blob: 2eb8cbccddfb69600b6187a88ff551933308c03f [file] [log] [blame]
Paul Bakker5121ce52009-01-03 21:22:43 +00001/*
2 * SSL client with certificate authentication
3 *
Paul Bakker84f12b72010-07-18 10:13:04 +00004 * Copyright (C) 2006-2010, Brainspark B.V.
Paul Bakkerb96f1542010-07-18 20:36:00 +00005 *
6 * This file is part of PolarSSL (http://www.polarssl.org)
Paul Bakker84f12b72010-07-18 10:13:04 +00007 * Lead Maintainer: Paul Bakker <polarssl_maintainer at polarssl.org>
Paul Bakkerb96f1542010-07-18 20:36:00 +00008 *
Paul Bakker77b385e2009-07-28 17:23:11 +00009 * All rights reserved.
Paul Bakkere0ccd0a2009-01-04 16:27:10 +000010 *
Paul Bakker5121ce52009-01-03 21:22:43 +000011 * This program is free software; you can redistribute it and/or modify
12 * it under the terms of the GNU General Public License as published by
13 * the Free Software Foundation; either version 2 of the License, or
14 * (at your option) any later version.
15 *
16 * This program is distributed in the hope that it will be useful,
17 * but WITHOUT ANY WARRANTY; without even the implied warranty of
18 * MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
19 * GNU General Public License for more details.
20 *
21 * You should have received a copy of the GNU General Public License along
22 * with this program; if not, write to the Free Software Foundation, Inc.,
23 * 51 Franklin Street, Fifth Floor, Boston, MA 02110-1301 USA.
24 */
25
26#ifndef _CRT_SECURE_NO_DEPRECATE
27#define _CRT_SECURE_NO_DEPRECATE 1
28#endif
29
30#include <string.h>
Paul Bakker9caf2d22010-02-18 19:37:19 +000031#include <stdlib.h>
Paul Bakker5121ce52009-01-03 21:22:43 +000032#include <stdio.h>
33
Paul Bakker5690efc2011-05-26 13:16:06 +000034#include "polarssl/config.h"
35
Paul Bakker40e46942009-01-03 21:51:57 +000036#include "polarssl/net.h"
37#include "polarssl/ssl.h"
38#include "polarssl/havege.h"
39#include "polarssl/certs.h"
40#include "polarssl/x509.h"
Paul Bakker5121ce52009-01-03 21:22:43 +000041
Paul Bakker9caf2d22010-02-18 19:37:19 +000042#define DFL_SERVER_NAME "localhost"
43#define DFL_SERVER_PORT 4433
44#define DFL_REQUEST_PAGE "/"
45#define DFL_DEBUG_LEVEL 0
Paul Bakker5690efc2011-05-26 13:16:06 +000046#define DFL_CA_FILE ""
Paul Bakker67968392010-07-18 08:28:20 +000047#define DFL_CRT_FILE ""
48#define DFL_KEY_FILE ""
Paul Bakker51936882011-02-20 16:05:58 +000049#define DFL_FORCE_CIPHER 0
Paul Bakker0e6975b2009-02-10 22:19:10 +000050
Paul Bakker9caf2d22010-02-18 19:37:19 +000051#define GET_REQUEST "GET %s HTTP/1.0\r\n\r\n"
Paul Bakker5121ce52009-01-03 21:22:43 +000052
Paul Bakker9caf2d22010-02-18 19:37:19 +000053/*
54 * global options
55 */
56struct options
57{
Paul Bakker67968392010-07-18 08:28:20 +000058 char *server_name; /* hostname of the server (client only) */
59 int server_port; /* port on which the ssl service runs */
60 int debug_level; /* level of debugging */
61 char *request_page; /* page on server to request */
Paul Bakker5690efc2011-05-26 13:16:06 +000062 char *ca_file; /* the file with the CA certificate(s) */
Paul Bakker67968392010-07-18 08:28:20 +000063 char *crt_file; /* the file with the client certificate */
64 char *key_file; /* the file with the client key */
Paul Bakker51936882011-02-20 16:05:58 +000065 int force_ciphersuite[2]; /* protocol/ciphersuite to use, or all */
Paul Bakker9caf2d22010-02-18 19:37:19 +000066} opt;
Paul Bakker5121ce52009-01-03 21:22:43 +000067
Paul Bakkerff60ee62010-03-16 21:09:09 +000068void my_debug( void *ctx, int level, const char *str )
Paul Bakker5121ce52009-01-03 21:22:43 +000069{
Paul Bakker9caf2d22010-02-18 19:37:19 +000070 if( level < opt.debug_level )
Paul Bakker5121ce52009-01-03 21:22:43 +000071 {
72 fprintf( (FILE *) ctx, "%s", str );
73 fflush( (FILE *) ctx );
74 }
75}
76
Paul Bakker5690efc2011-05-26 13:16:06 +000077#if defined(POLARSSL_FS_IO)
78#define USAGE_IO \
79 " ca_file=%%s default: \"\" (pre-loaded)\n" \
80 " crt_file=%%s default: \"\" (pre-loaded)\n" \
81 " key_file=%%s default: \"\" (pre-loaded)\n"
82#else
83#define USAGE_IO \
84 " No file operations available (POLARSSL_FS_IO not defined)\n"
85#endif /* POLARSSL_FS_IO */
86
Paul Bakker9caf2d22010-02-18 19:37:19 +000087#define USAGE \
Paul Bakker67968392010-07-18 08:28:20 +000088 "\n usage: ssl_client2 param=<>...\n" \
89 "\n acceptable parameters:\n" \
90 " server_name=%%s default: localhost\n" \
91 " server_port=%%d default: 4433\n" \
92 " debug_level=%%d default: 0 (disabled)\n" \
Paul Bakker5690efc2011-05-26 13:16:06 +000093 USAGE_IO \
Paul Bakker67968392010-07-18 08:28:20 +000094 " request_page=%%s default: \".\"\n" \
Paul Bakker51936882011-02-20 16:05:58 +000095 " force_ciphersuite=<name> default: all enabled\n"\
96 " acceptable ciphersuite names:\n"
Paul Bakker9caf2d22010-02-18 19:37:19 +000097
Paul Bakker5690efc2011-05-26 13:16:06 +000098#if !defined(POLARSSL_BIGNUM_C) || !defined(POLARSSL_HAVEGE_C) || \
99 !defined(POLARSSL_SSL_TLS_C) || !defined(POLARSSL_SSL_CLI_C) || \
100 !defined(POLARSSL_NET_C) || !defined(POLARSSL_RSA_C)
101int main( void )
102{
103 printf("POLARSSL_BIGNUM_C and/or POLARSSL_HAVEGE_C and/or "
104 "POLARSSL_SSL_TLS_C and/or POLARSSL_SSL_CLI_C and/or "
105 "POLARSSL_NET_C and/or POLARSSL_RSA_C not defined.\n");
106 return( 0 );
107}
108#else
Paul Bakker9caf2d22010-02-18 19:37:19 +0000109int main( int argc, char *argv[] )
Paul Bakker5121ce52009-01-03 21:22:43 +0000110{
Paul Bakkerf80d4532010-03-16 21:16:04 +0000111 int ret = 0, len, server_fd;
Paul Bakker5121ce52009-01-03 21:22:43 +0000112 unsigned char buf[1024];
113 havege_state hs;
114 ssl_context ssl;
115 ssl_session ssn;
116 x509_cert cacert;
117 x509_cert clicert;
118 rsa_context rsa;
Paul Bakker23986e52011-04-24 08:57:21 +0000119 int i;
120 size_t j, n;
Paul Bakker9caf2d22010-02-18 19:37:19 +0000121 char *p, *q;
Paul Bakker51936882011-02-20 16:05:58 +0000122 const int *list;
Paul Bakker9caf2d22010-02-18 19:37:19 +0000123
Paul Bakker1a207ec2011-02-06 13:22:40 +0000124 /*
125 * Make sure memory references are valid.
126 */
127 server_fd = 0;
128 memset( &ssn, 0, sizeof( ssl_session ) );
129 memset( &ssl, 0, sizeof( ssl_context ) );
130 memset( &cacert, 0, sizeof( x509_cert ) );
131 memset( &clicert, 0, sizeof( x509_cert ) );
132 memset( &rsa, 0, sizeof( rsa_context ) );
133
Paul Bakker9caf2d22010-02-18 19:37:19 +0000134 if( argc == 0 )
135 {
136 usage:
137 printf( USAGE );
Paul Bakker51936882011-02-20 16:05:58 +0000138
139 list = ssl_list_ciphersuites();
140 while( *list )
141 {
142 printf(" %s\n", ssl_get_ciphersuite_name( *list ) );
143 list++;
144 }
145 printf("\n");
Paul Bakker9caf2d22010-02-18 19:37:19 +0000146 goto exit;
147 }
148
149 opt.server_name = DFL_SERVER_NAME;
150 opt.server_port = DFL_SERVER_PORT;
151 opt.debug_level = DFL_DEBUG_LEVEL;
152 opt.request_page = DFL_REQUEST_PAGE;
Paul Bakker5690efc2011-05-26 13:16:06 +0000153 opt.ca_file = DFL_CA_FILE;
Paul Bakker67968392010-07-18 08:28:20 +0000154 opt.crt_file = DFL_CRT_FILE;
155 opt.key_file = DFL_KEY_FILE;
Paul Bakker51936882011-02-20 16:05:58 +0000156 opt.force_ciphersuite[0]= DFL_FORCE_CIPHER;
Paul Bakker9caf2d22010-02-18 19:37:19 +0000157
158 for( i = 1; i < argc; i++ )
159 {
160 n = strlen( argv[i] );
Paul Bakker9caf2d22010-02-18 19:37:19 +0000161
162 for( j = 0; j < n; j++ )
163 {
164 if( argv[i][j] >= 'A' && argv[i][j] <= 'Z' )
165 argv[i][j] |= 0x20;
166 }
167
168 p = argv[i];
169 if( ( q = strchr( p, '=' ) ) == NULL )
170 goto usage;
171 *q++ = '\0';
172
173 if( strcmp( p, "server_name" ) == 0 )
174 opt.server_name = q;
175 else if( strcmp( p, "server_port" ) == 0 )
176 {
177 opt.server_port = atoi( q );
178 if( opt.server_port < 1 || opt.server_port > 65535 )
179 goto usage;
180 }
181 else if( strcmp( p, "debug_level" ) == 0 )
182 {
183 opt.debug_level = atoi( q );
184 if( opt.debug_level < 0 || opt.debug_level > 65535 )
185 goto usage;
186 }
187 else if( strcmp( p, "request_page" ) == 0 )
188 opt.request_page = q;
Paul Bakker5690efc2011-05-26 13:16:06 +0000189 else if( strcmp( p, "ca_file" ) == 0 )
190 opt.ca_file = q;
Paul Bakker67968392010-07-18 08:28:20 +0000191 else if( strcmp( p, "crt_file" ) == 0 )
192 opt.crt_file = q;
193 else if( strcmp( p, "key_file" ) == 0 )
194 opt.key_file = q;
Paul Bakker51936882011-02-20 16:05:58 +0000195 else if( strcmp( p, "force_ciphersuite" ) == 0 )
196 {
197 opt.force_ciphersuite[0] = -1;
198
199 opt.force_ciphersuite[0] = ssl_get_ciphersuite_id( q );
200
201 if( opt.force_ciphersuite[0] <= 0 )
202 goto usage;
203
204 opt.force_ciphersuite[1] = 0;
205 }
Paul Bakker9caf2d22010-02-18 19:37:19 +0000206 else
207 goto usage;
208 }
Paul Bakker5121ce52009-01-03 21:22:43 +0000209
210 /*
211 * 0. Initialize the RNG and the session data
212 */
213 havege_init( &hs );
Paul Bakker5121ce52009-01-03 21:22:43 +0000214
215 /*
216 * 1.1. Load the trusted CA
217 */
218 printf( "\n . Loading the CA root certificate ..." );
219 fflush( stdout );
220
Paul Bakker5690efc2011-05-26 13:16:06 +0000221#if defined(POLARSSL_FS_IO)
222 if( strlen( opt.ca_file ) )
223 ret = x509parse_crtfile( &cacert, opt.ca_file );
224 else
225#endif
226#if defined(POLARSSL_CERTS_C)
227 ret = x509parse_crt( &cacert, (unsigned char *) test_ca_crt,
228 strlen( test_ca_crt ) );
229#else
230 {
231 ret = 1;
232 printf("POLARSSL_CERTS_C not defined.");
233 }
234#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000235 if( ret != 0 )
236 {
237 printf( " failed\n ! x509parse_crt returned %d\n\n", ret );
238 goto exit;
239 }
240
241 printf( " ok\n" );
242
243 /*
244 * 1.2. Load own certificate and private key
245 *
246 * (can be skipped if client authentication is not required)
247 */
248 printf( " . Loading the client cert. and key..." );
249 fflush( stdout );
250
Paul Bakker5690efc2011-05-26 13:16:06 +0000251#if defined(POLARSSL_FS_IO)
Paul Bakker67968392010-07-18 08:28:20 +0000252 if( strlen( opt.crt_file ) )
253 ret = x509parse_crtfile( &clicert, opt.crt_file );
254 else
Paul Bakker5690efc2011-05-26 13:16:06 +0000255#endif
256#if defined(POLARSSL_CERTS_C)
Paul Bakker67968392010-07-18 08:28:20 +0000257 ret = x509parse_crt( &clicert, (unsigned char *) test_cli_crt,
258 strlen( test_cli_crt ) );
Paul Bakker5690efc2011-05-26 13:16:06 +0000259#else
260 {
261 ret = 1;
262 printf("POLARSSL_CERTS_C not defined.");
263 }
264#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000265 if( ret != 0 )
266 {
267 printf( " failed\n ! x509parse_crt returned %d\n\n", ret );
268 goto exit;
269 }
270
Paul Bakker5690efc2011-05-26 13:16:06 +0000271#if defined(POLARSSL_FS_IO)
Paul Bakker67968392010-07-18 08:28:20 +0000272 if( strlen( opt.key_file ) )
273 ret = x509parse_keyfile( &rsa, opt.key_file, "" );
274 else
Paul Bakker5690efc2011-05-26 13:16:06 +0000275#endif
276#if defined(POLARSSL_CERTS_C)
Paul Bakker67968392010-07-18 08:28:20 +0000277 ret = x509parse_key( &rsa, (unsigned char *) test_cli_key,
278 strlen( test_cli_key ), NULL, 0 );
Paul Bakker5690efc2011-05-26 13:16:06 +0000279#else
280 {
281 ret = 1;
282 printf("POLARSSL_CERTS_C not defined.");
283 }
284#endif
Paul Bakker5121ce52009-01-03 21:22:43 +0000285 if( ret != 0 )
286 {
287 printf( " failed\n ! x509parse_key returned %d\n\n", ret );
288 goto exit;
289 }
290
291 printf( " ok\n" );
292
293 /*
294 * 2. Start the connection
295 */
Paul Bakker9caf2d22010-02-18 19:37:19 +0000296 printf( " . Connecting to tcp/%s/%-4d...", opt.server_name,
297 opt.server_port );
Paul Bakker5121ce52009-01-03 21:22:43 +0000298 fflush( stdout );
299
Paul Bakker9caf2d22010-02-18 19:37:19 +0000300 if( ( ret = net_connect( &server_fd, opt.server_name,
301 opt.server_port ) ) != 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000302 {
303 printf( " failed\n ! net_connect returned %d\n\n", ret );
304 goto exit;
305 }
306
307 printf( " ok\n" );
308
309 /*
310 * 3. Setup stuff
311 */
312 printf( " . Setting up the SSL/TLS structure..." );
313 fflush( stdout );
314
315 havege_init( &hs );
316
317 if( ( ret = ssl_init( &ssl ) ) != 0 )
318 {
319 printf( " failed\n ! ssl_init returned %d\n\n", ret );
320 goto exit;
321 }
322
323 printf( " ok\n" );
324
325 ssl_set_endpoint( &ssl, SSL_IS_CLIENT );
326 ssl_set_authmode( &ssl, SSL_VERIFY_OPTIONAL );
327
328 ssl_set_rng( &ssl, havege_rand, &hs );
Paul Bakker9caf2d22010-02-18 19:37:19 +0000329 ssl_set_dbg( &ssl, my_debug, stdout );
Paul Bakker5121ce52009-01-03 21:22:43 +0000330 ssl_set_bio( &ssl, net_recv, &server_fd,
331 net_send, &server_fd );
332
Paul Bakker51936882011-02-20 16:05:58 +0000333 if( opt.force_ciphersuite[0] == DFL_FORCE_CIPHER )
334 ssl_set_ciphersuites( &ssl, ssl_default_ciphersuites );
335 else
336 ssl_set_ciphersuites( &ssl, opt.force_ciphersuite );
337
Paul Bakker5121ce52009-01-03 21:22:43 +0000338 ssl_set_session( &ssl, 1, 600, &ssn );
339
Paul Bakker9caf2d22010-02-18 19:37:19 +0000340 ssl_set_ca_chain( &ssl, &cacert, NULL, opt.server_name );
Paul Bakker5121ce52009-01-03 21:22:43 +0000341 ssl_set_own_cert( &ssl, &clicert, &rsa );
342
Paul Bakker9caf2d22010-02-18 19:37:19 +0000343 ssl_set_hostname( &ssl, opt.server_name );
Paul Bakker5121ce52009-01-03 21:22:43 +0000344
345 /*
346 * 4. Handshake
347 */
348 printf( " . Performing the SSL/TLS handshake..." );
349 fflush( stdout );
350
351 while( ( ret = ssl_handshake( &ssl ) ) != 0 )
352 {
Paul Bakker831a7552011-05-18 13:32:51 +0000353 if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000354 {
355 printf( " failed\n ! ssl_handshake returned %d\n\n", ret );
356 goto exit;
357 }
358 }
359
Paul Bakkere3166ce2011-01-27 17:40:50 +0000360 printf( " ok\n [ Ciphersuite is %s ]\n",
361 ssl_get_ciphersuite( &ssl ) );
Paul Bakker5121ce52009-01-03 21:22:43 +0000362
363 /*
364 * 5. Verify the server certificate
365 */
366 printf( " . Verifying peer X.509 certificate..." );
367
368 if( ( ret = ssl_get_verify_result( &ssl ) ) != 0 )
369 {
370 printf( " failed\n" );
371
372 if( ( ret & BADCERT_EXPIRED ) != 0 )
373 printf( " ! server certificate has expired\n" );
374
375 if( ( ret & BADCERT_REVOKED ) != 0 )
376 printf( " ! server certificate has been revoked\n" );
377
378 if( ( ret & BADCERT_CN_MISMATCH ) != 0 )
Paul Bakker9caf2d22010-02-18 19:37:19 +0000379 printf( " ! CN mismatch (expected CN=%s)\n", opt.server_name );
Paul Bakker5121ce52009-01-03 21:22:43 +0000380
381 if( ( ret & BADCERT_NOT_TRUSTED ) != 0 )
382 printf( " ! self-signed or not signed by a trusted CA\n" );
383
384 printf( "\n" );
385 }
386 else
387 printf( " ok\n" );
388
389 printf( " . Peer certificate information ...\n" );
Paul Bakkerd98030e2009-05-02 15:13:40 +0000390 x509parse_cert_info( (char *) buf, sizeof( buf ) - 1, " ", ssl.peer_cert );
391 printf( "%s\n", buf );
Paul Bakker5121ce52009-01-03 21:22:43 +0000392
393 /*
394 * 6. Write the GET request
395 */
396 printf( " > Write to server:" );
397 fflush( stdout );
398
Paul Bakker9caf2d22010-02-18 19:37:19 +0000399 len = sprintf( (char *) buf, GET_REQUEST, opt.request_page );
Paul Bakker5121ce52009-01-03 21:22:43 +0000400
401 while( ( ret = ssl_write( &ssl, buf, len ) ) <= 0 )
402 {
Paul Bakker831a7552011-05-18 13:32:51 +0000403 if( ret != POLARSSL_ERR_NET_WANT_READ && ret != POLARSSL_ERR_NET_WANT_WRITE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000404 {
405 printf( " failed\n ! ssl_write returned %d\n\n", ret );
406 goto exit;
407 }
408 }
409
410 len = ret;
411 printf( " %d bytes written\n\n%s", len, (char *) buf );
412
413 /*
414 * 7. Read the HTTP response
415 */
416 printf( " < Read from server:" );
417 fflush( stdout );
418
419 do
420 {
421 len = sizeof( buf ) - 1;
422 memset( buf, 0, sizeof( buf ) );
423 ret = ssl_read( &ssl, buf, len );
424
Paul Bakker831a7552011-05-18 13:32:51 +0000425 if( ret == POLARSSL_ERR_NET_WANT_READ || ret == POLARSSL_ERR_NET_WANT_WRITE )
Paul Bakker5121ce52009-01-03 21:22:43 +0000426 continue;
427
Paul Bakker40e46942009-01-03 21:51:57 +0000428 if( ret == POLARSSL_ERR_SSL_PEER_CLOSE_NOTIFY )
Paul Bakker5121ce52009-01-03 21:22:43 +0000429 break;
430
Paul Bakker5690efc2011-05-26 13:16:06 +0000431 if( ret < 0 )
Paul Bakker5121ce52009-01-03 21:22:43 +0000432 {
433 printf( "failed\n ! ssl_read returned %d\n\n", ret );
434 break;
435 }
436
Paul Bakker5690efc2011-05-26 13:16:06 +0000437 if( ret == 0 )
438 {
439 printf("\n\nEOF\n\n");
440 break;
441 }
442
Paul Bakker5121ce52009-01-03 21:22:43 +0000443 len = ret;
444 printf( " %d bytes read\n\n%s", len, (char *) buf );
445 }
Paul Bakkerf3571312011-05-20 12:32:35 +0000446 while( 1 );
Paul Bakker5121ce52009-01-03 21:22:43 +0000447
448 ssl_close_notify( &ssl );
449
450exit:
451
Paul Bakker1a207ec2011-02-06 13:22:40 +0000452 if( server_fd )
453 net_close( server_fd );
Paul Bakker5121ce52009-01-03 21:22:43 +0000454 x509_free( &clicert );
455 x509_free( &cacert );
456 rsa_free( &rsa );
457 ssl_free( &ssl );
458
459 memset( &ssl, 0, sizeof( ssl ) );
460
461#ifdef WIN32
462 printf( " + Press Enter to exit this program.\n" );
463 fflush( stdout ); getchar();
464#endif
465
466 return( ret );
467}
Paul Bakker5690efc2011-05-26 13:16:06 +0000468#endif /* POLARSSL_BIGNUM_C && POLARSSL_HAVEGE_C && POLARSSL_SSL_TLS_C &&
469 POLARSSL_SSL_CLI_C && POLARSSL_NET_C && POLARSSL_RSA_C */