OpenSSL openwrt失败套接字绑定

Question

我在Dragino Yun上运行openwrt。我的愿望是在Dragino上运行一个openssl服务器，用于传输一些（不是很多）数据。但是，启动服务器并加载证书后，对BIO_do_accept()的调用返回值< = 0，表示绑定失败。我试图绑定的端口是5354，但我甚至尝试了8081,8080,443。

的错误信息，我从ERR_print_errors_fp得到的是：

1998677064:error:0200407C:lib(2):func(4):reason(124):NA:0:port='5354' 
1998677064:error:20069076:lib(32):func(105):reason(118):NA:0: 

任何人可以解释为什么我的程序无法绑定？我在Ubuntu上测试过 - 这就是为什么我没有发布任何代码 - （我遇到的问题是交叉编译版本），OpenSSL版本为OpenSSL 1.0.1f 6 Jan 2014，在Dragino上，OpenSSL版本为：OpenSSL 1.0.1h 5 Jun 2014。 另外，Dragino版本（从横幅）是Dragino-v2 common-2.0.5

我使用s_server尝试和结果如下：

root@dragino-70decb:~/certificates# openssl s_server -key server.key.pem -cert server.cert.pem -accept 8081 
Enter pass phrase for server.key.pem: 
Using default temp DH parameters 
ACCEPT 

其中，当使用的s_client.First，产生了一些通信，因此，套接字绑定是确定。

那么，什么是问题，我该如何正确工作呢？ 我试着用谷歌搜索错误信息，但无济于事。

另外，我改变了iptables在INPUT，FORWARD和OUTPUT链上有ACCEPT默认策略。

编辑：添加代码。

COMMON.H：

#define PORT "5354" 
#define SERVER "localhost" 
#define CLIENT "localhost" 
#define CIPHER_LIST "ALL:!ADH:!LOW:!EXP:!MD5:@STRENGTH" 

#define SSL_METHOD_ SSLv23_method() 
#define SEED_PRNG_() seed_prng(30) 
#define SSL_CTX_FLAGS_ SSL_OP_NO_SSLv2 | SSL_OP_NO_SSLv3 | SSL_OP_NO_COMPRESSION 
#define DEFAULT_DEPTH_ 4 
#define DATA_SIZE_ 256 


void init_OpenSSL(void) ; 
int seed_prng(int bytes) ; 
int verify_callback(int ok, X509_STORE_CTX *store) ; 

int write_to_SSL(SSL *ssl, const char* msg, int length) ; 
int read_from_SSL(SSL *ssl, char* msg, int length) ; 

common.c中：

#include "common.h" 
void init_OpenSSL(void) 
{ 
    if (!SSL_library_init()) 
    { 
     fprintf(stderr, "** OpenSSL initialization failed!\n"); 
     exit(-1); 
    } 
    //Loads error strings for various SSL functions 
    SSL_load_error_strings(); 
} 

//Not sure if this is good idea 
int seed_prng(int bytes) 
{ 
    //Seeds PRNG (pseudo random number generator) with the contents of the /dev/urandom file 
    if (!RAND_load_file("/dev/urandom", bytes)) 
    { 
     return 0; 
    } 

    return 1; 
} 

int verify_callback(int ok, X509_STORE_CTX *store) 
{ 
    char data[DATA_SIZE_]; 
    if (!ok) 
    { 
     X509 *cert = X509_STORE_CTX_get_current_cert(store); 
     int depth = X509_STORE_CTX_get_error_depth(store); 
     int err = X509_STORE_CTX_get_error(store); 
     fprintf(stderr, "-Error with certificate at depth: %i\n", depth); 
     X509_NAME_oneline(X509_get_issuer_name(cert), data, DATA_SIZE_); 
     fprintf(stderr, " issuer = %s\n", data); 
     X509_NAME_oneline(X509_get_subject_name(cert), data, DATA_SIZE_); 
     fprintf(stderr, " subject = %s\n", data); 
     fprintf(stderr, " err %i:%s\n", err, 
     X509_verify_cert_error_string(err)); 
    } 
    return ok; 
} 


int write_to_SSL(SSL *ssl, const char* msg, int length) 
{ 
    int writtenbytes = 0; 
    int err = 0; 

    while(err >= 0 && writtenbytes < length) 
    { 
     err = SSL_write(ssl, msg + writtenbytes, length - writtenbytes); 
     if(err < 0) 
     { 
      return err; 
     } 
     else 
     { 
      writtenbytes += err; 
     } 
    } 

    return writtenbytes ; 
} 
int read_from_SSL(SSL *ssl, char* msg, int length) 
{ 
    int err = 0, readbytes = 0; 

    while(err > 0 && readbytes < length) 
    { 
     err = SSL_read(ssl, msg + readbytes, length - readbytes); 

     if(err < 0) 
     { 
      return err; 
     } 
     else 
     { 
      readbytes += err ; 
     } 
    } 
    return readbytes; 
} 

server.h：

#include "common.h" 

//If the key and the certificate are in the same file, these two can be the same 
#define CERTFILE "/root/certificates/server.cert.pem" 
#define KEYFILE "/root/certificates/server.key.pem" 

//One of the two values below can be NULL but not both 
#define CAFILE "/root/certificates/ca-chain.cert.pem" 
#define CADIR NULL 

SSL_CTX *ctx = NULL; 
BIO *acc = NULL; 

void cleanup_(void) ; 

//Does the setup of the server (loading SSL libraries, loading certificates, etc) 
SSL_CTX *setup_server_ctx_(void) ; 

//Exchange of data with the clien 
int exchange_data_(SSL *ssl) ; 

//Does the whole communication once the connection is established 
void communicate_(SSL *ssl) ; 

//Waits for clients, establishes the connection and then proceeds to 
//call communicate_() 
void run_server_(void) ; 

server.c：

#include "server.h" 
#include "logger.h" 
#include <sys/time.h> 


SSL_CTX *setup_server_ctx_(void) 
{ 
    SSL_CTX *ctx; 

    init_OpenSSL(); 

    //This is my function, gotta investigate it and see what should be there (maybe I got it right?) 
    SEED_PRNG_(); 

    // This specifies that either SSL or TLS can be used 
    // Later, we will "filter" out SSLv2 
    ctx = SSL_CTX_new(SSL_METHOD_); 

    // NULL return value indicates a failure in creation of SSL_CTX object 
    if(ctx == NULL) 
    { 
     int_error("Setup error: The creation of a new SSL_CTX object failed."); 
    } 
    SSL_CTX_set_options(ctx, SSL_CTX_FLAGS_); 

    // These two functions are used to load trusted CAs 
    if (SSL_CTX_load_verify_locations(ctx, CAFILE, CADIR) != 1) 
    { 
     int_error("Setup error: Error loading CA file and/or directory"); 
    } 
    if (SSL_CTX_set_default_verify_paths(ctx) != 1) 
    { 
     int_error("Setup error: Error loading default CA file and/or directory"); 
    } 

    // This loads a certificate from a file 
    if (SSL_CTX_use_certificate_chain_file(ctx, CERTFILE) != 1) 
    { 
      int_error("Setup error: Error loading certificate from file"); 
    } 
    // This loads a private key (can be the same file as certificate) 
    if (SSL_CTX_use_PrivateKey_file(ctx, KEYFILE, SSL_FILETYPE_PEM) != 1) 
    { 
      int_error("Setup error: Error loading private key from file"); 
    } 
    if (SSL_CTX_set_cipher_list(ctx, CIPHER_LIST) != 1) 
    { 
     int_error("Error setting cipher list (no valid ciphers)"); 
    } 
    // Setting the verify options for ctx context 
    SSL_CTX_set_verify(ctx, SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, verify_callback); 
    // Setting the maximum allowed depth for CA verification 
    SSL_CTX_set_verify_depth(ctx, DEFAULT_DEPTH_); 

    return ctx; 
} 

int exchange_data_(SSL *ssl) 
{ 
    int err; 
    err = write_to_SSL(ssl, "Hello, client!", strlen("Hello, client!")); 

    if (err <= 0) 
    { 
     printf("An unsuccessful write!"); 
    } 
    else 
    { 
     printf("Sent %d bytes.\n", err); 
    } 

    // SSL_get_shutdown(ssl) & SSL_RECEIVED_SHUTDOWN != 0 indicate that the shutdown notification 
    // was sent from the peer (in this case, the client) 
    //close(uart_fd); 
    return (SSL_get_shutdown(ssl) & SSL_RECEIVED_SHUTDOWN) ? 1 : 0; 
} 


void communicate_(SSL *ssl) 
{ 
    long err; 
    struct timeval tval_before, tval_after, tval_result; 
    //accepting connection from ssl object (structure) 

    if (SSL_accept(ssl) <= 0) 
    { 
     int_error("Error accepting SSL connection"); 
    } 
    fprintf(stderr, "SSL Connection opened\n"); 

    if (exchange_data_(ssl)) 
    { 
     SSL_shutdown(ssl); 
    } 
    else 
    { 
     SSL_clear(ssl); 
    } 

    fprintf(stderr, "SSL Connection closed\n"); 
    SSL_free(ssl); 
} 


void run_server_(void) 
{ 
    BIO *client; 
    SSL *ssl; 

    //This call does the setup of the server context (see the function for more info) 
    ctx = setup_server_ctx_(); 

    // Creates BIO and sets the accept port 
    acc = BIO_new_accept(PORT); 
    BIO_set_bind_mode(acc, BIO_BIND_REUSEADDR_IF_UNUSED); 
    if (!acc) 
    { 
     int_error("Error creating server socket"); 
    } 
    //The first call to BIO_do_accept() binds to the given port 
    if (BIO_do_accept(acc) <= 0) 
    { 
     int_error("Error binding server socket"); 
    } 
    for (;;) 
    { 
     //The second BIO_do_accept() call listens on the acc BIO 
     if (BIO_do_accept(acc) <= 0) 
     { 
      int_error("Error accepting connection from client"); 
     } 
     client = BIO_pop(acc); 
     if (!(ssl = SSL_new(ctx))) 
     { 
      int_error("Error creating SSL context"); 
     } 
     SSL_set_bio(ssl, client, client); 
     communicate_(ssl); 
    } 


} 

int main(int argc, char *argv[]) 
{ 
    run_server_(); 
    return 1; 
} 

注意：代码主要来自O'Reilly的书籍“使用OpenSSL的网络安全”。另外，这不是我所有的代码，但它是与OpenSSL相关的整个代码，所以我不认为其他代码相关。 由于复制/粘贴，代码可能存在一些错误。

Answer 1

联系OpenSSL团队后，他们得出结论：OpenSSL调用BIO_do_accept()的问题在致电socket()。奇怪的是，当我编写我自己的简单服务器应用程序时，调用socket()似乎工作正常。所以，他们提出了一种解决方法：我现在使用的是系统调用，而不是使用BIO调用。这降低了代码的可移植性，但对我而言，这并不重要。

的run_server_()函数现在看起来是这样的：

void run_server_(void) 
{ 
    BIO *client; 
    SSL *ssl; 

    int  listenfd, connfd; 
    socklen_t clilen; 
    struct sockaddr_in cliaddr, servaddr; 

    ctx = setup_server_ctx_(); 

    listenfd = socket (AF_INET, SOCK_STREAM, PROTOCOL); 
    if(listenfd < 0) 
    { 
     printf("serv_socket unsuccessful\n"); 
     exit(EXIT_FAILURE); 
    } 
    printf("Created socket!\n"); 
    memset(&servaddr, 0, sizeof(servaddr)); 
    servaddr.sin_family = AF_INET; 
    servaddr.sin_addr.s_addr = htonl (INADDR_ANY); 
    servaddr.sin_port = htons (atoi(PORT)); 

    if(bind(listenfd, (const struct sockaddr *) &servaddr, sizeof(servaddr)) < 0) 
    { 
     printf("bind() error\n"); 
     exit(EXIT_FAILURE); 
    } 
    printf("Binded port/socket!\n"); 

    if(listen(listenfd, LISTENQ) < 0) 
    { 
     printf("listen() error\n"); 
     exit(EXIT_FAILURE); 
    } 
    printf("Listening!\n"); 

    for(;;) 
    { 
     clilen = sizeof(cliaddr); 
     connfd = accept(listenfd, (struct sockaddr *) &cliaddr, &clilen); 
     if(connfd < 0) 
     { 
      printf("accept() error\n"); 
     } 
     printf("Accepted!\n"); 
     client = BIO_new(BIO_s_socket()); 

    if (client == NULL) 
     { 
      printf("error creating BIO\n"); 
    } 
    BIO_set_fd(client, connfd, BIO_NOCLOSE); 
     if (!(ssl = SSL_new(ctx))) 
     { 
      server_error_("Error creating SSL context"); 
     } 
     SSL_set_bio(ssl, client, client); 
     communicate_(ssl); 

     close(connfd); 
    } 
}