/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2005 Nokia. All rights reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* https://www.openssl.org/source/license.html
*/
-/* ====================================================================
- * Copyright 2005 Nokia. All rights reserved.
- *
- * The portions of the attached software ("Contribution") is developed by
- * Nokia Corporation and is licensed pursuant to the OpenSSL open source
- * license.
- *
- * The Contribution, originally written by Mika Kousa and Pasi Eronen of
- * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
- * support (see RFC 4279) to OpenSSL.
- *
- * No patent licenses or other rights except those expressly stated in
- * the OpenSSL open source license shall be deemed granted or received
- * expressly, by implication, estoppel, or otherwise.
- *
- * No assurances are provided by Nokia that the Contribution does not
- * infringe the patent or other intellectual property rights of any third
- * party or that the license provides you with all the necessary rights
- * to make use of the Contribution.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
- * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
- * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
- * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
- * OTHERWISE.
- */
-
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
if (c_debug)
BIO_printf(bio_c_out,
"NULL received PSK identity hint, continuing anyway\n");
- } else if (c_debug)
+ } else if (c_debug) {
BIO_printf(bio_c_out, "Received PSK identity hint '%s'\n", hint);
+ }
/*
* lookup PSK identity and PSK key based on the given identity hint here
"CA file for certificate verification (PEM format)"},
{"nocommands", OPT_NOCMDS, '-', "Do not use interactive command letters"},
{"servername", OPT_SERVERNAME, 's',
- "Set TLS extension servername in ClientHello"},
+ "Set TLS extension servername (SNI) in ClientHello (default)"},
{"noservername", OPT_NOSERVERNAME, '-',
"Do not send the server name (SNI) extension in the ClientHello"},
{"tlsextdebug", OPT_TLSEXTDEBUG, '-',
{"async", OPT_ASYNC, '-', "Support asynchronous operation"},
{"ssl_config", OPT_SSL_CONFIG, 's', "Use specified configuration file"},
{"max_send_frag", OPT_MAX_SEND_FRAG, 'p', "Maximum Size of send frames "},
- {"split_send_frag", OPT_SPLIT_SEND_FRAG, 'n',
+ {"split_send_frag", OPT_SPLIT_SEND_FRAG, 'p',
"Size used to split data for encrypt pipelines"},
- {"max_pipelines", OPT_MAX_PIPELINES, 'n',
+ {"max_pipelines", OPT_MAX_PIPELINES, 'p',
"Maximum number of encrypt/decrypt pipelines to be used"},
- {"read_buf", OPT_READ_BUF, 'n',
+ {"read_buf", OPT_READ_BUF, 'p',
"Default read buffer size to be used for connections"},
OPT_S_OPTIONS,
OPT_V_OPTIONS,
PROTO_XMPP_SERVER,
PROTO_CONNECT,
PROTO_IRC,
+ PROTO_MYSQL,
PROTO_POSTGRES,
PROTO_LMTP,
PROTO_NNTP,
{"xmpp-server", PROTO_XMPP_SERVER},
{"telnet", PROTO_TELNET},
{"irc", PROTO_IRC},
+ {"mysql", PROTO_MYSQL},
{"postgres", PROTO_POSTGRES},
{"lmtp", PROTO_LMTP},
{"nntp", PROTO_NNTP},
int min_version = 0, max_version = 0, prot_opt = 0, no_prot_opt = 0;
int async = 0;
unsigned int max_send_fragment = 0;
- unsigned int split_send_fragment = 0, max_pipelines = 0;
+ unsigned int split_send_fragment = 0, max_pipelines = 0;
enum { use_inet, use_unix, use_unknown } connect_type = use_unknown;
int count4or6 = 0;
int c_nbio = 0, c_msg = 0, c_ign_eof = 0, c_brief = 0;
break;
case OPT_MAX_SEND_FRAG:
max_send_fragment = atoi(opt_arg());
- if (max_send_fragment == 0) {
- /*
- * Not allowed - set to a deliberately bad value so we get an
- * error message below
- */
- max_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH + 1;
- }
break;
case OPT_SPLIT_SEND_FRAG:
split_send_fragment = atoi(opt_arg());
- if (split_send_fragment == 0) {
- /*
- * Not allowed - set to a deliberately bad value so we get an
- * error message below
- */
- split_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH + 1;
- }
break;
case OPT_MAX_PIPELINES:
max_pipelines = atoi(opt_arg());
}
}
argc = opt_num_rest();
- if (argc != 0)
+ if (argc == 1) {
+ /* If there's a positional argument, it's the equivalent of
+ * OPT_CONNECT.
+ * Don't allow -connect and a separate argument.
+ */
+ if (connectstr != NULL) {
+ BIO_printf(bio_err,
+ "%s: must not provide both -connect option and target parameter\n",
+ prog);
+ goto opthelp;
+ }
+ connect_type = use_inet;
+ connectstr = *opt_rest();
+ } else if (argc != 0) {
goto opthelp;
+ }
- if (proxystr) {
+#ifndef OPENSSL_NO_NEXTPROTONEG
+ if (min_version == TLS1_3_VERSION && next_proto_neg_in != NULL) {
+ BIO_printf(bio_err, "Cannot supply -nextprotoneg with TLSv1.3\n");
+ goto opthelp;
+ }
+#endif
+ if (proxystr != NULL) {
int res;
char *tmp_host = host, *tmp_port = port;
if (connectstr == NULL) {
- BIO_printf(bio_err, "%s: -proxy requires use of -connect\n", prog);
+ BIO_printf(bio_err, "%s: -proxy requires use of -connect or target parameter\n", prog);
goto opthelp;
}
res = BIO_parse_hostserv(proxystr, &host, &port, BIO_PARSE_PRIO_HOST);
OPENSSL_free(tmp_port);
if (!res) {
BIO_printf(bio_err,
- "%s: -connect argument malformed or ambiguous\n",
+ "%s: -connect argument or target parameter malformed or ambiguous\n",
prog);
goto end;
}
socket_type = SOCK_STREAM;
}
#endif
- if (max_send_fragment > SSL3_RT_MAX_PLAIN_LENGTH) {
- BIO_printf(bio_err, "%s: Bad max send fragment size\n", prog);
- goto end;
- }
-
- if (split_send_fragment > SSL3_RT_MAX_PLAIN_LENGTH) {
- BIO_printf(bio_err, "%s: Bad split send fragment size\n", prog);
- goto end;
- }
-
- if (max_pipelines > SSL_MAX_PIPELINES) {
- BIO_printf(bio_err, "%s: Bad max pipelines value\n", prog);
- goto end;
- }
#if !defined(OPENSSL_NO_NEXTPROTONEG)
next_proto.status = -1;
if (key_file == NULL)
key_file = cert_file;
- if (key_file) {
+ if (key_file != NULL) {
key = load_key(key_file, key_format, 0, pass, e,
"client certificate private key file");
if (key == NULL) {
}
}
- if (cert_file) {
+ if (cert_file != NULL) {
cert = load_cert(cert_file, cert_format, "client certificate file");
if (cert == NULL) {
ERR_print_errors(bio_err);
}
}
- if (chain_file) {
+ if (chain_file != NULL) {
if (!load_certs(chain_file, &chain, FORMAT_PEM, NULL,
"client certificate chain"))
goto end;
}
- if (crl_file) {
+ if (crl_file != NULL) {
X509_CRL *crl;
crl = load_crl(crl_file, crl_format);
if (crl == NULL) {
if (bio_c_out == NULL) {
if (c_quiet && !c_debug) {
bio_c_out = BIO_new(BIO_s_null());
- if (c_msg && !bio_c_msg)
+ if (c_msg && bio_c_msg == NULL)
bio_c_msg = dup_bio_out(FORMAT_TEXT);
} else if (bio_c_out == NULL)
bio_c_out = dup_bio_out(FORMAT_TEXT);
if (sdebug)
ssl_ctx_security_debug(ctx, sdebug);
- if (ssl_config) {
+ if (ssl_config != NULL) {
if (SSL_CTX_config(ctx, ssl_config) == 0) {
BIO_printf(bio_err, "Error using configuration \"%s\"\n",
ssl_config);
SSL_CTX_set_mode(ctx, SSL_MODE_ASYNC);
}
- if (max_send_fragment > 0)
- SSL_CTX_set_max_send_fragment(ctx, max_send_fragment);
+ if (max_send_fragment > 0
+ && !SSL_CTX_set_max_send_fragment(ctx, max_send_fragment)) {
+ BIO_printf(bio_err, "%s: Max send fragment size %u is out of permitted range\n",
+ prog, max_send_fragment);
+ goto end;
+ }
- if (split_send_fragment > 0) {
- SSL_CTX_set_split_send_fragment(ctx, split_send_fragment);
+ if (split_send_fragment > 0
+ && !SSL_CTX_set_split_send_fragment(ctx, split_send_fragment)) {
+ BIO_printf(bio_err, "%s: Split send fragment size %u is out of permitted range\n",
+ prog, split_send_fragment);
+ goto end;
}
- if (max_pipelines > 0) {
- SSL_CTX_set_max_pipelines(ctx, max_pipelines);
+
+ if (max_pipelines > 0
+ && !SSL_CTX_set_max_pipelines(ctx, max_pipelines)) {
+ BIO_printf(bio_err, "%s: Max pipelines %u is out of permitted range\n",
+ prog, max_pipelines);
+ goto end;
}
if (read_buf_len > 0) {
}
#endif
- if (exc)
+ if (exc != NULL)
ssl_ctx_set_excert(ctx, exc);
#if !defined(OPENSSL_NO_NEXTPROTONEG)
- if (next_proto.data)
+ if (next_proto.data != NULL)
SSL_CTX_set_next_proto_select_cb(ctx, next_proto_cb, &next_proto);
#endif
if (alpn_in) {
* come at any time. Therefore we use a callback to write out the session
* when we know about it. This approach works for < TLSv1.3 as well.
*/
- if (sess_out) {
+ if (sess_out != NULL) {
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_CLIENT
| SSL_SESS_CACHE_NO_INTERNAL_STORE);
SSL_CTX_sess_set_new_cb(ctx, new_session_cb);
goto end;
con = SSL_new(ctx);
- if (sess_in) {
+ if (sess_in != NULL) {
SSL_SESSION *sess;
BIO *stmp = BIO_new_file(sess_in, "r");
- if (!stmp) {
+ if (stmp == NULL) {
BIO_printf(bio_err, "Can't open session file %s\n", sess_in);
ERR_print_errors(bio_err);
goto end;
}
sess = PEM_read_bio_SSL_SESSION(stmp, NULL, 0, NULL);
BIO_free(stmp);
- if (!sess) {
+ if (sess == NULL) {
BIO_printf(bio_err, "Can't open session file %s\n", sess_in);
ERR_print_errors(bio_err);
goto end;
BIO_free(sbio);
goto shut;
}
- } else
+ } else {
/* want to do MTU discovery */
BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL);
+ }
} else
#endif /* OPENSSL_NO_DTLS */
sbio = BIO_new_socket(s, BIO_NOCLOSE);
* HTTP/d.d ddd Reason text\r\n
*/
mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ);
+ if (mbuf_len < (int)strlen("HTTP/1.0 200")) {
+ BIO_printf(bio_err,
+ "%s: HTTP CONNECT failed, insufficient response "
+ "from proxy (got %d octets)\n", prog, mbuf_len);
+ (void)BIO_flush(fbio);
+ BIO_pop(fbio);
+ BIO_free(fbio);
+ goto shut;
+ }
if (mbuf[8] != ' ') {
BIO_printf(bio_err,
"%s: HTTP CONNECT failed, incorrect response "
}
}
break;
+ case PROTO_MYSQL:
+ {
+ /* SSL request packet */
+ static const unsigned char ssl_req[] = {
+ /* payload_length, sequence_id */
+ 0x20, 0x00, 0x00, 0x01,
+ /* payload */
+ /* capability flags, CLIENT_SSL always set */
+ 0x85, 0xae, 0x7f, 0x00,
+ /* max-packet size */
+ 0x00, 0x00, 0x00, 0x01,
+ /* character set */
+ 0x21,
+ /* string[23] reserved (all [0]) */
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+ };
+ int bytes = 0;
+ int ssl_flg = 0x800;
+ int pos;
+ const unsigned char *packet = (const unsigned char *)sbuf;
+
+ /* Receiving Initial Handshake packet. */
+ bytes = BIO_read(sbio, (void *)packet, BUFSIZZ);
+ if (bytes < 0) {
+ BIO_printf(bio_err, "BIO_read failed\n");
+ goto shut;
+ /* Packet length[3], Packet number[1] + minimum payload[17] */
+ } else if (bytes < 21) {
+ BIO_printf(bio_err, "MySQL packet too short.\n");
+ goto shut;
+ } else if (bytes != (4 + packet[0] +
+ (packet[1] << 8) +
+ (packet[2] << 16))) {
+ BIO_printf(bio_err, "MySQL packet length does not match.\n");
+ goto shut;
+ /* protocol version[1] */
+ } else if (packet[4] != 0xA) {
+ BIO_printf(bio_err,
+ "Only MySQL protocol version 10 is supported.\n");
+ goto shut;
+ }
+
+ pos = 5;
+ /* server version[string+NULL] */
+ for (;;) {
+ if (pos >= bytes) {
+ BIO_printf(bio_err, "Cannot confirm server version. ");
+ goto shut;
+ } else if (packet[pos++] == '\0') {
+ break;
+ }
+ pos++;
+ }
+
+ /* make sure we have more 15 bytes left in the packet */
+ if (pos + 15 > bytes) {
+ BIO_printf(bio_err,
+ "MySQL server handshake packet is broken.\n");
+ goto shut;
+ }
+
+ pos += 12; /* skip over conn id[4] + SALT[8] */
+ if (packet[pos++] != '\0') { /* verify filler */
+ BIO_printf(bio_err,
+ "MySQL packet is broken.\n");
+ goto shut;
+ }
+
+ /* capability flags[2] */
+ if (!((packet[pos] + (packet[pos + 1] << 8)) & ssl_flg)) {
+ BIO_printf(bio_err, "MySQL server does not support SSL.\n");
+ goto shut;
+ }
+
+ /* Sending SSL Handshake packet. */
+ BIO_write(sbio, ssl_req, sizeof(ssl_req));
+ (void)BIO_flush(sbio);
+ }
+ break;
case PROTO_POSTGRES:
{
static const unsigned char ssl_request[] = {
OCSP_RESPONSE *rsp;
len = SSL_get_tlsext_status_ocsp_resp(s, &p);
BIO_puts(arg, "OCSP response: ");
- if (!p) {
+ if (p == NULL) {
BIO_puts(arg, "no response sent\n");
return 1;
}
rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
- if (!rsp) {
+ if (rsp == NULL) {
BIO_puts(arg, "response parse error\n");
BIO_dump_indent(arg, (char *)p, len, 4);
return 0;