Check-in [1b7959d27a]

Many hyperlinks are disabled.
Use anonymous login to enable hyperlinks.

Overview
Comment:Made repeated failures to handshake return fatal errors and made handshake code use the same logic as the rest of the OpenSSL read error checking
Downloads: Tarball | ZIP archive | SQL archive
Timelines: family | ancestors | descendants | both | trunk
Files: files | file ages | folders
SHA1:1b7959d27a6a7279dd1528df51829142d9b37a66
User & Date: rkeene 2016-12-13 15:43:19
Context
2016-12-13
16:00
Updated to return soft errors on during SSL negotiation retries on reads and hard errors on SSL negotiation during writes or handshake commands check-in: b9557ba691 user: rkeene tags: trunk
15:43
Made repeated failures to handshake return fatal errors and made handshake code use the same logic as the rest of the OpenSSL read error checking check-in: 1b7959d27a user: rkeene tags: trunk
15:29
Reverted [f79122ae17] check-in: 50d8da007b user: rkeene tags: trunk
Changes

Changes to tlsIO.c.

806
807
808
809
810
811
812

813
814
815
816
817
818
819
820
821
822
823
824
825
826
827
828
829
...
893
894
895
896
897
898
899
900
901
902
903













904
905
906
907
908
909
910
911
912
913
914
	if (!(statePtr->flags & TLS_TCL_INIT)) {
		dprintf("Tls_WaitForConnect called on already initialized channel -- returning with immediate success");
		*errorCodePtr = 0;
		return(0);
	}

	if (statePtr->flags & TLS_TCL_HANDSHAKE_FAILED) {

		/*
		 * We choose ECONNRESET over ECONNABORTED here because some server
		 * side code, on the wiki for example, sets up a read handler that
		 * does a read and if eof closes the channel. There is no catch/try
		 * around the reads so exceptions will result in potentially many
		 * dangling channels hanging around that should have been closed.
		 * (Backgroun: ECONNABORTED maps to a Tcl exception and 
		 * ECONNRESET maps to graceful EOF).
		 */
		*errorCodePtr = ECONNRESET;
		return(-1);
	}

	for (;;) {
		/* Not initialized yet! */
		if (statePtr->flags & TLS_TCL_SERVER) {
			dprintf("Calling SSL_accept()");
................................................................................
			dprintf("The connection is up");
			break;
		case SSL_ERROR_ZERO_RETURN:
			dprintf("SSL_ERROR_ZERO_RETURN: Connect returned an invalid value...")
			return(-1);
		case SSL_ERROR_SYSCALL:
			backingError = ERR_get_error();
			dprintf("I/O error occured");

			if (backingError == 0 && err == 0) {
				dprintf("EOF reached")













			}

			statePtr->flags |= TLS_TCL_HANDSHAKE_FAILED;
			*errorCodePtr = ECONNRESET;
			return(-1);
		case SSL_ERROR_SSL:
			dprintf("Got permanent fatal SSL error, aborting immediately");
			Tls_Error(statePtr, (char *)ERR_reason_error_string(ERR_get_error()));
			statePtr->flags |= TLS_TCL_HANDSHAKE_FAILED;
			*errorCodePtr = ECONNABORTED;
			return(-1);







>

<
|
|
<
<
<
<

|







 







<



>
>
>
>
>
>
>
>
>
>
>
>
>



|







806
807
808
809
810
811
812
813
814

815
816




817
818
819
820
821
822
823
824
825
...
889
890
891
892
893
894
895

896
897
898
899
900
901
902
903
904
905
906
907
908
909
910
911
912
913
914
915
916
917
918
919
920
921
922
	if (!(statePtr->flags & TLS_TCL_INIT)) {
		dprintf("Tls_WaitForConnect called on already initialized channel -- returning with immediate success");
		*errorCodePtr = 0;
		return(0);
	}

	if (statePtr->flags & TLS_TCL_HANDSHAKE_FAILED) {
		dprintf("Asked to wait for a TLS handshake that has already failed.  Returning fatal error");
		/*

		 * If we get here, we've already returned a soft-failure once.
		 * Return a hard failure now.




		 */
		*errorCodePtr = ECONNABORTED;
		return(-1);
	}

	for (;;) {
		/* Not initialized yet! */
		if (statePtr->flags & TLS_TCL_SERVER) {
			dprintf("Calling SSL_accept()");
................................................................................
			dprintf("The connection is up");
			break;
		case SSL_ERROR_ZERO_RETURN:
			dprintf("SSL_ERROR_ZERO_RETURN: Connect returned an invalid value...")
			return(-1);
		case SSL_ERROR_SYSCALL:
			backingError = ERR_get_error();


			if (backingError == 0 && err == 0) {
				dprintf("EOF reached")
				*errorCodePtr = ECONNRESET;
			} else if (backingError == 0 && err == -1) {
				dprintf("I/O error occured (errno = %lu)", (unsigned long) Tcl_GetErrno());
				*errorCodePtr = Tcl_GetErrno();
				if (*errorCodePtr == ECONNRESET) {
					*errorCodePtr = ECONNABORTED;
				}
			} else {
				dprintf("I/O error occured (backingError = %lu)", backingError);
				*errorCodePtr = backingError;
				if (*errorCodePtr == ECONNRESET) {
					*errorCodePtr = ECONNABORTED;
				}
			}

			statePtr->flags |= TLS_TCL_HANDSHAKE_FAILED;

			return(-1);
		case SSL_ERROR_SSL:
			dprintf("Got permanent fatal SSL error, aborting immediately");
			Tls_Error(statePtr, (char *)ERR_reason_error_string(ERR_get_error()));
			statePtr->flags |= TLS_TCL_HANDSHAKE_FAILED;
			*errorCodePtr = ECONNABORTED;
			return(-1);