commit missing apps code for reneg fix
[openssl.git] / apps / s_client.c
index dcc289b7988783378f8e937ccf93528e8d37071c..a4be63a1148186e631ad5f3abc95e446b7247ad3 100644 (file)
@@ -237,7 +237,7 @@ static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity,
                BIO_printf(bio_c_out, "Received PSK identity hint '%s'\n", hint);
 
        /* lookup PSK identity and PSK key based on the given identity hint here */
-       ret = BIO_snprintf(identity, max_identity_len, psk_identity);
+       ret = BIO_snprintf(identity, max_identity_len, "%s", psk_identity);
        if (ret < 0 || (unsigned int)ret > max_identity_len)
                goto out_err;
        if (c_debug)
@@ -320,7 +320,7 @@ static void sc_usage(void)
        BIO_printf(bio_err," -ssl3         - just use SSLv3\n");
        BIO_printf(bio_err," -tls1         - just use TLSv1\n");
        BIO_printf(bio_err," -dtls1        - just use DTLSv1\n");    
-       BIO_printf(bio_err," -mtu          - set the MTU\n");
+       BIO_printf(bio_err," -mtu          - set the link layer MTU\n");
        BIO_printf(bio_err," -no_tls1/-no_ssl3/-no_ssl2 - turn off that protocol\n");
        BIO_printf(bio_err," -bugs         - Switch on all SSL implementation bug workarounds\n");
        BIO_printf(bio_err," -serverpref   - Use server's cipher preferences (only SSLv2)\n");
@@ -343,6 +343,7 @@ static void sc_usage(void)
        BIO_printf(bio_err," -status           - request certificate status from server\n");
        BIO_printf(bio_err," -no_ticket        - disable use of RFC4507bis session tickets\n");
 #endif
+       BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
        }
 
 #ifndef OPENSSL_NO_TLSEXT
@@ -383,7 +384,6 @@ int MAIN(int argc, char **argv)
        {
        int off=0;
        SSL *con=NULL;
-       X509_STORE *store = NULL;
        int s,k,width,state=0;
        char *cbuf=NULL,*sbuf=NULL,*mbuf=NULL;
        int cbuf_len,cbuf_off;
@@ -404,12 +404,15 @@ int MAIN(int argc, char **argv)
        SSL_CTX *ctx=NULL;
        int ret=1,in_init=1,i,nbio_test=0;
        int starttls_proto = PROTO_OFF;
-       int prexit = 0, vflags = 0;
+       int prexit = 0;
+       X509_VERIFY_PARAM *vpm = NULL;
+       int badarg = 0;
        const SSL_METHOD *meth=NULL;
        int socket_type=SOCK_STREAM;
        BIO *sbio;
        char *inrand=NULL;
        int mbuf_len=0;
+       struct timeval timeout, *timeoutp;
 #ifndef OPENSSL_NO_ENGINE
        char *engine_id=NULL;
        char *ssl_client_engine_id=NULL;
@@ -521,10 +524,12 @@ int MAIN(int argc, char **argv)
                        if (--argc < 1) goto bad;
                        cert_format = str2fmt(*(++argv));
                        }
-               else if (strcmp(*argv,"-crl_check") == 0)
-                       vflags |= X509_V_FLAG_CRL_CHECK;
-               else if (strcmp(*argv,"-crl_check_all") == 0)
-                       vflags |= X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL;
+               else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm))
+                       {
+                       if (badarg)
+                               goto bad;
+                       continue;
+                       }
                else if (strcmp(*argv,"-verify_return_error") == 0)
                        verify_return_error = 1;
                else if (strcmp(*argv,"-prexit") == 0)
@@ -654,6 +659,8 @@ int MAIN(int argc, char **argv)
 #endif
                else if (strcmp(*argv,"-serverpref") == 0)
                        off|=SSL_OP_CIPHER_SERVER_PREFERENCE;
+               else if (strcmp(*argv,"-legacy_renegotiation") == 0)
+                       off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
                else if (strcmp(*argv,"-cipher") == 0)
                        {
                        if (--argc < 1) goto bad;
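Review bot: The new `-legacy_renegotiation` branch ORs `SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION` into `off` with no comment on why a client would want it, although the usage text added in this commit calls it dangerous. A short comment above the branch would keep the intent visible to anyone copying this option handling, for example `/* interop testing only: permits renegotiation with peers that lack secure renegotiation support */`. Printing a one-line notice to `bio_err` when the flag is set would also make the weakened setting visible in captured test output. The option-parsing loop starts and ends outside this hunk.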
@@ -831,6 +838,9 @@ bad:
                goto end;
                }
 
+       if (vpm)
+               SSL_CTX_set1_param(ctx, vpm);
+
 #ifndef OPENSSL_NO_ENGINE
        if (ssl_client_engine)
                {
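Review bot: The return value of `SSL_CTX_set1_param(ctx, vpm)` is discarded, so if copying the verification parameters fails the client carries on with the context defaults and the verify options the user passed are silently not applied. This call replaces the `X509_STORE_set_flags` call removed further down, where the CRL-check flags used to be set, so a failure here should stop the run: `if (vpm && !SSL_CTX_set1_param(ctx, vpm)) { ERR_print_errors(bio_err); goto end; }`. `set1` copies the parameters and no hunk visible here frees `vpm`, so the exit path may also need `X509_VERIFY_PARAM_free(vpm)` unless that is handled elsewhere in the file.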
@@ -890,8 +900,6 @@ bad:
                /* goto end; */
                }
 
-       store = SSL_CTX_get_cert_store(ctx);
-       X509_STORE_set_flags(store, vflags);
 #ifndef OPENSSL_NO_TLSEXT
        if (servername != NULL)
                {
@@ -975,7 +983,6 @@ re_start:
 
        if ( SSL_version(con) == DTLS1_VERSION)
                {
-               struct timeval timeout;
 
                sbio=BIO_new_dgram(s,BIO_NOCLOSE);
                if (getsockname(s, &peer, (void *)&peerlen) < 0)
@@ -999,10 +1006,10 @@ re_start:
                        BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
                        }
 
-               if (socket_mtu > 0)
+               if (socket_mtu > 28)
                        {
                        SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
-                       SSL_set_mtu(con, socket_mtu);
+                       SSL_set_mtu(con, socket_mtu - 28);
                        }
                else
                        /* want to do MTU discovery */
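Review bot: The literal `28` in `socket_mtu > 28` and `socket_mtu - 28` is unexplained. It looks like the IPv4 header (20 bytes) plus the UDP header (8 bytes), which would subtract too little for an IPv6 peer or for IPv4 with options; confirm this and give it a name with a comment such as `/* link MTU minus IPv4 + UDP headers */`. A `-mtu` value of 28 or less now falls through to the MTU-discovery branch with no message, so a too-small value silently changes behaviour. Rejecting it at option parsing or printing a notice to `bio_err` would be clearer. The enclosing DTLS block starts outside this hunk.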
@@ -1192,6 +1199,12 @@ SSL_set_tlsext_status_ids(con, ids);
                FD_ZERO(&readfds);
                FD_ZERO(&writefds);
 
+               if ((SSL_version(con) == DTLS1_VERSION) &&
+                       DTLSv1_get_timeout(con, &timeout))
+                       timeoutp = &timeout;
+               else
+                       timeoutp = NULL;
+
                if (SSL_in_init(con) && !SSL_total_renegotiations(con))
                        {
                        in_init=1;
@@ -1296,7 +1309,7 @@ SSL_set_tlsext_status_ids(con, ids);
                                        if(!i && (!((_kbhit()) || (WAIT_OBJECT_0 == WaitForSingleObject(GetStdHandle(STD_INPUT_HANDLE), 0))) || !read_tty) ) continue;
 #endif
                                } else  i=select(width,(void *)&readfds,(void *)&writefds,
-                                        NULL,NULL);
+                                        NULL,timeoutp);
                        }
 #elif defined(OPENSSL_SYS_NETWARE)
                        if(!write_tty) {
@@ -1306,7 +1319,7 @@ SSL_set_tlsext_status_ids(con, ids);
                                        i=select(width,(void *)&readfds,(void *)&writefds,
                                                NULL,&tv);
                                } else  i=select(width,(void *)&readfds,(void *)&writefds,
-                                       NULL,NULL);
+                                       NULL,timeoutp);
                        }
 #elif defined(OPENSSL_SYS_BEOS_R5)
                        /* Under BeOS-R5 the situation is similar to DOS */
@@ -1324,12 +1337,12 @@ SSL_set_tlsext_status_ids(con, ids);
                                        if (!i && (stdin_set != 1 || !read_tty))
                                                continue;
                                } else  i=select(width,(void *)&readfds,(void *)&writefds,
-                                        NULL,NULL);
+                                        NULL,timeoutp);
                        }
                        (void)fcntl(fileno(stdin), F_SETFL, 0);
 #else
                        i=select(width,(void *)&readfds,(void *)&writefds,
-                                NULL,NULL);
+                                NULL,timeoutp);
 #endif
                        if ( i < 0)
                                {
@@ -1340,6 +1353,11 @@ SSL_set_tlsext_status_ids(con, ids);
                                }
                        }
 
+               if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0)
+                       {
+                       BIO_printf(bio_err,"TIMEOUT occured\n");
+                       }
+
                if (!ssl_pending && FD_ISSET(SSL_get_fd(con),&writefds))
                        {
                        k=SSL_write(con,&(cbuf[cbuf_off]),
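Review bot: `DTLSv1_handle_timeout(con) > 0` only separates "a timeout was handled" from everything else, so a negative return (an error while handling the retransmission) is treated like "nothing to do" and the loop goes on to the write/read handling below. Capturing the result, e.g. `int r = DTLSv1_handle_timeout(con);`, and treating `r < 0` as a fatal connection error that leaves the loop through the function's existing cleanup path would avoid continuing on a failed DTLS association. The message text also has a typo and should read `"TIMEOUT occurred\n"`. The surrounding loop starts and ends outside this hunk.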