From c6b61bddec1634e2d244575d39a9e88063218f88 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Wed, 6 Jul 2016 02:32:57 +0000
Subject: Correctly handle an EOF that occurs prior to the TLS handshake completing.

Reported by Vasily Kolobkov, based on a diff from Marko Kreen.

ok beck@
---
 src/lib/libtls/tls.c | 9 ++++++---
 1 file changed, 6 insertions(+), 3 deletions(-)

(limited to 'src/lib')

diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c
index 76d00e53f3..783d320a9d 100644
--- a/src/lib/libtls/tls.c
+++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.38 2016/05/27 14:38:40 jsing Exp $ */
+/* $OpenBSD: tls.c,v 1.39 2016/07/06 02:32:57 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing
 *
@@ -418,8 +418,11 @@ tls_ssl_error(struct tls *ctx, SSL *ssl_conn, int ssl_ret, const char *prefix)
 if ((err = ERR_peek_error()) != 0) {
 errstr = ERR_error_string(err, NULL);
 } else if (ssl_ret == 0) {
- ctx->state |= TLS_EOF_NO_CLOSE_NOTIFY;
- return (0);
+ if ((ctx->state & TLS_HANDSHAKE_COMPLETE) != 0) {
+ ctx->state |= TLS_EOF_NO_CLOSE_NOTIFY;
+ return (0);
+ }
+ errstr = "unexpected EOF";
 } else if (ssl_ret == -1) {
 errstr = strerror(errno);
 }
-- 
cgit v1.2.3-55-g6feb
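Review bot: The post-handshake path in the `ssl_ret == 0` branch still returns 0 for an EOF that, going by the flag name, arrived without a close_notify, and nothing in the hunk documents why that is treated as success while the same EOF before `TLS_HANDSHAKE_COMPLETE` is now an error. An EOF with no close_notify is what a truncated stream looks like, so the asymmetry deserves a comment above the inner `if`, for example `/* EOF before the handshake completes is a failure; afterwards it is reported as EOF and recorded in TLS_EOF_NO_CLOSE_NOTIFY so truncation can be told apart from a clean close. */`. How callers consume that flag is not visible here, so the wording should be checked against the read path. The body of tls_ssl_error starts and ends outside the hunk.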