writev over OpenSSL

Viktor Dukhovni openssl-users at dukhovni.org
Sun Feb 2 18:09:36 UTC 2020


On Sun, Feb 02, 2020 at 05:28:19PM +0000, Salz, Rich via openssl-users wrote:

> TLS/TLS will take your data and wrap it inside its own record
> structure.  It has to, that’s the nature of the protocol.  Thinking
> that a single writev() is “encrypt buffers and then do analogous
> syscall” is wrong.

Right, the encryption is not in place, the user's data is copied for
encryption, by which point there's no incentive for a writev between
OpenSSL and the socket.

What could be useful to the OP is some equivalent to "cork" and
"uncork", that tell OpenSSL to not send anything until it has
accumulated a maximal size TLS record or the user "uncorks"
first. 

This could allow the OP to do multiple SSL_write calls from his
iovec, that would be buffered internally in OpenSSL, removing the
need for the user to copy the data before OpenSSL copies it again.

If the OP is actually looking for in-place encryption, that's not
generally possible with every block cipher mode.  OCB can do in-place
encryption, but OpenSSL presents a general-purpose API.  And one
should, it seems, avoid OCB2:

    https://en.wikipedia.org/wiki/OCB_mode#Attacks

-- 
    Viktor.
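A userland approximation of that cork/uncork idea, as an added example that is not from the thread or from OpenSSL: `tls_writev` gathers an iovec into full-size TLS records before handing each one to an SSL_write-style callback, so many small buffers produce few records rather than one record per buffer; it still pays the user-side copy the post wants to remove, because without a real cork inside OpenSSL the record boundary has to be assembled by the caller. The `write_fn` type, `tls_writev` and the recording stand-in `rec_write` are assumed names, and a real caller would wrap `SSL_write` to the callback signature.

```c
#include <string.h>
#include <sys/uio.h>   /* struct iovec, as used by writev(2) */
/* Largest plaintext a single TLS record may carry (2^14, RFC 8446 section 5.1). */
#define TLS_MAX_PLAINTEXT 16384
/* Assumed writer callback with an SSL_write()-like contract: bytes written (> 0) or <= 0 on error. */
typedef int (*write_fn)(void *ctx, const unsigned char *buf, size_t len);
/* Push one record-sized chunk, retrying on short writes (only seen with SSL_MODE_ENABLE_PARTIAL_WRITE). */
static int flush_chunk(write_fn w, void *ctx, const unsigned char *buf, size_t len) {
    for (size_t off = 0; off < len; ) {
        int n = w(ctx, buf + off, len - off);
        if (n <= 0) return -1;
        off += (size_t)n;
    }
    return 0;
}
/* Userland "cork": gather iov[0..iovcnt) into full-size records before each write,
   so N small buffers do not become N small TLS records (each with its own header,
   padding and tag). Returns total bytes handed to w, or -1 on the first failed write. */
long tls_writev(write_fn w, void *ctx, const struct iovec *iov, int iovcnt) {
    unsigned char stage[TLS_MAX_PLAINTEXT]; size_t fill = 0; long total = 0;
    for (int i = 0; i < iovcnt; i++) {
        const unsigned char *p = iov[i].iov_base;
        for (size_t left = iov[i].iov_len; left > 0; ) {
            size_t take = TLS_MAX_PLAINTEXT - fill;
            if (take > left) take = left;
            memcpy(stage + fill, p, take);     /* the user-side copy a real cork in OpenSSL would avoid */
            fill += take; p += take; left -= take;
            if (fill == TLS_MAX_PLAINTEXT) {   /* full record: flush it, stay corked */
                if (flush_chunk(w, ctx, stage, fill) < 0) return -1;
                total += (long)fill; fill = 0;
            }
        }
    }
    if (fill > 0) {                            /* "uncork": push the final, short record */
        if (flush_chunk(w, ctx, stage, fill) < 0) return -1;
        total += (long)fill;
    }
    return total;
}
/* Constructed stand-in for SSL_write: counts calls, tracks the largest chunk,
   caps each write at `cap` bytes (0 = no cap) and fails outright when `fail` is set. */
struct rec { int calls; size_t largest; size_t cap; int fail; };
int rec_write(void *ctx, const unsigned char *buf, size_t len) {
    struct rec *r = ctx; (void)buf;
    if (r->fail) return -1;
    if (r->cap && len > r->cap) len = r->cap;
    r->calls++; if (len > r->largest) r->largest = len;
    return (int)len;
}
```

Against a real SSL object the callback would call SSL_write(ssl, buf, (int)len) and the caller must still handle SSL_ERROR_WANT_WRITE retries on non-blocking sockets, re-presenting the same staged buffer.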

