openssl
/
openssl
mirror of https://github.com/openssl/openssl
1
0
Fork 0
Code Issues Releases Wiki Activity
openssl/apps/include/s_apps.h

Ignoring revisions in .git-blame-ignore-revs. Click here to bypass and see the normal blame view.

115 lines
4.8 KiB
C
Raw Normal View History

Copyright consolidation 01/10 Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2016-05-17 18:18:30 +00:00
/*
Copyright year updates Reviewed-by: Richard Levitte <levitte@openssl.org> Release: yes
2023-09-07 08:59:15 +00:00
* Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
New functions SSL[_CTX]_set_msg_callback(). New macros SSL[_CTX]_set_msg_callback_arg(). Message callback imlementation for SSL 3.0/TLS 1.0 (no SSL 2.0 yet). New '-msg' option for 'openssl s_client' and 'openssl s_server' that enable a message callback that displays all protocol messages. In ssl3_get_client_hello (ssl/s3_srvr.c), generate a fatal alert if client_version is smaller than the protocol version in use. Also change ssl23_get_client_hello (ssl/s23_srvr.c) to select TLS 1.0 if the client demanded SSL 3.0 but only TLS 1.0 is enabled; then the client will at least see that alert. Fix SSL[_CTX]_ctrl prototype (void * instead of char * for generic pointer). Add/update some OpenSSL copyright notices.
2001-10-20 17:56:36 +00:00
*
Following the license change, modify the boilerplates in apps/ Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/7765)
2018-12-06 12:00:26 +00:00
* Licensed under the Apache License 2.0 (the "License"). You may not use
Copyright consolidation 01/10 Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2016-05-17 18:18:30 +00:00
* this file except in compliance with the License. You can obtain a copy
* in the file LICENSE in the source distribution or at
* https://www.openssl.org/source/license.html
New functions SSL[_CTX]_set_msg_callback(). New macros SSL[_CTX]_set_msg_callback_arg(). Message callback imlementation for SSL 3.0/TLS 1.0 (no SSL 2.0 yet). New '-msg' option for 'openssl s_client' and 'openssl s_server' that enable a message callback that displays all protocol messages. In ssl3_get_client_hello (ssl/s3_srvr.c), generate a fatal alert if client_version is smaller than the protocol version in use. Also change ssl23_get_client_hello (ssl/s23_srvr.c) to select TLS 1.0 if the client demanded SSL 3.0 but only TLS 1.0 is enabled; then the client will at least see that alert. Fix SSL[_CTX]_ctrl prototype (void * instead of char * for generic pointer). Add/update some OpenSSL copyright notices.
2001-10-20 17:56:36 +00:00
*/
Copyright consolidation 01/10 Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2016-05-17 18:18:30 +00:00
Use new-style system-id macros everywhere possible. I hope I haven't missed any. This compiles and runs on Linux, and external applications have no problems with it. The definite test will be to build this on VMS.
2001-02-20 08:13:47 +00:00
#include <openssl/opensslconf.h>
Remove HEADER_X509_H and HEADER_SSL_H include detectors from apps The HEADER_X509_H check is redundant, because <openssl/x509.h> is already included. Instead of of checking for HEADER_SSL_H, include <openssl/ssl.h> explicitly in "s_apps.h" and don't include "s_apps.h" where it's not necessary. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/9364)
2019-07-12 20:49:42 +00:00
#include <openssl/ssl.h>
Deprecate the low level SRP APIs The OTC decided that all low level APIs should be deprecated. This extends to SRP, even though at the current time there is no "EVP" interface to it. This could be added in a future release. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14132)
2021-02-05 11:28:15 +00:00
#include <openssl/srp.h>
Selected changes for MSDOS, contributed by Gisle Vanem <giva@bgnett.no>. PR: 669
2003-09-27 21:56:08 +00:00
Refactoring BIO: Adapt s_client and s_server s_socket.c gets brutally cleaned out and now consists of only two functions, one for client and the other for server. They both handle AF_INET, AF_INET6 and additionally AF_UNIX where supported. The rest is just easy adaptation. Both s_client and s_server get the new flags -4 and -6 to force the use of IPv4 or IPv6 only. Also, the default host "localhost" in s_client is removed. It's not certain that this host is set up for both IPv4 and IPv6. For example, Debian has "ip6-localhost" as the default hostname for [::1]. The better way is to default |host| to NULL and rely on BIO_lookup() to return a BIO_ADDRINFO with the appropriate loopback address for IPv4 or IPv6 as indicated by the |family| parameter. Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2016-02-02 23:47:42 +00:00
#define PORT "4433"
Import of old SSLeay release: SSLeay 0.8.1b
1998-12-21 10:52:47 +00:00
#define PROTOCOL "tcp"
Revise s_client and s_server verbiage re secure renegotiation. Since TLS v1.3 eschews renegotiation entirely it’s misleading to have these apps say it’s “not supported” when in fact the TLS version is new enough not to need renegotiation at all. Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16937)
2021-10-28 14:13:47 +00:00
#define SSL_VERSION_ALLOWS_RENEGOTIATION(s) \
(SSL_is_dtls(s) || (SSL_version(s) < TLS1_3_VERSION))
Add a -sctp option to s_server Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3286)
2017-04-20 08:56:56 +00:00
typedef int (*do_server_cb)(int s, int stype, int prot, unsigned char *context);
Fix HTTP server port output and allow dynamic verbosity setting Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16061)
2021-07-13 08:20:38 +00:00
void get_sock_info_address(int asock, char **hostname, char **service);
80-test_cmp_http.t: Improve the way the test server is launched and killed Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15642)
2021-06-07 09:50:43 +00:00
int report_server_accept(BIO *out, int asock, int with_address, int with_pid);
Refactoring BIO: Adapt s_client and s_server s_socket.c gets brutally cleaned out and now consists of only two functions, one for client and the other for server. They both handle AF_INET, AF_INET6 and additionally AF_UNIX where supported. The rest is just easy adaptation. Both s_client and s_server get the new flags -4 and -6 to force the use of IPv4 or IPv6 only. Also, the default host "localhost" in s_client is removed. It's not certain that this host is set up for both IPv4 and IPv6. For example, Debian has "ip6-localhost" as the default hostname for [::1]. The better way is to default |host| to NULL and rely on BIO_lookup() to return a BIO_ADDRINFO with the appropriate loopback address for IPv4 or IPv6 as indicated by the |family| parameter. Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2016-02-02 23:47:42 +00:00
int do_server(int *accept_sock, const char *host, const char *port,
openssl s_server: print the accepting address and socket The line saying ACCEPT is extended with a space followed by the the address and port combination on which s_server accepts connections. The address is written in such a way that s_client should be able to accepts as argument for the '-connect' option. Reviewed-by: Andy Polyakov <appro@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5843)
2018-03-30 19:13:25 +00:00
int family, int type, int protocol, do_server_cb cb,
Add TFO support to socket BIO and s_client/s_server Supports Linux, MacOS and FreeBSD Disabled by default, enabled via `enabled-tfo` Some tests Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8692)
2021-09-08 20:23:04 +00:00
unsigned char *context, int naccept, BIO *bio_s_out,
int tfo);
RT3548: Remove unsupported platforms This last one for this ticket. Removes WIN16. So long, MS_CALLBACK and MS_FAR. We won't miss you. Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-01-12 22:29:26 +00:00
int verify_callback(int ok, X509_STORE_CTX *ctx);
Remove HEADER_X509_H and HEADER_SSL_H include detectors from apps The HEADER_X509_H check is redundant, because <openssl/x509.h> is already included. Instead of of checking for HEADER_SSL_H, include <openssl/ssl.h> explicitly in "s_apps.h" and don't include "s_apps.h" where it's not necessary. Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Bernd Edlinger <bernd.edlinger@hotmail.de> (Merged from https://github.com/openssl/openssl/pull/9364)
2019-07-12 20:49:42 +00:00
Import of old SSLeay release: SSLeay 0.8.1b
1998-12-21 10:52:47 +00:00
int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file);
Add options to set additional type specific certificate chains to s_server.
2012-04-11 16:53:11 +00:00
int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key,
Add support for certificate stores in CERT structure. This makes it possible to have different stores per SSL structure or one store in the parent SSL_CTX. Include distint stores for certificate chain verification and chain building. New ctrl SSL_CTRL_BUILD_CERT_CHAIN to build and store a certificate chain in CERT structure: returing an error if the chain cannot be built: this will allow applications to test if a chain is correctly configured. Note: if the CERT based stores are not set then the parent SSL_CTX store is used to retain compatibility with existing behaviour.
2012-07-23 23:34:28 +00:00
STACK_OF(X509) *chain, int build_chain);
Add new ctrl to retrieve client certificate types, print out details in s_client. Also add ctrl to set client certificate types. If not used sensible values will be included based on supported signature algorithms: for example if we don't include any DSA signing algorithms the DSA certificate type is omitted. Fix restriction in old code where certificate types would be truncated if it exceeded TLS_CT_NUMBER.
2012-07-08 14:22:45 +00:00
int ssl_print_sigalgs(BIO *out, SSL *s);
Add support for printing out and retrieving EC point formats extension.
2012-11-22 15:20:53 +00:00
int ssl_print_point_formats(BIO *out, SSL *s);
Rename the Elliptic Curves extension to supported_groups This is a skin deep change, which simply renames most places where we talk about curves in a TLS context to groups. This is because TLS1.3 has renamed the extension, and it can now include DH groups too. We still only support curves, but this rename should pave the way for a future extension for DH groups. Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-09 14:51:06 +00:00
int ssl_print_groups(BIO *out, SSL *s, int noshared);
new ctrl to retrive value of received temporary key in server key exchange message, print out details in s_client
2012-09-08 13:59:51 +00:00
int ssl_print_tmp_key(BIO *out, SSL *s);
Refactoring BIO: Adapt s_client and s_server s_socket.c gets brutally cleaned out and now consists of only two functions, one for client and the other for server. They both handle AF_INET, AF_INET6 and additionally AF_UNIX where supported. The rest is just easy adaptation. Both s_client and s_server get the new flags -4 and -6 to force the use of IPv4 or IPv6 only. Also, the default host "localhost" in s_client is removed. It's not certain that this host is set up for both IPv4 and IPv6. For example, Debian has "ip6-localhost" as the default hostname for [::1]. The better way is to default |host| to NULL and rely on BIO_lookup() to return a BIO_ADDRINFO with the appropriate loopback address for IPv4 or IPv6 as indicated by the |family| parameter. Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2016-02-02 23:47:42 +00:00
int init_client(int *sock, const char *host, const char *port,
Add BIO_bind function to bind local address for a socket. Add -bind option to s_client application to allow specification of local address for connection. Reviewed-by: Andy Polyakov <appro@openssl.org> Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5272)
2018-02-08 09:49:02 +00:00
const char *bindhost, const char *bindport,
Add QUIC support to s_client Reviewed-by: Hugo Landau <hlandau@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/20580)
2023-03-09 17:06:33 +00:00
int family, int type, int protocol, int tfo, int doconn,
Add TFO support to socket BIO and s_client/s_server Supports Linux, MacOS and FreeBSD Disabled by default, enabled via `enabled-tfo` Some tests Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> Reviewed-by: Tim Hudson <tjh@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8692)
2021-09-08 20:23:04 +00:00
BIO_ADDR **ba_ret);
Import of old SSLeay release: SSLeay 0.8.1b
1998-12-21 10:52:47 +00:00
int should_retry(int i);
s_server normal shutdown Partially fixes #11209 Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/11734)
2020-05-05 12:26:32 +00:00
void do_ssl_shutdown(SSL *ssl);
Import of old SSLeay release: SSLeay 0.8.1b
1998-12-21 10:52:47 +00:00
Deprecate old style BIO callback calls New style BIO_debug_callback_ex() function added to provide replacement for BIO_debug_callback(). Reviewed-by: Paul Dale <pauli@openssl.org> (Merged from https://github.com/openssl/openssl/pull/15440)
2021-05-24 16:15:57 +00:00
long bio_dump_callback(BIO *bio, int cmd, const char *argp, size_t len,
int argi, long argl, int ret, size_t *processed);
Import of old SSLeay release: SSLeay 0.8.1b
1998-12-21 10:52:47 +00:00
RT3548: Remove unsupported platforms This last one for this ticket. Removes WIN16. So long, MS_CALLBACK and MS_FAR. We won't miss you. Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-01-12 22:29:26 +00:00
void apps_ssl_info_callback(const SSL *s, int where, int ret);
void msg_cb(int write_p, int version, int content_type, const void *buf,
size_t len, SSL *ssl, void *arg);
constify PACKET PACKET contents should be read-only. To achieve this, also - constify two user callbacks - constify BUF_reverse. Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-01 14:26:18 +00:00
void tlsext_cb(SSL *s, int client_server, int type, const unsigned char *data,
RFC4507 (including RFC4507bis) TLS stateless session resumption support for OpenSSL.
2007-08-11 23:18:29 +00:00
int len, void *arg);
PR: 2028 Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de> Approved by: steve@openssl.org Fix DTLS cookie management bugs.
2009-09-04 17:42:53 +00:00
RT3548: Remove unsupported platforms This last one for this ticket. Removes WIN16. So long, MS_CALLBACK and MS_FAR. We won't miss you. Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-01-12 22:29:26 +00:00
int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
unsigned int *cookie_len);
DTLS: remove unused cookie field Note that this commit constifies a user callback parameter and therefore will break compilation for applications using this callback. But unless they are abusing write access to the buffer, the fix is trivial. Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-10-06 15:20:32 +00:00
int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
RT3548: Remove unsupported platforms This last one for this ticket. Removes WIN16. So long, MS_CALLBACK and MS_FAR. We won't miss you. Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-01-12 22:29:26 +00:00
unsigned int cookie_len);
Add certificate callback. If set this is called whenever a certificate is required by client or server. An application can decide which certificate chain to present based on arbitrary criteria: for example supported signature algorithms. Add very simple example to s_server. This fixes many of the problems and restrictions of the existing client certificate callback: for example you can now clear existing certificates and specify the whole chain.
2012-06-29 14:24:42 +00:00
VMS: add alias macros to avoid 31 character symbol name limit warning Affected symbol names: generate_stateless_cookie_callback verify_stateless_cookie_callback Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5633)
2018-03-15 19:01:11 +00:00
#ifdef __VMS /* 31 char symbol name limit */
# define generate_stateless_cookie_callback generate_stateless_cookie_cb
# define verify_stateless_cookie_callback verify_stateless_cookie_cb
#endif
Introduce SSL_CTX_set_stateless_cookie_{generate,verify}_cb These functions are similar to SSL_CTX_set_cookie_{generate,verify}_cb, but used for the application-controlled portion of TLS1.3 stateless handshake cookies rather than entire DTLSv1 cookies. Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/5463)
2018-02-26 02:39:11 +00:00
int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie,
size_t *cookie_len);
int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie,
size_t cookie_len);
Add certificate callback. If set this is called whenever a certificate is required by client or server. An application can decide which certificate chain to present based on arbitrary criteria: for example supported signature algorithms. Add very simple example to s_server. This fixes many of the problems and restrictions of the existing client certificate callback: for example you can now clear existing certificates and specify the whole chain.
2012-06-29 14:24:42 +00:00
typedef struct ssl_excert_st SSL_EXCERT;
void ssl_ctx_set_excert(SSL_CTX *ctx, SSL_EXCERT *exc);
void ssl_excert_free(SSL_EXCERT *exc);
Big apps cleanup (option-parsing, etc) This is merges the old "rsalz-monolith" branch over to master. The biggest change is that option parsing switch from cascasding 'else if strcmp("-foo")' to a utility routine and somethin akin to getopt. Also, an error in the command line no longer prints the full summary; use -help (or --help :) for that. There have been many other changes and code-cleanup, see bullet list below. Special thanks to Matt for the long and detailed code review. TEMPORARY: For now, comment out CRYPTO_mem_leaks() at end of main Tickets closed: RT3515: Use 3DES in pkcs12 if built with no-rc2 RT1766: s_client -reconnect and -starttls broke RT2932: Catch write errors RT2604: port should be 'unsigned short' RT2983: total_bytes undeclared #ifdef RENEG RT1523: Add -nocert to fix output in x509 app RT3508: Remove unused variable introduced by b09eb24 RT3511: doc fix; req default serial is random RT1325,2973: Add more extensions to c_rehash RT2119,3407: Updated to dgst.pod RT2379: Additional typo fix RT2693: Extra include of string.h RT2880: HFS is case-insensitive filenames RT3246: req command prints version number wrong Other changes; incompatibilities marked with *: Add SCSV support Add -misalign to speed command Make dhparam, dsaparam, ecparam, x509 output C in proper style Make some internal ocsp.c functions void Only display cert usages with -help in verify Use global bio_err, remove "BIO*err" parameter from functions For filenames, - always means stdin (or stdout as appropriate) Add aliases for -des/aes "wrap" ciphers. *Remove support for IISSGC (server gated crypto) *The undocumented OCSP -header flag is now "-header name=value" *Documented the OCSP -header flag Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
int args_excert(int option, SSL_EXCERT **pexc);
int load_excert(SSL_EXCERT **pexc);
Suppress DANE TLSA reflection when verification fails As documented both SSL_get0_dane_authority() and SSL_get0_dane_tlsa() are expected to return a negative match depth and nothing else when verification fails. However, this only happened when verification failed during chain construction. Errors in verification of the constructed chain did not have the intended effect on these functions. This commit updates the functions to check for verify_result == X509_V_OK, and no longer erases any accumulated match information when chain construction fails. Sophisticated developers can, with care, use SSL_set_verify_result(ssl, X509_V_OK) to "peek" at TLSA info even when verification fail. They must of course first check and save the real error, and restore the original error as quickly as possible. Hiding by default seems to be the safer interface. Introduced X509_V_ERR_DANE_NO_MATCH code to signal failure to find matching TLSA records. Previously reported via X509_V_ERR_CERT_UNTRUSTED. This also changes the "-brief" output from s_client to include verification results and TLSA match information. Mentioned session resumption in code example in SSL_CTX_dane_enable(3). Also mentioned that depths returned are relative to the verified chain which is now available via SSL_get0_verified_chain(3). Added a few more test-cases to danetest, that exercise the new code. Resolved thread safety issue in use of static buffer in X509_verify_cert_error_string(). Fixed long-stating issue in apps/s_cb.c which always sets verify_error to either X509_V_OK or "chain to long", code elsewhere (e.g. s_time.c), seems to expect the actual error. [ The new chain construction code is expected to correctly generate "chain too long" errors, so at some point we need to drop the work-arounds, once SSL_set_verify_depth() is also fixed to propagate the depth to X509_STORE_CTX reliably. ] Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-08 00:07:57 +00:00
void print_verify_detail(SSL *s, BIO *bio);
Remove needless bio_err argument Many functions had a BIO* parameter, and it was always called with bio_err. Remove the param and just use bio_err. Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-29 15:27:08 +00:00
void print_ssl_summary(SSL *s);
Remove JPAKE Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-02-14 05:17:59 +00:00
int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str, SSL_CTX *ctx);
Add code to download CRLs based on CRLDP extension. Just a sample, real world applications would have to be cleverer.
2012-12-06 18:43:40 +00:00
int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls,
int crl_download);
Don't display messages about verify depth in s_server if -quiet it set. Add support for separate verify and chain stores in s_client.
2012-11-23 18:56:25 +00:00
int ssl_load_stores(SSL_CTX *ctx, const char *vfyCApath,
Add -CAstore and similar to all openssl commands that have -CApath Reviewed-by: Matt Caswell <matt@openssl.org> (Merged from https://github.com/openssl/openssl/pull/8442)
2019-03-07 14:26:34 +00:00
const char *vfyCAfile, const char *vfyCAstore,
const char *chCApath, const char *chCAfile,
const char *chCAstore, STACK_OF(X509_CRL) *crls,
Add code to download CRLs based on CRLDP extension. Just a sample, real world applications would have to be cleverer.
2012-12-06 18:43:40 +00:00
int crl_download);
Remove needless bio_err argument Many functions had a BIO* parameter, and it was always called with bio_err. Remove the param and just use bio_err. Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-29 15:27:08 +00:00
void ssl_ctx_security_debug(SSL_CTX *ctx, int verbose);
apps: Add support for writing a keylog file The server and client demos (s_client and s_server) are extended with a -keylogfile option. This is similar as setting the SSLKEYLOGFILE environment variable for NSS and creates a keylog file which is suitable for Wireshark. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2343)
2017-02-01 18:14:27 +00:00
int set_keylog_file(SSL_CTX *ctx, const char *keylog_file);
Print CA names in s_server, add -requestCAfile to s_client Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3015)
2017-03-31 16:04:28 +00:00
void print_ca_names(BIO *bio, SSL *s);
Revise s_client and s_server verbiage re secure renegotiation. Since TLS v1.3 eschews renegotiation entirely it’s misleading to have these apps say it’s “not supported” when in fact the TLS version is new enough not to need renegotiation at all. Reviewed-by: Ben Kaduk <kaduk@mit.edu> Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Paul Dale <pauli@openssl.org> Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/16937)
2021-10-28 14:13:47 +00:00
void ssl_print_secure_renegotiation_notes(BIO *bio, SSL *s);
Deprecate the low level SRP APIs The OTC decided that all low level APIs should be deprecated. This extends to SRP, even though at the current time there is no "EVP" interface to it. This could be added in a future release. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14132)
2021-02-05 11:28:15 +00:00
#ifndef OPENSSL_NO_SRP
/* The client side SRP context that we pass to all SRP related callbacks */
typedef struct srp_arg_st {
char *srppassin;
char *srplogin;
int msg; /* copy from c_msg */
int debug; /* copy from c_debug */
int amp; /* allow more groups */
int strength; /* minimal size for N */
} SRP_ARG;
int set_up_srp_arg(SSL_CTX *ctx, SRP_ARG *srp_arg, int srp_lateuser, int c_msg,
int c_debug);
Deprecate the libssl level SRP APIs The low level SRP implementation has been deprecated with no replacement. Therefore the libssl level APIs need to be similarly deprecated. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14132)
2021-02-08 11:31:59 +00:00
void set_up_dummy_srp(SSL_CTX *ctx);
Deprecate the low level SRP APIs The OTC decided that all low level APIs should be deprecated. This extends to SRP, even though at the current time there is no "EVP" interface to it. This could be added in a future release. Reviewed-by: Tomas Mraz <tomas@openssl.org> (Merged from https://github.com/openssl/openssl/pull/14132)
2021-02-05 11:28:15 +00:00
/* The server side SRP context that we pass to all SRP related callbacks */
typedef struct srpsrvparm_st {
char *login;
SRP_VBASE *vb;
SRP_user_pwd *user;
} srpsrvparm;
int set_up_srp_verifier_file(SSL_CTX *ctx, srpsrvparm *srp_callback_parm,
char *srpuserseed, char *srp_verifier_file);
void lookup_srp_user(srpsrvparm *srp_callback_parm, BIO *bio_s_out);
#endif /* OPENSSL_NO_SRP */