1 /*
2 * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
3 *
4 * Licensed under the Apache License 2.0 (the "License"). You may not use
5 * this file except in compliance with the License. You can obtain a copy
6 * in the file LICENSE in the source distribution or at
7 * https://www.openssl.org/source/license.html
8 */
9
10 /*
11 * callback functions used by s_client, s_server, and s_time,
12 * as well as other common logic for those apps
13 */
14 #include <stdio.h>
15 #include <stdlib.h>
16 #include <string.h> /* for memcpy() and strcmp() */
17 #include "apps.h"
18 #include <openssl/core_names.h>
19 #include <openssl/params.h>
20 #include <openssl/err.h>
21 #include <openssl/rand.h>
22 #include <openssl/x509.h>
23 #include <openssl/ssl.h>
24 #include <openssl/bn.h>
25 #ifndef OPENSSL_NO_DH
26 # include <openssl/dh.h>
27 #endif
28 #include "s_apps.h"
29
30 #define COOKIE_SECRET_LENGTH 16
31
32 VERIFY_CB_ARGS verify_args = { -1, 0, X509_V_OK, 0 };
33
34 #ifndef OPENSSL_NO_SOCK
35 static unsigned char cookie_secret[COOKIE_SECRET_LENGTH];
36 static int cookie_initialized = 0;
37 #endif
38 static BIO *bio_keylog = NULL;
39
lookup(int val,const STRINT_PAIR * list,const char * def)40 static const char *lookup(int val, const STRINT_PAIR* list, const char* def)
41 {
42 for ( ; list->name; ++list)
43 if (list->retval == val)
44 return list->name;
45 return def;
46 }
47
verify_callback(int ok,X509_STORE_CTX * ctx)48 int verify_callback(int ok, X509_STORE_CTX *ctx)
49 {
50 X509 *err_cert;
51 int err, depth;
52
53 err_cert = X509_STORE_CTX_get_current_cert(ctx);
54 err = X509_STORE_CTX_get_error(ctx);
55 depth = X509_STORE_CTX_get_error_depth(ctx);
56
57 if (!verify_args.quiet || !ok) {
58 BIO_printf(bio_err, "depth=%d ", depth);
59 if (err_cert != NULL) {
60 X509_NAME_print_ex(bio_err,
61 X509_get_subject_name(err_cert),
62 0, get_nameopt());
63 BIO_puts(bio_err, "\n");
64 } else {
65 BIO_puts(bio_err, "<no cert>\n");
66 }
67 }
68 if (!ok) {
69 BIO_printf(bio_err, "verify error:num=%d:%s\n", err,
70 X509_verify_cert_error_string(err));
71 if (verify_args.depth < 0 || verify_args.depth >= depth) {
72 if (!verify_args.return_error)
73 ok = 1;
74 verify_args.error = err;
75 } else {
76 ok = 0;
77 verify_args.error = X509_V_ERR_CERT_CHAIN_TOO_LONG;
78 }
79 }
80 switch (err) {
81 case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
82 BIO_puts(bio_err, "issuer= ");
83 X509_NAME_print_ex(bio_err, X509_get_issuer_name(err_cert),
84 0, get_nameopt());
85 BIO_puts(bio_err, "\n");
86 break;
87 case X509_V_ERR_CERT_NOT_YET_VALID:
88 case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
89 BIO_printf(bio_err, "notBefore=");
90 ASN1_TIME_print(bio_err, X509_get0_notBefore(err_cert));
91 BIO_printf(bio_err, "\n");
92 break;
93 case X509_V_ERR_CERT_HAS_EXPIRED:
94 case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
95 BIO_printf(bio_err, "notAfter=");
96 ASN1_TIME_print(bio_err, X509_get0_notAfter(err_cert));
97 BIO_printf(bio_err, "\n");
98 break;
99 case X509_V_ERR_NO_EXPLICIT_POLICY:
100 if (!verify_args.quiet)
101 policies_print(ctx);
102 break;
103 }
104 if (err == X509_V_OK && ok == 2 && !verify_args.quiet)
105 policies_print(ctx);
106 if (ok && !verify_args.quiet)
107 BIO_printf(bio_err, "verify return:%d\n", ok);
108 return ok;
109 }
110
set_cert_stuff(SSL_CTX * ctx,char * cert_file,char * key_file)111 int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file)
112 {
113 if (cert_file != NULL) {
114 if (SSL_CTX_use_certificate_file(ctx, cert_file,
115 SSL_FILETYPE_PEM) <= 0) {
116 BIO_printf(bio_err, "unable to get certificate from '%s'\n",
117 cert_file);
118 ERR_print_errors(bio_err);
119 return 0;
120 }
121 if (key_file == NULL)
122 key_file = cert_file;
123 if (SSL_CTX_use_PrivateKey_file(ctx, key_file, SSL_FILETYPE_PEM) <= 0) {
124 BIO_printf(bio_err, "unable to get private key from '%s'\n",
125 key_file);
126 ERR_print_errors(bio_err);
127 return 0;
128 }
129
130 /*
131 * If we are using DSA, we can copy the parameters from the private
132 * key
133 */
134
135 /*
136 * Now we know that a key and cert have been set against the SSL
137 * context
138 */
139 if (!SSL_CTX_check_private_key(ctx)) {
140 BIO_printf(bio_err,
141 "Private key does not match the certificate public key\n");
142 return 0;
143 }
144 }
145 return 1;
146 }
147
set_cert_key_stuff(SSL_CTX * ctx,X509 * cert,EVP_PKEY * key,STACK_OF (X509)* chain,int build_chain)148 int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key,
149 STACK_OF(X509) *chain, int build_chain)
150 {
151 int chflags = chain ? SSL_BUILD_CHAIN_FLAG_CHECK : 0;
152 if (cert == NULL)
153 return 1;
154 if (SSL_CTX_use_certificate(ctx, cert) <= 0) {
155 BIO_printf(bio_err, "error setting certificate\n");
156 ERR_print_errors(bio_err);
157 return 0;
158 }
159
160 if (SSL_CTX_use_PrivateKey(ctx, key) <= 0) {
161 BIO_printf(bio_err, "error setting private key\n");
162 ERR_print_errors(bio_err);
163 return 0;
164 }
165
166 /*
167 * Now we know that a key and cert have been set against the SSL context
168 */
169 if (!SSL_CTX_check_private_key(ctx)) {
170 BIO_printf(bio_err,
171 "Private key does not match the certificate public key\n");
172 return 0;
173 }
174 if (chain && !SSL_CTX_set1_chain(ctx, chain)) {
175 BIO_printf(bio_err, "error setting certificate chain\n");
176 ERR_print_errors(bio_err);
177 return 0;
178 }
179 if (build_chain && !SSL_CTX_build_cert_chain(ctx, chflags)) {
180 BIO_printf(bio_err, "error building certificate chain\n");
181 ERR_print_errors(bio_err);
182 return 0;
183 }
184 return 1;
185 }
186
187 static STRINT_PAIR cert_type_list[] = {
188 {"RSA sign", TLS_CT_RSA_SIGN},
189 {"DSA sign", TLS_CT_DSS_SIGN},
190 {"RSA fixed DH", TLS_CT_RSA_FIXED_DH},
191 {"DSS fixed DH", TLS_CT_DSS_FIXED_DH},
192 {"ECDSA sign", TLS_CT_ECDSA_SIGN},
193 {"RSA fixed ECDH", TLS_CT_RSA_FIXED_ECDH},
194 {"ECDSA fixed ECDH", TLS_CT_ECDSA_FIXED_ECDH},
195 {"GOST01 Sign", TLS_CT_GOST01_SIGN},
196 {"GOST12 Sign", TLS_CT_GOST12_IANA_SIGN},
197 {NULL}
198 };
199
ssl_print_client_cert_types(BIO * bio,SSL * s)200 static void ssl_print_client_cert_types(BIO *bio, SSL *s)
201 {
202 const unsigned char *p;
203 int i;
204 int cert_type_num = SSL_get0_certificate_types(s, &p);
205 if (!cert_type_num)
206 return;
207 BIO_puts(bio, "Client Certificate Types: ");
208 for (i = 0; i < cert_type_num; i++) {
209 unsigned char cert_type = p[i];
210 const char *cname = lookup((int)cert_type, cert_type_list, NULL);
211
212 if (i)
213 BIO_puts(bio, ", ");
214 if (cname != NULL)
215 BIO_puts(bio, cname);
216 else
217 BIO_printf(bio, "UNKNOWN (%d),", cert_type);
218 }
219 BIO_puts(bio, "\n");
220 }
221
get_sigtype(int nid)222 static const char *get_sigtype(int nid)
223 {
224 switch (nid) {
225 case EVP_PKEY_RSA:
226 return "RSA";
227
228 case EVP_PKEY_RSA_PSS:
229 return "RSA-PSS";
230
231 case EVP_PKEY_DSA:
232 return "DSA";
233
234 case EVP_PKEY_EC:
235 return "ECDSA";
236
237 case NID_ED25519:
238 return "Ed25519";
239
240 case NID_ED448:
241 return "Ed448";
242
243 case NID_id_GostR3410_2001:
244 return "gost2001";
245
246 case NID_id_GostR3410_2012_256:
247 return "gost2012_256";
248
249 case NID_id_GostR3410_2012_512:
250 return "gost2012_512";
251
252 default:
253 return NULL;
254 }
255 }
256
do_print_sigalgs(BIO * out,SSL * s,int shared)257 static int do_print_sigalgs(BIO *out, SSL *s, int shared)
258 {
259 int i, nsig, client;
260 client = SSL_is_server(s) ? 0 : 1;
261 if (shared)
262 nsig = SSL_get_shared_sigalgs(s, 0, NULL, NULL, NULL, NULL, NULL);
263 else
264 nsig = SSL_get_sigalgs(s, -1, NULL, NULL, NULL, NULL, NULL);
265 if (nsig == 0)
266 return 1;
267
268 if (shared)
269 BIO_puts(out, "Shared ");
270
271 if (client)
272 BIO_puts(out, "Requested ");
273 BIO_puts(out, "Signature Algorithms: ");
274 for (i = 0; i < nsig; i++) {
275 int hash_nid, sign_nid;
276 unsigned char rhash, rsign;
277 const char *sstr = NULL;
278 if (shared)
279 SSL_get_shared_sigalgs(s, i, &sign_nid, &hash_nid, NULL,
280 &rsign, &rhash);
281 else
282 SSL_get_sigalgs(s, i, &sign_nid, &hash_nid, NULL, &rsign, &rhash);
283 if (i)
284 BIO_puts(out, ":");
285 sstr = get_sigtype(sign_nid);
286 if (sstr)
287 BIO_printf(out, "%s", sstr);
288 else
289 BIO_printf(out, "0x%02X", (int)rsign);
290 if (hash_nid != NID_undef)
291 BIO_printf(out, "+%s", OBJ_nid2sn(hash_nid));
292 else if (sstr == NULL)
293 BIO_printf(out, "+0x%02X", (int)rhash);
294 }
295 BIO_puts(out, "\n");
296 return 1;
297 }
298
ssl_print_sigalgs(BIO * out,SSL * s)299 int ssl_print_sigalgs(BIO *out, SSL *s)
300 {
301 int nid;
302 if (!SSL_is_server(s))
303 ssl_print_client_cert_types(out, s);
304 do_print_sigalgs(out, s, 0);
305 do_print_sigalgs(out, s, 1);
306 if (SSL_get_peer_signature_nid(s, &nid) && nid != NID_undef)
307 BIO_printf(out, "Peer signing digest: %s\n", OBJ_nid2sn(nid));
308 if (SSL_get_peer_signature_type_nid(s, &nid))
309 BIO_printf(out, "Peer signature type: %s\n", get_sigtype(nid));
310 return 1;
311 }
312
313 #ifndef OPENSSL_NO_EC
ssl_print_point_formats(BIO * out,SSL * s)314 int ssl_print_point_formats(BIO *out, SSL *s)
315 {
316 int i, nformats;
317 const char *pformats;
318 nformats = SSL_get0_ec_point_formats(s, &pformats);
319 if (nformats <= 0)
320 return 1;
321 BIO_puts(out, "Supported Elliptic Curve Point Formats: ");
322 for (i = 0; i < nformats; i++, pformats++) {
323 if (i)
324 BIO_puts(out, ":");
325 switch (*pformats) {
326 case TLSEXT_ECPOINTFORMAT_uncompressed:
327 BIO_puts(out, "uncompressed");
328 break;
329
330 case TLSEXT_ECPOINTFORMAT_ansiX962_compressed_prime:
331 BIO_puts(out, "ansiX962_compressed_prime");
332 break;
333
334 case TLSEXT_ECPOINTFORMAT_ansiX962_compressed_char2:
335 BIO_puts(out, "ansiX962_compressed_char2");
336 break;
337
338 default:
339 BIO_printf(out, "unknown(%d)", (int)*pformats);
340 break;
341
342 }
343 }
344 BIO_puts(out, "\n");
345 return 1;
346 }
347
ssl_print_groups(BIO * out,SSL * s,int noshared)348 int ssl_print_groups(BIO *out, SSL *s, int noshared)
349 {
350 int i, ngroups, *groups, nid;
351
352 ngroups = SSL_get1_groups(s, NULL);
353 if (ngroups <= 0)
354 return 1;
355 groups = app_malloc(ngroups * sizeof(int), "groups to print");
356 SSL_get1_groups(s, groups);
357
358 BIO_puts(out, "Supported groups: ");
359 for (i = 0; i < ngroups; i++) {
360 if (i)
361 BIO_puts(out, ":");
362 nid = groups[i];
363 BIO_printf(out, "%s", SSL_group_to_name(s, nid));
364 }
365 OPENSSL_free(groups);
366 if (noshared) {
367 BIO_puts(out, "\n");
368 return 1;
369 }
370 BIO_puts(out, "\nShared groups: ");
371 ngroups = SSL_get_shared_group(s, -1);
372 for (i = 0; i < ngroups; i++) {
373 if (i)
374 BIO_puts(out, ":");
375 nid = SSL_get_shared_group(s, i);
376 BIO_printf(out, "%s", SSL_group_to_name(s, nid));
377 }
378 if (ngroups == 0)
379 BIO_puts(out, "NONE");
380 BIO_puts(out, "\n");
381 return 1;
382 }
383 #endif
384
ssl_print_tmp_key(BIO * out,SSL * s)385 int ssl_print_tmp_key(BIO *out, SSL *s)
386 {
387 EVP_PKEY *key;
388
389 if (!SSL_get_peer_tmp_key(s, &key))
390 return 1;
391 BIO_puts(out, "Server Temp Key: ");
392 switch (EVP_PKEY_get_id(key)) {
393 case EVP_PKEY_RSA:
394 BIO_printf(out, "RSA, %d bits\n", EVP_PKEY_get_bits(key));
395 break;
396
397 case EVP_PKEY_DH:
398 BIO_printf(out, "DH, %d bits\n", EVP_PKEY_get_bits(key));
399 break;
400 #ifndef OPENSSL_NO_EC
401 case EVP_PKEY_EC:
402 {
403 char name[80];
404 size_t name_len;
405
406 if (!EVP_PKEY_get_utf8_string_param(key, OSSL_PKEY_PARAM_GROUP_NAME,
407 name, sizeof(name), &name_len))
408 strcpy(name, "?");
409 BIO_printf(out, "ECDH, %s, %d bits\n", name, EVP_PKEY_get_bits(key));
410 }
411 break;
412 #endif
413 default:
414 BIO_printf(out, "%s, %d bits\n", OBJ_nid2sn(EVP_PKEY_get_id(key)),
415 EVP_PKEY_get_bits(key));
416 }
417 EVP_PKEY_free(key);
418 return 1;
419 }
420
bio_dump_callback(BIO * bio,int cmd,const char * argp,size_t len,int argi,long argl,int ret,size_t * processed)421 long bio_dump_callback(BIO *bio, int cmd, const char *argp, size_t len,
422 int argi, long argl, int ret, size_t *processed)
423 {
424 BIO *out;
425
426 out = (BIO *)BIO_get_callback_arg(bio);
427 if (out == NULL)
428 return ret;
429
430 if (cmd == (BIO_CB_READ | BIO_CB_RETURN)) {
431 if (ret > 0 && processed != NULL) {
432 BIO_printf(out, "read from %p [%p] (%zu bytes => %zu (0x%zX))\n",
433 (void *)bio, (void *)argp, len, *processed, *processed);
434 BIO_dump(out, argp, (int)*processed);
435 } else {
436 BIO_printf(out, "read from %p [%p] (%zu bytes => %d)\n",
437 (void *)bio, (void *)argp, len, ret);
438 }
439 } else if (cmd == (BIO_CB_WRITE | BIO_CB_RETURN)) {
440 if (ret > 0 && processed != NULL) {
441 BIO_printf(out, "write to %p [%p] (%zu bytes => %zu (0x%zX))\n",
442 (void *)bio, (void *)argp, len, *processed, *processed);
443 BIO_dump(out, argp, (int)*processed);
444 } else {
445 BIO_printf(out, "write to %p [%p] (%zu bytes => %d)\n",
446 (void *)bio, (void *)argp, len, ret);
447 }
448 }
449 return ret;
450 }
451
apps_ssl_info_callback(const SSL * s,int where,int ret)452 void apps_ssl_info_callback(const SSL *s, int where, int ret)
453 {
454 const char *str;
455 int w;
456
457 w = where & ~SSL_ST_MASK;
458
459 if (w & SSL_ST_CONNECT)
460 str = "SSL_connect";
461 else if (w & SSL_ST_ACCEPT)
462 str = "SSL_accept";
463 else
464 str = "undefined";
465
466 if (where & SSL_CB_LOOP) {
467 BIO_printf(bio_err, "%s:%s\n", str, SSL_state_string_long(s));
468 } else if (where & SSL_CB_ALERT) {
469 str = (where & SSL_CB_READ) ? "read" : "write";
470 BIO_printf(bio_err, "SSL3 alert %s:%s:%s\n",
471 str,
472 SSL_alert_type_string_long(ret),
473 SSL_alert_desc_string_long(ret));
474 } else if (where & SSL_CB_EXIT) {
475 if (ret == 0)
476 BIO_printf(bio_err, "%s:failed in %s\n",
477 str, SSL_state_string_long(s));
478 else if (ret < 0)
479 BIO_printf(bio_err, "%s:error in %s\n",
480 str, SSL_state_string_long(s));
481 }
482 }
483
484 static STRINT_PAIR ssl_versions[] = {
485 {"SSL 3.0", SSL3_VERSION},
486 {"TLS 1.0", TLS1_VERSION},
487 {"TLS 1.1", TLS1_1_VERSION},
488 {"TLS 1.2", TLS1_2_VERSION},
489 {"TLS 1.3", TLS1_3_VERSION},
490 {"DTLS 1.0", DTLS1_VERSION},
491 {"DTLS 1.0 (bad)", DTLS1_BAD_VER},
492 {NULL}
493 };
494
495 static STRINT_PAIR alert_types[] = {
496 {" close_notify", 0},
497 {" end_of_early_data", 1},
498 {" unexpected_message", 10},
499 {" bad_record_mac", 20},
500 {" decryption_failed", 21},
501 {" record_overflow", 22},
502 {" decompression_failure", 30},
503 {" handshake_failure", 40},
504 {" bad_certificate", 42},
505 {" unsupported_certificate", 43},
506 {" certificate_revoked", 44},
507 {" certificate_expired", 45},
508 {" certificate_unknown", 46},
509 {" illegal_parameter", 47},
510 {" unknown_ca", 48},
511 {" access_denied", 49},
512 {" decode_error", 50},
513 {" decrypt_error", 51},
514 {" export_restriction", 60},
515 {" protocol_version", 70},
516 {" insufficient_security", 71},
517 {" internal_error", 80},
518 {" inappropriate_fallback", 86},
519 {" user_canceled", 90},
520 {" no_renegotiation", 100},
521 {" missing_extension", 109},
522 {" unsupported_extension", 110},
523 {" certificate_unobtainable", 111},
524 {" unrecognized_name", 112},
525 {" bad_certificate_status_response", 113},
526 {" bad_certificate_hash_value", 114},
527 {" unknown_psk_identity", 115},
528 {" certificate_required", 116},
529 {NULL}
530 };
531
532 static STRINT_PAIR handshakes[] = {
533 {", HelloRequest", SSL3_MT_HELLO_REQUEST},
534 {", ClientHello", SSL3_MT_CLIENT_HELLO},
535 {", ServerHello", SSL3_MT_SERVER_HELLO},
536 {", HelloVerifyRequest", DTLS1_MT_HELLO_VERIFY_REQUEST},
537 {", NewSessionTicket", SSL3_MT_NEWSESSION_TICKET},
538 {", EndOfEarlyData", SSL3_MT_END_OF_EARLY_DATA},
539 {", EncryptedExtensions", SSL3_MT_ENCRYPTED_EXTENSIONS},
540 {", Certificate", SSL3_MT_CERTIFICATE},
541 {", ServerKeyExchange", SSL3_MT_SERVER_KEY_EXCHANGE},
542 {", CertificateRequest", SSL3_MT_CERTIFICATE_REQUEST},
543 {", ServerHelloDone", SSL3_MT_SERVER_DONE},
544 {", CertificateVerify", SSL3_MT_CERTIFICATE_VERIFY},
545 {", ClientKeyExchange", SSL3_MT_CLIENT_KEY_EXCHANGE},
546 {", Finished", SSL3_MT_FINISHED},
547 {", CertificateUrl", SSL3_MT_CERTIFICATE_URL},
548 {", CertificateStatus", SSL3_MT_CERTIFICATE_STATUS},
549 {", SupplementalData", SSL3_MT_SUPPLEMENTAL_DATA},
550 {", KeyUpdate", SSL3_MT_KEY_UPDATE},
551 #ifndef OPENSSL_NO_NEXTPROTONEG
552 {", NextProto", SSL3_MT_NEXT_PROTO},
553 #endif
554 {", MessageHash", SSL3_MT_MESSAGE_HASH},
555 {NULL}
556 };
557
msg_cb(int write_p,int version,int content_type,const void * buf,size_t len,SSL * ssl,void * arg)558 void msg_cb(int write_p, int version, int content_type, const void *buf,
559 size_t len, SSL *ssl, void *arg)
560 {
561 BIO *bio = arg;
562 const char *str_write_p = write_p ? ">>>" : "<<<";
563 char tmpbuf[128];
564 const char *str_version, *str_content_type = "", *str_details1 = "", *str_details2 = "";
565 const unsigned char* bp = buf;
566
567 if (version == SSL3_VERSION ||
568 version == TLS1_VERSION ||
569 version == TLS1_1_VERSION ||
570 version == TLS1_2_VERSION ||
571 version == TLS1_3_VERSION ||
572 version == DTLS1_VERSION || version == DTLS1_BAD_VER) {
573 str_version = lookup(version, ssl_versions, "???");
574 switch (content_type) {
575 case SSL3_RT_CHANGE_CIPHER_SPEC:
576 /* type 20 */
577 str_content_type = ", ChangeCipherSpec";
578 break;
579 case SSL3_RT_ALERT:
580 /* type 21 */
581 str_content_type = ", Alert";
582 str_details1 = ", ???";
583 if (len == 2) {
584 switch (bp[0]) {
585 case 1:
586 str_details1 = ", warning";
587 break;
588 case 2:
589 str_details1 = ", fatal";
590 break;
591 }
592 str_details2 = lookup((int)bp[1], alert_types, " ???");
593 }
594 break;
595 case SSL3_RT_HANDSHAKE:
596 /* type 22 */
597 str_content_type = ", Handshake";
598 str_details1 = "???";
599 if (len > 0)
600 str_details1 = lookup((int)bp[0], handshakes, "???");
601 break;
602 case SSL3_RT_APPLICATION_DATA:
603 /* type 23 */
604 str_content_type = ", ApplicationData";
605 break;
606 case SSL3_RT_HEADER:
607 /* type 256 */
608 str_content_type = ", RecordHeader";
609 break;
610 case SSL3_RT_INNER_CONTENT_TYPE:
611 /* type 257 */
612 str_content_type = ", InnerContent";
613 break;
614 default:
615 BIO_snprintf(tmpbuf, sizeof(tmpbuf)-1, ", Unknown (content_type=%d)", content_type);
616 str_content_type = tmpbuf;
617 }
618 } else {
619 BIO_snprintf(tmpbuf, sizeof(tmpbuf)-1, "Not TLS data or unknown version (version=%d, content_type=%d)", version, content_type);
620 str_version = tmpbuf;
621 }
622
623 BIO_printf(bio, "%s %s%s [length %04lx]%s%s\n", str_write_p, str_version,
624 str_content_type, (unsigned long)len, str_details1,
625 str_details2);
626
627 if (len > 0) {
628 size_t num, i;
629
630 BIO_printf(bio, " ");
631 num = len;
632 for (i = 0; i < num; i++) {
633 if (i % 16 == 0 && i > 0)
634 BIO_printf(bio, "\n ");
635 BIO_printf(bio, " %02x", ((const unsigned char *)buf)[i]);
636 }
637 if (i < len)
638 BIO_printf(bio, " ...");
639 BIO_printf(bio, "\n");
640 }
641 (void)BIO_flush(bio);
642 }
643
644 static STRINT_PAIR tlsext_types[] = {
645 {"server name", TLSEXT_TYPE_server_name},
646 {"max fragment length", TLSEXT_TYPE_max_fragment_length},
647 {"client certificate URL", TLSEXT_TYPE_client_certificate_url},
648 {"trusted CA keys", TLSEXT_TYPE_trusted_ca_keys},
649 {"truncated HMAC", TLSEXT_TYPE_truncated_hmac},
650 {"status request", TLSEXT_TYPE_status_request},
651 {"user mapping", TLSEXT_TYPE_user_mapping},
652 {"client authz", TLSEXT_TYPE_client_authz},
653 {"server authz", TLSEXT_TYPE_server_authz},
654 {"cert type", TLSEXT_TYPE_cert_type},
655 {"supported_groups", TLSEXT_TYPE_supported_groups},
656 {"EC point formats", TLSEXT_TYPE_ec_point_formats},
657 {"SRP", TLSEXT_TYPE_srp},
658 {"signature algorithms", TLSEXT_TYPE_signature_algorithms},
659 {"use SRTP", TLSEXT_TYPE_use_srtp},
660 {"session ticket", TLSEXT_TYPE_session_ticket},
661 {"renegotiation info", TLSEXT_TYPE_renegotiate},
662 {"signed certificate timestamps", TLSEXT_TYPE_signed_certificate_timestamp},
663 {"TLS padding", TLSEXT_TYPE_padding},
664 #ifdef TLSEXT_TYPE_next_proto_neg
665 {"next protocol", TLSEXT_TYPE_next_proto_neg},
666 #endif
667 #ifdef TLSEXT_TYPE_encrypt_then_mac
668 {"encrypt-then-mac", TLSEXT_TYPE_encrypt_then_mac},
669 #endif
670 #ifdef TLSEXT_TYPE_application_layer_protocol_negotiation
671 {"application layer protocol negotiation",
672 TLSEXT_TYPE_application_layer_protocol_negotiation},
673 #endif
674 #ifdef TLSEXT_TYPE_extended_master_secret
675 {"extended master secret", TLSEXT_TYPE_extended_master_secret},
676 #endif
677 {"key share", TLSEXT_TYPE_key_share},
678 {"supported versions", TLSEXT_TYPE_supported_versions},
679 {"psk", TLSEXT_TYPE_psk},
680 {"psk kex modes", TLSEXT_TYPE_psk_kex_modes},
681 {"certificate authorities", TLSEXT_TYPE_certificate_authorities},
682 {"post handshake auth", TLSEXT_TYPE_post_handshake_auth},
683 {NULL}
684 };
685
686 /* from rfc8446 4.2.3. + gost (https://tools.ietf.org/id/draft-smyshlyaev-tls12-gost-suites-04.html) */
687 static STRINT_PAIR signature_tls13_scheme_list[] = {
688 {"rsa_pkcs1_sha1", 0x0201 /* TLSEXT_SIGALG_rsa_pkcs1_sha1 */},
689 {"ecdsa_sha1", 0x0203 /* TLSEXT_SIGALG_ecdsa_sha1 */},
690 /* {"rsa_pkcs1_sha224", 0x0301 TLSEXT_SIGALG_rsa_pkcs1_sha224}, not in rfc8446 */
691 /* {"ecdsa_sha224", 0x0303 TLSEXT_SIGALG_ecdsa_sha224} not in rfc8446 */
692 {"rsa_pkcs1_sha256", 0x0401 /* TLSEXT_SIGALG_rsa_pkcs1_sha256 */},
693 {"ecdsa_secp256r1_sha256", 0x0403 /* TLSEXT_SIGALG_ecdsa_secp256r1_sha256 */},
694 {"rsa_pkcs1_sha384", 0x0501 /* TLSEXT_SIGALG_rsa_pkcs1_sha384 */},
695 {"ecdsa_secp384r1_sha384", 0x0503 /* TLSEXT_SIGALG_ecdsa_secp384r1_sha384 */},
696 {"rsa_pkcs1_sha512", 0x0601 /* TLSEXT_SIGALG_rsa_pkcs1_sha512 */},
697 {"ecdsa_secp521r1_sha512", 0x0603 /* TLSEXT_SIGALG_ecdsa_secp521r1_sha512 */},
698 {"rsa_pss_rsae_sha256", 0x0804 /* TLSEXT_SIGALG_rsa_pss_rsae_sha256 */},
699 {"rsa_pss_rsae_sha384", 0x0805 /* TLSEXT_SIGALG_rsa_pss_rsae_sha384 */},
700 {"rsa_pss_rsae_sha512", 0x0806 /* TLSEXT_SIGALG_rsa_pss_rsae_sha512 */},
701 {"ed25519", 0x0807 /* TLSEXT_SIGALG_ed25519 */},
702 {"ed448", 0x0808 /* TLSEXT_SIGALG_ed448 */},
703 {"rsa_pss_pss_sha256", 0x0809 /* TLSEXT_SIGALG_rsa_pss_pss_sha256 */},
704 {"rsa_pss_pss_sha384", 0x080a /* TLSEXT_SIGALG_rsa_pss_pss_sha384 */},
705 {"rsa_pss_pss_sha512", 0x080b /* TLSEXT_SIGALG_rsa_pss_pss_sha512 */},
706 {"gostr34102001", 0xeded /* TLSEXT_SIGALG_gostr34102001_gostr3411 */},
707 {"gostr34102012_256", 0xeeee /* TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256 */},
708 {"gostr34102012_512", 0xefef /* TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512 */},
709 {NULL}
710 };
711
712 /* from rfc5246 7.4.1.4.1. */
713 static STRINT_PAIR signature_tls12_alg_list[] = {
714 {"anonymous", TLSEXT_signature_anonymous /* 0 */},
715 {"RSA", TLSEXT_signature_rsa /* 1 */},
716 {"DSA", TLSEXT_signature_dsa /* 2 */},
717 {"ECDSA", TLSEXT_signature_ecdsa /* 3 */},
718 {NULL}
719 };
720
721 /* from rfc5246 7.4.1.4.1. */
722 static STRINT_PAIR signature_tls12_hash_list[] = {
723 {"none", TLSEXT_hash_none /* 0 */},
724 {"MD5", TLSEXT_hash_md5 /* 1 */},
725 {"SHA1", TLSEXT_hash_sha1 /* 2 */},
726 {"SHA224", TLSEXT_hash_sha224 /* 3 */},
727 {"SHA256", TLSEXT_hash_sha256 /* 4 */},
728 {"SHA384", TLSEXT_hash_sha384 /* 5 */},
729 {"SHA512", TLSEXT_hash_sha512 /* 6 */},
730 {NULL}
731 };
732
tlsext_cb(SSL * s,int client_server,int type,const unsigned char * data,int len,void * arg)733 void tlsext_cb(SSL *s, int client_server, int type,
734 const unsigned char *data, int len, void *arg)
735 {
736 BIO *bio = arg;
737 const char *extname = lookup(type, tlsext_types, "unknown");
738
739 BIO_printf(bio, "TLS %s extension \"%s\" (id=%d), len=%d\n",
740 client_server ? "server" : "client", extname, type, len);
741 BIO_dump(bio, (const char *)data, len);
742 (void)BIO_flush(bio);
743 }
744
745 #ifndef OPENSSL_NO_SOCK
generate_stateless_cookie_callback(SSL * ssl,unsigned char * cookie,size_t * cookie_len)746 int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
747 size_t *cookie_len)
748 {
749 unsigned char *buffer = NULL;
750 size_t length = 0;
751 unsigned short port;
752 BIO_ADDR *lpeer = NULL, *peer = NULL;
753 int res = 0;
754
755 /* Initialize a random secret */
756 if (!cookie_initialized) {
757 if (RAND_bytes(cookie_secret, COOKIE_SECRET_LENGTH) <= 0) {
758 BIO_printf(bio_err, "error setting random cookie secret\n");
759 return 0;
760 }
761 cookie_initialized = 1;
762 }
763
764 if (SSL_is_dtls(ssl)) {
765 lpeer = peer = BIO_ADDR_new();
766 if (peer == NULL) {
767 BIO_printf(bio_err, "memory full\n");
768 return 0;
769 }
770
771 /* Read peer information */
772 (void)BIO_dgram_get_peer(SSL_get_rbio(ssl), peer);
773 } else {
774 peer = ourpeer;
775 }
776
777 /* Create buffer with peer's address and port */
778 if (!BIO_ADDR_rawaddress(peer, NULL, &length)) {
779 BIO_printf(bio_err, "Failed getting peer address\n");
780 BIO_ADDR_free(lpeer);
781 return 0;
782 }
783 OPENSSL_assert(length != 0);
784 port = BIO_ADDR_rawport(peer);
785 length += sizeof(port);
786 buffer = app_malloc(length, "cookie generate buffer");
787
788 memcpy(buffer, &port, sizeof(port));
789 BIO_ADDR_rawaddress(peer, buffer + sizeof(port), NULL);
790
791 if (EVP_Q_mac(NULL, "HMAC", NULL, "SHA1", NULL,
792 cookie_secret, COOKIE_SECRET_LENGTH, buffer, length,
793 cookie, DTLS1_COOKIE_LENGTH, cookie_len) == NULL) {
794 BIO_printf(bio_err,
795 "Error calculating HMAC-SHA1 of buffer with secret\n");
796 goto end;
797 }
798 res = 1;
799 end:
800 OPENSSL_free(buffer);
801 BIO_ADDR_free(lpeer);
802
803 return res;
804 }
805
verify_stateless_cookie_callback(SSL * ssl,const unsigned char * cookie,size_t cookie_len)806 int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
807 size_t cookie_len)
808 {
809 unsigned char result[EVP_MAX_MD_SIZE];
810 size_t resultlength;
811
812 /* Note: we check cookie_initialized because if it's not,
813 * it cannot be valid */
814 if (cookie_initialized
815 && generate_stateless_cookie_callback(ssl, result, &resultlength)
816 && cookie_len == resultlength
817 && memcmp(result, cookie, resultlength) == 0)
818 return 1;
819
820 return 0;
821 }
822
generate_cookie_callback(SSL * ssl,unsigned char * cookie,unsigned int * cookie_len)823 int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
824 unsigned int *cookie_len)
825 {
826 size_t temp = 0;
827 int res = generate_stateless_cookie_callback(ssl, cookie, &temp);
828
829 if (res != 0)
830 *cookie_len = (unsigned int)temp;
831 return res;
832 }
833
verify_cookie_callback(SSL * ssl,const unsigned char * cookie,unsigned int cookie_len)834 int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
835 unsigned int cookie_len)
836 {
837 return verify_stateless_cookie_callback(ssl, cookie, cookie_len);
838 }
839
840 #endif
841
842 /*
843 * Example of extended certificate handling. Where the standard support of
844 * one certificate per algorithm is not sufficient an application can decide
845 * which certificate(s) to use at runtime based on whatever criteria it deems
846 * appropriate.
847 */
848
849 /* Linked list of certificates, keys and chains */
850 struct ssl_excert_st {
851 int certform;
852 const char *certfile;
853 int keyform;
854 const char *keyfile;
855 const char *chainfile;
856 X509 *cert;
857 EVP_PKEY *key;
858 STACK_OF(X509) *chain;
859 int build_chain;
860 struct ssl_excert_st *next, *prev;
861 };
862
863 static STRINT_PAIR chain_flags[] = {
864 {"Overall Validity", CERT_PKEY_VALID},
865 {"Sign with EE key", CERT_PKEY_SIGN},
866 {"EE signature", CERT_PKEY_EE_SIGNATURE},
867 {"CA signature", CERT_PKEY_CA_SIGNATURE},
868 {"EE key parameters", CERT_PKEY_EE_PARAM},
869 {"CA key parameters", CERT_PKEY_CA_PARAM},
870 {"Explicitly sign with EE key", CERT_PKEY_EXPLICIT_SIGN},
871 {"Issuer Name", CERT_PKEY_ISSUER_NAME},
872 {"Certificate Type", CERT_PKEY_CERT_TYPE},
873 {NULL}
874 };
875
print_chain_flags(SSL * s,int flags)876 static void print_chain_flags(SSL *s, int flags)
877 {
878 STRINT_PAIR *pp;
879
880 for (pp = chain_flags; pp->name; ++pp)
881 BIO_printf(bio_err, "\t%s: %s\n",
882 pp->name,
883 (flags & pp->retval) ? "OK" : "NOT OK");
884 BIO_printf(bio_err, "\tSuite B: ");
885 if (SSL_set_cert_flags(s, 0) & SSL_CERT_FLAG_SUITEB_128_LOS)
886 BIO_puts(bio_err, flags & CERT_PKEY_SUITEB ? "OK\n" : "NOT OK\n");
887 else
888 BIO_printf(bio_err, "not tested\n");
889 }
890
891 /*
892 * Very basic selection callback: just use any certificate chain reported as
893 * valid. More sophisticated could prioritise according to local policy.
894 */
set_cert_cb(SSL * ssl,void * arg)895 static int set_cert_cb(SSL *ssl, void *arg)
896 {
897 int i, rv;
898 SSL_EXCERT *exc = arg;
899 #ifdef CERT_CB_TEST_RETRY
900 static int retry_cnt;
901 if (retry_cnt < 5) {
902 retry_cnt++;
903 BIO_printf(bio_err,
904 "Certificate callback retry test: count %d\n",
905 retry_cnt);
906 return -1;
907 }
908 #endif
909 SSL_certs_clear(ssl);
910
911 if (exc == NULL)
912 return 1;
913
914 /*
915 * Go to end of list and traverse backwards since we prepend newer
916 * entries this retains the original order.
917 */
918 while (exc->next != NULL)
919 exc = exc->next;
920
921 i = 0;
922
923 while (exc != NULL) {
924 i++;
925 rv = SSL_check_chain(ssl, exc->cert, exc->key, exc->chain);
926 BIO_printf(bio_err, "Checking cert chain %d:\nSubject: ", i);
927 X509_NAME_print_ex(bio_err, X509_get_subject_name(exc->cert), 0,
928 get_nameopt());
929 BIO_puts(bio_err, "\n");
930 print_chain_flags(ssl, rv);
931 if (rv & CERT_PKEY_VALID) {
932 if (!SSL_use_certificate(ssl, exc->cert)
933 || !SSL_use_PrivateKey(ssl, exc->key)) {
934 return 0;
935 }
936 /*
937 * NB: we wouldn't normally do this as it is not efficient
938 * building chains on each connection better to cache the chain
939 * in advance.
940 */
941 if (exc->build_chain) {
942 if (!SSL_build_cert_chain(ssl, 0))
943 return 0;
944 } else if (exc->chain != NULL) {
945 if (!SSL_set1_chain(ssl, exc->chain))
946 return 0;
947 }
948 }
949 exc = exc->prev;
950 }
951 return 1;
952 }
953
ssl_ctx_set_excert(SSL_CTX * ctx,SSL_EXCERT * exc)954 void ssl_ctx_set_excert(SSL_CTX *ctx, SSL_EXCERT *exc)
955 {
956 SSL_CTX_set_cert_cb(ctx, set_cert_cb, exc);
957 }
958
ssl_excert_prepend(SSL_EXCERT ** pexc)959 static int ssl_excert_prepend(SSL_EXCERT **pexc)
960 {
961 SSL_EXCERT *exc = app_malloc(sizeof(*exc), "prepend cert");
962
963 memset(exc, 0, sizeof(*exc));
964
965 exc->next = *pexc;
966 *pexc = exc;
967
968 if (exc->next) {
969 exc->certform = exc->next->certform;
970 exc->keyform = exc->next->keyform;
971 exc->next->prev = exc;
972 } else {
973 exc->certform = FORMAT_PEM;
974 exc->keyform = FORMAT_PEM;
975 }
976 return 1;
977
978 }
979
ssl_excert_free(SSL_EXCERT * exc)980 void ssl_excert_free(SSL_EXCERT *exc)
981 {
982 SSL_EXCERT *curr;
983
984 if (exc == NULL)
985 return;
986 while (exc) {
987 X509_free(exc->cert);
988 EVP_PKEY_free(exc->key);
989 sk_X509_pop_free(exc->chain, X509_free);
990 curr = exc;
991 exc = exc->next;
992 OPENSSL_free(curr);
993 }
994 }
995
load_excert(SSL_EXCERT ** pexc)996 int load_excert(SSL_EXCERT **pexc)
997 {
998 SSL_EXCERT *exc = *pexc;
999 if (exc == NULL)
1000 return 1;
1001 /* If nothing in list, free and set to NULL */
1002 if (exc->certfile == NULL && exc->next == NULL) {
1003 ssl_excert_free(exc);
1004 *pexc = NULL;
1005 return 1;
1006 }
1007 for (; exc; exc = exc->next) {
1008 if (exc->certfile == NULL) {
1009 BIO_printf(bio_err, "Missing filename\n");
1010 return 0;
1011 }
1012 exc->cert = load_cert(exc->certfile, exc->certform,
1013 "Server Certificate");
1014 if (exc->cert == NULL)
1015 return 0;
1016 if (exc->keyfile != NULL) {
1017 exc->key = load_key(exc->keyfile, exc->keyform,
1018 0, NULL, NULL, "server key");
1019 } else {
1020 exc->key = load_key(exc->certfile, exc->certform,
1021 0, NULL, NULL, "server key");
1022 }
1023 if (exc->key == NULL)
1024 return 0;
1025 if (exc->chainfile != NULL) {
1026 if (!load_certs(exc->chainfile, 0, &exc->chain, NULL, "server chain"))
1027 return 0;
1028 }
1029 }
1030 return 1;
1031 }
1032
1033 enum range { OPT_X_ENUM };
1034
args_excert(int opt,SSL_EXCERT ** pexc)1035 int args_excert(int opt, SSL_EXCERT **pexc)
1036 {
1037 SSL_EXCERT *exc = *pexc;
1038
1039 assert(opt > OPT_X__FIRST);
1040 assert(opt < OPT_X__LAST);
1041
1042 if (exc == NULL) {
1043 if (!ssl_excert_prepend(&exc)) {
1044 BIO_printf(bio_err, " %s: Error initialising xcert\n",
1045 opt_getprog());
1046 goto err;
1047 }
1048 *pexc = exc;
1049 }
1050
1051 switch ((enum range)opt) {
1052 case OPT_X__FIRST:
1053 case OPT_X__LAST:
1054 return 0;
1055 case OPT_X_CERT:
1056 if (exc->certfile != NULL && !ssl_excert_prepend(&exc)) {
1057 BIO_printf(bio_err, "%s: Error adding xcert\n", opt_getprog());
1058 goto err;
1059 }
1060 *pexc = exc;
1061 exc->certfile = opt_arg();
1062 break;
1063 case OPT_X_KEY:
1064 if (exc->keyfile != NULL) {
1065 BIO_printf(bio_err, "%s: Key already specified\n", opt_getprog());
1066 goto err;
1067 }
1068 exc->keyfile = opt_arg();
1069 break;
1070 case OPT_X_CHAIN:
1071 if (exc->chainfile != NULL) {
1072 BIO_printf(bio_err, "%s: Chain already specified\n",
1073 opt_getprog());
1074 goto err;
1075 }
1076 exc->chainfile = opt_arg();
1077 break;
1078 case OPT_X_CHAIN_BUILD:
1079 exc->build_chain = 1;
1080 break;
1081 case OPT_X_CERTFORM:
1082 if (!opt_format(opt_arg(), OPT_FMT_ANY, &exc->certform))
1083 return 0;
1084 break;
1085 case OPT_X_KEYFORM:
1086 if (!opt_format(opt_arg(), OPT_FMT_ANY, &exc->keyform))
1087 return 0;
1088 break;
1089 }
1090 return 1;
1091
1092 err:
1093 ERR_print_errors(bio_err);
1094 ssl_excert_free(exc);
1095 *pexc = NULL;
1096 return 0;
1097 }
1098
print_raw_cipherlist(SSL * s)1099 static void print_raw_cipherlist(SSL *s)
1100 {
1101 const unsigned char *rlist;
1102 static const unsigned char scsv_id[] = { 0, 0xFF };
1103 size_t i, rlistlen, num;
1104 if (!SSL_is_server(s))
1105 return;
1106 num = SSL_get0_raw_cipherlist(s, NULL);
1107 OPENSSL_assert(num == 2);
1108 rlistlen = SSL_get0_raw_cipherlist(s, &rlist);
1109 BIO_puts(bio_err, "Client cipher list: ");
1110 for (i = 0; i < rlistlen; i += num, rlist += num) {
1111 const SSL_CIPHER *c = SSL_CIPHER_find(s, rlist);
1112 if (i)
1113 BIO_puts(bio_err, ":");
1114 if (c != NULL) {
1115 BIO_puts(bio_err, SSL_CIPHER_get_name(c));
1116 } else if (memcmp(rlist, scsv_id, num) == 0) {
1117 BIO_puts(bio_err, "SCSV");
1118 } else {
1119 size_t j;
1120 BIO_puts(bio_err, "0x");
1121 for (j = 0; j < num; j++)
1122 BIO_printf(bio_err, "%02X", rlist[j]);
1123 }
1124 }
1125 BIO_puts(bio_err, "\n");
1126 }
1127
1128 /*
1129 * Hex encoder for TLSA RRdata, not ':' delimited.
1130 */
hexencode(const unsigned char * data,size_t len)1131 static char *hexencode(const unsigned char *data, size_t len)
1132 {
1133 static const char *hex = "0123456789abcdef";
1134 char *out;
1135 char *cp;
1136 size_t outlen = 2 * len + 1;
1137 int ilen = (int) outlen;
1138
1139 if (outlen < len || ilen < 0 || outlen != (size_t)ilen) {
1140 BIO_printf(bio_err, "%s: %zu-byte buffer too large to hexencode\n",
1141 opt_getprog(), len);
1142 exit(1);
1143 }
1144 cp = out = app_malloc(ilen, "TLSA hex data buffer");
1145
1146 while (len-- > 0) {
1147 *cp++ = hex[(*data >> 4) & 0x0f];
1148 *cp++ = hex[*data++ & 0x0f];
1149 }
1150 *cp = '\0';
1151 return out;
1152 }
1153
print_verify_detail(SSL * s,BIO * bio)1154 void print_verify_detail(SSL *s, BIO *bio)
1155 {
1156 int mdpth;
1157 EVP_PKEY *mspki;
1158 long verify_err = SSL_get_verify_result(s);
1159
1160 if (verify_err == X509_V_OK) {
1161 const char *peername = SSL_get0_peername(s);
1162
1163 BIO_printf(bio, "Verification: OK\n");
1164 if (peername != NULL)
1165 BIO_printf(bio, "Verified peername: %s\n", peername);
1166 } else {
1167 const char *reason = X509_verify_cert_error_string(verify_err);
1168
1169 BIO_printf(bio, "Verification error: %s\n", reason);
1170 }
1171
1172 if ((mdpth = SSL_get0_dane_authority(s, NULL, &mspki)) >= 0) {
1173 uint8_t usage, selector, mtype;
1174 const unsigned char *data = NULL;
1175 size_t dlen = 0;
1176 char *hexdata;
1177
1178 mdpth = SSL_get0_dane_tlsa(s, &usage, &selector, &mtype, &data, &dlen);
1179
1180 /*
1181 * The TLSA data field can be quite long when it is a certificate,
1182 * public key or even a SHA2-512 digest. Because the initial octets of
1183 * ASN.1 certificates and public keys contain mostly boilerplate OIDs
1184 * and lengths, we show the last 12 bytes of the data instead, as these
1185 * are more likely to distinguish distinct TLSA records.
1186 */
1187 #define TLSA_TAIL_SIZE 12
1188 if (dlen > TLSA_TAIL_SIZE)
1189 hexdata = hexencode(data + dlen - TLSA_TAIL_SIZE, TLSA_TAIL_SIZE);
1190 else
1191 hexdata = hexencode(data, dlen);
1192 BIO_printf(bio, "DANE TLSA %d %d %d %s%s %s at depth %d\n",
1193 usage, selector, mtype,
1194 (dlen > TLSA_TAIL_SIZE) ? "..." : "", hexdata,
1195 (mspki != NULL) ? "signed the certificate" :
1196 mdpth ? "matched TA certificate" : "matched EE certificate",
1197 mdpth);
1198 OPENSSL_free(hexdata);
1199 }
1200 }
1201
print_ssl_summary(SSL * s)1202 void print_ssl_summary(SSL *s)
1203 {
1204 const SSL_CIPHER *c;
1205 X509 *peer;
1206
1207 BIO_printf(bio_err, "Protocol version: %s\n", SSL_get_version(s));
1208 print_raw_cipherlist(s);
1209 c = SSL_get_current_cipher(s);
1210 BIO_printf(bio_err, "Ciphersuite: %s\n", SSL_CIPHER_get_name(c));
1211 do_print_sigalgs(bio_err, s, 0);
1212 peer = SSL_get0_peer_certificate(s);
1213 if (peer != NULL) {
1214 int nid;
1215
1216 BIO_puts(bio_err, "Peer certificate: ");
1217 X509_NAME_print_ex(bio_err, X509_get_subject_name(peer),
1218 0, get_nameopt());
1219 BIO_puts(bio_err, "\n");
1220 if (SSL_get_peer_signature_nid(s, &nid))
1221 BIO_printf(bio_err, "Hash used: %s\n", OBJ_nid2sn(nid));
1222 if (SSL_get_peer_signature_type_nid(s, &nid))
1223 BIO_printf(bio_err, "Signature type: %s\n", get_sigtype(nid));
1224 print_verify_detail(s, bio_err);
1225 } else {
1226 BIO_puts(bio_err, "No peer certificate\n");
1227 }
1228 #ifndef OPENSSL_NO_EC
1229 ssl_print_point_formats(bio_err, s);
1230 if (SSL_is_server(s))
1231 ssl_print_groups(bio_err, s, 1);
1232 else
1233 ssl_print_tmp_key(bio_err, s);
1234 #else
1235 if (!SSL_is_server(s))
1236 ssl_print_tmp_key(bio_err, s);
1237 #endif
1238 }
1239
config_ctx(SSL_CONF_CTX * cctx,STACK_OF (OPENSSL_STRING)* str,SSL_CTX * ctx)1240 int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str,
1241 SSL_CTX *ctx)
1242 {
1243 int i;
1244
1245 SSL_CONF_CTX_set_ssl_ctx(cctx, ctx);
1246 for (i = 0; i < sk_OPENSSL_STRING_num(str); i += 2) {
1247 const char *flag = sk_OPENSSL_STRING_value(str, i);
1248 const char *arg = sk_OPENSSL_STRING_value(str, i + 1);
1249
1250 if (SSL_CONF_cmd(cctx, flag, arg) <= 0) {
1251 BIO_printf(bio_err, "Call to SSL_CONF_cmd(%s, %s) failed\n",
1252 flag, arg == NULL ? "<NULL>" : arg);
1253 ERR_print_errors(bio_err);
1254 return 0;
1255 }
1256 }
1257 if (!SSL_CONF_CTX_finish(cctx)) {
1258 BIO_puts(bio_err, "Error finishing context\n");
1259 ERR_print_errors(bio_err);
1260 return 0;
1261 }
1262 return 1;
1263 }
1264
add_crls_store(X509_STORE * st,STACK_OF (X509_CRL)* crls)1265 static int add_crls_store(X509_STORE *st, STACK_OF(X509_CRL) *crls)
1266 {
1267 X509_CRL *crl;
1268 int i, ret = 1;
1269
1270 for (i = 0; i < sk_X509_CRL_num(crls); i++) {
1271 crl = sk_X509_CRL_value(crls, i);
1272 if (!X509_STORE_add_crl(st, crl))
1273 ret = 0;
1274 }
1275 return ret;
1276 }
1277
ssl_ctx_add_crls(SSL_CTX * ctx,STACK_OF (X509_CRL)* crls,int crl_download)1278 int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls, int crl_download)
1279 {
1280 X509_STORE *st;
1281 st = SSL_CTX_get_cert_store(ctx);
1282 add_crls_store(st, crls);
1283 if (crl_download)
1284 store_setup_crl_download(st);
1285 return 1;
1286 }
1287
ssl_load_stores(SSL_CTX * ctx,const char * vfyCApath,const char * vfyCAfile,const char * vfyCAstore,const char * chCApath,const char * chCAfile,const char * chCAstore,STACK_OF (X509_CRL)* crls,int crl_download)1288 int ssl_load_stores(SSL_CTX *ctx,
1289 const char *vfyCApath, const char *vfyCAfile,
1290 const char *vfyCAstore,
1291 const char *chCApath, const char *chCAfile,
1292 const char *chCAstore,
1293 STACK_OF(X509_CRL) *crls, int crl_download)
1294 {
1295 X509_STORE *vfy = NULL, *ch = NULL;
1296 int rv = 0;
1297 if (vfyCApath != NULL || vfyCAfile != NULL || vfyCAstore != NULL) {
1298 vfy = X509_STORE_new();
1299 if (vfy == NULL)
1300 goto err;
1301 if (vfyCAfile != NULL && !X509_STORE_load_file(vfy, vfyCAfile))
1302 goto err;
1303 if (vfyCApath != NULL && !X509_STORE_load_path(vfy, vfyCApath))
1304 goto err;
1305 if (vfyCAstore != NULL && !X509_STORE_load_store(vfy, vfyCAstore))
1306 goto err;
1307 add_crls_store(vfy, crls);
1308 SSL_CTX_set1_verify_cert_store(ctx, vfy);
1309 if (crl_download)
1310 store_setup_crl_download(vfy);
1311 }
1312 if (chCApath != NULL || chCAfile != NULL || chCAstore != NULL) {
1313 ch = X509_STORE_new();
1314 if (ch == NULL)
1315 goto err;
1316 if (chCAfile != NULL && !X509_STORE_load_file(ch, chCAfile))
1317 goto err;
1318 if (chCApath != NULL && !X509_STORE_load_path(ch, chCApath))
1319 goto err;
1320 if (chCAstore != NULL && !X509_STORE_load_store(ch, chCAstore))
1321 goto err;
1322 SSL_CTX_set1_chain_cert_store(ctx, ch);
1323 }
1324 rv = 1;
1325 err:
1326 X509_STORE_free(vfy);
1327 X509_STORE_free(ch);
1328 return rv;
1329 }
1330
1331 /* Verbose print out of security callback */
1332
1333 typedef struct {
1334 BIO *out;
1335 int verbose;
1336 int (*old_cb) (const SSL *s, const SSL_CTX *ctx, int op, int bits, int nid,
1337 void *other, void *ex);
1338 } security_debug_ex;
1339
1340 static STRINT_PAIR callback_types[] = {
1341 {"Supported Ciphersuite", SSL_SECOP_CIPHER_SUPPORTED},
1342 {"Shared Ciphersuite", SSL_SECOP_CIPHER_SHARED},
1343 {"Check Ciphersuite", SSL_SECOP_CIPHER_CHECK},
1344 #ifndef OPENSSL_NO_DH
1345 {"Temp DH key bits", SSL_SECOP_TMP_DH},
1346 #endif
1347 {"Supported Curve", SSL_SECOP_CURVE_SUPPORTED},
1348 {"Shared Curve", SSL_SECOP_CURVE_SHARED},
1349 {"Check Curve", SSL_SECOP_CURVE_CHECK},
1350 {"Supported Signature Algorithm", SSL_SECOP_SIGALG_SUPPORTED},
1351 {"Shared Signature Algorithm", SSL_SECOP_SIGALG_SHARED},
1352 {"Check Signature Algorithm", SSL_SECOP_SIGALG_CHECK},
1353 {"Signature Algorithm mask", SSL_SECOP_SIGALG_MASK},
1354 {"Certificate chain EE key", SSL_SECOP_EE_KEY},
1355 {"Certificate chain CA key", SSL_SECOP_CA_KEY},
1356 {"Peer Chain EE key", SSL_SECOP_PEER_EE_KEY},
1357 {"Peer Chain CA key", SSL_SECOP_PEER_CA_KEY},
1358 {"Certificate chain CA digest", SSL_SECOP_CA_MD},
1359 {"Peer chain CA digest", SSL_SECOP_PEER_CA_MD},
1360 {"SSL compression", SSL_SECOP_COMPRESSION},
1361 {"Session ticket", SSL_SECOP_TICKET},
1362 {NULL}
1363 };
1364
security_callback_debug(const SSL * s,const SSL_CTX * ctx,int op,int bits,int nid,void * other,void * ex)1365 static int security_callback_debug(const SSL *s, const SSL_CTX *ctx,
1366 int op, int bits, int nid,
1367 void *other, void *ex)
1368 {
1369 security_debug_ex *sdb = ex;
1370 int rv, show_bits = 1, cert_md = 0;
1371 const char *nm;
1372 int show_nm;
1373 rv = sdb->old_cb(s, ctx, op, bits, nid, other, ex);
1374 if (rv == 1 && sdb->verbose < 2)
1375 return 1;
1376 BIO_puts(sdb->out, "Security callback: ");
1377
1378 nm = lookup(op, callback_types, NULL);
1379 show_nm = nm != NULL;
1380 switch (op) {
1381 case SSL_SECOP_TICKET:
1382 case SSL_SECOP_COMPRESSION:
1383 show_bits = 0;
1384 show_nm = 0;
1385 break;
1386 case SSL_SECOP_VERSION:
1387 BIO_printf(sdb->out, "Version=%s", lookup(nid, ssl_versions, "???"));
1388 show_bits = 0;
1389 show_nm = 0;
1390 break;
1391 case SSL_SECOP_CA_MD:
1392 case SSL_SECOP_PEER_CA_MD:
1393 cert_md = 1;
1394 break;
1395 case SSL_SECOP_SIGALG_SUPPORTED:
1396 case SSL_SECOP_SIGALG_SHARED:
1397 case SSL_SECOP_SIGALG_CHECK:
1398 case SSL_SECOP_SIGALG_MASK:
1399 show_nm = 0;
1400 break;
1401 }
1402 if (show_nm)
1403 BIO_printf(sdb->out, "%s=", nm);
1404
1405 switch (op & SSL_SECOP_OTHER_TYPE) {
1406
1407 case SSL_SECOP_OTHER_CIPHER:
1408 BIO_puts(sdb->out, SSL_CIPHER_get_name(other));
1409 break;
1410
1411 #ifndef OPENSSL_NO_EC
1412 case SSL_SECOP_OTHER_CURVE:
1413 {
1414 const char *cname;
1415 cname = EC_curve_nid2nist(nid);
1416 if (cname == NULL)
1417 cname = OBJ_nid2sn(nid);
1418 BIO_puts(sdb->out, cname);
1419 }
1420 break;
1421 #endif
1422 case SSL_SECOP_OTHER_CERT:
1423 {
1424 if (cert_md) {
1425 int sig_nid = X509_get_signature_nid(other);
1426 BIO_puts(sdb->out, OBJ_nid2sn(sig_nid));
1427 } else {
1428 EVP_PKEY *pkey = X509_get0_pubkey(other);
1429 const char *algname = "";
1430 EVP_PKEY_asn1_get0_info(NULL, NULL, NULL, NULL,
1431 &algname, EVP_PKEY_get0_asn1(pkey));
1432 BIO_printf(sdb->out, "%s, bits=%d",
1433 algname, EVP_PKEY_get_bits(pkey));
1434 }
1435 break;
1436 }
1437 case SSL_SECOP_OTHER_SIGALG:
1438 {
1439 const unsigned char *salg = other;
1440 const char *sname = NULL;
1441 int raw_sig_code = (salg[0] << 8) + salg[1]; /* always big endian (msb, lsb) */
1442 /* raw_sig_code: signature_scheme from tls1.3, or signature_and_hash from tls1.2 */
1443
1444 if (nm != NULL)
1445 BIO_printf(sdb->out, "%s", nm);
1446 else
1447 BIO_printf(sdb->out, "s_cb.c:security_callback_debug op=0x%x", op);
1448
1449 sname = lookup(raw_sig_code, signature_tls13_scheme_list, NULL);
1450 if (sname != NULL) {
1451 BIO_printf(sdb->out, " scheme=%s", sname);
1452 } else {
1453 int alg_code = salg[1];
1454 int hash_code = salg[0];
1455 const char *alg_str = lookup(alg_code, signature_tls12_alg_list, NULL);
1456 const char *hash_str = lookup(hash_code, signature_tls12_hash_list, NULL);
1457
1458 if (alg_str != NULL && hash_str != NULL)
1459 BIO_printf(sdb->out, " digest=%s, algorithm=%s", hash_str, alg_str);
1460 else
1461 BIO_printf(sdb->out, " scheme=unknown(0x%04x)", raw_sig_code);
1462 }
1463 }
1464
1465 }
1466
1467 if (show_bits)
1468 BIO_printf(sdb->out, ", security bits=%d", bits);
1469 BIO_printf(sdb->out, ": %s\n", rv ? "yes" : "no");
1470 return rv;
1471 }
1472
ssl_ctx_security_debug(SSL_CTX * ctx,int verbose)1473 void ssl_ctx_security_debug(SSL_CTX *ctx, int verbose)
1474 {
1475 static security_debug_ex sdb;
1476
1477 sdb.out = bio_err;
1478 sdb.verbose = verbose;
1479 sdb.old_cb = SSL_CTX_get_security_callback(ctx);
1480 SSL_CTX_set_security_callback(ctx, security_callback_debug);
1481 SSL_CTX_set0_security_ex_data(ctx, &sdb);
1482 }
1483
keylog_callback(const SSL * ssl,const char * line)1484 static void keylog_callback(const SSL *ssl, const char *line)
1485 {
1486 if (bio_keylog == NULL) {
1487 BIO_printf(bio_err, "Keylog callback is invoked without valid file!\n");
1488 return;
1489 }
1490
1491 /*
1492 * There might be concurrent writers to the keylog file, so we must ensure
1493 * that the given line is written at once.
1494 */
1495 BIO_printf(bio_keylog, "%s\n", line);
1496 (void)BIO_flush(bio_keylog);
1497 }
1498
set_keylog_file(SSL_CTX * ctx,const char * keylog_file)1499 int set_keylog_file(SSL_CTX *ctx, const char *keylog_file)
1500 {
1501 /* Close any open files */
1502 BIO_free_all(bio_keylog);
1503 bio_keylog = NULL;
1504
1505 if (ctx == NULL || keylog_file == NULL) {
1506 /* Keylogging is disabled, OK. */
1507 return 0;
1508 }
1509
1510 /*
1511 * Append rather than write in order to allow concurrent modification.
1512 * Furthermore, this preserves existing keylog files which is useful when
1513 * the tool is run multiple times.
1514 */
1515 bio_keylog = BIO_new_file(keylog_file, "a");
1516 if (bio_keylog == NULL) {
1517 BIO_printf(bio_err, "Error writing keylog file %s\n", keylog_file);
1518 return 1;
1519 }
1520
1521 /* Write a header for seekable, empty files (this excludes pipes). */
1522 if (BIO_tell(bio_keylog) == 0) {
1523 BIO_puts(bio_keylog,
1524 "# SSL/TLS secrets log file, generated by OpenSSL\n");
1525 (void)BIO_flush(bio_keylog);
1526 }
1527 SSL_CTX_set_keylog_callback(ctx, keylog_callback);
1528 return 0;
1529 }
1530
print_ca_names(BIO * bio,SSL * s)1531 void print_ca_names(BIO *bio, SSL *s)
1532 {
1533 const char *cs = SSL_is_server(s) ? "server" : "client";
1534 const STACK_OF(X509_NAME) *sk = SSL_get0_peer_CA_list(s);
1535 int i;
1536
1537 if (sk == NULL || sk_X509_NAME_num(sk) == 0) {
1538 if (!SSL_is_server(s))
1539 BIO_printf(bio, "---\nNo %s certificate CA names sent\n", cs);
1540 return;
1541 }
1542
1543 BIO_printf(bio, "---\nAcceptable %s certificate CA names\n", cs);
1544 for (i = 0; i < sk_X509_NAME_num(sk); i++) {
1545 X509_NAME_print_ex(bio, sk_X509_NAME_value(sk, i), 0, get_nameopt());
1546 BIO_write(bio, "\n", 1);
1547 }
1548 }
1549
ssl_print_secure_renegotiation_notes(BIO * bio,SSL * s)1550 void ssl_print_secure_renegotiation_notes(BIO *bio, SSL *s)
1551 {
1552 if (SSL_VERSION_ALLOWS_RENEGOTIATION(s)) {
1553 BIO_printf(bio, "Secure Renegotiation IS%s supported\n",
1554 SSL_get_secure_renegotiation_support(s) ? "" : " NOT");
1555 } else {
1556 BIO_printf(bio, "This TLS version forbids renegotiation.\n");
1557 }
1558 }
1559