From: Dmitry Belyavskiy Date: Tue, 21 Feb 2017 11:22:55 +0000 (+0300) Subject: Provided support for the -nameopt flag in s_client, s_server and s_time X-Git-Tag: OpenSSL_1_1_1-pre1~2323 X-Git-Url: https://git.openssl.org/?p=openssl.git;a=commitdiff_plain;h=a7c04f2b540cce99055326a3ab932032bdf48cf5 Provided support for the -nameopt flag in s_client, s_server and s_time commands. Reviewed-by: Richard Levitte Reviewed-by: Rich Salz (Merged from https://github.com/openssl/openssl/pull/2695) --- diff --git a/apps/s_apps.h b/apps/s_apps.h index bcca6fad9e..22b65b769a 100644 --- a/apps/s_apps.h +++ b/apps/s_apps.h @@ -69,6 +69,8 @@ int should_retry(int i); long bio_dump_callback(BIO *bio, int cmd, const char *argp, int argi, long argl, long ret); +int set_nameopt(const char *arg); + #ifdef HEADER_SSL_H void apps_ssl_info_callback(const SSL *s, int where, int ret); void msg_cb(int write_p, int version, int content_type, const void *buf, diff --git a/apps/s_cb.c b/apps/s_cb.c index 0111c24e96..89033d5ddd 100644 --- a/apps/s_cb.c +++ b/apps/s_cb.c @@ -33,6 +33,12 @@ static unsigned char cookie_secret[COOKIE_SECRET_LENGTH]; static int cookie_initialized = 0; #endif static BIO *bio_keylog = NULL; +static unsigned long nmflag = XN_FLAG_ONELINE; + +int set_nameopt(const char *arg) +{ + return set_name_ex(&nmflag, arg); +} static const char *lookup(int val, const STRINT_PAIR* list, const char* def) { @@ -56,7 +62,7 @@ int verify_callback(int ok, X509_STORE_CTX *ctx) if (err_cert) { X509_NAME_print_ex(bio_err, X509_get_subject_name(err_cert), - 0, XN_FLAG_ONELINE); + 0, nmflag); BIO_puts(bio_err, "\n"); } else BIO_puts(bio_err, "\n"); @@ -77,7 +83,7 @@ int verify_callback(int ok, X509_STORE_CTX *ctx) case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: BIO_puts(bio_err, "issuer= "); X509_NAME_print_ex(bio_err, X509_get_issuer_name(err_cert), - 0, XN_FLAG_ONELINE); + 0, nmflag); BIO_puts(bio_err, "\n"); break; case X509_V_ERR_CERT_NOT_YET_VALID: @@ -813,7 +819,7 @@ static int set_cert_cb(SSL *ssl, void *arg) rv = SSL_check_chain(ssl, exc->cert, exc->key, exc->chain); BIO_printf(bio_err, "Checking cert chain %d:\nSubject: ", i); X509_NAME_print_ex(bio_err, X509_get_subject_name(exc->cert), 0, - XN_FLAG_ONELINE); + nmflag); BIO_puts(bio_err, "\n"); print_chain_flags(ssl, rv); if (rv & CERT_PKEY_VALID) { @@ -1103,7 +1109,7 @@ void print_ssl_summary(SSL *s) BIO_puts(bio_err, "Peer certificate: "); X509_NAME_print_ex(bio_err, X509_get_subject_name(peer), - 0, XN_FLAG_ONELINE); + 0, nmflag); BIO_puts(bio_err, "\n"); if (SSL_get_peer_signature_nid(s, &nid)) BIO_printf(bio_err, "Hash used: %s\n", OBJ_nid2sn(nid)); diff --git a/apps/s_client.c b/apps/s_client.c index 7d6eb02515..4db3748f30 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -524,7 +524,7 @@ static int tlsa_import_rrset(SSL *con, STACK_OF(OPENSSL_STRING) *rrset) typedef enum OPTION_choice { OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, OPT_4, OPT_6, OPT_HOST, OPT_PORT, OPT_CONNECT, OPT_UNIX, - OPT_XMPPHOST, OPT_VERIFY, + OPT_XMPPHOST, OPT_VERIFY, OPT_NAMEOPT, OPT_CERT, OPT_CRL, OPT_CRL_DOWNLOAD, OPT_SESS_OUT, OPT_SESS_IN, OPT_CERTFORM, OPT_CRLFORM, OPT_VERIFY_RET_ERROR, OPT_VERIFY_QUIET, OPT_BRIEF, OPT_PREXIT, OPT_CRLF, OPT_QUIET, OPT_NBIO, @@ -579,6 +579,7 @@ const OPTIONS s_client_options[] = { {"cert", OPT_CERT, '<', "Certificate file to use, PEM format assumed"}, {"certform", OPT_CERTFORM, 'F', "Certificate format (PEM or DER) PEM default"}, + {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"}, {"key", OPT_KEY, 's', "Private key file to use, if not in -cert file"}, {"keyform", OPT_KEYFORM, 'E', "Key format (PEM, DER or engine) PEM default"}, {"pass", OPT_PASS, 's', "Private key file pass phrase source"}, @@ -1013,6 +1014,10 @@ int s_client_main(int argc, char **argv) case OPT_CERT: cert_file = opt_arg(); break; + case OPT_NAMEOPT: + if (!set_nameopt(opt_arg())) + goto end; + break; case OPT_CRL: crl_file = opt_arg(); break; diff --git a/apps/s_server.c b/apps/s_server.c index dba7b67709..6d35cb893f 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -699,7 +699,7 @@ static char *srtp_profiles = NULL; typedef enum OPTION_choice { OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, OPT_ENGINE, OPT_4, OPT_6, OPT_ACCEPT, OPT_PORT, OPT_UNIX, OPT_UNLINK, OPT_NACCEPT, - OPT_VERIFY, OPT_UPPER_V_VERIFY, OPT_CONTEXT, OPT_CERT, OPT_CRL, + OPT_VERIFY, OPT_NAMEOPT, OPT_UPPER_V_VERIFY, OPT_CONTEXT, OPT_CERT, OPT_CRL, OPT_CRL_DOWNLOAD, OPT_SERVERINFO, OPT_CERTFORM, OPT_KEY, OPT_KEYFORM, OPT_PASS, OPT_CERT_CHAIN, OPT_DHPARAM, OPT_DCERTFORM, OPT_DCERT, OPT_DKEYFORM, OPT_DPASS, OPT_DKEY, OPT_DCERT_CHAIN, OPT_NOCERT, @@ -744,6 +744,7 @@ const OPTIONS s_server_options[] = { {"Verify", OPT_UPPER_V_VERIFY, 'n', "Turn on peer certificate verification, must have a cert"}, {"cert", OPT_CERT, '<', "Certificate file to use; default is " TEST_CERT}, + {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"}, {"naccept", OPT_NACCEPT, 'p', "Terminate after #num connections"}, {"serverinfo", OPT_SERVERINFO, 's', "PEM serverinfo file for certificate"}, @@ -1127,6 +1128,10 @@ int s_server_main(int argc, char *argv[]) case OPT_CERT: s_cert_file = opt_arg(); break; + case OPT_NAMEOPT: + if (!set_nameopt(opt_arg())) + goto end; + break; case OPT_CRL: crl_file = opt_arg(); break; diff --git a/apps/s_time.c b/apps/s_time.c index 315f69d613..998ef72b88 100644 --- a/apps/s_time.c +++ b/apps/s_time.c @@ -53,7 +53,7 @@ static const char fmt_http_get_cmd[] = "GET %s HTTP/1.0\r\n\r\n"; typedef enum OPTION_choice { OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, - OPT_CONNECT, OPT_CIPHER, OPT_CERT, OPT_KEY, OPT_CAPATH, + OPT_CONNECT, OPT_CIPHER, OPT_CERT, OPT_NAMEOPT, OPT_KEY, OPT_CAPATH, OPT_CAFILE, OPT_NOCAPATH, OPT_NOCAFILE, OPT_NEW, OPT_REUSE, OPT_BUGS, OPT_VERIFY, OPT_TIME, OPT_SSL3, OPT_WWW @@ -65,6 +65,7 @@ const OPTIONS s_time_options[] = { "Where to connect as post:port (default is " SSL_CONNECT_NAME ")"}, {"cipher", OPT_CIPHER, 's', "Cipher to use, see 'openssl ciphers'"}, {"cert", OPT_CERT, '<', "Cert file to use, PEM format assumed"}, + {"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"}, {"key", OPT_KEY, '<', "File with key, PEM; default is -cert file"}, {"CApath", OPT_CAPATH, '/', "PEM format directory of CA's"}, {"cafile", OPT_CAFILE, '<', "PEM format file of CA's"}, @@ -141,6 +142,10 @@ int s_time_main(int argc, char **argv) case OPT_CERT: certfile = opt_arg(); break; + case OPT_NAMEOPT: + if (!set_nameopt(opt_arg())) + goto end; + break; case OPT_KEY: keyfile = opt_arg(); break; diff --git a/doc/man1/s_client.pod b/doc/man1/s_client.pod index c4da79fda4..290b515b2d 100644 --- a/doc/man1/s_client.pod +++ b/doc/man1/s_client.pod @@ -50,6 +50,7 @@ B B [B<-no_alt_chains>] [B<-use_deltas>] [B<-auth_level num>] +[B<-nameopt option>] [B<-verify_depth num>] [B<-verify_email email>] [B<-verify_hostname hostname>] @@ -187,6 +188,13 @@ will never fail due to a server certificate verify failure. Return verification errors instead of continuing. This will typically abort the handshake with a fatal error. +=item B<-nameopt option> + +option which determines how the subject or issuer names are displayed. The +B