From: hno <>
Date: Fri, 18 Mar 2005 23:06:10 +0000 (+0000)
Subject: From ssl-2.5 2004/04/18 01:09:07
X-Git-Tag: SQUID_3_0_PRE4~837
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=6de9e64be4c331271063d94df5f90909108fb9e5;p=thirdparty%2Fsquid.git

From ssl-2.5 2004/04/18 01:09:07

cleanup of error reporting
---

diff --git a/src/client_side.cc b/src/client_side.cc
index 146fb5b65e..9f75e71522 100644
--- a/src/client_side.cc
+++ b/src/client_side.cc
@@ -1,6 +1,6 @@
 /*
- * $Id: client_side.cc,v 1.682 2005/03/18 14:41:21 hno Exp $
+ * $Id: client_side.cc,v 1.683 2005/03/18 16:06:10 hno Exp $
  *
  * DEBUG: section 33 Client-side Routines
  * AUTHOR: Duane Wessels
@@ -2912,8 +2912,33 @@ clientNegotiateSSL(int fd, void *data)
         commSetSelect(fd, COMM_SELECT_WRITE, clientNegotiateSSL, conn, 0);
         return;
 
+    case SSL_ERROR_SYSCALL:
+
+        if (ret == 0) {
+            debug(83, 2) ("clientNegotiateSSL: Error negotiating SSL connection on FD %d: Aborted by client\n", fd);
+            comm_close(fd);
+            return;
+        } else {
+            int hard = 1;
+
+            if (errno == ECONNRESET)
+                hard = 0;
+            debug(83, hard ? 1 : 2) ("clientNegotiateSSL: Error negotiating SSL connection on FD %d: %s (%d)\n",
+                                     fd, strerror(errno), errno);
+
+            comm_close(fd);
+
+            return;
+        }
+
+    case SSL_ERROR_ZERO_RETURN:
+        debug(83, 1) ("clientNegotiateSSL: Error negotiating SSL connection on FD %d: Closed by client\n", fd);
+        comm_close(fd);
+        return;
+
     default:
-        debug(81, 1) ("clientNegotiateSSL: Error negotiating SSL connection on FD %d: %s (%d/%d)\n",
+        debug(83, 1) ("clientNegotiateSSL: Error negotiating SSL connection on FD %d: %s (%d/%d)\n",
                       fd, ERR_error_string(ERR_get_error(), NULL), ssl_error, ret);
         comm_close(fd);
         return;
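Review bot: In the SSL_ERROR_SYSCALL else branch, errno is not guaranteed to describe the failure: SSL_get_error() also returns SSL_ERROR_SYSCALL when the real reason sits in OpenSSL's own error queue, and errno is then whatever an earlier call left behind, frequently 0, so the level-1 line reads `Success (0)` and the ERR_error_string() text that the default case would have printed is lost. Suggest preferring the queue when errno is empty, e.g. `fd, errno ? strerror(errno) : ERR_error_string(ERR_get_error(), NULL), errno);`. Note also that only ECONNRESET is demoted to level 2, so other aborts by an unauthenticated peer during the handshake (EPIPE, ETIMEDOUT, for instance) still reach level 1 and can make the log noisy under a flood of broken handshakes. clientNegotiateSSL begins and ends outside this hunk.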
@@ -2922,16 +2947,30 @@ clientNegotiateSSL(int fd, void *data)
         /* NOTREACHED */
     }
 
-    debug(83, 5) ("clientNegotiateSSL: FD %d negotiated cipher %s\n", fd,
-                  SSL_get_cipher(fd_table[fd].ssl));
+    if (SSL_session_reused(ssl)) {
+        debug(83, 2) ("clientNegotiateSSL: Session %p reused on FD %d (%s:%d)\n", SSL_get_session(ssl), fd, fd_table[fd].ipaddr, (int)fd_table[fd].remote_port);
+    } else {
+        if (do_debug(83, 4)) {
+            /* Write out the SSL session details.. actually the call below, but
+             * OpenSSL headers do strange typecasts confusing GCC.. */
+            /* PEM_write_SSL_SESSION(debug_log, SSL_get_session(ssl)); */
+            PEM_ASN1_write(i2d_SSL_SESSION, PEM_STRING_SSL_SESSION, debug_log, (char *)SSL_get_session(ssl), NULL,NULL,0,NULL,NULL);
+            /* Note: This does not automatically fflush the log file.. */
+        }
+
+        debug(83, 2) ("clientNegotiateSSL: New session %p on FD %d (%s:%d)\n", SSL_get_session(ssl), fd, fd_table[fd].ipaddr, (int)fd_table[fd].remote_port);
+    }
+
+    debug(83, 3) ("clientNegotiateSSL: FD %d negotiated cipher %s\n", fd,
+                  SSL_get_cipher(ssl));
 
-    client_cert = SSL_get_peer_certificate(fd_table[fd].ssl);
+    client_cert = SSL_get_peer_certificate(ssl);
 
     if (client_cert != NULL) {
-        debug(83, 5) ("clientNegotiateSSL: FD %d client certificate: subject: %s\n",
+        debug(83, 3) ("clientNegotiateSSL: FD %d client certificate: subject: %s\n",
                       fd, X509_NAME_oneline(X509_get_subject_name(client_cert), 0, 0));
 
-        debug(83, 5) ("clientNegotiateSSL: FD %d client certificate: issuer: %s\n",
+        debug(83, 3) ("clientNegotiateSSL: FD %d client certificate: issuer: %s\n",
                       fd, X509_NAME_oneline(X509_get_issuer_name(client_cert), 0, 0));
 
         X509_free(client_cert);
diff --git a/src/ssl_support.cc b/src/ssl_support.cc
index 7db0379feb..96880763ba 100644
--- a/src/ssl_support.cc
+++ b/src/ssl_support.cc
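Review bot: The PEM_ASN1_write() call behind do_debug(83, 4) serialises the complete SSL_SESSION into debug_log, and the i2d_SSL_SESSION encoding carries the session's master key; anyone who can read the debug log while section 83 runs at level 4 can decrypt a capture of that session, and the level-2 lines around it pair that material with the client's address and port, so the log file becomes sensitive for its whole retention period. Consider emitting only the session id rather than the whole structure, or at least documenting the exposure next to the call: `/* Dumps the full session, master secret included: level-4 output of section 83 must be protected like key material */`. The cast to `(char *)` and the comment about the PEM_write_SSL_SESSION wrapper are fine as they stand. The enclosing function continues past X509_free(client_cert), outside this hunk.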
@@ -1,6 +1,6 @@
 /*
- * $Id: ssl_support.cc,v 1.24 2005/03/18 15:36:08 hno Exp $
+ * $Id: ssl_support.cc,v 1.25 2005/03/18 16:06:11 hno Exp $
  *
  * AUTHOR: Benno Rice
  * DEBUG: section 83 SSL accelerator support
@@ -781,11 +781,21 @@ sslCreateClientContext(const char *certfile, const char *keyfile, int version, c
 int
 ssl_read_method(int fd, char *buf, int len)
 {
+    SSL *ssl = fd_table[fd].ssl;
     int i;
 
-    i = SSL_read(fd_table[fd].ssl, buf, len);
+#if DONT_DO_THIS
+
+    if (!SSL_is_init_finished(ssl)) {
+        errno = ENOTCONN;
+        return -1;
+    }
 
-    if (i > 0 && SSL_pending(fd_table[fd].ssl) > 0) {
+#endif
+
+    i = SSL_read(ssl, buf, len);
+
+    if (i > 0 && SSL_pending(ssl) > 0) {
         debug(83, 2) ("SSL fd %d is pending\n", fd);
         fd_table[fd].flags.read_pending = 1;
     } else
@@ -797,7 +807,17 @@ ssl_read_method(int fd, char *buf, int len)
 int
 ssl_write_method(int fd, const char *buf, int len)
 {
-    return (SSL_write(fd_table[fd].ssl, buf, len));
+    SSL *ssl = fd_table[fd].ssl;
+    int i;
+
+    if (!SSL_is_init_finished(ssl)) {
+        errno = ENOTCONN;
+        return -1;
+    }
+
+    i = SSL_write(ssl, buf, len);
+
+    return i;
 }
 
 void
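Review bot: The SSL_is_init_finished() guard added to ssl_read_method is compiled out under `#if DONT_DO_THIS` with no explanation, while the identical guard in ssl_write_method below is live; a reader cannot tell whether reads before the handshake completes are deliberately permitted (presumably because some path reads through this method while the handshake is still in progress) or whether this is a leftover experiment that was meant to be removed. Suggest either deleting the dead block or replacing the macro name with a comment that states the reason, e.g. `/* Deliberately no SSL_is_init_finished() check on reads: <reason> -- see ssl_write_method for the write-side guard */`. The tail of ssl_read_method lies outside this hunk.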
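Review bot: After the new handshake guard, a failing SSL_write() is still returned as-is, but unlike the ENOTCONN path it leaves errno untouched unless the failure was an actual syscall error; for SSL_ERROR_WANT_READ/WANT_WRITE or a protocol error the caller sees whatever errno an earlier call set, so a comm-layer writer that keys its retry decision on EAGAIN/EINTR (which the explicit `errno = ENOTCONN` suggests it does) may retry a dead session or give up on a retryable one. Mapping the SSL_get_error() result onto errno before returning makes the return value and errno consistent; the read side in the previous hunk has the same gap. Which errno to use for a protocol failure is a policy choice for the comm layer, so the EIO below is a placeholder. ssl_write_method is complete within the hunk.
```c
    i = SSL_write(ssl, buf, len);

    if (i <= 0) {
        switch (SSL_get_error(ssl, i)) {
        case SSL_ERROR_WANT_READ:
        case SSL_ERROR_WANT_WRITE:
            errno = EAGAIN;   /* retryable once the socket is ready again */
            break;
        case SSL_ERROR_SYSCALL:
            /* errno set by the failing syscall (may be unchanged on EOF); keep it */
            break;
        default:
            errno = EIO;      /* protocol error: hard failure, not retryable */
            break;
        }
    }

    return i;
```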