X-Git-Url: https://git.exim.org/users/heiko/exim.git/blobdiff_plain/fc4fcc349cf1c46dadd343b9f9fae8c232e6257e..25af913afa0c279dac709ea6cf7f6a0231d655f8:/test/src/client.c?ds=sidebyside diff --git a/test/src/client.c b/test/src/client.c index 2bd640205..f34cf784c 100644 --- a/test/src/client.c +++ b/test/src/client.c @@ -24,6 +24,7 @@ ripped from the openssl ocsp and s_client utilities. */ #include #include #include +#include #include #include @@ -165,40 +166,33 @@ sigalrm_seen = 1; /****************************************************************************/ #ifdef HAVE_OPENSSL +# ifndef DISABLE_OCSP -X509_STORE * -setup_verify(BIO *bp, char *CAfile, char *CApath) +static STACK_OF(X509) * +chain_from_pem_file(const uschar * file) { - X509_STORE *store; - X509_LOOKUP *lookup; - if(!(store = X509_STORE_new())) goto end; - lookup=X509_STORE_add_lookup(store,X509_LOOKUP_file()); - if (lookup == NULL) goto end; - if (CAfile) { - if(!X509_LOOKUP_load_file(lookup,CAfile,X509_FILETYPE_PEM)) { - BIO_printf(bp, "Error loading file %s\n", CAfile); - goto end; - } - } else X509_LOOKUP_load_file(lookup,NULL,X509_FILETYPE_DEFAULT); - - lookup=X509_STORE_add_lookup(store,X509_LOOKUP_hash_dir()); - if (lookup == NULL) goto end; - if (CApath) { - if(!X509_LOOKUP_add_dir(lookup,CApath,X509_FILETYPE_PEM)) { - BIO_printf(bp, "Error loading directory %s\n", CApath); - goto end; - } - } else X509_LOOKUP_add_dir(lookup,NULL,X509_FILETYPE_DEFAULT); - - ERR_clear_error(); - return store; - end: - X509_STORE_free(store); - return NULL; +BIO * bp; +X509 * x; +STACK_OF(X509) * sk; + +if (!(sk = sk_X509_new_null())) return NULL; +if (!(bp = BIO_new_file(CS file, "r"))) return NULL; +while ((x = PEM_read_bio_X509(bp, NULL, 0, NULL))) + sk_X509_push(sk, x); +BIO_free(bp); +return sk; +} + + + +static void +cert_stack_free(STACK_OF(X509) * sk) +{ +while (sk_X509_num(sk) > 0) (void) sk_X509_pop(sk); +sk_X509_free(sk); } -#ifndef DISABLE_OCSP static int tls_client_stapling_cb(SSL *s, void *arg) { @@ -206,8 +200,7 @@ const unsigned char *p; int len; OCSP_RESPONSE *rsp; OCSP_BASICRESP *bs; -char *CAfile = NULL; -X509_STORE *store = NULL; +STACK_OF(X509) * sk; int ret = 1; len = SSL_get_tlsext_status_ocsp_resp(s, &p); @@ -229,15 +222,19 @@ if(!(bs = OCSP_response_get1_basic(rsp))) return 0; } -CAfile = ocsp_stapling; -if(!(store = setup_verify(arg, CAfile, NULL))) + +if (!(sk = chain_from_pem_file(ocsp_stapling))) { BIO_printf(arg, "error in cert setup\n"); return 0; } -/* No file of alternate certs, no options */ -if(OCSP_basic_verify(bs, NULL, store, 0) <= 0) +/* OCSP_basic_verify takes a "store" arg, but does not +use it for the chain verification, which is all we do +when OCSP_NOVERIFY is set. The content from the wire +(in "bs") and a cert-stack "sk" are all that is used. */ + +if(OCSP_basic_verify(bs, sk, NULL, OCSP_NOVERIFY) <= 0) { BIO_printf(arg, "Response Verify Failure\n"); ERR_print_errors(arg); @@ -246,10 +243,10 @@ if(OCSP_basic_verify(bs, NULL, store, 0) <= 0) else BIO_printf(arg, "Response verify OK\n"); -X509_STORE_free(store); +cert_stack_free(sk); return ret; } -#endif +# endif /*DISABLE_OCSP*/ /************************************************* @@ -479,6 +476,44 @@ return session; /****************************************************************************/ +/* Turn "\n" and "\r" into the relevant characters. This is a hack. */ + +static int +unescape_buf(unsigned char * buf, int len) +{ +unsigned char * s; +unsigned char c, t; +unsigned shift; + +for (s = buf; s < buf+len; s++) if (*s == '\\') + { + switch (s[1]) + { + default: c = s[1]; shift = 1; break; + case 'n': c = '\n'; shift = 1; break; + case 'r': c = '\r'; shift = 1; break; + case 'x': + t = s[2]; + if (t >= 'A' && t <= 'F') t -= 'A'-'9'-1; + else if (t >= 'a' && t <= 'f') t -= 'a'-'9'-1; + t -= '0'; + c = (t<<4) & 0xf0; + t = s[3]; + if (t >= 'A' && t <= 'F') t -= 'A'-'9'-1; + else if (t >= 'a' && t <= 'f') t -= 'a'-'9'-1; + t -= '0'; + c |= t & 0xf; + shift = 3; + break; + } + *s = c; + memmove(s+1, s+shift+1, len-shift); + len -= shift; + } +return len; +} + + /****************************************************************************/ @@ -504,7 +539,8 @@ Usage: client\n" []\n\ \n"; -int main(int argc, char **argv) +int +main(int argc, char **argv) { struct sockaddr *s_ptr; struct sockaddr_in s_in4; @@ -855,16 +891,22 @@ if (tls_on_connect) while (fgets(CS outbuffer, sizeof(outbuffer), stdin) != NULL) { int n = (int)strlen(CS outbuffer); + int crlf = 1; /* Strip trailing newline */ if (outbuffer[n-1] == '\n') outbuffer[--n] = 0; /* Expect incoming */ - if (strncmp(CS outbuffer, "??? ", 4) == 0) + if ( strncmp(CS outbuffer, "???", 3) == 0 + && (outbuffer[3] == ' ' || outbuffer[3] == '*') + ) { unsigned char *lineptr; + unsigned exp_eof = outbuffer[3] == '*'; + printf("%s\n", outbuffer); + n = unescape_buf(outbuffer, n); if (*inptr == 0) /* Refill input buffer */ { @@ -885,15 +927,27 @@ while (fgets(CS outbuffer, sizeof(outbuffer), stdin) != NULL) } if (rc < 0) - { + { printf("Read error %s\n", strerror(errno)); - exit(81) ; - } + exit(81); + } else if (rc == 0) + if (exp_eof) + { + printf("Expected EOF read\n"); + continue; + } + else + { + printf("Unexpected EOF read\n"); + close(sock); + exit(80); + } + else if (exp_eof) { - printf("Unexpected EOF read\n"); + printf("Expected EOF not read\n"); close(sock); - exit(80); + exit(74); } else { @@ -911,7 +965,7 @@ while (fgets(CS outbuffer, sizeof(outbuffer), stdin) != NULL) } printf("<<< %s\n", lineptr); - if (strncmp(CS lineptr, CS outbuffer + 4, (int)strlen(CS outbuffer) - 4) != 0) + if (strncmp(CS lineptr, CS outbuffer + 4, n - 4) != 0) { printf("\n******** Input mismatch ********\n"); exit(79); @@ -1011,12 +1065,19 @@ int rc; else { - unsigned char *escape; + unsigned char * out = outbuffer; + + if (strncmp(CS outbuffer, ">>> ", 4) == 0) + { + crlf = 0; + out += 4; + n -= 4; + } if (*inptr != 0) { printf("Unconsumed input: %s", inptr); - printf(" About to send: %s\n", outbuffer); + printf(" About to send: %s\n", out); exit(78); } @@ -1024,8 +1085,8 @@ int rc; /* Shutdown TLS */ - if (strcmp(CS outbuffer, "stoptls") == 0 || - strcmp(CS outbuffer, "STOPTLS") == 0) + if (strcmp(CS out, "stoptls") == 0 || + strcmp(CS out, "STOPTLS") == 0) { if (!tls_active) { @@ -1052,38 +1113,28 @@ int rc; /* Remember that we sent STARTTLS */ - sent_starttls = (strcmp(CS outbuffer, "starttls") == 0 || - strcmp(CS outbuffer, "STARTTLS") == 0); + sent_starttls = (strcmp(CS out, "starttls") == 0 || + strcmp(CS out, "STARTTLS") == 0); /* Fudge: if the command is "starttls_wait", we send the starttls bit, but we haven't set the flag, so that there is no negotiation. This is for testing the server's timeout. */ - if (strcmp(CS outbuffer, "starttls_wait") == 0) + if (strcmp(CS out, "starttls_wait") == 0) { - outbuffer[8] = 0; + out[8] = 0; n = 8; } #endif - printf(">>> %s\n", outbuffer); - strcpy(CS outbuffer + n, "\r\n"); - - /* Turn "\n" and "\r" into the relevant characters. This is a hack. */ - - while ((escape = US strstr(CS outbuffer, "\\r")) != NULL) + printf(">>> %s\n", out); + if (crlf) { - *escape = '\r'; - memmove(escape + 1, escape + 2, (n + 2) - (escape - outbuffer) - 2); - n--; + strcpy(CS out + n, "\r\n"); + n += 2; } - while ((escape = US strstr(CS outbuffer, "\\n")) != NULL) - { - *escape = '\n'; - memmove(escape + 1, escape + 2, (n + 2) - (escape - outbuffer) - 2); - n--; - } + n = unescape_buf(out, n); /* OK, do it */ @@ -1091,11 +1142,10 @@ int rc; if (tls_active) { #ifdef HAVE_OPENSSL - rc = SSL_write (ssl, outbuffer, n + 2); + rc = SSL_write (ssl, out, n); #endif #ifdef HAVE_GNUTLS - rc = gnutls_record_send(tls_session, CS outbuffer, n + 2); - if (rc < 0) + if ((rc = gnutls_record_send(tls_session, CS out, n)) < 0) { printf("GnuTLS write error: %s\n", gnutls_strerror(rc)); exit(76); @@ -1103,9 +1153,7 @@ int rc; #endif } else - { - rc = write(sock, outbuffer, n + 2); - } + rc = write(sock, out, n); alarm(0); if (rc < 0) @@ -1117,6 +1165,8 @@ int rc; } printf("End of script\n"); +shutdown(sock, SHUT_WR); +while ((rc = read(sock, inbuffer, sizeof(inbuffer))) > 0) ; close(sock); exit(0);