ssl加密管理类:
- #if TARS_SSL
-
- #include "util/tc_sslmgr.h"
- #include "util/tc_buffer.h"
- #include <arpa/inet.h>
- #include <openssl/ssl.h>
- #include <openssl/err.h>
-
- namespace tars
- {
-
- SSLManager::SSLManager()
- {
- }
-
- void SSLManager::GlobalInit()
- {
- (void)SSL_library_init();
- OpenSSL_add_all_algorithms();
-
- ERR_load_ERR_strings();
- SSL_load_error_strings();
- }
-
-
- SSLManager::~SSLManager()
- {
- for (CTX_MAP::iterator it(_ctxSet.begin());
- it != _ctxSet.end();
- ++ it)
- {
- SSL_CTX_free(it->second);
- }
-
- ERR_free_strings();
- EVP_cleanup();
- }
-
- bool SSLManager::AddCtx(const std::string& name,
- const std::string& cafile,
- const std::string& certfile,
- const std::string& keyfile,
- bool verifyClient)
- {
- if (_ctxSet.count(name))
- return false;
-
- SSL_CTX* ctx = SSL_CTX_new(SSLv23_method());
- if (!ctx)
- return false;
-
- #define RETURN_IF_FAIL(call) \
- if ((call) <= 0) { \
- ERR_print_errors_fp(stderr); \
- return false;\
- }
-
- if (verifyClient)
- SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, NULL);
- else
- SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER, NULL);
-
- SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
- SSL_CTX_clear_options(ctx, SSL_OP_LEGACY_SERVER_CONNECT);
- SSL_CTX_clear_options(ctx, SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION);
-
- RETURN_IF_FAIL (SSL_CTX_set_session_id_context(ctx, (const unsigned char*)ctx, sizeof ctx));
- if (!cafile.empty())
- RETURN_IF_FAIL (SSL_CTX_load_verify_locations(ctx, cafile.data(), NULL));
-
- // 客户端可以不提供证书的
- if (!certfile.empty())
- RETURN_IF_FAIL (SSL_CTX_use_certificate_file(ctx, certfile.data(), SSL_FILETYPE_PEM));
-
- if (!keyfile.empty())
- {
- RETURN_IF_FAIL (SSL_CTX_use_PrivateKey_file(ctx, keyfile.data(), SSL_FILETYPE_PEM));
- RETURN_IF_FAIL (SSL_CTX_check_private_key(ctx));
- }
-
- #undef RETURN_IF_FAIL
-
- return _ctxSet.insert(std::make_pair(name, ctx)).second;
- }
-
- SSL_CTX* SSLManager::GetCtx(const std::string& name) const
- {
- CTX_MAP::const_iterator it = _ctxSet.find(name);
- return it == _ctxSet.end() ? NULL: it->second;
- }
-
-
-
- SSL* NewSSL(const std::string& ctxName)
- {
- SSL_CTX* ctx = SSLManager::getInstance()->GetCtx(ctxName);
- if (!ctx)
- return NULL;
-
- SSL* ssl = SSL_new(ctx);
-
- SSL_set_mode(ssl, SSL_MODE_ACCEPT_MOVING_WRITE_BUFFER); // allow retry ssl-write with different args
- SSL_set_bio(ssl, BIO_new(BIO_s_mem()), BIO_new(BIO_s_mem()));
-
- BIO_set_mem_eof_return(SSL_get_rbio(ssl), -1);
- BIO_set_mem_eof_return(SSL_get_wbio(ssl), -1);
-
- return ssl;
- }
-
- void GetMemData(BIO* bio, TC_Buffer& buf)
- {
- while (true)
- {
- buf.AssureSpace(16 * 1024);
- int bytes = BIO_read(bio, buf.WriteAddr(), buf.WritableSize());
- if (bytes <= 0)
- return;
-
- buf.Produce(bytes);
- }
-
- // never here
- }
-
- void GetSSLHead(const char* data, char& type, unsigned short& ver, unsigned short& len)
- {
- type = data[0];
- ver = *(unsigned short*)(data + 1);
- len = *(unsigned short*)(data + 3);
-
- ver = ntohs(ver);
- len = ntohs(len);
- }
-
- bool DoSSLRead(SSL* ssl, std::string& out)
- {
- while (true)
- {
- char plainBuf[32 * 1024];
-
- ERR_clear_error();
- int bytes = SSL_read(ssl, plainBuf, sizeof plainBuf);
- if (bytes > 0)
- {
- out.append(plainBuf, bytes);
- }
- else
- {
- int err = SSL_get_error(ssl, bytes);
-
- // when peer issued renegotiation, here will demand us to send handshake data.
- // write to mem bio will always success, only need to check whether has data to send.
- //assert (err != SSL_ERROR_WANT_WRITE);
-
- if (err != SSL_ERROR_WANT_READ && err != SSL_ERROR_ZERO_RETURN)
- {
- printf("DoSSLRead err %d\n", err);
- return false;
- }
-
- break;
- }
- }
-
- return true;
- }
-
- } // end namespace tars
-
- #endif // end #if TARS_SSL
