{

if (likely(this->ssl = SSL_new(ctx))) {

// Only set up the bio stuff for the server side

if (this->get_context() == NET_VCONNECTION_OUT) {

BIO *bio = BIO_new(const_cast<BIO_METHOD *>(BIO_s_fastopen()));

BIO_set_fd(bio, this->get_socket(), BIO_NOCLOSE);

BIO_fastopen_set_dest_addr(bio,

this->options.f_tcp_fastopen ? this->get_remote_addr() : static_cast<const sockaddr *>(nullptr));

SSL_set_bio(ssl, bio, bio);

} else {

this->initialize_handshake_buffers();

BIO *rbio = BIO_new(BIO_s_mem());

BIO *wbio = BIO_new_socket(this->get_socket(), BIO_NOCLOSE);

BIO_set_mem_eof_return(wbio, -1);

SSL_set_bio(ssl, rbio, wbio);

#if TS_HAS_TLS_EARLY_DATA

update_early_data_config(ssl, SSLConfigParams::server_max_early_data, SSLConfigParams::server_recv_max_early_data);

#endif

}

this->_bindSSLObject();

}

{

SSLNetVCAttach(this->ssl, this);

TLSBasicSupport::bind(this->ssl, this);

TLSEventSupport::bind(this->ssl, this);

ALPNSupport::bind(this->ssl, this);

TLSSessionResumptionSupport::bind(this->ssl, this);

TLSSNISupport::bind(this->ssl, this);

TLSEarlyDataSupport::bind(this->ssl, this);

TLSTunnelSupport::bind(this->ssl, this);

TLSCertSwitchSupport::bind(this->ssl, this);

{

SSLNetVCDetach(this->ssl);

TLSBasicSupport::unbind(this->ssl);

TLSEventSupport::unbind(this->ssl);

ALPNSupport::unbind(this->ssl);

TLSSessionResumptionSupport::unbind(this->ssl);

TLSSNISupport::unbind(this->ssl);

TLSEarlyDataSupport::unbind(this->ssl);

TLSTunnelSupport::unbind(this->ssl);

TLSCertSwitchSupport::unbind(this->ssl);

{

BIO *bio;

if (name == nullptr) {

return;

}

bio = BIO_new(BIO_s_mem());

if (bio == nullptr) {

return;

}

if (X509_NAME_print_ex(bio, name, 0 /* indent */, XN_FLAG_ONELINE) > 0) {

long len;

char *ptr;

len = BIO_get_mem_data(bio, &ptr);

Dbg(dbg_ctl_ssl, "%s %.*s", msg, static_cast<int>(len), ptr);

}

BIO_free(bio);

{

NetState *s = &this->read;

MIOBufferAccessor &buf = s->vio.buffer;

int event = SSL_READ_ERROR_NONE;

int64_t bytes_read = 0;

ssl_error_t sslErr = SSL_ERROR_NONE;

int64_t toread = buf.writer()->write_avail();

ink_release_assert(toread > 0);

if (toread > s->vio.ntodo()) {

toread = s->vio.ntodo();

}

bytes_read = 0;

while (sslErr == SSL_ERROR_NONE && bytes_read < toread) {

int64_t nread = 0;

int64_t block_write_avail = buf.writer()->block_write_avail();

ink_release_assert(block_write_avail > 0);

int64_t amount_to_read = toread - bytes_read;

if (amount_to_read > block_write_avail) {

amount_to_read = block_write_avail;

}

Dbg(dbg_ctl_ssl, "amount_to_read=%" PRId64, amount_to_read);

char *current_block = buf.writer()->end();

ink_release_assert(current_block != nullptr);

sslErr = this->_ssl_read_buffer(current_block, amount_to_read, nread);

Dbg(dbg_ctl_ssl, "nread=%" PRId64, nread);

switch (sslErr) {

case SSL_ERROR_NONE:

#if DEBUG

{

static DbgCtl dbg_ctl{"ssl_buff"};

SSLDebugBufferPrint(dbg_ctl, current_block, nread, "SSL Read");

}

#endif

ink_assert(nread);

bytes_read += nread;

if (nread > 0) {

buf.writer()->fill(nread); // Tell the buffer, we've used the bytes

this->netActivity();

}

break;

case SSL_ERROR_WANT_WRITE:

event = SSL_WRITE_WOULD_BLOCK;

Dbg(dbg_ctl_ssl_error, "SSL_ERROR_WOULD_BLOCK(write)");

break;

case SSL_ERROR_WANT_READ:

event = SSL_READ_WOULD_BLOCK;

Dbg(dbg_ctl_ssl_error, "SSL_ERROR_WOULD_BLOCK(read)");

break;

#ifdef SSL_ERROR_WANT_CLIENT_HELLO_CB

case SSL_ERROR_WANT_CLIENT_HELLO_CB:

event = SSL_READ_WOULD_BLOCK;

Dbg(dbg_ctl_ssl_error, "SSL_ERROR_WOULD_BLOCK(read/client hello cb)");

break;

#endif

case SSL_ERROR_WANT_X509_LOOKUP:

event = SSL_READ_WOULD_BLOCK;

Dbg(dbg_ctl_ssl_error, "SSL_ERROR_WOULD_BLOCK(read/x509 lookup)");

break;

case SSL_ERROR_SYSCALL:

if (nread != 0) {

// not EOF

Metrics::Counter::increment(ssl_rsb.error_syscall);

event = SSL_READ_ERROR;

ret = errno;

Dbg(dbg_ctl_ssl_error, "SSL_ERROR_SYSCALL, underlying IO error: %s", strerror(errno));

} else {

// then EOF observed, treat it as EOS

event = SSL_READ_EOS;

}

break;

case SSL_ERROR_ZERO_RETURN:

event = SSL_READ_EOS;

Dbg(dbg_ctl_ssl_error, "SSL_ERROR_ZERO_RETURN");

break;

case SSL_ERROR_SSL:

default: {

char buf[512];

unsigned long e = ERR_peek_last_error();

ERR_error_string_n(e, buf, sizeof(buf));

event = SSL_READ_ERROR;

ret = errno;

SSLVCDebug(this, "errno=%d", errno);

Metrics::Counter::increment(ssl_rsb.error_ssl);

} break;

} // switch

} // while

if (bytes_read > 0) {

Dbg(dbg_ctl_ssl, "bytes_read=%" PRId64, bytes_read);

s->vio.ndone += bytes_read;

this->netActivity();

ret = bytes_read;

// If we read it all, don't worry about the other events and just send read complete

event = (s->vio.ntodo() <= 0) ? SSL_READ_COMPLETE : SSL_READ_READY;

if (sslErr == SSL_ERROR_NONE && s->vio.ntodo() > 0) {

// We stopped with data on the wire (to avoid overbuffering). Make sure we are triggered

this->read.triggered = 1;

}

} else { // if( bytes_read > 0 )

#if defined(_DEBUG)

if (bytes_read == 0) {

Dbg(dbg_ctl_ssl, "bytes_read == 0");

}

#endif

}

return event;

{

// read data

int64_t r = 0;

int64_t total_read = 0;

int64_t rattempted = 0;

char *buffer = nullptr;

int buf_len;

IOBufferBlock *b = this->handShakeBuffer->first_write_block();

rattempted = b->write_avail();

while (rattempted) {

buffer = b->_end;

buf_len = rattempted;

b = b->next.get();

r = this->con.sock.read(buffer, buf_len);

Metrics::Counter::increment(net_rsb.calls_to_read);

total_read += rattempted;

Dbg(dbg_ctl_ssl, "read_raw_data r=%" PRId64 " rattempted=%" PRId64 " total_read=%" PRId64 " fd=%d", r, rattempted, total_read,

con.sock.get_fd());

// last read failed or was incomplete

if (r != rattempted || !b) {

break;

}

rattempted = b->write_avail();

}

// If we have already moved some bytes successfully, adjust total_read to reflect reality

// If any read succeeded, we should return success

if (r != rattempted) {

// If the first read fails, we should return error

if (r <= 0 && total_read > rattempted) {

r = total_read - rattempted;

} else {

r = total_read - rattempted + r;

}

}

Metrics::Counter::increment(net_rsb.read_bytes, r);

Metrics::Counter::increment(net_rsb.read_bytes_count);

if (!this->haveCheckedProxyProtocol) {

// The PROXY Protocol, by spec, is designed to require only the first TCP packet of bytes

// because it is under typical MTU. So we only need to perform the following inspection on the

// first packet.

this->haveCheckedProxyProtocol = true;

swoc::IPRangeSet *pp_ipmap;

pp_ipmap = SSLConfigParams::proxy_protocol_ip_addrs;

if (this->get_is_proxy_protocol() && this->get_proxy_protocol_version() == ProxyProtocolVersion::UNDEFINED) {

Dbg(dbg_ctl_proxyprotocol, "proxy protocol is enabled on this port");

if (pp_ipmap->count() > 0) {

Dbg(dbg_ctl_proxyprotocol, "proxy protocol has a configured allowlist of trusted IPs - checking");

// Using get_remote_addr() will return the ip of the

// proxy source IP, not the Proxy Protocol client ip.

if (!pp_ipmap->contains(swoc::IPAddr(get_remote_addr()))) {

Dbg(dbg_ctl_proxyprotocol, "Source IP is NOT in the configured allowlist of trusted IPs - closing connection");

r = -ENOTCONN; // Need a quick close/exit here to refuse the connection!!!!!!!!!

goto proxy_protocol_bypass;

} else {

char new_host[INET6_ADDRSTRLEN];

Dbg(dbg_ctl_proxyprotocol, "Source IP [%s] is in the trusted allowlist for proxy protocol",

ats_ip_ntop(this->get_remote_addr(), new_host, sizeof(new_host)));

}

} else {

Dbg(dbg_ctl_proxyprotocol, "proxy protocol DOES NOT have a configured allowlist of trusted IPs but "

"proxy protocol is enabled on this port - processing all connections");

}

auto const stored_r = r;

if (this->has_proxy_protocol(buffer, &r)) {

Dbg(dbg_ctl_proxyprotocol, "ssl has proxy protocol header");

if (dbg_ctl_proxyprotocol.on()) {

IpEndpoint dst;

dst.sa = *(this->get_proxy_protocol_dst_addr());

ip_port_text_buffer ipb1;

ats_ip_nptop(&dst, ipb1, sizeof(ipb1));

DbgPrint(dbg_ctl_proxyprotocol, "ssl_has_proxy_v1, dest IP received [%s]", ipb1);

}

} else {

Dbg(dbg_ctl_proxyprotocol, "proxy protocol was enabled, but Proxy Protocol header was not present");

// We are flexible with the Proxy Protocol designation. Maybe not all

// connections include Proxy Protocol. Revert to the stored value of r so

// we can process the bytes that are on the wire (likely a CLIENT_HELLO).

r = stored_r;

}

}

} // end of Proxy Protocol processing

proxy_protocol_bypass:

if (r > 0) {

this->handShakeBuffer->fill(r);

auto const total_chain_size = this->handShakeReader->read_avail();

this->handShakeBioStored = total_chain_size;

char *buffer_for_bio = this->_getCoalescedHandShakeBuffer(total_chain_size);

// Sets up the buffer as a read only bio target

// Must be reset on each read

BIO *rbio = BIO_new_mem_buf(buffer_for_bio, this->handShakeBioStored);

BIO_set_mem_eof_return(rbio, -1);

SSL_set0_rbio(this->ssl, rbio);

} else {

this->handShakeBioStored = 0;

}

Dbg(dbg_ctl_ssl, "%p read r=%" PRId64 " total=%" PRId64 " bio=%d\n", this, r, total_read, this->handShakeBioStored);

// check for errors

if (r <= 0) {

if (r == -EAGAIN || r == -ENOTCONN) {

Metrics::Counter::increment(net_rsb.calls_to_read_nodata);

}

}

return r;

{

bool retval = false;

if (BIO_eof(SSL_get_rbio(this->ssl)) && this->handShakeReader != nullptr) {

Dbg(dbg_ctl_ssl, "Consuming handShakeBioStored=%d bytes from the handshake reader", this->handShakeBioStored);

this->handShakeReader->consume(this->handShakeBioStored);

this->handShakeBioStored = 0;

// Load up the next block if present

if (this->handShakeReader->is_read_avail_more_than(0)) {

auto const total_chain_size = this->handShakeReader->read_avail();

this->handShakeBioStored = total_chain_size;

char *buffer_for_bio = this->_getCoalescedHandShakeBuffer(total_chain_size);

Dbg(dbg_ctl_ssl, "Adding %d bytes to the ssl rbio", this->handShakeBioStored);

// Sets up the buffer as a read only bio target

// Must be reset on each read

BIO *rbio = BIO_new_mem_buf(buffer_for_bio, this->handShakeBioStored);

BIO_set_mem_eof_return(rbio, -1);

SSL_set0_rbio(this->ssl, rbio);

retval = true;

// Handshake buffer is empty but we have read something, move to the socket rbio

} else if (move_to_socket && this->handShakeHolder->is_read_avail_more_than(0)) {

Dbg(dbg_ctl_ssl, "No other bytes in the handshake reader, moving to socket rbio");

BIO *rbio = BIO_new_socket(this->get_socket(), BIO_NOCLOSE);

BIO_set_mem_eof_return(rbio, -1);

SSL_set0_rbio(this->ssl, rbio);

free_handshake_buffers();

}

}

return retval;

{

int ret;

int64_t r = 0;

int64_t bytes = 0;

NetState *s = &this->read;

if (HttpProxyPort::TRANSPORT_BLIND_TUNNEL == this->attributes) {

this->super::net_read_io(nh);

return;

}

MUTEX_TRY_LOCK(lock, s->vio.mutex, nh->thread);

if (!lock.is_locked()) {

readReschedule(nh);

return;

}

// Got closed by the HttpSessionManager thread during a migration

// The closed flag should be stable once we get the s->vio.mutex in that case

// (the global session pool mutex).

if (this->closed) {

this->super::net_read_io(nh);

return;

}

// If the key renegotiation failed it's over, just signal the error and finish.

if (sslClientRenegotiationAbort == true) {

this->read.triggered = 0;

this->_readSignalError(nh, -ENET_SSL_FAILED);

Dbg(dbg_ctl_ssl, "client renegotiation setting read signal error");

return;

}

// If it is not enabled, lower its priority. This allows

// a fast connection to speed match a slower connection by

// shifting down in priority even if it could read.

if (!s->enabled || s->vio.op != VIO::READ || s->vio.is_disabled()) {

read_disable(nh, this);

return;

}

MIOBufferAccessor &buf = s->vio.buffer;

int64_t ntodo = s->vio.ntodo();

ink_assert(buf.writer());

// Continue on if we are still in the handshake

if (!getSSLHandShakeComplete()) {

int err = 0;

if (get_context() == NET_VCONNECTION_OUT) {

ret = _sslStartHandShake(SSL_EVENT_CLIENT, err);

} else {

ret = _sslStartHandShake(SSL_EVENT_SERVER, err);

}

if (ret == SSL_RESTART) {

// VC migrated into a new object

// Just give up and go home. Events should trigger on the new vc

Dbg(dbg_ctl_ssl, "Restart for allow plain");

return;

}

// If we have flipped to blind tunnel, don't read ahead. We check for a

// non-error return first, though, because if TLS has already failed with

// the CLIENT_HELLO, then there is no need to continue toward the origin

// with the blind tunnel.

if (ret != EVENT_ERROR && this->handShakeReader && this->attributes == HttpProxyPort::TRANSPORT_BLIND_TUNNEL) {

// Now in blind tunnel. Set things up to read what is in the buffer

// Must send the READ_COMPLETE here before considering

// forwarding on the handshake buffer, so the

// SSLNextProtocolTrampoline has a chance to do its

// thing before forwarding the buffers.

this->readSignalDone(VC_EVENT_READ_COMPLETE, nh);

// If the handshake isn't set yet, this means the tunnel

// decision was make in the SNI callback. We must move

// the client hello message back into the standard read.vio

// so it will get forwarded onto the origin server

if (!this->getSSLHandShakeComplete()) {

this->sslHandshakeStatus = SSLHandshakeStatus::SSL_HANDSHAKE_DONE;

// Copy over all data already read in during the SSL_accept

// (the client hello message)

NetState *s = &this->read;

MIOBufferAccessor &buf = s->vio.buffer;

int64_t r = buf.writer()->write(this->handShakeHolder);

s->vio.nbytes += r;

s->vio.ndone += r;

Dbg(dbg_ctl_ssl, "Copied %" PRId64 " TLS handshake bytes to read.vio", r);

// Clean up the handshake buffers

this->free_handshake_buffers();

if (r > 0) {

// Kick things again, so the data that was copied into the

// vio.read buffer gets processed

this->readSignalDone(VC_EVENT_READ_COMPLETE, nh);

}

}

return; // Leave if we are tunneling

}

if (ret == EVENT_ERROR) {

this->read.triggered = 0;

this->_readSignalError(nh, err);

} else if (ret == SSL_HANDSHAKE_WANT_READ || ret == SSL_HANDSHAKE_WANT_ACCEPT) {

if (SSLConfigParams::ssl_handshake_timeout_in > 0) {

double handshake_time = (static_cast<double>(ink_get_hrtime() - this->get_tls_handshake_begin_time()) / 1000000000);

Dbg(dbg_ctl_ssl, "ssl handshake for vc %p, took %.3f seconds, configured handshake_timer: %d", this, handshake_time,

SSLConfigParams::ssl_handshake_timeout_in);

if (handshake_time > SSLConfigParams::ssl_handshake_timeout_in) {

Dbg(dbg_ctl_ssl, "ssl handshake for vc %p, expired, release the connection", this);

read.triggered = 0;

nh->read_ready_list.remove(this);

this->_readSignalError(nh, ETIMEDOUT);

return;

}

}

// move over to the socket if we haven't already

if (this->handShakeBuffer != nullptr) {

bool const in_client_hello =

this->get_handshake_hook_state() == TLSEventSupport::SSLHandshakeHookState::HANDSHAKE_HOOKS_CLIENT_HELLO;

// Only transfer buffers to the socket once the CLIENT_HELLO is

// finished. We need to keep our buffers updated until then in case we

// enter tunnel mode.

Dbg(dbg_ctl_ssl, "Updating our buffers, in CLIENT_HELLO: %s", in_client_hello ? "true" : "false");

read.triggered = update_rbio(!in_client_hello);

} else {

read.triggered = 0;

}

if (!read.triggered) {

nh->read_ready_list.remove(this);

}

readReschedule(nh);

} else if (ret == SSL_HANDSHAKE_WANT_CONNECT || ret == SSL_HANDSHAKE_WANT_WRITE) {

write.triggered = 0;

nh->write_ready_list.remove(this);

writeReschedule(nh);

} else if (ret == EVENT_DONE) {

Dbg(dbg_ctl_ssl, "ssl handshake EVENT_DONE ntodo=%" PRId64, ntodo);

// If this was driven by a zero length read, signal complete when

// the handshake is complete. Otherwise set up for continuing read

// operations.

if (ntodo <= 0) {

readSignalDone(VC_EVENT_READ_COMPLETE, nh);

} else {

read.triggered = 1;

if (read.enabled) {

nh->read_ready_list.in_or_enqueue(this);

}

}

} else if (ret == SSL_WAIT_FOR_HOOK || ret == SSL_WAIT_FOR_ASYNC) {

// avoid readReschedule - done when the plugin calls us back to reenable

} else {

readReschedule(nh);

}

return;

}

// If there is nothing to do or no space available, disable connection

if (ntodo <= 0 || !buf.writer()->write_avail() || s->vio.is_disabled()) {

read_disable(nh, this);

return;

}

// At this point we are at the post-handshake SSL processing

//

// not sure if this do-while loop is really needed here, please replace

// this comment if you know

int ssl_read_errno = 0;

do {

ret = this->_ssl_read_from_net(r);

if (ret == SSL_READ_READY || ret == SSL_READ_ERROR_NONE) {

bytes += r;

}

ink_assert(bytes >= 0);

} while ((ret == SSL_READ_READY && bytes == 0) || ret == SSL_READ_ERROR_NONE);

ssl_read_errno = errno;

if (bytes > 0) {

if (ret == SSL_READ_WOULD_BLOCK || ret == SSL_READ_READY) {

if (readSignalAndUpdate(VC_EVENT_READ_READY) != EVENT_CONT) {

Dbg(dbg_ctl_ssl, "readSignal != EVENT_CONT");

return;

}

}

}

switch (ret) {

case SSL_READ_READY:

readReschedule(nh);

return;

break;

case SSL_WRITE_WOULD_BLOCK:

case SSL_READ_WOULD_BLOCK:

if (lock.get_mutex() != s->vio.mutex.get()) {

Dbg(dbg_ctl_ssl, "mutex switched");

if (ret == SSL_READ_WOULD_BLOCK) {

readReschedule(nh);

} else {

writeReschedule(nh);

}

return;

}

// reset the trigger and remove from the ready queue

// we will need to be retriggered to read from this socket again

read.triggered = 0;

nh->read_ready_list.remove(this);

Dbg(dbg_ctl_ssl, "read finished - would block");

break;

case SSL_READ_EOS:

// close the connection if we have SSL_READ_EOS, this is the return value from ssl_read_from_net() if we get an

// SSL_ERROR_ZERO_RETURN from SSL_get_error()

// SSL_ERROR_ZERO_RETURN means that the origin server closed the SSL connection

read.triggered = 0;

readSignalDone(VC_EVENT_EOS, nh);

if (bytes > 0) {

Dbg(dbg_ctl_ssl, "read finished - EOS");

} else {

Dbg(dbg_ctl_ssl, "read finished - 0 useful bytes read, bytes used by SSL layer");

}

break;

case SSL_READ_COMPLETE:

readSignalDone(VC_EVENT_READ_COMPLETE, nh);

Dbg(dbg_ctl_ssl, "read finished - signal done");

break;

case SSL_READ_ERROR:

this->read.triggered = 0;

this->_readSignalError(nh, (ssl_read_errno) ? ssl_read_errno : -ENET_SSL_FAILED);

Dbg(dbg_ctl_ssl, "read finished - read error");

break;

}

{

int64_t try_to_write;

int64_t num_really_written = 0;

int64_t l = 0;

uint32_t dynamic_tls_record_size = 0;

ssl_error_t err = SSL_ERROR_NONE;

// Dynamic TLS record sizing

ink_hrtime now = 0;

if (SSLConfigParams::ssl_maxrecord == -1) {

now = ink_get_hrtime();

int msec_since_last_write = ink_hrtime_diff_msec(now, sslLastWriteTime);

if (msec_since_last_write > SSL_DEF_TLS_RECORD_MSEC_THRESHOLD) {

// reset sslTotalBytesSent upon inactivity for SSL_DEF_TLS_RECORD_MSEC_THRESHOLD

sslTotalBytesSent = 0;

}

Dbg(dbg_ctl_ssl, "now=%" PRId64 " lastwrite=%" PRId64 " msec_since_last_write=%d", now, sslLastWriteTime,

msec_since_last_write);

}

if (HttpProxyPort::TRANSPORT_BLIND_TUNNEL == this->attributes) {

return this->super::load_buffer_and_write(towrite, buf, total_written, needs);

}

Dbg(dbg_ctl_ssl, "towrite=%" PRId64, towrite);

ERR_clear_error();

do {

// What is remaining left in the next block?

l = buf.reader()->block_read_avail();

char *current_block = buf.reader()->start();

// check if to amount to write exceeds that in this buffer

int64_t wavail = towrite - total_written;

if (l > wavail) {

l = wavail;

}

// TS-2365: If the SSL max record size is set and we have

// more data than that, break this into smaller write

// operations.

//

// TS-4424: Don't mess with record size if last SSL_write failed with

// needs write

if (redoWriteSize) {

l = redoWriteSize;

redoWriteSize = 0;

} else {

if (SSLConfigParams::ssl_maxrecord > 0 && l > SSLConfigParams::ssl_maxrecord) {

l = SSLConfigParams::ssl_maxrecord;

} else if (SSLConfigParams::ssl_maxrecord == -1) {

if (sslTotalBytesSent < SSL_DEF_TLS_RECORD_BYTE_THRESHOLD) {

dynamic_tls_record_size = SSL_DEF_TLS_RECORD_SIZE;

Metrics::Counter::increment(ssl_rsb.total_dyn_def_tls_record_count);

} else {

dynamic_tls_record_size = SSL_MAX_TLS_RECORD_SIZE;

Metrics::Counter::increment(ssl_rsb.total_dyn_max_tls_record_count);

}

if (l > dynamic_tls_record_size) {

l = dynamic_tls_record_size;

}

}

}

if (!l) {

break;

}

try_to_write = l;

num_really_written = 0;

Dbg(dbg_ctl_v_ssl, "b=%p l=%" PRId64, current_block, l);

err = this->_ssl_write_buffer(current_block, l, num_really_written);

// We wrote all that we thought we should

if (num_really_written > 0) {

total_written += num_really_written;

buf.reader()->consume(num_really_written);

}

Dbg(dbg_ctl_ssl, "try_to_write=%" PRId64 " written=%" PRId64 " total_written=%" PRId64, try_to_write, num_really_written,

total_written);

Metrics::Counter::increment(net_rsb.calls_to_write);

} while (num_really_written == try_to_write && total_written < towrite);

if (total_written > 0) {

sslLastWriteTime = now;

sslTotalBytesSent += total_written;

}

redoWriteSize = 0;

if (num_really_written > 0) {

needs |= EVENTIO_WRITE;

} else {

switch (err) {

case SSL_ERROR_NONE:

Dbg(dbg_ctl_ssl, "SSL_write-SSL_ERROR_NONE");

break;

case SSL_ERROR_WANT_READ:

needs |= EVENTIO_READ;

num_really_written = -EAGAIN;

Dbg(dbg_ctl_ssl_error, "SSL_write-SSL_ERROR_WANT_READ");

break;

case SSL_ERROR_WANT_WRITE:

#ifdef SSL_ERROR_WANT_CLIENT_HELLO_CB

case SSL_ERROR_WANT_CLIENT_HELLO_CB:

#endif

case SSL_ERROR_WANT_X509_LOOKUP: {

if (SSL_ERROR_WANT_WRITE == err) {

redoWriteSize = l;

}

needs |= EVENTIO_WRITE;

num_really_written = -EAGAIN;

Dbg(dbg_ctl_ssl_error, "SSL_write-SSL_ERROR_WANT_WRITE");

break;

}

case SSL_ERROR_SYSCALL:

// SSL_ERROR_SYSCALL is an IO error. errno is likely 0, so set EPIPE, as

// we do with SSL_ERROR_SSL below, to indicate a connection error.

num_really_written = -EPIPE;

Metrics::Counter::increment(ssl_rsb.error_syscall);

Dbg(dbg_ctl_ssl_error, "SSL_write-SSL_ERROR_SYSCALL");

break;

// end of stream

case SSL_ERROR_ZERO_RETURN:

num_really_written = -errno;

Dbg(dbg_ctl_ssl_error, "SSL_write-SSL_ERROR_ZERO_RETURN");

break;

case SSL_ERROR_SSL:

default: {

// Treat SSL_ERROR_SSL as EPIPE error.

num_really_written = -EPIPE;

SSLVCDebug(this, "SSL_write-SSL_ERROR_SSL errno=%d", errno);

Metrics::Counter::increment(ssl_rsb.error_ssl);

} break;

}

}

return num_really_written;

{

this->_set_service(static_cast<ALPNSupport *>(this));

this->_set_service(static_cast<TLSBasicSupport *>(this));

this->_set_service(static_cast<TLSEventSupport *>(this));

this->_set_service(static_cast<TLSCertSwitchSupport *>(this));

this->_set_service(static_cast<TLSEarlyDataSupport *>(this));

this->_set_service(static_cast<TLSSNISupport *>(this));

this->_set_service(static_cast<TLSSessionResumptionSupport *>(this));

this->_set_service(static_cast<TLSTunnelSupport *>(this));

{

if (this->ssl != nullptr) {

if (get_context() == NET_VCONNECTION_OUT) {

callHooks(TS_EVENT_VCONN_OUTBOUND_CLOSE);

} else {

callHooks(TS_EVENT_VCONN_CLOSE);

}

if (getSSLHandShakeComplete()) {

int shutdown_mode = SSL_get_shutdown(ssl);

Dbg(dbg_ctl_ssl_shutdown, "previous shutdown state 0x%x", shutdown_mode);

int new_shutdown_mode = shutdown_mode | SSL_RECEIVED_SHUTDOWN;

if (new_shutdown_mode != shutdown_mode) {

// We do not need to sit around and wait for the client's close-notify if

// they have not already sent it. We will still be standards compliant

Dbg(dbg_ctl_ssl_shutdown, "new SSL_set_shutdown 0x%x", new_shutdown_mode);

SSL_set_shutdown(ssl, new_shutdown_mode);

}

// If the peer has already sent a FIN, don't bother with the shutdown

// They will just send us a RST for our troubles

// This test is not foolproof. The client's fin could be on the wire

// at the same time we send the close-notify. If so, the client will likely

// send RST anyway

char c;

ssize_t x = this->con.sock.recv(&c, 1, MSG_PEEK);

// x < 0 means error. x == 0 means fin sent

bool do_shutdown = (x > 0);

if (x < 0) {

do_shutdown = (errno == EAGAIN || errno == EWOULDBLOCK);

}

if (do_shutdown) {

// Send the close-notify

int ret = SSL_shutdown(ssl);

Dbg(dbg_ctl_ssl_shutdown, "SSL_shutdown %s", (ret) ? "success" : "failed");

} else {

// Request a quiet shutdown to OpenSSL

SSL_set_quiet_shutdown(ssl, 1);

SSL_set_shutdown(ssl, SSL_RECEIVED_SHUTDOWN | SSL_SENT_SHUTDOWN);

Dbg(dbg_ctl_ssl_shutdown, "Enable quiet shutdown");

}

}

}

// Go on and do the unix socket cleanups

super::do_io_close(lerrno);

{

if (get_tunnel_type() == SNIRoutingType::BLIND) {

// we don't have TLS layer control of blind tunnel

UnixNetVConnection::do_io_shutdown(howto);

return;

}

switch (howto) {

case IO_SHUTDOWN_READ:

// No need to call SSL API

// SSL_shutdown() sends the close_notify alert to the peer and it only closes the write direction.

// The read direction will be closed by the peer.

read.enabled = 0;

read.vio.buffer.clear();

read.vio.nbytes = 0;

read.vio.cont = nullptr;

f.shutdown |= NetEvent::SHUTDOWN_READ;

break;

case IO_SHUTDOWN_WRITE:

SSL_shutdown(ssl);

write.enabled = 0;

write.vio.buffer.clear();

write.vio.nbytes = 0;

write.vio.cont = nullptr;

f.shutdown |= NetEvent::SHUTDOWN_WRITE;

break;

case IO_SHUTDOWN_READWRITE:

SSL_shutdown(ssl);

read.enabled = 0;

write.enabled = 0;

read.vio.buffer.clear();

read.vio.nbytes = 0;

write.vio.buffer.clear();

write.vio.nbytes = 0;

read.vio.cont = nullptr;

write.vio.cont = nullptr;

f.shutdown = NetEvent::SHUTDOWN_READ | NetEvent::SHUTDOWN_WRITE;

break;

default:

ink_assert(!"not reached");

}

{

_ca_cert_file.reset();

_ca_cert_dir.reset();

// SSL_SESSION_free() must only be called for SSL_SESSION objects,

// for which the reference count was explicitly incremented (e.g.

// by calling SSL_get1_session(), see SSL_get_session(3)) or when

// the SSL_SESSION object was generated outside a TLS handshake

// operation, e.g. by using d2i_SSL_SESSION(3). It must not be called

// on other SSL_SESSION objects, as this would cause incorrect

// reference counts and therefore program failures.

// Since we created the shared pointer with a custom deleter,

// resetting here will decrement the ref-counter.

client_sess.reset();

if (ssl != nullptr) {

SSL_free(ssl);

ssl = nullptr;

}

ALPNSupport::clear();

TLSBasicSupport::clear();

TLSEventSupport::clear();

TLSSessionResumptionSupport::clear();

TLSSNISupport::_clear();

TLSTunnelSupport::_clear();

TLSCertSwitchSupport::_clear();

sslHandshakeStatus = SSLHandshakeStatus::SSL_HANDSHAKE_ONGOING;

sslLastWriteTime = 0;

sslTotalBytesSent = 0;

sslClientRenegotiationAbort = false;

hookOpRequested = SslVConnOp::SSL_HOOK_OP_DEFAULT;

free_handshake_buffers();

super::clear();

{

ink_release_assert(t == this_ethread());

// close socket fd

if (con.sock.is_ok()) {

release_inbound_connection_tracking();

Metrics::Gauge::decrement(net_rsb.connections_currently_open);

}

con.close();

if (is_tunnel_endpoint()) {

ink_assert(get_context() != NET_VCONNECTION_UNSET);

Metrics::Gauge::decrement(([&]() -> Metrics::Gauge::AtomicType * {