From: Stefan Eissing <stefan@eissing.org>
Date: Wed, 22 May 2024 08:35:51 +0000 (+0200)
Subject: mbedtls: send close-notify on close
X-Git-Tag: curl-8_9_0~413
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=1c4813c769ea65c128c067004d0711433288aa05;p=thirdparty%2Fcurl.git

mbedtls: send close-notify on close

- send the TLS close notify message when cloding down
  the mbedtls connection filter
- this is a "least" effort version and, as other TLS filters,
  is lacking a graceful send/receive/timeout for a really
  clean shutdown.

Closes #13745
---

diff --git a/lib/vtls/mbedtls.c b/lib/vtls/mbedtls.c
index 98a4ea01b1..875f3319dc 100644
--- a/lib/vtls/mbedtls.c
+++ b/lib/vtls/mbedtls.c
@@ -110,6 +110,7 @@ struct mbed_ssl_backend_data {
   const char *protocols[3];
 #endif
   int *ciphersuites;
+  BIT(initialized); /* mbedtls_ssl_context is initialized */
 };
 
 /* apply threading? */
@@ -504,6 +505,7 @@ mbed_connect_step1(struct Curl_cfilter *cf, struct Curl_easy *data)
   char errorbuf[128];
 
   DEBUGASSERT(backend);
+  DEBUGASSERT(!backend->initialized);
 
   if((conn_config->version == CURL_SSLVERSION_SSLv2) ||
      (conn_config->version == CURL_SSLVERSION_SSLv3)) {
@@ -739,6 +741,7 @@ mbed_connect_step1(struct Curl_cfilter *cf, struct Curl_easy *data)
   }
 
   mbedtls_ssl_init(&backend->ssl);
+  backend->initialized = TRUE;
 
   /* new profile with RSA min key len = 1024 ... */
   mbedtls_ssl_conf_cert_profile(&backend->config,
@@ -1164,28 +1167,34 @@ static void mbedtls_close(struct Curl_cfilter *cf, struct Curl_easy *data)
   struct ssl_connect_data *connssl = cf->ctx;
   struct mbed_ssl_backend_data *backend =
     (struct mbed_ssl_backend_data *)connssl->backend;
-  char buf[32];
 
   (void)data;
   DEBUGASSERT(backend);
+  if(backend->initialized) {
+    char buf[32];
+    int ret;
 
-  /* Maybe the server has already sent a close notify alert.
-     Read it to avoid an RST on the TCP connection. */
-  (void)mbedtls_ssl_read(&backend->ssl, (unsigned char *)buf, sizeof(buf));
+    /* Maybe the server has already sent a close notify alert.
+       Read it to avoid an RST on the TCP connection. */
+    (void)mbedtls_ssl_read(&backend->ssl, (unsigned char *)buf, sizeof(buf));
+    ret = mbedtls_ssl_close_notify(&backend->ssl);
+    CURL_TRC_CF(data, cf, "close_notify() -> %x", ret);
 
-  mbedtls_pk_free(&backend->pk);
-  mbedtls_x509_crt_free(&backend->clicert);
-  mbedtls_x509_crt_free(&backend->cacert);
+    mbedtls_pk_free(&backend->pk);
+    mbedtls_x509_crt_free(&backend->clicert);
+    mbedtls_x509_crt_free(&backend->cacert);
 #ifdef MBEDTLS_X509_CRL_PARSE_C
-  mbedtls_x509_crl_free(&backend->crl);
+    mbedtls_x509_crl_free(&backend->crl);
 #endif
-  Curl_safefree(backend->ciphersuites);
-  mbedtls_ssl_config_free(&backend->config);
-  mbedtls_ssl_free(&backend->ssl);
-  mbedtls_ctr_drbg_free(&backend->ctr_drbg);
+    Curl_safefree(backend->ciphersuites);
+    mbedtls_ssl_config_free(&backend->config);
+    mbedtls_ssl_free(&backend->ssl);
+    mbedtls_ctr_drbg_free(&backend->ctr_drbg);
 #ifndef THREADING_SUPPORT
-  mbedtls_entropy_free(&backend->entropy);
+    mbedtls_entropy_free(&backend->entropy);
 #endif /* THREADING_SUPPORT */
+    backend->initialized = FALSE;
+  }
 }
 
 static ssize_t mbed_recv(struct Curl_cfilter *cf, struct Curl_easy *data,