=================================================================== RCS file: /cvsrepo/anoncvs/cvs/src/usr.bin/openssl/s_client.c,v retrieving revision 1.48 retrieving revision 1.49 diff -c -r1.48 -r1.49 *** src/usr.bin/openssl/s_client.c 2020/07/09 13:07:46 1.48 --- src/usr.bin/openssl/s_client.c 2020/07/09 14:09:19 1.49 *************** *** 1,4 **** ! /* $OpenBSD: s_client.c,v 1.48 2020/07/09 13:07:46 inoguchi Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * --- 1,4 ---- ! /* $OpenBSD: s_client.c,v 1.49 2020/07/09 14:09:19 inoguchi Exp $ */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * *************** *** 840,853 **** fprintf(stderr, "\n"); } - /* This is a context that we pass to callbacks */ typedef struct tlsextctx_st { BIO *biodebug; int ack; } tlsextctx; - static int ssl_servername_cb(SSL * s, int *ad, void *arg) { --- 840,851 ---- *************** *** 918,929 **** goto bad; } if (s_client_config.proxy != NULL) { ! if (!extract_host_port(s_client_config.proxy, &s_client_config.host, NULL, &s_client_config.port)) goto bad; if (s_client_config.connect == NULL) s_client_config.connect = SSL_HOST_NAME; } else if (s_client_config.connect != NULL) { ! if (!extract_host_port(s_client_config.connect, &s_client_config.host, NULL, &s_client_config.port)) goto bad; } if (badop) { --- 916,929 ---- goto bad; } if (s_client_config.proxy != NULL) { ! if (!extract_host_port(s_client_config.proxy, ! &s_client_config.host, NULL, &s_client_config.port)) goto bad; if (s_client_config.connect == NULL) s_client_config.connect = SSL_HOST_NAME; } else if (s_client_config.connect != NULL) { ! if (!extract_host_port(s_client_config.connect, ! &s_client_config.host, NULL, &s_client_config.port)) goto bad; } if (badop) { *************** *** 943,949 **** if (s_client_config.key_file) { ! 
key = load_key(bio_err, s_client_config.key_file, s_client_config.key_format, 0, pass, "client certificate private key file"); if (!key) { ERR_print_errors(bio_err); --- 943,950 ---- if (s_client_config.key_file) { ! key = load_key(bio_err, s_client_config.key_file, ! s_client_config.key_format, 0, pass, "client certificate private key file"); if (!key) { ERR_print_errors(bio_err); *************** *** 951,957 **** } } if (s_client_config.cert_file) { ! cert = load_cert(bio_err, s_client_config.cert_file, s_client_config.cert_format, NULL, "client certificate file"); if (!cert) { --- 952,959 ---- } } if (s_client_config.cert_file) { ! cert = load_cert(bio_err, s_client_config.cert_file, ! s_client_config.cert_format, NULL, "client certificate file"); if (!cert) { *************** *** 960,966 **** } } if (bio_c_out == NULL) { ! if (s_client_config.quiet && !s_client_config.debug && !s_client_config.msg) { bio_c_out = BIO_new(BIO_s_null()); } else { if (bio_c_out == NULL) --- 962,969 ---- } } if (bio_c_out == NULL) { ! if (s_client_config.quiet && !s_client_config.debug && ! !s_client_config.msg) { bio_c_out = BIO_new(BIO_s_null()); } else { if (bio_c_out == NULL) *************** *** 1004,1011 **** if (s_client_config.alpn_in) { unsigned short alpn_len; ! unsigned char *alpn = next_protos_parse(&alpn_len, s_client_config.alpn_in); if (alpn == NULL) { BIO_printf(bio_err, "Error parsing -alpn argument\n"); goto end; --- 1007,1015 ---- if (s_client_config.alpn_in) { unsigned short alpn_len; ! unsigned char *alpn; + alpn = next_protos_parse(&alpn_len, s_client_config.alpn_in); if (alpn == NULL) { BIO_printf(bio_err, "Error parsing -alpn argument\n"); goto end; *************** *** 1035,1041 **** goto end; if ((s_client_config.CAfile || s_client_config.CApath) ! 
&& !SSL_CTX_load_verify_locations(ctx, s_client_config.CAfile, s_client_config.CApath)) ERR_print_errors(bio_err); if (!SSL_CTX_set_default_verify_paths(ctx)) --- 1039,1046 ---- goto end; if ((s_client_config.CAfile || s_client_config.CApath) ! && !SSL_CTX_load_verify_locations(ctx, s_client_config.CAfile, ! s_client_config.CApath)) ERR_print_errors(bio_err); if (!SSL_CTX_set_default_verify_paths(ctx)) *************** *** 1070,1085 **** } if (s_client_config.servername != NULL) { if (!SSL_set_tlsext_host_name(con, s_client_config.servername)) { ! BIO_printf(bio_err, "Unable to set TLS servername extension.\n"); ERR_print_errors(bio_err); goto end; } } /* SSL_set_cipher_list(con,"RC4-MD5"); */ ! re_start: ! if (init_client(&s, s_client_config.host, s_client_config.port, s_client_config.socket_type, s_client_config.af) == 0) { BIO_printf(bio_err, "connect:errno=%d\n", errno); goto end; } --- 1075,1092 ---- } if (s_client_config.servername != NULL) { if (!SSL_set_tlsext_host_name(con, s_client_config.servername)) { ! BIO_printf(bio_err, ! "Unable to set TLS servername extension.\n"); ERR_print_errors(bio_err); goto end; } } /* SSL_set_cipher_list(con,"RC4-MD5"); */ ! re_start: ! if (init_client(&s, s_client_config.host, s_client_config.port, ! s_client_config.socket_type, s_client_config.af) == 0) { BIO_printf(bio_err, "connect:errno=%d\n", errno); goto end; } *************** *** 1112,1122 **** if (s_client_config.enable_timeouts) { timeout.tv_sec = 0; timeout.tv_usec = DGRAM_RCV_TIMEOUT; ! BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout); timeout.tv_sec = 0; timeout.tv_usec = DGRAM_SND_TIMEOUT; ! BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout); } if (s_client_config.socket_mtu > 28) { SSL_set_options(con, SSL_OP_NO_QUERY_MTU); --- 1119,1131 ---- if (s_client_config.enable_timeouts) { timeout.tv_sec = 0; timeout.tv_usec = DGRAM_RCV_TIMEOUT; ! BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, ! 
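Review bot: In the hunk at new lines 1039–1046, a failed `SSL_CTX_load_verify_locations(ctx, s_client_config.CAfile, s_client_config.CApath)` only calls `ERR_print_errors(bio_err)` and then falls through to `SSL_CTX_set_default_verify_paths(ctx)`. A mistyped or unreadable -CAfile/-CApath therefore presumably leaves the handshake verified against the default trust store instead of the one the user asked for, with only an error-stack dump as a hint. Failing closed is the safer reading of the option: brace the body and add `goto end;` after the error print. The statements after the second `if` are outside the hunk, so confirm that nothing later relies on the fall-through.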
&timeout); timeout.tv_sec = 0; timeout.tv_usec = DGRAM_SND_TIMEOUT; ! BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, ! &timeout); } if (s_client_config.socket_mtu > 28) { SSL_set_options(con, SSL_OP_NO_QUERY_MTU); *************** *** 1177,1183 **** * push a buffering BIO into the chain that is removed again later on * to not disturb the rest of the s_client operation. */ ! if (s_client_config.starttls_proto == PROTO_SMTP || s_client_config.starttls_proto == PROTO_LMTP) { int foundit = 0; BIO *fbio = BIO_new(BIO_f_buffer()); BIO_push(fbio, sbio); --- 1186,1193 ---- * push a buffering BIO into the chain that is removed again later on * to not disturb the rest of the s_client operation. */ ! if (s_client_config.starttls_proto == PROTO_SMTP || ! s_client_config.starttls_proto == PROTO_LMTP) { int foundit = 0; BIO *fbio = BIO_new(BIO_f_buffer()); BIO_push(fbio, sbio); *************** *** 1188,1194 **** while (mbuf_len > 3 && mbuf[3] == '-'); /* STARTTLS command requires EHLO... */ BIO_printf(fbio, "%cHLO openssl.client.net\r\n", ! s_client_config.starttls_proto == PROTO_SMTP ? 'E' : 'L'); (void) BIO_flush(fbio); /* wait for multi-line response to end EHLO SMTP response */ do { --- 1198,1204 ---- while (mbuf_len > 3 && mbuf[3] == '-'); /* STARTTLS command requires EHLO... */ BIO_printf(fbio, "%cHLO openssl.client.net\r\n", ! s_client_config.starttls_proto == PROTO_SMTP ? 'E' : 'L'); (void) BIO_flush(fbio); /* wait for multi-line response to end EHLO SMTP response */ do { *************** *** 1255,1261 **** int seen = 0; BIO_printf(sbio, "", s_client_config.xmpphost ? s_client_config.xmpphost : s_client_config.host); seen = BIO_read(sbio, mbuf, BUFSIZZ); if (seen <= 0) --- 1265,1273 ---- int seen = 0; BIO_printf(sbio, "", ! s_client_config.xmpphost ? ! s_client_config.xmpphost : s_client_config.host); seen = BIO_read(sbio, mbuf, BUFSIZZ); if (seen <= 0) *************** *** 1271,1284 **** mbuf[seen] = 0; } ! 
BIO_printf(sbio, ""); seen = BIO_read(sbio, sbuf, BUFSIZZ); sbuf[seen] = 0; if (!strstr(sbuf, ""); seen = BIO_read(sbio, sbuf, BUFSIZZ); sbuf[seen] = 0; if (!strstr(sbuf, " 0) --- 1316,1331 ---- if (in_init) { in_init = 0; if (s_client_config.sess_out) { ! BIO *stmp = BIO_new_file( ! s_client_config.sess_out, "w"); if (stmp) { ! PEM_write_bio_SSL_SESSION(stmp, ! SSL_get_session(con)); BIO_free(stmp); } else ! BIO_printf(bio_err, ! "Error writing session file %s\n", ! s_client_config.sess_out); } print_stuff(bio_c_out, con, full_log); if (full_log > 0) *************** *** 1319,1325 **** } if (s_client_config.reconnect) { s_client_config.reconnect--; ! BIO_printf(bio_c_out, "drop connection and then reconnect\n"); SSL_shutdown(con); SSL_set_connect_state(con); shutdown(SSL_get_fd(con), SHUT_RD); --- 1338,1345 ---- } if (s_client_config.reconnect) { s_client_config.reconnect--; ! BIO_printf(bio_c_out, ! "drop connection and then reconnect\n"); SSL_shutdown(con); SSL_set_connect_state(con); shutdown(SSL_get_fd(con), SHUT_RD); *************** *** 1363,1372 **** /* goto end; */ } } ! if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0) { BIO_printf(bio_err, "TIMEOUT occured\n"); } ! if (!ssl_pending && (pfd[2].revents & (POLLOUT|POLLERR|POLLNVAL))) { if (pfd[2].revents & (POLLERR|POLLNVAL)) { BIO_printf(bio_err, "poll error"); goto shut; --- 1383,1394 ---- /* goto end; */ } } ! if ((SSL_version(con) == DTLS1_VERSION) && ! DTLSv1_handle_timeout(con) > 0) { BIO_printf(bio_err, "TIMEOUT occured\n"); } ! if (!ssl_pending && ! (pfd[2].revents & (POLLOUT|POLLERR|POLLNVAL))) { if (pfd[2].revents & (POLLERR|POLLNVAL)) { BIO_printf(bio_err, "poll error"); goto shut; *************** *** 1482,1488 **** if (p != pending) { ret = -1; BIO_printf(bio_err, ! "peeked %d but pending %d!\n", p, pending); goto shut; } if (k < p) { --- 1504,1511 ---- if (p != pending) { ret = -1; BIO_printf(bio_err, ! "peeked %d but pending %d!\n", ! 
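Review bot: In the XMPP STARTTLS hunk (old lines 1271–1284), `seen = BIO_read(sbio, sbuf, BUFSIZZ);` is followed directly by `sbuf[seen] = 0;`, so a failed read (negative return) stores the terminator before the start of `sbuf`. The `mbuf` read in the preceding hunk already guards with `if (seen <= 0)`, and the same guard belongs here before the store, e.g. `if (seen <= 0) goto shut;` (or whichever exit the `mbuf` check takes). Whether `sbuf` has room for index `BUFSIZZ` after a full-length read cannot be seen on this page and is worth confirming at its allocation. Part of this hunk's text was lost in extraction, and the enclosing function starts and ends outside it.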
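Review bot: In the hunk at new lines 1316–1331, the result of `PEM_write_bio_SSL_SESSION(stmp, SSL_get_session(con))` is discarded, so a failed or partial write of the session file is silent. The only message, "Error writing session file", is printed in the `else` branch, where it is actually the open that failed. Check the return value, e.g. `if (!PEM_write_bio_SSL_SESSION(stmp, SSL_get_session(con))) ERR_print_errors(bio_err);`. The file holds resumable session state and `BIO_new_file(s_client_config.sess_out, "w")` creates it with whatever mode the process umask allows, so a comment noting that the caller is responsible for a restrictive umask would help. The old side of this hunk is missing from the page and the enclosing block continues outside it.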
p, pending); goto shut; } if (k < p) { *************** *** 1491,1497 **** "read less than peek!\n"); goto shut; } ! if (p > 0 && (memcmp(sbuf, pbuf, p) != 0)) { ret = -1; BIO_printf(bio_err, "peek of %d different from read of %d!\n", --- 1514,1521 ---- "read less than peek!\n"); goto shut; } ! if (p > 0 && ! (memcmp(sbuf, pbuf, p) != 0)) { ret = -1; BIO_printf(bio_err, "peek of %d different from read of %d!\n", *************** *** 1556,1562 **** } else i = read(fileno(stdin), cbuf, BUFSIZZ); ! if ((!s_client_config.ign_eof) && ((i <= 0) || (cbuf[0] == 'Q'))) { BIO_printf(bio_err, "DONE\n"); ret = 0; goto shut; --- 1580,1587 ---- } else i = read(fileno(stdin), cbuf, BUFSIZZ); ! if ((!s_client_config.ign_eof) && ! ((i <= 0) || (cbuf[0] == 'Q'))) { BIO_printf(bio_err, "DONE\n"); ret = 0; goto shut; *************** *** 1604,1610 **** return (ret); } - static void print_stuff(BIO * bio, SSL * s, int full) { --- 1629,1634 ---- *************** *** 1636,1652 **** sk_X509_value(sk, i)), buf, sizeof buf); BIO_printf(bio, " i:%s\n", buf); if (s_client_config.showcerts) ! PEM_write_bio_X509(bio, sk_X509_value(sk, i)); } } BIO_printf(bio, "---\n"); peer = SSL_get_peer_certificate(s); if (peer != NULL) { BIO_printf(bio, "Server certificate\n"); ! if (!(s_client_config.showcerts && got_a_chain)) /* Redundant if we ! * showed the whole ! * chain */ PEM_write_bio_X509(bio, peer); X509_NAME_oneline(X509_get_subject_name(peer), buf, sizeof buf); BIO_printf(bio, "subject=%s\n", buf); --- 1660,1677 ---- sk_X509_value(sk, i)), buf, sizeof buf); BIO_printf(bio, " i:%s\n", buf); if (s_client_config.showcerts) ! PEM_write_bio_X509(bio, ! sk_X509_value(sk, i)); } } BIO_printf(bio, "---\n"); peer = SSL_get_peer_certificate(s); if (peer != NULL) { BIO_printf(bio, "Server certificate\n"); ! if (!(s_client_config.showcerts && got_a_chain)) { ! 
/* Redundant if we showed the whole chain */ PEM_write_bio_X509(bio, peer); + } X509_NAME_oneline(X509_get_subject_name(peer), buf, sizeof buf); BIO_printf(bio, "subject=%s\n", buf); *************** *** 1658,1664 **** sk2 = SSL_get_client_CA_list(s); if ((sk2 != NULL) && (sk_X509_NAME_num(sk2) > 0)) { ! BIO_printf(bio, "---\nAcceptable client certificate CA names\n"); for (i = 0; i < sk_X509_NAME_num(sk2); i++) { xn = sk_X509_NAME_value(sk2, i); X509_NAME_oneline(xn, buf, sizeof(buf)); --- 1683,1690 ---- sk2 = SSL_get_client_CA_list(s); if ((sk2 != NULL) && (sk_X509_NAME_num(sk2) > 0)) { ! BIO_printf(bio, ! "---\nAcceptable client certificate CA names\n"); for (i = 0; i < sk_X509_NAME_num(sk2); i++) { xn = sk_X509_NAME_value(sk2, i); X509_NAME_oneline(xn, buf, sizeof(buf)); *************** *** 1666,1672 **** BIO_write(bio, "\n", 1); } } else { ! BIO_printf(bio, "---\nNo client certificate CA names sent\n"); } p = SSL_get_shared_ciphers(s, buf, sizeof buf); if (p != NULL) { --- 1692,1699 ---- BIO_write(bio, "\n", 1); } } else { ! BIO_printf(bio, ! "---\nNo client certificate CA names sent\n"); } p = SSL_get_shared_ciphers(s, buf, sizeof buf); if (p != NULL) { *************** *** 1677,1690 **** * current connection) the server supports. */ ! BIO_printf(bio, "---\nCiphers common between both SSL endpoints:\n"); j = i = 0; while (*p) { if (*p == ':') { BIO_write(bio, space, 15 - j % 25); i++; j = 0; ! BIO_write(bio, ((i % 3) ? " " : "\n"), 1); } else { BIO_write(bio, p, 1); j++; --- 1704,1719 ---- * current connection) the server supports. */ ! BIO_printf(bio, ! "---\nCiphers common between both SSL endpoints:\n"); j = i = 0; while (*p) { if (*p == ':') { BIO_write(bio, space, 15 - j % 25); i++; j = 0; ! BIO_write(bio, ! ((i % 3) ? " " : "\n"), 1); } else { BIO_write(bio, p, 1); j++; *************** *** 1696,1702 **** ssl_print_tmp_key(bio, s); ! 
BIO_printf(bio, "---\nSSL handshake has read %ld bytes and written %ld bytes\n", BIO_number_read(SSL_get_rbio(s)), BIO_number_written(SSL_get_wbio(s))); } --- 1725,1732 ---- ssl_print_tmp_key(bio, s); ! BIO_printf(bio, ! "---\nSSL handshake has read %ld bytes and written %ld bytes\n", BIO_number_read(SSL_get_rbio(s)), BIO_number_written(SSL_get_wbio(s))); } *************** *** 1727,1733 **** socklen_t ladd_size = sizeof(ladd); sock = SSL_get_fd(s); getsockname(sock, (struct sockaddr *) & ladd, &ladd_size); ! BIO_printf(bio_c_out, "LOCAL PORT is %u\n", ntohs(ladd.sin_port)); } #endif --- 1757,1764 ---- socklen_t ladd_size = sizeof(ladd); sock = SSL_get_fd(s); getsockname(sock, (struct sockaddr *) & ladd, &ladd_size); ! BIO_printf(bio_c_out, "LOCAL PORT is %u\n", ! ntohs(ladd.sin_port)); } #endif *************** *** 1745,1754 **** #ifndef OPENSSL_NO_SRTP { ! SRTP_PROTECTION_PROFILE *srtp_profile = SSL_get_selected_srtp_profile(s); if (srtp_profile) ! BIO_printf(bio, "SRTP Extension negotiated, profile=%s\n", srtp_profile->name); } #endif --- 1776,1787 ---- #ifndef OPENSSL_NO_SRTP { ! SRTP_PROTECTION_PROFILE *srtp_profile; + srtp_profile = SSL_get_selected_srtp_profile(s); if (srtp_profile) ! BIO_printf(bio, ! "SRTP Extension negotiated, profile=%s\n", srtp_profile->name); } #endif *************** *** 1756,1763 **** SSL_SESSION_print(bio, SSL_get_session(s)); if (s_client_config.keymatexportlabel != NULL) { BIO_printf(bio, "Keying material exporter:\n"); ! BIO_printf(bio, " Label: '%s'\n", s_client_config.keymatexportlabel); ! BIO_printf(bio, " Length: %i bytes\n", s_client_config.keymatexportlen); exportedkeymat = malloc(s_client_config.keymatexportlen); if (exportedkeymat != NULL) { if (!SSL_export_keying_material(s, exportedkeymat, --- 1789,1798 ---- SSL_SESSION_print(bio, SSL_get_session(s)); if (s_client_config.keymatexportlabel != NULL) { BIO_printf(bio, "Keying material exporter:\n"); ! BIO_printf(bio, " Label: '%s'\n", ! s_client_config.keymatexportlabel); ! 
BIO_printf(bio, " Length: %i bytes\n", ! s_client_config.keymatexportlen); exportedkeymat = malloc(s_client_config.keymatexportlen); if (exportedkeymat != NULL) { if (!SSL_export_keying_material(s, exportedkeymat, *************** *** 1781,1787 **** /* flush, or debugging output gets mixed with http response */ (void) BIO_flush(bio); } - static int ocsp_resp_cb(SSL * s, void *arg) --- 1816,1821 ----