buffering/blocking in chained BIOs

samrobin samrobin at protonmail.com
Tue Aug 10 12:30:08 UTC 2021 

Hello,

I am trying to implement the following chain:
SSL BIO <-> cipher BIO <-> socket BIO (wrapped around a TCP socket())

There are two aspects of this setup that I can't find enough documentation on: the buffering aspect and the blocking/non-blocking aspect.

buffering:
When feeding data to the cipher BIO, we have to call BIO_flush() on the final chunk to let it pad it and send it off, how does this behave when I have a cipher BIO appended to an SSL BIO in a chain? I would be writing to the SSL BIO using BIO_write(). I.E. this setup would make both application and non-application data from the SSL connection to be encrypted through the cipher BIO.
How would I make sure then, that the cipher BIO doesn't buffer up some critical [handshake non-application data] or some sent application data? Do I just call BIO_flush() after every BIO_write() I do to the SSL BIO? If I do that, will the added padding interfere with the SSL protocol talking to each other, since it is adding padding data? I assume the cipher BIO on the other end will be stripping that padded data off, am I right?
Since the cipher BIO processes data from and to the SSL BIO this makes it even more complicated due to implicit non-application data being written/read by the SSL BIO. What happens if the cipher BIO buffers a bit of application data (because it is too few) and thus the SSL BIO on the other side assumes some error so it sends a response which is big enough to get through the cipher BIO, the SSL BIO then responds to that which makes the old buffered data go through, messing up the handshaking or whatever completely. How do you advice I should handle this?

For the socket BIO wrapped around the TCP socket(), what happens if the underlying TCP socket dies or has a low throughput? Does the socket BIO buffer data fed into it until it can feed it down to the TCP socket? How much data can it buffer until it fills up? Is there some error value I can examine?

Should I just give this chain up completely and use BIOs individually and setup dynamic heap buffers between them to handle any buffering behaviour?

blocking:
How do I determine if BIO_write()/BIO_read() on the SSL BIO are blocking here? Will any BIO down the chain block at any point? Why / Why not?

Much thanks in advance.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <https://mta.openssl.org/pipermail/openssl-users/attachments/20210810/56236873/attachment-0001.html>

More information about the openssl-users mailing list