You are viewing a plain text version of this content. The canonical link for it is here.
Posted to commits@qpid.apache.org by cl...@apache.org on 2023/05/29 16:57:13 UTC

[qpid-proton] branch main updated: PROTON-2736: tls library - restore fixes backed out by mistake in previous jaeger/oltp commit

This is an automated email from the ASF dual-hosted git repository.

cliffjansen pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/qpid-proton.git


The following commit(s) were added to refs/heads/main by this push:
     new 0585bfde4 PROTON-2736: tls library - restore fixes backed out by mistake in previous jaeger/oltp commit
0585bfde4 is described below

commit 0585bfde42171e12bc209537f74245c898a04964
Author: Clifford Jansen <cl...@apache.org>
AuthorDate: Mon May 29 09:56:12 2023 -0700

    PROTON-2736: tls library - restore fixes backed out by mistake in previous jaeger/oltp commit
---
 c/src/tls/openssl.c | 38 ++++++++++++++++++++++++--------------
 1 file changed, 24 insertions(+), 14 deletions(-)

diff --git a/c/src/tls/openssl.c b/c/src/tls/openssl.c
index 8c96a35d6..0c3b6bd66 100644
--- a/c/src/tls/openssl.c
+++ b/c/src/tls/openssl.c
@@ -2112,7 +2112,8 @@ static void decrypt(pn_tls_t *tls) {
   pbuffer_t *pending = next_decrypt_pending(tls);
   bool peek_needed = false;
 
-  while (true) {
+  bool decrypt_done = false;
+  while (!decrypt_done) {
     if (tls->pn_tls_err)
       return;
 
@@ -2166,23 +2167,32 @@ static void decrypt(pn_tls_t *tls) {
     }
 
     // Done if not possible to move any more bytes from input to output bufs
-    if (tls->dec_closed) break;
-    if ((!pending || tls->dec_wblocked) // write side
-        && (!curr_result || tls->dec_rblocked)) // read side
-      break;
-  }
+    if ( (tls->dec_closed || !pending || tls->dec_wblocked) /* write side */ &&
+         (!curr_result || tls->dec_rblocked) ) /* read side */ {
+      decrypt_done = true;
+      if (peek_needed && !tls->pn_tls_err && !tls->dec_closed) {
+        // Set dec_rpending.
+        // Make OpenSSL process input to at least first decrypted byte (if any)
+        char unused;
+        int pcount = SSL_peek(tls->ssl, &unused, 1);
+        tls->dec_rpending = (pcount == 1);
+        if (pcount <= 0) {
+          check_error_reason(tls, pcount);
+        }
 
-  if (!tls->pn_tls_err && peek_needed) {
-    // Make OpenSSL examine the next buffered TLS record (if exists and complete)
-    char unused;
-    int pcount = SSL_peek(tls->ssl, &unused, 1);
-    tls->dec_rpending = (pcount == 1);
-    if (pcount <= 0) {
-      check_error_reason(tls, pcount);
+        // Peek may have made more room in buffer (i.e. handshake followed by large
+        // incomplete application record and dec_wblocked). If we did not process an
+        // application record, we must have processed at least one non-app record.
+        // No longer write blocked after peek.  PROTON-2736.
+        if (!tls->dec_rpending && tls->dec_wblocked) {
+          decrypt_done = false;
+          tls->dec_wblocked = false;
+        }
+      }
     }
   }
 
-  if (!tls->pn_tls_err && !tls->handshake_ok && SSL_do_handshake(tls->ssl) == 1) {
+  if (!tls->handshake_ok && SSL_do_handshake(tls->ssl) == 1) {
     tls->handshake_ok = true;
     tls->can_shutdown = true;
   }


---------------------------------------------------------------------
To unsubscribe, e-mail: commits-unsubscribe@qpid.apache.org
For additional commands, e-mail: commits-help@qpid.apache.org