Running SSL on own socket code


Running SSL on own socket code

Jeff Saremi-2
I'd like to know the feasibility or complexity around using my own
socket code with OpenSSL's ssl code. If I provide OpenSSL with a pair of
BIOs to read and write would that be sufficient? How tightly integrated
the code is with bio_connect and bio_socket? thanks
jeff
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: Running SSL on own socket code

Victor Duchovni
On Tue, May 31, 2011 at 09:05:29AM -0400, Jeff Saremi wrote:

> I'd like to know the feasibility or complexity around using my own
> socket code with OpenSSL's ssl code. If I provide OpenSSL with a pair of
> BIOs to read and write would that be sufficient? How tightly integrated
> the code is with bio_connect and bio_socket? thanks
> jeff

man BIO_new_bio_pair

Look at the example.

--
        Viktor.

Re: Running SSL on own socket code

Eric S. Eberhard-2
In reply to this post by Jeff Saremi-2
The way I do things like this is to slightly modify OpenSSL (and keep
track of the mods!)

1) Hunt down the socket code
2) Set a new variable, a pointer to a function (for each function you
replace)  (fptr in my example)
3) rename the routine to "release_function"
4) make a new function() which has the exact same args and a few lines of code
int (*fptr)();              /* hook: stays NULL until someone overrides */
int release_function();     /* the original routine, renamed */

int function()
{
         if (!fptr)
                 fptr = release_function;   /* default: original behaviour */
         return (*fptr)();
}

In my code I put in the initialization routine:
         extern  int (*fptr)();
         fptr = my_function;

Note that is pseudo code and needs fleshing out.

This is because often these functions are VERY tightly coupled
including handshaking and things I don't really understand -- so I
replace a low-level routine I do understand.  And with new releases
it only takes moments to re-do the 3-4 functions I do this with.  It
means that the OpenSSL code will still work as intended in all cases
except where you chose to override.

Using function pointers does have weird/odd/goofy syntax but works
well.  I primarily use this to override error logging as I have my
own logging functions and I need to use syslog() for the version 1.2
PCI/PA-DSS compliance.  I have also replaced low-level TCP code on occasion.

In fact I would argue that all the logging functions should be
released with this capability built in as that is one area I think a
lot of people would like to customize, and if there is any interest I
will modify the code and send it through channels to be
included.  Error handling is tightly coupled -- everywhere -- in the
code, so my system makes using my own logging very easy.

Eric

At 07:22 AM 6/1/2011, Victor Duchovni wrote:

>On Tue, May 31, 2011 at 09:05:29AM -0400, Jeff Saremi wrote:
>
> > I'd like to know the feasibility or complexity around using my own
> > socket code with OpenSSL's ssl code. If I provide OpenSSL with a pair of
> > BIOs to read and write would that be sufficient? How tightly integrated
> > the code is with bio_connect and bio_socket? thanks
> > jeff
>
>man BIO_new_bio_pair
>
>Look at the example.
>
>--
>         Viktor.


Eric S. Eberhard
(928) 567-3727          Voice
(928) 567-6122          Fax
(928) 301-7537                           Cell

Vertical Integrated Computer Systems, LLC
Metropolis Support, LLC

For Metropolis support and VICS MBA Support!!!!    http://www.vicsmba.com

Pictures of Snake in Spring

http://www.facebook.com/album.php?aid=115547&id=1409661701&l=1c375e1f49

Pictures of Camp Verde

http://www.facebook.com/album.php?aid=12771&id=1409661701&l=fc0e0a2bcf

Pictures of Land Cruiser in Sedona

http://www.facebook.com/album.php?aid=50953&id=1409661701

Pictures of Flagstaff area near our cabin

http://www.facebook.com/album.php?aid=12750&id=1409661701

Pictures of Cheryl in a Horse Show

http://www.facebook.com/album.php?aid=32484&id=1409661701


Pictures of the AZ Desert

http://www.facebook.com/album.php?aid=58827&id=1409661701

(You can see why we love this state :-) )


Re: Running SSL on own socket code

Victor Duchovni
On Wed, Jun 01, 2011 at 10:56:47AM -0700, Eric S. Eberhard wrote:

> The way I do things like this is to slightly modify OpenSSL (and keep track
> of the mods!)

Completely unnecessary, OpenSSL supports custom I/O layers via BIO pairs.

--
        Viktor.

Re: Running SSL on own socket code

Eric S. Eberhard-2
In reply to this post by Eric S. Eberhard-2
Depends exactly what the person wants to do and also if he wants to
use existing code and if he is familiar with the bio pairs.  My point
was not specific to his needs as there was not a lot of detail, only
that making changes to the code is better and easier when you
override functions -- such as I must do with the error handling (and
anyone else writing PCI compliant code BTW  -- MUST MUST -- do).  In
the old days I was stupid and inserted my code into open source code
... making updates a nightmare.  This externalizes changes and makes
updates a cinch.

Eric

At 11:09 AM 6/1/2011, Victor Duchovni wrote:

>On Wed, Jun 01, 2011 at 10:56:47AM -0700, Eric S. Eberhard wrote:
>
> > The way I do things like this is to slightly modify OpenSSL (and
> keep track
> > of the mods!)
>
>Completely unnecessary, OpenSSL supports custom I/O layers via BIO pairs.
>
>--
>         Viktor.



Re: Running SSL on own socket code

Neo Liu-2
In reply to this post by Victor Duchovni


> On Wed, Jun 1, 2011 at 10:22 PM, Victor Duchovni <[hidden email]> wrote:
> On Tue, May 31, 2011 at 09:05:29AM -0400, Jeff Saremi wrote:
>
> > I'd like to know the feasibility or complexity around using my own
> > socket code with OpenSSL's ssl code. If I provide OpenSSL with a pair of
> > BIOs to read and write would that be sufficient? How tightly integrated
> > the code is with bio_connect and bio_socket? thanks
> > jeff
>
> man BIO_new_bio_pair
>
> Look at the example.


As Victor pointed out, you can use a BIO pair to handle data transmission and separate the data transmission procedure from the SSL handshake and encrypt/decrypt procedure.
Using a BIO pair, the SSL structure only handles the data in the SSL record layer, not any lower layer.



Re: Running SSL on own socket code

Jeff Saremi-2
Yes it was as straightforward as you mentioned.
Thanks to those who responded.
jeff

On 11-06-02 05:47 AM, Neo Liu wrote:

>
>
> On Wed, Jun 1, 2011 at 10:22 PM, Victor Duchovni
> <[hidden email]
> <mailto:[hidden email]>> wrote:
>
>     On Tue, May 31, 2011 at 09:05:29AM -0400, Jeff Saremi wrote:
>
>     > I'd like to know the feasibility or complexity around using my own
>     > socket code with OpenSSL's ssl code. If I provide OpenSSL with a
>     pair of
>     > BIOs to read and write would that be sufficient? How tightly
>     integrated
>     > the code is with bio_connect and bio_socket? thanks
>     > jeff
>
>     man BIO_new_bio_pair
>
>     Look at the example.
>
>
> As Victor pointed that you can use BIO pair to handle data transmission
> and separate data transmission procedure from SSL handshake and
> encrypt/decrypt procedure.
> Using BIO pair, the SSL structure only handle the data in SSL Record
> layer but not any lower layer.
>