Add ONC RPC support for starttls

As currently defined by draft-ietf-nfsv4-rpc-tls-11, enable s_client to send appropriate STARTTLS verifier. Signed-off-by: Benjamin Coddington <bcodding@redhat.com>
bcodding · Oct 14, 2021 · 9bf2c4d · 9bf2c4d
1 parent f087ebc
commit 9bf2c4d
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 2 deletions.
diff --git a/apps/s_client.c b/apps/s_client.c
@@ -714,7 +714,8 @@ typedef enum PROTOCOL_choice {
     PROTO_LMTP,
     PROTO_NNTP,
     PROTO_SIEVE,
-    PROTO_LDAP
+    PROTO_LDAP,
+    PROTO_RPC
 } PROTOCOL_CHOICE;
 
 static const OPT_PAIR services[] = {
@@ -732,6 +733,7 @@ static const OPT_PAIR services[] = {
     {"nntp", PROTO_NNTP},
     {"sieve", PROTO_SIEVE},
     {"ldap", PROTO_LDAP},
+    {"rpc", PROTO_RPC},
     {NULL, 0}
 };
 
@@ -2633,6 +2635,37 @@ int s_client_main(int argc, char **argv)
             mbuf_len = 0;
         }
         break;
+    case PROTO_RPC:
+        {
+            static const unsigned char rpc_null[] = {
+              /* lastfrag:1 length: 40  xid: 1234  */
+                0x80, 0x00, 0x00, 0x28, 0x01, 0x02, 0x03, 0x04,
+              /* msg_type: CALL         rpcvers: 2 */
+                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x02,
+              /* prog: NFS              prog version: 4 */
+                0x00, 0x01, 0x86, 0xa3, 0x00, 0x00, 0x00, 0x04,
+              /* proc: NULL */
+                0x00, 0x00, 0x00, 0x00,
+              /* auth flavor: AUTH_TLS  auth length: 0 */
+                0x00, 0x00, 0x00, 0x07, 0x00, 0x00, 0x00, 0x00,
+              /* verf flavor: AUTH_NONE verf length: 0 */
+                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
+            };
+            static const unsigned char verf_tls[] = {
+              /* verf flavor: AUTH_NONE verf length: 8 */
+                0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x08,
+              /* verf opaque: STARTTLS */
+                0x53, 0x54, 0x41, 0x52, 0x54, 0x54, 0x4c, 0x53,
+            };
+
+            int bytes;
+            BIO_write(sbio, rpc_null, 44);
+            (void)BIO_flush(sbio);
+            bytes = BIO_read(sbio, mbuf, BUFSIZZ);
+            if (bytes != 36 || memcmp(mbuf+16, verf_tls, 16) != 0)
+                goto shut;
+        }
+        break;
     }
 
     if (early_data_file != NULL

diff --git a/doc/man1/openssl-s_client.pod.in b/doc/man1/openssl-s_client.pod.in
@@ -642,7 +642,7 @@ colon (":") separated list of TLSv1.3 ciphersuite names.
 Send the protocol-specific message(s) to switch to TLS for communication.
 I<protocol> is a keyword for the intended protocol.  Currently, the only
 supported keywords are "smtp", "pop3", "imap", "ftp", "xmpp", "xmpp-server",
-"irc", "postgres", "mysql", "lmtp", "nntp", "sieve" and "ldap".
+"irc", "postgres", "mysql", "lmtp", "nntp", "sieve", "ldap", and "rpc".
 
 =item B<-xmpphost> I<hostname>