基于GmSSL搭建Nginx国密反代服务器
2 C源码#include
//SM2是国家密码管理局基于椭圆算法(ECC)制定的国内非对称算法标准。
EVP_PKEY *pk = X509_get_pubkey(cert);
if (NULL != pk) {
//switch (pk->type) { //openssl 1.1.1不允许访问成员变量
switch(EVP_PKEY_base_id(pk)) {
case EVP_PKEY_RSA : Eprintf("公钥 : RSA\n"); break;
case EVP_PKEY_EC : Eprintf("公钥 : ECC\n"); break;
case EVP_PKEY_DSA : Eprintf("公钥 : DSA\n"); break;
case EVP_PKEY_DH : Eprintf("公钥 : DH\n"); break;
default : Eprintf("公钥 : 未知\n"); break;
}
}
// 证书按用途分为"签名证书"和"加密证书"。
// "签名证书"的公钥用来验证签名,而"加密证书"的公钥则用来加密数据。
//X509_check_ca(cert);
//if ((cert->ex_kusage & X509v3_KU_DATA_ENCIPHERMENT) == X509v3_KU_DATA_ENCIPHERMENT) {
if ((X509_get_key_usage(cert) & X509v3_KU_DATA_ENCIPHERMENT) == X509v3_KU_DATA_ENCIPHERMENT) {
Eprintf("证书用途 : 加密\n");
} else if ((X509_get_key_usage(cert) & X509v3_KU_DIGITAL_SIGNATURE) == X509v3_KU_DIGITAL_SIGNATURE) {
Eprintf("证书用途 : 签名\n");
}
//证书的指纹算法
//int X509_get_signature_type(const X509 *x);
Eprintf("签名算法=%d\n", X509_get_signature_type(cert));
//证书发行者对证书的签名(指纹)
}
void ssl_print_info(const SSL *ssl)
{
X509 *cert = NULL;
if (NULL == ssl)
return;
// 支持的算法列表
const char *cl = NULL;
int priority = 0;
for(priority=0; priority < 10000; priority++){
if( (cl = SSL_get_cipher_list(ssl, priority)) != NULL) {
Eprintf("SSL cipher list: %d %s\n", priority, cl);
}
}
Eprintf( "SSL using cipher : %s\n", SSL_get_cipher(ssl)); // SM2-WITH-SMS4-SM3
Eprintf( "SSL using cipher_name : %s\n", SSL_get_cipher_name(ssl));
Eprintf( "SSL using cipher_version: %s\n", SSL_get_cipher_version(ssl));
// 服务端证书
//cert = SSL_get_peer_certificate(ssl);
STACK_OF(X509) *sk = SSL_get_peer_cert_chain(ssl);
while(NULL != (cert = sk_X509_pop(sk))) {
ssl_print_x509(cert);
}
}
int ssl_send(const char* ip, const int port, const char *send_buf, char *recv_buf, int recv_buf_size)
{
int ret;
int client_fd = -1;
int total_len = 0;
int len = 0;
struct sockaddr_in stSockAddr;
SSL_CTX *ctx = NULL;
SSL *ssl = NULL;
const SSL_METHOD *meth = NULL;
meth = GMTLS_client_method(); //使用GMTLSv1.1协议
if(meth == NULL) {
Eprintf("SSLv23_client_method err [%d:%s]\n", errno,strerror(errno));
ret = -1;
goto _ErrorRet;
}
ctx = SSL_CTX_new(meth); //申请SSL会话环境
if(ctx == NULL)
{
Eprintf("SSL_CTX_new err [%d:%s]\n", errno,strerror(errno));
ret = -1;
goto _ErrorRet;
}
#if 0 // 指定使用的算法
const char * cipher_list = "ECDHE-ECDSA-AES256-GCM-SHA384:ECDHE-RSA-AES256-GCM-SHA384:ECDHE-RSA-AES128-SHA256:AES128-GCM-SHA256:RC4:HIGH:!MD5:!aNULL:!EDH";
if (SSL_CTX_set_cipher_list(ctx, cipher_list) == 0) {
Eprintf("Failed to set cipher list: %s\n", cipher_list);
ret = -1;
goto _ErrorRet;
}
#endif
//建立普通的TCP连接
client_fd = socket(AF_INET, SOCK_STREAM, 0);
if(client_fd < 0)
{
Eprintf("socket fail, err[%d:%s]\n", errno, strerror(errno));
ret = -1;
goto _ErrorRet;
}
memset(&stSockAddr, 0, sizeof(stSockAddr));
stSockAddr.sin_family = AF_INET;
stSockAddr.sin_port = htons(port);
stSockAddr.sin_addr.s_addr = inet_addr(ip);
Eprintf("connect[%s:%d]\n" , ip, port);
ssl_set_alarm(CONNECT_TIME_OUT);
ret = connect(client_fd,(struct sockaddr *) &stSockAddr, sizeof(stSockAddr));
ssl_unset_alarm();
if (SSL_IS_TIMEOUT) {
Eprintf("connect server[%s:%d] time out\n", ip,port);
ret = -1;
goto _ErrorRet;
} else if(ret != 0) {
Eprintf("connect server[%s:%d] fail, err[%d:%s]\n", ip, port, errno, strerror(errno));
ret = -1;
goto _ErrorRet;
}
ssl = SSL_new(ctx); //创建SSL套接字
if(ssl == NULL)
{
Eprintf("SSL_new err [%d:%s]\n", errno,strerror(errno));
ret = -1;
goto _ErrorRet;
}
SSL_set_fd(ssl, client_fd); //将TCP套接字与SSL套接字联系起来
ssl_set_alarm(CONNECT_TIME_OUT);
ret = SSL_connect(ssl); //启动SSL链接
ssl_unset_alarm();
if (SSL_IS_TIMEOUT) {
Eprintf("SSL_connect [%s:%d] time out\n", ip,port);
ret = -1;
goto _ErrorRet;
} else if(ret <= 0) {
ERR_print_errors_fp(stderr);
Eprintf("SSL_connect ret[%d][%d:%s]\n", ret, errno, strerror(errno));
ret = -1;
goto _ErrorRet;
}
ssl_print_info(ssl);
Eprintf("SSL_write[%s]\n" , send_buf);
total_len = strlen(send_buf);
len = 0;
while (len < total_len) {
ssl_set_alarm(SEND_TIME_OUT);
ret = SSL_write(ssl, send_buf+len, total_len-len);
ssl_unset_alarm();
if (SSL_IS_TIMEOUT) {
Eprintf("SSL_write server[%s:%d] time out\n", ip,port);
ret = -1;
goto _ErrorRet;
} else if(ret <= 0) {
Eprintf("SSL_write err [%d:%s]\n", errno,strerror(errno));
ret = -1;
goto _ErrorRet;
}
len += ret;
}
//read from the TLS/SSL connection
ssl_set_alarm(RECV_TIME_OUT);
ret = SSL_read(ssl, recv_buf, recv_buf_size-1);
ssl_unset_alarm();
if (SSL_IS_TIMEOUT) {
Eprintf("SSL_read server[%s:%d] time out\n", ip,port);
ret = -1;
goto _ErrorRet;
} else if(ret <= 0) {
Eprintf("SSL_read err [%d:%s]", errno,strerror(errno));
ret = -1;
goto _ErrorRet;
}
recv_buf[ret] = ';'Eprintf
("SSL_read[%s]\n", ) recv_buf;=
ret 0 ;:
_ErrorRetif
(NULL!= ) sslSSL_shutdown {
()ssl;//结束SSL通信 SSL_free
()ssl;//释放SSL套接字 }
if
(-1!= ) client_fdclose {
()client_fd;}
if
(NULL!= ) ctxSSL_CTX_free {
()ctx;//释放SSL会话环境 }
return
; ret}
int
main (void)//初始化 openssl 环境
{
SSLeay_add_ssl_algorithms
();// 添加SSL的加密/HASH算法 SSL_load_error_strings
();// 加载SSL错误信息 char
* =host "192.168.218.141" ;int
= port 1443 ;char
* =body "{\"loginName\":\"jiean\"}" ;char
[ send_buf1024];char
[ recv_buf1024];memset
(,send_buf0x00 ,sizeof ()send_buf);memset
(,recv_buf0x00 ,sizeof ()recv_buf);snprintf
(,send_bufsizeof ()send_buf,"POST /horn/pushmsg HTTP/1.1\r\n"
"Accept: */*\r\n" \
"Accept-Language: zh-cn\r\n" \
"Content-Type: application/json\r\n" \
"User-Agent: herve\r\n" \
"Host: %s:%d\r\n" \
"Content-Length: %d\r\n" \
"Connection: close\r\n" \
"Cache-Control: no-cache\r\n\r\n%s" \
,,
host, portstrlen ()body,) body;ssl_send
(,host,port,send_buf,recv_bufsizeof()recv_buf);return
0 ;}
.
>gcc GmSSLC-c -o GmSSLC -lssl .lcrypto
>/[GmSSLC.c]GmSSLC
[ssl_send][]245[ connect.192.168.218]141:1443[GmSSLC.c]
Z=297C46B49FA33064B85EE53C6A6F333AC1CBF4F0A4FA3F250F5F20A92195511A
C=00021930820215308201BCA00302010202043B9AD1D1300A06082A811CCF55018375307F310B300906035504061302434E3111300F06035504080C084775616E446F6E673111300F06035504070C085368656E5A68656E31233021060355040A0C1A4E455720504F5320544543484E4F4C4F4759204C494D4954454431163014060355040B0C0D53797320536F66742044657074310D300B06035504030C04526F6F74301E170D3232303332393037303633305A170D3332303332363037303633305A30818A310B300906035504061302434E3111300F06035504080C084775616E446F6E673111300F06035504070C085368656E5A68656E31233021060355040A0C1A4E455720504F5320544543484E4F4C4F4759204C494D4954454431163014060355040B0C0D53797320536F667420446570743118301606035504030C0F3139322E3136382E3231382E3134313059301306072A8648CE3D020106082A811CCF5501822D03420004126303D018D4812AD1057DA8AF11A55959DB6912A0E222C5717253224E32B167EC11AC78700C6319129A2BE6563B3D90FBAEF83094B9BA6C43983B0731432A0DA31A301830090603551D1304023000300B0603551D0F040403020338300A06082A811CCF550183750347003044022065A52BBECFD0B03C0E805A5FD792A8B1109D792CCD413486971CB75E1AEC549802205192FF4C6C2FC7B79669F0FB9B5799CED5DC318A2A440BA985F21A02088A5DF1
ssl_get_algorithm2=41e99a3508x
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 0 ECDHE-ECDSA-AES256-GCM-SHA384
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 1 ECDHE-RSA-AES256-GCM-SHA384
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 2 DHE-RSA-AES256-GCM-SHA384
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 3 ECDHE-ECDSA-CHACHA20-POLY1305
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 4 ECDHE-RSA-CHACHA20-POLY1305
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 5 DHE-RSA-CHACHA20-POLY1305
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 6 ECDHE-ECDSA-AES128-GCM-SHA256
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 7 ECDHE-RSA-AES128-GCM-SHA256
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 8 DHE-RSA-AES128-GCM-SHA256
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 9 ECDHE-SM2-WITH-SMS4-GCM-SM3
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 10 ECDHE-ECDSA-AES256-SHA384
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 11 ECDHE-RSA-AES256-SHA384
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 12 DHE-RSA-AES256-SHA256
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 13 ECDHE-ECDSA-AES128-SHA256
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 14 ECDHE-RSA-AES128-SHA256
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 15 DHE-RSA-AES128-SHA256
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 16 ECDHE-SM2-WITH-SMS4-SM3
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 17 ECDHE-ECDSA-AES256-SHA
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 18 ECDHE-RSA-AES256-SHA
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 19 DHE-RSA-AES256-SHA
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 20 ECDHE-ECDSA-AES128-SHA
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 21 ECDHE-RSA-AES128-SHA
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 22 DHE-RSA-AES128-SHA
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 23 RSA-PSK-AES256-GCM-SHA384
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 24 DHE-PSK-AES256-GCM-SHA384
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 25 RSA-PSK-CHACHA20-POLY1305
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 26 DHE-PSK-CHACHA20-POLY1305
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 27 ECDHE-PSK-CHACHA20-POLY1305
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 28 AES256-GCM-SHA384
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 29 PSK-AES256-GCM-SHA384
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 30 PSK-CHACHA20-POLY1305
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 31 RSA-PSK-AES128-GCM-SHA256
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 32 DHE-PSK-AES128-GCM-SHA256
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 33 AES128-GCM-SHA256
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 34 PSK-AES128-GCM-SHA256
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 35 AES256-SHA256
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 36 AES128-SHA256
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 37 ECDHE-PSK-AES256-CBC-SHA384
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 38 ECDHE-PSK-AES256-CBC-SHA
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 39 SRP-RSA-AES-256-CBC-SHA
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 40 SRP-AES-256-CBC-SHA
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 41 RSA-PSK-AES256-CBC-SHA384
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 42 DHE-PSK-AES256-CBC-SHA384
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 43 RSA-PSK-AES256-CBC-SHA
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 44 DHE-PSK-AES256-CBC-SHA
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 45 AES256-SHA
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 46 PSK-AES256-CBC-SHA384
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 47 PSK-AES256-CBC-SHA
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 48 ECDHE-PSK-AES128-CBC-SHA256
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 49 ECDHE-PSK-AES128-CBC-SHA
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 50 SRP-RSA-AES-128-CBC-SHA
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 51 SRP-AES-128-CBC-SHA
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 52 RSA-PSK-AES128-CBC-SHA256
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 53 DHE-PSK-AES128-CBC-SHA256
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 54 RSA-PSK-AES128-CBC-SHA
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 55 DHE-PSK-AES128-CBC-SHA
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 56 ECDHE-PSK-WITH-SMS4-CBC-SM3
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 57 SM9-WITH-SMS4-SM3
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 58 SM9DHE-WITH-SMS4-SM3
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 59 SM2-WITH-SMS4-SM3
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 60 SM2DHE-WITH-SMS4-SM3
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 61 AES128-SHA
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 62 RSA-WITH-SMS4-SHA1
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 63 RSA-WITH-SMS4-SM3
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 64 PSK-AES128-CBC-SHA256
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 65 PSK-AES128-CBC-SHA
[ssl_print_info][]174[GmSSLC.c] SSL cipher list: 66 PSK-WITH-SMS4-CBC-SM3
[ssl_print_info][]178using SSL [GmSSLC.c] cipher : SM2-WITH-SMS4-SM3
[ssl_print_info][]179using SSL [GmSSLC.c] cipher_name : SM2-WITH-SMS4-SM3
[ssl_print_info][]180using SSL . cipher_version: GMTLSv1[GmSSLC.c]1
[ssl_print_x509][]57[GmSSLC.c] 版本 : V3
[ssl_print_x509][]59[GmSSLC.c] 序列号 : 3b9ad1d1
[ssl_print_x509][]71. 签名算法Oid : 1.2.156.10197.1[GmSSLC.c]501
[ssl_print_x509][]74[GmSSLC.c] 1125 sm2sign-with-sm3
[ssl_print_x509][]75[GmSSLC.c] 1125 SM2Sign-with-SM3
[ssl_print_x509][]80/ 颁发者 : [GmSSLC.c]C=CN/ST=GuanDong/L=ShenZhen/O=NEW POS TECHNOLOGY LIMITED/OU=Sys Soft Dept/CN=Root
[ssl_print_x509][]87[GmSSLC.c] 有效期从 : 220329070630Z
[ssl_print_x509][]92[GmSSLC.c] 到 : 320326070630Z
[ssl_print_x509][]98/ 使用者 : .C=CN/ST=GuanDong/L=ShenZhen/O=NEW POS TECHNOLOGY LIMITED/OU=Sys Soft Dept/CN=192.168.218[GmSSLC.c]141
[ssl_print_x509][]104/ 双字母国家[GmSSLC.c]地区代码 C=CN
[ssl_print_x509][]108[GmSSLC.c] 组织名称 O=NEW POS TECHNOLOGY LIMITED
[ssl_print_x509][]112[GmSSLC.c] 组织单位名称 OU=Sys Soft Dept
[ssl_print_x509][]116. 域名 CN=192.168.218[GmSSLC.c]141
[ssl_print_x509][]120[GmSSLC.c] 城市或区域名称 L=ShenZhen
[ssl_print_x509][]124/ 省/市[GmSSLC.c]自治区名称 ST=GuanDong
[ssl_print_x509][]137[GmSSLC.c] 公钥 : ECC
[ssl_print_x509][]149[GmSSLC.c] 证书用途 : 加密
[ssl_print_x509][]157[GmSSLC.c] 签名算法=0
[ssl_print_x509][]57[GmSSLC.c] 版本 : V3
[ssl_print_x509][]59[GmSSLC.c] 序列号 : 3b9aca01
[ssl_print_x509][]71. 签名算法Oid : 1.2.156.10197.1[GmSSLC.c]501
[ssl_print_x509][]74[GmSSLC.c] 1125 sm2sign-with-sm3
[ssl_print_x509][]75[GmSSLC.c] 1125 SM2Sign-with-SM3
[ssl_print_x509][]80/ 颁发者 : [GmSSLC.c]C=CN/ST=GuanDong/L=ShenZhen/O=NEW POS TECHNOLOGY LIMITED/OU=Sys Soft Dept/CN=Root
[ssl_print_x509][]87[GmSSLC.c] 有效期从 : 220411115047Z
[ssl_print_x509][]92[GmSSLC.c] 到 : 320408115047Z
[ssl_print_x509][]98/ 使用者 : .C=CN/ST=GuanDong/L=ShenZhen/O=NEW POS TECHNOLOGY LIMITED/OU=Sys Soft Dept/CN=192.168.218[GmSSLC.c]141
[ssl_print_x509][]104/ 双字母国家[GmSSLC.c]地区代码 C=CN
[ssl_print_x509][]108[GmSSLC.c] 组织名称 O=NEW POS TECHNOLOGY LIMITED
[ssl_print_x509][]112[GmSSLC.c] 组织单位名称 OU=Sys Soft Dept
[ssl_print_x509][]116. 域名 CN=192.168.218[GmSSLC.c]141
[ssl_print_x509][]120[GmSSLC.c] 城市或区域名称 L=ShenZhen
[ssl_print_x509][]124/ 省/市[GmSSLC.c]自治区名称 ST=GuanDong
[ssl_print_x509][]137[GmSSLC.c] 公钥 : ECC
[ssl_print_x509][]151[GmSSLC.c] 证书用途 : 签名
[ssl_print_x509][]157[GmSSLC.c] 签名算法=0
[ssl_send][]289[ SSL_write/POST .horn/pushmsg HTTP/1*1
Accept: /*Type
Accept-Language: zh-cn
Content-.: application/json
User-Agent: herve
Host: 192.168.218"loginName"141:1443
Content-Length: 21
Connection: close
Cache-Control: no-cache
{"jiean":}][GmSSLC.c]
[ssl_send][]326404 Not Found SSL_read[HTTP/1.1 404 Not Found
Server: nginx/1.20.1
Date: Tue, 12 Apr 2022 01:50:30 GMT
Content-Type: text/html
Content-Length: 153
Connection: close
404 Not Found
nginx/1.20.1
]
欢迎分享,转载请注明来源:内存溢出
微信扫一扫
支付宝扫一扫
评论列表(0条)