static void log_state (GstDtlsConnection * self, const gchar * str) { GstDtlsConnectionPrivate *priv = self->priv; guint states = 0; states |= (! !SSL_is_init_finished (priv->ssl) << 0); states |= (! !SSL_in_init (priv->ssl) << 4); states |= (! !SSL_in_before (priv->ssl) << 8); states |= (! !SSL_in_connect_init (priv->ssl) << 12); states |= (! !SSL_in_accept_init (priv->ssl) << 16); states |= (! !SSL_want_write (priv->ssl) << 20); states |= (! !SSL_want_read (priv->ssl) << 24); #if OPENSSL_VERSION_NUMBER < 0x10100001L GST_LOG_OBJECT (self, "%s: role=%s buf=(%d,%p:%d/%d) %x|%x %s", str, priv->is_client ? "client" : "server", pqueue_size (priv->ssl->d1->sent_messages), priv->bio_buffer, priv->bio_buffer_offset, priv->bio_buffer_len, states, SSL_get_state (priv->ssl), SSL_state_string_long (priv->ssl)); #else GST_LOG_OBJECT (self, "%s: role=%s buf=(%p:%d/%d) %x|%x %s", str, priv->is_client ? "client" : "server", priv->bio_buffer, priv->bio_buffer_offset, priv->bio_buffer_len, states, SSL_get_state (priv->ssl), SSL_state_string_long (priv->ssl)); #endif }
int ACE_SSL_SOCK_Acceptor::ssl_accept (ACE_SSL_SOCK_Stream &new_stream) const { if (SSL_is_init_finished (new_stream.ssl ())) return 0; if (!SSL_in_accept_init (new_stream.ssl ())) ::SSL_set_accept_state (new_stream.ssl ()); int status = ::SSL_accept (new_stream.ssl ()); switch (::SSL_get_error (new_stream.ssl (), status)) { case SSL_ERROR_NONE: break; case SSL_ERROR_ZERO_RETURN: // The peer has notified us that it is shutting down via // the SSL "close_notify" message so we need to // shutdown, too. (void) new_stream.close (); return -1; default: ACE_SSL_Context::report_error (); return -1; } return 0; }
static long bio_rdp_tls_ctrl(BIO* bio, int cmd, long num, void* ptr) { BIO* ssl_rbio; BIO* ssl_wbio; BIO* next_bio; int status = -1; BIO_RDP_TLS* tls = (BIO_RDP_TLS*) BIO_get_data(bio); if (!tls) return 0; if (!tls->ssl && (cmd != BIO_C_SET_SSL)) return 0; next_bio = BIO_next(bio); ssl_rbio = tls->ssl ? SSL_get_rbio(tls->ssl) : NULL; ssl_wbio = tls->ssl ? SSL_get_wbio(tls->ssl) : NULL; switch (cmd) { case BIO_CTRL_RESET: SSL_shutdown(tls->ssl); if (SSL_in_connect_init(tls->ssl)) SSL_set_connect_state(tls->ssl); else if (SSL_in_accept_init(tls->ssl)) SSL_set_accept_state(tls->ssl); SSL_clear(tls->ssl); if (next_bio) status = BIO_ctrl(next_bio, cmd, num, ptr); else if (ssl_rbio) status = BIO_ctrl(ssl_rbio, cmd, num, ptr); else status = 1; break; case BIO_C_GET_FD: status = BIO_ctrl(ssl_rbio, cmd, num, ptr); break; case BIO_CTRL_INFO: status = 0; break; case BIO_CTRL_SET_CALLBACK: status = 0; break; case BIO_CTRL_GET_CALLBACK: *((ULONG_PTR*) ptr) = (ULONG_PTR) SSL_get_info_callback(tls->ssl); status = 1; break; case BIO_C_SSL_MODE: if (num) SSL_set_connect_state(tls->ssl); else SSL_set_accept_state(tls->ssl); status = 1; break; case BIO_CTRL_GET_CLOSE: status = BIO_get_shutdown(bio); break; case BIO_CTRL_SET_CLOSE: BIO_set_shutdown(bio, (int) num); status = 1; break; case BIO_CTRL_WPENDING: status = BIO_ctrl(ssl_wbio, cmd, num, ptr); break; case BIO_CTRL_PENDING: status = SSL_pending(tls->ssl); if (status == 0) status = BIO_pending(ssl_rbio); break; case BIO_CTRL_FLUSH: BIO_clear_retry_flags(bio); status = BIO_ctrl(ssl_wbio, cmd, num, ptr); BIO_copy_next_retry(bio); status = 1; break; case BIO_CTRL_PUSH: if (next_bio && (next_bio != ssl_rbio)) { #if OPENSSL_VERSION_NUMBER < 0x10100000L SSL_set_bio(tls->ssl, next_bio, next_bio); CRYPTO_add(&(bio->next_bio->references), 1, CRYPTO_LOCK_BIO); #else /* * We are going to pass ownership of next to the SSL object...but * we don't own a reference to pass yet - so up ref */ BIO_up_ref(next_bio); SSL_set_bio(tls->ssl, next_bio, next_bio); #endif } status = 1; break; case BIO_CTRL_POP: /* Only detach if we are the BIO explicitly being popped */ if (bio == ptr) { if (ssl_rbio != ssl_wbio) BIO_free_all(ssl_wbio); #if OPENSSL_VERSION_NUMBER < 0x10100000L if (next_bio) CRYPTO_add(&(bio->next_bio->references), -1, CRYPTO_LOCK_BIO); tls->ssl->wbio = tls->ssl->rbio = NULL; #else /* OpenSSL 1.1: This will also clear the reference we obtained during push */ SSL_set_bio(tls->ssl, NULL, NULL); #endif } status = 1; break; case BIO_C_GET_SSL: if (ptr) { *((SSL**) ptr) = tls->ssl; status = 1; } break; case BIO_C_SET_SSL: BIO_set_shutdown(bio, (int) num); if (ptr) { tls->ssl = (SSL*) ptr; ssl_rbio = SSL_get_rbio(tls->ssl); ssl_wbio = SSL_get_wbio(tls->ssl); } if (ssl_rbio) { if (next_bio) BIO_push(ssl_rbio, next_bio); BIO_set_next(bio, ssl_rbio); #if OPENSSL_VERSION_NUMBER < 0x10100000L CRYPTO_add(&(ssl_rbio->references), 1, CRYPTO_LOCK_BIO); #else BIO_up_ref(ssl_rbio); #endif } BIO_set_init(bio, 1); status = 1; break; case BIO_C_DO_STATE_MACHINE: BIO_clear_flags(bio, BIO_FLAGS_READ | BIO_FLAGS_WRITE | BIO_FLAGS_IO_SPECIAL); BIO_set_retry_reason(bio, 0); status = SSL_do_handshake(tls->ssl); if (status <= 0) { switch (SSL_get_error(tls->ssl, status)) { case SSL_ERROR_WANT_READ: BIO_set_flags(bio, BIO_FLAGS_READ | BIO_FLAGS_SHOULD_RETRY); break; case SSL_ERROR_WANT_WRITE: BIO_set_flags(bio, BIO_FLAGS_WRITE | BIO_FLAGS_SHOULD_RETRY); break; case SSL_ERROR_WANT_CONNECT: BIO_set_flags(bio, BIO_FLAGS_IO_SPECIAL | BIO_FLAGS_SHOULD_RETRY); BIO_set_retry_reason(bio, BIO_get_retry_reason(next_bio)); break; default: BIO_clear_flags(bio, BIO_FLAGS_SHOULD_RETRY); break; } } break; default: status = BIO_ctrl(ssl_rbio, cmd, num, ptr); break; } return status; }
int ACE_SSL_SOCK_Acceptor::ssl_accept (ACE_SSL_SOCK_Stream &new_stream, ACE_Time_Value *timeout) const { SSL *ssl = new_stream.ssl (); if (SSL_is_init_finished (ssl)) return 0; if (!SSL_in_accept_init (ssl)) ::SSL_set_accept_state (ssl); // Register an event handler to complete the non-blocking SSL // accept. A specialized event handler is necessary since since // the ACE Acceptor strategies are not designed for protocols // that require additional handshakes after the initial accept. ACE_SSL_Accept_Handler eh (new_stream); const ACE_Reactor_Mask reactor_mask = ACE_Event_Handler::READ_MASK | ACE_Event_Handler::WRITE_MASK; // In case a thread other than the one running the Reactor event // loop performs the passive SSL connection establishment, transfer // ownership of the Reactor to the current thread. Control will be // passed back to the previous owner when accepting or rejecting the // passive SSL connection. ACE_thread_t old_owner; if (this->reactor_->owner (ACE_Thread::self (), &old_owner) != 0) return -1; // Failed to transfer ownership! Should never happen! if (this->reactor_->register_handler ( new_stream.get_handle (), &eh, reactor_mask) == -1) return -1; // Have the Reactor complete the SSL passive connection. Run the // event loop until the passive connection is completed. Since // the Reactor is used, this isn't a busy wait. while (!SSL_is_init_finished (ssl)) { // Before blocking in the Reactor, do an SSL_accept() in case // OpenSSL buffered additional data sent within an SSL record // during session negotiation. The buffered data must be // handled prior to entering the Reactor event loop since the // Reactor may end up waiting indefinitely for data that has // already arrived. int status = ::SSL_accept (ssl); switch (::SSL_get_error (ssl, status)) { case SSL_ERROR_NONE: break; case SSL_ERROR_WANT_WRITE: case SSL_ERROR_WANT_READ: // No data buffered by OpenSSL, so wait for data in the // Reactor. if (this->reactor_->handle_events (timeout) == -1 || new_stream.get_handle () == ACE_INVALID_HANDLE) { (void) this->reactor_->remove_handler (&eh, reactor_mask); (void) this->reactor_->owner (old_owner); return -1; } break; case SSL_ERROR_ZERO_RETURN: // The peer has notified us that it is shutting down via // the SSL "close_notify" message so we need to // shutdown, too. // // Removing the event handler from the Reactor causes the // SSL stream to be shutdown. (void) this->reactor_->remove_handler (&eh, reactor_mask); (void) this->reactor_->owner (old_owner); return -1; case SSL_ERROR_SYSCALL: // On some platforms (e.g. MS Windows) OpenSSL does not // store the last error in errno so explicitly do so. ACE_OS::set_errno_to_last_error (); default: ACE_SSL_Context::report_error (); (void) this->reactor_->remove_handler (&eh, reactor_mask); (void) this->reactor_->owner (old_owner); return -1; } } // SSL passive connection was completed. Deregister the event // handler from the Reactor, but don't close it. (void) this->reactor_->remove_handler (&eh, reactor_mask | ACE_Event_Handler::DONT_CALL); // Transfer control of the Reactor to the previous owner. return this->reactor_->owner (old_owner); }
int ACE_SSL_SOCK_Acceptor::ssl_accept (ACE_SSL_SOCK_Stream &new_stream, ACE_Time_Value *timeout) const { SSL *ssl = new_stream.ssl (); if (SSL_is_init_finished (ssl)) return 0; if (!SSL_in_accept_init (ssl)) ::SSL_set_accept_state (ssl); ACE_HANDLE handle = new_stream.get_handle (); // We're going to call SSL_accept, optionally doing ACE::select and // retrying the SSL_accept, until the SSL handshake is done or // it fails. // To get the timeout affect, set the socket to nonblocking mode // before beginning if there is a timeout specified. If the timeout // is 0 (wait as long as it takes) then don't worry about the blocking // status; we'll block in SSL_accept if the socket is blocking, and // block in ACE::select if not. int reset_blocking_mode = 0; if (timeout != 0) { reset_blocking_mode = ACE_BIT_DISABLED (ACE::get_flags (handle), ACE_NONBLOCK); // Set the handle into non-blocking mode if it's not already // in it. if (reset_blocking_mode && ACE::set_flags (handle, ACE_NONBLOCK) == -1) return -1; } // Take into account the time between each select() call below. ACE_Countdown_Time countdown (timeout); int status; do { // These handle sets are used to set up for whatever SSL_accept // says it wants next. They're reset on each pass around the loop. ACE_Handle_Set rd_handle; ACE_Handle_Set wr_handle; status = ::SSL_accept (ssl); switch (::SSL_get_error (ssl, status)) { case SSL_ERROR_NONE: status = 0; // To tell caller about success break; // Done case SSL_ERROR_WANT_WRITE: wr_handle.set_bit (handle); status = 1; // Wait for more activity break; case SSL_ERROR_WANT_READ: rd_handle.set_bit (handle); status = 1; // Wait for more activity break; case SSL_ERROR_ZERO_RETURN: // The peer has notified us that it is shutting down via // the SSL "close_notify" message so we need to // shutdown, too. status = -1; break; case SSL_ERROR_SYSCALL: // On some platforms (e.g. MS Windows) OpenSSL does not // store the last error in errno so explicitly do so. // // Explicitly check for EWOULDBLOCK since it doesn't get // converted to an SSL_ERROR_WANT_{READ,WRITE} on some // platforms. If SSL_accept failed outright, though, don't // bother checking more. This can happen if the socket gets // closed during the handshake. if (ACE_OS::set_errno_to_last_error () == EWOULDBLOCK && status == -1) { // Although the SSL_ERROR_WANT_READ/WRITE isn't getting // set correctly, the read/write state should be valid. // Use that to decide what to do. status = 1; // Wait for more activity if (SSL_want_write (ssl)) wr_handle.set_bit (handle); else if (SSL_want_read (ssl)) rd_handle.set_bit (handle); else status = -1; // Doesn't want anything - bail out } else status = -1; break; default: ACE_SSL_Context::report_error (); status = -1; break; } if (status == 1) { // Must have at least one handle to wait for at this point. ACE_ASSERT (rd_handle.num_set() == 1 || wr_handle.num_set () == 1); status = ACE::select (int (handle) + 1, &rd_handle, &wr_handle, 0, timeout); (void) countdown.update (); // 0 is timeout, so we're done. // -1 is error, so we're done. // Could be both handles set (same handle in both masks) so // set to 1. if (status >= 1) status = 1; else // Timeout or failure status = -1; } } while (status == 1 && !SSL_is_init_finished (ssl)); if (reset_blocking_mode) { ACE_Errno_Guard eguard (errno); ACE::clr_flags (handle, ACE_NONBLOCK); } return (status == -1 ? -1 : 0); }