IO_WANT_POLLIN);
204 }
205
206 if (type != SSL3_RT_APPLICATION_DATA) {
207 SSLerror(ssl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
208 return -1;
209 }
210 if (len < 0) {
211 SSLerror(ssl, SSL_R_BAD_LENGTH);
212 return -1;
213 }
214
215 if (peek)
216 ret = tls13_peek_application_data(ctx->rl, buf, len);
217 else
218 ret = tls13_read_application_data(ctx->rl, buf, len);
219
220 return tls13_legacy_return_code(ssl, ret);
221}
222
223int
224tls13_legacy_write_bytes(SSL *ssl, int type, const void *vbuf, int len)
225{
226 struct tls13_ctx *ctx = ssl->internal->tls13;
227 const uint8_t *buf = vbuf;
228 size_t n, sent;
229 ssize_t ret;
230
231 if (ctx == NULL || !ctx->handshake_completed) {
232 if ((ret = ssl->internal->handshake_func(ssl)) <= 0)
233 return ret;
234 return tls13_legacy_return_code(ssl, TLS13_IO_WANT_POLLOUT);
235 }
236
237 if (type != SSL3_RT_APPLICATION_DATA) {
238 SSLerror(ssl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
239 return -1;
240 }
241 if (len < 0) {
242 SSLerror(ssl, SSL_R_BAD_LENGTH);
243 return -1;
244 }
245
246 /*
247 * The TLSv1.3 record layer write behaviour is the same as
248 * SSL_MODE_ENABLE_PARTIAL_WRITE.
249 */
250 if (ssl->internal->mode & SSL_MODE_ENABLE_PARTIAL_WRITE) {
251 ret = tls13_write_application_data(ctx->rl, buf, len);
252 return tls13_legacy_return_code(ssl, ret);
253 }
254
255 /*
256 * In the non-SSL_MODE_ENABLE_PARTIAL_WRITE case we have to loop until
257 * we have written out all of the requested data.
258 */
259 sent = S3I(ssl)->wnum;
260 if (len < sent) {
261 SSLerror(ssl, SSL_R_BAD_LENGTH);
262 return -1;
263 }
264 n = len - sent;
265 for (;;) {
266 if (n == 0) {
267 S3I(ssl)->wnum = 0;
268 return sent;
269 }
270 if ((ret = tls13_write_application_data(ctx->rl,
271 &buf[sent], n)) <= 0) {
272 S3I(ssl)->wnum = sent;
273 return tls13_legacy_return_code(ssl, ret);
274 }
275 sent += ret;
276 n -= ret;
277 }
278}
279
280int
281tls13_legacy_shutdown(SSL *ssl)
282{
283 struct tls13_ctx *ctx = ssl->internal->tls13;
284 uint8_t buf[512]; /* XXX */
285 ssize_t ret;
286
287 /*
288 * We need to return 0 when we have sent a close-notify but have not
289 * yet received one. We return 1 only once we have sent and received
290 * close-notify alerts. All other cases return -1 and set internal
291 * state appropriately.
292 */
293 if (ctx == NULL || ssl->internal->quiet_shutdown) {
294 ssl->internal->shutdown = SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN;
295 return 1;
296 }
297
298 /* Send close notify. */
299 if (!ctx->close_notify_sent) {
300 ctx->close_notify_sent = 1;
301 if ((ret = tls13_send_alert(ctx->rl, SSL_AD_CLOSE_NOTIFY)) < 0)
302 return tls13_legacy_return_code(ssl, ret);
303 }
304
305 /* Ensure close notify has been sent. */
306 if ((ret = tls13_record_layer_send_pending(ctx->rl)) != TLS13_IO_SUCCESS)
307 return tls13_legacy_return_code(ssl, ret);
308
309 /* Receive close notify. */
310 if (!ctx->close_notify_recv) {
311 /*
312 * If there is still application data pending then we have no
313 * option but to discard it here. The application should have
314 * continued to call SSL_read() instead of SSL_shutdown().
315 */
316 /* XXX - tls13_drain_application_data()? */
317 if ((ret = tls13_read_application_data(ctx->rl, buf, sizeof(buf))) > 0)
318 ret = TLS13_IO_WANT_POLLIN;
319 if (ret != TLS13_IO_EOF)
320 return tls13_legacy_return_code(ssl, ret);
321 }
322
323 if (ctx->close_notify_recv)
324 return 1;
325
326 return 0;
327}
diff --git a/src/lib/libssl/tls13_lib.c b/src/lib/libssl/tls13_lib.c
index 92743ef4b3..bdf547c8d9 100644
--- a/src/lib/libssl/tls13_lib.c
+++ b/src/lib/libssl/tls13_lib.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls13_lib.c,v 1.33 2020/02/05 06:12:43 tb Exp $ */ 1/* $OpenBSD: tls13_lib.c,v 1.34 2020/02/15 14:40:38 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4 * Copyright (c) 2019 Bob Beck <beck@openbsd.org> 4 * Copyright (c) 2019 Bob Beck <beck@openbsd.org>
@@ -16,7 +16,6 @@
16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. 16 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
17 */ 17 */
18 18
19#include <limits.h>
20#include <stddef.h> 19#include <stddef.h>
21 20
22#include <openssl/evp.h> 21#include <openssl/evp.h>
@@ -24,11 +23,6 @@
24#include "ssl_locl.h" 23#include "ssl_locl.h"
25#include "tls13_internal.h" 24#include "tls13_internal.h"
26 25
27SSL3_ENC_METHOD TLSv1_3_enc_data = {
28 .enc = NULL,
29 .enc_flags = SSL_ENC_FLAG_SIGALGS|SSL_ENC_FLAG_TLS1_3_CIPHERS,
30};
31
32/* 26/*
33 * RFC 8446 section 4.1.3, magic values which must be set by the 27 * RFC 8446 section 4.1.3, magic values which must be set by the
34 * server in server random if it is willing to downgrade but supports 28 * server in server random if it is willing to downgrade but supports
@@ -317,307 +311,6 @@ tls13_ctx_free(struct tls13_ctx *ctx)
317 freezero(ctx, sizeof(struct tls13_ctx)); 311 freezero(ctx, sizeof(struct tls13_ctx));
318} 312}
319 313
320static ssize_t
321tls13_legacy_wire_read(SSL *ssl, uint8_t *buf, size_t len)
322{
323 int n;
324
325 if (ssl->rbio == NULL) {
326 SSLerror(ssl, SSL_R_BIO_NOT_SET);
327 return TLS13_IO_FAILURE;
328 }
329
330 ssl->internal->rwstate = SSL_READING;
331
332 if ((n = BIO_read(ssl->rbio, buf, len)) <= 0) {
333 if (BIO_should_read(ssl->rbio))
334 return TLS13_IO_WANT_POLLIN;
335 if (BIO_should_write(ssl->rbio))
336 return TLS13_IO_WANT_POLLOUT;
337 if (n == 0)
338 return TLS13_IO_EOF;
339
340 return TLS13_IO_FAILURE;
341 }
342
343 if (n == len)
344 ssl->internal->rwstate = SSL_NOTHING;
345
346 return n;
347}
348
349ssize_t
350tls13_legacy_wire_read_cb(void *buf, size_t n, void *arg)
351{
352 struct tls13_ctx *ctx = arg;
353
354 return tls13_legacy_wire_read(ctx->ssl, buf, n);
355}
356
357static ssize_t
358tls13_legacy_wire_write(SSL *ssl, const uint8_t *buf, size_t len)
359{
360 int n;
361
362 if (ssl->wbio == NULL) {
363 SSLerror(ssl, SSL_R_BIO_NOT_SET);
364 return TLS13_IO_FAILURE;
365 }
366
367 ssl->internal->rwstate = SSL_WRITING;
368
369 if ((n = BIO_write(ssl->wbio, buf, len)) <= 0) {
370 if (BIO_should_read(ssl->wbio))
371 return TLS13_IO_WANT_POLLIN;
372 if (BIO_should_write(ssl->wbio))
373 return TLS13_IO_WANT_POLLOUT;
374
375 return TLS13_IO_FAILURE;
376 }
377
378 if (n == len)
379 ssl->internal->rwstate = SSL_NOTHING;
380
381 return n;
382}
383
384ssize_t
385tls13_legacy_wire_write_cb(const void *buf, size_t n, void *arg)
386{
387 struct tls13_ctx *ctx = arg;
388
389 return tls13_legacy_wire_write(ctx->ssl, buf, n);
390}
391
392static void
393tls13_legacy_error(SSL *ssl)
394{
395 struct tls13_ctx *ctx = ssl->internal->tls13;
396 int reason = SSL_R_UNKNOWN;
397
398 /* If we received a fatal alert we already put an error on the stack. */
399 if (S3I(ssl)->fatal_alert != 0)
400 return;
401
402 switch (ctx->error.code) {
403 case TLS13_ERR_VERIFY_FAILED:
404 reason = SSL_R_CERTIFICATE_VERIFY_FAILED;
405 break;
406 case TLS13_ERR_HRR_FAILED:
407 reason = SSL_R_NO_CIPHERS_AVAILABLE;
408 break;
409 case TLS13_ERR_TRAILING_DATA:
410 reason = SSL_R_EXTRA_DATA_IN_MESSAGE;
411 break;
412 case TLS13_ERR_NO_SHARED_CIPHER:
413 reason = SSL_R_NO_SHARED_CIPHER;
414 break;
415 }
416
417 /* Something (probably libcrypto) already pushed an error on the stack. */
418 if (reason == SSL_R_UNKNOWN && ERR_peek_error() != 0)
419 return;
420
421 ERR_put_error(ERR_LIB_SSL, (0xfff), reason, ctx->error.file,
422 ctx->error.line);
423}
424
425int
426tls13_legacy_return_code(SSL *ssl, ssize_t ret)
427{
428 if (ret > INT_MAX) {
429 SSLerror(ssl, ERR_R_INTERNAL_ERROR);
430 return -1;
431 }
432
433 /* A successful read, write or other operation. */
434 if (ret > 0)
435 return ret;
436
437 ssl->internal->rwstate = SSL_NOTHING;
438
439 switch (ret) {
440 case TLS13_IO_EOF:
441 return 0;
442
443 case TLS13_IO_FAILURE:
444 tls13_legacy_error(ssl);
445 return -1;
446
447 case TLS13_IO_ALERT:
448 tls13_legacy_error(ssl);
449 return -1;
450
451 case TLS13_IO_WANT_POLLIN:
452 BIO_set_retry_read(ssl->rbio);
453 ssl->internal->rwstate = SSL_READING;
454 return -1;
455
456 case TLS13_IO_WANT_POLLOUT:
457 BIO_set_retry_write(ssl->wbio);
458 ssl->internal->rwstate = SSL_WRITING;
459 return -1;
460
461 case TLS13_IO_WANT_RETRY:
462 SSLerror(ssl, ERR_R_INTERNAL_ERROR);
463 return -1;
464 }
465
466 SSLerror(ssl, ERR_R_INTERNAL_ERROR);
467 return -1;
468}
469
470int
471tls13_legacy_pending(const SSL *ssl)
472{
473 struct tls13_ctx *ctx = ssl->internal->tls13;
474 ssize_t ret;
475
476 if (ctx == NULL)
477 return 0;
478
479 ret = tls13_pending_application_data(ctx->rl);
480 if (ret < 0 || ret > INT_MAX)
481 return 0;
482
483 return ret;
484}
485
486int
487tls13_legacy_read_bytes(SSL *ssl, int type, unsigned char *buf, int len, int peek)
488{
489 struct tls13_ctx *ctx = ssl->internal->tls13;
490 ssize_t ret;
491
492 if (ctx == NULL || !ctx->handshake_completed) {
493 if ((ret = ssl->internal->handshake_func(ssl)) <= 0)
494 return ret;
495 return tls13_legacy_return_code(ssl, TLS13_IO_WANT_POLLIN);
496 }
497
498 if (type != SSL3_RT_APPLICATION_DATA) {
499 SSLerror(ssl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
500 return -1;
501 }
502 if (len < 0) {
503 SSLerror(ssl, SSL_R_BAD_LENGTH);
504 return -1;
505 }
506
507 if (peek)
508 ret = tls13_peek_application_data(ctx->rl, buf, len);
509 else
510 ret = tls13_read_application_data(ctx->rl, buf, len);
511
512 return tls13_legacy_return_code(ssl, ret);
513}
514
515int
516tls13_legacy_write_bytes(SSL *ssl, int type, const void *vbuf, int len)
517{
518 struct tls13_ctx *ctx = ssl->internal->tls13;
519 const uint8_t *buf = vbuf;
520 size_t n, sent;
521 ssize_t ret;
522
523 if (ctx == NULL || !ctx->handshake_completed) {
524 if ((ret = ssl->internal->handshake_func(ssl)) <= 0)
525 return ret;
526 return tls13_legacy_return_code(ssl, TLS13_IO_WANT_POLLOUT);
527 }
528
529 if (type != SSL3_RT_APPLICATION_DATA) {
530 SSLerror(ssl, ERR_R_SHOULD_NOT_HAVE_BEEN_CALLED);
531 return -1;
532 }
533 if (len < 0) {
534 SSLerror(ssl, SSL_R_BAD_LENGTH);
535 return -1;
536 }
537
538 /*
539 * The TLSv1.3 record layer write behaviour is the same as
540 * SSL_MODE_ENABLE_PARTIAL_WRITE.
541 */
542 if (ssl->internal->mode & SSL_MODE_ENABLE_PARTIAL_WRITE) {
543 ret = tls13_write_application_data(ctx->rl, buf, len);
544 return tls13_legacy_return_code(ssl, ret);
545 }
546
547 /*
548 * In the non-SSL_MODE_ENABLE_PARTIAL_WRITE case we have to loop until
549 * we have written out all of the requested data.
550 */
551 sent = S3I(ssl)->wnum;
552 if (len < sent) {
553 SSLerror(ssl, SSL_R_BAD_LENGTH);
554 return -1;
555 }
556 n = len - sent;
557 for (;;) {
558 if (n == 0) {
559 S3I(ssl)->wnum = 0;
560 return sent;
561 }
562 if ((ret = tls13_write_application_data(ctx->rl,
563 &buf[sent], n)) <= 0) {
564 S3I(ssl)->wnum = sent;
565 return tls13_legacy_return_code(ssl, ret);
566 }
567 sent += ret;
568 n -= ret;
569 }
570}
571
572int
573tls13_legacy_shutdown(SSL *ssl)
574{
575 struct tls13_ctx *ctx = ssl->internal->tls13;
576 uint8_t buf[512]; /* XXX */
577 ssize_t ret;
578
579 /*
580 * We need to return 0 when we have sent a close-notify but have not
581 * yet received one. We return 1 only once we have sent and received
582 * close-notify alerts. All other cases return -1 and set internal
583 * state appropriately.
584 */
585 if (ctx == NULL || ssl->internal->quiet_shutdown) {
586 ssl->internal->shutdown = SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN;
587 return 1;
588 }
589
590 /* Send close notify. */
591 if (!ctx->close_notify_sent) {
592 ctx->close_notify_sent = 1;
593 if ((ret = tls13_send_alert(ctx->rl, SSL_AD_CLOSE_NOTIFY)) < 0)
594 return tls13_legacy_return_code(ssl, ret);
595 }
596
597 /* Ensure close notify has been sent. */
598 if ((ret = tls13_record_layer_send_pending(ctx->rl)) != TLS13_IO_SUCCESS)
599 return tls13_legacy_return_code(ssl, ret);
600
601 /* Receive close notify. */
602 if (!ctx->close_notify_recv) {
603 /*
604 * If there is still application data pending then we have no
605 * option but to discard it here. The application should have
606 * continued to call SSL_read() instead of SSL_shutdown().
607 */
608 /* XXX - tls13_drain_application_data()? */
609 if ((ret = tls13_read_application_data(ctx->rl, buf, sizeof(buf))) > 0)
610 ret = TLS13_IO_WANT_POLLIN;
611 if (ret != TLS13_IO_EOF)
612 return tls13_legacy_return_code(ssl, ret);
613 }
614
615 if (ctx->close_notify_recv)
616 return 1;
617
618 return 0;
619}
620
621/* 314/*
622 * Certificate Verify padding - RFC 8446 section 4.4.3. 315 * Certificate Verify padding - RFC 8446 section 4.4.3.
623 */ 316 */