OpenSSL's Bio Series---SSL-type bi O_o penssl

SSL type of Bio

---According to OpenSSL doc\crypto\bio_f_ssl.pod translation and his own understanding written

(Author: dragonking, Mail:wzhah@263.net, posted in: http://openssl.126.com

OpenSSL Professional Forum)

As you can see from the name, this is a very important bio type that encapsulates the SSL rules in OpenSSL.

and functions, equivalent to providing a good tool for using SSL, a good helper. Its definition (opens

Sl\bio.h,openssl\ssl.h) is as follows:

Bio_method *bio_f_ssl (void);

#define BIO_SET_SSL (B,ssl,c) Bio_ctrl (b,bio_c_set_ssl,c, (char *) SSL)

#define BIO_GET_SSL (B,SSLP) Bio_ctrl (b,bio_c_get_ssl,0, (char *) SSLP)

#define BIO_SET_SSL_MODE (b,client) Bio_ctrl (B,bio_c_ssl_mode,client,nul

L

#define Bio_set_ssl_renegotiate_bytes (B,num) Bio_ctrl (b,bio_c_set_ssl_r

Enegotiate_bytes,num,null);

#define BIO_SET_SSL_RENEGOTIATE_TIMEOUT (B,seconds) Bio_ctrl (b,bio_c_set

_ssl_renegotiate_timeout,seconds,null);

#define Bio_get_num_renegotiates (b) Bio_ctrl (B,bio_c_set_ssl_num_renego

Tiates,0,null);

BIO *bio_new_ssl (ssl_ctx *ctx,int client);

BIO *bio_new_ssl_connect (Ssl_ctx *ctx);

BIO *bio_new_buffer_ssl_connect (Ssl_ctx *ctx);

int bio_ssl_copy_session_id (BIO *to,bio *from);

void Bio_ssl_shutdown (BIO *bio);

#define Bio_do_handshake (b) Bio_ctrl (B,bio_c_do_state_machine,0,null)

The implementation file for this type of bio is in ssl\bio_ssl.c, you can refer to this file for a detailed letter

Number implementation information.

"Bio_f_ssl"

This function returns the BIO_METHOD structure of an SSL type, which is defined as follows:

Static Bio_method methods_sslp=

{

Bio_type_ssl, "SSL",

Ssl_write,

Ssl_read,

Ssl_puts,

NULL,/* ssl_gets, * *

Ssl_ctrl,

Ssl_new,

Ssl_free,

Ssl_callback_ctrl,

};

Visible, the SSL type bio does not support bio_gets functionality.

When the Bio_read and Bio_write functions are invoked, the SSL-type bio uses the SSL protocol for the underlying i/

O operation. If the SSL connection is not established at this time, then the first IO function will be called first when the connection is made

the establishment.

If you use Bio_push to attach a bio to an SSL-type bio, then the SSL-type bio read/write number

According to the time, it will be automatically invoked.

When Bio_reset calls, the Ssl_shutdown function is invoked to close all currently connected SSL

, and then call Bio_reset on the next bio, which typically disconnects the underlying transport connection. Call complete

After that, the SSL-type bio is in the initial accept or connect state.

If the bio shutdown flag is set, the internal SSL structure is ssl_ when the SSL type bio is released

Free function.

"Bio_set_ssl"

This function sets the internal SSL pointer for the SSL type bio to point to SSL, using parameter C to set the shutdown flag.

"Bio_get_ssl"

This function returns the internal SSL structure pointer of the SSL type bio, and after the pointer is obtained, you can use the flag's SSL

function to manipulate it.

"Bio_set_ssl_mode"

This function sets the operating mode of SSL, and if the parameter client is 1, then the SSL working mode is client mode.

If the client is 0, then the SSL operating mode is server mode.

"Bio_set_ssl_renegotiate_bytes"

This function sets the length of the read and write data that requires session negotiation to be Num. When the settings are complete, the

When the data that is not read and write arrives in num bytes, the SSL connection automatically restarts session negotiation, which can enhance

Security for SSL connections. The parameter num is at least 512 bytes.

"Bio_set_ssl_renegotiate_timeout"

This function is the same as the above function to enhance the security of SSL connections. The difference is that the function uses the

parameter is the time. This function sets the time, in seconds, for the session to be negotiated again. When the SSL session connection

The connection automatically restarts session negotiation when the established time reaches its set time.

"Bio_get_num_renegotiates"

This function returns an SSL connection that reads and writes to the session before the session is renegotiated because of a byte limit or time limit

The data length.

"Bio_new_ssl"

This function creates an SSL-type bio using the SSL_CTX structure represented by the CTX parameter, if the parameter client

is a value other than 0, the client mode is used.

"Bio_new_ssl_connect"

This function creates a new bio chain that contains the SSL type bio and appends a connection type of bio to it.

Conveniently and interestingly, because in the filter type of bio, if the bio is not known (not implemented)

Bio_ctrl operation, it will automatically upload the operation to the next bio to invoke, so we can call this function

Get the Bio_set_host function directly on the bio to set the server name and port without having to find connection B first

Io.

"Bio_new_buffer_ssl_connect"

Create a buffer-type bio, an SSL-type bio, and a connection-type bio.

"BIO_SSL_COPY_SESSION_ID"

This function copies the SSL session ID of the bio chain from into the bio chain to. In fact, it was found by looking

Two the SSL type bio in the bio chain, and then call ssl_copy_session_id to complete the operation.

"Bio_ssl_shutdown"

This function closes an SSL connection in a bio chain. In fact, the function finds the SSL class in the bio chain by looking up

Type bio, and then call the Ssl_shutdown function to close its internal SSL pointer.

"Bio_do_handshake"

This function initiates the SSL handshake process and establishes an SSL connection on the associated bio. Connection is successfully established to return 1, otherwise

Returns a 0 or negative value, and if you connect the bio to a non-blocking bio, you can call the Bio_should_retry function to decide

A fixed release requires a retry. If the SSL connection is already established when the function is invoked, then the function does nothing

Cia In general, the application does not need to call this function directly unless you want to manipulate the handshake process with other IO

Separate.

It should be noted that if the bottom is blocked (OpenSSL help document written in non-blocking type, non blocki

Ng, but according to the contextual meaning already other properties of bio, I personally think that is blocking, blocking is the correct

, and in some unexpected cases SSL type Bio will also issue an unexpected retry request, as in the execution Bio_r

This can happen if the session renegotiation process is initiated when the EAD operation occurs. In 0.9.6 and beyond.

Version, you can disable the behavior of this class by ssl_auto_retry the SSL flag, and after this setting, use the blocking type

The transmitted SSL type bio will never send a retry request.

Example

1. An example of a SSL/TLS client that completes the function of returning a page from a SSL/TLS server. Its

The method in IO operations is the same as the example in the connection type bio.

BIO *sbio, *out;

int Len;

Char tmpbuf[1024];

Ssl_ctx *ctx;

SSL *ssl;

Err_load_crypto_strings ();

Err_load_ssl_strings ();

Openssl_add_all_algorithms ();

If the system platform does not support automatic random number seed setting, this should be done here (seed PRN

G

CTX = Ssl_ctx_new (Sslv23_client_method ());

You should usually set some validation paths and patterns here, as there is no setting here, so this example

To establish a connection with any server that uses any CA to issue certificates

Sbio = Bio_new_ssl_connect (CTX);

Bio_get_ssl (Sbio, &SSL);

if (!SSL) {

fprintf (stderr, "Can ' t locate SSL pointer\n");

}

/* No retry request required * *

Ssl_set_mode (SSL, ssl_mode_auto_retry);

Here you can add some other settings for SSL

Bio_set_conn_hostname (Sbio, "Localhost:https");

out = BIO_NEW_FP (stdout, bio_noclose);

if (Bio_do_connect (Sbio) <= 0) {

fprintf (stderr, "Error connecting to server\n");

ERR_PRINT_ERRORS_FP (stderr);

}

if (Bio_do_handshake (Sbio) <= 0) {

fprintf (stderr, "Error establishing SSL connection\n");

ERR_PRINT_ERRORS_FP (stderr);

}

/* Here you can add code to detect SSL connections and get some connection information.

Bio_puts (Sbio, "get/http/1.0\n\n");

for (;;) {

Len = Bio_read (Sbio, TMPBUF, 1024);

if (len <= 0) break;

Bio_write (out, Tmpbuf, Len);

}

Bio_free_all (Sbio);

Bio_free (out);

2. An example of a simple server. It uses a buffer type of bio, which allows you to use bio_gets from

An SSL-type bio reads the data. It creates a random Web page that contains a client request, and the request information

Output to a standard output device.

BIO *sbio, *bbio, *ACPT, *out;

int Len;

Char tmpbuf[1024];

Ssl_ctx *ctx;

SSL *ssl;

Err_load_crypto_strings ();

Err_load_ssl_strings ();

Openssl_add_all_algorithms ();

Seed processing of random numbers may be required (seed PRNG)

CTX = Ssl_ctx_new (Sslv23_server_method ());

if (! Ssl_ctx_use_certificate_file (CTX, "Server.pem", Ssl_filetype_pem)

|| ! Ssl_ctx_use_privatekey_file (CTX, "Server.pem", Ssl_filetype_pem)

|| ! Ssl_ctx_check_private_key (CTX)) {

fprintf (stderr, "Error setting up ssl_ctx\n");

ERR_PRINT_ERRORS_FP (stderr);

return 0;

}

Here you can set the validation path, the temporary key callback function for DH and DSA algorithms, and so on.

/* Create a new server mode SSL type bio*/

Sbio=bio_new_ssl (ctx,0);

Bio_get_ssl (Sbio, &SSL);

if (!SSL) {

fprintf (stderr, "Can ' t locate SSL pointer\n");

}

/* No retry request required * *

Ssl_set_mode (SSL, ssl_mode_auto_retry);

/* Create a buffer type Bio */

Bbio = Bio_new (Bio_f_buffer ());

* * Add to the bio-chain.

Sbio = Bio_push (Bbio, Sbio);

Acpt=bio_new_accept ("4433");

/*

When a new connection is established, we can automatically insert the Sbio chain into the bio-chain where the connection is located.

At this point, the bio-chain (Sbio) is absorbed by the Accept type bio, and when the Accept type bio is released

, it will automatically be released.

*/

Bio_set_accept_bios (Acpt,sbio);

out = BIO_NEW_FP (stdout, bio_noclose);

/* Set Accept BIO * *

if (bio_do_accept (ACPT) <= 0) {

fprintf (stderr, "Error setting up Accept bio\n");

ERR_PRINT_ERRORS_FP (stderr);

return 0;

}

/* Waiting for connection to be established * *

if (bio_do_accept (ACPT) <= 0) {

fprintf (stderr, "Error in connection\n");

ERR_PRINT_ERRORS_FP (stderr);

return 0;

}

/*

Because we only want to handle a connection, so we can remove and release accept bio.

*/

Sbio = Bio_pop (ACPT);

Bio_free_all (ACPT);

if (Bio_do_handshake (Sbio) <= 0) {

fprintf (stderr, "Error in SSL handshake\n");

ERR_PRINT_ERRORS_FP (stderr);

return 0;

}

Bio_puts (Sbio, "http/1.0 ok\r\ncontent-type:text/html\r\n\r\n");

Bio_puts (Sbio, "<pre>\r\nconnection established\r\nrequest headers:\r\n

");

Bio_puts (Sbio, "--------------------------------------------------\ r \ n")

);

for (;;) {

Len = Bio_gets (Sbio, TMPBUF, 1024);

if (len <= 0) break;

Bio_write (Sbio, Tmpbuf, Len);

Bio_write (out, Tmpbuf, Len);

/* Find the end standard blank line of the request header * *

if ((tmpbuf[0] = = ' \ r ') | | (tmpbuf[0] = = ' \ n ')) Break

}

Bio_puts (Sbio, "--------------------------------------------------\ r \ n")

);

Bio_puts (Sbio, "</pre>\r\n");

/* Because of the use of the buffer type of bio, we'd better call the Bio_flush function * *

Bio_flush (Sbio);

Bio_free_all (Sbio);