现在大家经常上网会上到一些https://开头的网站,那就是把SSL标准应用到HTTP上从而变成了HTTPS。另外大家可能都不用telnet这个明文传输工具来进行远程登录了,都改用ssh了,ssh正是SSL的一个实现,用来进行远程加密通讯的。
其次,要在我们现有的TCP程序上加上SSL,你得安装开发包libssl-dev,这个包的描述是这样的:
Package: libssl-dev
Priority: optional
Section: libdevel
Installed-Size: 5552
Maintainer: Debian OpenSSL Team
也就是说这个libssl-dev包是库函数、头文件以及相关编程说明文档的集合。
安装完成之后在/usr/share/doc/libssl-dev/demos目录下有一些编程示例。你可以参照里面的文档自己来写加密通讯程序。
/************关于本文档********************************************
*filename: Linux网络编程一步一步学-利用OpenSSL提供的SSL操作函数进行加密通讯原始例子
*purpose: 说明了如果在Linux下利用OpenSSL库函数进行SSL加密通讯程序开发
*tidied by: zhoulifa(zhoulifa@163.com) 周立发(http://zhoulifa.bokee.com)
Linux爱好者 Linux知识传播者 SOHO族 开发者 最擅长C语言
*date time:2007-01-28 19:00
*Note: 任何人可以任意复制代码并运用这些文档,当然包括你的商业用途
* 但请遵循GPL
*Thanks to: Google.com
*Hope:希望越来越多的人贡献自己的力量,为科学技术发展出力
* 科技站在巨人的肩膀上进步更快!感谢有开源前辈的贡献!
*********************************************************************/
比如/usr/share/doc/libssl-dev/demos/bio目录下提供的一个服务器端例子,代码如下:
/* NOCW */
/* demos/bio/saccept.c */
/* A minimal program to server an SSL connection.
* It uses blocking.
* saccept host:port
* host is the interface IP to use. If any interface, use *:port
* The default it *:4433
*
* cc -I../../include saccept.c -L../.. -lssl -lcrypto
*/
#include
#include
#include
#include
#define CERT_FILE "server.pem"
BIO *in=NULL;
void close_up()
{
if (in != NULL)
BIO_free(in);
}
int main(argc,argv)
int argc;
char *argv[];
{
char *port=NULL;
BIO *ssl_bio,*tmp;
SSL_CTX *ctx;
SSL *ssl;
char buf[512];
int ret=1,i;
if (argc <= 1)
port="*:4433";
else
port=argv[1];
signal(SIGINT,close_up);
SSL_load_error_strings();
#ifdef WATT32
dbug_init();
sock_init();
#endif
/* Add ciphers and message digests */
OpenSSL_add_ssl_algorithms();
ctx=SSL_CTX_new(SSLv23_server_method());
if (!SSL_CTX_use_certificate_file(ctx,CERT_FILE,SSL_FILETYPE_PEM))
goto err;
if (!SSL_CTX_use_PrivateKey_file(ctx,CERT_FILE,SSL_FILETYPE_PEM))
goto err;
if (!SSL_CTX_check_private_key(ctx))
goto err;
/* Setup server side SSL bio */
ssl=SSL_new(ctx);
ssl_bio=BIO_new_ssl(ctx,0);
if ((in=BIO_new_accept(port)) == NULL) goto err;
/* This means that when a new connection is acceptede on 'in',
* The ssl_bio will be 'dupilcated' and have the new socket
* BIO push into it. Basically it means the SSL BIO will be
* automatically setup */
BIO_set_accept_bios(in,ssl_bio);
again:
/* The first call will setup the accept socket, and the second
* will get a socket. In this loop, the first actual accept
* will occur in the BIO_read() function. */
if (BIO_do_accept(in) <= 0) goto err;
for (;;)
{
i=BIO_read(in,buf,512);
if (i == 0)
{
/* If we have finished, remove the underlying
* BIO stack so the next time we call any function
* for this BIO, it will attempt to do an
* accept */
printf("Done\n");
tmp=BIO_pop(in);
BIO_free_all(tmp);
goto again;
}
if (i < 0) goto err;
fwrite(buf,1,i,stdout);
fflush(stdout);
}
ret=0;
err:
if (ret)
{
ERR_print_errors_fp(stderr);
}
if (in != NULL) BIO_free(in);
exit(ret);
return(!ret);
}
对应的一个客户端例子代码如下:
/* NOCW */
/* demos/bio/sconnect.c */
/* A minimal program to do SSL to a passed host and port.
* It is actually using non-blocking IO but in a very simple manner
* sconnect host:port - it does a 'GET / HTTP/1.0'
*
* cc -I../../include sconnect.c -L../.. -lssl -lcrypto
*/
#include
#include
#include
#include
#include
extern int errno;
int main(argc,argv)
int argc;
char *argv[];
{
char *host;
BIO *out;
char buf[1024*10],*p;
SSL_CTX *ssl_ctx=NULL;
SSL *ssl;
BIO *ssl_bio;
int i,len,off,ret=1;
if (argc <= 1)
host="localhost:4433";
else
host=argv[1];
#ifdef WATT32
dbug_init();
sock_init();
#endif
/* Lets get nice error messages */
SSL_load_error_strings();
/* Setup all the global SSL stuff */
OpenSSL_add_ssl_algorithms();
ssl_ctx=SSL_CTX_new(SSLv23_client_method());
/* Lets make a SSL structure */
ssl=SSL_new(ssl_ctx);
SSL_set_connect_state(ssl);
/* Use it inside an SSL BIO */
ssl_bio=BIO_new(BIO_f_ssl());
BIO_set_ssl(ssl_bio,ssl,BIO_CLOSE);
/* Lets use a connect BIO under the SSL BIO */
out=BIO_new(BIO_s_connect());
BIO_set_conn_hostname(out,host);
BIO_set_nbio(out,1);
out=BIO_push(ssl_bio,out);
p="GET / HTTP/1.0\r\n\r\n";
len=strlen(p);
off=0;
for (;;)
{
i=BIO_write(out,&(p[off]),len);
if (i <= 0)
{
if (BIO_should_retry(out))
{
fprintf(stderr,"write DELAY\n");
sleep(1);
continue;
}
else
{
goto err;
}
}
off+=i;
len-=i;
if (len <= 0) break;
}
for (;;)
{
i=BIO_read(out,buf,sizeof(buf));
if (i == 0) break;
if (i < 0)
{
if (BIO_should_retry(out))
{
fprintf(stderr,"read DELAY\n");
sleep(1);
continue;
}
goto err;
}
fwrite(buf,1,i,stdout);
}
ret=1;
if (0)
{
err:
if (ERR_peek_error() == 0) /* system call error */
{
fprintf(stderr,"errno=%d ",errno);
perror("error");
}
else
ERR_print_errors_fp(stderr);
}
BIO_free_all(out);
if (ssl_ctx != NULL) SSL_CTX_free(ssl_ctx);
exit(!ret);
return(ret);
}
编译程序里象一般的gcc命令一样,但需要链接ssl库,比如
gcc -Wall saccept.c -o sslserver -lssl
gcc -Wall sconnect.c -o sslclient -l ssl
没有评论:
发表评论