X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=apps%2Fs_client.c;h=ba76a0e3bdb2197788dc95763d230e6b25dc8ffc;hp=ce199be81bbb57e5dc50bdbbd0dcfc454770f42d;hb=b5cadfb564a604c0ba1c49984ac796cfd8310731;hpb=e7f8ff43826494896548d054ee8dbb96367f00af diff --git a/apps/s_client.c b/apps/s_client.c index ce199be81b..ba76a0e3bd 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -193,6 +193,7 @@ typedef unsigned int u_int; extern int verify_depth; extern int verify_error; extern int verify_return_error; +extern int verify_quiet; #ifdef FIONBIO static int c_nbio=0; @@ -202,6 +203,7 @@ static int c_debug=0; #ifndef OPENSSL_NO_TLSEXT static int c_tlsextdebug=0; static int c_status_req=0; +static int c_proof_debug=0; #endif static int c_msg=0; static int c_showcerts=0; @@ -213,10 +215,13 @@ static void sc_usage(void); static void print_stuff(BIO *berr,SSL *con,int full); #ifndef OPENSSL_NO_TLSEXT static int ocsp_resp_cb(SSL *s, void *arg); +static int audit_proof_cb(SSL *s, void *arg); #endif static BIO *bio_c_out=NULL; +static BIO *bio_c_msg=NULL; static int c_quiet=0; static int c_ign_eof=0; +static int c_brief=0; #ifndef OPENSSL_NO_PSK /* Default PSK identity and key */ @@ -357,6 +362,7 @@ static void sc_usage(void) BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n"); BIO_printf(bio_err," -status - request certificate status from server\n"); BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n"); + BIO_printf(bio_err," -proof_debug - request an audit proof and print its hex dump\n"); # ifndef OPENSSL_NO_NEXTPROTONEG BIO_printf(bio_err," -nextprotoneg arg - enable NPN extension, considering named protocols supported (comma-separated list)\n"); # endif @@ -553,7 +559,7 @@ int MAIN(int, char **); int MAIN(int argc, char **argv) { - unsigned int off=0, clr=0; + int build_chain = 0; SSL *con=NULL; #ifndef OPENSSL_NO_KRB5 KSSL_CTX *kctx; @@ -571,8 +577,8 @@ int MAIN(int argc, char **argv) char *passarg = NULL, *pass = NULL; X509 *cert = NULL; EVP_PKEY *key = NULL; - char *CApath=NULL,*CAfile=NULL,*cipher=NULL; - int reconnect=0,badop=0,verify=SSL_VERIFY_NONE,bugs=0; + char *CApath=NULL,*CAfile=NULL; + int reconnect=0,badop=0,verify=SSL_VERIFY_NONE; int crlf=0; int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending; SSL_CTX *ctx=NULL; @@ -621,14 +627,14 @@ int MAIN(int argc, char **argv) int srp_lateuser = 0; SRP_ARG srp_arg = {NULL,NULL,0,0,0,1024}; #endif + SSL_EXCERT *exc = NULL; + + unsigned char *checkhost = NULL, *checkemail = NULL; + char *checkip = NULL; + SSL_CONF_CTX *cctx = NULL; + STACK_OF(OPENSSL_STRING) *ssl_args = NULL; -#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3) meth=SSLv23_client_method(); -#elif !defined(OPENSSL_NO_SSL3) - meth=SSLv3_client_method(); -#elif !defined(OPENSSL_NO_SSL2) - meth=SSLv2_client_method(); -#endif apps_startup(); c_Pause=0; @@ -643,6 +649,11 @@ int MAIN(int argc, char **argv) if (!load_config(bio_err, NULL)) goto end; + cctx = SSL_CONF_CTX_new(); + if (!cctx) + goto end; + SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT); + SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CMDLINE); if ( ((cbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) || ((sbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) || @@ -684,7 +695,8 @@ int MAIN(int argc, char **argv) verify=SSL_VERIFY_PEER; if (--argc < 1) goto bad; verify_depth=atoi(*(++argv)); - BIO_printf(bio_err,"verify depth is %d\n",verify_depth); + if (!c_quiet) + BIO_printf(bio_err,"verify depth is %d\n",verify_depth); } else if (strcmp(*argv,"-cert") == 0) { @@ -714,6 +726,26 @@ int MAIN(int argc, char **argv) } else if (strcmp(*argv,"-verify_return_error") == 0) verify_return_error = 1; + else if (strcmp(*argv,"-verify_quiet") == 0) + verify_quiet = 1; + else if (strcmp(*argv,"-brief") == 0) + { + c_brief = 1; + verify_quiet = 1; + c_quiet = 1; + } + else if (args_excert(&argv, &argc, &badarg, bio_err, &exc)) + { + if (badarg) + goto bad; + continue; + } + else if (args_ssl(&argv, &argc, cctx, &badarg, bio_err, &ssl_args)) + { + if (badarg) + goto bad; + continue; + } else if (strcmp(*argv,"-prexit") == 0) prexit=1; else if (strcmp(*argv,"-crlf") == 0) @@ -736,6 +768,8 @@ int MAIN(int argc, char **argv) c_tlsextdebug=1; else if (strcmp(*argv,"-status") == 0) c_status_req=1; + else if (strcmp(*argv,"-proof_debug") == 0) + c_proof_debug=1; #endif #ifdef WATT32 else if (strcmp(*argv,"-wdebug") == 0) @@ -743,6 +777,15 @@ int MAIN(int argc, char **argv) #endif else if (strcmp(*argv,"-msg") == 0) c_msg=1; + else if (strcmp(*argv,"-msgfile") == 0) + { + if (--argc < 1) goto bad; + bio_c_msg = BIO_new_file(*(++argv), "w"); + } +#ifndef OPENSSL_NO_SSL_TRACE + else if (strcmp(*argv,"-trace") == 0) + c_msg=2; +#endif else if (strcmp(*argv,"-showcerts") == 0) c_showcerts=1; else if (strcmp(*argv,"-nbio_test") == 0) @@ -831,8 +874,6 @@ int MAIN(int argc, char **argv) socket_mtu = atol(*(++argv)); } #endif - else if (strcmp(*argv,"-bugs") == 0) - bugs=1; else if (strcmp(*argv,"-keyform") == 0) { if (--argc < 1) goto bad; @@ -857,26 +898,14 @@ int MAIN(int argc, char **argv) if (--argc < 1) goto bad; CApath= *(++argv); } + else if (strcmp(*argv,"-build_chain") == 0) + build_chain = 1; else if (strcmp(*argv,"-CAfile") == 0) { if (--argc < 1) goto bad; CAfile= *(++argv); } - else if (strcmp(*argv,"-no_tls1_2") == 0) - off|=SSL_OP_NO_TLSv1_2; - else if (strcmp(*argv,"-no_tls1_1") == 0) - off|=SSL_OP_NO_TLSv1_1; - else if (strcmp(*argv,"-no_tls1") == 0) - off|=SSL_OP_NO_TLSv1; - else if (strcmp(*argv,"-no_ssl3") == 0) - off|=SSL_OP_NO_SSLv3; - else if (strcmp(*argv,"-no_ssl2") == 0) - off|=SSL_OP_NO_SSLv2; - else if (strcmp(*argv,"-no_comp") == 0) - { off|=SSL_OP_NO_COMPRESSION; } #ifndef OPENSSL_NO_TLSEXT - else if (strcmp(*argv,"-no_ticket") == 0) - { off|=SSL_OP_NO_TICKET; } # ifndef OPENSSL_NO_NEXTPROTONEG else if (strcmp(*argv,"-nextprotoneg") == 0) { @@ -885,19 +914,6 @@ int MAIN(int argc, char **argv) } # endif #endif - else if (strcmp(*argv,"-serverpref") == 0) - off|=SSL_OP_CIPHER_SERVER_PREFERENCE; - else if (strcmp(*argv,"-legacy_renegotiation") == 0) - off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION; - else if (strcmp(*argv,"-legacy_server_connect") == 0) - { off|=SSL_OP_LEGACY_SERVER_CONNECT; } - else if (strcmp(*argv,"-no_legacy_server_connect") == 0) - { clr|=SSL_OP_LEGACY_SERVER_CONNECT; } - else if (strcmp(*argv,"-cipher") == 0) - { - if (--argc < 1) goto bad; - cipher= *(++argv); - } #ifdef FIONBIO else if (strcmp(*argv,"-nbio") == 0) { c_nbio=1; } @@ -944,6 +960,21 @@ int MAIN(int argc, char **argv) /* meth=TLSv1_client_method(); */ } #endif + else if (strcmp(*argv,"-checkhost") == 0) + { + if (--argc < 1) goto bad; + checkhost=(unsigned char *)*(++argv); + } + else if (strcmp(*argv,"-checkemail") == 0) + { + if (--argc < 1) goto bad; + checkemail=(unsigned char *)*(++argv); + } + else if (strcmp(*argv,"-checkip") == 0) + { + if (--argc < 1) goto bad; + checkip=*(++argv); + } #ifndef OPENSSL_NO_JPAKE else if (strcmp(*argv,"-jpake") == 0) { @@ -1072,6 +1103,9 @@ bad: } } + if (!load_excert(&exc, bio_err)) + goto end; + if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL && !RAND_status()) { @@ -1112,6 +1146,12 @@ bad: if (vpm) SSL_CTX_set1_param(ctx, vpm); + if (!args_ssl_call(ctx, bio_err, cctx, ssl_args)) + { + ERR_print_errors(bio_err); + goto end; + } + #ifndef OPENSSL_NO_ENGINE if (ssl_client_engine) { @@ -1140,13 +1180,7 @@ bad: if (srtp_profiles != NULL) SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles); #endif - if (bugs) - SSL_CTX_set_options(ctx,SSL_OP_ALL|off); - else - SSL_CTX_set_options(ctx,off); - - if (clr) - SSL_CTX_clear_options(ctx, clr); + if (exc) ssl_ctx_set_excert(ctx, exc); /* DTLS: partial reads end up discarding unread UDP bytes :-( * Setting read ahead solves this problem. */ @@ -1158,20 +1192,12 @@ bad: #endif if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback); - if (cipher != NULL) - if(!SSL_CTX_set_cipher_list(ctx,cipher)) { - BIO_printf(bio_err,"error setting cipher list\n"); - ERR_print_errors(bio_err); - goto end; - } #if 0 else SSL_CTX_set_cipher_list(ctx,getenv("SSL_CIPHER")); #endif SSL_CTX_set_verify(ctx,verify,verify_callback); - if (!set_cert_key_stuff(ctx,cert,key)) - goto end; if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) || (!SSL_CTX_set_default_verify_paths(ctx))) @@ -1181,6 +1207,9 @@ bad: /* goto end; */ } + if (!set_cert_key_stuff(ctx,cert,key, NULL, build_chain)) + goto end; + #ifndef OPENSSL_NO_TLSEXT if (servername != NULL) { @@ -1206,6 +1235,9 @@ bad: } #endif + if (c_proof_debug) + SSL_CTX_set_tlsext_authz_server_audit_proof_cb(ctx, + audit_proof_cb); #endif con=SSL_new(ctx); @@ -1334,8 +1366,13 @@ re_start: } if (c_msg) { - SSL_set_msg_callback(con, msg_cb); - SSL_set_msg_callback_arg(con, bio_c_out); +#ifndef OPENSSL_NO_SSL_TRACE + if (c_msg == 2) + SSL_set_msg_callback(con, SSL_trace); + else +#endif + SSL_set_msg_callback(con, msg_cb); + SSL_set_msg_callback_arg(con, bio_c_msg ? bio_c_msg : bio_c_out); } #ifndef OPENSSL_NO_TLSEXT if (c_tlsextdebug) @@ -1535,6 +1572,14 @@ SSL_set_tlsext_status_ids(con, ids); else BIO_printf(bio_err, "Error writing session file %s\n", sess_out); } + if (c_brief) + { + BIO_puts(bio_err, + "CONNECTION ESTABLISHED\n"); + print_ssl_summary(bio_err, con); + } + print_ssl_cert_checks(bio_err, con, checkhost, + checkemail, checkip); print_stuff(bio_c_out,con,full_log); if (full_log > 0) full_log--; @@ -1897,6 +1942,10 @@ end: print_stuff(bio_c_out,con,1); SSL_free(con); } +#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) + if (next_proto.data) + OPENSSL_free(next_proto.data); +#endif if (ctx != NULL) SSL_CTX_free(ctx); if (cert) X509_free(cert); @@ -1904,6 +1953,11 @@ end: EVP_PKEY_free(key); if (pass) OPENSSL_free(pass); + ssl_excert_free(exc); + if (ssl_args) + sk_OPENSSL_STRING_free(ssl_args); + if (cctx) + SSL_CONF_CTX_free(cctx); if (cbuf != NULL) { OPENSSL_cleanse(cbuf,BUFSIZZ); OPENSSL_free(cbuf); } if (sbuf != NULL) { OPENSSL_cleanse(sbuf,BUFSIZZ); OPENSSL_free(sbuf); } if (mbuf != NULL) { OPENSSL_cleanse(mbuf,BUFSIZZ); OPENSSL_free(mbuf); } @@ -1912,6 +1966,11 @@ end: BIO_free(bio_c_out); bio_c_out=NULL; } + if (bio_c_msg != NULL) + { + BIO_free(bio_c_msg); + bio_c_msg=NULL; + } apps_shutdown(); OPENSSL_EXIT(ret); } @@ -2019,6 +2078,7 @@ static void print_stuff(BIO *bio, SSL *s, int full) } ssl_print_sigalgs(bio, s); + ssl_print_tmp_key(bio, s); BIO_printf(bio,"---\nSSL handshake has read %ld bytes and written %ld bytes\n", BIO_number_read(SSL_get_rbio(s)), @@ -2046,18 +2106,7 @@ static void print_stuff(BIO *bio, SSL *s, int full) BIO_printf(bio,"Expansion: %s\n", expansion ? SSL_COMP_get_name(expansion) : "NONE"); #endif - -#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) - if (next_proto.status != -1) { - const unsigned char *proto; - unsigned int proto_len; - SSL_get0_next_proto_negotiated(s, &proto, &proto_len); - BIO_printf(bio, "Next protocol: (%d) ", next_proto.status); - BIO_write(bio, proto, proto_len); - BIO_write(bio, "\n", 1); - } -#endif - + #ifdef SSL_DEBUG { /* Print out local port of connection: useful for debugging */ @@ -2070,6 +2119,17 @@ static void print_stuff(BIO *bio, SSL *s, int full) } #endif +#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) + if (next_proto.status != -1) { + const unsigned char *proto; + unsigned int proto_len; + SSL_get0_next_proto_negotiated(s, &proto, &proto_len); + BIO_printf(bio, "Next protocol: (%d) ", next_proto.status); + BIO_write(bio, proto, proto_len); + BIO_write(bio, "\n", 1); + } +#endif + { SRTP_PROTECTION_PROFILE *srtp_profile=SSL_get_selected_srtp_profile(s); @@ -2141,4 +2201,26 @@ static int ocsp_resp_cb(SSL *s, void *arg) return 1; } +static int audit_proof_cb(SSL *s, void *arg) + { + const unsigned char *proof; + size_t proof_len; + size_t i; + SSL_SESSION *sess = SSL_get_session(s); + + proof = SSL_SESSION_get_tlsext_authz_server_audit_proof(sess, + &proof_len); + if (proof != NULL) + { + BIO_printf(bio_c_out, "Audit proof: "); + for (i = 0; i < proof_len; ++i) + BIO_printf(bio_c_out, "%02X", proof[i]); + BIO_printf(bio_c_out, "\n"); + } + else + { + BIO_printf(bio_c_out, "No audit proof found.\n"); + } + return 1; + } #endif