ucspi-ssl 0.13.00
ucspi-ssl
Loading...
Searching...
No Matches
sslclient.c
Go to the documentation of this file.
1
6#include <unistd.h>
7#include <sys/types.h>
8#include <sys/param.h>
9#include <netdb.h>
10#include <arpa/inet.h>
11#include "ucspissl.h"
12#include "sig.h"
13#include "exit.h"
14#include "getoptb.h"
15#include "uint_t.h"
16#include "fmt.h"
17#include "scan.h"
18#include "str.h"
19#include "ip.h"
20#include "socket_if.h"
21#include "fd.h"
22#include "stralloc.h"
23#include "buffer.h"
24#include "getln.h"
25#include "logmsg.h"
26#include "pathexec.h"
27#include "timeoutconn.h"
28#include "remoteinfo.h"
29#include "dnsresolv.h"
30#include "byte.h"
31#include "ndelay.h"
32#include "wait.h"
33#include "auto_cafile.h"
34#include "auto_cadir.h"
35#include "auto_ciphers.h"
36
37#define WHO "sslclient"
38
39void nomem(void) {
40 logmsg(WHO,111,FATAL,"out of memory");
41}
42void env(const char *s,const char *t) {
43 if (!pathexec_env(s,t)) nomem();
44}
45
46void usage(void) {
47 logmsg(WHO,100,USAGE,"sslclient \
48[ -463hHrRdDiqQveEsSnNxX ] \
49[ -i localip ] \
50[ -p localport ] \
51[ -T timeoutconn ] \
52[ -l localname ] \
53[ -t timeoutinfo ] \
54[ -I interface ] \
55[ -a cafile ] \
56[ -A cadir ] \
57[ -c certfile ] \
58[ -z ciphers ] \
59[ -k keyfile ] \
60[ -V verifydepth ] \
61[ -w progtimeout ] \
62host port program");
63}
64
65int verbosity = 1;
66int flagdelay = 0;
67int flagremoteinfo = 0;
68int flagremotehost = 1;
69int flag3 = 0;
70int flagsslenv = 0;
71int flagtcpenv = 0;
72int flagsni = 0;
73unsigned long itimeout = 26;
74unsigned long ctimeout[2] = { 2, 58 };
75unsigned int progtimeout = 3600;
76uint32 netif = 0;
77
78const char *loopback = "127.0.0.1";
79char iplocal[16] = { 0,0,0,0, 0,0,0,0, 0,0,0,0, 0,0,0,0 };
80uint16 portlocal = 0;
81const char *forcelocal = 0;
82
83char ipremote[16];
84uint16 portremote;
85
86const char *hostname;
87int flagname = 1;
88int flagservercert = 1;
89static stralloc addresses;
90static stralloc certname;
91static stralloc moreaddresses;
92
93static stralloc tmp;
94static stralloc fqdn;
95static char strnum[FMT_ULONG];
96static char ipstr[IP6_FMT];
97
98char seed[128];
99
100char bspace[16];
101buffer b;
102
103SSL_CTX *ctx;
104const char *certfile = 0;
105const char *keyfile = 0;
106const char *cafile = auto_cafile;
107const char *cadir = auto_cadir;
108const char *ciphers = auto_ciphers;
109stralloc password = {0};
110int match = 0;
111int verifydepth = 1;
112
113int pi[2];
114int po[2];
115int pt[2];
116
117void read_passwd() {
118 if (!password.len) {
119 buffer_init(&b,buffer_unixread,3,bspace,sizeof(bspace));
120 if (getln(&b,&password,&match,'\0') == -1)
121 logmsg(WHO,111,ERROR,"unable to read password:");
122 close(3);
123 if (match) --password.len;
124 }
125}
126
127int passwd_cb(char *buf,int size,int rwflag,void *userdata) {
128 if (size < password.len)
129 logmsg(WHO,111,ERROR,"password too long");
130
131 byte_copy(buf,password.len,password.s);
132 return password.len;
133}
134
135int main(int argc,char * const *argv) {
136 unsigned long u;
137 int opt;
138 const char *x;
139 int j;
140 int s;
141 int r;
142 int cloop;
143 SSL *ssl;
144 int wstat;
145 int ipflag = 0;
146
147 dns_random_init(seed);
148
149 close(6);
150 close(7);
151 sig_ignore(sig_pipe);
152
153 while ((opt = getoptb(argc,argv,"dDvqQhHrRimM:p:t:T:l:a:A:c:z:k:V:346eEsSnN0xXw:")) != opteof)
154 switch(opt) {
155 case '4': ipflag = 1; break;
156 case '6': ipflag = 0; break;
157 case 'd': flagdelay = 1; break;
158 case 'D': flagdelay = 0; break;
159 case 'm': flagsni = 1; break;
160 case 'M': flagsni = 0; break;
161 case 'v': verbosity = 2; break;
162 case 'q': verbosity = 0; break;
163 case 'Q': verbosity = 1; break;
164 case 'l': forcelocal = optarg; break;
165 case 'H': flagremotehost = 0; break;
166 case 'h': flagremotehost = 1; break;
167 case 'R': flagremoteinfo = 0; break;
168 case 'r': flagremoteinfo = 1; break;
169 case 't': scan_ulong(optarg,&itimeout); break;
170 case 'T': j = scan_ulong(optarg,&ctimeout[0]);
171 if (optarg[j] == '+') ++j;
172 scan_ulong(optarg + j,&ctimeout[1]);
173 break;
174 case 'w': scan_uint(optarg,&progtimeout); break;
175 case 'i': if (!ip6_scan(optarg,iplocal)) usage(); break;
176 case 'I': netif = socket_getifidx(optarg); break;
177 case 'p': scan_ulong(optarg,&u); portlocal = u; break;
178 case 'a': cafile = optarg; break;
179 case 'A': cadir = optarg; break;
180 case 'c': certfile = optarg; break;
181 case 'z': ciphers = optarg; break;
182 case 'k': keyfile = optarg; break;
183 case 'V': scan_ulong(optarg,&u); verifydepth = u; break;
184 case '3': flag3 = 1; break;
185 case 'S': flagsslenv = 0; break;
186 case 's': flagsslenv = 1; break;
187 case 'E': flagtcpenv = 0; break;
188 case 'e': flagtcpenv = 1; break;
189 case 'N': flagname = 0; break;
190 case 'n': flagname = 1; break;
191 case 'x': flagservercert = 1; break;
192 case 'X': flagservercert = 0; break;
193 default: usage();
194 }
195 argv += optind;
196
197 if (!verbosity)
198 buffer_2->fd = -1;
199
200 hostname = *argv;
201 if (!hostname || str_equal((char *)hostname,"")) usage();
202 if (str_equal((char *)hostname,"0")) hostname = loopback;
203
204 x = *++argv;
205 if (!x) usage();
206 if (!x[scan_ulong(x,&u)])
207 portremote = u;
208 else {
209 struct servent *se;
210 se = getservbyname(x,"tcp");
211 if (!se)
212 logmsg(WHO,111,FATAL,B("unable to figure out port number for ",x));
213 uint16_unpack_big((char*)&se->s_port,&portremote);
214 }
215
216 if (flag3) read_passwd();
217
218 if (cafile && str_equal(cafile,"")) cafile = 0;
219 if (cadir && str_equal(cadir,"")) cadir= 0;
220 if (ciphers && str_equal(ciphers,"")) ciphers= 0;
221
222 if (certfile && str_equal(certfile,"")) certfile = 0;
223 if (keyfile && str_equal(keyfile,"")) keyfile = 0;
224
225 if (!*++argv) usage();
226
227 if (!stralloc_copys(&tmp,hostname)) nomem();
228 dns_ip_qualify(&addresses,&fqdn,&tmp);
229 if (addresses.len < 16)
230 logmsg(WHO,111,ERROR,B("No IP address for: ",hostname));
231
232 if (addresses.len == 16) {
233 ctimeout[0] += ctimeout[1];
234 ctimeout[1] = 0;
235 }
236
237 for (cloop = 0; cloop < 2; ++cloop) {
238 if (!stralloc_copys(&moreaddresses,"")) nomem();
239 for (j = 0; j + 16 <= addresses.len; j += 16) {
240 if (ipflag == 1 || ip6_isv4mapped(addresses.s + j)) {
241 s = socket_tcp4();
242 if (s == -1) logmsg(WHO,111,FATAL,"unable to create socket");
243 r = socket_bind4(s,iplocal,portlocal);
244 } else {
245 s = socket_tcp6();
246 if (s == -1) logmsg(WHO,111,FATAL,"unable to create socket");
247 r = socket_bind6(s,iplocal,portlocal,netif);
248 }
249 if (r == -1) {
250 strnum[fmt_ulong(strnum,portlocal)] = 0;
251 if (ip6_isv4mapped(addresses.s + j))
252 ipstr[ip4_fmt(ipstr,addresses.s + j + 12)] = 0;
253 else
254 ipstr[ip6_fmt(ipstr,addresses.s + j)] = 0;
255
256 logmsg(WHO,111,FATAL,B("unable to bind to: ",ipstr," port: ",strnum));
257 }
258 if (timeoutconn(s,addresses.s + j,portremote,ctimeout[cloop],netif) == 0)
259 goto CONNECTED;
260 close(s);
261 if (!cloop && ctimeout[1] && (errno == ETIMEDOUT)) {
262 if (!stralloc_catb(&moreaddresses,addresses.s + j,16)) nomem();
263 }
264 else {
265 strnum[fmt_ulong(strnum,portremote)] = 0;
266 if (ip6_isv4mapped(addresses.s + j))
267 ipstr[ip4_fmt(ipstr,addresses.s + j + 12)] = 0;
268 else
269 ipstr[ip6_fmt(ipstr,addresses.s + j)] = 0;
270 }
271 }
272 if (!stralloc_copy(&addresses,&moreaddresses)) nomem();
273 }
274 logmsg(WHO,110,DROP,B("unable to connect to: ",ipstr," port: ",strnum));
275
276 _exit(111);
277
278
279 CONNECTED:
280
281 /* Local */
282
283 if (socket_local(s,iplocal,&portlocal,&netif) == -1)
284 logmsg(WHO,111,FATAL,"unable to get local address");
285
286 if (ip6_isv4mapped(iplocal)) {
287 env("PROTO","TCP6");
288 ipstr[ip4_fmt(ipstr,iplocal + 12)] = 0;
289 } else {
290 env("PROTO","TCP6");
291 if (flagtcpenv && netif) env("TCP6INTERFACE",socket_getifname(netif));
292 ipstr[ip6_fmt(ipstr,iplocal)] = 0;
293 }
294
295 env("SSLLOCALIP",ipstr);
296 if (flagtcpenv) env("TCPLOCALIP",ipstr);
297
298 strnum[fmt_ulong(strnum,portlocal)] = 0;
299 env("SSLLOCALPORT",strnum);
300 if (flagtcpenv) env("TCPLOCALPORT",strnum);
301
302 x = forcelocal;
303 if (!x)
304 if (dns_name(&tmp,iplocal) >= 0) {
305 if (!stralloc_0(&tmp)) nomem();
306 x = tmp.s;
307 }
308 env("SSLLOCALHOST",x);
309 if (flagtcpenv) env("TCPLOCALHOST",x);
310
311 /* Remote */
312
313 if (socket_remote(s,ipremote,&portremote,&netif) == -1)
314 logmsg(WHO,111,FATAL,"unable to get remote address");
315
316 if (ip6_isv4mapped(ipremote))
317 ipstr[ip4_fmt(ipstr,ipremote + 12)] = 0;
318 else
319 ipstr[ip6_fmt(ipstr,ipremote)] = 0;
320
321 env("SSLREMOTEIP",ipstr);
322 if (flagtcpenv) env("TCPREMOTEIP",ipstr);
323
324 strnum[fmt_ulong(strnum,portremote)] = 0;
325 env("SSLREMOTEPORT",strnum);
326 if (flagtcpenv) env("TCPREMOTEPORT",strnum);
327
328 x = 0;
329 if (flagremotehost)
330 if (dns_name(&tmp,ipremote) >= 0) {
331 if (!stralloc_0(&tmp)) nomem();
332 x = tmp.s;
333 }
334
335 env("SSLREMOTEHOST",x);
336 if (flagtcpenv) env("TCPREMOTEHOST",x);
337
338 x = 0;
339 if (flagremoteinfo)
340 if (remoteinfo(&tmp,ipremote,portremote,iplocal,portlocal,itimeout,netif) == 0) {
341 if (!stralloc_0(&tmp)) nomem();
342 x = tmp.s;
343 }
344 env("SSLREMOTEINFO",x);
345 if (flagtcpenv) env("TCPREMOTEINFO",x);
346
347 /* Context */
348
349 ctx = ssl_client();
350 ssl_errstr();
351 if (!ctx)
352 logmsg(WHO,111,FATAL,"unable to create TLS context");
353
354 switch (ssl_certkey(ctx,certfile,keyfile,passwd_cb)) {
355 case -1: logmsg(WHO,111,ERROR,"unable to load certificate");
356 case -2: logmsg(WHO,111,ERROR,"unable to load key pair");
357 case -3: logmsg(WHO,111,ERROR,"key does not match certificate");
358 default: break;
359 }
360
361 if (flagservercert && !ssl_ca(ctx,cafile,cadir,verifydepth))
362 logmsg(WHO,111,ERROR,"unable to load CA list");
363
364 if (!ssl_ciphers(ctx,ciphers))
365 logmsg(WHO,111,ERROR,"unable to set cipher list");
366
367 ssl = ssl_new(ctx,s);
368 if (!ssl) logmsg(WHO,111,FATAL,"unable to create TLS instance");
369
370 if (flagsni)
371 if (!SSL_set_tlsext_host_name(ssl,hostname))
372 logmsg(WHO,111,FATAL,B("unable to set TLS SNI extensions for hostname: ",(char *)hostname));
373
374 for (cloop = 0; cloop < 2; ++cloop) {
375 if (!ssl_timeoutconn(ssl,ctimeout[cloop])) goto SSLCONNECTED;
376 if (!cloop && ctimeout[1]) continue;
377 logmsg(WHO,111,FATAL,"unable to TLS connect");
378 }
379
380 _exit(111);
381
382 SSLCONNECTED:
383
384 ndelay_off(s);
385
386 if (flagservercert)
387 switch(ssl_verify(ssl,hostname,&certname)) {
388 case -1:
389 logmsg(WHO,110,ERROR,"no server certificate");
390 case -2:
391 logmsg(WHO,110,ERROR,"missing credentials (CA) or unable to validate server certificate");
392 case -3:
393 if (!stralloc_0(&certname)) nomem();
394 if (flagname)
395 logmsg(WHO,110,ERROR,B("server hostname does not match certificate: ",(char *)hostname," <=> ",certname.s));
396 default: break;
397 }
398
399 if (verbosity >= 2)
400 log_who(WHO,B("tls connected to: ",ipstr," port: ",strnum));
401
402 if (!flagdelay)
403 socket_tcpnodelay(s); /* if it fails, bummer */
404
405 if (pipe(pi) == -1) logmsg(WHO,111,FATAL,"unable to create pipe");
406 if (pipe(po) == -1) logmsg(WHO,111,FATAL,"unable to create pipe");
407 if (pi[0] == 7) {
408 if (pipe(pt) == -1) logmsg(WHO,111,FATAL,"unable to create pipe");
409 close(pi[0]); close(pi[1]);
410 pi[0] = pt[0]; pi[1] = pt[1];
411 }
412 if (po[1] == 6) {
413 if (pipe(pt) == -1) logmsg(WHO,111,FATAL,"unable to create pipe");
414 close(po[0]); close(po[1]);
415 po[0] = pt[0]; po[1] = pt[1];
416 }
417
418 switch (opt = fork()) {
419 case -1:
420 logmsg(WHO,111,FATAL,"unable to fork");
421 case 0:
422 break;
423 default:
424 close(pi[0]); close(po[1]);
425 if (ssl_io(ssl,pi[1],po[0],progtimeout)) {
426 logmsg(WHO,110,DROP,"unable to speak TLS");
427 ssl_close(ssl);
428 wait_pid(&wstat,opt);
429 _exit(111);
430 }
431 ssl_close(ssl);
432 if (wait_pid(&wstat,opt) > 0)
433 _exit(wait_exitcode(wstat));
434 _exit(0);
435 }
436 ssl_close(ssl); close(pi[1]); close(po[0]);
437
438 if (flagsslenv && !ssl_client_env(ssl,0)) nomem();
439
440 if (fd_move(6,pi[0]) == -1)
441 logmsg(WHO,111,FATAL,"unable to set up descriptor 6");
442 if (fd_move(7,po[1]) == -1)
443 logmsg(WHO,111,FATAL,"unable to set up descriptor 7");
444 sig_uncatch(sig_pipe);
445
446 pathexec(argv);
447 logmsg(WHO,111,FATAL,B("unable to run: ",*argv));
448 return 0; /* never happens, but avoids compile warning */
449}
auto_ciphers
const char auto_ciphers[]
ssl_new
SSL * ssl_new(SSL_CTX *ctx, int s)
Definition: ssl_new.c:4
main
int main()
Definition: chkshsgr.c:7
ucspissl.h
Header file to be used with sqmail; previously called ssl.h. (name clash)
ssl_client
#define ssl_client()
Definition: ucspissl.h:34
ssl_errstr
#define ssl_errstr()
Definition: ucspissl.h:56
ssl_close
#define ssl_close(ssl)
Definition: ucspissl.h:58
auto_cadir
const char auto_cadir[]
ssl_io
int ssl_io(SSL *ssl, int fdleft, int fdright, unsigned int timeout)
Definition: ssl_io.c:20
ssl_certkey
int ssl_certkey(SSL_CTX *ctx, const char *certfile, const char *keyfile, pem_password_cb *passwd_cb)
Definition: ssl_certkey.c:3
ssl_ca
int ssl_ca(SSL_CTX *ctx, const char *certfile, const char *certdir, int d)
Definition: ssl_ca.c:3
remoteinfo
int remoteinfo(stralloc *out, char ipremote[16], uint16 portremote, char iplocal[16], uint16 portlocal, unsigned int timeout, uint32 netif)
Definition: remoteinfo.c:86
ssl_client_env
int ssl_client_env(SSL *ssl, stralloc *sa)
Definition: ssl_env.c:379
buf
char buf[SSL_NAME_LEN]
Definition: sslhandle.c:126
ssl_ciphers
int ssl_ciphers(SSL_CTX *ctx, const char *ciphers)
Definition: ssl_ciphers.c:3
ssl_verify
int ssl_verify(SSL *ssl, const char *hostname, stralloc *dnsout)
Definition: ssl_verify.c:10
_exit
void _exit()
portremote
uint16 portremote
Definition: sslclient.c:84
password
stralloc password
Definition: sslclient.c:109
certfile
const char * certfile
Definition: sslclient.c:104
verbosity
int verbosity
Definition: sslclient.c:65
portlocal
uint16 portlocal
Definition: sslclient.c:80
ciphers
const char * ciphers
Definition: sslclient.c:108
flag3
int flag3
Definition: sslclient.c:69
iplocal
char iplocal[16]
Definition: sslclient.c:79
flagsni
int flagsni
Definition: sslclient.c:72
ctimeout
unsigned long ctimeout[2]
Definition: sslclient.c:74
pt
int pt[2]
Definition: sslclient.c:115
itimeout
unsigned long itimeout
Definition: sslclient.c:73
cadir
const char * cadir
Definition: sslclient.c:107
flagremotehost
int flagremotehost
Definition: sslclient.c:68
progtimeout
unsigned int progtimeout
Definition: sslclient.c:75
flagremoteinfo
int flagremoteinfo
Definition: sslclient.c:67
forcelocal
const char * forcelocal
Definition: sslclient.c:81
b
buffer b
Definition: sslclient.c:101
cafile
const char * cafile
Definition: sslclient.c:106
ipremote
char ipremote[16]
Definition: sslclient.c:83
nomem
void nomem(void)
Definition: sslclient.c:39
flagservercert
int flagservercert
Definition: sslclient.c:88
env
void env(const char *s, const char *t)
Definition: sslclient.c:42
keyfile
const char * keyfile
Definition: sslclient.c:105
hostname
const char * hostname
Definition: sslclient.c:86
loopback
const char * loopback
Definition: sslclient.c:78
read_passwd
void read_passwd()
Definition: sslclient.c:117
flagdelay
int flagdelay
Definition: sslclient.c:66
passwd_cb
int passwd_cb(char *buf, int size, int rwflag, void *userdata)
Definition: sslclient.c:127
netif
uint32 netif
Definition: sslclient.c:76
match
int match
Definition: sslclient.c:110
pi
int pi[2]
Definition: sslclient.c:113
ctx
SSL_CTX * ctx
Definition: sslclient.c:103
flagtcpenv
int flagtcpenv
Definition: sslclient.c:71
flagname
int flagname
Definition: sslclient.c:87
WHO
#define WHO
Definition: sslclient.c:37
bspace
char bspace[16]
Definition: sslclient.c:100
seed
char seed[128]
Definition: sslclient.c:98
usage
void usage(void)
Definition: sslclient.c:46
verifydepth
int verifydepth
Definition: sslclient.c:111
flagsslenv
int flagsslenv
Definition: sslclient.c:70
po
int po[2]
Definition: sslclient.c:114
ssl_timeoutconn
int ssl_timeoutconn(SSL *ssl, unsigned int timeout)
Definition: ssl_timeout.c:60
auto_cafile
const char auto_cafile[]
Generated on Sat Aug 10 2024 17:47:39 for ucspi-ssl by doxygen 1.9.6