OpenSSL: perform en-/decryption without SSL_read() / SSL_write()

Question

I've written an event-based networking library in C and now I want to add SSL/TLS support via OpenSSL. Instead of using SSL_read() and SSL_write(), I'd rather like to have OpenSSL only perform the encryption/decryption of outgoing/incoming data, letting me transmit/receive the data myself.

I'm new to SSL/TLS and OpenSSL, so:

Is there a way to have OpenSSL only perform encryption/decryption of char arrays?

Something like size_t SSL_encrypt(const char *buf_in, size_t size_in, char *buf_out) would be great.

Answer 1

Exactly what you've asked for isn't possible, because with TLS there isn't a 1-to-1 correspondence between sending something at the application layer and sending something on the network socket. Events like renegotiations mean that sometimes SSL needs to read data from the network in order to make progress sending data, and vice-versa.

However, you can still use OpenSSL to perform SSL but take care of the reading and writing from the network yourself. You do this by calling SSL_set_bio() on the SSL pointer instead of SSL_set_fd():

1. Use BIO_new_bio_pair() to create a connected BIO pair. One BIO will be read from and written to by the SSL routines, and the other BIO will be read from and written to by your application (allowing it to pass the data to the other end by whatever method it desires).

2. Use SSL_set_bio() on a new SSL object to set both the read and write BIO to one of the BIOs in the pair generated.

3. Use BIO_read() and BIO_write() on the other BIO in the pair to read and write the SSL protocol data.

4. Use SSL_accept(), SSL_connect(), SSL_read() and SSL_write() as normal on the SSL object.

(It's not clear what advantage this would give in your application, though: in this case you can't really do anything other than read and write exactly what OpenSSL passes you, so you might as well let it do the reading and writing too).