ssl = SSL_new (ssl_ctx); if (ssl == NULL) { OSIP_TRACE (osip_trace (__FILE__, __LINE__, OSIP_ERROR, NULL, "Cannot create ssl connection context\n")); return -1; } if (!SSL_check_private_key (ssl)) { OSIP_TRACE (osip_trace (__FILE__, __LINE__, OSIP_ERROR, NULL, "SSL private key check error\n")); } sbio = BIO_new_socket (sock, BIO_NOCLOSE); if (sbio == NULL) { OSIP_TRACE (osip_trace (__FILE__, __LINE__, OSIP_ERROR, NULL, "BIO_new_socket error\n")); } SSL_set_bio (ssl, sbio, sbio); /* cannot fail */ i = SSL_accept (ssl); if (i <= 0) { i = SSL_get_error (ssl, i); print_ssl_error (i); SSL_shutdown (ssl); close (sock); SSL_free (ssl); if (tls_socket_tab[pos].ssl_ctx != NULL) SSL_CTX_free (tls_socket_tab[pos].ssl_ctx); tls_socket_tab[pos].ssl_conn = NULL; tls_socket_tab[pos].ssl_ctx = NULL; tls_socket_tab[pos].socket = 0; return -1; } OSIP_TRACE (osip_trace (__FILE__, __LINE__, OSIP_INFO1, NULL, "New TLS connection accepted\n")); tls_socket_tab[pos].socket = sock; tls_socket_tab[pos].ssl_conn = ssl; tls_socket_tab[pos].ssl_state = 2; memset (src6host, 0, sizeof (src6host)); if (eXtl_tls.proto_family == AF_INET) recvport = ntohs (((struct sockaddr_in *) &sa)->sin_port); else recvport = ntohs (((struct sockaddr_in6 *) &sa)->sin6_port);#if defined(__arc__) { struct sockaddr_in *fromsa = (struct sockaddr_in *) &sa; char *tmp; tmp = inet_ntoa (fromsa->sin_addr); if (tmp == NULL) { OSIP_TRACE (osip_trace (__FILE__, __LINE__, OSIP_ERROR, NULL, "Message received from: NULL:%i inet_ntoa failure\n", recvport)); } else { snprintf (src6host, sizeof (src6host), "%s", tmp); OSIP_TRACE (osip_trace (__FILE__, __LINE__, OSIP_INFO1, NULL, "Message received from: %s:%i\n", src6host, recvport)); osip_strncpy (tls_socket_tab[pos].remote_ip, src6host, sizeof (tls_socket_tab[pos].remote_ip) - 1); tls_socket_tab[pos].remote_port = recvport; } }#else i = getnameinfo ((struct sockaddr *) &sa, slen, src6host, NI_MAXHOST, NULL, 0, NI_NUMERICHOST); if (i != 0) { OSIP_TRACE (osip_trace (__FILE__, 
__LINE__, OSIP_ERROR, NULL, "Message received from: NULL:%i getnameinfo failure\n", recvport)); snprintf (src6host, sizeof (src6host), "127.0.0.1"); } else { OSIP_TRACE (osip_trace (__FILE__, __LINE__, OSIP_INFO1, NULL, "Message received from: %s:%i\n", src6host, recvport)); osip_strncpy (tls_socket_tab[pos].remote_ip, src6host, sizeof (tls_socket_tab[pos].remote_ip) - 1); tls_socket_tab[pos].remote_port = recvport; }#endif } } buf = NULL; for (pos = 0; pos < EXOSIP_MAX_SOCKETS; pos++) { if (tls_socket_tab[pos].socket > 0 && FD_ISSET (tls_socket_tab[pos].socket, osip_fdset)) { int i; int rlen, err; if (buf == NULL) buf = (char *) osip_malloc (SIP_MESSAGE_MAX_LENGTH * sizeof (char) + 1); if (buf == NULL) return OSIP_NOMEM; /* do TLS handshake? */ if (tls_socket_tab[pos].ssl_state == 2) { i = SSL_do_handshake (tls_socket_tab[pos].ssl_conn); if (i <= 0) { i = SSL_get_error (tls_socket_tab[pos].ssl_conn, i); print_ssl_error (i); SSL_shutdown (tls_socket_tab[pos].ssl_conn); close (tls_socket_tab[pos].socket); SSL_free (tls_socket_tab[pos].ssl_conn); if (tls_socket_tab[pos].ssl_ctx != NULL) SSL_CTX_free (tls_socket_tab[pos].ssl_ctx); memset (&(tls_socket_tab[pos]), 0, sizeof (tls_socket_tab[pos])); continue; } tls_socket_tab[pos].ssl_state = 3; } if (tls_socket_tab[pos].ssl_state != 3) continue; i = 0; rlen = 0; do { i = SSL_read (tls_socket_tab[pos].ssl_conn, buf + rlen, SIP_MESSAGE_MAX_LENGTH - rlen); err = SSL_get_error (tls_socket_tab[pos].ssl_conn, i); print_ssl_error (err); switch (err) { case SSL_ERROR_NONE: rlen += i; break; } if (err == SSL_ERROR_SSL || err == SSL_ERROR_SYSCALL || err == SSL_ERROR_ZERO_RETURN) { /* The TLS/SSL connection has been closed. If the protocol version is SSL 3.0 or TLS 1.0, this result code is returned only if a closure alert has occurred in the protocol, i.e. if the connection has been closed cleanly. Note that in this case SSL_ERROR_ZERO_RETURN does not necessarily indicate that the underlying transport has been closed. 
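*/ OSIP_TRACE (osip_trace (__FILE__, __LINE__, OSIP_WARNING, NULL, "TLS closed\n")); SSL_shutdown (tls_socket_tab[pos].ssl_conn); close (tls_socket_tab[pos].socket); SSL_free (tls_socket_tab[pos].ssl_conn); if (tls_socket_tab[pos].ssl_ctx != NULL) SSL_CTX_free (tls_socket_tab[pos].ssl_ctx); memset (&(tls_socket_tab[pos]), 0, sizeof (tls_socket_tab[pos])); rlen = 0; /* discard any remaining data ? */ break; } } while (SSL_pending (tls_socket_tab[pos].ssl_conn)); if (rlen > 5) { osip_strncpy (buf + rlen, "\0", 1); OSIP_TRACE (osip_trace (__FILE__, __LINE__, OSIP_INFO1, NULL, "Received TLS message: \n%s\n", buf)); _eXosip_handle_incoming_message (buf, i, tls_socket_tab[pos].socket, tls_socket_tab[pos].remote_ip, tls_socket_tab[pos].remote_port); } } } if (buf != NULL) osip_free (buf); return OSIP_SUCCESS;}

/*
 * Find the slot in tls_socket_tab[] that holds a TLS connection to the
 * given peer.
 *
 * host: peer address as a string; compared case-insensitively with the
 *       remote_ip recorded for the slot.  NULL is rejected (returns -1)
 *       so that osip_strcasecmp() is never handed a NULL pointer.
 * port: peer port, compared numerically with remote_port.
 *
 * Returns the index of the first matching slot, or -1 when no slot
 * matches.  A slot whose socket field is 0 is treated as free and skipped.
 *
 * NOTE(review): the accept path in this file copies the peer address into
 * remote_ip only when getnameinfo() succeeds, so an in-use slot may carry
 * an empty remote_ip; callers should not treat a match on such a slot as
 * proof of the peer's address.
 */
static int
_tls_tl_find_socket (char *host, int port)
{
  int pos;

  if (host == NULL)
    return -1;

  for (pos = 0; pos < EXOSIP_MAX_SOCKETS; pos++) {
    if (tls_socket_tab[pos].socket == 0)
      continue;                 /* free slot */
    if (tls_socket_tab[pos].remote_port != port)
      continue;
    if (osip_strcasecmp (tls_socket_tab[pos].remote_ip, host) == 0)
      return pos;
  }
  return -1;
}

/*
 * Log the subject and issuer names of an X.509 certificate at OSIP_INFO2.
 *
 * s:    optional prefix for both log lines; NULL is printed as "".
 * cert: certificate to describe.  NULL is logged and otherwise ignored
 *       instead of being dereferenced by X509_get_subject_name().
 *
 * X509_NAME_oneline() returns a freshly allocated string and may return
 * NULL (for example on allocation failure).  A NULL result is logged as
 * "<unavailable>" rather than being passed to a "%s" conversion, which
 * would be undefined behavior.  Both strings are released with
 * OPENSSL_free(), which tolerates NULL.
 *
 * NOTE(review): subject and issuer text come from the peer's certificate
 * and are logged verbatim; if the log is consumed by other tooling,
 * consider that the content is attacker-controlled.
 */
static void
tls_dump_cert_info (char *s, X509 * cert)
{
  const char *prefix = (s != NULL) ? s : "";
  char *subj;
  char *issuer;

  if (cert == NULL) {
    OSIP_TRACE (osip_trace (__FILE__, __LINE__, OSIP_INFO2, NULL, "%s no certificate to dump\n", prefix));
    return;
  }

  subj = X509_NAME_oneline (X509_get_subject_name (cert), 0, 0);
  issuer = X509_NAME_oneline (X509_get_issuer_name (cert), 0, 0);

  OSIP_TRACE (osip_trace (__FILE__, __LINE__, OSIP_INFO2, NULL, "%s subject:%s\n", prefix, (subj != NULL) ? subj : "<unavailable>"));
  OSIP_TRACE (osip_trace (__FILE__, __LINE__, OSIP_INFO2, NULL, "%s issuer: %s\n", prefix, (issuer != NULL) ? issuer : "<unavailable>"));

  OPENSSL_free (subj);
  OPENSSL_free (issuer);
}

/*
 * Log a human-readable description of an X509 certificate verification
 * error code (an X509_V_ERR_* value, typically the one obtained from
 * SSL_get_verify_result()) at OSIP_INFO2.
 *
 * verification_result: the X509_V_ERR_* code to describe.
 *
 * Codes that are not in the table are logged as "unknown error" together
 * with their numeric value, so an unlisted failure can still be
 * diagnosed from the log instead of collapsing into a fixed string.
 */
static void
tls_dump_verification_failure (long verification_result)
{
  static const struct {
    long code;
    const char *text;
  } messages[] = {
    { X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT, "unable to get issuer certificate" },
    { X509_V_ERR_UNABLE_TO_GET_CRL, "unable to get certificate CRL" },
    { X509_V_ERR_UNABLE_TO_DECRYPT_CERT_SIGNATURE, "unable to decrypt certificate's signature" },
    { X509_V_ERR_UNABLE_TO_DECRYPT_CRL_SIGNATURE, "unable to decrypt CRL's signature" },
    { X509_V_ERR_UNABLE_TO_DECODE_ISSUER_PUBLIC_KEY, "unable to decode issuer public key" },
    { X509_V_ERR_CERT_SIGNATURE_FAILURE, "certificate signature failure" },
    { X509_V_ERR_CRL_SIGNATURE_FAILURE, "CRL signature failure" },
    { X509_V_ERR_CERT_NOT_YET_VALID, "certificate is not yet valid" },
    { X509_V_ERR_CERT_HAS_EXPIRED, "certificate has expired" },
    { X509_V_ERR_CRL_NOT_YET_VALID, "CRL is not yet valid" },
    { X509_V_ERR_CRL_HAS_EXPIRED, "CRL has expired" },
    { X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD, "format error in certificate's notBefore field" },
    { X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD, "format error in certificate's notAfter field" },
    { X509_V_ERR_ERROR_IN_CRL_LAST_UPDATE_FIELD, "format error in CRL's lastUpdate field" },
    { X509_V_ERR_ERROR_IN_CRL_NEXT_UPDATE_FIELD, "format error in CRL's nextUpdate field" },
    { X509_V_ERR_OUT_OF_MEM, "out of memory" },
    { X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT, "self signed certificate" },
    { X509_V_ERR_SELF_SIGNED_CERT_IN_CHAIN, "self signed certificate in certificate chain" },
    { X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT_LOCALLY, "unable to get local issuer certificate" },
    { X509_V_ERR_UNABLE_TO_VERIFY_LEAF_SIGNATURE, "unable to verify the first certificate" },
    { X509_V_ERR_CERT_CHAIN_TOO_LONG, "certificate chain too long" },
    { X509_V_ERR_CERT_REVOKED, "certificate revoked" },
    { X509_V_ERR_INVALID_CA, "invalid CA certificate" },
    { X509_V_ERR_PATH_LENGTH_EXCEEDED, "path length constraint exceeded" },
    { X509_V_ERR_INVALID_PURPOSE, "unsupported certificate purpose" },
    { X509_V_ERR_CERT_UNTRUSTED, "certificate not trusted" },
    { X509_V_ERR_CERT_REJECTED, "certificate rejected" },
    { X509_V_ERR_SUBJECT_ISSUER_MISMATCH, "subject issuer mismatch" },
    { X509_V_ERR_AKID_SKID_MISMATCH, "authority and subject key identifier mismatch" },
    { X509_V_ERR_AKID_ISSUER_SERIAL_MISMATCH, "authority and issuer serial number mismatch" },
    { X509_V_ERR_KEYUSAGE_NO_CERTSIGN, "key usage does not include certificate signing" },
    { X509_V_ERR_APPLICATION_VERIFICATION, "application verification failure" },
  };
  char tmp[64];
  const char *text = NULL;
  size_t k;

  for (k = 0; k < sizeof (messages) / sizeof (messages[0]); k++) {
    if (messages[k].code == verification_result) {
      text = messages[k].text;
      break;
    }
  }

  if (text == NULL) {
    /* keep the raw code in the log: it is the only clue for unlisted errors */
    snprintf (tmp, sizeof (tmp), "unknown error (code %ld)", verification_result);
    text = tmp;
  }

  OSIP_TRACE (osip_trace (__FILE__, __LINE__, OSIP_INFO2, NULL, "verification failure: %s\n", text));
}

static int
_tls_tl_connect_socket (char *host, int port)
{ int pos; int res; struct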
addrinfo *addrinfo = NULL; struct addrinfo *curinfo; int sock = -1; BIO *sbio; SSL *ssl; SSL_CTX *ctx; X509 *cert; char src6host[NI_MAXHOST]; memset (src6host, 0, sizeof (src6host)); for (pos = 0; pos < EXOSIP_MAX_SOCKETS; pos++) { if (tls_socket_tab[pos].socket == 0) { break; }