1 /* $OpenBSD: s_client.c,v 1.13 2015/04/14 12:56:36 jsing Exp $ */ 2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. 
All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58 /* ==================================================================== 59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. 
Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. 
IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111 /* ==================================================================== 112 * Copyright 2005 Nokia. All rights reserved. 113 * 114 * The portions of the attached software ("Contribution") is developed by 115 * Nokia Corporation and is licensed pursuant to the OpenSSL open source 116 * license. 117 * 118 * The Contribution, originally written by Mika Kousa and Pasi Eronen of 119 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites 120 * support (see RFC 4279) to OpenSSL. 121 * 122 * No patent licenses or other rights except those expressly stated in 123 * the OpenSSL open source license shall be deemed granted or received 124 * expressly, by implication, estoppel, or otherwise. 125 * 126 * No assurances are provided by Nokia that the Contribution does not 127 * infringe the patent or other intellectual property rights of any third 128 * party or that the license provides you with all the necessary rights 129 * to make use of the Contribution. 130 * 131 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. 
IN 132 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA 133 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY 134 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR 135 * OTHERWISE. 136 */ 137 138 #include <sys/types.h> 139 #include <sys/ioctl.h> 140 #include <sys/socket.h> 141 142 #include <netinet/in.h> 143 144 #include <assert.h> 145 #include <ctype.h> 146 #include <limits.h> 147 #include <netdb.h> 148 #include <stdio.h> 149 #include <stdlib.h> 150 #include <string.h> 151 #include <unistd.h> 152 #include <poll.h> 153 154 #include "apps.h" 155 156 #include <openssl/bn.h> 157 #include <openssl/err.h> 158 #include <openssl/ocsp.h> 159 #include <openssl/pem.h> 160 #include <openssl/ssl.h> 161 #include <openssl/x509.h> 162 163 #include "s_apps.h" 164 #include "timeouts.h" 165 166 /*#define SSL_HOST_NAME "www.netscape.com" */ 167 /*#define SSL_HOST_NAME "193.118.187.102" */ 168 #define SSL_HOST_NAME "localhost" 169 170 /*#define TEST_CERT "client.pem" *//* no default cert. 
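*/

/*
 * Size in bytes of the client, server and STARTTLS scratch buffers that
 * s_client_main() allocates.  Parenthesized so the macro expands as a single
 * value in any expression (e.g. under division, modulo or a cast).
 */
#define BUFSIZZ (1024*8)

/* Option flags; s_client_main() resets them and sets them from argv. */
static int c_nbio = 0;		/* -nbio */
static int c_Pause = 0;		/* -pause */
static int c_debug = 0;		/* -debug */
static int c_tlsextdebug = 0;	/* -tlsextdebug */
static int c_status_req = 0;	/* -status */
static int c_msg = 0;		/* -msg */
static int c_showcerts = 0;	/* -showcerts */

/* -keymatexport label and -keymatexportlen length (20 bytes by default). */
static char *keymatexportlabel = NULL;
static int keymatexportlen = 20;

static void sc_usage(void);
static void print_stuff(BIO * berr, SSL * con, int full);
static int ocsp_resp_cb(SSL * s, void *arg);

/*
 * Output BIO for connection chatter.  s_client_main() points it at a null
 * BIO when -quiet is given without -debug or -msg, and at stdout otherwise.
 */
static BIO *bio_c_out = NULL;
static int c_quiet = 0;		/* -quiet */
static int c_ign_eof = 0;	/* -ign_eof / -no_ign_eof, implied by -quiet */


/*
 * Print the s_client option summary to bio_err.
 *
 * The default host and port shown for -connect come from SSL_HOST_NAME and
 * PORT_STR.  Note for readers of the help text: the option parser in
 * s_client_main() starts from SSL_VERIFY_NONE and only switches to
 * SSL_VERIFY_PEER when -verify is given, so peer certificate verification
 * is not requested unless that option is on the command line.
 */
static void
sc_usage(void)
{
	BIO_printf(bio_err, "usage: s_client args\n");
	BIO_printf(bio_err, "\n");
	BIO_printf(bio_err, " -4 - Force IPv4\n");
	BIO_printf(bio_err, " -6 - Force IPv6\n");
	BIO_printf(bio_err, " -host host - use -connect instead\n");
	BIO_printf(bio_err, " -port port - use -connect instead\n");
	BIO_printf(bio_err, " -connect host:port - who to connect to (default is %s:%s)\n", SSL_HOST_NAME, PORT_STR);
	BIO_printf(bio_err, " -proxy host:port - connect to http proxy\n");

	BIO_printf(bio_err, " -verify arg - turn on peer certificate verification\n");
	BIO_printf(bio_err, " -cert arg - certificate file to use, PEM format assumed\n");
	BIO_printf(bio_err, " -certform arg - certificate format (PEM or DER) PEM default\n");
	BIO_printf(bio_err, " -key arg - Private key file to use, in cert file if\n");
	BIO_printf(bio_err, " not specified but cert file is.\n");
	BIO_printf(bio_err, " -keyform arg - key format (PEM or DER) PEM default\n");
	BIO_printf(bio_err, " -pass arg - private key file pass phrase source\n");
	BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n");
	BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n");
	BIO_printf(bio_err, " -reconnect - Drop and re-make the connection with the same Session-ID\n");
	BIO_printf(bio_err, " -pause - sleep(1) after each read(2) and write(2) system call\n");
	BIO_printf(bio_err, " -showcerts - show all certificates in the chain\n");
	BIO_printf(bio_err, " -debug - extra output\n");
	BIO_printf(bio_err, " -msg - Show protocol messages\n");
	BIO_printf(bio_err, " -nbio_test - more ssl protocol testing\n");
	BIO_printf(bio_err, " -state - print the 'ssl' states\n");
	BIO_printf(bio_err, " -nbio - Run with non-blocking IO\n");
	BIO_printf(bio_err, " -crlf - convert LF from terminal into CRLF\n");
	BIO_printf(bio_err, " -quiet - no s_client output\n");
	BIO_printf(bio_err, " -ign_eof - ignore input eof (default when -quiet)\n");
	BIO_printf(bio_err, " -no_ign_eof - don't ignore input eof\n");
	BIO_printf(bio_err, " -ssl3 - just use SSLv3\n");
	BIO_printf(bio_err, " -tls1_2 - just use TLSv1.2\n");
	BIO_printf(bio_err, " -tls1_1 - just use TLSv1.1\n");
	BIO_printf(bio_err, " -tls1 - just use TLSv1\n");
	BIO_printf(bio_err, " -dtls1 - just use DTLSv1\n");
	BIO_printf(bio_err, " -mtu - set the link layer MTU\n");
	BIO_printf(bio_err, " -no_tls1_2/-no_tls1_1/-no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
	BIO_printf(bio_err, " -bugs - Switch on all SSL implementation bug workarounds\n");
	BIO_printf(bio_err, " -cipher - preferred cipher to use, use the 'openssl ciphers'\n");
	BIO_printf(bio_err, " command to see what is available\n");
	BIO_printf(bio_err, " -starttls prot - use the STARTTLS command before starting TLS\n");
	BIO_printf(bio_err, " for those protocols that support it, where\n");
	BIO_printf(bio_err, " 'prot' defines which one to assume. Currently,\n");
	BIO_printf(bio_err, " only \"smtp\", \"lmtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n");
	BIO_printf(bio_err, " are supported.\n");
#ifndef OPENSSL_NO_ENGINE
	BIO_printf(bio_err, " -engine id - Initialise and use the specified engine\n");
#endif
	BIO_printf(bio_err, " -sess_out arg - file to write SSL session to\n");
	BIO_printf(bio_err, " -sess_in arg - file to read SSL session from\n");
	BIO_printf(bio_err, " -servername host - Set TLS extension servername in ClientHello\n");
	BIO_printf(bio_err, " -tlsextdebug - hex dump of all TLS extensions received\n");
	BIO_printf(bio_err, " -status - request certificate status from server\n");
	BIO_printf(bio_err, " -no_ticket - disable use of RFC4507bis session tickets\n");
	BIO_printf(bio_err, " -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n");
	BIO_printf(bio_err, " -alpn arg - enable ALPN extension, considering named protocols supported (comma-separated list)\n");
#ifndef OPENSSL_NO_SRTP
	BIO_printf(bio_err, " -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n");
#endif
	BIO_printf(bio_err, " -keymatexport label - Export keying material using label\n");
	BIO_printf(bio_err, " -keymatexportlen len - Export len bytes of keying material (default 20)\n");
}


/*
 * Context handed to the servername callback.
 * biodebug is set to bio_err by s_client_main(); ack is written by
 * ssl_servername_cb().
 */
typedef struct tlsextctx_st {
	BIO *biodebug;
	int ack;
} tlsextctx;


/*
 * TLS servername callback, registered when -servername is given.
 *
 * When the connection reports a servername type, records in the context's
 * ack field whether a host name is present and the session was not reused;
 * otherwise reports the failure on bio_err.  |ad| is not used.
 * Always returns SSL_TLSEXT_ERR_OK, so the handshake is never aborted here.
 */
static int
ssl_servername_cb(SSL * s, int *ad, void *arg)
{
	tlsextctx *p = arg;
	const char *hn = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);

	if (SSL_get_servername_type(s) == -1) {
		BIO_printf(bio_err, "Can't use SSL_get_servername\n");
		return SSL_TLSEXT_ERR_OK;
	}
	p->ack = !SSL_session_reused(s) && hn != NULL;

	return SSL_TLSEXT_ERR_OK;
}

#ifndef OPENSSL_NO_SRTP
/* Colon-separated SRTP profile list from -use_srtp; NULL when not given. */
char *srtp_profiles = NULL;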
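#endif

/*
 * Context passed to next_proto_cb.
 * data/len hold the client's protocol list parsed from -nextprotoneg;
 * status receives the result of SSL_select_next_proto().
 */
typedef struct tlsextnextprotoctx_st {
	unsigned char *data;
	unsigned short len;
	int status;
} tlsextnextprotoctx;

static tlsextnextprotoctx next_proto;

/*
 * NPN selection callback.
 *
 * |in|/|inlen| is the server's protocol list: a sequence of entries, each a
 * one-byte length followed by that many name bytes.  Unless -quiet is set,
 * the names are printed to bio_c_out, then the protocol is chosen with
 * SSL_select_next_proto() against the client's list in |arg| and the result
 * is stored in the context's status field.
 *
 * Always returns SSL_TLSEXT_ERR_OK.
 */
static int
next_proto_cb(SSL * s, unsigned char **out, unsigned char *outlen,
    const unsigned char *in, unsigned int inlen, void *arg)
{
	tlsextnextprotoctx *ctx = arg;

	if (!c_quiet) {
		unsigned int i = 0;

		/*
		 * NOTE(review): the names are server-supplied bytes and are
		 * written to bio_c_out unfiltered.
		 */
		BIO_printf(bio_c_out, "Protocols advertised by server: ");
		while (i < inlen) {
			unsigned int len = in[i];

			/*
			 * The list is expected to be syntactically valid when
			 * this callback runs.  Stop instead of reading past
			 * |in| if a length prefix overruns the remaining
			 * bytes, so the printing loop never depends on that.
			 */
			if (len > inlen - i - 1)
				break;
			if (i)
				BIO_write(bio_c_out, ", ", 2);
			BIO_write(bio_c_out, &in[i + 1], len);
			i += len + 1;
		}
		BIO_write(bio_c_out, "\n", 1);
	}
	ctx->status = SSL_select_next_proto(out, outlen, in, inlen, ctx->data, ctx->len);
	return SSL_TLSEXT_ERR_OK;
}

/* Application protocols selectable with -starttls; PROTO_OFF means none. */
enum {
	PROTO_OFF = 0,
	PROTO_SMTP,
	PROTO_LMTP,
	PROTO_POP3,
	PROTO_IMAP,
	PROTO_FTP,
	PROTO_XMPP
};

int s_client_main(int, char **);

int
s_client_main(int argc, char **argv)
{
	unsigned int off = 0, clr = 0;
	SSL *con = NULL;
	int s, k, state = 0, af = AF_UNSPEC;
	char *cbuf = NULL, *sbuf = NULL, *mbuf = NULL;
	int cbuf_len, cbuf_off;
	int sbuf_len, sbuf_off;
	char *port = PORT_STR;
	int full_log = 1;
	char *host = SSL_HOST_NAME;
	char *proxy = NULL, *connect = NULL;
	char *cert_file = NULL, *key_file = NULL;
	int cert_format = FORMAT_PEM, key_format = FORMAT_PEM;
	char *passarg = NULL, *pass = NULL;
	X509 *cert = NULL;
	EVP_PKEY *key = NULL;
	char *CApath = NULL, *CAfile = NULL, *cipher = NULL;
	int reconnect = 0, badop = 0, verify = SSL_VERIFY_NONE, bugs = 0;
	int crlf = 0;
	int write_tty, read_tty, write_ssl, read_ssl, tty_on, ssl_pending;
	SSL_CTX *ctx = NULL;
	int ret = 1, in_init = 1, i, nbio_test = 0;
	int starttls_proto = PROTO_OFF;
	int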
prexit = 0; 352 X509_VERIFY_PARAM *vpm = NULL; 353 int badarg = 0; 354 const SSL_METHOD *meth = NULL; 355 int socket_type = SOCK_STREAM; 356 BIO *sbio; 357 int mbuf_len = 0; 358 struct timeval timeout; 359 const char *errstr = NULL; 360 #ifndef OPENSSL_NO_ENGINE 361 char *engine_id = NULL; 362 char *ssl_client_engine_id = NULL; 363 ENGINE *ssl_client_engine = NULL; 364 #endif 365 ENGINE *e = NULL; 366 char *servername = NULL; 367 tlsextctx tlsextcbp = 368 {NULL, 0}; 369 const char *next_proto_neg_in = NULL; 370 const char *alpn_in = NULL; 371 char *sess_in = NULL; 372 char *sess_out = NULL; 373 struct sockaddr peer; 374 int peerlen = sizeof(peer); 375 int enable_timeouts = 0; 376 long socket_mtu = 0; 377 378 meth = SSLv23_client_method(); 379 380 c_Pause = 0; 381 c_quiet = 0; 382 c_ign_eof = 0; 383 c_debug = 0; 384 c_msg = 0; 385 c_showcerts = 0; 386 387 if (((cbuf = malloc(BUFSIZZ)) == NULL) || 388 ((sbuf = malloc(BUFSIZZ)) == NULL) || 389 ((mbuf = malloc(BUFSIZZ + 1)) == NULL)) { /* NUL byte */ 390 BIO_printf(bio_err, "out of memory\n"); 391 goto end; 392 } 393 verify_depth = 0; 394 verify_error = X509_V_OK; 395 c_nbio = 0; 396 397 argc--; 398 argv++; 399 while (argc >= 1) { 400 if (strcmp(*argv, "-host") == 0) { 401 if (--argc < 1) 402 goto bad; 403 host = *(++argv); 404 } else if (strcmp(*argv, "-port") == 0) { 405 if (--argc < 1) 406 goto bad; 407 port = *(++argv); 408 if (port == NULL || *port == '\0') 409 goto bad; 410 } else if (strcmp(*argv, "-connect") == 0) { 411 if (--argc < 1) 412 goto bad; 413 connect = *(++argv); 414 } else if (strcmp(*argv, "-proxy") == 0) { 415 if (--argc < 1) 416 goto bad; 417 proxy = *(++argv); 418 } else if (strcmp(*argv, "-verify") == 0) { 419 verify = SSL_VERIFY_PEER; 420 if (--argc < 1) 421 goto bad; 422 verify_depth = strtonum(*(++argv), 0, INT_MAX, &errstr); 423 if (errstr) 424 goto bad; 425 BIO_printf(bio_err, "verify depth is %d\n", verify_depth); 426 } else if (strcmp(*argv, "-cert") == 0) { 427 if (--argc < 1) 428 goto 
bad; 429 cert_file = *(++argv); 430 } else if (strcmp(*argv, "-sess_out") == 0) { 431 if (--argc < 1) 432 goto bad; 433 sess_out = *(++argv); 434 } else if (strcmp(*argv, "-sess_in") == 0) { 435 if (--argc < 1) 436 goto bad; 437 sess_in = *(++argv); 438 } else if (strcmp(*argv, "-certform") == 0) { 439 if (--argc < 1) 440 goto bad; 441 cert_format = str2fmt(*(++argv)); 442 } else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm)) { 443 if (badarg) 444 goto bad; 445 continue; 446 } else if (strcmp(*argv, "-verify_return_error") == 0) 447 verify_return_error = 1; 448 else if (strcmp(*argv, "-prexit") == 0) 449 prexit = 1; 450 else if (strcmp(*argv, "-crlf") == 0) 451 crlf = 1; 452 else if (strcmp(*argv, "-quiet") == 0) { 453 c_quiet = 1; 454 c_ign_eof = 1; 455 } else if (strcmp(*argv, "-ign_eof") == 0) 456 c_ign_eof = 1; 457 else if (strcmp(*argv, "-no_ign_eof") == 0) 458 c_ign_eof = 0; 459 else if (strcmp(*argv, "-pause") == 0) 460 c_Pause = 1; 461 else if (strcmp(*argv, "-debug") == 0) 462 c_debug = 1; 463 else if (strcmp(*argv, "-tlsextdebug") == 0) 464 c_tlsextdebug = 1; 465 else if (strcmp(*argv, "-status") == 0) 466 c_status_req = 1; 467 else if (strcmp(*argv, "-msg") == 0) 468 c_msg = 1; 469 else if (strcmp(*argv, "-showcerts") == 0) 470 c_showcerts = 1; 471 else if (strcmp(*argv, "-nbio_test") == 0) 472 nbio_test = 1; 473 else if (strcmp(*argv, "-state") == 0) 474 state = 1; 475 else if (strcmp(*argv, "-ssl3") == 0) 476 meth = SSLv3_client_method(); 477 else if (strcmp(*argv, "-tls1_2") == 0) 478 meth = TLSv1_2_client_method(); 479 else if (strcmp(*argv, "-tls1_1") == 0) 480 meth = TLSv1_1_client_method(); 481 else if (strcmp(*argv, "-tls1") == 0) 482 meth = TLSv1_client_method(); 483 #ifndef OPENSSL_NO_DTLS1 484 else if (strcmp(*argv, "-dtls1") == 0) { 485 meth = DTLSv1_client_method(); 486 socket_type = SOCK_DGRAM; 487 } else if (strcmp(*argv, "-timeout") == 0) 488 enable_timeouts = 1; 489 else if (strcmp(*argv, "-mtu") == 0) { 490 if (--argc < 1) 491 
goto bad; 492 socket_mtu = strtonum(*(++argv), 0, LONG_MAX, &errstr); 493 if (errstr) 494 goto bad; 495 } 496 #endif 497 else if (strcmp(*argv, "-bugs") == 0) 498 bugs = 1; 499 else if (strcmp(*argv, "-keyform") == 0) { 500 if (--argc < 1) 501 goto bad; 502 key_format = str2fmt(*(++argv)); 503 } else if (strcmp(*argv, "-pass") == 0) { 504 if (--argc < 1) 505 goto bad; 506 passarg = *(++argv); 507 } else if (strcmp(*argv, "-key") == 0) { 508 if (--argc < 1) 509 goto bad; 510 key_file = *(++argv); 511 } else if (strcmp(*argv, "-reconnect") == 0) { 512 reconnect = 5; 513 } else if (strcmp(*argv, "-CApath") == 0) { 514 if (--argc < 1) 515 goto bad; 516 CApath = *(++argv); 517 } else if (strcmp(*argv, "-CAfile") == 0) { 518 if (--argc < 1) 519 goto bad; 520 CAfile = *(++argv); 521 } else if (strcmp(*argv, "-no_tls1_2") == 0) 522 off |= SSL_OP_NO_TLSv1_2; 523 else if (strcmp(*argv, "-no_tls1_1") == 0) 524 off |= SSL_OP_NO_TLSv1_1; 525 else if (strcmp(*argv, "-no_tls1") == 0) 526 off |= SSL_OP_NO_TLSv1; 527 else if (strcmp(*argv, "-no_ssl3") == 0) 528 off |= SSL_OP_NO_SSLv3; 529 else if (strcmp(*argv, "-no_ssl2") == 0) 530 off |= SSL_OP_NO_SSLv2; 531 else if (strcmp(*argv, "-no_comp") == 0) { 532 off |= SSL_OP_NO_COMPRESSION; 533 } 534 else if (strcmp(*argv, "-no_ticket") == 0) { 535 off |= SSL_OP_NO_TICKET; 536 } 537 else if (strcmp(*argv, "-nextprotoneg") == 0) { 538 if (--argc < 1) 539 goto bad; 540 next_proto_neg_in = *(++argv); 541 } 542 else if (strcmp(*argv, "-alpn") == 0) { 543 if (--argc < 1) 544 goto bad; 545 alpn_in = *(++argv); 546 } else if (strcmp(*argv, "-serverpref") == 0) 547 off |= SSL_OP_CIPHER_SERVER_PREFERENCE; 548 else if (strcmp(*argv, "-legacy_renegotiation") == 0) 549 ; /* no-op */ 550 else if (strcmp(*argv, "-legacy_server_connect") == 0) { 551 off |= SSL_OP_LEGACY_SERVER_CONNECT; 552 } else if (strcmp(*argv, "-no_legacy_server_connect") == 0) { 553 clr |= SSL_OP_LEGACY_SERVER_CONNECT; 554 } else if (strcmp(*argv, "-cipher") == 0) { 555 if 
(--argc < 1) 556 goto bad; 557 cipher = *(++argv); 558 } 559 else if (strcmp(*argv, "-nbio") == 0) { 560 c_nbio = 1; 561 } 562 else if (strcmp(*argv, "-starttls") == 0) { 563 if (--argc < 1) 564 goto bad; 565 ++argv; 566 if (strcmp(*argv, "smtp") == 0) 567 starttls_proto = PROTO_SMTP; 568 else if (strcmp(*argv, "lmtp") == 0) 569 starttls_proto = PROTO_LMTP; 570 else if (strcmp(*argv, "pop3") == 0) 571 starttls_proto = PROTO_POP3; 572 else if (strcmp(*argv, "imap") == 0) 573 starttls_proto = PROTO_IMAP; 574 else if (strcmp(*argv, "ftp") == 0) 575 starttls_proto = PROTO_FTP; 576 else if (strcmp(*argv, "xmpp") == 0) 577 starttls_proto = PROTO_XMPP; 578 else 579 goto bad; 580 } 581 #ifndef OPENSSL_NO_ENGINE 582 else if (strcmp(*argv, "-engine") == 0) { 583 if (--argc < 1) 584 goto bad; 585 engine_id = *(++argv); 586 } else if (strcmp(*argv, "-ssl_client_engine") == 0) { 587 if (--argc < 1) 588 goto bad; 589 ssl_client_engine_id = *(++argv); 590 } 591 #endif 592 else if (strcmp(*argv, "-4") == 0) { 593 af = AF_INET; 594 } else if (strcmp(*argv, "-6") == 0) { 595 af = AF_INET6; 596 } 597 else if (strcmp(*argv, "-servername") == 0) { 598 if (--argc < 1) 599 goto bad; 600 servername = *(++argv); 601 /* meth=TLSv1_client_method(); */ 602 } 603 #ifndef OPENSSL_NO_SRTP 604 else if (strcmp(*argv, "-use_srtp") == 0) { 605 if (--argc < 1) 606 goto bad; 607 srtp_profiles = *(++argv); 608 } 609 #endif 610 else if (strcmp(*argv, "-keymatexport") == 0) { 611 if (--argc < 1) 612 goto bad; 613 keymatexportlabel = *(++argv); 614 } else if (strcmp(*argv, "-keymatexportlen") == 0) { 615 if (--argc < 1) 616 goto bad; 617 keymatexportlen = strtonum(*(++argv), 1, INT_MAX, &errstr); 618 if (errstr) 619 goto bad; 620 } else { 621 BIO_printf(bio_err, "unknown option %s\n", *argv); 622 badop = 1; 623 break; 624 } 625 argc--; 626 argv++; 627 } 628 if (proxy != NULL) { 629 if (!extract_host_port(proxy, &host, NULL, &port)) 630 goto bad; 631 if (connect == NULL) 632 connect = SSL_HOST_NAME; 633 } 
else if (connect != NULL) { 634 if (!extract_host_port(connect, &host, NULL, &port)) 635 goto bad; 636 } 637 if (badop) { 638 bad: 639 if (errstr) 640 BIO_printf(bio_err, "invalid argument %s: %s\n", 641 *argv, errstr); 642 else 643 sc_usage(); 644 goto end; 645 } 646 647 next_proto.status = -1; 648 if (next_proto_neg_in) { 649 next_proto.data = next_protos_parse(&next_proto.len, next_proto_neg_in); 650 if (next_proto.data == NULL) { 651 BIO_printf(bio_err, "Error parsing -nextprotoneg argument\n"); 652 goto end; 653 } 654 } else 655 next_proto.data = NULL; 656 657 #ifndef OPENSSL_NO_ENGINE 658 e = setup_engine(bio_err, engine_id, 1); 659 if (ssl_client_engine_id) { 660 ssl_client_engine = ENGINE_by_id(ssl_client_engine_id); 661 if (!ssl_client_engine) { 662 BIO_printf(bio_err, 663 "Error getting client auth engine\n"); 664 goto end; 665 } 666 } 667 #endif 668 if (!app_passwd(bio_err, passarg, NULL, &pass, NULL)) { 669 BIO_printf(bio_err, "Error getting password\n"); 670 goto end; 671 } 672 if (key_file == NULL) 673 key_file = cert_file; 674 675 676 if (key_file) { 677 678 key = load_key(bio_err, key_file, key_format, 0, pass, e, 679 "client certificate private key file"); 680 if (!key) { 681 ERR_print_errors(bio_err); 682 goto end; 683 } 684 } 685 if (cert_file) { 686 cert = load_cert(bio_err, cert_file, cert_format, 687 NULL, e, "client certificate file"); 688 689 if (!cert) { 690 ERR_print_errors(bio_err); 691 goto end; 692 } 693 } 694 if (bio_c_out == NULL) { 695 if (c_quiet && !c_debug && !c_msg) { 696 bio_c_out = BIO_new(BIO_s_null()); 697 } else { 698 if (bio_c_out == NULL) 699 bio_c_out = BIO_new_fp(stdout, BIO_NOCLOSE); 700 } 701 } 702 703 ctx = SSL_CTX_new(meth); 704 if (ctx == NULL) { 705 ERR_print_errors(bio_err); 706 goto end; 707 } 708 if (vpm) 709 SSL_CTX_set1_param(ctx, vpm); 710 711 #ifndef OPENSSL_NO_ENGINE 712 if (ssl_client_engine) { 713 if (!SSL_CTX_set_client_cert_engine(ctx, ssl_client_engine)) { 714 BIO_puts(bio_err, "Error setting client 
auth engine\n"); 715 ERR_print_errors(bio_err); 716 ENGINE_free(ssl_client_engine); 717 goto end; 718 } 719 ENGINE_free(ssl_client_engine); 720 } 721 #endif 722 723 #ifndef OPENSSL_NO_SRTP 724 if (srtp_profiles != NULL) 725 SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles); 726 #endif 727 if (bugs) 728 SSL_CTX_set_options(ctx, SSL_OP_ALL | off); 729 else 730 SSL_CTX_set_options(ctx, off); 731 732 if (clr) 733 SSL_CTX_clear_options(ctx, clr); 734 /* 735 * DTLS: partial reads end up discarding unread UDP bytes :-( Setting 736 * read ahead solves this problem. 737 */ 738 if (socket_type == SOCK_DGRAM) 739 SSL_CTX_set_read_ahead(ctx, 1); 740 741 if (next_proto.data) 742 SSL_CTX_set_next_proto_select_cb(ctx, next_proto_cb, &next_proto); 743 if (alpn_in) { 744 unsigned short alpn_len; 745 unsigned char *alpn = next_protos_parse(&alpn_len, alpn_in); 746 747 if (alpn == NULL) { 748 BIO_printf(bio_err, "Error parsing -alpn argument\n"); 749 goto end; 750 } 751 SSL_CTX_set_alpn_protos(ctx, alpn, alpn_len); 752 free(alpn); 753 } 754 755 if (state) 756 SSL_CTX_set_info_callback(ctx, apps_ssl_info_callback); 757 if (cipher != NULL) 758 if (!SSL_CTX_set_cipher_list(ctx, cipher)) { 759 BIO_printf(bio_err, "error setting cipher list\n"); 760 ERR_print_errors(bio_err); 761 goto end; 762 } 763 764 SSL_CTX_set_verify(ctx, verify, verify_callback); 765 if (!set_cert_key_stuff(ctx, cert, key)) 766 goto end; 767 768 if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) || 769 (!SSL_CTX_set_default_verify_paths(ctx))) { 770 /* 771 * BIO_printf(bio_err,"error setting default verify 772 * locations\n"); 773 */ 774 ERR_print_errors(bio_err); 775 /* goto end; */ 776 } 777 if (servername != NULL) { 778 tlsextcbp.biodebug = bio_err; 779 SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb); 780 SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp); 781 } 782 783 con = SSL_new(ctx); 784 if (sess_in) { 785 SSL_SESSION *sess; 786 BIO *stmp = BIO_new_file(sess_in, "r"); 787 if (!stmp) { 
788 BIO_printf(bio_err, "Can't open session file %s\n", 789 sess_in); 790 ERR_print_errors(bio_err); 791 goto end; 792 } 793 sess = PEM_read_bio_SSL_SESSION(stmp, NULL, 0, NULL); 794 BIO_free(stmp); 795 if (!sess) { 796 BIO_printf(bio_err, "Can't open session file %s\n", 797 sess_in); 798 ERR_print_errors(bio_err); 799 goto end; 800 } 801 SSL_set_session(con, sess); 802 SSL_SESSION_free(sess); 803 } 804 if (servername != NULL) { 805 if (!SSL_set_tlsext_host_name(con, servername)) { 806 BIO_printf(bio_err, "Unable to set TLS servername extension.\n"); 807 ERR_print_errors(bio_err); 808 goto end; 809 } 810 } 811 /* SSL_set_cipher_list(con,"RC4-MD5"); */ 812 813 re_start: 814 815 if (init_client(&s, host, port, socket_type, af) == 0) { 816 BIO_printf(bio_err, "connect:errno=%d\n", errno); 817 goto end; 818 } 819 BIO_printf(bio_c_out, "CONNECTED(%08X)\n", s); 820 821 if (c_nbio) { 822 if (!c_quiet) 823 BIO_printf(bio_c_out, "turning on non blocking io\n"); 824 if (!BIO_socket_nbio(s, 1)) { 825 ERR_print_errors(bio_err); 826 goto end; 827 } 828 } 829 if (c_Pause & 0x01) 830 SSL_set_debug(con, 1); 831 832 if (SSL_version(con) == DTLS1_VERSION) { 833 834 sbio = BIO_new_dgram(s, BIO_NOCLOSE); 835 if (getsockname(s, &peer, (void *) &peerlen) < 0) { 836 BIO_printf(bio_err, "getsockname:errno=%d\n", 837 errno); 838 shutdown(s, SHUT_RD); 839 close(s); 840 goto end; 841 } 842 (void) BIO_ctrl_set_connected(sbio, 1, &peer); 843 844 if (enable_timeouts) { 845 timeout.tv_sec = 0; 846 timeout.tv_usec = DGRAM_RCV_TIMEOUT; 847 BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout); 848 849 timeout.tv_sec = 0; 850 timeout.tv_usec = DGRAM_SND_TIMEOUT; 851 BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout); 852 } 853 if (socket_mtu > 28) { 854 SSL_set_options(con, SSL_OP_NO_QUERY_MTU); 855 SSL_set_mtu(con, socket_mtu - 28); 856 } else 857 /* want to do MTU discovery */ 858 BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL); 859 } else 860 sbio = BIO_new_socket(s, 
BIO_NOCLOSE); 861 862 if (nbio_test) { 863 BIO *test; 864 865 test = BIO_new(BIO_f_nbio_test()); 866 sbio = BIO_push(test, sbio); 867 } 868 if (c_debug) { 869 SSL_set_debug(con, 1); 870 BIO_set_callback(sbio, bio_dump_callback); 871 BIO_set_callback_arg(sbio, (char *) bio_c_out); 872 } 873 if (c_msg) { 874 SSL_set_msg_callback(con, msg_cb); 875 SSL_set_msg_callback_arg(con, bio_c_out); 876 } 877 if (c_tlsextdebug) { 878 SSL_set_tlsext_debug_callback(con, tlsext_cb); 879 SSL_set_tlsext_debug_arg(con, bio_c_out); 880 } 881 if (c_status_req) { 882 SSL_set_tlsext_status_type(con, TLSEXT_STATUSTYPE_ocsp); 883 SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb); 884 SSL_CTX_set_tlsext_status_arg(ctx, bio_c_out); 885 } 886 887 SSL_set_bio(con, sbio, sbio); 888 SSL_set_connect_state(con); 889 890 /* ok, lets connect */ 891 read_tty = 1; 892 write_tty = 0; 893 tty_on = 0; 894 read_ssl = 1; 895 write_ssl = 1; 896 897 cbuf_len = 0; 898 cbuf_off = 0; 899 sbuf_len = 0; 900 sbuf_off = 0; 901 902 /* This is an ugly hack that does a lot of assumptions */ 903 /* 904 * We do have to handle multi-line responses which may come in a 905 * single packet or not. We therefore have to use BIO_gets() which 906 * does need a buffering BIO. So during the initial chitchat we do 907 * push a buffering BIO into the chain that is removed again later on 908 * to not disturb the rest of the s_client operation. 909 */ 910 if (starttls_proto == PROTO_SMTP || starttls_proto == PROTO_LMTP) { 911 int foundit = 0; 912 BIO *fbio = BIO_new(BIO_f_buffer()); 913 BIO_push(fbio, sbio); 914 /* wait for multi-line response to end from SMTP */ 915 do { 916 mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ); 917 } 918 while (mbuf_len > 3 && mbuf[3] == '-'); 919 /* STARTTLS command requires EHLO... */ 920 BIO_printf(fbio, "%cHLO openssl.client.net\r\n", 921 starttls_proto == PROTO_SMTP ? 
'E' : 'L'); 922 (void) BIO_flush(fbio); 923 /* wait for multi-line response to end EHLO SMTP response */ 924 do { 925 mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ); 926 if (strstr(mbuf, "STARTTLS")) 927 foundit = 1; 928 } 929 while (mbuf_len > 3 && mbuf[3] == '-'); 930 (void) BIO_flush(fbio); 931 BIO_pop(fbio); 932 BIO_free(fbio); 933 if (!foundit) 934 BIO_printf(bio_err, 935 "didn't found starttls in server response," 936 " try anyway...\n"); 937 BIO_printf(sbio, "STARTTLS\r\n"); 938 BIO_read(sbio, sbuf, BUFSIZZ); 939 } else if (starttls_proto == PROTO_POP3) { 940 mbuf_len = BIO_read(sbio, mbuf, BUFSIZZ); 941 if (mbuf_len == -1) { 942 BIO_printf(bio_err, "BIO_read failed\n"); 943 goto end; 944 } 945 BIO_printf(sbio, "STLS\r\n"); 946 BIO_read(sbio, sbuf, BUFSIZZ); 947 } else if (starttls_proto == PROTO_IMAP) { 948 int foundit = 0; 949 BIO *fbio = BIO_new(BIO_f_buffer()); 950 BIO_push(fbio, sbio); 951 BIO_gets(fbio, mbuf, BUFSIZZ); 952 /* STARTTLS command requires CAPABILITY... */ 953 BIO_printf(fbio, ". CAPABILITY\r\n"); 954 (void) BIO_flush(fbio); 955 /* wait for multi-line CAPABILITY response */ 956 do { 957 mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ); 958 if (strstr(mbuf, "STARTTLS")) 959 foundit = 1; 960 } 961 while (mbuf_len > 3 && mbuf[0] != '.'); 962 (void) BIO_flush(fbio); 963 BIO_pop(fbio); 964 BIO_free(fbio); 965 if (!foundit) 966 BIO_printf(bio_err, 967 "didn't found STARTTLS in server response," 968 " try anyway...\n"); 969 BIO_printf(sbio, ". 
STARTTLS\r\n"); 970 BIO_read(sbio, sbuf, BUFSIZZ); 971 } else if (starttls_proto == PROTO_FTP) { 972 BIO *fbio = BIO_new(BIO_f_buffer()); 973 BIO_push(fbio, sbio); 974 /* wait for multi-line response to end from FTP */ 975 do { 976 mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ); 977 } 978 while (mbuf_len > 3 && mbuf[3] == '-'); 979 (void) BIO_flush(fbio); 980 BIO_pop(fbio); 981 BIO_free(fbio); 982 BIO_printf(sbio, "AUTH TLS\r\n"); 983 BIO_read(sbio, sbuf, BUFSIZZ); 984 } else if (starttls_proto == PROTO_XMPP) { 985 int seen = 0; 986 BIO_printf(sbio, "<stream:stream " 987 "xmlns:stream='http://etherx.jabber.org/streams' " 988 "xmlns='jabber:client' to='%s' version='1.0'>", host); 989 seen = BIO_read(sbio, mbuf, BUFSIZZ); 990 mbuf[seen] = 0; 991 while (!strstr(mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'")) { 992 if (strstr(mbuf, "/stream:features>")) 993 goto shut; 994 seen = BIO_read(sbio, mbuf, BUFSIZZ); 995 mbuf[seen] = 0; 996 } 997 BIO_printf(sbio, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>"); 998 seen = BIO_read(sbio, sbuf, BUFSIZZ); 999 sbuf[seen] = 0; 1000 if (!strstr(sbuf, "<proceed")) 1001 goto shut; 1002 mbuf[0] = 0; 1003 } else if (proxy != NULL) { 1004 BIO_printf(sbio, "CONNECT %s HTTP/1.0\r\n\r\n", connect); 1005 mbuf_len = BIO_read(sbio, mbuf, BUFSIZZ); 1006 if (mbuf_len == -1) { 1007 BIO_printf(bio_err, "BIO_read failed\n"); 1008 goto end; 1009 } 1010 } 1011 for (;;) { 1012 struct pollfd pfd[3]; /* stdin, stdout, socket */ 1013 int ptimeout = -1; 1014 1015 if ((SSL_version(con) == DTLS1_VERSION) && 1016 DTLSv1_get_timeout(con, &timeout)) 1017 ptimeout = timeout.tv_sec * 1000 + timeout.tv_usec / 1000; 1018 1019 if (SSL_in_init(con) && !SSL_total_renegotiations(con)) { 1020 in_init = 1; 1021 tty_on = 0; 1022 } else { 1023 tty_on = 1; 1024 if (in_init) { 1025 in_init = 0; 1026 if (sess_out) { 1027 BIO *stmp = BIO_new_file(sess_out, "w"); 1028 if (stmp) { 1029 PEM_write_bio_SSL_SESSION(stmp, SSL_get_session(con)); 1030 BIO_free(stmp); 1031 
} else 1032 BIO_printf(bio_err, "Error writing session file %s\n", sess_out); 1033 } 1034 print_stuff(bio_c_out, con, full_log); 1035 if (full_log > 0) 1036 full_log--; 1037 1038 if (starttls_proto) { 1039 BIO_write(bio_err, mbuf, mbuf_len); 1040 /* We don't need to know any more */ 1041 starttls_proto = PROTO_OFF; 1042 } 1043 if (reconnect) { 1044 reconnect--; 1045 BIO_printf(bio_c_out, "drop connection and then reconnect\n"); 1046 SSL_shutdown(con); 1047 SSL_set_connect_state(con); 1048 shutdown(SSL_get_fd(con), SHUT_RD); 1049 close(SSL_get_fd(con)); 1050 goto re_start; 1051 } 1052 } 1053 } 1054 1055 ssl_pending = read_ssl && SSL_pending(con); 1056 1057 pfd[0].fd = -1; 1058 pfd[1].fd = -1; 1059 if (!ssl_pending) { 1060 if (tty_on) { 1061 if (read_tty) { 1062 pfd[0].fd = fileno(stdin); 1063 pfd[0].events = POLLIN; 1064 } 1065 if (write_tty) { 1066 pfd[1].fd = fileno(stdout); 1067 pfd[1].events = POLLOUT; 1068 } 1069 } 1070 1071 pfd[2].fd = SSL_get_fd(con); 1072 pfd[2].events = 0; 1073 if (read_ssl) 1074 pfd[2].events |= POLLIN; 1075 if (write_ssl) 1076 pfd[2].events |= POLLOUT; 1077 1078 /* printf("mode tty(%d %d%d) ssl(%d%d)\n", 1079 tty_on,read_tty,write_tty,read_ssl,write_ssl);*/ 1080 1081 i = poll(pfd, 3, ptimeout); 1082 if (i < 0) { 1083 BIO_printf(bio_err, "bad select %d\n", 1084 errno); 1085 goto shut; 1086 /* goto end; */ 1087 } 1088 } 1089 if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0) { 1090 BIO_printf(bio_err, "TIMEOUT occured\n"); 1091 } 1092 if (!ssl_pending && (pfd[2].revents & (POLLOUT|POLLERR|POLLNVAL))) { 1093 if (pfd[2].revents & (POLLERR|POLLNVAL)) { 1094 BIO_printf(bio_err, "poll error"); 1095 goto shut; 1096 } 1097 k = SSL_write(con, &(cbuf[cbuf_off]), 1098 (unsigned int) cbuf_len); 1099 switch (SSL_get_error(con, k)) { 1100 case SSL_ERROR_NONE: 1101 cbuf_off += k; 1102 cbuf_len -= k; 1103 if (k <= 0) 1104 goto end; 1105 /* we have done a write(con,NULL,0); */ 1106 if (cbuf_len <= 0) { 1107 read_tty = 1; 1108 
write_ssl = 0; 1109 } else { /* if (cbuf_len > 0) */ 1110 read_tty = 0; 1111 write_ssl = 1; 1112 } 1113 break; 1114 case SSL_ERROR_WANT_WRITE: 1115 BIO_printf(bio_c_out, "write W BLOCK\n"); 1116 write_ssl = 1; 1117 read_tty = 0; 1118 break; 1119 case SSL_ERROR_WANT_READ: 1120 BIO_printf(bio_c_out, "write R BLOCK\n"); 1121 write_tty = 0; 1122 read_ssl = 1; 1123 write_ssl = 0; 1124 break; 1125 case SSL_ERROR_WANT_X509_LOOKUP: 1126 BIO_printf(bio_c_out, "write X BLOCK\n"); 1127 break; 1128 case SSL_ERROR_ZERO_RETURN: 1129 if (cbuf_len != 0) { 1130 BIO_printf(bio_c_out, "shutdown\n"); 1131 ret = 0; 1132 goto shut; 1133 } else { 1134 read_tty = 1; 1135 write_ssl = 0; 1136 break; 1137 } 1138 1139 case SSL_ERROR_SYSCALL: 1140 if ((k != 0) || (cbuf_len != 0)) { 1141 BIO_printf(bio_err, "write:errno=%d\n", 1142 errno); 1143 goto shut; 1144 } else { 1145 read_tty = 1; 1146 write_ssl = 0; 1147 } 1148 break; 1149 case SSL_ERROR_SSL: 1150 ERR_print_errors(bio_err); 1151 goto shut; 1152 } 1153 } else if (!ssl_pending && 1154 (pfd[1].revents & (POLLOUT|POLLERR|POLLNVAL))) { 1155 if (pfd[1].revents & (POLLERR|POLLNVAL)) { 1156 BIO_printf(bio_err, "poll error"); 1157 goto shut; 1158 } 1159 i = write(fileno(stdout), &(sbuf[sbuf_off]), sbuf_len); 1160 1161 if (i <= 0) { 1162 BIO_printf(bio_c_out, "DONE\n"); 1163 ret = 0; 1164 goto shut; 1165 /* goto end; */ 1166 } 1167 sbuf_len -= i; 1168 sbuf_off += i; 1169 if (sbuf_len <= 0) { 1170 read_ssl = 1; 1171 write_tty = 0; 1172 } 1173 } else if (ssl_pending || (pfd[2].revents & (POLLIN|POLLHUP))) { 1174 #ifdef RENEG 1175 { 1176 static int iiii; 1177 if (++iiii == 52) { 1178 SSL_renegotiate(con); 1179 iiii = 0; 1180 } 1181 } 1182 #endif 1183 k = SSL_read(con, sbuf, 1024 /* BUFSIZZ */ ); 1184 1185 switch (SSL_get_error(con, k)) { 1186 case SSL_ERROR_NONE: 1187 if (k <= 0) 1188 goto end; 1189 sbuf_off = 0; 1190 sbuf_len = k; 1191 1192 read_ssl = 0; 1193 write_tty = 1; 1194 break; 1195 case SSL_ERROR_WANT_WRITE: 1196 BIO_printf(bio_c_out, 
"read W BLOCK\n"); 1197 write_ssl = 1; 1198 read_tty = 0; 1199 break; 1200 case SSL_ERROR_WANT_READ: 1201 BIO_printf(bio_c_out, "read R BLOCK\n"); 1202 write_tty = 0; 1203 read_ssl = 1; 1204 if ((read_tty == 0) && (write_ssl == 0)) 1205 write_ssl = 1; 1206 break; 1207 case SSL_ERROR_WANT_X509_LOOKUP: 1208 BIO_printf(bio_c_out, "read X BLOCK\n"); 1209 break; 1210 case SSL_ERROR_SYSCALL: 1211 ret = errno; 1212 BIO_printf(bio_err, "read:errno=%d\n", ret); 1213 goto shut; 1214 case SSL_ERROR_ZERO_RETURN: 1215 BIO_printf(bio_c_out, "closed\n"); 1216 ret = 0; 1217 goto shut; 1218 case SSL_ERROR_SSL: 1219 ERR_print_errors(bio_err); 1220 goto shut; 1221 /* break; */ 1222 } 1223 } else if (pfd[0].revents) { 1224 if (pfd[0].revents & (POLLERR|POLLNVAL)) { 1225 BIO_printf(bio_err, "poll error"); 1226 goto shut; 1227 } 1228 if (crlf) { 1229 int j, lf_num; 1230 1231 i = read(fileno(stdin), cbuf, BUFSIZZ / 2); 1232 lf_num = 0; 1233 /* both loops are skipped when i <= 0 */ 1234 for (j = 0; j < i; j++) 1235 if (cbuf[j] == '\n') 1236 lf_num++; 1237 for (j = i - 1; j >= 0; j--) { 1238 cbuf[j + lf_num] = cbuf[j]; 1239 if (cbuf[j] == '\n') { 1240 lf_num--; 1241 i++; 1242 cbuf[j + lf_num] = '\r'; 1243 } 1244 } 1245 assert(lf_num == 0); 1246 } else 1247 i = read(fileno(stdin), cbuf, BUFSIZZ); 1248 1249 if ((!c_ign_eof) && ((i <= 0) || (cbuf[0] == 'Q'))) { 1250 BIO_printf(bio_err, "DONE\n"); 1251 ret = 0; 1252 goto shut; 1253 } 1254 if ((!c_ign_eof) && (cbuf[0] == 'R')) { 1255 BIO_printf(bio_err, "RENEGOTIATING\n"); 1256 SSL_renegotiate(con); 1257 cbuf_len = 0; 1258 } else { 1259 cbuf_len = i; 1260 cbuf_off = 0; 1261 } 1262 1263 write_ssl = 1; 1264 read_tty = 0; 1265 } 1266 } 1267 1268 ret = 0; 1269 shut: 1270 if (in_init) 1271 print_stuff(bio_c_out, con, full_log); 1272 SSL_shutdown(con); 1273 shutdown(SSL_get_fd(con), SHUT_RD); 1274 close(SSL_get_fd(con)); 1275 end: 1276 if (con != NULL) { 1277 if (prexit != 0) 1278 print_stuff(bio_c_out, con, 1); 1279 SSL_free(con); 1280 } 1281 
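free(next_proto.data);
if (ctx != NULL)
	SSL_CTX_free(ctx);
if (cert)
	X509_free(cert);
if (key)
	EVP_PKEY_free(key);
free(pass);
if (vpm)
	X509_VERIFY_PARAM_free(vpm);
if (cbuf != NULL) {
	OPENSSL_cleanse(cbuf, BUFSIZZ);
	free(cbuf);
}
if (sbuf != NULL) {
	OPENSSL_cleanse(sbuf, BUFSIZZ);
	free(sbuf);
}
if (mbuf != NULL) {
	OPENSSL_cleanse(mbuf, BUFSIZZ);
	free(mbuf);
}
if (bio_c_out != NULL) {
	BIO_free(bio_c_out);
	bio_c_out = NULL;
}

return (ret);
}


/*
 * Print a human-readable summary of the connection `s` to `bio`.
 *
 * bio:  output BIO for the report (the SSL_DEBUG section writes to the
 *       file-level bio_c_out instead).
 * s:    the connection to describe.
 * full: when non-zero, also print the peer certificate chain, the server
 *       certificate, the acceptable client CA names, the shared cipher
 *       list and the handshake byte counts.
 *
 * The cipher, public key size, renegotiation support, NPN/ALPN result,
 * SRTP profile, session and (if a label was configured) exported keying
 * material are printed regardless of `full`.
 *
 * Certificate names and the NPN/ALPN protocol identifiers are supplied by
 * the peer and are written to `bio` as received, so treat the report as
 * untrusted text if it is displayed or parsed elsewhere.
 */
static void
print_stuff(BIO * bio, SSL * s, int full)
{
	X509 *peer = NULL;
	char *p;
	char buf[BUFSIZ];
	STACK_OF(X509) * sk;
	STACK_OF(X509_NAME) * sk2;
	const SSL_CIPHER *c;
	X509_NAME *xn;
	int j, i;
	unsigned char *exportedkeymat;

	if (full) {
		int got_a_chain = 0;

		sk = SSL_get_peer_cert_chain(s);
		if (sk != NULL) {
			got_a_chain = 1;	/* we don't have it for SSL2 (yet) */

			BIO_printf(bio, "---\nCertificate chain\n");
			for (i = 0; i < sk_X509_num(sk); i++) {
				X509_NAME_oneline(X509_get_subject_name(
				    sk_X509_value(sk, i)), buf, sizeof buf);
				BIO_printf(bio, "%2d s:%s\n", i, buf);
				X509_NAME_oneline(X509_get_issuer_name(
				    sk_X509_value(sk, i)), buf, sizeof buf);
				BIO_printf(bio, " i:%s\n", buf);
				if (c_showcerts)
					PEM_write_bio_X509(bio, sk_X509_value(sk, i));
			}
		}
		BIO_printf(bio, "---\n");
		/* Reference is released by the X509_free() at the end. */
		peer = SSL_get_peer_certificate(s);
		if (peer != NULL) {
			BIO_printf(bio, "Server certificate\n");
			/* Redundant if we showed the whole chain */
			if (!(c_showcerts && got_a_chain))
				PEM_write_bio_X509(bio, peer);
			X509_NAME_oneline(X509_get_subject_name(peer),
			    buf, sizeof buf);
			BIO_printf(bio, "subject=%s\n", buf);
			X509_NAME_oneline(X509_get_issuer_name(peer),
			    buf, sizeof buf);
			BIO_printf(bio, "issuer=%s\n", buf);
		} else
			BIO_printf(bio, "no peer certificate available\n");

		sk2 = SSL_get_client_CA_list(s);
		if ((sk2 != NULL) && (sk_X509_NAME_num(sk2) > 0)) {
			BIO_printf(bio, "---\nAcceptable client certificate CA names\n");
			for (i = 0; i < sk_X509_NAME_num(sk2); i++) {
				xn = sk_X509_NAME_value(sk2, i);
				X509_NAME_oneline(xn, buf, sizeof(buf));
				BIO_write(bio, buf, strlen(buf));
				BIO_write(bio, "\n", 1);
			}
		} else {
			BIO_printf(bio, "---\nNo client certificate CA names sent\n");
		}
		p = SSL_get_shared_ciphers(s, buf, sizeof buf);
		if (p != NULL) {
			/*
			 * This works only for SSL 2. In later protocol
			 * versions, the client does not know what other
			 * ciphers (in addition to the one to be used in the
			 * current connection) the server supports.
			 */
			int pad;

			BIO_printf(bio, "---\nCiphers common between both SSL endpoints:\n");
			j = i = 0;
			while (*p) {
				if (*p == ':') {
					/*
					 * Pad the column. The count goes
					 * negative for names longer than 15
					 * characters, so emit the spaces one
					 * at a time: a negative count writes
					 * nothing and no read depends on the
					 * length of a padding string.
					 */
					for (pad = 15 - j % 25; pad > 0; pad--)
						BIO_write(bio, " ", 1);
					i++;
					j = 0;
					/* three names per output row */
					BIO_write(bio, ((i % 3) ? " " : "\n"), 1);
				} else {
					BIO_write(bio, p, 1);
					j++;
				}
				p++;
			}
			BIO_write(bio, "\n", 1);
		}
		BIO_printf(bio, "---\nSSL handshake has read %ld bytes and written %ld bytes\n",
		    BIO_number_read(SSL_get_rbio(s)),
		    BIO_number_written(SSL_get_wbio(s)));
	}
	/* Fixed text, so write it without format-string interpretation. */
	BIO_puts(bio, SSL_cache_hit(s) ? "---\nReused, " : "---\nNew, ");
	c = SSL_get_current_cipher(s);
	BIO_printf(bio, "%s, Cipher is %s\n",
	    SSL_CIPHER_get_version(c),
	    SSL_CIPHER_get_name(c));
	/* peer is only set in the `full` branch above */
	if (peer != NULL) {
		EVP_PKEY *pktmp;
		pktmp = X509_get_pubkey(peer);
		BIO_printf(bio, "Server public key is %d bit\n",
		    EVP_PKEY_bits(pktmp));
		EVP_PKEY_free(pktmp);
	}
	BIO_printf(bio, "Secure Renegotiation IS%s supported\n",
	    SSL_get_secure_renegotiation_support(s) ? "" : " NOT");

	/* Compression is not supported and will always be none. */
	BIO_printf(bio, "Compression: NONE\n");
	BIO_printf(bio, "Expansion: NONE\n");

#ifdef SSL_DEBUG
	{
		/* Print out local port of connection: useful for debugging */
		int sock;
		struct sockaddr_in ladd;
		socklen_t ladd_size = sizeof(ladd);
		sock = SSL_get_fd(s);
		/* Only report the port when the lookup filled in ladd. */
		if (getsockname(sock, (struct sockaddr *) & ladd,
		    &ladd_size) == 0)
			BIO_printf(bio_c_out, "LOCAL PORT is %u\n",
			    ntohs(ladd.sin_port));
	}
#endif

	if (next_proto.status != -1) {
		const unsigned char *proto;
		unsigned int proto_len;
		SSL_get0_next_proto_negotiated(s, &proto, &proto_len);
		BIO_printf(bio, "Next protocol: (%d) ", next_proto.status);
		/* length-delimited bytes, written as received */
		BIO_write(bio, proto, proto_len);
		BIO_write(bio, "\n", 1);
	}
	{
		const unsigned char *proto;
		unsigned int proto_len;
		SSL_get0_alpn_selected(s, &proto, &proto_len);
		if (proto_len > 0) {
			BIO_printf(bio, "ALPN protocol: ");
			/* length-delimited bytes, written as received */
			BIO_write(bio, proto, proto_len);
			BIO_write(bio, "\n", 1);
		} else
			BIO_printf(bio, "No ALPN negotiated\n");
	}

#ifndef OPENSSL_NO_SRTP
	{
		SRTP_PROTECTION_PROFILE *srtp_profile = SSL_get_selected_srtp_profile(s);

		if (srtp_profile)
			BIO_printf(bio, "SRTP Extension negotiated, profile=%s\n",
			    srtp_profile->name);
	}
#endif

	SSL_SESSION_print(bio, SSL_get_session(s));
	if (keymatexportlabel != NULL) {
		BIO_printf(bio, "Keying material exporter:\n");
		BIO_printf(bio, " Label: '%s'\n", keymatexportlabel);
		BIO_printf(bio, " Length: %i bytes\n", keymatexportlen);
		exportedkeymat = malloc(keymatexportlen);
		if (exportedkeymat != NULL) {
			if (!SSL_export_keying_material(s, exportedkeymat,
			    keymatexportlen,
			    keymatexportlabel,
			    strlen(keymatexportlabel),
			    NULL, 0, 0)) {
				BIO_printf(bio, " Error\n");
			} else {
				BIO_printf(bio, " Keying material: ");
				for (i = 0; i < keymatexportlen; i++)
					BIO_printf(bio, "%02X",
					    exportedkeymat[i]);
				BIO_printf(bio, "\n");
			}
			/*
			 * Wipe the exported secret before releasing it, as
			 * the caller does for its I/O buffers.
			 */
			OPENSSL_cleanse(exportedkeymat, keymatexportlen);
			free(exportedkeymat);
		}
	}
	BIO_printf(bio, "---\n");
	if (peer != NULL)
		X509_free(peer);
	/* flush, or debugging output gets mixed with http response */
	(void) BIO_flush(bio);
}


/*
 * TLS status-request callback: print the stapled OCSP response, if any.
 *
 * s:   the connection whose status response is inspected.
 * arg: the output BIO (installed as the callback argument alongside this
 *      function).
 *
 * Returns 1 when no response was sent or when the response was decoded
 * and printed, and 0 when a response is present but does not parse.
 *
 * The response is only decoded and displayed. Nothing here checks its
 * signature, its validity period or the certificate status it reports,
 * and a missing response is accepted, so a return of 1 is not a
 * revocation verdict.
 */
static int
ocsp_resp_cb(SSL * s, void *arg)
{
	const unsigned char *p;
	int len;
	OCSP_RESPONSE *rsp;
	len = SSL_get_tlsext_status_ocsp_resp(s, &p);
	BIO_puts(arg, "OCSP response: ");
	if (!p) {
		BIO_puts(arg, "no response sent\n");
		return 1;
	}
	rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
	if (!rsp) {
		BIO_puts(arg, "response parse error\n");
		/* show the raw bytes so the malformed response can be examined */
		BIO_dump_indent(arg, (char *) p, len, 4);
		return 0;
	}
	BIO_puts(arg, "\n======================================\n");
	OCSP_RESPONSE_print(arg, rsp, 0);
	BIO_puts(arg, "======================================\n");
	OCSP_RESPONSE_free(rsp);
	return 1;
}
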