Module: sip-router Branch: andrei/tcp_tls_changes Commit: 3b5c6550ba6a308b6ac0da245dd594a65317d6a1 URL: http://git.sip-router.org/cgi-bin/gitweb.cgi/sip-router/?a=commit;h=3b5c6550...
Author: Andrei Pelinescu-Onciul andrei@iptel.org Committer: Andrei Pelinescu-Onciul andrei@iptel.org Date: Wed Jun 16 10:05:07 2010 +0200
tls: SSL_shutdown() only fully established connections
- do SSL_shutdown() only on established TLS connections (established here means from the SSL point of view, i.e. the TLS handshake has completed, not merely from the TCP one) - minor warning fixes
---
modules/tls/tls_server.c | 20 +++++++++++++------- 1 files changed, 13 insertions(+), 7 deletions(-)
diff --git a/modules/tls/tls_server.c b/modules/tls/tls_server.c
index 9028c5f..c99e6b3 100644
--- a/modules/tls/tls_server.c
+++ b/modules/tls/tls_server.c
@@ -233,7 +233,7 @@ static void tls_dump_cert_info(char* s, X509* cert)
 */
 int tls_accept(struct tcp_connection *c, int* error)
 {
- int ret, ssl_err;
+ int ret;
 SSL *ssl;
 X509* cert;
 struct tls_extra_data* tls_c;
@@ -300,7 +300,7 @@ err:
 int tls_connect(struct tcp_connection *c, int* error)
 {
 SSL *ssl;
- int ret, ssl_err;
+ int ret;
 X509* cert;
 struct tls_extra_data* tls_c;
 int tls_log;
@@ -362,14 +362,20 @@ err:
 static int tls_shutdown(struct tcp_connection *c)
 {
 int ret, err, ssl_err;
+ struct tls_extra_data* tls_c;
 SSL *ssl;
- ssl = ((struct tls_extra_data*)c->extra_data)->ssl;
- if (ssl == 0) {
+ tls_c=(struct tls_extra_data*)c->extra_data;
+ if (unlikely(tls_c == 0 || tls_c->ssl == 0)) {
 ERR("No SSL data to perform tls_shutdown\n");
 return -1;
 }
- if (LOW_MEM_CONNECTED_TEST()){
+ ssl = tls_c->ssl;
+ /* it doesn't make sense to try a TLS level shutdown
+ if the connection is not fully initialized */
+ if (unlikely(tls_c->state != S_TLS_ESTABLISHED))
+ return 0;
+ if (unlikely(LOW_MEM_CONNECTED_TEST())){
 ERR("tls: ssl bug #1491 workaround: not enough memory for safe"
 " operation: %lu\n", shm_available());
 goto err;
@@ -1036,8 +1042,8 @@ ssl_read_skipped:
 rd.used - rd.pos);
 if (unlikely(enc_rd_buf == 0)) {
 ERR("memory allocation error (%d bytes requested)\n",
- sizeof(*enc_rd_buf) + sizeof(enc_rd_buf->buf) +
- rd.used - rd.pos);
+ (int)(sizeof(*enc_rd_buf) + sizeof(enc_rd_buf->buf) +
+ rd.used - rd.pos));
 goto error;
 }
 enc_rd_buf->pos = 0;
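Review bot: The new `return 0` on the `tls_c->state != S_TLS_ESTABLISHED` path is silent and, assuming the successful path further down also returns 0, indistinguishable to callers from a completed TLS shutdown, so a connection torn down mid-handshake leaves no trace in the logs and no distinct result; since this hunk also returns -1 for missing SSL data, the function now has three outcomes and no comment describing them. I would add above `static int tls_shutdown` a comment along the lines of `/* TLS-level shutdown of c. Returns 0 when the shutdown was performed or is not needed (TLS handshake not completed, so no close_notify is attempted), -1 on error. */`, and log the skipped case at debug level, e.g. `DBG("tls_shutdown: TLS not established (state %d), skipping\n", tls_c->state);` before the `return 0;`, if `state` is an integer type. Note that `ssl = tls_c->ssl;` is now assigned before a return path that never uses it; moving the assignment below the state check is purely cosmetic. The rest of tls_shutdown, including the `err:` label the low-memory branch jumps to, lies outside the hunk.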
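Review bot: The `(int)` cast added to the ERR() argument in the `ssl_read_skipped` hunk removes the format warning by narrowing a `sizeof`-based sum to `int`, so on 64-bit a request above INT_MAX would be logged as a wrong or negative count; the message only reports an allocation that already failed, so the effect is cosmetic, but the same file already logs `shm_available()` with `%lu` in tls_shutdown, and the consistent fix is `ERR("memory allocation error (%lu bytes requested)\n",` / `(unsigned long)(sizeof(*enc_rd_buf) + sizeof(enc_rd_buf->buf) +` / `rd.used - rd.pos));`. The types of `rd.used` and `rd.pos` are not visible here; if they are signed, confirm the difference cannot be negative before converting to unsigned. The enclosing function and the allocation call whose last argument opens this hunk start before it.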