/*
- * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2017 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 2005 Nokia. All rights reserved.
*
* Licensed under the OpenSSL license (the "License"). You may not use
* this file except in compliance with the License. You can obtain a copy
* https://www.openssl.org/source/license.html
*/
-/* ====================================================================
- * Copyright 2005 Nokia. All rights reserved.
- *
- * The portions of the attached software ("Contribution") is developed by
- * Nokia Corporation and is licensed pursuant to the OpenSSL open source
- * license.
- *
- * The Contribution, originally written by Mika Kousa and Pasi Eronen of
- * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
- * support (see RFC 4279) to OpenSSL.
- *
- * No patent licenses or other rights except those expressly stated in
- * the OpenSSL open source license shall be deemed granted or received
- * expressly, by implication, estoppel, or otherwise.
- *
- * No assurances are provided by Nokia that the Contribution does not
- * infringe the patent or other intellectual property rights of any third
- * party or that the license provides you with all the necessary rights
- * to make use of the Contribution.
- *
- * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
- * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
- * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
- * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
- * OTHERWISE.
- */
-
+#include "e_os.h"
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
typedef unsigned int u_int;
#endif
-#define USE_SOCKETS
#include "apps.h"
#include <openssl/x509.h>
#include <openssl/ssl.h>
#endif
#include "s_apps.h"
#include "timeouts.h"
+#include "internal/sockets.h"
#if defined(__has_feature)
# if __has_feature(memory_sanitizer)
static BIO *bio_c_out = NULL;
static int c_quiet = 0;
static char *sess_out = NULL;
+static SSL_SESSION *psksess = NULL;
static void print_stuff(BIO *berr, SSL *con, int full);
#ifndef OPENSSL_NO_OCSP
} while (ret < 0);
}
-#ifndef OPENSSL_NO_PSK
/* Default PSK identity and key */
static char *psk_identity = "Client_identity";
+#ifndef OPENSSL_NO_PSK
static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity,
unsigned int max_identity_len,
unsigned char *psk,
if (c_debug)
BIO_printf(bio_c_out,
"NULL received PSK identity hint, continuing anyway\n");
- } else if (c_debug)
+ } else if (c_debug) {
BIO_printf(bio_c_out, "Received PSK identity hint '%s'\n", hint);
+ }
/*
* lookup PSK identity and PSK key based on the given identity hint here
}
#endif
+const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 };
+const unsigned char tls13_aes256gcmsha384_id[] = { 0x13, 0x02 };
+
+static int psk_use_session_cb(SSL *s, const EVP_MD *md,
+ const unsigned char **id, size_t *idlen,
+ SSL_SESSION **sess)
+{
+ SSL_SESSION *usesess = NULL;
+ const SSL_CIPHER *cipher = NULL;
+
+ if (psksess != NULL) {
+ SSL_SESSION_up_ref(psksess);
+ usesess = psksess;
+ } else {
+ long key_len;
+ unsigned char *key = OPENSSL_hexstr2buf(psk_key, &key_len);
+
+ if (key == NULL) {
+ BIO_printf(bio_err, "Could not convert PSK key '%s' to buffer\n",
+ psk_key);
+ return 0;
+ }
+
+ if (key_len == EVP_MD_size(EVP_sha256()))
+ cipher = SSL_CIPHER_find(s, tls13_aes128gcmsha256_id);
+ else if (key_len == EVP_MD_size(EVP_sha384()))
+ cipher = SSL_CIPHER_find(s, tls13_aes256gcmsha384_id);
+
+ if (cipher == NULL) {
+ /* Doesn't look like a suitable TLSv1.3 key. Ignore it */
+ OPENSSL_free(key);
+ *id = NULL;
+ *idlen = 0;
+ *sess = NULL;
+ return 0;
+ }
+ usesess = SSL_SESSION_new();
+ if (usesess == NULL
+ || !SSL_SESSION_set1_master_key(usesess, key, key_len)
+ || !SSL_SESSION_set_cipher(usesess, cipher)
+ || !SSL_SESSION_set_protocol_version(usesess, TLS1_3_VERSION)) {
+ OPENSSL_free(key);
+ goto err;
+ }
+ OPENSSL_free(key);
+ }
+
+ cipher = SSL_SESSION_get0_cipher(usesess);
+ if (cipher == NULL)
+ goto err;
+
+ if (md != NULL && SSL_CIPHER_get_handshake_digest(cipher) != md) {
+ /* PSK not usable, ignore it */
+ *id = NULL;
+ *idlen = 0;
+ *sess = NULL;
+ SSL_SESSION_free(usesess);
+ } else {
+ *sess = usesess;
+ *id = (unsigned char *)psk_identity;
+ *idlen = strlen(psk_identity);
+ }
+
+ return 1;
+
+ err:
+ SSL_SESSION_free(usesess);
+ return 0;
+}
+
/* This is a context that we pass to callbacks */
typedef struct tlsextctx_st {
BIO *biodebug;
unsigned char ext_buf[4 + 65536];
/* Reconstruct the type/len fields prior to extension data */
- ext_buf[0] = ext_type >> 8;
- ext_buf[1] = ext_type & 0xFF;
- ext_buf[2] = inlen >> 8;
- ext_buf[3] = inlen & 0xFF;
+ inlen &= 0xffff; /* for formal memcmpy correctness */
+ ext_buf[0] = (unsigned char)(ext_type >> 8);
+ ext_buf[1] = (unsigned char)(ext_type);
+ ext_buf[2] = (unsigned char)(inlen >> 8);
+ ext_buf[3] = (unsigned char)(inlen);
memcpy(ext_buf + 4, in, inlen);
BIO_snprintf(pem_name, sizeof(pem_name), "SERVERINFO FOR EXTENSION %d",
OPT_CERT, OPT_CRL, OPT_CRL_DOWNLOAD, OPT_SESS_OUT, OPT_SESS_IN,
OPT_CERTFORM, OPT_CRLFORM, OPT_VERIFY_RET_ERROR, OPT_VERIFY_QUIET,
OPT_BRIEF, OPT_PREXIT, OPT_CRLF, OPT_QUIET, OPT_NBIO,
- OPT_SSL_CLIENT_ENGINE, OPT_RAND, OPT_IGN_EOF, OPT_NO_IGN_EOF,
+ OPT_SSL_CLIENT_ENGINE, OPT_IGN_EOF, OPT_NO_IGN_EOF,
OPT_DEBUG, OPT_TLSEXTDEBUG, OPT_STATUS, OPT_WDEBUG,
OPT_MSG, OPT_MSGFILE, OPT_ENGINE, OPT_TRACE, OPT_SECURITY_DEBUG,
OPT_SECURITY_DEBUG_VERBOSE, OPT_SHOWCERTS, OPT_NBIO_TEST, OPT_STATE,
-#ifndef OPENSSL_NO_PSK
- OPT_PSK_IDENTITY, OPT_PSK,
-#endif
+ OPT_PSK_IDENTITY, OPT_PSK, OPT_PSK_SESS,
#ifndef OPENSSL_NO_SRP
OPT_SRPUSER, OPT_SRPPASS, OPT_SRP_STRENGTH, OPT_SRP_LATEUSER,
OPT_SRP_MOREGROUPS,
OPT_SSL3, OPT_SSL_CONFIG,
OPT_TLS1_3, OPT_TLS1_2, OPT_TLS1_1, OPT_TLS1, OPT_DTLS, OPT_DTLS1,
OPT_DTLS1_2, OPT_SCTP, OPT_TIMEOUT, OPT_MTU, OPT_KEYFORM, OPT_PASS,
- OPT_CERT_CHAIN, OPT_CAPATH, OPT_NOCAPATH, OPT_CHAINCAPATH,
- OPT_VERIFYCAPATH,
+ OPT_CERT_CHAIN, OPT_CAPATH, OPT_NOCAPATH, OPT_CHAINCAPATH, OPT_VERIFYCAPATH,
OPT_KEY, OPT_RECONNECT, OPT_BUILD_CHAIN, OPT_CAFILE, OPT_NOCAFILE,
OPT_CHAINCAFILE, OPT_VERIFYCAFILE, OPT_NEXTPROTONEG, OPT_ALPN,
- OPT_SERVERINFO, OPT_STARTTLS, OPT_SERVERNAME, OPT_NOSERVERNAME,
- OPT_USE_SRTP, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN, OPT_SMTPHOST,
- OPT_ASYNC, OPT_SPLIT_SEND_FRAG, OPT_MAX_PIPELINES, OPT_READ_BUF,
- OPT_KEYLOG_FILE, OPT_EARLY_DATA, OPT_REQCAFILE,
+ OPT_SERVERINFO, OPT_STARTTLS, OPT_SERVERNAME, OPT_NOSERVERNAME, OPT_ASYNC,
+ OPT_USE_SRTP, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN, OPT_PROTOHOST,
+ OPT_MAXFRAGLEN, OPT_MAX_SEND_FRAG, OPT_SPLIT_SEND_FRAG, OPT_MAX_PIPELINES,
+ OPT_READ_BUF, OPT_KEYLOG_FILE, OPT_EARLY_DATA, OPT_REQCAFILE,
OPT_V_ENUM,
OPT_X_ENUM,
OPT_S_ENUM,
#ifndef OPENSSL_NO_CT
OPT_CT, OPT_NOCT, OPT_CTLOG_FILE,
#endif
- OPT_DANE_TLSA_RRDATA, OPT_DANE_EE_NO_NAME
+ OPT_DANE_TLSA_RRDATA, OPT_DANE_EE_NO_NAME,
+ OPT_R_ENUM
} OPTION_CHOICE;
const OPTIONS s_client_options[] = {
{"starttls", OPT_STARTTLS, 's',
"Use the appropriate STARTTLS command before starting TLS"},
{"xmpphost", OPT_XMPPHOST, 's',
- "Host to use with \"-starttls xmpp[-server]\""},
- {"rand", OPT_RAND, 's',
- "Load the file(s) into the random number generator"},
+ "Alias of -name option for \"-starttls xmpp[-server]\""},
+ OPT_R_OPTIONS,
{"sess_out", OPT_SESS_OUT, '>', "File to write SSL session to"},
{"sess_in", OPT_SESS_IN, '<', "File to read SSL session from"},
{"use_srtp", OPT_USE_SRTP, 's',
"Export keying material using label"},
{"keymatexportlen", OPT_KEYMATEXPORTLEN, 'p',
"Export len bytes of keying material (default 20)"},
+ {"maxfraglen", OPT_MAXFRAGLEN, 'p',
+ "Enable Maximum Fragment Length Negotiation (len values: 512, 1024, 2048 and 4096)"},
{"fallback_scsv", OPT_FALLBACKSCSV, '-', "Send the fallback SCSV"},
- {"name", OPT_SMTPHOST, 's',
- "Hostname to use for \"-starttls lmtp\" or \"-starttls smtp\""},
+ {"name", OPT_PROTOHOST, 's',
+ "Hostname to use for \"-starttls lmtp\", \"-starttls smtp\" or \"-starttls xmpp[-server]\""},
{"CRL", OPT_CRL, '<', "CRL file to use"},
{"crl_download", OPT_CRL_DOWNLOAD, '-', "Download CRL from distribution points"},
{"CRLform", OPT_CRLFORM, 'F', "CRL format (PEM or DER) PEM is default"},
"CA file for certificate verification (PEM format)"},
{"nocommands", OPT_NOCMDS, '-', "Do not use interactive command letters"},
{"servername", OPT_SERVERNAME, 's',
- "Set TLS extension servername in ClientHello"},
+ "Set TLS extension servername (SNI) in ClientHello (default)"},
{"noservername", OPT_NOSERVERNAME, '-',
"Do not send the server name (SNI) extension in the ClientHello"},
{"tlsextdebug", OPT_TLSEXTDEBUG, '-',
"Enable ALPN extension, considering named protocols supported (comma-separated list)"},
{"async", OPT_ASYNC, '-', "Support asynchronous operation"},
{"ssl_config", OPT_SSL_CONFIG, 's', "Use specified configuration file"},
- {"split_send_frag", OPT_SPLIT_SEND_FRAG, 'n',
+ {"max_send_frag", OPT_MAX_SEND_FRAG, 'p', "Maximum Size of send frames "},
+ {"split_send_frag", OPT_SPLIT_SEND_FRAG, 'p',
"Size used to split data for encrypt pipelines"},
- {"max_pipelines", OPT_MAX_PIPELINES, 'n',
+ {"max_pipelines", OPT_MAX_PIPELINES, 'p',
"Maximum number of encrypt/decrypt pipelines to be used"},
- {"read_buf", OPT_READ_BUF, 'n',
+ {"read_buf", OPT_READ_BUF, 'p',
"Default read buffer size to be used for connections"},
OPT_S_OPTIONS,
OPT_V_OPTIONS,
{"wdebug", OPT_WDEBUG, '-', "WATT-32 tcp debugging"},
#endif
{"nbio", OPT_NBIO, '-', "Use non-blocking IO"},
-#ifndef OPENSSL_NO_PSK
{"psk_identity", OPT_PSK_IDENTITY, 's', "PSK identity"},
{"psk", OPT_PSK, 's', "PSK in hex (without 0x)"},
-#endif
+ {"psk_session", OPT_PSK_SESS, '<', "File to read PSK SSL session from"},
#ifndef OPENSSL_NO_SRP
{"srpuser", OPT_SRPUSER, 's', "SRP authentication for 'user'"},
{"srppass", OPT_SRPPASS, 's', "Password for 'user'"},
PROTO_XMPP_SERVER,
PROTO_CONNECT,
PROTO_IRC,
+ PROTO_MYSQL,
PROTO_POSTGRES,
PROTO_LMTP,
PROTO_NNTP,
{"xmpp-server", PROTO_XMPP_SERVER},
{"telnet", PROTO_TELNET},
{"irc", PROTO_IRC},
+ {"mysql", PROTO_MYSQL},
{"postgres", PROTO_POSTGRES},
{"lmtp", PROTO_LMTP},
{"nntp", PROTO_NNTP},
char *cert_file = NULL, *key_file = NULL, *chain_file = NULL;
char *chCApath = NULL, *chCAfile = NULL, *host = NULL;
char *port = OPENSSL_strdup(PORT);
- char *inrand = NULL;
char *passarg = NULL, *pass = NULL, *vfyCApath = NULL, *vfyCAfile = NULL;
char *ReqCAfile = NULL;
char *sess_in = NULL, *crl_file = NULL, *p;
- char *xmpphost = NULL;
- const char *ehlo = "mail.example.com";
+ const char *protohost = NULL;
struct timeval timeout, *timeoutp;
fd_set readfds, writefds;
int noCApath = 0, noCAfile = 0;
#endif
int read_buf_len = 0;
int fallback_scsv = 0;
- long randamt = 0;
OPTION_CHOICE o;
#ifndef OPENSSL_NO_DTLS
int enable_timeouts = 0;
#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
struct timeval tv;
#endif
- char *servername = NULL;
+ const char *servername = NULL;
int noservername = 0;
const char *alpn_in = NULL;
tlsextctx tlsextcbp = { NULL, 0 };
#endif
int min_version = 0, max_version = 0, prot_opt = 0, no_prot_opt = 0;
int async = 0;
- unsigned int split_send_fragment = 0;
- unsigned int max_pipelines = 0;
+ unsigned int max_send_fragment = 0;
+ unsigned int split_send_fragment = 0, max_pipelines = 0;
enum { use_inet, use_unix, use_unknown } connect_type = use_unknown;
int count4or6 = 0;
+ uint8_t maxfraglen = 0;
int c_nbio = 0, c_msg = 0, c_ign_eof = 0, c_brief = 0;
int c_tlsextdebug = 0;
#ifndef OPENSSL_NO_OCSP
#endif
BIO *bio_c_msg = NULL;
const char *keylog_file = NULL, *early_data_file = NULL;
+#ifndef OPENSSL_NO_DTLS
int isdtls = 0;
+#endif
+ char *psksessf = NULL;
FD_ZERO(&readfds);
FD_ZERO(&writefds);
break;
#endif
case OPT_XMPPHOST:
- xmpphost = opt_arg();
- break;
- case OPT_SMTPHOST:
- ehlo = opt_arg();
+ /* fall through, since this is an alias */
+ case OPT_PROTOHOST:
+ protohost = opt_arg();
break;
case OPT_VERIFY:
verify = SSL_VERIFY_PEER;
}
#endif
break;
- case OPT_RAND:
- inrand = opt_arg();
+ case OPT_R_CASES:
+ if (!opt_rand(o))
+ goto end;
break;
case OPT_IGN_EOF:
c_ign_eof = 1;
case OPT_STATE:
state = 1;
break;
-#ifndef OPENSSL_NO_PSK
case OPT_PSK_IDENTITY:
psk_identity = opt_arg();
break;
goto end;
}
break;
-#endif
+ case OPT_PSK_SESS:
+ psksessf = opt_arg();
+ break;
#ifndef OPENSSL_NO_SRP
case OPT_SRPUSER:
srp_arg.srplogin = opt_arg();
case OPT_ASYNC:
async = 1;
break;
+ case OPT_MAXFRAGLEN:
+ len = atoi(opt_arg());
+ switch (len) {
+ case 512:
+ maxfraglen = TLSEXT_max_fragment_length_512;
+ break;
+ case 1024:
+ maxfraglen = TLSEXT_max_fragment_length_1024;
+ break;
+ case 2048:
+ maxfraglen = TLSEXT_max_fragment_length_2048;
+ break;
+ case 4096:
+ maxfraglen = TLSEXT_max_fragment_length_4096;
+ break;
+ default:
+ BIO_printf(bio_err,
+ "%s: Max Fragment Len %u is out of permitted values",
+ prog, len);
+ goto opthelp;
+ }
+ break;
+ case OPT_MAX_SEND_FRAG:
+ max_send_fragment = atoi(opt_arg());
+ break;
case OPT_SPLIT_SEND_FRAG:
split_send_fragment = atoi(opt_arg());
- if (split_send_fragment == 0) {
- /*
- * Not allowed - set to a deliberately bad value so we get an
- * error message below
- */
- split_send_fragment = SSL3_RT_MAX_PLAIN_LENGTH + 1;
- }
break;
case OPT_MAX_PIPELINES:
max_pipelines = atoi(opt_arg());
}
}
argc = opt_num_rest();
- if (argc != 0)
+ if (argc == 1) {
+ /* If there's a positional argument, it's the equivalent of
+ * OPT_CONNECT.
+ * Don't allow -connect and a separate argument.
+ */
+ if (connectstr != NULL) {
+ BIO_printf(bio_err,
+ "%s: must not provide both -connect option and target parameter\n",
+ prog);
+ goto opthelp;
+ }
+ connect_type = use_inet;
+ freeandcopy(&connectstr, *opt_rest());
+ } else if (argc != 0) {
goto opthelp;
+ }
- if (proxystr) {
+#ifndef OPENSSL_NO_NEXTPROTONEG
+ if (min_version == TLS1_3_VERSION && next_proto_neg_in != NULL) {
+ BIO_printf(bio_err, "Cannot supply -nextprotoneg with TLSv1.3\n");
+ goto opthelp;
+ }
+#endif
+ if (proxystr != NULL) {
int res;
char *tmp_host = host, *tmp_port = port;
if (connectstr == NULL) {
- BIO_printf(bio_err, "%s: -proxy requires use of -connect\n", prog);
+ BIO_printf(bio_err, "%s: -proxy requires use of -connect or target parameter\n", prog);
goto opthelp;
}
res = BIO_parse_hostserv(proxystr, &host, &port, BIO_PARSE_PRIO_HOST);
OPENSSL_free(tmp_port);
if (!res) {
BIO_printf(bio_err,
- "%s: -connect argument malformed or ambiguous\n",
+ "%s: -connect argument or target parameter malformed or ambiguous\n",
prog);
goto end;
}
}
+#ifdef AF_UNIX
if (socket_family == AF_UNIX && socket_type != SOCK_STREAM) {
BIO_printf(bio_err,
"Can't use unix sockets and datagrams together\n");
goto end;
}
+#endif
#ifndef OPENSSL_NO_SCTP
if (protocol == IPPROTO_SCTP) {
}
#endif
- if (split_send_fragment > SSL3_RT_MAX_PLAIN_LENGTH) {
- BIO_printf(bio_err, "Bad split send fragment size\n");
- goto end;
- }
-
- if (max_pipelines > SSL_MAX_PIPELINES) {
- BIO_printf(bio_err, "Bad max pipelines value\n");
- goto end;
- }
-
#if !defined(OPENSSL_NO_NEXTPROTONEG)
next_proto.status = -1;
if (next_proto_neg_in) {
if (key_file == NULL)
key_file = cert_file;
- if (key_file) {
+ if (key_file != NULL) {
key = load_key(key_file, key_format, 0, pass, e,
"client certificate private key file");
if (key == NULL) {
}
}
- if (cert_file) {
+ if (cert_file != NULL) {
cert = load_cert(cert_file, cert_format, "client certificate file");
if (cert == NULL) {
ERR_print_errors(bio_err);
}
}
- if (chain_file) {
+ if (chain_file != NULL) {
if (!load_certs(chain_file, &chain, FORMAT_PEM, NULL,
"client certificate chain"))
goto end;
}
- if (crl_file) {
+ if (crl_file != NULL) {
X509_CRL *crl;
crl = load_crl(crl_file, crl_format);
if (crl == NULL) {
if (!load_excert(&exc))
goto end;
- if (!app_RAND_load_file(NULL, 1) && inrand == NULL
- && !RAND_status()) {
- BIO_printf(bio_err,
- "warning, not much extra random data, consider using the -rand option\n");
- }
- if (inrand != NULL) {
- randamt = app_RAND_load_files(inrand);
- BIO_printf(bio_err, "%ld semi-random bytes loaded\n", randamt);
- }
-
if (bio_c_out == NULL) {
if (c_quiet && !c_debug) {
bio_c_out = BIO_new(BIO_s_null());
- if (c_msg && !bio_c_msg)
+ if (c_msg && bio_c_msg == NULL)
bio_c_msg = dup_bio_out(FORMAT_TEXT);
} else if (bio_c_out == NULL)
bio_c_out = dup_bio_out(FORMAT_TEXT);
if (sdebug)
ssl_ctx_security_debug(ctx, sdebug);
- if (ssl_config) {
+ if (ssl_config != NULL) {
if (SSL_CTX_config(ctx, ssl_config) == 0) {
BIO_printf(bio_err, "Error using configuration \"%s\"\n",
ssl_config);
if (async) {
SSL_CTX_set_mode(ctx, SSL_MODE_ASYNC);
}
- if (split_send_fragment > 0) {
- SSL_CTX_set_split_send_fragment(ctx, split_send_fragment);
+
+ if (max_send_fragment > 0
+ && !SSL_CTX_set_max_send_fragment(ctx, max_send_fragment)) {
+ BIO_printf(bio_err, "%s: Max send fragment size %u is out of permitted range\n",
+ prog, max_send_fragment);
+ goto end;
}
- if (max_pipelines > 0) {
- SSL_CTX_set_max_pipelines(ctx, max_pipelines);
+
+ if (split_send_fragment > 0
+ && !SSL_CTX_set_split_send_fragment(ctx, split_send_fragment)) {
+ BIO_printf(bio_err, "%s: Split send fragment size %u is out of permitted range\n",
+ prog, split_send_fragment);
+ goto end;
+ }
+
+ if (max_pipelines > 0
+ && !SSL_CTX_set_max_pipelines(ctx, max_pipelines)) {
+ BIO_printf(bio_err, "%s: Max pipelines %u is out of permitted range\n",
+ prog, max_pipelines);
+ goto end;
}
if (read_buf_len > 0) {
SSL_CTX_set_default_read_buffer_len(ctx, read_buf_len);
}
+ if (maxfraglen > 0
+ && !SSL_CTX_set_tlsext_max_fragment_length(ctx, maxfraglen)) {
+ BIO_printf(bio_err,
+ "%s: Max Fragment Length code %u is out of permitted values"
+ "\n", prog, maxfraglen);
+ goto end;
+ }
+
if (!config_ctx(cctx, ssl_args, ctx))
goto end;
SSL_CTX_set_psk_client_callback(ctx, psk_client_cb);
}
#endif
+ if (psksessf != NULL) {
+ BIO *stmp = BIO_new_file(psksessf, "r");
+
+ if (stmp == NULL) {
+ BIO_printf(bio_err, "Can't open PSK session file %s\n", psksessf);
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+ psksess = PEM_read_bio_SSL_SESSION(stmp, NULL, 0, NULL);
+ BIO_free(stmp);
+ if (psksess == NULL) {
+ BIO_printf(bio_err, "Can't read PSK session file %s\n", psksessf);
+ ERR_print_errors(bio_err);
+ goto end;
+ }
+ }
+ if (psk_key != NULL || psksess != NULL)
+ SSL_CTX_set_psk_use_session_callback(ctx, psk_use_session_cb);
+
#ifndef OPENSSL_NO_SRTP
if (srtp_profiles != NULL) {
/* Returns 0 on success! */
}
#endif
- if (exc)
+ if (exc != NULL)
ssl_ctx_set_excert(ctx, exc);
#if !defined(OPENSSL_NO_NEXTPROTONEG)
- if (next_proto.data)
+ if (next_proto.data != NULL)
SSL_CTX_set_next_proto_select_cb(ctx, next_proto_cb, &next_proto);
#endif
if (alpn_in) {
* come at any time. Therefore we use a callback to write out the session
* when we know about it. This approach works for < TLSv1.3 as well.
*/
- if (sess_out) {
+ if (sess_out != NULL) {
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_CLIENT
| SSL_SESS_CACHE_NO_INTERNAL_STORE);
SSL_CTX_sess_set_new_cb(ctx, new_session_cb);
goto end;
con = SSL_new(ctx);
- if (sess_in) {
+ if (con == NULL)
+ goto end;
+
+ if (sess_in != NULL) {
SSL_SESSION *sess;
BIO *stmp = BIO_new_file(sess_in, "r");
- if (!stmp) {
+ if (stmp == NULL) {
BIO_printf(bio_err, "Can't open session file %s\n", sess_in);
ERR_print_errors(bio_err);
goto end;
}
sess = PEM_read_bio_SSL_SESSION(stmp, NULL, 0, NULL);
BIO_free(stmp);
- if (!sess) {
+ if (sess == NULL) {
BIO_printf(bio_err, "Can't open session file %s\n", sess_in);
ERR_print_errors(bio_err);
goto end;
ERR_print_errors(bio_err);
goto end;
}
+
SSL_SESSION_free(sess);
}
BIO_free(sbio);
goto shut;
}
- } else
+ } else {
/* want to do MTU discovery */
BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL);
+ }
} else
#endif /* OPENSSL_NO_DTLS */
sbio = BIO_new_socket(s, BIO_NOCLOSE);
do {
mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ);
} while (mbuf_len > 3 && mbuf[3] == '-');
+ if (protohost == NULL)
+ protohost = "mail.example.com";
if (starttls_proto == (int)PROTO_LMTP)
- BIO_printf(fbio, "LHLO %s\r\n", ehlo);
+ BIO_printf(fbio, "LHLO %s\r\n", protohost);
else
- BIO_printf(fbio, "EHLO %s\r\n", ehlo);
+ BIO_printf(fbio, "EHLO %s\r\n", protohost);
(void)BIO_flush(fbio);
/*
* Wait for multi-line response to end LHLO LMTP or EHLO SMTP
"xmlns:stream='http://etherx.jabber.org/streams' "
"xmlns='jabber:%s' to='%s' version='1.0'>",
starttls_proto == PROTO_XMPP ? "client" : "server",
- xmpphost ? xmpphost : host);
+ protohost ? protohost : host);
seen = BIO_read(sbio, mbuf, BUFSIZZ);
if (seen < 0) {
BIO_printf(bio_err, "BIO_read failed\n");
* HTTP/d.d ddd Reason text\r\n
*/
mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ);
+ if (mbuf_len < (int)strlen("HTTP/1.0 200")) {
+ BIO_printf(bio_err,
+ "%s: HTTP CONNECT failed, insufficient response "
+ "from proxy (got %d octets)\n", prog, mbuf_len);
+ (void)BIO_flush(fbio);
+ BIO_pop(fbio);
+ BIO_free(fbio);
+ goto shut;
+ }
if (mbuf[8] != ' ') {
BIO_printf(bio_err,
"%s: HTTP CONNECT failed, incorrect response "
}
}
break;
+ case PROTO_MYSQL:
+ {
+ /* SSL request packet */
+ static const unsigned char ssl_req[] = {
+ /* payload_length, sequence_id */
+ 0x20, 0x00, 0x00, 0x01,
+ /* payload */
+ /* capability flags, CLIENT_SSL always set */
+ 0x85, 0xae, 0x7f, 0x00,
+ /* max-packet size */
+ 0x00, 0x00, 0x00, 0x01,
+ /* character set */
+ 0x21,
+ /* string[23] reserved (all [0]) */
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+ 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
+ };
+ int bytes = 0;
+ int ssl_flg = 0x800;
+ int pos;
+ const unsigned char *packet = (const unsigned char *)sbuf;
+
+ /* Receiving Initial Handshake packet. */
+ bytes = BIO_read(sbio, (void *)packet, BUFSIZZ);
+ if (bytes < 0) {
+ BIO_printf(bio_err, "BIO_read failed\n");
+ goto shut;
+ /* Packet length[3], Packet number[1] + minimum payload[17] */
+ } else if (bytes < 21) {
+ BIO_printf(bio_err, "MySQL packet too short.\n");
+ goto shut;
+ } else if (bytes != (4 + packet[0] +
+ (packet[1] << 8) +
+ (packet[2] << 16))) {
+ BIO_printf(bio_err, "MySQL packet length does not match.\n");
+ goto shut;
+ /* protocol version[1] */
+ } else if (packet[4] != 0xA) {
+ BIO_printf(bio_err,
+ "Only MySQL protocol version 10 is supported.\n");
+ goto shut;
+ }
+
+ pos = 5;
+ /* server version[string+NULL] */
+ for (;;) {
+ if (pos >= bytes) {
+ BIO_printf(bio_err, "Cannot confirm server version. ");
+ goto shut;
+ } else if (packet[pos++] == '\0') {
+ break;
+ }
+ }
+
+ /* make sure we have at least 15 bytes left in the packet */
+ if (pos + 15 > bytes) {
+ BIO_printf(bio_err,
+ "MySQL server handshake packet is broken.\n");
+ goto shut;
+ }
+
+ pos += 12; /* skip over conn id[4] + SALT[8] */
+ if (packet[pos++] != '\0') { /* verify filler */
+ BIO_printf(bio_err,
+ "MySQL packet is broken.\n");
+ goto shut;
+ }
+
+ /* capability flags[2] */
+ if (!((packet[pos] + (packet[pos + 1] << 8)) & ssl_flg)) {
+ BIO_printf(bio_err, "MySQL server does not support SSL.\n");
+ goto shut;
+ }
+
+ /* Sending SSL Handshake packet. */
+ BIO_write(sbio, ssl_req, sizeof(ssl_req));
+ (void)BIO_flush(sbio);
+ }
+ break;
case PROTO_POSTGRES:
{
static const unsigned char ssl_request[] = {
}
if (early_data_file != NULL
- && SSL_get0_session(con) != NULL
- && SSL_SESSION_get_max_early_data(SSL_get0_session(con)) > 0) {
+ && ((SSL_get0_session(con) != NULL
+ && SSL_SESSION_get_max_early_data(SSL_get0_session(con)) > 0)
+ || (psksess != NULL
+ && SSL_SESSION_get_max_early_data(psksess) > 0))) {
BIO *edfile = BIO_new_file(early_data_file, "r");
size_t readbytes, writtenbytes;
int finish = 0;
default:
BIO_printf(bio_err, "Error writing early data\n");
BIO_free(edfile);
+ ERR_print_errors(bio_err);
goto shut;
}
}
if (in_init) {
in_init = 0;
- if (!noservername && !SSL_session_reused(con)) {
- BIO_printf(bio_c_out,
- "Server did %sacknowledge servername extension.\n",
- tlsextcbp.ack ? "" : "not ");
- }
-
if (c_brief) {
BIO_puts(bio_err, "CONNECTION ESTABLISHED\n");
print_ssl_summary(con);
print_stuff(bio_c_out, con, 1);
SSL_free(con);
}
+ SSL_SESSION_free(psksess);
#if !defined(OPENSSL_NO_NEXTPROTONEG)
OPENSSL_free(next_proto.data);
#endif
bio_c_out = NULL;
BIO_free(bio_c_msg);
bio_c_msg = NULL;
- return (ret);
+ return ret;
}
static void print_stuff(BIO *bio, SSL *s, int full)
OCSP_RESPONSE *rsp;
len = SSL_get_tlsext_status_ocsp_resp(s, &p);
BIO_puts(arg, "OCSP response: ");
- if (!p) {
+ if (p == NULL) {
BIO_puts(arg, "no response sent\n");
return 1;
}
rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
- if (!rsp) {
+ if (rsp == NULL) {
BIO_puts(arg, "response parse error\n");
BIO_dump_indent(arg, (char *)p, len, 4);
return 0;
projects / openssl.git / blobdiff