[openssl-users] SSL_read, SSL_write error handling
Alex Hultman
alexhultman at gmail.com
Thu Sep 15 05:18:52 UTC 2016
I did find a very good explanation here:
https://mta.openssl.org/pipermail/openssl-users/2015-March/000709.html
The idea of "what SSL wants" and "what the app wants" is a very good
explanation. This is the pseudocode I'm working with currently:

io_callback(events) {
    if (messages_to_send && (events & OS_WRITABLE)) {
        SSL_write(.....);
        if (error) {
            if (error_is_want_read) {
                system_poll &= OS_READABLE;
            } else if (error_is_want_write) {
                system_poll &= OS_WRITABLE;
            }
            update_os_poll(system_poll);
            return;
        } else {
            // emit send success to app
        }
    } else if (app_wants_data && (events & OS_READABLE)) {
        SSL_read(.....);
        if (error) {
            if (error_is_want_read) {
                system_poll &= OS_READABLE;
            } else if (error_is_want_write) {
                system_poll &= OS_WRITABLE;
            }
            update_os_poll(system_poll);
            return;
        } else {
            // emit the data to app
        }
    }
}

This code is probably not 100% correct, but should show my design pretty
clearly. One needs to do what YOU want, combined with what SSL wants.
However, the question still remains - is it ALLOWED to perform SSL_read before
SSL_write, when a previous call to SSL_write failed with WANT_READ?
2016-09-15 7:01 GMT+02:00 Viktor Dukhovni <openssl-users at dukhovni.org>:
> On Thu, Sep 15, 2016 at 05:07:22AM +0200, Alex Hultman wrote:
>
> > If SSL_write returns the error SSL_ERROR_WANT_READ, am I then allowed to
> > call SSL_read before I have called SSL_write?
>
> WANT_READ means that OpenSSL *internally* needs to read some (often
> ciphertext) bytes from the peer, and that since the socket is
> non-blocking or you're using BIO_pairs, ... the application must
> wait for data to arrive (poll(), select(), ...) and then retry
> the call once the socket becomes readable.
>
> It is not an invitation to read *application* layer data, which
> would typically also fail for lack of anything to read at that
> moment.
>
> * WANT_READ -- Select the socket for read, and retry
> the original function (handshake, read or write) once
> the socket is readable.
>
> * WANT_READ -- Select the socket for write, and retry
> the original function (handshake, read or write) once
> the socket becomes writable.
>
> Again, these are not a request for the application to *consume*
> data, rather the application needs to retry once the socket is
> ready for the requested operation. OpenSSL will internally
> read or write to the socket.
>
> --
> Viktor.
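
An added sketch (not code from this thread or from OpenSSL) of the bookkeeping the quoted reply implies: remember which call is pending and which socket event it waits for, poll for that event, and retry that same call. `struct conn`, `poll_mask`, `next_op` and the WANT_*/DO_* constants are hypothetical names; in a real program the blocked state would be recorded from SSL_get_error(), and retrying a blocked call before starting any other is an assumption of this sketch, not something the thread settles.

```c
#include <stdio.h>
/* All names are hypothetical; OS_* echo the pseudocode in the post. */
enum { OS_READABLE = 1, OS_WRITABLE = 2 };
enum want { WANT_NONE, WANT_READ, WANT_WRITE }; /* as SSL_get_error() reports */
enum { DO_NONE, DO_WRITE, DO_READ };

struct conn {
    int messages_to_send;    /* app has plaintext queued for SSL_write */
    int app_wants_data;      /* app wants plaintext from SSL_read */
    enum want write_blocked; /* what the last SSL_write is waiting for */
    enum want read_blocked;  /* what the last SSL_read is waiting for */
};

/* Event a call waits for: what SSL asked for when a retry is pending,
 * otherwise the direction the call would naturally use. */
static int op_event(enum want blocked, int natural)
{
    if (blocked == WANT_READ)  return OS_READABLE;
    if (blocked == WANT_WRITE) return OS_WRITABLE;
    return natural;
}

/* Mask for poll/epoll: union of the events each wanted call waits for. */
int poll_mask(const struct conn *c)
{
    int m = 0;
    if (c->messages_to_send) m |= op_event(c->write_blocked, OS_WRITABLE);
    if (c->app_wants_data)   m |= op_event(c->read_blocked, OS_READABLE);
    return m;
}

/* Next call to make for the reported events. A call pending retry goes
 * first (assumption of this sketch), then a fresh write, then a read. */
int next_op(const struct conn *c, int events)
{
    int w = c->messages_to_send && (events & op_event(c->write_blocked, OS_WRITABLE));
    int r = c->app_wants_data && (events & op_event(c->read_blocked, OS_READABLE));
    if (w && c->write_blocked != WANT_NONE) return DO_WRITE;
    if (r && c->read_blocked != WANT_NONE)  return DO_READ;
    return w ? DO_WRITE : (r ? DO_READ : DO_NONE);
}

int main(void)
{
    /* Constructed state: an earlier SSL_write failed with WANT_READ. */
    struct conn c = { 1, 1, WANT_READ, WANT_NONE };
    printf("poll=%d next=%d\n", poll_mask(&c), next_op(&c, OS_READABLE));
    return 0;
}
```

After each call the caller clears or updates `write_blocked` / `read_blocked` from the new result and passes `poll_mask()` to its poller again.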