2016-05-17 18:18:30 +00:00
|
|
|
/*
|
2024-03-20 12:07:54 +00:00
|
|
|
* Copyright 1995-2024 The OpenSSL Project Authors. All Rights Reserved.
|
2017-06-15 14:16:46 +00:00
|
|
|
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
|
2017-06-20 14:14:36 +00:00
|
|
|
* Copyright 2005 Nokia. All rights reserved.
|
2001-10-20 17:56:36 +00:00
|
|
|
*
|
2018-12-06 12:00:26 +00:00
|
|
|
* Licensed under the Apache License 2.0 (the "License"). You may not use
|
2016-05-17 18:18:30 +00:00
|
|
|
* this file except in compliance with the License. You can obtain a copy
|
|
|
|
|
* in the file LICENSE in the source distribution or at
|
|
|
|
|
* https://www.openssl.org/source/license.html
|
2001-10-20 17:56:36 +00:00
|
|
|
*/
|
2016-05-17 18:18:30 +00:00
|
|
|
|
2006-03-10 23:06:27 +00:00
|
|
|
#include <ctype.h>
|
1999-07-28 23:25:59 +00:00
|
|
|
#include <stdio.h>
|
|
|
|
|
#include <stdlib.h>
|
|
|
|
|
#include <string.h>
|
2016-08-03 20:49:25 +00:00
|
|
|
#if defined(_WIN32)
|
|
|
|
|
/* Included before async.h to avoid some warnings */
|
|
|
|
|
# include <windows.h>
|
|
|
|
|
#endif
|
2003-11-28 13:10:58 +00:00
|
|
|
|
2001-02-20 14:07:03 +00:00
|
|
|
#include <openssl/e_os2.h>
|
2016-08-03 20:49:25 +00:00
|
|
|
#include <openssl/async.h>
|
|
|
|
|
#include <openssl/ssl.h>
|
2020-10-15 15:45:54 +00:00
|
|
|
#include <openssl/decoder.h>
|
1999-07-28 23:25:59 +00:00
|
|
|
|
2016-03-21 15:32:40 +00:00
|
|
|
#ifndef OPENSSL_NO_SOCK
|
|
|
|
|
|
1999-05-13 11:37:32 +00:00
|
|
|
/*
|
|
|
|
|
* With IPv6, it looks like Digital has mixed up the proper order of
|
|
|
|
|
* recursive header file inclusion, resulting in the compiler complaining
|
|
|
|
|
* that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which is
|
|
|
|
|
* needed to have fileno() declared correctly... So let's define u_int
|
|
|
|
|
*/
|
2001-02-20 08:13:47 +00:00
|
|
|
#if defined(OPENSSL_SYS_VMS_DECC) && !defined(__U_INT)
|
1999-05-13 11:37:32 +00:00
|
|
|
# define __U_INT
|
|
|
|
|
typedef unsigned int u_int;
|
|
|
|
|
#endif
|
|
|
|
|
|
1999-04-23 22:13:45 +00:00
|
|
|
#include <openssl/bn.h>
|
1998-12-21 10:52:47 +00:00
|
|
|
#include "apps.h"
|
2018-01-31 10:13:10 +00:00
|
|
|
#include "progs.h"
|
1999-04-23 22:13:45 +00:00
|
|
|
#include <openssl/err.h>
|
|
|
|
|
#include <openssl/pem.h>
|
|
|
|
|
#include <openssl/x509.h>
|
2001-09-12 02:39:06 +00:00
|
|
|
#include <openssl/rand.h>
|
2007-09-26 21:56:59 +00:00
|
|
|
#include <openssl/ocsp.h>
|
2005-07-16 12:37:36 +00:00
|
|
|
#ifndef OPENSSL_NO_DH
|
|
|
|
|
# include <openssl/dh.h>
|
|
|
|
|
#endif
|
2020-12-17 20:37:15 +00:00
|
|
|
#include <openssl/rsa.h>
|
1998-12-21 10:52:47 +00:00
|
|
|
#include "s_apps.h"
|
2005-04-26 16:02:40 +00:00
|
|
|
#include "timeouts.h"
|
2016-04-28 10:34:54 +00:00
|
|
|
#ifdef CHARSET_EBCDIC
|
|
|
|
|
#include <openssl/ebcdic.h>
|
|
|
|
|
#endif
|
2017-08-21 21:22:19 +00:00
|
|
|
#include "internal/sockets.h"
|
1998-12-21 10:52:47 +00:00
|
|
|
|
2010-08-26 15:15:47 +00:00
|
|
|
static int not_resumable_sess_cb(SSL *s, int is_forward_secure);
|
2017-04-20 08:56:56 +00:00
|
|
|
static int sv_body(int s, int stype, int prot, unsigned char *context);
|
|
|
|
|
static int www_body(int s, int stype, int prot, unsigned char *context);
|
|
|
|
|
static int rev_body(int s, int stype, int prot, unsigned char *context);
|
1998-12-21 10:52:47 +00:00
|
|
|
static void close_accept_socket(void);
|
|
|
|
|
static int init_ssl_connection(SSL *s);
|
|
|
|
|
static void print_stats(BIO *bp, SSL_CTX *ctx);
|
2017-08-03 14:24:03 +00:00
|
|
|
static int generate_session_id(SSL *ssl, unsigned char *id,
|
2001-02-21 18:38:48 +00:00
|
|
|
unsigned int *id_len);
|
2009-12-27 23:24:45 +00:00
|
|
|
static void init_session_cache_ctx(SSL_CTX *sctx);
|
|
|
|
|
static void free_sessions(void);
|
2017-02-27 20:55:04 +00:00
|
|
|
static void print_connection_info(SSL *con);
|
2002-08-09 08:56:08 +00:00
|
|
|
|
2016-08-07 10:04:26 +00:00
|
|
|
static const int bufsize = 16 * 1024;
|
1998-12-21 10:52:47 +00:00
|
|
|
static int accept_socket = -1;
|
|
|
|
|
|
|
|
|
|
#define TEST_CERT "server.pem"
|
2015-05-15 09:49:56 +00:00
|
|
|
#define TEST_CERT2 "server2.pem"
|
1998-12-21 10:52:47 +00:00
|
|
|
|
|
|
|
|
static int s_nbio = 0;
|
|
|
|
|
static int s_nbio_test = 0;
|
2015-09-05 12:32:58 +00:00
|
|
|
static int s_crlf = 0;
|
1998-12-21 10:52:47 +00:00
|
|
|
static SSL_CTX *ctx = NULL;
|
2006-01-02 23:14:37 +00:00
|
|
|
static SSL_CTX *ctx2 = NULL;
|
1998-12-21 10:52:47 +00:00
|
|
|
static int www = 0;
|
|
|
|
|
|
|
|
|
|
static BIO *bio_s_out = NULL;
|
2012-06-15 12:46:09 +00:00
|
|
|
static BIO *bio_s_msg = NULL;
|
1998-12-21 10:52:47 +00:00
|
|
|
static int s_debug = 0;
|
2007-08-11 23:18:29 +00:00
|
|
|
static int s_tlsextdebug = 0;
|
2001-10-20 17:56:36 +00:00
|
|
|
static int s_msg = 0;
|
1998-12-21 10:52:47 +00:00
|
|
|
static int s_quiet = 0;
|
2012-11-19 23:41:24 +00:00
|
|
|
static int s_ign_eof = 0;
|
2012-09-12 23:14:28 +00:00
|
|
|
static int s_brief = 0;
|
1998-12-21 10:52:47 +00:00
|
|
|
|
2011-11-15 23:50:52 +00:00
|
|
|
static char *keymatexportlabel = NULL;
|
|
|
|
|
static int keymatexportlen = 20;
|
|
|
|
|
|
2015-02-13 23:33:12 +00:00
|
|
|
static int async = 0;
|
|
|
|
|
|
2020-03-13 03:24:05 +00:00
|
|
|
static int use_sendfile = 0;
|
2022-11-09 09:26:11 +00:00
|
|
|
static int use_zc_sendfile = 0;
|
2020-03-13 03:24:05 +00:00
|
|
|
|
2001-02-21 18:38:48 +00:00
|
|
|
static const char *session_id_prefix = NULL;
|
1999-09-03 23:08:45 +00:00
|
|
|
|
2021-01-27 19:23:33 +00:00
|
|
|
static const unsigned char cert_type_rpk[] = { TLSEXT_cert_type_rpk, TLSEXT_cert_type_x509 };
|
|
|
|
|
static int enable_client_rpk = 0;
|
|
|
|
|
|
2015-12-16 13:25:07 +00:00
|
|
|
#ifndef OPENSSL_NO_DTLS
|
2005-04-26 16:02:40 +00:00
|
|
|
static int enable_timeouts = 0;
|
2006-01-02 23:29:12 +00:00
|
|
|
static long socket_mtu;
|
2016-12-05 23:42:01 +00:00
|
|
|
#endif
|
2005-04-26 16:02:40 +00:00
|
|
|
|
2017-03-17 10:21:25 +00:00
|
|
|
/*
|
|
|
|
|
* We define this but make it always be 0 in no-dtls builds to simplify the
|
|
|
|
|
* code.
|
|
|
|
|
*/
|
|
|
|
|
static int dtlslisten = 0;
|
2017-12-29 17:37:04 +00:00
|
|
|
static int stateless = 0;
|
2017-03-17 10:21:25 +00:00
|
|
|
|
2017-03-06 09:51:54 +00:00
|
|
|
static int early_data = 0;
|
2017-06-12 17:26:09 +00:00
|
|
|
static SSL_SESSION *psksess = NULL;
|
2017-03-06 09:51:54 +00:00
|
|
|
|
2017-06-02 01:01:27 +00:00
|
|
|
static char *psk_identity = "Client_identity";
|
2008-11-16 12:47:12 +00:00
|
|
|
char *psk_key = NULL; /* by default PSK is not used */
|
2006-03-10 23:06:27 +00:00
|
|
|
|
2019-05-08 23:16:19 +00:00
|
|
|
static char http_server_binmode = 0; /* for now: 0/1 = default/binary */
|
|
|
|
|
|
2017-06-13 13:28:45 +00:00
|
|
|
#ifndef OPENSSL_NO_PSK
|
2006-03-10 23:06:27 +00:00
|
|
|
static unsigned int psk_server_cb(SSL *ssl, const char *identity,
|
|
|
|
|
unsigned char *psk,
|
|
|
|
|
unsigned int max_psk_len)
|
|
|
|
|
{
|
2016-06-08 18:01:42 +00:00
|
|
|
long key_len = 0;
|
|
|
|
|
unsigned char *key;
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2006-03-10 23:06:27 +00:00
|
|
|
if (s_debug)
|
|
|
|
|
BIO_printf(bio_s_out, "psk_server_cb\n");
|
2021-07-06 15:24:07 +00:00
|
|
|
|
2021-10-14 16:31:36 +00:00
|
|
|
if (!SSL_is_dtls(ssl) && SSL_version(ssl) >= TLS1_3_VERSION) {
|
2021-07-06 15:24:07 +00:00
|
|
|
/*
|
2021-10-14 16:31:36 +00:00
|
|
|
* This callback is designed for use in (D)TLSv1.2 (or below). It is
|
|
|
|
|
* possible to use a single callback for all protocol versions - but it
|
|
|
|
|
* is preferred to use a dedicated callback for TLSv1.3. For TLSv1.3 we
|
|
|
|
|
* have psk_find_session_cb.
|
2021-07-06 15:24:07 +00:00
|
|
|
*/
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2017-06-12 17:24:02 +00:00
|
|
|
if (identity == NULL) {
|
2006-03-10 23:06:27 +00:00
|
|
|
BIO_printf(bio_err, "Error: client did not send PSK identity\n");
|
|
|
|
|
goto out_err;
|
|
|
|
|
}
|
|
|
|
|
if (s_debug)
|
|
|
|
|
BIO_printf(bio_s_out, "identity_len=%d identity=%s\n",
|
2015-03-12 14:09:00 +00:00
|
|
|
(int)strlen(identity), identity);
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2006-03-10 23:06:27 +00:00
|
|
|
/* here we could lookup the given identity e.g. from a database */
|
|
|
|
|
if (strcmp(identity, psk_identity) != 0) {
|
2017-06-02 01:01:27 +00:00
|
|
|
BIO_printf(bio_s_out, "PSK warning: client identity not what we expected"
|
2008-11-16 12:47:12 +00:00
|
|
|
" (got '%s' expected '%s')\n", identity, psk_identity);
|
2017-06-02 01:01:27 +00:00
|
|
|
} else {
|
|
|
|
|
if (s_debug)
|
2006-03-10 23:06:27 +00:00
|
|
|
BIO_printf(bio_s_out, "PSK client identity found\n");
|
2017-06-02 01:01:27 +00:00
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2006-03-10 23:06:27 +00:00
|
|
|
/* convert the PSK key to binary */
|
2016-06-08 18:01:42 +00:00
|
|
|
key = OPENSSL_hexstr2buf(psk_key, &key_len);
|
|
|
|
|
if (key == NULL) {
|
|
|
|
|
BIO_printf(bio_err, "Could not convert PSK key '%s' to buffer\n",
|
2006-03-10 23:06:27 +00:00
|
|
|
psk_key);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
2016-06-08 18:01:42 +00:00
|
|
|
if (key_len > (int)max_psk_len) {
|
2006-03-10 23:06:27 +00:00
|
|
|
BIO_printf(bio_err,
|
2016-06-08 18:01:42 +00:00
|
|
|
"psk buffer of callback is too small (%d) for key (%ld)\n",
|
|
|
|
|
max_psk_len, key_len);
|
|
|
|
|
OPENSSL_free(key);
|
2006-03-10 23:06:27 +00:00
|
|
|
return 0;
|
|
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2016-06-08 18:01:42 +00:00
|
|
|
memcpy(psk, key, key_len);
|
|
|
|
|
OPENSSL_free(key);
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2006-03-10 23:06:27 +00:00
|
|
|
if (s_debug)
|
2016-06-08 18:01:42 +00:00
|
|
|
BIO_printf(bio_s_out, "fetched PSK len=%ld\n", key_len);
|
|
|
|
|
return key_len;
|
2006-03-10 23:06:27 +00:00
|
|
|
out_err:
|
|
|
|
|
if (s_debug)
|
|
|
|
|
BIO_printf(bio_err, "Error in PSK server callback\n");
|
2015-04-25 13:26:48 +00:00
|
|
|
(void)BIO_flush(bio_err);
|
|
|
|
|
(void)BIO_flush(bio_s_out);
|
2006-03-10 23:06:27 +00:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
#endif
|
2005-04-26 16:02:40 +00:00
|
|
|
|
2017-06-12 17:26:09 +00:00
|
|
|
static int psk_find_session_cb(SSL *ssl, const unsigned char *identity,
|
|
|
|
|
size_t identity_len, SSL_SESSION **sess)
|
|
|
|
|
{
|
2017-06-12 18:12:13 +00:00
|
|
|
SSL_SESSION *tmpsess = NULL;
|
|
|
|
|
unsigned char *key;
|
|
|
|
|
long key_len;
|
|
|
|
|
const SSL_CIPHER *cipher = NULL;
|
|
|
|
|
|
2017-06-12 17:26:09 +00:00
|
|
|
if (strlen(psk_identity) != identity_len
|
2018-07-06 08:16:51 +00:00
|
|
|
|| memcmp(psk_identity, identity, identity_len) != 0) {
|
2018-10-18 13:45:59 +00:00
|
|
|
*sess = NULL;
|
|
|
|
|
return 1;
|
2018-07-06 08:16:51 +00:00
|
|
|
}
|
2017-06-12 17:26:09 +00:00
|
|
|
|
2017-06-12 18:12:13 +00:00
|
|
|
if (psksess != NULL) {
|
|
|
|
|
SSL_SESSION_up_ref(psksess);
|
|
|
|
|
*sess = psksess;
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
key = OPENSSL_hexstr2buf(psk_key, &key_len);
|
|
|
|
|
if (key == NULL) {
|
|
|
|
|
BIO_printf(bio_err, "Could not convert PSK key '%s' to buffer\n",
|
|
|
|
|
psk_key);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2018-03-06 14:12:10 +00:00
|
|
|
/* We default to SHA256 */
|
|
|
|
|
cipher = SSL_CIPHER_find(ssl, tls13_aes128gcmsha256_id);
|
2017-06-12 18:12:13 +00:00
|
|
|
if (cipher == NULL) {
|
2018-03-06 14:12:10 +00:00
|
|
|
BIO_printf(bio_err, "Error finding suitable ciphersuite\n");
|
2018-05-29 14:59:25 +00:00
|
|
|
OPENSSL_free(key);
|
2017-06-12 18:12:13 +00:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
tmpsess = SSL_SESSION_new();
|
|
|
|
|
if (tmpsess == NULL
|
|
|
|
|
|| !SSL_SESSION_set1_master_key(tmpsess, key, key_len)
|
|
|
|
|
|| !SSL_SESSION_set_cipher(tmpsess, cipher)
|
|
|
|
|
|| !SSL_SESSION_set_protocol_version(tmpsess, SSL_version(ssl))) {
|
|
|
|
|
OPENSSL_free(key);
|
2023-02-04 23:08:14 +00:00
|
|
|
SSL_SESSION_free(tmpsess);
|
2017-06-12 18:12:13 +00:00
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
OPENSSL_free(key);
|
|
|
|
|
*sess = tmpsess;
|
2017-06-12 17:26:09 +00:00
|
|
|
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
2011-03-12 17:01:19 +00:00
|
|
|
#ifndef OPENSSL_NO_SRP
|
2018-03-21 20:01:24 +00:00
|
|
|
static srpsrvparm srp_callback_parm;
|
2011-03-12 17:01:19 +00:00
|
|
|
#endif
|
|
|
|
|
|
1998-12-21 10:56:39 +00:00
|
|
|
static int local_argc = 0;
|
1998-12-21 10:52:47 +00:00
|
|
|
static char **local_argv;
|
|
|
|
|
|
1999-06-04 21:35:58 +00:00
|
|
|
#ifdef CHARSET_EBCDIC
|
|
|
|
|
static int ebcdic_new(BIO *bi);
|
|
|
|
|
static int ebcdic_free(BIO *a);
|
|
|
|
|
static int ebcdic_read(BIO *b, char *out, int outl);
|
2002-08-15 14:52:54 +00:00
|
|
|
static int ebcdic_write(BIO *b, const char *in, int inl);
|
|
|
|
|
static long ebcdic_ctrl(BIO *b, int cmd, long num, void *ptr);
|
1999-06-04 21:35:58 +00:00
|
|
|
static int ebcdic_gets(BIO *bp, char *buf, int size);
|
2002-08-15 14:52:54 +00:00
|
|
|
static int ebcdic_puts(BIO *bp, const char *str);
|
1999-06-04 21:35:58 +00:00
|
|
|
|
|
|
|
|
# define BIO_TYPE_EBCDIC_FILTER (18|0x0200)
|
2016-04-28 10:34:54 +00:00
|
|
|
static BIO_METHOD *methods_ebcdic = NULL;
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2015-04-30 21:48:31 +00:00
|
|
|
/* This struct is "unwarranted chumminess with the compiler." */
|
1999-06-04 21:35:58 +00:00
|
|
|
typedef struct {
|
|
|
|
|
size_t alloced;
|
|
|
|
|
char buff[1];
|
|
|
|
|
} EBCDIC_OUTBUFF;
|
|
|
|
|
|
2023-08-06 17:44:37 +00:00
|
|
|
static const BIO_METHOD *BIO_f_ebcdic_filter(void)
|
1999-06-04 21:35:58 +00:00
|
|
|
{
|
2016-04-28 10:34:54 +00:00
|
|
|
if (methods_ebcdic == NULL) {
|
|
|
|
|
methods_ebcdic = BIO_meth_new(BIO_TYPE_EBCDIC_FILTER,
|
2016-08-07 10:04:26 +00:00
|
|
|
"EBCDIC/ASCII filter");
|
|
|
|
|
if (methods_ebcdic == NULL
|
2016-04-28 10:34:54 +00:00
|
|
|
|| !BIO_meth_set_write(methods_ebcdic, ebcdic_write)
|
|
|
|
|
|| !BIO_meth_set_read(methods_ebcdic, ebcdic_read)
|
|
|
|
|
|| !BIO_meth_set_puts(methods_ebcdic, ebcdic_puts)
|
|
|
|
|
|| !BIO_meth_set_gets(methods_ebcdic, ebcdic_gets)
|
|
|
|
|
|| !BIO_meth_set_ctrl(methods_ebcdic, ebcdic_ctrl)
|
|
|
|
|
|| !BIO_meth_set_create(methods_ebcdic, ebcdic_new)
|
|
|
|
|
|| !BIO_meth_set_destroy(methods_ebcdic, ebcdic_free))
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
return methods_ebcdic;
|
1999-06-04 21:35:58 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int ebcdic_new(BIO *bi)
|
|
|
|
|
{
|
|
|
|
|
EBCDIC_OUTBUFF *wbuf;
|
|
|
|
|
|
2015-05-02 03:10:31 +00:00
|
|
|
wbuf = app_malloc(sizeof(*wbuf) + 1024, "ebcdic wbuf");
|
1999-06-04 21:35:58 +00:00
|
|
|
wbuf->alloced = 1024;
|
|
|
|
|
wbuf->buff[0] = '\0';
|
|
|
|
|
|
2016-04-28 10:34:54 +00:00
|
|
|
BIO_set_data(bi, wbuf);
|
|
|
|
|
BIO_set_init(bi, 1);
|
|
|
|
|
return 1;
|
1999-06-04 21:35:58 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int ebcdic_free(BIO *a)
|
|
|
|
|
{
|
2016-04-28 10:34:54 +00:00
|
|
|
EBCDIC_OUTBUFF *wbuf;
|
|
|
|
|
|
1999-06-04 21:35:58 +00:00
|
|
|
if (a == NULL)
|
2016-04-28 10:34:54 +00:00
|
|
|
return 0;
|
|
|
|
|
wbuf = BIO_get_data(a);
|
|
|
|
|
OPENSSL_free(wbuf);
|
|
|
|
|
BIO_set_data(a, NULL);
|
|
|
|
|
BIO_set_init(a, 0);
|
|
|
|
|
|
|
|
|
|
return 1;
|
1999-06-04 21:35:58 +00:00
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
|
1999-06-04 21:35:58 +00:00
|
|
|
static int ebcdic_read(BIO *b, char *out, int outl)
|
|
|
|
|
{
|
|
|
|
|
int ret = 0;
|
2016-04-28 10:34:54 +00:00
|
|
|
BIO *next = BIO_next(b);
|
1999-06-04 21:35:58 +00:00
|
|
|
|
|
|
|
|
if (out == NULL || outl == 0)
|
2017-10-17 14:04:09 +00:00
|
|
|
return 0;
|
2016-04-28 10:34:54 +00:00
|
|
|
if (next == NULL)
|
2017-10-17 14:04:09 +00:00
|
|
|
return 0;
|
1999-06-04 21:35:58 +00:00
|
|
|
|
2016-04-28 10:34:54 +00:00
|
|
|
ret = BIO_read(next, out, outl);
|
1999-06-04 21:35:58 +00:00
|
|
|
if (ret > 0)
|
|
|
|
|
ascii2ebcdic(out, out, ret);
|
2016-04-28 10:34:54 +00:00
|
|
|
return ret;
|
1999-06-04 21:35:58 +00:00
|
|
|
}
|
|
|
|
|
|
2002-08-15 14:52:54 +00:00
|
|
|
static int ebcdic_write(BIO *b, const char *in, int inl)
|
1999-06-04 21:35:58 +00:00
|
|
|
{
|
|
|
|
|
EBCDIC_OUTBUFF *wbuf;
|
2016-04-28 10:34:54 +00:00
|
|
|
BIO *next = BIO_next(b);
|
1999-06-04 21:35:58 +00:00
|
|
|
int ret = 0;
|
|
|
|
|
int num;
|
|
|
|
|
|
|
|
|
|
if ((in == NULL) || (inl <= 0))
|
2017-10-17 14:04:09 +00:00
|
|
|
return 0;
|
2016-04-28 10:34:54 +00:00
|
|
|
if (next == NULL)
|
|
|
|
|
return 0;
|
1999-06-04 21:35:58 +00:00
|
|
|
|
2016-04-28 10:34:54 +00:00
|
|
|
wbuf = (EBCDIC_OUTBUFF *) BIO_get_data(b);
|
1999-06-04 21:35:58 +00:00
|
|
|
|
|
|
|
|
if (inl > (num = wbuf->alloced)) {
|
|
|
|
|
num = num + num; /* double the size */
|
|
|
|
|
if (num < inl)
|
|
|
|
|
num = inl;
|
2016-04-28 10:34:54 +00:00
|
|
|
OPENSSL_free(wbuf);
|
2015-05-02 03:10:31 +00:00
|
|
|
wbuf = app_malloc(sizeof(*wbuf) + num, "grow ebcdic wbuf");
|
1999-06-04 21:35:58 +00:00
|
|
|
|
|
|
|
|
wbuf->alloced = num;
|
|
|
|
|
wbuf->buff[0] = '\0';
|
|
|
|
|
|
2016-04-28 10:34:54 +00:00
|
|
|
BIO_set_data(b, wbuf);
|
1999-06-04 21:35:58 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ebcdic2ascii(wbuf->buff, in, inl);
|
|
|
|
|
|
2016-04-28 10:34:54 +00:00
|
|
|
ret = BIO_write(next, wbuf->buff, inl);
|
1999-06-04 21:35:58 +00:00
|
|
|
|
2017-10-17 14:04:09 +00:00
|
|
|
return ret;
|
1999-06-04 21:35:58 +00:00
|
|
|
}
|
|
|
|
|
|
2002-08-15 14:52:54 +00:00
|
|
|
static long ebcdic_ctrl(BIO *b, int cmd, long num, void *ptr)
|
1999-06-04 21:35:58 +00:00
|
|
|
{
|
|
|
|
|
long ret;
|
2016-04-28 10:34:54 +00:00
|
|
|
BIO *next = BIO_next(b);
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2016-04-28 10:34:54 +00:00
|
|
|
if (next == NULL)
|
2017-10-17 14:04:09 +00:00
|
|
|
return 0;
|
1999-06-04 21:35:58 +00:00
|
|
|
switch (cmd) {
|
|
|
|
|
case BIO_CTRL_DUP:
|
|
|
|
|
ret = 0L;
|
|
|
|
|
break;
|
|
|
|
|
default:
|
2016-04-28 10:34:54 +00:00
|
|
|
ret = BIO_ctrl(next, cmd, num, ptr);
|
1999-06-04 21:35:58 +00:00
|
|
|
break;
|
|
|
|
|
}
|
2017-10-17 14:04:09 +00:00
|
|
|
return ret;
|
1999-06-04 21:35:58 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static int ebcdic_gets(BIO *bp, char *buf, int size)
|
|
|
|
|
{
|
2002-08-15 14:52:54 +00:00
|
|
|
int i, ret = 0;
|
2016-04-28 10:34:54 +00:00
|
|
|
BIO *next = BIO_next(bp);
|
|
|
|
|
|
|
|
|
|
if (next == NULL)
|
|
|
|
|
return 0;
|
1999-06-04 21:35:58 +00:00
|
|
|
/* return(BIO_gets(bp->next_bio,buf,size));*/
|
|
|
|
|
for (i = 0; i < size - 1; ++i) {
|
|
|
|
|
ret = ebcdic_read(bp, &buf[i], 1);
|
|
|
|
|
if (ret <= 0)
|
|
|
|
|
break;
|
|
|
|
|
else if (buf[i] == '\n') {
|
|
|
|
|
++i;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if (i < size)
|
|
|
|
|
buf[i] = '\0';
|
|
|
|
|
return (ret < 0 && i == 0) ? ret : i;
|
|
|
|
|
}
|
|
|
|
|
|
2002-08-15 14:52:54 +00:00
|
|
|
static int ebcdic_puts(BIO *bp, const char *str)
|
1999-06-04 21:35:58 +00:00
|
|
|
{
|
2016-04-28 10:34:54 +00:00
|
|
|
if (BIO_next(bp) == NULL)
|
|
|
|
|
return 0;
|
1999-06-04 21:35:58 +00:00
|
|
|
return ebcdic_write(bp, str, strlen(str));
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
|
2006-01-02 23:14:37 +00:00
|
|
|
/* This is a context that we pass to callbacks */
|
|
|
|
|
typedef struct tlsextctx_st {
|
|
|
|
|
char *servername;
|
|
|
|
|
BIO *biodebug;
|
2006-01-11 06:10:40 +00:00
|
|
|
int extension_error;
|
2006-01-02 23:14:37 +00:00
|
|
|
} tlsextctx;
|
|
|
|
|
|
2015-01-12 22:29:26 +00:00
|
|
|
static int ssl_servername_cb(SSL *s, int *ad, void *arg)
|
2006-01-02 23:29:12 +00:00
|
|
|
{
|
2006-01-02 23:14:37 +00:00
|
|
|
tlsextctx *p = (tlsextctx *) arg;
|
2006-01-03 03:27:19 +00:00
|
|
|
const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
|
2017-08-21 19:28:56 +00:00
|
|
|
|
|
|
|
|
if (servername != NULL && p->biodebug != NULL) {
|
|
|
|
|
const char *cp = servername;
|
|
|
|
|
unsigned char uc;
|
|
|
|
|
|
|
|
|
|
BIO_printf(p->biodebug, "Hostname in TLS extension: \"");
|
|
|
|
|
while ((uc = *cp++) != 0)
|
|
|
|
|
BIO_printf(p->biodebug,
|
2019-08-18 08:29:50 +00:00
|
|
|
(((uc) & ~127) == 0) && isprint(uc) ? "%c" : "\\x%02x", uc);
|
2017-08-21 19:28:56 +00:00
|
|
|
BIO_printf(p->biodebug, "\"\n");
|
|
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2017-06-12 17:24:02 +00:00
|
|
|
if (p->servername == NULL)
|
2006-01-11 06:10:40 +00:00
|
|
|
return SSL_TLSEXT_ERR_NOACK;
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2017-06-12 17:24:02 +00:00
|
|
|
if (servername != NULL) {
|
2022-04-12 10:30:08 +00:00
|
|
|
if (OPENSSL_strcasecmp(servername, p->servername))
|
2006-01-11 06:10:40 +00:00
|
|
|
return p->extension_error;
|
2017-06-12 17:24:02 +00:00
|
|
|
if (ctx2 != NULL) {
|
2009-04-20 11:33:12 +00:00
|
|
|
BIO_printf(p->biodebug, "Switching server context.\n");
|
2006-01-02 23:14:37 +00:00
|
|
|
SSL_set_SSL_CTX(s, ctx2);
|
2006-01-09 19:49:05 +00:00
|
|
|
}
|
2006-01-02 23:29:12 +00:00
|
|
|
}
|
2006-01-11 06:10:40 +00:00
|
|
|
return SSL_TLSEXT_ERR_OK;
|
2006-01-02 23:14:37 +00:00
|
|
|
}
|
2007-09-26 21:56:59 +00:00
|
|
|
|
|
|
|
|
/* Structure passed to cert status callback */
|
|
|
|
|
typedef struct tlsextstatusctx_st {
|
2016-11-21 12:10:35 +00:00
|
|
|
int timeout;
|
2016-11-15 14:22:29 +00:00
|
|
|
/* File to load OCSP Response from (or NULL if no file) */
|
|
|
|
|
char *respin;
|
2007-09-26 21:56:59 +00:00
|
|
|
/* Default responder to use */
|
|
|
|
|
char *host, *path, *port;
|
2021-05-12 12:15:31 +00:00
|
|
|
char *proxy, *no_proxy;
|
2007-09-26 21:56:59 +00:00
|
|
|
int use_ssl;
|
|
|
|
|
int verbose;
|
|
|
|
|
} tlsextstatusctx;
|
|
|
|
|
|
2016-11-21 12:10:35 +00:00
|
|
|
static tlsextstatusctx tlscstatp = { -1 };
|
2007-09-26 21:56:59 +00:00
|
|
|
|
2016-03-21 16:54:53 +00:00
|
|
|
#ifndef OPENSSL_NO_OCSP
|
2016-11-15 14:22:29 +00:00
|
|
|
|
2007-09-26 21:56:59 +00:00
|
|
|
/*
|
2016-11-15 14:22:29 +00:00
|
|
|
* Helper function to get an OCSP_RESPONSE from a responder. This is a
|
|
|
|
|
* simplified version. It examines certificates each time and makes one OCSP
|
|
|
|
|
* responder query for each request. A full version would store details such as
|
|
|
|
|
* the OCSP certificate IDs and minimise the number of OCSP responses by caching
|
|
|
|
|
* them until they were considered "expired".
|
2007-09-26 21:56:59 +00:00
|
|
|
*/
|
2016-11-15 14:22:29 +00:00
|
|
|
static int get_ocsp_resp_from_responder(SSL *s, tlsextstatusctx *srctx,
|
|
|
|
|
OCSP_RESPONSE **resp)
|
2007-09-26 21:56:59 +00:00
|
|
|
{
|
2015-05-06 09:16:55 +00:00
|
|
|
char *host = NULL, *port = NULL, *path = NULL;
|
2021-05-12 12:15:31 +00:00
|
|
|
char *proxy = NULL, *no_proxy = NULL;
|
2007-09-26 21:56:59 +00:00
|
|
|
int use_ssl;
|
2009-07-27 21:10:00 +00:00
|
|
|
STACK_OF(OPENSSL_STRING) *aia = NULL;
|
2024-01-05 12:41:59 +00:00
|
|
|
X509 *x = NULL, *cert;
|
|
|
|
|
X509_NAME *iname;
|
|
|
|
|
STACK_OF(X509) *chain = NULL;
|
|
|
|
|
SSL_CTX *ssl_ctx;
|
2016-04-15 03:59:26 +00:00
|
|
|
X509_STORE_CTX *inctx = NULL;
|
|
|
|
|
X509_OBJECT *obj;
|
2007-09-26 21:56:59 +00:00
|
|
|
OCSP_REQUEST *req = NULL;
|
|
|
|
|
OCSP_CERTID *id = NULL;
|
|
|
|
|
STACK_OF(X509_EXTENSION) *exts;
|
|
|
|
|
int ret = SSL_TLSEXT_ERR_NOACK;
|
|
|
|
|
int i;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
|
2007-09-26 21:56:59 +00:00
|
|
|
/* Build up OCSP query from server certificate */
|
|
|
|
|
x = SSL_get_certificate(s);
|
2024-01-05 12:41:59 +00:00
|
|
|
iname = X509_get_issuer_name(x);
|
2007-09-26 21:56:59 +00:00
|
|
|
aia = X509_get1_ocsp(x);
|
2017-06-12 17:24:02 +00:00
|
|
|
if (aia != NULL) {
|
2021-01-28 21:10:47 +00:00
|
|
|
if (!OSSL_HTTP_parse_url(sk_OPENSSL_STRING_value(aia, 0), &use_ssl,
|
|
|
|
|
NULL, &host, &port, NULL, &path, NULL, NULL)) {
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
BIO_puts(bio_err, "cert_status: can't parse AIA URL\n");
|
2007-09-26 21:56:59 +00:00
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
if (srctx->verbose)
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
BIO_printf(bio_err, "cert_status: AIA URL: %s\n",
|
2009-07-27 21:10:00 +00:00
|
|
|
sk_OPENSSL_STRING_value(aia, 0));
|
2007-09-26 21:56:59 +00:00
|
|
|
} else {
|
2017-06-12 17:24:02 +00:00
|
|
|
if (srctx->host == NULL) {
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
BIO_puts(bio_err,
|
2007-09-26 21:56:59 +00:00
|
|
|
"cert_status: no AIA and no default responder URL\n");
|
|
|
|
|
goto done;
|
|
|
|
|
}
|
|
|
|
|
host = srctx->host;
|
|
|
|
|
path = srctx->path;
|
|
|
|
|
port = srctx->port;
|
|
|
|
|
use_ssl = srctx->use_ssl;
|
|
|
|
|
}
|
2021-05-12 12:15:31 +00:00
|
|
|
proxy = srctx->proxy;
|
|
|
|
|
no_proxy = srctx->no_proxy;
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2024-01-05 12:41:59 +00:00
|
|
|
ssl_ctx = SSL_get_SSL_CTX(s);
|
|
|
|
|
if (!SSL_CTX_get0_chain_certs(ssl_ctx, &chain))
|
2016-04-15 03:59:26 +00:00
|
|
|
goto err;
|
2024-01-05 12:41:59 +00:00
|
|
|
for (i = 0; i < sk_X509_num(chain); i++) {
|
|
|
|
|
/* check the untrusted certificate chain (-cert_chain option) */
|
|
|
|
|
cert = sk_X509_value(chain, i);
|
|
|
|
|
if (X509_name_cmp(iname, X509_get_subject_name(cert)) == 0) {
|
|
|
|
|
/* the issuer certificate is found */
|
|
|
|
|
id = OCSP_cert_to_id(NULL, x, cert);
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if (id == NULL) {
|
|
|
|
|
inctx = X509_STORE_CTX_new();
|
|
|
|
|
if (inctx == NULL)
|
|
|
|
|
goto err;
|
|
|
|
|
if (!X509_STORE_CTX_init(inctx, SSL_CTX_get_cert_store(ssl_ctx),
|
|
|
|
|
NULL, NULL))
|
|
|
|
|
goto err;
|
|
|
|
|
obj = X509_STORE_CTX_get_obj_by_subject(inctx, X509_LU_X509, iname);
|
|
|
|
|
if (obj == NULL) {
|
|
|
|
|
BIO_puts(bio_err, "cert_status: Can't retrieve issuer certificate.\n");
|
|
|
|
|
goto done;
|
|
|
|
|
}
|
|
|
|
|
id = OCSP_cert_to_id(NULL, x, X509_OBJECT_get0_X509(obj));
|
|
|
|
|
X509_OBJECT_free(obj);
|
2007-09-26 21:56:59 +00:00
|
|
|
}
|
2017-06-12 17:24:02 +00:00
|
|
|
if (id == NULL)
|
2007-09-26 21:56:59 +00:00
|
|
|
goto err;
|
2016-04-26 17:25:39 +00:00
|
|
|
req = OCSP_REQUEST_new();
|
|
|
|
|
if (req == NULL)
|
|
|
|
|
goto err;
|
2007-09-26 21:56:59 +00:00
|
|
|
if (!OCSP_request_add0_id(req, id))
|
|
|
|
|
goto err;
|
|
|
|
|
id = NULL;
|
|
|
|
|
/* Add any extensions to the request */
|
|
|
|
|
SSL_get_tlsext_status_exts(s, &exts);
|
|
|
|
|
for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) {
|
|
|
|
|
X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, i);
|
|
|
|
|
if (!OCSP_REQUEST_add_ext(req, ext, -1))
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
2021-05-12 11:58:52 +00:00
|
|
|
*resp = process_responder(req, host, port, path, proxy, no_proxy,
|
|
|
|
|
use_ssl, NULL /* headers */, srctx->timeout);
|
2016-11-15 14:22:29 +00:00
|
|
|
if (*resp == NULL) {
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
BIO_puts(bio_err, "cert_status: error querying responder\n");
|
2007-09-26 21:56:59 +00:00
|
|
|
goto done;
|
|
|
|
|
}
|
2016-11-15 14:22:29 +00:00
|
|
|
|
2007-09-26 21:56:59 +00:00
|
|
|
ret = SSL_TLSEXT_ERR_OK;
|
2016-04-15 03:59:26 +00:00
|
|
|
goto done;
|
|
|
|
|
|
|
|
|
|
err:
|
|
|
|
|
ret = SSL_TLSEXT_ERR_ALERT_FATAL;
|
2007-09-26 21:56:59 +00:00
|
|
|
done:
|
2016-11-23 15:38:32 +00:00
|
|
|
/*
|
|
|
|
|
* If we parsed aia we need to free; otherwise they were copied and we
|
|
|
|
|
* don't
|
|
|
|
|
*/
|
2016-11-21 12:10:35 +00:00
|
|
|
if (aia != NULL) {
|
2007-09-26 21:56:59 +00:00
|
|
|
OPENSSL_free(host);
|
|
|
|
|
OPENSSL_free(path);
|
|
|
|
|
OPENSSL_free(port);
|
|
|
|
|
X509_email_free(aia);
|
|
|
|
|
}
|
2015-05-01 18:37:16 +00:00
|
|
|
OCSP_CERTID_free(id);
|
|
|
|
|
OCSP_REQUEST_free(req);
|
2016-04-15 03:59:26 +00:00
|
|
|
X509_STORE_CTX_free(inctx);
|
2007-09-26 21:56:59 +00:00
|
|
|
return ret;
|
|
|
|
|
}
|
2016-11-15 14:22:29 +00:00
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* Certificate Status callback. This is called when a client includes a
|
|
|
|
|
* certificate status request extension. The response is either obtained from a
|
|
|
|
|
* file, or from an OCSP responder.
|
|
|
|
|
*/
|
|
|
|
|
static int cert_status_cb(SSL *s, void *arg)
|
|
|
|
|
{
|
|
|
|
|
tlsextstatusctx *srctx = arg;
|
|
|
|
|
OCSP_RESPONSE *resp = NULL;
|
|
|
|
|
unsigned char *rspder = NULL;
|
|
|
|
|
int rspderlen;
|
|
|
|
|
int ret = SSL_TLSEXT_ERR_ALERT_FATAL;
|
|
|
|
|
|
|
|
|
|
if (srctx->verbose)
|
|
|
|
|
BIO_puts(bio_err, "cert_status: callback called\n");
|
|
|
|
|
|
|
|
|
|
if (srctx->respin != NULL) {
|
|
|
|
|
BIO *derbio = bio_open_default(srctx->respin, 'r', FORMAT_ASN1);
|
|
|
|
|
if (derbio == NULL) {
|
|
|
|
|
BIO_puts(bio_err, "cert_status: Cannot open OCSP response file\n");
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
resp = d2i_OCSP_RESPONSE_bio(derbio, NULL);
|
|
|
|
|
BIO_free(derbio);
|
2016-11-21 12:10:35 +00:00
|
|
|
if (resp == NULL) {
|
2016-11-15 14:22:29 +00:00
|
|
|
BIO_puts(bio_err, "cert_status: Error reading OCSP response\n");
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
ret = get_ocsp_resp_from_responder(s, srctx, &resp);
|
|
|
|
|
if (ret != SSL_TLSEXT_ERR_OK)
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
rspderlen = i2d_OCSP_RESPONSE(resp, &rspder);
|
|
|
|
|
if (rspderlen <= 0)
|
|
|
|
|
goto err;
|
|
|
|
|
|
|
|
|
|
SSL_set_tlsext_status_ocsp_resp(s, rspder, rspderlen);
|
|
|
|
|
if (srctx->verbose) {
|
|
|
|
|
BIO_puts(bio_err, "cert_status: ocsp response sent:\n");
|
|
|
|
|
OCSP_RESPONSE_print(bio_err, resp, 2);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
ret = SSL_TLSEXT_ERR_OK;
|
|
|
|
|
|
|
|
|
|
err:
|
|
|
|
|
if (ret != SSL_TLSEXT_ERR_OK)
|
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
|
|
|
|
|
|
OCSP_RESPONSE_free(resp);
|
|
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
2016-03-21 16:54:53 +00:00
|
|
|
#endif
|
2010-07-28 10:06:55 +00:00
|
|
|
|
2015-05-15 09:49:56 +00:00
|
|
|
#ifndef OPENSSL_NO_NEXTPROTONEG
|
2010-07-28 10:06:55 +00:00
|
|
|
/* This is the context that we pass to next_proto_cb */
|
|
|
|
|
typedef struct tlsextnextprotoctx_st {
|
|
|
|
|
unsigned char *data;
|
2016-12-05 23:42:01 +00:00
|
|
|
size_t len;
|
2010-07-28 10:06:55 +00:00
|
|
|
} tlsextnextprotoctx;
|
|
|
|
|
|
|
|
|
|
static int next_proto_cb(SSL *s, const unsigned char **data,
|
|
|
|
|
unsigned int *len, void *arg)
|
|
|
|
|
{
|
|
|
|
|
tlsextnextprotoctx *next_proto = arg;
|
|
|
|
|
|
|
|
|
|
*data = next_proto->data;
|
|
|
|
|
*len = next_proto->len;
|
|
|
|
|
|
|
|
|
|
return SSL_TLSEXT_ERR_OK;
|
|
|
|
|
}
|
2015-05-15 09:49:56 +00:00
|
|
|
#endif /* ndef OPENSSL_NO_NEXTPROTONEG */
|
2013-04-15 22:07:47 +00:00
|
|
|
|
|
|
|
|
/* This the context that we pass to alpn_cb */
|
|
|
|
|
typedef struct tlsextalpnctx_st {
|
|
|
|
|
unsigned char *data;
|
2016-03-05 13:47:55 +00:00
|
|
|
size_t len;
|
2013-04-15 22:07:47 +00:00
|
|
|
} tlsextalpnctx;
|
|
|
|
|
|
|
|
|
|
static int alpn_cb(SSL *s, const unsigned char **out, unsigned char *outlen,
|
|
|
|
|
const unsigned char *in, unsigned int inlen, void *arg)
|
|
|
|
|
{
|
|
|
|
|
tlsextalpnctx *alpn_ctx = arg;
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2013-04-15 22:07:47 +00:00
|
|
|
if (!s_quiet) {
|
|
|
|
|
/* We can assume that |in| is syntactically valid. */
|
2016-03-05 13:47:55 +00:00
|
|
|
unsigned int i;
|
2013-04-15 22:07:47 +00:00
|
|
|
BIO_printf(bio_s_out, "ALPN protocols advertised by the client: ");
|
|
|
|
|
for (i = 0; i < inlen;) {
|
|
|
|
|
if (i)
|
|
|
|
|
BIO_write(bio_s_out, ", ", 2);
|
|
|
|
|
BIO_write(bio_s_out, &in[i + 1], in[i]);
|
|
|
|
|
i += in[i] + 1;
|
|
|
|
|
}
|
|
|
|
|
BIO_write(bio_s_out, "\n", 1);
|
|
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2013-04-15 22:07:47 +00:00
|
|
|
if (SSL_select_next_proto
|
|
|
|
|
((unsigned char **)out, outlen, alpn_ctx->data, alpn_ctx->len, in,
|
|
|
|
|
inlen) != OPENSSL_NPN_NEGOTIATED) {
|
2020-03-26 14:59:00 +00:00
|
|
|
return SSL_TLSEXT_ERR_ALERT_FATAL;
|
2013-04-15 22:07:47 +00:00
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2013-04-15 22:07:47 +00:00
|
|
|
if (!s_quiet) {
|
|
|
|
|
BIO_printf(bio_s_out, "ALPN protocols selected: ");
|
|
|
|
|
BIO_write(bio_s_out, *out, *outlen);
|
|
|
|
|
BIO_write(bio_s_out, "\n", 1);
|
|
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2013-04-15 22:07:47 +00:00
|
|
|
return SSL_TLSEXT_ERR_OK;
|
|
|
|
|
}
|
2006-01-02 23:14:37 +00:00
|
|
|
|
2010-08-26 15:15:47 +00:00
|
|
|
static int not_resumable_sess_cb(SSL *s, int is_forward_secure)
|
|
|
|
|
{
|
|
|
|
|
/* disable resumption for sessions with forward secure ciphers */
|
|
|
|
|
return is_forward_secure;
|
|
|
|
|
}
|
|
|
|
|
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
typedef enum OPTION_choice {
|
2021-05-01 13:29:00 +00:00
|
|
|
OPT_COMMON,
|
|
|
|
|
OPT_ENGINE,
|
2016-02-02 23:47:42 +00:00
|
|
|
OPT_4, OPT_6, OPT_ACCEPT, OPT_PORT, OPT_UNIX, OPT_UNLINK, OPT_NACCEPT,
|
2017-02-21 11:22:55 +00:00
|
|
|
OPT_VERIFY, OPT_NAMEOPT, OPT_UPPER_V_VERIFY, OPT_CONTEXT, OPT_CERT, OPT_CRL,
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
OPT_CRL_DOWNLOAD, OPT_SERVERINFO, OPT_CERTFORM, OPT_KEY, OPT_KEYFORM,
|
|
|
|
|
OPT_PASS, OPT_CERT_CHAIN, OPT_DHPARAM, OPT_DCERTFORM, OPT_DCERT,
|
|
|
|
|
OPT_DKEYFORM, OPT_DPASS, OPT_DKEY, OPT_DCERT_CHAIN, OPT_NOCERT,
|
2015-09-22 15:00:52 +00:00
|
|
|
OPT_CAPATH, OPT_NOCAPATH, OPT_CHAINCAPATH, OPT_VERIFYCAPATH, OPT_NO_CACHE,
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
OPT_EXT_CACHE, OPT_CRLFORM, OPT_VERIFY_RET_ERROR, OPT_VERIFY_QUIET,
|
2015-09-22 15:00:52 +00:00
|
|
|
OPT_BUILD_CHAIN, OPT_CAFILE, OPT_NOCAFILE, OPT_CHAINCAFILE,
|
2019-03-07 14:26:34 +00:00
|
|
|
OPT_VERIFYCAFILE,
|
|
|
|
|
OPT_CASTORE, OPT_NOCASTORE, OPT_CHAINCASTORE, OPT_VERIFYCASTORE,
|
|
|
|
|
OPT_NBIO, OPT_NBIO_TEST, OPT_IGN_EOF, OPT_NO_IGN_EOF,
|
2015-09-22 15:00:52 +00:00
|
|
|
OPT_DEBUG, OPT_TLSEXTDEBUG, OPT_STATUS, OPT_STATUS_VERBOSE,
|
2021-05-12 12:15:31 +00:00
|
|
|
OPT_STATUS_TIMEOUT, OPT_PROXY, OPT_NO_PROXY, OPT_STATUS_URL,
|
|
|
|
|
OPT_STATUS_FILE, OPT_MSG, OPT_MSGFILE,
|
2016-11-15 14:22:29 +00:00
|
|
|
OPT_TRACE, OPT_SECURITY_DEBUG, OPT_SECURITY_DEBUG_VERBOSE, OPT_STATE,
|
|
|
|
|
OPT_CRLF, OPT_QUIET, OPT_BRIEF, OPT_NO_DHE,
|
2017-06-12 17:26:09 +00:00
|
|
|
OPT_NO_RESUME_EPHEMERAL, OPT_PSK_IDENTITY, OPT_PSK_HINT, OPT_PSK,
|
|
|
|
|
OPT_PSK_SESS, OPT_SRPVFILE, OPT_SRPUSERSEED, OPT_REV, OPT_WWW,
|
|
|
|
|
OPT_UPPER_WWW, OPT_HTTP, OPT_ASYNC, OPT_SSL_CONFIG,
|
2017-04-06 21:47:18 +00:00
|
|
|
OPT_MAX_SEND_FRAG, OPT_SPLIT_SEND_FRAG, OPT_MAX_PIPELINES, OPT_READ_BUF,
|
2016-10-21 16:39:33 +00:00
|
|
|
OPT_SSL3, OPT_TLS1_3, OPT_TLS1_2, OPT_TLS1_1, OPT_TLS1, OPT_DTLS, OPT_DTLS1,
|
2017-12-29 17:37:04 +00:00
|
|
|
OPT_DTLS1_2, OPT_SCTP, OPT_TIMEOUT, OPT_MTU, OPT_LISTEN, OPT_STATELESS,
|
2017-07-05 14:58:48 +00:00
|
|
|
OPT_ID_PREFIX, OPT_SERVERNAME, OPT_SERVERNAME_FATAL,
|
2020-03-13 03:24:05 +00:00
|
|
|
OPT_CERT2, OPT_KEY2, OPT_NEXTPROTONEG, OPT_ALPN, OPT_SENDFILE,
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
OPT_SRTP_PROFILES, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN,
|
2018-07-05 14:42:36 +00:00
|
|
|
OPT_KEYLOG_FILE, OPT_MAX_EARLY, OPT_RECV_MAX_EARLY, OPT_EARLY_DATA,
|
2018-12-26 11:44:53 +00:00
|
|
|
OPT_S_NUM_TICKETS, OPT_ANTI_REPLAY, OPT_NO_ANTI_REPLAY, OPT_SCTP_LABEL_BUG,
|
2021-09-15 03:39:51 +00:00
|
|
|
OPT_HTTP_SERVER_BINMODE, OPT_NOCANAMES, OPT_IGNORE_UNEXPECTED_EOF, OPT_KTLS,
|
2022-11-09 09:26:11 +00:00
|
|
|
OPT_USE_ZC_SENDFILE,
|
2021-08-09 20:56:50 +00:00
|
|
|
OPT_TFO, OPT_CERT_COMP,
|
2021-01-27 19:23:33 +00:00
|
|
|
OPT_ENABLE_SERVER_RPK,
|
|
|
|
|
OPT_ENABLE_CLIENT_RPK,
|
2017-07-05 14:58:48 +00:00
|
|
|
OPT_R_ENUM,
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
OPT_S_ENUM,
|
|
|
|
|
OPT_V_ENUM,
|
2020-02-25 04:29:30 +00:00
|
|
|
OPT_X_ENUM,
|
|
|
|
|
OPT_PROV_ENUM
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
} OPTION_CHOICE;
|
|
|
|
|
|
2016-03-13 13:07:50 +00:00
|
|
|
const OPTIONS s_server_options[] = {
|
2019-11-07 20:08:30 +00:00
|
|
|
OPT_SECTION("General"),
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
{"help", OPT_HELP, '-', "Display this summary"},
|
2019-11-07 20:08:30 +00:00
|
|
|
{"ssl_config", OPT_SSL_CONFIG, 's',
|
2021-05-17 09:04:40 +00:00
|
|
|
"Configure SSL_CTX using the given configuration value"},
|
2019-11-07 20:08:30 +00:00
|
|
|
#ifndef OPENSSL_NO_SSL_TRACE
|
|
|
|
|
{"trace", OPT_TRACE, '-', "trace protocol messages"},
|
|
|
|
|
#endif
|
|
|
|
|
#ifndef OPENSSL_NO_ENGINE
|
|
|
|
|
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
OPT_SECTION("Network"),
|
2016-02-09 15:55:42 +00:00
|
|
|
{"port", OPT_PORT, 'p',
|
|
|
|
|
"TCP/IP port to listen on for connections (default is " PORT ")"},
|
2016-02-02 23:47:42 +00:00
|
|
|
{"accept", OPT_ACCEPT, 's',
|
2016-11-12 20:08:32 +00:00
|
|
|
"TCP/IP optional host and port to listen on for connections (default is *:" PORT ")"},
|
2016-02-02 23:47:42 +00:00
|
|
|
#ifdef AF_UNIX
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
{"unix", OPT_UNIX, 's', "Unix domain socket to accept on"},
|
2019-11-07 20:08:30 +00:00
|
|
|
{"unlink", OPT_UNLINK, '-', "For -unix, unlink existing socket first"},
|
2016-02-02 23:47:42 +00:00
|
|
|
#endif
|
|
|
|
|
{"4", OPT_4, '-', "Use IPv4 only"},
|
|
|
|
|
{"6", OPT_6, '-', "Use IPv6 only"},
|
2021-09-08 20:23:04 +00:00
|
|
|
#if defined(TCP_FASTOPEN) && !defined(OPENSSL_NO_TFO)
|
|
|
|
|
{"tfo", OPT_TFO, '-', "Listen for TCP Fast Open connections"},
|
|
|
|
|
#endif
|
2019-11-07 20:08:30 +00:00
|
|
|
|
|
|
|
|
OPT_SECTION("Identity"),
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
{"context", OPT_CONTEXT, 's', "Set session ID context"},
|
2019-11-07 20:08:30 +00:00
|
|
|
{"CAfile", OPT_CAFILE, '<', "PEM format file of CA's"},
|
|
|
|
|
{"CApath", OPT_CAPATH, '/', "PEM format directory of CA's"},
|
|
|
|
|
{"CAstore", OPT_CASTORE, ':', "URI to store of CA's"},
|
|
|
|
|
{"no-CAfile", OPT_NOCAFILE, '-',
|
|
|
|
|
"Do not load the default certificates file"},
|
|
|
|
|
{"no-CApath", OPT_NOCAPATH, '-',
|
|
|
|
|
"Do not load certificates from the default certificates directory"},
|
|
|
|
|
{"no-CAstore", OPT_NOCASTORE, '-',
|
|
|
|
|
"Do not load certificates from the default certificates store URI"},
|
|
|
|
|
{"nocert", OPT_NOCERT, '-', "Don't use any certificates (Anon-DH)"},
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
{"verify", OPT_VERIFY, 'n', "Turn on peer certificate verification"},
|
|
|
|
|
{"Verify", OPT_UPPER_V_VERIFY, 'n',
|
|
|
|
|
"Turn on peer certificate verification, must have a cert"},
|
2020-03-06 20:46:33 +00:00
|
|
|
{"nameopt", OPT_NAMEOPT, 's', "Certificate subject/issuer name printing options"},
|
2020-08-16 13:25:27 +00:00
|
|
|
{"cert", OPT_CERT, '<', "Server certificate file to use; default " TEST_CERT},
|
2019-11-07 20:08:30 +00:00
|
|
|
{"cert2", OPT_CERT2, '<',
|
2020-08-16 13:25:27 +00:00
|
|
|
"Certificate file to use for servername; default " TEST_CERT2},
|
2020-03-06 20:46:33 +00:00
|
|
|
{"certform", OPT_CERTFORM, 'F',
|
2020-05-06 11:51:50 +00:00
|
|
|
"Server certificate file format (PEM/DER/P12); has no effect"},
|
2020-03-06 20:46:33 +00:00
|
|
|
{"cert_chain", OPT_CERT_CHAIN, '<',
|
|
|
|
|
"Server certificate chain file in PEM format"},
|
|
|
|
|
{"build_chain", OPT_BUILD_CHAIN, '-', "Build server certificate chain"},
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
{"serverinfo", OPT_SERVERINFO, 's',
|
|
|
|
|
"PEM serverinfo file for certificate"},
|
2017-09-22 08:41:04 +00:00
|
|
|
{"key", OPT_KEY, 's',
|
2020-03-06 20:46:33 +00:00
|
|
|
"Private key file to use; default is -cert file or else" TEST_CERT},
|
|
|
|
|
{"key2", OPT_KEY2, '<',
|
|
|
|
|
"-Private Key file to use for servername if not in -cert2"},
|
2020-05-06 11:51:50 +00:00
|
|
|
{"keyform", OPT_KEYFORM, 'f', "Key format (ENGINE, other values ignored)"},
|
2020-08-16 13:25:27 +00:00
|
|
|
{"pass", OPT_PASS, 's', "Private key and cert file pass phrase source"},
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
{"dcert", OPT_DCERT, '<',
|
2020-03-06 20:46:33 +00:00
|
|
|
"Second server certificate file to use (usually for DSA)"},
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
{"dcertform", OPT_DCERTFORM, 'F',
|
2020-05-06 11:51:50 +00:00
|
|
|
"Second server certificate file format (PEM/DER/P12); has no effect"},
|
2020-03-06 20:46:33 +00:00
|
|
|
{"dcert_chain", OPT_DCERT_CHAIN, '<',
|
|
|
|
|
"second server certificate chain file in PEM format"},
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
{"dkey", OPT_DKEY, '<',
|
|
|
|
|
"Second private key file to use (usually for DSA)"},
|
2023-09-06 13:29:38 +00:00
|
|
|
{"dkeyform", OPT_DKEYFORM, 'f',
|
2020-05-06 11:51:50 +00:00
|
|
|
"Second key file format (ENGINE, other values ignored)"},
|
2017-12-14 10:10:33 +00:00
|
|
|
{"dpass", OPT_DPASS, 's',
|
|
|
|
|
"Second private key and cert file pass phrase source"},
|
2020-03-06 20:46:33 +00:00
|
|
|
{"dhparam", OPT_DHPARAM, '<', "DH parameters file to use"},
|
2019-11-07 20:08:30 +00:00
|
|
|
{"servername", OPT_SERVERNAME, 's',
|
|
|
|
|
"Servername for HostName TLS extension"},
|
|
|
|
|
{"servername_fatal", OPT_SERVERNAME_FATAL, '-',
|
2021-05-17 09:04:40 +00:00
|
|
|
"On servername mismatch send fatal alert (default warning alert)"},
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
{"nbio_test", OPT_NBIO_TEST, '-', "Test with the non-blocking test bio"},
|
|
|
|
|
{"crlf", OPT_CRLF, '-', "Convert LF from terminal into CRLF"},
|
|
|
|
|
{"quiet", OPT_QUIET, '-', "No server output"},
|
|
|
|
|
{"no_resume_ephemeral", OPT_NO_RESUME_EPHEMERAL, '-',
|
|
|
|
|
"Disable caching and tickets if ephemeral (EC)DH is used"},
|
|
|
|
|
{"www", OPT_WWW, '-', "Respond to a 'GET /' with a status page"},
|
|
|
|
|
{"WWW", OPT_UPPER_WWW, '-', "Respond to a 'GET with the file ./path"},
|
2020-05-05 13:20:42 +00:00
|
|
|
{"ignore_unexpected_eof", OPT_IGNORE_UNEXPECTED_EOF, '-',
|
|
|
|
|
"Do not treat lack of close_notify from a peer as an error"},
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
{"tlsextdebug", OPT_TLSEXTDEBUG, '-',
|
|
|
|
|
"Hex dump of all TLS extensions received"},
|
2016-07-05 19:22:18 +00:00
|
|
|
{"HTTP", OPT_HTTP, '-', "Like -WWW but ./path includes HTTP headers"},
|
2015-05-15 17:50:38 +00:00
|
|
|
{"id_prefix", OPT_ID_PREFIX, 's',
|
|
|
|
|
"Generate SSL/TLS session IDs prefixed by arg"},
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
{"keymatexport", OPT_KEYMATEXPORT, 's',
|
|
|
|
|
"Export keying material using label"},
|
|
|
|
|
{"keymatexportlen", OPT_KEYMATEXPORTLEN, 'p',
|
2020-08-16 13:25:27 +00:00
|
|
|
"Export len bytes of keying material; default 20"},
|
2016-02-09 15:55:42 +00:00
|
|
|
{"CRL", OPT_CRL, '<', "CRL file to use"},
|
2020-03-06 20:46:33 +00:00
|
|
|
{"CRLform", OPT_CRLFORM, 'F', "CRL file format (PEM or DER); default PEM"},
|
2016-02-09 15:55:42 +00:00
|
|
|
{"crl_download", OPT_CRL_DOWNLOAD, '-',
|
2020-03-06 20:46:33 +00:00
|
|
|
"Download CRLs from distribution points in certificate CDP entries"},
|
|
|
|
|
{"chainCAfile", OPT_CHAINCAFILE, '<',
|
|
|
|
|
"CA file for certificate chain (PEM format)"},
|
2016-02-09 15:55:42 +00:00
|
|
|
{"chainCApath", OPT_CHAINCAPATH, '/',
|
|
|
|
|
"use dir as certificate store path to build CA certificate chain"},
|
2019-03-07 14:26:34 +00:00
|
|
|
{"chainCAstore", OPT_CHAINCASTORE, ':',
|
|
|
|
|
"use URI as certificate store to build CA certificate chain"},
|
2020-03-06 20:46:33 +00:00
|
|
|
{"verifyCAfile", OPT_VERIFYCAFILE, '<',
|
|
|
|
|
"CA file for certificate verification (PEM format)"},
|
2016-02-09 15:55:42 +00:00
|
|
|
{"verifyCApath", OPT_VERIFYCAPATH, '/',
|
|
|
|
|
"use dir as certificate store path to verify CA certificate"},
|
2019-03-07 14:26:34 +00:00
|
|
|
{"verifyCAstore", OPT_VERIFYCASTORE, ':',
|
|
|
|
|
"use URI as certificate store to verify CA certificate"},
|
2016-02-09 15:55:42 +00:00
|
|
|
{"no_cache", OPT_NO_CACHE, '-', "Disable session cache"},
|
|
|
|
|
{"ext_cache", OPT_EXT_CACHE, '-',
|
2021-05-17 09:04:40 +00:00
|
|
|
"Disable internal cache, set up and use external cache"},
|
2016-02-09 15:55:42 +00:00
|
|
|
{"verify_return_error", OPT_VERIFY_RET_ERROR, '-',
|
|
|
|
|
"Close connection on verification error"},
|
|
|
|
|
{"verify_quiet", OPT_VERIFY_QUIET, '-',
|
|
|
|
|
"No verify output except verify errors"},
|
2021-05-17 09:04:40 +00:00
|
|
|
{"ign_eof", OPT_IGN_EOF, '-', "Ignore input EOF (default when -quiet)"},
|
|
|
|
|
{"no_ign_eof", OPT_NO_IGN_EOF, '-', "Do not ignore input EOF"},
|
2021-08-09 20:56:50 +00:00
|
|
|
#ifndef OPENSSL_NO_COMP_ALG
|
|
|
|
|
{"cert_comp", OPT_CERT_COMP, '-', "Pre-compress server certificates"},
|
|
|
|
|
#endif
|
2019-11-07 20:08:30 +00:00
|
|
|
|
2016-03-21 16:54:53 +00:00
|
|
|
#ifndef OPENSSL_NO_OCSP
|
2019-11-07 20:08:30 +00:00
|
|
|
OPT_SECTION("OCSP"),
|
2016-02-09 15:55:42 +00:00
|
|
|
{"status", OPT_STATUS, '-', "Request certificate status from server"},
|
|
|
|
|
{"status_verbose", OPT_STATUS_VERBOSE, '-',
|
|
|
|
|
"Print more output in certificate status callback"},
|
|
|
|
|
{"status_timeout", OPT_STATUS_TIMEOUT, 'n',
|
|
|
|
|
"Status request responder timeout"},
|
|
|
|
|
{"status_url", OPT_STATUS_URL, 's', "Status request fallback URL"},
|
2021-05-12 12:15:31 +00:00
|
|
|
{"proxy", OPT_PROXY, 's',
|
|
|
|
|
"[http[s]://]host[:port][/path] of HTTP(S) proxy to use; path is ignored"},
|
|
|
|
|
{"no_proxy", OPT_NO_PROXY, 's',
|
|
|
|
|
"List of addresses of servers not to use HTTP(S) proxy for"},
|
|
|
|
|
{OPT_MORE_STR, 0, 0,
|
|
|
|
|
"Default from environment variable 'no_proxy', else 'NO_PROXY', else none"},
|
2016-11-15 14:22:29 +00:00
|
|
|
{"status_file", OPT_STATUS_FILE, '<',
|
|
|
|
|
"File containing DER encoded OCSP Response"},
|
2016-03-21 16:54:53 +00:00
|
|
|
#endif
|
2019-11-07 20:08:30 +00:00
|
|
|
|
|
|
|
|
OPT_SECTION("Debug"),
|
2016-02-09 15:55:42 +00:00
|
|
|
{"security_debug", OPT_SECURITY_DEBUG, '-',
|
|
|
|
|
"Print output from SSL/TLS security framework"},
|
|
|
|
|
{"security_debug_verbose", OPT_SECURITY_DEBUG_VERBOSE, '-',
|
|
|
|
|
"Print more output from SSL/TLS security framework"},
|
2016-08-07 10:04:26 +00:00
|
|
|
{"brief", OPT_BRIEF, '-',
|
2016-02-09 15:55:42 +00:00
|
|
|
"Restrict output to brief summary of connection parameters"},
|
|
|
|
|
{"rev", OPT_REV, '-',
|
2021-06-14 11:38:02 +00:00
|
|
|
"act as an echo server that sends back received text reversed"},
|
2019-11-07 20:08:30 +00:00
|
|
|
{"debug", OPT_DEBUG, '-', "Print more output"},
|
|
|
|
|
{"msg", OPT_MSG, '-', "Show protocol messages"},
|
|
|
|
|
{"msgfile", OPT_MSGFILE, '>',
|
|
|
|
|
"File to send output of -msg or -trace, instead of stdout"},
|
|
|
|
|
{"state", OPT_STATE, '-', "Print the SSL states"},
|
2015-02-13 23:33:12 +00:00
|
|
|
{"async", OPT_ASYNC, '-', "Operate in asynchronous mode"},
|
2017-04-07 17:15:38 +00:00
|
|
|
{"max_pipelines", OPT_MAX_PIPELINES, 'p',
|
2015-09-22 10:23:33 +00:00
|
|
|
"Maximum number of encrypt/decrypt pipelines to be used"},
|
2019-11-07 20:08:30 +00:00
|
|
|
{"naccept", OPT_NACCEPT, 'p', "Terminate after #num connections"},
|
|
|
|
|
{"keylogfile", OPT_KEYLOG_FILE, '>', "Write TLS secrets to file"},
|
|
|
|
|
|
|
|
|
|
OPT_SECTION("Network"),
|
|
|
|
|
{"nbio", OPT_NBIO, '-', "Use non-blocking IO"},
|
|
|
|
|
{"timeout", OPT_TIMEOUT, '-', "Enable timeouts"},
|
2021-05-17 09:04:40 +00:00
|
|
|
{"mtu", OPT_MTU, 'p', "Set link-layer MTU"},
|
2017-04-07 17:15:38 +00:00
|
|
|
{"read_buf", OPT_READ_BUF, 'p',
|
2016-01-13 14:20:25 +00:00
|
|
|
"Default read buffer size to be used for connections"},
|
2019-11-07 20:08:30 +00:00
|
|
|
{"split_send_frag", OPT_SPLIT_SEND_FRAG, 'p',
|
|
|
|
|
"Size used to split data for encrypt pipelines"},
|
|
|
|
|
{"max_send_frag", OPT_MAX_SEND_FRAG, 'p', "Maximum Size of send frames "},
|
|
|
|
|
|
|
|
|
|
OPT_SECTION("Server identity"),
|
2017-06-02 01:01:27 +00:00
|
|
|
{"psk_identity", OPT_PSK_IDENTITY, 's', "PSK identity to expect"},
|
2017-06-13 13:28:45 +00:00
|
|
|
#ifndef OPENSSL_NO_PSK
|
2015-05-15 17:50:38 +00:00
|
|
|
{"psk_hint", OPT_PSK_HINT, 's', "PSK identity hint to use"},
|
|
|
|
|
#endif
|
2017-06-13 13:28:45 +00:00
|
|
|
{"psk", OPT_PSK, 's', "PSK in hex (without 0x)"},
|
2017-06-12 17:26:09 +00:00
|
|
|
{"psk_session", OPT_PSK_SESS, '<', "File to read PSK SSL session from"},
|
2015-05-15 17:50:38 +00:00
|
|
|
#ifndef OPENSSL_NO_SRP
|
2021-02-05 11:28:15 +00:00
|
|
|
{"srpvfile", OPT_SRPVFILE, '<', "(deprecated) The verifier file for SRP"},
|
2015-05-15 17:50:38 +00:00
|
|
|
{"srpuserseed", OPT_SRPUSERSEED, 's',
|
2021-02-05 11:28:15 +00:00
|
|
|
"(deprecated) A seed string for a default user salt"},
|
2015-05-15 17:50:38 +00:00
|
|
|
#endif
|
2019-11-07 20:08:30 +00:00
|
|
|
|
|
|
|
|
OPT_SECTION("Protocol and version"),
|
|
|
|
|
{"max_early_data", OPT_MAX_EARLY, 'n',
|
|
|
|
|
"The maximum number of bytes of early data as advertised in tickets"},
|
|
|
|
|
{"recv_max_early_data", OPT_RECV_MAX_EARLY, 'n',
|
|
|
|
|
"The maximum number of bytes of early data (hard limit)"},
|
|
|
|
|
{"early_data", OPT_EARLY_DATA, '-', "Attempt to read early data"},
|
|
|
|
|
{"num_tickets", OPT_S_NUM_TICKETS, 'n',
|
|
|
|
|
"The number of TLSv1.3 session tickets that a server will automatically issue" },
|
|
|
|
|
{"anti_replay", OPT_ANTI_REPLAY, '-', "Switch on anti-replay protection (default)"},
|
|
|
|
|
{"no_anti_replay", OPT_NO_ANTI_REPLAY, '-', "Switch off anti-replay protection"},
|
|
|
|
|
{"http_server_binmode", OPT_HTTP_SERVER_BINMODE, '-', "opening files in binary mode when acting as http server (-WWW and -HTTP)"},
|
2020-05-02 09:22:43 +00:00
|
|
|
{"no_ca_names", OPT_NOCANAMES, '-',
|
|
|
|
|
"Disable TLS Extension CA Names"},
|
2019-11-07 20:08:30 +00:00
|
|
|
{"stateless", OPT_STATELESS, '-', "Require TLSv1.3 cookies"},
|
2015-05-15 17:50:38 +00:00
|
|
|
#ifndef OPENSSL_NO_SSL3
|
|
|
|
|
{"ssl3", OPT_SSL3, '-', "Just talk SSLv3"},
|
|
|
|
|
#endif
|
2016-01-18 18:10:21 +00:00
|
|
|
#ifndef OPENSSL_NO_TLS1
|
|
|
|
|
{"tls1", OPT_TLS1, '-', "Just talk TLSv1"},
|
|
|
|
|
#endif
|
|
|
|
|
#ifndef OPENSSL_NO_TLS1_1
|
|
|
|
|
{"tls1_1", OPT_TLS1_1, '-', "Just talk TLSv1.1"},
|
|
|
|
|
#endif
|
|
|
|
|
#ifndef OPENSSL_NO_TLS1_2
|
|
|
|
|
{"tls1_2", OPT_TLS1_2, '-', "just talk TLSv1.2"},
|
|
|
|
|
#endif
|
2016-10-21 16:39:33 +00:00
|
|
|
#ifndef OPENSSL_NO_TLS1_3
|
|
|
|
|
{"tls1_3", OPT_TLS1_3, '-', "just talk TLSv1.3"},
|
|
|
|
|
#endif
|
2015-12-12 10:12:22 +00:00
|
|
|
#ifndef OPENSSL_NO_DTLS
|
2016-02-09 15:55:42 +00:00
|
|
|
{"dtls", OPT_DTLS, '-', "Use any DTLS version"},
|
2015-04-09 09:01:05 +00:00
|
|
|
{"listen", OPT_LISTEN, '-',
|
|
|
|
|
"Listen for a DTLS ClientHello with a cookie and then connect"},
|
2015-05-15 17:50:38 +00:00
|
|
|
#endif
|
2016-01-18 18:10:21 +00:00
|
|
|
#ifndef OPENSSL_NO_DTLS1
|
|
|
|
|
{"dtls1", OPT_DTLS1, '-', "Just talk DTLSv1"},
|
|
|
|
|
#endif
|
|
|
|
|
#ifndef OPENSSL_NO_DTLS1_2
|
|
|
|
|
{"dtls1_2", OPT_DTLS1_2, '-', "Just talk DTLSv1.2"},
|
|
|
|
|
#endif
|
2017-04-20 08:56:56 +00:00
|
|
|
#ifndef OPENSSL_NO_SCTP
|
|
|
|
|
{"sctp", OPT_SCTP, '-', "Use SCTP"},
|
2018-12-26 11:44:53 +00:00
|
|
|
{"sctp_label_bug", OPT_SCTP_LABEL_BUG, '-', "Enable SCTP label length bug"},
|
2017-04-20 08:56:56 +00:00
|
|
|
#endif
|
2019-11-07 20:08:30 +00:00
|
|
|
#ifndef OPENSSL_NO_SRTP
|
|
|
|
|
{"use_srtp", OPT_SRTP_PROFILES, 's',
|
|
|
|
|
"Offer SRTP key management with a colon-separated profile list"},
|
|
|
|
|
#endif
|
2015-05-15 17:50:38 +00:00
|
|
|
{"no_dhe", OPT_NO_DHE, '-', "Disable ephemeral DH"},
|
|
|
|
|
#ifndef OPENSSL_NO_NEXTPROTONEG
|
|
|
|
|
{"nextprotoneg", OPT_NEXTPROTONEG, 's',
|
|
|
|
|
"Set the advertised protocols for the NPN extension (comma-separated list)"},
|
2016-02-27 03:20:07 +00:00
|
|
|
#endif
|
2015-05-15 17:50:38 +00:00
|
|
|
{"alpn", OPT_ALPN, 's',
|
|
|
|
|
"Set the advertised protocols for the ALPN extension (comma-separated list)"},
|
2020-03-13 03:24:05 +00:00
|
|
|
#ifndef OPENSSL_NO_KTLS
|
2021-09-15 03:39:51 +00:00
|
|
|
{"ktls", OPT_KTLS, '-', "Enable Kernel TLS for sending and receiving"},
|
2020-03-13 03:24:05 +00:00
|
|
|
{"sendfile", OPT_SENDFILE, '-', "Use sendfile to response file with -WWW"},
|
2022-11-09 09:26:11 +00:00
|
|
|
{"zerocopy_sendfile", OPT_USE_ZC_SENDFILE, '-', "Use zerocopy mode of KTLS sendfile"},
|
2020-03-13 03:24:05 +00:00
|
|
|
#endif
|
2021-01-27 19:23:33 +00:00
|
|
|
{"enable_server_rpk", OPT_ENABLE_SERVER_RPK, '-', "Enable raw public keys (RFC7250) from the server"},
|
|
|
|
|
{"enable_client_rpk", OPT_ENABLE_CLIENT_RPK, '-', "Enable raw public keys (RFC7250) from the client"},
|
2019-11-07 20:08:30 +00:00
|
|
|
OPT_R_OPTIONS,
|
|
|
|
|
OPT_S_OPTIONS,
|
|
|
|
|
OPT_V_OPTIONS,
|
|
|
|
|
OPT_X_OPTIONS,
|
2020-02-25 04:29:30 +00:00
|
|
|
OPT_PROV_OPTIONS,
|
2019-11-07 20:08:30 +00:00
|
|
|
{NULL}
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
};
|
|
|
|
|
|
2016-07-07 10:05:31 +00:00
|
|
|
#define IS_PROT_FLAG(o) \
|
|
|
|
|
(o == OPT_SSL3 || o == OPT_TLS1 || o == OPT_TLS1_1 || o == OPT_TLS1_2 \
|
2016-10-21 16:39:33 +00:00
|
|
|
|| o == OPT_TLS1_3 || o == OPT_DTLS || o == OPT_DTLS1 || o == OPT_DTLS1_2)
|
2016-07-07 10:05:31 +00:00
|
|
|
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
int s_server_main(int argc, char *argv[])
|
1998-12-21 10:52:47 +00:00
|
|
|
{
|
2016-03-18 18:02:17 +00:00
|
|
|
ENGINE *engine = NULL;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
EVP_PKEY *s_key = NULL, *s_dkey = NULL;
|
|
|
|
|
SSL_CONF_CTX *cctx = NULL;
|
2015-03-27 23:01:51 +00:00
|
|
|
const SSL_METHOD *meth = TLS_server_method();
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
SSL_EXCERT *exc = NULL;
|
|
|
|
|
STACK_OF(OPENSSL_STRING) *ssl_args = NULL;
|
|
|
|
|
STACK_OF(X509) *s_chain = NULL, *s_dchain = NULL;
|
|
|
|
|
STACK_OF(X509_CRL) *crls = NULL;
|
|
|
|
|
X509 *s_cert = NULL, *s_dcert = NULL;
|
2009-06-30 15:56:35 +00:00
|
|
|
X509_VERIFY_PARAM *vpm = NULL;
|
2019-03-07 14:26:34 +00:00
|
|
|
const char *CApath = NULL, *CAfile = NULL, *CAstore = NULL;
|
|
|
|
|
const char *chCApath = NULL, *chCAfile = NULL, *chCAstore = NULL;
|
2017-07-05 14:58:48 +00:00
|
|
|
char *dpassarg = NULL, *dpass = NULL;
|
2019-03-07 14:26:34 +00:00
|
|
|
char *passarg = NULL, *pass = NULL;
|
|
|
|
|
char *vfyCApath = NULL, *vfyCAfile = NULL, *vfyCAstore = NULL;
|
2015-05-15 08:42:08 +00:00
|
|
|
char *crl_file = NULL, *prog;
|
2016-02-02 23:47:42 +00:00
|
|
|
#ifdef AF_UNIX
|
s_client/s_server: support unix domain sockets
The "-unix <path>" argument allows s_server and s_client to use a unix
domain socket in the filesystem instead of IPv4 ("-connect", "-port",
"-accept", etc). If s_server exits gracefully, such as when "-naccept"
is used and the requested number of SSL/TLS connections have occurred,
then the domain socket file is removed. On ctrl-C, it is likely that
the stale socket file will be left over, such that s_server would
normally fail to restart with the same arguments. For this reason,
s_server also supports an "-unlink" option, which will clean up any
stale socket file before starting.
If you have any reason to want encrypted IPC within an O/S instance,
this concept might come in handy. Otherwise it just demonstrates that
there is nothing about SSL/TLS that limits it to TCP/IP in any way.
(There might also be benchmarking and profiling use in this path, as
unix domain sockets are much lower overhead than connecting over local
IP addresses).
Signed-off-by: Geoff Thorpe <geoff@openssl.org>
2014-04-26 05:22:54 +00:00
|
|
|
int unlink_unix_path = 0;
|
2014-07-01 11:44:00 +00:00
|
|
|
#endif
|
2016-02-14 03:33:56 +00:00
|
|
|
do_server_cb server_cb;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
int vpmtouched = 0, build_chain = 0, no_cache = 0, ext_cache = 0;
|
2016-08-03 20:49:25 +00:00
|
|
|
char *dhfile = NULL;
|
2015-09-19 21:03:15 +00:00
|
|
|
int no_dhe = 0;
|
2015-12-15 10:43:44 +00:00
|
|
|
int nocert = 0, ret = 1;
|
2019-03-07 14:26:34 +00:00
|
|
|
int noCApath = 0, noCAfile = 0, noCAstore = 0;
|
2021-04-30 14:57:53 +00:00
|
|
|
int s_cert_format = FORMAT_UNDEF, s_key_format = FORMAT_UNDEF;
|
|
|
|
|
int s_dcert_format = FORMAT_UNDEF, s_dkey_format = FORMAT_UNDEF;
|
2016-02-02 23:47:42 +00:00
|
|
|
int rev = 0, naccept = -1, sdebug = 0;
|
2017-04-20 08:56:56 +00:00
|
|
|
int socket_family = AF_UNSPEC, socket_type = SOCK_STREAM, protocol = 0;
|
2021-04-30 14:57:53 +00:00
|
|
|
int state = 0, crl_format = FORMAT_UNDEF, crl_download = 0;
|
2016-02-02 23:47:42 +00:00
|
|
|
char *host = NULL;
|
2022-02-09 15:04:25 +00:00
|
|
|
char *port = NULL;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
unsigned char *context = NULL;
|
|
|
|
|
OPTION_CHOICE o;
|
2006-01-02 23:14:37 +00:00
|
|
|
EVP_PKEY *s_key2 = NULL;
|
|
|
|
|
X509 *s_cert2 = NULL;
|
2006-01-11 06:10:40 +00:00
|
|
|
tlsextctx tlsextcbp = { NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING };
|
2015-07-08 22:09:52 +00:00
|
|
|
const char *ssl_config = NULL;
|
2016-01-13 14:20:25 +00:00
|
|
|
int read_buf_len = 0;
|
2015-05-15 09:49:56 +00:00
|
|
|
#ifndef OPENSSL_NO_NEXTPROTONEG
|
2010-07-28 10:06:55 +00:00
|
|
|
const char *next_proto_neg_in = NULL;
|
2013-09-12 00:22:00 +00:00
|
|
|
tlsextnextprotoctx next_proto = { NULL, 0 };
|
2015-05-15 09:49:56 +00:00
|
|
|
#endif
|
2013-04-15 22:07:47 +00:00
|
|
|
const char *alpn_in = NULL;
|
|
|
|
|
tlsextalpnctx alpn_ctx = { NULL, 0 };
|
2006-03-10 23:06:27 +00:00
|
|
|
#ifndef OPENSSL_NO_PSK
|
|
|
|
|
/* by default do not send a PSK identity hint */
|
2016-12-05 23:42:01 +00:00
|
|
|
char *psk_identity_hint = NULL;
|
2006-03-10 23:06:27 +00:00
|
|
|
#endif
|
2017-06-13 13:28:45 +00:00
|
|
|
char *p;
|
2011-03-12 17:01:19 +00:00
|
|
|
#ifndef OPENSSL_NO_SRP
|
|
|
|
|
char *srpuserseed = NULL;
|
|
|
|
|
char *srp_verifier_file = NULL;
|
|
|
|
|
#endif
|
2018-05-14 14:41:06 +00:00
|
|
|
#ifndef OPENSSL_NO_SRTP
|
2018-03-21 20:01:24 +00:00
|
|
|
char *srtp_profiles = NULL;
|
2018-05-14 14:41:06 +00:00
|
|
|
#endif
|
2016-07-07 10:05:31 +00:00
|
|
|
int min_version = 0, max_version = 0, prot_opt = 0, no_prot_opt = 0;
|
2016-08-03 20:49:25 +00:00
|
|
|
int s_server_verify = SSL_VERIFY_NONE;
|
|
|
|
|
int s_server_session_id_context = 1; /* anything will do */
|
|
|
|
|
const char *s_cert_file = TEST_CERT, *s_key_file = NULL, *s_chain_file = NULL;
|
|
|
|
|
const char *s_cert_file2 = TEST_CERT2, *s_key_file2 = NULL;
|
|
|
|
|
char *s_dcert_file = NULL, *s_dkey_file = NULL, *s_dchain_file = NULL;
|
2016-09-19 13:08:58 +00:00
|
|
|
#ifndef OPENSSL_NO_OCSP
|
|
|
|
|
int s_tlsextstatus = 0;
|
|
|
|
|
#endif
|
|
|
|
|
int no_resume_ephemeral = 0;
|
2017-04-06 21:47:18 +00:00
|
|
|
unsigned int max_send_fragment = 0;
|
2016-08-03 20:49:25 +00:00
|
|
|
unsigned int split_send_fragment = 0, max_pipelines = 0;
|
|
|
|
|
const char *s_serverinfo_file = NULL;
|
2017-02-01 18:14:27 +00:00
|
|
|
const char *keylog_file = NULL;
|
2018-07-05 14:42:36 +00:00
|
|
|
int max_early_data = -1, recv_max_early_data = -1;
|
2017-06-12 17:26:09 +00:00
|
|
|
char *psksessf = NULL;
|
2020-05-02 09:22:43 +00:00
|
|
|
int no_ca_names = 0;
|
2018-12-26 11:44:53 +00:00
|
|
|
#ifndef OPENSSL_NO_SCTP
|
|
|
|
|
int sctp_label_bug = 0;
|
|
|
|
|
#endif
|
2020-05-05 13:20:42 +00:00
|
|
|
int ignore_unexpected_eof = 0;
|
2021-09-15 03:39:51 +00:00
|
|
|
#ifndef OPENSSL_NO_KTLS
|
|
|
|
|
int enable_ktls = 0;
|
|
|
|
|
#endif
|
2021-09-08 20:23:04 +00:00
|
|
|
int tfo = 0;
|
2021-08-09 20:56:50 +00:00
|
|
|
int cert_comp = 0;
|
2021-01-27 19:23:33 +00:00
|
|
|
int enable_server_rpk = 0;
|
2016-08-03 20:49:25 +00:00
|
|
|
|
|
|
|
|
/* Init of few remaining global variables */
|
1998-12-21 10:52:47 +00:00
|
|
|
local_argc = argc;
|
|
|
|
|
local_argv = argv;
|
|
|
|
|
|
2016-08-03 20:49:25 +00:00
|
|
|
ctx = ctx2 = NULL;
|
|
|
|
|
s_nbio = s_nbio_test = 0;
|
|
|
|
|
www = 0;
|
|
|
|
|
bio_s_out = NULL;
|
|
|
|
|
s_debug = 0;
|
|
|
|
|
s_msg = 0;
|
|
|
|
|
s_quiet = 0;
|
|
|
|
|
s_brief = 0;
|
|
|
|
|
async = 0;
|
2020-03-13 03:24:05 +00:00
|
|
|
use_sendfile = 0;
|
2022-11-09 09:26:11 +00:00
|
|
|
use_zc_sendfile = 0;
|
2016-08-03 20:49:25 +00:00
|
|
|
|
2022-02-09 15:04:25 +00:00
|
|
|
port = OPENSSL_strdup(PORT);
|
2012-11-17 14:42:22 +00:00
|
|
|
cctx = SSL_CONF_CTX_new();
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
vpm = X509_VERIFY_PARAM_new();
|
2022-02-09 15:04:25 +00:00
|
|
|
if (port == NULL || cctx == NULL || vpm == NULL)
|
2012-11-17 14:42:22 +00:00
|
|
|
goto end;
|
2016-08-07 10:04:26 +00:00
|
|
|
SSL_CONF_CTX_set_flags(cctx,
|
|
|
|
|
SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CMDLINE);
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
|
|
|
|
|
prog = opt_init(argc, argv, s_server_options);
|
|
|
|
|
while ((o = opt_next()) != OPT_EOF) {
|
2016-07-07 10:05:31 +00:00
|
|
|
if (IS_PROT_FLAG(o) && ++prot_opt > 1) {
|
|
|
|
|
BIO_printf(bio_err, "Cannot supply multiple protocol flags\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
if (IS_NO_PROT_FLAG(o))
|
|
|
|
|
no_prot_opt++;
|
|
|
|
|
if (prot_opt == 1 && no_prot_opt) {
|
2016-08-07 10:04:26 +00:00
|
|
|
BIO_printf(bio_err,
|
|
|
|
|
"Cannot supply both a protocol flag and '-no_<prot>'\n");
|
2016-07-07 10:05:31 +00:00
|
|
|
goto end;
|
|
|
|
|
}
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
switch (o) {
|
|
|
|
|
case OPT_EOF:
|
|
|
|
|
case OPT_ERR:
|
|
|
|
|
opthelp:
|
|
|
|
|
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
|
|
|
|
|
goto end;
|
|
|
|
|
case OPT_HELP:
|
|
|
|
|
opt_help(s_server_options);
|
|
|
|
|
ret = 0;
|
|
|
|
|
goto end;
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2016-02-02 23:47:42 +00:00
|
|
|
case OPT_4:
|
|
|
|
|
#ifdef AF_UNIX
|
|
|
|
|
if (socket_family == AF_UNIX) {
|
|
|
|
|
OPENSSL_free(host); host = NULL;
|
|
|
|
|
OPENSSL_free(port); port = NULL;
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
socket_family = AF_INET;
|
|
|
|
|
break;
|
|
|
|
|
case OPT_6:
|
|
|
|
|
if (1) {
|
|
|
|
|
#ifdef AF_INET6
|
|
|
|
|
#ifdef AF_UNIX
|
|
|
|
|
if (socket_family == AF_UNIX) {
|
|
|
|
|
OPENSSL_free(host); host = NULL;
|
|
|
|
|
OPENSSL_free(port); port = NULL;
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
socket_family = AF_INET6;
|
|
|
|
|
} else {
|
|
|
|
|
#endif
|
|
|
|
|
BIO_printf(bio_err, "%s: IPv6 domain sockets unsupported\n", prog);
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
break;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
case OPT_PORT:
|
2016-02-02 23:47:42 +00:00
|
|
|
#ifdef AF_UNIX
|
|
|
|
|
if (socket_family == AF_UNIX) {
|
|
|
|
|
socket_family = AF_UNSPEC;
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
OPENSSL_free(port); port = NULL;
|
|
|
|
|
OPENSSL_free(host); host = NULL;
|
|
|
|
|
if (BIO_parse_hostserv(opt_arg(), NULL, &port, BIO_PARSE_PRIO_SERV) < 1) {
|
|
|
|
|
BIO_printf(bio_err,
|
|
|
|
|
"%s: -port argument malformed or ambiguous\n",
|
|
|
|
|
port);
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
case OPT_ACCEPT:
|
|
|
|
|
#ifdef AF_UNIX
|
|
|
|
|
if (socket_family == AF_UNIX) {
|
|
|
|
|
socket_family = AF_UNSPEC;
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
OPENSSL_free(port); port = NULL;
|
|
|
|
|
OPENSSL_free(host); host = NULL;
|
|
|
|
|
if (BIO_parse_hostserv(opt_arg(), &host, &port, BIO_PARSE_PRIO_SERV) < 1) {
|
|
|
|
|
BIO_printf(bio_err,
|
|
|
|
|
"%s: -accept argument malformed or ambiguous\n",
|
|
|
|
|
port);
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
goto end;
|
2016-02-02 23:47:42 +00:00
|
|
|
}
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
2016-02-02 23:47:42 +00:00
|
|
|
#ifdef AF_UNIX
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
case OPT_UNIX:
|
2016-02-02 23:47:42 +00:00
|
|
|
socket_family = AF_UNIX;
|
2019-10-17 19:45:34 +00:00
|
|
|
OPENSSL_free(host); host = OPENSSL_strdup(opt_arg());
|
2022-06-17 09:44:24 +00:00
|
|
|
if (host == NULL)
|
|
|
|
|
goto end;
|
2016-02-02 23:47:42 +00:00
|
|
|
OPENSSL_free(port); port = NULL;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_UNLINK:
|
s_client/s_server: support unix domain sockets
The "-unix <path>" argument allows s_server and s_client to use a unix
domain socket in the filesystem instead of IPv4 ("-connect", "-port",
"-accept", etc). If s_server exits gracefully, such as when "-naccept"
is used and the requested number of SSL/TLS connections have occurred,
then the domain socket file is removed. On ctrl-C, it is likely that
the stale socket file will be left over, such that s_server would
normally fail to restart with the same arguments. For this reason,
s_server also supports an "-unlink" option, which will clean up any
stale socket file before starting.
If you have any reason to want encrypted IPC within an O/S instance,
this concept might come in handy. Otherwise it just demonstrates that
there is nothing about SSL/TLS that limits it to TCP/IP in any way.
(There might also be benchmarking and profiling use in this path, as
unix domain sockets are much lower overhead than connecting over local
IP addresses).
Signed-off-by: Geoff Thorpe <geoff@openssl.org>
2014-04-26 05:22:54 +00:00
|
|
|
unlink_unix_path = 1;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
2016-02-02 23:47:42 +00:00
|
|
|
#endif
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
case OPT_NACCEPT:
|
|
|
|
|
naccept = atol(opt_arg());
|
|
|
|
|
break;
|
|
|
|
|
case OPT_VERIFY:
|
1998-12-21 10:56:39 +00:00
|
|
|
s_server_verify = SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
|
2016-08-01 19:30:57 +00:00
|
|
|
verify_args.depth = atoi(opt_arg());
|
2012-11-23 18:56:25 +00:00
|
|
|
if (!s_quiet)
|
2016-08-01 19:30:57 +00:00
|
|
|
BIO_printf(bio_err, "verify depth is %d\n", verify_args.depth);
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_UPPER_V_VERIFY:
|
1998-12-21 10:56:39 +00:00
|
|
|
s_server_verify =
|
|
|
|
|
SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT |
|
1998-12-21 10:52:47 +00:00
|
|
|
SSL_VERIFY_CLIENT_ONCE;
|
2016-08-01 19:30:57 +00:00
|
|
|
verify_args.depth = atoi(opt_arg());
|
2012-11-23 18:56:25 +00:00
|
|
|
if (!s_quiet)
|
|
|
|
|
BIO_printf(bio_err,
|
|
|
|
|
"verify depth is %d, must return a certificate\n",
|
2016-08-01 19:30:57 +00:00
|
|
|
verify_args.depth);
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_CONTEXT:
|
|
|
|
|
context = (unsigned char *)opt_arg();
|
|
|
|
|
break;
|
|
|
|
|
case OPT_CERT:
|
|
|
|
|
s_cert_file = opt_arg();
|
|
|
|
|
break;
|
2017-02-21 11:22:55 +00:00
|
|
|
case OPT_NAMEOPT:
|
|
|
|
|
if (!set_nameopt(opt_arg()))
|
|
|
|
|
goto end;
|
|
|
|
|
break;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
case OPT_CRL:
|
|
|
|
|
crl_file = opt_arg();
|
|
|
|
|
break;
|
|
|
|
|
case OPT_CRL_DOWNLOAD:
|
2012-12-12 03:35:31 +00:00
|
|
|
crl_download = 1;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_SERVERINFO:
|
|
|
|
|
s_serverinfo_file = opt_arg();
|
|
|
|
|
break;
|
|
|
|
|
case OPT_CERTFORM:
|
2020-05-06 11:51:50 +00:00
|
|
|
if (!opt_format(opt_arg(), OPT_FMT_ANY, &s_cert_format))
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
goto opthelp;
|
|
|
|
|
break;
|
|
|
|
|
case OPT_KEY:
|
|
|
|
|
s_key_file = opt_arg();
|
|
|
|
|
break;
|
|
|
|
|
case OPT_KEYFORM:
|
2020-05-06 11:51:50 +00:00
|
|
|
if (!opt_format(opt_arg(), OPT_FMT_ANY, &s_key_format))
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
goto opthelp;
|
|
|
|
|
break;
|
|
|
|
|
case OPT_PASS:
|
|
|
|
|
passarg = opt_arg();
|
|
|
|
|
break;
|
|
|
|
|
case OPT_CERT_CHAIN:
|
|
|
|
|
s_chain_file = opt_arg();
|
|
|
|
|
break;
|
|
|
|
|
case OPT_DHPARAM:
|
|
|
|
|
dhfile = opt_arg();
|
|
|
|
|
break;
|
|
|
|
|
case OPT_DCERTFORM:
|
2020-05-06 11:51:50 +00:00
|
|
|
if (!opt_format(opt_arg(), OPT_FMT_ANY, &s_dcert_format))
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
goto opthelp;
|
|
|
|
|
break;
|
|
|
|
|
case OPT_DCERT:
|
|
|
|
|
s_dcert_file = opt_arg();
|
|
|
|
|
break;
|
|
|
|
|
case OPT_DKEYFORM:
|
2020-05-06 11:51:50 +00:00
|
|
|
if (!opt_format(opt_arg(), OPT_FMT_ANY, &s_dkey_format))
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
goto opthelp;
|
|
|
|
|
break;
|
|
|
|
|
case OPT_DPASS:
|
|
|
|
|
dpassarg = opt_arg();
|
|
|
|
|
break;
|
|
|
|
|
case OPT_DKEY:
|
|
|
|
|
s_dkey_file = opt_arg();
|
|
|
|
|
break;
|
|
|
|
|
case OPT_DCERT_CHAIN:
|
|
|
|
|
s_dchain_file = opt_arg();
|
|
|
|
|
break;
|
|
|
|
|
case OPT_NOCERT:
|
1998-12-21 10:52:47 +00:00
|
|
|
nocert = 1;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_CAPATH:
|
|
|
|
|
CApath = opt_arg();
|
|
|
|
|
break;
|
2015-09-22 15:00:52 +00:00
|
|
|
case OPT_NOCAPATH:
|
|
|
|
|
noCApath = 1;
|
|
|
|
|
break;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
case OPT_CHAINCAPATH:
|
|
|
|
|
chCApath = opt_arg();
|
|
|
|
|
break;
|
|
|
|
|
case OPT_VERIFYCAPATH:
|
|
|
|
|
vfyCApath = opt_arg();
|
|
|
|
|
break;
|
2019-03-07 14:26:34 +00:00
|
|
|
case OPT_CASTORE:
|
|
|
|
|
CAstore = opt_arg();
|
|
|
|
|
break;
|
|
|
|
|
case OPT_NOCASTORE:
|
|
|
|
|
noCAstore = 1;
|
|
|
|
|
break;
|
|
|
|
|
case OPT_CHAINCASTORE:
|
|
|
|
|
chCAstore = opt_arg();
|
|
|
|
|
break;
|
|
|
|
|
case OPT_VERIFYCASTORE:
|
|
|
|
|
vfyCAstore = opt_arg();
|
|
|
|
|
break;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
case OPT_NO_CACHE:
|
2009-10-28 17:49:30 +00:00
|
|
|
no_cache = 1;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_EXT_CACHE:
|
2009-12-27 23:24:45 +00:00
|
|
|
ext_cache = 1;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_CRLFORM:
|
|
|
|
|
if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &crl_format))
|
|
|
|
|
goto opthelp;
|
|
|
|
|
break;
|
|
|
|
|
case OPT_S_CASES:
|
2018-01-31 16:40:03 +00:00
|
|
|
case OPT_S_NUM_TICKETS:
|
2018-06-15 13:55:06 +00:00
|
|
|
case OPT_ANTI_REPLAY:
|
|
|
|
|
case OPT_NO_ANTI_REPLAY:
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
if (ssl_args == NULL)
|
|
|
|
|
ssl_args = sk_OPENSSL_STRING_new_null();
|
|
|
|
|
if (ssl_args == NULL
|
|
|
|
|
|| !sk_OPENSSL_STRING_push(ssl_args, opt_flag())
|
|
|
|
|
|| !sk_OPENSSL_STRING_push(ssl_args, opt_arg())) {
|
|
|
|
|
BIO_printf(bio_err, "%s: Memory allocation failure\n", prog);
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
break;
|
|
|
|
|
case OPT_V_CASES:
|
|
|
|
|
if (!opt_verify(o, vpm))
|
|
|
|
|
goto end;
|
|
|
|
|
vpmtouched++;
|
|
|
|
|
break;
|
|
|
|
|
case OPT_X_CASES:
|
|
|
|
|
if (!args_excert(o, &exc))
|
|
|
|
|
goto end;
|
|
|
|
|
break;
|
|
|
|
|
case OPT_VERIFY_RET_ERROR:
|
2016-08-01 19:30:57 +00:00
|
|
|
verify_args.return_error = 1;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_VERIFY_QUIET:
|
2016-08-01 19:30:57 +00:00
|
|
|
verify_args.quiet = 1;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_BUILD_CHAIN:
|
2012-07-23 23:34:28 +00:00
|
|
|
build_chain = 1;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_CAFILE:
|
|
|
|
|
CAfile = opt_arg();
|
|
|
|
|
break;
|
2015-09-22 15:00:52 +00:00
|
|
|
case OPT_NOCAFILE:
|
|
|
|
|
noCAfile = 1;
|
|
|
|
|
break;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
case OPT_CHAINCAFILE:
|
|
|
|
|
chCAfile = opt_arg();
|
|
|
|
|
break;
|
|
|
|
|
case OPT_VERIFYCAFILE:
|
|
|
|
|
vfyCAfile = opt_arg();
|
|
|
|
|
break;
|
|
|
|
|
case OPT_NBIO:
|
1998-12-21 10:52:47 +00:00
|
|
|
s_nbio = 1;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_NBIO_TEST:
|
|
|
|
|
s_nbio = s_nbio_test = 1;
|
|
|
|
|
break;
|
|
|
|
|
case OPT_IGN_EOF:
|
2012-11-19 23:41:24 +00:00
|
|
|
s_ign_eof = 1;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_NO_IGN_EOF:
|
2012-11-19 23:41:24 +00:00
|
|
|
s_ign_eof = 0;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_DEBUG:
|
1998-12-21 10:52:47 +00:00
|
|
|
s_debug = 1;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_TLSEXTDEBUG:
|
2007-08-11 23:18:29 +00:00
|
|
|
s_tlsextdebug = 1;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_STATUS:
|
2016-09-19 13:08:58 +00:00
|
|
|
#ifndef OPENSSL_NO_OCSP
|
2007-09-26 21:56:59 +00:00
|
|
|
s_tlsextstatus = 1;
|
2016-09-19 13:08:58 +00:00
|
|
|
#endif
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_STATUS_VERBOSE:
|
2016-09-19 13:08:58 +00:00
|
|
|
#ifndef OPENSSL_NO_OCSP
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
s_tlsextstatus = tlscstatp.verbose = 1;
|
2016-09-19 13:08:58 +00:00
|
|
|
#endif
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_STATUS_TIMEOUT:
|
2016-09-19 13:08:58 +00:00
|
|
|
#ifndef OPENSSL_NO_OCSP
|
2007-09-26 21:56:59 +00:00
|
|
|
s_tlsextstatus = 1;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
tlscstatp.timeout = atoi(opt_arg());
|
2021-05-12 12:15:31 +00:00
|
|
|
#endif
|
|
|
|
|
break;
|
|
|
|
|
case OPT_PROXY:
|
|
|
|
|
#ifndef OPENSSL_NO_OCSP
|
|
|
|
|
tlscstatp.proxy = opt_arg();
|
|
|
|
|
#endif
|
|
|
|
|
break;
|
|
|
|
|
case OPT_NO_PROXY:
|
|
|
|
|
#ifndef OPENSSL_NO_OCSP
|
|
|
|
|
tlscstatp.no_proxy = opt_arg();
|
2016-09-19 13:08:58 +00:00
|
|
|
#endif
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_STATUS_URL:
|
2016-03-21 16:54:53 +00:00
|
|
|
#ifndef OPENSSL_NO_OCSP
|
2007-09-26 21:56:59 +00:00
|
|
|
s_tlsextstatus = 1;
|
2021-01-28 21:10:47 +00:00
|
|
|
if (!OSSL_HTTP_parse_url(opt_arg(), &tlscstatp.use_ssl, NULL,
|
2020-09-03 11:32:56 +00:00
|
|
|
&tlscstatp.host, &tlscstatp.port, NULL,
|
2021-01-28 21:10:47 +00:00
|
|
|
&tlscstatp.path, NULL, NULL)) {
|
|
|
|
|
BIO_printf(bio_err, "Error parsing -status_url argument\n");
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
goto end;
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
2016-11-15 14:22:29 +00:00
|
|
|
#endif
|
|
|
|
|
break;
|
|
|
|
|
case OPT_STATUS_FILE:
|
|
|
|
|
#ifndef OPENSSL_NO_OCSP
|
|
|
|
|
s_tlsextstatus = 1;
|
|
|
|
|
tlscstatp.respin = opt_arg();
|
2016-03-21 16:54:53 +00:00
|
|
|
#endif
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_MSG:
|
2001-10-20 17:56:36 +00:00
|
|
|
s_msg = 1;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_MSGFILE:
|
|
|
|
|
bio_s_msg = BIO_new_file(opt_arg(), "w");
|
2022-03-07 07:43:16 +00:00
|
|
|
if (bio_s_msg == NULL) {
|
|
|
|
|
BIO_printf(bio_err, "Error writing file %s\n", opt_arg());
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_TRACE:
|
2015-05-15 17:50:38 +00:00
|
|
|
#ifndef OPENSSL_NO_SSL_TRACE
|
2012-06-15 12:46:09 +00:00
|
|
|
s_msg = 2;
|
|
|
|
|
#endif
|
2016-02-29 16:53:18 +00:00
|
|
|
break;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
case OPT_SECURITY_DEBUG:
|
2014-02-17 00:10:00 +00:00
|
|
|
sdebug = 1;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_SECURITY_DEBUG_VERBOSE:
|
2014-02-17 00:10:00 +00:00
|
|
|
sdebug = 2;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_STATE:
|
1998-12-21 10:52:47 +00:00
|
|
|
state = 1;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_CRLF:
|
1999-08-07 02:51:10 +00:00
|
|
|
s_crlf = 1;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_QUIET:
|
2012-09-12 23:14:28 +00:00
|
|
|
s_quiet = 1;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_BRIEF:
|
2016-08-01 19:30:57 +00:00
|
|
|
s_quiet = s_brief = verify_args.quiet = 1;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_NO_DHE:
|
1999-07-12 17:15:42 +00:00
|
|
|
no_dhe = 1;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_NO_RESUME_EPHEMERAL:
|
2010-08-26 15:15:47 +00:00
|
|
|
no_resume_ephemeral = 1;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
2017-06-02 01:01:27 +00:00
|
|
|
case OPT_PSK_IDENTITY:
|
|
|
|
|
psk_identity = opt_arg();
|
|
|
|
|
break;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
case OPT_PSK_HINT:
|
2016-01-18 18:10:21 +00:00
|
|
|
#ifndef OPENSSL_NO_PSK
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
psk_identity_hint = opt_arg();
|
2016-01-18 18:10:21 +00:00
|
|
|
#endif
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_PSK:
|
|
|
|
|
for (p = psk_key = opt_arg(); *p; p++) {
|
2016-02-14 12:02:15 +00:00
|
|
|
if (isxdigit(_UC(*p)))
|
2006-03-10 23:06:27 +00:00
|
|
|
continue;
|
2019-01-31 07:16:20 +00:00
|
|
|
BIO_printf(bio_err, "Not a hex number '%s'\n", psk_key);
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
goto end;
|
2006-03-10 23:06:27 +00:00
|
|
|
}
|
2016-01-18 18:10:21 +00:00
|
|
|
break;
|
2017-06-12 17:26:09 +00:00
|
|
|
case OPT_PSK_SESS:
|
|
|
|
|
psksessf = opt_arg();
|
|
|
|
|
break;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
case OPT_SRPVFILE:
|
2016-01-18 18:10:21 +00:00
|
|
|
#ifndef OPENSSL_NO_SRP
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
srp_verifier_file = opt_arg();
|
2016-02-02 22:58:49 +00:00
|
|
|
if (min_version < TLS1_VERSION)
|
|
|
|
|
min_version = TLS1_VERSION;
|
2016-01-18 18:10:21 +00:00
|
|
|
#endif
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_SRPUSERSEED:
|
2016-01-18 18:10:21 +00:00
|
|
|
#ifndef OPENSSL_NO_SRP
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
srpuserseed = opt_arg();
|
2016-02-02 22:58:49 +00:00
|
|
|
if (min_version < TLS1_VERSION)
|
|
|
|
|
min_version = TLS1_VERSION;
|
2006-03-10 23:06:27 +00:00
|
|
|
#endif
|
2016-01-18 18:10:21 +00:00
|
|
|
break;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
case OPT_REV:
|
2012-09-14 13:27:05 +00:00
|
|
|
rev = 1;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_WWW:
|
1998-12-21 10:52:47 +00:00
|
|
|
www = 1;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_UPPER_WWW:
|
1998-12-21 10:52:47 +00:00
|
|
|
www = 2;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_HTTP:
|
2001-03-10 16:20:52 +00:00
|
|
|
www = 3;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
2015-07-08 22:09:52 +00:00
|
|
|
case OPT_SSL_CONFIG:
|
|
|
|
|
ssl_config = opt_arg();
|
|
|
|
|
break;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
case OPT_SSL3:
|
2016-02-02 22:58:49 +00:00
|
|
|
min_version = SSL3_VERSION;
|
|
|
|
|
max_version = SSL3_VERSION;
|
2015-05-15 17:50:38 +00:00
|
|
|
break;
|
2016-10-21 16:39:33 +00:00
|
|
|
case OPT_TLS1_3:
|
|
|
|
|
min_version = TLS1_3_VERSION;
|
|
|
|
|
max_version = TLS1_3_VERSION;
|
|
|
|
|
break;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
case OPT_TLS1_2:
|
2016-02-02 22:58:49 +00:00
|
|
|
min_version = TLS1_2_VERSION;
|
|
|
|
|
max_version = TLS1_2_VERSION;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_TLS1_1:
|
2016-02-02 22:58:49 +00:00
|
|
|
min_version = TLS1_1_VERSION;
|
|
|
|
|
max_version = TLS1_1_VERSION;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_TLS1:
|
2016-02-02 22:58:49 +00:00
|
|
|
min_version = TLS1_VERSION;
|
|
|
|
|
max_version = TLS1_VERSION;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_DTLS:
|
2016-01-18 18:10:21 +00:00
|
|
|
#ifndef OPENSSL_NO_DTLS
|
2015-05-06 10:17:07 +00:00
|
|
|
meth = DTLS_server_method();
|
2013-04-06 14:50:12 +00:00
|
|
|
socket_type = SOCK_DGRAM;
|
2016-01-18 18:10:21 +00:00
|
|
|
#endif
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_DTLS1:
|
2016-02-02 22:58:49 +00:00
|
|
|
#ifndef OPENSSL_NO_DTLS
|
|
|
|
|
meth = DTLS_server_method();
|
|
|
|
|
min_version = DTLS1_VERSION;
|
|
|
|
|
max_version = DTLS1_VERSION;
|
2006-01-02 23:29:12 +00:00
|
|
|
socket_type = SOCK_DGRAM;
|
2016-01-18 18:10:21 +00:00
|
|
|
#endif
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_DTLS1_2:
|
2016-02-02 22:58:49 +00:00
|
|
|
#ifndef OPENSSL_NO_DTLS
|
|
|
|
|
meth = DTLS_server_method();
|
|
|
|
|
min_version = DTLS1_2_VERSION;
|
|
|
|
|
max_version = DTLS1_2_VERSION;
|
2013-03-20 15:49:14 +00:00
|
|
|
socket_type = SOCK_DGRAM;
|
2017-04-20 08:56:56 +00:00
|
|
|
#endif
|
|
|
|
|
break;
|
|
|
|
|
case OPT_SCTP:
|
|
|
|
|
#ifndef OPENSSL_NO_SCTP
|
|
|
|
|
protocol = IPPROTO_SCTP;
|
2018-12-26 11:44:53 +00:00
|
|
|
#endif
|
|
|
|
|
break;
|
|
|
|
|
case OPT_SCTP_LABEL_BUG:
|
|
|
|
|
#ifndef OPENSSL_NO_SCTP
|
|
|
|
|
sctp_label_bug = 1;
|
2016-01-18 18:10:21 +00:00
|
|
|
#endif
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_TIMEOUT:
|
2016-01-18 18:10:21 +00:00
|
|
|
#ifndef OPENSSL_NO_DTLS
|
2005-04-26 16:02:40 +00:00
|
|
|
enable_timeouts = 1;
|
2016-01-18 18:10:21 +00:00
|
|
|
#endif
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_MTU:
|
2016-01-18 18:10:21 +00:00
|
|
|
#ifndef OPENSSL_NO_DTLS
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
socket_mtu = atol(opt_arg());
|
2016-01-18 18:10:21 +00:00
|
|
|
#endif
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
2015-04-09 09:01:05 +00:00
|
|
|
case OPT_LISTEN:
|
2016-01-18 18:10:21 +00:00
|
|
|
#ifndef OPENSSL_NO_DTLS
|
2015-04-09 09:01:05 +00:00
|
|
|
dtlslisten = 1;
|
1998-12-21 10:52:47 +00:00
|
|
|
#endif
|
2016-01-18 18:10:21 +00:00
|
|
|
break;
|
2017-12-29 17:37:04 +00:00
|
|
|
case OPT_STATELESS:
|
|
|
|
|
stateless = 1;
|
|
|
|
|
break;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
case OPT_ID_PREFIX:
|
|
|
|
|
session_id_prefix = opt_arg();
|
|
|
|
|
break;
|
|
|
|
|
case OPT_ENGINE:
|
2017-08-28 17:14:47 +00:00
|
|
|
#ifndef OPENSSL_NO_ENGINE
|
|
|
|
|
engine = setup_engine(opt_arg(), s_debug);
|
|
|
|
|
#endif
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
2017-07-05 14:58:48 +00:00
|
|
|
case OPT_R_CASES:
|
|
|
|
|
if (!opt_rand(o))
|
|
|
|
|
goto end;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
2020-02-25 04:29:30 +00:00
|
|
|
case OPT_PROV_CASES:
|
|
|
|
|
if (!opt_provider(o))
|
|
|
|
|
goto end;
|
|
|
|
|
break;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
case OPT_SERVERNAME:
|
|
|
|
|
tlsextcbp.servername = opt_arg();
|
|
|
|
|
break;
|
|
|
|
|
case OPT_SERVERNAME_FATAL:
|
2006-01-11 06:10:40 +00:00
|
|
|
tlsextcbp.extension_error = SSL_TLSEXT_ERR_ALERT_FATAL;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
|
case OPT_CERT2:
|
|
|
|
|
s_cert_file2 = opt_arg();
|
|
|
|
|
break;
|
|
|
|
|
case OPT_KEY2:
|
|
|
|
|
s_key_file2 = opt_arg();
|
|
|
|
|
break;
|
|
|
|
|
case OPT_NEXTPROTONEG:
|
2015-05-15 17:50:38 +00:00
|
|
|
# ifndef OPENSSL_NO_NEXTPROTONEG
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
next_proto_neg_in = opt_arg();
|
2015-05-15 09:49:56 +00:00
|
|
|
#endif
|
2015-05-15 17:50:38 +00:00
|
|
|
break;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
case OPT_ALPN:
|
|
|
|
|
alpn_in = opt_arg();
|
|
|
|
|
break;
|
|
|
|
|
case OPT_SRTP_PROFILES:
|
2018-05-14 14:41:06 +00:00
|
|
|
#ifndef OPENSSL_NO_SRTP
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
srtp_profiles = opt_arg();
|
2018-05-14 14:41:06 +00:00
|
|
|
#endif
|
2016-02-27 03:35:51 +00:00
|
|
|
break;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
case OPT_KEYMATEXPORT:
|
|
|
|
|
keymatexportlabel = opt_arg();
|
|
|
|
|
break;
|
|
|
|
|
case OPT_KEYMATEXPORTLEN:
|
|
|
|
|
keymatexportlen = atoi(opt_arg());
|
1998-12-21 10:52:47 +00:00
|
|
|
break;
|
2015-02-13 23:33:12 +00:00
|
|
|
case OPT_ASYNC:
|
|
|
|
|
async = 1;
|
|
|
|
|
break;
|
2017-04-06 21:47:18 +00:00
|
|
|
case OPT_MAX_SEND_FRAG:
|
|
|
|
|
max_send_fragment = atoi(opt_arg());
|
|
|
|
|
break;
|
2015-09-22 10:23:33 +00:00
|
|
|
case OPT_SPLIT_SEND_FRAG:
|
|
|
|
|
split_send_fragment = atoi(opt_arg());
|
|
|
|
|
break;
|
|
|
|
|
case OPT_MAX_PIPELINES:
|
|
|
|
|
max_pipelines = atoi(opt_arg());
|
|
|
|
|
break;
|
2016-01-13 14:20:25 +00:00
|
|
|
case OPT_READ_BUF:
|
|
|
|
|
read_buf_len = atoi(opt_arg());
|
|
|
|
|
break;
|
2017-02-01 18:14:27 +00:00
|
|
|
case OPT_KEYLOG_FILE:
|
|
|
|
|
keylog_file = opt_arg();
|
|
|
|
|
break;
|
2017-02-17 17:01:16 +00:00
|
|
|
case OPT_MAX_EARLY:
|
|
|
|
|
max_early_data = atoi(opt_arg());
|
2017-02-23 16:54:11 +00:00
|
|
|
if (max_early_data < 0) {
|
|
|
|
|
BIO_printf(bio_err, "Invalid value for max_early_data\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
2017-02-17 17:01:16 +00:00
|
|
|
break;
|
2018-07-05 14:42:36 +00:00
|
|
|
case OPT_RECV_MAX_EARLY:
|
|
|
|
|
recv_max_early_data = atoi(opt_arg());
|
|
|
|
|
if (recv_max_early_data < 0) {
|
|
|
|
|
BIO_printf(bio_err, "Invalid value for recv_max_early_data\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
break;
|
2017-02-22 15:24:11 +00:00
|
|
|
case OPT_EARLY_DATA:
|
|
|
|
|
early_data = 1;
|
Do not set a nonzero default max_early_data
When early data support was first added, this seemed like a good
idea, as it would allow applications to just add SSL_read_early_data()
calls as needed and have things "Just Work". However, for applications
that do not use TLS 1.3 early data, there is a negative side effect.
Having a nonzero max_early_data in a SSL_CTX (and thus, SSL objects
derived from it) means that when generating a session ticket,
tls_construct_stoc_early_data() will indicate to the client that
the server supports early data. This is true, in that the implementation
of TLS 1.3 (i.e., OpenSSL) does support early data, but does not
necessarily indicate that the server application supports early data,
when the default value is nonzero. In this case a well-intentioned
client would send early data along with its resumption attempt, which
would then be ignored by the server application, a waste of network
bandwidth.
Since, in order to successfully use TLS 1.3 early data, the application
must introduce calls to SSL_read_early_data(), it is not much additional
burden to require that the application also calls
SSL_{CTX_,}set_max_early_data() in order to enable the feature; doing
so closes this scenario where early data packets would be sent on
the wire but ignored.
Update SSL_read_early_data.pod accordingly, and make s_server and
our test programs into applications that are compliant with the new
requirements on applications that use early data.
Fixes #4725
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5483)
2018-02-28 20:49:59 +00:00
|
|
|
if (max_early_data == -1)
|
|
|
|
|
max_early_data = SSL3_RT_MAX_PLAIN_LENGTH;
|
2017-02-22 15:24:11 +00:00
|
|
|
break;
|
2019-05-08 23:16:19 +00:00
|
|
|
case OPT_HTTP_SERVER_BINMODE:
|
|
|
|
|
http_server_binmode = 1;
|
|
|
|
|
break;
|
2020-05-02 09:22:43 +00:00
|
|
|
case OPT_NOCANAMES:
|
|
|
|
|
no_ca_names = 1;
|
|
|
|
|
break;
|
2021-09-15 03:39:51 +00:00
|
|
|
case OPT_KTLS:
|
|
|
|
|
#ifndef OPENSSL_NO_KTLS
|
|
|
|
|
enable_ktls = 1;
|
|
|
|
|
#endif
|
|
|
|
|
break;
|
2020-03-13 03:24:05 +00:00
|
|
|
case OPT_SENDFILE:
|
|
|
|
|
#ifndef OPENSSL_NO_KTLS
|
|
|
|
|
use_sendfile = 1;
|
2022-11-09 09:26:11 +00:00
|
|
|
#endif
|
|
|
|
|
break;
|
|
|
|
|
case OPT_USE_ZC_SENDFILE:
|
|
|
|
|
#ifndef OPENSSL_NO_KTLS
|
|
|
|
|
use_zc_sendfile = 1;
|
2020-03-13 03:24:05 +00:00
|
|
|
#endif
|
|
|
|
|
break;
|
2020-05-05 13:20:42 +00:00
|
|
|
case OPT_IGNORE_UNEXPECTED_EOF:
|
|
|
|
|
ignore_unexpected_eof = 1;
|
|
|
|
|
break;
|
2021-09-08 20:23:04 +00:00
|
|
|
case OPT_TFO:
|
|
|
|
|
tfo = 1;
|
|
|
|
|
break;
|
2021-08-09 20:56:50 +00:00
|
|
|
case OPT_CERT_COMP:
|
|
|
|
|
cert_comp = 1;
|
|
|
|
|
break;
|
2021-01-27 19:23:33 +00:00
|
|
|
case OPT_ENABLE_SERVER_RPK:
|
|
|
|
|
enable_server_rpk = 1;
|
|
|
|
|
break;
|
|
|
|
|
case OPT_ENABLE_CLIENT_RPK:
|
|
|
|
|
enable_client_rpk = 1;
|
|
|
|
|
break;
|
1998-12-21 10:52:47 +00:00
|
|
|
}
|
|
|
|
|
}
|
2020-11-28 21:12:58 +00:00
|
|
|
|
|
|
|
|
/* No extra arguments. */
|
2021-08-27 13:33:18 +00:00
|
|
|
if (!opt_check_rest_arg(NULL))
|
2020-11-28 21:12:58 +00:00
|
|
|
goto opthelp;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
|
2021-04-03 10:53:51 +00:00
|
|
|
if (!app_RAND_load())
|
|
|
|
|
goto end;
|
|
|
|
|
|
2017-06-16 10:12:02 +00:00
|
|
|
#ifndef OPENSSL_NO_NEXTPROTONEG
|
|
|
|
|
if (min_version == TLS1_3_VERSION && next_proto_neg_in != NULL) {
|
|
|
|
|
BIO_printf(bio_err, "Cannot supply -nextprotoneg with TLSv1.3\n");
|
|
|
|
|
goto opthelp;
|
|
|
|
|
}
|
|
|
|
|
#endif
|
2015-12-12 10:12:22 +00:00
|
|
|
#ifndef OPENSSL_NO_DTLS
|
2014-07-15 11:22:49 +00:00
|
|
|
if (www && socket_type == SOCK_DGRAM) {
|
|
|
|
|
BIO_printf(bio_err, "Can't use -HTTP, -www or -WWW with DTLS\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
2015-04-09 09:01:05 +00:00
|
|
|
|
|
|
|
|
if (dtlslisten && socket_type != SOCK_DGRAM) {
|
|
|
|
|
BIO_printf(bio_err, "Can only use -listen with DTLS\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
2024-01-12 09:14:43 +00:00
|
|
|
|
|
|
|
|
if (rev && socket_type == SOCK_DGRAM) {
|
|
|
|
|
BIO_printf(bio_err, "Can't use -rev with DTLS\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
2014-07-15 11:22:49 +00:00
|
|
|
#endif
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2021-09-08 20:23:04 +00:00
|
|
|
if (tfo && socket_type != SOCK_STREAM) {
|
|
|
|
|
BIO_printf(bio_err, "Can only use -tfo with TLS\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
2017-12-29 17:37:04 +00:00
|
|
|
if (stateless && socket_type != SOCK_STREAM) {
|
|
|
|
|
BIO_printf(bio_err, "Can only use --stateless with TLS\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
2016-02-02 23:47:42 +00:00
|
|
|
#ifdef AF_UNIX
|
|
|
|
|
if (socket_family == AF_UNIX && socket_type != SOCK_STREAM) {
|
s_client/s_server: support unix domain sockets
The "-unix <path>" argument allows s_server and s_client to use a unix
domain socket in the filesystem instead of IPv4 ("-connect", "-port",
"-accept", etc). If s_server exits gracefully, such as when "-naccept"
is used and the requested number of SSL/TLS connections have occurred,
then the domain socket file is removed. On ctrl-C, it is likely that
the stale socket file will be left over, such that s_server would
normally fail to restart with the same arguments. For this reason,
s_server also supports an "-unlink" option, which will clean up any
stale socket file before starting.
If you have any reason to want encrypted IPC within an O/S instance,
this concept might come in handy. Otherwise it just demonstrates that
there is nothing about SSL/TLS that limits it to TCP/IP in any way.
(There might also be benchmarking and profiling use in this path, as
unix domain sockets are much lower overhead than connecting over local
IP addresses).
Signed-off-by: Geoff Thorpe <geoff@openssl.org>
2014-04-26 05:22:54 +00:00
|
|
|
BIO_printf(bio_err,
|
|
|
|
|
"Can't use unix sockets and datagrams together\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
2016-02-02 23:47:42 +00:00
|
|
|
#endif
|
2018-09-12 16:11:10 +00:00
|
|
|
if (early_data && (www > 0 || rev)) {
|
|
|
|
|
BIO_printf(bio_err,
|
|
|
|
|
"Can't use -early_data in combination with -www, -WWW, -HTTP, or -rev\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
2008-11-30 22:01:31 +00:00
|
|
|
|
2017-04-20 08:56:56 +00:00
|
|
|
#ifndef OPENSSL_NO_SCTP
|
|
|
|
|
if (protocol == IPPROTO_SCTP) {
|
|
|
|
|
if (socket_type != SOCK_DGRAM) {
|
|
|
|
|
BIO_printf(bio_err, "Can't use -sctp without DTLS\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
/* SCTP is unusual. It uses DTLS over a SOCK_STREAM protocol */
|
|
|
|
|
socket_type = SOCK_STREAM;
|
|
|
|
|
}
|
|
|
|
|
#endif
|
2015-09-22 10:23:33 +00:00
|
|
|
|
2020-03-13 03:24:05 +00:00
|
|
|
#ifndef OPENSSL_NO_KTLS
|
2022-11-09 09:26:11 +00:00
|
|
|
if (use_zc_sendfile && !use_sendfile) {
|
|
|
|
|
BIO_printf(bio_out, "Warning: -zerocopy_sendfile depends on -sendfile, enabling -sendfile now.\n");
|
|
|
|
|
use_sendfile = 1;
|
|
|
|
|
}
|
|
|
|
|
|
2021-09-15 03:39:51 +00:00
|
|
|
if (use_sendfile && enable_ktls == 0) {
|
|
|
|
|
BIO_printf(bio_out, "Warning: -sendfile depends on -ktls, enabling -ktls now.\n");
|
|
|
|
|
enable_ktls = 1;
|
|
|
|
|
}
|
|
|
|
|
|
2020-03-13 03:24:05 +00:00
|
|
|
if (use_sendfile && www <= 1) {
|
|
|
|
|
BIO_printf(bio_err, "Can't use -sendfile without -WWW or -HTTP\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
if (!app_passwd(passarg, dpassarg, &pass, &dpass)) {
|
2004-11-16 17:30:59 +00:00
|
|
|
BIO_printf(bio_err, "Error getting password\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (s_key_file == NULL)
|
|
|
|
|
s_key_file = s_cert_file;
|
2015-05-15 09:49:56 +00:00
|
|
|
|
2006-01-02 23:14:37 +00:00
|
|
|
if (s_key_file2 == NULL)
|
2005-09-02 12:44:59 +00:00
|
|
|
s_key_file2 = s_cert_file2;
|
2006-01-02 23:14:37 +00:00
|
|
|
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
if (!load_excert(&exc))
|
2012-06-29 14:24:42 +00:00
|
|
|
goto end;
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2006-01-02 23:14:37 +00:00
|
|
|
if (nocert == 0) {
|
2016-03-18 18:02:17 +00:00
|
|
|
s_key = load_key(s_key_file, s_key_format, 0, pass, engine,
|
2020-09-16 23:39:00 +00:00
|
|
|
"server certificate private key");
|
2020-04-22 12:58:41 +00:00
|
|
|
if (s_key == NULL)
|
2006-01-02 23:14:37 +00:00
|
|
|
goto end;
|
2004-11-16 17:30:59 +00:00
|
|
|
|
2021-04-30 14:57:53 +00:00
|
|
|
s_cert = load_cert_pass(s_cert_file, s_cert_format, 1, pass,
|
|
|
|
|
"server certificate");
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2020-04-22 12:58:41 +00:00
|
|
|
if (s_cert == NULL)
|
2012-06-29 14:24:42 +00:00
|
|
|
goto end;
|
2017-06-12 17:24:02 +00:00
|
|
|
if (s_chain_file != NULL) {
|
2021-03-05 20:05:35 +00:00
|
|
|
if (!load_certs(s_chain_file, 0, &s_chain, NULL,
|
2016-01-16 05:08:38 +00:00
|
|
|
"server certificate chain"))
|
2005-09-02 12:44:59 +00:00
|
|
|
goto end;
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
2015-05-15 09:49:56 +00:00
|
|
|
|
2017-06-12 17:24:02 +00:00
|
|
|
if (tlsextcbp.servername != NULL) {
|
2016-03-18 18:02:17 +00:00
|
|
|
s_key2 = load_key(s_key_file2, s_key_format, 0, pass, engine,
|
2020-09-16 23:39:00 +00:00
|
|
|
"second server certificate private key");
|
2020-04-22 12:58:41 +00:00
|
|
|
if (s_key2 == NULL)
|
2005-09-02 12:44:59 +00:00
|
|
|
goto end;
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2021-04-30 14:57:53 +00:00
|
|
|
s_cert2 = load_cert_pass(s_cert_file2, s_cert_format, 1, pass,
|
2020-09-16 23:39:00 +00:00
|
|
|
"second server certificate");
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2020-04-22 12:58:41 +00:00
|
|
|
if (s_cert2 == NULL)
|
2012-04-11 16:53:11 +00:00
|
|
|
goto end;
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
|
|
|
|
}
|
2015-05-15 09:49:56 +00:00
|
|
|
#if !defined(OPENSSL_NO_NEXTPROTONEG)
|
2012-07-03 16:37:50 +00:00
|
|
|
if (next_proto_neg_in) {
|
2016-12-05 23:42:01 +00:00
|
|
|
next_proto.data = next_protos_parse(&next_proto.len, next_proto_neg_in);
|
2012-07-03 16:37:50 +00:00
|
|
|
if (next_proto.data == NULL)
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
2015-05-15 09:49:56 +00:00
|
|
|
#endif
|
2013-04-15 22:07:47 +00:00
|
|
|
alpn_ctx.data = NULL;
|
|
|
|
|
if (alpn_in) {
|
2016-12-05 23:42:01 +00:00
|
|
|
alpn_ctx.data = next_protos_parse(&alpn_ctx.len, alpn_in);
|
2013-04-15 22:07:47 +00:00
|
|
|
if (alpn_ctx.data == NULL)
|
2012-12-02 16:16:28 +00:00
|
|
|
goto end;
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
|
|
|
|
|
2017-06-12 17:24:02 +00:00
|
|
|
if (crl_file != NULL) {
|
2012-12-02 16:16:28 +00:00
|
|
|
X509_CRL *crl;
|
2021-04-30 14:57:53 +00:00
|
|
|
crl = load_crl(crl_file, crl_format, 0, "CRL");
|
2017-12-15 19:50:37 +00:00
|
|
|
if (crl == NULL)
|
2004-11-16 17:30:59 +00:00
|
|
|
goto end;
|
2012-04-11 16:53:11 +00:00
|
|
|
crls = sk_X509_CRL_new_null();
|
2017-06-12 17:24:02 +00:00
|
|
|
if (crls == NULL || !sk_X509_CRL_push(crls, crl)) {
|
2001-02-15 10:22:07 +00:00
|
|
|
BIO_puts(bio_err, "Error adding CRL\n");
|
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
|
X509_CRL_free(crl);
|
|
|
|
|
goto end;
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2017-06-12 17:24:02 +00:00
|
|
|
if (s_dcert_file != NULL) {
|
1998-12-21 10:52:47 +00:00
|
|
|
|
2004-11-16 17:30:59 +00:00
|
|
|
if (s_dkey_file == NULL)
|
|
|
|
|
s_dkey_file = s_dcert_file;
|
2015-01-22 03:40:55 +00:00
|
|
|
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
s_dkey = load_key(s_dkey_file, s_dkey_format,
|
2020-09-16 23:39:00 +00:00
|
|
|
0, dpass, engine, "second certificate private key");
|
2020-04-22 12:58:41 +00:00
|
|
|
if (s_dkey == NULL)
|
2013-04-15 22:07:47 +00:00
|
|
|
goto end;
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2021-04-30 14:57:53 +00:00
|
|
|
s_dcert = load_cert_pass(s_dcert_file, s_dcert_format, 1, dpass,
|
2020-10-24 14:31:57 +00:00
|
|
|
"second server certificate");
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2017-06-12 17:24:02 +00:00
|
|
|
if (s_dcert == NULL) {
|
2012-12-02 16:16:28 +00:00
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
|
goto end;
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
2017-06-12 17:24:02 +00:00
|
|
|
if (s_dchain_file != NULL) {
|
2021-03-05 20:05:35 +00:00
|
|
|
if (!load_certs(s_dchain_file, 0, &s_dchain, NULL,
|
2016-01-16 05:08:38 +00:00
|
|
|
"second server certificate chain"))
|
2012-12-02 16:16:28 +00:00
|
|
|
goto end;
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
1998-12-21 10:52:47 +00:00
|
|
|
if (bio_s_out == NULL) {
|
2012-09-12 23:14:28 +00:00
|
|
|
if (s_quiet && !s_debug) {
|
1998-12-21 10:52:47 +00:00
|
|
|
bio_s_out = BIO_new(BIO_s_null());
|
2022-01-05 07:54:10 +00:00
|
|
|
if (s_msg && bio_s_msg == NULL) {
|
2015-09-06 10:20:12 +00:00
|
|
|
bio_s_msg = dup_bio_out(FORMAT_TEXT);
|
2022-01-05 07:54:10 +00:00
|
|
|
if (bio_s_msg == NULL) {
|
|
|
|
|
BIO_printf(bio_err, "Out of memory\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
} else {
|
2022-02-16 03:27:23 +00:00
|
|
|
bio_s_out = dup_bio_out(FORMAT_TEXT);
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
|
|
|
|
}
|
2022-02-16 03:27:23 +00:00
|
|
|
|
|
|
|
|
if (bio_s_out == NULL)
|
|
|
|
|
goto end;
|
|
|
|
|
|
2020-12-02 17:27:03 +00:00
|
|
|
if (nocert) {
|
1998-12-21 10:52:47 +00:00
|
|
|
s_cert_file = NULL;
|
|
|
|
|
s_key_file = NULL;
|
1998-12-21 10:56:39 +00:00
|
|
|
s_dcert_file = NULL;
|
|
|
|
|
s_dkey_file = NULL;
|
2006-01-02 23:14:37 +00:00
|
|
|
s_cert_file2 = NULL;
|
|
|
|
|
s_key_file2 = NULL;
|
1998-12-21 10:52:47 +00:00
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2021-02-15 19:07:27 +00:00
|
|
|
ctx = SSL_CTX_new_ex(app_get0_libctx(), app_get0_propq(), meth);
|
1998-12-21 10:52:47 +00:00
|
|
|
if (ctx == NULL) {
|
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
2018-05-15 17:01:41 +00:00
|
|
|
|
|
|
|
|
SSL_CTX_clear_mode(ctx, SSL_MODE_AUTO_RETRY);
|
|
|
|
|
|
2016-02-09 15:55:42 +00:00
|
|
|
if (sdebug)
|
|
|
|
|
ssl_ctx_security_debug(ctx, sdebug);
|
2018-03-19 19:33:50 +00:00
|
|
|
|
|
|
|
|
if (!config_ctx(cctx, ssl_args, ctx))
|
|
|
|
|
goto end;
|
|
|
|
|
|
2015-07-08 22:09:52 +00:00
|
|
|
if (ssl_config) {
|
|
|
|
|
if (SSL_CTX_config(ctx, ssl_config) == 0) {
|
|
|
|
|
BIO_printf(bio_err, "Error using configuration \"%s\"\n",
|
|
|
|
|
ssl_config);
|
2016-08-07 10:04:26 +00:00
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
|
goto end;
|
2015-07-08 22:09:52 +00:00
|
|
|
}
|
|
|
|
|
}
|
2018-12-26 11:44:53 +00:00
|
|
|
#ifndef OPENSSL_NO_SCTP
|
|
|
|
|
if (protocol == IPPROTO_SCTP && sctp_label_bug == 1)
|
|
|
|
|
SSL_CTX_set_mode(ctx, SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG);
|
|
|
|
|
#endif
|
|
|
|
|
|
2018-03-19 19:33:50 +00:00
|
|
|
if (min_version != 0
|
|
|
|
|
&& SSL_CTX_set_min_proto_version(ctx, min_version) == 0)
|
2016-02-02 22:58:49 +00:00
|
|
|
goto end;
|
2018-03-19 19:33:50 +00:00
|
|
|
if (max_version != 0
|
|
|
|
|
&& SSL_CTX_set_max_proto_version(ctx, max_version) == 0)
|
2016-02-02 22:58:49 +00:00
|
|
|
goto end;
|
2015-07-08 22:09:52 +00:00
|
|
|
|
2001-02-21 18:38:48 +00:00
|
|
|
if (session_id_prefix) {
|
|
|
|
|
if (strlen(session_id_prefix) >= 32)
|
|
|
|
|
BIO_printf(bio_err,
|
|
|
|
|
"warning: id_prefix is too long, only one new session will be possible\n");
|
|
|
|
|
if (!SSL_CTX_set_generate_session_id(ctx, generate_session_id)) {
|
|
|
|
|
BIO_printf(bio_err, "error setting 'id_prefix'\n");
|
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
BIO_printf(bio_err, "id_prefix '%s' set.\n", session_id_prefix);
|
|
|
|
|
}
|
2017-06-12 17:24:02 +00:00
|
|
|
if (exc != NULL)
|
2012-06-29 14:24:42 +00:00
|
|
|
ssl_ctx_set_excert(ctx, exc);
|
2015-01-22 03:40:55 +00:00
|
|
|
|
1998-12-21 10:52:47 +00:00
|
|
|
if (state)
|
|
|
|
|
SSL_CTX_set_info_callback(ctx, apps_ssl_info_callback);
|
2009-10-28 17:49:30 +00:00
|
|
|
if (no_cache)
|
|
|
|
|
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
|
2009-12-27 23:24:45 +00:00
|
|
|
else if (ext_cache)
|
|
|
|
|
init_session_cache_ctx(ctx);
|
2009-10-28 17:49:30 +00:00
|
|
|
else
|
|
|
|
|
SSL_CTX_sess_set_cache_size(ctx, 128);
|
1998-12-21 10:56:39 +00:00
|
|
|
|
2015-07-22 16:50:51 +00:00
|
|
|
if (async) {
|
2015-02-13 23:33:12 +00:00
|
|
|
SSL_CTX_set_mode(ctx, SSL_MODE_ASYNC);
|
2015-07-22 16:50:51 +00:00
|
|
|
}
|
2017-04-06 21:47:18 +00:00
|
|
|
|
2020-05-02 09:22:43 +00:00
|
|
|
if (no_ca_names) {
|
|
|
|
|
SSL_CTX_set_options(ctx, SSL_OP_DISABLE_TLSEXT_CA_NAMES);
|
|
|
|
|
}
|
|
|
|
|
|
2020-05-05 13:20:42 +00:00
|
|
|
if (ignore_unexpected_eof)
|
|
|
|
|
SSL_CTX_set_options(ctx, SSL_OP_IGNORE_UNEXPECTED_EOF);
|
2021-09-15 03:39:51 +00:00
|
|
|
#ifndef OPENSSL_NO_KTLS
|
|
|
|
|
if (enable_ktls)
|
|
|
|
|
SSL_CTX_set_options(ctx, SSL_OP_ENABLE_KTLS);
|
2022-11-09 09:26:11 +00:00
|
|
|
if (use_zc_sendfile)
|
|
|
|
|
SSL_CTX_set_options(ctx, SSL_OP_ENABLE_KTLS_TX_ZEROCOPY_SENDFILE);
|
2021-09-15 03:39:51 +00:00
|
|
|
#endif
|
2020-05-05 13:20:42 +00:00
|
|
|
|
2017-04-07 17:15:38 +00:00
|
|
|
if (max_send_fragment > 0
|
|
|
|
|
&& !SSL_CTX_set_max_send_fragment(ctx, max_send_fragment)) {
|
|
|
|
|
BIO_printf(bio_err, "%s: Max send fragment size %u is out of permitted range\n",
|
|
|
|
|
prog, max_send_fragment);
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
2017-04-06 21:47:18 +00:00
|
|
|
|
2017-04-07 17:15:38 +00:00
|
|
|
if (split_send_fragment > 0
|
|
|
|
|
&& !SSL_CTX_set_split_send_fragment(ctx, split_send_fragment)) {
|
|
|
|
|
BIO_printf(bio_err, "%s: Split send fragment size %u is out of permitted range\n",
|
|
|
|
|
prog, split_send_fragment);
|
|
|
|
|
goto end;
|
2015-09-22 10:23:33 +00:00
|
|
|
}
|
2017-04-07 17:15:38 +00:00
|
|
|
if (max_pipelines > 0
|
|
|
|
|
&& !SSL_CTX_set_max_pipelines(ctx, max_pipelines)) {
|
|
|
|
|
BIO_printf(bio_err, "%s: Max pipelines %u is out of permitted range\n",
|
|
|
|
|
prog, max_pipelines);
|
|
|
|
|
goto end;
|
2015-09-22 10:23:33 +00:00
|
|
|
}
|
2015-02-13 23:33:12 +00:00
|
|
|
|
2016-01-13 14:20:25 +00:00
|
|
|
if (read_buf_len > 0) {
|
|
|
|
|
SSL_CTX_set_default_read_buffer_len(ctx, read_buf_len);
|
|
|
|
|
}
|
2014-12-22 11:15:51 +00:00
|
|
|
#ifndef OPENSSL_NO_SRTP
|
2015-03-06 14:39:46 +00:00
|
|
|
if (srtp_profiles != NULL) {
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
/* Returns 0 on success! */
|
|
|
|
|
if (SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles) != 0) {
|
2015-03-06 14:39:46 +00:00
|
|
|
BIO_printf(bio_err, "Error setting SRTP profile\n");
|
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
}
|
2014-12-22 11:15:51 +00:00
|
|
|
#endif
|
2011-11-15 22:59:20 +00:00
|
|
|
|
2019-03-07 14:26:34 +00:00
|
|
|
if (!ctx_set_verify_locations(ctx, CAfile, noCAfile, CApath, noCApath,
|
|
|
|
|
CAstore, noCAstore)) {
|
1998-12-21 10:52:47 +00:00
|
|
|
ERR_print_errors(bio_err);
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
goto end;
|
1998-12-21 10:52:47 +00:00
|
|
|
}
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
if (vpmtouched && !SSL_CTX_set1_param(ctx, vpm)) {
|
|
|
|
|
BIO_printf(bio_err, "Error setting verify params\n");
|
2015-03-06 14:39:46 +00:00
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2012-12-06 18:43:40 +00:00
|
|
|
ssl_ctx_add_crls(ctx, crls, 0);
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2019-03-07 14:26:34 +00:00
|
|
|
if (!ssl_load_stores(ctx,
|
|
|
|
|
vfyCApath, vfyCAfile, vfyCAstore,
|
|
|
|
|
chCApath, chCAfile, chCAstore,
|
2012-12-12 03:35:31 +00:00
|
|
|
crls, crl_download)) {
|
2012-07-23 23:34:28 +00:00
|
|
|
BIO_printf(bio_err, "Error loading store locations\n");
|
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
2015-05-15 09:49:56 +00:00
|
|
|
|
2006-01-02 23:29:12 +00:00
|
|
|
if (s_cert2) {
|
2021-02-15 19:07:27 +00:00
|
|
|
ctx2 = SSL_CTX_new_ex(app_get0_libctx(), app_get0_propq(), meth);
|
2006-01-02 23:29:12 +00:00
|
|
|
if (ctx2 == NULL) {
|
2006-01-02 23:14:37 +00:00
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
|
goto end;
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
2006-01-02 23:14:37 +00:00
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2017-06-12 17:24:02 +00:00
|
|
|
if (ctx2 != NULL) {
|
2006-01-02 23:29:12 +00:00
|
|
|
BIO_printf(bio_s_out, "Setting secondary ctx parameters\n");
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2014-02-17 00:10:00 +00:00
|
|
|
if (sdebug)
|
2020-03-20 19:17:50 +00:00
|
|
|
ssl_ctx_security_debug(ctx2, sdebug);
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2006-01-02 23:29:12 +00:00
|
|
|
if (session_id_prefix) {
|
|
|
|
|
if (strlen(session_id_prefix) >= 32)
|
|
|
|
|
BIO_printf(bio_err,
|
|
|
|
|
"warning: id_prefix is too long, only one new session will be possible\n");
|
|
|
|
|
if (!SSL_CTX_set_generate_session_id(ctx2, generate_session_id)) {
|
|
|
|
|
BIO_printf(bio_err, "error setting 'id_prefix'\n");
|
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
BIO_printf(bio_err, "id_prefix '%s' set.\n", session_id_prefix);
|
|
|
|
|
}
|
2017-06-12 17:24:02 +00:00
|
|
|
if (exc != NULL)
|
2012-06-29 14:24:42 +00:00
|
|
|
ssl_ctx_set_excert(ctx2, exc);
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2006-01-02 23:29:12 +00:00
|
|
|
if (state)
|
|
|
|
|
SSL_CTX_set_info_callback(ctx2, apps_ssl_info_callback);
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2009-10-28 17:49:30 +00:00
|
|
|
if (no_cache)
|
|
|
|
|
SSL_CTX_set_session_cache_mode(ctx2, SSL_SESS_CACHE_OFF);
|
2009-12-27 23:24:45 +00:00
|
|
|
else if (ext_cache)
|
|
|
|
|
init_session_cache_ctx(ctx2);
|
2009-10-28 17:49:30 +00:00
|
|
|
else
|
|
|
|
|
SSL_CTX_sess_set_cache_size(ctx2, 128);
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2015-02-13 23:33:12 +00:00
|
|
|
if (async)
|
2015-07-24 07:15:31 +00:00
|
|
|
SSL_CTX_set_mode(ctx2, SSL_MODE_ASYNC);
|
2015-02-13 23:33:12 +00:00
|
|
|
|
2019-03-07 14:26:34 +00:00
|
|
|
if (!ctx_set_verify_locations(ctx2, CAfile, noCAfile, CApath,
|
|
|
|
|
noCApath, CAstore, noCAstore)) {
|
2006-01-02 23:14:37 +00:00
|
|
|
ERR_print_errors(bio_err);
|
2016-05-23 17:13:16 +00:00
|
|
|
goto end;
|
2006-01-02 23:29:12 +00:00
|
|
|
}
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
if (vpmtouched && !SSL_CTX_set1_param(ctx2, vpm)) {
|
|
|
|
|
BIO_printf(bio_err, "Error setting verify params\n");
|
2015-03-06 14:39:46 +00:00
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
2010-07-28 10:06:55 +00:00
|
|
|
|
2012-12-06 18:43:40 +00:00
|
|
|
ssl_ctx_add_crls(ctx2, crls, 0);
|
2016-02-14 05:17:59 +00:00
|
|
|
if (!config_ctx(cctx, ssl_args, ctx2))
|
2012-11-17 14:42:22 +00:00
|
|
|
goto end;
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
2015-05-15 09:49:56 +00:00
|
|
|
#ifndef OPENSSL_NO_NEXTPROTONEG
|
2010-07-28 10:06:55 +00:00
|
|
|
if (next_proto.data)
|
|
|
|
|
SSL_CTX_set_next_protos_advertised_cb(ctx, next_proto_cb,
|
|
|
|
|
&next_proto);
|
2015-05-15 09:49:56 +00:00
|
|
|
#endif
|
2013-04-15 22:07:47 +00:00
|
|
|
if (alpn_ctx.data)
|
|
|
|
|
SSL_CTX_set_alpn_select_cb(ctx, alpn_cb, &alpn_ctx);
|
2006-01-02 23:29:12 +00:00
|
|
|
|
1999-07-12 17:15:42 +00:00
|
|
|
if (!no_dhe) {
|
2020-10-15 15:45:54 +00:00
|
|
|
EVP_PKEY *dhpkey = NULL;
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2017-06-12 17:24:02 +00:00
|
|
|
if (dhfile != NULL)
|
2021-04-30 14:57:53 +00:00
|
|
|
dhpkey = load_keyparams(dhfile, FORMAT_UNDEF, 0, "DH", "DH parameters");
|
2017-06-12 17:24:02 +00:00
|
|
|
else if (s_cert_file != NULL)
|
2021-06-09 07:34:55 +00:00
|
|
|
dhpkey = load_keyparams_suppress(s_cert_file, FORMAT_UNDEF, 0, "DH",
|
|
|
|
|
"DH parameters", 1);
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2020-10-15 15:45:54 +00:00
|
|
|
if (dhpkey != NULL) {
|
1999-07-12 17:15:42 +00:00
|
|
|
BIO_printf(bio_s_out, "Setting temp DH parameters\n");
|
|
|
|
|
} else {
|
|
|
|
|
BIO_printf(bio_s_out, "Using default temp DH parameters\n");
|
|
|
|
|
}
|
|
|
|
|
(void)BIO_flush(bio_s_out);
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2020-10-15 15:45:54 +00:00
|
|
|
if (dhpkey == NULL) {
|
2014-01-22 16:22:48 +00:00
|
|
|
SSL_CTX_set_dh_auto(ctx, 1);
|
2020-10-15 15:45:54 +00:00
|
|
|
} else {
|
|
|
|
|
/*
|
|
|
|
|
* We need 2 references: one for use by ctx and one for use by
|
|
|
|
|
* ctx2
|
|
|
|
|
*/
|
|
|
|
|
if (!EVP_PKEY_up_ref(dhpkey)) {
|
|
|
|
|
EVP_PKEY_free(dhpkey);
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
if (!SSL_CTX_set0_tmp_dh_pkey(ctx, dhpkey)) {
|
|
|
|
|
BIO_puts(bio_err, "Error setting temp DH parameters\n");
|
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
|
/* Free 2 references */
|
|
|
|
|
EVP_PKEY_free(dhpkey);
|
|
|
|
|
EVP_PKEY_free(dhpkey);
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
2020-10-14 16:30:17 +00:00
|
|
|
}
|
2015-05-15 09:49:56 +00:00
|
|
|
|
2017-06-12 17:24:02 +00:00
|
|
|
if (ctx2 != NULL) {
|
2020-10-15 15:45:54 +00:00
|
|
|
if (dhfile != NULL) {
|
2021-06-09 07:34:55 +00:00
|
|
|
EVP_PKEY *dhpkey2 = load_keyparams_suppress(s_cert_file2,
|
|
|
|
|
FORMAT_UNDEF,
|
|
|
|
|
0, "DH",
|
|
|
|
|
"DH parameters", 1);
|
2020-10-15 15:45:54 +00:00
|
|
|
|
|
|
|
|
if (dhpkey2 != NULL) {
|
2006-01-02 23:14:37 +00:00
|
|
|
BIO_printf(bio_s_out, "Setting temp DH parameters\n");
|
|
|
|
|
(void)BIO_flush(bio_s_out);
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2020-10-15 15:45:54 +00:00
|
|
|
EVP_PKEY_free(dhpkey);
|
|
|
|
|
dhpkey = dhpkey2;
|
2006-01-02 23:29:12 +00:00
|
|
|
}
|
2006-01-02 23:14:37 +00:00
|
|
|
}
|
2020-10-15 15:45:54 +00:00
|
|
|
if (dhpkey == NULL) {
|
2014-01-22 16:22:48 +00:00
|
|
|
SSL_CTX_set_dh_auto(ctx2, 1);
|
2020-10-15 15:45:54 +00:00
|
|
|
} else if (!SSL_CTX_set0_tmp_dh_pkey(ctx2, dhpkey)) {
|
2014-01-22 16:22:48 +00:00
|
|
|
BIO_puts(bio_err, "Error setting temp DH parameters\n");
|
2013-09-24 22:13:22 +00:00
|
|
|
ERR_print_errors(bio_err);
|
2020-10-15 15:45:54 +00:00
|
|
|
EVP_PKEY_free(dhpkey);
|
2013-05-13 01:55:27 +00:00
|
|
|
goto end;
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
2020-10-15 15:45:54 +00:00
|
|
|
dhpkey = NULL;
|
2013-09-24 22:13:22 +00:00
|
|
|
}
|
2020-10-15 15:45:54 +00:00
|
|
|
EVP_PKEY_free(dhpkey);
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
1998-12-21 10:52:47 +00:00
|
|
|
|
|
|
|
|
if (!set_cert_key_stuff(ctx, s_cert, s_key, s_chain, build_chain))
|
|
|
|
|
goto end;
|
2015-05-15 09:49:56 +00:00
|
|
|
|
2006-01-02 23:29:12 +00:00
|
|
|
if (s_serverinfo_file != NULL
|
|
|
|
|
&& !SSL_CTX_use_serverinfo_file(ctx, s_serverinfo_file)) {
|
2006-01-02 23:14:37 +00:00
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
2015-05-15 09:49:56 +00:00
|
|
|
|
2017-06-12 17:24:02 +00:00
|
|
|
if (ctx2 != NULL
|
|
|
|
|
&& !set_cert_key_stuff(ctx2, s_cert2, s_key2, NULL, build_chain))
|
1998-12-21 10:52:47 +00:00
|
|
|
goto end;
|
2015-05-15 09:49:56 +00:00
|
|
|
|
2004-11-16 17:30:59 +00:00
|
|
|
if (s_dcert != NULL) {
|
2012-07-23 23:34:28 +00:00
|
|
|
if (!set_cert_key_stuff(ctx, s_dcert, s_dkey, s_dchain, build_chain))
|
2014-01-22 16:22:48 +00:00
|
|
|
goto end;
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
1998-12-21 10:52:47 +00:00
|
|
|
|
2010-08-26 15:15:47 +00:00
|
|
|
if (no_resume_ephemeral) {
|
|
|
|
|
SSL_CTX_set_not_resumable_session_callback(ctx,
|
|
|
|
|
not_resumable_sess_cb);
|
2015-05-15 09:49:56 +00:00
|
|
|
|
2017-06-12 17:24:02 +00:00
|
|
|
if (ctx2 != NULL)
|
2010-08-26 15:15:47 +00:00
|
|
|
SSL_CTX_set_not_resumable_session_callback(ctx2,
|
|
|
|
|
not_resumable_sess_cb);
|
|
|
|
|
}
|
2006-03-10 23:06:27 +00:00
|
|
|
#ifndef OPENSSL_NO_PSK
|
2016-01-31 01:14:39 +00:00
|
|
|
if (psk_key != NULL) {
|
2006-03-10 23:06:27 +00:00
|
|
|
if (s_debug)
|
2016-08-07 10:04:26 +00:00
|
|
|
BIO_printf(bio_s_out, "PSK key given, setting server callback\n");
|
2006-03-10 23:06:27 +00:00
|
|
|
SSL_CTX_set_psk_server_callback(ctx, psk_server_cb);
|
|
|
|
|
}
|
|
|
|
|
|
2020-03-12 13:38:38 +00:00
|
|
|
if (psk_identity_hint != NULL) {
|
|
|
|
|
if (min_version == TLS1_3_VERSION) {
|
|
|
|
|
BIO_printf(bio_s_out, "PSK warning: there is NO identity hint in TLSv1.3\n");
|
|
|
|
|
} else {
|
|
|
|
|
if (!SSL_CTX_use_psk_identity_hint(ctx, psk_identity_hint)) {
|
|
|
|
|
BIO_printf(bio_err, "error setting PSK identity hint to context\n");
|
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
}
|
2006-03-10 23:06:27 +00:00
|
|
|
}
|
|
|
|
|
#endif
|
2017-06-12 17:26:09 +00:00
|
|
|
if (psksessf != NULL) {
|
|
|
|
|
BIO *stmp = BIO_new_file(psksessf, "r");
|
|
|
|
|
|
|
|
|
|
if (stmp == NULL) {
|
|
|
|
|
BIO_printf(bio_err, "Can't open PSK session file %s\n", psksessf);
|
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
psksess = PEM_read_bio_SSL_SESSION(stmp, NULL, 0, NULL);
|
|
|
|
|
BIO_free(stmp);
|
|
|
|
|
if (psksess == NULL) {
|
|
|
|
|
BIO_printf(bio_err, "Can't read PSK session file %s\n", psksessf);
|
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
2017-06-12 18:12:13 +00:00
|
|
|
|
2017-06-12 17:26:09 +00:00
|
|
|
}
|
2006-03-10 23:06:27 +00:00
|
|
|
|
2017-06-12 18:12:13 +00:00
|
|
|
if (psk_key != NULL || psksess != NULL)
|
|
|
|
|
SSL_CTX_set_psk_find_session_callback(ctx, psk_find_session_cb);
|
|
|
|
|
|
1998-12-21 10:56:39 +00:00
|
|
|
SSL_CTX_set_verify(ctx, s_server_verify, verify_callback);
|
2015-04-16 05:50:03 +00:00
|
|
|
if (!SSL_CTX_set_session_id_context(ctx,
|
2016-08-07 10:04:26 +00:00
|
|
|
(void *)&s_server_session_id_context,
|
2017-12-07 18:39:34 +00:00
|
|
|
sizeof(s_server_session_id_context))) {
|
2015-03-06 14:39:46 +00:00
|
|
|
BIO_printf(bio_err, "error setting session id context\n");
|
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
1998-12-21 10:52:47 +00:00
|
|
|
|
2009-09-04 17:42:53 +00:00
|
|
|
/* Set DTLS cookie generation and verification callbacks */
|
|
|
|
|
SSL_CTX_set_cookie_generate_cb(ctx, generate_cookie_callback);
|
|
|
|
|
SSL_CTX_set_cookie_verify_cb(ctx, verify_cookie_callback);
|
|
|
|
|
|
2018-02-26 02:39:11 +00:00
|
|
|
/* Set TLS1.3 cookie generation and verification callbacks */
|
|
|
|
|
SSL_CTX_set_stateless_cookie_generate_cb(ctx, generate_stateless_cookie_callback);
|
|
|
|
|
SSL_CTX_set_stateless_cookie_verify_cb(ctx, verify_stateless_cookie_callback);
|
|
|
|
|
|
2017-06-12 17:24:02 +00:00
|
|
|
if (ctx2 != NULL) {
|
2006-01-02 23:14:37 +00:00
|
|
|
SSL_CTX_set_verify(ctx2, s_server_verify, verify_callback);
|
2015-04-16 05:50:03 +00:00
|
|
|
if (!SSL_CTX_set_session_id_context(ctx2,
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
(void *)&s_server_session_id_context,
|
2017-12-07 18:39:34 +00:00
|
|
|
sizeof(s_server_session_id_context))) {
|
2015-03-06 14:39:46 +00:00
|
|
|
BIO_printf(bio_err, "error setting session id context\n");
|
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
2006-01-03 03:27:19 +00:00
|
|
|
tlsextcbp.biodebug = bio_s_out;
|
|
|
|
|
SSL_CTX_set_tlsext_servername_callback(ctx2, ssl_servername_cb);
|
|
|
|
|
SSL_CTX_set_tlsext_servername_arg(ctx2, &tlsextcbp);
|
|
|
|
|
SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
|
|
|
|
|
SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
|
2006-01-02 23:29:12 +00:00
|
|
|
}
|
2006-01-03 03:27:19 +00:00
|
|
|
|
2011-03-12 17:01:19 +00:00
|
|
|
#ifndef OPENSSL_NO_SRP
|
|
|
|
|
if (srp_verifier_file != NULL) {
|
2021-02-05 11:28:15 +00:00
|
|
|
if (!set_up_srp_verifier_file(ctx, &srp_callback_parm, srpuserseed,
|
|
|
|
|
srp_verifier_file))
|
2011-03-12 17:01:19 +00:00
|
|
|
goto end;
|
|
|
|
|
} else
|
|
|
|
|
#endif
|
2006-01-02 23:29:12 +00:00
|
|
|
if (CAfile != NULL) {
|
|
|
|
|
SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(CAfile));
|
2015-05-15 09:49:56 +00:00
|
|
|
|
2006-01-02 23:14:37 +00:00
|
|
|
if (ctx2)
|
2006-01-02 23:29:12 +00:00
|
|
|
SSL_CTX_set_client_CA_list(ctx2, SSL_load_client_CA_file(CAfile));
|
|
|
|
|
}
|
2016-03-21 16:54:53 +00:00
|
|
|
#ifndef OPENSSL_NO_OCSP
|
2015-07-30 01:34:35 +00:00
|
|
|
if (s_tlsextstatus) {
|
|
|
|
|
SSL_CTX_set_tlsext_status_cb(ctx, cert_status_cb);
|
|
|
|
|
SSL_CTX_set_tlsext_status_arg(ctx, &tlscstatp);
|
|
|
|
|
if (ctx2) {
|
|
|
|
|
SSL_CTX_set_tlsext_status_cb(ctx2, cert_status_cb);
|
|
|
|
|
SSL_CTX_set_tlsext_status_arg(ctx2, &tlscstatp);
|
|
|
|
|
}
|
|
|
|
|
}
|
2016-03-21 16:54:53 +00:00
|
|
|
#endif
|
2017-02-01 18:14:27 +00:00
|
|
|
if (set_keylog_file(ctx, keylog_file))
|
|
|
|
|
goto end;
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2017-02-23 16:54:11 +00:00
|
|
|
if (max_early_data >= 0)
|
2017-02-17 17:01:16 +00:00
|
|
|
SSL_CTX_set_max_early_data(ctx, max_early_data);
|
2018-07-05 14:42:36 +00:00
|
|
|
if (recv_max_early_data >= 0)
|
|
|
|
|
SSL_CTX_set_recv_max_early_data(ctx, recv_max_early_data);
|
2017-02-17 17:01:16 +00:00
|
|
|
|
2021-08-09 20:56:50 +00:00
|
|
|
if (cert_comp) {
|
|
|
|
|
BIO_printf(bio_s_out, "Compressing certificates\n");
|
|
|
|
|
if (!SSL_CTX_compress_certs(ctx, 0))
|
|
|
|
|
BIO_printf(bio_s_out, "Error compressing certs on ctx\n");
|
|
|
|
|
if (ctx2 != NULL && !SSL_CTX_compress_certs(ctx2, 0))
|
|
|
|
|
BIO_printf(bio_s_out, "Error compressing certs on ctx2\n");
|
|
|
|
|
}
|
2021-01-27 19:23:33 +00:00
|
|
|
if (enable_server_rpk)
|
|
|
|
|
if (!SSL_CTX_set1_server_cert_type(ctx, cert_type_rpk, sizeof(cert_type_rpk))) {
|
|
|
|
|
BIO_printf(bio_s_out, "Error setting server certificate types\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
|
|
|
|
if (enable_client_rpk)
|
|
|
|
|
if (!SSL_CTX_set1_client_cert_type(ctx, cert_type_rpk, sizeof(cert_type_rpk))) {
|
|
|
|
|
BIO_printf(bio_s_out, "Error setting server certificate types\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
2021-08-09 20:56:50 +00:00
|
|
|
|
2012-09-14 13:27:05 +00:00
|
|
|
if (rev)
|
s_client/s_server: support unix domain sockets
The "-unix <path>" argument allows s_server and s_client to use a unix
domain socket in the filesystem instead of IPv4 ("-connect", "-port",
"-accept", etc). If s_server exits gracefully, such as when "-naccept"
is used and the requested number of SSL/TLS connections have occurred,
then the domain socket file is removed. On ctrl-C, it is likely that
the stale socket file will be left over, such that s_server would
normally fail to restart with the same arguments. For this reason,
s_server also supports an "-unlink" option, which will clean up any
stale socket file before starting.
If you have any reason to want encrypted IPC within an O/S instance,
this concept might come in handy. Otherwise it just demonstrates that
there is nothing about SSL/TLS that limits it to TCP/IP in any way.
(There might also be benchmarking and profiling use in this path, as
unix domain sockets are much lower overhead than connecting over local
IP addresses).
Signed-off-by: Geoff Thorpe <geoff@openssl.org>
2014-04-26 05:22:54 +00:00
|
|
|
server_cb = rev_body;
|
2012-09-14 13:27:05 +00:00
|
|
|
else if (www)
|
s_client/s_server: support unix domain sockets
The "-unix <path>" argument allows s_server and s_client to use a unix
domain socket in the filesystem instead of IPv4 ("-connect", "-port",
"-accept", etc). If s_server exits gracefully, such as when "-naccept"
is used and the requested number of SSL/TLS connections have occurred,
then the domain socket file is removed. On ctrl-C, it is likely that
the stale socket file will be left over, such that s_server would
normally fail to restart with the same arguments. For this reason,
s_server also supports an "-unlink" option, which will clean up any
stale socket file before starting.
If you have any reason to want encrypted IPC within an O/S instance,
this concept might come in handy. Otherwise it just demonstrates that
there is nothing about SSL/TLS that limits it to TCP/IP in any way.
(There might also be benchmarking and profiling use in this path, as
unix domain sockets are much lower overhead than connecting over local
IP addresses).
Signed-off-by: Geoff Thorpe <geoff@openssl.org>
2014-04-26 05:22:54 +00:00
|
|
|
server_cb = www_body;
|
|
|
|
|
else
|
|
|
|
|
server_cb = sv_body;
|
2016-02-02 23:47:42 +00:00
|
|
|
#ifdef AF_UNIX
|
|
|
|
|
if (socket_family == AF_UNIX
|
|
|
|
|
&& unlink_unix_path)
|
|
|
|
|
unlink(host);
|
2014-07-01 11:44:00 +00:00
|
|
|
#endif
|
2021-09-08 20:23:04 +00:00
|
|
|
if (tfo)
|
|
|
|
|
BIO_printf(bio_s_out, "Listening for TFO\n");
|
2017-04-20 08:56:56 +00:00
|
|
|
do_server(&accept_socket, host, port, socket_family, socket_type, protocol,
|
2021-09-08 20:23:04 +00:00
|
|
|
server_cb, context, naccept, bio_s_out, tfo);
|
1998-12-21 10:52:47 +00:00
|
|
|
print_stats(bio_s_out, ctx);
|
|
|
|
|
ret = 0;
|
|
|
|
|
end:
|
2015-04-11 14:22:36 +00:00
|
|
|
SSL_CTX_free(ctx);
|
2017-07-05 09:32:33 +00:00
|
|
|
SSL_SESSION_free(psksess);
|
2017-02-01 18:14:27 +00:00
|
|
|
set_keylog_file(NULL, NULL);
|
2015-04-30 21:33:59 +00:00
|
|
|
X509_free(s_cert);
|
|
|
|
|
sk_X509_CRL_pop_free(crls, X509_CRL_free);
|
|
|
|
|
X509_free(s_dcert);
|
2015-03-28 14:54:15 +00:00
|
|
|
EVP_PKEY_free(s_key);
|
|
|
|
|
EVP_PKEY_free(s_dkey);
|
2021-12-18 15:15:49 +00:00
|
|
|
OSSL_STACK_OF_X509_free(s_chain);
|
|
|
|
|
OSSL_STACK_OF_X509_free(s_dchain);
|
2015-05-01 18:37:16 +00:00
|
|
|
OPENSSL_free(pass);
|
|
|
|
|
OPENSSL_free(dpass);
|
2016-02-02 23:47:42 +00:00
|
|
|
OPENSSL_free(host);
|
|
|
|
|
OPENSSL_free(port);
|
2015-04-30 21:33:59 +00:00
|
|
|
X509_VERIFY_PARAM_free(vpm);
|
2009-12-27 23:24:45 +00:00
|
|
|
free_sessions();
|
2015-05-01 18:37:16 +00:00
|
|
|
OPENSSL_free(tlscstatp.host);
|
|
|
|
|
OPENSSL_free(tlscstatp.port);
|
|
|
|
|
OPENSSL_free(tlscstatp.path);
|
2015-04-11 14:22:36 +00:00
|
|
|
SSL_CTX_free(ctx2);
|
2015-04-30 21:33:59 +00:00
|
|
|
X509_free(s_cert2);
|
2015-03-28 14:54:15 +00:00
|
|
|
EVP_PKEY_free(s_key2);
|
2015-05-15 09:49:56 +00:00
|
|
|
#ifndef OPENSSL_NO_NEXTPROTONEG
|
2015-05-01 18:37:16 +00:00
|
|
|
OPENSSL_free(next_proto.data);
|
2006-01-02 23:14:37 +00:00
|
|
|
#endif
|
2015-05-15 09:49:56 +00:00
|
|
|
OPENSSL_free(alpn_ctx.data);
|
2012-06-29 14:24:42 +00:00
|
|
|
ssl_excert_free(exc);
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
sk_OPENSSL_STRING_free(ssl_args);
|
2015-04-11 14:22:36 +00:00
|
|
|
SSL_CONF_CTX_free(cctx);
|
2016-09-28 21:39:18 +00:00
|
|
|
release_engine(engine);
|
2015-03-25 15:31:18 +00:00
|
|
|
BIO_free(bio_s_out);
|
|
|
|
|
bio_s_out = NULL;
|
|
|
|
|
BIO_free(bio_s_msg);
|
|
|
|
|
bio_s_msg = NULL;
|
2016-04-28 10:34:54 +00:00
|
|
|
#ifdef CHARSET_EBCDIC
|
|
|
|
|
BIO_meth_free(methods_ebcdic);
|
|
|
|
|
#endif
|
2017-10-17 14:04:09 +00:00
|
|
|
return ret;
|
1998-12-21 10:52:47 +00:00
|
|
|
}
|
|
|
|
|
|
1999-04-19 21:31:43 +00:00
|
|
|
static void print_stats(BIO *bio, SSL_CTX *ssl_ctx)
|
1998-12-21 10:52:47 +00:00
|
|
|
{
|
|
|
|
|
BIO_printf(bio, "%4ld items in the session cache\n",
|
|
|
|
|
SSL_CTX_sess_number(ssl_ctx));
|
2003-04-03 23:39:48 +00:00
|
|
|
BIO_printf(bio, "%4ld client connects (SSL_connect())\n",
|
1998-12-21 10:52:47 +00:00
|
|
|
SSL_CTX_sess_connect(ssl_ctx));
|
2003-04-03 23:39:48 +00:00
|
|
|
BIO_printf(bio, "%4ld client renegotiates (SSL_connect())\n",
|
1998-12-21 10:56:39 +00:00
|
|
|
SSL_CTX_sess_connect_renegotiate(ssl_ctx));
|
2003-04-03 23:39:48 +00:00
|
|
|
BIO_printf(bio, "%4ld client connects that finished\n",
|
1998-12-21 10:52:47 +00:00
|
|
|
SSL_CTX_sess_connect_good(ssl_ctx));
|
2003-04-03 23:39:48 +00:00
|
|
|
BIO_printf(bio, "%4ld server accepts (SSL_accept())\n",
|
1998-12-21 10:52:47 +00:00
|
|
|
SSL_CTX_sess_accept(ssl_ctx));
|
2003-04-03 23:39:48 +00:00
|
|
|
BIO_printf(bio, "%4ld server renegotiates (SSL_accept())\n",
|
1998-12-21 10:56:39 +00:00
|
|
|
SSL_CTX_sess_accept_renegotiate(ssl_ctx));
|
2003-04-03 23:39:48 +00:00
|
|
|
BIO_printf(bio, "%4ld server accepts that finished\n",
|
1998-12-21 10:52:47 +00:00
|
|
|
SSL_CTX_sess_accept_good(ssl_ctx));
|
2003-04-03 23:39:48 +00:00
|
|
|
BIO_printf(bio, "%4ld session cache hits\n", SSL_CTX_sess_hits(ssl_ctx));
|
|
|
|
|
BIO_printf(bio, "%4ld session cache misses\n",
|
|
|
|
|
SSL_CTX_sess_misses(ssl_ctx));
|
|
|
|
|
BIO_printf(bio, "%4ld session cache timeouts\n",
|
|
|
|
|
SSL_CTX_sess_timeouts(ssl_ctx));
|
|
|
|
|
BIO_printf(bio, "%4ld callback cache hits\n",
|
|
|
|
|
SSL_CTX_sess_cb_hits(ssl_ctx));
|
|
|
|
|
BIO_printf(bio, "%4ld cache full overflows (%ld allowed)\n",
|
1998-12-21 10:56:39 +00:00
|
|
|
SSL_CTX_sess_cache_full(ssl_ctx),
|
|
|
|
|
SSL_CTX_sess_get_cache_size(ssl_ctx));
|
1998-12-21 10:52:47 +00:00
|
|
|
}
|
|
|
|
|
|
2022-04-28 11:35:40 +00:00
|
|
|
static long int count_reads_callback(BIO *bio, int cmd, const char *argp, size_t len,
|
|
|
|
|
int argi, long argl, int ret, size_t *processed)
|
|
|
|
|
{
|
|
|
|
|
unsigned int *p_counter = (unsigned int *)BIO_get_callback_arg(bio);
|
|
|
|
|
|
|
|
|
|
switch (cmd) {
|
|
|
|
|
case BIO_CB_READ: /* No break here */
|
|
|
|
|
case BIO_CB_GETS:
|
|
|
|
|
if (p_counter != NULL)
|
|
|
|
|
++*p_counter;
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (s_debug) {
|
|
|
|
|
BIO_set_callback_arg(bio, (char *)bio_s_out);
|
|
|
|
|
ret = (int)bio_dump_callback(bio, cmd, argp, len, argi, argl, ret, processed);
|
|
|
|
|
BIO_set_callback_arg(bio, (char *)p_counter);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
|
}
|
|
|
|
|
|
2017-04-20 08:56:56 +00:00
|
|
|
static int sv_body(int s, int stype, int prot, unsigned char *context)
|
1998-12-21 10:52:47 +00:00
|
|
|
{
|
|
|
|
|
char *buf = NULL;
|
|
|
|
|
fd_set readfds;
|
|
|
|
|
int ret = 1, width;
|
2023-06-07 12:05:38 +00:00
|
|
|
int k;
|
1998-12-21 10:52:47 +00:00
|
|
|
unsigned long l;
|
|
|
|
|
SSL *con = NULL;
|
|
|
|
|
BIO *sbio;
|
2009-08-18 11:15:33 +00:00
|
|
|
struct timeval timeout;
|
2018-04-26 19:11:26 +00:00
|
|
|
#if !(defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS))
|
2009-08-18 11:15:33 +00:00
|
|
|
struct timeval *timeoutp;
|
1999-09-20 22:09:17 +00:00
|
|
|
#endif
|
2017-04-20 08:56:56 +00:00
|
|
|
#ifndef OPENSSL_NO_DTLS
|
2017-04-25 13:35:41 +00:00
|
|
|
# ifndef OPENSSL_NO_SCTP
|
2017-04-20 08:56:56 +00:00
|
|
|
int isdtls = (stype == SOCK_DGRAM || prot == IPPROTO_SCTP);
|
2017-04-25 13:35:41 +00:00
|
|
|
# else
|
2017-04-20 08:56:56 +00:00
|
|
|
int isdtls = (stype == SOCK_DGRAM);
|
2017-04-25 13:35:41 +00:00
|
|
|
# endif
|
2017-04-20 08:56:56 +00:00
|
|
|
#endif
|
1998-12-21 10:52:47 +00:00
|
|
|
|
2015-04-30 21:48:31 +00:00
|
|
|
buf = app_malloc(bufsize, "server buffer");
|
1998-12-21 10:52:47 +00:00
|
|
|
if (s_nbio) {
|
2016-02-27 18:24:28 +00:00
|
|
|
if (!BIO_socket_nbio(s, 1))
|
1998-12-21 10:56:39 +00:00
|
|
|
ERR_print_errors(bio_err);
|
2016-02-27 18:24:28 +00:00
|
|
|
else if (!s_quiet)
|
|
|
|
|
BIO_printf(bio_err, "Turned on non blocking io\n");
|
1998-12-21 10:52:47 +00:00
|
|
|
}
|
|
|
|
|
|
2017-10-19 14:41:03 +00:00
|
|
|
con = SSL_new(ctx);
|
1999-03-22 12:22:14 +00:00
|
|
|
if (con == NULL) {
|
2017-10-19 14:41:03 +00:00
|
|
|
ret = -1;
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
2015-05-15 09:49:56 +00:00
|
|
|
|
2017-10-19 14:41:03 +00:00
|
|
|
if (s_tlsextdebug) {
|
|
|
|
|
SSL_set_tlsext_debug_callback(con, tlsext_cb);
|
|
|
|
|
SSL_set_tlsext_debug_arg(con, bio_s_out);
|
|
|
|
|
}
|
2015-05-15 09:49:56 +00:00
|
|
|
|
2017-10-19 14:41:03 +00:00
|
|
|
if (context != NULL
|
|
|
|
|
&& !SSL_set_session_id_context(con, context,
|
|
|
|
|
strlen((char *)context))) {
|
|
|
|
|
BIO_printf(bio_err, "Error setting session id context\n");
|
|
|
|
|
ret = -1;
|
|
|
|
|
goto err;
|
2015-03-06 14:39:46 +00:00
|
|
|
}
|
2017-10-19 14:41:03 +00:00
|
|
|
|
2015-04-16 05:50:03 +00:00
|
|
|
if (!SSL_clear(con)) {
|
2015-03-06 14:39:46 +00:00
|
|
|
BIO_printf(bio_err, "Error clearing SSL connection\n");
|
|
|
|
|
ret = -1;
|
|
|
|
|
goto err;
|
1999-03-22 12:22:14 +00:00
|
|
|
}
|
2015-12-16 13:25:07 +00:00
|
|
|
#ifndef OPENSSL_NO_DTLS
|
2017-04-20 08:56:56 +00:00
|
|
|
if (isdtls) {
|
2017-04-25 13:35:41 +00:00
|
|
|
# ifndef OPENSSL_NO_SCTP
|
2017-04-20 08:56:56 +00:00
|
|
|
if (prot == IPPROTO_SCTP)
|
|
|
|
|
sbio = BIO_new_dgram_sctp(s, BIO_NOCLOSE);
|
|
|
|
|
else
|
2017-04-25 13:35:41 +00:00
|
|
|
# endif
|
2017-04-20 08:56:56 +00:00
|
|
|
sbio = BIO_new_dgram(s, BIO_NOCLOSE);
|
2022-02-16 03:27:23 +00:00
|
|
|
if (sbio == NULL) {
|
|
|
|
|
BIO_printf(bio_err, "Unable to create BIO\n");
|
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2006-01-02 23:29:12 +00:00
|
|
|
if (enable_timeouts) {
|
2005-04-26 16:02:40 +00:00
|
|
|
timeout.tv_sec = 0;
|
|
|
|
|
timeout.tv_usec = DGRAM_RCV_TIMEOUT;
|
|
|
|
|
BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2005-04-26 16:02:40 +00:00
|
|
|
timeout.tv_sec = 0;
|
|
|
|
|
timeout.tv_usec = DGRAM_SND_TIMEOUT;
|
|
|
|
|
BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
|
|
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2014-12-01 23:57:44 +00:00
|
|
|
if (socket_mtu) {
|
|
|
|
|
if (socket_mtu < DTLS_get_link_min_mtu(con)) {
|
|
|
|
|
BIO_printf(bio_err, "MTU too small. Must be at least %ld\n",
|
|
|
|
|
DTLS_get_link_min_mtu(con));
|
|
|
|
|
ret = -1;
|
|
|
|
|
BIO_free(sbio);
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
2005-04-26 16:02:40 +00:00
|
|
|
SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
|
2014-12-01 23:57:44 +00:00
|
|
|
if (!DTLS_set_link_mtu(con, socket_mtu)) {
|
|
|
|
|
BIO_printf(bio_err, "Failed to set MTU\n");
|
|
|
|
|
ret = -1;
|
|
|
|
|
BIO_free(sbio);
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
2005-04-26 16:02:40 +00:00
|
|
|
} else
|
|
|
|
|
/* want to do MTU discovery */
|
|
|
|
|
BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL);
|
|
|
|
|
|
2017-04-25 13:35:09 +00:00
|
|
|
# ifndef OPENSSL_NO_SCTP
|
2017-08-24 08:52:11 +00:00
|
|
|
if (prot != IPPROTO_SCTP)
|
|
|
|
|
# endif
|
2017-04-20 08:56:56 +00:00
|
|
|
/* Turn on cookie exchange. Not necessary for SCTP */
|
|
|
|
|
SSL_set_options(con, SSL_OP_COOKIE_EXCHANGE);
|
2005-04-26 16:02:40 +00:00
|
|
|
} else
|
2015-12-16 13:25:07 +00:00
|
|
|
#endif
|
2005-04-26 16:02:40 +00:00
|
|
|
sbio = BIO_new_socket(s, BIO_NOCLOSE);
|
|
|
|
|
|
2017-04-20 08:56:56 +00:00
|
|
|
if (sbio == NULL) {
|
|
|
|
|
BIO_printf(bio_err, "Unable to create BIO\n");
|
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
|
1998-12-21 10:52:47 +00:00
|
|
|
if (s_nbio_test) {
|
|
|
|
|
BIO *test;
|
|
|
|
|
|
|
|
|
|
test = BIO_new(BIO_f_nbio_test());
|
2022-02-16 03:27:23 +00:00
|
|
|
if (test == NULL) {
|
|
|
|
|
BIO_printf(bio_err, "Unable to create BIO\n");
|
|
|
|
|
ret = -1;
|
|
|
|
|
BIO_free(sbio);
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
1998-12-21 10:52:47 +00:00
|
|
|
sbio = BIO_push(test, sbio);
|
|
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
|
1998-12-21 10:52:47 +00:00
|
|
|
SSL_set_bio(con, sbio, sbio);
|
|
|
|
|
SSL_set_accept_state(con);
|
|
|
|
|
/* SSL_set_fd(con,s); */
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2022-04-28 11:35:40 +00:00
|
|
|
BIO_set_callback_ex(SSL_get_rbio(con), count_reads_callback);
|
2001-10-20 17:56:36 +00:00
|
|
|
if (s_msg) {
|
2012-06-15 12:46:09 +00:00
|
|
|
#ifndef OPENSSL_NO_SSL_TRACE
|
|
|
|
|
if (s_msg == 2)
|
|
|
|
|
SSL_set_msg_callback(con, SSL_trace);
|
|
|
|
|
else
|
|
|
|
|
#endif
|
|
|
|
|
SSL_set_msg_callback(con, msg_cb);
|
|
|
|
|
SSL_set_msg_callback_arg(con, bio_s_msg ? bio_s_msg : bio_s_out);
|
2001-10-20 17:56:36 +00:00
|
|
|
}
|
2015-05-15 09:49:56 +00:00
|
|
|
|
2007-08-11 23:18:29 +00:00
|
|
|
if (s_tlsextdebug) {
|
|
|
|
|
SSL_set_tlsext_debug_callback(con, tlsext_cb);
|
|
|
|
|
SSL_set_tlsext_debug_arg(con, bio_s_out);
|
|
|
|
|
}
|
1998-12-21 10:52:47 +00:00
|
|
|
|
2017-02-22 15:24:11 +00:00
|
|
|
if (early_data) {
|
2017-03-02 14:42:55 +00:00
|
|
|
int write_header = 1, edret = SSL_READ_EARLY_DATA_ERROR;
|
2017-02-22 15:24:11 +00:00
|
|
|
size_t readbytes;
|
|
|
|
|
|
2017-03-02 14:42:55 +00:00
|
|
|
while (edret != SSL_READ_EARLY_DATA_FINISH) {
|
2017-02-22 15:24:11 +00:00
|
|
|
for (;;) {
|
2017-03-02 14:42:55 +00:00
|
|
|
edret = SSL_read_early_data(con, buf, bufsize, &readbytes);
|
|
|
|
|
if (edret != SSL_READ_EARLY_DATA_ERROR)
|
2017-02-22 15:24:11 +00:00
|
|
|
break;
|
|
|
|
|
|
|
|
|
|
switch (SSL_get_error(con, 0)) {
|
|
|
|
|
case SSL_ERROR_WANT_WRITE:
|
|
|
|
|
case SSL_ERROR_WANT_ASYNC:
|
|
|
|
|
case SSL_ERROR_WANT_READ:
|
|
|
|
|
/* Just keep trying - busy waiting */
|
|
|
|
|
continue;
|
|
|
|
|
default:
|
|
|
|
|
BIO_printf(bio_err, "Error reading early data\n");
|
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
if (readbytes > 0) {
|
|
|
|
|
if (write_header) {
|
|
|
|
|
BIO_printf(bio_s_out, "Early data received:\n");
|
|
|
|
|
write_header = 0;
|
|
|
|
|
}
|
|
|
|
|
raw_write_stdout(buf, (unsigned int)readbytes);
|
|
|
|
|
(void)BIO_flush(bio_s_out);
|
|
|
|
|
}
|
|
|
|
|
}
|
2017-11-14 14:21:13 +00:00
|
|
|
if (write_header) {
|
|
|
|
|
if (SSL_get_early_data_status(con) == SSL_EARLY_DATA_NOT_SENT)
|
|
|
|
|
BIO_printf(bio_s_out, "No early data received\n");
|
|
|
|
|
else
|
|
|
|
|
BIO_printf(bio_s_out, "Early data was rejected\n");
|
|
|
|
|
} else {
|
2017-02-22 15:24:11 +00:00
|
|
|
BIO_printf(bio_s_out, "\nEnd of early data\n");
|
2017-11-14 14:21:13 +00:00
|
|
|
}
|
2017-02-27 20:55:04 +00:00
|
|
|
if (SSL_is_init_finished(con))
|
|
|
|
|
print_connection_info(con);
|
2017-02-22 15:24:11 +00:00
|
|
|
}
|
|
|
|
|
|
2016-09-15 09:20:18 +00:00
|
|
|
if (fileno_stdin() > s)
|
|
|
|
|
width = fileno_stdin() + 1;
|
2016-09-14 18:54:30 +00:00
|
|
|
else
|
|
|
|
|
width = s + 1;
|
1998-12-21 10:52:47 +00:00
|
|
|
for (;;) {
|
2023-06-07 12:05:38 +00:00
|
|
|
int i;
|
2000-02-21 17:09:54 +00:00
|
|
|
int read_from_terminal;
|
|
|
|
|
int read_from_sslcon;
|
|
|
|
|
|
|
|
|
|
read_from_terminal = 0;
|
2016-02-12 13:33:45 +00:00
|
|
|
read_from_sslcon = SSL_has_pending(con)
|
2015-09-16 21:54:54 +00:00
|
|
|
|| (async && SSL_waiting_for_async(con));
|
2000-02-21 17:09:54 +00:00
|
|
|
|
|
|
|
|
if (!read_from_sslcon) {
|
|
|
|
|
FD_ZERO(&readfds);
|
2016-03-17 16:53:11 +00:00
|
|
|
#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS)
|
2016-09-15 09:20:18 +00:00
|
|
|
openssl_fdset(fileno_stdin(), &readfds);
|
2000-02-21 17:09:54 +00:00
|
|
|
#endif
|
2006-04-17 12:22:13 +00:00
|
|
|
openssl_fdset(s, &readfds);
|
2000-02-21 17:09:54 +00:00
|
|
|
/*
|
|
|
|
|
* Note: under VMS with SOCKETSHR the second parameter is
|
|
|
|
|
* currently of type (int *) whereas under other systems it is
|
|
|
|
|
* (void *) if you don't have a cast it will choke the compiler:
|
|
|
|
|
* if you do have a cast then you can either go for (int *) or
|
|
|
|
|
* (void *).
|
|
|
|
|
*/
|
2016-03-17 16:53:11 +00:00
|
|
|
#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
|
2003-09-27 21:56:08 +00:00
|
|
|
/*
|
|
|
|
|
* Under DOS (non-djgpp) and Windows we can't select on stdin:
|
2000-02-21 17:09:54 +00:00
|
|
|
* only on sockets. As a workaround we timeout the select every
|
|
|
|
|
* second and check for any keypress. In a proper Windows
|
|
|
|
|
* application we wouldn't do this because it is inefficient.
|
|
|
|
|
*/
|
2018-04-26 19:11:26 +00:00
|
|
|
timeout.tv_sec = 1;
|
|
|
|
|
timeout.tv_usec = 0;
|
|
|
|
|
i = select(width, (void *)&readfds, NULL, NULL, &timeout);
|
2016-05-20 10:53:26 +00:00
|
|
|
if (has_stdin_waiting())
|
2000-02-21 17:09:54 +00:00
|
|
|
read_from_terminal = 1;
|
2016-05-20 10:53:26 +00:00
|
|
|
if ((i < 0) || (!i && !read_from_terminal))
|
|
|
|
|
continue;
|
1999-09-20 22:09:17 +00:00
|
|
|
#else
|
2018-05-03 14:59:31 +00:00
|
|
|
if (SSL_is_dtls(con) && DTLSv1_get_timeout(con, &timeout))
|
2009-08-12 13:19:54 +00:00
|
|
|
timeoutp = &timeout;
|
|
|
|
|
else
|
|
|
|
|
timeoutp = NULL;
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2009-08-12 13:19:54 +00:00
|
|
|
i = select(width, (void *)&readfds, NULL, NULL, timeoutp);
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2018-05-03 14:59:31 +00:00
|
|
|
if ((SSL_is_dtls(con)) && DTLSv1_handle_timeout(con) > 0)
|
2013-06-12 23:22:32 +00:00
|
|
|
BIO_printf(bio_err, "TIMEOUT occurred\n");
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2000-02-21 17:09:54 +00:00
|
|
|
if (i <= 0)
|
|
|
|
|
continue;
|
2016-09-15 09:20:18 +00:00
|
|
|
if (FD_ISSET(fileno_stdin(), &readfds))
|
2000-02-21 17:09:54 +00:00
|
|
|
read_from_terminal = 1;
|
1999-09-20 22:09:17 +00:00
|
|
|
#endif
|
2000-02-21 17:09:54 +00:00
|
|
|
if (FD_ISSET(s, &readfds))
|
|
|
|
|
read_from_sslcon = 1;
|
|
|
|
|
}
|
|
|
|
|
if (read_from_terminal) {
|
1999-08-07 02:51:10 +00:00
|
|
|
if (s_crlf) {
|
|
|
|
|
int j, lf_num;
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2016-09-14 18:54:30 +00:00
|
|
|
i = raw_read_stdin(buf, bufsize / 2);
|
|
|
|
|
lf_num = 0;
|
1999-08-07 02:51:10 +00:00
|
|
|
/* both loops are skipped when i <= 0 */
|
|
|
|
|
for (j = 0; j < i; j++)
|
|
|
|
|
if (buf[j] == '\n')
|
|
|
|
|
lf_num++;
|
|
|
|
|
for (j = i - 1; j >= 0; j--) {
|
|
|
|
|
buf[j + lf_num] = buf[j];
|
|
|
|
|
if (buf[j] == '\n') {
|
|
|
|
|
lf_num--;
|
|
|
|
|
i++;
|
|
|
|
|
buf[j + lf_num] = '\r';
|
|
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
1999-08-07 02:51:10 +00:00
|
|
|
assert(lf_num == 0);
|
2017-06-12 17:24:02 +00:00
|
|
|
} else {
|
2016-09-14 18:54:30 +00:00
|
|
|
i = raw_read_stdin(buf, bufsize);
|
2017-06-12 17:24:02 +00:00
|
|
|
}
|
2016-09-15 09:20:18 +00:00
|
|
|
|
2012-09-12 23:14:28 +00:00
|
|
|
if (!s_quiet && !s_brief) {
|
1998-12-21 10:52:47 +00:00
|
|
|
if ((i <= 0) || (buf[0] == 'Q')) {
|
|
|
|
|
BIO_printf(bio_s_out, "DONE\n");
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
(void)BIO_flush(bio_s_out);
|
2016-03-02 21:12:46 +00:00
|
|
|
BIO_closesocket(s);
|
1998-12-21 10:52:47 +00:00
|
|
|
close_accept_socket();
|
|
|
|
|
ret = -11;
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
if ((i <= 0) || (buf[0] == 'q')) {
|
|
|
|
|
BIO_printf(bio_s_out, "DONE\n");
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
(void)BIO_flush(bio_s_out);
|
2005-04-26 16:02:40 +00:00
|
|
|
if (SSL_version(con) != DTLS1_VERSION)
|
2016-03-02 21:12:46 +00:00
|
|
|
BIO_closesocket(s);
|
1998-12-21 10:52:47 +00:00
|
|
|
/*
|
|
|
|
|
* close_accept_socket(); ret= -11;
|
|
|
|
|
*/
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
1998-12-21 10:56:39 +00:00
|
|
|
if ((buf[0] == 'r') && ((buf[1] == '\n') || (buf[1] == '\r'))) {
|
1998-12-21 10:52:47 +00:00
|
|
|
SSL_renegotiate(con);
|
1998-12-21 10:56:39 +00:00
|
|
|
i = SSL_do_handshake(con);
|
|
|
|
|
printf("SSL_do_handshake -> %d\n", i);
|
1998-12-21 10:52:47 +00:00
|
|
|
continue;
|
|
|
|
|
}
|
1999-01-07 00:16:37 +00:00
|
|
|
if ((buf[0] == 'R') && ((buf[1] == '\n') || (buf[1] == '\r'))) {
|
1998-12-21 10:52:47 +00:00
|
|
|
SSL_set_verify(con,
|
|
|
|
|
SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE,
|
|
|
|
|
NULL);
|
|
|
|
|
SSL_renegotiate(con);
|
1998-12-21 10:56:39 +00:00
|
|
|
i = SSL_do_handshake(con);
|
|
|
|
|
printf("SSL_do_handshake -> %d\n", i);
|
1998-12-21 10:52:47 +00:00
|
|
|
continue;
|
|
|
|
|
}
|
2017-02-08 16:52:23 +00:00
|
|
|
if ((buf[0] == 'K' || buf[0] == 'k')
|
|
|
|
|
&& ((buf[1] == '\n') || (buf[1] == '\r'))) {
|
|
|
|
|
SSL_key_update(con, buf[0] == 'K' ?
|
|
|
|
|
SSL_KEY_UPDATE_REQUESTED
|
|
|
|
|
: SSL_KEY_UPDATE_NOT_REQUESTED);
|
|
|
|
|
i = SSL_do_handshake(con);
|
|
|
|
|
printf("SSL_do_handshake -> %d\n", i);
|
|
|
|
|
continue;
|
|
|
|
|
}
|
Add TLSv1.3 post-handshake authentication (PHA)
Add SSL_verify_client_post_handshake() for servers to initiate PHA
Add SSL_force_post_handshake_auth() for clients that don't have certificates
initially configured, but use a certificate callback.
Update SSL_CTX_set_verify()/SSL_set_verify() mode:
* Add SSL_VERIFY_POST_HANDSHAKE to postpone client authentication until after
the initial handshake.
* Update SSL_VERIFY_CLIENT_ONCE now only sends out one CertRequest regardless
of when the certificate authentication takes place; either initial handshake,
re-negotiation, or post-handshake authentication.
Add 'RequestPostHandshake' and 'RequirePostHandshake' SSL_CONF options that
add the SSL_VERIFY_POST_HANDSHAKE to the 'Request' and 'Require' options
Add support to s_client:
* Enabled automatically when cert is configured
* Can be forced enabled via -force_pha
Add support to s_server:
* Use 'c' to invoke PHA in s_server
* Remove some dead code
Update documentation
Update unit tests:
* Illegal use of PHA extension
* TLSv1.3 certificate tests
DTLS and TLS behave ever-so-slightly differently. So, when DTLS1.3 is
implemented, it's PHA support state machine may need to be different.
Add a TODO and a #error
Update handshake context to deal with PHA.
The handshake context for TLSv1.3 post-handshake auth is up through the
ClientFinish message, plus the CertificateRequest message. Subsequent
Certificate, CertificateVerify, and Finish messages are based on this
handshake context (not the Certificate message per se, but it's included
after the hash). KeyUpdate, NewSessionTicket, and prior Certificate
Request messages are not included in post-handshake authentication.
After the ClientFinished message is processed, save off the digest state
for future post-handshake authentication. When post-handshake auth occurs,
copy over the saved handshake context into the "main" handshake digest.
This effectively discards the any KeyUpdate or NewSessionTicket messages
and any prior post-handshake authentication.
This, of course, assumes that the ID-22 did not mean to include any
previous post-handshake authentication into the new handshake transcript.
This is implied by section 4.4.1 that lists messages only up to the
first ClientFinished.
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4964)
2017-12-18 21:52:28 +00:00
|
|
|
if (buf[0] == 'c' && ((buf[1] == '\n') || (buf[1] == '\r'))) {
|
|
|
|
|
SSL_set_verify(con, SSL_VERIFY_PEER, NULL);
|
|
|
|
|
i = SSL_verify_client_post_handshake(con);
|
|
|
|
|
if (i == 0) {
|
|
|
|
|
printf("Failed to initiate request\n");
|
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
|
} else {
|
|
|
|
|
i = SSL_do_handshake(con);
|
|
|
|
|
printf("SSL_do_handshake -> %d\n", i);
|
|
|
|
|
}
|
|
|
|
|
continue;
|
|
|
|
|
}
|
1998-12-21 10:52:47 +00:00
|
|
|
if (buf[0] == 'P') {
|
2019-11-15 22:28:00 +00:00
|
|
|
static const char str[] = "Lets print some clear text\n";
|
|
|
|
|
BIO_write(SSL_get_wbio(con), str, sizeof(str) -1);
|
1998-12-21 10:52:47 +00:00
|
|
|
}
|
|
|
|
|
if (buf[0] == 'S') {
|
|
|
|
|
print_stats(bio_s_out, SSL_get_SSL_CTX(con));
|
|
|
|
|
}
|
|
|
|
|
}
|
1999-06-04 21:35:58 +00:00
|
|
|
#ifdef CHARSET_EBCDIC
|
|
|
|
|
ebcdic2ascii(buf, buf, i);
|
|
|
|
|
#endif
|
1998-12-21 10:52:47 +00:00
|
|
|
l = k = 0;
|
|
|
|
|
for (;;) {
|
|
|
|
|
/* should do a select for the write */
|
1998-12-21 10:56:39 +00:00
|
|
|
#ifdef RENEG
|
2016-08-03 20:49:25 +00:00
|
|
|
static count = 0;
|
|
|
|
|
if (++count == 100) {
|
|
|
|
|
count = 0;
|
|
|
|
|
SSL_renegotiate(con);
|
1998-12-21 10:56:39 +00:00
|
|
|
}
|
1998-12-21 10:52:47 +00:00
|
|
|
#endif
|
1998-12-21 10:56:39 +00:00
|
|
|
k = SSL_write(con, &(buf[l]), (unsigned int)i);
|
2012-02-10 19:43:14 +00:00
|
|
|
#ifndef OPENSSL_NO_SRP
|
2011-12-27 14:21:45 +00:00
|
|
|
while (SSL_get_error(con, k) == SSL_ERROR_WANT_X509_LOOKUP) {
|
|
|
|
|
BIO_printf(bio_s_out, "LOOKUP renego during write\n");
|
2021-02-05 11:28:15 +00:00
|
|
|
|
|
|
|
|
lookup_srp_user(&srp_callback_parm, bio_s_out);
|
|
|
|
|
|
2011-12-27 14:21:45 +00:00
|
|
|
k = SSL_write(con, &(buf[l]), (unsigned int)i);
|
|
|
|
|
}
|
2012-02-10 19:43:14 +00:00
|
|
|
#endif
|
1998-12-21 10:56:39 +00:00
|
|
|
switch (SSL_get_error(con, k)) {
|
|
|
|
|
case SSL_ERROR_NONE:
|
|
|
|
|
break;
|
2015-02-13 23:33:12 +00:00
|
|
|
case SSL_ERROR_WANT_ASYNC:
|
|
|
|
|
BIO_printf(bio_s_out, "Write BLOCK (Async)\n");
|
2016-05-20 10:20:22 +00:00
|
|
|
(void)BIO_flush(bio_s_out);
|
2015-07-24 07:15:31 +00:00
|
|
|
wait_for_async(con);
|
2015-02-13 23:33:12 +00:00
|
|
|
break;
|
1998-12-21 10:56:39 +00:00
|
|
|
case SSL_ERROR_WANT_WRITE:
|
|
|
|
|
case SSL_ERROR_WANT_READ:
|
|
|
|
|
case SSL_ERROR_WANT_X509_LOOKUP:
|
1998-12-21 10:52:47 +00:00
|
|
|
BIO_printf(bio_s_out, "Write BLOCK\n");
|
2016-05-20 10:20:22 +00:00
|
|
|
(void)BIO_flush(bio_s_out);
|
1998-12-21 10:56:39 +00:00
|
|
|
break;
|
2016-05-03 16:55:00 +00:00
|
|
|
case SSL_ERROR_WANT_ASYNC_JOB:
|
|
|
|
|
/*
|
|
|
|
|
* This shouldn't ever happen in s_server. Treat as an error
|
|
|
|
|
*/
|
1998-12-21 10:56:39 +00:00
|
|
|
case SSL_ERROR_SYSCALL:
|
|
|
|
|
case SSL_ERROR_SSL:
|
|
|
|
|
BIO_printf(bio_s_out, "ERROR\n");
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
(void)BIO_flush(bio_s_out);
|
1998-12-21 10:52:47 +00:00
|
|
|
ERR_print_errors(bio_err);
|
1998-12-21 10:56:39 +00:00
|
|
|
ret = 1;
|
|
|
|
|
goto err;
|
1998-12-21 11:00:56 +00:00
|
|
|
/* break; */
|
1998-12-21 10:56:39 +00:00
|
|
|
case SSL_ERROR_ZERO_RETURN:
|
1998-12-21 10:52:47 +00:00
|
|
|
BIO_printf(bio_s_out, "DONE\n");
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
(void)BIO_flush(bio_s_out);
|
1998-12-21 10:52:47 +00:00
|
|
|
ret = 1;
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
2015-05-18 23:08:02 +00:00
|
|
|
if (k > 0) {
|
|
|
|
|
l += k;
|
|
|
|
|
i -= k;
|
|
|
|
|
}
|
1998-12-21 10:52:47 +00:00
|
|
|
if (i <= 0)
|
|
|
|
|
break;
|
|
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
2000-02-21 17:09:54 +00:00
|
|
|
if (read_from_sslcon) {
|
2015-09-16 21:54:54 +00:00
|
|
|
/*
|
|
|
|
|
* init_ssl_connection handles all async events itself so if we're
|
|
|
|
|
* waiting for async then we shouldn't go back into
|
|
|
|
|
* init_ssl_connection
|
|
|
|
|
*/
|
|
|
|
|
if ((!async || !SSL_waiting_for_async(con))
|
|
|
|
|
&& !SSL_is_init_finished(con)) {
|
2022-04-28 11:35:40 +00:00
|
|
|
/*
|
|
|
|
|
* Count number of reads during init_ssl_connection.
|
|
|
|
|
* It helps us to distinguish configuration errors from errors
|
|
|
|
|
* caused by a client.
|
|
|
|
|
*/
|
|
|
|
|
unsigned int read_counter = 0;
|
|
|
|
|
|
|
|
|
|
BIO_set_callback_arg(SSL_get_rbio(con), (char *)&read_counter);
|
1998-12-21 10:52:47 +00:00
|
|
|
i = init_ssl_connection(con);
|
2022-04-28 11:35:40 +00:00
|
|
|
BIO_set_callback_arg(SSL_get_rbio(con), NULL);
|
|
|
|
|
|
|
|
|
|
/*
|
|
|
|
|
* If initialization fails without reads, then
|
|
|
|
|
* there was a fatal error in configuration.
|
|
|
|
|
*/
|
|
|
|
|
if (i <= 0 && read_counter == 0) {
|
|
|
|
|
ret = -1;
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
1998-12-21 10:52:47 +00:00
|
|
|
if (i < 0) {
|
|
|
|
|
ret = 0;
|
|
|
|
|
goto err;
|
|
|
|
|
} else if (i == 0) {
|
|
|
|
|
ret = 1;
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
} else {
|
1998-12-21 11:00:56 +00:00
|
|
|
again:
|
|
|
|
|
i = SSL_read(con, (char *)buf, bufsize);
|
2012-02-10 19:43:14 +00:00
|
|
|
#ifndef OPENSSL_NO_SRP
|
2011-12-27 14:21:45 +00:00
|
|
|
while (SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP) {
|
|
|
|
|
BIO_printf(bio_s_out, "LOOKUP renego during read\n");
|
2021-02-05 11:28:15 +00:00
|
|
|
|
|
|
|
|
lookup_srp_user(&srp_callback_parm, bio_s_out);
|
|
|
|
|
|
2011-12-27 14:21:45 +00:00
|
|
|
i = SSL_read(con, (char *)buf, bufsize);
|
|
|
|
|
}
|
2012-02-10 19:43:14 +00:00
|
|
|
#endif
|
1998-12-21 10:56:39 +00:00
|
|
|
switch (SSL_get_error(con, i)) {
|
|
|
|
|
case SSL_ERROR_NONE:
|
1999-06-04 21:35:58 +00:00
|
|
|
#ifdef CHARSET_EBCDIC
|
|
|
|
|
ascii2ebcdic(buf, buf, i);
|
|
|
|
|
#endif
|
2005-11-04 09:30:55 +00:00
|
|
|
raw_write_stdout(buf, (unsigned int)i);
|
2016-05-20 10:20:22 +00:00
|
|
|
(void)BIO_flush(bio_s_out);
|
2016-02-12 13:33:45 +00:00
|
|
|
if (SSL_has_pending(con))
|
1998-12-21 11:00:56 +00:00
|
|
|
goto again;
|
1998-12-21 10:56:39 +00:00
|
|
|
break;
|
2015-02-13 23:33:12 +00:00
|
|
|
case SSL_ERROR_WANT_ASYNC:
|
2015-07-24 07:15:31 +00:00
|
|
|
BIO_printf(bio_s_out, "Read BLOCK (Async)\n");
|
2016-05-20 10:20:22 +00:00
|
|
|
(void)BIO_flush(bio_s_out);
|
2015-07-24 07:15:31 +00:00
|
|
|
wait_for_async(con);
|
|
|
|
|
break;
|
1998-12-21 10:56:39 +00:00
|
|
|
case SSL_ERROR_WANT_WRITE:
|
|
|
|
|
case SSL_ERROR_WANT_READ:
|
1998-12-21 10:52:47 +00:00
|
|
|
BIO_printf(bio_s_out, "Read BLOCK\n");
|
2016-05-20 10:20:22 +00:00
|
|
|
(void)BIO_flush(bio_s_out);
|
1998-12-21 10:56:39 +00:00
|
|
|
break;
|
2016-05-03 16:55:00 +00:00
|
|
|
case SSL_ERROR_WANT_ASYNC_JOB:
|
|
|
|
|
/*
|
|
|
|
|
* This shouldn't ever happen in s_server. Treat as an error
|
|
|
|
|
*/
|
1998-12-21 10:56:39 +00:00
|
|
|
case SSL_ERROR_SYSCALL:
|
|
|
|
|
case SSL_ERROR_SSL:
|
|
|
|
|
BIO_printf(bio_s_out, "ERROR\n");
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
(void)BIO_flush(bio_s_out);
|
1998-12-21 10:52:47 +00:00
|
|
|
ERR_print_errors(bio_err);
|
1998-12-21 10:56:39 +00:00
|
|
|
ret = 1;
|
|
|
|
|
goto err;
|
|
|
|
|
case SSL_ERROR_ZERO_RETURN:
|
1998-12-21 10:52:47 +00:00
|
|
|
BIO_printf(bio_s_out, "DONE\n");
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
(void)BIO_flush(bio_s_out);
|
1998-12-21 10:52:47 +00:00
|
|
|
ret = 1;
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
1998-12-21 10:52:47 +00:00
|
|
|
err:
|
2006-03-18 14:24:02 +00:00
|
|
|
if (con != NULL) {
|
|
|
|
|
BIO_printf(bio_s_out, "shutting down SSL\n");
|
2020-05-05 12:26:32 +00:00
|
|
|
do_ssl_shutdown(con);
|
2006-03-18 14:24:02 +00:00
|
|
|
SSL_free(con);
|
|
|
|
|
}
|
1998-12-21 10:52:47 +00:00
|
|
|
BIO_printf(bio_s_out, "CONNECTION CLOSED\n");
|
2015-04-30 21:57:32 +00:00
|
|
|
OPENSSL_clear_free(buf, bufsize);
|
2017-10-17 14:04:09 +00:00
|
|
|
return ret;
|
1998-12-21 10:52:47 +00:00
|
|
|
}
|
|
|
|
|
|
1999-04-19 21:31:43 +00:00
|
|
|
static void close_accept_socket(void)
|
1998-12-21 10:52:47 +00:00
|
|
|
{
|
|
|
|
|
BIO_printf(bio_err, "shutdown accept socket\n");
|
|
|
|
|
if (accept_socket >= 0) {
|
2016-03-02 21:12:46 +00:00
|
|
|
BIO_closesocket(accept_socket);
|
1998-12-21 10:52:47 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
2017-04-26 13:00:35 +00:00
|
|
|
static int is_retryable(SSL *con, int i)
|
|
|
|
|
{
|
|
|
|
|
int err = SSL_get_error(con, i);
|
|
|
|
|
|
|
|
|
|
/* If it's not a fatal error, it must be retryable */
|
|
|
|
|
return (err != SSL_ERROR_SSL)
|
|
|
|
|
&& (err != SSL_ERROR_SYSCALL)
|
|
|
|
|
&& (err != SSL_ERROR_ZERO_RETURN);
|
|
|
|
|
}
|
|
|
|
|
|
1999-04-19 21:31:43 +00:00
|
|
|
static int init_ssl_connection(SSL *con)
|
1998-12-21 10:52:47 +00:00
|
|
|
{
|
|
|
|
|
int i;
|
2015-09-05 12:32:58 +00:00
|
|
|
long verify_err;
|
2016-05-20 10:20:22 +00:00
|
|
|
int retry = 0;
|
2015-04-09 09:01:05 +00:00
|
|
|
|
2017-12-29 17:37:04 +00:00
|
|
|
if (dtlslisten || stateless) {
|
2016-02-02 23:27:44 +00:00
|
|
|
BIO_ADDR *client = NULL;
|
|
|
|
|
|
2017-12-29 17:37:04 +00:00
|
|
|
if (dtlslisten) {
|
|
|
|
|
if ((client = BIO_ADDR_new()) == NULL) {
|
|
|
|
|
BIO_printf(bio_err, "ERROR - memory\n");
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
i = DTLSv1_listen(con, client);
|
|
|
|
|
} else {
|
|
|
|
|
i = SSL_stateless(con);
|
2016-02-02 23:27:44 +00:00
|
|
|
}
|
2015-04-09 09:01:05 +00:00
|
|
|
if (i > 0) {
|
|
|
|
|
BIO *wbio;
|
2015-09-23 17:57:42 +00:00
|
|
|
int fd = -1;
|
2015-04-09 09:01:05 +00:00
|
|
|
|
2017-12-29 17:37:04 +00:00
|
|
|
if (dtlslisten) {
|
|
|
|
|
wbio = SSL_get_wbio(con);
|
|
|
|
|
if (wbio) {
|
|
|
|
|
BIO_get_fd(wbio, &fd);
|
|
|
|
|
}
|
2015-04-09 09:01:05 +00:00
|
|
|
|
2017-12-29 17:37:04 +00:00
|
|
|
if (!wbio || BIO_connect(fd, client, 0) == 0) {
|
|
|
|
|
BIO_printf(bio_err, "ERROR - unable to connect\n");
|
|
|
|
|
BIO_ADDR_free(client);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
2018-11-21 02:00:52 +00:00
|
|
|
|
|
|
|
|
(void)BIO_ctrl_set_connected(wbio, client);
|
2016-02-02 23:27:44 +00:00
|
|
|
BIO_ADDR_free(client);
|
2017-12-29 17:37:04 +00:00
|
|
|
dtlslisten = 0;
|
|
|
|
|
} else {
|
|
|
|
|
stateless = 0;
|
2015-04-09 09:01:05 +00:00
|
|
|
}
|
|
|
|
|
i = SSL_accept(con);
|
2016-04-26 17:33:03 +00:00
|
|
|
} else {
|
|
|
|
|
BIO_ADDR_free(client);
|
2015-04-09 09:01:05 +00:00
|
|
|
}
|
2017-12-29 17:37:04 +00:00
|
|
|
} else {
|
|
|
|
|
do {
|
|
|
|
|
i = SSL_accept(con);
|
1998-12-21 10:52:47 +00:00
|
|
|
|
2017-12-29 17:37:04 +00:00
|
|
|
if (i <= 0)
|
|
|
|
|
retry = is_retryable(con, i);
|
2014-01-26 00:51:09 +00:00
|
|
|
#ifdef CERT_CB_TEST_RETRY
|
2017-12-29 17:37:04 +00:00
|
|
|
{
|
|
|
|
|
while (i <= 0
|
|
|
|
|
&& SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP
|
|
|
|
|
&& SSL_get_state(con) == TLS_ST_SR_CLNT_HELLO) {
|
|
|
|
|
BIO_printf(bio_err,
|
|
|
|
|
"LOOKUP from certificate callback during accept\n");
|
|
|
|
|
i = SSL_accept(con);
|
|
|
|
|
if (i <= 0)
|
|
|
|
|
retry = is_retryable(con, i);
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
#ifndef OPENSSL_NO_SRP
|
2016-08-07 10:04:26 +00:00
|
|
|
while (i <= 0
|
2017-12-29 17:37:04 +00:00
|
|
|
&& SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP) {
|
|
|
|
|
BIO_printf(bio_s_out, "LOOKUP during accept %s\n",
|
|
|
|
|
srp_callback_parm.login);
|
2021-02-05 11:28:15 +00:00
|
|
|
|
|
|
|
|
lookup_srp_user(&srp_callback_parm, bio_s_out);
|
|
|
|
|
|
2015-02-13 23:33:12 +00:00
|
|
|
i = SSL_accept(con);
|
2016-05-20 10:20:22 +00:00
|
|
|
if (i <= 0)
|
2017-04-26 13:00:35 +00:00
|
|
|
retry = is_retryable(con, i);
|
2015-02-13 23:33:12 +00:00
|
|
|
}
|
2014-01-26 00:51:09 +00:00
|
|
|
#endif
|
2017-12-29 17:37:04 +00:00
|
|
|
} while (i < 0 && SSL_waiting_for_async(con));
|
|
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2011-12-27 14:21:45 +00:00
|
|
|
if (i <= 0) {
|
2017-12-29 17:37:04 +00:00
|
|
|
if (((dtlslisten || stateless) && i == 0)
|
|
|
|
|
|| (!dtlslisten && !stateless && retry)) {
|
1998-12-21 10:52:47 +00:00
|
|
|
BIO_printf(bio_s_out, "DELAY\n");
|
2017-10-09 11:05:58 +00:00
|
|
|
return 1;
|
1998-12-21 10:52:47 +00:00
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
|
1998-12-21 10:52:47 +00:00
|
|
|
BIO_printf(bio_err, "ERROR\n");
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
|
2015-09-05 12:32:58 +00:00
|
|
|
verify_err = SSL_get_verify_result(con);
|
|
|
|
|
if (verify_err != X509_V_OK) {
|
1998-12-21 10:52:47 +00:00
|
|
|
BIO_printf(bio_err, "verify error:%s\n",
|
2015-09-05 12:32:58 +00:00
|
|
|
X509_verify_cert_error_string(verify_err));
|
1998-12-21 10:52:47 +00:00
|
|
|
}
|
2012-08-15 15:15:05 +00:00
|
|
|
/* Always print any error messages */
|
|
|
|
|
ERR_print_errors(bio_err);
|
2017-10-17 14:04:09 +00:00
|
|
|
return 0;
|
1998-12-21 10:52:47 +00:00
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2017-02-27 20:55:04 +00:00
|
|
|
print_connection_info(con);
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void print_connection_info(SSL *con)
|
|
|
|
|
{
|
|
|
|
|
const char *str;
|
|
|
|
|
X509 *peer;
|
|
|
|
|
char buf[BUFSIZ];
|
|
|
|
|
#if !defined(OPENSSL_NO_NEXTPROTONEG)
|
|
|
|
|
const unsigned char *next_proto_neg;
|
|
|
|
|
unsigned next_proto_neg_len;
|
|
|
|
|
#endif
|
|
|
|
|
unsigned char *exportedkeymat;
|
|
|
|
|
int i;
|
|
|
|
|
|
2012-09-12 23:14:28 +00:00
|
|
|
if (s_brief)
|
2015-04-29 15:27:08 +00:00
|
|
|
print_ssl_summary(con);
|
2015-01-22 03:40:55 +00:00
|
|
|
|
1998-12-21 10:52:47 +00:00
|
|
|
PEM_write_bio_SSL_SESSION(bio_s_out, SSL_get_session(con));
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2019-04-11 14:47:13 +00:00
|
|
|
peer = SSL_get0_peer_certificate(con);
|
1998-12-21 10:52:47 +00:00
|
|
|
if (peer != NULL) {
|
|
|
|
|
BIO_printf(bio_s_out, "Client certificate\n");
|
|
|
|
|
PEM_write_bio_X509(bio_s_out, peer);
|
2017-04-25 16:25:42 +00:00
|
|
|
dump_cert_text(bio_s_out, peer);
|
2016-03-07 20:00:02 +00:00
|
|
|
peer = NULL;
|
1998-12-21 10:52:47 +00:00
|
|
|
}
|
2021-01-27 19:23:33 +00:00
|
|
|
/* Only display RPK information if configured */
|
|
|
|
|
if (SSL_get_negotiated_server_cert_type(con) == TLSEXT_cert_type_rpk)
|
|
|
|
|
BIO_printf(bio_s_out, "Server-to-client raw public key negotiated\n");
|
|
|
|
|
if (SSL_get_negotiated_client_cert_type(con) == TLSEXT_cert_type_rpk)
|
|
|
|
|
BIO_printf(bio_s_out, "Client-to-server raw public key negotiated\n");
|
|
|
|
|
if (enable_client_rpk) {
|
|
|
|
|
EVP_PKEY *client_rpk = SSL_get0_peer_rpk(con);
|
|
|
|
|
|
|
|
|
|
if (client_rpk != NULL) {
|
|
|
|
|
BIO_printf(bio_s_out, "Client raw public key\n");
|
|
|
|
|
EVP_PKEY_print_public(bio_s_out, client_rpk, 2, NULL);
|
|
|
|
|
}
|
|
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2017-12-07 18:39:34 +00:00
|
|
|
if (SSL_get_shared_ciphers(con, buf, sizeof(buf)) != NULL)
|
1998-12-21 10:52:47 +00:00
|
|
|
BIO_printf(bio_s_out, "Shared ciphers:%s\n", buf);
|
|
|
|
|
str = SSL_CIPHER_get_name(SSL_get_current_cipher(con));
|
2012-07-08 14:22:45 +00:00
|
|
|
ssl_print_sigalgs(bio_s_out, con);
|
2013-08-17 16:40:08 +00:00
|
|
|
#ifndef OPENSSL_NO_EC
|
2012-11-22 15:20:53 +00:00
|
|
|
ssl_print_point_formats(bio_s_out, con);
|
2016-11-09 14:51:06 +00:00
|
|
|
ssl_print_groups(bio_s_out, con, 0);
|
2013-08-17 16:40:08 +00:00
|
|
|
#endif
|
2017-03-31 16:04:28 +00:00
|
|
|
print_ca_names(bio_s_out, con);
|
1998-12-21 10:52:47 +00:00
|
|
|
BIO_printf(bio_s_out, "CIPHER is %s\n", (str != NULL) ? str : "(NONE)");
|
2012-03-06 14:28:21 +00:00
|
|
|
|
2015-05-15 09:49:56 +00:00
|
|
|
#if !defined(OPENSSL_NO_NEXTPROTONEG)
|
2010-07-28 10:06:55 +00:00
|
|
|
SSL_get0_next_proto_negotiated(con, &next_proto_neg, &next_proto_neg_len);
|
|
|
|
|
if (next_proto_neg) {
|
|
|
|
|
BIO_printf(bio_s_out, "NEXTPROTO is ");
|
|
|
|
|
BIO_write(bio_s_out, next_proto_neg, next_proto_neg_len);
|
|
|
|
|
BIO_printf(bio_s_out, "\n");
|
|
|
|
|
}
|
|
|
|
|
#endif
|
2014-12-22 11:15:51 +00:00
|
|
|
#ifndef OPENSSL_NO_SRTP
|
2011-11-15 22:59:20 +00:00
|
|
|
{
|
|
|
|
|
SRTP_PROTECTION_PROFILE *srtp_profile
|
|
|
|
|
= SSL_get_selected_srtp_profile(con);
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2011-11-15 22:59:20 +00:00
|
|
|
if (srtp_profile)
|
|
|
|
|
BIO_printf(bio_s_out, "SRTP Extension negotiated, profile=%s\n",
|
|
|
|
|
srtp_profile->name);
|
|
|
|
|
}
|
2014-12-22 11:15:51 +00:00
|
|
|
#endif
|
2016-02-08 16:18:26 +00:00
|
|
|
if (SSL_session_reused(con))
|
2011-04-29 22:37:12 +00:00
|
|
|
BIO_printf(bio_s_out, "Reused session-id\n");
|
2021-10-28 14:13:47 +00:00
|
|
|
|
|
|
|
|
ssl_print_secure_renegotiation_notes(bio_s_out, con);
|
|
|
|
|
|
2017-05-10 20:46:14 +00:00
|
|
|
if ((SSL_get_options(con) & SSL_OP_NO_RENEGOTIATION))
|
|
|
|
|
BIO_printf(bio_s_out, "Renegotiation is DISABLED\n");
|
|
|
|
|
|
2012-02-11 23:20:53 +00:00
|
|
|
if (keymatexportlabel != NULL) {
|
|
|
|
|
BIO_printf(bio_s_out, "Keying material exporter:\n");
|
|
|
|
|
BIO_printf(bio_s_out, " Label: '%s'\n", keymatexportlabel);
|
|
|
|
|
BIO_printf(bio_s_out, " Length: %i bytes\n", keymatexportlen);
|
2015-04-30 21:48:31 +00:00
|
|
|
exportedkeymat = app_malloc(keymatexportlen, "export key");
|
2021-11-14 16:27:31 +00:00
|
|
|
if (SSL_export_keying_material(con, exportedkeymat,
|
2015-04-30 21:48:31 +00:00
|
|
|
keymatexportlen,
|
|
|
|
|
keymatexportlabel,
|
|
|
|
|
strlen(keymatexportlabel),
|
2021-11-14 16:27:31 +00:00
|
|
|
NULL, 0, 0) <= 0) {
|
2015-04-30 21:48:31 +00:00
|
|
|
BIO_printf(bio_s_out, " Error\n");
|
|
|
|
|
} else {
|
|
|
|
|
BIO_printf(bio_s_out, " Keying material: ");
|
|
|
|
|
for (i = 0; i < keymatexportlen; i++)
|
|
|
|
|
BIO_printf(bio_s_out, "%02X", exportedkeymat[i]);
|
|
|
|
|
BIO_printf(bio_s_out, "\n");
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
2015-04-30 21:48:31 +00:00
|
|
|
OPENSSL_free(exportedkeymat);
|
2012-02-11 23:20:53 +00:00
|
|
|
}
|
2018-11-14 21:53:57 +00:00
|
|
|
#ifndef OPENSSL_NO_KTLS
|
|
|
|
|
if (BIO_get_ktls_send(SSL_get_wbio(con)))
|
|
|
|
|
BIO_printf(bio_err, "Using Kernel TLS for sending\n");
|
2018-12-06 19:17:26 +00:00
|
|
|
if (BIO_get_ktls_recv(SSL_get_rbio(con)))
|
|
|
|
|
BIO_printf(bio_err, "Using Kernel TLS for receiving\n");
|
2018-11-14 21:53:57 +00:00
|
|
|
#endif
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2016-08-07 10:04:26 +00:00
|
|
|
(void)BIO_flush(bio_s_out);
|
1998-12-21 10:52:47 +00:00
|
|
|
}
|
|
|
|
|
|
2017-04-20 08:56:56 +00:00
|
|
|
static int www_body(int s, int stype, int prot, unsigned char *context)
|
1998-12-21 10:52:47 +00:00
|
|
|
{
|
2021-06-21 06:55:50 +00:00
|
|
|
char *buf = NULL, *p;
|
1998-12-21 10:52:47 +00:00
|
|
|
int ret = 1;
|
2010-06-12 14:13:23 +00:00
|
|
|
int i, j, k, dot;
|
1998-12-21 10:52:47 +00:00
|
|
|
SSL *con;
|
2008-10-12 14:32:47 +00:00
|
|
|
const SSL_CIPHER *c;
|
1998-12-21 10:52:47 +00:00
|
|
|
BIO *io, *ssl_bio, *sbio;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
#ifdef RENEG
|
|
|
|
|
int total_bytes = 0;
|
|
|
|
|
#endif
|
2015-09-11 12:11:37 +00:00
|
|
|
int width;
|
2022-03-01 16:47:03 +00:00
|
|
|
#ifndef OPENSSL_NO_KTLS
|
|
|
|
|
int use_sendfile_for_req = use_sendfile;
|
|
|
|
|
#endif
|
2015-09-11 12:11:37 +00:00
|
|
|
fd_set readfds;
|
2019-05-08 23:16:19 +00:00
|
|
|
const char *opmode;
|
2022-02-16 03:27:23 +00:00
|
|
|
#ifdef CHARSET_EBCDIC
|
|
|
|
|
BIO *filter;
|
|
|
|
|
#endif
|
2015-09-11 12:11:37 +00:00
|
|
|
|
|
|
|
|
/* Set width for a select call if needed */
|
|
|
|
|
width = s + 1;
|
1998-12-21 10:52:47 +00:00
|
|
|
|
2022-01-17 19:55:04 +00:00
|
|
|
/* as we use BIO_gets(), and it always null terminates data, we need
|
|
|
|
|
* to allocate 1 byte longer buffer to fit the full 2^14 byte record */
|
|
|
|
|
p = buf = app_malloc(bufsize + 1, "server www buffer");
|
1998-12-21 10:52:47 +00:00
|
|
|
io = BIO_new(BIO_f_buffer());
|
|
|
|
|
ssl_bio = BIO_new(BIO_f_ssl());
|
|
|
|
|
if ((io == NULL) || (ssl_bio == NULL))
|
|
|
|
|
goto err;
|
|
|
|
|
|
|
|
|
|
if (s_nbio) {
|
2016-02-27 18:24:28 +00:00
|
|
|
if (!BIO_socket_nbio(s, 1))
|
1998-12-21 10:56:39 +00:00
|
|
|
ERR_print_errors(bio_err);
|
2016-02-27 18:24:28 +00:00
|
|
|
else if (!s_quiet)
|
|
|
|
|
BIO_printf(bio_err, "Turned on non blocking io\n");
|
1998-12-21 10:52:47 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
|
|
/* lets make the output buffer a reasonable size */
|
2022-12-02 08:35:53 +00:00
|
|
|
if (BIO_set_write_buffer_size(io, bufsize) <= 0)
|
1998-12-21 11:00:56 +00:00
|
|
|
goto err;
|
1998-12-21 10:52:47 +00:00
|
|
|
|
2000-02-03 02:56:48 +00:00
|
|
|
if ((con = SSL_new(ctx)) == NULL)
|
|
|
|
|
goto err;
|
2015-05-15 09:49:56 +00:00
|
|
|
|
2007-08-11 23:18:29 +00:00
|
|
|
if (s_tlsextdebug) {
|
|
|
|
|
SSL_set_tlsext_debug_callback(con, tlsext_cb);
|
|
|
|
|
SSL_set_tlsext_debug_arg(con, bio_s_out);
|
|
|
|
|
}
|
2015-05-15 09:49:56 +00:00
|
|
|
|
2017-06-12 17:24:02 +00:00
|
|
|
if (context != NULL
|
2016-08-07 10:04:26 +00:00
|
|
|
&& !SSL_set_session_id_context(con, context,
|
2018-08-27 14:04:28 +00:00
|
|
|
strlen((char *)context))) {
|
|
|
|
|
SSL_free(con);
|
2015-03-06 14:39:46 +00:00
|
|
|
goto err;
|
2018-08-27 14:04:28 +00:00
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
|
1998-12-21 10:52:47 +00:00
|
|
|
sbio = BIO_new_socket(s, BIO_NOCLOSE);
|
2022-02-16 03:27:23 +00:00
|
|
|
if (sbio == NULL) {
|
|
|
|
|
SSL_free(con);
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
|
1998-12-21 10:52:47 +00:00
|
|
|
if (s_nbio_test) {
|
|
|
|
|
BIO *test;
|
2015-01-22 03:40:55 +00:00
|
|
|
|
1998-12-21 10:52:47 +00:00
|
|
|
test = BIO_new(BIO_f_nbio_test());
|
2022-02-16 03:27:23 +00:00
|
|
|
if (test == NULL) {
|
|
|
|
|
SSL_free(con);
|
|
|
|
|
BIO_free(sbio);
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
|
1998-12-21 10:52:47 +00:00
|
|
|
sbio = BIO_push(test, sbio);
|
|
|
|
|
}
|
|
|
|
|
SSL_set_bio(con, sbio, sbio);
|
|
|
|
|
SSL_set_accept_state(con);
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2018-08-27 14:04:28 +00:00
|
|
|
/* No need to free |con| after this. Done by BIO_free(ssl_bio) */
|
1998-12-21 10:52:47 +00:00
|
|
|
BIO_set_ssl(ssl_bio, con, BIO_CLOSE);
|
|
|
|
|
BIO_push(io, ssl_bio);
|
2021-06-25 02:55:28 +00:00
|
|
|
ssl_bio = NULL;
|
1999-06-04 21:35:58 +00:00
|
|
|
#ifdef CHARSET_EBCDIC
|
2022-02-16 03:27:23 +00:00
|
|
|
filter = BIO_new(BIO_f_ebcdic_filter());
|
|
|
|
|
if (filter == NULL)
|
|
|
|
|
goto err;
|
|
|
|
|
|
|
|
|
|
io = BIO_push(filter, io);
|
1999-06-04 21:35:58 +00:00
|
|
|
#endif
|
1998-12-21 10:52:47 +00:00
|
|
|
|
|
|
|
|
if (s_debug) {
|
2021-05-24 16:15:57 +00:00
|
|
|
BIO_set_callback_ex(SSL_get_rbio(con), bio_dump_callback);
|
2006-11-29 20:54:57 +00:00
|
|
|
BIO_set_callback_arg(SSL_get_rbio(con), (char *)bio_s_out);
|
1998-12-21 10:52:47 +00:00
|
|
|
}
|
2001-10-20 17:56:36 +00:00
|
|
|
if (s_msg) {
|
2012-06-15 12:46:09 +00:00
|
|
|
#ifndef OPENSSL_NO_SSL_TRACE
|
|
|
|
|
if (s_msg == 2)
|
|
|
|
|
SSL_set_msg_callback(con, SSL_trace);
|
|
|
|
|
else
|
|
|
|
|
#endif
|
|
|
|
|
SSL_set_msg_callback(con, msg_cb);
|
|
|
|
|
SSL_set_msg_callback_arg(con, bio_s_msg ? bio_s_msg : bio_s_out);
|
2001-10-20 17:56:36 +00:00
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
|
1998-12-21 10:52:47 +00:00
|
|
|
for (;;) {
|
2022-01-17 19:55:04 +00:00
|
|
|
i = BIO_gets(io, buf, bufsize + 1);
|
1998-12-21 10:52:47 +00:00
|
|
|
if (i < 0) { /* error */
|
2015-03-27 15:20:24 +00:00
|
|
|
if (!BIO_should_retry(io) && !SSL_waiting_for_async(con)) {
|
1998-12-21 10:52:47 +00:00
|
|
|
if (!s_quiet)
|
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
|
goto err;
|
|
|
|
|
} else {
|
|
|
|
|
BIO_printf(bio_s_out, "read R BLOCK\n");
|
2015-09-12 01:37:48 +00:00
|
|
|
#ifndef OPENSSL_NO_SRP
|
|
|
|
|
if (BIO_should_io_special(io)
|
|
|
|
|
&& BIO_get_retry_reason(io) == BIO_RR_SSL_X509_LOOKUP) {
|
|
|
|
|
BIO_printf(bio_s_out, "LOOKUP renego during read\n");
|
2021-02-05 11:28:15 +00:00
|
|
|
|
|
|
|
|
lookup_srp_user(&srp_callback_parm, bio_s_out);
|
|
|
|
|
|
2015-09-12 01:37:48 +00:00
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
#endif
|
2022-10-03 05:22:52 +00:00
|
|
|
OSSL_sleep(1000);
|
1998-12-21 10:52:47 +00:00
|
|
|
continue;
|
|
|
|
|
}
|
2013-08-17 16:40:08 +00:00
|
|
|
} else if (i == 0) { /* end of input */
|
2001-03-10 16:20:52 +00:00
|
|
|
ret = 1;
|
2001-03-30 10:47:21 +00:00
|
|
|
goto end;
|
1998-12-21 10:52:47 +00:00
|
|
|
}
|
|
|
|
|
|
2010-01-27 17:49:33 +00:00
|
|
|
/* else we have data */
|
2021-06-21 06:55:50 +00:00
|
|
|
if ((www == 1 && HAS_PREFIX(buf, "GET "))
|
|
|
|
|
|| (www == 2 && HAS_PREFIX(buf, "GET /stats "))) {
|
2016-03-07 20:00:02 +00:00
|
|
|
X509 *peer = NULL;
|
1999-04-12 17:23:57 +00:00
|
|
|
STACK_OF(SSL_CIPHER) *sk;
|
2005-04-05 19:11:19 +00:00
|
|
|
static const char *space = " ";
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2021-06-21 06:55:50 +00:00
|
|
|
if (www == 1 && HAS_PREFIX(buf, "GET /reneg")) {
|
|
|
|
|
if (HAS_PREFIX(buf, "GET /renegcert"))
|
2010-01-28 19:48:36 +00:00
|
|
|
SSL_set_verify(con,
|
|
|
|
|
SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE,
|
2015-01-22 03:40:55 +00:00
|
|
|
NULL);
|
1998-12-21 10:56:39 +00:00
|
|
|
i = SSL_renegotiate(con);
|
2010-01-28 19:48:36 +00:00
|
|
|
BIO_printf(bio_s_out, "SSL_renegotiate -> %d\n", i);
|
2015-09-11 12:11:37 +00:00
|
|
|
/* Send the HelloRequest */
|
2010-01-28 19:48:36 +00:00
|
|
|
i = SSL_do_handshake(con);
|
|
|
|
|
if (i <= 0) {
|
|
|
|
|
BIO_printf(bio_s_out, "SSL_do_handshake() Retval %d\n",
|
|
|
|
|
SSL_get_error(con, i));
|
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
|
goto err;
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
2015-09-11 12:11:37 +00:00
|
|
|
/* Wait for a ClientHello to come back */
|
|
|
|
|
FD_ZERO(&readfds);
|
|
|
|
|
openssl_fdset(s, &readfds);
|
|
|
|
|
i = select(width, (void *)&readfds, NULL, NULL, NULL);
|
|
|
|
|
if (i <= 0 || !FD_ISSET(s, &readfds)) {
|
2016-08-07 10:04:26 +00:00
|
|
|
BIO_printf(bio_s_out,
|
|
|
|
|
"Error waiting for client response\n");
|
2010-01-28 19:48:36 +00:00
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
|
goto err;
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
2015-09-11 12:11:37 +00:00
|
|
|
/*
|
2016-03-07 20:00:02 +00:00
|
|
|
* We're not actually expecting any data here and we ignore
|
2015-09-11 12:11:37 +00:00
|
|
|
* any that is sent. This is just to force the handshake that
|
|
|
|
|
* we're expecting to come from the client. If they haven't
|
|
|
|
|
* sent one there's not much we can do.
|
|
|
|
|
*/
|
2022-01-17 19:55:04 +00:00
|
|
|
BIO_gets(io, buf, bufsize + 1);
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
|
|
|
|
|
1998-12-21 10:52:47 +00:00
|
|
|
BIO_puts(io,
|
2001-03-10 16:20:52 +00:00
|
|
|
"HTTP/1.0 200 ok\r\nContent-type: text/html\r\n\r\n");
|
1999-06-04 21:35:58 +00:00
|
|
|
BIO_puts(io, "<HTML><BODY BGCOLOR=\"#ffffff\">\n");
|
1998-12-21 10:52:47 +00:00
|
|
|
BIO_puts(io, "<pre>\n");
|
2016-03-07 20:00:02 +00:00
|
|
|
/* BIO_puts(io, OpenSSL_version(OPENSSL_VERSION)); */
|
1998-12-21 10:52:47 +00:00
|
|
|
BIO_puts(io, "\n");
|
|
|
|
|
for (i = 0; i < local_argc; i++) {
|
2015-04-25 20:06:19 +00:00
|
|
|
const char *myp;
|
2021-06-21 06:55:50 +00:00
|
|
|
|
2015-04-25 20:06:19 +00:00
|
|
|
for (myp = local_argv[i]; *myp; myp++)
|
|
|
|
|
switch (*myp) {
|
|
|
|
|
case '<':
|
|
|
|
|
BIO_puts(io, "<");
|
|
|
|
|
break;
|
|
|
|
|
case '>':
|
|
|
|
|
BIO_puts(io, ">");
|
|
|
|
|
break;
|
|
|
|
|
case '&':
|
|
|
|
|
BIO_puts(io, "&");
|
|
|
|
|
break;
|
|
|
|
|
default:
|
|
|
|
|
BIO_write(io, myp, 1);
|
|
|
|
|
break;
|
|
|
|
|
}
|
1998-12-21 10:52:47 +00:00
|
|
|
BIO_write(io, " ", 1);
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
1998-12-21 10:52:47 +00:00
|
|
|
BIO_puts(io, "\n");
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2021-10-28 14:13:47 +00:00
|
|
|
ssl_print_secure_renegotiation_notes(io, con);
|
2015-01-22 03:40:55 +00:00
|
|
|
|
|
|
|
|
/*
|
1998-12-21 10:52:47 +00:00
|
|
|
* The following is evil and should not really be done
|
2015-01-22 03:40:55 +00:00
|
|
|
*/
|
1998-12-21 10:52:47 +00:00
|
|
|
BIO_printf(io, "Ciphers supported in s_server binary\n");
|
|
|
|
|
sk = SSL_get_ciphers(con);
|
1999-04-12 17:23:57 +00:00
|
|
|
j = sk_SSL_CIPHER_num(sk);
|
1998-12-21 10:52:47 +00:00
|
|
|
for (i = 0; i < j; i++) {
|
1999-04-12 17:23:57 +00:00
|
|
|
c = sk_SSL_CIPHER_value(sk, i);
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
BIO_printf(io, "%-11s:%-25s ",
|
1998-12-21 10:52:47 +00:00
|
|
|
SSL_CIPHER_get_version(c), SSL_CIPHER_get_name(c));
|
1998-12-21 10:56:39 +00:00
|
|
|
if ((((i + 1) % 2) == 0) && (i + 1 != j))
|
1998-12-21 10:52:47 +00:00
|
|
|
BIO_puts(io, "\n");
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
1998-12-21 10:52:47 +00:00
|
|
|
BIO_puts(io, "\n");
|
1998-12-21 11:00:56 +00:00
|
|
|
p = SSL_get_shared_ciphers(con, buf, bufsize);
|
1998-12-21 10:52:47 +00:00
|
|
|
if (p != NULL) {
|
2010-01-28 19:48:36 +00:00
|
|
|
BIO_printf(io,
|
1998-12-21 10:52:47 +00:00
|
|
|
"---\nCiphers common between both SSL end points:\n");
|
2015-01-22 03:40:55 +00:00
|
|
|
j = i = 0;
|
1998-12-21 10:52:47 +00:00
|
|
|
while (*p) {
|
|
|
|
|
if (*p == ':') {
|
1998-12-21 10:56:39 +00:00
|
|
|
BIO_write(io, space, 26 - j);
|
2015-01-22 03:40:55 +00:00
|
|
|
i++;
|
|
|
|
|
j = 0;
|
1998-12-21 10:52:47 +00:00
|
|
|
BIO_write(io, ((i % 3) ? " " : "\n"), 1);
|
2015-01-22 03:40:55 +00:00
|
|
|
} else {
|
2012-09-14 13:27:05 +00:00
|
|
|
BIO_write(io, p, 1);
|
2015-01-22 03:40:55 +00:00
|
|
|
j++;
|
|
|
|
|
}
|
|
|
|
|
p++;
|
|
|
|
|
}
|
1998-12-21 10:52:47 +00:00
|
|
|
BIO_puts(io, "\n");
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
2012-07-08 14:22:45 +00:00
|
|
|
ssl_print_sigalgs(io, con);
|
2013-08-17 16:40:08 +00:00
|
|
|
#ifndef OPENSSL_NO_EC
|
2016-11-09 14:51:06 +00:00
|
|
|
ssl_print_groups(io, con, 0);
|
2015-01-22 03:40:55 +00:00
|
|
|
#endif
|
2017-03-31 16:04:28 +00:00
|
|
|
print_ca_names(io, con);
|
2016-02-08 16:18:26 +00:00
|
|
|
BIO_printf(io, (SSL_session_reused(con)
|
1998-12-21 10:52:47 +00:00
|
|
|
? "---\nReused, " : "---\nNew, "));
|
|
|
|
|
c = SSL_get_current_cipher(con);
|
1998-12-21 10:56:39 +00:00
|
|
|
BIO_printf(io, "%s, Cipher is %s\n",
|
1998-12-21 10:52:47 +00:00
|
|
|
SSL_CIPHER_get_version(c), SSL_CIPHER_get_name(c));
|
|
|
|
|
SSL_SESSION_print(io, SSL_get_session(con));
|
|
|
|
|
BIO_printf(io, "---\n");
|
|
|
|
|
print_stats(io, SSL_get_SSL_CTX(con));
|
|
|
|
|
BIO_printf(io, "---\n");
|
2019-04-11 14:47:13 +00:00
|
|
|
peer = SSL_get0_peer_certificate(con);
|
1998-12-21 10:52:47 +00:00
|
|
|
if (peer != NULL) {
|
|
|
|
|
BIO_printf(io, "Client certificate\n");
|
|
|
|
|
X509_print(io, peer);
|
|
|
|
|
PEM_write_bio_X509(io, peer);
|
2016-03-07 20:00:02 +00:00
|
|
|
peer = NULL;
|
2017-08-05 06:31:04 +00:00
|
|
|
} else {
|
1998-12-21 10:52:47 +00:00
|
|
|
BIO_puts(io, "no client certificate available\n");
|
2017-08-05 06:31:04 +00:00
|
|
|
}
|
|
|
|
|
BIO_puts(io, "</pre></BODY></HTML>\r\n\r\n");
|
2015-01-22 03:40:55 +00:00
|
|
|
break;
|
2021-12-08 07:53:49 +00:00
|
|
|
} else if ((www == 2 || www == 3) && CHECK_AND_SKIP_PREFIX(p, "GET /")) {
|
1998-12-21 10:52:47 +00:00
|
|
|
BIO *file;
|
2021-06-21 06:55:50 +00:00
|
|
|
char *e;
|
2005-04-05 19:11:19 +00:00
|
|
|
static const char *text =
|
|
|
|
|
"HTTP/1.0 200 ok\r\nContent-type: text/plain\r\n\r\n";
|
2015-01-22 03:40:55 +00:00
|
|
|
|
|
|
|
|
dot = 1;
|
1998-12-21 10:52:47 +00:00
|
|
|
for (e = p; *e != '\0'; e++) {
|
2001-03-30 10:47:21 +00:00
|
|
|
if (e[0] == ' ')
|
2015-01-22 03:40:55 +00:00
|
|
|
break;
|
|
|
|
|
|
2019-10-18 15:40:44 +00:00
|
|
|
if (e[0] == ':') {
|
|
|
|
|
/* Windows drive. We treat this the same way as ".." */
|
|
|
|
|
dot = -1;
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
2001-03-30 10:47:21 +00:00
|
|
|
switch (dot) {
|
2015-01-22 03:40:55 +00:00
|
|
|
case 1:
|
2001-03-30 10:47:21 +00:00
|
|
|
dot = (e[0] == '.') ? 2 : 0;
|
2015-01-22 03:40:55 +00:00
|
|
|
break;
|
|
|
|
|
case 2:
|
2001-03-30 10:47:21 +00:00
|
|
|
dot = (e[0] == '.') ? 3 : 0;
|
2015-01-22 03:40:55 +00:00
|
|
|
break;
|
|
|
|
|
case 3:
|
2019-10-18 15:40:44 +00:00
|
|
|
dot = (e[0] == '/' || e[0] == '\\') ? -1 : 0;
|
2015-01-22 03:40:55 +00:00
|
|
|
break;
|
|
|
|
|
}
|
2001-03-30 14:55:50 +00:00
|
|
|
if (dot == 0)
|
2019-10-18 15:40:44 +00:00
|
|
|
dot = (e[0] == '/' || e[0] == '\\') ? 1 : 0;
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
2001-03-30 10:47:21 +00:00
|
|
|
dot = (dot == 3) || (dot == -1); /* filename contains ".."
|
|
|
|
|
* component */
|
2015-01-22 03:40:55 +00:00
|
|
|
|
1998-12-21 10:52:47 +00:00
|
|
|
if (*e == '\0') {
|
|
|
|
|
BIO_puts(io, text);
|
|
|
|
|
BIO_printf(io, "'%s' is an invalid file name\r\n", p);
|
2015-01-22 03:40:55 +00:00
|
|
|
break;
|
|
|
|
|
}
|
1998-12-21 10:52:47 +00:00
|
|
|
*e = '\0';
|
2015-01-22 03:40:55 +00:00
|
|
|
|
|
|
|
|
if (dot) {
|
1998-12-21 10:52:47 +00:00
|
|
|
BIO_puts(io, text);
|
2019-10-18 15:40:44 +00:00
|
|
|
BIO_printf(io, "'%s' contains '..' or ':'\r\n", p);
|
2015-01-22 03:40:55 +00:00
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
|
2019-10-18 15:40:44 +00:00
|
|
|
if (*p == '/' || *p == '\\') {
|
1998-12-21 10:52:47 +00:00
|
|
|
BIO_puts(io, text);
|
|
|
|
|
BIO_printf(io, "'%s' is an invalid path\r\n", p);
|
2015-01-22 03:40:55 +00:00
|
|
|
break;
|
|
|
|
|
}
|
1998-12-21 10:52:47 +00:00
|
|
|
|
|
|
|
|
/* if a directory, do the index thang */
|
2005-11-04 09:30:55 +00:00
|
|
|
if (app_isdir(p) > 0) {
|
2001-03-31 07:48:07 +00:00
|
|
|
BIO_puts(io, text);
|
|
|
|
|
BIO_printf(io, "'%s' is a directory\r\n", p);
|
|
|
|
|
break;
|
1998-12-21 10:52:47 +00:00
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2019-05-08 23:16:19 +00:00
|
|
|
opmode = (http_server_binmode == 1) ? "rb" : "r";
|
|
|
|
|
if ((file = BIO_new_file(p, opmode)) == NULL) {
|
1998-12-21 10:52:47 +00:00
|
|
|
BIO_puts(io, text);
|
2019-05-08 23:16:19 +00:00
|
|
|
BIO_printf(io, "Error opening '%s' mode='%s'\r\n", p, opmode);
|
1998-12-21 10:52:47 +00:00
|
|
|
ERR_print_errors(io);
|
|
|
|
|
break;
|
|
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
|
1998-12-21 10:52:47 +00:00
|
|
|
if (!s_quiet)
|
|
|
|
|
BIO_printf(bio_err, "FILE:%s\n", p);
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2001-03-10 16:20:52 +00:00
|
|
|
if (www == 2) {
|
|
|
|
|
i = strlen(p);
|
|
|
|
|
if (((i > 5) && (strcmp(&(p[i - 5]), ".html") == 0)) ||
|
|
|
|
|
((i > 4) && (strcmp(&(p[i - 4]), ".php") == 0)) ||
|
|
|
|
|
((i > 4) && (strcmp(&(p[i - 4]), ".htm") == 0)))
|
|
|
|
|
BIO_puts(io,
|
|
|
|
|
"HTTP/1.0 200 ok\r\nContent-type: text/html\r\n\r\n");
|
|
|
|
|
else
|
|
|
|
|
BIO_puts(io,
|
|
|
|
|
"HTTP/1.0 200 ok\r\nContent-type: text/plain\r\n\r\n");
|
|
|
|
|
}
|
1998-12-21 10:52:47 +00:00
|
|
|
/* send the file */
|
2020-03-13 03:24:05 +00:00
|
|
|
#ifndef OPENSSL_NO_KTLS
|
2022-03-01 16:47:03 +00:00
|
|
|
if (use_sendfile_for_req && !BIO_get_ktls_send(SSL_get_wbio(con))) {
|
|
|
|
|
BIO_printf(bio_err, "Warning: sendfile requested but KTLS is not available\n");
|
|
|
|
|
use_sendfile_for_req = 0;
|
|
|
|
|
}
|
|
|
|
|
if (use_sendfile_for_req) {
|
2020-03-13 03:24:05 +00:00
|
|
|
FILE *fp = NULL;
|
|
|
|
|
int fd;
|
|
|
|
|
struct stat st;
|
|
|
|
|
off_t offset = 0;
|
|
|
|
|
size_t filesize;
|
|
|
|
|
|
|
|
|
|
BIO_get_fp(file, &fp);
|
|
|
|
|
fd = fileno(fp);
|
|
|
|
|
if (fstat(fd, &st) < 0) {
|
|
|
|
|
BIO_printf(io, "Error fstat '%s'\r\n", p);
|
|
|
|
|
ERR_print_errors(io);
|
|
|
|
|
goto write_error;
|
|
|
|
|
}
|
1998-12-21 10:52:47 +00:00
|
|
|
|
2020-03-13 03:24:05 +00:00
|
|
|
filesize = st.st_size;
|
|
|
|
|
if (((int)BIO_flush(io)) < 0)
|
|
|
|
|
goto write_error;
|
|
|
|
|
|
|
|
|
|
for (;;) {
|
|
|
|
|
i = SSL_sendfile(con, fd, offset, filesize, 0);
|
|
|
|
|
if (i < 0) {
|
|
|
|
|
BIO_printf(io, "Error SSL_sendfile '%s'\r\n", p);
|
|
|
|
|
ERR_print_errors(io);
|
|
|
|
|
break;
|
|
|
|
|
} else {
|
|
|
|
|
offset += i;
|
|
|
|
|
filesize -= i;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
if (filesize <= 0) {
|
|
|
|
|
if (!s_quiet)
|
|
|
|
|
BIO_printf(bio_err, "KTLS SENDFILE '%s' OK\n", p);
|
|
|
|
|
|
|
|
|
|
break;
|
|
|
|
|
}
|
1998-12-21 10:56:39 +00:00
|
|
|
}
|
2020-03-13 03:24:05 +00:00
|
|
|
} else
|
1998-12-21 11:00:56 +00:00
|
|
|
#endif
|
2020-03-13 03:24:05 +00:00
|
|
|
{
|
|
|
|
|
for (;;) {
|
|
|
|
|
i = BIO_read(file, buf, bufsize);
|
|
|
|
|
if (i <= 0)
|
|
|
|
|
break;
|
2015-01-22 03:40:55 +00:00
|
|
|
|
1998-12-21 10:56:39 +00:00
|
|
|
#ifdef RENEG
|
2020-03-13 03:24:05 +00:00
|
|
|
total_bytes += i;
|
|
|
|
|
BIO_printf(bio_err, "%d\n", i);
|
|
|
|
|
if (total_bytes > 3 * 1024) {
|
|
|
|
|
total_bytes = 0;
|
|
|
|
|
BIO_printf(bio_err, "RENEGOTIATE\n");
|
2016-08-03 20:49:25 +00:00
|
|
|
SSL_renegotiate(con);
|
1998-12-21 10:56:39 +00:00
|
|
|
}
|
|
|
|
|
#endif
|
2020-03-13 03:24:05 +00:00
|
|
|
|
|
|
|
|
for (j = 0; j < i;) {
|
|
|
|
|
#ifdef RENEG
|
|
|
|
|
static count = 0;
|
|
|
|
|
if (++count == 13)
|
|
|
|
|
SSL_renegotiate(con);
|
|
|
|
|
#endif
|
|
|
|
|
k = BIO_write(io, &(buf[j]), i - j);
|
|
|
|
|
if (k <= 0) {
|
|
|
|
|
if (!BIO_should_retry(io)
|
|
|
|
|
&& !SSL_waiting_for_async(con)) {
|
|
|
|
|
goto write_error;
|
|
|
|
|
} else {
|
|
|
|
|
BIO_printf(bio_s_out, "rwrite W BLOCK\n");
|
|
|
|
|
}
|
|
|
|
|
} else {
|
|
|
|
|
j += k;
|
1998-12-21 10:52:47 +00:00
|
|
|
}
|
|
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
|
|
|
|
}
|
1998-12-21 10:56:39 +00:00
|
|
|
write_error:
|
1998-12-21 10:52:47 +00:00
|
|
|
BIO_free(file);
|
|
|
|
|
break;
|
|
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
|
|
|
|
|
1998-12-21 10:52:47 +00:00
|
|
|
for (;;) {
|
|
|
|
|
i = (int)BIO_flush(io);
|
|
|
|
|
if (i <= 0) {
|
|
|
|
|
if (!BIO_should_retry(io))
|
|
|
|
|
break;
|
|
|
|
|
} else
|
|
|
|
|
break;
|
|
|
|
|
}
|
|
|
|
|
end:
|
2023-07-16 06:25:55 +00:00
|
|
|
/* make sure we reuse sessions */
|
2020-05-05 12:26:32 +00:00
|
|
|
do_ssl_shutdown(con);
|
1998-12-21 10:52:47 +00:00
|
|
|
|
|
|
|
|
err:
|
2015-05-01 14:02:07 +00:00
|
|
|
OPENSSL_free(buf);
|
2021-06-25 02:55:28 +00:00
|
|
|
BIO_free(ssl_bio);
|
2015-03-25 15:31:18 +00:00
|
|
|
BIO_free_all(io);
|
2017-10-17 14:04:09 +00:00
|
|
|
return ret;
|
1998-12-21 10:52:47 +00:00
|
|
|
}
|
|
|
|
|
|
2017-04-20 08:56:56 +00:00
|
|
|
static int rev_body(int s, int stype, int prot, unsigned char *context)
|
2012-09-14 13:27:05 +00:00
|
|
|
{
|
|
|
|
|
char *buf = NULL;
|
|
|
|
|
int i;
|
|
|
|
|
int ret = 1;
|
|
|
|
|
SSL *con;
|
|
|
|
|
BIO *io, *ssl_bio, *sbio;
|
2022-02-16 03:27:23 +00:00
|
|
|
#ifdef CHARSET_EBCDIC
|
|
|
|
|
BIO *filter;
|
|
|
|
|
#endif
|
2012-09-14 13:27:05 +00:00
|
|
|
|
2022-01-17 19:55:04 +00:00
|
|
|
/* as we use BIO_gets(), and it always null terminates data, we need
|
|
|
|
|
* to allocate 1 byte longer buffer to fit the full 2^14 byte record */
|
|
|
|
|
buf = app_malloc(bufsize + 1, "server rev buffer");
|
2012-09-14 13:27:05 +00:00
|
|
|
io = BIO_new(BIO_f_buffer());
|
|
|
|
|
ssl_bio = BIO_new(BIO_f_ssl());
|
|
|
|
|
if ((io == NULL) || (ssl_bio == NULL))
|
|
|
|
|
goto err;
|
|
|
|
|
|
|
|
|
|
/* lets make the output buffer a reasonable size */
|
2022-12-02 08:35:53 +00:00
|
|
|
if (BIO_set_write_buffer_size(io, bufsize) <= 0)
|
2012-09-14 13:27:05 +00:00
|
|
|
goto err;
|
|
|
|
|
|
|
|
|
|
if ((con = SSL_new(ctx)) == NULL)
|
|
|
|
|
goto err;
|
2015-05-15 09:49:56 +00:00
|
|
|
|
2012-09-14 13:27:05 +00:00
|
|
|
if (s_tlsextdebug) {
|
|
|
|
|
SSL_set_tlsext_debug_callback(con, tlsext_cb);
|
|
|
|
|
SSL_set_tlsext_debug_arg(con, bio_s_out);
|
|
|
|
|
}
|
2017-06-12 17:24:02 +00:00
|
|
|
if (context != NULL
|
2016-08-07 10:04:26 +00:00
|
|
|
&& !SSL_set_session_id_context(con, context,
|
|
|
|
|
strlen((char *)context))) {
|
2018-08-27 14:04:28 +00:00
|
|
|
SSL_free(con);
|
2015-03-06 14:39:46 +00:00
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2012-09-14 13:27:05 +00:00
|
|
|
sbio = BIO_new_socket(s, BIO_NOCLOSE);
|
2022-02-16 03:27:23 +00:00
|
|
|
if (sbio == NULL) {
|
|
|
|
|
SSL_free(con);
|
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
|
goto err;
|
|
|
|
|
}
|
|
|
|
|
|
2012-09-14 13:27:05 +00:00
|
|
|
SSL_set_bio(con, sbio, sbio);
|
|
|
|
|
SSL_set_accept_state(con);
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2018-08-27 14:04:28 +00:00
|
|
|
/* No need to free |con| after this. Done by BIO_free(ssl_bio) */
|
2012-09-14 13:27:05 +00:00
|
|
|
BIO_set_ssl(ssl_bio, con, BIO_CLOSE);
|
|
|
|
|
BIO_push(io, ssl_bio);
|
2021-06-25 02:55:28 +00:00
|
|
|
ssl_bio = NULL;
|
2012-09-14 13:27:05 +00:00
|
|
|
#ifdef CHARSET_EBCDIC
|
2022-02-16 03:27:23 +00:00
|
|
|
filter = BIO_new(BIO_f_ebcdic_filter());
|
|
|
|
|
if (filter == NULL)
|
|
|
|
|
goto err;
|
|
|
|
|
|
|
|
|
|
io = BIO_push(filter, io);
|
2012-09-14 13:27:05 +00:00
|
|
|
#endif
|
|
|
|
|
|
|
|
|
|
if (s_debug) {
|
2021-05-24 16:15:57 +00:00
|
|
|
BIO_set_callback_ex(SSL_get_rbio(con), bio_dump_callback);
|
2012-09-14 13:27:05 +00:00
|
|
|
BIO_set_callback_arg(SSL_get_rbio(con), (char *)bio_s_out);
|
|
|
|
|
}
|
|
|
|
|
if (s_msg) {
|
|
|
|
|
#ifndef OPENSSL_NO_SSL_TRACE
|
|
|
|
|
if (s_msg == 2)
|
|
|
|
|
SSL_set_msg_callback(con, SSL_trace);
|
|
|
|
|
else
|
|
|
|
|
#endif
|
|
|
|
|
SSL_set_msg_callback(con, msg_cb);
|
|
|
|
|
SSL_set_msg_callback_arg(con, bio_s_msg ? bio_s_msg : bio_s_out);
|
|
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2012-09-14 13:27:05 +00:00
|
|
|
for (;;) {
|
|
|
|
|
i = BIO_do_handshake(io);
|
|
|
|
|
if (i > 0)
|
|
|
|
|
break;
|
|
|
|
|
if (!BIO_should_retry(io)) {
|
|
|
|
|
BIO_puts(bio_err, "CONNECTION FAILURE\n");
|
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
2015-09-12 01:37:48 +00:00
|
|
|
#ifndef OPENSSL_NO_SRP
|
|
|
|
|
if (BIO_should_io_special(io)
|
|
|
|
|
&& BIO_get_retry_reason(io) == BIO_RR_SSL_X509_LOOKUP) {
|
|
|
|
|
BIO_printf(bio_s_out, "LOOKUP renego during accept\n");
|
2021-02-05 11:28:15 +00:00
|
|
|
|
|
|
|
|
lookup_srp_user(&srp_callback_parm, bio_s_out);
|
|
|
|
|
|
2015-09-12 01:37:48 +00:00
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
#endif
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
2012-09-14 13:27:05 +00:00
|
|
|
BIO_printf(bio_err, "CONNECTION ESTABLISHED\n");
|
2015-04-29 15:27:08 +00:00
|
|
|
print_ssl_summary(con);
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2012-09-14 13:27:05 +00:00
|
|
|
for (;;) {
|
2022-01-17 19:55:04 +00:00
|
|
|
i = BIO_gets(io, buf, bufsize + 1);
|
2012-09-14 13:27:05 +00:00
|
|
|
if (i < 0) { /* error */
|
|
|
|
|
if (!BIO_should_retry(io)) {
|
|
|
|
|
if (!s_quiet)
|
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
|
goto err;
|
|
|
|
|
} else {
|
|
|
|
|
BIO_printf(bio_s_out, "read R BLOCK\n");
|
2015-09-12 01:37:48 +00:00
|
|
|
#ifndef OPENSSL_NO_SRP
|
|
|
|
|
if (BIO_should_io_special(io)
|
|
|
|
|
&& BIO_get_retry_reason(io) == BIO_RR_SSL_X509_LOOKUP) {
|
|
|
|
|
BIO_printf(bio_s_out, "LOOKUP renego during read\n");
|
2021-02-05 11:28:15 +00:00
|
|
|
|
|
|
|
|
lookup_srp_user(&srp_callback_parm, bio_s_out);
|
|
|
|
|
|
2015-09-12 01:37:48 +00:00
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
#endif
|
2022-10-03 05:22:52 +00:00
|
|
|
OSSL_sleep(1000);
|
2012-09-14 13:27:05 +00:00
|
|
|
continue;
|
|
|
|
|
}
|
|
|
|
|
} else if (i == 0) { /* end of input */
|
|
|
|
|
ret = 1;
|
|
|
|
|
BIO_printf(bio_err, "CONNECTION CLOSED\n");
|
|
|
|
|
goto end;
|
|
|
|
|
} else {
|
|
|
|
|
char *p = buf + i - 1;
|
|
|
|
|
while (i && (*p == '\n' || *p == '\r')) {
|
|
|
|
|
p--;
|
|
|
|
|
i--;
|
|
|
|
|
}
|
2021-06-21 06:55:50 +00:00
|
|
|
if (!s_ign_eof && i == 5 && HAS_PREFIX(buf, "CLOSE")) {
|
2012-11-19 23:41:24 +00:00
|
|
|
ret = 1;
|
|
|
|
|
BIO_printf(bio_err, "CONNECTION CLOSED\n");
|
|
|
|
|
goto end;
|
|
|
|
|
}
|
2012-09-14 13:27:05 +00:00
|
|
|
BUF_reverse((unsigned char *)buf, NULL, i);
|
|
|
|
|
buf[i] = '\n';
|
|
|
|
|
BIO_write(io, buf, i + 1);
|
|
|
|
|
for (;;) {
|
|
|
|
|
i = BIO_flush(io);
|
|
|
|
|
if (i > 0)
|
|
|
|
|
break;
|
|
|
|
|
if (!BIO_should_retry(io))
|
|
|
|
|
goto end;
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
|
|
|
|
}
|
2012-09-14 13:27:05 +00:00
|
|
|
}
|
|
|
|
|
end:
|
2023-07-16 06:25:55 +00:00
|
|
|
/* make sure we reuse sessions */
|
2020-05-05 12:26:32 +00:00
|
|
|
do_ssl_shutdown(con);
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2012-09-14 13:27:05 +00:00
|
|
|
err:
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2015-05-01 14:02:07 +00:00
|
|
|
OPENSSL_free(buf);
|
2021-06-25 02:55:28 +00:00
|
|
|
BIO_free(ssl_bio);
|
2015-03-25 15:31:18 +00:00
|
|
|
BIO_free_all(io);
|
2017-10-17 14:04:09 +00:00
|
|
|
return ret;
|
2012-09-14 13:27:05 +00:00
|
|
|
}
|
|
|
|
|
|
2001-02-21 18:38:48 +00:00
|
|
|
#define MAX_SESSION_ID_ATTEMPTS 10
|
2017-08-03 14:24:03 +00:00
|
|
|
static int generate_session_id(SSL *ssl, unsigned char *id,
|
2001-02-21 18:38:48 +00:00
|
|
|
unsigned int *id_len)
|
|
|
|
|
{
|
|
|
|
|
unsigned int count = 0;
|
2019-11-15 22:28:00 +00:00
|
|
|
unsigned int session_id_prefix_len = strlen(session_id_prefix);
|
2019-10-30 22:39:35 +00:00
|
|
|
|
2001-02-21 18:38:48 +00:00
|
|
|
do {
|
2015-02-26 11:57:37 +00:00
|
|
|
if (RAND_bytes(id, *id_len) <= 0)
|
|
|
|
|
return 0;
|
2001-02-21 18:38:48 +00:00
|
|
|
/*
|
|
|
|
|
* Prefix the session_id with the required prefix. NB: If our prefix
|
|
|
|
|
* is too long, clip it - but there will be worse effects anyway, eg.
|
|
|
|
|
* the server could only possibly create 1 session ID (ie. the
|
|
|
|
|
* prefix!) so all future session negotiations will fail due to
|
|
|
|
|
* conflicts.
|
|
|
|
|
*/
|
|
|
|
|
memcpy(id, session_id_prefix,
|
2019-11-15 22:28:00 +00:00
|
|
|
(session_id_prefix_len < *id_len) ?
|
|
|
|
|
session_id_prefix_len : *id_len);
|
2001-02-21 18:38:48 +00:00
|
|
|
}
|
2001-02-23 00:09:50 +00:00
|
|
|
while (SSL_has_matching_session_id(ssl, id, *id_len) &&
|
2001-02-21 18:38:48 +00:00
|
|
|
(++count < MAX_SESSION_ID_ATTEMPTS));
|
|
|
|
|
if (count >= MAX_SESSION_ID_ATTEMPTS)
|
|
|
|
|
return 0;
|
|
|
|
|
return 1;
|
|
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2009-12-27 23:24:45 +00:00
|
|
|
/*
|
|
|
|
|
* By default s_server uses an in-memory cache which caches SSL_SESSION
|
2020-06-10 23:42:34 +00:00
|
|
|
* structures without any serialization. This hides some bugs which only
|
2009-12-27 23:24:45 +00:00
|
|
|
* become apparent in deployed servers. By implementing a basic external
|
|
|
|
|
* session cache some issues can be debugged using s_server.
|
|
|
|
|
*/
|
|
|
|
|
|
|
|
|
|
typedef struct simple_ssl_session_st {
|
|
|
|
|
unsigned char *id;
|
2011-04-29 22:37:12 +00:00
|
|
|
unsigned int idlen;
|
2009-12-27 23:24:45 +00:00
|
|
|
unsigned char *der;
|
|
|
|
|
int derlen;
|
|
|
|
|
struct simple_ssl_session_st *next;
|
|
|
|
|
} simple_ssl_session;
|
|
|
|
|
|
|
|
|
|
static simple_ssl_session *first = NULL;
|
|
|
|
|
|
|
|
|
|
static int add_session(SSL *ssl, SSL_SESSION *session)
|
|
|
|
|
{
|
2015-05-02 03:10:31 +00:00
|
|
|
simple_ssl_session *sess = app_malloc(sizeof(*sess), "get session");
|
2009-12-27 23:24:45 +00:00
|
|
|
unsigned char *p;
|
|
|
|
|
|
2011-12-22 15:14:32 +00:00
|
|
|
SSL_SESSION_get_id(session, &sess->idlen);
|
2009-12-27 23:24:45 +00:00
|
|
|
sess->derlen = i2d_SSL_SESSION(session, NULL);
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
if (sess->derlen < 0) {
|
|
|
|
|
BIO_printf(bio_err, "Error encoding session\n");
|
2015-04-26 02:55:36 +00:00
|
|
|
OPENSSL_free(sess);
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
return 0;
|
|
|
|
|
}
|
2009-12-27 23:24:45 +00:00
|
|
|
|
Rename some BUF_xxx to OPENSSL_xxx
Rename BUF_{strdup,strlcat,strlcpy,memdup,strndup,strnlen}
to OPENSSL_{strdup,strlcat,strlcpy,memdup,strndup,strnlen}
Add #define's for the old names.
Add CRYPTO_{memdup,strndup}, called by OPENSSL_{memdup,strndup} macros.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-12-16 21:12:24 +00:00
|
|
|
sess->id = OPENSSL_memdup(SSL_SESSION_get_id(session, NULL), sess->idlen);
|
2015-04-30 21:48:31 +00:00
|
|
|
sess->der = app_malloc(sess->derlen, "get session buffer");
|
|
|
|
|
if (!sess->id) {
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
BIO_printf(bio_err, "Out of memory adding to external cache\n");
|
2015-04-26 02:55:36 +00:00
|
|
|
OPENSSL_free(sess->id);
|
|
|
|
|
OPENSSL_free(sess->der);
|
2015-03-04 17:49:51 +00:00
|
|
|
OPENSSL_free(sess);
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
2009-12-27 23:24:45 +00:00
|
|
|
p = sess->der;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
|
|
|
|
|
/* Assume it still works. */
|
|
|
|
|
if (i2d_SSL_SESSION(session, &p) != sess->derlen) {
|
2015-04-26 20:43:18 +00:00
|
|
|
BIO_printf(bio_err, "Unexpected session encoding length\n");
|
2015-04-26 02:55:36 +00:00
|
|
|
OPENSSL_free(sess->id);
|
|
|
|
|
OPENSSL_free(sess->der);
|
|
|
|
|
OPENSSL_free(sess);
|
2015-03-06 14:39:46 +00:00
|
|
|
return 0;
|
|
|
|
|
}
|
2009-12-27 23:24:45 +00:00
|
|
|
|
|
|
|
|
sess->next = first;
|
|
|
|
|
first = sess;
|
|
|
|
|
BIO_printf(bio_err, "New session added to external cache\n");
|
|
|
|
|
return 0;
|
|
|
|
|
}
|
|
|
|
|
|
2016-02-01 14:26:18 +00:00
|
|
|
static SSL_SESSION *get_session(SSL *ssl, const unsigned char *id, int idlen,
|
2009-12-27 23:24:45 +00:00
|
|
|
int *do_copy)
|
|
|
|
|
{
|
|
|
|
|
simple_ssl_session *sess;
|
|
|
|
|
*do_copy = 0;
|
|
|
|
|
for (sess = first; sess; sess = sess->next) {
|
2011-04-29 22:37:12 +00:00
|
|
|
if (idlen == (int)sess->idlen && !memcmp(sess->id, id, idlen)) {
|
2009-12-27 23:24:45 +00:00
|
|
|
const unsigned char *p = sess->der;
|
|
|
|
|
BIO_printf(bio_err, "Lookup session: cache hit\n");
|
2021-01-27 19:23:33 +00:00
|
|
|
return d2i_SSL_SESSION_ex(NULL, &p, sess->derlen, app_get0_libctx(),
|
|
|
|
|
app_get0_propq());
|
2009-12-27 23:24:45 +00:00
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
BIO_printf(bio_err, "Lookup session: cache miss\n");
|
|
|
|
|
return NULL;
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void del_session(SSL_CTX *sctx, SSL_SESSION *session)
|
|
|
|
|
{
|
|
|
|
|
simple_ssl_session *sess, *prev = NULL;
|
2011-12-22 15:14:32 +00:00
|
|
|
const unsigned char *id;
|
|
|
|
|
unsigned int idlen;
|
|
|
|
|
id = SSL_SESSION_get_id(session, &idlen);
|
2009-12-27 23:24:45 +00:00
|
|
|
for (sess = first; sess; sess = sess->next) {
|
|
|
|
|
if (idlen == sess->idlen && !memcmp(sess->id, id, idlen)) {
|
|
|
|
|
if (prev)
|
|
|
|
|
prev->next = sess->next;
|
|
|
|
|
else
|
|
|
|
|
first = sess->next;
|
|
|
|
|
OPENSSL_free(sess->id);
|
|
|
|
|
OPENSSL_free(sess->der);
|
|
|
|
|
OPENSSL_free(sess);
|
|
|
|
|
return;
|
|
|
|
|
}
|
|
|
|
|
prev = sess;
|
|
|
|
|
}
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void init_session_cache_ctx(SSL_CTX *sctx)
|
|
|
|
|
{
|
|
|
|
|
SSL_CTX_set_session_cache_mode(sctx,
|
|
|
|
|
SSL_SESS_CACHE_NO_INTERNAL |
|
|
|
|
|
SSL_SESS_CACHE_SERVER);
|
|
|
|
|
SSL_CTX_sess_set_new_cb(sctx, add_session);
|
|
|
|
|
SSL_CTX_sess_set_get_cb(sctx, get_session);
|
|
|
|
|
SSL_CTX_sess_set_remove_cb(sctx, del_session);
|
|
|
|
|
}
|
|
|
|
|
|
|
|
|
|
static void free_sessions(void)
|
|
|
|
|
{
|
|
|
|
|
simple_ssl_session *sess, *tsess;
|
|
|
|
|
for (sess = first; sess;) {
|
|
|
|
|
OPENSSL_free(sess->id);
|
|
|
|
|
OPENSSL_free(sess->der);
|
|
|
|
|
tsess = sess;
|
|
|
|
|
sess = sess->next;
|
|
|
|
|
OPENSSL_free(tsess);
|
|
|
|
|
}
|
|
|
|
|
first = NULL;
|
|
|
|
|
}
|
2016-03-21 15:32:40 +00:00
|
|
|
|
2016-08-07 10:04:26 +00:00
|
|
|
#endif /* OPENSSL_NO_SOCK */
|
