Please review this patch for inclusion in openssl-0.9.8b, maybe it also works with 0.9.7 too.
This patch maybe incomplete. As in I would like someone with more knowledge than me to confirm that:
* s->method->ssl_dispatch_alert(s) already sets up the WANT_WRITE situation if it returns -1 (this is an untested case)
* s->method->ssl_read_bytes(s,0,NULL,0,0); already sets up the WANT_READ situation if it returns -1 (this is tested and working)
Where and why does the SSL_ERROR_SYSCALL occur (the man page talks about), in my testing I correctly get WANT_READ that I expect (as per man page) ? I have not got this to occur.
This patch allows the SSL_shutdown() to return a 0 just once, for a non-blocking socket. It is possible for the application to obtain if a send shutdown has sent already been signaled (to OpenSSL by application) with SSL_get_shutdown() so there no need to keep returning 0, as its not possible for non-blocking IO to know its waiting for IO. Unless we start to put tricks in my application to detect it returning 0 more than one in succession, Yuk!
Do you want me to any other versions of SSL ? I think TLS1 is SSL3 ?? and SSL2 already has a dummy function for shutdown.
Thanks Darryl
diff -u -r -N -x '*~' openssl-0.9.8b/ssl/s3_lib.c openssl-0.9.8b-me/ssl/s3_lib.c --- openssl-0.9.8b/ssl/s3_lib.c 2006-01-15 07:14:38.000000000 +0000 +++ openssl-0.9.8b-me/ssl/s3_lib.c 2006-06-22 17:45:46.000000000 +0100 @@ -2071,6 +2071,7 @@ int ssl3_shutdown(SSL *s) { + int ret; /* Don't do anything much if we have not done the handshake or * we don't want to send messages :-) */ @@ -2093,13 +2094,21 @@ { /* resend it if not sent */ #if 1 - s->method->ssl_dispatch_alert(s); + ret=s->method->ssl_dispatch_alert(s); + if(ret == -1) { + /* we only get to return -1 here the 2nd/Nth + * invocation, we must have already signalled + * return 0 upon a previous invoation */ + return(ret); + } #endif } else if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) { /* If we are waiting for a close from our peer, we are closed */ - s->method->ssl_read_bytes(s,0,NULL,0,0); + ret=s->method->ssl_read_bytes(s,0,NULL,0,0); + if(ret == -1) + return(ret); } if ((s->shutdown == (SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN)) && diff -u -r -N -x '*~' openssl-0.9.8b/ssl/s3_pkt.c openssl-0.9.8b-me/ssl/s3_pkt.c --- openssl-0.9.8b/ssl/s3_pkt.c 2005-10-01 00:38:20.000000000 +0100 +++ openssl-0.9.8b-me/ssl/s3_pkt.c 2006-06-22 17:45:46.000000000 +0100 @@ -1258,13 +1258,13 @@ return(1); } -void ssl3_send_alert(SSL *s, int level, int desc) +int ssl3_send_alert(SSL *s, int level, int desc) { /* Map tls/ssl alert value to correct one */ desc=s->method->ssl3_enc->alert_value(desc); if (s->version == SSL3_VERSION && desc == SSL_AD_PROTOCOL_VERSION) desc = SSL_AD_HANDSHAKE_FAILURE; /* SSL 3.0 does not have protocol_version alerts */ - if (desc < 0) return; + if (desc < 0) return -1; /* If a fatal one, remove from cache */ if ((level == 2) && (s->session != NULL)) SSL_CTX_remove_session(s->ctx,s->session); @@ -1273,9 +1273,10 @@ s->s3->send_alert[0]=level; s->s3->send_alert[1]=desc; if (s->s3->wbuf.left == 0) /* data still being written out? */ - s->method->ssl_dispatch_alert(s); + return s->method->ssl_dispatch_alert(s); /* else data is still being written out, we will get written * some time in the future */ + return -1; } int ssl3_dispatch_alert(SSL *s) diff -u -r -N -x '*~' openssl-0.9.8b/ssl/ssl_locl.h openssl-0.9.8b-me/ssl/ssl_locl.h --- openssl-0.9.8b/ssl/ssl_locl.h 2005-08-22 00:06:51.000000000 +0100 +++ openssl-0.9.8b-me/ssl/ssl_locl.h 2006-06-22 17:45:46.000000000 +0100 @@ -780,7 +780,7 @@ int ssl3_change_cipher_state(SSL *s,int which); void ssl3_cleanup_key_block(SSL *s); int ssl3_do_write(SSL *s,int type); -void ssl3_send_alert(SSL *s,int level, int desc); +int ssl3_send_alert(SSL *s,int level, int desc); int ssl3_generate_master_secret(SSL *s, unsigned char *out, unsigned char *p, int len); int ssl3_get_req_cert_type(SSL *s,unsigned char *p);