I have a set of local modifications to a proprietary SSL library which has an openssl-compatible API. They significantly increase performance for applications using non-blocking I/O by allowing the SSL I/O operations (SSL_read(), SSL_write(), etc.) to return a CRYPTO_PENDING error code if the hardware device actually performing the crypto is not yet ready.
Then the application can add the device's file descriptor (obtained from the underlying hardware driver by a new call) to its poll or select set and retry the read or write request when the device says the crypto op is ready (this was my workaround after my proposal for SSL_select() or SSL_poll() received a fairly negative response here last year). I would like to make it possible to do the same using ENGINE, with an eye to getting these changes into the mainstream OpenSSL source tree. I would love some feedback on this from the OpenSSL developers. Restrictions of my current code are: 1) The application must retry the _exact_ same request when the device says it's ready (that is, if you SSL_read() for 1026 bytes, non-blocking, and get back SSL_ERROR_CRYPTO_PENDING, the next operation you do on that SSL session _must_ be an SSL_read() for 1026 bytes). This could be quite hard to fix but, in practice, has not turned out to be much of a problem for applications, since this is usually exactly what they want to do. 2) I use a local extension to the API to get the device's file descriptor. I am not sure how to get this up from the ENGINE in a clean way though I'm aware I could use a per-engine control command -- that, though, would entangle the implementation with a particular ENGINE's implementation details. Concerns I have about adapting this to the ENGINE API are: 1) I do not undertstand the locking strategy for ENGINEs. There was a query about this here recently from another poster who, AFAICT, received no response. 2) Since ENGINEs could now hold references to SSL requests across multiple SSL_xyz() calls at the upper layer, I need to ensure that the ENGINE finds out when a request is abandoned, so it does not leak its local state for tracking requests pending on the device. I'd appreciate ideas on this. 3) I'm not sure how to actually cause there to be a nontrivial likelihood that my changes might be integrated into OpenSSL proper. Here I would like advice most of all. -- Thor Lancelot Simon [EMAIL PROTECTED] "The inconsistency is startling, though admittedly, if consistency is to be abandoned or transcended, there is no problem." - Noam Chomsky ______________________________________________________________________ OpenSSL Project http://www.openssl.org Development Mailing List [email protected] Automated List Manager [EMAIL PROTECTED]
