SourceForge has been redesigned. Learn more.
Close

Possible bug in CyaSSL SSL_accept( )

Developers
elsevers
2010-11-04
2013-04-23
  • elsevers

    elsevers - 2010-11-04

    Hello,

    I have found what I believe to be a bug in SSL_accept( ). When using non-blocking I/O, if the complete certificate chain cannot fit in one outgoing send-to-BIO, CyaSSL goes into an infinite loop attempting to send the certificate chain over and over. The problem seems to be that the wrong state variable is being incremented when the transmit buffer is finally emptied.

    Here is the code as is:  (from SSL_accept() )

    if (ssl->buffers.outputBuffer.length > 0) {
                if ( (ssl->error = SendBuffered(ssl)) == 0) {
                    ssl->options.connectState++;        
                    CYASSL_MSG("accept state: Advanced from buffered send");
                }            
            }
    

    Here is what I think it should be:

            if (ssl->buffers.outputBuffer.length > 0) {
                if ( (ssl->error = SendBuffered(ssl)) == 0) {
                    ssl->options.acceptState++;     /*ELS changed from connectState++ to acceptState++  */
                    CYASSL_MSG("accept state: Advanced from buffered send");
                }
    

    Is this the proper place to post such things - or would you prefer I move over to the new forum on yassl.com?

    Also, are you still planning to add the ability to generate unsigned certificates (that a standard certificate authority can then sign)?

    Thanks!

     
  • Todd Ouska

    Todd Ouska - 2010-11-04

    Thanks for the report and fix!  I've seen SSL clients run into that issue with non-blocking sockets, especially on embedded systems.  But I haven't on the server.  What system are you on?

    Do you think we should add a bug report category to the new forums?  Go ahead and post to whichever one you like though we'd prefer the new forums I guess just to show it's being used :)

    The next release will allow CA signed cert generation but there won't be an intermediate output where certs can be sent to other signers (just CyaSSL CA signing).  Do you think another tool that provides intermediate certs would be useful?  Is there anything wrong with the tools people are currently using or things you'd like to see improved?

    Thanks again for the fix.

     
  • elsevers

    elsevers - 2010-11-05

    Hi,

    I am going to go ahead and reply to your questions on the new forum. :-)

    I'll copy in your text.

    -Eric

     

Log in to post a comment.