From f2f92a2f5098f67338df0882b17ec3f65d4364d0 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Thu, 2 Apr 2015 13:19:15 +0000
Subject: Handle the case where multiple calls to SSL_shutdown() are required to close the connection. Also correctly handle the error on failure. Diff from cookieandscream via github.
---
 src/lib/libtls/tls.c | 15 +++++++++------
 src/lib/libtls/tls_init.3 | 7 +++++--
 2 files changed, 14 insertions(+), 8 deletions(-)
(limited to 'src/lib')
diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c
index b7b6570ff9..d942c35fec 100644
--- a/src/lib/libtls/tls.c
+++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.8 2015/03/31 12:21:27 jsing Exp $ */
+/* $OpenBSD: tls.c,v 1.9 2015/04/02 13:19:15 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing
 *
@@ -326,12 +326,15 @@ tls_write(struct tls *ctx, const void *buf, size_t buflen, size_t *outlen)
 int
 tls_close(struct tls *ctx)
 {
- /* XXX - handle case where multiple calls are required. */
+ int ssl_ret;
+
 if (ctx->ssl_conn != NULL) {
- if (SSL_shutdown(ctx->ssl_conn) == -1) {
- tls_set_error(ctx, "SSL shutdown failed");
- goto err;
- }
+ ssl_ret = SSL_shutdown(ctx->ssl_conn);
+ if (ssl_ret == 0)
+ ssl_ret = SSL_shutdown(ctx->ssl_conn);
+ if (ssl_ret < 0)
+ return tls_ssl_error(ctx, ctx->ssl_conn, ssl_ret,
+ "shutdown");
 }
 
 if (ctx->socket != -1) {
diff --git a/src/lib/libtls/tls_init.3 b/src/lib/libtls/tls_init.3
index 8df1d204ff..1ec8865075 100644
--- a/src/lib/libtls/tls_init.3
+++ b/src/lib/libtls/tls_init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_init.3,v 1.21 2015/04/02 05:54:22 jsing Exp $
+.\" $OpenBSD: tls_init.3,v 1.22 2015/04/02 13:19:15 jsing Exp $
 .\"
 .\" Copyright (c) 2014 Ted Unangst
 .\"
@@ -407,6 +407,7 @@ will return 0 on success and -1 on error.
 Functions that return a pointer will return NULL on error.
 .Pp
 The
+.Fn tls_close ,
 .Fn tls_read
 and
 .Fn tls_write
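Review bot: The second SSL_shutdown() result in tls_close is only tested with `if (ssl_ret < 0)`, so a second return of 0 — which SSL_shutdown's contract uses for a bidirectional shutdown that is still incomplete — is treated like 1 and falls through to the socket teardown after the hunk, even though the peer's close_notify has presumably not been read yet. Whether this build of the library can actually return 0 from the second call I cannot confirm from the hunk, but the fall-through is silent either way; signalling "call again" for that case, as the `< 0` path already does through tls_ssl_error, would keep the retry semantics the manual page change documents consistent with the code. The reason for calling SSL_shutdown twice is also no longer recorded now that the XXX comment is gone; a why-comment above the second call such as `/* 0 means our close_notify was sent but the peer's has not been read yet; call again to complete the bidirectional shutdown. */` would help the next reader. tls_close's body continues outside the hunk.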
@@ -424,8 +425,10 @@ A write operation is necessary to continue.
 .El
 .Pp
 The caller should call the appropriate function, or in the case of the
+.Fn tls_close
+and the
 .Fn tls_accept
-or
+and
 .Fn tls_connect
 function families, repeat the call.
 .Sh ERRORS
-- 
cgit v1.2.3-55-g6feb