search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
update libressl to v2.7.4
[unleashed.git] / lib / libtls / tls.c
blob467db164d5d1caa37f73b56051bae2dc9c2cf313
1 /* $OpenBSD: tls.c,v 1.79 2018/03/19 16:34:47 jsing Exp $ */
2 /*
3 * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4 *
5 * Permission to use, copy, modify, and distribute this software for any
6 * purpose with or without fee is hereby granted, provided that the above
7 * copyright notice and this permission notice appear in all copies.
8 *
9 * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10 * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11 * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12 * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13 * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14 * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15 * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16 */
17
18 #include <sys/socket.h>
19
20 #include <errno.h>
21 #include <limits.h>
22 #include <pthread.h>
23 #include <stdlib.h>
24 #include <unistd.h>
25
26 #include <openssl/bio.h>
27 #include <openssl/err.h>
28 #include <openssl/evp.h>
29 #include <openssl/pem.h>
30 #include <openssl/safestack.h>
31 #include <openssl/ssl.h>
32 #include <openssl/x509.h>
33
34 #include <tls.h>
35 #include "tls_internal.h"
36
37 static struct tls_config *tls_config_default;
38
39 static int tls_init_rv = -1;
40
41 static void
42 tls_do_init(void)
43 {
44 SSL_load_error_strings();
45 SSL_library_init();
46
47 if (BIO_sock_init() != 1)
48 return;
49
50 if ((tls_config_default = tls_config_new_internal()) == NULL)
51 return;
52
53 tls_config_default->refcount++;
54
55 tls_init_rv = 0;
56 }
57
58 int
59 tls_init(void)
60 {
61 static pthread_once_t once = PTHREAD_ONCE_INIT;
62
63 if (pthread_once(&once, tls_do_init) != 0)
64 return -1;
65
66 return tls_init_rv;
67 }
68
69 const char *
70 tls_error(struct tls *ctx)
71 {
72 return ctx->error.msg;
73 }
74
75 void
76 tls_error_clear(struct tls_error *error)
77 {
78 free(error->msg);
79 error->msg = NULL;
80 error->num = 0;
81 error->tls = 0;
82 }
83
84 static int
85 tls_error_vset(struct tls_error *error, int errnum, const char *fmt, va_list ap)
86 {
87 char *errmsg = NULL;
88 int rv = -1;
89
90 tls_error_clear(error);
91
92 error->num = errnum;
93 error->tls = 1;
94
95 if (vasprintf(&errmsg, fmt, ap) == -1) {
96 errmsg = NULL;
97 goto err;
98 }
99
100 if (errnum == -1) {
101 error->msg = errmsg;
102 return (0);
103 }
104
105 if (asprintf(&error->msg, "%s: %s", errmsg, strerror(errnum)) == -1) {
106 error->msg = NULL;
107 goto err;
108 }
109 rv = 0;
110
111 err:
112 free(errmsg);
113
114 return (rv);
115 }
116
117 int
118 tls_error_set(struct tls_error *error, const char *fmt, ...)
119 {
120 va_list ap;
121 int errnum, rv;
122
123 errnum = errno;
124
125 va_start(ap, fmt);
126 rv = tls_error_vset(error, errnum, fmt, ap);
127 va_end(ap);
128
129 return (rv);
130 }
131
132 int
133 tls_error_setx(struct tls_error *error, const char *fmt, ...)
134 {
135 va_list ap;
136 int rv;
137
138 va_start(ap, fmt);
139 rv = tls_error_vset(error, -1, fmt, ap);
140 va_end(ap);
141
142 return (rv);
143 }
144
145 int
146 tls_config_set_error(struct tls_config *config, const char *fmt, ...)
147 {
148 va_list ap;
149 int errnum, rv;
150
151 errnum = errno;
152
153 va_start(ap, fmt);
154 rv = tls_error_vset(&config->error, errnum, fmt, ap);
155 va_end(ap);
156
157 return (rv);
158 }
159
160 int
161 tls_config_set_errorx(struct tls_config *config, const char *fmt, ...)
162 {
163 va_list ap;
164 int rv;
165
166 va_start(ap, fmt);
167 rv = tls_error_vset(&config->error, -1, fmt, ap);
168 va_end(ap);
169
170 return (rv);
171 }
172
173 int
174 tls_set_error(struct tls *ctx, const char *fmt, ...)
175 {
176 va_list ap;
177 int errnum, rv;
178
179 errnum = errno;
180
181 va_start(ap, fmt);
182 rv = tls_error_vset(&ctx->error, errnum, fmt, ap);
183 va_end(ap);
184
185 return (rv);
186 }
187
188 int
189 tls_set_errorx(struct tls *ctx, const char *fmt, ...)
190 {
191 va_list ap;
192 int rv;
193
194 va_start(ap, fmt);
195 rv = tls_error_vset(&ctx->error, -1, fmt, ap);
196 va_end(ap);
197
198 return (rv);
199 }
200
201 int
202 tls_set_ssl_errorx(struct tls *ctx, const char *fmt, ...)
203 {
204 va_list ap;
205 int rv;
206
207 /* Only set an error if a more specific one does not already exist. */
208 if (ctx->error.tls != 0)
209 return (0);
210
211 va_start(ap, fmt);
212 rv = tls_error_vset(&ctx->error, -1, fmt, ap);
213 va_end(ap);
214
215 return (rv);
216 }
217
218 struct tls_sni_ctx *
219 tls_sni_ctx_new(void)
220 {
221 return (calloc(1, sizeof(struct tls_sni_ctx)));
222 }
223
224 void
225 tls_sni_ctx_free(struct tls_sni_ctx *sni_ctx)
226 {
227 if (sni_ctx == NULL)
228 return;
229
230 SSL_CTX_free(sni_ctx->ssl_ctx);
231 X509_free(sni_ctx->ssl_cert);
232
233 free(sni_ctx);
234 }
235
236 struct tls *
237 tls_new(void)
238 {
239 struct tls *ctx;
240
241 if ((ctx = calloc(1, sizeof(*ctx))) == NULL)
242 return (NULL);
243
244 tls_reset(ctx);
245
246 if (tls_configure(ctx, tls_config_default) == -1) {
247 free(ctx);
248 return NULL;
249 }
250
251 return (ctx);
252 }
253
254 int
255 tls_configure(struct tls *ctx, struct tls_config *config)
256 {
257 if (config == NULL)
258 config = tls_config_default;
259
260 config->refcount++;
261
262 tls_config_free(ctx->config);
263
264 ctx->config = config;
265 ctx->keypair = config->keypair;
266
267 if ((ctx->flags & TLS_SERVER) != 0)
268 return (tls_configure_server(ctx));
269
270 return (0);
271 }
272
273 int
274 tls_cert_hash(X509 *cert, char **hash)
275 {
276 char d[EVP_MAX_MD_SIZE], *dhex = NULL;
277 int dlen, rv = -1;
278
279 free(*hash);
280 *hash = NULL;
281
282 if (X509_digest(cert, EVP_sha256(), d, &dlen) != 1)
283 goto err;
284
285 if (tls_hex_string(d, dlen, &dhex, NULL) != 0)
286 goto err;
287
288 if (asprintf(hash, "SHA256:%s", dhex) == -1) {
289 *hash = NULL;
290 goto err;
291 }
292
293 rv = 0;
294 err:
295 free(dhex);
296
297 return (rv);
298 }
299
300 int
301 tls_cert_pubkey_hash(X509 *cert, char **hash)
302 {
303 char d[EVP_MAX_MD_SIZE], *dhex = NULL;
304 int dlen, rv = -1;
305
306 free(*hash);
307 *hash = NULL;
308
309 if (X509_pubkey_digest(cert, EVP_sha256(), d, &dlen) != 1)
310 goto err;
311
312 if (tls_hex_string(d, dlen, &dhex, NULL) != 0)
313 goto err;
314
315 if (asprintf(hash, "SHA256:%s", dhex) == -1) {
316 *hash = NULL;
317 goto err;
318 }
319
320 rv = 0;
321
322 err:
323 free(dhex);
324
325 return (rv);
326 }
327
328 int
329 tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx,
330 struct tls_keypair *keypair, int required)
331 {
332 EVP_PKEY *pkey = NULL;
333 BIO *bio = NULL;
334
335 if (!required &&
336 keypair->cert_mem == NULL &&
337 keypair->key_mem == NULL)
338 return(0);
339
340 if (keypair->cert_mem != NULL) {
341 if (keypair->cert_len > INT_MAX) {
342 tls_set_errorx(ctx, "certificate too long");
343 goto err;
344 }
345
346 if (SSL_CTX_use_certificate_chain_mem(ssl_ctx,
347 keypair->cert_mem, keypair->cert_len) != 1) {
348 tls_set_errorx(ctx, "failed to load certificate");
349 goto err;
350 }
351 }
352
353 if (keypair->key_mem != NULL) {
354 if (keypair->key_len > INT_MAX) {
355 tls_set_errorx(ctx, "key too long");
356 goto err;
357 }
358
359 if ((bio = BIO_new_mem_buf(keypair->key_mem,
360 keypair->key_len)) == NULL) {
361 tls_set_errorx(ctx, "failed to create buffer");
362 goto err;
363 }
364 if ((pkey = PEM_read_bio_PrivateKey(bio, NULL, tls_password_cb,
365 NULL)) == NULL) {
366 tls_set_errorx(ctx, "failed to read private key");
367 goto err;
368 }
369
370 if (keypair->pubkey_hash != NULL) {
371 RSA *rsa;
372 /* XXX only RSA for now for relayd privsep */
373 if ((rsa = EVP_PKEY_get1_RSA(pkey)) != NULL) {
374 RSA_set_ex_data(rsa, 0, keypair->pubkey_hash);
375 RSA_free(rsa);
376 }
377 }
378
379 if (SSL_CTX_use_PrivateKey(ssl_ctx, pkey) != 1) {
380 tls_set_errorx(ctx, "failed to load private key");
381 goto err;
382 }
383 BIO_free(bio);
384 bio = NULL;
385 EVP_PKEY_free(pkey);
386 pkey = NULL;
387 }
388
389 if (!ctx->config->skip_private_key_check &&
390 SSL_CTX_check_private_key(ssl_ctx) != 1) {
391 tls_set_errorx(ctx, "private/public key mismatch");
392 goto err;
393 }
394
395 return (0);
396
397 err:
398 EVP_PKEY_free(pkey);
399 BIO_free(bio);
400
401 return (1);
402 }
403
404 int
405 tls_configure_ssl(struct tls *ctx, SSL_CTX *ssl_ctx)
406 {
407 SSL_CTX_set_mode(ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
408 SSL_CTX_set_mode(ssl_ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
409
410 SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2);
411 SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv3);
412
413 SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1);
414 SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1_1);
415 SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1_2);
416
417 if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_0) == 0)
418 SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1);
419 if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_1) == 0)
420 SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_1);
421 if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_2) == 0)
422 SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_2);
423
424 if (ctx->config->alpn != NULL) {
425 if (SSL_CTX_set_alpn_protos(ssl_ctx, ctx->config->alpn,
426 ctx->config->alpn_len) != 0) {
427 tls_set_errorx(ctx, "failed to set alpn");
428 goto err;
429 }
430 }
431
432 if (ctx->config->ciphers != NULL) {
433 if (SSL_CTX_set_cipher_list(ssl_ctx,
434 ctx->config->ciphers) != 1) {
435 tls_set_errorx(ctx, "failed to set ciphers");
436 goto err;
437 }
438 }
439
440 if (ctx->config->verify_time == 0) {
441 X509_VERIFY_PARAM_set_flags(ssl_ctx->param,
442 X509_V_FLAG_NO_CHECK_TIME);
443 }
444
445 /* Disable any form of session caching by default */
446 SSL_CTX_set_session_cache_mode(ssl_ctx, SSL_SESS_CACHE_OFF);
447 SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TICKET);
448
449 return (0);
450
451 err:
452 return (-1);
453 }
454
455 static int
456 tls_ssl_cert_verify_cb(X509_STORE_CTX *x509_ctx, void *arg)
457 {
458 struct tls *ctx = arg;
459 int x509_err;
460
461 if (ctx->config->verify_cert == 0)
462 return (1);
463
464 if ((X509_verify_cert(x509_ctx)) < 0) {
465 tls_set_errorx(ctx, "X509 verify cert failed");
466 return (0);
467 }
468
469 x509_err = X509_STORE_CTX_get_error(x509_ctx);
470 if (x509_err == X509_V_OK)
471 return (1);
472
473 tls_set_errorx(ctx, "certificate verification failed: %s",
474 X509_verify_cert_error_string(x509_err));
475
476 return (0);
477 }
478
479 int
480 tls_configure_ssl_verify(struct tls *ctx, SSL_CTX *ssl_ctx, int verify)
481 {
482 size_t ca_len = ctx->config->ca_len;
483 char *ca_mem = ctx->config->ca_mem;
484 char *crl_mem = ctx->config->crl_mem;
485 size_t crl_len = ctx->config->crl_len;
486 char *ca_free = NULL;
487 STACK_OF(X509_INFO) *xis = NULL;
488 X509_STORE *store;
489 X509_INFO *xi;
490 BIO *bio = NULL;
491 int rv = -1;
492 int i;
493
494 SSL_CTX_set_verify(ssl_ctx, verify, NULL);
495 SSL_CTX_set_cert_verify_callback(ssl_ctx, tls_ssl_cert_verify_cb, ctx);
496
497 if (ctx->config->verify_depth >= 0)
498 SSL_CTX_set_verify_depth(ssl_ctx, ctx->config->verify_depth);
499
500 if (ctx->config->verify_cert == 0)
501 goto done;
502
503 /* If no CA has been specified, attempt to load the default. */
504 if (ctx->config->ca_mem == NULL && ctx->config->ca_path == NULL) {
505 if (tls_config_load_file(&ctx->error, "CA", _PATH_SSL_CA_FILE,
506 &ca_mem, &ca_len) != 0)
507 goto err;
508 ca_free = ca_mem;
509 }
510
511 if (ca_mem != NULL) {
512 if (ca_len > INT_MAX) {
513 tls_set_errorx(ctx, "ca too long");
514 goto err;
515 }
516 if (SSL_CTX_load_verify_mem(ssl_ctx, ca_mem, ca_len) != 1) {
517 tls_set_errorx(ctx, "ssl verify memory setup failure");
518 goto err;
519 }
520 } else if (SSL_CTX_load_verify_locations(ssl_ctx, NULL,
521 ctx->config->ca_path) != 1) {
522 tls_set_errorx(ctx, "ssl verify locations failure");
523 goto err;
524 }
525
526 if (crl_mem != NULL) {
527 if (crl_len > INT_MAX) {
528 tls_set_errorx(ctx, "crl too long");
529 goto err;
530 }
531 if ((bio = BIO_new_mem_buf(crl_mem, crl_len)) == NULL) {
532 tls_set_errorx(ctx, "failed to create buffer");
533 goto err;
534 }
535 if ((xis = PEM_X509_INFO_read_bio(bio, NULL, tls_password_cb,
536 NULL)) == NULL) {
537 tls_set_errorx(ctx, "failed to parse crl");
538 goto err;
539 }
540 store = SSL_CTX_get_cert_store(ssl_ctx);
541 for (i = 0; i < sk_X509_INFO_num(xis); i++) {
542 xi = sk_X509_INFO_value(xis, i);
543 if (xi->crl == NULL)
544 continue;
545 if (!X509_STORE_add_crl(store, xi->crl)) {
546 tls_set_error(ctx, "failed to add crl");
547 goto err;
548 }
549 xi->crl = NULL;
550 }
551 X509_VERIFY_PARAM_set_flags(store->param,
552 X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
553 }
554
555 done:
556 rv = 0;
557
558 err:
559 sk_X509_INFO_pop_free(xis, X509_INFO_free);
560 BIO_free(bio);
561 free(ca_free);
562
563 return (rv);
564 }
565
566 void
567 tls_free(struct tls *ctx)
568 {
569 if (ctx == NULL)
570 return;
571
572 tls_reset(ctx);
573
574 free(ctx);
575 }
576
577 void
578 tls_reset(struct tls *ctx)
579 {
580 struct tls_sni_ctx *sni, *nsni;
581
582 tls_config_free(ctx->config);
583 ctx->config = NULL;
584
585 SSL_CTX_free(ctx->ssl_ctx);
586 SSL_free(ctx->ssl_conn);
587 X509_free(ctx->ssl_peer_cert);
588
589 ctx->ssl_conn = NULL;
590 ctx->ssl_ctx = NULL;
591 ctx->ssl_peer_cert = NULL;
592 /* X509 objects in chain are freed with the SSL */
593 ctx->ssl_peer_chain = NULL;
594
595 ctx->socket = -1;
596 ctx->state = 0;
597
598 free(ctx->servername);
599 ctx->servername = NULL;
600
601 free(ctx->error.msg);
602 ctx->error.msg = NULL;
603 ctx->error.num = -1;
604
605 tls_conninfo_free(ctx->conninfo);
606 ctx->conninfo = NULL;
607
608 tls_ocsp_free(ctx->ocsp);
609 ctx->ocsp = NULL;
610
611 for (sni = ctx->sni_ctx; sni != NULL; sni = nsni) {
612 nsni = sni->next;
613 tls_sni_ctx_free(sni);
614 }
615 ctx->sni_ctx = NULL;
616
617 ctx->read_cb = NULL;
618 ctx->write_cb = NULL;
619 ctx->cb_arg = NULL;
620 }
621
622 int
623 tls_ssl_error(struct tls *ctx, SSL *ssl_conn, int ssl_ret, const char *prefix)
624 {
625 const char *errstr = "unknown error";
626 unsigned long err;
627 int ssl_err;
628
629 ssl_err = SSL_get_error(ssl_conn, ssl_ret);
630 switch (ssl_err) {
631 case SSL_ERROR_NONE:
632 case SSL_ERROR_ZERO_RETURN:
633 return (0);
634
635 case SSL_ERROR_WANT_READ:
636 return (TLS_WANT_POLLIN);
637
638 case SSL_ERROR_WANT_WRITE:
639 return (TLS_WANT_POLLOUT);
640
641 case SSL_ERROR_SYSCALL:
642 if ((err = ERR_peek_error()) != 0) {
643 errstr = ERR_error_string(err, NULL);
644 } else if (ssl_ret == 0) {
645 if ((ctx->state & TLS_HANDSHAKE_COMPLETE) != 0) {
646 ctx->state |= TLS_EOF_NO_CLOSE_NOTIFY;
647 return (0);
648 }
649 errstr = "unexpected EOF";
650 } else if (ssl_ret == -1) {
651 errstr = strerror(errno);
652 }
653 tls_set_ssl_errorx(ctx, "%s failed: %s", prefix, errstr);
654 return (-1);
655
656 case SSL_ERROR_SSL:
657 if ((err = ERR_peek_error()) != 0) {
658 errstr = ERR_error_string(err, NULL);
659 }
660 tls_set_ssl_errorx(ctx, "%s failed: %s", prefix, errstr);
661 return (-1);
662
663 case SSL_ERROR_WANT_CONNECT:
664 case SSL_ERROR_WANT_ACCEPT:
665 case SSL_ERROR_WANT_X509_LOOKUP:
666 default:
667 tls_set_ssl_errorx(ctx, "%s failed (%i)", prefix, ssl_err);
668 return (-1);
669 }
670 }
671
672 int
673 tls_handshake(struct tls *ctx)
674 {
675 int rv = -1;
676
677 tls_error_clear(&ctx->error);
678
679 if ((ctx->flags & (TLS_CLIENT | TLS_SERVER_CONN)) == 0) {
680 tls_set_errorx(ctx, "invalid operation for context");
681 goto out;
682 }
683
684 if ((ctx->state & TLS_HANDSHAKE_COMPLETE) != 0) {
685 tls_set_errorx(ctx, "handshake already completed");
686 goto out;
687 }
688
689 if ((ctx->flags & TLS_CLIENT) != 0)
690 rv = tls_handshake_client(ctx);
691 else if ((ctx->flags & TLS_SERVER_CONN) != 0)
692 rv = tls_handshake_server(ctx);
693
694 if (rv == 0) {
695 ctx->ssl_peer_cert = SSL_get_peer_certificate(ctx->ssl_conn);
696 ctx->ssl_peer_chain = SSL_get_peer_cert_chain(ctx->ssl_conn);
697 if (tls_conninfo_populate(ctx) == -1)
698 rv = -1;
699 if (ctx->ocsp == NULL)
700 ctx->ocsp = tls_ocsp_setup_from_peer(ctx);
701 }
702 out:
703 /* Prevent callers from performing incorrect error handling */
704 errno = 0;
705 return (rv);
706 }
707
708 ssize_t
709 tls_read(struct tls *ctx, void *buf, size_t buflen)
710 {
711 ssize_t rv = -1;
712 int ssl_ret;
713
714 tls_error_clear(&ctx->error);
715
716 if ((ctx->state & TLS_HANDSHAKE_COMPLETE) == 0) {
717 if ((rv = tls_handshake(ctx)) != 0)
718 goto out;
719 }
720
721 if (buflen > INT_MAX) {
722 tls_set_errorx(ctx, "buflen too long");
723 goto out;
724 }
725
726 ERR_clear_error();
727 if ((ssl_ret = SSL_read(ctx->ssl_conn, buf, buflen)) > 0) {
728 rv = (ssize_t)ssl_ret;
729 goto out;
730 }
731 rv = (ssize_t)tls_ssl_error(ctx, ctx->ssl_conn, ssl_ret, "read");
732
733 out:
734 /* Prevent callers from performing incorrect error handling */
735 errno = 0;
736 return (rv);
737 }
738
739 ssize_t
740 tls_write(struct tls *ctx, const void *buf, size_t buflen)
741 {
742 ssize_t rv = -1;
743 int ssl_ret;
744
745 tls_error_clear(&ctx->error);
746
747 if ((ctx->state & TLS_HANDSHAKE_COMPLETE) == 0) {
748 if ((rv = tls_handshake(ctx)) != 0)
749 goto out;
750 }
751
752 if (buflen > INT_MAX) {
753 tls_set_errorx(ctx, "buflen too long");
754 goto out;
755 }
756
757 ERR_clear_error();
758 if ((ssl_ret = SSL_write(ctx->ssl_conn, buf, buflen)) > 0) {
759 rv = (ssize_t)ssl_ret;
760 goto out;
761 }
762 rv = (ssize_t)tls_ssl_error(ctx, ctx->ssl_conn, ssl_ret, "write");
763
764 out:
765 /* Prevent callers from performing incorrect error handling */
766 errno = 0;
767 return (rv);
768 }
769
770 int
771 tls_close(struct tls *ctx)
772 {
773 int ssl_ret;
774 int rv = 0;
775
776 tls_error_clear(&ctx->error);
777
778 if ((ctx->flags & (TLS_CLIENT | TLS_SERVER_CONN)) == 0) {
779 tls_set_errorx(ctx, "invalid operation for context");
780 rv = -1;
781 goto out;
782 }
783
784 if (ctx->state & TLS_SSL_NEEDS_SHUTDOWN) {
785 ERR_clear_error();
786 ssl_ret = SSL_shutdown(ctx->ssl_conn);
787 if (ssl_ret < 0) {
788 rv = tls_ssl_error(ctx, ctx->ssl_conn, ssl_ret,
789 "shutdown");
790 if (rv == TLS_WANT_POLLIN || rv == TLS_WANT_POLLOUT)
791 goto out;
792 }
793 ctx->state &= ~TLS_SSL_NEEDS_SHUTDOWN;
794 }
795
796 if (ctx->socket != -1) {
797 if (shutdown(ctx->socket, SHUT_RDWR) != 0) {
798 if (rv == 0 &&
799 errno != ENOTCONN && errno != ECONNRESET) {
800 tls_set_error(ctx, "shutdown");
801 rv = -1;
802 }
803 }
804 if (close(ctx->socket) != 0) {
805 if (rv == 0) {
806 tls_set_error(ctx, "close");
807 rv = -1;
808 }
809 }
810 ctx->socket = -1;
811 }
812
813 if ((ctx->state & TLS_EOF_NO_CLOSE_NOTIFY) != 0) {
814 tls_set_errorx(ctx, "EOF without close notify");
815 rv = -1;
816 }
817
818 out:
819 /* Prevent callers from performing incorrect error handling */
820 errno = 0;
821 return (rv);
822 }
Unleashed OS