ssl_pending returns 0 despite having data to read


Nadia Lapkovskaya
Hi,

We are using openssl-1.0.2j. We noticed that for the HTTP protocol everything is working fine, but when we are using our own binary protocol ssl_pending returns 0 all the time. We are using a blocking socket. Tried with SSL_CTX_set_read_ahead set and unset.

Our test server sends back any info received from the client.

Test code looks like this:
bool write(const uint64_t* data, int count)
{
  int rc = SSL_write(_ssl, data, count * sizeof(uint64_t));
  return rc > 0 ? true : false;
}

bool read(uint64_t* data, int count)
{
  do {
      int rc = SSL_read(_ssl, data, count * sizeof(uint64_t));
      if (rc <= 0) {
          int err = SSL_get_error(_ssl, rc);
          std::string errs = ERR_error_string(err, nullptr);
          return false;
      }
  } while (SSL_pending(_ssl));
  return true;
}

During first ssl_read we received eight bytes, and after that ssl_pending returns 0. If we continue reading despite having no pending data, ssl_read returns the rest of the data.
Could you please suggest what is wrong here.


Best regards,
Nadia.

--
openssl-users mailing list
To unsubscribe: https://mta.openssl.org/mailman/listinfo/openssl-users

Re: ssl_pending returns 0 despite having data to read

Ryan Murray
Could you give me a hand on an issue I seem to have picked up with my device? You and the colleagues if possible. My Samsung Galaxy S2 tablet is not responding. The power button and display go black and it does not turn on for a period of time. I believe the programs running in the background or in a rooted format have been making the device malfunction. Is there a remote interface we could link up and establish what the heck is happening? Lol
Yours truly
Ryan

Ryan Murray


Re: ssl_pending returns 0 despite having data to read

Ryan Murray
Situation may be a security issue

Ryan Murray


Re: ssl_pending returns 0 despite having data to read

Salz, Rich
In reply to this post by Nadia Lapkovskaya
> During first ssl_read we received eight bytes, and after that ssl_pending
> returns 0. If we continue reading despite having no pending data, ssl_read
> returns the rest of the data.
> Could you please suggest what is wrong here.

Pending is an indication that there is unread data *on the local host.*  It has no idea of what the network is doing, buffering or delaying, and so on.

You'll have to look at adding bytecounts or other "framing" techniques to your protocol to know when enough data has been read.

Re: ssl_pending returns 0 despite having data to read

Michael Wojcik
In reply to this post by Nadia Lapkovskaya
> From: openssl-users [mailto:[hidden email]] On Behalf
> Of Nadia Lapkovskaya
> Sent: Wednesday, January 11, 2017 15:08
>
> During first ssl_read we received eight bytes, and after that ssl_pending
> returns 0. If we continue reading despite having no pending data, ssl_read
> returns the rest of the data.

Are you setting SSL_CTRL_SET_READ_AHEAD? SSL_pending doesn't work if read-ahead is set. See the comment in the definition of SSL_pending in ssl_lib.c.


Did the client send a TLS record with more than 8 bytes of application data?

SSL_pending returns true if there's more application data to be read from the current record. (At least that's my interpretation from a quick glance at the source.)

TLS is a record-oriented protocol, but the API is not strictly record-oriented. TLS segments outbound application data into "fragments", with one fragment for each TLS record. If the application makes a single call to SSL_write with a data length that fits in a single fragment, that *should* go out as a single TLS record (I believe); but if the application makes multiple calls to SSL_write or sends a chunk of data that's bigger than the maximum fragment size for the connection, then the partitioning of application data into records is harder to predict.

If you want to know whether there might be additional records waiting, query the socket directly with an API such as select or poll. (If the records haven't made it into the socket's receive buffer yet, you're out of luck; there's no way for the application to tell that more data might arrive some time in the future.)

This isn't an issue for HTTP because HTTP is a self-delimiting protocol. The application can continue to issue receives, parsing what it's received so far, until it knows that it has the entire message. SSL_pending isn't particularly useful for such a protocol, unless it's doing non-blocking I/O - in which case the typical pattern is to loop calling SSL_read as long as either SSL_pending is true or the socket is readable. (Or until OpenSSL returns SSL_WANT_WRITE, in which case you have to wait until the socket is writable instead, because you're renegotiating.)

That's all off the top of my head, so I may have gone wrong there somewhere - in which case no doubt someone will correct me shortly.

Michael Wojcik
Distinguished Engineer, Micro Focus



Re: ssl_pending returns 0 despite having data to read

Matt Caswell-2
In reply to this post by Nadia Lapkovskaya


On 11/01/17 20:07, Nadia Lapkovskaya wrote:

> Hi,
>
> We are using openssl-1.0.2j. We noticed that for the HTTP protocol everything is working fine, but when we are using our own binary protocol ssl_pending returns 0 all the time. We are using a blocking socket. Tried with SSL_CTX_set_read_ahead set and unset.
>
> Our test server sends back any info received from the client.
>
> Test code looks like this:
> bool write(const uint64_t* data, int count)
> {
>   int rc = SSL_write(_ssl, data, count * sizeof(uint64_t));
>   return rc > 0 ? true : false;
> }
>
> bool read(uint64_t* data, int count)
> {
>   do {
>       int rc = SSL_read(_ssl, data, count * sizeof(uint64_t));
>       if (rc <= 0) {
>           int err = SSL_get_error(_ssl, rc);
>           std::string errs = ERR_error_string(err, nullptr);
>           return false;
>       }
>   } while (SSL_pending(_ssl));
>   return true;
> }
>
> During first ssl_read we received eight bytes, and after that ssl_pending returns 0. If we continue reading despite having no pending data, ssl_read returns the rest of the data.
> Could you please suggest what is wrong here.

There are three levels of buffered data that you need to consider:

- Data that is buffered at the network level
- Data that is buffered in OpenSSL but not yet processed (i.e. decrypted)
- Data that is buffered in OpenSSL that has been processed

SSL_pending() only tells you about the last type of data. TLS delivers
blocks of data in records and OpenSSL will decrypt an entire record in
one go. If your application only then reads some of that record then
SSL_pending() will tell you how many bytes of data it still has
available. If you always read an entire record in one go (i.e. if the
size of the buffer that you pass to SSL_read() is equal to or greater
than the amount of data in the record) then SSL_pending() will always
return 0.

Normally OpenSSL will only read one record at a time, so there isn't any
data of the second type. However if you set read_ahead then it will
attempt to read as much data as the network can give it, until the
internal buffer is filled. If that means it has read more than one
record (which could include partial records) then you will get data of
the second type. In 1.0.2 there is no way to get OpenSSL to tell you
whether it has any of that data buffered. In 1.1.0 you can find out
about this data using the new function SSL_has_pending():

https://www.openssl.org/docs/man1.1.0/ssl/SSL_pending.html

For data buffered at the network level you should query this yourself
using something like select() or poll().

Matt
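
An added example, not code from the thread or from OpenSSL: it runs the loop shape from the original post and a byte-count framed reader (the technique Rich Salz suggests) against a constructed stand-in for the SSL object that behaves the way Matt Caswell describes SSL_pending(). MockTls, read_while_pending, read_exact, read_frame and the 4-byte big-endian length prefix are all assumptions made for illustration; in real code c.read() would be SSL_read().

```cpp
#include <cstdint>
#include <cstring>
#include <deque>
#include <vector>
using Bytes = std::vector<uint8_t>;
// Constructed stand-in for an SSL object (not OpenSSL code): each queued vector
// is one TLS record. read() serves one record at a time; pending() counts only
// what is left of the record already taken, as the replies describe SSL_pending.
struct MockTls {
    std::deque<Bytes> records;
    Bytes cur;
    size_t off = 0;
    int read(uint8_t* buf, size_t len) {
        if (off == cur.size()) {
            if (records.empty()) return 0;  // nothing queued: treat as EOF
            cur = records.front(); records.pop_front(); off = 0;
        }
        size_t n = len < cur.size() - off ? len : cur.size() - off;
        std::memcpy(buf, cur.data() + off, n);
        off += n;
        return (int)n;
    }
    int pending() const { return (int)(cur.size() - off); }
};

// The loop shape from the original post: stop once pending() reports 0.
size_t read_while_pending(MockTls& c, uint8_t* buf, size_t len) {
    size_t total = 0;
    int rc;
    do {
        if ((rc = c.read(buf, len)) > 0) total += rc;
    } while (rc > 0 && c.pending());
    return total;
}

// Read exactly len bytes, however the peer split them into records.
bool read_exact(MockTls& c, uint8_t* p, size_t len) {
    for (int rc; len > 0; p += rc, len -= rc)
        if ((rc = c.read(p, len)) <= 0) return false;  // EOF or error mid-message
    return true;
}

// Framing: 4-byte big-endian byte count, then that many payload bytes.
bool read_frame(MockTls& c, Bytes& out, uint32_t max_len = 1u << 20) {
    uint8_t h[4];
    if (!read_exact(c, h, 4)) return false;
    uint32_t n = uint32_t(h[0]) << 24 | uint32_t(h[1]) << 16 | uint32_t(h[2]) << 8 | h[3];
    if (n > max_len) return false;  // refuse an oversized length field
    out.resize(n);
    return read_exact(c, out.data(), n);
}
```

With two 8-byte records queued, read_while_pending() returns after the first 8 bytes, matching the behaviour reported in the original post, while read_frame() keeps reading until the declared byte count has arrived.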