Document a bunch of core functions in ssl.h.
Unfortunately, these are also some of the worst APIs in the SSL stack.
I've tried to capture all the things they expose to the caller. 0 vs -1
is intentionally left unexpanded on for now. Upstream's documentation
says 0 means transport EOF, which is a nice idea but isn't true. (A lot
of random functions return 0 on error and pass it up to the caller.)
https://crbug.com/466303 tracks fixing that.
SSL_set_bio is intentionally documented to NOT be usable when they're
already configured. The function tries to behave in this case and even
with additional cases when |rbio| and/or |wbio| are unchanged, but this
is buggy. For instance, this will explode:
SSL_set_bio(ssl, bio1, bio1);
SSL_set_bio(ssl, bio2, SSL_get_wbio(ssl));
As will this, though it's less clear this is part of the API contract
due to SSL taking ownership.
SSL_set_bio(ssl, bio1, bio2);
SSL_set_bio(ssl, bio2, bio1);
It also tries to handle ssl->bbio already existing, but I doubt it quite
works. Hopefully we can drop ssl->bbio eventually. (Why is this so
complicated...)
Change-Id: I5f9f3043915bffc67e2ebd282813e04afbe076e6
Reviewed-on: https://boringssl-review.googlesource.com/5872
Reviewed-by: Adam Langley <agl@google.com>
diff --git a/include/openssl/ssl.h b/include/openssl/ssl.h
index ab702ee..f0e2257 100644
--- a/include/openssl/ssl.h
+++ b/include/openssl/ssl.h
@@ -295,6 +295,174 @@
/* SSL_set_accept_state configures |ssl| to be a server. */
OPENSSL_EXPORT void SSL_set_accept_state(SSL *ssl);
+/* SSL_set_bio configures |ssl| to read from |rbio| and write to |wbio|. |ssl|
+ * takes ownership of the two |BIO|s. If |rbio| and |wbio| are the same, |ssl|
+ * only takes ownership of one reference.
+ *
+ * Calling this function on an already-configured |ssl| is deprecated. */
+OPENSSL_EXPORT void SSL_set_bio(SSL *ssl, BIO *rbio, BIO *wbio);
+
+/* SSL_get_rbio returns the |BIO| that |ssl| reads from. */
+OPENSSL_EXPORT BIO *SSL_get_rbio(const SSL *ssl);
+
+/* SSL_get_wbio returns the |BIO| that |ssl| writes to. */
+OPENSSL_EXPORT BIO *SSL_get_wbio(const SSL *ssl);
+
+/* SSL_do_handshake continues the current handshake. If there is none or the
+ * handshake has completed or False Started, it returns one. Otherwise, it
+ * returns <= 0. The caller should pass the value into |SSL_get_error| to
+ * determine how to proceed.
+ *
+ * TODO(davidben): Ensure 0 is only returned on transport EOF.
+ * https://crbug.com/466303. */
+OPENSSL_EXPORT int SSL_do_handshake(SSL *ssl);
+
+/* SSL_connect configures |ssl| as a client, if unconfigured, and calls
+ * |SSL_do_handshake|. */
+OPENSSL_EXPORT int SSL_connect(SSL *ssl);
+
+/* SSL_accept configures |ssl| as a server, if unconfigured, and calls
+ * |SSL_do_handshake|. */
+OPENSSL_EXPORT int SSL_accept(SSL *ssl);
+
+/* SSL_read reads up to |num| bytes from |ssl| into |buf|. It implicitly runs
+ * any pending handshakes, including renegotiations when enabled. On success, it
+ * returns the number of bytes read. Otherwise, it returns <= 0. The caller
+ * should pass the value into |SSL_get_error| to determine how to proceed.
+ *
+ * TODO(davidben): Ensure 0 is only returned on transport EOF.
+ * https://crbug.com/466303. */
+OPENSSL_EXPORT int SSL_read(SSL *ssl, void *buf, int num);
+
+/* SSL_peek behaves like |SSL_read| but does not consume any bytes returned. */
+OPENSSL_EXPORT int SSL_peek(SSL *ssl, void *buf, int num);
+
+/* SSL_write writes up to |num| bytes from |buf| into |ssl|. It implicitly runs
+ * any pending handshakes, including renegotiations when enabled. On success, it
+ * returns the number of bytes read. Otherwise, it returns <= 0. The caller
+ * should pass the value into |SSL_get_error| to determine how to proceed.
+ *
+ * A non-blocking |SSL_write| differs from non-blocking |write| in that a failed
+ * |SSL_write| still commits to the data passed in. When retrying, the caller
+ * must supply the original write buffer (or a larger one containing the
+ * original as a prefix). By default, retries will fail if they also do not
+ * reuse the same |buf| pointer. This may be relaxed with
+ * |SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER|, but the buffer contents still must be
+ * unchanged.
+ *
+ * By default, |SSL_write| will not return success until all |num| bytes are
+ * written. This may be relaxed with |SSL_MODE_ENABLE_PARTIAL_WRITE|. It allows
+ * |SSL_write| to complete with a partial result when only part of the input was
+ * written in a single record.
+ *
+ * TODO(davidben): Ensure 0 is only returned on transport EOF.
+ * https://crbug.com/466303. */
+OPENSSL_EXPORT int SSL_write(SSL *ssl, const void *buf, int num);
+
+/* SSL_shutdown shuts down |ssl|. On success, it completes in two stages. First,
+ * it returns 0 if |ssl| completed uni-directional shutdown; close_notify has
+ * been sent, but the peer's close_notify has not been received. Most callers
+ * may stop at this point. For bi-directional shutdown, call |SSL_shutdown|
+ * again. It returns 1 if close_notify has been both sent and received.
+ *
+ * If the peer's close_notify arrived first, the first stage is skipped.
+ * |SSL_shutdown| will return 1 once close_notify is sent and skip 0. Callers
+ * only interested in uni-directional shutdown must therefore allow for the
+ * first stage returning either 0 or 1.
+ *
+ * |SSL_shutdown| returns -1 on failure. The caller should pass the return value
+ * into |SSL_get_error| to determine how to proceed. If the underlying |BIO| is
+ * non-blocking, both stages may require retry.
+ *
+ * |SSL_shutdown| must be called to retain |ssl|'s session in the session
+ * cache. Use |SSL_CTX_set_quiet_shutdown| to configure |SSL_shutdown| to
+ * neither send nor wait for close_notify but still retain the session.
+ *
+ * TODO(davidben): Is there any point in the session cache interaction? Remove
+ * it? */
+OPENSSL_EXPORT int SSL_shutdown(SSL *ssl);
+
+/* SSL_get_error returns a |SSL_ERROR_*| value for the most recent operation on
+ * |ssl|. It should be called after an operation failed to determine. */
+OPENSSL_EXPORT int SSL_get_error(const SSL *ssl, int ret_code);
+
+/* SSL_ERROR_NONE indicates the operation succeeded. */
+#define SSL_ERROR_NONE 0
+
+/* SSL_ERROR_SSL indicates the operation failed within the library. The caller
+ * may inspect the error queue for more information. */
+#define SSL_ERROR_SSL 1
+
+/* SSL_ERROR_WANT_READ indicates the operation failed attempting to read from
+ * the transport. The caller may retry the operation when the transport is ready
+ * for reading. */
+#define SSL_ERROR_WANT_READ 2
+
+/* SSL_ERROR_WANT_READ indicates the operation failed attempting to write to
+ * the transport. The caller may retry the operation when the transport is ready
+ * for writing. */
+#define SSL_ERROR_WANT_WRITE 3
+
+/* SSL_ERROR_WANT_X509_LOOKUP indicates the operation failed in calling the
+ * |cert_cb| or |client_cert_cb|. The caller may retry the operation when the
+ * callback is ready to return a certificate or one has been configured
+ * externally.
+ *
+ * See also |SSL_CTX_set_cert_cb| and |SSL_CTX_set_client_cert_cb|. */
+#define SSL_ERROR_WANT_X509_LOOKUP 4
+
+/* SSL_ERROR_WANT_SYSCALL indicates the operation failed externally to the
+ * library. The caller should consult the system-specific error mechanism. This
+ * is typically |errno| but may be something custom if using a custom |BIO|. It
+ * may also be signaled if the transport returned EOF, in which case the
+ * operation's return value will be zero. */
+#define SSL_ERROR_SYSCALL 5
+
+/* SSL_ERROR_ZERO_RETURN indicates the operation failed because the connection
+ * was cleanly shut down with a close_notify alert. */
+#define SSL_ERROR_ZERO_RETURN 6
+
+/* SSL_ERROR_WANT_CONNECT indicates the operation failed attempting to connect
+ * the transport (the |BIO| signaled |BIO_RR_CONNECT|). The caller may retry the
+ * operation when the transport is ready. */
+#define SSL_ERROR_WANT_CONNECT 7
+
+/* SSL_ERROR_WANT_ACCEPT indicates the operation failed attempting to accept a
+ * connection from the transport (the |BIO| signaled |BIO_RR_ACCEPT|). The
+ * caller may retry the operation when the transport is ready.
+ *
+ * TODO(davidben): Remove this. It's used by accept BIOs which are bizarre. */
+#define SSL_ERROR_WANT_ACCEPT 8
+
+/* SSL_ERROR_WANT_CHANNEL_ID_LOOKUP indicates the operation failed looking up
+ * the Channel ID key. The caller may retry the operation when |channel_id_cb|
+ * is ready to return a key or one has been configured externally.
+ *
+ * See also |SSL_CTX_set_channel_id_cb|. */
+#define SSL_ERROR_WANT_CHANNEL_ID_LOOKUP 9
+
+/* SSL_ERROR_PENDING_SESSION indicates the operation failed because the session
+ * lookup callback indicated the session was unavailable. The caller may retry
+ * the operation when lookup has completed.
+ *
+ * See also |SSL_CTX_sess_set_get_cb|. */
+#define SSL_ERROR_PENDING_SESSION 11
+
+/* SSL_ERROR_PENDING_CERTIFICATE indicates the operation failed because the
+ * early callback indicated certificate lookup was incomplete. The caller may
+ * retry the operation when lookup has completed. Note: when the operation is
+ * retried, the early callback will not be called a second time.
+ *
+ * See also |select_certificate_cb| on |SSL_CTX|. */
+#define SSL_ERROR_PENDING_CERTIFICATE 12
+
+/* SSL_ERROR_WANT_PRIVATE_KEY_OPERATION indicates the operation failed because
+ * a private key operation was unfinished. The caller may retry the operation
+ * when the private key operation is complete.
+ *
+ * See also |SSL_set_private_key_method|. */
+#define SSL_ERROR_WANT_PRIVATE_KEY_OPERATION 13
+
/* Protocol versions. */
@@ -1531,10 +1699,10 @@
int *copy));
OPENSSL_EXPORT SSL_SESSION *(*SSL_CTX_sess_get_get_cb(SSL_CTX *ctx))(
SSL *ssl, uint8_t *data, int len, int *copy);
-/* SSL_magic_pending_session_ptr returns a magic SSL_SESSION* which indicates
- * that the session isn't currently unavailable. SSL_get_error will then return
- * SSL_ERROR_PENDING_SESSION and the handshake can be retried later when the
- * lookup has completed. */
+/* SSL_magic_pending_session_ptr returns a magic |SSL_SESSION|* which indicates
+ * that the session isn't currently unavailable. |SSL_get_error| will then
+ * return |SSL_ERROR_PENDING_SESSION| and the handshake can be retried later
+ * when the lookup has completed. */
OPENSSL_EXPORT SSL_SESSION *SSL_magic_pending_session_ptr(void);
OPENSSL_EXPORT void SSL_CTX_set_info_callback(SSL_CTX *ctx,
void (*cb)(const SSL *ssl,
@@ -2008,20 +2176,6 @@
#define SSL_AD_UNKNOWN_PSK_IDENTITY TLS1_AD_UNKNOWN_PSK_IDENTITY /* fatal */
#define SSL_AD_INAPPROPRIATE_FALLBACK SSL3_AD_INAPPROPRIATE_FALLBACK /* fatal */
-#define SSL_ERROR_NONE 0
-#define SSL_ERROR_SSL 1
-#define SSL_ERROR_WANT_READ 2
-#define SSL_ERROR_WANT_WRITE 3
-#define SSL_ERROR_WANT_X509_LOOKUP 4
-#define SSL_ERROR_SYSCALL 5 /* look at error stack/return value/errno */
-#define SSL_ERROR_ZERO_RETURN 6
-#define SSL_ERROR_WANT_CONNECT 7
-#define SSL_ERROR_WANT_ACCEPT 8
-#define SSL_ERROR_WANT_CHANNEL_ID_LOOKUP 9
-#define SSL_ERROR_PENDING_SESSION 11
-#define SSL_ERROR_PENDING_CERTIFICATE 12
-#define SSL_ERROR_WANT_PRIVATE_KEY_OPERATION 13
-
/* DTLSv1_get_timeout queries the next DTLS handshake timeout. If there is a
* timeout in progress, it sets |*out| to the time remaining and returns one.
* Otherwise, it returns zero.
@@ -2150,9 +2304,6 @@
OPENSSL_EXPORT int SSL_set_fd(SSL *s, int fd);
OPENSSL_EXPORT int SSL_set_rfd(SSL *s, int fd);
OPENSSL_EXPORT int SSL_set_wfd(SSL *s, int fd);
-OPENSSL_EXPORT void SSL_set_bio(SSL *s, BIO *rbio, BIO *wbio);
-OPENSSL_EXPORT BIO *SSL_get_rbio(const SSL *s);
-OPENSSL_EXPORT BIO *SSL_get_wbio(const SSL *s);
OPENSSL_EXPORT int SSL_set_cipher_list(SSL *s, const char *str);
OPENSSL_EXPORT int SSL_get_verify_mode(const SSL *s);
OPENSSL_EXPORT int SSL_get_verify_depth(const SSL *s);
@@ -2280,13 +2431,6 @@
OPENSSL_EXPORT X509_VERIFY_PARAM *SSL_CTX_get0_param(SSL_CTX *ctx);
OPENSSL_EXPORT X509_VERIFY_PARAM *SSL_get0_param(SSL *ssl);
-OPENSSL_EXPORT int SSL_accept(SSL *ssl);
-OPENSSL_EXPORT int SSL_connect(SSL *ssl);
-OPENSSL_EXPORT int SSL_read(SSL *ssl, void *buf, int num);
-OPENSSL_EXPORT int SSL_peek(SSL *ssl, void *buf, int num);
-OPENSSL_EXPORT int SSL_write(SSL *ssl, const void *buf, int num);
-
-OPENSSL_EXPORT int SSL_get_error(const SSL *s, int ret_code);
/* SSL_get_version returns a string describing the TLS version used by |s|. For
* example, "TLSv1.2" or "SSLv3". */
OPENSSL_EXPORT const char *SSL_get_version(const SSL *s);
@@ -2300,14 +2444,10 @@
OPENSSL_EXPORT STACK_OF(SSL_CIPHER) *SSL_get_ciphers(const SSL *s);
-OPENSSL_EXPORT int SSL_do_handshake(SSL *s);
-
/* SSL_renegotiate_pending returns one if |ssl| is in the middle of a
* renegotiation. */
OPENSSL_EXPORT int SSL_renegotiate_pending(SSL *ssl);
-OPENSSL_EXPORT int SSL_shutdown(SSL *s);
-
OPENSSL_EXPORT const char *SSL_alert_type_string_long(int value);
OPENSSL_EXPORT const char *SSL_alert_type_string(int value);
OPENSSL_EXPORT const char *SSL_alert_desc_string_long(int value);
diff --git a/ssl/ssl_lib.c b/ssl/ssl_lib.c
index 574ae7b..f079846 100644
--- a/ssl/ssl_lib.c
+++ b/ssl/ssl_lib.c
@@ -569,28 +569,28 @@
OPENSSL_free(ssl);
}
-void SSL_set_bio(SSL *s, BIO *rbio, BIO *wbio) {
+void SSL_set_bio(SSL *ssl, BIO *rbio, BIO *wbio) {
/* If the output buffering BIO is still in place, remove it. */
- if (s->bbio != NULL) {
- if (s->wbio == s->bbio) {
- s->wbio = s->wbio->next_bio;
- s->bbio->next_bio = NULL;
+ if (ssl->bbio != NULL) {
+ if (ssl->wbio == ssl->bbio) {
+ ssl->wbio = ssl->wbio->next_bio;
+ ssl->bbio->next_bio = NULL;
}
}
- if (s->rbio != rbio) {
- BIO_free_all(s->rbio);
+ if (ssl->rbio != rbio) {
+ BIO_free_all(ssl->rbio);
}
- if (s->wbio != wbio && s->rbio != s->wbio) {
- BIO_free_all(s->wbio);
+ if (ssl->wbio != wbio && ssl->rbio != ssl->wbio) {
+ BIO_free_all(ssl->wbio);
}
- s->rbio = rbio;
- s->wbio = wbio;
+ ssl->rbio = rbio;
+ ssl->wbio = wbio;
}
-BIO *SSL_get_rbio(const SSL *s) { return s->rbio; }
+BIO *SSL_get_rbio(const SSL *ssl) { return ssl->rbio; }
-BIO *SSL_get_wbio(const SSL *s) { return s->wbio; }
+BIO *SSL_get_wbio(const SSL *ssl) { return ssl->wbio; }
int SSL_get_fd(const SSL *s) { return SSL_get_rfd(s); }
@@ -803,132 +803,132 @@
return X509_check_private_key(ssl->cert->x509, ssl->cert->privatekey);
}
-int SSL_accept(SSL *s) {
- if (s->handshake_func == 0) {
+int SSL_accept(SSL *ssl) {
+ if (ssl->handshake_func == 0) {
/* Not properly initialized yet */
- SSL_set_accept_state(s);
+ SSL_set_accept_state(ssl);
}
- if (s->handshake_func != s->method->ssl_accept) {
+ if (ssl->handshake_func != ssl->method->ssl_accept) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
return -1;
}
- return s->handshake_func(s);
+ return ssl->handshake_func(ssl);
}
-int SSL_connect(SSL *s) {
- if (s->handshake_func == 0) {
+int SSL_connect(SSL *ssl) {
+ if (ssl->handshake_func == 0) {
/* Not properly initialized yet */
- SSL_set_connect_state(s);
+ SSL_set_connect_state(ssl);
}
- if (s->handshake_func != s->method->ssl_connect) {
+ if (ssl->handshake_func != ssl->method->ssl_connect) {
OPENSSL_PUT_ERROR(SSL, ERR_R_INTERNAL_ERROR);
return -1;
}
- return s->handshake_func(s);
+ return ssl->handshake_func(ssl);
}
long SSL_get_default_timeout(const SSL *s) {
return SSL_DEFAULT_SESSION_TIMEOUT;
}
-int SSL_read(SSL *s, void *buf, int num) {
- if (s->handshake_func == 0) {
+int SSL_read(SSL *ssl, void *buf, int num) {
+ if (ssl->handshake_func == 0) {
OPENSSL_PUT_ERROR(SSL, SSL_R_UNINITIALIZED);
return -1;
}
- if (s->shutdown & SSL_RECEIVED_SHUTDOWN) {
- s->rwstate = SSL_NOTHING;
+ if (ssl->shutdown & SSL_RECEIVED_SHUTDOWN) {
+ ssl->rwstate = SSL_NOTHING;
return 0;
}
ERR_clear_system_error();
- return s->method->ssl_read_app_data(s, buf, num, 0);
+ return ssl->method->ssl_read_app_data(ssl, buf, num, 0);
}
-int SSL_peek(SSL *s, void *buf, int num) {
- if (s->handshake_func == 0) {
+int SSL_peek(SSL *ssl, void *buf, int num) {
+ if (ssl->handshake_func == 0) {
OPENSSL_PUT_ERROR(SSL, SSL_R_UNINITIALIZED);
return -1;
}
- if (s->shutdown & SSL_RECEIVED_SHUTDOWN) {
+ if (ssl->shutdown & SSL_RECEIVED_SHUTDOWN) {
return 0;
}
ERR_clear_system_error();
- return s->method->ssl_read_app_data(s, buf, num, 1);
+ return ssl->method->ssl_read_app_data(ssl, buf, num, 1);
}
-int SSL_write(SSL *s, const void *buf, int num) {
- if (s->handshake_func == 0) {
+int SSL_write(SSL *ssl, const void *buf, int num) {
+ if (ssl->handshake_func == 0) {
OPENSSL_PUT_ERROR(SSL, SSL_R_UNINITIALIZED);
return -1;
}
- if (s->shutdown & SSL_SENT_SHUTDOWN) {
- s->rwstate = SSL_NOTHING;
+ if (ssl->shutdown & SSL_SENT_SHUTDOWN) {
+ ssl->rwstate = SSL_NOTHING;
OPENSSL_PUT_ERROR(SSL, SSL_R_PROTOCOL_IS_SHUTDOWN);
return -1;
}
ERR_clear_system_error();
- return s->method->ssl_write_app_data(s, buf, num);
+ return ssl->method->ssl_write_app_data(ssl, buf, num);
}
-int SSL_shutdown(SSL *s) {
+int SSL_shutdown(SSL *ssl) {
/* Note that this function behaves differently from what one might expect.
* Return values are 0 for no success (yet), 1 for success; but calling it
* once is usually not enough, even if blocking I/O is used (see
* ssl3_shutdown). */
- if (s->handshake_func == 0) {
+ if (ssl->handshake_func == 0) {
OPENSSL_PUT_ERROR(SSL, SSL_R_UNINITIALIZED);
return -1;
}
- if (SSL_in_init(s)) {
+ if (SSL_in_init(ssl)) {
return 1;
}
/* Do nothing if configured not to send a close_notify. */
- if (s->quiet_shutdown) {
- s->shutdown = SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN;
+ if (ssl->quiet_shutdown) {
+ ssl->shutdown = SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN;
return 1;
}
- if (!(s->shutdown & SSL_SENT_SHUTDOWN)) {
- s->shutdown |= SSL_SENT_SHUTDOWN;
- ssl3_send_alert(s, SSL3_AL_WARNING, SSL_AD_CLOSE_NOTIFY);
+ if (!(ssl->shutdown & SSL_SENT_SHUTDOWN)) {
+ ssl->shutdown |= SSL_SENT_SHUTDOWN;
+ ssl3_send_alert(ssl, SSL3_AL_WARNING, SSL_AD_CLOSE_NOTIFY);
/* our shutdown alert has been sent now, and if it still needs to be
- * written, s->s3->alert_dispatch will be true */
- if (s->s3->alert_dispatch) {
+ * written, ssl->s3->alert_dispatch will be true */
+ if (ssl->s3->alert_dispatch) {
return -1; /* return WANT_WRITE */
}
- } else if (s->s3->alert_dispatch) {
+ } else if (ssl->s3->alert_dispatch) {
/* resend it if not sent */
- int ret = s->method->ssl_dispatch_alert(s);
+ int ret = ssl->method->ssl_dispatch_alert(ssl);
if (ret == -1) {
/* we only get to return -1 here the 2nd/Nth invocation, we must have
* already signalled return 0 upon a previous invoation, return
* WANT_WRITE */
return ret;
}
- } else if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) {
+ } else if (!(ssl->shutdown & SSL_RECEIVED_SHUTDOWN)) {
/* If we are waiting for a close from our peer, we are closed */
- s->method->ssl_read_close_notify(s);
- if (!(s->shutdown & SSL_RECEIVED_SHUTDOWN)) {
+ ssl->method->ssl_read_close_notify(ssl);
+ if (!(ssl->shutdown & SSL_RECEIVED_SHUTDOWN)) {
return -1; /* return WANT_READ */
}
}
- if (s->shutdown == (SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN) &&
- !s->s3->alert_dispatch) {
+ if (ssl->shutdown == (SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN) &&
+ !ssl->s3->alert_dispatch) {
return 1;
} else {
return 0;
@@ -1901,7 +1901,7 @@
}
}
-int SSL_get_error(const SSL *s, int ret_code) {
+int SSL_get_error(const SSL *ssl, int ret_code) {
int reason;
uint32_t err;
BIO *bio;
@@ -1921,8 +1921,8 @@
}
if (ret_code == 0) {
- if ((s->shutdown & SSL_RECEIVED_SHUTDOWN) &&
- (s->s3->warn_alert == SSL_AD_CLOSE_NOTIFY)) {
+ if ((ssl->shutdown & SSL_RECEIVED_SHUTDOWN) &&
+ (ssl->s3->warn_alert == SSL_AD_CLOSE_NOTIFY)) {
/* The socket was cleanly shut down with a close_notify. */
return SSL_ERROR_ZERO_RETURN;
}
@@ -1932,16 +1932,16 @@
return SSL_ERROR_SYSCALL;
}
- if (SSL_want_session(s)) {
+ if (SSL_want_session(ssl)) {
return SSL_ERROR_PENDING_SESSION;
}
- if (SSL_want_certificate(s)) {
+ if (SSL_want_certificate(ssl)) {
return SSL_ERROR_PENDING_CERTIFICATE;
}
- if (SSL_want_read(s)) {
- bio = SSL_get_rbio(s);
+ if (SSL_want_read(ssl)) {
+ bio = SSL_get_rbio(ssl);
if (BIO_should_read(bio)) {
return SSL_ERROR_WANT_READ;
}
@@ -1970,14 +1970,14 @@
}
}
- if (SSL_want_write(s)) {
- bio = SSL_get_wbio(s);
+ if (SSL_want_write(ssl)) {
+ bio = SSL_get_wbio(ssl);
if (BIO_should_write(bio)) {
return SSL_ERROR_WANT_WRITE;
}
if (BIO_should_read(bio)) {
- /* See above (SSL_want_read(s) with BIO_should_write(bio)) */
+ /* See above (SSL_want_read(ssl) with BIO_should_write(bio)) */
return SSL_ERROR_WANT_READ;
}
@@ -1995,33 +1995,32 @@
}
}
- if (SSL_want_x509_lookup(s)) {
+ if (SSL_want_x509_lookup(ssl)) {
return SSL_ERROR_WANT_X509_LOOKUP;
}
- if (SSL_want_channel_id_lookup(s)) {
+ if (SSL_want_channel_id_lookup(ssl)) {
return SSL_ERROR_WANT_CHANNEL_ID_LOOKUP;
}
- if (SSL_want_private_key_operation(s)) {
+ if (SSL_want_private_key_operation(ssl)) {
return SSL_ERROR_WANT_PRIVATE_KEY_OPERATION;
}
return SSL_ERROR_SYSCALL;
}
-int SSL_do_handshake(SSL *s) {
- int ret = 1;
-
- if (s->handshake_func == NULL) {
+int SSL_do_handshake(SSL *ssl) {
+ if (ssl->handshake_func == NULL) {
OPENSSL_PUT_ERROR(SSL, SSL_R_CONNECTION_TYPE_NOT_SET);
return -1;
}
- if (SSL_in_init(s)) {
- ret = s->handshake_func(s);
+ if (!SSL_in_init(ssl)) {
+ return 1;
}
- return ret;
+
+ return ssl->handshake_func(ssl);
}
void SSL_set_accept_state(SSL *ssl) {
