> Encapsulated SSL data comes in records/packets. When you select()
> some descriptor for read, and select() gives you such a hit, you start
> reading data from SSL buffers. And now we may have some problems.
> If you retry SSL_read() until you get WANT_READ, then
> you will get all data from the SSL layer to your application buffers
> and now you may select() again.

        Right, WANT_READ is specifically telling you to 'select' for readability.

> But if you read once (or not until WANT_READ), there may be
> data left in the SSL layer and now you cannot select() (or you should
> not select() - this depends on the upper layer protocol).

        Right, you should *never* 'select' unless the SSL layer tells you to.

> For example, if we have 400 bytes in the SSL layer and you read only
> 100, then we have 300 bytes in the SSL layer and now waiting in select()
> may give you a hang. For such a purpose the SSL_pending() function exists,
> which can tell you whether the SSL buffers have some data or not. If they
> have, you simply call SSL_read(); if not, you select().
> Of course, if you perform "incremental" SSL_read() until
> WANT_READ then you will have all data from SSL and you may select()
> without calling SSL_pending().

        Right, you don't need SSL_pending. The more logical approach (IMO) is
that when you want to read some data, you call SSL_read. You 'select' for read
if and only if an SSL function (either SSL_read or SSL_write) gives you a
WANT_READ indication. The same goes for writing.

        You should never assume that the SSL layer wants to read encrypted data
from the socket just because you are reading unencrypted data from the SSL
layer. That assumption may or may not be true, and can deadlock you when
it's false. Treat the SSL layer as a black box, don't assume you know what
it needs to do -- it specifically returns the WANT_* indications for this
purpose.

        DS


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
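
The 400/100/300-byte case from the thread, as an added example that is not part of the original message and is not OpenSSL code. `toy_ssl`, `toy_read` and `TOY_WANT_READ` are hypothetical stand-ins for the SSL layer, SSL_read() and the WANT_READ indication; the model assumes one record is pulled from the socket and decrypted in a single step.

```c
#include <stddef.h>
#include <stdio.h>
/* Toy model (hypothetical names, not OpenSSL): one record, decrypted whole. */
enum { TOY_WANT_READ = -1 };
struct toy_ssl { size_t sock_bytes, plain_bytes; }; /* on socket / in layer */

/* What select() reports: it sees the socket only, never plain_bytes. */
static int toy_socket_readable(const struct toy_ssl *s) { return s->sock_bytes > 0; }

/* Stand-in for SSL_read(): WANT_READ only when layer and socket are empty. */
static int toy_read(struct toy_ssl *s, size_t want)
{
    if (s->plain_bytes == 0) {
        if (s->sock_bytes == 0)
            return TOY_WANT_READ;
        s->plain_bytes = s->sock_bytes;  /* record leaves the socket */
        s->sock_bytes = 0;
    }
    size_t n = want < s->plain_bytes ? want : s->plain_bytes;
    s->plain_bytes -= n;
    return (int)n;
}

/* One read per select() hit; returns bytes stranded when select() blocks. */
size_t read_once_per_select(struct toy_ssl *s, size_t chunk, size_t *got)
{
    for (*got = 0; toy_socket_readable(s); ) {
        int n = toy_read(s, chunk);
        if (n > 0) *got += (size_t)n;
    }
    return s->plain_bytes;
}

/* Read until WANT_READ, and only then go back to select(). */
size_t read_until_want_read(struct toy_ssl *s, size_t chunk, size_t *got)
{
    int n;
    for (*got = 0; (n = toy_read(s, chunk)) != TOY_WANT_READ; )
        *got += (size_t)n;
    return s->plain_bytes;
}

int main(void)
{
    struct toy_ssl a = {400, 0}, b = {400, 0};  /* constructed input */
    size_t ga, gb, la = read_once_per_select(&a, 100, &ga);
    size_t lb = read_until_want_read(&b, 100, &gb);
    printf("per-select: got %zu stranded %zu; drain: got %zu stranded %zu\n", ga, la, gb, lb);
    return 0;
}
```

With real OpenSSL the same decision is driven by SSL_get_error() returning SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE after SSL_read() or SSL_write().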
