
[TLS] read all available records from SSL_read()

read all available records from SSL_read(), even if larger than
MAX_READ_LIMIT, since the data is already in memory.  openssl is
configured with SSL_MODE_RELEASE_BUFFERS and will release openssl
buffers once records have been read.

Without reading available data, there was a chance that the connection
would hang waiting for a read event on the fd, even though all the
data had already been read from kernel socket buffers and was in openssl
memory waiting to be read with SSL_read().

(thx glen and avij)
Glenn Strauss 5 years ago
parent
commit
a95aaa9de9
  1. 17
      src/connections-glue.c

17
src/connections-glue.c

@ -100,7 +100,7 @@ static void dump_packet(const unsigned char *data, size_t len) {
static int connection_handle_read_ssl(server *srv, connection *con) {
#ifdef USE_OPENSSL
int r, ssl_err, len, count = 0;
int r, ssl_err, len;
char *mem = NULL;
size_t mem_len = 0;
@ -115,20 +115,19 @@ static int connection_handle_read_ssl(server *srv, connection *con) {
#endif
len = SSL_read(con->ssl, mem, mem_len);
chunkqueue_use_memory(con->read_queue, len > 0 ? len : 0);
if (len > 0) {
chunkqueue_use_memory(con->read_queue, len);
con->bytes_read += len;
} else {
chunkqueue_use_memory(con->read_queue, 0);
}
if (con->renegotiations > 1 && con->conf.ssl_disable_client_renegotiation) {
log_error_write(srv, __FILE__, __LINE__, "s", "SSL: renegotiation initiated by client, killing connection");
connection_set_state(srv, con, CON_STATE_ERROR);
return -1;
}
if (len > 0) {
con->bytes_read += len;
count += len;
}
} while (len == (ssize_t) mem_len && count < MAX_READ_LIMIT);
} while (len > 0);
if (len < 0) {
int oerrno = errno;
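Review bot: The new `} while (len > 0);` drops the only per-call read budget, so as far as this hunk shows a peer that keeps the socket supplied with records can hold connection_handle_read_ssl in this loop and keep appending to con->read_queue through chunkqueue_use_memory() during a single event, which is a fairness and memory concern for every other connection served by the same event loop. The hang the commit describes comes from records OpenSSL has already pulled into its own buffers, so one option is to restore a byte count and stop once it passes MAX_READ_LIMIT unless OpenSSL still reports buffered plaintext, e.g. `} while (len > 0 && (count < MAX_READ_LIMIT || SSL_pending(con->ssl) > 0));` with `count += len;` back in the `len > 0` branch; SSL_pending() only covers the current decrypted record, so how fully this closes the gap depends on the OpenSSL version in use. The loop body and the rest of connection_handle_read_ssl continue outside the hunk, and the hunk at -100 removes the `count` declaration this would need again.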
