On Fri, Aug 24, 2007 at 01:33:17PM +0300, Arne Ansper wrote: > On Mon, 26 Jun 2006, Darryl Miles wrote: >> Bodo Moeller wrote:
>>> When using SSL_write() over a non-blocking transport channel, you may >>> have to call SSL_write() multiple times until all your data has been >>> transferred. In this case, the data buffer needs to stay constant >>> between calls until SSL_write() finally returns a positive number >>> since (unless you are using SSL_MODE_ENABLE_PARTIAL_WRITE) some of the >>> calls to SSL_write() may read some of your data, and if the buffer >>> changes, you might end up inadvertantly transferring incoherent data. >>> To help detect such potential application bugs, OpenSSL includes a >>> simple sanity check -- if SSL_write() is called again but the data >>> buffer *location* has changed, OpenSSL suspects that this is a mistake >>> and returns an error. > Sorry, I deleted the Bodo's message, so I'm replying to Darryl. > > Many years ago I had a program that reallocated the buffers when needed. I > analyzed the SSL code (I hope my messages are still somewhere in the > archive) and found out that in fact SSL layer reads the data only once. I > did not found any condition where data was read twice from input buffer. > Since then we have always set the SSL_MODE_ENABLE_PARTIAL_WRITE flag and > does the buffer reallocation as needed. > > There is no need for the data buffer to stay constant between calls to > SSL_write. The library won't look at any byte twice -- but if you have particularly long writes (more than 16 K, and enough to fill up your TCP write buffers or the buffers of whatever lower layer you are using), it may take multiple library calls until the library has looked at all of the bytes. The application won't know which bytes already have been processed and which haven't, thus generally the application is expected not to change the buffer. If the application wants to reallocate the buffer, it should make sure to copy the data around. In this case, it is expected to use the SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER flag to disable the simple sanity check. The purpose of the SSL_MODE_ENABLE_PARTIAL_WRITE flag is exactly to disable this default behavior of OpenSSLL. With SSL_MODE_ENABLE_PARTIAL_WRITE, you don't have to bother to maintain the buffer state, since OpenSSL won't look at the buffer contents more than once. If you are trying to send 64 K of data, OpenSSL might tell you it has only written 16 K of these. This is similar to how the usual write() system call behaves, but differs from previous OpenSSL behaviour (which remains the default for compatibility) where applications were expected to repeat write attempts until finally all of the data had been sent. ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
