Bhushan Akole

Reputation: 3

Add OpenSSL Support in IOCP Client application

I have developed an IOCP client application which sends messages to a server. Now I want to add SSL support to it for connecting to an SSL-enabled server application using OpenSSL.

I have initialized SSL using

/* Load encryption & hashing algorithms for the SSL program */
SSL_library_init();

/* Load the error strings for SSL & CRYPTO APIs */
SSL_load_error_strings();

/* Create an SSL_METHOD structure (choose an SSL/TLS protocol version) */
meth = TLSv1_2_method();

/* Create an SSL_CTX structure */
ctx = SSL_CTX_new(meth);

if(ctx == NULL)
    return false;

/* SSL_VERIFY_NONE: the handshake succeeds whatever certificate the server presents,
   so the server is not authenticated. Authenticating it needs SSL_VERIFY_PEER, a
   trust store for the CA, and a host-name check. */
SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, nullptr);

/* Limits the chain length during verification; with SSL_VERIFY_NONE a failure is
   only reported through SSL_get_verify_result(), never enforced. */
SSL_CTX_set_verify_depth(ctx,1);

After initialization we create the normal IOCP worker threads and IOCP sockets, then connect to the SSL server socket as

            /* An SSL structure is created */
            ssl = SSL_new (ctx);

            RETURN_NULL(ssl);    /* caller-defined macro: bail out on NULL */

            /* Assign the socket into the SSL structure (SSL and socket without BIO);
               OpenSSL will call recv()/send() on this socket itself */
            SSL_set_fd(ssl, Socket);

            /* Perform SSL Handshake on the SSL client */
            int     err;
            err = SSL_connect(ssl);
            if (err<1) 
            {
                err=SSL_get_error(ssl,err);
                printf("SSL error #%d in SSL_connect, program terminated\n",err);
            }

            RETURN_SSL(err);     /* caller-defined macro: bail out on a handshake error */

            /* Informational output (optional) */
            printf ("SSL connection using %s\n", SSL_get_cipher (ssl));

            /* Get the server's certificate (optional) */
            X509            *server_cert;
            server_cert = SSL_get_peer_certificate (ssl);    

            if (server_cert != NULL)
            {
                printf ("Server certificate:\n");

                /* X509_NAME_oneline() with a NULL buffer allocates with OPENSSL_malloc(),
                   so the result must be released with OPENSSL_free(), not free() */
                char  *str;
                str = X509_NAME_oneline(X509_get_subject_name(server_cert),0,0);
                //RETURN_NULL(str);
                printf ("\t subject: %s\n", str);
                OPENSSL_free (str);

                str = X509_NAME_oneline(X509_get_issuer_name(server_cert),0,0);
                //RETURN_NULL(str);
                printf ("\t issuer: %s\n", str);
                OPENSSL_free(str);

                /* SSL_get_peer_certificate() returns a new reference */
                X509_free (server_cert);

            }
            else
                printf("The SSL server does not have a certificate.\n");

The SSL connection to the server works properly up to this point and I am able to retrieve the server certificate details. Now I want to send a message to the SSL server over the SSL socket and receive a response from the server. But in our IOCP client application we use WSASend and WSARecv for data exchange. How can I do this with the SSL server using the SSL_write/SSL_read functions?

Please guide me to do this.


Edit on: 01 March 2016

I have tried to use BIO pairs for the SSL socket after "err = SSL_connect(ssl);" as

/* BIO_new_socket() wraps the connected socket directly: these are socket BIOs,
   not a memory BIO pair, so OpenSSL still reads and writes the socket itself
   instead of handing the bytes to the WSASend/WSARecv code. Both BIOs wrap the
   same socket; the write-side BIO goes in the third argument, otherwise bioOut
   is never attached and leaks. */
bioIn = BIO_new_socket(this->Socket, BIO_NOCLOSE);
bioOut = BIO_new_socket(this->Socket, BIO_NOCLOSE);
SSL_set_bio(ssl, bioIn, bioOut);

Then I try to send the message length to the server as

int err = SSL_write(ssl, PerIOHandle->Buffer, PerIOHandle->BufferLength);

Once the above statement executes, the server reads the proper message length and waits for the actual message from the client. But when I try to send the message using the same statement above, the server's SSL_read function fails with a -1 return code.

Please, can anyone help me to add complete SSL support.

Upvotes: 0

Views: 1047

Answers (1)

Len Holgate

Reputation: 21616

As you have discovered, you need to use the OpenSSL IO abstraction, the BIO. This lets you separate the OpenSSL code from the socket. You just push data through the BIOs and then take the data that they give you and issue your own writes to the async/IOCP sockets.

I wrote about this for Dr. Dobb's Journal back in 2002, see here. The article focuses on using OpenSSL with MFC's async sockets but the ideas are the same if you want to use it with IOCP code.

The article comes with complete and working code which you can probably use as a base for your IOCP code. You wire up the BIO pair right at the start and don't use SSL_connect() at all.

Upvotes: 0
