|
Packit |
549fdc |
/*
|
|
Packit |
549fdc |
* Copyright (C) 2000-2016 Free Software Foundation, Inc.
|
|
Packit |
549fdc |
* Copyright (C) 2013-2016 Nikos Mavrogiannopoulos
|
|
Packit |
549fdc |
* Copyright (C) 2015-2017 Red Hat, Inc.
|
|
Packit |
549fdc |
*
|
|
Packit |
549fdc |
* This file is part of GnuTLS.
|
|
Packit |
549fdc |
*
|
|
Packit |
549fdc |
* GnuTLS is free software: you can redistribute it and/or modify
|
|
Packit |
549fdc |
* it under the terms of the GNU General Public License as published by
|
|
Packit |
549fdc |
* the Free Software Foundation, either version 3 of the License, or
|
|
Packit |
549fdc |
* (at your option) any later version.
|
|
Packit |
549fdc |
*
|
|
Packit |
549fdc |
* GnuTLS is distributed in the hope that it will be useful,
|
|
Packit |
549fdc |
* but WITHOUT ANY WARRANTY; without even the implied warranty of
|
|
Packit |
549fdc |
* MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
|
|
Packit |
549fdc |
* GNU General Public License for more details.
|
|
Packit |
549fdc |
*
|
|
Packit |
549fdc |
* You should have received a copy of the GNU General Public License
|
|
Packit |
549fdc |
* along with this program. If not, see <http://www.gnu.org/licenses/>.
|
|
Packit |
549fdc |
*/
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
#include <config.h>
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
#include <stdio.h>
|
|
Packit |
549fdc |
#include <errno.h>
|
|
Packit |
549fdc |
#include <stdlib.h>
|
|
Packit |
549fdc |
#include <sys/types.h>
|
|
Packit |
549fdc |
#include <string.h>
|
|
Packit |
549fdc |
#include <sys/time.h>
|
|
Packit |
549fdc |
#include <sys/stat.h>
|
|
Packit |
549fdc |
#if HAVE_SYS_SOCKET_H
|
|
Packit |
549fdc |
#include <sys/socket.h>
|
|
Packit |
549fdc |
#elif HAVE_WS2TCPIP_H
|
|
Packit |
549fdc |
#include <ws2tcpip.h>
|
|
Packit |
549fdc |
#endif
|
|
Packit |
549fdc |
#include <sys/select.h>
|
|
Packit |
549fdc |
#include <unistd.h>
|
|
Packit |
549fdc |
#include <stdint.h>
|
|
Packit |
549fdc |
#include <stdbool.h>
|
|
Packit |
549fdc |
#include <fcntl.h>
|
|
Packit |
549fdc |
#include <netdb.h>
|
|
Packit |
549fdc |
#include <ctype.h>
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
/* Get TCP_FASTOPEN */
|
|
Packit |
549fdc |
#ifdef HAVE_NETINET_TCP_H
|
|
Packit |
549fdc |
#include <netinet/tcp.h>
|
|
Packit |
549fdc |
#endif
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
#include <gnutls/gnutls.h>
|
|
Packit |
549fdc |
#include <gnutls/abstract.h>
|
|
Packit |
549fdc |
#include <gnutls/dtls.h>
|
|
Packit |
549fdc |
#include <gnutls/x509.h>
|
|
Packit |
549fdc |
#include <gnutls/pkcs11.h>
|
|
Packit |
549fdc |
#include <gnutls/crypto.h>
|
|
Packit |
549fdc |
#include <gnutls/socket.h>
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
/* Gnulib portability files. */
|
|
Packit |
549fdc |
#include <read-file.h>
|
|
Packit |
549fdc |
#include <getpass.h>
|
|
Packit |
549fdc |
#include <minmax.h>
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
#include "sockets.h"
|
|
Packit |
549fdc |
#include "benchmark.h"
|
|
Packit |
549fdc |
#include "inline_cmds.h"
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
#ifdef HAVE_DANE
|
|
Packit |
549fdc |
#include <gnutls/dane.h>
|
|
Packit |
549fdc |
#endif
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
#include <common.h>
|
|
Packit |
549fdc |
#include <socket.h>
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
#include <cli-args.h>
|
|
Packit |
549fdc |
#include <ocsptool-common.h>
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
#define MAX_BUF 4096
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
/* global stuff here */
|
|
Packit |
549fdc |
int resume, starttls, insecure, ranges, rehandshake, udp, mtu,
|
|
Packit |
549fdc |
inline_commands;
|
|
Packit |
549fdc |
unsigned int global_vflags = 0;
|
|
Packit |
549fdc |
char *hostname = NULL;
|
|
Packit |
549fdc |
char service[32]="";
|
|
Packit |
549fdc |
int record_max_size;
|
|
Packit |
549fdc |
int crlf;
|
|
Packit |
549fdc |
int fastopen;
|
|
Packit |
549fdc |
unsigned int verbose = 0;
|
|
Packit |
549fdc |
int print_cert;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
const char *srp_passwd = NULL;
|
|
Packit |
549fdc |
const char *srp_username = NULL;
|
|
Packit |
549fdc |
const char *x509_keyfile = NULL;
|
|
Packit |
549fdc |
const char *x509_certfile = NULL;
|
|
Packit |
549fdc |
const char *x509_cafile = NULL;
|
|
Packit |
549fdc |
const char *x509_crlfile = NULL;
|
|
Packit |
549fdc |
static int x509ctype;
|
|
Packit |
549fdc |
static int disable_extensions;
|
|
Packit |
549fdc |
static int disable_sni;
|
|
Packit |
549fdc |
static unsigned int init_flags = GNUTLS_CLIENT;
|
|
Packit |
549fdc |
static const char *priorities = NULL;
|
|
Packit |
549fdc |
static const char *inline_commands_prefix;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
const char *psk_username = NULL;
|
|
Packit |
549fdc |
gnutls_datum_t psk_key = { NULL, 0 };
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
static gnutls_srp_client_credentials_t srp_cred;
|
|
Packit |
549fdc |
static gnutls_psk_client_credentials_t psk_cred;
|
|
Packit |
549fdc |
static gnutls_anon_client_credentials_t anon_cred;
|
|
Packit |
549fdc |
static gnutls_certificate_credentials_t xcred;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
/* The number of seconds we wait for a reply from peer prior to
|
|
Packit |
549fdc |
* closing the connection. */
|
|
Packit |
549fdc |
#define TERM_TIMEOUT 8000
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
/* end of global stuff */
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
/* prototypes */
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
static void check_rehandshake(socket_st * socket, int ret);
|
|
Packit |
549fdc |
static void init_global_tls_stuff(void);
|
|
Packit |
549fdc |
static int cert_verify_ocsp(gnutls_session_t session);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
#define MAX_CRT 6
|
|
Packit |
549fdc |
static unsigned int x509_crt_size;
|
|
Packit |
549fdc |
static gnutls_pcert_st x509_crt[MAX_CRT];
|
|
Packit |
549fdc |
static gnutls_privkey_t x509_key = NULL;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
/* Load the certificate and the private key.
|
|
Packit |
549fdc |
*/
|
|
Packit |
549fdc |
static void load_keys(void)
|
|
Packit |
549fdc |
{
|
|
Packit |
549fdc |
unsigned int crt_num;
|
|
Packit |
549fdc |
int ret;
|
|
Packit |
549fdc |
unsigned int i;
|
|
Packit |
549fdc |
gnutls_datum_t data = { NULL, 0 };
|
|
Packit |
549fdc |
gnutls_x509_crt_t crt_list[MAX_CRT];
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (x509_certfile != NULL && x509_keyfile != NULL) {
|
|
Packit |
549fdc |
#ifdef ENABLE_PKCS11
|
|
Packit |
549fdc |
if (strncmp(x509_certfile, "pkcs11:", 7) == 0) {
|
|
Packit |
549fdc |
crt_num = 1;
|
|
Packit |
549fdc |
ret = gnutls_x509_crt_init(&crt_list[0]);
|
|
Packit |
549fdc |
if (ret < 0) {
|
|
Packit |
549fdc |
fprintf(stderr, "Memory error\n");
|
|
Packit |
549fdc |
exit(1);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
gnutls_x509_crt_set_pin_function(crt_list[0],
|
|
Packit |
549fdc |
pin_callback,
|
|
Packit |
549fdc |
NULL);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
ret =
|
|
Packit |
549fdc |
gnutls_x509_crt_import_pkcs11_url(crt_list[0],
|
|
Packit |
549fdc |
x509_certfile,
|
|
Packit |
549fdc |
0);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE)
|
|
Packit |
549fdc |
ret =
|
|
Packit |
549fdc |
gnutls_x509_crt_import_pkcs11_url
|
|
Packit |
549fdc |
(crt_list[0], x509_certfile,
|
|
Packit |
549fdc |
GNUTLS_PKCS11_OBJ_FLAG_LOGIN);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (ret < 0) {
|
|
Packit |
549fdc |
fprintf(stderr,
|
|
Packit |
549fdc |
"*** Error loading cert file.\n");
|
|
Packit |
549fdc |
exit(1);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
x509_crt_size = 1;
|
|
Packit |
549fdc |
} else
|
|
Packit |
549fdc |
#endif /* ENABLE_PKCS11 */
|
|
Packit |
549fdc |
{
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
ret = gnutls_load_file(x509_certfile, &data);
|
|
Packit |
549fdc |
if (ret < 0) {
|
|
Packit |
549fdc |
fprintf(stderr,
|
|
Packit |
549fdc |
"*** Error loading cert file.\n");
|
|
Packit |
549fdc |
exit(1);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
crt_num = MAX_CRT;
|
|
Packit |
549fdc |
ret =
|
|
Packit |
549fdc |
gnutls_x509_crt_list_import(crt_list, &crt_num,
|
|
Packit |
549fdc |
&data, x509ctype,
|
|
Packit |
549fdc |
GNUTLS_X509_CRT_LIST_IMPORT_FAIL_IF_EXCEED);
|
|
Packit |
549fdc |
if (ret < 0) {
|
|
Packit |
549fdc |
if (ret == GNUTLS_E_SHORT_MEMORY_BUFFER) {
|
|
Packit |
549fdc |
fprintf(stderr,
|
|
Packit |
549fdc |
"*** Error loading cert file: Too many certs %d\n",
|
|
Packit |
549fdc |
crt_num);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
} else {
|
|
Packit |
549fdc |
fprintf(stderr,
|
|
Packit |
549fdc |
"*** Error loading cert file: %s\n",
|
|
Packit |
549fdc |
gnutls_strerror(ret));
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
exit(1);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
x509_crt_size = ret;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
for (i = 0; i < x509_crt_size; i++) {
|
|
Packit |
549fdc |
ret =
|
|
Packit |
549fdc |
gnutls_pcert_import_x509(&x509_crt[i],
|
|
Packit |
549fdc |
crt_list[i], 0);
|
|
Packit |
549fdc |
if (ret < 0) {
|
|
Packit |
549fdc |
fprintf(stderr,
|
|
Packit |
549fdc |
"*** Error importing crt to pcert: %s\n",
|
|
Packit |
549fdc |
gnutls_strerror(ret));
|
|
Packit |
549fdc |
exit(1);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
gnutls_x509_crt_deinit(crt_list[i]);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
gnutls_free(data.data);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
ret = gnutls_privkey_init(&x509_key);
|
|
Packit |
549fdc |
if (ret < 0) {
|
|
Packit |
549fdc |
fprintf(stderr, "*** Error initializing key: %s\n",
|
|
Packit |
549fdc |
gnutls_strerror(ret));
|
|
Packit |
549fdc |
exit(1);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
gnutls_privkey_set_pin_function(x509_key, pin_callback,
|
|
Packit |
549fdc |
NULL);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (gnutls_url_is_supported(x509_keyfile) != 0) {
|
|
Packit |
549fdc |
ret =
|
|
Packit |
549fdc |
gnutls_privkey_import_url(x509_key,
|
|
Packit |
549fdc |
x509_keyfile, 0);
|
|
Packit |
549fdc |
if (ret < 0) {
|
|
Packit |
549fdc |
fprintf(stderr,
|
|
Packit |
549fdc |
"*** Error loading url: %s\n",
|
|
Packit |
549fdc |
gnutls_strerror(ret));
|
|
Packit |
549fdc |
exit(1);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
} else {
|
|
Packit |
549fdc |
ret = gnutls_load_file(x509_keyfile, &data);
|
|
Packit |
549fdc |
if (ret < 0) {
|
|
Packit |
549fdc |
fprintf(stderr,
|
|
Packit |
549fdc |
"*** Error loading key file.\n");
|
|
Packit |
549fdc |
exit(1);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
ret =
|
|
Packit |
549fdc |
gnutls_privkey_import_x509_raw(x509_key, &data,
|
|
Packit |
549fdc |
x509ctype, NULL,
|
|
Packit |
549fdc |
0);
|
|
Packit |
549fdc |
if (ret < 0) {
|
|
Packit |
549fdc |
fprintf(stderr,
|
|
Packit |
549fdc |
"*** Error loading url: %s\n",
|
|
Packit |
549fdc |
gnutls_strerror(ret));
|
|
Packit |
549fdc |
exit(1);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
gnutls_free(data.data);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
fprintf(stdout,
|
|
Packit |
549fdc |
"Processed %d client X.509 certificates...\n",
|
|
Packit |
549fdc |
x509_crt_size);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
#define IS_NEWLINE(x) ((x[0] == '\n') || (x[0] == '\r'))
|
|
Packit |
549fdc |
static int read_yesno(const char *input_str)
|
|
Packit |
549fdc |
{
|
|
Packit |
549fdc |
char input[128];
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
fputs(input_str, stderr);
|
|
Packit |
549fdc |
if (fgets(input, sizeof(input), stdin) == NULL)
|
|
Packit |
549fdc |
return 0;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (IS_NEWLINE(input))
|
|
Packit |
549fdc |
return 0;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (input[0] == 'y' || input[0] == 'Y')
|
|
Packit |
549fdc |
return 1;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
return 0;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
static void try_save_cert(gnutls_session_t session)
|
|
Packit |
549fdc |
{
|
|
Packit |
549fdc |
const gnutls_datum_t *cert_list;
|
|
Packit |
549fdc |
unsigned int cert_list_size = 0;
|
|
Packit |
549fdc |
int ret;
|
|
Packit |
549fdc |
unsigned i;
|
|
Packit |
549fdc |
gnutls_datum_t t;
|
|
Packit |
549fdc |
FILE *fp;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
cert_list = gnutls_certificate_get_peers(session, &cert_list_size);
|
|
Packit |
549fdc |
if (cert_list_size == 0) {
|
|
Packit |
549fdc |
fprintf(stderr, "no certificates sent by server!\n");
|
|
Packit |
549fdc |
exit(1);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
fp = fopen(OPT_ARG(SAVE_CERT), "w");
|
|
Packit |
549fdc |
if (fp == NULL) {
|
|
Packit |
549fdc |
fprintf(stderr, "could not open %s\n", OPT_ARG(SAVE_CERT));
|
|
Packit |
549fdc |
exit(1);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
for (i=0;i
|
|
Packit |
549fdc |
ret = gnutls_pem_base64_encode_alloc("CERTIFICATE", &cert_list[i], &t);
|
|
Packit |
549fdc |
if (ret < 0) {
|
|
Packit |
549fdc |
fprintf(stderr, "error[%d]: %s\n", __LINE__,
|
|
Packit |
549fdc |
gnutls_strerror(ret));
|
|
Packit |
549fdc |
exit(1);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
fwrite(t.data, t.size, 1, fp);
|
|
Packit |
549fdc |
gnutls_free(t.data);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
fclose(fp);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
return;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
static int cert_verify_callback(gnutls_session_t session)
|
|
Packit |
549fdc |
{
|
|
Packit |
549fdc |
int rc;
|
|
Packit |
549fdc |
unsigned int status = 0;
|
|
Packit |
549fdc |
int ssh = ENABLED_OPT(TOFU);
|
|
Packit |
549fdc |
int strictssh = ENABLED_OPT(STRICT_TOFU);
|
|
Packit |
549fdc |
int dane = ENABLED_OPT(DANE);
|
|
Packit |
549fdc |
int ca_verify = ENABLED_OPT(CA_VERIFICATION);
|
|
Packit |
549fdc |
const char *txt_service;
|
|
Packit |
549fdc |
gnutls_datum_t oresp;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
/* On an session with TOFU the PKI/DANE verification
|
|
Packit |
549fdc |
* become advisory.
|
|
Packit |
549fdc |
*/
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (strictssh) {
|
|
Packit |
549fdc |
ssh = strictssh;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
/* Save certificate and OCSP response */
|
|
Packit |
549fdc |
if (HAVE_OPT(SAVE_CERT)) {
|
|
Packit |
549fdc |
try_save_cert(session);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
rc = gnutls_ocsp_status_request_get(session, &oresp);
|
|
Packit |
549fdc |
if (rc < 0) {
|
|
Packit |
549fdc |
oresp.data = NULL;
|
|
Packit |
549fdc |
oresp.size = 0;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (HAVE_OPT(SAVE_OCSP) && oresp.data) {
|
|
Packit |
549fdc |
FILE *fp = fopen(OPT_ARG(SAVE_OCSP), "w");
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (fp != NULL) {
|
|
Packit |
549fdc |
fwrite(oresp.data, 1, oresp.size, fp);
|
|
Packit |
549fdc |
fclose(fp);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
print_cert_info(session, verbose, print_cert);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (ca_verify) {
|
|
Packit |
549fdc |
rc = cert_verify(session, hostname, GNUTLS_KP_TLS_WWW_SERVER);
|
|
Packit |
549fdc |
if (rc == 0) {
|
|
Packit |
549fdc |
printf
|
|
Packit |
549fdc |
("*** PKI verification of server certificate failed...\n");
|
|
Packit |
549fdc |
if (!insecure && !ssh)
|
|
Packit |
549fdc |
return -1;
|
|
Packit |
549fdc |
} else if (ENABLED_OPT(OCSP) && gnutls_ocsp_status_request_is_checked(session, 0) == 0) { /* off-line verification succeeded. Try OCSP */
|
|
Packit |
549fdc |
rc = cert_verify_ocsp(session);
|
|
Packit |
549fdc |
if (rc == -1) {
|
|
Packit |
549fdc |
printf
|
|
Packit |
549fdc |
("*** Verifying (with OCSP) server certificate chain failed...\n");
|
|
Packit |
549fdc |
if (!insecure && !ssh)
|
|
Packit |
549fdc |
return -1;
|
|
Packit |
549fdc |
} else if (rc == 0)
|
|
Packit |
549fdc |
printf("*** OCSP: nothing to check.\n");
|
|
Packit |
549fdc |
else
|
|
Packit |
549fdc |
printf("*** OCSP: verified %d certificate(s).\n", rc);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (dane) { /* try DANE auth */
|
|
Packit |
549fdc |
#ifdef HAVE_DANE
|
|
Packit |
549fdc |
int port;
|
|
Packit |
549fdc |
unsigned vflags = 0;
|
|
Packit |
549fdc |
unsigned int sflags =
|
|
Packit |
549fdc |
ENABLED_OPT(LOCAL_DNS) ? 0 :
|
|
Packit |
549fdc |
DANE_F_IGNORE_LOCAL_RESOLVER;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
/* if we didn't verify the chain it only makes sense
|
|
Packit |
549fdc |
* to check the end certificate using dane. */
|
|
Packit |
549fdc |
if (ca_verify == 0)
|
|
Packit |
549fdc |
vflags |= DANE_VFLAG_ONLY_CHECK_EE_USAGE;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
port = service_to_port(service, udp?"udp":"tcp");
|
|
Packit |
549fdc |
rc = dane_verify_session_crt(NULL, session, hostname,
|
|
Packit |
549fdc |
udp ? "udp" : "tcp", port,
|
|
Packit |
549fdc |
sflags, vflags, &status);
|
|
Packit |
549fdc |
if (rc < 0) {
|
|
Packit |
549fdc |
fprintf(stderr,
|
|
Packit |
549fdc |
"*** DANE verification error: %s\n",
|
|
Packit |
549fdc |
dane_strerror(rc));
|
|
Packit |
549fdc |
if (!insecure && !ssh)
|
|
Packit |
549fdc |
return -1;
|
|
Packit |
549fdc |
} else {
|
|
Packit |
549fdc |
gnutls_datum_t out;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
rc = dane_verification_status_print(status, &out,
|
|
Packit |
549fdc |
0);
|
|
Packit |
549fdc |
if (rc < 0) {
|
|
Packit |
549fdc |
fprintf(stderr, "*** DANE error: %s\n",
|
|
Packit |
549fdc |
dane_strerror(rc));
|
|
Packit |
549fdc |
} else {
|
|
Packit |
549fdc |
fprintf(stderr, "- DANE: %s\n", out.data);
|
|
Packit |
549fdc |
gnutls_free(out.data);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (status != 0 && !insecure && !ssh)
|
|
Packit |
549fdc |
return -1;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
#else
|
|
Packit |
549fdc |
fprintf(stderr, "*** DANE error: GnuTLS is not compiled with DANE support.\n");
|
|
Packit |
549fdc |
if (!insecure && !ssh)
|
|
Packit |
549fdc |
return -1;
|
|
Packit |
549fdc |
#endif
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (ssh) { /* try ssh auth */
|
|
Packit |
549fdc |
unsigned int list_size;
|
|
Packit |
549fdc |
const gnutls_datum_t *cert;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
cert = gnutls_certificate_get_peers(session, &list_size);
|
|
Packit |
549fdc |
if (cert == NULL) {
|
|
Packit |
549fdc |
fprintf(stderr,
|
|
Packit |
549fdc |
"Cannot obtain peer's certificate!\n");
|
|
Packit |
549fdc |
return -1;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
txt_service = port_to_service(service, udp?"udp":"tcp");
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
rc = gnutls_verify_stored_pubkey(NULL, NULL, hostname,
|
|
Packit |
549fdc |
txt_service,
|
|
Packit |
549fdc |
GNUTLS_CRT_X509, cert, 0);
|
|
Packit |
549fdc |
if (rc == GNUTLS_E_NO_CERTIFICATE_FOUND) {
|
|
Packit |
549fdc |
fprintf(stderr,
|
|
Packit |
549fdc |
"Host %s (%s) has never been contacted before.\n",
|
|
Packit |
549fdc |
hostname, txt_service);
|
|
Packit |
549fdc |
if (status == 0)
|
|
Packit |
549fdc |
fprintf(stderr,
|
|
Packit |
549fdc |
"Its certificate is valid for %s.\n",
|
|
Packit |
549fdc |
hostname);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
rc = read_yesno
|
|
Packit |
549fdc |
("Are you sure you want to trust it? (y/N): ");
|
|
Packit |
549fdc |
if (rc == 0)
|
|
Packit |
549fdc |
return -1;
|
|
Packit |
549fdc |
} else if (rc == GNUTLS_E_CERTIFICATE_KEY_MISMATCH) {
|
|
Packit |
549fdc |
fprintf(stderr,
|
|
Packit |
549fdc |
"Warning: host %s is known and it is associated with a different key.\n",
|
|
Packit |
549fdc |
hostname);
|
|
Packit |
549fdc |
fprintf(stderr,
|
|
Packit |
549fdc |
"It might be that the server has multiple keys, or an attacker replaced the key to eavesdrop this connection .\n");
|
|
Packit |
549fdc |
if (status == 0)
|
|
Packit |
549fdc |
fprintf(stderr,
|
|
Packit |
549fdc |
"Its certificate is valid for %s.\n",
|
|
Packit |
549fdc |
hostname);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (strictssh == 0) {
|
|
Packit |
549fdc |
rc = read_yesno
|
|
Packit |
549fdc |
("Do you trust the received key? (y/N): ");
|
|
Packit |
549fdc |
if (rc == 0)
|
|
Packit |
549fdc |
return -1;
|
|
Packit |
549fdc |
} else return -1;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
} else if (rc < 0) {
|
|
Packit |
549fdc |
fprintf(stderr,
|
|
Packit |
549fdc |
"gnutls_verify_stored_pubkey: %s\n",
|
|
Packit |
549fdc |
gnutls_strerror(rc));
|
|
Packit |
549fdc |
return -1;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (rc != 0) {
|
|
Packit |
549fdc |
rc = gnutls_store_pubkey(NULL, NULL, hostname,
|
|
Packit |
549fdc |
txt_service,
|
|
Packit |
549fdc |
GNUTLS_CRT_X509, cert, 0,
|
|
Packit |
549fdc |
0);
|
|
Packit |
549fdc |
if (rc < 0)
|
|
Packit |
549fdc |
fprintf(stderr,
|
|
Packit |
549fdc |
"Could not store key: %s\n",
|
|
Packit |
549fdc |
gnutls_strerror(rc));
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
return 0;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
/* This callback should be associated with a session by calling
|
|
Packit |
549fdc |
* gnutls_certificate_client_set_retrieve_function( session, cert_callback),
|
|
Packit |
549fdc |
* before a handshake.
|
|
Packit |
549fdc |
*/
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
static int
|
|
Packit |
549fdc |
cert_callback(gnutls_session_t session,
|
|
Packit |
549fdc |
const gnutls_datum_t * req_ca_rdn, int nreqs,
|
|
Packit |
549fdc |
const gnutls_pk_algorithm_t * sign_algos,
|
|
Packit |
549fdc |
int sign_algos_length, gnutls_pcert_st ** pcert,
|
|
Packit |
549fdc |
unsigned int *pcert_length, gnutls_privkey_t * pkey)
|
|
Packit |
549fdc |
{
|
|
Packit |
549fdc |
char issuer_dn[256];
|
|
Packit |
549fdc |
int i, ret, cert_type;
|
|
Packit |
549fdc |
size_t len;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (verbose) {
|
|
Packit |
549fdc |
/* Print the server's trusted CAs
|
|
Packit |
549fdc |
*/
|
|
Packit |
549fdc |
if (nreqs > 0)
|
|
Packit |
549fdc |
printf("- Server's trusted authorities:\n");
|
|
Packit |
549fdc |
else
|
|
Packit |
549fdc |
printf
|
|
Packit |
549fdc |
("- Server did not send us any trusted authorities names.\n");
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
/* print the names (if any) */
|
|
Packit |
549fdc |
for (i = 0; i < nreqs; i++) {
|
|
Packit |
549fdc |
len = sizeof(issuer_dn);
|
|
Packit |
549fdc |
ret =
|
|
Packit |
549fdc |
gnutls_x509_rdn_get(&req_ca_rdn[i], issuer_dn,
|
|
Packit |
549fdc |
&len;;
|
|
Packit |
549fdc |
if (ret >= 0) {
|
|
Packit |
549fdc |
printf(" [%d]: ", i);
|
|
Packit |
549fdc |
printf("%s\n", issuer_dn);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
/* Select a certificate and return it.
|
|
Packit |
549fdc |
* The certificate must be of any of the "sign algorithms"
|
|
Packit |
549fdc |
* supported by the server.
|
|
Packit |
549fdc |
*/
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
cert_type = gnutls_certificate_type_get(session);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
*pcert_length = 0;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (cert_type == GNUTLS_CRT_X509) {
|
|
Packit |
549fdc |
if (x509_crt_size > 0) {
|
|
Packit |
549fdc |
if (x509_key != NULL) {
|
|
Packit |
549fdc |
*pkey = x509_key;
|
|
Packit |
549fdc |
} else {
|
|
Packit |
549fdc |
printf
|
|
Packit |
549fdc |
("- Could not find a suitable key to send to server\n");
|
|
Packit |
549fdc |
return -1;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
*pcert_length = x509_crt_size;
|
|
Packit |
549fdc |
*pcert = x509_crt;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
printf("- Successfully sent %u certificate(s) to server.\n",
|
|
Packit |
549fdc |
*pcert_length);
|
|
Packit |
549fdc |
return 0;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
/* initializes a gnutls_session_t with some defaults.
|
|
Packit |
549fdc |
*/
|
|
Packit |
549fdc |
gnutls_session_t init_tls_session(const char *host)
|
|
Packit |
549fdc |
{
|
|
Packit |
549fdc |
const char *err;
|
|
Packit |
549fdc |
int ret;
|
|
Packit |
549fdc |
unsigned i;
|
|
Packit |
549fdc |
gnutls_session_t session;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (udp) {
|
|
Packit |
549fdc |
gnutls_init(&session, GNUTLS_DATAGRAM | init_flags);
|
|
Packit |
549fdc |
if (mtu)
|
|
Packit |
549fdc |
gnutls_dtls_set_mtu(session, mtu);
|
|
Packit |
549fdc |
} else
|
|
Packit |
549fdc |
gnutls_init(&session, init_flags);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (priorities == NULL) {
|
|
Packit |
549fdc |
ret = gnutls_set_default_priority(session);
|
|
Packit |
549fdc |
if (ret < 0) {
|
|
Packit |
549fdc |
fprintf(stderr, "Error in setting priorities: %s\n",
|
|
Packit |
549fdc |
gnutls_strerror(ret));
|
|
Packit |
549fdc |
exit(1);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
} else {
|
|
Packit |
549fdc |
ret = gnutls_priority_set_direct(session, priorities, &err;;
|
|
Packit |
549fdc |
if (ret < 0) {
|
|
Packit |
549fdc |
if (ret == GNUTLS_E_INVALID_REQUEST)
|
|
Packit |
549fdc |
fprintf(stderr, "Syntax error at: %s\n", err);
|
|
Packit |
549fdc |
else
|
|
Packit |
549fdc |
fprintf(stderr, "Error in priorities: %s\n",
|
|
Packit |
549fdc |
gnutls_strerror(ret));
|
|
Packit |
549fdc |
exit(1);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
/* allow the use of private ciphersuites.
|
|
Packit |
549fdc |
*/
|
|
Packit |
549fdc |
if (disable_extensions == 0 && disable_sni == 0) {
|
|
Packit |
549fdc |
if (HAVE_OPT(SNI_HOSTNAME)) {
|
|
Packit |
549fdc |
gnutls_server_name_set(session, GNUTLS_NAME_DNS,
|
|
Packit |
549fdc |
OPT_ARG(SNI_HOSTNAME), strlen(OPT_ARG(SNI_HOSTNAME)));
|
|
Packit |
549fdc |
} else if (host != NULL && is_ip(host) == 0)
|
|
Packit |
549fdc |
gnutls_server_name_set(session, GNUTLS_NAME_DNS,
|
|
Packit |
549fdc |
host, strlen(host));
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (HAVE_OPT(DH_BITS))
|
|
Packit |
549fdc |
gnutls_dh_set_prime_bits(session, OPT_VALUE_DH_BITS);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (HAVE_OPT(ALPN)) {
|
|
Packit |
549fdc |
unsigned proto_n = STACKCT_OPT(ALPN);
|
|
Packit |
549fdc |
char **protos = (void *) STACKLST_OPT(ALPN);
|
|
Packit |
549fdc |
gnutls_datum_t p[proto_n];
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
for (i = 0; i < proto_n; i++) {
|
|
Packit |
549fdc |
p[i].data = (void *) protos[i];
|
|
Packit |
549fdc |
p[i].size = strlen(protos[i]);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
gnutls_alpn_set_protocols(session, p, proto_n, 0);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
gnutls_credentials_set(session, GNUTLS_CRD_ANON, anon_cred);
|
|
Packit |
549fdc |
if (srp_cred)
|
|
Packit |
549fdc |
gnutls_credentials_set(session, GNUTLS_CRD_SRP, srp_cred);
|
|
Packit |
549fdc |
if (psk_cred)
|
|
Packit |
549fdc |
gnutls_credentials_set(session, GNUTLS_CRD_PSK, psk_cred);
|
|
Packit |
549fdc |
gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, xcred);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
gnutls_certificate_set_retrieve_function2(xcred, cert_callback);
|
|
Packit |
549fdc |
gnutls_certificate_set_verify_function(xcred,
|
|
Packit |
549fdc |
cert_verify_callback);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
/* use the max record size extension */
|
|
Packit |
549fdc |
if (record_max_size > 0 && disable_extensions == 0) {
|
|
Packit |
549fdc |
if (gnutls_record_set_max_size(session, record_max_size) <
|
|
Packit |
549fdc |
0) {
|
|
Packit |
549fdc |
fprintf(stderr,
|
|
Packit |
549fdc |
"Cannot set the maximum record size to %d.\n",
|
|
Packit |
549fdc |
record_max_size);
|
|
Packit |
549fdc |
fprintf(stderr,
|
|
Packit |
549fdc |
"Possible values: 512, 1024, 2048, 4096.\n");
|
|
Packit |
549fdc |
exit(1);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (HAVE_OPT(HEARTBEAT))
|
|
Packit |
549fdc |
gnutls_heartbeat_enable(session,
|
|
Packit |
549fdc |
GNUTLS_HB_PEER_ALLOWED_TO_SEND);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
#ifdef ENABLE_DTLS_SRTP
|
|
Packit |
549fdc |
if (HAVE_OPT(SRTP_PROFILES)) {
|
|
Packit |
549fdc |
ret =
|
|
Packit |
549fdc |
gnutls_srtp_set_profile_direct(session,
|
|
Packit |
549fdc |
OPT_ARG(SRTP_PROFILES),
|
|
Packit |
549fdc |
&err;;
|
|
Packit |
549fdc |
if (ret == GNUTLS_E_INVALID_REQUEST)
|
|
Packit |
549fdc |
fprintf(stderr, "Syntax error at: %s\n", err);
|
|
Packit |
549fdc |
else if (ret != 0)
|
|
Packit |
549fdc |
fprintf(stderr, "Error in profiles: %s\n",
|
|
Packit |
549fdc |
gnutls_strerror(ret));
|
|
Packit |
549fdc |
else fprintf(stderr,"DTLS profile set to %s\n",
|
|
Packit |
549fdc |
OPT_ARG(SRTP_PROFILES));
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (ret != 0) exit(1);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
#endif
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
return session;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
static void cmd_parser(int argc, char **argv);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
/* Returns zero if the error code was successfully handled.
|
|
Packit |
549fdc |
*/
|
|
Packit |
549fdc |
static int handle_error(socket_st * hd, int err)
|
|
Packit |
549fdc |
{
|
|
Packit |
549fdc |
int alert, ret;
|
|
Packit |
549fdc |
const char *err_type, *str;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (err >= 0 || err == GNUTLS_E_AGAIN
|
|
Packit |
549fdc |
|| err == GNUTLS_E_INTERRUPTED)
|
|
Packit |
549fdc |
return 0;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (gnutls_error_is_fatal(err) == 0) {
|
|
Packit |
549fdc |
ret = 0;
|
|
Packit |
549fdc |
err_type = "Non fatal";
|
|
Packit |
549fdc |
} else {
|
|
Packit |
549fdc |
ret = err;
|
|
Packit |
549fdc |
err_type = "Fatal";
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
str = gnutls_strerror(err);
|
|
Packit |
549fdc |
if (str == NULL)
|
|
Packit |
549fdc |
str = str_unknown;
|
|
Packit |
549fdc |
fprintf(stderr, "*** %s error: %s\n", err_type, str);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (err == GNUTLS_E_WARNING_ALERT_RECEIVED
|
|
Packit |
549fdc |
|| err == GNUTLS_E_FATAL_ALERT_RECEIVED) {
|
|
Packit |
549fdc |
alert = gnutls_alert_get(hd->session);
|
|
Packit |
549fdc |
str = gnutls_alert_get_name(alert);
|
|
Packit |
549fdc |
if (str == NULL)
|
|
Packit |
549fdc |
str = str_unknown;
|
|
Packit |
549fdc |
printf("*** Received alert [%d]: %s\n", alert, str);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
check_rehandshake(hd, err);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
return ret;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
int starttls_alarmed = 0;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
#ifndef _WIN32
|
|
Packit |
549fdc |
static void starttls_alarm(int signum)
|
|
Packit |
549fdc |
{
|
|
Packit |
549fdc |
starttls_alarmed = 1;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
#endif
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
static void tls_log_func(int level, const char *str)
|
|
Packit |
549fdc |
{
|
|
Packit |
549fdc |
fprintf(stderr, "|<%d>| %s", level, str);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
#define IN_KEYBOARD 1
|
|
Packit |
549fdc |
#define IN_NET 2
|
|
Packit |
549fdc |
#define IN_NONE 0
|
|
Packit |
549fdc |
/* returns IN_KEYBOARD for keyboard input and IN_NET for network input
|
|
Packit |
549fdc |
*/
|
|
Packit |
549fdc |
static int check_net_or_keyboard_input(socket_st * hd)
|
|
Packit |
549fdc |
{
|
|
Packit |
549fdc |
int maxfd;
|
|
Packit |
549fdc |
fd_set rset;
|
|
Packit |
549fdc |
int err;
|
|
Packit |
549fdc |
struct timeval tv;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
do {
|
|
Packit |
549fdc |
FD_ZERO(&rset);
|
|
Packit |
549fdc |
FD_SET(hd->fd, &rset);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
#ifndef _WIN32
|
|
Packit |
549fdc |
FD_SET(fileno(stdin), &rset);
|
|
Packit |
549fdc |
maxfd = MAX(fileno(stdin), hd->fd);
|
|
Packit |
549fdc |
#else
|
|
Packit |
549fdc |
maxfd = hd->fd;
|
|
Packit |
549fdc |
#endif
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
tv.tv_sec = 0;
|
|
Packit |
549fdc |
tv.tv_usec = 500 * 1000;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (hd->secure == 1)
|
|
Packit |
549fdc |
if (gnutls_record_check_pending(hd->session))
|
|
Packit |
549fdc |
return IN_NET;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
err = select(maxfd + 1, &rset, NULL, NULL, &tv;;
|
|
Packit |
549fdc |
if (err < 0)
|
|
Packit |
549fdc |
continue;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (FD_ISSET(hd->fd, &rset))
|
|
Packit |
549fdc |
return IN_NET;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
#ifdef _WIN32
|
|
Packit |
549fdc |
{
|
|
Packit |
549fdc |
int state;
|
|
Packit |
549fdc |
state =
|
|
Packit |
549fdc |
WaitForSingleObject(GetStdHandle
|
|
Packit |
549fdc |
(STD_INPUT_HANDLE), 200);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (state == WAIT_OBJECT_0)
|
|
Packit |
549fdc |
return IN_KEYBOARD;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
#else
|
|
Packit |
549fdc |
if (FD_ISSET(fileno(stdin), &rset))
|
|
Packit |
549fdc |
return IN_KEYBOARD;
|
|
Packit |
549fdc |
#endif
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
while (err == 0);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
return IN_NONE;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
static int try_rehandshake(socket_st * hd)
|
|
Packit |
549fdc |
{
|
|
Packit |
549fdc |
int ret;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
ret = do_handshake(hd);
|
|
Packit |
549fdc |
if (ret < 0) {
|
|
Packit |
549fdc |
fprintf(stderr, "*** ReHandshake has failed\n");
|
|
Packit |
549fdc |
gnutls_perror(ret);
|
|
Packit |
549fdc |
return ret;
|
|
Packit |
549fdc |
} else {
|
|
Packit |
549fdc |
printf("- ReHandshake was completed\n");
|
|
Packit |
549fdc |
return 0;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
static int try_resume(socket_st * hd)
|
|
Packit |
549fdc |
{
|
|
Packit |
549fdc |
int ret, socket_flags = 0;
|
|
Packit |
549fdc |
gnutls_datum_t rdata = {NULL, 0};
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (gnutls_session_is_resumed(hd->session) == 0) {
|
|
Packit |
549fdc |
/* not resumed - obtain the session data */
|
|
Packit |
549fdc |
ret = gnutls_session_get_data2(hd->session, &rdata);
|
|
Packit |
549fdc |
if (ret < 0) {
|
|
Packit |
549fdc |
rdata.data = NULL;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
} else {
|
|
Packit |
549fdc |
/* resumed - try to reuse the previous session data */
|
|
Packit |
549fdc |
rdata.data = hd->rdata.data;
|
|
Packit |
549fdc |
rdata.size = hd->rdata.size;
|
|
Packit |
549fdc |
hd->rdata.data = NULL;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
printf("- Disconnecting\n");
|
|
Packit |
549fdc |
socket_bye(hd, 1);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
canonicalize_host(hostname, service, sizeof(service));
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
printf
|
|
Packit |
549fdc |
("\n\n- Connecting again- trying to resume previous session\n");
|
|
Packit |
549fdc |
if (HAVE_OPT(STARTTLS_PROTO))
|
|
Packit |
549fdc |
socket_flags |= SOCKET_FLAG_STARTTLS;
|
|
Packit |
549fdc |
else if (fastopen)
|
|
Packit |
549fdc |
socket_flags |= SOCKET_FLAG_FASTOPEN;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (udp)
|
|
Packit |
549fdc |
socket_flags |= SOCKET_FLAG_UDP;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
socket_open(hd, hostname, service, OPT_ARG(STARTTLS_PROTO),
|
|
Packit |
549fdc |
socket_flags, CONNECT_MSG, &rdata);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
printf("- Resume Handshake was completed\n");
|
|
Packit |
549fdc |
if (gnutls_session_is_resumed(hd->session) != 0)
|
|
Packit |
549fdc |
printf("*** This is a resumed session\n");
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
return 0;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
static
|
|
Packit |
549fdc |
bool parse_for_inline_commands_in_buffer(char *buffer, size_t bytes,
|
|
Packit |
549fdc |
inline_cmds_st * inline_cmds)
|
|
Packit |
549fdc |
{
|
|
Packit |
549fdc |
ssize_t local_bytes, match_bytes, prev_bytes_copied, ii, jj;
|
|
Packit |
549fdc |
char *local_buffer_ptr, *ptr;
|
|
Packit |
549fdc |
char inline_command_string[MAX_INLINE_COMMAND_BYTES];
|
|
Packit |
549fdc |
ssize_t l;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
inline_cmds->bytes_to_flush = 0;
|
|
Packit |
549fdc |
inline_cmds->cmd_found = INLINE_COMMAND_NONE;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (inline_cmds->bytes_copied) {
|
|
Packit |
549fdc |
local_buffer_ptr =
|
|
Packit |
549fdc |
&inline_cmds->inline_cmd_buffer[inline_cmds->
|
|
Packit |
549fdc |
bytes_copied];
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
local_bytes =
|
|
Packit |
549fdc |
((inline_cmds->bytes_copied + bytes) <=
|
|
Packit |
549fdc |
MAX_INLINE_COMMAND_BYTES) ? (ssize_t) bytes
|
|
Packit |
549fdc |
: (MAX_INLINE_COMMAND_BYTES -
|
|
Packit |
549fdc |
inline_cmds->bytes_copied);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
memcpy(local_buffer_ptr, buffer, local_bytes);
|
|
Packit |
549fdc |
prev_bytes_copied = inline_cmds->bytes_copied;
|
|
Packit |
549fdc |
inline_cmds->new_buffer_ptr = buffer + local_bytes;
|
|
Packit |
549fdc |
inline_cmds->bytes_copied += local_bytes;
|
|
Packit |
549fdc |
local_buffer_ptr = inline_cmds->inline_cmd_buffer;
|
|
Packit |
549fdc |
local_bytes = inline_cmds->bytes_copied;
|
|
Packit |
549fdc |
} else {
|
|
Packit |
549fdc |
prev_bytes_copied = 0;
|
|
Packit |
549fdc |
local_buffer_ptr = buffer;
|
|
Packit |
549fdc |
local_bytes = bytes;
|
|
Packit |
549fdc |
inline_cmds->new_buffer_ptr = buffer + bytes;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
inline_cmds->current_ptr = local_buffer_ptr;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (local_buffer_ptr[0] == inline_commands_prefix[0]
|
|
Packit |
549fdc |
&& inline_cmds->lf_found) {
|
|
Packit |
549fdc |
for (jj = 0; jj < NUM_INLINE_COMMANDS; jj++) {
|
|
Packit |
549fdc |
if (inline_commands_prefix[0] != '^') { /* refer inline_cmds.h for usage of ^ */
|
|
Packit |
549fdc |
strcpy(inline_command_string,
|
|
Packit |
549fdc |
inline_commands_def[jj].string);
|
|
Packit |
549fdc |
inline_command_string[strlen
|
|
Packit |
549fdc |
(inline_commands_def
|
|
Packit |
549fdc |
[jj].string)] =
|
|
Packit |
549fdc |
'\0';
|
|
Packit |
549fdc |
inline_command_string[0] =
|
|
Packit |
549fdc |
inline_commands_prefix[0];
|
|
Packit |
549fdc |
/* Inline commands are delimited by the inline_commands_prefix[0] (default is ^).
|
|
Packit |
549fdc |
The inline_commands_def[].string includes a trailing LF */
|
|
Packit |
549fdc |
inline_command_string[strlen
|
|
Packit |
549fdc |
(inline_commands_def
|
|
Packit |
549fdc |
[jj].string) - 2] =
|
|
Packit |
549fdc |
inline_commands_prefix[0];
|
|
Packit |
549fdc |
ptr = inline_command_string;
|
|
Packit |
549fdc |
} else
|
|
Packit |
549fdc |
ptr = inline_commands_def[jj].string;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
l = strlen(ptr);
|
|
Packit |
549fdc |
match_bytes = (local_bytes <= l) ? local_bytes : l;
|
|
Packit |
549fdc |
if (strncmp(ptr, local_buffer_ptr, match_bytes) ==
|
|
Packit |
549fdc |
0) {
|
|
Packit |
549fdc |
if (match_bytes == (ssize_t) strlen(ptr)) {
|
|
Packit |
549fdc |
inline_cmds->new_buffer_ptr =
|
|
Packit |
549fdc |
buffer + match_bytes -
|
|
Packit |
549fdc |
prev_bytes_copied;
|
|
Packit |
549fdc |
inline_cmds->cmd_found =
|
|
Packit |
549fdc |
inline_commands_def[jj].
|
|
Packit |
549fdc |
command;
|
|
Packit |
549fdc |
inline_cmds->bytes_copied = 0; /* reset it */
|
|
Packit |
549fdc |
} else {
|
|
Packit |
549fdc |
/* partial command */
|
|
Packit |
549fdc |
memcpy(&inline_cmds->
|
|
Packit |
549fdc |
inline_cmd_buffer
|
|
Packit |
549fdc |
[inline_cmds->bytes_copied],
|
|
Packit |
549fdc |
buffer, bytes);
|
|
Packit |
549fdc |
inline_cmds->bytes_copied += bytes;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
return true;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
/* else - if not a match, do nothing here */
|
|
Packit |
549fdc |
} /* for */
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
for (ii = prev_bytes_copied; ii < local_bytes; ii++) {
|
|
Packit |
549fdc |
if (ii && local_buffer_ptr[ii] == inline_commands_prefix[0]
|
|
Packit |
549fdc |
&& inline_cmds->lf_found) {
|
|
Packit |
549fdc |
/* possible inline command. First, let's flush bytes up to ^ */
|
|
Packit |
549fdc |
inline_cmds->new_buffer_ptr =
|
|
Packit |
549fdc |
buffer + ii - prev_bytes_copied;
|
|
Packit |
549fdc |
inline_cmds->bytes_to_flush = ii;
|
|
Packit |
549fdc |
inline_cmds->lf_found = true;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
/* bytes to flush starts at inline_cmds->current_ptr */
|
|
Packit |
549fdc |
return true;
|
|
Packit |
549fdc |
} else if (local_buffer_ptr[ii] == '\n') {
|
|
Packit |
549fdc |
inline_cmds->lf_found = true;
|
|
Packit |
549fdc |
} else {
|
|
Packit |
549fdc |
inline_cmds->lf_found = false;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
} /* for */
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
inline_cmds->bytes_copied = 0; /* reset it */
|
|
Packit |
549fdc |
return false; /* not an inline command */
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
static
|
|
Packit |
549fdc |
int run_inline_command(inline_cmds_st * cmd, socket_st * hd)
|
|
Packit |
549fdc |
{
|
|
Packit |
549fdc |
switch (cmd->cmd_found) {
|
|
Packit |
549fdc |
case INLINE_COMMAND_RESUME:
|
|
Packit |
549fdc |
return try_resume(hd);
|
|
Packit |
549fdc |
case INLINE_COMMAND_RENEGOTIATE:
|
|
Packit |
549fdc |
return try_rehandshake(hd);
|
|
Packit |
549fdc |
default:
|
|
Packit |
549fdc |
return -1;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
static
|
|
Packit |
549fdc |
int do_inline_command_processing(char *buffer_ptr, size_t curr_bytes,
|
|
Packit |
549fdc |
socket_st * hd,
|
|
Packit |
549fdc |
inline_cmds_st * inline_cmds)
|
|
Packit |
549fdc |
{
|
|
Packit |
549fdc |
int skip_bytes, bytes;
|
|
Packit |
549fdc |
bool inline_cmd_start_found;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
bytes = curr_bytes;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
continue_inline_processing:
|
|
Packit |
549fdc |
/* parse_for_inline_commands_in_buffer hunts for start of an inline command
|
|
Packit |
549fdc |
* sequence. The function maintains state information in inline_cmds.
|
|
Packit |
549fdc |
*/
|
|
Packit |
549fdc |
inline_cmd_start_found =
|
|
Packit |
549fdc |
parse_for_inline_commands_in_buffer(buffer_ptr, bytes,
|
|
Packit |
549fdc |
inline_cmds);
|
|
Packit |
549fdc |
if (!inline_cmd_start_found)
|
|
Packit |
549fdc |
return bytes;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
/* inline_cmd_start_found is set */
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (inline_cmds->bytes_to_flush) {
|
|
Packit |
549fdc |
/* start of an inline command sequence found, but is not
|
|
Packit |
549fdc |
* at the beginning of buffer. So, we flush all preceding bytes.
|
|
Packit |
549fdc |
*/
|
|
Packit |
549fdc |
return inline_cmds->bytes_to_flush;
|
|
Packit |
549fdc |
} else if (inline_cmds->cmd_found == INLINE_COMMAND_NONE) {
|
|
Packit |
549fdc |
/* partial command found */
|
|
Packit |
549fdc |
return 0;
|
|
Packit |
549fdc |
} else {
|
|
Packit |
549fdc |
/* complete inline command found and is at the start */
|
|
Packit |
549fdc |
if (run_inline_command(inline_cmds, hd))
|
|
Packit |
549fdc |
return -1;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
inline_cmds->cmd_found = INLINE_COMMAND_NONE;
|
|
Packit |
549fdc |
skip_bytes = inline_cmds->new_buffer_ptr - buffer_ptr;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (skip_bytes >= bytes)
|
|
Packit |
549fdc |
return 0;
|
|
Packit |
549fdc |
else {
|
|
Packit |
549fdc |
buffer_ptr = inline_cmds->new_buffer_ptr;
|
|
Packit |
549fdc |
bytes -= skip_bytes;
|
|
Packit |
549fdc |
goto continue_inline_processing;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
static void
|
|
Packit |
549fdc |
print_other_info(gnutls_session_t session)
|
|
Packit |
549fdc |
{
|
|
Packit |
549fdc |
int ret;
|
|
Packit |
549fdc |
gnutls_datum_t oresp;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
ret = gnutls_ocsp_status_request_get(session, &oresp);
|
|
Packit |
549fdc |
if (ret < 0) {
|
|
Packit |
549fdc |
oresp.data = NULL;
|
|
Packit |
549fdc |
oresp.size = 0;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (ENABLED_OPT(VERBOSE) && oresp.data) {
|
|
Packit |
549fdc |
gnutls_ocsp_resp_t r;
|
|
Packit |
549fdc |
gnutls_datum_t p;
|
|
Packit |
549fdc |
unsigned flag;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
ret = gnutls_ocsp_resp_init(&r);
|
|
Packit |
549fdc |
if (ret < 0) {
|
|
Packit |
549fdc |
fprintf(stderr, "ocsp_resp_init: %s\n",
|
|
Packit |
549fdc |
gnutls_strerror(ret));
|
|
Packit |
549fdc |
return;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
ret = gnutls_ocsp_resp_import(r, &oresp);
|
|
Packit |
549fdc |
if (ret < 0) {
|
|
Packit |
549fdc |
fprintf(stderr, "importing response: %s\n",
|
|
Packit |
549fdc |
gnutls_strerror(ret));
|
|
Packit |
549fdc |
return;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (print_cert != 0)
|
|
Packit |
549fdc |
flag = GNUTLS_OCSP_PRINT_FULL;
|
|
Packit |
549fdc |
else
|
|
Packit |
549fdc |
flag = GNUTLS_OCSP_PRINT_COMPACT;
|
|
Packit |
549fdc |
ret =
|
|
Packit |
549fdc |
gnutls_ocsp_resp_print(r, flag, &p);
|
|
Packit |
549fdc |
gnutls_ocsp_resp_deinit(r);
|
|
Packit |
549fdc |
if (ret>=0) {
|
|
Packit |
549fdc |
fputs((char*)p.data, stdout);
|
|
Packit |
549fdc |
gnutls_free(p.data);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
static void flush_socket(socket_st *hd, unsigned ms)
|
|
Packit |
549fdc |
{
|
|
Packit |
549fdc |
int ret, ii;
|
|
Packit |
549fdc |
char buffer[MAX_BUF + 1];
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
memset(buffer, 0, MAX_BUF + 1);
|
|
Packit |
549fdc |
ret = socket_recv_timeout(hd, buffer, MAX_BUF, ms);
|
|
Packit |
549fdc |
if (ret == 0)
|
|
Packit |
549fdc |
return;
|
|
Packit |
549fdc |
else if (ret > 0) {
|
|
Packit |
549fdc |
if (verbose != 0)
|
|
Packit |
549fdc |
printf("- Received[%d]: ", ret);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
for (ii = 0; ii < ret; ii++) {
|
|
Packit |
549fdc |
fputc(buffer[ii], stdout);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
fflush(stdout);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
int main(int argc, char **argv)
|
|
Packit |
549fdc |
{
|
|
Packit |
549fdc |
int ret;
|
|
Packit |
549fdc |
int ii, inp;
|
|
Packit |
549fdc |
char buffer[MAX_BUF + 1];
|
|
Packit |
549fdc |
int user_term = 0, retval = 0;
|
|
Packit |
549fdc |
socket_st hd;
|
|
Packit |
549fdc |
ssize_t bytes, keyboard_bytes;
|
|
Packit |
549fdc |
char *keyboard_buffer_ptr;
|
|
Packit |
549fdc |
inline_cmds_st inline_cmds;
|
|
Packit |
549fdc |
unsigned last_op_is_write = 0;
|
|
Packit |
549fdc |
int socket_flags = 0;
|
|
Packit |
549fdc |
FILE *server_fp = NULL;
|
|
Packit |
549fdc |
FILE *client_fp = NULL;
|
|
Packit |
549fdc |
#ifndef _WIN32
|
|
Packit |
549fdc |
struct sigaction new_action;
|
|
Packit |
549fdc |
#endif
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
cmd_parser(argc, argv);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
gnutls_global_set_log_function(tls_log_func);
|
|
Packit |
549fdc |
gnutls_global_set_log_level(OPT_VALUE_DEBUG);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if ((ret = gnutls_global_init()) < 0) {
|
|
Packit |
549fdc |
fprintf(stderr, "global_init: %s\n", gnutls_strerror(ret));
|
|
Packit |
549fdc |
exit(1);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (hostname == NULL) {
|
|
Packit |
549fdc |
fprintf(stderr, "No hostname given\n");
|
|
Packit |
549fdc |
exit(1);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
sockets_init();
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
init_global_tls_stuff();
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
canonicalize_host(hostname, service, sizeof(service));
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (udp)
|
|
Packit |
549fdc |
socket_flags |= SOCKET_FLAG_UDP;
|
|
Packit |
549fdc |
if (fastopen)
|
|
Packit |
549fdc |
socket_flags |= SOCKET_FLAG_FASTOPEN;
|
|
Packit |
549fdc |
if (verbose)
|
|
Packit |
549fdc |
socket_flags |= SOCKET_FLAG_VERBOSE;
|
|
Packit |
549fdc |
if (starttls)
|
|
Packit |
549fdc |
socket_flags |= SOCKET_FLAG_RAW;
|
|
Packit |
549fdc |
else if (HAVE_OPT(STARTTLS_PROTO))
|
|
Packit |
549fdc |
socket_flags |= SOCKET_FLAG_STARTTLS;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (HAVE_OPT(SAVE_SERVER_TRACE)) {
|
|
Packit |
549fdc |
server_fp = fopen(OPT_ARG(SAVE_SERVER_TRACE), "wb");
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
if (HAVE_OPT(SAVE_CLIENT_TRACE)) {
|
|
Packit |
549fdc |
client_fp = fopen(OPT_ARG(SAVE_CLIENT_TRACE), "wb");
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
socket_open2(&hd, hostname, service, OPT_ARG(STARTTLS_PROTO),
|
|
Packit |
549fdc |
socket_flags, CONNECT_MSG, NULL,
|
|
Packit |
549fdc |
server_fp, client_fp);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
hd.verbose = verbose;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (hd.secure) {
|
|
Packit |
549fdc |
printf("- Handshake was completed\n");
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (resume != 0)
|
|
Packit |
549fdc |
if (try_resume(&hd)) {
|
|
Packit |
549fdc |
retval = 1;
|
|
Packit |
549fdc |
goto cleanup;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
print_other_info(hd.session);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
/* Warning! Do not touch this text string, it is used by external
|
|
Packit |
549fdc |
programs to search for when gnutls-cli has reached this point. */
|
|
Packit |
549fdc |
printf("\n- Simple Client Mode:\n\n");
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (rehandshake)
|
|
Packit |
549fdc |
if (try_rehandshake(&hd)) {
|
|
Packit |
549fdc |
retval = 1;
|
|
Packit |
549fdc |
goto cleanup;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
#ifndef _WIN32
|
|
Packit |
549fdc |
new_action.sa_handler = starttls_alarm;
|
|
Packit |
549fdc |
sigemptyset(&new_action.sa_mask);
|
|
Packit |
549fdc |
new_action.sa_flags = 0;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
sigaction(SIGALRM, &new_action, NULL);
|
|
Packit |
549fdc |
#endif
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
fflush(stdout);
|
|
Packit |
549fdc |
fflush(stderr);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
/* do not buffer */
|
|
Packit |
549fdc |
#ifndef _WIN32
|
|
Packit |
549fdc |
setbuf(stdin, NULL);
|
|
Packit |
549fdc |
#endif
|
|
Packit |
549fdc |
setbuf(stdout, NULL);
|
|
Packit |
549fdc |
setbuf(stderr, NULL);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
memset(&inline_cmds, 0, sizeof(inline_cmds_st));
|
|
Packit |
549fdc |
if (inline_commands) {
|
|
Packit |
549fdc |
inline_cmds.lf_found = true; /* initially, at start of line */
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
for (;;) {
|
|
Packit |
549fdc |
if (starttls_alarmed && !hd.secure) {
|
|
Packit |
549fdc |
/* Warning! Do not touch this text string, it is used by
|
|
Packit |
549fdc |
external programs to search for when gnutls-cli has
|
|
Packit |
549fdc |
reached this point. */
|
|
Packit |
549fdc |
fprintf(stderr, "*** Starting TLS handshake\n");
|
|
Packit |
549fdc |
ret = do_handshake(&hd;;
|
|
Packit |
549fdc |
if (ret < 0) {
|
|
Packit |
549fdc |
fprintf(stderr,
|
|
Packit |
549fdc |
"*** Handshake has failed\n");
|
|
Packit |
549fdc |
user_term = 1;
|
|
Packit |
549fdc |
retval = 1;
|
|
Packit |
549fdc |
break;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
inp = check_net_or_keyboard_input(&hd;;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (inp == IN_NET) {
|
|
Packit |
549fdc |
memset(buffer, 0, MAX_BUF + 1);
|
|
Packit |
549fdc |
last_op_is_write = 0;
|
|
Packit |
549fdc |
ret = socket_recv(&hd, buffer, MAX_BUF);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (ret == 0) {
|
|
Packit |
549fdc |
printf
|
|
Packit |
549fdc |
("- Peer has closed the GnuTLS connection\n");
|
|
Packit |
549fdc |
break;
|
|
Packit |
549fdc |
} else if (handle_error(&hd, ret) < 0
|
|
Packit |
549fdc |
&& user_term == 0) {
|
|
Packit |
549fdc |
fprintf(stderr,
|
|
Packit |
549fdc |
"*** Server has terminated the connection abnormally.\n");
|
|
Packit |
549fdc |
retval = 1;
|
|
Packit |
549fdc |
break;
|
|
Packit |
549fdc |
} else if (ret > 0) {
|
|
Packit |
549fdc |
if (verbose != 0)
|
|
Packit |
549fdc |
printf("- Received[%d]: ", ret);
|
|
Packit |
549fdc |
for (ii = 0; ii < ret; ii++) {
|
|
Packit |
549fdc |
fputc(buffer[ii], stdout);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
fflush(stdout);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (user_term != 0)
|
|
Packit |
549fdc |
break;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (inp == IN_KEYBOARD) {
|
|
Packit |
549fdc |
if ((bytes =
|
|
Packit |
549fdc |
read(fileno(stdin), buffer,
|
|
Packit |
549fdc |
MAX_BUF - 1)) <= 0) {
|
|
Packit |
549fdc |
if (hd.secure == 0) {
|
|
Packit |
549fdc |
/* Warning! Do not touch this text string, it is
|
|
Packit |
549fdc |
used by external programs to search for when
|
|
Packit |
549fdc |
gnutls-cli has reached this point. */
|
|
Packit |
549fdc |
fprintf(stderr,
|
|
Packit |
549fdc |
"*** Starting TLS handshake\n");
|
|
Packit |
549fdc |
ret = do_handshake(&hd;;
|
|
Packit |
549fdc |
clearerr(stdin);
|
|
Packit |
549fdc |
if (ret < 0) {
|
|
Packit |
549fdc |
fprintf(stderr,
|
|
Packit |
549fdc |
"*** Handshake has failed\n");
|
|
Packit |
549fdc |
user_term = 1;
|
|
Packit |
549fdc |
retval = 1;
|
|
Packit |
549fdc |
break;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
} else {
|
|
Packit |
549fdc |
if (last_op_is_write)
|
|
Packit |
549fdc |
flush_socket(&hd, TERM_TIMEOUT);
|
|
Packit |
549fdc |
user_term = 1;
|
|
Packit |
549fdc |
break;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
continue;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
buffer[bytes] = 0;
|
|
Packit |
549fdc |
if (crlf != 0) {
|
|
Packit |
549fdc |
char *b = strchr(buffer, '\n');
|
|
Packit |
549fdc |
if (b != NULL) {
|
|
Packit |
549fdc |
strcpy(b, "\r\n");
|
|
Packit |
549fdc |
bytes++;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
keyboard_bytes = bytes;
|
|
Packit |
549fdc |
keyboard_buffer_ptr = buffer;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
inline_command_processing:
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (inline_commands) {
|
|
Packit |
549fdc |
keyboard_bytes =
|
|
Packit |
549fdc |
do_inline_command_processing
|
|
Packit |
549fdc |
(keyboard_buffer_ptr, keyboard_bytes,
|
|
Packit |
549fdc |
&hd, &inline_cmds);
|
|
Packit |
549fdc |
if (keyboard_bytes == 0)
|
|
Packit |
549fdc |
continue;
|
|
Packit |
549fdc |
else if (keyboard_bytes < 0) { /* error processing an inline command */
|
|
Packit |
549fdc |
retval = 1;
|
|
Packit |
549fdc |
break;
|
|
Packit |
549fdc |
} else {
|
|
Packit |
549fdc |
/* current_ptr could point to either an inline_cmd_buffer
|
|
Packit |
549fdc |
* or may point to start or an offset into buffer.
|
|
Packit |
549fdc |
*/
|
|
Packit |
549fdc |
keyboard_buffer_ptr =
|
|
Packit |
549fdc |
inline_cmds.current_ptr;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
last_op_is_write = 1;
|
|
Packit |
549fdc |
if (ranges
|
|
Packit |
549fdc |
&& gnutls_record_can_use_length_hiding(hd.
|
|
Packit |
549fdc |
session))
|
|
Packit |
549fdc |
{
|
|
Packit |
549fdc |
gnutls_range_st range;
|
|
Packit |
549fdc |
range.low = 0;
|
|
Packit |
549fdc |
range.high = MAX_BUF;
|
|
Packit |
549fdc |
ret =
|
|
Packit |
549fdc |
socket_send_range(&hd,
|
|
Packit |
549fdc |
keyboard_buffer_ptr,
|
|
Packit |
549fdc |
keyboard_bytes,
|
|
Packit |
549fdc |
&range);
|
|
Packit |
549fdc |
} else {
|
|
Packit |
549fdc |
ret =
|
|
Packit |
549fdc |
socket_send(&hd, keyboard_buffer_ptr,
|
|
Packit |
549fdc |
keyboard_bytes);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (ret > 0) {
|
|
Packit |
549fdc |
if (verbose != 0)
|
|
Packit |
549fdc |
printf("- Sent: %d bytes\n", ret);
|
|
Packit |
549fdc |
} else
|
|
Packit |
549fdc |
handle_error(&hd, ret);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (inline_commands &&
|
|
Packit |
549fdc |
inline_cmds.new_buffer_ptr < (buffer + bytes))
|
|
Packit |
549fdc |
{
|
|
Packit |
549fdc |
keyboard_buffer_ptr =
|
|
Packit |
549fdc |
inline_cmds.new_buffer_ptr;
|
|
Packit |
549fdc |
keyboard_bytes =
|
|
Packit |
549fdc |
(buffer + bytes) - keyboard_buffer_ptr;
|
|
Packit |
549fdc |
goto inline_command_processing;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
cleanup:
|
|
Packit |
549fdc |
if (user_term != 0)
|
|
Packit |
549fdc |
socket_bye(&hd, 1);
|
|
Packit |
549fdc |
else
|
|
Packit |
549fdc |
socket_bye(&hd, 0);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
#ifdef ENABLE_SRP
|
|
Packit |
549fdc |
if (srp_cred)
|
|
Packit |
549fdc |
gnutls_srp_free_client_credentials(srp_cred);
|
|
Packit |
549fdc |
#endif
|
|
Packit |
549fdc |
#ifdef ENABLE_PSK
|
|
Packit |
549fdc |
if (psk_cred)
|
|
Packit |
549fdc |
gnutls_psk_free_client_credentials(psk_cred);
|
|
Packit |
549fdc |
#endif
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
gnutls_certificate_free_credentials(xcred);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
#ifdef ENABLE_ANON
|
|
Packit |
549fdc |
gnutls_anon_free_client_credentials(anon_cred);
|
|
Packit |
549fdc |
#endif
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
gnutls_global_deinit();
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
return retval;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
static
|
|
Packit |
549fdc |
void print_priority_list(void)
|
|
Packit |
549fdc |
{
|
|
Packit |
549fdc |
unsigned int idx;
|
|
Packit |
549fdc |
const char *str;
|
|
Packit |
549fdc |
unsigned int lineb = 0;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
printf("Priority strings in GnuTLS %s:\n", gnutls_check_version(NULL));
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
fputs("\t", stdout);
|
|
Packit |
549fdc |
for (idx=0;;idx++) {
|
|
Packit |
549fdc |
str = gnutls_priority_string_list(idx, GNUTLS_PRIORITY_LIST_INIT_KEYWORDS);
|
|
Packit |
549fdc |
if (str == NULL)
|
|
Packit |
549fdc |
break;
|
|
Packit |
549fdc |
lineb += printf("%s ", str);
|
|
Packit |
549fdc |
if (lineb > 64) {
|
|
Packit |
549fdc |
lineb = 0;
|
|
Packit |
549fdc |
printf("\n\t");
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
printf("\n\nSpecial strings:\n");
|
|
Packit |
549fdc |
lineb = 0;
|
|
Packit |
549fdc |
fputs("\t", stdout);
|
|
Packit |
549fdc |
for (idx=0;;idx++) {
|
|
Packit |
549fdc |
str = gnutls_priority_string_list(idx, GNUTLS_PRIORITY_LIST_SPECIAL);
|
|
Packit |
549fdc |
if (str == NULL)
|
|
Packit |
549fdc |
break;
|
|
Packit |
549fdc |
if (str[0] == 0)
|
|
Packit |
549fdc |
continue;
|
|
Packit |
549fdc |
lineb += printf("%%%s ", str);
|
|
Packit |
549fdc |
if (lineb > 64) {
|
|
Packit |
549fdc |
lineb = 0;
|
|
Packit |
549fdc |
printf("\n\t");
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
printf("\n");
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
return;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
static void cmd_parser(int argc, char **argv)
|
|
Packit |
549fdc |
{
|
|
Packit |
549fdc |
char *rest = NULL;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
int optct = optionProcess(&gnutls_cliOptions, argc, argv);
|
|
Packit |
549fdc |
argc -= optct;
|
|
Packit |
549fdc |
argv += optct;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (rest == NULL && argc > 0)
|
|
Packit |
549fdc |
rest = argv[0];
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (HAVE_OPT(FIPS140_MODE)) {
|
|
Packit |
549fdc |
if (gnutls_fips140_mode_enabled() != 0) {
|
|
Packit |
549fdc |
fprintf(stderr, "library is in FIPS140-2 mode\n");
|
|
Packit |
549fdc |
exit(0);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
fprintf(stderr, "library is NOT in FIPS140-2 mode\n");
|
|
Packit |
549fdc |
exit(1);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (HAVE_OPT(BENCHMARK_CIPHERS)) {
|
|
Packit |
549fdc |
benchmark_cipher(OPT_VALUE_DEBUG);
|
|
Packit |
549fdc |
exit(0);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (HAVE_OPT(BENCHMARK_TLS_CIPHERS)) {
|
|
Packit |
549fdc |
benchmark_tls(OPT_VALUE_DEBUG, 1);
|
|
Packit |
549fdc |
exit(0);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (HAVE_OPT(BENCHMARK_TLS_KX)) {
|
|
Packit |
549fdc |
benchmark_tls(OPT_VALUE_DEBUG, 0);
|
|
Packit |
549fdc |
exit(0);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (HAVE_OPT(PRIORITY)) {
|
|
Packit |
549fdc |
priorities = OPT_ARG(PRIORITY);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
verbose = HAVE_OPT(VERBOSE);
|
|
Packit |
549fdc |
if (verbose)
|
|
Packit |
549fdc |
print_cert = 1;
|
|
Packit |
549fdc |
else
|
|
Packit |
549fdc |
print_cert = HAVE_OPT(PRINT_CERT);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (HAVE_OPT(LIST)) {
|
|
Packit |
549fdc |
print_list(priorities, verbose);
|
|
Packit |
549fdc |
exit(0);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (HAVE_OPT(PRIORITY_LIST)) {
|
|
Packit |
549fdc |
print_priority_list();
|
|
Packit |
549fdc |
exit(0);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
disable_sni = HAVE_OPT(DISABLE_SNI);
|
|
Packit |
549fdc |
disable_extensions = HAVE_OPT(DISABLE_EXTENSIONS);
|
|
Packit |
549fdc |
if (disable_extensions)
|
|
Packit |
549fdc |
init_flags |= GNUTLS_NO_EXTENSIONS;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
inline_commands = HAVE_OPT(INLINE_COMMANDS);
|
|
Packit |
549fdc |
if (HAVE_OPT(INLINE_COMMANDS_PREFIX)) {
|
|
Packit |
549fdc |
if (strlen(OPT_ARG(INLINE_COMMANDS_PREFIX)) > 1) {
|
|
Packit |
549fdc |
fprintf(stderr,
|
|
Packit |
549fdc |
"inline-commands-prefix value is a single US-ASCII character (octets 0 - 127)\n");
|
|
Packit |
549fdc |
exit(1);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
inline_commands_prefix =
|
|
Packit |
549fdc |
(char *) OPT_ARG(INLINE_COMMANDS_PREFIX);
|
|
Packit |
549fdc |
if (!isascii(inline_commands_prefix[0])) {
|
|
Packit |
549fdc |
fprintf(stderr,
|
|
Packit |
549fdc |
"inline-commands-prefix value is a single US-ASCII character (octets 0 - 127)\n");
|
|
Packit |
549fdc |
exit(1);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
} else
|
|
Packit |
549fdc |
inline_commands_prefix = "^";
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
starttls = HAVE_OPT(STARTTLS);
|
|
Packit |
549fdc |
resume = HAVE_OPT(RESUME);
|
|
Packit |
549fdc |
rehandshake = HAVE_OPT(REHANDSHAKE);
|
|
Packit |
549fdc |
insecure = HAVE_OPT(INSECURE);
|
|
Packit |
549fdc |
ranges = HAVE_OPT(RANGES);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (insecure || HAVE_OPT(VERIFY_ALLOW_BROKEN)) {
|
|
Packit |
549fdc |
global_vflags |= GNUTLS_VERIFY_ALLOW_BROKEN;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
udp = HAVE_OPT(UDP);
|
|
Packit |
549fdc |
mtu = OPT_VALUE_MTU;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (HAVE_OPT(PORT)) {
|
|
Packit |
549fdc |
snprintf(service, sizeof(service), "%s", OPT_ARG(PORT));
|
|
Packit |
549fdc |
} else {
|
|
Packit |
549fdc |
if (HAVE_OPT(STARTTLS_PROTO))
|
|
Packit |
549fdc |
snprintf(service, sizeof(service), "%s", starttls_proto_to_service(OPT_ARG(STARTTLS_PROTO)));
|
|
Packit |
549fdc |
else
|
|
Packit |
549fdc |
strcpy(service, "443");
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
record_max_size = OPT_VALUE_RECORDSIZE;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (HAVE_OPT(X509FMTDER))
|
|
Packit |
549fdc |
x509ctype = GNUTLS_X509_FMT_DER;
|
|
Packit |
549fdc |
else
|
|
Packit |
549fdc |
x509ctype = GNUTLS_X509_FMT_PEM;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (HAVE_OPT(SRPUSERNAME))
|
|
Packit |
549fdc |
srp_username = OPT_ARG(SRPUSERNAME);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (HAVE_OPT(SRPPASSWD))
|
|
Packit |
549fdc |
srp_passwd = OPT_ARG(SRPPASSWD);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (HAVE_OPT(X509CAFILE))
|
|
Packit |
549fdc |
x509_cafile = OPT_ARG(X509CAFILE);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (HAVE_OPT(X509CRLFILE))
|
|
Packit |
549fdc |
x509_crlfile = OPT_ARG(X509CRLFILE);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (HAVE_OPT(X509KEYFILE))
|
|
Packit |
549fdc |
x509_keyfile = OPT_ARG(X509KEYFILE);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (HAVE_OPT(X509CERTFILE))
|
|
Packit |
549fdc |
x509_certfile = OPT_ARG(X509CERTFILE);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (HAVE_OPT(PSKUSERNAME))
|
|
Packit |
549fdc |
psk_username = OPT_ARG(PSKUSERNAME);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (HAVE_OPT(PSKKEY)) {
|
|
Packit |
549fdc |
psk_key.data = (unsigned char *) OPT_ARG(PSKKEY);
|
|
Packit |
549fdc |
psk_key.size = strlen(OPT_ARG(PSKKEY));
|
|
Packit |
549fdc |
} else
|
|
Packit |
549fdc |
psk_key.size = 0;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
crlf = HAVE_OPT(CRLF);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
#ifdef TCP_FASTOPEN
|
|
Packit |
549fdc |
fastopen = HAVE_OPT(FASTOPEN);
|
|
Packit |
549fdc |
#else
|
|
Packit |
549fdc |
if (HAVE_OPT(FASTOPEN)) {
|
|
Packit |
549fdc |
fprintf(stderr, "Warning: TCP Fast Open not supported on this OS\n");
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
#endif
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (rest != NULL)
|
|
Packit |
549fdc |
hostname = rest;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (hostname == NULL) {
|
|
Packit |
549fdc |
fprintf(stderr, "No hostname specified\n");
|
|
Packit |
549fdc |
exit(1);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
static void check_rehandshake(socket_st * socket, int ret)
|
|
Packit |
549fdc |
{
|
|
Packit |
549fdc |
if (socket->secure && ret == GNUTLS_E_REHANDSHAKE) {
|
|
Packit |
549fdc |
/* There is a race condition here. If application
|
|
Packit |
549fdc |
* data is sent after the rehandshake request,
|
|
Packit |
549fdc |
* the server thinks we ignored his request.
|
|
Packit |
549fdc |
* This is a bad design of this client.
|
|
Packit |
549fdc |
*/
|
|
Packit |
549fdc |
printf("*** Received rehandshake request\n");
|
|
Packit |
549fdc |
/* gnutls_alert_send( session, GNUTLS_AL_WARNING, GNUTLS_A_NO_RENEGOTIATION); */
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
ret = do_handshake(socket);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (ret == 0) {
|
|
Packit |
549fdc |
printf("*** Rehandshake was performed.\n");
|
|
Packit |
549fdc |
} else {
|
|
Packit |
549fdc |
printf("*** Rehandshake Failed.\n");
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
int do_handshake(socket_st * socket)
|
|
Packit |
549fdc |
{
|
|
Packit |
549fdc |
int ret;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (fastopen && socket->connect_addrlen) {
|
|
Packit |
549fdc |
gnutls_transport_set_fastopen(socket->session, socket->fd,
|
|
Packit |
549fdc |
(struct sockaddr*)&socket->connect_addr,
|
|
Packit |
549fdc |
socket->connect_addrlen, 0);
|
|
Packit |
549fdc |
socket->connect_addrlen = 0;
|
|
Packit |
549fdc |
} else {
|
|
Packit |
549fdc |
set_read_funcs(socket->session);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
do {
|
|
Packit |
549fdc |
gnutls_handshake_set_timeout(socket->session,
|
|
Packit |
549fdc |
GNUTLS_DEFAULT_HANDSHAKE_TIMEOUT);
|
|
Packit |
549fdc |
ret = gnutls_handshake(socket->session);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (ret < 0) {
|
|
Packit |
549fdc |
handle_error(socket, ret);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
while (ret < 0 && gnutls_error_is_fatal(ret) == 0);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (ret == 0) {
|
|
Packit |
549fdc |
/* print some information */
|
|
Packit |
549fdc |
print_info(socket->session, verbose, HAVE_OPT(X509CERTFILE)?P_WAIT_FOR_CERT:0);
|
|
Packit |
549fdc |
socket->secure = 1;
|
|
Packit |
549fdc |
} else {
|
|
Packit |
549fdc |
gnutls_alert_send_appropriate(socket->session, ret);
|
|
Packit |
549fdc |
shutdown(socket->fd, SHUT_RDWR);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
return ret;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
static int
|
|
Packit |
549fdc |
srp_username_callback(gnutls_session_t session,
|
|
Packit |
549fdc |
char **username, char **password)
|
|
Packit |
549fdc |
{
|
|
Packit |
549fdc |
if (srp_username == NULL || srp_passwd == NULL) {
|
|
Packit |
549fdc |
return -1;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
*username = gnutls_strdup(srp_username);
|
|
Packit |
549fdc |
*password = gnutls_strdup(srp_passwd);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
return 0;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
static int
|
|
Packit |
549fdc |
psk_callback(gnutls_session_t session, char **username,
|
|
Packit |
549fdc |
gnutls_datum_t * key)
|
|
Packit |
549fdc |
{
|
|
Packit |
549fdc |
const char *hint = gnutls_psk_client_get_hint(session);
|
|
Packit |
549fdc |
char *rawkey;
|
|
Packit |
549fdc |
char *passwd;
|
|
Packit |
549fdc |
int ret;
|
|
Packit |
549fdc |
size_t res_size;
|
|
Packit |
549fdc |
gnutls_datum_t tmp;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
printf("- PSK client callback. ");
|
|
Packit |
549fdc |
if (hint)
|
|
Packit |
549fdc |
printf("PSK hint '%s'\n", hint);
|
|
Packit |
549fdc |
else
|
|
Packit |
549fdc |
printf("No PSK hint\n");
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (HAVE_OPT(PSKUSERNAME))
|
|
Packit |
549fdc |
*username = gnutls_strdup(OPT_ARG(PSKUSERNAME));
|
|
Packit |
549fdc |
else {
|
|
Packit |
549fdc |
char *p = NULL;
|
|
Packit |
549fdc |
size_t n;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
printf("Enter PSK identity: ");
|
|
Packit |
549fdc |
fflush(stdout);
|
|
Packit |
549fdc |
ret = getline(&p, &n, stdin);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (ret == -1 || p == NULL) {
|
|
Packit |
549fdc |
fprintf(stderr,
|
|
Packit |
549fdc |
"No username given, aborting...\n");
|
|
Packit |
549fdc |
return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (p[strlen(p) - 1] == '\n')
|
|
Packit |
549fdc |
p[strlen(p) - 1] = '\0';
|
|
Packit |
549fdc |
if (p[strlen(p) - 1] == '\r')
|
|
Packit |
549fdc |
p[strlen(p) - 1] = '\0';
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
*username = gnutls_strdup(p);
|
|
Packit |
549fdc |
free(p);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
if (!*username)
|
|
Packit |
549fdc |
return GNUTLS_E_MEMORY_ERROR;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
passwd = getpass("Enter key: ");
|
|
Packit |
549fdc |
if (passwd == NULL) {
|
|
Packit |
549fdc |
fprintf(stderr, "No key given, aborting...\n");
|
|
Packit |
549fdc |
return GNUTLS_E_INSUFFICIENT_CREDENTIALS;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
tmp.data = (void *) passwd;
|
|
Packit |
549fdc |
tmp.size = strlen(passwd);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
res_size = tmp.size / 2 + 1;
|
|
Packit |
549fdc |
rawkey = gnutls_malloc(res_size);
|
|
Packit |
549fdc |
if (rawkey == NULL)
|
|
Packit |
549fdc |
return GNUTLS_E_MEMORY_ERROR;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
ret = gnutls_hex_decode(&tmp, rawkey, &res_size);
|
|
Packit |
549fdc |
if (ret < 0) {
|
|
Packit |
549fdc |
fprintf(stderr, "Error deriving password: %s\n",
|
|
Packit |
549fdc |
gnutls_strerror(ret));
|
|
Packit |
549fdc |
gnutls_free(rawkey);
|
|
Packit |
549fdc |
gnutls_free(*username);
|
|
Packit |
549fdc |
return ret;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
key->data = (void *) rawkey;
|
|
Packit |
549fdc |
key->size = res_size;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (HAVE_OPT(DEBUG)) {
|
|
Packit |
549fdc |
char hexkey[41];
|
|
Packit |
549fdc |
res_size = sizeof(hexkey);
|
|
Packit |
549fdc |
ret = gnutls_hex_encode(key, hexkey, &res_size);
|
|
Packit |
549fdc |
if (ret < 0) {
|
|
Packit |
549fdc |
fprintf(stderr, "Error in hex encoding: %s\n", gnutls_strerror(ret));
|
|
Packit |
549fdc |
exit(1);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
fprintf(stderr, "PSK username: %s\n", *username);
|
|
Packit |
549fdc |
fprintf(stderr, "PSK hint: %s\n", hint);
|
|
Packit |
549fdc |
fprintf(stderr, "PSK key: %s\n", hexkey);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
return 0;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
static void init_global_tls_stuff(void)
|
|
Packit |
549fdc |
{
|
|
Packit |
549fdc |
int ret;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
#ifdef ENABLE_PKCS11
|
|
Packit |
549fdc |
if (HAVE_OPT(PROVIDER)) {
|
|
Packit |
549fdc |
ret = gnutls_pkcs11_init(GNUTLS_PKCS11_FLAG_MANUAL, NULL);
|
|
Packit |
549fdc |
if (ret < 0)
|
|
Packit |
549fdc |
fprintf(stderr, "pkcs11_init: %s",
|
|
Packit |
549fdc |
gnutls_strerror(ret));
|
|
Packit |
549fdc |
else {
|
|
Packit |
549fdc |
ret =
|
|
Packit |
549fdc |
gnutls_pkcs11_add_provider(OPT_ARG(PROVIDER),
|
|
Packit |
549fdc |
NULL);
|
|
Packit |
549fdc |
if (ret < 0) {
|
|
Packit |
549fdc |
fprintf(stderr, "pkcs11_add_provider: %s",
|
|
Packit |
549fdc |
gnutls_strerror(ret));
|
|
Packit |
549fdc |
exit(1);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
#endif
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
/* X509 stuff */
|
|
Packit |
549fdc |
if (gnutls_certificate_allocate_credentials(&xcred) < 0) {
|
|
Packit |
549fdc |
fprintf(stderr, "Certificate allocation memory error\n");
|
|
Packit |
549fdc |
exit(1);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
gnutls_certificate_set_pin_function(xcred, pin_callback, NULL);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
gnutls_certificate_set_verify_flags(xcred, global_vflags);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (x509_cafile != NULL) {
|
|
Packit |
549fdc |
ret = gnutls_certificate_set_x509_trust_file(xcred,
|
|
Packit |
549fdc |
x509_cafile,
|
|
Packit |
549fdc |
x509ctype);
|
|
Packit |
549fdc |
} else {
|
|
Packit |
549fdc |
if (insecure == 0) {
|
|
Packit |
549fdc |
ret = gnutls_certificate_set_x509_system_trust(xcred);
|
|
Packit |
549fdc |
} else {
|
|
Packit |
549fdc |
ret = 0;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
if (ret < 0) {
|
|
Packit |
549fdc |
fprintf(stderr, "Error setting the x509 trust file\n");
|
|
Packit |
549fdc |
} else {
|
|
Packit |
549fdc |
printf("Processed %d CA certificate(s).\n", ret);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (x509_crlfile != NULL) {
|
|
Packit |
549fdc |
ret =
|
|
Packit |
549fdc |
gnutls_certificate_set_x509_crl_file(xcred,
|
|
Packit |
549fdc |
x509_crlfile,
|
|
Packit |
549fdc |
x509ctype);
|
|
Packit |
549fdc |
if (ret < 0) {
|
|
Packit |
549fdc |
fprintf(stderr,
|
|
Packit |
549fdc |
"Error setting the x509 CRL file\n");
|
|
Packit |
549fdc |
} else {
|
|
Packit |
549fdc |
printf("Processed %d CRL(s).\n", ret);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
load_keys();
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
#ifdef ENABLE_SRP
|
|
Packit |
549fdc |
if (srp_username && srp_passwd) {
|
|
Packit |
549fdc |
/* SRP stuff */
|
|
Packit |
549fdc |
if (gnutls_srp_allocate_client_credentials(&srp_cred) < 0) {
|
|
Packit |
549fdc |
fprintf(stderr, "SRP authentication error\n");
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
gnutls_srp_set_client_credentials_function(srp_cred,
|
|
Packit |
549fdc |
srp_username_callback);
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
#endif
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
#ifdef ENABLE_PSK
|
|
Packit |
549fdc |
/* PSK stuff */
|
|
Packit |
549fdc |
if (gnutls_psk_allocate_client_credentials(&psk_cred) < 0) {
|
|
Packit |
549fdc |
fprintf(stderr, "PSK authentication error\n");
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (psk_username && psk_key.data) {
|
|
Packit |
549fdc |
ret = gnutls_psk_set_client_credentials(psk_cred,
|
|
Packit |
549fdc |
psk_username,
|
|
Packit |
549fdc |
&psk_key,
|
|
Packit |
549fdc |
GNUTLS_PSK_KEY_HEX);
|
|
Packit |
549fdc |
if (ret < 0) {
|
|
Packit |
549fdc |
fprintf(stderr,
|
|
Packit |
549fdc |
"Error setting the PSK credentials: %s\n",
|
|
Packit |
549fdc |
gnutls_strerror(ret));
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
} else
|
|
Packit |
549fdc |
gnutls_psk_set_client_credentials_function(psk_cred,
|
|
Packit |
549fdc |
psk_callback);
|
|
Packit |
549fdc |
#endif
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
#ifdef ENABLE_ANON
|
|
Packit |
549fdc |
/* ANON stuff */
|
|
Packit |
549fdc |
if (gnutls_anon_allocate_client_credentials(&anon_cred) < 0) {
|
|
Packit |
549fdc |
fprintf(stderr, "Anonymous authentication error\n");
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
#endif
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
/* OCSP check for the peer's certificate. Should be called
|
|
Packit |
549fdc |
* only after the certificate list verification is complete.
|
|
Packit |
549fdc |
* Returns:
|
|
Packit |
549fdc |
* -1: certificate chain could not be checked fully
|
|
Packit |
549fdc |
* >=0: number of certificates verified ok
|
|
Packit |
549fdc |
*/
|
|
Packit |
549fdc |
static int cert_verify_ocsp(gnutls_session_t session)
|
|
Packit |
549fdc |
{
|
|
Packit |
549fdc |
gnutls_x509_crt_t cert, issuer;
|
|
Packit |
549fdc |
const gnutls_datum_t *cert_list;
|
|
Packit |
549fdc |
unsigned int cert_list_size = 0, ok = 0;
|
|
Packit |
549fdc |
unsigned failed = 0;
|
|
Packit |
549fdc |
int deinit_issuer = 0, deinit_cert = 0;
|
|
Packit |
549fdc |
gnutls_datum_t resp;
|
|
Packit |
549fdc |
unsigned char noncebuf[23];
|
|
Packit |
549fdc |
gnutls_datum_t nonce = { noncebuf, sizeof(noncebuf) };
|
|
Packit |
549fdc |
int ret;
|
|
Packit |
549fdc |
unsigned it;
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
cert_list = gnutls_certificate_get_peers(session, &cert_list_size);
|
|
Packit |
549fdc |
if (cert_list_size == 0) {
|
|
Packit |
549fdc |
fprintf(stderr, "No certificates found!\n");
|
|
Packit |
549fdc |
return 0;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
for (it = 0; it < cert_list_size; it++) {
|
|
Packit |
549fdc |
if (deinit_cert)
|
|
Packit |
549fdc |
gnutls_x509_crt_deinit(cert);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
ret = gnutls_x509_crt_init(&cert);
|
|
Packit |
549fdc |
if (ret < 0) {
|
|
Packit |
549fdc |
fprintf(stderr, "Memory error: %s\n", gnutls_strerror(ret));
|
|
Packit |
549fdc |
goto cleanup;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
deinit_cert = 1;
|
|
Packit |
549fdc |
ret = gnutls_x509_crt_import(cert, &cert_list[it], GNUTLS_X509_FMT_DER);
|
|
Packit |
549fdc |
if (ret < 0) {
|
|
Packit |
549fdc |
fprintf(stderr, "Decoding error: %s\n", gnutls_strerror(ret));
|
|
Packit |
549fdc |
goto cleanup;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (deinit_issuer) {
|
|
Packit |
549fdc |
gnutls_x509_crt_deinit(issuer);
|
|
Packit |
549fdc |
deinit_issuer = 0;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
ret = gnutls_certificate_get_issuer(xcred, cert, &issuer, 0);
|
|
Packit |
549fdc |
if (ret < 0 && cert_list_size - it > 1) {
|
|
Packit |
549fdc |
ret = gnutls_x509_crt_init(&issuer);
|
|
Packit |
549fdc |
if (ret < 0) {
|
|
Packit |
549fdc |
fprintf(stderr, "Memory error: %s\n", gnutls_strerror(ret));
|
|
Packit |
549fdc |
goto cleanup;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
deinit_issuer = 1;
|
|
Packit |
549fdc |
ret = gnutls_x509_crt_import(issuer, &cert_list[it + 1], GNUTLS_X509_FMT_DER);
|
|
Packit |
549fdc |
if (ret < 0) {
|
|
Packit |
549fdc |
fprintf(stderr, "Decoding error: %s\n", gnutls_strerror(ret));
|
|
Packit |
549fdc |
goto cleanup;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
} else if (ret < 0) {
|
|
Packit |
549fdc |
if (it == 0)
|
|
Packit |
549fdc |
fprintf(stderr, "Cannot find issuer: %s\n", gnutls_strerror(ret));
|
|
Packit |
549fdc |
goto cleanup;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
ret = gnutls_rnd(GNUTLS_RND_NONCE, nonce.data, nonce.size);
|
|
Packit |
549fdc |
if (ret < 0) {
|
|
Packit |
549fdc |
fprintf(stderr, "gnutls_rnd: %s", gnutls_strerror(ret));
|
|
Packit |
549fdc |
goto cleanup;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
ret = send_ocsp_request(NULL, cert, issuer, &resp, &nonce);
|
|
Packit |
549fdc |
if (ret == GNUTLS_E_REQUESTED_DATA_NOT_AVAILABLE) {
|
|
Packit |
549fdc |
continue;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
if (ret < 0) {
|
|
Packit |
549fdc |
fprintf(stderr, "Cannot contact OCSP server\n");
|
|
Packit |
549fdc |
goto cleanup;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
/* verify and check the response for revoked cert */
|
|
Packit |
549fdc |
ret = check_ocsp_response(cert, issuer, &resp, &nonce, verbose);
|
|
Packit |
549fdc |
free(resp.data);
|
|
Packit |
549fdc |
if (ret == 1)
|
|
Packit |
549fdc |
ok++;
|
|
Packit |
549fdc |
else if (ret == 0) {
|
|
Packit |
549fdc |
failed++;
|
|
Packit |
549fdc |
break;
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
}
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
cleanup:
|
|
Packit |
549fdc |
if (deinit_issuer)
|
|
Packit |
549fdc |
gnutls_x509_crt_deinit(issuer);
|
|
Packit |
549fdc |
if (deinit_cert)
|
|
Packit |
549fdc |
gnutls_x509_crt_deinit(cert);
|
|
Packit |
549fdc |
|
|
Packit |
549fdc |
if (failed > 0)
|
|
Packit |
549fdc |
return -1;
|
|
Packit |
549fdc |
return ok >= 1 ? (int) ok : -1;
|
|
Packit |
549fdc |
}
|