2016-05-17 18:18:30 +00:00
|
|
|
/*
|
2021-01-27 19:23:33 +00:00
|
|
|
* Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
|
2017-06-20 14:14:36 +00:00
|
|
|
* Copyright 2005 Nokia. All rights reserved.
|
2001-10-20 17:56:36 +00:00
|
|
|
*
|
2018-12-06 12:00:26 +00:00
|
|
|
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
2016-05-17 18:18:30 +00:00
|
|
|
* this file except in compliance with the License. You can obtain a copy
|
|
|
|
|
* in the file LICENSE in the source distribution or at
|
|
|
|
|
* https://www.openssl.org/source/license.html
|
2001-10-20 17:56:36 +00:00
|
|
|
*/
|
2016-05-17 18:18:30 +00:00
|
|
|
|
2022-02-04 14:13:01 +00:00
|
|
|
#include "internal/e_os.h"
|
2006-03-10 23:06:27 +00:00
|
|
|
#include <ctype.h>
|
1999-07-28 23:25:59 +00:00
|
|
|
#include <stdio.h>
|
|
|
|
|
#include <stdlib.h>
|
|
|
|
|
#include <string.h>
|
2015-12-29 19:25:50 +00:00
|
|
|
#include <errno.h>
|
2001-02-20 14:07:03 +00:00
|
|
|
#include <openssl/e_os2.h>
|
2021-02-20 22:39:30 +00:00
|
|
|
#include "internal/nelem.h"
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
|
2016-03-21 15:32:40 +00:00
|
|
|
#ifndef OPENSSL_NO_SOCK
|
|
|
|
|
|
1999-05-13 11:37:32 +00:00
|
|
|
/*
|
|
|
|
|
* With IPv6, it looks like Digital has mixed up the proper order of
|
|
|
|
|
* recursive header file inclusion, resulting in the compiler complaining
|
|
|
|
|
* that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which is
|
|
|
|
|
* needed to have fileno() declared correctly... So let's define u_int
|
|
|
|
|
*/
|
2001-02-20 08:13:47 +00:00
|
|
|
#if defined(OPENSSL_SYS_VMS_DECC) && !defined(__U_INT)
|
1999-05-13 11:37:32 +00:00
|
|
|
# define __U_INT
|
|
|
|
|
typedef unsigned int u_int;
|
|
|
|
|
#endif
|
|
|
|
|
|
1998-12-21 10:52:47 +00:00
|
|
|
#include "apps.h"
|
2018-01-31 10:13:10 +00:00
|
|
|
#include "progs.h"
|
1999-04-23 22:13:45 +00:00
|
|
|
#include <openssl/x509.h>
|
|
|
|
|
#include <openssl/ssl.h>
|
|
|
|
|
#include <openssl/err.h>
|
|
|
|
|
#include <openssl/pem.h>
|
2001-09-12 02:39:06 +00:00
|
|
|
#include <openssl/rand.h>
|
2007-09-26 21:56:59 +00:00
|
|
|
#include <openssl/ocsp.h>
|
2008-03-16 21:05:46 +00:00
|
|
|
#include <openssl/bn.h>
|
2018-12-11 23:04:44 +00:00
|
|
|
#include <openssl/trace.h>
|
2015-09-16 22:09:15 +00:00
|
|
|
#include <openssl/async.h>
|
2016-03-02 13:34:05 +00:00
|
|
|
#ifndef OPENSSL_NO_CT
|
|
|
|
|
# include <openssl/ct.h>
|
|
|
|
|
#endif
|
1998-12-21 10:52:47 +00:00
|
|
|
#include "s_apps.h"
|
2005-04-26 16:02:40 +00:00
|
|
|
#include "timeouts.h"
|
2017-08-21 21:22:19 +00:00
|
|
|
#include "internal/sockets.h"
|
1998-12-21 10:52:47 +00:00
|
|
|
|
2016-02-22 15:58:36 +00:00
|
|
|
#if defined(__has_feature)
|
|
|
|
|
# if __has_feature(memory_sanitizer)
|
|
|
|
|
# include <sanitizer/msan_interface.h>
|
|
|
|
|
# endif
|
|
|
|
|
#endif
|
|
|
|
|
|
1998-12-21 10:52:47 +00:00
|
|
|
#undef BUFSIZZ
|
|
|
|
|
#define BUFSIZZ 1024*8
|
2015-05-13 20:00:21 +00:00
|
|
|
#define S_CLIENT_IRC_READ_TIMEOUT 8
|
1998-12-21 10:52:47 +00:00
|
|
|
|
2023-03-16 15:08:04 +00:00
|
|
|
#define USER_DATA_MODE_NONE 0
|
|
|
|
|
#define USER_DATA_MODE_BASIC 1
|
|
|
|
|
#define USER_DATA_MODE_ADVANCED 2
|
|
|
|
|
|
|
|
|
|
#define USER_DATA_PROCESS_BAD_ARGUMENT 0
|
|
|
|
|
#define USER_DATA_PROCESS_SHUT 1
|
|
|
|
|
#define USER_DATA_PROCESS_RESTART 2
|
|
|
|
|
#define USER_DATA_PROCESS_NO_DATA 3
|
|
|
|
|
#define USER_DATA_PROCESS_CONTINUE 4
|
|
|
|
|
|
|
|
|
|
struct user_data_st {
|
|
|
|
|
/* SSL connection we are processing commands for */
|
|
|
|
|
SSL *con;
|
|
|
|
|
|
|
|
|
|
/* Buffer where we are storing data supplied by the user */
|
|
|
|
|
char *buf;
|
|
|
|
|
|
|
|
|
|
/* Allocated size of the buffer */
|
|
|
|
|
size_t bufmax;
|
|
|
|
|
|
|
|
|
|
/* Amount of the buffer actually used */
|
|
|
|
|
size_t buflen;
|
|
|
|
|
|
|
|
|
|
/* Current location in the buffer where we will read from next*/
|
|
|
|
|
size_t bufoff;
|
|
|
|
|
|
|
|
|
|
/* The mode we are using for processing commands */
|
|
|
|
|
int mode;
|
2023-03-21 16:52:32 +00:00
|
|
|
|
|
|
|
|
/* Whether FIN has ben sent on the stream */
|
|
|
|
|
int isfin;
|
2023-03-16 15:08:04 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
static void user_data_init(struct user_data_st *user_data, SSL *con, char *buf,
|
|
|
|
|
size_t bufmax, int mode);
|
|
|
|
|
static int user_data_add(struct user_data_st *user_data, size_t i);
|
|
|
|
|
static int user_data_process(struct user_data_st *user_data, size_t *len,
|
|
|
|
|
size_t *off);
|
|
|
|
|
static int user_data_has_data(struct user_data_st *user_data);
|
|
|
|
|
|
2015-12-29 19:25:50 +00:00
|
|
|
static char *prog;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
static int c_debug = 0;
|
1999-03-31 12:06:30 +00:00
|
|
|
static int c_showcerts = 0;
|
2011-11-15 23:50:52 +00:00
|
|
|
static char *keymatexportlabel = NULL;
|
|
|
|
|
static int keymatexportlen = 20;
|
1998-12-21 10:52:47 +00:00
|
|
|
static BIO *bio_c_out = NULL;
|
|
|
|
|
static int c_quiet = 0;
|
2017-01-13 14:25:15 +00:00
|
|
|
static char *sess_out = NULL;
|
2017-06-12 15:57:06 +00:00
|
|
|
static SSL_SESSION *psksess = NULL;
|
1998-12-21 10:52:47 +00:00
|
|
|
|
2016-03-10 19:49:34 +00:00
|
|
|
static void print_stuff(BIO *berr, SSL *con, int full);
|
2016-03-21 16:54:53 +00:00
|
|
|
#ifndef OPENSSL_NO_OCSP
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
static int ocsp_resp_cb(SSL *s, void *arg);
|
2016-03-21 16:54:53 +00:00
|
|
|
#endif
|
2017-02-26 23:44:14 +00:00
|
|
|
static int ldap_ExtendedResponse_parse(const char *buf, long rem);
|
2019-02-06 21:09:15 +00:00
|
|
|
static int is_dNS_name(const char *host);
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
|
2021-01-27 19:23:33 +00:00
|
|
|
static const unsigned char cert_type_rpk[] = { TLSEXT_cert_type_rpk, TLSEXT_cert_type_x509 };
|
|
|
|
|
static int enable_server_rpk = 0;
|
|
|
|
|
|
2015-12-29 19:25:50 +00:00
|
|
|
static int saved_errno;
|
|
|
|
|
|
|
|
|
|
static void save_errno(void)
|
|
|
|
|
{
|
|
|
|
|
saved_errno = errno;
|
|
|
|
|
errno = 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int restore_errno(void)
|
|
|
|
|
{
|
|
|
|
|
int ret = errno;
|
|
|
|
|
errno = saved_errno;
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
2006-03-10 23:06:27 +00:00
|
|
|
/* Default PSK identity and key */
|
|
|
|
|
static char *psk_identity = "Client_identity";
|
|
|
|
|
|
2017-06-13 13:28:45 +00:00
|
|
|
#ifndef OPENSSL_NO_PSK
|
2006-03-10 23:06:27 +00:00
|
|
|
static unsigned int psk_client_cb(SSL *ssl, const char *hint, char *identity,
|
|
|
|
|
unsigned int max_identity_len,
|
|
|
|
|
unsigned char *psk,
|
|
|
|
|
unsigned int max_psk_len)
|
|
|
|
|
{
|
|
|
|
|
int ret;
|
2016-06-08 18:01:42 +00:00
|
|
|
long key_len;
|
|
|
|
|
unsigned char *key;
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2006-03-10 23:06:27 +00:00
|
|
|
if (c_debug)
|
|
|
|
|
BIO_printf(bio_c_out, "psk_client_cb\n");
|
|
|
|
|
if (!hint) {
|
|
|
|
|
/* no ServerKeyExchange message */
|
|
|
|
|
if (c_debug)
|
|
|
|
|
BIO_printf(bio_c_out,
|
|
|
|
|
"NULL received PSK identity hint, continuing anyway\n");
|
2017-06-12 17:24:02 +00:00
|
|
|
} else if (c_debug) {
|
2006-03-10 23:06:27 +00:00
|
|
|
BIO_printf(bio_c_out, "Received PSK identity hint '%s'\n", hint);
|
2017-06-12 17:24:02 +00:00
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2006-03-10 23:06:27 +00:00
|
|
|
/*
|
|
|
|
|
* lookup PSK identity and PSK key based on the given identity hint here
|
|
|
|
|
*/
|
2009-02-15 15:29:59 +00:00
|
|
|
ret = BIO_snprintf(identity, max_identity_len, "%s", psk_identity);
|
2006-03-11 12:18:11 +00:00
|
|
|
if (ret < 0 || (unsigned int)ret > max_identity_len)
|
2006-03-10 23:06:27 +00:00
|
|
|
goto out_err;
|
|
|
|
|
if (c_debug)
|
|
|
|
|
BIO_printf(bio_c_out, "created identity '%s' len=%d\n", identity,
|
|
|
|
|
ret);
|
2016-06-08 18:01:42 +00:00
|
|
|
|
|
|
|
|
/* convert the PSK key to binary */
|
|
|
|
|
key = OPENSSL_hexstr2buf(psk_key, &key_len);
|
|
|
|
|
if (key == NULL) {
|
|
|
|
|
BIO_printf(bio_err, "Could not convert PSK key '%s' to buffer\n",
|
2006-03-10 23:06:27 +00:00
|
|
|
psk_key);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
2017-03-14 16:37:42 +00:00
|
|
|
if (max_psk_len > INT_MAX || key_len > (long)max_psk_len) {
|
2006-03-10 23:06:27 +00:00
|
|
|
BIO_printf(bio_err,
|
2016-06-08 18:01:42 +00:00
|
|
|
"psk buffer of callback is too small (%d) for key (%ld)\n",
|
|
|
|
|
max_psk_len, key_len);
|
|
|
|
|
OPENSSL_free(key);
|
2006-03-10 23:06:27 +00:00
|
|
|
return 0;
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
2006-03-10 23:06:27 +00:00
|
|
|
|
2016-06-08 18:01:42 +00:00
|
|
|
memcpy(psk, key, key_len);
|
|
|
|
|
OPENSSL_free(key);
|
2006-03-10 23:06:27 +00:00
|
|
|
|
|
|
|
|
if (c_debug)
|
2016-06-08 18:01:42 +00:00
|
|
|
BIO_printf(bio_c_out, "created PSK len=%ld\n", key_len);
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2016-06-08 18:01:42 +00:00
|
|
|
return key_len;
|
2006-03-10 23:06:27 +00:00
|
|
|
out_err:
|
|
|
|
|
if (c_debug)
|
|
|
|
|
BIO_printf(bio_err, "Error in PSK client callback\n");
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
|
2017-06-21 10:58:10 +00:00
|
|
|
const unsigned char tls13_aes128gcmsha256_id[] = { 0x13, 0x01 };
|
|
|
|
|
const unsigned char tls13_aes256gcmsha384_id[] = { 0x13, 0x02 };
|
2017-06-12 18:12:13 +00:00
|
|
|
|
2017-06-12 15:57:06 +00:00
|
|
|
static int psk_use_session_cb(SSL *s, const EVP_MD *md,
|
|
|
|
|
const unsigned char **id, size_t *idlen,
|
|
|
|
|
SSL_SESSION **sess)
|
|
|
|
|
{
|
2017-06-12 18:12:13 +00:00
|
|
|
SSL_SESSION *usesess = NULL;
|
|
|
|
|
const SSL_CIPHER *cipher = NULL;
|
|
|
|
|
|
|
|
|
|
if (psksess != NULL) {
|
|
|
|
|
SSL_SESSION_up_ref(psksess);
|
|
|
|
|
usesess = psksess;
|
|
|
|
|
} else {
|
|
|
|
|
long key_len;
|
|
|
|
|
unsigned char *key = OPENSSL_hexstr2buf(psk_key, &key_len);
|
|
|
|
|
|
|
|
|
|
if (key == NULL) {
|
|
|
|
|
BIO_printf(bio_err, "Could not convert PSK key '%s' to buffer\n",
|
|
|
|
|
psk_key);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2018-03-06 14:12:10 +00:00
|
|
|
/* We default to SHA-256 */
|
|
|
|
|
cipher = SSL_CIPHER_find(s, tls13_aes128gcmsha256_id);
|
2017-06-12 18:12:13 +00:00
|
|
|
if (cipher == NULL) {
|
2018-03-06 14:12:10 +00:00
|
|
|
BIO_printf(bio_err, "Error finding suitable ciphersuite\n");
|
2018-05-29 15:05:10 +00:00
|
|
|
OPENSSL_free(key);
|
2018-03-06 14:12:10 +00:00
|
|
|
return 0;
|
2017-06-12 18:12:13 +00:00
|
|
|
}
|
2018-03-06 14:12:10 +00:00
|
|
|
|
2017-06-12 18:12:13 +00:00
|
|
|
usesess = SSL_SESSION_new();
|
|
|
|
|
if (usesess == NULL
|
|
|
|
|
|| !SSL_SESSION_set1_master_key(usesess, key, key_len)
|
|
|
|
|
|| !SSL_SESSION_set_cipher(usesess, cipher)
|
|
|
|
|
|| !SSL_SESSION_set_protocol_version(usesess, TLS1_3_VERSION)) {
|
|
|
|
|
OPENSSL_free(key);
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
OPENSSL_free(key);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
cipher = SSL_SESSION_get0_cipher(usesess);
|
2017-06-12 15:57:06 +00:00
|
|
|
if (cipher == NULL)
|
2017-06-12 18:12:13 +00:00
|
|
|
goto err;
|
2017-06-12 15:57:06 +00:00
|
|
|
|
2017-06-16 15:26:25 +00:00
|
|
|
if (md != NULL && SSL_CIPHER_get_handshake_digest(cipher) != md) {
|
|
|
|
|
/* PSK not usable, ignore it */
|
|
|
|
|
*id = NULL;
|
|
|
|
|
*idlen = 0;
|
|
|
|
|
*sess = NULL;
|
|
|
|
|
SSL_SESSION_free(usesess);
|
|
|
|
|
} else {
|
|
|
|
|
*sess = usesess;
|
|
|
|
|
*id = (unsigned char *)psk_identity;
|
|
|
|
|
*idlen = strlen(psk_identity);
|
|
|
|
|
}
|
2017-06-12 15:57:06 +00:00
|
|
|
|
|
|
|
|
return 1;
|
2017-06-12 18:12:13 +00:00
|
|
|
|
|
|
|
|
err:
|
|
|
|
|
SSL_SESSION_free(usesess);
|
|
|
|
|
return 0;
|
2017-06-12 15:57:06 +00:00
|
|
|
}
|
|
|
|
|
|
2006-01-02 23:14:37 +00:00
|
|
|
/* This is a context that we pass to callbacks */
|
|
|
|
|
typedef struct tlsextctx_st {
|
|
|
|
|
BIO *biodebug;
|
|
|
|
|
int ack;
|
|
|
|
|
} tlsextctx;
|
|
|
|
|
|
2015-01-12 22:29:26 +00:00
|
|
|
static int ssl_servername_cb(SSL *s, int *ad, void *arg)
|
2006-01-02 23:29:12 +00:00
|
|
|
{
|
2006-01-02 23:14:37 +00:00
|
|
|
tlsextctx *p = (tlsextctx *) arg;
|
2006-01-04 12:02:43 +00:00
|
|
|
const char *hn = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
|
2006-01-02 23:14:37 +00:00
|
|
|
if (SSL_get_servername_type(s) != -1)
|
|
|
|
|
p->ack = !SSL_session_reused(s) && hn != NULL;
|
|
|
|
|
else
|
2006-01-03 03:27:19 +00:00
|
|
|
BIO_printf(bio_err, "Can't use SSL_get_servername\n");
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2006-01-11 06:10:40 +00:00
|
|
|
return SSL_TLSEXT_ERR_OK;
|
2006-01-02 23:29:12 +00:00
|
|
|
}
|
2010-07-28 10:06:55 +00:00
|
|
|
|
2015-05-15 09:49:56 +00:00
|
|
|
#ifndef OPENSSL_NO_NEXTPROTONEG
|
2010-07-28 10:06:55 +00:00
|
|
|
/* This the context that we pass to next_proto_cb */
|
|
|
|
|
typedef struct tlsextnextprotoctx_st {
|
|
|
|
|
unsigned char *data;
|
2016-03-05 13:47:55 +00:00
|
|
|
size_t len;
|
2010-07-28 10:06:55 +00:00
|
|
|
int status;
|
|
|
|
|
} tlsextnextprotoctx;
|
|
|
|
|
|
|
|
|
|
static tlsextnextprotoctx next_proto;
|
|
|
|
|
|
|
|
|
|
static int next_proto_cb(SSL *s, unsigned char **out, unsigned char *outlen,
|
|
|
|
|
const unsigned char *in, unsigned int inlen,
|
|
|
|
|
void *arg)
|
|
|
|
|
{
|
|
|
|
|
tlsextnextprotoctx *ctx = arg;
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2010-07-28 10:06:55 +00:00
|
|
|
if (!c_quiet) {
|
|
|
|
|
/* We can assume that |in| is syntactically valid. */
|
|
|
|
|
unsigned i;
|
|
|
|
|
BIO_printf(bio_c_out, "Protocols advertised by server: ");
|
|
|
|
|
for (i = 0; i < inlen;) {
|
|
|
|
|
if (i)
|
|
|
|
|
BIO_write(bio_c_out, ", ", 2);
|
|
|
|
|
BIO_write(bio_c_out, &in[i + 1], in[i]);
|
|
|
|
|
i += in[i] + 1;
|
|
|
|
|
}
|
|
|
|
|
BIO_write(bio_c_out, "\n", 1);
|
|
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2014-08-19 13:02:50 +00:00
|
|
|
ctx->status =
|
|
|
|
|
SSL_select_next_proto(out, outlen, in, inlen, ctx->data, ctx->len);
|
2013-05-13 01:55:27 +00:00
|
|
|
return SSL_TLSEXT_ERR_OK;
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
2015-05-15 09:49:56 +00:00
|
|
|
#endif /* ndef OPENSSL_NO_NEXTPROTONEG */
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2013-09-25 12:55:06 +00:00
|
|
|
static int serverinfo_cli_parse_cb(SSL *s, unsigned int ext_type,
|
2013-05-13 01:55:27 +00:00
|
|
|
const unsigned char *in, size_t inlen,
|
|
|
|
|
int *al, void *arg)
|
2007-02-16 18:12:16 +00:00
|
|
|
{
|
2013-05-13 01:55:27 +00:00
|
|
|
char pem_name[100];
|
|
|
|
|
unsigned char ext_buf[4 + 65536];
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2013-05-13 01:55:27 +00:00
|
|
|
/* Reconstruct the type/len fields prior to extension data */
|
2017-11-11 21:23:12 +00:00
|
|
|
inlen &= 0xffff; /* for formal memcmpy correctness */
|
|
|
|
|
ext_buf[0] = (unsigned char)(ext_type >> 8);
|
|
|
|
|
ext_buf[1] = (unsigned char)(ext_type);
|
|
|
|
|
ext_buf[2] = (unsigned char)(inlen >> 8);
|
|
|
|
|
ext_buf[3] = (unsigned char)(inlen);
|
2013-05-13 01:55:27 +00:00
|
|
|
memcpy(ext_buf + 4, in, inlen);
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2013-09-25 12:55:06 +00:00
|
|
|
BIO_snprintf(pem_name, sizeof(pem_name), "SERVERINFO FOR EXTENSION %d",
|
|
|
|
|
ext_type);
|
2013-05-13 01:55:27 +00:00
|
|
|
PEM_write_bio(bio_c_out, pem_name, "", ext_buf, 4 + inlen);
|
|
|
|
|
return 1;
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
|
|
|
|
|
2015-12-29 19:25:50 +00:00
|
|
|
/*
|
|
|
|
|
* Hex decoder that tolerates optional whitespace. Returns number of bytes
|
|
|
|
|
* produced, advances inptr to end of input string.
|
|
|
|
|
*/
|
|
|
|
|
static ossl_ssize_t hexdecode(const char **inptr, void *result)
|
|
|
|
|
{
|
|
|
|
|
unsigned char **out = (unsigned char **)result;
|
|
|
|
|
const char *in = *inptr;
|
2016-08-07 10:04:26 +00:00
|
|
|
unsigned char *ret = app_malloc(strlen(in) / 2, "hexdecode");
|
2015-12-29 19:25:50 +00:00
|
|
|
unsigned char *cp = ret;
|
|
|
|
|
uint8_t byte;
|
|
|
|
|
int nibble = 0;
|
|
|
|
|
|
|
|
|
|
if (ret == NULL)
|
|
|
|
|
return -1;
|
|
|
|
|
|
|
|
|
|
for (byte = 0; *in; ++in) {
|
2016-05-12 19:52:58 +00:00
|
|
|
int x;
|
2015-12-29 19:25:50 +00:00
|
|
|
|
2016-02-14 12:02:15 +00:00
|
|
|
if (isspace(_UC(*in)))
|
2015-12-29 19:25:50 +00:00
|
|
|
continue;
|
2016-05-12 19:52:58 +00:00
|
|
|
x = OPENSSL_hexchar2int(*in);
|
|
|
|
|
if (x < 0) {
|
2015-12-29 19:25:50 +00:00
|
|
|
OPENSSL_free(ret);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
2016-05-12 19:52:58 +00:00
|
|
|
byte |= (char)x;
|
2015-12-29 19:25:50 +00:00
|
|
|
if ((nibble ^= 1) == 0) {
|
|
|
|
|
*cp++ = byte;
|
|
|
|
|
byte = 0;
|
|
|
|
|
} else {
|
|
|
|
|
byte <<= 4;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if (nibble != 0) {
|
|
|
|
|
OPENSSL_free(ret);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
*inptr = in;
|
|
|
|
|
|
|
|
|
|
return cp - (*out = ret);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Decode unsigned 0..255, returns 1 on success, <= 0 on failure. Advances
|
|
|
|
|
* inptr to next field skipping leading whitespace.
|
|
|
|
|
*/
|
|
|
|
|
static ossl_ssize_t checked_uint8(const char **inptr, void *out)
|
|
|
|
|
{
|
|
|
|
|
uint8_t *result = (uint8_t *)out;
|
|
|
|
|
const char *in = *inptr;
|
|
|
|
|
char *endp;
|
|
|
|
|
long v;
|
|
|
|
|
int e;
|
|
|
|
|
|
|
|
|
|
save_errno();
|
|
|
|
|
v = strtol(in, &endp, 10);
|
|
|
|
|
e = restore_errno();
|
|
|
|
|
|
|
|
|
|
if (((v == LONG_MIN || v == LONG_MAX) && e == ERANGE) ||
|
2016-02-14 12:02:15 +00:00
|
|
|
endp == in || !isspace(_UC(*endp)) ||
|
2015-12-29 19:25:50 +00:00
|
|
|
v != (*result = (uint8_t) v)) {
|
|
|
|
|
return -1;
|
|
|
|
|
}
|
2016-02-14 12:02:15 +00:00
|
|
|
for (in = endp; isspace(_UC(*in)); ++in)
|
2015-12-29 19:25:50 +00:00
|
|
|
continue;
|
|
|
|
|
|
|
|
|
|
*inptr = in;
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
2016-01-08 15:36:37 +00:00
|
|
|
struct tlsa_field {
|
|
|
|
|
void *var;
|
|
|
|
|
const char *name;
|
|
|
|
|
ossl_ssize_t (*parser)(const char **, void *);
|
|
|
|
|
};
|
|
|
|
|
|
2015-12-29 19:25:50 +00:00
|
|
|
static int tlsa_import_rr(SSL *con, const char *rrdata)
|
|
|
|
|
{
|
2016-01-08 15:36:37 +00:00
|
|
|
/* Not necessary to re-init these values; the "parsers" do that. */
|
|
|
|
|
static uint8_t usage;
|
|
|
|
|
static uint8_t selector;
|
|
|
|
|
static uint8_t mtype;
|
|
|
|
|
static unsigned char *data;
|
2016-01-08 18:06:01 +00:00
|
|
|
static struct tlsa_field tlsa_fields[] = {
|
2015-12-29 19:25:50 +00:00
|
|
|
{ &usage, "usage", checked_uint8 },
|
|
|
|
|
{ &selector, "selector", checked_uint8 },
|
|
|
|
|
{ &mtype, "mtype", checked_uint8 },
|
|
|
|
|
{ &data, "data", hexdecode },
|
|
|
|
|
{ NULL, }
|
|
|
|
|
};
|
|
|
|
|
struct tlsa_field *f;
|
2016-01-08 15:36:37 +00:00
|
|
|
int ret;
|
|
|
|
|
const char *cp = rrdata;
|
|
|
|
|
ossl_ssize_t len = 0;
|
2015-12-29 19:25:50 +00:00
|
|
|
|
|
|
|
|
for (f = tlsa_fields; f->var; ++f) {
|
|
|
|
|
/* Returns number of bytes produced, advances cp to next field */
|
|
|
|
|
if ((len = f->parser(&cp, f->var)) <= 0) {
|
|
|
|
|
BIO_printf(bio_err, "%s: warning: bad TLSA %s field in: %s\n",
|
|
|
|
|
prog, f->name, rrdata);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
/* The data field is last, so len is its length */
|
|
|
|
|
ret = SSL_dane_tlsa_add(con, usage, selector, mtype, data, len);
|
|
|
|
|
OPENSSL_free(data);
|
|
|
|
|
|
|
|
|
|
if (ret == 0) {
|
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
|
BIO_printf(bio_err, "%s: warning: unusable TLSA rrdata: %s\n",
|
|
|
|
|
prog, rrdata);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
if (ret < 0) {
|
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
|
BIO_printf(bio_err, "%s: warning: error loading TLSA rrdata: %s\n",
|
|
|
|
|
prog, rrdata);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int tlsa_import_rrset(SSL *con, STACK_OF(OPENSSL_STRING) *rrset)
|
|
|
|
|
{
|
|
|
|
|
int num = sk_OPENSSL_STRING_num(rrset);
|
|
|
|
|
int count = 0;
|
|
|
|
|
int i;
|
|
|
|
|
|
|
|
|
|
for (i = 0; i < num; ++i) {
|
|
|
|
|
char *rrdata = sk_OPENSSL_STRING_value(rrset, i);
|
|
|
|
|
if (tlsa_import_rr(con, rrdata) > 0)
|
|
|
|
|
++count;
|
|
|
|
|
}
|
|
|
|
|
return count > 0;
|
|
|
|
|
}
|
|
|
|
|
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
typedef enum OPTION_choice {
|
2021-05-01 13:29:00 +00:00
|
|
|
OPT_COMMON,
|
2018-02-08 09:49:02 +00:00
|
|
|
OPT_4, OPT_6, OPT_HOST, OPT_PORT, OPT_CONNECT, OPT_BIND, OPT_UNIX,
|
2017-02-21 11:22:55 +00:00
|
|
|
OPT_XMPPHOST, OPT_VERIFY, OPT_NAMEOPT,
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
OPT_CERT, OPT_CRL, OPT_CRL_DOWNLOAD, OPT_SESS_OUT, OPT_SESS_IN,
|
|
|
|
|
OPT_CERTFORM, OPT_CRLFORM, OPT_VERIFY_RET_ERROR, OPT_VERIFY_QUIET,
|
2021-11-23 22:27:35 +00:00
|
|
|
OPT_BRIEF, OPT_PREXIT, OPT_NO_INTERACTIVE, OPT_CRLF, OPT_QUIET, OPT_NBIO,
|
2017-07-05 14:58:48 +00:00
|
|
|
OPT_SSL_CLIENT_ENGINE, OPT_IGN_EOF, OPT_NO_IGN_EOF,
|
2016-01-14 04:11:01 +00:00
|
|
|
OPT_DEBUG, OPT_TLSEXTDEBUG, OPT_STATUS, OPT_WDEBUG,
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
OPT_MSG, OPT_MSGFILE, OPT_ENGINE, OPT_TRACE, OPT_SECURITY_DEBUG,
|
|
|
|
|
OPT_SECURITY_DEBUG_VERBOSE, OPT_SHOWCERTS, OPT_NBIO_TEST, OPT_STATE,
|
2017-06-21 11:17:30 +00:00
|
|
|
OPT_PSK_IDENTITY, OPT_PSK, OPT_PSK_SESS,
|
2016-03-18 18:02:17 +00:00
|
|
|
#ifndef OPENSSL_NO_SRP
|
|
|
|
|
OPT_SRPUSER, OPT_SRPPASS, OPT_SRP_STRENGTH, OPT_SRP_LATEUSER,
|
|
|
|
|
OPT_SRP_MOREGROUPS,
|
|
|
|
|
#endif
|
|
|
|
|
OPT_SSL3, OPT_SSL_CONFIG,
|
2016-10-21 16:39:33 +00:00
|
|
|
OPT_TLS1_3, OPT_TLS1_2, OPT_TLS1_1, OPT_TLS1, OPT_DTLS, OPT_DTLS1,
|
2023-03-09 17:06:33 +00:00
|
|
|
OPT_DTLS1_2, OPT_QUIC, OPT_SCTP, OPT_TIMEOUT, OPT_MTU, OPT_KEYFORM,
|
|
|
|
|
OPT_PASS, OPT_CERT_CHAIN, OPT_KEY, OPT_RECONNECT, OPT_BUILD_CHAIN,
|
2019-03-07 14:26:34 +00:00
|
|
|
OPT_NEXTPROTONEG, OPT_ALPN,
|
|
|
|
|
OPT_CAPATH, OPT_NOCAPATH, OPT_CHAINCAPATH, OPT_VERIFYCAPATH,
|
|
|
|
|
OPT_CAFILE, OPT_NOCAFILE, OPT_CHAINCAFILE, OPT_VERIFYCAFILE,
|
|
|
|
|
OPT_CASTORE, OPT_NOCASTORE, OPT_CHAINCASTORE, OPT_VERIFYCASTORE,
|
2017-04-06 21:47:18 +00:00
|
|
|
OPT_SERVERINFO, OPT_STARTTLS, OPT_SERVERNAME, OPT_NOSERVERNAME, OPT_ASYNC,
|
2017-10-16 19:32:24 +00:00
|
|
|
OPT_USE_SRTP, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN, OPT_PROTOHOST,
|
2017-11-05 16:46:48 +00:00
|
|
|
OPT_MAXFRAGLEN, OPT_MAX_SEND_FRAG, OPT_SPLIT_SEND_FRAG, OPT_MAX_PIPELINES,
|
|
|
|
|
OPT_READ_BUF, OPT_KEYLOG_FILE, OPT_EARLY_DATA, OPT_REQCAFILE,
|
2021-09-08 20:23:04 +00:00
|
|
|
OPT_TFO,
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
OPT_V_ENUM,
|
|
|
|
|
OPT_X_ENUM,
|
2020-05-05 13:20:42 +00:00
|
|
|
OPT_S_ENUM, OPT_IGNORE_UNEXPECTED_EOF,
|
2023-03-16 15:08:04 +00:00
|
|
|
OPT_FALLBACKSCSV, OPT_NOCMDS, OPT_ADV, OPT_PROXY, OPT_PROXY_USER,
|
|
|
|
|
OPT_PROXY_PASS, OPT_DANE_TLSA_DOMAIN,
|
2016-03-02 13:34:05 +00:00
|
|
|
#ifndef OPENSSL_NO_CT
|
2016-04-07 18:17:37 +00:00
|
|
|
OPT_CT, OPT_NOCT, OPT_CTLOG_FILE,
|
2016-03-02 13:34:05 +00:00
|
|
|
#endif
|
2017-07-05 14:58:48 +00:00
|
|
|
OPT_DANE_TLSA_RRDATA, OPT_DANE_EE_NO_NAME,
|
2018-08-13 14:23:27 +00:00
|
|
|
OPT_ENABLE_PHA,
|
2021-01-27 19:23:33 +00:00
|
|
|
OPT_ENABLE_SERVER_RPK,
|
|
|
|
|
OPT_ENABLE_CLIENT_RPK,
|
2018-12-26 11:44:53 +00:00
|
|
|
OPT_SCTP_LABEL_BUG,
|
2021-09-15 03:00:50 +00:00
|
|
|
OPT_KTLS,
|
2020-02-25 04:29:30 +00:00
|
|
|
OPT_R_ENUM, OPT_PROV_ENUM
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
} OPTION_CHOICE;
|
|
|
|
|
|
2016-03-13 13:07:50 +00:00
|
|
|
const OPTIONS s_client_options[] = {
|
2019-09-20 01:33:17 +00:00
|
|
|
{OPT_HELP_STR, 1, '-', "Usage: %s [options] [host:port]\n"},
|
|
|
|
|
|
2019-11-07 20:08:30 +00:00
|
|
|
OPT_SECTION("General"),
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
{"help", OPT_HELP, '-', "Display this summary"},
|
2019-11-07 20:08:30 +00:00
|
|
|
#ifndef OPENSSL_NO_ENGINE
|
|
|
|
|
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
|
|
|
|
|
{"ssl_client_engine", OPT_SSL_CLIENT_ENGINE, 's',
|
|
|
|
|
"Specify engine to be used for client certificate operations"},
|
|
|
|
|
#endif
|
2020-02-03 21:06:42 +00:00
|
|
|
{"ssl_config", OPT_SSL_CONFIG, 's', "Use specified section for SSL_CTX configuration"},
|
2019-11-07 20:08:30 +00:00
|
|
|
#ifndef OPENSSL_NO_CT
|
|
|
|
|
{"ct", OPT_CT, '-', "Request and parse SCTs (also enables OCSP stapling)"},
|
|
|
|
|
{"noct", OPT_NOCT, '-', "Do not request or parse SCTs (default)"},
|
|
|
|
|
{"ctlogfile", OPT_CTLOG_FILE, '<', "CT log list CONF file"},
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
OPT_SECTION("Network"),
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
{"host", OPT_HOST, 's', "Use -connect instead"},
|
|
|
|
|
{"port", OPT_PORT, 'p', "Use -connect instead"},
|
|
|
|
|
{"connect", OPT_CONNECT, 's',
|
2020-08-16 13:25:27 +00:00
|
|
|
"TCP/IP where to connect; default: " PORT ")"},
|
2018-02-08 09:49:02 +00:00
|
|
|
{"bind", OPT_BIND, 's', "bind local address for connection"},
|
2015-05-08 19:34:07 +00:00
|
|
|
{"proxy", OPT_PROXY, 's',
|
|
|
|
|
"Connect to via specified proxy to the real server"},
|
2019-01-03 00:32:00 +00:00
|
|
|
{"proxy_user", OPT_PROXY_USER, 's', "UserID for proxy authentication"},
|
|
|
|
|
{"proxy_pass", OPT_PROXY_PASS, 's', "Proxy authentication password source"},
|
2016-02-02 23:47:42 +00:00
|
|
|
#ifdef AF_UNIX
|
2016-11-12 20:08:32 +00:00
|
|
|
{"unix", OPT_UNIX, 's', "Connect over the specified Unix-domain socket"},
|
2016-02-02 23:47:42 +00:00
|
|
|
#endif
|
|
|
|
|
{"4", OPT_4, '-', "Use IPv4 only"},
|
2016-06-08 16:22:14 +00:00
|
|
|
#ifdef AF_INET6
|
2016-02-02 23:47:42 +00:00
|
|
|
{"6", OPT_6, '-', "Use IPv6 only"},
|
2016-06-08 16:22:14 +00:00
|
|
|
#endif
|
2019-11-07 20:08:30 +00:00
|
|
|
{"maxfraglen", OPT_MAXFRAGLEN, 'p',
|
|
|
|
|
"Enable Maximum Fragment Length Negotiation (len values: 512, 1024, 2048 and 4096)"},
|
|
|
|
|
{"max_send_frag", OPT_MAX_SEND_FRAG, 'p', "Maximum Size of send frames "},
|
|
|
|
|
{"split_send_frag", OPT_SPLIT_SEND_FRAG, 'p',
|
|
|
|
|
"Size used to split data for encrypt pipelines"},
|
|
|
|
|
{"max_pipelines", OPT_MAX_PIPELINES, 'p',
|
|
|
|
|
"Maximum number of encrypt/decrypt pipelines to be used"},
|
|
|
|
|
{"read_buf", OPT_READ_BUF, 'p',
|
|
|
|
|
"Default read buffer size to be used for connections"},
|
|
|
|
|
{"fallback_scsv", OPT_FALLBACKSCSV, '-', "Send the fallback SCSV"},
|
|
|
|
|
|
|
|
|
|
OPT_SECTION("Identity"),
|
2020-03-06 20:46:33 +00:00
|
|
|
{"cert", OPT_CERT, '<', "Client certificate file to use"},
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
{"certform", OPT_CERTFORM, 'F',
|
2020-05-06 11:51:50 +00:00
|
|
|
"Client certificate file format (PEM/DER/P12); has no effect"},
|
2020-03-06 20:46:33 +00:00
|
|
|
{"cert_chain", OPT_CERT_CHAIN, '<',
|
|
|
|
|
"Client certificate chain file (in PEM format)"},
|
|
|
|
|
{"build_chain", OPT_BUILD_CHAIN, '-', "Build client certificate chain"},
|
2020-08-16 13:25:27 +00:00
|
|
|
{"key", OPT_KEY, 's', "Private key file to use; default: -cert file"},
|
2020-05-06 11:51:50 +00:00
|
|
|
{"keyform", OPT_KEYFORM, 'E', "Key format (ENGINE, other values ignored)"},
|
2020-08-16 13:25:27 +00:00
|
|
|
{"pass", OPT_PASS, 's', "Private key and cert file pass phrase source"},
|
2020-03-06 20:46:33 +00:00
|
|
|
{"verify", OPT_VERIFY, 'p', "Turn on peer certificate verification"},
|
|
|
|
|
{"nameopt", OPT_NAMEOPT, 's', "Certificate subject/issuer name printing options"},
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
{"CApath", OPT_CAPATH, '/', "PEM format directory of CA's"},
|
|
|
|
|
{"CAfile", OPT_CAFILE, '<', "PEM format file of CA's"},
|
2020-03-02 05:35:02 +00:00
|
|
|
{"CAstore", OPT_CASTORE, ':', "URI to store of CA's"},
|
2015-09-22 15:00:52 +00:00
|
|
|
{"no-CAfile", OPT_NOCAFILE, '-',
|
|
|
|
|
"Do not load the default certificates file"},
|
|
|
|
|
{"no-CApath", OPT_NOCAPATH, '-',
|
|
|
|
|
"Do not load certificates from the default certificates directory"},
|
2020-03-02 05:35:02 +00:00
|
|
|
{"no-CAstore", OPT_NOCASTORE, '-',
|
2019-03-07 14:26:34 +00:00
|
|
|
"Do not load certificates from the default certificates store"},
|
2017-03-20 18:32:43 +00:00
|
|
|
{"requestCAfile", OPT_REQCAFILE, '<',
|
2017-03-31 16:04:28 +00:00
|
|
|
"PEM format file of CA names to send to the server"},
|
2021-09-08 20:23:04 +00:00
|
|
|
#if defined(TCP_FASTOPEN) && !defined(OPENSSL_NO_TFO)
|
|
|
|
|
{"tfo", OPT_TFO, '-', "Connect using TCP Fast Open"},
|
|
|
|
|
#endif
|
2015-12-29 19:25:50 +00:00
|
|
|
{"dane_tlsa_domain", OPT_DANE_TLSA_DOMAIN, 's', "DANE TLSA base domain"},
|
|
|
|
|
{"dane_tlsa_rrdata", OPT_DANE_TLSA_RRDATA, 's',
|
|
|
|
|
"DANE TLSA rrdata presentation form"},
|
2016-08-19 15:59:47 +00:00
|
|
|
{"dane_ee_no_namechecks", OPT_DANE_EE_NO_NAME, '-',
|
|
|
|
|
"Disable name checks when matching DANE-EE(3) TLSA records"},
|
2019-11-07 20:08:30 +00:00
|
|
|
{"psk_identity", OPT_PSK_IDENTITY, 's', "PSK identity"},
|
|
|
|
|
{"psk", OPT_PSK, 's', "PSK in hex (without 0x)"},
|
|
|
|
|
{"psk_session", OPT_PSK_SESS, '<', "File to read PSK SSL session from"},
|
|
|
|
|
{"name", OPT_PROTOHOST, 's',
|
|
|
|
|
"Hostname to use for \"-starttls lmtp\", \"-starttls smtp\" or \"-starttls xmpp[-server]\""},
|
|
|
|
|
|
|
|
|
|
OPT_SECTION("Session"),
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
{"reconnect", OPT_RECONNECT, '-',
|
|
|
|
|
"Drop and re-make the connection with the same Session-ID"},
|
2019-11-07 20:08:30 +00:00
|
|
|
{"sess_out", OPT_SESS_OUT, '>', "File to write SSL session to"},
|
|
|
|
|
{"sess_in", OPT_SESS_IN, '<', "File to read SSL session from"},
|
|
|
|
|
|
|
|
|
|
OPT_SECTION("Input/Output"),
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
{"crlf", OPT_CRLF, '-', "Convert LF from terminal into CRLF"},
|
|
|
|
|
{"quiet", OPT_QUIET, '-', "No s_client output"},
|
|
|
|
|
{"ign_eof", OPT_IGN_EOF, '-', "Ignore input eof (default when -quiet)"},
|
|
|
|
|
{"no_ign_eof", OPT_NO_IGN_EOF, '-', "Don't ignore input eof"},
|
|
|
|
|
{"starttls", OPT_STARTTLS, 's',
|
2015-05-13 20:00:21 +00:00
|
|
|
"Use the appropriate STARTTLS command before starting TLS"},
|
2015-07-29 21:41:00 +00:00
|
|
|
{"xmpphost", OPT_XMPPHOST, 's',
|
2017-10-16 19:32:24 +00:00
|
|
|
"Alias of -name option for \"-starttls xmpp[-server]\""},
|
2016-02-18 17:23:27 +00:00
|
|
|
{"brief", OPT_BRIEF, '-',
|
|
|
|
|
"Restrict output to brief summary of connection parameters"},
|
|
|
|
|
{"prexit", OPT_PREXIT, '-',
|
|
|
|
|
"Print session information when the program exits"},
|
2021-11-23 22:27:35 +00:00
|
|
|
{"no-interactive", OPT_NO_INTERACTIVE, '-',
|
|
|
|
|
"Don't run the client in the interactive mode"},
|
2019-11-07 20:08:30 +00:00
|
|
|
|
|
|
|
|
OPT_SECTION("Debug"),
|
|
|
|
|
{"showcerts", OPT_SHOWCERTS, '-',
|
|
|
|
|
"Show all certificates sent by the server"},
|
|
|
|
|
{"debug", OPT_DEBUG, '-', "Extra output"},
|
|
|
|
|
{"msg", OPT_MSG, '-', "Show protocol messages"},
|
|
|
|
|
{"msgfile", OPT_MSGFILE, '>',
|
|
|
|
|
"File to send output of -msg or -trace, instead of stdout"},
|
|
|
|
|
{"nbio_test", OPT_NBIO_TEST, '-', "More ssl protocol testing"},
|
|
|
|
|
{"state", OPT_STATE, '-', "Print the ssl states"},
|
|
|
|
|
{"keymatexport", OPT_KEYMATEXPORT, 's',
|
|
|
|
|
"Export keying material using label"},
|
|
|
|
|
{"keymatexportlen", OPT_KEYMATEXPORTLEN, 'p',
|
2020-08-16 13:25:27 +00:00
|
|
|
"Export len bytes of keying material; default 20"},
|
2016-02-18 17:23:27 +00:00
|
|
|
{"security_debug", OPT_SECURITY_DEBUG, '-',
|
|
|
|
|
"Enable security debug messages"},
|
|
|
|
|
{"security_debug_verbose", OPT_SECURITY_DEBUG_VERBOSE, '-',
|
|
|
|
|
"Output more security debug output"},
|
2019-11-07 20:08:30 +00:00
|
|
|
#ifndef OPENSSL_NO_SSL_TRACE
|
|
|
|
|
{"trace", OPT_TRACE, '-', "Show trace output of protocol messages"},
|
|
|
|
|
#endif
|
|
|
|
|
#ifdef WATT32
|
|
|
|
|
{"wdebug", OPT_WDEBUG, '-', "WATT-32 tcp debugging"},
|
|
|
|
|
#endif
|
|
|
|
|
{"keylogfile", OPT_KEYLOG_FILE, '>', "Write TLS secrets to file"},
|
2015-05-15 17:50:38 +00:00
|
|
|
{"nocommands", OPT_NOCMDS, '-', "Do not use interactive command letters"},
|
2023-03-16 15:08:04 +00:00
|
|
|
{"adv", OPT_ADV, '-', "Advanced command mode"},
|
2015-05-15 17:50:38 +00:00
|
|
|
{"servername", OPT_SERVERNAME, 's',
|
2017-06-13 12:18:55 +00:00
|
|
|
"Set TLS extension servername (SNI) in ClientHello (default)"},
|
2017-02-13 13:26:37 +00:00
|
|
|
{"noservername", OPT_NOSERVERNAME, '-',
|
|
|
|
|
"Do not send the server name (SNI) extension in the ClientHello"},
|
2015-05-15 17:50:38 +00:00
|
|
|
{"tlsextdebug", OPT_TLSEXTDEBUG, '-',
|
|
|
|
|
"Hex dump of all TLS extensions received"},
|
2020-05-05 13:20:42 +00:00
|
|
|
{"ignore_unexpected_eof", OPT_IGNORE_UNEXPECTED_EOF, '-',
|
|
|
|
|
"Do not treat lack of close_notify from a peer as an error"},
|
2016-03-21 16:54:53 +00:00
|
|
|
#ifndef OPENSSL_NO_OCSP
|
2015-05-15 17:50:38 +00:00
|
|
|
{"status", OPT_STATUS, '-', "Request certificate status from server"},
|
2016-03-21 16:54:53 +00:00
|
|
|
#endif
|
2015-05-15 17:50:38 +00:00
|
|
|
{"serverinfo", OPT_SERVERINFO, 's',
|
|
|
|
|
"types Send empty ClientHello extensions (comma-separated numbers)"},
|
|
|
|
|
{"alpn", OPT_ALPN, 's',
|
|
|
|
|
"Enable ALPN extension, considering named protocols supported (comma-separated list)"},
|
2015-02-13 23:33:12 +00:00
|
|
|
{"async", OPT_ASYNC, '-', "Support asynchronous operation"},
|
2019-11-07 20:08:30 +00:00
|
|
|
{"nbio", OPT_NBIO, '-', "Use non-blocking IO"},
|
|
|
|
|
|
|
|
|
|
OPT_SECTION("Protocol and version"),
|
2015-05-15 17:50:38 +00:00
|
|
|
#ifndef OPENSSL_NO_SSL3
|
|
|
|
|
{"ssl3", OPT_SSL3, '-', "Just use SSLv3"},
|
|
|
|
|
#endif
|
2016-01-18 18:10:21 +00:00
|
|
|
#ifndef OPENSSL_NO_TLS1
|
|
|
|
|
{"tls1", OPT_TLS1, '-', "Just use TLSv1"},
|
|
|
|
|
#endif
|
|
|
|
|
#ifndef OPENSSL_NO_TLS1_1
|
|
|
|
|
{"tls1_1", OPT_TLS1_1, '-', "Just use TLSv1.1"},
|
|
|
|
|
#endif
|
|
|
|
|
#ifndef OPENSSL_NO_TLS1_2
|
|
|
|
|
{"tls1_2", OPT_TLS1_2, '-', "Just use TLSv1.2"},
|
|
|
|
|
#endif
|
2016-10-21 16:39:33 +00:00
|
|
|
#ifndef OPENSSL_NO_TLS1_3
|
|
|
|
|
{"tls1_3", OPT_TLS1_3, '-', "Just use TLSv1.3"},
|
|
|
|
|
#endif
|
2015-12-12 10:12:22 +00:00
|
|
|
#ifndef OPENSSL_NO_DTLS
|
2016-02-18 17:23:27 +00:00
|
|
|
{"dtls", OPT_DTLS, '-', "Use any version of DTLS"},
|
2023-03-09 17:06:33 +00:00
|
|
|
{"quic", OPT_QUIC, '-', "Use QUIC"},
|
2016-02-18 17:23:27 +00:00
|
|
|
{"timeout", OPT_TIMEOUT, '-',
|
|
|
|
|
"Enable send/receive timeout on DTLS connections"},
|
2015-05-15 17:50:38 +00:00
|
|
|
{"mtu", OPT_MTU, 'p', "Set the link layer MTU"},
|
|
|
|
|
#endif
|
2016-01-18 18:10:21 +00:00
|
|
|
#ifndef OPENSSL_NO_DTLS1
|
|
|
|
|
{"dtls1", OPT_DTLS1, '-', "Just use DTLSv1"},
|
|
|
|
|
#endif
|
|
|
|
|
#ifndef OPENSSL_NO_DTLS1_2
|
2016-02-18 17:23:27 +00:00
|
|
|
{"dtls1_2", OPT_DTLS1_2, '-', "Just use DTLSv1.2"},
|
2016-01-18 18:10:21 +00:00
|
|
|
#endif
|
2017-04-20 08:57:12 +00:00
|
|
|
#ifndef OPENSSL_NO_SCTP
|
|
|
|
|
{"sctp", OPT_SCTP, '-', "Use SCTP"},
|
2018-12-26 11:44:53 +00:00
|
|
|
{"sctp_label_bug", OPT_SCTP_LABEL_BUG, '-', "Enable SCTP label length bug"},
|
2017-04-20 08:57:12 +00:00
|
|
|
#endif
|
2019-11-07 20:08:30 +00:00
|
|
|
#ifndef OPENSSL_NO_NEXTPROTONEG
|
|
|
|
|
{"nextprotoneg", OPT_NEXTPROTONEG, 's',
|
|
|
|
|
"Enable NPN extension, considering named protocols supported (comma-separated list)"},
|
2015-05-15 17:50:38 +00:00
|
|
|
#endif
|
2019-11-07 20:08:30 +00:00
|
|
|
{"early_data", OPT_EARLY_DATA, '<', "File to send as early data"},
|
|
|
|
|
{"enable_pha", OPT_ENABLE_PHA, '-', "Enable post-handshake-authentication"},
|
2021-01-27 19:23:33 +00:00
|
|
|
{"enable_server_rpk", OPT_ENABLE_SERVER_RPK, '-', "Enable raw public keys (RFC7250) from the server"},
|
|
|
|
|
{"enable_client_rpk", OPT_ENABLE_CLIENT_RPK, '-', "Enable raw public keys (RFC7250) from the client"},
|
2019-11-07 20:08:30 +00:00
|
|
|
#ifndef OPENSSL_NO_SRTP
|
|
|
|
|
{"use_srtp", OPT_USE_SRTP, 's',
|
|
|
|
|
"Offer SRTP key management with a colon-separated profile list"},
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
#endif
|
|
|
|
|
#ifndef OPENSSL_NO_SRP
|
2021-02-05 11:28:15 +00:00
|
|
|
{"srpuser", OPT_SRPUSER, 's', "(deprecated) SRP authentication for 'user'"},
|
|
|
|
|
{"srppass", OPT_SRPPASS, 's', "(deprecated) Password for 'user'"},
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
{"srp_lateuser", OPT_SRP_LATEUSER, '-',
|
2021-02-05 11:28:15 +00:00
|
|
|
"(deprecated) SRP username into second ClientHello message"},
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
{"srp_moregroups", OPT_SRP_MOREGROUPS, '-',
|
2021-02-05 11:28:15 +00:00
|
|
|
"(deprecated) Tolerate other than the known g N values."},
|
|
|
|
|
{"srp_strength", OPT_SRP_STRENGTH, 'p',
|
|
|
|
|
"(deprecated) Minimal length in bits for N"},
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
#endif
|
2021-09-15 03:00:50 +00:00
|
|
|
#ifndef OPENSSL_NO_KTLS
|
|
|
|
|
{"ktls", OPT_KTLS, '-', "Enable Kernel TLS for sending and receiving"},
|
|
|
|
|
#endif
|
2019-11-07 20:08:30 +00:00
|
|
|
|
|
|
|
|
OPT_R_OPTIONS,
|
|
|
|
|
OPT_S_OPTIONS,
|
|
|
|
|
OPT_V_OPTIONS,
|
|
|
|
|
{"CRL", OPT_CRL, '<', "CRL file to use"},
|
|
|
|
|
{"crl_download", OPT_CRL_DOWNLOAD, '-', "Download CRL from distribution points"},
|
2020-08-16 13:25:27 +00:00
|
|
|
{"CRLform", OPT_CRLFORM, 'F', "CRL format (PEM or DER); default PEM"},
|
2019-11-07 20:08:30 +00:00
|
|
|
{"verify_return_error", OPT_VERIFY_RET_ERROR, '-',
|
|
|
|
|
"Close connection on verification error"},
|
|
|
|
|
{"verify_quiet", OPT_VERIFY_QUIET, '-', "Restrict verify output to errors"},
|
2020-03-06 20:46:33 +00:00
|
|
|
{"chainCAfile", OPT_CHAINCAFILE, '<',
|
|
|
|
|
"CA file for certificate chain (PEM format)"},
|
2019-11-07 20:08:30 +00:00
|
|
|
{"chainCApath", OPT_CHAINCAPATH, '/',
|
|
|
|
|
"Use dir as certificate store path to build CA certificate chain"},
|
|
|
|
|
{"chainCAstore", OPT_CHAINCASTORE, ':',
|
|
|
|
|
"CA store URI for certificate chain"},
|
|
|
|
|
{"verifyCAfile", OPT_VERIFYCAFILE, '<',
|
|
|
|
|
"CA file for certificate verification (PEM format)"},
|
|
|
|
|
{"verifyCApath", OPT_VERIFYCAPATH, '/',
|
|
|
|
|
"Use dir as certificate store path to verify CA certificate"},
|
|
|
|
|
{"verifyCAstore", OPT_VERIFYCASTORE, ':',
|
|
|
|
|
"CA store URI for certificate verification"},
|
|
|
|
|
OPT_X_OPTIONS,
|
2020-02-25 04:29:30 +00:00
|
|
|
OPT_PROV_OPTIONS,
|
2019-09-20 01:33:17 +00:00
|
|
|
|
|
|
|
|
OPT_PARAMETERS(),
|
|
|
|
|
{"host:port", 0, 0, "Where to connect; same as -connect option"},
|
2019-11-07 20:08:30 +00:00
|
|
|
{NULL}
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
};
|
|
|
|
|
|
|
|
|
|
typedef enum PROTOCOL_choice {
|
|
|
|
|
PROTO_OFF,
|
2007-02-16 18:12:16 +00:00
|
|
|
PROTO_SMTP,
|
|
|
|
|
PROTO_POP3,
|
|
|
|
|
PROTO_IMAP,
|
2008-10-14 19:11:26 +00:00
|
|
|
PROTO_FTP,
|
2015-04-25 20:01:21 +00:00
|
|
|
PROTO_TELNET,
|
2015-05-08 19:34:07 +00:00
|
|
|
PROTO_XMPP,
|
2015-07-29 21:41:00 +00:00
|
|
|
PROTO_XMPP_SERVER,
|
2016-02-15 14:28:41 +00:00
|
|
|
PROTO_IRC,
|
2017-05-13 00:50:49 +00:00
|
|
|
PROTO_MYSQL,
|
2016-11-17 16:16:50 +00:00
|
|
|
PROTO_POSTGRES,
|
2017-01-27 23:52:27 +00:00
|
|
|
PROTO_LMTP,
|
2017-02-09 21:20:59 +00:00
|
|
|
PROTO_NNTP,
|
2017-02-26 23:44:14 +00:00
|
|
|
PROTO_SIEVE,
|
|
|
|
|
PROTO_LDAP
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
} PROTOCOL_CHOICE;
|
|
|
|
|
|
2016-03-18 18:02:17 +00:00
|
|
|
static const OPT_PAIR services[] = {
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
{"smtp", PROTO_SMTP},
|
|
|
|
|
{"pop3", PROTO_POP3},
|
|
|
|
|
{"imap", PROTO_IMAP},
|
|
|
|
|
{"ftp", PROTO_FTP},
|
|
|
|
|
{"xmpp", PROTO_XMPP},
|
2015-07-29 21:41:00 +00:00
|
|
|
{"xmpp-server", PROTO_XMPP_SERVER},
|
2015-04-25 20:01:21 +00:00
|
|
|
{"telnet", PROTO_TELNET},
|
2015-05-13 20:00:21 +00:00
|
|
|
{"irc", PROTO_IRC},
|
2017-05-13 00:50:49 +00:00
|
|
|
{"mysql", PROTO_MYSQL},
|
2016-02-15 14:28:41 +00:00
|
|
|
{"postgres", PROTO_POSTGRES},
|
2016-11-17 16:16:50 +00:00
|
|
|
{"lmtp", PROTO_LMTP},
|
2017-01-27 23:52:27 +00:00
|
|
|
{"nntp", PROTO_NNTP},
|
2017-02-09 21:20:59 +00:00
|
|
|
{"sieve", PROTO_SIEVE},
|
2017-02-26 23:44:14 +00:00
|
|
|
{"ldap", PROTO_LDAP},
|
2016-03-18 18:02:17 +00:00
|
|
|
{NULL, 0}
|
2007-02-16 18:12:16 +00:00
|
|
|
};
|
|
|
|
|
|
2016-06-08 16:22:14 +00:00
|
|
|
#define IS_INET_FLAG(o) \
|
|
|
|
|
(o == OPT_4 || o == OPT_6 || o == OPT_HOST || o == OPT_PORT || o == OPT_CONNECT)
|
|
|
|
|
#define IS_UNIX_FLAG(o) (o == OPT_UNIX)
|
|
|
|
|
|
2016-07-07 10:05:31 +00:00
|
|
|
#define IS_PROT_FLAG(o) \
|
|
|
|
|
(o == OPT_SSL3 || o == OPT_TLS1 || o == OPT_TLS1_1 || o == OPT_TLS1_2 \
|
2023-03-09 17:06:33 +00:00
|
|
|
|| o == OPT_TLS1_3 || o == OPT_DTLS || o == OPT_DTLS1 || o == OPT_DTLS1_2 \
|
|
|
|
|
|| o == OPT_QUIC)
|
2016-07-07 10:05:31 +00:00
|
|
|
|
2016-06-10 15:40:32 +00:00
|
|
|
/* Free |*dest| and optionally set it to a copy of |source|. */
|
|
|
|
|
static void freeandcopy(char **dest, const char *source)
|
|
|
|
|
{
|
|
|
|
|
OPENSSL_free(*dest);
|
|
|
|
|
*dest = NULL;
|
|
|
|
|
if (source != NULL)
|
|
|
|
|
*dest = OPENSSL_strdup(source);
|
|
|
|
|
}
|
|
|
|
|
|
2018-06-25 15:46:57 +00:00
|
|
|
static int new_session_cb(SSL *s, SSL_SESSION *sess)
|
2017-01-13 14:25:15 +00:00
|
|
|
{
|
|
|
|
|
|
2018-06-25 15:46:57 +00:00
|
|
|
if (sess_out != NULL) {
|
|
|
|
|
BIO *stmp = BIO_new_file(sess_out, "w");
|
|
|
|
|
|
|
|
|
|
if (stmp == NULL) {
|
|
|
|
|
BIO_printf(bio_err, "Error writing session file %s\n", sess_out);
|
|
|
|
|
} else {
|
|
|
|
|
PEM_write_bio_SSL_SESSION(stmp, sess);
|
|
|
|
|
BIO_free(stmp);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Session data gets dumped on connection for TLSv1.2 and below, and on
|
|
|
|
|
* arrival of the NewSessionTicket for TLSv1.3.
|
|
|
|
|
*/
|
|
|
|
|
if (SSL_version(s) == TLS1_3_VERSION) {
|
|
|
|
|
BIO_printf(bio_c_out,
|
|
|
|
|
"---\nPost-Handshake New Session Ticket arrived:\n");
|
|
|
|
|
SSL_SESSION_print(bio_c_out, sess);
|
|
|
|
|
BIO_printf(bio_c_out, "---\n");
|
2017-01-13 14:25:15 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* We always return a "fail" response so that the session gets freed again
|
|
|
|
|
* because we haven't used the reference.
|
|
|
|
|
*/
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
int s_client_main(int argc, char **argv)
|
1998-12-21 10:52:47 +00:00
|
|
|
{
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
BIO *sbio;
|
2004-11-16 17:30:59 +00:00
|
|
|
EVP_PKEY *key = NULL;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
SSL *con = NULL;
|
1998-12-21 10:52:47 +00:00
|
|
|
SSL_CTX *ctx = NULL;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
STACK_OF(X509) *chain = NULL;
|
|
|
|
|
X509 *cert = NULL;
|
2009-06-30 15:56:35 +00:00
|
|
|
X509_VERIFY_PARAM *vpm = NULL;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
SSL_EXCERT *exc = NULL;
|
|
|
|
|
SSL_CONF_CTX *cctx = NULL;
|
|
|
|
|
STACK_OF(OPENSSL_STRING) *ssl_args = NULL;
|
2015-12-29 19:25:50 +00:00
|
|
|
char *dane_tlsa_domain = NULL;
|
|
|
|
|
STACK_OF(OPENSSL_STRING) *dane_tlsa_rrset = NULL;
|
2016-08-19 15:59:47 +00:00
|
|
|
int dane_ee_no_name = 0;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
STACK_OF(X509_CRL) *crls = NULL;
|
2015-03-30 23:18:31 +00:00
|
|
|
const SSL_METHOD *meth = TLS_client_method();
|
2019-03-07 14:26:34 +00:00
|
|
|
const char *CApath = NULL, *CAfile = NULL, *CAstore = NULL;
|
2019-01-03 00:32:00 +00:00
|
|
|
char *cbuf = NULL, *sbuf = NULL, *mbuf = NULL;
|
|
|
|
|
char *proxystr = NULL, *proxyuser = NULL;
|
|
|
|
|
char *proxypassarg = NULL, *proxypass = NULL;
|
|
|
|
|
char *connectstr = NULL, *bindstr = NULL;
|
2015-12-29 19:25:50 +00:00
|
|
|
char *cert_file = NULL, *key_file = NULL, *chain_file = NULL;
|
2019-03-07 14:26:34 +00:00
|
|
|
char *chCApath = NULL, *chCAfile = NULL, *chCAstore = NULL, *host = NULL;
|
2020-05-20 00:25:10 +00:00
|
|
|
char *thost = NULL, *tport = NULL;
|
2022-02-21 07:17:46 +00:00
|
|
|
char *port = NULL;
|
2018-02-08 09:49:02 +00:00
|
|
|
char *bindhost = NULL, *bindport = NULL;
|
2019-03-07 14:26:34 +00:00
|
|
|
char *passarg = NULL, *pass = NULL;
|
|
|
|
|
char *vfyCApath = NULL, *vfyCAfile = NULL, *vfyCAstore = NULL;
|
2017-03-20 18:32:43 +00:00
|
|
|
char *ReqCAfile = NULL;
|
2017-01-13 14:25:15 +00:00
|
|
|
char *sess_in = NULL, *crl_file = NULL, *p;
|
2017-10-16 19:32:24 +00:00
|
|
|
const char *protohost = NULL;
|
2009-08-12 13:19:54 +00:00
|
|
|
struct timeval timeout, *timeoutp;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
fd_set readfds, writefds;
|
2019-03-07 14:26:34 +00:00
|
|
|
int noCApath = 0, noCAfile = 0, noCAstore = 0;
|
2023-03-16 15:08:04 +00:00
|
|
|
int build_chain = 0, cert_format = FORMAT_UNDEF;
|
|
|
|
|
size_t cbuf_len, cbuf_off;
|
2021-04-30 14:57:53 +00:00
|
|
|
int key_format = FORMAT_UNDEF, crlf = 0, full_log = 1, mbuf_len = 0;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
int prexit = 0;
|
2021-11-23 22:27:35 +00:00
|
|
|
int nointeractive = 0;
|
2016-03-18 14:17:03 +00:00
|
|
|
int sdebug = 0;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
int reconnect = 0, verify = SSL_VERIFY_NONE, vpmtouched = 0;
|
2019-10-30 22:39:35 +00:00
|
|
|
int ret = 1, in_init = 1, i, nbio_test = 0, sock = -1, k, width, state = 0;
|
2023-03-16 15:08:04 +00:00
|
|
|
int sbuf_len, sbuf_off, cmdmode = USER_DATA_MODE_BASIC;
|
2017-04-20 08:57:12 +00:00
|
|
|
int socket_family = AF_UNSPEC, socket_type = SOCK_STREAM, protocol = 0;
|
2021-04-30 14:57:53 +00:00
|
|
|
int starttls_proto = PROTO_OFF, crl_format = FORMAT_UNDEF, crl_download = 0;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
int write_tty, read_tty, write_ssl, read_ssl, tty_on, ssl_pending;
|
2023-03-09 17:06:33 +00:00
|
|
|
int first_loop;
|
2016-08-30 01:01:16 +00:00
|
|
|
#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS)
|
2016-06-10 18:46:07 +00:00
|
|
|
int at_eof = 0;
|
2016-08-30 01:01:16 +00:00
|
|
|
#endif
|
2016-01-13 14:20:25 +00:00
|
|
|
int read_buf_len = 0;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
int fallback_scsv = 0;
|
|
|
|
|
OPTION_CHOICE o;
|
2016-03-18 14:17:03 +00:00
|
|
|
#ifndef OPENSSL_NO_DTLS
|
|
|
|
|
int enable_timeouts = 0;
|
|
|
|
|
long socket_mtu = 0;
|
|
|
|
|
#endif
|
2003-01-30 17:39:26 +00:00
|
|
|
#ifndef OPENSSL_NO_ENGINE
|
2008-12-20 17:04:40 +00:00
|
|
|
ENGINE *ssl_client_engine = NULL;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
#endif
|
2015-04-25 19:41:29 +00:00
|
|
|
ENGINE *e = NULL;
|
2016-03-17 16:53:11 +00:00
|
|
|
#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
|
1999-09-20 22:09:17 +00:00
|
|
|
struct timeval tv;
|
|
|
|
|
#endif
|
2017-11-08 13:22:59 +00:00
|
|
|
const char *servername = NULL;
|
2021-12-09 16:27:47 +00:00
|
|
|
char *sname_alloc = NULL;
|
2017-02-13 13:26:37 +00:00
|
|
|
int noservername = 0;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
const char *alpn_in = NULL;
|
2006-01-02 23:14:37 +00:00
|
|
|
tlsextctx tlsextcbp = { NULL, 0 };
|
2015-07-08 22:09:52 +00:00
|
|
|
const char *ssl_config = NULL;
|
2015-05-15 09:49:56 +00:00
|
|
|
#define MAX_SI_TYPES 100
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
unsigned short serverinfo_types[MAX_SI_TYPES];
|
|
|
|
|
int serverinfo_count = 0, start = 0, len;
|
2015-05-15 09:49:56 +00:00
|
|
|
#ifndef OPENSSL_NO_NEXTPROTONEG
|
2010-07-28 10:06:55 +00:00
|
|
|
const char *next_proto_neg_in = NULL;
|
2008-11-12 17:28:18 +00:00
|
|
|
#endif
|
2011-03-12 17:01:19 +00:00
|
|
|
#ifndef OPENSSL_NO_SRP
|
|
|
|
|
char *srppass = NULL;
|
|
|
|
|
int srp_lateuser = 0;
|
|
|
|
|
SRP_ARG srp_arg = { NULL, NULL, 0, 0, 0, 1024 };
|
|
|
|
|
#endif
|
2018-05-14 14:41:06 +00:00
|
|
|
#ifndef OPENSSL_NO_SRTP
|
2018-03-21 20:01:24 +00:00
|
|
|
char *srtp_profiles = NULL;
|
2018-05-14 14:41:06 +00:00
|
|
|
#endif
|
2016-03-02 13:34:05 +00:00
|
|
|
#ifndef OPENSSL_NO_CT
|
|
|
|
|
char *ctlog_file = NULL;
|
2016-04-07 18:17:37 +00:00
|
|
|
int ct_validation = 0;
|
2016-03-02 13:34:05 +00:00
|
|
|
#endif
|
2016-07-07 10:05:31 +00:00
|
|
|
int min_version = 0, max_version = 0, prot_opt = 0, no_prot_opt = 0;
|
2016-05-10 21:39:05 +00:00
|
|
|
int async = 0;
|
2017-04-06 21:47:18 +00:00
|
|
|
unsigned int max_send_fragment = 0;
|
2017-04-07 17:15:38 +00:00
|
|
|
unsigned int split_send_fragment = 0, max_pipelines = 0;
|
2016-06-08 16:22:14 +00:00
|
|
|
enum { use_inet, use_unix, use_unknown } connect_type = use_unknown;
|
|
|
|
|
int count4or6 = 0;
|
2017-11-05 16:46:48 +00:00
|
|
|
uint8_t maxfraglen = 0;
|
2016-08-03 20:49:25 +00:00
|
|
|
int c_nbio = 0, c_msg = 0, c_ign_eof = 0, c_brief = 0;
|
2016-09-19 13:08:58 +00:00
|
|
|
int c_tlsextdebug = 0;
|
|
|
|
|
#ifndef OPENSSL_NO_OCSP
|
|
|
|
|
int c_status_req = 0;
|
|
|
|
|
#endif
|
2016-08-03 20:49:25 +00:00
|
|
|
BIO *bio_c_msg = NULL;
|
2017-02-20 16:00:20 +00:00
|
|
|
const char *keylog_file = NULL, *early_data_file = NULL;
|
2023-03-21 16:52:32 +00:00
|
|
|
int isdtls = 0, isquic = 0;
|
2017-06-12 15:57:06 +00:00
|
|
|
char *psksessf = NULL;
|
2018-08-13 14:23:27 +00:00
|
|
|
int enable_pha = 0;
|
2021-01-27 19:23:33 +00:00
|
|
|
int enable_client_rpk = 0;
|
2018-12-26 11:44:53 +00:00
|
|
|
#ifndef OPENSSL_NO_SCTP
|
|
|
|
|
int sctp_label_bug = 0;
|
|
|
|
|
#endif
|
2020-05-05 13:20:42 +00:00
|
|
|
int ignore_unexpected_eof = 0;
|
2021-09-15 03:00:50 +00:00
|
|
|
#ifndef OPENSSL_NO_KTLS
|
|
|
|
|
int enable_ktls = 0;
|
|
|
|
|
#endif
|
2021-09-08 20:23:04 +00:00
|
|
|
int tfo = 0;
|
2023-05-18 12:10:36 +00:00
|
|
|
int is_infinite;
|
2023-03-09 17:06:33 +00:00
|
|
|
BIO_ADDR *peer_addr = NULL;
|
2023-03-16 15:08:04 +00:00
|
|
|
struct user_data_st user_data;
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2016-02-22 15:58:36 +00:00
|
|
|
FD_ZERO(&readfds);
|
|
|
|
|
FD_ZERO(&writefds);
|
|
|
|
|
/* Known false-positive of MemorySanitizer. */
|
|
|
|
|
#if defined(__has_feature)
|
|
|
|
|
# if __has_feature(memory_sanitizer)
|
|
|
|
|
__msan_unpoison(&readfds, sizeof(readfds));
|
|
|
|
|
__msan_unpoison(&writefds, sizeof(writefds));
|
|
|
|
|
# endif
|
|
|
|
|
#endif
|
|
|
|
|
|
1998-12-21 10:52:47 +00:00
|
|
|
c_quiet = 0;
|
|
|
|
|
c_debug = 0;
|
1999-03-31 12:06:30 +00:00
|
|
|
c_showcerts = 0;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
c_nbio = 0;
|
2022-02-21 07:17:46 +00:00
|
|
|
port = OPENSSL_strdup(PORT);
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
vpm = X509_VERIFY_PARAM_new();
|
2012-11-17 14:42:22 +00:00
|
|
|
cctx = SSL_CONF_CTX_new();
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2022-02-21 07:17:46 +00:00
|
|
|
if (port == NULL || vpm == NULL || cctx == NULL) {
|
2021-01-07 08:00:02 +00:00
|
|
|
BIO_printf(bio_err, "%s: out of memory\n", opt_getprog());
|
1998-12-21 10:52:47 +00:00
|
|
|
goto end;
|
|
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2016-08-01 19:30:57 +00:00
|
|
|
cbuf = app_malloc(BUFSIZZ, "cbuf");
|
|
|
|
|
sbuf = app_malloc(BUFSIZZ, "sbuf");
|
|
|
|
|
mbuf = app_malloc(BUFSIZZ, "mbuf");
|
|
|
|
|
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT | SSL_CONF_FLAG_CMDLINE);
|
2015-01-22 03:40:55 +00:00
|
|
|
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
prog = opt_init(argc, argv, s_client_options);
|
|
|
|
|
while ((o = opt_next()) != OPT_EOF) {
|
2016-06-08 16:22:14 +00:00
|
|
|
/* Check for intermixing flags. */
|
|
|
|
|
if (connect_type == use_unix && IS_INET_FLAG(o)) {
|
|
|
|
|
BIO_printf(bio_err,
|
2016-08-07 10:04:26 +00:00
|
|
|
"%s: Intermixed protocol flags (unix and internet domains)\n",
|
|
|
|
|
prog);
|
2016-06-08 16:22:14 +00:00
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
if (connect_type == use_inet && IS_UNIX_FLAG(o)) {
|
|
|
|
|
BIO_printf(bio_err,
|
2016-08-07 10:04:26 +00:00
|
|
|
"%s: Intermixed protocol flags (internet and unix domains)\n",
|
|
|
|
|
prog);
|
2016-06-08 16:22:14 +00:00
|
|
|
goto end;
|
|
|
|
|
}
|
2016-07-07 10:05:31 +00:00
|
|
|
|
|
|
|
|
if (IS_PROT_FLAG(o) && ++prot_opt > 1) {
|
|
|
|
|
BIO_printf(bio_err, "Cannot supply multiple protocol flags\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
if (IS_NO_PROT_FLAG(o))
|
|
|
|
|
no_prot_opt++;
|
|
|
|
|
if (prot_opt == 1 && no_prot_opt) {
|
2016-08-07 10:04:26 +00:00
|
|
|
BIO_printf(bio_err,
|
|
|
|
|
"Cannot supply both a protocol flag and '-no_<prot>'\n");
|
2016-07-07 10:05:31 +00:00
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
switch (o) {
|
|
|
|
|
case OPT_EOF:
|
|
|
|
|
case OPT_ERR:
|
|
|
|
|
opthelp:
|
|
|
|
|
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
|
|
|
|
|
goto end;
|
|
|
|
|
case OPT_HELP:
|
|
|
|
|
opt_help(s_client_options);
|
|
|
|
|
ret = 0;
|
|
|
|
|
goto end;
|
2016-02-02 23:47:42 +00:00
|
|
|
case OPT_4:
|
2016-06-08 16:22:14 +00:00
|
|
|
connect_type = use_inet;
|
2016-02-02 23:47:42 +00:00
|
|
|
socket_family = AF_INET;
|
2016-06-08 16:22:14 +00:00
|
|
|
count4or6++;
|
2016-02-02 23:47:42 +00:00
|
|
|
break;
|
|
|
|
|
#ifdef AF_INET6
|
2016-06-08 16:22:14 +00:00
|
|
|
case OPT_6:
|
|
|
|
|
connect_type = use_inet;
|
|
|
|
|
socket_family = AF_INET6;
|
|
|
|
|
count4or6++;
|
2016-02-02 23:47:42 +00:00
|
|
|
break;
|
|
|
|
|
#endif
|
2016-06-08 16:22:14 +00:00
|
|
|
case OPT_HOST:
|
|
|
|
|
connect_type = use_inet;
|
2016-06-10 15:40:32 +00:00
|
|
|
freeandcopy(&host, opt_arg());
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_PORT:
|
2016-06-08 16:22:14 +00:00
|
|
|
connect_type = use_inet;
|
2016-06-10 15:40:32 +00:00
|
|
|
freeandcopy(&port, opt_arg());
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_CONNECT:
|
2016-06-08 16:22:14 +00:00
|
|
|
connect_type = use_inet;
|
2016-06-10 15:40:32 +00:00
|
|
|
freeandcopy(&connectstr, opt_arg());
|
2015-05-08 19:34:07 +00:00
|
|
|
break;
|
2018-02-08 09:49:02 +00:00
|
|
|
case OPT_BIND:
|
|
|
|
|
freeandcopy(&bindstr, opt_arg());
|
|
|
|
|
break;
|
2015-05-08 19:34:07 +00:00
|
|
|
case OPT_PROXY:
|
|
|
|
|
proxystr = opt_arg();
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
2019-01-03 00:32:00 +00:00
|
|
|
case OPT_PROXY_USER:
|
|
|
|
|
proxyuser = opt_arg();
|
|
|
|
|
break;
|
|
|
|
|
case OPT_PROXY_PASS:
|
|
|
|
|
proxypassarg = opt_arg();
|
|
|
|
|
break;
|
2016-02-02 23:47:42 +00:00
|
|
|
#ifdef AF_UNIX
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
case OPT_UNIX:
|
2016-06-08 16:22:14 +00:00
|
|
|
connect_type = use_unix;
|
2016-02-02 23:47:42 +00:00
|
|
|
socket_family = AF_UNIX;
|
2016-06-10 15:40:32 +00:00
|
|
|
freeandcopy(&host, opt_arg());
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
2016-02-02 23:47:42 +00:00
|
|
|
#endif
|
2015-04-25 20:01:21 +00:00
|
|
|
case OPT_XMPPHOST:
|
2017-10-16 19:32:24 +00:00
|
|
|
/* fall through, since this is an alias */
|
|
|
|
|
case OPT_PROTOHOST:
|
|
|
|
|
protohost = opt_arg();
|
2015-04-25 20:01:21 +00:00
|
|
|
break;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
case OPT_VERIFY:
|
1998-12-21 10:52:47 +00:00
|
|
|
verify = SSL_VERIFY_PEER;
|
2016-08-01 19:30:57 +00:00
|
|
|
verify_args.depth = atoi(opt_arg());
|
2012-09-12 23:14:28 +00:00
|
|
|
if (!c_quiet)
|
2016-08-01 19:30:57 +00:00
|
|
|
BIO_printf(bio_err, "verify depth is %d\n", verify_args.depth);
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_CERT:
|
|
|
|
|
cert_file = opt_arg();
|
|
|
|
|
break;
|
2017-02-21 11:22:55 +00:00
|
|
|
case OPT_NAMEOPT:
|
|
|
|
|
if (!set_nameopt(opt_arg()))
|
|
|
|
|
goto end;
|
|
|
|
|
break;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
case OPT_CRL:
|
|
|
|
|
crl_file = opt_arg();
|
|
|
|
|
break;
|
|
|
|
|
case OPT_CRL_DOWNLOAD:
|
2012-12-06 18:43:40 +00:00
|
|
|
crl_download = 1;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_SESS_OUT:
|
|
|
|
|
sess_out = opt_arg();
|
|
|
|
|
break;
|
|
|
|
|
case OPT_SESS_IN:
|
|
|
|
|
sess_in = opt_arg();
|
|
|
|
|
break;
|
|
|
|
|
case OPT_CERTFORM:
|
2020-05-06 11:51:50 +00:00
|
|
|
if (!opt_format(opt_arg(), OPT_FMT_ANY, &cert_format))
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
goto opthelp;
|
|
|
|
|
break;
|
|
|
|
|
case OPT_CRLFORM:
|
|
|
|
|
if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &crl_format))
|
|
|
|
|
goto opthelp;
|
|
|
|
|
break;
|
|
|
|
|
case OPT_VERIFY_RET_ERROR:
|
2019-01-24 12:21:39 +00:00
|
|
|
verify = SSL_VERIFY_PEER;
|
2016-08-01 19:30:57 +00:00
|
|
|
verify_args.return_error = 1;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_VERIFY_QUIET:
|
2016-08-01 19:30:57 +00:00
|
|
|
verify_args.quiet = 1;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_BRIEF:
|
2016-08-01 19:30:57 +00:00
|
|
|
c_brief = verify_args.quiet = c_quiet = 1;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_S_CASES:
|
|
|
|
|
if (ssl_args == NULL)
|
|
|
|
|
ssl_args = sk_OPENSSL_STRING_new_null();
|
|
|
|
|
if (ssl_args == NULL
|
|
|
|
|
|| !sk_OPENSSL_STRING_push(ssl_args, opt_flag())
|
|
|
|
|
|| !sk_OPENSSL_STRING_push(ssl_args, opt_arg())) {
|
|
|
|
|
BIO_printf(bio_err, "%s: Memory allocation failure\n", prog);
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
case OPT_V_CASES:
|
|
|
|
|
if (!opt_verify(o, vpm))
|
|
|
|
|
goto end;
|
|
|
|
|
vpmtouched++;
|
|
|
|
|
break;
|
|
|
|
|
case OPT_X_CASES:
|
|
|
|
|
if (!args_excert(o, &exc))
|
|
|
|
|
goto end;
|
|
|
|
|
break;
|
2020-05-05 13:20:42 +00:00
|
|
|
case OPT_IGNORE_UNEXPECTED_EOF:
|
|
|
|
|
ignore_unexpected_eof = 1;
|
|
|
|
|
break;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
case OPT_PREXIT:
|
2000-01-08 19:05:47 +00:00
|
|
|
prexit = 1;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
2021-11-23 22:27:35 +00:00
|
|
|
case OPT_NO_INTERACTIVE:
|
|
|
|
|
nointeractive = 1;
|
|
|
|
|
break;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
case OPT_CRLF:
|
1999-08-07 02:51:10 +00:00
|
|
|
crlf = 1;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_QUIET:
|
|
|
|
|
c_quiet = c_ign_eof = 1;
|
|
|
|
|
break;
|
|
|
|
|
case OPT_NBIO:
|
|
|
|
|
c_nbio = 1;
|
|
|
|
|
break;
|
2015-04-25 19:58:22 +00:00
|
|
|
case OPT_NOCMDS:
|
2023-03-16 15:08:04 +00:00
|
|
|
cmdmode = USER_DATA_MODE_NONE;
|
|
|
|
|
break;
|
|
|
|
|
case OPT_ADV:
|
|
|
|
|
cmdmode = USER_DATA_MODE_ADVANCED;
|
2015-04-25 19:58:22 +00:00
|
|
|
break;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
case OPT_ENGINE:
|
2015-04-25 19:41:29 +00:00
|
|
|
e = setup_engine(opt_arg(), 1);
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_SSL_CLIENT_ENGINE:
|
2015-04-25 19:41:29 +00:00
|
|
|
#ifndef OPENSSL_NO_ENGINE
|
2020-09-30 16:01:06 +00:00
|
|
|
ssl_client_engine = setup_engine(opt_arg(), 0);
|
2015-04-25 19:41:29 +00:00
|
|
|
if (ssl_client_engine == NULL) {
|
|
|
|
|
BIO_printf(bio_err, "Error getting client auth engine\n");
|
|
|
|
|
goto opthelp;
|
|
|
|
|
}
|
|
|
|
|
#endif
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
2017-07-05 14:58:48 +00:00
|
|
|
case OPT_R_CASES:
|
|
|
|
|
if (!opt_rand(o))
|
|
|
|
|
goto end;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
2020-02-25 04:29:30 +00:00
|
|
|
case OPT_PROV_CASES:
|
|
|
|
|
if (!opt_provider(o))
|
|
|
|
|
goto end;
|
|
|
|
|
break;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
case OPT_IGN_EOF:
|
2000-03-10 12:18:28 +00:00
|
|
|
c_ign_eof = 1;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_NO_IGN_EOF:
|
2008-10-22 06:46:14 +00:00
|
|
|
c_ign_eof = 0;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_DEBUG:
|
1998-12-21 10:52:47 +00:00
|
|
|
c_debug = 1;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_TLSEXTDEBUG:
|
2007-08-11 23:18:29 +00:00
|
|
|
c_tlsextdebug = 1;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_STATUS:
|
2016-09-19 13:08:58 +00:00
|
|
|
#ifndef OPENSSL_NO_OCSP
|
2007-09-26 21:56:59 +00:00
|
|
|
c_status_req = 1;
|
2016-09-19 13:08:58 +00:00
|
|
|
#endif
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_WDEBUG:
|
2015-05-15 17:50:38 +00:00
|
|
|
#ifdef WATT32
|
2014-08-09 12:02:20 +00:00
|
|
|
dbug_init();
|
2005-01-04 10:28:38 +00:00
|
|
|
#endif
|
2015-05-15 17:50:38 +00:00
|
|
|
break;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
case OPT_MSG:
|
2001-10-20 17:56:36 +00:00
|
|
|
c_msg = 1;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_MSGFILE:
|
|
|
|
|
bio_c_msg = BIO_new_file(opt_arg(), "w");
|
2022-03-07 07:43:16 +00:00
|
|
|
if (bio_c_msg == NULL) {
|
|
|
|
|
BIO_printf(bio_err, "Error writing file %s\n", opt_arg());
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_TRACE:
|
2015-05-15 17:50:38 +00:00
|
|
|
#ifndef OPENSSL_NO_SSL_TRACE
|
2012-06-15 12:46:09 +00:00
|
|
|
c_msg = 2;
|
|
|
|
|
#endif
|
2015-05-15 17:50:38 +00:00
|
|
|
break;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
case OPT_SECURITY_DEBUG:
|
2014-02-17 00:10:00 +00:00
|
|
|
sdebug = 1;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_SECURITY_DEBUG_VERBOSE:
|
2014-02-17 00:10:00 +00:00
|
|
|
sdebug = 2;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_SHOWCERTS:
|
1999-03-31 12:06:30 +00:00
|
|
|
c_showcerts = 1;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_NBIO_TEST:
|
1998-12-21 10:52:47 +00:00
|
|
|
nbio_test = 1;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_STATE:
|
1998-12-21 10:52:47 +00:00
|
|
|
state = 1;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_PSK_IDENTITY:
|
|
|
|
|
psk_identity = opt_arg();
|
|
|
|
|
break;
|
|
|
|
|
case OPT_PSK:
|
|
|
|
|
for (p = psk_key = opt_arg(); *p; p++) {
|
2016-02-14 12:02:15 +00:00
|
|
|
if (isxdigit(_UC(*p)))
|
2006-03-10 23:06:27 +00:00
|
|
|
continue;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
BIO_printf(bio_err, "Not a hex number '%s'\n", psk_key);
|
|
|
|
|
goto end;
|
2006-03-10 23:06:27 +00:00
|
|
|
}
|
2015-06-25 03:05:07 +00:00
|
|
|
break;
|
2017-06-12 15:57:06 +00:00
|
|
|
case OPT_PSK_SESS:
|
|
|
|
|
psksessf = opt_arg();
|
|
|
|
|
break;
|
2011-03-12 17:01:19 +00:00
|
|
|
#ifndef OPENSSL_NO_SRP
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
case OPT_SRPUSER:
|
|
|
|
|
srp_arg.srplogin = opt_arg();
|
2016-02-02 22:58:49 +00:00
|
|
|
if (min_version < TLS1_VERSION)
|
|
|
|
|
min_version = TLS1_VERSION;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_SRPPASS:
|
|
|
|
|
srppass = opt_arg();
|
2016-02-02 22:58:49 +00:00
|
|
|
if (min_version < TLS1_VERSION)
|
|
|
|
|
min_version = TLS1_VERSION;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_SRP_STRENGTH:
|
|
|
|
|
srp_arg.strength = atoi(opt_arg());
|
2011-03-12 17:01:19 +00:00
|
|
|
BIO_printf(bio_err, "SRP minimal length for N is %d\n",
|
|
|
|
|
srp_arg.strength);
|
2016-02-02 22:58:49 +00:00
|
|
|
if (min_version < TLS1_VERSION)
|
|
|
|
|
min_version = TLS1_VERSION;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_SRP_LATEUSER:
|
2011-03-12 17:01:19 +00:00
|
|
|
srp_lateuser = 1;
|
2016-02-02 22:58:49 +00:00
|
|
|
if (min_version < TLS1_VERSION)
|
|
|
|
|
min_version = TLS1_VERSION;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_SRP_MOREGROUPS:
|
2011-03-12 17:01:19 +00:00
|
|
|
srp_arg.amp = 1;
|
2016-02-02 22:58:49 +00:00
|
|
|
if (min_version < TLS1_VERSION)
|
|
|
|
|
min_version = TLS1_VERSION;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
2011-03-12 17:01:19 +00:00
|
|
|
#endif
|
2015-07-08 22:09:52 +00:00
|
|
|
case OPT_SSL_CONFIG:
|
|
|
|
|
ssl_config = opt_arg();
|
|
|
|
|
break;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
case OPT_SSL3:
|
2016-02-02 22:58:49 +00:00
|
|
|
min_version = SSL3_VERSION;
|
|
|
|
|
max_version = SSL3_VERSION;
|
2020-06-24 19:54:05 +00:00
|
|
|
socket_type = SOCK_STREAM;
|
|
|
|
|
#ifndef OPENSSL_NO_DTLS
|
|
|
|
|
isdtls = 0;
|
2023-03-09 17:06:33 +00:00
|
|
|
#endif
|
|
|
|
|
isquic = 0;
|
2015-05-15 17:50:38 +00:00
|
|
|
break;
|
2016-10-21 16:39:33 +00:00
|
|
|
case OPT_TLS1_3:
|
|
|
|
|
min_version = TLS1_3_VERSION;
|
|
|
|
|
max_version = TLS1_3_VERSION;
|
2020-06-24 19:54:05 +00:00
|
|
|
socket_type = SOCK_STREAM;
|
|
|
|
|
#ifndef OPENSSL_NO_DTLS
|
|
|
|
|
isdtls = 0;
|
2023-03-09 17:06:33 +00:00
|
|
|
#endif
|
|
|
|
|
isquic = 0;
|
2016-10-21 16:39:33 +00:00
|
|
|
break;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
case OPT_TLS1_2:
|
2016-02-02 22:58:49 +00:00
|
|
|
min_version = TLS1_2_VERSION;
|
|
|
|
|
max_version = TLS1_2_VERSION;
|
2020-06-24 19:54:05 +00:00
|
|
|
socket_type = SOCK_STREAM;
|
|
|
|
|
#ifndef OPENSSL_NO_DTLS
|
|
|
|
|
isdtls = 0;
|
2023-03-09 17:06:33 +00:00
|
|
|
#endif
|
|
|
|
|
isquic = 0;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_TLS1_1:
|
2016-02-02 22:58:49 +00:00
|
|
|
min_version = TLS1_1_VERSION;
|
|
|
|
|
max_version = TLS1_1_VERSION;
|
2020-06-24 19:54:05 +00:00
|
|
|
socket_type = SOCK_STREAM;
|
|
|
|
|
#ifndef OPENSSL_NO_DTLS
|
|
|
|
|
isdtls = 0;
|
2023-03-09 17:06:33 +00:00
|
|
|
#endif
|
|
|
|
|
isquic = 0;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_TLS1:
|
2016-02-02 22:58:49 +00:00
|
|
|
min_version = TLS1_VERSION;
|
|
|
|
|
max_version = TLS1_VERSION;
|
2020-06-24 19:54:05 +00:00
|
|
|
socket_type = SOCK_STREAM;
|
|
|
|
|
#ifndef OPENSSL_NO_DTLS
|
|
|
|
|
isdtls = 0;
|
2023-03-09 17:06:33 +00:00
|
|
|
#endif
|
|
|
|
|
isquic = 0;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_DTLS:
|
2016-01-18 18:10:21 +00:00
|
|
|
#ifndef OPENSSL_NO_DTLS
|
2013-04-06 14:50:12 +00:00
|
|
|
meth = DTLS_client_method();
|
|
|
|
|
socket_type = SOCK_DGRAM;
|
2017-04-20 08:57:12 +00:00
|
|
|
isdtls = 1;
|
2023-03-09 17:06:33 +00:00
|
|
|
isquic = 0;
|
2016-01-18 18:10:21 +00:00
|
|
|
#endif
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_DTLS1:
|
2016-01-18 18:10:21 +00:00
|
|
|
#ifndef OPENSSL_NO_DTLS1
|
2016-02-02 22:58:49 +00:00
|
|
|
meth = DTLS_client_method();
|
|
|
|
|
min_version = DTLS1_VERSION;
|
|
|
|
|
max_version = DTLS1_VERSION;
|
2006-01-02 23:29:12 +00:00
|
|
|
socket_type = SOCK_DGRAM;
|
2017-04-20 08:57:12 +00:00
|
|
|
isdtls = 1;
|
2023-03-09 17:06:33 +00:00
|
|
|
isquic = 0;
|
2016-01-18 18:10:21 +00:00
|
|
|
#endif
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_DTLS1_2:
|
2016-01-18 18:10:21 +00:00
|
|
|
#ifndef OPENSSL_NO_DTLS1_2
|
2016-02-02 22:58:49 +00:00
|
|
|
meth = DTLS_client_method();
|
|
|
|
|
min_version = DTLS1_2_VERSION;
|
|
|
|
|
max_version = DTLS1_2_VERSION;
|
2013-03-20 15:49:14 +00:00
|
|
|
socket_type = SOCK_DGRAM;
|
2017-04-20 08:57:12 +00:00
|
|
|
isdtls = 1;
|
2023-03-09 17:06:33 +00:00
|
|
|
isquic = 0;
|
|
|
|
|
#endif
|
|
|
|
|
break;
|
|
|
|
|
case OPT_QUIC:
|
|
|
|
|
#ifndef OPENSSL_NO_QUIC
|
|
|
|
|
meth = OSSL_QUIC_client_method();
|
|
|
|
|
min_version = 0;
|
|
|
|
|
max_version = 0;
|
|
|
|
|
socket_type = SOCK_DGRAM;
|
|
|
|
|
# ifndef OPENSSL_NO_DTLS
|
|
|
|
|
isdtls = 0;
|
|
|
|
|
# endif
|
|
|
|
|
isquic = 1;
|
2017-04-20 08:57:12 +00:00
|
|
|
#endif
|
|
|
|
|
break;
|
|
|
|
|
case OPT_SCTP:
|
|
|
|
|
#ifndef OPENSSL_NO_SCTP
|
|
|
|
|
protocol = IPPROTO_SCTP;
|
2018-12-26 11:44:53 +00:00
|
|
|
#endif
|
|
|
|
|
break;
|
|
|
|
|
case OPT_SCTP_LABEL_BUG:
|
|
|
|
|
#ifndef OPENSSL_NO_SCTP
|
|
|
|
|
sctp_label_bug = 1;
|
2016-01-18 18:10:21 +00:00
|
|
|
#endif
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_TIMEOUT:
|
2016-01-18 18:10:21 +00:00
|
|
|
#ifndef OPENSSL_NO_DTLS
|
2005-04-26 16:02:40 +00:00
|
|
|
enable_timeouts = 1;
|
2016-01-18 18:10:21 +00:00
|
|
|
#endif
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_MTU:
|
2016-01-18 18:10:21 +00:00
|
|
|
#ifndef OPENSSL_NO_DTLS
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
socket_mtu = atol(opt_arg());
|
1998-12-21 10:52:47 +00:00
|
|
|
#endif
|
2016-01-18 18:10:21 +00:00
|
|
|
break;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
case OPT_FALLBACKSCSV:
|
2014-10-15 08:43:50 +00:00
|
|
|
fallback_scsv = 1;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_KEYFORM:
|
2020-05-06 11:51:50 +00:00
|
|
|
if (!opt_format(opt_arg(), OPT_FMT_ANY, &key_format))
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
goto opthelp;
|
|
|
|
|
break;
|
|
|
|
|
case OPT_PASS:
|
|
|
|
|
passarg = opt_arg();
|
|
|
|
|
break;
|
|
|
|
|
case OPT_CERT_CHAIN:
|
|
|
|
|
chain_file = opt_arg();
|
|
|
|
|
break;
|
|
|
|
|
case OPT_KEY:
|
|
|
|
|
key_file = opt_arg();
|
|
|
|
|
break;
|
|
|
|
|
case OPT_RECONNECT:
|
1998-12-21 10:52:47 +00:00
|
|
|
reconnect = 5;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_CAPATH:
|
|
|
|
|
CApath = opt_arg();
|
|
|
|
|
break;
|
2015-09-22 15:00:52 +00:00
|
|
|
case OPT_NOCAPATH:
|
|
|
|
|
noCApath = 1;
|
|
|
|
|
break;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
case OPT_CHAINCAPATH:
|
|
|
|
|
chCApath = opt_arg();
|
|
|
|
|
break;
|
|
|
|
|
case OPT_VERIFYCAPATH:
|
|
|
|
|
vfyCApath = opt_arg();
|
|
|
|
|
break;
|
|
|
|
|
case OPT_BUILD_CHAIN:
|
2012-07-23 23:34:28 +00:00
|
|
|
build_chain = 1;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
2017-03-20 18:32:43 +00:00
|
|
|
case OPT_REQCAFILE:
|
|
|
|
|
ReqCAfile = opt_arg();
|
|
|
|
|
break;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
case OPT_CAFILE:
|
|
|
|
|
CAfile = opt_arg();
|
|
|
|
|
break;
|
2015-09-22 15:00:52 +00:00
|
|
|
case OPT_NOCAFILE:
|
|
|
|
|
noCAfile = 1;
|
|
|
|
|
break;
|
2016-03-02 13:34:05 +00:00
|
|
|
#ifndef OPENSSL_NO_CT
|
|
|
|
|
case OPT_NOCT:
|
2016-04-07 18:17:37 +00:00
|
|
|
ct_validation = 0;
|
2016-03-02 13:34:05 +00:00
|
|
|
break;
|
2016-04-07 18:17:37 +00:00
|
|
|
case OPT_CT:
|
|
|
|
|
ct_validation = 1;
|
2016-03-02 13:34:05 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_CTLOG_FILE:
|
|
|
|
|
ctlog_file = opt_arg();
|
|
|
|
|
break;
|
|
|
|
|
#endif
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
case OPT_CHAINCAFILE:
|
|
|
|
|
chCAfile = opt_arg();
|
|
|
|
|
break;
|
|
|
|
|
case OPT_VERIFYCAFILE:
|
|
|
|
|
vfyCAfile = opt_arg();
|
|
|
|
|
break;
|
2019-03-07 14:26:34 +00:00
|
|
|
case OPT_CASTORE:
|
|
|
|
|
CAstore = opt_arg();
|
|
|
|
|
break;
|
|
|
|
|
case OPT_NOCASTORE:
|
|
|
|
|
noCAstore = 1;
|
|
|
|
|
break;
|
|
|
|
|
case OPT_CHAINCASTORE:
|
|
|
|
|
chCAstore = opt_arg();
|
|
|
|
|
break;
|
|
|
|
|
case OPT_VERIFYCASTORE:
|
|
|
|
|
vfyCAstore = opt_arg();
|
|
|
|
|
break;
|
2015-12-29 19:25:50 +00:00
|
|
|
case OPT_DANE_TLSA_DOMAIN:
|
|
|
|
|
dane_tlsa_domain = opt_arg();
|
|
|
|
|
break;
|
|
|
|
|
case OPT_DANE_TLSA_RRDATA:
|
|
|
|
|
if (dane_tlsa_rrset == NULL)
|
|
|
|
|
dane_tlsa_rrset = sk_OPENSSL_STRING_new_null();
|
|
|
|
|
if (dane_tlsa_rrset == NULL ||
|
|
|
|
|
!sk_OPENSSL_STRING_push(dane_tlsa_rrset, opt_arg())) {
|
|
|
|
|
BIO_printf(bio_err, "%s: Memory allocation failure\n", prog);
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
break;
|
2016-08-19 15:59:47 +00:00
|
|
|
case OPT_DANE_EE_NO_NAME:
|
|
|
|
|
dane_ee_no_name = 1;
|
|
|
|
|
break;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
case OPT_NEXTPROTONEG:
|
2016-04-11 10:41:19 +00:00
|
|
|
#ifndef OPENSSL_NO_NEXTPROTONEG
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
next_proto_neg_in = opt_arg();
|
2016-04-11 10:41:19 +00:00
|
|
|
#endif
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_ALPN:
|
|
|
|
|
alpn_in = opt_arg();
|
|
|
|
|
break;
|
|
|
|
|
case OPT_SERVERINFO:
|
|
|
|
|
p = opt_arg();
|
|
|
|
|
len = strlen(p);
|
|
|
|
|
for (start = 0, i = 0; i <= len; ++i) {
|
|
|
|
|
if (i == len || p[i] == ',') {
|
|
|
|
|
serverinfo_types[serverinfo_count] = atoi(p + start);
|
|
|
|
|
if (++serverinfo_count == MAX_SI_TYPES)
|
|
|
|
|
break;
|
2013-05-13 01:55:27 +00:00
|
|
|
start = i + 1;
|
|
|
|
|
}
|
|
|
|
|
}
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_STARTTLS:
|
|
|
|
|
if (!opt_pair(opt_arg(), services, &starttls_proto))
|
|
|
|
|
goto end;
|
2016-04-15 13:11:09 +00:00
|
|
|
break;
|
2021-09-08 20:23:04 +00:00
|
|
|
case OPT_TFO:
|
|
|
|
|
tfo = 1;
|
|
|
|
|
break;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
case OPT_SERVERNAME:
|
|
|
|
|
servername = opt_arg();
|
|
|
|
|
break;
|
2017-02-13 13:26:37 +00:00
|
|
|
case OPT_NOSERVERNAME:
|
|
|
|
|
noservername = 1;
|
|
|
|
|
break;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
case OPT_USE_SRTP:
|
2018-05-14 14:41:06 +00:00
|
|
|
#ifndef OPENSSL_NO_SRTP
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
srtp_profiles = opt_arg();
|
2018-05-14 14:41:06 +00:00
|
|
|
#endif
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_KEYMATEXPORT:
|
|
|
|
|
keymatexportlabel = opt_arg();
|
|
|
|
|
break;
|
|
|
|
|
case OPT_KEYMATEXPORTLEN:
|
|
|
|
|
keymatexportlen = atoi(opt_arg());
|
1998-12-21 10:52:47 +00:00
|
|
|
break;
|
2015-02-13 23:33:12 +00:00
|
|
|
case OPT_ASYNC:
|
|
|
|
|
async = 1;
|
|
|
|
|
break;
|
2017-11-05 16:46:48 +00:00
|
|
|
case OPT_MAXFRAGLEN:
|
|
|
|
|
len = atoi(opt_arg());
|
|
|
|
|
switch (len) {
|
|
|
|
|
case 512:
|
|
|
|
|
maxfraglen = TLSEXT_max_fragment_length_512;
|
|
|
|
|
break;
|
|
|
|
|
case 1024:
|
|
|
|
|
maxfraglen = TLSEXT_max_fragment_length_1024;
|
|
|
|
|
break;
|
|
|
|
|
case 2048:
|
|
|
|
|
maxfraglen = TLSEXT_max_fragment_length_2048;
|
|
|
|
|
break;
|
|
|
|
|
case 4096:
|
|
|
|
|
maxfraglen = TLSEXT_max_fragment_length_4096;
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
BIO_printf(bio_err,
|
|
|
|
|
"%s: Max Fragment Len %u is out of permitted values",
|
|
|
|
|
prog, len);
|
|
|
|
|
goto opthelp;
|
|
|
|
|
}
|
|
|
|
|
break;
|
2017-04-06 21:47:18 +00:00
|
|
|
case OPT_MAX_SEND_FRAG:
|
|
|
|
|
max_send_fragment = atoi(opt_arg());
|
|
|
|
|
break;
|
2015-09-22 10:23:33 +00:00
|
|
|
case OPT_SPLIT_SEND_FRAG:
|
|
|
|
|
split_send_fragment = atoi(opt_arg());
|
|
|
|
|
break;
|
|
|
|
|
case OPT_MAX_PIPELINES:
|
|
|
|
|
max_pipelines = atoi(opt_arg());
|
|
|
|
|
break;
|
2016-01-13 14:20:25 +00:00
|
|
|
case OPT_READ_BUF:
|
|
|
|
|
read_buf_len = atoi(opt_arg());
|
|
|
|
|
break;
|
2017-02-01 18:14:27 +00:00
|
|
|
case OPT_KEYLOG_FILE:
|
|
|
|
|
keylog_file = opt_arg();
|
|
|
|
|
break;
|
2017-02-20 16:00:20 +00:00
|
|
|
case OPT_EARLY_DATA:
|
|
|
|
|
early_data_file = opt_arg();
|
|
|
|
|
break;
|
2018-08-13 14:23:27 +00:00
|
|
|
case OPT_ENABLE_PHA:
|
|
|
|
|
enable_pha = 1;
|
Add TLSv1.3 post-handshake authentication (PHA)
Add SSL_verify_client_post_handshake() for servers to initiate PHA
Add SSL_force_post_handshake_auth() for clients that don't have certificates
initially configured, but use a certificate callback.
Update SSL_CTX_set_verify()/SSL_set_verify() mode:
* Add SSL_VERIFY_POST_HANDSHAKE to postpone client authentication until after
the initial handshake.
* Update SSL_VERIFY_CLIENT_ONCE now only sends out one CertRequest regardless
of when the certificate authentication takes place; either initial handshake,
re-negotiation, or post-handshake authentication.
Add 'RequestPostHandshake' and 'RequirePostHandshake' SSL_CONF options that
add the SSL_VERIFY_POST_HANDSHAKE to the 'Request' and 'Require' options
Add support to s_client:
* Enabled automatically when cert is configured
* Can be forced enabled via -force_pha
Add support to s_server:
* Use 'c' to invoke PHA in s_server
* Remove some dead code
Update documentation
Update unit tests:
* Illegal use of PHA extension
* TLSv1.3 certificate tests
DTLS and TLS behave ever-so-slightly differently. So, when DTLS1.3 is
implemented, it's PHA support state machine may need to be different.
Add a TODO and a #error
Update handshake context to deal with PHA.
The handshake context for TLSv1.3 post-handshake auth is up through the
ClientFinish message, plus the CertificateRequest message. Subsequent
Certificate, CertificateVerify, and Finish messages are based on this
handshake context (not the Certificate message per se, but it's included
after the hash). KeyUpdate, NewSessionTicket, and prior Certificate
Request messages are not included in post-handshake authentication.
After the ClientFinished message is processed, save off the digest state
for future post-handshake authentication. When post-handshake auth occurs,
copy over the saved handshake context into the "main" handshake digest.
This effectively discards the any KeyUpdate or NewSessionTicket messages
and any prior post-handshake authentication.
This, of course, assumes that the ID-22 did not mean to include any
previous post-handshake authentication into the new handshake transcript.
This is implied by section 4.4.1 that lists messages only up to the
first ClientFinished.
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4964)
2017-12-18 21:52:28 +00:00
|
|
|
break;
|
2021-09-15 03:00:50 +00:00
|
|
|
case OPT_KTLS:
|
|
|
|
|
#ifndef OPENSSL_NO_KTLS
|
|
|
|
|
enable_ktls = 1;
|
|
|
|
|
#endif
|
|
|
|
|
break;
|
2021-01-27 19:23:33 +00:00
|
|
|
case OPT_ENABLE_SERVER_RPK:
|
|
|
|
|
enable_server_rpk = 1;
|
|
|
|
|
break;
|
|
|
|
|
case OPT_ENABLE_CLIENT_RPK:
|
|
|
|
|
enable_client_rpk = 1;
|
|
|
|
|
break;
|
1998-12-21 10:52:47 +00:00
|
|
|
}
|
|
|
|
|
}
|
2018-12-11 23:04:44 +00:00
|
|
|
|
2020-11-28 21:12:58 +00:00
|
|
|
/* Optional argument is connect string if -connect not used. */
|
2021-08-27 13:33:18 +00:00
|
|
|
if (opt_num_rest() == 1) {
|
2021-02-08 18:45:23 +00:00
|
|
|
/* Don't allow -connect and a separate argument. */
|
2020-11-28 21:12:58 +00:00
|
|
|
if (connectstr != NULL) {
|
|
|
|
|
BIO_printf(bio_err,
|
|
|
|
|
"%s: cannot provide both -connect option and target parameter\n",
|
|
|
|
|
prog);
|
|
|
|
|
goto opthelp;
|
|
|
|
|
}
|
|
|
|
|
connect_type = use_inet;
|
|
|
|
|
freeandcopy(&connectstr, *opt_rest());
|
2021-08-27 13:33:18 +00:00
|
|
|
} else if (!opt_check_rest_arg(NULL)) {
|
2020-11-28 21:12:58 +00:00
|
|
|
goto opthelp;
|
|
|
|
|
}
|
2021-04-03 10:53:51 +00:00
|
|
|
if (!app_RAND_load())
|
|
|
|
|
goto end;
|
2020-11-28 21:12:58 +00:00
|
|
|
|
2023-03-16 15:08:04 +00:00
|
|
|
if (c_ign_eof)
|
|
|
|
|
cmdmode = USER_DATA_MODE_NONE;
|
|
|
|
|
|
2016-06-08 16:22:14 +00:00
|
|
|
if (count4or6 >= 2) {
|
|
|
|
|
BIO_printf(bio_err, "%s: Can't use both -4 and -6\n", prog);
|
|
|
|
|
goto opthelp;
|
|
|
|
|
}
|
2017-02-13 13:26:37 +00:00
|
|
|
if (noservername) {
|
|
|
|
|
if (servername != NULL) {
|
|
|
|
|
BIO_printf(bio_err,
|
|
|
|
|
"%s: Can't use -servername and -noservername together\n",
|
|
|
|
|
prog);
|
|
|
|
|
goto opthelp;
|
|
|
|
|
}
|
|
|
|
|
if (dane_tlsa_domain != NULL) {
|
|
|
|
|
BIO_printf(bio_err,
|
|
|
|
|
"%s: Can't use -dane_tlsa_domain and -noservername together\n",
|
|
|
|
|
prog);
|
|
|
|
|
goto opthelp;
|
|
|
|
|
}
|
|
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2017-06-16 10:12:02 +00:00
|
|
|
#ifndef OPENSSL_NO_NEXTPROTONEG
|
|
|
|
|
if (min_version == TLS1_3_VERSION && next_proto_neg_in != NULL) {
|
|
|
|
|
BIO_printf(bio_err, "Cannot supply -nextprotoneg with TLSv1.3\n");
|
|
|
|
|
goto opthelp;
|
|
|
|
|
}
|
|
|
|
|
#endif
|
2020-05-20 00:25:10 +00:00
|
|
|
|
|
|
|
|
if (connectstr != NULL) {
|
2016-02-02 23:47:42 +00:00
|
|
|
int res;
|
|
|
|
|
char *tmp_host = host, *tmp_port = port;
|
2020-05-20 00:25:10 +00:00
|
|
|
|
|
|
|
|
res = BIO_parse_hostserv(connectstr, &host, &port, BIO_PARSE_PRIO_HOST);
|
2016-02-02 23:47:42 +00:00
|
|
|
if (tmp_host != host)
|
|
|
|
|
OPENSSL_free(tmp_host);
|
|
|
|
|
if (tmp_port != port)
|
|
|
|
|
OPENSSL_free(tmp_port);
|
|
|
|
|
if (!res) {
|
2016-08-07 10:04:26 +00:00
|
|
|
BIO_printf(bio_err,
|
2020-05-20 00:25:10 +00:00
|
|
|
"%s: -connect argument or target parameter malformed or ambiguous\n",
|
|
|
|
|
prog);
|
2016-02-02 23:47:42 +00:00
|
|
|
goto end;
|
|
|
|
|
}
|
2020-05-20 00:25:10 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (proxystr != NULL) {
|
2023-06-01 17:55:54 +00:00
|
|
|
#ifndef OPENSSL_NO_HTTP
|
2020-05-20 00:25:10 +00:00
|
|
|
int res;
|
2016-02-02 23:47:42 +00:00
|
|
|
char *tmp_host = host, *tmp_port = port;
|
2020-05-20 00:25:10 +00:00
|
|
|
|
|
|
|
|
if (host == NULL || port == NULL) {
|
|
|
|
|
BIO_printf(bio_err, "%s: -proxy requires use of -connect or target parameter\n", prog);
|
|
|
|
|
goto opthelp;
|
|
|
|
|
}
|
|
|
|
|
|
2021-12-09 16:27:47 +00:00
|
|
|
if (servername == NULL && !noservername) {
|
|
|
|
|
servername = sname_alloc = OPENSSL_strdup(host);
|
|
|
|
|
if (sname_alloc == NULL) {
|
|
|
|
|
BIO_printf(bio_err, "%s: out of memory\n", prog);
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2020-05-20 00:25:10 +00:00
|
|
|
/* Retain the original target host:port for use in the HTTP proxy connect string */
|
|
|
|
|
thost = OPENSSL_strdup(host);
|
|
|
|
|
tport = OPENSSL_strdup(port);
|
|
|
|
|
if (thost == NULL || tport == NULL) {
|
|
|
|
|
BIO_printf(bio_err, "%s: out of memory\n", prog);
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
res = BIO_parse_hostserv(proxystr, &host, &port, BIO_PARSE_PRIO_HOST);
|
2016-02-02 23:47:42 +00:00
|
|
|
if (tmp_host != host)
|
|
|
|
|
OPENSSL_free(tmp_host);
|
|
|
|
|
if (tmp_port != port)
|
|
|
|
|
OPENSSL_free(tmp_port);
|
|
|
|
|
if (!res) {
|
|
|
|
|
BIO_printf(bio_err,
|
2020-05-20 00:25:10 +00:00
|
|
|
"%s: -proxy argument malformed or ambiguous\n", prog);
|
2015-05-08 19:34:07 +00:00
|
|
|
goto end;
|
2016-02-02 23:47:42 +00:00
|
|
|
}
|
2023-06-01 17:55:54 +00:00
|
|
|
#else
|
|
|
|
|
BIO_printf(bio_err,
|
|
|
|
|
"%s: -proxy not supported in no-http build\n", prog);
|
|
|
|
|
goto end;
|
|
|
|
|
#endif
|
2015-05-08 19:34:07 +00:00
|
|
|
}
|
|
|
|
|
|
2023-06-01 17:55:54 +00:00
|
|
|
|
2018-02-08 09:49:02 +00:00
|
|
|
if (bindstr != NULL) {
|
|
|
|
|
int res;
|
|
|
|
|
res = BIO_parse_hostserv(bindstr, &bindhost, &bindport,
|
|
|
|
|
BIO_PARSE_PRIO_HOST);
|
|
|
|
|
if (!res) {
|
|
|
|
|
BIO_printf(bio_err,
|
|
|
|
|
"%s: -bind argument parameter malformed or ambiguous\n",
|
|
|
|
|
prog);
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2017-08-01 11:24:13 +00:00
|
|
|
#ifdef AF_UNIX
|
2016-02-02 23:47:42 +00:00
|
|
|
if (socket_family == AF_UNIX && socket_type != SOCK_STREAM) {
|
s_client/s_server: support unix domain sockets
The "-unix <path>" argument allows s_server and s_client to use a unix
domain socket in the filesystem instead of IPv4 ("-connect", "-port",
"-accept", etc). If s_server exits gracefully, such as when "-naccept"
is used and the requested number of SSL/TLS connections have occurred,
then the domain socket file is removed. On ctrl-C, it is likely that
the stale socket file will be left over, such that s_server would
normally fail to restart with the same arguments. For this reason,
s_server also supports an "-unlink" option, which will clean up any
stale socket file before starting.
If you have any reason to want encrypted IPC within an O/S instance,
this concept might come in handy. Otherwise it just demonstrates that
there is nothing about SSL/TLS that limits it to TCP/IP in any way.
(There might also be benchmarking and profiling use in this path, as
unix domain sockets are much lower overhead than connecting over local
IP addresses).
Signed-off-by: Geoff Thorpe <geoff@openssl.org>
2014-04-26 05:22:54 +00:00
|
|
|
BIO_printf(bio_err,
|
|
|
|
|
"Can't use unix sockets and datagrams together\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
2017-08-01 11:24:13 +00:00
|
|
|
#endif
|
2008-11-16 12:47:12 +00:00
|
|
|
|
2017-04-20 08:57:12 +00:00
|
|
|
#ifndef OPENSSL_NO_SCTP
|
|
|
|
|
if (protocol == IPPROTO_SCTP) {
|
|
|
|
|
if (socket_type != SOCK_DGRAM) {
|
|
|
|
|
BIO_printf(bio_err, "Can't use -sctp without DTLS\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
/* SCTP is unusual. It uses DTLS over a SOCK_STREAM protocol */
|
|
|
|
|
socket_type = SOCK_STREAM;
|
|
|
|
|
}
|
|
|
|
|
#endif
|
2015-09-22 10:23:33 +00:00
|
|
|
|
2015-05-15 09:49:56 +00:00
|
|
|
#if !defined(OPENSSL_NO_NEXTPROTONEG)
|
2010-07-28 10:06:55 +00:00
|
|
|
next_proto.status = -1;
|
|
|
|
|
if (next_proto_neg_in) {
|
|
|
|
|
next_proto.data =
|
|
|
|
|
next_protos_parse(&next_proto.len, next_proto_neg_in);
|
|
|
|
|
if (next_proto.data == NULL) {
|
|
|
|
|
BIO_printf(bio_err, "Error parsing -nextprotoneg argument\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
} else
|
|
|
|
|
next_proto.data = NULL;
|
|
|
|
|
#endif
|
|
|
|
|
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
if (!app_passwd(passarg, NULL, &pass, NULL)) {
|
2019-01-03 00:32:00 +00:00
|
|
|
BIO_printf(bio_err, "Error getting private key password\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (!app_passwd(proxypassarg, NULL, &proxypass, NULL)) {
|
|
|
|
|
BIO_printf(bio_err, "Error getting proxy password\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (proxypass != NULL && proxyuser == NULL) {
|
|
|
|
|
BIO_printf(bio_err, "Error: Must specify proxy_user with proxy_pass\n");
|
2004-11-16 17:30:59 +00:00
|
|
|
goto end;
|
|
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2004-11-16 17:30:59 +00:00
|
|
|
if (key_file == NULL)
|
|
|
|
|
key_file = cert_file;
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2017-06-12 17:24:02 +00:00
|
|
|
if (key_file != NULL) {
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
key = load_key(key_file, key_format, 0, pass, e,
|
2020-09-16 23:39:00 +00:00
|
|
|
"client certificate private key");
|
2020-04-22 12:58:41 +00:00
|
|
|
if (key == NULL)
|
2004-12-13 18:02:23 +00:00
|
|
|
goto end;
|
|
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2017-06-12 17:24:02 +00:00
|
|
|
if (cert_file != NULL) {
|
2021-04-30 14:57:53 +00:00
|
|
|
cert = load_cert_pass(cert_file, cert_format, 1, pass,
|
|
|
|
|
"client certificate");
|
2020-04-22 12:58:41 +00:00
|
|
|
if (cert == NULL)
|
2004-12-13 18:02:23 +00:00
|
|
|
goto end;
|
|
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2017-06-12 17:24:02 +00:00
|
|
|
if (chain_file != NULL) {
|
2021-03-05 20:05:35 +00:00
|
|
|
if (!load_certs(chain_file, 0, &chain, pass, "client certificate chain"))
|
2012-12-12 00:50:26 +00:00
|
|
|
goto end;
|
|
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2017-06-12 17:24:02 +00:00
|
|
|
if (crl_file != NULL) {
|
2012-12-02 16:16:28 +00:00
|
|
|
X509_CRL *crl;
|
2021-04-30 14:57:53 +00:00
|
|
|
crl = load_crl(crl_file, crl_format, 0, "CRL");
|
2017-12-15 19:50:37 +00:00
|
|
|
if (crl == NULL)
|
2012-12-02 16:16:28 +00:00
|
|
|
goto end;
|
|
|
|
|
crls = sk_X509_CRL_new_null();
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
if (crls == NULL || !sk_X509_CRL_push(crls, crl)) {
|
2012-12-02 16:16:28 +00:00
|
|
|
BIO_puts(bio_err, "Error adding CRL\n");
|
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
|
X509_CRL_free(crl);
|
|
|
|
|
goto end;
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
2012-12-02 16:16:28 +00:00
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
if (!load_excert(&exc))
|
2012-07-03 14:53:27 +00:00
|
|
|
goto end;
|
2015-01-22 03:40:55 +00:00
|
|
|
|
1998-12-21 10:52:47 +00:00
|
|
|
if (bio_c_out == NULL) {
|
2012-11-21 17:11:42 +00:00
|
|
|
if (c_quiet && !c_debug) {
|
1998-12-21 10:52:47 +00:00
|
|
|
bio_c_out = BIO_new(BIO_s_null());
|
2022-01-05 07:54:10 +00:00
|
|
|
if (c_msg && bio_c_msg == NULL) {
|
2015-09-06 10:20:12 +00:00
|
|
|
bio_c_msg = dup_bio_out(FORMAT_TEXT);
|
2022-01-05 07:54:10 +00:00
|
|
|
if (bio_c_msg == NULL) {
|
|
|
|
|
BIO_printf(bio_err, "Out of memory\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
} else {
|
2015-09-06 10:20:12 +00:00
|
|
|
bio_c_out = dup_bio_out(FORMAT_TEXT);
|
2022-01-05 07:54:10 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (bio_c_out == NULL) {
|
|
|
|
|
BIO_printf(bio_err, "Unable to create BIO\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
2011-03-12 17:01:19 +00:00
|
|
|
#ifndef OPENSSL_NO_SRP
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
if (!app_passwd(srppass, NULL, &srp_arg.srppassin, NULL)) {
|
2011-03-12 17:01:19 +00:00
|
|
|
BIO_printf(bio_err, "Error getting password\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
#endif
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2021-02-15 19:07:27 +00:00
|
|
|
ctx = SSL_CTX_new_ex(app_get0_libctx(), app_get0_propq(), meth);
|
1998-12-21 10:52:47 +00:00
|
|
|
if (ctx == NULL) {
|
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2018-05-15 17:01:41 +00:00
|
|
|
SSL_CTX_clear_mode(ctx, SSL_MODE_AUTO_RETRY);
|
|
|
|
|
|
2014-02-17 00:10:00 +00:00
|
|
|
if (sdebug)
|
2015-04-29 15:27:08 +00:00
|
|
|
ssl_ctx_security_debug(ctx, sdebug);
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2018-03-19 19:33:50 +00:00
|
|
|
if (!config_ctx(cctx, ssl_args, ctx))
|
|
|
|
|
goto end;
|
|
|
|
|
|
2017-06-12 17:24:02 +00:00
|
|
|
if (ssl_config != NULL) {
|
2015-07-08 22:09:52 +00:00
|
|
|
if (SSL_CTX_config(ctx, ssl_config) == 0) {
|
|
|
|
|
BIO_printf(bio_err, "Error using configuration \"%s\"\n",
|
|
|
|
|
ssl_config);
|
2016-08-07 10:04:26 +00:00
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
|
goto end;
|
2015-07-08 22:09:52 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2018-12-26 11:44:53 +00:00
|
|
|
#ifndef OPENSSL_NO_SCTP
|
|
|
|
|
if (protocol == IPPROTO_SCTP && sctp_label_bug == 1)
|
|
|
|
|
SSL_CTX_set_mode(ctx, SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG);
|
|
|
|
|
#endif
|
|
|
|
|
|
2018-03-19 19:33:50 +00:00
|
|
|
if (min_version != 0
|
|
|
|
|
&& SSL_CTX_set_min_proto_version(ctx, min_version) == 0)
|
2016-02-02 22:58:49 +00:00
|
|
|
goto end;
|
2018-03-19 19:33:50 +00:00
|
|
|
if (max_version != 0
|
|
|
|
|
&& SSL_CTX_set_max_proto_version(ctx, max_version) == 0)
|
2016-02-02 22:58:49 +00:00
|
|
|
goto end;
|
|
|
|
|
|
2020-05-05 13:20:42 +00:00
|
|
|
if (ignore_unexpected_eof)
|
|
|
|
|
SSL_CTX_set_options(ctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
|
2021-09-15 03:00:50 +00:00
|
|
|
#ifndef OPENSSL_NO_KTLS
|
|
|
|
|
if (enable_ktls)
|
|
|
|
|
SSL_CTX_set_options(ctx, SSL_OP_ENABLE_KTLS);
|
|
|
|
|
#endif
|
2020-05-05 13:20:42 +00:00
|
|
|
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
if (vpmtouched && !SSL_CTX_set1_param(ctx, vpm)) {
|
2015-03-06 14:39:46 +00:00
|
|
|
BIO_printf(bio_err, "Error setting verify params\n");
|
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2015-09-16 22:09:15 +00:00
|
|
|
if (async) {
|
2015-02-13 23:33:12 +00:00
|
|
|
SSL_CTX_set_mode(ctx, SSL_MODE_ASYNC);
|
2015-09-16 22:09:15 +00:00
|
|
|
}
|
2017-04-06 21:47:18 +00:00
|
|
|
|
2017-04-07 17:15:38 +00:00
|
|
|
if (max_send_fragment > 0
|
|
|
|
|
&& !SSL_CTX_set_max_send_fragment(ctx, max_send_fragment)) {
|
|
|
|
|
BIO_printf(bio_err, "%s: Max send fragment size %u is out of permitted range\n",
|
|
|
|
|
prog, max_send_fragment);
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
2017-04-06 21:47:18 +00:00
|
|
|
|
2017-04-07 17:15:38 +00:00
|
|
|
if (split_send_fragment > 0
|
|
|
|
|
&& !SSL_CTX_set_split_send_fragment(ctx, split_send_fragment)) {
|
|
|
|
|
BIO_printf(bio_err, "%s: Split send fragment size %u is out of permitted range\n",
|
|
|
|
|
prog, split_send_fragment);
|
|
|
|
|
goto end;
|
2015-09-22 10:23:33 +00:00
|
|
|
}
|
2017-04-07 17:15:38 +00:00
|
|
|
|
|
|
|
|
if (max_pipelines > 0
|
|
|
|
|
&& !SSL_CTX_set_max_pipelines(ctx, max_pipelines)) {
|
|
|
|
|
BIO_printf(bio_err, "%s: Max pipelines %u is out of permitted range\n",
|
|
|
|
|
prog, max_pipelines);
|
|
|
|
|
goto end;
|
2015-09-22 10:23:33 +00:00
|
|
|
}
|
2015-02-13 23:33:12 +00:00
|
|
|
|
2016-01-13 14:20:25 +00:00
|
|
|
if (read_buf_len > 0) {
|
|
|
|
|
SSL_CTX_set_default_read_buffer_len(ctx, read_buf_len);
|
|
|
|
|
}
|
|
|
|
|
|
2017-11-05 16:46:48 +00:00
|
|
|
if (maxfraglen > 0
|
|
|
|
|
&& !SSL_CTX_set_tlsext_max_fragment_length(ctx, maxfraglen)) {
|
|
|
|
|
BIO_printf(bio_err,
|
|
|
|
|
"%s: Max Fragment Length code %u is out of permitted values"
|
|
|
|
|
"\n", prog, maxfraglen);
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
2019-03-07 14:26:34 +00:00
|
|
|
if (!ssl_load_stores(ctx,
|
|
|
|
|
vfyCApath, vfyCAfile, vfyCAstore,
|
|
|
|
|
chCApath, chCAfile, chCAstore,
|
2012-12-06 18:43:40 +00:00
|
|
|
crls, crl_download)) {
|
2012-11-23 18:56:25 +00:00
|
|
|
BIO_printf(bio_err, "Error loading store locations\n");
|
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
2017-03-20 18:32:43 +00:00
|
|
|
if (ReqCAfile != NULL) {
|
|
|
|
|
STACK_OF(X509_NAME) *nm = sk_X509_NAME_new_null();
|
2017-03-31 16:04:28 +00:00
|
|
|
|
2017-03-20 18:32:43 +00:00
|
|
|
if (nm == NULL || !SSL_add_file_cert_subjects_to_stack(nm, ReqCAfile)) {
|
|
|
|
|
sk_X509_NAME_pop_free(nm, X509_NAME_free);
|
|
|
|
|
BIO_printf(bio_err, "Error loading CA names\n");
|
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
SSL_CTX_set0_CA_list(ctx, nm);
|
|
|
|
|
}
|
2008-06-03 11:26:27 +00:00
|
|
|
#ifndef OPENSSL_NO_ENGINE
|
|
|
|
|
if (ssl_client_engine) {
|
|
|
|
|
if (!SSL_CTX_set_client_cert_engine(ctx, ssl_client_engine)) {
|
|
|
|
|
BIO_puts(bio_err, "Error setting client auth engine\n");
|
|
|
|
|
ERR_print_errors(bio_err);
|
2020-09-30 16:01:06 +00:00
|
|
|
release_engine(ssl_client_engine);
|
2008-06-03 11:26:27 +00:00
|
|
|
goto end;
|
|
|
|
|
}
|
2020-09-30 16:01:06 +00:00
|
|
|
release_engine(ssl_client_engine);
|
2008-06-03 11:26:27 +00:00
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
|
2006-03-10 23:06:27 +00:00
|
|
|
#ifndef OPENSSL_NO_PSK
|
2016-02-14 05:17:59 +00:00
|
|
|
if (psk_key != NULL) {
|
2006-03-10 23:06:27 +00:00
|
|
|
if (c_debug)
|
2016-08-07 10:04:26 +00:00
|
|
|
BIO_printf(bio_c_out, "PSK key given, setting client callback\n");
|
2006-03-10 23:06:27 +00:00
|
|
|
SSL_CTX_set_psk_client_callback(ctx, psk_client_cb);
|
|
|
|
|
}
|
2014-12-22 11:15:51 +00:00
|
|
|
#endif
|
2017-06-12 15:57:06 +00:00
|
|
|
if (psksessf != NULL) {
|
|
|
|
|
BIO *stmp = BIO_new_file(psksessf, "r");
|
|
|
|
|
|
|
|
|
|
if (stmp == NULL) {
|
|
|
|
|
BIO_printf(bio_err, "Can't open PSK session file %s\n", psksessf);
|
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
psksess = PEM_read_bio_SSL_SESSION(stmp, NULL, 0, NULL);
|
|
|
|
|
BIO_free(stmp);
|
|
|
|
|
if (psksess == NULL) {
|
|
|
|
|
BIO_printf(bio_err, "Can't read PSK session file %s\n", psksessf);
|
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
}
|
2017-06-12 18:12:13 +00:00
|
|
|
if (psk_key != NULL || psksess != NULL)
|
|
|
|
|
SSL_CTX_set_psk_use_session_callback(ctx, psk_use_session_cb);
|
|
|
|
|
|
2014-12-22 11:15:51 +00:00
|
|
|
#ifndef OPENSSL_NO_SRTP
|
2015-03-06 14:39:46 +00:00
|
|
|
if (srtp_profiles != NULL) {
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
/* Returns 0 on success! */
|
|
|
|
|
if (SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles) != 0) {
|
2015-03-06 14:39:46 +00:00
|
|
|
BIO_printf(bio_err, "Error setting SRTP profile\n");
|
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
}
|
2006-03-10 23:06:27 +00:00
|
|
|
#endif
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
|
2017-06-12 17:24:02 +00:00
|
|
|
if (exc != NULL)
|
2012-07-03 14:53:27 +00:00
|
|
|
ssl_ctx_set_excert(ctx, exc);
|
1998-12-21 10:52:47 +00:00
|
|
|
|
2015-05-15 09:49:56 +00:00
|
|
|
#if !defined(OPENSSL_NO_NEXTPROTONEG)
|
2017-06-12 17:24:02 +00:00
|
|
|
if (next_proto.data != NULL)
|
2010-07-28 10:06:55 +00:00
|
|
|
SSL_CTX_set_next_proto_select_cb(ctx, next_proto_cb, &next_proto);
|
2015-05-15 09:49:56 +00:00
|
|
|
#endif
|
2013-04-15 22:07:47 +00:00
|
|
|
if (alpn_in) {
|
2016-03-05 13:47:55 +00:00
|
|
|
size_t alpn_len;
|
2013-04-15 22:07:47 +00:00
|
|
|
unsigned char *alpn = next_protos_parse(&alpn_len, alpn_in);
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2013-04-15 22:07:47 +00:00
|
|
|
if (alpn == NULL) {
|
|
|
|
|
BIO_printf(bio_err, "Error parsing -alpn argument\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
/* Returns 0 on success! */
|
|
|
|
|
if (SSL_CTX_set_alpn_protos(ctx, alpn, alpn_len) != 0) {
|
2016-08-07 10:04:26 +00:00
|
|
|
BIO_printf(bio_err, "Error setting ALPN\n");
|
2015-03-06 14:39:46 +00:00
|
|
|
goto end;
|
|
|
|
|
}
|
2013-07-15 19:57:16 +00:00
|
|
|
OPENSSL_free(alpn);
|
2013-04-15 22:07:47 +00:00
|
|
|
}
|
2015-05-15 09:49:56 +00:00
|
|
|
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
for (i = 0; i < serverinfo_count; i++) {
|
2015-04-16 05:50:03 +00:00
|
|
|
if (!SSL_CTX_add_client_custom_ext(ctx,
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
serverinfo_types[i],
|
|
|
|
|
NULL, NULL, NULL,
|
|
|
|
|
serverinfo_cli_parse_cb, NULL)) {
|
|
|
|
|
BIO_printf(bio_err,
|
2016-08-07 10:04:26 +00:00
|
|
|
"Warning: Unable to add custom extension %u, skipping\n",
|
|
|
|
|
serverinfo_types[i]);
|
2015-03-06 14:39:46 +00:00
|
|
|
}
|
2013-05-13 01:55:27 +00:00
|
|
|
}
|
2010-07-28 10:06:55 +00:00
|
|
|
|
1998-12-21 10:52:47 +00:00
|
|
|
if (state)
|
|
|
|
|
SSL_CTX_set_info_callback(ctx, apps_ssl_info_callback);
|
|
|
|
|
|
2016-03-02 13:34:05 +00:00
|
|
|
#ifndef OPENSSL_NO_CT
|
2016-04-07 18:17:37 +00:00
|
|
|
/* Enable SCT processing, without early connection termination */
|
|
|
|
|
if (ct_validation &&
|
|
|
|
|
!SSL_CTX_enable_ct(ctx, SSL_CT_VALIDATION_PERMISSIVE)) {
|
2016-03-02 13:34:05 +00:00
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
2016-03-07 18:38:06 +00:00
|
|
|
if (!ctx_set_ctlog_list_file(ctx, ctlog_file)) {
|
2016-04-07 18:17:37 +00:00
|
|
|
if (ct_validation) {
|
2016-03-04 19:06:43 +00:00
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* If CT validation is not enabled, the log list isn't needed so don't
|
|
|
|
|
* show errors or abort. We try to load it regardless because then we
|
|
|
|
|
* can show the names of the logs any SCTs came from (SCTs may be seen
|
|
|
|
|
* even with validation disabled).
|
|
|
|
|
*/
|
|
|
|
|
ERR_clear_error();
|
2016-03-02 13:34:05 +00:00
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
|
1998-12-21 10:52:47 +00:00
|
|
|
SSL_CTX_set_verify(ctx, verify, verify_callback);
|
|
|
|
|
|
2019-03-07 14:26:34 +00:00
|
|
|
if (!ctx_set_verify_locations(ctx, CAfile, noCAfile, CApath, noCApath,
|
|
|
|
|
CAstore, noCAstore)) {
|
1998-12-21 10:52:47 +00:00
|
|
|
ERR_print_errors(bio_err);
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
goto end;
|
1998-12-21 10:52:47 +00:00
|
|
|
}
|
|
|
|
|
|
2012-12-06 18:43:40 +00:00
|
|
|
ssl_ctx_add_crls(ctx, crls, crl_download);
|
2012-12-02 16:16:28 +00:00
|
|
|
|
2012-12-12 00:50:26 +00:00
|
|
|
if (!set_cert_key_stuff(ctx, cert, key, chain, build_chain))
|
2012-07-23 23:34:28 +00:00
|
|
|
goto end;
|
|
|
|
|
|
2017-02-13 13:26:37 +00:00
|
|
|
if (!noservername) {
|
2006-01-02 23:14:37 +00:00
|
|
|
tlsextcbp.biodebug = bio_err;
|
|
|
|
|
SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
|
|
|
|
|
SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
|
2006-01-02 23:29:12 +00:00
|
|
|
}
|
2021-02-05 11:28:15 +00:00
|
|
|
#ifndef OPENSSL_NO_SRP
|
|
|
|
|
if (srp_arg.srplogin != NULL
|
|
|
|
|
&& !set_up_srp_arg(ctx, &srp_arg, srp_lateuser, c_msg, c_debug))
|
|
|
|
|
goto end;
|
2011-03-12 17:01:19 +00:00
|
|
|
# endif
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2015-12-29 19:25:50 +00:00
|
|
|
if (dane_tlsa_domain != NULL) {
|
|
|
|
|
if (SSL_CTX_dane_enable(ctx) <= 0) {
|
|
|
|
|
BIO_printf(bio_err,
|
2016-08-07 10:04:26 +00:00
|
|
|
"%s: Error enabling DANE TLSA authentication.\n",
|
|
|
|
|
prog);
|
2015-12-29 19:25:50 +00:00
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2017-01-13 14:25:15 +00:00
|
|
|
/*
|
|
|
|
|
* In TLSv1.3 NewSessionTicket messages arrive after the handshake and can
|
2021-02-20 22:39:30 +00:00
|
|
|
* come at any time. Therefore, we use a callback to write out the session
|
2017-01-13 14:25:15 +00:00
|
|
|
* when we know about it. This approach works for < TLSv1.3 as well.
|
|
|
|
|
*/
|
2018-06-25 15:46:57 +00:00
|
|
|
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_CLIENT
|
|
|
|
|
| SSL_SESS_CACHE_NO_INTERNAL_STORE);
|
|
|
|
|
SSL_CTX_sess_set_new_cb(ctx, new_session_cb);
|
2017-01-13 14:25:15 +00:00
|
|
|
|
2017-02-01 18:14:27 +00:00
|
|
|
if (set_keylog_file(ctx, keylog_file))
|
|
|
|
|
goto end;
|
|
|
|
|
|
2000-02-03 02:56:48 +00:00
|
|
|
con = SSL_new(ctx);
|
2017-10-19 14:41:03 +00:00
|
|
|
if (con == NULL)
|
|
|
|
|
goto end;
|
|
|
|
|
|
2018-08-13 14:23:27 +00:00
|
|
|
if (enable_pha)
|
|
|
|
|
SSL_set_post_handshake_auth(con, 1);
|
Add TLSv1.3 post-handshake authentication (PHA)
Add SSL_verify_client_post_handshake() for servers to initiate PHA
Add SSL_force_post_handshake_auth() for clients that don't have certificates
initially configured, but use a certificate callback.
Update SSL_CTX_set_verify()/SSL_set_verify() mode:
* Add SSL_VERIFY_POST_HANDSHAKE to postpone client authentication until after
the initial handshake.
* Update SSL_VERIFY_CLIENT_ONCE now only sends out one CertRequest regardless
of when the certificate authentication takes place; either initial handshake,
re-negotiation, or post-handshake authentication.
Add 'RequestPostHandshake' and 'RequirePostHandshake' SSL_CONF options that
add the SSL_VERIFY_POST_HANDSHAKE to the 'Request' and 'Require' options
Add support to s_client:
* Enabled automatically when cert is configured
* Can be forced enabled via -force_pha
Add support to s_server:
* Use 'c' to invoke PHA in s_server
* Remove some dead code
Update documentation
Update unit tests:
* Illegal use of PHA extension
* TLSv1.3 certificate tests
DTLS and TLS behave ever-so-slightly differently. So, when DTLS1.3 is
implemented, it's PHA support state machine may need to be different.
Add a TODO and a #error
Update handshake context to deal with PHA.
The handshake context for TLSv1.3 post-handshake auth is up through the
ClientFinish message, plus the CertificateRequest message. Subsequent
Certificate, CertificateVerify, and Finish messages are based on this
handshake context (not the Certificate message per se, but it's included
after the hash). KeyUpdate, NewSessionTicket, and prior Certificate
Request messages are not included in post-handshake authentication.
After the ClientFinished message is processed, save off the digest state
for future post-handshake authentication. When post-handshake auth occurs,
copy over the saved handshake context into the "main" handshake digest.
This effectively discards the any KeyUpdate or NewSessionTicket messages
and any prior post-handshake authentication.
This, of course, assumes that the ID-22 did not mean to include any
previous post-handshake authentication into the new handshake transcript.
This is implied by section 4.4.1 that lists messages only up to the
first ClientFinished.
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4964)
2017-12-18 21:52:28 +00:00
|
|
|
|
2021-01-27 19:23:33 +00:00
|
|
|
if (enable_client_rpk)
|
|
|
|
|
if (!SSL_set1_client_cert_type(con, cert_type_rpk, sizeof(cert_type_rpk))) {
|
|
|
|
|
BIO_printf(bio_err, "Error setting client certificate types\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
if (enable_server_rpk) {
|
|
|
|
|
if (!SSL_set1_server_cert_type(con, cert_type_rpk, sizeof(cert_type_rpk))) {
|
|
|
|
|
BIO_printf(bio_err, "Error setting server certificate types\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2017-06-12 17:24:02 +00:00
|
|
|
if (sess_in != NULL) {
|
2007-08-11 23:18:29 +00:00
|
|
|
SSL_SESSION *sess;
|
|
|
|
|
BIO *stmp = BIO_new_file(sess_in, "r");
|
2017-06-12 17:24:02 +00:00
|
|
|
if (stmp == NULL) {
|
2007-08-11 23:18:29 +00:00
|
|
|
BIO_printf(bio_err, "Can't open session file %s\n", sess_in);
|
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
sess = PEM_read_bio_SSL_SESSION(stmp, NULL, 0, NULL);
|
|
|
|
|
BIO_free(stmp);
|
2017-06-12 17:24:02 +00:00
|
|
|
if (sess == NULL) {
|
2007-08-11 23:18:29 +00:00
|
|
|
BIO_printf(bio_err, "Can't open session file %s\n", sess_in);
|
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
2015-04-16 05:50:03 +00:00
|
|
|
if (!SSL_set_session(con, sess)) {
|
2015-03-06 14:39:46 +00:00
|
|
|
BIO_printf(bio_err, "Can't set session\n");
|
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
2017-11-14 13:43:42 +00:00
|
|
|
|
2007-08-11 23:18:29 +00:00
|
|
|
SSL_SESSION_free(sess);
|
|
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2014-10-15 02:03:28 +00:00
|
|
|
if (fallback_scsv)
|
|
|
|
|
SSL_set_mode(con, SSL_MODE_SEND_FALLBACK_SCSV);
|
|
|
|
|
|
2017-02-13 13:26:37 +00:00
|
|
|
if (!noservername && (servername != NULL || dane_tlsa_domain == NULL)) {
|
2019-02-06 21:09:15 +00:00
|
|
|
if (servername == NULL) {
|
2021-10-26 07:16:18 +00:00
|
|
|
if (host == NULL || is_dNS_name(host))
|
2019-02-06 21:09:15 +00:00
|
|
|
servername = (host == NULL) ? "localhost" : host;
|
|
|
|
|
}
|
|
|
|
|
if (servername != NULL && !SSL_set_tlsext_host_name(con, servername)) {
|
2006-01-02 23:14:37 +00:00
|
|
|
BIO_printf(bio_err, "Unable to set TLS servername extension.\n");
|
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
|
goto end;
|
2006-01-02 23:29:12 +00:00
|
|
|
}
|
2006-01-02 23:14:37 +00:00
|
|
|
}
|
1998-12-21 10:52:47 +00:00
|
|
|
|
2015-12-29 19:25:50 +00:00
|
|
|
if (dane_tlsa_domain != NULL) {
|
|
|
|
|
if (SSL_dane_enable(con, dane_tlsa_domain) <= 0) {
|
|
|
|
|
BIO_printf(bio_err, "%s: Error enabling DANE TLSA "
|
|
|
|
|
"authentication.\n", prog);
|
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
if (dane_tlsa_rrset == NULL) {
|
|
|
|
|
BIO_printf(bio_err, "%s: DANE TLSA authentication requires at "
|
2016-08-18 20:57:55 +00:00
|
|
|
"least one -dane_tlsa_rrdata option.\n", prog);
|
2015-12-29 19:25:50 +00:00
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
if (tlsa_import_rrset(con, dane_tlsa_rrset) <= 0) {
|
|
|
|
|
BIO_printf(bio_err, "%s: Failed to import any TLSA "
|
|
|
|
|
"records.\n", prog);
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
2016-08-19 15:59:47 +00:00
|
|
|
if (dane_ee_no_name)
|
|
|
|
|
SSL_dane_set_flags(con, DANE_FLAG_NO_DANE_EE_NAMECHECKS);
|
2015-12-29 19:25:50 +00:00
|
|
|
} else if (dane_tlsa_rrset != NULL) {
|
2016-03-18 18:02:17 +00:00
|
|
|
BIO_printf(bio_err, "%s: DANE TLSA authentication requires the "
|
|
|
|
|
"-dane_tlsa_domain option.\n", prog);
|
|
|
|
|
goto end;
|
2015-12-29 19:25:50 +00:00
|
|
|
}
|
2021-09-08 20:23:04 +00:00
|
|
|
#ifndef OPENSSL_NO_DTLS
|
|
|
|
|
if (isdtls && tfo) {
|
|
|
|
|
BIO_printf(bio_err, "%s: DTLS does not support the -tfo option\n", prog);
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
#endif
|
2023-03-09 17:06:33 +00:00
|
|
|
#ifndef OPENSSL_NO_QUIC
|
|
|
|
|
if (isquic && tfo) {
|
|
|
|
|
BIO_printf(bio_err, "%s: QUIC does not support the -tfo option\n", prog);
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
2023-03-24 12:02:37 +00:00
|
|
|
if (isquic && alpn_in == NULL) {
|
|
|
|
|
BIO_printf(bio_err, "%s: QUIC requires ALPN to be specified (e.g. \"h3\" for HTTP/3) via the -alpn option\n", prog);
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
2023-03-09 17:06:33 +00:00
|
|
|
#endif
|
2015-12-29 19:25:50 +00:00
|
|
|
|
2021-09-08 20:23:04 +00:00
|
|
|
if (tfo)
|
|
|
|
|
BIO_printf(bio_c_out, "Connecting via TFO\n");
|
1998-12-21 10:52:47 +00:00
|
|
|
re_start:
|
2019-10-30 22:39:35 +00:00
|
|
|
if (init_client(&sock, host, port, bindhost, bindport, socket_family,
|
2023-03-09 17:06:33 +00:00
|
|
|
socket_type, protocol, tfo, !isquic, &peer_addr) == 0) {
|
1998-12-21 10:56:39 +00:00
|
|
|
BIO_printf(bio_err, "connect:errno=%d\n", get_last_socket_error());
|
2019-10-30 22:39:35 +00:00
|
|
|
BIO_closesocket(sock);
|
1998-12-21 10:52:47 +00:00
|
|
|
goto end;
|
|
|
|
|
}
|
2019-10-30 22:39:35 +00:00
|
|
|
BIO_printf(bio_c_out, "CONNECTED(%08X)\n", sock);
|
1998-12-21 10:52:47 +00:00
|
|
|
|
2023-03-09 17:06:33 +00:00
|
|
|
/*
|
|
|
|
|
* QUIC always uses a non-blocking socket - and we have to switch on
|
|
|
|
|
* non-blocking mode at the SSL level
|
|
|
|
|
*/
|
|
|
|
|
if (c_nbio || isquic) {
|
2019-10-30 22:39:35 +00:00
|
|
|
if (!BIO_socket_nbio(sock, 1)) {
|
1998-12-21 10:56:39 +00:00
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
|
goto end;
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
2023-03-09 17:06:33 +00:00
|
|
|
if (c_nbio) {
|
|
|
|
|
if (isquic && !SSL_set_blocking_mode(con, 0))
|
|
|
|
|
goto end;
|
|
|
|
|
BIO_printf(bio_c_out, "Turned on non blocking io\n");
|
|
|
|
|
}
|
1998-12-21 10:56:39 +00:00
|
|
|
}
|
2016-03-18 14:17:03 +00:00
|
|
|
#ifndef OPENSSL_NO_DTLS
|
2017-04-20 08:57:12 +00:00
|
|
|
if (isdtls) {
|
2016-07-19 11:52:26 +00:00
|
|
|
union BIO_sock_info_u peer_info;
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2017-04-20 08:57:12 +00:00
|
|
|
#ifndef OPENSSL_NO_SCTP
|
|
|
|
|
if (protocol == IPPROTO_SCTP)
|
2019-10-30 22:39:35 +00:00
|
|
|
sbio = BIO_new_dgram_sctp(sock, BIO_NOCLOSE);
|
2017-04-20 08:57:12 +00:00
|
|
|
else
|
|
|
|
|
#endif
|
2019-10-30 22:39:35 +00:00
|
|
|
sbio = BIO_new_dgram(sock, BIO_NOCLOSE);
|
2017-04-20 08:57:12 +00:00
|
|
|
|
2022-01-05 07:54:10 +00:00
|
|
|
if (sbio == NULL || (peer_info.addr = BIO_ADDR_new()) == NULL) {
|
2016-07-19 11:52:26 +00:00
|
|
|
BIO_printf(bio_err, "memory allocation failure\n");
|
2022-01-05 07:54:10 +00:00
|
|
|
BIO_free(sbio);
|
2019-10-30 22:39:35 +00:00
|
|
|
BIO_closesocket(sock);
|
2016-07-19 13:20:00 +00:00
|
|
|
goto end;
|
2016-07-19 11:52:26 +00:00
|
|
|
}
|
2019-10-30 22:39:35 +00:00
|
|
|
if (!BIO_sock_info(sock, BIO_SOCK_INFO_ADDRESS, &peer_info)) {
|
2005-04-26 16:02:40 +00:00
|
|
|
BIO_printf(bio_err, "getsockname:errno=%d\n",
|
|
|
|
|
get_last_socket_error());
|
2022-01-05 07:54:10 +00:00
|
|
|
BIO_free(sbio);
|
2016-07-19 11:52:26 +00:00
|
|
|
BIO_ADDR_free(peer_info.addr);
|
2019-10-30 22:39:35 +00:00
|
|
|
BIO_closesocket(sock);
|
2005-04-26 16:02:40 +00:00
|
|
|
goto end;
|
|
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2016-07-19 11:52:26 +00:00
|
|
|
(void)BIO_ctrl_set_connected(sbio, peer_info.addr);
|
|
|
|
|
BIO_ADDR_free(peer_info.addr);
|
|
|
|
|
peer_info.addr = NULL;
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2006-01-02 23:29:12 +00:00
|
|
|
if (enable_timeouts) {
|
2005-04-26 16:02:40 +00:00
|
|
|
timeout.tv_sec = 0;
|
|
|
|
|
timeout.tv_usec = DGRAM_RCV_TIMEOUT;
|
|
|
|
|
BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2005-04-26 16:02:40 +00:00
|
|
|
timeout.tv_sec = 0;
|
|
|
|
|
timeout.tv_usec = DGRAM_SND_TIMEOUT;
|
|
|
|
|
BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
|
|
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2014-12-01 23:57:44 +00:00
|
|
|
if (socket_mtu) {
|
|
|
|
|
if (socket_mtu < DTLS_get_link_min_mtu(con)) {
|
|
|
|
|
BIO_printf(bio_err, "MTU too small. Must be at least %ld\n",
|
|
|
|
|
DTLS_get_link_min_mtu(con));
|
|
|
|
|
BIO_free(sbio);
|
|
|
|
|
goto shut;
|
|
|
|
|
}
|
2005-04-26 16:02:40 +00:00
|
|
|
SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
|
2014-12-01 23:57:44 +00:00
|
|
|
if (!DTLS_set_link_mtu(con, socket_mtu)) {
|
|
|
|
|
BIO_printf(bio_err, "Failed to set MTU\n");
|
|
|
|
|
BIO_free(sbio);
|
|
|
|
|
goto shut;
|
2005-04-26 16:02:40 +00:00
|
|
|
}
|
2017-06-12 17:24:02 +00:00
|
|
|
} else {
|
2005-04-26 16:02:40 +00:00
|
|
|
/* want to do MTU discovery */
|
|
|
|
|
BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL);
|
2017-06-12 17:24:02 +00:00
|
|
|
}
|
2005-04-26 16:02:40 +00:00
|
|
|
} else
|
2016-03-18 14:17:03 +00:00
|
|
|
#endif /* OPENSSL_NO_DTLS */
|
2023-03-09 17:06:33 +00:00
|
|
|
#ifndef OPENSSL_NO_QUIC
|
|
|
|
|
if (isquic) {
|
|
|
|
|
sbio = BIO_new_dgram(sock, BIO_NOCLOSE);
|
2023-08-23 07:19:01 +00:00
|
|
|
if (!SSL_set1_initial_peer_addr(con, peer_addr)) {
|
2023-05-09 07:06:40 +00:00
|
|
|
BIO_printf(bio_err, "Failed to set the initial peer address\n");
|
2023-03-09 17:06:33 +00:00
|
|
|
goto shut;
|
|
|
|
|
}
|
|
|
|
|
} else
|
|
|
|
|
#endif
|
2019-10-30 22:39:35 +00:00
|
|
|
sbio = BIO_new_socket(sock, BIO_NOCLOSE);
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2022-01-05 07:54:10 +00:00
|
|
|
if (sbio == NULL) {
|
|
|
|
|
BIO_printf(bio_err, "Unable to create BIO\n");
|
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
|
BIO_closesocket(sock);
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
2021-09-08 20:23:04 +00:00
|
|
|
/* Now that we're using a BIO... */
|
2023-03-09 17:06:33 +00:00
|
|
|
if (tfo) {
|
|
|
|
|
(void)BIO_set_conn_address(sbio, peer_addr);
|
2021-09-08 20:23:04 +00:00
|
|
|
(void)BIO_set_tfo(sbio, 1);
|
2023-03-09 17:06:33 +00:00
|
|
|
}
|
2021-09-08 20:23:04 +00:00
|
|
|
|
1998-12-21 10:52:47 +00:00
|
|
|
if (nbio_test) {
|
|
|
|
|
BIO *test;
|
2015-01-22 03:40:55 +00:00
|
|
|
|
1998-12-21 10:52:47 +00:00
|
|
|
test = BIO_new(BIO_f_nbio_test());
|
2022-01-05 07:54:10 +00:00
|
|
|
if (test == NULL) {
|
|
|
|
|
BIO_printf(bio_err, "Unable to create BIO\n");
|
|
|
|
|
BIO_free(sbio);
|
|
|
|
|
goto shut;
|
|
|
|
|
}
|
1998-12-21 10:52:47 +00:00
|
|
|
sbio = BIO_push(test, sbio);
|
|
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
|
1998-12-21 10:52:47 +00:00
|
|
|
if (c_debug) {
|
2021-05-24 16:15:57 +00:00
|
|
|
BIO_set_callback_ex(sbio, bio_dump_callback);
|
2006-11-29 20:54:57 +00:00
|
|
|
BIO_set_callback_arg(sbio, (char *)bio_c_out);
|
1998-12-21 10:52:47 +00:00
|
|
|
}
|
2001-10-20 17:56:36 +00:00
|
|
|
if (c_msg) {
|
2012-06-15 12:46:09 +00:00
|
|
|
#ifndef OPENSSL_NO_SSL_TRACE
|
|
|
|
|
if (c_msg == 2)
|
|
|
|
|
SSL_set_msg_callback(con, SSL_trace);
|
|
|
|
|
else
|
|
|
|
|
#endif
|
|
|
|
|
SSL_set_msg_callback(con, msg_cb);
|
|
|
|
|
SSL_set_msg_callback_arg(con, bio_c_msg ? bio_c_msg : bio_c_out);
|
2001-10-20 17:56:36 +00:00
|
|
|
}
|
2015-05-15 09:49:56 +00:00
|
|
|
|
2007-08-11 23:18:29 +00:00
|
|
|
if (c_tlsextdebug) {
|
|
|
|
|
SSL_set_tlsext_debug_callback(con, tlsext_cb);
|
|
|
|
|
SSL_set_tlsext_debug_arg(con, bio_c_out);
|
|
|
|
|
}
|
2016-03-21 16:54:53 +00:00
|
|
|
#ifndef OPENSSL_NO_OCSP
|
2007-09-26 21:56:59 +00:00
|
|
|
if (c_status_req) {
|
|
|
|
|
SSL_set_tlsext_status_type(con, TLSEXT_STATUSTYPE_ocsp);
|
|
|
|
|
SSL_CTX_set_tlsext_status_cb(ctx, ocsp_resp_cb);
|
|
|
|
|
SSL_CTX_set_tlsext_status_arg(ctx, bio_c_out);
|
|
|
|
|
}
|
2016-03-21 16:54:53 +00:00
|
|
|
#endif
|
2015-01-22 03:40:55 +00:00
|
|
|
|
1998-12-21 10:52:47 +00:00
|
|
|
SSL_set_bio(con, sbio, sbio);
|
|
|
|
|
SSL_set_connect_state(con);
|
2015-01-22 03:40:55 +00:00
|
|
|
|
1998-12-21 10:52:47 +00:00
|
|
|
/* ok, lets connect */
|
2016-09-15 09:20:18 +00:00
|
|
|
if (fileno_stdin() > SSL_get_fd(con))
|
|
|
|
|
width = fileno_stdin() + 1;
|
2016-08-03 19:16:43 +00:00
|
|
|
else
|
|
|
|
|
width = SSL_get_fd(con) + 1;
|
2016-09-15 09:20:18 +00:00
|
|
|
|
1998-12-21 10:52:47 +00:00
|
|
|
read_tty = 1;
|
|
|
|
|
write_tty = 0;
|
|
|
|
|
tty_on = 0;
|
|
|
|
|
read_ssl = 1;
|
|
|
|
|
write_ssl = 1;
|
2023-03-09 17:06:33 +00:00
|
|
|
first_loop = 1;
|
2015-01-22 03:40:55 +00:00
|
|
|
|
1998-12-21 10:52:47 +00:00
|
|
|
cbuf_len = 0;
|
|
|
|
|
cbuf_off = 0;
|
|
|
|
|
sbuf_len = 0;
|
|
|
|
|
sbuf_off = 0;
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2023-06-01 17:55:54 +00:00
|
|
|
#ifndef OPENSSL_NO_HTTP
|
2022-03-18 21:02:50 +00:00
|
|
|
if (proxystr != NULL) {
|
|
|
|
|
/* Here we must use the connect string target host & port */
|
|
|
|
|
if (!OSSL_HTTP_proxy_connect(sbio, thost, tport, proxyuser, proxypass,
|
|
|
|
|
0 /* no timeout */, bio_err, prog))
|
|
|
|
|
goto shut;
|
|
|
|
|
}
|
2023-06-01 17:55:54 +00:00
|
|
|
#endif
|
2022-03-18 21:02:50 +00:00
|
|
|
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
switch ((PROTOCOL_CHOICE) starttls_proto) {
|
|
|
|
|
case PROTO_OFF:
|
|
|
|
|
break;
|
2016-11-17 16:16:50 +00:00
|
|
|
case PROTO_LMTP:
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
case PROTO_SMTP:
|
|
|
|
|
{
|
|
|
|
|
/*
|
|
|
|
|
* This is an ugly hack that does a lot of assumptions. We do
|
|
|
|
|
* have to handle multi-line responses which may come in a single
|
|
|
|
|
* packet or not. We therefore have to use BIO_gets() which does
|
|
|
|
|
* need a buffering BIO. So during the initial chitchat we do
|
|
|
|
|
* push a buffering BIO into the chain that is removed again
|
|
|
|
|
* later on to not disturb the rest of the s_client operation.
|
|
|
|
|
*/
|
|
|
|
|
int foundit = 0;
|
|
|
|
|
BIO *fbio = BIO_new(BIO_f_buffer());
|
2017-02-09 21:20:59 +00:00
|
|
|
|
2022-01-05 07:54:10 +00:00
|
|
|
if (fbio == NULL) {
|
|
|
|
|
BIO_printf(bio_err, "Unable to create BIO\n");
|
|
|
|
|
goto shut;
|
|
|
|
|
}
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
BIO_push(fbio, sbio);
|
2016-11-17 16:16:50 +00:00
|
|
|
/* Wait for multi-line response to end from LMTP or SMTP */
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
do {
|
|
|
|
|
mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ);
|
2017-02-09 21:20:59 +00:00
|
|
|
} while (mbuf_len > 3 && mbuf[3] == '-');
|
2017-10-16 19:32:24 +00:00
|
|
|
if (protohost == NULL)
|
|
|
|
|
protohost = "mail.example.com";
|
2016-11-17 23:01:28 +00:00
|
|
|
if (starttls_proto == (int)PROTO_LMTP)
|
2017-10-16 19:32:24 +00:00
|
|
|
BIO_printf(fbio, "LHLO %s\r\n", protohost);
|
2016-11-17 23:01:28 +00:00
|
|
|
else
|
2017-10-16 19:32:24 +00:00
|
|
|
BIO_printf(fbio, "EHLO %s\r\n", protohost);
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
(void)BIO_flush(fbio);
|
2016-11-17 16:16:50 +00:00
|
|
|
/*
|
|
|
|
|
* Wait for multi-line response to end LHLO LMTP or EHLO SMTP
|
|
|
|
|
* response.
|
|
|
|
|
*/
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
do {
|
|
|
|
|
mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ);
|
|
|
|
|
if (strstr(mbuf, "STARTTLS"))
|
|
|
|
|
foundit = 1;
|
2017-02-09 21:20:59 +00:00
|
|
|
} while (mbuf_len > 3 && mbuf[3] == '-');
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
(void)BIO_flush(fbio);
|
|
|
|
|
BIO_pop(fbio);
|
|
|
|
|
BIO_free(fbio);
|
|
|
|
|
if (!foundit)
|
|
|
|
|
BIO_printf(bio_err,
|
2017-02-09 21:20:59 +00:00
|
|
|
"Didn't find STARTTLS in server response,"
|
2015-11-23 03:35:15 +00:00
|
|
|
" trying anyway...\n");
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
BIO_printf(sbio, "STARTTLS\r\n");
|
|
|
|
|
BIO_read(sbio, sbuf, BUFSIZZ);
|
2007-02-16 18:12:16 +00:00
|
|
|
}
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case PROTO_POP3:
|
|
|
|
|
{
|
|
|
|
|
BIO_read(sbio, mbuf, BUFSIZZ);
|
|
|
|
|
BIO_printf(sbio, "STLS\r\n");
|
|
|
|
|
mbuf_len = BIO_read(sbio, sbuf, BUFSIZZ);
|
|
|
|
|
if (mbuf_len < 0) {
|
|
|
|
|
BIO_printf(bio_err, "BIO_read failed\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
2007-02-21 18:20:41 +00:00
|
|
|
}
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case PROTO_IMAP:
|
|
|
|
|
{
|
|
|
|
|
int foundit = 0;
|
|
|
|
|
BIO *fbio = BIO_new(BIO_f_buffer());
|
2017-02-09 21:20:59 +00:00
|
|
|
|
2022-01-05 07:54:10 +00:00
|
|
|
if (fbio == NULL) {
|
|
|
|
|
BIO_printf(bio_err, "Unable to create BIO\n");
|
|
|
|
|
goto shut;
|
|
|
|
|
}
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
BIO_push(fbio, sbio);
|
|
|
|
|
BIO_gets(fbio, mbuf, BUFSIZZ);
|
|
|
|
|
/* STARTTLS command requires CAPABILITY... */
|
|
|
|
|
BIO_printf(fbio, ". CAPABILITY\r\n");
|
|
|
|
|
(void)BIO_flush(fbio);
|
|
|
|
|
/* wait for multi-line CAPABILITY response */
|
|
|
|
|
do {
|
|
|
|
|
mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ);
|
|
|
|
|
if (strstr(mbuf, "STARTTLS"))
|
|
|
|
|
foundit = 1;
|
|
|
|
|
}
|
|
|
|
|
while (mbuf_len > 3 && mbuf[0] != '.');
|
|
|
|
|
(void)BIO_flush(fbio);
|
|
|
|
|
BIO_pop(fbio);
|
|
|
|
|
BIO_free(fbio);
|
|
|
|
|
if (!foundit)
|
|
|
|
|
BIO_printf(bio_err,
|
2017-02-09 21:20:59 +00:00
|
|
|
"Didn't find STARTTLS in server response,"
|
2015-11-23 03:35:15 +00:00
|
|
|
" trying anyway...\n");
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
BIO_printf(sbio, ". STARTTLS\r\n");
|
|
|
|
|
BIO_read(sbio, sbuf, BUFSIZZ);
|
2007-02-21 18:20:41 +00:00
|
|
|
}
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case PROTO_FTP:
|
|
|
|
|
{
|
|
|
|
|
BIO *fbio = BIO_new(BIO_f_buffer());
|
2017-02-09 21:20:59 +00:00
|
|
|
|
2022-01-05 07:54:10 +00:00
|
|
|
if (fbio == NULL) {
|
|
|
|
|
BIO_printf(bio_err, "Unable to create BIO\n");
|
|
|
|
|
goto shut;
|
|
|
|
|
}
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
BIO_push(fbio, sbio);
|
|
|
|
|
/* wait for multi-line response to end from FTP */
|
|
|
|
|
do {
|
|
|
|
|
mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ);
|
|
|
|
|
}
|
2023-06-05 11:09:29 +00:00
|
|
|
while (mbuf_len > 3 && (!isdigit((unsigned char)mbuf[0]) || !isdigit((unsigned char)mbuf[1]) || !isdigit((unsigned char)mbuf[2]) || mbuf[3] != ' '));
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
(void)BIO_flush(fbio);
|
|
|
|
|
BIO_pop(fbio);
|
|
|
|
|
BIO_free(fbio);
|
|
|
|
|
BIO_printf(sbio, "AUTH TLS\r\n");
|
|
|
|
|
BIO_read(sbio, sbuf, BUFSIZZ);
|
2007-02-16 18:12:16 +00:00
|
|
|
}
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case PROTO_XMPP:
|
2015-07-29 21:41:00 +00:00
|
|
|
case PROTO_XMPP_SERVER:
|
2008-10-14 19:11:26 +00:00
|
|
|
{
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
int seen = 0;
|
|
|
|
|
BIO_printf(sbio, "<stream:stream "
|
|
|
|
|
"xmlns:stream='http://etherx.jabber.org/streams' "
|
2015-07-29 21:41:00 +00:00
|
|
|
"xmlns='jabber:%s' to='%s' version='1.0'>",
|
|
|
|
|
starttls_proto == PROTO_XMPP ? "client" : "server",
|
2017-10-16 19:32:24 +00:00
|
|
|
protohost ? protohost : host);
|
2008-10-14 19:11:26 +00:00
|
|
|
seen = BIO_read(sbio, mbuf, BUFSIZZ);
|
2017-02-09 21:20:59 +00:00
|
|
|
if (seen < 0) {
|
|
|
|
|
BIO_printf(bio_err, "BIO_read failed\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
mbuf[seen] = '\0';
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
while (!strstr
|
|
|
|
|
(mbuf, "<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'")
|
|
|
|
|
&& !strstr(mbuf,
|
|
|
|
|
"<starttls xmlns=\"urn:ietf:params:xml:ns:xmpp-tls\""))
|
|
|
|
|
{
|
|
|
|
|
seen = BIO_read(sbio, mbuf, BUFSIZZ);
|
2015-01-22 03:40:55 +00:00
|
|
|
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
if (seen <= 0)
|
|
|
|
|
goto shut;
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2017-02-09 21:20:59 +00:00
|
|
|
mbuf[seen] = '\0';
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
}
|
|
|
|
|
BIO_printf(sbio,
|
|
|
|
|
"<starttls xmlns='urn:ietf:params:xml:ns:xmpp-tls'/>");
|
|
|
|
|
seen = BIO_read(sbio, sbuf, BUFSIZZ);
|
2017-02-09 21:20:59 +00:00
|
|
|
if (seen < 0) {
|
|
|
|
|
BIO_printf(bio_err, "BIO_read failed\n");
|
|
|
|
|
goto shut;
|
|
|
|
|
}
|
|
|
|
|
sbuf[seen] = '\0';
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
if (!strstr(sbuf, "<proceed"))
|
|
|
|
|
goto shut;
|
2017-02-09 21:20:59 +00:00
|
|
|
mbuf[0] = '\0';
|
2008-10-14 19:11:26 +00:00
|
|
|
}
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
2015-04-25 20:01:21 +00:00
|
|
|
case PROTO_TELNET:
|
|
|
|
|
{
|
|
|
|
|
static const unsigned char tls_do[] = {
|
|
|
|
|
/* IAC DO START_TLS */
|
|
|
|
|
255, 253, 46
|
|
|
|
|
};
|
|
|
|
|
static const unsigned char tls_will[] = {
|
|
|
|
|
/* IAC WILL START_TLS */
|
|
|
|
|
255, 251, 46
|
|
|
|
|
};
|
|
|
|
|
static const unsigned char tls_follows[] = {
|
|
|
|
|
/* IAC SB START_TLS FOLLOWS IAC SE */
|
|
|
|
|
255, 250, 46, 1, 255, 240
|
|
|
|
|
};
|
|
|
|
|
int bytes;
|
|
|
|
|
|
|
|
|
|
/* Telnet server should demand we issue START_TLS */
|
|
|
|
|
bytes = BIO_read(sbio, mbuf, BUFSIZZ);
|
|
|
|
|
if (bytes != 3 || memcmp(mbuf, tls_do, 3) != 0)
|
|
|
|
|
goto shut;
|
|
|
|
|
/* Agree to issue START_TLS and send the FOLLOWS sub-command */
|
|
|
|
|
BIO_write(sbio, tls_will, 3);
|
|
|
|
|
BIO_write(sbio, tls_follows, 6);
|
|
|
|
|
(void)BIO_flush(sbio);
|
|
|
|
|
/* Telnet server also sent the FOLLOWS sub-command */
|
|
|
|
|
bytes = BIO_read(sbio, mbuf, BUFSIZZ);
|
|
|
|
|
if (bytes != 6 || memcmp(mbuf, tls_follows, 6) != 0)
|
|
|
|
|
goto shut;
|
|
|
|
|
}
|
2015-05-08 19:34:07 +00:00
|
|
|
break;
|
2015-05-13 20:00:21 +00:00
|
|
|
case PROTO_IRC:
|
|
|
|
|
{
|
|
|
|
|
int numeric;
|
|
|
|
|
BIO *fbio = BIO_new(BIO_f_buffer());
|
|
|
|
|
|
2022-01-05 07:54:10 +00:00
|
|
|
if (fbio == NULL) {
|
|
|
|
|
BIO_printf(bio_err, "Unable to create BIO\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
2015-05-13 20:00:21 +00:00
|
|
|
BIO_push(fbio, sbio);
|
|
|
|
|
BIO_printf(fbio, "STARTTLS\r\n");
|
|
|
|
|
(void)BIO_flush(fbio);
|
|
|
|
|
width = SSL_get_fd(con) + 1;
|
|
|
|
|
|
|
|
|
|
do {
|
|
|
|
|
numeric = 0;
|
|
|
|
|
|
|
|
|
|
FD_ZERO(&readfds);
|
|
|
|
|
openssl_fdset(SSL_get_fd(con), &readfds);
|
|
|
|
|
timeout.tv_sec = S_CLIENT_IRC_READ_TIMEOUT;
|
|
|
|
|
timeout.tv_usec = 0;
|
|
|
|
|
/*
|
|
|
|
|
* If the IRCd doesn't respond within
|
|
|
|
|
* S_CLIENT_IRC_READ_TIMEOUT seconds, assume
|
|
|
|
|
* it doesn't support STARTTLS. Many IRCds
|
|
|
|
|
* will not give _any_ sort of response to a
|
|
|
|
|
* STARTTLS command when it's not supported.
|
|
|
|
|
*/
|
|
|
|
|
if (!BIO_get_buffer_num_lines(fbio)
|
|
|
|
|
&& !BIO_pending(fbio)
|
|
|
|
|
&& !BIO_pending(sbio)
|
|
|
|
|
&& select(width, (void *)&readfds, NULL, NULL,
|
|
|
|
|
&timeout) < 1) {
|
|
|
|
|
BIO_printf(bio_err,
|
|
|
|
|
"Timeout waiting for response (%d seconds).\n",
|
|
|
|
|
S_CLIENT_IRC_READ_TIMEOUT);
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ);
|
|
|
|
|
if (mbuf_len < 1 || sscanf(mbuf, "%*s %d", &numeric) != 1)
|
|
|
|
|
break;
|
|
|
|
|
/* :example.net 451 STARTTLS :You have not registered */
|
|
|
|
|
/* :example.net 421 STARTTLS :Unknown command */
|
|
|
|
|
if ((numeric == 451 || numeric == 421)
|
|
|
|
|
&& strstr(mbuf, "STARTTLS") != NULL) {
|
|
|
|
|
BIO_printf(bio_err, "STARTTLS not supported: %s", mbuf);
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
if (numeric == 691) {
|
|
|
|
|
BIO_printf(bio_err, "STARTTLS negotiation failed: ");
|
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
} while (numeric != 670);
|
|
|
|
|
|
|
|
|
|
(void)BIO_flush(fbio);
|
|
|
|
|
BIO_pop(fbio);
|
|
|
|
|
BIO_free(fbio);
|
|
|
|
|
if (numeric != 670) {
|
|
|
|
|
BIO_printf(bio_err, "Server does not support STARTTLS.\n");
|
|
|
|
|
ret = 1;
|
|
|
|
|
goto shut;
|
|
|
|
|
}
|
|
|
|
|
}
|
2016-02-15 14:28:41 +00:00
|
|
|
break;
|
2017-05-13 00:50:49 +00:00
|
|
|
case PROTO_MYSQL:
|
|
|
|
|
{
|
|
|
|
|
/* SSL request packet */
|
|
|
|
|
static const unsigned char ssl_req[] = {
|
|
|
|
|
/* payload_length, sequence_id */
|
|
|
|
|
0x20, 0x00, 0x00, 0x01,
|
|
|
|
|
/* payload */
|
|
|
|
|
/* capability flags, CLIENT_SSL always set */
|
|
|
|
|
0x85, 0xae, 0x7f, 0x00,
|
|
|
|
|
/* max-packet size */
|
|
|
|
|
0x00, 0x00, 0x00, 0x01,
|
|
|
|
|
/* character set */
|
|
|
|
|
0x21,
|
|
|
|
|
/* string[23] reserved (all [0]) */
|
|
|
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
|
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00,
|
|
|
|
|
0x00, 0x00, 0x00, 0x00, 0x00, 0x00, 0x00
|
|
|
|
|
};
|
|
|
|
|
int bytes = 0;
|
|
|
|
|
int ssl_flg = 0x800;
|
|
|
|
|
int pos;
|
|
|
|
|
const unsigned char *packet = (const unsigned char *)sbuf;
|
|
|
|
|
|
|
|
|
|
/* Receiving Initial Handshake packet. */
|
|
|
|
|
bytes = BIO_read(sbio, (void *)packet, BUFSIZZ);
|
|
|
|
|
if (bytes < 0) {
|
|
|
|
|
BIO_printf(bio_err, "BIO_read failed\n");
|
|
|
|
|
goto shut;
|
|
|
|
|
/* Packet length[3], Packet number[1] + minimum payload[17] */
|
|
|
|
|
} else if (bytes < 21) {
|
|
|
|
|
BIO_printf(bio_err, "MySQL packet too short.\n");
|
|
|
|
|
goto shut;
|
|
|
|
|
} else if (bytes != (4 + packet[0] +
|
|
|
|
|
(packet[1] << 8) +
|
|
|
|
|
(packet[2] << 16))) {
|
|
|
|
|
BIO_printf(bio_err, "MySQL packet length does not match.\n");
|
|
|
|
|
goto shut;
|
|
|
|
|
/* protocol version[1] */
|
|
|
|
|
} else if (packet[4] != 0xA) {
|
|
|
|
|
BIO_printf(bio_err,
|
|
|
|
|
"Only MySQL protocol version 10 is supported.\n");
|
|
|
|
|
goto shut;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
pos = 5;
|
|
|
|
|
/* server version[string+NULL] */
|
|
|
|
|
for (;;) {
|
|
|
|
|
if (pos >= bytes) {
|
|
|
|
|
BIO_printf(bio_err, "Cannot confirm server version. ");
|
|
|
|
|
goto shut;
|
|
|
|
|
} else if (packet[pos++] == '\0') {
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2017-06-27 22:53:11 +00:00
|
|
|
/* make sure we have at least 15 bytes left in the packet */
|
2017-05-13 00:50:49 +00:00
|
|
|
if (pos + 15 > bytes) {
|
|
|
|
|
BIO_printf(bio_err,
|
|
|
|
|
"MySQL server handshake packet is broken.\n");
|
|
|
|
|
goto shut;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
pos += 12; /* skip over conn id[4] + SALT[8] */
|
|
|
|
|
if (packet[pos++] != '\0') { /* verify filler */
|
|
|
|
|
BIO_printf(bio_err,
|
|
|
|
|
"MySQL packet is broken.\n");
|
|
|
|
|
goto shut;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* capability flags[2] */
|
|
|
|
|
if (!((packet[pos] + (packet[pos + 1] << 8)) & ssl_flg)) {
|
|
|
|
|
BIO_printf(bio_err, "MySQL server does not support SSL.\n");
|
|
|
|
|
goto shut;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Sending SSL Handshake packet. */
|
|
|
|
|
BIO_write(sbio, ssl_req, sizeof(ssl_req));
|
|
|
|
|
(void)BIO_flush(sbio);
|
|
|
|
|
}
|
|
|
|
|
break;
|
2016-02-15 14:28:41 +00:00
|
|
|
case PROTO_POSTGRES:
|
|
|
|
|
{
|
|
|
|
|
static const unsigned char ssl_request[] = {
|
|
|
|
|
/* Length SSLRequest */
|
|
|
|
|
0, 0, 0, 8, 4, 210, 22, 47
|
|
|
|
|
};
|
|
|
|
|
int bytes;
|
|
|
|
|
|
|
|
|
|
/* Send SSLRequest packet */
|
|
|
|
|
BIO_write(sbio, ssl_request, 8);
|
|
|
|
|
(void)BIO_flush(sbio);
|
|
|
|
|
|
|
|
|
|
/* Reply will be a single S if SSL is enabled */
|
|
|
|
|
bytes = BIO_read(sbio, sbuf, BUFSIZZ);
|
|
|
|
|
if (bytes != 1 || sbuf[0] != 'S')
|
|
|
|
|
goto shut;
|
|
|
|
|
}
|
|
|
|
|
break;
|
2017-01-27 23:52:27 +00:00
|
|
|
case PROTO_NNTP:
|
|
|
|
|
{
|
|
|
|
|
int foundit = 0;
|
|
|
|
|
BIO *fbio = BIO_new(BIO_f_buffer());
|
|
|
|
|
|
2022-01-05 07:54:10 +00:00
|
|
|
if (fbio == NULL) {
|
|
|
|
|
BIO_printf(bio_err, "Unable to create BIO\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
2017-01-27 23:52:27 +00:00
|
|
|
BIO_push(fbio, sbio);
|
|
|
|
|
BIO_gets(fbio, mbuf, BUFSIZZ);
|
|
|
|
|
/* STARTTLS command requires CAPABILITIES... */
|
|
|
|
|
BIO_printf(fbio, "CAPABILITIES\r\n");
|
|
|
|
|
(void)BIO_flush(fbio);
|
2018-12-17 16:26:29 +00:00
|
|
|
BIO_gets(fbio, mbuf, BUFSIZZ);
|
|
|
|
|
/* no point in trying to parse the CAPABILITIES response if there is none */
|
|
|
|
|
if (strstr(mbuf, "101") != NULL) {
|
|
|
|
|
/* wait for multi-line CAPABILITIES response */
|
|
|
|
|
do {
|
|
|
|
|
mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ);
|
|
|
|
|
if (strstr(mbuf, "STARTTLS"))
|
|
|
|
|
foundit = 1;
|
|
|
|
|
} while (mbuf_len > 1 && mbuf[0] != '.');
|
|
|
|
|
}
|
2017-01-27 23:52:27 +00:00
|
|
|
(void)BIO_flush(fbio);
|
|
|
|
|
BIO_pop(fbio);
|
|
|
|
|
BIO_free(fbio);
|
|
|
|
|
if (!foundit)
|
|
|
|
|
BIO_printf(bio_err,
|
|
|
|
|
"Didn't find STARTTLS in server response,"
|
|
|
|
|
" trying anyway...\n");
|
|
|
|
|
BIO_printf(sbio, "STARTTLS\r\n");
|
2017-02-14 20:47:25 +00:00
|
|
|
mbuf_len = BIO_read(sbio, mbuf, BUFSIZZ);
|
|
|
|
|
if (mbuf_len < 0) {
|
|
|
|
|
BIO_printf(bio_err, "BIO_read failed\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
mbuf[mbuf_len] = '\0';
|
|
|
|
|
if (strstr(mbuf, "382") == NULL) {
|
|
|
|
|
BIO_printf(bio_err, "STARTTLS failed: %s", mbuf);
|
|
|
|
|
goto shut;
|
|
|
|
|
}
|
2017-01-27 23:52:27 +00:00
|
|
|
}
|
|
|
|
|
break;
|
2017-02-09 21:20:59 +00:00
|
|
|
case PROTO_SIEVE:
|
|
|
|
|
{
|
|
|
|
|
int foundit = 0;
|
|
|
|
|
BIO *fbio = BIO_new(BIO_f_buffer());
|
|
|
|
|
|
2022-01-05 07:54:10 +00:00
|
|
|
if (fbio == NULL) {
|
|
|
|
|
BIO_printf(bio_err, "Unable to create BIO\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
2017-02-09 21:20:59 +00:00
|
|
|
BIO_push(fbio, sbio);
|
|
|
|
|
/* wait for multi-line response to end from Sieve */
|
|
|
|
|
do {
|
|
|
|
|
mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ);
|
|
|
|
|
/*
|
|
|
|
|
* According to RFC 5804 § 1.7, capability
|
|
|
|
|
* is case-insensitive, make it uppercase
|
|
|
|
|
*/
|
|
|
|
|
if (mbuf_len > 1 && mbuf[0] == '"') {
|
|
|
|
|
make_uppercase(mbuf);
|
2021-06-21 06:55:50 +00:00
|
|
|
if (HAS_PREFIX(mbuf, "\"STARTTLS\""))
|
2017-02-09 21:20:59 +00:00
|
|
|
foundit = 1;
|
|
|
|
|
}
|
|
|
|
|
} while (mbuf_len > 1 && mbuf[0] == '"');
|
|
|
|
|
(void)BIO_flush(fbio);
|
|
|
|
|
BIO_pop(fbio);
|
|
|
|
|
BIO_free(fbio);
|
|
|
|
|
if (!foundit)
|
|
|
|
|
BIO_printf(bio_err,
|
|
|
|
|
"Didn't find STARTTLS in server response,"
|
|
|
|
|
" trying anyway...\n");
|
|
|
|
|
BIO_printf(sbio, "STARTTLS\r\n");
|
|
|
|
|
mbuf_len = BIO_read(sbio, mbuf, BUFSIZZ);
|
|
|
|
|
if (mbuf_len < 0) {
|
|
|
|
|
BIO_printf(bio_err, "BIO_read failed\n");
|
|
|
|
|
goto end;
|
2017-02-14 20:47:25 +00:00
|
|
|
}
|
|
|
|
|
mbuf[mbuf_len] = '\0';
|
|
|
|
|
if (mbuf_len < 2) {
|
|
|
|
|
BIO_printf(bio_err, "STARTTLS failed: %s", mbuf);
|
2017-02-09 21:20:59 +00:00
|
|
|
goto shut;
|
|
|
|
|
}
|
|
|
|
|
/*
|
|
|
|
|
* According to RFC 5804 § 2.2, response codes are case-
|
|
|
|
|
* insensitive, make it uppercase but preserve the response.
|
|
|
|
|
*/
|
|
|
|
|
strncpy(sbuf, mbuf, 2);
|
|
|
|
|
make_uppercase(sbuf);
|
2021-06-21 06:55:50 +00:00
|
|
|
if (!HAS_PREFIX(sbuf, "OK")) {
|
2017-02-09 21:20:59 +00:00
|
|
|
BIO_printf(bio_err, "STARTTLS not supported: %s", mbuf);
|
|
|
|
|
goto shut;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
break;
|
2017-02-26 23:44:14 +00:00
|
|
|
case PROTO_LDAP:
|
|
|
|
|
{
|
|
|
|
|
/* StartTLS Operation according to RFC 4511 */
|
|
|
|
|
static char ldap_tls_genconf[] = "asn1=SEQUENCE:LDAPMessage\n"
|
|
|
|
|
"[LDAPMessage]\n"
|
|
|
|
|
"messageID=INTEGER:1\n"
|
|
|
|
|
"extendedReq=EXPLICIT:23A,IMPLICIT:0C,"
|
|
|
|
|
"FORMAT:ASCII,OCT:1.3.6.1.4.1.1466.20037\n";
|
|
|
|
|
long errline = -1;
|
|
|
|
|
char *genstr = NULL;
|
|
|
|
|
int result = -1;
|
|
|
|
|
ASN1_TYPE *atyp = NULL;
|
|
|
|
|
BIO *ldapbio = BIO_new(BIO_s_mem());
|
|
|
|
|
CONF *cnf = NCONF_new(NULL);
|
|
|
|
|
|
2022-01-05 07:54:10 +00:00
|
|
|
if (ldapbio == NULL || cnf == NULL) {
|
2017-02-26 23:44:14 +00:00
|
|
|
BIO_free(ldapbio);
|
2022-01-05 07:54:10 +00:00
|
|
|
NCONF_free(cnf);
|
2017-02-26 23:44:14 +00:00
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
BIO_puts(ldapbio, ldap_tls_genconf);
|
|
|
|
|
if (NCONF_load_bio(cnf, ldapbio, &errline) <= 0) {
|
|
|
|
|
BIO_free(ldapbio);
|
|
|
|
|
NCONF_free(cnf);
|
|
|
|
|
if (errline <= 0) {
|
|
|
|
|
BIO_printf(bio_err, "NCONF_load_bio failed\n");
|
|
|
|
|
goto end;
|
|
|
|
|
} else {
|
|
|
|
|
BIO_printf(bio_err, "Error on line %ld\n", errline);
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
BIO_free(ldapbio);
|
|
|
|
|
genstr = NCONF_get_string(cnf, "default", "asn1");
|
|
|
|
|
if (genstr == NULL) {
|
|
|
|
|
NCONF_free(cnf);
|
|
|
|
|
BIO_printf(bio_err, "NCONF_get_string failed\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
atyp = ASN1_generate_nconf(genstr, cnf);
|
|
|
|
|
if (atyp == NULL) {
|
|
|
|
|
NCONF_free(cnf);
|
|
|
|
|
BIO_printf(bio_err, "ASN1_generate_nconf failed\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
NCONF_free(cnf);
|
|
|
|
|
|
|
|
|
|
/* Send SSLRequest packet */
|
|
|
|
|
BIO_write(sbio, atyp->value.sequence->data,
|
|
|
|
|
atyp->value.sequence->length);
|
|
|
|
|
(void)BIO_flush(sbio);
|
|
|
|
|
ASN1_TYPE_free(atyp);
|
|
|
|
|
|
|
|
|
|
mbuf_len = BIO_read(sbio, mbuf, BUFSIZZ);
|
|
|
|
|
if (mbuf_len < 0) {
|
|
|
|
|
BIO_printf(bio_err, "BIO_read failed\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
result = ldap_ExtendedResponse_parse(mbuf, mbuf_len);
|
|
|
|
|
if (result < 0) {
|
|
|
|
|
BIO_printf(bio_err, "ldap_ExtendedResponse_parse failed\n");
|
|
|
|
|
goto shut;
|
|
|
|
|
} else if (result > 0) {
|
|
|
|
|
BIO_printf(bio_err, "STARTTLS failed, LDAP Result Code: %i\n",
|
|
|
|
|
result);
|
|
|
|
|
goto shut;
|
|
|
|
|
}
|
|
|
|
|
mbuf_len = 0;
|
|
|
|
|
}
|
|
|
|
|
break;
|
2008-10-14 19:11:26 +00:00
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2017-02-24 16:11:03 +00:00
|
|
|
if (early_data_file != NULL
|
2017-07-05 19:53:03 +00:00
|
|
|
&& ((SSL_get0_session(con) != NULL
|
|
|
|
|
&& SSL_SESSION_get_max_early_data(SSL_get0_session(con)) > 0)
|
|
|
|
|
|| (psksess != NULL
|
|
|
|
|
&& SSL_SESSION_get_max_early_data(psksess) > 0))) {
|
2017-02-20 16:00:20 +00:00
|
|
|
BIO *edfile = BIO_new_file(early_data_file, "r");
|
|
|
|
|
size_t readbytes, writtenbytes;
|
|
|
|
|
int finish = 0;
|
|
|
|
|
|
|
|
|
|
if (edfile == NULL) {
|
|
|
|
|
BIO_printf(bio_err, "Cannot open early data file\n");
|
|
|
|
|
goto shut;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
while (!finish) {
|
|
|
|
|
if (!BIO_read_ex(edfile, cbuf, BUFSIZZ, &readbytes))
|
|
|
|
|
finish = 1;
|
|
|
|
|
|
2017-03-02 15:05:36 +00:00
|
|
|
while (!SSL_write_early_data(con, cbuf, readbytes, &writtenbytes)) {
|
2017-02-20 16:00:20 +00:00
|
|
|
switch (SSL_get_error(con, 0)) {
|
|
|
|
|
case SSL_ERROR_WANT_WRITE:
|
|
|
|
|
case SSL_ERROR_WANT_ASYNC:
|
|
|
|
|
case SSL_ERROR_WANT_READ:
|
|
|
|
|
/* Just keep trying - busy waiting */
|
|
|
|
|
continue;
|
|
|
|
|
default:
|
|
|
|
|
BIO_printf(bio_err, "Error writing early data\n");
|
|
|
|
|
BIO_free(edfile);
|
2017-07-21 10:40:28 +00:00
|
|
|
ERR_print_errors(bio_err);
|
2017-02-20 16:00:20 +00:00
|
|
|
goto shut;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
BIO_free(edfile);
|
|
|
|
|
}
|
|
|
|
|
|
2023-03-16 15:08:04 +00:00
|
|
|
user_data_init(&user_data, con, cbuf, BUFSIZZ, cmdmode);
|
1998-12-21 10:52:47 +00:00
|
|
|
for (;;) {
|
|
|
|
|
FD_ZERO(&readfds);
|
|
|
|
|
FD_ZERO(&writefds);
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2023-05-18 12:10:36 +00:00
|
|
|
if ((isdtls || isquic)
|
|
|
|
|
&& SSL_get_event_timeout(con, &timeout, &is_infinite)
|
|
|
|
|
&& !is_infinite)
|
|
|
|
|
timeoutp = &timeout;
|
|
|
|
|
else
|
2009-08-12 13:19:54 +00:00
|
|
|
timeoutp = NULL;
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2017-03-30 15:06:29 +00:00
|
|
|
if (!SSL_is_init_finished(con) && SSL_total_renegotiations(con) == 0
|
2017-02-09 13:33:09 +00:00
|
|
|
&& SSL_get_key_update_type(con) == SSL_KEY_UPDATE_NONE) {
|
1998-12-21 10:52:47 +00:00
|
|
|
in_init = 1;
|
|
|
|
|
tty_on = 0;
|
|
|
|
|
} else {
|
|
|
|
|
tty_on = 1;
|
|
|
|
|
if (in_init) {
|
|
|
|
|
in_init = 0;
|
2012-09-12 23:14:28 +00:00
|
|
|
if (c_brief) {
|
|
|
|
|
BIO_puts(bio_err, "CONNECTION ESTABLISHED\n");
|
2015-04-29 15:27:08 +00:00
|
|
|
print_ssl_summary(con);
|
2012-09-12 23:14:28 +00:00
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2016-03-10 19:49:34 +00:00
|
|
|
print_stuff(bio_c_out, con, full_log);
|
1998-12-21 10:52:47 +00:00
|
|
|
if (full_log > 0)
|
|
|
|
|
full_log--;
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2003-05-28 20:24:57 +00:00
|
|
|
if (starttls_proto) {
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
BIO_write(bio_err, mbuf, mbuf_len);
|
2001-11-14 13:57:52 +00:00
|
|
|
/* We don't need to know any more */
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
if (!reconnect)
|
|
|
|
|
starttls_proto = PROTO_OFF;
|
2001-11-14 13:57:52 +00:00
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
|
1998-12-21 10:52:47 +00:00
|
|
|
if (reconnect) {
|
|
|
|
|
reconnect--;
|
|
|
|
|
BIO_printf(bio_c_out,
|
|
|
|
|
"drop connection and then reconnect\n");
|
2016-01-25 15:00:10 +00:00
|
|
|
do_ssl_shutdown(con);
|
1998-12-21 10:52:47 +00:00
|
|
|
SSL_set_connect_state(con);
|
2016-03-02 21:12:46 +00:00
|
|
|
BIO_closesocket(SSL_get_fd(con));
|
1998-12-21 10:52:47 +00:00
|
|
|
goto re_start;
|
|
|
|
|
}
|
|
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
|
|
|
|
|
2023-03-16 15:08:04 +00:00
|
|
|
if (!write_ssl) {
|
|
|
|
|
do {
|
|
|
|
|
switch (user_data_process(&user_data, &cbuf_len, &cbuf_off)) {
|
|
|
|
|
default:
|
|
|
|
|
BIO_printf(bio_err, "ERROR\n");
|
|
|
|
|
/* fall through */
|
|
|
|
|
case USER_DATA_PROCESS_SHUT:
|
|
|
|
|
ret = 0;
|
|
|
|
|
goto shut;
|
|
|
|
|
|
|
|
|
|
case USER_DATA_PROCESS_RESTART:
|
|
|
|
|
goto re_start;
|
|
|
|
|
|
|
|
|
|
case USER_DATA_PROCESS_NO_DATA:
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case USER_DATA_PROCESS_CONTINUE:
|
|
|
|
|
write_ssl = 1;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
} while (!write_ssl
|
|
|
|
|
&& cbuf_len == 0
|
|
|
|
|
&& user_data_has_data(&user_data));
|
2023-10-23 17:11:06 +00:00
|
|
|
if (cbuf_len > 0) {
|
2023-03-16 15:08:04 +00:00
|
|
|
read_tty = 0;
|
2023-10-23 17:11:06 +00:00
|
|
|
timeout.tv_sec = 0;
|
|
|
|
|
timeout.tv_usec = 0;
|
|
|
|
|
} else {
|
2023-03-16 15:08:04 +00:00
|
|
|
read_tty = 1;
|
2023-10-23 17:11:06 +00:00
|
|
|
}
|
2023-03-16 15:08:04 +00:00
|
|
|
}
|
|
|
|
|
|
2016-02-12 13:33:45 +00:00
|
|
|
ssl_pending = read_ssl && SSL_has_pending(con);
|
2015-01-22 03:40:55 +00:00
|
|
|
|
1999-04-09 20:54:25 +00:00
|
|
|
if (!ssl_pending) {
|
2016-03-17 16:53:11 +00:00
|
|
|
#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS)
|
1999-04-09 20:54:25 +00:00
|
|
|
if (tty_on) {
|
2016-06-10 18:46:07 +00:00
|
|
|
/*
|
|
|
|
|
* Note that select() returns when read _would not block_,
|
|
|
|
|
* and EOF satisfies that. To avoid a CPU-hogging loop,
|
|
|
|
|
* set the flag so we exit.
|
|
|
|
|
*/
|
|
|
|
|
if (read_tty && !at_eof)
|
2016-09-15 09:20:18 +00:00
|
|
|
openssl_fdset(fileno_stdin(), &readfds);
|
|
|
|
|
#if !defined(OPENSSL_SYS_VMS)
|
2006-04-17 12:22:13 +00:00
|
|
|
if (write_tty)
|
2016-09-15 09:20:18 +00:00
|
|
|
openssl_fdset(fileno_stdout(), &writefds);
|
2016-08-03 19:16:43 +00:00
|
|
|
#endif
|
1999-04-09 20:54:25 +00:00
|
|
|
}
|
2023-03-09 17:06:33 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Note that for QUIC we never actually check FD_ISSET() for the
|
|
|
|
|
* underlying network fds. We just rely on select waking up when
|
2023-05-18 12:10:36 +00:00
|
|
|
* they become readable/writeable and then SSL_handle_events() doing
|
|
|
|
|
* the right thing.
|
2023-03-09 17:06:33 +00:00
|
|
|
*/
|
|
|
|
|
if ((!isquic && read_ssl)
|
|
|
|
|
|| (isquic && SSL_net_read_desired(con)))
|
2006-04-17 12:22:13 +00:00
|
|
|
openssl_fdset(SSL_get_fd(con), &readfds);
|
2023-03-09 17:06:33 +00:00
|
|
|
if ((!isquic && write_ssl)
|
|
|
|
|
|| (isquic && (first_loop || SSL_net_write_desired(con))))
|
2006-04-17 12:22:13 +00:00
|
|
|
openssl_fdset(SSL_get_fd(con), &writefds);
|
1999-09-20 22:09:17 +00:00
|
|
|
#else
|
|
|
|
|
if (!tty_on || !write_tty) {
|
2023-03-09 17:06:33 +00:00
|
|
|
if ((!isquic && read_ssl)
|
|
|
|
|
|| (isquic && SSL_net_read_desired(con)))
|
2006-04-17 12:22:13 +00:00
|
|
|
openssl_fdset(SSL_get_fd(con), &readfds);
|
2023-03-09 17:06:33 +00:00
|
|
|
if ((!isquic && write_ssl)
|
|
|
|
|
|| (isquic && (first_loop || SSL_net_write_desired(con))))
|
2006-04-17 12:22:13 +00:00
|
|
|
openssl_fdset(SSL_get_fd(con), &writefds);
|
1999-09-20 22:09:17 +00:00
|
|
|
}
|
|
|
|
|
#endif
|
2015-01-22 03:40:55 +00:00
|
|
|
|
1999-05-13 13:21:17 +00:00
|
|
|
/*
|
|
|
|
|
* Note: under VMS with SOCKETSHR the second parameter is
|
1999-05-13 11:37:32 +00:00
|
|
|
* currently of type (int *) whereas under other systems it is
|
|
|
|
|
* (void *) if you don't have a cast it will choke the compiler:
|
|
|
|
|
* if you do have a cast then you can either go for (int *) or
|
|
|
|
|
* (void *).
|
|
|
|
|
*/
|
2003-09-27 21:56:08 +00:00
|
|
|
#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
|
|
|
|
|
/*
|
|
|
|
|
* Under Windows/DOS we make the assumption that we can always
|
2021-02-20 22:39:30 +00:00
|
|
|
* write to the tty: therefore, if we need to write to the tty we
|
1999-09-20 22:09:17 +00:00
|
|
|
* just fall through. Otherwise we timeout the select every
|
|
|
|
|
* second and see if there are any keypresses. Note: this is a
|
|
|
|
|
* hack, in a proper Windows application we wouldn't do this.
|
|
|
|
|
*/
|
2000-02-20 20:59:21 +00:00
|
|
|
i = 0;
|
1999-09-20 22:09:17 +00:00
|
|
|
if (!write_tty) {
|
|
|
|
|
if (read_tty) {
|
|
|
|
|
tv.tv_sec = 1;
|
|
|
|
|
tv.tv_usec = 0;
|
|
|
|
|
i = select(width, (void *)&readfds, (void *)&writefds,
|
|
|
|
|
NULL, &tv);
|
2016-05-20 10:53:26 +00:00
|
|
|
if (!i && (!has_stdin_waiting() || !read_tty))
|
2002-11-15 22:37:18 +00:00
|
|
|
continue;
|
1999-09-20 22:09:17 +00:00
|
|
|
} else
|
|
|
|
|
i = select(width, (void *)&readfds, (void *)&writefds,
|
2009-08-12 13:19:54 +00:00
|
|
|
NULL, timeoutp);
|
1999-09-20 22:09:17 +00:00
|
|
|
}
|
|
|
|
|
#else
|
1999-05-13 11:37:32 +00:00
|
|
|
i = select(width, (void *)&readfds, (void *)&writefds,
|
2009-08-12 13:19:54 +00:00
|
|
|
NULL, timeoutp);
|
1999-09-20 22:09:17 +00:00
|
|
|
#endif
|
1999-04-09 20:54:25 +00:00
|
|
|
if (i < 0) {
|
|
|
|
|
BIO_printf(bio_err, "bad select %d\n",
|
1998-12-21 10:56:39 +00:00
|
|
|
get_last_socket_error());
|
1999-04-09 20:54:25 +00:00
|
|
|
goto shut;
|
|
|
|
|
}
|
1998-12-21 10:52:47 +00:00
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2023-03-09 17:06:33 +00:00
|
|
|
if (timeoutp != NULL) {
|
2023-05-18 12:10:36 +00:00
|
|
|
SSL_handle_events(con);
|
2023-03-09 17:06:33 +00:00
|
|
|
if (isdtls
|
|
|
|
|
&& !FD_ISSET(SSL_get_fd(con), &readfds)
|
|
|
|
|
&& !FD_ISSET(SSL_get_fd(con), &writefds))
|
|
|
|
|
BIO_printf(bio_err, "TIMEOUT occurred\n");
|
|
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2023-03-09 17:06:33 +00:00
|
|
|
if (!ssl_pending
|
|
|
|
|
&& ((!isquic && FD_ISSET(SSL_get_fd(con), &writefds))
|
|
|
|
|
|| (isquic && (cbuf_len > 0 || first_loop)))) {
|
1998-12-21 10:52:47 +00:00
|
|
|
k = SSL_write(con, &(cbuf[cbuf_off]), (unsigned int)cbuf_len);
|
|
|
|
|
switch (SSL_get_error(con, k)) {
|
|
|
|
|
case SSL_ERROR_NONE:
|
|
|
|
|
cbuf_off += k;
|
|
|
|
|
cbuf_len -= k;
|
|
|
|
|
if (k <= 0)
|
|
|
|
|
goto end;
|
|
|
|
|
/* we have done a write(con,NULL,0); */
|
2023-03-16 15:08:04 +00:00
|
|
|
if (cbuf_len == 0) {
|
1998-12-21 10:52:47 +00:00
|
|
|
read_tty = 1;
|
|
|
|
|
write_ssl = 0;
|
|
|
|
|
} else { /* if (cbuf_len > 0) */
|
2015-01-22 03:40:55 +00:00
|
|
|
|
1998-12-21 10:52:47 +00:00
|
|
|
read_tty = 0;
|
|
|
|
|
write_ssl = 1;
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
case SSL_ERROR_WANT_WRITE:
|
|
|
|
|
BIO_printf(bio_c_out, "write W BLOCK\n");
|
|
|
|
|
write_ssl = 1;
|
|
|
|
|
read_tty = 0;
|
|
|
|
|
break;
|
2015-02-13 23:33:12 +00:00
|
|
|
case SSL_ERROR_WANT_ASYNC:
|
|
|
|
|
BIO_printf(bio_c_out, "write A BLOCK\n");
|
2015-10-06 13:04:11 +00:00
|
|
|
wait_for_async(con);
|
2015-02-13 23:33:12 +00:00
|
|
|
write_ssl = 1;
|
|
|
|
|
read_tty = 0;
|
|
|
|
|
break;
|
1998-12-21 10:52:47 +00:00
|
|
|
case SSL_ERROR_WANT_READ:
|
|
|
|
|
BIO_printf(bio_c_out, "write R BLOCK\n");
|
|
|
|
|
write_tty = 0;
|
|
|
|
|
read_ssl = 1;
|
|
|
|
|
write_ssl = 0;
|
|
|
|
|
break;
|
|
|
|
|
case SSL_ERROR_WANT_X509_LOOKUP:
|
|
|
|
|
BIO_printf(bio_c_out, "write X BLOCK\n");
|
|
|
|
|
break;
|
|
|
|
|
case SSL_ERROR_ZERO_RETURN:
|
|
|
|
|
if (cbuf_len != 0) {
|
|
|
|
|
BIO_printf(bio_c_out, "shutdown\n");
|
1. Changes for s_client.c to make it return non-zero exit code in case
of handshake failure
2. Changes to x509_certificate_type function (crypto/x509/x509type.c) to
make it recognize GOST certificates as EVP_PKT_SIGN|EVP_PKT_EXCH
(required for s3_srvr to accept GOST client certificates).
3. Changes to EVP
- adding of function EVP_PKEY_CTX_get0_peerkey
- Make function EVP_PKEY_derive_set_peerkey work for context with
ENCRYPT operation, because we use peerkey field in the context to
pass non-ephemeral secret key to GOST encrypt operation.
- added EVP_PKEY_CTRL_SET_IV control command. It is really
GOST-specific, but it is used in SSL code, so it has to go
in some header file, available during libssl compilation
4. Fix to HMAC to avoid call of OPENSSL_cleanse on undefined data
5. Include des.h if KSSL_DEBUG is defined into some libssl files, to
make debugging output which depends on constants defined there, work
and other KSSL_DEBUG output fixes
6. Declaration of real GOST ciphersuites, two authentication methods
SSL_aGOST94 and SSL_aGOST2001 and one key exchange method SSL_kGOST
7. Implementation of these methods.
8. Support for sending unsolicited serverhello extension if GOST
ciphersuite is selected. It is require for interoperability with
CryptoPro CSP 3.0 and 3.6 and controlled by
SSL_OP_CRYPTOPRO_TLSEXT_BUG constant.
This constant is added to SSL_OP_ALL, because it does nothing, if
non-GOST ciphersuite is selected, and all implementation of GOST
include compatibility with CryptoPro.
9. Support for CertificateVerify message without length field. It is
another CryptoPro bug, but support is made unconditional, because it
does no harm for draft-conforming implementation.
10. In tls1_mac extra copy of stream mac context is no more done.
When I've written currently commited code I haven't read
EVP_DigestSignFinal manual carefully enough and haven't noticed that
it does an internal digest ctx copying.
This implementation was tested against
1. CryptoPro CSP 3.6 client and server
2. Cryptopro CSP 3.0 server
2007-10-26 12:06:36 +00:00
|
|
|
ret = 0;
|
1998-12-21 10:52:47 +00:00
|
|
|
goto shut;
|
|
|
|
|
} else {
|
|
|
|
|
read_tty = 1;
|
|
|
|
|
write_ssl = 0;
|
|
|
|
|
break;
|
|
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
|
1998-12-21 10:52:47 +00:00
|
|
|
case SSL_ERROR_SYSCALL:
|
|
|
|
|
if ((k != 0) || (cbuf_len != 0)) {
|
2021-09-08 20:23:04 +00:00
|
|
|
int sockerr = get_last_socket_error();
|
|
|
|
|
|
|
|
|
|
if (!tfo || sockerr != EISCONN) {
|
|
|
|
|
BIO_printf(bio_err, "write:errno=%d\n", sockerr);
|
|
|
|
|
goto shut;
|
|
|
|
|
}
|
1998-12-21 10:52:47 +00:00
|
|
|
} else {
|
|
|
|
|
read_tty = 1;
|
|
|
|
|
write_ssl = 0;
|
|
|
|
|
}
|
|
|
|
|
break;
|
2016-05-03 16:55:00 +00:00
|
|
|
case SSL_ERROR_WANT_ASYNC_JOB:
|
|
|
|
|
/* This shouldn't ever happen in s_client - treat as an error */
|
1998-12-21 10:52:47 +00:00
|
|
|
case SSL_ERROR_SSL:
|
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
|
goto shut;
|
|
|
|
|
}
|
|
|
|
|
}
|
2016-09-14 18:54:30 +00:00
|
|
|
#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_VMS)
|
2006-04-11 21:34:21 +00:00
|
|
|
/* Assume Windows/DOS/BeOS can always write */
|
1999-09-20 22:09:17 +00:00
|
|
|
else if (!ssl_pending && write_tty)
|
|
|
|
|
#else
|
2016-09-15 09:20:18 +00:00
|
|
|
else if (!ssl_pending && FD_ISSET(fileno_stdout(), &writefds))
|
1999-09-20 22:09:17 +00:00
|
|
|
#endif
|
1998-12-21 10:52:47 +00:00
|
|
|
{
|
1999-06-04 21:35:58 +00:00
|
|
|
#ifdef CHARSET_EBCDIC
|
|
|
|
|
ascii2ebcdic(&(sbuf[sbuf_off]), &(sbuf[sbuf_off]), sbuf_len);
|
|
|
|
|
#endif
|
2005-11-04 09:30:55 +00:00
|
|
|
i = raw_write_stdout(&(sbuf[sbuf_off]), sbuf_len);
|
2015-01-22 03:40:55 +00:00
|
|
|
|
1998-12-21 10:52:47 +00:00
|
|
|
if (i <= 0) {
|
|
|
|
|
BIO_printf(bio_c_out, "DONE\n");
|
1. Changes for s_client.c to make it return non-zero exit code in case
of handshake failure
2. Changes to x509_certificate_type function (crypto/x509/x509type.c) to
make it recognize GOST certificates as EVP_PKT_SIGN|EVP_PKT_EXCH
(required for s3_srvr to accept GOST client certificates).
3. Changes to EVP
- adding of function EVP_PKEY_CTX_get0_peerkey
- Make function EVP_PKEY_derive_set_peerkey work for context with
ENCRYPT operation, because we use peerkey field in the context to
pass non-ephemeral secret key to GOST encrypt operation.
- added EVP_PKEY_CTRL_SET_IV control command. It is really
GOST-specific, but it is used in SSL code, so it has to go
in some header file, available during libssl compilation
4. Fix to HMAC to avoid call of OPENSSL_cleanse on undefined data
5. Include des.h if KSSL_DEBUG is defined into some libssl files, to
make debugging output which depends on constants defined there, work
and other KSSL_DEBUG output fixes
6. Declaration of real GOST ciphersuites, two authentication methods
SSL_aGOST94 and SSL_aGOST2001 and one key exchange method SSL_kGOST
7. Implementation of these methods.
8. Support for sending unsolicited serverhello extension if GOST
ciphersuite is selected. It is require for interoperability with
CryptoPro CSP 3.0 and 3.6 and controlled by
SSL_OP_CRYPTOPRO_TLSEXT_BUG constant.
This constant is added to SSL_OP_ALL, because it does nothing, if
non-GOST ciphersuite is selected, and all implementation of GOST
include compatibility with CryptoPro.
9. Support for CertificateVerify message without length field. It is
another CryptoPro bug, but support is made unconditional, because it
does no harm for draft-conforming implementation.
10. In tls1_mac extra copy of stream mac context is no more done.
When I've written currently commited code I haven't read
EVP_DigestSignFinal manual carefully enough and haven't noticed that
it does an internal digest ctx copying.
This implementation was tested against
1. CryptoPro CSP 3.6 client and server
2. Cryptopro CSP 3.0 server
2007-10-26 12:06:36 +00:00
|
|
|
ret = 0;
|
1998-12-21 10:52:47 +00:00
|
|
|
goto shut;
|
|
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2016-12-28 18:22:25 +00:00
|
|
|
sbuf_len -= i;
|
1998-12-21 10:52:47 +00:00
|
|
|
sbuf_off += i;
|
|
|
|
|
if (sbuf_len <= 0) {
|
|
|
|
|
read_ssl = 1;
|
|
|
|
|
write_tty = 0;
|
|
|
|
|
}
|
2023-03-09 17:06:33 +00:00
|
|
|
} else if (ssl_pending
|
|
|
|
|
|| (!isquic && FD_ISSET(SSL_get_fd(con), &readfds))) {
|
1998-12-21 10:56:39 +00:00
|
|
|
#ifdef RENEG
|
|
|
|
|
{
|
|
|
|
|
static int iiii;
|
|
|
|
|
if (++iiii == 52) {
|
|
|
|
|
SSL_renegotiate(con);
|
|
|
|
|
iiii = 0;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
k = SSL_read(con, sbuf, 1024 /* BUFSIZZ */ );
|
2015-01-22 03:40:55 +00:00
|
|
|
|
1998-12-21 10:52:47 +00:00
|
|
|
switch (SSL_get_error(con, k)) {
|
|
|
|
|
case SSL_ERROR_NONE:
|
|
|
|
|
if (k <= 0)
|
|
|
|
|
goto end;
|
|
|
|
|
sbuf_off = 0;
|
|
|
|
|
sbuf_len = k;
|
2015-01-22 03:40:55 +00:00
|
|
|
|
1998-12-21 10:52:47 +00:00
|
|
|
read_ssl = 0;
|
|
|
|
|
write_tty = 1;
|
|
|
|
|
break;
|
2015-02-13 23:33:12 +00:00
|
|
|
case SSL_ERROR_WANT_ASYNC:
|
|
|
|
|
BIO_printf(bio_c_out, "read A BLOCK\n");
|
2015-10-06 13:04:11 +00:00
|
|
|
wait_for_async(con);
|
2015-02-13 23:33:12 +00:00
|
|
|
write_tty = 0;
|
|
|
|
|
read_ssl = 1;
|
|
|
|
|
if ((read_tty == 0) && (write_ssl == 0))
|
|
|
|
|
write_ssl = 1;
|
|
|
|
|
break;
|
1998-12-21 10:52:47 +00:00
|
|
|
case SSL_ERROR_WANT_WRITE:
|
|
|
|
|
BIO_printf(bio_c_out, "read W BLOCK\n");
|
|
|
|
|
write_ssl = 1;
|
|
|
|
|
read_tty = 0;
|
|
|
|
|
break;
|
|
|
|
|
case SSL_ERROR_WANT_READ:
|
|
|
|
|
BIO_printf(bio_c_out, "read R BLOCK\n");
|
|
|
|
|
write_tty = 0;
|
|
|
|
|
read_ssl = 1;
|
|
|
|
|
if ((read_tty == 0) && (write_ssl == 0))
|
|
|
|
|
write_ssl = 1;
|
|
|
|
|
break;
|
|
|
|
|
case SSL_ERROR_WANT_X509_LOOKUP:
|
|
|
|
|
BIO_printf(bio_c_out, "read X BLOCK\n");
|
|
|
|
|
break;
|
|
|
|
|
case SSL_ERROR_SYSCALL:
|
1. Changes for s_client.c to make it return non-zero exit code in case
of handshake failure
2. Changes to x509_certificate_type function (crypto/x509/x509type.c) to
make it recognize GOST certificates as EVP_PKT_SIGN|EVP_PKT_EXCH
(required for s3_srvr to accept GOST client certificates).
3. Changes to EVP
- adding of function EVP_PKEY_CTX_get0_peerkey
- Make function EVP_PKEY_derive_set_peerkey work for context with
ENCRYPT operation, because we use peerkey field in the context to
pass non-ephemeral secret key to GOST encrypt operation.
- added EVP_PKEY_CTRL_SET_IV control command. It is really
GOST-specific, but it is used in SSL code, so it has to go
in some header file, available during libssl compilation
4. Fix to HMAC to avoid call of OPENSSL_cleanse on undefined data
5. Include des.h if KSSL_DEBUG is defined into some libssl files, to
make debugging output which depends on constants defined there, work
and other KSSL_DEBUG output fixes
6. Declaration of real GOST ciphersuites, two authentication methods
SSL_aGOST94 and SSL_aGOST2001 and one key exchange method SSL_kGOST
7. Implementation of these methods.
8. Support for sending unsolicited serverhello extension if GOST
ciphersuite is selected. It is require for interoperability with
CryptoPro CSP 3.0 and 3.6 and controlled by
SSL_OP_CRYPTOPRO_TLSEXT_BUG constant.
This constant is added to SSL_OP_ALL, because it does nothing, if
non-GOST ciphersuite is selected, and all implementation of GOST
include compatibility with CryptoPro.
9. Support for CertificateVerify message without length field. It is
another CryptoPro bug, but support is made unconditional, because it
does no harm for draft-conforming implementation.
10. In tls1_mac extra copy of stream mac context is no more done.
When I've written currently commited code I haven't read
EVP_DigestSignFinal manual carefully enough and haven't noticed that
it does an internal digest ctx copying.
This implementation was tested against
1. CryptoPro CSP 3.6 client and server
2. Cryptopro CSP 3.0 server
2007-10-26 12:06:36 +00:00
|
|
|
ret = get_last_socket_error();
|
2012-12-03 03:40:57 +00:00
|
|
|
if (c_brief)
|
2012-12-03 03:33:44 +00:00
|
|
|
BIO_puts(bio_err, "CONNECTION CLOSED BY SERVER\n");
|
|
|
|
|
else
|
|
|
|
|
BIO_printf(bio_err, "read:errno=%d\n", ret);
|
1998-12-21 10:52:47 +00:00
|
|
|
goto shut;
|
|
|
|
|
case SSL_ERROR_ZERO_RETURN:
|
|
|
|
|
BIO_printf(bio_c_out, "closed\n");
|
1. Changes for s_client.c to make it return non-zero exit code in case
of handshake failure
2. Changes to x509_certificate_type function (crypto/x509/x509type.c) to
make it recognize GOST certificates as EVP_PKT_SIGN|EVP_PKT_EXCH
(required for s3_srvr to accept GOST client certificates).
3. Changes to EVP
- adding of function EVP_PKEY_CTX_get0_peerkey
- Make function EVP_PKEY_derive_set_peerkey work for context with
ENCRYPT operation, because we use peerkey field in the context to
pass non-ephemeral secret key to GOST encrypt operation.
- added EVP_PKEY_CTRL_SET_IV control command. It is really
GOST-specific, but it is used in SSL code, so it has to go
in some header file, available during libssl compilation
4. Fix to HMAC to avoid call of OPENSSL_cleanse on undefined data
5. Include des.h if KSSL_DEBUG is defined into some libssl files, to
make debugging output which depends on constants defined there, work
and other KSSL_DEBUG output fixes
6. Declaration of real GOST ciphersuites, two authentication methods
SSL_aGOST94 and SSL_aGOST2001 and one key exchange method SSL_kGOST
7. Implementation of these methods.
8. Support for sending unsolicited serverhello extension if GOST
ciphersuite is selected. It is require for interoperability with
CryptoPro CSP 3.0 and 3.6 and controlled by
SSL_OP_CRYPTOPRO_TLSEXT_BUG constant.
This constant is added to SSL_OP_ALL, because it does nothing, if
non-GOST ciphersuite is selected, and all implementation of GOST
include compatibility with CryptoPro.
9. Support for CertificateVerify message without length field. It is
another CryptoPro bug, but support is made unconditional, because it
does no harm for draft-conforming implementation.
10. In tls1_mac extra copy of stream mac context is no more done.
When I've written currently commited code I haven't read
EVP_DigestSignFinal manual carefully enough and haven't noticed that
it does an internal digest ctx copying.
This implementation was tested against
1. CryptoPro CSP 3.6 client and server
2. Cryptopro CSP 3.0 server
2007-10-26 12:06:36 +00:00
|
|
|
ret = 0;
|
1998-12-21 10:52:47 +00:00
|
|
|
goto shut;
|
2016-05-03 16:55:00 +00:00
|
|
|
case SSL_ERROR_WANT_ASYNC_JOB:
|
|
|
|
|
/* This shouldn't ever happen in s_client. Treat as an error */
|
1998-12-21 10:52:47 +00:00
|
|
|
case SSL_ERROR_SSL:
|
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
|
goto shut;
|
|
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
2021-11-23 22:27:35 +00:00
|
|
|
|
|
|
|
|
/* don't wait for client input in the non-interactive mode */
|
|
|
|
|
else if (nointeractive) {
|
|
|
|
|
ret = 0;
|
|
|
|
|
goto shut;
|
|
|
|
|
}
|
|
|
|
|
|
2016-05-20 10:53:26 +00:00
|
|
|
/* OPENSSL_SYS_MSDOS includes OPENSSL_SYS_WINDOWS */
|
|
|
|
|
#if defined(OPENSSL_SYS_MSDOS)
|
|
|
|
|
else if (has_stdin_waiting())
|
1999-09-20 22:09:17 +00:00
|
|
|
#else
|
2016-09-15 09:20:18 +00:00
|
|
|
else if (FD_ISSET(fileno_stdin(), &readfds))
|
1999-09-20 22:09:17 +00:00
|
|
|
#endif
|
1998-12-21 10:52:47 +00:00
|
|
|
{
|
1999-08-07 02:51:10 +00:00
|
|
|
if (crlf) {
|
|
|
|
|
int j, lf_num;
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2005-11-04 09:30:55 +00:00
|
|
|
i = raw_read_stdin(cbuf, BUFSIZZ / 2);
|
1999-08-07 02:51:10 +00:00
|
|
|
lf_num = 0;
|
|
|
|
|
/* both loops are skipped when i <= 0 */
|
|
|
|
|
for (j = 0; j < i; j++)
|
|
|
|
|
if (cbuf[j] == '\n')
|
|
|
|
|
lf_num++;
|
|
|
|
|
for (j = i - 1; j >= 0; j--) {
|
|
|
|
|
cbuf[j + lf_num] = cbuf[j];
|
|
|
|
|
if (cbuf[j] == '\n') {
|
|
|
|
|
lf_num--;
|
|
|
|
|
i++;
|
|
|
|
|
cbuf[j + lf_num] = '\r';
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
assert(lf_num == 0);
|
2016-09-15 09:20:18 +00:00
|
|
|
} else
|
2016-09-14 18:54:30 +00:00
|
|
|
i = raw_read_stdin(cbuf, BUFSIZZ);
|
2016-08-30 01:01:16 +00:00
|
|
|
#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS)
|
2016-06-10 18:46:07 +00:00
|
|
|
if (i == 0)
|
|
|
|
|
at_eof = 1;
|
2016-08-30 01:01:16 +00:00
|
|
|
#endif
|
2016-06-10 18:46:07 +00:00
|
|
|
|
2023-03-16 15:08:04 +00:00
|
|
|
if (!c_ign_eof && i <= 0) {
|
1998-12-21 10:52:47 +00:00
|
|
|
BIO_printf(bio_err, "DONE\n");
|
1. Changes for s_client.c to make it return non-zero exit code in case
of handshake failure
2. Changes to x509_certificate_type function (crypto/x509/x509type.c) to
make it recognize GOST certificates as EVP_PKT_SIGN|EVP_PKT_EXCH
(required for s3_srvr to accept GOST client certificates).
3. Changes to EVP
- adding of function EVP_PKEY_CTX_get0_peerkey
- Make function EVP_PKEY_derive_set_peerkey work for context with
ENCRYPT operation, because we use peerkey field in the context to
pass non-ephemeral secret key to GOST encrypt operation.
- added EVP_PKEY_CTRL_SET_IV control command. It is really
GOST-specific, but it is used in SSL code, so it has to go
in some header file, available during libssl compilation
4. Fix to HMAC to avoid call of OPENSSL_cleanse on undefined data
5. Include des.h if KSSL_DEBUG is defined into some libssl files, to
make debugging output which depends on constants defined there, work
and other KSSL_DEBUG output fixes
6. Declaration of real GOST ciphersuites, two authentication methods
SSL_aGOST94 and SSL_aGOST2001 and one key exchange method SSL_kGOST
7. Implementation of these methods.
8. Support for sending unsolicited serverhello extension if GOST
ciphersuite is selected. It is require for interoperability with
CryptoPro CSP 3.0 and 3.6 and controlled by
SSL_OP_CRYPTOPRO_TLSEXT_BUG constant.
This constant is added to SSL_OP_ALL, because it does nothing, if
non-GOST ciphersuite is selected, and all implementation of GOST
include compatibility with CryptoPro.
9. Support for CertificateVerify message without length field. It is
another CryptoPro bug, but support is made unconditional, because it
does no harm for draft-conforming implementation.
10. In tls1_mac extra copy of stream mac context is no more done.
When I've written currently commited code I haven't read
EVP_DigestSignFinal manual carefully enough and haven't noticed that
it does an internal digest ctx copying.
This implementation was tested against
1. CryptoPro CSP 3.6 client and server
2. Cryptopro CSP 3.0 server
2007-10-26 12:06:36 +00:00
|
|
|
ret = 0;
|
1998-12-21 10:52:47 +00:00
|
|
|
goto shut;
|
|
|
|
|
}
|
2023-10-23 17:11:06 +00:00
|
|
|
|
2023-03-16 15:08:04 +00:00
|
|
|
if (i > 0 && !user_data_add(&user_data, i)) {
|
|
|
|
|
ret = 0;
|
|
|
|
|
goto shut;
|
1998-12-21 10:52:47 +00:00
|
|
|
}
|
1999-04-10 12:08:46 +00:00
|
|
|
read_tty = 0;
|
1998-12-21 10:52:47 +00:00
|
|
|
}
|
2023-03-09 17:06:33 +00:00
|
|
|
first_loop = 0;
|
1998-12-21 10:52:47 +00:00
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
|
1998-12-21 10:52:47 +00:00
|
|
|
shut:
|
2006-06-15 19:00:34 +00:00
|
|
|
if (in_init)
|
2016-03-10 19:49:34 +00:00
|
|
|
print_stuff(bio_c_out, con, full_log);
|
2016-01-25 15:00:10 +00:00
|
|
|
do_ssl_shutdown(con);
|
2018-01-14 16:15:32 +00:00
|
|
|
|
2018-01-13 17:41:08 +00:00
|
|
|
/*
|
|
|
|
|
* If we ended with an alert being sent, but still with data in the
|
|
|
|
|
* network buffer to be read, then calling BIO_closesocket() will
|
|
|
|
|
* result in a TCP-RST being sent. On some platforms (notably
|
|
|
|
|
* Windows) then this will result in the peer immediately abandoning
|
|
|
|
|
* the connection including any buffered alert data before it has
|
|
|
|
|
* had a chance to be read. Shutting down the sending side first,
|
|
|
|
|
* and then closing the socket sends TCP-FIN first followed by
|
|
|
|
|
* TCP-RST. This seems to allow the peer to read the alert data.
|
|
|
|
|
*/
|
|
|
|
|
shutdown(SSL_get_fd(con), 1); /* SHUT_WR */
|
2018-04-05 17:19:35 +00:00
|
|
|
/*
|
|
|
|
|
* We just said we have nothing else to say, but it doesn't mean that
|
|
|
|
|
* the other side has nothing. It's even recommended to consume incoming
|
|
|
|
|
* data. [In testing context this ensures that alerts are passed on...]
|
|
|
|
|
*/
|
|
|
|
|
timeout.tv_sec = 0;
|
|
|
|
|
timeout.tv_usec = 500000; /* some extreme round-trip */
|
|
|
|
|
do {
|
|
|
|
|
FD_ZERO(&readfds);
|
2019-10-30 22:39:35 +00:00
|
|
|
openssl_fdset(sock, &readfds);
|
|
|
|
|
} while (select(sock + 1, &readfds, NULL, NULL, &timeout) > 0
|
2018-04-05 17:19:35 +00:00
|
|
|
&& BIO_read(sbio, sbuf, BUFSIZZ) > 0);
|
|
|
|
|
|
2016-03-02 21:12:46 +00:00
|
|
|
BIO_closesocket(SSL_get_fd(con));
|
1998-12-21 10:52:47 +00:00
|
|
|
end:
|
2006-03-18 14:24:02 +00:00
|
|
|
if (con != NULL) {
|
|
|
|
|
if (prexit != 0)
|
2016-03-10 19:49:34 +00:00
|
|
|
print_stuff(bio_c_out, con, 1);
|
2006-03-18 14:24:02 +00:00
|
|
|
SSL_free(con);
|
|
|
|
|
}
|
2017-07-05 09:32:33 +00:00
|
|
|
SSL_SESSION_free(psksess);
|
2015-05-15 09:49:56 +00:00
|
|
|
#if !defined(OPENSSL_NO_NEXTPROTONEG)
|
2015-05-01 14:02:07 +00:00
|
|
|
OPENSSL_free(next_proto.data);
|
2012-07-03 16:37:50 +00:00
|
|
|
#endif
|
2015-04-11 14:22:36 +00:00
|
|
|
SSL_CTX_free(ctx);
|
2017-02-01 18:14:27 +00:00
|
|
|
set_keylog_file(NULL, NULL);
|
2015-04-30 21:33:59 +00:00
|
|
|
X509_free(cert);
|
2015-04-30 21:57:32 +00:00
|
|
|
sk_X509_CRL_pop_free(crls, X509_CRL_free);
|
2015-03-28 14:54:15 +00:00
|
|
|
EVP_PKEY_free(key);
|
2021-12-18 15:15:49 +00:00
|
|
|
OSSL_STACK_OF_X509_free(chain);
|
2015-05-01 14:02:07 +00:00
|
|
|
OPENSSL_free(pass);
|
2015-09-20 12:59:49 +00:00
|
|
|
#ifndef OPENSSL_NO_SRP
|
|
|
|
|
OPENSSL_free(srp_arg.srppassin);
|
|
|
|
|
#endif
|
2021-12-09 16:27:47 +00:00
|
|
|
OPENSSL_free(sname_alloc);
|
2023-03-09 17:06:33 +00:00
|
|
|
BIO_ADDR_free(peer_addr);
|
2016-10-01 14:16:59 +00:00
|
|
|
OPENSSL_free(connectstr);
|
2018-02-08 09:49:02 +00:00
|
|
|
OPENSSL_free(bindstr);
|
2021-10-07 17:14:50 +00:00
|
|
|
OPENSSL_free(bindhost);
|
|
|
|
|
OPENSSL_free(bindport);
|
2016-02-02 23:47:42 +00:00
|
|
|
OPENSSL_free(host);
|
|
|
|
|
OPENSSL_free(port);
|
2020-05-20 00:25:10 +00:00
|
|
|
OPENSSL_free(thost);
|
|
|
|
|
OPENSSL_free(tport);
|
2015-04-30 21:33:59 +00:00
|
|
|
X509_VERIFY_PARAM_free(vpm);
|
2012-07-03 14:53:27 +00:00
|
|
|
ssl_excert_free(exc);
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
sk_OPENSSL_STRING_free(ssl_args);
|
2015-12-29 19:25:50 +00:00
|
|
|
sk_OPENSSL_STRING_free(dane_tlsa_rrset);
|
2015-04-11 14:22:36 +00:00
|
|
|
SSL_CONF_CTX_free(cctx);
|
2015-04-30 21:57:32 +00:00
|
|
|
OPENSSL_clear_free(cbuf, BUFSIZZ);
|
|
|
|
|
OPENSSL_clear_free(sbuf, BUFSIZZ);
|
|
|
|
|
OPENSSL_clear_free(mbuf, BUFSIZZ);
|
2020-05-06 11:51:50 +00:00
|
|
|
clear_free(proxypass);
|
2016-09-28 21:39:18 +00:00
|
|
|
release_engine(e);
|
2015-03-25 15:31:18 +00:00
|
|
|
BIO_free(bio_c_out);
|
|
|
|
|
bio_c_out = NULL;
|
|
|
|
|
BIO_free(bio_c_msg);
|
|
|
|
|
bio_c_msg = NULL;
|
2017-10-17 14:04:09 +00:00
|
|
|
return ret;
|
1998-12-21 10:52:47 +00:00
|
|
|
}
|
|
|
|
|
|
2016-03-10 19:49:34 +00:00
|
|
|
static void print_stuff(BIO *bio, SSL *s, int full)
|
1998-12-21 10:52:47 +00:00
|
|
|
{
|
1998-12-21 10:56:39 +00:00
|
|
|
X509 *peer = NULL;
|
1999-04-12 17:23:57 +00:00
|
|
|
STACK_OF(X509) *sk;
|
2008-10-12 14:32:47 +00:00
|
|
|
const SSL_CIPHER *c;
|
s_client: Show cert algorithms & validity period
Add certificate validity period (v) and public key & signature algorithms (a) to the "Certificate Chain" output.
Eg:
Certificate chain
0 s:C = US, ST = California, L = Mountain View, O = Google LLC, CN = www.google.com
i:C = US, O = Google Trust Services, CN = GTS CA 1O1
a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
v:NotBefore: Dec 3 14:49:26 2019 GMT; NotAfter: Feb 25 14:49:26 2020 GMT
1 s:C = US, O = Google Trust Services, CN = GTS CA 1O1
i:OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Jun 15 00:00:42 2017 GMT; NotAfter: Dec 15 00:00:42 2021 GMT
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/10757)
2020-01-04 15:27:17 +00:00
|
|
|
EVP_PKEY *public_key;
|
2018-06-25 15:46:57 +00:00
|
|
|
int i, istls13 = (SSL_version(s) == TLS1_3_VERSION);
|
|
|
|
|
long verify_result;
|
2005-09-30 23:35:33 +00:00
|
|
|
#ifndef OPENSSL_NO_COMP
|
2003-11-04 00:51:32 +00:00
|
|
|
const COMP_METHOD *comp, *expansion;
|
2005-09-30 23:35:33 +00:00
|
|
|
#endif
|
2011-11-15 23:50:52 +00:00
|
|
|
unsigned char *exportedkeymat;
|
2016-03-02 13:34:05 +00:00
|
|
|
#ifndef OPENSSL_NO_CT
|
2016-03-10 19:49:34 +00:00
|
|
|
const SSL_CTX *ctx = SSL_get_SSL_CTX(s);
|
2016-03-10 23:10:02 +00:00
|
|
|
#endif
|
2015-01-22 03:40:55 +00:00
|
|
|
|
1998-12-21 10:52:47 +00:00
|
|
|
if (full) {
|
1999-05-17 20:46:43 +00:00
|
|
|
int got_a_chain = 0;
|
2015-01-22 03:40:55 +00:00
|
|
|
|
1998-12-21 10:52:47 +00:00
|
|
|
sk = SSL_get_peer_cert_chain(s);
|
|
|
|
|
if (sk != NULL) {
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
got_a_chain = 1;
|
2015-01-22 03:40:55 +00:00
|
|
|
|
1998-12-21 11:00:56 +00:00
|
|
|
BIO_printf(bio, "---\nCertificate chain\n");
|
1999-04-12 17:23:57 +00:00
|
|
|
for (i = 0; i < sk_X509_num(sk); i++) {
|
2017-04-25 16:25:42 +00:00
|
|
|
BIO_printf(bio, "%2d s:", i);
|
|
|
|
|
X509_NAME_print_ex(bio, X509_get_subject_name(sk_X509_value(sk, i)), 0, get_nameopt());
|
|
|
|
|
BIO_puts(bio, "\n");
|
|
|
|
|
BIO_printf(bio, " i:");
|
|
|
|
|
X509_NAME_print_ex(bio, X509_get_issuer_name(sk_X509_value(sk, i)), 0, get_nameopt());
|
|
|
|
|
BIO_puts(bio, "\n");
|
s_client: Show cert algorithms & validity period
Add certificate validity period (v) and public key & signature algorithms (a) to the "Certificate Chain" output.
Eg:
Certificate chain
0 s:C = US, ST = California, L = Mountain View, O = Google LLC, CN = www.google.com
i:C = US, O = Google Trust Services, CN = GTS CA 1O1
a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
v:NotBefore: Dec 3 14:49:26 2019 GMT; NotAfter: Feb 25 14:49:26 2020 GMT
1 s:C = US, O = Google Trust Services, CN = GTS CA 1O1
i:OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Jun 15 00:00:42 2017 GMT; NotAfter: Dec 15 00:00:42 2021 GMT
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/10757)
2020-01-04 15:27:17 +00:00
|
|
|
public_key = X509_get_pubkey(sk_X509_value(sk, i));
|
|
|
|
|
if (public_key != NULL) {
|
|
|
|
|
BIO_printf(bio, " a:PKEY: %s, %d (bit); sigalg: %s\n",
|
Rename all getters to use get/get0 in name
For functions that exist in 1.1.1 provide a simple aliases via #define.
Fixes #15236
Functions with OSSL_DECODER_, OSSL_ENCODER_, OSSL_STORE_LOADER_,
EVP_KEYEXCH_, EVP_KEM_, EVP_ASYM_CIPHER_, EVP_SIGNATURE_,
EVP_KEYMGMT_, EVP_RAND_, EVP_MAC_, EVP_KDF_, EVP_PKEY_,
EVP_MD_, and EVP_CIPHER_ prefixes are renamed.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15405)
2021-05-21 14:58:08 +00:00
|
|
|
OBJ_nid2sn(EVP_PKEY_get_base_id(public_key)),
|
|
|
|
|
EVP_PKEY_get_bits(public_key),
|
s_client: Show cert algorithms & validity period
Add certificate validity period (v) and public key & signature algorithms (a) to the "Certificate Chain" output.
Eg:
Certificate chain
0 s:C = US, ST = California, L = Mountain View, O = Google LLC, CN = www.google.com
i:C = US, O = Google Trust Services, CN = GTS CA 1O1
a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
v:NotBefore: Dec 3 14:49:26 2019 GMT; NotAfter: Feb 25 14:49:26 2020 GMT
1 s:C = US, O = Google Trust Services, CN = GTS CA 1O1
i:OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Jun 15 00:00:42 2017 GMT; NotAfter: Dec 15 00:00:42 2021 GMT
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/10757)
2020-01-04 15:27:17 +00:00
|
|
|
OBJ_nid2sn(X509_get_signature_nid(sk_X509_value(sk, i))));
|
|
|
|
|
EVP_PKEY_free(public_key);
|
|
|
|
|
}
|
|
|
|
|
BIO_printf(bio, " v:NotBefore: ");
|
2020-05-16 18:31:03 +00:00
|
|
|
ASN1_TIME_print(bio, X509_get0_notBefore(sk_X509_value(sk, i)));
|
s_client: Show cert algorithms & validity period
Add certificate validity period (v) and public key & signature algorithms (a) to the "Certificate Chain" output.
Eg:
Certificate chain
0 s:C = US, ST = California, L = Mountain View, O = Google LLC, CN = www.google.com
i:C = US, O = Google Trust Services, CN = GTS CA 1O1
a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
v:NotBefore: Dec 3 14:49:26 2019 GMT; NotAfter: Feb 25 14:49:26 2020 GMT
1 s:C = US, O = Google Trust Services, CN = GTS CA 1O1
i:OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Jun 15 00:00:42 2017 GMT; NotAfter: Dec 15 00:00:42 2021 GMT
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/10757)
2020-01-04 15:27:17 +00:00
|
|
|
BIO_printf(bio, "; NotAfter: ");
|
2020-05-16 18:31:03 +00:00
|
|
|
ASN1_TIME_print(bio, X509_get0_notAfter(sk_X509_value(sk, i)));
|
s_client: Show cert algorithms & validity period
Add certificate validity period (v) and public key & signature algorithms (a) to the "Certificate Chain" output.
Eg:
Certificate chain
0 s:C = US, ST = California, L = Mountain View, O = Google LLC, CN = www.google.com
i:C = US, O = Google Trust Services, CN = GTS CA 1O1
a:PKEY: id-ecPublicKey, 256 (bit); sigalg: RSA-SHA256
v:NotBefore: Dec 3 14:49:26 2019 GMT; NotAfter: Feb 25 14:49:26 2020 GMT
1 s:C = US, O = Google Trust Services, CN = GTS CA 1O1
i:OU = GlobalSign Root CA - R2, O = GlobalSign, CN = GlobalSign
a:PKEY: rsaEncryption, 2048 (bit); sigalg: RSA-SHA256
v:NotBefore: Jun 15 00:00:42 2017 GMT; NotAfter: Dec 15 00:00:42 2021 GMT
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Dmitry Belyavskiy <beldmit@gmail.com>
(Merged from https://github.com/openssl/openssl/pull/10757)
2020-01-04 15:27:17 +00:00
|
|
|
BIO_puts(bio, "\n");
|
1999-03-31 12:06:30 +00:00
|
|
|
if (c_showcerts)
|
1999-04-12 17:23:57 +00:00
|
|
|
PEM_write_bio_X509(bio, sk_X509_value(sk, i));
|
1998-12-21 10:52:47 +00:00
|
|
|
}
|
|
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
|
1998-12-21 10:52:47 +00:00
|
|
|
BIO_printf(bio, "---\n");
|
2019-04-11 14:47:13 +00:00
|
|
|
peer = SSL_get0_peer_certificate(s);
|
1998-12-21 10:52:47 +00:00
|
|
|
if (peer != NULL) {
|
|
|
|
|
BIO_printf(bio, "Server certificate\n");
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2015-01-21 11:09:58 +00:00
|
|
|
/* Redundant if we showed the whole chain */
|
|
|
|
|
if (!(c_showcerts && got_a_chain))
|
1999-03-31 12:06:30 +00:00
|
|
|
PEM_write_bio_X509(bio, peer);
|
2017-04-25 16:25:42 +00:00
|
|
|
dump_cert_text(bio, peer);
|
1998-12-21 10:52:47 +00:00
|
|
|
} else {
|
2017-03-31 16:04:28 +00:00
|
|
|
BIO_printf(bio, "no peer certificate available\n");
|
1998-12-21 10:52:47 +00:00
|
|
|
}
|
2021-01-27 19:23:33 +00:00
|
|
|
|
|
|
|
|
/* Only display RPK information if configured */
|
|
|
|
|
if (SSL_get_negotiated_client_cert_type(s) == TLSEXT_cert_type_rpk)
|
|
|
|
|
BIO_printf(bio, "Client-to-server raw public key negotiated\n");
|
|
|
|
|
if (SSL_get_negotiated_server_cert_type(s) == TLSEXT_cert_type_rpk)
|
|
|
|
|
BIO_printf(bio, "Server-to-client raw public key negotiated\n");
|
|
|
|
|
if (enable_server_rpk) {
|
|
|
|
|
EVP_PKEY *peer_rpk = SSL_get0_peer_rpk(s);
|
|
|
|
|
|
|
|
|
|
if (peer_rpk != NULL) {
|
|
|
|
|
BIO_printf(bio, "Server raw public key\n");
|
|
|
|
|
EVP_PKEY_print_public(bio, peer_rpk, 2, NULL);
|
|
|
|
|
} else {
|
|
|
|
|
BIO_printf(bio, "no peer rpk available\n");
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2017-03-31 16:04:28 +00:00
|
|
|
print_ca_names(bio, s);
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2012-07-08 14:22:45 +00:00
|
|
|
ssl_print_sigalgs(bio, s);
|
2012-09-08 13:59:51 +00:00
|
|
|
ssl_print_tmp_key(bio, s);
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2016-03-02 13:34:05 +00:00
|
|
|
#ifndef OPENSSL_NO_CT
|
2016-04-07 18:17:37 +00:00
|
|
|
/*
|
|
|
|
|
* When the SSL session is anonymous, or resumed via an abbreviated
|
|
|
|
|
* handshake, no SCTs are provided as part of the handshake. While in
|
|
|
|
|
* a resumed session SCTs may be present in the session's certificate,
|
|
|
|
|
* no callbacks are invoked to revalidate these, and in any case that
|
|
|
|
|
* set of SCTs may be incomplete. Thus it makes little sense to
|
|
|
|
|
* attempt to display SCTs from a resumed session's certificate, and of
|
|
|
|
|
* course none are associated with an anonymous peer.
|
|
|
|
|
*/
|
|
|
|
|
if (peer != NULL && !SSL_session_reused(s) && SSL_ct_is_enabled(s)) {
|
|
|
|
|
const STACK_OF(SCT) *scts = SSL_get0_peer_scts(s);
|
|
|
|
|
int sct_count = scts != NULL ? sk_SCT_num(scts) : 0;
|
|
|
|
|
|
|
|
|
|
BIO_printf(bio, "---\nSCTs present (%i)\n", sct_count);
|
|
|
|
|
if (sct_count > 0) {
|
|
|
|
|
const CTLOG_STORE *log_store = SSL_CTX_get0_ctlog_store(ctx);
|
|
|
|
|
|
|
|
|
|
BIO_printf(bio, "---\n");
|
|
|
|
|
for (i = 0; i < sct_count; ++i) {
|
|
|
|
|
SCT *sct = sk_SCT_value(scts, i);
|
|
|
|
|
|
|
|
|
|
BIO_printf(bio, "SCT validation status: %s\n",
|
|
|
|
|
SCT_validation_status_string(sct));
|
|
|
|
|
SCT_print(sct, bio, 0, log_store);
|
|
|
|
|
if (i < sct_count - 1)
|
|
|
|
|
BIO_printf(bio, "\n---\n");
|
|
|
|
|
}
|
|
|
|
|
BIO_printf(bio, "\n");
|
|
|
|
|
}
|
2016-03-04 19:07:25 +00:00
|
|
|
}
|
2016-03-02 13:34:05 +00:00
|
|
|
#endif
|
|
|
|
|
|
1998-12-21 10:52:47 +00:00
|
|
|
BIO_printf(bio,
|
2017-03-29 21:23:56 +00:00
|
|
|
"---\nSSL handshake has read %ju bytes "
|
|
|
|
|
"and written %ju bytes\n",
|
2017-08-15 13:42:38 +00:00
|
|
|
BIO_number_read(SSL_get_rbio(s)),
|
|
|
|
|
BIO_number_written(SSL_get_wbio(s)));
|
1998-12-21 10:52:47 +00:00
|
|
|
}
|
Suppress DANE TLSA reflection when verification fails
As documented both SSL_get0_dane_authority() and SSL_get0_dane_tlsa()
are expected to return a negative match depth and nothing else when
verification fails. However, this only happened when verification
failed during chain construction. Errors in verification of the
constructed chain did not have the intended effect on these functions.
This commit updates the functions to check for verify_result ==
X509_V_OK, and no longer erases any accumulated match information
when chain construction fails. Sophisticated developers can, with
care, use SSL_set_verify_result(ssl, X509_V_OK) to "peek" at TLSA
info even when verification fail. They must of course first check
and save the real error, and restore the original error as quickly
as possible. Hiding by default seems to be the safer interface.
Introduced X509_V_ERR_DANE_NO_MATCH code to signal failure to find
matching TLSA records. Previously reported via X509_V_ERR_CERT_UNTRUSTED.
This also changes the "-brief" output from s_client to include
verification results and TLSA match information.
Mentioned session resumption in code example in SSL_CTX_dane_enable(3).
Also mentioned that depths returned are relative to the verified chain
which is now available via SSL_get0_verified_chain(3).
Added a few more test-cases to danetest, that exercise the new
code.
Resolved thread safety issue in use of static buffer in
X509_verify_cert_error_string().
Fixed long-stating issue in apps/s_cb.c which always sets verify_error
to either X509_V_OK or "chain to long", code elsewhere (e.g.
s_time.c), seems to expect the actual error. [ The new chain
construction code is expected to correctly generate "chain
too long" errors, so at some point we need to drop the
work-arounds, once SSL_set_verify_depth() is also fixed to
propagate the depth to X509_STORE_CTX reliably. ]
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-08 00:07:57 +00:00
|
|
|
print_verify_detail(s, bio);
|
2016-02-08 16:18:26 +00:00
|
|
|
BIO_printf(bio, (SSL_session_reused(s) ? "---\nReused, " : "---\nNew, "));
|
1998-12-21 10:52:47 +00:00
|
|
|
c = SSL_get_current_cipher(s);
|
|
|
|
|
BIO_printf(bio, "%s, Cipher is %s\n",
|
|
|
|
|
SSL_CIPHER_get_version(c), SSL_CIPHER_get_name(c));
|
1999-02-15 21:05:21 +00:00
|
|
|
if (peer != NULL) {
|
|
|
|
|
EVP_PKEY *pktmp;
|
2016-03-18 18:02:17 +00:00
|
|
|
|
2015-12-14 13:13:32 +00:00
|
|
|
pktmp = X509_get0_pubkey(peer);
|
1998-12-21 10:56:39 +00:00
|
|
|
BIO_printf(bio, "Server public key is %d bit\n",
|
Rename all getters to use get/get0 in name
For functions that exist in 1.1.1 provide a simple aliases via #define.
Fixes #15236
Functions with OSSL_DECODER_, OSSL_ENCODER_, OSSL_STORE_LOADER_,
EVP_KEYEXCH_, EVP_KEM_, EVP_ASYM_CIPHER_, EVP_SIGNATURE_,
EVP_KEYMGMT_, EVP_RAND_, EVP_MAC_, EVP_KDF_, EVP_PKEY_,
EVP_MD_, and EVP_CIPHER_ prefixes are renamed.
Reviewed-by: Paul Dale <pauli@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/15405)
2021-05-21 14:58:08 +00:00
|
|
|
EVP_PKEY_get_bits(pktmp));
|
1999-02-15 21:05:21 +00:00
|
|
|
}
|
2021-10-28 14:13:47 +00:00
|
|
|
|
|
|
|
|
ssl_print_secure_renegotiation_notes(bio, s);
|
|
|
|
|
|
2005-09-30 23:35:33 +00:00
|
|
|
#ifndef OPENSSL_NO_COMP
|
2003-10-06 12:19:38 +00:00
|
|
|
comp = SSL_get_current_compression(s);
|
2003-11-04 00:51:32 +00:00
|
|
|
expansion = SSL_get_current_expansion(s);
|
2003-10-06 12:19:38 +00:00
|
|
|
BIO_printf(bio, "Compression: %s\n",
|
|
|
|
|
comp ? SSL_COMP_get_name(comp) : "NONE");
|
|
|
|
|
BIO_printf(bio, "Expansion: %s\n",
|
2003-11-04 00:51:32 +00:00
|
|
|
expansion ? SSL_COMP_get_name(expansion) : "NONE");
|
2005-09-30 23:35:33 +00:00
|
|
|
#endif
|
2018-11-14 21:53:57 +00:00
|
|
|
#ifndef OPENSSL_NO_KTLS
|
|
|
|
|
if (BIO_get_ktls_send(SSL_get_wbio(s)))
|
|
|
|
|
BIO_printf(bio_err, "Using Kernel TLS for sending\n");
|
2018-12-06 19:17:26 +00:00
|
|
|
if (BIO_get_ktls_recv(SSL_get_rbio(s)))
|
|
|
|
|
BIO_printf(bio_err, "Using Kernel TLS for receiving\n");
|
2018-11-14 21:53:57 +00:00
|
|
|
#endif
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2018-12-11 23:04:44 +00:00
|
|
|
if (OSSL_TRACE_ENABLED(TLS)) {
|
2011-05-09 15:44:01 +00:00
|
|
|
/* Print out local port of connection: useful for debugging */
|
|
|
|
|
int sock;
|
2016-07-19 11:52:26 +00:00
|
|
|
union BIO_sock_info_u info;
|
|
|
|
|
|
2011-05-09 15:44:01 +00:00
|
|
|
sock = SSL_get_fd(s);
|
2016-07-19 11:52:26 +00:00
|
|
|
if ((info.addr = BIO_ADDR_new()) != NULL
|
|
|
|
|
&& BIO_sock_info(sock, BIO_SOCK_INFO_ADDRESS, &info)) {
|
|
|
|
|
BIO_printf(bio_c_out, "LOCAL PORT is %u\n",
|
2016-07-26 16:48:20 +00:00
|
|
|
ntohs(BIO_ADDR_rawport(info.addr)));
|
2016-07-19 11:52:26 +00:00
|
|
|
}
|
|
|
|
|
BIO_ADDR_free(info.addr);
|
2011-05-09 15:44:01 +00:00
|
|
|
}
|
|
|
|
|
|
2015-05-15 09:49:56 +00:00
|
|
|
#if !defined(OPENSSL_NO_NEXTPROTONEG)
|
2012-06-03 22:00:21 +00:00
|
|
|
if (next_proto.status != -1) {
|
|
|
|
|
const unsigned char *proto;
|
|
|
|
|
unsigned int proto_len;
|
|
|
|
|
SSL_get0_next_proto_negotiated(s, &proto, &proto_len);
|
|
|
|
|
BIO_printf(bio, "Next protocol: (%d) ", next_proto.status);
|
|
|
|
|
BIO_write(bio, proto, proto_len);
|
|
|
|
|
BIO_write(bio, "\n", 1);
|
|
|
|
|
}
|
2015-05-15 09:49:56 +00:00
|
|
|
#endif
|
2013-04-15 22:07:47 +00:00
|
|
|
{
|
|
|
|
|
const unsigned char *proto;
|
|
|
|
|
unsigned int proto_len;
|
|
|
|
|
SSL_get0_alpn_selected(s, &proto, &proto_len);
|
|
|
|
|
if (proto_len > 0) {
|
|
|
|
|
BIO_printf(bio, "ALPN protocol: ");
|
|
|
|
|
BIO_write(bio, proto, proto_len);
|
|
|
|
|
BIO_write(bio, "\n", 1);
|
|
|
|
|
} else
|
|
|
|
|
BIO_printf(bio, "No ALPN negotiated\n");
|
|
|
|
|
}
|
2012-06-03 22:00:21 +00:00
|
|
|
|
2014-12-22 11:15:51 +00:00
|
|
|
#ifndef OPENSSL_NO_SRTP
|
2011-11-15 22:59:20 +00:00
|
|
|
{
|
|
|
|
|
SRTP_PROTECTION_PROFILE *srtp_profile =
|
|
|
|
|
SSL_get_selected_srtp_profile(s);
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2011-11-15 22:59:20 +00:00
|
|
|
if (srtp_profile)
|
|
|
|
|
BIO_printf(bio, "SRTP Extension negotiated, profile=%s\n",
|
|
|
|
|
srtp_profile->name);
|
|
|
|
|
}
|
2014-12-22 11:15:51 +00:00
|
|
|
#endif
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2018-06-25 15:46:57 +00:00
|
|
|
if (istls13) {
|
2017-02-23 11:52:43 +00:00
|
|
|
switch (SSL_get_early_data_status(s)) {
|
|
|
|
|
case SSL_EARLY_DATA_NOT_SENT:
|
|
|
|
|
BIO_printf(bio, "Early data was not sent\n");
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case SSL_EARLY_DATA_REJECTED:
|
|
|
|
|
BIO_printf(bio, "Early data was rejected\n");
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
case SSL_EARLY_DATA_ACCEPTED:
|
|
|
|
|
BIO_printf(bio, "Early data was accepted\n");
|
|
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
}
|
2018-06-25 15:46:57 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* We also print the verify results when we dump session information,
|
|
|
|
|
* but in TLSv1.3 we may not get that right away (or at all) depending
|
2021-02-20 22:39:30 +00:00
|
|
|
* on when we get a NewSessionTicket. Therefore, we print it now as well.
|
2018-06-25 15:46:57 +00:00
|
|
|
*/
|
|
|
|
|
verify_result = SSL_get_verify_result(s);
|
|
|
|
|
BIO_printf(bio, "Verify return code: %ld (%s)\n", verify_result,
|
|
|
|
|
X509_verify_cert_error_string(verify_result));
|
|
|
|
|
} else {
|
|
|
|
|
/* In TLSv1.3 we do this on arrival of a NewSessionTicket */
|
|
|
|
|
SSL_SESSION_print(bio, SSL_get_session(s));
|
2017-02-23 11:52:43 +00:00
|
|
|
}
|
|
|
|
|
|
2016-08-07 10:04:26 +00:00
|
|
|
if (SSL_get_session(s) != NULL && keymatexportlabel != NULL) {
|
2011-11-15 23:50:52 +00:00
|
|
|
BIO_printf(bio, "Keying material exporter:\n");
|
|
|
|
|
BIO_printf(bio, " Label: '%s'\n", keymatexportlabel);
|
|
|
|
|
BIO_printf(bio, " Length: %i bytes\n", keymatexportlen);
|
2015-04-30 21:48:31 +00:00
|
|
|
exportedkeymat = app_malloc(keymatexportlen, "export key");
|
2021-11-14 16:27:31 +00:00
|
|
|
if (SSL_export_keying_material(s, exportedkeymat,
|
2015-04-30 21:48:31 +00:00
|
|
|
keymatexportlen,
|
|
|
|
|
keymatexportlabel,
|
|
|
|
|
strlen(keymatexportlabel),
|
2021-11-14 16:27:31 +00:00
|
|
|
NULL, 0, 0) <= 0) {
|
2015-04-30 21:48:31 +00:00
|
|
|
BIO_printf(bio, " Error\n");
|
|
|
|
|
} else {
|
|
|
|
|
BIO_printf(bio, " Keying material: ");
|
|
|
|
|
for (i = 0; i < keymatexportlen; i++)
|
|
|
|
|
BIO_printf(bio, "%02X", exportedkeymat[i]);
|
|
|
|
|
BIO_printf(bio, "\n");
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
2015-04-30 21:48:31 +00:00
|
|
|
OPENSSL_free(exportedkeymat);
|
2012-02-11 23:20:53 +00:00
|
|
|
}
|
1998-12-21 10:52:47 +00:00
|
|
|
BIO_printf(bio, "---\n");
|
2001-10-16 14:24:46 +00:00
|
|
|
/* flush, or debugging output gets mixed with http response */
|
2007-08-12 17:44:32 +00:00
|
|
|
(void)BIO_flush(bio);
|
1998-12-21 10:52:47 +00:00
|
|
|
}
|
|
|
|
|
|
2016-03-21 16:54:53 +00:00
|
|
|
# ifndef OPENSSL_NO_OCSP
|
2007-09-26 21:56:59 +00:00
|
|
|
static int ocsp_resp_cb(SSL *s, void *arg)
|
|
|
|
|
{
|
|
|
|
|
const unsigned char *p;
|
|
|
|
|
int len;
|
|
|
|
|
OCSP_RESPONSE *rsp;
|
|
|
|
|
len = SSL_get_tlsext_status_ocsp_resp(s, &p);
|
|
|
|
|
BIO_puts(arg, "OCSP response: ");
|
2017-06-12 17:24:02 +00:00
|
|
|
if (p == NULL) {
|
2007-09-26 21:56:59 +00:00
|
|
|
BIO_puts(arg, "no response sent\n");
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
rsp = d2i_OCSP_RESPONSE(NULL, &p, len);
|
2017-06-12 17:24:02 +00:00
|
|
|
if (rsp == NULL) {
|
2007-09-26 21:56:59 +00:00
|
|
|
BIO_puts(arg, "response parse error\n");
|
|
|
|
|
BIO_dump_indent(arg, (char *)p, len, 4);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
BIO_puts(arg, "\n======================================\n");
|
|
|
|
|
OCSP_RESPONSE_print(arg, rsp, 0);
|
|
|
|
|
BIO_puts(arg, "======================================\n");
|
|
|
|
|
OCSP_RESPONSE_free(rsp);
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
2016-03-21 16:54:53 +00:00
|
|
|
# endif
|
2016-03-21 15:32:40 +00:00
|
|
|
|
2017-02-26 23:44:14 +00:00
|
|
|
static int ldap_ExtendedResponse_parse(const char *buf, long rem)
|
|
|
|
|
{
|
|
|
|
|
const unsigned char *cur, *end;
|
|
|
|
|
long len;
|
|
|
|
|
int tag, xclass, inf, ret = -1;
|
|
|
|
|
|
|
|
|
|
cur = (const unsigned char *)buf;
|
|
|
|
|
end = cur + rem;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* From RFC 4511:
|
|
|
|
|
*
|
|
|
|
|
* LDAPMessage ::= SEQUENCE {
|
|
|
|
|
* messageID MessageID,
|
|
|
|
|
* protocolOp CHOICE {
|
|
|
|
|
* ...
|
|
|
|
|
* extendedResp ExtendedResponse,
|
|
|
|
|
* ... },
|
|
|
|
|
* controls [0] Controls OPTIONAL }
|
|
|
|
|
*
|
|
|
|
|
* ExtendedResponse ::= [APPLICATION 24] SEQUENCE {
|
|
|
|
|
* COMPONENTS OF LDAPResult,
|
|
|
|
|
* responseName [10] LDAPOID OPTIONAL,
|
|
|
|
|
* responseValue [11] OCTET STRING OPTIONAL }
|
|
|
|
|
*
|
|
|
|
|
* LDAPResult ::= SEQUENCE {
|
|
|
|
|
* resultCode ENUMERATED {
|
|
|
|
|
* success (0),
|
|
|
|
|
* ...
|
|
|
|
|
* other (80),
|
|
|
|
|
* ... },
|
|
|
|
|
* matchedDN LDAPDN,
|
|
|
|
|
* diagnosticMessage LDAPString,
|
|
|
|
|
* referral [3] Referral OPTIONAL }
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
/* pull SEQUENCE */
|
|
|
|
|
inf = ASN1_get_object(&cur, &len, &tag, &xclass, rem);
|
|
|
|
|
if (inf != V_ASN1_CONSTRUCTED || tag != V_ASN1_SEQUENCE ||
|
|
|
|
|
(rem = end - cur, len > rem)) {
|
|
|
|
|
BIO_printf(bio_err, "Unexpected LDAP response\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
2017-03-02 15:56:44 +00:00
|
|
|
rem = len; /* ensure that we don't overstep the SEQUENCE */
|
|
|
|
|
|
2017-02-26 23:44:14 +00:00
|
|
|
/* pull MessageID */
|
|
|
|
|
inf = ASN1_get_object(&cur, &len, &tag, &xclass, rem);
|
|
|
|
|
if (inf != V_ASN1_UNIVERSAL || tag != V_ASN1_INTEGER ||
|
|
|
|
|
(rem = end - cur, len > rem)) {
|
|
|
|
|
BIO_printf(bio_err, "No MessageID\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
cur += len; /* shall we check for MessageId match or just skip? */
|
|
|
|
|
|
|
|
|
|
/* pull [APPLICATION 24] */
|
|
|
|
|
rem = end - cur;
|
|
|
|
|
inf = ASN1_get_object(&cur, &len, &tag, &xclass, rem);
|
|
|
|
|
if (inf != V_ASN1_CONSTRUCTED || xclass != V_ASN1_APPLICATION ||
|
|
|
|
|
tag != 24) {
|
|
|
|
|
BIO_printf(bio_err, "Not ExtendedResponse\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* pull resultCode */
|
|
|
|
|
rem = end - cur;
|
|
|
|
|
inf = ASN1_get_object(&cur, &len, &tag, &xclass, rem);
|
|
|
|
|
if (inf != V_ASN1_UNIVERSAL || tag != V_ASN1_ENUMERATED || len == 0 ||
|
|
|
|
|
(rem = end - cur, len > rem)) {
|
|
|
|
|
BIO_printf(bio_err, "Not LDAPResult\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* len should always be one, but just in case... */
|
|
|
|
|
for (ret = 0, inf = 0; inf < len; inf++) {
|
|
|
|
|
ret <<= 8;
|
|
|
|
|
ret |= cur[inf];
|
|
|
|
|
}
|
|
|
|
|
/* There is more data, but we don't care... */
|
|
|
|
|
end:
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
2019-02-06 21:09:15 +00:00
|
|
|
/*
|
2019-07-16 10:35:42 +00:00
|
|
|
* Host dNS Name verifier: used for checking that the hostname is in dNS format
|
2019-02-06 21:09:15 +00:00
|
|
|
* before setting it as SNI
|
|
|
|
|
*/
|
|
|
|
|
static int is_dNS_name(const char *host)
|
|
|
|
|
{
|
|
|
|
|
const size_t MAX_LABEL_LENGTH = 63;
|
|
|
|
|
size_t i;
|
|
|
|
|
int isdnsname = 0;
|
|
|
|
|
size_t length = strlen(host);
|
|
|
|
|
size_t label_length = 0;
|
|
|
|
|
int all_numeric = 1;
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Deviation from strict DNS name syntax, also check names with '_'
|
|
|
|
|
* Check DNS name syntax, any '-' or '.' must be internal,
|
|
|
|
|
* and on either side of each '.' we can't have a '-' or '.'.
|
|
|
|
|
*
|
|
|
|
|
* If the name has just one label, we don't consider it a DNS name.
|
|
|
|
|
*/
|
|
|
|
|
for (i = 0; i < length && label_length < MAX_LABEL_LENGTH; ++i) {
|
|
|
|
|
char c = host[i];
|
|
|
|
|
|
|
|
|
|
if ((c >= 'a' && c <= 'z')
|
|
|
|
|
|| (c >= 'A' && c <= 'Z')
|
|
|
|
|
|| c == '_') {
|
|
|
|
|
label_length += 1;
|
|
|
|
|
all_numeric = 0;
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (c >= '0' && c <= '9') {
|
|
|
|
|
label_length += 1;
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* Dot and hyphen cannot be first or last. */
|
|
|
|
|
if (i > 0 && i < length - 1) {
|
|
|
|
|
if (c == '-') {
|
|
|
|
|
label_length += 1;
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
/*
|
|
|
|
|
* Next to a dot the preceding and following characters must not be
|
|
|
|
|
* another dot or a hyphen. Otherwise, record that the name is
|
|
|
|
|
* plausible, since it has two or more labels.
|
|
|
|
|
*/
|
|
|
|
|
if (c == '.'
|
|
|
|
|
&& host[i + 1] != '.'
|
|
|
|
|
&& host[i - 1] != '-'
|
|
|
|
|
&& host[i + 1] != '-') {
|
|
|
|
|
label_length = 0;
|
|
|
|
|
isdnsname = 1;
|
|
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
isdnsname = 0;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* dNS name must not be all numeric and labels must be shorter than 64 characters. */
|
|
|
|
|
isdnsname &= !all_numeric && !(label_length == MAX_LABEL_LENGTH);
|
|
|
|
|
|
|
|
|
|
return isdnsname;
|
|
|
|
|
}
|
2023-03-16 15:08:04 +00:00
|
|
|
|
|
|
|
|
static void user_data_init(struct user_data_st *user_data, SSL *con, char *buf,
|
|
|
|
|
size_t bufmax, int mode)
|
|
|
|
|
{
|
|
|
|
|
user_data->con = con;
|
|
|
|
|
user_data->buf = buf;
|
|
|
|
|
user_data->bufmax = bufmax;
|
|
|
|
|
user_data->buflen = 0;
|
|
|
|
|
user_data->bufoff = 0;
|
|
|
|
|
user_data->mode = mode;
|
2023-03-21 16:52:32 +00:00
|
|
|
user_data->isfin = 0;
|
2023-03-16 15:08:04 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int user_data_add(struct user_data_st *user_data, size_t i)
|
|
|
|
|
{
|
2023-10-30 16:53:30 +00:00
|
|
|
if (user_data->buflen != 0 || i > user_data->bufmax)
|
2023-03-16 15:08:04 +00:00
|
|
|
return 0;
|
|
|
|
|
|
|
|
|
|
user_data->buflen = i;
|
|
|
|
|
user_data->bufoff = 0;
|
|
|
|
|
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
#define USER_COMMAND_HELP 0
|
|
|
|
|
#define USER_COMMAND_QUIT 1
|
|
|
|
|
#define USER_COMMAND_RECONNECT 2
|
|
|
|
|
#define USER_COMMAND_RENEGOTIATE 3
|
|
|
|
|
#define USER_COMMAND_KEY_UPDATE 4
|
2023-03-21 16:52:32 +00:00
|
|
|
#define USER_COMMAND_FIN 5
|
2023-03-16 15:08:04 +00:00
|
|
|
|
|
|
|
|
static int user_data_execute(struct user_data_st *user_data, int cmd, char *arg)
|
|
|
|
|
{
|
|
|
|
|
switch (cmd) {
|
|
|
|
|
case USER_COMMAND_HELP:
|
|
|
|
|
/* This only ever occurs in advanced mode, so just emit advanced help */
|
|
|
|
|
BIO_printf(bio_err, "Enter text to send to the peer followed by <enter>\n");
|
|
|
|
|
BIO_printf(bio_err, "To issue a command insert {cmd} or {cmd:arg} anywhere in the text\n");
|
|
|
|
|
BIO_printf(bio_err, "Entering {{ will send { to the peer\n");
|
|
|
|
|
BIO_printf(bio_err, "The following commands are available\n");
|
|
|
|
|
BIO_printf(bio_err, " {help}: Get this help text\n");
|
|
|
|
|
BIO_printf(bio_err, " {quit}: Close the connection to the peer\n");
|
|
|
|
|
BIO_printf(bio_err, " {reconnect}: Reconnect to the peer\n");
|
2023-03-21 16:52:32 +00:00
|
|
|
if (SSL_is_quic(user_data->con)) {
|
|
|
|
|
BIO_printf(bio_err, " {fin}: Send FIN on the stream. No further writing is possible\n");
|
|
|
|
|
} else if(SSL_version(user_data->con) == TLS1_3_VERSION) {
|
2023-03-16 15:08:04 +00:00
|
|
|
BIO_printf(bio_err, " {keyup:req|noreq}: Send a Key Update message\n");
|
|
|
|
|
BIO_printf(bio_err, " Arguments:\n");
|
|
|
|
|
BIO_printf(bio_err, " req = peer update requested (default)\n");
|
|
|
|
|
BIO_printf(bio_err, " noreq = peer update not requested\n");
|
|
|
|
|
} else {
|
|
|
|
|
BIO_printf(bio_err, " {reneg}: Attempt to renegotiate\n");
|
|
|
|
|
}
|
|
|
|
|
BIO_printf(bio_err, "\n");
|
|
|
|
|
return USER_DATA_PROCESS_NO_DATA;
|
|
|
|
|
|
|
|
|
|
case USER_COMMAND_QUIT:
|
|
|
|
|
BIO_printf(bio_err, "DONE\n");
|
|
|
|
|
return USER_DATA_PROCESS_SHUT;
|
|
|
|
|
|
|
|
|
|
case USER_COMMAND_RECONNECT:
|
|
|
|
|
BIO_printf(bio_err, "RECONNECTING\n");
|
|
|
|
|
do_ssl_shutdown(user_data->con);
|
|
|
|
|
SSL_set_connect_state(user_data->con);
|
|
|
|
|
BIO_closesocket(SSL_get_fd(user_data->con));
|
|
|
|
|
return USER_DATA_PROCESS_RESTART;
|
|
|
|
|
|
|
|
|
|
case USER_COMMAND_RENEGOTIATE:
|
|
|
|
|
BIO_printf(bio_err, "RENEGOTIATING\n");
|
|
|
|
|
if (!SSL_renegotiate(user_data->con))
|
|
|
|
|
break;
|
|
|
|
|
return USER_DATA_PROCESS_CONTINUE;
|
|
|
|
|
|
|
|
|
|
case USER_COMMAND_KEY_UPDATE: {
|
|
|
|
|
int updatetype;
|
|
|
|
|
|
|
|
|
|
if (OPENSSL_strcasecmp(arg, "req") == 0)
|
|
|
|
|
updatetype = SSL_KEY_UPDATE_REQUESTED;
|
|
|
|
|
else if (OPENSSL_strcasecmp(arg, "noreq") == 0)
|
|
|
|
|
updatetype = SSL_KEY_UPDATE_NOT_REQUESTED;
|
|
|
|
|
else
|
|
|
|
|
return USER_DATA_PROCESS_BAD_ARGUMENT;
|
|
|
|
|
BIO_printf(bio_err, "KEYUPDATE\n");
|
|
|
|
|
if (!SSL_key_update(user_data->con, updatetype))
|
|
|
|
|
break;
|
|
|
|
|
return USER_DATA_PROCESS_CONTINUE;
|
|
|
|
|
}
|
2023-03-21 16:52:32 +00:00
|
|
|
|
|
|
|
|
case USER_COMMAND_FIN:
|
|
|
|
|
if (!SSL_stream_conclude(user_data->con, 0))
|
|
|
|
|
break;
|
|
|
|
|
user_data->isfin = 1;
|
|
|
|
|
return USER_DATA_PROCESS_NO_DATA;
|
|
|
|
|
|
2023-03-16 15:08:04 +00:00
|
|
|
default:
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
BIO_printf(bio_err, "ERROR\n");
|
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
|
|
|
|
|
|
return USER_DATA_PROCESS_SHUT;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int user_data_process(struct user_data_st *user_data, size_t *len,
|
|
|
|
|
size_t *off)
|
|
|
|
|
{
|
|
|
|
|
char *buf_start = user_data->buf + user_data->bufoff;
|
|
|
|
|
size_t outlen = user_data->buflen;
|
|
|
|
|
|
|
|
|
|
if (user_data->buflen == 0) {
|
|
|
|
|
*len = 0;
|
|
|
|
|
*off = 0;
|
|
|
|
|
return USER_DATA_PROCESS_NO_DATA;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (user_data->mode == USER_DATA_MODE_BASIC) {
|
|
|
|
|
switch (buf_start[0]) {
|
|
|
|
|
case 'Q':
|
|
|
|
|
user_data->buflen = user_data->bufoff = *len = *off = 0;
|
|
|
|
|
return user_data_execute(user_data, USER_COMMAND_QUIT, NULL);
|
|
|
|
|
|
|
|
|
|
case 'C':
|
|
|
|
|
user_data->buflen = user_data->bufoff = *len = *off = 0;
|
|
|
|
|
return user_data_execute(user_data, USER_COMMAND_RECONNECT, NULL);
|
|
|
|
|
|
|
|
|
|
case 'R':
|
|
|
|
|
user_data->buflen = user_data->bufoff = *len = *off = 0;
|
|
|
|
|
return user_data_execute(user_data, USER_COMMAND_RENEGOTIATE, NULL);
|
|
|
|
|
|
|
|
|
|
case 'K':
|
|
|
|
|
case 'k':
|
|
|
|
|
user_data->buflen = user_data->bufoff = *len = *off = 0;
|
|
|
|
|
return user_data_execute(user_data, USER_COMMAND_KEY_UPDATE,
|
|
|
|
|
buf_start[0] == 'K' ? "req" : "noreq");
|
|
|
|
|
default:
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
} else if (user_data->mode == USER_DATA_MODE_ADVANCED) {
|
|
|
|
|
char *cmd_start = buf_start;
|
|
|
|
|
|
|
|
|
|
cmd_start[outlen] = '\0';
|
2023-04-20 11:34:04 +00:00
|
|
|
for (;;) {
|
2023-04-21 09:17:11 +00:00
|
|
|
cmd_start = strchr(cmd_start, '{');
|
2023-03-16 15:08:04 +00:00
|
|
|
if (cmd_start == buf_start && *(cmd_start + 1) == '{') {
|
|
|
|
|
/* The "{" is escaped, so skip it */
|
|
|
|
|
cmd_start += 2;
|
|
|
|
|
buf_start++;
|
|
|
|
|
user_data->bufoff++;
|
|
|
|
|
user_data->buflen--;
|
|
|
|
|
outlen--;
|
|
|
|
|
continue;
|
|
|
|
|
}
|
2023-04-20 11:34:04 +00:00
|
|
|
break;
|
|
|
|
|
}
|
2023-03-16 15:08:04 +00:00
|
|
|
|
|
|
|
|
if (cmd_start == buf_start) {
|
|
|
|
|
/* Command detected */
|
2023-04-21 09:17:11 +00:00
|
|
|
char *cmd_end = strchr(cmd_start, '}');
|
2023-03-16 15:08:04 +00:00
|
|
|
char *arg_start;
|
|
|
|
|
int cmd = -1, ret = USER_DATA_PROCESS_NO_DATA;
|
|
|
|
|
size_t oldoff;
|
|
|
|
|
|
|
|
|
|
if (cmd_end == NULL) {
|
|
|
|
|
/* Malformed command */
|
|
|
|
|
cmd_start[outlen - 1] = '\0';
|
|
|
|
|
BIO_printf(bio_err,
|
|
|
|
|
"ERROR PROCESSING COMMAND. REST OF LINE IGNORED: %s\n",
|
|
|
|
|
cmd_start);
|
|
|
|
|
user_data->buflen = user_data->bufoff = *len = *off = 0;
|
|
|
|
|
return USER_DATA_PROCESS_NO_DATA;
|
|
|
|
|
}
|
|
|
|
|
*cmd_end = '\0';
|
2023-04-21 09:17:11 +00:00
|
|
|
arg_start = strchr(cmd_start, ':');
|
2023-03-16 15:08:04 +00:00
|
|
|
if (arg_start != NULL) {
|
|
|
|
|
*arg_start = '\0';
|
|
|
|
|
arg_start++;
|
|
|
|
|
}
|
|
|
|
|
/* Skip over the { */
|
|
|
|
|
cmd_start++;
|
|
|
|
|
/*
|
|
|
|
|
* Now we have cmd_start pointing to a NUL terminated string for
|
|
|
|
|
* the command, and arg_start either being NULL or pointing to a
|
|
|
|
|
* NUL terminated string for the argument.
|
|
|
|
|
*/
|
|
|
|
|
if (OPENSSL_strcasecmp(cmd_start, "help") == 0) {
|
|
|
|
|
cmd = USER_COMMAND_HELP;
|
|
|
|
|
} else if (OPENSSL_strcasecmp(cmd_start, "quit") == 0) {
|
|
|
|
|
cmd = USER_COMMAND_QUIT;
|
|
|
|
|
} else if (OPENSSL_strcasecmp(cmd_start, "reconnect") == 0) {
|
|
|
|
|
cmd = USER_COMMAND_RECONNECT;
|
2023-03-21 16:52:32 +00:00
|
|
|
} else if(SSL_is_quic(user_data->con)) {
|
|
|
|
|
if (OPENSSL_strcasecmp(cmd_start, "fin") == 0)
|
|
|
|
|
cmd = USER_COMMAND_FIN;
|
|
|
|
|
} if (SSL_version(user_data->con) == TLS1_3_VERSION) {
|
2023-03-16 15:08:04 +00:00
|
|
|
if (OPENSSL_strcasecmp(cmd_start, "keyup") == 0) {
|
|
|
|
|
cmd = USER_COMMAND_KEY_UPDATE;
|
|
|
|
|
if (arg_start == NULL)
|
|
|
|
|
arg_start = "req";
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
/* (D)TLSv1.2 or below */
|
|
|
|
|
if (OPENSSL_strcasecmp(cmd_start, "reneg") == 0)
|
|
|
|
|
cmd = USER_COMMAND_RENEGOTIATE;
|
|
|
|
|
}
|
|
|
|
|
if (cmd == -1) {
|
|
|
|
|
BIO_printf(bio_err, "UNRECOGNISED COMMAND (IGNORED): %s\n",
|
|
|
|
|
cmd_start);
|
|
|
|
|
} else {
|
|
|
|
|
ret = user_data_execute(user_data, cmd, arg_start);
|
|
|
|
|
if (ret == USER_DATA_PROCESS_BAD_ARGUMENT) {
|
|
|
|
|
BIO_printf(bio_err, "BAD ARGUMENT (COMMAND IGNORED): %s\n",
|
|
|
|
|
arg_start);
|
|
|
|
|
ret = USER_DATA_PROCESS_NO_DATA;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
oldoff = user_data->bufoff;
|
|
|
|
|
user_data->bufoff = (cmd_end - user_data->buf) + 1;
|
|
|
|
|
user_data->buflen -= user_data->bufoff - oldoff;
|
|
|
|
|
if (user_data->buf + 1 == cmd_start
|
|
|
|
|
&& user_data->buflen == 1
|
|
|
|
|
&& user_data->buf[user_data->bufoff] == '\n') {
|
|
|
|
|
/*
|
|
|
|
|
* This command was the only thing on the whole line. We
|
2023-05-09 07:06:40 +00:00
|
|
|
* suppress the final `\n`
|
2023-03-16 15:08:04 +00:00
|
|
|
*/
|
|
|
|
|
user_data->bufoff = 0;
|
|
|
|
|
user_data->buflen = 0;
|
|
|
|
|
}
|
|
|
|
|
*len = *off = 0;
|
|
|
|
|
return ret;
|
|
|
|
|
} else if (cmd_start != NULL) {
|
|
|
|
|
/*
|
|
|
|
|
* There is a command on this line, but its not at the start. Output
|
|
|
|
|
* the start of the line, and we'll process the command next time
|
|
|
|
|
* we call this function
|
|
|
|
|
*/
|
|
|
|
|
outlen = cmd_start - buf_start;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2023-03-21 16:52:32 +00:00
|
|
|
if (user_data->isfin) {
|
|
|
|
|
user_data->buflen = user_data->bufoff = *len = *off = 0;
|
|
|
|
|
return USER_DATA_PROCESS_NO_DATA;
|
|
|
|
|
}
|
|
|
|
|
|
2023-03-16 15:08:04 +00:00
|
|
|
#ifdef CHARSET_EBCDIC
|
|
|
|
|
ebcdic2ascii(buf_start, buf_start, outlen);
|
|
|
|
|
#endif
|
|
|
|
|
*len = outlen;
|
|
|
|
|
*off = user_data->bufoff;
|
|
|
|
|
user_data->buflen -= outlen;
|
|
|
|
|
if (user_data->buflen == 0)
|
|
|
|
|
user_data->bufoff = 0;
|
|
|
|
|
else
|
|
|
|
|
user_data->bufoff += outlen;
|
|
|
|
|
return USER_DATA_PROCESS_CONTINUE;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int user_data_has_data(struct user_data_st *user_data)
|
|
|
|
|
{
|
|
|
|
|
return user_data->buflen > 0;
|
|
|
|
|
}
|
2016-08-07 10:04:26 +00:00
|
|
|
#endif /* OPENSSL_NO_SOCK */
|
