一、openssl庫概述
OpenSSL庫是一個開放源代碼庫,提供了用於SSL / TLS協議的加密,解密和驗證功能,以及用於密碼學的功能。它可以用於安全的網絡通信,數字簽名和證書管理。OpenSSL是一個跨平台的庫,適用於多種操作系統,包括Windows,Linux,Unix等等。
OpenSSL庫提供了兩種主要的API,C語言API和命令行工具API。C語言API包含了700多個函數,其中有很多函數都是用於不同種類加密,解密和簽名算法等等方面。命令行工具API可以讓用戶通過命令行直接操作SSL功能,包括TLS握手、創建和管理密鑰、證書和CRLs等等。
下面介紹一些常用openssl功能及其用法。
二、加密解密
OpenSSL庫提供了多種加密算法,包括對稱加密算法和非對稱加密算法。下面以AES加密算法為例,介紹OpenSSL的加密解密功能。
//AES加密
int aes_encrypt(unsigned char *in_data, int in_data_len, unsigned char *out_data, unsigned char *key, unsigned char *iv) {
EVP_CIPHER_CTX *ctx;
int out_len, len;
int ret = 0;
/* Create and initialise the context */
if(!(ctx = EVP_CIPHER_CTX_new())) return ERR_EVP_CIPHER_INIT;
/* Initialise the encryption operation. IMPORTANT - ensure you use a key and IV size appropriate for your cipher */
if(1 != EVP_EncryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, key, iv)) return ERR_EVP_CIPHER_INIT;
/* Provide the message to be encrypted, and obtain the encrypted output. EVP_EncryptUpdate can be called multiple times if necessary */
if(1 != EVP_EncryptUpdate(ctx, out_data, &out_len, in_data, in_data_len)) ret=ERR_EVP_FAILED;
else {
/* Finalise the encryption. Further data cannot be encrypted */
if(1 != EVP_EncryptFinal_ex(ctx, out_data + out_len, &len)) ret=ERR_EVP_FAILED;
else out_len += len;
}
/* Clean up */
EVP_CIPHER_CTX_free(ctx);
return ret;
}
//AES解密
int aes_decrypt(unsigned char *in_data, int in_data_len, unsigned char *out_data, unsigned char *key, unsigned char *iv) {
EVP_CIPHER_CTX *ctx;
int out_len, len;
int ret = 0;
/* Create and initialise the context */
if(!(ctx = EVP_CIPHER_CTX_new())) return ERR_EVP_CIPHER_INIT;
/* Initialise the decryption operation. IMPORTANT - ensure you use a key and IV size appropriate for your cipher */
if(1 != EVP_DecryptInit_ex(ctx, EVP_aes_256_cbc(), NULL, key, iv)) return ERR_EVP_CIPHER_INIT;
/* Provide the message to be decrypted, and obtain the plaintext output. EVP_DecryptUpdate can be called multiple times if necessary */
if(1 != EVP_DecryptUpdate(ctx, out_data, &out_len, in_data, in_data_len)) ret = ERR_EVP_FAILED;
else {
/* Finalise the decryption. Further data cannot be decrypted */
if(1 != EVP_DecryptFinal_ex(ctx, out_data + out_len, &len)) ret=ERR_EVP_FAILED;
else out_len += len;
}
/* Clean up */
EVP_CIPHER_CTX_free(ctx);
return ret;
}三、密碼學
OpenSSL庫提供了多種密碼學算法,包括哈希算法、消息認證碼算法、數字簽名算法等等。下面以SHA256算法為例,介紹OpenSSL的密碼學功能。
//SHA256哈希算法
int sha256_hash(unsigned char *data, unsigned int data_len, unsigned char *hash) {
EVP_MD_CTX *mdctx;
/* Create and initialise the context */
if(!(mdctx = EVP_MD_CTX_create())) return ERR_EVP_MD_INIT;
/* Initialise the message digest operation with the SHA-256 algorithm */
if(1 != EVP_DigestInit_ex(mdctx, EVP_sha256(), NULL)) return ERR_EVP_MD_INIT;
/* Provide the message to be hashed, and obtain the hashed output */
if(1 != EVP_DigestUpdate(mdctx, data, data_len)) return ERR_EVP_MD_FAILED;
if(1 != EVP_DigestFinal_ex(mdctx, hash, NULL)) return ERR_EVP_MD_FAILED;
/* Clean up */
EVP_MD_CTX_destroy(mdctx);
return 0;
}四、證書管理
OpenSSL庫提供了多種證書管理的功能,包括證書創建、查看和驗證等等。下面以證書查看功能為例,介紹OpenSSL的證書管理功能。
//讀取x509格式證書信息
int read_x509_certificate(const char *cert_file, X509 **x509) {
FILE *fp = NULL;
int ret = 0;
if ((fp = fopen(cert_file, "r")) == NULL) return ERR_X509_FAILED;
/* Create a new X509 object */
if ((*x509 = X509_new()) == NULL) return ERR_X509_FAILED;
/* Read the certificate from the file into the X509 object */
if(!PEM_read_X509(fp, x509, 0, NULL)) ret = ERR_X509_FAILED;
fclose(fp);
return ret;
}
//獲取證書信息
int get_subject_name(X509 *x509, char *subject_name, size_t name_len) {
X509_NAME *name;
BIO *outbio = BIO_new(BIO_s_mem());
if (!outbio) return ERR_BIO_FAILED;
/* Get the subject name from the X509 object */
name = X509_get_subject_name(x509);
X509_NAME_print_ex(outbio, name, 0, XN_FLAG_RFC2253);
/* Copy the name to the output buffer */
memset(subject_name, 0, name_len);
if (BIO_read(outbio, subject_name, name_len-1) <= 0) {
BIO_free(outbio);
return ERR_BIO_FAILED;
}
BIO_free(outbio);
return 0;
}五、TLS/SSL通信
OpenSSL庫最重要的功能之一就是處理SSL/TLS通信,下面以SSL/TLS服務器的創建和客戶端的連接為例,介紹OpenSSL的TLS/SSL通信功能。
//TLS/SSL服務器
int server_start(int listen_fd, SSL_CTX *ctx) {
int conn_fd;
socklen_t client_len;
struct sockaddr_in client_addr;
SSL *ssl;
while (1) {
client_len = sizeof(client_addr);
/* Wait for a client to connect */
if ((conn_fd = accept(listen_fd, (struct sockaddr *)&client_addr, &client_len)) < 0) continue;
/* Create a new SSL object for the connection */
if ((ssl = SSL_new(ctx)) == NULL) {
close(conn_fd);
continue;
}
/* Attach the socket descriptor to the SSL object */
if (!SSL_set_fd(ssl, conn_fd)) {
SSL_free(ssl);
close(conn_fd);
continue;
}
/* Perform the SSL/TLS handshake */
if (SSL_accept(ssl) ai_next) {
if ((sockfd = socket(p->ai_family, p->ai_socktype, p->ai_protocol)) == -1) continue;
if (connect(sockfd, p->ai_addr, p->ai_addrlen) == -1) {
close(sockfd);
continue;
}
break;
}
if (p == NULL) return ERR_SOCKET_FAILED;
/* Create a new SSL object for the connection */
if ((ssl = SSL_new(ctx)) == NULL) {
close(sockfd);
return ERR_SSL_FAILED;
}
/* Attach the socket descriptor to the SSL object */
if (!SSL_set_fd(ssl, sockfd)) {
SSL_free(ssl);
close(sockfd);
return ERR_SSL_FAILED;
}
/* Perform the SSL/TLS handshake */
if (SSL_connect(ssl) <= 0) {
SSL_free(ssl);
close(sockfd);
return ERR_SSL_FAILED;
}
/* Handle the server connection */
handle_server(ssl);
/* Clean up the SSL object */
SSL_shutdown(ssl);
SSL_free(ssl);
close(sockfd);
freeaddrinfo(servinfo);
return 0;
}原創文章,作者:小藍,如若轉載,請註明出處:https://www.506064.com/zh-hant/n/181862.html
微信掃一掃 
支付寶掃一掃 