OpenSSL Read/Write Handshake data with Memory BIO


Question

I need to create an OpenSSL connection where I can directly read/write handshake data. The reason is the handshake data will be transported in a UDP connection (DTLS is not an option, because the data is not directly in the datagram, but inside another protocol packets, EAP if you're curious). So far, I've created an OpenSSL connection but I've not even been able to read the client's handshake to send to the server.

In my research I've found I need a Memory BIO to read/write to the connection, but cannot figure out how to extract the handshake data. Here's how I initialize the client connection:

#include <openssl/ssl.h>
#include <openssl/err.h>

SSL_CTX *ctx;
SSL *ssl;
BIO *rbio, *wbio;

SSL_library_init();
SSL_load_error_strings();
OpenSSL_add_all_algorithms();

ctx = SSL_CTX_new(SSLv3_client_method()); /* SSLv3 is obsolete and compiled out of modern OpenSSL builds, which use TLS_client_method() */
SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL); /* no certificate verification */

ssl = SSL_new(ctx);
rbio = BIO_new(BIO_s_mem()); /* read BIO: we feed it the bytes received from the peer */
wbio = BIO_new(BIO_s_mem()); /* write BIO: OpenSSL queues here the bytes we must send */

SSL_set_bio(ssl, rbio, wbio); /* ssl now owns both BIOs and frees them with SSL_free() */
SSL_set_connect_state(ssl);   /* act as the client side of the handshake */

int ret = SSL_connect(ssl);

But it returns -1, and doing SSL_get_error(ssl, res) I get an error code 2, then I execute ERR_error_string with that code and get:

error:00000002:lib(0):func(0):system lib

Also, if I use SSL_do_handshake instead of SSL_connect I get exactly the same error.

I've been able to set up an OpenSSL connection over TCP, but have never done this with Memory BIOs, so any help with this would be very appreciated. Thanks!

Recommended answer

Finally I got it to work; I was on the right track:

The function SSL_set_connect_state(ssl) is needed to tell the connection to be prepared for the handshake init. Then, we call SSL_do_handshake(ssl) to start the handshake. This function will return -1 because the handshake was not finished, but we can actually read from the client SSL connection's write BIO and send the data using the protocol we want (in my case, EAP RADIUS packets over UDP).

Client

ctx = SSL_CTX_new(SSLv3_client_method()); /* SSLv3 is obsolete and compiled out of modern OpenSSL builds, which use TLS_client_method() */
SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);

ssl = SSL_new(ctx);
rbio = BIO_new(BIO_s_mem());
wbio = BIO_new(BIO_s_mem());

SSL_set_bio(ssl, rbio, wbio);
SSL_set_connect_state(ssl);

int rc = SSL_do_handshake(ssl); // Returns -1 with SSL_get_error(ssl, rc) == SSL_ERROR_WANT_READ (2): the handshake is not finished, which is expected, not a failure.

char buf[4096];
int n = BIO_read(wbio, buf, sizeof buf); // Drain the write BIO: the n bytes of the ClientHello are now in buf

// Then send the n bytes in buf to the server (the data is binary, so carry its length along with it)

The server, on the other hand, should be configured using the credential and private key. Also, instead of SSL_set_connect_state() we should use SSL_set_accept_state() as the server will wait for the client's handshake hello. Then, we simply write the client handshake hello data to the server BIO reader:

Server

ctx = SSL_CTX_new(SSLv3_server_method()); // This is the server! (SSLv3 is obsolete; modern builds use TLS_server_method())
SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);
// SSL_CTX_use_certificate_file() / SSL_CTX_use_PrivateKey_file() go here: the server needs a credential and private key

ssl = SSL_new(ctx);
rbio = BIO_new(BIO_s_mem());
wbio = BIO_new(BIO_s_mem());

SSL_set_bio(ssl, rbio, wbio);
SSL_set_accept_state(ssl); // The server uses SSL_set_accept_state

// Here we get the n bytes of handshake data received from the client, suppose they are
// in the variable buf, and write them to the connection's read BIO.
BIO_write(rbio, buf, n); // Handshake data is binary: pass its length, never strlen()

if (!SSL_is_init_finished(ssl)) {
    SSL_do_handshake(ssl); // Returns -1 / SSL_ERROR_WANT_READ while more client data is needed
    // The server's reply (ServerHello, ...) is now queued in wbio: BIO_read() it and send it to the client
}

We can use the SSL_is_init_finished(ssl) function to check if the handshake was done, and while it is not done we call SSL_do_handshake(ssl), and then read again from the write BIO to send data to the client.

This process between client and server should be done until the connection is done (i.e. SSL_is_init_finished(ssl) returns true).

Then, after the handshake is done, you can send secure data between client/server, by using the SSL_read and SSL_write functions. Hope this short explanation is useful for someone!
