From 29048f09f31c8ae2fd81a3d7888fea2d0539ec62 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Sun, 7 May 2017 01:59:34 +0000
Subject: Return an error if tls_handshake() is called on a TLS context that has already completed a TLS handshake.
---
 src/lib/libtls/tls.c | 7 ++++++-
 1 file changed, 6 insertions(+), 1 deletion(-)
diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c
index b639873df4..7906788b08 100644
--- a/src/lib/libtls/tls.c
+++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.62 2017/05/06 20:59:28 jsing Exp $ */
+/* $OpenBSD: tls.c,v 1.63 2017/05/07 01:59:34 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing
 *
@@ -627,6 +627,11 @@ tls_handshake(struct tls *ctx)
 goto out;
 }

+ if ((ctx->state & TLS_HANDSHAKE_COMPLETE) != 0) {
+ tls_set_errorx(ctx, "handshake already completed");
+ goto out;
+ }
+
 if ((ctx->flags & TLS_CLIENT) != 0)
 rv = tls_handshake_client(ctx);
 else if ((ctx->flags & TLS_SERVER_CONN) != 0)
-- 
cgit v1.2.3-55-g6feb
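Review bot: The new `TLS_HANDSHAKE_COMPLETE` guard in the second hunk turns a repeated tls_handshake() call into a failure, but nothing in the patch tells callers: the check has no comment and the diffstat shows no documentation change. Code that calls tls_handshake() again after it has succeeded, for example from a generic retry loop, will now take the error path. The contract is worth stating at the check, e.g. `/* A context whose handshake has completed must not be handshaken again; fail rather than re-enter the client/server handshake. */`, and in the function's public documentation. The function starts and ends outside the hunk, so two things cannot be confirmed from here: the value of rv on this `goto out`, and whether the state bit is cleared when a context is reset for reuse. Both are presumably handled but worth checking.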