On Thu, May 28, 2009 at 02:48:34PM -0400, Aaron Wiebe wrote:

> On Tue, May 26, 2009 at 5:27 PM, Victor Duchovni
> <victor.ducho...@morganstanley.com> wrote:
> > On Tue, May 26, 2009 at 05:02:59PM -0400, Aaron Wiebe wrote:
> >
> > > > You're looking for a BIO_s_mem.
> > >
> > > No, he is looking for BIO_new_bio_pair(3) and SSL_set_bio(3).
>
> So, apologies for hammering this down, but I'm still a little fuzzy
> and the documentation is lacking.
>
> This would be in theory how to perform this work:
>
>     ctx = SSL_ctx_new();
>     myssl = SSL_new(ctx);
>     BIO_new_bio_pair(&app_bio, 0, &net_bio, 0);
>     SSL_set_bio(myssl, app_bio, app_bio);
>
> Now, for a write sequence...
>
>     BIO_write(app_bio, buffer, len); /* unencrypted */
NO! You call

    n = SSL_write(myssl, buffer, len);
    err = SSL_get_error(myssl, n);

"err" may be SSL_ERROR_WANT_READ or SSL_ERROR_WANT_WRITE, in which case you
must retry the write again later, after there is room. On success (n>=0), or
with WANT_READ/WANT_WRITE, arrange to move data from the network bio to the
peer and from the peer to the network bio.

This activity may be asynchronous if you are using non-blocking sockets with
select/epoll/... in an event loop. In that case you mark the socket for
read/write interest with appropriate callbacks.

>     BIO_read(net_bio, buf, size); /* encrypted */
>     write(fd, buf, size);
>
> and the same in reverse:
>
>     len = recv(fd, &buf, size);
>     BIO_write(net_bio, buf, len);
>     len = BIO_read(app_bio, buffer, size);

No. SSL is not a pipe, it is a state machine with 4 I/O ports.

-- 
	Viktor.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
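The driver loop Viktor describes (SSL_write, inspect the WANT_READ/WANT_WRITE result, then shuttle ciphertext between the network BIO and the socket), as an added worked example that is not part of the thread or of OpenSSL's own code. It uses Python's standard ssl.MemoryBIO and SSLContext.wrap_bio, which wrap the same OpenSSL memory-BIO machinery as the C calls discussed above; the mapping between the C names and the Python calls in the docstring is an assumed correspondence. FakeSocket is a constructed stand-in for a non-blocking socket so the example runs offline, and TlsEngine and its method names are hypothetical. It demonstrates the "state machine, not a pipe" point concretely: the very first SSL_write on a fresh connection encrypts nothing, returns WANT_READ, and leaves a ClientHello in the network BIO that the driver must push out before anything else can happen.

```python
"""Driving a TLS engine through memory BIOs, the way the reply describes.

Assumed mapping to the C calls in the thread (Python's ssl module wraps the
same OpenSSL primitives):
  BIO_new_bio_pair + SSL_set_bio   ->  two ssl.MemoryBIO objects + ctx.wrap_bio
  SSL_write + SSL_get_error        ->  SSLObject.write raising SSLWantReadError
                                       / SSLWantWriteError
  BIO_read(net_bio) -> write(fd)   ->  outgoing.read() -> sock.send()
  recv(fd) -> BIO_write(net_bio)   ->  sock.recv() -> incoming.write()
"""
import ssl


class FakeSocket:
    """Constructed stand-in for a non-blocking socket so the demo runs offline.
    Bytes passed to send() are recorded; recv() drains a pre-filled queue."""

    def __init__(self, inbox=b""):
        self.sent = b""
        self.inbox = inbox

    def send(self, data):
        self.sent += data
        return len(data)

    def recv(self, n):
        chunk, self.inbox = self.inbox[:n], self.inbox[n:]
        return chunk


class TlsEngine:
    """One SSL object plus its two network-facing memory BIOs (hypothetical name)."""

    def __init__(self, sock):
        ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
        # There is no peer in this offline demo, so peer verification is off;
        # a real client keeps CERT_REQUIRED and loads a CA bundle.
        ctx.check_hostname = False
        ctx.verify_mode = ssl.CERT_NONE
        self.incoming = ssl.MemoryBIO()   # ciphertext from the network into OpenSSL
        self.outgoing = ssl.MemoryBIO()   # ciphertext OpenSSL wants sent to the peer
        self.tls = ctx.wrap_bio(self.incoming, self.outgoing, server_side=False)
        self.sock = sock

    def flush_to_network(self):
        """BIO_read(net_bio) + write(fd): returns bytes moved to the socket."""
        moved = 0
        while self.outgoing.pending:
            moved += self.sock.send(self.outgoing.read())
        return moved

    def feed_from_network(self, bufsize=16384):
        """recv(fd) + BIO_write(net_bio): returns bytes moved into OpenSSL."""
        data = self.sock.recv(bufsize)
        if data:
            self.incoming.write(data)
        return len(data)

    def write(self, plaintext):
        """One SSL_write attempt. Returns ('ok', n), ('want_read', 0) or
        ('want_write', 0); on WANT_* the caller retries the same buffer later.
        Whatever the outcome, ciphertext OpenSSL queued (for example the
        ClientHello it emits when the handshake has not run yet) is flushed."""
        try:
            status = ("ok", self.tls.write(plaintext))
        except ssl.SSLWantReadError:
            status = ("want_read", 0)
        except ssl.SSLWantWriteError:
            status = ("want_write", 0)
        self.flush_to_network()
        return status

    def read(self, bufsize=16384):
        """One SSL_read attempt after pulling whatever the socket has."""
        self.feed_from_network(bufsize)
        try:
            status = ("ok", self.tls.read(bufsize))
        except ssl.SSLWantReadError:
            status = ("want_read", b"")
        self.flush_to_network()   # a read can also queue output (handshake, alerts)
        return status


def first_write_attempt():
    """The first SSL_write on a fresh connection cannot encrypt anything: it
    returns WANT_READ and leaves a ClientHello in the network BIO, which the
    driver pushes to the socket. Returns (status, bytes on the wire, bytes
    still pending in the outgoing BIO after the flush)."""
    sock = FakeSocket()
    eng = TlsEngine(sock)
    status = eng.write(b"GET / HTTP/1.0\r\n\r\n")
    return status, sock.sent, eng.outgoing.pending


def read_with_no_data():
    """SSL_read on a fresh connection with nothing from the peer: also WANT_READ."""
    sock = FakeSocket()
    eng = TlsEngine(sock)
    return eng.read()


if __name__ == "__main__":
    status, wire, left = first_write_attempt()
    print(status, len(wire), "bytes on the wire, record type 0x%02x" % wire[0])
```

In an event loop the two WANT_* results translate directly into interest registration: WANT_READ means "call me again once feed_from_network() has put bytes into the incoming BIO", WANT_WRITE means "call me again once the socket can take what flush_to_network() holds". The same buffer is resubmitted unchanged on retry, exactly as SSL_write expects.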