NAME
BIO_f_ssl, BIO_set_ssl, BIO_get_ssl, BIO_set_ssl_mode, BIO_set_ssl_renegotiate_bytes, BIO_get_num_renegotiates, BIO_set_ssl_renegotiate_timeout, BIO_new_ssl, BIO_new_ssl_connect, BIO_new_buffer_ssl_connect, BIO_ssl_copy_session_id, BIO_ssl_shutdown — SSL BIOSYNOPSIS
#include <openssl/bio.h>#include <openssl/ssl.h>
BIO_f_ssl(void);
#define BIO_get_ssl(b,sslp) BIO_ctrl(b,BIO_C_GET_SSL,0,(char *)sslp)
#define BIO_set_ssl_mode(b,client) BIO_ctrl(b,BIO_C_SSL_MODE,client,NULL)
#define BIO_set_ssl_renegotiate_bytes(b,num) BIO_ctrl(b,BIO_C_SET_SSL_RENEGOTIATE_BYTES,num,NULL)
#define BIO_set_ssl_renegotiate_timeout(b,seconds) BIO_ctrl(b,BIO_C_SET_SSL_RENEGOTIATE_TIMEOUT,seconds,NULL)
#define BIO_get_num_renegotiates(b) BIO_ctrl(b,BIO_C_SET_SSL_NUM_RENEGOTIATES,0,NULL)
BIO_new_ssl(SSL_CTX *ctx, int client);
BIO_new_ssl_connect(SSL_CTX *ctx);
BIO_new_buffer_ssl_connect(SSL_CTX *ctx);
BIO_ssl_copy_session_id(BIO *to, BIO *from);
BIO_ssl_shutdown(BIO *bio);
DESCRIPTION
BIO_f_ssl() returns the SSL BIO method. This is a filter BIO which is a wrapper around the OpenSSL SSL routines adding a BIO “flavor” to SSL I/O.NOTES
SSL BIOs are exceptional in that if the underlying transport is non-blocking they can still request a retry in exceptional circumstances. Specifically this will happen if a session renegotiation takes place during a BIO_read(3) operation. One case where this happens is when step up occurs.RETURN VALUES
This section is incomplete.EXAMPLES
This SSL/TLS client example attempts to retrieve a page from an SSL/TLS web server. The I/O routines are identical to those of the unencrypted example in BIO_s_connect(3).BIO *sbio, *out; int len; char tmpbuf[1024]; SSL_CTX *ctx; SSL *ssl; ERR_load_crypto_strings(); ERR_load_SSL_strings(); OpenSSL_add_all_algorithms(); /* * We would seed the PRNG here if the platform didn't do it automatically */ ctx = SSL_CTX_new(SSLv23_client_method()); /* * We'd normally set some stuff like the verify paths and mode here because * as things stand this will connect to any server whose certificate is * signed by any CA. */ sbio = BIO_new_ssl_connect(ctx); BIO_get_ssl(sbio, &ssl); if (!ssl) { fprintf(stderr, "Can't locate SSL pointer\n"); /* whatever ... */ } /* Don't want any retries */ SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY); /* We might want to do other things with ssl here */ BIO_set_conn_hostname(sbio, "localhost:https"); out = BIO_new_fp(stdout, BIO_NOCLOSE); if (BIO_do_connect(sbio) <= 0) { fprintf(stderr, "Error connecting to server\n"); ERR_print_errors_fp(stderr); /* whatever ... */ } if (BIO_do_handshake(sbio) <= 0) { fprintf(stderr, "Error establishing SSL connection\n"); ERR_print_errors_fp(stderr); /* whatever ... */ } /* Could examine ssl here to get connection info */ BIO_puts(sbio, "GET / HTTP/1.0\n\n"); for (;;) { len = BIO_read(sbio, tmpbuf, 1024); if(len <= 0) break; BIO_write(out, tmpbuf, len); } BIO_free_all(sbio); BIO_free(out);
BIO *sbio, *bbio, *acpt, *out; int len; char tmpbuf[1024]; SSL_CTX *ctx; SSL *ssl; ERR_load_crypto_strings(); ERR_load_SSL_strings(); OpenSSL_add_all_algorithms(); /* Might seed PRNG here */ ctx = SSL_CTX_new(SSLv23_server_method()); if (!SSL_CTX_use_certificate_file(ctx,"server.pem",SSL_FILETYPE_PEM) || !SSL_CTX_use_PrivateKey_file(ctx,"server.pem",SSL_FILETYPE_PEM) || !SSL_CTX_check_private_key(ctx)) { fprintf(stderr, "Error setting up SSL_CTX\n"); ERR_print_errors_fp(stderr); return 0; } /* * Might do other things here like setting verify locations and DH and/or * RSA temporary key callbacks */ /* New SSL BIO setup as server */ sbio = BIO_new_ssl(ctx,0); BIO_get_ssl(sbio, &ssl); if (!ssl) { fprintf(stderr, "Can't locate SSL pointer\n"); /* whatever ... */ } /* Don't want any retries */ SSL_set_mode(ssl, SSL_MODE_AUTO_RETRY); /* Create the buffering BIO */ bbio = BIO_new(BIO_f_buffer()); /* Add to chain */ sbio = BIO_push(bbio, sbio); acpt = BIO_new_accept("4433"); /* * By doing this when a new connection is established we automatically * have sbio inserted into it. The BIO chain is now 'swallowed' by the * accept BIO and will be freed when the accept BIO is freed. */ BIO_set_accept_bios(acpt,sbio); out = BIO_new_fp(stdout, BIO_NOCLOSE); /* Setup accept BIO */ if (BIO_do_accept(acpt) <= 0) { fprintf(stderr, "Error setting up accept BIO\n"); ERR_print_errors_fp(stderr); return 0; } /* Now wait for incoming connection */ if (BIO_do_accept(acpt) <= 0) { fprintf(stderr, "Error in connection\n"); ERR_print_errors_fp(stderr); return 0; } /* We only want one connection so remove and free accept BIO */ sbio = BIO_pop(acpt); BIO_free_all(acpt); if (BIO_do_handshake(sbio) <= 0) { fprintf(stderr, "Error in SSL handshake\n"); ERR_print_errors_fp(stderr); return 0; } BIO_puts(sbio, "HTTP/1.0 200 OK\r\nContent-type: text/plain\r\n\r\n"); BIO_puts(sbio, "\r\nConnection Established\r\nRequest headers:\r\n"); BIO_puts(sbio, "--------------------------------------------------\r\n"); for (;;) { len = BIO_gets(sbio, tmpbuf, 1024); if (len <= 0) break; BIO_write(sbio, tmpbuf, len); BIO_write(out, tmpbuf, len); /* Look for blank line signifying end of headers */ if ((tmpbuf[0] == '\r') || (tmpbuf[0] == '\n')) break; } BIO_puts(sbio, "--------------------------------------------------\r\n"); BIO_puts(sbio, "\r\n"); /* Since there is a buffering BIO present we had better flush it */ BIO_flush(sbio); BIO_free_all(sbio);