summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/lib/libssl/tls13_legacy.c37
1 files changed, 19 insertions, 18 deletions
diff --git a/src/lib/libssl/tls13_legacy.c b/src/lib/libssl/tls13_legacy.c
index 44959a3186..e5b451cb68 100644
--- a/src/lib/libssl/tls13_legacy.c
+++ b/src/lib/libssl/tls13_legacy.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: tls13_legacy.c,v 1.42 2024/01/27 14:31:01 jsing Exp $ */ 1/* $OpenBSD: tls13_legacy.c,v 1.43 2024/01/27 14:34:28 jsing Exp $ */
2/* 2/*
3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org> 3 * Copyright (c) 2018, 2019 Joel Sing <jsing@openbsd.org>
4 * 4 *
@@ -486,44 +486,45 @@ tls13_legacy_shutdown(SSL *ssl)
486 * We need to return 0 at the point that we have completed sending a 486 * We need to return 0 at the point that we have completed sending a
487 * close-notify. We return 1 when we have sent and received close-notify 487 * close-notify. We return 1 when we have sent and received close-notify
488 * alerts. All other cases, including EOF, return -1 and set internal 488 * alerts. All other cases, including EOF, return -1 and set internal
489 * state appropriately. 489 * state appropriately. Note that all of this insanity can also be
490 * externally controlled by manipulating the shutdown flags.
490 */ 491 */
491 if (ctx == NULL || ssl->quiet_shutdown) { 492 if (ctx == NULL || ssl->quiet_shutdown) {
492 ssl->shutdown = SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN; 493 ssl->shutdown = SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN;
493 return 1; 494 return 1;
494 } 495 }
495 496
496 if (!ctx->close_notify_sent) { 497 if ((ssl->shutdown & SSL_SENT_SHUTDOWN) == 0) {
497 /* Enqueue and send close notify. */ 498 ssl->shutdown |= SSL_SENT_SHUTDOWN;
498 if (!(ssl->shutdown & SSL_SENT_SHUTDOWN)) { 499 ret = tls13_send_alert(ctx->rl, TLS13_ALERT_CLOSE_NOTIFY);
499 ssl->shutdown |= SSL_SENT_SHUTDOWN;
500 if ((ret = tls13_send_alert(ctx->rl,
501 TLS13_ALERT_CLOSE_NOTIFY)) < 0)
502 return tls13_legacy_return_code(ssl, ret);
503 }
504 ret = tls13_record_layer_send_pending(ctx->rl);
505 if (ret == TLS13_IO_EOF) 500 if (ret == TLS13_IO_EOF)
506 return -1; 501 return -1;
507 if (ret != TLS13_IO_SUCCESS) 502 if (ret != TLS13_IO_SUCCESS)
508 return tls13_legacy_return_code(ssl, ret); 503 return tls13_legacy_return_code(ssl, ret);
509 } else if (!ctx->close_notify_recv) { 504 }
505
506 ret = tls13_record_layer_send_pending(ctx->rl);
507 if (ret == TLS13_IO_EOF)
508 return -1;
509 if (ret != TLS13_IO_SUCCESS)
510 return tls13_legacy_return_code(ssl, ret);
511
512 if ((ssl->shutdown & SSL_RECEIVED_SHUTDOWN) == 0) {
510 /* 513 /*
511 * If there is no application data pending, attempt to read more 514 * If there is no application data pending, attempt to read more
512 * data in order to receive a close-notify. This should trigger 515 * data in order to receive a close-notify. This should trigger
513 * a record to be read from the wire, which may be application 516 * a record to be read from the wire, which may be application
514 * handshake or alert data. Only one attempt is made to match 517 * handshake or alert data. Only one attempt is made with no
515 * previous semantics. 518 * error handling, in order to match previous semantics.
516 */ 519 */
517 if (tls13_pending_application_data(ctx->rl) == 0) { 520 if (tls13_pending_application_data(ctx->rl) == 0) {
518 if ((ret = tls13_read_application_data(ctx->rl, buf, 521 (void)tls13_read_application_data(ctx->rl, buf, sizeof(buf));
519 sizeof(buf))) < 0)
520 return tls13_legacy_return_code(ssl, ret);
521 if (!ctx->close_notify_recv) 522 if (!ctx->close_notify_recv)
522 return -1; 523 return -1;
523 } 524 }
524 } 525 }
525 526
526 if (ctx->close_notify_recv) 527 if (ssl->shutdown == (SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN))
527 return 1; 528 return 1;
528 529
529 return 0; 530 return 0;
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-11-01 09:33:46 +0000