tls认证--ssl处理client端编写

 

初始化：

struct tls_connection * tls_connection_init(void *ssl_ctx)
{
    struct tls_data *data = ssl_ctx;
    SSL_CTX *ssl = data->ssl;
    struct tls_connection *conn;
    long options;
    X509_STORE *new_cert_store;
    struct os_reltime now;
    struct tls_context *context = SSL_CTX_get_app_data(ssl);

    

    conn = os_zalloc(sizeof(*conn));
    if (conn == NULL)
        return NULL;
    conn->data = data;
    conn->ssl_ctx = ssl;
    conn->ssl = SSL_new(ssl);
    

    conn->context = context;
    SSL_set_app_data(conn->ssl, conn);
    SSL_set_msg_callback(conn->ssl, tls_msg_cb);
    SSL_set_msg_callback_arg(conn->ssl, conn);
    options = SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 |
        SSL_OP_SINGLE_DH_USE;
#ifdef SSL_OP_NO_COMPRESSION
    options |= SSL_OP_NO_COMPRESSION;
#endif /* SSL_OP_NO_COMPRESSION */
    SSL_set_options(conn->ssl, options);
#ifdef SSL_OP_ENABLE_MIDDLEBOX_COMPAT
    /* Hopefully there is no need for middlebox compatibility mechanisms
     * when going through EAP authentication. */
    SSL_clear_options(conn->ssl, SSL_OP_ENABLE_MIDDLEBOX_COMPAT);
#endif

    conn->ssl_in = BIO_new(BIO_s_mem());

    conn->ssl_out = BIO_new(BIO_s_mem())；

    SSL_set_bio(conn->ssl, conn->ssl_in, conn->ssl_out);

    return conn;
}

 

 

 

协商：

openssl_handshake(struct tls_connection *conn, const struct wpabuf *in_data)
{
    int res;
    struct wpabuf *out_data;

    /*
     * Give TLS handshake data from the server (if available) to OpenSSL
     * for processing.
     */
    if (in_data && wpabuf_len(in_data) > 0 &&
        BIO_write(conn->ssl_in, wpabuf_head(in_data), wpabuf_len(in_data))
        < 0) {
        tls_show_errors(MSG_INFO, __func__,
                "Handshake failed - BIO_write");
        return NULL;
    }

    /* Initiate TLS handshake or continue the existing handshake */
    if (conn->server)
        res = SSL_accept(conn->ssl);
    else
        res = SSL_connect(conn->ssl);
    if (res != 1) {
        int err = SSL_get_error(conn->ssl, res);
        if (err == SSL_ERROR_WANT_READ)
            wpa_printf(MSG_DEBUG, "SSL: SSL_connect - want "
                   "more data");
        else if (err == SSL_ERROR_WANT_WRITE)
            wpa_printf(MSG_DEBUG, "SSL: SSL_connect - want to "
                   "write");
        else {
            tls_show_errors(MSG_INFO, __func__, "SSL_connect");
            conn->failed++;
            if (!conn->server && !conn->client_hello_generated) {
                /* The server would not understand TLS Alert
                 * before ClientHello, so simply terminate
                 * handshake on this type of error case caused
                 * by a likely internal error like no ciphers
                 * available. */
                wpa_printf(MSG_DEBUG,
                       "OpenSSL: Could not generate ClientHello");
                conn->write_alerts++;
                return NULL;
            }
        }
    }

    if (!conn->server && !conn->failed)
        conn->client_hello_generated = 1;

#ifdef CONFIG_SUITEB
    if ((conn->flags & TLS_CONN_SUITEB) && !conn->server &&
        os_strncmp(SSL_get_cipher(conn->ssl), "DHE-", 4) == 0 &&
        conn->server_dh_prime_len < 3072) {
        struct tls_context *context = conn->context;

        /*
         * This should not be reached since earlier cert_cb should have
         * terminated the handshake. Keep this check here for extra
         * protection if anything goes wrong with the more low-level
         * checks based on having to parse the TLS handshake messages.
         */
        wpa_printf(MSG_DEBUG,
               "OpenSSL: Server DH prime length: %d bits",
               conn->server_dh_prime_len);

        if (context->event_cb) {
            union tls_event_data ev;

            os_memset(&ev, 0, sizeof(ev));
            ev.alert.is_local = 1;
            ev.alert.type = "fatal";
            ev.alert.description = "insufficient security";
            context->event_cb(context->cb_ctx, TLS_ALERT, &ev);
        }
        /*
         * Could send a TLS Alert to the server, but for now, simply
         * terminate handshake.
         */
        conn->failed++;
        conn->write_alerts++;
        return NULL;
    }
#endif /* CONFIG_SUITEB */

    /* Get the TLS handshake data to be sent to the server */
    res = BIO_ctrl_pending(conn->ssl_out);
    wpa_printf(MSG_DEBUG, "SSL: %d bytes pending from ssl_out", res);
    out_data = wpabuf_alloc(res);
    if (out_data == NULL) {
        wpa_printf(MSG_DEBUG, "SSL: Failed to allocate memory for "
               "handshake output (%d bytes)", res);
        if (BIO_reset(conn->ssl_out) < 0) {
            tls_show_errors(MSG_INFO, __func__,
                    "BIO_reset failed");
        }
        return NULL;
    }
    res = res == 0 ? 0 : BIO_read(conn->ssl_out, wpabuf_mhead(out_data),
                      res);
    if (res < 0) {
        tls_show_errors(MSG_INFO, __func__,
                "Handshake failed - BIO_read");
        if (BIO_reset(conn->ssl_out) < 0) {
            tls_show_errors(MSG_INFO, __func__,
                    "BIO_reset failed");
        }
        wpabuf_free(out_data);
        return NULL;
    }
    wpabuf_put(out_data, res);

    return out_data;
}