mirror of
https://github.com/Mbed-TLS/mbedtls.git
synced 2024-12-28 06:19:27 +00:00
5333425891
In Mbed TLS 4.0, all cryptography goes through PSA, so calling psa_crypto_init() is now mandatory before starting a TLS connection (as was the case in Mbed TLS 3.x with MBEDTLS_USE_PSA_CRYPTO enabled). Switch the TLS sample programs to calling psa_crypto_init() unconditionally. Otherwise TLS 1.3 connections fail, and (D)TLS 1.2 connections soon will. This commit omits the test programs ssl_client2 and ssl_server2, which don't require a change right now. They will be covered when we make MBEDTLS_USE_PSA_CRYPTO always on. Signed-off-by: Gilles Peskine <Gilles.Peskine@arm.com>
814 lines
25 KiB
C
814 lines
25 KiB
C
/*
|
|
* SSL client for SMTP servers
|
|
*
|
|
* Copyright The Mbed TLS Contributors
|
|
* SPDX-License-Identifier: Apache-2.0 OR GPL-2.0-or-later
|
|
*/
|
|
|
|
/* Enable definition of gethostname() even when compiling with -std=c99. Must
|
|
* be set before mbedtls_config.h, which pulls in glibc's features.h indirectly.
|
|
* Harmless on other platforms. */
|
|
|
|
#define _POSIX_C_SOURCE 200112L
|
|
#define _XOPEN_SOURCE 600
|
|
|
|
#include "mbedtls/build_info.h"
|
|
|
|
#include "mbedtls/platform.h"
|
|
|
|
#if !defined(MBEDTLS_BIGNUM_C) || !defined(MBEDTLS_ENTROPY_C) || \
|
|
!defined(MBEDTLS_SSL_TLS_C) || !defined(MBEDTLS_SSL_CLI_C) || \
|
|
!defined(MBEDTLS_NET_C) || !defined(MBEDTLS_RSA_C) || \
|
|
!defined(MBEDTLS_CTR_DRBG_C) || !defined(MBEDTLS_X509_CRT_PARSE_C) || \
|
|
!defined(MBEDTLS_FS_IO)
|
|
int main(void)
|
|
{
|
|
mbedtls_printf("MBEDTLS_BIGNUM_C and/or MBEDTLS_ENTROPY_C and/or "
|
|
"MBEDTLS_SSL_TLS_C and/or MBEDTLS_SSL_CLI_C and/or "
|
|
"MBEDTLS_NET_C and/or MBEDTLS_RSA_C and/or "
|
|
"MBEDTLS_CTR_DRBG_C and/or MBEDTLS_X509_CRT_PARSE_C "
|
|
"not defined.\n");
|
|
mbedtls_exit(0);
|
|
}
|
|
#else
|
|
|
|
#include "mbedtls/base64.h"
|
|
#include "mbedtls/error.h"
|
|
#include "mbedtls/net_sockets.h"
|
|
#include "mbedtls/ssl.h"
|
|
#include "mbedtls/entropy.h"
|
|
#include "mbedtls/ctr_drbg.h"
|
|
#include "test/certs.h"
|
|
#include "mbedtls/x509.h"
|
|
|
|
#include <stdlib.h>
|
|
#include <string.h>
|
|
|
|
#if !defined(_MSC_VER) || defined(EFIX64) || defined(EFI32)
|
|
#include <unistd.h>
|
|
#else
|
|
#include <io.h>
|
|
#endif
|
|
|
|
#if defined(_WIN32) || defined(_WIN32_WCE)
|
|
#include <winsock2.h>
|
|
#include <windows.h>
|
|
|
|
#if defined(_MSC_VER)
|
|
#if defined(_WIN32_WCE)
|
|
#pragma comment( lib, "ws2.lib" )
|
|
#else
|
|
#pragma comment( lib, "ws2_32.lib" )
|
|
#endif
|
|
#endif /* _MSC_VER */
|
|
#endif
|
|
|
|
#define DFL_SERVER_NAME "localhost"
|
|
#define DFL_SERVER_PORT "465"
|
|
#define DFL_USER_NAME "user"
|
|
#define DFL_USER_PWD "password"
|
|
#define DFL_MAIL_FROM ""
|
|
#define DFL_MAIL_TO ""
|
|
#define DFL_DEBUG_LEVEL 0
|
|
#define DFL_CA_FILE ""
|
|
#define DFL_CRT_FILE ""
|
|
#define DFL_KEY_FILE ""
|
|
#define DFL_FORCE_CIPHER 0
|
|
#define DFL_MODE 0
|
|
#define DFL_AUTHENTICATION 0
|
|
|
|
#define MODE_SSL_TLS 0
|
|
#define MODE_STARTTLS 0
|
|
|
|
#if defined(MBEDTLS_BASE64_C)
|
|
#define USAGE_AUTH \
|
|
" authentication=%%d default: 0 (disabled)\n" \
|
|
" user_name=%%s default: \"" DFL_USER_NAME "\"\n" \
|
|
" user_pwd=%%s default: \"" \
|
|
DFL_USER_PWD "\"\n"
|
|
#else
|
|
#define USAGE_AUTH \
|
|
" authentication options disabled. (Require MBEDTLS_BASE64_C)\n"
|
|
#endif /* MBEDTLS_BASE64_C */
|
|
|
|
#if defined(MBEDTLS_FS_IO)
|
|
#define USAGE_IO \
|
|
" ca_file=%%s default: \"\" (pre-loaded)\n" \
|
|
" crt_file=%%s default: \"\" (pre-loaded)\n" \
|
|
" key_file=%%s default: \"\" (pre-loaded)\n"
|
|
#else
|
|
#define USAGE_IO \
|
|
" No file operations available (MBEDTLS_FS_IO not defined)\n"
|
|
#endif /* MBEDTLS_FS_IO */
|
|
|
|
#define USAGE \
|
|
"\n usage: ssl_mail_client param=<>...\n" \
|
|
"\n acceptable parameters:\n" \
|
|
" server_name=%%s default: " DFL_SERVER_NAME "\n" \
|
|
" server_port=%%d default: " \
|
|
DFL_SERVER_PORT "\n" \
|
|
" debug_level=%%d default: 0 (disabled)\n" \
|
|
" mode=%%d default: 0 (SSL/TLS) (1 for STARTTLS)\n" \
|
|
USAGE_AUTH \
|
|
" mail_from=%%s default: \"\"\n" \
|
|
" mail_to=%%s default: \"\"\n" \
|
|
USAGE_IO \
|
|
" force_ciphersuite=<name> default: all enabled\n" \
|
|
" acceptable ciphersuite names:\n"
|
|
|
|
|
|
/*
|
|
* global options
|
|
*/
|
|
struct options {
|
|
const char *server_name; /* hostname of the server (client only) */
|
|
const char *server_port; /* port on which the ssl service runs */
|
|
int debug_level; /* level of debugging */
|
|
int authentication; /* if authentication is required */
|
|
int mode; /* SSL/TLS (0) or STARTTLS (1) */
|
|
const char *user_name; /* username to use for authentication */
|
|
const char *user_pwd; /* password to use for authentication */
|
|
const char *mail_from; /* E-Mail address to use as sender */
|
|
const char *mail_to; /* E-Mail address to use as recipient */
|
|
const char *ca_file; /* the file with the CA certificate(s) */
|
|
const char *crt_file; /* the file with the client certificate */
|
|
const char *key_file; /* the file with the client key */
|
|
int force_ciphersuite[2]; /* protocol/ciphersuite to use, or all */
|
|
} opt;
|
|
|
|
static void my_debug(void *ctx, int level,
|
|
const char *file, int line,
|
|
const char *str)
|
|
{
|
|
((void) level);
|
|
|
|
mbedtls_fprintf((FILE *) ctx, "%s:%04d: %s", file, line, str);
|
|
fflush((FILE *) ctx);
|
|
}
|
|
|
|
static int do_handshake(mbedtls_ssl_context *ssl)
|
|
{
|
|
int ret;
|
|
uint32_t flags;
|
|
unsigned char buf[1024];
|
|
memset(buf, 0, 1024);
|
|
|
|
/*
|
|
* 4. Handshake
|
|
*/
|
|
mbedtls_printf(" . Performing the SSL/TLS handshake...");
|
|
fflush(stdout);
|
|
|
|
while ((ret = mbedtls_ssl_handshake(ssl)) != 0) {
|
|
if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
|
|
#if defined(MBEDTLS_ERROR_C)
|
|
mbedtls_strerror(ret, (char *) buf, 1024);
|
|
#endif
|
|
mbedtls_printf(" failed\n ! mbedtls_ssl_handshake returned %d: %s\n\n", ret, buf);
|
|
return -1;
|
|
}
|
|
}
|
|
|
|
mbedtls_printf(" ok\n [ Ciphersuite is %s ]\n",
|
|
mbedtls_ssl_get_ciphersuite(ssl));
|
|
|
|
/*
|
|
* 5. Verify the server certificate
|
|
*/
|
|
mbedtls_printf(" . Verifying peer X.509 certificate...");
|
|
|
|
/* In real life, we probably want to bail out when ret != 0 */
|
|
if ((flags = mbedtls_ssl_get_verify_result(ssl)) != 0) {
|
|
#if !defined(MBEDTLS_X509_REMOVE_INFO)
|
|
char vrfy_buf[512];
|
|
#endif
|
|
|
|
mbedtls_printf(" failed\n");
|
|
|
|
#if !defined(MBEDTLS_X509_REMOVE_INFO)
|
|
mbedtls_x509_crt_verify_info(vrfy_buf, sizeof(vrfy_buf), " ! ", flags);
|
|
|
|
mbedtls_printf("%s\n", vrfy_buf);
|
|
#endif
|
|
} else {
|
|
mbedtls_printf(" ok\n");
|
|
}
|
|
|
|
#if !defined(MBEDTLS_X509_REMOVE_INFO)
|
|
mbedtls_printf(" . Peer certificate information ...\n");
|
|
mbedtls_x509_crt_info((char *) buf, sizeof(buf) - 1, " ",
|
|
mbedtls_ssl_get_peer_cert(ssl));
|
|
mbedtls_printf("%s\n", buf);
|
|
#endif
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int write_ssl_data(mbedtls_ssl_context *ssl, unsigned char *buf, size_t len)
|
|
{
|
|
int ret;
|
|
|
|
mbedtls_printf("\n%s", buf);
|
|
while (len && (ret = mbedtls_ssl_write(ssl, buf, len)) <= 0) {
|
|
if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
|
|
mbedtls_printf(" failed\n ! mbedtls_ssl_write returned %d\n\n", ret);
|
|
return -1;
|
|
}
|
|
}
|
|
|
|
return 0;
|
|
}
|
|
|
|
static int write_ssl_and_get_response(mbedtls_ssl_context *ssl, unsigned char *buf, size_t len)
|
|
{
|
|
int ret;
|
|
unsigned char data[128];
|
|
char code[4];
|
|
size_t i, idx = 0;
|
|
|
|
mbedtls_printf("\n%s", buf);
|
|
while (len && (ret = mbedtls_ssl_write(ssl, buf, len)) <= 0) {
|
|
if (ret != MBEDTLS_ERR_SSL_WANT_READ && ret != MBEDTLS_ERR_SSL_WANT_WRITE) {
|
|
mbedtls_printf(" failed\n ! mbedtls_ssl_write returned %d\n\n", ret);
|
|
return -1;
|
|
}
|
|
}
|
|
|
|
do {
|
|
len = sizeof(data) - 1;
|
|
memset(data, 0, sizeof(data));
|
|
ret = mbedtls_ssl_read(ssl, data, len);
|
|
|
|
if (ret == MBEDTLS_ERR_SSL_WANT_READ || ret == MBEDTLS_ERR_SSL_WANT_WRITE) {
|
|
continue;
|
|
}
|
|
|
|
if (ret == MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY) {
|
|
return -1;
|
|
}
|
|
|
|
if (ret <= 0) {
|
|
mbedtls_printf("failed\n ! mbedtls_ssl_read returned %d\n\n", ret);
|
|
return -1;
|
|
}
|
|
|
|
mbedtls_printf("\n%s", data);
|
|
len = ret;
|
|
for (i = 0; i < len; i++) {
|
|
if (data[i] != '\n') {
|
|
if (idx < 4) {
|
|
code[idx++] = data[i];
|
|
}
|
|
continue;
|
|
}
|
|
|
|
if (idx == 4 && code[0] >= '0' && code[0] <= '9' && code[3] == ' ') {
|
|
code[3] = '\0';
|
|
return atoi(code);
|
|
}
|
|
|
|
idx = 0;
|
|
}
|
|
} while (1);
|
|
}
|
|
|
|
static int write_and_get_response(mbedtls_net_context *sock_fd, unsigned char *buf, size_t len)
|
|
{
|
|
int ret;
|
|
unsigned char data[128];
|
|
char code[4];
|
|
size_t i, idx = 0;
|
|
|
|
mbedtls_printf("\n%s", buf);
|
|
if (len && (ret = mbedtls_net_send(sock_fd, buf, len)) <= 0) {
|
|
mbedtls_printf(" failed\n ! mbedtls_net_send returned %d\n\n", ret);
|
|
return -1;
|
|
}
|
|
|
|
do {
|
|
len = sizeof(data) - 1;
|
|
memset(data, 0, sizeof(data));
|
|
ret = mbedtls_net_recv(sock_fd, data, len);
|
|
|
|
if (ret <= 0) {
|
|
mbedtls_printf("failed\n ! mbedtls_net_recv returned %d\n\n", ret);
|
|
return -1;
|
|
}
|
|
|
|
data[len] = '\0';
|
|
mbedtls_printf("\n%s", data);
|
|
len = ret;
|
|
for (i = 0; i < len; i++) {
|
|
if (data[i] != '\n') {
|
|
if (idx < 4) {
|
|
code[idx++] = data[i];
|
|
}
|
|
continue;
|
|
}
|
|
|
|
if (idx == 4 && code[0] >= '0' && code[0] <= '9' && code[3] == ' ') {
|
|
code[3] = '\0';
|
|
return atoi(code);
|
|
}
|
|
|
|
idx = 0;
|
|
}
|
|
} while (1);
|
|
}
|
|
|
|
int main(int argc, char *argv[])
|
|
{
|
|
int ret = 1, len;
|
|
int exit_code = MBEDTLS_EXIT_FAILURE;
|
|
mbedtls_net_context server_fd;
|
|
#if defined(MBEDTLS_BASE64_C)
|
|
unsigned char base[1024];
|
|
/* buf is used as the destination buffer for printing base with the format:
|
|
* "%s\r\n". Hence, the size of buf should be at least the size of base
|
|
* plus 2 bytes for the \r and \n characters.
|
|
*/
|
|
unsigned char buf[sizeof(base) + 2];
|
|
#else
|
|
unsigned char buf[1024];
|
|
#endif
|
|
char hostname[32];
|
|
const char *pers = "ssl_mail_client";
|
|
|
|
mbedtls_entropy_context entropy;
|
|
mbedtls_ctr_drbg_context ctr_drbg;
|
|
mbedtls_ssl_context ssl;
|
|
mbedtls_ssl_config conf;
|
|
mbedtls_x509_crt cacert;
|
|
mbedtls_x509_crt clicert;
|
|
mbedtls_pk_context pkey;
|
|
int i;
|
|
size_t n;
|
|
char *p, *q;
|
|
const int *list;
|
|
|
|
/*
|
|
* Make sure memory references are valid in case we exit early.
|
|
*/
|
|
mbedtls_net_init(&server_fd);
|
|
mbedtls_ssl_init(&ssl);
|
|
mbedtls_ssl_config_init(&conf);
|
|
memset(&buf, 0, sizeof(buf));
|
|
mbedtls_x509_crt_init(&cacert);
|
|
mbedtls_x509_crt_init(&clicert);
|
|
mbedtls_pk_init(&pkey);
|
|
mbedtls_ctr_drbg_init(&ctr_drbg);
|
|
mbedtls_entropy_init(&entropy);
|
|
|
|
psa_status_t status = psa_crypto_init();
|
|
if (status != PSA_SUCCESS) {
|
|
mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
|
|
(int) status);
|
|
goto exit;
|
|
}
|
|
|
|
if (argc < 2) {
|
|
usage:
|
|
mbedtls_printf(USAGE);
|
|
|
|
list = mbedtls_ssl_list_ciphersuites();
|
|
while (*list) {
|
|
mbedtls_printf(" %s\n", mbedtls_ssl_get_ciphersuite_name(*list));
|
|
list++;
|
|
}
|
|
mbedtls_printf("\n");
|
|
goto exit;
|
|
}
|
|
|
|
opt.server_name = DFL_SERVER_NAME;
|
|
opt.server_port = DFL_SERVER_PORT;
|
|
opt.debug_level = DFL_DEBUG_LEVEL;
|
|
opt.authentication = DFL_AUTHENTICATION;
|
|
opt.mode = DFL_MODE;
|
|
opt.user_name = DFL_USER_NAME;
|
|
opt.user_pwd = DFL_USER_PWD;
|
|
opt.mail_from = DFL_MAIL_FROM;
|
|
opt.mail_to = DFL_MAIL_TO;
|
|
opt.ca_file = DFL_CA_FILE;
|
|
opt.crt_file = DFL_CRT_FILE;
|
|
opt.key_file = DFL_KEY_FILE;
|
|
opt.force_ciphersuite[0] = DFL_FORCE_CIPHER;
|
|
|
|
for (i = 1; i < argc; i++) {
|
|
p = argv[i];
|
|
if ((q = strchr(p, '=')) == NULL) {
|
|
goto usage;
|
|
}
|
|
*q++ = '\0';
|
|
|
|
if (strcmp(p, "server_name") == 0) {
|
|
opt.server_name = q;
|
|
} else if (strcmp(p, "server_port") == 0) {
|
|
opt.server_port = q;
|
|
} else if (strcmp(p, "debug_level") == 0) {
|
|
opt.debug_level = atoi(q);
|
|
if (opt.debug_level < 0 || opt.debug_level > 65535) {
|
|
goto usage;
|
|
}
|
|
} else if (strcmp(p, "authentication") == 0) {
|
|
opt.authentication = atoi(q);
|
|
if (opt.authentication < 0 || opt.authentication > 1) {
|
|
goto usage;
|
|
}
|
|
} else if (strcmp(p, "mode") == 0) {
|
|
opt.mode = atoi(q);
|
|
if (opt.mode < 0 || opt.mode > 1) {
|
|
goto usage;
|
|
}
|
|
} else if (strcmp(p, "user_name") == 0) {
|
|
opt.user_name = q;
|
|
} else if (strcmp(p, "user_pwd") == 0) {
|
|
opt.user_pwd = q;
|
|
} else if (strcmp(p, "mail_from") == 0) {
|
|
opt.mail_from = q;
|
|
} else if (strcmp(p, "mail_to") == 0) {
|
|
opt.mail_to = q;
|
|
} else if (strcmp(p, "ca_file") == 0) {
|
|
opt.ca_file = q;
|
|
} else if (strcmp(p, "crt_file") == 0) {
|
|
opt.crt_file = q;
|
|
} else if (strcmp(p, "key_file") == 0) {
|
|
opt.key_file = q;
|
|
} else if (strcmp(p, "force_ciphersuite") == 0) {
|
|
opt.force_ciphersuite[0] = -1;
|
|
|
|
opt.force_ciphersuite[0] = mbedtls_ssl_get_ciphersuite_id(q);
|
|
|
|
if (opt.force_ciphersuite[0] <= 0) {
|
|
goto usage;
|
|
}
|
|
|
|
opt.force_ciphersuite[1] = 0;
|
|
} else {
|
|
goto usage;
|
|
}
|
|
}
|
|
|
|
/*
|
|
* 0. Initialize the RNG and the session data
|
|
*/
|
|
mbedtls_printf("\n . Seeding the random number generator...");
|
|
fflush(stdout);
|
|
|
|
if ((ret = mbedtls_ctr_drbg_seed(&ctr_drbg, mbedtls_entropy_func, &entropy,
|
|
(const unsigned char *) pers,
|
|
strlen(pers))) != 0) {
|
|
mbedtls_printf(" failed\n ! mbedtls_ctr_drbg_seed returned %d\n", ret);
|
|
goto exit;
|
|
}
|
|
|
|
mbedtls_printf(" ok\n");
|
|
|
|
/*
|
|
* 1.1. Load the trusted CA
|
|
*/
|
|
mbedtls_printf(" . Loading the CA root certificate ...");
|
|
fflush(stdout);
|
|
|
|
#if defined(MBEDTLS_FS_IO)
|
|
if (strlen(opt.ca_file)) {
|
|
ret = mbedtls_x509_crt_parse_file(&cacert, opt.ca_file);
|
|
} else
|
|
#endif
|
|
#if defined(MBEDTLS_PEM_PARSE_C)
|
|
ret = mbedtls_x509_crt_parse(&cacert, (const unsigned char *) mbedtls_test_cas_pem,
|
|
mbedtls_test_cas_pem_len);
|
|
#else
|
|
{
|
|
mbedtls_printf("MBEDTLS_PEM_PARSE_C not defined.");
|
|
goto exit;
|
|
}
|
|
#endif
|
|
if (ret < 0) {
|
|
mbedtls_printf(" failed\n ! mbedtls_x509_crt_parse returned %d\n\n", ret);
|
|
goto exit;
|
|
}
|
|
|
|
mbedtls_printf(" ok (%d skipped)\n", ret);
|
|
|
|
/*
|
|
* 1.2. Load own certificate and private key
|
|
*
|
|
* (can be skipped if client authentication is not required)
|
|
*/
|
|
mbedtls_printf(" . Loading the client cert. and key...");
|
|
fflush(stdout);
|
|
|
|
#if defined(MBEDTLS_FS_IO)
|
|
if (strlen(opt.crt_file)) {
|
|
ret = mbedtls_x509_crt_parse_file(&clicert, opt.crt_file);
|
|
} else
|
|
#endif
|
|
ret = mbedtls_x509_crt_parse(&clicert, (const unsigned char *) mbedtls_test_cli_crt,
|
|
mbedtls_test_cli_crt_len);
|
|
if (ret != 0) {
|
|
mbedtls_printf(" failed\n ! mbedtls_x509_crt_parse returned %d\n\n", ret);
|
|
goto exit;
|
|
}
|
|
|
|
#if defined(MBEDTLS_FS_IO)
|
|
if (strlen(opt.key_file)) {
|
|
ret = mbedtls_pk_parse_keyfile(&pkey, opt.key_file, "",
|
|
mbedtls_ctr_drbg_random, &ctr_drbg);
|
|
} else
|
|
#endif
|
|
#if defined(MBEDTLS_PEM_PARSE_C)
|
|
{
|
|
ret = mbedtls_pk_parse_key(&pkey,
|
|
(const unsigned char *) mbedtls_test_cli_key,
|
|
mbedtls_test_cli_key_len,
|
|
NULL,
|
|
0,
|
|
mbedtls_ctr_drbg_random,
|
|
&ctr_drbg);
|
|
}
|
|
#else
|
|
{
|
|
mbedtls_printf("MBEDTLS_PEM_PARSE_C not defined.");
|
|
goto exit;
|
|
}
|
|
#endif
|
|
if (ret != 0) {
|
|
mbedtls_printf(" failed\n ! mbedtls_pk_parse_key returned %d\n\n", ret);
|
|
goto exit;
|
|
}
|
|
|
|
mbedtls_printf(" ok\n");
|
|
|
|
/*
|
|
* 2. Start the connection
|
|
*/
|
|
mbedtls_printf(" . Connecting to tcp/%s/%s...", opt.server_name,
|
|
opt.server_port);
|
|
fflush(stdout);
|
|
|
|
if ((ret = mbedtls_net_connect(&server_fd, opt.server_name,
|
|
opt.server_port, MBEDTLS_NET_PROTO_TCP)) != 0) {
|
|
mbedtls_printf(" failed\n ! mbedtls_net_connect returned %d\n\n", ret);
|
|
goto exit;
|
|
}
|
|
|
|
mbedtls_printf(" ok\n");
|
|
|
|
/*
|
|
* 3. Setup stuff
|
|
*/
|
|
mbedtls_printf(" . Setting up the SSL/TLS structure...");
|
|
fflush(stdout);
|
|
|
|
if ((ret = mbedtls_ssl_config_defaults(&conf,
|
|
MBEDTLS_SSL_IS_CLIENT,
|
|
MBEDTLS_SSL_TRANSPORT_STREAM,
|
|
MBEDTLS_SSL_PRESET_DEFAULT)) != 0) {
|
|
mbedtls_printf(" failed\n ! mbedtls_ssl_config_defaults returned %d\n\n", ret);
|
|
goto exit;
|
|
}
|
|
|
|
/* OPTIONAL is not optimal for security,
|
|
* but makes interop easier in this simplified example */
|
|
mbedtls_ssl_conf_authmode(&conf, MBEDTLS_SSL_VERIFY_OPTIONAL);
|
|
|
|
mbedtls_ssl_conf_rng(&conf, mbedtls_ctr_drbg_random, &ctr_drbg);
|
|
mbedtls_ssl_conf_dbg(&conf, my_debug, stdout);
|
|
|
|
if (opt.force_ciphersuite[0] != DFL_FORCE_CIPHER) {
|
|
mbedtls_ssl_conf_ciphersuites(&conf, opt.force_ciphersuite);
|
|
}
|
|
|
|
mbedtls_ssl_conf_ca_chain(&conf, &cacert, NULL);
|
|
if ((ret = mbedtls_ssl_conf_own_cert(&conf, &clicert, &pkey)) != 0) {
|
|
mbedtls_printf(" failed\n ! mbedtls_ssl_conf_own_cert returned %d\n\n", ret);
|
|
goto exit;
|
|
}
|
|
|
|
if ((ret = mbedtls_ssl_setup(&ssl, &conf)) != 0) {
|
|
mbedtls_printf(" failed\n ! mbedtls_ssl_setup returned %d\n\n", ret);
|
|
goto exit;
|
|
}
|
|
|
|
if ((ret = mbedtls_ssl_set_hostname(&ssl, opt.server_name)) != 0) {
|
|
mbedtls_printf(" failed\n ! mbedtls_ssl_set_hostname returned %d\n\n", ret);
|
|
goto exit;
|
|
}
|
|
|
|
mbedtls_ssl_set_bio(&ssl, &server_fd, mbedtls_net_send, mbedtls_net_recv, NULL);
|
|
|
|
mbedtls_printf(" ok\n");
|
|
|
|
if (opt.mode == MODE_SSL_TLS) {
|
|
if (do_handshake(&ssl) != 0) {
|
|
goto exit;
|
|
}
|
|
|
|
mbedtls_printf(" > Get header from server:");
|
|
fflush(stdout);
|
|
|
|
ret = write_ssl_and_get_response(&ssl, buf, 0);
|
|
if (ret < 200 || ret > 299) {
|
|
mbedtls_printf(" failed\n ! server responded with %d\n\n", ret);
|
|
goto exit;
|
|
}
|
|
|
|
mbedtls_printf(" ok\n");
|
|
|
|
mbedtls_printf(" > Write EHLO to server:");
|
|
fflush(stdout);
|
|
|
|
gethostname(hostname, 32);
|
|
len = sprintf((char *) buf, "EHLO %s\r\n", hostname);
|
|
ret = write_ssl_and_get_response(&ssl, buf, len);
|
|
if (ret < 200 || ret > 299) {
|
|
mbedtls_printf(" failed\n ! server responded with %d\n\n", ret);
|
|
goto exit;
|
|
}
|
|
} else {
|
|
mbedtls_printf(" > Get header from server:");
|
|
fflush(stdout);
|
|
|
|
ret = write_and_get_response(&server_fd, buf, 0);
|
|
if (ret < 200 || ret > 299) {
|
|
mbedtls_printf(" failed\n ! server responded with %d\n\n", ret);
|
|
goto exit;
|
|
}
|
|
|
|
mbedtls_printf(" ok\n");
|
|
|
|
mbedtls_printf(" > Write EHLO to server:");
|
|
fflush(stdout);
|
|
|
|
gethostname(hostname, 32);
|
|
len = sprintf((char *) buf, "EHLO %s\r\n", hostname);
|
|
ret = write_and_get_response(&server_fd, buf, len);
|
|
if (ret < 200 || ret > 299) {
|
|
mbedtls_printf(" failed\n ! server responded with %d\n\n", ret);
|
|
goto exit;
|
|
}
|
|
|
|
mbedtls_printf(" ok\n");
|
|
|
|
mbedtls_printf(" > Write STARTTLS to server:");
|
|
fflush(stdout);
|
|
|
|
gethostname(hostname, 32);
|
|
len = sprintf((char *) buf, "STARTTLS\r\n");
|
|
ret = write_and_get_response(&server_fd, buf, len);
|
|
if (ret < 200 || ret > 299) {
|
|
mbedtls_printf(" failed\n ! server responded with %d\n\n", ret);
|
|
goto exit;
|
|
}
|
|
|
|
mbedtls_printf(" ok\n");
|
|
|
|
if (do_handshake(&ssl) != 0) {
|
|
goto exit;
|
|
}
|
|
}
|
|
|
|
#if defined(MBEDTLS_BASE64_C)
|
|
if (opt.authentication) {
|
|
mbedtls_printf(" > Write AUTH LOGIN to server:");
|
|
fflush(stdout);
|
|
|
|
len = sprintf((char *) buf, "AUTH LOGIN\r\n");
|
|
ret = write_ssl_and_get_response(&ssl, buf, len);
|
|
if (ret < 200 || ret > 399) {
|
|
mbedtls_printf(" failed\n ! server responded with %d\n\n", ret);
|
|
goto exit;
|
|
}
|
|
|
|
mbedtls_printf(" ok\n");
|
|
|
|
mbedtls_printf(" > Write username to server: %s", opt.user_name);
|
|
fflush(stdout);
|
|
|
|
ret = mbedtls_base64_encode(base, sizeof(base), &n, (const unsigned char *) opt.user_name,
|
|
strlen(opt.user_name));
|
|
|
|
if (ret != 0) {
|
|
mbedtls_printf(" failed\n ! mbedtls_base64_encode returned %d\n\n", ret);
|
|
goto exit;
|
|
}
|
|
len = sprintf((char *) buf, "%s\r\n", base);
|
|
ret = write_ssl_and_get_response(&ssl, buf, len);
|
|
if (ret < 300 || ret > 399) {
|
|
mbedtls_printf(" failed\n ! server responded with %d\n\n", ret);
|
|
goto exit;
|
|
}
|
|
|
|
mbedtls_printf(" ok\n");
|
|
|
|
mbedtls_printf(" > Write password to server: %s", opt.user_pwd);
|
|
fflush(stdout);
|
|
|
|
ret = mbedtls_base64_encode(base, sizeof(base), &n, (const unsigned char *) opt.user_pwd,
|
|
strlen(opt.user_pwd));
|
|
|
|
if (ret != 0) {
|
|
mbedtls_printf(" failed\n ! mbedtls_base64_encode returned %d\n\n", ret);
|
|
goto exit;
|
|
}
|
|
len = sprintf((char *) buf, "%s\r\n", base);
|
|
ret = write_ssl_and_get_response(&ssl, buf, len);
|
|
if (ret < 200 || ret > 399) {
|
|
mbedtls_printf(" failed\n ! server responded with %d\n\n", ret);
|
|
goto exit;
|
|
}
|
|
|
|
mbedtls_printf(" ok\n");
|
|
}
|
|
#endif
|
|
|
|
mbedtls_printf(" > Write MAIL FROM to server:");
|
|
fflush(stdout);
|
|
|
|
len = mbedtls_snprintf((char *) buf, sizeof(buf), "MAIL FROM:<%s>\r\n", opt.mail_from);
|
|
if (len < 0 || (size_t) len >= sizeof(buf)) {
|
|
mbedtls_printf(" failed\n ! mbedtls_snprintf encountered error or truncated output\n\n");
|
|
goto exit;
|
|
}
|
|
ret = write_ssl_and_get_response(&ssl, buf, len);
|
|
if (ret < 200 || ret > 299) {
|
|
mbedtls_printf(" failed\n ! server responded with %d\n\n", ret);
|
|
goto exit;
|
|
}
|
|
|
|
mbedtls_printf(" ok\n");
|
|
|
|
mbedtls_printf(" > Write RCPT TO to server:");
|
|
fflush(stdout);
|
|
|
|
len = mbedtls_snprintf((char *) buf, sizeof(buf), "RCPT TO:<%s>\r\n", opt.mail_to);
|
|
if (len < 0 || (size_t) len >= sizeof(buf)) {
|
|
mbedtls_printf(" failed\n ! mbedtls_snprintf encountered error or truncated output\n\n");
|
|
goto exit;
|
|
}
|
|
ret = write_ssl_and_get_response(&ssl, buf, len);
|
|
if (ret < 200 || ret > 299) {
|
|
mbedtls_printf(" failed\n ! server responded with %d\n\n", ret);
|
|
goto exit;
|
|
}
|
|
|
|
mbedtls_printf(" ok\n");
|
|
|
|
mbedtls_printf(" > Write DATA to server:");
|
|
fflush(stdout);
|
|
|
|
len = sprintf((char *) buf, "DATA\r\n");
|
|
ret = write_ssl_and_get_response(&ssl, buf, len);
|
|
if (ret < 300 || ret > 399) {
|
|
mbedtls_printf(" failed\n ! server responded with %d\n\n", ret);
|
|
goto exit;
|
|
}
|
|
|
|
mbedtls_printf(" ok\n");
|
|
|
|
mbedtls_printf(" > Write content to server:");
|
|
fflush(stdout);
|
|
|
|
len = mbedtls_snprintf((char *) buf, sizeof(buf),
|
|
"From: %s\r\nSubject: Mbed TLS Test mail\r\n\r\n"
|
|
"This is a simple test mail from the "
|
|
"Mbed TLS mail client example.\r\n"
|
|
"\r\n"
|
|
"Enjoy!", opt.mail_from);
|
|
if (len < 0 || (size_t) len >= sizeof(buf)) {
|
|
mbedtls_printf(" failed\n ! mbedtls_snprintf encountered error or truncated output\n\n");
|
|
goto exit;
|
|
}
|
|
ret = write_ssl_data(&ssl, buf, len);
|
|
|
|
len = sprintf((char *) buf, "\r\n.\r\n");
|
|
ret = write_ssl_and_get_response(&ssl, buf, len);
|
|
if (ret < 200 || ret > 299) {
|
|
mbedtls_printf(" failed\n ! server responded with %d\n\n", ret);
|
|
goto exit;
|
|
}
|
|
|
|
mbedtls_printf(" ok\n");
|
|
|
|
mbedtls_ssl_close_notify(&ssl);
|
|
|
|
exit_code = MBEDTLS_EXIT_SUCCESS;
|
|
|
|
exit:
|
|
|
|
mbedtls_net_free(&server_fd);
|
|
mbedtls_x509_crt_free(&clicert);
|
|
mbedtls_x509_crt_free(&cacert);
|
|
mbedtls_pk_free(&pkey);
|
|
mbedtls_ssl_free(&ssl);
|
|
mbedtls_ssl_config_free(&conf);
|
|
mbedtls_ctr_drbg_free(&ctr_drbg);
|
|
mbedtls_entropy_free(&entropy);
|
|
mbedtls_psa_crypto_free();
|
|
|
|
mbedtls_exit(exit_code);
|
|
}
|
|
#endif /* MBEDTLS_BIGNUM_C && MBEDTLS_ENTROPY_C && MBEDTLS_SSL_TLS_C &&
|
|
MBEDTLS_SSL_CLI_C && MBEDTLS_NET_C && MBEDTLS_RSA_C **
|
|
MBEDTLS_CTR_DRBG_C */
|