1 /* $OpenBSD: s_client.c,v 1.46 2020/05/23 12:52:54 tb Exp $ */ 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 /* ==================================================================== 59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111 /* ==================================================================== 112 * Copyright 2005 Nokia. All rights reserved. 113 * 114 * The portions of the attached software ("Contribution") is developed by 115 * Nokia Corporation and is licensed pursuant to the OpenSSL open source 116 * license. 117 * 118 * The Contribution, originally written by Mika Kousa and Pasi Eronen of 119 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites 120 * support (see RFC 4279) to OpenSSL. 121 * 122 * No patent licenses or other rights except those expressly stated in 123 * the OpenSSL open source license shall be deemed granted or received 124 * expressly, by implication, estoppel, or otherwise. 125 * 126 * No assurances are provided by Nokia that the Contribution does not 127 * infringe the patent or other intellectual property rights of any third 128 * party or that the license provides you with all the necessary rights 129 * to make use of the Contribution. 130 * 131 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN 132 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA 133 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY 134 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR 135 * OTHERWISE. 136 */ 137 138 #include <sys/types.h> 139 #include <sys/socket.h> 140 141 #include <netinet/in.h> 142 143 #include <assert.h> 144 #include <ctype.h> 145 #include <limits.h> 146 #include <netdb.h> 147 #include <stdio.h> 148 #include <stdlib.h> 149 #include <string.h> 150 #include <unistd.h> 151 #include <poll.h> 152 153 #include "apps.h" 154 155 #include <openssl/bn.h> 156 #include <openssl/err.h> 157 #include <openssl/ocsp.h> 158 #include <openssl/pem.h> 159 #include <openssl/ssl.h> 160 #include <openssl/x509.h> 161 162 #include "s_apps.h" 163 #include "timeouts.h" 164 165 /*#define SSL_HOST_NAME "www.netscape.com" */ 166 /*#define SSL_HOST_NAME "193.118.187.102" */ 167 #define SSL_HOST_NAME "localhost" 168 169 /*#define TEST_CERT "client.pem" *//* no default cert. */ 170 171 #define BUFSIZZ 1024*8 172 173 static int c_nbio = 0; 174 static int c_Pause = 0; 175 static int c_debug = 0; 176 static int c_tlsextdebug = 0; 177 static int c_status_req = 0; 178 static int c_msg = 0; 179 static int c_showcerts = 0; 180 181 static char *keymatexportlabel = NULL; 182 static int keymatexportlen = 20; 183 184 static void sc_usage(void); 185 static void print_stuff(BIO * berr, SSL * con, int full); 186 static int ocsp_resp_cb(SSL * s, void *arg); 187 static BIO *bio_c_out = NULL; 188 static int c_quiet = 0; 189 static int c_ign_eof = 0; 190 191 192 static void 193 sc_usage(void) 194 { 195 BIO_printf(bio_err, "usage: s_client args\n"); 196 BIO_printf(bio_err, "\n"); 197 BIO_printf(bio_err, " -4 - Force IPv4\n"); 198 BIO_printf(bio_err, " -6 - Force IPv6\n"); 199 BIO_printf(bio_err, " -host host - use -connect instead\n"); 200 BIO_printf(bio_err, " -port port - use -connect instead\n"); 201 BIO_printf(bio_err, " -connect host:port - who to connect to (default is %s:%s)\n", SSL_HOST_NAME, PORT_STR); 202 BIO_printf(bio_err, " -proxy host:port - connect to http proxy\n"); 203 204 BIO_printf(bio_err, " -verify arg - turn on peer certificate verification\n"); 205 BIO_printf(bio_err, " -cert arg - certificate file to use, PEM format assumed\n"); 206 BIO_printf(bio_err, " -certform arg - certificate format (PEM or DER) PEM default\n"); 207 BIO_printf(bio_err, " -key arg - Private key file to use, in cert file if\n"); 208 BIO_printf(bio_err, " not specified but cert file is.\n"); 209 BIO_printf(bio_err, " -keyform arg - key format (PEM or DER) PEM default\n"); 210 BIO_printf(bio_err, " -pass arg - private key file pass phrase source\n"); 211 BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n"); 212 BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n"); 213 BIO_printf(bio_err, " -reconnect - Drop and re-make the connection with the same Session-ID\n"); 214 BIO_printf(bio_err, " -pause - sleep(1) after each read(2) and write(2) system call\n"); 215 BIO_printf(bio_err, " -showcerts - show all certificates in the chain\n"); 216 BIO_printf(bio_err, " -debug - extra output\n"); 217 BIO_printf(bio_err, " -msg - Show protocol messages\n"); 218 BIO_printf(bio_err, " -nbio_test - more ssl protocol testing\n"); 219 BIO_printf(bio_err, " -state - print the 'ssl' states\n"); 220 BIO_printf(bio_err, " -nbio - Run with non-blocking IO\n"); 221 BIO_printf(bio_err, " -crlf - convert LF from terminal into CRLF\n"); 222 BIO_printf(bio_err, " -quiet - no s_client output\n"); 223 BIO_printf(bio_err, " -ign_eof - ignore input eof (default when -quiet)\n"); 224 BIO_printf(bio_err, " -no_ign_eof - don't ignore input eof\n"); 225 BIO_printf(bio_err, " -tls1_3 - just use TLSv1.3\n"); 226 BIO_printf(bio_err, " -tls1_2 - just use TLSv1.2\n"); 227 BIO_printf(bio_err, " -tls1_1 - just use TLSv1.1\n"); 228 BIO_printf(bio_err, " -tls1 - just use TLSv1\n"); 229 BIO_printf(bio_err, " -dtls1 - just use DTLSv1\n"); 230 BIO_printf(bio_err, " -mtu - set the link layer MTU\n"); 231 BIO_printf(bio_err, " -no_tls1_3/-no_tls1_2/-no_tls1_1/-no_tls1 - turn off that protocol\n"); 232 BIO_printf(bio_err, " -bugs - Switch on all SSL implementation bug workarounds\n"); 233 BIO_printf(bio_err, " -cipher - preferred cipher to use, use the 'openssl ciphers'\n"); 234 BIO_printf(bio_err, " command to see what is available\n"); 235 BIO_printf(bio_err, " -starttls prot - use the STARTTLS command before starting TLS\n"); 236 BIO_printf(bio_err, " for those protocols that support it, where\n"); 237 BIO_printf(bio_err, " 'prot' defines which one to assume. Currently,\n"); 238 BIO_printf(bio_err, " only \"smtp\", \"lmtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n"); 239 BIO_printf(bio_err, " are supported.\n"); 240 BIO_printf(bio_err, " -xmpphost host - connect to this virtual host on the xmpp server\n"); 241 BIO_printf(bio_err, " -sess_out arg - file to write SSL session to\n"); 242 BIO_printf(bio_err, " -sess_in arg - file to read SSL session from\n"); 243 BIO_printf(bio_err, " -servername host - Set TLS extension servername in ClientHello\n"); 244 BIO_printf(bio_err, " -tlsextdebug - hex dump of all TLS extensions received\n"); 245 BIO_printf(bio_err, " -status - request certificate status from server\n"); 246 BIO_printf(bio_err, " -no_ticket - disable use of RFC4507bis session tickets\n"); 247 BIO_printf(bio_err, " -alpn arg - enable ALPN extension, considering named protocols supported (comma-separated list)\n"); 248 BIO_printf(bio_err, " -groups arg - specify EC groups (colon-separated list)\n"); 249 #ifndef OPENSSL_NO_SRTP 250 BIO_printf(bio_err, " -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n"); 251 #endif 252 BIO_printf(bio_err, " -keymatexport label - Export keying material using label\n"); 253 BIO_printf(bio_err, " -keymatexportlen len - Export len bytes of keying material (default 20)\n"); 254 } 255 256 257 /* This is a context that we pass to callbacks */ 258 typedef struct tlsextctx_st { 259 BIO *biodebug; 260 int ack; 261 } tlsextctx; 262 263 264 static int 265 ssl_servername_cb(SSL * s, int *ad, void *arg) 266 { 267 tlsextctx *p = (tlsextctx *) arg; 268 const char *hn = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name); 269 if (SSL_get_servername_type(s) != -1) 270 p->ack = !SSL_session_reused(s) && hn != NULL; 271 else 272 BIO_printf(bio_err, "Can't use SSL_get_servername\n"); 273 274 return SSL_TLSEXT_ERR_OK; 275 } 276 277 #ifndef OPENSSL_NO_SRTP 278 char *srtp_profiles = NULL; 279 #endif 280 281 enum { 282 PROTO_OFF = 0, 283 PROTO_SMTP, 284 PROTO_LMTP, 285 PROTO_POP3, 286 PROTO_IMAP, 287 PROTO_FTP, 288 PROTO_XMPP 289 }; 290 291 int 292 s_client_main(int argc, char **argv) 293 { 294 unsigned int off = 0, clr = 0; 295 SSL *con = NULL; 296 int s, k, p = 0, pending = 0, state = 0, af = AF_UNSPEC; 297 char *cbuf = NULL, *sbuf = NULL, *mbuf = NULL, *pbuf = NULL; 298 int cbuf_len, cbuf_off; 299 int sbuf_len, sbuf_off; 300 int pbuf_len, pbuf_off; 301 char *port = PORT_STR; 302 int full_log = 1; 303 char *host = SSL_HOST_NAME; 304 char *xmpphost = NULL; 305 char *proxy = NULL, *connect = NULL; 306 char *cert_file = NULL, *key_file = NULL; 307 int cert_format = FORMAT_PEM, key_format = FORMAT_PEM; 308 char *passarg = NULL, *pass = NULL; 309 X509 *cert = NULL; 310 EVP_PKEY *key = NULL; 311 char *CApath = NULL, *CAfile = NULL, *cipher = NULL; 312 int reconnect = 0, badop = 0, verify = SSL_VERIFY_NONE, bugs = 0; 313 int crlf = 0; 314 int write_tty, read_tty, write_ssl, read_ssl, tty_on, ssl_pending; 315 SSL_CTX *ctx = NULL; 316 int ret = 1, in_init = 1, i, nbio_test = 0; 317 int starttls_proto = PROTO_OFF; 318 int prexit = 0; 319 int peekaboo = 0; 320 X509_VERIFY_PARAM *vpm = NULL; 321 int badarg = 0; 322 const SSL_METHOD *meth = NULL; 323 int socket_type = SOCK_STREAM; 324 BIO *sbio; 325 int mbuf_len = 0; 326 struct timeval timeout; 327 const char *errstr = NULL; 328 char *servername = NULL; 329 tlsextctx tlsextcbp = {NULL, 0}; 330 const char *alpn_in = NULL; 331 const char *groups_in = NULL; 332 char *sess_in = NULL; 333 char *sess_out = NULL; 334 struct sockaddr_storage peer; 335 int peerlen = sizeof(peer); 336 int enable_timeouts = 0; 337 long socket_mtu = 0; 338 uint16_t min_version = 0, max_version = 0; 339 340 if (single_execution) { 341 if (pledge("stdio cpath wpath rpath inet dns tty", NULL) == -1) { 342 perror("pledge"); 343 exit(1); 344 } 345 } 346 347 meth = TLS_client_method(); 348 349 c_Pause = 0; 350 c_quiet = 0; 351 c_ign_eof = 0; 352 c_debug = 0; 353 c_msg = 0; 354 c_showcerts = 0; 355 356 if (((cbuf = malloc(BUFSIZZ)) == NULL) || 357 ((sbuf = malloc(BUFSIZZ)) == NULL) || 358 ((pbuf = malloc(BUFSIZZ)) == NULL) || 359 ((mbuf = malloc(BUFSIZZ + 1)) == NULL)) { /* NUL byte */ 360 BIO_printf(bio_err, "out of memory\n"); 361 goto end; 362 } 363 verify_depth = 0; 364 c_nbio = 0; 365 366 argc--; 367 argv++; 368 while (argc >= 1) { 369 if (strcmp(*argv, "-host") == 0) { 370 if (--argc < 1) 371 goto bad; 372 host = *(++argv); 373 } else if (strcmp(*argv, "-port") == 0) { 374 if (--argc < 1) 375 goto bad; 376 port = *(++argv); 377 if (port == NULL || *port == '\0') 378 goto bad; 379 } else if (strcmp(*argv, "-connect") == 0) { 380 if (--argc < 1) 381 goto bad; 382 connect = *(++argv); 383 } else if (strcmp(*argv, "-proxy") == 0) { 384 if (--argc < 1) 385 goto bad; 386 proxy = *(++argv); 387 } else if (strcmp(*argv,"-xmpphost") == 0) { 388 if (--argc < 1) 389 goto bad; 390 xmpphost= *(++argv); 391 } else if (strcmp(*argv, "-verify") == 0) { 392 verify = SSL_VERIFY_PEER; 393 if (--argc < 1) 394 goto bad; 395 verify_depth = strtonum(*(++argv), 0, INT_MAX, &errstr); 396 if (errstr) 397 goto bad; 398 BIO_printf(bio_err, "verify depth is %d\n", verify_depth); 399 } else if (strcmp(*argv, "-cert") == 0) { 400 if (--argc < 1) 401 goto bad; 402 cert_file = *(++argv); 403 } else if (strcmp(*argv, "-sess_out") == 0) { 404 if (--argc < 1) 405 goto bad; 406 sess_out = *(++argv); 407 } else if (strcmp(*argv, "-sess_in") == 0) { 408 if (--argc < 1) 409 goto bad; 410 sess_in = *(++argv); 411 } else if (strcmp(*argv, "-certform") == 0) { 412 if (--argc < 1) 413 goto bad; 414 cert_format = str2fmt(*(++argv)); 415 } else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm)) { 416 if (badarg) 417 goto bad; 418 continue; 419 } else if (strcmp(*argv, "-verify_return_error") == 0) 420 verify_return_error = 1; 421 else if (strcmp(*argv, "-prexit") == 0) 422 prexit = 1; 423 else if (strcmp(*argv, "-peekaboo") == 0) 424 peekaboo = 1; 425 else if (strcmp(*argv, "-crlf") == 0) 426 crlf = 1; 427 else if (strcmp(*argv, "-quiet") == 0) { 428 c_quiet = 1; 429 c_ign_eof = 1; 430 } else if (strcmp(*argv, "-ign_eof") == 0) 431 c_ign_eof = 1; 432 else if (strcmp(*argv, "-no_ign_eof") == 0) 433 c_ign_eof = 0; 434 else if (strcmp(*argv, "-pause") == 0) 435 c_Pause = 1; 436 else if (strcmp(*argv, "-debug") == 0) 437 c_debug = 1; 438 else if (strcmp(*argv, "-tlsextdebug") == 0) 439 c_tlsextdebug = 1; 440 else if (strcmp(*argv, "-status") == 0) 441 c_status_req = 1; 442 else if (strcmp(*argv, "-msg") == 0) 443 c_msg = 1; 444 else if (strcmp(*argv, "-showcerts") == 0) 445 c_showcerts = 1; 446 else if (strcmp(*argv, "-nbio_test") == 0) 447 nbio_test = 1; 448 else if (strcmp(*argv, "-state") == 0) 449 state = 1; 450 else if (strcmp(*argv, "-tls1_3") == 0) { 451 min_version = TLS1_3_VERSION; 452 max_version = TLS1_3_VERSION; 453 } else if (strcmp(*argv, "-tls1_2") == 0) { 454 min_version = TLS1_2_VERSION; 455 max_version = TLS1_2_VERSION; 456 } else if (strcmp(*argv, "-tls1_1") == 0) { 457 min_version = TLS1_1_VERSION; 458 max_version = TLS1_1_VERSION; 459 } else if (strcmp(*argv, "-tls1") == 0) { 460 min_version = TLS1_VERSION; 461 max_version = TLS1_VERSION; 462 #ifndef OPENSSL_NO_DTLS1 463 } else if (strcmp(*argv, "-dtls1") == 0) { 464 meth = DTLS_client_method(); 465 socket_type = SOCK_DGRAM; 466 } else if (strcmp(*argv, "-timeout") == 0) 467 enable_timeouts = 1; 468 else if (strcmp(*argv, "-mtu") == 0) { 469 if (--argc < 1) 470 goto bad; 471 socket_mtu = strtonum(*(++argv), 0, LONG_MAX, &errstr); 472 if (errstr) 473 goto bad; 474 } 475 #endif 476 else if (strcmp(*argv, "-bugs") == 0) 477 bugs = 1; 478 else if (strcmp(*argv, "-keyform") == 0) { 479 if (--argc < 1) 480 goto bad; 481 key_format = str2fmt(*(++argv)); 482 } else if (strcmp(*argv, "-pass") == 0) { 483 if (--argc < 1) 484 goto bad; 485 passarg = *(++argv); 486 } else if (strcmp(*argv, "-key") == 0) { 487 if (--argc < 1) 488 goto bad; 489 key_file = *(++argv); 490 } else if (strcmp(*argv, "-reconnect") == 0) { 491 reconnect = 5; 492 } else if (strcmp(*argv, "-CApath") == 0) { 493 if (--argc < 1) 494 goto bad; 495 CApath = *(++argv); 496 } else if (strcmp(*argv, "-CAfile") == 0) { 497 if (--argc < 1) 498 goto bad; 499 CAfile = *(++argv); 500 } else if (strcmp(*argv, "-no_tls1_3") == 0) 501 off |= SSL_OP_NO_TLSv1_3; 502 else if (strcmp(*argv, "-no_tls1_2") == 0) 503 off |= SSL_OP_NO_TLSv1_2; 504 else if (strcmp(*argv, "-no_tls1_1") == 0) 505 off |= SSL_OP_NO_TLSv1_1; 506 else if (strcmp(*argv, "-no_tls1") == 0) 507 off |= SSL_OP_NO_TLSv1; 508 else if (strcmp(*argv, "-no_ssl3") == 0) 509 off |= SSL_OP_NO_SSLv3; 510 else if (strcmp(*argv, "-no_ssl2") == 0) 511 off |= SSL_OP_NO_SSLv2; 512 else if (strcmp(*argv, "-no_comp") == 0) { 513 off |= SSL_OP_NO_COMPRESSION; 514 } else if (strcmp(*argv, "-no_ticket") == 0) { 515 off |= SSL_OP_NO_TICKET; 516 } else if (strcmp(*argv, "-nextprotoneg") == 0) { 517 /* Ignored. */ 518 if (--argc < 1) 519 goto bad; 520 ++argv; 521 } else if (strcmp(*argv, "-alpn") == 0) { 522 if (--argc < 1) 523 goto bad; 524 alpn_in = *(++argv); 525 } else if (strcmp(*argv, "-groups") == 0) { 526 if (--argc < 1) 527 goto bad; 528 groups_in = *(++argv); 529 } else if (strcmp(*argv, "-serverpref") == 0) 530 off |= SSL_OP_CIPHER_SERVER_PREFERENCE; 531 else if (strcmp(*argv, "-legacy_renegotiation") == 0) 532 ; /* no-op */ 533 else if (strcmp(*argv, "-legacy_server_connect") == 0) { 534 off |= SSL_OP_LEGACY_SERVER_CONNECT; 535 } else if (strcmp(*argv, "-no_legacy_server_connect") == 0) { 536 clr |= SSL_OP_LEGACY_SERVER_CONNECT; 537 } else if (strcmp(*argv, "-cipher") == 0) { 538 if (--argc < 1) 539 goto bad; 540 cipher = *(++argv); 541 } 542 else if (strcmp(*argv, "-nbio") == 0) { 543 c_nbio = 1; 544 } 545 else if (strcmp(*argv, "-starttls") == 0) { 546 if (--argc < 1) 547 goto bad; 548 ++argv; 549 if (strcmp(*argv, "smtp") == 0) 550 starttls_proto = PROTO_SMTP; 551 else if (strcmp(*argv, "lmtp") == 0) 552 starttls_proto = PROTO_LMTP; 553 else if (strcmp(*argv, "pop3") == 0) 554 starttls_proto = PROTO_POP3; 555 else if (strcmp(*argv, "imap") == 0) 556 starttls_proto = PROTO_IMAP; 557 else if (strcmp(*argv, "ftp") == 0) 558 starttls_proto = PROTO_FTP; 559 else if (strcmp(*argv, "xmpp") == 0) 560 starttls_proto = PROTO_XMPP; 561 else 562 goto bad; 563 } else if (strcmp(*argv, "-4") == 0) { 564 af = AF_INET; 565 } else if (strcmp(*argv, "-6") == 0) { 566 af = AF_INET6; 567 } else if (strcmp(*argv, "-servername") == 0) { 568 if (--argc < 1) 569 goto bad; 570 servername = *(++argv); 571 } 572 #ifndef OPENSSL_NO_SRTP 573 else if (strcmp(*argv, "-use_srtp") == 0) { 574 if (--argc < 1) 575 goto bad; 576 srtp_profiles = *(++argv); 577 } 578 #endif 579 else if (strcmp(*argv, "-keymatexport") == 0) { 580 if (--argc < 1) 581 goto bad; 582 keymatexportlabel = *(++argv); 583 } else if (strcmp(*argv, "-keymatexportlen") == 0) { 584 if (--argc < 1) 585 goto bad; 586 keymatexportlen = strtonum(*(++argv), 1, INT_MAX, &errstr); 587 if (errstr) 588 goto bad; 589 } else { 590 BIO_printf(bio_err, "unknown option %s\n", *argv); 591 badop = 1; 592 break; 593 } 594 argc--; 595 argv++; 596 } 597 if (proxy != NULL) { 598 if (!extract_host_port(proxy, &host, NULL, &port)) 599 goto bad; 600 if (connect == NULL) 601 connect = SSL_HOST_NAME; 602 } else if (connect != NULL) { 603 if (!extract_host_port(connect, &host, NULL, &port)) 604 goto bad; 605 } 606 if (badop) { 607 bad: 608 if (errstr) 609 BIO_printf(bio_err, "invalid argument %s: %s\n", 610 *argv, errstr); 611 else 612 sc_usage(); 613 goto end; 614 } 615 616 if (!app_passwd(bio_err, passarg, NULL, &pass, NULL)) { 617 BIO_printf(bio_err, "Error getting password\n"); 618 goto end; 619 } 620 if (key_file == NULL) 621 key_file = cert_file; 622 623 624 if (key_file) { 625 626 key = load_key(bio_err, key_file, key_format, 0, pass, 627 "client certificate private key file"); 628 if (!key) { 629 ERR_print_errors(bio_err); 630 goto end; 631 } 632 } 633 if (cert_file) { 634 cert = load_cert(bio_err, cert_file, cert_format, 635 NULL, "client certificate file"); 636 637 if (!cert) { 638 ERR_print_errors(bio_err); 639 goto end; 640 } 641 } 642 if (bio_c_out == NULL) { 643 if (c_quiet && !c_debug && !c_msg) { 644 bio_c_out = BIO_new(BIO_s_null()); 645 } else { 646 if (bio_c_out == NULL) 647 bio_c_out = BIO_new_fp(stdout, BIO_NOCLOSE); 648 } 649 } 650 651 ctx = SSL_CTX_new(meth); 652 if (ctx == NULL) { 653 ERR_print_errors(bio_err); 654 goto end; 655 } 656 657 SSL_CTX_clear_mode(ctx, SSL_MODE_AUTO_RETRY); 658 659 if (vpm) 660 SSL_CTX_set1_param(ctx, vpm); 661 662 if (!SSL_CTX_set_min_proto_version(ctx, min_version)) 663 goto end; 664 if (!SSL_CTX_set_max_proto_version(ctx, max_version)) 665 goto end; 666 667 #ifndef OPENSSL_NO_SRTP 668 if (srtp_profiles != NULL) 669 SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles); 670 #endif 671 if (bugs) 672 SSL_CTX_set_options(ctx, SSL_OP_ALL | off); 673 else 674 SSL_CTX_set_options(ctx, off); 675 676 if (clr) 677 SSL_CTX_clear_options(ctx, clr); 678 /* 679 * DTLS: partial reads end up discarding unread UDP bytes :-( Setting 680 * read ahead solves this problem. 681 */ 682 if (socket_type == SOCK_DGRAM) 683 SSL_CTX_set_read_ahead(ctx, 1); 684 685 if (alpn_in) { 686 unsigned short alpn_len; 687 unsigned char *alpn = next_protos_parse(&alpn_len, alpn_in); 688 689 if (alpn == NULL) { 690 BIO_printf(bio_err, "Error parsing -alpn argument\n"); 691 goto end; 692 } 693 SSL_CTX_set_alpn_protos(ctx, alpn, alpn_len); 694 free(alpn); 695 } 696 if (groups_in != NULL) { 697 if (SSL_CTX_set1_groups_list(ctx, groups_in) != 1) { 698 BIO_printf(bio_err, "Failed to set groups '%s'\n", 699 groups_in); 700 goto end; 701 } 702 } 703 704 if (state) 705 SSL_CTX_set_info_callback(ctx, apps_ssl_info_callback); 706 if (cipher != NULL) 707 if (!SSL_CTX_set_cipher_list(ctx, cipher)) { 708 BIO_printf(bio_err, "error setting cipher list\n"); 709 ERR_print_errors(bio_err); 710 goto end; 711 } 712 713 SSL_CTX_set_verify(ctx, verify, verify_callback); 714 if (!set_cert_key_stuff(ctx, cert, key)) 715 goto end; 716 717 if ((CAfile || CApath) 718 && !SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) 719 ERR_print_errors(bio_err); 720 721 if (!SSL_CTX_set_default_verify_paths(ctx)) 722 ERR_print_errors(bio_err); 723 724 if (servername != NULL) { 725 tlsextcbp.biodebug = bio_err; 726 SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb); 727 SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp); 728 } 729 730 con = SSL_new(ctx); 731 if (sess_in) { 732 SSL_SESSION *sess; 733 BIO *stmp = BIO_new_file(sess_in, "r"); 734 if (!stmp) { 735 BIO_printf(bio_err, "Can't open session file %s\n", 736 sess_in); 737 ERR_print_errors(bio_err); 738 goto end; 739 } 740 sess = PEM_read_bio_SSL_SESSION(stmp, NULL, 0, NULL); 741 BIO_free(stmp); 742 if (!sess) { 743 BIO_printf(bio_err, "Can't open session file %s\n", 744 sess_in); 745 ERR_print_errors(bio_err); 746 goto end; 747 } 748 SSL_set_session(con, sess); 749 SSL_SESSION_free(sess); 750 } 751 if (servername != NULL) { 752 if (!SSL_set_tlsext_host_name(con, servername)) { 753 BIO_printf(bio_err, "Unable to set TLS servername extension.\n"); 754 ERR_print_errors(bio_err); 755 goto end; 756 } 757 } 758 /* SSL_set_cipher_list(con,"RC4-MD5"); */ 759 760 re_start: 761 762 if (init_client(&s, host, port, socket_type, af) == 0) { 763 BIO_printf(bio_err, "connect:errno=%d\n", errno); 764 goto end; 765 } 766 BIO_printf(bio_c_out, "CONNECTED(%08X)\n", s); 767 768 if (c_nbio) { 769 if (!c_quiet) 770 BIO_printf(bio_c_out, "turning on non blocking io\n"); 771 if (!BIO_socket_nbio(s, 1)) { 772 ERR_print_errors(bio_err); 773 goto end; 774 } 775 } 776 if (c_Pause & 0x01) 777 SSL_set_debug(con, 1); 778 779 if (SSL_version(con) == DTLS1_VERSION) { 780 781 sbio = BIO_new_dgram(s, BIO_NOCLOSE); 782 if (getsockname(s, (struct sockaddr *)&peer, 783 (void *)&peerlen) == -1) { 784 BIO_printf(bio_err, "getsockname:errno=%d\n", 785 errno); 786 shutdown(s, SHUT_RD); 787 close(s); 788 goto end; 789 } 790 (void) BIO_ctrl_set_connected(sbio, 1, &peer); 791 792 if (enable_timeouts) { 793 timeout.tv_sec = 0; 794 timeout.tv_usec = DGRAM_RCV_TIMEOUT; 795 BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout); 796 797 timeout.tv_sec = 0; 798 timeout.tv_usec = DGRAM_SND_TIMEOUT; 799 BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout); 800 } 801 if (socket_mtu > 28) { 802 SSL_set_options(con, SSL_OP_NO_QUERY_MTU); 803 SSL_set_mtu(con, socket_mtu - 28); 804 } else 805 /* want to do MTU discovery */ 806 BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL); 807 } else 808 sbio = BIO_new_socket(s, BIO_NOCLOSE); 809 810 if (nbio_test) { 811 BIO *test; 812 813 test = BIO_new(BIO_f_nbio_test()); 814 sbio = BIO_push(test, sbio); 815 } 816 if (c_debug) { 817 SSL_set_debug(con, 1); 818 BIO_set_callback(sbio, bio_dump_callback); 819 BIO_set_callback_arg(sbio, (char *) bio_c_out); 820 } 821 if (c_msg) { 822 SSL_set_msg_callback(con, msg_cb); 823 SSL_set_msg_callback_arg(con, bio_c_out); 824 } 825 if (c_tlsextdebug) { 826 SSL_set_tlsext_debug_callback(con, tlsext_cb); 827 SSL_set_tlsext_debug_arg(con, bio_c_out); 828 } 829 if (c_status_req) { 830 SSL_set_tlsext_status_type(con, TLSEXT_STATUSTYPE_ocsp); 831 SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb); 832 SSL_CTX_set_tlsext_status_arg(ctx, bio_c_out); 833 } 834 835 SSL_set_bio(con, sbio, sbio); 836 SSL_set_connect_state(con); 837 838 /* ok, lets connect */ 839 read_tty = 1; 840 write_tty = 0; 841 tty_on = 0; 842 read_ssl = 1; 843 write_ssl = 1; 844 845 cbuf_len = 0; 846 cbuf_off = 0; 847 sbuf_len = 0; 848 sbuf_off = 0; 849 pbuf_len = 0; 850 pbuf_off = 0; 851 852 /* This is an ugly hack that does a lot of assumptions */ 853 /* 854 * We do have to handle multi-line responses which may come in a 855 * single packet or not. We therefore have to use BIO_gets() which 856 * does need a buffering BIO. So during the initial chitchat we do 857 * push a buffering BIO into the chain that is removed again later on 858 * to not disturb the rest of the s_client operation. 859 */ 860 if (starttls_proto == PROTO_SMTP || starttls_proto == PROTO_LMTP) { 861 int foundit = 0; 862 BIO *fbio = BIO_new(BIO_f_buffer()); 863 BIO_push(fbio, sbio); 864 /* wait for multi-line response to end from SMTP */ 865 do { 866 mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ); 867 } 868 while (mbuf_len > 3 && mbuf[3] == '-'); 869 /* STARTTLS command requires EHLO... */ 870 BIO_printf(fbio, "%cHLO openssl.client.net\r\n", 871 starttls_proto == PROTO_SMTP ? 'E' : 'L'); 872 (void) BIO_flush(fbio); 873 /* wait for multi-line response to end EHLO SMTP response */ 874 do { 875 mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ); 876 if (strstr(mbuf, "STARTTLS")) 877 foundit = 1; 878 } 879 while (mbuf_len > 3 && mbuf[3] == '-'); 880 (void) BIO_flush(fbio); 881 BIO_pop(fbio); 882 BIO_free(fbio); 883 if (!foundit) 884 BIO_printf(bio_err, 885 "didn't find starttls in server response," 886 " try anyway...\n"); 887 BIO_printf(sbio, "STARTTLS\r\n"); 888 BIO_read(sbio, sbuf, BUFSIZZ); 889 } else if (starttls_proto == PROTO_POP3) { 890 mbuf_len = BIO_read(sbio, mbuf, BUFSIZZ); 891 if (mbuf_len == -1) { 892 BIO_printf(bio_err, "BIO_read failed\n"); 893 goto end; 894 } 895 BIO_printf(sbio, "STLS\r\n"); 896 BIO_read(sbio, sbuf, BUFSIZZ); 897 } else if (starttls_proto == PROTO_IMAP) { 898 int foundit = 0; 899 BIO *fbio = BIO_new(BIO_f_buffer()); 900 BIO_push(fbio, sbio); 901 BIO_gets(fbio, mbuf, BUFSIZZ); 902 /* STARTTLS command requires CAPABILITY... */ 903 BIO_printf(fbio, ". CAPABILITY\r\n"); 904 (void) BIO_flush(fbio); 905 /* wait for multi-line CAPABILITY response */ 906 do { 907 mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ); 908 if (strstr(mbuf, "STARTTLS")) 909 foundit = 1; 910 } 911 while (mbuf_len > 3 && mbuf[0] != '.'); 912 (void) BIO_flush(fbio); 913 BIO_pop(fbio); 914 BIO_free(fbio); 915 if (!foundit) 916 BIO_printf(bio_err, 917 "didn't find STARTTLS in server response," 918 " try anyway...\n"); 919 BIO_printf(sbio, ". STARTTLS\r\n"); 920 BIO_read(sbio, sbuf, BUFSIZZ); 921 } else if (starttls_proto == PROTO_FTP) { 922 BIO *fbio = BIO_new(BIO_f_buffer()); 923 BIO_push(fbio, sbio); 924 /* wait for multi-line response to end from FTP */ 925 do { 926 mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ); 927 } 928 while (mbuf_len > 3 && mbuf[3] == '-'); 929 (void) BIO_flush(fbio); 930 BIO_pop(fbio); 931 BIO_free(fbio); 932 BIO_printf(sbio, "AUTH TLS\r\n"); 933 BIO_read(sbio, sbuf, BUFSIZZ); 934 } else if (starttls_proto == PROTO_XMPP) { 935 int seen = 0; 936 BIO_printf(sbio, "<stream:stream " 937 "xmlns:stream='http://etherx.jabber.org/streams' " 938 "xmlns='jabber:client' to='%s' version='1.0'>", xmpphost ? xmpphost : host); 939 seen = BIO_read(sbio, mbuf, BUFSIZZ); 940 941 if (seen <= 0) 942 goto shut; 943 944 mbuf[seen] = 0; 945 while (!strstr(mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'") && 946 !strstr(mbuf, "<starttls xmlns=\"urn:ietf:params:xml:ns:xmpp-tls\"")) { 947 seen = BIO_read(sbio, mbuf, BUFSIZZ); 948 949 if (seen <= 0) 950 goto shut; 951 952 mbuf[seen] = 0; 953 } 954 BIO_printf(sbio, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"); 955 seen = BIO_read(sbio, sbuf, BUFSIZZ); 956 sbuf[seen] = 0; 957 if (!strstr(sbuf, "<proceed")) 958 goto shut; 959 mbuf[0] = 0; 960 } else if (proxy != NULL) { 961 BIO_printf(sbio, "CONNECT %s HTTP/1.0\r\n\r\n", connect); 962 mbuf_len = BIO_read(sbio, mbuf, BUFSIZZ); 963 if (mbuf_len == -1) { 964 BIO_printf(bio_err, "BIO_read failed\n"); 965 goto end; 966 } 967 } 968 for (;;) { 969 struct pollfd pfd[3]; /* stdin, stdout, socket */ 970 int ptimeout = -1; 971 972 if ((SSL_version(con) == DTLS1_VERSION) && 973 DTLSv1_get_timeout(con, &timeout)) 974 ptimeout = timeout.tv_sec * 1000 + timeout.tv_usec / 1000; 975 976 if (SSL_in_init(con) && !SSL_total_renegotiations(con)) { 977 in_init = 1; 978 tty_on = 0; 979 } else { 980 tty_on = 1; 981 if (in_init) { 982 in_init = 0; 983 if (sess_out) { 984 BIO *stmp = BIO_new_file(sess_out, "w"); 985 if (stmp) { 986 PEM_write_bio_SSL_SESSION(stmp, SSL_get_session(con)); 987 BIO_free(stmp); 988 } else 989 BIO_printf(bio_err, "Error writing session file %s\n", sess_out); 990 } 991 print_stuff(bio_c_out, con, full_log); 992 if (full_log > 0) 993 full_log--; 994 995 if (starttls_proto) { 996 BIO_write(bio_err, mbuf, mbuf_len); 997 /* We don't need to know any more */ 998 starttls_proto = PROTO_OFF; 999 } 1000 if (reconnect) { 1001 reconnect--; 1002 BIO_printf(bio_c_out, "drop connection and then reconnect\n"); 1003 SSL_shutdown(con); 1004 SSL_set_connect_state(con); 1005 shutdown(SSL_get_fd(con), SHUT_RD); 1006 close(SSL_get_fd(con)); 1007 goto re_start; 1008 } 1009 } 1010 } 1011 1012 ssl_pending = read_ssl && SSL_pending(con); 1013 1014 pfd[0].fd = -1; 1015 pfd[1].fd = -1; 1016 if (!ssl_pending) { 1017 if (tty_on) { 1018 if (read_tty) { 1019 pfd[0].fd = fileno(stdin); 1020 pfd[0].events = POLLIN; 1021 } 1022 if (write_tty) { 1023 pfd[1].fd = fileno(stdout); 1024 pfd[1].events = POLLOUT; 1025 } 1026 } 1027 1028 pfd[2].fd = SSL_get_fd(con); 1029 pfd[2].events = 0; 1030 if (read_ssl) 1031 pfd[2].events |= POLLIN; 1032 if (write_ssl) 1033 pfd[2].events |= POLLOUT; 1034 1035 /* printf("mode tty(%d %d%d) ssl(%d%d)\n", 1036 tty_on,read_tty,write_tty,read_ssl,write_ssl);*/ 1037 1038 i = poll(pfd, 3, ptimeout); 1039 if (i == -1) { 1040 BIO_printf(bio_err, "bad select %d\n", 1041 errno); 1042 goto shut; 1043 /* goto end; */ 1044 } 1045 } 1046 if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0) { 1047 BIO_printf(bio_err, "TIMEOUT occured\n"); 1048 } 1049 if (!ssl_pending && (pfd[2].revents & (POLLOUT|POLLERR|POLLNVAL))) { 1050 if (pfd[2].revents & (POLLERR|POLLNVAL)) { 1051 BIO_printf(bio_err, "poll error"); 1052 goto shut; 1053 } 1054 k = SSL_write(con, &(cbuf[cbuf_off]), 1055 (unsigned int) cbuf_len); 1056 switch (SSL_get_error(con, k)) { 1057 case SSL_ERROR_NONE: 1058 cbuf_off += k; 1059 cbuf_len -= k; 1060 if (k <= 0) 1061 goto end; 1062 /* we have done a write(con,NULL,0); */ 1063 if (cbuf_len <= 0) { 1064 read_tty = 1; 1065 write_ssl = 0; 1066 } else { /* if (cbuf_len > 0) */ 1067 read_tty = 0; 1068 write_ssl = 1; 1069 } 1070 break; 1071 case SSL_ERROR_WANT_WRITE: 1072 BIO_printf(bio_c_out, "write W BLOCK\n"); 1073 write_ssl = 1; 1074 read_tty = 0; 1075 break; 1076 case SSL_ERROR_WANT_READ: 1077 BIO_printf(bio_c_out, "write R BLOCK\n"); 1078 write_tty = 0; 1079 read_ssl = 1; 1080 write_ssl = 0; 1081 break; 1082 case SSL_ERROR_WANT_X509_LOOKUP: 1083 BIO_printf(bio_c_out, "write X BLOCK\n"); 1084 break; 1085 case SSL_ERROR_ZERO_RETURN: 1086 if (cbuf_len != 0) { 1087 BIO_printf(bio_c_out, "shutdown\n"); 1088 ret = 0; 1089 goto shut; 1090 } else { 1091 read_tty = 1; 1092 write_ssl = 0; 1093 break; 1094 } 1095 1096 case SSL_ERROR_SYSCALL: 1097 if ((k != 0) || (cbuf_len != 0)) { 1098 BIO_printf(bio_err, "write:errno=%d\n", 1099 errno); 1100 goto shut; 1101 } else { 1102 read_tty = 1; 1103 write_ssl = 0; 1104 } 1105 break; 1106 case SSL_ERROR_SSL: 1107 ERR_print_errors(bio_err); 1108 goto shut; 1109 } 1110 } else if (!ssl_pending && 1111 (pfd[1].revents & (POLLOUT|POLLERR|POLLNVAL))) { 1112 if (pfd[1].revents & (POLLERR|POLLNVAL)) { 1113 BIO_printf(bio_err, "poll error"); 1114 goto shut; 1115 } 1116 i = write(fileno(stdout), &(sbuf[sbuf_off]), sbuf_len); 1117 1118 if (i <= 0) { 1119 BIO_printf(bio_c_out, "DONE\n"); 1120 ret = 0; 1121 goto shut; 1122 /* goto end; */ 1123 } 1124 sbuf_len -= i; 1125 sbuf_off += i; 1126 if (sbuf_len <= 0) { 1127 read_ssl = 1; 1128 write_tty = 0; 1129 } 1130 } else if (ssl_pending || (pfd[2].revents & (POLLIN|POLLHUP))) { 1131 #ifdef RENEG 1132 { 1133 static int iiii; 1134 if (++iiii == 52) { 1135 SSL_renegotiate(con); 1136 iiii = 0; 1137 } 1138 } 1139 #endif 1140 if (peekaboo) { 1141 k = p = SSL_peek(con, pbuf, 1024 /* BUFSIZZ */ ); 1142 pending = SSL_pending(con); 1143 if (SSL_get_error(con, p) == SSL_ERROR_NONE) { 1144 if (p <= 0) 1145 goto end; 1146 pbuf_off = 0; 1147 pbuf_len = p; 1148 1149 k = SSL_read(con, sbuf, p); 1150 } 1151 } else { 1152 k = SSL_read(con, sbuf, 1024 /* BUFSIZZ */ ); 1153 } 1154 1155 switch (SSL_get_error(con, k)) { 1156 case SSL_ERROR_NONE: 1157 if (k <= 0) 1158 goto end; 1159 sbuf_off = 0; 1160 sbuf_len = k; 1161 if (peekaboo) { 1162 if (p != pending) { 1163 ret = -1; 1164 BIO_printf(bio_err, 1165 "peeked %d but pending %d!\n", p, pending); 1166 goto shut; 1167 } 1168 if (k < p) { 1169 ret = -1; 1170 BIO_printf(bio_err, 1171 "read less than peek!\n"); 1172 goto shut; 1173 } 1174 if (p > 0 && (memcmp(sbuf, pbuf, p) != 0)) { 1175 ret = -1; 1176 BIO_printf(bio_err, 1177 "peek of %d different from read of %d!\n", 1178 p, k); 1179 goto shut; 1180 } 1181 } 1182 read_ssl = 0; 1183 write_tty = 1; 1184 break; 1185 case SSL_ERROR_WANT_WRITE: 1186 BIO_printf(bio_c_out, "read W BLOCK\n"); 1187 write_ssl = 1; 1188 read_tty = 0; 1189 break; 1190 case SSL_ERROR_WANT_READ: 1191 BIO_printf(bio_c_out, "read R BLOCK\n"); 1192 write_tty = 0; 1193 read_ssl = 1; 1194 if ((read_tty == 0) && (write_ssl == 0)) 1195 write_ssl = 1; 1196 break; 1197 case SSL_ERROR_WANT_X509_LOOKUP: 1198 BIO_printf(bio_c_out, "read X BLOCK\n"); 1199 break; 1200 case SSL_ERROR_SYSCALL: 1201 ret = errno; 1202 BIO_printf(bio_err, "read:errno=%d\n", ret); 1203 goto shut; 1204 case SSL_ERROR_ZERO_RETURN: 1205 BIO_printf(bio_c_out, "closed\n"); 1206 ret = 0; 1207 goto shut; 1208 case SSL_ERROR_SSL: 1209 ERR_print_errors(bio_err); 1210 goto shut; 1211 /* break; */ 1212 } 1213 } else if (pfd[0].revents) { 1214 if (pfd[0].revents & (POLLERR|POLLNVAL)) { 1215 BIO_printf(bio_err, "poll error"); 1216 goto shut; 1217 } 1218 if (crlf) { 1219 int j, lf_num; 1220 1221 i = read(fileno(stdin), cbuf, BUFSIZZ / 2); 1222 lf_num = 0; 1223 /* both loops are skipped when i <= 0 */ 1224 for (j = 0; j < i; j++) 1225 if (cbuf[j] == '\n') 1226 lf_num++; 1227 for (j = i - 1; j >= 0; j--) { 1228 cbuf[j + lf_num] = cbuf[j]; 1229 if (cbuf[j] == '\n') { 1230 lf_num--; 1231 i++; 1232 cbuf[j + lf_num] = '\r'; 1233 } 1234 } 1235 assert(lf_num == 0); 1236 } else 1237 i = read(fileno(stdin), cbuf, BUFSIZZ); 1238 1239 if ((!c_ign_eof) && ((i <= 0) || (cbuf[0] == 'Q'))) { 1240 BIO_printf(bio_err, "DONE\n"); 1241 ret = 0; 1242 goto shut; 1243 } 1244 if ((!c_ign_eof) && (cbuf[0] == 'R')) { 1245 BIO_printf(bio_err, "RENEGOTIATING\n"); 1246 SSL_renegotiate(con); 1247 cbuf_len = 0; 1248 } else { 1249 cbuf_len = i; 1250 cbuf_off = 0; 1251 } 1252 1253 write_ssl = 1; 1254 read_tty = 0; 1255 } 1256 } 1257 1258 ret = 0; 1259 shut: 1260 if (in_init) 1261 print_stuff(bio_c_out, con, full_log); 1262 SSL_shutdown(con); 1263 shutdown(SSL_get_fd(con), SHUT_RD); 1264 close(SSL_get_fd(con)); 1265 end: 1266 if (con != NULL) { 1267 if (prexit != 0) 1268 print_stuff(bio_c_out, con, 1); 1269 SSL_free(con); 1270 } 1271 SSL_CTX_free(ctx); 1272 X509_free(cert); 1273 EVP_PKEY_free(key); 1274 free(pass); 1275 X509_VERIFY_PARAM_free(vpm); 1276 freezero(cbuf, BUFSIZZ); 1277 freezero(sbuf, BUFSIZZ); 1278 freezero(mbuf, BUFSIZZ); 1279 if (bio_c_out != NULL) { 1280 BIO_free(bio_c_out); 1281 bio_c_out = NULL; 1282 } 1283 1284 return (ret); 1285 } 1286 1287 1288 static void 1289 print_stuff(BIO * bio, SSL * s, int full) 1290 { 1291 X509 *peer = NULL; 1292 char *p; 1293 static const char *space = " "; 1294 char buf[BUFSIZ]; 1295 STACK_OF(X509) * sk; 1296 STACK_OF(X509_NAME) * sk2; 1297 const SSL_CIPHER *c; 1298 X509_NAME *xn; 1299 int j, i; 1300 unsigned char *exportedkeymat; 1301 1302 if (full) { 1303 int got_a_chain = 0; 1304 1305 sk = SSL_get_peer_cert_chain(s); 1306 if (sk != NULL) { 1307 got_a_chain = 1; /* we don't have it for SSL2 1308 * (yet) */ 1309 1310 BIO_printf(bio, "---\nCertificate chain\n"); 1311 for (i = 0; i < sk_X509_num(sk); i++) { 1312 X509_NAME_oneline(X509_get_subject_name( 1313 sk_X509_value(sk, i)), buf, sizeof buf); 1314 BIO_printf(bio, "%2d s:%s\n", i, buf); 1315 X509_NAME_oneline(X509_get_issuer_name( 1316 sk_X509_value(sk, i)), buf, sizeof buf); 1317 BIO_printf(bio, " i:%s\n", buf); 1318 if (c_showcerts) 1319 PEM_write_bio_X509(bio, sk_X509_value(sk, i)); 1320 } 1321 } 1322 BIO_printf(bio, "---\n"); 1323 peer = SSL_get_peer_certificate(s); 1324 if (peer != NULL) { 1325 BIO_printf(bio, "Server certificate\n"); 1326 if (!(c_showcerts && got_a_chain)) /* Redundant if we 1327 * showed the whole 1328 * chain */ 1329 PEM_write_bio_X509(bio, peer); 1330 X509_NAME_oneline(X509_get_subject_name(peer), 1331 buf, sizeof buf); 1332 BIO_printf(bio, "subject=%s\n", buf); 1333 X509_NAME_oneline(X509_get_issuer_name(peer), 1334 buf, sizeof buf); 1335 BIO_printf(bio, "issuer=%s\n", buf); 1336 } else 1337 BIO_printf(bio, "no peer certificate available\n"); 1338 1339 sk2 = SSL_get_client_CA_list(s); 1340 if ((sk2 != NULL) && (sk_X509_NAME_num(sk2) > 0)) { 1341 BIO_printf(bio, "---\nAcceptable client certificate CA names\n"); 1342 for (i = 0; i < sk_X509_NAME_num(sk2); i++) { 1343 xn = sk_X509_NAME_value(sk2, i); 1344 X509_NAME_oneline(xn, buf, sizeof(buf)); 1345 BIO_write(bio, buf, strlen(buf)); 1346 BIO_write(bio, "\n", 1); 1347 } 1348 } else { 1349 BIO_printf(bio, "---\nNo client certificate CA names sent\n"); 1350 } 1351 p = SSL_get_shared_ciphers(s, buf, sizeof buf); 1352 if (p != NULL) { 1353 /* 1354 * This works only for SSL 2. In later protocol 1355 * versions, the client does not know what other 1356 * ciphers (in addition to the one to be used in the 1357 * current connection) the server supports. 1358 */ 1359 1360 BIO_printf(bio, "---\nCiphers common between both SSL endpoints:\n"); 1361 j = i = 0; 1362 while (*p) { 1363 if (*p == ':') { 1364 BIO_write(bio, space, 15 - j % 25); 1365 i++; 1366 j = 0; 1367 BIO_write(bio, ((i % 3) ? " " : "\n"), 1); 1368 } else { 1369 BIO_write(bio, p, 1); 1370 j++; 1371 } 1372 p++; 1373 } 1374 BIO_write(bio, "\n", 1); 1375 } 1376 1377 ssl_print_tmp_key(bio, s); 1378 1379 BIO_printf(bio, "---\nSSL handshake has read %ld bytes and written %ld bytes\n", 1380 BIO_number_read(SSL_get_rbio(s)), 1381 BIO_number_written(SSL_get_wbio(s))); 1382 } 1383 BIO_printf(bio, (SSL_cache_hit(s) ? "---\nReused, " : "---\nNew, ")); 1384 c = SSL_get_current_cipher(s); 1385 BIO_printf(bio, "%s, Cipher is %s\n", 1386 SSL_CIPHER_get_version(c), 1387 SSL_CIPHER_get_name(c)); 1388 if (peer != NULL) { 1389 EVP_PKEY *pktmp; 1390 pktmp = X509_get_pubkey(peer); 1391 BIO_printf(bio, "Server public key is %d bit\n", 1392 EVP_PKEY_bits(pktmp)); 1393 EVP_PKEY_free(pktmp); 1394 } 1395 BIO_printf(bio, "Secure Renegotiation IS%s supported\n", 1396 SSL_get_secure_renegotiation_support(s) ? "" : " NOT"); 1397 1398 /* Compression is not supported and will always be none. */ 1399 BIO_printf(bio, "Compression: NONE\n"); 1400 BIO_printf(bio, "Expansion: NONE\n"); 1401 1402 #ifdef SSL_DEBUG 1403 { 1404 /* Print out local port of connection: useful for debugging */ 1405 int sock; 1406 struct sockaddr_in ladd; 1407 socklen_t ladd_size = sizeof(ladd); 1408 sock = SSL_get_fd(s); 1409 getsockname(sock, (struct sockaddr *) & ladd, &ladd_size); 1410 BIO_printf(bio_c_out, "LOCAL PORT is %u\n", ntohs(ladd.sin_port)); 1411 } 1412 #endif 1413 1414 { 1415 const unsigned char *proto; 1416 unsigned int proto_len; 1417 SSL_get0_alpn_selected(s, &proto, &proto_len); 1418 if (proto_len > 0) { 1419 BIO_printf(bio, "ALPN protocol: "); 1420 BIO_write(bio, proto, proto_len); 1421 BIO_write(bio, "\n", 1); 1422 } else 1423 BIO_printf(bio, "No ALPN negotiated\n"); 1424 } 1425 1426 #ifndef OPENSSL_NO_SRTP 1427 { 1428 SRTP_PROTECTION_PROFILE *srtp_profile = SSL_get_selected_srtp_profile(s); 1429 1430 if (srtp_profile) 1431 BIO_printf(bio, "SRTP Extension negotiated, profile=%s\n", 1432 srtp_profile->name); 1433 } 1434 #endif 1435 1436 SSL_SESSION_print(bio, SSL_get_session(s)); 1437 if (keymatexportlabel != NULL) { 1438 BIO_printf(bio, "Keying material exporter:\n"); 1439 BIO_printf(bio, " Label: '%s'\n", keymatexportlabel); 1440 BIO_printf(bio, " Length: %i bytes\n", keymatexportlen); 1441 exportedkeymat = malloc(keymatexportlen); 1442 if (exportedkeymat != NULL) { 1443 if (!SSL_export_keying_material(s, exportedkeymat, 1444 keymatexportlen, 1445 keymatexportlabel, 1446 strlen(keymatexportlabel), 1447 NULL, 0, 0)) { 1448 BIO_printf(bio, " Error\n"); 1449 } else { 1450 BIO_printf(bio, " Keying material: "); 1451 for (i = 0; i < keymatexportlen; i++) 1452 BIO_printf(bio, "%02X", 1453 exportedkeymat[i]); 1454 BIO_printf(bio, "\n"); 1455 } 1456 free(exportedkeymat); 1457 } 1458 } 1459 BIO_printf(bio, "---\n"); 1460 X509_free(peer); 1461 /* flush, or debugging output gets mixed with http response */ 1462 (void) BIO_flush(bio); 1463 } 1464 1465 1466 static int 1467 ocsp_resp_cb(SSL * s, void *arg) 1468 { 1469 const unsigned char *p; 1470 int len; 1471 OCSP_RESPONSE *rsp; 1472 len = SSL_get_tlsext_status_ocsp_resp(s, &p); 1473 BIO_puts(arg, "OCSP response: "); 1474 if (!p) { 1475 BIO_puts(arg, "no response sent\n"); 1476 return 1; 1477 } 1478 rsp = d2i_OCSP_RESPONSE(NULL, &p, len); 1479 if (!rsp) { 1480 BIO_puts(arg, "response parse error\n"); 1481 BIO_dump_indent(arg, (char *) p, len, 4); 1482 return 0; 1483 } 1484 BIO_puts(arg, "\n======================================\n"); 1485 OCSP_RESPONSE_print(arg, rsp, 0); 1486 BIO_puts(arg, "======================================\n"); 1487 OCSP_RESPONSE_free(rsp); 1488 return 1; 1489 } 1490 1491