feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Fix for handling OCSP with non-blocking. The HashInput function was being called on the re-entry, which produced a bad mac response from server. Also cleanup for some of the WC_PENDING_E logic for the non-async cases to reduce code size.

Browse Source
This commit is contained in:
David Garske
2018-03-16 12:02:36 -07:00
parent f70351242b
commit fa73f7bc55
5 changed files with 85 additions and 41 deletions
Download Patch File Download Diff File Expand all files Collapse all files

35
examples/client/client.c
View File

@@ -40,6 +40,7 @@
#include <wolfssl/test.h> #include <wolfssl/test.h>
#include <examples/client/client.h> #include <examples/client/client.h>
#include <wolfssl/error-ssl.h>
#ifndef NO_WOLFSSL_CLIENT #ifndef NO_WOLFSSL_CLIENT
@@ -99,31 +100,41 @@ static int NonBlockingSSL_Connect(WOLFSSL* ssl)
error = wolfSSL_get_error(ssl, 0); error = wolfSSL_get_error(ssl, 0);
sockfd = (SOCKET_T)wolfSSL_get_fd(ssl); sockfd = (SOCKET_T)wolfSSL_get_fd(ssl);
while (ret != WOLFSSL_SUCCESS && (error == WOLFSSL_ERROR_WANT_READ || while (ret != WOLFSSL_SUCCESS &&
error == WOLFSSL_ERROR_WANT_WRITE || (error == WOLFSSL_ERROR_WANT_READ || error == WOLFSSL_ERROR_WANT_WRITE
error == WC_PENDING_E)) { #ifdef WOLFSSL_ASYNC_CRYPT
|| error == WC_PENDING_E
#endif
#ifdef WOLFSSL_NONBLOCK_OCSP
|| error == OCSP_WANT_READ
#endif
)) {
int currTimeout = 1; int currTimeout = 1;
if (error == WOLFSSL_ERROR_WANT_READ) if (error == WOLFSSL_ERROR_WANT_READ)
printf("... client would read block\n"); printf("... client would read block\n");
else if (error == WOLFSSL_ERROR_WANT_WRITE) else if (error == WOLFSSL_ERROR_WANT_WRITE)
printf("... client would write block\n"); printf("... client would write block\n");
#ifdef WOLFSSL_ASYNC_CRYPT #ifdef WOLFSSL_ASYNC_CRYPT
else if (error == WC_PENDING_E) { if (error == WC_PENDING_E) {
ret = wolfSSL_AsyncPoll(ssl, WOLF_POLL_FLAG_CHECK_HW); ret = wolfSSL_AsyncPoll(ssl, WOLF_POLL_FLAG_CHECK_HW);
if (ret < 0) break; if (ret < 0) break;
} }
else
#endif #endif
{
if (error != WC_PENDING_E) {
#ifdef WOLFSSL_DTLS #ifdef WOLFSSL_DTLS
currTimeout = wolfSSL_dtls_get_current_timeout(ssl); currTimeout = wolfSSL_dtls_get_current_timeout(ssl);
#endif #endif
select_ret = tcp_select(sockfd, currTimeout); select_ret = tcp_select(sockfd, currTimeout);
} }
if ((select_ret == TEST_RECV_READY) || if ((select_ret == TEST_RECV_READY) || (select_ret == TEST_ERROR_READY)
(select_ret == TEST_ERROR_READY) || error == WC_PENDING_E) { #ifdef WOLFSSL_ASYNC_CRYPT
|| error == WC_PENDING_E
#endif
) {
#ifndef WOLFSSL_CALLBACKS #ifndef WOLFSSL_CALLBACKS
ret = wolfSSL_connect(ssl); ret = wolfSSL_connect(ssl);
#else #else
@@ -635,7 +646,11 @@ static void ClientRead(WOLFSSL* ssl, char* reply, int replyLen, int mustRead)
err_sys("SSL_read failed"); err_sys("SSL_read failed");
} }
} }
} while (err == WC_PENDING_E || (mustRead && err == WOLFSSL_ERROR_WANT_READ)); } while ((mustRead && err == WOLFSSL_ERROR_WANT_READ)
#ifdef WOLFSSL_ASYNC_CRYPT
|| err == WC_PENDING_E
#endif
);
if (ret > 0) { if (ret > 0) {
reply[ret] = 0; reply[ret] = 0;
printf("%s\n", reply); printf("%s\n", reply);

25
examples/server/server.c
View File

@@ -126,9 +126,12 @@ static int NonBlockingSSL_Accept(SSL* ssl)
SOCKET_T sockfd = (SOCKET_T)CyaSSL_get_fd(ssl); SOCKET_T sockfd = (SOCKET_T)CyaSSL_get_fd(ssl);
int select_ret = 0; int select_ret = 0;
while (ret != WOLFSSL_SUCCESS && (error == WOLFSSL_ERROR_WANT_READ || while (ret != WOLFSSL_SUCCESS &&
error == WOLFSSL_ERROR_WANT_WRITE || (error == WOLFSSL_ERROR_WANT_READ || error == WOLFSSL_ERROR_WANT_WRITE
error == WC_PENDING_E)) { #ifdef WOLFSSL_ASYNC_CRYPT
|| error == WC_PENDING_E
#endif
)) {
int currTimeout = 1; int currTimeout = 1;
if (error == WOLFSSL_ERROR_WANT_READ) { if (error == WOLFSSL_ERROR_WANT_READ) {
@@ -137,22 +140,26 @@ static int NonBlockingSSL_Accept(SSL* ssl)
else if (error == WOLFSSL_ERROR_WANT_WRITE) { else if (error == WOLFSSL_ERROR_WANT_WRITE) {
/* printf("... server would write block\n"); */ /* printf("... server would write block\n"); */
} }
#ifdef WOLFSSL_ASYNC_CRYPT #ifdef WOLFSSL_ASYNC_CRYPT
else if (error == WC_PENDING_E) { if (error == WC_PENDING_E) {
ret = wolfSSL_AsyncPoll(ssl, WOLF_POLL_FLAG_CHECK_HW); ret = wolfSSL_AsyncPoll(ssl, WOLF_POLL_FLAG_CHECK_HW);
if (ret < 0) break; if (ret < 0) break;
} }
else
#endif #endif
{
if (error != WC_PENDING_E) {
#ifdef CYASSL_DTLS #ifdef CYASSL_DTLS
currTimeout = CyaSSL_dtls_get_current_timeout(ssl); currTimeout = CyaSSL_dtls_get_current_timeout(ssl);
#endif #endif
select_ret = tcp_select(sockfd, currTimeout); select_ret = tcp_select(sockfd, currTimeout);
} }
if ((select_ret == TEST_RECV_READY) || if ((select_ret == TEST_RECV_READY) || (select_ret == TEST_ERROR_READY)
(select_ret == TEST_ERROR_READY) || error == WC_PENDING_E) { #ifdef WOLFSSL_ASYNC_CRYPT
|| error == WC_PENDING_E
#endif
) {
#ifndef CYASSL_CALLBACKS #ifndef CYASSL_CALLBACKS
ret = SSL_accept(ssl); ret = SSL_accept(ssl);
#else #else
@@ -217,7 +224,7 @@ int ServerEchoData(SSL* ssl, int clientfd, int echoData, int throughput)
else else
#endif #endif
if (err != WOLFSSL_ERROR_WANT_READ && if (err != WOLFSSL_ERROR_WANT_READ &&
err != WOLFSSL_ERROR_ZERO_RETURN) { err != WOLFSSL_ERROR_ZERO_RETURN) {
printf("SSL_read echo error %d\n", err); printf("SSL_read echo error %d\n", err);
err_sys_ex(runWithErrors, "SSL_read failed"); err_sys_ex(runWithErrors, "SSL_read failed");
} }

2
scripts/ocsp.test
View File

@@ -13,7 +13,7 @@ RESULT=$?
[ $RESULT -ne 0 ] && exit 0 [ $RESULT -ne 0 ] && exit 0
# client test against the server # client test against the server
./examples/client/client -X -C -h $server -p 443 -A $ca -g -o ./examples/client/client -X -C -h $server -p 443 -A $ca -g -o -N
RESULT=$? RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1 [ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1

53
src/internal.c
View File

@@ -8069,9 +8069,6 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
ret = ParseCertRelative(args->dCert, CERT_TYPE, 0, ret = ParseCertRelative(args->dCert, CERT_TYPE, 0,
ssl->ctx->cm); ssl->ctx->cm);
if (ret != 0 && ret != WC_PENDING_E)
goto exit_ppc;
#ifdef WOLFSSL_ASYNC_CRYPT #ifdef WOLFSSL_ASYNC_CRYPT
if (ret == WC_PENDING_E) { if (ret == WC_PENDING_E) {
ret = wolfSSL_AsyncPush(ssl, ret = wolfSSL_AsyncPush(ssl,
@@ -8079,6 +8076,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
goto exit_ppc; goto exit_ppc;
} }
#endif #endif
if (ret != 0)
goto exit_ppc;
#ifndef NO_SKID #ifndef NO_SKID
if (args->dCert->extAuthKeyIdSet) { if (args->dCert->extAuthKeyIdSet) {
@@ -8137,9 +8136,6 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
ret = ParseCertRelative(args->dCert, CERT_TYPE, 0, ret = ParseCertRelative(args->dCert, CERT_TYPE, 0,
ssl->ctx->cm); ssl->ctx->cm);
if (ret != 0 && ret != WC_PENDING_E) {
goto exit_ppc;
}
#ifdef WOLFSSL_ASYNC_CRYPT #ifdef WOLFSSL_ASYNC_CRYPT
if (ret == WC_PENDING_E) { if (ret == WC_PENDING_E) {
ret = wolfSSL_AsyncPush(ssl, ret = wolfSSL_AsyncPush(ssl,
@@ -8147,6 +8143,9 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
goto exit_ppc; goto exit_ppc;
} }
#endif #endif
if (ret != 0) {
goto exit_ppc;
}
#ifndef NO_SKID #ifndef NO_SKID
subjectHash = args->dCert->extSubjKeyId; subjectHash = args->dCert->extSubjKeyId;
@@ -9935,8 +9934,14 @@ static int DoHandShakeMsgType(WOLFSSL* ssl, byte* input, word32* inOutIdx,
/* Also, skip hashing the client_hello message here for DTLS. It will be /* Also, skip hashing the client_hello message here for DTLS. It will be
* hashed later if the DTLS cookie is correct. */ * hashed later if the DTLS cookie is correct. */
if (type != hello_request && if (type != hello_request &&
!(IsDtlsNotSctpMode(ssl) && type == client_hello) && !(IsDtlsNotSctpMode(ssl) && type == client_hello)
ssl->error != WC_PENDING_E) { #ifdef WOLFSSL_ASYNC_CRYPT
&& ssl->error != WC_PENDING_E
#endif
#ifdef WOLFSSL_NONBLOCK_OCSP
&& ssl->error != OCSP_WANT_READ
#endif
) {
ret = HashInput(ssl, input + *inOutIdx, size); ret = HashInput(ssl, input + *inOutIdx, size);
if (ret != 0) return ret; if (ret != 0) return ret;
} }
@@ -10064,11 +10069,6 @@ static int DoHandShakeMsgType(WOLFSSL* ssl, byte* input, word32* inOutIdx,
} }
#endif #endif
} }
#ifdef WOLFSSL_NONBLOCK_OCSP
if (ret == OCSP_WANT_READ) {
ret = WANT_READ; /* treat as normal WANT_READ for non-block handling */
}
#endif
#endif /* WOLFSSL_ASYNC_CRYPT || WOLFSSL_NONBLOCK_OCSP */ #endif /* WOLFSSL_ASYNC_CRYPT || WOLFSSL_NONBLOCK_OCSP */
WOLFSSL_LEAVE("DoHandShakeMsgType()", ret); WOLFSSL_LEAVE("DoHandShakeMsgType()", ret);
@@ -10427,10 +10427,12 @@ static int DtlsMsgDrain(WOLFSSL* ssl)
ssl->keys.dtls_expected_peer_handshake_number++; ssl->keys.dtls_expected_peer_handshake_number++;
ret = DoHandShakeMsgType(ssl, item->msg, ret = DoHandShakeMsgType(ssl, item->msg,
&idx, item->type, item->sz, item->sz); &idx, item->type, item->sz, item->sz);
#ifdef WOLFSSL_ASYNC_CRYPT
if (ret == WC_PENDING_E) { if (ret == WC_PENDING_E) {
ssl->keys.dtls_expected_peer_handshake_number--; ssl->keys.dtls_expected_peer_handshake_number--;
break; break;
} }
#endif
ssl->dtls_rx_msg_list = item->next; ssl->dtls_rx_msg_list = item->next;
DtlsMsgDelete(item, ssl->heap); DtlsMsgDelete(item, ssl->heap);
item = ssl->dtls_rx_msg_list; item = ssl->dtls_rx_msg_list;
@@ -12046,8 +12048,14 @@ int ProcessReply(WOLFSSL* ssl)
atomicUser = 1; atomicUser = 1;
#endif #endif
if (ssl->error != 0 && ssl->error != WANT_READ && if (ssl->error != 0 && ssl->error != WANT_READ && ssl->error != WANT_WRITE
ssl->error != WANT_WRITE && ssl->error != WC_PENDING_E) { #ifdef WOLFSSL_ASYNC_CRYPT
&& ssl->error != WC_PENDING_E
#endif
#ifdef WOLFSSL_NONBLOCK_OCSP
&& ssl->error != OCSP_WANT_READ
#endif
) {
WOLFSSL_MSG("ProcessReply retry in error state, not allowed"); WOLFSSL_MSG("ProcessReply retry in error state, not allowed");
return ssl->error; return ssl->error;
} }
@@ -14198,8 +14206,13 @@ int SendData(WOLFSSL* ssl, const void* data, int sz)
ret, ret,
dtlsExtra = 0; dtlsExtra = 0;
if (ssl->error == WANT_WRITE || ssl->error == WC_PENDING_E) if (ssl->error == WANT_WRITE
#ifdef WOLFSSL_ASYNC_CRYPT
|| ssl->error == WC_PENDING_E
#endif
) {
ssl->error = 0; ssl->error = 0;
}
#ifdef WOLFSSL_DTLS #ifdef WOLFSSL_DTLS
if (ssl->options.dtls) { if (ssl->options.dtls) {
@@ -14223,10 +14236,12 @@ int SendData(WOLFSSL* ssl, const void* data, int sz)
int err; int err;
WOLFSSL_MSG("handshake not complete, trying to finish"); WOLFSSL_MSG("handshake not complete, trying to finish");
if ( (err = wolfSSL_negotiate(ssl)) != WOLFSSL_SUCCESS) { if ( (err = wolfSSL_negotiate(ssl)) != WOLFSSL_SUCCESS) {
#ifdef WOLFSSL_ASYNC_CRYPT
/* if async would block return WANT_WRITE */ /* if async would block return WANT_WRITE */
if (ssl->error == WC_PENDING_E) { if (ssl->error == WC_PENDING_E) {
return WOLFSSL_CBIO_ERR_WANT_WRITE; return WOLFSSL_CBIO_ERR_WANT_WRITE;
} }
#endif
return err; return err;
} }
} }
@@ -14353,7 +14368,11 @@ int ReceiveData(WOLFSSL* ssl, byte* output, int sz, int peek)
WOLFSSL_ENTER("ReceiveData()"); WOLFSSL_ENTER("ReceiveData()");
/* reset error state */ /* reset error state */
if (ssl->error == WANT_READ || ssl->error == WC_PENDING_E) { if (ssl->error == WANT_READ
#ifdef WOLFSSL_ASYNC_CRYPT
|| ssl->error == WC_PENDING_E
#endif
) {
ssl->error = 0; ssl->error = 0;
} }

11
src/ssl.c
View File

@@ -1725,8 +1725,11 @@ static int wolfSSL_read_internal(WOLFSSL* ssl, void* data, int sz, int peek)
#ifdef HAVE_WRITE_DUP #ifdef HAVE_WRITE_DUP
if (ssl->dupWrite) { if (ssl->dupWrite) {
if (ssl->error != 0 && ssl->error != WANT_READ && if (ssl->error != 0 && ssl->error != WANT_READ
ssl->error != WC_PENDING_E) { #ifdef WOLFSSL_ASYNC_CRYPT
&& ssl->error != WC_PENDING_E
#endif
) {
int notifyErr; int notifyErr;
WOLFSSL_MSG("Notifying write side of fatal read error"); WOLFSSL_MSG("Notifying write side of fatal read error");
@@ -7787,7 +7790,7 @@ static int wolfSSL_EVP_Digest(unsigned char* in, int inSz, unsigned char* out,
if (XSTRNCMP("SHA384", evp, 6) == 0) { if (XSTRNCMP("SHA384", evp, 6) == 0) {
hash = WC_HASH_TYPE_SHA384; hash = WC_HASH_TYPE_SHA384;
} }
else else
#endif #endif
#ifdef WOLFSSL_SHA512 #ifdef WOLFSSL_SHA512
if (XSTRNCMP("SHA512", evp, 6) == 0) { if (XSTRNCMP("SHA512", evp, 6) == 0) {
@@ -15217,7 +15220,7 @@ WOLFSSL_X509* wolfSSL_X509_d2i(WOLFSSL_X509** x509, const byte* in, int len)
return newX509; return newX509;
} }
#endif /* KEEP_PEER_CERT || SESSION_CERTS || OPENSSL_EXTRA || #endif /* KEEP_PEER_CERT || SESSION_CERTS || OPENSSL_EXTRA ||
OPENSSL_EXTRA_X509_SMALL */ OPENSSL_EXTRA_X509_SMALL */
#if defined(KEEP_PEER_CERT) || defined(SESSION_CERTS) #if defined(KEEP_PEER_CERT) || defined(SESSION_CERTS)