Chromium Code Reviews Chromium Code Reviews
Issue 12025040:
When reading from an SSL socket, attempt to fully fill the caller's buffer (Closed)
Base URL: svn://svn.chromium.org/chrome/trunk/src| OLD | NEW |
|---|---|
| 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. | 1 // Copyright (c) 2012 The Chromium Authors. All rights reserved. |
| 2 // Use of this source code is governed by a BSD-style license that can be | 2 // Use of this source code is governed by a BSD-style license that can be |
| 3 // found in the LICENSE file. | 3 // found in the LICENSE file. |
| 4 | 4 |
| 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle | 5 // OpenSSL binding for SSLClientSocket. The class layout and general principle |
| 6 // of operation is derived from SSLClientSocketNSS. | 6 // of operation is derived from SSLClientSocketNSS. |
| 7 | 7 |
| 8 #include "net/socket/ssl_client_socket_openssl.h" | 8 #include "net/socket/ssl_client_socket_openssl.h" |
| 9 | 9 |
| 10 #include <openssl/ssl.h> | 10 #include <openssl/ssl.h> |
| (...skipping 24 matching lines...) Expand all Loading... | |
| 35 #if 0 | 35 #if 0 |
| 36 #define GotoState(s) do { DVLOG(2) << (void *)this << " " << __FUNCTION__ << \ | 36 #define GotoState(s) do { DVLOG(2) << (void *)this << " " << __FUNCTION__ << \ |
| 37 " jump to state " << s; \ | 37 " jump to state " << s; \ |
| 38 next_handshake_state_ = s; } while (0) | 38 next_handshake_state_ = s; } while (0) |
| 39 #else | 39 #else |
| 40 #define GotoState(s) next_handshake_state_ = s | 40 #define GotoState(s) next_handshake_state_ = s |
| 41 #endif | 41 #endif |
| 42 | 42 |
| 43 const int kSessionCacheTimeoutSeconds = 60 * 60; | 43 const int kSessionCacheTimeoutSeconds = 60 * 60; |
| 44 const size_t kSessionCacheMaxEntires = 1024; | 44 const size_t kSessionCacheMaxEntires = 1024; |
| 45 const int kNoPendingReadResult = 1; | |
| 45 | 46 |
| 46 // If a client doesn't have a list of protocols that it supports, but | 47 // If a client doesn't have a list of protocols that it supports, but |
| 47 // the server supports NPN, choosing "http/1.1" is the best answer. | 48 // the server supports NPN, choosing "http/1.1" is the best answer. |
| 48 const char kDefaultSupportedNPNProtocol[] = "http/1.1"; | 49 const char kDefaultSupportedNPNProtocol[] = "http/1.1"; |
| 49 | 50 |
| 50 #if OPENSSL_VERSION_NUMBER < 0x1000103fL | 51 #if OPENSSL_VERSION_NUMBER < 0x1000103fL |
| 51 // This method doesn't seem to have made it into the OpenSSL headers. | 52 // This method doesn't seem to have made it into the OpenSSL headers. |
| 52 unsigned long SSL_CIPHER_get_id(const SSL_CIPHER* cipher) { return cipher->id; } | 53 unsigned long SSL_CIPHER_get_id(const SSL_CIPHER* cipher) { return cipher->id; } |
| 53 #endif | 54 #endif |
| 54 | 55 |
| (...skipping 363 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 418 } | 419 } |
| 419 | 420 |
| 420 SSLClientSocketOpenSSL::SSLClientSocketOpenSSL( | 421 SSLClientSocketOpenSSL::SSLClientSocketOpenSSL( |
| 421 ClientSocketHandle* transport_socket, | 422 ClientSocketHandle* transport_socket, |
| 422 const HostPortPair& host_and_port, | 423 const HostPortPair& host_and_port, |
| 423 const SSLConfig& ssl_config, | 424 const SSLConfig& ssl_config, |
| 424 const SSLClientSocketContext& context) | 425 const SSLClientSocketContext& context) |
| 425 : transport_send_busy_(false), | 426 : transport_send_busy_(false), |
| 426 transport_recv_busy_(false), | 427 transport_recv_busy_(false), |
| 427 transport_recv_eof_(false), | 428 transport_recv_eof_(false), |
| 429 pending_read_error_(kNoPendingReadResult), | |
| 428 completed_handshake_(false), | 430 completed_handshake_(false), |
| 429 client_auth_cert_needed_(false), | 431 client_auth_cert_needed_(false), |
| 430 cert_verifier_(context.cert_verifier), | 432 cert_verifier_(context.cert_verifier), |
| 431 ssl_(NULL), | 433 ssl_(NULL), |
| 432 transport_bio_(NULL), | 434 transport_bio_(NULL), |
| 433 transport_(transport_socket), | 435 transport_(transport_socket), |
| 434 host_and_port_(host_and_port), | 436 host_and_port_(host_and_port), |
| 435 ssl_config_(ssl_config), | 437 ssl_config_(ssl_config), |
| 436 ssl_session_cache_shard_(context.ssl_session_cache_shard), | 438 ssl_session_cache_shard_(context.ssl_session_cache_shard), |
| 437 trying_cached_session_(false), | 439 trying_cached_session_(false), |
| (...skipping 895 matching lines...) Expand 10 before | Expand all | Expand 10 after Loading... | |
| 1333 bool SSLClientSocketOpenSSL::SetReceiveBufferSize(int32 size) { | 1335 bool SSLClientSocketOpenSSL::SetReceiveBufferSize(int32 size) { |
| 1334 return transport_->socket()->SetReceiveBufferSize(size); | 1336 return transport_->socket()->SetReceiveBufferSize(size); |
| 1335 } | 1337 } |
| 1336 | 1338 |
| 1337 bool SSLClientSocketOpenSSL::SetSendBufferSize(int32 size) { | 1339 bool SSLClientSocketOpenSSL::SetSendBufferSize(int32 size) { |
| 1338 return transport_->socket()->SetSendBufferSize(size); | 1340 return transport_->socket()->SetSendBufferSize(size); |
| 1339 } | 1341 } |
| 1340 | 1342 |
| 1341 int SSLClientSocketOpenSSL::DoPayloadRead() { | 1343 int SSLClientSocketOpenSSL::DoPayloadRead() { |
| 1342 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); | 1344 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); |
| 1343 int rv = SSL_read(ssl_, user_read_buf_->data(), user_read_buf_len_); | 1345 |
| 1344 // We don't need to invalidate the non-client-authenticated SSL session | 1346 int rv; |
| 1345 // because the server will renegotiate anyway. | 1347 if (pending_read_error_ != kNoPendingReadResult) { |
| 1346 if (client_auth_cert_needed_) | 1348 rv = pending_read_error_; |
| 1347 return ERR_SSL_CLIENT_AUTH_CERT_NEEDED; | 1349 pending_read_error_ = kNoPendingReadResult; |
| 1350 if (rv == 0) { | |
| 1351 net_log_.AddByteTransferEvent(NetLog::TYPE_SSL_SOCKET_BYTES_RECEIVED, | |
| 1352 rv, user_read_buf_->data()); | |
| 1353 } | |
| 1354 return rv; | |
| 1355 } | |
| 1356 | |
| 1357 int total_bytes_read = 0; | |
| 1358 do { | |
| 1359 rv = SSL_read(ssl_, user_read_buf_->data() + total_bytes_read, | |
| 1360 user_read_buf_len_ - total_bytes_read); | |
| 1361 if (rv > 0) | |
| 1362 total_bytes_read += rv; | |
| 1363 } while (total_bytes_read < user_read_buf_len_ && rv > 0); | |
| 1364 | |
| 1365 if (total_bytes_read == user_read_buf_len_) { | |
| 1366 rv = total_bytes_read; | |
| 1367 } else { | |
| 1368 // Otherwise, an error occurred (rv <= 0). The error needs to be handled | |
| 1369 // immediately, while the OpenSSL errors are still available in | |
| 1370 // thread-local storage. However, the handled/remapped error code should | |
|
wtc
2013/02/15 23:14:49
SSL_get_error() takes ssl_ as input. So perhaps th
Ryan Sleevi
2013/02/16 00:20:16
No, SSL_get_error() uses the ERR stack (eg: ERR_pe
| |
| 1371 // only be returned if no application data was already read; if it was, the | |
| 1372 // error code should be deferred until the next call of DoPayloadRead. | |
| 1373 // | |
| 1374 // If no data was read, |*next_result| will point to the return value of | |
| 1375 // this function. If at least some data was read, |*next_result| will point | |
| 1376 // to |pending_read_error_|, to be returned in a future call to | |
| 1377 // DoPayloadRead() (e.g.: after the current data is handled). | |
| 1378 int *next_result = &rv; | |
| 1379 if (total_bytes_read > 0) { | |
| 1380 pending_read_error_ = rv; | |
| 1381 rv = total_bytes_read; | |
| 1382 next_result = &pending_read_error_; | |
| 1383 } | |
| 1384 | |
| 1385 if (client_auth_cert_needed_) { | |
| 1386 *next_result = ERR_SSL_CLIENT_AUTH_CERT_NEEDED; | |
| 1387 } else if (*next_result < 0) { | |
| 1388 int err = SSL_get_error(ssl_, *next_result); | |
| 1389 *next_result = MapOpenSSLError(err, err_tracer); | |
| 1390 if (rv > 0 && *next_result == ERR_IO_PENDING) { | |
| 1391 // If at least some data was read from SSL_read(), do not treat | |
| 1392 // insufficient data as an error to return in the next call to | |
| 1393 // DoPayloadRead() - instead, let the call fall through to check | |
| 1394 // SSL_read() again. This is because DoTransportIO() may complete | |
| 1395 // in between the next call to DoPayloadRead(), and thus it is | |
| 1396 // important to check SSL_read() on subsequent invocations to see | |
| 1397 // if a complete record may now be read. | |
| 1398 *next_result = kNoPendingReadResult; | |
| 1399 } | |
| 1400 } | |
| 1401 } | |
| 1348 | 1402 |
| 1349 if (rv >= 0) { | 1403 if (rv >= 0) { |
| 1350 net_log_.AddByteTransferEvent(NetLog::TYPE_SSL_SOCKET_BYTES_RECEIVED, rv, | 1404 net_log_.AddByteTransferEvent(NetLog::TYPE_SSL_SOCKET_BYTES_RECEIVED, rv, |
| 1351 user_read_buf_->data()); | 1405 user_read_buf_->data()); |
| 1352 return rv; | |
| 1353 } | 1406 } |
| 1354 | 1407 return rv; |
| 1355 int err = SSL_get_error(ssl_, rv); | |
| 1356 return MapOpenSSLError(err, err_tracer); | |
| 1357 } | 1408 } |
| 1358 | 1409 |
| 1359 int SSLClientSocketOpenSSL::DoPayloadWrite() { | 1410 int SSLClientSocketOpenSSL::DoPayloadWrite() { |
| 1360 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); | 1411 crypto::OpenSSLErrStackTracer err_tracer(FROM_HERE); |
| 1361 int rv = SSL_write(ssl_, user_write_buf_->data(), user_write_buf_len_); | 1412 int rv = SSL_write(ssl_, user_write_buf_->data(), user_write_buf_len_); |
| 1362 | 1413 |
| 1363 if (rv >= 0) { | 1414 if (rv >= 0) { |
| 1364 net_log_.AddByteTransferEvent(NetLog::TYPE_SSL_SOCKET_BYTES_SENT, rv, | 1415 net_log_.AddByteTransferEvent(NetLog::TYPE_SSL_SOCKET_BYTES_SENT, rv, |
| 1365 user_write_buf_->data()); | 1416 user_write_buf_->data()); |
| 1366 return rv; | 1417 return rv; |
| 1367 } | 1418 } |
| 1368 | 1419 |
| 1369 int err = SSL_get_error(ssl_, rv); | 1420 int err = SSL_get_error(ssl_, rv); |
| 1370 return MapOpenSSLError(err, err_tracer); | 1421 return MapOpenSSLError(err, err_tracer); |
| 1371 } | 1422 } |
| 1372 | 1423 |
| 1373 } // namespace net | 1424 } // namespace net |
| OLD | NEW |
