From be1ff25ee187f4e3f297cba9192019ec8b5d2e66 Mon Sep 17 00:00:00 2001 From: =?UTF-8?q?shuxin=20=E3=80=80=E3=80=80zheng?= Date: Fri, 20 Dec 2019 15:08:36 +0800 Subject: [PATCH] test mbedtls --- .../include/acl_cpp/stream/mbedtls_conf.hpp | 23 +- .../include/acl_cpp/stream/mbedtls_io.hpp | 1 - .../samples/aio/http_aclient_ssl/main.cpp | 30 +- lib_acl_cpp/samples/aio/http_aclient_ssl/t.sh | 4 + lib_acl_cpp/samples/ssl/https_client/Makefile | 11 + .../samples/ssl/https_client/https_client.cpp | 5 +- .../samples/ssl/https_client/https_client.h | 4 +- .../ssl/https_client/https_request.cpp | 4 +- .../samples/ssl/https_client/https_request.h | 2 +- lib_acl_cpp/samples/ssl/https_client/main.cpp | 29 +- lib_acl_cpp/samples/ssl/https_proxy/Makefile | 10 + lib_acl_cpp/samples/ssl/https_server/Makefile | 10 + .../samples/ssl/ssl_client/ssl_client.cpp | 3 + lib_acl_cpp/samples/ssl/ssl_server/Makefile | 11 + .../samples/ssl/ssl_server/ssl_server.cpp | 260 +++++---- lib_acl_cpp/src/stream/mbedtls_conf.cpp | 520 ++++++++++++------ lib_acl_cpp/src/stream/mbedtls_io.cpp | 280 +++------- lib_acl_cpp/src/stream/polarssl_conf.cpp | 10 +- lib_acl_cpp/src/stream/polarssl_io.cpp | 8 +- 19 files changed, 712 insertions(+), 513 deletions(-) diff --git a/lib_acl_cpp/include/acl_cpp/stream/mbedtls_conf.hpp b/lib_acl_cpp/include/acl_cpp/stream/mbedtls_conf.hpp index 2eeb867a3..5c491eae8 100644 --- a/lib_acl_cpp/include/acl_cpp/stream/mbedtls_conf.hpp +++ b/lib_acl_cpp/include/acl_cpp/stream/mbedtls_conf.hpp @@ -27,7 +27,12 @@ class mbedtls_io; class ACL_CPP_API mbedtls_conf : public sslbase_conf { public: - mbedtls_conf(void); + /** + * 构造函数 + * @param server_side {bool} 用来指定是服务端还是客户端,当为 true 时 + * 为服务端模式,否则为客户端模式 + */ + mbedtls_conf(bool server_side); ~mbedtls_conf(void); /** @@ -73,17 +78,16 @@ public: /** * mbedtls_io::open 内部会调用本方法用来安装当前 SSL 连接对象的证书 * @param ssl {void*} SSL 连接对象,为 ssl_context 类型 - * @param server_side {bool} 该连接对象是否为服务端连接 * @return {bool} 配置 SSL 对象是否成功 */ - bool setup_certs(void* ssl, bool server_side); + bool setup_certs(void* ssl); public: /** - * 必须首先调用此函数设置 libpolarssl.so 的全路径 - * @param path {const char*} libpolarssl.so 的全路径 + * 必须首先调用此函数设置 libmbedtls_all.so 的全路径 + * @param path {const char*} libmbedtls_all.so 的全路径 */ - static void set_libpath(const char* path); + static void set_libpath(const char* libmbedtls); /** * 可以显式调用本方法,动态加载 polarssl 动态库 @@ -100,7 +104,11 @@ private: bool has_inited_; thread_mutex lock_; + bool server_side_; + + void* conf_; void* entropy_; + void* rnd_; void* cacert_; void* pkey_; void* cert_chain_; @@ -108,7 +116,8 @@ private: mbedtls_verify_t verify_mode_; private: - void init_once(void); + bool init_once(void); + bool init_rand(void); void free_ca(void); }; diff --git a/lib_acl_cpp/include/acl_cpp/stream/mbedtls_io.hpp b/lib_acl_cpp/include/acl_cpp/stream/mbedtls_io.hpp index 34db97cd5..95576c0b8 100644 --- a/lib_acl_cpp/include/acl_cpp/stream/mbedtls_io.hpp +++ b/lib_acl_cpp/include/acl_cpp/stream/mbedtls_io.hpp @@ -71,7 +71,6 @@ private: mbedtls_conf& conf_; void* ssl_; void* ssn_; - void* rnd_; private: static int sock_read(void *ctx, unsigned char *buf, size_t len); diff --git a/lib_acl_cpp/samples/aio/http_aclient_ssl/main.cpp b/lib_acl_cpp/samples/aio/http_aclient_ssl/main.cpp index 247536194..715c38e37 100644 --- a/lib_acl_cpp/samples/aio/http_aclient_ssl/main.cpp +++ b/lib_acl_cpp/samples/aio/http_aclient_ssl/main.cpp @@ -230,7 +230,7 @@ private: class http_aio_client : public acl::http_aclient { public: - http_aio_client(acl::aio_handle& handle, acl::polarssl_conf* ssl_conf, + http_aio_client(acl::aio_handle& handle, acl::sslbase_conf* ssl_conf, const char* host) : http_aclient(handle, ssl_conf) , host_(host) @@ -466,7 +466,7 @@ static void add_dns(std::vector& name_servers, const char* s) int main(int argc, char* argv[]) { - acl::polarssl_conf* ssl_conf = NULL; + acl::sslbase_conf* ssl_conf = NULL; int ch, conn_timeout = 5, rw_timeout = 5; std::vector name_servers; acl::string addr("127.0.0.1:80"); @@ -530,14 +530,28 @@ int main(int argc, char* argv[]) // 如果设置了 SSL 连接库,则启用 SSL 连接模式 if (!ssl_lib_path.empty()) { if (access(ssl_lib_path.c_str(), R_OK) == 0) { - // 设置 libpolarssl.so 库全路径 - acl::polarssl_conf::set_libpath(ssl_lib_path); + if (ssl_lib_path.find("mbedtls") != NULL) { + // 设置 libmbedtls_all.so 库全路径 + acl::mbedtls_conf::set_libpath(ssl_lib_path); - // 动态加载 libpolarssl.so 库 - acl::polarssl_conf::load(); + // 动态加载 libmbedtls_all.so 库 + acl::mbedtls_conf::load(); - // 创建全局 SSL 配置项 - ssl_conf = new acl::polarssl_conf; + // 创建全局 SSL 配置项 + ssl_conf = new acl::mbedtls_conf; + printf(">>>use mbedtls<<<\r\n"); + + } else { + // 设置 libpolarssl.so 库全路径 + acl::polarssl_conf::set_libpath(ssl_lib_path); + + // 动态加载 libpolarssl.so 库 + acl::polarssl_conf::load(); + + // 创建全局 SSL 配置项 + ssl_conf = new acl::polarssl_conf; + printf(">>>use polarssl<<<\r\n"); + } } else { printf("disable ssl, %s not found\r\n", ssl_lib_path.c_str()); diff --git a/lib_acl_cpp/samples/aio/http_aclient_ssl/t.sh b/lib_acl_cpp/samples/aio/http_aclient_ssl/t.sh index 5d0b825a5..d6531e5f6 100755 --- a/lib_acl_cpp/samples/aio/http_aclient_ssl/t.sh +++ b/lib_acl_cpp/samples/aio/http_aclient_ssl/t.sh @@ -37,3 +37,7 @@ sleep 2 ./http_aclient_ssl -s 127.0.0.1:8885 -D -W echo "" echo "" + +./http_aclient_ssl -s echo.websocket.org:443 -H echo.websocket.org -D -Z -U -S ../libmbedtls_all.dylib -N 8.8.8.8:53 +echo "" +echo "" diff --git a/lib_acl_cpp/samples/ssl/https_client/Makefile b/lib_acl_cpp/samples/ssl/https_client/Makefile index fb72b4906..2bfea4205 100644 --- a/lib_acl_cpp/samples/ssl/https_client/Makefile +++ b/lib_acl_cpp/samples/ssl/https_client/Makefile @@ -2,5 +2,16 @@ PROG = https_client util_path = ../.. base_path = ../../.. include ../../Makefile.in +#Path for SunOS +ifeq ($(findstring SunOS, $(UNIXNAME)), SunOS) + EXTLIBS = -liconv +endif +ifeq ($(findstring FreeBSD, $(UNIXNAME)), FreeBSD) + EXTLIBS = -L/usr/local/lib -liconv +endif +ifeq ($(findstring Darwin, $(UNIXNAME)), Darwin) + EXTLIBS += -L/usr/lib -liconv +endif + CFLAGS += -I../.. EXTLIBS += -lz -ldl diff --git a/lib_acl_cpp/samples/ssl/https_client/https_client.cpp b/lib_acl_cpp/samples/ssl/https_client/https_client.cpp index ea0e622da..ac46d3b7a 100644 --- a/lib_acl_cpp/samples/ssl/https_client/https_client.cpp +++ b/lib_acl_cpp/samples/ssl/https_client/https_client.cpp @@ -14,13 +14,14 @@ https_client::https_client(const char* server_addr, const char* domain, , length_(length) , ssl_conf_(NULL) { + (void) length_; } https_client::~https_client() { } -void https_client::set_ssl_conf(acl::polarssl_conf *conf) +void https_client::set_ssl_conf(acl::sslbase_conf *conf) { ssl_conf_ = conf; } @@ -41,7 +42,7 @@ bool https_client::connect_server(acl::http_client& client) { logger("begin open ssl"); - acl::polarssl_io* ssl = new acl::polarssl_io(*ssl_conf_, false); + acl::sslbase_io* ssl = ssl_conf_->open(false, false); if (client.get_stream().setup_hook(ssl) == ssl) { logger_error("open ssl client error"); diff --git a/lib_acl_cpp/samples/ssl/https_client/https_client.h b/lib_acl_cpp/samples/ssl/https_client/https_client.h index 47a94cfaa..bbf925bd9 100644 --- a/lib_acl_cpp/samples/ssl/https_client/https_client.h +++ b/lib_acl_cpp/samples/ssl/https_client/https_client.h @@ -7,7 +7,7 @@ public: bool keep_alive, int count, int length); ~https_client(); - void set_ssl_conf(acl::polarssl_conf* conf); + void set_ssl_conf(acl::sslbase_conf* conf); protected: virtual void* run(); // 基类虚函数,在子线程中被调用 @@ -18,7 +18,7 @@ private: bool keep_alive_; // 是否采用长连接方式 int count_; // IO 会话次数 int length_; // 每次 IO 的数据长度 - acl::polarssl_conf* ssl_conf_; + acl::sslbase_conf* ssl_conf_; bool connect_server(acl::http_client& client); int http_request(int count); diff --git a/lib_acl_cpp/samples/ssl/https_client/https_request.cpp b/lib_acl_cpp/samples/ssl/https_client/https_request.cpp index 8e16f8bf5..87059a6d4 100644 --- a/lib_acl_cpp/samples/ssl/https_client/https_request.cpp +++ b/lib_acl_cpp/samples/ssl/https_client/https_request.cpp @@ -1,7 +1,7 @@ #include "stdafx.h" #include "https_request.h" -https_request::https_request(const char* addr, acl::polarssl_conf* ssl_conf) +https_request::https_request(const char* addr, acl::sslbase_conf* ssl_conf) : request_(addr) , to_charset_("utf-8") { @@ -50,7 +50,7 @@ void* https_request::run(void) ret = do_plain(request_); if (ret == true) - printf("read ok!\r\n"); + printf("%s(%d): read ok!\r\n", __FILE__, __LINE__); else { printf("read error\r\n"); diff --git a/lib_acl_cpp/samples/ssl/https_client/https_request.h b/lib_acl_cpp/samples/ssl/https_client/https_request.h index dc8b91ad7..8b50023d3 100644 --- a/lib_acl_cpp/samples/ssl/https_client/https_request.h +++ b/lib_acl_cpp/samples/ssl/https_client/https_request.h @@ -3,7 +3,7 @@ class https_request : public acl::thread { public: - https_request(const char* addr, acl::polarssl_conf* ssl_conf); + https_request(const char* addr, acl::sslbase_conf* ssl_conf); ~https_request(void); public: diff --git a/lib_acl_cpp/samples/ssl/https_client/main.cpp b/lib_acl_cpp/samples/ssl/https_client/main.cpp index 98daa739b..4b3de8dbb 100644 --- a/lib_acl_cpp/samples/ssl/https_client/main.cpp +++ b/lib_acl_cpp/samples/ssl/https_client/main.cpp @@ -58,14 +58,23 @@ int main(int argc, char* argv[]) } } - acl::polarssl_conf::set_libpath(libpath); - acl::polarssl_conf::load(); + acl::sslbase_conf* ssl_conf = NULL;; + if (libpath.find("mbedtls") && access(libpath.c_str(), R_OK) == 0) { + ssl_conf = new acl::mbedtls_conf; + acl::mbedtls_conf::set_libpath(libpath); + acl::mbedtls_conf::load(); + } else if (libpath.find("polarssl") && access(libpath.c_str(), R_OK) == 0) { + ssl_conf = new acl::polarssl_conf; + acl::polarssl_conf::set_libpath(libpath); + acl::polarssl_conf::load(); + } else { + use_ssl = false; + } + if (domain.empty()) domain = server_addr; - static acl::polarssl_conf ssl_conf; - struct timeval begin; gettimeofday(&begin, NULL); @@ -78,7 +87,7 @@ int main(int argc, char* argv[]) keep_alive, count, length); if (use_ssl) - thread->set_ssl_conf(&ssl_conf); + thread->set_ssl_conf(ssl_conf); thread->set_detachable(false); @@ -108,18 +117,13 @@ int main(int argc, char* argv[]) for (int i = 0; i < cocurrent; i++) { - // ?????叱? https_request* thread = new https_request(server_addr, - use_ssl ? &ssl_conf : NULL); + use_ssl ? ssl_conf : NULL); - // ???么??????叱?为?欠???模式???员??????????缘?? thread::wait - // ?却??叱探??? thread->set_detachable(false); - // ???叱谭??诙????? threads.push_back(thread); - // ?????叱? thread->start(); } @@ -128,14 +132,12 @@ int main(int argc, char* argv[]) std::list::iterator it = threads.begin(); for (; it != threads.end(); ++it) { - // ?却??叱探??? if ((*it)->wait(NULL) == false) printf("wait one thread(%lu) error\r\n", (*it)->thread_id()); else printf("wait one thread(%lu) ok\r\n", (*it)->thread_id()); - // 删????态???????叱潭??? delete *it; } @@ -151,5 +153,6 @@ int main(int argc, char* argv[]) printf("enter any key to exit\r\n"); getchar(); + delete ssl_conf; return 0; } diff --git a/lib_acl_cpp/samples/ssl/https_proxy/Makefile b/lib_acl_cpp/samples/ssl/https_proxy/Makefile index 311d13eca..98799f61a 100644 --- a/lib_acl_cpp/samples/ssl/https_proxy/Makefile +++ b/lib_acl_cpp/samples/ssl/https_proxy/Makefile @@ -1,4 +1,14 @@ base_path = ../../.. include ../../Makefile.in +#Path for SunOS +ifeq ($(findstring SunOS, $(UNIXNAME)), SunOS) + EXTLIBS = -liconv +endif +ifeq ($(findstring FreeBSD, $(UNIXNAME)), FreeBSD) + EXTLIBS = -L/usr/local/lib -liconv +endif +ifeq ($(findstring Darwin, $(UNIXNAME)), Darwin) + EXTLIBS += -L/usr/lib -liconv +endif PROG = https_proxy EXTLIBS += -lz -ldl diff --git a/lib_acl_cpp/samples/ssl/https_server/Makefile b/lib_acl_cpp/samples/ssl/https_server/Makefile index ecb62319b..188319280 100644 --- a/lib_acl_cpp/samples/ssl/https_server/Makefile +++ b/lib_acl_cpp/samples/ssl/https_server/Makefile @@ -1,5 +1,15 @@ base_path = ../../.. include ../../Makefile.in +#Path for SunOS +ifeq ($(findstring SunOS, $(UNIXNAME)), SunOS) + EXTLIBS = -liconv +endif +ifeq ($(findstring FreeBSD, $(UNIXNAME)), FreeBSD) + EXTLIBS = -L/usr/local/lib -liconv +endif +ifeq ($(findstring Darwin, $(UNIXNAME)), Darwin) + EXTLIBS += -L/usr/lib -liconv +endif PROG = https_server #EXTLIBS += -lpolarssl -lz EXTLIBS += -lz -ldl diff --git a/lib_acl_cpp/samples/ssl/ssl_client/ssl_client.cpp b/lib_acl_cpp/samples/ssl/ssl_client/ssl_client.cpp index 291a9ba7f..4df5ad2de 100644 --- a/lib_acl_cpp/samples/ssl/ssl_client/ssl_client.cpp +++ b/lib_acl_cpp/samples/ssl/ssl_client/ssl_client.cpp @@ -234,11 +234,14 @@ int main(int argc, char* argv[]) // 126 的 SSL 传输时当 HTTP 请求头中的 Host 值为 mail.126.com:443 时其 nginx // 会报错,只能是:Host: mail.126.com,土鳖 + if (0) { test1("mail.126.com", 443, false, true); test2("mail.126.com", 443, false, true); test2("mail.qq.com", 443, false, true); test2("mail.sohu.com", 443, false, true); test2("mail.sina.com.cn", 443, false, true); + } + test2("127.0.0.1", 2443, false, true); printf("Over, enter any key to exit!\n"); getchar(); diff --git a/lib_acl_cpp/samples/ssl/ssl_server/Makefile b/lib_acl_cpp/samples/ssl/ssl_server/Makefile index b22ec2ef0..024e44204 100644 --- a/lib_acl_cpp/samples/ssl/ssl_server/Makefile +++ b/lib_acl_cpp/samples/ssl/ssl_server/Makefile @@ -1,4 +1,15 @@ base_path = ../../.. include ../../Makefile.in +#Path for SunOS +ifeq ($(findstring SunOS, $(UNIXNAME)), SunOS) + EXTLIBS = -liconv +endif +ifeq ($(findstring FreeBSD, $(UNIXNAME)), FreeBSD) + EXTLIBS = -L/usr/local/lib -liconv +endif +ifeq ($(findstring Darwin, $(UNIXNAME)), Darwin) + EXTLIBS += -L/usr/lib -liconv +endif + PROG = ssl_server EXTLIBS += -ldl -lz diff --git a/lib_acl_cpp/samples/ssl/ssl_server/ssl_server.cpp b/lib_acl_cpp/samples/ssl/ssl_server/ssl_server.cpp index 9b0492b82..e6fb1826f 100644 --- a/lib_acl_cpp/samples/ssl/ssl_server/ssl_server.cpp +++ b/lib_acl_cpp/samples/ssl/ssl_server/ssl_server.cpp @@ -5,11 +5,11 @@ #include "lib_acl.h" #include "acl_cpp/lib_acl.hpp" -using namespace acl; +#define USE_MBEDTLS ////////////////////////////////////////////////////////////////////////// -class http_servlet : public HttpServlet +class http_servlet : public acl::HttpServlet { public: http_servlet() @@ -27,26 +27,31 @@ public: { } - virtual bool doError(HttpServletRequest&, HttpServletResponse&) + // @override + bool doError(acl::HttpServletRequest&, acl::HttpServletResponse&) { - if (first_) + if (first_) { logger_error("first request error"); + } return false; } // GET 方法 - virtual bool doGet(HttpServletRequest& req, HttpServletResponse& res) + // @override + bool doGet(acl::HttpServletRequest& req, acl::HttpServletResponse& res) { bool ret = doPost(req, res); - if (ret == false) + if (ret == false) { logger_error("doPost error!"); - else + } else { logger("doPost OK!"); + } return ret; } // POST 方法 - virtual bool doPost(HttpServletRequest& req, HttpServletResponse& res) + // @override + bool doPost(acl::HttpServletRequest& req, acl::HttpServletResponse& res) { first_ = false; @@ -60,33 +65,33 @@ public: // res.setStatus(400); // 可以设置返回的状态码 // 两种方式都可以设置字符集 - if (0) + if (0) { res.setContentType("text/xml; charset=gb2312"); - else - { + } else { res.setContentType("text/xml"); res.setCharacterEncoding("gb2312"); } // 获得 HTTP 请求的数据类型,正常的参数类型,即 name&value 方式 // 还是 MIME 数据类型,还是数据流类型 - http_request_t request_type = req.getRequestType(); - if (request_type == HTTP_REQUEST_NORMAL) + acl::http_request_t request_type = req.getRequestType(); + if (request_type == acl::HTTP_REQUEST_NORMAL) { return doParams(req, res); - else if (request_type == HTTP_REQUEST_MULTIPART_FORM) + } else if (request_type == acl::HTTP_REQUEST_MULTIPART_FORM) { return doUpload(req, res); - assert(request_type == HTTP_REQUEST_OCTET_STREAM); + } + assert(request_type == acl::HTTP_REQUEST_OCTET_STREAM); return doOctetStream(req, res); } - bool doResponse(HttpServletRequest& req, HttpServletResponse& res) + bool doResponse(acl::HttpServletRequest& req, acl::HttpServletResponse& res) { // 获得浏览器传来的 cookie 值 const char* cookie1 = req.getCookieValue("name1"); const char* cookie2 = req.getCookieValue("name2"); // 创建 xml 格式的数据体 - xml1 body; + acl::xml1 body; body.get_root().add_child("root", true) .add_child("content_type", true) .add_attr("type", (int) req.getRequestType()) @@ -119,7 +124,7 @@ public: .get_parent() .add_child("file", true) .add_attr("filename", file3_ ? file3_ : "null"); - string buf(""); + acl::string buf(""); body.build_xml(buf); //printf(">>>response: %s\r\n", buf.c_str()); @@ -129,14 +134,15 @@ public: //if (res.sendHeader() == false) // return false; // 发送 http 响应体,当使用 chunk 传输时,必须最后调用一次发送空数据 - if (res.write(buf) == false || res.write(NULL, 0) == false) + if (res.write(buf) == false || res.write(NULL, 0) == false) { return false; + } return true; } // GET 方式或 POST 方式且满足: // Content-Type: application/x-www-form-urlencoded - bool doParams(HttpServletRequest& req, HttpServletResponse& res) + bool doParams(acl::HttpServletRequest& req, acl::HttpServletResponse& res) { param1_ = req.getParameter("name1"); param2_ = req.getParameter("name2"); @@ -146,32 +152,30 @@ public: // POST 方式且满足: // Content-Type: multipart/form-data; boundary=xxx - bool doUpload(HttpServletRequest& req, HttpServletResponse& res) + bool doUpload(acl::HttpServletRequest& req, acl::HttpServletResponse& res) { // 先获得 Content-Type 对应的 http_ctype 对象 - http_mime* mime = req.getHttpMime(); - if (mime == NULL) - { + acl::http_mime* mime = req.getHttpMime(); + if (mime == NULL) { logger_error("http_mime null"); return false; } // 获得数据体的长度 long long int len = req.getContentLength(); - if (len <= 0) - { + if (len <= 0) { logger_error("body empty"); return false; } // 获得输入流 - istream& in = req.getInputStream(); + acl::istream& in = req.getInputStream(); char buf[8192]; int ret; bool finish = false; const char* filepath = "./var/mime_file"; - ofstream out; + acl::ofstream out; out.open_write(filepath); // 设置原始文件存入路径 @@ -180,12 +184,10 @@ public: size_t k; // 读取 HTTP 客户端请求数据 - while (len > 0) - { + while (len > 0) { k = (size_t) len > sizeof(buf) ? sizeof(buf) : (size_t) len; ret = in.read(buf, k, false); - if (ret == -1) - { + if (ret == -1) { logger_error("read POST data error"); return false; } @@ -194,45 +196,46 @@ public: len -= ret; // 将读得到的数据输入至解析器进行解析 - if (!finish && mime->update(buf, ret) == true) + if (!finish && mime->update(buf, ret) == true) { finish = true; + } } out.close(); - if (len != 0 || finish == false) + if (len != 0 || finish == false) { logger_warn("not read all data from client"); + } param1_ = req.getParameter("name1"); param2_ = req.getParameter("name2"); param3_ = req.getParameter("name3"); - string path; + acl::string path; // 遍历所有的 MIME 结点,找出其中为文件结点的部分进行转储 - const std::list& nodes = mime->get_nodes(); - std::list::const_iterator cit = nodes.begin(); - for (; cit != nodes.end(); ++cit) - { + const std::list& nodes = mime->get_nodes(); + std::list::const_iterator cit = nodes.begin(); + for (; cit != nodes.end(); ++cit) { const char* name = (*cit)->get_name(); - if (name == NULL) + if (name == NULL) { continue; + } - http_mime_t mime_type = (*cit)->get_mime_type(); - if (mime_type == HTTP_MIME_FILE) - { + acl::http_mime_t mime_type = (*cit)->get_mime_type(); + if (mime_type == acl::HTTP_MIME_FILE) { const char* filename = (*cit)->get_filename(); - if (filename == NULL) - { + if (filename == NULL) { logger("filename null"); continue; } - if (strcmp(name, "file1") == 0) + if (strcmp(name, "file1") == 0) { file1_ = filename; - else if (strcmp(name, "file2") == 0) + } else if (strcmp(name, "file2") == 0) { file2_ = filename; - else if (strcmp(name, "file3") == 0) + } else if (strcmp(name, "file3") == 0) { file3_ = filename; + } // 有的浏览器(如IE)上传文件时会带着文件路径,所以 // 需要先将路径去掉 @@ -247,12 +250,10 @@ public: } // 查找上载的某个文件并转储 - const http_mime_node* node = mime->get_node("file1"); - if (node && node->get_mime_type() == HTTP_MIME_FILE) - { + const acl::http_mime_node* node = mime->get_node("file1"); + if (node && node->get_mime_type() == acl::HTTP_MIME_FILE) { const char* ptr = node->get_filename(); - if (ptr) - { + if (ptr) { // 有的浏览器(如IE)上传文件时会带着文件路径,所以 // 需要先将路径去掉 ptr = acl_safe_basename(ptr); @@ -269,7 +270,7 @@ public: // POST 方式且满足: // Content-Type: application/octet-stream - bool doOctetStream(HttpServletRequest&, HttpServletResponse&) + bool doOctetStream(acl::HttpServletRequest&, acl::HttpServletResponse&) { logger_error("not support now!"); return false; @@ -288,103 +289,124 @@ private: ////////////////////////////////////////////////////////////////////////// -static void do_run(socket_stream* stream) +static void do_run(acl::socket_stream* stream) { - memcache_session session("127.0.0.1:11211"); + acl::memcache_session session("127.0.0.1:11211"); http_servlet servlet; servlet.setLocalCharset("gb2312"); servlet.doRun(session, stream); } // 服务器方式运行时的服务类 -class master_service : public master_proc +class master_service : public acl::master_proc { public: master_service(const char* crt_file, const char* key_file, +#ifdef USE_MBEDTLS + acl::mbedtls_verify_t verify_mode) +#else acl::polarssl_verify_t verify_mode) +#endif { - if (crt_file && *crt_file && key_file && *key_file) - { + if (crt_file && *crt_file && key_file && *key_file) { crt_file_ = crt_file; key_file_ = key_file; - conf_ = new polarssl_conf; - } - else +#ifdef USE_MBEDTLS + conf_ = new acl::mbedtls_conf(true); +#else + conf_ = new acl::polarssl_conf; +#endif + } else { conf_ = NULL; + } verify_mode_ = verify_mode; } ~master_service() { - if (conf_) - delete conf_; + delete conf_; } protected: - virtual void on_accept(socket_stream* stream) + // @override + void on_accept(acl::socket_stream* stream) { stream->set_rw_timeout(60); - if (conf_) - { + if (conf_) { // 对于使用 SSL 方式的流对象,需要将 SSL IO 流对象注册至网络 // 连接流对象中,即用 ssl io 替换 stream 中默认的底层 IO 过程 logger("begin setup ssl hook..."); - polarssl_io* ssl = new polarssl_io(*conf_, true); - if (stream->setup_hook(ssl) == ssl) - { +#ifdef USE_MBEDTLS + acl::sslbase_io* ssl = new acl::mbedtls_io(*conf_, true); +#else + acl::sslbase_io* ssl = new acl::polarssl_io(*conf_, true); +#endif + if (stream->setup_hook(ssl) == ssl) { logger_error("setup_hook error!"); ssl->destroy(); - } - else + } else { logger("setup ssl hook ok"); + } } do_run(stream); } - virtual void proc_on_init() + // @override + void proc_on_init() { - if (conf_ == NULL) + if (conf_ == NULL) { return; + } // 允许服务端的 SSL 会话缓存功能 conf_->enable_cache(true); // 添加本地服务的证书 - if (conf_->add_cert(crt_file_.c_str()) == false) - { + if (conf_->add_cert(crt_file_.c_str()) == false) { logger_error("add cert failed, crt: %s, key: %s", crt_file_.c_str(), key_file_.c_str()); delete conf_; conf_ = NULL; return; } - logger("load cert ok, crt: %s, key: %s", - crt_file_.c_str(), key_file_.c_str()); + logger("load cert ok, crt: %s", crt_file_.c_str()); // 添加本地服务密钥 - if (conf_->set_key(key_file_.c_str()) == false) - { + if (conf_->set_key(key_file_.c_str()) == false) { logger_error("set private key error"); delete conf_; conf_ = NULL; + return; } + logger("set key ok, key: %s", key_file_.c_str()); +#ifndef USE_MBEDTLS conf_->set_authmode(verify_mode_); +#endif } private: - polarssl_conf* conf_; - string crt_file_; - string key_file_; +#ifdef USE_MBEDTLS + acl::mbedtls_conf* conf_; + acl::mbedtls_verify_t verify_mode_; +#else + acl::polarssl_conf* conf_; acl::polarssl_verify_t verify_mode_; +#endif + acl::string crt_file_; + acl::string key_file_; }; // WEB 服务模式 static void do_alone(const char* crt_file, const char* key_file, +#ifdef USE_MBEDTLS + acl::mbedtls_verify_t verify_mode) +#else acl::polarssl_verify_t verify_mode) +#endif { master_service service(crt_file, key_file, verify_mode); acl::log::stdout_open(true); @@ -408,41 +430,73 @@ int main(int argc, char* argv[]) #endif acl::log::stdout_open(true); +#ifdef USE_MBEDTLS +# ifdef __APPLE__ + acl::mbedtls_conf::set_libpath("../libmbedtls_all.dylib"); +# else + acl::mbedtls_conf::set_libpath("../libmbedtls_all.so"); +# endif + acl::mbedtls_conf::load(); +#else +# ifdef __APPLE__ + acl::polarssl_conf::set_libpath("../libpolarssl.dylib"); +# else acl::polarssl_conf::set_libpath("../libpolarssl.so"); +# endif acl::polarssl_conf::load(); +#endif // 开始运行 - if (argc >= 2 && strcmp(argv[1], "alone") == 0) - { + if (argc >= 2 && strcmp(argv[1], "alone") == 0) { +#ifdef USE_MBEDTLS + acl::mbedtls_verify_t verify_mode; +#else acl::polarssl_verify_t verify_mode; +#endif const char* crt_file, *key_file; - if (argc >= 3) + if (argc >= 3) { crt_file = argv[2]; - else + } else { crt_file = NULL; - if (argc >= 4) - key_file = argv[3]; - else - key_file = NULL; - if (argc >= 5) - { - if (strcasecmp(argv[4], "req") == 0) - verify_mode = acl::POLARSSL_VERIFY_REQ; - else if (strcasecmp(argv[4], "opt") == 0) - verify_mode = acl::POLARSSL_VERIFY_OPT; - else - verify_mode = acl::POLARSSL_VERIFY_NONE; } - else + if (argc >= 4) { + key_file = argv[3]; + } else { + key_file = NULL; + } +#ifdef USE_MBEDTLS + if (argc >= 5) { + if (strcasecmp(argv[4], "req") == 0) { + verify_mode = acl::MBEDTLS_VERIFY_REQ; + } else if (strcasecmp(argv[4], "opt") == 0) { + verify_mode = acl::MBEDTLS_VERIFY_OPT; + } else { + verify_mode = acl::MBEDTLS_VERIFY_NONE; + } + } else { + verify_mode = acl::MBEDTLS_VERIFY_NONE; + } +#else + if (argc >= 5) { + if (strcasecmp(argv[4], "req") == 0) { + verify_mode = acl::POLARSSL_VERIFY_REQ; + } else if (strcasecmp(argv[4], "opt") == 0) { + verify_mode = acl::POLARSSL_VERIFY_OPT; + } else { + verify_mode = acl::POLARSSL_VERIFY_NONE; + } + } else { verify_mode = acl::POLARSSL_VERIFY_NONE; + } +#endif do_alone(crt_file, key_file, verify_mode); - } - else if (argc >= 2) + } else if (argc >= 2) { printf("usage: %s alone cert_file key_file verify[none|req|opt]\r\n", argv[0]); - else + } else { do_cgi(); + } return 0; } diff --git a/lib_acl_cpp/src/stream/mbedtls_conf.cpp b/lib_acl_cpp/src/stream/mbedtls_conf.cpp index a0c137a2a..ffe4ace6c 100644 --- a/lib_acl_cpp/src/stream/mbedtls_conf.cpp +++ b/lib_acl_cpp/src/stream/mbedtls_conf.cpp @@ -6,8 +6,11 @@ # endif #endif +#define DEBUG_SSL + #ifdef HAS_MBEDTLS # include "mbedtls/ssl.h" +# include "mbedtls/ctr_drbg.h" # include "mbedtls/entropy.h" # include "mbedtls/certs.h" # include "mbedtls/x509_crt.h" @@ -28,89 +31,158 @@ # ifdef HAS_MBEDTLS_DLL -# define ENTROPY_FREE_NAME "mbedtls_entropy_free" # define PK_INIT_NAME "mbedtls_pk_init" # define PK_FREE_NAME "mbedtls_pk_free" # define PK_PARSE_KEYFILE_NAME "mbedtls_pk_parse_keyfile" # define X509_INIT_NAME "mbedtls_x509_crt_init" # define X509_FREE_NAME "mbedtls_x509_crt_free" -# define X509_PARSE_CRTPATH_NAME "mbedtls_x509_crt_parse_path" -# define X509_PARSE_CRTFILE_NAME "mbedtls_x509_crt_parse_file" +# define X509_PARSE_CRT_PATH_NAME "mbedtls_x509_crt_parse_path" +# define X509_PARSE_CRT_FILE_NAME "mbedtls_x509_crt_parse_file" + +# ifdef HAS_HAVEGE +# define HAVEGE_INIT_NAME "mbedtls_havege_init" +# define HAVEGE_RANDOM_NAME "mbedtls_havege_random" +# else +# define CTR_DRBG_INIT_NAME "mbedtls_ctr_drbg_init" +# define CTR_DRBG_FREE_NAME "mbedtls_ctr_drbg_free" +# define CTR_DRBG_SEED_NAME "mbedtls_ctr_drbg_seed" +# define CTR_DRBG_RANDOM_NAME "mbedtls_ctr_drbg_random" +# endif # define ENTROPY_INIT_NAME "mbedtls_entropy_init" +# define ENTROPY_FREE_NAME "mbedtls_entropy_free" +# define ENTROPY_FUNC_NAME "mbedtls_entropy_func" + # define SSL_LIST_CIPHERSUITES_NAME "mbedtls_ssl_list_ciphersuites" -# define SSL_SET_CIPHERSUITES_NAME "mbedtls_ssl_conf_ciphersuites" -# define SSL_SET_SESSION_CACHE_NAME "mbedtls_ssl_conf_session_cache" -# define SSL_SET_CA_CHAIN_NAME "mbedtls_ssl_conf_ca_chain" -# define SSL_SET_OWN_CERT_NAME "mbedtls_ssl_conf_own_cert" -# define SSL_SET_AUTHMODE_NAME "mbedtls_ssl_conf_authmode" + +# define SSL_CONF_INIT_NAME "mbedtls_ssl_config_init" +# define SSL_CONF_DEFAULTS_NAME "mbedtls_ssl_config_defaults" +# define SSL_CONF_RNG_NAME "mbedtls_ssl_conf_rng" +# define SSL_CONF_ENDPOINT_NAME "mbedtls_ssl_conf_endpoint" +# define SSL_CONF_CIPHERSUITES_NAME "mbedtls_ssl_conf_ciphersuites" +# define SSL_CONF_SESSION_CACHE_NAME "mbedtls_ssl_conf_session_cache" +# define SSL_CONF_CA_CHAIN_NAME "mbedtls_ssl_conf_ca_chain" +# define SSL_CONF_OWN_CERT_NAME "mbedtls_ssl_conf_own_cert" +# define SSL_CONF_AUTHMODE_NAME "mbedtls_ssl_conf_authmode" +# ifdef DEBUG_SSL +# define SSL_CONF_DBG_NAME "mbedtls_ssl_conf_dbg" +# endif + # define SSL_CACHE_INIT_NAME "mbedtls_ssl_cache_init" # define SSL_CACHE_FREE_NAME "mbedtls_ssl_cache_free" # define SSL_CACHE_SET_NAME "mbedtls_ssl_cache_set" # define SSL_CACHE_GET_NAME "mbedtls_ssl_cache_get" +# define SSL_SETUP_NAME "mbedtls_ssl_setup" + typedef void (*pk_init_fn)(PKEY*); typedef void (*pk_free_fn)(PKEY*); typedef int (*pk_parse_keyfile_fn)(PKEY*, const char*, const char*); -typedef void (*entropy_init_fn)(mbedtls_entropy_context*); -typedef void (*entropy_free_fn)(mbedtls_entropy_context*); - typedef void (*x509_crt_init_fn)(X509_CRT*); typedef void (*x509_crt_free_fn)(X509_CRT*); typedef int (*x509_crt_parse_path_fn)(X509_CRT*, const char*); typedef int (*x509_crt_parse_file_fn)(X509_CRT*, const char*); +# ifdef HAS_HAVEGE +typedef void (*havege_init_fn)(mbedtls_havege_state*); +typedef int (*havege_random_fn)(void*, unsigned char*, size_t); +# else +typedef void (*ctr_drbg_init_fn)(mbedtls_ctr_drbg_context*); +typedef void (*ctr_drbg_free_fn)(mbedtls_ctr_drbg_context*); +typedef int (*ctr_drbg_seed_fn)(mbedtls_ctr_drbg_context*, + int (*)(void*, unsigned char*, size_t), void *, + const unsigned char*, size_t); +typedef int (*ctr_drbg_random_fn)(void*, unsigned char*, size_t); +# endif + +typedef void (*entropy_init_fn)(mbedtls_entropy_context*); +typedef void (*entropy_free_fn)(mbedtls_entropy_context*); +typedef int (*entropy_func_fn)(void*, unsigned char*, size_t); + typedef const int* (*ssl_list_ciphersuites_fn)(void); -typedef void (*ssl_set_ciphersuites_fn)(mbedtls_ssl_context*, const int*); -typedef void (*ssl_set_session_cache_fn)(mbedtls_ssl_context*, - int (*f_get_cache)(void*, mbedtls_ssl_session*), void*, - int (*f_set_cache)(void*, const mbedtls_ssl_session*), void*); -typedef void (*ssl_set_ca_chain_fn)(mbedtls_ssl_context*, X509_CRT*, - mbedtls_x509_crl*, const char*); -typedef int (*ssl_set_own_cert_fn)(mbedtls_ssl_context*, X509_CRT*, PKEY*); -typedef void (*ssl_set_authmode_fn)(mbedtls_ssl_context*, int); + +typedef void (*ssl_config_init_fn)(mbedtls_ssl_config*); +typedef void (*ssl_conf_rng_fn)(mbedtls_ssl_config*, + int (*f_rng)(void*, unsigned char*, size_t), void *p_rng); +typedef void (*ssl_conf_endpoint_fn)(mbedtls_ssl_config*, int); +typedef void (*ssl_conf_ciphersuites_fn)(mbedtls_ssl_config*, const int*); +typedef void (*ssl_conf_session_cache_fn)(mbedtls_ssl_config*, void*, + int (*)(void*, mbedtls_ssl_session*), + int (*)(void*, const mbedtls_ssl_session*)); +typedef void (*ssl_conf_ca_chain_fn)(mbedtls_ssl_config*, X509_CRT*, + mbedtls_x509_crl*); +typedef int (*ssl_conf_own_cert_fn)(mbedtls_ssl_config*, X509_CRT*, PKEY*); +typedef void (*ssl_conf_authmode_fn)(mbedtls_ssl_config*, int); +# ifdef DEBUG_SSL +typedef void (*ssl_conf_dbg_fn)(mbedtls_ssl_config*, + void (*)(void*, int, const char*, int , const char*), void*); +# endif +typedef int (*ssl_config_defaults_fn)(mbedtls_ssl_config*, int, int, int); typedef void (*ssl_cache_init_fn)(mbedtls_ssl_cache_context*); typedef void (*ssl_cache_free_fn)(mbedtls_ssl_cache_context*); -typedef int (*ssl_cache_set_fn)(void*, const mbedtls_ssl_session*);; -typedef int (*ssl_cache_get_fn)(void*, mbedtls_ssl_session*); +typedef int (*ssl_cache_set_fn)(void*, const mbedtls_ssl_session*);; +typedef int (*ssl_cache_get_fn)(void*, mbedtls_ssl_session*); -static entropy_init_fn __entropy_init; -static entropy_free_fn __entropy_free; +typedef int (*ssl_setup_fn)(mbedtls_ssl_context*, mbedtls_ssl_config*); -static pk_init_fn __pk_init; -static pk_free_fn __pk_free; -static pk_parse_keyfile_fn __pk_parse_keyfile; +static pk_init_fn __pk_init; +static pk_free_fn __pk_free; +static pk_parse_keyfile_fn __pk_parse_keyfile; -static x509_crt_init_fn __x509_init; -static x509_crt_free_fn __x509_free; -static x509_crt_parse_path_fn __x509_parse_crtpath; -static x509_crt_parse_file_fn __x509_parse_crtfile; +static x509_crt_init_fn __x509_crt_init; +static x509_crt_free_fn __x509_crt_free; +static x509_crt_parse_path_fn __x509_crt_parse_path; +static x509_crt_parse_file_fn __x509_crt_parse_file; -static ssl_list_ciphersuites_fn __ssl_list_ciphersuites; +# ifdef HAS_HAVEGE +static havege_init_fn __havege_init; +static havege_random_fn __havege_random; +# else +static ctr_drbg_init_fn __ctr_drbg_init; +static ctr_drbg_free_fn __ctr_drbg_free; +static ctr_drbg_seed_fn __ctr_drbg_seed; +static ctr_drbg_random_fn __ctr_drbg_random; +# endif -static ssl_set_ciphersuites_fn __ssl_set_ciphersuites; -static ssl_set_session_cache_fn __ssl_set_session_cache; -static ssl_set_ca_chain_fn __ssl_set_ca_chain; -static ssl_set_own_cert_fn __ssl_set_own_cert; -static ssl_set_authmode_fn __ssl_set_authmode; -static ssl_cache_init_fn __ssl_cache_init; -static ssl_cache_free_fn __ssl_cache_free; -static ssl_cache_set_fn __ssl_cache_set; -static ssl_cache_get_fn __ssl_cache_get; +static entropy_init_fn __entropy_init; +static entropy_free_fn __entropy_free; +static entropy_func_fn __entropy_func; -static acl_pthread_once_t __mbedtls_once = ACL_PTHREAD_ONCE_INIT; -static acl::string* __mbedtls_path_buf = NULL; -#ifdef ACL_WINDOWS -static const char* __mbedtls_path = "libmbedtls.dll"; +static ssl_list_ciphersuites_fn __ssl_list_ciphersuites; + +static ssl_config_init_fn __ssl_config_init; +static ssl_config_defaults_fn __ssl_config_defaults; +static ssl_conf_rng_fn __ssl_conf_rng; +static ssl_conf_endpoint_fn __ssl_conf_endpoint; +static ssl_conf_ciphersuites_fn __ssl_conf_ciphersuites; +static ssl_conf_session_cache_fn __ssl_conf_session_cache; +static ssl_conf_ca_chain_fn __ssl_conf_ca_chain; +static ssl_conf_own_cert_fn __ssl_conf_own_cert; +static ssl_conf_authmode_fn __ssl_conf_authmode; +# ifdef DEBUG_SSL +static ssl_conf_dbg_fn __ssl_conf_dbg; +# endif + +static ssl_cache_init_fn __ssl_cache_init; +static ssl_cache_free_fn __ssl_cache_free; +static ssl_cache_set_fn __ssl_cache_set; +static ssl_cache_get_fn __ssl_cache_get; + +static ssl_setup_fn __ssl_setup; + +static acl_pthread_once_t __mbedtls_once = ACL_PTHREAD_ONCE_INIT; +static acl::string* __mbedtls_path_buf = NULL; +# ifdef ACL_WINDOWS +static const char* __mbedtls_path = "libmbedtls_all.dll"; #elseif defined(ACL_MACOSX) -static const char* __mbedtls_path = "./libmbedtls.dylib"; -#else -static const char* __mbedtls_path = "./libmbedtls.so"; -#endif +static const char* __mbedtls_path = "./libmbedtls_all.dylib"; +# else +static const char* __mbedtls_path = "./libmbedtls_all.so"; +# endif -ACL_DLL_HANDLE __mbedtls_dll = NULL; +ACL_DLL_HANDLE __mbedtls_dll = NULL; static void mbedtls_dll_unload(void) { @@ -138,24 +210,46 @@ static void mbedtls_dll_load_conf(void) LOAD(PK_FREE_NAME, pk_free_fn, __pk_free); LOAD(PK_PARSE_KEYFILE_NAME, pk_parse_keyfile_fn, __pk_parse_keyfile); + LOAD(X509_INIT_NAME, x509_crt_init_fn, __x509_crt_init); + LOAD(X509_FREE_NAME, x509_crt_free_fn, __x509_crt_free); + LOAD(X509_PARSE_CRT_PATH_NAME, x509_crt_parse_path_fn, __x509_crt_parse_path); + LOAD(X509_PARSE_CRT_FILE_NAME, x509_crt_parse_file_fn, __x509_crt_parse_file); + +# ifdef HAS_HAVEGE + LOAD(HAVEGE_INIT_NAME, havege_init_fn, __havege_init); + LOAD(HAVEGE_RANDOM_NAME, havege_random_fn, __havege_random); +# else + LOAD(CTR_DRBG_INIT_NAME, ctr_drbg_init_fn, __ctr_drbg_init); + LOAD(CTR_DRBG_FREE_NAME, ctr_drbg_free_fn, __ctr_drbg_free); + LOAD(CTR_DRBG_SEED_NAME, ctr_drbg_seed_fn, __ctr_drbg_seed); + LOAD(CTR_DRBG_RANDOM_NAME, ctr_drbg_random_fn, __ctr_drbg_random); +# endif + LOAD(ENTROPY_INIT_NAME, entropy_init_fn, __entropy_init); LOAD(ENTROPY_FREE_NAME, entropy_free_fn, __entropy_free); - - LOAD(X509_INIT_NAME, x509_crt_init_fn, __x509_init); - LOAD(X509_FREE_NAME, x509_crt_free_fn, __x509_free); - LOAD(X509_PARSE_CRTPATH_NAME, x509_crt_parse_path_fn, __x509_parse_crtpath); - LOAD(X509_PARSE_CRTFILE_NAME, x509_crt_parse_file_fn, __x509_parse_crtfile); + LOAD(ENTROPY_FUNC_NAME, entropy_func_fn, __entropy_func); LOAD(SSL_LIST_CIPHERSUITES_NAME, ssl_list_ciphersuites_fn, __ssl_list_ciphersuites); - LOAD(SSL_SET_CIPHERSUITES_NAME, ssl_set_ciphersuites_fn, __ssl_set_ciphersuites); - LOAD(SSL_SET_SESSION_CACHE_NAME, ssl_set_session_cache_fn, __ssl_set_session_cache); - LOAD(SSL_SET_CA_CHAIN_NAME, ssl_set_ca_chain_fn, __ssl_set_ca_chain); - LOAD(SSL_SET_OWN_CERT_NAME, ssl_set_own_cert_fn, __ssl_set_own_cert); - LOAD(SSL_SET_AUTHMODE_NAME, ssl_set_authmode_fn, __ssl_set_authmode); + + LOAD(SSL_CONF_INIT_NAME, ssl_config_init_fn, __ssl_config_init); + LOAD(SSL_CONF_DEFAULTS_NAME, ssl_config_defaults_fn, __ssl_config_defaults); + LOAD(SSL_CONF_RNG_NAME, ssl_conf_rng_fn, __ssl_conf_rng); + LOAD(SSL_CONF_ENDPOINT_NAME, ssl_conf_endpoint_fn, __ssl_conf_endpoint); + LOAD(SSL_CONF_CIPHERSUITES_NAME, ssl_conf_ciphersuites_fn, __ssl_conf_ciphersuites); + LOAD(SSL_CONF_SESSION_CACHE_NAME, ssl_conf_session_cache_fn, __ssl_conf_session_cache); + LOAD(SSL_CONF_CA_CHAIN_NAME, ssl_conf_ca_chain_fn, __ssl_conf_ca_chain); + LOAD(SSL_CONF_OWN_CERT_NAME, ssl_conf_own_cert_fn, __ssl_conf_own_cert); + LOAD(SSL_CONF_AUTHMODE_NAME, ssl_conf_authmode_fn, __ssl_conf_authmode); +# ifdef DEBUG_SSL + LOAD(SSL_CONF_DBG_NAME, ssl_conf_dbg_fn, __ssl_conf_dbg); +# endif + LOAD(SSL_CACHE_INIT_NAME, ssl_cache_init_fn, __ssl_cache_init); LOAD(SSL_CACHE_FREE_NAME, ssl_cache_free_fn, __ssl_cache_free); LOAD(SSL_CACHE_SET_NAME, ssl_cache_set_fn, __ssl_cache_set); LOAD(SSL_CACHE_GET_NAME, ssl_cache_get_fn, __ssl_cache_get); + + LOAD(SSL_SETUP_NAME, ssl_setup_fn, __ssl_setup); } static void mbedtls_dll_load(void) @@ -165,7 +259,7 @@ static void mbedtls_dll_load(void) return; } - if (__mbedtls_path_buf != NULL && !__mbedtls_path_buf->empty()) { + if (__mbedtls_path_buf && !__mbedtls_path_buf->empty()) { __mbedtls_path = __mbedtls_path_buf->c_str(); } @@ -183,26 +277,43 @@ static void mbedtls_dll_load(void) # else // !HAS_MBEDTLS_DLL && HAS_MBEDTLS -# define __entropy_free ::entropy_free -# define __pk_init ::pk_init -# define __pk_free ::pk_free -# define __pk_parse_keyfile ::pk_parse_keyfile -# define __x509_init ::x509_crt_init -# define __x509_free ::x509_crt_free -# define __x509_parse_crtpath ::x509_crt_parse_path -# define __x509_parse_crtfile ::x509_crt_parse_file - -# define __entropy_init ::entropy_init -# define __ssl_list_ciphersuites ::ssl_list_ciphersuites -# define __ssl_set_ciphersuites ::ssl_set_ciphersuites -# define __ssl_set_session_cache ::ssl_set_session_cache -# define __ssl_set_ca_chain ::ssl_set_ca_chain -# define __ssl_set_own_cert ::ssl_set_own_cert -# define __ssl_set_authmode ::ssl_set_authmode -# define __ssl_cache_init ::ssl_cache_init -# define __ssl_cache_free ::ssl_cache_free -# define __ssl_cache_set ::ssl_cache_set -# define __ssl_cache_get ::ssl_cache_get +# define __pk_init ::mbedtls_pk_init +# define __pk_free ::mbedtls_pk_free +# define __pk_parse_keyfile ::mbedtls_pk_parse_keyfile +# define __x509_crt_init ::mbedtls_x509_crt_init +# define __x509_crt_free ::mbedtls_x509_crt_free +# define __x509_crt_parse_path ::mbedtls_x509_crt_parse_path +# define __x509_crt_parse_file ::mbedtls_x509_crt_parse_file +# ifdef HAS_HAVEGE +# define __havege_init ::mbedtls_havege_init +# define __havege_random ::mbedtls_havege_random +# else +# define __ctr_drbg_init ::mbedtls_ctr_drbg_init +# define __ctr_drbg_free ::mbedtls_ctr_drbg_free +# define __ctr_drbg_seed ::mbedtls_ctr_drbg_seed +# define __ctr_drbg_random ::mbedtls_ctr_drbg_random +# endif +# define __entropy_init ::mbedtls_entropy_init +# define __entropy_free ::mbedtls_entropy_free +# define __entropy_func ::mbedtls_entropy_func +# define __ssl_list_ciphersuites ::mbedtls_ssl_list_ciphersuites +# define __ssl_config_init ::mbedtls_ssl_config_init +# define __ssl_config_defaults ::mbedtls_ssl_config_defaults +# define __ssl_conf_rng ::mbedtls_ssl_conf_rng +# define __ssl_conf_endpoint ::mbedtls_ssl_conf_endpoint +# define __ssl_conf_ciphersuites ::mbedtls_ssl_conf_ciphersuites +# define __ssl_conf_session_cache ::mbedtls_ssl_conf_session_cache +# define __ssl_conf_ca_chain ::mbedtls_ssl_conf_ca_chain +# define __ssl_conf_own_cert ::mbedtls_ssl_conf_own_cert +# define __ssl_conf_authmode ::mbedtls_ssl_conf_authmode +# ifdef DEBUG_SSL +# define __ssl_conf_dbg ::mbedtls_ssl_conf_dbg +# endif +# define __ssl_cache_init ::mbedtls_ssl_cache_init +# define __ssl_cache_free ::mbedtls_ssl_cache_free +# define __ssl_cache_set ::mbedtls_ssl_cache_set +# define __ssl_cache_get ::mbedtls_ssl_cache_get +# define __ssl_setup ::mbedtls_ssl_setup # endif // HAS_MBEDTLS_DLL #endif // HAS_MBEDTLS @@ -210,13 +321,15 @@ static void mbedtls_dll_load(void) namespace acl { -void mbedtls_conf::set_libpath(const char* path acl_unused) +void mbedtls_conf::set_libpath(const char* libmbedtls) { #ifdef HAS_MBEDTLS_DLL if (__mbedtls_path_buf == NULL) { __mbedtls_path_buf = NEW string; } - *__mbedtls_path_buf = path; + *__mbedtls_path_buf = libmbedtls; +#else + (void) libmbedtls; #endif } @@ -229,27 +342,141 @@ void mbedtls_conf::load(void) #endif } -void mbedtls_conf::init_once(void) +static void set_authmode(mbedtls_ssl_config* conf, mbedtls_verify_t verify_mode) +{ + switch (verify_mode) { + case MBEDTLS_VERIFY_NONE: + __ssl_conf_authmode(conf, MBEDTLS_SSL_VERIFY_NONE); + break; + case MBEDTLS_VERIFY_OPT: + __ssl_conf_authmode(conf, MBEDTLS_SSL_VERIFY_OPTIONAL); + break; + case MBEDTLS_VERIFY_REQ: + __ssl_conf_authmode(conf, MBEDTLS_SSL_VERIFY_REQUIRED); + break; + default: + __ssl_conf_authmode(conf, MBEDTLS_SSL_VERIFY_NONE); + break; + } +} + +bool mbedtls_conf::init_rand(void) +{ + char pers[50]; + safe_snprintf(pers, sizeof(pers), "SSL Pthread Thread %lu", + (unsigned long) acl_pthread_self()); + int ret = __ctr_drbg_seed((mbedtls_ctr_drbg_context*) rnd_, + __entropy_func, + (mbedtls_entropy_context*) entropy_, + (const unsigned char *) pers, strlen(pers)); + if (ret != 0) { + logger_error("ctr_drbg_init error: -0x%04x\n", -ret); + return false; + } + + // 璁剧疆闅忔満鏁扮敓鎴愬櫒 + __ssl_conf_rng((mbedtls_ssl_config*) conf_, __ctr_drbg_random, + (mbedtls_ctr_drbg_context*) rnd_); + return true; +} + +#ifdef DEBUG_SSL +static void my_debug( void *ctx, int level, const char* fname, int line, + const char* str) +{ + fprintf((FILE *) ctx, "%s(%d): level=%d, %s", fname, line, level, str); + fflush((FILE *) ctx); +} +#endif + +bool mbedtls_conf::init_once(void) { load(); - lock_.lock(); if (has_inited_) { lock_.unlock(); - return; + return true; } #ifdef HAS_MBEDTLS + __ctr_drbg_init((mbedtls_ctr_drbg_context*) rnd_); __entropy_init((mbedtls_entropy_context*) entropy_); + __ssl_config_init((mbedtls_ssl_config*) conf_); + +#ifdef DEBUG_SSL + __ssl_conf_dbg((mbedtls_ssl_config*) conf_, my_debug, stdout); +#endif + + int ret; + if (server_side_) { + ret = __ssl_config_defaults((mbedtls_ssl_config*) conf_, + MBEDTLS_SSL_IS_SERVER, + MBEDTLS_SSL_TRANSPORT_STREAM, + MBEDTLS_SSL_PRESET_DEFAULT); + } else { + ret = __ssl_config_defaults((mbedtls_ssl_config*) conf_, + MBEDTLS_SSL_IS_CLIENT, + MBEDTLS_SSL_TRANSPORT_STREAM, + MBEDTLS_SSL_PRESET_DEFAULT); + } + if (ret != 0) { + logger_error("ssl_config_defaults error=-0x%04x, side=%s", + ret, server_side_ ? "server" : "client"); + return false; + } + + if (!init_rand()) { + return false; + } + + printf(">>>server_side_=%s\n", server_side_ ? "server":"client"); + set_authmode((mbedtls_ssl_config*) conf_, verify_mode_); + __ssl_conf_endpoint((mbedtls_ssl_config*) conf_, server_side_ ? + MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT); + + // Setup cipher_suites + const int* cipher_suites = __ssl_list_ciphersuites(); + if (cipher_suites == NULL) { + logger_error("ssl_list_ciphersuites null"); + return false; + } + + __ssl_conf_ciphersuites((mbedtls_ssl_config*) conf_, cipher_suites); + + // Setup cache only for server-side + if (server_side_ && cache_ != NULL) { + __ssl_conf_session_cache((mbedtls_ssl_config*) conf_, cache_, + __ssl_cache_get, __ssl_cache_set); + } + + // Setup ca cert + if (cacert_) { + __ssl_conf_ca_chain((mbedtls_ssl_config*) conf_, + (X509_CRT*) cacert_, NULL); + } + + // Setup own's cert chain and private key + if (cert_chain_ && pkey_) { + ret = __ssl_conf_own_cert((mbedtls_ssl_config*) conf_, + (X509_CRT*) cert_chain_, (PKEY*) pkey_); + if (ret != 0) { + logger_error("ssl_conf_own_cert error: -0x%04x", -ret); + return false; + } + } #endif has_inited_ = true; lock_.unlock(); + return true; } -mbedtls_conf::mbedtls_conf(void) +mbedtls_conf::mbedtls_conf(bool server_side) { + server_side_ = server_side; #ifdef HAS_MBEDTLS has_inited_ = false; + conf_ = acl_mycalloc(1, sizeof(mbedtls_ssl_config)); entropy_ = acl_mycalloc(1, sizeof(mbedtls_entropy_context)); + rnd_ = acl_mycalloc(1, sizeof(mbedtls_ctr_drbg_context)); cacert_ = NULL; cert_chain_ = NULL; @@ -257,7 +484,10 @@ mbedtls_conf::mbedtls_conf(void) pkey_ = NULL; verify_mode_ = MBEDTLS_VERIFY_NONE; #else + (void) has_inited_; + (void) conf_; (void) entropy_; + (void) rnd_; (void) cacert_; (void) cert_chain_; (void) cache_; @@ -272,7 +502,7 @@ mbedtls_conf::~mbedtls_conf(void) free_ca(); if (cert_chain_) { - __x509_free((X509_CRT*) cert_chain_); + __x509_crt_free((X509_CRT*) cert_chain_); acl_myfree(cert_chain_); } @@ -284,8 +514,17 @@ mbedtls_conf::~mbedtls_conf(void) if (has_inited_) { __entropy_free((mbedtls_entropy_context*) entropy_); } + acl_myfree(conf_); acl_myfree(entropy_); + // 浣跨敤 havege_random 闅忔満鏁扮敓鎴愬櫒鏃讹紝鍦ㄤ竴浜涜櫄鏈轰笂骞朵笉鑳戒繚璇侀殢鏈烘, + // 寤鸿浣跨敤 ctr_drbg_random 闅忔満鏁扮敓鎴愬櫒 +#ifdef HAS_HAVEGE + acl_myfree(rnd_); +#else + __ctr_drbg_free((mbedtls_ctr_drbg_context*) rnd_); +#endif + if (cache_) { __ssl_cache_free((mbedtls_ssl_cache_context*) cache_); acl_myfree(cache_); @@ -297,7 +536,7 @@ void mbedtls_conf::free_ca(void) { #ifdef HAS_MBEDTLS if (cacert_) { - __x509_free((X509_CRT*) cacert_); + __x509_crt_free((X509_CRT*) cacert_); acl_myfree(cacert_); cacert_ = NULL; } @@ -307,20 +546,23 @@ void mbedtls_conf::free_ca(void) bool mbedtls_conf::load_ca(const char* ca_file, const char* ca_path) { #ifdef HAS_MBEDTLS - init_once(); + if (!init_once()) { + logger_error("init_once error"); + return false; + } free_ca(); int ret; cacert_ = acl_mycalloc(1, sizeof(X509_CRT)); - __x509_init((X509_CRT*) cacert_); + __x509_crt_init((X509_CRT*) cacert_); if (ca_path && *ca_path) { - ret = __x509_parse_crtpath((X509_CRT*) cacert_, ca_path); + ret = __x509_crt_parse_path((X509_CRT*) cacert_, ca_path); if (ret != 0) { logger_error("x509_crt_parse_path(%s) error: -0x%04x", - ca_path, ret); + ca_path, -ret); free_ca(); return false; } @@ -332,10 +574,10 @@ bool mbedtls_conf::load_ca(const char* ca_file, const char* ca_path) return false; } - ret = __x509_parse_crtfile((X509_CRT*) cacert_, ca_file); + ret = __x509_crt_parse_file((X509_CRT*) cacert_, ca_file); if (ret != 0) { logger_error("x509_crt_parse_path(%s) error: -0x%04x", - ca_path, ret); + ca_path, -ret); free_ca(); return false; } else { @@ -358,23 +600,27 @@ bool mbedtls_conf::add_cert(const char* crt_file) } #ifdef HAS_MBEDTLS - init_once(); + if (!init_once()) { + logger_error("init_once error"); + return false; + } if (cert_chain_ == NULL) { cert_chain_ = acl_mycalloc(1, sizeof(X509_CRT)); - __x509_init((X509_CRT*) cert_chain_); + __x509_crt_init((X509_CRT*) cert_chain_); } - int ret = __x509_parse_crtfile((X509_CRT*) cert_chain_, crt_file); + int ret = __x509_crt_parse_file((X509_CRT*) cert_chain_, crt_file); if (ret != 0) { logger_error("x509_crt_parse_file(%s) error: -0x%04x", - crt_file, ret); + crt_file, -ret); - __x509_free((X509_CRT*) cert_chain_); + __x509_crt_free((X509_CRT*) cert_chain_); acl_myfree(cert_chain_); cert_chain_ = NULL; return false; } + printf("%s(%d): add cert %s ok\n", __FUNCTION__, __LINE__, crt_file); return true; #else @@ -388,7 +634,10 @@ bool mbedtls_conf::set_key(const char* key_file, const char* key_pass /* = NULL */) { #ifdef HAS_MBEDTLS - init_once(); + if (!init_once()) { + logger_error("init_once error"); + return false; + } if (pkey_ != NULL) { __pk_free((PKEY*) pkey_); @@ -403,7 +652,7 @@ bool mbedtls_conf::set_key(const char* key_file, key_pass ? key_pass : ""); if (ret != 0) { logger_error("pk_parse_keyfile(%s) error: -0x%04x", - key_file, ret); + key_file, -ret); __pk_free((PKEY*) pkey_); acl_myfree(pkey_); @@ -411,6 +660,7 @@ bool mbedtls_conf::set_key(const char* key_file, return false; } + printf("%s(%d): set key %s ok\r\n", __FUNCTION__, __LINE__, key_file); return true; #else (void) key_file; @@ -424,7 +674,10 @@ bool mbedtls_conf::set_key(const char* key_file, void mbedtls_conf::enable_cache(bool on) { #ifdef HAS_MBEDTLS - init_once(); + if (!init_once()) { + logger_error("init_once error"); + return; + } if (on) { if (cache_ != NULL) { @@ -443,69 +696,22 @@ void mbedtls_conf::enable_cache(bool on) #endif } -bool mbedtls_conf::setup_certs(void* ssl_in, bool server_side) +bool mbedtls_conf::setup_certs(void* ssl) { #ifdef HAS_MBEDTLS - init_once(); - - mbedtls_ssl_context* ssl = (mbedtls_ssl_context*) ssl_in; - - switch (verify_mode_) { - case MBEDTLS_VERIFY_NONE: - __ssl_set_authmode((mbedtls_ssl_context*) ssl, MBEDTLS_SSL_VERIFY_NONE); - break; - case MBEDTLS_VERIFY_OPT: - __ssl_set_authmode((mbedtls_ssl_context*) ssl, MBEDTLS_SSL_VERIFY_OPTIONAL); - break; - case MBEDTLS_VERIFY_REQ: - __ssl_set_authmode((mbedtls_ssl_context*) ssl, MBEDTLS_SSL_VERIFY_REQUIRED); - break; - default: - __ssl_set_authmode((mbedtls_ssl_context*) ssl, MBEDTLS_SSL_VERIFY_NONE); - break; - } - - // Setup cipher_suites - const int* cipher_suites = __ssl_list_ciphersuites(); - if (cipher_suites == NULL) { - logger_error("ssl_list_ciphersuites null"); + if (!init_once()) { return false; } - __ssl_set_ciphersuites((mbedtls_ssl_context*) ssl, cipher_suites); -// ::ssl_set_min_version((mbedtls_ssl_context*) ssl, MBEDTLS_SSL_MAJOR_VERSION_3, -// SSL_MINOR_VERSION_0); -// ::ssl_set_renegotiation((mbedtls_ssl_context*) ssl, MBEDTLS_SSL_RENEGOTIATION_DISABLED); -// ::ssl_set_dh_param((mbedtls_ssl_context*) &ssl, MBEDTLS_DHM_RFC5114_MODP_2048_P, -// MBEDTLS_DHM_RFC5114_MODP_2048_G ); - - // Setup cache only for server-side - if (server_side && cache_ != NULL) { - __ssl_set_session_cache(ssl, __ssl_cache_get, - (mbedtls_ssl_cache_context*) cache_, __ssl_cache_set, - (mbedtls_ssl_cache_context*) cache_); + int ret = __ssl_setup((mbedtls_ssl_context*) ssl, + (mbedtls_ssl_config*) conf_); + if (ret != 0) { + logger_error("ssl_setup error:-0x%04x", -ret); + return false; } - - // Setup ca cert - if (cacert_) { - __ssl_set_ca_chain(ssl, (X509_CRT*) cacert_, NULL, NULL); - } - - // Setup own's cert chain and private key - - if (cert_chain_ && pkey_) { - int ret = __ssl_set_own_cert(ssl, (X509_CRT*) cert_chain_, - (PKEY*) pkey_); - if (ret != 0) { - logger_error("ssl_set_own_cert error: -0x%04x", ret); - return false; - } - } - return true; #else - (void) ssl_in; - (void) server_side; + (void) ssl; logger_error("HAS_MBEDTLS not defined!"); return false; #endif diff --git a/lib_acl_cpp/src/stream/mbedtls_io.cpp b/lib_acl_cpp/src/stream/mbedtls_io.cpp index 96a22278f..b083a29a7 100644 --- a/lib_acl_cpp/src/stream/mbedtls_io.cpp +++ b/lib_acl_cpp/src/stream/mbedtls_io.cpp @@ -25,103 +25,52 @@ #if defined(HAS_MBEDTLS_DLL) -# define CTR_DRBG_FREE_NAME "mbedtls_ctr_drbg_free" - -# ifdef HAS_HAVEGE -# define HAVEGE_INIT_NAME "mbedtls_havege_init" -# define HAVEGE_RANDOM_NAME "mbedtls_havege_random" -# else -# define CTR_DRBG_INIT_NAME "mbedtls_ctr_drbg_init" -# define ENTROPY_FUNC_NAME "mbedtls_entropy_func" -# define CTR_DRBG_RANDOM_NAME "mbedtls_ctr_drbg_random" -# endif - -# ifdef DEBUG_SSL -# define SSL_SET_DBG_NAME "mbedtls_ssl_set_dbg" -# endif - -# define SSL_SET_SESSION_NAME "mbedtls_ssl_set_session" -# define SSL_SET_RNG_NAME "mbedtls_ssl_set_rng" # define SSL_INIT_NAME "mbedtls_ssl_init" # define SSL_FREE_NAME "mbedtls_ssl_free" -# define SSL_SET_ENDPOINT_NAME "mbedtls_ssl_set_endpoint" -# define SSL_SESSION_FREE_NAME "mbedtls_ssl_session_free" +# define SSL_SET_HOSTNAME_NAME "mbedtls_ssl_set_hostname" # define SSL_SET_BIO_NAME "mbedtls_ssl_set_bio" -# define SSL_CLOSE_NOTIFY_NAME "mbedtls_ssl_close_notify" -# define SSL_HANDSHAKE_NAME "mbedtls_ssl_handshake" -# define SSL_GET_VERIFY_RESULT_NAME "mbedtls_ssl_get_verify_result" -# define SSL_GET_PEER_CERT_NAME "mbedtls_ssl_get_peer_cert" # define SSL_READ_NAME "mbedtls_ssl_read" # define SSL_WRITE_NAME "mbedtls_ssl_write" +# define SSL_HANDSHAKE_NAME "mbedtls_ssl_handshake" +# define SSL_SET_SESSION_NAME "mbedtls_ssl_set_session" +# define SSL_SESSION_FREE_NAME "mbedtls_ssl_session_free" +# define SSL_SESSION_RESET_NAME "mbedtls_ssl_session_reset" +# define SSL_CLOSE_NOTIFY_NAME "mbedtls_ssl_close_notify" +# define SSL_GET_VERIFY_RESULT_NAME "mbedtls_ssl_get_verify_result" +# define SSL_GET_PEER_CERT_NAME "mbedtls_ssl_get_peer_cert" # define SSL_GET_BYTES_AVAIL_NAME "mbedtls_ssl_get_bytes_avail" -typedef void (*ctr_drbg_free_fn)(mbedtls_ctr_drbg_context*); - -# ifdef HAS_HAVEGE -typedef void (*havege_init_fn)(mbedtls_havege_state*); -typedef int (*havege_random_fn)(void*, unsigned char*, size_t); -# else -typedef int (*ctr_drbg_init_fn)(mbedtls_ctr_drbg_context*, - int (*)(void*, unsigned char*, size_t), void *, - const unsigned char*, size_t); -typedef int (*ctr_drbg_random_fn)(void*, unsigned char*, size_t); -typedef int (*entropy_func_fn)(void*, unsigned char*, size_t); -# endif - -# ifdef DEBUG_SSL -typedef void (ssl_set_dbg_fn)(mbedtls_ssl_context*, - void (*)(void*, int, const char*), void*); -# endif - -typedef int (*ssl_set_session_fn)(mbedtls_ssl_context*, const mbedtls_ssl_session*); -typedef void (ssl_set_session_cache_fn)(mbedtls_ssl_context*, - int (*)(void*, mbedtls_ssl_session*), void*, - int (*)(void*, const mbedtls_ssl_session*), void*); -typedef void (*ssl_set_rng_fn)(mbedtls_ssl_context*, - int (*f_rng)(void*, unsigned char*, size_t), void *p_rng); -typedef int (*ssl_init_fn)(mbedtls_ssl_context*); +typedef void (*ssl_init_fn)(mbedtls_ssl_context*); typedef void (*ssl_free_fn)(mbedtls_ssl_context*); -typedef void (*ssl_set_endpoint_fn)(mbedtls_ssl_context*, int); -typedef void (*ssl_session_free_fn)(mbedtls_ssl_session*); -typedef void (*ssl_set_bio_fn)(mbedtls_ssl_context*, - int (*)(void*, unsigned char*, size_t), void*, - int (*)(void*, const unsigned char*, size_t), void*); -typedef int (*ssl_close_notify_fn)(mbedtls_ssl_context*); -typedef int (*ssl_handshake_fn)(mbedtls_ssl_context*); -typedef int (*ssl_get_verify_result_fn)(const mbedtls_ssl_context*); -typedef const mbedtls_x509_crt *(*ssl_get_peer_cert_fn)(const mbedtls_ssl_context*); +typedef int (*ssl_set_hostname_fn)(mbedtls_ssl_context*, const char*); +typedef void (*ssl_set_bio_fn)(mbedtls_ssl_context*, void*, + int (*f_send)(void*, const unsigned char*, size_t), + int (*f_recv)(void*, unsigned char*, size_t), + int (*f_recv_timeo)(void*, unsigned char*, size_t, unsigned)); typedef int (*ssl_read_fn)(mbedtls_ssl_context*, unsigned char*, size_t); typedef int (*ssl_write_fn)(mbedtls_ssl_context*, const unsigned char*, size_t); +typedef int (*ssl_handshake_fn)(mbedtls_ssl_context*); +typedef int (*ssl_set_session_fn)(mbedtls_ssl_context*, const mbedtls_ssl_session*); +typedef void (*ssl_session_free_fn)(mbedtls_ssl_session*); +typedef int (*ssl_session_reset_fn)(mbedtls_ssl_context*); +typedef int (*ssl_close_notify_fn)(mbedtls_ssl_context*); +typedef unsigned (*ssl_get_verify_result_fn)(const mbedtls_ssl_context*); +typedef const mbedtls_x509_crt *(*ssl_get_peer_cert_fn)(const mbedtls_ssl_context*); typedef size_t (*ssl_get_bytes_avail_fn)(const mbedtls_ssl_context*); -static ctr_drbg_free_fn __ctr_drbg_free; - -# ifdef HAS_HAVEGE -static havege_init_fn __havege_init; -static havege_random_fn __havege_random; -# else -static ctr_drbg_init_fn __ctr_drbg_init; -static ctr_drbg_random_fn __ctr_drbg_random; -static entropy_func_fn __entropy_func; -# endif -# ifdef DEBUG_SSL -static ssl_set_dbg_fn __ssl_set_dbg; -# endif - -static ssl_set_session_fn __ssl_set_session; -//static ssl_set_session_cache_fn __ssl_set_session_cache; -static ssl_set_rng_fn __ssl_set_rng; static ssl_init_fn __ssl_init; static ssl_free_fn __ssl_free; -static ssl_set_endpoint_fn __ssl_set_endpoint; -static ssl_session_free_fn __ssl_session_free; +static ssl_set_hostname_fn __ssl_set_hostname; static ssl_set_bio_fn __ssl_set_bio; -static ssl_close_notify_fn __ssl_close_notify; -static ssl_handshake_fn __ssl_handshake; -static ssl_get_verify_result_fn __ssl_get_verify_result; -static ssl_get_peer_cert_fn __ssl_get_peer_cert; static ssl_read_fn __ssl_read; static ssl_write_fn __ssl_write; +static ssl_handshake_fn __ssl_handshake; +static ssl_set_session_fn __ssl_set_session; +static ssl_session_free_fn __ssl_session_free; +static ssl_session_reset_fn __ssl_session_reset; +static ssl_close_notify_fn __ssl_close_notify; +static ssl_get_verify_result_fn __ssl_get_verify_result; +static ssl_get_peer_cert_fn __ssl_get_peer_cert; static ssl_get_bytes_avail_fn __ssl_get_bytes_avail; extern ACL_DLL_HANDLE __mbedtls_dll; // defined in mbedtls_conf.cpp @@ -136,67 +85,37 @@ void mbedtls_dll_load_io(void) acl_assert(__mbedtls_dll); - LOAD(CTR_DRBG_FREE_NAME, ctr_drbg_free_fn, __ctr_drbg_free); - -# ifdef HAS_HAVEGE - LOAD(HAVEGE_INIT_NAME, havege_init_fn, __havege_init); - LOAD(HAVEGE_RANDOM_NAME, havege_random_fn, __havege_random); -# else - LOAD(CTR_DRBG_INIT_NAME, ctr_drbg_init_fn, __ctr_drbg_init); - LOAD(CTR_DRBG_RANDOM_NAME, ctr_drbg_random_fn, __ctr_drbg_random); - LOAD(ENTROPY_FUNC_NAME, entropy_func_fn, __entropy_func); -# endif - -# ifdef DEBUG_SSL - LOAD(SSL_SET_DBG_NAME, ssl_set_dbg_fn, __ssl_set_dbg); -# endif - - LOAD(SSL_SET_SESSION_NAME, ssl_set_session_fn, __ssl_set_session); - LOAD(SSL_SET_RNG_NAME, ssl_set_rng_fn, __ssl_set_rng); LOAD(SSL_INIT_NAME, ssl_init_fn, __ssl_init); LOAD(SSL_FREE_NAME, ssl_free_fn, __ssl_free); - LOAD(SSL_SET_ENDPOINT_NAME, ssl_set_endpoint_fn, __ssl_set_endpoint); - LOAD(SSL_SESSION_FREE_NAME, ssl_session_free_fn, __ssl_session_free); + LOAD(SSL_SET_HOSTNAME_NAME, ssl_set_hostname_fn, __ssl_set_hostname); LOAD(SSL_SET_BIO_NAME, ssl_set_bio_fn, __ssl_set_bio); - LOAD(SSL_CLOSE_NOTIFY_NAME, ssl_close_notify_fn, __ssl_close_notify); - LOAD(SSL_HANDSHAKE_NAME, ssl_handshake_fn, __ssl_handshake); - LOAD(SSL_GET_VERIFY_RESULT_NAME, ssl_get_verify_result_fn, __ssl_get_verify_result); - LOAD(SSL_GET_PEER_CERT_NAME, ssl_get_peer_cert_fn, __ssl_get_peer_cert); LOAD(SSL_READ_NAME, ssl_read_fn, __ssl_read); LOAD(SSL_WRITE_NAME, ssl_write_fn, __ssl_write); + LOAD(SSL_HANDSHAKE_NAME, ssl_handshake_fn, __ssl_handshake); + LOAD(SSL_SET_SESSION_NAME, ssl_set_session_fn, __ssl_set_session); + LOAD(SSL_SESSION_FREE_NAME, ssl_session_free_fn, __ssl_session_free); + LOAD(SSL_SESSION_RESET_NAME, ssl_session_reset_fn, __ssl_session_reset); + LOAD(SSL_CLOSE_NOTIFY_NAME, ssl_close_notify_fn, __ssl_close_notify); + LOAD(SSL_GET_VERIFY_RESULT_NAME, ssl_get_verify_result_fn, __ssl_get_verify_result); + LOAD(SSL_GET_PEER_CERT_NAME, ssl_get_peer_cert_fn, __ssl_get_peer_cert); LOAD(SSL_GET_BYTES_AVAIL_NAME, ssl_get_bytes_avail_fn, __ssl_get_bytes_avail); } #elif defined(HAS_MBEDTLS) -# define __ctr_drbg_free ::mbedtls_ctr_drbg_free - -# ifdef HAS_HAVEGE -# define __havege_init ::mbedtls_havege_init -# define __havege_random ::mbedtls_havege_random -# else -# define __ctr_drbg_init ::mbedtls_ctr_drbg_init -# define __ctr_drbg_random ::mbedtls_ctr_drbg_random -# define __entropy_func ::mbedtls_entropy_func -# endif -# ifdef DEBUG_SSL -# define __ssl_set_dbg ::mbedtls_ssl_set_dbg -# endif - -# define __ssl_set_session ::mbedtls_ssl_set_session -//# define __ssl_set_session_cache ::mbedtls_ssl_set_session_cache -# define __ssl_set_rng ::mbedtls_ssl_set_rng # define __ssl_init ::mbedtls_ssl_init # define __ssl_free ::mbedtls_ssl_free -# define __ssl_set_endpoint ::mbedtls_ssl_set_endpoint -# define __ssl_session_free ::mbedtls_ssl_session_free +# define __ssl_set_hostname ::mbedtls_ssl_set_hostname # define __ssl_set_bio ::mbedtls_ssl_set_bio -# define __ssl_close_notify ::mbedtls_ssl_close_notify -# define __ssl_handshake ::mbedtls_ssl_handshake -# define __ssl_get_verify_result ::mbedtls_ssl_get_verify_result -# define __ssl_get_peer_cert ::mbedtls_ssl_get_peer_cert # define __ssl_read ::mbedtls_ssl_read # define __ssl_write ::mbedtls_ssl_write +# define __ssl_handshake ::mbedtls_ssl_handshake +# define __ssl_set_session ::mbedtls_ssl_set_session +# define __ssl_session_free ::mbedtls_ssl_session_free +# define __ssl_session_reset ::mbedtls_ssl_session_reset +# define __ssl_close_notify ::mbedtls_ssl_close_notify +# define __ssl_get_verify_result ::mbedtls_ssl_get_verify_result +# define __ssl_get_peer_cert ::mbedtls_ssl_get_peer_cert # define __ssl_get_bytes_avail ::mbedtls_ssl_get_bytes_avail #endif @@ -209,7 +128,6 @@ mbedtls_io::mbedtls_io(mbedtls_conf& conf, bool server_side, , conf_(conf) , ssl_(NULL) , ssn_(NULL) -, rnd_(NULL) { #ifdef HAS_MBEDTLS conf.init_once(); @@ -222,30 +140,11 @@ mbedtls_io::~mbedtls_io(void) if (ssl_) { __ssl_free((mbedtls_ssl_context*) ssl_); acl_myfree(ssl_); - ssl_ = NULL; } if (ssn_) { __ssl_session_free((mbedtls_ssl_session*) ssn_); acl_myfree(ssn_); - ssn_ = NULL; } - - // 使用 havege_random 随机数生成器时,在一些虚机上并不能保证随机性, - // 建议使用 ctr_drbg_random 随机数生成器 -# undef HAS_HAVEGE - -# ifdef HAS_HAVEGE - if (rnd_) { - acl_myfree(rnd_); - rnd_ = NULL; - } -# else - if (rnd_) { - __ctr_drbg_free((mbedtls_ctr_drbg_context*) rnd_); - rnd_ = NULL; - } -# endif - #endif } @@ -288,77 +187,43 @@ bool mbedtls_io::open(ACL_VSTREAM* s) return false; } + char host[128]; + host[0] = 0; + + char* ptr = ACL_VSTREAM_PEER(s); + if (ptr && *ptr) { + safe_snprintf(host, sizeof(host), ptr); + } else if (acl_getpeername(ACL_VSTREAM_SOCK(s), host, sizeof(host))) { + logger_error("can't acl_getpeername error=%s", last_serror()); + return false; + } + + ptr = strrchr(host, '|'); + if (ptr == NULL) { + ptr = strrchr(host, ':'); + } + if (ptr) { + *ptr = 0; + } + stream_ = s; ++(*refers_); ssl_ = acl_mycalloc(1, sizeof(mbedtls_ssl_context)); - int ret; - // 初始化 SSL 对象 - if ((ret = __ssl_init((mbedtls_ssl_context*) ssl_)) != 0) { - logger_error("failed, ssl_init error: -0x%04x\n", ret); - acl_myfree(ssl_); - ssl_ = NULL; - return false; - } + __ssl_init((mbedtls_ssl_context*) ssl_); - // 需要区分 SSL 连接是客户端模式还是服务器模式 - if (server_side_) { - __ssl_set_endpoint((mbedtls_ssl_context*) ssl_, MBEDTLS_SSL_IS_SERVER); - } else { - __ssl_set_endpoint((mbedtls_ssl_context*) ssl_, MBEDTLS_SSL_IS_CLIENT); - } - - // 初始化随机数生成过程 - -# ifdef HAS_HAVEGE - rnd_ = acl_mymalloc(sizeof(mbedtls_havege_state)); - __havege_init((mbedtls_havege_state*) rnd_); - - // 设置随机数生成器 - __ssl_set_rng((mbedtls_ssl_context*) ssl_, __havege_random, rnd_); -# else - rnd_ = acl_mymalloc(sizeof(mbedtls_ctr_drbg_context)); - - char pers[50]; - safe_snprintf(pers, sizeof(pers), "SSL Pthread Thread %lu", - (unsigned long) acl_pthread_self()); - - ret = __ctr_drbg_init((mbedtls_ctr_drbg_context*) rnd_, __entropy_func, - (mbedtls_entropy_context*) conf_.get_entropy(), - (const unsigned char *) pers, strlen(pers)); - if (ret != 0) { - logger_error("ctr_drbg_init error: -0x%04x\n", ret); - return false; - } - - // 设置随机数生成器 - __ssl_set_rng((mbedtls_ssl_context*) ssl_, __ctr_drbg_random, rnd_); -# endif - -# ifdef DEBUG_SSL - __ssl_set_dbg((mbedtls_ssl_context*) ssl_, my_debug, stdout); -# endif - - if (!server_side_) { - // 只有客户端模式下才会调用此过程 - - ssn_ = acl_mycalloc(1, sizeof(mbedtls_ssl_session)); - ret = __ssl_set_session((mbedtls_ssl_context*) ssl_, - (mbedtls_ssl_session*) ssn_); - if (ret != 0) { - logger_error("ssl_set_session error: -0x%04x\n", ret); - acl_myfree(ssn_); - ssn_ = NULL; - } + if (host[0]) { + __ssl_set_hostname((mbedtls_ssl_context*) ssl_, host); } // 配置全局参数(包含证书、私钥) - conf_.setup_certs(ssl_, server_side_); + conf_.setup_certs(ssl_); // Setup SSL IO callback - __ssl_set_bio((mbedtls_ssl_context*) ssl_, sock_read, this, sock_send, this); + __ssl_set_bio((mbedtls_ssl_context*) ssl_, this, + sock_send, sock_read, NULL); // 非阻塞模式下先不启动 SSL 握手过程 if (nblock_) { @@ -424,7 +289,7 @@ bool mbedtls_io::handshake(void) if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) { - logger_error("ssl_handshake failed: -0x%04x", ret); + logger_error("ssl_handshake failed: -0x%04x", -ret); return false; } @@ -443,7 +308,7 @@ bool mbedtls_io::handshake(void) bool mbedtls_io::check_peer(void) { #ifdef HAS_MBEDTLS - int ret = __ssl_get_verify_result((mbedtls_ssl_context*) ssl_); + int ret = __ssl_get_verify_result((mbedtls_ssl_context*) ssl_); if (ret != 0) { if (!__ssl_get_peer_cert((mbedtls_ssl_context*) ssl_)) { logger("no client certificate sent"); @@ -567,7 +432,6 @@ int mbedtls_io::sock_read(void *ctx, unsigned char *buf, size_t len) // acl_socket_read 内部会根据 vs->read_ready 标志位决定是否需要 // 以超时方式读数据,同时会自动清除 vs->read_ready 标志位 int ret = acl_socket_read(fd, buf, len, vs->rw_timeout, vs, NULL); - if (ret < 0) { int errnum = acl_last_error(); diff --git a/lib_acl_cpp/src/stream/polarssl_conf.cpp b/lib_acl_cpp/src/stream/polarssl_conf.cpp index f5519c571..5544dba1b 100644 --- a/lib_acl_cpp/src/stream/polarssl_conf.cpp +++ b/lib_acl_cpp/src/stream/polarssl_conf.cpp @@ -343,7 +343,7 @@ bool polarssl_conf::load_ca(const char* ca_file, const char* ca_path) ret = __x509_parse_crtpath((X509_CRT*) cacert_, ca_path); if (ret != 0) { logger_error("x509_crt_parse_path(%s) error: -0x%04x", - ca_path, ret); + ca_path, -ret); free_ca(); return false; } @@ -358,7 +358,7 @@ bool polarssl_conf::load_ca(const char* ca_file, const char* ca_path) ret = __x509_parse_crtfile((X509_CRT*) cacert_, ca_file); if (ret != 0) { logger_error("x509_crt_parse_path(%s) error: -0x%04x", - ca_path, ret); + ca_path, -ret); free_ca(); return false; } else { @@ -391,7 +391,7 @@ bool polarssl_conf::add_cert(const char* crt_file) int ret = __x509_parse_crtfile((X509_CRT*) cert_chain_, crt_file); if (ret != 0) { logger_error("x509_crt_parse_file(%s) error: -0x%04x", - crt_file, ret); + crt_file, -ret); __x509_free((X509_CRT*) cert_chain_); acl_myfree(cert_chain_); @@ -430,7 +430,7 @@ bool polarssl_conf::set_key(const char* key_file, key_pass ? key_pass : ""); if (ret != 0) { logger_error("pk_parse_keyfile(%s) error: -0x%04x", - key_file, ret); + key_file, -ret); __pkey_free((PKEY*) pkey_); acl_myfree(pkey_); @@ -530,7 +530,7 @@ bool polarssl_conf::setup_certs(void* ssl_in, bool server_side) int ret = __ssl_set_own_cert(ssl, (X509_CRT*) cert_chain_, (PKEY*) pkey_); if (ret != 0) { - logger_error("ssl_set_own_cert error: -0x%04x", ret); + logger_error("ssl_set_own_cert error: -0x%04x", -ret); return false; } # else diff --git a/lib_acl_cpp/src/stream/polarssl_io.cpp b/lib_acl_cpp/src/stream/polarssl_io.cpp index d2de0da41..d4a93bfb2 100644 --- a/lib_acl_cpp/src/stream/polarssl_io.cpp +++ b/lib_acl_cpp/src/stream/polarssl_io.cpp @@ -309,7 +309,7 @@ bool polarssl_io::open(ACL_VSTREAM* s) // 初始化 SSL 对象 if ((ret = __ssl_init((ssl_context*) ssl_)) != 0) { - logger_error("failed, ssl_init error: -0x%04x\n", ret); + logger_error("failed, ssl_init error: -0x%04x\n", -ret); acl_myfree(ssl_); ssl_ = NULL; return false; @@ -341,7 +341,7 @@ bool polarssl_io::open(ACL_VSTREAM* s) (entropy_context*) conf_.get_entropy(), (const unsigned char *) pers, strlen(pers)); if (ret != 0) { - logger_error("ctr_drbg_init error: -0x%04x\n", ret); + logger_error("ctr_drbg_init error: -0x%04x\n", -ret); return false; } @@ -361,7 +361,7 @@ bool polarssl_io::open(ACL_VSTREAM* s) ret = __ssl_set_session((ssl_context*) ssl_, (ssl_session*) ssn_); if (ret != 0) { - logger_error("ssl_set_session error: -0x%04x\n", ret); + logger_error("ssl_set_session error: -0x%04x\n", -ret); acl_myfree(ssn_); ssn_ = NULL; } @@ -440,7 +440,7 @@ bool polarssl_io::handshake(void) if (ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE) { - logger_error("ssl_handshake failed: -0x%04x", ret); + logger_error("ssl_handshake failed: -0x%04x", -ret); return false; }