ssl-test.cc

Go to the documentation of this file.

//
#include "common/logging.h"

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <netinet/tcp.h>
#include <netdb.h>

#include <openssl/ssl.h>
#include <openssl/err.h>

int tcp_connect(char* host, int port) {
  struct hostent *hp;
  struct sockaddr_in addr;
  int sock;

  if(!(hp = gethostbyname(host))) {
    LOG(ERROR) << "Couldn't resolve host";
    exit(1);
  }

  memset(&addr,0,sizeof(addr));
  addr.sin_addr=*(struct in_addr*)hp->h_addr_list[0];
  addr.sin_family=AF_INET;
  addr.sin_port=htons(port);

  if((sock=socket(AF_INET,SOCK_STREAM, IPPROTO_TCP))<0) {
    LOG(ERROR) << "Couldn't create socket";
    exit(1);
  }
  if(connect(sock,(struct sockaddr *)&addr, sizeof(addr))<0) {
    LOG(ERROR) << "Couldn't connect socket";
    exit(1);
  }
  return sock;
}

bool check_cert(SSL* ssl, char* host) {
  long result = SSL_get_verify_result(ssl);
  // if (result != X509_V_OK) {
  //   LOG(ERROR) << "Certificate doesn't verify (result: " << result << ")" ;
  //   return false;
  // }

  /*Check the cert chain. The chain length
    is automatically checked by OpenSSL when
    we set the verify depth in the ctx */

  /*Check the common name*/
  X509* peer = SSL_get_peer_certificate(ssl);
  char peer_CN[256];

  X509_NAME_get_text_by_NID (X509_get_subject_name(peer),
      NID_commonName, peer_CN, 256);
  if(strcasecmp(peer_CN,host)) {
    LOG(ERROR) << "Common name doesn't match host name (" << peer_CN << ")";
    return false;
  }

  return true;
}

static int password_cb(char *buf,int num,
    int rwflag,void *userdata)
{
  if(num<strlen("")+1) return(0);

  strcpy(buf, "");
  return(strlen(""));
}


bool install_certificates(SSL_CTX* ctx, char* keyfile) {
  if (!(SSL_CTX_use_certificate_chain_file(ctx, keyfile))) {
    LOG(ERROR) << "Can't read certificate file";
    return false;
  }

  // pass=password;
  // SSL_CTX_set_default_passwd_cb(ctx, password_cb);
  // if(!(SSL_CTX_use_PrivateKey_file(ctx, keyfile,SSL_FILETYPE_PEM))) {
  //   LOG(INFO) << "Can't read key file";
  //   return false;
  // }

  /* Load the CAs we trust*/
  // if(!(SSL_CTX_load_verify_locations(ctx, "root.pem", 0))) {
  //   LOG(INFO) << "Can't read CA list";
  //   return false;
  // }

  return true;
}


int main(int argc, char** argv) {
  google::InitGoogleLogging(argv[0]);
  SSL_library_init();
  SSL_load_error_strings();
  SSL_CTX* ctx = SSL_CTX_new(SSLv23_method());
  SSL* ssl = SSL_new(ctx);

  if (!install_certificates(ctx, "/home/henry/src/cloudera/impala/win2k8-ad1-ca.cer")) {
    BIO* bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
    ERR_print_errors(bio_err);
    exit(1);
    // if (SSL_get_error(ssl, ret) == SSL_ERROR_SYSCALL) {
    //   LOG(INFO) << "Err[" << errno << "]: " << strerror(errno);
    // }
  }

  int sock = tcp_connect((char*)"10.20.186.46", 636);
  LOG(INFO) << "Connected, sock: " << sock;
  BIO* bio = BIO_new_socket(sock, BIO_NOCLOSE);
  SSL_set_bio(ssl, bio, bio);

  int ret = SSL_connect(ssl);
  LOG(INFO) << "SSL_connect() returned: " << ret;
  if (ret < 0) {
    LOG(INFO) << "Errors: " << SSL_get_error(ssl, ret);
    BIO* bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
    ERR_print_errors(bio_err);
    if (SSL_get_error(ssl, ret) == SSL_ERROR_SYSCALL) {
      LOG(INFO) << "Err[" << errno << "]: " << strerror(errno);
    }
  }

  if (!check_cert(ssl, "10.20.186.46")) {
    BIO* bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
    ERR_print_errors(bio_err);
    if (SSL_get_error(ssl, 20) == SSL_ERROR_SYSCALL) {
      LOG(INFO) << "Err[" << errno << "]: " << strerror(errno);
    }
  }
}