[openssl-commits] [openssl] master update
Andy Polyakov
appro at openssl.org
Mon Feb 19 22:04:24 UTC 2018
The branch master has been updated
via ebc0168384e9bbc29c02b85adb01036609769761 (commit)
from b383aa2081467e8d49c3362d295da7bd5cb4e1d8 (commit)
- Log -----------------------------------------------------------------
commit ebc0168384e9bbc29c02b85adb01036609769761
Author: John Hughes <john at atlantech.com>
Date: Thu Feb 8 10:49:02 2018 +0100
Add BIO_bind function to bind local address for a socket.
Add -bind option to s_client application to allow specification of
local address for connection.
Reviewed-by: Andy Polyakov <appro at openssl.org>
Reviewed-by: Rich Salz <rsalz at openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5272)
-----------------------------------------------------------------------
Summary of changes:
apps/s_apps.h | 1 +
apps/s_client.c | 26 +++++++++++++++---
apps/s_socket.c | 49 ++++++++++++++++++++++++++++++++++
crypto/bio/b_sock2.c | 69 +++++++++++++++++++++++++++++++++++-------------
crypto/bio/bio_err.c | 1 +
crypto/err/openssl.txt | 1 +
doc/man1/s_client.pod | 10 +++++++
doc/man3/BIO_connect.pod | 11 +++++---
include/openssl/bio.h | 1 +
include/openssl/bioerr.h | 1 +
util/libcrypto.num | 1 +
11 files changed, 145 insertions(+), 26 deletions(-)
diff --git a/apps/s_apps.h b/apps/s_apps.h
index 6ee2b0c..fbffd86 100644
--- a/apps/s_apps.h
+++ b/apps/s_apps.h
@@ -38,6 +38,7 @@ int ssl_print_groups(BIO *out, SSL *s, int noshared);
#endif
int ssl_print_tmp_key(BIO *out, SSL *s);
int init_client(int *sock, const char *host, const char *port,
+ const char *bindhost, const char *bindport,
int family, int type, int protocol);
int should_retry(int i);
diff --git a/apps/s_client.c b/apps/s_client.c
index eca0a4a..a319d21 100644
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -570,7 +570,7 @@ static int tlsa_import_rrset(SSL *con, STACK_OF(OPENSSL_STRING) *rrset)
typedef enum OPTION_choice {
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
- OPT_4, OPT_6, OPT_HOST, OPT_PORT, OPT_CONNECT, OPT_UNIX,
+ OPT_4, OPT_6, OPT_HOST, OPT_PORT, OPT_CONNECT, OPT_BIND, OPT_UNIX,
OPT_XMPPHOST, OPT_VERIFY, OPT_NAMEOPT,
OPT_CERT, OPT_CRL, OPT_CRL_DOWNLOAD, OPT_SESS_OUT, OPT_SESS_IN,
OPT_CERTFORM, OPT_CRLFORM, OPT_VERIFY_RET_ERROR, OPT_VERIFY_QUIET,
@@ -612,6 +612,7 @@ const OPTIONS s_client_options[] = {
{"port", OPT_PORT, 'p', "Use -connect instead"},
{"connect", OPT_CONNECT, 's',
"TCP/IP where to connect (default is :" PORT ")"},
+ {"bind", OPT_BIND, 's', "bind local address for connection"},
{"proxy", OPT_PROXY, 's',
"Connect to via specified proxy to the real server"},
#ifdef AF_UNIX
@@ -884,10 +885,11 @@ int s_client_main(int argc, char **argv)
const SSL_METHOD *meth = TLS_client_method();
const char *CApath = NULL, *CAfile = NULL;
char *cbuf = NULL, *sbuf = NULL;
- char *mbuf = NULL, *proxystr = NULL, *connectstr = NULL;
+ char *mbuf = NULL, *proxystr = NULL, *connectstr = NULL, *bindstr = NULL;
char *cert_file = NULL, *key_file = NULL, *chain_file = NULL;
char *chCApath = NULL, *chCAfile = NULL, *host = NULL;
char *port = OPENSSL_strdup(PORT);
+ char *bindhost = NULL, *bindport = NULL;
char *passarg = NULL, *pass = NULL, *vfyCApath = NULL, *vfyCAfile = NULL;
char *ReqCAfile = NULL;
char *sess_in = NULL, *crl_file = NULL, *p;
@@ -1053,6 +1055,9 @@ int s_client_main(int argc, char **argv)
connect_type = use_inet;
freeandcopy(&connectstr, opt_arg());
break;
+ case OPT_BIND:
+ freeandcopy(&bindstr, opt_arg());
+ break;
case OPT_PROXY:
proxystr = opt_arg();
starttls_proto = PROTO_CONNECT;
@@ -1554,6 +1559,18 @@ int s_client_main(int argc, char **argv)
}
}
+ if (bindstr != NULL) {
+ int res;
+ res = BIO_parse_hostserv(bindstr, &bindhost, &bindport,
+ BIO_PARSE_PRIO_HOST);
+ if (!res) {
+ BIO_printf(bio_err,
+ "%s: -bind argument parameter malformed or ambiguous\n",
+ prog);
+ goto end;
+ }
+ }
+
#ifdef AF_UNIX
if (socket_family == AF_UNIX && socket_type != SOCK_STREAM) {
BIO_printf(bio_err,
@@ -1976,8 +1993,8 @@ int s_client_main(int argc, char **argv)
}
re_start:
- if (init_client(&s, host, port, socket_family, socket_type, protocol)
- == 0) {
+ if (init_client(&s, host, port, bindhost, bindport, socket_family,
+ socket_type, protocol) == 0) {
BIO_printf(bio_err, "connect:errno=%d\n", get_last_socket_error());
BIO_closesocket(s);
goto end;
@@ -3082,6 +3099,7 @@ int s_client_main(int argc, char **argv)
OPENSSL_free(srp_arg.srppassin);
#endif
OPENSSL_free(connectstr);
+ OPENSSL_free(bindstr);
OPENSSL_free(host);
OPENSSL_free(port);
X509_VERIFY_PARAM_free(vpm);
diff --git a/apps/s_socket.c b/apps/s_socket.c
index 485b419..4b82011 100644
--- a/apps/s_socket.c
+++ b/apps/s_socket.c
@@ -43,6 +43,8 @@ BIO_ADDR *ourpeer = NULL;
* @sock: pointer to storage of resulting socket.
* @host: the host name or path (for AF_UNIX) to connect to.
* @port: the port to connect to (ignored for AF_UNIX).
+ * @bindhost: source host or path (for AF_UNIX).
+ * @bindport: source port (ignored for AF_UNIX).
* @family: desired socket family, may be AF_INET, AF_INET6, AF_UNIX or
* AF_UNSPEC
* @type: socket type, must be SOCK_STREAM or SOCK_DGRAM
@@ -58,10 +60,14 @@ BIO_ADDR *ourpeer = NULL;
* Returns 1 on success, 0 on failure.
*/
int init_client(int *sock, const char *host, const char *port,
+ const char *bindhost, const char *bindport,
int family, int type, int protocol)
{
BIO_ADDRINFO *res = NULL;
+ BIO_ADDRINFO *bindaddr = NULL;
const BIO_ADDRINFO *ai = NULL;
+ const BIO_ADDRINFO *bi = NULL;
+ int found = 0;
int ret;
if (BIO_sock_init() != 1)
@@ -74,6 +80,15 @@ int init_client(int *sock, const char *host, const char *port,
return 0;
}
+ if (bindhost != NULL || bindport != NULL) {
+ ret = BIO_lookup_ex(bindhost, bindport, BIO_LOOKUP_CLIENT,
+ family, type, protocol, &bindaddr);
+ if (ret == 0) {
+ ERR_print_errors (bio_err);
+ goto out;
+ }
+ }
+
ret = 0;
for (ai = res; ai != NULL; ai = BIO_ADDRINFO_next(ai)) {
/* Admittedly, these checks are quite paranoid, we should not get
@@ -85,6 +100,16 @@ int init_client(int *sock, const char *host, const char *port,
&& (protocol == 0
|| protocol == BIO_ADDRINFO_protocol(ai)));
+ if (bindaddr != NULL) {
+ for (bi = bindaddr; bi != NULL; bi = BIO_ADDRINFO_next(bi)) {
+ if (BIO_ADDRINFO_family(bi) == BIO_ADDRINFO_family(ai))
+ break;
+ }
+ if (bi == NULL)
+ continue;
+ ++found;
+ }
+
*sock = BIO_socket(BIO_ADDRINFO_family(ai), BIO_ADDRINFO_socktype(ai),
BIO_ADDRINFO_protocol(ai), 0);
if (*sock == INVALID_SOCKET) {
@@ -94,6 +119,15 @@ int init_client(int *sock, const char *host, const char *port,
continue;
}
+ if (bi != NULL) {
+ if (!BIO_bind(*sock, BIO_ADDRINFO_address(bi),
+ BIO_SOCK_REUSEADDR)) {
+ BIO_closesocket(*sock);
+ *sock = INVALID_SOCKET;
+ break;
+ }
+ }
+
#ifndef OPENSSL_NO_SCTP
if (protocol == IPPROTO_SCTP) {
/*
@@ -123,12 +157,27 @@ int init_client(int *sock, const char *host, const char *port,
}
if (*sock == INVALID_SOCKET) {
+ if (bindaddr != NULL && !found) {
+ BIO_printf(bio_err, "Can't bind %saddress for %s%s%s\n",
+ BIO_ADDRINFO_family(res) == AF_INET6 ? "IPv6 " :
+ BIO_ADDRINFO_family(res) == AF_INET ? "IPv4 " :
+ BIO_ADDRINFO_family(res) == AF_UNIX ? "unix " : "",
+ bindhost != NULL ? bindhost : "",
+ bindport != NULL ? ":" : "",
+ bindport != NULL ? bindport : "");
+ ERR_clear_error();
+ ret = 0;
+ }
ERR_print_errors(bio_err);
} else {
/* Remove any stale errors from previous connection attempts */
ERR_clear_error();
ret = 1;
}
+out:
+ if (bindaddr != NULL) {
+ BIO_ADDRINFO_free (bindaddr);
+ }
BIO_ADDRINFO_free(res);
return ret;
}
diff --git a/crypto/bio/b_sock2.c b/crypto/bio/b_sock2.c
index 12a3b36..823732d 100644
--- a/crypto/bio/b_sock2.c
+++ b/crypto/bio/b_sock2.c
@@ -116,6 +116,55 @@ int BIO_connect(int sock, const BIO_ADDR *addr, int options)
}
/*-
+ * BIO_bind - bind socket to address
+ * @sock: the socket to set
+ * @addr: local address to bind to
+ * @options: BIO socket options
+ *
+ * Binds to the address using the given socket and options.
+ *
+ * Options can be a combination of the following:
+ * - BIO_SOCK_REUSEADDR: Try to reuse the address and port combination
+ * for a recently closed port.
+ *
+ * When restarting the program it could be that the port is still in use. If
+ * you set to BIO_SOCK_REUSEADDR option it will try to reuse the port anyway.
+ * It's recommended that you use this.
+ */
+int BIO_bind(int sock, const BIO_ADDR *addr, int options)
+{
+ int on = 1;
+
+ if (sock == -1) {
+ BIOerr(BIO_F_BIO_BIND, BIO_R_INVALID_SOCKET);
+ return 0;
+ }
+
+# ifndef OPENSSL_SYS_WINDOWS
+ /*
+ * SO_REUSEADDR has different behavior on Windows than on
+ * other operating systems, don't set it there.
+ */
+ if (options & BIO_SOCK_REUSEADDR) {
+ if (setsockopt(sock, SOL_SOCKET, SO_REUSEADDR,
+ (const void *)&on, sizeof(on)) != 0) {
+ SYSerr(SYS_F_SETSOCKOPT, get_last_socket_error());
+ BIOerr(BIO_F_BIO_BIND, BIO_R_UNABLE_TO_REUSEADDR);
+ return 0;
+ }
+ }
+# endif
+
+ if (bind(sock, BIO_ADDR_sockaddr(addr), BIO_ADDR_sockaddr_size(addr)) != 0) {
+ SYSerr(SYS_F_BIND, get_last_socket_error());
+ BIOerr(BIO_F_BIO_BIND, BIO_R_UNABLE_TO_BIND_SOCKET);
+ return 0;
+ }
+
+ return 1;
+}
+
+/*-
* BIO_listen - Creates a listen socket
* @sock: the socket to listen with
* @addr: local address to bind to
@@ -174,21 +223,6 @@ int BIO_listen(int sock, const BIO_ADDR *addr, int options)
if (!BIO_socket_nbio(sock, (options & BIO_SOCK_NONBLOCK) != 0))
return 0;
-# ifndef OPENSSL_SYS_WINDOWS
- /*
- * SO_REUSEADDR has different behavior on Windows than on
- * other operating systems, don't set it there.
- */
- if (options & BIO_SOCK_REUSEADDR) {
- if (setsockopt(sock, SOL_SOCKET, SO_REUSEADDR,
- (const void *)&on, sizeof(on)) != 0) {
- SYSerr(SYS_F_SETSOCKOPT, get_last_socket_error());
- BIOerr(BIO_F_BIO_LISTEN, BIO_R_UNABLE_TO_REUSEADDR);
- return 0;
- }
- }
-# endif
-
if (options & BIO_SOCK_KEEPALIVE) {
if (setsockopt(sock, SOL_SOCKET, SO_KEEPALIVE,
(const void *)&on, sizeof(on)) != 0) {
@@ -223,11 +257,8 @@ int BIO_listen(int sock, const BIO_ADDR *addr, int options)
}
# endif
- if (bind(sock, BIO_ADDR_sockaddr(addr), BIO_ADDR_sockaddr_size(addr)) != 0) {
- SYSerr(SYS_F_BIND, get_last_socket_error());
- BIOerr(BIO_F_BIO_LISTEN, BIO_R_UNABLE_TO_BIND_SOCKET);
+ if (!BIO_bind(sock, addr, options))
return 0;
- }
if (socktype != SOCK_DGRAM && listen(sock, MAX_LISTEN) == -1) {
SYSerr(SYS_F_LISTEN, get_last_socket_error());
diff --git a/crypto/bio/bio_err.c b/crypto/bio/bio_err.c
index 20f3aa1..594013d 100644
--- a/crypto/bio/bio_err.c
+++ b/crypto/bio/bio_err.c
@@ -19,6 +19,7 @@ static const ERR_STRING_DATA BIO_str_functs[] = {
{ERR_PACK(ERR_LIB_BIO, BIO_F_BIO_ACCEPT, 0), "BIO_accept"},
{ERR_PACK(ERR_LIB_BIO, BIO_F_BIO_ACCEPT_EX, 0), "BIO_accept_ex"},
{ERR_PACK(ERR_LIB_BIO, BIO_F_BIO_ADDR_NEW, 0), "BIO_ADDR_new"},
+ {ERR_PACK(ERR_LIB_BIO, BIO_F_BIO_BIND, 0), "BIO_bind"},
{ERR_PACK(ERR_LIB_BIO, BIO_F_BIO_CALLBACK_CTRL, 0), "BIO_callback_ctrl"},
{ERR_PACK(ERR_LIB_BIO, BIO_F_BIO_CONNECT, 0), "BIO_connect"},
{ERR_PACK(ERR_LIB_BIO, BIO_F_BIO_CTRL, 0), "BIO_ctrl"},
diff --git a/crypto/err/openssl.txt b/crypto/err/openssl.txt
index 43001be..9b8a03a 100644
--- a/crypto/err/openssl.txt
+++ b/crypto/err/openssl.txt
@@ -116,6 +116,7 @@ BIO_F_ADDR_STRINGS:134:addr_strings
BIO_F_BIO_ACCEPT:101:BIO_accept
BIO_F_BIO_ACCEPT_EX:137:BIO_accept_ex
BIO_F_BIO_ADDR_NEW:144:BIO_ADDR_new
+BIO_F_BIO_BIND:147:BIO_bind
BIO_F_BIO_CALLBACK_CTRL:131:BIO_callback_ctrl
BIO_F_BIO_CONNECT:138:BIO_connect
BIO_F_BIO_CTRL:103:BIO_ctrl
diff --git a/doc/man1/s_client.pod b/doc/man1/s_client.pod
index 8d8eac7..6e47140 100644
--- a/doc/man1/s_client.pod
+++ b/doc/man1/s_client.pod
@@ -10,6 +10,7 @@ s_client - SSL/TLS client program
B<openssl> B<s_client>
[B<-help>]
[B<-connect host:port>]
+[B<-bind host:port>]
[B<-proxy host:port>]
[B<-unix path>]
[B<-4>]
@@ -147,6 +148,12 @@ select the host and port using the optional target positional argument instead.
If neither this nor the target positonal argument are specified then an attempt
is made to connect to the local host on port 4433.
+=item B<-bind host:port>]
+
+This specifies the host address and or port to bind as the source for the
+connection. For Unix-domain sockets the port is ignored and the host is
+used as the source socket address.
+
=item B<-proxy host:port>
When used with the B<-connect> flag, the program uses the host and port
@@ -686,6 +693,9 @@ applications should B<not> do this as it makes them vulnerable to a MITM
attack. This behaviour can be changed by with the B<-verify_return_error>
option: any verify errors are then returned aborting the handshake.
+The B<-bind> option may be useful if the server or a firewall requires
+connections to come from some particular address and or port.
+
=head1 BUGS
Because this program has a lot of options and also because some of the
diff --git a/doc/man3/BIO_connect.pod b/doc/man3/BIO_connect.pod
index 91dcab1..454832e 100644
--- a/doc/man3/BIO_connect.pod
+++ b/doc/man3/BIO_connect.pod
@@ -2,7 +2,7 @@
=head1 NAME
-BIO_socket, BIO_connect, BIO_listen, BIO_accept_ex, BIO_closesocket - BIO
+BIO_socket, BIO_bind, BIO_connect, BIO_listen, BIO_accept_ex, BIO_closesocket - BIO
socket communication setup routines
=head1 SYNOPSIS
@@ -10,6 +10,7 @@ socket communication setup routines
#include <openssl/bio.h>
int BIO_socket(int domain, int socktype, int protocol, int options);
+ int BIO_bind(int sock, const BIO_ADDR *addr, int options);
int BIO_connect(int sock, const BIO_ADDR *addr, int options);
int BIO_listen(int sock, const BIO_ADDR *addr, int options);
int BIO_accept_ex(int accept_sock, BIO_ADDR *peer, int options);
@@ -21,6 +22,10 @@ BIO_socket() creates a socket in the domain B<domain>, of type
B<socktype> and B<protocol>. Socket B<options> are currently unused,
but is present for future use.
+BIO_bind() binds the source address and service to a socket and
+may be useful before calling BIO_connect(). The options may include
+B<BIO_SOCK_REUSADDR>, which is described in L</FLAGS> below.
+
BIO_connect() connects B<sock> to the address and service given by
B<addr>. Connection B<options> may be zero or any combination of
B<BIO_SOCK_KEEPALIVE>, B<BIO_SOCK_NONBLOCK> and B<BIO_SOCK_NODELAY>.
@@ -81,7 +86,7 @@ BIO_socket() returns the socket number on success or B<INVALID_SOCKET>
(-1) on error. When an error has occurred, the OpenSSL error stack
will hold the error data and errno has the system error.
-BIO_connect() and BIO_listen() return 1 on success or 0 on error.
+BIO_bind(), BIO_connect() and BIO_listen() return 1 on success or 0 on error.
When an error has occurred, the OpenSSL error stack will hold the error
data and errno has the system error.
@@ -102,7 +107,7 @@ L<BIO_ADDR(3)>
=head1 COPYRIGHT
-Copyright 2016 The OpenSSL Project Authors. All Rights Reserved.
+Copyright 2016-2018 The OpenSSL Project Authors. All Rights Reserved.
Licensed under the OpenSSL license (the "License"). You may not use
this file except in compliance with the License. You can obtain a copy
diff --git a/include/openssl/bio.h b/include/openssl/bio.h
index cffcd3d..c6f57f2 100644
--- a/include/openssl/bio.h
+++ b/include/openssl/bio.h
@@ -709,6 +709,7 @@ int BIO_sock_info(int sock,
int BIO_socket(int domain, int socktype, int protocol, int options);
int BIO_connect(int sock, const BIO_ADDR *addr, int options);
+int BIO_bind(int sock, const BIO_ADDR *addr, int options);
int BIO_listen(int sock, const BIO_ADDR *addr, int options);
int BIO_accept_ex(int accept_sock, BIO_ADDR *addr, int options);
int BIO_closesocket(int sock);
diff --git a/include/openssl/bioerr.h b/include/openssl/bioerr.h
index 7a552d6..4931c1d 100644
--- a/include/openssl/bioerr.h
+++ b/include/openssl/bioerr.h
@@ -24,6 +24,7 @@ int ERR_load_BIO_strings(void);
# define BIO_F_BIO_ACCEPT 101
# define BIO_F_BIO_ACCEPT_EX 137
# define BIO_F_BIO_ADDR_NEW 144
+# define BIO_F_BIO_BIND 147
# define BIO_F_BIO_CALLBACK_CTRL 131
# define BIO_F_BIO_CONNECT 138
# define BIO_F_BIO_CTRL 103
diff --git a/util/libcrypto.num b/util/libcrypto.num
index b1dd6a0..0049eab 100644
--- a/util/libcrypto.num
+++ b/util/libcrypto.num
@@ -4504,3 +4504,4 @@ RAND_DRBG_bytes 4445 1_1_1 EXIST::FUNCTION:
RAND_DRBG_secure_new 4446 1_1_1 EXIST::FUNCTION:
OSSL_STORE_vctrl 4447 1_1_1 EXIST::FUNCTION:
X509_get0_authority_key_id 4448 1_1_0h EXIST::FUNCTION:
+BIO_bind 4449 1_1_1 EXIST::FUNCTION:SOCK
More information about the openssl-commits
mailing list