From 810729815324406169b00f976dceaf34caefadc0 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Mon, 14 Sep 2015 12:20:40 +0000
Subject: Return an error if tls_handshake() or tls_close() is called on a
 context for which they are not valid operations.

ok beck@
---
 src/lib/libtls/tls.c | 15 +++++++++++++--
 1 file changed, 13 insertions(+), 2 deletions(-)

diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c
index 3012ea62a6..cb2833cb54 100644
--- a/src/lib/libtls/tls.c
+++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.29 2015/09/13 15:39:15 beck Exp $ */
+/* $OpenBSD: tls.c,v 1.30 2015/09/14 12:20:40 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
  *
@@ -380,6 +380,11 @@ tls_handshake(struct tls *ctx)
 {
 	int rv = -1;
 
+	if ((ctx->flags & (TLS_CLIENT | TLS_SERVER_CONN)) == 0) {
+		tls_set_errorx(ctx, "invalid operation for context");
+		goto out;
+	}
+
 	if (ctx->conninfo == NULL &&
 	    (ctx->conninfo = calloc(1, sizeof(*ctx->conninfo))) == NULL)
 		goto out;
@@ -393,7 +398,7 @@ tls_handshake(struct tls *ctx)
 	    (ctx->ssl_peer_cert = SSL_get_peer_certificate(ctx->ssl_conn)) &&
 	    (tls_get_conninfo(ctx) == -1))
 		rv = -1;
-out:
+ out:
 	/* Prevent callers from performing incorrect error handling */
 	errno = 0;
 	return (rv);
@@ -463,6 +468,12 @@ tls_close(struct tls *ctx)
 	int ssl_ret;
 	int rv = 0;
 
+	if ((ctx->flags & (TLS_CLIENT | TLS_SERVER_CONN)) == 0) {
+		tls_set_errorx(ctx, "invalid operation for context");
+		rv = -1;
+		goto out;
+	}
+
 	if (ctx->ssl_conn != NULL) {
 		ERR_clear_error();
 		ssl_ret = SSL_shutdown(ctx->ssl_conn);
-- 
cgit v1.2.3-55-g6feb