Re: [openssl-users] Getting the retry reason for a "failed" BIO_write/BIO_read
On Mon, Oct 10, 2016 at 2:47 PM, Ajay Garg wrote:
>
> On Mon, Oct 10, 2016 at 1:31 PM, Viktor Dukhovni <openssl-us...@dukhovni.org> wrote:
>
>> > On Oct 10, 2016, at 3:52 AM, Ajay Garg wrote:
>> >
>> >     if(BIO_should_read(socket->ssl_bio) != 0)
>> >
>> >     if(BIO_should_write(socket->ssl_bio) != 0)
>>
>> In Postfix, we don't bother with the application layer ssl_bio,
>> and just do SSL_read()/SSL_write() directly. You only need this
>> if you specifically want a BIO API to SSL.
>>
>

I am sorry, but I don't get this :(

In broad words, is there anything wrong in ::

    int rc = BIO_write(socket->ssl_bio, buf, len);   /* or BIO_read(socket->ssl_bio, buf, len) */

followed by

    if(rc < 0)
    {
        if(BIO_should_read(socket->ssl_bio) != 0)
        {
        }

        if(BIO_should_write(socket->ssl_bio) != 0)
        {
        }
    }

?

>
>> > With this, I could get the entire end-to-end workflow to work
>>
>> You might not be done yet. Is the client verifying the server
>> certificate including name checks? Just doing TLS, without
>> certificate checks, only protects against passive attacks.
>>
>
> Thanks Viktor.
>
> I will add this "enhancement", once I complete the code, in a manner that
> is portable across "any" device.
> Please expect a few questions from me on other threads :P
>
> Thanks and Regards,
> Ajay
>
>> --
>> Viktor.
>
> --
> Regards,
> Ajay

--
Regards,
Ajay

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users
Re: [openssl-users] Getting the retry reason for a "failed" BIO_write/BIO_read
On Mon, Oct 10, 2016 at 1:31 PM, Viktor Dukhovni wrote:
>
>> On Oct 10, 2016, at 3:52 AM, Ajay Garg wrote:
>>
>>     if(BIO_should_read(socket->ssl_bio) != 0)
>>
>>     if(BIO_should_write(socket->ssl_bio) != 0)
>
> In Postfix, we don't bother with the application layer ssl_bio,
> and just do SSL_read()/SSL_write() directly. You only need this
> if you specifically want a BIO API to SSL.
>
>> With this, I could get the entire end-to-end workflow to work
>
> You might not be done yet. Is the client verifying the server
> certificate including name checks? Just doing TLS, without
> certificate checks, only protects against passive attacks.

Thanks Viktor.

I will add this "enhancement", once I complete the code, in a manner that
is portable across "any" device.
Please expect a few questions from me on other threads :P

Thanks and Regards,
Ajay

> --
> Viktor.

--
Regards,
Ajay
Re: [openssl-users] Getting the retry reason for a "failed" BIO_write/BIO_read
> On Oct 10, 2016, at 3:52 AM, Ajay Garg wrote:
>
>     if(BIO_should_read(socket->ssl_bio) != 0)
>
>     if(BIO_should_write(socket->ssl_bio) != 0)

In Postfix, we don't bother with the application layer ssl_bio,
and just do SSL_read()/SSL_write() directly. You only need this
if you specifically want a BIO API to SSL.

> With this, I could get the entire end-to-end workflow to work

You might not be done yet. Is the client verifying the server
certificate including name checks? Just doing TLS, without
certificate checks, only protects against passive attacks.

--
Viktor.
Re: [openssl-users] Getting the retry reason for a "failed" BIO_write/BIO_read
Following works :

    if(BIO_should_read(socket->ssl_bio) != 0)

    if(BIO_should_write(socket->ssl_bio) != 0)

With this, I could get the entire end-to-end workflow to work.

Thanks a ton for all the help !!!

On Mon, Oct 10, 2016 at 11:50 AM, Ajay Garg wrote:
> Hi All.
>
> Taking the socket-structure as ::
>
> #
>     SSL *ssl;
>     BIO *ssl_bio;      // app-payload-bytes will be written by app into it.
>     BIO *inter_bio;    // intermediate-bio, have no idea what it really is used for.
>     BIO *network_bio;  // app-payload-encrypted-bytes will "emerge" from this bio, ready to be written over the wire
> #
>
> and assuming all initialization went fine, what is the correct way to get
> the retry-reason ::
>
> #
>     if(BIO_should_retry(socket->ssl_bio) != 0)
>     {
>         int reason = BIO_get_retry_reason(socket->ssl_bio);
>     }
>
> OR
>
>     if(BIO_should_retry(socket->ssl_bio) != 0)
>     {
>         int reason = BIO_get_retry_reason(BIO_get_retry_BIO(socket->ssl_bio, NULL));
>     }
> #
>
> Right now, I am receiving 0 (zero) as the reason in both the cases, and
> none of SSL_ERROR_WANT_WRITE or SSL_ERROR_WANT_READ (in either case).
>
> Thanks and Regards,
> Ajay
>
> --
> Regards,
> Ajay

--
Regards,
Ajay
Re: [openssl-users] Getting the retry reason for a "failed" BIO_write/BIO_read
Hi Viktor, I am already setting that.

    socket->ssl_bio = BIO_new(BIO_f_ssl());
    if (!(socket->ssl_bio))
    {
        HANDLE_CATASTROPHIC_INIT_ERROR("client-ssl-bio")
        return;
    }

    SSL_set_connect_state(socket->ssl);
    SSL_set_bio(socket->ssl, socket->inter_bio, socket->inter_bio);
    BIO_set_ssl(socket->ssl_bio, socket->ssl, BIO_NOCLOSE);

On Mon, Oct 10, 2016 at 12:19 PM, Viktor Dukhovni <openssl-us...@dukhovni.org> wrote:
>
>> On Oct 10, 2016, at 2:20 AM, Ajay Garg wrote:
>>
>>     BIO *inter_bio;    // intermediate-bio, have no idea what it really is used for.
>
> The internal BIO from BIO_new_bio_pair must be attached to the SSL
> handle via:
>
>     SSL_set_bio(ssl, internal_bio, internal_bio);
>
> When SSL writes ciphertext to the internal bio, you can read that via
> the network_bio. When you write to the network_bio, SSL can read the
> data via the internal_bio.
>
> --
> Viktor.

--
Regards,
Ajay
Re: [openssl-users] Getting the retry reason for a "failed" BIO_write/BIO_read
> On Oct 10, 2016, at 2:20 AM, Ajay Garg wrote:
>
>     BIO *inter_bio;    // intermediate-bio, have no idea what it really is used for.

The internal BIO from BIO_new_bio_pair must be attached to the SSL
handle via:

    SSL_set_bio(ssl, internal_bio, internal_bio);

When SSL writes ciphertext to the internal bio, you can read that via
the network_bio. When you write to the network_bio, SSL can read the
data via the internal_bio.

--
Viktor.
[openssl-users] Getting the retry reason for a "failed" BIO_write/BIO_read
Hi All.

Taking the socket-structure as ::

#
    SSL *ssl;
    BIO *ssl_bio;      // app-payload-bytes will be written by app into it.
    BIO *inter_bio;    // intermediate-bio, have no idea what it really is used for.
    BIO *network_bio;  // app-payload-encrypted-bytes will "emerge" from this bio, ready to be written over the wire
#

and assuming all initialization went fine, what is the correct way to get
the retry-reason ::

#
    if(BIO_should_retry(socket->ssl_bio) != 0)
    {
        int reason = BIO_get_retry_reason(socket->ssl_bio);
    }

OR

    if(BIO_should_retry(socket->ssl_bio) != 0)
    {
        int reason = BIO_get_retry_reason(BIO_get_retry_BIO(socket->ssl_bio, NULL));
    }
#

Right now, I am receiving 0 (zero) as the reason in both the cases, and
none of SSL_ERROR_WANT_WRITE or SSL_ERROR_WANT_READ (in either case).

Thanks and Regards,
Ajay

--
Regards,
Ajay
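The BIO-pair pattern discussed in this thread (the inter_bio/network_bio setup from Viktor's reply and the should_read/should_write retry check from the resolution), as an added example that is not code from any of the posters. It is written in Python because its ssl module is a thin wrapper over the same OpenSSL machinery: MemoryBIO is a memory BIO, wrap_bio() attaches the pair to the SSL handle, and SSLWantReadError/SSLWantWriteError are SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE. The hostname "example.com" and the absence of any server bytes are constructed for the illustration; the context keeps the certificate and name checks Viktor asked about enabled.

```python
import ssl

def make_client(hostname):
    """In-memory equivalent of the thread's ssl / inter_bio / network_bio trio.

    wrap_bio() plays the role of SSL_set_bio(ssl, internal_bio, internal_bio):
    the engine reads ciphertext from `incoming` and writes ciphertext to
    `outgoing`; the application shuttles those bytes to and from the wire.
    """
    ctx = ssl.create_default_context()   # CERT_REQUIRED + check_hostname=True (the "name checks")
    incoming = ssl.MemoryBIO()           # ciphertext from the wire, for the TLS engine to read
    outgoing = ssl.MemoryBIO()           # ciphertext the engine produced, to be sent on the wire
    sslobj = ctx.wrap_bio(incoming, outgoing, server_hostname=hostname)
    return sslobj, incoming, outgoing

def step(op):
    """Run one TLS operation and report the retry reason by name.

    Instead of the bare 0 'reason' seen in the thread, the want-read /
    want-write condition is surfaced as an explicit status string.
    """
    try:
        return "done", op()
    except ssl.SSLWantReadError:
        return "want_read", None
    except ssl.SSLWantWriteError:
        return "want_write", None

def start_handshake(hostname="example.com"):
    """Kick off a client handshake with no peer bytes available (constructed scenario)."""
    sslobj, incoming, outgoing = make_client(hostname)
    first, _ = step(sslobj.do_handshake)
    # "want_read" does NOT mean there is nothing to send: the ClientHello is
    # already queued in the outgoing BIO and must be flushed to the network
    # before waiting for the socket to become readable.
    wire = outgoing.read()
    # Retrying before any server bytes arrive is harmless: the engine still
    # reports want_read and does not emit the ClientHello a second time.
    second, _ = step(sslobj.do_handshake)
    return first, wire, second, outgoing.pending

if __name__ == "__main__":
    first, wire, second, pending = start_handshake()
    print(first, len(wire), "bytes queued, record type 0x%02x;" % wire[0], second, pending)
```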