How secure are these programs?

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
1 message Options
Reply | Threaded
Open this post in threaded view
|

How secure are these programs?

michael Dorrian
I would just like to have the same security as somebody connecting to a https server(certificate does not need to be a trusted one). I cannot use any client keys or certs. I know that i have to present my server certificate to the client and then the client decides whether or not to connect to the server. I know that the server basically validates nothing about the client but just presents its certificate and the user decides if he/she wishes to connect to the server. I know that if i get a trusted certificate from some company like verisign and use that, that it could be more secure but at the moment i think that is not an option.Is it possible to make these programs more secure and how?. 
server output is:
[root@localhost]$./server
SSL connection opened
 
client output is:
[root@localhost]$./client
  Subject-CN: 192.13.19.25
  Issuer-CN:  Server CA
  Issuer Country:  US
  Issuer Organisation:  My company
Do you wish to have a secure connection with this server[y:n]y
SSL Connection opened
 
The c programs are the following........
/******************************************** client.c*******************************************/
#include "common.h"
 
SSL_CTX* InitCTX(void)
{   SSL_METHOD *method;
    SSL_CTX *ctx;
    OpenSSL_add_all_algorithms();  /* Load cryptos, et.al. */
    SSL_load_error_strings();   /* Bring in and register error messages */
    method = SSLv2_client_method();  /* Create new client-method instance */
    ctx = SSL_CTX_new(method);   /* Create new context */
    if ( ctx == NULL )
    {
        ERR_print_errors_fp(stderr);
        abort();
    }
    return ctx;
}
int do_client_loop(SSL *ssl)
{
    int  err, nwritten;
    char buf[80];
 
    for (;;)
    {
        if (!fgets(buf, sizeof(buf), stdin))
            break;
        for (nwritten = 0;  nwritten < sizeof(buf);  nwritten += err)
        {
            err = SSL_write(ssl, buf + nwritten, sizeof(buf) - nwritten);
            if (err <= 0)
                return 0;
        }
    }
    return 1;
}
void ShowCerts(SSL* ssl)
{   X509 *cert;
 char buf[100];
 /* get the server's certificate */
 cert = SSL_get_peer_certificate(ssl);
 if ( cert != NULL )
    {      
  /* issuer */ 
  X509_NAME_get_text_by_NID(cert->cert_info->subject, NID_commonName, buf,sizeof(buf));
  printf("  Subject-CN: %s\n", buf);
  X509_NAME_get_text_by_NID(cert->cert_info->issuer, NID_commonName, buf,sizeof(buf));
  printf("  Issuer-CN:  %s\n", buf);
  X509_NAME_get_text_by_NID(cert->cert_info->issuer, NID_countryName, buf,sizeof(buf));
  printf("  Issuer Country:  %s\n", buf);
  X509_NAME_get_text_by_NID(cert->cert_info->issuer, NID_organizationName, buf,sizeof(buf));
  printf("  Issuer Organisation:  %s\n", buf);
 }
    else
        printf("No certificates.\n");
}
int main(int argc, char *argv[])
{
    BIO     *conn;
    SSL     *ssl;
    SSL_CTX *ctx;
    char input;

    init_OpenSSL(  );
    seed_prng(  );
 
    ctx = InitCTX();
 
    conn = BIO_new_connect(SERVER ":" PORT);
    if (!conn)
        int_error("Error creating connection BIO");
 
    if (BIO_do_connect(conn) <= 0)
        int_error("Error connecting to remote machine");
 
    ssl = SSL_new(ctx);
    SSL_set_bio(ssl, conn, conn);
    if (SSL_connect(ssl) <= 0)
        int_error("Error connecting SSL object");
 ShowCerts(ssl); 
 printf("Do you wish to have a secure connection with this server[y:n]:");
 scanf("%s", &input);
 //Isconnect = (char*)input;
 if (!strncmp(input, "n",1)){
     SSL_free(ssl);
     SSL_CTX_free(ctx);
     return 0;
 }
    fprintf(stderr, "SSL Connection opened\n");
    if (do_client_loop(ssl))
        SSL_shutdown(ssl);
    else
        SSL_clear(ssl);
    fprintf(stderr, "SSL Connection closed\n");
 
    SSL_free(ssl);
    SSL_CTX_free(ctx);
    return 0;
}
/******************************************** server.c*******************************************/
#include "common.h"
 
#define CERTFILE "server.pem"
#define CAFILE "rootcert.pem"
#define CADIR NULL
SSL_CTX *setup_server_ctx(void)
{
    SSL_CTX *ctx;
    ctx = SSL_CTX_new(SSLv23_method(  ));
    if (SSL_CTX_load_verify_locations(ctx, CAFILE, CADIR) != 1)
        int_error("Error loading CA file and/or directory");
    if (SSL_CTX_set_default_verify_paths(ctx) != 1)
        int_error("Error loading default CA file and/or directory");
    if (SSL_CTX_use_certificate_chain_file(ctx, CERTFILE) != 1)
        int_error("Error loading certificate from file");
    if (SSL_CTX_use_PrivateKey_file(ctx, CERTFILE, SSL_FILETYPE_PEM) != 1)
        int_error("Error loading private key from file");
    return ctx;
}
int do_server_loop(SSL *ssl)
{
    int  err, nread;
    char buf[80];
 
    do
    {
        for (nread = 0;  nread < sizeof(buf);  nread += err)
        {
            err = SSL_read(ssl, buf + nread, sizeof(buf) - nread);
            if (err <= 0)
                break;
        }
        fprintf(stdout, "%s", buf);
    }
    while (err > 0);
    return (SSL_get_shutdown(ssl) & SSL_RECEIVED_SHUTDOWN) ? 1 : 0;
}
 
void THREAD_CC server_thread(void *arg)
{
    SSL *ssl = (SSL *)arg;
#ifndef WIN32
    pthread_detach(pthread_self(  ));
#endif
    if (SSL_accept(ssl) <= 0)
        int_error("Error accepting SSL connection");
    fprintf(stderr, "SSL Connection opened\n");
    if (do_server_loop(ssl))
        SSL_shutdown(ssl);
    else
        SSL_clear(ssl);
    fprintf(stderr, "SSL Connection closed\n");
    SSL_free(ssl);
    ERR_remove_state(0);
#ifdef WIN32
    _endthread(  );
#endif
}
 
int main(int argc, char *argv[])
{
    BIO         *acc, *client;
    SSL         *ssl;
    SSL_CTX     *ctx;
    THREAD_TYPE tid;
 
    init_OpenSSL(  );
    seed_prng(  );
    ctx = setup_server_ctx(  );
    acc = BIO_new_accept(PORT);
    if (!acc)
        int_error("Error creating server socket");
 
    if (BIO_do_accept(acc) <= 0)
        int_error("Error binding server socket");
 
    for (;;)
    {
        if (BIO_do_accept(acc) <= 0)
            int_error("Error accepting connection");
 
        client = BIO_pop(acc);
        if (!(ssl = SSL_new(ctx)))
            int_error("Error creating SSL context");
        SSL_set_bio(ssl, client, client);
        THREAD_CREATE(tid, (void *)server_thread, ssl);
    }
   
    SSL_CTX_free(ctx);
    BIO_free(acc);
    return 0;
}


Yahoo! Mail
Use Photomail to share photos without annoying attachments.