6

As described here http://www.ddj.com/cpp/184401688

I do not have time to write this from scratch.

Asked and not answered https://stackoverflow.com/questions/434961/implementing-ssl

THE QUESTION IS:

I am looking for some compilable working source code that implements MS SSPI (as alluded to in the thread above), procedural not OOP preferred.

I have looked at the code projects sample here:

http://www.codeproject.com/KB/IP/sslclasses.aspx

But this is C# OOP. Converting this to C++ code is not trivial.

OpenSSL

SChannel calls follow GSS API standards. There are, of course, some alternatives -- OpenSSL for example. This package is a complete and thorough implementation of the protocol and for someone all too familiar with UNIX is undoubtedly the best choice. The package originally targeted the UNIX community and to compile it relies on the Perl runtime, so some learning curve is required for Windows developers who never worked with UNIX-type systems.

Apart from that, OpenSSL does some very non-standard things.

Nikolai, having contributed a lot of COMPILABLE source code (www.coastrd.com) I was hoping to find someone willing to do the same.

Mike Trader
  • 1
    You will find no answer here.. maybe only a joke answer with code for writing ssl encoded stream of zeroes to /dev/null – Frunsi Jan 09 '10 at 02:08
  • 1
    Bump, you caught the second down-vote. Please ask a better question. You don't want OpenSSL, that's fine. Then, use MS SSPI. Or write your own SSL/TLS implementation. – Frunsi Jan 09 '10 at 02:32
  • Please read the question. I am asking for a solution USING MS SSPI... – Mike Trader Jan 09 '10 at 02:34
  • BTW: OpenSSL can be compiled without perl. There is an nmake makefile or even a VS project. I am very sure that I compiled it without perl a year ago. – Frunsi Jan 09 '10 at 02:34
  • No, I didn't down-vote you. The original question sounded downright *give me solution right now*, thus my answer. – Nikolai Fetissov Jan 09 '10 at 02:35
  • 1
    Thank you for your feedback, I will try to write my questions so they do not sound that way. That was certainly NOT my intention. – Mike Trader Jan 09 '10 at 02:37
  • It seems (from your comments below) that the "procedural, not OOP preferred" is really "procedural, not OOP *required*" – Mark Elliot Jan 09 '10 at 02:54
  • 1
    So what if it needs Perl, perl is free, installs easily and without a hitch on windows. – President James K. Polk Jan 09 '10 at 02:56
  • This is a clear request for a recommendation for an off-site resource, which makes it off-topic here. – user207421 Oct 20 '21 at 23:28

4 Answers

23

This SSPI SChannel SMTPS example should compile and run in Visual Studio 2008 as is

http://www.coastrd.com/c-schannel-smtp (the original site seems dead; fortunately WaybackMachine has it archived)

SChannel is the Microsoft implementation of the GSS API that wraps the SSL/TLS protocol.

Advantages of utilizing SChannel:

  • gory details are shielded from the developer by the SSPI.
  • No extra setup is required to run the final application:
      • SChannel is an integral part of the operating system
      • On Windows ME/2000/XP/... platforms, SChannel is installed and configured by default
  • SChannel calls follow GSS API standards.
  • You do not need to create/install any certificates
  • no third party dll's (1MB or larger) to ship and install

The code should produce a session that looks like this:

----- SSPI Initialized
----- WinSock Initialized
----- Credentials Initialized
----- Connectd To Server
70 bytes of handshake data sent
974 bytes of handshake data received
182 bytes of handshake data sent
43 bytes of handshake data received
Handshake was successful
----- Client Handshake Performed
----- Server Credentials Authenticated

Server subject: C=US, S=California, L=Mountain View, O=Google Inc, CN=smtp.gmail.com
Server issuer: C=ZA, S=Western Cape, L=Cape Town, O=Thawte Consulting cc, OU=Certification Services Division, CN=Thawte Premium Server CA, E=premium-server@thawte.com

----- Certificate Chain Displayed
----- Server Certificate Verified
----- Server certificate context released

Protocol: TLS1
Cipher: RC4
Cipher strength: 128
Hash: MD5
Hash strength: 128
Key exchange: RSA
Key exchange strength: 1024
----- Secure Connection Info
64 bytes of (encrypted) application data received
Decrypted data: 43 bytes
220 mx.google.com ESMTP 6sm17740567yxg.66

Sending 7 bytes of plaintext:
EHLO

28 bytes of encrypted data sent
169 bytes of (encrypted) application data received
Decrypted data: 148 bytes
250-mx.google.com at your service, [22.33.111.222]
250-SIZE 35651584
250-8BITMIME
250-AUTH LOGIN PLAIN
250-ENHANCEDSTATUSCODES
250 PIPELINING

Sending 7 bytes of plaintext:
QUIT

28 bytes of encrypted data sent
69 bytes of (encrypted) application data received
Decrypted data: 48 bytes
221 2.0.0 closing connection 6sm17740567yxg.66

----- SMTP session Complete
Sending Close Notify
23 bytes of handshake data sent
----- Disconnected From Server
----- Begin Cleanup
----- All Done -----

hidefromkgb
Mike Trader
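The parameters printed under "Secure Connection Info" in the session above, checked against a present-day baseline, as an added example that is not part of the answer or of the linked sample: portable C that parses those lines and flags TLS 1.0, RC4, MD5 and RSA below 2048 bits. The thresholds and the `TLS1.2`/`TLS1.3` labels are assumptions; only the field names and the sample values come from the output above.

```c
#include <stdlib.h>
#include <string.h>

/* Constructed sample: the "Secure Connection Info" lines of the session above. */
static const char SAMPLE_LOG[] =
    "Protocol: TLS1\nCipher: RC4\nCipher strength: 128\nHash: MD5\n"
    "Hash strength: 128\nKey exchange: RSA\nKey exchange strength: 1024\n";

enum { WEAK_PROTOCOL = 1, WEAK_CIPHER = 2, WEAK_HASH = 4, WEAK_KEYEX = 8 };

/* Copy the value of the line "key: value" into out; return 1 if present. */
static int field(const char *text, const char *key, char *out, size_t n)
{
    size_t klen = strlen(key);
    while (*text) {
        /* Require ':' right after the key so "Cipher" != "Cipher strength". */
        if (strncmp(text, key, klen) == 0 && text[klen] == ':') {
            text += klen + 1;
            text += strspn(text, " ");
            size_t len = strcspn(text, "\r\n");
            if (len >= n) len = n - 1;       /* truncate, never overflow */
            memcpy(out, text, len);
            out[len] = '\0';
            return 1;
        }
        text += strcspn(text, "\n");         /* skip to end of this line */
        if (*text) text++;                   /* step over the newline */
    }
    return 0;
}

/* Bitmask of findings; a missing field counts as weak (fail closed). */
int audit_session(const char *text)
{
    char name[64], bits[16];
    int flags = 0;
    /* Assumed policy: TLS 1.2 or later; these two labels are assumed. */
    if (!field(text, "Protocol", name, sizeof name) ||
        (strcmp(name, "TLS1.2") != 0 && strcmp(name, "TLS1.3") != 0))
        flags |= WEAK_PROTOCOL;
    /* RC4 is prohibited in TLS by RFC 7465; also require 128-bit strength. */
    if (!field(text, "Cipher", name, sizeof name) || strcmp(name, "RC4") == 0 ||
        !field(text, "Cipher strength", bits, sizeof bits) || atoi(bits) < 128)
        flags |= WEAK_CIPHER;
    if (!field(text, "Hash", name, sizeof name) || strcmp(name, "MD5") == 0)
        flags |= WEAK_HASH;
    /* Assumed policy: RSA needs 2048 bits; other algorithms are not modelled. */
    if (!field(text, "Key exchange", name, sizeof name) ||
        !field(text, "Key exchange strength", bits, sizeof bits) ||
        (strcmp(name, "RSA") == 0 && atoi(bits) < 2048))
        flags |= WEAK_KEYEX;
    return flags;
}

int main(void) { return audit_session(SAMPLE_LOG); } /* exit status = findings */
```

Run on the sample, every check fires: the session shown negotiated TLS 1.0 with RC4, MD5 and 1024-bit RSA.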
5

Maybe this link is a good starting point. It contains actually working sample code using MS SSPI (though it looks very MSVC specific, but ok, it's Windows only anyway). Just ignore the OpenSSL examples ;-)

Frunsi
4

Repeat after me: "I want to use OpenSSL".

This problem is far too serious and far too easy to screw up to be rolling your own every time you want to solve it. If you have a problem with OpenSSL, then try to address that through dialogue and patches to OpenSSL.

(No one is immune to screwing it up, not even Microsoft, or indeed, OpenSSL. Use something whose source you can review and which gets patched when there are problems. Use OpenSSL.)

Nick Bastin
  • 3
    If you're that glued to windows, then surely you must have an MSDN account and/or development contract. If so, it seems this is exactly the kind of question we pay microsoft to answer. – Nick Bastin Jan 09 '10 at 02:25
  • Almost, this is the kind of question that someone who has actually developed a *solution* would probably love to answer. See my OpenSSL comments above – Mike Trader Jan 09 '10 at 02:32
  • 1
    Unfortunately, OpenSSL does not integrate with the Windows Cryptography store, so if you've got secure usb tokens which are only accessible via the WinSCrypt API, then SChannel is a necessity. Otherwise, OpenSSL is a much better choice. – Gearoid Murphy Apr 08 '13 at 14:21
0

How much would you be paying for such compilable working source code? Or did you expect somebody to just give it to you? OpenSSL guys already did. It's god-ugly, but the price is right.

Nikolai Fetissov