Re: [openssl-users] ssl_pending returns 0 despite having data to read

2017-01-11 Thread Matt Caswell


On 11/01/17 20:07, Nadia Lapkovskaya wrote:
> Hi,
> 
> We are using openssl-1.0.2j. We noticed that for the HTTP protocol everything is 
> working fine, but when we are using our own binary protocol ssl_pending 
> returns 0 all the time. We are using a blocking socket. Tried with 
> SSL_CTX_set_read_ahead set and unset.
> 
> Our test server sends back any info received from the client.
> 
> Test code looks like this:
> bool write(const uint64_t* data, int count)
> {
>   int rc = SSL_write(_ssl, data, count * sizeof(uint64_t));
>   return rc > 0 ? true : false;
> }
> 
> bool read(uint64_t* data, int count)
> {
>   do {
>     int rc = SSL_read(_ssl, data, count * sizeof(uint64_t));
>     if (rc <= 0) {
>       // SSL_get_error() classifies the failure (SSL_ERROR_*); the
>       // detailed reason, if any, comes from the error queue.
>       int err = SSL_get_error(_ssl, rc);
>       char buf[256];
>       std::string errs = ERR_error_string(ERR_get_error(), buf);
>       return false;
>     }
>   } while (SSL_pending(_ssl));  // keep reading while OpenSSL still holds decrypted bytes
>   return true;
> }
> 
> During the first ssl_read we received eight bytes, and after that ssl_pending 
> returns 0. If we continue reading despite having no pending data, ssl_read 
> returns the rest of the data.
> Could you please suggest what is wrong here?

There are three levels of buffered data that you need to consider:

- Data that is buffered at the network level
- Data that is buffered in OpenSSL but not yet processed (i.e. decrypted)
- Data that is buffered in OpenSSL that has been processed

SSL_pending() only tells you about the last type of data. TLS delivers
blocks of data in records and OpenSSL will decrypt an entire record in
one go. If your application only then reads some of that record then
SSL_pending() will tell you how many bytes of data it still has
available. If you always read an entire record in one go (i.e. if the
size of the buffer that you pass to SSL_read() is equal to or greater
than the amount of data in the record) then SSL_pending() will always
return 0.

Normally OpenSSL will only read one record at a time, so there isn't any
data of the second type. However if you set read_ahead then it will
attempt to read as much data as the network can give it, until the
internal buffer is filled. If that means it has read more than one
record (which could include partial records) then you will get data of
the second type. In 1.0.2 there is no way to get OpenSSL to tell you
whether it has any of that data buffered. In 1.1.0 you can find out
about this data using the new function SSL_has_pending():

https://www.openssl.org/docs/man1.1.0/ssl/SSL_pending.html

For data buffered at the network level you should query this yourself
using something like select() or poll().

Matt
-- 
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users


Re: [openssl-users] ssl_pending returns 0 despite having data to read

2017-01-11 Thread Michael Wojcik
> From: openssl-users [mailto:openssl-users-boun...@openssl.org] On Behalf
> Of Nadia Lapkovskaya
> Sent: Wednesday, January 11, 2017 15:08
> 
> During the first ssl_read we received eight bytes, and after that ssl_pending
> returns 0. If we continue reading despite having no pending data, ssl_read
> returns the rest of the data.

Are you setting SSL_CTRL_SET_READ_AHEAD? SSL_pending doesn't work if read-ahead 
is set. See the comment in the definition of SSL_pending in ssl_lib.c.

Did the client send a TLS record with more than 8 bytes of application data?

SSL_pending returns true if there's more application data to be read from the 
current record. (At least that's my interpretation from a quick glance at the 
source.)

TLS is a record-oriented protocol, but the API is not strictly record-oriented. 
TLS segments outbound application data into "fragments", with one fragment for 
each TLS record. If the application makes a single call to SSL_write with a 
data length that fits in a single fragment, that *should* go out as a single 
TLS record (I believe); but if the application makes multiple calls to 
SSL_write or sends a chunk of data that's bigger than the maximum fragment size 
for the connection, then the partitioning of application data into records is 
harder to predict.

If you want to know whether there might be additional records waiting, query 
the socket directly with an API such as select or poll. (If the records haven't 
made it into the socket's receive buffer yet, you're out of luck; there's no 
way for the application to tell that more data might arrive some time in the 
future.)

This isn't an issue for HTTP because HTTP is a self-delimiting protocol. The 
application can continue to issue receives, parsing what it's received so far, 
until it knows that it has the entire message. SSL_pending isn't particularly 
useful for such a protocol, unless it's doing non-blocking I/O - in which case 
the typical pattern is to loop calling SSL_read as long as either SSL_pending 
is true or the socket is readable. (Or until OpenSSL returns SSL_WANT_WRITE, in 
which case you have to wait until the socket is writable instead, because 
you're renegotiating.)

That's all off the top of my head, so I may have gone wrong there somewhere - 
in which case no doubt someone will correct me shortly.

Michael Wojcik 
Distinguished Engineer, Micro Focus 




Re: [openssl-users] ssl_pending returns 0 despite having data to read

2017-01-11 Thread Salz, Rich
> During the first ssl_read we received eight bytes, and after that ssl_pending
> returns 0. If we continue reading despite having no pending data, ssl_read
> returns the rest of the data.
> Could you please suggest what is wrong here?

Pending is an indication that there is unread data *on the local host.*  It has 
no idea of what the network is doing, buffering or delaying, and so on.

You'll have to look at adding byte counts or other "framing" techniques to your 
protocol to know when enough data has been read.
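The two points made above, Matt's three levels of buffering (the network level is checked with poll(), not SSL_pending()) and Rich's advice to frame the protocol with byte counts, put into working code as an added example; this is not code from the thread or from OpenSSL. The receive primitive is injected as a function pointer so the framing logic can be exercised here over a local socketpair with a transport capped at 8 bytes per call (standing in for SSL_read() returning one small record at a time); the OpenSSL adapter sketched in the comment, the 4-byte big-endian length prefix, MAX_FRAME and every function name are assumptions of this example, and the three-uint64 message is constructed to match the poster's description.

```c
#include <errno.h>
#include <poll.h>
#include <stdint.h>
#include <string.h>
#include <sys/socket.h>
#include <unistd.h>

#define MAX_FRAME 65536   /* a peer-supplied length is untrusted: bound it */

/* The receive primitive is injected so the framing code does not care whether
 * bytes come from read(2) or SSL_read(); an OpenSSL adapter (assumed, not
 * compiled here) would simply return SSL_read((SSL *)ctx, buf, len). */
typedef int (*recv_fn)(void *ctx, void *buf, int len);

/* Demo transport: a descriptor capped at `cap` bytes per call, mimicking
 * SSL_read() handing back one small record per call. */
struct capped_fd { int fd; int cap; int calls; };
int last_transport_calls = 0;   /* how many transport calls the last frame took */

static int capped_recv(void *ctx, void *buf, int len)
{
    struct capped_fd *c = ctx;
    ssize_t n;
    c->calls++;
    do { n = read(c->fd, buf, (size_t)(len > c->cap ? c->cap : len)); } while (n < 0 && errno == EINTR);
    return (int)n;
}

/* Network-level check: bytes on the socket itself, which SSL_pending() never sees. */
int fd_readable(int fd, int timeout_ms)
{
    struct pollfd p = { .fd = fd, .events = POLLIN, .revents = 0 };
    return poll(&p, 1, timeout_ms) > 0 && (p.revents & (POLLIN | POLLHUP)) != 0;
}

/* Loop until exactly `len` bytes have arrived: the byte count is the loop
 * condition, never SSL_pending(). Returns -1 on error or EOF mid-message. */
static int recv_exact(recv_fn rx, void *ctx, uint8_t *buf, int len)
{
    int got = 0, n;
    while (got < len) {
        if ((n = rx(ctx, buf + got, len - got)) <= 0) return -1;
        got += n;
    }
    return got;
}

/* One frame = 4-byte big-endian length, then that many payload bytes.
 * Returns the payload length, or -1 on error or an oversized length. */
int recv_frame(recv_fn rx, void *ctx, uint8_t *out, int out_cap)
{
    uint8_t h[4];
    uint32_t len;
    if (recv_exact(rx, ctx, h, 4) < 0) return -1;
    len = ((uint32_t)h[0] << 24) | ((uint32_t)h[1] << 16) | ((uint32_t)h[2] << 8) | h[3];
    if (len > MAX_FRAME || len > (uint32_t)out_cap) return -1; /* reject before reading */
    if (len > 0 && recv_exact(rx, ctx, out, (int)len) < 0) return -1;
    return (int)len;
}

/* Sender side: 4-byte big-endian length prefix followed by the payload.
 * `wire` must have room for 4 + len bytes; returns the bytes written to it. */
size_t encode_frame(uint8_t *wire, const uint8_t *payload, uint32_t len)
{
    wire[0] = (uint8_t)(len >> 24); wire[1] = (uint8_t)(len >> 16);
    wire[2] = (uint8_t)(len >> 8);  wire[3] = (uint8_t)len;
    memcpy(wire + 4, payload, len);
    return 4 + len;
}

/* Push raw wire bytes through a socketpair (one write suffices for these small
 * constructed messages) and receive one frame from the other end. */
static int over_socketpair(const uint8_t *wire, size_t wire_len, uint8_t *out, int out_cap)
{
    int sv[2], n = -1;
    struct capped_fd c = { 0, 8, 0 };
    if (socketpair(AF_UNIX, SOCK_STREAM, 0, sv) < 0) return -1;
    c.fd = sv[1];
    if (write(sv[0], wire, wire_len) == (ssize_t)wire_len && fd_readable(sv[1], 1000))
        n = recv_frame(capped_recv, &c, out, out_cap);
    close(sv[0]); close(sv[1]);
    last_transport_calls = c.calls;
    return n;
}

/* Round trip of a constructed 24-byte message (three uint64 values, like the
 * poster's protocol): returns 24 after 4 transport calls (header + 3 x 8 bytes). */
int demo_roundtrip(void)
{
    uint64_t vals[3] = { 1, 2, 3 };          /* constructed sample message */
    uint8_t wire[4 + sizeof vals], out[64];
    size_t wlen = encode_frame(wire, (const uint8_t *)vals, sizeof vals);
    int n = over_socketpair(wire, wlen, out, sizeof out);
    return (n == (int)sizeof vals && memcmp(out, vals, sizeof vals) == 0) ? n : -1;
}

/* A header claiming a 2 GiB payload is refused before any payload is read. */
int demo_oversized(void)
{
    uint8_t bad_hdr[4] = { 0x7f, 0xff, 0xff, 0xff }, out[64];
    return over_socketpair(bad_hdr, 4, out, sizeof out) == -1;
}
```

The loop in recv_exact() is what replaces the poster's `while (SSL_pending(_ssl))` condition: the receiver keeps calling the transport until the byte count promised by the frame header has arrived, whatever record boundaries the sender happened to produce, and it checks the untrusted length against a fixed bound before touching any buffer. Everything here assumes a blocking transport; with a non-blocking SSL the adapter would have to map SSL_ERROR_WANT_READ/SSL_ERROR_WANT_WRITE to "wait on the socket" rather than treating every non-positive return as fatal, which is the pattern Michael describes.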


Re: [openssl-users] ssl_pending returns 0 despite having data to read

2017-01-11 Thread Ryan Murray
Situation may be a security issue

Ryan Murray

On Jan 11, 2017 4:14 PM, "Ryan Murray"  wrote:

> Could you give me a hand on an issue I seem to have picked up with my
> device? You and the colleagues if possible. My Samsung Galaxy S2 tablet is not
> responding.  Power button and display goes black and does not turn on for a
> period of time.  I believe the programs running in background or in a
> rooted format have been making the device malfunction. Is there a remote
> interface we could link up and establish what the heck is happening?  Lol
> Yours truly
> Ryan
>
> Ryan Murray
>


Re: [openssl-users] ssl_pending returns 0 despite having data to read

2017-01-11 Thread Ryan Murray
Could you give me a hand on an issue I seem to have picked up with my
device? You and the colleagues if possible. My Samsung Galaxy S2 tablet is not
responding.  Power button and display goes black and does not turn on for a
period of time.  I believe the programs running in background or in a
rooted format have been making the device malfunction. Is there a remote
interface we could link up and establish what the heck is happening?  Lol
Yours truly
Ryan

Ryan Murray



[openssl-users] ssl_pending returns 0 despite having data to read

2017-01-11 Thread Nadia Lapkovskaya
Hi,

We are using openssl-1.0.2j. We noticed that for the HTTP protocol everything is 
working fine, but when we are using our own binary protocol ssl_pending returns 
0 all the time. We are using a blocking socket. Tried with SSL_CTX_set_read_ahead 
set and unset.

Our test server sends back any info received from the client.

Test code looks like this:
bool write(const uint64_t* data, int count)
{
  int rc = SSL_write(_ssl, data, count * sizeof(uint64_t));
  return rc > 0 ? true : false;
}

bool read(uint64_t* data, int count)
{
  do {
    int rc = SSL_read(_ssl, data, count * sizeof(uint64_t));
    if (rc <= 0) {
      // SSL_get_error() classifies the failure (SSL_ERROR_*); the
      // detailed reason, if any, comes from the error queue.
      int err = SSL_get_error(_ssl, rc);
      char buf[256];
      std::string errs = ERR_error_string(ERR_get_error(), buf);
      return false;
    }
  } while (SSL_pending(_ssl));  // keep reading while OpenSSL still holds decrypted bytes
  return true;
}

During the first ssl_read we received eight bytes, and after that ssl_pending 
returns 0. If we continue reading despite having no pending data, ssl_read 
returns the rest of the data.
Could you please suggest what is wrong here?


Best regards,
Nadia.
