test mbedtls

lib_acl_cpp/include/acl_cpp/stream/mbedtls_conf.hpp

@@ -27,7 +27,12 @@ class mbedtls_io;
 class ACL_CPP_API mbedtls_conf : public sslbase_conf
 {
 public:
-	mbedtls_conf(void);
+	/**
+	 * 构造函数
+	 * @param server_side {bool} 用来指定是服务端还是客户端，当为 true 时
+	 *  为服务端模式，否则为客户端模式
+	 */
+	mbedtls_conf(bool server_side);
 	~mbedtls_conf(void);
 
 	/**
@@ -73,17 +78,16 @@ public:
 	/**
 	 * mbedtls_io::open 内部会调用本方法用来安装当前 SSL 连接对象的证书
 	 * @param ssl {void*} SSL 连接对象，为 ssl_context 类型
-	 * @param server_side {bool} 该连接对象是否为服务端连接
 	 * @return {bool} 配置 SSL 对象是否成功
 	 */
-	bool setup_certs(void* ssl, bool server_side);
+	bool setup_certs(void* ssl);
 
 public:
 	/**
-	 * 必须首先调用此函数设置 libpolarssl.so 的全路径
+	 * 必须首先调用此函数设置 libmbedtls_all.so 的全路径
-	 * @param path {const char*} libpolarssl.so 的全路径
+	 * @param path {const char*} libmbedtls_all.so 的全路径
 	 */
-	static void set_libpath(const char* path);
+	static void set_libpath(const char* libmbedtls);
 
 	/**
 	 * 可以显式调用本方法，动态加载 polarssl 动态库
@@ -100,7 +104,11 @@ private:
 	bool has_inited_;
 	thread_mutex lock_;
 
+	bool server_side_;
+
+	void* conf_;
 	void* entropy_;
+	void* rnd_;
 	void* cacert_;
 	void* pkey_;
 	void* cert_chain_;
@@ -108,7 +116,8 @@ private:
 	mbedtls_verify_t verify_mode_;
 
 private:
-	void init_once(void);
+	bool init_once(void);
+	bool init_rand(void);
 	void free_ca(void);
 };
 

lib_acl_cpp/include/acl_cpp/stream/mbedtls_io.hpp

@@ -71,7 +71,6 @@ private:
 	mbedtls_conf& conf_;
 	void* ssl_;
 	void* ssn_;
-	void* rnd_;
 
 private:
 	static int sock_read(void *ctx, unsigned char *buf, size_t len);

lib_acl_cpp/samples/aio/http_aclient_ssl/main.cpp

@@ -230,7 +230,7 @@ private:
 class http_aio_client : public acl::http_aclient
 {
 public:
-	http_aio_client(acl::aio_handle& handle, acl::polarssl_conf* ssl_conf,
+	http_aio_client(acl::aio_handle& handle, acl::sslbase_conf* ssl_conf,
 		const char* host)
 	: http_aclient(handle, ssl_conf)
 	, host_(host)
@@ -466,7 +466,7 @@ static void add_dns(std::vector<acl::string>& name_servers, const char* s)
 
 int main(int argc, char* argv[])
 {
-	acl::polarssl_conf* ssl_conf = NULL;
+	acl::sslbase_conf* ssl_conf = NULL;
 	int  ch, conn_timeout = 5, rw_timeout = 5;
 	std::vector<acl::string> name_servers;
 	acl::string addr("127.0.0.1:80");
@@ -530,14 +530,28 @@ int main(int argc, char* argv[])
 	// 如果设置了 SSL 连接库，则启用 SSL 连接模式
 	if (!ssl_lib_path.empty()) {
 		if (access(ssl_lib_path.c_str(), R_OK) == 0) {
-			// 设置 libpolarssl.so 库全路径
+			if (ssl_lib_path.find("mbedtls") != NULL) {
-			acl::polarssl_conf::set_libpath(ssl_lib_path);
+				// 设置 libmbedtls_all.so 库全路径
+				acl::mbedtls_conf::set_libpath(ssl_lib_path);
 
-			// 动态加载 libpolarssl.so 库
+				// 动态加载 libmbedtls_all.so 库
-			acl::polarssl_conf::load();
+				acl::mbedtls_conf::load();
 
-			// 创建全局 SSL 配置项
+				// 创建全局 SSL 配置项
-			ssl_conf = new acl::polarssl_conf;
+				ssl_conf = new acl::mbedtls_conf;
+				printf(">>>use mbedtls<<<\r\n");
+
+			} else {
+				// 设置 libpolarssl.so 库全路径
+				acl::polarssl_conf::set_libpath(ssl_lib_path);
+
+				// 动态加载 libpolarssl.so 库
+				acl::polarssl_conf::load();
+
+				// 创建全局 SSL 配置项
+				ssl_conf = new acl::polarssl_conf;
+				printf(">>>use polarssl<<<\r\n");
+			}
 		} else {
 			printf("disable ssl, %s not found\r\n",
 				ssl_lib_path.c_str());

lib_acl_cpp/samples/aio/http_aclient_ssl/t.sh

@@ -37,3 +37,7 @@ sleep 2
 ./http_aclient_ssl  -s 127.0.0.1:8885 -D -W
 echo ""
 echo ""
+
+./http_aclient_ssl -s echo.websocket.org:443 -H echo.websocket.org -D -Z -U -S ../libmbedtls_all.dylib -N 8.8.8.8:53
+echo ""
+echo ""

lib_acl_cpp/samples/ssl/https_client/Makefile

@@ -2,5 +2,16 @@ PROG = https_client
 util_path = ../..
 base_path = ../../..
 include ../../Makefile.in
+#Path for SunOS
+ifeq ($(findstring SunOS, $(UNIXNAME)), SunOS)
+	EXTLIBS = -liconv
+endif
+ifeq ($(findstring FreeBSD, $(UNIXNAME)), FreeBSD)
+	EXTLIBS = -L/usr/local/lib -liconv
+endif
+ifeq ($(findstring Darwin, $(UNIXNAME)), Darwin)
+	EXTLIBS += -L/usr/lib -liconv
+endif
+
 CFLAGS += -I../..
 EXTLIBS += -lz -ldl

lib_acl_cpp/samples/ssl/https_client/https_client.cpp

@@ -14,13 +14,14 @@ https_client::https_client(const char* server_addr, const char* domain,
 , length_(length)
 , ssl_conf_(NULL)
 {
+	(void) length_;
 }
 
 https_client::~https_client()
 {
 }
 
-void https_client::set_ssl_conf(acl::polarssl_conf *conf)
+void https_client::set_ssl_conf(acl::sslbase_conf *conf)
 {
 	ssl_conf_ = conf;
 }
@@ -41,7 +42,7 @@ bool https_client::connect_server(acl::http_client& client)
 	{
 		logger("begin open ssl");
 
-		acl::polarssl_io* ssl = new acl::polarssl_io(*ssl_conf_, false);
+		acl::sslbase_io* ssl = ssl_conf_->open(false, false);
 		if (client.get_stream().setup_hook(ssl) == ssl)
 		{
 			logger_error("open ssl client error");

lib_acl_cpp/samples/ssl/https_client/https_client.h

@@ -7,7 +7,7 @@ public:
 		bool keep_alive, int count, int length);
 	~https_client();
 
-	void set_ssl_conf(acl::polarssl_conf* conf);
+	void set_ssl_conf(acl::sslbase_conf* conf);
 
 protected:
 	virtual void* run();		// 基类虚函数，在子线程中被调用
@@ -18,7 +18,7 @@ private:
 	bool  keep_alive_;		// 是否采用长连接方式
 	int   count_;			// IO 会话次数
 	int   length_;			// 每次 IO 的数据长度
-	acl::polarssl_conf* ssl_conf_;
+	acl::sslbase_conf* ssl_conf_;
 
 	bool connect_server(acl::http_client& client);
 	int http_request(int count);

lib_acl_cpp/samples/ssl/https_client/https_request.cpp

@@ -1,7 +1,7 @@
 #include "stdafx.h"
 #include "https_request.h"
 
-https_request::https_request(const char* addr, acl::polarssl_conf* ssl_conf)
+https_request::https_request(const char* addr, acl::sslbase_conf* ssl_conf)
 	: request_(addr)
 	, to_charset_("utf-8")
 {
@@ -50,7 +50,7 @@ void* https_request::run(void)
 		ret = do_plain(request_);
 
 	if (ret == true)
-		printf("read ok!\r\n");
+		printf("%s(%d): read ok!\r\n", __FILE__, __LINE__);
 	else
 	{
 		printf("read error\r\n");

lib_acl_cpp/samples/ssl/https_client/https_request.h

@@ -3,7 +3,7 @@
 class https_request : public acl::thread
 {
 public:
-	https_request(const char* addr, acl::polarssl_conf* ssl_conf);
+	https_request(const char* addr, acl::sslbase_conf* ssl_conf);
 	~https_request(void);
 
 public:

lib_acl_cpp/samples/ssl/https_client/main.cpp

@@ -58,14 +58,23 @@ int main(int argc, char* argv[])
 		}
 	}
 
-	acl::polarssl_conf::set_libpath(libpath);
+	acl::sslbase_conf* ssl_conf = NULL;;
-	acl::polarssl_conf::load();
+	if (libpath.find("mbedtls") && access(libpath.c_str(), R_OK) == 0) {
+		ssl_conf = new acl::mbedtls_conf;
+		acl::mbedtls_conf::set_libpath(libpath);
+		acl::mbedtls_conf::load();
+	} else if (libpath.find("polarssl") && access(libpath.c_str(), R_OK) == 0) {
+		ssl_conf = new acl::polarssl_conf;
+		acl::polarssl_conf::set_libpath(libpath);
+		acl::polarssl_conf::load();
+	} else {
+		use_ssl = false;
+	}
+
 
 	if (domain.empty())
 		domain = server_addr;
 
-	static acl::polarssl_conf ssl_conf;
-
 	struct timeval begin;
 	gettimeofday(&begin, NULL);
 
@@ -78,7 +87,7 @@ int main(int argc, char* argv[])
 				keep_alive, count, length);
 
 		if (use_ssl)
-			thread->set_ssl_conf(&ssl_conf);
+			thread->set_ssl_conf(ssl_conf);
 
 		thread->set_detachable(false);
 
@@ -108,18 +117,13 @@ int main(int argc, char* argv[])
 
 	for (int i = 0; i < cocurrent; i++)
 	{
-		// ?????߳?
 		https_request* thread = new https_request(server_addr,
-				use_ssl ? &ssl_conf : NULL);
+				use_ssl ? ssl_conf : NULL);
 
-		// ???ô??????߳?Ϊ?Ƿ???ģʽ???Ա??????????Ե?? thread::wait
-		// ?ȴ??߳̽???
 		thread->set_detachable(false);
 
-		// ???̷߳??ڶ?????
 		threads.push_back(thread);
 
-		// ?????߳?
 		thread->start();
 	}
 
@@ -128,14 +132,12 @@ int main(int argc, char* argv[])
 	std::list<https_request*>::iterator it = threads.begin();
 	for (; it != threads.end(); ++it)
 	{
-		// ?ȴ??߳̽???
 		if ((*it)->wait(NULL) == false)
 			printf("wait one thread(%lu) error\r\n",
 				(*it)->thread_id());
 		else
 			printf("wait one thread(%lu) ok\r\n",
 				(*it)->thread_id());
-		// ɾ????̬???????̶߳???
 		delete *it;
 
 	}
@@ -151,5 +153,6 @@ int main(int argc, char* argv[])
 	printf("enter any key to exit\r\n");
 	getchar();
 
+	delete ssl_conf;
 	return 0;
 }

lib_acl_cpp/samples/ssl/https_proxy/Makefile

@@ -1,4 +1,14 @@
 base_path = ../../..
 include ../../Makefile.in
+#Path for SunOS
+ifeq ($(findstring SunOS, $(UNIXNAME)), SunOS)
+	EXTLIBS = -liconv
+endif
+ifeq ($(findstring FreeBSD, $(UNIXNAME)), FreeBSD)
+	EXTLIBS = -L/usr/local/lib -liconv
+endif
+ifeq ($(findstring Darwin, $(UNIXNAME)), Darwin)
+	EXTLIBS += -L/usr/lib -liconv
+endif
 PROG = https_proxy
 EXTLIBS += -lz -ldl

lib_acl_cpp/samples/ssl/https_server/Makefile

@@ -1,5 +1,15 @@
 base_path = ../../..
 include ../../Makefile.in
+#Path for SunOS
+ifeq ($(findstring SunOS, $(UNIXNAME)), SunOS)
+	EXTLIBS = -liconv
+endif
+ifeq ($(findstring FreeBSD, $(UNIXNAME)), FreeBSD)
+	EXTLIBS = -L/usr/local/lib -liconv
+endif
+ifeq ($(findstring Darwin, $(UNIXNAME)), Darwin)
+	EXTLIBS += -L/usr/lib -liconv
+endif
 PROG = https_server
 #EXTLIBS += -lpolarssl -lz
 EXTLIBS += -lz -ldl

lib_acl_cpp/samples/ssl/ssl_client/ssl_client.cpp

@@ -234,11 +234,14 @@ int main(int argc, char* argv[])
 	// 126 的 SSL 传输时当 HTTP 请求头中的 Host 值为 mail.126.com:443 时其 nginx
 	// 会报错，只能是：Host: mail.126.com，土鳖
 
+	if (0) {
 	test1("mail.126.com", 443, false, true);
 	test2("mail.126.com", 443, false, true);
 	test2("mail.qq.com", 443, false, true);
 	test2("mail.sohu.com", 443, false, true);
 	test2("mail.sina.com.cn", 443, false, true);
+	}
+	test2("127.0.0.1", 2443, false, true);
 
 	printf("Over, enter any key to exit!\n");
 	getchar();

lib_acl_cpp/samples/ssl/ssl_server/Makefile

@@ -1,4 +1,15 @@
 base_path = ../../..
 include ../../Makefile.in
+#Path for SunOS
+ifeq ($(findstring SunOS, $(UNIXNAME)), SunOS)
+	EXTLIBS = -liconv
+endif
+ifeq ($(findstring FreeBSD, $(UNIXNAME)), FreeBSD)
+	EXTLIBS = -L/usr/local/lib -liconv
+endif
+ifeq ($(findstring Darwin, $(UNIXNAME)), Darwin)
+	EXTLIBS += -L/usr/lib -liconv
+endif
+
 PROG = ssl_server
 EXTLIBS += -ldl -lz

lib_acl_cpp/samples/ssl/ssl_server/ssl_server.cpp

@@ -5,11 +5,11 @@
 #include "lib_acl.h"
 #include "acl_cpp/lib_acl.hpp"
 
-using namespace acl;
+#define USE_MBEDTLS
 
 //////////////////////////////////////////////////////////////////////////
 
-class http_servlet : public HttpServlet
+class http_servlet : public acl::HttpServlet
 {
 public:
 	http_servlet()
@@ -27,26 +27,31 @@ public:
 	{
 	}
 
-	virtual bool doError(HttpServletRequest&, HttpServletResponse&)
+	// @override
+	bool doError(acl::HttpServletRequest&, acl::HttpServletResponse&)
 	{
-		if (first_)
+		if (first_) {
 			logger_error("first request error");
+		}
 		return false;
 	}
 
 	// GET 方法
-	virtual bool doGet(HttpServletRequest& req, HttpServletResponse& res)
+	// @override
+	bool doGet(acl::HttpServletRequest& req, acl::HttpServletResponse& res)
 	{
 		bool ret = doPost(req, res);
-		if (ret == false)
+		if (ret == false) {
 			logger_error("doPost error!");
-		else
+		} else {
 			logger("doPost OK!");
+		}
 		return ret;
 	}
 
 	// POST 方法
-	virtual bool doPost(HttpServletRequest& req, HttpServletResponse& res)
+	// @override
+	bool doPost(acl::HttpServletRequest& req, acl::HttpServletResponse& res)
 	{
 		first_ = false;
 
@@ -60,33 +65,33 @@ public:
 		//		res.setStatus(400);  // 可以设置返回的状态码
 
 		// 两种方式都可以设置字符集
-		if (0)
+		if (0) {
 			res.setContentType("text/xml; charset=gb2312");
-		else
+		} else {
-		{
 			res.setContentType("text/xml");
 			res.setCharacterEncoding("gb2312");
 		}
 
 		// 获得 HTTP 请求的数据类型，正常的参数类型，即 name&value 方式
 		// 还是 MIME 数据类型，还是数据流类型
-		http_request_t request_type = req.getRequestType();
+		acl::http_request_t request_type = req.getRequestType();
-		if (request_type == HTTP_REQUEST_NORMAL)
+		if (request_type == acl::HTTP_REQUEST_NORMAL) {
 			return doParams(req, res);
-		else if (request_type == HTTP_REQUEST_MULTIPART_FORM)
+		} else if (request_type == acl::HTTP_REQUEST_MULTIPART_FORM) {
 			return doUpload(req, res);
-		assert(request_type == HTTP_REQUEST_OCTET_STREAM);
+		}
+		assert(request_type == acl::HTTP_REQUEST_OCTET_STREAM);
 		return doOctetStream(req, res);
 	}
 
-	bool doResponse(HttpServletRequest& req, HttpServletResponse& res)
+	bool doResponse(acl::HttpServletRequest& req, acl::HttpServletResponse& res)
 	{
 		// 获得浏览器传来的 cookie 值
 		const char* cookie1 = req.getCookieValue("name1");
 		const char* cookie2 = req.getCookieValue("name2");
 
 		// 创建 xml 格式的数据体
-		xml1 body;
+		acl::xml1 body;
 		body.get_root().add_child("root", true)
 			.add_child("content_type", true)
 				.add_attr("type", (int) req.getRequestType())
@@ -119,7 +124,7 @@ public:
 					.get_parent()
 				.add_child("file", true)
 					.add_attr("filename", file3_ ? file3_ : "null");
-		string buf("<?xml version=\"1.0\"?>");
+		acl::string buf("<?xml version=\"1.0\"?>");
 		body.build_xml(buf);
 
 		//printf(">>>response: %s\r\n", buf.c_str());
@@ -129,14 +134,15 @@ public:
 		//if (res.sendHeader() == false)
 		//	return false;
 		// 发送 http 响应体，当使用 chunk 传输时，必须最后调用一次发送空数据
-		if (res.write(buf) == false || res.write(NULL, 0) == false)
+		if (res.write(buf) == false || res.write(NULL, 0) == false) {
 			return false;
+		}
 		return true;
 	}
 
 	// GET 方式或 POST 方式且满足：
 	// Content-Type: application/x-www-form-urlencoded
-	bool doParams(HttpServletRequest& req, HttpServletResponse& res)
+	bool doParams(acl::HttpServletRequest& req, acl::HttpServletResponse& res)
 	{
 		param1_ = req.getParameter("name1");
 		param2_ = req.getParameter("name2");
@@ -146,32 +152,30 @@ public:
 
 	// POST 方式且满足：
 	// Content-Type: multipart/form-data; boundary=xxx
-	bool doUpload(HttpServletRequest& req, HttpServletResponse& res)
+	bool doUpload(acl::HttpServletRequest& req, acl::HttpServletResponse& res)
 	{
 		// 先获得 Content-Type 对应的 http_ctype 对象
-		http_mime* mime = req.getHttpMime();
+		acl::http_mime* mime = req.getHttpMime();
-		if (mime == NULL)
+		if (mime == NULL) {
-		{
 			logger_error("http_mime null");
 			return false;
 		}
 
 		// 获得数据体的长度
 		long long int len = req.getContentLength();
-		if (len <= 0)
+		if (len <= 0) {
-		{
 			logger_error("body empty");
 			return false;
 		}
 
 		// 获得输入流
-		istream& in = req.getInputStream();
+		acl::istream& in = req.getInputStream();
 		char  buf[8192];
 		int   ret;
 		bool  finish = false;
 
 		const char* filepath = "./var/mime_file";
-		ofstream out;
+		acl::ofstream out;
 		out.open_write(filepath);
 
 		// 设置原始文件存入路径
@@ -180,12 +184,10 @@ public:
 		size_t k;
 
 		// 读取 HTTP 客户端请求数据
-		while (len > 0)
+		while (len > 0) {
-		{
 			k = (size_t) len > sizeof(buf) ? sizeof(buf) : (size_t) len;
 			ret = in.read(buf, k, false);
-			if (ret == -1)
+			if (ret == -1) {
-			{
 				logger_error("read POST data error");
 				return false;
 			}
@@ -194,45 +196,46 @@ public:
 			len -= ret;
 
 			// 将读得到的数据输入至解析器进行解析
-			if (!finish && mime->update(buf, ret) == true)
+			if (!finish && mime->update(buf, ret) == true) {
 				finish = true;
+			}
 		}
 		out.close();
 
-		if (len != 0 || finish == false)
+		if (len != 0 || finish == false) {
 			logger_warn("not read all data from client");
+		}
 
 		param1_ = req.getParameter("name1");
 		param2_ = req.getParameter("name2");
 		param3_ = req.getParameter("name3");
 
-		string path;
+		acl::string path;
 
 		// 遍历所有的 MIME 结点，找出其中为文件结点的部分进行转储
-		const std::list<http_mime_node*>& nodes = mime->get_nodes();
+		const std::list<acl::http_mime_node*>& nodes = mime->get_nodes();
-		std::list<http_mime_node*>::const_iterator cit = nodes.begin();
+		std::list<acl::http_mime_node*>::const_iterator cit = nodes.begin();
-		for (; cit != nodes.end(); ++cit)
+		for (; cit != nodes.end(); ++cit) {
-		{
 			const char* name = (*cit)->get_name();
-			if (name == NULL)
+			if (name == NULL) {
 				continue;
+			}
 
-			http_mime_t mime_type = (*cit)->get_mime_type();
+			acl::http_mime_t mime_type = (*cit)->get_mime_type();
-			if (mime_type == HTTP_MIME_FILE)
+			if (mime_type == acl::HTTP_MIME_FILE) {
-			{
 				const char* filename = (*cit)->get_filename();
-				if (filename == NULL)
+				if (filename == NULL) {
-				{
 					logger("filename null");
 					continue;
 				}
 
-				if (strcmp(name, "file1") == 0)
+				if (strcmp(name, "file1") == 0) {
 					file1_ = filename;
-				else if (strcmp(name, "file2") == 0)
+				} else if (strcmp(name, "file2") == 0) {
 					file2_ = filename;
-				else if (strcmp(name, "file3") == 0)
+				} else if (strcmp(name, "file3") == 0) {
 					file3_ = filename;
+				}
 
 				// 有的浏览器（如IE）上传文件时会带着文件路径，所以
 				// 需要先将路径去掉
@@ -247,12 +250,10 @@ public:
 		}
 
 		// 查找上载的某个文件并转储
-		const http_mime_node* node = mime->get_node("file1");
+		const acl::http_mime_node* node = mime->get_node("file1");
-		if (node && node->get_mime_type() == HTTP_MIME_FILE)
+		if (node && node->get_mime_type() == acl::HTTP_MIME_FILE) {
-		{
 			const char* ptr = node->get_filename();
-			if (ptr)
+			if (ptr) {
-			{
 				// 有的浏览器（如IE）上传文件时会带着文件路径，所以
 				// 需要先将路径去掉
 				ptr = acl_safe_basename(ptr);
@@ -269,7 +270,7 @@ public:
 
 	// POST 方式且满足：
 	// Content-Type: application/octet-stream
-	bool doOctetStream(HttpServletRequest&, HttpServletResponse&)
+	bool doOctetStream(acl::HttpServletRequest&, acl::HttpServletResponse&)
 	{
 		logger_error("not support now!");
 		return false;
@@ -288,103 +289,124 @@ private:
 
 //////////////////////////////////////////////////////////////////////////
 
-static void do_run(socket_stream* stream)
+static void do_run(acl::socket_stream* stream)
 {
-	memcache_session session("127.0.0.1:11211");
+	acl::memcache_session session("127.0.0.1:11211");
 	http_servlet servlet;
 	servlet.setLocalCharset("gb2312");
 	servlet.doRun(session, stream);
 }
 
 // 服务器方式运行时的服务类
-class master_service : public master_proc
+class master_service : public acl::master_proc
 {
 public:
 	master_service(const char* crt_file, const char* key_file,
+#ifdef USE_MBEDTLS
+		acl::mbedtls_verify_t verify_mode)
+#else
 		acl::polarssl_verify_t verify_mode)
+#endif
 	{
-		if (crt_file && *crt_file && key_file && *key_file)
+		if (crt_file && *crt_file && key_file && *key_file) {
-		{
 			crt_file_ = crt_file;
 			key_file_ = key_file;
-			conf_ = new polarssl_conf;
+#ifdef USE_MBEDTLS
-		}
+			conf_ = new acl::mbedtls_conf(true);
-		else
+#else
+			conf_ = new acl::polarssl_conf;
+#endif
+		} else {
 			conf_ = NULL;
+		}
 		verify_mode_ = verify_mode;
 	}
 
 	~master_service()
 	{
-		if (conf_)
+		delete conf_;
-			delete conf_;
 	}
 
 protected:
-	virtual void on_accept(socket_stream* stream)
+	// @override
+	void on_accept(acl::socket_stream* stream)
 	{
 		stream->set_rw_timeout(60);
 
-		if (conf_)
+		if (conf_) {
-		{
 			// 对于使用 SSL 方式的流对象，需要将 SSL IO 流对象注册至网络
 			// 连接流对象中，即用 ssl io 替换 stream 中默认的底层 IO 过程
 
 			logger("begin setup ssl hook...");
 
-			polarssl_io* ssl = new polarssl_io(*conf_, true);
+#ifdef USE_MBEDTLS
-			if (stream->setup_hook(ssl) == ssl)
+			acl::sslbase_io* ssl = new acl::mbedtls_io(*conf_, true);
-			{
+#else
+			acl::sslbase_io* ssl = new acl::polarssl_io(*conf_, true);
+#endif
+			if (stream->setup_hook(ssl) == ssl) {
 				logger_error("setup_hook error!");
 				ssl->destroy();
-			}
+			} else {
-			else
 				logger("setup ssl hook ok");
+			}
 		}
 		do_run(stream);
 	}
 
-	virtual void proc_on_init()
+	// @override
+	void proc_on_init()
 	{
-		if (conf_ == NULL)
+		if (conf_ == NULL) {
 			return;
+		}
 
 		// 允许服务端的 SSL 会话缓存功能
 		conf_->enable_cache(true);
 
 		// 添加本地服务的证书
-		if (conf_->add_cert(crt_file_.c_str()) == false)
+		if (conf_->add_cert(crt_file_.c_str()) == false) {
-		{
 			logger_error("add cert failed, crt: %s, key: %s",
 				crt_file_.c_str(), key_file_.c_str());
 			delete conf_;
 			conf_ = NULL;
 			return;
 		}
-		logger("load cert ok, crt: %s, key: %s",
+		logger("load cert ok, crt: %s", crt_file_.c_str());
-			crt_file_.c_str(), key_file_.c_str());
 
 		// 添加本地服务密钥
-		if (conf_->set_key(key_file_.c_str()) == false)
+		if (conf_->set_key(key_file_.c_str()) == false) {
-		{
 			logger_error("set private key error");
 			delete conf_;
 			conf_ = NULL;
+			return;
 		}
+		logger("set key ok, key: %s", key_file_.c_str());
 
+#ifndef USE_MBEDTLS
 		conf_->set_authmode(verify_mode_);
+#endif
 	}
 
 private:
-	polarssl_conf* conf_;
+#ifdef USE_MBEDTLS
-	string crt_file_;
+	acl::mbedtls_conf*     conf_;
-	string key_file_;
+	acl::mbedtls_verify_t  verify_mode_;
+#else
+	acl::polarssl_conf*    conf_;
 	acl::polarssl_verify_t verify_mode_;
+#endif
+	acl::string crt_file_;
+	acl::string key_file_;
 };
 
 // WEB 服务模式
 static void do_alone(const char* crt_file, const char* key_file,
+#ifdef USE_MBEDTLS
+	acl::mbedtls_verify_t verify_mode)
+#else
 	acl::polarssl_verify_t verify_mode)
+#endif
 {
 	master_service service(crt_file, key_file, verify_mode);
 	acl::log::stdout_open(true);
@@ -408,41 +430,73 @@ int main(int argc, char* argv[])
 #endif
 	acl::log::stdout_open(true);
 
+#ifdef USE_MBEDTLS
+# ifdef __APPLE__
+	acl::mbedtls_conf::set_libpath("../libmbedtls_all.dylib");
+# else
+	acl::mbedtls_conf::set_libpath("../libmbedtls_all.so");
+# endif
+	acl::mbedtls_conf::load();
+#else
+# ifdef __APPLE__
+	acl::polarssl_conf::set_libpath("../libpolarssl.dylib");
+# else
 	acl::polarssl_conf::set_libpath("../libpolarssl.so");
+# endif
 	acl::polarssl_conf::load();
+#endif
 
 	// 开始运行
-	if (argc >= 2 && strcmp(argv[1], "alone") == 0)
+	if (argc >= 2 && strcmp(argv[1], "alone") == 0) {
-	{
+#ifdef USE_MBEDTLS
+		acl::mbedtls_verify_t verify_mode;
+#else
 		acl::polarssl_verify_t verify_mode;
+#endif
 		const char* crt_file, *key_file;
 
-		if (argc >= 3)
+		if (argc >= 3) {
 			crt_file = argv[2];
-		else
+		} else {
 			crt_file = NULL;
-		if (argc >= 4)
-			key_file = argv[3];
-		else
-			key_file = NULL;
-		if (argc >= 5)
-		{
-			if (strcasecmp(argv[4], "req") == 0)
-				verify_mode = acl::POLARSSL_VERIFY_REQ;
-			else if (strcasecmp(argv[4], "opt") == 0)
-				verify_mode = acl::POLARSSL_VERIFY_OPT;
-			else
-				verify_mode = acl::POLARSSL_VERIFY_NONE;
 		}
-		else
+		if (argc >= 4) {
+			key_file = argv[3];
+		} else {
+			key_file = NULL;
+		}
+#ifdef USE_MBEDTLS
+		if (argc >= 5) {
+			if (strcasecmp(argv[4], "req") == 0) {
+				verify_mode = acl::MBEDTLS_VERIFY_REQ;
+			} else if (strcasecmp(argv[4], "opt") == 0) {
+				verify_mode = acl::MBEDTLS_VERIFY_OPT;
+			} else {
+				verify_mode = acl::MBEDTLS_VERIFY_NONE;
+			}
+		} else {
+			verify_mode = acl::MBEDTLS_VERIFY_NONE;
+		}
+#else
+		if (argc >= 5) {
+			if (strcasecmp(argv[4], "req") == 0) {
+				verify_mode = acl::POLARSSL_VERIFY_REQ;
+			} else if (strcasecmp(argv[4], "opt") == 0) {
+				verify_mode = acl::POLARSSL_VERIFY_OPT;
+			} else {
+				verify_mode = acl::POLARSSL_VERIFY_NONE;
+			}
+		} else {
 			verify_mode = acl::POLARSSL_VERIFY_NONE;
+		}
+#endif
 
 		do_alone(crt_file, key_file, verify_mode);
-	}
+	} else if (argc >= 2) {
-	else if (argc >= 2)
 		printf("usage: %s alone cert_file key_file verify[none|req|opt]\r\n", argv[0]);
-	else
+	} else {
 		do_cgi();
+	}
 
 	return 0;
 }

lib_acl_cpp/src/stream/mbedtls_conf.cpp

@@ -6,8 +6,11 @@
 # endif
 #endif
 
+#define DEBUG_SSL
+
 #ifdef HAS_MBEDTLS
 # include "mbedtls/ssl.h"
+# include "mbedtls/ctr_drbg.h"
 # include "mbedtls/entropy.h"
 # include "mbedtls/certs.h"
 # include "mbedtls/x509_crt.h"
@@ -28,89 +31,158 @@
 
 # ifdef HAS_MBEDTLS_DLL
 
-#  define ENTROPY_FREE_NAME		"mbedtls_entropy_free"
 #  define PK_INIT_NAME			"mbedtls_pk_init"
 #  define PK_FREE_NAME			"mbedtls_pk_free"
 #  define PK_PARSE_KEYFILE_NAME		"mbedtls_pk_parse_keyfile"
 
 #  define X509_INIT_NAME		"mbedtls_x509_crt_init"
 #  define X509_FREE_NAME		"mbedtls_x509_crt_free"
-#  define X509_PARSE_CRTPATH_NAME	"mbedtls_x509_crt_parse_path"
+#  define X509_PARSE_CRT_PATH_NAME	"mbedtls_x509_crt_parse_path"
-#  define X509_PARSE_CRTFILE_NAME	"mbedtls_x509_crt_parse_file"
+#  define X509_PARSE_CRT_FILE_NAME	"mbedtls_x509_crt_parse_file"
+
+#  ifdef HAS_HAVEGE
+#   define HAVEGE_INIT_NAME		"mbedtls_havege_init"
+#   define HAVEGE_RANDOM_NAME		"mbedtls_havege_random"
+#  else
+#   define CTR_DRBG_INIT_NAME		"mbedtls_ctr_drbg_init"
+#   define CTR_DRBG_FREE_NAME		"mbedtls_ctr_drbg_free"
+#   define CTR_DRBG_SEED_NAME		"mbedtls_ctr_drbg_seed"
+#   define CTR_DRBG_RANDOM_NAME		"mbedtls_ctr_drbg_random"
+#  endif
 
 #  define ENTROPY_INIT_NAME		"mbedtls_entropy_init"
+#  define ENTROPY_FREE_NAME		"mbedtls_entropy_free"
+#  define ENTROPY_FUNC_NAME		"mbedtls_entropy_func"
+
 #  define SSL_LIST_CIPHERSUITES_NAME	"mbedtls_ssl_list_ciphersuites"
-#  define SSL_SET_CIPHERSUITES_NAME	"mbedtls_ssl_conf_ciphersuites"
+
-#  define SSL_SET_SESSION_CACHE_NAME	"mbedtls_ssl_conf_session_cache"
+#  define SSL_CONF_INIT_NAME		"mbedtls_ssl_config_init"
-#  define SSL_SET_CA_CHAIN_NAME		"mbedtls_ssl_conf_ca_chain"
+#  define SSL_CONF_DEFAULTS_NAME	"mbedtls_ssl_config_defaults"
-#  define SSL_SET_OWN_CERT_NAME		"mbedtls_ssl_conf_own_cert"
+#  define SSL_CONF_RNG_NAME		"mbedtls_ssl_conf_rng"
-#  define SSL_SET_AUTHMODE_NAME		"mbedtls_ssl_conf_authmode"
+#  define SSL_CONF_ENDPOINT_NAME	"mbedtls_ssl_conf_endpoint"
+#  define SSL_CONF_CIPHERSUITES_NAME	"mbedtls_ssl_conf_ciphersuites"
+#  define SSL_CONF_SESSION_CACHE_NAME	"mbedtls_ssl_conf_session_cache"
+#  define SSL_CONF_CA_CHAIN_NAME	"mbedtls_ssl_conf_ca_chain"
+#  define SSL_CONF_OWN_CERT_NAME	"mbedtls_ssl_conf_own_cert"
+#  define SSL_CONF_AUTHMODE_NAME	"mbedtls_ssl_conf_authmode"
+#  ifdef DEBUG_SSL
+#   define SSL_CONF_DBG_NAME		"mbedtls_ssl_conf_dbg"
+#  endif
+
 #  define SSL_CACHE_INIT_NAME		"mbedtls_ssl_cache_init"
 #  define SSL_CACHE_FREE_NAME		"mbedtls_ssl_cache_free"
 #  define SSL_CACHE_SET_NAME		"mbedtls_ssl_cache_set"
 #  define SSL_CACHE_GET_NAME		"mbedtls_ssl_cache_get"
 
+#  define SSL_SETUP_NAME		"mbedtls_ssl_setup"
+
 typedef void (*pk_init_fn)(PKEY*);
 typedef void (*pk_free_fn)(PKEY*);
 typedef int  (*pk_parse_keyfile_fn)(PKEY*, const char*, const char*);
 
-typedef void (*entropy_init_fn)(mbedtls_entropy_context*);
-typedef void (*entropy_free_fn)(mbedtls_entropy_context*);
-
 typedef void (*x509_crt_init_fn)(X509_CRT*);
 typedef void (*x509_crt_free_fn)(X509_CRT*);
 typedef int  (*x509_crt_parse_path_fn)(X509_CRT*, const char*);
 typedef int  (*x509_crt_parse_file_fn)(X509_CRT*, const char*);
 
+# ifdef HAS_HAVEGE
+typedef void (*havege_init_fn)(mbedtls_havege_state*);
+typedef int  (*havege_random_fn)(void*, unsigned char*, size_t);
+# else
+typedef void (*ctr_drbg_init_fn)(mbedtls_ctr_drbg_context*);
+typedef void (*ctr_drbg_free_fn)(mbedtls_ctr_drbg_context*);
+typedef int  (*ctr_drbg_seed_fn)(mbedtls_ctr_drbg_context*,
+		int (*)(void*, unsigned char*, size_t), void *,
+		const unsigned char*, size_t);
+typedef int  (*ctr_drbg_random_fn)(void*, unsigned char*, size_t);
+# endif
+
+typedef void (*entropy_init_fn)(mbedtls_entropy_context*);
+typedef void (*entropy_free_fn)(mbedtls_entropy_context*);
+typedef int  (*entropy_func_fn)(void*, unsigned char*, size_t);
+
 typedef const int* (*ssl_list_ciphersuites_fn)(void);
-typedef void (*ssl_set_ciphersuites_fn)(mbedtls_ssl_context*, const int*);
+
-typedef void (*ssl_set_session_cache_fn)(mbedtls_ssl_context*,
+typedef void (*ssl_config_init_fn)(mbedtls_ssl_config*);
-        int (*f_get_cache)(void*, mbedtls_ssl_session*), void*,
+typedef void (*ssl_conf_rng_fn)(mbedtls_ssl_config*,
-        int (*f_set_cache)(void*, const mbedtls_ssl_session*), void*);
+		int (*f_rng)(void*, unsigned char*, size_t), void *p_rng);
-typedef void (*ssl_set_ca_chain_fn)(mbedtls_ssl_context*, X509_CRT*,
+typedef void (*ssl_conf_endpoint_fn)(mbedtls_ssl_config*, int);
-                       mbedtls_x509_crl*, const char*);
+typedef void (*ssl_conf_ciphersuites_fn)(mbedtls_ssl_config*, const int*);
-typedef int  (*ssl_set_own_cert_fn)(mbedtls_ssl_context*, X509_CRT*, PKEY*);
+typedef void (*ssl_conf_session_cache_fn)(mbedtls_ssl_config*, void*,
-typedef void (*ssl_set_authmode_fn)(mbedtls_ssl_context*, int);
+        int (*)(void*, mbedtls_ssl_session*),
+        int (*)(void*, const mbedtls_ssl_session*));
+typedef void (*ssl_conf_ca_chain_fn)(mbedtls_ssl_config*, X509_CRT*,
+                       mbedtls_x509_crl*);
+typedef int  (*ssl_conf_own_cert_fn)(mbedtls_ssl_config*, X509_CRT*, PKEY*);
+typedef void (*ssl_conf_authmode_fn)(mbedtls_ssl_config*, int);
+# ifdef DEBUG_SSL
+typedef void (*ssl_conf_dbg_fn)(mbedtls_ssl_config*,
+		void (*)(void*, int, const char*, int , const char*), void*);
+# endif
+typedef int  (*ssl_config_defaults_fn)(mbedtls_ssl_config*, int, int, int);
 typedef void (*ssl_cache_init_fn)(mbedtls_ssl_cache_context*);
 typedef void (*ssl_cache_free_fn)(mbedtls_ssl_cache_context*);
-typedef int (*ssl_cache_set_fn)(void*, const mbedtls_ssl_session*);;
+typedef int  (*ssl_cache_set_fn)(void*, const mbedtls_ssl_session*);;
-typedef int (*ssl_cache_get_fn)(void*, mbedtls_ssl_session*);
+typedef int  (*ssl_cache_get_fn)(void*, mbedtls_ssl_session*);
 
-static entropy_init_fn		__entropy_init;
+typedef int  (*ssl_setup_fn)(mbedtls_ssl_context*, mbedtls_ssl_config*);
-static entropy_free_fn		__entropy_free;
 
-static pk_init_fn		__pk_init;
+static pk_init_fn			__pk_init;
-static pk_free_fn		__pk_free;
+static pk_free_fn			__pk_free;
-static pk_parse_keyfile_fn	__pk_parse_keyfile;
+static pk_parse_keyfile_fn		__pk_parse_keyfile;
 
-static x509_crt_init_fn		__x509_init;
+static x509_crt_init_fn			__x509_crt_init;
-static x509_crt_free_fn		__x509_free;
+static x509_crt_free_fn			__x509_crt_free;
-static x509_crt_parse_path_fn	__x509_parse_crtpath;
+static x509_crt_parse_path_fn		__x509_crt_parse_path;
-static x509_crt_parse_file_fn	__x509_parse_crtfile;
+static x509_crt_parse_file_fn		__x509_crt_parse_file;
 
-static ssl_list_ciphersuites_fn	__ssl_list_ciphersuites;
+# ifdef HAS_HAVEGE
+static havege_init_fn			__havege_init;
+static havege_random_fn			__havege_random;
+# else
+static ctr_drbg_init_fn			__ctr_drbg_init;
+static ctr_drbg_free_fn			__ctr_drbg_free;
+static ctr_drbg_seed_fn			__ctr_drbg_seed;
+static ctr_drbg_random_fn		__ctr_drbg_random;
+# endif
 
-static ssl_set_ciphersuites_fn	__ssl_set_ciphersuites;
+static entropy_init_fn			__entropy_init;
-static ssl_set_session_cache_fn	__ssl_set_session_cache;
+static entropy_free_fn			__entropy_free;
-static ssl_set_ca_chain_fn	__ssl_set_ca_chain;
+static entropy_func_fn			__entropy_func;
-static ssl_set_own_cert_fn	__ssl_set_own_cert;
-static ssl_set_authmode_fn	__ssl_set_authmode;
-static ssl_cache_init_fn	__ssl_cache_init;
-static ssl_cache_free_fn	__ssl_cache_free;
-static ssl_cache_set_fn		__ssl_cache_set;
-static ssl_cache_get_fn		__ssl_cache_get;
 
-static acl_pthread_once_t	__mbedtls_once     = ACL_PTHREAD_ONCE_INIT;
+static ssl_list_ciphersuites_fn		__ssl_list_ciphersuites;
-static acl::string*		__mbedtls_path_buf = NULL;
+
-#ifdef	ACL_WINDOWS
+static ssl_config_init_fn		__ssl_config_init;
-static const char* __mbedtls_path = "libmbedtls.dll";
+static ssl_config_defaults_fn		__ssl_config_defaults;
+static ssl_conf_rng_fn			__ssl_conf_rng;
+static ssl_conf_endpoint_fn		__ssl_conf_endpoint;
+static ssl_conf_ciphersuites_fn		__ssl_conf_ciphersuites;
+static ssl_conf_session_cache_fn	__ssl_conf_session_cache;
+static ssl_conf_ca_chain_fn		__ssl_conf_ca_chain;
+static ssl_conf_own_cert_fn		__ssl_conf_own_cert;
+static ssl_conf_authmode_fn		__ssl_conf_authmode;
+# ifdef DEBUG_SSL
+static ssl_conf_dbg_fn			__ssl_conf_dbg;
+# endif
+
+static ssl_cache_init_fn		__ssl_cache_init;
+static ssl_cache_free_fn		__ssl_cache_free;
+static ssl_cache_set_fn			__ssl_cache_set;
+static ssl_cache_get_fn			__ssl_cache_get;
+
+static ssl_setup_fn			__ssl_setup;
+
+static acl_pthread_once_t __mbedtls_once = ACL_PTHREAD_ONCE_INIT;
+static acl::string* __mbedtls_path_buf = NULL;
+# ifdef	ACL_WINDOWS
+static const char* __mbedtls_path      = "libmbedtls_all.dll";
 #elseif defined(ACL_MACOSX)
-static const char* __mbedtls_path = "./libmbedtls.dylib";
+static const char* __mbedtls_path      = "./libmbedtls_all.dylib";
-#else
+# else
-static const char* __mbedtls_path = "./libmbedtls.so";
+static const char* __mbedtls_path      = "./libmbedtls_all.so";
-#endif
+# endif
 
-ACL_DLL_HANDLE			__mbedtls_dll  = NULL;
+ACL_DLL_HANDLE __mbedtls_dll           = NULL;
 
 static void mbedtls_dll_unload(void)
 {
@@ -138,24 +210,46 @@ static void mbedtls_dll_load_conf(void)
 	LOAD(PK_FREE_NAME, pk_free_fn, __pk_free);
 	LOAD(PK_PARSE_KEYFILE_NAME, pk_parse_keyfile_fn, __pk_parse_keyfile);
 
+	LOAD(X509_INIT_NAME, x509_crt_init_fn, __x509_crt_init);
+	LOAD(X509_FREE_NAME, x509_crt_free_fn, __x509_crt_free);
+	LOAD(X509_PARSE_CRT_PATH_NAME, x509_crt_parse_path_fn, __x509_crt_parse_path);
+	LOAD(X509_PARSE_CRT_FILE_NAME, x509_crt_parse_file_fn, __x509_crt_parse_file);
+
+# ifdef HAS_HAVEGE
+	LOAD(HAVEGE_INIT_NAME, havege_init_fn, __havege_init);
+	LOAD(HAVEGE_RANDOM_NAME, havege_random_fn, __havege_random);
+# else
+	LOAD(CTR_DRBG_INIT_NAME, ctr_drbg_init_fn, __ctr_drbg_init);
+	LOAD(CTR_DRBG_FREE_NAME, ctr_drbg_free_fn, __ctr_drbg_free);
+	LOAD(CTR_DRBG_SEED_NAME, ctr_drbg_seed_fn, __ctr_drbg_seed);
+	LOAD(CTR_DRBG_RANDOM_NAME, ctr_drbg_random_fn, __ctr_drbg_random);
+# endif
+
 	LOAD(ENTROPY_INIT_NAME, entropy_init_fn, __entropy_init);
 	LOAD(ENTROPY_FREE_NAME, entropy_free_fn, __entropy_free);
-
+	LOAD(ENTROPY_FUNC_NAME, entropy_func_fn, __entropy_func);
-	LOAD(X509_INIT_NAME, x509_crt_init_fn, __x509_init);
-	LOAD(X509_FREE_NAME, x509_crt_free_fn, __x509_free);
-	LOAD(X509_PARSE_CRTPATH_NAME, x509_crt_parse_path_fn, __x509_parse_crtpath);
-	LOAD(X509_PARSE_CRTFILE_NAME, x509_crt_parse_file_fn, __x509_parse_crtfile);
 
 	LOAD(SSL_LIST_CIPHERSUITES_NAME, ssl_list_ciphersuites_fn, __ssl_list_ciphersuites);
-	LOAD(SSL_SET_CIPHERSUITES_NAME, ssl_set_ciphersuites_fn, __ssl_set_ciphersuites);
+
-	LOAD(SSL_SET_SESSION_CACHE_NAME, ssl_set_session_cache_fn, __ssl_set_session_cache);
+	LOAD(SSL_CONF_INIT_NAME, ssl_config_init_fn, __ssl_config_init);
-	LOAD(SSL_SET_CA_CHAIN_NAME, ssl_set_ca_chain_fn, __ssl_set_ca_chain);
+	LOAD(SSL_CONF_DEFAULTS_NAME, ssl_config_defaults_fn, __ssl_config_defaults);
-	LOAD(SSL_SET_OWN_CERT_NAME, ssl_set_own_cert_fn, __ssl_set_own_cert);
+	LOAD(SSL_CONF_RNG_NAME, ssl_conf_rng_fn, __ssl_conf_rng);
-	LOAD(SSL_SET_AUTHMODE_NAME, ssl_set_authmode_fn, __ssl_set_authmode);
+	LOAD(SSL_CONF_ENDPOINT_NAME, ssl_conf_endpoint_fn, __ssl_conf_endpoint);
+	LOAD(SSL_CONF_CIPHERSUITES_NAME, ssl_conf_ciphersuites_fn, __ssl_conf_ciphersuites);
+	LOAD(SSL_CONF_SESSION_CACHE_NAME, ssl_conf_session_cache_fn, __ssl_conf_session_cache);
+	LOAD(SSL_CONF_CA_CHAIN_NAME, ssl_conf_ca_chain_fn, __ssl_conf_ca_chain);
+	LOAD(SSL_CONF_OWN_CERT_NAME, ssl_conf_own_cert_fn, __ssl_conf_own_cert);
+	LOAD(SSL_CONF_AUTHMODE_NAME, ssl_conf_authmode_fn, __ssl_conf_authmode);
+# ifdef DEBUG_SSL
+	LOAD(SSL_CONF_DBG_NAME, ssl_conf_dbg_fn, __ssl_conf_dbg);
+# endif
+
 	LOAD(SSL_CACHE_INIT_NAME, ssl_cache_init_fn, __ssl_cache_init);
 	LOAD(SSL_CACHE_FREE_NAME, ssl_cache_free_fn, __ssl_cache_free);
 	LOAD(SSL_CACHE_SET_NAME, ssl_cache_set_fn, __ssl_cache_set);
 	LOAD(SSL_CACHE_GET_NAME, ssl_cache_get_fn, __ssl_cache_get);
+
+	LOAD(SSL_SETUP_NAME, ssl_setup_fn, __ssl_setup);
 }
 
 static void mbedtls_dll_load(void)
@@ -165,7 +259,7 @@ static void mbedtls_dll_load(void)
 		return;
 	}
 
-	if (__mbedtls_path_buf != NULL && !__mbedtls_path_buf->empty()) {
+	if (__mbedtls_path_buf && !__mbedtls_path_buf->empty()) {
 		__mbedtls_path = __mbedtls_path_buf->c_str();
 	}
 
@@ -183,26 +277,43 @@ static void mbedtls_dll_load(void)
 
 # else // !HAS_MBEDTLS_DLL && HAS_MBEDTLS
 
-#  define __entropy_free	::entropy_free
+#  define __pk_init			::mbedtls_pk_init
-#  define __pk_init		::pk_init
+#  define __pk_free			::mbedtls_pk_free
-#  define __pk_free		::pk_free
+#  define __pk_parse_keyfile		::mbedtls_pk_parse_keyfile
-#  define __pk_parse_keyfile	::pk_parse_keyfile
+#  define __x509_crt_init		::mbedtls_x509_crt_init
-#  define __x509_init		::x509_crt_init
+#  define __x509_crt_free		::mbedtls_x509_crt_free
-#  define __x509_free		::x509_crt_free
+#  define __x509_crt_parse_path		::mbedtls_x509_crt_parse_path
-#  define __x509_parse_crtpath	::x509_crt_parse_path
+#  define __x509_crt_parse_file		::mbedtls_x509_crt_parse_file
-#  define __x509_parse_crtfile	::x509_crt_parse_file
+#  ifdef HAS_HAVEGE
-
+#   define __havege_init		::mbedtls_havege_init
-#  define __entropy_init	::entropy_init
+#   define __havege_random		::mbedtls_havege_random
-#  define __ssl_list_ciphersuites ::ssl_list_ciphersuites
+#  else
-#  define __ssl_set_ciphersuites  ::ssl_set_ciphersuites
+#   define __ctr_drbg_init		::mbedtls_ctr_drbg_init
-#  define __ssl_set_session_cache ::ssl_set_session_cache
+#   define __ctr_drbg_free		::mbedtls_ctr_drbg_free
-#  define __ssl_set_ca_chain	::ssl_set_ca_chain
+#   define __ctr_drbg_seed		::mbedtls_ctr_drbg_seed
-#  define __ssl_set_own_cert	::ssl_set_own_cert
+#   define __ctr_drbg_random		::mbedtls_ctr_drbg_random
-#  define __ssl_set_authmode	::ssl_set_authmode
+#  endif
-#  define __ssl_cache_init	::ssl_cache_init
+#  define __entropy_init		::mbedtls_entropy_init
-#  define __ssl_cache_free	::ssl_cache_free
+#  define __entropy_free		::mbedtls_entropy_free
-#  define __ssl_cache_set	::ssl_cache_set
+#  define __entropy_func		::mbedtls_entropy_func
-#  define __ssl_cache_get	::ssl_cache_get
+#  define __ssl_list_ciphersuites	::mbedtls_ssl_list_ciphersuites
+#  define __ssl_config_init		::mbedtls_ssl_config_init
+#  define __ssl_config_defaults		::mbedtls_ssl_config_defaults
+#  define __ssl_conf_rng		::mbedtls_ssl_conf_rng
+#  define __ssl_conf_endpoint		::mbedtls_ssl_conf_endpoint
+#  define __ssl_conf_ciphersuites	::mbedtls_ssl_conf_ciphersuites
+#  define __ssl_conf_session_cache	::mbedtls_ssl_conf_session_cache
+#  define __ssl_conf_ca_chain		::mbedtls_ssl_conf_ca_chain
+#  define __ssl_conf_own_cert		::mbedtls_ssl_conf_own_cert
+#  define __ssl_conf_authmode		::mbedtls_ssl_conf_authmode
+#  ifdef DEBUG_SSL
+#   define __ssl_conf_dbg		::mbedtls_ssl_conf_dbg
+#  endif
+#  define __ssl_cache_init		::mbedtls_ssl_cache_init
+#  define __ssl_cache_free		::mbedtls_ssl_cache_free
+#  define __ssl_cache_set		::mbedtls_ssl_cache_set
+#  define __ssl_cache_get		::mbedtls_ssl_cache_get
+#  define __ssl_setup			::mbedtls_ssl_setup
 
 # endif // HAS_MBEDTLS_DLL
 #endif  // HAS_MBEDTLS
@@ -210,13 +321,15 @@ static void mbedtls_dll_load(void)
 namespace acl
 {
 
-void mbedtls_conf::set_libpath(const char* path acl_unused)
+void mbedtls_conf::set_libpath(const char* libmbedtls)
 {
 #ifdef HAS_MBEDTLS_DLL
 	if (__mbedtls_path_buf == NULL) {
 		__mbedtls_path_buf = NEW string;
 	}
-	*__mbedtls_path_buf = path;
+	*__mbedtls_path_buf = libmbedtls;
+#else
+	(void) libmbedtls;
 #endif
 }
 
@@ -229,27 +342,141 @@ void mbedtls_conf::load(void)
 #endif
 }
 
-void mbedtls_conf::init_once(void)
+static void set_authmode(mbedtls_ssl_config* conf, mbedtls_verify_t verify_mode)
+{
+	switch (verify_mode) {
+	case MBEDTLS_VERIFY_NONE:
+		__ssl_conf_authmode(conf, MBEDTLS_SSL_VERIFY_NONE);
+		break;
+	case MBEDTLS_VERIFY_OPT:
+		__ssl_conf_authmode(conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
+		break;
+	case MBEDTLS_VERIFY_REQ:
+		__ssl_conf_authmode(conf, MBEDTLS_SSL_VERIFY_REQUIRED);
+		break;
+	default:
+		__ssl_conf_authmode(conf, MBEDTLS_SSL_VERIFY_NONE);
+		break;
+	}
+}
+
+bool mbedtls_conf::init_rand(void)
+{
+	char pers[50];
+	safe_snprintf(pers, sizeof(pers), "SSL Pthread Thread %lu",
+		(unsigned long) acl_pthread_self());
+	int ret = __ctr_drbg_seed((mbedtls_ctr_drbg_context*) rnd_,
+			__entropy_func,
+			(mbedtls_entropy_context*) entropy_,
+			(const unsigned char *) pers, strlen(pers));
+	if (ret != 0) {
+		logger_error("ctr_drbg_init error: -0x%04x\n", -ret);
+		return false;
+	}
+
+	// 设置随机数生成器
+	__ssl_conf_rng((mbedtls_ssl_config*) conf_, __ctr_drbg_random,
+		(mbedtls_ctr_drbg_context*) rnd_);
+	return true;
+}
+
+#ifdef DEBUG_SSL
+static void my_debug( void *ctx, int level, const char* fname, int line,
+	const char* str)
+{
+	fprintf((FILE *) ctx, "%s(%d): level=%d, %s", fname, line, level, str);
+	fflush((FILE *) ctx);
+}
+#endif
+
+bool mbedtls_conf::init_once(void)
 {
 	load();
-
 	lock_.lock();
 	if (has_inited_) {
 		lock_.unlock();
-		return;
+		return true;
 	}
 #ifdef HAS_MBEDTLS
+	__ctr_drbg_init((mbedtls_ctr_drbg_context*) rnd_);
 	__entropy_init((mbedtls_entropy_context*) entropy_);
+	__ssl_config_init((mbedtls_ssl_config*) conf_);
+
+#ifdef DEBUG_SSL
+	__ssl_conf_dbg((mbedtls_ssl_config*) conf_, my_debug, stdout);
+#endif
+
+	int ret;
+	if (server_side_) {
+		ret = __ssl_config_defaults((mbedtls_ssl_config*) conf_,
+			MBEDTLS_SSL_IS_SERVER,
+			MBEDTLS_SSL_TRANSPORT_STREAM,
+			MBEDTLS_SSL_PRESET_DEFAULT);
+	} else {
+		ret = __ssl_config_defaults((mbedtls_ssl_config*) conf_,
+			MBEDTLS_SSL_IS_CLIENT,
+			MBEDTLS_SSL_TRANSPORT_STREAM,
+			MBEDTLS_SSL_PRESET_DEFAULT);
+	}
+	if (ret != 0) {
+		logger_error("ssl_config_defaults error=-0x%04x, side=%s",
+			ret, server_side_ ? "server" : "client");
+		return false;
+	}
+
+	if (!init_rand()) {
+		return false;
+	}
+
+	printf(">>>server_side_=%s\n", server_side_ ? "server":"client");
+	set_authmode((mbedtls_ssl_config*) conf_, verify_mode_);
+	__ssl_conf_endpoint((mbedtls_ssl_config*) conf_, server_side_ ?
+		MBEDTLS_SSL_IS_SERVER : MBEDTLS_SSL_IS_CLIENT);
+
+	// Setup cipher_suites
+	const int* cipher_suites = __ssl_list_ciphersuites();
+	if (cipher_suites == NULL) {
+		logger_error("ssl_list_ciphersuites null");
+		return false;
+	}
+
+	__ssl_conf_ciphersuites((mbedtls_ssl_config*) conf_, cipher_suites);
+
+	// Setup cache only for server-side
+	if (server_side_ && cache_ != NULL) {
+		__ssl_conf_session_cache((mbedtls_ssl_config*) conf_, cache_,
+			__ssl_cache_get, __ssl_cache_set);
+	}
+
+	// Setup ca cert
+	if (cacert_) {
+		__ssl_conf_ca_chain((mbedtls_ssl_config*) conf_,
+			(X509_CRT*) cacert_, NULL);
+	}
+
+	// Setup own's cert chain and private key
+	if (cert_chain_ && pkey_) {
+		ret = __ssl_conf_own_cert((mbedtls_ssl_config*) conf_,
+				(X509_CRT*) cert_chain_, (PKEY*) pkey_);
+		if (ret != 0) {
+			logger_error("ssl_conf_own_cert error: -0x%04x", -ret);
+			return false;
+		}
+	}
 #endif
 	has_inited_ = true;
 	lock_.unlock();
+	return true;
 }
 
-mbedtls_conf::mbedtls_conf(void)
+mbedtls_conf::mbedtls_conf(bool server_side)
 {
+	server_side_ = server_side;
 #ifdef HAS_MBEDTLS
 	has_inited_  = false;
+	conf_        = acl_mycalloc(1, sizeof(mbedtls_ssl_config));
 	entropy_     = acl_mycalloc(1, sizeof(mbedtls_entropy_context));
+	rnd_         = acl_mycalloc(1, sizeof(mbedtls_ctr_drbg_context));
 	cacert_      = NULL;
 	cert_chain_  = NULL;
 	
@@ -257,7 +484,10 @@ mbedtls_conf::mbedtls_conf(void)
 	pkey_        = NULL;
 	verify_mode_ = MBEDTLS_VERIFY_NONE;
 #else
+	(void) has_inited_;
+	(void) conf_;
 	(void) entropy_;
+	(void) rnd_;
 	(void) cacert_;
 	(void) cert_chain_;
 	(void) cache_;
@@ -272,7 +502,7 @@ mbedtls_conf::~mbedtls_conf(void)
 	free_ca();
 
 	if (cert_chain_) {
-		__x509_free((X509_CRT*) cert_chain_);
+		__x509_crt_free((X509_CRT*) cert_chain_);
 		acl_myfree(cert_chain_);
 	}
 
@@ -284,8 +514,17 @@ mbedtls_conf::~mbedtls_conf(void)
 	if (has_inited_) {
 		__entropy_free((mbedtls_entropy_context*) entropy_);
 	}
+	acl_myfree(conf_);
 	acl_myfree(entropy_);
 
+	// 使用 havege_random 随机数生成器时，在一些虚机上并不能保证随机性,
+	// 建议使用 ctr_drbg_random 随机数生成器
+#ifdef HAS_HAVEGE
+	acl_myfree(rnd_);
+#else
+	__ctr_drbg_free((mbedtls_ctr_drbg_context*) rnd_);
+#endif
+
 	if (cache_) {
 		__ssl_cache_free((mbedtls_ssl_cache_context*) cache_);
 		acl_myfree(cache_);
@@ -297,7 +536,7 @@ void mbedtls_conf::free_ca(void)
 {
 #ifdef HAS_MBEDTLS
 	if (cacert_) {
-		__x509_free((X509_CRT*) cacert_);
+		__x509_crt_free((X509_CRT*) cacert_);
 		acl_myfree(cacert_);
 		cacert_ = NULL;
 	}
@@ -307,20 +546,23 @@ void mbedtls_conf::free_ca(void)
 bool mbedtls_conf::load_ca(const char* ca_file, const char* ca_path)
 {
 #ifdef HAS_MBEDTLS
-	init_once();
+	if (!init_once()) {
+		logger_error("init_once error");
+		return false;
+	}
 
 	free_ca();
 
 	int  ret;
 
 	cacert_ = acl_mycalloc(1, sizeof(X509_CRT));
-	__x509_init((X509_CRT*) cacert_);
+	__x509_crt_init((X509_CRT*) cacert_);
 
 	if (ca_path && *ca_path) {
-		ret = __x509_parse_crtpath((X509_CRT*) cacert_, ca_path);
+		ret = __x509_crt_parse_path((X509_CRT*) cacert_, ca_path);
 		if (ret != 0) {
 			logger_error("x509_crt_parse_path(%s) error: -0x%04x",
-				ca_path, ret);
+				ca_path, -ret);
 			free_ca();
 			return false;
 		}
@@ -332,10 +574,10 @@ bool mbedtls_conf::load_ca(const char* ca_file, const char* ca_path)
 		return false;
 	}
 
-	ret = __x509_parse_crtfile((X509_CRT*) cacert_, ca_file);
+	ret = __x509_crt_parse_file((X509_CRT*) cacert_, ca_file);
 	if (ret != 0) {
 		logger_error("x509_crt_parse_path(%s) error: -0x%04x",
-			ca_path, ret);
+			ca_path, -ret);
 		free_ca();
 		return false;
 	} else {
@@ -358,23 +600,27 @@ bool mbedtls_conf::add_cert(const char* crt_file)
 	}
 
 #ifdef HAS_MBEDTLS
-	init_once();
+	if (!init_once()) {
+		logger_error("init_once error");
+		return false;
+	}
 
 	if (cert_chain_ == NULL) {
 		cert_chain_ = acl_mycalloc(1, sizeof(X509_CRT));
-		__x509_init((X509_CRT*) cert_chain_);
+		__x509_crt_init((X509_CRT*) cert_chain_);
 	}
 
-	int ret = __x509_parse_crtfile((X509_CRT*) cert_chain_, crt_file);
+	int ret = __x509_crt_parse_file((X509_CRT*) cert_chain_, crt_file);
 	if (ret != 0) {
 		logger_error("x509_crt_parse_file(%s) error: -0x%04x",
-			crt_file, ret);
+			crt_file, -ret);
 
-		__x509_free((X509_CRT*) cert_chain_);
+		__x509_crt_free((X509_CRT*) cert_chain_);
 		acl_myfree(cert_chain_);
 		cert_chain_ = NULL;
 		return false;
 	}
+	printf("%s(%d): add cert %s ok\n", __FUNCTION__, __LINE__, crt_file);
 
 	return true;
 #else
@@ -388,7 +634,10 @@ bool mbedtls_conf::set_key(const char* key_file,
 	const char* key_pass /* = NULL */)
 {
 #ifdef HAS_MBEDTLS
-	init_once();
+	if (!init_once()) {
+		logger_error("init_once error");
+		return false;
+	}
 
 	if (pkey_ != NULL) {
 		__pk_free((PKEY*) pkey_);
@@ -403,7 +652,7 @@ bool mbedtls_conf::set_key(const char* key_file,
 			key_pass ? key_pass : "");
 	if (ret != 0) {
 		logger_error("pk_parse_keyfile(%s) error: -0x%04x",
-			key_file, ret);
+			key_file, -ret);
 
 		__pk_free((PKEY*) pkey_);
 		acl_myfree(pkey_);
@@ -411,6 +660,7 @@ bool mbedtls_conf::set_key(const char* key_file,
 		return false;
 	}
 
+	printf("%s(%d): set key %s ok\r\n", __FUNCTION__, __LINE__, key_file);
 	return true;
 #else
 	(void) key_file;
@@ -424,7 +674,10 @@ bool mbedtls_conf::set_key(const char* key_file,
 void mbedtls_conf::enable_cache(bool on)
 {
 #ifdef HAS_MBEDTLS
-	init_once();
+	if (!init_once()) {
+		logger_error("init_once error");
+		return;
+	}
 
 	if (on) {
 		if (cache_ != NULL) {
@@ -443,69 +696,22 @@ void mbedtls_conf::enable_cache(bool on)
 #endif
 }
 
-bool mbedtls_conf::setup_certs(void* ssl_in, bool server_side)
+bool mbedtls_conf::setup_certs(void* ssl)
 {
 #ifdef HAS_MBEDTLS
-	init_once();
+	if (!init_once()) {
-
-	mbedtls_ssl_context* ssl = (mbedtls_ssl_context*) ssl_in;
-
-	switch (verify_mode_) {
-	case MBEDTLS_VERIFY_NONE:
-		__ssl_set_authmode((mbedtls_ssl_context*) ssl, MBEDTLS_SSL_VERIFY_NONE);
-		break;
-	case MBEDTLS_VERIFY_OPT:
-		__ssl_set_authmode((mbedtls_ssl_context*) ssl, MBEDTLS_SSL_VERIFY_OPTIONAL);
-		break;
-	case MBEDTLS_VERIFY_REQ:
-		__ssl_set_authmode((mbedtls_ssl_context*) ssl, MBEDTLS_SSL_VERIFY_REQUIRED);
-		break;
-	default:
-		__ssl_set_authmode((mbedtls_ssl_context*) ssl, MBEDTLS_SSL_VERIFY_NONE);
-		break;
-	}
-
-	// Setup cipher_suites
-	const int* cipher_suites = __ssl_list_ciphersuites();
-	if (cipher_suites == NULL) {
-		logger_error("ssl_list_ciphersuites null");
 		return false;
 	}
-	__ssl_set_ciphersuites((mbedtls_ssl_context*) ssl, cipher_suites);
 
-//	::ssl_set_min_version((mbedtls_ssl_context*) ssl, MBEDTLS_SSL_MAJOR_VERSION_3,
+	int ret = __ssl_setup((mbedtls_ssl_context*) ssl,
-//		SSL_MINOR_VERSION_0);
+			(mbedtls_ssl_config*) conf_);
-//	::ssl_set_renegotiation((mbedtls_ssl_context*) ssl, MBEDTLS_SSL_RENEGOTIATION_DISABLED);
+	if (ret != 0) {
-//	::ssl_set_dh_param((mbedtls_ssl_context*) &ssl, MBEDTLS_DHM_RFC5114_MODP_2048_P,
+		logger_error("ssl_setup error:-0x%04x", -ret);
-//		MBEDTLS_DHM_RFC5114_MODP_2048_G );
+		return false;
-
-	// Setup cache only for server-side
-	if (server_side && cache_ != NULL) {
-		__ssl_set_session_cache(ssl, __ssl_cache_get,
-			(mbedtls_ssl_cache_context*) cache_, __ssl_cache_set,
-			(mbedtls_ssl_cache_context*) cache_);
 	}
-
-	// Setup ca cert
-	if (cacert_) {
-		__ssl_set_ca_chain(ssl, (X509_CRT*) cacert_, NULL, NULL);
-	}
-
-	// Setup own's cert chain and private key
-
-	if (cert_chain_ && pkey_) {
-		int ret = __ssl_set_own_cert(ssl, (X509_CRT*) cert_chain_,
-				(PKEY*) pkey_);
-		if (ret != 0) {
-			logger_error("ssl_set_own_cert error: -0x%04x", ret);
-			return false;
-		}
-	}
-
 	return true;
 #else
-	(void) ssl_in;
+	(void) ssl;
-	(void) server_side;
 	logger_error("HAS_MBEDTLS not defined!");
 	return false;
 #endif

lib_acl_cpp/src/stream/mbedtls_io.cpp

@@ -25,103 +25,52 @@
 
 #if defined(HAS_MBEDTLS_DLL)
 
-# define CTR_DRBG_FREE_NAME		"mbedtls_ctr_drbg_free"
-
-# ifdef HAS_HAVEGE
-#  define HAVEGE_INIT_NAME		"mbedtls_havege_init"
-#  define HAVEGE_RANDOM_NAME		"mbedtls_havege_random"
-# else
-#  define CTR_DRBG_INIT_NAME		"mbedtls_ctr_drbg_init"
-#  define ENTROPY_FUNC_NAME		"mbedtls_entropy_func"
-#  define CTR_DRBG_RANDOM_NAME		"mbedtls_ctr_drbg_random"
-# endif
-
-# ifdef DEBUG_SSL
-#  define SSL_SET_DBG_NAME		"mbedtls_ssl_set_dbg"
-# endif
-
-# define SSL_SET_SESSION_NAME		"mbedtls_ssl_set_session"
-# define SSL_SET_RNG_NAME		"mbedtls_ssl_set_rng"
 # define SSL_INIT_NAME			"mbedtls_ssl_init"
 # define SSL_FREE_NAME			"mbedtls_ssl_free"
-# define SSL_SET_ENDPOINT_NAME		"mbedtls_ssl_set_endpoint"
+# define SSL_SET_HOSTNAME_NAME		"mbedtls_ssl_set_hostname"
-# define SSL_SESSION_FREE_NAME		"mbedtls_ssl_session_free"
 # define SSL_SET_BIO_NAME		"mbedtls_ssl_set_bio"
-# define SSL_CLOSE_NOTIFY_NAME		"mbedtls_ssl_close_notify"
-# define SSL_HANDSHAKE_NAME		"mbedtls_ssl_handshake"
-# define SSL_GET_VERIFY_RESULT_NAME	"mbedtls_ssl_get_verify_result"
-# define SSL_GET_PEER_CERT_NAME		"mbedtls_ssl_get_peer_cert"
 # define SSL_READ_NAME			"mbedtls_ssl_read"
 # define SSL_WRITE_NAME			"mbedtls_ssl_write"
+# define SSL_HANDSHAKE_NAME		"mbedtls_ssl_handshake"
+# define SSL_SET_SESSION_NAME		"mbedtls_ssl_set_session"
+# define SSL_SESSION_FREE_NAME		"mbedtls_ssl_session_free"
+# define SSL_SESSION_RESET_NAME		"mbedtls_ssl_session_reset"
+# define SSL_CLOSE_NOTIFY_NAME		"mbedtls_ssl_close_notify"
+# define SSL_GET_VERIFY_RESULT_NAME	"mbedtls_ssl_get_verify_result"
+# define SSL_GET_PEER_CERT_NAME		"mbedtls_ssl_get_peer_cert"
 # define SSL_GET_BYTES_AVAIL_NAME	"mbedtls_ssl_get_bytes_avail"
 
-typedef void (*ctr_drbg_free_fn)(mbedtls_ctr_drbg_context*);
+typedef void (*ssl_init_fn)(mbedtls_ssl_context*);
-
-# ifdef HAS_HAVEGE
-typedef void (*havege_init_fn)(mbedtls_havege_state*);
-typedef int (*havege_random_fn)(void*, unsigned char*, size_t);
-# else
-typedef int (*ctr_drbg_init_fn)(mbedtls_ctr_drbg_context*,
-		int (*)(void*, unsigned char*, size_t), void *,
-		const unsigned char*, size_t);
-typedef int (*ctr_drbg_random_fn)(void*, unsigned char*, size_t);
-typedef int (*entropy_func_fn)(void*, unsigned char*, size_t);
-# endif
-
-# ifdef DEBUG_SSL
-typedef void (ssl_set_dbg_fn)(mbedtls_ssl_context*,
-		void (*)(void*, int, const char*), void*);
-# endif
-
-typedef int  (*ssl_set_session_fn)(mbedtls_ssl_context*, const mbedtls_ssl_session*);
-typedef void (ssl_set_session_cache_fn)(mbedtls_ssl_context*,
-		int (*)(void*, mbedtls_ssl_session*), void*,
-		int (*)(void*, const mbedtls_ssl_session*), void*);
-typedef void (*ssl_set_rng_fn)(mbedtls_ssl_context*,
-		int (*f_rng)(void*, unsigned char*, size_t), void *p_rng);
-typedef int (*ssl_init_fn)(mbedtls_ssl_context*);
 typedef void (*ssl_free_fn)(mbedtls_ssl_context*);
-typedef void (*ssl_set_endpoint_fn)(mbedtls_ssl_context*, int);
+typedef int  (*ssl_set_hostname_fn)(mbedtls_ssl_context*, const char*);
-typedef void (*ssl_session_free_fn)(mbedtls_ssl_session*);
+typedef void (*ssl_set_bio_fn)(mbedtls_ssl_context*, void*,
-typedef void (*ssl_set_bio_fn)(mbedtls_ssl_context*,
+		int (*f_send)(void*, const unsigned char*, size_t),
-		int (*)(void*, unsigned char*, size_t), void*,
+		int (*f_recv)(void*, unsigned char*, size_t),
-		int (*)(void*, const unsigned char*, size_t), void*);
+		int (*f_recv_timeo)(void*, unsigned char*, size_t, unsigned));
-typedef int (*ssl_close_notify_fn)(mbedtls_ssl_context*);
-typedef int (*ssl_handshake_fn)(mbedtls_ssl_context*);
-typedef int (*ssl_get_verify_result_fn)(const mbedtls_ssl_context*);
-typedef const mbedtls_x509_crt *(*ssl_get_peer_cert_fn)(const mbedtls_ssl_context*);
 typedef int (*ssl_read_fn)(mbedtls_ssl_context*, unsigned char*, size_t);
 typedef int (*ssl_write_fn)(mbedtls_ssl_context*, const unsigned char*, size_t);
+typedef int  (*ssl_handshake_fn)(mbedtls_ssl_context*);
+typedef int  (*ssl_set_session_fn)(mbedtls_ssl_context*, const mbedtls_ssl_session*);
+typedef void (*ssl_session_free_fn)(mbedtls_ssl_session*);
+typedef int  (*ssl_session_reset_fn)(mbedtls_ssl_context*);
+typedef int  (*ssl_close_notify_fn)(mbedtls_ssl_context*);
+typedef unsigned (*ssl_get_verify_result_fn)(const mbedtls_ssl_context*);
+typedef const mbedtls_x509_crt *(*ssl_get_peer_cert_fn)(const mbedtls_ssl_context*);
 typedef size_t (*ssl_get_bytes_avail_fn)(const mbedtls_ssl_context*);
 
-static ctr_drbg_free_fn			__ctr_drbg_free;
-
-# ifdef HAS_HAVEGE
-static havege_init_fn			__havege_init;
-static havege_random_fn			__havege_random;
-# else
-static ctr_drbg_init_fn			__ctr_drbg_init;
-static ctr_drbg_random_fn		__ctr_drbg_random;
-static entropy_func_fn			__entropy_func;
-# endif
-# ifdef DEBUG_SSL
-static ssl_set_dbg_fn			__ssl_set_dbg;
-# endif
-
-static ssl_set_session_fn		__ssl_set_session;
-//static ssl_set_session_cache_fn		__ssl_set_session_cache;
-static ssl_set_rng_fn			__ssl_set_rng;
 static ssl_init_fn			__ssl_init;
 static ssl_free_fn			__ssl_free;
-static ssl_set_endpoint_fn		__ssl_set_endpoint;
+static ssl_set_hostname_fn		__ssl_set_hostname;
-static ssl_session_free_fn		__ssl_session_free;
 static ssl_set_bio_fn			__ssl_set_bio;
-static ssl_close_notify_fn		__ssl_close_notify;
-static ssl_handshake_fn			__ssl_handshake;
-static ssl_get_verify_result_fn		__ssl_get_verify_result;
-static ssl_get_peer_cert_fn		__ssl_get_peer_cert;
 static ssl_read_fn			__ssl_read;
 static ssl_write_fn			__ssl_write;
+static ssl_handshake_fn			__ssl_handshake;
+static ssl_set_session_fn		__ssl_set_session;
+static ssl_session_free_fn		__ssl_session_free;
+static ssl_session_reset_fn		__ssl_session_reset;
+static ssl_close_notify_fn		__ssl_close_notify;
+static ssl_get_verify_result_fn		__ssl_get_verify_result;
+static ssl_get_peer_cert_fn		__ssl_get_peer_cert;
 static ssl_get_bytes_avail_fn		__ssl_get_bytes_avail;
 
 extern ACL_DLL_HANDLE __mbedtls_dll;  // defined in mbedtls_conf.cpp
@@ -136,67 +85,37 @@ void mbedtls_dll_load_io(void)
 
 	acl_assert(__mbedtls_dll);
 
-	LOAD(CTR_DRBG_FREE_NAME, ctr_drbg_free_fn, __ctr_drbg_free);
-
-# ifdef HAS_HAVEGE
-	LOAD(HAVEGE_INIT_NAME, havege_init_fn, __havege_init);
-	LOAD(HAVEGE_RANDOM_NAME, havege_random_fn, __havege_random);
-# else
-	LOAD(CTR_DRBG_INIT_NAME, ctr_drbg_init_fn, __ctr_drbg_init);
-	LOAD(CTR_DRBG_RANDOM_NAME, ctr_drbg_random_fn, __ctr_drbg_random);
-	LOAD(ENTROPY_FUNC_NAME, entropy_func_fn, __entropy_func);
-# endif
-
-# ifdef DEBUG_SSL
-	LOAD(SSL_SET_DBG_NAME, ssl_set_dbg_fn, __ssl_set_dbg);
-# endif
-
-	LOAD(SSL_SET_SESSION_NAME, ssl_set_session_fn, __ssl_set_session);
-	LOAD(SSL_SET_RNG_NAME, ssl_set_rng_fn, __ssl_set_rng);
 	LOAD(SSL_INIT_NAME, ssl_init_fn, __ssl_init);
 	LOAD(SSL_FREE_NAME, ssl_free_fn, __ssl_free);
-	LOAD(SSL_SET_ENDPOINT_NAME, ssl_set_endpoint_fn, __ssl_set_endpoint);
+	LOAD(SSL_SET_HOSTNAME_NAME, ssl_set_hostname_fn, __ssl_set_hostname);
-	LOAD(SSL_SESSION_FREE_NAME, ssl_session_free_fn, __ssl_session_free);
 	LOAD(SSL_SET_BIO_NAME, ssl_set_bio_fn, __ssl_set_bio);
-	LOAD(SSL_CLOSE_NOTIFY_NAME, ssl_close_notify_fn, __ssl_close_notify);
-	LOAD(SSL_HANDSHAKE_NAME, ssl_handshake_fn, __ssl_handshake);
-	LOAD(SSL_GET_VERIFY_RESULT_NAME, ssl_get_verify_result_fn, __ssl_get_verify_result);
-	LOAD(SSL_GET_PEER_CERT_NAME, ssl_get_peer_cert_fn, __ssl_get_peer_cert);
 	LOAD(SSL_READ_NAME, ssl_read_fn, __ssl_read);
 	LOAD(SSL_WRITE_NAME, ssl_write_fn, __ssl_write);
+	LOAD(SSL_HANDSHAKE_NAME, ssl_handshake_fn, __ssl_handshake);
+	LOAD(SSL_SET_SESSION_NAME, ssl_set_session_fn, __ssl_set_session);
+	LOAD(SSL_SESSION_FREE_NAME, ssl_session_free_fn, __ssl_session_free);
+	LOAD(SSL_SESSION_RESET_NAME, ssl_session_reset_fn, __ssl_session_reset);
+	LOAD(SSL_CLOSE_NOTIFY_NAME, ssl_close_notify_fn, __ssl_close_notify);
+	LOAD(SSL_GET_VERIFY_RESULT_NAME, ssl_get_verify_result_fn, __ssl_get_verify_result);
+	LOAD(SSL_GET_PEER_CERT_NAME, ssl_get_peer_cert_fn, __ssl_get_peer_cert);
 	LOAD(SSL_GET_BYTES_AVAIL_NAME, ssl_get_bytes_avail_fn, __ssl_get_bytes_avail);
 }
 
 #elif defined(HAS_MBEDTLS)
 
-# define __ctr_drbg_free		::mbedtls_ctr_drbg_free
-
-# ifdef HAS_HAVEGE
-#  define __havege_init			::mbedtls_havege_init
-#  define __havege_random		::mbedtls_havege_random
-# else
-#  define __ctr_drbg_init		::mbedtls_ctr_drbg_init
-#  define __ctr_drbg_random		::mbedtls_ctr_drbg_random
-#  define __entropy_func		::mbedtls_entropy_func
-# endif
-# ifdef DEBUG_SSL
-#  define __ssl_set_dbg			::mbedtls_ssl_set_dbg
-# endif
-
-# define __ssl_set_session		::mbedtls_ssl_set_session
-//# define __ssl_set_session_cache	::mbedtls_ssl_set_session_cache
-# define __ssl_set_rng			::mbedtls_ssl_set_rng
 # define __ssl_init			::mbedtls_ssl_init
 # define __ssl_free			::mbedtls_ssl_free
-# define __ssl_set_endpoint		::mbedtls_ssl_set_endpoint
+# define __ssl_set_hostname		::mbedtls_ssl_set_hostname
-# define __ssl_session_free		::mbedtls_ssl_session_free
 # define __ssl_set_bio			::mbedtls_ssl_set_bio
-# define __ssl_close_notify		::mbedtls_ssl_close_notify
-# define __ssl_handshake		::mbedtls_ssl_handshake
-# define __ssl_get_verify_result	::mbedtls_ssl_get_verify_result
-# define __ssl_get_peer_cert		::mbedtls_ssl_get_peer_cert
 # define __ssl_read			::mbedtls_ssl_read
 # define __ssl_write			::mbedtls_ssl_write
+# define __ssl_handshake		::mbedtls_ssl_handshake
+# define __ssl_set_session		::mbedtls_ssl_set_session
+# define __ssl_session_free		::mbedtls_ssl_session_free
+# define __ssl_session_reset		::mbedtls_ssl_session_reset
+# define __ssl_close_notify		::mbedtls_ssl_close_notify
+# define __ssl_get_verify_result	::mbedtls_ssl_get_verify_result
+# define __ssl_get_peer_cert		::mbedtls_ssl_get_peer_cert
 # define __ssl_get_bytes_avail		::mbedtls_ssl_get_bytes_avail
 
 #endif
@@ -209,7 +128,6 @@ mbedtls_io::mbedtls_io(mbedtls_conf& conf, bool server_side,
 , conf_(conf)
 , ssl_(NULL)
 , ssn_(NULL)
-, rnd_(NULL)
 {
 #ifdef HAS_MBEDTLS
 	conf.init_once();
@@ -222,30 +140,11 @@ mbedtls_io::~mbedtls_io(void)
 	if (ssl_) {
 		__ssl_free((mbedtls_ssl_context*) ssl_);
 		acl_myfree(ssl_);
-		ssl_ = NULL;
 	}
 	if (ssn_) {
 		__ssl_session_free((mbedtls_ssl_session*) ssn_);
 		acl_myfree(ssn_);
-		ssn_ = NULL;
 	}
-
-	// 使用 havege_random 随机数生成器时，在一些虚机上并不能保证随机性，
-	// 建议使用 ctr_drbg_random 随机数生成器
-# undef HAS_HAVEGE
-
-# ifdef HAS_HAVEGE
-	if (rnd_) {
-		acl_myfree(rnd_);
-		rnd_ = NULL;
-	}
-# else
-	if (rnd_) {
-		__ctr_drbg_free((mbedtls_ctr_drbg_context*) rnd_);
-		rnd_ = NULL;
-	}
-# endif
-
 #endif
 }
 
@@ -288,77 +187,43 @@ bool mbedtls_io::open(ACL_VSTREAM* s)
 		return false;
 	}
 
+	char host[128];
+	host[0] = 0;
+
+	char* ptr = ACL_VSTREAM_PEER(s);
+	if (ptr && *ptr) {
+		safe_snprintf(host, sizeof(host), ptr);
+	} else if (acl_getpeername(ACL_VSTREAM_SOCK(s), host, sizeof(host))) {
+		logger_error("can't acl_getpeername error=%s", last_serror());
+		return false;
+	}
+
+	ptr = strrchr(host, '|');
+	if (ptr == NULL) {
+		ptr = strrchr(host, ':');
+	}
+	if (ptr) {
+		*ptr = 0;
+	}
+
 	stream_ = s;
 	++(*refers_);
 
 	ssl_ = acl_mycalloc(1, sizeof(mbedtls_ssl_context));
 
-	int ret;
-
 	// 初始化 SSL 对象
-	if ((ret = __ssl_init((mbedtls_ssl_context*) ssl_)) != 0) {
+	__ssl_init((mbedtls_ssl_context*) ssl_);
-		logger_error("failed, ssl_init error: -0x%04x\n", ret);
-		acl_myfree(ssl_);
-		ssl_ = NULL;
-		return false;
-	}
 
-	// 需要区分 SSL 连接是客户端模式还是服务器模式
+	if (host[0]) {
-	if (server_side_) {
+		__ssl_set_hostname((mbedtls_ssl_context*) ssl_, host);
-		__ssl_set_endpoint((mbedtls_ssl_context*) ssl_, MBEDTLS_SSL_IS_SERVER);
-	} else {
-		__ssl_set_endpoint((mbedtls_ssl_context*) ssl_, MBEDTLS_SSL_IS_CLIENT);
-	}
-
-	// 初始化随机数生成过程
-
-# ifdef HAS_HAVEGE
-	rnd_ = acl_mymalloc(sizeof(mbedtls_havege_state));
-	__havege_init((mbedtls_havege_state*) rnd_);
-
-	// 设置随机数生成器
-	__ssl_set_rng((mbedtls_ssl_context*) ssl_, __havege_random, rnd_);
-# else
-	rnd_ = acl_mymalloc(sizeof(mbedtls_ctr_drbg_context));
-
-	char pers[50];
-	safe_snprintf(pers, sizeof(pers), "SSL Pthread Thread %lu",
-		(unsigned long) acl_pthread_self());
-
-	ret = __ctr_drbg_init((mbedtls_ctr_drbg_context*) rnd_, __entropy_func,
-			(mbedtls_entropy_context*) conf_.get_entropy(),
-			(const unsigned char *) pers, strlen(pers));
-	if (ret != 0) {
-		logger_error("ctr_drbg_init error: -0x%04x\n", ret);
-		return false;
-	}
-
-	// 设置随机数生成器
-	__ssl_set_rng((mbedtls_ssl_context*) ssl_, __ctr_drbg_random, rnd_);
-# endif
-
-# ifdef	DEBUG_SSL
-	__ssl_set_dbg((mbedtls_ssl_context*) ssl_, my_debug, stdout);
-# endif
-	
-	if (!server_side_) {
-		// 只有客户端模式下才会调用此过程
-
-		ssn_ = acl_mycalloc(1, sizeof(mbedtls_ssl_session));
-		ret = __ssl_set_session((mbedtls_ssl_context*) ssl_,
-			(mbedtls_ssl_session*) ssn_);
-		if (ret != 0) {
-			logger_error("ssl_set_session error: -0x%04x\n", ret);
-			acl_myfree(ssn_);
-			ssn_ = NULL;
-		}
 	}
 
 	// 配置全局参数（包含证书、私钥）
-	conf_.setup_certs(ssl_, server_side_);
+	conf_.setup_certs(ssl_);
 
 	// Setup SSL IO callback
-	__ssl_set_bio((mbedtls_ssl_context*) ssl_, sock_read, this, sock_send, this);
+	__ssl_set_bio((mbedtls_ssl_context*) ssl_, this,
+		sock_send, sock_read, NULL);
 
 	// 非阻塞模式下先不启动 SSL 握手过程
 	if (nblock_) {
@@ -424,7 +289,7 @@ bool mbedtls_io::handshake(void)
 		if (ret != MBEDTLS_ERR_SSL_WANT_READ
 			&& ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
 
-			logger_error("ssl_handshake failed: -0x%04x", ret);
+			logger_error("ssl_handshake failed: -0x%04x", -ret);
 			return false;
 		}
 
@@ -443,7 +308,7 @@ bool mbedtls_io::handshake(void)
 bool mbedtls_io::check_peer(void)
 {
 #ifdef HAS_MBEDTLS
-	int   ret = __ssl_get_verify_result((mbedtls_ssl_context*) ssl_);
+	int ret = __ssl_get_verify_result((mbedtls_ssl_context*) ssl_);
 	if (ret != 0) {
 		if (!__ssl_get_peer_cert((mbedtls_ssl_context*) ssl_)) {
 			logger("no client certificate sent");
@@ -567,7 +432,6 @@ int mbedtls_io::sock_read(void *ctx, unsigned char *buf, size_t len)
 	// acl_socket_read 内部会根据 vs->read_ready 标志位决定是否需要
 	// 以超时方式读数据，同时会自动清除 vs->read_ready 标志位
 	int ret = acl_socket_read(fd, buf, len, vs->rw_timeout, vs, NULL);
-
 	if (ret < 0) {
 		int errnum = acl_last_error();
 

lib_acl_cpp/src/stream/polarssl_conf.cpp

@@ -343,7 +343,7 @@ bool polarssl_conf::load_ca(const char* ca_file, const char* ca_path)
 		ret = __x509_parse_crtpath((X509_CRT*) cacert_, ca_path);
 		if (ret != 0) {
 			logger_error("x509_crt_parse_path(%s) error: -0x%04x",
-				ca_path, ret);
+				ca_path, -ret);
 			free_ca();
 			return false;
 		}
@@ -358,7 +358,7 @@ bool polarssl_conf::load_ca(const char* ca_file, const char* ca_path)
 	ret = __x509_parse_crtfile((X509_CRT*) cacert_, ca_file);
 	if (ret != 0) {
 		logger_error("x509_crt_parse_path(%s) error: -0x%04x",
-			ca_path, ret);
+			ca_path, -ret);
 		free_ca();
 		return false;
 	} else {
@@ -391,7 +391,7 @@ bool polarssl_conf::add_cert(const char* crt_file)
 	int ret = __x509_parse_crtfile((X509_CRT*) cert_chain_, crt_file);
 	if (ret != 0) {
 		logger_error("x509_crt_parse_file(%s) error: -0x%04x",
-			crt_file, ret);
+			crt_file, -ret);
 
 		__x509_free((X509_CRT*) cert_chain_);
 		acl_myfree(cert_chain_);
@@ -430,7 +430,7 @@ bool polarssl_conf::set_key(const char* key_file,
 			key_pass ? key_pass : "");
 	if (ret != 0) {
 		logger_error("pk_parse_keyfile(%s) error: -0x%04x",
-			key_file, ret);
+			key_file, -ret);
 
 		__pkey_free((PKEY*) pkey_);
 		acl_myfree(pkey_);
@@ -530,7 +530,7 @@ bool polarssl_conf::setup_certs(void* ssl_in, bool server_side)
 		int ret = __ssl_set_own_cert(ssl, (X509_CRT*) cert_chain_,
 				(PKEY*) pkey_);
 		if (ret != 0) {
-			logger_error("ssl_set_own_cert error: -0x%04x", ret);
+			logger_error("ssl_set_own_cert error: -0x%04x", -ret);
 			return false;
 		}
 # else

lib_acl_cpp/src/stream/polarssl_io.cpp

@@ -309,7 +309,7 @@ bool polarssl_io::open(ACL_VSTREAM* s)
 
 	// ³õʼ»¯ SSL ¶ÔÏó
 	if ((ret = __ssl_init((ssl_context*) ssl_)) != 0) {
-		logger_error("failed, ssl_init error: -0x%04x\n", ret);
+		logger_error("failed, ssl_init error: -0x%04x\n", -ret);
 		acl_myfree(ssl_);
 		ssl_ = NULL;
 		return false;
@@ -341,7 +341,7 @@ bool polarssl_io::open(ACL_VSTREAM* s)
 			(entropy_context*) conf_.get_entropy(),
 			(const unsigned char *) pers, strlen(pers));
 	if (ret != 0) {
-		logger_error("ctr_drbg_init error: -0x%04x\n", ret);
+		logger_error("ctr_drbg_init error: -0x%04x\n", -ret);
 		return false;
 	}
 
@@ -361,7 +361,7 @@ bool polarssl_io::open(ACL_VSTREAM* s)
 		ret = __ssl_set_session((ssl_context*) ssl_,
 			(ssl_session*) ssn_);
 		if (ret != 0) {
-			logger_error("ssl_set_session error: -0x%04x\n", ret);
+			logger_error("ssl_set_session error: -0x%04x\n", -ret);
 			acl_myfree(ssn_);
 			ssn_ = NULL;
 		}
@@ -440,7 +440,7 @@ bool polarssl_io::handshake(void)
 		if (ret != POLARSSL_ERR_NET_WANT_READ
 			&& ret != POLARSSL_ERR_NET_WANT_WRITE) {
 
-			logger_error("ssl_handshake failed: -0x%04x", ret);
+			logger_error("ssl_handshake failed: -0x%04x", -ret);
 			return false;
 		}