SSL type of Bio
---According to OpenSSL doc\crypto\bio_f_ssl.pod translation and his own understanding written
(Author: dragonking, Mail:wzhah@263.net, posted in: http://openssl.126.com
OpenSSL Professional Forum)
As you can see from the name, this is a very important bio type that encapsulates the SSL rules in OpenSSL.
and functions, equivalent to providing a good tool for using SSL, a good helper. Its definition (opens
Sl\bio.h,openssl\ssl.h) is as follows:
Bio_method *bio_f_ssl (void);
#define BIO_SET_SSL (B,ssl,c) Bio_ctrl (b,bio_c_set_ssl,c, (char *) SSL)
#define BIO_GET_SSL (B,SSLP) Bio_ctrl (b,bio_c_get_ssl,0, (char *) SSLP)
#define BIO_SET_SSL_MODE (b,client) Bio_ctrl (B,bio_c_ssl_mode,client,nul
L
#define Bio_set_ssl_renegotiate_bytes (B,num) Bio_ctrl (b,bio_c_set_ssl_r
Enegotiate_bytes,num,null);
#define BIO_SET_SSL_RENEGOTIATE_TIMEOUT (B,seconds) Bio_ctrl (b,bio_c_set
_ssl_renegotiate_timeout,seconds,null);
#define Bio_get_num_renegotiates (b) Bio_ctrl (B,bio_c_set_ssl_num_renego
Tiates,0,null);
BIO *bio_new_ssl (ssl_ctx *ctx,int client);
BIO *bio_new_ssl_connect (Ssl_ctx *ctx);
BIO *bio_new_buffer_ssl_connect (Ssl_ctx *ctx);
int bio_ssl_copy_session_id (BIO *to,bio *from);
void Bio_ssl_shutdown (BIO *bio);
#define Bio_do_handshake (b) Bio_ctrl (B,bio_c_do_state_machine,0,null)
The implementation file for this type of bio is in ssl\bio_ssl.c, you can refer to this file for a detailed letter
Number implementation information.
"Bio_f_ssl"
This function returns the BIO_METHOD structure of an SSL type, which is defined as follows:
Static Bio_method methods_sslp=
{
Bio_type_ssl, "SSL",
Ssl_write,
Ssl_read,
Ssl_puts,
NULL,/* ssl_gets, * *
Ssl_ctrl,
Ssl_new,
Ssl_free,
Ssl_callback_ctrl,
};
Visible, the SSL type bio does not support bio_gets functionality.
When the Bio_read and Bio_write functions are invoked, the SSL-type bio uses the SSL protocol for the underlying i/
O operation. If the SSL connection is not established at this time, then the first IO function will be called first when the connection is made
the establishment.
If you use Bio_push to attach a bio to an SSL-type bio, then the SSL-type bio read/write number
According to the time, it will be automatically invoked.
When Bio_reset calls, the Ssl_shutdown function is invoked to close all currently connected SSL
, and then call Bio_reset on the next bio, which typically disconnects the underlying transport connection. Call complete
After that, the SSL-type bio is in the initial accept or connect state.
If the bio shutdown flag is set, the internal SSL structure is ssl_ when the SSL type bio is released
Free function.
"Bio_set_ssl"
This function sets the internal SSL pointer for the SSL type bio to point to SSL, using parameter C to set the shutdown flag.
"Bio_get_ssl"
This function returns the internal SSL structure pointer of the SSL type bio, and after the pointer is obtained, you can use the flag's SSL
function to manipulate it.
"Bio_set_ssl_mode"
This function sets the operating mode of SSL, and if the parameter client is 1, then the SSL working mode is client mode.
If the client is 0, then the SSL operating mode is server mode.
"Bio_set_ssl_renegotiate_bytes"
This function sets the length of the read and write data that requires session negotiation to be Num. When the settings are complete, the
When the data that is not read and write arrives in num bytes, the SSL connection automatically restarts session negotiation, which can enhance
Security for SSL connections. The parameter num is at least 512 bytes.
"Bio_set_ssl_renegotiate_timeout"
This function is the same as the above function to enhance the security of SSL connections. The difference is that the function uses the
parameter is the time. This function sets the time, in seconds, for the session to be negotiated again. When the SSL session connection
The connection automatically restarts session negotiation when the established time reaches its set time.
"Bio_get_num_renegotiates"
This function returns an SSL connection that reads and writes to the session before the session is renegotiated because of a byte limit or time limit
The data length.
"Bio_new_ssl"
This function creates an SSL-type bio using the SSL_CTX structure represented by the CTX parameter, if the parameter client
is a value other than 0, the client mode is used.
"Bio_new_ssl_connect"
This function creates a new bio chain that contains the SSL type bio and appends a connection type of bio to it.
Conveniently and interestingly, because in the filter type of bio, if the bio is not known (not implemented)
Bio_ctrl operation, it will automatically upload the operation to the next bio to invoke, so we can call this function
Get the Bio_set_host function directly on the bio to set the server name and port without having to find connection B first
Io.
"Bio_new_buffer_ssl_connect"
Create a buffer-type bio, an SSL-type bio, and a connection-type bio.
"BIO_SSL_COPY_SESSION_ID"
This function copies the SSL session ID of the bio chain from into the bio chain to. In fact, it was found by looking
Two the SSL type bio in the bio chain, and then call ssl_copy_session_id to complete the operation.
"Bio_ssl_shutdown"
This function closes an SSL connection in a bio chain. In fact, the function finds the SSL class in the bio chain by looking up
Type bio, and then call the Ssl_shutdown function to close its internal SSL pointer.
"Bio_do_handshake"
This function initiates the SSL handshake process and establishes an SSL connection on the associated bio. Connection is successfully established to return 1, otherwise
Returns a 0 or negative value, and if you connect the bio to a non-blocking bio, you can call the Bio_should_retry function to decide
A fixed release requires a retry. If the SSL connection is already established when the function is invoked, then the function does nothing
Cia In general, the application does not need to call this function directly unless you want to manipulate the handshake process with other IO
Separate.
It should be noted that if the bottom is blocked (OpenSSL help document written in non-blocking type, non blocki
Ng, but according to the contextual meaning already other properties of bio, I personally think that is blocking, blocking is the correct
, and in some unexpected cases SSL type Bio will also issue an unexpected retry request, as in the execution Bio_r
This can happen if the session renegotiation process is initiated when the EAD operation occurs. In 0.9.6 and beyond.
Version, you can disable the behavior of this class by ssl_auto_retry the SSL flag, and after this setting, use the blocking type
The transmitted SSL type bio will never send a retry request.
Example
1. An example of a SSL/TLS client that completes the function of returning a page from a SSL/TLS server. Its
The method in IO operations is the same as the example in the connection type bio.
BIO *sbio, *out;
int Len;
Char tmpbuf[1024];
Ssl_ctx *ctx;
SSL *ssl;
Err_load_crypto_strings ();
Err_load_ssl_strings ();
Openssl_add_all_algorithms ();
If the system platform does not support automatic random number seed setting, this should be done here (seed PRN
G
CTX = Ssl_ctx_new (Sslv23_client_method ());
You should usually set some validation paths and patterns here, as there is no setting here, so this example
To establish a connection with any server that uses any CA to issue certificates
Sbio = Bio_new_ssl_connect (CTX);
Bio_get_ssl (Sbio, &SSL);
if (!SSL) {
fprintf (stderr, "Can ' t locate SSL pointer\n");
}
/* No retry request required * *
Ssl_set_mode (SSL, ssl_mode_auto_retry);
Here you can add some other settings for SSL
Bio_set_conn_hostname (Sbio, "Localhost:https");
out = BIO_NEW_FP (stdout, bio_noclose);
if (Bio_do_connect (Sbio) <= 0) {
fprintf (stderr, "Error connecting to server\n");
ERR_PRINT_ERRORS_FP (stderr);
}
if (Bio_do_handshake (Sbio) <= 0) {
fprintf (stderr, "Error establishing SSL connection\n");
ERR_PRINT_ERRORS_FP (stderr);
}
/* Here you can add code to detect SSL connections and get some connection information.
Bio_puts (Sbio, "get/http/1.0\n\n");
for (;;) {
Len = Bio_read (Sbio, TMPBUF, 1024);
if (len <= 0) break;
Bio_write (out, Tmpbuf, Len);
}
Bio_free_all (Sbio);
Bio_free (out);
2. An example of a simple server. It uses a buffer type of bio, which allows you to use bio_gets from
An SSL-type bio reads the data. It creates a random Web page that contains a client request, and the request information
Output to a standard output device.
BIO *sbio, *bbio, *ACPT, *out;
int Len;
Char tmpbuf[1024];
Ssl_ctx *ctx;
SSL *ssl;
Err_load_crypto_strings ();
Err_load_ssl_strings ();
Openssl_add_all_algorithms ();
Seed processing of random numbers may be required (seed PRNG)
CTX = Ssl_ctx_new (Sslv23_server_method ());
if (! Ssl_ctx_use_certificate_file (CTX, "Server.pem", Ssl_filetype_pem)
|| ! Ssl_ctx_use_privatekey_file (CTX, "Server.pem", Ssl_filetype_pem)
|| ! Ssl_ctx_check_private_key (CTX)) {
fprintf (stderr, "Error setting up ssl_ctx\n");
ERR_PRINT_ERRORS_FP (stderr);
return 0;
}
Here you can set the validation path, the temporary key callback function for DH and DSA algorithms, and so on.
/* Create a new server mode SSL type bio*/
Sbio=bio_new_ssl (ctx,0);
Bio_get_ssl (Sbio, &SSL);
if (!SSL) {
fprintf (stderr, "Can ' t locate SSL pointer\n");
}
/* No retry request required * *
Ssl_set_mode (SSL, ssl_mode_auto_retry);
/* Create a buffer type Bio */
Bbio = Bio_new (Bio_f_buffer ());
* * Add to the bio-chain.
Sbio = Bio_push (Bbio, Sbio);
Acpt=bio_new_accept ("4433");
/*
When a new connection is established, we can automatically insert the Sbio chain into the bio-chain where the connection is located.
At this point, the bio-chain (Sbio) is absorbed by the Accept type bio, and when the Accept type bio is released
, it will automatically be released.
*/
Bio_set_accept_bios (Acpt,sbio);
out = BIO_NEW_FP (stdout, bio_noclose);
/* Set Accept BIO * *
if (bio_do_accept (ACPT) <= 0) {
fprintf (stderr, "Error setting up Accept bio\n");
ERR_PRINT_ERRORS_FP (stderr);
return 0;
}
/* Waiting for connection to be established * *
if (bio_do_accept (ACPT) <= 0) {
fprintf (stderr, "Error in connection\n");
ERR_PRINT_ERRORS_FP (stderr);
return 0;
}
/*
Because we only want to handle a connection, so we can remove and release accept bio.
*/
Sbio = Bio_pop (ACPT);
Bio_free_all (ACPT);
if (Bio_do_handshake (Sbio) <= 0) {
fprintf (stderr, "Error in SSL handshake\n");
ERR_PRINT_ERRORS_FP (stderr);
return 0;
}
Bio_puts (Sbio, "http/1.0 ok\r\ncontent-type:text/html\r\n\r\n");
Bio_puts (Sbio, "<pre>\r\nconnection established\r\nrequest headers:\r\n
");
Bio_puts (Sbio, "--------------------------------------------------\ r \ n")
);
for (;;) {
Len = Bio_gets (Sbio, TMPBUF, 1024);
if (len <= 0) break;
Bio_write (Sbio, Tmpbuf, Len);
Bio_write (out, Tmpbuf, Len);
/* Find the end standard blank line of the request header * *
if ((tmpbuf[0] = = ' \ r ') | | (tmpbuf[0] = = ' \ n ')) Break
}
Bio_puts (Sbio, "--------------------------------------------------\ r \ n")
);
Bio_puts (Sbio, "</pre>\r\n");
/* Because of the use of the buffer type of bio, we'd better call the Bio_flush function * *
Bio_flush (Sbio);
Bio_free_all (Sbio);