2 * Copyright (c) 2017 Thomas Pornin <pornin@bolet.org>
4 * Permission is hereby granted, free of charge, to any person obtaining
5 * a copy of this software and associated documentation files (the
6 * "Software"), to deal in the Software without restriction, including
7 * without limitation the rights to use, copy, modify, merge, publish,
8 * distribute, sublicense, and/or sell copies of the Software, and to
9 * permit persons to whom the Software is furnished to do so, subject to
10 * the following conditions:
12 * The above copyright notice and this permission notice shall be
13 * included in all copies or substantial portions of the Software.
15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
35 #include <sys/types.h>
41 static int verbose = 0;
47 "usage: brssl twrch [ options ]\n");
51 " -trace dump all packets on stderr\n");
53 " -v verbose error messages on stderr\n");
55 " -server act as an SSL server\n");
57 " -client act as an SSL client\n");
59 " -sni name use specified name for SNI\n");
61 " -mono use monodirectional buffering\n");
63 " -buf length set the I/O buffer length (in bytes)\n");
65 " -cache length set the session cache storage length (in bytes)\n");
67 " -cert fname read certificate chain from file 'fname'\n");
69 " -key fname read private key from file 'fname'\n");
71 " -CA file add trust anchors from 'file' (for peer auth)\n");
73 " -anon_ok request but do not require a client certificate\n");
75 " -nostaticecdh prohibit full-static ECDH (client only)\n");
77 " -list list supported names (protocols, algorithms...)\n");
79 " -vmin name set minimum supported version (default: TLS-1.0)\n");
81 " -vmax name set maximum supported version (default: TLS-1.2)\n");
83 " -cs names set list of supported cipher suites (comma-separated)\n");
85 " -hf names add support for some hash functions (comma-separated)\n");
87 " -minhello len set minimum ClientHello length (in bytes)\n");
89 " -serverpref enforce server's preferences for cipher suites\n");
91 " -noreneg prohibit renegotiations\n");
93 " -alpn name add protocol name to list of protocols (ALPN extension)\n");
95 " -strictalpn fail on ALPN mismatch\n");
101 xfree(*(char **)alpn);
105 dump_blob(const char *name, const void *data, size_t len)
107 const unsigned char *buf;
111 fprintf(stderr, "%s (len = %lu)", name, (unsigned long)len);
112 for (u = 0; u < len; u ++) {
114 fprintf(stderr, "\n%08lX ", (unsigned long)u);
115 } else if ((u & 7) == 0) {
116 fprintf(stderr, " ");
118 fprintf(stderr, " %02x", buf[u]);
120 fprintf(stderr, "\n");
124 * Callback for reading bytes from standard input.
127 stdin_read(void *ctx, unsigned char *buf, size_t len)
138 eof = !ReadFile(GetStdHandle(STD_INPUT_HANDLE),
139 buf, len, &rlen, NULL) || rlen == 0;
141 rlen = read(0, buf, len);
143 if (rlen < 0 && errno == EINTR) {
154 fprintf(stderr, "recv: EOF\n");
160 dump_blob("recv", buf, (size_t)rlen);
167 * Callback for writing bytes on standard output.
170 stdout_write(void *ctx, const unsigned char *buf, size_t len)
181 eof = !WriteFile(GetStdHandle(STD_OUTPUT_HANDLE),
182 buf, len, &wlen, NULL);
184 wlen = write(1, buf, len);
186 if (wlen < 0 && errno == EINTR) {
197 fprintf(stderr, "send: EOF\n");
203 dump_blob("send", buf, (size_t)wlen);
212 const char *name, *comment;
214 name = find_error_name(err, &comment);
216 fprintf(stderr, "ERR %d: %s\n %s\n", err, name, comment);
219 if (err >= BR_ERR_RECV_FATAL_ALERT
220 && err < BR_ERR_RECV_FATAL_ALERT + 256)
222 fprintf(stderr, "ERR %d: received fatal alert %d\n",
223 err, err - BR_ERR_RECV_FATAL_ALERT);
226 if (err >= BR_ERR_SEND_FATAL_ALERT
227 && err < BR_ERR_SEND_FATAL_ALERT + 256)
229 fprintf(stderr, "ERR %d: sent fatal alert %d\n",
230 err, err - BR_ERR_SEND_FATAL_ALERT);
233 fprintf(stderr, "ERR %d: UNKNOWN\n", err);
238 do_twrch(int argc, char *argv[])
247 cipher_suite *suites;
251 br_x509_certificate *chain;
253 int cert_signer_algo;
256 anchor_list anchors = VEC_INIT;
257 VECTOR(char *) alpn_names = VEC_INIT;
258 br_x509_minimal_context xc;
259 x509_noanchor_context xwc;
260 const br_hash_class *dnhash;
263 br_ssl_engine_context eng;
264 br_ssl_server_context srv;
265 br_ssl_client_context cnt;
267 br_ssl_session_cache_lru lru;
268 unsigned char *iobuf, *cache;
269 size_t iobuf_len, cache_len, minhello_len;
270 br_sslio_context ioc;
288 cert_signer_algo = 0;
294 cache_len = (size_t)-1;
295 minhello_len = (size_t)-1;
298 for (i = 0; i < argc; i ++) {
304 goto twrch_exit_error;
306 if (eqstr(arg, "-trace")) {
308 } else if (eqstr(arg, "-v")) {
310 } else if (eqstr(arg, "-server")) {
312 } else if (eqstr(arg, "-client")) {
314 } else if (eqstr(arg, "-sni")) {
317 "ERROR: no argument for '-sni'\n");
319 goto twrch_exit_error;
323 fprintf(stderr, "ERROR: duplicate SNI\n");
325 goto twrch_exit_error;
328 } else if (eqstr(arg, "-mono")) {
330 } else if (eqstr(arg, "-buf")) {
333 "ERROR: no argument for '-buf'\n");
335 goto twrch_exit_error;
338 if (iobuf_len != 0) {
340 "ERROR: duplicate I/O buffer length\n");
342 goto twrch_exit_error;
344 iobuf_len = parse_size(arg);
345 if (iobuf_len == (size_t)-1) {
347 goto twrch_exit_error;
349 } else if (eqstr(arg, "-cache")) {
352 "ERROR: no argument for '-cache'\n");
354 goto twrch_exit_error;
357 if (cache_len != (size_t)-1) {
358 fprintf(stderr, "ERROR: duplicate session"
361 goto twrch_exit_error;
363 cache_len = parse_size(arg);
364 if (cache_len == (size_t)-1) {
366 goto twrch_exit_error;
368 } else if (eqstr(arg, "-cert")) {
371 "ERROR: no argument for '-cert'\n");
373 goto twrch_exit_error;
377 "ERROR: duplicate certificate chain\n");
379 goto twrch_exit_error;
382 chain = read_certificates(arg, &chain_len);
383 if (chain == NULL || chain_len == 0) {
384 goto twrch_exit_error;
386 } else if (eqstr(arg, "-key")) {
389 "ERROR: no argument for '-key'\n");
391 goto twrch_exit_error;
395 "ERROR: duplicate private key\n");
397 goto twrch_exit_error;
400 sk = read_private_key(arg);
402 goto twrch_exit_error;
404 } else if (eqstr(arg, "-CA")) {
407 "ERROR: no argument for '-CA'\n");
409 goto twrch_exit_error;
412 if (read_trust_anchors(&anchors, arg) == 0) {
414 goto twrch_exit_error;
416 } else if (eqstr(arg, "-anon_ok")) {
417 flags |= BR_OPT_TOLERATE_NO_CLIENT_AUTH;
418 } else if (eqstr(arg, "-nostaticecdh")) {
420 } else if (eqstr(arg, "-list")) {
423 } else if (eqstr(arg, "-vmin")) {
426 "ERROR: no argument for '-vmin'\n");
428 goto twrch_exit_error;
433 "ERROR: duplicate minimum version\n");
435 goto twrch_exit_error;
437 vmin = parse_version(arg, strlen(arg));
440 "ERROR: unrecognised version '%s'\n",
443 goto twrch_exit_error;
445 } else if (eqstr(arg, "-vmax")) {
448 "ERROR: no argument for '-vmax'\n");
450 goto twrch_exit_error;
455 "ERROR: duplicate maximum version\n");
457 goto twrch_exit_error;
459 vmax = parse_version(arg, strlen(arg));
462 "ERROR: unrecognised version '%s'\n",
465 goto twrch_exit_error;
467 } else if (eqstr(arg, "-cs")) {
470 "ERROR: no argument for '-cs'\n");
472 goto twrch_exit_error;
475 if (suites != NULL) {
476 fprintf(stderr, "ERROR: duplicate list"
477 " of cipher suites\n");
479 goto twrch_exit_error;
481 suites = parse_suites(arg, &num_suites);
482 if (suites == NULL) {
484 goto twrch_exit_error;
486 } else if (eqstr(arg, "-hf")) {
491 "ERROR: no argument for '-hf'\n");
493 goto twrch_exit_error;
496 x = parse_hash_functions(arg);
499 goto twrch_exit_error;
502 } else if (eqstr(arg, "-minhello")) {
505 "ERROR: no argument for '-minhello'\n");
507 goto twrch_exit_error;
510 if (minhello_len != (size_t)-1) {
511 fprintf(stderr, "ERROR: duplicate minimum"
512 " ClientHello length\n");
514 goto twrch_exit_error;
516 minhello_len = parse_size(arg);
518 * Minimum ClientHello length must fit on 16 bits.
520 if (minhello_len == (size_t)-1
521 || (((minhello_len >> 12) >> 4) != 0))
524 goto twrch_exit_error;
526 } else if (eqstr(arg, "-serverpref")) {
527 flags |= BR_OPT_ENFORCE_SERVER_PREFERENCES;
528 } else if (eqstr(arg, "-noreneg")) {
529 flags |= BR_OPT_NO_RENEGOTIATION;
530 } else if (eqstr(arg, "-alpn")) {
533 "ERROR: no argument for '-alpn'\n");
535 goto twrch_exit_error;
537 VEC_ADD(alpn_names, xstrdup(argv[i]));
538 } else if (eqstr(arg, "-strictalpn")) {
539 flags |= BR_OPT_FAIL_ON_ALPN_MISMATCH;
541 fprintf(stderr, "ERROR: unknown option: '%s'\n", arg);
543 goto twrch_exit_error;
548 * Verify consistency of options.
550 if (!is_client && !is_server) {
551 fprintf(stderr, "ERROR:"
552 " one of -server and -client must be specified\n");
554 goto twrch_exit_error;
556 if (is_client && is_server) {
557 fprintf(stderr, "ERROR:"
558 " -server and -client may not be both specified\n");
560 goto twrch_exit_error;
570 fprintf(stderr, "ERROR: impossible minimum/maximum protocol"
571 " version combination\n");
573 goto twrch_exit_error;
577 fprintf(stderr, "ERROR: no certificate specified"
578 " for server (-cert)\n");
580 goto twrch_exit_error;
583 fprintf(stderr, "ERROR: no private key specified"
584 " for server (-key)\n");
586 goto twrch_exit_error;
589 if (chain == NULL && sk != NULL) {
590 fprintf(stderr, "ERROR: private key (-key)"
591 " but no certificate (-cert)");
593 goto twrch_exit_error;
595 if (chain != NULL && sk == NULL) {
596 fprintf(stderr, "ERROR: certificate (-cert)"
597 " but no private key (-key)");
599 goto twrch_exit_error;
602 if (suites == NULL) {
605 for (u = 0; cipher_suites[u].name; u ++) {
606 if ((cipher_suites[u].req & REQ_TLS12) == 0
612 suites = xmalloc(num_suites * sizeof *suites);
614 for (u = 0; cipher_suites[u].name; u ++) {
615 if ((cipher_suites[u].req & REQ_TLS12) == 0
618 suites[num_suites ++] = cipher_suites[u];
623 hfuns = (unsigned)-1;
626 switch (sk->key_type) {
633 curve = sk->key.ec.curve;
634 supp = br_ec_get_default()->supported_curves;
635 if (curve > 31 || !((supp >> curve) & 1)) {
636 fprintf(stderr, "ERROR: private key curve (%d)"
637 " is not supported\n", curve);
638 goto twrch_exit_error;
642 fprintf(stderr, "ERROR: unsupported"
643 " private key type (%d)\n", sk->key_type);
644 goto twrch_exit_error;
648 cert_signer_algo = get_cert_signer_algo(chain);
649 if (cert_signer_algo == 0) {
650 goto twrch_exit_error;
653 if (iobuf_len == 0) {
655 iobuf_len = BR_SSL_BUFSIZE_BIDI;
657 iobuf_len = BR_SSL_BUFSIZE_MONO;
660 iobuf = xmalloc(iobuf_len);
662 if (cache_len == (size_t)-1) {
665 cache = xmalloc(cache_len);
669 * Initialise the relevant context.
672 br_ssl_client_zero(&cc.cnt);
674 br_ssl_server_zero(&cc.srv);
678 * Compute implementation requirements and inject implementations.
680 suite_ids = xmalloc(num_suites * sizeof *suite_ids);
681 br_ssl_engine_set_versions(&cc.eng, vmin, vmax);
682 br_ssl_engine_set_all_flags(&cc.eng, flags);
683 if (vmin <= BR_TLS11) {
684 if (!(hfuns & (1 << br_md5_ID))) {
685 fprintf(stderr, "ERROR: TLS 1.0 and 1.1 need MD5\n");
686 goto twrch_exit_error;
688 if (!(hfuns & (1 << br_sha1_ID))) {
689 fprintf(stderr, "ERROR: TLS 1.0 and 1.1 need SHA-1\n");
690 goto twrch_exit_error;
693 for (u = 0; u < num_suites; u ++) {
697 suite_ids[u] = suites[u].suite;
698 if ((req & REQ_TLS12) != 0 && vmax < BR_TLS12) {
700 "ERROR: cipher suite %s requires TLS 1.2\n",
702 goto twrch_exit_error;
704 if ((req & REQ_SHA1) != 0 && !(hfuns & (1 << br_sha1_ID))) {
706 "ERROR: cipher suite %s requires SHA-1\n",
708 goto twrch_exit_error;
710 if ((req & REQ_SHA256) != 0 && !(hfuns & (1 << br_sha256_ID))) {
712 "ERROR: cipher suite %s requires SHA-256\n",
714 goto twrch_exit_error;
716 if ((req & REQ_SHA384) != 0 && !(hfuns & (1 << br_sha384_ID))) {
718 "ERROR: cipher suite %s requires SHA-384\n",
720 goto twrch_exit_error;
722 /* TODO: algorithm implementation selection */
723 if ((req & REQ_AESCBC) != 0) {
724 br_ssl_engine_set_default_aes_cbc(&cc.eng);
726 if ((req & REQ_AESCCM) != 0) {
727 br_ssl_engine_set_default_aes_ccm(&cc.eng);
729 if ((req & REQ_AESGCM) != 0) {
730 br_ssl_engine_set_default_aes_gcm(&cc.eng);
732 if ((req & REQ_CHAPOL) != 0) {
733 br_ssl_engine_set_default_chapol(&cc.eng);
735 if ((req & REQ_3DESCBC) != 0) {
736 br_ssl_engine_set_default_des_cbc(&cc.eng);
738 if (is_client && (req & REQ_RSAKEYX) != 0) {
739 br_ssl_client_set_default_rsapub(&cc.cnt);
741 if (is_client && (req & REQ_ECDHE_RSA) != 0) {
742 br_ssl_engine_set_default_rsavrfy(&cc.eng);
744 if (is_client && (req & REQ_ECDH) != 0) {
745 br_ssl_engine_set_default_ec(&cc.eng);
747 if ((req & (REQ_ECDHE_RSA | REQ_ECDHE_ECDSA)) != 0) {
748 br_ssl_engine_set_default_ec(&cc.eng);
751 br_ssl_engine_set_suites(&cc.eng, suite_ids, num_suites);
754 for (u = 0; hash_functions[u].name; u ++) {
755 const br_hash_class *hc;
758 hc = hash_functions[u].hclass;
759 id = (hc->desc >> BR_HASHDESC_ID_OFF) & BR_HASHDESC_ID_MASK;
760 if ((hfuns & ((unsigned)1 << id)) != 0) {
762 br_ssl_engine_set_hash(&cc.eng, id, hc);
765 if (vmin <= BR_TLS11) {
766 br_ssl_engine_set_prf10(&cc.eng, &br_tls10_prf);
768 if (vmax >= BR_TLS12) {
769 if ((hfuns & ((unsigned)1 << br_sha256_ID)) != 0) {
770 br_ssl_engine_set_prf_sha256(&cc.eng,
771 &br_tls12_sha256_prf);
773 if ((hfuns & ((unsigned)1 << br_sha384_ID)) != 0) {
774 br_ssl_engine_set_prf_sha384(&cc.eng,
775 &br_tls12_sha384_prf);
778 if (VEC_LEN(alpn_names) != 0) {
779 br_ssl_engine_set_protocol_names(&cc.eng,
780 (const char **)&VEC_ELT(alpn_names, 0),
781 VEC_LEN(alpn_names));
785 * In server role, we use a session cache (size can be
786 * specified; if size is zero, then no cache is set).
788 if (is_server && cache != NULL) {
789 br_ssl_session_cache_lru_init(&lru, cache, cache_len);
790 br_ssl_server_set_cache(&cc.srv, &lru.vtable);
794 * For a server, set the policy handler.
797 switch (sk->key_type) {
799 br_ssl_server_set_single_rsa(&cc.srv,
800 chain, chain_len, &sk->key.rsa,
801 BR_KEYTYPE_KEYX | BR_KEYTYPE_SIGN,
802 br_rsa_private_get_default(),
803 br_rsa_pkcs1_sign_get_default());
806 br_ssl_server_set_single_ec(&cc.srv,
807 chain, chain_len, &sk->key.ec,
808 BR_KEYTYPE_KEYX | BR_KEYTYPE_SIGN,
811 br_ecdsa_sign_asn1_get_default());
814 fprintf(stderr, "ERROR: unsupported"
815 " private key type (%d)\n", sk->key_type);
816 goto twrch_exit_error;
821 * For a client, if a certificate was specified, use it.
823 if (is_client && chain != NULL) {
824 switch (sk->key_type) {
828 br_ssl_client_set_single_rsa(&cc.cnt,
829 chain, chain_len, &sk->key.rsa,
830 br_rsa_pkcs1_sign_get_default());
834 cert_signer_algo = 0;
835 usages = BR_KEYTYPE_SIGN;
837 usages = BR_KEYTYPE_KEYX | BR_KEYTYPE_SIGN;
839 br_ssl_client_set_single_ec(&cc.cnt,
840 chain, chain_len, &sk->key.ec,
841 usages, cert_signer_algo,
843 br_ecdsa_sign_asn1_get_default());
846 fprintf(stderr, "ERROR: unsupported"
847 " private key type (%d)\n", sk->key_type);
848 goto twrch_exit_error;
853 * On a client, or if trust anchors have been configured, then
854 * set an X.509 validation engine. If there are no trust anchors
855 * (client only), then a "no anchor" wrapper will be applied.
857 if (is_client || VEC_LEN(anchors) != 0) {
858 br_x509_minimal_init(&xc, dnhash,
859 &VEC_ELT(anchors, 0), VEC_LEN(anchors));
860 for (u = 0; hash_functions[u].name; u ++) {
861 const br_hash_class *hc;
864 hc = hash_functions[u].hclass;
865 id = (hc->desc >> BR_HASHDESC_ID_OFF)
866 & BR_HASHDESC_ID_MASK;
867 if ((hfuns & ((unsigned)1 << id)) != 0) {
868 br_x509_minimal_set_hash(&xc, id, hc);
871 br_ssl_engine_set_default_rsavrfy(&cc.eng);
872 br_ssl_engine_set_default_ecdsa(&cc.eng);
873 br_x509_minimal_set_rsa(&xc, br_rsa_pkcs1_vrfy_get_default());
874 br_x509_minimal_set_ecdsa(&xc,
875 br_ec_get_default(), br_ecdsa_vrfy_asn1_get_default());
876 br_ssl_engine_set_x509(&cc.eng, &xc.vtable);
878 if (VEC_LEN(anchors) == 0) {
879 x509_noanchor_init(&xwc, &xc.vtable);
880 br_ssl_engine_set_x509(&cc.eng, &xwc.vtable);
882 br_ssl_engine_set_x509(&cc.eng, &xc.vtable);
885 br_ssl_server_set_trust_anchor_names_alt(&cc.srv,
886 &VEC_ELT(anchors, 0), VEC_LEN(anchors));
893 br_ssl_engine_set_buffer(&cc.eng, iobuf, iobuf_len, bidi);
899 br_ssl_client_reset(&cc.cnt, sni, 0);
902 br_ssl_server_reset(&cc.srv);
906 * On Unix systems, we want to ignore SIGPIPE: if the peer
907 * closes the connection abruptly, then we want to report it
908 * as a "normal" error (exit code = 1).
911 signal(SIGPIPE, SIG_IGN);
915 * Initialize the callbacks for exchanging data over stdin and
918 br_sslio_init(&ioc, &cc.eng, stdin_read, &trace, stdout_write, &trace);
921 * Run the Twrch protocol.
925 unsigned char hv[20], tmp[41];
930 * Read line, byte by byte, hashing it on the fly.
938 if (br_sslio_read(&ioc, &x, 1) < 0) {
939 if (count == 0 && reconnect) {
941 if (br_sslio_close(&ioc) < 0) {
942 goto twrch_loop_finished;
949 br_ssl_server_reset(&cc.srv);
951 br_sslio_init(&ioc, &cc.eng,
953 stdout_write, &trace);
956 goto twrch_loop_finished;
964 br_sha1_update(&sc, &x, 1);
970 br_sslio_close(&ioc);
971 goto twrch_loop_finished;
973 if (br_sslio_close(&ioc) < 0) {
974 goto twrch_loop_finished;
977 br_ssl_client_reset(&cc.cnt, sni, 1);
980 br_ssl_server_reset(&cc.srv);
982 br_sslio_init(&ioc, &cc.eng,
984 stdout_write, &trace);
987 if (!br_ssl_engine_renegotiate(&cc.eng)) {
988 br_sslio_write_all(&ioc, "DENIED\n", 7);
989 br_sslio_flush(&ioc);
991 br_sslio_write_all(&ioc, "OK\n", 3);
992 br_sslio_flush(&ioc);
997 br_sslio_write_all(&ioc, "OK\n", 3);
998 br_sslio_flush(&ioc);
1002 br_ssl_client_forget_session(&cc.cnt);
1004 if (is_server && cache != NULL) {
1005 br_ssl_session_parameters pp;
1007 br_ssl_engine_get_session_parameters(
1009 if (pp.session_id_len == 32) {
1010 br_ssl_session_cache_lru_forget(
1011 &lru, pp.session_id);
1014 br_sslio_write_all(&ioc, "DONE\n", 5);
1015 br_sslio_flush(&ioc);
1019 br_sha1_out(&sc, hv);
1020 for (i = 0; i < 20; i ++) {
1024 tmp[(i << 1) + 0] = "0123456789abcdef"[x >> 4];
1025 tmp[(i << 1) + 1] = "0123456789abcdef"[x & 15];
1028 br_sslio_write_all(&ioc, tmp, 41);
1029 br_sslio_flush(&ioc);
1032 twrch_loop_finished:
1033 if (br_ssl_engine_current_state(&cc.eng) == BR_SSL_CLOSED) {
1036 err = br_ssl_engine_last_error(&cc.eng);
1047 fprintf(stderr, "Engine not closed!\n");
1053 * Release allocated structures.
1058 free_certificates(chain, chain_len);
1059 free_private_key(sk);
1060 VEC_CLEAREXT(anchors, &free_ta_contents);
1061 VEC_CLEAREXT(alpn_names, &free_alpn);