Linux网络编程一步一步学-利用OpenSSL提供的SSL操作函数进行加密通讯原始例子

首先，大家知道SSL这一目前“事实上的Internet加密标准”吧？一般的网站是没有用到SSL的，所以如果你用TCPDUMP就可以很容易地看到别人上网的帐号、密码之类的，当然，现在有些已经改用安全通讯方式进行验证了，比如google的邮件服务gmail，而象银行、证券等行业，从一开始就要求用加密通讯，你在哪个银行网站上输入帐号和密码后点击提交不是通过加密方式提交的呢？事实上，SSL也正是在银行这些行业的需求下才产生的。
现在大家经常上网会上到一些https://开头的网站，那就是把SSL标准应用到HTTP上从而变成了HTTPS。另外大家可能都不用telnet这个明文传输工具来进行远程登录了，都改用ssh了，ssh正是SSL的一个实现，用来进行远程加密通讯的。

其次，要在我们现有的TCP程序上加上SSL，你得安装开发包libssl-dev，这个包的描述是这样的：

Package: libssl-dev Priority: optional Section: libdevel Installed-Size: 5552 Maintainer: Debian OpenSSL Team Architecture: i386 Source: openssl Version: 0.9.8a-7ubuntu0.3 Depends: libssl0.9.8 (= 0.9.8a-7ubuntu0.3), zlib1g-dev Conflicts: ssleay (<< 0.9.2b), libssl08-dev, libssl09-dev, libssl095a-dev, libssl096-dev Filename: pool/main/o/openssl/libssl-dev_0.9.8a-7ubuntu0.3_i386.deb Size: 2023440 MD5sum: 3c4052d07abe7d7984a774ca815ba4cf SHA1: 29145b66372613e78c37d9ce0de6a7d1cfc7bac0 SHA256: 9e86aa1174a45e4f61e5afcb56d485ea60f90e31b0ecaf2bf31f426f7eb8c6eb Description: SSL development libraries, header files and documentation libssl and libcrypt development libraries, header files and manpages . It is part of the OpenSSL implementation of SSL. Bugs: mailto:ubuntu-users@lists.ubuntu.com Origin: Ubuntu Package: libssl-dev Priority: optional Section: libdevel Installed-Size: 5548 Maintainer: Debian OpenSSL Team Architecture: i386 Source: openssl Version: 0.9.8a-7build1 Depends: libssl0.9.8 (= 0.9.8a-7build1), zlib1g-dev Conflicts: ssleay (<< 0.9.2b), libssl08-dev, libssl09-dev, libssl095a-dev, libssl096-dev Filename: pool/main/o/openssl/libssl-dev_0.9.8a-7build1_i386.deb Size: 2022142 MD5sum: c9b989aebbae4f6f5dbde67207858023 Description: SSL development libraries, header files and documentation libssl and libcrypt development libraries, header files and manpages . It is part of the OpenSSL implementation of SSL. Bugs: mailto:ubuntu-users@lists.ubuntu.com Origin: Ubuntu

也就是说这个libssl-dev包是库函数、头文件以及相关编程说明文档的集合。

安装完成之后在/usr/share/doc/libssl-dev/demos目录下有一些编程示例。你可以参照里面的文档自己来写加密通讯程序。
比如/usr/share/doc/libssl-dev/demos/bio目录下提供的一个服务器端例子，代码如下：

1. /* NOCW */
2. /* demos/bio/saccept.c */
4. /* A minimal program to server an SSL connection.
5.  * It uses blocking.
6.  * saccept host:port
7.  * host is the interface IP to use.  If any interface, use *:port
8.  * The default it *:4433
9.  *
10.  * cc -I../../include saccept.c -L../.. -lssl -lcrypto
11.  */
13. #include <stdio.h>
14. #include <signal.h>
15. #include <openssl/err.h>
16. #include <openssl/ssl.h>
18. #define CERT_FILE    "server.pem"
20. BIO *in=NULL;
22. void close_up()
23.     {
24.     if (in != NULL)
25.         BIO_free(in);
26.     }
28. int main(argc,argv)
29. int argc;
30. char *argv[];
31.     {
32.     char *port=NULL;
33.     BIO *ssl_bio,*tmp;
34.     SSL_CTX *ctx;
35.     SSL *ssl;
36.     char buf[512];
37.     int ret=1,i;
39.         if (argc <= 1)
40.         port="*:4433";
41.     else
42.         port=argv[1];
44.     signal(SIGINT,close_up);
46.     SSL_load_error_strings();
48. #ifdef WATT32
49.     dbug_init();
50.     sock_init();
51. #endif
53.     /* Add ciphers and message digests */
54.     OpenSSL_add_ssl_algorithms();
56.     ctx=SSL_CTX_new(SSLv23_server_method());
57.     if (!SSL_CTX_use_certificate_file(ctx,CERT_FILE,SSL_FILETYPE_PEM))
58.         goto err;
59.     if (!SSL_CTX_use_PrivateKey_file(ctx,CERT_FILE,SSL_FILETYPE_PEM))
60.         goto err;
61.     if (!SSL_CTX_check_private_key(ctx))
62.         goto err;
64.     /* Setup server side SSL bio */
65.     ssl=SSL_new(ctx);
66.     ssl_bio=BIO_new_ssl(ctx,0);
68.     if ((in=BIO_new_accept(port)) == NULL) goto err;
70.     /* This means that when a new connection is acceptede on 'in',
71.      * The ssl_bio will be 'dupilcated' and have the new socket
72.      * BIO push into it.  Basically it means the SSL BIO will be
73.      * automatically setup */
74.     BIO_set_accept_bios(in,ssl_bio);
76. again:
77.     /* The first call will setup the accept socket, and the second
78.      * will get a socket.  In this loop, the first actual accept
79.      * will occur in the BIO_read() function. */
81.     if (BIO_do_accept(in) <= 0) goto err;
83.     for (;;)
84.         {
85.         i=BIO_read(in,buf,512);
86.         if (i == 0)
87.             {
88.             /* If we have finished, remove the underlying
89.              * BIO stack so the next time we call any function
90.              * for this BIO, it will attempt to do an
91.              * accept */
92.             printf("Done/n");
93.             tmp=BIO_pop(in);
94.             BIO_free_all(tmp);
95.             goto again;
96.             }
97.         if (i < 0) goto err;
98.         fwrite(buf,1,i,stdout);
99.         fflush(stdout);
100.         }
102.     ret=0;
103. err:
104.     if (ret)
105.         {
106.         ERR_print_errors_fp(stderr);
107.         }
108.     if (in != NULL) BIO_free(in);
109.     exit(ret);
110.     return(!ret);
111.     }

 

对应的一个客户端例子代码如下：

1. /* NOCW */
2. /* demos/bio/sconnect.c */
4. /* A minimal program to do SSL to a passed host and port.
5.  * It is actually using non-blocking IO but in a very simple manner
6.  * sconnect host:port - it does a 'GET / HTTP/1.0'
7.  *
8.  * cc -I../../include sconnect.c -L../.. -lssl -lcrypto
9.  */
10. #include <stdio.h>
11. #include <stdlib.h>
12. #include <unistd.h>
13. #include <openssl/err.h>
14. #include <openssl/ssl.h>
16. extern int errno;
18. int main(argc,argv)
19. int argc;
20. char *argv[];
21.     {
22.     char *host;
23.     BIO *out;
24.     char buf[1024*10],*p;
25.     SSL_CTX *ssl_ctx=NULL;
26.     SSL *ssl;
27.     BIO *ssl_bio;
28.     int i,len,off,ret=1;
30.     if (argc <= 1)
31.         host="localhost:4433";
32.     else
33.         host=argv[1];
35. #ifdef WATT32
36.     dbug_init();
37.     sock_init();
38. #endif
40.     /* Lets get nice error messages */
41.     SSL_load_error_strings();
43.     /* Setup all the global SSL stuff */
44.     OpenSSL_add_ssl_algorithms();
45.     ssl_ctx=SSL_CTX_new(SSLv23_client_method());
47.     /* Lets make a SSL structure */
48.     ssl=SSL_new(ssl_ctx);
49.     SSL_set_connect_state(ssl);
51.     /* Use it inside an SSL BIO */
52.     ssl_bio=BIO_new(BIO_f_ssl());
53.     BIO_set_ssl(ssl_bio,ssl,BIO_CLOSE);
55.     /* Lets use a connect BIO under the SSL BIO */
56.     out=BIO_new(BIO_s_connect());
57.     BIO_set_conn_hostname(out,host);
58.     BIO_set_nbio(out,1);
59.     out=BIO_push(ssl_bio,out);
61.     p="GET / HTTP/1.0/r/n/r/n";
62.     len=strlen(p);
64.     off=0;
65.     for (;;)
66.         {
67.         i=BIO_write(out,&(p[off]),len);
68.         if (i <= 0)
69.             {
70.             if (BIO_should_retry(out))
71.                 {
72.                 fprintf(stderr,"write DELAY/n");
73.                 sleep(1);
74.                 continue;
75.                 }
76.             else
77.                 {
78.                 goto err;
79.                 }
80.             }
81.         off+=i;
82.         len-=i;
83.         if (len <= 0) break;
84.         }
86.     for (;;)
87.         {
88.         i=BIO_read(out,buf,sizeof(buf));
89.         if (i == 0) break;
90.         if (i < 0)
91.             {
92.             if (BIO_should_retry(out))
93.                 {
94.                 fprintf(stderr,"read DELAY/n");
95.                 sleep(1);
96.                 continue;
97.                 }
98.             goto err;
99.             }
100.         fwrite(buf,1,i,stdout);
101.         }
103.     ret=1;
105.     if (0)
106.         {
107. err:
108.         if (ERR_peek_error() == 0) /* system call error */
109.             {
110.             fprintf(stderr,"errno=%d ",errno);
111.             perror("error");
112.             }
113.         else
114.             ERR_print_errors_fp(stderr);
115.         }
116.     BIO_free_all(out);
117.     if (ssl_ctx != NULL) SSL_CTX_free(ssl_ctx);
118.     exit(!ret);
119.     return(ret);
120.     }

 

编译程序里象一般的gcc命令一样，但需要链接ssl库，比如

gcc -Wall saccept.c -o sslserver -lssl gcc -Wall sconnect.c -o sslclient -l ssl