New functions to check a hostname email or IP address against a

[openssl.git] / apps / s_client.c

diff --git a/apps/s_client.c b/apps/s_client.c
index 578b541b13fc147f968d764a34a4e81bb6f0bf34..5ecc957302376120f2e0fe16a91dcad649748f39 100644 (file)
--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -193,6 +193,7 @@ typedef unsigned int u_int;
 extern int verify_depth;
 extern int verify_error;
 extern int verify_return_error;
+extern int verify_quiet;
 
 #ifdef FIONBIO
 static int c_nbio=0;
@@ -220,6 +221,7 @@ static BIO *bio_c_out=NULL;
 static BIO *bio_c_msg=NULL;
 static int c_quiet=0;
 static int c_ign_eof=0;
+static int c_brief=0;
 
 #ifndef OPENSSL_NO_PSK
 /* Default PSK identity and key */
@@ -558,6 +560,8 @@ int MAIN(int, char **);
 int MAIN(int argc, char **argv)
        {
        unsigned int off=0, clr=0;
+       unsigned int cert_flags=0;
+       int build_chain = 0;
        SSL *con=NULL;
 #ifndef OPENSSL_NO_KRB5
        KSSL_CTX *kctx;
@@ -606,6 +610,8 @@ int MAIN(int argc, char **argv)
 #ifndef OPENSSL_NO_TLSEXT
        char *servername = NULL; 
        char *curves=NULL;
+       char *sigalgs=NULL;
+       char *client_sigalgs=NULL;
         tlsextctx tlsextcbp = 
         {NULL,0};
 # ifndef OPENSSL_NO_NEXTPROTONEG
@@ -626,6 +632,10 @@ int MAIN(int argc, char **argv)
        int srp_lateuser = 0;
        SRP_ARG srp_arg = {NULL,NULL,0,0,0,1024};
 #endif
+       SSL_EXCERT *exc = NULL;
+
+       unsigned char *checkhost = NULL, *checkemail = NULL;
+       char *checkip = NULL;
 
        meth=SSLv23_client_method();
 
@@ -683,7 +693,8 @@ int MAIN(int argc, char **argv)
                        verify=SSL_VERIFY_PEER;
                        if (--argc < 1) goto bad;
                        verify_depth=atoi(*(++argv));
-                       BIO_printf(bio_err,"verify depth is %d\n",verify_depth);
+                       if (!c_quiet)
+                               BIO_printf(bio_err,"verify depth is %d\n",verify_depth);
                        }
                else if (strcmp(*argv,"-cert") == 0)
                        {
@@ -713,6 +724,20 @@ int MAIN(int argc, char **argv)
                        }
                else if (strcmp(*argv,"-verify_return_error") == 0)
                        verify_return_error = 1;
+               else if (strcmp(*argv,"-verify_quiet") == 0)
+                       verify_quiet = 1;
+               else if (strcmp(*argv,"-brief") == 0)
+                       {
+                       c_brief = 1;
+                       verify_quiet = 1;
+                       c_quiet = 1;
+                       }
+               else if (args_excert(&argv, &argc, &badarg, bio_err, &exc))
+                       {
+                       if (badarg)
+                               goto bad;
+                       continue;
+                       }
                else if (strcmp(*argv,"-prexit") == 0)
                        prexit=1;
                else if (strcmp(*argv,"-crlf") == 0)
@@ -867,6 +892,8 @@ int MAIN(int argc, char **argv)
                        if (--argc < 1) goto bad;
                        CApath= *(++argv);
                        }
+               else if (strcmp(*argv,"-build_chain") == 0)
+                       build_chain = 1;
                else if (strcmp(*argv,"-CAfile") == 0)
                        {
                        if (--argc < 1) goto bad;
@@ -958,7 +985,32 @@ int MAIN(int argc, char **argv)
                        if (--argc < 1) goto bad;
                        curves= *(++argv);
                        }
+               else if (strcmp(*argv,"-sigalgs") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       sigalgs= *(++argv);
+                       }
+               else if (strcmp(*argv,"-client_sigalgs") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       client_sigalgs= *(++argv);
+                       }
 #endif
+               else if (strcmp(*argv,"-checkhost") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       checkhost=(unsigned char *)*(++argv);
+                       }
+               else if (strcmp(*argv,"-checkemail") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       checkemail=(unsigned char *)*(++argv);
+                       }
+               else if (strcmp(*argv,"-checkip") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       checkip=*(++argv);
+                       }
 #ifndef OPENSSL_NO_JPAKE
                else if (strcmp(*argv,"-jpake") == 0)
                        {
@@ -982,6 +1034,12 @@ int MAIN(int argc, char **argv)
                        keymatexportlen=atoi(*(++argv));
                        if (keymatexportlen == 0) goto bad;
                        }
+               else if (strcmp(*argv, "-cert_strict") == 0)
+                       cert_flags |= SSL_CERT_FLAG_TLS_STRICT;
+#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL
+               else if (strcmp(*argv, "-debug_broken_protocol") == 0)
+                       cert_flags |= SSL_CERT_FLAG_BROKEN_PROTCOL;
+#endif
                 else
                        {
                        BIO_printf(bio_err,"unknown option %s\n",*argv);
@@ -1087,6 +1145,9 @@ bad:
                        }
                }
 
+       if (!load_excert(&exc, bio_err))
+               goto end;
+
        if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
                && !RAND_status())
                {
@@ -1162,6 +1223,8 @@ bad:
 
        if (clr)
                SSL_CTX_clear_options(ctx, clr);
+       if (cert_flags) SSL_CTX_set_cert_flags(ctx, cert_flags);
+       if (exc) ssl_ctx_set_excert(ctx, exc);
        /* DTLS: partial reads end up discarding unread UDP bytes :-( 
         * Setting read ahead solves this problem.
         */
@@ -1185,8 +1248,6 @@ bad:
 #endif
 
        SSL_CTX_set_verify(ctx,verify,verify_callback);
-       if (!set_cert_key_stuff(ctx,cert,key, NULL))
-               goto end;
 
        if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
                (!SSL_CTX_set_default_verify_paths(ctx)))
@@ -1196,6 +1257,9 @@ bad:
                /* goto end; */
                }
 
+       if (!set_cert_key_stuff(ctx,cert,key, NULL, build_chain))
+               goto end;
+
 #ifndef OPENSSL_NO_TLSEXT
        if (curves != NULL)
                if(!SSL_CTX_set1_curves_list(ctx,curves)) {
@@ -1203,6 +1267,18 @@ bad:
                ERR_print_errors(bio_err);
                goto end;
        }
+       if (sigalgs != NULL)
+               if(!SSL_CTX_set1_sigalgs_list(ctx,sigalgs)) {
+               BIO_printf(bio_err,"error setting signature algorithms list\n");
+               ERR_print_errors(bio_err);
+               goto end;
+       }
+       if (client_sigalgs != NULL)
+               if(!SSL_CTX_set1_client_sigalgs_list(ctx,client_sigalgs)) {
+               BIO_printf(bio_err,"error setting client signature algorithms list\n");
+               ERR_print_errors(bio_err);
+               goto end;
+       }
        if (servername != NULL)
                {
                tlsextcbp.biodebug = bio_err;
@@ -1564,6 +1640,14 @@ SSL_set_tlsext_status_ids(con, ids);
                                        else 
                                                BIO_printf(bio_err, "Error writing session file %s\n", sess_out);
                                        }
+                               if (c_brief)
+                                       {
+                                       BIO_puts(bio_err,
+                                               "CONNECTION ESTABLISHED\n");
+                                       print_ssl_summary(bio_err, con);
+                                       }
+                               print_ssl_cert_checks(bio_err, con, checkhost,
+                                                       checkemail, checkip);
                                print_stuff(bio_c_out,con,full_log);
                                if (full_log > 0) full_log--;
 
@@ -1926,6 +2010,10 @@ end:
                        print_stuff(bio_c_out,con,1);
                SSL_free(con);
                }
+#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
+       if (next_proto.data)
+               OPENSSL_free(next_proto.data);
+#endif
        if (ctx != NULL) SSL_CTX_free(ctx);
        if (cert)
                X509_free(cert);
@@ -1933,6 +2021,7 @@ end:
                EVP_PKEY_free(key);
        if (pass)
                OPENSSL_free(pass);
+       ssl_excert_free(exc);
        if (cbuf != NULL) { OPENSSL_cleanse(cbuf,BUFSIZZ); OPENSSL_free(cbuf); }
        if (sbuf != NULL) { OPENSSL_cleanse(sbuf,BUFSIZZ); OPENSSL_free(sbuf); }
        if (mbuf != NULL) { OPENSSL_cleanse(mbuf,BUFSIZZ); OPENSSL_free(mbuf); }
@@ -2053,6 +2142,7 @@ static void print_stuff(BIO *bio, SSL *s, int full)
                        }
 
                ssl_print_sigalgs(bio, s);
+               ssl_print_tmp_key(bio, s);
 
                BIO_printf(bio,"---\nSSL handshake has read %ld bytes and written %ld bytes\n",
                        BIO_number_read(SSL_get_rbio(s)),