TrustedFirmware Git Browser
Code Review Sign In
review.trustedfirmware.org / mirror / mbed-tls / b749d68f9c7120d27ceed06bdb246cd22a707b66 / . / programs / ssl / ssl_client2.c
blob: d21309301234a7a85d5de63ce3e9919be7f96a84 [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]1/*
2 * SSL client with certificate authentication
3 *
4 * Copyright (C) 2006-2007 Christophe Devine
5 *
6 * This program is free software; you can redistribute it and/or modify
7 * it under the terms of the GNU General Public License as published by
8 * the Free Software Foundation; either version 2 of the License, or
9 * (at your option) any later version.
10 *
11 * This program is distributed in the hope that it will be useful,
12 * but WITHOUT ANY WARRANTY; without even the implied warranty of
13 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
14 * GNU General Public License for more details.
15 *
16 * You should have received a copy of the GNU General Public License along
17 * with this program; if not, write to the Free Software Foundation, Inc.,
18 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
19 */
20
21#ifndef _CRT_SECURE_NO_DEPRECATE
22#define _CRT_SECURE_NO_DEPRECATE 1
23#endif
24
25#include <string.h>
26#include <stdio.h>
27
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]28#include "polarssl/net.h"
29#include "polarssl/ssl.h"
30#include "polarssl/havege.h"
31#include "polarssl/certs.h"
32#include "polarssl/x509.h"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]33
34#define SERVER_PORT 443
35/*
36#define SERVER_NAME "localhost"
37#define GET_REQUEST "GET / HTTP/1.0\r\n\r\n"
38*/
Paul Bakkerb749d682009-01-04 16:08:55 +0000[diff] [blame^]39#define SERVER_NAME "polarssl.org"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]40#define GET_REQUEST \
41 "GET /hello/ HTTP/1.1\r\n" \
Paul Bakkerb749d682009-01-04 16:08:55 +0000[diff] [blame^]42 "Host: polarssl.org\r\n\r\n"
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]43
44#define DEBUG_LEVEL 0
45
46void my_debug( void *ctx, int level, char *str )
47{
48 if( level < DEBUG_LEVEL )
49 {
50 fprintf( (FILE *) ctx, "%s", str );
51 fflush( (FILE *) ctx );
52 }
53}
54
55int main( void )
56{
57 int ret, len, server_fd;
58 unsigned char buf[1024];
59 havege_state hs;
60 ssl_context ssl;
61 ssl_session ssn;
62 x509_cert cacert;
63 x509_cert clicert;
64 rsa_context rsa;
65
66 /*
67 * 0. Initialize the RNG and the session data
68 */
69 havege_init( &hs );
70 memset( &ssn, 0, sizeof( ssl_session ) );
71
72 /*
73 * 1.1. Load the trusted CA
74 */
75 printf( "\n . Loading the CA root certificate ..." );
76 fflush( stdout );
77
78 memset( &cacert, 0, sizeof( x509_cert ) );
79
80 /*
81 * Alternatively, you may load the CA certificates from a .pem or
82 * .crt file by calling x509parse_crtfile( &cacert, "myca.crt" ).
83 */
84 ret = x509parse_crt( &cacert, (unsigned char *) xyssl_ca_crt,
85 strlen( xyssl_ca_crt ) );
86 if( ret != 0 )
87 {
88 printf( " failed\n ! x509parse_crt returned %d\n\n", ret );
89 goto exit;
90 }
91
92 printf( " ok\n" );
93
94 /*
95 * 1.2. Load own certificate and private key
96 *
97 * (can be skipped if client authentication is not required)
98 */
99 printf( " . Loading the client cert. and key..." );
100 fflush( stdout );
101
102 memset( &clicert, 0, sizeof( x509_cert ) );
103
104 ret = x509parse_crt( &clicert, (unsigned char *) test_cli_crt,
105 strlen( test_cli_crt ) );
106 if( ret != 0 )
107 {
108 printf( " failed\n ! x509parse_crt returned %d\n\n", ret );
109 goto exit;
110 }
111
112 ret = x509parse_key( &rsa, (unsigned char *) test_cli_key,
113 strlen( test_cli_key ), NULL, 0 );
114 if( ret != 0 )
115 {
116 printf( " failed\n ! x509parse_key returned %d\n\n", ret );
117 goto exit;
118 }
119
120 printf( " ok\n" );
121
122 /*
123 * 2. Start the connection
124 */
125 printf( " . Connecting to tcp/%s/%-4d...", SERVER_NAME,
126 SERVER_PORT );
127 fflush( stdout );
128
129 if( ( ret = net_connect( &server_fd, SERVER_NAME,
130 SERVER_PORT ) ) != 0 )
131 {
132 printf( " failed\n ! net_connect returned %d\n\n", ret );
133 goto exit;
134 }
135
136 printf( " ok\n" );
137
138 /*
139 * 3. Setup stuff
140 */
141 printf( " . Setting up the SSL/TLS structure..." );
142 fflush( stdout );
143
144 havege_init( &hs );
145
146 if( ( ret = ssl_init( &ssl ) ) != 0 )
147 {
148 printf( " failed\n ! ssl_init returned %d\n\n", ret );
149 goto exit;
150 }
151
152 printf( " ok\n" );
153
154 ssl_set_endpoint( &ssl, SSL_IS_CLIENT );
155 ssl_set_authmode( &ssl, SSL_VERIFY_OPTIONAL );
156
157 ssl_set_rng( &ssl, havege_rand, &hs );
158 ssl_set_bio( &ssl, net_recv, &server_fd,
159 net_send, &server_fd );
160
161 ssl_set_ciphers( &ssl, ssl_default_ciphers );
162 ssl_set_session( &ssl, 1, 600, &ssn );
163
164 ssl_set_ca_chain( &ssl, &cacert, SERVER_NAME );
165 ssl_set_own_cert( &ssl, &clicert, &rsa );
166
167 ssl_set_hostname( &ssl, SERVER_NAME );
168
169 /*
170 * 4. Handshake
171 */
172 printf( " . Performing the SSL/TLS handshake..." );
173 fflush( stdout );
174
175 while( ( ret = ssl_handshake( &ssl ) ) != 0 )
176 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]177 if( ret != POLARSSL_ERR_NET_TRY_AGAIN )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]178 {
179 printf( " failed\n ! ssl_handshake returned %d\n\n", ret );
180 goto exit;
181 }
182 }
183
184 printf( " ok\n [ Cipher is %s ]\n",
185 ssl_get_cipher( &ssl ) );
186
187 /*
188 * 5. Verify the server certificate
189 */
190 printf( " . Verifying peer X.509 certificate..." );
191
192 if( ( ret = ssl_get_verify_result( &ssl ) ) != 0 )
193 {
194 printf( " failed\n" );
195
196 if( ( ret & BADCERT_EXPIRED ) != 0 )
197 printf( " ! server certificate has expired\n" );
198
199 if( ( ret & BADCERT_REVOKED ) != 0 )
200 printf( " ! server certificate has been revoked\n" );
201
202 if( ( ret & BADCERT_CN_MISMATCH ) != 0 )
203 printf( " ! CN mismatch (expected CN=%s)\n", SERVER_NAME );
204
205 if( ( ret & BADCERT_NOT_TRUSTED ) != 0 )
206 printf( " ! self-signed or not signed by a trusted CA\n" );
207
208 printf( "\n" );
209 }
210 else
211 printf( " ok\n" );
212
213 printf( " . Peer certificate information ...\n" );
214 printf( x509parse_cert_info( " ", ssl.peer_cert ) );
215
216 /*
217 * 6. Write the GET request
218 */
219 printf( " > Write to server:" );
220 fflush( stdout );
221
222 len = sprintf( (char *) buf, GET_REQUEST );
223
224 while( ( ret = ssl_write( &ssl, buf, len ) ) <= 0 )
225 {
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]226 if( ret != POLARSSL_ERR_NET_TRY_AGAIN )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]227 {
228 printf( " failed\n ! ssl_write returned %d\n\n", ret );
229 goto exit;
230 }
231 }
232
233 len = ret;
234 printf( " %d bytes written\n\n%s", len, (char *) buf );
235
236 /*
237 * 7. Read the HTTP response
238 */
239 printf( " < Read from server:" );
240 fflush( stdout );
241
242 do
243 {
244 len = sizeof( buf ) - 1;
245 memset( buf, 0, sizeof( buf ) );
246 ret = ssl_read( &ssl, buf, len );
247
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]248 if( ret == POLARSSL_ERR_NET_TRY_AGAIN )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]249 continue;
250
Paul Bakker40e46942009-01-03 21:51:57 +0000[diff] [blame]251 if( ret == POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY )
Paul Bakker5121ce52009-01-03 21:22:43 +0000[diff] [blame]252 break;
253
254 if( ret <= 0 )
255 {
256 printf( "failed\n ! ssl_read returned %d\n\n", ret );
257 break;
258 }
259
260 len = ret;
261 printf( " %d bytes read\n\n%s", len, (char *) buf );
262 }
263 while( 0 );
264
265 ssl_close_notify( &ssl );
266
267exit:
268
269 net_close( server_fd );
270 x509_free( &clicert );
271 x509_free( &cacert );
272 rsa_free( &rsa );
273 ssl_free( &ssl );
274
275 memset( &ssl, 0, sizeof( ssl ) );
276
277#ifdef WIN32
278 printf( " + Press Enter to exit this program.\n" );
279 fflush( stdout ); getchar();
280#endif
281
282 return( ret );
283}