/*
- * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
* Copyright 2005 Nokia. All rights reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
#endif
#include "apps.h"
+#include "progs.h"
#include <openssl/x509.h>
#include <openssl/ssl.h>
#include <openssl/err.h>
if (key_len == EVP_MD_size(EVP_sha256()))
cipher = SSL_CIPHER_find(s, tls13_aes128gcmsha256_id);
- else if(key_len == EVP_MD_size(EVP_sha384()))
+ else if (key_len == EVP_MD_size(EVP_sha384()))
cipher = SSL_CIPHER_find(s, tls13_aes256gcmsha384_id);
if (cipher == NULL) {
*id = NULL;
*idlen = 0;
*sess = NULL;
- return 0;
+ return 1;
}
usesess = SSL_SESSION_new();
if (usesess == NULL
unsigned char ext_buf[4 + 65536];
/* Reconstruct the type/len fields prior to extension data */
- ext_buf[0] = ext_type >> 8;
- ext_buf[1] = ext_type & 0xFF;
- ext_buf[2] = inlen >> 8;
- ext_buf[3] = inlen & 0xFF;
+ inlen &= 0xffff; /* for formal memcmpy correctness */
+ ext_buf[0] = (unsigned char)(ext_type >> 8);
+ ext_buf[1] = (unsigned char)(ext_type);
+ ext_buf[2] = (unsigned char)(inlen >> 8);
+ ext_buf[3] = (unsigned char)(inlen);
memcpy(ext_buf + 4, in, inlen);
BIO_snprintf(pem_name, sizeof(pem_name), "SERVERINFO FOR EXTENSION %d",
typedef enum OPTION_choice {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
- OPT_4, OPT_6, OPT_HOST, OPT_PORT, OPT_CONNECT, OPT_UNIX,
+ OPT_4, OPT_6, OPT_HOST, OPT_PORT, OPT_CONNECT, OPT_BIND, OPT_UNIX,
OPT_XMPPHOST, OPT_VERIFY, OPT_NAMEOPT,
OPT_CERT, OPT_CRL, OPT_CRL_DOWNLOAD, OPT_SESS_OUT, OPT_SESS_IN,
OPT_CERTFORM, OPT_CRLFORM, OPT_VERIFY_RET_ERROR, OPT_VERIFY_QUIET,
OPT_CHAINCAFILE, OPT_VERIFYCAFILE, OPT_NEXTPROTONEG, OPT_ALPN,
OPT_SERVERINFO, OPT_STARTTLS, OPT_SERVERNAME, OPT_NOSERVERNAME, OPT_ASYNC,
OPT_USE_SRTP, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN, OPT_PROTOHOST,
- OPT_MAX_SEND_FRAG, OPT_SPLIT_SEND_FRAG, OPT_MAX_PIPELINES, OPT_READ_BUF,
- OPT_KEYLOG_FILE, OPT_EARLY_DATA, OPT_REQCAFILE,
+ OPT_MAXFRAGLEN, OPT_MAX_SEND_FRAG, OPT_SPLIT_SEND_FRAG, OPT_MAX_PIPELINES,
+ OPT_READ_BUF, OPT_KEYLOG_FILE, OPT_EARLY_DATA, OPT_REQCAFILE,
OPT_V_ENUM,
OPT_X_ENUM,
OPT_S_ENUM,
OPT_CT, OPT_NOCT, OPT_CTLOG_FILE,
#endif
OPT_DANE_TLSA_RRDATA, OPT_DANE_EE_NO_NAME,
+ OPT_FORCE_PHA,
OPT_R_ENUM
} OPTION_CHOICE;
{"port", OPT_PORT, 'p', "Use -connect instead"},
{"connect", OPT_CONNECT, 's',
"TCP/IP where to connect (default is :" PORT ")"},
+ {"bind", OPT_BIND, 's', "bind local address for connection"},
{"proxy", OPT_PROXY, 's',
"Connect to via specified proxy to the real server"},
#ifdef AF_UNIX
"Export keying material using label"},
{"keymatexportlen", OPT_KEYMATEXPORTLEN, 'p',
"Export len bytes of keying material (default 20)"},
+ {"maxfraglen", OPT_MAXFRAGLEN, 'p',
+ "Enable Maximum Fragment Length Negotiation (len values: 512, 1024, 2048 and 4096)"},
{"fallback_scsv", OPT_FALLBACKSCSV, '-', "Send the fallback SCSV"},
{"name", OPT_PROTOHOST, 's',
"Hostname to use for \"-starttls lmtp\", \"-starttls smtp\" or \"-starttls xmpp[-server]\""},
#endif
{"keylogfile", OPT_KEYLOG_FILE, '>', "Write TLS secrets to file"},
{"early_data", OPT_EARLY_DATA, '<', "File to send as early data"},
+ {"force_pha", OPT_FORCE_PHA, '-', "Force-enable post-handshake-authentication"},
{NULL, OPT_EOF, 0x00, NULL}
};
const SSL_METHOD *meth = TLS_client_method();
const char *CApath = NULL, *CAfile = NULL;
char *cbuf = NULL, *sbuf = NULL;
- char *mbuf = NULL, *proxystr = NULL, *connectstr = NULL;
+ char *mbuf = NULL, *proxystr = NULL, *connectstr = NULL, *bindstr = NULL;
char *cert_file = NULL, *key_file = NULL, *chain_file = NULL;
char *chCApath = NULL, *chCAfile = NULL, *host = NULL;
char *port = OPENSSL_strdup(PORT);
+ char *bindhost = NULL, *bindport = NULL;
char *passarg = NULL, *pass = NULL, *vfyCApath = NULL, *vfyCAfile = NULL;
char *ReqCAfile = NULL;
char *sess_in = NULL, *crl_file = NULL, *p;
#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
struct timeval tv;
#endif
- char *servername = NULL;
+ const char *servername = NULL;
int noservername = 0;
const char *alpn_in = NULL;
tlsextctx tlsextcbp = { NULL, 0 };
unsigned int split_send_fragment = 0, max_pipelines = 0;
enum { use_inet, use_unix, use_unknown } connect_type = use_unknown;
int count4or6 = 0;
+ uint8_t maxfraglen = 0;
int c_nbio = 0, c_msg = 0, c_ign_eof = 0, c_brief = 0;
int c_tlsextdebug = 0;
#ifndef OPENSSL_NO_OCSP
int isdtls = 0;
#endif
char *psksessf = NULL;
+ int force_pha = 0;
FD_ZERO(&readfds);
FD_ZERO(&writefds);
connect_type = use_inet;
freeandcopy(&connectstr, opt_arg());
break;
+ case OPT_BIND:
+ freeandcopy(&bindstr, opt_arg());
+ break;
case OPT_PROXY:
proxystr = opt_arg();
starttls_proto = PROTO_CONNECT;
case OPT_ASYNC:
async = 1;
break;
+ case OPT_MAXFRAGLEN:
+ len = atoi(opt_arg());
+ switch (len) {
+ case 512:
+ maxfraglen = TLSEXT_max_fragment_length_512;
+ break;
+ case 1024:
+ maxfraglen = TLSEXT_max_fragment_length_1024;
+ break;
+ case 2048:
+ maxfraglen = TLSEXT_max_fragment_length_2048;
+ break;
+ case 4096:
+ maxfraglen = TLSEXT_max_fragment_length_4096;
+ break;
+ default:
+ BIO_printf(bio_err,
+ "%s: Max Fragment Len %u is out of permitted values",
+ prog, len);
+ goto opthelp;
+ }
+ break;
case OPT_MAX_SEND_FRAG:
max_send_fragment = atoi(opt_arg());
break;
case OPT_EARLY_DATA:
early_data_file = opt_arg();
break;
+ case OPT_FORCE_PHA:
+ force_pha = 1;
+ break;
}
}
if (count4or6 >= 2) {
}
}
+ if (bindstr != NULL) {
+ int res;
+ res = BIO_parse_hostserv(bindstr, &bindhost, &bindport,
+ BIO_PARSE_PRIO_HOST);
+ if (!res) {
+ BIO_printf(bio_err,
+ "%s: -bind argument parameter malformed or ambiguous\n",
+ prog);
+ goto end;
+ }
+ }
+
#ifdef AF_UNIX
if (socket_family == AF_UNIX && socket_type != SOCK_STREAM) {
BIO_printf(bio_err,
SSL_CTX_set_default_read_buffer_len(ctx, read_buf_len);
}
+ if (maxfraglen > 0
+ && !SSL_CTX_set_tlsext_max_fragment_length(ctx, maxfraglen)) {
+ BIO_printf(bio_err,
+ "%s: Max Fragment Length code %u is out of permitted values"
+ "\n", prog, maxfraglen);
+ goto end;
+ }
+
if (!config_ctx(cctx, ssl_args, ctx))
goto end;
if (con == NULL)
goto end;
+ if (force_pha)
+ SSL_force_post_handshake_auth(con);
+
if (sess_in != NULL) {
SSL_SESSION *sess;
BIO *stmp = BIO_new_file(sess_in, "r");
ERR_print_errors(bio_err);
goto end;
}
- /* By default the SNI should be the same as was set in the session */
- if (!noservername && servername == NULL) {
- const char *sni = SSL_SESSION_get0_hostname(sess);
- if (sni != NULL) {
- servername = OPENSSL_strdup(sni);
- if (servername == NULL) {
- BIO_printf(bio_err, "Can't set server name\n");
- ERR_print_errors(bio_err);
- goto end;
- }
- } else {
- /*
- * Force no SNI to be sent so we are consistent with the
- * session.
- */
- noservername = 1;
- }
- }
SSL_SESSION_free(sess);
}
}
re_start:
- if (init_client(&s, host, port, socket_family, socket_type, protocol)
- == 0) {
+ if (init_client(&s, host, port, bindhost, bindport, socket_family,
+ socket_type, protocol) == 0) {
BIO_printf(bio_err, "connect:errno=%d\n", get_last_socket_error());
BIO_closesocket(s);
goto end;
if (in_init)
print_stuff(bio_c_out, con, full_log);
do_ssl_shutdown(con);
-#if defined(OPENSSL_SYS_WINDOWS)
+
/*
* Give the socket time to send its last data before we close it.
* No amount of setting SO_LINGER etc on the socket seems to persuade
* for a short time seems to do it (units in ms)
* TODO: Find a better way to do this
*/
+#if defined(OPENSSL_SYS_WINDOWS)
Sleep(50);
+#elif defined(OPENSSL_SYS_CYGWIN)
+ usleep(50000);
#endif
+
+ /*
+ * If we ended with an alert being sent, but still with data in the
+ * network buffer to be read, then calling BIO_closesocket() will
+ * result in a TCP-RST being sent. On some platforms (notably
+ * Windows) then this will result in the peer immediately abandoning
+ * the connection including any buffered alert data before it has
+ * had a chance to be read. Shutting down the sending side first,
+ * and then closing the socket sends TCP-FIN first followed by
+ * TCP-RST. This seems to allow the peer to read the alert data.
+ */
+ shutdown(SSL_get_fd(con), 1); /* SHUT_WR */
BIO_closesocket(SSL_get_fd(con));
end:
if (con != NULL) {
OPENSSL_free(srp_arg.srppassin);
#endif
OPENSSL_free(connectstr);
+ OPENSSL_free(bindstr);
OPENSSL_free(host);
OPENSSL_free(port);
X509_VERIFY_PARAM_free(vpm);
projects / openssl.git / blobdiff