Fixes to handle retries for WantWriteError and WantReadError in SSL

julianz- · webknjaz · commit a7750e96cebc · 2025-09-26T04:18:23.000+02:00
As discussed in #245
diff --git a/cheroot/makefile.py b/cheroot/makefile.py
@@ -3,6 +3,8 @@
 # prefer slower Python-based io module
 import _pyio as io
 import socket
+import time
+from OpenSSL import SSL
 
 
 # Write only 16K at a time to sockets
@@ -31,7 +33,11 @@ def _flush_unlocked(self):
                 # so perhaps we should conditionally wrap this for perf?
                 n = self.raw.write(bytes(self._write_buf))
             except io.BlockingIOError as e:
-                n = e.characters_written
+                n = e.characters_writteni
+            except (SSL.WantReadError,SSL.WantWriteError, SSL.WantX509LookupError) as e:
+                # these errors require retries with the same data 
+                # if some data has already been written
+                n = 0
             del self._write_buf[:n]
 
 
@@ -45,9 +51,15 @@ def __init__(self, sock, mode='r', bufsize=io.DEFAULT_BUFFER_SIZE):
 
     def read(self, *args, **kwargs):
         """Capture bytes read."""
-        val = super().read(*args, **kwargs)
-        self.bytes_read += len(val)
-        return val
+        while True:
+            try:
+                val = super().read(*args, **kwargs)
+                self.bytes_read += len(val)
+                return val
+            except SSL.WantReadError:
+                time.sleep(0.1)  # allow some retry delay
+            except SSL.WantWriteError:
+                time.sleep(0.1)
 
     def has_data(self):
         """Return true if there is buffered data to read."""
diff --git a/cheroot/test/test_ssl.py b/cheroot/test/test_ssl.py
@@ -17,6 +17,8 @@
 import requests
 import trustme
 
+from cheroot.makefile import BufferedWriter
+
 from .._compat import (
     IS_ABOVE_OPENSSL10,
     IS_ABOVE_OPENSSL31,
@@ -38,6 +40,7 @@
     _get_conn_data,
     _probe_ipv6_sock,
 )
+from unittest import mock
 from ..wsgi import Gateway_10
 
 
@@ -624,6 +627,37 @@ def test_ssl_env(  # noqa: C901  # FIXME
         ),
     )
 
+class TestBufferedWriterSSLWantErrors:
+    
+    def setup_method(self):
+        self.mock_raw = mock.Mock()
+        self.mock_raw.closed = False
+        self.writer = BufferedWriter(self.mock_raw)
+
+    def test_want_write_error_retry(self):
+        """Test that WantWriteError causes retry with same data."""
+        test_data = b"hello world"
+        
+        self.mock_raw.write.side_effect = [
+            OpenSSL.SSL.WantWriteError(),
+            len(test_data)
+        ]
+        
+        result = self.writer.write(test_data)
+        assert result == len(test_data)
+        assert self.mock_raw.write.call_count == 2
+
+    def test_want_read_error_retry(self):
+        """Test that WantReadError causes retry with same data."""
+        test_data = b"test data"
+        
+        self.mock_raw.write.side_effect = [
+            OpenSSL.SSL.WantReadError(), 
+            len(test_data)
+        ]
+        
+        result = self.writer.write(test_data)
+        assert result == len(test_data)
 
 @pytest.mark.parametrize(
     'ip_addr',
