if (!ret) {
BIO_printf(bio_err, "Could not convert PSK key '%s' to BIGNUM\n",
psk_key);
- if (bn)
- BN_free(bn);
+ BN_free(bn);
return 0;
}
BN_mod_exp(r, g, p, N, bn_ctx) &&
BN_add_word(r, 1) && BN_cmp(r, N) == 0;
- if (r)
- BN_free(r);
- if (p)
- BN_free(p);
- if (bn_ctx)
- BN_CTX_free(bn_ctx);
+ BN_free(r);
+ BN_free(p);
+ BN_CTX_free(bn_ctx);
return ret;
}
{
SRP_ARG *srp_arg = (SRP_ARG *)arg;
BIGNUM *N = NULL, *g = NULL;
- if (!(N = SSL_get_srp_N(s)) || !(g = SSL_get_srp_g(s)))
+
+ if (((N = SSL_get_srp_N(s)) == NULL) || ((g = SSL_get_srp_g(s)) == NULL))
return 0;
if (srp_arg->debug || srp_arg->msg || srp_arg->amp == 1) {
BIO_printf(bio_err, "SRP parameters:\n");
static char *ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
{
SRP_ARG *srp_arg = (SRP_ARG *)arg;
- char *pass = (char *)OPENSSL_malloc(PWD_STRLEN + 1);
+ char *pass = app_malloc(PWD_STRLEN + 1, "SRP password buffer");
PW_CB_DATA cb_tmp;
int l;
- if (!pass) {
- BIO_printf(bio_err, "Out of memory\n");
- return NULL;
- }
cb_tmp.password = (char *)srp_arg->srppassin;
cb_tmp.prompt_info = "SRP user";
if ((l = password_callback(pass, PWD_STRLEN, 0, &cb_tmp)) < 0) {
typedef enum OPTION_choice {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
- OPT_HOST, OPT_PORT, OPT_CONNECT, OPT_UNIX, OPT_VERIFY,
+ OPT_HOST, OPT_PORT, OPT_CONNECT, OPT_UNIX, OPT_XMPPHOST, OPT_VERIFY,
OPT_CERT, OPT_CRL, OPT_CRL_DOWNLOAD, OPT_SESS_OUT, OPT_SESS_IN,
OPT_CERTFORM, OPT_CRLFORM, OPT_VERIFY_RET_ERROR, OPT_VERIFY_QUIET,
OPT_BRIEF, OPT_PREXIT, OPT_CRLF, OPT_QUIET, OPT_NBIO,
OPT_TLS1_2, OPT_TLS1_1, OPT_TLS1, OPT_DTLS, OPT_DTLS1,
OPT_DTLS1_2, OPT_TIMEOUT, OPT_MTU, OPT_KEYFORM, OPT_PASS,
OPT_CERT_CHAIN, OPT_CAPATH, OPT_CHAINCAPATH, OPT_VERIFYCAPATH,
- OPT_KEY, OPT_RECONNECT, OPT_BUILD_CHAIN, OPT_CAFILE, OPT_KRB5SVC,
+ OPT_KEY, OPT_RECONNECT, OPT_BUILD_CHAIN, OPT_CAFILE,
OPT_CHAINCAFILE, OPT_VERIFYCAFILE, OPT_NEXTPROTONEG, OPT_ALPN,
OPT_SERVERINFO, OPT_STARTTLS, OPT_SERVERNAME, OPT_JPAKE,
- OPT_USE_SRTP, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN,
+ OPT_USE_SRTP, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN, OPT_SMTPHOST,
OPT_V_ENUM,
OPT_X_ENUM,
OPT_S_ENUM,
{"mtu", OPT_MTU, 'p', "Set the link layer MTU"},
{"starttls", OPT_STARTTLS, 's',
"Use the STARTTLS command before starting TLS"},
+ {"xmpphost", OPT_XMPPHOST, 's', "Host to use with \"-starttls xmpp\""},
{"rand", OPT_RAND, 's',
"Load the file(s) into the random number generator"},
{"sess_out", OPT_SESS_OUT, '>', "File to write SSL session to"},
{"jpake", OPT_JPAKE, 's', "JPAKE secret to use"},
# endif
#endif
-#ifndef OPENSSL_NO_KRB5
- {"krb5svc", OPT_KRB5SVC, 's', "Kerberos service name"},
-#endif
#ifndef OPENSSL_NO_SRP
{"srpuser", OPT_SRPUSER, 's', "SRP authentification for 'user'"},
{"srppass", OPT_SRPPASS, 's', "Password for 'user'"},
"Tolerate other than the known g N values."},
{"srp_strength", OPT_SRP_STRENGTH, 'p', "Minimal mength in bits for N"},
#endif
+ {"name", OPT_SMTPHOST, 's', "Hostname to use for \"-starttls smtp\""},
#ifndef OPENSSL_NO_TLSEXT
{"servername", OPT_SERVERNAME, 's',
"Set TLS extension servername in ClientHello"},
PROTO_POP3,
PROTO_IMAP,
PROTO_FTP,
+ PROTO_TELNET,
PROTO_XMPP
} PROTOCOL_CHOICE;
{"imap", PROTO_IMAP},
{"ftp", PROTO_FTP},
{"xmpp", PROTO_XMPP},
+ {"telnet", PROTO_TELNET},
{NULL}
};
NULL;
char *passarg = NULL, *pass = NULL, *vfyCApath = NULL, *vfyCAfile = NULL;
char *sess_in = NULL, *sess_out = NULL, *crl_file = NULL, *p;
- char *jpake_secret = NULL;
+ char *jpake_secret = NULL, *xmpphost = NULL;
const char *unix_path = NULL;
+ const char *ehlo = "mail.example.com";
struct sockaddr peer;
struct timeval timeout, *timeoutp;
fd_set readfds, writefds;
long socket_mtu = 0, randamt = 0;
unsigned short port = PORT;
OPTION_CHOICE o;
-#ifndef OPENSSL_NO_KRB5
- KSSL_CTX *kctx;
- const char *krb5svc = NULL;
-#endif
#ifndef OPENSSL_NO_ENGINE
ENGINE *ssl_client_engine = NULL;
#endif
verify_depth = 0;
verify_error = X509_V_OK;
vpm = X509_VERIFY_PARAM_new();
- cbuf = OPENSSL_malloc(BUFSIZZ);
- sbuf = OPENSSL_malloc(BUFSIZZ);
- mbuf = OPENSSL_malloc(BUFSIZZ);
+ cbuf = app_malloc(BUFSIZZ, "cbuf");
+ sbuf = app_malloc(BUFSIZZ, "sbuf");
+ mbuf = app_malloc(BUFSIZZ, "mbuf");
cctx = SSL_CONF_CTX_new();
- if (vpm == NULL || cctx == NULL
- || cbuf == NULL || sbuf == NULL || mbuf == NULL) {
+ if (vpm == NULL || cctx == NULL) {
BIO_printf(bio_err, "%s: out of memory\n", prog);
goto end;
}
case OPT_UNIX:
unix_path = opt_arg();
break;
+ case OPT_XMPPHOST:
+ xmpphost = opt_arg();
+ break;
+ case OPT_SMTPHOST:
+ ehlo = opt_arg();
+ break;
case OPT_VERIFY:
verify = SSL_VERIFY_PEER;
verify_depth = atoi(opt_arg());
case OPT_NOCMDS:
cmdletters = 0;
break;
- case OPT_KRB5SVC:
-#ifndef OPENSSL_NO_KRB5
- krb5svc = opt_arg();
-#endif
- break;
case OPT_ENGINE:
e = setup_engine(opt_arg(), 1);
break;
}
if (sdebug)
- ssl_ctx_security_debug(ctx, bio_err, sdebug);
+ ssl_ctx_security_debug(ctx, sdebug);
if (vpmtouched && !SSL_CTX_set1_param(ctx, vpm)) {
BIO_printf(bio_err, "Error setting verify params\n");
}
}
#endif
-#ifndef OPENSSL_NO_KRB5
- if (con && (kctx = kssl_ctx_new()) != NULL) {
- SSL_set0_kssl_ctx(con, kctx);
- kssl_ctx_setstring(kctx, KSSL_SERVER, host);
- if (krb5svc)
- kssl_ctx_setstring(kctx, KSSL_SERVICE, krb5svc);
- }
-#endif /* OPENSSL_NO_KRB5 */
re_start:
#ifdef NO_SYS_UN_H
mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ);
}
while (mbuf_len > 3 && mbuf[3] == '-');
- BIO_printf(fbio, "EHLO openssl.client.net\r\n");
+ BIO_printf(fbio, "EHLO %s\r\n", ehlo);
(void)BIO_flush(fbio);
/* wait for multi-line response to end EHLO SMTP response */
do {
BIO_printf(sbio, "<stream:stream "
"xmlns:stream='http://etherx.jabber.org/streams' "
"xmlns='jabber:client' to='%s' version='1.0'>",
- host);
+ xmpphost ? xmpphost : host);
seen = BIO_read(sbio, mbuf, BUFSIZZ);
mbuf[seen] = 0;
while (!strstr
mbuf[0] = 0;
}
break;
+ case PROTO_TELNET:
+ {
+ static const unsigned char tls_do[] = {
+ /* IAC DO START_TLS */
+ 255, 253, 46
+ };
+ static const unsigned char tls_will[] = {
+ /* IAC WILL START_TLS */
+ 255, 251, 46
+ };
+ static const unsigned char tls_follows[] = {
+ /* IAC SB START_TLS FOLLOWS IAC SE */
+ 255, 250, 46, 1, 255, 240
+ };
+ int bytes;
+
+ /* Telnet server should demand we issue START_TLS */
+ bytes = BIO_read(sbio, mbuf, BUFSIZZ);
+ if (bytes != 3 || memcmp(mbuf, tls_do, 3) != 0)
+ goto shut;
+ /* Agree to issue START_TLS and send the FOLLOWS sub-command */
+ BIO_write(sbio, tls_will, 3);
+ BIO_write(sbio, tls_follows, 6);
+ (void)BIO_flush(sbio);
+ /* Telnet server also sent the FOLLOWS sub-command */
+ bytes = BIO_read(sbio, mbuf, BUFSIZZ);
+ if (bytes != 6 || memcmp(mbuf, tls_follows, 6) != 0)
+ goto shut;
+ }
}
for (;;) {
}
if (c_brief) {
BIO_puts(bio_err, "CONNECTION ESTABLISHED\n");
- print_ssl_summary(bio_err, con);
+ print_ssl_summary(con);
}
print_stuff(bio_c_out, con, full_log);
SSL_free(con);
}
#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
- if (next_proto.data)
- OPENSSL_free(next_proto.data);
+ OPENSSL_free(next_proto.data);
#endif
SSL_CTX_free(ctx);
- if (cert)
- X509_free(cert);
- if (crls)
- sk_X509_CRL_pop_free(crls, X509_CRL_free);
+ X509_free(cert);
+ sk_X509_CRL_pop_free(crls, X509_CRL_free);
EVP_PKEY_free(key);
- if (chain)
- sk_X509_pop_free(chain, X509_free);
- if (pass)
- OPENSSL_free(pass);
- if (vpm)
- X509_VERIFY_PARAM_free(vpm);
+ sk_X509_pop_free(chain, X509_free);
+ OPENSSL_free(pass);
+ X509_VERIFY_PARAM_free(vpm);
ssl_excert_free(exc);
sk_OPENSSL_STRING_free(ssl_args);
SSL_CONF_CTX_free(cctx);
-#ifndef OPENSSL_NO_JPAKE
- if (jpake_secret && psk_key)
- OPENSSL_free(psk_key);
-#endif
- if (cbuf != NULL) {
- OPENSSL_cleanse(cbuf, BUFSIZZ);
- OPENSSL_free(cbuf);
- }
- if (sbuf != NULL) {
- OPENSSL_cleanse(sbuf, BUFSIZZ);
- OPENSSL_free(sbuf);
- }
- if (mbuf != NULL) {
- OPENSSL_cleanse(mbuf, BUFSIZZ);
- OPENSSL_free(mbuf);
- }
+ OPENSSL_clear_free(cbuf, BUFSIZZ);
+ OPENSSL_clear_free(sbuf, BUFSIZZ);
+ OPENSSL_clear_free(mbuf, BUFSIZZ);
BIO_free(bio_c_out);
bio_c_out = NULL;
BIO_free(bio_c_msg);
BIO_printf(bio, "Keying material exporter:\n");
BIO_printf(bio, " Label: '%s'\n", keymatexportlabel);
BIO_printf(bio, " Length: %i bytes\n", keymatexportlen);
- exportedkeymat = OPENSSL_malloc(keymatexportlen);
- if (exportedkeymat != NULL) {
- if (!SSL_export_keying_material(s, exportedkeymat,
- keymatexportlen,
- keymatexportlabel,
- strlen(keymatexportlabel),
- NULL, 0, 0)) {
- BIO_printf(bio, " Error\n");
- } else {
- BIO_printf(bio, " Keying material: ");
- for (i = 0; i < keymatexportlen; i++)
- BIO_printf(bio, "%02X", exportedkeymat[i]);
- BIO_printf(bio, "\n");
- }
- OPENSSL_free(exportedkeymat);
+ exportedkeymat = app_malloc(keymatexportlen, "export key");
+ if (!SSL_export_keying_material(s, exportedkeymat,
+ keymatexportlen,
+ keymatexportlabel,
+ strlen(keymatexportlabel),
+ NULL, 0, 0)) {
+ BIO_printf(bio, " Error\n");
+ } else {
+ BIO_printf(bio, " Keying material: ");
+ for (i = 0; i < keymatexportlen; i++)
+ BIO_printf(bio, "%02X", exportedkeymat[i]);
+ BIO_printf(bio, "\n");
}
+ OPENSSL_free(exportedkeymat);
}
BIO_printf(bio, "---\n");
- if (peer != NULL)
- X509_free(peer);
+ X509_free(peer);
/* flush, or debugging output gets mixed with http response */
(void)BIO_flush(bio);
}