authorjsing <jsing@openbsd.org>2015-04-02 13:19:15 +0000
committerjsing <jsing@openbsd.org>2015-04-02 13:19:15 +0000
commitd29228b90d80b7d90f1f0e4f378a4c63f0ba1e79 (patch)
tree4f98a3ab73dde2c331c2fa6f38be801f04ebc1e3
parentNo need for the umask() dance now that temp files are created (diff)
Handle the case where multiple calls to SSL_shutdown() are required to
close the connection. Also correctly handle the error on failure. Diff from cookieandscream via github.
-rw-r--r--lib/libtls/tls.c15
-rw-r--r--lib/libtls/tls_init.37
2 files changed, 14 insertions, 8 deletions
diff --git a/lib/libtls/tls.c b/lib/libtls/tls.c
index b7b6570ff96..d942c35fecf 100644
--- a/lib/libtls/tls.c
+++ b/lib/libtls/tls.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls.c,v 1.8 2015/03/31 12:21:27 jsing Exp $ */
+/* $OpenBSD: tls.c,v 1.9 2015/04/02 13:19:15 jsing Exp $ */
/*
* Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
*
@@ -326,12 +326,15 @@ tls_write(struct tls *ctx, const void *buf, size_t buflen, size_t *outlen)
int
tls_close(struct tls *ctx)
{
- /* XXX - handle case where multiple calls are required. */
+ int ssl_ret;
+
if (ctx->ssl_conn != NULL) {
- if (SSL_shutdown(ctx->ssl_conn) == -1) {
- tls_set_error(ctx, "SSL shutdown failed");
- goto err;
- }
+ ssl_ret = SSL_shutdown(ctx->ssl_conn);
+ if (ssl_ret == 0)
+ ssl_ret = SSL_shutdown(ctx->ssl_conn);
+ if (ssl_ret < 0)
+ return tls_ssl_error(ctx, ctx->ssl_conn, ssl_ret,
+ "shutdown");
}
if (ctx->socket != -1) {
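Review bot: The immediate second SSL_shutdown() on L42 is where the peer gets control over how long tls_close() runs: once the first call has sent our close_notify and returned 0, the second call waits for the peer's close_notify, so on a blocking socket a peer that never sends one can stall the caller indefinitely, and on a non-blocking socket it returns -1 with a want-read condition that tls_ssl_error() presumably turns into the "repeat the call" status the manual now documents (tls_ssl_error is not visible here, so that mapping is inferred). Callers that need a bounded shutdown should use a non-blocking socket with their own deadline, or be content with the one-sided close the first call already achieves; a comment making this explicit would help, e.g. `/* Second call waits for the peer's close_notify; on a blocking socket this can block until the peer responds. */` above L41. Note also that the early return on L44 leaves ctx->socket open, so on a hard error the descriptor is only released if the caller comes back through tls_close() or closes it itself; the remainder of tls_close(), including the socket close and any error label, lies outside this hunk.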
diff --git a/lib/libtls/tls_init.3 b/lib/libtls/tls_init.3
index 8df1d204ffd..1ec8865075d 100644
--- a/lib/libtls/tls_init.3
+++ b/lib/libtls/tls_init.3
@@ -1,4 +1,4 @@
-.\" $OpenBSD: tls_init.3,v 1.21 2015/04/02 05:54:22 jsing Exp $
+.\" $OpenBSD: tls_init.3,v 1.22 2015/04/02 13:19:15 jsing Exp $
.\"
.\" Copyright (c) 2014 Ted Unangst <tedu@openbsd.org>
.\"
@@ -407,6 +407,7 @@ will return 0 on success and -1 on error.
Functions that return a pointer will return NULL on error.
.Pp
The
+.Fn tls_close ,
.Fn tls_read
and
.Fn tls_write
@@ -424,8 +425,10 @@ A write operation is necessary to continue.
.El
.Pp
The caller should call the appropriate function, or in the case of the
+.Fn tls_close
+and the
.Fn tls_accept
-or
+and
.Fn tls_connect
function families, repeat the call.
.Sh ERRORS