X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=apps%2Fs_client.c;h=9c852e4edac7a782d37c3d42790c9e49efcf37be;hp=ea0a3216a9f16ac2631825df1ab9046469724a96;hb=66d9f2e5210b7f68c4ac9ffebedca031c05ec487;hpb=33a8de69dc092285fce9a3db4aae2b0df8852427 diff --git a/apps/s_client.c b/apps/s_client.c index ea0a3216a9..9c852e4eda 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -193,6 +193,7 @@ typedef unsigned int u_int; extern int verify_depth; extern int verify_error; extern int verify_return_error; +extern int verify_quiet; #ifdef FIONBIO static int c_nbio=0; @@ -220,6 +221,7 @@ static BIO *bio_c_out=NULL; static BIO *bio_c_msg=NULL; static int c_quiet=0; static int c_ign_eof=0; +static int c_brief=0; #ifndef OPENSSL_NO_PSK /* Default PSK identity and key */ @@ -291,6 +293,9 @@ static void sc_usage(void) BIO_printf(bio_err," -host host - use -connect instead\n"); BIO_printf(bio_err," -port port - use -connect instead\n"); BIO_printf(bio_err," -connect host:port - who to connect to (default is %s:%s)\n",SSL_HOST_NAME,PORT_STR); + BIO_printf(bio_err," -checkhost host - check peer certificate matches \"host\"\n"); + BIO_printf(bio_err," -checkemail email - check peer certificate matches \"email\"\n"); + BIO_printf(bio_err," -checkip ipaddr - check peer certificate matches \"ipaddr\"\n"); BIO_printf(bio_err," -verify arg - turn on peer certificate verification\n"); BIO_printf(bio_err," -cert arg - certificate file to use, PEM format assumed\n"); @@ -557,8 +562,6 @@ int MAIN(int, char **); int MAIN(int argc, char **argv) { - unsigned int off=0, clr=0; - unsigned int cert_flags=0; int build_chain = 0; SSL *con=NULL; #ifndef OPENSSL_NO_KRB5 @@ -577,8 +580,10 @@ int MAIN(int argc, char **argv) char *passarg = NULL, *pass = NULL; X509 *cert = NULL; EVP_PKEY *key = NULL; - char *CApath=NULL,*CAfile=NULL,*cipher=NULL; - int reconnect=0,badop=0,verify=SSL_VERIFY_NONE,bugs=0; + char *CApath=NULL,*CAfile=NULL; + char *chCApath=NULL,*chCAfile=NULL; + char *vfyCApath=NULL,*vfyCAfile=NULL; + int reconnect=0,badop=0,verify=SSL_VERIFY_NONE; int crlf=0; int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending; SSL_CTX *ctx=NULL; @@ -607,9 +612,6 @@ int MAIN(int argc, char **argv) #endif #ifndef OPENSSL_NO_TLSEXT char *servername = NULL; - char *curves=NULL; - char *sigalgs=NULL; - char *client_sigalgs=NULL; tlsextctx tlsextcbp = {NULL,0}; # ifndef OPENSSL_NO_NEXTPROTONEG @@ -632,6 +634,15 @@ int MAIN(int argc, char **argv) #endif SSL_EXCERT *exc = NULL; + unsigned char *checkhost = NULL, *checkemail = NULL; + char *checkip = NULL; + SSL_CONF_CTX *cctx = NULL; + STACK_OF(OPENSSL_STRING) *ssl_args = NULL; + + char *crl_file = NULL; + int crl_format = FORMAT_PEM; + STACK_OF(X509_CRL) *crls = NULL; + meth=SSLv23_client_method(); apps_startup(); @@ -647,6 +658,11 @@ int MAIN(int argc, char **argv) if (!load_config(bio_err, NULL)) goto end; + cctx = SSL_CONF_CTX_new(); + if (!cctx) + goto end; + SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT); + SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CMDLINE); if ( ((cbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) || ((sbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) || @@ -688,13 +704,19 @@ int MAIN(int argc, char **argv) verify=SSL_VERIFY_PEER; if (--argc < 1) goto bad; verify_depth=atoi(*(++argv)); - BIO_printf(bio_err,"verify depth is %d\n",verify_depth); + if (!c_quiet) + BIO_printf(bio_err,"verify depth is %d\n",verify_depth); } else if (strcmp(*argv,"-cert") == 0) { if (--argc < 1) goto bad; cert_file= *(++argv); } + else if (strcmp(*argv,"-CRL") == 0) + { + if (--argc < 1) goto bad; + crl_file= *(++argv); + } else if (strcmp(*argv,"-sess_out") == 0) { if (--argc < 1) goto bad; @@ -710,6 +732,11 @@ int MAIN(int argc, char **argv) if (--argc < 1) goto bad; cert_format = str2fmt(*(++argv)); } + else if (strcmp(*argv,"-CRLform") == 0) + { + if (--argc < 1) goto bad; + crl_format = str2fmt(*(++argv)); + } else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm)) { if (badarg) @@ -718,12 +745,26 @@ int MAIN(int argc, char **argv) } else if (strcmp(*argv,"-verify_return_error") == 0) verify_return_error = 1; + else if (strcmp(*argv,"-verify_quiet") == 0) + verify_quiet = 1; + else if (strcmp(*argv,"-brief") == 0) + { + c_brief = 1; + verify_quiet = 1; + c_quiet = 1; + } else if (args_excert(&argv, &argc, &badarg, bio_err, &exc)) { if (badarg) goto bad; continue; } + else if (args_ssl(&argv, &argc, cctx, &badarg, bio_err, &ssl_args)) + { + if (badarg) + goto bad; + continue; + } else if (strcmp(*argv,"-prexit") == 0) prexit=1; else if (strcmp(*argv,"-crlf") == 0) @@ -852,8 +893,6 @@ int MAIN(int argc, char **argv) socket_mtu = atol(*(++argv)); } #endif - else if (strcmp(*argv,"-bugs") == 0) - bugs=1; else if (strcmp(*argv,"-keyform") == 0) { if (--argc < 1) goto bad; @@ -878,6 +917,16 @@ int MAIN(int argc, char **argv) if (--argc < 1) goto bad; CApath= *(++argv); } + else if (strcmp(*argv,"-chainCApath") == 0) + { + if (--argc < 1) goto bad; + chCApath= *(++argv); + } + else if (strcmp(*argv,"-verifyCApath") == 0) + { + if (--argc < 1) goto bad; + vfyCApath= *(++argv); + } else if (strcmp(*argv,"-build_chain") == 0) build_chain = 1; else if (strcmp(*argv,"-CAfile") == 0) @@ -885,21 +934,17 @@ int MAIN(int argc, char **argv) if (--argc < 1) goto bad; CAfile= *(++argv); } - else if (strcmp(*argv,"-no_tls1_2") == 0) - off|=SSL_OP_NO_TLSv1_2; - else if (strcmp(*argv,"-no_tls1_1") == 0) - off|=SSL_OP_NO_TLSv1_1; - else if (strcmp(*argv,"-no_tls1") == 0) - off|=SSL_OP_NO_TLSv1; - else if (strcmp(*argv,"-no_ssl3") == 0) - off|=SSL_OP_NO_SSLv3; - else if (strcmp(*argv,"-no_ssl2") == 0) - off|=SSL_OP_NO_SSLv2; - else if (strcmp(*argv,"-no_comp") == 0) - { off|=SSL_OP_NO_COMPRESSION; } + else if (strcmp(*argv,"-chainCAfile") == 0) + { + if (--argc < 1) goto bad; + chCAfile= *(++argv); + } + else if (strcmp(*argv,"-verifyCAfile") == 0) + { + if (--argc < 1) goto bad; + vfyCAfile= *(++argv); + } #ifndef OPENSSL_NO_TLSEXT - else if (strcmp(*argv,"-no_ticket") == 0) - { off|=SSL_OP_NO_TICKET; } # ifndef OPENSSL_NO_NEXTPROTONEG else if (strcmp(*argv,"-nextprotoneg") == 0) { @@ -908,19 +953,6 @@ int MAIN(int argc, char **argv) } # endif #endif - else if (strcmp(*argv,"-serverpref") == 0) - off|=SSL_OP_CIPHER_SERVER_PREFERENCE; - else if (strcmp(*argv,"-legacy_renegotiation") == 0) - off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION; - else if (strcmp(*argv,"-legacy_server_connect") == 0) - { off|=SSL_OP_LEGACY_SERVER_CONNECT; } - else if (strcmp(*argv,"-no_legacy_server_connect") == 0) - { clr|=SSL_OP_LEGACY_SERVER_CONNECT; } - else if (strcmp(*argv,"-cipher") == 0) - { - if (--argc < 1) goto bad; - cipher= *(++argv); - } #ifdef FIONBIO else if (strcmp(*argv,"-nbio") == 0) { c_nbio=1; } @@ -966,22 +998,22 @@ int MAIN(int argc, char **argv) servername= *(++argv); /* meth=TLSv1_client_method(); */ } - else if (strcmp(*argv,"-curves") == 0) +#endif + else if (strcmp(*argv,"-checkhost") == 0) { if (--argc < 1) goto bad; - curves= *(++argv); + checkhost=(unsigned char *)*(++argv); } - else if (strcmp(*argv,"-sigalgs") == 0) + else if (strcmp(*argv,"-checkemail") == 0) { if (--argc < 1) goto bad; - sigalgs= *(++argv); + checkemail=(unsigned char *)*(++argv); } - else if (strcmp(*argv,"-client_sigalgs") == 0) + else if (strcmp(*argv,"-checkip") == 0) { if (--argc < 1) goto bad; - client_sigalgs= *(++argv); + checkip=*(++argv); } -#endif #ifndef OPENSSL_NO_JPAKE else if (strcmp(*argv,"-jpake") == 0) { @@ -1005,12 +1037,6 @@ int MAIN(int argc, char **argv) keymatexportlen=atoi(*(++argv)); if (keymatexportlen == 0) goto bad; } - else if (strcmp(*argv, "-cert_strict") == 0) - cert_flags |= SSL_CERT_FLAG_TLS_STRICT; -#ifdef OPENSSL_SSL_DEBUG_BROKEN_PROTOCOL - else if (strcmp(*argv, "-debug_broken_protocol") == 0) - cert_flags |= SSL_CERT_FLAG_BROKEN_PROTCOL; -#endif else { BIO_printf(bio_err,"unknown option %s\n",*argv); @@ -1116,6 +1142,26 @@ bad: } } + if (crl_file) + { + X509_CRL *crl; + crl = load_crl(crl_file, crl_format); + if (!crl) + { + BIO_puts(bio_err, "Error loading CRL\n"); + ERR_print_errors(bio_err); + goto end; + } + crls = sk_X509_CRL_new_null(); + if (!crls || !sk_X509_CRL_push(crls, crl)) + { + BIO_puts(bio_err, "Error adding CRL\n"); + ERR_print_errors(bio_err); + X509_CRL_free(crl); + goto end; + } + } + if (!load_excert(&exc, bio_err)) goto end; @@ -1130,9 +1176,11 @@ bad: if (bio_c_out == NULL) { - if (c_quiet && !c_debug && !c_msg) + if (c_quiet && !c_debug) { bio_c_out=BIO_new(BIO_s_null()); + if (c_msg && !bio_c_msg) + bio_c_msg=BIO_new_fp(stdout,BIO_NOCLOSE); } else { @@ -1159,6 +1207,19 @@ bad: if (vpm) SSL_CTX_set1_param(ctx, vpm); + if (!args_ssl_call(ctx, bio_err, cctx, ssl_args, 1)) + { + ERR_print_errors(bio_err); + goto end; + } + + if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile, crls)) + { + BIO_printf(bio_err, "Error loading store locations\n"); + ERR_print_errors(bio_err); + goto end; + } + #ifndef OPENSSL_NO_ENGINE if (ssl_client_engine) { @@ -1187,14 +1248,6 @@ bad: if (srtp_profiles != NULL) SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles); #endif - if (bugs) - SSL_CTX_set_options(ctx,SSL_OP_ALL|off); - else - SSL_CTX_set_options(ctx,off); - - if (clr) - SSL_CTX_clear_options(ctx, clr); - if (cert_flags) SSL_CTX_set_cert_flags(ctx, cert_flags); if (exc) ssl_ctx_set_excert(ctx, exc); /* DTLS: partial reads end up discarding unread UDP bytes :-( * Setting read ahead solves this problem. @@ -1207,12 +1260,6 @@ bad: #endif if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback); - if (cipher != NULL) - if(!SSL_CTX_set_cipher_list(ctx,cipher)) { - BIO_printf(bio_err,"error setting cipher list\n"); - ERR_print_errors(bio_err); - goto end; - } #if 0 else SSL_CTX_set_cipher_list(ctx,getenv("SSL_CIPHER")); @@ -1228,28 +1275,12 @@ bad: /* goto end; */ } + ssl_ctx_add_crls(ctx, crls); + if (!set_cert_key_stuff(ctx,cert,key, NULL, build_chain)) goto end; #ifndef OPENSSL_NO_TLSEXT - if (curves != NULL) - if(!SSL_CTX_set1_curves_list(ctx,curves)) { - BIO_printf(bio_err,"error setting curve list\n"); - ERR_print_errors(bio_err); - goto end; - } - if (sigalgs != NULL) - if(!SSL_CTX_set1_sigalgs_list(ctx,sigalgs)) { - BIO_printf(bio_err,"error setting signature algorithms list\n"); - ERR_print_errors(bio_err); - goto end; - } - if (client_sigalgs != NULL) - if(!SSL_CTX_set1_client_sigalgs_list(ctx,client_sigalgs)) { - BIO_printf(bio_err,"error setting client signature algorithms list\n"); - ERR_print_errors(bio_err); - goto end; - } if (servername != NULL) { tlsextcbp.biodebug = bio_err; @@ -1611,6 +1642,14 @@ SSL_set_tlsext_status_ids(con, ids); else BIO_printf(bio_err, "Error writing session file %s\n", sess_out); } + if (c_brief) + { + BIO_puts(bio_err, + "CONNECTION ESTABLISHED\n"); + print_ssl_summary(bio_err, con); + } + print_ssl_cert_checks(bio_err, con, checkhost, + checkemail, checkip); print_stuff(bio_c_out,con,full_log); if (full_log > 0) full_log--; @@ -1873,7 +1912,10 @@ printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240 break; case SSL_ERROR_SYSCALL: ret=get_last_socket_error(); - BIO_printf(bio_err,"read:errno=%d\n",ret); + if (ret == 0 && c_brief) + BIO_puts(bio_err, "CONNECTION CLOSED BY SERVER\n"); + else + BIO_printf(bio_err,"read:errno=%d\n",ret); goto shut; case SSL_ERROR_ZERO_RETURN: BIO_printf(bio_c_out,"closed\n"); @@ -1980,11 +2022,19 @@ end: if (ctx != NULL) SSL_CTX_free(ctx); if (cert) X509_free(cert); + if (crls) + sk_X509_CRL_pop_free(crls, X509_CRL_free); if (key) EVP_PKEY_free(key); if (pass) OPENSSL_free(pass); + if (vpm) + X509_VERIFY_PARAM_free(vpm); ssl_excert_free(exc); + if (ssl_args) + sk_OPENSSL_STRING_free(ssl_args); + if (cctx) + SSL_CONF_CTX_free(cctx); if (cbuf != NULL) { OPENSSL_cleanse(cbuf,BUFSIZZ); OPENSSL_free(cbuf); } if (sbuf != NULL) { OPENSSL_cleanse(sbuf,BUFSIZZ); OPENSSL_free(sbuf); } if (mbuf != NULL) { OPENSSL_cleanse(mbuf,BUFSIZZ); OPENSSL_free(mbuf); }