X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=apps%2Fs_client.c;h=441da2417fef94e37b67fe47cea4ae1661c9fbb9;hp=4a93b3de540c69958e089e447739b60f5254be12;hb=cddd424a5bda94e238e4ff06c0efc80cff3b07d1;hpb=e1b9840ed7c52346e4e203470210f7821158f708 diff --git a/apps/s_client.c b/apps/s_client.c index 4a93b3de54..441da2417f 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -138,6 +138,7 @@ #include #include #include +#include #include /* @@ -183,6 +184,7 @@ extern int verify_error; extern int verify_return_error; extern int verify_quiet; +static char *prog; static int async = 0; static int c_nbio = 0; static int c_tlsextdebug = 0; @@ -202,6 +204,21 @@ static int c_brief = 0; static void print_stuff(BIO *berr, SSL *con, int full); static int ocsp_resp_cb(SSL *s, void *arg); +static int saved_errno; + +static void save_errno(void) +{ + saved_errno = errno; + errno = 0; +} + +static int restore_errno(void) +{ + int ret = errno; + errno = saved_errno; + return ret; +} + #ifndef OPENSSL_NO_PSK /* Default PSK identity and key */ static char *psk_identity = "Client_identity"; @@ -455,6 +472,143 @@ static int serverinfo_cli_parse_cb(SSL *s, unsigned int ext_type, return 1; } +/* + * Hex decoder that tolerates optional whitespace. Returns number of bytes + * produced, advances inptr to end of input string. + */ +static ossl_ssize_t hexdecode(const char **inptr, void *result) +{ + unsigned char **out = (unsigned char **)result; + const char *in = *inptr; + unsigned char *ret = OPENSSL_malloc(strlen(in)/2); + unsigned char *cp = ret; + uint8_t byte; + int nibble = 0; + + if (ret == NULL) + return -1; + + for (byte = 0; *in; ++in) { + char c; + + if (isspace(*in)) + continue; + c = tolower(*in); + if ('0' <= c && c <= '9') { + byte |= c - '0'; + } else if ('a' <= c && c <= 'f') { + byte |= c - 'a' + 10; + } else { + OPENSSL_free(ret); + return 0; + } + if ((nibble ^= 1) == 0) { + *cp++ = byte; + byte = 0; + } else { + byte <<= 4; + } + } + if (nibble != 0) { + OPENSSL_free(ret); + return 0; + } + *inptr = in; + + return cp - (*out = ret); +} + +/* + * Decode unsigned 0..255, returns 1 on success, <= 0 on failure. Advances + * inptr to next field skipping leading whitespace. + */ +static ossl_ssize_t checked_uint8(const char **inptr, void *out) +{ + uint8_t *result = (uint8_t *)out; + const char *in = *inptr; + char *endp; + long v; + int e; + + save_errno(); + v = strtol(in, &endp, 10); + e = restore_errno(); + + if (((v == LONG_MIN || v == LONG_MAX) && e == ERANGE) || + endp == in || !isspace(*endp) || + v != (*result = (uint8_t) v)) { + return -1; + } + for (in = endp; isspace(*in); ++in) + continue; + + *inptr = in; + return 1; +} + +static int tlsa_import_rr(SSL *con, const char *rrdata) +{ + int ret; + uint8_t usage; + uint8_t selector; + uint8_t mtype; + unsigned char *data = NULL; + const char *cp = rrdata; + ossl_ssize_t len = 0; + struct tlsa_field { + void *var; + const char *name; + ossl_ssize_t (*parser)(const char **, void *); + } tlsa_fields[] = { + { &usage, "usage", checked_uint8 }, + { &selector, "selector", checked_uint8 }, + { &mtype, "mtype", checked_uint8 }, + { &data, "data", hexdecode }, + { NULL, } + }; + struct tlsa_field *f; + + for (f = tlsa_fields; f->var; ++f) { + /* Returns number of bytes produced, advances cp to next field */ + if ((len = f->parser(&cp, f->var)) <= 0) { + BIO_printf(bio_err, "%s: warning: bad TLSA %s field in: %s\n", + prog, f->name, rrdata); + return 0; + } + } + /* The data field is last, so len is its length */ + ret = SSL_dane_tlsa_add(con, usage, selector, mtype, data, len); + OPENSSL_free(data); + + if (ret == 0) { + ERR_print_errors(bio_err); + BIO_printf(bio_err, "%s: warning: unusable TLSA rrdata: %s\n", + prog, rrdata); + return 0; + } + if (ret < 0) { + ERR_print_errors(bio_err); + BIO_printf(bio_err, "%s: warning: error loading TLSA rrdata: %s\n", + prog, rrdata); + return 0; + } + return ret; +} + +static int tlsa_import_rrset(SSL *con, STACK_OF(OPENSSL_STRING) *rrset) +{ + int num = sk_OPENSSL_STRING_num(rrset); + int count = 0; + int i; + + for (i = 0; i < num; ++i) { + char *rrdata = sk_OPENSSL_STRING_value(rrset, i); + if (tlsa_import_rr(con, rrdata) > 0) + ++count; + } + return count > 0; +} + typedef enum OPTION_choice { OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, OPT_HOST, OPT_PORT, OPT_CONNECT, OPT_UNIX, OPT_XMPPHOST, OPT_VERIFY, @@ -466,7 +620,7 @@ typedef enum OPTION_choice { OPT_MSG, OPT_MSGFILE, OPT_ENGINE, OPT_TRACE, OPT_SECURITY_DEBUG, OPT_SECURITY_DEBUG_VERBOSE, OPT_SHOWCERTS, OPT_NBIO_TEST, OPT_STATE, OPT_PSK_IDENTITY, OPT_PSK, OPT_SRPUSER, OPT_SRPPASS, OPT_SRP_STRENGTH, - OPT_SRP_LATEUSER, OPT_SRP_MOREGROUPS, OPT_SSL3, + OPT_SRP_LATEUSER, OPT_SRP_MOREGROUPS, OPT_SSL3, OPT_SSL_CONFIG, OPT_TLS1_2, OPT_TLS1_1, OPT_TLS1, OPT_DTLS, OPT_DTLS1, OPT_DTLS1_2, OPT_TIMEOUT, OPT_MTU, OPT_KEYFORM, OPT_PASS, OPT_CERT_CHAIN, OPT_CAPATH, OPT_NOCAPATH, OPT_CHAINCAPATH, OPT_VERIFYCAPATH, @@ -478,7 +632,8 @@ typedef enum OPTION_choice { OPT_V_ENUM, OPT_X_ENUM, OPT_S_ENUM, - OPT_FALLBACKSCSV, OPT_NOCMDS, OPT_PROXY + OPT_FALLBACKSCSV, OPT_NOCMDS, OPT_PROXY, OPT_DANE_TLSA_DOMAIN, + OPT_DANE_TLSA_RRDATA } OPTION_CHOICE; OPTIONS s_client_options[] = { @@ -503,6 +658,9 @@ OPTIONS s_client_options[] = { "Do not load the default certificates file"}, {"no-CApath", OPT_NOCAPATH, '-', "Do not load certificates from the default certificates directory"}, + {"dane_tlsa_domain", OPT_DANE_TLSA_DOMAIN, 's', "DANE TLSA base domain"}, + {"dane_tlsa_rrdata", OPT_DANE_TLSA_RRDATA, 's', + "DANE TLSA rrdata presentation form"}, {"reconnect", OPT_RECONNECT, '-', "Drop and re-make the connection with the same Session-ID"}, {"pause", OPT_PAUSE, '-', "Sleep after each read and write system call"}, @@ -561,13 +719,14 @@ OPTIONS s_client_options[] = { {"alpn", OPT_ALPN, 's', "Enable ALPN extension, considering named protocols supported (comma-separated list)"}, {"async", OPT_ASYNC, '-', "Support asynchronous operation"}, + {"ssl_config", OPT_SSL_CONFIG, 's'}, OPT_S_OPTIONS, OPT_V_OPTIONS, OPT_X_OPTIONS, #ifndef OPENSSL_NO_SSL3 {"ssl3", OPT_SSL3, '-', "Just use SSLv3"}, #endif -#ifndef OPENSSL_NO_DTLS1 +#ifndef OPENSSL_NO_DTLS {"dtls", OPT_DTLS, '-'}, {"dtls1", OPT_DTLS1, '-', "Just use DTLSv1"}, {"dtls1_2", OPT_DTLS1_2, '-'}, @@ -647,11 +806,13 @@ int s_client_main(int argc, char **argv) SSL_EXCERT *exc = NULL; SSL_CONF_CTX *cctx = NULL; STACK_OF(OPENSSL_STRING) *ssl_args = NULL; + char *dane_tlsa_domain = NULL; + STACK_OF(OPENSSL_STRING) *dane_tlsa_rrset = NULL; STACK_OF(X509_CRL) *crls = NULL; const SSL_METHOD *meth = TLS_client_method(); char *CApath = NULL, *CAfile = NULL, *cbuf = NULL, *sbuf = NULL; char *mbuf = NULL, *proxystr = NULL, *connectstr = NULL; - char *cert_file = NULL, *key_file = NULL, *chain_file = NULL, *prog; + char *cert_file = NULL, *key_file = NULL, *chain_file = NULL; char *chCApath = NULL, *chCAfile = NULL, *host = SSL_HOST_NAME; char *inrand = NULL; char *passarg = NULL, *pass = NULL, *vfyCApath = NULL, *vfyCAfile = NULL; @@ -686,6 +847,7 @@ int s_client_main(int argc, char **argv) char *servername = NULL; const char *alpn_in = NULL; tlsextctx tlsextcbp = { NULL, 0 }; + const char *ssl_config = NULL; #define MAX_SI_TYPES 100 unsigned short serverinfo_types[MAX_SI_TYPES]; int serverinfo_count = 0, start = 0, len; @@ -940,6 +1102,9 @@ int s_client_main(int argc, char **argv) case OPT_SRP_MOREGROUPS: break; #endif + case OPT_SSL_CONFIG: + ssl_config = opt_arg(); + break; case OPT_SSL3: #ifndef OPENSSL_NO_SSL3 meth = SSLv3_client_method(); @@ -954,7 +1119,7 @@ int s_client_main(int argc, char **argv) case OPT_TLS1: meth = TLSv1_client_method(); break; -#ifndef OPENSSL_NO_DTLS1 +#ifndef OPENSSL_NO_DTLS case OPT_DTLS: meth = DTLS_client_method(); socket_type = SOCK_DGRAM; @@ -1027,6 +1192,18 @@ int s_client_main(int argc, char **argv) case OPT_VERIFYCAFILE: vfyCAfile = opt_arg(); break; + case OPT_DANE_TLSA_DOMAIN: + dane_tlsa_domain = opt_arg(); + break; + case OPT_DANE_TLSA_RRDATA: + if (dane_tlsa_rrset == NULL) + dane_tlsa_rrset = sk_OPENSSL_STRING_new_null(); + if (dane_tlsa_rrset == NULL || + !sk_OPENSSL_STRING_push(dane_tlsa_rrset, opt_arg())) { + BIO_printf(bio_err, "%s: Memory allocation failure\n", prog); + goto end; + } + break; case OPT_NEXTPROTONEG: next_proto_neg_in = opt_arg(); break; @@ -1200,6 +1377,15 @@ int s_client_main(int argc, char **argv) if (sdebug) ssl_ctx_security_debug(ctx, sdebug); + if (ssl_config) { + if (SSL_CTX_config(ctx, ssl_config) == 0) { + BIO_printf(bio_err, "Error using configuration \"%s\"\n", + ssl_config); + ERR_print_errors(bio_err); + goto end; + } + } + if (vpmtouched && !SSL_CTX_set1_param(ctx, vpm)) { BIO_printf(bio_err, "Error setting verify params\n"); ERR_print_errors(bio_err); @@ -1208,10 +1394,10 @@ int s_client_main(int argc, char **argv) if (async) { SSL_CTX_set_mode(ctx, SSL_MODE_ASYNC); - ASYNC_init_pool(0, 0); + ASYNC_init(1, 0, 0); } - if (!config_ctx(cctx, ssl_args, ctx, 1, jpake_secret == NULL)) + if (!config_ctx(cctx, ssl_args, ctx, jpake_secret == NULL)) goto end; if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile, @@ -1322,6 +1508,15 @@ int s_client_main(int argc, char **argv) } # endif + if (dane_tlsa_domain != NULL) { + if (SSL_CTX_dane_enable(ctx) <= 0) { + BIO_printf(bio_err, + "%s: Error enabling DANE TLSA authentication.\n", prog); + ERR_print_errors(bio_err); + goto end; + } + } + con = SSL_new(ctx); if (sess_in) { SSL_SESSION *sess; @@ -1357,6 +1552,29 @@ int s_client_main(int argc, char **argv) } } + if (dane_tlsa_domain != NULL) { + if (SSL_dane_enable(con, dane_tlsa_domain) <= 0) { + BIO_printf(bio_err, "%s: Error enabling DANE TLSA " + "authentication.\n", prog); + ERR_print_errors(bio_err); + goto end; + } + if (dane_tlsa_rrset == NULL) { + BIO_printf(bio_err, "%s: DANE TLSA authentication requires at " + "least one -dane_tlsa_rrset option.\n", prog); + goto end; + } + if (tlsa_import_rrset(con, dane_tlsa_rrset) <= 0) { + BIO_printf(bio_err, "%s: Failed to import any TLSA " + "records.\n", prog); + goto end; + } + } else if (dane_tlsa_rrset != NULL) { + BIO_printf(bio_err, "%s: DANE TLSA authentication requires the " + "-dane_tlsa_domain option.\n", prog); + goto end; + } + re_start: #ifdef NO_SYS_UN_H if (init_client(&s, host, port, socket_type) == 0) @@ -1513,8 +1731,8 @@ int s_client_main(int argc, char **argv) BIO_free(fbio); if (!foundit) BIO_printf(bio_err, - "didn't found starttls in server response," - " try anyway...\n"); + "didn't find starttls in server response," + " trying anyway...\n"); BIO_printf(sbio, "STARTTLS\r\n"); BIO_read(sbio, sbuf, BUFSIZZ); } @@ -1551,8 +1769,8 @@ int s_client_main(int argc, char **argv) BIO_free(fbio); if (!foundit) BIO_printf(bio_err, - "didn't found STARTTLS in server response," - " try anyway...\n"); + "didn't find STARTTLS in server response," + " trying anyway...\n"); BIO_printf(sbio, ". STARTTLS\r\n"); BIO_read(sbio, sbuf, BUFSIZZ); } @@ -2102,7 +2320,7 @@ int s_client_main(int argc, char **argv) SSL_free(con); } if (async) { - ASYNC_free_pool(); + ASYNC_cleanup(1); } #if !defined(OPENSSL_NO_NEXTPROTONEG) OPENSSL_free(next_proto.data); @@ -2119,6 +2337,7 @@ int s_client_main(int argc, char **argv) X509_VERIFY_PARAM_free(vpm); ssl_excert_free(exc); sk_OPENSSL_STRING_free(ssl_args); + sk_OPENSSL_STRING_free(dane_tlsa_rrset); SSL_CONF_CTX_free(cctx); OPENSSL_clear_free(cbuf, BUFSIZZ); OPENSSL_clear_free(sbuf, BUFSIZZ); @@ -2139,6 +2358,9 @@ static void print_stuff(BIO *bio, SSL *s, int full) const SSL_CIPHER *c; X509_NAME *xn; int i; + int mdpth; + EVP_PKEY *mspki; + const char *peername; #ifndef OPENSSL_NO_COMP const COMP_METHOD *comp, *expansion; #endif @@ -2200,16 +2422,27 @@ static void print_stuff(BIO *bio, SSL *s, int full) BIO_number_read(SSL_get_rbio(s)), BIO_number_written(SSL_get_wbio(s))); } + if ((mdpth = SSL_get0_dane_authority(s, NULL, &mspki)) >= 0) { + uint8_t usage, selector, mtype; + (void) SSL_get0_dane_tlsa(s, &usage, &selector, &mtype, NULL, NULL); + BIO_printf(bio, "DANE TLSA %d %d %d %s at depth %d\n", + usage, selector, mtype, + (mspki != NULL) ? "TA public key verified certificate" : + mdpth ? "matched TA certificate" : "matched EE certificate", + mdpth); + } + if (SSL_get_verify_result(s) == X509_V_OK && + (peername = SSL_get0_peername(s)) != NULL) + BIO_printf(bio, "Verified peername: %s\n", peername); BIO_printf(bio, (SSL_cache_hit(s) ? "---\nReused, " : "---\nNew, ")); c = SSL_get_current_cipher(s); BIO_printf(bio, "%s, Cipher is %s\n", SSL_CIPHER_get_version(c), SSL_CIPHER_get_name(c)); if (peer != NULL) { EVP_PKEY *pktmp; - pktmp = X509_get_pubkey(peer); + pktmp = X509_get0_pubkey(peer); BIO_printf(bio, "Server public key is %d bit\n", EVP_PKEY_bits(pktmp)); - EVP_PKEY_free(pktmp); } BIO_printf(bio, "Secure Renegotiation IS%s supported\n", SSL_get_secure_renegotiation_support(s) ? "" : " NOT");