Why does SSL_set_bio take two pointers to BIO as parameters? (OpenSSL "BIO_s_mem" vs "BIO_s_bio")


Question

SSL_set_bio uses two OpenSSL BIOs: the input BIO (rbio) and the output BIO (wbio). The first one is used when OpenSSL needs to get data from the remote side and the second one is used when OpenSSL needs to send data to the remote side. Usually these two BIOs are the same (they are pointers to the same BIO object). For example, it may be a socket BIO (BIO_s_socket). When OpenSSL needs data, it receives it from that socket BIO. And it uses the same socket BIO to send data. So a single BIO object would be enough.

The only case I can think of when two different BIOs are required is when a memory BIO (BIO_s_mem) is used. A memory BIO is like a loopback BIO: any data that is written to a memory BIO will be read back from it later in subsequent read operations. A memory BIO is needed when an application implements data transfer by itself without using OpenSSL BIOs. The application receives data from the remote side using its own functions and then puts it into the input memory BIO so that OpenSSL can get it. And the opposite process: OpenSSL puts output data into the output memory BIO, and then the application gets the data from the output BIO and sends it to the remote side using its own functions. Since two buffers (the input and the output) are required, two different memory BIOs are used for a single SSL/TLS link.

But in addition there is a BIO called BIO_s_bio which has pipe-like functionality. A pair of such BIOs can be created. Any data written to the first BIO in the pair of BIO_s_bio objects will be read from the second BIO in the pair. And vice versa: writing data to the second BIO will result in reading this data from the first BIO. So BIO_s_bio can be used instead of BIO_s_mem. Passing a single instance of a BIO_s_bio object to the SSL_set_bio function would be enough. The application receives data and writes it to its BIO in the BIO_s_bio pair. OpenSSL will then get this data from its BIO in the pair. OpenSSL writes data to its BIO in the pair, and the application gets this data from its BIO in turn.

Does SSL_set_bio need two pointers to BIOs only for using OpenSSL with memory BIOs? Is there any other example where using two different BIOs in the SSL_set_bio function may be helpful?

Is BIO_s_mem needed at all if BIO_s_bio can be used instead? Are there any benefits of using BIO_s_mem instead of using BIO_s_bio?

Recommended answer

Usually SSL/TLS uses one TCP socket for the link. In that case you can use the following function for setting the fd on the ssl object:

SSL_set_fd(ssl, tcp_socket_fd);

But there can be use cases where 2 unidirectional file descriptors are used instead of one TCP socket.

For example, if you want to implement a TLS server as a child of tcpd. Then your server's file descriptors for TCP traffic are:

  • STDIN_FILENO for the input stream
  • STDOUT_FILENO for the output stream

In that case SSL_set_fd() cannot be used, and you can play with two BIOs:

   // not tested
   #include <unistd.h>        // STDIN_FILENO, STDOUT_FILENO
   #include <openssl/bio.h>
   #include <openssl/ssl.h>
   BIO* in = BIO_new_fd(STDIN_FILENO, 0);    // read side; close flag 0 == BIO_NOCLOSE, fd survives BIO_free
   BIO* out = BIO_new_fd(STDOUT_FILENO, 0);  // write side, a different fd, so a different BIO
   SSL_set_bio(ssl, in, out);                // ssl takes ownership of both BIOs

Maybe it is better to use SSL_set_rfd() and SSL_set_wfd(). But that was just an example.
