[Author Prev][Author Next][Thread Prev][Thread Next][Author Index][Thread Index]

Re: [Libevent-users] PATCH: bufferevent_openssl consider_read doesn't drain underlying BE in all cases

To: libevent-users@xxxxxxxxxxxxx
Subject: Re: [Libevent-users] PATCH: bufferevent_openssl consider_read doesn't drain underlying BE in all cases
From: Nick Mathewson <nickm@xxxxxxxxxxxxx>
Date: Mon, 6 Feb 2012 12:39:03 -0500
Delivered-to: archiver@xxxxxxxx
Delivered-to: libevent-users-outgoing@xxxxxxxx
Delivered-to: libevent-users@xxxxxxxx
Delivery-date: Mon, 06 Feb 2012 12:39:14 -0500
Dkim-signature: v=1; a=rsa-sha256; c=relaxed/relaxed; d=gmail.com; s=gamma; h=mime-version:sender:in-reply-to:references:date :x-google-sender-auth:message-id:subject:from:to:content-type :content-transfer-encoding; bh=pKqMUcoCoSYfz0RGJSflHHHMFUUvx207wdv7jvu4OD4=; b=q/WiUiqsK2EniJXeNSdSruZEHiYKs3MASSAR79k5i029cTa/VuzaeQp4IoE02sHFKh 2pqydrGTGRpV61yXOD/raGQR84uz6lr2lnu5erE4bDe+5EaJ9lki39HT3PsYohHb0UDf JsVBPT0AH117XPP4mjNQ4BXjvQxcSRZCiokZg=
In-reply-to: <20111220040027.GD20078@xxxxxxxxxx>
References: <FC58DC2FCA1644C6932F304338A04CC0@xxxxxxxxxxxxxxx> <CAJB0wA9_Sm=zJuy4ZXrvU3u7C1auXKq6YWZJWpme7KX7D5P+Hw@xxxxxxxxxxxxxx> <20111220013450.GA20078@xxxxxxxxxx> <20111220014141.GB20078@xxxxxxxxxx> <CAKDKvuw4DRndc11ECh74bY3KPLym-ZNhsUHSbV2_ZuodFn5NGw@xxxxxxxxxxxxxx> <20111220040027.GD20078@xxxxxxxxxx>
Reply-to: libevent-users@xxxxxxxxxxxxx
Sender: owner-libevent-users@xxxxxxxxxxxxx

On Mon, Dec 19, 2011 at 11:00 PM, Mark Ellzey <mthomas@xxxxxxxxxx> wrote:
> On Mon, Dec 19, 2011 at 09:57:08PM -0500, Nick Mathewson wrote:
>> I agree with the part of your fix where we don't ignore the extra data
>> whose presence is indicated by a nonzero  SSL_pending.
>>
>> But I think these fixes all have some problem(s) in common:  They
>> ignore the reason for the logic that initially sets n_to_read, and
>> instead have the behavior for the filtering SSL bufferevent be "read
>> aggressively, as much as possible!"
>>
>> That isn't correct behavior.  Because of rate-limiting[1],
>> watermarks[2], fairness/starvation[3], and loop-avoidance[4], we
>> *don't* want to read aggressively from a single underlying bufferevent
>> until it's out of data.
>>
>> [1][2] This behavior can make the SSL bufferevent aggressively overrun
>> rate limits and watermarks.
>>
>
> IMHO, SSL + rate-limiting is going to be screwy no matter what. AFIAK
> OpenSSL does not have a good way to inform the user just how much total
> data was read before decryption.

Actually, it does; the BIO_number_written and BIO_number_read
functions return the total number of bytes written/read on a BIO.

> We cannot assume the sizes either.
> (think SSL_MODE_RELEASE_BUFFERS)
>
> Watermarks, on the other hand, I agree. We should give a hard look at
> how we can fix this.

Here's what I think will work: Instead of setting the n_to_read based
on the number of bytes currently in the underlying bufferevent (as in
your fix), we only do so if reading is enabled, reading is not
suspended, and the watermark is not overrun.

Why is that safe?  Because each of these conditions causes
consider_reading to get called again once it is no longer triggered.
If reading is enabled again, be_openssl_enable will call
consider_reading.  If reading is unsuspended,
bufferevent_unsuspend_read will call be_openssl_enable, etc.  And if
the buffer is drained below its watermark, then
bufferevent_inbuf_wm_cb calls bufferevent_wm_unsuspend_read, which
then calls bufferevent_unsuspend_read, etc.

So the only case where we want to immediately try reading more from
the underlying buffer is when there is more data to read, and nothing
about our current status prevents us from trying to read it.

What's more, we already have a function that returns a reasonable
amount of data to read, but returns 0 in the cases above:
bytes_to_read().

I've commited a possible patch as 5b4b8126de52c; can folks please
test? I'd like to get a new stable release out soon if possible.

Now, this still has the problems below, but I think that we can
probably survive without fixing them in 2.0.x.  Doing SSL over a
paired bufferevent makes sense for testing, but is a little nutty.
The resource starvation issue is annoying, but the underlying
socket-based bufferevent should prevent stuff from getting _too_ bad
there.

>> [3] If a bunch of data has arrived on a the underlying bufferevent, we
>> probably don't want to aggressively do SSL on it until its gone
>> without giving other events a chance to fire.
>>
>> [4] If the underlying bufferevent is a paired bufferevent, draining it
>> could cause it to refill itself from its partner, invoking callbacks
>> that might refill the partner, etc.
-- 
Nick
***********************************************************************
To unsubscribe, send an e-mail to majordomo@xxxxxxxxxxxxx with
unsubscribe libevent-users    in the body.

Prev by Author: Re: [Libevent-users] Asynchronous writes in the event loop model
Next by Author: Re: [Libevent-users] Asynchronous writes in the event loop model
Previous by thread: Re: [Libevent-users] Asynchronous writes in the event loop model
Next by thread: [Libevent-users] [nicholas.marriott@xxxxxxxxx: libevent and invalid fds]
Index(es):
- Author
- Thread