projects / exim.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Testsuite: src/client.c: handle long lines read back from the server
[exim.git] / test / src / client.c
CommitLineData
c55a77db
PH		 1/* A little hacked up program that makes a TCP/IP call and reads a script to
2drive it, for testing Exim server code running as a daemon. It's got a bit
3messy with the addition of support for either OpenSSL or GnuTLS. The code for
2b4a568d
JH		 4those was hacked out of Exim itself, then code for OpenSSL OCSP stapling was
5ripped from the openssl ocsp and s_client utilities. */
c55a77db
PH		 6
7/* ANSI C standard includes */
8
9#include <ctype.h>
10#include <signal.h>
11#include <stdarg.h>
12#include <stddef.h>
13#include <stdio.h>
14#include <stdlib.h>
15#include <string.h>
16#include <time.h>
17
18/* Unix includes */
19
20#include <errno.h>
21#include <dirent.h>
22#include <sys/types.h>
23
24#include <netinet/in_systm.h>
25#include <netinet/in.h>
26#include <netinet/ip.h>
5ddc9771 27#include <netinet/tcp.h>
c55a77db
PH		 28
29#include <netdb.h>
30#include <arpa/inet.h>
31#include <sys/time.h>
32#include <sys/resource.h>
33#include <sys/socket.h>
34#include <sys/stat.h>
35#include <fcntl.h>
36#include <unistd.h>
37#include <utime.h>
38
90788405
JH		 39/* Set to TRUE to enable debug output */
40#define DEBUG if (FALSE)
41
c55a77db
PH		 42#ifdef AF_INET6
43#define HAVE_IPV6 1
44#endif
45
46#ifndef S_ADDR_TYPE
47#define S_ADDR_TYPE u_long
48#endif
49
50typedef unsigned char uschar;
51
52#define CS (char *)
53#define US (unsigned char *)
54
55#define FALSE 0
56#define TRUE 1
57
58
59
60static int sigalrm_seen = 0;
61
62
63/* TLS support can be optionally included, either for OpenSSL or GnuTLS. The
64latter needs a whole pile of tables. */
c55a77db 65#ifdef HAVE_OPENSSL
348051ad
JH		 66# define HAVE_TLS
67# include <openssl/crypto.h>
68# include <openssl/x509.h>
69# include <openssl/pem.h>
70# include <openssl/ssl.h>
71# include <openssl/err.h>
72# include <openssl/rand.h>
839a3b0d
JH		 73
74# if OPENSSL_VERSION_NUMBER < 0x0090806fL && !defined(DISABLE_OCSP) && !defined(OPENSSL_NO_TLSEXT)
eca4debb
TL		 75# warning "OpenSSL library version too old; define DISABLE_OCSP in Makefile"
76# define DISABLE_OCSP
77# endif
6d68e1c7
TL		 78# ifndef DISABLE_OCSP
79# include <openssl/ocsp.h>
80# endif
c55a77db
PH		 81#endif
82
83
84#ifdef HAVE_GNUTLS
348051ad
JH		 85# define HAVE_TLS
86# include <gnutls/gnutls.h>
87# include <gnutls/x509.h>
88# if GNUTLS_VERSION_NUMBER >= 0x030103
89# define HAVE_OCSP
90# include <gnutls/ocsp.h>
5597be31
JH		 91# endif
92# ifndef GNUTLS_NO_EXTENSIONS
93# define GNUTLS_NO_EXTENSIONS 0
348051ad 94# endif
c55a77db 95
348051ad 96# define DH_BITS 768
c55a77db
PH		 97
98/* Local static variables for GNUTLS */
99
fc4fcc34 100static gnutls_dh_params_t dh_params = NULL;
c55a77db
PH		 101
102static gnutls_certificate_credentials_t x509_cred = NULL;
fc4fcc34 103static gnutls_session_t tls_session = NULL;
c55a77db
PH		 104
105static int ssl_session_timeout = 200;
106
107/* Priorities for TLS algorithms to use. */
108
ba86e143 109# if GNUTLS_VERSION_NUMBER < 0x030400
c55a77db
PH		 110static const int protocol_priority[16] = { GNUTLS_TLS1, GNUTLS_SSL3, 0 };
111
112static const int kx_priority[16] = {
113 GNUTLS_KX_RSA,
114 GNUTLS_KX_DHE_DSS,
115 GNUTLS_KX_DHE_RSA,
c55a77db
PH		 116 0 };
117
118static int default_cipher_priority[16] = {
119 GNUTLS_CIPHER_AES_256_CBC,
120 GNUTLS_CIPHER_AES_128_CBC,
121 GNUTLS_CIPHER_3DES_CBC,
122 GNUTLS_CIPHER_ARCFOUR_128,
123 0 };
124
125static const int mac_priority[16] = {
126 GNUTLS_MAC_SHA,
127 GNUTLS_MAC_MD5,
128 0 };
129
130static const int comp_priority[16] = { GNUTLS_COMP_NULL, 0 };
ba86e143 131# endif
c55a77db 132
348051ad 133#endif /*HAVE_GNUTLS*/
c55a77db
PH		 134
135
136
2b4a568d
JH		 137#ifdef HAVE_TLS
138char * ocsp_stapling = NULL;
ba86e143 139char * pri_string = NULL;
2b4a568d
JH		 140#endif
141
c55a77db
PH		 142
143/*************************************************
144* SIGALRM handler - crash out *
145*************************************************/
146
147static void
148sigalrm_handler_crash(int sig)
149{
150sig = sig; /* Keep picky compilers happy */
151printf("\nClient timed out\n");
152exit(99);
153}
154
155
156/*************************************************
157* SIGALRM handler - set flag *
158*************************************************/
159
160static void
161sigalrm_handler_flag(int sig)
162{
163sig = sig; /* Keep picky compilers happy */
164sigalrm_seen = 1;
165}
166
167
168
169/****************************************************************************/
170/****************************************************************************/
171
172#ifdef HAVE_OPENSSL
3b3634d0 173# ifndef DISABLE_OCSP
f5d78688 174
ee5b1e28 175static STACK_OF(X509) *
3b3634d0 176chain_from_pem_file(const uschar * file)
ee5b1e28 177{
3b3634d0
JH		 178BIO * bp;
179X509 * x;
180STACK_OF(X509) * sk;
ee5b1e28 181
3b3634d0
JH		 182if (!(sk = sk_X509_new_null())) return NULL;
183if (!(bp = BIO_new_file(CS file, "r"))) return NULL;
184while ((x = PEM_read_bio_X509(bp, NULL, 0, NULL)))
185 sk_X509_push(sk, x);
186BIO_free(bp);
ee5b1e28
JH		 187return sk;
188}
189
3b3634d0
JH		 190
191
ee5b1e28
JH		 192static void
193cert_stack_free(STACK_OF(X509) * sk)
194{
195while (sk_X509_num(sk) > 0) (void) sk_X509_pop(sk);
196sk_X509_free(sk);
197}
198
199
f5d78688
JH		 200static int
201tls_client_stapling_cb(SSL *s, void *arg)
202{
203const unsigned char *p;
204int len;
205OCSP_RESPONSE *rsp;
206OCSP_BASICRESP *bs;
ee5b1e28 207STACK_OF(X509) * sk;
f5d78688
JH		 208int ret = 1;
209
210len = SSL_get_tlsext_status_ocsp_resp(s, &p);
211/*BIO_printf(arg, "OCSP response: ");*/
212if (!p)
213 {
214 BIO_printf(arg, "no response received\n");
215 return 1;
216 }
217if(!(rsp = d2i_OCSP_RESPONSE(NULL, &p, len)))
218 {
219 BIO_printf(arg, "response parse error\n");
220 BIO_dump_indent(arg, (char *)p, len, 4);
221 return 0;
222 }
223if(!(bs = OCSP_response_get1_basic(rsp)))
224 {
225 BIO_printf(arg, "error parsing response\n");
226 return 0;
227 }
228
ee5b1e28 229
f1a49684 230if (!(sk = chain_from_pem_file((const uschar *)ocsp_stapling)))
f5d78688
JH		 231 {
232 BIO_printf(arg, "error in cert setup\n");
233 return 0;
234 }
235
ee5b1e28
JH		 236/* OCSP_basic_verify takes a "store" arg, but does not
237use it for the chain verification, which is all we do
238when OCSP_NOVERIFY is set. The content from the wire
239(in "bs") and a cert-stack "sk" are all that is used. */
240
241if(OCSP_basic_verify(bs, sk, NULL, OCSP_NOVERIFY) <= 0)
f5d78688
JH		 242 {
243 BIO_printf(arg, "Response Verify Failure\n");
244 ERR_print_errors(arg);
245 ret = 0;
246 }
247else
248 BIO_printf(arg, "Response verify OK\n");
249
ee5b1e28 250cert_stack_free(sk);
f5d78688
JH		 251return ret;
252}
3b3634d0 253# endif /*DISABLE_OCSP*/
f5d78688
JH		 254
255
c55a77db
PH		 256/*************************************************
257* Start an OpenSSL TLS session *
258*************************************************/
259
2b4a568d
JH		 260int
261tls_start(int sock, SSL **ssl, SSL_CTX *ctx)
c55a77db
PH		 262{
263int rc;
57cde6e4 264static const unsigned char *sid_ctx = US"exim";
c55a77db
PH		 265
266RAND_load_file("client.c", -1); /* Not *very* random! */
267
268*ssl = SSL_new (ctx);
57cde6e4 269SSL_set_session_id_context(*ssl, sid_ctx, strlen(CS sid_ctx));
c55a77db
PH		 270SSL_set_fd (*ssl, sock);
271SSL_set_connect_state(*ssl);
272
6d68e1c7 273#ifndef DISABLE_OCSP
f5d78688
JH		 274if (ocsp_stapling)
275 {
276 SSL_CTX_set_tlsext_status_cb(ctx, tls_client_stapling_cb);
277 SSL_CTX_set_tlsext_status_arg(ctx, BIO_new_fp(stdout, BIO_NOCLOSE));
278 SSL_set_tlsext_status_type(*ssl, TLSEXT_STATUSTYPE_ocsp);
279 }
6d68e1c7 280#endif
f5d78688 281
c55a77db
PH		 282signal(SIGALRM, sigalrm_handler_flag);
283sigalrm_seen = 0;
284alarm(5);
285rc = SSL_connect (*ssl);
286alarm(0);
287
288if (sigalrm_seen)
289 {
290 printf("SSL_connect timed out\n");
291 return 0;
292 }
293
294if (rc <= 0)
295 {
296 ERR_print_errors_fp(stdout);
297 return 0;
298 }
299
300printf("SSL connection using %s\n", SSL_get_cipher (*ssl));
301return 1;
302}
303
304
305/*************************************************
306* SSL Information callback *
307*************************************************/
308
309static void
310info_callback(SSL *s, int where, int ret)
311{
312where = where;
313ret = ret;
314printf("SSL info: %s\n", SSL_state_string_long(s));
315}
316#endif
317
318
319/****************************************************************************/
320/****************************************************************************/
321
322
323#ifdef HAVE_GNUTLS
324/*************************************************
325* Handle GnuTLS error *
326*************************************************/
327
328/* Called from lots of places when errors occur before actually starting to do
329the TLS handshake, that is, while the session is still in clear.
330
331Argument:
332 prefix prefix text
333 err a GnuTLS error number, or 0 if local error
334
335Returns: doesn't - it dies
336*/
337
338static void
339gnutls_error(uschar *prefix, int err)
340{
bb727765 341fprintf(stderr, "GnuTLS connection error: %s:", prefix);
c55a77db
PH		 342if (err != 0) fprintf(stderr, " %s", gnutls_strerror(err));
343fprintf(stderr, "\n");
9ff403f8 344exit(98);
c55a77db
PH		 345}
346
347
348
349/*************************************************
bb727765 350* Setup up DH parameters *
c55a77db
PH		 351*************************************************/
352
353/* For the test suite, the parameters should always be available in the spool
354directory. */
355
356static void
bb727765 357init_dh(void)
c55a77db
PH		 358{
359int fd;
360int ret;
fc4fcc34 361gnutls_datum_t m;
c55a77db
PH		 362uschar filename[200];
363struct stat statbuf;
364
365/* Initialize the data structures for holding the parameters */
366
c55a77db
PH		 367ret = gnutls_dh_params_init(&dh_params);
368if (ret < 0) gnutls_error(US"init dh_params", ret);
369
370/* Open the cache file for reading and if successful, read it and set up the
bb727765 371parameters. */
c55a77db
PH		 372
373fd = open("aux-fixed/gnutls-params", O_RDONLY, 0);
374if (fd < 0)
375 {
376 fprintf(stderr, "Failed to open spool/gnutls-params: %s\n", strerror(errno));
9ff403f8 377 exit(97);
c55a77db
PH		 378 }
379
380if (fstat(fd, &statbuf) < 0)
381 {
382 (void)close(fd);
383 return gnutls_error(US"TLS cache stat failed", 0);
384 }
385
386m.size = statbuf.st_size;
387m.data = malloc(m.size);
388if (m.data == NULL)
389 return gnutls_error(US"memory allocation failed", 0);
390if (read(fd, m.data, m.size) != m.size)
391 return gnutls_error(US"TLS cache read failed", 0);
392(void)close(fd);
393
c55a77db
PH		 394ret = gnutls_dh_params_import_pkcs3(dh_params, &m, GNUTLS_X509_FMT_PEM);
395if (ret < 0) return gnutls_error(US"DH params import", ret);
396free(m.data);
397}
398
399
400
401
402/*************************************************
403* Initialize for GnuTLS *
404*************************************************/
405
406/*
407Arguments:
408 certificate certificate file
409 privatekey private key file
410*/
411
412static void
413tls_init(uschar *certificate, uschar *privatekey)
414{
415int rc;
416
417rc = gnutls_global_init();
418if (rc < 0) gnutls_error(US"gnutls_global_init", rc);
419
bb727765 420/* Read D-H parameters from the cache file. */
c55a77db 421
bb727765 422init_dh();
c55a77db
PH		 423
424/* Create the credentials structure */
425
426rc = gnutls_certificate_allocate_credentials(&x509_cred);
427if (rc < 0) gnutls_error(US"certificate_allocate_credentials", rc);
428
429/* Set the certificate and private keys */
430
431if (certificate != NULL)
432 {
433 rc = gnutls_certificate_set_x509_key_file(x509_cred, CS certificate,
434 CS privatekey, GNUTLS_X509_FMT_PEM);
059f2ace 435 if (rc < 0) gnutls_error(US"gnutls_certificate", rc);
c55a77db
PH		 436 }
437
438/* Associate the parameters with the x509 credentials structure. */
439
440gnutls_certificate_set_dh_params(x509_cred, dh_params);
2b4a568d
JH		 441
442/* set the CA info for server-cert verify */
443if (ocsp_stapling)
444 gnutls_certificate_set_x509_trust_file(x509_cred, ocsp_stapling,
445 GNUTLS_X509_FMT_PEM);
c55a77db
PH		 446}
447
448
449
450/*************************************************
451* Initialize a single GNUTLS session *
452*************************************************/
453
fc4fcc34 454static gnutls_session_t
c55a77db
PH		 455tls_session_init(void)
456{
fc4fcc34 457gnutls_session_t session;
c55a77db 458
0886a95e 459gnutls_init(&session, GNUTLS_CLIENT | GNUTLS_NO_EXTENSIONS);
c55a77db 460
ba86e143 461# if GNUTLS_VERSION_NUMBER < 0x030400
c55a77db
PH		 462gnutls_cipher_set_priority(session, default_cipher_priority);
463gnutls_compression_set_priority(session, comp_priority);
464gnutls_kx_set_priority(session, kx_priority);
465gnutls_protocol_set_priority(session, protocol_priority);
466gnutls_mac_set_priority(session, mac_priority);
467
468gnutls_cred_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
ba86e143
JH		 469# else
470if (pri_string)
471 {
472 gnutls_priority_t priority_cache;
473 const char * errpos;
474
475 gnutls_priority_init(&priority_cache, pri_string, &errpos);
476 gnutls_priority_set(session, priority_cache);
477 }
478else
479 gnutls_set_default_priority(session);
fc4fcc34 480gnutls_credentials_set(session, GNUTLS_CRD_CERTIFICATE, x509_cred);
ba86e143 481# endif
c55a77db
PH		 482
483gnutls_dh_set_prime_bits(session, DH_BITS);
484gnutls_db_set_cache_expiration(session, ssl_session_timeout);
485
486return session;
487}
488#endif
489
490
491/****************************************************************************/
5d036699
JH		 492/* Turn "\n" and "\r" into the relevant characters. This is a hack. */
493
494static int
495unescape_buf(unsigned char * buf, int len)
496{
497unsigned char * s;
498unsigned char c, t;
499unsigned shift;
500
501for (s = buf; s < buf+len; s++) if (*s == '\\')
502 {
503 switch (s[1])
504 {
505 default: c = s[1]; shift = 1; break;
506 case 'n': c = '\n'; shift = 1; break;
507 case 'r': c = '\r'; shift = 1; break;
508 case 'x':
509 t = s[2];
510 if (t >= 'A' && t <= 'F') t -= 'A'-'9'-1;
511 else if (t >= 'a' && t <= 'f') t -= 'a'-'9'-1;
512 t -= '0';
513 c = (t<<4) & 0xf0;
514 t = s[3];
515 if (t >= 'A' && t <= 'F') t -= 'A'-'9'-1;
516 else if (t >= 'a' && t <= 'f') t -= 'a'-'9'-1;
517 t -= '0';
518 c |= t & 0xf;
519 shift = 3;
520 break;
521 }
522 *s = c;
523 memmove(s+1, s+shift+1, len-shift);
524 len -= shift;
525 }
526return len;
527}
528
529
c55a77db 530/****************************************************************************/
7bbb3621
JH		 531typedef struct {
532 int sock;
533 int tls_active;
534#ifdef HAVE_OPENSSL
535 SSL_CTX * ctx;
536 SSL * ssl;
537#endif
538 int sent_starttls;
539} srv_ctx;
540
541static void
542do_file(srv_ctx * srv, FILE * f, int timeout,
543 unsigned char * inbuffer, unsigned bsiz, unsigned char * inptr)
544{
b9df1829 545unsigned char outbuffer[1024 * 20];
7bbb3621
JH		 546
547while (fgets(CS outbuffer, sizeof(outbuffer), f) != NULL)
548 {
549 int n = (int)strlen(CS outbuffer);
550 int crlf = 1;
551 int rc;
552
553 /* Strip trailing newline */
554 if (outbuffer[n-1] == '\n') outbuffer[--n] = 0;
555
556 /* Expect incoming */
557
558 if ( strncmp(CS outbuffer, "???", 3) == 0
ce80533b 559 && (outbuffer[3] == ' ' || outbuffer[3] == '*' || outbuffer[3] == '?')
7bbb3621
JH		 560 )
561 {
562 unsigned char *lineptr;
563 unsigned exp_eof = outbuffer[3] == '*';
ce80533b 564 unsigned resp_optional = outbuffer[3] == '?';
7bbb3621
JH		 565
566 printf("%s\n", outbuffer);
567 n = unescape_buf(outbuffer, n);
568
ce80533b 569nextinput:
7bbb3621
JH		 570 if (*inptr == 0) /* Refill input buffer */
571 {
ce80533b 572 alarm(timeout);
5346d9dc
HSHR		 573 unsigned char *inbufferp = inbuffer;
574 for (;;) {
7bbb3621
JH		 575 if (srv->tls_active)
576 {
5dcadbf4
JH		 577#ifdef HAVE_OPENSSL
578 int error;
90788405 579 DEBUG { printf("call SSL_read\n"); fflush(stdout); }
5346d9dc 580 rc = SSL_read(srv->ssl, inbufferp, bsiz - (inbufferp - inbuffer) - 1);
90788405 581 DEBUG { printf("SSL_read: %d\n", rc); fflush(stdout); }
5dcadbf4
JH		 582 if (rc <= 0)
583 switch (error = SSL_get_error(srv->ssl, rc))
584 {
585 case SSL_ERROR_ZERO_RETURN:
586 break;
587 case SSL_ERROR_SYSCALL:
fd3cf789 588 printf("%s\n", ERR_error_string(ERR_get_error(), NULL));
5dcadbf4 589 rc = -1;
fd3cf789 590 break;
5dcadbf4 591 case SSL_ERROR_SSL:
fd3cf789 592 printf("%s\nTLS terminated\n", ERR_error_string(ERR_get_error(), NULL));
5dcadbf4
JH		 593 SSL_shutdown(srv->ssl);
594 SSL_free(srv->ssl);
595 srv->tls_active = FALSE;
fd3cf789
JH		 596 { /* OpenSSL leaves it in restartsys mode */
597 struct sigaction act = {.sa_handler = sigalrm_handler_flag, .sa_flags = 0};
598 sigalrm_seen = 1;
599 sigaction(SIGALRM, &act, NULL);
600 }
601 *inptr = 0;
90788405 602 DEBUG { printf("go round\n"); fflush(stdout); }
5dcadbf4
JH		 603 goto nextinput;
604 default:
605 printf("SSL error code %d\n", error);
606 }
5dcadbf4
JH		 607#endif
608#ifdef HAVE_GNUTLS
5346d9dc 609 rc = gnutls_record_recv(tls_session, CS inbufferp, bsiz - (inbufferp - inbuffer) - 1);
5dcadbf4 610#endif
7bbb3621
JH		 611 }
612 else
90788405
JH		 613 {
614 DEBUG { printf("call read\n"); fflush(stdout); }
5346d9dc 615 rc = read(srv->sock, inbufferp, bsiz - (inbufferp - inbuffer) - 1);
90788405
JH		 616 DEBUG { printf("read: %d\n", rc); fflush(stdout); }
617 }
5346d9dc
HSHR		 618
619 if (rc > 0) inbufferp[rc] = '\0';
620 if (rc <= 0 || strchr(inbufferp, '\n')) break;
621 inbufferp += rc;
622 if (inbufferp >= inbuffer + bsiz) {
623 printf("Input buffer overrun, need more than %d bytes input buffer\n", bsiz);
624 exit(73);
625 }
626 DEBUG { printf("read more\n"); }
627 }
ce80533b 628 alarm(0);
7bbb3621
JH		 629
630 if (rc < 0)
631 {
fd3cf789
JH		 632 if (errno == EINTR && sigalrm_seen && resp_optional)
633 continue; /* next scriptline */
7bbb3621
JH		 634 printf("Read error %s\n", strerror(errno));
635 exit(81);
636 }
637 else if (rc == 0)
638 if (exp_eof)
639 {
640 printf("Expected EOF read\n");
641 continue;
642 }
5dcadbf4
JH		 643 else if (resp_optional)
644 continue; /* next scriptline */
7bbb3621
JH		 645 else
646 {
647 printf("Unexpected EOF read\n");
648 close(srv->sock);
649 exit(80);
650 }
651 else if (exp_eof)
652 {
653 printf("Expected EOF not read\n");
654 close(srv->sock);
655 exit(74);
656 }
657 else
7bbb3621 658 inptr = inbuffer;
7bbb3621 659 }
90788405 660 DEBUG { printf("read: '%s'\n", inptr); fflush(stdout); }
7bbb3621
JH		 661
662 lineptr = inptr;
663 while (*inptr != 0 && *inptr != '\r' && *inptr != '\n') inptr++;
664 if (*inptr != 0)
665 {
666 *inptr++ = 0;
667 if (*inptr == '\n') inptr++;
668 }
669
7bbb3621 670 if (strncmp(CS lineptr, CS outbuffer + 4, n - 4) != 0)
ce80533b
JH		 671 if (resp_optional)
672 {
673 inptr = lineptr; /* consume scriptline, not inputline */
674 continue;
675 }
676 else
677 {
678 printf("<<< %s\n", lineptr);
679 printf("\n******** Input mismatch ********\n");
680 exit(79);
681 }
682
90788405
JH		 683 /* Input matched script. Output the inputline, unless optional */
684 DEBUG { printf("read matched\n"); fflush(stdout); }
685
686 if (!resp_optional)
687 printf("<<< %s\n", lineptr);
688 else
ce80533b 689
90788405
JH		 690 /* If there is further input after this line, consume inputline but not
691 scriptline in case there are several matching. Nonmatches are dealt with
692 above. */
ce80533b 693
90788405
JH		 694 if (*inptr != 0)
695 goto nextinput;
7bbb3621
JH		 696
697 #ifdef HAVE_TLS
698 if (srv->sent_starttls)
699 {
700 if (lineptr[0] == '2')
701 {
7bbb3621
JH		 702 unsigned int verify;
703
704 printf("Attempting to start TLS\n");
705 fflush(stdout);
706
707 #ifdef HAVE_OPENSSL
708 srv->tls_active = tls_start(srv->sock, &srv->ssl, srv->ctx);
709 #endif
710
711 #ifdef HAVE_GNUTLS
712 {
713 int rc;
714 sigalrm_seen = FALSE;
715 alarm(timeout);
716 do {
717 rc = gnutls_handshake(tls_session);
718 } while (rc < 0 && gnutls_error_is_fatal(rc) == 0);
719 srv->tls_active = rc >= 0;
720 alarm(0);
721
722 if (!srv->tls_active) printf("%s\n", gnutls_strerror(rc));
723 }
724 #endif
725
726 if (!srv->tls_active)
727 {
728 printf("Failed to start TLS\n");
729 fflush(stdout);
730 }
731 #ifdef HAVE_GNUTLS
732 else if (ocsp_stapling)
733 {
734 if ((rc= gnutls_certificate_verify_peers2(tls_session, &verify)) < 0)
735 {
736 printf("Failed to verify certificate: %s\n", gnutls_strerror(rc));
737 fflush(stdout);
738 }
739 else if (verify & (GNUTLS_CERT_INVALID|GNUTLS_CERT_REVOKED))
740 {
741 printf("Bad certificate\n");
742 fflush(stdout);
743 }
744 #ifdef HAVE_OCSP
745 else if (gnutls_ocsp_status_request_is_checked(tls_session, 0) == 0)
746 {
747 printf("Failed to verify certificate status\n");
748 {
749 gnutls_datum_t stapling;
750 gnutls_ocsp_resp_t resp;
751 gnutls_datum_t printed;
752 if ( (rc= gnutls_ocsp_status_request_get(tls_session, &stapling)) == 0
753 && (rc= gnutls_ocsp_resp_init(&resp)) == 0
754 && (rc= gnutls_ocsp_resp_import(resp, &stapling)) == 0
755 && (rc= gnutls_ocsp_resp_print(resp, GNUTLS_OCSP_PRINT_FULL, &printed)) == 0
756 )
757 {
758 fprintf(stderr, "%.4096s", printed.data);
759 gnutls_free(printed.data);
760 }
761 else
762 (void) fprintf(stderr,"ocsp decode: %s", gnutls_strerror(rc));
763 }
764 fflush(stdout);
765 }
766 #endif
767 }
768 #endif
769 else
770 printf("Succeeded in starting TLS\n");
771 }
772 else printf("Abandoning TLS start attempt\n");
773 }
774 srv->sent_starttls = 0;
775 #endif
776 }
777
778 /* Wait for a bit before proceeding */
779
780 else if (strncmp(CS outbuffer, "+++ ", 4) == 0)
781 {
782 printf("%s\n", outbuffer);
783 sleep(atoi(CS outbuffer + 4));
784 }
785
786 /* Stack new input file */
787
788 else if (strncmp(CS outbuffer, "<<< ", 4) == 0)
789 {
790 FILE * new_f;
f1a49684 791 if (!(new_f = fopen((const char *)outbuffer+4 , "r")))
7bbb3621 792 {
768e8b5b 793 printf("Unable to open '%s': %s", inptr, strerror(errno));
7bbb3621
JH		 794 exit(74);
795 }
796 do_file(srv, new_f, timeout, inbuffer, bsiz, inptr);
797 }
798
799
800 /* Send line outgoing, but barf if unconsumed incoming */
801
802 else
803 {
804 unsigned char * out = outbuffer;
805
806 if (strncmp(CS outbuffer, ">>> ", 4) == 0)
807 {
808 crlf = 0;
809 out += 4;
810 n -= 4;
811 }
812
813 if (*inptr != 0)
814 {
815 printf("Unconsumed input: %s", inptr);
816 printf(" About to send: %s\n", out);
817 exit(78);
818 }
819
820 #ifdef HAVE_TLS
821
822 /* Shutdown TLS */
823
824 if (strcmp(CS out, "stoptls") == 0 ||
825 strcmp(CS out, "STOPTLS") == 0)
826 {
827 if (!srv->tls_active)
828 {
829 printf("STOPTLS read when TLS not active\n");
830 exit(77);
831 }
832 printf("Shutting down TLS encryption\n");
833
834 #ifdef HAVE_OPENSSL
835 SSL_shutdown(srv->ssl);
836 SSL_free(srv->ssl);
837 #endif
838
839 #ifdef HAVE_GNUTLS
840 gnutls_bye(tls_session, GNUTLS_SHUT_WR);
841 gnutls_deinit(tls_session);
842 tls_session = NULL;
843 gnutls_global_deinit();
844 #endif
845
846 srv->tls_active = 0;
847 continue;
848 }
849
850 /* Remember that we sent STARTTLS */
851
852 srv->sent_starttls = (strcmp(CS out, "starttls") == 0 ||
853 strcmp(CS out, "STARTTLS") == 0);
854
855 /* Fudge: if the command is "starttls_wait", we send the starttls bit,
856 but we haven't set the flag, so that there is no negotiation. This is for
857 testing the server's timeout. */
858
859 if (strcmp(CS out, "starttls_wait") == 0)
860 {
861 out[8] = 0;
862 n = 8;
863 }
864 #endif
865
866 printf(">>> %s\n", out);
867 if (crlf)
868 {
869 strcpy(CS out + n, "\r\n");
870 n += 2;
871 }
872
873 n = unescape_buf(out, n);
874
875 /* OK, do it */
876
877 alarm(timeout);
878 if (srv->tls_active)
879 {
880 #ifdef HAVE_OPENSSL
881 rc = SSL_write (srv->ssl, out, n);
882 #endif
883 #ifdef HAVE_GNUTLS
884 if ((rc = gnutls_record_send(tls_session, CS out, n)) < 0)
885 {
886 printf("GnuTLS write error: %s\n", gnutls_strerror(rc));
887 exit(76);
888 }
889 #endif
890 }
891 else
892 rc = write(srv->sock, out, n);
893 alarm(0);
894
895 if (rc < 0)
896 {
897 printf("Write error: %s\n", strerror(errno));
898 exit(75);
899 }
900 }
901 }
902}
c55a77db
PH		 903
904
905
906
907/*************************************************
908* Main Program *
909*************************************************/
910
4fe99a6c 911const char * const HELP_MESSAGE = "\n\
972e83f5
HSHR		 912Usage: client\n"
913#ifdef HAVE_TLS
914"\
915 [-tls-on-connect]\n\
916 [-ocsp]\n"
ba86e143
JH		 917# ifdef HAVE_GNUTLS
918"\
919 [-p priority-string]\n"
920# endif
972e83f5
HSHR		 921#endif
922"\
923 [-tn] n seconds timeout\n\
4fe99a6c
PP		 924 <IP address>\n\
925 <port>\n\
926 [<outgoing interface>]\n\
927 [<cert file>]\n\
928 [<key file>]\n\
929\n";
c55a77db 930
5d036699
JH		 931int
932main(int argc, char **argv)
c55a77db
PH		 933{
934struct sockaddr *s_ptr;
935struct sockaddr_in s_in4;
936char *interface = NULL;
937char *address = NULL;
938char *certfile = NULL;
939char *keyfile = NULL;
1ec3f27d 940char *end = NULL;
c55a77db 941int argi = 1;
7bbb3621 942int host_af, port, s_len, rc, save_errno;
d528a389 943int timeout = 5;
c55a77db 944int tls_on_connect = 0;
1ec3f27d 945long tmplong;
c55a77db
PH		 946
947#if HAVE_IPV6
948struct sockaddr_in6 s_in6;
949#endif
950
7bbb3621 951srv_ctx srv;
c55a77db 952
5346d9dc 953unsigned char inbuffer[100 * 1024];
c55a77db
PH		 954unsigned char *inptr = inbuffer;
955
956*inptr = 0; /* Buffer empty */
7bbb3621
JH		 957srv.tls_active = 0;
958srv.sent_starttls = 0;
c55a77db
PH		 959
960/* Options */
961
962while (argc >= argi + 1 && argv[argi][0] == '-')
963 {
4fe99a6c
PP		 964 if (strcmp(argv[argi], "-help") == 0 ||
965 strcmp(argv[argi], "--help") == 0 ||
966 strcmp(argv[argi], "-h") == 0)
967 {
dd4c8678 968 puts(HELP_MESSAGE);
4fe99a6c
PP		 969 exit(0);
970 }
c55a77db
PH		 971 if (strcmp(argv[argi], "-tls-on-connect") == 0)
972 {
973 tls_on_connect = 1;
974 argi++;
975 }
2b4a568d 976#ifdef HAVE_TLS
f5d78688
JH		 977 else if (strcmp(argv[argi], "-ocsp") == 0)
978 {
979 if (argc < ++argi + 1)
980 {
981 fprintf(stderr, "Missing required certificate file for ocsp option\n");
9ff403f8 982 exit(96);
f5d78688
JH		 983 }
984 ocsp_stapling = argv[argi++];
985 }
ba86e143
JH		 986# ifdef HAVE_GNUTLS
987 else if (strcmp(argv[argi], "-p") == 0)
988 {
989 if (argc < ++argi + 1)
990 {
991 fprintf(stderr, "Missing priority string\n");
992 exit(96);
993 }
994 pri_string = argv[argi++];
995 }
996#endif
2b4a568d 997
f5d78688 998#endif
c55a77db
PH		 999 else if (argv[argi][1] == 't' && isdigit(argv[argi][2]))
1000 {
1ec3f27d
PP		 1001 tmplong = strtol(argv[argi]+2, &end, 10);
1002 if (end == argv[argi]+2 || *end)
1003 {
1004 fprintf(stderr, "Failed to parse seconds from option <%s>\n",
1005 argv[argi]);
9ff403f8 1006 exit(95);
1ec3f27d
PP		 1007 }
1008 if (tmplong > 10000L)
1009 {
dd4c8678 1010 fprintf(stderr, "Unreasonably long wait of %ld seconds requested\n",
1ec3f27d 1011 tmplong);
9ff403f8 1012 exit(94);
1ec3f27d
PP		 1013 }
1014 if (tmplong < 0L)
1015 {
dd4c8678 1016 fprintf(stderr, "Timeout must not be negative (%ld)\n", tmplong);
9ff403f8 1017 exit(93);
1ec3f27d
PP		 1018 }
1019 timeout = (int) tmplong;
c55a77db
PH		 1020 argi++;
1021 }
1022 else
1023 {
1ec3f27d 1024 fprintf(stderr, "Unrecognized option %s\n", argv[argi]);
9ff403f8 1025 exit(92);
c55a77db
PH		 1026 }
1027 }
1028
1029/* Mandatory 1st arg is IP address */
1030
1031if (argc < argi+1)
1032 {
1ec3f27d 1033 fprintf(stderr, "No IP address given\n");
9ff403f8 1034 exit(91);
c55a77db
PH		 1035 }
1036
1037address = argv[argi++];
1038host_af = (strchr(address, ':') != NULL)? AF_INET6 : AF_INET;
1039
1040/* Mandatory 2nd arg is port */
1041
1042if (argc < argi+1)
1043 {
1ec3f27d 1044 fprintf(stderr, "No port number given\n");
9ff403f8 1045 exit(90);
c55a77db
PH		 1046 }
1047
1048port = atoi(argv[argi++]);
1049
1050/* Optional next arg is interface */
1051
1052if (argc > argi &&
1053 (isdigit((unsigned char)argv[argi][0]) || argv[argi][0] == ':'))
1054 interface = argv[argi++];
1055
1056/* Any more arguments are the name of a certificate file and key file */
1057
1058if (argc > argi) certfile = argv[argi++];
1059if (argc > argi) keyfile = argv[argi++];
1060
1061
1062#if HAVE_IPV6
1063/* For an IPv6 address, use an IPv6 sockaddr structure. */
1064
1065if (host_af == AF_INET6)
1066 {
1067 s_ptr = (struct sockaddr *)&s_in6;
1068 s_len = sizeof(s_in6);
1069 }
1070else
1071#endif
1072
1073/* For an IPv4 address, use an IPv4 sockaddr structure,
1074even on an IPv6 system. */
1075
1076 {
1077 s_ptr = (struct sockaddr *)&s_in4;
1078 s_len = sizeof(s_in4);
1079 }
1080
1081printf("Connecting to %s port %d ... ", address, port);
1082
7bbb3621
JH		 1083srv.sock = socket(host_af, SOCK_STREAM, 0);
1084if (srv.sock < 0)
c55a77db
PH		 1085 {
1086 printf("socket creation failed: %s\n", strerror(errno));
9ff403f8 1087 exit(89);
c55a77db
PH		 1088 }
1089
1090/* Bind to a specific interface if requested. On an IPv6 system, this has
1091to be of the same family as the address we are calling. On an IPv4 system the
1092test is redundant, but it keeps the code tidier. */
1093
1094if (interface != NULL)
1095 {
1096 int interface_af = (strchr(interface, ':') != NULL)? AF_INET6 : AF_INET;
1097
1098 if (interface_af == host_af)
1099 {
1100 #if HAVE_IPV6
1101
1102 /* Set up for IPv6 binding */
1103
1104 if (host_af == AF_INET6)
1105 {
1106 memset(&s_in6, 0, sizeof(s_in6));
1107 s_in6.sin6_family = AF_INET6;
1108 s_in6.sin6_port = 0;
1109 if (inet_pton(AF_INET6, interface, &s_in6.sin6_addr) != 1)
1110 {
1111 printf("Unable to parse \"%s\"", interface);
9ff403f8 1112 exit(88);
c55a77db
PH		 1113 }
1114 }
1115 else
1116 #endif
1117
1118 /* Set up for IPv4 binding */
1119
1120 {
1121 memset(&s_in4, 0, sizeof(s_in4));
1122 s_in4.sin_family = AF_INET;
1123 s_in4.sin_port = 0;
1124 s_in4.sin_addr.s_addr = (S_ADDR_TYPE)inet_addr(interface);
1125 }
1126
1127 /* Bind */
1128
7bbb3621 1129 if (bind(srv.sock, s_ptr, s_len) < 0)
c55a77db
PH		 1130 {
1131 printf("Unable to bind outgoing SMTP call to %s: %s",
1132 interface, strerror(errno));
9ff403f8 1133 exit(87);
c55a77db
PH		 1134 }
1135 }
1136 }
1137
1138/* Set up a remote IPv6 address */
1139
1140#if HAVE_IPV6
1141if (host_af == AF_INET6)
1142 {
1143 memset(&s_in6, 0, sizeof(s_in6));
1144 s_in6.sin6_family = AF_INET6;
1145 s_in6.sin6_port = htons(port);
1146 if (inet_pton(host_af, address, &s_in6.sin6_addr) != 1)
1147 {
1148 printf("Unable to parse \"%s\"", address);
9ff403f8 1149 exit(86);
c55a77db
PH		 1150 }
1151 }
1152else
1153#endif
1154
1155/* Set up a remote IPv4 address */
1156
1157 {
1158 memset(&s_in4, 0, sizeof(s_in4));
1159 s_in4.sin_family = AF_INET;
1160 s_in4.sin_port = htons(port);
1161 s_in4.sin_addr.s_addr = (S_ADDR_TYPE)inet_addr(address);
1162 }
1163
1164/* SIGALRM handler crashes out */
1165
1166signal(SIGALRM, sigalrm_handler_crash);
1167alarm(timeout);
7bbb3621 1168rc = connect(srv.sock, s_ptr, s_len);
c55a77db
PH		 1169save_errno = errno;
1170alarm(0);
1171
1172/* A failure whose error code is "Interrupted system call" is in fact
1173an externally applied timeout if the signal handler has been run. */
1174
1175if (rc < 0)
1176 {
7bbb3621 1177 close(srv.sock);
41fdef91 1178 printf("connect failed: %s\n", strerror(save_errno));
9ff403f8 1179 exit(85);
c55a77db
PH		 1180 }
1181
1182printf("connected\n");
1183
1184
1185/* --------------- Set up for OpenSSL --------------- */
1186
1187#ifdef HAVE_OPENSSL
1188SSL_library_init();
1189SSL_load_error_strings();
1190
7bbb3621 1191if (!(srv.ctx = SSL_CTX_new(SSLv23_method())))
c55a77db
PH		 1192 {
1193 printf ("SSL_CTX_new failed\n");
9ff403f8 1194 exit(84);
c55a77db
PH		 1195 }
1196
7bbb3621 1197if (certfile)
c55a77db 1198 {
7bbb3621 1199 if (!SSL_CTX_use_certificate_file(srv.ctx, certfile, SSL_FILETYPE_PEM))
c55a77db
PH		 1200 {
1201 printf("SSL_CTX_use_certificate_file failed\n");
9ff403f8 1202 exit(83);
c55a77db
PH		 1203 }
1204 printf("Certificate file = %s\n", certfile);
1205 }
1206
7bbb3621 1207if (keyfile)
c55a77db 1208 {
7bbb3621 1209 if (!SSL_CTX_use_PrivateKey_file(srv.ctx, keyfile, SSL_FILETYPE_PEM))
c55a77db
PH		 1210 {
1211 printf("SSL_CTX_use_PrivateKey_file failed\n");
9ff403f8 1212 exit(82);
c55a77db
PH		 1213 }
1214 printf("Key file = %s\n", keyfile);
1215 }
1216
7bbb3621
JH		 1217SSL_CTX_set_session_cache_mode(srv.ctx, SSL_SESS_CACHE_BOTH);
1218SSL_CTX_set_timeout(srv.ctx, 200);
1219SSL_CTX_set_info_callback(srv.ctx, (void (*)())info_callback);
c55a77db
PH		 1220#endif
1221
1222
1223/* --------------- Set up for GnuTLS --------------- */
1224
1225#ifdef HAVE_GNUTLS
1226if (certfile != NULL) printf("Certificate file = %s\n", certfile);
1227if (keyfile != NULL) printf("Key file = %s\n", keyfile);
059f2ace 1228tls_init(US certfile, US keyfile);
c55a77db 1229tls_session = tls_session_init();
348051ad 1230#ifdef HAVE_OCSP
2b4a568d
JH		 1231if (ocsp_stapling)
1232 gnutls_ocsp_status_request_enable_client(tls_session, NULL, 0, NULL);
348051ad 1233#endif
7bbb3621 1234gnutls_transport_set_ptr(tls_session, (gnutls_transport_ptr_t)(intptr_t)srv.sock);
c55a77db
PH		 1235
1236/* When the server asks for a certificate and the client does not have one,
1237there is a SIGPIPE error in the gnutls_handshake() function for some reason
1238that is not understood. As luck would have it, this has never hit Exim itself
1239because it ignores SIGPIPE errors. Doing the same here allows it all to work as
1240one wants. */
1241
1242signal(SIGPIPE, SIG_IGN);
1243#endif
1244
1245/* ---------------------------------------------- */
1246
1247
1248/* Start TLS session if configured to do so without STARTTLS */
1249
1250#ifdef HAVE_TLS
1251if (tls_on_connect)
1252 {
1253 printf("Attempting to start TLS\n");
1254
fc4fcc34 1255#ifdef HAVE_OPENSSL
7bbb3621 1256 srv.tls_active = tls_start(srv.sock, &srv.ssl, srv.ctx);
fc4fcc34 1257#endif
c55a77db 1258
fc4fcc34
JH		 1259#ifdef HAVE_GNUTLS
1260 {
1261 int rc;
c55a77db
PH		 1262 sigalrm_seen = FALSE;
1263 alarm(timeout);
fc4fcc34
JH		 1264 do {
1265 rc = gnutls_handshake(tls_session);
1266 } while (rc < 0 && gnutls_error_is_fatal(rc) == 0);
7bbb3621 1267 srv.tls_active = rc >= 0;
c55a77db 1268 alarm(0);
fc4fcc34 1269
7bbb3621 1270 if (!srv.tls_active) printf("%s\n", gnutls_strerror(rc));
fc4fcc34
JH		 1271 }
1272#endif
c55a77db 1273
7bbb3621 1274 if (!srv.tls_active)
c55a77db 1275 printf("Failed to start TLS\n");
fc4fcc34 1276#if defined(HAVE_GNUTLS) && defined(HAVE_OCSP)
2b4a568d
JH		 1277 else if ( ocsp_stapling
1278 && gnutls_ocsp_status_request_is_checked(tls_session, 0) == 0)
1279 printf("Failed to verify certificate status\n");
fc4fcc34 1280#endif
c55a77db
PH		 1281 else
1282 printf("Succeeded in starting TLS\n");
1283 }
1284#endif
1285
7bbb3621 1286do_file(&srv, stdin, timeout, inbuffer, sizeof(inbuffer), inptr);
c55a77db
PH		 1287
1288printf("End of script\n");
7bbb3621 1289shutdown(srv.sock, SHUT_WR);
ce80533b
JH		 1290if (fcntl(srv.sock, F_SETFL, O_NONBLOCK) == 0)
1291 while (read(srv.sock, inbuffer, sizeof(inbuffer)) > 0) ;
7bbb3621 1292close(srv.sock);
c55a77db
PH		 1293
1294exit(0);
1295}
1296
1297/* End of client.c */
Unnamed repository; edit this file 'description' to name the repository.