Directly Read/Write Handshake data with Memory BIO

by

Finally I get it to work, I was in the right way:

The function SSL_set_connect_state(ssl) is needed to tell the connection to be prepared for the handshake init. Then, we call SSL_do_handshake(ssl) to start the handshake. This function will return -1 because the handshake was not finished, but we can actually read from the client ssl connection BIO writer and send the data using the protocol we want (in my case, EAP RADIUS packets over UDP).

Client

ctx = SSL_CTX_new(SSLv3_client_method());
SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);

ssl = SSL_new(ctx);
rbio = BIO_new(BIO_s_mem());
wbio = BIO_new(BIO_s_mem());

SSL_set_bio(ssl, rbio, wbio);
SSL_set_connect_state(ssl); 

SSL_do_handshake(ssl); // This will return -1 (error) as the handshake is not finished, we can ignore it.

char buf[4096];
BIO_read(wbio, buf, 4096); // Read from BIO, put data in buffer

// Then use data in buffer to send to the server

The server, in the other hand, should be configured using the credential and private key. Also, instead of SSL_set_connect_state() we should use SSL_set_accept_state() as the server will wait for the client’s handshake hello. Then, we simply write the client handshake hello data to the server BIO reader:

Server

ctx = SSL_CTX_new(SSLv3_server_method()); // This is the server!
SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, NULL);

ssl = SSL_new(ctx);
rbio = BIO_new(BIO_s_mem());
wbio = BIO_new(BIO_s_mem());

SSL_set_bio(ssl, rbio, wbio);
SSL_set_accept_state(ssl); // The server uses SSL_set_accept_state

// Here we get the data from the client suppose it's in the variable buf
// and write it to the connection reader BIO.
BIO_write(rbio, buf, strlen(buf));

if (!SSL_is_init_finished(ssl)) {
    SSL_do_handshake(ssl);
}

We can use the the SSL_is_init_finished(ssl) function to check if the handshake was done, and while it is not done we call SSL_do_handshake(ssl), and then read again from the BIO_writer to send data to the client.

This process between client and server should be done until the connection is done (i.e. SSL_is_init_finished(ssl) returns true).

Then, after the handshake is done, you can send secure data between client/server, by using the SSL_read and SSL_write functions. Hope this short explanation is useful for someone!

More Related Contents:

  1. How to implement Server Name Indication (SNI)
  2. How to generate RSA private key using OpenSSL?
  3. Password to key function compatible with OpenSSL commands?
  4. AES CTR 256 Encryption Mode of operation on OpenSSL
  5. Turn a simple socket into an SSL socket
  6. How to compile .c file with OpenSSL includes?
  7. boost asio ssl async_shutdown always finishes with an error?
  8. Error: “invalid use of incomplete type ‘RSA {aka struct rsa_st}” in OpenSSL 1.1.0
  9. AES (aes-cbc-128, aes-cbc-192, aes-cbc-256) encryption/decryption with openssl C
  10. How do I build OpenSSL statically linked against Windows runtime?
  11. x509 certificate verification in C
  12. How to do encryption using AES in Openssl
  13. Build OpenVPN with specific OpenSSL version
  14. Serving multiple domains in one box with SNI
  15. why segmentation error in my program
  16. (Why) is using an uninitialized variable undefined behavior?
  17. How to convert an int to string in C?
  18. Why does the order of the loops affect performance when iterating over a 2D array?
  19. Creating your own header file in C
  20. C How to “draw” a Binary Tree to the console [closed]
  21. undefined reference to gotoxy in C
  22. Are file descriptors shared when fork()ing?
  23. What is the purpose of the div() library function?
  24. How to link to a static library in C?
  25. scanf() variable length specifier
  26. In C, what’s the size of stdout buffer?
  27. double negation in C : is it guaranteed to return 0/1?
  28. Is there a way to get the filename from a `FILE*`? [duplicate]
  29. Compiling a C program that uses OpenGl in Mac OS X
  30. How C strings are allocated in memory?

Leave a Comment