如何基于标准mbed tls开发实现一个支持cipher suite name:TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256的mbed tls抽象层的设计?并给出示例代码
时间: 2024-02-01 21:03:13 浏览: 196
SSL_TOOL.rar-证书生成和签发工具
以下是基于mbed TLS的示例代码,实现了支持TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256的cipher suite name:
```c
#include "mbedtls/config.h"
#include "mbedtls/ssl.h"
#include "mbedtls/entropy.h"
#include "mbedtls/ctr_drbg.h"
#include "mbedtls/error.h"
#include "mbedtls/net.h"
int main(void)
{
mbedtls_entropy_context entropy;
mbedtls_ctr_drbg_context ctr_drbg;
mbedtls_ssl_context ssl;
mbedtls_ssl_config conf;
mbedtls_x509_crt cacert;
mbedtls_x509_crt clicert;
mbedtls_pk_context pkey;
const char *pers = "mbedtls_ssl_client";
mbedtls_entropy_init(&entropy);
mbedtls_ctr_drbg_init(&ctr_drbg);
mbedtls_ssl_init(&ssl);
mbedtls_ssl_config_init(&conf);
mbedtls_x509_crt_init(&cacert);
mbedtls_x509_crt_init(&clicert);
mbedtls_pk_init(&pkey);
int ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy, (const unsigned char *)pers, strlen(pers));
if (ret != 0) {
mbedtls_printf("mbedtls_ctr_drbg_seed returned %d\n", ret);
goto exit;
}
ret = mbedtls_x509_crt_parse_file(&cacert, "ca.crt");
if (ret != 0) {
mbedtls_printf("mbedtls_x509_crt_parse_file returned %d\n", ret);
goto exit;
}
ret = mbedtls_x509_crt_parse_file(&clicert, "client.crt");
if (ret != 0) {
mbedtls_printf("mbedtls_x509_crt_parse_file returned %d\n", ret);
goto exit;
}
ret = mbedtls_pk_parse_keyfile(&pkey, "client.key", NULL);
if (ret != 0) {
mbedtls_printf("mbedtls_pk_parse_keyfile returned %d\n", ret);
goto exit;
}
ret = mbedtls_ssl_config_defaults(&conf, MBEDTLS_SSL_IS_CLIENT, MBEDTLS_SSL_TRANSPORT_STREAM, MBEDTLS_SSL_PRESET_DEFAULT);
if (ret != 0) {
mbedtls_printf("mbedtls_ssl_config_defaults returned %d\n", ret);
goto exit;
}
mbedtls_ssl_conf_cipher_suites(&conf, MBEDTLS_TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256, NULL);
mbedtls_ssl_conf_ca_chain(&conf, &cacert, NULL);
mbedtls_ssl_conf_own_cert(&conf, &clicert, &pkey);
mbedtls_ssl_conf_rng(&conf, mbedtls_ctr_drbg_random, &ctr_drbg);
ret = mbedtls_ssl_setup(&ssl, &conf);
if (ret != 0) {
mbedtls_printf("mbedtls_ssl_setup returned %d\n", ret);
goto exit;
}
mbedtls_net_context server_fd;
mbedtls_net_init(&server_fd);
ret = mbedtls_net_connect(&server_fd, "localhost", "4433", MBEDTLS_NET_PROTO_TCP);
if (ret != 0) {
mbedtls_printf("mbedtls_net_connect returned %d\n", ret);
goto exit;
}
mbedtls_ssl_set_bio(&ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL);
ret = mbedtls_ssl_handshake(&ssl);
if (ret != 0) {
mbedtls_printf("mbedtls_ssl_handshake returned %d\n", ret);
goto exit;
}
mbedtls_ssl_close_notify(&ssl);
exit:
mbedtls_x509_crt_free(&cacert);
mbedtls_x509_crt_free(&clicert);
mbedtls_pk_free(&pkey);
mbedtls_ssl_free(&ssl);
mbedtls_ssl_config_free(&conf);
mbedtls_ctr_drbg_free(&ctr_drbg);
mbedtls_entropy_free(&entropy);
mbedtls_net_free(&server_fd);
return ret;
}
```
在这个示例代码中,我们使用了`mbedtls_ssl_conf_cipher_suites`函数来指定了使用TLS_ECDHE_RSA_WITH_AES_128_GCM_SHA256这个cipher suite name。同时,我们还需要使用相应的证书和密钥来进行TLS连接。在示例代码中,我们假设ca.crt、client.crt和client.key文件都已经准备好了,可以通过`mbedtls_x509_crt_parse_file`和`mbedtls_pk_parse_keyfile`函数来解析这些文件。
值得注意的是,在实际使用过程中,我们需要根据具体的需求和场景来选择合适的cipher suite name,并且需要保证相应的证书和密钥的安全性。此外,我们还需要注意使用mbed TLS时的安全最佳实践,例如启用合适的加密套件、密钥长度和证书验证等。
阅读全文