You CAN use openssl as an engine, with bio pairs.

Look here: http://h71000.www7.hp.com/doc/83final/ba554_90007/ch04s03.html:

Using BIOs for SSL Data Transmission (Optional)

Instead of using SSL_write() and SSL_read(), you can transmit data by calling 
BIO_puts() and BIO_gets(), and BIO_write() and BIO_read(), provided that a 
buffer BIO is created and set up as follows:

 #include <openssl/bio.h>
 #include <openssl/ssl.h>

 #define READBUF_SIZE  4096     /* buffer sizes are not given in the original; choose your own */
 #define WRITEBUF_SIZE 4096

 BIO  *buf_io, *ssl_bio;
 char  rbuf[READBUF_SIZE];
 char  wbuf[WRITEBUF_SIZE];
 int   ret, wlen, rlen;         /* wlen, rlen: byte counts chosen by the caller */
 /* ssl is an SSL * that has already been created and set up */

 buf_io = BIO_new(BIO_f_buffer());           /* create a buffer BIO */
 ssl_bio = BIO_new(BIO_f_ssl());             /* create an ssl BIO */
 BIO_set_ssl(ssl_bio, ssl, BIO_CLOSE);       /* attach the SSL object to the ssl BIO */
 BIO_push(buf_io, ssl_bio);                  /* chain: buf_io -> ssl_bio */

 ret = BIO_puts(buf_io, wbuf);               /* write the NUL-terminated contents of wbuf[] into buf_io */
 ret = BIO_write(buf_io, wbuf, wlen);        /* write wlen bytes of wbuf[] into buf_io */

 ret = BIO_gets(buf_io, rbuf, READBUF_SIZE); /* read one line from buf_io into rbuf[] */
 ret = BIO_read(buf_io, rbuf, rlen);         /* read up to rlen bytes (rlen <= READBUF_SIZE) from buf_io into rbuf[] */

And also here: http://www.openssl.org/docs/crypto/BIO_new_bio_pair.html:


The BIO pair can be used to have full control over the network access of an 
application. The application can call select() on the socket as required 
without having to go through the SSL-interface.



The idea is that you have SSL use a bio that is one half of a bio pair: SSL 
will read and write from one bio of the pair, and this will "automagically" 
appear in the other bio of the bio pair (what's written on one side is read 
from the other, and vice-versa).


You can also wrap the SSL-application side in a bio as first mentioned.


It's a little tricky if you want to do this asynchronously: writing to the BIO 
fronting the SSL engine can result in output on the BIO of the BIO pair backing 
the SSL engine and/or output on the other side of the BIO fronting the SSL 
engine, and vice versa. This is because the SSL handshake takes place 
independently of the transfer of the data. Of course, it does no good to block 
on a BIO read that is stuck waiting for a write on the same BIO (or the one on the 
"other side" of the SSL engine).


I'm sure others might be able to explain it better, but it's a technique I've 
used in cases where I can't have SSL "front" a traditional socket.
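The plumbing described above, as an added example that is not part of this thread: Python's stdlib ssl.MemoryBIO and SSLContext.wrap_bio play the role of the OpenSSL BIO pair, so the application (an EAP-TLS encapsulator, say) carries every TLS byte itself. The hostname and the junk peer bytes are constructed placeholders, and handshake_step and fragment_for_eap are hypothetical helper names of mine.

```python
import ssl

# Added example (not from the thread): the application, not a socket, carries
# the TLS bytes, which is what an in-application EAP-TLS server needs.
# ssl.MemoryBIO + SSLContext.wrap_bio is Python's stdlib form of the BIO pair.

def make_client_tls(server_hostname="radius.example.test"):
    """Build a client-side TLS object over two memory BIOs (hostname is a placeholder)."""
    ctx = ssl.create_default_context()          # certificate verification stays on
    incoming = ssl.MemoryBIO()                  # bytes received from the peer go here
    outgoing = ssl.MemoryBIO()                  # bytes the peer must receive appear here
    tls = ctx.wrap_bio(incoming, outgoing, server_side=False,
                       server_hostname=server_hostname)
    return tls, incoming, outgoing

def handshake_step(tls, outgoing):
    """One non-blocking handshake step: returns (done, bytes_to_send).
    SSLWantReadError is the signal to flush `outgoing` and wait for the peer,
    never to block on a read of the same BIO."""
    try:
        tls.do_handshake()
        return True, outgoing.read()
    except ssl.SSLWantReadError:
        return False, outgoing.read()

def client_first_flight():
    """Driving the handshake once with nothing received yields the ClientHello record."""
    tls, _incoming, outgoing = make_client_tls()
    done, data = handshake_step(tls, outgoing)
    assert not done                             # cannot finish before the server answers
    return data

def fragment_for_eap(data, max_payload):
    """Split one TLS flight into carrier-sized pieces; each is (bytes, more_follows)."""
    pieces = [data[i:i + max_payload] for i in range(0, len(data), max_payload)]
    return [(p, i < len(pieces) - 1) for i, p in enumerate(pieces)]

def feed_bad_peer_data():
    """Edge case: non-TLS bytes from the peer fail the handshake instead of hanging it."""
    tls, incoming, outgoing = make_client_tls()
    handshake_step(tls, outgoing)               # emit ClientHello first
    incoming.write(b"\x00" * 16)                # constructed junk, not a TLS record
    try:
        handshake_step(tls, outgoing)
    except ssl.SSLError:
        return "rejected"
    return "accepted"
```

The same loop runs in reverse on the server side: bytes arriving inside EAP packets go into `incoming`, and whatever appears in `outgoing` after each step is what the next EAP packet must carry.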




________________________________
From: owner-openssl-us...@openssl.org [owner-openssl-us...@openssl.org] on 
behalf of Neo Liu [diablo...@gmail.com]
Sent: Tuesday, May 17, 2011 7:33 PM
To: openssl-users@openssl.org
Subject: Re: Can openssl support EAP-TLS?


On Thu, May 12, 2011 at 10:18 AM, Rene Hollan <rene.hol...@watchguard.com> wrote:
 If you're looking to do authentication, freeradius will do EAP, and talk to 
openssl for the TLS part (and an LDAP server for the actual authentication and 
authorization).
________________________________


FreeRADIUS is too big for me. I just want to utilize OpenSSL to implement an 
EAP-TLS server.
I want OpenSSL to handle the TLS handshake and data encryption and 
decryption, but I encapsulate the EAP packet in my application.
Can I use something like BIO pair or BIO mem to meet my need?

Thanks for your great help.