Jeffrey Altman wrote:
>
> > Jeffrey Altman wrote:
> > >
> > >
> > > I think what he would like is the ability to do what the Microsoft
> > > SSPI does. Instead of OpenSSL being a layer between the I/O channel
> > > and the app, he would like the app to provide all I/O functions and
> > > have OpenSSL provide routines that encode and decode buffers provided
> > > to it by the application. After OpenSSL has done its work, the
> > > application transmits the outgoing data to the peer. After receiving
> > > data from the peer it calls OpenSSL to process it.
> > >
> >
This looks like GSSAPI using SSL protocol which we have with the Globus project.
The SSL handshake is converted into GSS tokens, and sent by the application.
GSS wrap and unwrap also call the SSL routines and return as tokens what would
have been sent over the socket.
This done using BIO_s_mem. Here are some code snippets an examples:
222 if ((context->gs_rbio = BIO_new(BIO_s_mem())) == NULL) {
223 return GSS_S_FAILURE;
224 }
225
226 if ((context->gs_wbio = BIO_new(BIO_s_mem())) == NULL) {
227 return GSS_S_FAILURE;
228 }
229
230 if ((context->gs_sslbio = BIO_new(BIO_f_ssl())) == NULL) {
231 return GSS_S_FAILURE;
232 }
236
237 if ( cred_usage == GSS_C_INITIATE) {
238 SSL_set_connect_state(context->gs_ssl);
239 } else {
240 SSL_set_accept_state(context->gs_ssl);
241 }
242
243 SSL_set_bio(context->gs_ssl,
244 context->gs_rbio,
245 context->gs_wbio);
246
247 BIO_set_ssl(context->gs_sslbio,
248 context->gs_ssl,
249 BIO_CLOSE);
The gss_init_sec_context and gss_accept_sec_context then use code
like this to write tokens they received from the application
to the read bio:
295 if (input_token->length > 0) {
296 BIO_write(context_handle->gs_rbio,
297 input_token->value,
298 input_token->length);
They then reenter the handshake loop:
480 /*
481 * do the BIO_do_handshake which may produce output,
482 * and endup waiting for input
483 * when completed without error, connection established
484 */
485 rc = BIO_do_handshake(context_handle->gs_sslbio);
486 if (rc <= 0) {
487 if (!BIO_should_retry(context_handle->gs_sslbio) ||
488 !BIO_should_read(context_handle->gs_sslbio)) {
Then when the SSL code waits for BIO_should_read, they get all the data
from the write bio to convert to an output token for the application to send:
331 output_token->length = BIO_pending(context_handle->gs_wbio);
332 if (output_token->length > 0) {
333 output_token->value = (char *) malloc(output_token->length);
334 if (output_token->value == NULL) {
335 output_token->length = 0 ;
336 GSSerr(GSSERR_F_GS_HANDSHAKE,ERR_R_MALLOC_FAILURE);
337 return GSS_S_FAILURE;
338 }
339 BIO_read(context_handle->gs_wbio,
340 output_token->value,
341 output_token->length);
The SSL never does any networking at all.
You can learn more about this at http://www.globus.org/security/v1.1/
or drop me a note.
(We are just polishing up the OpenSSL-0.9.5a mods. The production
Globus Security Interface is using SSLeay.)
>
> I was just attempting to summarize what the original poster was asking
> for. I think the primary problem is that there are no example apps
> showing how to use the different types of BIOs.
So here is an example.
--
Douglas E. Engert <[EMAIL PROTECTED]>
Argonne National Laboratory
9700 South Cass Avenue
Argonne, Illinois 60439
(630) 252-5444
______________________________________________________________________
OpenSSL Project http://www.openssl.org
Development Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
