4

我正在尝试使用 TLS 1.2 和 Apple 的安全传输 API 将 iOS 客户端连接到 OS X 服务器。我让 BSD 套接字通信正常工作,但在用 TLS 包裹它时遇到了很多麻烦。据我从 Wireshark 的输出中可以看出,SSL 握手甚至还没有真正开始,所以我可能在一侧或另一侧错误地设置了 SSL,但我不确定我可能做错了什么.

服务器端:

void establish_connection(int sockfd) {
  SSLContexRef sslContext = SSLCreateContext(kCFAllocatorDefault, kSSLServerSide, kSSLStreamType);
  SSLSetIOFuncs(sslContext, readFromSocket, writeToSocket);
  SSLSetConnection(sslContext, (SSLConnectionRef)(long)sockfd);
  SSLSetProtocolVersionMin(sslContext, kTLSProtocol12);

  // Get self-signed certificate from p12 data
  CFDataRef cert_data = CFDataCreate(kCFAllocatorDefault, cert_p12, cert_p12_len);
  CFArrayRef items = NULL;
  const void *options_keys[] = { kSecImportExportPassphrase };
  const void *options_values[] = { CFSTR("password") };
  CFDictionaryRef options = CFDictionaryCreate(kCFAllocatorDefault, options_keys, options_values, 1, &kCFTypeDictionaryKeyCallBacks, &kCFTypeDictionaryValueCallBacks);
  SecPKCS12Import(cert_data, options, &items);
  CFRelease(options);
  CFDictionaryRef item = CFArrayGetValueAtIndex(items, 0);
  SecIdentityRef identity = (SecIdentityRef)CFDictionaryGetValue(item, kSecImportItemIdentity);
  CFArrayRef certs = CFArrayCreate(kCFAllocatorDefault, (const void **)&identity, 1, NULL);
  SSLSetCertificate(sslContext, certs);

  // Fails with errSSLProtocol
  SSLHandshake(sslContext);
  ...
}

客户端:

void establish_connection(int server_sockfd) {
  SSLContextRef sslContext = SSLCreateContext(kCFAllocatorDefault, kSSLClientSide, kSSLStreamType);
  SSLSetIOFuncs(sslContext, readFromSocket, writeToSocket);
  SSLSetConnection(sslContext, (SSLConnectionRef)server_sockfd);
  SSLSetProtocolVersionMin(sslContext, kTLSProtocol12);

  // Fails with errSSLProtocol
  SSLHandshake(sslContext);
  ...
}

Wireshark 尝试握手的转储:

Source Destination Protocol Length Info
client server      TCP      78     50743 > 49754 [SYN] Seq=0 Win=65535 Len=0 MSS=1460 WS=16 TSval=365690143 TSecr=0 SACK_PERM=1
server client      TCP      78     49754 > 50743 [SYN, ACK] Seq=0 Ack=1 Win=65535 Len=0 MSS=1460 WS=16 TSval=666304222 TSecr=365690143 SACK_PERM=1
client server      TCP      66     50743 > 49754 [ACK] Seq=1 Ack=1 Win=131760 Len=0 TSval=365690468 TSecr=666304222
server client      TCP      66     [TCP Window Update] 49754 > 50743 [ACK] Seq=1 Ack=1 Win=131760 Len=0 TSval=666304252 TSecr=365690468
server client      TCP      66     49754 > 50743 [FIN, ACK] Seq=1 Ack=1 Win=131760 Len=0 TSval=666304281 TSecr=365690468
client server      TCP      66     50743 > 49754 [ACK] Seq=1 Ack=2 Win=131760 Len=0 TSval=365690498 TSecr=666304281
server client      TCP      66     [TCP Dup ACK 9099#1] 49754 > 50743 [ACK] Seq=2 Ack=1 Win=131760 Len=0 TSval=666304283 TSecr=365690498

使用 Wireshark 尝试诊断问题,我什至没有看到任何 SSL 握手消息。我看到 TCP 连接已建立,然后立即关闭,没有长度大于 0 的数据包。我做错了什么?

4

1 回答 1

4

It looks like the problem was that I had my IO functions implemented incorrectly. I'm pasting in socket IO functions that seem to work, but the requirements for the IO functions are not that well documented so I may be missing something.

OSStatus readFromSocket(SSLConnectionRef connection, void *data, size_t *dataLength) {
  int sockfd = (int)connection;
  size_t bytesRequested = *dataLength;
  ssize_t status = read(sockfd, data, bytesRequested);
  if (status > 0) {
    *dataLength = status;
    if (bytesRequested > *dataLength)
      return errSSLWouldBlock;
    else
      return noErr;
  } else if (0 == status) {
    *dataLength = 0;
    return errSSLClosedGraceful;
  } else {
    *dataLength = 0;
    switch (errno) {
      case ENOENT:
        return errSSLClosedGraceful;
      case EAGAIN:
        return errSSLWouldBlock;
      case ECONNRESET:
        return errSSLClosedAbort;
      default:
        return errSecIO;
    }
    return noErr;
  }
}

OSStatus writeToSocket(SSLConnectionRef connection, const void *data, size_t *dataLength) {
  int sockfd = (int)connection;
  size_t bytesToWrite = *dataLength;
  ssize_t status = write(sockfd, data, bytesToWrite);
  if (status > 0) {
    *dataLength = status;
    if (bytesToWrite > *dataLength)
      return errSSLWouldBlock;
    else
      return noErr;
  } else if (0 == status) {
    *dataLength = 0;
    return errSSLClosedGraceful;
  } else {
    *dataLength = 0;
    if (EAGAIN == errno) {
      return errSSLWouldBlock;
    } else {
      return errSecIO;
    }
  }
}
于 2014-05-12T14:03:27.680 回答