BIO_read_ex does not distinguish EOF from failure

[davidben]

OpenSSL 1.1.1 added BIO_read_ex and BIO_write_ex functions, along with corresponding functions at the SSL layer, so that things can be size_t-clean.

BIO_read_ex is not a suitable replacement for BIO_read because it loses the ability to distinguish EOF from failure. BIO_read did so via a 0 vs -1 return.

See this logic where a file BIO's BIO_read implementation uses ferror to decide whether to return 0 or -1.
https://github.com/openssl/openssl/blob/master/crypto/bio/bss_file.c#L145-L154

Or this logic where fd BIOs preserve whether read returned 0 or -1.
https://github.com/openssl/openssl/blob/master/crypto/bio/bss_fd.c#L121

For BIO_read_ex, one answer would be to return a "successful" read of zero bytes. However, BIO_read_ex's documentation does not call this out (necessary so a caller knows to expect it), and indeed the implementation does not do this. Both 0 and -1 from an old-style BIO_read get mapped to the same thing.
https://github.com/openssl/openssl/blob/master/crypto/bio/bio_meth.c#L123-L128

This means that any BIO implementation which distinguishes these, such as fd or file BIOs above, cannot be ported to BIO_meth_set_read_ex because there is no way to retain that signal for existing BIO_read callers. Conversely, any BIO consumer that needs to distinguish EOF from error cannot be ported to BIO_read_ex. This includes many of the BIO_read calls within OpenSSL itself:
https://github.com/openssl/openssl/blob/master/apps/apps.c#L1704
https://github.com/openssl/openssl/blob/master/apps/dgst.c#L425
https://github.com/openssl/openssl/blob/master/apps/rsautl.c#L222
https://github.com/openssl/openssl/blob/master/crypto/asn1/a_d2i_fp.c#L123
https://github.com/openssl/openssl/blob/master/demos/bio/saccept.c#L97
https://github.com/openssl/openssl/blob/master/demos/bio/sconnect.c#L101
https://github.com/openssl/openssl/blob/master/demos/bio/server-arg.c#L120
https://github.com/openssl/openssl/blob/master/demos/bio/server-conf.c#L112

The distinction is messier for SSL_read_ex, since it has SSL_get_error, but I'll note that SSL_ERROR_ZERO_RETURN is really just a clean EOF. Though EOFs for TLS are a little messy because there's a clean close_notify and there's unclear transport EOFs which, while technically an unclean shutdown, are in practice treated as "clean" in many uses of TLS due to the ecosystem failing to send close_notify. In SSL_read, this is signaled via some messy combination of SSL_get_error and 0 vs -1.

[mattcaswell]

Why can't BIO_eof be used to distinguish these cases?

[davidben]

Well, most existing BIO types don't signal this (fd, socket, etc.), so it's not usable that way today. Indeed the OpenSSL code linked above doesn't expect such behavior.

The old/new API emulation layers also don't behave this way. One the direction would need to set some EOF flag based on 0/-1 and the other would need to query BIO_eof and return 0/-1 according. Right now I think converting an existing BIO to the new API would cause it to report EOFs on all errors out of the old API because it just passes the zero return along. (Though not documented, the code linked above shows callers, including OpenSSL itself, interpreted BIO_read to behave like read and return zero on EOF and -1 on error.)

Using BIO_eof would introduce extra state internally, as well as make everyone use an out-of-band API. In contrast, most systems signal this in-band. (Though sometimes it is a special error the caller checks for and sometimes it is a "successful" read of zero bytes. OpenSSL's error queue does not lend itself to programmatic queries, so the latter is probably better here, unless we add an extra is_eof out param or something.)
https://golang.org/pkg/io/#Reader
https://doc.rust-lang.org/std/io/trait.Read.html#tymethod.read
http://man7.org/linux/man-pages/man2/read.2.html
https://docs.microsoft.com/en-us/windows/desktop/api/fileapi/nf-fileapi-readfile
https://docs.python.org/3/library/io.html

Finally, note statefulness doesn't fully capture the POSIX read function, where one can read past an EOF in weird cases (Ctrl-D on a tty). But those are, granted, weird.

[davidben]

Since OpenSSL 3.0 beta is coming up, this might be a good time to get this resolved. Given OpenSSL's error queue makes a using well-known error code tricky, I'd suggest that EOF be marked by a successful return of zero bytes. This aligns with POSIX (EOF returns 0 without errno) and Windows's synchronous API.

This does fit the type signature of BIO_read_ex, but it's not compatible with the existing behavior (since the existing behavior cannot signal EOF at all). Introducing BIO_read_ex2 is somewhat disappointing, but it is an option. (FWIW, I've not seen any external project migrate to BIO_read_ex yet.)

[levitte]

So basically, from pretty much appearing to be modelled according to POSIX I/O, BIO is now in a bit of an in between state, with some ambitions to be more like stdio, but hasn't quite reached there. Is that the gist of it?
(I'm not trying to be contradictory, I'm just trying to have a "complete API" view)

[davidben]

That's true, fread works via a stateful feof flag instead, and I see 22623e0 has since added BIO_FLAGS_IN_EOF to more BIOs. Though the two models aren't currently mapped in any way, so it's up to the individual BIO to implement this. (Is that documented anywhere? Seems not especially compatible.)

[levitte]

so it's up to the individual BIO to implement this

Yeah, they aren't quite as uniform as one might desire.

(Is that documented anywhere? Seems not especially compatible.)

The indications are there, but aren't always clear on the matter. I suggest you read the manual that contains on BIO_eof(), BIO_seek() and BIO_tell(), including return values... and well, in some cases, you might want to brace yourself 😉

[davidben]

Thoughts on this, folks? This ticket's been open for a while now.

I've looking at bio_read_intern, noticed an even deeper problem. I suspect this slipped through because none of the built-in BIOs were converted to the new API and the compatibility bread_conv mode breaks the rules a bit. That means BIO_read_ex as an API was never tested for suitability.
https://github.com/openssl/openssl/blob/master/crypto/bio/bio_lib.c#L291
https://github.com/openssl/openssl/blob/master/crypto/bio/bio_lib.c#L317

Callers that call BIO_read expect the old behavior where 0 means EOF and -1 means error. However, the bread function (other than bread_conv) only returns 1 for success and 0 for error. Notice that BIO_read simply preserves the error return from bio_read_intern. That means that, for BIOs which internally use the BIO_read_ex convention, BIO_read suddenly breaks.

For example, the FD BIOs currently preserve read's convention of returning zero on EOF. Tellingly, that BIOs doesn't use the read_ex convention.
https://github.com/openssl/openssl/blob/master/crypto/bio/bss_fd.c#L119

It really doesn't seem like BIO_read_ex is usable right now. From BIO_FLAGS_IN_EOF, are you all leaning towards a stateful, out-of-band EOF, rather than the more conventional in-band signal? If so, this should be documented and the various conventions between BIO_read and BIO_read_ex should enforce this. That is, if the BIO is natively bread, not bread_old, BIO_read should check whatever the EOF convention is and return 0 or -1 accordingly.

Given you all also have BIO_seek, I'm not sure an out-of-band EOF is the best decision. Since BIO_seek exists but is under the purview of the BIO, we can't have the BIO machinery simulate BIO_FLAGS_IN_EOF automatically based on bread_old. We don't know what other operations will change the BIO's state. That means that an old-style BIO cannot be relied on to correctly report BIO_eof. That, in turn, means code that previously called BIO_read cannot switch to BIO_read_ex + BIO_eof until it is sure that all BIOs it ever sees has been converted to manage BIO_eof.

In contrast, an in-band return signal does not rely on any statefulness. It's unfortunate, but you could deprecate BIO_read_ex and introduce BIO_read_ex2 which behaves the same except, on EOF, it "successfully" returns true. This aligns with POSIX and (non-overlapped) Windows. That convention can convert to and from BIO_read. Since BIO_read_ex's behavior is a subset of BIO_read_ex2, you can keep BIO_meth_set_read_ex as-is.

[mattcaswell]

This needs an OTC discussion. I see @t8m has applied the OTC hold so this should be discussed next week.