
Re: SSL/GSSAPI for OpenLDAP



bart@etpmod.phys.tue.nl wrote:
> 
> On 16 Jun, Kurt D. Zeilenga wrote:
> > bart@etpmod.phys.tue.nl wrote:
> >> On 14 Jun, Kurt D. Zeilenga wrote:
> >> > David Boreham wrote:
> >> >
> >> >> You'll probably find that you need some sort
> >> >> of unread operation too. I did for the server.
> >> >> Big PITA it is too.
> >> >
> >> > I'm thinking that this could be avoided by having a dataAvailable
> >> > hook...  but, yes, something is needed to manage issues concerning
> >> > low-level I/O availability and ber-level data availability.
> >> > That is, a socket can be selectable but no data is yet available
> >> > due to data decryption requirements.
> >>
> >> Well, the situation where there is data available on the socket (socket
> >> is selectable), but this new data is held up by the crypto layer is not
> >> a big problem. The read operation could just return an EWOULDBLOCK-type
> >> error. If I remember correctly, both libldap and the servers handled
> >> this okay.
> >>
> >> It gets more interesting when there is no data on the socket, but there
> >> is data available from the crypto layer. For this situation, it will be
> >> necessary to modify all calls to 'select'.
> >
> > Hit me with a mallet, please.   How is this possible?
> >
> > As long as the caller drains the connection to EWOULDBLOCK, then the crypto
> > layer has given up all data that is ready for the caller.... and data that's
> > not ready needs more from the wire.
> 
> No, it is possible that the crypto system needs a packet of, say, 256
> bytes to decrypt. When 255 bytes come in over the network, the socket
> will be selectable, the caller will try to read, in turn triggering the
> crypto system to read. The crypto system reads the 255 bytes, but can't
> decrypt and hand data over to the caller before the last 256th byte is
> received. So it returns 'EWOULDBLOCK' (note quotes), and waits.
> 
> If suddenly another 257 bytes arrive, the procedure repeats itself. It is
> possible, depending on the TLS implementation, that all these bytes are
> read by the crypto layer in one go. This means that the crypto layer
> now has 2 packets ready for the caller. At the moment, (or rather, last
> time I looked, which has been a while :-) ), both the library and the
> server don't do read ahead, so they will request only a single LDAP
> message at a time. This means that the crypto layer will have to keep
> any superfluous data.

So, the problem is that the caller is NOT draining the stream to
EWOULDBLOCK...  which is what I thought (incorrectly) slapd did.

I see two ways of resolving this in slapd:
	1)	modify the code to drain the stream
	2)	redesign the select() away (use per stream threads that do
		blocking reads).

Option 1 is relatively straight forward and likely the best choice for
now.  Eventually, though, we need to seriously consider ditching the
select event loop.  Mixing select and threads is problematic.

Kurt
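The failure mode bart describes, and Kurt's option 1, in a small model. This is an added example, not OpenLDAP code: the crypto layer, its 256-byte packet size (PKT), the connection struct and the two caller strategies are all assumptions made for illustration. The socket is "selectable" only while the kernel still holds unread bytes; the crypto layer slurps everything in one read and decrypts whole packets; the caller asks for one message at a time. With one read per select() wake-up the second message is stranded in the crypto layer and select() never fires again; draining to EWOULDBLOCK delivers both.

```c
#include <errno.h>
#include <stddef.h>
#include <stdio.h>

#define PKT 256   /* assumed: bytes the crypto layer needs to decrypt one message */

/* Toy connection: kernel socket buffer, crypto layer's partial-packet buffer,
 * and decrypted messages the caller has not yet asked for. */
typedef struct {
    size_t sock_len;    /* bytes in the kernel socket buffer; selectable iff > 0 */
    size_t wire_len;    /* bytes the crypto layer read but cannot decrypt yet */
    size_t msgs_ready;  /* whole decrypted messages waiting for the caller */
} conn;

static void net_arrive(conn *c, size_t n) { c->sock_len += n; }

/* What select() would report for this fd. */
static int selectable(const conn *c) { return c->sock_len > 0; }

/* One non-blocking read of a single LDAP message through the crypto layer.
 * Returns 1 on a message, -1 with errno = EWOULDBLOCK if none is ready. */
static int crypto_read_msg(conn *c) {
    /* the crypto layer reads all available socket bytes in one go */
    c->wire_len += c->sock_len;
    c->sock_len = 0;
    /* decrypt every complete packet; leftovers stay in wire_len */
    while (c->wire_len >= PKT) {
        c->wire_len -= PKT;
        c->msgs_ready++;
    }
    if (c->msgs_ready == 0) {
        errno = EWOULDBLOCK;
        return -1;
    }
    c->msgs_ready--;
    return 1;
}

/* Caller that reads one message per select() wake-up (the behaviour
 * bart reports). Returns messages delivered this wake-up. */
static size_t one_read_per_wakeup(conn *c) {
    if (selectable(c) && crypto_read_msg(c) == 1)
        return 1;
    return 0;
}

/* Caller that drains the stream to EWOULDBLOCK (Kurt's option 1). */
static size_t drain_to_ewouldblock(conn *c) {
    size_t got = 0;
    if (!selectable(c))
        return 0;
    while (crypto_read_msg(c) == 1)
        got++;
    return got;
}

/* bart's scenario: 255 bytes arrive, then 257 more, then the wire goes quiet.
 * Returns the total number of messages the caller actually received. */
static size_t scenario(size_t (*handler)(conn *)) {
    conn c = {0, 0, 0};
    size_t total = 0;
    net_arrive(&c, 255);
    total += handler(&c);   /* selectable, but no whole packet yet: EWOULDBLOCK */
    net_arrive(&c, 257);
    total += handler(&c);   /* 512 bytes now in the crypto layer: two messages */
    total += handler(&c);   /* socket empty, select() would not wake us again */
    return total;
}

int main(void) {
    printf("one read per wake-up: %zu of 2 messages delivered\n",
           scenario(one_read_per_wakeup));
    printf("drain to EWOULDBLOCK: %zu of 2 messages delivered\n",
           scenario(drain_to_ewouldblock));
    return 0;
}
```

The drain loop is the whole fix for the case discussed here; with a real TLS library the equivalent check is the library's "decrypted bytes still buffered" query (OpenSSL's SSL_pending()), which the event loop must consult before going back to select().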