c - OpenSSL custom extension callback functions

Tags c ssl openssl network-programming tls1.2

I am creating a custom extension using the OpenSSL custom extension API.

The functions SSL_CTX_add_client_custom_ext and SSL_CTX_custom_ext return 1, i.e. success, but the problem is that there are certain callback functions that get called to operate on the data we need to add or parse. I added some debug statements to find out whether they are being called, and I think they are not.

static int old_add_cb(SSL *s, unsigned int ext_type, const unsigned char **out,
                      size_t *outlen, int *al, void *add_arg) {
    /* No payload is set here (*out and *outlen are left untouched). */
    printf("called!!\n");
    return 1;
}

static void old_free_cb(SSL *s, unsigned int ext_type, const unsigned char *out,
                        void *add_arg) {
    printf("called!!\n");
    OPENSSL_free((unsigned char *)out);
}

static int old_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in,
                        size_t inlen, int *al, void *parse_arg) {
    printf("called!!\n");
    return 1;
}

The SSL_CTX-related code is:

#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <openssl/ssl.h>
#include <openssl/err.h>

/* Helpers defined elsewhere in the asker's program (not shown in the question). */
SSL_CTX *InitCTX(void);
int OpenConnection(const char *hostname, int port);
void ShowCerts(SSL *ssl);

int main(int count, char *strings[]) {
   SSL_CTX *ctx;
   int server;
   SSL *ssl;
   char buf[1024];
   int bytes;
   char *hostname, *portnum;

   if ( count != 3 ) {
       printf("usage: %s <hostname> <portnum>\n", strings[0]);
       exit(0);
   }

   SSL_library_init();

   hostname = strings[1];
   portnum = strings[2];

   ctx = InitCTX();
   /* Note: SSL_CTX_add_custom_ext takes the *_ex callback types, which carry an
      extra "context" argument; old_add_cb/old_free_cb/old_parse_cb above have the
      older signatures that SSL_CTX_add_client_custom_ext expects. */
   int result = SSL_CTX_add_custom_ext(ctx, 1000, SSL_EXT_CLIENT_HELLO,
                                       old_add_cb, old_free_cb, NULL,
                                       old_parse_cb, NULL);
   printf("Extension Register %d\n", result);

   server = OpenConnection(hostname, atoi(portnum));
   ssl = SSL_new(ctx);          /* create new SSL connection state */
   SSL_set_fd(ssl, server);     /* attach the socket descriptor */

   if ( SSL_connect(ssl) <= 0 )   /* perform the connection; <= 0 means failure */
       ERR_print_errors_fp(stderr);
   else {
       char *msg = "Hello???";

       printf("Connected with %s encryption\n", SSL_get_cipher(ssl));
       ShowCerts(ssl);                      /* get any certs */
       SSL_write(ssl, msg, strlen(msg));    /* encrypt & send message */
       bytes = SSL_read(ssl, buf, sizeof(buf) - 1); /* get reply & decrypt */
       if (bytes < 0)
           bytes = 0;                       /* SSL_read failed: nothing to print */
       buf[bytes] = 0;
       printf("Received: \"%s\"\n", buf);
       SSL_free(ssl);                       /* release connection state */
   }
   close(server);        /* close socket */
   SSL_CTX_free(ctx);    /* release context */
   return 0;
}

The 'SSL_CTX_add_custom_ext' function returns 1, but the print statements in the callback functions are not executed.

Best answer

From the OpenSSL doc about SSL_extension_supported we can see the following statement:

For the ServerHello and EncryptedExtension messages every registered add_cb is called once if and only if the requirements of the specified context are met and the corresponding extension was received in the ClientHello. That is, if no corresponding extension was received in the ClientHello then add_cb will not be called.

What I mean is that the callbacks from both sides (here client and server) will only be executed if the server validates and accepts the ClientHello containing the extension. So you should add the extension (here the callbacks) to the server in the same way as the client to make sure the callbacks are executed. Here is my example:

static int ext_add_cb(SSL *s, unsigned int ext_type,
                      const unsigned char **out,
                      size_t *outlen, int *al, void *add_arg)
{
    switch (ext_type) {
        case 65280:
            printf("ext_add_cb from client called!\n");
            break;

        default:
            break;
    }
    return 1;   /* no payload set: an empty extension is sent */
}

static void ext_free_cb(SSL *s, unsigned int ext_type,
                        const unsigned char *out, void *add_arg)
{
    /* Nothing was allocated in ext_add_cb, so there is nothing to free. */
    printf("ext_free_cb from client called\n");
}

static int ext_parse_cb(SSL *s, unsigned int ext_type,
                        const unsigned char *in,
                        size_t inlen, int *al, void *parse_arg)
{
    printf("ext_parse_cb from client called!\n");
    return 1;
}

The server is similar to the client. Then add the registration in main:

    int result = SSL_CTX_add_client_custom_ext(ctx, 65280, ext_add_cb, ext_free_cb, NULL, ext_parse_cb, NULL);

Running the server and then the client, I get this output:

# server:
ext_parse_cb from server called!
ext_add_cb from server called!
ext_free_cb from server called!


# client:
ext_add_cb from client called!
ext_free_cb from client called
ext_parse_cb from client called!

Regarding c - OpenSSL custom extension callback functions, we found a similar question on Stack Overflow: https://stackoverflow.com/questions/53742269/
