|
Packit |
c4476c |
=pod
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
=head1 NAME
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
BIO_do_handshake,
|
|
Packit |
c4476c |
BIO_f_ssl, BIO_set_ssl, BIO_get_ssl, BIO_set_ssl_mode,
|
|
Packit |
c4476c |
BIO_set_ssl_renegotiate_bytes,
|
|
Packit |
c4476c |
BIO_get_num_renegotiates, BIO_set_ssl_renegotiate_timeout, BIO_new_ssl,
|
|
Packit |
c4476c |
BIO_new_ssl_connect, BIO_new_buffer_ssl_connect, BIO_ssl_copy_session_id,
|
|
Packit |
c4476c |
BIO_ssl_shutdown - SSL BIO
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
=head1 SYNOPSIS
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
=for comment multiple includes
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
#include <openssl/bio.h>
|
|
Packit |
c4476c |
#include <openssl/ssl.h>
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
const BIO_METHOD *BIO_f_ssl(void);
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
long BIO_set_ssl(BIO *b, SSL *ssl, long c);
|
|
Packit |
c4476c |
long BIO_get_ssl(BIO *b, SSL **sslp);
|
|
Packit |
c4476c |
long BIO_set_ssl_mode(BIO *b, long client);
|
|
Packit |
c4476c |
long BIO_set_ssl_renegotiate_bytes(BIO *b, long num);
|
|
Packit |
c4476c |
long BIO_set_ssl_renegotiate_timeout(BIO *b, long seconds);
|
|
Packit |
c4476c |
long BIO_get_num_renegotiates(BIO *b);
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
BIO *BIO_new_ssl(SSL_CTX *ctx, int client);
|
|
Packit |
c4476c |
BIO *BIO_new_ssl_connect(SSL_CTX *ctx);
|
|
Packit |
c4476c |
BIO *BIO_new_buffer_ssl_connect(SSL_CTX *ctx);
|
|
Packit |
c4476c |
int BIO_ssl_copy_session_id(BIO *to, BIO *from);
|
|
Packit |
c4476c |
void BIO_ssl_shutdown(BIO *bio);
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
long BIO_do_handshake(BIO *b);
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
=head1 DESCRIPTION
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
BIO_f_ssl() returns the SSL BIO method. This is a filter BIO which
|
|
Packit |
c4476c |
is a wrapper round the OpenSSL SSL routines adding a BIO "flavour" to
|
|
Packit |
c4476c |
SSL I/O.
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
I/O performed on an SSL BIO communicates using the SSL protocol with
|
|
Packit |
c4476c |
the SSLs read and write BIOs. If an SSL connection is not established
|
|
Packit |
c4476c |
then an attempt is made to establish one on the first I/O call.
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
If a BIO is appended to an SSL BIO using BIO_push() it is automatically
|
|
Packit |
c4476c |
used as the SSL BIOs read and write BIOs.
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
Calling BIO_reset() on an SSL BIO closes down any current SSL connection
|
|
Packit |
c4476c |
by calling SSL_shutdown(). BIO_reset() is then sent to the next BIO in
|
|
Packit |
c4476c |
the chain: this will typically disconnect the underlying transport.
|
|
Packit |
c4476c |
The SSL BIO is then reset to the initial accept or connect state.
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
If the close flag is set when an SSL BIO is freed then the internal
|
|
Packit |
c4476c |
SSL structure is also freed using SSL_free().
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
BIO_set_ssl() sets the internal SSL pointer of BIO B to B<ssl> using
|
|
Packit |
c4476c |
the close flag B<c>.
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
BIO_get_ssl() retrieves the SSL pointer of BIO B, it can then be
|
|
Packit |
c4476c |
manipulated using the standard SSL library functions.
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
BIO_set_ssl_mode() sets the SSL BIO mode to B<client>. If B<client>
|
|
Packit |
c4476c |
is 1 client mode is set. If B<client> is 0 server mode is set.
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
BIO_set_ssl_renegotiate_bytes() sets the renegotiate byte count
|
|
Packit |
c4476c |
to B<num>. When set after every B<num> bytes of I/O (read and write)
|
|
Packit |
c4476c |
the SSL session is automatically renegotiated. B<num> must be at
|
|
Packit |
c4476c |
least 512 bytes.
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
BIO_set_ssl_renegotiate_timeout() sets the renegotiate timeout to
|
|
Packit |
c4476c |
B<seconds>. When the renegotiate timeout elapses the session is
|
|
Packit |
c4476c |
automatically renegotiated.
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
BIO_get_num_renegotiates() returns the total number of session
|
|
Packit |
c4476c |
renegotiations due to I/O or timeout.
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
BIO_new_ssl() allocates an SSL BIO using SSL_CTX B<ctx> and using
|
|
Packit |
c4476c |
client mode if B<client> is non zero.
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
BIO_new_ssl_connect() creates a new BIO chain consisting of an
|
|
Packit |
c4476c |
SSL BIO (using B<ctx>) followed by a connect BIO.
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
BIO_new_buffer_ssl_connect() creates a new BIO chain consisting
|
|
Packit |
c4476c |
of a buffering BIO, an SSL BIO (using B<ctx>) and a connect
|
|
Packit |
c4476c |
BIO.
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
BIO_ssl_copy_session_id() copies an SSL session id between
|
|
Packit |
c4476c |
BIO chains B<from> and B<to>. It does this by locating the
|
|
Packit |
c4476c |
SSL BIOs in each chain and calling SSL_copy_session_id() on
|
|
Packit |
c4476c |
the internal SSL pointer.
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
BIO_ssl_shutdown() closes down an SSL connection on BIO
|
|
Packit |
c4476c |
chain B<bio>. It does this by locating the SSL BIO in the
|
|
Packit |
c4476c |
chain and calling SSL_shutdown() on its internal SSL
|
|
Packit |
c4476c |
pointer.
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
BIO_do_handshake() attempts to complete an SSL handshake on the
|
|
Packit |
c4476c |
supplied BIO and establish the SSL connection. It returns 1
|
|
Packit |
c4476c |
if the connection was established successfully. A zero or negative
|
|
Packit |
c4476c |
value is returned if the connection could not be established, the
|
|
Packit |
c4476c |
call BIO_should_retry() should be used for non blocking connect BIOs
|
|
Packit |
c4476c |
to determine if the call should be retried. If an SSL connection has
|
|
Packit |
c4476c |
already been established this call has no effect.
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
=head1 NOTES
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
SSL BIOs are exceptional in that if the underlying transport
|
|
Packit |
c4476c |
is non blocking they can still request a retry in exceptional
|
|
Packit |
c4476c |
circumstances. Specifically this will happen if a session
|
|
Packit |
c4476c |
renegotiation takes place during a BIO_read_ex() operation, one
|
|
Packit |
c4476c |
case where this happens is when step up occurs.
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
The SSL flag SSL_AUTO_RETRY can be
|
|
Packit |
c4476c |
set to disable this behaviour. That is when this flag is set
|
|
Packit |
c4476c |
an SSL BIO using a blocking transport will never request a
|
|
Packit |
c4476c |
retry.
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
Since unknown BIO_ctrl() operations are sent through filter
|
|
Packit |
c4476c |
BIOs the servers name and port can be set using BIO_set_host()
|
|
Packit |
c4476c |
on the BIO returned by BIO_new_ssl_connect() without having
|
|
Packit |
c4476c |
to locate the connect BIO first.
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
Applications do not have to call BIO_do_handshake() but may wish
|
|
Packit |
c4476c |
to do so to separate the handshake process from other I/O
|
|
Packit |
c4476c |
processing.
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
BIO_set_ssl(), BIO_get_ssl(), BIO_set_ssl_mode(),
|
|
Packit |
c4476c |
BIO_set_ssl_renegotiate_bytes(), BIO_set_ssl_renegotiate_timeout(),
|
|
Packit |
c4476c |
BIO_get_num_renegotiates(), and BIO_do_handshake() are implemented as macros.
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
=head1 RETURN VALUES
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
BIO_f_ssl() returns the SSL B<BIO_METHOD> structure.
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
BIO_set_ssl(), BIO_get_ssl(), BIO_set_ssl_mode(), BIO_set_ssl_renegotiate_bytes(),
|
|
Packit |
c4476c |
BIO_set_ssl_renegotiate_timeout() and BIO_get_num_renegotiates() return 1 on
|
|
Packit |
c4476c |
success or a value which is less than or equal to 0 if an error occurred.
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
BIO_new_ssl(), BIO_new_ssl_connect() and BIO_new_buffer_ssl_connect() return
|
|
Packit |
c4476c |
a valid B<BIO> structure on success or B<NULL> if an error occurred.
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
BIO_ssl_copy_session_id() returns 1 on success or 0 on error.
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
BIO_do_handshake() returns 1 if the connection was established successfully.
|
|
Packit |
c4476c |
A zero or negative value is returned if the connection could not be established.
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
=head1 EXAMPLES
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
This SSL/TLS client example attempts to retrieve a page from an
|
|
Packit |
c4476c |
SSL/TLS web server. The I/O routines are identical to those of the
|
|
Packit |
c4476c |
unencrypted example in L<BIO_s_connect(3)>.
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
BIO *sbio, *out;
|
|
Packit |
c4476c |
int len;
|
|
Packit |
c4476c |
char tmpbuf[1024];
|
|
Packit |
c4476c |
SSL_CTX *ctx;
|
|
Packit |
c4476c |
SSL *ssl;
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
/* XXX Seed the PRNG if needed. */
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
ctx = SSL_CTX_new(TLS_client_method());
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
/* XXX Set verify paths and mode here. */
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
sbio = BIO_new_ssl_connect(ctx);
|
|
Packit |
c4476c |
BIO_get_ssl(sbio, &ssl;;
|
|
Packit |
c4476c |
if (ssl == NULL) {
|
|
Packit |
c4476c |
fprintf(stderr, "Can't locate SSL pointer\n");
|
|
Packit |
c4476c |
ERR_print_errors_fp(stderr);
|
|
Packit |
c4476c |
exit(1);
|
|
Packit |
c4476c |
}
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
/* Don't want any retries */
|
|
Packit |
c4476c |
SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
/* XXX We might want to do other things with ssl here */
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
/* An empty host part means the loopback address */
|
|
Packit |
c4476c |
BIO_set_conn_hostname(sbio, ":https");
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
out = BIO_new_fp(stdout, BIO_NOCLOSE);
|
|
Packit |
c4476c |
if (BIO_do_connect(sbio) <= 0) {
|
|
Packit |
c4476c |
fprintf(stderr, "Error connecting to server\n");
|
|
Packit |
c4476c |
ERR_print_errors_fp(stderr);
|
|
Packit |
c4476c |
exit(1);
|
|
Packit |
c4476c |
}
|
|
Packit |
c4476c |
if (BIO_do_handshake(sbio) <= 0) {
|
|
Packit |
c4476c |
fprintf(stderr, "Error establishing SSL connection\n");
|
|
Packit |
c4476c |
ERR_print_errors_fp(stderr);
|
|
Packit |
c4476c |
exit(1);
|
|
Packit |
c4476c |
}
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
/* XXX Could examine ssl here to get connection info */
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
BIO_puts(sbio, "GET / HTTP/1.0\n\n");
|
|
Packit |
c4476c |
for (;;) {
|
|
Packit |
c4476c |
len = BIO_read(sbio, tmpbuf, 1024);
|
|
Packit |
c4476c |
if (len <= 0)
|
|
Packit |
c4476c |
break;
|
|
Packit |
c4476c |
BIO_write(out, tmpbuf, len);
|
|
Packit |
c4476c |
}
|
|
Packit |
c4476c |
BIO_free_all(sbio);
|
|
Packit |
c4476c |
BIO_free(out);
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
Here is a simple server example. It makes use of a buffering
|
|
Packit |
c4476c |
BIO to allow lines to be read from the SSL BIO using BIO_gets.
|
|
Packit |
c4476c |
It creates a pseudo web page containing the actual request from
|
|
Packit |
c4476c |
a client and also echoes the request to standard output.
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
BIO *sbio, *bbio, *acpt, *out;
|
|
Packit |
c4476c |
int len;
|
|
Packit |
c4476c |
char tmpbuf[1024];
|
|
Packit |
c4476c |
SSL_CTX *ctx;
|
|
Packit |
c4476c |
SSL *ssl;
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
/* XXX Seed the PRNG if needed. */
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
ctx = SSL_CTX_new(TLS_server_method());
|
|
Packit |
c4476c |
if (!SSL_CTX_use_certificate_file(ctx, "server.pem", SSL_FILETYPE_PEM)
|
|
Packit |
c4476c |
|| !SSL_CTX_use_PrivateKey_file(ctx, "server.pem", SSL_FILETYPE_PEM)
|
|
Packit |
c4476c |
|| !SSL_CTX_check_private_key(ctx)) {
|
|
Packit |
c4476c |
fprintf(stderr, "Error setting up SSL_CTX\n");
|
|
Packit |
c4476c |
ERR_print_errors_fp(stderr);
|
|
Packit |
c4476c |
exit(1);
|
|
Packit |
c4476c |
}
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
/* XXX Other things like set verify locations, EDH temp callbacks. */
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
/* New SSL BIO setup as server */
|
|
Packit |
c4476c |
sbio = BIO_new_ssl(ctx, 0);
|
|
Packit |
c4476c |
BIO_get_ssl(sbio, &ssl;;
|
|
Packit |
c4476c |
if (ssl == NULL) {
|
|
Packit |
c4476c |
fprintf(stderr, "Can't locate SSL pointer\n");
|
|
Packit |
c4476c |
ERR_print_errors_fp(stderr);
|
|
Packit |
c4476c |
exit(1);
|
|
Packit |
c4476c |
}
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY);
|
|
Packit |
c4476c |
bbio = BIO_new(BIO_f_buffer());
|
|
Packit |
c4476c |
sbio = BIO_push(bbio, sbio);
|
|
Packit |
c4476c |
acpt = BIO_new_accept("4433");
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
/*
|
|
Packit |
c4476c |
* By doing this when a new connection is established
|
|
Packit |
c4476c |
* we automatically have sbio inserted into it. The
|
|
Packit |
c4476c |
* BIO chain is now 'swallowed' by the accept BIO and
|
|
Packit |
c4476c |
* will be freed when the accept BIO is freed.
|
|
Packit |
c4476c |
*/
|
|
Packit |
c4476c |
BIO_set_accept_bios(acpt, sbio);
|
|
Packit |
c4476c |
out = BIO_new_fp(stdout, BIO_NOCLOSE);
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
/* Setup accept BIO */
|
|
Packit |
c4476c |
if (BIO_do_accept(acpt) <= 0) {
|
|
Packit |
c4476c |
fprintf(stderr, "Error setting up accept BIO\n");
|
|
Packit |
c4476c |
ERR_print_errors_fp(stderr);
|
|
Packit |
c4476c |
exit(1);
|
|
Packit |
c4476c |
}
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
/* We only want one connection so remove and free accept BIO */
|
|
Packit |
c4476c |
sbio = BIO_pop(acpt);
|
|
Packit |
c4476c |
BIO_free_all(acpt);
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
if (BIO_do_handshake(sbio) <= 0) {
|
|
Packit |
c4476c |
fprintf(stderr, "Error in SSL handshake\n");
|
|
Packit |
c4476c |
ERR_print_errors_fp(stderr);
|
|
Packit |
c4476c |
exit(1);
|
|
Packit |
c4476c |
}
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
BIO_puts(sbio, "HTTP/1.0 200 OK\r\nContent-type: text/plain\r\n\r\n");
|
|
Packit |
c4476c |
BIO_puts(sbio, "\r\nConnection Established\r\nRequest headers:\r\n");
|
|
Packit |
c4476c |
BIO_puts(sbio, "--------------------------------------------------\r\n");
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
for (;;) {
|
|
Packit |
c4476c |
len = BIO_gets(sbio, tmpbuf, 1024);
|
|
Packit |
c4476c |
if (len <= 0)
|
|
Packit |
c4476c |
break;
|
|
Packit |
c4476c |
BIO_write(sbio, tmpbuf, len);
|
|
Packit |
c4476c |
BIO_write(out, tmpbuf, len);
|
|
Packit |
c4476c |
/* Look for blank line signifying end of headers*/
|
|
Packit |
c4476c |
if (tmpbuf[0] == '\r' || tmpbuf[0] == '\n')
|
|
Packit |
c4476c |
break;
|
|
Packit |
c4476c |
}
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
BIO_puts(sbio, "--------------------------------------------------\r\n");
|
|
Packit |
c4476c |
BIO_puts(sbio, "\r\n");
|
|
Packit |
c4476c |
BIO_flush(sbio);
|
|
Packit |
c4476c |
BIO_free_all(sbio);
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
=head1 HISTORY
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
In OpenSSL before 1.0.0 the BIO_pop() call was handled incorrectly,
|
|
Packit |
c4476c |
the I/O BIO reference count was incorrectly incremented (instead of
|
|
Packit |
c4476c |
decremented) and dissociated with the SSL BIO even if the SSL BIO was not
|
|
Packit |
c4476c |
explicitly being popped (e.g. a pop higher up the chain). Applications which
|
|
Packit |
c4476c |
included workarounds for this bug (e.g. freeing BIOs more than once) should
|
|
Packit |
c4476c |
be modified to handle this fix or they may free up an already freed BIO.
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
=head1 COPYRIGHT
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
Copyright 2000-2019 The OpenSSL Project Authors. All Rights Reserved.
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
Licensed under the OpenSSL license (the "License"). You may not use
|
|
Packit |
c4476c |
this file except in compliance with the License. You can obtain a copy
|
|
Packit |
c4476c |
in the file LICENSE in the source distribution or at
|
|
Packit |
c4476c |
L<https://www.openssl.org/source/license.html>.
|
|
Packit |
c4476c |
|
|
Packit |
c4476c |
=cut
|