Check-in [1b7959d27a]
Overview
Comment:Made repeated failures to handshake return fatal errors and made handshake code use the same logic as the rest of the OpenSSL read error checking
SHA1: 1b7959d27a6a7279dd1528df51829142d9b37a66
User & Date: rkeene on 2016-12-13 15:43:19
Context
2016-12-13
16:00
Updated to return soft errors on during SSL negotiation retries on reads and hard errors on SSL negotiation during writes or handshake commands check-in: b9557ba691 user: rkeene tags: trunk
15:43
Made repeated failures to handshake return fatal errors and made handshake code use the same logic as the rest of the OpenSSL read error checking check-in: 1b7959d27a user: rkeene tags: trunk
15:29
Reverted [f79122ae17] check-in: 50d8da007b user: rkeene tags: trunk
Changes

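--- a/tlsIO.c
+++ b/tlsIO.c
@@ -806,24 +806,20 @@
 	if (!(statePtr->flags & TLS_TCL_INIT)) {
 		dprintf("Tls_WaitForConnect called on already initialized channel -- returning with immediate success");
 		*errorCodePtr = 0;
 		return(0);
 	}
 
 	if (statePtr->flags & TLS_TCL_HANDSHAKE_FAILED) {
+		dprintf("Asked to wait for a TLS handshake that has already failed.  Returning fatal error");
 		/*
-		 * We choose ECONNRESET over ECONNABORTED here because some server
-		 * side code, on the wiki for example, sets up a read handler that
-		 * does a read and if eof closes the channel. There is no catch/try
+		 * If we get here, we've already returned a soft-failure once.
+		 * Return a hard failure now.
-		 * around the reads so exceptions will result in potentially many
-		 * dangling channels hanging around that should have been closed.
-		 * (Backgroun: ECONNABORTED maps to a Tcl exception and 
-		 * ECONNRESET maps to graceful EOF).
 		 */
-		*errorCodePtr = ECONNRESET;
+		*errorCodePtr = ECONNABORTED;
 		return(-1);
 	}
 
 	for (;;) {
 		/* Not initialized yet! */
 		if (statePtr->flags & TLS_TCL_SERVER) {
 			dprintf("Calling SSL_accept()");
@@ -893,22 +889,34 @@
 			dprintf("The connection is up");
 			break;
 		case SSL_ERROR_ZERO_RETURN:
 			dprintf("SSL_ERROR_ZERO_RETURN: Connect returned an invalid value...")
 			return(-1);
 		case SSL_ERROR_SYSCALL:
 			backingError = ERR_get_error();
-			dprintf("I/O error occured");
 
 			if (backingError == 0 && err == 0) {
 				dprintf("EOF reached")
+				*errorCodePtr = ECONNRESET;
+			} else if (backingError == 0 && err == -1) {
+				dprintf("I/O error occured (errno = %lu)", (unsigned long) Tcl_GetErrno());
+				*errorCodePtr = Tcl_GetErrno();
+				if (*errorCodePtr == ECONNRESET) {
+					*errorCodePtr = ECONNABORTED;
+				}
+			} else {
+				dprintf("I/O error occured (backingError = %lu)", backingError);
+				*errorCodePtr = backingError;
+				if (*errorCodePtr == ECONNRESET) {
+					*errorCodePtr = ECONNABORTED;
+				}
 			}
 
 			statePtr->flags |= TLS_TCL_HANDSHAKE_FAILED;
-			*errorCodePtr = ECONNRESET;
+
 			return(-1);
 		case SSL_ERROR_SSL:
 			dprintf("Got permanent fatal SSL error, aborting immediately");
 			Tls_Error(statePtr, (char *)ERR_reason_error_string(ERR_get_error()));
 			statePtr->flags |= TLS_TCL_HANDSHAKE_FAILED;
 			*errorCodePtr = ECONNABORTED;
 			return(-1);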
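Review bot: In the new `else` branch under `SSL_ERROR_SYSCALL`, `*errorCodePtr = backingError;` stores the value from `ERR_get_error()`, which is an OpenSSL error-queue code rather than an errno, into the errno slot handed back to the caller. The `== ECONNRESET` test that follows is therefore meaningless, and the caller may see an arbitrary or truncated number (the declaration of `errorCodePtr` is outside the hunk, presumably `int *`). I would report the OpenSSL reason the way the `SSL_ERROR_SSL` case does and return a fixed hard error: `Tls_Error(statePtr, (char *)ERR_reason_error_string(backingError));` followed by `*errorCodePtr = ECONNABORTED;`. In the `err == -1` branch `Tcl_GetErrno()` is read twice with a `dprintf` in between, which may disturb errno in debug builds; read it once into `*errorCodePtr` and log that value. The enclosing function (presumably `Tls_WaitForConnect`, going by the debug string) starts and ends outside both hunks.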