X-Git-Url: https://git.exim.org/users/jgh/exim.git/blobdiff_plain/6d68e1c72d8bd58b005e9d1c8df890e4fe5e6536..050514b5fe25370d4c468adf567f0bdbc47e394e:/test/src/client.c diff --git a/test/src/client.c b/test/src/client.c index 72cebbeb4..2b73098f5 100644 --- a/test/src/client.c +++ b/test/src/client.c @@ -24,6 +24,7 @@ ripped from the openssl ocsp and s_client utilities. */ #include #include #include +#include #include #include @@ -58,11 +59,6 @@ static int sigalrm_seen = 0; /* TLS support can be optionally included, either for OpenSSL or GnuTLS. The latter needs a whole pile of tables. */ -#if !defined(EXIM_HAVE_OPENSSL_TLSEXT) && !defined(DISABLE_OCSP) -# warning "OpenSSL library version too old; define DISABLE_OCSP in Makefile" -# define DISABLE_OCSP -#endif - #ifdef HAVE_OPENSSL # define HAVE_TLS # include @@ -71,6 +67,11 @@ latter needs a whole pile of tables. */ # include # include # include + +# if OPENSSL_VERSION_NUMBER < 0x0090806fL && !defined(DISABLE_OCSP) && !defined(OPENSSL_NO_TLSEXT) +# warning "OpenSSL library version too old; define DISABLE_OCSP in Makefile" +# define DISABLE_OCSP +# endif # ifndef DISABLE_OCSP # include # endif @@ -85,20 +86,24 @@ latter needs a whole pile of tables. */ # define HAVE_OCSP # include # endif +# ifndef GNUTLS_NO_EXTENSIONS +# define GNUTLS_NO_EXTENSIONS 0 +# endif # define DH_BITS 768 /* Local static variables for GNUTLS */ -static gnutls_dh_params dh_params = NULL; +static gnutls_dh_params_t dh_params = NULL; static gnutls_certificate_credentials_t x509_cred = NULL; -static gnutls_session tls_session = NULL; +static gnutls_session_t tls_session = NULL; static int ssl_session_timeout = 200; /* Priorities for TLS algorithms to use. */ +#if GNUTLS_VERSION_NUMBER < 0x030400 static const int protocol_priority[16] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 }; static const int kx_priority[16] = { @@ -120,7 +125,7 @@ static const int mac_priority[16] = { 0 }; static const int comp_priority[16] = { GNUTLS_COMP_NULL, 0 }; -static const int cert_type_priority[16] = { GNUTLS_CRT_X509, 0 }; +#endif #endif /*HAVE_GNUTLS*/ @@ -195,6 +200,33 @@ setup_verify(BIO *bp, char *CAfile, char *CApath) #ifndef DISABLE_OCSP +static STACK_OF(X509) * +cert_stack_from_store(X509_STORE * store) +{ +STACK_OF(X509_OBJECT) * roots= store->objs; +STACK_OF(X509) * sk = sk_X509_new_null(); +int i; + +for(i = sk_X509_OBJECT_num(roots) - 1; i >= 0; i--) + { + X509_OBJECT * tmp_obj= sk_X509_OBJECT_value(roots, i); + if(tmp_obj->type == X509_LU_X509) + { + X509 * x = tmp_obj->data.x509; + sk_X509_push(sk, x); + } + } +return sk; +} + +static void +cert_stack_free(STACK_OF(X509) * sk) +{ +while (sk_X509_num(sk) > 0) (void) sk_X509_pop(sk); +sk_X509_free(sk); +} + + static int tls_client_stapling_cb(SSL *s, void *arg) { @@ -204,6 +236,7 @@ OCSP_RESPONSE *rsp; OCSP_BASICRESP *bs; char *CAfile = NULL; X509_STORE *store = NULL; +STACK_OF(X509) * sk; int ret = 1; len = SSL_get_tlsext_status_ocsp_resp(s, &p); @@ -225,6 +258,7 @@ if(!(bs = OCSP_response_get1_basic(rsp))) return 0; } + CAfile = ocsp_stapling; if(!(store = setup_verify(arg, CAfile, NULL))) { @@ -232,8 +266,14 @@ if(!(store = setup_verify(arg, CAfile, NULL))) return 0; } -/* No file of alternate certs, no options */ -if(OCSP_basic_verify(bs, NULL, store, 0) <= 0) +sk = cert_stack_from_store(store); + +/* OCSP_basic_verify takes a "store" arg, but does not +use it for the chain verification, which is all we do +when OCSP_NOVERIFY is set. The content from the wire +(in "bs") and a cert-stack "sk" are all that is used. */ + +if(OCSP_basic_verify(bs, sk, NULL, OCSP_NOVERIFY) <= 0) { BIO_printf(arg, "Response Verify Failure\n"); ERR_print_errors(arg); @@ -242,6 +282,7 @@ if(OCSP_basic_verify(bs, NULL, store, 0) <= 0) else BIO_printf(arg, "Response verify OK\n"); +cert_stack_free(sk); X509_STORE_free(store); return ret; } @@ -256,12 +297,12 @@ int tls_start(int sock, SSL **ssl, SSL_CTX *ctx) { int rc; -static const unsigned char *sid_ctx = "exim"; +static const unsigned char *sid_ctx = US"exim"; RAND_load_file("client.c", -1); /* Not *very* random! */ *ssl = SSL_new (ctx); -SSL_set_session_id_context(*ssl, sid_ctx, strlen(sid_ctx)); +SSL_set_session_id_context(*ssl, sid_ctx, strlen(CS sid_ctx)); SSL_set_fd (*ssl, sock); SSL_set_connect_state(*ssl); @@ -353,7 +394,7 @@ init_dh(void) { int fd; int ret; -gnutls_datum m; +gnutls_datum_t m; uschar filename[200]; struct stat statbuf; @@ -446,13 +487,14 @@ if (ocsp_stapling) * Initialize a single GNUTLS session * *************************************************/ -static gnutls_session +static gnutls_session_t tls_session_init(void) { -gnutls_session session; +gnutls_session_t session; -gnutls_init(&session, GNUTLS_CLIENT); +gnutls_init(&session, GNUTLS_CLIENT | GNUTLS_NO_EXTENSIONS); +#if GNUTLS_VERSION_NUMBER < 0x030400 gnutls_cipher_set_priority(session, default_cipher_priority); gnutls_compression_set_priority(session, comp_priority); gnutls_kx_set_priority(session, kx_priority); @@ -460,6 +502,10 @@ gnutls_protocol_set_priority(session, protocol_priority); gnutls_mac_set_priority(session, mac_priority); gnutls_cred_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred); +#else +gnutls_set_default_priority(session); +gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred); +#endif gnutls_dh_set_prime_bits(session, DH_BITS); gnutls_db_set_cache_expiration(session, ssl_session_timeout); @@ -480,7 +526,14 @@ return session; *************************************************/ const char * const HELP_MESSAGE = "\n\ -Usage: client\n\ +Usage: client\n" +#ifdef HAVE_TLS +"\ + [-tls-on-connect]\n\ + [-ocsp]\n" +#endif +"\ + [-tn] n seconds timeout\n\ \n\ \n\ []\n\ @@ -784,7 +837,7 @@ tls_session = tls_session_init(); if (ocsp_stapling) gnutls_ocsp_status_request_enable_client(tls_session, NULL, 0, NULL); #endif -gnutls_transport_set_ptr(tls_session, (gnutls_transport_ptr)sock); +gnutls_transport_set_ptr(tls_session, (gnutls_transport_ptr_t)(intptr_t)sock); /* When the server asks for a certificate and the client does not have one, there is a SIGPIPE error in the gnutls_handshake() function for some reason @@ -805,24 +858,32 @@ if (tls_on_connect) { printf("Attempting to start TLS\n"); - #ifdef HAVE_OPENSSL +#ifdef HAVE_OPENSSL tls_active = tls_start(sock, &ssl, ctx); - #endif +#endif - #ifdef HAVE_GNUTLS +#ifdef HAVE_GNUTLS + { + int rc; sigalrm_seen = FALSE; alarm(timeout); - tls_active = gnutls_handshake(tls_session) >= 0; + do { + rc = gnutls_handshake(tls_session); + } while (rc < 0 && gnutls_error_is_fatal(rc) == 0); + tls_active = rc >= 0; alarm(0); - #endif + + if (!tls_active) printf("%s\n", gnutls_strerror(rc)); + } +#endif if (!tls_active) printf("Failed to start TLS\n"); - #if defined(HAVE_GNUTLS) && defined(HAVE_OCSP) +#if defined(HAVE_GNUTLS) && defined(HAVE_OCSP) else if ( ocsp_stapling && gnutls_ocsp_status_request_is_checked(tls_session, 0) == 0) printf("Failed to verify certificate status\n"); - #endif +#endif else printf("Succeeded in starting TLS\n"); } @@ -831,14 +892,19 @@ if (tls_on_connect) while (fgets(CS outbuffer, sizeof(outbuffer), stdin) != NULL) { int n = (int)strlen(CS outbuffer); - while (n > 0 && isspace(outbuffer[n-1])) n--; - outbuffer[n] = 0; + + /* Strip trailing newline */ + if (outbuffer[n-1] == '\n') outbuffer[--n] = 0; /* Expect incoming */ - if (strncmp(CS outbuffer, "??? ", 4) == 0) + if ( strncmp(CS outbuffer, "???", 3) == 0 + && (outbuffer[3] == ' ' || outbuffer[3] == '*') + ) { unsigned char *lineptr; + unsigned exp_eof = outbuffer[3] == '*'; + printf("%s\n", outbuffer); if (*inptr == 0) /* Refill input buffer */ @@ -860,15 +926,27 @@ while (fgets(CS outbuffer, sizeof(outbuffer), stdin) != NULL) } if (rc < 0) - { + { printf("Read error %s\n", strerror(errno)); - exit(81) ; - } + exit(81); + } else if (rc == 0) + if (exp_eof) + { + printf("Expected EOF read\n"); + continue; + } + else + { + printf("Enexpected EOF read\n"); + close(sock); + exit(80); + } + else if (exp_eof) { - printf("Unexpected EOF read\n"); + printf("Expected EOF not read\n"); close(sock); - exit(80); + exit(74); } else { @@ -908,10 +986,18 @@ int rc; #endif #ifdef HAVE_GNUTLS - sigalrm_seen = FALSE; - alarm(timeout); - tls_active = gnutls_handshake(tls_session) >= 0; - alarm(0); + { + int rc; + sigalrm_seen = FALSE; + alarm(timeout); + do { + rc = gnutls_handshake(tls_session); + } while (rc < 0 && gnutls_error_is_fatal(rc) == 0); + tls_active = rc >= 0; + alarm(0); + + if (!tls_active) printf("%s\n", gnutls_strerror(rc)); + } #endif if (!tls_active) @@ -1084,6 +1170,8 @@ int rc; } printf("End of script\n"); +shutdown(sock, SHUT_WR); +while ((rc = read(sock, inbuffer, sizeof(inbuffer))) > 0) ; close(sock); exit(0);