File: | src/usr.bin/openssl/s_client.c |
Warning: | line 1213, column 2 Value stored to 'tty_on' is never read |
Press '?' to see keyboard shortcuts
Keyboard shortcuts:
1 | /* $OpenBSD: s_client.c,v 1.57 2021/12/26 14:46:06 jsing Exp $ */ |
2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
3 | * All rights reserved. |
4 | * |
5 | * This package is an SSL implementation written |
6 | * by Eric Young (eay@cryptsoft.com). |
7 | * The implementation was written so as to conform with Netscapes SSL. |
8 | * |
9 | * This library is free for commercial and non-commercial use as long as |
10 | * the following conditions are aheared to. The following conditions |
11 | * apply to all code found in this distribution, be it the RC4, RSA, |
12 | * lhash, DES, etc., code; not just the SSL code. The SSL documentation |
13 | * included with this distribution is covered by the same copyright terms |
14 | * except that the holder is Tim Hudson (tjh@cryptsoft.com). |
15 | * |
16 | * Copyright remains Eric Young's, and as such any Copyright notices in |
17 | * the code are not to be removed. |
18 | * If this package is used in a product, Eric Young should be given attribution |
19 | * as the author of the parts of the library used. |
20 | * This can be in the form of a textual message at program startup or |
21 | * in documentation (online or textual) provided with the package. |
22 | * |
23 | * Redistribution and use in source and binary forms, with or without |
24 | * modification, are permitted provided that the following conditions |
25 | * are met: |
26 | * 1. Redistributions of source code must retain the copyright |
27 | * notice, this list of conditions and the following disclaimer. |
28 | * 2. Redistributions in binary form must reproduce the above copyright |
29 | * notice, this list of conditions and the following disclaimer in the |
30 | * documentation and/or other materials provided with the distribution. |
31 | * 3. All advertising materials mentioning features or use of this software |
32 | * must display the following acknowledgement: |
33 | * "This product includes cryptographic software written by |
34 | * Eric Young (eay@cryptsoft.com)" |
35 | * The word 'cryptographic' can be left out if the rouines from the library |
36 | * being used are not cryptographic related :-). |
37 | * 4. If you include any Windows specific code (or a derivative thereof) from |
38 | * the apps directory (application code) you must include an acknowledgement: |
39 | * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" |
40 | * |
41 | * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND |
42 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
43 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
44 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE |
45 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
46 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
47 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
48 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
49 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
50 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
51 | * SUCH DAMAGE. |
52 | * |
53 | * The licence and distribution terms for any publically available version or |
54 | * derivative of this code cannot be changed. i.e. this code cannot simply be |
55 | * copied and put under another distribution licence |
56 | * [including the GNU Public Licence.] |
57 | */ |
58 | /* ==================================================================== |
59 | * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. |
60 | * |
61 | * Redistribution and use in source and binary forms, with or without |
62 | * modification, are permitted provided that the following conditions |
63 | * are met: |
64 | * |
65 | * 1. Redistributions of source code must retain the above copyright |
66 | * notice, this list of conditions and the following disclaimer. |
67 | * |
68 | * 2. Redistributions in binary form must reproduce the above copyright |
69 | * notice, this list of conditions and the following disclaimer in |
70 | * the documentation and/or other materials provided with the |
71 | * distribution. |
72 | * |
73 | * 3. All advertising materials mentioning features or use of this |
74 | * software must display the following acknowledgment: |
75 | * "This product includes software developed by the OpenSSL Project |
76 | * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" |
77 | * |
78 | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to |
79 | * endorse or promote products derived from this software without |
80 | * prior written permission. For written permission, please contact |
81 | * openssl-core@openssl.org. |
82 | * |
83 | * 5. Products derived from this software may not be called "OpenSSL" |
84 | * nor may "OpenSSL" appear in their names without prior written |
85 | * permission of the OpenSSL Project. |
86 | * |
87 | * 6. Redistributions of any form whatsoever must retain the following |
88 | * acknowledgment: |
89 | * "This product includes software developed by the OpenSSL Project |
90 | * for use in the OpenSSL Toolkit (http://www.openssl.org/)" |
91 | * |
92 | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY |
93 | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
94 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
95 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR |
96 | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
97 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
98 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; |
99 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
100 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, |
101 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
102 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED |
103 | * OF THE POSSIBILITY OF SUCH DAMAGE. |
104 | * ==================================================================== |
105 | * |
106 | * This product includes cryptographic software written by Eric Young |
107 | * (eay@cryptsoft.com). This product includes software written by Tim |
108 | * Hudson (tjh@cryptsoft.com). |
109 | * |
110 | */ |
111 | /* ==================================================================== |
112 | * Copyright 2005 Nokia. All rights reserved. |
113 | * |
114 | * The portions of the attached software ("Contribution") is developed by |
115 | * Nokia Corporation and is licensed pursuant to the OpenSSL open source |
116 | * license. |
117 | * |
118 | * The Contribution, originally written by Mika Kousa and Pasi Eronen of |
119 | * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites |
120 | * support (see RFC 4279) to OpenSSL. |
121 | * |
122 | * No patent licenses or other rights except those expressly stated in |
123 | * the OpenSSL open source license shall be deemed granted or received |
124 | * expressly, by implication, estoppel, or otherwise. |
125 | * |
126 | * No assurances are provided by Nokia that the Contribution does not |
127 | * infringe the patent or other intellectual property rights of any third |
128 | * party or that the license provides you with all the necessary rights |
129 | * to make use of the Contribution. |
130 | * |
131 | * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN |
132 | * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA |
133 | * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY |
134 | * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR |
135 | * OTHERWISE. |
136 | */ |
137 | |
138 | #include <sys/types.h> |
139 | #include <sys/socket.h> |
140 | |
141 | #include <netinet/in.h> |
142 | |
143 | #include <assert.h> |
144 | #include <ctype.h> |
145 | #include <limits.h> |
146 | #include <netdb.h> |
147 | #include <stdio.h> |
148 | #include <stdlib.h> |
149 | #include <string.h> |
150 | #include <unistd.h> |
151 | #include <poll.h> |
152 | |
153 | #include "apps.h" |
154 | |
155 | #include <openssl/bn.h> |
156 | #include <openssl/err.h> |
157 | #include <openssl/ocsp.h> |
158 | #include <openssl/pem.h> |
159 | #include <openssl/ssl.h> |
160 | #include <openssl/x509.h> |
161 | |
162 | #include "s_apps.h" |
163 | #include "timeouts.h" |
164 | |
165 | /*#define SSL_HOST_NAME "www.netscape.com" */ |
166 | /*#define SSL_HOST_NAME "193.118.187.102" */ |
167 | #define SSL_HOST_NAME"localhost" "localhost" |
168 | |
169 | /*#define TEST_CERT "client.pem" *//* no default cert. */ |
170 | |
171 | #define BUFSIZZ1024*8 1024*8 |
172 | |
173 | static void sc_usage(void); |
174 | static void print_stuff(BIO *berr, SSL *con, int full); |
175 | static int ocsp_resp_cb(SSL *s, void *arg); |
176 | static int ssl_servername_cb(SSL *s, int *ad, void *arg); |
177 | |
178 | enum { |
179 | PROTO_OFF = 0, |
180 | PROTO_SMTP, |
181 | PROTO_LMTP, |
182 | PROTO_POP3, |
183 | PROTO_IMAP, |
184 | PROTO_FTP, |
185 | PROTO_XMPP, |
186 | }; |
187 | |
188 | /* This is a context that we pass to callbacks */ |
189 | typedef struct tlsextctx_st { |
190 | BIO *biodebug; |
191 | int ack; |
192 | } tlsextctx; |
193 | |
194 | static struct { |
195 | int af; |
196 | char *alpn_in; |
197 | int bugs; |
198 | char *CAfile; |
199 | char *CApath; |
200 | char *cert_file; |
201 | int cert_format; |
202 | char *cipher; |
203 | unsigned int clr; |
204 | char *connect; |
205 | int crlf; |
206 | int debug; |
207 | int enable_timeouts; |
208 | const char *errstr; |
209 | char *groups_in; |
210 | char *host; |
211 | int ign_eof; |
212 | char *key_file; |
213 | int key_format; |
214 | char *keymatexportlabel; |
215 | int keymatexportlen; |
216 | uint16_t max_version; |
217 | uint16_t min_version; |
218 | const SSL_METHOD *meth; |
219 | int msg; |
220 | int nbio; |
221 | int nbio_test; |
222 | int no_servername; |
223 | char *npn_in; |
224 | unsigned int off; |
225 | char *passarg; |
226 | int pause; |
227 | int peekaboo; |
228 | char *port; |
229 | int prexit; |
230 | char *proxy; |
231 | int quiet; |
232 | int reconnect; |
233 | char *servername; |
234 | char *sess_in; |
235 | char *sess_out; |
236 | int showcerts; |
237 | int socket_type; |
238 | long socket_mtu; |
239 | #ifndef OPENSSL_NO_SRTP |
240 | char *srtp_profiles; |
241 | #endif |
242 | int starttls_proto; |
243 | int state; |
244 | int status_req; |
245 | int tlsextdebug; |
246 | int verify; |
247 | X509_VERIFY_PARAM *vpm; |
248 | char *xmpphost; |
249 | } s_client_config; |
250 | |
251 | static int |
252 | s_client_opt_keymatexportlen(char *arg) |
253 | { |
254 | s_client_config.keymatexportlen = strtonum(arg, 1, INT_MAX2147483647, |
255 | &s_client_config.errstr); |
256 | if (s_client_config.errstr != NULL((void*)0)) { |
257 | BIO_printf(bio_err, "invalid argument %s: %s\n", |
258 | arg, s_client_config.errstr); |
259 | return (1); |
260 | } |
261 | return (0); |
262 | } |
263 | |
264 | #ifndef OPENSSL_NO_DTLS |
265 | static int |
266 | s_client_opt_mtu(char *arg) |
267 | { |
268 | s_client_config.socket_mtu = strtonum(arg, 0, LONG_MAX9223372036854775807L, |
269 | &s_client_config.errstr); |
270 | if (s_client_config.errstr != NULL((void*)0)) { |
271 | BIO_printf(bio_err, "invalid argument %s: %s\n", |
272 | arg, s_client_config.errstr); |
273 | return (1); |
274 | } |
275 | return (0); |
276 | } |
277 | #endif |
278 | |
279 | static int |
280 | s_client_opt_port(char *arg) |
281 | { |
282 | if (*arg == '\0') |
283 | return (1); |
284 | |
285 | s_client_config.port = arg; |
286 | return (0); |
287 | } |
288 | |
289 | #ifndef OPENSSL_NO_DTLS |
290 | static int |
291 | s_client_opt_protocol_version_dtls(void) |
292 | { |
293 | s_client_config.meth = DTLS_client_method(); |
294 | s_client_config.socket_type = SOCK_DGRAM2; |
295 | return (0); |
296 | } |
297 | #endif |
298 | |
299 | #ifndef OPENSSL_NO_DTLS1 |
300 | static int |
301 | s_client_opt_protocol_version_dtls1(void) |
302 | { |
303 | s_client_config.meth = DTLS_client_method(); |
304 | s_client_config.min_version = DTLS1_VERSION0xFEFF; |
305 | s_client_config.max_version = DTLS1_VERSION0xFEFF; |
306 | s_client_config.socket_type = SOCK_DGRAM2; |
307 | return (0); |
308 | } |
309 | #endif |
310 | |
311 | #ifndef OPENSSL_NO_DTLS1_2 |
312 | static int |
313 | s_client_opt_protocol_version_dtls1_2(void) |
314 | { |
315 | s_client_config.meth = DTLS_client_method(); |
316 | s_client_config.min_version = DTLS1_2_VERSION0xFEFD; |
317 | s_client_config.max_version = DTLS1_2_VERSION0xFEFD; |
318 | s_client_config.socket_type = SOCK_DGRAM2; |
319 | return (0); |
320 | } |
321 | #endif |
322 | |
323 | static int |
324 | s_client_opt_protocol_version_tls1(void) |
325 | { |
326 | s_client_config.min_version = TLS1_VERSION0x0301; |
327 | s_client_config.max_version = TLS1_VERSION0x0301; |
328 | return (0); |
329 | } |
330 | |
331 | static int |
332 | s_client_opt_protocol_version_tls1_1(void) |
333 | { |
334 | s_client_config.min_version = TLS1_1_VERSION0x0302; |
335 | s_client_config.max_version = TLS1_1_VERSION0x0302; |
336 | return (0); |
337 | } |
338 | |
339 | static int |
340 | s_client_opt_protocol_version_tls1_2(void) |
341 | { |
342 | s_client_config.min_version = TLS1_2_VERSION0x0303; |
343 | s_client_config.max_version = TLS1_2_VERSION0x0303; |
344 | return (0); |
345 | } |
346 | |
347 | static int |
348 | s_client_opt_protocol_version_tls1_3(void) |
349 | { |
350 | s_client_config.min_version = TLS1_3_VERSION0x0304; |
351 | s_client_config.max_version = TLS1_3_VERSION0x0304; |
352 | return (0); |
353 | } |
354 | |
355 | static int |
356 | s_client_opt_quiet(void) |
357 | { |
358 | s_client_config.quiet = 1; |
359 | s_client_config.ign_eof = 1; |
360 | return (0); |
361 | } |
362 | |
363 | static int |
364 | s_client_opt_starttls(char *arg) |
365 | { |
366 | if (strcmp(arg, "smtp") == 0) |
367 | s_client_config.starttls_proto = PROTO_SMTP; |
368 | else if (strcmp(arg, "lmtp") == 0) |
369 | s_client_config.starttls_proto = PROTO_LMTP; |
370 | else if (strcmp(arg, "pop3") == 0) |
371 | s_client_config.starttls_proto = PROTO_POP3; |
372 | else if (strcmp(arg, "imap") == 0) |
373 | s_client_config.starttls_proto = PROTO_IMAP; |
374 | else if (strcmp(arg, "ftp") == 0) |
375 | s_client_config.starttls_proto = PROTO_FTP; |
376 | else if (strcmp(arg, "xmpp") == 0) |
377 | s_client_config.starttls_proto = PROTO_XMPP; |
378 | else |
379 | return (1); |
380 | return (0); |
381 | } |
382 | |
383 | static int |
384 | s_client_opt_verify(char *arg) |
385 | { |
386 | s_client_config.verify = SSL_VERIFY_PEER0x01; |
387 | |
388 | verify_depth = strtonum(arg, 0, INT_MAX2147483647, &s_client_config.errstr); |
389 | if (s_client_config.errstr != NULL((void*)0)) { |
390 | BIO_printf(bio_err, "invalid argument %s: %s\n", |
391 | arg, s_client_config.errstr); |
392 | return (1); |
393 | } |
394 | BIO_printf(bio_err, "verify depth is %d\n", verify_depth); |
395 | return (0); |
396 | } |
397 | |
398 | static int |
399 | s_client_opt_verify_param(int argc, char **argv, int *argsused) |
400 | { |
401 | char **pargs = argv; |
402 | int pargc = argc; |
403 | int badarg = 0; |
404 | |
405 | if (!args_verify(&pargs, &pargc, &badarg, bio_err, |
406 | &s_client_config.vpm)) { |
407 | BIO_printf(bio_err, "unknown option %s\n", *argv); |
408 | return (1); |
409 | } |
410 | if (badarg) |
411 | return (1); |
412 | |
413 | *argsused = argc - pargc; |
414 | return (0); |
415 | } |
416 | |
417 | static const struct option s_client_options[] = { |
418 | { |
419 | .name = "4", |
420 | .desc = "Use IPv4 only", |
421 | .type = OPTION_VALUE, |
422 | .opt.value = &s_client_config.af, |
423 | .value = AF_INET2, |
424 | }, |
425 | { |
426 | .name = "6", |
427 | .desc = "Use IPv6 only", |
428 | .type = OPTION_VALUE, |
429 | .opt.value = &s_client_config.af, |
430 | .value = AF_INET624, |
431 | }, |
432 | { |
433 | .name = "alpn", |
434 | .argname = "protocols", |
435 | .desc = "Set the advertised protocols for ALPN" |
436 | " (comma-separated list)", |
437 | .type = OPTION_ARG, |
438 | .opt.arg = &s_client_config.alpn_in, |
439 | }, |
440 | { |
441 | .name = "bugs", |
442 | .desc = "Enable various workarounds for buggy implementations", |
443 | .type = OPTION_FLAG, |
444 | .opt.flag = &s_client_config.bugs, |
445 | }, |
446 | { |
447 | .name = "CAfile", |
448 | .argname = "file", |
449 | .desc = "PEM format file of CA certificates", |
450 | .type = OPTION_ARG, |
451 | .opt.arg = &s_client_config.CAfile, |
452 | }, |
453 | { |
454 | .name = "CApath", |
455 | .argname = "directory", |
456 | .desc = "PEM format directory of CA certificates", |
457 | .type = OPTION_ARG, |
458 | .opt.arg = &s_client_config.CApath, |
459 | }, |
460 | { |
461 | .name = "cert", |
462 | .argname = "file", |
463 | .desc = "Certificate file to use, PEM format assumed", |
464 | .type = OPTION_ARG, |
465 | .opt.arg = &s_client_config.cert_file, |
466 | }, |
467 | { |
468 | .name = "certform", |
469 | .argname = "fmt", |
470 | .desc = "Certificate format (PEM or DER) PEM default", |
471 | .type = OPTION_ARG_FORMAT, |
472 | .opt.value = &s_client_config.cert_format, |
473 | }, |
474 | { |
475 | .name = "cipher", |
476 | .argname = "cipherlist", |
477 | .desc = "Preferred cipher to use (see 'openssl ciphers')", |
478 | .type = OPTION_ARG, |
479 | .opt.arg = &s_client_config.cipher, |
480 | }, |
481 | { |
482 | .name = "connect", |
483 | .argname = "host:port", |
484 | .desc = "Who to connect to (default is localhost:4433)", |
485 | .type = OPTION_ARG, |
486 | .opt.arg = &s_client_config.connect, |
487 | }, |
488 | { |
489 | .name = "crlf", |
490 | .desc = "Convert LF from terminal into CRLF", |
491 | .type = OPTION_FLAG, |
492 | .opt.flag = &s_client_config.crlf, |
493 | }, |
494 | { |
495 | .name = "debug", |
496 | .desc = "Print extensive debugging information", |
497 | .type = OPTION_FLAG, |
498 | .opt.flag = &s_client_config.debug, |
499 | }, |
500 | #ifndef OPENSSL_NO_DTLS |
501 | { |
502 | .name = "dtls", |
503 | .desc = "Use any version of DTLS", |
504 | .type = OPTION_FUNC, |
505 | .opt.func = s_client_opt_protocol_version_dtls, |
506 | }, |
507 | #endif |
508 | #ifndef OPENSSL_NO_DTLS1 |
509 | { |
510 | .name = "dtls1", |
511 | .desc = "Just use DTLSv1", |
512 | .type = OPTION_FUNC, |
513 | .opt.func = s_client_opt_protocol_version_dtls1, |
514 | }, |
515 | #endif |
516 | #ifndef OPENSSL_NO_DTLS1_2 |
517 | { |
518 | .name = "dtls1_2", |
519 | .desc = "Just use DTLSv1.2", |
520 | .type = OPTION_FUNC, |
521 | .opt.func = s_client_opt_protocol_version_dtls1_2, |
522 | }, |
523 | #endif |
524 | { |
525 | .name = "groups", |
526 | .argname = "list", |
527 | .desc = "Specify EC groups (colon-separated list)", |
528 | .type = OPTION_ARG, |
529 | .opt.arg = &s_client_config.groups_in, |
530 | }, |
531 | { |
532 | .name = "host", |
533 | .argname = "host", |
534 | .desc = "Use -connect instead", |
535 | .type = OPTION_ARG, |
536 | .opt.arg = &s_client_config.host, |
537 | }, |
538 | { |
539 | .name = "ign_eof", |
540 | .desc = "Ignore input EOF (default when -quiet)", |
541 | .type = OPTION_VALUE, |
542 | .opt.value = &s_client_config.ign_eof, |
543 | .value = 1, |
544 | }, |
545 | { |
546 | .name = "key", |
547 | .argname = "file", |
548 | .desc = "Private key file to use, if not, -cert file is used", |
549 | .type = OPTION_ARG, |
550 | .opt.arg = &s_client_config.key_file, |
551 | }, |
552 | { |
553 | .name = "keyform", |
554 | .argname = "fmt", |
555 | .desc = "Key format (PEM or DER) PEM default", |
556 | .type = OPTION_ARG_FORMAT, |
557 | .opt.value = &s_client_config.key_format, |
558 | }, |
559 | { |
560 | .name = "keymatexport", |
561 | .argname = "label", |
562 | .desc = "Export keying material using label", |
563 | .type = OPTION_ARG, |
564 | .opt.arg = &s_client_config.keymatexportlabel, |
565 | }, |
566 | { |
567 | .name = "keymatexportlen", |
568 | .argname = "len", |
569 | .desc = "Export len bytes of keying material (default 20)", |
570 | .type = OPTION_ARG_FUNC, |
571 | .opt.argfunc = s_client_opt_keymatexportlen, |
572 | }, |
573 | { |
574 | .name = "legacy_renegotiation", |
575 | .type = OPTION_DISCARD, |
576 | }, |
577 | { |
578 | .name = "legacy_server_connect", |
579 | .desc = "Allow initial connection to servers that don't support RI", |
580 | .type = OPTION_VALUE_OR, |
581 | .opt.value = &s_client_config.off, |
582 | .value = SSL_OP_LEGACY_SERVER_CONNECT0x00000004L, |
583 | }, |
584 | { |
585 | .name = "msg", |
586 | .desc = "Show all protocol messages with hex dump", |
587 | .type = OPTION_FLAG, |
588 | .opt.flag = &s_client_config.msg, |
589 | }, |
590 | #ifndef OPENSSL_NO_DTLS |
591 | { |
592 | .name = "mtu", |
593 | .argname = "mtu", |
594 | .desc = "Set the link layer MTU on DTLS connections", |
595 | .type = OPTION_ARG_FUNC, |
596 | .opt.argfunc = s_client_opt_mtu, |
597 | }, |
598 | #endif |
599 | { |
600 | .name = "nbio", |
601 | .desc = "Turn on non-blocking I/O", |
602 | .type = OPTION_FLAG, |
603 | .opt.flag = &s_client_config.nbio, |
604 | }, |
605 | { |
606 | .name = "nbio_test", |
607 | .desc = "Test non-blocking I/O", |
608 | .type = OPTION_FLAG, |
609 | .opt.flag = &s_client_config.nbio_test, |
610 | }, |
611 | { |
612 | .name = "nextprotoneg", |
613 | .argname = "protocols", |
614 | .type = OPTION_ARG, |
615 | .opt.arg = &s_client_config.npn_in, /* Ignored. */ |
616 | }, |
617 | { |
618 | .name = "no_comp", |
619 | .type = OPTION_VALUE_OR, |
620 | .opt.value = &s_client_config.off, |
621 | .value = SSL_OP_NO_COMPRESSION0x0, |
622 | }, |
623 | { |
624 | .name = "no_ign_eof", |
625 | .desc = "Don't ignore input EOF", |
626 | .type = OPTION_VALUE, |
627 | .opt.value = &s_client_config.ign_eof, |
628 | .value = 0, |
629 | }, |
630 | { |
631 | .name = "no_legacy_server_connect", |
632 | .desc = "Disallow initial connection to servers that don't support RI", |
633 | .type = OPTION_VALUE_OR, |
634 | .opt.value = &s_client_config.clr, |
635 | .value = SSL_OP_LEGACY_SERVER_CONNECT0x00000004L, |
636 | }, |
637 | { |
638 | .name = "no_servername", |
639 | .desc = "Do not send a Server Name Indication (SNI) extension", |
640 | .type = OPTION_FLAG, |
641 | .opt.value = &s_client_config.no_servername, |
642 | }, |
643 | { |
644 | .name = "no_ssl2", |
645 | .type = OPTION_VALUE_OR, |
646 | .opt.value = &s_client_config.off, |
647 | .value = SSL_OP_NO_SSLv20x0, |
648 | }, |
649 | { |
650 | .name = "no_ssl3", |
651 | .type = OPTION_VALUE_OR, |
652 | .opt.value = &s_client_config.off, |
653 | .value = SSL_OP_NO_SSLv30x0, |
654 | }, |
655 | { |
656 | .name = "no_ticket", |
657 | .desc = "Disable use of RFC4507 session ticket support", |
658 | .type = OPTION_VALUE_OR, |
659 | .opt.value = &s_client_config.off, |
660 | .value = SSL_OP_NO_TICKET0x00004000L, |
661 | }, |
662 | { |
663 | .name = "no_tls1", |
664 | .desc = "Disable the use of TLSv1", |
665 | .type = OPTION_VALUE_OR, |
666 | .opt.value = &s_client_config.off, |
667 | .value = SSL_OP_NO_TLSv10x04000000L, |
668 | }, |
669 | { |
670 | .name = "no_tls1_1", |
671 | .desc = "Disable the use of TLSv1.1", |
672 | .type = OPTION_VALUE_OR, |
673 | .opt.value = &s_client_config.off, |
674 | .value = SSL_OP_NO_TLSv1_10x10000000L, |
675 | }, |
676 | { |
677 | .name = "no_tls1_2", |
678 | .desc = "Disable the use of TLSv1.2", |
679 | .type = OPTION_VALUE_OR, |
680 | .opt.value = &s_client_config.off, |
681 | .value = SSL_OP_NO_TLSv1_20x08000000L, |
682 | }, |
683 | { |
684 | .name = "no_tls1_3", |
685 | .desc = "Disable the use of TLSv1.3", |
686 | .type = OPTION_VALUE_OR, |
687 | .opt.value = &s_client_config.off, |
688 | .value = SSL_OP_NO_TLSv1_30x20000000L, |
689 | }, |
690 | { |
691 | .name = "noservername", |
692 | .type = OPTION_FLAG, |
693 | .opt.value = &s_client_config.no_servername, |
694 | }, |
695 | { |
696 | .name = "pass", |
697 | .argname = "arg", |
698 | .desc = "Private key file pass phrase source", |
699 | .type = OPTION_ARG, |
700 | .opt.arg = &s_client_config.passarg, |
701 | }, |
702 | { |
703 | .name = "pause", |
704 | .desc = "Pause 1 second between each read and write call", |
705 | .type = OPTION_FLAG, |
706 | .opt.flag = &s_client_config.pause, |
707 | }, |
708 | { |
709 | .name = "peekaboo", |
710 | .type = OPTION_FLAG, |
711 | .opt.flag = &s_client_config.peekaboo, |
712 | }, |
713 | { |
714 | .name = "port", |
715 | .argname = "port", |
716 | .desc = "Use -connect instead", |
717 | .type = OPTION_ARG_FUNC, |
718 | .opt.argfunc = s_client_opt_port, |
719 | }, |
720 | { |
721 | .name = "prexit", |
722 | .desc = "Print session information when the program exits", |
723 | .type = OPTION_FLAG, |
724 | .opt.flag = &s_client_config.prexit, |
725 | }, |
726 | { |
727 | .name = "proxy", |
728 | .argname = "host:port", |
729 | .desc = "Connect to http proxy", |
730 | .type = OPTION_ARG, |
731 | .opt.arg = &s_client_config.proxy, |
732 | }, |
733 | { |
734 | .name = "quiet", |
735 | .desc = "Inhibit printing of session and certificate info", |
736 | .type = OPTION_FUNC, |
737 | .opt.func = s_client_opt_quiet, |
738 | }, |
739 | { |
740 | .name = "reconnect", |
741 | .desc = "Drop and re-make the connection with the same Session-ID", |
742 | .type = OPTION_VALUE, |
743 | .opt.value = &s_client_config.reconnect, |
744 | .value = 5, |
745 | }, |
746 | { |
747 | .name = "servername", |
748 | .argname = "name", |
749 | .desc = "Set TLS extension servername in ClientHello (SNI)", |
750 | .type = OPTION_ARG, |
751 | .opt.arg = &s_client_config.servername, |
752 | }, |
753 | { |
754 | .name = "serverpref", |
755 | .desc = "Use server's cipher preferences", |
756 | .type = OPTION_VALUE_OR, |
757 | .opt.value = &s_client_config.off, |
758 | .value = SSL_OP_CIPHER_SERVER_PREFERENCE0x00400000L, |
759 | }, |
760 | { |
761 | .name = "sess_in", |
762 | .argname = "file", |
763 | .desc = "File to read TLS session from", |
764 | .type = OPTION_ARG, |
765 | .opt.arg = &s_client_config.sess_in, |
766 | }, |
767 | { |
768 | .name = "sess_out", |
769 | .argname = "file", |
770 | .desc = "File to write TLS session to", |
771 | .type = OPTION_ARG, |
772 | .opt.arg = &s_client_config.sess_out, |
773 | }, |
774 | { |
775 | .name = "showcerts", |
776 | .desc = "Show all server certificates in the chain", |
777 | .type = OPTION_FLAG, |
778 | .opt.flag = &s_client_config.showcerts, |
779 | }, |
780 | { |
781 | .name = "starttls", |
782 | .argname = "protocol", |
783 | .desc = "Use the STARTTLS command before starting TLS,\n" |
784 | "smtp, lmtp, pop3, imap, ftp and xmpp are supported.", |
785 | .type = OPTION_ARG_FUNC, |
786 | .opt.argfunc = s_client_opt_starttls, |
787 | }, |
788 | { |
789 | .name = "state", |
790 | .desc = "Print the TLS session states", |
791 | .type = OPTION_FLAG, |
792 | .opt.flag = &s_client_config.state, |
793 | }, |
794 | { |
795 | .name = "status", |
796 | .desc = "Send a certificate status request to the server (OCSP)", |
797 | .type = OPTION_FLAG, |
798 | .opt.flag = &s_client_config.status_req, |
799 | }, |
800 | #ifndef OPENSSL_NO_DTLS |
801 | { |
802 | .name = "timeout", |
803 | .desc = "Enable send/receive timeout on DTLS connections", |
804 | .type = OPTION_FLAG, |
805 | .opt.flag = &s_client_config.enable_timeouts, |
806 | }, |
807 | #endif |
808 | { |
809 | .name = "tls1", |
810 | .desc = "Just use TLSv1", |
811 | .type = OPTION_FUNC, |
812 | .opt.func = s_client_opt_protocol_version_tls1, |
813 | }, |
814 | { |
815 | .name = "tls1_1", |
816 | .desc = "Just use TLSv1.1", |
817 | .type = OPTION_FUNC, |
818 | .opt.func = s_client_opt_protocol_version_tls1_1, |
819 | }, |
820 | { |
821 | .name = "tls1_2", |
822 | .desc = "Just use TLSv1.2", |
823 | .type = OPTION_FUNC, |
824 | .opt.func = s_client_opt_protocol_version_tls1_2, |
825 | }, |
826 | { |
827 | .name = "tls1_3", |
828 | .desc = "Just use TLSv1.3", |
829 | .type = OPTION_FUNC, |
830 | .opt.func = s_client_opt_protocol_version_tls1_3, |
831 | }, |
832 | { |
833 | .name = "tlsextdebug", |
834 | .desc = "Hex dump of all TLS extensions received", |
835 | .type = OPTION_FLAG, |
836 | .opt.flag = &s_client_config.tlsextdebug, |
837 | }, |
838 | #ifndef OPENSSL_NO_SRTP |
839 | { |
840 | .name = "use_srtp", |
841 | .argname = "profiles", |
842 | .desc = "Offer SRTP key management with a colon-separated profiles", |
843 | .type = OPTION_ARG, |
844 | .opt.arg = &s_client_config.srtp_profiles, |
845 | }, |
846 | #endif |
847 | { |
848 | .name = "verify", |
849 | .argname = "depth", |
850 | .desc = "Turn on peer certificate verification, with a max of depth", |
851 | .type = OPTION_ARG_FUNC, |
852 | .opt.argfunc = s_client_opt_verify, |
853 | }, |
854 | { |
855 | .name = "verify_return_error", |
856 | .desc = "Return verification error", |
857 | .type = OPTION_FLAG, |
858 | .opt.flag = &verify_return_error, |
859 | }, |
860 | { |
861 | .name = "xmpphost", |
862 | .argname = "host", |
863 | .desc = "Connect to this virtual host on the xmpp server", |
864 | .type = OPTION_ARG, |
865 | .opt.arg = &s_client_config.xmpphost, |
866 | }, |
867 | { |
868 | .name = NULL((void*)0), |
869 | .desc = "", |
870 | .type = OPTION_ARGV_FUNC, |
871 | .opt.argvfunc = s_client_opt_verify_param, |
872 | }, |
873 | { NULL((void*)0) }, |
874 | }; |
875 | |
876 | static void |
877 | sc_usage(void) |
878 | { |
879 | fprintf(stderr(&__sF[2]), "usage: s_client " |
880 | "[-4 | -6] [-alpn protocols] [-bugs] [-CAfile file]\n" |
881 | " [-CApath directory] [-cert file] [-certform der | pem] [-check_ss_sig]\n" |
882 | " [-cipher cipherlist] [-connect host[:port]] [-crl_check]\n" |
883 | " [-crl_check_all] [-crlf] [-debug] [-dtls] [-dtls1] [-dtls1_2] [-extended_crl]\n" |
884 | " [-groups list] [-host host] [-ign_eof] [-ignore_critical]\n" |
885 | " [-issuer_checks] [-key keyfile] [-keyform der | pem]\n" |
886 | " [-keymatexport label] [-keymatexportlen len] [-legacy_server_connect]\n" |
887 | " [-msg] [-mtu mtu] [-nbio] [-nbio_test] [-no_comp] [-no_ign_eof]\n" |
888 | " [-no_legacy_server_connect] [-no_ticket] [-no_tls1] [-no_tls1_1]\n" |
889 | " [-no_tls1_2] [-no_tls1_3] [-pass arg] [-pause] [-policy_check]\n" |
890 | " [-port port] [-prexit] [-proxy host:port] [-quiet] [-reconnect]\n" |
891 | " [-servername name] [-serverpref] [-sess_in file] [-sess_out file]\n" |
892 | " [-showcerts] [-starttls protocol] [-state] [-status] [-timeout]\n" |
893 | " [-tls1] [-tls1_1] [-tls1_2] [-tls1_3] [-tlsextdebug]\n" |
894 | " [-use_srtp profiles] [-verify depth] [-verify_return_error]\n" |
895 | " [-x509_strict] [-xmpphost host]\n"); |
896 | fprintf(stderr(&__sF[2]), "\n"); |
897 | options_usage(s_client_options); |
898 | fprintf(stderr(&__sF[2]), "\n"); |
899 | } |
900 | |
901 | int |
902 | s_client_main(int argc, char **argv) |
903 | { |
904 | SSL *con = NULL((void*)0); |
905 | int s, k, p = 0, pending = 0; |
906 | char *cbuf = NULL((void*)0), *sbuf = NULL((void*)0), *mbuf = NULL((void*)0), *pbuf = NULL((void*)0); |
907 | int cbuf_len, cbuf_off; |
908 | int sbuf_len, sbuf_off; |
909 | int full_log = 1; |
910 | const char *servername; |
911 | char *pass = NULL((void*)0); |
912 | X509 *cert = NULL((void*)0); |
913 | EVP_PKEY *key = NULL((void*)0); |
914 | int badop = 0; |
915 | int write_tty, read_tty, write_ssl, read_ssl, tty_on, ssl_pending; |
916 | SSL_CTX *ctx = NULL((void*)0); |
917 | int ret = 1, in_init = 1, i; |
918 | BIO *bio_c_out = NULL((void*)0); |
919 | BIO *sbio; |
920 | int mbuf_len = 0; |
921 | struct timeval timeout; |
922 | tlsextctx tlsextcbp = {NULL((void*)0), 0}; |
923 | struct sockaddr_storage peer; |
924 | int peerlen = sizeof(peer); |
925 | |
926 | if (single_execution) { |
927 | if (pledge("stdio cpath wpath rpath inet dns tty", NULL((void*)0)) == -1) { |
928 | perror("pledge"); |
929 | exit(1); |
930 | } |
931 | } |
932 | |
933 | memset(&s_client_config, 0, sizeof(s_client_config)); |
934 | s_client_config.af = AF_UNSPEC0; |
935 | s_client_config.cert_format = FORMAT_PEM3; |
936 | s_client_config.host = SSL_HOST_NAME"localhost"; |
937 | s_client_config.key_format = FORMAT_PEM3; |
938 | s_client_config.keymatexportlen = 20; |
939 | s_client_config.meth = TLS_client_method(); |
940 | s_client_config.port = PORT_STR"4433"; |
941 | s_client_config.socket_type = SOCK_STREAM1; |
942 | s_client_config.starttls_proto = PROTO_OFF; |
943 | s_client_config.verify = SSL_VERIFY_NONE0x00; |
944 | |
945 | if (((cbuf = malloc(BUFSIZZ1024*8)) == NULL((void*)0)) || |
946 | ((sbuf = malloc(BUFSIZZ1024*8)) == NULL((void*)0)) || |
947 | ((pbuf = malloc(BUFSIZZ1024*8)) == NULL((void*)0)) || |
948 | ((mbuf = malloc(BUFSIZZ1024*8 + 1)) == NULL((void*)0))) { /* NUL byte */ |
949 | BIO_printf(bio_err, "out of memory\n"); |
950 | goto end; |
951 | } |
952 | verify_depth = 0; |
953 | |
954 | if (options_parse(argc, argv, s_client_options, NULL((void*)0), NULL((void*)0)) != 0) { |
955 | badop = 1; |
956 | goto bad; |
957 | } |
958 | if (s_client_config.proxy != NULL((void*)0)) { |
959 | if (!extract_host_port(s_client_config.proxy, |
960 | &s_client_config.host, NULL((void*)0), &s_client_config.port)) |
961 | goto bad; |
962 | if (s_client_config.connect == NULL((void*)0)) |
963 | s_client_config.connect = SSL_HOST_NAME"localhost"; |
964 | } else if (s_client_config.connect != NULL((void*)0)) { |
965 | if (!extract_host_port(s_client_config.connect, |
966 | &s_client_config.host, NULL((void*)0), &s_client_config.port)) |
967 | goto bad; |
968 | } |
969 | if (badop) { |
970 | bad: |
971 | if (s_client_config.errstr == NULL((void*)0)) |
972 | sc_usage(); |
973 | goto end; |
974 | } |
975 | |
976 | if (!app_passwd(bio_err, s_client_config.passarg, NULL((void*)0), &pass, NULL((void*)0))) { |
977 | BIO_printf(bio_err, "Error getting password\n"); |
978 | goto end; |
979 | } |
980 | if (s_client_config.key_file == NULL((void*)0)) |
981 | s_client_config.key_file = s_client_config.cert_file; |
982 | |
983 | |
984 | if (s_client_config.key_file) { |
985 | |
986 | key = load_key(bio_err, s_client_config.key_file, |
987 | s_client_config.key_format, 0, pass, |
988 | "client certificate private key file"); |
989 | if (!key) { |
990 | ERR_print_errors(bio_err); |
991 | goto end; |
992 | } |
993 | } |
994 | if (s_client_config.cert_file) { |
995 | cert = load_cert(bio_err, s_client_config.cert_file, |
996 | s_client_config.cert_format, |
997 | NULL((void*)0), "client certificate file"); |
998 | |
999 | if (!cert) { |
1000 | ERR_print_errors(bio_err); |
1001 | goto end; |
1002 | } |
1003 | } |
1004 | if (s_client_config.quiet && !s_client_config.debug && |
1005 | !s_client_config.msg) { |
1006 | if ((bio_c_out = BIO_new(BIO_s_null())) == NULL((void*)0)) |
1007 | goto end; |
1008 | } else { |
1009 | if ((bio_c_out = BIO_new_fp(stdout(&__sF[1]), BIO_NOCLOSE0x00)) == NULL((void*)0)) |
1010 | goto end; |
1011 | } |
1012 | |
1013 | ctx = SSL_CTX_new(s_client_config.meth); |
1014 | if (ctx == NULL((void*)0)) { |
1015 | ERR_print_errors(bio_err); |
1016 | goto end; |
1017 | } |
1018 | |
1019 | SSL_CTX_clear_mode(ctx, SSL_MODE_AUTO_RETRY)SSL_CTX_ctrl((ctx),78,(0x00000004L),((void*)0)); |
1020 | |
1021 | if (s_client_config.vpm) |
1022 | SSL_CTX_set1_param(ctx, s_client_config.vpm); |
1023 | |
1024 | if (!SSL_CTX_set_min_proto_version(ctx, s_client_config.min_version)) |
1025 | goto end; |
1026 | if (!SSL_CTX_set_max_proto_version(ctx, s_client_config.max_version)) |
1027 | goto end; |
1028 | |
1029 | #ifndef OPENSSL_NO_SRTP |
1030 | if (s_client_config.srtp_profiles != NULL((void*)0)) |
1031 | SSL_CTX_set_tlsext_use_srtp(ctx, s_client_config.srtp_profiles); |
1032 | #endif |
1033 | if (s_client_config.bugs) |
1034 | SSL_CTX_set_options(ctx, SSL_OP_ALL | s_client_config.off)SSL_CTX_ctrl((ctx),32,((0x00000004L) | s_client_config.off),( (void*)0)); |
1035 | else |
1036 | SSL_CTX_set_options(ctx, s_client_config.off)SSL_CTX_ctrl((ctx),32,(s_client_config.off),((void*)0)); |
1037 | |
1038 | if (s_client_config.clr) |
1039 | SSL_CTX_clear_options(ctx, s_client_config.clr)SSL_CTX_ctrl((ctx),77,(s_client_config.clr),((void*)0)); |
1040 | |
1041 | if (s_client_config.alpn_in) { |
1042 | unsigned short alpn_len; |
1043 | unsigned char *alpn; |
1044 | |
1045 | alpn = next_protos_parse(&alpn_len, s_client_config.alpn_in); |
1046 | if (alpn == NULL((void*)0)) { |
1047 | BIO_printf(bio_err, "Error parsing -alpn argument\n"); |
1048 | goto end; |
1049 | } |
1050 | SSL_CTX_set_alpn_protos(ctx, alpn, alpn_len); |
1051 | free(alpn); |
1052 | } |
1053 | if (s_client_config.groups_in != NULL((void*)0)) { |
1054 | if (SSL_CTX_set1_groups_list(ctx, s_client_config.groups_in) != 1) { |
1055 | BIO_printf(bio_err, "Failed to set groups '%s'\n", |
1056 | s_client_config.groups_in); |
1057 | goto end; |
1058 | } |
1059 | } |
1060 | |
1061 | if (s_client_config.state) |
1062 | SSL_CTX_set_info_callback(ctx, apps_ssl_info_callback); |
1063 | if (s_client_config.cipher != NULL((void*)0)) |
1064 | if (!SSL_CTX_set_cipher_list(ctx, s_client_config.cipher)) { |
1065 | BIO_printf(bio_err, "error setting cipher list\n"); |
1066 | ERR_print_errors(bio_err); |
1067 | goto end; |
1068 | } |
1069 | |
1070 | SSL_CTX_set_verify(ctx, s_client_config.verify, verify_callback); |
1071 | if (!set_cert_key_stuff(ctx, cert, key)) |
1072 | goto end; |
1073 | |
1074 | if ((s_client_config.CAfile || s_client_config.CApath) |
1075 | && !SSL_CTX_load_verify_locations(ctx, s_client_config.CAfile, |
1076 | s_client_config.CApath)) |
1077 | ERR_print_errors(bio_err); |
1078 | |
1079 | if (!SSL_CTX_set_default_verify_paths(ctx)) |
1080 | ERR_print_errors(bio_err); |
1081 | |
1082 | con = SSL_new(ctx); |
1083 | if (s_client_config.sess_in) { |
1084 | SSL_SESSION *sess; |
1085 | BIO *stmp = BIO_new_file(s_client_config.sess_in, "r"); |
1086 | if (!stmp) { |
1087 | BIO_printf(bio_err, "Can't open session file %s\n", |
1088 | s_client_config.sess_in); |
1089 | ERR_print_errors(bio_err); |
1090 | goto end; |
1091 | } |
1092 | sess = PEM_read_bio_SSL_SESSION(stmp, NULL((void*)0), 0, NULL((void*)0)); |
1093 | BIO_free(stmp); |
1094 | if (!sess) { |
1095 | BIO_printf(bio_err, "Can't open session file %s\n", |
1096 | s_client_config.sess_in); |
1097 | ERR_print_errors(bio_err); |
1098 | goto end; |
1099 | } |
1100 | SSL_set_session(con, sess); |
1101 | SSL_SESSION_free(sess); |
1102 | } |
1103 | |
1104 | /* Attempt to opportunistically use the host name for SNI. */ |
1105 | servername = s_client_config.servername; |
1106 | if (servername == NULL((void*)0)) |
1107 | servername = s_client_config.host; |
1108 | |
1109 | if (!s_client_config.no_servername && servername != NULL((void*)0) && |
1110 | !SSL_set_tlsext_host_name(con, servername)SSL_ctrl(con,55,0,(char *)servername)) { |
1111 | long ssl_err = ERR_peek_error(); |
1112 | |
1113 | if (s_client_config.servername != NULL((void*)0) || |
1114 | ERR_GET_LIB(ssl_err)(int)((((unsigned long)ssl_err)>>24L)&0xffL) != ERR_LIB_SSL20 || |
1115 | ERR_GET_REASON(ssl_err)(int)((ssl_err)&0xfffL) != SSL_R_SSL3_EXT_INVALID_SERVERNAME319) { |
1116 | BIO_printf(bio_err, |
1117 | "Unable to set TLS servername extension.\n"); |
1118 | ERR_print_errors(bio_err); |
1119 | goto end; |
1120 | } |
1121 | servername = NULL((void*)0); |
1122 | ERR_clear_error(); |
1123 | } |
1124 | if (!s_client_config.no_servername && servername != NULL((void*)0)) { |
1125 | tlsextcbp.biodebug = bio_err; |
1126 | SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb)SSL_CTX_callback_ctrl(ctx,53,(void (*)(void))ssl_servername_cb ); |
1127 | SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp)SSL_CTX_ctrl(ctx,54,0, (void *)&tlsextcbp); |
1128 | } |
1129 | |
1130 | re_start: |
1131 | |
1132 | if (init_client(&s, s_client_config.host, s_client_config.port, |
1133 | s_client_config.socket_type, s_client_config.af) == 0) { |
1134 | BIO_printf(bio_err, "connect:errno=%d\n", errno(*__errno())); |
1135 | goto end; |
1136 | } |
1137 | BIO_printf(bio_c_out, "CONNECTED(%08X)\n", s); |
1138 | |
1139 | if (s_client_config.nbio) { |
1140 | if (!s_client_config.quiet) |
1141 | BIO_printf(bio_c_out, "turning on non blocking io\n"); |
1142 | if (!BIO_socket_nbio(s, 1)) { |
1143 | ERR_print_errors(bio_err); |
1144 | goto end; |
1145 | } |
1146 | } |
1147 | if (s_client_config.pause & 0x01) |
1148 | SSL_set_debug(con, 1); |
1149 | |
1150 | if (SSL_is_dtls(con)) { |
1151 | sbio = BIO_new_dgram(s, BIO_NOCLOSE0x00); |
1152 | if (getsockname(s, (struct sockaddr *)&peer, |
1153 | (void *)&peerlen) == -1) { |
1154 | BIO_printf(bio_err, "getsockname:errno=%d\n", |
1155 | errno(*__errno())); |
1156 | shutdown(s, SHUT_RD0); |
1157 | close(s); |
1158 | goto end; |
1159 | } |
1160 | (void) BIO_ctrl_set_connected(sbio, 1, &peer)(int)BIO_ctrl(sbio, 32, 1, (char *)&peer); |
1161 | |
1162 | if (s_client_config.enable_timeouts) { |
1163 | timeout.tv_sec = 0; |
1164 | timeout.tv_usec = DGRAM_RCV_TIMEOUT250000; |
1165 | BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT33, 0, |
1166 | &timeout); |
1167 | |
1168 | timeout.tv_sec = 0; |
1169 | timeout.tv_usec = DGRAM_SND_TIMEOUT250000; |
1170 | BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT35, 0, |
1171 | &timeout); |
1172 | } |
1173 | if (s_client_config.socket_mtu > 28) { |
1174 | SSL_set_options(con, SSL_OP_NO_QUERY_MTU)SSL_ctrl((con),32,(0x00001000L),((void*)0)); |
1175 | SSL_set_mtu(con, s_client_config.socket_mtu - 28)SSL_ctrl((con),17,(s_client_config.socket_mtu - 28),((void*)0 )); |
1176 | } else |
1177 | /* want to do MTU discovery */ |
1178 | BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER39, 0, NULL((void*)0)); |
1179 | } else |
1180 | sbio = BIO_new_socket(s, BIO_NOCLOSE0x00); |
1181 | |
1182 | if (s_client_config.nbio_test) { |
1183 | BIO *test; |
1184 | |
1185 | test = BIO_new(BIO_f_nbio_test()); |
1186 | sbio = BIO_push(test, sbio); |
1187 | } |
1188 | if (s_client_config.debug) { |
1189 | SSL_set_debug(con, 1); |
1190 | BIO_set_callback(sbio, bio_dump_callback); |
1191 | BIO_set_callback_arg(sbio, (char *) bio_c_out); |
1192 | } |
1193 | if (s_client_config.msg) { |
1194 | SSL_set_msg_callback(con, msg_cb); |
1195 | SSL_set_msg_callback_arg(con, bio_c_out)SSL_ctrl((con), 16, 0, (bio_c_out)); |
1196 | } |
1197 | if (s_client_config.tlsextdebug) { |
1198 | SSL_set_tlsext_debug_callback(con, tlsext_cb)SSL_callback_ctrl(con,56,(void (*)(void))tlsext_cb); |
1199 | SSL_set_tlsext_debug_arg(con, bio_c_out)SSL_ctrl(con,57,0, (void *)bio_c_out); |
1200 | } |
1201 | if (s_client_config.status_req) { |
1202 | SSL_set_tlsext_status_type(con, TLSEXT_STATUSTYPE_ocsp)SSL_ctrl(con,65,1, ((void*)0)); |
1203 | SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb)SSL_CTX_callback_ctrl(ctx,63,(void (*)(void))ocsp_resp_cb); |
1204 | SSL_CTX_set_tlsext_status_arg(ctx, bio_c_out)SSL_CTX_ctrl(ctx,64,0,(void *)bio_c_out); |
1205 | } |
1206 | |
1207 | SSL_set_bio(con, sbio, sbio); |
1208 | SSL_set_connect_state(con); |
1209 | |
1210 | /* ok, lets connect */ |
1211 | read_tty = 1; |
1212 | write_tty = 0; |
1213 | tty_on = 0; |
Value stored to 'tty_on' is never read | |
1214 | read_ssl = 1; |
1215 | write_ssl = 1; |
1216 | |
1217 | cbuf_len = 0; |
1218 | cbuf_off = 0; |
1219 | sbuf_len = 0; |
1220 | sbuf_off = 0; |
1221 | |
1222 | /* This is an ugly hack that does a lot of assumptions */ |
1223 | /* |
1224 | * We do have to handle multi-line responses which may come in a |
1225 | * single packet or not. We therefore have to use BIO_gets() which |
1226 | * does need a buffering BIO. So during the initial chitchat we do |
1227 | * push a buffering BIO into the chain that is removed again later on |
1228 | * to not disturb the rest of the s_client operation. |
1229 | */ |
1230 | if (s_client_config.starttls_proto == PROTO_SMTP || |
1231 | s_client_config.starttls_proto == PROTO_LMTP) { |
1232 | int foundit = 0; |
1233 | BIO *fbio = BIO_new(BIO_f_buffer()); |
1234 | BIO_push(fbio, sbio); |
1235 | /* wait for multi-line response to end from SMTP */ |
1236 | do { |
1237 | mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ1024*8); |
1238 | } |
1239 | while (mbuf_len > 3 && mbuf[3] == '-'); |
1240 | /* STARTTLS command requires EHLO... */ |
1241 | BIO_printf(fbio, "%cHLO openssl.client.net\r\n", |
1242 | s_client_config.starttls_proto == PROTO_SMTP ? 'E' : 'L'); |
1243 | (void) BIO_flush(fbio)(int)BIO_ctrl(fbio,11,0,((void*)0)); |
1244 | /* wait for multi-line response to end EHLO SMTP response */ |
1245 | do { |
1246 | mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ1024*8); |
1247 | if (strstr(mbuf, "STARTTLS")) |
1248 | foundit = 1; |
1249 | } |
1250 | while (mbuf_len > 3 && mbuf[3] == '-'); |
1251 | (void) BIO_flush(fbio)(int)BIO_ctrl(fbio,11,0,((void*)0)); |
1252 | BIO_pop(fbio); |
1253 | BIO_free(fbio); |
1254 | if (!foundit) |
1255 | BIO_printf(bio_err, |
1256 | "didn't find starttls in server response," |
1257 | " try anyway...\n"); |
1258 | BIO_printf(sbio, "STARTTLS\r\n"); |
1259 | BIO_read(sbio, sbuf, BUFSIZZ1024*8); |
1260 | } else if (s_client_config.starttls_proto == PROTO_POP3) { |
1261 | mbuf_len = BIO_read(sbio, mbuf, BUFSIZZ1024*8); |
1262 | if (mbuf_len == -1) { |
1263 | BIO_printf(bio_err, "BIO_read failed\n"); |
1264 | goto end; |
1265 | } |
1266 | BIO_printf(sbio, "STLS\r\n"); |
1267 | BIO_read(sbio, sbuf, BUFSIZZ1024*8); |
1268 | } else if (s_client_config.starttls_proto == PROTO_IMAP) { |
1269 | int foundit = 0; |
1270 | BIO *fbio = BIO_new(BIO_f_buffer()); |
1271 | BIO_push(fbio, sbio); |
1272 | BIO_gets(fbio, mbuf, BUFSIZZ1024*8); |
1273 | /* STARTTLS command requires CAPABILITY... */ |
1274 | BIO_printf(fbio, ". CAPABILITY\r\n"); |
1275 | (void) BIO_flush(fbio)(int)BIO_ctrl(fbio,11,0,((void*)0)); |
1276 | /* wait for multi-line CAPABILITY response */ |
1277 | do { |
1278 | mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ1024*8); |
1279 | if (strstr(mbuf, "STARTTLS")) |
1280 | foundit = 1; |
1281 | } |
1282 | while (mbuf_len > 3 && mbuf[0] != '.'); |
1283 | (void) BIO_flush(fbio)(int)BIO_ctrl(fbio,11,0,((void*)0)); |
1284 | BIO_pop(fbio); |
1285 | BIO_free(fbio); |
1286 | if (!foundit) |
1287 | BIO_printf(bio_err, |
1288 | "didn't find STARTTLS in server response," |
1289 | " try anyway...\n"); |
1290 | BIO_printf(sbio, ". STARTTLS\r\n"); |
1291 | BIO_read(sbio, sbuf, BUFSIZZ1024*8); |
1292 | } else if (s_client_config.starttls_proto == PROTO_FTP) { |
1293 | BIO *fbio = BIO_new(BIO_f_buffer()); |
1294 | BIO_push(fbio, sbio); |
1295 | /* wait for multi-line response to end from FTP */ |
1296 | do { |
1297 | mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ1024*8); |
1298 | } |
1299 | while (mbuf_len > 3 && mbuf[3] == '-'); |
1300 | (void) BIO_flush(fbio)(int)BIO_ctrl(fbio,11,0,((void*)0)); |
1301 | BIO_pop(fbio); |
1302 | BIO_free(fbio); |
1303 | BIO_printf(sbio, "AUTH TLS\r\n"); |
1304 | BIO_read(sbio, sbuf, BUFSIZZ1024*8); |
1305 | } else if (s_client_config.starttls_proto == PROTO_XMPP) { |
1306 | int seen = 0; |
1307 | BIO_printf(sbio, "<stream:stream " |
1308 | "xmlns:stream='http://etherx.jabber.org/streams' " |
1309 | "xmlns='jabber:client' to='%s' version='1.0'>", |
1310 | s_client_config.xmpphost ? |
1311 | s_client_config.xmpphost : s_client_config.host); |
1312 | seen = BIO_read(sbio, mbuf, BUFSIZZ1024*8); |
1313 | |
1314 | if (seen <= 0) |
1315 | goto shut; |
1316 | |
1317 | mbuf[seen] = 0; |
1318 | while (!strstr(mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'") && |
1319 | !strstr(mbuf, "<starttls xmlns=\"urn:ietf:params:xml:ns:xmpp-tls\"")) { |
1320 | seen = BIO_read(sbio, mbuf, BUFSIZZ1024*8); |
1321 | |
1322 | if (seen <= 0) |
1323 | goto shut; |
1324 | |
1325 | mbuf[seen] = 0; |
1326 | } |
1327 | BIO_printf(sbio, |
1328 | "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"); |
1329 | seen = BIO_read(sbio, sbuf, BUFSIZZ1024*8); |
1330 | sbuf[seen] = 0; |
1331 | if (!strstr(sbuf, "<proceed")) |
1332 | goto shut; |
1333 | mbuf[0] = 0; |
1334 | } else if (s_client_config.proxy != NULL((void*)0)) { |
1335 | BIO_printf(sbio, "CONNECT %s HTTP/1.0\r\n\r\n", |
1336 | s_client_config.connect); |
1337 | mbuf_len = BIO_read(sbio, mbuf, BUFSIZZ1024*8); |
1338 | if (mbuf_len == -1) { |
1339 | BIO_printf(bio_err, "BIO_read failed\n"); |
1340 | goto end; |
1341 | } |
1342 | } |
1343 | for (;;) { |
1344 | struct pollfd pfd[3]; /* stdin, stdout, socket */ |
1345 | int ptimeout = -1; |
1346 | |
1347 | if (SSL_is_dtls(con) && DTLSv1_get_timeout(con, &timeout)SSL_ctrl(con,73,0, (void *)&timeout)) |
1348 | ptimeout = timeout.tv_sec * 1000 + |
1349 | timeout.tv_usec / 1000; |
1350 | |
1351 | if (SSL_in_init(con)(SSL_state((con))&(0x1000|0x2000)) && !SSL_total_renegotiations(con)SSL_ctrl((con),12,0,((void*)0))) { |
1352 | in_init = 1; |
1353 | tty_on = 0; |
1354 | } else { |
1355 | tty_on = 1; |
1356 | if (in_init) { |
1357 | in_init = 0; |
1358 | if (s_client_config.sess_out) { |
1359 | BIO *stmp = BIO_new_file( |
1360 | s_client_config.sess_out, "w"); |
1361 | if (stmp) { |
1362 | PEM_write_bio_SSL_SESSION(stmp, |
1363 | SSL_get_session(con)); |
1364 | BIO_free(stmp); |
1365 | } else |
1366 | BIO_printf(bio_err, |
1367 | "Error writing session file %s\n", |
1368 | s_client_config.sess_out); |
1369 | } |
1370 | print_stuff(bio_c_out, con, full_log); |
1371 | if (full_log > 0) |
1372 | full_log--; |
1373 | |
1374 | if (s_client_config.starttls_proto) { |
1375 | BIO_write(bio_err, mbuf, mbuf_len); |
1376 | /* We don't need to know any more */ |
1377 | s_client_config.starttls_proto = PROTO_OFF; |
1378 | } |
1379 | if (s_client_config.reconnect) { |
1380 | s_client_config.reconnect--; |
1381 | BIO_printf(bio_c_out, |
1382 | "drop connection and then reconnect\n"); |
1383 | SSL_shutdown(con); |
1384 | SSL_set_connect_state(con); |
1385 | shutdown(SSL_get_fd(con), SHUT_RD0); |
1386 | close(SSL_get_fd(con)); |
1387 | goto re_start; |
1388 | } |
1389 | } |
1390 | } |
1391 | |
1392 | ssl_pending = read_ssl && SSL_pending(con); |
1393 | |
1394 | pfd[0].fd = -1; |
1395 | pfd[1].fd = -1; |
1396 | if (!ssl_pending) { |
1397 | if (tty_on) { |
1398 | if (read_tty) { |
1399 | pfd[0].fd = fileno(stdin)(!__isthreaded ? (((&__sF[0]))->_file) : (fileno)((& __sF[0]))); |
1400 | pfd[0].events = POLLIN0x0001; |
1401 | } |
1402 | if (write_tty) { |
1403 | pfd[1].fd = fileno(stdout)(!__isthreaded ? (((&__sF[1]))->_file) : (fileno)((& __sF[1]))); |
1404 | pfd[1].events = POLLOUT0x0004; |
1405 | } |
1406 | } |
1407 | |
1408 | pfd[2].fd = SSL_get_fd(con); |
1409 | pfd[2].events = 0; |
1410 | if (read_ssl) |
1411 | pfd[2].events |= POLLIN0x0001; |
1412 | if (write_ssl) |
1413 | pfd[2].events |= POLLOUT0x0004; |
1414 | |
1415 | /* printf("mode tty(%d %d%d) ssl(%d%d)\n", |
1416 | tty_on,read_tty,write_tty,read_ssl,write_ssl);*/ |
1417 | |
1418 | i = poll(pfd, 3, ptimeout); |
1419 | if (i == -1) { |
1420 | BIO_printf(bio_err, "bad select %d\n", |
1421 | errno(*__errno())); |
1422 | goto shut; |
1423 | /* goto end; */ |
1424 | } |
1425 | } |
1426 | if (SSL_is_dtls(con) && |
1427 | DTLSv1_handle_timeout(con)SSL_ctrl(con,74,0, ((void*)0)) > 0) |
1428 | BIO_printf(bio_err, "TIMEOUT occured\n"); |
1429 | if (!ssl_pending && |
1430 | (pfd[2].revents & (POLLOUT0x0004|POLLERR0x0008|POLLNVAL0x0020))) { |
1431 | if (pfd[2].revents & (POLLERR0x0008|POLLNVAL0x0020)) { |
1432 | BIO_printf(bio_err, "poll error"); |
1433 | goto shut; |
1434 | } |
1435 | k = SSL_write(con, &(cbuf[cbuf_off]), |
1436 | (unsigned int) cbuf_len); |
1437 | switch (SSL_get_error(con, k)) { |
1438 | case SSL_ERROR_NONE0: |
1439 | cbuf_off += k; |
1440 | cbuf_len -= k; |
1441 | if (k <= 0) |
1442 | goto end; |
1443 | /* we have done a write(con,NULL,0); */ |
1444 | if (cbuf_len <= 0) { |
1445 | read_tty = 1; |
1446 | write_ssl = 0; |
1447 | } else { /* if (cbuf_len > 0) */ |
1448 | read_tty = 0; |
1449 | write_ssl = 1; |
1450 | } |
1451 | break; |
1452 | case SSL_ERROR_WANT_WRITE3: |
1453 | BIO_printf(bio_c_out, "write W BLOCK\n"); |
1454 | write_ssl = 1; |
1455 | read_tty = 0; |
1456 | break; |
1457 | case SSL_ERROR_WANT_READ2: |
1458 | BIO_printf(bio_c_out, "write R BLOCK\n"); |
1459 | write_tty = 0; |
1460 | read_ssl = 1; |
1461 | write_ssl = 0; |
1462 | break; |
1463 | case SSL_ERROR_WANT_X509_LOOKUP4: |
1464 | BIO_printf(bio_c_out, "write X BLOCK\n"); |
1465 | break; |
1466 | case SSL_ERROR_ZERO_RETURN6: |
1467 | if (cbuf_len != 0) { |
1468 | BIO_printf(bio_c_out, "shutdown\n"); |
1469 | ret = 0; |
1470 | goto shut; |
1471 | } else { |
1472 | read_tty = 1; |
1473 | write_ssl = 0; |
1474 | break; |
1475 | } |
1476 | |
1477 | case SSL_ERROR_SYSCALL5: |
1478 | if ((k != 0) || (cbuf_len != 0)) { |
1479 | BIO_printf(bio_err, "write:errno=%d\n", |
1480 | errno(*__errno())); |
1481 | goto shut; |
1482 | } else { |
1483 | read_tty = 1; |
1484 | write_ssl = 0; |
1485 | } |
1486 | break; |
1487 | case SSL_ERROR_SSL1: |
1488 | ERR_print_errors(bio_err); |
1489 | goto shut; |
1490 | } |
1491 | } else if (!ssl_pending && |
1492 | (pfd[1].revents & (POLLOUT0x0004|POLLERR0x0008|POLLNVAL0x0020))) { |
1493 | if (pfd[1].revents & (POLLERR0x0008|POLLNVAL0x0020)) { |
1494 | BIO_printf(bio_err, "poll error"); |
1495 | goto shut; |
1496 | } |
1497 | i = write(fileno(stdout)(!__isthreaded ? (((&__sF[1]))->_file) : (fileno)((& __sF[1]))), &(sbuf[sbuf_off]), sbuf_len); |
1498 | |
1499 | if (i <= 0) { |
1500 | BIO_printf(bio_c_out, "DONE\n"); |
1501 | ret = 0; |
1502 | goto shut; |
1503 | /* goto end; */ |
1504 | } |
1505 | sbuf_len -= i; |
1506 | sbuf_off += i; |
1507 | if (sbuf_len <= 0) { |
1508 | read_ssl = 1; |
1509 | write_tty = 0; |
1510 | } |
1511 | } else if (ssl_pending || (pfd[2].revents & (POLLIN0x0001|POLLHUP0x0010))) { |
1512 | #ifdef RENEG |
1513 | { |
1514 | static int iiii; |
1515 | if (++iiii == 52) { |
1516 | SSL_renegotiate(con); |
1517 | iiii = 0; |
1518 | } |
1519 | } |
1520 | #endif |
1521 | if (s_client_config.peekaboo) { |
1522 | k = p = SSL_peek(con, pbuf, 1024 /* BUFSIZZ */ ); |
1523 | pending = SSL_pending(con); |
1524 | if (SSL_get_error(con, p) == SSL_ERROR_NONE0) { |
1525 | if (p <= 0) |
1526 | goto end; |
1527 | |
1528 | k = SSL_read(con, sbuf, p); |
1529 | } |
1530 | } else { |
1531 | k = SSL_read(con, sbuf, 1024 /* BUFSIZZ */ ); |
1532 | } |
1533 | |
1534 | switch (SSL_get_error(con, k)) { |
1535 | case SSL_ERROR_NONE0: |
1536 | if (k <= 0) |
1537 | goto end; |
1538 | sbuf_off = 0; |
1539 | sbuf_len = k; |
1540 | if (s_client_config.peekaboo) { |
1541 | if (p != pending) { |
1542 | ret = -1; |
1543 | BIO_printf(bio_err, |
1544 | "peeked %d but pending %d!\n", |
1545 | p, pending); |
1546 | goto shut; |
1547 | } |
1548 | if (k < p) { |
1549 | ret = -1; |
1550 | BIO_printf(bio_err, |
1551 | "read less than peek!\n"); |
1552 | goto shut; |
1553 | } |
1554 | if (p > 0 && |
1555 | (memcmp(sbuf, pbuf, p) != 0)) { |
1556 | ret = -1; |
1557 | BIO_printf(bio_err, |
1558 | "peek of %d different from read of %d!\n", |
1559 | p, k); |
1560 | goto shut; |
1561 | } |
1562 | } |
1563 | read_ssl = 0; |
1564 | write_tty = 1; |
1565 | break; |
1566 | case SSL_ERROR_WANT_WRITE3: |
1567 | BIO_printf(bio_c_out, "read W BLOCK\n"); |
1568 | write_ssl = 1; |
1569 | read_tty = 0; |
1570 | break; |
1571 | case SSL_ERROR_WANT_READ2: |
1572 | BIO_printf(bio_c_out, "read R BLOCK\n"); |
1573 | write_tty = 0; |
1574 | read_ssl = 1; |
1575 | if ((read_tty == 0) && (write_ssl == 0)) |
1576 | write_ssl = 1; |
1577 | break; |
1578 | case SSL_ERROR_WANT_X509_LOOKUP4: |
1579 | BIO_printf(bio_c_out, "read X BLOCK\n"); |
1580 | break; |
1581 | case SSL_ERROR_SYSCALL5: |
1582 | ret = errno(*__errno()); |
1583 | BIO_printf(bio_err, "read:errno=%d\n", ret); |
1584 | goto shut; |
1585 | case SSL_ERROR_ZERO_RETURN6: |
1586 | BIO_printf(bio_c_out, "closed\n"); |
1587 | ret = 0; |
1588 | goto shut; |
1589 | case SSL_ERROR_SSL1: |
1590 | ERR_print_errors(bio_err); |
1591 | goto shut; |
1592 | /* break; */ |
1593 | } |
1594 | } else if (pfd[0].revents) { |
1595 | if (pfd[0].revents & (POLLERR0x0008|POLLNVAL0x0020)) { |
1596 | BIO_printf(bio_err, "poll error"); |
1597 | goto shut; |
1598 | } |
1599 | if (s_client_config.crlf) { |
1600 | int j, lf_num; |
1601 | |
1602 | i = read(fileno(stdin)(!__isthreaded ? (((&__sF[0]))->_file) : (fileno)((& __sF[0]))), cbuf, BUFSIZZ1024*8 / 2); |
1603 | lf_num = 0; |
1604 | /* both loops are skipped when i <= 0 */ |
1605 | for (j = 0; j < i; j++) |
1606 | if (cbuf[j] == '\n') |
1607 | lf_num++; |
1608 | for (j = i - 1; j >= 0; j--) { |
1609 | cbuf[j + lf_num] = cbuf[j]; |
1610 | if (cbuf[j] == '\n') { |
1611 | lf_num--; |
1612 | i++; |
1613 | cbuf[j + lf_num] = '\r'; |
1614 | } |
1615 | } |
1616 | assert(lf_num == 0)((lf_num == 0) ? (void)0 : __assert2("/usr/src/usr.bin/openssl/s_client.c" , 1616, __func__, "lf_num == 0")); |
1617 | } else |
1618 | i = read(fileno(stdin)(!__isthreaded ? (((&__sF[0]))->_file) : (fileno)((& __sF[0]))), cbuf, BUFSIZZ1024*8); |
1619 | |
1620 | if ((!s_client_config.ign_eof) && |
1621 | ((i <= 0) || (cbuf[0] == 'Q'))) { |
1622 | BIO_printf(bio_err, "DONE\n"); |
1623 | ret = 0; |
1624 | goto shut; |
1625 | } |
1626 | if ((!s_client_config.ign_eof) && (cbuf[0] == 'R')) { |
1627 | BIO_printf(bio_err, "RENEGOTIATING\n"); |
1628 | SSL_renegotiate(con); |
1629 | cbuf_len = 0; |
1630 | } else { |
1631 | cbuf_len = i; |
1632 | cbuf_off = 0; |
1633 | } |
1634 | |
1635 | write_ssl = 1; |
1636 | read_tty = 0; |
1637 | } |
1638 | } |
1639 | |
1640 | ret = 0; |
1641 | shut: |
1642 | if (in_init) |
1643 | print_stuff(bio_c_out, con, full_log); |
1644 | SSL_shutdown(con); |
1645 | shutdown(SSL_get_fd(con), SHUT_RD0); |
1646 | close(SSL_get_fd(con)); |
1647 | end: |
1648 | if (con != NULL((void*)0)) { |
1649 | if (s_client_config.prexit != 0) |
1650 | print_stuff(bio_c_out, con, 1); |
1651 | SSL_free(con); |
1652 | } |
1653 | SSL_CTX_free(ctx); |
1654 | X509_free(cert); |
1655 | EVP_PKEY_free(key); |
1656 | free(pass); |
1657 | X509_VERIFY_PARAM_free(s_client_config.vpm); |
1658 | freezero(cbuf, BUFSIZZ1024*8); |
1659 | freezero(sbuf, BUFSIZZ1024*8); |
1660 | freezero(pbuf, BUFSIZZ1024*8); |
1661 | freezero(mbuf, BUFSIZZ1024*8); |
1662 | BIO_free(bio_c_out); |
1663 | |
1664 | return (ret); |
1665 | } |
1666 | |
1667 | static void |
1668 | print_stuff(BIO *bio, SSL *s, int full) |
1669 | { |
1670 | X509 *peer = NULL((void*)0); |
1671 | char *p; |
1672 | static const char *space = " "; |
1673 | char buf[BUFSIZ1024]; |
1674 | STACK_OF(X509)struct stack_st_X509 *sk; |
1675 | STACK_OF(X509_NAME)struct stack_st_X509_NAME *sk2; |
1676 | const SSL_CIPHER *c; |
1677 | X509_NAME *xn; |
1678 | int j, i; |
1679 | unsigned char *exportedkeymat; |
1680 | |
1681 | if (full) { |
1682 | int got_a_chain = 0; |
1683 | |
1684 | sk = SSL_get_peer_cert_chain(s); |
1685 | if (sk != NULL((void*)0)) { |
1686 | got_a_chain = 1; /* we don't have it for SSL2 |
1687 | * (yet) */ |
1688 | |
1689 | BIO_printf(bio, "---\nCertificate chain\n"); |
1690 | for (i = 0; i < sk_X509_num(sk)sk_num(((_STACK*) (1 ? (sk) : (struct stack_st_X509*)0))); i++) { |
1691 | X509_NAME_oneline(X509_get_subject_name( |
1692 | sk_X509_value(sk, i)((X509 *)sk_value(((_STACK*) (1 ? (sk) : (struct stack_st_X509 *)0)), (i)))), buf, sizeof buf); |
1693 | BIO_printf(bio, "%2d s:%s\n", i, buf); |
1694 | X509_NAME_oneline(X509_get_issuer_name( |
1695 | sk_X509_value(sk, i)((X509 *)sk_value(((_STACK*) (1 ? (sk) : (struct stack_st_X509 *)0)), (i)))), buf, sizeof buf); |
1696 | BIO_printf(bio, " i:%s\n", buf); |
1697 | if (s_client_config.showcerts) |
1698 | PEM_write_bio_X509(bio, |
1699 | sk_X509_value(sk, i)((X509 *)sk_value(((_STACK*) (1 ? (sk) : (struct stack_st_X509 *)0)), (i)))); |
1700 | } |
1701 | } |
1702 | BIO_printf(bio, "---\n"); |
1703 | peer = SSL_get_peer_certificate(s); |
1704 | if (peer != NULL((void*)0)) { |
1705 | BIO_printf(bio, "Server certificate\n"); |
1706 | if (!(s_client_config.showcerts && got_a_chain)) { |
1707 | /* Redundant if we showed the whole chain */ |
1708 | PEM_write_bio_X509(bio, peer); |
1709 | } |
1710 | X509_NAME_oneline(X509_get_subject_name(peer), |
1711 | buf, sizeof buf); |
1712 | BIO_printf(bio, "subject=%s\n", buf); |
1713 | X509_NAME_oneline(X509_get_issuer_name(peer), |
1714 | buf, sizeof buf); |
1715 | BIO_printf(bio, "issuer=%s\n", buf); |
1716 | } else |
1717 | BIO_printf(bio, "no peer certificate available\n"); |
1718 | |
1719 | sk2 = SSL_get_client_CA_list(s); |
1720 | if ((sk2 != NULL((void*)0)) && (sk_X509_NAME_num(sk2)sk_num(((_STACK*) (1 ? (sk2) : (struct stack_st_X509_NAME*)0) )) > 0)) { |
1721 | BIO_printf(bio, |
1722 | "---\nAcceptable client certificate CA names\n"); |
1723 | for (i = 0; i < sk_X509_NAME_num(sk2)sk_num(((_STACK*) (1 ? (sk2) : (struct stack_st_X509_NAME*)0) )); i++) { |
1724 | xn = sk_X509_NAME_value(sk2, i)((X509_NAME *)sk_value(((_STACK*) (1 ? (sk2) : (struct stack_st_X509_NAME *)0)), (i))); |
1725 | X509_NAME_oneline(xn, buf, sizeof(buf)); |
1726 | BIO_write(bio, buf, strlen(buf)); |
1727 | BIO_write(bio, "\n", 1); |
1728 | } |
1729 | } else { |
1730 | BIO_printf(bio, |
1731 | "---\nNo client certificate CA names sent\n"); |
1732 | } |
1733 | p = SSL_get_shared_ciphers(s, buf, sizeof buf); |
1734 | if (p != NULL((void*)0)) { |
1735 | /* |
1736 | * This works only for SSL 2. In later protocol |
1737 | * versions, the client does not know what other |
1738 | * ciphers (in addition to the one to be used in the |
1739 | * current connection) the server supports. |
1740 | */ |
1741 | |
1742 | BIO_printf(bio, |
1743 | "---\nCiphers common between both SSL endpoints:\n"); |
1744 | j = i = 0; |
1745 | while (*p) { |
1746 | if (*p == ':') { |
1747 | BIO_write(bio, space, 15 - j % 25); |
1748 | i++; |
1749 | j = 0; |
1750 | BIO_write(bio, |
1751 | ((i % 3) ? " " : "\n"), 1); |
1752 | } else { |
1753 | BIO_write(bio, p, 1); |
1754 | j++; |
1755 | } |
1756 | p++; |
1757 | } |
1758 | BIO_write(bio, "\n", 1); |
1759 | } |
1760 | |
1761 | ssl_print_tmp_key(bio, s); |
1762 | |
1763 | BIO_printf(bio, |
1764 | "---\nSSL handshake has read %ld bytes and written %ld bytes\n", |
1765 | BIO_number_read(SSL_get_rbio(s)), |
1766 | BIO_number_written(SSL_get_wbio(s))); |
1767 | } |
1768 | BIO_printf(bio, (SSL_cache_hit(s) ? "---\nReused, " : "---\nNew, ")); |
1769 | c = SSL_get_current_cipher(s); |
1770 | BIO_printf(bio, "%s, Cipher is %s\n", |
1771 | SSL_CIPHER_get_version(c), |
1772 | SSL_CIPHER_get_name(c)); |
1773 | if (peer != NULL((void*)0)) { |
1774 | EVP_PKEY *pktmp; |
1775 | pktmp = X509_get_pubkey(peer); |
1776 | BIO_printf(bio, "Server public key is %d bit\n", |
1777 | EVP_PKEY_bits(pktmp)); |
1778 | EVP_PKEY_free(pktmp); |
1779 | } |
1780 | BIO_printf(bio, "Secure Renegotiation IS%s supported\n", |
1781 | SSL_get_secure_renegotiation_support(s)SSL_ctrl((s), 76, 0, ((void*)0)) ? "" : " NOT"); |
1782 | |
1783 | /* Compression is not supported and will always be none. */ |
1784 | BIO_printf(bio, "Compression: NONE\n"); |
1785 | BIO_printf(bio, "Expansion: NONE\n"); |
1786 | |
1787 | #ifdef SSL_DEBUG |
1788 | { |
1789 | /* Print out local port of connection: useful for debugging */ |
1790 | int sock; |
1791 | struct sockaddr_in ladd; |
1792 | socklen_t ladd_size = sizeof(ladd); |
1793 | sock = SSL_get_fd(s); |
1794 | getsockname(sock, (struct sockaddr *) & ladd, &ladd_size); |
1795 | BIO_printf(bio, "LOCAL PORT is %u\n", |
1796 | ntohs(ladd.sin_port)(__uint16_t)(__builtin_constant_p(ladd.sin_port) ? (__uint16_t )(((__uint16_t)(ladd.sin_port) & 0xffU) << 8 | ((__uint16_t )(ladd.sin_port) & 0xff00U) >> 8) : __swap16md(ladd .sin_port))); |
1797 | } |
1798 | #endif |
1799 | |
1800 | { |
1801 | const unsigned char *proto; |
1802 | unsigned int proto_len; |
1803 | SSL_get0_alpn_selected(s, &proto, &proto_len); |
1804 | if (proto_len > 0) { |
1805 | BIO_printf(bio, "ALPN protocol: "); |
1806 | BIO_write(bio, proto, proto_len); |
1807 | BIO_write(bio, "\n", 1); |
1808 | } else |
1809 | BIO_printf(bio, "No ALPN negotiated\n"); |
1810 | } |
1811 | |
1812 | #ifndef OPENSSL_NO_SRTP |
1813 | { |
1814 | SRTP_PROTECTION_PROFILE *srtp_profile; |
1815 | |
1816 | srtp_profile = SSL_get_selected_srtp_profile(s); |
1817 | if (srtp_profile) |
1818 | BIO_printf(bio, |
1819 | "SRTP Extension negotiated, profile=%s\n", |
1820 | srtp_profile->name); |
1821 | } |
1822 | #endif |
1823 | |
1824 | SSL_SESSION_print(bio, SSL_get_session(s)); |
1825 | if (s_client_config.keymatexportlabel != NULL((void*)0)) { |
1826 | BIO_printf(bio, "Keying material exporter:\n"); |
1827 | BIO_printf(bio, " Label: '%s'\n", |
1828 | s_client_config.keymatexportlabel); |
1829 | BIO_printf(bio, " Length: %i bytes\n", |
1830 | s_client_config.keymatexportlen); |
1831 | exportedkeymat = malloc(s_client_config.keymatexportlen); |
1832 | if (exportedkeymat != NULL((void*)0)) { |
1833 | if (!SSL_export_keying_material(s, exportedkeymat, |
1834 | s_client_config.keymatexportlen, |
1835 | s_client_config.keymatexportlabel, |
1836 | strlen(s_client_config.keymatexportlabel), |
1837 | NULL((void*)0), 0, 0)) { |
1838 | BIO_printf(bio, " Error\n"); |
1839 | } else { |
1840 | BIO_printf(bio, " Keying material: "); |
1841 | for (i = 0; i < s_client_config.keymatexportlen; i++) |
1842 | BIO_printf(bio, "%02X", |
1843 | exportedkeymat[i]); |
1844 | BIO_printf(bio, "\n"); |
1845 | } |
1846 | free(exportedkeymat); |
1847 | } |
1848 | } |
1849 | BIO_printf(bio, "---\n"); |
1850 | X509_free(peer); |
1851 | /* flush, or debugging output gets mixed with http response */ |
1852 | (void) BIO_flush(bio)(int)BIO_ctrl(bio,11,0,((void*)0)); |
1853 | } |
1854 | |
1855 | static int |
1856 | ocsp_resp_cb(SSL *s, void *arg) |
1857 | { |
1858 | const unsigned char *p; |
1859 | int len; |
1860 | OCSP_RESPONSE *rsp; |
1861 | len = SSL_get_tlsext_status_ocsp_resp(s, &p)SSL_ctrl(s,70,0, (void *)&p); |
1862 | BIO_puts(arg, "OCSP response: "); |
1863 | if (!p) { |
1864 | BIO_puts(arg, "no response sent\n"); |
1865 | return 1; |
1866 | } |
1867 | rsp = d2i_OCSP_RESPONSE(NULL((void*)0), &p, len); |
1868 | if (!rsp) { |
1869 | BIO_puts(arg, "response parse error\n"); |
1870 | BIO_dump_indent(arg, (char *) p, len, 4); |
1871 | return 0; |
1872 | } |
1873 | BIO_puts(arg, "\n======================================\n"); |
1874 | OCSP_RESPONSE_print(arg, rsp, 0); |
1875 | BIO_puts(arg, "======================================\n"); |
1876 | OCSP_RESPONSE_free(rsp); |
1877 | return 1; |
1878 | } |
1879 | |
1880 | static int |
1881 | ssl_servername_cb(SSL *s, int *ad, void *arg) |
1882 | { |
1883 | tlsextctx *p = (tlsextctx *) arg; |
1884 | const char *hn = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name0); |
1885 | if (SSL_get_servername_type(s) != -1) |
1886 | p->ack = !SSL_session_reused(s)SSL_ctrl((s),8,0,((void*)0)) && hn != NULL((void*)0); |
1887 | else |
1888 | BIO_printf(bio_err, "Can't use SSL_get_servername\n"); |
1889 | |
1890 | return SSL_TLSEXT_ERR_OK0; |
1891 | } |
1892 |