From ebdc0278bd38036b6f3a440ae378b750417dfff5 Mon Sep 17 00:00:00 2001
From: tb
Date: Tue, 25 Jan 2022 15:00:09 +0000
Subject: [PATCH] Fix another return 0 bug in SSL_shutdown()

If tls13_recod_layer_send_pending() returns TLS13_IO_EOF, we will bubble this up to the caller via tls13_legacy_return_code(), which translates TLS13_IO_EOF to 0. This can happen if we have pending post handshake-handshake data and the peer closes the pipe.

Presumably tls13_legacy_shutdown() should be rewritten yet again.

ok jsing
---
 lib/libssl/tls13_legacy.c | 14 ++++++++------
 1 file changed, 8 insertions(+), 6 deletions(-)

diff --git a/lib/libssl/tls13_legacy.c b/lib/libssl/tls13_legacy.c
index 7327311c7b7..a62e936ccb5 100644
--- a/lib/libssl/tls13_legacy.c
+++ b/lib/libssl/tls13_legacy.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: tls13_legacy.c,v 1.34 2022/01/25 14:51:54 tb Exp $ */
+/* $OpenBSD: tls13_legacy.c,v 1.35 2022/01/25 15:00:09 tb Exp $ */
 /*
  * Copyright (c) 2018, 2019 Joel Sing
  *
@@ -483,9 +483,9 @@ tls13_legacy_shutdown(SSL *ssl)
 	ssize_t ret;
 
 	/*
-	 * We need to return 0 when we have sent a close-notify but have not
-	 * yet received one. We return 1 only once we have sent and received
-	 * close-notify alerts. All other cases return -1 and set internal
+	 * We need to return 0 at the point that we have completed sending a
+	 * close-notify. We return 1 when we have sent and received close-notify
+	 * alerts. All other cases, including EOF, return -1 and set internal
 	 * state appropriately.
 	 */
 	if (ctx == NULL || ssl->internal->quiet_shutdown) {
@@ -501,8 +501,10 @@ tls13_legacy_shutdown(SSL *ssl)
 		    TLS13_ALERT_CLOSE_NOTIFY)) < 0)
 			return tls13_legacy_return_code(ssl, ret);
 	}
-	if ((ret = tls13_record_layer_send_pending(ctx->rl)) !=
-	    TLS13_IO_SUCCESS)
+	ret = tls13_record_layer_send_pending(ctx->rl);
+	if (ret == TLS13_IO_EOF)
+		return -1;
+	if (ret != TLS13_IO_SUCCESS)
 		return tls13_legacy_return_code(ssl, ret);
 	} else if (!ctx->close_notify_recv) {
 		/*
-- 
2.20.1
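Review bot: The new `return -1` on TLS13_IO_EOF after tls13_record_layer_send_pending() bypasses tls13_legacy_return_code(), so unlike every other -1 return in this function nothing records why the shutdown failed; the commit message says that helper is what maps TLS13_IO_EOF to 0, and presumably it is also where the read/write state is reset and an error is queued, so a caller's SSL_get_error() after this -1 may report stale want-read/want-write state instead of an EOF condition — worth confirming before relying on the new code path. The rewritten comment in the preceding hunk promises that all other cases, including EOF, "set internal state appropriately", which this early return does not visibly do. At minimum a why-comment on the branch, `/* EOF: peer closed before pending data was flushed; fail rather than report 0 */`, would keep the code and the comment consistent. tls13_legacy_shutdown() starts and ends outside this hunk, so the remaining close_notify_recv branch could not be checked for the same pattern.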