X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=apps%2Fs_client.c;h=9c852e4edac7a782d37c3d42790c9e49efcf37be;hp=5ecc957302376120f2e0fe16a91dcad649748f39;hb=66d9f2e5210b7f68c4ac9ffebedca031c05ec487;hpb=a70da5b3ecc3160368529677006801c58cb369db diff --git a/apps/s_client.c b/apps/s_client.c index 5ecc957302..9c852e4eda 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -293,6 +293,9 @@ static void sc_usage(void) BIO_printf(bio_err," -host host - use -connect instead\n"); BIO_printf(bio_err," -port port - use -connect instead\n"); BIO_printf(bio_err," -connect host:port - who to connect to (default is %s:%s)\n",SSL_HOST_NAME,PORT_STR); + BIO_printf(bio_err," -checkhost host - check peer certificate matches \"host\"\n"); + BIO_printf(bio_err," -checkemail email - check peer certificate matches \"email\"\n"); + BIO_printf(bio_err," -checkip ipaddr - check peer certificate matches \"ipaddr\"\n"); BIO_printf(bio_err," -verify arg - turn on peer certificate verification\n"); BIO_printf(bio_err," -cert arg - certificate file to use, PEM format assumed\n"); @@ -559,8 +562,6 @@ int MAIN(int, char **); int MAIN(int argc, char **argv) { - unsigned int off=0, clr=0; - unsigned int cert_flags=0; int build_chain = 0; SSL *con=NULL; #ifndef OPENSSL_NO_KRB5 @@ -579,8 +580,10 @@ int MAIN(int argc, char **argv) char *passarg = NULL, *pass = NULL; X509 *cert = NULL; EVP_PKEY *key = NULL; - char *CApath=NULL,*CAfile=NULL,*cipher=NULL; - int reconnect=0,badop=0,verify=SSL_VERIFY_NONE,bugs=0; + char *CApath=NULL,*CAfile=NULL; + char *chCApath=NULL,*chCAfile=NULL; + char *vfyCApath=NULL,*vfyCAfile=NULL; + int reconnect=0,badop=0,verify=SSL_VERIFY_NONE; int crlf=0; int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending; SSL_CTX *ctx=NULL; @@ -609,9 +612,6 @@ int MAIN(int argc, char **argv) #endif #ifndef OPENSSL_NO_TLSEXT char *servername = NULL; - char *curves=NULL; - char *sigalgs=NULL; - char *client_sigalgs=NULL; tlsextctx tlsextcbp = {NULL,0}; # ifndef OPENSSL_NO_NEXTPROTONEG @@ -636,6 +636,12 @@ int MAIN(int argc, char **argv) unsigned char *checkhost = NULL, *checkemail = NULL; char *checkip = NULL; + SSL_CONF_CTX *cctx = NULL; + STACK_OF(OPENSSL_STRING) *ssl_args = NULL; + + char *crl_file = NULL; + int crl_format = FORMAT_PEM; + STACK_OF(X509_CRL) *crls = NULL; meth=SSLv23_client_method(); @@ -652,6 +658,11 @@ int MAIN(int argc, char **argv) if (!load_config(bio_err, NULL)) goto end; + cctx = SSL_CONF_CTX_new(); + if (!cctx) + goto end; + SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT); + SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CMDLINE); if ( ((cbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) || ((sbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) || @@ -701,6 +712,11 @@ int MAIN(int argc, char **argv) if (--argc < 1) goto bad; cert_file= *(++argv); } + else if (strcmp(*argv,"-CRL") == 0) + { + if (--argc < 1) goto bad; + crl_file= *(++argv); + } else if (strcmp(*argv,"-sess_out") == 0) { if (--argc < 1) goto bad; @@ -716,6 +732,11 @@ int MAIN(int argc, char **argv) if (--argc < 1) goto bad; cert_format = str2fmt(*(++argv)); } + else if (strcmp(*argv,"-CRLform") == 0) + { + if (--argc < 1) goto bad; + crl_format = str2fmt(*(++argv)); + } else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm)) { if (badarg) @@ -738,6 +759,12 @@ int MAIN(int argc, char **argv) goto bad; continue; } + else if (args_ssl(&argv, &argc, cctx, &badarg, bio_err, &ssl_args)) + { + if (badarg) + goto bad; + continue; + } else if (strcmp(*argv,"-prexit") == 0) prexit=1; else if (strcmp(*argv,"-crlf") == 0) @@ -866,8 +893,6 @@ int MAIN(int argc, char **argv) socket_mtu = atol(*(++argv)); } #endif - else if (strcmp(*argv,"-bugs") == 0) - bugs=1; else if (strcmp(*argv,"-keyform") == 0) { if (--argc < 1) goto bad; @@ -892,6 +917,16 @@ int MAIN(int argc, char **argv) if (--argc < 1) goto bad; CApath= *(++argv); } + else if (strcmp(*argv,"-chainCApath") == 0) + { + if (--argc < 1) goto bad; + chCApath= *(++argv); + } + else if (strcmp(*argv,"-verifyCApath") == 0) + { + if (--argc < 1) goto bad; + vfyCApath= *(++argv); + } else if (strcmp(*argv,"-build_chain") == 0) build_chain = 1; else if (strcmp(*argv,"-CAfile") == 0) @@ -899,21 +934,17 @@ int MAIN(int argc, char **argv) if (--argc < 1) goto bad; CAfile= *(++argv); } - else if (strcmp(*argv,"-no_tls1_2") == 0) - off|=SSL_OP_NO_TLSv1_2; - else if (strcmp(*argv,"-no_tls1_1") == 0) - off|=SSL_OP_NO_TLSv1_1; - else if (strcmp(*argv,"-no_tls1") == 0) - off|=SSL_OP_NO_TLSv1; - else if (strcmp(*argv,"-no_ssl3") == 0) - off|=SSL_OP_NO_SSLv3; - else if (strcmp(*argv,"-no_ssl2") == 0) - off|=SSL_OP_NO_SSLv2; - else if (strcmp(*argv,"-no_comp") == 0) - { off|=SSL_OP_NO_COMPRESSION; } + else if (strcmp(*argv,"-chainCAfile") == 0) + { + if (--argc < 1) goto bad; + chCAfile= *(++argv); + } + else if (strcmp(*argv,"-verifyCAfile") == 0) + { + if (--argc < 1) goto bad; + vfyCAfile= *(++argv); + } #ifndef OPENSSL_NO_TLSEXT - else if (strcmp(*argv,"-no_ticket") == 0) - { off|=SSL_OP_NO_TICKET; } # ifndef OPENSSL_NO_NEXTPROTONEG else if (strcmp(*argv,"-nextprotoneg") == 0) { @@ -922,19 +953,6 @@ int MAIN(int argc, char **argv) } # endif #endif - else if (strcmp(*argv,"-serverpref") == 0) - off|=SSL_OP_CIPHER_SERVER_PREFERENCE; - else if (strcmp(*argv,"-legacy_renegotiation") == 0) - off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION; - else if (strcmp(*argv,"-legacy_server_connect") == 0) - { off|=SSL_OP_LEGACY_SERVER_CONNECT; } - else if (strcmp(*argv,"-no_legacy_server_connect") == 0) - { clr|=SSL_OP_LEGACY_SERVER_CONNECT; } - else if (strcmp(*argv,"-cipher") == 0) - { - if (--argc < 1) goto bad; - cipher= *(++argv); - } #ifdef FIONBIO else if (strcmp(*argv,"-nbio") == 0) { c_nbio=1; } @@ -980,21 +998,6 @@ int MAIN(int argc, char **argv) servername= *(++argv); /* meth=TLSv1_client_method(); */ } - else if (strcmp(*argv,"-curves") == 0) - { - if (--argc < 1) goto bad; - curves= *(++argv); - } - else if (strcmp(*argv,"-sigalgs") == 0) - { - if (--argc < 1) goto bad; - sigalgs= *(++argv); - } - else if (strcmp(*argv,"-client_sigalgs") == 0) - { - if (--argc < 1) goto bad; - client_sigalgs= *(++argv); - } #endif else if (strcmp(*argv,"-checkhost") == 0) { @@ -1034,12 +1037,6 @@ int MAIN(int argc, char **argv) keymatexportlen=atoi(*(++argv)); if (keymatexportlen == 0) goto bad; } - else if (strcmp(*argv, "-cert_strict") == 0) - cert_flags |= SSL_CERT_FLAG_TLS_STRICT; -#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL - else if (strcmp(*argv, "-debug_broken_protocol") == 0) - cert_flags |= SSL_CERT_FLAG_BROKEN_PROTCOL; -#endif else { BIO_printf(bio_err,"unknown option %s\n",*argv); @@ -1145,6 +1142,26 @@ bad: } } + if (crl_file) + { + X509_CRL *crl; + crl = load_crl(crl_file, crl_format); + if (!crl) + { + BIO_puts(bio_err, "Error loading CRL\n"); + ERR_print_errors(bio_err); + goto end; + } + crls = sk_X509_CRL_new_null(); + if (!crls || !sk_X509_CRL_push(crls, crl)) + { + BIO_puts(bio_err, "Error adding CRL\n"); + ERR_print_errors(bio_err); + X509_CRL_free(crl); + goto end; + } + } + if (!load_excert(&exc, bio_err)) goto end; @@ -1159,9 +1176,11 @@ bad: if (bio_c_out == NULL) { - if (c_quiet && !c_debug && !c_msg) + if (c_quiet && !c_debug) { bio_c_out=BIO_new(BIO_s_null()); + if (c_msg && !bio_c_msg) + bio_c_msg=BIO_new_fp(stdout,BIO_NOCLOSE); } else { @@ -1188,6 +1207,19 @@ bad: if (vpm) SSL_CTX_set1_param(ctx, vpm); + if (!args_ssl_call(ctx, bio_err, cctx, ssl_args, 1)) + { + ERR_print_errors(bio_err); + goto end; + } + + if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile, crls)) + { + BIO_printf(bio_err, "Error loading store locations\n"); + ERR_print_errors(bio_err); + goto end; + } + #ifndef OPENSSL_NO_ENGINE if (ssl_client_engine) { @@ -1216,14 +1248,6 @@ bad: if (srtp_profiles != NULL) SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles); #endif - if (bugs) - SSL_CTX_set_options(ctx,SSL_OP_ALL|off); - else - SSL_CTX_set_options(ctx,off); - - if (clr) - SSL_CTX_clear_options(ctx, clr); - if (cert_flags) SSL_CTX_set_cert_flags(ctx, cert_flags); if (exc) ssl_ctx_set_excert(ctx, exc); /* DTLS: partial reads end up discarding unread UDP bytes :-( * Setting read ahead solves this problem. @@ -1236,12 +1260,6 @@ bad: #endif if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback); - if (cipher != NULL) - if(!SSL_CTX_set_cipher_list(ctx,cipher)) { - BIO_printf(bio_err,"error setting cipher list\n"); - ERR_print_errors(bio_err); - goto end; - } #if 0 else SSL_CTX_set_cipher_list(ctx,getenv("SSL_CIPHER")); @@ -1257,28 +1275,12 @@ bad: /* goto end; */ } + ssl_ctx_add_crls(ctx, crls); + if (!set_cert_key_stuff(ctx,cert,key, NULL, build_chain)) goto end; #ifndef OPENSSL_NO_TLSEXT - if (curves != NULL) - if(!SSL_CTX_set1_curves_list(ctx,curves)) { - BIO_printf(bio_err,"error setting curve list\n"); - ERR_print_errors(bio_err); - goto end; - } - if (sigalgs != NULL) - if(!SSL_CTX_set1_sigalgs_list(ctx,sigalgs)) { - BIO_printf(bio_err,"error setting signature algorithms list\n"); - ERR_print_errors(bio_err); - goto end; - } - if (client_sigalgs != NULL) - if(!SSL_CTX_set1_client_sigalgs_list(ctx,client_sigalgs)) { - BIO_printf(bio_err,"error setting client signature algorithms list\n"); - ERR_print_errors(bio_err); - goto end; - } if (servername != NULL) { tlsextcbp.biodebug = bio_err; @@ -1910,7 +1912,10 @@ printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240 break; case SSL_ERROR_SYSCALL: ret=get_last_socket_error(); - BIO_printf(bio_err,"read:errno=%d\n",ret); + if (ret == 0 && c_brief) + BIO_puts(bio_err, "CONNECTION CLOSED BY SERVER\n"); + else + BIO_printf(bio_err,"read:errno=%d\n",ret); goto shut; case SSL_ERROR_ZERO_RETURN: BIO_printf(bio_c_out,"closed\n"); @@ -2017,11 +2022,19 @@ end: if (ctx != NULL) SSL_CTX_free(ctx); if (cert) X509_free(cert); + if (crls) + sk_X509_CRL_pop_free(crls, X509_CRL_free); if (key) EVP_PKEY_free(key); if (pass) OPENSSL_free(pass); + if (vpm) + X509_VERIFY_PARAM_free(vpm); ssl_excert_free(exc); + if (ssl_args) + sk_OPENSSL_STRING_free(ssl_args); + if (cctx) + SSL_CONF_CTX_free(cctx); if (cbuf != NULL) { OPENSSL_cleanse(cbuf,BUFSIZZ); OPENSSL_free(cbuf); } if (sbuf != NULL) { OPENSSL_cleanse(sbuf,BUFSIZZ); OPENSSL_free(sbuf); } if (mbuf != NULL) { OPENSSL_cleanse(mbuf,BUFSIZZ); OPENSSL_free(mbuf); }