add IPv6 support and TLS SNI

Author: darrenjs

common.h

@@ -1,8 +1,8 @@
 /*
-Copyright (c) 2017 Darren Smith
+  Copyright (c) 2017 Darren Smith
 
-ssl_examples is free software; you can redistribute it and/or modify
-it under the terms of the MIT license. See LICENSE for details.
+  ssl_examples is free software; you can redistribute it and/or modify
+  it under the terms of the MIT license. See LICENSE for details.
 */
 
 #include <openssl/bio.h>
@@ -63,6 +63,9 @@ struct ssl_client
   char* encrypt_buf;
   size_t encrypt_len;
 
+  /* Store the previous state string */
+  const char * last_state;
+
   /* Method to invoke when unencrypted bytes are available. */
   void (*io_on_read)(char *buf, size_t len);
 } client;
@@ -71,6 +74,7 @@ struct ssl_client
  * handshake. */
 enum ssl_mode { SSLMODE_SERVER, SSLMODE_CLIENT };
 
+
 void ssl_client_init(struct ssl_client *p,
                      int fd,
                      enum ssl_mode mode)
@@ -93,21 +97,25 @@ void ssl_client_init(struct ssl_client *p,
   p->io_on_read = print_unencrypted_data;
 }
 
+
 void ssl_client_cleanup(struct ssl_client *p)
 {
   SSL_free(p->ssl);   /* free the SSL object and its BIO's */
   free(p->write_buf);
   free(p->encrypt_buf);
 }
 
+
 int ssl_client_want_write(struct ssl_client *cp) {
   return (cp->write_len>0);
 }
 
+
 /* Obtain the return value of an SSL operation and convert into a simplified
  * error code, which is easier to examine for failure. */
 enum sslstatus { SSLSTATUS_OK, SSLSTATUS_WANT_IO, SSLSTATUS_FAIL};
 
+
 static enum sslstatus get_sslstatus(SSL* ssl, int n)
 {
   switch (SSL_get_error(ssl, n))
@@ -124,6 +132,7 @@ static enum sslstatus get_sslstatus(SSL* ssl, int n)
   }
 }
 
+
 /* Handle request to send unencrypted data to the SSL.  All we do here is just
  * queue the data into the encrypt_buf for later processing by the SSL
  * object. */
@@ -134,6 +143,7 @@ void send_unencrypted_bytes(const char *buf, size_t len)
   client.encrypt_len += len;
 }
 
+
 /* Queue encrypted bytes. Should only be used when the SSL object has requested a
  * write operation. */
 void queue_encrypted_bytes(const char *buf, size_t len)
@@ -143,12 +153,38 @@ void queue_encrypted_bytes(const char *buf, size_t len)
   client.write_len += len;
 }
 
+
+void print_ssl_state()
+{
+  const char * current_state = SSL_state_string_long(client.ssl);
+  if (current_state != client.last_state) {
+    if (current_state)
+      printf("SSL-STATE: %s\n", current_state);
+    client.last_state = current_state;
+  }
+}
+
+
+void print_ssl_error()
+{
+  BIO *bio = BIO_new(BIO_s_mem());
+  ERR_print_errors(bio);
+  char *buf;
+  size_t len = BIO_get_mem_data(bio, &buf);
+  if (len > 0)
+    printf("SSL-ERROR: %s", buf);
+  BIO_free(bio);
+}
+
+
 enum sslstatus do_ssl_handshake()
 {
   char buf[DEFAULT_BUF_SIZE];
   enum sslstatus status;
 
+  print_ssl_state();
   int n = SSL_do_handshake(client.ssl);
+  print_ssl_state();
   status = get_sslstatus(client.ssl, n);
 
   /* Did SSL request to write bytes? */
@@ -259,6 +295,7 @@ int do_encrypt()
   return 0;
 }
 
+
 /* Read bytes from stdin and queue for later encryption. */
 void do_stdin_read()
 {
@@ -268,6 +305,7 @@ void do_stdin_read()
     send_unencrypted_bytes(buf, (size_t)n);
 }
 
+
 /* Read encrypted bytes from socket. */
 int do_sock_read()
 {
@@ -280,6 +318,7 @@ int do_sock_read()
     return -1;
 }
 
+
 /* Write encrypted bytes to the socket. */
 int do_sock_write()
 {
@@ -295,19 +334,21 @@ int do_sock_write()
     return -1;
 }
 
+
 void ssl_init(const char * certfile, const char* keyfile)
 {
-  printf("initialising SSL\n");
-
   /* SSL library initialisation */
+
   SSL_library_init();
   OpenSSL_add_all_algorithms();
   SSL_load_error_strings();
-  ERR_load_BIO_strings();
+#if OPENSSL_VERSION_MAJOR < 3
+  ERR_load_BIO_strings(); // deprecated since OpenSSL 3.0
+#endif
   ERR_load_crypto_strings();
 
   /* create the SSL server context */
-  ctx = SSL_CTX_new(SSLv23_method());
+  ctx = SSL_CTX_new(TLS_method());
   if (!ctx)
     die("SSL_CTX_new()");
 
@@ -326,6 +367,7 @@ void ssl_init(const char * certfile, const char* keyfile)
       printf("certificate and private key loaded and verified\n");
   }
 
+
   /* Recommended to avoid SSLv2 & SSLv3 */
   SSL_CTX_set_options(ctx, SSL_OP_ALL|SSL_OP_NO_SSLv2|SSL_OP_NO_SSLv3);
 }

makefile

@@ -1,28 +1,29 @@
 #
 # Copyright (c) 2017 Darren Smith
 #
-# wampcc is free software; you can redistribute it and/or modify
-# it under the terms of the MIT license. See LICENSE for details.
+# ssl_examples is free software; you can redistribute it and/or modify it under
+# the terms of the MIT license. See LICENSE for details.
 #
 
 
-CFLAGS += -MMD -MP -Wall -O0 -g3 -ggdb
+CFLAGS += -MMD -MP -Wall -Wextra -O0 -g3 -ggdb
 
 LDLIBS += -lcrypto -lssl
 
-# default: callee
-
 all_srcs := $(shell find . -name \*.c)
-app_srcs := $(shell find . -name \*.c)
+
 
 all   : apps
-apps  : $(app_srcs:%.c=%)
+apps  : $(all_srcs:%.c=%)
 test  : obj/test/main ; @$<
-clean : ; rm -f $(app_srcs:%.c=%) $(app_srcs:%.c=%.d)
+clean : ; rm -f $(all_srcs:%.c=%) $(all_srcs:%.c=%.d)
 
-#-include $(all_srcs:%.cc=%.d)
 .PRECIOUS : %.o
 
-%.o            : %.cc ; $(COMPILE.cpp) $(OUTPUT_OPTION) $<
-%.o            : %.c ; $(COMPILE.c) $(OUTPUT_OPTION) $<
-%              : %.o ; @$(LINK.cpp) $(OUTPUT_OPTION) $^  $(LDLIBS)
+ssl_server_nonblock: ssl_server_nonblock.c common.h
+	$(CC) $(CFLAGS) ssl_server_nonblock.c $(OUTPUT_OPTION) $(LDLIBS)
+
+ssl_client_nonblock: ssl_client_nonblock.c common.h
+	$(CC) $(CFLAGS) ssl_client_nonblock.c $(OUTPUT_OPTION) $(LDLIBS)
+
+#-include $(all_srcs:%.c=%.d)

ssl_client_nonblock.c

@@ -1,31 +1,74 @@
 /*
-Copyright (c) 2017 Darren Smith
+  Copyright (c) 2017 Darren Smith
 
-ssl_examples is free software; you can redistribute it and/or modify
-it under the terms of the MIT license. See LICENSE for details.
+  ssl_examples is free software; you can redistribute it and/or modify
+  it under the terms of the MIT license. See LICENSE for details.
 */
 
 #include "common.h"
 
 int main(int argc, char **argv)
 {
-  int port = argc>1? atoi(argv[1]):55555;
-  char* host="127.0.0.1";
+  /* --- CONFIGURE PEER SOCKET --- */
+
+  // port name, optionally take from args
+  int port = argc>1? atoi(argv[1]):443;
+
+  // host IP address. Attention! This must be a numeric address, not a server
+  // host name, because this example code does not perform address lookup.
+  char* host_ip = "2600:9000:225d:600:14:c251:2440:93a1";
+
+  // provide the hostname if this SSL client needs to use SNI to tell the server
+  // what certificate to use
+  const char * host_name = "api.huobi.pro";
+
+  // socket family, AF_INET (ipv4) or AF_INET6 (ipv6), must match host_ip above
+  int ip_family = AF_INET6;
+
+  /* Example for localhost connection
+     int port = argc>1? atoi(argv[1]):55555;
+     const char* host_ip = "127.0.0.1";
+     const char * host_name = NULL;
+     int ip_family = AF_INET;
+  */
+
+
+  /* --- CONFIGURAITON ENDS --- */
+
+  int sockfd = socket(ip_family, SOCK_STREAM, 0);
 
-  int sockfd = socket(AF_INET, SOCK_STREAM, 0);
   if (sockfd < 0)
     die("socket()");
 
   /* Specify socket address */
-  struct sockaddr_in addr;
-  memset(&addr, 0, sizeof(addr));
-  addr.sin_family = AF_INET;
-  addr.sin_port = htons(port);
-  if (inet_pton(AF_INET, host, &(addr.sin_addr)) <= 0)
-    die("inet_pton()");
 
-  if (connect(sockfd, (struct sockaddr*) &addr, sizeof(addr)) < 0)
-    die("connect()");
+  if (ip_family == AF_INET6) {
+    struct sockaddr_in6 addr;
+    memset(&addr, 0, sizeof(addr));
+    addr.sin6_family = ip_family;
+    addr.sin6_port = htons(port);
+
+    if (inet_pton(ip_family, host_ip, &(addr.sin6_addr)) <= 0)
+      die("inet_pton()");
+
+    if (connect(sockfd, (struct sockaddr*) &addr, sizeof(addr)) < 0)
+      die("connect()");
+  }
+
+  if (ip_family == AF_INET) {
+    struct sockaddr_in addr;
+    memset(&addr, 0, sizeof(addr));
+    addr.sin_family = ip_family;
+    addr.sin_port = htons(port);
+
+    if (inet_pton(ip_family, host_ip, &(addr.sin_addr)) <= 0)
+      die("inet_pton()");
+
+    if (connect(sockfd, (struct sockaddr*) &addr, sizeof(addr)) < 0)
+      die("connect()");
+  }
+
+  printf("socket connected\n");
 
   struct pollfd fdset[2];
   memset(&fdset, 0, sizeof(fdset));
@@ -36,6 +79,9 @@ int main(int argc, char **argv)
   ssl_init(0,0);
   ssl_client_init(&client, sockfd, SSLMODE_CLIENT);
 
+  if (host_name)
+    SSL_set_tlsext_host_name(client.ssl, host_name); // TLS SNI
+
   fdset[1].fd = sockfd;
   fdset[1].events = POLLERR | POLLHUP | POLLNVAL | POLLIN;
 #ifdef POLLRDHUP
@@ -71,10 +117,13 @@ int main(int argc, char **argv)
     if (fdset[0].revents & POLLIN)
       do_stdin_read();
     if (client.encrypt_len>0)
-      do_encrypt();
+      if (do_encrypt() < 0)
+        break;
   }
 
   close(fdset[1].fd);
+  print_ssl_state();
+  print_ssl_error();
   ssl_client_cleanup(&client);
 
   return 0;