You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@qpid.apache.org by cl...@apache.org on 2022/08/03 06:11:03 UTC
[qpid-proton] branch main updated: PROTON-2586: TLS OpenSSL library - incomplete decryption/encryption of staged buffers
This is an automated email from the ASF dual-hosted git repository.
cliffjansen pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/qpid-proton.git
The following commit(s) were added to refs/heads/main by this push:
new b9fe1739d PROTON-2586: TLS OpenSSL library - incomplete decryption/encryption of staged buffers
b9fe1739d is described below
commit b9fe1739d4f2ba59c136a7f5e87b30bab5950e5a
Author: Clifford Jansen <cl...@apache.org>
AuthorDate: Tue Aug 2 22:59:23 2022 -0700
PROTON-2586: TLS OpenSSL library - incomplete decryption/encryption of staged buffers
PROTON-2586: TLS OpenSSL library - incomplete decryption/encryption of staged buffers
---
c/src/tls/openssl.c | 17 +++++++++++------
1 file changed, 11 insertions(+), 6 deletions(-)
diff --git a/c/src/tls/openssl.c b/c/src/tls/openssl.c
index 39d865d2d..d36232604 100644
--- a/c/src/tls/openssl.c
+++ b/c/src/tls/openssl.c
@@ -1949,10 +1949,12 @@ static void encrypt(pn_tls_t *tls) {
while (true) {
// Insert unencrypted data into BIO.
+ // This loop must run even if tls->pn_tls_err, in order to extract the error message for the peer.
// OpenSSL maps each write to a separate TLS record.
// The SSL can take 16KB + a bit before blocking.
// TODO: consider allowing application to configure BIO buffer size on encrypt side.
- while (pending && !tls->enc_wblocked && tls->can_shutdown && !tls->pn_tls_err) {
+
+ while (pending && !tls->enc_wblocked && tls->can_shutdown) {
size_t n = pending->size - tls->encrypt_pending_offset;
if (n) {
char *bytes = pending->bytes + pending->offset + tls->encrypt_pending_offset;
@@ -2012,8 +2014,9 @@ static void encrypt(pn_tls_t *tls) {
}
}
- // Done if output buffers exhausted or all available encrypted bytes drained from BIO.
- if (!curr_result || tls->enc_rblocked)
+ // Done if not possible to move any more bytes from input to output bufs
+ if ((!pending || tls->enc_wblocked || !tls->can_shutdown) // write side
+ && (!curr_result || tls->enc_rblocked)) // read side
break;
}
}
@@ -2095,8 +2098,10 @@ static void decrypt(pn_tls_t *tls) {
}
}
- // Done if outbufs exhausted or all inbufs decrypted
- if (!curr_result || tls->dec_rblocked || tls->dec_closed)
+ // Done if not possible to move any more bytes from input to output bufs
+ if (tls->dec_closed) break;
+ if ((!pending || tls->dec_wblocked) // write side
+ && (!curr_result || tls->dec_rblocked)) // read side
break;
}
@@ -2124,7 +2129,7 @@ int pn_tls_process(pn_tls_t* tls) {
decrypt(tls); // Do this first. May generate handshake or other on encrypt side.
if (tls->validating) validate_strict(tls);
}
- // We keep sending if there is a "minor" error that may result in an error message for the peer
+ // We keep sending as long as we might generate an error message for the peer
if (!(tls->pn_tls_err && tls->openssl_err_type == SSL_ERROR_SYSCALL)) {
encrypt(tls);
if (tls->validating) validate_strict(tls);
---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@qpid.apache.org
For additional commands, e-mail: commits-help@qpid.apache.org