On Sat, May 31, 2014 at 6:09 PM, Brent Cook <bust...@gmail.com> wrote:

> On May 31, 2014, at 6:08 PM, Brendan MacDonell <macdonel...@gmail.com>
> wrote:
>
> > On Sat, May 31, 2014 at 8:02 PM, Brent Cook <bust...@gmail.com> wrote:
> > I totally agree in the general case. BIO is a big pain, and it does seem
> crazy to use it for stdio.
> >
> > However, in this specific case, this file already calls BIO_printf,
> BIO_puts and BIO_write to stdout and stderr, in an unchecked manner,
> several hundred times. I’m not sure if checking write() actually fixes the
> problem, as there may be no guarantees of IO ordering when mixing
> BIO_write, BIO_puts and regular write() calls to the same output stream.
> >
> > Might it be OK to consider unifying this single exception to the (bad)
> rule, and then removing all BIO to stdin/stdout all at once in a follow-up
> patch?
> >
> > For what it's worth, bio_s_out is not stdout if -quiet is passed (it's a
> BIO_s_null instead.) If you change this write to BIO_write, then it will be
> suppressed as well.
>
> Good point. The help for this command says:
>
>    -quiet        - No server output
>
> It seems like suppressing here would be the correct behavior as well.
>

Nope.  Trust the manpage over the usage:

     -quiet  Inhibit printing of session and certificate information.

(I've fixed the usage to match the manpage)

This write() is the write of the data being sent over the TLS connection.
 Changing it to a BIO_write() would make -quiet the same as >/dev/null,
which is pointless for this command.



> Maybe a larger question is, should the openssl command really embed a
> static-file-serving HTTP 1.0 web server?


Since this write() is *NOT* in the support for the -HTTP, -WWW, or -www
options, that's an unrelated question.



> The ‘-hack’ and ‘-bugs’ options seem a little ripe, among many other
> things.


-hack perhaps, though the "if (hack)" code at the top of the loop
in www_body() may still be useful.  Removing -bugs seems...unwise, given
that *most* real servers using SSL effectively turn that on (IME).  Note
that nginx turns on those options, for example.


Philip Guenther
