[SSL] add openssl
Change-Id: I22299fc186351dfedabd9e47c90b0283ca6bb29d
diff --git a/mbtk/mbtk_lib/src/mbtk_sock2.c b/mbtk/mbtk_lib/src/mbtk_sock2.c
index 0e65992..d75a854 100755
--- a/mbtk/mbtk_lib/src/mbtk_sock2.c
+++ b/mbtk/mbtk_lib/src/mbtk_sock2.c
@@ -22,7 +22,17 @@
#include <polarssl/debug.h>
#include <polarssl/config.h>
#else
+#include <resolv.h>
+#include <openssl/ssl.h>
+#include <openssl/err.h>
+//#define SSL_VERIFY_PEER 0x01
+//#define SSL_FILETYPE_PEM 0x01
+//#define SSL_VERIFY_FAIL_IF_NO_PEER_CERT 0x02
+
+#define DFL_CA_FILE "/ca.crt"
+#define DFL_CRT_FILE "/client.crt"
+#define DFL_KEY_FILE "/client.key"
#endif
#include <sys/ioctl.h>
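Review bot: `DFL_CA_FILE` is defined here but never used; the CA path is spelled again as the literal `"/ca.crt"` in the SSL_CTX_load_verify_locations call later in this patch, so the macro and the literal can drift apart silently. Either use `DFL_CA_FILE` at that call site or drop the define. The three commented-out `#define`s for `SSL_VERIFY_PEER`, `SSL_FILETYPE_PEM` and `SSL_VERIFY_FAIL_IF_NO_PEER_CERT` duplicate constants that `<openssl/ssl.h>` already provides and should be removed rather than left as dead text.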
@@ -530,9 +540,118 @@
#else
+void ShowCerts(SSL * ssl)
+{
+ X509 *cert;
+ char *line;
+ cert = SSL_get_peer_certificate(ssl);
+ // SSL_get_verify_result()是重点,SSL_CTX_set_verify()只是配置启不启用并没有执行认证,调用该函数才会真证进行证书认证
+ // 如果验证不通过,那么程序抛出异常中止连接
+ if(SSL_get_verify_result(ssl) == X509_V_OK){
+ printf("证书验证通过\n");
+ }
+ if (cert != NULL) {
+ printf("数字证书信息:\n");
+ line = X509_NAME_oneline(X509_get_subject_name(cert), 0, 0);
+ printf("证书: %s\n", line);
+ free(line);
+ line = X509_NAME_oneline(X509_get_issuer_name(cert), 0, 0);
+ printf("颁发者: %s\n", line);
+ free(line);
+ X509_free(cert);
+ } else
+ printf("无证书信息!\n");
+}
+static int mbtk_openssl_open(int fd ,bool ingnore_cert,mbtk_sock_inter_info_s* inter_info)
+{
+ SSL_CTX *ctx;
+ SSL *ssl;
+ /* SSL 库初始化,参看 ssl-server.c 代码 */
+ SSL_library_init();
+ OpenSSL_add_all_algorithms();
+ SSL_load_error_strings();
+ ctx = SSL_CTX_new(SSLv23_client_method());
+ if (ctx == NULL) {
+ ERR_print_errors_fp(stdout);
+ return -1;
+ }
+
+ if(!ingnore_cert)
+ {
+ // 双向验证
+ // SSL_VERIFY_PEER---要求对证书进行认证,没有证书也会放行
+ // SSL_VERIFY_FAIL_IF_NO_PEER_CERT---要求客户端需要提供证书,但验证发现单独使用没有证书也会放行
+ SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
+ // 设置信任根证书
+ if (SSL_CTX_load_verify_locations(ctx, "/ca.crt",NULL)<=0){
+ ERR_print_errors_fp(stdout);
+ printf("fail SSL_CTX_load_verify_locations()\n");
+ return -1;
+ }
+
+ /* 载入用户的数字证书, 此证书用来发送给客户端。 证书里包含有公钥 */
+ if (SSL_CTX_use_certificate_file(ctx, DFL_CRT_FILE, SSL_FILETYPE_PEM) <= 0) {
+ ERR_print_errors_fp(stdout);
+ printf("fail SSL_CTX_use_certificate_file()\n");
+ return -1;
+ }
+ /* 载入用户私钥 */
+ if (SSL_CTX_use_PrivateKey_file(ctx, DFL_KEY_FILE, SSL_FILETYPE_PEM) <= 0) {
+ ERR_print_errors_fp(stdout);
+ printf("fail SSL_CTX_use_PrivateKey_file()\n");
+ return -1;
+ }
+ /* 检查用户私钥是否正确 */
+ if (!SSL_CTX_check_private_key(ctx)) {
+ ERR_print_errors_fp(stdout);
+ printf("fail SSL_CTX_check_private_key()\n");
+ return -1;
+ }
+
+ }
+
+ /* 基于 ctx 产生一个新的 SSL */
+ ssl = SSL_new(ctx);
+ SSL_set_fd(ssl, fd);
+ /* 建立 SSL 连接 */
+ if (SSL_connect(ssl) == -1)
+ ERR_print_errors_fp(stderr);
+ else {
+ printf("Connected with %s encryption\n", SSL_get_cipher(ssl));
+ if(!ingnore_cert)
+ {
+ ShowCerts(ssl);
+ }
+ }
+
+ inter_info->ctx = &ctx;
+
+ inter_info->ssl = &ssl;
+
+ return 0;
+}
+
+static int mbtk_openssl_close(mbtk_sock_inter_info_s *inter_info)
+{
+ SSL_shutdown(inter_info->ssl);
+ SSL_free(inter_info->ssl);
+// close(sockfd);
+ SSL_CTX_free(inter_info->ctx);
+ return 0;
+}
+
+static int mbtk_openssl_write( SSL *ssl, const unsigned char *buf, size_t len )
+{
+ return SSL_write(ssl, buf, len);
+}
+
+static int mbtk_openssl_read( SSL *ssl, unsigned char *buf, size_t len )
+{
+ return SSL_read(ssl, buf, len);
+}
#endif
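Review bot: `inter_info->ctx = &ctx;` and `inter_info->ssl = &ssl;` store the addresses of two locals of mbtk_openssl_open, so after return the struct holds dangling stack pointers, and mbtk_openssl_close then passes them to SSL_shutdown/SSL_free/SSL_CTX_free as if they were the objects themselves; the assignments should be `inter_info->ctx = ctx;` and `inter_info->ssl = ssl;` (assuming the fields are `SSL_CTX *`/`SSL *`, which the close path implies). A failed SSL_connect only prints the error stack and the function still returns 0, so the caller's `== -1` check never fires and the session proceeds over an unconnected SSL object; the early-return paths inside `if(!ingnore_cert)` also leak ctx, and SSL_new/SSL_set_fd are not checked. SSL_VERIFY_PEER checks the chain against /ca.crt but not that the certificate belongs to the host being contacted; if the server name is available to this function, hostname verification (SSL_set1_host on OpenSSL 1.1.0+, or the X509_VERIFY_PARAM equivalent) should be set before SSL_connect. Separately, in ShowCerts the buffers returned by X509_NAME_oneline with a NULL buffer are OpenSSL-allocated and should be released with OPENSSL_free rather than free. The rewritten tail of mbtk_openssl_open below reports handshake failure, releases both objects on each failure path and stores the pointers by value.
```c
    /* … unchanged: SSL_CTX creation and certificate/key loading … */
    ssl = SSL_new(ctx);
    if (ssl == NULL || SSL_set_fd(ssl, fd) != 1) {
        ERR_print_errors_fp(stdout);
        SSL_free(ssl);
        SSL_CTX_free(ctx);
        return -1;
    }
    /* SSL_connect returns 1 only on a completed handshake */
    if (SSL_connect(ssl) != 1) {
        ERR_print_errors_fp(stderr);
        SSL_free(ssl);
        SSL_CTX_free(ctx);
        return -1;
    }
    printf("Connected with %s encryption\n", SSL_get_cipher(ssl));
    if (!ingnore_cert) {
        ShowCerts(ssl);
    }
    /* store the objects themselves, not the addresses of these locals */
    inter_info->ctx = ctx;
    inter_info->ssl = ssl;
    return 0;
}
```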
@@ -733,6 +852,11 @@
goto result_fail_with_close;
}
#else
+ if(mbtk_openssl_open(mbtk_sock[handle]->inter_infos[index_free].fd,info->ingnore_cert,&mbtk_sock[handle]->inter_infos[index_free]) == -1){
+ LOGE("mbtk_openssl_init fail");
+ goto result_fail_with_close;
+ }
+
#endif
}
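Review bot: The log text `LOGE("mbtk_openssl_init fail")` names a function that does not exist in this patch; the call on the line above is to mbtk_openssl_open, so `LOGE("mbtk_openssl_open fail");` keeps the log greppable against the code. Note also that this `== -1` check depends on mbtk_openssl_open actually returning -1 on handshake failure, which the version added earlier in this patch does not. The enclosing function starts before this hunk.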
@@ -766,7 +890,7 @@
#ifdef MBTK_POLARSSL_SUPPORT
return mbtk_polarssl_open(mbtk_sock[handle]->inter_infos[index_free].fd,ingnore_cert,&mbtk_sock[handle]->inter_infos[index_free]);
#else
- return 0;
+ return mbtk_openssl_open(mbtk_sock[handle]->inter_infos[index_free].fd,ingnore_cert,&mbtk_sock[handle]->inter_infos[index_free]);
#endif
}
extern int mbtk_ssl_close_func(mbtk_sock_handle handle ,bool ingnore_cert,mbtk_sock_session fd)
@@ -788,7 +912,9 @@
printf("\nmbtk_sock[handle]->inter_infos[index_free].ssl not empty\n");
return mbtk_polarssl_close(&mbtk_sock[handle]->inter_infos[index_free]);
#else
- return 0;
+ if(mbtk_sock[handle]->inter_infos[index_free].ssl!=NULL);
+ printf("\nmbtk_sock[handle]->inter_infos[index_free].ssl not empty\n");
+ return mbtk_openssl_close(&mbtk_sock[handle]->inter_infos[index_free]);
#endif
}
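Review bot: The new `if(mbtk_sock[handle]->inter_infos[index_free].ssl!=NULL);` ends in a stray semicolon, so the condition has an empty body, the printf always runs, and mbtk_openssl_close is called even when ssl is NULL, handing a null pointer to SSL_shutdown/SSL_free. The intended guard is presumably `if (mbtk_sock[handle]->inter_infos[index_free].ssl == NULL) return 0;` placed before the printf and the close call, matching whatever guard the polarssl branch above uses (its `if` line is outside this hunk). The enclosing function mbtk_ssl_close_func begins before this hunk.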
@@ -840,6 +966,7 @@
#ifdef MBTK_POLARSSL_SUPPORT
len = mbtk_polarssl_write(inter_info->ssl,(char*)buffer + count,buf_len - count);
#else
+ len = mbtk_openssl_write(inter_info->ssl,(char*)buffer + count,buf_len - count);
#endif
} else
@@ -948,6 +1075,7 @@
#ifdef MBTK_POLARSSL_SUPPORT
len = mbtk_polarssl_read(inter_info->ssl,(char*)buffer + count,buf_len - count);
#else
+ len = mbtk_openssl_read(inter_info->ssl,(char*)buffer + count,buf_len - count);
#endif
} else
@@ -1123,7 +1251,7 @@
#ifdef MBTK_POLARSSL_SUPPORT
len = mbtk_polarssl_read(inter_info->ssl,(char*)buffer + count,buf_len - count);
#else
-
+ len = mbtk_openssl_read(inter_info->ssl,(char*)buffer + count,buf_len - count);
#endif
} else
len = read(inter_info->fd,(char*)buffer + count,buf_len - count);
@@ -1299,6 +1427,7 @@
#ifdef MBTK_POLARSSL_SUPPORT
len = ssl_read(inter_info->ssl,(char*)buffer + read_count,buf_len - read_count);
#else
+ len = mbtk_openssl_read(inter_info->ssl,(char*)buffer + read_count,buf_len - read_count);
#endif
} else
@@ -1389,6 +1518,7 @@
#ifdef MBTK_POLARSSL_SUPPORT
len = ssl_read(inter_info->ssl,(char*)buffer,buf_len);
#else
+ len = mbtk_openssl_read(inter_info->ssl,(char*)buffer,buf_len);
#endif
} else
@@ -1491,6 +1621,11 @@
return -1;
}
#else
+ if(mbtk_openssl_close(inter_info)== -1)
+ {
+ LOGE("close ssl fail");
+ return -1;
+ }
#endif
}
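Review bot: mbtk_openssl_close, as added earlier in this patch, unconditionally returns 0, so the `== -1` branch here is unreachable; either have the close function propagate a failure from SSL_shutdown or drop the check. The close function also leaves inter_info->ssl and inter_info->ctx pointing at freed objects, so a second close on the same inter_info would double-free; clearing them with `inter_info->ssl = NULL;` and `inter_info->ctx = NULL;` after SSL_free/SSL_CTX_free would make the NULL checks elsewhere meaningful. The enclosing function starts before this hunk.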
@@ -1599,3 +1734,4 @@
}
+