On Tue, May 26, 2009 at 10:33:11AM -0400, Aaron Wiebe wrote:

> Greetings All,
>
> I've gone through various levels of documentation to see if there is a
> method available to implement SSL as I have envisioned, but I haven't
> been able to find what I'm looking for.  Perhaps someone here could
> point me in a good direction...
>
> I'm developing a nonblocking application (backed by several
> edge-trigger methods, such as epoll/kqueue/etc).  I'd like to
> integrate SSL into the flow, but I'm not fond of pushing the buffering
> and socket interaction routines into the SSL library.  What I would
> prefer to do is to perform callouts to the ssl library, while
> maintaining the buffering and socket handling within my application.
>
> Ideally, I'd like to perform the recv() calls, buffer the data myself,
> and pass it to a function that would be capable of decrypting the data
> (if a complete encryption block is received) - and provide me
> appropriate returns to let me know if additional steps are required
> (such as a renegotiation).  I'd also prefer to be able to encrypt the
> data through a function call, and be able to buffer and deliver that
> data at my leisure.

The "biopair" abstraction allows you to do exactly this. The TLS layer to
network interface is realized with a BIO pair:

        Application |   TLS layer
                    |
       Your Code    |
        /\    ||    |
        ||    \/    |
   Application buffer <===> TLS read/write/etc
                    |     /\    ||
                    |     ||    \/
                    |   BIO pair (internal_bio)
                    |   BIO pair (network_bio)
                    |     /\    ||
                    |     ||    \/
   socket read/write <===> BIO read/write
        /\    ||    |
        ||    \/    |
         network    |

All SSL calls that need to write/read data to/from the network "fail"
with SSL_WANT_WRITE or SSL_WANT_READ; it is then up to you to send as much
pending data as possible out of the network bio to the peer, and then
read data from the peer and write it to the network bio if a read was
requested.

> In short, I don't really want SSL doing my writing or buffering.  I
> just want the library to do my negotiation and encryption - but by
> providing me the data I need rather than by writing to the socket.

See the biopair docs.

-- 
	Viktor.
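
The retry loop described in this reply, as an added example that is not part of the original message or of OpenSSL's own code. It uses Python's `ssl.MemoryBIO` and `SSLContext.wrap_bio`, which place OpenSSL memory BIOs (not a C `BIO_new_bio_pair`) between the TLS engine and the application, so the same "call fails with want-read, drain the outbound buffer, feed inbound bytes, retry" flow runs with no socket. The hostname `server.example`, the helper names and the 3-byte partial record are constructed for illustration.

```python
import ssl

def make_client(hostname="server.example"):   # hostname is a constructed placeholder
    """TLS client engine with no socket attached, only two in-memory BIOs."""
    ctx = ssl.create_default_context()
    incoming = ssl.MemoryBIO()   # ciphertext the application received from the peer
    outgoing = ssl.MemoryBIO()   # ciphertext the TLS layer wants sent to the peer
    tls = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    return tls, incoming, outgoing

def step(op, outgoing):
    """Run one TLS call and return (status, ciphertext_to_send).

    status is 'done', 'want_read' or 'want_write'. The caller owns the
    socket: it sends the returned bytes whenever it likes, and on
    'want_read' writes received bytes into the incoming BIO, then retries.
    """
    try:
        op()
        status = "done"
    except ssl.SSLWantReadError:
        status = "want_read"
    except ssl.SSLWantWriteError:
        status = "want_write"
    return status, outgoing.read()   # drain whatever the TLS layer queued

def demo():
    tls, incoming, outgoing = make_client()
    # First attempt: the ClientHello is queued in `outgoing`, then the
    # engine reports that it needs input from the peer.
    s1, hello = step(tls.do_handshake, outgoing)
    # Constructed input: the first 3 bytes of a 5-byte TLS record header,
    # as a short recv() might deliver. The engine keeps them and asks for
    # more instead of failing, so partial records need no special casing.
    incoming.write(b"\x16\x03\x03")
    s2, out2 = step(tls.do_handshake, outgoing)
    return s1, hello, s2, out2

if __name__ == "__main__":
    s1, hello, s2, out2 = demo()
    print(s1, len(hello), hello[:3].hex(), s2, len(out2))
```

In a real event loop, `step` is called from the epoll/kqueue readiness handlers, and the bytes it returns go into the application's own send buffer.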