int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chunkqueue *cq, off_t max_bytes) {
int ssl_r;
chunk *c;
/* this is a 64k sendbuffer
*
* it has to stay at the same location all the time to satisfy the needs
* of SSL_write to pass the SAME parameter in case of a _WANT_WRITE
*
* the buffer is allocated once, is NOT realloced and is NOT freed at shutdown
* -> we expect a 64k block to 'leak' in valgrind
*
*
* In reality we would like to use mmap() but we don't have a guarantee that
* we get the same mmap() address for each call. On openbsd the mmap() address
* even randomized.
* That means either we keep the mmap() open or we do a read() into a
* constant buffer
* */
#define LOCAL_SEND_BUFSIZE (64 * 1024)
static char *local_send_buffer = NULL;
/* the remote side closed the connection before without shutdown request
* - IE
* - wget
* if keep-alive is disabled */
if (con->keep_alive == 0) {
SSL_set_shutdown(ssl, SSL_RECEIVED_SHUTDOWN);
}
for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) {
int chunk_finished = 0;
switch(c->type) {
case MEM_CHUNK: {
char * offset;
off_t toSend;
ssize_t r;
if (c->mem->used == 0 || c->mem->used == 1) {
chunk_finished = 1;
break;
}
offset = c->mem->ptr + c->offset;
toSend = c->mem->used - 1 - c->offset;
if (toSend > max_bytes) toSend = max_bytes;
/**
* SSL_write man-page
*
* WARNING
* When an SSL_write() operation has to be repeated because of
* SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE, it must be
* repeated with the same arguments.
*
*/
ERR_clear_error();
r = SSL_write(ssl, offset, toSend);
if (con->renegotiations > 1 && con->conf.ssl_disable_client_renegotiation) {
log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client, killing connection");
return -1;
}
if (r <= 0) {
unsigned long err;
switch ((ssl_r = SSL_get_error(ssl, r))) {
case SSL_ERROR_WANT_WRITE:
break;
case SSL_ERROR_SYSCALL:
/* perhaps we have error waiting in our error-queue */
if (0 != (err = ERR_get_error())) {
do {
log_error_write(srv, __FILE__, __LINE__, "sdds", "SSL:",
ssl_r, r,
ERR_error_string(err, NULL));
} while((err = ERR_get_error()));
} else if (r == -1) {
/* no, but we have errno */
switch(errno) {
case EPIPE:
case ECONNRESET:
return -2;
default:
log_error_write(srv, __FILE__, __LINE__, "sddds", "SSL:",
ssl_r, r, errno,
strerror(errno));
break;
}
} else {
/* neither error-queue nor errno ? */
log_error_write(srv, __FILE__, __LINE__, "sddds", "SSL (error):",
ssl_r, r, errno,
strerror(errno));
}
return -1;
case SSL_ERROR_ZERO_RETURN:
/* clean shutdown on the remote side */
if (r == 0) return -2;
/* fall through */
default:
while((err = ERR_get_error())) {
log_error_write(srv, __FILE__, __LINE__, "sdds", "SSL:",
ssl_r, r,
ERR_error_string(err, NULL));
}
return -1;
}
} else {
c->offset += r;
cq->bytes_out += r;
max_bytes -= r;
}
if (c->offset == (off_t)c->mem->used - 1) {
chunk_finished = 1;
}
break;
}
case FILE_CHUNK: {
char *s;
ssize_t r;
stat_cache_entry *sce = NULL;
int ifd;
int write_wait = 0;
if (HANDLER_ERROR == stat_cache_get_entry(srv, con, c->file.name, &sce)) {
log_error_write(srv, __FILE__, __LINE__, "sb",
strerror(errno), c->file.name);
return -1;
}
if (NULL == local_send_buffer) {
local_send_buffer = malloc(LOCAL_SEND_BUFSIZE);
force_assert(local_send_buffer);
}
do {
off_t offset = c->file.start + c->offset;
off_t toSend = c->file.length - c->offset;
if (toSend > max_bytes) toSend = max_bytes;
if (toSend > LOCAL_SEND_BUFSIZE) toSend = LOCAL_SEND_BUFSIZE;
if (-1 == (ifd = open(c->file.name->ptr, O_RDONLY))) {
log_error_write(srv, __FILE__, __LINE__, "ss", "open failed:", strerror(errno));
return -1;
}
if (-1 == lseek(ifd, offset, SEEK_SET)) {
log_error_write(srv, __FILE__, __LINE__, "ss", "lseek failed:", strerror(errno));
close(ifd);
return -1;
}
if (-1 == (toSend = read(ifd, local_send_buffer, toSend))) {
log_error_write(srv, __FILE__, __LINE__, "ss", "read failed:", strerror(errno));
close(ifd);
return -1;
}
s = local_send_buffer;
close(ifd);
ERR_clear_error();
r = SSL_write(ssl, s, toSend);
if (con->renegotiations > 1 && con->conf.ssl_disable_client_renegotiation) {
log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client, killing connection");
return -1;
}
if (r <= 0) {
unsigned long err;
switch ((ssl_r = SSL_get_error(ssl, r))) {
case SSL_ERROR_WANT_WRITE:
write_wait = 1;
break;
case SSL_ERROR_SYSCALL:
/* perhaps we have error waiting in our error-queue */
if (0 != (err = ERR_get_error())) {
do {
log_error_write(srv, __FILE__, __LINE__, "sdds", "SSL:",
ssl_r, r,
ERR_error_string(err, NULL));
} while((err = ERR_get_error()));
} else if (r == -1) {
/* no, but we have errno */
switch(errno) {
case EPIPE:
case ECONNRESET:
return -2;
default:
log_error_write(srv, __FILE__, __LINE__, "sddds", "SSL:",
ssl_r, r, errno,
strerror(errno));
break;
}
} else {
/* neither error-queue nor errno ? */
log_error_write(srv, __FILE__, __LINE__, "sddds", "SSL (error):",
ssl_r, r, errno,
strerror(errno));
}
return -1;
case SSL_ERROR_ZERO_RETURN:
/* clean shutdown on the remote side */
if (r == 0) return -2;
/* fall thourgh */
default:
while((err = ERR_get_error())) {
log_error_write(srv, __FILE__, __LINE__, "sdds", "SSL:",
ssl_r, r,
ERR_error_string(err, NULL));
}
return -1;
}
} else {
c->offset += r;
cq->bytes_out += r;
max_bytes -= r;
}
if (c->offset == c->file.length) {
chunk_finished = 1;
}
} while (!chunk_finished && !write_wait && max_bytes > 0);
break;
}
default:
log_error_write(srv, __FILE__, __LINE__, "s", "type not known");
return -1;
}
if (!chunk_finished) {
/* not finished yet */
break;
}
}
return 0;
}
int doit(char *ctx[4])
{
SSL_CTX *s_ctx,*c_ctx;
static char cbuf[200],sbuf[200];
SSL *c_ssl=NULL;
SSL *s_ssl=NULL;
BIO *c_to_s=NULL;
BIO *s_to_c=NULL;
BIO *c_bio=NULL;
BIO *s_bio=NULL;
int c_r,c_w,s_r,s_w;
int c_want,s_want;
int i;
int done=0;
int c_write,s_write;
int do_server=0,do_client=0;
s_ctx=(SSL_CTX *)ctx[0];
c_ctx=(SSL_CTX *)ctx[1];
if (ctx[2] != NULL)
s_ssl=(SSL *)ctx[2];
else
s_ssl=SSL_new(s_ctx);
if (ctx[3] != NULL)
c_ssl=(SSL *)ctx[3];
else
c_ssl=SSL_new(c_ctx);
if ((s_ssl == NULL) || (c_ssl == NULL)) goto err;
c_to_s=BIO_new(BIO_s_mem());
s_to_c=BIO_new(BIO_s_mem());
if ((s_to_c == NULL) || (c_to_s == NULL)) goto err;
c_bio=BIO_new(BIO_f_ssl());
s_bio=BIO_new(BIO_f_ssl());
if ((c_bio == NULL) || (s_bio == NULL)) goto err;
SSL_set_connect_state(c_ssl);
SSL_set_bio(c_ssl,s_to_c,c_to_s);
BIO_set_ssl(c_bio,c_ssl,(ctx[2] == NULL)?BIO_CLOSE:BIO_NOCLOSE);
SSL_set_accept_state(s_ssl);
SSL_set_bio(s_ssl,c_to_s,s_to_c);
BIO_set_ssl(s_bio,s_ssl,(ctx[3] == NULL)?BIO_CLOSE:BIO_NOCLOSE);
c_r=0; s_r=1;
c_w=1; s_w=0;
c_want=W_WRITE;
s_want=0;
c_write=1,s_write=0;
/* We can always do writes */
for (;;)
{
do_server=0;
do_client=0;
i=(int)BIO_pending(s_bio);
if ((i && s_r) || s_w) do_server=1;
i=(int)BIO_pending(c_bio);
if ((i && c_r) || c_w) do_client=1;
if (do_server && verbose)
{
if (SSL_in_init(s_ssl))
printf("server waiting in SSL_accept - %s\n",
SSL_state_string_long(s_ssl));
else if (s_write)
printf("server:SSL_write()\n");
else
printf("server:SSL_read()\n");
}
if (do_client && verbose)
{
if (SSL_in_init(c_ssl))
printf("client waiting in SSL_connect - %s\n",
SSL_state_string_long(c_ssl));
else if (c_write)
printf("client:SSL_write()\n");
else
printf("client:SSL_read()\n");
}
if (!do_client && !do_server)
{
fprintf(stdout,"ERROR IN STARTUP\n");
break;
}
if (do_client && !(done & C_DONE))
{
if (c_write)
{
i=BIO_write(c_bio,"hello from client\n",18);
if (i < 0)
{
c_r=0;
c_w=0;
if (BIO_should_retry(c_bio))
{
if (BIO_should_read(c_bio))
c_r=1;
if (BIO_should_write(c_bio))
c_w=1;
}
else
{
fprintf(stderr,"ERROR in CLIENT\n");
ERR_print_errors_fp(stderr);
return(1);
}
}
else if (i == 0)
{
fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
return(1);
}
else
{
/* ok */
c_write=0;
}
}
else
{
i=BIO_read(c_bio,cbuf,100);
if (i < 0)
{
c_r=0;
c_w=0;
if (BIO_should_retry(c_bio))
{
if (BIO_should_read(c_bio))
c_r=1;
if (BIO_should_write(c_bio))
c_w=1;
}
else
{
fprintf(stderr,"ERROR in CLIENT\n");
ERR_print_errors_fp(stderr);
return(1);
}
}
else if (i == 0)
{
fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
return(1);
}
else
{
done|=C_DONE;
#ifdef undef
fprintf(stdout,"CLIENT:from server:");
fwrite(cbuf,1,i,stdout);
fflush(stdout);
#endif
}
}
}
if (do_server && !(done & S_DONE))
{
if (!s_write)
{
i=BIO_read(s_bio,sbuf,100);
if (i < 0)
{
s_r=0;
s_w=0;
if (BIO_should_retry(s_bio))
{
if (BIO_should_read(s_bio))
s_r=1;
if (BIO_should_write(s_bio))
s_w=1;
}
else
{
fprintf(stderr,"ERROR in SERVER\n");
ERR_print_errors_fp(stderr);
return(1);
}
}
else if (i == 0)
{
fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
return(1);
}
else
{
s_write=1;
s_w=1;
#ifdef undef
fprintf(stdout,"SERVER:from client:");
fwrite(sbuf,1,i,stdout);
fflush(stdout);
#endif
}
}
else
{
i=BIO_write(s_bio,"hello from server\n",18);
if (i < 0)
{
s_r=0;
s_w=0;
if (BIO_should_retry(s_bio))
{
if (BIO_should_read(s_bio))
s_r=1;
if (BIO_should_write(s_bio))
s_w=1;
}
else
{
fprintf(stderr,"ERROR in SERVER\n");
ERR_print_errors_fp(stderr);
return(1);
}
}
else if (i == 0)
{
fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
return(1);
}
else
{
s_write=0;
s_r=1;
done|=S_DONE;
}
}
}
if ((done & S_DONE) && (done & C_DONE)) break;
# if defined(OPENSSL_SYS_NETWARE)
ThreadSwitchWithDelay();
# endif
}
SSL_set_shutdown(c_ssl,SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
SSL_set_shutdown(s_ssl,SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
#ifdef undef
fprintf(stdout,"DONE\n");
#endif
err:
/* We have to set the BIO's to NULL otherwise they will be
* free()ed twice. Once when th s_ssl is SSL_free()ed and
* again when c_ssl is SSL_free()ed.
* This is a hack required because s_ssl and c_ssl are sharing the same
* BIO structure and SSL_set_bio() and SSL_free() automatically
* BIO_free non NULL entries.
* You should not normally do this or be required to do this */
if (s_ssl != NULL)
{
s_ssl->rbio=NULL;
s_ssl->wbio=NULL;
}
if (c_ssl != NULL)
{
c_ssl->rbio=NULL;
c_ssl->wbio=NULL;
}
/* The SSL's are optionally freed in the following calls */
if (c_to_s != NULL) BIO_free(c_to_s);
if (s_to_c != NULL) BIO_free(s_to_c);
if (c_bio != NULL) BIO_free(c_bio);
if (s_bio != NULL) BIO_free(s_bio);
return(0);
}
int MAIN(int argc, char **argv)
{
double totalTime = 0.0;
int nConn = 0;
SSL *scon = NULL;
long finishtime = 0;
int ret = 1, i;
char buf[1024 * 8];
int ver;
apps_startup();
s_time_init();
if (bio_err == NULL)
bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
s_time_meth = SSLv23_client_method();
/* parse the command line arguments */
if (parseArgs(argc, argv) < 0)
goto end;
OpenSSL_add_ssl_algorithms();
if ((tm_ctx = SSL_CTX_new(s_time_meth)) == NULL)
return (1);
SSL_CTX_set_quiet_shutdown(tm_ctx, 1);
if (st_bugs)
SSL_CTX_set_options(tm_ctx, SSL_OP_ALL);
if(!SSL_CTX_set_cipher_list(tm_ctx, tm_cipher))
goto end;
if (!set_cert_stuff(tm_ctx, t_cert_file, t_key_file))
goto end;
SSL_load_error_strings();
if ((!SSL_CTX_load_verify_locations(tm_ctx, CAfile, CApath)) ||
(!SSL_CTX_set_default_verify_paths(tm_ctx))) {
/*
* BIO_printf(bio_err,"error setting default verify locations\n");
*/
ERR_print_errors(bio_err);
/* goto end; */
}
if (tm_cipher == NULL)
tm_cipher = getenv("SSL_CIPHER");
if (tm_cipher == NULL) {
fprintf(stderr, "No CIPHER specified\n");
}
if (!(perform & 1))
goto next;
printf("Collecting connection statistics for %d seconds\n", maxTime);
/* Loop and time how long it takes to make connections */
bytes_read = 0;
finishtime = (long)time(NULL) + maxTime;
tm_Time_F(START);
for (;;) {
if (finishtime < (long)time(NULL))
break;
#ifdef WIN32_STUFF
if (flushWinMsgs(0) == -1)
goto end;
if (waitingToDie || exitNow) /* we're dead */
goto end;
#endif
if ((scon = doConnection(NULL)) == NULL)
goto end;
if (s_www_path != NULL) {
BIO_snprintf(buf, sizeof buf, "GET %s HTTP/1.0\r\n\r\n",
s_www_path);
if(SSL_write(scon, buf, strlen(buf)) <= 0)
goto end;
while ((i = SSL_read(scon, buf, sizeof(buf))) > 0)
bytes_read += i;
}
#ifdef NO_SHUTDOWN
SSL_set_shutdown(scon, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
#else
SSL_shutdown(scon);
#endif
SHUTDOWN2(SSL_get_fd(scon));
nConn += 1;
if (SSL_session_reused(scon))
ver = 'r';
else {
ver = SSL_version(scon);
if (ver == TLS1_VERSION)
ver = 't';
else if (ver == SSL3_VERSION)
ver = '3';
else
ver = '*';
}
fputc(ver, stdout);
fflush(stdout);
SSL_free(scon);
scon = NULL;
}
totalTime += tm_Time_F(STOP); /* Add the time for this iteration */
i = (int)((long)time(NULL) - finishtime + maxTime);
printf
("\n\n%d connections in %.2fs; %.2f connections/user sec, bytes read %ld\n",
nConn, totalTime, ((double)nConn / totalTime), bytes_read);
printf
("%d connections in %ld real seconds, %ld bytes read per connection\n",
nConn, (long)time(NULL) - finishtime + maxTime, bytes_read / nConn);
/*
* Now loop and time connections using the same session id over and over
*/
next:
if (!(perform & 2))
goto end;
printf("\n\nNow timing with session id reuse.\n");
/* Get an SSL object so we can reuse the session id */
if ((scon = doConnection(NULL)) == NULL) {
fprintf(stderr, "Unable to get connection\n");
goto end;
}
if (s_www_path != NULL) {
BIO_snprintf(buf, sizeof buf, "GET %s HTTP/1.0\r\n\r\n", s_www_path);
if(SSL_write(scon, buf, strlen(buf)) <= 0)
goto end;
while (SSL_read(scon, buf, sizeof(buf)) > 0) ;
}
#ifdef NO_SHUTDOWN
SSL_set_shutdown(scon, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
#else
SSL_shutdown(scon);
#endif
SHUTDOWN2(SSL_get_fd(scon));
nConn = 0;
totalTime = 0.0;
finishtime = (long)time(NULL) + maxTime;
printf("starting\n");
bytes_read = 0;
tm_Time_F(START);
for (;;) {
if (finishtime < (long)time(NULL))
break;
#ifdef WIN32_STUFF
if (flushWinMsgs(0) == -1)
goto end;
if (waitingToDie || exitNow) /* we're dead */
goto end;
#endif
if ((doConnection(scon)) == NULL)
goto end;
if (s_www_path) {
BIO_snprintf(buf, sizeof buf, "GET %s HTTP/1.0\r\n\r\n",
s_www_path);
if(SSL_write(scon, buf, strlen(buf)) <= 0)
goto end;
while ((i = SSL_read(scon, buf, sizeof(buf))) > 0)
bytes_read += i;
}
#ifdef NO_SHUTDOWN
SSL_set_shutdown(scon, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
#else
SSL_shutdown(scon);
#endif
SHUTDOWN2(SSL_get_fd(scon));
nConn += 1;
if (SSL_session_reused(scon))
ver = 'r';
else {
ver = SSL_version(scon);
if (ver == TLS1_VERSION)
ver = 't';
else if (ver == SSL3_VERSION)
ver = '3';
else
ver = '*';
}
fputc(ver, stdout);
fflush(stdout);
}
totalTime += tm_Time_F(STOP); /* Add the time for this iteration */
printf
("\n\n%d connections in %.2fs; %.2f connections/user sec, bytes read %ld\n",
nConn, totalTime, ((double)nConn / totalTime), bytes_read);
printf
("%d connections in %ld real seconds, %ld bytes read per connection\n",
nConn, (long)time(NULL) - finishtime + maxTime,
bytes_read / (nConn?nConn:1));
ret = 0;
end:
if (scon != NULL)
SSL_free(scon);
if (tm_ctx != NULL) {
SSL_CTX_free(tm_ctx);
tm_ctx = NULL;
}
apps_shutdown();
OPENSSL_EXIT(ret);
}
/*
* close_connection
* Close the physical connection. This function must make
* MyConnect(client_p) == FALSE, and set client_p->from == NULL.
*/
void
close_connection(struct Client *client_p)
{
struct ConfItem *conf;
struct AccessItem *aconf;
struct ClassItem *aclass;
assert(NULL != client_p);
if (!IsDead(client_p))
{
/* attempt to flush any pending dbufs. Evil, but .. -- adrian */
/* there is still a chance that we might send data to this socket
* even if it is marked as blocked (COMM_SELECT_READ handler is called
* before COMM_SELECT_WRITE). Let's try, nothing to lose.. -adx
*/
ClearSendqBlocked(client_p);
send_queued_write(client_p);
}
if (IsServer(client_p))
{
++ServerStats.is_sv;
ServerStats.is_sbs += client_p->localClient->send.bytes;
ServerStats.is_sbr += client_p->localClient->recv.bytes;
ServerStats.is_sti += CurrentTime - client_p->firsttime;
/* XXX Does this even make any sense at all anymore?
* scheduling a 'quick' reconnect could cause a pile of
* nick collides under TSora protocol... -db
*/
/*
* If the connection has been up for a long amount of time, schedule
* a 'quick' reconnect, else reset the next-connect cycle.
*/
if ((conf = find_conf_exact(SERVER_TYPE,
client_p->name, client_p->username,
client_p->host)))
{
/*
* Reschedule a faster reconnect, if this was a automatically
* connected configuration entry. (Note that if we have had
* a rehash in between, the status has been changed to
* CONF_ILLEGAL). But only do this if it was a "good" link.
*/
aconf = (struct AccessItem *)map_to_conf(conf);
aclass = (struct ClassItem *)map_to_conf(aconf->class_ptr);
aconf->hold = time(NULL);
aconf->hold += (aconf->hold - client_p->since > HANGONGOODLINK) ?
HANGONRETRYDELAY : ConFreq(aclass);
if (nextconnect > aconf->hold)
nextconnect = aconf->hold;
}
}
else if (IsClient(client_p))
{
++ServerStats.is_cl;
ServerStats.is_cbs += client_p->localClient->send.bytes;
ServerStats.is_cbr += client_p->localClient->recv.bytes;
ServerStats.is_cti += CurrentTime - client_p->firsttime;
}
else
++ServerStats.is_ni;
#ifdef HAVE_LIBCRYPTO
if (client_p->localClient->fd.ssl)
{
SSL_set_shutdown(client_p->localClient->fd.ssl, SSL_RECEIVED_SHUTDOWN);
if (!SSL_shutdown(client_p->localClient->fd.ssl))
SSL_shutdown(client_p->localClient->fd.ssl);
}
#endif
if (client_p->localClient->fd.flags.open)
fd_close(&client_p->localClient->fd);
if (HasServlink(client_p))
{
if (client_p->localClient->ctrlfd.flags.open)
fd_close(&client_p->localClient->ctrlfd);
}
dbuf_clear(&client_p->localClient->buf_sendq);
dbuf_clear(&client_p->localClient->buf_recvq);
MyFree(client_p->localClient->passwd);
detach_conf(client_p, CONF_TYPE);
client_p->from = NULL; /* ...this should catch them! >:) --msa */
}
openssl_con *
openssl_accept_fd(openssl_env *env, int fd, int timeout, struct redir_conn_t *conn) {
openssl_con *c = (openssl_con *)calloc(1, sizeof(openssl_con));
int rc;
if (!c) return 0;
if (!env || !env->ready) {
syslog(LOG_ERR, "SSL not available!");
openssl_free(c);
return 0;
}
c->env = env;
#ifdef HAVE_OPENSSL
c->con = (SSL *)SSL_new(env->ctx);
#elif HAVE_MATRIXSSL
c->con = (SSL *)SSL_new(env->keys, SSL_FLAGS_SERVER);
#endif
c->sock = fd;
c->timeout = timeout;
SSL_set_fd(c->con, c->sock);
#ifdef HAVE_OPENSSL
#ifdef HAVE_OPENSSL_ENGINE
SSL_clear(c->con);
#endif
#ifdef HAVE_OPENSSL_ENGINE
SSL_set_app_data(c->con, c);
#endif
SSL_set_accept_state(c->con);
#ifdef HAVE_OPENSSL_ENGINE
SSL_set_verify_result(c->con, X509_V_OK);
#endif
if ((rc = openssl_check_accept(c, conn)) < 0) {
SSL_set_shutdown(c->con, SSL_RECEIVED_SHUTDOWN);
openssl_free(c);
return 0;
}
#elif HAVE_MATRIXSSL
/* ndelay_off(c->sock); */
matrixSslSetCertValidator(c->con->ssl, certValidator, c->con->keys);
if ((rc = SSL_accept2(c->con)) < 0) {
syslog(LOG_ERR, "%s: SSL accept failure %s", strerror(errno), c->con->status);
openssl_free(c);
return 0;
}
SSL_is_init_finished(c->con);
/* ndelay_on(c->sock);*/
#else
#error NO SSL SUPPORT
#endif
return c;
}
/****************************** transfer data */
static int transfer(CLI *c) {
int num, err;
int check_SSL_pending;
enum {CL_OPEN, CL_INIT, CL_RETRY, CL_CLOSED} ssl_closing=CL_OPEN;
int watchdog=0; /* a counter to detect an infinite loop */
c->sock_ptr=c->ssl_ptr=0;
sock_rd=sock_wr=ssl_rd=ssl_wr=1;
c->sock_bytes=c->ssl_bytes=0;
do { /* main loop */
/* set flag to try and read any buffered SSL data
* if we made room in the buffer by writing to the socket */
check_SSL_pending=0;
/****************************** setup c->fds structure */
s_poll_zero(&c->fds); /* Initialize the structure */
if(sock_rd && c->sock_ptr<BUFFSIZE) /* socket input buffer not full*/
s_poll_add(&c->fds, c->sock_rfd->fd, 1, 0);
if((ssl_rd && c->ssl_ptr<BUFFSIZE) || /* SSL input buffer not full */
((c->sock_ptr || ssl_closing==CL_RETRY) && want_rd))
/* want to SSL_write or SSL_shutdown but read from the
* underlying socket needed for the SSL protocol */
s_poll_add(&c->fds, c->ssl_rfd->fd, 1, 0);
if(c->ssl_ptr) /* SSL input buffer not empty */
s_poll_add(&c->fds, c->sock_wfd->fd, 0, 1);
if(c->sock_ptr || /* socket input buffer not empty */
ssl_closing==CL_INIT /* need to send close_notify */ ||
((c->ssl_ptr<BUFFSIZE || ssl_closing==CL_RETRY) && want_wr))
/* want to SSL_read or SSL_shutdown but write to the
* underlying socket needed for the SSL protocol */
s_poll_add(&c->fds, c->ssl_wfd->fd, 0, 1);
/****************************** wait for an event */
err=s_poll_wait(&c->fds, (sock_rd && ssl_rd) /* both peers open */ ||
c->ssl_ptr /* data buffered to write to socket */ ||
c->sock_ptr /* data buffered to write to SSL */ ?
c->opt->timeout_idle : c->opt->timeout_close);
switch(err) {
case -1:
sockerror("transfer: s_poll_wait");
return -1;
case 0: /* timeout */
if((sock_rd && ssl_rd) || c->ssl_ptr || c->sock_ptr) {
s_log(LOG_INFO, "s_poll_wait timeout: connection reset");
return -1;
} else { /* already closing connection */
s_log(LOG_INFO, "s_poll_wait timeout: connection close");
return 0; /* OK */
}
}
if(!(sock_can_rd || sock_can_wr || ssl_can_rd || ssl_can_wr)) {
s_log(LOG_ERR, "INTERNAL ERROR: "
"s_poll_wait returned %d, but no descriptor is ready", err);
return -1;
}
/****************************** send SSL close_notify message */
if(ssl_closing==CL_INIT || (ssl_closing==CL_RETRY &&
((want_rd && ssl_can_rd) || (want_wr && ssl_can_wr)))) {
switch(SSL_shutdown(c->ssl)) { /* Send close_notify */
case 1: /* the shutdown was successfully completed */
s_log(LOG_INFO, "SSL_shutdown successfully sent close_notify");
ssl_closing=CL_CLOSED; /* done! */
break;
case 0: /* the shutdown is not yet finished */
s_log(LOG_DEBUG, "SSL_shutdown retrying");
ssl_closing=CL_RETRY; /* retry next time */
break;
case -1: /* a fatal error occurred */
sslerror("SSL_shutdown");
return -1;
}
}
/****************************** write to socket */
if(sock_wr && sock_can_wr) {
/* for stunnel to tell web server the remote ip address */
add_remote_ip_to_header(c);
num=writesocket(c->sock_wfd->fd, c->ssl_buff, c->ssl_ptr);
switch(num) {
case -1: /* error */
if(parse_socket_error("writesocket"))
return -1;
break;
case 0:
s_log(LOG_DEBUG, "No data written to the socket: retrying");
break;
default:
memmove(c->ssl_buff, c->ssl_buff+num, c->ssl_ptr-num);
if(c->ssl_ptr==BUFFSIZE) /* buffer was previously full */
check_SSL_pending=1; /* check for data buffered by SSL */
c->ssl_ptr-=num;
c->sock_bytes+=num;
watchdog=0; /* reset watchdog */
}
}
/****************************** write to SSL */
if(ssl_wr && c->sock_ptr && ( /* output buffer not empty */
ssl_can_wr || (want_rd && ssl_can_rd)
/* SSL_write wants to read from the underlying descriptor */
)) {
num=SSL_write(c->ssl, c->sock_buff, c->sock_ptr);
switch(err=SSL_get_error(c->ssl, num)) {
case SSL_ERROR_NONE:
memmove(c->sock_buff, c->sock_buff+num, c->sock_ptr-num);
c->sock_ptr-=num;
c->ssl_bytes+=num;
watchdog=0; /* reset watchdog */
break;
case SSL_ERROR_WANT_WRITE:
s_log(LOG_DEBUG, "SSL_write returned WANT_WRITE: retrying");
break;
case SSL_ERROR_WANT_READ:
s_log(LOG_DEBUG, "SSL_write returned WANT_READ: retrying");
break;
case SSL_ERROR_WANT_X509_LOOKUP:
s_log(LOG_DEBUG,
"SSL_write returned WANT_X509_LOOKUP: retrying");
break;
case SSL_ERROR_SYSCALL: /* really an error */
if(num && parse_socket_error("SSL_write"))
return -1;
break;
case SSL_ERROR_ZERO_RETURN: /* close_notify received */
s_log(LOG_DEBUG, "SSL closed on SSL_write");
ssl_rd=0;
break;
case SSL_ERROR_SSL:
sslerror("SSL_write");
return -1;
default:
s_log(LOG_ERR, "SSL_write/SSL_get_error returned %d", err);
return -1;
}
}
/****************************** read from socket */
if(sock_rd && sock_can_rd) {
num=readsocket(c->sock_rfd->fd,
c->sock_buff+c->sock_ptr, BUFFSIZE-c->sock_ptr);
switch(num) {
case -1:
if(parse_socket_error("readsocket"))
return -1;
break;
case 0: /* close */
s_log(LOG_DEBUG, "Socket closed on read");
sock_rd=0;
break;
default:
c->sock_ptr+=num;
watchdog=0; /* reset watchdog */
}
}
/****************************** read from SSL */
if(ssl_rd && c->ssl_ptr<BUFFSIZE && ( /* input buffer not full */
ssl_can_rd || (want_wr && ssl_can_wr) ||
/* SSL_read wants to write to the underlying descriptor */
(check_SSL_pending && SSL_pending(c->ssl))
/* write made space from full buffer */
)) {
num=SSL_read(c->ssl, c->ssl_buff+c->ssl_ptr, BUFFSIZE-c->ssl_ptr);
switch(err=SSL_get_error(c->ssl, num)) {
case SSL_ERROR_NONE:
c->ssl_ptr+=num;
watchdog=0; /* reset watchdog */
break;
case SSL_ERROR_WANT_WRITE:
s_log(LOG_DEBUG, "SSL_read returned WANT_WRITE: retrying");
break;
case SSL_ERROR_WANT_READ:
s_log(LOG_DEBUG, "SSL_read returned WANT_READ: retrying");
break;
case SSL_ERROR_WANT_X509_LOOKUP:
s_log(LOG_DEBUG,
"SSL_read returned WANT_X509_LOOKUP: retrying");
break;
case SSL_ERROR_SYSCALL:
if(!num) { /* EOF */
if(c->sock_ptr) {
s_log(LOG_ERR,
"SSL socket closed with %d byte(s) in buffer",
c->sock_ptr);
return -1; /* reset the socket */
}
s_log(LOG_DEBUG, "SSL socket closed on SSL_read");
ssl_rd=ssl_wr=0; /* buggy or SSLv2 peer: no close_notify */
ssl_closing=CL_CLOSED; /* don't try to send it back */
} else if(parse_socket_error("SSL_read"))
return -1;
break;
case SSL_ERROR_ZERO_RETURN: /* close_notify received */
s_log(LOG_DEBUG, "SSL closed on SSL_read");
ssl_rd=0;
break;
case SSL_ERROR_SSL:
sslerror("SSL_read");
return -1;
default:
s_log(LOG_ERR, "SSL_read/SSL_get_error returned %d", err);
return -1;
}
}
/****************************** check write shutdown conditions */
if(sock_wr && !ssl_rd && !c->ssl_ptr) {
s_log(LOG_DEBUG, "Socket write shutdown");
sock_wr=0; /* no further write allowed */
shutdown(c->sock_wfd->fd, SHUT_WR); /* send TCP FIN */
}
if(ssl_wr && (!sock_rd || SSL_get_shutdown(c->ssl)) && !c->sock_ptr) {
s_log(LOG_DEBUG, "SSL write shutdown");
ssl_wr=0; /* no further write allowed */
if(strcmp(SSL_get_version(c->ssl), "SSLv2")) { /* SSLv3, TLSv1 */
ssl_closing=CL_INIT; /* initiate close_notify */
} else { /* no alerts in SSLv2 including close_notify alert */
shutdown(c->sock_rfd->fd, SHUT_RD); /* notify the kernel */
shutdown(c->sock_wfd->fd, SHUT_WR); /* send TCP FIN */
SSL_set_shutdown(c->ssl, /* notify the OpenSSL library */
SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
ssl_rd=0; /* no further read allowed */
ssl_closing=CL_CLOSED; /* closed */
}
}
if(ssl_closing==CL_RETRY) { /* SSL shutdown */
if(!want_rd && !want_wr) { /* close_notify alert was received */
s_log(LOG_DEBUG, "SSL doesn't need to read or write");
ssl_closing=CL_CLOSED;
}
if(watchdog>5) {
s_log(LOG_NOTICE, "Too many retries on SSL shutdown");
ssl_closing=CL_CLOSED;
}
}
/****************************** check watchdog */
if(++watchdog>100) { /* loop executes without transferring any data */
s_log(LOG_ERR,
"transfer() loop executes not transferring any data");
s_log(LOG_ERR,
"please report the problem to [email protected]");
s_log(LOG_ERR, "socket open: rd=%s wr=%s, ssl open: rd=%s wr=%s",
sock_rd ? "yes" : "no", sock_wr ? "yes" : "no",
ssl_rd ? "yes" : "no", ssl_wr ? "yes" : "no");
s_log(LOG_ERR, "socket ready: rd=%s wr=%s, ssl ready: rd=%s wr=%s",
sock_can_rd ? "yes" : "no", sock_can_wr ? "yes" : "no",
ssl_can_rd ? "yes" : "no", ssl_can_wr ? "yes" : "no");
s_log(LOG_ERR, "ssl want: rd=%s wr=%s",
want_rd ? "yes" : "no", want_wr ? "yes" : "no");
s_log(LOG_ERR, "socket input buffer: %d byte(s), "
"ssl input buffer: %d byte(s)", c->sock_ptr, c->ssl_ptr);
s_log(LOG_ERR, "check_SSL_pending=%d, ssl_closing=%d",
check_SSL_pending, ssl_closing);
return -1;
}
} while(sock_wr || ssl_closing!=CL_CLOSED);
return 0; /* OK */
}
ngx_int_t ngx_ssl_shutdown(ngx_connection_t *c)
{
int n, sslerr;
ngx_uint_t again;
if (c->timedout) {
SSL_set_shutdown(c->ssl->ssl, SSL_RECEIVED_SHUTDOWN|SSL_SENT_SHUTDOWN);
} else {
if (c->ssl->no_rcv_shut) {
SSL_set_shutdown(c->ssl->ssl, SSL_RECEIVED_SHUTDOWN);
}
if (c->ssl->no_send_shut) {
SSL_set_shutdown(c->ssl->ssl, SSL_SENT_SHUTDOWN);
}
}
again = 0;
for ( ;; ) {
n = SSL_shutdown(c->ssl->ssl);
ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0, "SSL_shutdown: %d", n);
if (n == 0) {
again = 1;
break;
}
if (n == 1) {
SSL_free(c->ssl->ssl);
c->ssl = NULL;
return NGX_OK;
}
break;
}
if (!again) {
sslerr = SSL_get_error(c->ssl->ssl, n);
ngx_log_debug1(NGX_LOG_DEBUG_EVENT, c->log, 0,
"SSL_get_error: %d", sslerr);
}
if (again || sslerr == SSL_ERROR_WANT_READ) {
ngx_add_timer(c->read, 10000);
if (ngx_handle_read_event(c->read, 0) == NGX_ERROR) {
return NGX_ERROR;
}
return NGX_AGAIN;
}
if (sslerr == SSL_ERROR_WANT_WRITE) {
if (ngx_handle_write_event(c->write, 0) == NGX_ERROR) {
return NGX_ERROR;
}
return NGX_AGAIN;
}
ngx_ssl_error(NGX_LOG_ALERT, c->log, 0, "SSL_shutdown() failed");
return NGX_ERROR;
}
int s_time_main(int argc, char **argv)
{
char buf[1024 * 8];
SSL *scon = NULL;
SSL_CTX *ctx = NULL;
const SSL_METHOD *meth = NULL;
char *CApath = NULL, *CAfile = NULL, *cipher = NULL, *www_path = NULL;
char *host = SSL_CONNECT_NAME, *certfile = NULL, *keyfile = NULL, *prog;
double totalTime = 0.0;
int maxtime = SECONDS, nConn = 0, perform = 3, ret = 1, i, st_bugs =
0, ver;
long bytes_read = 0, finishtime = 0;
OPTION_CHOICE o;
#ifdef OPENSSL_SYS_WIN32
int exitNow = 0; /* Set when it's time to exit main */
#endif
meth = TLS_client_method();
verify_depth = 0;
verify_error = X509_V_OK;
prog = opt_init(argc, argv, s_time_options);
while ((o = opt_next()) != OPT_EOF) {
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
opt_help(s_time_options);
ret = 0;
goto end;
case OPT_CONNECT:
host = opt_arg();
break;
case OPT_REUSE:
perform = 2;
break;
case OPT_NEW:
perform = 1;
break;
case OPT_VERIFY:
if (!opt_int(opt_arg(), &verify_depth))
goto opthelp;
BIO_printf(bio_err, "%s: verify depth is %d\n",
prog, verify_depth);
break;
case OPT_CERT:
certfile = opt_arg();
break;
case OPT_KEY:
keyfile = opt_arg();
break;
case OPT_CAPATH:
CApath = opt_arg();
break;
case OPT_CAFILE:
CAfile = opt_arg();
break;
case OPT_CIPHER:
cipher = opt_arg();
break;
case OPT_BUGS:
st_bugs = 1;
break;
case OPT_TIME:
if (!opt_int(opt_arg(), &maxtime))
goto opthelp;
break;
case OPT_WWW:
www_path = opt_arg();
if (strlen(www_path) > MYBUFSIZ - 100) {
BIO_printf(bio_err, "%s: -www option too long\n", prog);
goto end;
}
break;
case OPT_SSL3:
#ifndef OPENSSL_NO_SSL3
meth = SSLv3_client_method();
#endif
break;
}
}
argc = opt_num_rest();
argv = opt_rest();
if (cipher == NULL)
cipher = getenv("SSL_CIPHER");
if (cipher == NULL) {
BIO_printf(bio_err, "No CIPHER specified\n");
goto end;
}
if ((ctx = SSL_CTX_new(meth)) == NULL)
goto end;
SSL_CTX_set_quiet_shutdown(ctx, 1);
if (st_bugs)
SSL_CTX_set_options(ctx, SSL_OP_ALL);
if (!SSL_CTX_set_cipher_list(ctx, cipher))
goto end;
if (!set_cert_stuff(ctx, certfile, keyfile))
goto end;
if (!ctx_set_verify_locations(ctx, CAfile, CApath)) {
ERR_print_errors(bio_err);
goto end;
}
if (!(perform & 1))
goto next;
printf("Collecting connection statistics for %d seconds\n", maxtime);
/* Loop and time how long it takes to make connections */
bytes_read = 0;
finishtime = (long)time(NULL) + maxtime;
tm_Time_F(START);
for (;;) {
if (finishtime < (long)time(NULL))
break;
#ifdef WIN32_STUFF
if (flushWinMsgs(0) == -1)
goto end;
if (waitingToDie || exitNow) /* we're dead */
goto end;
#endif
if ((scon = doConnection(NULL, host, ctx)) == NULL)
goto end;
if (www_path != NULL) {
BIO_snprintf(buf, sizeof buf, "GET %s HTTP/1.0\r\n\r\n",
www_path);
if (SSL_write(scon, buf, strlen(buf)) <= 0)
goto end;
while ((i = SSL_read(scon, buf, sizeof(buf))) > 0)
bytes_read += i;
}
#ifdef NO_SHUTDOWN
SSL_set_shutdown(scon, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
#else
SSL_shutdown(scon);
#endif
SHUTDOWN2(SSL_get_fd(scon));
nConn += 1;
if (SSL_session_reused(scon))
ver = 'r';
else {
ver = SSL_version(scon);
if (ver == TLS1_VERSION)
ver = 't';
else if (ver == SSL3_VERSION)
ver = '3';
else
ver = '*';
}
fputc(ver, stdout);
fflush(stdout);
SSL_free(scon);
scon = NULL;
}
totalTime += tm_Time_F(STOP); /* Add the time for this iteration */
i = (int)((long)time(NULL) - finishtime + maxtime);
printf
("\n\n%d connections in %.2fs; %.2f connections/user sec, bytes read %ld\n",
nConn, totalTime, ((double)nConn / totalTime), bytes_read);
printf
("%d connections in %ld real seconds, %ld bytes read per connection\n",
nConn, (long)time(NULL) - finishtime + maxtime, bytes_read / nConn);
/*
* Now loop and time connections using the same session id over and over
*/
next:
if (!(perform & 2))
goto end;
printf("\n\nNow timing with session id reuse.\n");
/* Get an SSL object so we can reuse the session id */
if ((scon = doConnection(NULL, host, ctx)) == NULL) {
BIO_printf(bio_err, "Unable to get connection\n");
goto end;
}
if (www_path != NULL) {
BIO_snprintf(buf, sizeof buf, "GET %s HTTP/1.0\r\n\r\n", www_path);
if (SSL_write(scon, buf, strlen(buf)) <= 0)
goto end;
while (SSL_read(scon, buf, sizeof(buf)) > 0)
continue;
}
#ifdef NO_SHUTDOWN
SSL_set_shutdown(scon, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
#else
SSL_shutdown(scon);
#endif
SHUTDOWN2(SSL_get_fd(scon));
nConn = 0;
totalTime = 0.0;
finishtime = (long)time(NULL) + maxtime;
printf("starting\n");
bytes_read = 0;
tm_Time_F(START);
for (;;) {
if (finishtime < (long)time(NULL))
break;
#ifdef WIN32_STUFF
if (flushWinMsgs(0) == -1)
goto end;
if (waitingToDie || exitNow) /* we're dead */
goto end;
#endif
if ((doConnection(scon, host, ctx)) == NULL)
goto end;
if (www_path) {
BIO_snprintf(buf, sizeof buf, "GET %s HTTP/1.0\r\n\r\n",
www_path);
if (SSL_write(scon, buf, strlen(buf)) <= 0)
goto end;
while ((i = SSL_read(scon, buf, sizeof(buf))) > 0)
bytes_read += i;
}
#ifdef NO_SHUTDOWN
SSL_set_shutdown(scon, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
#else
SSL_shutdown(scon);
#endif
SHUTDOWN2(SSL_get_fd(scon));
nConn += 1;
if (SSL_session_reused(scon))
ver = 'r';
else {
ver = SSL_version(scon);
if (ver == TLS1_VERSION)
ver = 't';
else if (ver == SSL3_VERSION)
ver = '3';
else
ver = '*';
}
fputc(ver, stdout);
fflush(stdout);
}
totalTime += tm_Time_F(STOP); /* Add the time for this iteration */
printf
("\n\n%d connections in %.2fs; %.2f connections/user sec, bytes read %ld\n",
nConn, totalTime, ((double)nConn / totalTime), bytes_read);
printf
("%d connections in %ld real seconds, %ld bytes read per connection\n",
nConn, (long)time(NULL) - finishtime + maxtime, bytes_read / nConn);
ret = 0;
end:
SSL_free(scon);
SSL_CTX_free(ctx);
return (ret);
}
static int create_new_connected_udp_socket(
dtls_listener_relay_server_type* server, ioa_socket_handle s)
{
evutil_socket_t udp_fd = socket(s->local_addr.ss.sa_family, CLIENT_DGRAM_SOCKET_TYPE, CLIENT_DGRAM_SOCKET_PROTOCOL);
if (udp_fd < 0) {
perror("socket");
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR, "%s: Cannot allocate new socket\n",
__FUNCTION__);
return -1;
}
if (sock_bind_to_device(udp_fd, (unsigned char*) (s->e->relay_ifname))
< 0) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR,
"Cannot bind udp server socket to device %s\n",
(char*) (s->e->relay_ifname));
}
ioa_socket_handle ret = (ioa_socket*) turn_malloc(sizeof(ioa_socket));
if (!ret) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR,
"%s: Cannot allocate new socket structure\n", __FUNCTION__);
close(udp_fd);
return -1;
}
ns_bzero(ret, sizeof(ioa_socket));
ret->magic = SOCKET_MAGIC;
ret->fd = udp_fd;
ret->family = s->family;
ret->st = s->st;
ret->sat = CLIENT_SOCKET;
ret->local_addr_known = 1;
addr_cpy(&(ret->local_addr), &(s->local_addr));
if (addr_bind(udp_fd,&(s->local_addr),1,1,UDP_SOCKET) < 0) {
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR,
"Cannot bind new detached udp server socket to local addr\n");
IOA_CLOSE_SOCKET(ret);
return -1;
}
ret->bound = 1;
{
int connect_err = 0;
if (addr_connect(udp_fd, &(server->sm.m.sm.nd.src_addr), &connect_err) < 0) {
char sl[129];
char sr[129];
addr_to_string(&(ret->local_addr),(u08bits*)sl);
addr_to_string(&(server->sm.m.sm.nd.src_addr),(u08bits*)sr);
TURN_LOG_FUNC(TURN_LOG_LEVEL_ERROR,
"Cannot connect new detached udp client socket from local addr %s to remote addr %s\n",sl,sr);
IOA_CLOSE_SOCKET(ret);
return -1;
}
}
ret->connected = 1;
addr_cpy(&(ret->remote_addr), &(server->sm.m.sm.nd.src_addr));
set_socket_options(ret);
ret->current_ttl = s->current_ttl;
ret->default_ttl = s->default_ttl;
ret->current_tos = s->current_tos;
ret->default_tos = s->default_tos;
#if DTLS_SUPPORTED
if (!turn_params.no_dtls
&& is_dtls_handshake_message(
ioa_network_buffer_data(server->sm.m.sm.nd.nbh),
(int) ioa_network_buffer_get_size(
server->sm.m.sm.nd.nbh))) {
SSL* connecting_ssl = NULL;
BIO *wbio = NULL;
struct timeval timeout;
/* Create BIO */
wbio = BIO_new_dgram(ret->fd, BIO_NOCLOSE);
(void) BIO_dgram_set_peer(wbio, (struct sockaddr*) &(server->sm.m.sm.nd.src_addr));
BIO_ctrl(wbio, BIO_CTRL_DGRAM_SET_CONNECTED, 0, &(server->sm.m.sm.nd.src_addr));
/* Set and activate timeouts */
timeout.tv_sec = DTLS_MAX_RECV_TIMEOUT;
timeout.tv_usec = 0;
BIO_ctrl(wbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
#if DTLSv1_2_SUPPORTED
if(get_dtls_version(ioa_network_buffer_data(server->sm.m.sm.nd.nbh),
(int)ioa_network_buffer_get_size(server->sm.m.sm.nd.nbh)) == 1) {
connecting_ssl = SSL_NEW(server->dtls_ctx_v1_2);
} else {
connecting_ssl = SSL_NEW(server->dtls_ctx);
}
#else
{
connecting_ssl = SSL_NEW(server->dtls_ctx);
}
#endif
SSL_set_accept_state(connecting_ssl);
SSL_set_bio(connecting_ssl, NULL, wbio);
SSL_set_options(connecting_ssl, SSL_OP_COOKIE_EXCHANGE);
SSL_set_max_cert_list(connecting_ssl, 655350);
int rc = ssl_read(ret->fd, connecting_ssl, server->sm.m.sm.nd.nbh,
server->verbose);
if (rc < 0) {
if (!(SSL_get_shutdown(connecting_ssl) & SSL_SENT_SHUTDOWN)) {
SSL_set_shutdown(connecting_ssl, SSL_RECEIVED_SHUTDOWN);
SSL_shutdown(connecting_ssl);
}
SSL_FREE(connecting_ssl);
IOA_CLOSE_SOCKET(ret);
return -1;
}
addr_debug_print(server->verbose, &(server->sm.m.sm.nd.src_addr),
"Accepted DTLS connection from");
ret->ssl = connecting_ssl;
ioa_network_buffer_delete(server->e, server->sm.m.sm.nd.nbh);
server->sm.m.sm.nd.nbh = NULL;
ret->st = DTLS_SOCKET;
}
#endif
server->sm.m.sm.s = ret;
return server->connect_cb(server->e, &(server->sm));
}
void SslSocket::setShutDown(int mode)
{
SSL_set_shutdown(this->_ssl, mode);
}
/***********************************************************************
* MAIN - main processing area for client
* real name depends on MONOLITH
*/
int
s_time_main(int argc, char **argv)
{
double totalTime = 0.0;
int nConn = 0;
SSL *scon = NULL;
long finishtime = 0;
int ret = 1, i;
char buf[1024 * 8];
int ver;
s_time_meth = SSLv23_client_method();
verify_depth = 0;
verify_error = X509_V_OK;
memset(&s_time_config, 0, sizeof(s_time_config));
s_time_config.host = SSL_CONNECT_NAME;
s_time_config.maxtime = SECONDS;
s_time_config.perform = 3;
s_time_config.verify = SSL_VERIFY_NONE;
s_time_config.verify_depth = -1;
if (options_parse(argc, argv, s_time_options, NULL, NULL) != 0) {
s_time_usage();
goto end;
}
if (s_time_config.verify_depth >= 0) {
s_time_config.verify = SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
verify_depth = s_time_config.verify_depth;
BIO_printf(bio_err, "verify depth is %d\n", verify_depth);
}
if (s_time_config.www_path != NULL &&
strlen(s_time_config.www_path) > MYBUFSIZ - 100) {
BIO_printf(bio_err, "-www option too long\n");
goto end;
}
if ((tm_ctx = SSL_CTX_new(s_time_meth)) == NULL)
return (1);
SSL_CTX_set_quiet_shutdown(tm_ctx, 1);
if (s_time_config.bugs)
SSL_CTX_set_options(tm_ctx, SSL_OP_ALL);
if (s_time_config.cipher != NULL) {
if (!SSL_CTX_set_cipher_list(tm_ctx, s_time_config.cipher)) {
BIO_printf(bio_err, "error setting cipher list\n");
ERR_print_errors(bio_err);
goto end;
}
}
if (!set_cert_stuff(tm_ctx, s_time_config.certfile,
s_time_config.keyfile))
goto end;
if ((!SSL_CTX_load_verify_locations(tm_ctx, s_time_config.CAfile,
s_time_config.CApath)) ||
(!SSL_CTX_set_default_verify_paths(tm_ctx))) {
/*
* BIO_printf(bio_err,"error setting default verify
* locations\n");
*/
ERR_print_errors(bio_err);
/* goto end; */
}
if (!(s_time_config.perform & 1))
goto next;
printf("Collecting connection statistics for %d seconds\n",
s_time_config.maxtime);
/* Loop and time how long it takes to make connections */
bytes_read = 0;
finishtime = (long) time(NULL) + s_time_config.maxtime;
tm_Time_F(START);
for (;;) {
if (finishtime < (long) time(NULL))
break;
if ((scon = doConnection(NULL)) == NULL)
goto end;
if (s_time_config.www_path != NULL) {
int retval = snprintf(buf, sizeof buf,
"GET %s HTTP/1.0\r\n\r\n", s_time_config.www_path);
if ((size_t)retval >= sizeof buf) {
fprintf(stderr, "URL too long\n");
goto end;
}
SSL_write(scon, buf, strlen(buf));
while ((i = SSL_read(scon, buf, sizeof(buf))) > 0)
bytes_read += i;
}
#ifdef NO_SHUTDOWN
SSL_set_shutdown(scon, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
#else
SSL_shutdown(scon);
#endif
shutdown(SSL_get_fd(scon), SHUT_RDWR);
close(SSL_get_fd(scon));
nConn += 1;
if (SSL_session_reused(scon))
ver = 'r';
else {
ver = SSL_version(scon);
if (ver == TLS1_VERSION)
ver = 't';
else if (ver == SSL3_VERSION)
ver = '3';
else if (ver == SSL2_VERSION)
ver = '2';
else
ver = '*';
}
fputc(ver, stdout);
fflush(stdout);
SSL_free(scon);
scon = NULL;
}
totalTime += tm_Time_F(STOP); /* Add the time for this iteration */
i = (int) ((long) time(NULL) - finishtime + s_time_config.maxtime);
printf("\n\n%d connections in %.2fs; %.2f connections/user sec, bytes read %ld\n", nConn, totalTime, ((double) nConn / totalTime), bytes_read);
printf("%d connections in %ld real seconds, %ld bytes read per connection\n", nConn, (long) time(NULL) - finishtime + s_time_config.maxtime, bytes_read / nConn);
/*
* Now loop and time connections using the same session id over and
* over
*/
next:
if (!(s_time_config.perform & 2))
goto end;
printf("\n\nNow timing with session id reuse.\n");
/* Get an SSL object so we can reuse the session id */
if ((scon = doConnection(NULL)) == NULL) {
fprintf(stderr, "Unable to get connection\n");
goto end;
}
if (s_time_config.www_path != NULL) {
int retval = snprintf(buf, sizeof buf,
"GET %s HTTP/1.0\r\n\r\n", s_time_config.www_path);
if ((size_t)retval >= sizeof buf) {
fprintf(stderr, "URL too long\n");
goto end;
}
SSL_write(scon, buf, strlen(buf));
while (SSL_read(scon, buf, sizeof(buf)) > 0);
}
#ifdef NO_SHUTDOWN
SSL_set_shutdown(scon, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
#else
SSL_shutdown(scon);
#endif
shutdown(SSL_get_fd(scon), SHUT_RDWR);
close(SSL_get_fd(scon));
nConn = 0;
totalTime = 0.0;
finishtime = (long) time(NULL) + s_time_config.maxtime;
printf("starting\n");
bytes_read = 0;
tm_Time_F(START);
for (;;) {
if (finishtime < (long) time(NULL))
break;
if ((doConnection(scon)) == NULL)
goto end;
if (s_time_config.www_path) {
int retval = snprintf(buf, sizeof buf,
"GET %s HTTP/1.0\r\n\r\n", s_time_config.www_path);
if ((size_t)retval >= sizeof buf) {
fprintf(stderr, "URL too long\n");
goto end;
}
SSL_write(scon, buf, strlen(buf));
while ((i = SSL_read(scon, buf, sizeof(buf))) > 0)
bytes_read += i;
}
#ifdef NO_SHUTDOWN
SSL_set_shutdown(scon, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
#else
SSL_shutdown(scon);
#endif
shutdown(SSL_get_fd(scon), SHUT_RDWR);
close(SSL_get_fd(scon));
nConn += 1;
if (SSL_session_reused(scon))
ver = 'r';
else {
ver = SSL_version(scon);
if (ver == TLS1_VERSION)
ver = 't';
else if (ver == SSL3_VERSION)
ver = '3';
else if (ver == SSL2_VERSION)
ver = '2';
else
ver = '*';
}
fputc(ver, stdout);
fflush(stdout);
}
totalTime += tm_Time_F(STOP); /* Add the time for this iteration */
printf("\n\n%d connections in %.2fs; %.2f connections/user sec, bytes read %ld\n", nConn, totalTime, ((double) nConn / totalTime), bytes_read);
printf("%d connections in %ld real seconds, %ld bytes read per connection\n", nConn, (long) time(NULL) - finishtime + s_time_config.maxtime, bytes_read / nConn);
ret = 0;
end:
if (scon != NULL)
SSL_free(scon);
if (tm_ctx != NULL) {
SSL_CTX_free(tm_ctx);
tm_ctx = NULL;
}
return (ret);
}
/****************************** transfer data */
NOEXPORT void transfer(CLI *c) {
int watchdog=0; /* a counter to detect an infinite loop */
int num, err;
/* logical channels (not file descriptors!) open for read or write */
int sock_open_rd=1, sock_open_wr=1;
/* awaited conditions on SSL file descriptors */
int shutdown_wants_read=0, shutdown_wants_write=0;
int read_wants_read=0, read_wants_write=0;
int write_wants_read=0, write_wants_write=0;
/* actual conditions on file descriptors */
int sock_can_rd, sock_can_wr, ssl_can_rd, ssl_can_wr;
c->sock_ptr=c->ssl_ptr=0;
do { /* main loop of client data transfer */
/****************************** initialize *_wants_* */
read_wants_read|=!(SSL_get_shutdown(c->ssl)&SSL_RECEIVED_SHUTDOWN)
&& c->ssl_ptr<BUFFSIZE && !read_wants_write;
write_wants_write|=!(SSL_get_shutdown(c->ssl)&SSL_SENT_SHUTDOWN)
&& c->sock_ptr && !write_wants_read;
/****************************** setup c->fds structure */
s_poll_init(c->fds); /* initialize the structure */
/* for plain socket open data strem = open file descriptor */
/* make sure to add each open socket to receive exceptions! */
if(sock_open_rd) /* only poll if the read file descriptor is open */
s_poll_add(c->fds, c->sock_rfd->fd, c->sock_ptr<BUFFSIZE, 0);
if(sock_open_wr) /* only poll if the write file descriptor is open */
s_poll_add(c->fds, c->sock_wfd->fd, 0, c->ssl_ptr);
/* poll SSL file descriptors unless SSL shutdown was completed */
if(SSL_get_shutdown(c->ssl)!=
(SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)) {
s_poll_add(c->fds, c->ssl_rfd->fd,
read_wants_read || write_wants_read || shutdown_wants_read, 0);
s_poll_add(c->fds, c->ssl_wfd->fd, 0,
read_wants_write || write_wants_write || shutdown_wants_write);
}
/****************************** wait for an event */
err=s_poll_wait(c->fds,
(sock_open_rd && /* both peers open */
!(SSL_get_shutdown(c->ssl)&SSL_RECEIVED_SHUTDOWN)) ||
c->ssl_ptr /* data buffered to write to socket */ ||
c->sock_ptr /* data buffered to write to SSL */ ?
c->opt->timeout_idle : c->opt->timeout_close, 0);
switch(err) {
case -1:
sockerror("transfer: s_poll_wait");
longjmp(c->err, 1);
case 0: /* timeout */
if((sock_open_rd &&
!(SSL_get_shutdown(c->ssl)&SSL_RECEIVED_SHUTDOWN)) ||
c->ssl_ptr || c->sock_ptr) {
s_log(LOG_INFO, "transfer: s_poll_wait:"
" TIMEOUTidle exceeded: sending reset");
longjmp(c->err, 1);
} else { /* already closing connection */
s_log(LOG_ERR, "transfer: s_poll_wait:"
" TIMEOUTclose exceeded: closing");
return; /* OK */
}
}
/****************************** check for errors on sockets */
err=s_poll_error(c->fds, c->sock_rfd->fd);
if(err && err!=S_EWOULDBLOCK && err!=S_EAGAIN) {
s_log(LOG_NOTICE, "Read socket error: %s (%d)",
s_strerror(err), err);
longjmp(c->err, 1);
}
if(c->sock_wfd->fd!=c->sock_rfd->fd) { /* performance optimization */
err=s_poll_error(c->fds, c->sock_wfd->fd);
if(err && err!=S_EWOULDBLOCK && err!=S_EAGAIN) {
s_log(LOG_NOTICE, "Write socket error: %s (%d)",
s_strerror(err), err);
longjmp(c->err, 1);
}
}
err=s_poll_error(c->fds, c->ssl_rfd->fd);
if(err && err!=S_EWOULDBLOCK && err!=S_EAGAIN) {
s_log(LOG_NOTICE, "SSL socket error: %s (%d)",
s_strerror(err), err);
longjmp(c->err, 1);
}
if(c->ssl_wfd->fd!=c->ssl_rfd->fd) { /* performance optimization */
err=s_poll_error(c->fds, c->ssl_wfd->fd);
if(err && err!=S_EWOULDBLOCK && err!=S_EAGAIN) {
s_log(LOG_NOTICE, "SSL socket error: %s (%d)",
s_strerror(err), err);
longjmp(c->err, 1);
}
}
/****************************** check for hangup conditions */
if(s_poll_hup(c->fds, c->sock_rfd->fd)) {
s_log(LOG_INFO, "Read socket closed (hangup)");
sock_open_rd=0;
}
if(s_poll_hup(c->fds, c->sock_wfd->fd)) {
if(c->ssl_ptr) {
s_log(LOG_ERR,
"Write socket closed (hangup) with %d unsent byte(s)",
c->ssl_ptr);
longjmp(c->err, 1); /* reset the socket */
}
s_log(LOG_INFO, "Write socket closed (hangup)");
sock_open_wr=0;
}
if(s_poll_hup(c->fds, c->ssl_rfd->fd) ||
s_poll_hup(c->fds, c->ssl_wfd->fd)) {
/* hangup -> buggy (e.g. Microsoft) peer:
* SSL socket closed without close_notify alert */
if(c->sock_ptr || write_wants_write) {
s_log(LOG_ERR,
"SSL socket closed (hangup) with %d unsent byte(s)",
c->sock_ptr);
longjmp(c->err, 1); /* reset the socket */
}
s_log(LOG_INFO, "SSL socket closed (hangup)");
SSL_set_shutdown(c->ssl, SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
}
/****************************** retrieve results from c->fds */
sock_can_rd=s_poll_canread(c->fds, c->sock_rfd->fd);
sock_can_wr=s_poll_canwrite(c->fds, c->sock_wfd->fd);
ssl_can_rd=s_poll_canread(c->fds, c->ssl_rfd->fd);
ssl_can_wr=s_poll_canwrite(c->fds, c->ssl_wfd->fd);
/****************************** checks for internal failures */
/* please report any internal errors to stunnel-users mailing list */
if(!(sock_can_rd || sock_can_wr || ssl_can_rd || ssl_can_wr)) {
s_log(LOG_ERR, "INTERNAL ERROR: "
"s_poll_wait returned %d, but no descriptor is ready", err);
longjmp(c->err, 1);
}
if(c->reneg_state==RENEG_DETECTED && !c->opt->option.renegotiation) {
s_log(LOG_ERR, "Aborting due to renegotiation request");
longjmp(c->err, 1);
}
/****************************** send SSL close_notify alert */
if(shutdown_wants_read || shutdown_wants_write) {
num=SSL_shutdown(c->ssl); /* send close_notify alert */
if(num<0) /* -1 - not completed */
err=SSL_get_error(c->ssl, num);
else /* 0 or 1 - success */
err=SSL_ERROR_NONE;
switch(err) {
case SSL_ERROR_NONE: /* the shutdown was successfully completed */
s_log(LOG_INFO, "SSL_shutdown successfully sent close_notify alert");
shutdown_wants_read=shutdown_wants_write=0;
break;
case SSL_ERROR_SYSCALL: /* socket error */
if(parse_socket_error(c, "SSL_shutdown"))
break; /* a non-critical error: retry */
SSL_set_shutdown(c->ssl, SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
shutdown_wants_read=shutdown_wants_write=0;
break;
case SSL_ERROR_WANT_WRITE:
s_log(LOG_DEBUG, "SSL_shutdown returned WANT_WRITE: retrying");
shutdown_wants_read=0;
shutdown_wants_write=1;
break;
case SSL_ERROR_WANT_READ:
s_log(LOG_DEBUG, "SSL_shutdown returned WANT_READ: retrying");
shutdown_wants_read=1;
shutdown_wants_write=0;
break;
case SSL_ERROR_SSL: /* SSL error */
sslerror("SSL_shutdown");
longjmp(c->err, 1);
default:
s_log(LOG_ERR, "SSL_shutdown/SSL_get_error returned %d", err);
longjmp(c->err, 1);
}
}
/****************************** read from socket */
if(sock_open_rd && sock_can_rd) {
num=readsocket(c->sock_rfd->fd,
c->sock_buff+c->sock_ptr, BUFFSIZE-c->sock_ptr);
switch(num) {
case -1:
if(parse_socket_error(c, "readsocket"))
break; /* a non-critical error: retry */
sock_open_rd=sock_open_wr=0;
break;
case 0: /* close */
s_log(LOG_INFO, "Read socket closed (readsocket)");
sock_open_rd=0;
break;
default:
c->sock_ptr+=num;
watchdog=0; /* reset watchdog */
}
}
/****************************** write to socket */
if(sock_open_wr && sock_can_wr) {
num=writesocket(c->sock_wfd->fd, c->ssl_buff, c->ssl_ptr);
switch(num) {
case -1: /* error */
if(parse_socket_error(c, "writesocket"))
break; /* a non-critical error: retry */
sock_open_rd=sock_open_wr=0;
break;
default:
memmove(c->ssl_buff, c->ssl_buff+num, c->ssl_ptr-num);
c->ssl_ptr-=num;
c->sock_bytes+=num;
watchdog=0; /* reset watchdog */
}
}
/****************************** update *_wants_* based on new *_ptr */
/* this update is also required for SSL_pending() to be used */
read_wants_read|=!(SSL_get_shutdown(c->ssl)&SSL_RECEIVED_SHUTDOWN)
&& c->ssl_ptr<BUFFSIZE && !read_wants_write;
write_wants_write|=!(SSL_get_shutdown(c->ssl)&SSL_SENT_SHUTDOWN)
&& c->sock_ptr && !write_wants_read;
/****************************** read from SSL */
if((read_wants_read && (ssl_can_rd || SSL_pending(c->ssl))) ||
/* it may be possible to read some pending data after
* writesocket() above made some room in c->ssl_buff */
(read_wants_write && ssl_can_wr)) {
read_wants_read=0;
read_wants_write=0;
num=SSL_read(c->ssl, c->ssl_buff+c->ssl_ptr, BUFFSIZE-c->ssl_ptr);
switch(err=SSL_get_error(c->ssl, num)) {
case SSL_ERROR_NONE:
if(num==0)
s_log(LOG_DEBUG, "SSL_read returned 0");
c->ssl_ptr+=num;
watchdog=0; /* reset watchdog */
break;
case SSL_ERROR_WANT_WRITE:
s_log(LOG_DEBUG, "SSL_read returned WANT_WRITE: retrying");
read_wants_write=1;
break;
case SSL_ERROR_WANT_READ: /* is it possible? */
s_log(LOG_DEBUG, "SSL_read returned WANT_READ: retrying");
read_wants_read=1;
break;
case SSL_ERROR_WANT_X509_LOOKUP:
s_log(LOG_DEBUG,
"SSL_read returned WANT_X509_LOOKUP: retrying");
break;
case SSL_ERROR_SYSCALL:
if(num && parse_socket_error(c, "SSL_read"))
break; /* a non-critical error: retry */
/* EOF -> buggy (e.g. Microsoft) peer:
* SSL socket closed without close_notify alert */
if(c->sock_ptr || write_wants_write) {
s_log(LOG_ERR,
"SSL socket closed (SSL_read) with %d unsent byte(s)",
c->sock_ptr);
longjmp(c->err, 1); /* reset the socket */
}
s_log(LOG_INFO, "SSL socket closed (SSL_read)");
SSL_set_shutdown(c->ssl, SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
break;
case SSL_ERROR_ZERO_RETURN: /* close_notify alert received */
s_log(LOG_INFO, "SSL closed (SSL_read)");
if(SSL_version(c->ssl)==SSL2_VERSION)
SSL_set_shutdown(c->ssl, SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
break;
case SSL_ERROR_SSL:
sslerror("SSL_read");
longjmp(c->err, 1);
default:
s_log(LOG_ERR, "SSL_read/SSL_get_error returned %d", err);
longjmp(c->err, 1);
}
}
/****************************** write to SSL */
if((write_wants_read && ssl_can_rd) ||
(write_wants_write && ssl_can_wr)) {
write_wants_read=0;
write_wants_write=0;
num=SSL_write(c->ssl, c->sock_buff, c->sock_ptr);
switch(err=SSL_get_error(c->ssl, num)) {
case SSL_ERROR_NONE:
if(num==0)
s_log(LOG_DEBUG, "SSL_write returned 0");
memmove(c->sock_buff, c->sock_buff+num, c->sock_ptr-num);
c->sock_ptr-=num;
c->ssl_bytes+=num;
watchdog=0; /* reset watchdog */
break;
case SSL_ERROR_WANT_WRITE: /* buffered data? */
s_log(LOG_DEBUG, "SSL_write returned WANT_WRITE: retrying");
write_wants_write=1;
break;
case SSL_ERROR_WANT_READ:
s_log(LOG_DEBUG, "SSL_write returned WANT_READ: retrying");
write_wants_read=1;
break;
case SSL_ERROR_WANT_X509_LOOKUP:
s_log(LOG_DEBUG,
"SSL_write returned WANT_X509_LOOKUP: retrying");
break;
case SSL_ERROR_SYSCALL: /* socket error */
if(num && parse_socket_error(c, "SSL_write"))
break; /* a non-critical error: retry */
/* EOF -> buggy (e.g. Microsoft) peer:
* SSL socket closed without close_notify alert */
if(c->sock_ptr) { /* TODO: what about buffered data? */
s_log(LOG_ERR,
"SSL socket closed (SSL_write) with %d unsent byte(s)",
c->sock_ptr);
longjmp(c->err, 1); /* reset the socket */
}
s_log(LOG_INFO, "SSL socket closed (SSL_write)");
SSL_set_shutdown(c->ssl, SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
break;
case SSL_ERROR_ZERO_RETURN: /* close_notify alert received */
s_log(LOG_INFO, "SSL closed (SSL_write)");
if(SSL_version(c->ssl)==SSL2_VERSION)
SSL_set_shutdown(c->ssl, SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
break;
case SSL_ERROR_SSL:
sslerror("SSL_write");
longjmp(c->err, 1);
default:
s_log(LOG_ERR, "SSL_write/SSL_get_error returned %d", err);
longjmp(c->err, 1);
}
}
/****************************** check write shutdown conditions */
if(sock_open_wr && SSL_get_shutdown(c->ssl)&SSL_RECEIVED_SHUTDOWN &&
!c->ssl_ptr) {
sock_open_wr=0; /* no further write allowed */
if(!c->sock_wfd->is_socket) {
s_log(LOG_DEBUG, "Closing the file descriptor");
sock_open_rd=0; /* file descriptor is ready to be closed */
} else if(!shutdown(c->sock_wfd->fd, SHUT_WR)) { /* send TCP FIN */
s_log(LOG_DEBUG, "Sent socket write shutdown");
} else {
s_log(LOG_DEBUG, "Failed to send socket write shutdown");
sock_open_rd=0; /* file descriptor is ready to be closed */
}
}
if(!(SSL_get_shutdown(c->ssl)&SSL_SENT_SHUTDOWN) && !sock_open_rd &&
!c->sock_ptr && !write_wants_write) {
if(SSL_version(c->ssl)!=SSL2_VERSION) {
s_log(LOG_DEBUG, "Sending close_notify alert");
shutdown_wants_write=1;
} else { /* no alerts in SSLv2, including the close_notify alert */
s_log(LOG_DEBUG, "Closing SSLv2 socket");
if(c->ssl_rfd->is_socket)
shutdown(c->ssl_rfd->fd, SHUT_RD); /* notify the kernel */
if(c->ssl_wfd->is_socket)
shutdown(c->ssl_wfd->fd, SHUT_WR); /* send TCP FIN */
/* notify the OpenSSL library */
SSL_set_shutdown(c->ssl, SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
}
}
/****************************** check watchdog */
if(++watchdog>100) { /* loop executes without transferring any data */
s_log(LOG_ERR,
"transfer() loop executes not transferring any data");
s_log(LOG_ERR,
"please report the problem to [email protected]");
stunnel_info(LOG_ERR);
s_log(LOG_ERR, "protocol=%s, SSL_pending=%d",
SSL_get_version(c->ssl), SSL_pending(c->ssl));
s_log(LOG_ERR, "sock_open_rd=%s, sock_open_wr=%s",
sock_open_rd ? "Y" : "n", sock_open_wr ? "Y" : "n");
s_log(LOG_ERR, "SSL_RECEIVED_SHUTDOWN=%s, SSL_SENT_SHUTDOWN=%s",
SSL_get_shutdown(c->ssl)&SSL_RECEIVED_SHUTDOWN ? "Y" : "n",
SSL_get_shutdown(c->ssl)&SSL_SENT_SHUTDOWN ? "Y" : "n");
s_log(LOG_ERR, "sock_can_rd=%s, sock_can_wr=%s",
sock_can_rd ? "Y" : "n", sock_can_wr ? "Y" : "n");
s_log(LOG_ERR, "ssl_can_rd=%s, ssl_can_wr=%s",
ssl_can_rd ? "Y" : "n", ssl_can_wr ? "Y" : "n");
s_log(LOG_ERR, "read_wants_read=%s, read_wants_write=%s",
read_wants_read ? "Y" : "n", read_wants_write ? "Y" : "n");
s_log(LOG_ERR, "write_wants_read=%s, write_wants_write=%s",
write_wants_read ? "Y" : "n", write_wants_write ? "Y" : "n");
s_log(LOG_ERR, "shutdown_wants_read=%s, shutdown_wants_write=%s",
shutdown_wants_read ? "Y" : "n",
shutdown_wants_write ? "Y" : "n");
s_log(LOG_ERR, "socket input buffer: %d byte(s), "
"ssl input buffer: %d byte(s)", c->sock_ptr, c->ssl_ptr);
longjmp(c->err, 1);
}
} while(sock_open_wr || !(SSL_get_shutdown(c->ssl)&SSL_SENT_SHUTDOWN) ||
shutdown_wants_read || shutdown_wants_write);
}
static void client_run(CLI * c)
{
int error;
c->remote_fd.fd = -1;
c->fd = -1;
c->ssl = NULL;
c->sock_bytes = c->ssl_bytes = 0;
c->fds = s_poll_alloc();
c->connect_addr.num = 0;
c->connect_addr.addr = NULL;
error = setjmp(c->err);
if (!error)
client_try(c);
s_log(LOG_NOTICE,
"Connection %s: %d byte(s) sent to SSL, %d byte(s) sent to socket",
error == 1 ? "reset" : "closed", c->ssl_bytes, c->sock_bytes);
if (c->fd >= 0)
closesocket(c->fd);
c->fd = -1;
if (c->ssl) {
SSL_set_shutdown(c->ssl,
SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
SSL_free(c->ssl);
c->ssl = NULL;
ERR_remove_state(0);
}
if (c->remote_fd.fd >= 0) {
if (error == 1 && c->remote_fd.is_socket)
reset(c->remote_fd.fd, "linger (remote)");
closesocket(c->remote_fd.fd);
s_log(LOG_DEBUG, "Remote socket (FD=%d) closed",
c->remote_fd.fd);
c->remote_fd.fd = -1;
}
if (c->local_rfd.fd >= 0) {
if (c->local_rfd.fd == c->local_wfd.fd) {
if (error == 1 && c->local_rfd.is_socket)
reset(c->local_rfd.fd, "linger (local)");
closesocket(c->local_rfd.fd);
s_log(LOG_DEBUG, "Local socket (FD=%d) closed",
c->local_rfd.fd);
} else {
if (error == 1 && c->local_rfd.is_socket)
reset(c->local_rfd.fd, "linger (local_rfd)");
if (error == 1 && c->local_wfd.is_socket)
reset(c->local_wfd.fd, "linger (local_wfd)");
}
c->local_rfd.fd = c->local_wfd.fd = -1;
}
s_log(LOG_DEBUG, "Service [%s] finished", c->opt->servname);
if (c->connect_addr.addr)
str_free(c->connect_addr.addr);
s_poll_free(c->fds);
c->fds = NULL;
}
static void transfer(CLI * c)
{
int watchdog = 0;
int num, err;
int sock_open_rd = 1, sock_open_wr = 1;
int shutdown_wants_read = 0, shutdown_wants_write = 0;
int read_wants_read, read_wants_write = 0;
int write_wants_read = 0, write_wants_write;
int sock_can_rd, sock_can_wr, ssl_can_rd, ssl_can_wr;
c->sock_ptr = c->ssl_ptr = 0;
do {
read_wants_read =
!(SSL_get_shutdown(c->ssl) & SSL_RECEIVED_SHUTDOWN)
&& c->ssl_ptr < BUFFSIZE && !read_wants_write;
write_wants_write =
!(SSL_get_shutdown(c->ssl) & SSL_SENT_SHUTDOWN)
&& c->sock_ptr && !write_wants_read;
s_poll_init(c->fds);
if (sock_open_rd)
s_poll_add(c->fds, c->sock_rfd->fd,
c->sock_ptr < BUFFSIZE, 0);
if (sock_open_wr)
s_poll_add(c->fds, c->sock_wfd->fd, 0, c->ssl_ptr);
if (read_wants_read || write_wants_read || shutdown_wants_read)
s_poll_add(c->fds, c->ssl_rfd->fd, 1, 0);
if (read_wants_write || write_wants_write
|| shutdown_wants_write)
s_poll_add(c->fds, c->ssl_wfd->fd, 0, 1);
err = s_poll_wait(c->fds, (sock_open_rd &&
!(SSL_get_shutdown(c->ssl) &
SSL_RECEIVED_SHUTDOWN))
|| c->ssl_ptr
||
c->sock_ptr
?
c->opt->timeout_idle : c->opt->timeout_close,
0);
switch (err) {
case -1:
sockerror("transfer: s_poll_wait");
longjmp(c->err, 1);
case 0:
if ((sock_open_rd &&
!(SSL_get_shutdown(c->ssl) &
SSL_RECEIVED_SHUTDOWN)) || c->ssl_ptr
|| c->sock_ptr) {
s_log(LOG_INFO,
"transfer: s_poll_wait:"
" TIMEOUTidle exceeded: sending reset");
longjmp(c->err, 1);
} else {
s_log(LOG_ERR, "transfer: s_poll_wait:"
" TIMEOUTclose exceeded: closing");
return;
}
}
err = s_poll_error(c->fds, c->sock_rfd);
if (err) {
s_log(LOG_NOTICE,
"Error detected on socket (read) file descriptor: %s (%d)",
s_strerror(err), err);
longjmp(c->err, 1);
}
if (c->sock_wfd->fd != c->sock_rfd->fd) {
err = s_poll_error(c->fds, c->sock_wfd);
if (err) {
s_log(LOG_NOTICE,
"Error detected on socket write file descriptor: %s (%d)",
s_strerror(err), err);
longjmp(c->err, 1);
}
}
err = s_poll_error(c->fds, c->ssl_rfd);
if (err) {
s_log(LOG_NOTICE,
"Error detected on SSL (read) file descriptor: %s (%d)",
s_strerror(err), err);
longjmp(c->err, 1);
}
if (c->ssl_wfd->fd != c->ssl_rfd->fd) {
err = s_poll_error(c->fds, c->ssl_wfd);
if (err) {
s_log(LOG_NOTICE,
"Error detected on SSL write file descriptor: %s (%d)",
s_strerror(err), err);
longjmp(c->err, 1);
}
}
sock_can_rd = s_poll_canread(c->fds, c->sock_rfd->fd);
sock_can_wr = s_poll_canwrite(c->fds, c->sock_wfd->fd);
ssl_can_rd = s_poll_canread(c->fds, c->ssl_rfd->fd);
ssl_can_wr = s_poll_canwrite(c->fds, c->ssl_wfd->fd);
if (!(sock_can_rd || sock_can_wr || ssl_can_rd || ssl_can_wr)) {
s_log(LOG_ERR, "INTERNAL ERROR: "
"s_poll_wait returned %d, but no descriptor is ready",
err);
longjmp(c->err, 1);
}
if (shutdown_wants_read || shutdown_wants_write) {
num = SSL_shutdown(c->ssl);
if (num < 0)
err = SSL_get_error(c->ssl, num);
else
err = SSL_ERROR_NONE;
switch (err) {
case SSL_ERROR_NONE:
s_log(LOG_INFO,
"SSL_shutdown successfully sent close_notify alert");
shutdown_wants_read = shutdown_wants_write = 0;
break;
case SSL_ERROR_SYSCALL:
if (parse_socket_error(c, "SSL_shutdown"))
break;
SSL_set_shutdown(c->ssl,
SSL_SENT_SHUTDOWN |
SSL_RECEIVED_SHUTDOWN);
shutdown_wants_read = shutdown_wants_write = 0;
break;
case SSL_ERROR_WANT_WRITE:
s_log(LOG_DEBUG,
"SSL_shutdown returned WANT_WRITE: retrying");
shutdown_wants_read = 0;
shutdown_wants_write = 1;
break;
case SSL_ERROR_WANT_READ:
s_log(LOG_DEBUG,
"SSL_shutdown returned WANT_READ: retrying");
shutdown_wants_read = 1;
shutdown_wants_write = 0;
break;
case SSL_ERROR_SSL:
sslerror("SSL_shutdown");
longjmp(c->err, 1);
default:
s_log(LOG_ERR,
"SSL_shutdown/SSL_get_error returned %d",
err);
longjmp(c->err, 1);
}
}
if (sock_open_rd && sock_can_rd) {
num = readsocket(c->sock_rfd->fd,
c->sock_buff + c->sock_ptr,
BUFFSIZE - c->sock_ptr);
switch (num) {
case -1:
if (parse_socket_error(c, "readsocket"))
break;
case 0:
s_log(LOG_DEBUG, "Socket closed on read");
sock_open_rd = 0;
break;
default:
c->sock_ptr += num;
watchdog = 0;
}
}
if (sock_open_wr && sock_can_wr) {
num =
writesocket(c->sock_wfd->fd, c->ssl_buff,
c->ssl_ptr);
switch (num) {
case -1:
if (parse_socket_error(c, "writesocket"))
break;
case 0:
s_log(LOG_DEBUG, "Socket closed on write");
sock_open_rd = sock_open_wr = 0;
break;
default:
memmove(c->ssl_buff, c->ssl_buff + num,
c->ssl_ptr - num);
c->ssl_ptr -= num;
c->sock_bytes += num;
watchdog = 0;
}
}
read_wants_read =
!(SSL_get_shutdown(c->ssl) & SSL_RECEIVED_SHUTDOWN)
&& c->ssl_ptr < BUFFSIZE && !read_wants_write;
write_wants_write =
!(SSL_get_shutdown(c->ssl) & SSL_SENT_SHUTDOWN)
&& c->sock_ptr && !write_wants_read;
if ((read_wants_read && (ssl_can_rd || SSL_pending(c->ssl))) ||
(read_wants_write && ssl_can_wr)) {
read_wants_write = 0;
num =
SSL_read(c->ssl, c->ssl_buff + c->ssl_ptr,
BUFFSIZE - c->ssl_ptr);
switch (err = SSL_get_error(c->ssl, num)) {
case SSL_ERROR_NONE:
if (num == 0)
s_log(LOG_DEBUG, "SSL_read returned 0");
c->ssl_ptr += num;
watchdog = 0;
break;
case SSL_ERROR_WANT_WRITE:
s_log(LOG_DEBUG,
"SSL_read returned WANT_WRITE: retrying");
read_wants_write = 1;
break;
case SSL_ERROR_WANT_READ:
break;
case SSL_ERROR_WANT_X509_LOOKUP:
s_log(LOG_DEBUG,
"SSL_read returned WANT_X509_LOOKUP: retrying");
break;
case SSL_ERROR_SYSCALL:
if (num && parse_socket_error(c, "SSL_read"))
break;
if (c->sock_ptr) {
s_log(LOG_ERR,
"SSL socket closed on SSL_read with %d unsent byte(s)",
c->sock_ptr);
longjmp(c->err, 1);
}
s_log(LOG_DEBUG,
"SSL socket closed on SSL_read");
SSL_set_shutdown(c->ssl,
SSL_SENT_SHUTDOWN |
SSL_RECEIVED_SHUTDOWN);
break;
case SSL_ERROR_ZERO_RETURN:
s_log(LOG_DEBUG, "SSL closed on SSL_read");
if (SSL_version(c->ssl) == SSL2_VERSION)
SSL_set_shutdown(c->ssl,
SSL_SENT_SHUTDOWN |
SSL_RECEIVED_SHUTDOWN);
break;
case SSL_ERROR_SSL:
sslerror("SSL_read");
longjmp(c->err, 1);
default:
s_log(LOG_ERR,
"SSL_read/SSL_get_error returned %d",
err);
longjmp(c->err, 1);
}
}
if ((write_wants_read && ssl_can_rd) ||
(write_wants_write && ssl_can_wr)) {
write_wants_read = 0;
num = SSL_write(c->ssl, c->sock_buff, c->sock_ptr);
switch (err = SSL_get_error(c->ssl, num)) {
case SSL_ERROR_NONE:
if (num == 0)
s_log(LOG_DEBUG,
"SSL_write returned 0");
memmove(c->sock_buff, c->sock_buff + num,
c->sock_ptr - num);
c->sock_ptr -= num;
c->ssl_bytes += num;
watchdog = 0;
break;
case SSL_ERROR_WANT_WRITE:
break;
case SSL_ERROR_WANT_READ:
s_log(LOG_DEBUG,
"SSL_write returned WANT_READ: retrying");
write_wants_read = 1;
break;
case SSL_ERROR_WANT_X509_LOOKUP:
s_log(LOG_DEBUG,
"SSL_write returned WANT_X509_LOOKUP: retrying");
break;
case SSL_ERROR_SYSCALL:
if (num && parse_socket_error(c, "SSL_write"))
break;
if (c->sock_ptr) {
s_log(LOG_ERR,
"SSL socket closed on SSL_write with %d unsent byte(s)",
c->sock_ptr);
longjmp(c->err, 1);
}
s_log(LOG_DEBUG,
"SSL socket closed on SSL_write");
SSL_set_shutdown(c->ssl,
SSL_SENT_SHUTDOWN |
SSL_RECEIVED_SHUTDOWN);
break;
case SSL_ERROR_ZERO_RETURN:
s_log(LOG_DEBUG, "SSL closed on SSL_write");
if (SSL_version(c->ssl) == SSL2_VERSION)
SSL_set_shutdown(c->ssl,
SSL_SENT_SHUTDOWN |
SSL_RECEIVED_SHUTDOWN);
break;
case SSL_ERROR_SSL:
sslerror("SSL_write");
longjmp(c->err, 1);
default:
s_log(LOG_ERR,
"SSL_write/SSL_get_error returned %d",
err);
longjmp(c->err, 1);
}
}
if (sock_open_wr
&& SSL_get_shutdown(c->ssl) & SSL_RECEIVED_SHUTDOWN
&& !c->ssl_ptr) {
sock_open_wr = 0;
if (!c->sock_wfd->is_socket) {
s_log(LOG_DEBUG,
"Closing the socket file descriptor");
sock_open_rd = 0;
} else if (!shutdown(c->sock_wfd->fd, SHUT_WR)) {
s_log(LOG_DEBUG, "Sent socket write shutdown");
} else {
s_log(LOG_DEBUG,
"Failed to send socket write shutdown");
sock_open_rd = 0;
}
}
if (!(SSL_get_shutdown(c->ssl) & SSL_SENT_SHUTDOWN)
&& !sock_open_rd && !c->sock_ptr) {
if (SSL_version(c->ssl) != SSL2_VERSION) {
s_log(LOG_DEBUG, "Sending close_notify alert");
shutdown_wants_write = 1;
} else {
s_log(LOG_DEBUG, "Closing SSLv2 socket");
if (c->ssl_rfd->is_socket)
shutdown(c->ssl_rfd->fd, SHUT_RD);
if (c->ssl_wfd->is_socket)
shutdown(c->ssl_wfd->fd, SHUT_WR);
SSL_set_shutdown(c->ssl,
SSL_SENT_SHUTDOWN |
SSL_RECEIVED_SHUTDOWN);
}
}
if (++watchdog > 100) {
s_log(LOG_ERR,
"transfer() loop executes not transferring any data");
wifisec_info(LOG_ERR);
s_log(LOG_ERR, "protocol=%s, SSL_pending=%d",
SSL_get_version(c->ssl), SSL_pending(c->ssl));
s_log(LOG_ERR, "sock_open_rd=%s, sock_open_wr=%s",
sock_open_rd ? "Y" : "n",
sock_open_wr ? "Y" : "n");
s_log(LOG_ERR,
"SSL_RECEIVED_SHUTDOWN=%s, SSL_SENT_SHUTDOWN=%s",
SSL_get_shutdown(c->ssl) & SSL_RECEIVED_SHUTDOWN ?
"Y" : "n",
SSL_get_shutdown(c->ssl) & SSL_SENT_SHUTDOWN ? "Y"
: "n");
s_log(LOG_ERR, "sock_can_rd=%s, sock_can_wr=%s",
sock_can_rd ? "Y" : "n", sock_can_wr ? "Y" : "n");
s_log(LOG_ERR, "ssl_can_rd=%s, ssl_can_wr=%s",
ssl_can_rd ? "Y" : "n", ssl_can_wr ? "Y" : "n");
s_log(LOG_ERR,
"read_wants_read=%s, read_wants_write=%s",
read_wants_read ? "Y" : "n",
read_wants_write ? "Y" : "n");
s_log(LOG_ERR,
"write_wants_read=%s, write_wants_write=%s",
write_wants_read ? "Y" : "n",
write_wants_write ? "Y" : "n");
s_log(LOG_ERR,
"shutdown_wants_read=%s, shutdown_wants_write=%s",
shutdown_wants_read ? "Y" : "n",
shutdown_wants_write ? "Y" : "n");
s_log(LOG_ERR,
"socket input buffer: %d byte(s), "
"ssl input buffer: %d byte(s)", c->sock_ptr,
c->ssl_ptr);
longjmp(c->err, 1);
}
} while (sock_open_wr || !(SSL_get_shutdown(c->ssl) & SSL_SENT_SHUTDOWN)
|| shutdown_wants_read || shutdown_wants_write);
}
int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chunkqueue *cq, off_t max_bytes) {
/* the remote side closed the connection before without shutdown request
* - IE
* - wget
* if keep-alive is disabled */
if (con->keep_alive == 0) {
SSL_set_shutdown(ssl, SSL_RECEIVED_SHUTDOWN);
}
chunkqueue_remove_finished_chunks(cq);
while (max_bytes > 0 && NULL != cq->first) {
const char *data;
size_t data_len;
int r;
if (0 != load_next_chunk(srv, con, cq, max_bytes, &data, &data_len)) return -1;
/**
* SSL_write man-page
*
* WARNING
* When an SSL_write() operation has to be repeated because of
* SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE, it must be
* repeated with the same arguments.
*/
ERR_clear_error();
r = SSL_write(ssl, data, data_len);
if (con->renegotiations > 1 && con->conf.ssl_disable_client_renegotiation) {
log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client, killing connection");
return -1;
}
if (r <= 0) {
int ssl_r;
unsigned long err;
switch ((ssl_r = SSL_get_error(ssl, r))) {
case SSL_ERROR_WANT_READ:
con->is_readable = -1;
return 0; /* try again later */
case SSL_ERROR_WANT_WRITE:
con->is_writable = -1;
return 0; /* try again later */
case SSL_ERROR_SYSCALL:
/* perhaps we have error waiting in our error-queue */
if (0 != (err = ERR_get_error())) {
do {
log_error_write(srv, __FILE__, __LINE__, "sdds", "SSL:",
ssl_r, r,
ERR_error_string(err, NULL));
} while((err = ERR_get_error()));
} else if (r == -1) {
/* no, but we have errno */
switch(errno) {
case EPIPE:
case ECONNRESET:
return -2;
default:
log_error_write(srv, __FILE__, __LINE__, "sddds", "SSL:",
ssl_r, r, errno,
strerror(errno));
break;
}
} else {
/* neither error-queue nor errno ? */
log_error_write(srv, __FILE__, __LINE__, "sddds", "SSL (error):",
ssl_r, r, errno,
strerror(errno));
}
break;
case SSL_ERROR_ZERO_RETURN:
/* clean shutdown on the remote side */
if (r == 0) return -2;
/* fall through */
default:
while((err = ERR_get_error())) {
log_error_write(srv, __FILE__, __LINE__, "sdds", "SSL:",
ssl_r, r,
ERR_error_string(err, NULL));
}
break;
}
return -1;
}
chunkqueue_mark_written(cq, r);
max_bytes -= r;
if ((size_t) r < data_len) break; /* try again later */
}
return 0;
}
static void client_run(CLI *c) {
int error;
#ifndef USE_FORK
enter_critical_section(CRIT_CLIENTS); /* for multi-cpu machines */
++num_clients;
leave_critical_section(CRIT_CLIENTS);
#endif
c->remote_fd.fd=-1;
c->fd=-1;
c->ssl=NULL;
c->sock_bytes=c->ssl_bytes=0;
c->fds=s_poll_alloc();
c->connect_addr.num=0;
c->connect_addr.addr=NULL;
error=setjmp(c->err);
if(!error)
client_try(c);
s_log(LOG_NOTICE,
"Connection %s: %d byte(s) sent to SSL, %d byte(s) sent to socket",
error==1 ? "reset" : "closed", c->ssl_bytes, c->sock_bytes);
/* cleanup temporary (e.g. IDENT) socket */
if(c->fd>=0)
closesocket(c->fd);
c->fd=-1;
/* cleanup SSL */
if(c->ssl) { /* SSL initialized */
SSL_set_shutdown(c->ssl, SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
SSL_free(c->ssl);
c->ssl=NULL;
ERR_remove_state(0);
}
/* cleanup remote socket */
if(c->remote_fd.fd>=0) { /* remote socket initialized */
if(error==1 && c->remote_fd.is_socket) /* reset */
reset(c->remote_fd.fd, "linger (remote)");
closesocket(c->remote_fd.fd);
s_log(LOG_DEBUG, "Remote socket (FD=%d) closed", c->remote_fd.fd);
c->remote_fd.fd=-1;
}
/* cleanup local socket */
if(c->local_rfd.fd>=0) { /* local socket initialized */
if(c->local_rfd.fd==c->local_wfd.fd) {
if(error==1 && c->local_rfd.is_socket)
reset(c->local_rfd.fd, "linger (local)");
closesocket(c->local_rfd.fd);
s_log(LOG_DEBUG, "Local socket (FD=%d) closed", c->local_rfd.fd);
} else { /* stdin/stdout */
if(error==1 && c->local_rfd.is_socket)
reset(c->local_rfd.fd, "linger (local_rfd)");
if(error==1 && c->local_wfd.is_socket)
reset(c->local_wfd.fd, "linger (local_wfd)");
}
c->local_rfd.fd=c->local_wfd.fd=-1;
}
#ifdef USE_FORK
/* display child return code if it managed to arrive on time */
/* otherwise it will be retrieved by the init process and ignored */
if(c->opt->option.program) /* 'exec' specified */
child_status(); /* null SIGCHLD handler was used */
s_log(LOG_DEBUG, "Service [%s] finished", c->opt->servname);
#else
enter_critical_section(CRIT_CLIENTS); /* for multi-cpu machines */
s_log(LOG_DEBUG, "Service [%s] finished (%d left)",
c->opt->servname, --num_clients);
leave_critical_section(CRIT_CLIENTS);
#endif
/* free remaining memory structures */
if(c->connect_addr.addr)
str_free(c->connect_addr.addr);
s_poll_free(c->fds);
c->fds=NULL;
}
bool SSLSocket::handleError(int64_t nr_bytes, bool is_init) {
char esbuf[512];
string ebuf;
unsigned long ecode;
bool retry = true;
int err = SSL_get_error(m_handle, nr_bytes);
switch (err) {
case SSL_ERROR_ZERO_RETURN:
/* SSL terminated (but socket may still be active) */
retry = false;
break;
case SSL_ERROR_WANT_READ:
case SSL_ERROR_WANT_WRITE:
/* re-negotiation, or perhaps the SSL layer needs more
* packets: retry in next iteration */
errno = EAGAIN;
retry = (is_init || m_is_blocked);
break;
case SSL_ERROR_SYSCALL:
if (ERR_peek_error() == 0) {
if (nr_bytes == 0) {
if (ERR_get_error()) {
raise_warning("SSL: fatal protocol error");
}
SSL_set_shutdown(m_handle, SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
m_eof = true;
retry = false;
} else {
string estr = Util::safe_strerror(errno);
raise_warning("SSL: %s", estr.c_str());
retry = false;
}
break;
}
/* fall through */
default:
/* some other error */
ecode = ERR_get_error();
switch (ERR_GET_REASON(ecode)) {
case SSL_R_NO_SHARED_CIPHER:
raise_warning("SSL_R_NO_SHARED_CIPHER: no suitable shared cipher "
"could be used. This could be because the server is "
"missing an SSL certificate (local_cert context "
"option)");
retry = false;
break;
default:
do {
// NULL is automatically added
ERR_error_string_n(ecode, esbuf, sizeof(esbuf));
if (!ebuf.empty()) {
ebuf += '\n';
}
ebuf += esbuf;
} while ((ecode = ERR_get_error()) != 0);
raise_warning("SSL operation failed with code %d. %s%s",
err, !ebuf.empty() ? "OpenSSL Error messages:\n" : "",
!ebuf.empty() ? ebuf.c_str() : "");
}
retry = false;
errno = 0;
}
return retry;
}
/****************************** transfer data */
static void transfer(CLI *c) {
int watchdog=0; /* a counter to detect an infinite loop */
int num, err;
/* logical channels (not file descriptors!) open for read or write */
int sock_open_rd=1, sock_open_wr=1, ssl_open_rd=1, ssl_open_wr=1;
/* awaited conditions on SSL file descriptors */
int shutdown_wants_read=0, shutdown_wants_write=0;
int read_wants_read, read_wants_write=0;
int write_wants_read=0, write_wants_write;
/* actual conditions on file descriptors */
int sock_can_rd, sock_can_wr, ssl_can_rd, ssl_can_wr;
c->sock_ptr=c->ssl_ptr=0;
do { /* main loop of client data transfer */
/****************************** initialize *_wants_* */
read_wants_read=
ssl_open_rd && c->ssl_ptr<BUFFSIZE && !read_wants_write;
write_wants_write=
ssl_open_wr && c->sock_ptr && !write_wants_read;
/****************************** setup c->fds structure */
s_poll_init(&c->fds); /* initialize the structure */
/* for plain socket open data strem = open file descriptor */
/* make sure to add each open socket to receive exceptions! */
if(sock_open_rd)
s_poll_add(&c->fds, c->sock_rfd->fd, c->sock_ptr<BUFFSIZE, 0);
if(sock_open_wr)
s_poll_add(&c->fds, c->sock_wfd->fd, 0, c->ssl_ptr);
/* for SSL assume that sockets are open if there any pending requests */
if(read_wants_read || write_wants_read || shutdown_wants_read)
s_poll_add(&c->fds, c->ssl_rfd->fd, 1, 0);
if(read_wants_write || write_wants_write || shutdown_wants_write)
s_poll_add(&c->fds, c->ssl_wfd->fd, 0, 1);
/****************************** wait for an event */
err=s_poll_wait(&c->fds,
(sock_open_rd && ssl_open_rd) /* both peers open */ ||
c->ssl_ptr /* data buffered to write to socket */ ||
c->sock_ptr /* data buffered to write to SSL */ ?
c->opt->timeout_idle : c->opt->timeout_close, 0);
switch(err) {
case -1:
sockerror("transfer: s_poll_wait");
longjmp(c->err, 1);
case 0: /* timeout */
if((sock_open_rd && ssl_open_rd) || c->ssl_ptr || c->sock_ptr) {
s_log(LOG_INFO, "transfer: s_poll_wait:"
" TIMEOUTidle exceeded: sending reset");
longjmp(c->err, 1);
} else { /* already closing connection */
s_log(LOG_ERR, "transfer: s_poll_wait:"
" TIMEOUTclose exceeded: closing");
return; /* OK */
}
}
/****************************** check for errors on sockets */
err=s_poll_error(&c->fds, c->sock_rfd->fd);
if(err) {
s_log(LOG_NOTICE,
"Error detected on socket (read) file descriptor: %s (%d)",
s_strerror(err), err);
longjmp(c->err, 1);
}
if(c->sock_wfd->fd != c->sock_rfd->fd) { /* performance optimization */
err=s_poll_error(&c->fds, c->sock_wfd->fd);
if(err) {
s_log(LOG_NOTICE,
"Error detected on socket write file descriptor: %s (%d)",
s_strerror(err), err);
longjmp(c->err, 1);
}
}
err=s_poll_error(&c->fds, c->ssl_rfd->fd);
if(err) {
s_log(LOG_NOTICE,
"Error detected on SSL (read) file descriptor: %s (%d)",
s_strerror(err), err);
longjmp(c->err, 1);
}
if(c->ssl_wfd->fd != c->ssl_rfd->fd) { /* performance optimization */
err=s_poll_error(&c->fds, c->ssl_wfd->fd);
if(err) {
s_log(LOG_NOTICE,
"Error detected on SSL write file descriptor: %s (%d)",
s_strerror(err), err);
longjmp(c->err, 1);
}
}
/****************************** retrieve results from c->fds */
sock_can_rd=s_poll_canread(&c->fds, c->sock_rfd->fd);
sock_can_wr=s_poll_canwrite(&c->fds, c->sock_wfd->fd);
ssl_can_rd=s_poll_canread(&c->fds, c->ssl_rfd->fd);
ssl_can_wr=s_poll_canwrite(&c->fds, c->ssl_wfd->fd);
/****************************** checks for internal failures */
/* please report any internal errors to stunnel-users mailing list */
if(!(sock_can_rd || sock_can_wr || ssl_can_rd || ssl_can_wr)) {
s_log(LOG_ERR, "INTERNAL ERROR: "
"s_poll_wait returned %d, but no descriptor is ready", err);
longjmp(c->err, 1);
}
/* these checks should no longer be needed */
/* I'm going to remove them soon */
if(!sock_open_rd && sock_can_rd) {
err=get_socket_error(c->sock_rfd->fd);
if(err) { /* really an error? */
s_log(LOG_ERR, "INTERNAL ERROR: "
"Closed socket ready to read: %s (%d)",
s_strerror(err), err);
longjmp(c->err, 1);
}
if(c->ssl_ptr) { /* anything left to write */
s_log(LOG_ERR, "INTERNAL ERROR: "
"Closed socket ready to read: sending reset");
longjmp(c->err, 1);
}
s_log(LOG_ERR, "INTERNAL ERROR: "
"Closed socket ready to read: write close");
sock_open_wr=0; /* no further write allowed */
shutdown(c->sock_wfd->fd, SHUT_WR); /* send TCP FIN */
}
/****************************** send SSL close_notify message */
if(shutdown_wants_read || shutdown_wants_write) {
shutdown_wants_read=shutdown_wants_write=0;
num=SSL_shutdown(c->ssl); /* send close_notify */
if(num<0) /* -1 - not completed */
err=SSL_get_error(c->ssl, num);
else /* 0 or 1 - success */
err=SSL_ERROR_NONE;
switch(err) {
case SSL_ERROR_NONE: /* the shutdown was successfully completed */
s_log(LOG_INFO, "SSL_shutdown successfully sent close_notify");
break;
case SSL_ERROR_WANT_WRITE:
s_log(LOG_DEBUG, "SSL_shutdown returned WANT_WRITE: retrying");
shutdown_wants_write=1;
break;
case SSL_ERROR_WANT_READ:
s_log(LOG_DEBUG, "SSL_shutdown returned WANT_READ: retrying");
shutdown_wants_read=1;
break;
case SSL_ERROR_SYSCALL: /* socket error */
parse_socket_error(c, "SSL_shutdown");
break;
case SSL_ERROR_SSL: /* SSL error */
sslerror("SSL_shutdown");
longjmp(c->err, 1);
default:
s_log(LOG_ERR, "SSL_shutdown/SSL_get_error returned %d", err);
longjmp(c->err, 1);
}
}
/****************************** read from socket */
if(sock_open_rd && sock_can_rd) {
num=readsocket(c->sock_rfd->fd,
c->sock_buff+c->sock_ptr, BUFFSIZE-c->sock_ptr);
switch(num) {
case -1:
parse_socket_error(c, "readsocket");
break;
case 0: /* close */
s_log(LOG_DEBUG, "Socket closed on read");
sock_open_rd=0;
break;
default:
c->sock_ptr+=num;
watchdog=0; /* reset watchdog */
}
}
/****************************** write to socket */
if(sock_open_wr && sock_can_wr) {
num=writesocket(c->sock_wfd->fd, c->ssl_buff, c->ssl_ptr);
switch(num) {
case -1: /* error */
parse_socket_error(c, "writesocket");
break;
case 0:
s_log(LOG_DEBUG, "No data written to the socket: retrying");
break;
default:
memmove(c->ssl_buff, c->ssl_buff+num, c->ssl_ptr-num);
c->ssl_ptr-=num;
c->sock_bytes+=num;
watchdog=0; /* reset watchdog */
}
}
/****************************** update *_wants_* based on new *_ptr */
/* this update is also required for SSL_pending() to be used */
read_wants_read=
ssl_open_rd && c->ssl_ptr<BUFFSIZE && !read_wants_write;
write_wants_write=
ssl_open_wr && c->sock_ptr && !write_wants_read;
/****************************** read from SSL */
if((read_wants_read && (ssl_can_rd || SSL_pending(c->ssl))) ||
/* it may be possible to read some pending data after
* writesocket() above made some room in c->ssl_buff */
(read_wants_write && ssl_can_wr)) {
read_wants_write=0;
num=SSL_read(c->ssl, c->ssl_buff+c->ssl_ptr, BUFFSIZE-c->ssl_ptr);
switch(err=SSL_get_error(c->ssl, num)) {
case SSL_ERROR_NONE:
c->ssl_ptr+=num;
watchdog=0; /* reset watchdog */
break;
case SSL_ERROR_WANT_WRITE:
s_log(LOG_DEBUG, "SSL_read returned WANT_WRITE: retrying");
read_wants_write=1;
break;
case SSL_ERROR_WANT_READ: /* nothing unexpected */
break;
case SSL_ERROR_WANT_X509_LOOKUP:
s_log(LOG_DEBUG,
"SSL_read returned WANT_X509_LOOKUP: retrying");
break;
case SSL_ERROR_SYSCALL:
if(!num) { /* EOF */
if(c->sock_ptr) {
s_log(LOG_ERR,
"SSL socket closed on SSL_read "
"with %d byte(s) in buffer",
c->sock_ptr);
longjmp(c->err, 1); /* reset the socket */
}
s_log(LOG_DEBUG, "SSL socket closed on SSL_read");
ssl_open_rd=ssl_open_wr=0; /* buggy peer: no close_notify */
} else
parse_socket_error(c, "SSL_read");
break;
case SSL_ERROR_ZERO_RETURN: /* close_notify received */
s_log(LOG_DEBUG, "SSL closed on SSL_read");
ssl_open_rd=0;
if(!strcmp(SSL_get_version(c->ssl), "SSLv2"))
ssl_open_wr=0;
break;
case SSL_ERROR_SSL:
sslerror("SSL_read");
longjmp(c->err, 1);
default:
s_log(LOG_ERR, "SSL_read/SSL_get_error returned %d", err);
longjmp(c->err, 1);
}
}
/****************************** write to SSL */
if((write_wants_read && ssl_can_rd) ||
(write_wants_write && ssl_can_wr)) {
write_wants_read=0;
num=SSL_write(c->ssl, c->sock_buff, c->sock_ptr);
switch(err=SSL_get_error(c->ssl, num)) {
case SSL_ERROR_NONE:
memmove(c->sock_buff, c->sock_buff+num, c->sock_ptr-num);
c->sock_ptr-=num;
c->ssl_bytes+=num;
watchdog=0; /* reset watchdog */
break;
case SSL_ERROR_WANT_WRITE: /* nothing unexpected */
break;
case SSL_ERROR_WANT_READ:
s_log(LOG_DEBUG, "SSL_write returned WANT_READ: retrying");
write_wants_read=1;
break;
case SSL_ERROR_WANT_X509_LOOKUP:
s_log(LOG_DEBUG,
"SSL_write returned WANT_X509_LOOKUP: retrying");
break;
case SSL_ERROR_SYSCALL: /* socket error */
if(!num) { /* EOF */
if(c->sock_ptr) {
s_log(LOG_ERR,
"SSL socket closed on SSL_write "
"with %d byte(s) in buffer",
c->sock_ptr);
longjmp(c->err, 1); /* reset the socket */
}
s_log(LOG_DEBUG, "SSL socket closed on SSL_write");
ssl_open_rd=ssl_open_wr=0; /* buggy peer: no close_notify */
} else
parse_socket_error(c, "SSL_write");
break;
case SSL_ERROR_ZERO_RETURN: /* close_notify received */
s_log(LOG_DEBUG, "SSL closed on SSL_write");
ssl_open_rd=0;
if(!strcmp(SSL_get_version(c->ssl), "SSLv2"))
ssl_open_wr=0;
break;
case SSL_ERROR_SSL:
sslerror("SSL_write");
longjmp(c->err, 1);
default:
s_log(LOG_ERR, "SSL_write/SSL_get_error returned %d", err);
longjmp(c->err, 1);
}
}
/****************************** check write shutdown conditions */
if(sock_open_wr && !ssl_open_rd && !c->ssl_ptr) {
s_log(LOG_DEBUG, "Sending socket write shutdown");
sock_open_wr=0; /* no further write allowed */
shutdown(c->sock_wfd->fd, SHUT_WR); /* send TCP FIN */
}
if(ssl_open_wr && !sock_open_rd && !c->sock_ptr) {
s_log(LOG_DEBUG, "Sending SSL write shutdown");
ssl_open_wr=0; /* no further write allowed */
if(strcmp(SSL_get_version(c->ssl), "SSLv2")) { /* SSLv3, TLSv1 */
shutdown_wants_write=1; /* initiate close_notify */
} else { /* no alerts in SSLv2 including close_notify alert */
shutdown(c->sock_rfd->fd, SHUT_RD); /* notify the kernel */
shutdown(c->sock_wfd->fd, SHUT_WR); /* send TCP FIN */
SSL_set_shutdown(c->ssl, /* notify the OpenSSL library */
SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
ssl_open_rd=0; /* no further read allowed */
}
}
/****************************** check watchdog */
if(++watchdog>100) { /* loop executes without transferring any data */
s_log(LOG_ERR,
"transfer() loop executes not transferring any data");
s_log(LOG_ERR,
"please report the problem to [email protected]");
stunnel_info(LOG_ERR);
s_log(LOG_ERR, "protocol=%s, SSL_pending=%d",
SSL_get_version(c->ssl), SSL_pending(c->ssl));
s_log(LOG_ERR, "sock_open_rd=%s, sock_open_wr=%s, "
"ssl_open_rd=%s, ssl_open_wr=%s",
sock_open_rd ? "Y" : "n", sock_open_wr ? "Y" : "n",
ssl_open_rd ? "Y" : "n", ssl_open_wr ? "Y" : "n");
s_log(LOG_ERR, "sock_can_rd=%s, sock_can_wr=%s, "
"ssl_can_rd=%s, ssl_can_wr=%s",
sock_can_rd ? "Y" : "n", sock_can_wr ? "Y" : "n",
ssl_can_rd ? "Y" : "n", ssl_can_wr ? "Y" : "n");
s_log(LOG_ERR, "read_wants_read=%s, read_wants_write=%s",
read_wants_read ? "Y" : "n",
read_wants_write ? "Y" : "n");
s_log(LOG_ERR, "write_wants_read=%s, write_wants_write=%s",
write_wants_read ? "Y" : "n",
write_wants_write ? "Y" : "n");
s_log(LOG_ERR, "shutdown_wants_read=%s, shutdown_wants_write=%s",
shutdown_wants_read ? "Y" : "n",
shutdown_wants_write ? "Y" : "n");
s_log(LOG_ERR, "socket input buffer: %d byte(s), "
"ssl input buffer: %d byte(s)", c->sock_ptr, c->ssl_ptr);
longjmp(c->err, 1);
}
} while(sock_open_wr || ssl_open_wr ||
shutdown_wants_read || shutdown_wants_write);
}
int s_time_main(int argc, char **argv)
{
char buf[1024 * 8];
SSL *scon = NULL;
SSL_CTX *ctx = NULL;
const SSL_METHOD *meth = NULL;
char *CApath = NULL, *CAfile = NULL, *cipher = NULL, *ciphersuites = NULL;
char *www_path = NULL;
char *host = SSL_CONNECT_NAME, *certfile = NULL, *keyfile = NULL, *prog;
double totalTime = 0.0;
int noCApath = 0, noCAfile = 0;
int maxtime = SECONDS, nConn = 0, perform = 3, ret = 1, i, st_bugs = 0;
long bytes_read = 0, finishtime = 0;
OPTION_CHOICE o;
int max_version = 0, ver, buf_len;
size_t buf_size;
meth = TLS_client_method();
prog = opt_init(argc, argv, s_time_options);
while ((o = opt_next()) != OPT_EOF) {
switch (o) {
case OPT_EOF:
case OPT_ERR:
opthelp:
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
goto end;
case OPT_HELP:
opt_help(s_time_options);
ret = 0;
goto end;
case OPT_CONNECT:
host = opt_arg();
break;
case OPT_REUSE:
perform = 2;
break;
case OPT_NEW:
perform = 1;
break;
case OPT_VERIFY:
if (!opt_int(opt_arg(), &verify_args.depth))
goto opthelp;
BIO_printf(bio_err, "%s: verify depth is %d\n",
prog, verify_args.depth);
break;
case OPT_CERT:
certfile = opt_arg();
break;
case OPT_NAMEOPT:
if (!set_nameopt(opt_arg()))
goto end;
break;
case OPT_KEY:
keyfile = opt_arg();
break;
case OPT_CAPATH:
CApath = opt_arg();
break;
case OPT_CAFILE:
CAfile = opt_arg();
break;
case OPT_NOCAPATH:
noCApath = 1;
break;
case OPT_NOCAFILE:
noCAfile = 1;
break;
case OPT_CIPHER:
cipher = opt_arg();
break;
case OPT_CIPHERSUITES:
ciphersuites = opt_arg();
break;
case OPT_BUGS:
st_bugs = 1;
break;
case OPT_TIME:
if (!opt_int(opt_arg(), &maxtime))
goto opthelp;
break;
case OPT_WWW:
www_path = opt_arg();
buf_size = strlen(www_path) + fmt_http_get_cmd_size;
if (buf_size > sizeof(buf)) {
BIO_printf(bio_err, "%s: -www option is too long\n", prog);
goto end;
}
break;
case OPT_SSL3:
max_version = SSL3_VERSION;
break;
}
}
argc = opt_num_rest();
if (argc != 0)
goto opthelp;
if (cipher == NULL)
cipher = getenv("SSL_CIPHER");
if ((ctx = SSL_CTX_new(meth)) == NULL)
goto end;
SSL_CTX_set_mode(ctx, SSL_MODE_AUTO_RETRY);
SSL_CTX_set_quiet_shutdown(ctx, 1);
if (SSL_CTX_set_max_proto_version(ctx, max_version) == 0)
goto end;
if (st_bugs)
SSL_CTX_set_options(ctx, SSL_OP_ALL);
if (cipher != NULL && !SSL_CTX_set_cipher_list(ctx, cipher))
goto end;
if (ciphersuites != NULL && !SSL_CTX_set_ciphersuites(ctx, ciphersuites))
goto end;
if (!set_cert_stuff(ctx, certfile, keyfile))
goto end;
if (!ctx_set_verify_locations(ctx, CAfile, CApath, noCAfile, noCApath)) {
ERR_print_errors(bio_err);
goto end;
}
if (!(perform & 1))
goto next;
printf("Collecting connection statistics for %d seconds\n", maxtime);
/* Loop and time how long it takes to make connections */
bytes_read = 0;
finishtime = (long)time(NULL) + maxtime;
tm_Time_F(START);
for (;;) {
if (finishtime < (long)time(NULL))
break;
if ((scon = doConnection(NULL, host, ctx)) == NULL)
goto end;
if (www_path != NULL) {
buf_len = BIO_snprintf(buf, sizeof(buf), fmt_http_get_cmd,
www_path);
if (buf_len <= 0 || SSL_write(scon, buf, buf_len) <= 0)
goto end;
while ((i = SSL_read(scon, buf, sizeof(buf))) > 0)
bytes_read += i;
}
SSL_set_shutdown(scon, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
BIO_closesocket(SSL_get_fd(scon));
nConn += 1;
if (SSL_session_reused(scon)) {
ver = 'r';
} else {
ver = SSL_version(scon);
if (ver == TLS1_VERSION)
ver = 't';
else if (ver == SSL3_VERSION)
ver = '3';
else
ver = '*';
}
fputc(ver, stdout);
fflush(stdout);
SSL_free(scon);
scon = NULL;
}
totalTime += tm_Time_F(STOP); /* Add the time for this iteration */
i = (int)((long)time(NULL) - finishtime + maxtime);
printf
("\n\n%d connections in %.2fs; %.2f connections/user sec, bytes read %ld\n",
nConn, totalTime, ((double)nConn / totalTime), bytes_read);
printf
("%d connections in %ld real seconds, %ld bytes read per connection\n",
nConn, (long)time(NULL) - finishtime + maxtime, bytes_read / nConn);
/*
* Now loop and time connections using the same session id over and over
*/
next:
if (!(perform & 2))
goto end;
printf("\n\nNow timing with session id reuse.\n");
/* Get an SSL object so we can reuse the session id */
if ((scon = doConnection(NULL, host, ctx)) == NULL) {
BIO_printf(bio_err, "Unable to get connection\n");
goto end;
}
if (www_path != NULL) {
buf_len = BIO_snprintf(buf, sizeof(buf), fmt_http_get_cmd, www_path);
if (buf_len <= 0 || SSL_write(scon, buf, buf_len) <= 0)
goto end;
while ((i = SSL_read(scon, buf, sizeof(buf))) > 0)
continue;
}
SSL_set_shutdown(scon, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
BIO_closesocket(SSL_get_fd(scon));
nConn = 0;
totalTime = 0.0;
finishtime = (long)time(NULL) + maxtime;
printf("starting\n");
bytes_read = 0;
tm_Time_F(START);
for (;;) {
if (finishtime < (long)time(NULL))
break;
if ((doConnection(scon, host, ctx)) == NULL)
goto end;
if (www_path != NULL) {
buf_len = BIO_snprintf(buf, sizeof(buf), fmt_http_get_cmd,
www_path);
if (buf_len <= 0 || SSL_write(scon, buf, buf_len) <= 0)
goto end;
while ((i = SSL_read(scon, buf, sizeof(buf))) > 0)
bytes_read += i;
}
SSL_set_shutdown(scon, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
BIO_closesocket(SSL_get_fd(scon));
nConn += 1;
if (SSL_session_reused(scon)) {
ver = 'r';
} else {
ver = SSL_version(scon);
if (ver == TLS1_VERSION)
ver = 't';
else if (ver == SSL3_VERSION)
ver = '3';
else
ver = '*';
}
fputc(ver, stdout);
fflush(stdout);
}
totalTime += tm_Time_F(STOP); /* Add the time for this iteration */
printf
("\n\n%d connections in %.2fs; %.2f connections/user sec, bytes read %ld\n",
nConn, totalTime, ((double)nConn / totalTime), bytes_read);
printf
("%d connections in %ld real seconds, %ld bytes read per connection\n",
nConn, (long)time(NULL) - finishtime + maxtime, bytes_read / nConn);
ret = 0;
end:
SSL_free(scon);
SSL_CTX_free(ctx);
return ret;
}
int dtls_get_data (int s, SSL_CTX *ctx)
{
char *buf = NULL;
fd_set readfds;
int ret = 1, width = 0;
int i = 0;
SSL *con = NULL;
BIO *sbio = NULL;
int bufsize = BUFSIZ;
bio_err = BIO_new_fp (stderr, BIO_NOCLOSE);
bio_s_out = BIO_new_fp (stderr, BIO_NOCLOSE);
if ((buf = OPENSSL_malloc (bufsize)) == NULL)
{
BIO_printf (bio_err, "out of memory\n");
goto ERR;
}
if (con == NULL)
{
con = SSL_new(ctx);
}
SSL_clear (con);
if (SSL_version (con) == DTLS1_VERSION)
{
struct timeval timeout;
sbio = BIO_new_dgram (s, BIO_NOCLOSE);
timeout.tv_sec = 5;
timeout.tv_usec = 0;
BIO_ctrl (sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
timeout.tv_sec = 5;
timeout.tv_usec = 0;
BIO_ctrl (sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
/* want to do MTU discovery */
BIO_ctrl (sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL);
/* turn on cookie exchange */
SSL_set_options (con, SSL_OP_COOKIE_EXCHANGE);
// fprintf (stderr, "%s: %s(): DTLSv1 Initialization done\n", __FILE__, __func__);
}
SSL_set_bio (con, sbio, sbio);
SSL_set_accept_state (con);
/* SSL_set_fd(con,s); */
width = s + 1;
for (;;)
{
int read_from_terminal;
int read_from_sslcon;
read_from_terminal = 0;
read_from_sslcon = SSL_pending (con);
if (!read_from_sslcon)
{
struct timeval tv;
FD_ZERO(&readfds);
FD_SET(s, &readfds);
tv.tv_sec = 1;
tv.tv_usec = 0;
i = select(width, (void *)&readfds, NULL, NULL, &tv);
if (i < 0)
{
continue;
}
if (FD_ISSET (s, &readfds))
{
read_from_sslcon = 1;
}
else
{
ret = 2;
goto shut;
}
}
if (read_from_sslcon)
{
if (!SSL_is_init_finished(con))
{
i = init_ssl_connection(con);
if (i < 0)
{
ret = 0;
goto ERR;
}
else if (i == 0)
{
ret = 1;
goto ERR;
}
}
else
{
AGAIN:
i = SSL_read (con, (char *) buf, bufsize);
switch (SSL_get_error (con, i))
{
case SSL_ERROR_NONE:
write (fileno (stdout), buf, (unsigned int) i);
if (SSL_pending(con))
{
fprintf (stderr, "%s: %s(): Some more seems to be coming... "\
"letz wait for that\n", __FILE__, __func__);
goto AGAIN;
}
else
fprintf (stderr, "%s(): Hey, itz all over boss... do finishing "\
"ceremony\n", __func__);
ret = 0;
goto ERR;
case SSL_ERROR_WANT_WRITE:
case SSL_ERROR_WANT_READ:
case SSL_ERROR_WANT_X509_LOOKUP:
BIO_printf(bio_s_out,"Read BLOCK\n");
break;
case SSL_ERROR_SYSCALL:
case SSL_ERROR_SSL:
BIO_printf(bio_s_out,"ERROR\n");
ERR_print_errors(bio_err);
ret = 1;
goto ERR;
case SSL_ERROR_ZERO_RETURN:
BIO_printf(bio_s_out,"\nDONE\n");
ret = 0;
goto ERR;
}
}
}
}
ERR:
if (0 == ret)
{
char temp [] = "ACK from SERVER: READ SUCCESSFULLY DONE\n";
for (;;)
{
i = SSL_write (con, temp, strlen (temp));
switch (SSL_get_error (con, i))
{
case SSL_ERROR_NONE:
if (SSL_pending (con))
break;
else
goto WRITEDONE;
case SSL_ERROR_WANT_WRITE:
case SSL_ERROR_WANT_READ:
case SSL_ERROR_WANT_X509_LOOKUP:
BIO_printf (bio_s_out, "Write BLOCK\n");
break;
case SSL_ERROR_SYSCALL:
case SSL_ERROR_SSL:
BIO_printf (bio_s_out, "ERROR\n");
ERR_print_errors (bio_err);
ret = 1;
goto WRITEDONE;
case SSL_ERROR_ZERO_RETURN:
BIO_printf (bio_s_out, "\nDONE\n");
ret = 1;
goto WRITEDONE;
}
}
}
WRITEDONE:
#ifdef DEBUG
BIO_printf (bio_s_out, "shutting down SSL\n");
print_stats (bio_s_out, ctx);
#endif
#if 1
SSL_set_shutdown (con, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
#else
SSL_shutdown(con);
#endif
shut:
if (con != NULL) SSL_free (con);
if (2 != ret)
BIO_printf(bio_s_out,"CONNECTION CLOSED\n");
if (buf != NULL)
{
OPENSSL_cleanse (buf, bufsize);
OPENSSL_free (buf);
}
if ((ret >= 0) && (2 != ret))
BIO_printf (bio_s_out, "ACCEPT\n");
return(ret);
}