Reputation: 33
How to use OpenSSL BIOs? Combine BIO_s_socket and BIO_f_ssl
I'm writing a simple application to connect to a server, using OpenSSL. The initial idea was to write a custom BIO method to get information on the hardware socket timestamp via linux's SO_TIMESTAMPING, but in the meantime I realized that I'm missing something in how to build a proper BIO, so I restarted my understanding process from the scratch.
Most basic idea: let's use a BIO to connect to the socket and a BIO to do the crypto stuff, in order to recreate the basic behaviour of SSL_write and SSL_read. The code that is instantiating the BIO method and binding it to the SSL is the following:
BIO *default_sck_bio = BIO_new(BIO_s_socket());
BIO *default_ssl_bio = BIO_new(BIO_f_ssl());
BIO *sock_bio = BIO_new(BIO_s_socket());
BIO *ssl_bio = BIO_new(BIO_f_ssl());
BIO_push(default_sck_bio, default_ssl_bio);
SSL_set_bio(ssl, default_sck_bio, default_sck_bio);
In this way I expect that under the hood SSL_read is doing a BIO-based recv() and then the SSL encription, while for SSL_write a SSL encription and then the BIO-based send(). However, my SSL_connect keep producing a SSL_ERROR_SSL with the err message: error:10000078:BIO routines::uninitialized. Am I missing something?
Once I solved this problem, my original intention was to write a custom BIO method, but then the next question pops up into my mind: How to call SSL encryption functions from inside the read/write BIO callbacks (that I set via BIO_meth_set_read)?
Upvotes: 1
Views: 239
Answers (1)
Reputation: 33
After some days of googling, I finally understood how BIOs work.
First of all, the crypto-related encoding/decoding are managed under the hood while calling SSL_read and SSL_write.
In the basic example from the questions it is not needed to have the BIO *ssl_bio. To obtain the functionalities in the question, the code can be changed to:
BIO *default_sck_bio = BIO_new(BIO_s_socket());
BIO *sock_bio = BIO_new(BIO_s_socket());
SSL_set_bio(ssl, default_sck_bio, default_sck_bio);
The following image let us understand better the flow (thanks to darrenjs's gist):
+------+ +-----+
|......|--> read(fd) --> BIO_write(rbio) -->|.....|--> SSL_read(ssl) --> IN
|......| |.....|
|.sock.| |.SSL.|
|......| |.....|
|......|<-- write(fd) <-- BIO_read(wbio) <--|.....|<-- SSL_write(ssl) <-- OUT
+------+ +-----+
| | | |
|<-------------------------------->| |<------------------->|
| encrypted bytes | | unencrypted bytes |
In conclusion, to answer the question “How to call SSL encryption functions from inside the read/write BIO callbacks (that I set via BIO_meth_set_read)?”: once you access the data via the read method set with BIO_meth_set_read the data will be already encrypted. In the same way, the data accessed in the write callback will be yet to be decrypted.
There’s still the problem of using the custom BIO method, as the client I wrote still return the error. Looking at this comment it looks like it is a problem linked with openssl 3.0.
Upvotes: 0
Related Questions
- How to install OpenSSL in windows 10?
- Compiling an application for use in highly radioactive environments
- How to set, clear, and toggle a single bit
- What is the difference between const int*, const int * const, and int * const?
- How do I use extern to share variables between source files?
- How do function pointers in C work?
- What is the difference between #include <filename> and #include "filename"?
- Is there any way to flush the SSL write buffer
- Add OpenSSL Support in IOCP Client application