[openssl-users] Root-Level queries while using SSL-connections wrapping "sockets"

Ajay Garg ajaygargnsit at gmail.com
Sun Oct 9 18:12:12 UTC 2016

On Sun, Oct 9, 2016 at 10:55 PM, Viktor Dukhovni
<openssl-users at dukhovni.org> wrote:
>> On Oct 9, 2016, at 10:47 AM, Ajay Garg <ajaygargnsit at gmail.com> wrote:
>>> However, it might sometimes return SSL_ERROR_WANT_READ, in which
>>> case, the SSL layer wants to read, even though the application
>>> wants to write.  Your job is to do the read on the SSL layer's
>>> behalf, and then retry the write.
>> For this particular sub-case, let's say SSL-layer wants to obtain "n"
>> bytes from the socket/wire.
>> So, in this case, is it ok to do a blocking-read on the socket, unless
>> "n" bytes are received (of course, a socket "error" will be handled in
>> the blocking-call; it's just that any socket-timeouts will not be
>> considered).
> Yes, you can do a blocking read (provided you have already flushed all
> pending writes).

Thanks a ton Viktor for the reply.

(Yes, in the above case I mentioned, all pending writes would have
been flushed).

Also, I will be grateful if you could let me know if ANY of the
sub-flows in ANY of the flows below is wrong, remembering that "bio1"
is the SSL-BIO where the app-payload-bytes are written in, and "bio2"
is the IN-MEMORY-BIO where the app-payload-encrypted-bytes emerge.

        app   <==>   bio1   <==>    bio2   <==>   socket

Also, for all my cases, Nagle's algorithm has been disabled on the
client as well as the server, so every write (at client/server)
constitutes a packet-transferred.


           BIO_write(bio1, buf, n)

return a positive, non-zero return-value other than "n"?
In other words, is it possible that only partial-bytes are written?

Let's say

           BIO_write(bio1, buf, n)

was successful in writing "n" bytes to "bio1".

So, will ALL the app-payload-encrypted-bytes be available at "bio2"
immediately in a synchronous manner (so that they can be immediately
sent to the server over the wire) ?

Implicit in this workflow is my assumption that SSL too builds up a
packet for every BIO_write done over "bio1".

Will the following sequence happen exactly as follows ::

   App wants to read some bytes, but in a probing manner (bytes
may/may-not have been sent by server).

   Now, currently, "bio1", "bio2", "socket" are in clean-state.
   Nothing is pending "in the real sense" to be written/read anywhere.

   When app does


   SSL_ERROR_WANT_READ would be returned (after all, "bio1" cannot
provide any app-payload-bytes unless it
   has received any app-payload-encrypted-bytes from server).



   would return 0.

   So, we try reading 1 byte from the socket (in a non-blocking
manner, obviously).
   IFFFF successful, we write the 1 byte into "bio2" (and so, "bio1"
will get the smell of a new encrypted packet).

   Thereafter, when app again does


   (assuming we do not hit any re-negotiation case in this cycle) this time,


   will return a non-zero value "n".

  We read the "n" bytes over the wire, and write them to "bio2".

  Finally, the "m" decrypted-packet-bytes will be available at "bio1",
from the encrypted-packet
  of length "n+1" bytes.

Is my story of 8-points in case c) correct? :)

I am sorry for bothering you so much, but I can take comfort from the
fact that such idiotic questions will help noobs like me integrate
openssl faster, with better understanding of the internals, which will
obviously lead to slicker code.

Thanks again to everyone for the help so far ....

Thanks and Regards,

> --
>         Viktor.
> --
> openssl-users mailing list
> To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


More information about the openssl-users mailing list