我用mbedtls做了一个epoll HTTPS服务器。它监听两个端口:一个用于HTTP,另一个用于HTTPS。HTTP端口工作得很好。但是对于HTTPS,当没有数据可供mbedtls_ssl_read()读取时,我似乎会收到EPOLLIN通知。
可能数据是可用的,但问题出在SSL上下文上,因为mbedtls_ssl_read()返回MBEDTLS_ERR_NET_INVALID_CONTEXT。但我看不出问题出在哪里。我已经正确地初始化了上下文,甚至与它进行了TLS握手。
下面是代码的重要部分:请注意,我知道这段代码在很多情况下会失败。我只是做了一个例子来重现错误。这段代码只是描述了当我接受我的单一客户端时发生的一切,然后,在接收EPOLLIN后,尝试从它读取数据。
#define REQUEST_SIZE 8192struct HTTP_server{mbedtls_net_context https_context;mbedtls_entropy_context entropy;mbedtls_ctr_drbg_context ctr_drbg;mbedtls_ssl_config conf;mbedtls_x509_crt srvcert;mbedtls_pk_context pkey;const char *pers;};typedef struct client_data{char *request;proto_t protocol;union{int client_fd;mbedtls_net_context https_context;};mbedtls_ssl_context ssl;} client_data_t;struct HTTP_server server;server->pers = "ssl_server";mbedtls_net_init(&server->https_context);mbedtls_ssl_config_init(&server->conf);mbedtls_x509_crt_init(&server->srvcert);mbedtls_pk_init(&server->pkey);mbedtls_entropy_init(&server->entropy);mbedtls_ctr_drbg_init(&server->ctr_drbg);if (mbedtls_ctr_drbg_seed(&server->ctr_drbg, mbedtls_entropy_func, &server->entropy,(const unsigned char *) server->pers, strlen(server->pers)) != 0) {return 0;}if (mbedtls_x509_crt_parse_file(&server->srvcert, "server.crt") != 0){return 0;}if (mbedtls_pk_parse_keyfile(&server->pkey, "server.key", "pass_phrase", mbedtls_ctr_drbg_random, &server->ctr_drbg) != 0){return 0;}if (mbedtls_net_bind(&server->https_context, NULL, "8000", MBEDTLS_NET_PROTO_TCP) != 0){return 0;}mbedtls_net_set_nonblock(&server->https_context);if (mbedtls_ssl_config_defaults(&server->conf, MBEDTLS_SSL_IS_SERVER, MBEDTLS_SSL_TRANSPORT_STREAM,MBEDTLS_SSL_PRESET_DEFAULT) != 0){return 0;}mbedtls_ssl_conf_rng(&server->conf, mbedtls_ctr_drbg_random, &server->ctr_drbg);if (mbedtls_ssl_conf_own_cert(&server->conf, &server->srvcert, &server->pkey) != 0){return 0;}int epoll_fd = epoll_create1(0);if (epoll_fd == -1){return;}event.data.fd = server->https_context.fd;event.events = EPOLLIN;if (epoll_ctl(epoll_fd, EPOLL_CTL_ADD, server->https_context.fd, &event) == -1){goto epoll_close;}while (1){int nevents = epoll_wait(epoll_fd, events, 128, -1);if (nevents == -1){goto epoll_close;}else if (errno == EINTR){goto epoll_close;}for (int i = 0; i < nevents; ++i){if ((events[i].events & (EPOLLERR | EPOLLHUP))){continue;}else if (events[i].data.fd == server->https_context.fd){client_data_t client_status = malloc(sizeof(client_data_t));mbedtls_net_context client_socket;mbedtls_net_accept(&server->https_context, &client_socket, NULL, 0, NULL);client_status->https_context = client_socket;mbedtls_ssl_init(&client_status->ssl);if (mbedtls_ssl_setup(&client_status->ssl, &server->conf) != 0){return 0;}mbedtls_ssl_set_bio(&client_status->ssl, &client_socket, mbedtls_net_send, mbedtls_net_recv, NULL);int ret;while (!program_interrupted && ((ret = mbedtls_ssl_handshake(&client_status->ssl)) != 0)){if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE){mbedtls_printf(" failed\n ! mbedtls_ssl_handshake returned %d\n\n", ret);return 0;}}client_status->request = malloc(REQUEST_SIZE + 1);event.data.fd = client_socket.fd;event.data.ptr = client_status;event.events = EPOLLIN | EPOLLET;if (epoll_ctl(epoll_fd, EPOLL_CTL_ADD, client_socket.fd, &event) == -1){continue;}}else{client_data_t *client_status = events[i].data.ptr;// Every function call until this was successful, I checked, here nbytes == -69 or nbytes == -76// mbedtls_ssl_get_bytes_avail(&client_status->ssl) gives 0ssize_t nbytes = mbedtls_ssl_read(&client_status->ssl, (unsigned char *)(client_status->request), REQUEST_SIZE);// other stuff}}}epoll_close:close(epoll_fd);
字符串
mbedtls调试错误消息如下所示:
ssl_msg.c:5662: => readssl_msg.c:4110: => read recordssl_msg.c:2155: => fetch inputssl_msg.c:2295: in_left: 0, nb_want: 5ssl_msg.c:2315: in_left: 0, nb_want: 5ssl_msg.c:2318: ssl->f_recv(_timeout)() returned -69 (-0x0045)ssl_msg.c:4782: mbedtls_ssl_fetch_input() returned -69 (-0x0045)ssl_msg.c:4141: ssl_get_next_record() returned -69 (-0x0045)ssl_msg.c:5722: mbedtls_ssl_read_record() returned -69 (-0x0045)
型
编辑:注意,我在从浏览器发送请求后得到EPOLLIN,并且我在边缘触发模式下使用epoll(),所以我使用mbedtls_ssl_read()直到套接字每次都会阻塞,也就是说,直到我得到MBEDTLS_ERR_SSL_WANT_READ。
我是这样读这封信的:
while (1){nbytes = mbedtls_ssl_read(&client_status->ssl, (unsigned char *)(request + client_status->request_bytes_read), server_properties->max_request - client_status->request_bytes_read);if (nbytes < 0){if (errno == EAGAIN || errno == EWOULDBLOCK || nbytes == MBEDTLS_ERR_SSL_WANT_READ){// no application data to read, wait for another epoll_wait() notificationbreak;}else{// print errorbreak;}// I also tried to replace the code above with this, but mbedtls_ssl_read() returns -69, which doesn't compare equal to MBEDTLS_ERR_SSL_WANT_READ and so there must be some sort of error// In case there is control data pending, but no application data, so that epoll_wait() wouldn't hang/* if (nbytes == MBEDTLS_ERR_SSL_WANT_READ){continue;}else if (errno == EAGAIN || errno == EWOULDBLOCK){*blocked = 1;break;}else{ERROR_LOG("read() failed");break;} */}else if (nbytes == 0){break;}else{client_status->request_bytes_read += nbytes;client_status->request[client_status->request_bytes_read] = '\0';char *CRLF = strstr(client_status->request + client_status->request_bytes_read - nbytes, "\r\n\r\n");if (CRLF){// parse the headers, get Content-Length and move to reading body// body is read in a similar mannerbreak;}}}
型
2条答案
按热度按时间omhiaaxx1#
TLS在TCP之上添加了一个层,它有自己的记录帧,也有没有应用程序有效负载的记录(握手,会话票证)。
mbedtls_ssl_read将只在接收到包含应用程序数据的完整记录后返回数据,因为只有这样数据才能被解密。EPOLL仅在TCP套接字级别工作。这意味着只要套接字上的内容可以读取,它就会发出活动信号,无论这是部分TLS记录还是完整的TLS记录,无论这些是应用程序数据还是只是控制信息。
这意味着你不能确定你可以
mbedtls_ssl_read每当EPOLL返回套接字可读.甚至,你可能能够mbedtls_ssl_read即使EPOLL没有说套接字可读,因为最后一个套接字读取了多个TLS记录与应用程序数据.不确定Mbed-TLS,但是使用OpenSSL时,SSL_read只包含来自单个TLS记录的数据,需要使用SSL_pending检查是否有更多数据可用。Mbed-TLS具有类似的功能mbedtls_ssl_check_pending。ergxz8rk2#
问题是
mbedtls_ssl_set_bio(&client_status->ssl, &client_socket, mbedtls_net_send, mbedtls_net_recv, NULL);中的client_socket超出了作用域,在此之后,read/write函数中的后续BIO回调无法使用该共享上下文。应该是
mbedtls_ssl_set_bio(&client_status->ssl, &client_status->https_context, mbedtls_net_send, mbedtls_net_recv, NULL);