X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=apps%2Fs_client.c;h=5aa1adc51ec88a6fd68b08805cdd5ab13ad00210;hp=0d030056fc7357e1d994a0a22f6d28b27b9a3b2b;hb=c01ff880d47392b82cce2f93ac4a9bb8c68f8cc7;hpb=333b070ec06d7a67538ee9d5312656a19e802dc1 diff --git a/apps/s_client.c b/apps/s_client.c index 0d030056fc..5aa1adc51e 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -134,7 +134,6 @@ * OTHERWISE. */ -#include #include #include #include @@ -161,6 +160,7 @@ typedef unsigned int u_int; #include #include #include +#include #ifndef OPENSSL_NO_SRP # include #endif @@ -176,12 +176,14 @@ typedef unsigned int u_int; #undef BUFSIZZ #define BUFSIZZ 1024*8 +#define S_CLIENT_IRC_READ_TIMEOUT 8 extern int verify_depth; extern int verify_error; extern int verify_return_error; extern int verify_quiet; +static int async = 0; static int c_nbio = 0; static int c_tlsextdebug = 0; static int c_status_req = 0; @@ -198,9 +200,7 @@ static int c_ign_eof = 0; static int c_brief = 0; static void print_stuff(BIO *berr, SSL *con, int full); -#ifndef OPENSSL_NO_TLSEXT static int ocsp_resp_cb(SSL *s, void *arg); -#endif #ifndef OPENSSL_NO_PSK /* Default PSK identity and key */ @@ -241,8 +241,7 @@ static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity, if (!ret) { BIO_printf(bio_err, "Could not convert PSK key '%s' to BIGNUM\n", psk_key); - if (bn) - BN_free(bn); + BN_free(bn); return 0; } @@ -270,8 +269,6 @@ static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity, } #endif -#ifndef OPENSSL_NO_TLSEXT - /* This is a context that we pass to callbacks */ typedef struct tlsextctx_st { BIO *biodebug; @@ -290,7 +287,7 @@ static int ssl_servername_cb(SSL *s, int *ad, void *arg) return SSL_TLSEXT_ERR_OK; } -# ifndef OPENSSL_NO_SRP +#ifndef OPENSSL_NO_SRP /* This is a context that we pass to all callbacks */ typedef struct srp_arg_st { @@ -302,7 +299,7 @@ typedef struct srp_arg_st { int strength /* minimal size for N */ ; } SRP_ARG; -# define SRP_NUMBER_ITERATIONS_FOR_PRIME 64 +# define SRP_NUMBER_ITERATIONS_FOR_PRIME 64 static int srp_Verify_N_and_g(const BIGNUM *N, const BIGNUM *g) { @@ -320,12 +317,9 @@ static int srp_Verify_N_and_g(const BIGNUM *N, const BIGNUM *g) BN_mod_exp(r, g, p, N, bn_ctx) && BN_add_word(r, 1) && BN_cmp(r, N) == 0; - if (r) - BN_free(r); - if (p) - BN_free(p); - if (bn_ctx) - BN_CTX_free(bn_ctx); + BN_free(r); + BN_free(p); + BN_CTX_free(bn_ctx); return ret; } @@ -349,7 +343,8 @@ static int ssl_srp_verify_param_cb(SSL *s, void *arg) { SRP_ARG *srp_arg = (SRP_ARG *)arg; BIGNUM *N = NULL, *g = NULL; - if (!(N = SSL_get_srp_N(s)) || !(g = SSL_get_srp_g(s))) + + if (((N = SSL_get_srp_N(s)) == NULL) || ((g = SSL_get_srp_g(s)) == NULL)) return 0; if (srp_arg->debug || srp_arg->msg || srp_arg->amp == 1) { BIO_printf(bio_err, "SRP parameters:\n"); @@ -380,19 +375,15 @@ static int ssl_srp_verify_param_cb(SSL *s, void *arg) return 0; } -# define PWD_STRLEN 1024 +# define PWD_STRLEN 1024 static char *ssl_give_srp_client_pwd_cb(SSL *s, void *arg) { SRP_ARG *srp_arg = (SRP_ARG *)arg; - char *pass = (char *)OPENSSL_malloc(PWD_STRLEN + 1); + char *pass = app_malloc(PWD_STRLEN + 1, "SRP password buffer"); PW_CB_DATA cb_tmp; int l; - if (!pass) { - BIO_printf(bio_err, "Out of memory\n"); - return NULL; - } cb_tmp.password = (char *)srp_arg->srppassin; cb_tmp.prompt_info = "SRP user"; if ((l = password_callback(pass, PWD_STRLEN, 0, &cb_tmp)) < 0) { @@ -405,11 +396,11 @@ static char *ssl_give_srp_client_pwd_cb(SSL *s, void *arg) return pass; } -# endif +#endif -char *srtp_profiles = NULL; +static char *srtp_profiles = NULL; -# ifndef OPENSSL_NO_NEXTPROTONEG +#ifndef OPENSSL_NO_NEXTPROTONEG /* This the context that we pass to next_proto_cb */ typedef struct tlsextnextprotoctx_st { unsigned char *data; @@ -442,7 +433,7 @@ static int next_proto_cb(SSL *s, unsigned char **out, unsigned char *outlen, SSL_select_next_proto(out, outlen, in, inlen, ctx->data, ctx->len); return SSL_TLSEXT_ERR_OK; } -# endif /* ndef OPENSSL_NO_NEXTPROTONEG */ +#endif /* ndef OPENSSL_NO_NEXTPROTONEG */ static int serverinfo_cli_parse_cb(SSL *s, unsigned int ext_type, const unsigned char *in, size_t inlen, @@ -464,11 +455,9 @@ static int serverinfo_cli_parse_cb(SSL *s, unsigned int ext_type, return 1; } -#endif - typedef enum OPTION_choice { OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, - OPT_HOST, OPT_PORT, OPT_CONNECT, OPT_UNIX, OPT_VERIFY, + OPT_HOST, OPT_PORT, OPT_CONNECT, OPT_UNIX, OPT_XMPPHOST, OPT_VERIFY, OPT_CERT, OPT_CRL, OPT_CRL_DOWNLOAD, OPT_SESS_OUT, OPT_SESS_IN, OPT_CERTFORM, OPT_CRLFORM, OPT_VERIFY_RET_ERROR, OPT_VERIFY_QUIET, OPT_BRIEF, OPT_PREXIT, OPT_CRLF, OPT_QUIET, OPT_NBIO, @@ -480,15 +469,16 @@ typedef enum OPTION_choice { OPT_SRP_LATEUSER, OPT_SRP_MOREGROUPS, OPT_SSL3, OPT_TLS1_2, OPT_TLS1_1, OPT_TLS1, OPT_DTLS, OPT_DTLS1, OPT_DTLS1_2, OPT_TIMEOUT, OPT_MTU, OPT_KEYFORM, OPT_PASS, - OPT_CERT_CHAIN, OPT_CAPATH, OPT_CHAINCAPATH, OPT_VERIFYCAPATH, - OPT_KEY, OPT_RECONNECT, OPT_BUILD_CHAIN, OPT_CAFILE, OPT_KRB5SVC, + OPT_CERT_CHAIN, OPT_CAPATH, OPT_NOCAPATH, OPT_CHAINCAPATH, OPT_VERIFYCAPATH, + OPT_KEY, OPT_RECONNECT, OPT_BUILD_CHAIN, OPT_CAFILE, OPT_NOCAFILE, OPT_CHAINCAFILE, OPT_VERIFYCAFILE, OPT_NEXTPROTONEG, OPT_ALPN, OPT_SERVERINFO, OPT_STARTTLS, OPT_SERVERNAME, OPT_JPAKE, - OPT_USE_SRTP, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN, + OPT_USE_SRTP, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN, OPT_SMTPHOST, + OPT_ASYNC, OPT_V_ENUM, OPT_X_ENUM, OPT_S_ENUM, - OPT_FALLBACKSCSV + OPT_FALLBACKSCSV, OPT_NOCMDS, OPT_PROXY } OPTION_CHOICE; OPTIONS s_client_options[] = { @@ -497,6 +487,8 @@ OPTIONS s_client_options[] = { {"port", OPT_PORT, 'p', "Use -connect instead"}, {"connect", OPT_CONNECT, 's', "TCP/IP where to connect (default is " SSL_HOST_NAME ":" PORT_STR ")"}, + {"proxy", OPT_PROXY, 's', + "Connect to via specified proxy to the real server"}, {"unix", OPT_UNIX, 's', "Connect over unix domain sockets"}, {"verify", OPT_VERIFY, 'p', "Turn on peer certificate verification"}, {"cert", OPT_CERT, '<', "Certificate file to use, PEM format assumed"}, @@ -507,6 +499,10 @@ OPTIONS s_client_options[] = { {"pass", OPT_PASS, 's', "Private key file pass phrase source"}, {"CApath", OPT_CAPATH, '/', "PEM format directory of CA's"}, {"CAfile", OPT_CAFILE, '<', "PEM format file of CA's"}, + {"no-CAfile", OPT_NOCAFILE, '-', + "Do not load the default certificates file"}, + {"no-CApath", OPT_NOCAPATH, '-', + "Do not load certificates from the default certificates directory"}, {"reconnect", OPT_RECONNECT, '-', "Drop and re-make the connection with the same Session-ID"}, {"pause", OPT_PAUSE, '-', "Sleep after each read and write system call"}, @@ -520,30 +516,67 @@ OPTIONS s_client_options[] = { {"quiet", OPT_QUIET, '-', "No s_client output"}, {"ign_eof", OPT_IGN_EOF, '-', "Ignore input eof (default when -quiet)"}, {"no_ign_eof", OPT_NO_IGN_EOF, '-', "Don't ignore input eof"}, -#ifndef OPENSSL_NO_SSL3 - {"ssl3", OPT_SSL3, '-', "Just use SSLv3"}, -#endif {"tls1_2", OPT_TLS1_2, '-', "Just use TLSv1.2"}, {"tls1_1", OPT_TLS1_1, '-', "Just use TLSv1.1"}, {"tls1", OPT_TLS1, '-', "Just use TLSv1"}, - {"dtls", OPT_DTLS, '-'}, - {"dtls1", OPT_DTLS1, '-', "Just use DTLSv1"}, - {"dtls1_2", OPT_DTLS1_2, '-'}, - {"timeout", OPT_TIMEOUT, '-'}, - {"mtu", OPT_MTU, 'p', "Set the link layer MTU"}, {"starttls", OPT_STARTTLS, 's', - "Use the STARTTLS command before starting TLS"}, + "Use the appropriate STARTTLS command before starting TLS"}, + {"xmpphost", OPT_XMPPHOST, 's', + "Host to use with \"-starttls xmpp[-server]\""}, {"rand", OPT_RAND, 's', "Load the file(s) into the random number generator"}, {"sess_out", OPT_SESS_OUT, '>', "File to write SSL session to"}, {"sess_in", OPT_SESS_IN, '<', "File to read SSL session from"}, - {"use_srtp", OPT_USE_SRTP, '<', + {"use_srtp", OPT_USE_SRTP, 's', "Offer SRTP key management with a colon-separated profile list"}, {"keymatexport", OPT_KEYMATEXPORT, 's', "Export keying material using label"}, {"keymatexportlen", OPT_KEYMATEXPORTLEN, 'p', "Export len bytes of keying material (default 20)"}, {"fallback_scsv", OPT_FALLBACKSCSV, '-', "Send the fallback SCSV"}, + {"name", OPT_SMTPHOST, 's', "Hostname to use for \"-starttls smtp\""}, + {"CRL", OPT_CRL, '<'}, + {"crl_download", OPT_CRL_DOWNLOAD, '-'}, + {"CRLform", OPT_CRLFORM, 'F'}, + {"verify_return_error", OPT_VERIFY_RET_ERROR, '-'}, + {"verify_quiet", OPT_VERIFY_QUIET, '-'}, + {"brief", OPT_BRIEF, '-'}, + {"prexit", OPT_PREXIT, '-'}, + {"security_debug", OPT_SECURITY_DEBUG, '-'}, + {"security_debug_verbose", OPT_SECURITY_DEBUG_VERBOSE, '-'}, + {"cert_chain", OPT_CERT_CHAIN, '<'}, + {"chainCApath", OPT_CHAINCAPATH, '/'}, + {"verifyCApath", OPT_VERIFYCAPATH, '/'}, + {"build_chain", OPT_BUILD_CHAIN, '-'}, + {"chainCAfile", OPT_CHAINCAFILE, '<'}, + {"verifyCAfile", OPT_VERIFYCAFILE, '<'}, + {"nocommands", OPT_NOCMDS, '-', "Do not use interactive command letters"}, + {"servername", OPT_SERVERNAME, 's', + "Set TLS extension servername in ClientHello"}, + {"tlsextdebug", OPT_TLSEXTDEBUG, '-', + "Hex dump of all TLS extensions received"}, + {"status", OPT_STATUS, '-', "Request certificate status from server"}, + {"serverinfo", OPT_SERVERINFO, 's', + "types Send empty ClientHello extensions (comma-separated numbers)"}, + {"alpn", OPT_ALPN, 's', + "Enable ALPN extension, considering named protocols supported (comma-separated list)"}, + {"async", OPT_ASYNC, '-', "Support asynchronous operation"}, + OPT_S_OPTIONS, + OPT_V_OPTIONS, + OPT_X_OPTIONS, +#ifndef OPENSSL_NO_SSL3 + {"ssl3", OPT_SSL3, '-', "Just use SSLv3"}, +#endif +#ifndef OPENSSL_NO_DTLS + {"dtls", OPT_DTLS, '-'}, + {"dtls1", OPT_DTLS1, '-', "Just use DTLSv1"}, + {"dtls1_2", OPT_DTLS1_2, '-'}, + {"timeout", OPT_TIMEOUT, '-'}, + {"mtu", OPT_MTU, 'p', "Set the link layer MTU"}, +#endif +#ifndef OPENSSL_NO_SSL_TRACE + {"trace", OPT_TRACE, '-'}, +#endif #ifdef WATT32 {"wdebug", OPT_WDEBUG, '-', "WATT-32 tcp debugging"}, #endif @@ -557,9 +590,6 @@ OPTIONS s_client_options[] = { {"jpake", OPT_JPAKE, 's', "JPAKE secret to use"}, # endif #endif -#ifndef OPENSSL_NO_KRB5 - {"krb5svc", OPT_KRB5SVC, 's', "Kerberos service name"}, -#endif #ifndef OPENSSL_NO_SRP {"srpuser", OPT_SRPUSER, 's', "SRP authentification for 'user'"}, {"srppass", OPT_SRPPASS, 's', "Password for 'user'"}, @@ -567,46 +597,16 @@ OPTIONS s_client_options[] = { "SRP username into second ClientHello message"}, {"srp_moregroups", OPT_SRP_MOREGROUPS, '-', "Tolerate other than the known g N values."}, - {"srp_strength", OPT_SRP_STRENGTH, 'p', "Minimal mength in bits for N"}, + {"srp_strength", OPT_SRP_STRENGTH, 'p', "Minimal length in bits for N"}, #endif -#ifndef OPENSSL_NO_TLSEXT - {"servername", OPT_SERVERNAME, 's', - "Set TLS extension servername in ClientHello"}, - {"tlsextdebug", OPT_TLSEXTDEBUG, '-', - "Hex dump of all TLS extensions received"}, - {"status", OPT_STATUS, '-', "Request certificate status from server"}, - {"serverinfo", OPT_SERVERINFO, 's', - "types Send empty ClientHello extensions (comma-separated numbers)"}, - {"alpn", OPT_ALPN, 's', - "Enable ALPN extension, considering named protocols supported (comma-separated list)"}, -# ifndef OPENSSL_NO_NEXTPROTONEG +#ifndef OPENSSL_NO_NEXTPROTONEG {"nextprotoneg", OPT_NEXTPROTONEG, 's', "Enable NPN extension, considering named protocols supported (comma-separated list)"}, -# endif #endif - {"CRL", OPT_CRL, '<'}, - {"crl_download", OPT_CRL_DOWNLOAD, '-'}, - {"CRLform", OPT_CRLFORM, 'F'}, - {"verify_return_error", OPT_VERIFY_RET_ERROR, '-'}, - {"verify_quiet", OPT_VERIFY_QUIET, '-'}, - {"brief", OPT_BRIEF, '-'}, - {"prexit", OPT_PREXIT, '-'}, - {"trace", OPT_TRACE, '-'}, - {"security_debug", OPT_SECURITY_DEBUG, '-'}, - {"security_debug_verbose", OPT_SECURITY_DEBUG_VERBOSE, '-'}, - {"cert_chain", OPT_CERT_CHAIN, '<'}, - {"chainCApath", OPT_CHAINCAPATH, '/'}, - {"verifyCApath", OPT_VERIFYCAPATH, '/'}, - {"build_chain", OPT_BUILD_CHAIN, '-'}, - {"chainCAfile", OPT_CHAINCAFILE, '<'}, - {"verifyCAfile", OPT_VERIFYCAFILE, '<'}, #ifndef OPENSSL_NO_ENGINE {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, {"ssl_client_engine", OPT_SSL_CLIENT_ENGINE, 's'}, #endif - OPT_S_OPTIONS, - OPT_V_OPTIONS, - OPT_X_OPTIONS, {NULL} }; @@ -616,7 +616,11 @@ typedef enum PROTOCOL_choice { PROTO_POP3, PROTO_IMAP, PROTO_FTP, - PROTO_XMPP + PROTO_TELNET, + PROTO_XMPP, + PROTO_XMPP_SERVER, + PROTO_CONNECT, + PROTO_IRC } PROTOCOL_CHOICE; static OPT_PAIR services[] = { @@ -625,6 +629,9 @@ static OPT_PAIR services[] = { {"imap", PROTO_IMAP}, {"ftp", PROTO_FTP}, {"xmpp", PROTO_XMPP}, + {"xmpp-server", PROTO_XMPP_SERVER}, + {"telnet", PROTO_TELNET}, + {"irc", PROTO_IRC}, {NULL} }; @@ -641,36 +648,34 @@ int s_client_main(int argc, char **argv) SSL_CONF_CTX *cctx = NULL; STACK_OF(OPENSSL_STRING) *ssl_args = NULL; STACK_OF(X509_CRL) *crls = NULL; - const SSL_METHOD *meth = SSLv23_client_method(); - char *CApath = NULL, *CAfile = NULL, *cbuf = NULL, *sbuf = NULL, *mbuf = - NULL; + const SSL_METHOD *meth = TLS_client_method(); + char *CApath = NULL, *CAfile = NULL, *cbuf = NULL, *sbuf = NULL; + char *mbuf = NULL, *proxystr = NULL, *connectstr = NULL; char *cert_file = NULL, *key_file = NULL, *chain_file = NULL, *prog; - char *chCApath = NULL, *chCAfile = NULL, *host = SSL_HOST_NAME, *inrand = - NULL; + char *chCApath = NULL, *chCAfile = NULL, *host = SSL_HOST_NAME; + char *inrand = NULL; char *passarg = NULL, *pass = NULL, *vfyCApath = NULL, *vfyCAfile = NULL; char *sess_in = NULL, *sess_out = NULL, *crl_file = NULL, *p; - char *jpake_secret = NULL; + char *jpake_secret = NULL, *xmpphost = NULL; const char *unix_path = NULL; + const char *ehlo = "mail.example.com"; struct sockaddr peer; struct timeval timeout, *timeoutp; fd_set readfds, writefds; + int noCApath = 0, noCAfile = 0; int build_chain = 0, cbuf_len, cbuf_off, cert_format = FORMAT_PEM; int key_format = FORMAT_PEM, crlf = 0, full_log = 1, mbuf_len = 0; int prexit = 0; int enable_timeouts = 0, sdebug = 0, peerlen = sizeof peer; int reconnect = 0, verify = SSL_VERIFY_NONE, vpmtouched = 0; - int ret = 1, in_init = 1, i, nbio_test = 0, s, k, width, state = 0; - int sbuf_len, sbuf_off, socket_type = SOCK_STREAM; + int ret = 1, in_init = 1, i, nbio_test = 0, s = -1, k, width, state = 0; + int sbuf_len, sbuf_off, socket_type = SOCK_STREAM, cmdletters = 1; int starttls_proto = PROTO_OFF, crl_format = FORMAT_PEM, crl_download = 0; int write_tty, read_tty, write_ssl, read_ssl, tty_on, ssl_pending; int fallback_scsv = 0; long socket_mtu = 0, randamt = 0; unsigned short port = PORT; OPTION_CHOICE o; -#ifndef OPENSSL_NO_KRB5 - KSSL_CTX *kctx; - const char *krb5svc = NULL; -#endif #ifndef OPENSSL_NO_ENGINE ENGINE *ssl_client_engine = NULL; #endif @@ -678,16 +683,14 @@ int s_client_main(int argc, char **argv) #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) struct timeval tv; #endif -#ifndef OPENSSL_NO_TLSEXT char *servername = NULL; const char *alpn_in = NULL; tlsextctx tlsextcbp = { NULL, 0 }; -# define MAX_SI_TYPES 100 +#define MAX_SI_TYPES 100 unsigned short serverinfo_types[MAX_SI_TYPES]; int serverinfo_count = 0, start = 0, len; -# ifndef OPENSSL_NO_NEXTPROTONEG +#ifndef OPENSSL_NO_NEXTPROTONEG const char *next_proto_neg_in = NULL; -# endif #endif #ifndef OPENSSL_NO_SRP char *srppass = NULL; @@ -706,13 +709,12 @@ int s_client_main(int argc, char **argv) verify_depth = 0; verify_error = X509_V_OK; vpm = X509_VERIFY_PARAM_new(); - cbuf = OPENSSL_malloc(BUFSIZZ); - sbuf = OPENSSL_malloc(BUFSIZZ); - mbuf = OPENSSL_malloc(BUFSIZZ); + cbuf = app_malloc(BUFSIZZ, "cbuf"); + sbuf = app_malloc(BUFSIZZ, "sbuf"); + mbuf = app_malloc(BUFSIZZ, "mbuf"); cctx = SSL_CONF_CTX_new(); - if (vpm == NULL || cctx == NULL - || cbuf == NULL || sbuf == NULL || mbuf == NULL) { + if (vpm == NULL || cctx == NULL) { BIO_printf(bio_err, "%s: out of memory\n", prog); goto end; } @@ -722,15 +724,6 @@ int s_client_main(int argc, char **argv) prog = opt_init(argc, argv, s_client_options); while ((o = opt_next()) != OPT_EOF) { switch (o) { -#ifndef WATT32 - case OPT_WDEBUG: -#endif -#ifdef OPENSSL_NO_JPAKE - case OPT_JPAKE: -#endif -#ifdef OPENSSL_NO_SSL_TRACE - case OPT_TRACE: -#endif case OPT_EOF: case OPT_ERR: opthelp: @@ -747,12 +740,21 @@ int s_client_main(int argc, char **argv) port = atoi(opt_arg()); break; case OPT_CONNECT: - if (!extract_host_port(opt_arg(), &host, NULL, &port)) - goto end; + connectstr = opt_arg(); + break; + case OPT_PROXY: + proxystr = opt_arg(); + starttls_proto = PROTO_CONNECT; break; case OPT_UNIX: unix_path = opt_arg(); break; + case OPT_XMPPHOST: + xmpphost = opt_arg(); + break; + case OPT_SMTPHOST: + ehlo = opt_arg(); + break; case OPT_VERIFY: verify = SSL_VERIFY_PEER; verify_depth = atoi(opt_arg()); @@ -822,10 +824,8 @@ int s_client_main(int argc, char **argv) case OPT_NBIO: c_nbio = 1; break; - case OPT_KRB5SVC: -#ifndef OPENSSL_NO_KRB5 - krb5svc = opt_arg(); -#endif + case OPT_NOCMDS: + cmdletters = 0; break; case OPT_ENGINE: e = setup_engine(opt_arg(), 1); @@ -855,30 +855,28 @@ int s_client_main(int argc, char **argv) case OPT_DEBUG: c_debug = 1; break; -#ifndef OPENSSL_NO_TLSEXT case OPT_TLSEXTDEBUG: c_tlsextdebug = 1; break; case OPT_STATUS: c_status_req = 1; break; -#endif -#ifdef WATT32 case OPT_WDEBUG: +#ifdef WATT32 dbug_init(); - break; #endif + break; case OPT_MSG: c_msg = 1; break; case OPT_MSGFILE: bio_c_msg = BIO_new_file(opt_arg(), "w"); break; -#ifndef OPENSSL_NO_SSL_TRACE case OPT_TRACE: +#ifndef OPENSSL_NO_SSL_TRACE c_msg = 2; - break; #endif + break; case OPT_SECURITY_DEBUG: sdebug = 1; break; @@ -906,6 +904,10 @@ int s_client_main(int argc, char **argv) goto end; } break; +#else + case OPT_PSK_IDENTITY: + case OPT_PSK: + break; #endif #ifndef OPENSSL_NO_SRP case OPT_SRPUSER: @@ -930,12 +932,19 @@ int s_client_main(int argc, char **argv) srp_arg.amp = 1; meth = TLSv1_client_method(); break; +#else + case OPT_SRPUSER: + case OPT_SRPPASS: + case OPT_SRP_STRENGTH: + case OPT_SRP_LATEUSER: + case OPT_SRP_MOREGROUPS: + break; #endif -#ifndef OPENSSL_NO_SSL3 case OPT_SSL3: +#ifndef OPENSSL_NO_SSL3 meth = SSLv3_client_method(); - break; #endif + break; case OPT_TLS1_2: meth = TLSv1_2_client_method(); break; @@ -945,7 +954,7 @@ int s_client_main(int argc, char **argv) case OPT_TLS1: meth = TLSv1_client_method(); break; -#ifndef OPENSSL_NO_DTLS1 +#ifndef OPENSSL_NO_DTLS case OPT_DTLS: meth = DTLS_client_method(); socket_type = SOCK_DGRAM; @@ -964,6 +973,13 @@ int s_client_main(int argc, char **argv) case OPT_MTU: socket_mtu = atol(opt_arg()); break; +#else + case OPT_DTLS: + case OPT_DTLS1: + case OPT_DTLS1_2: + case OPT_TIMEOUT: + case OPT_MTU: + break; #endif case OPT_FALLBACKSCSV: fallback_scsv = 1; @@ -987,6 +1003,9 @@ int s_client_main(int argc, char **argv) case OPT_CAPATH: CApath = opt_arg(); break; + case OPT_NOCAPATH: + noCApath = 1; + break; case OPT_CHAINCAPATH: chCApath = opt_arg(); break; @@ -999,13 +1018,15 @@ int s_client_main(int argc, char **argv) case OPT_CAFILE: CAfile = opt_arg(); break; + case OPT_NOCAFILE: + noCAfile = 1; + break; case OPT_CHAINCAFILE: chCAfile = opt_arg(); break; case OPT_VERIFYCAFILE: vfyCAfile = opt_arg(); break; -#ifndef OPENSSL_NO_TLSEXT case OPT_NEXTPROTONEG: next_proto_neg_in = opt_arg(); break; @@ -1024,21 +1045,17 @@ int s_client_main(int argc, char **argv) } } break; -#endif case OPT_STARTTLS: if (!opt_pair(opt_arg(), services, &starttls_proto)) goto end; -#ifndef OPENSSL_NO_TLSEXT case OPT_SERVERNAME: servername = opt_arg(); - /* meth=TLSv1_client_method(); */ break; -#endif -#ifndef OPENSSL_NO_JPAKE case OPT_JPAKE: +#ifndef OPENSSL_NO_JPAKE jpake_secret = opt_arg(); - break; #endif + break; case OPT_USE_SRTP: srtp_profiles = opt_arg(); break; @@ -1048,11 +1065,26 @@ int s_client_main(int argc, char **argv) case OPT_KEYMATEXPORTLEN: keymatexportlen = atoi(opt_arg()); break; + case OPT_ASYNC: + async = 1; + break; } } argc = opt_num_rest(); argv = opt_rest(); + if (proxystr) { + if (connectstr == NULL) { + BIO_printf(bio_err, "%s: -proxy requires use of -connect\n", prog); + goto opthelp; + } + if (!extract_host_port(proxystr, &host, NULL, &port)) + goto end; + } + else if (connectstr != NULL + && !extract_host_port(connectstr, &host, NULL, &port)) + goto end; + if (unix_path && (socket_type != SOCK_STREAM)) { BIO_printf(bio_err, "Can't use unix sockets and datagrams together\n"); @@ -1068,7 +1100,7 @@ int s_client_main(int argc, char **argv) } #endif -#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) +#if !defined(OPENSSL_NO_NEXTPROTONEG) next_proto.status = -1; if (next_proto_neg_in) { next_proto.data = @@ -1148,9 +1180,9 @@ int s_client_main(int argc, char **argv) if (c_quiet && !c_debug) { bio_c_out = BIO_new(BIO_s_null()); if (c_msg && !bio_c_msg) - bio_c_msg = dup_bio_out(); + bio_c_msg = dup_bio_out(FORMAT_TEXT); } else if (bio_c_out == NULL) - bio_c_out = dup_bio_out(); + bio_c_out = dup_bio_out(FORMAT_TEXT); } #ifndef OPENSSL_NO_SRP if (!app_passwd(srppass, NULL, &srp_arg.srppassin, NULL)) { @@ -1166,7 +1198,7 @@ int s_client_main(int argc, char **argv) } if (sdebug) - ssl_ctx_security_debug(ctx, bio_err, sdebug); + ssl_ctx_security_debug(ctx, sdebug); if (vpmtouched && !SSL_CTX_set1_param(ctx, vpm)) { BIO_printf(bio_err, "Error setting verify params\n"); @@ -1174,6 +1206,11 @@ int s_client_main(int argc, char **argv) goto end; } + if (async) { + SSL_CTX_set_mode(ctx, SSL_MODE_ASYNC); + ASYNC_init(1, 0, 0); + } + if (!config_ctx(cctx, ssl_args, ctx, 1, jpake_secret == NULL)) goto end; @@ -1217,11 +1254,10 @@ int s_client_main(int argc, char **argv) if (exc) ssl_ctx_set_excert(ctx, exc); -#if !defined(OPENSSL_NO_TLSEXT) -# if !defined(OPENSSL_NO_NEXTPROTONEG) +#if !defined(OPENSSL_NO_NEXTPROTONEG) if (next_proto.data) SSL_CTX_set_next_proto_select_cb(ctx, next_proto_cb, &next_proto); -# endif +#endif if (alpn_in) { unsigned short alpn_len; unsigned char *alpn = next_protos_parse(&alpn_len, alpn_in); @@ -1237,8 +1273,7 @@ int s_client_main(int argc, char **argv) } OPENSSL_free(alpn); } -#endif -#ifndef OPENSSL_NO_TLSEXT + for (i = 0; i < serverinfo_count; i++) { if (!SSL_CTX_add_client_custom_ext(ctx, serverinfo_types[i], @@ -1249,14 +1284,13 @@ int s_client_main(int argc, char **argv) serverinfo_types[i]); } } -#endif if (state) SSL_CTX_set_info_callback(ctx, apps_ssl_info_callback); SSL_CTX_set_verify(ctx, verify, verify_callback); - if (!ctx_set_verify_locations(ctx, CAfile, CApath)) { + if (!ctx_set_verify_locations(ctx, CAfile, CApath, noCAfile, noCApath)) { ERR_print_errors(bio_err); goto end; } @@ -1266,7 +1300,6 @@ int s_client_main(int argc, char **argv) if (!set_cert_key_stuff(ctx, cert, key, chain, build_chain)) goto end; -#ifndef OPENSSL_NO_TLSEXT if (servername != NULL) { tlsextcbp.biodebug = bio_err; SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb); @@ -1288,7 +1321,6 @@ int s_client_main(int argc, char **argv) ssl_srp_verify_param_cb); } # endif -#endif con = SSL_new(ctx); if (sess_in) { @@ -1317,7 +1349,6 @@ int s_client_main(int argc, char **argv) if (fallback_scsv) SSL_set_mode(con, SSL_MODE_SEND_FALLBACK_SCSV); -#ifndef OPENSSL_NO_TLSEXT if (servername != NULL) { if (!SSL_set_tlsext_host_name(con, servername)) { BIO_printf(bio_err, "Unable to set TLS servername extension.\n"); @@ -1325,15 +1356,6 @@ int s_client_main(int argc, char **argv) goto end; } } -#endif -#ifndef OPENSSL_NO_KRB5 - if (con && (kctx = kssl_ctx_new()) != NULL) { - SSL_set0_kssl_ctx(con, kctx); - kssl_ctx_setstring(kctx, KSSL_SERVER, host); - if (krb5svc) - kssl_ctx_setstring(kctx, KSSL_SERVICE, krb5svc); - } -#endif /* OPENSSL_NO_KRB5 */ re_start: #ifdef NO_SYS_UN_H @@ -1372,7 +1394,7 @@ int s_client_main(int argc, char **argv) goto end; } - (void)BIO_ctrl_set_connected(sbio, 1, &peer); + (void)BIO_ctrl_set_connected(sbio, &peer); if (enable_timeouts) { timeout.tv_sec = 0; @@ -1424,7 +1446,7 @@ int s_client_main(int argc, char **argv) SSL_set_msg_callback(con, msg_cb); SSL_set_msg_callback_arg(con, bio_c_msg ? bio_c_msg : bio_c_out); } -#ifndef OPENSSL_NO_TLSEXT + if (c_tlsextdebug) { SSL_set_tlsext_debug_callback(con, tlsext_cb); SSL_set_tlsext_debug_arg(con, bio_c_out); @@ -1434,7 +1456,6 @@ int s_client_main(int argc, char **argv) SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb); SSL_CTX_set_tlsext_status_arg(ctx, bio_c_out); } -#endif #ifndef OPENSSL_NO_JPAKE if (jpake_secret) jpake_client_auth(bio_c_out, sbio, jpake_secret); @@ -1478,7 +1499,7 @@ int s_client_main(int argc, char **argv) mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ); } while (mbuf_len > 3 && mbuf[3] == '-'); - BIO_printf(fbio, "EHLO openssl.client.net\r\n"); + BIO_printf(fbio, "EHLO %s\r\n", ehlo); (void)BIO_flush(fbio); /* wait for multi-line response to end EHLO SMTP response */ do { @@ -1492,8 +1513,8 @@ int s_client_main(int argc, char **argv) BIO_free(fbio); if (!foundit) BIO_printf(bio_err, - "didn't found starttls in server response," - " try anyway...\n"); + "didn't find starttls in server response," + " trying anyway...\n"); BIO_printf(sbio, "STARTTLS\r\n"); BIO_read(sbio, sbuf, BUFSIZZ); } @@ -1530,8 +1551,8 @@ int s_client_main(int argc, char **argv) BIO_free(fbio); if (!foundit) BIO_printf(bio_err, - "didn't found STARTTLS in server response," - " try anyway...\n"); + "didn't find STARTTLS in server response," + " trying anyway...\n"); BIO_printf(sbio, ". STARTTLS\r\n"); BIO_read(sbio, sbuf, BUFSIZZ); } @@ -1553,12 +1574,14 @@ int s_client_main(int argc, char **argv) } break; case PROTO_XMPP: + case PROTO_XMPP_SERVER: { int seen = 0; BIO_printf(sbio, "", - host); + "xmlns='jabber:%s' to='%s' version='1.0'>", + starttls_proto == PROTO_XMPP ? "client" : "server", + xmpphost ? xmpphost : host); seen = BIO_read(sbio, mbuf, BUFSIZZ); mbuf[seen] = 0; while (!strstr @@ -1582,6 +1605,121 @@ int s_client_main(int argc, char **argv) mbuf[0] = 0; } break; + case PROTO_TELNET: + { + static const unsigned char tls_do[] = { + /* IAC DO START_TLS */ + 255, 253, 46 + }; + static const unsigned char tls_will[] = { + /* IAC WILL START_TLS */ + 255, 251, 46 + }; + static const unsigned char tls_follows[] = { + /* IAC SB START_TLS FOLLOWS IAC SE */ + 255, 250, 46, 1, 255, 240 + }; + int bytes; + + /* Telnet server should demand we issue START_TLS */ + bytes = BIO_read(sbio, mbuf, BUFSIZZ); + if (bytes != 3 || memcmp(mbuf, tls_do, 3) != 0) + goto shut; + /* Agree to issue START_TLS and send the FOLLOWS sub-command */ + BIO_write(sbio, tls_will, 3); + BIO_write(sbio, tls_follows, 6); + (void)BIO_flush(sbio); + /* Telnet server also sent the FOLLOWS sub-command */ + bytes = BIO_read(sbio, mbuf, BUFSIZZ); + if (bytes != 6 || memcmp(mbuf, tls_follows, 6) != 0) + goto shut; + } + break; + case PROTO_CONNECT: + { + int foundit = 0; + BIO *fbio = BIO_new(BIO_f_buffer()); + + BIO_push(fbio, sbio); + BIO_printf(fbio, "CONNECT %s\r\n\r\n", connectstr); + (void)BIO_flush(fbio); + /* wait for multi-line response to end CONNECT response */ + do { + mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ); + if (strstr(mbuf, "200") != NULL + && strstr(mbuf, "established") != NULL) + foundit++; + } while (mbuf_len > 3 && foundit == 0); + (void)BIO_flush(fbio); + BIO_pop(fbio); + BIO_free(fbio); + if (!foundit) { + BIO_printf(bio_err, "%s: HTTP CONNECT failed\n", prog); + goto shut; + } + } + break; + case PROTO_IRC: + { + int numeric; + BIO *fbio = BIO_new(BIO_f_buffer()); + + BIO_push(fbio, sbio); + BIO_printf(fbio, "STARTTLS\r\n"); + (void)BIO_flush(fbio); + width = SSL_get_fd(con) + 1; + + do { + numeric = 0; + + FD_ZERO(&readfds); + openssl_fdset(SSL_get_fd(con), &readfds); + timeout.tv_sec = S_CLIENT_IRC_READ_TIMEOUT; + timeout.tv_usec = 0; + /* + * If the IRCd doesn't respond within + * S_CLIENT_IRC_READ_TIMEOUT seconds, assume + * it doesn't support STARTTLS. Many IRCds + * will not give _any_ sort of response to a + * STARTTLS command when it's not supported. + */ + if (!BIO_get_buffer_num_lines(fbio) + && !BIO_pending(fbio) + && !BIO_pending(sbio) + && select(width, (void *)&readfds, NULL, NULL, + &timeout) < 1) { + BIO_printf(bio_err, + "Timeout waiting for response (%d seconds).\n", + S_CLIENT_IRC_READ_TIMEOUT); + break; + } + + mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ); + if (mbuf_len < 1 || sscanf(mbuf, "%*s %d", &numeric) != 1) + break; + /* :example.net 451 STARTTLS :You have not registered */ + /* :example.net 421 STARTTLS :Unknown command */ + if ((numeric == 451 || numeric == 421) + && strstr(mbuf, "STARTTLS") != NULL) { + BIO_printf(bio_err, "STARTTLS not supported: %s", mbuf); + break; + } + if (numeric == 691) { + BIO_printf(bio_err, "STARTTLS negotiation failed: "); + ERR_print_errors(bio_err); + break; + } + } while (numeric != 670); + + (void)BIO_flush(fbio); + BIO_pop(fbio); + BIO_free(fbio); + if (numeric != 670) { + BIO_printf(bio_err, "Server does not support STARTTLS.\n"); + ret = 1; + goto shut; + } + } } for (;;) { @@ -1601,13 +1739,13 @@ int s_client_main(int argc, char **argv) tty_on = 1; if (in_init) { in_init = 0; -#ifndef OPENSSL_NO_TLSEXT + if (servername != NULL && !SSL_session_reused(con)) { BIO_printf(bio_c_out, "Server did %sacknowledge servername extension.\n", tlsextcbp.ack ? "" : "not "); } -#endif + if (sess_out) { BIO *stmp = BIO_new_file(sess_out, "w"); if (stmp) { @@ -1619,7 +1757,7 @@ int s_client_main(int argc, char **argv) } if (c_brief) { BIO_puts(bio_err, "CONNECTION ESTABLISHED\n"); - print_ssl_summary(bio_err, con); + print_ssl_summary(con); } print_stuff(bio_c_out, con, full_log); @@ -1757,6 +1895,12 @@ int s_client_main(int argc, char **argv) write_ssl = 1; read_tty = 0; break; + case SSL_ERROR_WANT_ASYNC: + BIO_printf(bio_c_out, "write A BLOCK\n"); + wait_for_async(con); + write_ssl = 1; + read_tty = 0; + break; case SSL_ERROR_WANT_READ: BIO_printf(bio_c_out, "write R BLOCK\n"); write_tty = 0; @@ -1839,6 +1983,14 @@ int s_client_main(int argc, char **argv) read_ssl = 0; write_tty = 1; break; + case SSL_ERROR_WANT_ASYNC: + BIO_printf(bio_c_out, "read A BLOCK\n"); + wait_for_async(con); + write_tty = 0; + read_ssl = 1; + if ((read_tty == 0) && (write_ssl == 0)) + write_ssl = 1; + break; case SSL_ERROR_WANT_WRITE: BIO_printf(bio_c_out, "read W BLOCK\n"); write_ssl = 1; @@ -1906,19 +2058,19 @@ int s_client_main(int argc, char **argv) } else i = raw_read_stdin(cbuf, BUFSIZZ); - if ((!c_ign_eof) && ((i <= 0) || (cbuf[0] == 'Q'))) { + if ((!c_ign_eof) && ((i <= 0) || (cbuf[0] == 'Q' && cmdletters))) { BIO_printf(bio_err, "DONE\n"); ret = 0; goto shut; } - if ((!c_ign_eof) && (cbuf[0] == 'R')) { + if ((!c_ign_eof) && (cbuf[0] == 'R' && cmdletters)) { BIO_printf(bio_err, "RENEGOTIATING\n"); SSL_renegotiate(con); cbuf_len = 0; } #ifndef OPENSSL_NO_HEARTBEATS - else if ((!c_ign_eof) && (cbuf[0] == 'B')) { + else if ((!c_ign_eof) && (cbuf[0] == 'B' && cmdletters)) { BIO_printf(bio_err, "HEARTBEATING\n"); SSL_heartbeat(con); cbuf_len = 0; @@ -1949,41 +2101,28 @@ int s_client_main(int argc, char **argv) print_stuff(bio_c_out, con, 1); SSL_free(con); } -#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) - if (next_proto.data) - OPENSSL_free(next_proto.data); + if (async) { + ASYNC_cleanup(1); + } +#if !defined(OPENSSL_NO_NEXTPROTONEG) + OPENSSL_free(next_proto.data); #endif SSL_CTX_free(ctx); - if (cert) - X509_free(cert); - if (crls) - sk_X509_CRL_pop_free(crls, X509_CRL_free); + X509_free(cert); + sk_X509_CRL_pop_free(crls, X509_CRL_free); EVP_PKEY_free(key); - if (chain) - sk_X509_pop_free(chain, X509_free); - if (pass) - OPENSSL_free(pass); - if (vpm) - X509_VERIFY_PARAM_free(vpm); + sk_X509_pop_free(chain, X509_free); + OPENSSL_free(pass); +#ifndef OPENSSL_NO_SRP + OPENSSL_free(srp_arg.srppassin); +#endif + X509_VERIFY_PARAM_free(vpm); ssl_excert_free(exc); sk_OPENSSL_STRING_free(ssl_args); SSL_CONF_CTX_free(cctx); -#ifndef OPENSSL_NO_JPAKE - if (jpake_secret && psk_key) - OPENSSL_free(psk_key); -#endif - if (cbuf != NULL) { - OPENSSL_cleanse(cbuf, BUFSIZZ); - OPENSSL_free(cbuf); - } - if (sbuf != NULL) { - OPENSSL_cleanse(sbuf, BUFSIZZ); - OPENSSL_free(sbuf); - } - if (mbuf != NULL) { - OPENSSL_cleanse(mbuf, BUFSIZZ); - OPENSSL_free(mbuf); - } + OPENSSL_clear_free(cbuf, BUFSIZZ); + OPENSSL_clear_free(sbuf, BUFSIZZ); + OPENSSL_clear_free(mbuf, BUFSIZZ); BIO_free(bio_c_out); bio_c_out = NULL; BIO_free(bio_c_msg); @@ -2057,7 +2196,7 @@ static void print_stuff(BIO *bio, SSL *s, int full) ssl_print_tmp_key(bio, s); BIO_printf(bio, - "---\nSSL handshake has read %ld bytes and written %ld bytes\n", + "---\nSSL handshake has read %"PRIu64" bytes and written %"PRIu64" bytes\n", BIO_number_read(SSL_get_rbio(s)), BIO_number_written(SSL_get_wbio(s))); } @@ -2067,10 +2206,9 @@ static void print_stuff(BIO *bio, SSL *s, int full) SSL_CIPHER_get_version(c), SSL_CIPHER_get_name(c)); if (peer != NULL) { EVP_PKEY *pktmp; - pktmp = X509_get_pubkey(peer); + pktmp = X509_get0_pubkey(peer); BIO_printf(bio, "Server public key is %d bit\n", EVP_PKEY_bits(pktmp)); - EVP_PKEY_free(pktmp); } BIO_printf(bio, "Secure Renegotiation IS%s supported\n", SSL_get_secure_renegotiation_support(s) ? "" : " NOT"); @@ -2095,8 +2233,7 @@ static void print_stuff(BIO *bio, SSL *s, int full) } #endif -#if !defined(OPENSSL_NO_TLSEXT) -# if !defined(OPENSSL_NO_NEXTPROTONEG) +#if !defined(OPENSSL_NO_NEXTPROTONEG) if (next_proto.status != -1) { const unsigned char *proto; unsigned int proto_len; @@ -2105,7 +2242,7 @@ static void print_stuff(BIO *bio, SSL *s, int full) BIO_write(bio, proto, proto_len); BIO_write(bio, "\n", 1); } -# endif +#endif { const unsigned char *proto; unsigned int proto_len; @@ -2117,7 +2254,6 @@ static void print_stuff(BIO *bio, SSL *s, int full) } else BIO_printf(bio, "No ALPN negotiated\n"); } -#endif #ifndef OPENSSL_NO_SRTP { @@ -2135,32 +2271,27 @@ static void print_stuff(BIO *bio, SSL *s, int full) BIO_printf(bio, "Keying material exporter:\n"); BIO_printf(bio, " Label: '%s'\n", keymatexportlabel); BIO_printf(bio, " Length: %i bytes\n", keymatexportlen); - exportedkeymat = OPENSSL_malloc(keymatexportlen); - if (exportedkeymat != NULL) { - if (!SSL_export_keying_material(s, exportedkeymat, - keymatexportlen, - keymatexportlabel, - strlen(keymatexportlabel), - NULL, 0, 0)) { - BIO_printf(bio, " Error\n"); - } else { - BIO_printf(bio, " Keying material: "); - for (i = 0; i < keymatexportlen; i++) - BIO_printf(bio, "%02X", exportedkeymat[i]); - BIO_printf(bio, "\n"); - } - OPENSSL_free(exportedkeymat); + exportedkeymat = app_malloc(keymatexportlen, "export key"); + if (!SSL_export_keying_material(s, exportedkeymat, + keymatexportlen, + keymatexportlabel, + strlen(keymatexportlabel), + NULL, 0, 0)) { + BIO_printf(bio, " Error\n"); + } else { + BIO_printf(bio, " Keying material: "); + for (i = 0; i < keymatexportlen; i++) + BIO_printf(bio, "%02X", exportedkeymat[i]); + BIO_printf(bio, "\n"); } + OPENSSL_free(exportedkeymat); } BIO_printf(bio, "---\n"); - if (peer != NULL) - X509_free(peer); + X509_free(peer); /* flush, or debugging output gets mixed with http response */ (void)BIO_flush(bio); } -#ifndef OPENSSL_NO_TLSEXT - static int ocsp_resp_cb(SSL *s, void *arg) { const unsigned char *p; @@ -2184,5 +2315,3 @@ static int ocsp_resp_cb(SSL *s, void *arg) OCSP_RESPONSE_free(rsp); return 1; } - -#endif