op public repos

Blob

Date:: Wed Aug 23 17:38:49 2023 UTC
Message:: bundle libtls gmid (like all other daemons that want to do privsep crypto) has a very close relationship with libtls and need to stay in sync with it. OpenBSD' libtls was recently changed to use OpenSSL' EC_KEY_METHOD instead of the older ECDSA_METHOD, on the gmid side we have to do the same otherwise failures happens at runtime. In a similar manner, privsep crypto is silently broken in the current libretls (next version should fix it.) The proper solution would be to complete the signer APIs so that applications don't need to dive into the library' internals, but that's a mid-term goal, for the immediate bundling the 'little' libtls is the lesser evil. The configure script has gained a new (undocumented for the time being) flag `--with-libtls=bundled|system' to control which libtls to use. It defaults to `bundled' except for OpenBSD where it uses the `system' one. Note that OpenBSD versions before 7.3 (inclusive) ought to use --with-libtls=bundled too since they still do ECDSA_METHOD.
Actions:: History | Blame | Raw File
1 /* $OpenBSD: tls.c,v 1.97 2023/06/18 11:43:03 op Exp $ */
2 /*
3  * Copyright (c) 2014 Joel Sing <jsing@openbsd.org>
4  *
5  * Permission to use, copy, modify, and distribute this software for any
6  * purpose with or without fee is hereby granted, provided that the above
7  * copyright notice and this permission notice appear in all copies.
8  *
9  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
10  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
11  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
12  * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
13  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
14  * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
15  * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
16  */
17 
18 #include "config.h"
19 
20 #include <sys/socket.h>
21 
22 #include <errno.h>
23 #include <limits.h>
24 #include <stdlib.h>
25 #include <string.h>
26 #include <unistd.h>
27 
28 #include <openssl/bio.h>
29 #include <openssl/err.h>
30 #include <openssl/evp.h>
31 #include <openssl/pem.h>
32 #include <openssl/safestack.h>
33 #include <openssl/ssl.h>
34 #include <openssl/x509.h>
35 
36 #include <tls.h>
37 #include "tls_internal.h"
38 
39 static struct tls_config *tls_config_default;
40 
41 static int tls_init_rv = -1;
42 
43 static void
44 tls_do_init(void)
45 {
46 	OPENSSL_init_ssl(OPENSSL_INIT_NO_LOAD_CONFIG, NULL);
47 
48 	if (BIO_sock_init() != 1)
49 		return;
50 
51 	if ((tls_config_default = tls_config_new_internal()) == NULL)
52 		return;
53 
54 	tls_config_default->refcount++;
55 
56 	tls_init_rv = 0;
57 }
58 
59 int
60 tls_init(void)
61 {
62 	if (tls_init_rv == -1)
63 		tls_do_init();
64 	return tls_init_rv;
65 }
66 
67 const char *
68 tls_error(struct tls *ctx)
69 {
70 	return ctx->error.msg;
71 }
72 
73 void
74 tls_error_clear(struct tls_error *error)
75 {
76 	free(error->msg);
77 	error->msg = NULL;
78 	error->num = 0;
79 	error->tls = 0;
80 }
81 
82 static int
83 tls_error_vset(struct tls_error *error, int errnum, const char *fmt, va_list ap)
84 {
85 	char *errmsg = NULL;
86 	int rv = -1;
87 
88 	tls_error_clear(error);
89 
90 	error->num = errnum;
91 	error->tls = 1;
92 
93 	if (vasprintf(&errmsg, fmt, ap) == -1) {
94 		errmsg = NULL;
95 		goto err;
96 	}
97 
98 	if (errnum == -1) {
99 		error->msg = errmsg;
100 		return (0);
101 	}
102 
103 	if (asprintf(&error->msg, "%s: %s", errmsg, strerror(errnum)) == -1) {
104 		error->msg = NULL;
105 		goto err;
106 	}
107 	rv = 0;
108 
109  err:
110 	free(errmsg);
111 
112 	return (rv);
113 }
114 
115 int
116 tls_error_set(struct tls_error *error, const char *fmt, ...)
117 {
118 	va_list ap;
119 	int errnum, rv;
120 
121 	errnum = errno;
122 
123 	va_start(ap, fmt);
124 	rv = tls_error_vset(error, errnum, fmt, ap);
125 	va_end(ap);
126 
127 	return (rv);
128 }
129 
130 int
131 tls_error_setx(struct tls_error *error, const char *fmt, ...)
132 {
133 	va_list ap;
134 	int rv;
135 
136 	va_start(ap, fmt);
137 	rv = tls_error_vset(error, -1, fmt, ap);
138 	va_end(ap);
139 
140 	return (rv);
141 }
142 
143 int
144 tls_config_set_error(struct tls_config *config, const char *fmt, ...)
145 {
146 	va_list ap;
147 	int errnum, rv;
148 
149 	errnum = errno;
150 
151 	va_start(ap, fmt);
152 	rv = tls_error_vset(&config->error, errnum, fmt, ap);
153 	va_end(ap);
154 
155 	return (rv);
156 }
157 
158 int
159 tls_config_set_errorx(struct tls_config *config, const char *fmt, ...)
160 {
161 	va_list ap;
162 	int rv;
163 
164 	va_start(ap, fmt);
165 	rv = tls_error_vset(&config->error, -1, fmt, ap);
166 	va_end(ap);
167 
168 	return (rv);
169 }
170 
171 int
172 tls_set_error(struct tls *ctx, const char *fmt, ...)
173 {
174 	va_list ap;
175 	int errnum, rv;
176 
177 	errnum = errno;
178 
179 	va_start(ap, fmt);
180 	rv = tls_error_vset(&ctx->error, errnum, fmt, ap);
181 	va_end(ap);
182 
183 	return (rv);
184 }
185 
186 int
187 tls_set_errorx(struct tls *ctx, const char *fmt, ...)
188 {
189 	va_list ap;
190 	int rv;
191 
192 	va_start(ap, fmt);
193 	rv = tls_error_vset(&ctx->error, -1, fmt, ap);
194 	va_end(ap);
195 
196 	return (rv);
197 }
198 
199 int
200 tls_set_ssl_errorx(struct tls *ctx, const char *fmt, ...)
201 {
202 	va_list ap;
203 	int rv;
204 
205 	/* Only set an error if a more specific one does not already exist. */
206 	if (ctx->error.tls != 0)
207 		return (0);
208 
209 	va_start(ap, fmt);
210 	rv = tls_error_vset(&ctx->error, -1, fmt, ap);
211 	va_end(ap);
212 
213 	return (rv);
214 }
215 
216 struct tls_sni_ctx *
217 tls_sni_ctx_new(void)
218 {
219 	return (calloc(1, sizeof(struct tls_sni_ctx)));
220 }
221 
222 void
223 tls_sni_ctx_free(struct tls_sni_ctx *sni_ctx)
224 {
225 	if (sni_ctx == NULL)
226 		return;
227 
228 	SSL_CTX_free(sni_ctx->ssl_ctx);
229 	X509_free(sni_ctx->ssl_cert);
230 
231 	free(sni_ctx);
232 }
233 
234 struct tls *
235 tls_new(void)
236 {
237 	struct tls *ctx;
238 
239 	if ((ctx = calloc(1, sizeof(*ctx))) == NULL)
240 		return (NULL);
241 
242 	tls_reset(ctx);
243 
244 	if (tls_configure(ctx, tls_config_default) == -1) {
245 		free(ctx);
246 		return NULL;
247 	}
248 
249 	return (ctx);
250 }
251 
252 int
253 tls_configure(struct tls *ctx, struct tls_config *config)
254 {
255 	if (config == NULL)
256 		config = tls_config_default;
257 
258 	config->refcount++;
259 
260 	tls_config_free(ctx->config);
261 
262 	ctx->config = config;
263 	ctx->keypair = config->keypair;
264 
265 	if ((ctx->flags & TLS_SERVER) != 0)
266 		return (tls_configure_server(ctx));
267 
268 	return (0);
269 }
270 
271 int
272 tls_cert_hash(X509 *cert, char **hash)
273 {
274 	char d[EVP_MAX_MD_SIZE], *dhex = NULL;
275 	int dlen, rv = -1;
276 
277 	free(*hash);
278 	*hash = NULL;
279 
280 	if (X509_digest(cert, EVP_sha256(), d, &dlen) != 1)
281 		goto err;
282 
283 	if (tls_hex_string(d, dlen, &dhex, NULL) != 0)
284 		goto err;
285 
286 	if (asprintf(hash, "SHA256:%s", dhex) == -1) {
287 		*hash = NULL;
288 		goto err;
289 	}
290 
291 	rv = 0;
292  err:
293 	free(dhex);
294 
295 	return (rv);
296 }
297 
298 int
299 tls_cert_pubkey_hash(X509 *cert, char **hash)
300 {
301 	char d[EVP_MAX_MD_SIZE], *dhex = NULL;
302 	int dlen, rv = -1;
303 
304 	free(*hash);
305 	*hash = NULL;
306 
307 	if (X509_pubkey_digest(cert, EVP_sha256(), d, &dlen) != 1)
308 		goto err;
309 
310 	if (tls_hex_string(d, dlen, &dhex, NULL) != 0)
311 		goto err;
312 
313 	if (asprintf(hash, "SHA256:%s", dhex) == -1) {
314 		*hash = NULL;
315 		goto err;
316 	}
317 
318 	rv = 0;
319 
320  err:
321 	free(dhex);
322 
323 	return (rv);
324 }
325 
326 static int
327 tls_keypair_to_pkey(struct tls *ctx, struct tls_keypair *keypair, EVP_PKEY **pkey)
328 {
329 	BIO *bio = NULL;
330 	X509 *x509 = NULL;
331 	char *mem;
332 	size_t len;
333 	int ret = -1;
334 
335 	*pkey = NULL;
336 
337 	if (ctx->config->use_fake_private_key) {
338 		mem = keypair->cert_mem;
339 		len = keypair->cert_len;
340 	} else {
341 		mem = keypair->key_mem;
342 		len = keypair->key_len;
343 	}
344 
345 	if (mem == NULL)
346 		return (0);
347 
348 	if (len > INT_MAX) {
349 		tls_set_errorx(ctx, ctx->config->use_fake_private_key ?
350 		    "cert too long" : "key too long");
351 		goto err;
352 	}
353 
354 	if ((bio = BIO_new_mem_buf(mem, len)) == NULL) {
355 		tls_set_errorx(ctx, "failed to create buffer");
356 		goto err;
357 	}
358 
359 	if (ctx->config->use_fake_private_key) {
360 		if ((x509 = PEM_read_bio_X509(bio, NULL, tls_password_cb,
361 		    NULL)) == NULL) {
362 			tls_set_errorx(ctx, "failed to read X509 certificate");
363 			goto err;
364 		}
365 		if ((*pkey = X509_get_pubkey(x509)) == NULL) {
366 			tls_set_errorx(ctx, "failed to retrieve pubkey");
367 			goto err;
368 		}
369 	} else {
370 		if ((*pkey = PEM_read_bio_PrivateKey(bio, NULL, tls_password_cb,
371 		    NULL)) ==  NULL) {
372 			tls_set_errorx(ctx, "failed to read private key");
373 			goto err;
374 		}
375 	}
376 
377 	ret = 0;
378  err:
379 	BIO_free(bio);
380 	X509_free(x509);
381 	return (ret);
382 }
383 
384 static int
385 tls_keypair_setup_pkey(struct tls *ctx, struct tls_keypair *keypair, EVP_PKEY *pkey)
386 {
387 	RSA *rsa = NULL;
388 	EC_KEY *eckey = NULL;
389 	int ret = -1;
390 
391 	/* Only install the pubkey hash if fake private keys are used. */
392 	if (!ctx->config->skip_private_key_check)
393 		return (0);
394 
395 	if (keypair->pubkey_hash == NULL) {
396 		tls_set_errorx(ctx, "public key hash not set");
397 		goto err;
398 	}
399 
400 	switch (EVP_PKEY_id(pkey)) {
401 	case EVP_PKEY_RSA:
402 		if ((rsa = EVP_PKEY_get1_RSA(pkey)) == NULL ||
403 		    RSA_set_ex_data(rsa, 0, keypair->pubkey_hash) == 0 ||
404 		    EVP_PKEY_set1_RSA(pkey, rsa) == 0) {
405 			tls_set_errorx(ctx, "RSA key setup failure");
406 			goto err;
407 		}
408 		break;
409 	case EVP_PKEY_EC:
410 		if ((eckey = EVP_PKEY_get1_EC_KEY(pkey)) == NULL ||
411 		    EC_KEY_set_ex_data(eckey, 0, keypair->pubkey_hash) == 0 ||
412 		    EVP_PKEY_set1_EC_KEY(pkey, eckey) == 0) {
413 			tls_set_errorx(ctx, "EC key setup failure");
414 			goto err;
415 		}
416 		break;
417 	default:
418 		tls_set_errorx(ctx, "incorrect key type");
419 		goto err;
420 	}
421 
422 	ret = 0;
423 
424  err:
425 	RSA_free(rsa);
426 	EC_KEY_free(eckey);
427 	return (ret);
428 }
429 
430 int
431 tls_configure_ssl_keypair(struct tls *ctx, SSL_CTX *ssl_ctx,
432     struct tls_keypair *keypair, int required)
433 {
434 	EVP_PKEY *pkey = NULL;
435 
436 	if (!required &&
437 	    keypair->cert_mem == NULL &&
438 	    keypair->key_mem == NULL)
439 		return(0);
440 
441 	if (keypair->cert_mem != NULL) {
442 		if (keypair->cert_len > INT_MAX) {
443 			tls_set_errorx(ctx, "certificate too long");
444 			goto err;
445 		}
446 
447 		if (SSL_CTX_use_certificate_chain_mem(ssl_ctx,
448 		    keypair->cert_mem, keypair->cert_len) != 1) {
449 			tls_set_errorx(ctx, "failed to load certificate");
450 			goto err;
451 		}
452 	}
453 
454 	if (tls_keypair_to_pkey(ctx, keypair, &pkey) == -1)
455 		goto err;
456 	if (pkey != NULL) {
457 		if (tls_keypair_setup_pkey(ctx, keypair, pkey) == -1)
458 			goto err;
459 		if (SSL_CTX_use_PrivateKey(ssl_ctx, pkey) != 1) {
460 			tls_set_errorx(ctx, "failed to load private key");
461 			goto err;
462 		}
463 		EVP_PKEY_free(pkey);
464 		pkey = NULL;
465 	}
466 
467 	if (!ctx->config->skip_private_key_check &&
468 	    SSL_CTX_check_private_key(ssl_ctx) != 1) {
469 		tls_set_errorx(ctx, "private/public key mismatch");
470 		goto err;
471 	}
472 
473 	return (0);
474 
475  err:
476 	EVP_PKEY_free(pkey);
477 
478 	return (-1);
479 }
480 
481 int
482 tls_configure_ssl(struct tls *ctx, SSL_CTX *ssl_ctx)
483 {
484 	SSL_CTX_clear_mode(ssl_ctx, SSL_MODE_AUTO_RETRY);
485 
486 	SSL_CTX_set_mode(ssl_ctx, SSL_MODE_ENABLE_PARTIAL_WRITE);
487 	SSL_CTX_set_mode(ssl_ctx, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
488 
489 	SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv2);
490 	SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_SSLv3);
491 
492 	SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1);
493 	SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1_1);
494 	SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1_2);
495 	SSL_CTX_clear_options(ssl_ctx, SSL_OP_NO_TLSv1_3);
496 
497 	if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_0) == 0)
498 		SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1);
499 	if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_1) == 0)
500 		SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_1);
501 	if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_2) == 0)
502 		SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_2);
503 	if ((ctx->config->protocols & TLS_PROTOCOL_TLSv1_3) == 0)
504 		SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TLSv1_3);
505 
506 	if (ctx->config->alpn != NULL) {
507 		if (SSL_CTX_set_alpn_protos(ssl_ctx, ctx->config->alpn,
508 		    ctx->config->alpn_len) != 0) {
509 			tls_set_errorx(ctx, "failed to set alpn");
510 			goto err;
511 		}
512 	}
513 
514 	if (ctx->config->ciphers != NULL) {
515 		if (SSL_CTX_set_cipher_list(ssl_ctx,
516 		    ctx->config->ciphers) != 1) {
517 			tls_set_errorx(ctx, "failed to set ciphers");
518 			goto err;
519 		}
520 	}
521 
522 	if (ctx->config->verify_time == 0) {
523 		X509_VERIFY_PARAM_set_flags(SSL_CTX_get0_param(ssl_ctx),
524 		    X509_V_FLAG_NO_CHECK_TIME);
525 	}
526 
527 	/* Disable any form of session caching by default */
528 	SSL_CTX_set_session_cache_mode(ssl_ctx, SSL_SESS_CACHE_OFF);
529 	SSL_CTX_set_options(ssl_ctx, SSL_OP_NO_TICKET);
530 
531 	return (0);
532 
533  err:
534 	return (-1);
535 }
536 
537 static int
538 tls_ssl_cert_verify_cb(X509_STORE_CTX *x509_ctx, void *arg)
539 {
540 	struct tls *ctx = arg;
541 	int x509_err;
542 
543 	if (ctx->config->verify_cert == 0)
544 		return (1);
545 
546 	if ((X509_verify_cert(x509_ctx)) < 0) {
547 		tls_set_errorx(ctx, "X509 verify cert failed");
548 		return (0);
549 	}
550 
551 	x509_err = X509_STORE_CTX_get_error(x509_ctx);
552 	if (x509_err == X509_V_OK)
553 		return (1);
554 
555 	tls_set_errorx(ctx, "certificate verification failed: %s",
556 	    X509_verify_cert_error_string(x509_err));
557 
558 	return (0);
559 }
560 
561 int
562 tls_configure_ssl_verify(struct tls *ctx, SSL_CTX *ssl_ctx, int verify)
563 {
564 	size_t ca_len = ctx->config->ca_len;
565 	char *ca_mem = ctx->config->ca_mem;
566 	char *crl_mem = ctx->config->crl_mem;
567 	size_t crl_len = ctx->config->crl_len;
568 	char *ca_free = NULL;
569 	STACK_OF(X509_INFO) *xis = NULL;
570 	X509_STORE *store;
571 	X509_INFO *xi;
572 	BIO *bio = NULL;
573 	int rv = -1;
574 	int i;
575 
576 	SSL_CTX_set_verify(ssl_ctx, verify, NULL);
577 	SSL_CTX_set_cert_verify_callback(ssl_ctx, tls_ssl_cert_verify_cb, ctx);
578 
579 	if (ctx->config->verify_depth >= 0)
580 		SSL_CTX_set_verify_depth(ssl_ctx, ctx->config->verify_depth);
581 
582 	if (ctx->config->verify_cert == 0)
583 		goto done;
584 
585 	/* If no CA has been specified, attempt to load the default. */
586 	if (ctx->config->ca_mem == NULL && ctx->config->ca_path == NULL) {
587 		if (tls_config_load_file(&ctx->error, "CA", tls_default_ca_cert_file(),
588 		    &ca_mem, &ca_len) != 0)
589 			goto err;
590 		ca_free = ca_mem;
591 	}
592 
593 	if (ca_mem != NULL) {
594 		if (ca_len > INT_MAX) {
595 			tls_set_errorx(ctx, "ca too long");
596 			goto err;
597 		}
598 		if (SSL_CTX_load_verify_mem(ssl_ctx, ca_mem, ca_len) != 1) {
599 			tls_set_errorx(ctx, "ssl verify memory setup failure");
600 			goto err;
601 		}
602 	} else if (SSL_CTX_load_verify_locations(ssl_ctx, NULL,
603 	    ctx->config->ca_path) != 1) {
604 		tls_set_errorx(ctx, "ssl verify locations failure");
605 		goto err;
606 	}
607 
608 	if (crl_mem != NULL) {
609 		if (crl_len > INT_MAX) {
610 			tls_set_errorx(ctx, "crl too long");
611 			goto err;
612 		}
613 		if ((bio = BIO_new_mem_buf(crl_mem, crl_len)) == NULL) {
614 			tls_set_errorx(ctx, "failed to create buffer");
615 			goto err;
616 		}
617 		if ((xis = PEM_X509_INFO_read_bio(bio, NULL, tls_password_cb,
618 		    NULL)) == NULL) {
619 			tls_set_errorx(ctx, "failed to parse crl");
620 			goto err;
621 		}
622 		store = SSL_CTX_get_cert_store(ssl_ctx);
623 		for (i = 0; i < sk_X509_INFO_num(xis); i++) {
624 			xi = sk_X509_INFO_value(xis, i);
625 			if (xi->crl == NULL)
626 				continue;
627 			if (!X509_STORE_add_crl(store, xi->crl)) {
628 				tls_set_error(ctx, "failed to add crl");
629 				goto err;
630 			}
631 		}
632 		X509_STORE_set_flags(store,
633 		    X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL);
634 	}
635 
636  done:
637 	rv = 0;
638 
639  err:
640 	sk_X509_INFO_pop_free(xis, X509_INFO_free);
641 	BIO_free(bio);
642 	free(ca_free);
643 
644 	return (rv);
645 }
646 
647 void
648 tls_free(struct tls *ctx)
649 {
650 	if (ctx == NULL)
651 		return;
652 
653 	tls_reset(ctx);
654 
655 	free(ctx);
656 }
657 
658 void
659 tls_reset(struct tls *ctx)
660 {
661 	struct tls_sni_ctx *sni, *nsni;
662 
663 	tls_config_free(ctx->config);
664 	ctx->config = NULL;
665 
666 	SSL_CTX_free(ctx->ssl_ctx);
667 	SSL_free(ctx->ssl_conn);
668 	X509_free(ctx->ssl_peer_cert);
669 
670 	ctx->ssl_conn = NULL;
671 	ctx->ssl_ctx = NULL;
672 	ctx->ssl_peer_cert = NULL;
673 	/* X509 objects in chain are freed with the SSL */
674 	ctx->ssl_peer_chain = NULL;
675 
676 	ctx->socket = -1;
677 	ctx->state = 0;
678 
679 	free(ctx->servername);
680 	ctx->servername = NULL;
681 
682 	free(ctx->error.msg);
683 	ctx->error.msg = NULL;
684 	ctx->error.num = -1;
685 
686 	tls_conninfo_free(ctx->conninfo);
687 	ctx->conninfo = NULL;
688 
689 	tls_ocsp_free(ctx->ocsp);
690 	ctx->ocsp = NULL;
691 
692 	for (sni = ctx->sni_ctx; sni != NULL; sni = nsni) {
693 		nsni = sni->next;
694 		tls_sni_ctx_free(sni);
695 	}
696 	ctx->sni_ctx = NULL;
697 
698 	ctx->read_cb = NULL;
699 	ctx->write_cb = NULL;
700 	ctx->cb_arg = NULL;
701 }
702 
703 int
704 tls_ssl_error(struct tls *ctx, SSL *ssl_conn, int ssl_ret, const char *prefix)
705 {
706 	const char *errstr = "unknown error";
707 	unsigned long err;
708 	int ssl_err;
709 
710 	ssl_err = SSL_get_error(ssl_conn, ssl_ret);
711 	switch (ssl_err) {
712 	case SSL_ERROR_NONE:
713 	case SSL_ERROR_ZERO_RETURN:
714 		return (0);
715 
716 	case SSL_ERROR_WANT_READ:
717 		return (TLS_WANT_POLLIN);
718 
719 	case SSL_ERROR_WANT_WRITE:
720 		return (TLS_WANT_POLLOUT);
721 
722 	case SSL_ERROR_SYSCALL:
723 		if ((err = ERR_peek_error()) != 0) {
724 			errstr = ERR_error_string(err, NULL);
725 		} else if (ssl_ret == 0) {
726 			if ((ctx->state & TLS_HANDSHAKE_COMPLETE) != 0) {
727 				ctx->state |= TLS_EOF_NO_CLOSE_NOTIFY;
728 				return (0);
729 			}
730 			errstr = "unexpected EOF";
731 		} else if (ssl_ret == -1) {
732 			errstr = strerror(errno);
733 		}
734 		tls_set_ssl_errorx(ctx, "%s failed: %s", prefix, errstr);
735 		return (-1);
736 
737 	case SSL_ERROR_SSL:
738 		if ((err = ERR_peek_error()) != 0) {
739 			errstr = ERR_error_string(err, NULL);
740 		}
741 		tls_set_ssl_errorx(ctx, "%s failed: %s", prefix, errstr);
742 		return (-1);
743 
744 	case SSL_ERROR_WANT_CONNECT:
745 	case SSL_ERROR_WANT_ACCEPT:
746 	case SSL_ERROR_WANT_X509_LOOKUP:
747 	default:
748 		tls_set_ssl_errorx(ctx, "%s failed (%d)", prefix, ssl_err);
749 		return (-1);
750 	}
751 }
752 
753 int
754 tls_handshake(struct tls *ctx)
755 {
756 	int rv = -1;
757 
758 	tls_error_clear(&ctx->error);
759 
760 	if ((ctx->flags & (TLS_CLIENT | TLS_SERVER_CONN)) == 0) {
761 		tls_set_errorx(ctx, "invalid operation for context");
762 		goto out;
763 	}
764 
765 	if ((ctx->state & TLS_HANDSHAKE_COMPLETE) != 0) {
766 		tls_set_errorx(ctx, "handshake already completed");
767 		goto out;
768 	}
769 
770 	if ((ctx->flags & TLS_CLIENT) != 0)
771 		rv = tls_handshake_client(ctx);
772 	else if ((ctx->flags & TLS_SERVER_CONN) != 0)
773 		rv = tls_handshake_server(ctx);
774 
775 	if (rv == 0) {
776 		ctx->ssl_peer_cert = SSL_get_peer_certificate(ctx->ssl_conn);
777 		ctx->ssl_peer_chain = SSL_get_peer_cert_chain(ctx->ssl_conn);
778 		if (tls_conninfo_populate(ctx) == -1)
779 			rv = -1;
780 		if (ctx->ocsp == NULL)
781 			ctx->ocsp = tls_ocsp_setup_from_peer(ctx);
782 	}
783  out:
784 	/* Prevent callers from performing incorrect error handling */
785 	errno = 0;
786 	return (rv);
787 }
788 
789 ssize_t
790 tls_read(struct tls *ctx, void *buf, size_t buflen)
791 {
792 	ssize_t rv = -1;
793 	int ssl_ret;
794 
795 	tls_error_clear(&ctx->error);
796 
797 	if ((ctx->state & TLS_HANDSHAKE_COMPLETE) == 0) {
798 		if ((rv = tls_handshake(ctx)) != 0)
799 			goto out;
800 	}
801 
802 	if (buflen > INT_MAX) {
803 		tls_set_errorx(ctx, "buflen too long");
804 		goto out;
805 	}
806 
807 	ERR_clear_error();
808 	if ((ssl_ret = SSL_read(ctx->ssl_conn, buf, buflen)) > 0) {
809 		rv = (ssize_t)ssl_ret;
810 		goto out;
811 	}
812 	rv = (ssize_t)tls_ssl_error(ctx, ctx->ssl_conn, ssl_ret, "read");
813 
814  out:
815 	/* Prevent callers from performing incorrect error handling */
816 	errno = 0;
817 	return (rv);
818 }
819 
820 ssize_t
821 tls_write(struct tls *ctx, const void *buf, size_t buflen)
822 {
823 	ssize_t rv = -1;
824 	int ssl_ret;
825 
826 	tls_error_clear(&ctx->error);
827 
828 	if ((ctx->state & TLS_HANDSHAKE_COMPLETE) == 0) {
829 		if ((rv = tls_handshake(ctx)) != 0)
830 			goto out;
831 	}
832 
833 	if (buflen > INT_MAX) {
834 		tls_set_errorx(ctx, "buflen too long");
835 		goto out;
836 	}
837 
838 	ERR_clear_error();
839 	if ((ssl_ret = SSL_write(ctx->ssl_conn, buf, buflen)) > 0) {
840 		rv = (ssize_t)ssl_ret;
841 		goto out;
842 	}
843 	rv = (ssize_t)tls_ssl_error(ctx, ctx->ssl_conn, ssl_ret, "write");
844 
845  out:
846 	/* Prevent callers from performing incorrect error handling */
847 	errno = 0;
848 	return (rv);
849 }
850 
851 int
852 tls_close(struct tls *ctx)
853 {
854 	int ssl_ret;
855 	int rv = 0;
856 
857 	tls_error_clear(&ctx->error);
858 
859 	if ((ctx->flags & (TLS_CLIENT | TLS_SERVER_CONN)) == 0) {
860 		tls_set_errorx(ctx, "invalid operation for context");
861 		rv = -1;
862 		goto out;
863 	}
864 
865 	if (ctx->state & TLS_SSL_NEEDS_SHUTDOWN) {
866 		ERR_clear_error();
867 		ssl_ret = SSL_shutdown(ctx->ssl_conn);
868 		if (ssl_ret < 0) {
869 			rv = tls_ssl_error(ctx, ctx->ssl_conn, ssl_ret,
870 			    "shutdown");
871 			if (rv == TLS_WANT_POLLIN || rv == TLS_WANT_POLLOUT)
872 				goto out;
873 		}
874 		ctx->state &= ~TLS_SSL_NEEDS_SHUTDOWN;
875 	}
876 
877 	if (ctx->socket != -1) {
878 		if (shutdown(ctx->socket, SHUT_RDWR) != 0) {
879 			if (rv == 0 &&
880 			    errno != ENOTCONN && errno != ECONNRESET) {
881 				tls_set_error(ctx, "shutdown");
882 				rv = -1;
883 			}
884 		}
885 		if (close(ctx->socket) != 0) {
886 			if (rv == 0) {
887 				tls_set_error(ctx, "close");
888 				rv = -1;
889 			}
890 		}
891 		ctx->socket = -1;
892 	}
893 
894 	if ((ctx->state & TLS_EOF_NO_CLOSE_NOTIFY) != 0) {
895 		tls_set_errorx(ctx, "EOF without close notify");
896 		rv = -1;
897 	}
898 
899  out:
900 	/* Prevent callers from performing incorrect error handling */
901 	errno = 0;
902 	return (rv);
903 }