From 8bc04d9ea73c5c35abcc1093da24a73a9f0a360f Mon Sep 17 00:00:00 2001
From: Nanang Izzuddin
Date: Thu, 26 Dec 2024 08:32:51 +0900
Subject: [PATCH] Fix SSL to continue decrypting data after renego completes (#4234)
* Fix SSL to continue decrypting data after renego completes
* Update SSL socket with OpenSSL backend to return PJ_EEOF only when renegotiation is needed (or not completed).
---
 pjlib/src/pj/ssl_sock_imp_common.c | 5 +++++
 pjlib/src/pj/ssl_sock_ossl.c | 12 ++++++++----
 2 files changed, 13 insertions(+), 4 deletions(-)
diff --git a/pjlib/src/pj/ssl_sock_imp_common.c b/pjlib/src/pj/ssl_sock_imp_common.c
index f1d1db63dd..811c960fd1 100644
--- a/pjlib/src/pj/ssl_sock_imp_common.c
+++ b/pjlib/src/pj/ssl_sock_imp_common.c
@@ -867,6 +867,11 @@ static pj_bool_t ssock_on_data_read (pj_ssl_sock_t *ssock,
                              "Failed to flush delayed send"));
                 goto on_error;
             }
+
+            /* If renego has been completed, continue reading data */
+            if (status == PJ_SUCCESS)
+                continue;
+
         } else if (status != PJ_EPENDING) {
             PJ_PERROR(1,(ssock->pool->obj_name, status,
                          "Renegotiation failed"));
diff --git a/pjlib/src/pj/ssl_sock_ossl.c b/pjlib/src/pj/ssl_sock_ossl.c
index 67f386d00d..8524c43b79 100644
--- a/pjlib/src/pj/ssl_sock_ossl.c
+++ b/pjlib/src/pj/ssl_sock_ossl.c
@@ -2476,7 +2476,9 @@ static pj_status_t ssl_read(pj_ssl_sock_t *ssock, void *data, int *size)
         /* SSL might just return SSL_ERROR_WANT_READ in
          * re-negotiation.
          */
-        if (err != SSL_ERROR_NONE && err != SSL_ERROR_WANT_READ) {
+        if (err != SSL_ERROR_NONE && err != SSL_ERROR_WANT_READ &&
+            err != SSL_ERROR_ZERO_RETURN)
+        {
             if (err == SSL_ERROR_SYSCALL && size_ == -1 &&
                 ERR_peek_error() == 0 && errno == 0) {
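Review bot: The new `if (status == PJ_SUCCESS) continue;` guard in the ssl_sock_imp_common.c hunk appears to be always true where it sits: the only non-success outcome of the flush is the `goto on_error` two lines above, so the condition cannot be false (assuming the flush result was assigned to `status`, which the PJ_PERROR above suggests). An unconditional `continue` under the existing comment, or a short note that the check is deliberately defensive, would read more clearly. The loop that this `continue` re-enters, and the rest of the ssock_on_data_read body, lie outside the hunk, so whether any loop-tail bookkeeping (remaining size or buffer offset) is skipped by the early `continue` cannot be confirmed from here and is worth a glance.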
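Review bot: With `SSL_ERROR_ZERO_RETURN` now excluded from the error branch in this hunk, and the second hunk (`@@ -2499`) returning `PJ_EEOF` only while `!SSL_is_init_finished()`, a peer's close_notify (ZERO_RETURN, SSL_read result 0) no longer reaches the `return PJ_EEOF` — the handshake is finished at that point — and instead falls through to the code after the else block, which is outside both hunks. Unless that trailing code turns a zero result into EOF itself, an orderly TLS shutdown is reported as "no data" and the close is only noticed later at the transport level, which also blurs the distinction between a clean close_notify and a truncated stream. Since `err` is presumably still in scope at the second hunk's new check (it is declared in the same else block, which begins before this hunk), the condition could be `if (err == SSL_ERROR_ZERO_RETURN || !SSL_is_init_finished(ossock->ossl_ssl)) {` with the comment `/* Peer close_notify, or SSL needs renegotiation: report EOF */`. The body of ssl_read continues outside both hunks.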
@@ -2499,9 +2501,11 @@ static pj_status_t ssl_read(pj_ssl_sock_t *ssock, void *data, int *size)
             }
         }
-        pj_lock_release(ssock->write_mutex);
-        /* Need renegotiation */
-        return PJ_EEOF;
+        /* Return PJ_EEOF when SSL needs renegotiation */
+        if (!SSL_is_init_finished(ossock->ossl_ssl)) {
+            pj_lock_release(ssock->write_mutex);
+            return PJ_EEOF;
+        }
     }
     pj_lock_release(ssock->write_mutex);