[openssl-users] DTLS fragmentation and mem BIO

Lorenzo Miniero lminiero at gmail.com
Tue Sep 6 13:55:31 UTC 2016


2015-06-05 20:42 GMT+02:00 Lorenzo Miniero <lminiero at gmail.com>:

> 2015-06-05 20:18 GMT+02:00 Matt Caswell <matt at openssl.org>:
>
>>
>> I see you got it working! Just some comments below
>>
>> On 05/06/15 12:34, Lorenzo Miniero wrote:
>> > I've started looking into filters and I have some doubts, though, also
>> > taking into account what you suggested, and I apologize again if this
>> > turns out to be silly. As far as I've understood, what I should do is
>> > changing the current pattern I use for outgoing packets:
>> >
>> >       application < memBIO < ssl
>> >
>> > to something like this:
>> >
>> >       application < memBIO < filter < ssl
>> >
>> > or this:
>> >
>> >       application < filter < memBIO < ssl
>> >
>> > that is, a new BIO filter that enforces the fragmentation I talked
>> > about. Not exactly sure about which one should be the way to go, but
>> > I've given this some thought.
>>
>> I took a very brief look at your code and I see you went with the first
>> option. That's fine, although I would have done it slightly differently:
>>
>> application <--   -- ssl
>>               |   |
>>               |   V
>>               filter
>>               ^   V
>>               memBIO
>>
>> i.e. the filter does all the reading and writing to the memBIO. libssl
>> calls BIO_write(), the filter takes note of the packet sizes, and then
>> writes to the memBIO. When the application wants to read data it calls
>> BIO_read on the filter, and the filter figures out how big the packet
>> needs to be and reads that amount out of the memBIO. Your way works too
>> though.
>>
>> Matt
>>
>
>
> Ah I didn't know that was an option: I'm quite unfamiliar with how BIO
> filters worked, and so I just went with what made sense to me while
> experimenting with them. I'll try doing something along the lines you
> suggested as soon as I have some time, thanks!
>
> Lorenzo
>
>

Apologies for reviving this old thread, but a user of my project made me
notice that my code doesn't compile on OpenSSL 1.1.0 anymore. Apparently
the cause is that some structures have been made opaque in the new version. In
my case, the structure that breaks the code is BIO, as I used some of its
previously public properties in my filter. Is there any transition
documentation page that can help with figuring out how I can adapt it
accordingly? Or is the way my filter was written at the time hopelessly
broken now, and is a different approach to do the same needed?

Thanks!
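
The layout described in the quoted reply (the filter notes each write's size, then hands back one packet per read), modelled in plain C as an added example; it is not code from this thread or from OpenSSL. A byte FIFO stands in for the mem BIO, no OpenSSL API is used, and the names `frag_filter`, `ff_write`, `ff_read` and the buffer sizes are assumptions.

```c
#include <stdio.h>
#include <string.h>

#define STREAM_CAP 8192                  /* constructed sizes for this model */
#define MAX_PKTS   64
struct frag_filter {
    unsigned char stream[STREAM_CAP];    /* bytes as the mem BIO would hold them */
    size_t head, tail;                   /* read / write offsets into stream */
    size_t sizes[MAX_PKTS];              /* one entry per write from libssl */
    size_t first, count;                 /* ring of pending packet sizes */
};

/* Write side: what the filter does when libssl calls BIO_write(). */
int ff_write(struct frag_filter *f, const void *buf, size_t len)
{
    if (len == 0 || f->count == MAX_PKTS || len > STREAM_CAP - f->tail)
        return -1;                       /* refuse rather than merge or drop */
    memcpy(f->stream + f->tail, buf, len);
    f->tail += len;
    f->sizes[(f->first + f->count++) % MAX_PKTS] = len;
    return (int)len;
}

/* Read side: return exactly one recorded packet, never a merged run. */
int ff_read(struct frag_filter *f, void *out, size_t outlen)
{
    if (f->count == 0) return 0;         /* nothing pending */
    size_t len = f->sizes[f->first];
    if (outlen < len)
        return -1;                       /* buffer too small: packet stays queued */
    memcpy(out, f->stream + f->head, len);
    f->head += len;
    f->first = (f->first + 1) % MAX_PKTS;
    if (--f->count == 0)
        f->head = f->tail = 0;           /* drained: reuse the buffer from the start */
    return (int)len;
}

int main(void)
{
    static struct frag_filter f;         /* zero-initialised */
    unsigned char a[1200] = {0}, b[300] = {0}, out[1500];
    ff_write(&f, a, sizeof a);           /* two records written back to back */
    ff_write(&f, b, sizeof b);
    int first = ff_read(&f, out, sizeof out);
    int second = ff_read(&f, out, sizeof out);
    printf("%d then %d bytes\n", first, second);   /* 1200 then 300, not 1500 */
    return 0;
}
```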