X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=apps%2Fs_client.c;h=d76f921db6cfc6766fe823f59d6426f8ec7bb5db;hb=d40a1f72b6a298ee34c9de2c96b222d70609ce4c;hp=009e5fe8956b86b079874fc8bbcbd482d9a93a36;hpb=296f54ee211edbf8d21479091b4c20a9ee7698ad;p=oweals%2Fopenssl.git diff --git a/apps/s_client.c b/apps/s_client.c index 009e5fe895..d76f921db6 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -134,7 +134,6 @@ * OTHERWISE. */ -#include #include #include #include @@ -396,7 +395,7 @@ static char *ssl_give_srp_client_pwd_cb(SSL *s, void *arg) #endif -char *srtp_profiles = NULL; +static char *srtp_profiles = NULL; #ifndef OPENSSL_NO_NEXTPROTONEG /* This the context that we pass to next_proto_cb */ @@ -467,8 +466,8 @@ typedef enum OPTION_choice { OPT_SRP_LATEUSER, OPT_SRP_MOREGROUPS, OPT_SSL3, OPT_TLS1_2, OPT_TLS1_1, OPT_TLS1, OPT_DTLS, OPT_DTLS1, OPT_DTLS1_2, OPT_TIMEOUT, OPT_MTU, OPT_KEYFORM, OPT_PASS, - OPT_CERT_CHAIN, OPT_CAPATH, OPT_CHAINCAPATH, OPT_VERIFYCAPATH, - OPT_KEY, OPT_RECONNECT, OPT_BUILD_CHAIN, OPT_CAFILE, + OPT_CERT_CHAIN, OPT_CAPATH, OPT_NOCAPATH, OPT_CHAINCAPATH, OPT_VERIFYCAPATH, + OPT_KEY, OPT_RECONNECT, OPT_BUILD_CHAIN, OPT_CAFILE, OPT_NOCAFILE, OPT_CHAINCAFILE, OPT_VERIFYCAFILE, OPT_NEXTPROTONEG, OPT_ALPN, OPT_SERVERINFO, OPT_STARTTLS, OPT_SERVERNAME, OPT_JPAKE, OPT_USE_SRTP, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN, OPT_SMTPHOST, @@ -496,6 +495,10 @@ OPTIONS s_client_options[] = { {"pass", OPT_PASS, 's', "Private key file pass phrase source"}, {"CApath", OPT_CAPATH, '/', "PEM format directory of CA's"}, {"CAfile", OPT_CAFILE, '<', "PEM format file of CA's"}, + {"no-CAfile", OPT_NOCAFILE, '-', + "Do not load the default certificates file"}, + {"no-CApath", OPT_NOCAPATH, '-', + "Do not load certificates from the default certificates directory"}, {"reconnect", OPT_RECONNECT, '-', "Drop and re-make the connection with the same Session-ID"}, {"pause", OPT_PAUSE, '-', "Sleep after each read and write system call"}, @@ -509,31 +512,66 @@ OPTIONS s_client_options[] = { {"quiet", OPT_QUIET, '-', "No s_client output"}, {"ign_eof", OPT_IGN_EOF, '-', "Ignore input eof (default when -quiet)"}, {"no_ign_eof", OPT_NO_IGN_EOF, '-', "Don't ignore input eof"}, -#ifndef OPENSSL_NO_SSL3 - {"ssl3", OPT_SSL3, '-', "Just use SSLv3"}, -#endif {"tls1_2", OPT_TLS1_2, '-', "Just use TLSv1.2"}, {"tls1_1", OPT_TLS1_1, '-', "Just use TLSv1.1"}, {"tls1", OPT_TLS1, '-', "Just use TLSv1"}, - {"dtls", OPT_DTLS, '-'}, - {"dtls1", OPT_DTLS1, '-', "Just use DTLSv1"}, - {"dtls1_2", OPT_DTLS1_2, '-'}, - {"timeout", OPT_TIMEOUT, '-'}, - {"mtu", OPT_MTU, 'p', "Set the link layer MTU"}, {"starttls", OPT_STARTTLS, 's', "Use the STARTTLS command before starting TLS"}, - {"xmpphost", OPT_XMPPHOST, 's', "Host to use with \"-starttls xmpp\""}, + {"xmpphost", OPT_XMPPHOST, 's', + "Host to use with \"-starttls xmpp[-server]\""}, {"rand", OPT_RAND, 's', "Load the file(s) into the random number generator"}, {"sess_out", OPT_SESS_OUT, '>', "File to write SSL session to"}, {"sess_in", OPT_SESS_IN, '<', "File to read SSL session from"}, - {"use_srtp", OPT_USE_SRTP, '<', + {"use_srtp", OPT_USE_SRTP, 's', "Offer SRTP key management with a colon-separated profile list"}, {"keymatexport", OPT_KEYMATEXPORT, 's', "Export keying material using label"}, {"keymatexportlen", OPT_KEYMATEXPORTLEN, 'p', "Export len bytes of keying material (default 20)"}, {"fallback_scsv", OPT_FALLBACKSCSV, '-', "Send the fallback SCSV"}, + {"name", OPT_SMTPHOST, 's', "Hostname to use for \"-starttls smtp\""}, + {"CRL", OPT_CRL, '<'}, + {"crl_download", OPT_CRL_DOWNLOAD, '-'}, + {"CRLform", OPT_CRLFORM, 'F'}, + {"verify_return_error", OPT_VERIFY_RET_ERROR, '-'}, + {"verify_quiet", OPT_VERIFY_QUIET, '-'}, + {"brief", OPT_BRIEF, '-'}, + {"prexit", OPT_PREXIT, '-'}, + {"security_debug", OPT_SECURITY_DEBUG, '-'}, + {"security_debug_verbose", OPT_SECURITY_DEBUG_VERBOSE, '-'}, + {"cert_chain", OPT_CERT_CHAIN, '<'}, + {"chainCApath", OPT_CHAINCAPATH, '/'}, + {"verifyCApath", OPT_VERIFYCAPATH, '/'}, + {"build_chain", OPT_BUILD_CHAIN, '-'}, + {"chainCAfile", OPT_CHAINCAFILE, '<'}, + {"verifyCAfile", OPT_VERIFYCAFILE, '<'}, + {"nocommands", OPT_NOCMDS, '-', "Do not use interactive command letters"}, + {"servername", OPT_SERVERNAME, 's', + "Set TLS extension servername in ClientHello"}, + {"tlsextdebug", OPT_TLSEXTDEBUG, '-', + "Hex dump of all TLS extensions received"}, + {"status", OPT_STATUS, '-', "Request certificate status from server"}, + {"serverinfo", OPT_SERVERINFO, 's', + "types Send empty ClientHello extensions (comma-separated numbers)"}, + {"alpn", OPT_ALPN, 's', + "Enable ALPN extension, considering named protocols supported (comma-separated list)"}, + OPT_S_OPTIONS, + OPT_V_OPTIONS, + OPT_X_OPTIONS, +#ifndef OPENSSL_NO_SSL3 + {"ssl3", OPT_SSL3, '-', "Just use SSLv3"}, +#endif +#ifndef OPENSSL_NO_DTLS1 + {"dtls", OPT_DTLS, '-'}, + {"dtls1", OPT_DTLS1, '-', "Just use DTLSv1"}, + {"dtls1_2", OPT_DTLS1_2, '-'}, + {"timeout", OPT_TIMEOUT, '-'}, + {"mtu", OPT_MTU, 'p', "Set the link layer MTU"}, +#endif +#ifndef OPENSSL_NO_SSL_TRACE + {"trace", OPT_TRACE, '-'}, +#endif #ifdef WATT32 {"wdebug", OPT_WDEBUG, '-', "WATT-32 tcp debugging"}, #endif @@ -554,46 +592,16 @@ OPTIONS s_client_options[] = { "SRP username into second ClientHello message"}, {"srp_moregroups", OPT_SRP_MOREGROUPS, '-', "Tolerate other than the known g N values."}, - {"srp_strength", OPT_SRP_STRENGTH, 'p', "Minimal mength in bits for N"}, + {"srp_strength", OPT_SRP_STRENGTH, 'p', "Minimal length in bits for N"}, #endif - {"name", OPT_SMTPHOST, 's', "Hostname to use for \"-starttls smtp\""}, - {"servername", OPT_SERVERNAME, 's', - "Set TLS extension servername in ClientHello"}, - {"tlsextdebug", OPT_TLSEXTDEBUG, '-', - "Hex dump of all TLS extensions received"}, - {"status", OPT_STATUS, '-', "Request certificate status from server"}, - {"serverinfo", OPT_SERVERINFO, 's', - "types Send empty ClientHello extensions (comma-separated numbers)"}, - {"alpn", OPT_ALPN, 's', - "Enable ALPN extension, considering named protocols supported (comma-separated list)"}, #ifndef OPENSSL_NO_NEXTPROTONEG {"nextprotoneg", OPT_NEXTPROTONEG, 's', "Enable NPN extension, considering named protocols supported (comma-separated list)"}, #endif - {"CRL", OPT_CRL, '<'}, - {"crl_download", OPT_CRL_DOWNLOAD, '-'}, - {"CRLform", OPT_CRLFORM, 'F'}, - {"verify_return_error", OPT_VERIFY_RET_ERROR, '-'}, - {"verify_quiet", OPT_VERIFY_QUIET, '-'}, - {"brief", OPT_BRIEF, '-'}, - {"prexit", OPT_PREXIT, '-'}, - {"trace", OPT_TRACE, '-'}, - {"security_debug", OPT_SECURITY_DEBUG, '-'}, - {"security_debug_verbose", OPT_SECURITY_DEBUG_VERBOSE, '-'}, - {"cert_chain", OPT_CERT_CHAIN, '<'}, - {"chainCApath", OPT_CHAINCAPATH, '/'}, - {"verifyCApath", OPT_VERIFYCAPATH, '/'}, - {"build_chain", OPT_BUILD_CHAIN, '-'}, - {"chainCAfile", OPT_CHAINCAFILE, '<'}, - {"verifyCAfile", OPT_VERIFYCAFILE, '<'}, - {"nocommands", OPT_NOCMDS, '-', "Do not use interactive command letters"}, #ifndef OPENSSL_NO_ENGINE {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, {"ssl_client_engine", OPT_SSL_CLIENT_ENGINE, 's'}, #endif - OPT_S_OPTIONS, - OPT_V_OPTIONS, - OPT_X_OPTIONS, {NULL} }; @@ -605,6 +613,7 @@ typedef enum PROTOCOL_choice { PROTO_FTP, PROTO_TELNET, PROTO_XMPP, + PROTO_XMPP_SERVER, PROTO_CONNECT } PROTOCOL_CHOICE; @@ -614,6 +623,7 @@ static OPT_PAIR services[] = { {"imap", PROTO_IMAP}, {"ftp", PROTO_FTP}, {"xmpp", PROTO_XMPP}, + {"xmpp-server", PROTO_XMPP_SERVER}, {"telnet", PROTO_TELNET}, {NULL} }; @@ -645,12 +655,13 @@ int s_client_main(int argc, char **argv) struct sockaddr peer; struct timeval timeout, *timeoutp; fd_set readfds, writefds; + int noCApath = 0, noCAfile = 0; int build_chain = 0, cbuf_len, cbuf_off, cert_format = FORMAT_PEM; int key_format = FORMAT_PEM, crlf = 0, full_log = 1, mbuf_len = 0; int prexit = 0; int enable_timeouts = 0, sdebug = 0, peerlen = sizeof peer; int reconnect = 0, verify = SSL_VERIFY_NONE, vpmtouched = 0; - int ret = 1, in_init = 1, i, nbio_test = 0, s, k, width, state = 0; + int ret = 1, in_init = 1, i, nbio_test = 0, s = -1, k, width, state = 0; int sbuf_len, sbuf_off, socket_type = SOCK_STREAM, cmdletters = 1; int starttls_proto = PROTO_OFF, crl_format = FORMAT_PEM, crl_download = 0; int write_tty, read_tty, write_ssl, read_ssl, tty_on, ssl_pending; @@ -706,29 +717,6 @@ int s_client_main(int argc, char **argv) prog = opt_init(argc, argv, s_client_options); while ((o = opt_next()) != OPT_EOF) { switch (o) { -#ifndef WATT32 - case OPT_WDEBUG: -#endif -#ifdef OPENSSL_NO_JPAKE - case OPT_JPAKE: -#endif -#ifdef OPENSSL_NO_SSL_TRACE - case OPT_TRACE: -#endif -#ifdef OPENSSL_NO_PSK - case OPT_PSK_IDENTITY: - case OPT_PSK: -#endif -#ifdef OPENSSL_NO_SSL3 - case OPT_SSL3: -#endif -#ifdef OPENSSL_NO_DTLS1 - case OPT_DTLS: - case OPT_DTLS1: - case OPT_DTLS1_2: - case OPT_TIMEOUT: - case OPT_MTU: -#endif case OPT_EOF: case OPT_ERR: opthelp: @@ -866,22 +854,22 @@ int s_client_main(int argc, char **argv) case OPT_STATUS: c_status_req = 1; break; -#ifdef WATT32 case OPT_WDEBUG: +#ifdef WATT32 dbug_init(); - break; #endif + break; case OPT_MSG: c_msg = 1; break; case OPT_MSGFILE: bio_c_msg = BIO_new_file(opt_arg(), "w"); break; -#ifndef OPENSSL_NO_SSL_TRACE case OPT_TRACE: +#ifndef OPENSSL_NO_SSL_TRACE c_msg = 2; - break; #endif + break; case OPT_SECURITY_DEBUG: sdebug = 1; break; @@ -909,6 +897,10 @@ int s_client_main(int argc, char **argv) goto end; } break; +#else + case OPT_PSK_IDENTITY: + case OPT_PSK: + break; #endif #ifndef OPENSSL_NO_SRP case OPT_SRPUSER: @@ -941,11 +933,11 @@ int s_client_main(int argc, char **argv) case OPT_SRP_MOREGROUPS: break; #endif -#ifndef OPENSSL_NO_SSL3 case OPT_SSL3: +#ifndef OPENSSL_NO_SSL3 meth = SSLv3_client_method(); - break; #endif + break; case OPT_TLS1_2: meth = TLSv1_2_client_method(); break; @@ -974,6 +966,13 @@ int s_client_main(int argc, char **argv) case OPT_MTU: socket_mtu = atol(opt_arg()); break; +#else + case OPT_DTLS: + case OPT_DTLS1: + case OPT_DTLS1_2: + case OPT_TIMEOUT: + case OPT_MTU: + break; #endif case OPT_FALLBACKSCSV: fallback_scsv = 1; @@ -997,6 +996,9 @@ int s_client_main(int argc, char **argv) case OPT_CAPATH: CApath = opt_arg(); break; + case OPT_NOCAPATH: + noCApath = 1; + break; case OPT_CHAINCAPATH: chCApath = opt_arg(); break; @@ -1009,6 +1011,9 @@ int s_client_main(int argc, char **argv) case OPT_CAFILE: CAfile = opt_arg(); break; + case OPT_NOCAFILE: + noCAfile = 1; + break; case OPT_CHAINCAFILE: chCAfile = opt_arg(); break; @@ -1038,13 +1043,12 @@ int s_client_main(int argc, char **argv) goto end; case OPT_SERVERNAME: servername = opt_arg(); - /* meth=TLSv1_client_method(); */ break; -#ifndef OPENSSL_NO_JPAKE case OPT_JPAKE: +#ifndef OPENSSL_NO_JPAKE jpake_secret = opt_arg(); - break; #endif + break; case OPT_USE_SRTP: srtp_profiles = opt_arg(); break; @@ -1169,9 +1173,9 @@ int s_client_main(int argc, char **argv) if (c_quiet && !c_debug) { bio_c_out = BIO_new(BIO_s_null()); if (c_msg && !bio_c_msg) - bio_c_msg = dup_bio_out(); + bio_c_msg = dup_bio_out(FORMAT_TEXT); } else if (bio_c_out == NULL) - bio_c_out = dup_bio_out(); + bio_c_out = dup_bio_out(FORMAT_TEXT); } #ifndef OPENSSL_NO_SRP if (!app_passwd(srppass, NULL, &srp_arg.srppassin, NULL)) { @@ -1274,7 +1278,7 @@ int s_client_main(int argc, char **argv) SSL_CTX_set_verify(ctx, verify, verify_callback); - if (!ctx_set_verify_locations(ctx, CAfile, CApath)) { + if (!ctx_set_verify_locations(ctx, CAfile, CApath, noCAfile, noCApath)) { ERR_print_errors(bio_err); goto end; } @@ -1558,11 +1562,13 @@ int s_client_main(int argc, char **argv) } break; case PROTO_XMPP: + case PROTO_XMPP_SERVER: { int seen = 0; BIO_printf(sbio, "", + "xmlns='jabber:%s' to='%s' version='1.0'>", + starttls_proto == PROTO_XMPP ? "client" : "server", xmpphost ? xmpphost : host); seen = BIO_read(sbio, mbuf, BUFSIZZ); mbuf[seen] = 0; @@ -2017,6 +2023,9 @@ int s_client_main(int argc, char **argv) EVP_PKEY_free(key); sk_X509_pop_free(chain, X509_free); OPENSSL_free(pass); +#ifndef OPENSSL_NO_SRP + OPENSSL_free(srp_arg.srppassin); +#endif X509_VERIFY_PARAM_free(vpm); ssl_excert_free(exc); sk_OPENSSL_STRING_free(ssl_args); @@ -2097,7 +2106,7 @@ static void print_stuff(BIO *bio, SSL *s, int full) ssl_print_tmp_key(bio, s); BIO_printf(bio, - "---\nSSL handshake has read %ld bytes and written %ld bytes\n", + "---\nSSL handshake has read %"PRIu64" bytes and written %"PRIu64" bytes\n", BIO_number_read(SSL_get_rbio(s)), BIO_number_written(SSL_get_wbio(s))); }