/* read/write callback that sends the requests and reads the ocsp response */ void ocsp_callback(int fd, short event, void *arg) { struct iked_ocsp *ocsp = arg; struct iked_socket *sock = ocsp->ocsp_sock; OCSP_RESPONSE *resp = NULL; /* * Only call OCSP_sendreq_nbio() if should_read/write is * either not requested or read/write can be called. */ if ((!BIO_should_read(ocsp->ocsp_cbio) || (event & EV_READ)) && (!BIO_should_write(ocsp->ocsp_cbio) || (event & EV_WRITE)) && OCSP_sendreq_nbio(&resp, ocsp->ocsp_req_ctx) != -1 ) { ocsp_parse_response(ocsp, resp); return; } if (BIO_should_read(ocsp->ocsp_cbio)) event_set(&sock->sock_ev, sock->sock_fd, EV_READ, ocsp_callback, ocsp); else if (BIO_should_write(ocsp->ocsp_cbio)) event_set(&sock->sock_ev, sock->sock_fd, EV_WRITE, ocsp_callback, ocsp); event_add(&sock->sock_ev, NULL); }
static int transport_bio_buffered_write(BIO* bio, const char* buf, int num) { int i, ret; int status; int nchunks; int committedBytes; DataChunk chunks[2]; WINPR_BIO_BUFFERED_SOCKET* ptr = (WINPR_BIO_BUFFERED_SOCKET*) bio->ptr; ret = num; ptr->writeBlocked = FALSE; BIO_clear_flags(bio, BIO_FLAGS_WRITE); /* we directly append extra bytes in the xmit buffer, this could be prevented * but for now it makes the code more simple. */ if (buf && num && !ringbuffer_write(&ptr->xmitBuffer, (const BYTE*) buf, num)) { WLog_ERR(TAG, "an error occured when writing (num: %d)", num); return -1; } committedBytes = 0; nchunks = ringbuffer_peek(&ptr->xmitBuffer, chunks, ringbuffer_used(&ptr->xmitBuffer)); for (i = 0; i < nchunks; i++) { while (chunks[i].size) { status = BIO_write(bio->next_bio, chunks[i].data, chunks[i].size); if (status <= 0) { if (!BIO_should_retry(bio->next_bio)) { BIO_clear_flags(bio, BIO_FLAGS_SHOULD_RETRY); ret = -1; /* fatal error */ goto out; } if (BIO_should_write(bio->next_bio)) { BIO_set_flags(bio, BIO_FLAGS_WRITE); ptr->writeBlocked = TRUE; goto out; /* EWOULDBLOCK */ } } committedBytes += status; chunks[i].size -= status; chunks[i].data += status; } } out: ringbuffer_commit_read_bytes(&ptr->xmitBuffer, committedBytes); return ret; }
static int transport_bio_buffered_write(BIO* bio, const char* buf, int num) { int status, ret; rdpTcp* tcp = (rdpTcp*) bio->ptr; int nchunks, committedBytes, i; DataChunk chunks[2]; ret = num; tcp->writeBlocked = FALSE; BIO_clear_flags(bio, BIO_FLAGS_WRITE); /* we directly append extra bytes in the xmit buffer, this could be prevented * but for now it makes the code more simple. */ if (buf && num && !ringbuffer_write(&tcp->xmitBuffer, (const BYTE*) buf, num)) { fprintf(stderr, "%s: an error occured when writing(toWrite=%d)\n", __FUNCTION__, num); return -1; } committedBytes = 0; nchunks = ringbuffer_peek(&tcp->xmitBuffer, chunks, ringbuffer_used(&tcp->xmitBuffer)); for (i = 0; i < nchunks; i++) { while (chunks[i].size) { status = BIO_write(bio->next_bio, chunks[i].data, chunks[i].size); if (status <= 0) { if (!BIO_should_retry(bio->next_bio)) { BIO_clear_flags(bio, BIO_FLAGS_SHOULD_RETRY); ret = -1; /* fatal error */ goto out; } if (BIO_should_write(bio->next_bio)) { BIO_set_flags(bio, BIO_FLAGS_WRITE); tcp->writeBlocked = TRUE; goto out; /* EWOULDBLOCK */ } } committedBytes += status; chunks[i].size -= status; chunks[i].data += status; } } out: ringbuffer_commit_read_bytes(&tcp->xmitBuffer, committedBytes); return ret; }
static OCSP_RESPONSE *ocsp_get_response(CLI *c, OCSP_REQUEST *req) { BIO *bio=NULL; OCSP_REQ_CTX *req_ctx=NULL; OCSP_RESPONSE *resp=NULL; int err; /* connect specified OCSP server (responder) */ c->fd=s_socket(c->opt->ocsp_addr.sa.sa_family, SOCK_STREAM, 0, 1, "OCSP: socket (auth_user)"); if(c->fd<0) goto cleanup; if(connect_blocking(c, &c->opt->ocsp_addr, addr_len(&c->opt->ocsp_addr))) goto cleanup; bio=BIO_new_fd(c->fd, BIO_NOCLOSE); if(!bio) goto cleanup; s_log(LOG_DEBUG, "OCSP: server connected"); /* OCSP protocol communication loop */ req_ctx=OCSP_sendreq_new(bio, c->opt->ocsp_path, req, -1); if(!req_ctx) { sslerror("OCSP: OCSP_sendreq_new"); goto cleanup; } while(OCSP_sendreq_nbio(&resp, req_ctx)==-1) { s_poll_init(c->fds); s_poll_add(c->fds, c->fd, BIO_should_read(bio), BIO_should_write(bio)); err=s_poll_wait(c->fds, c->opt->timeout_busy, 0); if(err==-1) sockerror("OCSP: s_poll_wait"); if(err==0) s_log(LOG_INFO, "OCSP: s_poll_wait: TIMEOUTbusy exceeded"); if(err<=0) goto cleanup; } /* s_log(LOG_DEBUG, "OCSP: context state: 0x%x", *(int *)req_ctx); */ /* http://www.mail-archive.com/[email protected]/msg61691.html */ if(!resp) { if(ERR_peek_error()) sslerror("OCSP: OCSP_sendreq_nbio"); else /* OpenSSL error: OCSP_sendreq_nbio does not use OCSPerr */ s_log(LOG_ERR, "OCSP: OCSP_sendreq_nbio: OpenSSL internal error"); } cleanup: if(req_ctx) OCSP_REQ_CTX_free(req_ctx); if(bio) BIO_free_all(bio); if(c->fd>=0) { closesocket(c->fd); c->fd=-1; /* avoid double close on cleanup */ } return resp; }
static LUA_FUNCTION(openssl_bio_retry) { BIO* bio = CHECK_OBJECT(1, BIO, "openssl.bio"); int retry = BIO_should_retry(bio); if (retry) { lua_pushboolean(L, 1); lua_pushboolean(L, BIO_should_read(bio)); lua_pushboolean(L, BIO_should_write(bio)); lua_pushboolean(L, BIO_should_io_special(bio)); return 4; } else lua_pushboolean(L, 0); return 1; }
/* Return -1 on hard error (abort), 0 on timeout, >= 1 on successful wakeup */ static int _BIO_wait(BIO *cbio, int msecs) { int result; if (!BIO_should_retry(cbio)) { return (-1); } struct pollfd pfd; BIO_get_fd(cbio, &pfd.fd); pfd.events = 0; pfd.revents = 0; if (BIO_should_io_special(cbio)) { pfd.events = POLLOUT | POLLWRBAND; } else if (BIO_should_read(cbio)) { pfd.events = POLLIN | POLLPRI | POLLRDBAND; } else if (BIO_should_write(cbio)) { pfd.events = POLLOUT | POLLWRBAND; } else { return (-1); } if (msecs < 0) { /* POSIX requires -1 for "no timeout" although some libcs accept any negative value. */ msecs = -1; } do { result = poll(&pfd, 1, msecs); } while (result == -1 && errno == EINTR); /* Timeout or poll internal error */ if (result <= 0) { return (result); } if (pfd.revents & POLLERR) { return -1; } /* Return 1 if the event was not an error */ return (pfd.revents & pfd.events ? 1 : -1); }
/* * Handle errors raised by BIO functions. * * Arguments: bio - The BIO object * ret - The return value of the BIO_ function. * Returns: None, the calling function should return NULL; */ static void handle_bio_errors(BIO* bio, int ret) { if (BIO_should_retry(bio)) { if (BIO_should_read(bio)) { PyErr_SetNone(ssl_WantReadError); } else if (BIO_should_write(bio)) { PyErr_SetNone(ssl_WantWriteError); } else if (BIO_should_io_special(bio)) { /* * It's somewhat unclear what this means. From the OpenSSL source, * it seems like it should not be triggered by the memory BIO, so * for the time being, this case shouldn't come up. The SSL BIO * (which I think should be named the socket BIO) may trigger this * case if its socket is not yet connected or it is busy doing * something related to x509. */ PyErr_SetString(PyExc_ValueError, "BIO_should_io_special"); } else { /* * I hope this is dead code. The BIO documentation suggests that * one of the above three checks should always be true. */ PyErr_SetString(PyExc_ValueError, "unknown bio failure"); } } else { /* * If we aren't to retry, it's really an error, so fall back to the * normal error reporting code. However, the BIO interface does not * specify a uniform error reporting mechanism. We can only hope that * the code which triggered the error also kindly pushed something onto * the error stack. */ exception_from_error_queue(ssl_Error); } }
int doit(char *ctx[4]) { SSL_CTX *s_ctx, *c_ctx; static char cbuf[200], sbuf[200]; SSL *c_ssl = NULL; SSL *s_ssl = NULL; BIO *c_to_s = NULL; BIO *s_to_c = NULL; BIO *c_bio = NULL; BIO *s_bio = NULL; int c_r, c_w, s_r, s_w; int c_want, s_want; int i; int done = 0; int c_write, s_write; int do_server = 0, do_client = 0; s_ctx = (SSL_CTX *)ctx[0]; c_ctx = (SSL_CTX *)ctx[1]; if (ctx[2] != NULL) s_ssl = (SSL *)ctx[2]; else s_ssl = SSL_new(s_ctx); if (ctx[3] != NULL) c_ssl = (SSL *)ctx[3]; else c_ssl = SSL_new(c_ctx); if ((s_ssl == NULL) || (c_ssl == NULL)) goto err; c_to_s = BIO_new(BIO_s_mem()); s_to_c = BIO_new(BIO_s_mem()); if ((s_to_c == NULL) || (c_to_s == NULL)) goto err; c_bio = BIO_new(BIO_f_ssl()); s_bio = BIO_new(BIO_f_ssl()); if ((c_bio == NULL) || (s_bio == NULL)) goto err; SSL_set_connect_state(c_ssl); SSL_set_bio(c_ssl, s_to_c, c_to_s); BIO_set_ssl(c_bio, c_ssl, (ctx[2] == NULL) ? BIO_CLOSE : BIO_NOCLOSE); SSL_set_accept_state(s_ssl); SSL_set_bio(s_ssl, c_to_s, s_to_c); BIO_set_ssl(s_bio, s_ssl, (ctx[3] == NULL) ? BIO_CLOSE : BIO_NOCLOSE); c_r = 0; s_r = 1; c_w = 1; s_w = 0; c_want = W_WRITE; s_want = 0; c_write = 1, s_write = 0; /* We can always do writes */ for (;;) { do_server = 0; do_client = 0; i = (int)BIO_pending(s_bio); if ((i && s_r) || s_w) do_server = 1; i = (int)BIO_pending(c_bio); if ((i && c_r) || c_w) do_client = 1; if (do_server && verbose) { if (SSL_in_init(s_ssl)) printf("server waiting in SSL_accept - %s\n", SSL_state_string_long(s_ssl)); else if (s_write) printf("server:SSL_write()\n"); else printf("server:SSL_read()\n"); } if (do_client && verbose) { if (SSL_in_init(c_ssl)) printf("client waiting in SSL_connect - %s\n", SSL_state_string_long(c_ssl)); else if (c_write) printf("client:SSL_write()\n"); else printf("client:SSL_read()\n"); } if (!do_client && !do_server) { fprintf(stdout, "ERROR IN STARTUP\n"); break; } if (do_client && !(done & C_DONE)) { if (c_write) { i = BIO_write(c_bio, "hello from client\n", 18); if (i < 0) { c_r = 0; c_w = 0; if (BIO_should_retry(c_bio)) { if (BIO_should_read(c_bio)) c_r = 1; if (BIO_should_write(c_bio)) c_w = 1; } else { fprintf(stderr, "ERROR in CLIENT\n"); ERR_print_errors_fp(stderr); return (1); } } else if (i == 0) { fprintf(stderr, "SSL CLIENT STARTUP FAILED\n"); return (1); } else { /* ok */ c_write = 0; } } else { i = BIO_read(c_bio, cbuf, 100); if (i < 0) { c_r = 0; c_w = 0; if (BIO_should_retry(c_bio)) { if (BIO_should_read(c_bio)) c_r = 1; if (BIO_should_write(c_bio)) c_w = 1; } else { fprintf(stderr, "ERROR in CLIENT\n"); ERR_print_errors_fp(stderr); return (1); } } else if (i == 0) { fprintf(stderr, "SSL CLIENT STARTUP FAILED\n"); return (1); } else { done |= C_DONE; #ifdef undef fprintf(stdout, "CLIENT:from server:"); fwrite(cbuf, 1, i, stdout); fflush(stdout); #endif } } } if (do_server && !(done & S_DONE)) { if (!s_write) { i = BIO_read(s_bio, sbuf, 100); if (i < 0) { s_r = 0; s_w = 0; if (BIO_should_retry(s_bio)) { if (BIO_should_read(s_bio)) s_r = 1; if (BIO_should_write(s_bio)) s_w = 1; } else { fprintf(stderr, "ERROR in SERVER\n"); ERR_print_errors_fp(stderr); return (1); } } else if (i == 0) { fprintf(stderr, "SSL SERVER STARTUP FAILED\n"); return (1); } else { s_write = 1; s_w = 1; #ifdef undef fprintf(stdout, "SERVER:from client:"); fwrite(sbuf, 1, i, stdout); fflush(stdout); #endif } } else { i = BIO_write(s_bio, "hello from server\n", 18); if (i < 0) { s_r = 0; s_w = 0; if (BIO_should_retry(s_bio)) { if (BIO_should_read(s_bio)) s_r = 1; if (BIO_should_write(s_bio)) s_w = 1; } else { fprintf(stderr, "ERROR in SERVER\n"); ERR_print_errors_fp(stderr); return (1); } } else if (i == 0) { fprintf(stderr, "SSL SERVER STARTUP FAILED\n"); return (1); } else { s_write = 0; s_r = 1; done |= S_DONE; } } } if ((done & S_DONE) && (done & C_DONE)) break; #if defined(OPENSSL_SYS_NETWARE) ThreadSwitchWithDelay(); #endif } SSL_set_shutdown(c_ssl, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN); SSL_set_shutdown(s_ssl, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN); #ifdef undef fprintf(stdout, "DONE\n"); #endif err: /* * We have to set the BIO's to NULL otherwise they will be free()ed * twice. Once when th s_ssl is SSL_free()ed and again when c_ssl is * SSL_free()ed. This is a hack required because s_ssl and c_ssl are * sharing the same BIO structure and SSL_set_bio() and SSL_free() * automatically BIO_free non NULL entries. You should not normally do * this or be required to do this */ if (s_ssl != NULL) { s_ssl->rbio = NULL; s_ssl->wbio = NULL; } if (c_ssl != NULL) { c_ssl->rbio = NULL; c_ssl->wbio = NULL; } /* The SSL's are optionally freed in the following calls */ if (c_to_s != NULL) BIO_free(c_to_s); if (s_to_c != NULL) BIO_free(s_to_c); if (c_bio != NULL) BIO_free(c_bio); if (s_bio != NULL) BIO_free(s_bio); return (0); }
// take data from the network, and pass it into SSL. Attempt to read decrypted data from // SSL socket and pass it to the application. static ssize_t process_input_ssl( pn_transport_t *transport, unsigned int layer, const char *input_data, size_t available) { pni_ssl_t *ssl = transport->ssl; if (ssl->ssl == NULL && init_ssl_socket(transport, ssl)) return PN_EOS; ssl_log( transport, "process_input_ssl( data size=%d )",available ); ssize_t consumed = 0; bool work_pending; bool shutdown_input = (available == 0); // caller is closed do { work_pending = false; // Write to network bio as much as possible, consuming bytes/available if (available > 0) { int written = BIO_write( ssl->bio_net_io, input_data, available ); if (written > 0) { input_data += written; available -= written; consumed += written; ssl->read_blocked = false; work_pending = (available > 0); ssl_log( transport, "Wrote %d bytes to BIO Layer, %d left over", written, available ); } } else if (shutdown_input) { // lower layer (caller) has closed. Close the WRITE side of the BIO. This will cause // an EOF to be passed to SSL once all pending inbound data has been consumed. ssl_log( transport, "Lower layer closed - shutting down BIO write side"); (void)BIO_shutdown_wr( ssl->bio_net_io ); shutdown_input = false; } // Read all available data from the SSL socket if (!ssl->ssl_closed && ssl->in_count < ssl->in_size) { int read = BIO_read( ssl->bio_ssl, &ssl->inbuf[ssl->in_count], ssl->in_size - ssl->in_count ); if (read > 0) { ssl_log( transport, "Read %d bytes from SSL socket for app", read ); ssl_log_clear_data(transport, &ssl->inbuf[ssl->in_count], read ); ssl->in_count += read; work_pending = true; } else { if (!BIO_should_retry(ssl->bio_ssl)) { int reason = SSL_get_error( ssl->ssl, read ); switch (reason) { case SSL_ERROR_ZERO_RETURN: // SSL closed cleanly ssl_log(transport, "SSL connection has closed"); start_ssl_shutdown(transport); // KAG: not sure - this may not be necessary ssl->ssl_closed = true; break; default: // unexpected error return (ssize_t)ssl_failed(transport); } } else { if (BIO_should_write( ssl->bio_ssl )) { ssl->write_blocked = true; ssl_log(transport, "Detected write-blocked"); } if (BIO_should_read( ssl->bio_ssl )) { ssl->read_blocked = true; ssl_log(transport, "Detected read-blocked"); } } } } // write incoming data to app layer if (!ssl->app_input_closed) { if (ssl->in_count > 0 || ssl->ssl_closed) { /* if ssl_closed, send 0 count */ ssize_t consumed = transport->io_layers[layer+1]->process_input(transport, layer+1, ssl->inbuf, ssl->in_count); if (consumed > 0) { ssl->in_count -= consumed; if (ssl->in_count) memmove( ssl->inbuf, ssl->inbuf + consumed, ssl->in_count ); work_pending = true; ssl_log( transport, "Application consumed %d bytes from peer", (int) consumed ); } else if (consumed < 0) { ssl_log(transport, "Application layer closed its input, error=%d (discarding %d bytes)", (int) consumed, (int)ssl->in_count); ssl->in_count = 0; // discard any pending input ssl->app_input_closed = consumed; if (ssl->app_output_closed && ssl->out_count == 0) { // both sides of app closed, and no more app output pending: start_ssl_shutdown(transport); } } else { // app did not consume any bytes, must be waiting for a full frame if (ssl->in_count == ssl->in_size) { // but the buffer is full, not enough room for a full frame. // can we grow the buffer? uint32_t max_frame = pn_transport_get_max_frame(transport); if (!max_frame) max_frame = ssl->in_size * 2; // no limit if (ssl->in_size < max_frame) { // no max frame limit - grow it. size_t newsize = pn_min(max_frame, ssl->in_size * 2); char *newbuf = (char *)realloc( ssl->inbuf, newsize ); if (newbuf) { ssl->in_size = newsize; ssl->inbuf = newbuf; work_pending = true; // can we get more input? } } else { // can't gather any more input, but app needs more? // This is a bug - since SSL can buffer up to max-frame, // the application _must_ have enough data to process. If // this is an oversized frame, the app _must_ handle it // by returning an error code to SSL. pn_transport_log(transport, "Error: application unable to consume input."); } } } } } } while (work_pending); //_log(ssl, "ssl_closed=%d in_count=%d app_input_closed=%d app_output_closed=%d", // ssl->ssl_closed, ssl->in_count, ssl->app_input_closed, ssl->app_output_closed ); // PROTON-82: Instead, close the input side as soon as we've completed enough of the SSL // shutdown handshake to send the close_notify. We're not requiring the response, as // some implementations never reply. // --- // tell transport our input side is closed if the SSL socket cannot be read from any // longer, AND any pending input has been written up to the application (or the // application is closed) //if (ssl->ssl_closed && ssl->app_input_closed) { // consumed = ssl->app_input_closed; //} if (ssl->app_input_closed && (SSL_get_shutdown(ssl->ssl) & SSL_SENT_SHUTDOWN) ) { consumed = ssl->app_input_closed; if (transport->io_layers[layer]==&ssl_output_closed_layer) { transport->io_layers[layer] = &ssl_closed_layer; } else { transport->io_layers[layer] = &ssl_input_closed_layer; } } ssl_log(transport, "process_input_ssl() returning %d", (int) consumed); return consumed; }
static ssize_t process_output_ssl( pn_transport_t *transport, unsigned int layer, char *buffer, size_t max_len) { pni_ssl_t *ssl = transport->ssl; if (!ssl) return PN_EOS; if (ssl->ssl == NULL && init_ssl_socket(transport, ssl)) return PN_EOS; ssize_t written = 0; bool work_pending; do { work_pending = false; // first, get any pending application output, if possible if (!ssl->app_output_closed && ssl->out_count < ssl->out_size) { ssize_t app_bytes = transport->io_layers[layer+1]->process_output(transport, layer+1, &ssl->outbuf[ssl->out_count], ssl->out_size - ssl->out_count); if (app_bytes > 0) { ssl->out_count += app_bytes; work_pending = true; ssl_log(transport, "Gathered %d bytes from app to send to peer", app_bytes ); } else { if (app_bytes < 0) { ssl_log(transport, "Application layer closed its output, error=%d (%d bytes pending send)", (int) app_bytes, (int) ssl->out_count); ssl->app_output_closed = app_bytes; } } } // now push any pending app data into the socket if (!ssl->ssl_closed) { char *data = ssl->outbuf; if (ssl->out_count > 0) { int wrote = BIO_write( ssl->bio_ssl, data, ssl->out_count ); if (wrote > 0) { data += wrote; ssl->out_count -= wrote; work_pending = true; ssl_log( transport, "Wrote %d bytes from app to socket", wrote ); } else { if (!BIO_should_retry(ssl->bio_ssl)) { int reason = SSL_get_error( ssl->ssl, wrote ); switch (reason) { case SSL_ERROR_ZERO_RETURN: // SSL closed cleanly ssl_log(transport, "SSL connection has closed"); start_ssl_shutdown(transport); // KAG: not sure - this may not be necessary ssl->out_count = 0; // can no longer write to socket, so erase app output data ssl->ssl_closed = true; break; default: // unexpected error return (ssize_t)ssl_failed(transport); } } else { if (BIO_should_read( ssl->bio_ssl )) { ssl->read_blocked = true; ssl_log(transport, "Detected read-blocked"); } if (BIO_should_write( ssl->bio_ssl )) { ssl->write_blocked = true; ssl_log(transport, "Detected write-blocked"); } } } } if (ssl->out_count == 0) { if (ssl->app_input_closed && ssl->app_output_closed) { // application is done sending/receiving data, and all buffered output data has // been written to the SSL socket start_ssl_shutdown(transport); } } else if (data != ssl->outbuf) { memmove( ssl->outbuf, data, ssl->out_count ); } } // read from the network bio as much as possible, filling the buffer if (max_len) { int available = BIO_read( ssl->bio_net_io, buffer, max_len ); if (available > 0) { max_len -= available; buffer += available; written += available; ssl->write_blocked = false; work_pending = work_pending || max_len > 0; ssl_log(transport, "Read %d bytes from BIO Layer", available ); } } } while (work_pending); //_log(ssl, "written=%d ssl_closed=%d in_count=%d app_input_closed=%d app_output_closed=%d bio_pend=%d", // written, ssl->ssl_closed, ssl->in_count, ssl->app_input_closed, ssl->app_output_closed, BIO_pending(ssl->bio_net_io) ); // PROTON-82: close the output side as soon as we've sent the SSL close_notify. // We're not requiring the response, as some implementations never reply. // ---- // Once no more data is available "below" the SSL socket, tell the transport we are // done. //if (written == 0 && ssl->ssl_closed && BIO_pending(ssl->bio_net_io) == 0) { // written = ssl->app_output_closed ? ssl->app_output_closed : PN_EOS; //} if (written == 0 && (SSL_get_shutdown(ssl->ssl) & SSL_SENT_SHUTDOWN) && BIO_pending(ssl->bio_net_io) == 0) { written = ssl->app_output_closed ? ssl->app_output_closed : PN_EOS; if (transport->io_layers[layer]==&ssl_input_closed_layer) { transport->io_layers[layer] = &ssl_closed_layer; } else { transport->io_layers[layer] = &ssl_output_closed_layer; } } ssl_log(transport, "process_output_ssl() returning %d", (int) written); return written; }
void *netConnectHttpsThread(void *threadParam) /* use a thread to run socket back to user */ { /* child */ struct netConnectHttpsParams *params = threadParam; pthread_detach(params->thread); // this thread will never join back with it's progenitor int fd=0; char hostnameProto[256]; BIO *sbio; SSL_CTX *ctx; SSL *ssl; openSslInit(); ctx = SSL_CTX_new(SSLv23_client_method()); fd_set readfds; fd_set writefds; int err; struct timeval tv; /* TODO checking certificates char *certFile = NULL; char *certPath = NULL; if (certFile || certPath) { SSL_CTX_load_verify_locations(ctx,certFile,certPath); #if (OPENSSL_VERSION_NUMBER < 0x0090600fL) SSL_CTX_set_verify_depth(ctx,1); #endif } // verify paths and mode. */ sbio = BIO_new_ssl_connect(ctx); BIO_get_ssl(sbio, &ssl); if(!ssl) { xerr("Can't locate SSL pointer"); goto cleanup; } /* Don't want any retries since we are non-blocking bio now */ //SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY); safef(hostnameProto,sizeof(hostnameProto),"%s:%d",params->hostName,params->port); BIO_set_conn_hostname(sbio, hostnameProto); BIO_set_nbio(sbio, 1); /* non-blocking mode */ while (1) { if (BIO_do_connect(sbio) == 1) { break; /* Connected */ } if (! BIO_should_retry(sbio)) { xerr("BIO_do_connect() failed"); char s[256]; safef(s, sizeof s, "SSL error: %s", ERR_reason_error_string(ERR_get_error())); xerr(s); goto cleanup; } fd = BIO_get_fd(sbio, NULL); if (fd == -1) { xerr("unable to get BIO descriptor"); goto cleanup; } FD_ZERO(&readfds); FD_ZERO(&writefds); if (BIO_should_read(sbio)) { FD_SET(fd, &readfds); } else if (BIO_should_write(sbio)) { FD_SET(fd, &writefds); } else { /* BIO_should_io_special() */ FD_SET(fd, &readfds); FD_SET(fd, &writefds); } tv.tv_sec = 10; // timeout tv.tv_usec = 0; err = select(fd + 1, &readfds, &writefds, NULL, &tv); if (err < 0) { xerr("select() error"); goto cleanup; } if (err == 0) { char s[256]; safef(s, sizeof s, "connection timeout to %s", params->hostName); xerr(s); goto cleanup; } } /* TODO checking certificates if (certFile || certPath) if (!check_cert(ssl, host)) return -1; */ /* we need to wait on both the user's socket and the BIO SSL socket * to see if we need to ferry data from one to the other */ char sbuf[32768]; // socket buffer sv[1] to user char bbuf[32768]; // bio buffer int srd = 0; int swt = 0; int brd = 0; int bwt = 0; while (1) { // Do NOT move this outside the while loop. /* Get underlying file descriptor, needed for select call */ fd = BIO_get_fd(sbio, NULL); if (fd == -1) { xerr("BIO doesn't seem to be initialized in https, unable to get descriptor."); goto cleanup; } FD_ZERO(&readfds); FD_ZERO(&writefds); if (brd == 0) FD_SET(fd, &readfds); if (swt < srd) FD_SET(fd, &writefds); if (srd == 0) FD_SET(params->sv[1], &readfds); tv.tv_sec = 10; // timeout tv.tv_usec = 0; err = select(max(fd,params->sv[1]) + 1, &readfds, &writefds, NULL, &tv); /* Evaluate select() return code */ if (err < 0) { xerr("error during select()"); goto cleanup; } else if (err == 0) { /* Timed out - just quit */ xerr("https timeout expired"); goto cleanup; } else { if (FD_ISSET(params->sv[1], &readfds)) { swt = 0; srd = read(params->sv[1], sbuf, 32768); if (srd == -1) { if (errno != 104) // udcCache often closes causing "Connection reset by peer" xerrno("error reading https socket"); goto cleanup; } if (srd == 0) break; // user closed socket, we are done } if (FD_ISSET(fd, &writefds)) { int swtx = BIO_write(sbio, sbuf+swt, srd-swt); if (swtx <= 0) { if (!BIO_should_write(sbio)) { ERR_print_errors_fp(stderr); xerr("Error writing SSL connection"); goto cleanup; } } else { swt += swtx; if (swt >= srd) { swt = 0; srd = 0; } } } if (FD_ISSET(fd, &readfds)) { bwt = 0; brd = BIO_read(sbio, bbuf, 32768); if (brd <= 0) { if (BIO_should_read(sbio)) { brd = 0; continue; } else { if (brd == 0) break; ERR_print_errors_fp(stderr); xerr("Error reading SSL connection"); goto cleanup; } } // write the https data received immediately back on socket to user, and it's ok if it blocks. while(bwt < brd) { int bwtx = write(params->sv[1], bbuf+bwt, brd-bwt); if (bwtx == -1) { if ((errno != 104) // udcCache often closes causing "Connection reset by peer" && (errno != 32)) // udcCache often closes causing "Broken pipe" xerrno("error writing https data back to user socket"); goto cleanup; } bwt += bwtx; } brd = 0; bwt = 0; } } } cleanup: BIO_free_all(sbio); close(params->sv[1]); /* we are done with it */ return NULL; }
/* This function reads a decrypted stream and returns an encrypted stream. */ static apr_status_t ssl_encrypt(void *baton, apr_size_t bufsize, char *buf, apr_size_t *len) { const char *data; apr_size_t interim_bufsize; serf_ssl_context_t *ctx = baton; apr_status_t status; #ifdef SSL_VERBOSE printf("ssl_encrypt: begin %d\n", bufsize); #endif /* Try to read already encrypted but unread data first. */ status = serf_bucket_read(ctx->encrypt.pending, bufsize, &data, len); if (SERF_BUCKET_READ_ERROR(status)) { return status; } /* Aha, we read something. Return that now. */ if (*len) { memcpy(buf, data, *len); if (APR_STATUS_IS_EOF(status)) { status = APR_SUCCESS; } #ifdef SSL_VERBOSE printf("ssl_encrypt: %d %d %d (quick read)\n", status, *len, BIO_get_retry_flags(ctx->bio)); #endif return status; } if (BIO_should_retry(ctx->bio) && BIO_should_write(ctx->bio)) { #ifdef SSL_VERBOSE printf("ssl_encrypt: %d %d %d (should write exit)\n", status, *len, BIO_get_retry_flags(ctx->bio)); #endif return APR_EAGAIN; } /* If we were previously blocked, unblock ourselves now. */ if (BIO_should_read(ctx->bio)) { #ifdef SSL_VERBOSE printf("ssl_encrypt: reset %d %d (%d %d %d)\n", status, ctx->encrypt.status, BIO_should_retry(ctx->bio), BIO_should_read(ctx->bio), BIO_get_retry_flags(ctx->bio)); #endif ctx->encrypt.status = APR_SUCCESS; ctx->encrypt.exhausted_reset = 0; } /* Oh well, read from our stream now. */ interim_bufsize = bufsize; do { apr_size_t interim_len; if (!ctx->encrypt.status) { struct iovec vecs[64]; int vecs_read; status = serf_bucket_read_iovec(ctx->encrypt.stream, interim_bufsize, 64, vecs, &vecs_read); if (!SERF_BUCKET_READ_ERROR(status) && vecs_read) { char *vecs_data; int i, cur, vecs_data_len; int ssl_len; /* Combine the buffers of the iovec into one buffer, as that is with SSL_write requires. */ vecs_data_len = 0; for (i = 0; i < vecs_read; i++) { vecs_data_len += vecs[i].iov_len; } vecs_data = serf_bucket_mem_alloc(ctx->allocator, vecs_data_len); cur = 0; for (i = 0; i < vecs_read; i++) { memcpy(vecs_data + cur, vecs[i].iov_base, vecs[i].iov_len); cur += vecs[i].iov_len; } interim_bufsize -= vecs_data_len; interim_len = vecs_data_len; #ifdef SSL_VERBOSE printf("ssl_encrypt: bucket read %d bytes; status %d\n", interim_len, status); printf("---\n%s\n-(%d)-\n", vecs_data, interim_len); #endif /* Stash our status away. */ ctx->encrypt.status = status; ssl_len = SSL_write(ctx->ssl, vecs_data, interim_len); #ifdef SSL_VERBOSE printf("ssl_encrypt: SSL write: %d\n", ssl_len); #endif /* We're done. */ serf_bucket_mem_free(ctx->allocator, vecs_data); /* If we failed to write... */ if (ssl_len < 0) { int ssl_err; /* Ah, bugger. We need to put that data back. */ serf_bucket_aggregate_prepend_iovec(ctx->encrypt.stream, vecs, vecs_read); ssl_err = SSL_get_error(ctx->ssl, ssl_len); #ifdef SSL_VERBOSE printf("ssl_encrypt: SSL write error: %d\n", ssl_err); #endif if (ssl_err == SSL_ERROR_SYSCALL) { status = ctx->encrypt.status; if (SERF_BUCKET_READ_ERROR(status)) { return status; } } else { /* Oh, no. */ if (ssl_err == SSL_ERROR_WANT_READ) { status = SERF_ERROR_WAIT_CONN; } else { status = APR_EGENERAL; } } #ifdef SSL_VERBOSE printf("ssl_encrypt: SSL write error: %d %d\n", status, *len); #endif } } } else { interim_len = 0; *len = 0; status = ctx->encrypt.status; } } while (!status && interim_bufsize); /* Okay, we exhausted our underlying stream. */ if (!SERF_BUCKET_READ_ERROR(status)) { apr_status_t agg_status; struct iovec vecs[64]; int vecs_read, i; /* We read something! */ agg_status = serf_bucket_read_iovec(ctx->encrypt.pending, bufsize, 64, vecs, &vecs_read); *len = 0; for (i = 0; i < vecs_read; i++) { memcpy(buf + *len, vecs[i].iov_base, vecs[i].iov_len); *len += vecs[i].iov_len; } #ifdef SSL_VERBOSE printf("ssl_encrypt read agg: %d %d %d %d\n", status, agg_status, ctx->encrypt.status, *len); #endif if (!agg_status) { status = agg_status; } } if (status == SERF_ERROR_WAIT_CONN && BIO_should_retry(ctx->bio) && BIO_should_read(ctx->bio)) { ctx->encrypt.exhausted = ctx->encrypt.status; ctx->encrypt.status = SERF_ERROR_WAIT_CONN; } #ifdef SSL_VERBOSE printf("ssl_encrypt finished: %d %d (%d %d %d)\n", status, *len, BIO_should_retry(ctx->bio), BIO_should_read(ctx->bio), BIO_get_retry_flags(ctx->bio)); #endif return status; }
/** * oh_ssl_connect * @hostname: Name of target host. Format: * "hostname:port" or "IPaddress:port" * @ctx: pointer to SSL_CTX as returned by oh_ssl_ctx_init() * @timeout: maximum number of seconds to wait for a connection to * hostname, or zero to wait forever * * Create and open a new ssl conection to the specified host. * * Return value: pointer to BIO, or NULL for failure **/ BIO *oh_ssl_connect(char *hostname, SSL_CTX *ctx, long timeout) { BIO *bio; SSL *ssl; fd_set readfds; fd_set writefds; struct timeval tv; int fd; int err; if (hostname == NULL) { err("NULL hostname in oh_ssl_connect()"); return(NULL); } if (ctx == NULL) { err("NULL ctx in oh_ssl_connect()"); return(NULL); } if (timeout < 0) { err("inappropriate timeout in oh_ssl_connect()"); return(NULL); } /* Start with a new SSL BIO */ bio = BIO_new_ssl_connect(ctx); if (bio == NULL) { err("BIO_new_ssl_connect() failed"); return(NULL); } /* Set up connection parameters for this BIO */ BIO_set_conn_hostname(bio, hostname); BIO_set_nbio(bio, 1); /* Set underlying socket to * non-blocking mode */ /* Set up SSL session parameters */ BIO_get_ssl(bio, &ssl); if (ssl == NULL) { err("BIO_get_ssl() failed"); BIO_free_all(bio); return(NULL); } SSL_set_mode(ssl, SSL_MODE_ENABLE_PARTIAL_WRITE); /* Ready to open the connection. Note that this call will probably * take a while, so we need to retry it, watching for a timeout. */ while (1) { if (BIO_do_connect(bio) == 1) { break; /* Connection established */ } if (! BIO_should_retry(bio)) { /* Hard error? */ err("BIO_do_connect() failed"); err("SSL error: %s", ERR_reason_error_string(ERR_get_error())); BIO_free_all(bio); return(NULL); } /* Wait until there's a change in the socket's status or until * the timeout period. * * Get underlying file descriptor, needed for the select call. */ fd = BIO_get_fd(bio, NULL); if (fd == -1) { err("BIO isn't initialized in oh_ssl_connect()"); BIO_free_all(bio); return(NULL); } FD_ZERO(&readfds); FD_ZERO(&writefds); if (BIO_should_read(bio)) { FD_SET(fd, &readfds); } else if (BIO_should_write(bio)) { FD_SET(fd, &writefds); } else { /* This is BIO_should_io_special(). * Not sure what "special" needs to * wait for, but both read and write * seems to work without unnecessary * retries. */ FD_SET(fd, &readfds); FD_SET(fd, &writefds); } if (timeout) { tv.tv_sec = timeout; tv.tv_usec = 0; err = select(fd + 1, &readfds, &writefds, NULL, &tv); } else { /* No timeout */ err = select(fd + 1, &readfds, &writefds, NULL, NULL); } /* Evaluate select() return code */ if (err < 0) { err("error during select()"); BIO_free_all(bio); return(NULL); } if (err == 0) { err("connection timeout to %s", hostname); BIO_free_all(bio); return(NULL); /* Timeout */ } } /* TODO: Do I need to set the client or server mode here? I don't * think so. */ return(bio); }
NOEXPORT OCSP_RESPONSE *ocsp_get_response(CLI *c, OCSP_REQUEST *req, char *url) { BIO *bio=NULL; OCSP_REQ_CTX *req_ctx=NULL; OCSP_RESPONSE *resp=NULL; int err; char *host=NULL, *port=NULL, *path=NULL; SOCKADDR_UNION addr; int ssl; /* parse the OCSP URL */ if(!OCSP_parse_url(url, &host, &port, &path, &ssl)) { s_log(LOG_ERR, "OCSP: Failed to parse the OCSP URL"); goto cleanup; } if(ssl) { s_log(LOG_ERR, "OCSP: SSL not supported for OCSP" " - additional stunnel service needs to be defined"); goto cleanup; } memset(&addr, 0, sizeof addr); addr.in.sin_family=AF_INET; if(!hostport2addr(&addr, host, port)) { s_log(LOG_ERR, "OCSP: Failed to resolve the OCSP server address"); goto cleanup; } /* connect specified OCSP server (responder) */ c->fd=s_socket(addr.sa.sa_family, SOCK_STREAM, 0, 1, "OCSP: socket"); if(c->fd<0) goto cleanup; if(s_connect(c, &addr, addr_len(&addr))) goto cleanup; bio=BIO_new_fd(c->fd, BIO_NOCLOSE); if(!bio) goto cleanup; s_log(LOG_DEBUG, "OCSP: response retrieved"); /* OCSP protocol communication loop */ req_ctx=OCSP_sendreq_new(bio, path, req, -1); if(!req_ctx) { sslerror("OCSP: OCSP_sendreq_new"); goto cleanup; } while(OCSP_sendreq_nbio(&resp, req_ctx)==-1) { s_poll_init(c->fds); s_poll_add(c->fds, c->fd, BIO_should_read(bio), BIO_should_write(bio)); err=s_poll_wait(c->fds, c->opt->timeout_busy, 0); if(err==-1) sockerror("OCSP: s_poll_wait"); if(err==0) s_log(LOG_INFO, "OCSP: s_poll_wait: TIMEOUTbusy exceeded"); if(err<=0) goto cleanup; } #if 0 s_log(LOG_DEBUG, "OCSP: context state: 0x%x", *(int *)req_ctx); #endif /* http://www.mail-archive.com/[email protected]/msg61691.html */ if(resp) { s_log(LOG_DEBUG, "OCSP: request completed"); } else { if(ERR_peek_error()) sslerror("OCSP: OCSP_sendreq_nbio"); else /* OpenSSL error: OCSP_sendreq_nbio does not use OCSPerr */ s_log(LOG_ERR, "OCSP: OCSP_sendreq_nbio: OpenSSL internal error"); } cleanup: if(req_ctx) OCSP_REQ_CTX_free(req_ctx); if(bio) BIO_free_all(bio); if(c->fd>=0) { closesocket(c->fd); c->fd=-1; /* avoid double close on cleanup */ } if(host) OPENSSL_free(host); if(port) OPENSSL_free(port); if(path) OPENSSL_free(path); return resp; }
static int watchccs_write(BIO *bio, const char *in, int inl) { int ret = 0; BIO *next = BIO_next(bio); PACKET pkt, msg, msgbody, sessionid; unsigned int rectype, recvers, msgtype, expectedrecvers; if (inl <= 0) return 0; if (next == NULL) return 0; BIO_clear_retry_flags(bio); if (!PACKET_buf_init(&pkt, (const unsigned char *)in, inl)) return 0; /* We assume that we always write complete records each time */ while (PACKET_remaining(&pkt)) { if (!PACKET_get_1(&pkt, &rectype) || !PACKET_get_net_2(&pkt, &recvers) || !PACKET_get_length_prefixed_2(&pkt, &msg)) return 0; expectedrecvers = TLS1_2_VERSION; if (rectype == SSL3_RT_HANDSHAKE) { if (!PACKET_get_1(&msg, &msgtype) || !PACKET_get_length_prefixed_3(&msg, &msgbody)) return 0; if (msgtype == SSL3_MT_CLIENT_HELLO) { chseen++; /* * Skip legacy_version (2 bytes) and Random (32 bytes) to read * session_id. */ if (!PACKET_forward(&msgbody, 34) || !PACKET_get_length_prefixed_1(&msgbody, &sessionid)) return 0; if (chseen == 1) { expectedrecvers = TLS1_VERSION; /* Save the session id for later */ chsessidlen = PACKET_remaining(&sessionid); if (!PACKET_copy_bytes(&sessionid, chsessid, chsessidlen)) return 0; } else { /* * Check the session id for the second ClientHello is the * same as the first one. */ if (PACKET_remaining(&sessionid) != chsessidlen || (chsessidlen > 0 && memcmp(chsessid, PACKET_data(&sessionid), chsessidlen) != 0)) badsessid = 1; } } else if (msgtype == SSL3_MT_SERVER_HELLO) { shseen++; /* * Skip legacy_version (2 bytes) and Random (32 bytes) to read * session_id. */ if (!PACKET_forward(&msgbody, 34) || !PACKET_get_length_prefixed_1(&msgbody, &sessionid)) return 0; /* * Check the session id is the same as the one in the * ClientHello */ if (PACKET_remaining(&sessionid) != chsessidlen || (chsessidlen > 0 && memcmp(chsessid, PACKET_data(&sessionid), chsessidlen) != 0)) badsessid = 1; } } else if (rectype == SSL3_RT_CHANGE_CIPHER_SPEC) { if (bio == s_to_c_fbio) { /* * Server writing. We shouldn't have written any app data * yet, and we should have seen both the ClientHello and the * ServerHello */ if (!sappdataseen && chseen == 1 && shseen == 1 && !sccsseen) sccsseen = 1; else badccs = 1; } else if (!cappdataseen) { /* * Client writing. We shouldn't have written any app data * yet, and we should have seen the ClientHello */ if (shseen == 1 && !ccsaftersh) ccsaftersh = 1; else if (shseen == 0 && !ccsbeforesh) ccsbeforesh = 1; else badccs = 1; } else { badccs = 1; } } else if(rectype == SSL3_RT_APPLICATION_DATA) { if (bio == s_to_c_fbio) sappdataseen = 1; else cappdataseen = 1; } if (recvers != expectedrecvers) badvers = 1; } ret = BIO_write(next, in, inl); if (ret <= 0 && BIO_should_write(next)) BIO_set_retry_write(bio); return ret; }
int doit(SSL *s_ssl, SSL *c_ssl, long count) { MS_STATIC char cbuf[1024*8],sbuf[1024*8]; long cw_num=count,cr_num=count; long sw_num=count,sr_num=count; int ret=1; BIO *c_to_s=NULL; BIO *s_to_c=NULL; BIO *c_bio=NULL; BIO *s_bio=NULL; int c_r,c_w,s_r,s_w; int c_want,s_want; int i,j; int done=0; int c_write,s_write; int do_server=0,do_client=0; memset(cbuf,0,sizeof(cbuf)); memset(sbuf,0,sizeof(sbuf)); c_to_s=BIO_new(BIO_s_mem()); s_to_c=BIO_new(BIO_s_mem()); if ((s_to_c == NULL) || (c_to_s == NULL)) { ERR_print_errors(bio_err); goto err; } c_bio=BIO_new(BIO_f_ssl()); s_bio=BIO_new(BIO_f_ssl()); if ((c_bio == NULL) || (s_bio == NULL)) { ERR_print_errors(bio_err); goto err; } SSL_set_connect_state(c_ssl); SSL_set_bio(c_ssl,s_to_c,c_to_s); BIO_set_ssl(c_bio,c_ssl,BIO_NOCLOSE); SSL_set_accept_state(s_ssl); SSL_set_bio(s_ssl,c_to_s,s_to_c); BIO_set_ssl(s_bio,s_ssl,BIO_NOCLOSE); c_r=0; s_r=1; c_w=1; s_w=0; c_want=W_WRITE; s_want=0; c_write=1,s_write=0; /* We can always do writes */ for (;;) { do_server=0; do_client=0; i=(int)BIO_pending(s_bio); if ((i && s_r) || s_w) do_server=1; i=(int)BIO_pending(c_bio); if ((i && c_r) || c_w) do_client=1; if (do_server && debug) { if (SSL_in_init(s_ssl)) printf("server waiting in SSL_accept - %s\n", SSL_state_string_long(s_ssl)); /* else if (s_write) printf("server:SSL_write()\n"); else printf("server:SSL_read()\n"); */ } if (do_client && debug) { if (SSL_in_init(c_ssl)) printf("client waiting in SSL_connect - %s\n", SSL_state_string_long(c_ssl)); /* else if (c_write) printf("client:SSL_write()\n"); else printf("client:SSL_read()\n"); */ } if (!do_client && !do_server) { fprintf(stdout,"ERROR IN STARTUP\n"); ERR_print_errors(bio_err); break; } if (do_client && !(done & C_DONE)) { if (c_write) { j=(cw_num > (long)sizeof(cbuf)) ?sizeof(cbuf):(int)cw_num; i=BIO_write(c_bio,cbuf,j); if (i < 0) { c_r=0; c_w=0; if (BIO_should_retry(c_bio)) { if (BIO_should_read(c_bio)) c_r=1; if (BIO_should_write(c_bio)) c_w=1; } else { fprintf(stderr,"ERROR in CLIENT\n"); ERR_print_errors(bio_err); goto err; } } else if (i == 0) { fprintf(stderr,"SSL CLIENT STARTUP FAILED\n"); goto err; } else { if (debug) printf("client wrote %d\n",i); /* ok */ s_r=1; c_write=0; cw_num-=i; } } else { i=BIO_read(c_bio,cbuf,sizeof(cbuf)); if (i < 0) { c_r=0; c_w=0; if (BIO_should_retry(c_bio)) { if (BIO_should_read(c_bio)) c_r=1; if (BIO_should_write(c_bio)) c_w=1; } else { fprintf(stderr,"ERROR in CLIENT\n"); ERR_print_errors(bio_err); goto err; } } else if (i == 0) { fprintf(stderr,"SSL CLIENT STARTUP FAILED\n"); goto err; } else { if (debug) printf("client read %d\n",i); cr_num-=i; if (sw_num > 0) { s_write=1; s_w=1; } if (cr_num <= 0) { s_write=1; s_w=1; done=S_DONE|C_DONE; } } } } if (do_server && !(done & S_DONE)) { if (!s_write) { i=BIO_read(s_bio,sbuf,sizeof(cbuf)); if (i < 0) { s_r=0; s_w=0; if (BIO_should_retry(s_bio)) { if (BIO_should_read(s_bio)) s_r=1; if (BIO_should_write(s_bio)) s_w=1; } else { fprintf(stderr,"ERROR in SERVER\n"); ERR_print_errors(bio_err); goto err; } } else if (i == 0) { ERR_print_errors(bio_err); fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_read\n"); goto err; } else { if (debug) printf("server read %d\n",i); sr_num-=i; if (cw_num > 0) { c_write=1; c_w=1; } if (sr_num <= 0) { s_write=1; s_w=1; c_write=0; } } } else { j=(sw_num > (long)sizeof(sbuf))? sizeof(sbuf):(int)sw_num; i=BIO_write(s_bio,sbuf,j); if (i < 0) { s_r=0; s_w=0; if (BIO_should_retry(s_bio)) { if (BIO_should_read(s_bio)) s_r=1; if (BIO_should_write(s_bio)) s_w=1; } else { fprintf(stderr,"ERROR in SERVER\n"); ERR_print_errors(bio_err); goto err; } } else if (i == 0) { ERR_print_errors(bio_err); fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_write\n"); goto err; } else { if (debug) printf("server wrote %d\n",i); sw_num-=i; s_write=0; c_r=1; if (sw_num <= 0) done|=S_DONE; } } } if ((done & S_DONE) && (done & C_DONE)) break; } if (verbose) print_details(c_ssl, "DONE: "); ret=0; err: /* We have to set the BIO's to NULL otherwise they will be * OPENSSL_free()ed twice. Once when th s_ssl is SSL_free()ed and * again when c_ssl is SSL_free()ed. * This is a hack required because s_ssl and c_ssl are sharing the same * BIO structure and SSL_set_bio() and SSL_free() automatically * BIO_free non NULL entries. * You should not normally do this or be required to do this */ if (s_ssl != NULL) { s_ssl->rbio=NULL; s_ssl->wbio=NULL; } if (c_ssl != NULL) { c_ssl->rbio=NULL; c_ssl->wbio=NULL; } if (c_to_s != NULL) BIO_free(c_to_s); if (s_to_c != NULL) BIO_free(s_to_c); if (c_bio != NULL) BIO_free_all(c_bio); if (s_bio != NULL) BIO_free_all(s_bio); return(ret); }