Adapting the ssl Function
Change-Id: Id545424443408fd91c793aba605aebd0a2fb84e0
diff --git a/mbtk/libmbtk_lib/net/mbtk_mbedtls.c b/mbtk/libmbtk_lib/net/mbtk_mbedtls.c
new file mode 100755
index 0000000..aaa638a
--- /dev/null
+++ b/mbtk/libmbtk_lib/net/mbtk_mbedtls.c
@@ -0,0 +1,406 @@
+/*-----------------------------------------------------------------------------------------------*/
+/**
+ @file mbtk_mbedtls.c
+ @brief MBEDTLS API
+*/
+/*-----------------------------------------------------------------------------------------------*/
+
+/*-------------------------------------------------------------------------------------------------
+ Copyright (c) 2024 mobiletek Wireless Solution, Co., Ltd. All Rights Reserved.
+ mobiletek Wireless Solution Proprietary and Confidential.
+-------------------------------------------------------------------------------------------------*/
+
+/*-------------------------------------------------------------------------------------------------
+ EDIT HISTORY
+ This section contains comments describing changes made to the file.
+ Notice that changes are listed in reverse chronological order.
+ $Header: $
+ when who what, where, why
+ -------- --------- -----------------------------------------------------------------
+ 20250409 yq.wang Created .
+-------------------------------------------------------------------------------------------------*/
+#ifdef MBTK_MBEDTLS_V3_6_2_SUPPORT
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+
+#include "mbtk_log.h"
+#include "mbtk_mbedtls.h"
+
+#define MBTK_SSL_PERS_STR_DEFAULT "mbtk_ssl"
+#define MBTK_SSL_INFO_FD_DEFAULT -1
+#define MBTK_SSL_BUFFER_SIZE_1024 1024
+#define MBTK_SSL_BUFFER_SIZE_128 128
+
+static mbtk_mbedtls_ssl_result_e mbtk_mbedtls_ssl_info_free(mbtk_mbedtls_ssl_info_s *ssl_info)
+{
+ if(NULL == ssl_info)
+ {
+ LOGE("[%s] ssl_info [NULL]", __func__);
+ return MBTK_MBEDTLS_SSL_RESULT_FAIL;
+ }
+
+ if(NULL != ssl_info->entropy)
+ {
+ free(ssl_info->entropy);
+ ssl_info->entropy = NULL;
+ }
+
+ if(NULL != ssl_info->ctr_drbg)
+ {
+ free(ssl_info->ctr_drbg);
+ ssl_info->ctr_drbg = NULL;
+ }
+
+ if(NULL != ssl_info->ssl)
+ {
+ free(ssl_info->ssl);
+ ssl_info->ssl = NULL;
+ }
+
+ if(NULL != ssl_info->conf)
+ {
+ free(ssl_info->conf);
+ ssl_info->conf = NULL;
+ }
+
+ if(NULL != ssl_info->cacert)
+ {
+ free(ssl_info->cacert);
+ ssl_info->cacert = NULL;
+ }
+
+ if(NULL != ssl_info->clientcert)
+ {
+ free(ssl_info->clientcert);
+ ssl_info->clientcert = NULL;
+ }
+
+ if(NULL != ssl_info->clientkey)
+ {
+ free(ssl_info->clientkey);
+ ssl_info->clientkey = NULL;
+ }
+
+ return MBTK_MBEDTLS_SSL_RESULT_SUCCESS;
+}
+
+static mbtk_mbedtls_ssl_result_e mbtk_mbedtls_ssl_info_malloc(mbtk_mbedtls_ssl_info_s *ssl_info)
+{
+ if(NULL == ssl_info)
+ {
+ LOGE("[%s] ssl_info [NULL]", __func__);
+ return MBTK_MBEDTLS_SSL_RESULT_FAIL;
+ }
+
+ ssl_info->entropy = (mbedtls_entropy_context *)malloc(sizeof(mbedtls_entropy_context));
+ if(NULL == ssl_info->entropy)
+ {
+ LOGE("[%s] entropy malloc() fail", __func__);
+ goto free_error;
+ }
+
+ ssl_info->ctr_drbg = (mbedtls_ctr_drbg_context *)malloc(sizeof(mbedtls_ctr_drbg_context));
+ if(NULL == ssl_info->ctr_drbg)
+ {
+ LOGE("[%s] ctr_drbg malloc() fail", __func__);
+ goto free_error;
+ }
+
+ ssl_info->ssl = (mbedtls_ssl_context *)malloc(sizeof(mbedtls_ssl_context));
+ if(NULL == ssl_info->ssl)
+ {
+ LOGE("[%s] ssl malloc() fail", __func__);
+ goto free_error;
+ }
+
+ ssl_info->conf = (mbedtls_ssl_config *)malloc(sizeof(mbedtls_ssl_config));
+ if(NULL == ssl_info->conf)
+ {
+ LOGE("[%s] conf malloc() fail", __func__);
+ goto free_error;
+ }
+
+ ssl_info->cacert = (mbedtls_x509_crt *)malloc(sizeof(mbedtls_x509_crt));
+ if(NULL == ssl_info->cacert)
+ {
+ LOGE("[%s] cacert malloc() fail", __func__);
+ goto free_error;
+ }
+
+ ssl_info->clientcert = (mbedtls_x509_crt *)malloc(sizeof(mbedtls_x509_crt));
+ if(NULL == ssl_info->clientcert)
+ {
+ LOGE("[%s] clientcert malloc() fail", __func__);
+ goto free_error;
+ }
+
+ ssl_info->clientkey = (mbedtls_pk_context *)malloc(sizeof(mbedtls_pk_context));
+ if(NULL == ssl_info->clientkey)
+ {
+ LOGE("[%s] clientkey malloc() fail", __func__);
+ goto free_error;
+ }
+
+ return MBTK_MBEDTLS_SSL_RESULT_SUCCESS;
+free_error:
+ mbtk_mbedtls_ssl_info_free(ssl_info);
+
+ return MBTK_MBEDTLS_SSL_RESULT_FAIL;
+}
+
+mbtk_mbedtls_ssl_result_e mbtk_mbedtls_ssl_options_default(mbtk_mbedtls_ssl_options_s *opt)
+{
+ if(NULL == opt)
+ {
+ LOGE("[%s] opt [NULL]", __func__);
+ return MBTK_MBEDTLS_SSL_RESULT_FAIL;
+ }
+
+ const mbedtls_x509_crt_profile mbtk_profile = mbedtls_x509_crt_profile_default;
+
+ opt->load_cert = false;
+ opt->ca_file = NULL;
+ opt->crt_file = NULL;
+ opt->key_file = NULL;
+ opt->pers_str = (unsigned char*)MBTK_SSL_PERS_STR_DEFAULT;
+ opt->pers_str_size = strlen((const char*)opt->pers_str);
+ opt->type = MBTK_MBEDTLS_SSL_IS_CLIENT;
+ opt->transprot = MBTK_MBEDTLS_SSL_TRANSPROT_STREAM;
+ opt->preset = MBTK_MBEDTLS_SSL_PRESET_DEFAULT;
+ opt->auth_mode = MBTK_MBEDTLS_SSL_VERIFY_OPTIONAL;
+ opt->renegotiation = MBTK_MBEDTLS_SSL_RENEGOTIATION_DISABLED;
+ opt->allow_legacy = MBTK_MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION;
+ opt->min_version = MBTK_MBEDTLS_SSL_MINOR_VERSION_3;
+ opt->max_version = MBTK_MBEDTLS_SSL_MINOR_VERSION_4;
+ opt->allowed_mds = mbtk_profile.allowed_mds;
+
+ return MBTK_MBEDTLS_SSL_RESULT_SUCCESS;
+}
+
+int mbtk_mbedtls_ssl_write(mbedtls_ssl_context *ssl, const unsigned char *buf, size_t len )
+{
+ return mbedtls_ssl_write(ssl, buf, len);
+}
+
+int mbtk_mbedtls_ssl_read(mbedtls_ssl_context *ssl, unsigned char *buf, size_t len )
+{
+ return mbedtls_ssl_read(ssl, buf, len);
+}
+
+mbtk_mbedtls_ssl_result_e mbtk_mbedtls_ssl_init(int fd , mbtk_mbedtls_ssl_options_s *opt, mbtk_mbedtls_ssl_info_s* inter_info)
+{
+ int ret = -1;
+ uint32_t flags = 0;
+ char verify_err[MBTK_SSL_BUFFER_SIZE_1024 + 1] = {0};
+ char cert_buff[MBTK_SSL_BUFFER_SIZE_1024 + 1] = {0};
+ mbtk_mbedtls_ssl_options_s temp_opt = {0};
+ mbtk_mbedtls_ssl_info_s temp_ssl_info = {0};
+ mbedtls_x509_crt_profile mbtk_profile = mbedtls_x509_crt_profile_default;
+
+ if(NULL == inter_info)
+ {
+ LOGE("[%s] inter_info [NULL]", __func__);
+ return MBTK_MBEDTLS_SSL_RESULT_FAIL;
+ }
+
+ if(NULL == opt)
+ {
+ ret = mbtk_mbedtls_ssl_options_default(&temp_opt);
+ }
+ else
+ {
+ memset(&temp_opt, 0x00, sizeof(mbtk_mbedtls_ssl_options_s));
+ memcpy(&temp_opt, opt, sizeof(mbtk_mbedtls_ssl_options_s));
+ }
+
+ memset(&temp_ssl_info, 0x00, sizeof(mbtk_mbedtls_ssl_info_s));
+ ret = mbtk_mbedtls_ssl_info_malloc(&temp_ssl_info);
+ if(ret != 0)
+ {
+ LOGE("[%s] mbtk_mbedtls_ssl_info_malloc() fail", __func__);
+ return MBTK_MBEDTLS_SSL_RESULT_FAIL;
+ }
+
+ mbedtls_ctr_drbg_init(temp_ssl_info.ctr_drbg);
+ mbedtls_entropy_init(temp_ssl_info.entropy);
+ mbedtls_ssl_init(temp_ssl_info.ssl);
+ mbedtls_ssl_config_init(temp_ssl_info.conf);
+ mbedtls_x509_crt_init(temp_ssl_info.cacert);
+ mbedtls_x509_crt_init(temp_ssl_info.clientcert);
+ mbedtls_pk_init(temp_ssl_info.clientkey);
+
+ //1.Initialize the function for CTR_DRBG pseudorandom number generator
+ ret = mbedtls_ctr_drbg_seed(temp_ssl_info.ctr_drbg, mbedtls_entropy_func, temp_ssl_info.entropy, temp_opt.pers_str, temp_opt.pers_str_size);
+ if (ret != 0)
+ {
+ LOGE("[%s] mbedtls_ctr_drbg_seed() fail.[-0x%x]", __func__, -ret);
+ goto error;
+ }
+
+ //2.Load certificate
+ if(temp_opt.load_cert)
+ {
+ if(NULL == temp_opt.ca_file || NULL == temp_opt.crt_file || NULL == temp_opt.key_file)
+ {
+ LOGE("[%s] file [NULL]", __func__);
+ goto error;
+ }
+
+ //2.1-Load root certificate
+ ret = mbedtls_x509_crt_parse_file(temp_ssl_info.cacert, temp_opt.ca_file);
+ if(ret != 0)
+ {
+ LOGE("[%s] mbedtls_x509_crt_parse_file() CA fail.[-0x%x]", __func__, -ret);
+ goto error;
+ }
+
+ //2.2-Load the client public key
+ ret = mbedtls_x509_crt_parse_file(temp_ssl_info.clientcert, temp_opt.crt_file);
+ if(ret != 0)
+ {
+ LOGE("[%s] mbedtls_x509_crt_parse_file() CRT fail.[-0x%x]", __func__, -ret);
+ goto error;
+ }
+
+ //2.3-Load the client private key
+ ret = mbedtls_pk_parse_keyfile(temp_ssl_info.clientkey, temp_opt.key_file, NULL, mbedtls_ctr_drbg_random, temp_ssl_info.ctr_drbg);
+ if(ret != 0)
+ {
+ LOGE("[%s] mbedtls_pk_parse_keyfile() KEY fail.[-0x%x]", __func__, -ret);
+ goto error;
+ }
+ }
+
+ LOGD("[%s] Configure the SSL/TLS context...", __func__);
+ //3.Configure the SSL/TLS context
+ ret = mbedtls_ssl_config_defaults(temp_ssl_info.conf, temp_opt.type, temp_opt.transprot, temp_opt.preset);
+ if(ret != 0)
+ {
+ LOGE("[%s] mbedtls_ssl_config_defaults() fail.[-0x%x]", __func__, -ret);
+ goto error;
+ }
+
+ mbedtls_ssl_conf_authmode(temp_ssl_info.conf, temp_opt.auth_mode);
+ mbedtls_ssl_conf_ca_chain(temp_ssl_info.conf, temp_ssl_info.cacert, NULL);
+ if(temp_opt.load_cert)
+ {
+ ret = mbedtls_ssl_conf_own_cert(temp_ssl_info.conf, temp_ssl_info.clientcert, temp_ssl_info.clientkey);
+ if(ret != 0)
+ {
+ LOGE("[%s] mbedtls_ssl_conf_own_cert() fail.[-0x%x]", __func__, -ret);
+ goto error;
+ }
+ }
+
+ mbedtls_ssl_conf_rng(temp_ssl_info.conf, mbedtls_ctr_drbg_random, temp_ssl_info.ctr_drbg);
+ //mbedtls_ssl_conf_renegotiation(&conf, temp_opt.renegotiation);
+ mbedtls_ssl_conf_legacy_renegotiation(temp_ssl_info.conf, temp_opt.allow_legacy);
+ // TLS 1.2
+ mbedtls_ssl_conf_min_version(temp_ssl_info.conf, MBEDTLS_SSL_MAJOR_VERSION_3, temp_opt.min_version);
+ // TLS 1.3
+ mbedtls_ssl_conf_max_version(temp_ssl_info.conf, MBEDTLS_SSL_MAJOR_VERSION_3, temp_opt.max_version);
+
+ mbtk_profile.allowed_mds = temp_opt.allowed_mds;
+ mbedtls_ssl_conf_cert_profile(temp_ssl_info.conf, &mbtk_profile);
+
+ //4.Binding SSL configuration
+ ret = mbedtls_ssl_setup(temp_ssl_info.ssl, temp_ssl_info.conf);
+ if (ret != 0)
+ {
+ LOGE("[%s] mbedtls_ssl_setup() fail.[-0x%x]", __func__, -ret);
+ goto error;
+ }
+
+ mbedtls_ssl_set_bio(temp_ssl_info.ssl, &fd, mbedtls_net_send, mbedtls_net_recv, NULL);
+
+ LOGD("[%s] Performing the SSL/TLS handshake...", __func__);
+ //5.Shake hands
+ while((ret = mbedtls_ssl_handshake(temp_ssl_info.ssl)) != 0)
+ {
+ if(ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE)
+ {
+ LOGE("[%s] mbedtls_ssl_handshake() fail.[-0x%x]", __func__, -ret);
+ goto error;
+ }
+ }
+
+ LOGD("[%s] Handshake ok: Protocol[%s], Ciphersuite[%s]", __func__, mbedtls_ssl_get_version(temp_ssl_info.ssl), mbedtls_ssl_get_ciphersuite(temp_ssl_info.ssl));
+ //6.Verification certificate
+ flags = mbedtls_ssl_get_verify_result(temp_ssl_info.ssl);
+ if(flags != 0)
+ {
+ memset(verify_err, 0x00, MBTK_SSL_BUFFER_SIZE_1024 + 1);
+ mbedtls_x509_crt_verify_info(verify_err, MBTK_SSL_BUFFER_SIZE_1024, "[mbedtls_ssl_get_verify_result] ", flags);
+ LOGD("%s", verify_err);
+ if(temp_opt.auth_mode == MBTK_MBEDTLS_SSL_VERIFY_REQUIRED)
+ {
+ LOGE("[%s] mbedtls_ssl_get_verify_result() fail", __func__);
+ goto error;
+ }
+ }
+
+ if(mbedtls_ssl_get_peer_cert(temp_ssl_info.ssl) != NULL)
+ {
+ LOGD("[%s] Peer certificate information", __func__);
+ memset(cert_buff, 0x00, MBTK_SSL_BUFFER_SIZE_1024 + 1);
+ mbedtls_x509_crt_info(cert_buff, MBTK_SSL_BUFFER_SIZE_1024, "[mbedtls_ssl_get_verify_result] ", mbedtls_ssl_get_peer_cert(temp_ssl_info.ssl));
+ LOGD("%s", cert_buff);
+ }
+
+ temp_ssl_info.fd = fd;
+ memcpy(inter_info, &temp_ssl_info, sizeof(mbtk_mbedtls_ssl_info_s));
+
+ return MBTK_MBEDTLS_SSL_RESULT_SUCCESS;
+error:
+ mbedtls_ssl_close_notify(temp_ssl_info.ssl);
+ mbedtls_ssl_free(temp_ssl_info.ssl);
+ mbedtls_ssl_config_free(temp_ssl_info.conf);
+ mbedtls_ctr_drbg_free(temp_ssl_info.ctr_drbg);
+ mbedtls_entropy_free(temp_ssl_info.entropy);
+ mbedtls_pk_free(temp_ssl_info.clientkey);
+ mbedtls_x509_crt_free(temp_ssl_info.clientcert);
+ mbedtls_x509_crt_free(temp_ssl_info.cacert);
+
+ mbtk_mbedtls_ssl_info_free(&temp_ssl_info);
+ return MBTK_MBEDTLS_SSL_RESULT_FAIL;
+}
+
+mbtk_mbedtls_ssl_result_e mbtk_mbedtls_ssl_deinit(mbtk_mbedtls_ssl_info_s* inter_info)
+{
+ if(NULL == inter_info)
+ {
+ LOGE("[%s] inter_info [NULL]", __func__);
+ return MBTK_MBEDTLS_SSL_RESULT_FAIL;
+ }
+
+ int ret = -1;
+ char error_buf[MBTK_SSL_BUFFER_SIZE_128 + 1] = {0};
+
+ do {
+ ret = mbedtls_ssl_close_notify(inter_info->ssl);
+ } while (ret == MBEDTLS_ERR_SSL_WANT_READ || ret == MBEDTLS_ERR_SSL_WANT_WRITE);
+
+ if(ret != 0)
+ {
+ memset(error_buf, 0x00, MBTK_SSL_BUFFER_SIZE_128 + 1);
+ mbedtls_strerror(ret, error_buf, MBTK_SSL_BUFFER_SIZE_128);
+ LOGE("[%s] mbedtls_ssl_close_notify() fail.[%s]", __func__, error_buf);
+ }
+
+ mbedtls_ssl_close_notify(inter_info->ssl);
+ mbedtls_ssl_free(inter_info->ssl);
+ mbedtls_ssl_config_free(inter_info->conf);
+ mbedtls_ctr_drbg_free(inter_info->ctr_drbg);
+ mbedtls_entropy_free(inter_info->entropy);
+ mbedtls_pk_free(inter_info->clientkey);
+ mbedtls_x509_crt_free(inter_info->clientcert);
+ mbedtls_x509_crt_free(inter_info->cacert);
+ inter_info->fd = MBTK_SSL_INFO_FD_DEFAULT;
+
+ mbtk_mbedtls_ssl_info_free(inter_info);
+ return MBTK_MBEDTLS_SSL_RESULT_SUCCESS;
+}
+
+#endif
diff --git a/mbtk/libmbtk_lib/net/mbtk_openssl.c b/mbtk/libmbtk_lib/net/mbtk_openssl.c
new file mode 100755
index 0000000..ba1d932
--- /dev/null
+++ b/mbtk/libmbtk_lib/net/mbtk_openssl.c
@@ -0,0 +1,312 @@
+/*-----------------------------------------------------------------------------------------------*/
+/**
+ @file mbtk_openssl.c
+ @brief OPENSSL API
+*/
+/*-----------------------------------------------------------------------------------------------*/
+
+/*-------------------------------------------------------------------------------------------------
+ Copyright (c) 2024 mobiletek Wireless Solution, Co., Ltd. All Rights Reserved.
+ mobiletek Wireless Solution Proprietary and Confidential.
+-------------------------------------------------------------------------------------------------*/
+
+/*-------------------------------------------------------------------------------------------------
+ EDIT HISTORY
+ This section contains comments describing changes made to the file.
+ Notice that changes are listed in reverse chronological order.
+ $Header: $
+ when who what, where, why
+ -------- --------- -----------------------------------------------------------------
+ 20250410 yq.wang Created .
+-------------------------------------------------------------------------------------------------*/
+#ifdef MBTK_OPENSSL_V3_0_0_SUPPORT
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+#include <unistd.h>
+#include <sys/socket.h>
+
+#include <sys/select.h>
+#include <sys/time.h>
+
+#include "mbtk_openssl.h"
+#include "mbtk_log.h"
+
+#define MBTK_SSL_INFO_FD_DEFAULT -1
+
+X509 * SSL_get1_peer_certificate(SSL *ssl);
+
+static mbtk_openssl_result_e mbtk_openssl_wait_for_socket(int sockfd, bool is_read)
+{
+ int ret = -1;
+ fd_set fds;
+ struct timeval tv = {.tv_sec = 5, .tv_usec = 0}; // 5s timeout
+
+ FD_ZERO(&fds);
+ FD_SET(sockfd, &fds);
+ ret = select(sockfd + 1, is_read ? &fds : NULL, is_read ? NULL : &fds, NULL, &tv);
+ if (0 >= ret)
+ {
+ LOGE("[%s] select() fail.[%d]", __func__, ret);
+ return MBTK_OPENSSL_RESULT_FAIL;
+ }
+ return MBTK_OPENSSL_RESULT_SUCCESS;
+}
+
+mbtk_openssl_result_e mbtk_openssl_options_default(mbtk_openssl_options_s *opt)
+{
+ if(NULL == opt)
+ {
+ LOGE("[%s] opt [NULL]", __func__);
+ return MBTK_OPENSSL_RESULT_FAIL;
+ }
+
+ opt->load_cert = false;
+ opt->ca_file = NULL;
+ opt->crt_file = NULL;
+ opt->key_file = NULL;
+ opt->ssl_filetype = MBTK_OPENSSL_FILETYPE_PEM;
+ opt->verify_mode = MBTK_OPENSSL_VERIFY_PEER;
+ opt->verify_cb = NULL;
+ opt->init_opts = MBTK_OPENSSL_INIT_LOAD_SSL_STRINGS | MBTK_OPENSSL_INIT_LOAD_CRYPTO_STRINGS \
+ | MBTK_OPENSSL_INIT_ADD_ALL_CIPHERS | MBTK_OPENSSL_INIT_ADD_ALL_DIGESTS;
+ opt->safety_level = MBTK_OPENSSL_SAFETY_LEVEL_2;
+
+ return MBTK_OPENSSL_RESULT_SUCCESS;
+}
+
+int mbtk_openssl_write(SSL *ssl, const void *buf, int len)
+{
+ return SSL_write(ssl, buf, len);
+}
+
+int mbtk_openssl_read(SSL *ssl, void *buf, int len)
+{
+ return SSL_read(ssl, buf, len);
+}
+
+mbtk_openssl_result_e mbtk_openssl_init(int fd, mbtk_openssl_options_s *opt, mbtk_openssl_info_s *inter_info)
+{
+ int ret = -1;
+ int ssl_error = -1;
+ long verify_res = -1;
+ char *line = NULL;
+ X509 *cert = NULL;
+ mbtk_openssl_result_e mbtk_ssl_ret = MBTK_OPENSSL_RESULT_SUCCESS;
+ const SSL_METHOD *method = NULL;
+ mbtk_openssl_info_s temp_inter_info = {0};
+ mbtk_openssl_options_s temp_opt = {0};
+
+ if(NULL == inter_info)
+ {
+ LOGE("[%s] inter_info [NULL]", __func__);
+ return MBTK_OPENSSL_RESULT_FAIL;
+ }
+
+ if(NULL == opt)
+ {
+ mbtk_openssl_options_default(&temp_opt);
+ }
+ else
+ {
+ memset(&temp_opt, 0x00, sizeof(mbtk_openssl_options_s));
+ memcpy(&temp_opt, opt, sizeof(mbtk_openssl_options_s));
+ }
+
+ //1.Initializes the OPENSSL library
+ OPENSSL_init_ssl(temp_opt.init_opts, NULL);
+
+ memset(&temp_inter_info, 0x00, sizeof(mbtk_openssl_info_s));
+ //2.Create an SSL/TLS context object
+ method = TLS_client_method();
+ temp_inter_info.ctx = SSL_CTX_new(method);
+ if(NULL == temp_inter_info.ctx)
+ {
+ LOGE("[%s] SSL_CTX_new() fail", __func__);
+ goto error;
+ }
+
+ //3.Load certificate
+ if(temp_opt.load_cert)
+ {
+ //3.1-Set the certificate security level
+ SSL_CTX_set_security_level(temp_inter_info.ctx, temp_opt.safety_level);
+
+ //3.2-Loading a CA Certificate
+ if(NULL != temp_opt.ca_file)
+ {
+ ret = SSL_CTX_load_verify_locations(temp_inter_info.ctx, temp_opt.ca_file, NULL);
+ if(1 != ret)
+ {
+ LOGE("[%s] SSL_CTX_load_verify_locations() fail.[%d]", __func__, ret);
+ goto error;
+ }
+ }
+
+ //3.3-Load the client public key
+ if(NULL != temp_opt.crt_file)
+ {
+ ret = SSL_CTX_use_certificate_file(temp_inter_info.ctx, temp_opt.crt_file, temp_opt.ssl_filetype);
+ if(1 != ret)
+ {
+ LOGE("[%s] SSL_CTX_use_certificate_file() fail.[%d]", __func__, ret);
+ goto error;
+ }
+ }
+
+ //3.4-Load the client private key
+ if(NULL != temp_opt.key_file)
+ {
+ ret = SSL_CTX_use_PrivateKey_file(temp_inter_info.ctx, temp_opt.key_file, temp_opt.ssl_filetype);
+ if(1 != ret)
+ {
+ LOGE("[%s] SSL_CTX_use_PrivateKey_file() fail.[%d]", __func__, ret);
+ goto error;
+ }
+ }
+
+ //3.5-Verify the private key matching certificate
+ ret = SSL_CTX_check_private_key(temp_inter_info.ctx);
+ if (1 != ret)
+ {
+ LOGE("[%s] SSL_CTX_check_private_key() fail.[%d]", __func__, ret);
+ goto error;
+ }
+
+ //3.6-Set verification mode
+ SSL_CTX_set_verify(temp_inter_info.ctx, temp_opt.verify_mode, temp_opt.verify_cb);
+ }
+
+ //4.Creates and initializes a new SSL/TLS session object
+ temp_inter_info.ssl = SSL_new(temp_inter_info.ctx);
+ if(NULL == temp_inter_info.ssl)
+ {
+ LOGE("[%s] SSL_new() fail", __func__);
+ goto error;
+ }
+ SSL_set_fd(temp_inter_info.ssl, fd);
+
+ LOGD("[%s] Performing the SSL/TLS handshake...", __func__);
+ //5.Executive handshake
+ //SSL_set_connect_state(temp_inter_info.ssl);
+ while((ret = SSL_connect(temp_inter_info.ssl)) <= 0)
+ {
+ ssl_error = SSL_get_error(temp_inter_info.ssl, ret);
+ if(ssl_error == SSL_ERROR_WANT_READ)
+ {
+ mbtk_ssl_ret = mbtk_openssl_wait_for_socket(fd, true);
+ if(MBTK_OPENSSL_RESULT_SUCCESS != mbtk_ssl_ret)
+ {
+ LOGE("[%s] mbtk_openssl_wait_for_socket() fail", __func__);
+ goto error;
+ }
+ }
+ else if(ssl_error == SSL_ERROR_WANT_WRITE)
+ {
+ mbtk_ssl_ret = mbtk_openssl_wait_for_socket(fd, false);
+ if(MBTK_OPENSSL_RESULT_SUCCESS != mbtk_ssl_ret)
+ {
+ LOGE("[%s] mbtk_openssl_wait_for_socket() fail", __func__);
+ goto error;
+ }
+ }
+ else
+ {
+ LOGE("[%s] SSL_connect() fail.[%d]", __func__, ssl_error);
+ goto error;
+ }
+ }
+
+ LOGD("[%s] SSL connect ok: Protocol[%s], Ciphersuite[%s]", __func__, SSL_get_version(temp_inter_info.ssl), SSL_get_cipher_name(temp_inter_info.ssl));
+
+ //6.Verification certificate
+ if(temp_opt.load_cert)
+ {
+ cert = SSL_get1_peer_certificate(temp_inter_info.ssl);
+ if(NULL != cert)
+ {
+ verify_res = SSL_get_verify_result(temp_inter_info.ssl);
+ if(X509_V_OK != verify_res)
+ {
+ LOGE("[%s] SSL_get_verify_result() fail.[%s]", __func__, X509_verify_cert_error_string(verify_res));
+ goto error;
+ }
+
+ LOGD("[%s] Digital certificate information:", __func__);
+
+ line = X509_NAME_oneline(X509_get_subject_name(cert), 0, 0);
+ LOGD("[%s] certificate: [%s]", __func__, line);
+ free(line);
+ line = NULL;
+
+ line = X509_NAME_oneline(X509_get_issuer_name(cert), 0, 0);
+ LOGD("[%s] issuer: [%s]", __func__, line);
+ free(line);
+ line = NULL;
+
+ X509_free(cert);
+ cert = NULL;
+ }
+ else
+ {
+ LOGD("[%s] No server certificate received", __func__);
+ if(temp_opt.verify_mode != MBTK_OPENSSL_VERIFY_NONE)
+ {
+ LOGE("[%s] Verification fail", __func__);
+ goto error;
+ }
+ }
+ }
+
+ temp_inter_info.fd = fd;
+ memcpy(inter_info, &temp_inter_info, sizeof(mbtk_openssl_info_s));
+
+ return MBTK_OPENSSL_RESULT_SUCCESS;
+error:
+ if(NULL != cert)
+ {
+ X509_free(cert);
+ cert = NULL;
+ }
+ if(NULL != temp_inter_info.ssl)
+ {
+ SSL_shutdown(temp_inter_info.ssl);
+ SSL_free(temp_inter_info.ssl);
+ temp_inter_info.ssl = NULL;
+ }
+
+ if(NULL != temp_inter_info.ctx)
+ {
+ SSL_CTX_free(temp_inter_info.ctx);
+ temp_inter_info.ctx = NULL;
+ }
+
+ return MBTK_OPENSSL_RESULT_FAIL;
+}
+
+mbtk_openssl_result_e mbtk_openssl_deinit(mbtk_openssl_info_s *inter_info)
+{
+ if(NULL == inter_info)
+ {
+ LOGE("[%s] inter_info [NULL]", __func__);
+ return MBTK_OPENSSL_RESULT_FAIL;
+ }
+
+ if(NULL != inter_info->ssl)
+ {
+ SSL_shutdown(inter_info->ssl);
+ SSL_free(inter_info->ssl);
+ inter_info->ssl = NULL;
+ }
+
+ if(NULL != inter_info->ctx)
+ {
+ SSL_CTX_free(inter_info->ctx);
+ inter_info->ctx = NULL;
+ }
+
+ inter_info->fd = MBTK_SSL_INFO_FD_DEFAULT;
+ return MBTK_OPENSSL_RESULT_SUCCESS;
+}
+
+#endif
diff --git a/mbtk/libmbtk_lib/net/mbtk_sock2.c b/mbtk/libmbtk_lib/net/mbtk_sock2.c
index 6d2c7fb..a5eb174 100755
--- a/mbtk/libmbtk_lib/net/mbtk_sock2.c
+++ b/mbtk/libmbtk_lib/net/mbtk_sock2.c
@@ -11,33 +11,6 @@
#include <fcntl.h>
#include <netdb.h>
#include <pthread.h>
-
-#ifdef MBTK_SSL_SUPPORT
-#ifdef MBTK_POLARSSL_SUPPORT
-#include <polarssl/net.h>
-#include <polarssl/ssl.h>
-#include <polarssl/entropy.h>
-#include <polarssl/ctr_drbg.h>
-#include <polarssl/certs.h>
-#include <polarssl/x509.h>
-#include <polarssl/error.h>
-#include <polarssl/debug.h>
-#include <polarssl/config.h>
-#else
-#include <resolv.h>
-#include <openssl/ssl.h>
-#include <openssl/err.h>
-
-//#define SSL_VERIFY_PEER 0x01
-//#define SSL_FILETYPE_PEM 0x01
-//#define SSL_VERIFY_FAIL_IF_NO_PEER_CERT 0x02
-
-#define DFL_CA_FILE "/ca.crt"
-#define DFL_CRT_FILE "/client.crt"
-#define DFL_KEY_FILE "/client.key"
-#endif
-#endif
-
#include <sys/ioctl.h>
#ifdef LOG_TAG
@@ -51,6 +24,10 @@
#include "mbtk_str.h"
//#include "mbtk_openssl.h"
+#define DFL_CA_FILE "/ca.crt"
+#define DFL_CRT_FILE "/client.crt"
+#define DFL_KEY_FILE "/client.key"
+
#define SA struct sockaddr
// Must define LOG_TAG in the first.
@@ -248,6 +225,39 @@
}
}
+#ifdef MBTK_OPENSSL_V3_0_0_SUPPORT
+static int mbtk_sock_openssl_init(int fd, bool ingnore_cert, mbtk_openssl_info_s *inter_info)
+{
+ if(NULL == inter_info)
+ {
+ LOGE("[%s] inter_info [NULL]", __func__);
+ return -1;
+ }
+
+ mbtk_openssl_result_e mbtk_ssl_ret = MBTK_OPENSSL_RESULT_SUCCESS;
+ mbtk_openssl_options_s opt = {0};
+
+ mbtk_openssl_options_default(&opt);
+ if(!ingnore_cert)
+ {
+ opt.load_cert = true;
+ opt.ca_file = DFL_CA_FILE;
+ opt.crt_file = DFL_CRT_FILE;
+ opt.key_file = DFL_KEY_FILE;
+ opt.safety_level = MBTK_OPENSSL_SAFETY_LEVEL_0;
+ }
+
+ mbtk_ssl_ret = mbtk_openssl_init(fd, &opt, inter_info);
+ if(MBTK_OPENSSL_RESULT_SUCCESS != mbtk_ssl_ret)
+ {
+ LOGE("[%s] mbtk_openssl_init() fail", __func__);
+ return -1;
+ }
+
+ return 0;
+}
+#endif
+
extern mbtk_sock_handle mbtk_sock_init(mbtk_init_info *info)
{
mbtk_sock_handle handle = 0;
@@ -294,376 +304,6 @@
return handle;
}
-#ifdef MBTK_SSL_SUPPORT
-#ifdef MBTK_POLARSSL_SUPPORT
-static int mbtk_polarssl_open(int fd ,bool ingnore_cert,mbtk_sock_inter_info_s* inter_info)
-{
- LOGE("8\n");
- int ret = 0, len, tail_len, i, written, frags;
- unsigned char buf[SSL_MAX_CONTENT_LEN + 1];
- const char *pers = "ssl_client";
- opt.server_name = DFL_SERVER_NAME;
- opt.server_addr = DFL_SERVER_ADDR;
- opt.server_port = DFL_SERVER_PORT;
- opt.debug_level = DFL_DEBUG_LEVEL;
- opt.nbio = DFL_NBIO;
- opt.request_page = DFL_REQUEST_PAGE;
- opt.request_size = DFL_REQUEST_SIZE;
- opt.ca_file = DFL_CA_FILE;
- opt.ca_path = DFL_CA_PATH;
- opt.crt_file = DFL_CRT_FILE;
- opt.key_file = DFL_KEY_FILE;
- opt.psk = DFL_PSK;
- opt.psk_identity = DFL_PSK_IDENTITY;
- opt.force_ciphersuite[0]= DFL_FORCE_CIPHER;
- opt.renegotiation = DFL_RENEGOTIATION;
- opt.allow_legacy = DFL_ALLOW_LEGACY;
- opt.renegotiate = DFL_RENEGOTIATE;
- opt.exchanges = DFL_EXCHANGES;
- opt.min_version = DFL_MIN_VERSION;
- opt.max_version = DFL_MAX_VERSION;
- opt.auth_mode = DFL_AUTH_MODE;
- opt.mfl_code = DFL_MFL_CODE;
- opt.trunc_hmac = DFL_TRUNC_HMAC;
- opt.reconnect = DFL_RECONNECT;
- opt.reco_delay = DFL_RECO_DELAY;
- opt.tickets = DFL_TICKETS;
- opt.alpn_string = DFL_ALPN_STRING;
-
- entropy_context entropy;
- ctr_drbg_context ctr_drbg;
- ssl_context ssl;
- ssl_session saved_session;
- x509_crt cacert;
- x509_crt clicert;
- pk_context pkey;
-
- memset( &ssl, 0, sizeof( ssl_context ) );
- memset( &saved_session, 0, sizeof( ssl_session ) );
- x509_crt_init( &cacert );
- x509_crt_init( &clicert );
- pk_init( &pkey );
- LOGE("9\n");
- /*
- * 0. Initialize the RNG and the session data
- */
-
- entropy_init( &entropy );
- if( ( ret = ctr_drbg_init( &ctr_drbg, entropy_func, &entropy,
- (const unsigned char *) pers,
- strlen( pers ) ) ) != 0 )
- {
- LOGE( " failed\n ! ctr_drbg_init returned -0x%x\n", -ret );
- return -1;
- }
- if(!ingnore_cert)
- {
- LOGE("10\n");
- /*
- * 1.1. Load the trusted CA
- */
- //ret = x509_crt_parse(&cacert,ca1_cert,strlen(ca1_cert));
- ret = x509_crt_parse_file( &cacert, opt.ca_path );
- if( ret < 0 )
- {
- LOGE( " failed\n ! ca x509_crt_parse returned -0x%x\n\n", -ret );
- return -1;
- }
-
- /*
- * 1.2. Load own certificate and private key
- *
- * (can be skipped if client authentication is not required)
- */
-
- ret = x509_crt_parse_file( &clicert, opt.crt_file );
- if( ret != 0 )
- {
- LOGE( " failed\n ! crt x509_crt_parse returned -0x%x\n\n", -ret );
- return -1;
- }
-
- ret = pk_parse_keyfile( &pkey, opt.key_file, NULL);
- if( ret != 0 )
- {
- LOGE( " failed\n ! key x509_crt_parse returned -0x%x\n\n", -ret );
- return -1;
- }
- }
- /*
- * 2. Setup stuff
- */
- LOGE( " . Setting up the SSL/TLS structure..." );
-
- if( ( ret = ssl_init( &ssl ) ) != 0 )
- {
- LOGE( " failed\n ! ssl_init returned -0x%x\n\n", -ret );
- return -1;
- }
-
- ssl_set_endpoint( &ssl, SSL_IS_CLIENT );
- if(ingnore_cert)
- {
- opt.auth_mode = SSL_VERIFY_OPTIONAL;
- }
- else
- {
- opt.auth_mode = SSL_VERIFY_REQUIRED;
- }
-
- ssl_set_authmode( &ssl, opt.auth_mode );
-
- ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );
-
- ssl_set_bio( &ssl, net_recv, &fd, net_send, &fd );
-
- ssl_set_renegotiation( &ssl, opt.renegotiation );
- ssl_legacy_renegotiation( &ssl, opt.allow_legacy );
-
- ssl_set_ca_chain( &ssl, &cacert, NULL, NULL );
- if(!ingnore_cert)
- {
- if( ( ret = ssl_set_own_cert( &ssl, &clicert, &pkey ) ) != 0 )
- {
- LOGE( " failed\n ! ssl_set_own_cert returned %d\n\n", ret );
- return -1;
- }
- }
- if( opt.min_version != -1 )
- ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, opt.min_version );
- if( opt.max_version != -1 )
- ssl_set_max_version( &ssl, SSL_MAJOR_VERSION_3, opt.max_version );
- /*
- * 3. Handshake
- */
- LOGE( " . Performing the SSL/TLS handshake..." );
-
- while( ( ret = ssl_handshake( &ssl ) ) != 0 )
- {
- if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
- {
- LOGE( " failed\n ! ssl_handshake returned -0x%x\n", -ret );
- if( ret == POLARSSL_ERR_X509_CERT_VERIFY_FAILED )
- LOGE(
- " Unable to verify the server's certificate. "
- "Either it is invalid,\n"
- " or you didn't set ca_file or ca_path "
- "to an appropriate value.\n"
- " Alternatively, you may want to use "
- "auth_mode=optional for testing purposes.\n" );
- LOGE( "\n" );
- return -1;;
- }
- }
-
- LOGE( " ok\n [ Protocol is %s ]\n [ Ciphersuite is %s ]\n",ssl_get_version( &ssl ), ssl_get_ciphersuite( &ssl ) );
- printf( " ok\n [ Protocol is %s ]\n [ Ciphersuite is %s ]\n",ssl_get_version( &ssl ), ssl_get_ciphersuite( &ssl ) );
-
- /*
- * 4. Verify the server certificate
- */
- LOGE( " . Verifying peer X.509 certificate..." );
-
- if( ( ret = ssl_get_verify_result( &ssl ) ) != 0 )
- {
- LOGE( " failed\n" );
-
- if( ( ret & BADCERT_EXPIRED ) != 0 )
- LOGE( " ! server certificate has expired\n" );
-
- if( ( ret & BADCERT_REVOKED ) != 0 )
- LOGE( " ! server certificate has been revoked\n" );
-
- if( ( ret & BADCERT_CN_MISMATCH ) != 0 )
- LOGE( " ! CN mismatch (expected CN=%s)\n", opt.server_name );
-
- if( ( ret & BADCERT_NOT_TRUSTED ) != 0 )
- LOGE( " ! self-signed or not signed by a trusted CA\n" );
-
- }
-
- if( ssl_get_peer_cert( &ssl ) != NULL )
- {
- LOGE( " . Peer certificate information ...\n" );
- x509_crt_info( (char *) buf, sizeof( buf ) - 1, " ",
- ssl_get_peer_cert( &ssl ) );
- LOGE( "%s\n", buf );
- }
-
- inter_info->cacert = &cacert;
- inter_info->clicert = &clicert;
- inter_info->ctr_drbg = &ctr_drbg;
- inter_info->entropy = &entropy;
- inter_info->pkey = &pkey;
- inter_info->saved_session = &saved_session;
- inter_info->ssl = &ssl;
-
- return 0;
-}
-
-static int mbtk_polarssl_close(mbtk_sock_inter_info_s *inter_info)
-{
- if (inter_info == NULL)
- {
- return -1;
- }
-
- int ret = -1;
- while( ( ret = ssl_close_notify( inter_info->ssl ) ) < 0 )
- {
- if( ret == POLARSSL_ERR_NET_CONN_RESET )
- {
- LOGE( " ok (already closed by peer)\n" );
- ret = 0;
- return -1;
- }
-
- if( ret != POLARSSL_ERR_NET_WANT_READ &&
- ret != POLARSSL_ERR_NET_WANT_WRITE )
- {
- LOGE( " failed\n ! ssl_close_notify returned %d\n\n", ret );
- return -1;
- }
- }
-
- x509_crt_free( inter_info->clicert );
- x509_crt_free( inter_info->cacert );
- pk_free( inter_info->pkey );
- ssl_session_free( inter_info->saved_session );
- ssl_free( inter_info->ssl );
- ctr_drbg_free( inter_info->ctr_drbg );
- entropy_free( inter_info->entropy );
- return 0;
-}
-
-static int mbtk_polarssl_write( ssl_context *ssl, const unsigned char *buf, size_t len )
-{
- return ssl_write(ssl, buf, len);
-}
-
-static int mbtk_polarssl_read( ssl_context *ssl, unsigned char *buf, size_t len )
-{
- return ssl_read(ssl, buf, len);
-}
-
-#else
-
-void ShowCerts(SSL * ssl)
-{
- X509 *cert;
- char *line;
-
- cert = SSL_get_peer_certificate(ssl);
- // SSL_get_verify_result()是重点,SSL_CTX_set_verify()只是配置启不启用并没有执行认证,调用该函数才会真证进行证书认证
- // 如果验证不通过,那么程序抛出异常中止连接
- if(SSL_get_verify_result(ssl) == X509_V_OK){
- printf("证书验证通过\n");
- }
- if (cert != NULL) {
- printf("数字证书信息:\n");
- line = X509_NAME_oneline(X509_get_subject_name(cert), 0, 0);
- printf("证书: %s\n", line);
- free(line);
- line = X509_NAME_oneline(X509_get_issuer_name(cert), 0, 0);
- printf("颁发者: %s\n", line);
- free(line);
- X509_free(cert);
- } else
- printf("无证书信息!\n");
-}
-
-static int mbtk_openssl_open(int fd ,bool ingnore_cert,mbtk_sock_inter_info_s* inter_info)
-{
- SSL_CTX *ctx;
- SSL *ssl;
-
- /* SSL 库初始化,参看 ssl-server.c 代码 */
- SSL_library_init();
- OpenSSL_add_all_algorithms();
- SSL_load_error_strings();
- ctx = SSL_CTX_new(SSLv23_client_method());
- if (ctx == NULL) {
- ERR_print_errors_fp(stdout);
- return -1;
- }
-
- if(!ingnore_cert)
- {
- // 双向验证
- // SSL_VERIFY_PEER---要求对证书进行认证,没有证书也会放行
- // SSL_VERIFY_FAIL_IF_NO_PEER_CERT---要求客户端需要提供证书,但验证发现单独使用没有证书也会放行
- SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
- // 设置信任根证书
- if (SSL_CTX_load_verify_locations(ctx, "/ca.crt",NULL)<=0){
- ERR_print_errors_fp(stdout);
- printf("fail SSL_CTX_load_verify_locations()\n");
- return -1;
- }
-
- /* 载入用户的数字证书, 此证书用来发送给客户端。 证书里包含有公钥 */
- if (SSL_CTX_use_certificate_file(ctx, DFL_CRT_FILE, SSL_FILETYPE_PEM) <= 0) {
- ERR_print_errors_fp(stdout);
- printf("fail SSL_CTX_use_certificate_file()\n");
- return -1;
- }
- /* 载入用户私钥 */
- if (SSL_CTX_use_PrivateKey_file(ctx, DFL_KEY_FILE, SSL_FILETYPE_PEM) <= 0) {
- ERR_print_errors_fp(stdout);
- printf("fail SSL_CTX_use_PrivateKey_file()\n");
- return -1;
- }
- /* 检查用户私钥是否正确 */
- if (!SSL_CTX_check_private_key(ctx)) {
- ERR_print_errors_fp(stdout);
- printf("fail SSL_CTX_check_private_key()\n");
- return -1;
- }
-
- }
-
- /* 基于 ctx 产生一个新的 SSL */
- ssl = SSL_new(ctx);
- SSL_set_fd(ssl, fd);
- /* 建立 SSL 连接 */
- if (SSL_connect(ssl) == -1)
- ERR_print_errors_fp(stderr);
- else {
- printf("Connected with %s encryption\n", SSL_get_cipher(ssl));
- if(!ingnore_cert)
- {
- ShowCerts(ssl);
- }
- }
-
- inter_info->ctx = ctx;
-
- inter_info->ssl = ssl;
-
- return 0;
-}
-
-static int mbtk_openssl_close(mbtk_sock_inter_info_s *inter_info)
-{
- SSL_shutdown(inter_info->ssl);
- SSL_free(inter_info->ssl);
-// close(sockfd);
- SSL_CTX_free(inter_info->ctx);
- return 0;
-}
-
-static int mbtk_openssl_write( SSL *ssl, const unsigned char *buf, size_t len )
-{
- return SSL_write(ssl, buf, len);
-}
-
-static int mbtk_openssl_read( SSL *ssl, unsigned char *buf, size_t len )
-{
- return SSL_read(ssl, buf, len);
-}
-
-#endif
-#endif
-
extern mbtk_sock_session mbtk_sock_open(mbtk_sock_handle handle,mbtk_sock_info *info,
unsigned int timeout,
int *mbtk_errno)
@@ -855,21 +495,16 @@
}
#endif
if(info->is_support_ssl){
-#ifdef MBTK_SSL_SUPPORT
-#ifdef MBTK_POLARSSL_SUPPORT
- if(mbtk_polarssl_open(mbtk_sock[handle]->inter_infos[index_free].fd,info->ingnore_cert,&mbtk_sock[handle]->inter_infos[index_free]) == -1){
- LOGE("mbtk_openssl_init fail");
- goto result_fail_with_close;
- }
-#else
- if(mbtk_openssl_open(mbtk_sock[handle]->inter_infos[index_free].fd,info->ingnore_cert,&mbtk_sock[handle]->inter_infos[index_free]) == -1){
- LOGE("mbtk_openssl_init fail");
+#ifdef MBTK_OPENSSL_V3_0_0_SUPPORT
+ int ret = mbtk_sock_openssl_init(mbtk_sock[handle]->inter_infos[index_free].fd, info->ingnore_cert, &mbtk_sock[handle]->inter_infos[index_free].ssl_info);
+ if(0 != ret){
+ LOGE("mbtk_sock_openssl_init() fail");
goto result_fail_with_close;
}
-
-
-#endif
-
+ mbtk_sock[handle]->inter_infos[index_free].fd = mbtk_sock[handle]->inter_infos[index_free].ssl_info.fd;
+#else
+ LOGE("openssl nonsupport");
+ goto result_fail_with_close;
#endif
}
@@ -878,6 +513,10 @@
mbtk_sock[handle]->sock_num++;
return mbtk_sock[handle]->inter_infos[index_free].fd;
result_fail_with_close:
+#ifdef MBTK_OPENSSL_V3_0_0_SUPPORT
+ mbtk_openssl_deinit(&mbtk_sock[handle]->inter_infos[index_free].ssl_info);
+#endif
+
close(mbtk_sock[handle]->inter_infos[index_free].fd);
mbtk_sock[handle]->inter_infos[index_free].fd = -1;
result_fail:
@@ -899,16 +538,21 @@
break;
}
}
-#ifdef MBTK_SSL_SUPPORT
-#ifdef MBTK_POLARSSL_SUPPORT
- return mbtk_polarssl_open(mbtk_sock[handle]->inter_infos[index_free].fd,ingnore_cert,&mbtk_sock[handle]->inter_infos[index_free]);
+
+#ifdef MBTK_OPENSSL_V3_0_0_SUPPORT
+ int ret = mbtk_sock_openssl_init(mbtk_sock[handle]->inter_infos[index_free].fd, ingnore_cert, &mbtk_sock[handle]->inter_infos[index_free].ssl_info);
+ if(0 != ret){
+ LOGE("mbtk_sock_openssl_init() fail");
+ return -1;
+ }
+ mbtk_sock[handle]->inter_infos[index_free].fd = mbtk_sock[handle]->inter_infos[index_free].ssl_info.fd;
+ return 0;
#else
- return mbtk_openssl_open(mbtk_sock[handle]->inter_infos[index_free].fd,ingnore_cert,&mbtk_sock[handle]->inter_infos[index_free]);
-#endif
-#else
+ LOGE("openssl support");
return -1;
#endif
}
+
extern int mbtk_ssl_close_func(mbtk_sock_handle handle ,bool ingnore_cert,mbtk_sock_session fd)
{
int i=0;
@@ -922,18 +566,12 @@
break;
}
}
-#ifdef MBTK_SSL_SUPPORT
-#ifdef MBTK_POLARSSL_SUPPORT
- if(mbtk_sock[handle]->inter_infos[index_free].ssl!=NULL)
- printf("\nmbtk_sock[handle]->inter_infos[index_free].ssl not empty\n");
- return mbtk_polarssl_close(&mbtk_sock[handle]->inter_infos[index_free]);
+
+#ifdef MBTK_OPENSSL_V3_0_0_SUPPORT
+ mbtk_openssl_deinit(&mbtk_sock[handle]->inter_infos[index_free].ssl_info);
+ return 0;
#else
- if(mbtk_sock[handle]->inter_infos[index_free].ssl!=NULL)
- printf("\nmbtk_sock[handle]->inter_infos[index_free].ssl not empty\n");
- return mbtk_openssl_close(&mbtk_sock[handle]->inter_infos[index_free]);
-#endif
-
-#else
+ LOGE("openssl nonsupport");
return -1;
#endif
}
@@ -983,16 +621,11 @@
if(mbtk_sock[handle]->infos[index].type == MBTK_SOCK_TCP) {
while(count < buf_len){
if(mbtk_sock[handle]->infos[index].is_support_ssl) {
-#ifdef MBTK_SSL_SUPPORT
-#ifdef MBTK_POLARSSL_SUPPORT
- len = mbtk_polarssl_write(inter_info->ssl,(const unsigned char*)buffer + count,buf_len - count);
+#ifdef MBTK_OPENSSL_V3_0_0_SUPPORT
+ len = mbtk_openssl_write(inter_info->ssl_info.ssl,(const unsigned char *)buffer + count,buf_len - count);
#else
- len = mbtk_openssl_write(inter_info->ssl,(const unsigned char *)buffer + count,buf_len - count);
-
-#endif
-
-#else
- return -1;
+ LOGE("openssl nonsupport");
+ return -1;
#endif
} else
len = write(inter_info->fd,(char*)buffer + count,buf_len - count);
@@ -1097,15 +730,11 @@
while(count < buf_len){
try_count++;
if(mbtk_sock[handle]->infos[index].is_support_ssl) {
-#ifdef MBTK_SSL_SUPPORT
-#ifdef MBTK_POLARSSL_SUPPORT
- len = mbtk_polarssl_read(inter_info->ssl,(unsigned char*)buffer + count,buf_len - count);
+#ifdef MBTK_OPENSSL_V3_0_0_SUPPORT
+ len = mbtk_openssl_read(inter_info->ssl_info.ssl,(unsigned char *)buffer + count,buf_len - count);
#else
- len = mbtk_openssl_read(inter_info->ssl,(unsigned char *)buffer + count,buf_len - count);
-
-#endif
-#else
- return -1;
+ LOGE("openssl nonsupport");
+ return -1;
#endif
} else
len = read(inter_info->fd,(char*)buffer + count,buf_len - count);
@@ -1277,13 +906,10 @@
while(count < buf_len){
try_count++;
if(mbtk_sock[handle]->infos[index].is_support_ssl) {
-#ifdef MBTK_SSL_SUPPORT
-#ifdef MBTK_POLARSSL_SUPPORT
- len = mbtk_polarssl_read(inter_info->ssl,(unsigned char*)buffer + count,buf_len - count);
+#ifdef MBTK_OPENSSL_V3_0_0_SUPPORT
+ len = mbtk_openssl_read(inter_info->ssl_info.ssl,(unsigned char*)buffer + count,buf_len - count);
#else
- len = mbtk_openssl_read(inter_info->ssl,(unsigned char*)buffer + count,buf_len - count);
-#endif
-#else
+ LOGE("openssl nonsupport");
return -1;
#endif
} else
@@ -1457,14 +1083,10 @@
memset(buffer,0x0,buf_len);
while(read_count < buf_len) {
if(mbtk_sock[handle]->infos[index].is_support_ssl) {
-#ifdef MBTK_SSL_SUPPORT
-#ifdef MBTK_POLARSSL_SUPPORT
- len = ssl_read(inter_info->ssl,(unsigned char*)buffer + read_count,buf_len - read_count);
+#ifdef MBTK_OPENSSL_V3_0_0_SUPPORT
+ len = mbtk_openssl_read(inter_info->ssl_info.ssl,(unsigned char*)buffer + read_count,buf_len - read_count);
#else
- len = mbtk_openssl_read(inter_info->ssl,(unsigned char*)buffer + read_count,buf_len - read_count);
-
-#endif
-#else
+ LOGE("openssl nonsupport");
return -1;
#endif
} else
@@ -1552,14 +1174,10 @@
TCP_READ_AGAIN:
memset(buffer,0x0,buf_len);
if(mbtk_sock[handle]->infos[index].is_support_ssl) {
-#ifdef MBTK_SSL_SUPPORT
-#ifdef MBTK_POLARSSL_SUPPORT
- len = ssl_read(inter_info->ssl,(unsigned char*)buffer,buf_len);
+#ifdef MBTK_OPENSSL_V3_0_0_SUPPORT
+ len = mbtk_openssl_read(inter_info->ssl_info.ssl,(unsigned char*)buffer,buf_len);
#else
- len = mbtk_openssl_read(inter_info->ssl,(unsigned char*)buffer,buf_len);
-
-#endif
-#else
+ LOGE("openssl nonsupport");
return -1;
#endif
} else
@@ -1655,21 +1273,8 @@
}
if(mbtk_sock[handle]->infos[index].is_support_ssl){
-#ifdef MBTK_SSL_SUPPORT
-#ifdef MBTK_POLARSSL_SUPPORT
- if(mbtk_polarssl_close(inter_info)== -1)
- {
- LOGE("close ssl fail");
- return -1;
- }
-#else
- if(mbtk_openssl_close(inter_info)== -1)
- {
- LOGE("close ssl fail");
- return -1;
- }
-
-#endif
+#ifdef MBTK_OPENSSL_V3_0_0_SUPPORT
+ mbtk_openssl_deinit(&inter_info->ssl_info);
#endif
}
diff --git a/mbtk/libmbtk_lib/net/mbtk_sock_internal.h b/mbtk/libmbtk_lib/net/mbtk_sock_internal.h
index a6a6241..f7f1e71 100755
--- a/mbtk/libmbtk_lib/net/mbtk_sock_internal.h
+++ b/mbtk/libmbtk_lib/net/mbtk_sock_internal.h
@@ -1,7 +1,10 @@
#ifndef MBTK_SOCK_INTERNAL_INCLUDE
#define MBTK_SOCK_INTERNAL_INCLUDE
#include "mbtk_sock2.h"
-//#include <openssl/ssl.h>
+
+#ifdef MBTK_OPENSSL_V3_0_0_SUPPORT
+#include "mbtk_openssl.h"
+#endif
#define MBTK_HANDLE_MAX_NUM 5
#define MBTK_SOCK_MAX_NUM 10
@@ -9,19 +12,8 @@
typedef struct {
int fd;
mbtk_sock_type type; // socket type:TCP or UDP
-#ifdef MBTK_SSL_SUPPORT
-#ifdef MBTK_POLARSSL_SUPPORT
- entropy_context* entropy;
- ctr_drbg_context* ctr_drbg;
- ssl_context *ssl;
- ssl_session *saved_session;
- x509_crt *cacert;
- x509_crt *clicert;
- pk_context* pkey;
-#else
- SSL_CTX *ctx;
- SSL *ssl;
-#endif
+#ifdef MBTK_OPENSSL_V3_0_0_SUPPORT
+ mbtk_openssl_info_s ssl_info;
#endif
} mbtk_sock_inter_info_s;
@@ -31,36 +23,5 @@
mbtk_sock_inter_info_s inter_infos[MBTK_SOCK_MAX_NUM];
mbtk_sock_info infos[MBTK_SOCK_MAX_NUM];
} mbtk_sock_s;
-struct options
-{
- const char *server_name; /* hostname of the server (client only) */
- const char *server_addr; /* address of the server (client only) */
- int server_port; /* port on which the ssl service runs */
- int debug_level; /* level of debugging */
- int nbio; /* should I/O be blocking? */
- const char *request_page; /* page on server to request */
- int request_size; /* pad request with header to requested size */
- const char *ca_file; /* the file with the CA certificate(s) */
- const char *ca_path; /* the path with the CA certificate(s) reside */
- const char *crt_file; /* the file with the client certificate */
- const char *key_file; /* the file with the client key */
- const char *psk; /* the pre-shared key */
- const char *psk_identity; /* the pre-shared key identity */
- int force_ciphersuite[2]; /* protocol/ciphersuite to use, or all */
- int renegotiation; /* enable / disable renegotiation */
- int allow_legacy; /* allow legacy renegotiation */
- int renegotiate; /* attempt renegotiation? */
- int renego_delay; /* delay before enforcing renegotiation */
- int exchanges; /* number of data exchanges */
- int min_version; /* minimum protocol version accepted */
- int max_version; /* maximum protocol version accepted */
- int auth_mode; /* verify mode for connection */
- unsigned char mfl_code; /* code for maximum fragment length */
- int trunc_hmac; /* negotiate truncated hmac or not */
- int reconnect; /* attempt to resume session */
- int reco_delay; /* delay in seconds before resuming session */
- int tickets; /* enable / disable session tickets */
- const char *alpn_string; /* ALPN supported protocols */
-} opt;
#endif /* MBTK_SOCK_INTERNAL_INCLUDE */