#endif
OPT_SSL3, OPT_SSL_CONFIG,
OPT_TLS1_3, OPT_TLS1_2, OPT_TLS1_1, OPT_TLS1, OPT_DTLS, OPT_DTLS1,
- OPT_DTLS1_2, OPT_SCTP, OPT_TIMEOUT, OPT_MTU, OPT_KEYFORM, OPT_PASS,
- OPT_CERT_CHAIN, OPT_KEY, OPT_RECONNECT, OPT_BUILD_CHAIN,
+ OPT_DTLS1_2, OPT_QUIC, OPT_SCTP, OPT_TIMEOUT, OPT_MTU, OPT_KEYFORM,
+ OPT_PASS, OPT_CERT_CHAIN, OPT_KEY, OPT_RECONNECT, OPT_BUILD_CHAIN,
OPT_NEXTPROTONEG, OPT_ALPN,
OPT_CAPATH, OPT_NOCAPATH, OPT_CHAINCAPATH, OPT_VERIFYCAPATH,
OPT_CAFILE, OPT_NOCAFILE, OPT_CHAINCAFILE, OPT_VERIFYCAFILE,
#endif
#ifndef OPENSSL_NO_DTLS
{"dtls", OPT_DTLS, '-', "Use any version of DTLS"},
+ {"quic", OPT_QUIC, '-', "Use QUIC"},
{"timeout", OPT_TIMEOUT, '-',
"Enable send/receive timeout on DTLS connections"},
{"mtu", OPT_MTU, 'p', "Set the link layer MTU"},
#define IS_PROT_FLAG(o) \
(o == OPT_SSL3 || o == OPT_TLS1 || o == OPT_TLS1_1 || o == OPT_TLS1_2 \
- || o == OPT_TLS1_3 || o == OPT_DTLS || o == OPT_DTLS1 || o == OPT_DTLS1_2)
+ || o == OPT_TLS1_3 || o == OPT_DTLS || o == OPT_DTLS1 || o == OPT_DTLS1_2 \
+ || o == OPT_QUIC)
/* Free |*dest| and optionally set it to a copy of |source|. */
static void freeandcopy(char **dest, const char *source)
int socket_family = AF_UNSPEC, socket_type = SOCK_STREAM, protocol = 0;
int starttls_proto = PROTO_OFF, crl_format = FORMAT_UNDEF, crl_download = 0;
int write_tty, read_tty, write_ssl, read_ssl, tty_on, ssl_pending;
+ int first_loop;
#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS)
int at_eof = 0;
#endif
#endif
BIO *bio_c_msg = NULL;
const char *keylog_file = NULL, *early_data_file = NULL;
-#ifndef OPENSSL_NO_DTLS
int isdtls = 0;
-#endif
+ int isquic = 0;
char *psksessf = NULL;
int enable_pha = 0;
int enable_client_rpk = 0;
int enable_ktls = 0;
#endif
int tfo = 0;
- BIO_ADDR *tfo_addr = NULL;
+ BIO_ADDR *peer_addr = NULL;
struct user_data_st user_data;
FD_ZERO(&readfds);
socket_type = SOCK_STREAM;
#ifndef OPENSSL_NO_DTLS
isdtls = 0;
+#endif
+#ifndef OPENSS_NO_QUIC
+ isquic = 0;
#endif
break;
case OPT_TLS1_3:
socket_type = SOCK_STREAM;
#ifndef OPENSSL_NO_DTLS
isdtls = 0;
+#endif
+#ifndef OPENSS_NO_QUIC
+ isquic = 0;
#endif
break;
case OPT_TLS1_2:
socket_type = SOCK_STREAM;
#ifndef OPENSSL_NO_DTLS
isdtls = 0;
+#endif
+#ifndef OPENSS_NO_QUIC
+ isquic = 0;
#endif
break;
case OPT_TLS1_1:
socket_type = SOCK_STREAM;
#ifndef OPENSSL_NO_DTLS
isdtls = 0;
+#endif
+#ifndef OPENSS_NO_QUIC
+ isquic = 0;
#endif
break;
case OPT_TLS1:
socket_type = SOCK_STREAM;
#ifndef OPENSSL_NO_DTLS
isdtls = 0;
+#endif
+#ifndef OPENSS_NO_QUIC
+ isquic = 0;
#endif
break;
case OPT_DTLS:
meth = DTLS_client_method();
socket_type = SOCK_DGRAM;
isdtls = 1;
+# ifndef OPENSS_NO_QUIC
+ isquic = 0;
+# endif
#endif
break;
case OPT_DTLS1:
max_version = DTLS1_VERSION;
socket_type = SOCK_DGRAM;
isdtls = 1;
+# ifndef OPENSS_NO_QUIC
+ isquic = 0;
+# endif
#endif
break;
case OPT_DTLS1_2:
max_version = DTLS1_2_VERSION;
socket_type = SOCK_DGRAM;
isdtls = 1;
+# ifndef OPENSS_NO_QUIC
+ isquic = 0;
+# endif
+#endif
+ break;
+ case OPT_QUIC:
+#ifndef OPENSSL_NO_QUIC
+ meth = OSSL_QUIC_client_method();
+ min_version = 0;
+ max_version = 0;
+ socket_type = SOCK_DGRAM;
+# ifndef OPENSSL_NO_DTLS
+ isdtls = 0;
+# endif
+ isquic = 1;
#endif
break;
case OPT_SCTP:
goto end;
}
#endif
+#ifndef OPENSSL_NO_QUIC
+ if (isquic && tfo) {
+ BIO_printf(bio_err, "%s: QUIC does not support the -tfo option\n", prog);
+ goto end;
+ }
+#endif
if (tfo)
BIO_printf(bio_c_out, "Connecting via TFO\n");
re_start:
if (init_client(&sock, host, port, bindhost, bindport, socket_family,
- socket_type, protocol, tfo, &tfo_addr) == 0) {
+ socket_type, protocol, tfo, !isquic, &peer_addr) == 0) {
BIO_printf(bio_err, "connect:errno=%d\n", get_last_socket_error());
BIO_closesocket(sock);
goto end;
}
BIO_printf(bio_c_out, "CONNECTED(%08X)\n", sock);
- if (c_nbio) {
+ /*
+ * QUIC always uses a non-blocking socket - and we have to switch on
+ * non-blocking mode at the SSL level
+ */
+ if (c_nbio || isquic) {
if (!BIO_socket_nbio(sock, 1)) {
ERR_print_errors(bio_err);
goto end;
}
- BIO_printf(bio_c_out, "Turned on non blocking io\n");
+ if (c_nbio) {
+ if (isquic && !SSL_set_blocking_mode(con, 0))
+ goto end;
+ BIO_printf(bio_c_out, "Turned on non blocking io\n");
+ }
}
#ifndef OPENSSL_NO_DTLS
if (isdtls) {
}
} else
#endif /* OPENSSL_NO_DTLS */
+#ifndef OPENSSL_NO_QUIC
+ if (isquic) {
+ sbio = BIO_new_dgram(sock, BIO_NOCLOSE);
+ if (!SSL_set_initial_peer_addr(con, peer_addr)) {
+ BIO_printf(bio_err, "Failed to set the inital peer address\n");
+ goto shut;
+ }
+ } else
+#endif
sbio = BIO_new_socket(sock, BIO_NOCLOSE);
if (sbio == NULL) {
}
/* Now that we're using a BIO... */
- if (tfo_addr != NULL)
- (void)BIO_set_conn_address(sbio, tfo_addr);
- if (tfo)
+ if (tfo) {
+ (void)BIO_set_conn_address(sbio, peer_addr);
(void)BIO_set_tfo(sbio, 1);
+ }
if (nbio_test) {
BIO *test;
tty_on = 0;
read_ssl = 1;
write_ssl = 1;
+ first_loop = 1;
cbuf_len = 0;
cbuf_off = 0;
FD_ZERO(&readfds);
FD_ZERO(&writefds);
- if (SSL_is_dtls(con) && DTLSv1_get_timeout(con, &timeout))
- timeoutp = &timeout;
- else
+ if ((isdtls || isquic) && SSL_get_tick_timeout(con, &timeout)) {
+ /*
+ * TODO(QUIC): The need to do this seems like an unintended
+ * consequence of the SSL_get_tick_timeout() design. You cannot
+ * call select with the returned timeout if tv_sec < 0 because it
+ * errors out. Possibly SSL_get_tick_timeout() should return 0 if
+ * tv_sec < 0 to make it easier to detect this? Or alternatively
+ * make it work the same way that DTLSv1_get_timeout() did which
+ * would make SSL_get_tick_timeout() a drop in replacement
+ */
+ if (timeout.tv_sec < 0)
+ timeoutp = NULL;
+ else
+ timeoutp = &timeout;
+ } else {
timeoutp = NULL;
+ }
if (!SSL_is_init_finished(con) && SSL_total_renegotiations(con) == 0
&& SSL_get_key_update_type(con) == SSL_KEY_UPDATE_NONE) {
openssl_fdset(fileno_stdout(), &writefds);
#endif
}
- if (read_ssl)
+
+ /*
+ * Note that for QUIC we never actually check FD_ISSET() for the
+ * underlying network fds. We just rely on select waking up when
+ * they become readable/writeable and then SSL_tick() doing the
+ * right thing.
+ */
+ if ((!isquic && read_ssl)
+ || (isquic && SSL_net_read_desired(con)))
openssl_fdset(SSL_get_fd(con), &readfds);
- if (write_ssl)
+ if ((!isquic && write_ssl)
+ || (isquic && (first_loop || SSL_net_write_desired(con))))
openssl_fdset(SSL_get_fd(con), &writefds);
#else
if (!tty_on || !write_tty) {
- if (read_ssl)
+ if ((!isquic && read_ssl)
+ || (isquic && SSL_net_read_desired(con)))
openssl_fdset(SSL_get_fd(con), &readfds);
- if (write_ssl)
+ if ((!isquic && write_ssl)
+ || (isquic && (first_loop || SSL_net_write_desired(con))))
openssl_fdset(SSL_get_fd(con), &writefds);
}
#endif
}
}
- if (SSL_is_dtls(con) && DTLSv1_handle_timeout(con) > 0)
- BIO_printf(bio_err, "TIMEOUT occurred\n");
+ if (timeoutp != NULL) {
+ SSL_tick(con);
+ if (isdtls
+ && !FD_ISSET(SSL_get_fd(con), &readfds)
+ && !FD_ISSET(SSL_get_fd(con), &writefds))
+ BIO_printf(bio_err, "TIMEOUT occurred\n");
+ }
- if (!ssl_pending && FD_ISSET(SSL_get_fd(con), &writefds)) {
+ if (!ssl_pending
+ && ((!isquic && FD_ISSET(SSL_get_fd(con), &writefds))
+ || (isquic && (cbuf_len > 0 || first_loop)))) {
k = SSL_write(con, &(cbuf[cbuf_off]), (unsigned int)cbuf_len);
switch (SSL_get_error(con, k)) {
case SSL_ERROR_NONE:
read_ssl = 1;
write_tty = 0;
}
- } else if (ssl_pending || FD_ISSET(SSL_get_fd(con), &readfds)) {
+ } else if (ssl_pending
+ || (!isquic && FD_ISSET(SSL_get_fd(con), &readfds))) {
#ifdef RENEG
{
static int iiii;
ret = 0;
goto shut;
}
- write_ssl = 1;
read_tty = 0;
}
+ first_loop = 0;
}
shut:
OPENSSL_free(srp_arg.srppassin);
#endif
OPENSSL_free(sname_alloc);
- BIO_ADDR_free(tfo_addr);
+ BIO_ADDR_free(peer_addr);
OPENSSL_free(connectstr);
OPENSSL_free(bindstr);
OPENSSL_free(bindhost);
projects / thirdparty / openssl.git / commitdiff
