
自学教程:C++ ssl_set_ca_chain函数代码示例

51自学网 2021-06-03 08:19:57
  C++
这篇教程C++ ssl_set_ca_chain函数代码示例写得很实用,希望能帮到您。

本文整理汇总了C++中ssl_set_ca_chain函数的典型用法代码示例。如果您正苦于以下问题:C++ ssl_set_ca_chain函数的具体用法?C++ ssl_set_ca_chain怎么用?C++ ssl_set_ca_chain使用的例子?那么恭喜您, 这里精选的函数代码示例或许可以为您提供帮助。

在下文中一共展示了ssl_set_ca_chain函数的29个代码示例,这些例子默认根据受欢迎程度排序。您可以为喜欢或者感觉有用的代码点赞,您的评价将有助于我们的系统推荐出更棒的C++代码示例。

示例1: SSL_new

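/*
 * Allocate a new SSL object and configure its TLS context from ctx:
 * endpoint type, authentication mode, minimum protocol version, CA chain,
 * RNG, and the local certificate/key pair.
 *
 * Returns the new object (fd set to -1, ssl_ctx pointing at ctx), or NULL
 * if allocation, ssl_init() or ssl_set_own_cert() fails.
 */
SSL *SSL_new(SSL_CTX *ctx) {
  int res;
  SSL *ssl = (SSL*)calloc(1, sizeof(*ssl));

  /* The original passed &ssl->cntx to ssl_init() without checking calloc(). */
  if (ssl == NULL) {
    return NULL;
  }

  res = ssl_init(&ssl->cntx);
  if (res != 0) {
    free(ssl);
    return NULL;
  }

  ssl_set_endpoint(&ssl->cntx, ctx->ssl_method->endpoint_type);
  ssl_set_authmode(&ssl->cntx, ctx->authmode);
  ssl_set_min_version(&ssl->cntx, ctx->ssl_method->ssl_maj_ver,
                      ctx->ssl_method->ssl_min_ver);

  /*
   * The last argument (expected peer name) is NULL, so no name is supplied
   * for matching against the peer certificate. For a client endpoint this
   * means chain validation alone decides trust; callers that need host
   * name binding have to pass the name or check it after the handshake.
   */
  ssl_set_ca_chain(&ssl->cntx, &ctx->CA_cert, NULL, NULL);
  ssl_set_rng(&ssl->cntx, ctr_drbg_random, &g_ctr_drbg_context);

  res = ssl_set_own_cert(&ssl->cntx, &ctx->cert, &ctx->pk);
  if (res != 0) {
    /*
     * ssl_init() succeeded, so the context owns internal allocations;
     * release them before dropping the wrapper (the original only freed
     * the wrapper here).
     */
    ssl_free(&ssl->cntx);
    free(ssl);
    return NULL;
  }

  ssl->fd = -1;
  ssl->ssl_ctx = ctx;
  return ssl;
}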
开发者ID:AustinHunting,项目名称:polar,代码行数:27,


示例2: gtget_ssl_init

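/*
 * Build the TLS parameters for conn and store them in conn->ssl.
 *
 * Unless GTGET_FLAG_INSECURE is set, a CA certificate file is located
 * (conn->caFile, then "<host>.pem", then "cacerts.pem") and parsed into the
 * CA chain. An optional client certificate and key are loaded, the DRBG is
 * seeded, and the SSL context is configured as a client.
 *
 * Failures are reported through die().
 */
void gtget_ssl_init(connection_t * conn)
{
  char *clientcert = NULL;
  char *clientkey = NULL;
  const char *pers = "gtget";
  sslparam_t *ssl = calloc(1, sizeof(sslparam_t));

  /* The original used the calloc() result without checking it. */
  if (!ssl) {
    die(conn, "out of memory", NULL);
    return;
  }

  if (!(conn->flags & GTGET_FLAG_INSECURE)) {
    /* ".pem" plus the terminating NUL needs 5 extra bytes. */
    char *cacertfile = alloca(strlen(conn->remote->host) + 5);
    char *servercert = NULL;

    strcpy(cacertfile, conn->remote->host);
    strcat(cacertfile, ".pem");

    if (!(servercert = tryopen_alt(conn, conn->caFile, cacertfile)))
      servercert = tryopen("cacerts.pem");

    if (!(servercert))
      die(conn, "can't open cacert", NULL);

    if (x509_crt_parse_file(&ssl->cacert, servercert))
      die(conn, "error reading cacert", servercert);
  }

  /* read and parse the client certificate if provided */
  if ((clientcert = tryopen_alt(conn, conn->ccFile, "clientcert.pem"))) {
    /* Fall back to the certificate file when no separate key file exists. */
    if (!(clientkey = tryopen_alt(conn, conn->ckFile, "clientkey.pem")))
      clientkey = clientcert;

    if (x509_crt_parse_file(&ssl->clicert, clientcert))
      die(conn, "error reading client certificate", clientcert);

    /*
     * In the original this key parse sat inside the certificate-failure
     * branch, after die(), so the key was never loaded on the success path.
     * NOTE(review): pk_parse_public_keyfile() reads a public key; client
     * authentication normally needs the private key -- confirm which parser
     * is intended here.
     */
    if (clientkey && pk_parse_public_keyfile(&ssl->pk, clientkey))
      die(conn, "error reading client key", clientkey);

    /* Restored "\n": the listing showed the escape as "/n". */
    write2f("using client cert: %s\n", clientcert);
    write2f("using client key:  %s\n", clientkey);
  }

  entropy_init(&ssl->entropy);
  if (0 != (ctr_drbg_init(&ssl->ctr_drbg, entropy_func, &ssl->entropy,
	  (const unsigned char *)pers, strlen(pers))))
    die(conn, "Seeding the random number generator failed", NULL);

  if (ssl_init(&ssl->ssl))
    die(conn, "error initializing SSL", NULL);

  ssl_set_endpoint(&ssl->ssl, SSL_IS_CLIENT);
  if ((conn->flags & GTGET_FLAG_INSECURE)) {
    ssl_set_authmode(&ssl->ssl, SSL_VERIFY_NONE);
  }

  ssl_set_ca_chain(&ssl->ssl, &ssl->cacert, NULL, conn->remote->host);
  /*
   * NOTE(review): this unconditional call replaces the SSL_VERIFY_NONE set
   * just above, so both modes end up as SSL_VERIFY_OPTIONAL. With OPTIONAL
   * the handshake completes even when certificate verification fails, so
   * rejection has to come from verify_cb or from a later check of the
   * verification result -- neither is visible in this function.
   */
  ssl_set_authmode(&ssl->ssl, SSL_VERIFY_OPTIONAL);
  ssl_set_verify(&ssl->ssl, verify_cb, conn);
  ssl_set_ciphersuites(&ssl->ssl, ssl_list_ciphersuites());
  ssl_set_session(&ssl->ssl, &ssl->ssn);
  ssl_set_rng(&ssl->ssl, ctr_drbg_random, &ssl->ctr_drbg);

  conn->ssl = ssl;
}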
开发者ID:tenchman,项目名称:gsclu,代码行数:58,


示例3: ssl_init_info

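/*
 * Initialise the TLS state in sslinfo as a client on the socket *server_fd
 * and run the handshake to completion.
 *
 * Returns 0 once the handshake has finished, -1 if DRBG seeding, ssl_init()
 * or the handshake fails.
 *
 * NOTE(review): the CA chain is initialised but nothing is parsed into it,
 * the expected peer name is "", the mode is SSL_VERIFY_OPTIONAL and the
 * result of ssl_get_verify_result() does not affect the return value. As
 * written, a return of 0 does not mean the server certificate was verified.
 */
int ssl_init_info(int *server_fd,ssl_info *sslinfo)
{
    int ret;
    const char *pers = "ssl";

    x509_crt_init(&sslinfo->cacert );
    entropy_init(&sslinfo->entropy );
    if( ( ret = ctr_drbg_init( &sslinfo->ctr_drbg, entropy_func, &sslinfo->entropy,
                               (const unsigned char *) pers,
                               strlen( pers ) ) ) != 0 )
    {
        return -1;
    }

    if( ( ret = ssl_init( &sslinfo->ssl ) ) != 0 )
    {
        /* Escapes restored: the listing showed "\n" as "/n". */
        echo( " failed\n  ! ssl_init returned %d\n\n", ret );
        return -1;
    }

    ssl_set_endpoint( &sslinfo->ssl, SSL_IS_CLIENT );
    ssl_set_authmode( &sslinfo->ssl, SSL_VERIFY_OPTIONAL );
    ssl_set_ca_chain( &sslinfo->ssl, &sslinfo->cacert, NULL, "" );
    ssl_set_rng( &sslinfo->ssl, ctr_drbg_random, &sslinfo->ctr_drbg );
    ssl_set_bio( &sslinfo->ssl, net_recv, server_fd,net_send, server_fd );
    ssl_set_session(&sslinfo->ssl, &ssn);

    while((ret = ssl_handshake(&sslinfo->ssl))!=0)
    {
        /* WANT_READ / WANT_WRITE mean "retry"; anything else is fatal. */
        if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
        {
            echo( " failed\n  ! ssl_handshake returned -0x%x\n\n", (unsigned int) -ret );
            return -1;
        }
        /* Yield the CPU between retries. */
        sleeps(1);
    }

    if((ret = ssl_get_verify_result( &sslinfo->ssl ) ) != 0 )
    {
        /* Verification failure is deliberately silent here; the author's
         * log call for this branch is disabled. */
    }
    else
    {
        echo( " ok\n" );
    }

    /* Save the session so later handshakes can resume it. */
    if( ( ret = ssl_get_session( &sslinfo->ssl, &ssn ) ) != 0 )
    {
        /* On failure, reset the saved session. */
        memset(&ssn, 0, sizeof(ssl_session));
    }
    return 0;
}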
开发者ID:MoZhonghua,项目名称:ngrok-c,代码行数:55,


示例4: ms_dtls_srtp_initialise_polarssl_dtls_context

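/*
 * Prepare a PolarSSL DTLS context for DTLS-SRTP.
 *
 * Seeds the DRBG, parses the PEM certificate and private key from params,
 * configures the endpoint role, datagram transport and SRTP protection
 * profiles, and (server role only) sets up DTLS cookies keyed on the
 * session's sending SSRC.
 *
 * Returns 0 on success, or the non-zero PolarSSL error code of the first
 * step that failed.
 */
static int ms_dtls_srtp_initialise_polarssl_dtls_context(DtlsPolarsslContext *dtlsContext, MSDtlsSrtpParams *params, RtpSession *s){
	int ret;
	enum DTLS_SRTP_protection_profiles dtls_srtp_protection_profiles[2] = {SRTP_AES128_CM_HMAC_SHA1_80, SRTP_AES128_CM_HMAC_SHA1_32};

	memset( &(dtlsContext->ssl), 0, sizeof( ssl_context ) );
	//memset( &(dtlsContext->saved_session), 0, sizeof( ssl_session ) );
	ssl_cookie_init( &(dtlsContext->cookie_ctx) );
	x509_crt_init( &(dtlsContext->crt) );
	entropy_init( &(dtlsContext->entropy) );

	/* The original ignored this result; an unseeded DRBG must not be used
	 * for the handshake or for cookie generation. */
	ret = ctr_drbg_init( &(dtlsContext->ctr_drbg), entropy_func, &(dtlsContext->entropy), NULL, 0 );
	if( ret != 0 ) {
		return ret;
	}

	/* initialise certificate */
	ret = x509_crt_parse( &(dtlsContext->crt), (const unsigned char *) params->pem_certificate, strlen( params->pem_certificate ) );
	if( ret < 0 ) {
		return ret;
	}

	ret =  pk_parse_key( &(dtlsContext->pkey), (const unsigned char *) params->pem_pkey, strlen( params->pem_pkey ), NULL, 0 );
	if( ret != 0 ) {
		return ret;
	}

	/* ssl setup: the original tested the stale ret from pk_parse_key()
	 * here instead of the result of ssl_init(). */
	ret = ssl_init(&(dtlsContext->ssl));
	if( ret != 0 ) {
		return ret;
	}

	if (params->role == MSDtlsSrtpRoleIsClient) {
		ssl_set_endpoint(&(dtlsContext->ssl), SSL_IS_CLIENT);
	} else if (params->role == MSDtlsSrtpRoleIsServer) {
		ssl_set_endpoint(&(dtlsContext->ssl), SSL_IS_SERVER);
	}
	ssl_set_transport(&(dtlsContext->ssl), SSL_TRANSPORT_DATAGRAM);
	ssl_set_dtls_srtp_protection_profiles(  &(dtlsContext->ssl), dtls_srtp_protection_profiles, 2 ); /* TODO: get param from caller to select available profiles */

	/* set CA chain */
	ssl_set_authmode( &(dtlsContext->ssl), SSL_VERIFY_OPTIONAL ); /* this will force server to send his certificate to client as we need it to compute the fingerprint */
	ssl_set_rng(  &(dtlsContext->ssl), ctr_drbg_random, &(dtlsContext->ctr_drbg) );
	/*
	 * The local certificate doubles as the "CA chain" and no peer name is
	 * given, so X.509 chain validation does not authenticate the peer here.
	 * Per the comment above, the peer certificate is wanted for its
	 * fingerprint; the fingerprint comparison is not in this function.
	 */
	ssl_set_ca_chain( &(dtlsContext->ssl), &(dtlsContext->crt), NULL, NULL );
	ssl_set_own_cert( &(dtlsContext->ssl), &(dtlsContext->crt), &(dtlsContext->pkey) );

	if (params->role == MSDtlsSrtpRoleIsServer) {
		ssl_cookie_setup( &(dtlsContext->cookie_ctx), ctr_drbg_random, &(dtlsContext->ctr_drbg) );
		ssl_set_dtls_cookies( &(dtlsContext->ssl), ssl_cookie_write, ssl_cookie_check, &(dtlsContext->cookie_ctx) );
		ssl_session_reset( &(dtlsContext->ssl) );
		/* Client transport id for cookie checks: 4 bytes of the sending SSRC. */
		ssl_set_client_transport_id(&(dtlsContext->ssl), (const unsigned char *)(&(s->snd.ssrc)), 4);
	}

	ms_mutex_init(&dtlsContext->ssl_context_mutex, NULL);

	return 0;
}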
开发者ID:krieger-od,项目名称:mediastreamer2,代码行数:53,


示例5: __ustream_ssl_session_new

/*
 * Create and configure one TLS session for the given ustream context.
 *
 * Server contexts present ctx->cert / ctx->key and, when further
 * certificates are linked after the first, offer them as the CA chain;
 * peer certificates are not verified (SSL_VERIFY_NONE). Client contexts use
 * ctx->cert as the CA chain with SSL_VERIFY_OPTIONAL.
 *
 * Returns the new ssl_context, or NULL on allocation or ssl_init() failure.
 *
 * NOTE(review): in client mode the handshake is allowed to finish when
 * verification fails and no peer name is supplied to ssl_set_ca_chain();
 * presumably the caller inspects the verification result and the name
 * afterwards -- confirm.
 */
__hidden void *__ustream_ssl_session_new(struct ustream_ssl_ctx *ctx)
{
    ssl_context *session = calloc(1, sizeof(ssl_context));

    if (session == NULL)
        return NULL;

    if (ssl_init(session) != 0) {
        free(session);
        return NULL;
    }

    ssl_set_ciphersuites(session, default_ciphersuites);
    ssl_set_endpoint(session, ctx->server ? SSL_IS_SERVER : SSL_IS_CLIENT);
    ssl_set_authmode(session, ctx->server ? SSL_VERIFY_NONE : SSL_VERIFY_OPTIONAL);
    ssl_set_rng(session, _urandom, NULL);

    if (!ctx->server) {
        /* Client: the configured certificate list is the trust anchor set. */
        ssl_set_ca_chain(session, &ctx->cert, NULL, NULL);
    } else {
        /* Server: anything chained after the leaf is handed over as CA chain. */
        if (ctx->cert.next)
            ssl_set_ca_chain(session, ctx->cert.next, NULL, NULL);
        ssl_set_own_cert(session, &ctx->cert, &ctx->key);
    }

    ssl_session_reset(session);

    return session;
}
开发者ID:asriadi,项目名称:ustream-ssl,代码行数:40,


示例6: ircd_client_init_ssl

/*
 * Initialise the per-client TLS context of this server.
 *
 * Returns 0 on success, -1 if ssl_init() fails. Return values of the
 * setters are discarded, as in the rest of this function's design.
 *
 * The settings below are chosen to observe what a connecting client
 * supports (RC4, SNI, session tickets) rather than to give the strongest
 * session; see the per-call comments.
 */
int ircd_client_init_ssl(struct ircd_client* const client)
{
	ssl_context *const tls = &client->ssl_ctx;

	if (ssl_init(tls) != 0)
		return -1;

	// This side of the connection is the server
	(void) ssl_set_endpoint(tls, SSL_IS_SERVER);

	// Socket I/O callbacks, both bound to the client's descriptor
	(void) ssl_set_bio(tls, net_recv, &client->fd, net_send, &client->fd);

	// Randomness source for this client (e.g. session ticket encryption key)
	(void) ssl_set_rng(tls, hmac_drbg_random, &ircd_ssl_hmac_drbg_ctx);

	// DHE- suites are normally on already; supply a stronger prime for them
	(void) ssl_set_dh_param_ctx(tls, &ircd_ssl_dh_ctx);

	// Ask the client for a certificate without requiring one. The chain
	// used for checking it is the server's own certificate; a call that
	// used a separate CA certificate list is disabled in the source.
	(void) ssl_set_authmode(tls, SSL_VERIFY_OPTIONAL);
	(void) ssl_set_ca_chain(tls, &ircd_ssl_certificate, NULL, NULL);

	// Probe for RC4 support in the client (bad, in violation of TLS
	// standards; see RFC 7465)
	(void) ssl_set_arc4_support(tls, SSL_ARC4_ENABLED);

	// Probe for SNI support in the client (good)
	(void) ssl_set_sni(tls, ircd_server_ssl_sni_cb, (void*) client);

	// Probe for Session Ticket support in the client (concerning)
	(void) ssl_set_session_tickets(tls, SSL_SESSION_TICKETS_ENABLED);
	(void) ssl_set_session_ticket_lifetime(tls, 300);

	// Setting the certificate here, not in the SNI callback, keeps clients
	// without SNI working
	(void) ssl_set_own_cert(tls, &ircd_ssl_certificate, &ircd_ssl_private_key);

#ifdef POLARSSL_SSL_CIPHERSUITES_CB
	// Library extension added by the author - see the patch in patches/
	(void) ssl_set_cs_cb(tls, ircd_server_ssl_cs_cb, (void*) client);
#endif

#ifdef POLARSSL_SSL_TICKETS_CB
	// Library extension added by the author - see the patch in patches/
	(void) ssl_set_tick_cb(tls, ircd_server_ssl_tick_cb, (void*) client);
#endif

	return 0;
}
开发者ID:Techman-,项目名称:tlsdebug-ircd,代码行数:47,


示例7: bctbx_ssl_context_setup

/*
 * Copy every setting that is present in ssl_config onto ssl_ctx.
 *
 * Settings left at BCTBX_SSL_UNSET or NULL are skipped, so whatever the
 * context already holds for them stays in effect.
 *
 * Returns 0 on success, BCTBX_ERROR_INVALID_SSL_CONFIG if ssl_config is
 * NULL, BCTBX_ERROR_INVALID_SSL_CONTEXT if ssl_ctx is NULL (the config is
 * checked first).
 *
 * NOTE(review): if the config leaves authmode unset or supplies no CA
 * chain, peer verification depends entirely on the context's prior state;
 * the peer name handed to ssl_set_ca_chain() is ssl_ctx->cn as it is at
 * the time of this call.
 */
int32_t bctbx_ssl_context_setup(bctbx_ssl_context_t *ssl_ctx, bctbx_ssl_config_t *ssl_config) {
	ssl_context *tls;

	/* Argument validation */
	if (ssl_config == NULL) {
		return BCTBX_ERROR_INVALID_SSL_CONFIG;
	}
	if (ssl_ctx == NULL) {
		return BCTBX_ERROR_INVALID_SSL_CONTEXT;
	}

	tls = &(ssl_ctx->ssl_ctx);

	/* Role and peer authentication mode */
	if (ssl_config->endpoint != BCTBX_SSL_UNSET) {
		ssl_set_endpoint(tls, ssl_config->endpoint);
	}
	if (ssl_config->authmode != BCTBX_SSL_UNSET) {
		ssl_set_authmode(tls, ssl_config->authmode);
	}

	/* Random number generator */
	if (ssl_config->rng_function != NULL) {
		ssl_set_rng(tls, ssl_config->rng_function, ssl_config->rng_context);
	}

	/* Certificate verification callback */
	if (ssl_config->callback_verify_function != NULL) {
		ssl_set_verify(tls, ssl_config->callback_verify_function, ssl_config->callback_verify_data);
	}

	/* Client certificate callback: stored on the wrapper, not in PolarSSL */
	if (ssl_config->callback_cli_cert_function != NULL) {
		ssl_ctx->callback_cli_cert_function = ssl_config->callback_cli_cert_function;
		ssl_ctx->callback_cli_cert_data = ssl_config->callback_cli_cert_data;
	}

	/* Trust anchors, with the context's cn as expected peer name */
	if (ssl_config->ca_chain != NULL) {
		ssl_set_ca_chain(tls, ssl_config->ca_chain, NULL, ssl_ctx->cn);
	}

	/* Own certificate: only when both certificate and key are present */
	if (ssl_config->own_cert != NULL && ssl_config->own_cert_pk != NULL) {
		ssl_set_own_cert(tls, ssl_config->own_cert, ssl_config->own_cert_pk);
	}

	return 0;
}
开发者ID:BelledonneCommunications,项目名称:bctoolbox,代码行数:42,


示例8: sni_callback

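/* Server Name Indication callback function
 *
 * Looks the client-supplied host name up in sni_list. On the first match
 * it raises the handshake timeout, installs that entry's certificate and
 * key, and, if the entry has a CA certificate, requires a client
 * certificate checked against that CA and its CRL.
 *
 * Returns 0 when a match was applied or when nothing matched, -1 when the
 * name is longer than SNI_MAX_HOSTNAME_LEN or contains a NUL byte.
 */
static int sni_callback(void *sad, ssl_context *context, const unsigned char *sni_hostname, size_t len) {
	char hostname[SNI_MAX_HOSTNAME_LEN + 1];
	t_sni_list *sni;
	int i;

	/* The name comes from the client; bound it before copying. */
	if (len > SNI_MAX_HOSTNAME_LEN) {
		return -1;
	}

	/* An embedded NUL would make the C-string comparison below see only a
	 * prefix of what the client sent. */
	if (memchr(sni_hostname, '\0', len) != NULL) {
		return -1;
	}

	memcpy(hostname, sni_hostname, len);
	/* The listing showed '/0' here, a multi-character constant that does
	 * not terminate the string; the terminator is '\0'. */
	hostname[len] = '\0';

	sni = sni_list;
	while (sni != NULL) {
		for (i = 0; i < sni->hostname->size; i++) {
			if (hostname_match(hostname, *(sni->hostname->item + i))) {
				((t_ssl_accept_data*)sad)->timeout = HS_TIMEOUT_CERT_SELECT;

				/* Set private key and certificate
				 */
				if ((sni->private_key != NULL) && (sni->certificate != NULL)) {
					ssl_set_own_cert(context, sni->certificate, sni->private_key);
				}

				/* Set CA certificate for SSL client authentication
				 */
				if (sni->ca_certificate != NULL) {
					ssl_set_authmode(context, SSL_VERIFY_REQUIRED);
					ssl_set_ca_chain(context, sni->ca_certificate, sni->ca_crl, NULL);
				}

				return 0;
			}
		}

		sni = sni->next;
	}

	return 0;
}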
开发者ID:BuGlessRB,项目名称:hiawatha,代码行数:41,


示例9: SslSocket::accept

// Wrap an accepted stream in a new server-side SslSocket and start its
// handshake asynchronously.
//
// The new socket receives every certificate/key pair of this socket, this
// socket's authentication mode, its CA (when one is set) and the shared
// session cache. retVal is assigned before any step that can fail.
//
// Returns CALL_E_INVALID_CALL if this socket already has a stream,
// CALL_E_NOSYNC when called without an async event, a negative setCert()
// result, or otherwise the result of handshake().
result_t SslSocket::accept(Stream_base *s, obj_ptr<SslSocket_base> &retVal,
                           exlib::AsyncEvent *ac)
{
    if (m_s)
        return CHECK_ERROR(CALL_E_INVALID_CALL);

    if (!ac)
        return CHECK_ERROR(CALL_E_NOSYNC);

    obj_ptr<SslSocket> accepted = new SslSocket();
    retVal = accepted;

    // Copy the certificate/key pairs across, stopping at the first failure.
    const int certCount = (int)m_crts.size();
    for (int idx = 0; idx < certCount; ++idx)
    {
        result_t rc = accepted->setCert(m_crts[idx], m_keys[idx]);
        if (rc < 0)
            return rc;
    }

    accepted->m_s = s;

    // Same peer-authentication policy as the listening socket.
    ssl_set_authmode(&accepted->m_ssl, m_ssl.authmode);
    ssl_set_endpoint(&accepted->m_ssl, SSL_IS_SERVER);

    if (m_ca)
    {
        // Sharing m_ca keeps the certificate object referenced by the new
        // socket while its context points at the chain.
        accepted->m_ca = m_ca;
        ssl_set_ca_chain(&accepted->m_ssl, &m_ca->m_crt, NULL, NULL);
    }

    ssl_set_session_cache(&accepted->m_ssl, ssl_cache_get, &g_ssl.m_cache,
                          ssl_cache_set, &g_ssl.m_cache);

    return accepted->handshake(NULL, ac);
}
开发者ID:Mirwangsir,项目名称:fibjs,代码行数:38,


示例10: sslUpgrade

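/*
 * Upgrade the connection behind wp to TLS using the EST stack.
 *
 * Allocates the per-connection EstSocket, attaches it to wp->ssl,
 * configures the context as a server endpoint on the connection's socket
 * and runs the handshake.
 *
 * Returns 0 on success, -1 if allocation, ssl_init() or the handshake
 * fails. After a successful allocation the EstSocket stays attached to
 * wp->ssl on every path, so its release is left to whoever tears down wp.
 */
PUBLIC int sslUpgrade(Webs *wp)
{
    EstSocket   *est;
    WebsSocket  *sp;

    assert(wp);
    /*
     * Zeroed allocation: the original used malloc() and then called
     * ssl_free() on the uninitialised context, which reads indeterminate
     * pointers. With zeroed memory that call has nothing to release, so it
     * is dropped.
     */
    if ((est = calloc(1, sizeof(EstSocket))) == 0) {
        return -1;
    }
    wp->ssl = est;

    havege_init(&est->hs);
    /* The original ignored the result of ssl_init(). */
    if (ssl_init(&est->ctx) != 0) {
        return -1;
    }

    /* Endpoint value 1 is passed as in the original (the server role in
     * this stack, presumably -- confirm against the EST headers). */
    ssl_set_endpoint(&est->ctx, 1);
    /* Peer certificates are requested only when BIT_GOAHEAD_VERIFY_PEER is
     * set, and even then verification failure does not stop the handshake
     * (SSL_VERIFY_OPTIONAL). */
    ssl_set_authmode(&est->ctx, BIT_GOAHEAD_VERIFY_PEER ? SSL_VERIFY_OPTIONAL : SSL_VERIFY_NO_CHECK);
    ssl_set_rng(&est->ctx, havege_rand, &est->hs);
    ssl_set_dbg(&est->ctx, estTrace, NULL);

    /* NOTE(review): socketPtr() result is used unchecked -- confirm it
     * cannot be NULL for a live wp->sid. */
    sp = socketPtr(wp->sid);
    ssl_set_bio(&est->ctx, net_recv, &sp->sock, net_send, &sp->sock);
    ssl_set_ciphers(&est->ctx, estConfig.ciphers);

    ssl_set_session(&est->ctx, 1, 0, &est->session);
    memset(&est->session, 0, sizeof(ssl_session));

    /* CA chain only when a CA file is configured. */
    ssl_set_ca_chain(&est->ctx, *BIT_GOAHEAD_CA ? &estConfig.ca : NULL, NULL);
    if (*BIT_GOAHEAD_CERTIFICATE && *BIT_GOAHEAD_KEY) {
        ssl_set_own_cert(&est->ctx, &estConfig.cert, &estConfig.rsa);
    }
    ssl_set_dh_param(&est->ctx, dhKey, dhg);

    if (estHandshake(wp) < 0) {
        return -1;
    }
    return 0;
}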
开发者ID:JasonCC,项目名称:goahead,代码行数:36,


示例11: ssl_client

/**  * @brief  SSL client task.  * @param  pvParameters not used  * @retval None  */void ssl_client(void const * argument){  int ret, len, server_fd;  unsigned char buf[1024];  ssl_context ssl;  x509_cert cacert;    memset( &ssl, 0, sizeof( ssl_context ) );  memset( &cacert, 0, sizeof( x509_cert ) );    /*  *  Initialize certificates  */  printf( "  . Loading the CA root certificate ..." );  #if defined(POLARSSL_CERTS_C)  ret = x509parse_crt( &cacert, (const unsigned char *) test_ca_crt,                      strlen( test_ca_crt ) );#else  ret = 1;  printf("POLARSSL_CERTS_C not defined.");#endif    if( ret < 0 )  {    printf( " failed/n  !  x509parse_crt returned -0x%x/n/n", -ret );    goto exit;  }    printf( " ok (%d skipped)/n", ret );    /* Start the connection */  do  {    printf(( "/n/rSSL : Start the connection /n/r"));    printf("/n/rConnecting to tcp/%s/ Port:%4d...", SSL_SERVER_NAME, SSL_SERVER_PORT);         /* Bint the connection to SSL server port */    ret = net_connect(&server_fd, SSL_SERVER_NAME, SSL_SERVER_PORT);    if(ret != 0)    {      /* Connection to SSL server failed */      printf(" failed /n/r ! net_connect returned %d/n/r", -ret);            /* Wait 500 ms until next retry */      vTaskDelay(500);    }   }while(ret!=0);    printf( " ok/n/r" );    /*  * 2. Setup stuff  */  printf( "  . Setting up the SSL/TLS structure..." );    if( ( ret = ssl_init( &ssl ) ) != 0 )  {    printf( " failed/n  ! 
ssl_init returned %d/n/n/r", ret );    goto exit;  }    printf( " ok/n/r" );    ssl_set_endpoint( &ssl, SSL_IS_CLIENT );  ssl_set_authmode( &ssl, SSL_VERIFY_OPTIONAL );  ssl_set_ca_chain( &ssl, &cacert, NULL, "PolarSSL Server 1" );    ssl_set_rng( &ssl, RandVal , NULL );  ssl_set_dbg( &ssl, my_debug, NULL);  ssl_set_bio( &ssl, net_recv, &server_fd,              net_send, &server_fd );    /* Set max ssl version to TLS v1.1 because TLS v1.2 needs SHA-256 for HASH     which is not supported by STM32F417xx Hardware*/  ssl_set_max_version( &ssl, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_2);    /*  * Handshake  */  printf( "  . Performing the SSL/TLS handshake..." );    while( ( ret = ssl_handshake( &ssl ) ) != 0 )  {    if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )    {      printf( " failed/n  ! ssl_handshake returned -0x%x/n/n/r", -ret );      goto exit;    }  }    printf( " ok/n/r" );    /*  * Verify the server certificate//.........这里部分代码省略.........
开发者ID:eemei,项目名称:library-stm32f4,代码行数:101,


示例12: CommandBuffer

//.........这里部分代码省略.........			"BufferIn3: (%08x, %i), BufferOut: (%08x, %i), "			"BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)",			_BufferIn, BufferInSize, _BufferIn2, BufferInSize2,			_BufferIn3, BufferInSize3, BufferOut, BufferOutSize,			BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3);		break;	}	case IOCTLV_NET_SSL_SETROOTCA:	{		INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETROOTCA "			"BufferIn: (%08x, %i), BufferIn2: (%08x, %i), "			"BufferIn3: (%08x, %i), BufferOut: (%08x, %i), "			"BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)",			_BufferIn, BufferInSize, _BufferIn2, BufferInSize2,			_BufferIn3, BufferInSize3, BufferOut, BufferOutSize,			BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3);		int sslID = Memory::Read_U32(BufferOut) - 1;		if (SSLID_VALID(sslID))		{			WII_SSL* ssl = &_SSL[sslID];			int ret = x509_crt_parse_der(				&ssl->cacert,				Memory::GetPointer(BufferOut2),				BufferOutSize2);			if (ret)			{				Memory::Write_U32(SSL_ERR_FAILED, _BufferIn);			}			else			{				ssl_set_ca_chain(&ssl->ctx, &ssl->cacert, nullptr, ssl->hostname.c_str());				Memory::Write_U32(SSL_OK, _BufferIn);			}			INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETROOTCA = %d", ret);		}		else		{			Memory::Write_U32(SSL_ERR_ID, _BufferIn);		}		break;	}	case IOCTLV_NET_SSL_SETBUILTINCLIENTCERT:	{		INFO_LOG(WII_IPC_SSL, "IOCTLV_NET_SSL_SETBUILTINCLIENTCERT "			"BufferIn: (%08x, %i), BufferIn2: (%08x, %i), "			"BufferIn3: (%08x, %i), BufferOut: (%08x, %i), "			"BufferOut2: (%08x, %i), BufferOut3: (%08x, %i)",			_BufferIn, BufferInSize, _BufferIn2, BufferInSize2,			_BufferIn3, BufferInSize3, BufferOut, BufferOutSize,			BufferOut2, BufferOutSize2, BufferOut3, BufferOutSize3);		int sslID = Memory::Read_U32(BufferOut) - 1;		if (SSLID_VALID(sslID))		{			WII_SSL* ssl = &_SSL[sslID];			std::string cert_base_path = File::GetUserPath(D_SESSION_WIIROOT_IDX);			int ret = x509_crt_parse_file(&ssl->clicert, (cert_base_path + "clientca.pem").c_str());			int pk_ret = pk_parse_keyfile(&ssl->pk, 
(cert_base_path + "clientcakey.pem").c_str(), nullptr);			if (ret || pk_ret)			{				x509_crt_free(&ssl->clicert);				pk_free(&ssl->pk);
开发者ID:Buddybenj,项目名称:dolphin,代码行数:67,


示例13: main

int main( int argc, char *argv[] ){    int ret, len, server_fd;    unsigned char buf[1024];    char *pers = "ssl_client1";    entropy_context entropy;    ctr_drbg_context ctr_drbg;    ssl_context ssl;    x509_cert cacert;    ((void) argc);    ((void) argv);    /*     * 0. Initialize the RNG and the session data     */    memset( &ssl, 0, sizeof( ssl_context ) );    memset( &cacert, 0, sizeof( x509_cert ) );    printf( "/n  . Seeding the random number generator..." );    fflush( stdout );    entropy_init( &entropy );    if( ( ret = ctr_drbg_init( &ctr_drbg, entropy_func, &entropy,                               (unsigned char *) pers, strlen( pers ) ) ) != 0 )    {        printf( " failed/n  ! ctr_drbg_init returned %d/n", ret );        goto exit;    }    printf( " ok/n" );    /*     * 0. Initialize certificates     */    printf( "  . Loading the CA root certificate ..." );    fflush( stdout );#if defined(POLARSSL_CERTS_C)    ret = x509parse_crt( &cacert, (unsigned char *) test_ca_crt,                         strlen( test_ca_crt ) );#else    ret = 1;    printf("POLARSSL_CERTS_C not defined.");#endif    if( ret < 0 )    {        printf( " failed/n  !  x509parse_crt returned -0x%x/n/n", -ret );        goto exit;    }    printf( " ok (%d skipped)/n", ret );    /*     * 1. Start the connection     */    printf( "  . Connecting to tcp/%s/%4d...", SERVER_NAME,                                               SERVER_PORT );    fflush( stdout );    if( ( ret = net_connect( &server_fd, SERVER_NAME,                                         SERVER_PORT ) ) != 0 )    {        printf( " failed/n  ! net_connect returned %d/n/n", ret );        goto exit;    }    printf( " ok/n" );    /*     * 2. Setup stuff     */    printf( "  . Setting up the SSL/TLS structure..." );    fflush( stdout );    if( ( ret = ssl_init( &ssl ) ) != 0 )    {        printf( " failed/n  ! 
ssl_init returned %d/n/n", ret );        goto exit;    }    printf( " ok/n" );    ssl_set_endpoint( &ssl, SSL_IS_CLIENT );    ssl_set_authmode( &ssl, SSL_VERIFY_OPTIONAL );    ssl_set_ca_chain( &ssl, &cacert, NULL, "PolarSSL Server 1" );    ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );    ssl_set_dbg( &ssl, my_debug, stdout );    ssl_set_bio( &ssl, net_recv, &server_fd,                       net_send, &server_fd );    /*     * 4. Handshake     */    printf( "  . Performing the SSL/TLS handshake..." );    fflush( stdout );//.........这里部分代码省略.........
开发者ID:191919,项目名称:polarssl,代码行数:101,


示例14: main

//.........这里部分代码省略.........        if( ( ret = ssl_set_alpn_protocols( &ssl, alpn_list ) ) != 0 )        {            printf( " failed/n  ! ssl_set_alpn_protocols returned %d/n/n", ret );            goto exit;        }#endif    ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );    ssl_set_dbg( &ssl, my_debug, stdout );    if( opt.nbio == 2 )        ssl_set_bio( &ssl, my_recv, &server_fd, my_send, &server_fd );    else        ssl_set_bio( &ssl, net_recv, &server_fd, net_send, &server_fd );#if defined(POLARSSL_SSL_SESSION_TICKETS)    if( ( ret = ssl_set_session_tickets( &ssl, opt.tickets ) ) != 0 )    {        printf( " failed/n  ! ssl_set_session_tickets returned %d/n/n", ret );        goto exit;    }#endif    if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER )        ssl_set_ciphersuites( &ssl, opt.force_ciphersuite );    ssl_set_renegotiation( &ssl, opt.renegotiation );    ssl_legacy_renegotiation( &ssl, opt.allow_legacy );#if defined(POLARSSL_X509_CRT_PARSE_C)    if( strcmp( opt.ca_path, "none" ) != 0 &&        strcmp( opt.ca_file, "none" ) != 0 )    {        ssl_set_ca_chain( &ssl, &cacert, NULL, opt.server_name );    }    if( strcmp( opt.crt_file, "none" ) != 0 &&        strcmp( opt.key_file, "none" ) != 0 )    {        if( ( ret = ssl_set_own_cert( &ssl, &clicert, &pkey ) ) != 0 )        {            printf( " failed/n  ! ssl_set_own_cert returned %d/n/n", ret );            goto exit;        }    }#endif#if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)    if( ( ret = ssl_set_psk( &ssl, psk, psk_len,                             (const unsigned char *) opt.psk_identity,                             strlen( opt.psk_identity ) ) ) != 0 )    {        printf( " failed/n  ! ssl_set_psk returned %d/n/n", ret );        goto exit;    }#endif#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)    if( ( ret = ssl_set_hostname( &ssl, opt.server_name ) ) != 0 )    {        printf( " failed/n  ! 
ssl_set_hostname returned %d/n/n", ret );        goto exit;    }#endif    if( opt.min_version != -1 )        ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, opt.min_version );
开发者ID:AbdulWasayGaanja,项目名称:polarssl,代码行数:67,


示例15: run_ssl

/** * Run SSL handshake and store the resulting time value in the * 'time_map'. * * @param time_map where to store the current time * @param time_is_an_illusion * @param http whether to do an http request and take the date from that *     instead. */static voidrun_ssl (uint32_t *time_map, int time_is_an_illusion, int http){  entropy_context entropy;  ctr_drbg_context ctr_drbg;  ssl_context ssl;  proxy_polarssl_ctx proxy_ctx;  x509_cert cacert;  struct stat statbuf;  int ret = 0, server_fd = 0;  char *pers = "tlsdate-helper";  memset (&ssl, 0, sizeof(ssl_context));  memset (&cacert, 0, sizeof(x509_cert));  verb("V: Using PolarSSL for SSL");  if (ca_racket)  {    if (-1 == stat (ca_cert_container, &statbuf))    {      die("Unable to stat CA certficate container %s", ca_cert_container);    }    else    {      switch (statbuf.st_mode & S_IFMT)      {      case S_IFREG:        if (0 > x509parse_crtfile(&cacert, ca_cert_container))          fprintf(stderr, "x509parse_crtfile failed");        break;      case S_IFDIR:        if (0 > x509parse_crtpath(&cacert, ca_cert_container))          fprintf(stderr, "x509parse_crtpath failed");        break;      default:        die("Unable to load CA certficate container %s", ca_cert_container);      }    }  }  entropy_init (&entropy);  if (0 != ctr_drbg_init (&ctr_drbg, entropy_func, &entropy,                         (unsigned char *) pers, strlen(pers)))  {    die("Failed to initialize CTR_DRBG");  }  if (0 != ssl_init (&ssl))  {    die("SSL initialization failed");  }  ssl_set_endpoint (&ssl, SSL_IS_CLIENT);  ssl_set_rng (&ssl, ctr_drbg_random, &ctr_drbg);  ssl_set_ca_chain (&ssl, &cacert, NULL, hostname_to_verify);  if (ca_racket)  {      // You can do SSL_VERIFY_REQUIRED here, but then the check in      // inspect_key() never happens as the ssl_handshake() will fail.      
ssl_set_authmode (&ssl, SSL_VERIFY_OPTIONAL);  }  if (proxy)  {    char *scheme;    char *proxy_host;    char *proxy_port;    parse_proxy_uri (proxy, &scheme, &proxy_host, &proxy_port);    verb("V: opening socket to proxy %s:%s", proxy_host, proxy_port);    if (0 != net_connect (&server_fd, proxy_host, atoi(proxy_port)))    {      die ("SSL connection failed");    }    proxy_polarssl_init (&proxy_ctx);    proxy_polarssl_set_bio (&proxy_ctx, net_recv, &server_fd, net_send, &server_fd);    proxy_polarssl_set_host (&proxy_ctx, host);    proxy_polarssl_set_port (&proxy_ctx, atoi(port));    proxy_polarssl_set_scheme (&proxy_ctx, scheme);    ssl_set_bio (&ssl, proxy_polarssl_recv, &proxy_ctx, proxy_polarssl_send, &proxy_ctx);    verb("V: Handle proxy connection");    if (0 == proxy_ctx.f_connect (&proxy_ctx))      die("Proxy connection failed");  }  else  {    verb("V: opening socket to %s:%s", host, port);    if (0 != net_connect (&server_fd, host, atoi(port)))//.........这里部分代码省略.........
开发者ID:DonnchaC,项目名称:tlsdate,代码行数:101,


示例16: main

//.........这里部分代码省略.........            printf( " failed/n  ! ctr_drbg_init returned %d/n", ret );            goto exit;        }        printf( " ok/n" );        /*         * 2. Start the connection         */        printf( "  . SSL connection to tcp/%s/%-4d...", opt.server_name,                                                        opt.server_port );        fflush( stdout );        if( ( ret = net_connect( &server_fd, opt.server_name,                                             opt.server_port ) ) != 0 )        {            printf( " failed/n  ! net_connect returned %d/n/n", ret );            goto exit;        }        /*         * 3. Setup stuff         */        if( ( ret = ssl_init( &ssl ) ) != 0 )        {            printf( " failed/n  ! ssl_init returned %d/n/n", ret );            goto exit;        }        ssl_set_endpoint( &ssl, SSL_IS_CLIENT );        if( verify )        {            ssl_set_authmode( &ssl, SSL_VERIFY_REQUIRED );            ssl_set_ca_chain( &ssl, &cacert, NULL, opt.server_name );            ssl_set_verify( &ssl, my_verify, NULL );        }        else            ssl_set_authmode( &ssl, SSL_VERIFY_NONE );        ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );        ssl_set_dbg( &ssl, my_debug, stdout );        ssl_set_bio( &ssl, net_recv, &server_fd,                net_send, &server_fd );        ssl_set_own_cert( &ssl, &clicert, &pkey );#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)        ssl_set_hostname( &ssl, opt.server_name );#endif        /*         * 4. Handshake         */        while( ( ret = ssl_handshake( &ssl ) ) != 0 )        {            if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )            {                printf( " failed/n  ! ssl_handshake returned %d/n/n", ret );                ssl_free( &ssl );                goto exit;            }        }        printf( " ok/n" );        /*
开发者ID:AgileBits,项目名称:polarssl,代码行数:67,


示例17: wiced_generic_start_tls_with_ciphers

wiced_result_t wiced_generic_start_tls_with_ciphers( wiced_tls_simple_context_t* tls_context, void* referee, wiced_tls_endpoint_type_t type, wiced_tls_certificate_verification_t verification, const cipher_suite_t* cipher_list[], tls_transport_protocol_t transport_protocol ){    microrng_state              rngstate;    int                         prev_state;    uint64_t                    start_time;    tls_result_t                result;    /* Initialize the session data */    if ( transport_protocol != TLS_EAP_TRANSPORT )    {        memset( &tls_context->session, 0, sizeof(wiced_tls_session_t) );    }    memset( &tls_context->context, 0, sizeof(wiced_tls_context_t) );    /* Prepare session and entropy */    tls_context->session.age = MAX_TLS_SESSION_AGE;    wwd_wifi_get_random( &rngstate.entropy, 4 );    /* Initialize session context */ /* TODO: Ideally this should be done once for a socket */    if ( ssl_init( &tls_context->context ) != 0 )    {        wiced_assert("Error initialising SSL", 0!=0 );        return WICED_TLS_INIT_FAIL;    }    tls_context->context.transport_protocol = transport_protocol;    microrng_init( &rngstate );    ssl_set_endpoint( &tls_context->context, type );    ssl_set_rng     ( &tls_context->context, microrng_rand, &rngstate );    tls_context->context.receive_context = referee;    tls_context->context.send_context    = referee;    tls_context->context.get_session     = tls_get_session;    tls_context->context.set_session     = tls_set_session;    tls_context->context.ciphers         = cipher_list;    ssl_set_session ( &tls_context->context, SESSION_CAN_BE_RESUMED, 1000000, &tls_context->session );    /* Assert if user has not created correct TLS context for the TLS endpoint type */    wiced_assert("TLS servers must have an advanced TLS context", !((type == WICED_TLS_AS_SERVER) && (tls_context->context_type != WICED_TLS_ADVANCED_CONTEXT)));    if ( root_ca_certificates != NULL )    {        ssl_set_ca_chain( &tls_context->context, 
root_ca_certificates, tls_context->context.peer_cn );        ssl_set_authmode( &tls_context->context, verification );    }    else    {        ssl_set_authmode( &tls_context->context, SSL_VERIFY_NONE );    }    if ( tls_context->context_type == WICED_TLS_ADVANCED_CONTEXT )    {        wiced_tls_advanced_context_t* advanced_context = (wiced_tls_advanced_context_t*)tls_context;        ssl_set_own_cert( &advanced_context->context, &advanced_context->certificate, &advanced_context->key );        ssl_set_dh_param( &tls_context->context, diffie_hellman_prime_P, sizeof( diffie_hellman_prime_P ), diffie_hellman_prime_G, sizeof( diffie_hellman_prime_G ) );    }    prev_state = 0;    start_time = tls_host_get_time_ms();    do    {        uint64_t curr_time;        if (type == WICED_TLS_AS_SERVER)        {            result = ssl_handshake_server_async( &tls_context->context );            if ( result != TLS_SUCCESS )            {                WPRINT_SECURITY_INFO(( "Error with TLS server handshake/n" ));                goto exit_with_inited_context;            }        }        else        {            result = ssl_handshake_client_async( &tls_context->context );            if ( result != TLS_SUCCESS )            {                WPRINT_SECURITY_INFO(( "Error with TLS client handshake %u/n", (unsigned int)result ));                goto exit_with_inited_context;            }        }        /* break out if stuck */        curr_time = tls_host_get_time_ms();        if ( curr_time - start_time > MAX_HANDSHAKE_WAIT )        {            WPRINT_SECURITY_INFO(( "Timeout in SSL handshake/n" ));            result = TLS_HANDSHAKE_TIMEOUT;            goto exit_with_inited_context;        }        /* if no state change then wait on client */        if ( prev_state == tls_context->context.state )        {            host_rtos_delay_milliseconds( 10 );        }        else /* otherwise process next state with no delay */        {            prev_state = 
tls_context->context.state;//.........这里部分代码省略.........
开发者ID:fishbaoz,项目名称:wiced-emw3165,代码行数:101,


示例18: __vpnClientOpen

/*
 * Tail of __vpnClientOpen (the beginning is omitted by the page): loads the
 * client certificate and key, connects a TCP socket, configures a PolarSSL
 * client context and runs the handshake. Returns ERROR_NONE on success and
 * PX_ERROR after releasing the resources on failure.
 * The "/r/n" sequences in the strings are reproduced as the page shows them;
 * they look like extraction damage to "\r\n".
 */
//......... part of the code is omitted here .........
            return  (PX_ERROR);
        }
        iError = x509parse_crtfile(&pvpnctx->VPNCTX_x509certPrivate, cpcPrivateCrtFile);
        if (iError != ERROR_NONE) {
            _DebugHandle(__ERRORMESSAGE_LEVEL, "client certificate error./r/n");
            goto    __error_handle;
        }
        /*
         *  Install the RSA private key; when no separate key file is given,
         *  the key is read from the client certificate file instead.
         */
        if (cpcKeyFile) {
            iError = x509parse_keyfile(&pvpnctx->VPNCTX_rasctx, cpcKeyFile, cpcKeyPassword);
        } else {
            iError = x509parse_keyfile(&pvpnctx->VPNCTX_rasctx, cpcPrivateCrtFile, cpcKeyPassword);
        }
        if (iError != ERROR_NONE) {
            _DebugHandle(__ERRORMESSAGE_LEVEL, "key file error./r/n");
            goto    __error_handle;
        }
    }
    /*
     *  Connect to the SSL server
     */
    pvpnctx->VPNCTX_iSocket = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
    if (pvpnctx->VPNCTX_iSocket < 0) {
        _DebugHandle(__ERRORMESSAGE_LEVEL, "can not create socket./r/n");
        goto    __error_handle;
    }
    lib_bzero(&sockaddrinRemote, sizeof(sockaddrinRemote));
    sockaddrinRemote.sin_len    = sizeof(struct sockaddr_in);
    sockaddrinRemote.sin_family = AF_INET;
    sockaddrinRemote.sin_addr   = inaddr;
    /* presumably usPort is already in network byte order (no htons() here); verify against caller */
    sockaddrinRemote.sin_port   = usPort;
    if(connect(pvpnctx->VPNCTX_iSocket,
               (struct sockaddr *)&sockaddrinRemote,
               sizeof(struct sockaddr_in)) < 0) {
        _DebugHandle(__ERRORMESSAGE_LEVEL, "can not connect server./r/n");
        goto    __error_handle;
    }
    /*
     * NOTE(review): HAVEGE is the only randomness source for this session.
     * PolarSSL's own documentation advises against relying on HAVEGE alone;
     * a CTR_DRBG seeded from the entropy module is the usual choice.
     */
    havege_init(&pvpnctx->VPNCTX_haveagestat);                          /*  initialise the random number generator  */
    /*
     *  Initialise SSL/TLS
     */
    if (ssl_init(&pvpnctx->VPNCTX_sslctx) != ERROR_NONE) {
        _DebugHandle(__ERRORMESSAGE_LEVEL, "can not init ssl context./r/n");
        goto    __error_handle;
    }
    ssl_set_endpoint(&pvpnctx->VPNCTX_sslctx, SSL_IS_CLIENT);
    /* Verification strictness comes from the context; SSL_VERIFY_REQUIRED is the
     * only mode in which a failed certificate check aborts the handshake. */
    ssl_set_authmode(&pvpnctx->VPNCTX_sslctx, pvpnctx->VPNCTX_iVerifyOpt);
    ssl_set_rng(&pvpnctx->VPNCTX_sslctx, havege_random, &pvpnctx->VPNCTX_haveagestat);
    ssl_set_dbg(&pvpnctx->VPNCTX_sslctx, LW_NULL, stdout);              /*  no DEBUG output needed      */
    ssl_set_bio(&pvpnctx->VPNCTX_sslctx,
                net_recv, &pvpnctx->VPNCTX_iSocket,
                net_send, &pvpnctx->VPNCTX_iSocket);
    ssl_set_ciphersuites(&pvpnctx->VPNCTX_sslctx, ssl_default_ciphersuites);
    ssl_set_session(&pvpnctx->VPNCTX_sslctx, &pvpnctx->VPNCTX_sslsn);
    /*
     * NOTE(review): no CRL (3rd argument) and no expected peer name (4th
     * argument) are supplied, so the library has no name to match the server
     * certificate against: any certificate that chains to VPNCTX_x509certCA
     * passes. Pass the expected server name here if the peer must be pinned
     * to one host.
     */
    ssl_set_ca_chain(&pvpnctx->VPNCTX_sslctx, &pvpnctx->VPNCTX_x509certCA, LW_NULL, LW_NULL);
    ssl_set_own_cert(&pvpnctx->VPNCTX_sslctx, &pvpnctx->VPNCTX_x509certPrivate, &pvpnctx->VPNCTX_rasctx);
    /* The return value is not checked. */
    ssl_set_hostname(&pvpnctx->VPNCTX_sslctx, LW_NULL);                 /*  server name is not set      */
    /*
     * Retry the handshake while the transport reports WANT_READ/WANT_WRITE.
     * The bound is an iteration count; no delay between attempts is visible here.
     */
    for (i = 0; i < __VPN_SSL_HANDSHAKE_MAX_TIME; i++) {
        iError = ssl_handshake(&pvpnctx->VPNCTX_sslctx);                /*  handshake                   */
        if (iError == ERROR_NONE) {
            break;
        } else if ((iError != POLARSSL_ERR_NET_WANT_READ) &&
                   (iError != POLARSSL_ERR_NET_WANT_WRITE)) {
            _DebugHandle(__ERRORMESSAGE_LEVEL, "can not handshake./r/n");
            goto    __error_handle;
        }
    }
    if (i >= __VPN_SSL_HANDSHAKE_MAX_TIME) {                            /*  retries exhausted           */
        goto    __error_handle;
    }
    return  (ERROR_NONE);
__error_handle:
    /*
     * Common cleanup. It is also reached before ssl_init() has run (for
     * example when socket() fails), so ssl_free() presumably relies on the
     * context having been zeroed earlier -- verify in the omitted part.
     */
    if (pvpnctx->VPNCTX_iSocket >= 0) {
        net_close(pvpnctx->VPNCTX_iSocket);
    }
    x509_free(&pvpnctx->VPNCTX_x509certPrivate);
    x509_free(&pvpnctx->VPNCTX_x509certCA);
    rsa_free(&pvpnctx->VPNCTX_rasctx);
    ssl_free(&pvpnctx->VPNCTX_sslctx);
    return  (PX_ERROR);
}
开发者ID:Ga-vin,项目名称:libsylixos,代码行数:101,


示例19: polarssl_connect_step1

/*
 * Tail of polarssl_connect_step1 (the beginning is omitted by the page):
 * picks the minimum protocol version, configures the PolarSSL client context
 * and moves the connection to the ssl_connect_2 state.
 */
//......... part of the code is omitted here .........
#endif /* POLARSSL_ERROR_C */
      failf(data, "Error reading CRL file %s - PolarSSL: (-0x%04X) %s",
            data->set.str[STRING_SSL_CRLFILE], -ret, errorbuf);
      return CURLE_SSL_CRL_BADFILE;
    }
  }
  infof(data, "PolarSSL: Connecting to %s:%d/n",
        conn->host.name, conn->remote_port);
  if(ssl_init(&connssl->ssl)) {
    failf(data, "PolarSSL: ssl_init failed");
    return CURLE_SSL_CONNECT_ERROR;
  }
  /* Only a minimum version is set in every branch; unknown values fall
   * through to the default (minor version 1, i.e. TLS 1.0). */
  switch(data->set.ssl.version) {
  default:
  case CURL_SSLVERSION_DEFAULT:
    ssl_set_min_version(&connssl->ssl, SSL_MAJOR_VERSION_3,
                        SSL_MINOR_VERSION_1);
    break;
  case CURL_SSLVERSION_SSLv3:
    /* SSLv3 is deprecated; it is enabled only on explicit request. */
    ssl_set_min_version(&connssl->ssl, SSL_MAJOR_VERSION_3,
                        SSL_MINOR_VERSION_0);
    infof(data, "PolarSSL: Forced min. SSL Version to be SSLv3/n");
    break;
  case CURL_SSLVERSION_TLSv1_0:
    ssl_set_min_version(&connssl->ssl, SSL_MAJOR_VERSION_3,
                        SSL_MINOR_VERSION_1);
    infof(data, "PolarSSL: Forced min. SSL Version to be TLS 1.0/n");
    break;
  case CURL_SSLVERSION_TLSv1_1:
    ssl_set_min_version(&connssl->ssl, SSL_MAJOR_VERSION_3,
                        SSL_MINOR_VERSION_2);
    infof(data, "PolarSSL: Forced min. SSL Version to be TLS 1.1/n");
    break;
  case CURL_SSLVERSION_TLSv1_2:
    ssl_set_min_version(&connssl->ssl, SSL_MAJOR_VERSION_3,
                        SSL_MINOR_VERSION_3);
    infof(data, "PolarSSL: Forced min. SSL Version to be TLS 1.2/n");
    break;
  }
  ssl_set_endpoint(&connssl->ssl, SSL_IS_CLIENT);
  /*
   * NOTE(review): with SSL_VERIFY_OPTIONAL the handshake completes even when
   * certificate verification fails. The result has to be read with
   * ssl_get_verify_result() and enforced afterwards; that check is not in
   * this fragment -- confirm it exists in the following connect step.
   */
  ssl_set_authmode(&connssl->ssl, SSL_VERIFY_OPTIONAL);
  ssl_set_rng(&connssl->ssl, ctr_drbg_random,
              &connssl->ctr_drbg);
  ssl_set_bio(&connssl->ssl,
              net_recv, &conn->sock[sockindex],
              net_send, &conn->sock[sockindex]);
  ssl_set_ciphersuites(&connssl->ssl, ssl_list_ciphersuites());
  /* Reuse a cached session when the cache has one (0 means found). */
  if(!Curl_ssl_getsessionid(conn, &old_session, &old_session_size)) {
    /* NOTE(review): old_session_size is not compared with
     * sizeof(connssl->ssn) here; presumably the cache only stores objects of
     * that size -- verify where sessions are added. */
    memcpy(&connssl->ssn, old_session, old_session_size);
    infof(data, "PolarSSL re-using session/n");
  }
  ssl_set_session(&connssl->ssl,
                  &connssl->ssn);
  /* Trust anchors, CRL and the expected certificate name (the host name). */
  ssl_set_ca_chain(&connssl->ssl,
                   &connssl->cacert,
                   &connssl->crl,
                   conn->host.name);
  ssl_set_own_cert_rsa(&connssl->ssl,
                       &connssl->clicert, &connssl->rsa);
  /* SNI is configured only when the host is not an IP literal and sni is set;
   * a failure to set it is logged, not fatal. */
  if(!Curl_inet_pton(AF_INET, conn->host.name, &addr) &&
#ifdef ENABLE_IPV6
     !Curl_inet_pton(AF_INET6, conn->host.name, &addr) &&
#endif
     sni && ssl_set_hostname(&connssl->ssl, conn->host.name)) {
     infof(data, "WARNING: failed to configure "
                 "server name indication (SNI) TLS extension/n");
  }
#ifdef HAS_ALPN
  if(data->set.httpversion == CURL_HTTP_VERSION_2_0) {
    if(data->set.ssl_enable_alpn) {
      /* static: the array is only handed over as a pointer, so it has to
       * outlive this function */
      static const char* protocols[] = {
        NGHTTP2_PROTO_VERSION_ID, ALPN_HTTP_1_1, NULL
      };
      ssl_set_alpn_protocols(&connssl->ssl, protocols);
      infof(data, "ALPN, offering %s, %s/n", protocols[0],
            protocols[1]);
    }
  }
#endif
#ifdef POLARSSL_DEBUG
  ssl_set_dbg(&connssl->ssl, polarssl_debug, data);
#endif
  /* The handshake itself is driven by the next state. */
  connssl->connecting_state = ssl_connect_2;
  return CURLE_OK;
}
开发者ID:entdark,项目名称:jk2mv,代码行数:101,


示例20: main

//.........这里部分代码省略.........                                         opt.server_port ) ) != 0 )    {        printf( " failed/n  ! net_connect returned %d/n/n", ret );        goto exit;    }    printf( " ok/n" );    /*     * 3. Setup stuff     */    printf( "  . Setting up the SSL/TLS structure..." );    fflush( stdout );    if( ( ret = ssl_init( &ssl ) ) != 0 )    {        printf( " failed/n  ! ssl_init returned %d/n/n", ret );        goto exit;    }    printf( " ok/n" );    ssl_set_endpoint( &ssl, SSL_IS_CLIENT );    ssl_set_authmode( &ssl, SSL_VERIFY_OPTIONAL );    ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );    ssl_set_dbg( &ssl, my_debug, stdout );    ssl_set_bio( &ssl, net_recv, &server_fd,            net_send, &server_fd );    if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER )        ssl_set_ciphersuites( &ssl, opt.force_ciphersuite );    ssl_set_ca_chain( &ssl, &cacert, NULL, opt.server_name );    ssl_set_own_cert( &ssl, &clicert, &pkey );#if defined(POLARSSL_SSL_SERVER_NAME_INDICATION)    ssl_set_hostname( &ssl, opt.server_name );#endif    if( opt.mode == MODE_SSL_TLS )    {        if( do_handshake( &ssl, &opt ) != 0 )            goto exit;        printf( "  > Get header from server:" );        fflush( stdout );        ret = write_ssl_and_get_response( &ssl, buf, 0 );        if( ret < 200 || ret > 299 )        {            printf( " failed/n  ! server responded with %d/n/n", ret );            goto exit;        }        printf(" ok/n" );        printf( "  > Write EHLO to server:" );        fflush( stdout );        gethostname( hostname, 32 );        len = sprintf( (char *) buf, "EHLO %s/r/n", hostname );        ret = write_ssl_and_get_response( &ssl, buf, len );        if( ret < 200 || ret > 299 )        {            printf( " failed/n  ! server responded with %d/n/n", ret );
开发者ID:arekinath,项目名称:polarssl,代码行数:67,


示例21: ssl_server

/**
  * @brief  SSL Server task: loads the embedded test certificate chain and
  *         key, binds a listening socket on port 443 and prepares the
  *         PolarSSL server context. The rest of the task is omitted by the
  *         page.
  * @param  argument not used in the visible part
  * @retval None
  */
void ssl_server(void const * argument)
{
  int ret, len;
  int listen_fd;
  int client_fd = -1;
  unsigned char buf[1524];
  ssl_context ssl;
  x509_cert srvcert;
  rsa_context rsa;
#if defined(POLARSSL_SSL_CACHE_C)
  ssl_cache_context cache;
  ssl_cache_init( &cache );
#endif
  /*
  * Load the certificates and private RSA key
  */
  printf( "/n  . Loading the server cert. and key..." );
  memset( &srvcert, 0, sizeof( x509_cert ) );
  /*
  * This demonstration program uses embedded test certificates.
  * Instead, you may want to use x509parse_crtfile() to read the
  * server and CA certificates, as well as x509parse_keyfile().
  *
  * NOTE(review): a key that ships inside the firmware or source is not a
  * secret; a deployed server needs its own certificate and private key.
  */
  ret = x509parse_crt( &srvcert, (const unsigned char *) test_srv_crt,
                      strlen( test_srv_crt ) );
  if( ret != 0 )
  {
    printf( " failed/n  !  x509parse_crt returned %d/n/n", ret );
    goto exit;
  }
  /* The CA certificate is parsed into the same object, so it is reachable
   * as srvcert.next further down. */
  ret = x509parse_crt( &srvcert, (const unsigned char *) test_ca_crt,
                      strlen( test_ca_crt ) );
  if( ret != 0 )
  {
    printf( " failed/n  !  x509parse_crt returned %d/n/n", ret );
    goto exit;
  }
  rsa_init( &rsa, RSA_PKCS_V15, 0 );
  /* The key is parsed without a password (NULL, 0). */
  ret =  x509parse_key( &rsa, (const unsigned char *) test_srv_key,
                       strlen( test_srv_key ), NULL, 0 );
  if( ret != 0 )
  {
    printf( " failed/n  !  x509parse_key returned %d/n/n", ret );
    goto exit;
  }
  printf( " ok/n/r" );
  /*
  * Setup the listening TCP socket
  */
  printf( "  . Bind on https://localhost:443/ ..." );
  if( ( ret = net_bind( &listen_fd, NULL, 443) ) != 0 )
  {
    printf( " failed/n  ! net_bind returned %d/n/n", ret );
    goto exit;
  }
  printf( " ok/n/r" );
    /*
    * Setup stuff
    */
    printf( "  . Setting up the SSL data...." );
    if( ( ret = ssl_init( &ssl ) ) != 0 )
    {
      printf( " failed/n  ! ssl_init returned %d/n/n", ret );
      goto reset;
    }
    ssl_set_endpoint( &ssl, SSL_IS_SERVER );
    /* Clients are not authenticated: no client certificate is verified. */
    ssl_set_authmode( &ssl, SSL_VERIFY_NONE );
    /*
     * NOTE(review): RandVal is defined outside this fragment and gets no
     * context (NULL). All session key material depends on it, so confirm it
     * is backed by a hardware RNG or a properly seeded DRBG.
     */
    ssl_set_rng( &ssl, RandVal , NULL );
    ssl_set_dbg( &ssl, my_debug, stdout );
#if defined(POLARSSL_SSL_CACHE_C)
    ssl_set_session_cache( &ssl, ssl_cache_get, &cache,
                          ssl_cache_set, &cache );
#endif
    /* srvcert.next is the CA certificate parsed second above; no CRL and no
     * expected peer name are configured. */
    ssl_set_ca_chain( &ssl, srvcert.next, NULL, NULL );
    ssl_set_own_cert( &ssl, &srvcert, &rsa );
    /* client_fd is still -1 here; the BIO callbacks receive its address, so
     * they see the descriptor once it is assigned (presumably after accept,
     * in the omitted part). */
    ssl_set_bio( &ssl, net_recv, &client_fd, net_send, &client_fd );
    printf( " ok/n/r" );
//......... part of the code is omitted here .........
开发者ID:eemei,项目名称:library-stm32f4,代码行数:101,


示例22: main

//.........这里部分代码省略.........    /*     * Server:     * Setup stuff     */    if( packet_in_num == 0 )    {        printf( "  . Server: Setting up the SSL data...." );        fflush( stdout );    }    if( ( ret = ssl_init( &s_ssl ) ) != 0 )    {        polarssl_printf( " failed/n  ! ssl_init returned %d/n/n", ret );        goto exit;    }    ssl_set_endpoint( &s_ssl, SSL_IS_SERVER );    ssl_set_authmode( &s_ssl, SSL_VERIFY_NONE );    /* SSLv3 is deprecated, set minimum to TLS 1.0 */    ssl_set_min_version( &s_ssl, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1 );    /* RC4 is deprecated, disable it */    ssl_set_arc4_support( &s_ssl, SSL_ARC4_DISABLED );    ssl_set_rng( &s_ssl, ctr_drbg_deterministic, NULL );    ssl_set_dbg( &s_ssl, my_debug, stdout );#if defined(POLARSSL_SSL_CACHE_C)    ssl_set_session_cache( &s_ssl, ssl_cache_get, &cache,                           ssl_cache_set, &cache );#endif    ssl_set_ca_chain( &s_ssl, srvcert.next, NULL, NULL );    if( ( ret = ssl_set_own_cert( &s_ssl, &srvcert, &pkey ) ) != 0 )    {        printf( " failed/n  ! ssl_set_own_cert returned %d/n/n", ret );        goto exit;    }    if( packet_in_num == 0 )    {        printf( " ok/n" );    }    ssl_session_reset( &s_ssl );#if SOCKET_COMMUNICATION    /*     * Server:     * Setup the listening TCP socket     */    if( packet_in_num == 0 )    {        printf( "  . Bind on https://localhost:%d/ ...", SERVER_PORT );        fflush( stdout );    }    if( ( ret = net_bind( &listen_fd, NULL, SERVER_PORT ) ) != 0 )    {        printf( " failed/n  ! net_bind returned %d/n/n", ret );        goto exit;    }    if( packet_in_num == 0 )    {
开发者ID:faf0,项目名称:mbedtls-fuzz,代码行数:67,


示例23: pthread_self

/*
 * Per-connection worker thread of a PolarSSL server: seeds its own CTR_DRBG
 * from the shared entropy context, configures a server-side SSL context from
 * the certificate, key and cache passed in thread_info, and runs the
 * handshake. The request handling that follows is omitted by the page.
 *
 * data points to a thread_info_t.
 */
static void *handle_ssl_connection( void *data )
{
    int ret, len;
    thread_info_t *thread_info = (thread_info_t *) data;
    int client_fd = thread_info->client_fd;
    /* Used only as a label in log lines and in the DRBG personalisation
     * string; pthread_t is an opaque type, so the cast is not portable. */
    int thread_id = (int) pthread_self();
    unsigned char buf[1024];
    char pers[50];
    ssl_context ssl;
    ctr_drbg_context ctr_drbg;
    /* Make sure memory references are valid */
    memset( &ssl, 0, sizeof( ssl_context ) );
    memset( &ctr_drbg, 0, sizeof( ctr_drbg_context ) );
    snprintf( pers, sizeof(pers), "SSL Pthread Thread %d", thread_id );
    polarssl_printf( "  [ #%d ]  Client FD %d/n", thread_id, client_fd );
    polarssl_printf( "  [ #%d ]  Seeding the random number generator.../n", thread_id );
    /* entropy_func() is thread-safe if POLARSSL_THREADING_C is set     */
    if( ( ret = ctr_drbg_init( &ctr_drbg, entropy_func, thread_info->entropy,
                               (const unsigned char *) pers,
                               strlen( pers ) ) ) != 0 )
    {
        polarssl_printf( "  [ #%d ]  failed: ctr_drbg_init returned -0x%04x/n",
                thread_id, -ret );
        goto thread_exit;
    }
    polarssl_printf( "  [ #%d ]  ok/n", thread_id );
    /*
     * 4. Setup stuff
     */
    polarssl_printf( "  [ #%d ]  Setting up the SSL data..../n", thread_id );
    if( ( ret = ssl_init( &ssl ) ) != 0 )
    {
        polarssl_printf( "  [ #%d ]  failed: ssl_init returned -0x%04x/n",
                thread_id, -ret );
        goto thread_exit;
    }
    ssl_set_endpoint( &ssl, SSL_IS_SERVER );
    /* Clients are not authenticated: no client certificate is verified. */
    ssl_set_authmode( &ssl, SSL_VERIFY_NONE );
    /* SSLv3 is deprecated, set minimum to TLS 1.0 */
    /* NOTE(review): TLS 1.0 and 1.1 have since been deprecated as well
     * (RFC 8996); a current deployment would raise this floor. */
    ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, SSL_MINOR_VERSION_1 );
    /* RC4 is deprecated, disable it */
    ssl_set_arc4_support( &ssl, SSL_ARC4_DISABLED );
    ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );
    ssl_set_dbg( &ssl, my_mutexed_debug, stdout );
    /* ssl_cache_get() and ssl_cache_set() are thread-safe if
     * POLARSSL_THREADING_C is set.
     */
#if defined(POLARSSL_SSL_CACHE_C)
    ssl_set_session_cache( &ssl, ssl_cache_get, thread_info->cache,
                                 ssl_cache_set, thread_info->cache );
#endif
    /* CA chain from the shared thread_info; no CRL and no expected peer name. */
    ssl_set_ca_chain( &ssl, thread_info->ca_chain, NULL, NULL );
    if( ( ret = ssl_set_own_cert( &ssl, thread_info->server_cert, thread_info->server_key ) ) != 0 )
    {
        polarssl_printf( " failed/n  ! ssl_set_own_cert returned %d/n/n", ret );
        goto thread_exit;
    }
    polarssl_printf( "  [ #%d ]  ok/n", thread_id );
    /* The BIO callbacks get the address of the local copy of the descriptor. */
    ssl_set_bio( &ssl, net_recv, &client_fd,
                       net_send, &client_fd );
    polarssl_printf( "  [ #%d ]  ok/n", thread_id );
    /*
     * 5. Handshake
     */
    polarssl_printf( "  [ #%d ]  Performing the SSL/TLS handshake/n", thread_id );
    /* Loop while the transport asks to be retried; no retry limit or timeout
     * is applied in this loop, and any other error ends the thread. */
    while( ( ret = ssl_handshake( &ssl ) ) != 0 )
    {
        if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
        {
            polarssl_printf( "  [ #%d ]  failed: ssl_handshake returned -0x%04x/n",
                    thread_id, -ret );
            goto thread_exit;
        }
    }
    polarssl_printf( "  [ #%d ]  ok/n", thread_id );
    /*
     * 6. Read the HTTP Request
     */
    polarssl_printf( "  [ #%d ]  < Read from client/n", thread_id );
    do
//......... part of the code is omitted here .........
开发者ID:ariia-git,项目名称:console-client,代码行数:101,


示例24: main

//.........这里部分代码省略.........    if( ( ret = ssl_init( &ssl ) ) != 0 )    {        printf( " failed/n  ! ssl_init returned -0x%x/n/n", -ret );        goto exit;    }    ssl_set_endpoint( &ssl, SSL_IS_SERVER );    ssl_set_authmode( &ssl, opt.auth_mode );#if defined(POLARSSL_SSL_MAX_FRAGMENT_LENGTH)    ssl_set_max_frag_len( &ssl, opt.mfl_code );#endif    ssl_set_rng( &ssl, ctr_drbg_random, &ctr_drbg );    ssl_set_dbg( &ssl, my_debug, stdout );#if defined(POLARSSL_SSL_CACHE_C)    ssl_set_session_cache( &ssl, ssl_cache_get, &cache,                                 ssl_cache_set, &cache );#endif#if defined(POLARSSL_SSL_SESSION_TICKETS)    ssl_set_session_tickets( &ssl, opt.tickets );#endif    if( opt.force_ciphersuite[0] != DFL_FORCE_CIPHER )        ssl_set_ciphersuites( &ssl, opt.force_ciphersuite );    ssl_set_renegotiation( &ssl, opt.renegotiation );    ssl_legacy_renegotiation( &ssl, opt.allow_legacy );#if defined(POLARSSL_X509_CRT_PARSE_C)    ssl_set_ca_chain( &ssl, &cacert, NULL, NULL );    if( key_cert_init )        ssl_set_own_cert( &ssl, &srvcert, &pkey );    if( key_cert_init2 )        ssl_set_own_cert( &ssl, &srvcert2, &pkey2 );#endif#if defined(POLARSSL_KEY_EXCHANGE__SOME__PSK_ENABLED)    ssl_set_psk( &ssl, psk, psk_len, (const unsigned char *) opt.psk_identity,                 strlen( opt.psk_identity ) );#endif#if defined(POLARSSL_DHM_C)    /*     * Use different group than default DHM group     */    ssl_set_dh_param( &ssl, POLARSSL_DHM_RFC5114_MODP_2048_P,                            POLARSSL_DHM_RFC5114_MODP_2048_G );#endif    if( opt.min_version != -1 )        ssl_set_min_version( &ssl, SSL_MAJOR_VERSION_3, opt.min_version );    if( opt.max_version != -1 )        ssl_set_max_version( &ssl, SSL_MAJOR_VERSION_3, opt.max_version );    printf( " ok/n" );reset:#ifdef POLARSSL_ERROR_C    if( ret != 0 )    {        char error_buf[100];
开发者ID:BenKoerber,项目名称:clearskies_core,代码行数:67,


示例25: malloc

/*
 * Opens a TLS client connection to SERVER_NAME:SERVER_PORT with PolarSSL and
 * runs the handshake; the part that sends the request and produces the
 * returned buffer is omitted by the page.
 *
 * request      request data (only used in the omitted part)
 * debug_level  non-zero enables progress messages on stderr
 */
char *mlsc_network_request(char *request, int debug_level) {
    int ret, len, server_fd = -1;
    char tmpbuf[BUFFER_SIZE];
    /* NOTE(review): the malloc() result is not checked in the visible part. */
    char *buf = malloc(BUFFER_SIZE);
    const char *pers = "ssl_client1";
    entropy_context entropy;
    ctr_drbg_context ctr_drbg;
    ssl_context ssl;
    x509_crt cacert;
#if defined(POLARSSL_DEBUG_C)
    if (debug_level) debug_set_threshold(1);
#endif
    /*
     * 0. Initialize the RNG and the session data
     */
    memset(&ssl, 0, sizeof(ssl_context));
    x509_crt_init(&cacert);
    if (debug_level) fprintf(stderr, "/n  . Seeding the random number generator...");
    entropy_init(&entropy);
    if ((ret = ctr_drbg_init(&ctr_drbg, entropy_func, &entropy,
                             (const unsigned char *) pers,
                             strlen(pers))) != 0) {
        if (debug_level) fprintf(stderr, " failed/n  ! ctr_drbg_init returned %d/n", ret);
        goto exit;
    }
    if (debug_level) fprintf(stderr, " ok/n");
    /*
     * 0. Initialize certificates
     */
    if (debug_level) fprintf(stderr, "  . Loading the CA root certificate ...");
    fflush(stdout);
    /*
     * NOTE(review): test_ca_list is not defined in this fragment; by its name
     * it is the library's bundled test CA list -- TODO confirm. A real client
     * needs its own trust anchors.
     */
#if defined(POLARSSL_CERTS_C)
    ret = x509_crt_parse(&cacert, (const unsigned char *) test_ca_list,
                         strlen(test_ca_list));
#else
    /* NOTE(review): ret = 1 does not trip the "ret < 0" check below, so
     * without POLARSSL_CERTS_C the setup continues with an empty CA chain. */
    ret = 1;
    if (debug_level) fprintf(stderr, "POLARSSL_CERTS_C not defined.");
#endif
    if (ret < 0) {
        if (debug_level) fprintf(stderr, " failed/n  !  x509_crt_parse returned -0x%x/n/n", -ret);
        goto exit;
    }
    /* A positive ret is reported as a count of skipped certificates. */
    if (debug_level) fprintf(stderr, " ok (%d skipped)/n", ret);
    /*
     * 1. Start the connection
     */
    if (debug_level)
        fprintf(stderr, "  . Connecting to tcp/%s/%4d...", SERVER_NAME,
                SERVER_PORT);
    if ((ret = net_connect(&server_fd, SERVER_NAME,
                           SERVER_PORT)) != 0) {
        if (debug_level) fprintf(stderr, " failed/n  ! net_connect returned %d/n/n", ret);
        goto exit;
    }
    if (debug_level) fprintf(stderr, " ok/n");
    /*
     * 2. Setup stuff
     */
    if (debug_level) fprintf(stderr, "  . Setting up the SSL/TLS structure...");
    if ((ret = ssl_init(&ssl)) != 0) {
        if (debug_level) fprintf(stderr, " failed/n  ! ssl_init returned %d/n/n", ret);
        goto exit;
    }
    if (debug_level) fprintf(stderr, " ok/n");
    ssl_set_endpoint(&ssl, SSL_IS_CLIENT);
    /* OPTIONAL is not optimal for security,
     * but makes interop easier in this simplified example */
    /* NOTE(review): in this mode the handshake succeeds even when the server
     * certificate fails verification; the result must be read with
     * ssl_get_verify_result() and acted on. That check is not in the visible
     * part -- confirm it exists, or use SSL_VERIFY_REQUIRED. */
    ssl_set_authmode(&ssl, SSL_VERIFY_OPTIONAL);
    /* CA chain without a CRL; SERVER_NAME is the expected certificate name. */
    ssl_set_ca_chain(&ssl, &cacert, NULL, SERVER_NAME);
    ssl_set_rng(&ssl, ctr_drbg_random, &ctr_drbg);
    ssl_set_bio(&ssl, net_recv, &server_fd,
                net_send, &server_fd);
    /*
     * 4. Handshake
     */
    if (debug_level) fprintf(stderr, "  . Performing the SSL/TLS handshake...");
    /* Retry while the transport reports WANT_READ/WANT_WRITE. */
    while ((ret = ssl_handshake(&ssl)) != 0) {
        if (ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE) {
            fprintf(stderr, " failed/n  ! ssl_handshake returned -0x%x/n/n", -ret);
//......... part of the code is omitted here .........
开发者ID:mar-v-in,项目名称:mlsc,代码行数:101,


示例26: polarssl_connect_step1

/*
 * Tail of an older polarssl_connect_step1 (the beginning is omitted by the
 * page): loads the private key and CRL, configures the PolarSSL client
 * context with version-dependent calls and moves the connection to the
 * ssl_connect_2 state.
 */
//......... part of the code is omitted here .........
                            data->set.str[STRING_KEY],
                            data->set.str[STRING_KEY_PASSWD]);
    if(ret) {
      /* NOTE(review): errorbuf is printed below even when POLARSSL_ERROR_C is
       * not defined; presumably it is zeroed in the omitted part -- verify. */
#ifdef POLARSSL_ERROR_C
      error_strerror(ret, errorbuf, sizeof(errorbuf));
#endif /* POLARSSL_ERROR_C */
      failf(data, "Error reading private key %s - PolarSSL: (-0x%04X) %s",
            data->set.str[STRING_KEY], -ret, errorbuf);
      return CURLE_SSL_CERTPROBLEM;
    }
  }
  /* Load the CRL */
  memset(&connssl->crl, 0, sizeof(x509_crl));
  if(data->set.str[STRING_SSL_CRLFILE]) {
    ret = x509parse_crlfile(&connssl->crl,
                            data->set.str[STRING_SSL_CRLFILE]);
    if(ret) {
#ifdef POLARSSL_ERROR_C
      error_strerror(ret, errorbuf, sizeof(errorbuf));
#endif /* POLARSSL_ERROR_C */
      failf(data, "Error reading CRL file %s - PolarSSL: (-0x%04X) %s",
            data->set.str[STRING_SSL_CRLFILE], -ret, errorbuf);
      return CURLE_SSL_CRL_BADFILE;
    }
  }
  infof(data, "PolarSSL: Connecting to %s:%d/n",
        conn->host.name, conn->remote_port);
  if(ssl_init(&connssl->ssl)) {
    failf(data, "PolarSSL: ssl_init failed");
    return CURLE_SSL_CONNECT_ERROR;
  }
  ssl_set_endpoint(&connssl->ssl, SSL_IS_CLIENT);
  /*
   * NOTE(review): with SSL_VERIFY_OPTIONAL the handshake completes even when
   * certificate verification fails. The result has to be read with
   * ssl_get_verify_result() and enforced afterwards; that check is not in
   * this fragment -- confirm it exists in the following connect step.
   */
  ssl_set_authmode(&connssl->ssl, SSL_VERIFY_OPTIONAL);
  /* Library versions before 1.1.0 only get HAVEGE as the random source;
   * later ones use CTR_DRBG. */
#if POLARSSL_VERSION_NUMBER<0x01010000
  ssl_set_rng(&connssl->ssl, havege_rand,
              &connssl->hs);
#else
  ssl_set_rng(&connssl->ssl, ctr_drbg_random,
              &connssl->ctr_drbg);
#endif /* POLARSSL_VERSION_NUMBER<0x01010000 */
  ssl_set_bio(&connssl->ssl,
              net_recv, &conn->sock[sockindex],
              net_send, &conn->sock[sockindex]);
#if POLARSSL_VERSION_NUMBER<0x01000000
  ssl_set_ciphers(&connssl->ssl, ssl_default_ciphers);
#else
  ssl_set_ciphersuites(&connssl->ssl, ssl_default_ciphersuites);
#endif
  /* Reuse a cached session when the cache has one (0 means found). */
  if(!Curl_ssl_getsessionid(conn, &old_session, &old_session_size)) {
    /* NOTE(review): old_session_size is not compared with
     * sizeof(connssl->ssn) here; presumably the cache only stores objects of
     * that size -- verify where sessions are added. */
    memcpy(&connssl->ssn, old_session, old_session_size);
    infof(data, "PolarSSL re-using session/n");
  }
/* PolarSSL SVN revision r1316 to r1317, matching <1.2.0 is to cover Ubuntu's
   1.1.4 version and the like */
#if POLARSSL_VERSION_NUMBER<0x01020000
  ssl_set_session(&connssl->ssl, 1, 600,
                  &connssl->ssn);
#else
  ssl_set_session(&connssl->ssl,
                  &connssl->ssn);
#endif
  /* Trust anchors, CRL and the expected certificate name (the host name). */
  ssl_set_ca_chain(&connssl->ssl,
                   &connssl->cacert,
                   &connssl->crl,
                   conn->host.name);
  ssl_set_own_cert(&connssl->ssl,
                   &connssl->clicert, &connssl->rsa);
  /* SNI is configured only when the host is not an IP literal and sni is set;
   * a failure to set it is logged, not fatal. */
  if(!Curl_inet_pton(AF_INET, conn->host.name, &addr) &&
#ifdef ENABLE_IPV6
     !Curl_inet_pton(AF_INET6, conn->host.name, &addr) &&
#endif
     sni && ssl_set_hostname(&connssl->ssl, conn->host.name)) {
     infof(data, "WARNING: failed to configure "
                 "server name indication (SNI) TLS extension/n");
  }
#ifdef POLARSSL_DEBUG
  ssl_set_dbg(&connssl->ssl, polarssl_debug, data);
#endif
  /* The handshake itself is driven by the next state. */
  connssl->connecting_state = ssl_connect_2;
  return CURLE_OK;
}
开发者ID:Web5design,项目名称:curl,代码行数:101,


示例27: __ustream_ssl_update_peer_cn

/*
 * Push the connection's trust settings into its PolarSSL context.
 *
 * The CA chain is taken from the context shared through us->ctx, no CRL is
 * supplied (third argument NULL), and us->peer_cn is handed over as the
 * name the peer certificate is expected to carry.
 *
 * NOTE(review): when us->peer_cn is NULL the library has no name to compare
 * the certificate against, so callers that need host name verification have
 * to set it before this runs -- confirm against the callers.
 */
__hidden void __ustream_ssl_update_peer_cn(struct ustream_ssl *us)
{
    struct ustream_ssl_ctx *shared = us->ctx;

    ssl_set_ca_chain(us->ssl, &shared->ca_cert, NULL, us->peer_cn);
}
开发者ID:asriadi,项目名称:ustream-ssl,代码行数:6,


示例28: polarssl_connect_step1

/*
 * Tail of a later polarssl_connect_step1 (the beginning is omitted by the
 * page): selects the protocol version range, configures the PolarSSL client
 * context and moves the connection to the ssl_connect_2 state.
 */
//......... part of the code is omitted here .........
  case CURL_SSLVERSION_DEFAULT:
  case CURL_SSLVERSION_TLSv1:
    ssl_set_min_version(&BACKEND->ssl, SSL_MAJOR_VERSION_3,
                        SSL_MINOR_VERSION_1);
    break;
  case CURL_SSLVERSION_SSLv3:
    /* SSLv3 is deprecated; it is pinned as both minimum and maximum only on
     * explicit request. */
    ssl_set_min_version(&BACKEND->ssl, SSL_MAJOR_VERSION_3,
                        SSL_MINOR_VERSION_0);
    ssl_set_max_version(&BACKEND->ssl, SSL_MAJOR_VERSION_3,
                        SSL_MINOR_VERSION_0);
    infof(data, "PolarSSL: Forced min. SSL Version to be SSLv3/n");
    break;
  case CURL_SSLVERSION_TLSv1_0:
  case CURL_SSLVERSION_TLSv1_1:
  case CURL_SSLVERSION_TLSv1_2:
  case CURL_SSLVERSION_TLSv1_3:
    {
      CURLcode result = set_ssl_version_min_max(conn, sockindex);
      if(result != CURLE_OK)
        return result;
      break;
    }
  default:
    /* Unknown version requests are rejected instead of falling back. */
    failf(data, "Unrecognized parameter passed via CURLOPT_SSLVERSION");
    return CURLE_SSL_CONNECT_ERROR;
  }
  ssl_set_endpoint(&BACKEND->ssl, SSL_IS_CLIENT);
  /*
   * NOTE(review): with SSL_VERIFY_OPTIONAL the handshake completes even when
   * certificate verification fails. The result has to be read with
   * ssl_get_verify_result() and enforced afterwards; that check is not in
   * this fragment -- confirm it exists in the following connect step.
   */
  ssl_set_authmode(&BACKEND->ssl, SSL_VERIFY_OPTIONAL);
  ssl_set_rng(&BACKEND->ssl, ctr_drbg_random,
              &BACKEND->ctr_drbg);
  ssl_set_bio(&BACKEND->ssl,
              net_recv, &conn->sock[sockindex],
              net_send, &conn->sock[sockindex]);
  ssl_set_ciphersuites(&BACKEND->ssl, ssl_list_ciphersuites());
  /* Check if there's a cached ID we can/should use here! */
  if(SSL_SET_OPTION(primary.sessionid)) {
    void *old_session = NULL;
    /* The session cache is locked for the lookup and released on every path
     * out of this block. */
    Curl_ssl_sessionid_lock(conn);
    if(!Curl_ssl_getsessionid(conn, &old_session, NULL, sockindex)) {
      ret = ssl_set_session(&BACKEND->ssl, old_session);
      if(ret) {
        Curl_ssl_sessionid_unlock(conn);
        failf(data, "ssl_set_session returned -0x%x", -ret);
        return CURLE_SSL_CONNECT_ERROR;
      }
      infof(data, "PolarSSL re-using session/n");
    }
    Curl_ssl_sessionid_unlock(conn);
  }
  /* Trust anchors, CRL and the expected certificate name. */
  ssl_set_ca_chain(&BACKEND->ssl,
                   &BACKEND->cacert,
                   &BACKEND->crl,
                   hostname);
  ssl_set_own_cert_rsa(&BACKEND->ssl,
                       &BACKEND->clicert, &BACKEND->rsa);
  /* A failure to set the name is fatal here. */
  if(ssl_set_hostname(&BACKEND->ssl, hostname)) {
    /* ssl_set_hostname() sets the name to use in CN/SAN checks *and* the name
       to set in the SNI extension. So even if curl connects to a host
       specified as an IP address, this function must be used. */
    failf(data, "couldn't set hostname in PolarSSL");
    return CURLE_SSL_CONNECT_ERROR;
  }
#ifdef HAS_ALPN
  if(conn->bits.tls_enable_alpn) {
    /* static: the array is only handed over as a pointer, so it has to
     * outlive this function. It holds at most two names plus the NULL
     * terminator. */
    static const char *protocols[3];
    int cur = 0;
#ifdef USE_NGHTTP2
    if(data->set.httpversion >= CURL_HTTP_VERSION_2) {
      protocols[cur++] = NGHTTP2_PROTO_VERSION_ID;
      infof(data, "ALPN, offering %s/n", NGHTTP2_PROTO_VERSION_ID);
    }
#endif
    protocols[cur++] = ALPN_HTTP_1_1;
    infof(data, "ALPN, offering %s/n", ALPN_HTTP_1_1);
    protocols[cur] = NULL;
    ssl_set_alpn_protocols(&BACKEND->ssl, protocols);
  }
#endif
#ifdef POLARSSL_DEBUG
  ssl_set_dbg(&BACKEND->ssl, polarssl_debug, data);
#endif
  /* The handshake itself is driven by the next state. */
  connssl->connecting_state = ssl_connect_2;
  return CURLE_OK;
}
开发者ID:sshyran,项目名称:curl,代码行数:101,


示例29: main

//.........这里部分代码省略.........    printf( " ok/n" );    /*     * 4. Setup stuff     */    printf( "  . Setting up the RNG and SSL data...." );    fflush( stdout );    havege_init( &hs );    if( ( ret = ssl_init( &ssl ) ) != 0 )    {        printf( " failed/n  ! ssl_init returned %d/n/n", ret );        goto accept;    }    printf( " ok/n" );    ssl_set_endpoint( &ssl, SSL_IS_SERVER );    ssl_set_authmode( &ssl, SSL_VERIFY_NONE );    ssl_set_rng( &ssl, havege_rand, &hs );    ssl_set_dbg( &ssl, my_debug, stdout );    ssl_set_bio( &ssl, net_recv, &client_fd,                       net_send, &client_fd );    ssl_set_scb( &ssl, my_get_session,                       my_set_session );    ssl_set_ciphers( &ssl, my_ciphers );    ssl_set_session( &ssl, 1, 0, &ssn );    memset( &ssn, 0, sizeof( ssl_session ) );    ssl_set_ca_chain( &ssl, srvcert.next, NULL, NULL );    ssl_set_own_cert( &ssl, &srvcert, &rsa );    ssl_set_dh_param( &ssl, my_dhm_P, my_dhm_G );    /*     * 5. Handshake     */    printf( "  . Performing the SSL/TLS handshake..." );    fflush( stdout );    while( ( ret = ssl_handshake( &ssl ) ) != 0 )    {        if( ret != POLARSSL_ERR_NET_TRY_AGAIN )        {            printf( " failed/n  ! ssl_handshake returned %d/n/n", ret );            goto accept;        }    }    printf( " ok/n" );    /*     * 6. Read the HTTP Request     */    printf( "  < Read from client:" );    fflush( stdout );    do    {        len = sizeof( buf ) - 1;        memset( buf, 0, sizeof( buf ) );        ret = ssl_read( &ssl, buf, len );
开发者ID:nagash91,项目名称:EDC,代码行数:66,



注:本文中的ssl_set_ca_chain函数示例整理自Github/MSDocs等源码及文档管理平台,相关代码片段筛选自各路编程大神贡献的开源项目,源码版权归原作者所有,传播和使用请参考对应项目的License;未经允许,请勿转载。

