generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Add -brief option to s_client and s_server to summarise connection details.

Browse Source 
New option -verify_quiet to shut up the verify callback unless there is
an error.

(manually applied from commit 2a7cbe77b3abb244c2211d22d7aa3416b97c9342)
This commit is contained in:
Dr. Stephen Henson 2013-08-19 12:36:50 +01:00
parent df430489cf
commit 04611fb0f1
5 changed files with 146 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
CHANGES
View File

@ -4,6 +4,10 @@
Changes between 1.0.1 and 1.0.2 [xx XXX xxxx] Changes between 1.0.1 and 1.0.2 [xx XXX xxxx]
*) New option -brief for s_client and s_server to print out a brief summary
of connection parameters.
[Steve Henson]
*) Add callbacks for arbitrary TLS extensions. *) Add callbacks for arbitrary TLS extensions.
[Trevor Perrin <trevp@trevp.net> and Ben Laurie] [Trevor Perrin <trevp@trevp.net> and Ben Laurie]

3
apps/s_apps.h
View File

@ -162,7 +162,7 @@ int set_cert_key_and_authz(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key,
# endif # endif
int ssl_print_sigalgs(BIO *out, SSL *s); int ssl_print_sigalgs(BIO *out, SSL *s);
int ssl_print_point_formats(BIO *out, SSL *s); int ssl_print_point_formats(BIO *out, SSL *s);
int ssl_print_curves(BIO *out, SSL *s); int ssl_print_curves(BIO *out, SSL *s, int noshared);
#endif #endif
int ssl_print_tmp_key(BIO *out, SSL *s); int ssl_print_tmp_key(BIO *out, SSL *s);
int init_client(int *sock, char *server, int port, int type); int init_client(int *sock, char *server, int port, int type);
@ -191,6 +191,7 @@ void ssl_excert_free(SSL_EXCERT *exc);
int args_excert(char ***pargs, int *pargc, int args_excert(char ***pargs, int *pargc,
int *badarg, BIO *err, SSL_EXCERT **pexc); int *badarg, BIO *err, SSL_EXCERT **pexc);
int load_excert(SSL_EXCERT **pexc, BIO *err); int load_excert(SSL_EXCERT **pexc, BIO *err);
void print_ssl_summary(BIO *bio, SSL *s);
#ifdef HEADER_SSL_H #ifdef HEADER_SSL_H
int args_ssl(char ***pargs, int *pargc, SSL_CONF_CTX *cctx, int args_ssl(char ***pargs, int *pargc, SSL_CONF_CTX *cctx,
int *badarg, BIO *err, STACK_OF(OPENSSL_STRING) **pstr); int *badarg, BIO *err, STACK_OF(OPENSSL_STRING) **pstr);

92
apps/s_cb.c
View File

@ -125,6 +125,7 @@
#define COOKIE_SECRET_LENGTH 16 #define COOKIE_SECRET_LENGTH 16
int verify_depth=0; int verify_depth=0;
int verify_quiet=0;
int verify_error=X509_V_OK; int verify_error=X509_V_OK;
int verify_return_error=0; int verify_return_error=0;
unsigned char cookie_secret[COOKIE_SECRET_LENGTH]; unsigned char cookie_secret[COOKIE_SECRET_LENGTH];
@ -139,15 +140,19 @@ int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
err= X509_STORE_CTX_get_error(ctx); err= X509_STORE_CTX_get_error(ctx);
depth= X509_STORE_CTX_get_error_depth(ctx); depth= X509_STORE_CTX_get_error_depth(ctx);
if (!verify_quiet || !ok)
{
BIO_printf(bio_err,"depth=%d ",depth); BIO_printf(bio_err,"depth=%d ",depth);
if (err_cert) if (err_cert)
{ {
X509_NAME_print_ex(bio_err, X509_get_subject_name(err_cert), X509_NAME_print_ex(bio_err,
X509_get_subject_name(err_cert),
0, XN_FLAG_ONELINE); 0, XN_FLAG_ONELINE);
BIO_puts(bio_err, "\n"); BIO_puts(bio_err, "\n");
} }
else else
BIO_puts(bio_err, "<no cert>\n"); BIO_puts(bio_err, "<no cert>\n");
}
if (!ok) if (!ok)
{ {
BIO_printf(bio_err,"verify error:num=%d:%s\n",err, BIO_printf(bio_err,"verify error:num=%d:%s\n",err,
@ -185,12 +190,13 @@ int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
BIO_printf(bio_err,"\n"); BIO_printf(bio_err,"\n");
break; break;
case X509_V_ERR_NO_EXPLICIT_POLICY: case X509_V_ERR_NO_EXPLICIT_POLICY:
if (!verify_quiet)
policies_print(bio_err, ctx); policies_print(bio_err, ctx);
break; break;
} }
if (err == X509_V_OK && ok == 2) if (err == X509_V_OK && ok == 2 && !verify_quiet)
policies_print(bio_err, ctx); policies_print(bio_err, ctx);
if (ok && !verify_quiet)
BIO_printf(bio_err,"verify return:%d\n",ok); BIO_printf(bio_err,"verify return:%d\n",ok);
return(ok); return(ok);
} }
@ -456,8 +462,7 @@ int ssl_print_point_formats(BIO *out, SSL *s)
return 1; return 1;
} }
int ssl_print_curves(BIO *out, SSL *s, int noshared)
int ssl_print_curves(BIO *out, SSL *s)
{ {
int i, ncurves, *curves, nid; int i, ncurves, *curves, nid;
const char *cname; const char *cname;
@ -485,8 +490,15 @@ int ssl_print_curves(BIO *out, SSL *s)
BIO_printf(out, "%s", cname); BIO_printf(out, "%s", cname);
} }
} }
BIO_puts(out, "\nShared Elliptic curves: "); if (ncurves == 0)
BIO_puts(out, "NONE");
OPENSSL_free(curves); OPENSSL_free(curves);
if (noshared)
{
BIO_puts(out, "\n");
return 1;
}
BIO_puts(out, "\nShared Elliptic curves: ");
ncurves = SSL_get_shared_curve(s, -1); ncurves = SSL_get_shared_curve(s, -1);
for (i = 0; i < ncurves; i++) for (i = 0; i < ncurves; i++)
{ {
@ -1497,6 +1509,74 @@ int args_excert(char ***pargs, int *pargc,
return 1; return 1;
} }
static void print_raw_cipherlist(BIO *bio, SSL *s)
{
const unsigned char *rlist;
static const unsigned char scsv_id[] = {0, 0, 0xFF};
size_t i, rlistlen, num;
if (!SSL_is_server(s))
return;
num = SSL_get0_raw_cipherlist(s, NULL);
rlistlen = SSL_get0_raw_cipherlist(s, &rlist);
BIO_puts(bio, "Client cipher list: ");
for (i = 0; i < rlistlen; i += num, rlist += num)
{
const SSL_CIPHER *c = SSL_CIPHER_find(s, rlist);
if (i)
BIO_puts(bio, ":");
if (c)
BIO_puts(bio, SSL_CIPHER_get_name(c));
else if (!memcmp(rlist, scsv_id - num + 3, num))
BIO_puts(bio, "SCSV");
else
{
size_t j;
BIO_puts(bio, "0x");
for (j = 0; j < num; j++)
BIO_printf(bio, "%02X", rlist[j]);
}
}
BIO_puts(bio, "\n");
}
void print_ssl_summary(BIO *bio, SSL *s)
{
const SSL_CIPHER *c;
X509 *peer;
/*const char *pnam = SSL_is_server(s) ? "client" : "server";*/
BIO_printf(bio, "Protocol version: %s\n", SSL_get_version(s));
print_raw_cipherlist(bio, s);
c = SSL_get_current_cipher(s);
BIO_printf(bio,"Ciphersuite: %s\n", SSL_CIPHER_get_name(c));
do_print_sigalgs(bio, s, 0);
peer = SSL_get_peer_certificate(s);
if (peer)
{
int nid;
BIO_puts(bio, "Peer certificate: ");
X509_NAME_print_ex(bio, X509_get_subject_name(peer),
0, XN_FLAG_ONELINE);
BIO_puts(bio, "\n");
if (SSL_get_peer_signature_nid(s, &nid))
BIO_printf(bio, "Hash used: %s\n", OBJ_nid2sn(nid));
}
else
BIO_puts(bio, "No peer certificate\n");
if (peer)
X509_free(peer);
#ifndef OPENSSL_NO_EC
ssl_print_point_formats(bio, s);
if (SSL_is_server(s))
ssl_print_curves(bio, s, 1);
else
ssl_print_tmp_key(bio, s);
#else
if (!SSL_is_server(s))
ssl_print_tmp_key(bio, s);
#endif
}
int args_ssl(char ***pargs, int *pargc, SSL_CONF_CTX *cctx, int args_ssl(char ***pargs, int *pargc, SSL_CONF_CTX *cctx,
int *badarg, BIO *err, STACK_OF(OPENSSL_STRING) **pstr) int *badarg, BIO *err, STACK_OF(OPENSSL_STRING) **pstr)
{ {

20
apps/s_client.c
View File

@ -193,6 +193,7 @@ typedef unsigned int u_int;
extern int verify_depth; extern int verify_depth;
extern int verify_error; extern int verify_error;
extern int verify_return_error; extern int verify_return_error;
extern int verify_quiet;
#ifdef FIONBIO #ifdef FIONBIO
static int c_nbio=0; static int c_nbio=0;
@ -220,6 +221,7 @@ static BIO *bio_c_out=NULL;
static BIO *bio_c_msg=NULL; static BIO *bio_c_msg=NULL;
static int c_quiet=0; static int c_quiet=0;
static int c_ign_eof=0; static int c_ign_eof=0;
static int c_brief=0;
#ifndef OPENSSL_NO_PSK #ifndef OPENSSL_NO_PSK
/* Default PSK identity and key */ /* Default PSK identity and key */
@ -729,6 +731,7 @@ static char *jpake_secret = NULL;
verify=SSL_VERIFY_PEER; verify=SSL_VERIFY_PEER;
if (--argc < 1) goto bad; if (--argc < 1) goto bad;
verify_depth=atoi(*(++argv)); verify_depth=atoi(*(++argv));
if (!c_quiet)
BIO_printf(bio_err,"verify depth is %d\n",verify_depth); BIO_printf(bio_err,"verify depth is %d\n",verify_depth);
} }
else if (strcmp(*argv,"-cert") == 0) else if (strcmp(*argv,"-cert") == 0)
@ -771,6 +774,14 @@ static char *jpake_secret = NULL;
} }
else if (strcmp(*argv,"-verify_return_error") == 0) else if (strcmp(*argv,"-verify_return_error") == 0)
verify_return_error = 1; verify_return_error = 1;
else if (strcmp(*argv,"-verify_quiet") == 0)
verify_quiet = 1;
else if (strcmp(*argv,"-brief") == 0)
{
c_brief = 1;
verify_quiet = 1;
c_quiet = 1;
}
else if (args_excert(&argv, &argc, &badarg, bio_err, &exc)) else if (args_excert(&argv, &argc, &badarg, bio_err, &exc))
{ {
if (badarg) if (badarg)
@ -1690,6 +1701,12 @@ SSL_set_tlsext_status_ids(con, ids);
else else
BIO_printf(bio_err, "Error writing session file %s\n", sess_out); BIO_printf(bio_err, "Error writing session file %s\n", sess_out);
} }
if (c_brief)
{
BIO_puts(bio_err,
"CONNECTION ESTABLISHED\n");
print_ssl_summary(bio_err, con);
}
print_stuff(bio_c_out,con,full_log); print_stuff(bio_c_out,con,full_log);
if (full_log > 0) full_log--; if (full_log > 0) full_log--;
@ -1952,6 +1969,9 @@ printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240
break; break;
case SSL_ERROR_SYSCALL: case SSL_ERROR_SYSCALL:
ret=get_last_socket_error(); ret=get_last_socket_error();
if (c_brief)
BIO_puts(bio_err, "CONNECTION CLOSED BY SERVER\n");
else
BIO_printf(bio_err,"read:errno=%d\n",ret); BIO_printf(bio_err,"read:errno=%d\n",ret);
goto shut; goto shut;
case SSL_ERROR_ZERO_RETURN: case SSL_ERROR_ZERO_RETURN:

28
apps/s_server.c
View File

@ -262,7 +262,7 @@ static int accept_socket= -1;
#undef PROG #undef PROG
#define PROG s_server_main #define PROG s_server_main
extern int verify_depth, verify_return_error; extern int verify_depth, verify_return_error, verify_quiet;
static int s_server_verify=SSL_VERIFY_NONE; static int s_server_verify=SSL_VERIFY_NONE;
static int s_server_session_id_context = 1; /* anything will do */ static int s_server_session_id_context = 1; /* anything will do */
@ -290,8 +290,10 @@ static int s_tlsextdebug=0;
static int s_tlsextstatus=0; static int s_tlsextstatus=0;
static int cert_status_cb(SSL *s, void *arg); static int cert_status_cb(SSL *s, void *arg);
#endif #endif
static int no_resume_ephemeral = 0;
static int s_msg=0; static int s_msg=0;
static int s_quiet=0; static int s_quiet=0;
static int s_brief=0;
static char *keymatexportlabel=NULL; static char *keymatexportlabel=NULL;
static int keymatexportlen=20; static int keymatexportlen=20;
@ -455,6 +457,7 @@ static void s_server_init(void)
s_debug=0; s_debug=0;
s_msg=0; s_msg=0;
s_quiet=0; s_quiet=0;
s_brief=0;
hack=0; hack=0;
#ifndef OPENSSL_NO_ENGINE #ifndef OPENSSL_NO_ENGINE
engine_id=NULL; engine_id=NULL;
@ -1037,6 +1040,7 @@ int MAIN(int argc, char *argv[])
s_server_verify=SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE; s_server_verify=SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE;
if (--argc < 1) goto bad; if (--argc < 1) goto bad;
verify_depth=atoi(*(++argv)); verify_depth=atoi(*(++argv));
if (!s_quiet)
BIO_printf(bio_err,"verify depth is %d\n",verify_depth); BIO_printf(bio_err,"verify depth is %d\n",verify_depth);
} }
else if (strcmp(*argv,"-Verify") == 0) else if (strcmp(*argv,"-Verify") == 0)
@ -1045,6 +1049,7 @@ int MAIN(int argc, char *argv[])
SSL_VERIFY_CLIENT_ONCE; SSL_VERIFY_CLIENT_ONCE;
if (--argc < 1) goto bad; if (--argc < 1) goto bad;
verify_depth=atoi(*(++argv)); verify_depth=atoi(*(++argv));
if (!s_quiet)
BIO_printf(bio_err,"verify depth is %d, must return a certificate\n",verify_depth); BIO_printf(bio_err,"verify depth is %d, must return a certificate\n",verify_depth);
} }
else if (strcmp(*argv,"-context") == 0) else if (strcmp(*argv,"-context") == 0)
@ -1182,6 +1187,8 @@ int MAIN(int argc, char *argv[])
} }
else if (strcmp(*argv,"-verify_return_error") == 0) else if (strcmp(*argv,"-verify_return_error") == 0)
verify_return_error = 1; verify_return_error = 1;
else if (strcmp(*argv,"-verify_quiet") == 0)
verify_quiet = 1;
else if (strcmp(*argv,"-build_chain") == 0) else if (strcmp(*argv,"-build_chain") == 0)
build_chain = 1; build_chain = 1;
else if (strcmp(*argv,"-CAfile") == 0) else if (strcmp(*argv,"-CAfile") == 0)
@ -1262,12 +1269,20 @@ int MAIN(int argc, char *argv[])
{ s_crlf=1; } { s_crlf=1; }
else if (strcmp(*argv,"-quiet") == 0) else if (strcmp(*argv,"-quiet") == 0)
{ s_quiet=1; } { s_quiet=1; }
else if (strcmp(*argv,"-brief") == 0)
{
s_quiet=1;
s_brief=1;
verify_quiet=1;
}
else if (strcmp(*argv,"-no_tmp_rsa") == 0) else if (strcmp(*argv,"-no_tmp_rsa") == 0)
{ no_tmp_rsa=1; } { no_tmp_rsa=1; }
else if (strcmp(*argv,"-no_dhe") == 0) else if (strcmp(*argv,"-no_dhe") == 0)
{ no_dhe=1; } { no_dhe=1; }
else if (strcmp(*argv,"-no_ecdhe") == 0) else if (strcmp(*argv,"-no_ecdhe") == 0)
{ no_ecdhe=1; } { no_ecdhe=1; }
else if (strcmp(*argv,"-no_resume_ephemeral") == 0)
{ no_resume_ephemeral = 1; }
#ifndef OPENSSL_NO_PSK #ifndef OPENSSL_NO_PSK
else if (strcmp(*argv,"-psk_hint") == 0) else if (strcmp(*argv,"-psk_hint") == 0)
{ {
@ -1589,7 +1604,7 @@ bad:
if (bio_s_out == NULL) if (bio_s_out == NULL)
{ {
if (s_quiet && !s_debug && !s_msg) if (s_quiet && !s_debug)
{ {
bio_s_out=BIO_new(BIO_s_null()); bio_s_out=BIO_new(BIO_s_null());
if (s_msg && !bio_s_msg) if (s_msg && !bio_s_msg)
@ -2260,7 +2275,7 @@ static int sv_body(char *hostname, int s, unsigned char *context)
} }
else else
i=raw_read_stdin(buf,bufsize); i=raw_read_stdin(buf,bufsize);
if (!s_quiet) if (!s_quiet && !s_brief)
{ {
if ((i <= 0) || (buf[0] == 'Q')) if ((i <= 0) || (buf[0] == 'Q'))
{ {
@ -2513,6 +2528,9 @@ static int init_ssl_connection(SSL *con)
return(0); return(0);
} }
if (s_brief)
print_ssl_summary(bio_err, con);
PEM_write_bio_SSL_SESSION(bio_s_out,SSL_get_session(con)); PEM_write_bio_SSL_SESSION(bio_s_out,SSL_get_session(con));
peer=SSL_get_peer_certificate(con); peer=SSL_get_peer_certificate(con);
@ -2531,7 +2549,7 @@ static int init_ssl_connection(SSL *con)
BIO_printf(bio_s_out,"Shared ciphers:%s\n",buf); BIO_printf(bio_s_out,"Shared ciphers:%s\n",buf);
str=SSL_CIPHER_get_name(SSL_get_current_cipher(con)); str=SSL_CIPHER_get_name(SSL_get_current_cipher(con));
ssl_print_sigalgs(bio_s_out, con); ssl_print_sigalgs(bio_s_out, con);
ssl_print_curves(bio_s_out, con); ssl_print_curves(bio_s_out, con, 0);
BIO_printf(bio_s_out,"CIPHER is %s\n",(str != NULL)?str:"(NONE)"); BIO_printf(bio_s_out,"CIPHER is %s\n",(str != NULL)?str:"(NONE)");
#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
@ -2851,7 +2869,7 @@ static int www_body(char *hostname, int s, unsigned char *context)
BIO_puts(io,"\n"); BIO_puts(io,"\n");
} }
ssl_print_sigalgs(io, con); ssl_print_sigalgs(io, con);
ssl_print_curves(io, con); ssl_print_curves(io, con, 0);
BIO_printf(io,(SSL_cache_hit(con) BIO_printf(io,(SSL_cache_hit(con)
?"---\nReused, " ?"---\nReused, "
:"---\nNew, ")); :"---\nNew, "));