SSL Client HTTP Connection example getting information and verifying certificates. These are just some SSL notes. More...

#include <time.h>
#include <unistd.h>
#include <stdio.h>
#include <string.h>
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netdb.h>
#include <stdlib.h>
#include <errno.h>
#include <openssl/rand.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
#include <sys/select.h>
#include <sys/time.h>

Classes
struct	Sslc

Macros
#define	CAPATH "/etc/ssl/certs"

#define	BUFFERSIZE 16384

#define	STRBUFFERSIZE 256

#define	USERAGENT "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0"

#define	CRLF "\r\n"

Functions
int	ASN1_TIME_to_time_t (ASN1_TIME time, time_t tmt)

char *	join (char buffer, const char origin, size_t *from, size_t size)

long int	check_certificate_validity (X509 *certificate)

int	TCP_Connection (Sslc h, char server, int port)

int	TCP_select (Sslc *h, double timeout)

int	SSL_Connection (Sslc *h)

int	SSL_send (Sslc h, char msg)

int	SSL_recv (Sslc h, char *data)

void	SSL_print_info (Sslc *h)

void	SSL_print_certificate_info (X509 *cert)

char *	SSL_cipher_description (SSL_CIPHER *cipher)

char *	time_t_to_str (char buffer, size_t bufsize, const char format, time_t *tim)

void	print_time (ASN1_TIME asn1time, char pre_string, char *dateformat)

void	print_usage (char *executable)

void	panic (char *msg)

int	main (int argc, char *argv[])

Detailed Description

SSL Client HTTP Connection example getting information and verifying certificates. These are just some SSL notes.

Author: Gaspar Fernández blake.nosp@m.yed@.nosp@m.totak.nosp@m.i.co.nosp@m.m

Version

Date: 17 abr 2015

To compile: $ gcc -o myssl myssl.c -lcrypto -lssl

Definition in file myssl.c.

Macro Definition Documentation

#define BUFFERSIZE 16384

16Kb SSL_read block size

Definition at line 36 of file myssl.c.

Referenced by SSL_recv().

#define CAPATH "/etc/ssl/certs"

Where to look for the Certificate Authorities

Definition at line 34 of file myssl.c.

Referenced by check_certificate_validity(), and SSL_Connection().

#define CRLF "\r\n"

CRLF

Definition at line 42 of file myssl.c.

#define STRBUFFERSIZE 256

For temporary strings

Definition at line 38 of file myssl.c.

Referenced by print_time(), SSL_cipher_description(), and SSL_print_certificate_info().

#define USERAGENT "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:37.0) Gecko/20100101 Firefox/37.0"

User agent string

Definition at line 40 of file myssl.c.

Function Documentation

int ASN1_TIME_to_time_t	(	ASN1_TIME *	time,
		time_t *	tmt
	)

Transforms ASN1 time sring to time_t (except milliseconds and time zone) Ideas from: http://stackoverflow.com/questions/10975542/asn1-time-conversion

Parameters

time	SSL ASN1_TIME pointer
tmt	time_t pointer to write to

Returns: int 0 if OK, <0 if anything goes wrong

Definition at line 279 of file myssl.c.

References join().

Referenced by print_time().

 {
   const char* data = (char*)time->data;
   size_t p = 0;
   char buf[5];
   struct tm t;
 
   memset(&t, 0, sizeof(t));
   size_t datalen = strlen(data);
 
   if (time->type == V_ASN1_UTCTIME) {/* two digit year */
     /* error checking YYMMDDHH at least */
     if (datalen<8)
       return -1;
     t.tm_year = atoi (join(buf, data, &p, 2));
     if (t.tm_year<70)
       t.tm_year += 100;
     datalen = strlen(data+2);
   } else if (time->type == V_ASN1_GENERALIZEDTIME) {/* four digit year */
     /* error checking YYYYMMDDHH at least*/
     if (datalen<10)
       return -1;
 
     t.tm_year = atoi (join(buf, data, &p, 4));
     t.tm_year -= 1900;
     datalen = strlen(data+4);
   }
 
   /* the year is out of datalen. Now datalen is fixed */
 
   t.tm_mon = atoi (join(buf, data, &p, 2))-1; /* January is 0 for time_t */
   t.tm_mday= atoi (join(buf, data, &p, 2));
   t.tm_hour= atoi (join(buf, data, &p, 2));
 
   if (datalen<8)
     return !(*tmt = mktime(&t));
   t.tm_min = atoi (join(buf, data, &p, 2));
 
   if (datalen<10)
     return !(*tmt = mktime(&t));
   t.tm_sec = atoi (join(buf, data, &p, 2));
 
   /* Ignore millisecnds and time zone */
   return !(*tmt = mktime(&t));
 }

long int check_certificate_validity ( X509 * certificate )

Check certificate validity

Parameters

certificate Certificate to check

Returns: error code (0 is OK. See x509_vfy.h for constants (X509_V_ERR_UNABLE_*). You can also use X509_verify_cert_error_string(long int) to see the error string

Definition at line 325 of file myssl.c.

References CAPATH.

Referenced by SSL_print_certificate_info().

 {
   int status;
   X509_STORE_CTX *ctx;
   ctx = X509_STORE_CTX_new();
   X509_STORE *store = X509_STORE_new();
   X509_STORE_load_locations(store, NULL, CAPATH);
   X509_STORE_add_cert(store, certificate);
 
   X509_STORE_CTX_init(ctx, store, certificate, NULL);
 
   status = X509_verify_cert(ctx);
 
   return ctx->error;
 }

char * join	(	char *	buffer,
		const char *	origin,
		size_t *	from,
		size_t	size
	)

Extract a substring from origin into buffer, updating starting value to call in chain. Used by ASN1_TIME_to_time_t to extract substrings easyly

Parameters

buffer	Where to write to
origin	Original string
from	Where to start from. Updated to the last position after end.
size	Characters to extract.

Returns: char* reference to buffer

Definition at line 268 of file myssl.c.

Referenced by ASN1_TIME_to_time_t().

 {
   size_t i=0;
   while (i<size)
     {
       buffer[i++] = origin[(*from)++];
     }
   buffer[i] = '\0';
   return buffer;
 }

void panic ( char * msg )

Prints a tragic error and exit

Parameters

msg	Error text

Returns: void

Definition at line 586 of file myssl.c.

 {
   fprintf (stderr, "Error: %s (errno %d, %s)\n", msg, errno, strerror(errno));
   /* Print SSL errors */
   ERR_print_errors_fp(stderr);
   exit(2);
 }

void print_time	(	ASN1_TIME *	asn1time,
		char *	pre_string,
		char *	dateformat
	)

Prints ASN1_TIME on screen

Parameters

asn1time	Time to write
pre_string	String to write before the date
dateformat	Date format (

See Also: strftime())

Returns: void

Definition at line 557 of file myssl.c.

References ASN1_TIME_to_time_t(), STRBUFFERSIZE, and time_t_to_str().

Referenced by SSL_print_certificate_info().

 {
   time_t tim;
   char buffer[STRBUFFERSIZE];
 
   if (ASN1_TIME_to_time_t(asn1time, &tim)==0)
     printf ("%s: %s\n", pre_string, time_t_to_str(buffer, STRBUFFERSIZE, dateformat, &tim));
   else
     printf ("%s: (error)\n", pre_string);
 }

void print_usage ( char * executable )

Prints program usage

Parameters

executable Program executable (argv[0])

Returns: void

Definition at line 578 of file myssl.c.

 {
   fprintf(stderr, "You must specify a web server to connect through HTTPS and additionally a port:\n");
   fprintf(stderr, "  %s server [port]\n", executable);
   fprintf(stderr, "------------\n\n");
   exit(-1);
 }

char * SSL_cipher_description ( SSL_CIPHER * cipher )

Gets cipher description in a string Please free the resulting string, don't do it like me ;)

Parameters

cipher Cipher

Returns: String with the description

Definition at line 568 of file myssl.c.

References STRBUFFERSIZE.

Referenced by SSL_print_info().

 {
   char *tmp = malloc(sizeof(char)*STRBUFFERSIZE);
   tmp[0] = '\0';
   if (cipher)
     SSL_CIPHER_description(cipher, tmp, STRBUFFERSIZE);
 
   return tmp;
 }

int SSL_Connection ( Sslc * h )

SSL initialization and handshake

Parameters

h	Our structure.

Returns: (0 if OK, else fail)

Definition at line 373 of file myssl.c.

References CAPATH, Sslc::ctx, Sslc::skt, and Sslc::ssl.

 {
   SSL_library_init();       /* not reentrant! */
   SSL_load_error_strings();
 
   /* try SSL methods (TLSv1.2 ... SSLv3 and SSLv2 (caution! SSLv2 and SSLv3 are deprecated!) */
   /* you could use TLSv1_client_method(), TLSv1_2_client_method()... */
   h->ctx = SSL_CTX_new(SSLv23_client_method());
   if (h->ctx == NULL)
     return -3;          /* Context not created */
 
   /* SSL will fail if cerificate can't be validated */
   /* h->ctx->verify_mode = 1; */
 
   h->ssl = SSL_new (h->ctx);
   if (h->ssl == NULL)
     return -4;          /* SSL struct not created */
 
   if (SSL_set_fd(h->ssl, h->skt) == 0)
     return -5;          /* Couldn't bind SSL with our connection */
 
   if (SSL_CTX_load_verify_locations(h->ctx, NULL, CAPATH) == 0)
     return -6;          /* Couldn't load verify locations */
 
   /* Verify depth. How many certs from the chain to verify */
   /* -1 to verify all certificates. */
   printf ("VDepth: %d\n", SSL_get_verify_depth(h->ssl));
 
   if (SSL_connect (h->ssl) < 1)
     return -7;          /* Couldn't finish SSL handshake */
 
   /* Get certificate information */
   return 0;
 }

void SSL_print_certificate_info ( X509 * cert )

Prints out certificate information. Run throught the entries, print the not before and not after information and verify the certificate.

Parameters

cert	The certificate to check

Returns: void

Definition at line 516 of file myssl.c.

References check_certificate_validity(), print_time(), and STRBUFFERSIZE.

Referenced by SSL_print_info().

 {
   X509_NAME *certname;
   X509_NAME_ENTRY* entry;
   char *s;
   char buffer[STRBUFFERSIZE];
   int i;
 
   certname = X509_get_subject_name(cert);
   for (i=0; i< X509_NAME_entry_count(certname); i++)
     {
       entry = X509_NAME_get_entry(certname, i);
       if (entry == NULL)    /* error test. May exit the loop */
     continue;
 
       /* extracted from X509_NAME_print_ex() */
       int n = OBJ_obj2nid(entry->object);
       if ((n == NID_undef) || ((s = (char*)OBJ_nid2sn(n)) == NULL)) 
     {
       i2t_ASN1_OBJECT(buffer, sizeof(buffer), entry->object);
       s = buffer;
     }
       printf ("%s = %s\n", s, entry->value->data);
       /* We must NOT free entries (they are internal pointers) */
     }
   print_time(X509_get_notBefore(cert), "Not Before", "%d/%m/%Y %H:%M:%S");
   print_time(X509_get_notAfter(cert),  "Not After", "%d/%m/%Y %H:%M:%S");
   printf ("Valid certificate?: %s\n", X509_verify_cert_error_string(check_certificate_validity(cert)));
 
   /* We must NOT free X509_get_subject_name() objects */
   /* X509_NAME_free(certname); */
 }

void SSL_print_info ( Sslc * h )

Prints out SSL information: SSL Version, cipher used and certificate information.

Parameters

h	Our structure.

Returns: void

Definition at line 469 of file myssl.c.

References Sslc::ssl, SSL_cipher_description(), and SSL_print_certificate_info().

 {
   long vresult = SSL_get_verify_result (h->ssl);
   X509* cert;
   STACK_OF(X509) *chain;
   int i;
 
   printf ("Verify result: %ld (%s)\n", vresult, X509_verify_cert_error_string(vresult));
   printf ("Verify mode: %d\n", SSL_get_verify_mode(h->ssl)); /* If it's 1 SSL will fail if not verified */
   printf ("SSL version: %s\n", SSL_get_version(h->ssl));
   printf ("Cipher name : %s\n", SSL_get_cipher_name(h->ssl));
   printf ("Cipher version: %s\n", SSL_get_cipher_version(h->ssl));
   printf ("Cipher description: %s\n", SSL_cipher_description((SSL_CIPHER*)SSL_get_current_cipher(h->ssl)));
   printf ("--------------------------------------------\n");
   printf ("Certificate:\n");
   cert = SSL_get_peer_certificate(h->ssl);
   if (cert)
     {
       SSL_print_certificate_info(cert);
       /* X509_free(cert); */
     }
   else
     fprintf(stderr, "------ ERROR: Peer certificate not present!!\n");
 
   printf ("--------------------------------------------\n");
   printf ("The entire certificate chain: \n");
   chain = SSL_get_peer_cert_chain(h->ssl);
   if (chain)
     {
       printf ("Certificates on chain: %d\n", sk_X509_num(chain));
       for (i=0; i<sk_X509_num(chain); i++)
     {
       cert = sk_X509_value(chain, i);
       if (cert)
         {
           SSL_print_certificate_info(cert);
           /* Not a good idea to free, it's an internal pointer and may
              break something*/
           /* X509_free(cert); */
           printf ("            ·················\n");
         }
     }
     }
   else
     fprintf (stderr, "------- ERROR: Couldn't get certificate chain!!\n");
 }

int SSL_recv	(	Sslc *	h,
		char **	data
	)

SSL recv. To be called instead of recs. It will read the socket and decode information, or even perform a handshake if needed

Parameters

h	Our structure.
data	Data to be read (caution a pointer by reference that must be freed manually

Returns: (0 if OK, else fail)

Definition at line 433 of file myssl.c.

References BUFFERSIZE, Sslc::ssl, and TCP_select().

 {
   size_t bytes, totalbytes = 0;
   char buffer[BUFFERSIZE];
   int sel;
   size_t allocated = BUFFERSIZE;
   *data = malloc (sizeof(char) * BUFFERSIZE);
   *data[0] = '\0';
 
   while (1)
     {
       sel = TCP_select(h, 1);
       if (sel<0)
     return -6;      /* select fail */
       else if (sel==0)
     {
       return totalbytes;
     }
       /* We must include terminator after reading */
       bytes = SSL_read (h->ssl, buffer, BUFFERSIZE -1);
       buffer[bytes] = '\0';
 
       if (bytes<1)
     return -7;
 
       if (totalbytes + bytes > allocated)
     {
       allocated+=BUFFERSIZE;
       *data = realloc(*data, allocated * sizeof(char));
     }
       strcat(*data, buffer);
       totalbytes+=bytes;
     }
   return totalbytes;
 }

int SSL_send	(	Sslc *	h,
		char *	msg
	)

SSL send. To be called instead of send. It will send data through the socket and decode information, or even perform a handshake if needed.

Parameters

h	Our structure.
msg	Message to send

Returns: (0 if OK, else fail)

Definition at line 408 of file myssl.c.

References Sslc::err, and Sslc::ssl.

 {
   int bytes = SSL_write(h->ssl, msg, strlen(msg));
   if (bytes<1)
     h->err = bytes;
 
   return bytes;
 }

int TCP_Connection	(	Sslc *	h,
		char *	server,
		int	port
	)

Creates a basic TCP client connection to a server on a port. Uses simple sockets

Parameters

h	Our structure. Only the socket will be used
server	Where to connect
port	The port to use (443 for HTTPS)

Returns: int (0 if OK, else fail)

Definition at line 341 of file myssl.c.

References Sslc::err, and Sslc::skt.

 {
   h->err = 0;
   struct hostent *host = gethostbyname (server);
   struct sockaddr_in addr;
 
   if (host == NULL)
     return -1;          /* Couldn't get host */
 
   h->skt = socket (AF_INET, SOCK_STREAM, 0);
   if (h->skt < 0)
     {
       return -2;
     }
   else
     {
       /* fill in address data */
       addr.sin_family = AF_INET;
       addr.sin_port = htons (port);
       addr.sin_addr = *((struct in_addr *) host->h_addr);
       bzero (&(addr.sin_zero), 8);
 
       /* connect */
       h->err = connect (h->skt, (struct sockaddr *) &addr, sizeof (struct sockaddr));
       if (h->err == -1)
         {
       return -3;
         }
     }
   return 0;
 }

int TCP_select	(	Sslc *	h,
		double	timeout
	)

Uses select to test if there is anything waiting to be read.

Parameters

h	Our structure. Only the socket will be used
timeout	Timeout before giving up

Returns: (0 timeout, 1 data waiting, <0 fail)

Definition at line 417 of file myssl.c.

References Sslc::skt.

Referenced by SSL_recv().

 {
   fd_set fds;
   FD_ZERO(&fds);
   FD_SET(h->skt, &fds);
   fd_set *rset=&fds;
   fd_set *wset=NULL;
 
   struct timeval tv;
   tv.tv_sec = (int)(timeout);
   tv.tv_usec = (int)((timeout - (int)(timeout)) * 1000000.0);
 
   int ret = select(h->skt+1, rset, wset, NULL, &tv);
   return ret;
 }

char * time_t_to_str	(	char *	buffer,
		size_t	bufsize,
		const char *	format,
		time_t *	tim
	)

Gets a string with the time_t into a string

Parameters

buffer	Buffer to write to
bufsize	Total buffer size
format	Date/Time format (

See Also: strftime())

Parameters

tim Time

Returns: buffer

Definition at line 549 of file myssl.c.

Referenced by print_time().

 {
   struct tm _tm;
   gmtime_r(tim, &_tm);
   strftime(buffer, bufsize, format, &_tm);
   return buffer;
 }

Communication Samples

Some C code examples

Classes

Macros

Functions

Detailed Description

Macro Definition Documentation

Function Documentation