* Hudson (tjh@cryptsoft.com).
*
*/
+/* ====================================================================
+ * Copyright 2005 Nokia. All rights reserved.
+ *
+ * The portions of the attached software ("Contribution") is developed by
+ * Nokia Corporation and is licensed pursuant to the OpenSSL open source
+ * license.
+ *
+ * The Contribution, originally written by Mika Kousa and Pasi Eronen of
+ * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
+ * support (see RFC 4279) to OpenSSL.
+ *
+ * No patent licenses or other rights except those expressly stated in
+ * the OpenSSL open source license shall be deemed granted or received
+ * expressly, by implication, estoppel, or otherwise.
+ *
+ * No assurances are provided by Nokia that the Contribution does not
+ * infringe the patent or other intellectual property rights of any third
+ * party or that the license provides you with all the necessary rights
+ * to make use of the Contribution.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
+ * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
+ * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
+ * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
+ * OTHERWISE.
+ */
#include <assert.h>
+#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#undef FIONBIO
#endif
+#if defined(OPENSSL_SYS_BEOS_R5)
+#include <fcntl.h>
+#endif
+
#undef PROG
#define PROG s_client_main
extern int verify_depth;
extern int verify_error;
+extern int verify_return_error;
#ifdef FIONBIO
static int c_nbio=0;
static int c_quiet=0;
static int c_ign_eof=0;
+#ifndef OPENSSL_NO_PSK
+/* Default PSK identity and key */
+static char *psk_identity="Client_identity";
+static char *psk_key=NULL; /* by default PSK is not used */
+
+static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity,
+ unsigned int max_identity_len, unsigned char *psk,
+ unsigned int max_psk_len)
+ {
+ unsigned int psk_len = 0;
+ int ret;
+ BIGNUM *bn=NULL;
+
+ if (c_debug)
+ BIO_printf(bio_c_out, "psk_client_cb\n");
+ if (!hint)
+ {
+ /* no ServerKeyExchange message*/
+ if (c_debug)
+ BIO_printf(bio_c_out,"NULL received PSK identity hint, continuing anyway\n");
+ }
+ else if (c_debug)
+ BIO_printf(bio_c_out, "Received PSK identity hint '%s'\n", hint);
+
+ /* lookup PSK identity and PSK key based on the given identity hint here */
+ ret = BIO_snprintf(identity, max_identity_len, psk_identity);
+ if (ret < 0 || (unsigned int)ret > max_identity_len)
+ goto out_err;
+ if (c_debug)
+ BIO_printf(bio_c_out, "created identity '%s' len=%d\n", identity, ret);
+ ret=BN_hex2bn(&bn, psk_key);
+ if (!ret)
+ {
+ BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", psk_key);
+ if (bn)
+ BN_free(bn);
+ return 0;
+ }
+
+ if ((unsigned int)BN_num_bytes(bn) > max_psk_len)
+ {
+ BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n",
+ max_psk_len, BN_num_bytes(bn));
+ BN_free(bn);
+ return 0;
+ }
+
+ psk_len=BN_bn2bin(bn, psk);
+ BN_free(bn);
+ if (psk_len == 0)
+ goto out_err;
+
+ if (c_debug)
+ BIO_printf(bio_c_out, "created PSK len=%d\n", psk_len);
+
+ return psk_len;
+ out_err:
+ if (c_debug)
+ BIO_printf(bio_err, "Error in PSK client callback\n");
+ return 0;
+ }
+#endif
+
static void sc_usage(void)
{
BIO_printf(bio_err,"usage: s_client args\n");
BIO_printf(bio_err," -crlf - convert LF from terminal into CRLF\n");
BIO_printf(bio_err," -quiet - no s_client output\n");
BIO_printf(bio_err," -ign_eof - ignore input eof (default when -quiet)\n");
+#ifndef OPENSSL_NO_PSK
+ BIO_printf(bio_err," -psk_identity arg - PSK identity\n");
+ BIO_printf(bio_err," -psk arg - PSK in hex (without 0x)\n");
+#endif
BIO_printf(bio_err," -ssl2 - just use SSLv2\n");
BIO_printf(bio_err," -ssl3 - just use SSLv3\n");
BIO_printf(bio_err," -tls1 - just use TLSv1\n");
BIO_printf(bio_err," -starttls prot - use the STARTTLS command before starting TLS\n");
BIO_printf(bio_err," for those protocols that support it, where\n");
BIO_printf(bio_err," 'prot' defines which one to assume. Currently,\n");
- BIO_printf(bio_err," only \"smtp\" and \"pop3\" are supported.\n");
+ BIO_printf(bio_err," only \"smtp\", \"pop3\", \"imap\", and \"ftp\" are supported.\n");
#ifndef OPENSSL_NO_ENGINE
BIO_printf(bio_err," -engine id - Initialise and use the specified engine\n");
#endif
else
BIO_printf(bio_err,"Can't use SSL_get_servername\n");
- return 1;
+ return SSL_TLSEXT_ERR_OK;
}
#endif
+enum
+{
+ PROTO_OFF = 0,
+ PROTO_SMTP,
+ PROTO_POP3,
+ PROTO_IMAP,
+ PROTO_FTP
+};
+
int MAIN(int, char **);
int MAIN(int argc, char **argv)
{
int off=0;
- SSL *con=NULL,*con2=NULL;
+ SSL *con=NULL;
X509_STORE *store = NULL;
int s,k,width,state=0;
char *cbuf=NULL,*sbuf=NULL,*mbuf=NULL;
int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending;
SSL_CTX *ctx=NULL;
int ret=1,in_init=1,i,nbio_test=0;
- int starttls_proto = 0;
+ int starttls_proto = PROTO_OFF;
int prexit = 0, vflags = 0;
const SSL_METHOD *meth=NULL;
int socket_type=SOCK_STREAM;
BIO *sbio;
char *inrand=NULL;
+ int mbuf_len=0;
#ifndef OPENSSL_NO_ENGINE
char *engine_id=NULL;
ENGINE *e=NULL;
#endif
-#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE)
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
struct timeval tv;
+#if defined(OPENSSL_SYS_BEOS_R5)
+ int stdin_set = 0;
+#endif
#endif
#ifndef OPENSSL_NO_TLSEXT
vflags |= X509_V_FLAG_CRL_CHECK;
else if (strcmp(*argv,"-crl_check_all") == 0)
vflags |= X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL;
+ else if (strcmp(*argv,"-verify_return_error") == 0)
+ verify_return_error = 1;
else if (strcmp(*argv,"-prexit") == 0)
prexit=1;
else if (strcmp(*argv,"-crlf") == 0)
nbio_test=1;
else if (strcmp(*argv,"-state") == 0)
state=1;
+#ifndef OPENSSL_NO_PSK
+ else if (strcmp(*argv,"-psk_identity") == 0)
+ {
+ if (--argc < 1) goto bad;
+ psk_identity=*(++argv);
+ }
+ else if (strcmp(*argv,"-psk") == 0)
+ {
+ size_t j;
+
+ if (--argc < 1) goto bad;
+ psk_key=*(++argv);
+ for (j = 0; j < strlen(psk_key); j++)
+ {
+ if (isxdigit((int)psk_key[j]))
+ continue;
+ BIO_printf(bio_err,"Not a hex number '%s'\n",*argv);
+ goto bad;
+ }
+ }
+#endif
#ifndef OPENSSL_NO_SSL2
else if (strcmp(*argv,"-ssl2") == 0)
meth=SSLv2_client_method();
if (--argc < 1) goto bad;
++argv;
if (strcmp(*argv,"smtp") == 0)
- starttls_proto = 1;
+ starttls_proto = PROTO_SMTP;
else if (strcmp(*argv,"pop3") == 0)
- starttls_proto = 2;
+ starttls_proto = PROTO_POP3;
+ else if (strcmp(*argv,"imap") == 0)
+ starttls_proto = PROTO_IMAP;
+ else if (strcmp(*argv,"ftp") == 0)
+ starttls_proto = PROTO_FTP;
else
goto bad;
}
goto end;
}
+#ifndef OPENSSL_NO_PSK
+ if (psk_key != NULL)
+ {
+ if (c_debug)
+ BIO_printf(bio_c_out, "PSK key given, setting client callback\n");
+ SSL_CTX_set_psk_client_callback(ctx, psk_client_cb);
+ }
+#endif
if (bugs)
SSL_CTX_set_options(ctx,SSL_OP_ALL|off);
else
#ifndef OPENSSL_NO_TLSEXT
if (servername != NULL)
{
- if (!SSL_set_tlsext_hostname(con,servername))
+ if (!SSL_set_tlsext_host_name(con,servername))
{
BIO_printf(bio_err,"Unable to set TLS servername extension.\n");
ERR_print_errors(bio_err);
{
con->debug=1;
BIO_set_callback(sbio,bio_dump_callback);
- BIO_set_callback_arg(sbio,bio_c_out);
+ BIO_set_callback_arg(sbio,(char *)bio_c_out);
}
if (c_msg)
{
sbuf_off=0;
/* This is an ugly hack that does a lot of assumptions */
- if (starttls_proto == 1)
+ /* We do have to handle multi-line responses which may come
+ in a single packet or not. We therefore have to use
+ BIO_gets() which does need a buffering BIO. So during
+ the initial chitchat we do push a buffering BIO into the
+ chain that is removed again later on to not disturb the
+ rest of the s_client operation. */
+ if (starttls_proto == PROTO_SMTP)
{
- BIO_read(sbio,mbuf,BUFSIZZ);
+ int foundit=0;
+ BIO *fbio = BIO_new(BIO_f_buffer());
+ BIO_push(fbio, sbio);
+ /* wait for multi-line response to end from SMTP */
+ do
+ {
+ mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
+ }
+ while (mbuf_len>3 && mbuf[3]=='-');
+ /* STARTTLS command requires EHLO... */
+ BIO_printf(fbio,"EHLO openssl.client.net\r\n");
+ BIO_flush(fbio);
+ /* wait for multi-line response to end EHLO SMTP response */
+ do
+ {
+ mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
+ if (strstr(mbuf,"STARTTLS"))
+ foundit=1;
+ }
+ while (mbuf_len>3 && mbuf[3]=='-');
+ BIO_flush(fbio);
+ BIO_pop(fbio);
+ BIO_free(fbio);
+ if (!foundit)
+ BIO_printf(bio_err,
+ "didn't found starttls in server response,"
+ " try anyway...\n");
BIO_printf(sbio,"STARTTLS\r\n");
BIO_read(sbio,sbuf,BUFSIZZ);
}
- if (starttls_proto == 2)
+ else if (starttls_proto == PROTO_POP3)
{
BIO_read(sbio,mbuf,BUFSIZZ);
BIO_printf(sbio,"STLS\r\n");
BIO_read(sbio,sbuf,BUFSIZZ);
}
+ else if (starttls_proto == PROTO_IMAP)
+ {
+ int foundit=0;
+ BIO *fbio = BIO_new(BIO_f_buffer());
+ BIO_push(fbio, sbio);
+ BIO_gets(fbio,mbuf,BUFSIZZ);
+ /* STARTTLS command requires CAPABILITY... */
+ BIO_printf(fbio,". CAPABILITY\r\n");
+ BIO_flush(fbio);
+ /* wait for multi-line CAPABILITY response */
+ do
+ {
+ mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
+ if (strstr(mbuf,"STARTTLS"))
+ foundit=1;
+ }
+ while (mbuf_len>3 && mbuf[0]!='.');
+ BIO_flush(fbio);
+ BIO_pop(fbio);
+ BIO_free(fbio);
+ if (!foundit)
+ BIO_printf(bio_err,
+ "didn't found STARTTLS in server response,"
+ " try anyway...\n");
+ BIO_printf(sbio,". STARTTLS\r\n");
+ BIO_read(sbio,sbuf,BUFSIZZ);
+ }
+ else if (starttls_proto == PROTO_FTP)
+ {
+ BIO *fbio = BIO_new(BIO_f_buffer());
+ BIO_push(fbio, sbio);
+ /* wait for multi-line response to end from FTP */
+ do
+ {
+ mbuf_len = BIO_gets(fbio,mbuf,BUFSIZZ);
+ }
+ while (mbuf_len>3 && mbuf[3]=='-');
+ BIO_flush(fbio);
+ BIO_pop(fbio);
+ BIO_free(fbio);
+ BIO_printf(sbio,"AUTH TLS\r\n");
+ BIO_read(sbio,sbuf,BUFSIZZ);
+ }
for (;;)
{
{
in_init=0;
#ifndef OPENSSL_NO_TLSEXT
- if (servername != NULL && !SSL_session_reused(con))
- {
- BIO_printf(bio_c_out,"Server did %sacknowledge servername extension.\n",tlsextcbp.ack?"":"not ");
- }
+ if (servername != NULL && !SSL_session_reused(con))
+ {
+ BIO_printf(bio_c_out,"Server did %sacknowledge servername extension.\n",tlsextcbp.ack?"":"not ");
+ }
#endif
print_stuff(bio_c_out,con,full_log);
if (full_log > 0) full_log--;
{
BIO_printf(bio_err,"%s",mbuf);
/* We don't need to know any more */
- starttls_proto = 0;
+ starttls_proto = PROTO_OFF;
}
if (reconnect)
if (!ssl_pending)
{
-#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE)
+#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE) && !defined (OPENSSL_SYS_BEOS_R5)
if (tty_on)
{
- if (read_tty) FD_SET(fileno(stdin),&readfds);
- if (write_tty) FD_SET(fileno(stdout),&writefds);
+ if (read_tty) openssl_fdset(fileno(stdin),&readfds);
+ if (write_tty) openssl_fdset(fileno(stdout),&writefds);
}
if (read_ssl)
- FD_SET(SSL_get_fd(con),&readfds);
+ openssl_fdset(SSL_get_fd(con),&readfds);
if (write_ssl)
- FD_SET(SSL_get_fd(con),&writefds);
+ openssl_fdset(SSL_get_fd(con),&writefds);
#else
if(!tty_on || !write_tty) {
if (read_ssl)
- FD_SET(SSL_get_fd(con),&readfds);
+ openssl_fdset(SSL_get_fd(con),&readfds);
if (write_ssl)
- FD_SET(SSL_get_fd(con),&writefds);
+ openssl_fdset(SSL_get_fd(con),&writefds);
}
#endif
/* printf("mode tty(%d %d%d) ssl(%d%d)\n",
} else i=select(width,(void *)&readfds,(void *)&writefds,
NULL,NULL);
}
+#elif defined(OPENSSL_SYS_BEOS_R5)
+ /* Under BeOS-R5 the situation is similar to DOS */
+ i=0;
+ stdin_set = 0;
+ (void)fcntl(fileno(stdin), F_SETFL, O_NONBLOCK);
+ if(!write_tty) {
+ if(read_tty) {
+ tv.tv_sec = 1;
+ tv.tv_usec = 0;
+ i=select(width,(void *)&readfds,(void *)&writefds,
+ NULL,&tv);
+ if (read(fileno(stdin), sbuf, 0) >= 0)
+ stdin_set = 1;
+ if (!i && (stdin_set != 1 || !read_tty))
+ continue;
+ } else i=select(width,(void *)&readfds,(void *)&writefds,
+ NULL,NULL);
+ }
+ (void)fcntl(fileno(stdin), F_SETFL, 0);
#else
i=select(width,(void *)&readfds,(void *)&writefds,
NULL,NULL);
goto shut;
}
}
-#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE)
- /* Assume Windows/DOS can always write */
+#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
+ /* Assume Windows/DOS/BeOS can always write */
else if (!ssl_pending && write_tty)
#else
else if (!ssl_pending && FD_ISSET(fileno(stdout),&writefds))
#endif
#elif defined (OPENSSL_SYS_NETWARE)
else if (_kbhit())
+#elif defined(OPENSSL_SYS_BEOS_R5)
+ else if (stdin_set)
#else
else if (FD_ISSET(fileno(stdin),&readfds))
#endif
}
}
shut:
+ if (in_init)
+ print_stuff(bio_c_out,con,full_log);
SSL_shutdown(con);
SHUTDOWN(SSL_get_fd(con));
ret=0;
end:
- if(prexit) print_stuff(bio_c_out,con,1);
- if (con != NULL) SSL_free(con);
- if (con2 != NULL) SSL_free(con2);
+ if (con != NULL)
+ {
+ if (prexit != 0)
+ print_stuff(bio_c_out,con,1);
+ SSL_free(con);
+ }
if (ctx != NULL) SSL_CTX_free(ctx);
if (cert)
X509_free(cert);