Konstantin Ivanov wrote:

> I am developing a server application which is based on Windows IO
> Completion ports which basically means that the reads and writes to
> the socket are asynchronous. This also means that I cannot use the
> SSL_read and SSL_write functions which are tied to the socket fd
> if I am correct.

No, they are tied to the underlying BIO, which need to be a socket.

> So I tried to use the BIO_read and BIO_write, but I am having
> difficulty in using it. Basically what I would like to do is to
> read the content passed from the client over SSL connection into
> the buffer, which I can decrypt using, parse, and then issue another
> read command on the completion port. For send, I would like to write
> data into an encrypted buffer and then post a send command to the
> completion port with the pointer to encrypted data.

That will not work. SSL does not have "encrypt" and "decrypt" operations that are visible at application level.

> Can someone please comment on how I could implement such
> functionality as I believe I am using the BIO_read and BIO_write
> incorrectly (this was the tutorial that I referred to:
> http://h71000.www7.hp.com/doc/83final/ba554_90007/ch04s03.html)

Use BIO pairs. There's example code in the 'apps' directory.

Your code has to manage four logically-independent data streams.

1) If you receive data from the socket, give it to the OpenSSL engine.

2) If you have plaintext your application wants to send, give it to the OpenSSL engine.

3) If the OpenSSL engine has encrypted data it wants to send over the socket, give it to the socket.

4) If the OpenSSL engine has decrypted data it wants to give to your application, get it from OpenSSL and process it.

Do not assume any correspondence between these operations (even though there will almost always be one). If you send some plaintext data, OpenSSL will likely have some ciphertext to send on the socket, but don't stop checking for ciphertext just because you didn't send any plaintext. And it's not an error if your plaintext generates no ciphertext (OpenSSL may not yet have received enough information to know how to encrypt it.)

Do not try to "look through" the SSL state machine. Just run all four data pumps, and it will work.

DS

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
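The four-pump structure described in the reply above, written out as an added example that is not part of the original thread or of OpenSSL's own `apps` code. It uses Python's `ssl.MemoryBIO` and `SSLContext.wrap_bio`, which are the standard-library equivalent of an OpenSSL BIO pair: the TLS engine reads ciphertext from one memory BIO and writes ciphertext to the other, and the application shuttles bytes between those BIOs and whatever socket mechanism it uses (completion ports, epoll, or anything else). The hostname and the constructed HTTP request are placeholders; only the client side is shown, and no real peer is needed to see the point the reply makes: the very first pump with no input at all produces ciphertext (the ClientHello), while plaintext handed in before the handshake completes produces no ciphertext and simply stays queued.

```python
import ssl


def make_client_sslobj(server_hostname="example.test"):
    """Build a client-side TLS engine wired to a pair of memory BIOs.

    server_hostname is a placeholder; verification is disabled because this
    demonstration never talks to a real peer (a production client must keep
    check_hostname and CERT_REQUIRED).
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False
    ctx.verify_mode = ssl.CERT_NONE
    incoming = ssl.MemoryBIO()   # ciphertext from the socket, read by the engine
    outgoing = ssl.MemoryBIO()   # ciphertext produced by the engine, for the socket
    sslobj = ctx.wrap_bio(incoming, outgoing, server_side=False,
                          server_hostname=server_hostname)
    return sslobj, incoming, outgoing


class TlsPump:
    """Runs the four logically independent data streams on every call."""

    def __init__(self, sslobj, incoming, outgoing):
        self.sslobj = sslobj
        self.incoming = incoming
        self.outgoing = outgoing
        self.app_out = b""          # plaintext the application wants to send
        self.handshake_done = False

    def run(self, from_socket=b"", plaintext=b""):
        """One pass of the pump loop.

        from_socket: bytes the socket layer just received (may be empty).
        plaintext:   bytes the application wants to send (may be empty).
        Returns (ciphertext_to_socket, plaintext_received): always check both,
        regardless of which inputs were given.
        """
        # 1) ciphertext from the socket -> engine
        if from_socket:
            self.incoming.write(from_socket)

        # 2) plaintext from the application -> engine (queued until it can be written)
        self.app_out += plaintext

        received = b""

        if not self.handshake_done:
            try:
                self.sslobj.do_handshake()
                self.handshake_done = True
            except ssl.SSLWantReadError:
                # The engine needs more ciphertext from the peer; it may still
                # have produced ciphertext of its own (e.g. the ClientHello).
                pass

        if self.handshake_done:
            while self.app_out:
                try:
                    n = self.sslobj.write(self.app_out)
                    self.app_out = self.app_out[n:]
                except ssl.SSLWantReadError:
                    break

            # 4) decrypted application data from the engine -> application
            while True:
                try:
                    chunk = self.sslobj.read(4096)
                except ssl.SSLWantReadError:
                    break            # no complete record available yet
                except ssl.SSLZeroReturnError:
                    break            # peer sent close_notify
                if not chunk:
                    break
                received += chunk

        # 3) ciphertext from the engine -> socket, checked on every pass
        to_socket = self.outgoing.read()
        return to_socket, received


def first_pass_demo():
    """First pump pass with no socket data and some queued plaintext."""
    sslobj, incoming, outgoing = make_client_sslobj()
    pump = TlsPump(sslobj, incoming, outgoing)
    # Constructed request; it cannot be encrypted yet because no handshake
    # has happened, so it must stay queued rather than being treated as an error.
    to_socket, received = pump.run(plaintext=b"GET / HTTP/1.0\r\n\r\n")
    return to_socket, received, pump


if __name__ == "__main__":
    to_socket, received, pump = first_pass_demo()
    print("ciphertext for socket (ClientHello):", len(to_socket), "bytes")
    print("decrypted data for app:", received)
    print("plaintext still queued:", pump.app_out)
```

In a completion-port design, `run()` is what you call from both the receive-completion and the send-request paths: the returned `ciphertext_to_socket` becomes the next posted send, and `plaintext_received` goes to the parser. Nothing in the loop inspects the handshake state beyond remembering whether `do_handshake()` has finished; it just keeps all four streams moving.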