s_client.c revision 1.26
1/* $OpenBSD: s_client.c,v 1.26 2015/12/01 01:24:47 beck Exp $ */ 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58/* ==================================================================== 59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111/* ==================================================================== 112 * Copyright 2005 Nokia. All rights reserved. 113 * 114 * The portions of the attached software ("Contribution") is developed by 115 * Nokia Corporation and is licensed pursuant to the OpenSSL open source 116 * license. 117 * 118 * The Contribution, originally written by Mika Kousa and Pasi Eronen of 119 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites 120 * support (see RFC 4279) to OpenSSL. 121 * 122 * No patent licenses or other rights except those expressly stated in 123 * the OpenSSL open source license shall be deemed granted or received 124 * expressly, by implication, estoppel, or otherwise. 125 * 126 * No assurances are provided by Nokia that the Contribution does not 127 * infringe the patent or other intellectual property rights of any third 128 * party or that the license provides you with all the necessary rights 129 * to make use of the Contribution. 130 * 131 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN 132 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA 133 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY 134 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR 135 * OTHERWISE. 136 */ 137 138#include <sys/types.h> 139#include <sys/socket.h> 140 141#include <netinet/in.h> 142 143#include <assert.h> 144#include <ctype.h> 145#include <limits.h> 146#include <netdb.h> 147#include <stdio.h> 148#include <stdlib.h> 149#include <string.h> 150#include <unistd.h> 151#include <poll.h> 152 153#include "apps.h" 154 155#include <openssl/bn.h> 156#include <openssl/err.h> 157#include <openssl/ocsp.h> 158#include <openssl/pem.h> 159#include <openssl/ssl.h> 160#include <openssl/x509.h> 161 162#include "s_apps.h" 163#include "timeouts.h" 164 165/*#define SSL_HOST_NAME "www.netscape.com" */ 166/*#define SSL_HOST_NAME "193.118.187.102" */ 167#define SSL_HOST_NAME "localhost" 168 169 /*#define TEST_CERT "client.pem" *//* no default cert. */ 170 171#define BUFSIZZ 1024*8 172 173static int c_nbio = 0; 174static int c_Pause = 0; 175static int c_debug = 0; 176static int c_tlsextdebug = 0; 177static int c_status_req = 0; 178static int c_msg = 0; 179static int c_showcerts = 0; 180 181static char *keymatexportlabel = NULL; 182static int keymatexportlen = 20; 183 184static void sc_usage(void); 185static void print_stuff(BIO * berr, SSL * con, int full); 186static int ocsp_resp_cb(SSL * s, void *arg); 187static BIO *bio_c_out = NULL; 188static int c_quiet = 0; 189static int c_ign_eof = 0; 190 191 192static void 193sc_usage(void) 194{ 195 BIO_printf(bio_err, "usage: s_client args\n"); 196 BIO_printf(bio_err, "\n"); 197 BIO_printf(bio_err, " -4 - Force IPv4\n"); 198 BIO_printf(bio_err, " -6 - Force IPv6\n"); 199 BIO_printf(bio_err, " -host host - use -connect instead\n"); 200 BIO_printf(bio_err, " -port port - use -connect instead\n"); 201 BIO_printf(bio_err, " -connect host:port - who to connect to (default is %s:%s)\n", SSL_HOST_NAME, PORT_STR); 202 BIO_printf(bio_err, " -proxy host:port - connect to http proxy\n"); 203 204 BIO_printf(bio_err, " -verify arg - turn on peer certificate verification\n"); 205 BIO_printf(bio_err, " -cert arg - certificate file to use, PEM format assumed\n"); 206 BIO_printf(bio_err, " -certform arg - certificate format (PEM or DER) PEM default\n"); 207 BIO_printf(bio_err, " -key arg - Private key file to use, in cert file if\n"); 208 BIO_printf(bio_err, " not specified but cert file is.\n"); 209 BIO_printf(bio_err, " -keyform arg - key format (PEM or DER) PEM default\n"); 210 BIO_printf(bio_err, " -pass arg - private key file pass phrase source\n"); 211 BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n"); 212 BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n"); 213 BIO_printf(bio_err, " -reconnect - Drop and re-make the connection with the same Session-ID\n"); 214 BIO_printf(bio_err, " -pause - sleep(1) after each read(2) and write(2) system call\n"); 215 BIO_printf(bio_err, " -showcerts - show all certificates in the chain\n"); 216 BIO_printf(bio_err, " -debug - extra output\n"); 217 BIO_printf(bio_err, " -msg - Show protocol messages\n"); 218 BIO_printf(bio_err, " -nbio_test - more ssl protocol testing\n"); 219 BIO_printf(bio_err, " -state - print the 'ssl' states\n"); 220 BIO_printf(bio_err, " -nbio - Run with non-blocking IO\n"); 221 BIO_printf(bio_err, " -crlf - convert LF from terminal into CRLF\n"); 222 BIO_printf(bio_err, " -quiet - no s_client output\n"); 223 BIO_printf(bio_err, " -ign_eof - ignore input eof (default when -quiet)\n"); 224 BIO_printf(bio_err, " -no_ign_eof - don't ignore input eof\n"); 225 BIO_printf(bio_err, " -tls1_2 - just use TLSv1.2\n"); 226 BIO_printf(bio_err, " -tls1_1 - just use TLSv1.1\n"); 227 BIO_printf(bio_err, " -tls1 - just use TLSv1\n"); 228 BIO_printf(bio_err, " -dtls1 - just use DTLSv1\n"); 229 BIO_printf(bio_err, " -mtu - set the link layer MTU\n"); 230 BIO_printf(bio_err, " -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n"); 231 BIO_printf(bio_err, " -bugs - Switch on all SSL implementation bug workarounds\n"); 232 BIO_printf(bio_err, " -cipher - preferred cipher to use, use the 'openssl ciphers'\n"); 233 BIO_printf(bio_err, " command to see what is available\n"); 234 BIO_printf(bio_err, " -starttls prot - use the STARTTLS command before starting TLS\n"); 235 BIO_printf(bio_err, " for those protocols that support it, where\n"); 236 BIO_printf(bio_err, " 'prot' defines which one to assume. Currently,\n"); 237 BIO_printf(bio_err, " only \"smtp\", \"lmtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n"); 238 BIO_printf(bio_err, " are supported.\n"); 239 BIO_printf(bio_err, " -xmpphost host - connect to this virtual host on the xmpp server\n"); 240 BIO_printf(bio_err, " -sess_out arg - file to write SSL session to\n"); 241 BIO_printf(bio_err, " -sess_in arg - file to read SSL session from\n"); 242 BIO_printf(bio_err, " -servername host - Set TLS extension servername in ClientHello\n"); 243 BIO_printf(bio_err, " -tlsextdebug - hex dump of all TLS extensions received\n"); 244 BIO_printf(bio_err, " -status - request certificate status from server\n"); 245 BIO_printf(bio_err, " -no_ticket - disable use of RFC4507bis session tickets\n"); 246 BIO_printf(bio_err, " -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n"); 247 BIO_printf(bio_err, " -alpn arg - enable ALPN extension, considering named protocols supported (comma-separated list)\n"); 248#ifndef OPENSSL_NO_SRTP 249 BIO_printf(bio_err, " -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n"); 250#endif 251 BIO_printf(bio_err, " -keymatexport label - Export keying material using label\n"); 252 BIO_printf(bio_err, " -keymatexportlen len - Export len bytes of keying material (default 20)\n"); 253} 254 255 256/* This is a context that we pass to callbacks */ 257typedef struct tlsextctx_st { 258 BIO *biodebug; 259 int ack; 260} tlsextctx; 261 262 263static int 264ssl_servername_cb(SSL * s, int *ad, void *arg) 265{ 266 tlsextctx *p = (tlsextctx *) arg; 267 const char *hn = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name); 268 if (SSL_get_servername_type(s) != -1) 269 p->ack = !SSL_session_reused(s) && hn != NULL; 270 else 271 BIO_printf(bio_err, "Can't use SSL_get_servername\n"); 272 273 return SSL_TLSEXT_ERR_OK; 274} 275 276#ifndef OPENSSL_NO_SRTP 277char *srtp_profiles = NULL; 278#endif 279 280/* This the context that we pass to next_proto_cb */ 281typedef struct tlsextnextprotoctx_st { 282 unsigned char *data; 283 unsigned short len; 284 int status; 285} tlsextnextprotoctx; 286 287static tlsextnextprotoctx next_proto; 288 289static int 290next_proto_cb(SSL * s, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg) 291{ 292 tlsextnextprotoctx *ctx = arg; 293 294 if (!c_quiet) { 295 /* We can assume that |in| is syntactically valid. */ 296 unsigned i; 297 BIO_printf(bio_c_out, "Protocols advertised by server: "); 298 for (i = 0; i < inlen;) { 299 if (i) 300 BIO_write(bio_c_out, ", ", 2); 301 BIO_write(bio_c_out, &in[i + 1], in[i]); 302 i += in[i] + 1; 303 } 304 BIO_write(bio_c_out, "\n", 1); 305 } 306 ctx->status = SSL_select_next_proto(out, outlen, in, inlen, ctx->data, ctx->len); 307 return SSL_TLSEXT_ERR_OK; 308} 309 310enum { 311 PROTO_OFF = 0, 312 PROTO_SMTP, 313 PROTO_LMTP, 314 PROTO_POP3, 315 PROTO_IMAP, 316 PROTO_FTP, 317 PROTO_XMPP 318}; 319 320int 321s_client_main(int argc, char **argv) 322{ 323 unsigned int off = 0, clr = 0; 324 SSL *con = NULL; 325 int s, k, state = 0, af = AF_UNSPEC; 326 char *cbuf = NULL, *sbuf = NULL, *mbuf = NULL; 327 int cbuf_len, cbuf_off; 328 int sbuf_len, sbuf_off; 329 char *port = PORT_STR; 330 int full_log = 1; 331 char *host = SSL_HOST_NAME; 332 char *xmpphost = NULL; 333 char *proxy = NULL, *connect = NULL; 334 char *cert_file = NULL, *key_file = NULL; 335 int cert_format = FORMAT_PEM, key_format = FORMAT_PEM; 336 char *passarg = NULL, *pass = NULL; 337 X509 *cert = NULL; 338 EVP_PKEY *key = NULL; 339 char *CApath = NULL, *CAfile = NULL, *cipher = NULL; 340 int reconnect = 0, badop = 0, verify = SSL_VERIFY_NONE, bugs = 0; 341 int crlf = 0; 342 int write_tty, read_tty, write_ssl, read_ssl, tty_on, ssl_pending; 343 SSL_CTX *ctx = NULL; 344 int ret = 1, in_init = 1, i, nbio_test = 0; 345 int starttls_proto = PROTO_OFF; 346 int prexit = 0; 347 X509_VERIFY_PARAM *vpm = NULL; 348 int badarg = 0; 349 const SSL_METHOD *meth = NULL; 350 int socket_type = SOCK_STREAM; 351 BIO *sbio; 352 int mbuf_len = 0; 353 struct timeval timeout; 354 const char *errstr = NULL; 355 char *servername = NULL; 356 tlsextctx tlsextcbp = 357 {NULL, 0}; 358 const char *next_proto_neg_in = NULL; 359 const char *alpn_in = NULL; 360 char *sess_in = NULL; 361 char *sess_out = NULL; 362 struct sockaddr peer; 363 int peerlen = sizeof(peer); 364 int enable_timeouts = 0; 365 long socket_mtu = 0; 366 367 if (single_execution) { 368 if (pledge("stdio inet dns rpath wpath cpath tty dns", NULL) == -1) { 369 perror("pledge"); 370 exit(1); 371 } 372 } 373 374 meth = SSLv23_client_method(); 375 376 c_Pause = 0; 377 c_quiet = 0; 378 c_ign_eof = 0; 379 c_debug = 0; 380 c_msg = 0; 381 c_showcerts = 0; 382 383 if (((cbuf = malloc(BUFSIZZ)) == NULL) || 384 ((sbuf = malloc(BUFSIZZ)) == NULL) || 385 ((mbuf = malloc(BUFSIZZ + 1)) == NULL)) { /* NUL byte */ 386 BIO_printf(bio_err, "out of memory\n"); 387 goto end; 388 } 389 verify_depth = 0; 390 c_nbio = 0; 391 392 argc--; 393 argv++; 394 while (argc >= 1) { 395 if (strcmp(*argv, "-host") == 0) { 396 if (--argc < 1) 397 goto bad; 398 host = *(++argv); 399 } else if (strcmp(*argv, "-port") == 0) { 400 if (--argc < 1) 401 goto bad; 402 port = *(++argv); 403 if (port == NULL || *port == '\0') 404 goto bad; 405 } else if (strcmp(*argv, "-connect") == 0) { 406 if (--argc < 1) 407 goto bad; 408 connect = *(++argv); 409 } else if (strcmp(*argv, "-proxy") == 0) { 410 if (--argc < 1) 411 goto bad; 412 proxy = *(++argv); 413 } else if (strcmp(*argv,"-xmpphost") == 0) { 414 if (--argc < 1) 415 goto bad; 416 xmpphost= *(++argv); 417 } else if (strcmp(*argv, "-verify") == 0) { 418 verify = SSL_VERIFY_PEER; 419 if (--argc < 1) 420 goto bad; 421 verify_depth = strtonum(*(++argv), 0, INT_MAX, &errstr); 422 if (errstr) 423 goto bad; 424 BIO_printf(bio_err, "verify depth is %d\n", verify_depth); 425 } else if (strcmp(*argv, "-cert") == 0) { 426 if (--argc < 1) 427 goto bad; 428 cert_file = *(++argv); 429 } else if (strcmp(*argv, "-sess_out") == 0) { 430 if (--argc < 1) 431 goto bad; 432 sess_out = *(++argv); 433 } else if (strcmp(*argv, "-sess_in") == 0) { 434 if (--argc < 1) 435 goto bad; 436 sess_in = *(++argv); 437 } else if (strcmp(*argv, "-certform") == 0) { 438 if (--argc < 1) 439 goto bad; 440 cert_format = str2fmt(*(++argv)); 441 } else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm)) { 442 if (badarg) 443 goto bad; 444 continue; 445 } else if (strcmp(*argv, "-verify_return_error") == 0) 446 verify_return_error = 1; 447 else if (strcmp(*argv, "-prexit") == 0) 448 prexit = 1; 449 else if (strcmp(*argv, "-crlf") == 0) 450 crlf = 1; 451 else if (strcmp(*argv, "-quiet") == 0) { 452 c_quiet = 1; 453 c_ign_eof = 1; 454 } else if (strcmp(*argv, "-ign_eof") == 0) 455 c_ign_eof = 1; 456 else if (strcmp(*argv, "-no_ign_eof") == 0) 457 c_ign_eof = 0; 458 else if (strcmp(*argv, "-pause") == 0) 459 c_Pause = 1; 460 else if (strcmp(*argv, "-debug") == 0) 461 c_debug = 1; 462 else if (strcmp(*argv, "-tlsextdebug") == 0) 463 c_tlsextdebug = 1; 464 else if (strcmp(*argv, "-status") == 0) 465 c_status_req = 1; 466 else if (strcmp(*argv, "-msg") == 0) 467 c_msg = 1; 468 else if (strcmp(*argv, "-showcerts") == 0) 469 c_showcerts = 1; 470 else if (strcmp(*argv, "-nbio_test") == 0) 471 nbio_test = 1; 472 else if (strcmp(*argv, "-state") == 0) 473 state = 1; 474 else if (strcmp(*argv, "-tls1_2") == 0) 475 meth = TLSv1_2_client_method(); 476 else if (strcmp(*argv, "-tls1_1") == 0) 477 meth = TLSv1_1_client_method(); 478 else if (strcmp(*argv, "-tls1") == 0) 479 meth = TLSv1_client_method(); 480#ifndef OPENSSL_NO_DTLS1 481 else if (strcmp(*argv, "-dtls1") == 0) { 482 meth = DTLSv1_client_method(); 483 socket_type = SOCK_DGRAM; 484 } else if (strcmp(*argv, "-timeout") == 0) 485 enable_timeouts = 1; 486 else if (strcmp(*argv, "-mtu") == 0) { 487 if (--argc < 1) 488 goto bad; 489 socket_mtu = strtonum(*(++argv), 0, LONG_MAX, &errstr); 490 if (errstr) 491 goto bad; 492 } 493#endif 494 else if (strcmp(*argv, "-bugs") == 0) 495 bugs = 1; 496 else if (strcmp(*argv, "-keyform") == 0) { 497 if (--argc < 1) 498 goto bad; 499 key_format = str2fmt(*(++argv)); 500 } else if (strcmp(*argv, "-pass") == 0) { 501 if (--argc < 1) 502 goto bad; 503 passarg = *(++argv); 504 } else if (strcmp(*argv, "-key") == 0) { 505 if (--argc < 1) 506 goto bad; 507 key_file = *(++argv); 508 } else if (strcmp(*argv, "-reconnect") == 0) { 509 reconnect = 5; 510 } else if (strcmp(*argv, "-CApath") == 0) { 511 if (--argc < 1) 512 goto bad; 513 CApath = *(++argv); 514 } else if (strcmp(*argv, "-CAfile") == 0) { 515 if (--argc < 1) 516 goto bad; 517 CAfile = *(++argv); 518 } else if (strcmp(*argv, "-no_tls1_2") == 0) 519 off |= SSL_OP_NO_TLSv1_2; 520 else if (strcmp(*argv, "-no_tls1_1") == 0) 521 off |= SSL_OP_NO_TLSv1_1; 522 else if (strcmp(*argv, "-no_tls1") == 0) 523 off |= SSL_OP_NO_TLSv1; 524 else if (strcmp(*argv, "-no_ssl3") == 0) 525 off |= SSL_OP_NO_SSLv3; 526 else if (strcmp(*argv, "-no_ssl2") == 0) 527 off |= SSL_OP_NO_SSLv2; 528 else if (strcmp(*argv, "-no_comp") == 0) { 529 off |= SSL_OP_NO_COMPRESSION; 530 } 531 else if (strcmp(*argv, "-no_ticket") == 0) { 532 off |= SSL_OP_NO_TICKET; 533 } 534 else if (strcmp(*argv, "-nextprotoneg") == 0) { 535 if (--argc < 1) 536 goto bad; 537 next_proto_neg_in = *(++argv); 538 } 539 else if (strcmp(*argv, "-alpn") == 0) { 540 if (--argc < 1) 541 goto bad; 542 alpn_in = *(++argv); 543 } else if (strcmp(*argv, "-serverpref") == 0) 544 off |= SSL_OP_CIPHER_SERVER_PREFERENCE; 545 else if (strcmp(*argv, "-legacy_renegotiation") == 0) 546 ; /* no-op */ 547 else if (strcmp(*argv, "-legacy_server_connect") == 0) { 548 off |= SSL_OP_LEGACY_SERVER_CONNECT; 549 } else if (strcmp(*argv, "-no_legacy_server_connect") == 0) { 550 clr |= SSL_OP_LEGACY_SERVER_CONNECT; 551 } else if (strcmp(*argv, "-cipher") == 0) { 552 if (--argc < 1) 553 goto bad; 554 cipher = *(++argv); 555 } 556 else if (strcmp(*argv, "-nbio") == 0) { 557 c_nbio = 1; 558 } 559 else if (strcmp(*argv, "-starttls") == 0) { 560 if (--argc < 1) 561 goto bad; 562 ++argv; 563 if (strcmp(*argv, "smtp") == 0) 564 starttls_proto = PROTO_SMTP; 565 else if (strcmp(*argv, "lmtp") == 0) 566 starttls_proto = PROTO_LMTP; 567 else if (strcmp(*argv, "pop3") == 0) 568 starttls_proto = PROTO_POP3; 569 else if (strcmp(*argv, "imap") == 0) 570 starttls_proto = PROTO_IMAP; 571 else if (strcmp(*argv, "ftp") == 0) 572 starttls_proto = PROTO_FTP; 573 else if (strcmp(*argv, "xmpp") == 0) 574 starttls_proto = PROTO_XMPP; 575 else 576 goto bad; 577 } 578 else if (strcmp(*argv, "-4") == 0) { 579 af = AF_INET; 580 } else if (strcmp(*argv, "-6") == 0) { 581 af = AF_INET6; 582 } 583 else if (strcmp(*argv, "-servername") == 0) { 584 if (--argc < 1) 585 goto bad; 586 servername = *(++argv); 587 /* meth=TLSv1_client_method(); */ 588 } 589#ifndef OPENSSL_NO_SRTP 590 else if (strcmp(*argv, "-use_srtp") == 0) { 591 if (--argc < 1) 592 goto bad; 593 srtp_profiles = *(++argv); 594 } 595#endif 596 else if (strcmp(*argv, "-keymatexport") == 0) { 597 if (--argc < 1) 598 goto bad; 599 keymatexportlabel = *(++argv); 600 } else if (strcmp(*argv, "-keymatexportlen") == 0) { 601 if (--argc < 1) 602 goto bad; 603 keymatexportlen = strtonum(*(++argv), 1, INT_MAX, &errstr); 604 if (errstr) 605 goto bad; 606 } else { 607 BIO_printf(bio_err, "unknown option %s\n", *argv); 608 badop = 1; 609 break; 610 } 611 argc--; 612 argv++; 613 } 614 if (proxy != NULL) { 615 if (!extract_host_port(proxy, &host, NULL, &port)) 616 goto bad; 617 if (connect == NULL) 618 connect = SSL_HOST_NAME; 619 } else if (connect != NULL) { 620 if (!extract_host_port(connect, &host, NULL, &port)) 621 goto bad; 622 } 623 if (badop) { 624bad: 625 if (errstr) 626 BIO_printf(bio_err, "invalid argument %s: %s\n", 627 *argv, errstr); 628 else 629 sc_usage(); 630 goto end; 631 } 632 633 next_proto.status = -1; 634 if (next_proto_neg_in) { 635 next_proto.data = next_protos_parse(&next_proto.len, next_proto_neg_in); 636 if (next_proto.data == NULL) { 637 BIO_printf(bio_err, "Error parsing -nextprotoneg argument\n"); 638 goto end; 639 } 640 } else 641 next_proto.data = NULL; 642 643 if (!app_passwd(bio_err, passarg, NULL, &pass, NULL)) { 644 BIO_printf(bio_err, "Error getting password\n"); 645 goto end; 646 } 647 if (key_file == NULL) 648 key_file = cert_file; 649 650 651 if (key_file) { 652 653 key = load_key(bio_err, key_file, key_format, 0, pass, 654 "client certificate private key file"); 655 if (!key) { 656 ERR_print_errors(bio_err); 657 goto end; 658 } 659 } 660 if (cert_file) { 661 cert = load_cert(bio_err, cert_file, cert_format, 662 NULL, "client certificate file"); 663 664 if (!cert) { 665 ERR_print_errors(bio_err); 666 goto end; 667 } 668 } 669 if (bio_c_out == NULL) { 670 if (c_quiet && !c_debug && !c_msg) { 671 bio_c_out = BIO_new(BIO_s_null()); 672 } else { 673 if (bio_c_out == NULL) 674 bio_c_out = BIO_new_fp(stdout, BIO_NOCLOSE); 675 } 676 } 677 678 ctx = SSL_CTX_new(meth); 679 if (ctx == NULL) { 680 ERR_print_errors(bio_err); 681 goto end; 682 } 683 if (vpm) 684 SSL_CTX_set1_param(ctx, vpm); 685 686#ifndef OPENSSL_NO_SRTP 687 if (srtp_profiles != NULL) 688 SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles); 689#endif 690 if (bugs) 691 SSL_CTX_set_options(ctx, SSL_OP_ALL | off); 692 else 693 SSL_CTX_set_options(ctx, off); 694 695 if (clr) 696 SSL_CTX_clear_options(ctx, clr); 697 /* 698 * DTLS: partial reads end up discarding unread UDP bytes :-( Setting 699 * read ahead solves this problem. 700 */ 701 if (socket_type == SOCK_DGRAM) 702 SSL_CTX_set_read_ahead(ctx, 1); 703 704 if (next_proto.data) 705 SSL_CTX_set_next_proto_select_cb(ctx, next_proto_cb, &next_proto); 706 if (alpn_in) { 707 unsigned short alpn_len; 708 unsigned char *alpn = next_protos_parse(&alpn_len, alpn_in); 709 710 if (alpn == NULL) { 711 BIO_printf(bio_err, "Error parsing -alpn argument\n"); 712 goto end; 713 } 714 SSL_CTX_set_alpn_protos(ctx, alpn, alpn_len); 715 free(alpn); 716 } 717 718 if (state) 719 SSL_CTX_set_info_callback(ctx, apps_ssl_info_callback); 720 if (cipher != NULL) 721 if (!SSL_CTX_set_cipher_list(ctx, cipher)) { 722 BIO_printf(bio_err, "error setting cipher list\n"); 723 ERR_print_errors(bio_err); 724 goto end; 725 } 726 727 SSL_CTX_set_verify(ctx, verify, verify_callback); 728 if (!set_cert_key_stuff(ctx, cert, key)) 729 goto end; 730 731 if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) || 732 (!SSL_CTX_set_default_verify_paths(ctx))) { 733 /* 734 * BIO_printf(bio_err,"error setting default verify 735 * locations\n"); 736 */ 737 ERR_print_errors(bio_err); 738 /* goto end; */ 739 } 740 if (servername != NULL) { 741 tlsextcbp.biodebug = bio_err; 742 SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb); 743 SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp); 744 } 745 746 con = SSL_new(ctx); 747 if (sess_in) { 748 SSL_SESSION *sess; 749 BIO *stmp = BIO_new_file(sess_in, "r"); 750 if (!stmp) { 751 BIO_printf(bio_err, "Can't open session file %s\n", 752 sess_in); 753 ERR_print_errors(bio_err); 754 goto end; 755 } 756 sess = PEM_read_bio_SSL_SESSION(stmp, NULL, 0, NULL); 757 BIO_free(stmp); 758 if (!sess) { 759 BIO_printf(bio_err, "Can't open session file %s\n", 760 sess_in); 761 ERR_print_errors(bio_err); 762 goto end; 763 } 764 SSL_set_session(con, sess); 765 SSL_SESSION_free(sess); 766 } 767 if (servername != NULL) { 768 if (!SSL_set_tlsext_host_name(con, servername)) { 769 BIO_printf(bio_err, "Unable to set TLS servername extension.\n"); 770 ERR_print_errors(bio_err); 771 goto end; 772 } 773 } 774/* SSL_set_cipher_list(con,"RC4-MD5"); */ 775 776re_start: 777 778 if (init_client(&s, host, port, socket_type, af) == 0) { 779 BIO_printf(bio_err, "connect:errno=%d\n", errno); 780 goto end; 781 } 782 BIO_printf(bio_c_out, "CONNECTED(%08X)\n", s); 783 784 if (c_nbio) { 785 if (!c_quiet) 786 BIO_printf(bio_c_out, "turning on non blocking io\n"); 787 if (!BIO_socket_nbio(s, 1)) { 788 ERR_print_errors(bio_err); 789 goto end; 790 } 791 } 792 if (c_Pause & 0x01) 793 SSL_set_debug(con, 1); 794 795 if (SSL_version(con) == DTLS1_VERSION) { 796 797 sbio = BIO_new_dgram(s, BIO_NOCLOSE); 798 if (getsockname(s, &peer, (void *) &peerlen) < 0) { 799 BIO_printf(bio_err, "getsockname:errno=%d\n", 800 errno); 801 shutdown(s, SHUT_RD); 802 close(s); 803 goto end; 804 } 805 (void) BIO_ctrl_set_connected(sbio, 1, &peer); 806 807 if (enable_timeouts) { 808 timeout.tv_sec = 0; 809 timeout.tv_usec = DGRAM_RCV_TIMEOUT; 810 BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout); 811 812 timeout.tv_sec = 0; 813 timeout.tv_usec = DGRAM_SND_TIMEOUT; 814 BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout); 815 } 816 if (socket_mtu > 28) { 817 SSL_set_options(con, SSL_OP_NO_QUERY_MTU); 818 SSL_set_mtu(con, socket_mtu - 28); 819 } else 820 /* want to do MTU discovery */ 821 BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL); 822 } else 823 sbio = BIO_new_socket(s, BIO_NOCLOSE); 824 825 if (nbio_test) { 826 BIO *test; 827 828 test = BIO_new(BIO_f_nbio_test()); 829 sbio = BIO_push(test, sbio); 830 } 831 if (c_debug) { 832 SSL_set_debug(con, 1); 833 BIO_set_callback(sbio, bio_dump_callback); 834 BIO_set_callback_arg(sbio, (char *) bio_c_out); 835 } 836 if (c_msg) { 837 SSL_set_msg_callback(con, msg_cb); 838 SSL_set_msg_callback_arg(con, bio_c_out); 839 } 840 if (c_tlsextdebug) { 841 SSL_set_tlsext_debug_callback(con, tlsext_cb); 842 SSL_set_tlsext_debug_arg(con, bio_c_out); 843 } 844 if (c_status_req) { 845 SSL_set_tlsext_status_type(con, TLSEXT_STATUSTYPE_ocsp); 846 SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb); 847 SSL_CTX_set_tlsext_status_arg(ctx, bio_c_out); 848 } 849 850 SSL_set_bio(con, sbio, sbio); 851 SSL_set_connect_state(con); 852 853 /* ok, lets connect */ 854 read_tty = 1; 855 write_tty = 0; 856 tty_on = 0; 857 read_ssl = 1; 858 write_ssl = 1; 859 860 cbuf_len = 0; 861 cbuf_off = 0; 862 sbuf_len = 0; 863 sbuf_off = 0; 864 865 /* This is an ugly hack that does a lot of assumptions */ 866 /* 867 * We do have to handle multi-line responses which may come in a 868 * single packet or not. We therefore have to use BIO_gets() which 869 * does need a buffering BIO. So during the initial chitchat we do 870 * push a buffering BIO into the chain that is removed again later on 871 * to not disturb the rest of the s_client operation. 872 */ 873 if (starttls_proto == PROTO_SMTP || starttls_proto == PROTO_LMTP) { 874 int foundit = 0; 875 BIO *fbio = BIO_new(BIO_f_buffer()); 876 BIO_push(fbio, sbio); 877 /* wait for multi-line response to end from SMTP */ 878 do { 879 mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ); 880 } 881 while (mbuf_len > 3 && mbuf[3] == '-'); 882 /* STARTTLS command requires EHLO... */ 883 BIO_printf(fbio, "%cHLO openssl.client.net\r\n", 884 starttls_proto == PROTO_SMTP ? 'E' : 'L'); 885 (void) BIO_flush(fbio); 886 /* wait for multi-line response to end EHLO SMTP response */ 887 do { 888 mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ); 889 if (strstr(mbuf, "STARTTLS")) 890 foundit = 1; 891 } 892 while (mbuf_len > 3 && mbuf[3] == '-'); 893 (void) BIO_flush(fbio); 894 BIO_pop(fbio); 895 BIO_free(fbio); 896 if (!foundit) 897 BIO_printf(bio_err, 898 "didn't found starttls in server response," 899 " try anyway...\n"); 900 BIO_printf(sbio, "STARTTLS\r\n"); 901 BIO_read(sbio, sbuf, BUFSIZZ); 902 } else if (starttls_proto == PROTO_POP3) { 903 mbuf_len = BIO_read(sbio, mbuf, BUFSIZZ); 904 if (mbuf_len == -1) { 905 BIO_printf(bio_err, "BIO_read failed\n"); 906 goto end; 907 } 908 BIO_printf(sbio, "STLS\r\n"); 909 BIO_read(sbio, sbuf, BUFSIZZ); 910 } else if (starttls_proto == PROTO_IMAP) { 911 int foundit = 0; 912 BIO *fbio = BIO_new(BIO_f_buffer()); 913 BIO_push(fbio, sbio); 914 BIO_gets(fbio, mbuf, BUFSIZZ); 915 /* STARTTLS command requires CAPABILITY... */ 916 BIO_printf(fbio, ". CAPABILITY\r\n"); 917 (void) BIO_flush(fbio); 918 /* wait for multi-line CAPABILITY response */ 919 do { 920 mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ); 921 if (strstr(mbuf, "STARTTLS")) 922 foundit = 1; 923 } 924 while (mbuf_len > 3 && mbuf[0] != '.'); 925 (void) BIO_flush(fbio); 926 BIO_pop(fbio); 927 BIO_free(fbio); 928 if (!foundit) 929 BIO_printf(bio_err, 930 "didn't found STARTTLS in server response," 931 " try anyway...\n"); 932 BIO_printf(sbio, ". STARTTLS\r\n"); 933 BIO_read(sbio, sbuf, BUFSIZZ); 934 } else if (starttls_proto == PROTO_FTP) { 935 BIO *fbio = BIO_new(BIO_f_buffer()); 936 BIO_push(fbio, sbio); 937 /* wait for multi-line response to end from FTP */ 938 do { 939 mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ); 940 } 941 while (mbuf_len > 3 && mbuf[3] == '-'); 942 (void) BIO_flush(fbio); 943 BIO_pop(fbio); 944 BIO_free(fbio); 945 BIO_printf(sbio, "AUTH TLS\r\n"); 946 BIO_read(sbio, sbuf, BUFSIZZ); 947 } else if (starttls_proto == PROTO_XMPP) { 948 int seen = 0; 949 BIO_printf(sbio, "<stream:stream " 950 "xmlns:stream='http://etherx.jabber.org/streams' " 951 "xmlns='jabber:client' to='%s' version='1.0'>", xmpphost ? xmpphost : host); 952 seen = BIO_read(sbio, mbuf, BUFSIZZ); 953 954 if (seen <= 0) 955 goto shut; 956 957 mbuf[seen] = 0; 958 while (!strstr(mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'") && 959 !strstr(mbuf, "<starttls xmlns=\"urn:ietf:params:xml:ns:xmpp-tls\"")) { 960 seen = BIO_read(sbio, mbuf, BUFSIZZ); 961 962 if (seen <= 0) 963 goto shut; 964 965 mbuf[seen] = 0; 966 } 967 BIO_printf(sbio, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"); 968 seen = BIO_read(sbio, sbuf, BUFSIZZ); 969 sbuf[seen] = 0; 970 if (!strstr(sbuf, "<proceed")) 971 goto shut; 972 mbuf[0] = 0; 973 } else if (proxy != NULL) { 974 BIO_printf(sbio, "CONNECT %s HTTP/1.0\r\n\r\n", connect); 975 mbuf_len = BIO_read(sbio, mbuf, BUFSIZZ); 976 if (mbuf_len == -1) { 977 BIO_printf(bio_err, "BIO_read failed\n"); 978 goto end; 979 } 980 } 981 for (;;) { 982 struct pollfd pfd[3]; /* stdin, stdout, socket */ 983 int ptimeout = -1; 984 985 if ((SSL_version(con) == DTLS1_VERSION) && 986 DTLSv1_get_timeout(con, &timeout)) 987 ptimeout = timeout.tv_sec * 1000 + timeout.tv_usec / 1000; 988 989 if (SSL_in_init(con) && !SSL_total_renegotiations(con)) { 990 in_init = 1; 991 tty_on = 0; 992 } else { 993 tty_on = 1; 994 if (in_init) { 995 in_init = 0; 996 if (sess_out) { 997 BIO *stmp = BIO_new_file(sess_out, "w"); 998 if (stmp) { 999 PEM_write_bio_SSL_SESSION(stmp, SSL_get_session(con)); 1000 BIO_free(stmp); 1001 } else 1002 BIO_printf(bio_err, "Error writing session file %s\n", sess_out); 1003 } 1004 print_stuff(bio_c_out, con, full_log); 1005 if (full_log > 0) 1006 full_log--; 1007 1008 if (starttls_proto) { 1009 BIO_write(bio_err, mbuf, mbuf_len); 1010 /* We don't need to know any more */ 1011 starttls_proto = PROTO_OFF; 1012 } 1013 if (reconnect) { 1014 reconnect--; 1015 BIO_printf(bio_c_out, "drop connection and then reconnect\n"); 1016 SSL_shutdown(con); 1017 SSL_set_connect_state(con); 1018 shutdown(SSL_get_fd(con), SHUT_RD); 1019 close(SSL_get_fd(con)); 1020 goto re_start; 1021 } 1022 } 1023 } 1024 1025 ssl_pending = read_ssl && SSL_pending(con); 1026 1027 pfd[0].fd = -1; 1028 pfd[1].fd = -1; 1029 if (!ssl_pending) { 1030 if (tty_on) { 1031 if (read_tty) { 1032 pfd[0].fd = fileno(stdin); 1033 pfd[0].events = POLLIN; 1034 } 1035 if (write_tty) { 1036 pfd[1].fd = fileno(stdout); 1037 pfd[1].events = POLLOUT; 1038 } 1039 } 1040 1041 pfd[2].fd = SSL_get_fd(con); 1042 pfd[2].events = 0; 1043 if (read_ssl) 1044 pfd[2].events |= POLLIN; 1045 if (write_ssl) 1046 pfd[2].events |= POLLOUT; 1047 1048/* printf("mode tty(%d %d%d) ssl(%d%d)\n", 1049 tty_on,read_tty,write_tty,read_ssl,write_ssl);*/ 1050 1051 i = poll(pfd, 3, ptimeout); 1052 if (i < 0) { 1053 BIO_printf(bio_err, "bad select %d\n", 1054 errno); 1055 goto shut; 1056 /* goto end; */ 1057 } 1058 } 1059 if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0) { 1060 BIO_printf(bio_err, "TIMEOUT occured\n"); 1061 } 1062 if (!ssl_pending && (pfd[2].revents & (POLLOUT|POLLERR|POLLNVAL))) { 1063 if (pfd[2].revents & (POLLERR|POLLNVAL)) { 1064 BIO_printf(bio_err, "poll error"); 1065 goto shut; 1066 } 1067 k = SSL_write(con, &(cbuf[cbuf_off]), 1068 (unsigned int) cbuf_len); 1069 switch (SSL_get_error(con, k)) { 1070 case SSL_ERROR_NONE: 1071 cbuf_off += k; 1072 cbuf_len -= k; 1073 if (k <= 0) 1074 goto end; 1075 /* we have done a write(con,NULL,0); */ 1076 if (cbuf_len <= 0) { 1077 read_tty = 1; 1078 write_ssl = 0; 1079 } else { /* if (cbuf_len > 0) */ 1080 read_tty = 0; 1081 write_ssl = 1; 1082 } 1083 break; 1084 case SSL_ERROR_WANT_WRITE: 1085 BIO_printf(bio_c_out, "write W BLOCK\n"); 1086 write_ssl = 1; 1087 read_tty = 0; 1088 break; 1089 case SSL_ERROR_WANT_READ: 1090 BIO_printf(bio_c_out, "write R BLOCK\n"); 1091 write_tty = 0; 1092 read_ssl = 1; 1093 write_ssl = 0; 1094 break; 1095 case SSL_ERROR_WANT_X509_LOOKUP: 1096 BIO_printf(bio_c_out, "write X BLOCK\n"); 1097 break; 1098 case SSL_ERROR_ZERO_RETURN: 1099 if (cbuf_len != 0) { 1100 BIO_printf(bio_c_out, "shutdown\n"); 1101 ret = 0; 1102 goto shut; 1103 } else { 1104 read_tty = 1; 1105 write_ssl = 0; 1106 break; 1107 } 1108 1109 case SSL_ERROR_SYSCALL: 1110 if ((k != 0) || (cbuf_len != 0)) { 1111 BIO_printf(bio_err, "write:errno=%d\n", 1112 errno); 1113 goto shut; 1114 } else { 1115 read_tty = 1; 1116 write_ssl = 0; 1117 } 1118 break; 1119 case SSL_ERROR_SSL: 1120 ERR_print_errors(bio_err); 1121 goto shut; 1122 } 1123 } else if (!ssl_pending && 1124 (pfd[1].revents & (POLLOUT|POLLERR|POLLNVAL))) { 1125 if (pfd[1].revents & (POLLERR|POLLNVAL)) { 1126 BIO_printf(bio_err, "poll error"); 1127 goto shut; 1128 } 1129 i = write(fileno(stdout), &(sbuf[sbuf_off]), sbuf_len); 1130 1131 if (i <= 0) { 1132 BIO_printf(bio_c_out, "DONE\n"); 1133 ret = 0; 1134 goto shut; 1135 /* goto end; */ 1136 } 1137 sbuf_len -= i; 1138 sbuf_off += i; 1139 if (sbuf_len <= 0) { 1140 read_ssl = 1; 1141 write_tty = 0; 1142 } 1143 } else if (ssl_pending || (pfd[2].revents & (POLLIN|POLLHUP))) { 1144#ifdef RENEG 1145 { 1146 static int iiii; 1147 if (++iiii == 52) { 1148 SSL_renegotiate(con); 1149 iiii = 0; 1150 } 1151 } 1152#endif 1153 k = SSL_read(con, sbuf, 1024 /* BUFSIZZ */ ); 1154 1155 switch (SSL_get_error(con, k)) { 1156 case SSL_ERROR_NONE: 1157 if (k <= 0) 1158 goto end; 1159 sbuf_off = 0; 1160 sbuf_len = k; 1161 1162 read_ssl = 0; 1163 write_tty = 1; 1164 break; 1165 case SSL_ERROR_WANT_WRITE: 1166 BIO_printf(bio_c_out, "read W BLOCK\n"); 1167 write_ssl = 1; 1168 read_tty = 0; 1169 break; 1170 case SSL_ERROR_WANT_READ: 1171 BIO_printf(bio_c_out, "read R BLOCK\n"); 1172 write_tty = 0; 1173 read_ssl = 1; 1174 if ((read_tty == 0) && (write_ssl == 0)) 1175 write_ssl = 1; 1176 break; 1177 case SSL_ERROR_WANT_X509_LOOKUP: 1178 BIO_printf(bio_c_out, "read X BLOCK\n"); 1179 break; 1180 case SSL_ERROR_SYSCALL: 1181 ret = errno; 1182 BIO_printf(bio_err, "read:errno=%d\n", ret); 1183 goto shut; 1184 case SSL_ERROR_ZERO_RETURN: 1185 BIO_printf(bio_c_out, "closed\n"); 1186 ret = 0; 1187 goto shut; 1188 case SSL_ERROR_SSL: 1189 ERR_print_errors(bio_err); 1190 goto shut; 1191 /* break; */ 1192 } 1193 } else if (pfd[0].revents) { 1194 if (pfd[0].revents & (POLLERR|POLLNVAL)) { 1195 BIO_printf(bio_err, "poll error"); 1196 goto shut; 1197 } 1198 if (crlf) { 1199 int j, lf_num; 1200 1201 i = read(fileno(stdin), cbuf, BUFSIZZ / 2); 1202 lf_num = 0; 1203 /* both loops are skipped when i <= 0 */ 1204 for (j = 0; j < i; j++) 1205 if (cbuf[j] == '\n') 1206 lf_num++; 1207 for (j = i - 1; j >= 0; j--) { 1208 cbuf[j + lf_num] = cbuf[j]; 1209 if (cbuf[j] == '\n') { 1210 lf_num--; 1211 i++; 1212 cbuf[j + lf_num] = '\r'; 1213 } 1214 } 1215 assert(lf_num == 0); 1216 } else 1217 i = read(fileno(stdin), cbuf, BUFSIZZ); 1218 1219 if ((!c_ign_eof) && ((i <= 0) || (cbuf[0] == 'Q'))) { 1220 BIO_printf(bio_err, "DONE\n"); 1221 ret = 0; 1222 goto shut; 1223 } 1224 if ((!c_ign_eof) && (cbuf[0] == 'R')) { 1225 BIO_printf(bio_err, "RENEGOTIATING\n"); 1226 SSL_renegotiate(con); 1227 cbuf_len = 0; 1228 } else { 1229 cbuf_len = i; 1230 cbuf_off = 0; 1231 } 1232 1233 write_ssl = 1; 1234 read_tty = 0; 1235 } 1236 } 1237 1238 ret = 0; 1239shut: 1240 if (in_init) 1241 print_stuff(bio_c_out, con, full_log); 1242 SSL_shutdown(con); 1243 shutdown(SSL_get_fd(con), SHUT_RD); 1244 close(SSL_get_fd(con)); 1245end: 1246 if (con != NULL) { 1247 if (prexit != 0) 1248 print_stuff(bio_c_out, con, 1); 1249 SSL_free(con); 1250 } 1251 free(next_proto.data); 1252 if (ctx != NULL) 1253 SSL_CTX_free(ctx); 1254 if (cert) 1255 X509_free(cert); 1256 if (key) 1257 EVP_PKEY_free(key); 1258 free(pass); 1259 if (vpm) 1260 X509_VERIFY_PARAM_free(vpm); 1261 if (cbuf != NULL) { 1262 explicit_bzero(cbuf, BUFSIZZ); 1263 free(cbuf); 1264 } 1265 if (sbuf != NULL) { 1266 explicit_bzero(sbuf, BUFSIZZ); 1267 free(sbuf); 1268 } 1269 if (mbuf != NULL) { 1270 explicit_bzero(mbuf, BUFSIZZ); 1271 free(mbuf); 1272 } 1273 if (bio_c_out != NULL) { 1274 BIO_free(bio_c_out); 1275 bio_c_out = NULL; 1276 } 1277 1278 return (ret); 1279} 1280 1281 1282static void 1283print_stuff(BIO * bio, SSL * s, int full) 1284{ 1285 X509 *peer = NULL; 1286 char *p; 1287 static const char *space = " "; 1288 char buf[BUFSIZ]; 1289 STACK_OF(X509) * sk; 1290 STACK_OF(X509_NAME) * sk2; 1291 const SSL_CIPHER *c; 1292 X509_NAME *xn; 1293 int j, i; 1294 unsigned char *exportedkeymat; 1295 1296 if (full) { 1297 int got_a_chain = 0; 1298 1299 sk = SSL_get_peer_cert_chain(s); 1300 if (sk != NULL) { 1301 got_a_chain = 1; /* we don't have it for SSL2 1302 * (yet) */ 1303 1304 BIO_printf(bio, "---\nCertificate chain\n"); 1305 for (i = 0; i < sk_X509_num(sk); i++) { 1306 X509_NAME_oneline(X509_get_subject_name( 1307 sk_X509_value(sk, i)), buf, sizeof buf); 1308 BIO_printf(bio, "%2d s:%s\n", i, buf); 1309 X509_NAME_oneline(X509_get_issuer_name( 1310 sk_X509_value(sk, i)), buf, sizeof buf); 1311 BIO_printf(bio, " i:%s\n", buf); 1312 if (c_showcerts) 1313 PEM_write_bio_X509(bio, sk_X509_value(sk, i)); 1314 } 1315 } 1316 BIO_printf(bio, "---\n"); 1317 peer = SSL_get_peer_certificate(s); 1318 if (peer != NULL) { 1319 BIO_printf(bio, "Server certificate\n"); 1320 if (!(c_showcerts && got_a_chain)) /* Redundant if we 1321 * showed the whole 1322 * chain */ 1323 PEM_write_bio_X509(bio, peer); 1324 X509_NAME_oneline(X509_get_subject_name(peer), 1325 buf, sizeof buf); 1326 BIO_printf(bio, "subject=%s\n", buf); 1327 X509_NAME_oneline(X509_get_issuer_name(peer), 1328 buf, sizeof buf); 1329 BIO_printf(bio, "issuer=%s\n", buf); 1330 } else 1331 BIO_printf(bio, "no peer certificate available\n"); 1332 1333 sk2 = SSL_get_client_CA_list(s); 1334 if ((sk2 != NULL) && (sk_X509_NAME_num(sk2) > 0)) { 1335 BIO_printf(bio, "---\nAcceptable client certificate CA names\n"); 1336 for (i = 0; i < sk_X509_NAME_num(sk2); i++) { 1337 xn = sk_X509_NAME_value(sk2, i); 1338 X509_NAME_oneline(xn, buf, sizeof(buf)); 1339 BIO_write(bio, buf, strlen(buf)); 1340 BIO_write(bio, "\n", 1); 1341 } 1342 } else { 1343 BIO_printf(bio, "---\nNo client certificate CA names sent\n"); 1344 } 1345 p = SSL_get_shared_ciphers(s, buf, sizeof buf); 1346 if (p != NULL) { 1347 /* 1348 * This works only for SSL 2. In later protocol 1349 * versions, the client does not know what other 1350 * ciphers (in addition to the one to be used in the 1351 * current connection) the server supports. 1352 */ 1353 1354 BIO_printf(bio, "---\nCiphers common between both SSL endpoints:\n"); 1355 j = i = 0; 1356 while (*p) { 1357 if (*p == ':') { 1358 BIO_write(bio, space, 15 - j % 25); 1359 i++; 1360 j = 0; 1361 BIO_write(bio, ((i % 3) ? " " : "\n"), 1); 1362 } else { 1363 BIO_write(bio, p, 1); 1364 j++; 1365 } 1366 p++; 1367 } 1368 BIO_write(bio, "\n", 1); 1369 } 1370 BIO_printf(bio, "---\nSSL handshake has read %ld bytes and written %ld bytes\n", 1371 BIO_number_read(SSL_get_rbio(s)), 1372 BIO_number_written(SSL_get_wbio(s))); 1373 } 1374 BIO_printf(bio, (SSL_cache_hit(s) ? "---\nReused, " : "---\nNew, ")); 1375 c = SSL_get_current_cipher(s); 1376 BIO_printf(bio, "%s, Cipher is %s\n", 1377 SSL_CIPHER_get_version(c), 1378 SSL_CIPHER_get_name(c)); 1379 if (peer != NULL) { 1380 EVP_PKEY *pktmp; 1381 pktmp = X509_get_pubkey(peer); 1382 BIO_printf(bio, "Server public key is %d bit\n", 1383 EVP_PKEY_bits(pktmp)); 1384 EVP_PKEY_free(pktmp); 1385 } 1386 BIO_printf(bio, "Secure Renegotiation IS%s supported\n", 1387 SSL_get_secure_renegotiation_support(s) ? "" : " NOT"); 1388 1389 /* Compression is not supported and will always be none. */ 1390 BIO_printf(bio, "Compression: NONE\n"); 1391 BIO_printf(bio, "Expansion: NONE\n"); 1392 1393#ifdef SSL_DEBUG 1394 { 1395 /* Print out local port of connection: useful for debugging */ 1396 int sock; 1397 struct sockaddr_in ladd; 1398 socklen_t ladd_size = sizeof(ladd); 1399 sock = SSL_get_fd(s); 1400 getsockname(sock, (struct sockaddr *) & ladd, &ladd_size); 1401 BIO_printf(bio_c_out, "LOCAL PORT is %u\n", ntohs(ladd.sin_port)); 1402 } 1403#endif 1404 1405 if (next_proto.status != -1) { 1406 const unsigned char *proto; 1407 unsigned int proto_len; 1408 SSL_get0_next_proto_negotiated(s, &proto, &proto_len); 1409 BIO_printf(bio, "Next protocol: (%d) ", next_proto.status); 1410 BIO_write(bio, proto, proto_len); 1411 BIO_write(bio, "\n", 1); 1412 } 1413 { 1414 const unsigned char *proto; 1415 unsigned int proto_len; 1416 SSL_get0_alpn_selected(s, &proto, &proto_len); 1417 if (proto_len > 0) { 1418 BIO_printf(bio, "ALPN protocol: "); 1419 BIO_write(bio, proto, proto_len); 1420 BIO_write(bio, "\n", 1); 1421 } else 1422 BIO_printf(bio, "No ALPN negotiated\n"); 1423 } 1424 1425#ifndef OPENSSL_NO_SRTP 1426 { 1427 SRTP_PROTECTION_PROFILE *srtp_profile = SSL_get_selected_srtp_profile(s); 1428 1429 if (srtp_profile) 1430 BIO_printf(bio, "SRTP Extension negotiated, profile=%s\n", 1431 srtp_profile->name); 1432 } 1433#endif 1434 1435 SSL_SESSION_print(bio, SSL_get_session(s)); 1436 if (keymatexportlabel != NULL) { 1437 BIO_printf(bio, "Keying material exporter:\n"); 1438 BIO_printf(bio, " Label: '%s'\n", keymatexportlabel); 1439 BIO_printf(bio, " Length: %i bytes\n", keymatexportlen); 1440 exportedkeymat = malloc(keymatexportlen); 1441 if (exportedkeymat != NULL) { 1442 if (!SSL_export_keying_material(s, exportedkeymat, 1443 keymatexportlen, 1444 keymatexportlabel, 1445 strlen(keymatexportlabel), 1446 NULL, 0, 0)) { 1447 BIO_printf(bio, " Error\n"); 1448 } else { 1449 BIO_printf(bio, " Keying material: "); 1450 for (i = 0; i < keymatexportlen; i++) 1451 BIO_printf(bio, "%02X", 1452 exportedkeymat[i]); 1453 BIO_printf(bio, "\n"); 1454 } 1455 free(exportedkeymat); 1456 } 1457 } 1458 BIO_printf(bio, "---\n"); 1459 if (peer != NULL) 1460 X509_free(peer); 1461 /* flush, or debugging output gets mixed with http response */ 1462 (void) BIO_flush(bio); 1463} 1464 1465 1466static int 1467ocsp_resp_cb(SSL * s, void *arg) 1468{ 1469 const unsigned char *p; 1470 int len; 1471 OCSP_RESPONSE *rsp; 1472 len = SSL_get_tlsext_status_ocsp_resp(s, &p); 1473 BIO_puts(arg, "OCSP response: "); 1474 if (!p) { 1475 BIO_puts(arg, "no response sent\n"); 1476 return 1; 1477 } 1478 rsp = d2i_OCSP_RESPONSE(NULL, &p, len); 1479 if (!rsp) { 1480 BIO_puts(arg, "response parse error\n"); 1481 BIO_dump_indent(arg, (char *) p, len, 4); 1482 return 0; 1483 } 1484 BIO_puts(arg, "\n======================================\n"); 1485 OCSP_RESPONSE_print(arg, rsp, 0); 1486 BIO_puts(arg, "======================================\n"); 1487 OCSP_RESPONSE_free(rsp); 1488 return 1; 1489} 1490 1491