Add -brief option to s_client and s_server to summarise connection details.

New option -verify_quiet to shut up the verify callback unless there is an error.
2012-09-12 23:14:28 +00:00 · 2012-09-12 23:14:28 +00:00 · 2a7cbe77b3
commit 2a7cbe77b3
parent 94a209d8e1
5 changed files with 125 additions and 16 deletions
--- a/4
+++ b/4
@ -4,6 +4,10 @@

 Changes between 1.0.x and 1.1.0  [xx XXX xxxx]

+  *) New option -brief for s_client and s_server to print out a brief summary
+     of connection parameters.
+     [Steve Henson]
+
  *) Add functions to retrieve and manipulate the raw cipherlist sent by a
     client to OpenSSL.
     [Steve Henson]
--- a/apps/s_apps.h
+++ b/apps/s_apps.h
@ -161,7 +161,7 @@ int set_cert_key_and_authz(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key,
                           unsigned char *authz, size_t authz_length);
 # endif
 int ssl_print_sigalgs(BIO *out, SSL *s);
-int ssl_print_curves(BIO *out, SSL *s);
+int ssl_print_curves(BIO *out, SSL *s, int noshared);
 #endif
 int ssl_print_tmp_key(BIO *out, SSL *s);
 int init_client(int *sock, char *server, int port, int type);
@ -190,3 +190,4 @@ void ssl_excert_free(SSL_EXCERT *exc);
 int args_excert(char ***pargs, int *pargc,
 			int *badarg, BIO *err, SSL_EXCERT **pexc);
 int load_excert(SSL_EXCERT **pexc, BIO *err);
+void print_ssl_summary(BIO *bio, SSL *s);
--- a/apps/s_cb.c
+++ b/apps/s_cb.c
@ -125,6 +125,7 @@
 #define	COOKIE_SECRET_LENGTH	16

 int verify_depth=0;
+int verify_quiet=0;
 int verify_error=X509_V_OK;
 int verify_return_error=0;
 unsigned char cookie_secret[COOKIE_SECRET_LENGTH];
@ -139,15 +140,19 @@ int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
 	err=	X509_STORE_CTX_get_error(ctx);
 	depth=	X509_STORE_CTX_get_error_depth(ctx);

-	BIO_printf(bio_err,"depth=%d ",depth);
-	if (err_cert)
+	if (!verify_quiet || !ok)
 		{
-		X509_NAME_print_ex(bio_err, X509_get_subject_name(err_cert),
+		BIO_printf(bio_err,"depth=%d ",depth);
+		if (err_cert)
+			{
+			X509_NAME_print_ex(bio_err,
+					X509_get_subject_name(err_cert),
 					0, XN_FLAG_ONELINE);
-		BIO_puts(bio_err, "\n");
+			BIO_puts(bio_err, "\n");
+			}
+		else
+			BIO_puts(bio_err, "<no cert>\n");
 		}
-	else
-		BIO_puts(bio_err, "<no cert>\n");
 	if (!ok)
 		{
 		BIO_printf(bio_err,"verify error:num=%d:%s\n",err,
@ -188,10 +193,10 @@ int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
 		policies_print(bio_err, ctx);
 		break;
 		}
-	if (err == X509_V_OK && ok == 2)
+	if (err == X509_V_OK && ok == 2 && !verify_quiet)
 		policies_print(bio_err, ctx);
-
-	BIO_printf(bio_err,"verify return:%d\n",ok);
+	if (ok && !verify_quiet)
+		BIO_printf(bio_err,"verify return:%d\n",ok);
 	return(ok);
 	}

@ -419,7 +424,7 @@ int ssl_print_sigalgs(BIO *out, SSL *s)
 	return 1;
 	}

-int ssl_print_curves(BIO *out, SSL *s)
+int ssl_print_curves(BIO *out, SSL *s, int noshared)
 	{
 	int i, ncurves, *curves, nid;
 	const char *cname;
@ -447,6 +452,13 @@ int ssl_print_curves(BIO *out, SSL *s)
 			BIO_printf(out, "%s", cname);
 			}
 		}
+	if (ncurves == 0)
+		BIO_puts(out, "NONE");
+	if (noshared)
+		{
+		BIO_puts(out, "\n");
+		return 1;
+		}
 	BIO_puts(out, "\nShared Elliptic curves: ");
 	OPENSSL_free(curves);
 	ncurves = SSL_get_shared_curve(s, -1);
@ -1459,3 +1471,65 @@ int args_excert(char ***pargs, int *pargc,
 	return 1;
 	}

+static void print_raw_cipherlist(BIO *bio, SSL *s)
+	{
+	const unsigned char *rlist;
+	static const unsigned char scsv_id[] = {0, 0, 0xFF};
+	size_t i, rlistlen, num;
+	if (!SSL_is_server(s))
+		return;
+	num = SSL_get0_raw_cipherlist(s, NULL);
+	rlistlen = SSL_get0_raw_cipherlist(s, &rlist);
+	BIO_puts(bio, "Client cipher list: ");
+	for (i = 0; i < rlistlen; i += num, rlist += num)
+		{
+		const SSL_CIPHER *c = SSL_CIPHER_find(s, rlist);
+		if (i)
+			BIO_puts(bio, ":");
+		if (c)
+			BIO_puts(bio, SSL_CIPHER_get_name(c));
+		else if (!memcmp(rlist, scsv_id - num + 3, num))
+			BIO_puts(bio, "SCSV");
+		else
+			{
+			size_t j;
+			BIO_puts(bio, "0x");
+			for (j = 0; j < num; j++)
+				BIO_printf(bio, "%02X", rlist[j]);
+			}
+		}
+	BIO_puts(bio, "\n");
+	}
+	
+
+void print_ssl_summary(BIO *bio, SSL *s)
+	{
+	const SSL_CIPHER *c;
+	X509 *peer;
+	/*const char *pnam = SSL_is_server(s) ? "client" : "server";*/
+	BIO_printf(bio, "Protocol version: %s\n", SSL_get_version(s));
+	print_raw_cipherlist(bio, s);
+	c = SSL_get_current_cipher(s);
+	BIO_printf(bio,"Ciphersuite: %s\n", SSL_CIPHER_get_name(c));
+	do_print_sigalgs(bio, s, 0);
+	peer = SSL_get_peer_certificate(s);
+	if (peer)
+		{
+		int nid;
+		BIO_puts(bio, "Peer certificate: ");
+		X509_NAME_print_ex(bio, X509_get_subject_name(peer),
+					0, XN_FLAG_ONELINE);
+		BIO_puts(bio, "\n");
+		if (SSL_get_peer_signature_nid(s, &nid))
+			BIO_printf(bio, "Hash used: %s\n", OBJ_nid2sn(nid));
+		}
+	else
+		BIO_puts(bio, "No peer certificate\n");
+	if (peer)
+		X509_free(peer);
+	if (SSL_is_server(s))
+		ssl_print_curves(bio, s, 1);
+	else
+		ssl_print_tmp_key(bio, s);
+	}
+
--- a/apps/s_client.c
+++ b/apps/s_client.c
@ -193,6 +193,7 @@ typedef unsigned int u_int;
 extern int verify_depth;
 extern int verify_error;
 extern int verify_return_error;
+extern int verify_quiet;

 #ifdef FIONBIO
 static int c_nbio=0;
@ -220,6 +221,7 @@ static BIO *bio_c_out=NULL;
 static BIO *bio_c_msg=NULL;
 static int c_quiet=0;
 static int c_ign_eof=0;
+static int c_brief=0;

 #ifndef OPENSSL_NO_PSK
 /* Default PSK identity and key */
@ -688,7 +690,8 @@ int MAIN(int argc, char **argv)
 			verify=SSL_VERIFY_PEER;
 			if (--argc < 1) goto bad;
 			verify_depth=atoi(*(++argv));
-			BIO_printf(bio_err,"verify depth is %d\n",verify_depth);
+			if (!c_quiet)
+				BIO_printf(bio_err,"verify depth is %d\n",verify_depth);
 			}
 		else if	(strcmp(*argv,"-cert") == 0)
 			{
@ -718,6 +721,14 @@ int MAIN(int argc, char **argv)
 			}
 		else if (strcmp(*argv,"-verify_return_error") == 0)
 			verify_return_error = 1;
+		else if (strcmp(*argv,"-verify_quiet") == 0)
+			verify_quiet = 1;
+		else if (strcmp(*argv,"-brief") == 0)
+			{
+			c_brief = 1;
+			verify_quiet = 1;
+			c_quiet = 1;
+			}
 		else if (args_excert(&argv, &argc, &badarg, bio_err, &exc))
 			{
 			if (badarg)
@ -1611,6 +1622,12 @@ SSL_set_tlsext_status_ids(con, ids);
 					else 
 						BIO_printf(bio_err, "Error writing session file %s\n", sess_out);
 					}
+				if (c_brief)
+					{
+					BIO_puts(bio_err,
+						"CONNECTION ESTABLISHED\n");
+					print_ssl_summary(bio_err, con);
+					}
 				print_stuff(bio_c_out,con,full_log);
 				if (full_log > 0) full_log--;

--- a/apps/s_server.c
+++ b/apps/s_server.c
@ -268,7 +268,7 @@ static int accept_socket= -1;
 #undef PROG
 #define PROG		s_server_main

-extern int verify_depth, verify_return_error;
+extern int verify_depth, verify_return_error, verify_quiet;

 static char *cipher=NULL;
 static int s_server_verify=SSL_VERIFY_NONE;
@ -303,6 +303,7 @@ static int cert_status_cb(SSL *s, void *arg);
 static int no_resume_ephemeral = 0;
 static int s_msg=0;
 static int s_quiet=0;
+static int s_brief=0;

 static char *keymatexportlabel=NULL;
 static int keymatexportlen=20;
@ -466,6 +467,7 @@ static void s_server_init(void)
 	s_debug=0;
 	s_msg=0;
 	s_quiet=0;
+	s_brief=0;
 	hack=0;
 #ifndef OPENSSL_NO_ENGINE
 	engine_id=NULL;
@ -1169,6 +1171,8 @@ int MAIN(int argc, char *argv[])
 			}
 		else if (strcmp(*argv,"-verify_return_error") == 0)
 			verify_return_error = 1;
+		else if (strcmp(*argv,"-verify_quiet") == 0)
+			verify_quiet = 1;
 		else if	(strcmp(*argv,"-serverpref") == 0)
 			{ off|=SSL_OP_CIPHER_SERVER_PREFERENCE; }
 		else if (strcmp(*argv,"-legacy_renegotiation") == 0)
@ -1273,6 +1277,12 @@ int MAIN(int argc, char *argv[])
 			{ s_crlf=1; }
 		else if	(strcmp(*argv,"-quiet") == 0)
 			{ s_quiet=1; }
+		else if	(strcmp(*argv,"-brief") == 0)
+			{
+			s_quiet=1;
+			s_brief=1;
+			verify_quiet=1;
+			}
 		else if	(strcmp(*argv,"-bugs") == 0)
 			{ bugs=1; }
 		else if	(strcmp(*argv,"-no_tmp_rsa") == 0)
@ -2389,7 +2399,7 @@ static int sv_body(char *hostname, int s, unsigned char *context)
 				}
 			else
 				i=raw_read_stdin(buf,bufsize);
-			if (!s_quiet)
+			if (!s_quiet && !s_brief)
 				{
 				if ((i <= 0) || (buf[0] == 'Q'))
 					{
@ -2642,6 +2652,9 @@ static int init_ssl_connection(SSL *con)
 		return(0);
 		}

+	if (s_brief)
+		print_ssl_summary(bio_err, con);
+
 	PEM_write_bio_SSL_SESSION(bio_s_out,SSL_get_session(con));

 	peer=SSL_get_peer_certificate(con);
@ -2660,7 +2673,7 @@ static int init_ssl_connection(SSL *con)
 		BIO_printf(bio_s_out,"Shared ciphers:%s\n",buf);
 	str=SSL_CIPHER_get_name(SSL_get_current_cipher(con));
 	ssl_print_sigalgs(bio_s_out, con);
-	ssl_print_curves(bio_s_out, con);
+	ssl_print_curves(bio_s_out, con, 0);
 	BIO_printf(bio_s_out,"CIPHER is %s\n",(str != NULL)?str:"(NONE)");

 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
@ -3003,7 +3016,7 @@ static int www_body(char *hostname, int s, unsigned char *context)
 				BIO_puts(io,"\n");
 				}
 			ssl_print_sigalgs(io, con);
-			ssl_print_curves(io, con);
+			ssl_print_curves(io, con, 0);
 			BIO_printf(io,(SSL_cache_hit(con)
 				?"---\nReused, "
 				:"---\nNew, "));