When using a non-encrypted socket I'd use

int num_bytes = recvmsg(sock, &msg, 0);

and then get the SO_TIMESTAMP info from the msg (see e.g. the question "Linux recvmsg() not getting a software timestamp from socket" and https://linux.die.net/man/2/recvmsg).

However, there doesn't seem to be a corresponding API for an SSL-encrypted socket, at least for OpenSSL. The only one I can see is

int SSL_read(SSL *ssl, void *buf, int num);

which obviously doesn't propagate the timestamp info.

Have people tried this before? I can see a few options:

  • fork/extend OpenSSL at the point where it reads from the raw socket and carry the data across
  • do a recvmsg(s, data, flags) explicitly and somehow pass that into an OpenSSL function for subsequent decoding.
  • use a different library?

I find surprisingly little info about this online. Thanks!

Joris Peeters
    If you want to have full control over the underlying socket or if you want to use something else for I/O than a TCP socket you need to use the [BIO interface](https://stackoverflow.com/questions/51672133/what-are-openssl-bios-how-do-they-work-how-are-bios-used-in-openssl) – Steffen Ullrich Nov 19 '22 at 09:47
  • SSL is a *stream* protocol - there's no "socket timestamp" for decrypted bytes that come out of the receipt stream, and there's no direct correspondence between any raw data chunk being received and the actual decrypted data. What time does a liter of water dumped into a full bathtub drain out? – Andrew Henle Nov 19 '22 at 14:58
  • WRT "fork/extend OpenSSL", are you signing up to maintaining your fork, including keeping up-to-date on any and all vulnerabilities, and fixing critical ones immediately? – Andrew Henle Nov 19 '22 at 15:02
  • @AndrewHenle the extension is obviously not my favourite option. Wrt your first comment, though, my impression is that SSL data comes in records, which should be possible to tie back to the raw data and therefore to a sensible timestamp? – Joris Peeters Nov 19 '22 at 19:02

1 Answer

Followed the suggestion in the comments by Steffen Ullrich (thank you) to make something work.

I ended up implementing a custom BIO along the lines of https://github.com/openssl/openssl/blob/master/crypto/bio/bio_sock.c but with recvmsg for the read path, and grabbing the SO_TIMESTAMP, which I subsequently stick in custom data.

I attach the BIO (SSL_set_bio) to my SSL object, and can retrieve the timestamp after a successful SSL_read.

It was quite painful.

Joris Peeters
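The recvmsg() read path the answer describes, as an added example rather than the answer's own code: a recv() replacement that captures the kernel SO_TIMESTAMP of each raw chunk, the control-message parser it relies on, and a test hook that exercises the parser without a socket. It assumes Linux/glibc and a custom BIO whose read callback (OpenSSL glue not shown) calls recv_with_timestamp() in place of recv() and keeps the timestamp in its BIO data; as the comments point out, that value is the arrival time of the last raw chunk fed to the decryptor, which is all a stream protocol can give you.

```c
#define _GNU_SOURCE
#include <string.h>
#include <sys/socket.h>
#include <sys/time.h>
/* Scan ancillary data for SCM_TIMESTAMP (filled in by the kernel when
 * SO_TIMESTAMP is set on the socket). Returns 1 and fills *ts, else 0. */
int extract_so_timestamp(struct msghdr *msg, struct timeval *ts)
{
    for (struct cmsghdr *c = CMSG_FIRSTHDR(msg); c; c = CMSG_NXTHDR(msg, c)) {
        if (c->cmsg_level == SOL_SOCKET && c->cmsg_type == SCM_TIMESTAMP &&
            c->cmsg_len >= CMSG_LEN(sizeof(struct timeval))) {
            memcpy(ts, CMSG_DATA(c), sizeof *ts); /* cmsg data may be unaligned */
            return 1;
        }
    }
    return 0;
}

/* recv() replacement for the BIO read callback: same return value as recv(),
 * plus the kernel receive timestamp of this chunk in *ts (zeroed if absent).
 * Caller must first setsockopt(fd, SOL_SOCKET, SO_TIMESTAMP, &one, sizeof one). */
ssize_t recv_with_timestamp(int fd, void *buf, size_t len, struct timeval *ts)
{
    struct iovec iov = { .iov_base = buf, .iov_len = len };
    char ctrl[CMSG_SPACE(sizeof(struct timeval))];
    struct msghdr msg = { .msg_iov = &iov, .msg_iovlen = 1,
                          .msg_control = ctrl, .msg_controllen = sizeof ctrl };
    ssize_t n = recvmsg(fd, &msg, 0);
    memset(ts, 0, sizeof *ts);
    if (n > 0 && !(msg.msg_flags & MSG_CTRUNC)) /* truncated cmsg: no timestamp */
        extract_so_timestamp(&msg, ts);
    return n;
}

/* Test hook: build the control buffer the kernel would hand back (an unrelated
 * cmsg type when with_ts == 0) and check extract_so_timestamp() recovers it. */
int timestamp_roundtrip(long sec, long usec, int with_ts)
{
    char ctrl[CMSG_SPACE(sizeof(struct timeval))];
    struct msghdr msg = { .msg_control = ctrl, .msg_controllen = sizeof ctrl };
    struct timeval in = { .tv_sec = sec, .tv_usec = usec }, out;
    struct cmsghdr *c = CMSG_FIRSTHDR(&msg);
    c->cmsg_level = SOL_SOCKET;
    c->cmsg_type = with_ts ? SCM_TIMESTAMP : SCM_RIGHTS;
    c->cmsg_len = CMSG_LEN(sizeof in);
    memcpy(CMSG_DATA(c), &in, sizeof in);
    if (!extract_so_timestamp(&msg, &out)) return 0;
    return out.tv_sec == sec && out.tv_usec == usec;
}
```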