search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
dmake: do not set MAKEFLAGS=k
[unleashed/tickless.git] / lib / libtls / tls.c
blobf07c4c6deb0a0ec181d42512bae6d363c23c7a9f
1 /* $OpenBSD: tls.c,v 1.71 2017/09/20 17:05:17 jsing Exp $ */
2 /*
3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18 #include <sys/socket.h>
19
20 #include <errno.h>
21 #include <limits.h>
22 #include <stdlib.h>
23 #include <unistd.h>
24
25 #include <openssl/bio.h>
26 #include <openssl/err.h>
27 #include <openssl/evp.h>
28 #include <openssl/pem.h>
29 #include <openssl/safestack.h>
30 #include <openssl/ssl.h>
31 #include <openssl/x509.h>
32
33 #include <tls.h>
34 #include "tls_internal.h"
35
36 static struct tls_config *tls_config_default;
37
38 int
39 tls_init(void)
40 {
41 static int tls_initialised = 0;
42
43 if (tls_initialised)
44 return (0);
45
46 SSL_load_error_strings();
47 SSL_library_init();
48
49 if (BIO_sock_init() != 1)
50 return (-1);
51
52 if ((tls_config_default = tls_config_new()) == NULL)
53 return (-1);
54
55 tls_config_default->refcount++;
56
57 tls_initialised = 1;
58
59 return (0);
60 }
61
62 const char *
63 tls_error(struct tls *ctx)
64 {
65 return ctx->error.msg;
66 }
67
68 void
69 tls_error_clear(struct tls_error *error)
70 {
71 free(error->msg);
72 error->msg = NULL;
73 error->num = 0;
74 error->tls = 0;
75 }
76
77 static int
78 tls_error_vset(struct tls_error *error, int errnum, const char *fmt, va_list ap)
79 {
80 char *errmsg = NULL;
81 int rv = -1;
82
83 tls_error_clear(error);
84
85 error->num = errnum;
86 error->tls = 1;
87
88 if (vasprintf(&errmsg, fmt, ap) == -1) {
89 errmsg = NULL;
90 goto err;
91 }
92
93 if (errnum == -1) {
94 error->msg = errmsg;
95 return (0);
96 }
97
98 if (asprintf(&error->msg, "%s: %s", errmsg, strerror(errnum)) == -1) {
99 error->msg = NULL;
100 goto err;
101 }
102 rv = 0;
103
104 err:
105 free(errmsg);
106
107 return (rv);
108 }
109
110 int
111 tls_error_set(struct tls_error *error, const char *fmt, ...)
112 {
113 va_list ap;
114 int errnum, rv;
115
116 errnum = errno;
117
118 va_start(ap, fmt);
119 rv = tls_error_vset(error, errnum, fmt, ap);
120 va_end(ap);
121
122 return (rv);
123 }
124
125 int
126 tls_error_setx(struct tls_error *error, const char *fmt, ...)
127 {
128 va_list ap;
129 int rv;
130
131 va_start(ap, fmt);
132 rv = tls_error_vset(error, -1, fmt, ap);
133 va_end(ap);
134
135 return (rv);
136 }
137
138 int
139 tls_config_set_error(struct tls_config *config, const char *fmt, ...)
140 {
141 va_list ap;
142 int errnum, rv;
143
144 errnum = errno;
145
146 va_start(ap, fmt);
147 rv = tls_error_vset(&config->error, errnum, fmt, ap);
148 va_end(ap);
149
150 return (rv);
151 }
152
153 int
154 tls_config_set_errorx(struct tls_config *config, const char *fmt, ...)
155 {
156 va_list ap;
157 int rv;
158
159 va_start(ap, fmt);
160 rv = tls_error_vset(&config->error, -1, fmt, ap);
161 va_end(ap);
162
163 return (rv);
164 }
165
166 int
167 tls_set_error(struct tls *ctx, const char *fmt, ...)
168 {
169 va_list ap;
170 int errnum, rv;
171
172 errnum = errno;
173
174 va_start(ap, fmt);
175 rv = tls_error_vset(&ctx->error, errnum, fmt, ap);
176 va_end(ap);
177
178 return (rv);
179 }
180
181 int
182 tls_set_errorx(struct tls *ctx, const char *fmt, ...)
183 {
184 va_list ap;
185 int rv;
186
187 va_start(ap, fmt);
188 rv = tls_error_vset(&ctx->error, -1, fmt, ap);
189 va_end(ap);
190
191 return (rv);
192 }
193
194 int
195 tls_set_ssl_errorx(struct tls *ctx, const char *fmt, ...)
196 {
197 va_list ap;
198 int rv;
199
200 /* Only set an error if a more specific one does not already exist. */
201 if (ctx->error.tls != 0)
202 return (0);
203
204 va_start(ap, fmt);
205 rv = tls_error_vset(&ctx->error, -1, fmt, ap);
206 va_end(ap);
207
208 return (rv);
209 }
210
211 struct tls_sni_ctx *
212 tls_sni_ctx_new(void)
213 {
214 return (calloc(1, sizeof(struct tls_sni_ctx)));
215 }
216
217 void
218 tls_sni_ctx_free(struct tls_sni_ctx *sni_ctx)
219 {
220 if (sni_ctx == NULL)
221 return;
222
223 SSL_CTX_free(sni_ctx->ssl_ctx);
224 X509_free(sni_ctx->ssl_cert);
225
226 free(sni_ctx);
227 }
228
229 struct tls *
230 tls_new(void)
231 {
232 struct tls *ctx;
233
234 if ((ctx = calloc(1, sizeof(*ctx))) == NULL)
235 return (NULL);
236
237 tls_reset(ctx);
238
239 if (tls_configure(ctx, tls_config_default) == -1) {
240 free(ctx);
241 return NULL;
242 }
243
244 return (ctx);
245 }
246
247 int
248 tls_configure(struct tls *ctx, struct tls_config *config)
249 {
250 if (config == NULL)
251 config = tls_config_default;
252
253 config->refcount++;
254
255 tls_config_free(ctx->config);
256
257 ctx->config = config;
258 ctx->keypair = config->keypair;
259
260 if ((ctx->flags & TLS_SERVER) != 0)
261 return (tls_configure_server(ctx));
262
263 return (0);
264 }
265
266 int
267 tls_cert_hash(X509 *cert, char **hash)
268 {
269 char d[EVP_MAX_MD_SIZE], *dhex = NULL;
270 int dlen, rv = -1;
271
272 *hash = NULL;
273 if (X509_digest(cert, EVP_sha256(), d, &dlen) != 1)
274 goto err;
275
276 if (tls_hex_string(d, dlen, &dhex, NULL) != 0)
277 goto err;
278
279 if (asprintf(hash, "SHA256:%s", dhex) == -1) {
280 *hash = NULL;
281 goto err;
282 }
283
284 rv = 0;
285 err:
286 free(dhex);
287
288 return (rv);
289 }
290
291 static int
292 tls_keypair_pubkey_hash(struct tls_keypair *keypair, char **hash)
293 {
294 BIO *membio = NULL;
295 X509 *cert = NULL;
296 char d[EVP_MAX_MD_SIZE], *dhex = NULL;
297 int dlen, rv = -1;
298
299 *hash = NULL;
300
301 if ((membio = BIO_new_mem_buf(keypair->cert_mem,
302 keypair->cert_len)) == NULL)
303 goto err;
304 if ((cert = PEM_read_bio_X509_AUX(membio, NULL, tls_password_cb,
305 NULL)) == NULL)
306 goto err;
307
308 if (X509_pubkey_digest(cert, EVP_sha256(), d, &dlen) != 1)
309 goto err;
310
311 if (tls_hex_string(d, dlen, &dhex, NULL) != 0)
312 goto err;
313
314 if (asprintf(hash, "SHA256:%s", dhex) == -1) {
315 *hash = NULL;
316 goto err;
317 }
318
319 rv = 0;
320
321 err:
322 free(dhex);
323 X509_free(cert);
324 BIO_free(membio);
325
326 return (rv);
327 }
328
329
330 int
331 tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx,
332 struct tls_keypair *keypair, int required)
333 {
334 EVP_PKEY *pkey = NULL;
335 BIO *bio = NULL;
336
337 if (!required &&
338 keypair->cert_mem == NULL &&
339 keypair->key_mem == NULL)
340 return(0);
341
342 if (keypair->cert_mem != NULL) {
343 if (keypair->cert_len > INT_MAX) {
344 tls_set_errorx(ctx, "certificate too long");
345 goto err;
346 }
347
348 if (SSL_CTX_use_certificate_chain_mem(ssl_ctx,
349 keypair->cert_mem, keypair->cert_len) != 1) {
350 tls_set_errorx(ctx, "failed to load certificate");
351 goto err;
352 }
353 if (tls_keypair_pubkey_hash(keypair, &keypair->pubkey_hash) == -1)
354 goto err;
355 }
356
357 if (keypair->key_mem != NULL) {
358 if (keypair->key_len > INT_MAX) {
359 tls_set_errorx(ctx, "key too long");
360 goto err;
361 }
362
363 if ((bio = BIO_new_mem_buf(keypair->key_mem,
364 keypair->key_len)) == NULL) {
365 tls_set_errorx(ctx, "failed to create buffer");
366 goto err;
367 }
368 if ((pkey = PEM_read_bio_PrivateKey(bio, NULL, tls_password_cb,
369 NULL)) == NULL) {
370 tls_set_errorx(ctx, "failed to read private key");
371 goto err;
372 }
373
374 if (keypair->pubkey_hash != NULL) {
375 RSA *rsa;
376 /* XXX only RSA for now for relayd privsep */
377 if ((rsa = EVP_PKEY_get1_RSA(pkey)) != NULL) {
378 RSA_set_ex_data(rsa, 0, keypair->pubkey_hash);
379 RSA_free(rsa);
380 }
381 }
382
383 if (SSL_CTX_use_PrivateKey(ssl_ctx, pkey) != 1) {
384 tls_set_errorx(ctx, "failed to load private key");
385 goto err;
386 }
387 BIO_free(bio);
388 bio = NULL;
389 EVP_PKEY_free(pkey);
390 pkey = NULL;
391 }
392
393 if (!ctx->config->skip_private_key_check &&
394 SSL_CTX_check_private_key(ssl_ctx) != 1) {
395 tls_set_errorx(ctx, "private/public key mismatch");
396 goto err;
397 }
398
399 return (0);
400
401 err:
402 EVP_PKEY_free(pkey);
403 BIO_free(bio);
404
405 return (1);
406 }
407
408 int
409 tls_configure_ssl(struct tls *ctx, SSL_CTX *ssl_ctx)
410 {
411 SSL_CTX_set_mode(ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
412 SSL_CTX_set_mode(ssl_ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
413
414 SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2);
415 SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv3);
416
417 SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1);
418 SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1_1);
419 SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1_2);
420
421 if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_0) == 0)
422 SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1);
423 if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_1) == 0)
424 SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_1);
425 if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_2) == 0)
426 SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_2);
427
428 if (ctx->config->alpn != NULL) {
429 if (SSL_CTX_set_alpn_protos(ssl_ctx, ctx->config->alpn,
430 ctx->config->alpn_len) != 0) {
431 tls_set_errorx(ctx, "failed to set alpn");
432 goto err;
433 }
434 }
435
436 if (ctx->config->ciphers != NULL) {
437 if (SSL_CTX_set_cipher_list(ssl_ctx,
438 ctx->config->ciphers) != 1) {
439 tls_set_errorx(ctx, "failed to set ciphers");
440 goto err;
441 }
442 }
443
444 if (ctx->config->verify_time == 0) {
445 X509_VERIFY_PARAM_set_flags(ssl_ctx->param,
446 X509_V_FLAG_NO_CHECK_TIME);
447 }
448
449 /* Disable any form of session caching by default */
450 SSL_CTX_set_session_cache_mode(ssl_ctx, SSL_SESS_CACHE_OFF);
451 SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TICKET);
452
453 return (0);
454
455 err:
456 return (-1);
457 }
458
459 static int
460 tls_ssl_cert_verify_cb(X509_STORE_CTX *x509_ctx, void *arg)
461 {
462 struct tls *ctx = arg;
463 int x509_err;
464
465 if (ctx->config->verify_cert == 0)
466 return (1);
467
468 if ((X509_verify_cert(x509_ctx)) < 0) {
469 tls_set_errorx(ctx, "X509 verify cert failed");
470 return (0);
471 }
472
473 x509_err = X509_STORE_CTX_get_error(x509_ctx);
474 if (x509_err == X509_V_OK)
475 return (1);
476
477 tls_set_errorx(ctx, "certificate verification failed: %s",
478 X509_verify_cert_error_string(x509_err));
479
480 return (0);
481 }
482
483 int
484 tls_configure_ssl_verify(struct tls *ctx, SSL_CTX *ssl_ctx, int verify)
485 {
486 size_t ca_len = ctx->config->ca_len;
487 char *ca_mem = ctx->config->ca_mem;
488 char *crl_mem = ctx->config->crl_mem;
489 size_t crl_len = ctx->config->crl_len;
490 char *ca_free = NULL;
491 STACK_OF(X509_INFO) *xis = NULL;
492 X509_STORE *store;
493 X509_INFO *xi;
494 BIO *bio = NULL;
495 int rv = -1;
496 int i;
497
498 SSL_CTX_set_verify(ssl_ctx, verify, NULL);
499 SSL_CTX_set_cert_verify_callback(ssl_ctx, tls_ssl_cert_verify_cb, ctx);
500
501 if (ctx->config->verify_depth >= 0)
502 SSL_CTX_set_verify_depth(ssl_ctx, ctx->config->verify_depth);
503
504 if (ctx->config->verify_cert == 0)
505 goto done;
506
507 /* If no CA has been specified, attempt to load the default. */
508 if (ctx->config->ca_mem == NULL && ctx->config->ca_path == NULL) {
509 if (tls_config_load_file(&ctx->error, "CA", _PATH_SSL_CA_FILE,
510 &ca_mem, &ca_len) != 0)
511 goto err;
512 ca_free = ca_mem;
513 }
514
515 if (ca_mem != NULL) {
516 if (ca_len > INT_MAX) {
517 tls_set_errorx(ctx, "ca too long");
518 goto err;
519 }
520 if (SSL_CTX_load_verify_mem(ssl_ctx, ca_mem, ca_len) != 1) {
521 tls_set_errorx(ctx, "ssl verify memory setup failure");
522 goto err;
523 }
524 } else if (SSL_CTX_load_verify_locations(ssl_ctx, NULL,
525 ctx->config->ca_path) != 1) {
526 tls_set_errorx(ctx, "ssl verify locations failure");
527 goto err;
528 }
529
530 if (crl_mem != NULL) {
531 if (crl_len > INT_MAX) {
532 tls_set_errorx(ctx, "crl too long");
533 goto err;
534 }
535 if ((bio = BIO_new_mem_buf(crl_mem, crl_len)) == NULL) {
536 tls_set_errorx(ctx, "failed to create buffer");
537 goto err;
538 }
539 if ((xis = PEM_X509_INFO_read_bio(bio, NULL, tls_password_cb,
540 NULL)) == NULL) {
541 tls_set_errorx(ctx, "failed to parse crl");
542 goto err;
543 }
544 store = SSL_CTX_get_cert_store(ssl_ctx);
545 for (i = 0; i < sk_X509_INFO_num(xis); i++) {
546 xi = sk_X509_INFO_value(xis, i);
547 if (xi->crl == NULL)
548 continue;
549 if (!X509_STORE_add_crl(store, xi->crl)) {
550 tls_set_error(ctx, "failed to add crl");
551 goto err;
552 }
553 xi->crl = NULL;
554 }
555 X509_VERIFY_PARAM_set_flags(store->param,
556 X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
557 }
558
559 done:
560 rv = 0;
561
562 err:
563 sk_X509_INFO_pop_free(xis, X509_INFO_free);
564 BIO_free(bio);
565 free(ca_free);
566
567 return (rv);
568 }
569
570 void
571 tls_free(struct tls *ctx)
572 {
573 if (ctx == NULL)
574 return;
575
576 tls_reset(ctx);
577
578 free(ctx);
579 }
580
581 void
582 tls_reset(struct tls *ctx)
583 {
584 struct tls_sni_ctx *sni, *nsni;
585
586 tls_config_free(ctx->config);
587 ctx->config = NULL;
588
589 SSL_CTX_free(ctx->ssl_ctx);
590 SSL_free(ctx->ssl_conn);
591 X509_free(ctx->ssl_peer_cert);
592
593 ctx->ssl_conn = NULL;
594 ctx->ssl_ctx = NULL;
595 ctx->ssl_peer_cert = NULL;
596 /* X509 objects in chain are freed with the SSL */
597 ctx->ssl_peer_chain = NULL;
598
599 ctx->socket = -1;
600 ctx->state = 0;
601
602 free(ctx->servername);
603 ctx->servername = NULL;
604
605 free(ctx->error.msg);
606 ctx->error.msg = NULL;
607 ctx->error.num = -1;
608
609 tls_conninfo_free(ctx->conninfo);
610 ctx->conninfo = NULL;
611
612 tls_ocsp_free(ctx->ocsp);
613 ctx->ocsp = NULL;
614
615 for (sni = ctx->sni_ctx; sni != NULL; sni = nsni) {
616 nsni = sni->next;
617 tls_sni_ctx_free(sni);
618 }
619 ctx->sni_ctx = NULL;
620
621 ctx->read_cb = NULL;
622 ctx->write_cb = NULL;
623 ctx->cb_arg = NULL;
624 }
625
626 int
627 tls_ssl_error(struct tls *ctx, SSL *ssl_conn, int ssl_ret, const char *prefix)
628 {
629 const char *errstr = "unknown error";
630 unsigned long err;
631 int ssl_err;
632
633 ssl_err = SSL_get_error(ssl_conn, ssl_ret);
634 switch (ssl_err) {
635 case SSL_ERROR_NONE:
636 case SSL_ERROR_ZERO_RETURN:
637 return (0);
638
639 case SSL_ERROR_WANT_READ:
640 return (TLS_WANT_POLLIN);
641
642 case SSL_ERROR_WANT_WRITE:
643 return (TLS_WANT_POLLOUT);
644
645 case SSL_ERROR_SYSCALL:
646 if ((err = ERR_peek_error()) != 0) {
647 errstr = ERR_error_string(err, NULL);
648 } else if (ssl_ret == 0) {
649 if ((ctx->state & TLS_HANDSHAKE_COMPLETE) != 0) {
650 ctx->state |= TLS_EOF_NO_CLOSE_NOTIFY;
651 return (0);
652 }
653 errstr = "unexpected EOF";
654 } else if (ssl_ret == -1) {
655 errstr = strerror(errno);
656 }
657 tls_set_ssl_errorx(ctx, "%s failed: %s", prefix, errstr);
658 return (-1);
659
660 case SSL_ERROR_SSL:
661 if ((err = ERR_peek_error()) != 0) {
662 errstr = ERR_error_string(err, NULL);
663 }
664 tls_set_ssl_errorx(ctx, "%s failed: %s", prefix, errstr);
665 return (-1);
666
667 case SSL_ERROR_WANT_CONNECT:
668 case SSL_ERROR_WANT_ACCEPT:
669 case SSL_ERROR_WANT_X509_LOOKUP:
670 default:
671 tls_set_ssl_errorx(ctx, "%s failed (%i)", prefix, ssl_err);
672 return (-1);
673 }
674 }
675
676 int
677 tls_handshake(struct tls *ctx)
678 {
679 int rv = -1;
680
681 tls_error_clear(&ctx->error);
682
683 if ((ctx->flags & (TLS_CLIENT | TLS_SERVER_CONN)) == 0) {
684 tls_set_errorx(ctx, "invalid operation for context");
685 goto out;
686 }
687
688 if ((ctx->state & TLS_HANDSHAKE_COMPLETE) != 0) {
689 tls_set_errorx(ctx, "handshake already completed");
690 goto out;
691 }
692
693 if ((ctx->flags & TLS_CLIENT) != 0)
694 rv = tls_handshake_client(ctx);
695 else if ((ctx->flags & TLS_SERVER_CONN) != 0)
696 rv = tls_handshake_server(ctx);
697
698 if (rv == 0) {
699 ctx->ssl_peer_cert = SSL_get_peer_certificate(ctx->ssl_conn);
700 ctx->ssl_peer_chain = SSL_get_peer_cert_chain(ctx->ssl_conn);
701 if (tls_conninfo_populate(ctx) == -1)
702 rv = -1;
703 if (ctx->ocsp == NULL)
704 ctx->ocsp = tls_ocsp_setup_from_peer(ctx);
705 }
706 out:
707 /* Prevent callers from performing incorrect error handling */
708 errno = 0;
709 return (rv);
710 }
711
712 ssize_t
713 tls_read(struct tls *ctx, void *buf, size_t buflen)
714 {
715 ssize_t rv = -1;
716 int ssl_ret;
717
718 tls_error_clear(&ctx->error);
719
720 if ((ctx->state & TLS_HANDSHAKE_COMPLETE) == 0) {
721 if ((rv = tls_handshake(ctx)) != 0)
722 goto out;
723 }
724
725 if (buflen > INT_MAX) {
726 tls_set_errorx(ctx, "buflen too long");
727 goto out;
728 }
729
730 ERR_clear_error();
731 if ((ssl_ret = SSL_read(ctx->ssl_conn, buf, buflen)) > 0) {
732 rv = (ssize_t)ssl_ret;
733 goto out;
734 }
735 rv = (ssize_t)tls_ssl_error(ctx, ctx->ssl_conn, ssl_ret, "read");
736
737 out:
738 /* Prevent callers from performing incorrect error handling */
739 errno = 0;
740 return (rv);
741 }
742
743 ssize_t
744 tls_write(struct tls *ctx, const void *buf, size_t buflen)
745 {
746 ssize_t rv = -1;
747 int ssl_ret;
748
749 tls_error_clear(&ctx->error);
750
751 if ((ctx->state & TLS_HANDSHAKE_COMPLETE) == 0) {
752 if ((rv = tls_handshake(ctx)) != 0)
753 goto out;
754 }
755
756 if (buflen > INT_MAX) {
757 tls_set_errorx(ctx, "buflen too long");
758 goto out;
759 }
760
761 ERR_clear_error();
762 if ((ssl_ret = SSL_write(ctx->ssl_conn, buf, buflen)) > 0) {
763 rv = (ssize_t)ssl_ret;
764 goto out;
765 }
766 rv = (ssize_t)tls_ssl_error(ctx, ctx->ssl_conn, ssl_ret, "write");
767
768 out:
769 /* Prevent callers from performing incorrect error handling */
770 errno = 0;
771 return (rv);
772 }
773
774 int
775 tls_close(struct tls *ctx)
776 {
777 int ssl_ret;
778 int rv = 0;
779
780 tls_error_clear(&ctx->error);
781
782 if ((ctx->flags & (TLS_CLIENT | TLS_SERVER_CONN)) == 0) {
783 tls_set_errorx(ctx, "invalid operation for context");
784 rv = -1;
785 goto out;
786 }
787
788 if (ctx->state & TLS_SSL_NEEDS_SHUTDOWN) {
789 ERR_clear_error();
790 ssl_ret = SSL_shutdown(ctx->ssl_conn);
791 if (ssl_ret < 0) {
792 rv = tls_ssl_error(ctx, ctx->ssl_conn, ssl_ret,
793 "shutdown");
794 if (rv == TLS_WANT_POLLIN || rv == TLS_WANT_POLLOUT)
795 goto out;
796 }
797 ctx->state &= ~TLS_SSL_NEEDS_SHUTDOWN;
798 }
799
800 if (ctx->socket != -1) {
801 if (shutdown(ctx->socket, SHUT_RDWR) != 0) {
802 if (rv == 0 &&
803 errno != ENOTCONN && errno != ECONNRESET) {
804 tls_set_error(ctx, "shutdown");
805 rv = -1;
806 }
807 }
808 if (close(ctx->socket) != 0) {
809 if (rv == 0) {
810 tls_set_error(ctx, "close");
811 rv = -1;
812 }
813 }
814 ctx->socket = -1;
815 }
816
817 if ((ctx->state & TLS_EOF_NO_CLOSE_NOTIFY) != 0) {
818 tls_set_errorx(ctx, "EOF without close notify");
819 rv = -1;
820 }
821
822 out:
823 /* Prevent callers from performing incorrect error handling */
824 errno = 0;
825 return (rv);
826 }
unleashed repo fork