X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=apps%2Fs_client.c;h=af88ffdaada32a8d192d3fb627216c3281a4452c;hp=61ad29134ba4349d2fc20a1d52e5fc6b47846ecd;hb=ded18639d7f8ffacea10a24938cf091a0efbca40;hpb=a898936218bc279b5d7cdf76d58a25e7a2d419cb diff --git a/apps/s_client.c b/apps/s_client.c index 61ad29134b..af88ffdaad 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -203,7 +203,6 @@ static int c_debug=0; #ifndef OPENSSL_NO_TLSEXT static int c_tlsextdebug=0; static int c_status_req=0; -static int c_proof_debug=0; #endif static int c_msg=0; static int c_showcerts=0; @@ -215,7 +214,8 @@ static void sc_usage(void); static void print_stuff(BIO *berr,SSL *con,int full); #ifndef OPENSSL_NO_TLSEXT static int ocsp_resp_cb(SSL *s, void *arg); -static int audit_proof_cb(SSL *s, void *arg); +static int c_auth = 0; +static int c_auth_require_reneg = 0; #endif static BIO *bio_c_out=NULL; static BIO *bio_c_msg=NULL; @@ -223,6 +223,37 @@ static int c_quiet=0; static int c_ign_eof=0; static int c_brief=0; +#ifndef OPENSSL_NO_TLSEXT + +static unsigned char *generated_supp_data = NULL; + +static const unsigned char *most_recent_supplemental_data = NULL; +static size_t most_recent_supplemental_data_length = 0; + +static int server_provided_server_authz = 0; +static int server_provided_client_authz = 0; + +static const unsigned char auth_ext_data[]={TLSEXT_AUTHZDATAFORMAT_dtcp}; + +static int suppdata_cb(SSL *s, unsigned short supp_data_type, + const unsigned char *in, + unsigned short inlen, int *al, + void *arg); + +static int auth_suppdata_generate_cb(SSL *s, unsigned short supp_data_type, + const unsigned char **out, + unsigned short *outlen, int *al, void *arg); + +static int authz_tlsext_generate_cb(SSL *s, unsigned short ext_type, + const unsigned char **out, unsigned short *outlen, + int *al, void *arg); + +static int authz_tlsext_cb(SSL *s, unsigned short ext_type, + const unsigned char *in, + unsigned short inlen, int *al, + void *arg); +#endif + #ifndef OPENSSL_NO_PSK /* Default PSK identity and key */ static char *psk_identity="Client_identity"; @@ -350,6 +381,7 @@ static void sc_usage(void) BIO_printf(bio_err," 'prot' defines which one to assume. Currently,\n"); BIO_printf(bio_err," only \"smtp\", \"pop3\", \"imap\", \"ftp\" and \"xmpp\"\n"); BIO_printf(bio_err," are supported.\n"); + BIO_printf(bio_err," -xmpphost host - When used with \"-starttls xmpp\" specifies the virtual host.\n"); #ifndef OPENSSL_NO_ENGINE BIO_printf(bio_err," -engine id - Initialise and use the specified engine\n"); #endif @@ -361,14 +393,13 @@ static void sc_usage(void) BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n"); BIO_printf(bio_err," -status - request certificate status from server\n"); BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n"); - BIO_printf(bio_err," -proof_debug - request an audit proof and print its hex dump\n"); + BIO_printf(bio_err," -serverinfo types - send empty ClientHello extensions (comma-separated numbers)\n"); + BIO_printf(bio_err," -auth - send and receive RFC 5878 TLS auth extensions and supplemental data\n"); + BIO_printf(bio_err," -auth_require_reneg - Do not send TLS auth extensions until renegotiation\n"); # ifndef OPENSSL_NO_NEXTPROTONEG BIO_printf(bio_err," -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n"); - BIO_printf(bio_err," -alpn arg - enable ALPN extension, considering named protocols supported (comma-separated list)\n"); # endif -#ifndef OPENSSL_NO_TLSEXT - BIO_printf(bio_err," -serverinfo types - send empty ClientHello extensions (comma-separated numbers)\n"); -#endif + BIO_printf(bio_err," -alpn arg - enable ALPN extension, considering named protocols supported (comma-separated list)\n"); #endif BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n"); BIO_printf(bio_err," -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n"); @@ -561,7 +592,8 @@ static int serverinfo_cli_cb(SSL* s, unsigned short ext_type, ext_buf[3] = inlen & 0xFF; memcpy(ext_buf+4, in, inlen); - BIO_snprintf(pem_name, sizeof(pem_name), "SERVER_INFO %d", ext_type); + BIO_snprintf(pem_name, sizeof(pem_name), "SERVERINFO FOR EXTENSION %d", + ext_type); PEM_write_bio(bio_c_out, pem_name, "", ext_buf, 4 + inlen); return 1; } @@ -595,6 +627,7 @@ int MAIN(int argc, char **argv) short port=PORT; int full_log=1; char *host=SSL_HOST_NAME; + char *xmpphost = NULL; char *cert_file=NULL,*key_file=NULL,*chain_file=NULL; int cert_format = FORMAT_PEM, key_format = FORMAT_PEM; char *passarg = NULL, *pass = NULL; @@ -637,8 +670,8 @@ int MAIN(int argc, char **argv) {NULL,0}; # ifndef OPENSSL_NO_NEXTPROTONEG const char *next_proto_neg_in = NULL; - const char *alpn_in = NULL; # endif + const char *alpn_in = NULL; # define MAX_SI_TYPES 100 unsigned short serverinfo_types[MAX_SI_TYPES]; int serverinfo_types_count = 0; @@ -726,6 +759,11 @@ static char *jpake_secret = NULL; if (!extract_host_port(*(++argv),&host,NULL,&port)) goto bad; } + else if (strcmp(*argv,"-xmpphost") == 0) + { + if (--argc < 1) goto bad; + xmpphost= *(++argv); + } else if (strcmp(*argv,"-verify") == 0) { verify=SSL_VERIFY_PEER; @@ -816,8 +854,10 @@ static char *jpake_secret = NULL; c_tlsextdebug=1; else if (strcmp(*argv,"-status") == 0) c_status_req=1; - else if (strcmp(*argv,"-proof_debug") == 0) - c_proof_debug=1; + else if (strcmp(*argv,"-auth") == 0) + c_auth = 1; + else if (strcmp(*argv,"-auth_require_reneg") == 0) + c_auth_require_reneg = 1; #endif #ifdef WATT32 else if (strcmp(*argv,"-wdebug") == 0) @@ -995,12 +1035,12 @@ static char *jpake_secret = NULL; if (--argc < 1) goto bad; next_proto_neg_in = *(++argv); } +# endif else if (strcmp(*argv,"-alpn") == 0) { if (--argc < 1) goto bad; alpn_in = *(++argv); } -# endif else if (strcmp(*argv,"-serverinfo") == 0) { char *c; @@ -1392,9 +1432,12 @@ bad: } #endif - if (c_proof_debug) - SSL_CTX_set_tlsext_authz_server_audit_proof_cb(ctx, - audit_proof_cb); + if (c_auth) + { + SSL_CTX_set_custom_cli_ext(ctx, TLSEXT_TYPE_client_authz, authz_tlsext_generate_cb, authz_tlsext_cb, bio_err); + SSL_CTX_set_custom_cli_ext(ctx, TLSEXT_TYPE_server_authz, authz_tlsext_generate_cb, authz_tlsext_cb, bio_err); + SSL_CTX_set_cli_supp_data(ctx, TLSEXT_SUPPLEMENTALDATATYPE_authz_data, suppdata_cb, auth_suppdata_generate_cb, bio_err); + } #endif con=SSL_new(ctx); @@ -1670,14 +1713,18 @@ SSL_set_tlsext_status_ids(con, ids); int seen = 0; BIO_printf(sbio,"", host); + "xmlns='jabber:client' to='%s' version='1.0'>", xmpphost ? + xmpphost : host); seen = BIO_read(sbio,mbuf,BUFSIZZ); mbuf[seen] = 0; - while (!strstr(mbuf, "")) - goto shut; seen = BIO_read(sbio,mbuf,BUFSIZZ); + + if (seen <= 0) + goto shut; + mbuf[seen] = 0; } BIO_printf(sbio, ""); @@ -1735,6 +1782,13 @@ SSL_set_tlsext_status_ids(con, ids); "CONNECTION ESTABLISHED\n"); print_ssl_summary(bio_err, con); } + /*handshake is complete - free the generated supp data allocated in the callback */ + if (generated_supp_data) + { + OPENSSL_free(generated_supp_data); + generated_supp_data = NULL; + } + print_stuff(bio_c_out,con,full_log); if (full_log > 0) full_log--; @@ -1855,7 +1909,7 @@ SSL_set_tlsext_status_ids(con, ids); if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0) { - BIO_printf(bio_err,"TIMEOUT occured\n"); + BIO_printf(bio_err,"TIMEOUT occurred\n"); } if (!ssl_pending && FD_ISSET(SSL_get_fd(con),&writefds)) @@ -2297,6 +2351,7 @@ static void print_stuff(BIO *bio, SSL *s, int full) BIO_write(bio, proto, proto_len); BIO_write(bio, "\n", 1); } +# endif { const unsigned char *proto; unsigned int proto_len; @@ -2310,7 +2365,6 @@ static void print_stuff(BIO *bio, SSL *s, int full) else BIO_printf(bio, "No ALPN negotiated\n"); } -# endif #endif { @@ -2384,26 +2438,74 @@ static int ocsp_resp_cb(SSL *s, void *arg) return 1; } -static int audit_proof_cb(SSL *s, void *arg) +static int authz_tlsext_cb(SSL *s, unsigned short ext_type, + const unsigned char *in, + unsigned short inlen, int *al, + void *arg) { - const unsigned char *proof; - size_t proof_len; - size_t i; - SSL_SESSION *sess = SSL_get_session(s); - - proof = SSL_SESSION_get_tlsext_authz_server_audit_proof(sess, - &proof_len); - if (proof != NULL) + if (TLSEXT_TYPE_server_authz == ext_type) + server_provided_server_authz + = (memchr(in, TLSEXT_AUTHZDATAFORMAT_dtcp, inlen) != NULL); + + if (TLSEXT_TYPE_client_authz == ext_type) + server_provided_client_authz + = (memchr(in, TLSEXT_AUTHZDATAFORMAT_dtcp, inlen) != NULL); + + return 1; + } + +static int authz_tlsext_generate_cb(SSL *s, unsigned short ext_type, + const unsigned char **out, unsigned short *outlen, + int *al, void *arg) + { + if (c_auth) { - BIO_printf(bio_c_out, "Audit proof: "); - for (i = 0; i < proof_len; ++i) - BIO_printf(bio_c_out, "%02X", proof[i]); - BIO_printf(bio_c_out, "\n"); + /*if auth_require_reneg flag is set, only send extensions if + renegotiation has occurred */ + if (!c_auth_require_reneg || (c_auth_require_reneg && SSL_num_renegotiations(s))) + { + *out = auth_ext_data; + *outlen = 1; + return 1; + } } - else + /* no auth extension to send */ + return -1; + } + +static int suppdata_cb(SSL *s, unsigned short supp_data_type, + const unsigned char *in, + unsigned short inlen, int *al, + void *arg) + { + if (supp_data_type == TLSEXT_SUPPLEMENTALDATATYPE_authz_data) { - BIO_printf(bio_c_out, "No audit proof found.\n"); + most_recent_supplemental_data = in; + most_recent_supplemental_data_length = inlen; } return 1; } + +static int auth_suppdata_generate_cb(SSL *s, unsigned short supp_data_type, + const unsigned char **out, + unsigned short *outlen, int *al, void *arg) + { + if (c_auth && server_provided_client_authz && server_provided_server_authz) + { + /*if auth_require_reneg flag is set, only send supplemental data if + renegotiation has occurred */ + if (!c_auth_require_reneg + || (c_auth_require_reneg && SSL_num_renegotiations(s))) + { + generated_supp_data = OPENSSL_malloc(10); + memcpy(generated_supp_data, "5432154321", 10); + *out = generated_supp_data; + *outlen = 10; + return 1; + } + } + /* no supplemental data to send */ + return -1; + } + #endif