1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
120
121
122
|
<pre>
<font color="#0000ff">// Copyright (c) 2001 David Muse</font>
<font color="#0000ff">// See the file COPYING for more information</font>
<font color="#a020f0">#include </font><font color="#ff00ff"><rudiments/inetclientsocket.h></font>
<font color="#a020f0">#include </font><font color="#ff00ff"><rudiments/charstring.h></font>
<font color="#a020f0">#include </font><font color="#ff00ff"><rudiments/error.h></font>
<font color="#a020f0">#include </font><font color="#ff00ff"><openssl/err.h></font>
<font color="#a020f0">#ifdef RUDIMENTS_NAMESPACE</font>
<font color="#a52a2a"><b>using</b></font> <font color="#2e8b57"><b>namespace</b></font> rudiments;
<font color="#a020f0">#endif</font>
<font color="#2e8b57"><b>int</b></font> passwdCallback(<font color="#2e8b57"><b>char</b></font> *buf, <font color="#2e8b57"><b>int</b></font> size, <font color="#2e8b57"><b>int</b></font> rwflag, <font color="#2e8b57"><b>void</b></font> *userdata) {
charstring::copy(buf,(<font color="#2e8b57"><b>char</b></font> *)userdata,size);
buf[size-<font color="#ff00ff">1</font>]=(<font color="#2e8b57"><b>char</b></font>)<font color="#ff00ff">NULL</font>;
<font color="#a52a2a"><b>return</b></font> charstring::length(buf);
}
<font color="#2e8b57"><b>int</b></font> main(<font color="#2e8b57"><b>int</b></font> argc, <font color="#2e8b57"><b>const</b></font> <font color="#2e8b57"><b>char</b></font> **argv) {
<font color="#0000ff">// initialize the SSL context</font>
SSL_library_init();
SSL_load_error_strings();
<font color="#0000ff">// Create a new client context usng SSLv2.</font>
SSL_CTX *ctx=SSL_CTX_new(SSLv2_client_method());
<font color="#0000ff">// in cases where a re-negotiation must take place during an SSL_read</font>
<font color="#0000ff">// or SSL_write, automatically re-negotiate, then retry the read/write</font>
<font color="#0000ff">// instead of causing the read/write to fail</font>
SSL_CTX_set_mode(ctx,SSL_MODE_AUTO_RETRY);
<font color="#0000ff">// load the client's certificate chain</font>
SSL_CTX_use_certificate_chain_file(ctx,<font color="#ff00ff">"client.pem"</font>);
<font color="#0000ff">// if the private key requires a password in order to read it,</font>
<font color="#0000ff">// supply "password"</font>
SSL_CTX_set_default_passwd_cb(ctx,passwdCallback);
SSL_CTX_set_default_passwd_cb_userdata(ctx,(<font color="#2e8b57"><b>void</b></font> *)<font color="#ff00ff">"password"</font>);
<font color="#0000ff">// load the client's private key</font>
SSL_CTX_use_PrivateKey_file(ctx,<font color="#ff00ff">"client.pem"</font>,SSL_FILETYPE_PEM);
<font color="#0000ff">// load certificates for the signing authorities that we trust</font>
SSL_CTX_load_verify_locations(ctx,<font color="#ff00ff">"ca.pem"</font>,<font color="#ff00ff">0</font>);
<font color="#a020f0"> #if (OPENSSL_VERSION_NUMBER < </font><font color="#ff00ff">0x0090600fL</font><font color="#a020f0">)</font>
<font color="#0000ff">// server certificates must be directly signed</font>
<font color="#0000ff">// by one of the signing authroities that we trust</font>
SSL_CTX_set_verify_depth(ctx,<font color="#ff00ff">1</font>);
<font color="#a020f0"> #endif</font>
<font color="#0000ff">// create an inet socket client</font>
inetclientsocket clnt;
clnt.setSSLContext(ctx);
<font color="#0000ff">// connect to a server on localhost, listening on port 8000</font>
<font color="#a52a2a"><b>if</b></font> (clnt.connect(<font color="#ff00ff">"localhost"</font>,<font color="#ff00ff">8000</font>,-<font color="#ff00ff">1</font>,-<font color="#ff00ff">1</font>,<font color="#ff00ff">1</font>,<font color="#ff00ff">1</font>)<<font color="#ff00ff">0</font>) {
<font color="#a52a2a"><b>if</b></font> (errno) {
printf(<font color="#ff00ff">"connect failed: </font><font color="#6a5acd">%s</font><font color="#6a5acd">\n</font><font color="#ff00ff">"</font>,error::getErrorString());
} <font color="#a52a2a"><b>else</b></font> {
printf(<font color="#ff00ff">"connect failed: "</font>);
ERR_print_errors_fp(<font color="#ff00ff">stdout</font>);
printf(<font color="#ff00ff">"</font><font color="#6a5acd">\n</font><font color="#ff00ff">"</font>);
}
clnt.close();
exit(<font color="#ff00ff">1</font>);
}
<font color="#0000ff">// make sure the server sent a certificate</font>
X509 *certificate=SSL_get_peer_certificate(clnt.getSSL());
<font color="#a52a2a"><b>if</b></font> (!certificate) {
printf(<font color="#ff00ff">"peer sent no certificate</font><font color="#6a5acd">\n</font><font color="#ff00ff">"</font>);
clnt.close();
exit(<font color="#ff00ff">1</font>);
}
<font color="#0000ff">// make sure the certificate was valid</font>
<font color="#2e8b57"><b>long</b></font> result=SSL_get_verify_result(clnt.getSSL());
<font color="#a52a2a"><b>if</b></font> (result!=X509_V_OK) {
printf(<font color="#ff00ff">"SSL_get_verify_result failed: </font><font color="#6a5acd">%d</font><font color="#6a5acd">\n</font><font color="#ff00ff">"</font>,result);
clnt.close();
exit(<font color="#ff00ff">1</font>);
}
<font color="#0000ff">// Make sure the commonname in the certificate is the one we expect it</font>
<font color="#0000ff">// to be (server.localdomain).</font>
<font color="#0000ff">// (we may also want to check the subject name field or certificate</font>
<font color="#0000ff">// extension for the commonname because sometimes it's there instead</font>
<font color="#0000ff">// of in the commonname field)</font>
<font color="#2e8b57"><b>char</b></font> commonname[<font color="#ff00ff">256</font>];
X509_NAME_get_text_by_NID(X509_get_subject_name(certificate),
NID_commonName,commonname,<font color="#ff00ff">256</font>);
<font color="#a52a2a"><b>if</b></font> (charstring::compareIgnoringCase(commonname,<font color="#ff00ff">"server.localdomain"</font>)) {
printf(<font color="#ff00ff">"</font><font color="#6a5acd">%s</font><font color="#ff00ff">!=server.localdomain</font><font color="#6a5acd">\n</font><font color="#ff00ff">"</font>,commonname);
clnt.close();
exit(<font color="#ff00ff">1</font>);
}
<font color="#0000ff">// write "hello" to the server</font>
clnt.write(<font color="#ff00ff">"hello"</font>,<font color="#ff00ff">5</font>);
<font color="#0000ff">// read 10 bytes from the server and display them</font>
<font color="#2e8b57"><b>char</b></font> buffer[<font color="#ff00ff">11</font>];
<font color="#2e8b57"><b>int</b></font> sizeread=clnt.read(buffer,<font color="#ff00ff">10</font>);
buffer[sizeread]=(<font color="#2e8b57"><b>char</b></font>)<font color="#ff00ff">NULL</font>;
printf(<font color="#ff00ff">"</font><font color="#6a5acd">%s</font><font color="#6a5acd">\n</font><font color="#ff00ff">"</font>,buffer);
<font color="#0000ff">// close the connection to the server</font>
clnt.close();
}
</pre>
|
