SubscribeA little while ago, I was working on a client/server communication module, and I wanted it to be secure. Looking at the documentation I could find, I quickly figured out that it wouldn’t necessarily be easy to do.
Amongst the first issues are the validity of the server’s certificate, which, as I didn’t want to battle with this, I decided to skip
The example below shows how to connect and send/receive data on an SSL-encrypted socket
#include <sys/socket.h>
#include <sys/types.h>
#include <netinet/in.h>
#include <netdb.h>
#include <stdio.h>
#include <string.h>
#include <stdlib.h>
#include <unistd.h>
#include <errno.h>
#include <openssl/rand.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
// Simple structure to keep track of the handle, and
// of what needs to be freed later.
typedef struct {
int socket;
SSL *sslHandle;
SSL_CTX *sslContext;
} connection;
// For this example, we'll be testing on openssl.org
#define SERVER "www.openssl.org"
#define PORT 443
// Establish a regular tcp connection
int tcpConnect ()
{
int error, handle;
struct hostent *host;
struct sockaddr_in server;
host = gethostbyname (SERVER);
handle = socket (AF_INET, SOCK_STREAM, 0);
if (handle == -1)
{
perror ("Socket");
handle = 0;
}
else
{
server.sin_family = AF_INET;
server.sin_port = htons (PORT);
server.sin_addr = *((struct in_addr *) host->h_addr);
bzero (&(server.sin_zero), 8);
error = connect (handle, (struct sockaddr *) &server,
sizeof (struct sockaddr));
if (error == -1)
{
perror ("Connect");
handle = 0;
}
}
return handle;
}
// Establish a connection using an SSL layer
connection *sslConnect (void)
{
connection *c;
c = malloc (sizeof (connection));
c->sslHandle = NULL;
c->sslContext = NULL;
c->socket = tcpConnect ();
if (c->socket)
{
// Register the error strings for libcrypto & libssl
SSL_load_error_strings ();
// Register the available ciphers and digests
SSL_library_init ();
// New context saying we are a client, and using SSL 2 or 3
c->sslContext = SSL_CTX_new (SSLv23_client_method ());
if (c->sslContext == NULL)
ERR_print_errors_fp (stderr);
// Create an SSL struct for the connection
c->sslHandle = SSL_new (c->sslContext);
if (c->sslHandle == NULL)
ERR_print_errors_fp (stderr);
// Connect the SSL struct to our connection
if (!SSL_set_fd (c->sslHandle, c->socket))
ERR_print_errors_fp (stderr);
// Initiate SSL handshake
if (SSL_connect (c->sslHandle) != 1)
ERR_print_errors_fp (stderr);
}
else
{
perror ("Connect failed");
}
return c;
}
// Disconnect & free connection struct
void sslDisconnect (connection *c)
{
if (c->socket)
close (c->socket);
if (c->sslHandle)
{
SSL_shutdown (c->sslHandle);
SSL_free (c->sslHandle);
}
if (c->sslContext)
SSL_CTX_free (c->sslContext);
free (c);
}
// Read all available text from the connection
char *sslRead (connection *c)
{
const int readSize = 1024;
char *rc = NULL;
int received, count = 0;
char buffer[1024];
if (c)
{
while (1)
{
if (!rc)
rc = malloc (readSize * sizeof (char) + 1);
else
rc = realloc (rc, (count + 1) *
readSize * sizeof (char) + 1);
received = SSL_read (c->sslHandle, buffer, readSize);
buffer[received] = '\0';
if (received > 0)
strcat (rc, buffer);
if (received < readSize)
break;
count++;
}
}
return rc;
}
// Write text to the connection
void sslWrite (connection *c, char *text)
{
if (c)
SSL_write (c->sslHandle, text, strlen (text));
}
// Very basic main: we send GET / and print the response.
int main (int argc, char **argv)
{
connection *c;
char *response;
c = sslConnect ();
sslWrite (c, "GET /\r\n\r\n");
response = sslRead (c);
printf ("%s\n", response);
sslDisconnect (c);
free (response);
return 0;
}
To build this example program using gcc:
gcc -Wall -lssl -lcrypto -o ssl-demo ssl-demo.c
Have fun with SSL!
Nice Work!!!
Just thought I would let you know that I tested this code in my research of implementing SSL onto a socket in C, and it resulted in a bad realloc() call. It gives an invalid next size error when calling realloc. I believe this is due to your strcat call with rc not having a null byte to terminate the strcat resulting in an overwrite of arbitrary memory on the heap.
Apart from that, GREAT job. I can now use encryption on my sockets!
Hmm, I didn’t get that error at the time I wrote it, I’ll test it soon.
Thanks for the feedback
Hey suid,
I just compiled and ran it, it works fine *as is*, there are probably bugs in it, and I haven’t written C pretty much since I wrote this article, so I wouldn’t feel comfortable in modifying it… If you want to submit changes or a patch, you’re more than welcome to do so!
How’s your coding going? SSL’ing lots of stuffs over sockets?