Fix bug with ssl_close_notify and non-blocking I/O

2014-08-19 16:14:04 +02:00 · 2014-08-19 16:14:04 +02:00 · a13500fdf7
--- a/2
+++ b/2
@ -14,6 +14,8 @@ Bugfix
     renegotation was pending, and on client when a HelloRequest was received.
   * Server-initiated renegotiation would fail with non-blocking I/O if the
     write callback returned WANT_WRITE when requesting renegotiation.
+   * ssl_close_notify() could send more than one message in some circumstances
+     with non-blocking I/O.

 Changes
   * Ciphersuites using SHA-256 or SHA-384 now require TLS 1.x (there is no
--- a/library/ssl_tls.c
+++ b/library/ssl_tls.c
@ -4501,11 +4501,8 @@ int ssl_close_notify( ssl_context *ssl )

    SSL_DEBUG_MSG( 2, ( "=> write close notify" ) );

-    if( ( ret = ssl_flush_output( ssl ) ) != 0 )
-    {
-        SSL_DEBUG_RET( 1, "ssl_flush_output", ret );
-        return( ret );
-    }
+    if( ssl->out_left != 0 )
+        return( ssl_flush_output( ssl ) );

    if( ssl->state == SSL_HANDSHAKE_OVER )
    {
@ -4513,13 +4510,14 @@ int ssl_close_notify( ssl_context *ssl )
                        SSL_ALERT_LEVEL_WARNING,
                        SSL_ALERT_MSG_CLOSE_NOTIFY ) ) != 0 )
        {
+            SSL_DEBUG_RET( 1, "ssl_send_alert_message", ret );
            return( ret );
        }
    }

    SSL_DEBUG_MSG( 2, ( "<= write close notify" ) );

-    return( ret );
+    return( 0 );
 }

 void ssl_transform_free( ssl_transform *transform )