OpenSSL BIO Series 24 --- SSL Type Bio

SSL type BIO

--- Translation according to OpenSSL DOC / CRYPTO / BIO_F_SSL.POD and its own understanding

(Author: DragonKing, Mail: wzhah@263.net, released in:

Http://openssl.126.com OpenSSL professional forum)

As can be seen from the name, this is a very important BIO type, which encapsulates the SSL rules and functions in OpenSSL, which is equivalent to providing a well-effective tool that uses SSL, a good assistant. It is as follows: OpenSSSL / BIO.H, OpenSSL / SSL.H.

BIO_METHOD * BIO_F_SSL (Void);

#define bio_set_ssl (b, ssl, c) bio_ctrl (b, bio_c_set_ssl, c, (char *) ssl)

#define bio_get_ssl (b, sslp) BIO_CTRL (B, BIO_C_GET_SSL, 0, (CHAR *) SSLP)

#define bio_set_ssl_mode (b, client) BIO_CTRL (B, BIO_C_SSL_MODE, Client, Null)

#define bio_set_ssl_renegotiate_bytes (b, num) BIO_CTRL (B, BIO_C_SET_SSL_RENEGOTIATE_BYTES, NUM, NULL);

#define bio_set_ssl_renegotiate_timeout (b, seconds) Bio_ctrl (b, bio_c_set_ssl_renegotiate_timeout, seconds, null);

#define bio_get_num_renegotiates (b) BIO_CTRL (B, BIO_C_SET_SSL_NUM_RENEGOTIATES, 0, NULL);

BIO * BIO_NEW_SSL (SSL_CTX * CTX, INT Client);

BIO * BIO_NEW_SSL_CONNECT (SSL_CTX * CTX);

BIO * BIO_NEW_BUFFER_SSL_CONNECT (SSL_CTX * CTX);

INT BIO_SSL_COPY_SESSION_ID (BIO * TO, BIO * FROM);

Void Bio_ssl_shutdown (bio * bio);

#define bio_do_handshake (b) BIO_CTRL (B, BIO_C_DO_STATE_MACHINE, 0, NULL)

This type of BIO implements file inside SSL / BIO_SSL.C, you can see this file to get a detailed function implementation information.

[BIO_F_SSL]

This function returns an SSL type BIO_METHOD structure that is defined as follows:

Static Bio_Method Methods_sslp =

{

Bio_Type_ssl, "SSL",

SSL_WRITE,

SSL_READ,

SSL_PUTS,

NULL, / * SSL_GETS, * /

SSL_CTRL,

SSL_NEW,

SSL_Free,

SSL_CALLBACK_CTRL,

}

It can be seen that the SSL type BIO does not support the function of BIO_GETS.

When the BIO_READ and BIO_WRITE are called, the SSL type BIO uses the SSL protocol to perform the underlying I / O operation. If the SSL connection is not built at this time, the connection is performed first on the first IO function.

If you attach a BIO to a SSL type BIO using BIO_PUSH, it will be automatically called when the SSL type BIO reads and writes.

When the BIO_RESET is called, the SSL_SHUTDOWN function will be called to close all the SSLs in the connection state, and then call the Bio_reset on the next BIO, which is generally disconnected by the underlying transmission connection. After the call is completed, the SSL type BIO is in the initial acceptance or connection status. If the BIO close flag is set, the SSL type BIO is released, and the internal SSL structure is also released by the SSL_Free function.

[BIO_SET_SSL]

This function sets the internal SSL pointer of the SSL type BIO points to SSL, and the closing flag is set using the parameter c.

[BIO_GET_SSL]

This function returns the SSL structural pointer of the SSL type BIO to obtain the pointer, you can use the flag's SSL function to operate.

[BIO_SET_SSL_MODE]

This function sets the operating mode of the SSL. If the parameter client is 1, the SSL mode is a client mode. If the client is 0, the SSL operating mode is server mode.

[BIO_SET_SSL_RENEGOTIATE_BYTES]

This function setting requires re-performing the length of read and write data for the session negotiation to NUM. When the setting is completed, the SSL connection will be automatically reinforced with the SSL connection after the setting is completed. The parameter NUM is at least 512 bytes.

[BIO_SET_SSL_RENEGOTIATE_TIMEOUT]

This function is the same as the above function to enhance the security of the SSL connection. Different, the parameters used by this function are time. This function setting is re-performed for the session negotiation, and its unit is second. When the SSL Session connection established time reaches the time it sets, the connection will automatically re-perform the session negotiation.

[BIO_GET_NUM_RENEGOTIATES]]

This function returns the SSL connection to the data length read and written before the session restrictions due to byte limit or time limits.

[BIO_NEW_SSL]

This function creates an SSL type Bio using the SSL_CTX structure represented by the CTX parameter. If the parameter client is a non-zero value, the client mode is used.

[BIO_NEW_SSL_CONNECT]

This function creates a new Bio chain containing SSL type BIO and attaches a connection type Bio.

Convenient and interesting is because in the Filter type Bio, if it is this BIO, it doesn't know (no implementation) BIO_CTRL operation, it will automatically pass the action to the next BIO, so we can call this function to get BIO The BIO_SET_HOST function directly calls the server name and port without having to find the connection Bio first.

[BIO_NEW_BUFFER_SSL_CONNECT]

Create a Bio, an SSL type BIO, and a Bio of a connection type.

[BIO_SSL_COPY_SESSION_ID]

This function copies the SSL Session ID of the Bio chain from to the BIO chain TO. In fact, it is done by finding the SSL type BIO in the two BIO chains and then calls SSL_COPY_SESSION_ID to complete the operation.

[BIO_SSL_SHUTDOWN]

This function turns off the SSL connection in a BIO chain. In fact, the function is to close the SSL pointer in the internal SSL_ShutDown function by finding the SSL type BIO in the BIO chain.

[BIO_DO_HANDSHAKE]

This function starts the SSL handshake process on the related BIO and establishes an SSL connection. The connection successfully establishes the return 1, otherwise returns 0 or negative value, if the connection BIO is a non-blocking Bio, can call the BIO_SHOULD_RETRY function to determine the release of the need to retry. If the SSL connection has been created when the function is called, then the function will not do anything. Under normal circumstances, the application does not need to call this function directly unless you want to separate the handshake process to separate from other IO. It should be noted that if the bottom layer is a blocking type (the OpenSSL help text file writes non-blocking, non-blocking, but according to the above meaning of the other nature of Bio, I personally think is blocked, blocking is the correct) Bio, in Some unexpected cases SSL type BIO will also issue an unexpected retry request. This happens if the process of starting the session re-negotiation is when performing the Bio_Read operation. In 0.9.6 and later, the class behavior can be banned from the SSL flag SSL_AUTO_RETRY, so after setting, the SSL type BIO that uses the blocked transmission will never issue a re-try.

【example】

1. An example of an SSL / TLS client to complete the function of returning a page from an SSL / TLS server. The method of IO operation is the same as the example in the connection type BIO.

BIO * SBIO, * OUT

Int Len;

Char tmpbuf [1024];

SSL_CTX * CTX;

SSL * SSL;

ERR_LOAD_CRYPTO_STRINGS ();

Err_Load_ssl_strings ();

OpenSSL_ADD_ALL_ALGORITHMS ();

// If the system platform does not support the settings of automatic random number, it should be set (SEED PRNG)

CTX = SSL_CTX_NEW (SSLV23_CLIENT_METHOD ());

// The verification path and mode should also be set here because there is no setting here, so this example can establish an arbitrary server using any CA issuance certificate

SBIO = BIO_NEW_SSL_CONNECT (CTX);

BIO_GET_SSL (SBIO, & SSL);

IF (! ssl) {

FPRINTF (stderr, "can't locate ssl pointer / n");

}

/ * Do not need any retry request * /

SSL_SET_MODE (SSL, SSL_MODE_AUTO_RETRY);

/ / Here you can add some other settings to SSL

BIO_SET_CONN_HOSTNAME (SBIO, "Localhost: https");

OUT = BIO_NEW_FP (stdout, bio_noclose);

IF (BIO_DO_CONNECT (SBIO) <= 0) {

FPRINTF (stderr, "error connecting to server / n");

ERR_PRINT_ERRORS_FP (STDERR);

}

IF (Bio_DO_Handshake (SBIO) <= 0) {

FPRINTF (stderr, "Error Establishing SSL Connection / N");

ERR_PRINT_ERRORS_FP (STDERR);

}

/ * Here you can add code that detects the SSL connection to get some connection information * /

BIO_PUTS (SBIO, "GET / HTTP / 1.0 / N / N");

For (;;) {

LEN = BIO_READ (SBIO, TMPBUF, 1024);

IF (len <= 0) Break;

BIO_WRITE (OUT, TMPBUF, LEN);

}

BIO_FREE_ALL (SBI);

BIO_FREE (OUT);

2. An example of a simple server. It uses the Bio of the buffer type to read data from a SSL type BIO using BIO_GETS. It creates a random web page containing the client request and outputs the request information to the standard output device.

BIO * SBIO, * BBIO, * ACPT, * OUT

Int Len;

Char tmpbuf [1024];

SSL_CTX * CTX;

SSL * SSL;

ERR_LOAD_CRYPTO_STRINGS ();

Err_Load_ssl_strings ();

OpenSSL_ADD_ALL_ALGORITHMS ();

// may need seed processing of random numbers (SEED PRNG)

CTX = SSL_CTX_NEW (SSLV23_SERVER_METHOD ());

IF (! SSL_CTX_USE_CERTIFICATE_FILE (CTX, "Server.Pem", SSL_FileType_pem)

||! SSL_CTX_USE_PRIVATEKEY_FILE (CTX, "Server.pem", SSL_FileTyPE_PEM)

||! SSL_CTX_CHECK_PRIVATE_KEY (CTX)) {

FPRINTF (stderr, "error setting up ssl_ctx / n");

ERR_PRINT_ERRORS_FP (STDERR);

Return 0;

}

// You can set the verification path, the temporary key callback function of the DH and DSA algorithms, etc.

/ * Create a new server mode SSL type BIO * /

SBIO = BIO_NEW_SSL (CTX, 0);

BIO_GET_SSL (SBIO, & SSL);

IF (! ssl) {

FPRINTF (stderr, "can't locate ssl pointer / n");

}

/ * Do not need any retry request * /

SSL_SET_MODE (SSL, SSL_MODE_AUTO_RETRY);

/ * Create a buffer type BIO * /

BBIO = BIO_NEW (BIO_F_BUFFER ());

/ * Add to BIO chain * /

SBIO = BIO_PUSH (BBIO, SBI);

Acpt = BIO_NEW_ACCEPT ("4433");

/ *

When a new connection is established, we can automatically insert the SBIO chain into the BIO chain where the connection is located. At this time, this BIO chain (SBIO) is annexed by the Accept type BIO, and it will be automatically released when the Accept type BIO is released.

* /

BIO_SET_ACCEPT_BIOS (ACPT, SBI);

OUT = BIO_NEW_FP (stdout, bio_noclose);

/ * Setupt bio * /

IF (Bio_DO_ACCEPT (ACPT) <= 0) {

FPRINTF (stderr, "error setting up accept bio / n");

ERR_PRINT_ERRORS_FP (STDERR);

Return 0;

}

/ * Waiting for the establishment of the connection * /

IF (Bio_DO_ACCEPT (ACPT) <= 0) {

FPRINTF (stderr, "error in connection / n");

ERR_PRINT_ERRORS_FP (STDERR);

Return 0;

}

/ *

Because we just want to handle a connection, you can delete and release Accept Bio.

* /

SBIO = BIO_POP (ACPT);

BIO_FREE_ALL (ACPT);

IF (Bio_DO_Handshake (SBIO) <= 0) {fprintf (stderr, "error in ssl handshake / n");

ERR_PRINT_ERRORS_FP (STDERR);

Return 0;

}

Bio_PUTS (SBIO, "HTTP / 1.0 200 OK / R / NCONTENT-TYPE: TEXT / HTML / R / N / R / N");

Bio_PUTS (SBIO, "

 / r / nconnection established / r / nRequest headers: / r / n");

Bio_puts (SBIO, "---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----- / r / n ");
For (;;) {
LEN = Bio_GETS (SBIO, TMPBUF, 1024);
IF (len <= 0) Break;
BIO_WRITE (SBIO, TMPBUF, LEN);
BIO_WRITE (OUT, TMPBUF, LEN);
/ * Find the end of the request header standard blank line * /
IF ((TmpBuf [0] == '/ R') || (TMPBUF [0] == '/ n')) Break;
}
Bio_puts (SBIO, "---------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- ----- / r / n ");
BIO_PUTS (SBIO, " / r / n");
/ * Because of the use of Bio type, we'd better call BIO_FLUSH functions * /
BIO_FLUSH (SBIO);
BIO_FREE_ALL (SBI);