openssl/apps/s_apps.h

/*
 * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.
 *
 * Licensed under the OpenSSL license (the "License").  You may not use
 * this file except in compliance with the License.  You can obtain a copy
 * in the file LICENSE in the source distribution or at
 * https://www.openssl.org/source/license.html
 */

#include <openssl/opensslconf.h>

#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
# include <conio.h>
#endif

#if defined(OPENSSL_SYS_MSDOS) && !defined(_WIN32)
# define _kbhit kbhit
#endif

#define PORT            "4433"
#define PROTOCOL        "tcp"

typedef int (*do_server_cb)(int s, int stype, int prot, unsigned char *context);
int do_server(int *accept_sock, const char *host, const char *port,
              int family, int type, int protocol,
              do_server_cb cb,
              unsigned char *context, int naccept);
#ifdef HEADER_X509_H
int verify_callback(int ok, X509_STORE_CTX *ctx);
#endif
#ifdef HEADER_SSL_H
int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file);
int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key,
                       STACK_OF(X509) *chain, int build_chain);
int ssl_print_sigalgs(BIO *out, SSL *s);
int ssl_print_point_formats(BIO *out, SSL *s);
int ssl_print_groups(BIO *out, SSL *s, int noshared);
#endif
int ssl_print_tmp_key(BIO *out, SSL *s);
int init_client(int *sock, const char *host, const char *port,
                int family, int type, int protocol);
int should_retry(int i);

long bio_dump_callback(BIO *bio, int cmd, const char *argp,
                       int argi, long argl, long ret);

#ifdef HEADER_SSL_H
void apps_ssl_info_callback(const SSL *s, int where, int ret);
void msg_cb(int write_p, int version, int content_type, const void *buf,
            size_t len, SSL *ssl, void *arg);
void tlsext_cb(SSL *s, int client_server, int type, const unsigned char *data,
               int len, void *arg);
#endif

int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
                             unsigned int *cookie_len);
int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
                           unsigned int cookie_len);

typedef struct ssl_excert_st SSL_EXCERT;

void ssl_ctx_set_excert(SSL_CTX *ctx, SSL_EXCERT *exc);
void ssl_excert_free(SSL_EXCERT *exc);
int args_excert(int option, SSL_EXCERT **pexc);
int load_excert(SSL_EXCERT **pexc);
void print_verify_detail(SSL *s, BIO *bio);
void print_ssl_summary(SSL *s);
#ifdef HEADER_SSL_H
int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str, SSL_CTX *ctx);
int ssl_ctx_add_crls(SSL_CTX *ctx, STACK_OF(X509_CRL) *crls,
                     int crl_download);
int ssl_load_stores(SSL_CTX *ctx, const char *vfyCApath,
                    const char *vfyCAfile, const char *chCApath,
                    const char *chCAfile, STACK_OF(X509_CRL) *crls,
                    int crl_download);
void ssl_ctx_security_debug(SSL_CTX *ctx, int verbose);
int set_keylog_file(SSL_CTX *ctx, const char *keylog_file);
void print_ca_names(BIO *bio, SSL *s);
#endif
Copyright consolidation 01/10 Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Kurt Roeckx <kurt@openssl.org> 2016-05-17 18:18:30 +00:00			`/*`
			`* Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved.`
New functions SSL[_CTX]_set_msg_callback(). New macros SSL[_CTX]_set_msg_callback_arg(). Message callback imlementation for SSL 3.0/TLS 1.0 (no SSL 2.0 yet). New '-msg' option for 'openssl s_client' and 'openssl s_server' that enable a message callback that displays all protocol messages. In ssl3_get_client_hello (ssl/s3_srvr.c), generate a fatal alert if client_version is smaller than the protocol version in use. Also change ssl23_get_client_hello (ssl/s23_srvr.c) to select TLS 1.0 if the client demanded SSL 3.0 but only TLS 1.0 is enabled; then the client will at least see that alert. Fix SSL[_CTX]_ctrl prototype (void * instead of char * for generic pointer). Add/update some OpenSSL copyright notices. 2001-10-20 17:56:36 +00:00			`*`
Copyright consolidation 01/10 Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Kurt Roeckx <kurt@openssl.org> 2016-05-17 18:18:30 +00:00			`* Licensed under the OpenSSL license (the "License"). You may not use`
			`* this file except in compliance with the License. You can obtain a copy`
			`* in the file LICENSE in the source distribution or at`
			`* https://www.openssl.org/source/license.html`
New functions SSL[_CTX]_set_msg_callback(). New macros SSL[_CTX]_set_msg_callback_arg(). Message callback imlementation for SSL 3.0/TLS 1.0 (no SSL 2.0 yet). New '-msg' option for 'openssl s_client' and 'openssl s_server' that enable a message callback that displays all protocol messages. In ssl3_get_client_hello (ssl/s3_srvr.c), generate a fatal alert if client_version is smaller than the protocol version in use. Also change ssl23_get_client_hello (ssl/s23_srvr.c) to select TLS 1.0 if the client demanded SSL 3.0 but only TLS 1.0 is enabled; then the client will at least see that alert. Fix SSL[_CTX]_ctrl prototype (void * instead of char * for generic pointer). Add/update some OpenSSL copyright notices. 2001-10-20 17:56:36 +00:00			`*/`
Copyright consolidation 01/10 Reviewed-by: Richard Levitte <levitte@openssl.org> Reviewed-by: Kurt Roeckx <kurt@openssl.org> 2016-05-17 18:18:30 +00:00
Use new-style system-id macros everywhere possible. I hope I haven't missed any. This compiles and runs on Linux, and external applications have no problems with it. The definite test will be to build this on VMS. 2001-02-20 08:13:47 +00:00			`#include <openssl/opensslconf.h>`

Selected changes for MSDOS, contributed by Gisle Vanem <giva@bgnett.no>. PR: 669 2003-09-27 21:56:08 +00:00			`#if defined(OPENSSL_SYS_WINDOWS) \|\| defined(OPENSSL_SYS_MSDOS)`
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org> 2015-01-22 03:40:55 +00:00			`# include <conio.h>`
Selected changes for MSDOS, contributed by Gisle Vanem <giva@bgnett.no>. PR: 669 2003-09-27 21:56:08 +00:00			`#endif`

Incidentally http://cvs.openssl.org/chngview?cn=17710 also made it possible to build the library without -D_CRT_NONSTDC_NO_DEPRECATE. This commit expands it even to apps catalog and actually omits the macro in question from Configure. 2008-12-22 14:05:42 +00:00			`#if defined(OPENSSL_SYS_MSDOS) && !defined(_WIN32)`
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org> 2015-01-22 03:40:55 +00:00			`# define _kbhit kbhit`
Selected changes for MSDOS, contributed by Gisle Vanem <giva@bgnett.no>. PR: 669 2003-09-27 21:56:08 +00:00			`#endif`

Refactoring BIO: Adapt s_client and s_server s_socket.c gets brutally cleaned out and now consists of only two functions, one for client and the other for server. They both handle AF_INET, AF_INET6 and additionally AF_UNIX where supported. The rest is just easy adaptation. Both s_client and s_server get the new flags -4 and -6 to force the use of IPv4 or IPv6 only. Also, the default host "localhost" in s_client is removed. It's not certain that this host is set up for both IPv4 and IPv6. For example, Debian has "ip6-localhost" as the default hostname for [::1]. The better way is to default \|host\| to NULL and rely on BIO_lookup() to return a BIO_ADDRINFO with the appropriate loopback address for IPv4 or IPv6 as indicated by the \|family\| parameter. Reviewed-by: Kurt Roeckx <kurt@openssl.org> 2016-02-02 23:47:42 +00:00			`#define PORT "4433"`
Import of old SSLeay release: SSLeay 0.8.1b 1998-12-21 10:52:47 +00:00			`#define PROTOCOL "tcp"`

Add a -sctp option to s_server Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3286) 2017-04-20 08:56:56 +00:00			`typedef int (do_server_cb)(int s, int stype, int prot, unsigned char context);`
Refactoring BIO: Adapt s_client and s_server s_socket.c gets brutally cleaned out and now consists of only two functions, one for client and the other for server. They both handle AF_INET, AF_INET6 and additionally AF_UNIX where supported. The rest is just easy adaptation. Both s_client and s_server get the new flags -4 and -6 to force the use of IPv4 or IPv6 only. Also, the default host "localhost" in s_client is removed. It's not certain that this host is set up for both IPv4 and IPv6. For example, Debian has "ip6-localhost" as the default hostname for [::1]. The better way is to default \|host\| to NULL and rely on BIO_lookup() to return a BIO_ADDRINFO with the appropriate loopback address for IPv4 or IPv6 as indicated by the \|family\| parameter. Reviewed-by: Kurt Roeckx <kurt@openssl.org> 2016-02-02 23:47:42 +00:00			`int do_server(int accept_sock, const char host, const char *port,`
Add a -sctp option to s_server Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3286) 2017-04-20 08:56:56 +00:00			`int family, int type, int protocol,`
Remove unused parameters from internal functions Reviewed-by: Richard Levitte <levitte@openssl.org> 2016-02-14 03:33:56 +00:00			`do_server_cb cb,`
			`unsigned char *context, int naccept);`
Import of old SSLeay release: SSLeay 0.8.1b 1998-12-21 10:52:47 +00:00			`#ifdef HEADER_X509_H`
RT3548: Remove unsupported platforms This last one for this ticket. Removes WIN16. So long, MS_CALLBACK and MS_FAR. We won't miss you. Reviewed-by: Richard Levitte <levitte@openssl.org> 2015-01-12 22:29:26 +00:00			`int verify_callback(int ok, X509_STORE_CTX *ctx);`
Import of old SSLeay release: SSLeay 0.8.1b 1998-12-21 10:52:47 +00:00			`#endif`
			`#ifdef HEADER_SSL_H`
			`int set_cert_stuff(SSL_CTX ctx, char cert_file, char *key_file);`
Add options to set additional type specific certificate chains to s_server. 2012-04-11 16:53:11 +00:00			`int set_cert_key_stuff(SSL_CTX ctx, X509 cert, EVP_PKEY *key,`
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org> 2015-01-22 03:40:55 +00:00			`STACK_OF(X509) *chain, int build_chain);`
Add new ctrl to retrieve client certificate types, print out details in s_client. Also add ctrl to set client certificate types. If not used sensible values will be included based on supported signature algorithms: for example if we don't include any DSA signing algorithms the DSA certificate type is omitted. Fix restriction in old code where certificate types would be truncated if it exceeded TLS_CT_NUMBER. 2012-07-08 14:22:45 +00:00			`int ssl_print_sigalgs(BIO out, SSL s);`
Add support for printing out and retrieving EC point formats extension. 2012-11-22 15:20:53 +00:00			`int ssl_print_point_formats(BIO out, SSL s);`
Rename the Elliptic Curves extension to supported_groups This is a skin deep change, which simply renames most places where we talk about curves in a TLS context to groups. This is because TLS1.3 has renamed the extension, and it can now include DH groups too. We still only support curves, but this rename should pave the way for a future extension for DH groups. Reviewed-by: Rich Salz <rsalz@openssl.org> 2016-11-09 14:51:06 +00:00			`int ssl_print_groups(BIO out, SSL s, int noshared);`
Import of old SSLeay release: SSLeay 0.8.1b 1998-12-21 10:52:47 +00:00			`#endif`
new ctrl to retrive value of received temporary key in server key exchange message, print out details in s_client 2012-09-08 13:59:51 +00:00			`int ssl_print_tmp_key(BIO out, SSL s);`
Refactoring BIO: Adapt s_client and s_server s_socket.c gets brutally cleaned out and now consists of only two functions, one for client and the other for server. They both handle AF_INET, AF_INET6 and additionally AF_UNIX where supported. The rest is just easy adaptation. Both s_client and s_server get the new flags -4 and -6 to force the use of IPv4 or IPv6 only. Also, the default host "localhost" in s_client is removed. It's not certain that this host is set up for both IPv4 and IPv6. For example, Debian has "ip6-localhost" as the default hostname for [::1]. The better way is to default \|host\| to NULL and rely on BIO_lookup() to return a BIO_ADDRINFO with the appropriate loopback address for IPv4 or IPv6 as indicated by the \|family\| parameter. Reviewed-by: Kurt Roeckx <kurt@openssl.org> 2016-02-02 23:47:42 +00:00			`int init_client(int sock, const char host, const char *port,`
Add a -sctp option to s_client Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3286) 2017-04-20 08:57:12 +00:00			`int family, int type, int protocol);`
Import of old SSLeay release: SSLeay 0.8.1b 1998-12-21 10:52:47 +00:00			`int should_retry(int i);`

RT3548: Remove unsupported platforms This last one for this ticket. Removes WIN16. So long, MS_CALLBACK and MS_FAR. We won't miss you. Reviewed-by: Richard Levitte <levitte@openssl.org> 2015-01-12 22:29:26 +00:00			`long bio_dump_callback(BIO bio, int cmd, const char argp,`
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org> 2015-01-22 03:40:55 +00:00			`int argi, long argl, long ret);`
Import of old SSLeay release: SSLeay 0.8.1b 1998-12-21 10:52:47 +00:00
			`#ifdef HEADER_SSL_H`
RT3548: Remove unsupported platforms This last one for this ticket. Removes WIN16. So long, MS_CALLBACK and MS_FAR. We won't miss you. Reviewed-by: Richard Levitte <levitte@openssl.org> 2015-01-12 22:29:26 +00:00			`void apps_ssl_info_callback(const SSL *s, int where, int ret);`
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org> 2015-01-22 03:40:55 +00:00			`void msg_cb(int write_p, int version, int content_type, const void *buf,`
			`size_t len, SSL ssl, void arg);`
constify PACKET PACKET contents should be read-only. To achieve this, also - constify two user callbacks - constify BUF_reverse. Reviewed-by: Rich Salz <rsalz@openssl.org> 2016-02-01 14:26:18 +00:00			`void tlsext_cb(SSL s, int client_server, int type, const unsigned char data,`
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org> 2015-01-22 03:40:55 +00:00			`int len, void *arg);`
Import of old SSLeay release: SSLeay 0.8.1b 1998-12-21 10:52:47 +00:00			`#endif`
PR: 2028 Submitted by: Robin Seggelmann <seggelmann@fh-muenster.de> Approved by: steve@openssl.org Fix DTLS cookie management bugs. 2009-09-04 17:42:53 +00:00
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org> 2015-01-22 03:40:55 +00:00			`int generate_cookie_callback(SSL ssl, unsigned char cookie,`
			`unsigned int *cookie_len);`
DTLS: remove unused cookie field Note that this commit constifies a user callback parameter and therefore will break compilation for applications using this callback. But unless they are abusing write access to the buffer, the fix is trivial. Reviewed-by: Andy Polyakov <appro@openssl.org> 2015-10-06 15:20:32 +00:00			`int verify_cookie_callback(SSL ssl, const unsigned char cookie,`
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org> 2015-01-22 03:40:55 +00:00			`unsigned int cookie_len);`
Add certificate callback. If set this is called whenever a certificate is required by client or server. An application can decide which certificate chain to present based on arbitrary criteria: for example supported signature algorithms. Add very simple example to s_server. This fixes many of the problems and restrictions of the existing client certificate callback: for example you can now clear existing certificates and specify the whole chain. 2012-06-29 14:24:42 +00:00
			`typedef struct ssl_excert_st SSL_EXCERT;`

			`void ssl_ctx_set_excert(SSL_CTX ctx, SSL_EXCERT exc);`
			`void ssl_excert_free(SSL_EXCERT *exc);`
Big apps cleanup (option-parsing, etc) This is merges the old "rsalz-monolith" branch over to master. The biggest change is that option parsing switch from cascasding 'else if strcmp("-foo")' to a utility routine and somethin akin to getopt. Also, an error in the command line no longer prints the full summary; use -help (or --help :) for that. There have been many other changes and code-cleanup, see bullet list below. Special thanks to Matt for the long and detailed code review. TEMPORARY: For now, comment out CRYPTO_mem_leaks() at end of main Tickets closed: RT3515: Use 3DES in pkcs12 if built with no-rc2 RT1766: s_client -reconnect and -starttls broke RT2932: Catch write errors RT2604: port should be 'unsigned short' RT2983: total_bytes undeclared #ifdef RENEG RT1523: Add -nocert to fix output in x509 app RT3508: Remove unused variable introduced by b09eb24 RT3511: doc fix; req default serial is random RT1325,2973: Add more extensions to c_rehash RT2119,3407: Updated to dgst.pod RT2379: Additional typo fix RT2693: Extra include of string.h RT2880: HFS is case-insensitive filenames RT3246: req command prints version number wrong Other changes; incompatibilities marked with : Add SCSV support Add -misalign to speed command Make dhparam, dsaparam, ecparam, x509 output C in proper style Make some internal ocsp.c functions void Only display cert usages with -help in verify Use global bio_err, remove "BIOerr" parameter from functions For filenames, - always means stdin (or stdout as appropriate) Add aliases for -des/aes "wrap" ciphers. Remove support for IISSGC (server gated crypto) The undocumented OCSP -header flag is now "-header name=value" *Documented the OCSP -header flag Reviewed-by: Matt Caswell <matt@openssl.org> 2015-04-24 19:26:15 +00:00			`int args_excert(int option, SSL_EXCERT **pexc);`
			`int load_excert(SSL_EXCERT **pexc);`
Suppress DANE TLSA reflection when verification fails As documented both SSL_get0_dane_authority() and SSL_get0_dane_tlsa() are expected to return a negative match depth and nothing else when verification fails. However, this only happened when verification failed during chain construction. Errors in verification of the constructed chain did not have the intended effect on these functions. This commit updates the functions to check for verify_result == X509_V_OK, and no longer erases any accumulated match information when chain construction fails. Sophisticated developers can, with care, use SSL_set_verify_result(ssl, X509_V_OK) to "peek" at TLSA info even when verification fail. They must of course first check and save the real error, and restore the original error as quickly as possible. Hiding by default seems to be the safer interface. Introduced X509_V_ERR_DANE_NO_MATCH code to signal failure to find matching TLSA records. Previously reported via X509_V_ERR_CERT_UNTRUSTED. This also changes the "-brief" output from s_client to include verification results and TLSA match information. Mentioned session resumption in code example in SSL_CTX_dane_enable(3). Also mentioned that depths returned are relative to the verified chain which is now available via SSL_get0_verified_chain(3). Added a few more test-cases to danetest, that exercise the new code. Resolved thread safety issue in use of static buffer in X509_verify_cert_error_string(). Fixed long-stating issue in apps/s_cb.c which always sets verify_error to either X509_V_OK or "chain to long", code elsewhere (e.g. s_time.c), seems to expect the actual error. [ The new chain construction code is expected to correctly generate "chain too long" errors, so at some point we need to drop the work-arounds, once SSL_set_verify_depth() is also fixed to propagate the depth to X509_STORE_CTX reliably. ] Reviewed-by: Rich Salz <rsalz@openssl.org> 2016-02-08 00:07:57 +00:00			`void print_verify_detail(SSL s, BIO bio);`
Remove needless bio_err argument Many functions had a BIO* parameter, and it was always called with bio_err. Remove the param and just use bio_err. Reviewed-by: Matt Caswell <matt@openssl.org> 2015-04-29 15:27:08 +00:00			`void print_ssl_summary(SSL *s);`
Delegate command line handling for many common options in s_client/s_server to the SSL_CONF APIs. This is complicated a little because the SSL_CTX structure is not available when the command line is processed: so just check syntax of commands initially and store them, ready to apply later. 2012-11-17 14:42:22 +00:00			`#ifdef HEADER_SSL_H`
Remove JPAKE Reviewed-by: Viktor Dukhovni <viktor@openssl.org> 2016-02-14 05:17:59 +00:00			`int config_ctx(SSL_CONF_CTX cctx, STACK_OF(OPENSSL_STRING) str, SSL_CTX *ctx);`
Run util/openssl-format-source -v -c . Reviewed-by: Tim Hudson <tjh@openssl.org> 2015-01-22 03:40:55 +00:00			`int ssl_ctx_add_crls(SSL_CTX ctx, STACK_OF(X509_CRL) crls,`
			`int crl_download);`
			`int ssl_load_stores(SSL_CTX ctx, const char vfyCApath,`
			`const char vfyCAfile, const char chCApath,`
			`const char chCAfile, STACK_OF(X509_CRL) crls,`
			`int crl_download);`
Remove needless bio_err argument Many functions had a BIO* parameter, and it was always called with bio_err. Remove the param and just use bio_err. Reviewed-by: Matt Caswell <matt@openssl.org> 2015-04-29 15:27:08 +00:00			`void ssl_ctx_security_debug(SSL_CTX *ctx, int verbose);`
apps: Add support for writing a keylog file The server and client demos (s_client and s_server) are extended with a -keylogfile option. This is similar as setting the SSLKEYLOGFILE environment variable for NSS and creates a keylog file which is suitable for Wireshark. Reviewed-by: Matt Caswell <matt@openssl.org> Reviewed-by: Richard Levitte <levitte@openssl.org> (Merged from https://github.com/openssl/openssl/pull/2343) 2017-02-01 18:14:27 +00:00			`int set_keylog_file(SSL_CTX ctx, const char keylog_file);`
Print CA names in s_server, add -requestCAfile to s_client Reviewed-by: Rich Salz <rsalz@openssl.org> (Merged from https://github.com/openssl/openssl/pull/3015) 2017-03-31 16:04:28 +00:00			`void print_ca_names(BIO bio, SSL s);`
Delegate command line handling for many common options in s_client/s_server to the SSL_CONF APIs. This is complicated a little because the SSL_CTX structure is not available when the command line is processed: so just check syntax of commands initially and store them, ready to apply later. 2012-11-17 14:42:22 +00:00			`#endif`