OpenSSL BIO series (24): the SSL BIO (openssl-ssl)


SSL Type BIO

--- Written from a translation of openssl/doc/crypto/bio_f_ssl.pod together with my own understanding

By DragonKing, Mail: wzhah@263.net, published on: http://openssl.126.com (OpenSSL Professional Forum)

As the name suggests, this is a very important BIO type: it encapsulates OpenSSL's SSL routines and functions, which makes it an effective tool and a good assistant for anyone using SSL. It is defined in openssl/bio.h and openssl/ssl.h:

BIO_METHOD *BIO_f_ssl(void);
#define BIO_set_ssl(b, ssl, c) BIO_ctrl(b, BIO_C_SET_SSL, c, (char *)ssl)
#define BIO_get_ssl(b, sslp) BIO_ctrl(b, BIO_C_GET_SSL, 0, (char *)sslp)
#define BIO_set_ssl_mode(b, client) BIO_ctrl(b, BIO_C_SSL_MODE, client, NULL)
#define BIO_set_ssl_renegotiate_bytes(b, num) BIO_ctrl(b, BIO_C_SET_SSL_RENEGOTIATE_BYTES, num, NULL)
#define BIO_set_ssl_renegotiate_timeout(b, seconds) BIO_ctrl(b, BIO_C_SET_SSL_RENEGOTIATE_TIMEOUT, seconds, NULL)
#define BIO_get_num_renegotiates(b) BIO_ctrl(b, BIO_C_GET_SSL_NUM_RENEGOTIATES, 0, NULL)
BIO *BIO_new_ssl(SSL_CTX *ctx, int client);
BIO *BIO_new_ssl_connect(SSL_CTX *ctx);
BIO *BIO_new_buffer_ssl_connect(SSL_CTX *ctx);
int BIO_ssl_copy_session_id(BIO *to, BIO *from);
void BIO_ssl_shutdown(BIO *bio);
#define BIO_do_handshake(b) BIO_ctrl(b, BIO_C_DO_STATE_MACHINE, 0, NULL)

This BIO type is implemented in ssl/bio_ssl.c; refer to that file for detailed implementation information.

[BIO_f_ssl]

This function returns the SSL-type BIO_METHOD structure, which is defined as follows:

static BIO_METHOD methods_sslp =
{
    BIO_TYPE_SSL, "ssl",
    ssl_write,
    ssl_read,
    ssl_puts,
    NULL, /* ssl_gets, */
    ssl_ctrl,
    ssl_new,
    ssl_free,
    ssl_callback_ctrl,
};

As the NULL entry shows, the SSL BIO does not support BIO_gets.

When BIO_read or BIO_write is called, the SSL BIO uses the SSL protocol for the underlying I/O. If the SSL connection has not been established at that point, it is established first, on the first I/O call.

If a BIO is appended to an SSL BIO with BIO_push, it is automatically used for the SSL BIO's reads and writes.

When BIO_reset is called, SSL_shutdown is called to shut down the current SSL connection, and BIO_reset is then called on the next BIO in the chain, which usually disconnects the underlying transport. After the call the SSL BIO is back in its initial accept or connect state.

If the BIO's close flag is set, the internal SSL structure is released with SSL_free when the BIO is freed.

[BIO_set_ssl]

This function sets the internal SSL pointer of the SSL BIO to ssl, and uses the parameter c to set the close flag.

[BIO_get_ssl]

This function returns the internal SSL structure pointer of the SSL BIO. Once this pointer is obtained, the standard SSL functions can be called on it.

[BIO_set_ssl_mode]

This function sets the SSL working mode. If the client parameter is 1, the SSL works in client mode; if client is 0, it works in server mode.

[BIO_set_ssl_renegotiate_bytes]

This function sets to num the number of bytes of data read or written after which the session must be renegotiated. Once set, every time the total of data read and written reaches num bytes the SSL connection automatically renegotiates the session, which can strengthen the security of the connection. The num parameter must be at least 512 bytes.

[BIO_set_ssl_renegotiate_timeout]

This function serves the same purpose as the preceding one, strengthening the security of the SSL connection, but its parameter is a time. It sets the renegotiation interval in seconds: whenever an SSL connection has been up for the set time, the session is automatically renegotiated.

[BIO_get_num_renegotiates]

This function returns the number of session renegotiations the SSL connection has performed because of the byte or time limits set above.

[BIO_new_ssl]

This function creates an SSL BIO from the SSL_CTX structure given by the ctx parameter. If client is non-zero, client mode is used; otherwise server mode.

[BIO_new_ssl_connect]

This function creates a new BIO chain consisting of an SSL BIO with a connect BIO appended to it.

This is convenient, and interesting, because a filter BIO that does not implement a given BIO_ctrl operation automatically passes that operation on to the next BIO in the chain. So BIO_set_conn_hostname can be called directly on the BIO returned by this function to set the server name and port, without first having to locate the connect BIO.
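To make the chain and the ctrl fall-through concrete, here is an added, hypothetical scaled-down model written for this article (it is not OpenSSL's code): the MBIO types, the CMD_* commands and chain_demo() are invented stand-ins, but the way a ctrl command skips a filter BIO that has no handler, and the way the close flag governs freeing, follow the description above.

```c
#include <stdlib.h>
#include <string.h>

/* Hypothetical scaled-down model of a BIO chain (not OpenSSL's code). Each BIO has
 * a method table; a method with no ctrl handler lets the command fall through to
 * the next BIO, which is why BIO_set_conn_hostname() works when called on the SSL
 * BIO returned by BIO_new_ssl_connect(). The close flag decides whether freeing
 * the BIO also frees the object it wraps. */
typedef struct mbio MBIO;
typedef struct {
    long (*ctrl)(MBIO *b, int cmd, void *parg); /* NULL: no handler, pass it down */
    void (*destroy)(MBIO *b);                   /* releases private data */
} MBIO_METHOD;
struct mbio { const MBIO_METHOD *method; MBIO *next_bio; int shutdown; void *ptr; };
enum { CMD_SET_HOSTNAME = 1, CMD_GET_HOSTNAME = 2 };
int fake_ssl_objects_alive = 0;                 /* stand-in SSL objects not yet freed */

static long conn_ctrl(MBIO *b, int cmd, void *parg) {       /* the connect BIO */
    if (cmd == CMD_SET_HOSTNAME) {
        size_t n = strlen((const char *)parg) + 1;
        free(b->ptr); b->ptr = memcpy(malloc(n), parg, n); return 1;
    }
    if (cmd == CMD_GET_HOSTNAME) { *(const char **)parg = b->ptr; return 1; }
    return 0;                                                /* not handled here */
}
static void conn_destroy(MBIO *b) { free(b->ptr); }
static void ssl_destroy(MBIO *b) { if (b->shutdown) { free(b->ptr); fake_ssl_objects_alive--; } }
static const MBIO_METHOD conn_method = { conn_ctrl, conn_destroy };
static const MBIO_METHOD ssl_method = { NULL, ssl_destroy }; /* no ctrl: everything falls through */

MBIO *mbio_new(const MBIO_METHOD *m) {
    MBIO *b = calloc(1, sizeof *b);
    b->method = m; b->shutdown = 1;             /* close flag set by default, as in OpenSSL */
    if (m == &ssl_method) { b->ptr = malloc(1); fake_ssl_objects_alive++; }
    return b;
}
MBIO *mbio_push(MBIO *b, MBIO *append) {        /* append to the end of b's chain */
    MBIO *t = b; while (t->next_bio) t = t->next_bio; t->next_bio = append; return b;
}
long mbio_ctrl(MBIO *b, int cmd, void *parg) {  /* first BIO with a handler answers */
    for (; b; b = b->next_bio)
        if (b->method->ctrl) return b->method->ctrl(b, cmd, parg);
    return 0;
}
void mbio_free_all(MBIO *b) {                   /* free the whole chain */
    while (b) { MBIO *n = b->next_bio; b->method->destroy(b); free(b); b = n; }
}
/* ssl -> connect chain: set and read the hostname through the SSL BIO, then free. */
int chain_demo(void) {
    const char *h = NULL;
    MBIO *chain = mbio_push(mbio_new(&ssl_method), mbio_new(&conn_method));
    int ok = mbio_ctrl(chain, CMD_SET_HOSTNAME, "localhost:https") == 1
          && mbio_ctrl(chain, CMD_GET_HOSTNAME, &h) == 1 && strcmp(h, "localhost:https") == 0;
    mbio_free_all(chain);                       /* close flag set: stand-in SSL freed too */
    return ok && fake_ssl_objects_alive == 0;
}
```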

[BIO_new_buffer_ssl_connect]

This function creates a chain of a buffering BIO, an SSL BIO and a connect BIO.

[BIO_ssl_copy_session_id]

This function copies the SSL session ID of BIO chain from to BIO chain to. Internally it locates the SSL BIO in each of the two chains and then calls SSL_copy_session_id to complete the operation.

[BIO_ssl_shutdown]

This function closes the SSL connection in a BIO chain. Internally it locates the SSL BIO in the chain and then calls SSL_shutdown on its internal SSL pointer.

[BIO_do_handshake]

This function starts the SSL handshake on the given BIO and establishes the SSL connection. It returns 1 if the connection is established successfully, otherwise 0 or a negative value. If the BIO is attached to a non-blocking BIO, BIO_should_retry can be called to determine whether the operation should be retried. If the SSL connection is already established when the function is called, it does nothing. Applications usually do not need to call this function directly unless they want to separate the handshake from the other I/O operations.

Note that if the underlying BIO is blocking (the OpenSSL documentation says non-blocking, but judging from the context of the other BIO properties I personally think it is blocking, and that blocking is correct), the SSL BIO will still issue an unexpected retry request in some situations, for example if a session renegotiation starts during a BIO_read. In version 0.9.6 and later this behaviour can be disabled with the SSL flag SSL_MODE_AUTO_RETRY; an SSL BIO with that flag set will never issue a retry request.

[Example]

1. An SSL/TLS client that retrieves a page from an SSL/TLS server. Its I/O is handled in the same way as in the connect BIO example.

#include <stdio.h>
#include <openssl/bio.h>
#include <openssl/err.h>
#include <openssl/ssl.h>

int main(void)
{
    BIO *sbio, *out;
    int len;
    char tmpbuf[1024];
    SSL_CTX *ctx;
    SSL *ssl;

    ERR_load_crypto_strings();
    ERR_load_SSL_strings();
    OpenSSL_add_all_algorithms();

    /* If the platform does not seed the PRNG automatically, seed it here */

    ctx = SSL_CTX_new(SSLv23_client_method());

    /* Normally some verification paths and the verify mode would be set here.
     * Since nothing is set, this example will connect to any server, whichever
     * CA issued its certificate. */

    sbio = BIO_new_ssl_connect(ctx);
    BIO_get_ssl(sbio, &ssl);
    if (!ssl) {
        fprintf(stderr, "Can't locate SSL pointer\n");
        return 1;
    }

    /* Don't want any retries */
    SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);

    /* Other SSL settings could be added here */

    BIO_set_conn_hostname(sbio, "localhost:https");
    out = BIO_new_fp(stdout, BIO_NOCLOSE);

    if (BIO_do_connect(sbio) <= 0) {
        fprintf(stderr, "Error connecting to server\n");
        ERR_print_errors_fp(stderr);
        return 1;
    }
    if (BIO_do_handshake(sbio) <= 0) {
        fprintf(stderr, "Error establishing SSL connection\n");
        ERR_print_errors_fp(stderr);
        return 1;
    }

    /* Code to examine the SSL connection and obtain connection information could go here */

    BIO_puts(sbio, "GET / HTTP/1.0\n\n");
    for (;;) {
        len = BIO_read(sbio, tmpbuf, 1024);
        if (len <= 0)
            break;
        BIO_write(out, tmpbuf, len);
    }
    BIO_free_all(sbio);
    BIO_free(out);
    return 0;
}

2. A simple server example. It uses a buffering BIO, so BIO_gets can be used to read from the SSL BIO. It generates a trivial web page containing the client's request and also writes the request to standard output.

#include <stdio.h>
#include <openssl/bio.h>
#include <openssl/err.h>
#include <openssl/ssl.h>

int main(void)
{
    BIO *sbio, *bbio, *acpt, *out;
    int len;
    char tmpbuf[1024];
    SSL_CTX *ctx;
    SSL *ssl;

    ERR_load_crypto_strings();
    ERR_load_SSL_strings();
    OpenSSL_add_all_algorithms();

    /* Seed the PRNG here if the platform does not do so automatically */

    ctx = SSL_CTX_new(SSLv23_server_method());
    if (!SSL_CTX_use_certificate_file(ctx, "server.pem", SSL_FILETYPE_PEM)
        || !SSL_CTX_use_PrivateKey_file(ctx, "server.pem", SSL_FILETYPE_PEM)
        || !SSL_CTX_check_private_key(ctx)) {
        fprintf(stderr, "Error setting up SSL_CTX\n");
        ERR_print_errors_fp(stderr);
        return 0;
    }

    /* Verification paths, temporary DH and DSA key callbacks and so on could be set here */

    /* Create a new SSL BIO in server mode */
    sbio = BIO_new_ssl(ctx, 0);
    BIO_get_ssl(sbio, &ssl);
    if (!ssl) {
        fprintf(stderr, "Can't locate SSL pointer\n");
        return 0;
    }

    /* Don't want any retries */
    SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);

    /* Create a buffering BIO */
    bbio = BIO_new(BIO_f_buffer());
    /* Add it to the chain */
    sbio = BIO_push(bbio, sbio);

    acpt = BIO_new_accept("4433");

    /* When a new connection is established, the sbio chain is automatically
     * inserted into that connection's BIO chain. From now on the chain (sbio)
     * is owned by the accept BIO and is freed when the accept BIO is freed. */
    BIO_set_accept_bios(acpt, sbio);

    out = BIO_new_fp(stdout, BIO_NOCLOSE);

    /* Set up the accept BIO */
    if (BIO_do_accept(acpt) <= 0) {
        fprintf(stderr, "Error setting up accept BIO\n");
        ERR_print_errors_fp(stderr);
        return 0;
    }

    /* Wait for an incoming connection */
    if (BIO_do_accept(acpt) <= 0) {
        fprintf(stderr, "Error in connection\n");
        ERR_print_errors_fp(stderr);
        return 0;
    }

    /* Only one connection is handled, so the accept BIO can be removed and freed */
    sbio = BIO_pop(acpt);
    BIO_free_all(acpt);

    if (BIO_do_handshake(sbio) <= 0) {
        fprintf(stderr, "Error in SSL handshake\n");
        ERR_print_errors_fp(stderr);
        return 0;
    }

    BIO_puts(sbio, "HTTP/1.0 200 OK\r\nContent-type: text/html\r\n\r\n");
    BIO_puts(sbio, "<pre>\r\nConnection Established\r\nRequest headers:\r\n");
    BIO_puts(sbio, "--------------------------------------------------\r\n");

    for (;;) {
        len = BIO_gets(sbio, tmpbuf, 1024);
        if (len <= 0)
            break;
        BIO_write(sbio, tmpbuf, len);
        BIO_write(out, tmpbuf, len);
        /* Look for the blank line that ends the request headers */
        if ((tmpbuf[0] == '\r') || (tmpbuf[0] == '\n'))
            break;
    }

    BIO_puts(sbio, "--------------------------------------------------\r\n");
    BIO_puts(sbio, "</pre>\r\n");

    /* Since a buffering BIO is in the chain, BIO_flush must be called */
    BIO_flush(sbio);
    BIO_free_all(sbio);
    return 0;
}

 
