Add -brief option to s_client and s_server to summarise connection details.
authorDr. Stephen Henson <steve@openssl.org>
Wed, 12 Sep 2012 23:14:28 +0000 (23:14 +0000)
committerDr. Stephen Henson <steve@openssl.org>
Wed, 12 Sep 2012 23:14:28 +0000 (23:14 +0000)
New option -verify_quiet to shut up the verify callback unless there is
an error.

CHANGES
apps/s_apps.h
apps/s_cb.c
apps/s_client.c
apps/s_server.c

diff --git a/CHANGES b/CHANGES
index 8e358c6..d11b8a3 100644 (file)
--- a/CHANGES
+++ b/CHANGES
@@ -4,6 +4,10 @@
 
  Changes between 1.0.x and 1.1.0  [xx XXX xxxx]
 
+  *) New option -brief for s_client and s_server to print out a brief summary
+     of connection parameters.
+     [Steve Henson]
+
   *) Add functions to retrieve and manipulate the raw cipherlist sent by a
      client to OpenSSL.
      [Steve Henson]
index b45c1b9..b1ae531 100644 (file)
@@ -161,7 +161,7 @@ int set_cert_key_and_authz(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key,
                            unsigned char *authz, size_t authz_length);
 # endif
 int ssl_print_sigalgs(BIO *out, SSL *s);
-int ssl_print_curves(BIO *out, SSL *s);
+int ssl_print_curves(BIO *out, SSL *s, int noshared);
 #endif
 int ssl_print_tmp_key(BIO *out, SSL *s);
 int init_client(int *sock, char *server, int port, int type);
@@ -190,3 +190,4 @@ void ssl_excert_free(SSL_EXCERT *exc);
 int args_excert(char ***pargs, int *pargc,
                        int *badarg, BIO *err, SSL_EXCERT **pexc);
 int load_excert(SSL_EXCERT **pexc, BIO *err);
+void print_ssl_summary(BIO *bio, SSL *s);
index fc40f39..e339a6c 100644 (file)
 #define        COOKIE_SECRET_LENGTH    16
 
 int verify_depth=0;
+int verify_quiet=0;
 int verify_error=X509_V_OK;
 int verify_return_error=0;
 unsigned char cookie_secret[COOKIE_SECRET_LENGTH];
@@ -139,15 +140,19 @@ int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
        err=    X509_STORE_CTX_get_error(ctx);
        depth=  X509_STORE_CTX_get_error_depth(ctx);
 
-       BIO_printf(bio_err,"depth=%d ",depth);
-       if (err_cert)
+       if (!verify_quiet || !ok)
                {
-               X509_NAME_print_ex(bio_err, X509_get_subject_name(err_cert),
+               BIO_printf(bio_err,"depth=%d ",depth);
+               if (err_cert)
+                       {
+                       X509_NAME_print_ex(bio_err,
+                                       X509_get_subject_name(err_cert),
                                        0, XN_FLAG_ONELINE);
-               BIO_puts(bio_err, "\n");
+                       BIO_puts(bio_err, "\n");
+                       }
+               else
+                       BIO_puts(bio_err, "<no cert>\n");
                }
-       else
-               BIO_puts(bio_err, "<no cert>\n");
        if (!ok)
                {
                BIO_printf(bio_err,"verify error:num=%d:%s\n",err,
@@ -188,10 +193,10 @@ int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
                policies_print(bio_err, ctx);
                break;
                }
-       if (err == X509_V_OK && ok == 2)
+       if (err == X509_V_OK && ok == 2 && !verify_quiet)
                policies_print(bio_err, ctx);
-
-       BIO_printf(bio_err,"verify return:%d\n",ok);
+       if (ok && !verify_quiet)
+               BIO_printf(bio_err,"verify return:%d\n",ok);
        return(ok);
        }
 
@@ -419,7 +424,7 @@ int ssl_print_sigalgs(BIO *out, SSL *s)
        return 1;
        }
 
-int ssl_print_curves(BIO *out, SSL *s)
+int ssl_print_curves(BIO *out, SSL *s, int noshared)
        {
        int i, ncurves, *curves, nid;
        const char *cname;
@@ -447,6 +452,13 @@ int ssl_print_curves(BIO *out, SSL *s)
                        BIO_printf(out, "%s", cname);
                        }
                }
+       if (ncurves == 0)
+               BIO_puts(out, "NONE");
+       if (noshared)
+               {
+               BIO_puts(out, "\n");
+               return 1;
+               }
        BIO_puts(out, "\nShared Elliptic curves: ");
        OPENSSL_free(curves);
        ncurves = SSL_get_shared_curve(s, -1);
@@ -1459,3 +1471,65 @@ int args_excert(char ***pargs, int *pargc,
        return 1;
        }
 
+static void print_raw_cipherlist(BIO *bio, SSL *s)
+       {
+       const unsigned char *rlist;
+       static const unsigned char scsv_id[] = {0, 0, 0xFF};
+       size_t i, rlistlen, num;
+       if (!SSL_is_server(s))
+               return;
+       num = SSL_get0_raw_cipherlist(s, NULL);
+       rlistlen = SSL_get0_raw_cipherlist(s, &rlist);
+       BIO_puts(bio, "Client cipher list: ");
+       for (i = 0; i < rlistlen; i += num, rlist += num)
+               {
+               const SSL_CIPHER *c = SSL_CIPHER_find(s, rlist);
+               if (i)
+                       BIO_puts(bio, ":");
+               if (c)
+                       BIO_puts(bio, SSL_CIPHER_get_name(c));
+               else if (!memcmp(rlist, scsv_id - num + 3, num))
+                       BIO_puts(bio, "SCSV");
+               else
+                       {
+                       size_t j;
+                       BIO_puts(bio, "0x");
+                       for (j = 0; j < num; j++)
+                               BIO_printf(bio, "%02X", rlist[j]);
+                       }
+               }
+       BIO_puts(bio, "\n");
+       }
+       
+
+void print_ssl_summary(BIO *bio, SSL *s)
+       {
+       const SSL_CIPHER *c;
+       X509 *peer;
+       /*const char *pnam = SSL_is_server(s) ? "client" : "server";*/
+       BIO_printf(bio, "Protocol version: %s\n", SSL_get_version(s));
+       print_raw_cipherlist(bio, s);
+       c = SSL_get_current_cipher(s);
+       BIO_printf(bio,"Ciphersuite: %s\n", SSL_CIPHER_get_name(c));
+       do_print_sigalgs(bio, s, 0);
+       peer = SSL_get_peer_certificate(s);
+       if (peer)
+               {
+               int nid;
+               BIO_puts(bio, "Peer certificate: ");
+               X509_NAME_print_ex(bio, X509_get_subject_name(peer),
+                                       0, XN_FLAG_ONELINE);
+               BIO_puts(bio, "\n");
+               if (SSL_get_peer_signature_nid(s, &nid))
+                       BIO_printf(bio, "Hash used: %s\n", OBJ_nid2sn(nid));
+               }
+       else
+               BIO_puts(bio, "No peer certificate\n");
+       if (peer)
+               X509_free(peer);
+       if (SSL_is_server(s))
+               ssl_print_curves(bio, s, 1);
+       else
+               ssl_print_tmp_key(bio, s);
+       }
+
index ea0a321..a7b150b 100644 (file)
@@ -193,6 +193,7 @@ typedef unsigned int u_int;
 extern int verify_depth;
 extern int verify_error;
 extern int verify_return_error;
+extern int verify_quiet;
 
 #ifdef FIONBIO
 static int c_nbio=0;
@@ -220,6 +221,7 @@ static BIO *bio_c_out=NULL;
 static BIO *bio_c_msg=NULL;
 static int c_quiet=0;
 static int c_ign_eof=0;
+static int c_brief=0;
 
 #ifndef OPENSSL_NO_PSK
 /* Default PSK identity and key */
@@ -688,7 +690,8 @@ int MAIN(int argc, char **argv)
                        verify=SSL_VERIFY_PEER;
                        if (--argc < 1) goto bad;
                        verify_depth=atoi(*(++argv));
-                       BIO_printf(bio_err,"verify depth is %d\n",verify_depth);
+                       if (!c_quiet)
+                               BIO_printf(bio_err,"verify depth is %d\n",verify_depth);
                        }
                else if (strcmp(*argv,"-cert") == 0)
                        {
@@ -718,6 +721,14 @@ int MAIN(int argc, char **argv)
                        }
                else if (strcmp(*argv,"-verify_return_error") == 0)
                        verify_return_error = 1;
+               else if (strcmp(*argv,"-verify_quiet") == 0)
+                       verify_quiet = 1;
+               else if (strcmp(*argv,"-brief") == 0)
+                       {
+                       c_brief = 1;
+                       verify_quiet = 1;
+                       c_quiet = 1;
+                       }
                else if (args_excert(&argv, &argc, &badarg, bio_err, &exc))
                        {
                        if (badarg)
@@ -1611,6 +1622,12 @@ SSL_set_tlsext_status_ids(con, ids);
                                        else 
                                                BIO_printf(bio_err, "Error writing session file %s\n", sess_out);
                                        }
+                               if (c_brief)
+                                       {
+                                       BIO_puts(bio_err,
+                                               "CONNECTION ESTABLISHED\n");
+                                       print_ssl_summary(bio_err, con);
+                                       }
                                print_stuff(bio_c_out,con,full_log);
                                if (full_log > 0) full_log--;
 
index 77b34cb..002de84 100644 (file)
@@ -268,7 +268,7 @@ static int accept_socket= -1;
 #undef PROG
 #define PROG           s_server_main
 
-extern int verify_depth, verify_return_error;
+extern int verify_depth, verify_return_error, verify_quiet;
 
 static char *cipher=NULL;
 static int s_server_verify=SSL_VERIFY_NONE;
@@ -303,6 +303,7 @@ static int cert_status_cb(SSL *s, void *arg);
 static int no_resume_ephemeral = 0;
 static int s_msg=0;
 static int s_quiet=0;
+static int s_brief=0;
 
 static char *keymatexportlabel=NULL;
 static int keymatexportlen=20;
@@ -466,6 +467,7 @@ static void s_server_init(void)
        s_debug=0;
        s_msg=0;
        s_quiet=0;
+       s_brief=0;
        hack=0;
 #ifndef OPENSSL_NO_ENGINE
        engine_id=NULL;
@@ -1169,6 +1171,8 @@ int MAIN(int argc, char *argv[])
                        }
                else if (strcmp(*argv,"-verify_return_error") == 0)
                        verify_return_error = 1;
+               else if (strcmp(*argv,"-verify_quiet") == 0)
+                       verify_quiet = 1;
                else if (strcmp(*argv,"-serverpref") == 0)
                        { off|=SSL_OP_CIPHER_SERVER_PREFERENCE; }
                else if (strcmp(*argv,"-legacy_renegotiation") == 0)
@@ -1273,6 +1277,12 @@ int MAIN(int argc, char *argv[])
                        { s_crlf=1; }
                else if (strcmp(*argv,"-quiet") == 0)
                        { s_quiet=1; }
+               else if (strcmp(*argv,"-brief") == 0)
+                       {
+                       s_quiet=1;
+                       s_brief=1;
+                       verify_quiet=1;
+                       }
                else if (strcmp(*argv,"-bugs") == 0)
                        { bugs=1; }
                else if (strcmp(*argv,"-no_tmp_rsa") == 0)
@@ -2389,7 +2399,7 @@ static int sv_body(char *hostname, int s, unsigned char *context)
                                }
                        else
                                i=raw_read_stdin(buf,bufsize);
-                       if (!s_quiet)
+                       if (!s_quiet && !s_brief)
                                {
                                if ((i <= 0) || (buf[0] == 'Q'))
                                        {
@@ -2642,6 +2652,9 @@ static int init_ssl_connection(SSL *con)
                return(0);
                }
 
+       if (s_brief)
+               print_ssl_summary(bio_err, con);
+
        PEM_write_bio_SSL_SESSION(bio_s_out,SSL_get_session(con));
 
        peer=SSL_get_peer_certificate(con);
@@ -2660,7 +2673,7 @@ static int init_ssl_connection(SSL *con)
                BIO_printf(bio_s_out,"Shared ciphers:%s\n",buf);
        str=SSL_CIPHER_get_name(SSL_get_current_cipher(con));
        ssl_print_sigalgs(bio_s_out, con);
-       ssl_print_curves(bio_s_out, con);
+       ssl_print_curves(bio_s_out, con, 0);
        BIO_printf(bio_s_out,"CIPHER is %s\n",(str != NULL)?str:"(NONE)");
 
 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
@@ -3003,7 +3016,7 @@ static int www_body(char *hostname, int s, unsigned char *context)
                                BIO_puts(io,"\n");
                                }
                        ssl_print_sigalgs(io, con);
-                       ssl_print_curves(io, con);
+                       ssl_print_curves(io, con, 0);
                        BIO_printf(io,(SSL_cache_hit(con)
                                ?"---\nReused, "
                                :"---\nNew, "));