* https://www.openssl.org/source/license.html
*/
+#include "e_os.h"
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
typedef unsigned int u_int;
#endif
-#define USE_SOCKETS
#include "apps.h"
#include <openssl/x509.h>
#include <openssl/ssl.h>
#endif
#include "s_apps.h"
#include "timeouts.h"
+#include "internal/sockets.h"
#if defined(__has_feature)
# if __has_feature(memory_sanitizer)
static BIO *bio_c_out = NULL;
static int c_quiet = 0;
static char *sess_out = NULL;
+static SSL_SESSION *psksess = NULL;
static void print_stuff(BIO *berr, SSL *con, int full);
#ifndef OPENSSL_NO_OCSP
} while (ret < 0);
}
-#ifndef OPENSSL_NO_PSK
/* Default PSK identity and key */
static char *psk_identity = "Client_identity";
+#ifndef OPENSSL_NO_PSK
static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity,
unsigned int max_identity_len,
unsigned char *psk,
}
#endif
+const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 };
+const unsigned char tls13_aes256gcmsha384_id[] = { 0x13, 0x02 };
+
+static int psk_use_session_cb(SSL *s, const EVP_MD *md,
+ const unsigned char **id, size_t *idlen,
+ SSL_SESSION **sess)
+{
+ SSL_SESSION *usesess = NULL;
+ const SSL_CIPHER *cipher = NULL;
+
+ if (psksess != NULL) {
+ SSL_SESSION_up_ref(psksess);
+ usesess = psksess;
+ } else {
+ long key_len;
+ unsigned char *key = OPENSSL_hexstr2buf(psk_key, &key_len);
+
+ if (key == NULL) {
+ BIO_printf(bio_err, "Could not convert PSK key '%s' to buffer\n",
+ psk_key);
+ return 0;
+ }
+
+ if (key_len == EVP_MD_size(EVP_sha256()))
+ cipher = SSL_CIPHER_find(s, tls13_aes128gcmsha256_id);
+ else if(key_len == EVP_MD_size(EVP_sha384()))
+ cipher = SSL_CIPHER_find(s, tls13_aes256gcmsha384_id);
+
+ if (cipher == NULL) {
+ /* Doesn't look like a suitable TLSv1.3 key. Ignore it */
+ OPENSSL_free(key);
+ *id = NULL;
+ *idlen = 0;
+ *sess = NULL;
+ return 0;
+ }
+ usesess = SSL_SESSION_new();
+ if (usesess == NULL
+ || !SSL_SESSION_set1_master_key(usesess, key, key_len)
+ || !SSL_SESSION_set_cipher(usesess, cipher)
+ || !SSL_SESSION_set_protocol_version(usesess, TLS1_3_VERSION)) {
+ OPENSSL_free(key);
+ goto err;
+ }
+ OPENSSL_free(key);
+ }
+
+ cipher = SSL_SESSION_get0_cipher(usesess);
+ if (cipher == NULL)
+ goto err;
+
+ if (md != NULL && SSL_CIPHER_get_handshake_digest(cipher) != md) {
+ /* PSK not usable, ignore it */
+ *id = NULL;
+ *idlen = 0;
+ *sess = NULL;
+ SSL_SESSION_free(usesess);
+ } else {
+ *sess = usesess;
+ *id = (unsigned char *)psk_identity;
+ *idlen = strlen(psk_identity);
+ }
+
+ return 1;
+
+ err:
+ SSL_SESSION_free(usesess);
+ return 0;
+}
+
/* This is a context that we pass to callbacks */
typedef struct tlsextctx_st {
BIO *biodebug;
OPT_CERT, OPT_CRL, OPT_CRL_DOWNLOAD, OPT_SESS_OUT, OPT_SESS_IN,
OPT_CERTFORM, OPT_CRLFORM, OPT_VERIFY_RET_ERROR, OPT_VERIFY_QUIET,
OPT_BRIEF, OPT_PREXIT, OPT_CRLF, OPT_QUIET, OPT_NBIO,
- OPT_SSL_CLIENT_ENGINE, OPT_RAND, OPT_IGN_EOF, OPT_NO_IGN_EOF,
+ OPT_SSL_CLIENT_ENGINE, OPT_IGN_EOF, OPT_NO_IGN_EOF,
OPT_DEBUG, OPT_TLSEXTDEBUG, OPT_STATUS, OPT_WDEBUG,
OPT_MSG, OPT_MSGFILE, OPT_ENGINE, OPT_TRACE, OPT_SECURITY_DEBUG,
OPT_SECURITY_DEBUG_VERBOSE, OPT_SHOWCERTS, OPT_NBIO_TEST, OPT_STATE,
-#ifndef OPENSSL_NO_PSK
- OPT_PSK_IDENTITY, OPT_PSK,
-#endif
+ OPT_PSK_IDENTITY, OPT_PSK, OPT_PSK_SESS,
#ifndef OPENSSL_NO_SRP
OPT_SRPUSER, OPT_SRPPASS, OPT_SRP_STRENGTH, OPT_SRP_LATEUSER,
OPT_SRP_MOREGROUPS,
#ifndef OPENSSL_NO_CT
OPT_CT, OPT_NOCT, OPT_CTLOG_FILE,
#endif
- OPT_DANE_TLSA_RRDATA, OPT_DANE_EE_NO_NAME
+ OPT_DANE_TLSA_RRDATA, OPT_DANE_EE_NO_NAME,
+ OPT_R_ENUM
} OPTION_CHOICE;
const OPTIONS s_client_options[] = {
"Use the appropriate STARTTLS command before starting TLS"},
{"xmpphost", OPT_XMPPHOST, 's',
"Host to use with \"-starttls xmpp[-server]\""},
- {"rand", OPT_RAND, 's',
- "Load the file(s) into the random number generator"},
+ OPT_R_OPTIONS,
{"sess_out", OPT_SESS_OUT, '>', "File to write SSL session to"},
{"sess_in", OPT_SESS_IN, '<', "File to read SSL session from"},
{"use_srtp", OPT_USE_SRTP, 's',
{"wdebug", OPT_WDEBUG, '-', "WATT-32 tcp debugging"},
#endif
{"nbio", OPT_NBIO, '-', "Use non-blocking IO"},
-#ifndef OPENSSL_NO_PSK
{"psk_identity", OPT_PSK_IDENTITY, 's', "PSK identity"},
{"psk", OPT_PSK, 's', "PSK in hex (without 0x)"},
-#endif
+ {"psk_session", OPT_PSK_SESS, '<', "File to read PSK SSL session from"},
#ifndef OPENSSL_NO_SRP
{"srpuser", OPT_SRPUSER, 's', "SRP authentication for 'user'"},
{"srppass", OPT_SRPPASS, 's', "Password for 'user'"},
char *cert_file = NULL, *key_file = NULL, *chain_file = NULL;
char *chCApath = NULL, *chCAfile = NULL, *host = NULL;
char *port = OPENSSL_strdup(PORT);
- char *inrand = NULL;
char *passarg = NULL, *pass = NULL, *vfyCApath = NULL, *vfyCAfile = NULL;
char *ReqCAfile = NULL;
char *sess_in = NULL, *crl_file = NULL, *p;
#endif
int read_buf_len = 0;
int fallback_scsv = 0;
- long randamt = 0;
OPTION_CHOICE o;
#ifndef OPENSSL_NO_DTLS
int enable_timeouts = 0;
#ifndef OPENSSL_NO_DTLS
int isdtls = 0;
#endif
+ char *psksessf = NULL;
FD_ZERO(&readfds);
FD_ZERO(&writefds);
}
#endif
break;
- case OPT_RAND:
- inrand = opt_arg();
+ case OPT_R_CASES:
+ if (!opt_rand(o))
+ goto end;
break;
case OPT_IGN_EOF:
c_ign_eof = 1;
case OPT_STATE:
state = 1;
break;
-#ifndef OPENSSL_NO_PSK
case OPT_PSK_IDENTITY:
psk_identity = opt_arg();
break;
goto end;
}
break;
-#endif
+ case OPT_PSK_SESS:
+ psksessf = opt_arg();
+ break;
#ifndef OPENSSL_NO_SRP
case OPT_SRPUSER:
srp_arg.srplogin = opt_arg();
goto opthelp;
}
connect_type = use_inet;
- connectstr = *opt_rest();
+ freeandcopy(&connectstr, *opt_rest());
} else if (argc != 0) {
goto opthelp;
}
}
}
+#ifdef AF_UNIX
if (socket_family == AF_UNIX && socket_type != SOCK_STREAM) {
BIO_printf(bio_err,
"Can't use unix sockets and datagrams together\n");
goto end;
}
+#endif
#ifndef OPENSSL_NO_SCTP
if (protocol == IPPROTO_SCTP) {
if (!load_excert(&exc))
goto end;
- if (!app_RAND_load_file(NULL, 1) && inrand == NULL
- && !RAND_status()) {
- BIO_printf(bio_err,
- "warning, not much extra random data, consider using the -rand option\n");
- }
- if (inrand != NULL) {
- randamt = app_RAND_load_files(inrand);
- BIO_printf(bio_err, "%ld semi-random bytes loaded\n", randamt);
- }
-
if (bio_c_out == NULL) {
if (c_quiet && !c_debug) {
bio_c_out = BIO_new(BIO_s_null());
SSL_CTX_set_psk_client_callback(ctx, psk_client_cb);
}
#endif
+ if (psksessf != NULL) {
+ BIO *stmp = BIO_new_file(psksessf, "r");
+
+ if (stmp == NULL) {
+ BIO_printf(bio_err, "Can't open PSK session file %s\n", psksessf);
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+ psksess = PEM_read_bio_SSL_SESSION(stmp, NULL, 0, NULL);
+ BIO_free(stmp);
+ if (psksess == NULL) {
+ BIO_printf(bio_err, "Can't read PSK session file %s\n", psksessf);
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+ }
+ if (psk_key != NULL || psksess != NULL)
+ SSL_CTX_set_psk_use_session_callback(ctx, psk_use_session_cb);
+
#ifndef OPENSSL_NO_SRTP
if (srtp_profiles != NULL) {
/* Returns 0 on success! */
ERR_print_errors(bio_err);
goto end;
}
+ /* By default the SNI should be the same as was set in the session */
+ if (!noservername && servername == NULL) {
+ const char *sni = SSL_SESSION_get0_hostname(sess);
+
+ if (sni != NULL) {
+ servername = OPENSSL_strdup(sni);
+ if (servername == NULL) {
+ BIO_printf(bio_err, "Can't set server name\n");
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+ } else {
+ /*
+ * Force no SNI to be sent so we are consistent with the
+ * session.
+ */
+ noservername = 1;
+ }
+ }
SSL_SESSION_free(sess);
}
} else if (packet[pos++] == '\0') {
break;
}
- pos++;
}
- /* make sure we have more 15 bytes left in the packet */
+ /* make sure we have at least 15 bytes left in the packet */
if (pos + 15 > bytes) {
BIO_printf(bio_err,
"MySQL server handshake packet is broken.\n");
}
if (early_data_file != NULL
- && SSL_get0_session(con) != NULL
- && SSL_SESSION_get_max_early_data(SSL_get0_session(con)) > 0) {
+ && ((SSL_get0_session(con) != NULL
+ && SSL_SESSION_get_max_early_data(SSL_get0_session(con)) > 0)
+ || (psksess != NULL
+ && SSL_SESSION_get_max_early_data(psksess) > 0))) {
BIO *edfile = BIO_new_file(early_data_file, "r");
size_t readbytes, writtenbytes;
int finish = 0;
default:
BIO_printf(bio_err, "Error writing early data\n");
BIO_free(edfile);
+ ERR_print_errors(bio_err);
goto shut;
}
}
print_stuff(bio_c_out, con, 1);
SSL_free(con);
}
+ SSL_SESSION_free(psksess);
#if !defined(OPENSSL_NO_NEXTPROTONEG)
OPENSSL_free(next_proto.data);
#endif
projects / openssl.git / blobdiff