feedc0de/wolfssl
1
0
Fork 0
forked from wolfSSL/wolfssl
Code Pull Requests Activity

Fix for handling OCSP with non-blocking. The HashInput function was being called on the re-entry, which produced a bad mac response from server. Also cleanup for some of the WC_PENDING_E logic for the non-async cases to reduce code size.

Browse Source
This commit is contained in:
David Garske
2018-03-16 12:02:36 -07:00
parent f70351242b
commit fa73f7bc55
5 changed files with 85 additions and 41 deletions
Download Patch File Download Diff File Expand all files Collapse all files

33
examples/client/client.c
View File

@@ -40,6 +40,7 @@
#include <wolfssl/test.h>
#include <examples/client/client.h>
#include <wolfssl/error-ssl.h>
#ifndef NO_WOLFSSL_CLIENT
@@ -99,31 +100,41 @@ static int NonBlockingSSL_Connect(WOLFSSL* ssl)
error = wolfSSL_get_error(ssl, 0);
sockfd = (SOCKET_T)wolfSSL_get_fd(ssl);
while (ret != WOLFSSL_SUCCESS && (error == WOLFSSL_ERROR_WANT_READ ||
error == WOLFSSL_ERROR_WANT_WRITE ||
error == WC_PENDING_E)) {
while (ret != WOLFSSL_SUCCESS &&
(error == WOLFSSL_ERROR_WANT_READ || error == WOLFSSL_ERROR_WANT_WRITE
#ifdef WOLFSSL_ASYNC_CRYPT
|| error == WC_PENDING_E
#endif
#ifdef WOLFSSL_NONBLOCK_OCSP
|| error == OCSP_WANT_READ
#endif
)) {
int currTimeout = 1;
if (error == WOLFSSL_ERROR_WANT_READ)
printf("... client would read block\n");
else if (error == WOLFSSL_ERROR_WANT_WRITE)
printf("... client would write block\n");
#ifdef WOLFSSL_ASYNC_CRYPT
else if (error == WC_PENDING_E) {
if (error == WC_PENDING_E) {
ret = wolfSSL_AsyncPoll(ssl, WOLF_POLL_FLAG_CHECK_HW);
if (ret < 0) break;
}
else
#endif
if (error != WC_PENDING_E) {
{
#ifdef WOLFSSL_DTLS
currTimeout = wolfSSL_dtls_get_current_timeout(ssl);
#endif
select_ret = tcp_select(sockfd, currTimeout);
}
if ((select_ret == TEST_RECV_READY) ||
(select_ret == TEST_ERROR_READY) || error == WC_PENDING_E) {
if ((select_ret == TEST_RECV_READY) || (select_ret == TEST_ERROR_READY)
#ifdef WOLFSSL_ASYNC_CRYPT
|| error == WC_PENDING_E
#endif
) {
#ifndef WOLFSSL_CALLBACKS
ret = wolfSSL_connect(ssl);
#else
@@ -635,7 +646,11 @@ static void ClientRead(WOLFSSL* ssl, char* reply, int replyLen, int mustRead)
err_sys("SSL_read failed");
}
}
} while (err == WC_PENDING_E || (mustRead && err == WOLFSSL_ERROR_WANT_READ));
} while ((mustRead && err == WOLFSSL_ERROR_WANT_READ)
#ifdef WOLFSSL_ASYNC_CRYPT
|| err == WC_PENDING_E
#endif
);
if (ret > 0) {
reply[ret] = 0;
printf("%s\n", reply);

25
examples/server/server.c
View File

@@ -126,9 +126,12 @@ static int NonBlockingSSL_Accept(SSL* ssl)
SOCKET_T sockfd = (SOCKET_T)CyaSSL_get_fd(ssl);
int select_ret = 0;
while (ret != WOLFSSL_SUCCESS && (error == WOLFSSL_ERROR_WANT_READ ||
error == WOLFSSL_ERROR_WANT_WRITE ||
error == WC_PENDING_E)) {
while (ret != WOLFSSL_SUCCESS &&
(error == WOLFSSL_ERROR_WANT_READ || error == WOLFSSL_ERROR_WANT_WRITE
#ifdef WOLFSSL_ASYNC_CRYPT
|| error == WC_PENDING_E
#endif
)) {
int currTimeout = 1;
if (error == WOLFSSL_ERROR_WANT_READ) {
@@ -137,22 +140,26 @@ static int NonBlockingSSL_Accept(SSL* ssl)
else if (error == WOLFSSL_ERROR_WANT_WRITE) {
/* printf("... server would write block\n"); */
}
#ifdef WOLFSSL_ASYNC_CRYPT
else if (error == WC_PENDING_E) {
if (error == WC_PENDING_E) {
ret = wolfSSL_AsyncPoll(ssl, WOLF_POLL_FLAG_CHECK_HW);
if (ret < 0) break;
}
else
#endif
if (error != WC_PENDING_E) {
{
#ifdef CYASSL_DTLS
currTimeout = CyaSSL_dtls_get_current_timeout(ssl);
#endif
select_ret = tcp_select(sockfd, currTimeout);
}
if ((select_ret == TEST_RECV_READY) ||
(select_ret == TEST_ERROR_READY) || error == WC_PENDING_E) {
if ((select_ret == TEST_RECV_READY) || (select_ret == TEST_ERROR_READY)
#ifdef WOLFSSL_ASYNC_CRYPT
|| error == WC_PENDING_E
#endif
) {
#ifndef CYASSL_CALLBACKS
ret = SSL_accept(ssl);
#else
@@ -217,7 +224,7 @@ int ServerEchoData(SSL* ssl, int clientfd, int echoData, int throughput)
else
#endif
if (err != WOLFSSL_ERROR_WANT_READ &&
err != WOLFSSL_ERROR_ZERO_RETURN) {
err != WOLFSSL_ERROR_ZERO_RETURN) {
printf("SSL_read echo error %d\n", err);
err_sys_ex(runWithErrors, "SSL_read failed");
}

2
scripts/ocsp.test
View File

@@ -13,7 +13,7 @@ RESULT=$?
[ $RESULT -ne 0 ] && exit 0
# client test against the server
./examples/client/client -X -C -h $server -p 443 -A $ca -g -o
./examples/client/client -X -C -h $server -p 443 -A $ca -g -o -N
RESULT=$?
[ $RESULT -ne 0 ] && echo -e "\n\nClient connection failed" && exit 1

53
src/internal.c
View File

@@ -8069,9 +8069,6 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
ret = ParseCertRelative(args->dCert, CERT_TYPE, 0,
ssl->ctx->cm);
if (ret != 0 && ret != WC_PENDING_E)
goto exit_ppc;
#ifdef WOLFSSL_ASYNC_CRYPT
if (ret == WC_PENDING_E) {
ret = wolfSSL_AsyncPush(ssl,
@@ -8079,6 +8076,8 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
goto exit_ppc;
}
#endif
if (ret != 0)
goto exit_ppc;
#ifndef NO_SKID
if (args->dCert->extAuthKeyIdSet) {
@@ -8137,9 +8136,6 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
ret = ParseCertRelative(args->dCert, CERT_TYPE, 0,
ssl->ctx->cm);
if (ret != 0 && ret != WC_PENDING_E) {
goto exit_ppc;
}
#ifdef WOLFSSL_ASYNC_CRYPT
if (ret == WC_PENDING_E) {
ret = wolfSSL_AsyncPush(ssl,
@@ -8147,6 +8143,9 @@ int ProcessPeerCerts(WOLFSSL* ssl, byte* input, word32* inOutIdx,
goto exit_ppc;
}
#endif
if (ret != 0) {
goto exit_ppc;
}
#ifndef NO_SKID
subjectHash = args->dCert->extSubjKeyId;
@@ -9935,8 +9934,14 @@ static int DoHandShakeMsgType(WOLFSSL* ssl, byte* input, word32* inOutIdx,
/* Also, skip hashing the client_hello message here for DTLS. It will be
* hashed later if the DTLS cookie is correct. */
if (type != hello_request &&
!(IsDtlsNotSctpMode(ssl) && type == client_hello) &&
ssl->error != WC_PENDING_E) {
!(IsDtlsNotSctpMode(ssl) && type == client_hello)
#ifdef WOLFSSL_ASYNC_CRYPT
&& ssl->error != WC_PENDING_E
#endif
#ifdef WOLFSSL_NONBLOCK_OCSP
&& ssl->error != OCSP_WANT_READ
#endif
) {
ret = HashInput(ssl, input + *inOutIdx, size);
if (ret != 0) return ret;
}
@@ -10064,11 +10069,6 @@ static int DoHandShakeMsgType(WOLFSSL* ssl, byte* input, word32* inOutIdx,
}
#endif
}
#ifdef WOLFSSL_NONBLOCK_OCSP
if (ret == OCSP_WANT_READ) {
ret = WANT_READ; /* treat as normal WANT_READ for non-block handling */
}
#endif
#endif /* WOLFSSL_ASYNC_CRYPT || WOLFSSL_NONBLOCK_OCSP */
WOLFSSL_LEAVE("DoHandShakeMsgType()", ret);
@@ -10427,10 +10427,12 @@ static int DtlsMsgDrain(WOLFSSL* ssl)
ssl->keys.dtls_expected_peer_handshake_number++;
ret = DoHandShakeMsgType(ssl, item->msg,
&idx, item->type, item->sz, item->sz);
#ifdef WOLFSSL_ASYNC_CRYPT
if (ret == WC_PENDING_E) {
ssl->keys.dtls_expected_peer_handshake_number--;
break;
}
#endif
ssl->dtls_rx_msg_list = item->next;
DtlsMsgDelete(item, ssl->heap);
item = ssl->dtls_rx_msg_list;
@@ -12046,8 +12048,14 @@ int ProcessReply(WOLFSSL* ssl)
atomicUser = 1;
#endif
if (ssl->error != 0 && ssl->error != WANT_READ &&
ssl->error != WANT_WRITE && ssl->error != WC_PENDING_E) {
if (ssl->error != 0 && ssl->error != WANT_READ && ssl->error != WANT_WRITE
#ifdef WOLFSSL_ASYNC_CRYPT
&& ssl->error != WC_PENDING_E
#endif
#ifdef WOLFSSL_NONBLOCK_OCSP
&& ssl->error != OCSP_WANT_READ
#endif
) {
WOLFSSL_MSG("ProcessReply retry in error state, not allowed");
return ssl->error;
}
@@ -14198,8 +14206,13 @@ int SendData(WOLFSSL* ssl, const void* data, int sz)
ret,
dtlsExtra = 0;
if (ssl->error == WANT_WRITE || ssl->error == WC_PENDING_E)
if (ssl->error == WANT_WRITE
#ifdef WOLFSSL_ASYNC_CRYPT
|| ssl->error == WC_PENDING_E
#endif
) {
ssl->error = 0;
}
#ifdef WOLFSSL_DTLS
if (ssl->options.dtls) {
@@ -14223,10 +14236,12 @@ int SendData(WOLFSSL* ssl, const void* data, int sz)
int err;
WOLFSSL_MSG("handshake not complete, trying to finish");
if ( (err = wolfSSL_negotiate(ssl)) != WOLFSSL_SUCCESS) {
#ifdef WOLFSSL_ASYNC_CRYPT
/* if async would block return WANT_WRITE */
if (ssl->error == WC_PENDING_E) {
return WOLFSSL_CBIO_ERR_WANT_WRITE;
}
#endif
return err;
}
}
@@ -14353,7 +14368,11 @@ int ReceiveData(WOLFSSL* ssl, byte* output, int sz, int peek)
WOLFSSL_ENTER("ReceiveData()");
/* reset error state */
if (ssl->error == WANT_READ || ssl->error == WC_PENDING_E) {
if (ssl->error == WANT_READ
#ifdef WOLFSSL_ASYNC_CRYPT
|| ssl->error == WC_PENDING_E
#endif
) {
ssl->error = 0;
}

7
src/ssl.c
View File

@@ -1725,8 +1725,11 @@ static int wolfSSL_read_internal(WOLFSSL* ssl, void* data, int sz, int peek)
#ifdef HAVE_WRITE_DUP
if (ssl->dupWrite) {
if (ssl->error != 0 && ssl->error != WANT_READ &&
ssl->error != WC_PENDING_E) {
if (ssl->error != 0 && ssl->error != WANT_READ
#ifdef WOLFSSL_ASYNC_CRYPT
&& ssl->error != WC_PENDING_E
#endif
) {
int notifyErr;
WOLFSSL_MSG("Notifying write side of fatal read error");