Dave Tapuska | b8a824d | 2014-12-10 19:09:52 -0500 | [diff] [blame] | 1 | /* Copyright (c) 2014, Google Inc. |
| 2 | * |
| 3 | * Permission to use, copy, modify, and/or distribute this software for any |
| 4 | * purpose with or without fee is hereby granted, provided that the above |
| 5 | * copyright notice and this permission notice appear in all copies. |
| 6 | * |
| 7 | * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES |
| 8 | * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF |
| 9 | * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY |
| 10 | * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES |
| 11 | * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION |
| 12 | * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN |
| 13 | * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */ |
| 14 | |
| 15 | #include <openssl/base.h> |
| 16 | |
Dave Tapuska | b8a824d | 2014-12-10 19:09:52 -0500 | [diff] [blame] | 17 | #include <string> |
| 18 | #include <vector> |
| 19 | |
| 20 | #include <errno.h> |
Adam Langley | 403c52a | 2016-07-07 14:52:02 -0700 | [diff] [blame] | 21 | #include <limits.h> |
Brian Smith | 054e682 | 2015-03-27 21:12:01 -1000 | [diff] [blame] | 22 | #include <stddef.h> |
David Benjamin | f0df86a | 2015-04-20 11:32:12 -0400 | [diff] [blame] | 23 | #include <stdlib.h> |
Adam Langley | 2b2d66d | 2015-01-30 17:08:37 -0800 | [diff] [blame] | 24 | #include <string.h> |
Dave Tapuska | b8a824d | 2014-12-10 19:09:52 -0500 | [diff] [blame] | 25 | #include <sys/types.h> |
Dave Tapuska | b8a824d | 2014-12-10 19:09:52 -0500 | [diff] [blame] | 26 | |
| 27 | #if !defined(OPENSSL_WINDOWS) |
| 28 | #include <arpa/inet.h> |
| 29 | #include <fcntl.h> |
| 30 | #include <netdb.h> |
| 31 | #include <netinet/in.h> |
| 32 | #include <sys/select.h> |
Brian Smith | 33970e6 | 2015-01-27 22:32:08 -0800 | [diff] [blame] | 33 | #include <sys/socket.h> |
Dave Tapuska | b8a824d | 2014-12-10 19:09:52 -0500 | [diff] [blame] | 34 | #include <unistd.h> |
| 35 | #else |
Brian Smith | 33970e6 | 2015-01-27 22:32:08 -0800 | [diff] [blame] | 36 | #include <io.h> |
David Benjamin | a353cdb | 2016-06-09 16:48:33 -0400 | [diff] [blame] | 37 | OPENSSL_MSVC_PRAGMA(warning(push, 3)) |
Adam Langley | 3e71931 | 2015-03-20 16:32:23 -0700 | [diff] [blame] | 38 | #include <winsock2.h> |
| 39 | #include <ws2tcpip.h> |
David Benjamin | a353cdb | 2016-06-09 16:48:33 -0400 | [diff] [blame] | 40 | OPENSSL_MSVC_PRAGMA(warning(pop)) |
Brian Smith | efed221 | 2015-01-28 16:20:02 -0800 | [diff] [blame] | 41 | |
Brian Smith | 33970e6 | 2015-01-27 22:32:08 -0800 | [diff] [blame] | 42 | typedef int ssize_t; |
David Benjamin | 4fec04b | 2016-10-10 14:56:47 -0400 | [diff] [blame] | 43 | OPENSSL_MSVC_PRAGMA(comment(lib, "Ws2_32.lib")) |
Dave Tapuska | b8a824d | 2014-12-10 19:09:52 -0500 | [diff] [blame] | 44 | #endif |
| 45 | |
| 46 | #include <openssl/err.h> |
| 47 | #include <openssl/ssl.h> |
Gabriel Redner | dcb3383 | 2016-04-06 15:47:28 -0400 | [diff] [blame] | 48 | #include <openssl/x509.h> |
Dave Tapuska | b8a824d | 2014-12-10 19:09:52 -0500 | [diff] [blame] | 49 | |
David Benjamin | 17cf2cb | 2016-12-13 01:07:13 -0500 | [diff] [blame] | 50 | #include "../crypto/internal.h" |
Dave Tapuska | b8a824d | 2014-12-10 19:09:52 -0500 | [diff] [blame] | 51 | #include "internal.h" |
Piotr Sikora | c6d3029 | 2016-03-18 17:28:36 -0700 | [diff] [blame] | 52 | #include "transport_common.h" |
Dave Tapuska | b8a824d | 2014-12-10 19:09:52 -0500 | [diff] [blame] | 53 | |
| 54 | |
Brian Smith | 33970e6 | 2015-01-27 22:32:08 -0800 | [diff] [blame] | 55 | #if !defined(OPENSSL_WINDOWS) |
| 56 | static int closesocket(int sock) { |
| 57 | return close(sock); |
| 58 | } |
| 59 | #endif |
| 60 | |
| 61 | bool InitSocketLibrary() { |
| 62 | #if defined(OPENSSL_WINDOWS) |
| 63 | WSADATA wsaData; |
| 64 | int err = WSAStartup(MAKEWORD(2, 2), &wsaData); |
| 65 | if (err != 0) { |
| 66 | fprintf(stderr, "WSAStartup failed with error %d\n", err); |
| 67 | return false; |
| 68 | } |
| 69 | #endif |
| 70 | return true; |
| 71 | } |
| 72 | |
David Benjamin | ee7aa02 | 2017-07-07 16:47:59 -0400 | [diff] [blame] | 73 | static void SplitHostPort(std::string *out_hostname, std::string *out_port, |
| 74 | const std::string &hostname_and_port) { |
David Benjamin | 72acbec | 2016-06-22 13:01:24 -0400 | [diff] [blame] | 75 | size_t colon_offset = hostname_and_port.find_last_of(':'); |
| 76 | const size_t bracket_offset = hostname_and_port.find_last_of(']'); |
Dave Tapuska | b8a824d | 2014-12-10 19:09:52 -0500 | [diff] [blame] | 77 | std::string hostname, port; |
| 78 | |
David Benjamin | 72acbec | 2016-06-22 13:01:24 -0400 | [diff] [blame] | 79 | // An IPv6 literal may have colons internally, guarded by square brackets. |
| 80 | if (bracket_offset != std::string::npos && |
| 81 | colon_offset != std::string::npos && bracket_offset > colon_offset) { |
| 82 | colon_offset = std::string::npos; |
| 83 | } |
| 84 | |
Dave Tapuska | b8a824d | 2014-12-10 19:09:52 -0500 | [diff] [blame] | 85 | if (colon_offset == std::string::npos) { |
David Benjamin | ee7aa02 | 2017-07-07 16:47:59 -0400 | [diff] [blame] | 86 | *out_hostname = hostname_and_port; |
| 87 | *out_port = "443"; |
Dave Tapuska | b8a824d | 2014-12-10 19:09:52 -0500 | [diff] [blame] | 88 | } else { |
David Benjamin | ee7aa02 | 2017-07-07 16:47:59 -0400 | [diff] [blame] | 89 | *out_hostname = hostname_and_port.substr(0, colon_offset); |
| 90 | *out_port = hostname_and_port.substr(colon_offset + 1); |
Dave Tapuska | b8a824d | 2014-12-10 19:09:52 -0500 | [diff] [blame] | 91 | } |
David Benjamin | ee7aa02 | 2017-07-07 16:47:59 -0400 | [diff] [blame] | 92 | } |
| 93 | |
| 94 | // Connect sets |*out_sock| to be a socket connected to the destination given |
| 95 | // in |hostname_and_port|, which should be of the form "www.example.com:123". |
| 96 | // It returns true on success and false otherwise. |
| 97 | bool Connect(int *out_sock, const std::string &hostname_and_port) { |
| 98 | std::string hostname, port; |
| 99 | SplitHostPort(&hostname, &port, hostname_and_port); |
Dave Tapuska | b8a824d | 2014-12-10 19:09:52 -0500 | [diff] [blame] | 100 | |
David Benjamin | 72acbec | 2016-06-22 13:01:24 -0400 | [diff] [blame] | 101 | // Handle IPv6 literals. |
| 102 | if (hostname.size() >= 2 && hostname[0] == '[' && |
| 103 | hostname[hostname.size() - 1] == ']') { |
| 104 | hostname = hostname.substr(1, hostname.size() - 2); |
| 105 | } |
| 106 | |
Dave Tapuska | b8a824d | 2014-12-10 19:09:52 -0500 | [diff] [blame] | 107 | struct addrinfo hint, *result; |
David Benjamin | 17cf2cb | 2016-12-13 01:07:13 -0500 | [diff] [blame] | 108 | OPENSSL_memset(&hint, 0, sizeof(hint)); |
Dave Tapuska | b8a824d | 2014-12-10 19:09:52 -0500 | [diff] [blame] | 109 | hint.ai_family = AF_UNSPEC; |
| 110 | hint.ai_socktype = SOCK_STREAM; |
| 111 | |
| 112 | int ret = getaddrinfo(hostname.c_str(), port.c_str(), &hint, &result); |
| 113 | if (ret != 0) { |
| 114 | fprintf(stderr, "getaddrinfo returned: %s\n", gai_strerror(ret)); |
| 115 | return false; |
| 116 | } |
| 117 | |
| 118 | bool ok = false; |
| 119 | char buf[256]; |
| 120 | |
| 121 | *out_sock = |
| 122 | socket(result->ai_family, result->ai_socktype, result->ai_protocol); |
| 123 | if (*out_sock < 0) { |
| 124 | perror("socket"); |
| 125 | goto out; |
| 126 | } |
| 127 | |
| 128 | switch (result->ai_family) { |
| 129 | case AF_INET: { |
| 130 | struct sockaddr_in *sin = |
| 131 | reinterpret_cast<struct sockaddr_in *>(result->ai_addr); |
| 132 | fprintf(stderr, "Connecting to %s:%d\n", |
| 133 | inet_ntop(result->ai_family, &sin->sin_addr, buf, sizeof(buf)), |
| 134 | ntohs(sin->sin_port)); |
| 135 | break; |
| 136 | } |
| 137 | case AF_INET6: { |
| 138 | struct sockaddr_in6 *sin6 = |
| 139 | reinterpret_cast<struct sockaddr_in6 *>(result->ai_addr); |
| 140 | fprintf(stderr, "Connecting to [%s]:%d\n", |
| 141 | inet_ntop(result->ai_family, &sin6->sin6_addr, buf, sizeof(buf)), |
| 142 | ntohs(sin6->sin6_port)); |
| 143 | break; |
| 144 | } |
| 145 | } |
| 146 | |
| 147 | if (connect(*out_sock, result->ai_addr, result->ai_addrlen) != 0) { |
| 148 | perror("connect"); |
| 149 | goto out; |
| 150 | } |
| 151 | ok = true; |
| 152 | |
| 153 | out: |
| 154 | freeaddrinfo(result); |
| 155 | return ok; |
| 156 | } |
| 157 | |
David Benjamin | 2b0444e | 2017-06-27 17:29:27 -0400 | [diff] [blame] | 158 | Listener::~Listener() { |
| 159 | if (server_sock_ >= 0) { |
| 160 | closesocket(server_sock_); |
| 161 | } |
| 162 | } |
| 163 | |
| 164 | bool Listener::Init(const std::string &port) { |
| 165 | if (server_sock_ >= 0) { |
| 166 | return false; |
| 167 | } |
| 168 | |
| 169 | struct sockaddr_in6 addr; |
David Benjamin | 17cf2cb | 2016-12-13 01:07:13 -0500 | [diff] [blame] | 170 | OPENSSL_memset(&addr, 0, sizeof(addr)); |
Dave Tapuska | b8a824d | 2014-12-10 19:09:52 -0500 | [diff] [blame] | 171 | |
Matt Braithwaite | 29d8adb | 2015-09-28 19:45:54 -0700 | [diff] [blame] | 172 | addr.sin6_family = AF_INET6; |
Matthew Braithwaite | b348897 | 2016-10-19 15:05:29 -0700 | [diff] [blame] | 173 | addr.sin6_addr = IN6ADDR_ANY_INIT; |
Matt Braithwaite | 29d8adb | 2015-09-28 19:45:54 -0700 | [diff] [blame] | 174 | addr.sin6_port = htons(atoi(port.c_str())); |
Dave Tapuska | b8a824d | 2014-12-10 19:09:52 -0500 | [diff] [blame] | 175 | |
David Benjamin | 6add9f1 | 2017-01-06 16:02:39 -0500 | [diff] [blame] | 176 | #if defined(OPENSSL_WINDOWS) |
| 177 | const BOOL enable = TRUE; |
| 178 | #else |
| 179 | const int enable = 1; |
| 180 | #endif |
Dave Tapuska | b8a824d | 2014-12-10 19:09:52 -0500 | [diff] [blame] | 181 | |
David Benjamin | 2b0444e | 2017-06-27 17:29:27 -0400 | [diff] [blame] | 182 | server_sock_ = socket(addr.sin6_family, SOCK_STREAM, 0); |
| 183 | if (server_sock_ < 0) { |
Dave Tapuska | b8a824d | 2014-12-10 19:09:52 -0500 | [diff] [blame] | 184 | perror("socket"); |
David Benjamin | 2b0444e | 2017-06-27 17:29:27 -0400 | [diff] [blame] | 185 | return false; |
Dave Tapuska | b8a824d | 2014-12-10 19:09:52 -0500 | [diff] [blame] | 186 | } |
| 187 | |
David Benjamin | 2b0444e | 2017-06-27 17:29:27 -0400 | [diff] [blame] | 188 | if (setsockopt(server_sock_, SOL_SOCKET, SO_REUSEADDR, (const char *)&enable, |
Steven Valdez | bf5bda3 | 2016-12-28 10:51:01 -0500 | [diff] [blame] | 189 | sizeof(enable)) < 0) { |
| 190 | perror("setsockopt"); |
David Benjamin | 2b0444e | 2017-06-27 17:29:27 -0400 | [diff] [blame] | 191 | return false; |
Steven Valdez | bf5bda3 | 2016-12-28 10:51:01 -0500 | [diff] [blame] | 192 | } |
| 193 | |
David Benjamin | 2b0444e | 2017-06-27 17:29:27 -0400 | [diff] [blame] | 194 | if (bind(server_sock_, (struct sockaddr *)&addr, sizeof(addr)) != 0) { |
Dave Tapuska | b8a824d | 2014-12-10 19:09:52 -0500 | [diff] [blame] | 195 | perror("connect"); |
David Benjamin | 2b0444e | 2017-06-27 17:29:27 -0400 | [diff] [blame] | 196 | return false; |
Dave Tapuska | b8a824d | 2014-12-10 19:09:52 -0500 | [diff] [blame] | 197 | } |
Dave Tapuska | b8a824d | 2014-12-10 19:09:52 -0500 | [diff] [blame] | 198 | |
David Benjamin | 2b0444e | 2017-06-27 17:29:27 -0400 | [diff] [blame] | 199 | listen(server_sock_, SOMAXCONN); |
| 200 | return true; |
| 201 | } |
Dave Tapuska | b8a824d | 2014-12-10 19:09:52 -0500 | [diff] [blame] | 202 | |
David Benjamin | 2b0444e | 2017-06-27 17:29:27 -0400 | [diff] [blame] | 203 | bool Listener::Accept(int *out_sock) { |
| 204 | struct sockaddr_in6 addr; |
| 205 | socklen_t addr_len = sizeof(addr); |
| 206 | *out_sock = accept(server_sock_, (struct sockaddr *)&addr, &addr_len); |
| 207 | return *out_sock >= 0; |
Dave Tapuska | b8a824d | 2014-12-10 19:09:52 -0500 | [diff] [blame] | 208 | } |
| 209 | |
David Benjamin | 225e5ad | 2016-07-16 14:51:58 +0200 | [diff] [blame] | 210 | bool VersionFromString(uint16_t *out_version, const std::string &version) { |
| 211 | if (version == "ssl3") { |
| 212 | *out_version = SSL3_VERSION; |
| 213 | return true; |
| 214 | } else if (version == "tls1" || version == "tls1.0") { |
| 215 | *out_version = TLS1_VERSION; |
| 216 | return true; |
| 217 | } else if (version == "tls1.1") { |
| 218 | *out_version = TLS1_1_VERSION; |
| 219 | return true; |
| 220 | } else if (version == "tls1.2") { |
| 221 | *out_version = TLS1_2_VERSION; |
| 222 | return true; |
| 223 | } else if (version == "tls1.3") { |
| 224 | *out_version = TLS1_3_VERSION; |
| 225 | return true; |
| 226 | } |
| 227 | return false; |
| 228 | } |
| 229 | |
David Benjamin | 31168c9 | 2016-09-09 16:49:02 -0400 | [diff] [blame] | 230 | static const char *SignatureAlgorithmToString(uint16_t version, uint16_t sigalg) { |
| 231 | const bool is_tls12 = version == TLS1_2_VERSION || version == DTLS1_2_VERSION; |
| 232 | switch (sigalg) { |
| 233 | case SSL_SIGN_RSA_PKCS1_SHA1: |
| 234 | return "rsa_pkcs1_sha1"; |
| 235 | case SSL_SIGN_RSA_PKCS1_SHA256: |
| 236 | return "rsa_pkcs1_sha256"; |
| 237 | case SSL_SIGN_RSA_PKCS1_SHA384: |
| 238 | return "rsa_pkcs1_sha384"; |
| 239 | case SSL_SIGN_RSA_PKCS1_SHA512: |
| 240 | return "rsa_pkcs1_sha512"; |
| 241 | case SSL_SIGN_ECDSA_SHA1: |
| 242 | return "ecdsa_sha1"; |
| 243 | case SSL_SIGN_ECDSA_SECP256R1_SHA256: |
| 244 | return is_tls12 ? "ecdsa_sha256" : "ecdsa_secp256r1_sha256"; |
| 245 | case SSL_SIGN_ECDSA_SECP384R1_SHA384: |
| 246 | return is_tls12 ? "ecdsa_sha384" : "ecdsa_secp384r1_sha384"; |
| 247 | case SSL_SIGN_ECDSA_SECP521R1_SHA512: |
| 248 | return is_tls12 ? "ecdsa_sha512" : "ecdsa_secp521r1_sha512"; |
| 249 | case SSL_SIGN_RSA_PSS_SHA256: |
| 250 | return "rsa_pss_sha256"; |
| 251 | case SSL_SIGN_RSA_PSS_SHA384: |
| 252 | return "rsa_pss_sha384"; |
| 253 | case SSL_SIGN_RSA_PSS_SHA512: |
| 254 | return "rsa_pss_sha512"; |
David Benjamin | 6952211 | 2017-03-28 15:38:29 -0500 | [diff] [blame] | 255 | case SSL_SIGN_ED25519: |
| 256 | return "ed25519"; |
David Benjamin | 31168c9 | 2016-09-09 16:49:02 -0400 | [diff] [blame] | 257 | default: |
| 258 | return "(unknown)"; |
| 259 | } |
| 260 | } |
| 261 | |
Dave Tapuska | b8a824d | 2014-12-10 19:09:52 -0500 | [diff] [blame] | 262 | void PrintConnectionInfo(const SSL *ssl) { |
| 263 | const SSL_CIPHER *cipher = SSL_get_current_cipher(ssl); |
| 264 | |
| 265 | fprintf(stderr, " Version: %s\n", SSL_get_version(ssl)); |
David Benjamin | 621f95a | 2015-08-28 15:08:34 -0400 | [diff] [blame] | 266 | fprintf(stderr, " Resumed session: %s\n", |
| 267 | SSL_session_reused(ssl) ? "yes" : "no"); |
David Benjamin | 6fff386 | 2017-06-21 21:07:04 -0400 | [diff] [blame] | 268 | fprintf(stderr, " Cipher: %s\n", SSL_CIPHER_standard_name(cipher)); |
David Benjamin | 49864a5 | 2016-07-13 15:50:26 -0400 | [diff] [blame] | 269 | uint16_t curve = SSL_get_curve_id(ssl); |
| 270 | if (curve != 0) { |
| 271 | fprintf(stderr, " ECDHE curve: %s\n", SSL_get_curve_name(curve)); |
| 272 | } |
David Benjamin | 31168c9 | 2016-09-09 16:49:02 -0400 | [diff] [blame] | 273 | uint16_t sigalg = SSL_get_peer_signature_algorithm(ssl); |
| 274 | if (sigalg != 0) { |
| 275 | fprintf(stderr, " Signature algorithm: %s\n", |
| 276 | SignatureAlgorithmToString(SSL_version(ssl), sigalg)); |
| 277 | } |
Dave Tapuska | b8a824d | 2014-12-10 19:09:52 -0500 | [diff] [blame] | 278 | fprintf(stderr, " Secure renegotiation: %s\n", |
| 279 | SSL_get_secure_renegotiation_support(ssl) ? "yes" : "no"); |
David Benjamin | 3995a38 | 2016-05-31 16:15:04 -0400 | [diff] [blame] | 280 | fprintf(stderr, " Extended master secret: %s\n", |
| 281 | SSL_get_extms_support(ssl) ? "yes" : "no"); |
David Benjamin | 0570923 | 2015-03-23 19:01:33 -0400 | [diff] [blame] | 282 | |
| 283 | const uint8_t *next_proto; |
| 284 | unsigned next_proto_len; |
| 285 | SSL_get0_next_proto_negotiated(ssl, &next_proto, &next_proto_len); |
| 286 | fprintf(stderr, " Next protocol negotiated: %.*s\n", next_proto_len, |
| 287 | next_proto); |
| 288 | |
| 289 | const uint8_t *alpn; |
| 290 | unsigned alpn_len; |
| 291 | SSL_get0_alpn_selected(ssl, &alpn, &alpn_len); |
| 292 | fprintf(stderr, " ALPN protocol: %.*s\n", alpn_len, alpn); |
Gabriel Redner | dcb3383 | 2016-04-06 15:47:28 -0400 | [diff] [blame] | 293 | |
Alessandro Ghedini | 8d3f130 | 2016-11-14 21:24:18 +0000 | [diff] [blame] | 294 | const char *host_name = SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name); |
| 295 | if (host_name != nullptr && SSL_is_server(ssl)) { |
| 296 | fprintf(stderr, " Client sent SNI: %s\n", host_name); |
| 297 | } |
| 298 | |
Alessandro Ghedini | 1149ee1 | 2016-12-12 14:48:55 +0000 | [diff] [blame] | 299 | if (!SSL_is_server(ssl)) { |
| 300 | const uint8_t *ocsp_staple; |
| 301 | size_t ocsp_staple_len; |
| 302 | SSL_get0_ocsp_response(ssl, &ocsp_staple, &ocsp_staple_len); |
| 303 | fprintf(stderr, " OCSP staple: %s\n", ocsp_staple_len > 0 ? "yes" : "no"); |
Alessandro Ghedini | f6d64ef | 2017-02-16 00:57:35 +0000 | [diff] [blame] | 304 | |
| 305 | const uint8_t *sct_list; |
| 306 | size_t sct_list_len; |
| 307 | SSL_get0_signed_cert_timestamp_list(ssl, &sct_list, &sct_list_len); |
| 308 | fprintf(stderr, " SCT list: %s\n", sct_list_len > 0 ? "yes" : "no"); |
Alessandro Ghedini | 1149ee1 | 2016-12-12 14:48:55 +0000 | [diff] [blame] | 309 | } |
| 310 | |
Alessandro Ghedini | ca307ab | 2017-03-26 12:19:40 -0500 | [diff] [blame] | 311 | fprintf(stderr, " Early data: %s\n", |
| 312 | SSL_early_data_accepted(ssl) ? "yes" : "no"); |
| 313 | |
Gabriel Redner | dcb3383 | 2016-04-06 15:47:28 -0400 | [diff] [blame] | 314 | // Print the server cert subject and issuer names. |
David Benjamin | 0cce863 | 2016-10-20 15:13:26 -0400 | [diff] [blame] | 315 | bssl::UniquePtr<X509> peer(SSL_get_peer_certificate(ssl)); |
| 316 | if (peer != nullptr) { |
Gabriel Redner | dcb3383 | 2016-04-06 15:47:28 -0400 | [diff] [blame] | 317 | fprintf(stderr, " Cert subject: "); |
David Benjamin | 0cce863 | 2016-10-20 15:13:26 -0400 | [diff] [blame] | 318 | X509_NAME_print_ex_fp(stderr, X509_get_subject_name(peer.get()), 0, |
Gabriel Redner | dcb3383 | 2016-04-06 15:47:28 -0400 | [diff] [blame] | 319 | XN_FLAG_ONELINE); |
| 320 | fprintf(stderr, "\n Cert issuer: "); |
David Benjamin | 0cce863 | 2016-10-20 15:13:26 -0400 | [diff] [blame] | 321 | X509_NAME_print_ex_fp(stderr, X509_get_issuer_name(peer.get()), 0, |
Gabriel Redner | dcb3383 | 2016-04-06 15:47:28 -0400 | [diff] [blame] | 322 | XN_FLAG_ONELINE); |
| 323 | fprintf(stderr, "\n"); |
Gabriel Redner | dcb3383 | 2016-04-06 15:47:28 -0400 | [diff] [blame] | 324 | } |
Dave Tapuska | b8a824d | 2014-12-10 19:09:52 -0500 | [diff] [blame] | 325 | } |
| 326 | |
| 327 | bool SocketSetNonBlocking(int sock, bool is_non_blocking) { |
| 328 | bool ok; |
| 329 | |
| 330 | #if defined(OPENSSL_WINDOWS) |
| 331 | u_long arg = is_non_blocking; |
Brian Smith | 33970e6 | 2015-01-27 22:32:08 -0800 | [diff] [blame] | 332 | ok = 0 == ioctlsocket(sock, FIONBIO, &arg); |
Dave Tapuska | b8a824d | 2014-12-10 19:09:52 -0500 | [diff] [blame] | 333 | #else |
| 334 | int flags = fcntl(sock, F_GETFL, 0); |
| 335 | if (flags < 0) { |
| 336 | return false; |
| 337 | } |
| 338 | if (is_non_blocking) { |
| 339 | flags |= O_NONBLOCK; |
| 340 | } else { |
| 341 | flags &= ~O_NONBLOCK; |
| 342 | } |
| 343 | ok = 0 == fcntl(sock, F_SETFL, flags); |
| 344 | #endif |
| 345 | if (!ok) { |
| 346 | fprintf(stderr, "Failed to set socket non-blocking.\n"); |
| 347 | } |
| 348 | return ok; |
| 349 | } |
| 350 | |
Steven Valdez | 56851c8 | 2017-07-24 10:19:57 -0400 | [diff] [blame] | 351 | static bool SocketSelect(int sock, bool stdin_open, bool *socket_ready, |
| 352 | bool *stdin_ready) { |
| 353 | #if !defined(OPENSSL_WINDOWS) |
| 354 | fd_set read_fds; |
| 355 | FD_ZERO(&read_fds); |
| 356 | if (stdin_open) { |
| 357 | FD_SET(0, &read_fds); |
| 358 | } |
| 359 | FD_SET(sock, &read_fds); |
| 360 | if (select(sock + 1, &read_fds, NULL, NULL, NULL) <= 0) { |
| 361 | perror("select"); |
| 362 | return false; |
| 363 | } |
| 364 | |
| 365 | if (FD_ISSET(0, &read_fds)) { |
| 366 | *stdin_ready = true; |
| 367 | } |
| 368 | if (FD_ISSET(sock, &read_fds)) { |
| 369 | *socket_ready = true; |
| 370 | } |
| 371 | |
| 372 | return true; |
| 373 | #else |
| 374 | WSAEVENT socket_handle = WSACreateEvent(); |
| 375 | if (socket_handle == WSA_INVALID_EVENT || |
| 376 | WSAEventSelect(sock, socket_handle, FD_READ) != 0) { |
| 377 | WSACloseEvent(socket_handle); |
| 378 | return false; |
| 379 | } |
| 380 | |
| 381 | HANDLE read_fds[2]; |
| 382 | read_fds[0] = socket_handle; |
| 383 | read_fds[1] = GetStdHandle(STD_INPUT_HANDLE); |
| 384 | |
| 385 | switch ( |
| 386 | WaitForMultipleObjects(stdin_open ? 2 : 1, read_fds, FALSE, INFINITE)) { |
| 387 | case WAIT_OBJECT_0 + 0: |
| 388 | *socket_ready = true; |
| 389 | break; |
| 390 | case WAIT_OBJECT_0 + 1: |
| 391 | *stdin_ready = true; |
| 392 | break; |
| 393 | case WAIT_TIMEOUT: |
| 394 | break; |
| 395 | default: |
| 396 | WSACloseEvent(socket_handle); |
| 397 | return false; |
| 398 | } |
| 399 | |
| 400 | WSACloseEvent(socket_handle); |
| 401 | return true; |
| 402 | #endif |
| 403 | } |
| 404 | |
Dave Tapuska | b8a824d | 2014-12-10 19:09:52 -0500 | [diff] [blame] | 405 | // PrintErrorCallback is a callback function from OpenSSL's |
| 406 | // |ERR_print_errors_cb| that writes errors to a given |FILE*|. |
| 407 | int PrintErrorCallback(const char *str, size_t len, void *ctx) { |
| 408 | fwrite(str, len, 1, reinterpret_cast<FILE*>(ctx)); |
| 409 | return 1; |
| 410 | } |
| 411 | |
| 412 | bool TransferData(SSL *ssl, int sock) { |
Dave Tapuska | b8a824d | 2014-12-10 19:09:52 -0500 | [diff] [blame] | 413 | if (!SocketSetNonBlocking(sock, true)) { |
| 414 | return false; |
| 415 | } |
| 416 | |
Steven Valdez | 56851c8 | 2017-07-24 10:19:57 -0400 | [diff] [blame] | 417 | bool stdin_open = true; |
Dave Tapuska | b8a824d | 2014-12-10 19:09:52 -0500 | [diff] [blame] | 418 | for (;;) { |
Steven Valdez | 56851c8 | 2017-07-24 10:19:57 -0400 | [diff] [blame] | 419 | bool socket_ready = false; |
| 420 | bool stdin_ready = false; |
| 421 | if (!SocketSelect(sock, stdin_open, &socket_ready, &stdin_ready)) { |
Dave Tapuska | b8a824d | 2014-12-10 19:09:52 -0500 | [diff] [blame] | 422 | return false; |
| 423 | } |
| 424 | |
Steven Valdez | 56851c8 | 2017-07-24 10:19:57 -0400 | [diff] [blame] | 425 | if (stdin_ready) { |
Dave Tapuska | b8a824d | 2014-12-10 19:09:52 -0500 | [diff] [blame] | 426 | uint8_t buffer[512]; |
| 427 | ssize_t n; |
| 428 | |
| 429 | do { |
nmittler | f0322b2 | 2016-05-19 08:49:59 -0700 | [diff] [blame] | 430 | n = BORINGSSL_READ(0, buffer, sizeof(buffer)); |
Dave Tapuska | b8a824d | 2014-12-10 19:09:52 -0500 | [diff] [blame] | 431 | } while (n == -1 && errno == EINTR); |
| 432 | |
| 433 | if (n == 0) { |
Dave Tapuska | b8a824d | 2014-12-10 19:09:52 -0500 | [diff] [blame] | 434 | stdin_open = false; |
Brian Smith | 33970e6 | 2015-01-27 22:32:08 -0800 | [diff] [blame] | 435 | #if !defined(OPENSSL_WINDOWS) |
Dave Tapuska | b8a824d | 2014-12-10 19:09:52 -0500 | [diff] [blame] | 436 | shutdown(sock, SHUT_WR); |
Brian Smith | 33970e6 | 2015-01-27 22:32:08 -0800 | [diff] [blame] | 437 | #else |
| 438 | shutdown(sock, SD_SEND); |
| 439 | #endif |
Dave Tapuska | b8a824d | 2014-12-10 19:09:52 -0500 | [diff] [blame] | 440 | continue; |
| 441 | } else if (n < 0) { |
| 442 | perror("read from stdin"); |
| 443 | return false; |
| 444 | } |
| 445 | |
Steven Valdez | 56851c8 | 2017-07-24 10:19:57 -0400 | [diff] [blame] | 446 | // On Windows, SocketSelect ends up setting sock to non-blocking. |
| 447 | #if !defined(OPENSSL_WINDOWS) |
Dave Tapuska | b8a824d | 2014-12-10 19:09:52 -0500 | [diff] [blame] | 448 | if (!SocketSetNonBlocking(sock, false)) { |
| 449 | return false; |
| 450 | } |
Steven Valdez | 56851c8 | 2017-07-24 10:19:57 -0400 | [diff] [blame] | 451 | #endif |
Dave Tapuska | b8a824d | 2014-12-10 19:09:52 -0500 | [diff] [blame] | 452 | int ssl_ret = SSL_write(ssl, buffer, n); |
| 453 | if (!SocketSetNonBlocking(sock, true)) { |
| 454 | return false; |
| 455 | } |
| 456 | |
| 457 | if (ssl_ret <= 0) { |
| 458 | int ssl_err = SSL_get_error(ssl, ssl_ret); |
| 459 | fprintf(stderr, "Error while writing: %d\n", ssl_err); |
| 460 | ERR_print_errors_cb(PrintErrorCallback, stderr); |
| 461 | return false; |
| 462 | } else if (ssl_ret != n) { |
| 463 | fprintf(stderr, "Short write from SSL_write.\n"); |
| 464 | return false; |
| 465 | } |
| 466 | } |
| 467 | |
Steven Valdez | 56851c8 | 2017-07-24 10:19:57 -0400 | [diff] [blame] | 468 | if (socket_ready) { |
Dave Tapuska | b8a824d | 2014-12-10 19:09:52 -0500 | [diff] [blame] | 469 | uint8_t buffer[512]; |
| 470 | int ssl_ret = SSL_read(ssl, buffer, sizeof(buffer)); |
| 471 | |
| 472 | if (ssl_ret < 0) { |
| 473 | int ssl_err = SSL_get_error(ssl, ssl_ret); |
| 474 | if (ssl_err == SSL_ERROR_WANT_READ) { |
| 475 | continue; |
| 476 | } |
| 477 | fprintf(stderr, "Error while reading: %d\n", ssl_err); |
| 478 | ERR_print_errors_cb(PrintErrorCallback, stderr); |
| 479 | return false; |
| 480 | } else if (ssl_ret == 0) { |
| 481 | return true; |
| 482 | } |
| 483 | |
| 484 | ssize_t n; |
| 485 | do { |
nmittler | f0322b2 | 2016-05-19 08:49:59 -0700 | [diff] [blame] | 486 | n = BORINGSSL_WRITE(1, buffer, ssl_ret); |
Dave Tapuska | b8a824d | 2014-12-10 19:09:52 -0500 | [diff] [blame] | 487 | } while (n == -1 && errno == EINTR); |
| 488 | |
| 489 | if (n != ssl_ret) { |
| 490 | fprintf(stderr, "Short write to stderr.\n"); |
| 491 | return false; |
| 492 | } |
| 493 | } |
| 494 | } |
| 495 | } |
Adam Langley | 403c52a | 2016-07-07 14:52:02 -0700 | [diff] [blame] | 496 | |
| 497 | // SocketLineReader wraps a small buffer around a socket for line-orientated |
| 498 | // protocols. |
| 499 | class SocketLineReader { |
| 500 | public: |
| 501 | explicit SocketLineReader(int sock) : sock_(sock) {} |
| 502 | |
| 503 | // Next reads a '\n'- or '\r\n'-terminated line from the socket and, on |
| 504 | // success, sets |*out_line| to it and returns true. Otherwise it returns |
| 505 | // false. |
| 506 | bool Next(std::string *out_line) { |
| 507 | for (;;) { |
| 508 | for (size_t i = 0; i < buf_len_; i++) { |
| 509 | if (buf_[i] != '\n') { |
| 510 | continue; |
| 511 | } |
| 512 | |
| 513 | size_t length = i; |
| 514 | if (i > 0 && buf_[i - 1] == '\r') { |
| 515 | length--; |
| 516 | } |
| 517 | |
| 518 | out_line->assign(buf_, length); |
| 519 | buf_len_ -= i + 1; |
David Benjamin | 17cf2cb | 2016-12-13 01:07:13 -0500 | [diff] [blame] | 520 | OPENSSL_memmove(buf_, &buf_[i + 1], buf_len_); |
Adam Langley | 403c52a | 2016-07-07 14:52:02 -0700 | [diff] [blame] | 521 | |
| 522 | return true; |
| 523 | } |
| 524 | |
| 525 | if (buf_len_ == sizeof(buf_)) { |
| 526 | fprintf(stderr, "Received line too long!\n"); |
| 527 | return false; |
| 528 | } |
| 529 | |
| 530 | ssize_t n; |
| 531 | do { |
| 532 | n = recv(sock_, &buf_[buf_len_], sizeof(buf_) - buf_len_, 0); |
| 533 | } while (n == -1 && errno == EINTR); |
| 534 | |
| 535 | if (n < 0) { |
| 536 | fprintf(stderr, "Read error from socket\n"); |
| 537 | return false; |
| 538 | } |
| 539 | |
| 540 | buf_len_ += n; |
| 541 | } |
| 542 | } |
| 543 | |
| 544 | // ReadSMTPReply reads one or more lines that make up an SMTP reply. On |
| 545 | // success, it sets |*out_code| to the reply's code (e.g. 250) and |
| 546 | // |*out_content| to the body of the reply (e.g. "OK") and returns true. |
| 547 | // Otherwise it returns false. |
| 548 | // |
| 549 | // See https://tools.ietf.org/html/rfc821#page-48 |
| 550 | bool ReadSMTPReply(unsigned *out_code, std::string *out_content) { |
| 551 | out_content->clear(); |
| 552 | |
| 553 | // kMaxLines is the maximum number of lines that we'll accept in an SMTP |
| 554 | // reply. |
| 555 | static const unsigned kMaxLines = 512; |
| 556 | for (unsigned i = 0; i < kMaxLines; i++) { |
| 557 | std::string line; |
| 558 | if (!Next(&line)) { |
| 559 | return false; |
| 560 | } |
| 561 | |
| 562 | if (line.size() < 4) { |
| 563 | fprintf(stderr, "Short line from SMTP server: %s\n", line.c_str()); |
| 564 | return false; |
| 565 | } |
| 566 | |
| 567 | const std::string code_str = line.substr(0, 3); |
| 568 | char *endptr; |
| 569 | const unsigned long code = strtoul(code_str.c_str(), &endptr, 10); |
| 570 | if (*endptr || code > UINT_MAX) { |
| 571 | fprintf(stderr, "Failed to parse code from line: %s\n", line.c_str()); |
| 572 | return false; |
| 573 | } |
| 574 | |
| 575 | if (i == 0) { |
| 576 | *out_code = code; |
| 577 | } else if (code != *out_code) { |
| 578 | fprintf(stderr, |
| 579 | "Reply code varied within a single reply: was %u, now %u\n", |
| 580 | *out_code, static_cast<unsigned>(code)); |
| 581 | return false; |
| 582 | } |
| 583 | |
| 584 | if (line[3] == ' ') { |
| 585 | // End of reply. |
| 586 | *out_content += line.substr(4, std::string::npos); |
| 587 | return true; |
| 588 | } else if (line[3] == '-') { |
| 589 | // Another line of reply will follow this one. |
| 590 | *out_content += line.substr(4, std::string::npos); |
| 591 | out_content->push_back('\n'); |
| 592 | } else { |
| 593 | fprintf(stderr, "Bad character after code in SMTP reply: %s\n", |
| 594 | line.c_str()); |
| 595 | return false; |
| 596 | } |
| 597 | } |
| 598 | |
| 599 | fprintf(stderr, "Rejected SMTP reply of more then %u lines\n", kMaxLines); |
| 600 | return false; |
| 601 | } |
| 602 | |
| 603 | private: |
| 604 | const int sock_; |
| 605 | char buf_[512]; |
| 606 | size_t buf_len_ = 0; |
| 607 | }; |
| 608 | |
| 609 | // SendAll writes |data_len| bytes from |data| to |sock|. It returns true on |
| 610 | // success and false otherwise. |
| 611 | static bool SendAll(int sock, const char *data, size_t data_len) { |
| 612 | size_t done = 0; |
| 613 | |
| 614 | while (done < data_len) { |
| 615 | ssize_t n; |
| 616 | do { |
| 617 | n = send(sock, &data[done], data_len - done, 0); |
| 618 | } while (n == -1 && errno == EINTR); |
| 619 | |
| 620 | if (n < 0) { |
| 621 | fprintf(stderr, "Error while writing to socket\n"); |
| 622 | return false; |
| 623 | } |
| 624 | |
| 625 | done += n; |
| 626 | } |
| 627 | |
| 628 | return true; |
| 629 | } |
| 630 | |
| 631 | bool DoSMTPStartTLS(int sock) { |
| 632 | SocketLineReader line_reader(sock); |
| 633 | |
Adam Langley | 61367ee | 2016-07-11 12:24:55 -0700 | [diff] [blame] | 634 | unsigned code_220 = 0; |
Adam Langley | 403c52a | 2016-07-07 14:52:02 -0700 | [diff] [blame] | 635 | std::string reply_220; |
| 636 | if (!line_reader.ReadSMTPReply(&code_220, &reply_220)) { |
| 637 | return false; |
| 638 | } |
| 639 | |
| 640 | if (code_220 != 220) { |
| 641 | fprintf(stderr, "Expected 220 line from SMTP server but got code %u\n", |
| 642 | code_220); |
| 643 | return false; |
| 644 | } |
| 645 | |
| 646 | static const char kHelloLine[] = "EHLO BoringSSL\r\n"; |
| 647 | if (!SendAll(sock, kHelloLine, sizeof(kHelloLine) - 1)) { |
| 648 | return false; |
| 649 | } |
| 650 | |
Adam Langley | 61367ee | 2016-07-11 12:24:55 -0700 | [diff] [blame] | 651 | unsigned code_250 = 0; |
Adam Langley | 403c52a | 2016-07-07 14:52:02 -0700 | [diff] [blame] | 652 | std::string reply_250; |
| 653 | if (!line_reader.ReadSMTPReply(&code_250, &reply_250)) { |
| 654 | return false; |
| 655 | } |
| 656 | |
| 657 | if (code_250 != 250) { |
| 658 | fprintf(stderr, "Expected 250 line after EHLO but got code %u\n", code_250); |
| 659 | return false; |
| 660 | } |
| 661 | |
| 662 | // https://tools.ietf.org/html/rfc1869#section-4.3 |
Adam Langley | 505cf39 | 2016-08-09 21:16:45 -0700 | [diff] [blame] | 663 | if (("\n" + reply_250 + "\n").find("\nSTARTTLS\n") == std::string::npos) { |
Adam Langley | 403c52a | 2016-07-07 14:52:02 -0700 | [diff] [blame] | 664 | fprintf(stderr, "Server does not support STARTTLS\n"); |
| 665 | return false; |
| 666 | } |
| 667 | |
| 668 | static const char kSTARTTLSLine[] = "STARTTLS\r\n"; |
| 669 | if (!SendAll(sock, kSTARTTLSLine, sizeof(kSTARTTLSLine) - 1)) { |
| 670 | return false; |
| 671 | } |
| 672 | |
| 673 | if (!line_reader.ReadSMTPReply(&code_220, &reply_220)) { |
| 674 | return false; |
| 675 | } |
| 676 | |
| 677 | if (code_220 != 220) { |
| 678 | fprintf( |
| 679 | stderr, |
| 680 | "Expected 220 line from SMTP server after STARTTLS, but got code %u\n", |
| 681 | code_220); |
| 682 | return false; |
| 683 | } |
| 684 | |
| 685 | return true; |
| 686 | } |
David Benjamin | ee7aa02 | 2017-07-07 16:47:59 -0400 | [diff] [blame] | 687 | |
| 688 | bool DoHTTPTunnel(int sock, const std::string &hostname_and_port) { |
| 689 | std::string hostname, port; |
| 690 | SplitHostPort(&hostname, &port, hostname_and_port); |
| 691 | |
| 692 | fprintf(stderr, "Establishing HTTP tunnel to %s:%s.\n", hostname.c_str(), |
| 693 | port.c_str()); |
| 694 | char buf[1024]; |
| 695 | snprintf(buf, sizeof(buf), "CONNECT %s:%s HTTP/1.0\r\n\r\n", hostname.c_str(), |
| 696 | port.c_str()); |
| 697 | if (!SendAll(sock, buf, strlen(buf))) { |
| 698 | return false; |
| 699 | } |
| 700 | |
| 701 | SocketLineReader line_reader(sock); |
| 702 | |
| 703 | // Read until an empty line, signaling the end of the HTTP response. |
| 704 | std::string line; |
| 705 | for (;;) { |
| 706 | if (!line_reader.Next(&line)) { |
| 707 | return false; |
| 708 | } |
| 709 | if (line.empty()) { |
| 710 | return true; |
| 711 | } |
| 712 | fprintf(stderr, "%s\n", line.c_str()); |
| 713 | } |
| 714 | } |