From faeda34edddb798c605b02be985707c383fc2619 Mon Sep 17 00:00:00 2001
From: jsing <>
Date: Thu, 26 Jan 2017 12:56:37 +0000
Subject: Use a flag to track when we need to call SSL_shutdown().

This avoids an issue where by calling tls_close() on a TLS context that has not attempted a handshake, results in an unexpected failure.

Reported by Vinay Sajip.

ok beck@
---
 src/lib/libtls/tls.c | 5 +++--
 src/lib/libtls/tls_client.c | 4 +++-
 src/lib/libtls/tls_internal.h | 3 ++-
 src/lib/libtls/tls_server.c | 4 +++-
 4 files changed, 11 insertions(+), 5 deletions(-)
 (limited to 'src')
diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c
index c028d19539..9b03c2b6f0 100644
--- a/src/lib/libtls/tls.c
+++ b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.58 2017/01/22 08:27:50 claudio Exp $ */
+/* $OpenBSD: tls.c,v 1.59 2017/01/26 12:56:37 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing
 *
@@ -649,7 +649,7 @@ tls_close(struct tls *ctx)
 goto out;
 }
- if (ctx->ssl_conn != NULL) {
+ if (ctx->state & TLS_SSL_NEEDS_SHUTDOWN) {
 ERR_clear_error();
 ssl_ret = SSL_shutdown(ctx->ssl_conn);
 if (ssl_ret < 0) {
@@ -658,6 +658,7 @@ tls_close(struct tls *ctx)
 if (rv == TLS_WANT_POLLIN || rv == TLS_WANT_POLLOUT)
 goto out;
 }
+ ctx->state &= ~TLS_SSL_NEEDS_SHUTDOWN;
 }
 if (ctx->socket != -1) {
diff --git a/src/lib/libtls/tls_client.c b/src/lib/libtls/tls_client.c
index d22a8a95ce..a1e2caa717 100644
--- a/src/lib/libtls/tls_client.c
+++ b/src/lib/libtls/tls_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_client.c,v 1.39 2017/01/12 16:15:58 jsing Exp $ */
+/* $OpenBSD: tls_client.c,v 1.40 2017/01/26 12:56:37 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing
 *
@@ -297,6 +297,8 @@ tls_handshake_client(struct tls *ctx)
 goto err;
 }
+ ctx->state |= TLS_SSL_NEEDS_SHUTDOWN;
+
 ERR_clear_error();
 if ((ssl_ret = SSL_connect(ctx->ssl_conn)) != 1) {
 rv = tls_ssl_error(ctx, ctx->ssl_conn, ssl_ret, "handshake");
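Review bot: The rewritten condition `if (ctx->state & TLS_SSL_NEEDS_SHUTDOWN) {` no longer checks `ctx->ssl_conn != NULL` before `SSL_shutdown(ctx->ssl_conn)`, so that call is now safe only as long as the flag is set exclusively after ssl_conn exists and is cleared wherever ssl_conn is freed; the setters in this commit sit right before SSL_connect()/SSL_accept() on ssl_conn, but tls_reset() is outside this diff and should be confirmed to zero ctx->state. That invariant deserves a comment on the new line, `/* Only set once a handshake has been attempted on ssl_conn; must be cleared whenever ssl_conn is freed. */`. In the following hunk the flag is also cleared when SSL_shutdown() fails with a non-retryable error, so a second tls_close() will not attempt the TLS shutdown again — presumably intended, and `/* Cleared on failure too: only one shutdown attempt per connection. */` would make that explicit. tls_close() begins and ends outside both hunks.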
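Review bot: The new `ctx->state |= TLS_SSL_NEEDS_SHUTDOWN;` is set before SSL_connect() rather than after it succeeds, so a handshake that fails or is still pending still leads tls_close() to call SSL_shutdown(); that appears to be the behaviour the commit message asks for, but placed next to TLS_HANDSHAKE_COMPLETE it is easy to misread as a success flag. A comment on the line would prevent that, `/* Set before SSL_connect(): once a handshake has been attempted, tls_close() must run SSL_shutdown() even if it never completed. */`. The same applies to the identical addition before SSL_accept() in tls_handshake_server() in tls_server.c. tls_handshake_client() starts and ends outside this hunk.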
diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h
index 3650ca9462..37737c3499 100644
--- a/src/lib/libtls/tls_internal.h
+++ b/src/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.51 2017/01/24 01:48:05 claudio Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.52 2017/01/26 12:56:37 jsing Exp $ */
 /*
 * Copyright (c) 2014 Jeremie Courreges-Anglas
 * Copyright (c) 2014 Joel Sing
@@ -118,6 +118,7 @@ struct tls_conninfo {
 #define TLS_EOF_NO_CLOSE_NOTIFY (1 << 0)
 #define TLS_HANDSHAKE_COMPLETE (1 << 1)
+#define TLS_SSL_NEEDS_SHUTDOWN (1 << 2)
 struct tls_ocsp_result {
 const char *result_msg;
diff --git a/src/lib/libtls/tls_server.c b/src/lib/libtls/tls_server.c
index 5bf87552cb..1a1a48a169 100644
--- a/src/lib/libtls/tls_server.c
+++ b/src/lib/libtls/tls_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_server.c,v 1.33 2017/01/24 01:48:05 claudio Exp $ */
+/* $OpenBSD: tls_server.c,v 1.34 2017/01/26 12:56:37 jsing Exp $ */
 /*
 * Copyright (c) 2014 Joel Sing
 *
@@ -457,6 +457,8 @@ tls_handshake_server(struct tls *ctx)
 goto err;
 }
+ ctx->state |= TLS_SSL_NEEDS_SHUTDOWN;
+
 ERR_clear_error();
 if ((ssl_ret = SSL_accept(ctx->ssl_conn)) != 1) {
 rv = tls_ssl_error(ctx, ctx->ssl_conn, ssl_ret, "handshake");
--
cgit v1.2.3-55-g6feb
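Review bot: The new `#define TLS_SSL_NEEDS_SHUTDOWN (1 << 2)` joins a group of ctx->state bits that carries no comment on who sets and clears each bit, which is exactly what a reader of tls_close() needs in order to verify the flag is never set while ssl_conn is NULL. I would add a short block comment above the three defines, e.g. `/* ctx->state bits. TLS_SSL_NEEDS_SHUTDOWN: set by tls_handshake_{client,server}() before SSL_connect()/SSL_accept(), cleared by tls_close(). */`. The value itself does not collide with the existing bits (1 << 0, 1 << 1).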