search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
certs: add proper const attributes to global variables
[tropicssl.git] / programs / ssl / ssl_client2.c
blob59ace03ad65765cc04b9286fba36ac05cd86fd89
1 /*
2 * SSL client with certificate authentication
3 *
4 * Based on XySSL: Copyright (C) 2006-2008 Christophe Devine
5 *
6 * Copyright (C) 2009 Paul Bakker <polarssl_maintainer at polarssl dot org>
7 *
8 * All rights reserved.
9 *
10 * Redistribution and use in source and binary forms, with or without
11 * modification, are permitted provided that the following conditions
12 * are met:
13 *
14 * * Redistributions of source code must retain the above copyright
15 * notice, this list of conditions and the following disclaimer.
16 * * Redistributions in binary form must reproduce the above copyright
17 * notice, this list of conditions and the following disclaimer in the
18 * documentation and/or other materials provided with the distribution.
19 * * Neither the names of PolarSSL or XySSL nor the names of its contributors
20 * may be used to endorse or promote products derived from this software
21 * without specific prior written permission.
22 *
23 * THIS SOFTWARE IS PROVIDED BY THE COPYRIGHT HOLDERS AND CONTRIBUTORS
24 * "AS IS" AND ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT
25 * LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS
26 * FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE COPYRIGHT
27 * OWNER OR CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
28 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED
29 * TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF USE, DATA, OR
30 * PROFITS; OR BUSINESS INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF
31 * LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING
32 * NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS
33 * SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH DAMAGE.
34 */
35
36 #ifndef _CRT_SECURE_NO_DEPRECATE
37 #define _CRT_SECURE_NO_DEPRECATE 1
38 #endif
39
40 #include <string.h>
41 #include <stdio.h>
42
43 #include "tropicssl/net.h"
44 #include "tropicssl/ssl.h"
45 #include "tropicssl/havege.h"
46 #include "tropicssl/certs.h"
47 #include "tropicssl/x509.h"
48
49 #define SERVER_PORT 443
50 /*
51 #define SERVER_NAME "localhost"
52 #define GET_REQUEST "GET / HTTP/1.0\r\n\r\n"
53 */
54 #define SERVER_NAME "tropicssl.org"
55 #define GET_REQUEST \
56 "GET /hello/ HTTP/1.1\r\n" \
57 "Host: tropicssl.org\r\n\r\n"
58
59 #define DEBUG_LEVEL 0
60
61 static void my_debug(void *ctx, int level, const char *str)
62 {
63 if (level < DEBUG_LEVEL) {
64 fprintf((FILE *) ctx, "%s", str);
65 fflush((FILE *) ctx);
66 }
67 }
68
69 int main(void)
70 {
71 int ret, len, server_fd;
72 unsigned char buf[1024];
73 havege_state hs;
74 ssl_context ssl;
75 ssl_session ssn;
76 x509_cert cacert;
77 x509_cert clicert;
78 rsa_context rsa;
79
80 /*
81 * 0. Initialize the RNG and the session data
82 */
83 havege_init(&hs);
84 memset(&ssn, 0, sizeof(ssl_session));
85
86 /*
87 * 1.1. Load the trusted CA
88 */
89 printf("\n . Loading the CA root certificate ...");
90 fflush(stdout);
91
92 memset(&cacert, 0, sizeof(x509_cert));
93
94 /*
95 * Alternatively, you may load the CA certificates from a .pem or
96 * .crt file by calling x509parse_crtfile( &cacert, "myca.crt" ).
97 */
98 ret = x509parse_crt(&cacert, (const unsigned char *)xyssl_ca_crt,
99 strlen(xyssl_ca_crt));
100 if (ret != 0) {
101 printf(" failed\n ! x509parse_crt returned %d\n\n", ret);
102 goto exit;
103 }
104
105 printf(" ok\n");
106
107 /*
108 * 1.2. Load own certificate and private key
109 *
110 * (can be skipped if client authentication is not required)
111 */
112 printf(" . Loading the client cert. and key...");
113 fflush(stdout);
114
115 memset(&clicert, 0, sizeof(x509_cert));
116
117 ret = x509parse_crt(&clicert, (const unsigned char *)test_cli_crt,
118 strlen(test_cli_crt));
119 if (ret != 0) {
120 printf(" failed\n ! x509parse_crt returned %d\n\n", ret);
121 goto exit;
122 }
123
124 ret = x509parse_key(&rsa, (const unsigned char *)test_cli_key,
125 strlen(test_cli_key), NULL, 0);
126 if (ret != 0) {
127 printf(" failed\n ! x509parse_key returned %d\n\n", ret);
128 goto exit;
129 }
130
131 printf(" ok\n");
132
133 /*
134 * 2. Start the connection
135 */
136 printf(" . Connecting to tcp/%s/%-4d...", SERVER_NAME, SERVER_PORT);
137 fflush(stdout);
138
139 if ((ret = net_connect(&server_fd, SERVER_NAME, SERVER_PORT)) != 0) {
140 printf(" failed\n ! net_connect returned %d\n\n", ret);
141 goto exit;
142 }
143
144 printf(" ok\n");
145
146 /*
147 * 3. Setup stuff
148 */
149 printf(" . Setting up the SSL/TLS structure...");
150 fflush(stdout);
151
152 havege_init(&hs);
153
154 if ((ret = ssl_init(&ssl)) != 0) {
155 printf(" failed\n ! ssl_init returned %d\n\n", ret);
156 goto exit;
157 }
158
159 printf(" ok\n");
160
161 ssl_set_endpoint(&ssl, SSL_IS_CLIENT);
162 ssl_set_authmode(&ssl, SSL_VERIFY_OPTIONAL);
163
164 ssl_set_rng(&ssl, havege_rand, &hs);
165 ssl_set_dbg(&ssl, my_debug, stdout);
166 ssl_set_bio(&ssl, net_recv, &server_fd, net_send, &server_fd);
167
168 ssl_set_ciphers(&ssl, ssl_default_ciphers);
169 ssl_set_session(&ssl, 1, 600, &ssn);
170
171 ssl_set_ca_chain(&ssl, &cacert, SERVER_NAME);
172 ssl_set_own_cert(&ssl, &clicert, &rsa);
173
174 ssl_set_hostname(&ssl, SERVER_NAME);
175
176 /*
177 * 4. Handshake
178 */
179 printf(" . Performing the SSL/TLS handshake...");
180 fflush(stdout);
181
182 while ((ret = ssl_handshake(&ssl)) != 0) {
183 if (ret != TROPICSSL_ERR_NET_TRY_AGAIN) {
184 printf(" failed\n ! ssl_handshake returned %d\n\n",
185 ret);
186 goto exit;
187 }
188 }
189
190 printf(" ok\n [ Cipher is %s ]\n", ssl_get_cipher(&ssl));
191
192 /*
193 * 5. Verify the server certificate
194 */
195 printf(" . Verifying peer X.509 certificate...");
196
197 if ((ret = ssl_get_verify_result(&ssl)) != 0) {
198 printf(" failed\n");
199
200 if ((ret & BADCERT_EXPIRED) != 0)
201 printf(" ! server certificate has expired\n");
202
203 if ((ret & BADCERT_REVOKED) != 0)
204 printf(" ! server certificate has been revoked\n");
205
206 if ((ret & BADCERT_CN_MISMATCH) != 0)
207 printf(" ! CN mismatch (expected CN=%s)\n",
208 SERVER_NAME);
209
210 if ((ret & BADCERT_NOT_TRUSTED) != 0)
211 printf
212 (" ! self-signed or not signed by a trusted CA\n");
213
214 printf("\n");
215 } else
216 printf(" ok\n");
217
218 printf(" . Peer certificate information ...\n");
219 x509parse_cert_info((char *) buf, sizeof( buf ) - 1,
220 " ", ssl.peer_cert);
221 printf("%s", buf);
222
223 /*
224 * 6. Write the GET request
225 */
226 printf(" > Write to server:");
227 fflush(stdout);
228
229 len = sprintf((char *)buf, GET_REQUEST);
230
231 while ((ret = ssl_write(&ssl, buf, len)) <= 0) {
232 if (ret != TROPICSSL_ERR_NET_TRY_AGAIN) {
233 printf(" failed\n ! ssl_write returned %d\n\n", ret);
234 goto exit;
235 }
236 }
237
238 len = ret;
239 printf(" %d bytes written\n\n%s", len, (char *)buf);
240
241 /*
242 * 7. Read the HTTP response
243 */
244 printf(" < Read from server:");
245 fflush(stdout);
246
247 do {
248 len = sizeof(buf) - 1;
249 memset(buf, 0, sizeof(buf));
250 ret = ssl_read(&ssl, buf, len);
251
252 if (ret == TROPICSSL_ERR_NET_TRY_AGAIN)
253 continue;
254
255 if (ret == TROPICSSL_ERR_SSL_PEER_CLOSE_NOTIFY)
256 break;
257
258 if (ret <= 0) {
259 printf("failed\n ! ssl_read returned %d\n\n", ret);
260 break;
261 }
262
263 len = ret;
264 printf(" %d bytes read\n\n%s", len, (char *)buf);
265 }
266 while (0);
267
268 ssl_close_notify(&ssl);
269
270 exit:
271
272 net_close(server_fd);
273 x509_free(&clicert);
274 x509_free(&cacert);
275 rsa_free(&rsa);
276 ssl_free(&ssl);
277
278 memset(&ssl, 0, sizeof(ssl));
279
280 #ifdef WIN32
281 printf(" + Press Enter to exit this program.\n");
282 fflush(stdout);
283 getchar();
284 #endif
285
286 return (ret);
287 }
fork of last BSD polarssl