diff options
Diffstat (limited to 'src/network_openssl.c')
-rw-r--r-- | src/network_openssl.c | 136 |
1 files changed, 78 insertions, 58 deletions
diff --git a/src/network_openssl.c b/src/network_openssl.c index b6a1b2f..7bed710 100644 --- a/src/network_openssl.c +++ b/src/network_openssl.c @@ -1,6 +1,12 @@ #include "network_backends.h" #ifdef USE_OPENSSL + +#include "network.h" +#include "fdevent.h" +#include "log.h" +#include "stat_cache.h" + #include <sys/types.h> #include <sys/socket.h> #include <sys/stat.h> @@ -18,22 +24,16 @@ #include <stdlib.h> #include <assert.h> -#include "network.h" -#include "fdevent.h" -#include "log.h" -#include "stat_cache.h" - -# include <openssl/ssl.h> -# include <openssl/err.h> +# include <openssl/ssl.h> +# include <openssl/err.h> -int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chunkqueue *cq) { +int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chunkqueue *cq, off_t max_bytes) { int ssl_r; chunk *c; - size_t chunks_written = 0; /* this is a 64k sendbuffer * - * it has to stay at the same location all the time to satisfy the needs + * it has to stay at the same location all the time to satisfy the needs * of SSL_write to pass the SAME parameter in case of a _WANT_WRITE * * the buffer is allocated once, is NOT realloced and is NOT freed at shutdown @@ -43,14 +43,14 @@ int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chu * In reality we would like to use mmap() but we don't have a guarantee that * we get the same mmap() address for each call. On openbsd the mmap() address * even randomized. - * That means either we keep the mmap() open or we do a read() into a - * constant buffer + * That means either we keep the mmap() open or we do a read() into a + * constant buffer * */ #define LOCAL_SEND_BUFSIZE (64 * 1024) static char *local_send_buffer = NULL; /* the remote side closed the connection before without shutdown request - * - IE + * - IE * - wget * if keep-alive is disabled */ @@ -58,34 +58,43 @@ int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chu SSL_set_shutdown(ssl, SSL_RECEIVED_SHUTDOWN); } - for(c = cq->first; c; c = c->next) { + for(c = cq->first; (max_bytes > 0) && (NULL != c); c = c->next) { int chunk_finished = 0; - + switch(c->type) { case MEM_CHUNK: { char * offset; - size_t toSend; + off_t toSend; ssize_t r; - - if (c->mem->used == 0) { + + if (c->mem->used == 0 || c->mem->used == 1) { chunk_finished = 1; break; } - + offset = c->mem->ptr + c->offset; toSend = c->mem->used - 1 - c->offset; - + if (toSend > max_bytes) toSend = max_bytes; + /** * SSL_write man-page - * + * * WARNING * When an SSL_write() operation has to be repeated because of * SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE, it must be * repeated with the same arguments. - * + * */ - - if ((r = SSL_write(ssl, offset, toSend)) <= 0) { + + ERR_clear_error(); + r = SSL_write(ssl, offset, toSend); + + if (con->renegotiations > 1 && con->conf.ssl_disable_client_renegotiation) { + log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client"); + return -1; + } + + if (r <= 0) { unsigned long err; switch ((ssl_r = SSL_get_error(ssl, r))) { @@ -95,7 +104,7 @@ int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chu /* perhaps we have error waiting in our error-queue */ if (0 != (err = ERR_get_error())) { do { - log_error_write(srv, __FILE__, __LINE__, "sdds", "SSL:", + log_error_write(srv, __FILE__, __LINE__, "sdds", "SSL:", ssl_r, r, ERR_error_string(err, NULL)); } while((err = ERR_get_error())); @@ -103,45 +112,47 @@ int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chu /* no, but we have errno */ switch(errno) { case EPIPE: + case ECONNRESET: return -2; default: - log_error_write(srv, __FILE__, __LINE__, "sddds", "SSL:", + log_error_write(srv, __FILE__, __LINE__, "sddds", "SSL:", ssl_r, r, errno, strerror(errno)); break; } } else { /* neither error-queue nor errno ? */ - log_error_write(srv, __FILE__, __LINE__, "sddds", "SSL (error):", + log_error_write(srv, __FILE__, __LINE__, "sddds", "SSL (error):", ssl_r, r, errno, strerror(errno)); } - + return -1; case SSL_ERROR_ZERO_RETURN: /* clean shutdown on the remote side */ - + if (r == 0) return -2; - + /* fall through */ default: while((err = ERR_get_error())) { - log_error_write(srv, __FILE__, __LINE__, "sdds", "SSL:", + log_error_write(srv, __FILE__, __LINE__, "sdds", "SSL:", ssl_r, r, ERR_error_string(err, NULL)); } - + return -1; } } else { c->offset += r; cq->bytes_out += r; + max_bytes -= r; } - + if (c->offset == (off_t)c->mem->used - 1) { chunk_finished = 1; } - + break; } case FILE_CHUNK: { @@ -150,7 +161,7 @@ int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chu stat_cache_entry *sce = NULL; int ifd; int write_wait = 0; - + if (HANDLER_ERROR == stat_cache_get_entry(srv, con, c->file.name, &sce)) { log_error_write(srv, __FILE__, __LINE__, "sb", strerror(errno), c->file.name); @@ -164,13 +175,14 @@ int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chu do { off_t offset = c->file.start + c->offset; - off_t toSend = c->file.length - c->offset; + off_t toSend = c->file.length - c->offset; + if (toSend > max_bytes) toSend = max_bytes; if (toSend > LOCAL_SEND_BUFSIZE) toSend = LOCAL_SEND_BUFSIZE; - + if (-1 == (ifd = open(c->file.name->ptr, O_RDONLY))) { log_error_write(srv, __FILE__, __LINE__, "ss", "open failed:", strerror(errno)); - + return -1; } @@ -183,10 +195,18 @@ int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chu } s = local_send_buffer; - + close(ifd); - - if ((r = SSL_write(ssl, s, toSend)) <= 0) { + + ERR_clear_error(); + r = SSL_write(ssl, s, toSend); + + if (con->renegotiations > 1 && con->conf.ssl_disable_client_renegotiation) { + log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client"); + return -1; + } + + if (r <= 0) { unsigned long err; switch ((ssl_r = SSL_get_error(ssl, r))) { @@ -197,7 +217,7 @@ int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chu /* perhaps we have error waiting in our error-queue */ if (0 != (err = ERR_get_error())) { do { - log_error_write(srv, __FILE__, __LINE__, "sdds", "SSL:", + log_error_write(srv, __FILE__, __LINE__, "sdds", "SSL:", ssl_r, r, ERR_error_string(err, NULL)); } while((err = ERR_get_error())); @@ -205,64 +225,64 @@ int network_write_chunkqueue_openssl(server *srv, connection *con, SSL *ssl, chu /* no, but we have errno */ switch(errno) { case EPIPE: + case ECONNRESET: return -2; default: - log_error_write(srv, __FILE__, __LINE__, "sddds", "SSL:", + log_error_write(srv, __FILE__, __LINE__, "sddds", "SSL:", ssl_r, r, errno, strerror(errno)); break; } } else { /* neither error-queue nor errno ? */ - log_error_write(srv, __FILE__, __LINE__, "sddds", "SSL (error):", + log_error_write(srv, __FILE__, __LINE__, "sddds", "SSL (error):", ssl_r, r, errno, strerror(errno)); } - + return -1; case SSL_ERROR_ZERO_RETURN: /* clean shutdown on the remote side */ - + if (r == 0) return -2; - + /* fall thourgh */ default: while((err = ERR_get_error())) { - log_error_write(srv, __FILE__, __LINE__, "sdds", "SSL:", + log_error_write(srv, __FILE__, __LINE__, "sdds", "SSL:", ssl_r, r, ERR_error_string(err, NULL)); } - + return -1; } } else { c->offset += r; cq->bytes_out += r; + max_bytes -= r; } - + if (c->offset == c->file.length) { chunk_finished = 1; } - } while(!chunk_finished && !write_wait); - + } while (!chunk_finished && !write_wait && max_bytes > 0); + break; } default: log_error_write(srv, __FILE__, __LINE__, "s", "type not known"); - + return -1; } - + if (!chunk_finished) { /* not finished yet */ - + break; } - - chunks_written++; } - return chunks_written; + return 0; } #endif |