Re: [openssl-users] Getting the retry reason for a "failed" BIO_write/BIO_read

2016-10-10 Thread Ajay Garg
On Mon, Oct 10, 2016 at 2:47 PM, Ajay Garg  wrote:

>
>
> On Mon, Oct 10, 2016 at 1:31 PM, Viktor Dukhovni <
> openssl-us...@dukhovni.org> wrote:
>
>>
>> > On Oct 10, 2016, at 3:52 AM, Ajay Garg  wrote:
>> >
>> > if (BIO_should_read(socket->ssl_bio) != 0)
>> >
>> > if (BIO_should_write(socket->ssl_bio) != 0)
>>
>> In Postfix, we don't bother with the application layer ssl_bio,
>> and just do SSL_read()/SSL_write() directly.  You only need this
>> if you specifically want a BIO API to SSL.
>>
>
I am sorry, but I don't get this :(


In broad words, is there anything wrong in ::

int rc = BIO_write(socket->ssl_bio, buf, len); /* or BIO_read(socket->ssl_bio, buf, len) */

followed by

if (rc < 0)
{
    if (BIO_should_read(socket->ssl_bio) != 0)
    {
    }
    if (BIO_should_write(socket->ssl_bio) != 0)
    {
    }
}

?


>
>> > With this, I could get the entire end-to-end workflow to work 
>>
>> You might not be done yet.  Is the client verifying the server
>> certificate including name checks?  Just doing TLS, without
>> certificate checks, only protects against passive attacks.
>>
>
> Thanks Viktor.
>
> I will add this "enhancement", once I complete the code, in a manner that
> is portable across "any" device.
> Please expect a few questions from me on other threads :P
>
>
> Thanks and Regards,
> Ajay
>
>>
>> --
>> Viktor.
>>



-- 
Regards,
Ajay
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] Getting the retry reason for a "failed" BIO_write/BIO_read

2016-10-10 Thread Ajay Garg
On Mon, Oct 10, 2016 at 1:31 PM, Viktor Dukhovni  wrote:

>
> > On Oct 10, 2016, at 3:52 AM, Ajay Garg  wrote:
> >
> > if (BIO_should_read(socket->ssl_bio) != 0)
> >
> > if (BIO_should_write(socket->ssl_bio) != 0)
>
> In Postfix, we don't bother with the application layer ssl_bio,
> and just do SSL_read()/SSL_write() directly.  You only need this
> if you specifically want a BIO API to SSL.
>
> > With this, I could get the entire end-to-end workflow to work 
>
> You might not be done yet.  Is the client verifying the server
> certificate including name checks?  Just doing TLS, without
> certificate checks, only protects against passive attacks.
>

Thanks Viktor.

I will add this "enhancement", once I complete the code, in a manner that
is portable across "any" device.
Please expect a few questions from me on other threads :P


Thanks and Regards,
Ajay

>
> --
> Viktor.
>



-- 
Regards,
Ajay


Re: [openssl-users] Getting the retry reason for a "failed" BIO_write/BIO_read

2016-10-10 Thread Viktor Dukhovni

> On Oct 10, 2016, at 3:52 AM, Ajay Garg  wrote:
> 
> if (BIO_should_read(socket->ssl_bio) != 0)
> 
> if (BIO_should_write(socket->ssl_bio) != 0)

In Postfix, we don't bother with the application layer ssl_bio,
and just do SSL_read()/SSL_write() directly.  You only need this
if you specifically want a BIO API to SSL.

> With this, I could get the entire end-to-end workflow to work 

You might not be done yet.  Is the client verifying the server
certificate including name checks?  Just doing TLS, without
certificate checks, only protects against passive attacks.

-- 
Viktor.



Re: [openssl-users] Getting the retry reason for a "failed" BIO_write/BIO_read

2016-10-10 Thread Ajay Garg
The following works:

if (BIO_should_read(socket->ssl_bio) != 0)

if (BIO_should_write(socket->ssl_bio) != 0)

With this, I could get the entire end-to-end workflow to work 

Thanks a ton for all the help !!!

On Mon, Oct 10, 2016 at 11:50 AM, Ajay Garg  wrote:

> Hi All.
>
> Taking the socket-structure as ::
>
>
> #
>    SSL *ssl;
>
>    BIO *ssl_bio;      // app-payload-bytes will be written by app into it.
>    BIO *inter_bio;    // intermediate-bio, have no idea what it really is used for.
>    BIO *network_bio;  // app-payload-encrypted-bytes will "emerge" from this bio, ready to be written over the wire
>
> #
>
> and assuming all initialization went fine, what is the correct way to get
> the retry-reason ::
>
>
> #
> if (BIO_should_retry(socket->ssl_bio) != 0)
> {
>     int reason = BIO_get_retry_reason(socket->ssl_bio);
> }
>
>   OR
>
> if (BIO_should_retry(socket->ssl_bio) != 0)
> {
>     int reason = BIO_get_retry_reason(BIO_get_retry_BIO(socket->ssl_bio, NULL));
> }
>
> #
>
>
> Right now, I am receiving 0 (zero) as the reason in both the cases, and
> none of SSL_ERROR_WANT_WRITE or SSL_ERROR_WANT_READ (in either case).
>
>
> Thanks and Regards,
> Ajay



-- 
Regards,
Ajay


Re: [openssl-users] Getting the retry reason for a "failed" BIO_write/BIO_read

2016-10-10 Thread Ajay Garg
Hi Viktor,

I am already setting that.

    socket->ssl_bio = BIO_new(BIO_f_ssl());
    if (!(socket->ssl_bio))
    {
        HANDLE_CATASTROPHIC_INIT_ERROR("client-ssl-bio")
        return;
    }

    SSL_set_connect_state(socket->ssl);
    SSL_set_bio(socket->ssl, socket->inter_bio, socket->inter_bio);
    BIO_set_ssl(socket->ssl_bio, socket->ssl, BIO_NOCLOSE);


On Mon, Oct 10, 2016 at 12:19 PM, Viktor Dukhovni <
openssl-us...@dukhovni.org> wrote:

>
> > On Oct 10, 2016, at 2:20 AM, Ajay Garg  wrote:
> >
> >BIO *inter_bio;   // intermediate-bio, have no
> idea what it really is used for.
>
> The internal BIO from BIO_new_bio_pair must be attached to the SSL
> handle via:
>
> SSL_set_bio(ssl, internal_bio, internal_bio);
>
> When SSL writes ciphertext to the internal bio, you can read that via
> the network_bio.  When you write to the network_bio, SSL can read the
> data via the internal_bio.
>
> --
> Viktor.
>



-- 
Regards,
Ajay


Re: [openssl-users] Getting the retry reason for a "failed" BIO_write/BIO_read

2016-10-10 Thread Viktor Dukhovni

> On Oct 10, 2016, at 2:20 AM, Ajay Garg  wrote:
> 
>BIO *inter_bio;   // intermediate-bio, have no idea 
> what it really is used for.

The internal BIO from BIO_new_bio_pair must be attached to the SSL
handle via:

SSL_set_bio(ssl, internal_bio, internal_bio);

When SSL writes ciphertext to the internal bio, you can read that via
the network_bio.  When you write to the network_bio, SSL can read the
data via the internal_bio.

-- 
Viktor.

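The BIO-pair flow Viktor describes (SSL writes ciphertext into the internal BIO and it emerges from network_bio; bytes written to network_bio are read by SSL) together with the retry-versus-failure distinction the thread asks about, as an added example that is not code from the thread: it uses Python's ssl module, whose MemoryBIO and SSLContext.wrap_bio are OpenSSL's BIO-pair design, rather than the C API, and it keeps the certificate and hostname checks Viktor recommends enabled. The hostname "example.com" and the plaintext HTTP reply are constructed inputs; nothing is contacted over the network.

```python
import ssl
# Added example, not the thread's C code. ssl.MemoryBIO + SSLContext.wrap_bio
# is OpenSSL's BIO-pair design: tls ~ ssl_bio, incoming ~ inter_bio (ciphertext
# from the wire, read by SSL), outgoing ~ network_bio (ciphertext for the wire).
def make_client(hostname):
    # create_default_context() gives CERT_REQUIRED and check_hostname=True,
    # the checks that stop an active attacker rather than only a passive one.
    ctx = ssl.create_default_context()
    incoming, outgoing = ssl.MemoryBIO(), ssl.MemoryBIO()
    tls = ctx.wrap_bio(incoming, outgoing, server_side=False,
                       server_hostname=hostname)
    return tls, incoming, outgoing

def verification_enabled(tls):
    # What Viktor asks about: certificate verification plus the name check.
    return (tls.context.verify_mode == ssl.CERT_REQUIRED
            and tls.context.check_hostname)

def classify(exc):
    # The BIO_should_read()/BIO_should_write() decision versus a real failure.
    if isinstance(exc, ssl.SSLWantReadError):
        return "retry_read"
    if isinstance(exc, ssl.SSLWantWriteError):
        return "retry_write"
    return "fatal"

def handshake_step(tls, outgoing):
    """One handshake step; returns (status, ciphertext to send on the wire)."""
    try:
        tls.do_handshake()
        status = "done"
    except ssl.SSLError as exc:  # the Want*Error classes subclass SSLError
        status = classify(exc)
    return status, outgoing.read()

def demo(hostname="example.com"):  # constructed name; nothing is contacted
    tls, incoming, outgoing = make_client(hostname)
    # Step 1: nothing received yet -> retry_read, and the ClientHello record
    # (content type 0x16 = handshake) has emerged on the "network" side.
    status, wire = handshake_step(tls, outgoing)
    first = (status, len(wire) > 0, wire[:1] == b"\x16")
    # Step 2 (constructed input): a plaintext HTTP reply is a hard failure.
    incoming.write(b"HTTP/1.1 400 Bad Request\r\n\r\n")
    second, _ = handshake_step(tls, outgoing)
    return first, second, verification_enabled(tls)
```

The first step returns `("retry_read", True, True)`: the application-side object wants more input, and the ClientHello is already waiting on the network side to be sent, which is the point at which a C caller would see BIO_should_read() succeed.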


[openssl-users] Getting the retry reason for a "failed" BIO_write/BIO_read

2016-10-10 Thread Ajay Garg
Hi All.

Taking the socket-structure as ::


#
   SSL *ssl;

   BIO *ssl_bio; // app-payload-bytes will be
written by app into it.
   BIO *inter_bio;   // intermediate-bio, have no idea
what it really is used for.
   BIO *network_bio;  // app-payload-encrypted-bytes will
"emerge" from this bio, ready to be written over the wire

#




and assuming all initialization went fine, what is the correct way to get
the retry-reason ::

#
if (BIO_should_retry(socket->ssl_bio) != 0)
{
    int reason = BIO_get_retry_reason(socket->ssl_bio);
}

  OR

if (BIO_should_retry(socket->ssl_bio) != 0)
{
    int reason = BIO_get_retry_reason(BIO_get_retry_BIO(socket->ssl_bio, NULL));
}

#


Right now, I am receiving 0 (zero) as the reason in both the cases, and
none of SSL_ERROR_WANT_WRITE or SSL_ERROR_WANT_READ (in either case).


Thanks and Regards,
Ajay



-- 
Regards,
Ajay