Use a flag to track when we need to call SSL_shutdown(). This avoids an

issue where by calling tls_close() on a TLS context that has not attempted a handshake, results in an unexpected failure. Reported by Vinay Sajip. ok beck@
libressl · Jan 26, 2017 · 6be5c4c · 6be5c4c
1 parent dd784a9
commit 6be5c4c
Show file tree

Hide file tree

Showing 4 changed files with 11 additions and 5 deletions.
diff --git a/src/lib/libtls/tls.c b/src/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.57 2017/01/13 17:09:51 deraadt Exp $ */
+/* $OpenBSD: tls.c,v 1.58 2017/01/22 08:27:50 claudio Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <[email protected]>
  *
@@ -649,7 +649,7 @@ tls_close(struct tls *ctx)
 		goto out;
 	}
 
-	if (ctx->ssl_conn != NULL) {
+	if (ctx->state & TLS_SSL_NEEDS_SHUTDOWN) {
 		ERR_clear_error();
 		ssl_ret = SSL_shutdown(ctx->ssl_conn);
 		if (ssl_ret < 0) {
@@ -658,6 +658,7 @@ tls_close(struct tls *ctx)
 			if (rv == TLS_WANT_POLLIN || rv == TLS_WANT_POLLOUT)
 				goto out;
 		}
+		ctx->state &= ~TLS_SSL_NEEDS_SHUTDOWN;
 	}
 
 	if (ctx->socket != -1) {

diff --git a/src/lib/libtls/tls_client.c b/src/lib/libtls/tls_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_client.c,v 1.38 2016/12/26 16:20:58 jsing Exp $ */
+/* $OpenBSD: tls_client.c,v 1.39 2017/01/12 16:15:58 jsing Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <[email protected]>
  *
@@ -297,6 +297,8 @@ tls_handshake_client(struct tls *ctx)
 		goto err;
 	}
 
+	ctx->state |= TLS_SSL_NEEDS_SHUTDOWN;
+
 	ERR_clear_error();
 	if ((ssl_ret = SSL_connect(ctx->ssl_conn)) != 1) {
 		rv = tls_ssl_error(ctx, ctx->ssl_conn, ssl_ret, "handshake");

diff --git a/src/lib/libtls/tls_internal.h b/src/lib/libtls/tls_internal.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_internal.h,v 1.50 2016/11/05 15:13:26 beck Exp $ */
+/* $OpenBSD: tls_internal.h,v 1.51 2017/01/24 01:48:05 claudio Exp $ */
 /*
  * Copyright (c) 2014 Jeremie Courreges-Anglas <[email protected]>
  * Copyright (c) 2014 Joel Sing <[email protected]>
@@ -118,6 +118,7 @@ struct tls_conninfo {
 
 #define TLS_EOF_NO_CLOSE_NOTIFY	(1 << 0)
 #define TLS_HANDSHAKE_COMPLETE	(1 << 1)
+#define TLS_SSL_NEEDS_SHUTDOWN  (1 << 2)
 
 struct tls_ocsp_result {
 	const char *result_msg;

diff --git a/src/lib/libtls/tls_server.c b/src/lib/libtls/tls_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls_server.c,v 1.32 2017/01/12 16:15:58 jsing Exp $ */
+/* $OpenBSD: tls_server.c,v 1.33 2017/01/24 01:48:05 claudio Exp $ */
 /*
  * Copyright (c) 2014 Joel Sing <[email protected]>
  *
@@ -457,6 +457,8 @@ tls_handshake_server(struct tls *ctx)
 		goto err;
 	}
 
+	ctx->state |= TLS_SSL_NEEDS_SHUTDOWN;
+
 	ERR_clear_error();
 	if ((ssl_ret = SSL_accept(ctx->ssl_conn)) != 1) {
 		rv = tls_ssl_error(ctx, ctx->ssl_conn, ssl_ret, "handshake");