Fix OpenSSL errors during (re-)negotiation

fixes #6724
This commit is contained in:
Gunnar Beutner 2014-08-01 14:28:32 +02:00
parent 72d66e4f17
commit 3f647bb779
3 changed files with 30 additions and 36 deletions

View File

@ -35,7 +35,7 @@ bool I2_EXPORT TlsStream::m_SSLIndexInitialized = false;
* @param role The role of the client.
* @param sslContext The SSL context for the client.
*/
TlsStream::TlsStream(const Socket::Ptr& socket, ConnectionRole role, shared_ptr<SSL_CTX> sslContext)
TlsStream::TlsStream(const Socket::Ptr& socket, ConnectionRole role, const shared_ptr<SSL_CTX>& sslContext)
: m_Socket(socket), m_Role(role)
{
m_SSL = shared_ptr<SSL>(SSL_new(sslContext.get()), SSL_free);
@ -61,9 +61,7 @@ TlsStream::TlsStream(const Socket::Ptr& socket, ConnectionRole role, shared_ptr<
socket->MakeNonBlocking();
m_BIO = BIO_new_socket(socket->GetFD(), 0);
BIO_set_nbio(m_BIO, 1);
SSL_set_bio(m_SSL.get(), m_BIO, m_BIO);
SSL_set_fd(m_SSL.get(), socket->GetFD());
if (m_Role == RoleServer)
SSL_set_accept_state(m_SSL.get());
@ -96,15 +94,12 @@ void TlsStream::Handshake(void)
for (;;) {
int rc, err;
{
boost::mutex::scoped_lock lock(m_SSLLock);
rc = SSL_do_handshake(m_SSL.get());
if (rc > 0)
break;
err = SSL_get_error(m_SSL.get(), rc);
}
switch (err) {
case SSL_ERROR_WANT_READ:
@ -142,13 +137,10 @@ size_t TlsStream::Read(void *buffer, size_t count)
while (left > 0) {
int rc, err;
{
boost::mutex::scoped_lock lock(m_SSLLock);
rc = SSL_read(m_SSL.get(), ((char *)buffer) + (count - left), left);
if (rc <= 0)
err = SSL_get_error(m_SSL.get(), rc);
}
if (rc <= 0) {
switch (err) {
@ -189,13 +181,10 @@ void TlsStream::Write(const void *buffer, size_t count)
while (left > 0) {
int rc, err;
{
boost::mutex::scoped_lock lock(m_SSLLock);
rc = SSL_write(m_SSL.get(), ((const char *)buffer) + (count - left), left);
if (rc <= 0)
err = SSL_get_error(m_SSL.get(), rc);
}
if (rc <= 0) {
switch (err) {
@ -235,9 +224,6 @@ void TlsStream::Close(void)
for (;;) {
int rc, err;
{
boost::mutex::scoped_lock lock(m_SSLLock);
do {
rc = SSL_shutdown(m_SSL.get());
} while (rc == 0);
@ -246,7 +232,6 @@ void TlsStream::Close(void)
break;
err = SSL_get_error(m_SSL.get(), rc);
}
switch (err) {
case SSL_ERROR_WANT_READ:

View File

@ -38,7 +38,7 @@ class I2_BASE_API TlsStream : public Stream
public:
DECLARE_PTR_TYPEDEFS(TlsStream);
TlsStream(const Socket::Ptr& socket, ConnectionRole role, shared_ptr<SSL_CTX> sslContext);
TlsStream(const Socket::Ptr& socket, ConnectionRole role, const shared_ptr<SSL_CTX>& sslContext);
shared_ptr<X509> GetClientCertificate(void) const;
shared_ptr<X509> GetPeerCertificate(void) const;
@ -53,7 +53,6 @@ public:
virtual bool IsEof(void) const;
private:
boost::mutex m_SSLLock;
shared_ptr<SSL> m_SSL;
BIO *m_BIO;

View File

@ -33,6 +33,15 @@ static void OpenSSLLockingCallback(int mode, int type, const char *, int)
l_Mutexes[type].unlock();
}
static unsigned long OpenSSLIDCallback(void)
{
#ifdef _WIN32
return static_cast<unsigned long>(GetCurrentThreadId());
#else /* _WIN32 */
return static_cast<unsigned long>(pthread_self());
#endif /* _WIN32 */
}
/**
* Initializes the OpenSSL library.
*/
@ -48,6 +57,7 @@ static void InitializeOpenSSL(void)
l_Mutexes = new boost::mutex[CRYPTO_num_locks()];
CRYPTO_set_locking_callback(&OpenSSLLockingCallback);
CRYPTO_set_id_callback(&OpenSSLIDCallback);
l_SSLInitialized = true;
}
@ -66,7 +76,7 @@ shared_ptr<SSL_CTX> MakeSSLContext(const String& pubkey, const String& privkey,
shared_ptr<SSL_CTX> sslContext = shared_ptr<SSL_CTX>(SSL_CTX_new(TLSv1_method()), SSL_CTX_free);
SSL_CTX_set_mode(sslContext.get(), SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER | SSL_MODE_AUTO_RETRY);
SSL_CTX_set_mode(sslContext.get(), SSL_MODE_ENABLE_PARTIAL_WRITE | SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER);
if (!SSL_CTX_use_certificate_chain_file(sslContext.get(), pubkey.CStr())) {
BOOST_THROW_EXCEPTION(openssl_error()