/* read/write callback that sends the requests and reads the ocsp response */
void
ocsp_callback(int fd, short event, void *arg)
{
struct iked_ocsp *ocsp = arg;
struct iked_socket *sock = ocsp->ocsp_sock;
OCSP_RESPONSE *resp = NULL;
/*
* Only call OCSP_sendreq_nbio() if should_read/write is
* either not requested or read/write can be called.
*/
if ((!BIO_should_read(ocsp->ocsp_cbio) || (event & EV_READ)) &&
(!BIO_should_write(ocsp->ocsp_cbio) || (event & EV_WRITE)) &&
OCSP_sendreq_nbio(&resp, ocsp->ocsp_req_ctx) != -1 ) {
ocsp_parse_response(ocsp, resp);
return;
}
if (BIO_should_read(ocsp->ocsp_cbio))
event_set(&sock->sock_ev, sock->sock_fd, EV_READ,
ocsp_callback, ocsp);
else if (BIO_should_write(ocsp->ocsp_cbio))
event_set(&sock->sock_ev, sock->sock_fd, EV_WRITE,
ocsp_callback, ocsp);
event_add(&sock->sock_ev, NULL);
}
static int transport_bio_buffered_write(BIO* bio, const char* buf, int num)
{
int i, ret;
int status;
int nchunks;
int committedBytes;
DataChunk chunks[2];
WINPR_BIO_BUFFERED_SOCKET* ptr = (WINPR_BIO_BUFFERED_SOCKET*) bio->ptr;
ret = num;
ptr->writeBlocked = FALSE;
BIO_clear_flags(bio, BIO_FLAGS_WRITE);
/* we directly append extra bytes in the xmit buffer, this could be prevented
* but for now it makes the code more simple.
*/
if (buf && num && !ringbuffer_write(&ptr->xmitBuffer, (const BYTE*) buf, num))
{
WLog_ERR(TAG, "an error occured when writing (num: %d)", num);
return -1;
}
committedBytes = 0;
nchunks = ringbuffer_peek(&ptr->xmitBuffer, chunks, ringbuffer_used(&ptr->xmitBuffer));
for (i = 0; i < nchunks; i++)
{
while (chunks[i].size)
{
status = BIO_write(bio->next_bio, chunks[i].data, chunks[i].size);
if (status <= 0)
{
if (!BIO_should_retry(bio->next_bio))
{
BIO_clear_flags(bio, BIO_FLAGS_SHOULD_RETRY);
ret = -1; /* fatal error */
goto out;
}
if (BIO_should_write(bio->next_bio))
{
BIO_set_flags(bio, BIO_FLAGS_WRITE);
ptr->writeBlocked = TRUE;
goto out; /* EWOULDBLOCK */
}
}
committedBytes += status;
chunks[i].size -= status;
chunks[i].data += status;
}
}
out:
ringbuffer_commit_read_bytes(&ptr->xmitBuffer, committedBytes);
return ret;
}
static int transport_bio_buffered_write(BIO* bio, const char* buf, int num)
{
int status, ret;
rdpTcp* tcp = (rdpTcp*) bio->ptr;
int nchunks, committedBytes, i;
DataChunk chunks[2];
ret = num;
tcp->writeBlocked = FALSE;
BIO_clear_flags(bio, BIO_FLAGS_WRITE);
/* we directly append extra bytes in the xmit buffer, this could be prevented
* but for now it makes the code more simple.
*/
if (buf && num && !ringbuffer_write(&tcp->xmitBuffer, (const BYTE*) buf, num))
{
fprintf(stderr, "%s: an error occured when writing(toWrite=%d)\n", __FUNCTION__, num);
return -1;
}
committedBytes = 0;
nchunks = ringbuffer_peek(&tcp->xmitBuffer, chunks, ringbuffer_used(&tcp->xmitBuffer));
for (i = 0; i < nchunks; i++)
{
while (chunks[i].size)
{
status = BIO_write(bio->next_bio, chunks[i].data, chunks[i].size);
if (status <= 0)
{
if (!BIO_should_retry(bio->next_bio))
{
BIO_clear_flags(bio, BIO_FLAGS_SHOULD_RETRY);
ret = -1; /* fatal error */
goto out;
}
if (BIO_should_write(bio->next_bio))
{
BIO_set_flags(bio, BIO_FLAGS_WRITE);
tcp->writeBlocked = TRUE;
goto out; /* EWOULDBLOCK */
}
}
committedBytes += status;
chunks[i].size -= status;
chunks[i].data += status;
}
}
out:
ringbuffer_commit_read_bytes(&tcp->xmitBuffer, committedBytes);
return ret;
}
static OCSP_RESPONSE *ocsp_get_response(CLI *c, OCSP_REQUEST *req) {
BIO *bio=NULL;
OCSP_REQ_CTX *req_ctx=NULL;
OCSP_RESPONSE *resp=NULL;
int err;
/* connect specified OCSP server (responder) */
c->fd=s_socket(c->opt->ocsp_addr.sa.sa_family, SOCK_STREAM, 0,
1, "OCSP: socket (auth_user)");
if(c->fd<0)
goto cleanup;
if(connect_blocking(c, &c->opt->ocsp_addr, addr_len(&c->opt->ocsp_addr)))
goto cleanup;
bio=BIO_new_fd(c->fd, BIO_NOCLOSE);
if(!bio)
goto cleanup;
s_log(LOG_DEBUG, "OCSP: server connected");
/* OCSP protocol communication loop */
req_ctx=OCSP_sendreq_new(bio, c->opt->ocsp_path, req, -1);
if(!req_ctx) {
sslerror("OCSP: OCSP_sendreq_new");
goto cleanup;
}
while(OCSP_sendreq_nbio(&resp, req_ctx)==-1) {
s_poll_init(c->fds);
s_poll_add(c->fds, c->fd, BIO_should_read(bio), BIO_should_write(bio));
err=s_poll_wait(c->fds, c->opt->timeout_busy, 0);
if(err==-1)
sockerror("OCSP: s_poll_wait");
if(err==0)
s_log(LOG_INFO, "OCSP: s_poll_wait: TIMEOUTbusy exceeded");
if(err<=0)
goto cleanup;
}
/* s_log(LOG_DEBUG, "OCSP: context state: 0x%x", *(int *)req_ctx); */
/* http://www.mail-archive.com/[email protected]/msg61691.html */
if(!resp) {
if(ERR_peek_error())
sslerror("OCSP: OCSP_sendreq_nbio");
else /* OpenSSL error: OCSP_sendreq_nbio does not use OCSPerr */
s_log(LOG_ERR, "OCSP: OCSP_sendreq_nbio: OpenSSL internal error");
}
cleanup:
if(req_ctx)
OCSP_REQ_CTX_free(req_ctx);
if(bio)
BIO_free_all(bio);
if(c->fd>=0) {
closesocket(c->fd);
c->fd=-1; /* avoid double close on cleanup */
}
return resp;
}
static LUA_FUNCTION(openssl_bio_retry)
{
BIO* bio = CHECK_OBJECT(1, BIO, "openssl.bio");
int retry = BIO_should_retry(bio);
if (retry)
{
lua_pushboolean(L, 1);
lua_pushboolean(L, BIO_should_read(bio));
lua_pushboolean(L, BIO_should_write(bio));
lua_pushboolean(L, BIO_should_io_special(bio));
return 4;
}
else
lua_pushboolean(L, 0);
return 1;
}
/* Return -1 on hard error (abort), 0 on timeout, >= 1 on successful wakeup */
static int
_BIO_wait(BIO *cbio, int msecs)
{
int result;
if (!BIO_should_retry(cbio)) {
return (-1);
}
struct pollfd pfd;
BIO_get_fd(cbio, &pfd.fd);
pfd.events = 0;
pfd.revents = 0;
if (BIO_should_io_special(cbio)) {
pfd.events = POLLOUT | POLLWRBAND;
} else if (BIO_should_read(cbio)) {
pfd.events = POLLIN | POLLPRI | POLLRDBAND;
} else if (BIO_should_write(cbio)) {
pfd.events = POLLOUT | POLLWRBAND;
} else {
return (-1);
}
if (msecs < 0) {
/* POSIX requires -1 for "no timeout" although some libcs
accept any negative value. */
msecs = -1;
}
do {
result = poll(&pfd, 1, msecs);
} while (result == -1 && errno == EINTR);
/* Timeout or poll internal error */
if (result <= 0) {
return (result);
}
if (pfd.revents & POLLERR) {
return -1;
}
/* Return 1 if the event was not an error */
return (pfd.revents & pfd.events ? 1 : -1);
}
/*
* Handle errors raised by BIO functions.
*
* Arguments: bio - The BIO object
* ret - The return value of the BIO_ function.
* Returns: None, the calling function should return NULL;
*/
static void
handle_bio_errors(BIO* bio, int ret)
{
if (BIO_should_retry(bio)) {
if (BIO_should_read(bio)) {
PyErr_SetNone(ssl_WantReadError);
} else if (BIO_should_write(bio)) {
PyErr_SetNone(ssl_WantWriteError);
} else if (BIO_should_io_special(bio)) {
/*
* It's somewhat unclear what this means. From the OpenSSL source,
* it seems like it should not be triggered by the memory BIO, so
* for the time being, this case shouldn't come up. The SSL BIO
* (which I think should be named the socket BIO) may trigger this
* case if its socket is not yet connected or it is busy doing
* something related to x509.
*/
PyErr_SetString(PyExc_ValueError, "BIO_should_io_special");
} else {
/*
* I hope this is dead code. The BIO documentation suggests that
* one of the above three checks should always be true.
*/
PyErr_SetString(PyExc_ValueError, "unknown bio failure");
}
} else {
/*
* If we aren't to retry, it's really an error, so fall back to the
* normal error reporting code. However, the BIO interface does not
* specify a uniform error reporting mechanism. We can only hope that
* the code which triggered the error also kindly pushed something onto
* the error stack.
*/
exception_from_error_queue(ssl_Error);
}
}
int doit(char *ctx[4])
{
SSL_CTX *s_ctx, *c_ctx;
static char cbuf[200], sbuf[200];
SSL *c_ssl = NULL;
SSL *s_ssl = NULL;
BIO *c_to_s = NULL;
BIO *s_to_c = NULL;
BIO *c_bio = NULL;
BIO *s_bio = NULL;
int c_r, c_w, s_r, s_w;
int c_want, s_want;
int i;
int done = 0;
int c_write, s_write;
int do_server = 0, do_client = 0;
s_ctx = (SSL_CTX *)ctx[0];
c_ctx = (SSL_CTX *)ctx[1];
if (ctx[2] != NULL)
s_ssl = (SSL *)ctx[2];
else
s_ssl = SSL_new(s_ctx);
if (ctx[3] != NULL)
c_ssl = (SSL *)ctx[3];
else
c_ssl = SSL_new(c_ctx);
if ((s_ssl == NULL) || (c_ssl == NULL))
goto err;
c_to_s = BIO_new(BIO_s_mem());
s_to_c = BIO_new(BIO_s_mem());
if ((s_to_c == NULL) || (c_to_s == NULL))
goto err;
c_bio = BIO_new(BIO_f_ssl());
s_bio = BIO_new(BIO_f_ssl());
if ((c_bio == NULL) || (s_bio == NULL))
goto err;
SSL_set_connect_state(c_ssl);
SSL_set_bio(c_ssl, s_to_c, c_to_s);
BIO_set_ssl(c_bio, c_ssl, (ctx[2] == NULL) ? BIO_CLOSE : BIO_NOCLOSE);
SSL_set_accept_state(s_ssl);
SSL_set_bio(s_ssl, c_to_s, s_to_c);
BIO_set_ssl(s_bio, s_ssl, (ctx[3] == NULL) ? BIO_CLOSE : BIO_NOCLOSE);
c_r = 0;
s_r = 1;
c_w = 1;
s_w = 0;
c_want = W_WRITE;
s_want = 0;
c_write = 1, s_write = 0;
/* We can always do writes */
for (;;) {
do_server = 0;
do_client = 0;
i = (int)BIO_pending(s_bio);
if ((i && s_r) || s_w)
do_server = 1;
i = (int)BIO_pending(c_bio);
if ((i && c_r) || c_w)
do_client = 1;
if (do_server && verbose) {
if (SSL_in_init(s_ssl))
printf("server waiting in SSL_accept - %s\n",
SSL_state_string_long(s_ssl));
else if (s_write)
printf("server:SSL_write()\n");
else
printf("server:SSL_read()\n");
}
if (do_client && verbose) {
if (SSL_in_init(c_ssl))
printf("client waiting in SSL_connect - %s\n",
SSL_state_string_long(c_ssl));
else if (c_write)
printf("client:SSL_write()\n");
else
printf("client:SSL_read()\n");
}
if (!do_client && !do_server) {
fprintf(stdout, "ERROR IN STARTUP\n");
break;
}
if (do_client && !(done & C_DONE)) {
if (c_write) {
i = BIO_write(c_bio, "hello from client\n", 18);
if (i < 0) {
c_r = 0;
c_w = 0;
if (BIO_should_retry(c_bio)) {
if (BIO_should_read(c_bio))
c_r = 1;
if (BIO_should_write(c_bio))
c_w = 1;
} else {
fprintf(stderr, "ERROR in CLIENT\n");
ERR_print_errors_fp(stderr);
return (1);
}
} else if (i == 0) {
fprintf(stderr, "SSL CLIENT STARTUP FAILED\n");
return (1);
} else {
/* ok */
c_write = 0;
}
} else {
i = BIO_read(c_bio, cbuf, 100);
if (i < 0) {
c_r = 0;
c_w = 0;
if (BIO_should_retry(c_bio)) {
if (BIO_should_read(c_bio))
c_r = 1;
if (BIO_should_write(c_bio))
c_w = 1;
} else {
fprintf(stderr, "ERROR in CLIENT\n");
ERR_print_errors_fp(stderr);
return (1);
}
} else if (i == 0) {
fprintf(stderr, "SSL CLIENT STARTUP FAILED\n");
return (1);
} else {
done |= C_DONE;
#ifdef undef
fprintf(stdout, "CLIENT:from server:");
fwrite(cbuf, 1, i, stdout);
fflush(stdout);
#endif
}
}
}
if (do_server && !(done & S_DONE)) {
if (!s_write) {
i = BIO_read(s_bio, sbuf, 100);
if (i < 0) {
s_r = 0;
s_w = 0;
if (BIO_should_retry(s_bio)) {
if (BIO_should_read(s_bio))
s_r = 1;
if (BIO_should_write(s_bio))
s_w = 1;
} else {
fprintf(stderr, "ERROR in SERVER\n");
ERR_print_errors_fp(stderr);
return (1);
}
} else if (i == 0) {
fprintf(stderr, "SSL SERVER STARTUP FAILED\n");
return (1);
} else {
s_write = 1;
s_w = 1;
#ifdef undef
fprintf(stdout, "SERVER:from client:");
fwrite(sbuf, 1, i, stdout);
fflush(stdout);
#endif
}
} else {
i = BIO_write(s_bio, "hello from server\n", 18);
if (i < 0) {
s_r = 0;
s_w = 0;
if (BIO_should_retry(s_bio)) {
if (BIO_should_read(s_bio))
s_r = 1;
if (BIO_should_write(s_bio))
s_w = 1;
} else {
fprintf(stderr, "ERROR in SERVER\n");
ERR_print_errors_fp(stderr);
return (1);
}
} else if (i == 0) {
fprintf(stderr, "SSL SERVER STARTUP FAILED\n");
return (1);
} else {
s_write = 0;
s_r = 1;
done |= S_DONE;
}
}
}
if ((done & S_DONE) && (done & C_DONE))
break;
#if defined(OPENSSL_SYS_NETWARE)
ThreadSwitchWithDelay();
#endif
}
SSL_set_shutdown(c_ssl, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
SSL_set_shutdown(s_ssl, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
#ifdef undef
fprintf(stdout, "DONE\n");
#endif
err:
/*
* We have to set the BIO's to NULL otherwise they will be free()ed
* twice. Once when th s_ssl is SSL_free()ed and again when c_ssl is
* SSL_free()ed. This is a hack required because s_ssl and c_ssl are
* sharing the same BIO structure and SSL_set_bio() and SSL_free()
* automatically BIO_free non NULL entries. You should not normally do
* this or be required to do this
*/
if (s_ssl != NULL) {
s_ssl->rbio = NULL;
s_ssl->wbio = NULL;
}
if (c_ssl != NULL) {
c_ssl->rbio = NULL;
c_ssl->wbio = NULL;
}
/* The SSL's are optionally freed in the following calls */
if (c_to_s != NULL)
BIO_free(c_to_s);
if (s_to_c != NULL)
BIO_free(s_to_c);
if (c_bio != NULL)
BIO_free(c_bio);
if (s_bio != NULL)
BIO_free(s_bio);
return (0);
}
// take data from the network, and pass it into SSL. Attempt to read decrypted data from
// SSL socket and pass it to the application.
static ssize_t process_input_ssl( pn_transport_t *transport, unsigned int layer, const char *input_data, size_t available)
{
pni_ssl_t *ssl = transport->ssl;
if (ssl->ssl == NULL && init_ssl_socket(transport, ssl)) return PN_EOS;
ssl_log( transport, "process_input_ssl( data size=%d )",available );
ssize_t consumed = 0;
bool work_pending;
bool shutdown_input = (available == 0); // caller is closed
do {
work_pending = false;
// Write to network bio as much as possible, consuming bytes/available
if (available > 0) {
int written = BIO_write( ssl->bio_net_io, input_data, available );
if (written > 0) {
input_data += written;
available -= written;
consumed += written;
ssl->read_blocked = false;
work_pending = (available > 0);
ssl_log( transport, "Wrote %d bytes to BIO Layer, %d left over", written, available );
}
} else if (shutdown_input) {
// lower layer (caller) has closed. Close the WRITE side of the BIO. This will cause
// an EOF to be passed to SSL once all pending inbound data has been consumed.
ssl_log( transport, "Lower layer closed - shutting down BIO write side");
(void)BIO_shutdown_wr( ssl->bio_net_io );
shutdown_input = false;
}
// Read all available data from the SSL socket
if (!ssl->ssl_closed && ssl->in_count < ssl->in_size) {
int read = BIO_read( ssl->bio_ssl, &ssl->inbuf[ssl->in_count], ssl->in_size - ssl->in_count );
if (read > 0) {
ssl_log( transport, "Read %d bytes from SSL socket for app", read );
ssl_log_clear_data(transport, &ssl->inbuf[ssl->in_count], read );
ssl->in_count += read;
work_pending = true;
} else {
if (!BIO_should_retry(ssl->bio_ssl)) {
int reason = SSL_get_error( ssl->ssl, read );
switch (reason) {
case SSL_ERROR_ZERO_RETURN:
// SSL closed cleanly
ssl_log(transport, "SSL connection has closed");
start_ssl_shutdown(transport); // KAG: not sure - this may not be necessary
ssl->ssl_closed = true;
break;
default:
// unexpected error
return (ssize_t)ssl_failed(transport);
}
} else {
if (BIO_should_write( ssl->bio_ssl )) {
ssl->write_blocked = true;
ssl_log(transport, "Detected write-blocked");
}
if (BIO_should_read( ssl->bio_ssl )) {
ssl->read_blocked = true;
ssl_log(transport, "Detected read-blocked");
}
}
}
}
// write incoming data to app layer
if (!ssl->app_input_closed) {
if (ssl->in_count > 0 || ssl->ssl_closed) { /* if ssl_closed, send 0 count */
ssize_t consumed = transport->io_layers[layer+1]->process_input(transport, layer+1, ssl->inbuf, ssl->in_count);
if (consumed > 0) {
ssl->in_count -= consumed;
if (ssl->in_count)
memmove( ssl->inbuf, ssl->inbuf + consumed, ssl->in_count );
work_pending = true;
ssl_log( transport, "Application consumed %d bytes from peer", (int) consumed );
} else if (consumed < 0) {
ssl_log(transport, "Application layer closed its input, error=%d (discarding %d bytes)",
(int) consumed, (int)ssl->in_count);
ssl->in_count = 0; // discard any pending input
ssl->app_input_closed = consumed;
if (ssl->app_output_closed && ssl->out_count == 0) {
// both sides of app closed, and no more app output pending:
start_ssl_shutdown(transport);
}
} else {
// app did not consume any bytes, must be waiting for a full frame
if (ssl->in_count == ssl->in_size) {
// but the buffer is full, not enough room for a full frame.
// can we grow the buffer?
uint32_t max_frame = pn_transport_get_max_frame(transport);
if (!max_frame) max_frame = ssl->in_size * 2; // no limit
if (ssl->in_size < max_frame) {
// no max frame limit - grow it.
size_t newsize = pn_min(max_frame, ssl->in_size * 2);
char *newbuf = (char *)realloc( ssl->inbuf, newsize );
if (newbuf) {
ssl->in_size = newsize;
ssl->inbuf = newbuf;
work_pending = true; // can we get more input?
}
} else {
// can't gather any more input, but app needs more?
// This is a bug - since SSL can buffer up to max-frame,
// the application _must_ have enough data to process. If
// this is an oversized frame, the app _must_ handle it
// by returning an error code to SSL.
pn_transport_log(transport, "Error: application unable to consume input.");
}
}
}
}
}
} while (work_pending);
//_log(ssl, "ssl_closed=%d in_count=%d app_input_closed=%d app_output_closed=%d",
// ssl->ssl_closed, ssl->in_count, ssl->app_input_closed, ssl->app_output_closed );
// PROTON-82: Instead, close the input side as soon as we've completed enough of the SSL
// shutdown handshake to send the close_notify. We're not requiring the response, as
// some implementations never reply.
// ---
// tell transport our input side is closed if the SSL socket cannot be read from any
// longer, AND any pending input has been written up to the application (or the
// application is closed)
//if (ssl->ssl_closed && ssl->app_input_closed) {
// consumed = ssl->app_input_closed;
//}
if (ssl->app_input_closed && (SSL_get_shutdown(ssl->ssl) & SSL_SENT_SHUTDOWN) ) {
consumed = ssl->app_input_closed;
if (transport->io_layers[layer]==&ssl_output_closed_layer) {
transport->io_layers[layer] = &ssl_closed_layer;
} else {
transport->io_layers[layer] = &ssl_input_closed_layer;
}
}
ssl_log(transport, "process_input_ssl() returning %d", (int) consumed);
return consumed;
}
static ssize_t process_output_ssl( pn_transport_t *transport, unsigned int layer, char *buffer, size_t max_len)
{
pni_ssl_t *ssl = transport->ssl;
if (!ssl) return PN_EOS;
if (ssl->ssl == NULL && init_ssl_socket(transport, ssl)) return PN_EOS;
ssize_t written = 0;
bool work_pending;
do {
work_pending = false;
// first, get any pending application output, if possible
if (!ssl->app_output_closed && ssl->out_count < ssl->out_size) {
ssize_t app_bytes = transport->io_layers[layer+1]->process_output(transport, layer+1, &ssl->outbuf[ssl->out_count], ssl->out_size - ssl->out_count);
if (app_bytes > 0) {
ssl->out_count += app_bytes;
work_pending = true;
ssl_log(transport, "Gathered %d bytes from app to send to peer", app_bytes );
} else {
if (app_bytes < 0) {
ssl_log(transport, "Application layer closed its output, error=%d (%d bytes pending send)",
(int) app_bytes, (int) ssl->out_count);
ssl->app_output_closed = app_bytes;
}
}
}
// now push any pending app data into the socket
if (!ssl->ssl_closed) {
char *data = ssl->outbuf;
if (ssl->out_count > 0) {
int wrote = BIO_write( ssl->bio_ssl, data, ssl->out_count );
if (wrote > 0) {
data += wrote;
ssl->out_count -= wrote;
work_pending = true;
ssl_log( transport, "Wrote %d bytes from app to socket", wrote );
} else {
if (!BIO_should_retry(ssl->bio_ssl)) {
int reason = SSL_get_error( ssl->ssl, wrote );
switch (reason) {
case SSL_ERROR_ZERO_RETURN:
// SSL closed cleanly
ssl_log(transport, "SSL connection has closed");
start_ssl_shutdown(transport); // KAG: not sure - this may not be necessary
ssl->out_count = 0; // can no longer write to socket, so erase app output data
ssl->ssl_closed = true;
break;
default:
// unexpected error
return (ssize_t)ssl_failed(transport);
}
} else {
if (BIO_should_read( ssl->bio_ssl )) {
ssl->read_blocked = true;
ssl_log(transport, "Detected read-blocked");
}
if (BIO_should_write( ssl->bio_ssl )) {
ssl->write_blocked = true;
ssl_log(transport, "Detected write-blocked");
}
}
}
}
if (ssl->out_count == 0) {
if (ssl->app_input_closed && ssl->app_output_closed) {
// application is done sending/receiving data, and all buffered output data has
// been written to the SSL socket
start_ssl_shutdown(transport);
}
} else if (data != ssl->outbuf) {
memmove( ssl->outbuf, data, ssl->out_count );
}
}
// read from the network bio as much as possible, filling the buffer
if (max_len) {
int available = BIO_read( ssl->bio_net_io, buffer, max_len );
if (available > 0) {
max_len -= available;
buffer += available;
written += available;
ssl->write_blocked = false;
work_pending = work_pending || max_len > 0;
ssl_log(transport, "Read %d bytes from BIO Layer", available );
}
}
} while (work_pending);
//_log(ssl, "written=%d ssl_closed=%d in_count=%d app_input_closed=%d app_output_closed=%d bio_pend=%d",
// written, ssl->ssl_closed, ssl->in_count, ssl->app_input_closed, ssl->app_output_closed, BIO_pending(ssl->bio_net_io) );
// PROTON-82: close the output side as soon as we've sent the SSL close_notify.
// We're not requiring the response, as some implementations never reply.
// ----
// Once no more data is available "below" the SSL socket, tell the transport we are
// done.
//if (written == 0 && ssl->ssl_closed && BIO_pending(ssl->bio_net_io) == 0) {
// written = ssl->app_output_closed ? ssl->app_output_closed : PN_EOS;
//}
if (written == 0 && (SSL_get_shutdown(ssl->ssl) & SSL_SENT_SHUTDOWN) && BIO_pending(ssl->bio_net_io) == 0) {
written = ssl->app_output_closed ? ssl->app_output_closed : PN_EOS;
if (transport->io_layers[layer]==&ssl_input_closed_layer) {
transport->io_layers[layer] = &ssl_closed_layer;
} else {
transport->io_layers[layer] = &ssl_output_closed_layer;
}
}
ssl_log(transport, "process_output_ssl() returning %d", (int) written);
return written;
}
void *netConnectHttpsThread(void *threadParam)
/* use a thread to run socket back to user */
{
/* child */
struct netConnectHttpsParams *params = threadParam;
pthread_detach(params->thread); // this thread will never join back with it's progenitor
int fd=0;
char hostnameProto[256];
BIO *sbio;
SSL_CTX *ctx;
SSL *ssl;
openSslInit();
ctx = SSL_CTX_new(SSLv23_client_method());
fd_set readfds;
fd_set writefds;
int err;
struct timeval tv;
/* TODO checking certificates
char *certFile = NULL;
char *certPath = NULL;
if (certFile || certPath)
{
SSL_CTX_load_verify_locations(ctx,certFile,certPath);
#if (OPENSSL_VERSION_NUMBER < 0x0090600fL)
SSL_CTX_set_verify_depth(ctx,1);
#endif
}
// verify paths and mode.
*/
sbio = BIO_new_ssl_connect(ctx);
BIO_get_ssl(sbio, &ssl);
if(!ssl)
{
xerr("Can't locate SSL pointer");
goto cleanup;
}
/* Don't want any retries since we are non-blocking bio now */
//SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
safef(hostnameProto,sizeof(hostnameProto),"%s:%d",params->hostName,params->port);
BIO_set_conn_hostname(sbio, hostnameProto);
BIO_set_nbio(sbio, 1); /* non-blocking mode */
while (1)
{
if (BIO_do_connect(sbio) == 1)
{
break; /* Connected */
}
if (! BIO_should_retry(sbio))
{
xerr("BIO_do_connect() failed");
char s[256];
safef(s, sizeof s, "SSL error: %s", ERR_reason_error_string(ERR_get_error()));
xerr(s);
goto cleanup;
}
fd = BIO_get_fd(sbio, NULL);
if (fd == -1)
{
xerr("unable to get BIO descriptor");
goto cleanup;
}
FD_ZERO(&readfds);
FD_ZERO(&writefds);
if (BIO_should_read(sbio))
{
FD_SET(fd, &readfds);
}
else if (BIO_should_write(sbio))
{
FD_SET(fd, &writefds);
}
else
{ /* BIO_should_io_special() */
FD_SET(fd, &readfds);
FD_SET(fd, &writefds);
}
tv.tv_sec = 10; // timeout
tv.tv_usec = 0;
err = select(fd + 1, &readfds, &writefds, NULL, &tv);
if (err < 0)
{
xerr("select() error");
goto cleanup;
}
if (err == 0)
{
char s[256];
safef(s, sizeof s, "connection timeout to %s", params->hostName);
xerr(s);
goto cleanup;
}
}
/* TODO checking certificates
if (certFile || certPath)
if (!check_cert(ssl, host))
return -1;
*/
/* we need to wait on both the user's socket and the BIO SSL socket
* to see if we need to ferry data from one to the other */
char sbuf[32768]; // socket buffer sv[1] to user
char bbuf[32768]; // bio buffer
int srd = 0;
int swt = 0;
int brd = 0;
int bwt = 0;
while (1)
{
// Do NOT move this outside the while loop.
/* Get underlying file descriptor, needed for select call */
fd = BIO_get_fd(sbio, NULL);
if (fd == -1)
{
xerr("BIO doesn't seem to be initialized in https, unable to get descriptor.");
goto cleanup;
}
FD_ZERO(&readfds);
FD_ZERO(&writefds);
if (brd == 0)
FD_SET(fd, &readfds);
if (swt < srd)
FD_SET(fd, &writefds);
if (srd == 0)
FD_SET(params->sv[1], &readfds);
tv.tv_sec = 10; // timeout
tv.tv_usec = 0;
err = select(max(fd,params->sv[1]) + 1, &readfds, &writefds, NULL, &tv);
/* Evaluate select() return code */
if (err < 0)
{
xerr("error during select()");
goto cleanup;
}
else if (err == 0)
{
/* Timed out - just quit */
xerr("https timeout expired");
goto cleanup;
}
else
{
if (FD_ISSET(params->sv[1], &readfds))
{
swt = 0;
srd = read(params->sv[1], sbuf, 32768);
if (srd == -1)
{
if (errno != 104) // udcCache often closes causing "Connection reset by peer"
xerrno("error reading https socket");
goto cleanup;
}
if (srd == 0)
break; // user closed socket, we are done
}
if (FD_ISSET(fd, &writefds))
{
int swtx = BIO_write(sbio, sbuf+swt, srd-swt);
if (swtx <= 0)
{
if (!BIO_should_write(sbio))
{
ERR_print_errors_fp(stderr);
xerr("Error writing SSL connection");
goto cleanup;
}
}
else
{
swt += swtx;
if (swt >= srd)
{
swt = 0;
srd = 0;
}
}
}
if (FD_ISSET(fd, &readfds))
{
bwt = 0;
brd = BIO_read(sbio, bbuf, 32768);
if (brd <= 0)
{
if (BIO_should_read(sbio))
{
brd = 0;
continue;
}
else
{
if (brd == 0) break;
ERR_print_errors_fp(stderr);
xerr("Error reading SSL connection");
goto cleanup;
}
}
// write the https data received immediately back on socket to user, and it's ok if it blocks.
while(bwt < brd)
{
int bwtx = write(params->sv[1], bbuf+bwt, brd-bwt);
if (bwtx == -1)
{
if ((errno != 104) // udcCache often closes causing "Connection reset by peer"
&& (errno != 32)) // udcCache often closes causing "Broken pipe"
xerrno("error writing https data back to user socket");
goto cleanup;
}
bwt += bwtx;
}
brd = 0;
bwt = 0;
}
}
}
cleanup:
BIO_free_all(sbio);
close(params->sv[1]); /* we are done with it */
return NULL;
}
/* This function reads a decrypted stream and returns an encrypted stream. */
static apr_status_t ssl_encrypt(void *baton, apr_size_t bufsize,
char *buf, apr_size_t *len)
{
const char *data;
apr_size_t interim_bufsize;
serf_ssl_context_t *ctx = baton;
apr_status_t status;
#ifdef SSL_VERBOSE
printf("ssl_encrypt: begin %d\n", bufsize);
#endif
/* Try to read already encrypted but unread data first. */
status = serf_bucket_read(ctx->encrypt.pending, bufsize, &data, len);
if (SERF_BUCKET_READ_ERROR(status)) {
return status;
}
/* Aha, we read something. Return that now. */
if (*len) {
memcpy(buf, data, *len);
if (APR_STATUS_IS_EOF(status)) {
status = APR_SUCCESS;
}
#ifdef SSL_VERBOSE
printf("ssl_encrypt: %d %d %d (quick read)\n", status, *len,
BIO_get_retry_flags(ctx->bio));
#endif
return status;
}
if (BIO_should_retry(ctx->bio) && BIO_should_write(ctx->bio)) {
#ifdef SSL_VERBOSE
printf("ssl_encrypt: %d %d %d (should write exit)\n", status, *len,
BIO_get_retry_flags(ctx->bio));
#endif
return APR_EAGAIN;
}
/* If we were previously blocked, unblock ourselves now. */
if (BIO_should_read(ctx->bio)) {
#ifdef SSL_VERBOSE
printf("ssl_encrypt: reset %d %d (%d %d %d)\n", status,
ctx->encrypt.status,
BIO_should_retry(ctx->bio), BIO_should_read(ctx->bio),
BIO_get_retry_flags(ctx->bio));
#endif
ctx->encrypt.status = APR_SUCCESS;
ctx->encrypt.exhausted_reset = 0;
}
/* Oh well, read from our stream now. */
interim_bufsize = bufsize;
do {
apr_size_t interim_len;
if (!ctx->encrypt.status) {
struct iovec vecs[64];
int vecs_read;
status = serf_bucket_read_iovec(ctx->encrypt.stream,
interim_bufsize, 64, vecs,
&vecs_read);
if (!SERF_BUCKET_READ_ERROR(status) && vecs_read) {
char *vecs_data;
int i, cur, vecs_data_len;
int ssl_len;
/* Combine the buffers of the iovec into one buffer, as
that is with SSL_write requires. */
vecs_data_len = 0;
for (i = 0; i < vecs_read; i++) {
vecs_data_len += vecs[i].iov_len;
}
vecs_data = serf_bucket_mem_alloc(ctx->allocator,
vecs_data_len);
cur = 0;
for (i = 0; i < vecs_read; i++) {
memcpy(vecs_data + cur, vecs[i].iov_base, vecs[i].iov_len);
cur += vecs[i].iov_len;
}
interim_bufsize -= vecs_data_len;
interim_len = vecs_data_len;
#ifdef SSL_VERBOSE
printf("ssl_encrypt: bucket read %d bytes; status %d\n",
interim_len, status);
printf("---\n%s\n-(%d)-\n", vecs_data, interim_len);
#endif
/* Stash our status away. */
ctx->encrypt.status = status;
ssl_len = SSL_write(ctx->ssl, vecs_data, interim_len);
#ifdef SSL_VERBOSE
printf("ssl_encrypt: SSL write: %d\n", ssl_len);
#endif
/* We're done. */
serf_bucket_mem_free(ctx->allocator, vecs_data);
/* If we failed to write... */
if (ssl_len < 0) {
int ssl_err;
/* Ah, bugger. We need to put that data back. */
serf_bucket_aggregate_prepend_iovec(ctx->encrypt.stream,
vecs, vecs_read);
ssl_err = SSL_get_error(ctx->ssl, ssl_len);
#ifdef SSL_VERBOSE
printf("ssl_encrypt: SSL write error: %d\n", ssl_err);
#endif
if (ssl_err == SSL_ERROR_SYSCALL) {
status = ctx->encrypt.status;
if (SERF_BUCKET_READ_ERROR(status)) {
return status;
}
}
else {
/* Oh, no. */
if (ssl_err == SSL_ERROR_WANT_READ) {
status = SERF_ERROR_WAIT_CONN;
}
else {
status = APR_EGENERAL;
}
}
#ifdef SSL_VERBOSE
printf("ssl_encrypt: SSL write error: %d %d\n", status, *len);
#endif
}
}
}
else {
interim_len = 0;
*len = 0;
status = ctx->encrypt.status;
}
} while (!status && interim_bufsize);
/* Okay, we exhausted our underlying stream. */
if (!SERF_BUCKET_READ_ERROR(status)) {
apr_status_t agg_status;
struct iovec vecs[64];
int vecs_read, i;
/* We read something! */
agg_status = serf_bucket_read_iovec(ctx->encrypt.pending, bufsize,
64, vecs, &vecs_read);
*len = 0;
for (i = 0; i < vecs_read; i++) {
memcpy(buf + *len, vecs[i].iov_base, vecs[i].iov_len);
*len += vecs[i].iov_len;
}
#ifdef SSL_VERBOSE
printf("ssl_encrypt read agg: %d %d %d %d\n", status, agg_status,
ctx->encrypt.status, *len);
#endif
if (!agg_status) {
status = agg_status;
}
}
if (status == SERF_ERROR_WAIT_CONN
&& BIO_should_retry(ctx->bio) && BIO_should_read(ctx->bio)) {
ctx->encrypt.exhausted = ctx->encrypt.status;
ctx->encrypt.status = SERF_ERROR_WAIT_CONN;
}
#ifdef SSL_VERBOSE
printf("ssl_encrypt finished: %d %d (%d %d %d)\n", status, *len,
BIO_should_retry(ctx->bio), BIO_should_read(ctx->bio),
BIO_get_retry_flags(ctx->bio));
#endif
return status;
}
/**
* oh_ssl_connect
* @hostname: Name of target host. Format:
* "hostname:port" or "IPaddress:port"
* @ctx: pointer to SSL_CTX as returned by oh_ssl_ctx_init()
* @timeout: maximum number of seconds to wait for a connection to
* hostname, or zero to wait forever
*
* Create and open a new ssl conection to the specified host.
*
* Return value: pointer to BIO, or NULL for failure
**/
BIO *oh_ssl_connect(char *hostname, SSL_CTX *ctx, long timeout)
{
BIO *bio;
SSL *ssl;
fd_set readfds;
fd_set writefds;
struct timeval tv;
int fd;
int err;
if (hostname == NULL) {
err("NULL hostname in oh_ssl_connect()");
return(NULL);
}
if (ctx == NULL) {
err("NULL ctx in oh_ssl_connect()");
return(NULL);
}
if (timeout < 0) {
err("inappropriate timeout in oh_ssl_connect()");
return(NULL);
}
/* Start with a new SSL BIO */
bio = BIO_new_ssl_connect(ctx);
if (bio == NULL) {
err("BIO_new_ssl_connect() failed");
return(NULL);
}
/* Set up connection parameters for this BIO */
BIO_set_conn_hostname(bio, hostname);
BIO_set_nbio(bio, 1); /* Set underlying socket to
* non-blocking mode
*/
/* Set up SSL session parameters */
BIO_get_ssl(bio, &ssl);
if (ssl == NULL) {
err("BIO_get_ssl() failed");
BIO_free_all(bio);
return(NULL);
}
SSL_set_mode(ssl, SSL_MODE_ENABLE_PARTIAL_WRITE);
/* Ready to open the connection. Note that this call will probably
* take a while, so we need to retry it, watching for a timeout.
*/
while (1) {
if (BIO_do_connect(bio) == 1) {
break; /* Connection established */
}
if (! BIO_should_retry(bio)) { /* Hard error? */
err("BIO_do_connect() failed");
err("SSL error: %s",
ERR_reason_error_string(ERR_get_error()));
BIO_free_all(bio);
return(NULL);
}
/* Wait until there's a change in the socket's status or until
* the timeout period.
*
* Get underlying file descriptor, needed for the select call.
*/
fd = BIO_get_fd(bio, NULL);
if (fd == -1) {
err("BIO isn't initialized in oh_ssl_connect()");
BIO_free_all(bio);
return(NULL);
}
FD_ZERO(&readfds);
FD_ZERO(&writefds);
if (BIO_should_read(bio)) {
FD_SET(fd, &readfds);
}
else if (BIO_should_write(bio)) {
FD_SET(fd, &writefds);
}
else { /* This is BIO_should_io_special().
* Not sure what "special" needs to
* wait for, but both read and write
* seems to work without unnecessary
* retries.
*/
FD_SET(fd, &readfds);
FD_SET(fd, &writefds);
}
if (timeout) {
tv.tv_sec = timeout;
tv.tv_usec = 0;
err = select(fd + 1, &readfds, &writefds, NULL, &tv);
}
else { /* No timeout */
err = select(fd + 1, &readfds, &writefds, NULL, NULL);
}
/* Evaluate select() return code */
if (err < 0) {
err("error during select()");
BIO_free_all(bio);
return(NULL);
}
if (err == 0) {
err("connection timeout to %s", hostname);
BIO_free_all(bio);
return(NULL); /* Timeout */
}
}
/* TODO: Do I need to set the client or server mode here? I don't
* think so.
*/
return(bio);
}
NOEXPORT OCSP_RESPONSE *ocsp_get_response(CLI *c,
OCSP_REQUEST *req, char *url) {
BIO *bio=NULL;
OCSP_REQ_CTX *req_ctx=NULL;
OCSP_RESPONSE *resp=NULL;
int err;
char *host=NULL, *port=NULL, *path=NULL;
SOCKADDR_UNION addr;
int ssl;
/* parse the OCSP URL */
if(!OCSP_parse_url(url, &host, &port, &path, &ssl)) {
s_log(LOG_ERR, "OCSP: Failed to parse the OCSP URL");
goto cleanup;
}
if(ssl) {
s_log(LOG_ERR, "OCSP: SSL not supported for OCSP"
" - additional stunnel service needs to be defined");
goto cleanup;
}
memset(&addr, 0, sizeof addr);
addr.in.sin_family=AF_INET;
if(!hostport2addr(&addr, host, port)) {
s_log(LOG_ERR, "OCSP: Failed to resolve the OCSP server address");
goto cleanup;
}
/* connect specified OCSP server (responder) */
c->fd=s_socket(addr.sa.sa_family, SOCK_STREAM, 0, 1, "OCSP: socket");
if(c->fd<0)
goto cleanup;
if(s_connect(c, &addr, addr_len(&addr)))
goto cleanup;
bio=BIO_new_fd(c->fd, BIO_NOCLOSE);
if(!bio)
goto cleanup;
s_log(LOG_DEBUG, "OCSP: response retrieved");
/* OCSP protocol communication loop */
req_ctx=OCSP_sendreq_new(bio, path, req, -1);
if(!req_ctx) {
sslerror("OCSP: OCSP_sendreq_new");
goto cleanup;
}
while(OCSP_sendreq_nbio(&resp, req_ctx)==-1) {
s_poll_init(c->fds);
s_poll_add(c->fds, c->fd, BIO_should_read(bio), BIO_should_write(bio));
err=s_poll_wait(c->fds, c->opt->timeout_busy, 0);
if(err==-1)
sockerror("OCSP: s_poll_wait");
if(err==0)
s_log(LOG_INFO, "OCSP: s_poll_wait: TIMEOUTbusy exceeded");
if(err<=0)
goto cleanup;
}
#if 0
s_log(LOG_DEBUG, "OCSP: context state: 0x%x", *(int *)req_ctx);
#endif
/* http://www.mail-archive.com/[email protected]/msg61691.html */
if(resp) {
s_log(LOG_DEBUG, "OCSP: request completed");
} else {
if(ERR_peek_error())
sslerror("OCSP: OCSP_sendreq_nbio");
else /* OpenSSL error: OCSP_sendreq_nbio does not use OCSPerr */
s_log(LOG_ERR, "OCSP: OCSP_sendreq_nbio: OpenSSL internal error");
}
cleanup:
if(req_ctx)
OCSP_REQ_CTX_free(req_ctx);
if(bio)
BIO_free_all(bio);
if(c->fd>=0) {
closesocket(c->fd);
c->fd=-1; /* avoid double close on cleanup */
}
if(host)
OPENSSL_free(host);
if(port)
OPENSSL_free(port);
if(path)
OPENSSL_free(path);
return resp;
}
static int watchccs_write(BIO *bio, const char *in, int inl)
{
int ret = 0;
BIO *next = BIO_next(bio);
PACKET pkt, msg, msgbody, sessionid;
unsigned int rectype, recvers, msgtype, expectedrecvers;
if (inl <= 0)
return 0;
if (next == NULL)
return 0;
BIO_clear_retry_flags(bio);
if (!PACKET_buf_init(&pkt, (const unsigned char *)in, inl))
return 0;
/* We assume that we always write complete records each time */
while (PACKET_remaining(&pkt)) {
if (!PACKET_get_1(&pkt, &rectype)
|| !PACKET_get_net_2(&pkt, &recvers)
|| !PACKET_get_length_prefixed_2(&pkt, &msg))
return 0;
expectedrecvers = TLS1_2_VERSION;
if (rectype == SSL3_RT_HANDSHAKE) {
if (!PACKET_get_1(&msg, &msgtype)
|| !PACKET_get_length_prefixed_3(&msg, &msgbody))
return 0;
if (msgtype == SSL3_MT_CLIENT_HELLO) {
chseen++;
/*
* Skip legacy_version (2 bytes) and Random (32 bytes) to read
* session_id.
*/
if (!PACKET_forward(&msgbody, 34)
|| !PACKET_get_length_prefixed_1(&msgbody, &sessionid))
return 0;
if (chseen == 1) {
expectedrecvers = TLS1_VERSION;
/* Save the session id for later */
chsessidlen = PACKET_remaining(&sessionid);
if (!PACKET_copy_bytes(&sessionid, chsessid, chsessidlen))
return 0;
} else {
/*
* Check the session id for the second ClientHello is the
* same as the first one.
*/
if (PACKET_remaining(&sessionid) != chsessidlen
|| (chsessidlen > 0
&& memcmp(chsessid, PACKET_data(&sessionid),
chsessidlen) != 0))
badsessid = 1;
}
} else if (msgtype == SSL3_MT_SERVER_HELLO) {
shseen++;
/*
* Skip legacy_version (2 bytes) and Random (32 bytes) to read
* session_id.
*/
if (!PACKET_forward(&msgbody, 34)
|| !PACKET_get_length_prefixed_1(&msgbody, &sessionid))
return 0;
/*
* Check the session id is the same as the one in the
* ClientHello
*/
if (PACKET_remaining(&sessionid) != chsessidlen
|| (chsessidlen > 0
&& memcmp(chsessid, PACKET_data(&sessionid),
chsessidlen) != 0))
badsessid = 1;
}
} else if (rectype == SSL3_RT_CHANGE_CIPHER_SPEC) {
if (bio == s_to_c_fbio) {
/*
* Server writing. We shouldn't have written any app data
* yet, and we should have seen both the ClientHello and the
* ServerHello
*/
if (!sappdataseen
&& chseen == 1
&& shseen == 1
&& !sccsseen)
sccsseen = 1;
else
badccs = 1;
} else if (!cappdataseen) {
/*
* Client writing. We shouldn't have written any app data
* yet, and we should have seen the ClientHello
*/
if (shseen == 1 && !ccsaftersh)
ccsaftersh = 1;
else if (shseen == 0 && !ccsbeforesh)
ccsbeforesh = 1;
else
badccs = 1;
} else {
badccs = 1;
}
} else if(rectype == SSL3_RT_APPLICATION_DATA) {
if (bio == s_to_c_fbio)
sappdataseen = 1;
else
cappdataseen = 1;
}
if (recvers != expectedrecvers)
badvers = 1;
}
ret = BIO_write(next, in, inl);
if (ret <= 0 && BIO_should_write(next))
BIO_set_retry_write(bio);
return ret;
}
int doit(SSL *s_ssl, SSL *c_ssl, long count)
{
MS_STATIC char cbuf[1024*8],sbuf[1024*8];
long cw_num=count,cr_num=count;
long sw_num=count,sr_num=count;
int ret=1;
BIO *c_to_s=NULL;
BIO *s_to_c=NULL;
BIO *c_bio=NULL;
BIO *s_bio=NULL;
int c_r,c_w,s_r,s_w;
int c_want,s_want;
int i,j;
int done=0;
int c_write,s_write;
int do_server=0,do_client=0;
memset(cbuf,0,sizeof(cbuf));
memset(sbuf,0,sizeof(sbuf));
c_to_s=BIO_new(BIO_s_mem());
s_to_c=BIO_new(BIO_s_mem());
if ((s_to_c == NULL) || (c_to_s == NULL))
{
ERR_print_errors(bio_err);
goto err;
}
c_bio=BIO_new(BIO_f_ssl());
s_bio=BIO_new(BIO_f_ssl());
if ((c_bio == NULL) || (s_bio == NULL))
{
ERR_print_errors(bio_err);
goto err;
}
SSL_set_connect_state(c_ssl);
SSL_set_bio(c_ssl,s_to_c,c_to_s);
BIO_set_ssl(c_bio,c_ssl,BIO_NOCLOSE);
SSL_set_accept_state(s_ssl);
SSL_set_bio(s_ssl,c_to_s,s_to_c);
BIO_set_ssl(s_bio,s_ssl,BIO_NOCLOSE);
c_r=0; s_r=1;
c_w=1; s_w=0;
c_want=W_WRITE;
s_want=0;
c_write=1,s_write=0;
/* We can always do writes */
for (;;)
{
do_server=0;
do_client=0;
i=(int)BIO_pending(s_bio);
if ((i && s_r) || s_w) do_server=1;
i=(int)BIO_pending(c_bio);
if ((i && c_r) || c_w) do_client=1;
if (do_server && debug)
{
if (SSL_in_init(s_ssl))
printf("server waiting in SSL_accept - %s\n",
SSL_state_string_long(s_ssl));
/* else if (s_write)
printf("server:SSL_write()\n");
else
printf("server:SSL_read()\n"); */
}
if (do_client && debug)
{
if (SSL_in_init(c_ssl))
printf("client waiting in SSL_connect - %s\n",
SSL_state_string_long(c_ssl));
/* else if (c_write)
printf("client:SSL_write()\n");
else
printf("client:SSL_read()\n"); */
}
if (!do_client && !do_server)
{
fprintf(stdout,"ERROR IN STARTUP\n");
ERR_print_errors(bio_err);
break;
}
if (do_client && !(done & C_DONE))
{
if (c_write)
{
j=(cw_num > (long)sizeof(cbuf))
?sizeof(cbuf):(int)cw_num;
i=BIO_write(c_bio,cbuf,j);
if (i < 0)
{
c_r=0;
c_w=0;
if (BIO_should_retry(c_bio))
{
if (BIO_should_read(c_bio))
c_r=1;
if (BIO_should_write(c_bio))
c_w=1;
}
else
{
fprintf(stderr,"ERROR in CLIENT\n");
ERR_print_errors(bio_err);
goto err;
}
}
else if (i == 0)
{
fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
goto err;
}
else
{
if (debug)
printf("client wrote %d\n",i);
/* ok */
s_r=1;
c_write=0;
cw_num-=i;
}
}
else
{
i=BIO_read(c_bio,cbuf,sizeof(cbuf));
if (i < 0)
{
c_r=0;
c_w=0;
if (BIO_should_retry(c_bio))
{
if (BIO_should_read(c_bio))
c_r=1;
if (BIO_should_write(c_bio))
c_w=1;
}
else
{
fprintf(stderr,"ERROR in CLIENT\n");
ERR_print_errors(bio_err);
goto err;
}
}
else if (i == 0)
{
fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
goto err;
}
else
{
if (debug)
printf("client read %d\n",i);
cr_num-=i;
if (sw_num > 0)
{
s_write=1;
s_w=1;
}
if (cr_num <= 0)
{
s_write=1;
s_w=1;
done=S_DONE|C_DONE;
}
}
}
}
if (do_server && !(done & S_DONE))
{
if (!s_write)
{
i=BIO_read(s_bio,sbuf,sizeof(cbuf));
if (i < 0)
{
s_r=0;
s_w=0;
if (BIO_should_retry(s_bio))
{
if (BIO_should_read(s_bio))
s_r=1;
if (BIO_should_write(s_bio))
s_w=1;
}
else
{
fprintf(stderr,"ERROR in SERVER\n");
ERR_print_errors(bio_err);
goto err;
}
}
else if (i == 0)
{
ERR_print_errors(bio_err);
fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_read\n");
goto err;
}
else
{
if (debug)
printf("server read %d\n",i);
sr_num-=i;
if (cw_num > 0)
{
c_write=1;
c_w=1;
}
if (sr_num <= 0)
{
s_write=1;
s_w=1;
c_write=0;
}
}
}
else
{
j=(sw_num > (long)sizeof(sbuf))?
sizeof(sbuf):(int)sw_num;
i=BIO_write(s_bio,sbuf,j);
if (i < 0)
{
s_r=0;
s_w=0;
if (BIO_should_retry(s_bio))
{
if (BIO_should_read(s_bio))
s_r=1;
if (BIO_should_write(s_bio))
s_w=1;
}
else
{
fprintf(stderr,"ERROR in SERVER\n");
ERR_print_errors(bio_err);
goto err;
}
}
else if (i == 0)
{
ERR_print_errors(bio_err);
fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_write\n");
goto err;
}
else
{
if (debug)
printf("server wrote %d\n",i);
sw_num-=i;
s_write=0;
c_r=1;
if (sw_num <= 0)
done|=S_DONE;
}
}
}
if ((done & S_DONE) && (done & C_DONE)) break;
}
if (verbose)
print_details(c_ssl, "DONE: ");
ret=0;
err:
/* We have to set the BIO's to NULL otherwise they will be
* OPENSSL_free()ed twice. Once when th s_ssl is SSL_free()ed and
* again when c_ssl is SSL_free()ed.
* This is a hack required because s_ssl and c_ssl are sharing the same
* BIO structure and SSL_set_bio() and SSL_free() automatically
* BIO_free non NULL entries.
* You should not normally do this or be required to do this */
if (s_ssl != NULL)
{
s_ssl->rbio=NULL;
s_ssl->wbio=NULL;
}
if (c_ssl != NULL)
{
c_ssl->rbio=NULL;
c_ssl->wbio=NULL;
}
if (c_to_s != NULL) BIO_free(c_to_s);
if (s_to_c != NULL) BIO_free(s_to_c);
if (c_bio != NULL) BIO_free_all(c_bio);
if (s_bio != NULL) BIO_free_all(s_bio);
return(ret);
}
