void OpenSSL::pushFunc()
{
int wantwrite;
size_t wantread;
int frombio;
int tobio;
while( ( wantwrite = BIO_ctrl_pending( m_nbio ) ) > 0 )
{
if( wantwrite > m_bufsize )
wantwrite = m_bufsize;
if( !wantwrite )
break;
frombio = BIO_read( m_nbio, m_buf, wantwrite );
if( m_handler )
m_handler->handleEncryptedData( this, std::string( m_buf, frombio ) );
}
while( ( wantread = BIO_ctrl_get_read_request( m_nbio ) ) > 0 )
{
if( wantread > m_recvBuffer.length() )
wantread = m_recvBuffer.length();
if( !wantread )
break;
tobio = BIO_write( m_nbio, m_recvBuffer.c_str(), wantread );
m_recvBuffer.erase( 0, tobio );
}
}
/*
* The interface layer between network and BIO-pair. The BIO-pair buffers
* the data to/from the TLS layer.
*/
void SSLManager::_flushNetworkBIO(SSLConnection* conn){
char buffer[BUFFER_SIZE];
int wantWrite;
/*
* Write the complete contents of the buffer. Leaving the buffer
* unflushed could cause a deadlock.
*/
while ((wantWrite = BIO_ctrl_pending(conn->networkBIO)) > 0) {
if (wantWrite > BUFFER_SIZE) {
wantWrite = BUFFER_SIZE;
}
int fromBIO = BIO_read(conn->networkBIO, buffer, wantWrite);
int writePos = 0;
do {
int numWrite = fromBIO - writePos;
numWrite = send(conn->socket->rawFD(), buffer + writePos, numWrite, portSendFlags);
if (numWrite < 0) {
conn->socket->handleSendError(numWrite, "");
}
writePos += numWrite;
} while (writePos < fromBIO);
}
int wantRead;
while ((wantRead = BIO_ctrl_get_read_request(conn->networkBIO)) > 0)
{
if (wantRead > BUFFER_SIZE) {
wantRead = BUFFER_SIZE;
}
int numRead = recv(conn->socket->rawFD(), buffer, wantRead, portRecvFlags);
if (numRead <= 0) {
conn->socket->handleRecvError(numRead, wantRead);
continue;
}
int toBIO = BIO_write(conn->networkBIO, buffer, numRead);
if (toBIO != numRead) {
LOG(3) << "Failed to write network data to the SSL BIO layer";
throw SocketException(SocketException::RECV_ERROR , conn->socket->remoteString());
}
}
}
static int network_biopair_interop(ACL_SOCKET fd, int timeout, BIO *network_bio)
{
const char *myname = "network_biopair_interop";
int want_write;
int num_write;
int write_pos;
int from_bio;
int want_read;
int num_read;
int to_bio;
char buffer[NETLAYER_BUFFERSIZE];
/*
* To avoid deadlock, write all pending data to the network before
* attempting to read from the network.
*/
while ((want_write = (int) BIO_ctrl_pending(network_bio)) > 0) {
if (want_write > (int) sizeof(buffer))
want_write = (int) sizeof(buffer);
from_bio = BIO_read(network_bio, buffer, want_write);
/*
* Write the complete buffer contents to the network.
*/
for (write_pos = 0; write_pos < from_bio; /* see below */ ) {
if (timeout > 0 && acl_write_wait(fd, timeout) < 0)
return (-1);
num_write = acl_socket_write(fd, buffer + write_pos, from_bio - write_pos, 0, 0, 0);
if (num_write <= 0) {
if ((num_write < 0) && (timeout > 0) && (errno == ACL_EAGAIN || errno == ACL_EINTR)) {
acl_msg_warn("%s: write() returns EAGAIN on a writable file descriptor!", myname);
acl_msg_warn("%s: pausing to avoid going into a tight select/write loop!", myname);
sleep(1);
} else {
acl_msg_warn("%s: error writing %d bytes to the network: %s",
myname, from_bio - write_pos, acl_last_serror());
return (-1);
}
} else {
write_pos += num_write;
}
}
}
/*
* Read data from the network into the BIO pair.
*/
while ((want_read = (int) BIO_ctrl_get_read_request(network_bio)) > 0) {
if (want_read > (int) sizeof(buffer))
want_read = (int) sizeof(buffer);
if (timeout > 0 && acl_read_wait(fd, timeout) < 0)
return (-1);
num_read = acl_socket_read(fd, buffer, want_read, 0, 0, 0);
if (num_read == 0)
/* FIX 200412 Cannot return a zero read count. */
return (-1);
if (num_read < 0) {
if ((num_read < 0) && (timeout > 0) && (errno == ACL_EAGAIN || errno == ACL_EINTR)) {
acl_msg_warn("%s: read() returns EAGAIN on a readable file descriptor!", myname);
acl_msg_warn("%s: pausing to avoid going into a tight select/write loop!", myname);
sleep(1);
} else {
acl_msg_warn("%s: error reading %d bytes from the network: %s",
myname, want_read, acl_last_serror());
return (-1);
}
} else {
to_bio = BIO_write(network_bio, buffer, num_read);
if (to_bio != num_read)
acl_msg_panic("%s: BIO_write error: to_bio != num_read", myname);
}
}
return (0);
}
int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count,
clock_t *s_time, clock_t *c_time)
{
long cw_num = count, cr_num = count, sw_num = count, sr_num = count;
BIO *s_ssl_bio = NULL, *c_ssl_bio = NULL;
BIO *server = NULL, *server_io = NULL, *client = NULL, *client_io = NULL;
int ret = 1;
size_t bufsiz = 256; /* small buffer for testing */
if (!BIO_new_bio_pair(&server, bufsiz, &server_io, bufsiz))
goto err;
if (!BIO_new_bio_pair(&client, bufsiz, &client_io, bufsiz))
goto err;
s_ssl_bio = BIO_new(BIO_f_ssl());
if (!s_ssl_bio)
goto err;
c_ssl_bio = BIO_new(BIO_f_ssl());
if (!c_ssl_bio)
goto err;
SSL_set_connect_state(c_ssl);
SSL_set_bio(c_ssl, client, client);
(void)BIO_set_ssl(c_ssl_bio, c_ssl, BIO_NOCLOSE);
SSL_set_accept_state(s_ssl);
SSL_set_bio(s_ssl, server, server);
(void)BIO_set_ssl(s_ssl_bio, s_ssl, BIO_NOCLOSE);
do
{
/* c_ssl_bio: SSL filter BIO
*
* client: pseudo-I/O for SSL library
*
* client_io: client's SSL communication; usually to be
* relayed over some I/O facility, but in this
* test program, we're the server, too:
*
* server_io: server's SSL communication
*
* server: pseudo-I/O for SSL library
*
* s_ssl_bio: SSL filter BIO
*
* The client and the server each employ a "BIO pair":
* client + client_io, server + server_io.
* BIO pairs are symmetric. A BIO pair behaves similar
* to a non-blocking socketpair (but both endpoints must
* be handled by the same thread).
* [Here we could connect client and server to the ends
* of a single BIO pair, but then this code would be less
* suitable as an example for BIO pairs in general.]
*
* Useful functions for querying the state of BIO pair endpoints:
*
* BIO_ctrl_pending(bio) number of bytes we can read now
* BIO_ctrl_get_read_request(bio) number of bytes needed to fulfil
* other side's read attempt
* BIO_ctrl_get_write_guarantee(bio) number of bytes we can write now
*
* ..._read_request is never more than ..._write_guarantee;
* it depends on the application which one you should use.
*/
/* We have non-blocking behaviour throughout this test program, but
* can be sure that there is *some* progress in each iteration; so
* we don't have to worry about ..._SHOULD_READ or ..._SHOULD_WRITE
* -- we just try everything in each iteration
*/
{
/* CLIENT */
MS_STATIC char cbuf[1024*8];
int i, r;
clock_t c_clock = clock();
memset(cbuf, 0, sizeof(cbuf));
if (debug)
if (SSL_in_init(c_ssl))
printf("client waiting in SSL_connect - %s\n",
SSL_state_string_long(c_ssl));
if (cw_num > 0)
{
/* Write to server. */
if (cw_num > (long)sizeof cbuf)
i = sizeof cbuf;
else
i = (int)cw_num;
r = BIO_write(c_ssl_bio, cbuf, i);
if (r < 0)
{
if (!BIO_should_retry(c_ssl_bio))
{
fprintf(stderr,"ERROR in CLIENT\n");
goto err;
}
/* BIO_should_retry(...) can just be ignored here.
* The library expects us to call BIO_write with
* the same arguments again, and that's what we will
* do in the next iteration. */
}
else if (r == 0)
{
fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
goto err;
}
else
{
if (debug)
printf("client wrote %d\n", r);
cw_num -= r;
}
}
if (cr_num > 0)
{
/* Read from server. */
r = BIO_read(c_ssl_bio, cbuf, sizeof(cbuf));
if (r < 0)
{
if (!BIO_should_retry(c_ssl_bio))
{
fprintf(stderr,"ERROR in CLIENT\n");
goto err;
}
/* Again, "BIO_should_retry" can be ignored. */
}
else if (r == 0)
{
fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
goto err;
}
else
{
if (debug)
printf("client read %d\n", r);
cr_num -= r;
}
}
/* c_time and s_time increments will typically be very small
* (depending on machine speed and clock tick intervals),
* but sampling over a large number of connections should
* result in fairly accurate figures. We cannot guarantee
* a lot, however -- if each connection lasts for exactly
* one clock tick, it will be counted only for the client
* or only for the server or even not at all.
*/
*c_time += (clock() - c_clock);
}
{
/* SERVER */
MS_STATIC char sbuf[1024*8];
int i, r;
clock_t s_clock = clock();
memset(sbuf, 0, sizeof(sbuf));
if (debug)
if (SSL_in_init(s_ssl))
printf("server waiting in SSL_accept - %s\n",
SSL_state_string_long(s_ssl));
if (sw_num > 0)
{
/* Write to client. */
if (sw_num > (long)sizeof sbuf)
i = sizeof sbuf;
else
i = (int)sw_num;
r = BIO_write(s_ssl_bio, sbuf, i);
if (r < 0)
{
if (!BIO_should_retry(s_ssl_bio))
{
fprintf(stderr,"ERROR in SERVER\n");
goto err;
}
/* Ignore "BIO_should_retry". */
}
else if (r == 0)
{
fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
goto err;
}
else
{
if (debug)
printf("server wrote %d\n", r);
sw_num -= r;
}
}
if (sr_num > 0)
{
/* Read from client. */
r = BIO_read(s_ssl_bio, sbuf, sizeof(sbuf));
if (r < 0)
{
if (!BIO_should_retry(s_ssl_bio))
{
fprintf(stderr,"ERROR in SERVER\n");
goto err;
}
/* blah, blah */
}
else if (r == 0)
{
fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
goto err;
}
else
{
if (debug)
printf("server read %d\n", r);
sr_num -= r;
}
}
*s_time += (clock() - s_clock);
}
{
/* "I/O" BETWEEN CLIENT AND SERVER. */
size_t r1, r2;
BIO *io1 = server_io, *io2 = client_io;
/* we use the non-copying interface for io1
* and the standard BIO_write/BIO_read interface for io2
*/
static int prev_progress = 1;
int progress = 0;
/* io1 to io2 */
do
{
size_t num;
int r;
r1 = BIO_ctrl_pending(io1);
r2 = BIO_ctrl_get_write_guarantee(io2);
num = r1;
if (r2 < num)
num = r2;
if (num)
{
char *dataptr;
if (INT_MAX < num) /* yeah, right */
num = INT_MAX;
r = BIO_nread(io1, &dataptr, (int)num);
assert(r > 0);
assert(r <= (int)num);
/* possibly r < num (non-contiguous data) */
num = r;
r = BIO_write(io2, dataptr, (int)num);
if (r != (int)num) /* can't happen */
{
fprintf(stderr, "ERROR: BIO_write could not write "
"BIO_ctrl_get_write_guarantee() bytes");
goto err;
}
progress = 1;
if (debug)
printf((io1 == client_io) ?
"C->S relaying: %d bytes\n" :
"S->C relaying: %d bytes\n",
(int)num);
}
}
while (r1 && r2);
/* io2 to io1 */
{
size_t num;
int r;
r1 = BIO_ctrl_pending(io2);
r2 = BIO_ctrl_get_read_request(io1);
/* here we could use ..._get_write_guarantee instead of
* ..._get_read_request, but by using the latter
* we test restartability of the SSL implementation
* more thoroughly */
num = r1;
if (r2 < num)
num = r2;
if (num)
{
char *dataptr;
if (INT_MAX < num)
num = INT_MAX;
if (num > 1)
--num; /* test restartability even more thoroughly */
r = BIO_nwrite0(io1, &dataptr);
assert(r > 0);
if (r < (int)num)
num = r;
r = BIO_read(io2, dataptr, (int)num);
if (r != (int)num) /* can't happen */
{
fprintf(stderr, "ERROR: BIO_read could not read "
"BIO_ctrl_pending() bytes");
goto err;
}
progress = 1;
r = BIO_nwrite(io1, &dataptr, (int)num);
if (r != (int)num) /* can't happen */
{
fprintf(stderr, "ERROR: BIO_nwrite() did not accept "
"BIO_nwrite0() bytes");
goto err;
}
if (debug)
printf((io2 == client_io) ?
"C->S relaying: %d bytes\n" :
"S->C relaying: %d bytes\n",
(int)num);
}
} /* no loop, BIO_ctrl_get_read_request now returns 0 anyway */
if (!progress && !prev_progress)
if (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0)
{
fprintf(stderr, "ERROR: got stuck\n");
if (strcmp("SSLv2", SSL_get_version(c_ssl)) == 0)
{
fprintf(stderr, "This can happen for SSL2 because "
"CLIENT-FINISHED and SERVER-VERIFY are written \n"
"concurrently ...");
if (strncmp("2SCF", SSL_state_string(c_ssl), 4) == 0
&& strncmp("2SSV", SSL_state_string(s_ssl), 4) == 0)
{
fprintf(stderr, " ok.\n");
goto end;
}
}
fprintf(stderr, " ERROR.\n");
goto err;
}
prev_progress = progress;
}
}
while (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0);
if (verbose)
print_details(c_ssl, "DONE via BIO pair: ");
end:
ret = 0;
err:
ERR_print_errors(bio_err);
if (server)
BIO_free(server);
if (server_io)
BIO_free(server_io);
if (client)
BIO_free(client);
if (client_io)
BIO_free(client_io);
if (s_ssl_bio)
BIO_free(s_ssl_bio);
if (c_ssl_bio)
BIO_free(c_ssl_bio);
return ret;
}
