[openssl-users] Root-Level queries while using SSL-connections wrapping "sockets"

Viktor Dukhovni openssl-users at dukhovni.org
Fri Oct 7 09:55:04 UTC 2016

On Fri, Oct 07, 2016 at 12:28:46PM +0530, Ajay Garg wrote:

> I realise I am still stuck with the original issue.

Failure to read the documentation closely.

> Also, how do "bio1" and "bio2" communicate in case of non-ideal
> scenarios (timeouts, errors)?

They don't, you move all the data.  All reads/writes by OpenSSL will
return SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE when the requisite
data is not already buffered.  At that point you do the requsite
I/O and copy data into and out of the network bio.

First, do all pending writes:

    BIO_read(network_bio, ...)

    ... write the opaque ciphertext to the underlying socket-like
    ... thing when it is writable, take to not block or drop
    ... the ciphertext on the floor if you do.

then if SSL_ERROR_WANT_READ, find out how much OpenSSL wants to
read, and read that much data from the underlying socket-like thing
and copy its (opaque ciphertext) into the network bio:

    BIO_write(network_bio, ...)

A double-buffer (separate read/write) between the socket and SSL
may make the logic simpler, but the write side must be flushed
whenever to the SSL network BIO becomes empty, to avoid deadlock.
And of course avoid blocking on reads when it is OpenSSL's turn to
write.  In general you have an event loop, a non-blocking socket
thingy, and select/poll/... read/write or both depending on
SSL_ERROR_WANT_READ/WRITE and the state of any intermediate buffers
you're managing.

A careful read of the manpage will expose all these facilities.


More information about the openssl-users mailing list