Through usage of the dedicated flag _sslio_closing we do manage to prevent getting stuck up in low_read/low_write (BearSSLClient::clientRead/clientWrite.

aentinger · aentinger · commit 0f70b6862f94 · 2021-03-01T08:41:22.000+01:00
diff --git a/src/tls/BearSSLClient.cpp b/src/tls/BearSSLClient.cpp
@@ -36,6 +36,10 @@
 
 extern "C" void aiotc_client_profile_init(br_ssl_client_context *cc, br_x509_minimal_context *xc, const br_x509_trust_anchor *trust_anchors, size_t trust_anchors_num);
 
+
+bool BearSSLClient::_sslio_closing = false;
+
+
 BearSSLClient::BearSSLClient(Client* client, const br_x509_trust_anchor* myTAs, int myNumTAs, GetTimeCallbackFunc func) :
   _client(client),
   _TAs(myTAs),
@@ -156,6 +160,7 @@ void BearSSLClient::stop()
 {
   if (_client->connected()) {
     if ((br_ssl_engine_current_state(&_sc.eng) & BR_SSL_CLOSED) == 0) {
+      BearSSLClient::_sslio_closing = true;
       br_sslio_close(&_ioc);
     }
 
@@ -258,6 +263,9 @@ int BearSSLClient::errorCode()
 
 int BearSSLClient::connectSSL(const char* host)
 {
+  /* Ensure this flag is cleared so we don't terminate a just starting connection. */
+  _sslio_closing = false;
+
   // initialize client context with all necessary algorithms and hardcoded trust anchors.
   aiotc_client_profile_init(&_sc, &_xc, _TAs, _numTAs);
 
@@ -313,8 +321,18 @@ int BearSSLClient::connectSSL(const char* host)
 
 // #define DEBUGSERIAL Serial
 
+/* Define the prototype so that it can be found by the compiler,
+ * the correct function is then assigned at link time.
+ */
+extern "C" void br_ssl_engine_fail(br_ssl_engine_context *rc, int err);
+
 int BearSSLClient::clientRead(void *ctx, unsigned char *buf, size_t len)
 {
+  if (BearSSLClient::_sslio_closing) {
+    br_ssl_engine_fail(reinterpret_cast<br_sslio_context *>(ctx)->engine, BR_ERR_IO);
+    return -1;
+  }
+
   Client* c = (Client*)ctx;
 
   if (!c->connected()) {
@@ -346,6 +364,11 @@ int BearSSLClient::clientRead(void *ctx, unsigned char *buf, size_t len)
 
 int BearSSLClient::clientWrite(void *ctx, const unsigned char *buf, size_t len)
 {
+  if (BearSSLClient::_sslio_closing) {
+    br_ssl_engine_fail(reinterpret_cast<br_sslio_context *>(ctx)->engine, BR_ERR_IO);
+    return -1;
+  }
+
   Client* c = (Client*)ctx;
 
 #ifdef DEBUGSERIAL
diff --git a/src/tls/BearSSLClient.h b/src/tls/BearSSLClient.h
@@ -98,6 +98,7 @@ class BearSSLClient : public Client {
   br_x509_certificate _ecCert;
   bool _ecCertDynamic;
 
+  static bool _sslio_closing;
   br_ssl_client_context _sc;
   br_x509_minimal_context _xc;
   unsigned char _ibuf[BEAR_SSL_CLIENT_IBUF_SIZE];
