2016-05-17 18:18:30 +00:00
|
|
|
/*
|
2018-02-13 12:51:29 +00:00
|
|
|
* Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
|
2017-06-15 14:16:46 +00:00
|
|
|
* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
|
2017-06-20 14:14:36 +00:00
|
|
|
* Copyright 2005 Nokia. All rights reserved.
|
2001-10-20 17:56:36 +00:00
|
|
|
*
|
2016-05-17 18:18:30 +00:00
|
|
|
* Licensed under the OpenSSL license (the "License"). You may not use
|
|
|
|
* this file except in compliance with the License. You can obtain a copy
|
|
|
|
* in the file LICENSE in the source distribution or at
|
|
|
|
* https://www.openssl.org/source/license.html
|
2001-10-20 17:56:36 +00:00
|
|
|
*/
|
2016-05-17 18:18:30 +00:00
|
|
|
|
2006-03-10 23:06:27 +00:00
|
|
|
#include <ctype.h>
|
1999-07-28 23:25:59 +00:00
|
|
|
#include <stdio.h>
|
|
|
|
#include <stdlib.h>
|
|
|
|
#include <string.h>
|
2016-08-03 20:49:25 +00:00
|
|
|
#if defined(_WIN32)
|
|
|
|
/* Included before async.h to avoid some warnings */
|
|
|
|
# include <windows.h>
|
|
|
|
#endif
|
2003-11-28 13:10:58 +00:00
|
|
|
|
2001-02-20 14:07:03 +00:00
|
|
|
#include <openssl/e_os2.h>
|
2016-08-03 20:49:25 +00:00
|
|
|
#include <openssl/async.h>
|
|
|
|
#include <openssl/ssl.h>
|
1999-07-28 23:25:59 +00:00
|
|
|
|
2016-03-21 15:32:40 +00:00
|
|
|
#ifndef OPENSSL_NO_SOCK
|
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
/*
|
|
|
|
* With IPv6, it looks like Digital has mixed up the proper order of
|
|
|
|
* recursive header file inclusion, resulting in the compiler complaining
|
|
|
|
* that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which is
|
|
|
|
* needed to have fileno() declared correctly... So let's define u_int
|
|
|
|
*/
|
2001-02-20 08:13:47 +00:00
|
|
|
#if defined(OPENSSL_SYS_VMS_DECC) && !defined(__U_INT)
|
2015-01-22 03:40:55 +00:00
|
|
|
# define __U_INT
|
1999-05-13 11:37:32 +00:00
|
|
|
typedef unsigned int u_int;
|
|
|
|
#endif
|
|
|
|
|
1999-04-23 22:13:45 +00:00
|
|
|
#include <openssl/bn.h>
|
1998-12-21 10:52:47 +00:00
|
|
|
#include "apps.h"
|
2018-01-31 10:13:10 +00:00
|
|
|
#include "progs.h"
|
1999-04-23 22:13:45 +00:00
|
|
|
#include <openssl/err.h>
|
|
|
|
#include <openssl/pem.h>
|
|
|
|
#include <openssl/x509.h>
|
|
|
|
#include <openssl/ssl.h>
|
2001-09-12 02:39:06 +00:00
|
|
|
#include <openssl/rand.h>
|
2007-09-26 21:56:59 +00:00
|
|
|
#include <openssl/ocsp.h>
|
2005-07-16 12:37:36 +00:00
|
|
|
#ifndef OPENSSL_NO_DH
|
2015-01-22 03:40:55 +00:00
|
|
|
# include <openssl/dh.h>
|
2005-07-16 12:37:36 +00:00
|
|
|
#endif
|
|
|
|
#ifndef OPENSSL_NO_RSA
|
2015-01-22 03:40:55 +00:00
|
|
|
# include <openssl/rsa.h>
|
2005-07-16 12:37:36 +00:00
|
|
|
#endif
|
2011-03-12 17:01:19 +00:00
|
|
|
#ifndef OPENSSL_NO_SRP
|
2015-01-22 03:40:55 +00:00
|
|
|
# include <openssl/srp.h>
|
2011-03-12 17:01:19 +00:00
|
|
|
#endif
|
1998-12-21 10:52:47 +00:00
|
|
|
#include "s_apps.h"
|
2005-04-26 16:02:40 +00:00
|
|
|
#include "timeouts.h"
|
2016-04-28 10:34:54 +00:00
|
|
|
#ifdef CHARSET_EBCDIC
|
|
|
|
#include <openssl/ebcdic.h>
|
|
|
|
#endif
|
2017-08-21 21:22:19 +00:00
|
|
|
#include "internal/sockets.h"
|
1998-12-21 10:52:47 +00:00
|
|
|
|
2010-08-26 15:15:47 +00:00
|
|
|
static int not_resumable_sess_cb(SSL *s, int is_forward_secure);
|
2017-04-20 08:56:56 +00:00
|
|
|
static int sv_body(int s, int stype, int prot, unsigned char *context);
|
|
|
|
static int www_body(int s, int stype, int prot, unsigned char *context);
|
|
|
|
static int rev_body(int s, int stype, int prot, unsigned char *context);
|
2015-01-22 03:40:55 +00:00
|
|
|
static void close_accept_socket(void);
|
1998-12-21 10:52:47 +00:00
|
|
|
static int init_ssl_connection(SSL *s);
|
2015-01-22 03:40:55 +00:00
|
|
|
static void print_stats(BIO *bp, SSL_CTX *ctx);
|
2017-08-03 14:24:03 +00:00
|
|
|
static int generate_session_id(SSL *ssl, unsigned char *id,
|
2015-01-22 03:40:55 +00:00
|
|
|
unsigned int *id_len);
|
2009-12-27 23:24:45 +00:00
|
|
|
static void init_session_cache_ctx(SSL_CTX *sctx);
|
|
|
|
static void free_sessions(void);
|
2001-02-19 16:06:34 +00:00
|
|
|
#ifndef OPENSSL_NO_DH
|
2005-04-07 22:48:33 +00:00
|
|
|
static DH *load_dh_param(const char *dhfile);
|
1998-12-21 10:56:39 +00:00
|
|
|
#endif
|
2017-02-27 20:55:04 +00:00
|
|
|
static void print_connection_info(SSL *con);
|
2002-08-09 08:56:08 +00:00
|
|
|
|
2016-08-07 10:04:26 +00:00
|
|
|
static const int bufsize = 16 * 1024;
|
2015-01-22 03:40:55 +00:00
|
|
|
static int accept_socket = -1;
|
1998-12-21 10:52:47 +00:00
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
#define TEST_CERT "server.pem"
|
2015-05-15 09:49:56 +00:00
|
|
|
#define TEST_CERT2 "server2.pem"
|
1998-12-21 10:52:47 +00:00
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
static int s_nbio = 0;
|
|
|
|
static int s_nbio_test = 0;
|
2015-09-05 12:32:58 +00:00
|
|
|
static int s_crlf = 0;
|
2015-01-22 03:40:55 +00:00
|
|
|
static SSL_CTX *ctx = NULL;
|
|
|
|
static SSL_CTX *ctx2 = NULL;
|
|
|
|
static int www = 0;
|
1998-12-21 10:52:47 +00:00
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
static BIO *bio_s_out = NULL;
|
2012-06-15 12:46:09 +00:00
|
|
|
static BIO *bio_s_msg = NULL;
|
2015-01-22 03:40:55 +00:00
|
|
|
static int s_debug = 0;
|
|
|
|
static int s_tlsextdebug = 0;
|
|
|
|
static int s_msg = 0;
|
|
|
|
static int s_quiet = 0;
|
|
|
|
static int s_ign_eof = 0;
|
|
|
|
static int s_brief = 0;
|
1998-12-21 10:52:47 +00:00
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
static char *keymatexportlabel = NULL;
|
|
|
|
static int keymatexportlen = 20;
|
2011-11-15 23:50:52 +00:00
|
|
|
|
2015-02-13 23:33:12 +00:00
|
|
|
static int async = 0;
|
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
static const char *session_id_prefix = NULL;
|
1999-09-03 23:08:45 +00:00
|
|
|
|
2015-12-16 13:25:07 +00:00
|
|
|
#ifndef OPENSSL_NO_DTLS
|
2005-04-26 16:02:40 +00:00
|
|
|
static int enable_timeouts = 0;
|
2006-01-02 23:29:12 +00:00
|
|
|
static long socket_mtu;
|
2016-12-05 23:42:01 +00:00
|
|
|
#endif
|
2005-04-26 16:02:40 +00:00
|
|
|
|
2017-03-17 10:21:25 +00:00
|
|
|
/*
|
|
|
|
* We define this but make it always be 0 in no-dtls builds to simplify the
|
|
|
|
* code.
|
|
|
|
*/
|
|
|
|
static int dtlslisten = 0;
|
2017-12-29 17:37:04 +00:00
|
|
|
static int stateless = 0;
|
2017-03-17 10:21:25 +00:00
|
|
|
|
2017-03-06 09:51:54 +00:00
|
|
|
static int early_data = 0;
|
2017-06-12 17:26:09 +00:00
|
|
|
static SSL_SESSION *psksess = NULL;
|
2017-03-06 09:51:54 +00:00
|
|
|
|
2017-06-02 01:01:27 +00:00
|
|
|
static char *psk_identity = "Client_identity";
|
2015-01-22 03:40:55 +00:00
|
|
|
char *psk_key = NULL; /* by default PSK is not used */
|
2006-03-10 23:06:27 +00:00
|
|
|
|
2017-06-13 13:28:45 +00:00
|
|
|
#ifndef OPENSSL_NO_PSK
|
2006-03-10 23:06:27 +00:00
|
|
|
static unsigned int psk_server_cb(SSL *ssl, const char *identity,
|
2015-01-22 03:40:55 +00:00
|
|
|
unsigned char *psk,
|
|
|
|
unsigned int max_psk_len)
|
|
|
|
{
|
2016-06-08 18:01:42 +00:00
|
|
|
long key_len = 0;
|
|
|
|
unsigned char *key;
|
2015-01-22 03:40:55 +00:00
|
|
|
|
|
|
|
if (s_debug)
|
|
|
|
BIO_printf(bio_s_out, "psk_server_cb\n");
|
2017-06-12 17:24:02 +00:00
|
|
|
if (identity == NULL) {
|
2015-01-22 03:40:55 +00:00
|
|
|
BIO_printf(bio_err, "Error: client did not send PSK identity\n");
|
|
|
|
goto out_err;
|
|
|
|
}
|
|
|
|
if (s_debug)
|
|
|
|
BIO_printf(bio_s_out, "identity_len=%d identity=%s\n",
|
2015-03-12 14:09:00 +00:00
|
|
|
(int)strlen(identity), identity);
|
2015-01-22 03:40:55 +00:00
|
|
|
|
|
|
|
/* here we could lookup the given identity e.g. from a database */
|
|
|
|
if (strcmp(identity, psk_identity) != 0) {
|
2017-06-02 01:01:27 +00:00
|
|
|
BIO_printf(bio_s_out, "PSK warning: client identity not what we expected"
|
2015-01-22 03:40:55 +00:00
|
|
|
" (got '%s' expected '%s')\n", identity, psk_identity);
|
2017-06-02 01:01:27 +00:00
|
|
|
} else {
|
|
|
|
if (s_debug)
|
2015-01-22 03:40:55 +00:00
|
|
|
BIO_printf(bio_s_out, "PSK client identity found\n");
|
2017-06-02 01:01:27 +00:00
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
|
|
|
|
/* convert the PSK key to binary */
|
2016-06-08 18:01:42 +00:00
|
|
|
key = OPENSSL_hexstr2buf(psk_key, &key_len);
|
|
|
|
if (key == NULL) {
|
|
|
|
BIO_printf(bio_err, "Could not convert PSK key '%s' to buffer\n",
|
2015-01-22 03:40:55 +00:00
|
|
|
psk_key);
|
|
|
|
return 0;
|
|
|
|
}
|
2016-06-08 18:01:42 +00:00
|
|
|
if (key_len > (int)max_psk_len) {
|
2015-01-22 03:40:55 +00:00
|
|
|
BIO_printf(bio_err,
|
2016-06-08 18:01:42 +00:00
|
|
|
"psk buffer of callback is too small (%d) for key (%ld)\n",
|
|
|
|
max_psk_len, key_len);
|
|
|
|
OPENSSL_free(key);
|
2015-01-22 03:40:55 +00:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2016-06-08 18:01:42 +00:00
|
|
|
memcpy(psk, key, key_len);
|
|
|
|
OPENSSL_free(key);
|
2015-01-22 03:40:55 +00:00
|
|
|
|
|
|
|
if (s_debug)
|
2016-06-08 18:01:42 +00:00
|
|
|
BIO_printf(bio_s_out, "fetched PSK len=%ld\n", key_len);
|
|
|
|
return key_len;
|
2006-03-10 23:06:27 +00:00
|
|
|
out_err:
|
2015-01-22 03:40:55 +00:00
|
|
|
if (s_debug)
|
|
|
|
BIO_printf(bio_err, "Error in PSK server callback\n");
|
2015-04-25 13:26:48 +00:00
|
|
|
(void)BIO_flush(bio_err);
|
|
|
|
(void)BIO_flush(bio_s_out);
|
2015-01-22 03:40:55 +00:00
|
|
|
return 0;
|
|
|
|
}
|
2006-03-10 23:06:27 +00:00
|
|
|
#endif
|
2005-04-26 16:02:40 +00:00
|
|
|
|
2017-06-12 18:12:13 +00:00
|
|
|
#define TLS13_AES_128_GCM_SHA256_BYTES ((const unsigned char *)"\x13\x01")
|
|
|
|
#define TLS13_AES_256_GCM_SHA384_BYTES ((const unsigned char *)"\x13\x02")
|
|
|
|
|
2017-06-12 17:26:09 +00:00
|
|
|
static int psk_find_session_cb(SSL *ssl, const unsigned char *identity,
|
|
|
|
size_t identity_len, SSL_SESSION **sess)
|
|
|
|
{
|
2017-06-12 18:12:13 +00:00
|
|
|
SSL_SESSION *tmpsess = NULL;
|
|
|
|
unsigned char *key;
|
|
|
|
long key_len;
|
|
|
|
const SSL_CIPHER *cipher = NULL;
|
|
|
|
|
2017-06-12 17:26:09 +00:00
|
|
|
if (strlen(psk_identity) != identity_len
|
|
|
|
|| memcmp(psk_identity, identity, identity_len) != 0)
|
|
|
|
return 0;
|
|
|
|
|
2017-06-12 18:12:13 +00:00
|
|
|
if (psksess != NULL) {
|
|
|
|
SSL_SESSION_up_ref(psksess);
|
|
|
|
*sess = psksess;
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
key = OPENSSL_hexstr2buf(psk_key, &key_len);
|
|
|
|
if (key == NULL) {
|
|
|
|
BIO_printf(bio_err, "Could not convert PSK key '%s' to buffer\n",
|
|
|
|
psk_key);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
2018-03-06 14:12:10 +00:00
|
|
|
/* We default to SHA256 */
|
|
|
|
cipher = SSL_CIPHER_find(ssl, tls13_aes128gcmsha256_id);
|
2017-06-12 18:12:13 +00:00
|
|
|
if (cipher == NULL) {
|
2018-03-06 14:12:10 +00:00
|
|
|
BIO_printf(bio_err, "Error finding suitable ciphersuite\n");
|
2017-06-12 18:12:13 +00:00
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
|
|
|
|
tmpsess = SSL_SESSION_new();
|
|
|
|
if (tmpsess == NULL
|
|
|
|
|| !SSL_SESSION_set1_master_key(tmpsess, key, key_len)
|
|
|
|
|| !SSL_SESSION_set_cipher(tmpsess, cipher)
|
|
|
|
|| !SSL_SESSION_set_protocol_version(tmpsess, SSL_version(ssl))) {
|
|
|
|
OPENSSL_free(key);
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
OPENSSL_free(key);
|
|
|
|
*sess = tmpsess;
|
2017-06-12 17:26:09 +00:00
|
|
|
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
2011-03-12 17:01:19 +00:00
|
|
|
#ifndef OPENSSL_NO_SRP
|
|
|
|
/* This is a context that we pass to callbacks */
|
2015-01-22 03:40:55 +00:00
|
|
|
typedef struct srpsrvparm_st {
|
|
|
|
char *login;
|
|
|
|
SRP_VBASE *vb;
|
|
|
|
SRP_user_pwd *user;
|
|
|
|
} srpsrvparm;
|
|
|
|
|
|
|
|
/*
|
|
|
|
* This callback pretends to require some asynchronous logic in order to
|
|
|
|
* obtain a verifier. When the callback is called for a new connection we
|
|
|
|
* return with a negative value. This will provoke the accept etc to return
|
|
|
|
* with an LOOKUP_X509. The main logic of the reinvokes the suspended call
|
|
|
|
* (which would normally occur after a worker has finished) and we set the
|
|
|
|
* user parameters.
|
|
|
|
*/
|
2015-01-12 22:29:26 +00:00
|
|
|
static int ssl_srp_server_param_cb(SSL *s, int *ad, void *arg)
|
2015-01-22 03:40:55 +00:00
|
|
|
{
|
|
|
|
srpsrvparm *p = (srpsrvparm *) arg;
|
2016-02-24 11:59:59 +00:00
|
|
|
int ret = SSL3_AL_FATAL;
|
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
if (p->login == NULL && p->user == NULL) {
|
|
|
|
p->login = SSL_get_srp_username(s);
|
|
|
|
BIO_printf(bio_err, "SRP username = \"%s\"\n", p->login);
|
2017-10-17 14:04:09 +00:00
|
|
|
return -1;
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
if (p->user == NULL) {
|
|
|
|
BIO_printf(bio_err, "User %s doesn't exist\n", p->login);
|
2016-02-24 11:59:59 +00:00
|
|
|
goto err;
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
2016-02-24 11:59:59 +00:00
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
if (SSL_set_srp_server_param
|
|
|
|
(s, p->user->N, p->user->g, p->user->s, p->user->v,
|
|
|
|
p->user->info) < 0) {
|
|
|
|
*ad = SSL_AD_INTERNAL_ERROR;
|
2016-02-24 11:59:59 +00:00
|
|
|
goto err;
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
|
|
|
BIO_printf(bio_err,
|
|
|
|
"SRP parameters set: username = \"%s\" info=\"%s\" \n",
|
|
|
|
p->login, p->user->info);
|
2016-02-24 11:59:59 +00:00
|
|
|
ret = SSL_ERROR_NONE;
|
|
|
|
|
2016-08-07 10:04:26 +00:00
|
|
|
err:
|
2016-02-24 11:59:59 +00:00
|
|
|
SRP_user_pwd_free(p->user);
|
2015-01-22 03:40:55 +00:00
|
|
|
p->user = NULL;
|
|
|
|
p->login = NULL;
|
2016-02-24 11:59:59 +00:00
|
|
|
return ret;
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
2011-03-12 17:01:19 +00:00
|
|
|
|
|
|
|
#endif
|
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
static int local_argc = 0;
|
1998-12-21 10:52:47 +00:00
|
|
|
static char **local_argv;
|
|
|
|
|
1999-06-04 21:35:58 +00:00
|
|
|
#ifdef CHARSET_EBCDIC
|
|
|
|
static int ebcdic_new(BIO *bi);
|
|
|
|
static int ebcdic_free(BIO *a);
|
|
|
|
static int ebcdic_read(BIO *b, char *out, int outl);
|
2002-08-15 14:52:54 +00:00
|
|
|
static int ebcdic_write(BIO *b, const char *in, int inl);
|
|
|
|
static long ebcdic_ctrl(BIO *b, int cmd, long num, void *ptr);
|
1999-06-04 21:35:58 +00:00
|
|
|
static int ebcdic_gets(BIO *bp, char *buf, int size);
|
2002-08-15 14:52:54 +00:00
|
|
|
static int ebcdic_puts(BIO *bp, const char *str);
|
1999-06-04 21:35:58 +00:00
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
# define BIO_TYPE_EBCDIC_FILTER (18|0x0200)
|
2016-04-28 10:34:54 +00:00
|
|
|
static BIO_METHOD *methods_ebcdic = NULL;
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2015-04-30 21:48:31 +00:00
|
|
|
/* This struct is "unwarranted chumminess with the compiler." */
|
2015-01-22 03:40:55 +00:00
|
|
|
typedef struct {
|
|
|
|
size_t alloced;
|
|
|
|
char buff[1];
|
1999-06-04 21:35:58 +00:00
|
|
|
} EBCDIC_OUTBUFF;
|
|
|
|
|
2016-04-28 10:34:54 +00:00
|
|
|
static const BIO_METHOD *BIO_f_ebcdic_filter()
|
1999-06-04 21:35:58 +00:00
|
|
|
{
|
2016-04-28 10:34:54 +00:00
|
|
|
if (methods_ebcdic == NULL) {
|
|
|
|
methods_ebcdic = BIO_meth_new(BIO_TYPE_EBCDIC_FILTER,
|
2016-08-07 10:04:26 +00:00
|
|
|
"EBCDIC/ASCII filter");
|
|
|
|
if (methods_ebcdic == NULL
|
2016-04-28 10:34:54 +00:00
|
|
|
|| !BIO_meth_set_write(methods_ebcdic, ebcdic_write)
|
|
|
|
|| !BIO_meth_set_read(methods_ebcdic, ebcdic_read)
|
|
|
|
|| !BIO_meth_set_puts(methods_ebcdic, ebcdic_puts)
|
|
|
|
|| !BIO_meth_set_gets(methods_ebcdic, ebcdic_gets)
|
|
|
|
|| !BIO_meth_set_ctrl(methods_ebcdic, ebcdic_ctrl)
|
|
|
|
|| !BIO_meth_set_create(methods_ebcdic, ebcdic_new)
|
|
|
|
|| !BIO_meth_set_destroy(methods_ebcdic, ebcdic_free))
|
|
|
|
return NULL;
|
|
|
|
}
|
|
|
|
return methods_ebcdic;
|
1999-06-04 21:35:58 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
static int ebcdic_new(BIO *bi)
|
|
|
|
{
|
2015-01-22 03:40:55 +00:00
|
|
|
EBCDIC_OUTBUFF *wbuf;
|
1999-06-04 21:35:58 +00:00
|
|
|
|
2015-05-02 03:10:31 +00:00
|
|
|
wbuf = app_malloc(sizeof(*wbuf) + 1024, "ebcdic wbuf");
|
2015-01-22 03:40:55 +00:00
|
|
|
wbuf->alloced = 1024;
|
|
|
|
wbuf->buff[0] = '\0';
|
1999-06-04 21:35:58 +00:00
|
|
|
|
2016-04-28 10:34:54 +00:00
|
|
|
BIO_set_data(bi, wbuf);
|
|
|
|
BIO_set_init(bi, 1);
|
|
|
|
return 1;
|
1999-06-04 21:35:58 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
static int ebcdic_free(BIO *a)
|
|
|
|
{
|
2016-04-28 10:34:54 +00:00
|
|
|
EBCDIC_OUTBUFF *wbuf;
|
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
if (a == NULL)
|
2016-04-28 10:34:54 +00:00
|
|
|
return 0;
|
|
|
|
wbuf = BIO_get_data(a);
|
|
|
|
OPENSSL_free(wbuf);
|
|
|
|
BIO_set_data(a, NULL);
|
|
|
|
BIO_set_init(a, 0);
|
|
|
|
|
|
|
|
return 1;
|
1999-06-04 21:35:58 +00:00
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
|
1999-06-04 21:35:58 +00:00
|
|
|
static int ebcdic_read(BIO *b, char *out, int outl)
|
|
|
|
{
|
2015-01-22 03:40:55 +00:00
|
|
|
int ret = 0;
|
2016-04-28 10:34:54 +00:00
|
|
|
BIO *next = BIO_next(b);
|
1999-06-04 21:35:58 +00:00
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
if (out == NULL || outl == 0)
|
2017-10-17 14:04:09 +00:00
|
|
|
return 0;
|
2016-04-28 10:34:54 +00:00
|
|
|
if (next == NULL)
|
2017-10-17 14:04:09 +00:00
|
|
|
return 0;
|
1999-06-04 21:35:58 +00:00
|
|
|
|
2016-04-28 10:34:54 +00:00
|
|
|
ret = BIO_read(next, out, outl);
|
2015-01-22 03:40:55 +00:00
|
|
|
if (ret > 0)
|
|
|
|
ascii2ebcdic(out, out, ret);
|
2016-04-28 10:34:54 +00:00
|
|
|
return ret;
|
1999-06-04 21:35:58 +00:00
|
|
|
}
|
|
|
|
|
2002-08-15 14:52:54 +00:00
|
|
|
static int ebcdic_write(BIO *b, const char *in, int inl)
|
1999-06-04 21:35:58 +00:00
|
|
|
{
|
2015-01-22 03:40:55 +00:00
|
|
|
EBCDIC_OUTBUFF *wbuf;
|
2016-04-28 10:34:54 +00:00
|
|
|
BIO *next = BIO_next(b);
|
2015-01-22 03:40:55 +00:00
|
|
|
int ret = 0;
|
|
|
|
int num;
|
1999-06-04 21:35:58 +00:00
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
if ((in == NULL) || (inl <= 0))
|
2017-10-17 14:04:09 +00:00
|
|
|
return 0;
|
2016-04-28 10:34:54 +00:00
|
|
|
if (next == NULL)
|
|
|
|
return 0;
|
1999-06-04 21:35:58 +00:00
|
|
|
|
2016-04-28 10:34:54 +00:00
|
|
|
wbuf = (EBCDIC_OUTBUFF *) BIO_get_data(b);
|
1999-06-04 21:35:58 +00:00
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
if (inl > (num = wbuf->alloced)) {
|
|
|
|
num = num + num; /* double the size */
|
|
|
|
if (num < inl)
|
|
|
|
num = inl;
|
2016-04-28 10:34:54 +00:00
|
|
|
OPENSSL_free(wbuf);
|
2015-05-02 03:10:31 +00:00
|
|
|
wbuf = app_malloc(sizeof(*wbuf) + num, "grow ebcdic wbuf");
|
1999-06-04 21:35:58 +00:00
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
wbuf->alloced = num;
|
|
|
|
wbuf->buff[0] = '\0';
|
1999-06-04 21:35:58 +00:00
|
|
|
|
2016-04-28 10:34:54 +00:00
|
|
|
BIO_set_data(b, wbuf);
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
1999-06-04 21:35:58 +00:00
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
ebcdic2ascii(wbuf->buff, in, inl);
|
1999-06-04 21:35:58 +00:00
|
|
|
|
2016-04-28 10:34:54 +00:00
|
|
|
ret = BIO_write(next, wbuf->buff, inl);
|
1999-06-04 21:35:58 +00:00
|
|
|
|
2017-10-17 14:04:09 +00:00
|
|
|
return ret;
|
1999-06-04 21:35:58 +00:00
|
|
|
}
|
|
|
|
|
2002-08-15 14:52:54 +00:00
|
|
|
static long ebcdic_ctrl(BIO *b, int cmd, long num, void *ptr)
|
1999-06-04 21:35:58 +00:00
|
|
|
{
|
2015-01-22 03:40:55 +00:00
|
|
|
long ret;
|
2016-04-28 10:34:54 +00:00
|
|
|
BIO *next = BIO_next(b);
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2016-04-28 10:34:54 +00:00
|
|
|
if (next == NULL)
|
2017-10-17 14:04:09 +00:00
|
|
|
return 0;
|
2015-01-22 03:40:55 +00:00
|
|
|
switch (cmd) {
|
|
|
|
case BIO_CTRL_DUP:
|
|
|
|
ret = 0L;
|
|
|
|
break;
|
|
|
|
default:
|
2016-04-28 10:34:54 +00:00
|
|
|
ret = BIO_ctrl(next, cmd, num, ptr);
|
2015-01-22 03:40:55 +00:00
|
|
|
break;
|
|
|
|
}
|
2017-10-17 14:04:09 +00:00
|
|
|
return ret;
|
1999-06-04 21:35:58 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
static int ebcdic_gets(BIO *bp, char *buf, int size)
|
|
|
|
{
|
2015-01-22 03:40:55 +00:00
|
|
|
int i, ret = 0;
|
2016-04-28 10:34:54 +00:00
|
|
|
BIO *next = BIO_next(bp);
|
|
|
|
|
|
|
|
if (next == NULL)
|
|
|
|
return 0;
|
2015-01-22 03:40:55 +00:00
|
|
|
/* return(BIO_gets(bp->next_bio,buf,size));*/
|
|
|
|
for (i = 0; i < size - 1; ++i) {
|
|
|
|
ret = ebcdic_read(bp, &buf[i], 1);
|
|
|
|
if (ret <= 0)
|
|
|
|
break;
|
|
|
|
else if (buf[i] == '\n') {
|
|
|
|
++i;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if (i < size)
|
|
|
|
buf[i] = '\0';
|
|
|
|
return (ret < 0 && i == 0) ? ret : i;
|
1999-06-04 21:35:58 +00:00
|
|
|
}
|
|
|
|
|
2002-08-15 14:52:54 +00:00
|
|
|
static int ebcdic_puts(BIO *bp, const char *str)
|
1999-06-04 21:35:58 +00:00
|
|
|
{
|
2016-04-28 10:34:54 +00:00
|
|
|
if (BIO_next(bp) == NULL)
|
|
|
|
return 0;
|
2015-01-22 03:40:55 +00:00
|
|
|
return ebcdic_write(bp, str, strlen(str));
|
1999-06-04 21:35:58 +00:00
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
2006-01-02 23:14:37 +00:00
|
|
|
/* This is a context that we pass to callbacks */
|
|
|
|
typedef struct tlsextctx_st {
|
2015-01-22 03:40:55 +00:00
|
|
|
char *servername;
|
|
|
|
BIO *biodebug;
|
|
|
|
int extension_error;
|
2006-01-02 23:14:37 +00:00
|
|
|
} tlsextctx;
|
|
|
|
|
2015-01-12 22:29:26 +00:00
|
|
|
static int ssl_servername_cb(SSL *s, int *ad, void *arg)
|
2015-01-22 03:40:55 +00:00
|
|
|
{
|
|
|
|
tlsextctx *p = (tlsextctx *) arg;
|
|
|
|
const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
|
2017-08-21 19:28:56 +00:00
|
|
|
|
|
|
|
if (servername != NULL && p->biodebug != NULL) {
|
|
|
|
const char *cp = servername;
|
|
|
|
unsigned char uc;
|
|
|
|
|
|
|
|
BIO_printf(p->biodebug, "Hostname in TLS extension: \"");
|
|
|
|
while ((uc = *cp++) != 0)
|
|
|
|
BIO_printf(p->biodebug,
|
|
|
|
isascii(uc) && isprint(uc) ? "%c" : "\\x%02x", uc);
|
|
|
|
BIO_printf(p->biodebug, "\"\n");
|
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2017-06-12 17:24:02 +00:00
|
|
|
if (p->servername == NULL)
|
2015-01-22 03:40:55 +00:00
|
|
|
return SSL_TLSEXT_ERR_NOACK;
|
|
|
|
|
2017-06-12 17:24:02 +00:00
|
|
|
if (servername != NULL) {
|
2015-01-22 03:40:55 +00:00
|
|
|
if (strcasecmp(servername, p->servername))
|
|
|
|
return p->extension_error;
|
2017-06-12 17:24:02 +00:00
|
|
|
if (ctx2 != NULL) {
|
2015-01-22 03:40:55 +00:00
|
|
|
BIO_printf(p->biodebug, "Switching server context.\n");
|
|
|
|
SSL_set_SSL_CTX(s, ctx2);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
return SSL_TLSEXT_ERR_OK;
|
2006-01-02 23:14:37 +00:00
|
|
|
}
|
2007-09-26 21:56:59 +00:00
|
|
|
|
|
|
|
/* Structure passed to cert status callback */
|
|
|
|
typedef struct tlsextstatusctx_st {
|
2016-11-21 12:10:35 +00:00
|
|
|
int timeout;
|
2016-11-15 14:22:29 +00:00
|
|
|
/* File to load OCSP Response from (or NULL if no file) */
|
|
|
|
char *respin;
|
2015-01-22 03:40:55 +00:00
|
|
|
/* Default responder to use */
|
|
|
|
char *host, *path, *port;
|
|
|
|
int use_ssl;
|
|
|
|
int verbose;
|
2007-09-26 21:56:59 +00:00
|
|
|
} tlsextstatusctx;
|
|
|
|
|
2016-11-21 12:10:35 +00:00
|
|
|
static tlsextstatusctx tlscstatp = { -1 };
|
2007-09-26 21:56:59 +00:00
|
|
|
|
2016-03-21 16:54:53 +00:00
|
|
|
#ifndef OPENSSL_NO_OCSP
|
2016-11-15 14:22:29 +00:00
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
/*
|
2016-11-15 14:22:29 +00:00
|
|
|
* Helper function to get an OCSP_RESPONSE from a responder. This is a
|
|
|
|
* simplified version. It examines certificates each time and makes one OCSP
|
|
|
|
* responder query for each request. A full version would store details such as
|
|
|
|
* the OCSP certificate IDs and minimise the number of OCSP responses by caching
|
|
|
|
* them until they were considered "expired".
|
2007-09-26 21:56:59 +00:00
|
|
|
*/
|
2016-11-15 14:22:29 +00:00
|
|
|
static int get_ocsp_resp_from_responder(SSL *s, tlsextstatusctx *srctx,
|
|
|
|
OCSP_RESPONSE **resp)
|
2015-01-22 03:40:55 +00:00
|
|
|
{
|
2015-05-06 09:16:55 +00:00
|
|
|
char *host = NULL, *port = NULL, *path = NULL;
|
2015-01-22 03:40:55 +00:00
|
|
|
int use_ssl;
|
|
|
|
STACK_OF(OPENSSL_STRING) *aia = NULL;
|
|
|
|
X509 *x = NULL;
|
2016-04-15 03:59:26 +00:00
|
|
|
X509_STORE_CTX *inctx = NULL;
|
|
|
|
X509_OBJECT *obj;
|
2015-01-22 03:40:55 +00:00
|
|
|
OCSP_REQUEST *req = NULL;
|
|
|
|
OCSP_CERTID *id = NULL;
|
|
|
|
STACK_OF(X509_EXTENSION) *exts;
|
|
|
|
int ret = SSL_TLSEXT_ERR_NOACK;
|
|
|
|
int i;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
/* Build up OCSP query from server certificate */
|
|
|
|
x = SSL_get_certificate(s);
|
|
|
|
aia = X509_get1_ocsp(x);
|
2017-06-12 17:24:02 +00:00
|
|
|
if (aia != NULL) {
|
2015-01-22 03:40:55 +00:00
|
|
|
if (!OCSP_parse_url(sk_OPENSSL_STRING_value(aia, 0),
|
|
|
|
&host, &port, &path, &use_ssl)) {
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
BIO_puts(bio_err, "cert_status: can't parse AIA URL\n");
|
2015-01-22 03:40:55 +00:00
|
|
|
goto err;
|
|
|
|
}
|
|
|
|
if (srctx->verbose)
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
BIO_printf(bio_err, "cert_status: AIA URL: %s\n",
|
2015-01-22 03:40:55 +00:00
|
|
|
sk_OPENSSL_STRING_value(aia, 0));
|
|
|
|
} else {
|
2017-06-12 17:24:02 +00:00
|
|
|
if (srctx->host == NULL) {
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
BIO_puts(bio_err,
|
2015-01-22 03:40:55 +00:00
|
|
|
"cert_status: no AIA and no default responder URL\n");
|
|
|
|
goto done;
|
|
|
|
}
|
|
|
|
host = srctx->host;
|
|
|
|
path = srctx->path;
|
|
|
|
port = srctx->port;
|
|
|
|
use_ssl = srctx->use_ssl;
|
|
|
|
}
|
|
|
|
|
2016-04-15 03:59:26 +00:00
|
|
|
inctx = X509_STORE_CTX_new();
|
|
|
|
if (inctx == NULL)
|
|
|
|
goto err;
|
|
|
|
if (!X509_STORE_CTX_init(inctx,
|
2015-01-22 03:40:55 +00:00
|
|
|
SSL_CTX_get_cert_store(SSL_get_SSL_CTX(s)),
|
|
|
|
NULL, NULL))
|
|
|
|
goto err;
|
2016-05-17 20:06:09 +00:00
|
|
|
obj = X509_STORE_CTX_get_obj_by_subject(inctx, X509_LU_X509,
|
|
|
|
X509_get_issuer_name(x));
|
2016-04-15 03:59:26 +00:00
|
|
|
if (obj == NULL) {
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
BIO_puts(bio_err, "cert_status: Can't retrieve issuer certificate.\n");
|
2015-01-22 03:40:55 +00:00
|
|
|
goto done;
|
|
|
|
}
|
2016-04-15 03:59:26 +00:00
|
|
|
id = OCSP_cert_to_id(NULL, x, X509_OBJECT_get0_X509(obj));
|
|
|
|
X509_OBJECT_free(obj);
|
2017-06-12 17:24:02 +00:00
|
|
|
if (id == NULL)
|
2015-01-22 03:40:55 +00:00
|
|
|
goto err;
|
2016-04-26 17:25:39 +00:00
|
|
|
req = OCSP_REQUEST_new();
|
|
|
|
if (req == NULL)
|
|
|
|
goto err;
|
2015-01-22 03:40:55 +00:00
|
|
|
if (!OCSP_request_add0_id(req, id))
|
|
|
|
goto err;
|
|
|
|
id = NULL;
|
|
|
|
/* Add any extensions to the request */
|
|
|
|
SSL_get_tlsext_status_exts(s, &exts);
|
|
|
|
for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) {
|
|
|
|
X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, i);
|
|
|
|
if (!OCSP_REQUEST_add_ext(req, ext, -1))
|
|
|
|
goto err;
|
|
|
|
}
|
2016-11-15 14:22:29 +00:00
|
|
|
*resp = process_responder(req, host, path, port, use_ssl, NULL,
|
2015-01-22 03:40:55 +00:00
|
|
|
srctx->timeout);
|
2016-11-15 14:22:29 +00:00
|
|
|
if (*resp == NULL) {
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
BIO_puts(bio_err, "cert_status: error querying responder\n");
|
2015-01-22 03:40:55 +00:00
|
|
|
goto done;
|
|
|
|
}
|
2016-11-15 14:22:29 +00:00
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
ret = SSL_TLSEXT_ERR_OK;
|
2016-04-15 03:59:26 +00:00
|
|
|
goto done;
|
|
|
|
|
|
|
|
err:
|
|
|
|
ret = SSL_TLSEXT_ERR_ALERT_FATAL;
|
2015-01-22 03:40:55 +00:00
|
|
|
done:
|
2016-11-23 15:38:32 +00:00
|
|
|
/*
|
|
|
|
* If we parsed aia we need to free; otherwise they were copied and we
|
|
|
|
* don't
|
|
|
|
*/
|
2016-11-21 12:10:35 +00:00
|
|
|
if (aia != NULL) {
|
2015-01-22 03:40:55 +00:00
|
|
|
OPENSSL_free(host);
|
|
|
|
OPENSSL_free(path);
|
|
|
|
OPENSSL_free(port);
|
|
|
|
X509_email_free(aia);
|
|
|
|
}
|
2015-05-01 18:37:16 +00:00
|
|
|
OCSP_CERTID_free(id);
|
|
|
|
OCSP_REQUEST_free(req);
|
2016-04-15 03:59:26 +00:00
|
|
|
X509_STORE_CTX_free(inctx);
|
2015-01-22 03:40:55 +00:00
|
|
|
return ret;
|
|
|
|
}
|
2016-11-15 14:22:29 +00:00
|
|
|
|
|
|
|
/*
|
|
|
|
* Certificate Status callback. This is called when a client includes a
|
|
|
|
* certificate status request extension. The response is either obtained from a
|
|
|
|
* file, or from an OCSP responder.
|
|
|
|
*/
|
|
|
|
static int cert_status_cb(SSL *s, void *arg)
|
|
|
|
{
|
|
|
|
tlsextstatusctx *srctx = arg;
|
|
|
|
OCSP_RESPONSE *resp = NULL;
|
|
|
|
unsigned char *rspder = NULL;
|
|
|
|
int rspderlen;
|
|
|
|
int ret = SSL_TLSEXT_ERR_ALERT_FATAL;
|
|
|
|
|
|
|
|
if (srctx->verbose)
|
|
|
|
BIO_puts(bio_err, "cert_status: callback called\n");
|
|
|
|
|
|
|
|
if (srctx->respin != NULL) {
|
|
|
|
BIO *derbio = bio_open_default(srctx->respin, 'r', FORMAT_ASN1);
|
|
|
|
if (derbio == NULL) {
|
|
|
|
BIO_puts(bio_err, "cert_status: Cannot open OCSP response file\n");
|
|
|
|
goto err;
|
|
|
|
}
|
|
|
|
resp = d2i_OCSP_RESPONSE_bio(derbio, NULL);
|
|
|
|
BIO_free(derbio);
|
2016-11-21 12:10:35 +00:00
|
|
|
if (resp == NULL) {
|
2016-11-15 14:22:29 +00:00
|
|
|
BIO_puts(bio_err, "cert_status: Error reading OCSP response\n");
|
|
|
|
goto err;
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
ret = get_ocsp_resp_from_responder(s, srctx, &resp);
|
|
|
|
if (ret != SSL_TLSEXT_ERR_OK)
|
|
|
|
goto err;
|
|
|
|
}
|
|
|
|
|
|
|
|
rspderlen = i2d_OCSP_RESPONSE(resp, &rspder);
|
|
|
|
if (rspderlen <= 0)
|
|
|
|
goto err;
|
|
|
|
|
|
|
|
SSL_set_tlsext_status_ocsp_resp(s, rspder, rspderlen);
|
|
|
|
if (srctx->verbose) {
|
|
|
|
BIO_puts(bio_err, "cert_status: ocsp response sent:\n");
|
|
|
|
OCSP_RESPONSE_print(bio_err, resp, 2);
|
|
|
|
}
|
|
|
|
|
|
|
|
ret = SSL_TLSEXT_ERR_OK;
|
|
|
|
|
|
|
|
err:
|
|
|
|
if (ret != SSL_TLSEXT_ERR_OK)
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
|
|
|
|
OCSP_RESPONSE_free(resp);
|
|
|
|
|
|
|
|
return ret;
|
|
|
|
}
|
2016-03-21 16:54:53 +00:00
|
|
|
#endif
|
2010-07-28 10:06:55 +00:00
|
|
|
|
2015-05-15 09:49:56 +00:00
|
|
|
#ifndef OPENSSL_NO_NEXTPROTONEG
|
2010-07-28 10:06:55 +00:00
|
|
|
/* This is the context that we pass to next_proto_cb */
|
|
|
|
typedef struct tlsextnextprotoctx_st {
|
2015-01-22 03:40:55 +00:00
|
|
|
unsigned char *data;
|
2016-12-05 23:42:01 +00:00
|
|
|
size_t len;
|
2010-07-28 10:06:55 +00:00
|
|
|
} tlsextnextprotoctx;
|
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
static int next_proto_cb(SSL *s, const unsigned char **data,
|
|
|
|
unsigned int *len, void *arg)
|
|
|
|
{
|
|
|
|
tlsextnextprotoctx *next_proto = arg;
|
2010-07-28 10:06:55 +00:00
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
*data = next_proto->data;
|
|
|
|
*len = next_proto->len;
|
2010-07-28 10:06:55 +00:00
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
return SSL_TLSEXT_ERR_OK;
|
|
|
|
}
|
2015-05-15 09:49:56 +00:00
|
|
|
#endif /* ndef OPENSSL_NO_NEXTPROTONEG */
|
2013-04-15 22:07:47 +00:00
|
|
|
|
|
|
|
/* This the context that we pass to alpn_cb */
|
|
|
|
typedef struct tlsextalpnctx_st {
|
2015-01-22 03:40:55 +00:00
|
|
|
unsigned char *data;
|
2016-03-05 13:47:55 +00:00
|
|
|
size_t len;
|
2013-04-15 22:07:47 +00:00
|
|
|
} tlsextalpnctx;
|
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
static int alpn_cb(SSL *s, const unsigned char **out, unsigned char *outlen,
|
|
|
|
const unsigned char *in, unsigned int inlen, void *arg)
|
|
|
|
{
|
|
|
|
tlsextalpnctx *alpn_ctx = arg;
|
|
|
|
|
|
|
|
if (!s_quiet) {
|
|
|
|
/* We can assume that |in| is syntactically valid. */
|
2016-03-05 13:47:55 +00:00
|
|
|
unsigned int i;
|
2015-01-22 03:40:55 +00:00
|
|
|
BIO_printf(bio_s_out, "ALPN protocols advertised by the client: ");
|
|
|
|
for (i = 0; i < inlen;) {
|
|
|
|
if (i)
|
|
|
|
BIO_write(bio_s_out, ", ", 2);
|
|
|
|
BIO_write(bio_s_out, &in[i + 1], in[i]);
|
|
|
|
i += in[i] + 1;
|
|
|
|
}
|
|
|
|
BIO_write(bio_s_out, "\n", 1);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (SSL_select_next_proto
|
|
|
|
((unsigned char **)out, outlen, alpn_ctx->data, alpn_ctx->len, in,
|
|
|
|
inlen) != OPENSSL_NPN_NEGOTIATED) {
|
|
|
|
return SSL_TLSEXT_ERR_NOACK;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!s_quiet) {
|
|
|
|
BIO_printf(bio_s_out, "ALPN protocols selected: ");
|
|
|
|
BIO_write(bio_s_out, *out, *outlen);
|
|
|
|
BIO_write(bio_s_out, "\n", 1);
|
|
|
|
}
|
|
|
|
|
|
|
|
return SSL_TLSEXT_ERR_OK;
|
|
|
|
}
|
2006-01-02 23:14:37 +00:00
|
|
|
|
2010-08-26 15:15:47 +00:00
|
|
|
static int not_resumable_sess_cb(SSL *s, int is_forward_secure)
|
2015-01-22 03:40:55 +00:00
|
|
|
{
|
|
|
|
/* disable resumption for sessions with forward secure ciphers */
|
|
|
|
return is_forward_secure;
|
|
|
|
}
|
2010-08-26 15:15:47 +00:00
|
|
|
|
2011-12-27 14:21:45 +00:00
|
|
|
#ifndef OPENSSL_NO_SRP
|
2015-01-22 03:40:55 +00:00
|
|
|
static srpsrvparm srp_callback_parm;
|
2011-12-27 14:21:45 +00:00
|
|
|
#endif
|
2014-12-22 11:15:51 +00:00
|
|
|
#ifndef OPENSSL_NO_SRTP
|
2011-11-15 22:59:20 +00:00
|
|
|
static char *srtp_profiles = NULL;
|
2014-12-22 11:15:51 +00:00
|
|
|
#endif
|
2008-10-26 18:40:52 +00:00
|
|
|
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
typedef enum OPTION_choice {
|
2016-02-02 23:47:42 +00:00
|
|
|
OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, OPT_ENGINE,
|
|
|
|
OPT_4, OPT_6, OPT_ACCEPT, OPT_PORT, OPT_UNIX, OPT_UNLINK, OPT_NACCEPT,
|
2017-02-21 11:22:55 +00:00
|
|
|
OPT_VERIFY, OPT_NAMEOPT, OPT_UPPER_V_VERIFY, OPT_CONTEXT, OPT_CERT, OPT_CRL,
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
OPT_CRL_DOWNLOAD, OPT_SERVERINFO, OPT_CERTFORM, OPT_KEY, OPT_KEYFORM,
|
|
|
|
OPT_PASS, OPT_CERT_CHAIN, OPT_DHPARAM, OPT_DCERTFORM, OPT_DCERT,
|
|
|
|
OPT_DKEYFORM, OPT_DPASS, OPT_DKEY, OPT_DCERT_CHAIN, OPT_NOCERT,
|
2015-09-22 15:00:52 +00:00
|
|
|
OPT_CAPATH, OPT_NOCAPATH, OPT_CHAINCAPATH, OPT_VERIFYCAPATH, OPT_NO_CACHE,
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
OPT_EXT_CACHE, OPT_CRLFORM, OPT_VERIFY_RET_ERROR, OPT_VERIFY_QUIET,
|
2015-09-22 15:00:52 +00:00
|
|
|
OPT_BUILD_CHAIN, OPT_CAFILE, OPT_NOCAFILE, OPT_CHAINCAFILE,
|
|
|
|
OPT_VERIFYCAFILE, OPT_NBIO, OPT_NBIO_TEST, OPT_IGN_EOF, OPT_NO_IGN_EOF,
|
|
|
|
OPT_DEBUG, OPT_TLSEXTDEBUG, OPT_STATUS, OPT_STATUS_VERBOSE,
|
2016-11-15 14:22:29 +00:00
|
|
|
OPT_STATUS_TIMEOUT, OPT_STATUS_URL, OPT_STATUS_FILE, OPT_MSG, OPT_MSGFILE,
|
|
|
|
OPT_TRACE, OPT_SECURITY_DEBUG, OPT_SECURITY_DEBUG_VERBOSE, OPT_STATE,
|
|
|
|
OPT_CRLF, OPT_QUIET, OPT_BRIEF, OPT_NO_DHE,
|
2017-06-12 17:26:09 +00:00
|
|
|
OPT_NO_RESUME_EPHEMERAL, OPT_PSK_IDENTITY, OPT_PSK_HINT, OPT_PSK,
|
|
|
|
OPT_PSK_SESS, OPT_SRPVFILE, OPT_SRPUSERSEED, OPT_REV, OPT_WWW,
|
|
|
|
OPT_UPPER_WWW, OPT_HTTP, OPT_ASYNC, OPT_SSL_CONFIG,
|
2017-04-06 21:47:18 +00:00
|
|
|
OPT_MAX_SEND_FRAG, OPT_SPLIT_SEND_FRAG, OPT_MAX_PIPELINES, OPT_READ_BUF,
|
2016-10-21 16:39:33 +00:00
|
|
|
OPT_SSL3, OPT_TLS1_3, OPT_TLS1_2, OPT_TLS1_1, OPT_TLS1, OPT_DTLS, OPT_DTLS1,
|
2017-12-29 17:37:04 +00:00
|
|
|
OPT_DTLS1_2, OPT_SCTP, OPT_TIMEOUT, OPT_MTU, OPT_LISTEN, OPT_STATELESS,
|
2017-07-05 14:58:48 +00:00
|
|
|
OPT_ID_PREFIX, OPT_SERVERNAME, OPT_SERVERNAME_FATAL,
|
2016-02-14 05:17:59 +00:00
|
|
|
OPT_CERT2, OPT_KEY2, OPT_NEXTPROTONEG, OPT_ALPN,
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
OPT_SRTP_PROFILES, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN,
|
2017-02-22 15:24:11 +00:00
|
|
|
OPT_KEYLOG_FILE, OPT_MAX_EARLY, OPT_EARLY_DATA,
|
2017-07-05 14:58:48 +00:00
|
|
|
OPT_R_ENUM,
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
OPT_S_ENUM,
|
|
|
|
OPT_V_ENUM,
|
2015-05-12 09:35:51 +00:00
|
|
|
OPT_X_ENUM
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
} OPTION_CHOICE;
|
|
|
|
|
2016-03-13 13:07:50 +00:00
|
|
|
const OPTIONS s_server_options[] = {
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
{"help", OPT_HELP, '-', "Display this summary"},
|
2016-02-09 15:55:42 +00:00
|
|
|
{"port", OPT_PORT, 'p',
|
|
|
|
"TCP/IP port to listen on for connections (default is " PORT ")"},
|
2016-02-02 23:47:42 +00:00
|
|
|
{"accept", OPT_ACCEPT, 's',
|
2016-11-12 20:08:32 +00:00
|
|
|
"TCP/IP optional host and port to listen on for connections (default is *:" PORT ")"},
|
2016-02-02 23:47:42 +00:00
|
|
|
#ifdef AF_UNIX
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
{"unix", OPT_UNIX, 's', "Unix domain socket to accept on"},
|
2016-02-02 23:47:42 +00:00
|
|
|
#endif
|
|
|
|
{"4", OPT_4, '-', "Use IPv4 only"},
|
|
|
|
{"6", OPT_6, '-', "Use IPv6 only"},
|
2016-02-09 15:55:42 +00:00
|
|
|
#ifdef AF_UNIX
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
{"unlink", OPT_UNLINK, '-', "For -unix, unlink existing socket first"},
|
2016-02-09 15:55:42 +00:00
|
|
|
#endif
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
{"context", OPT_CONTEXT, 's', "Set session ID context"},
|
|
|
|
{"verify", OPT_VERIFY, 'n', "Turn on peer certificate verification"},
|
|
|
|
{"Verify", OPT_UPPER_V_VERIFY, 'n',
|
|
|
|
"Turn on peer certificate verification, must have a cert"},
|
|
|
|
{"cert", OPT_CERT, '<', "Certificate file to use; default is " TEST_CERT},
|
2017-02-21 11:22:55 +00:00
|
|
|
{"nameopt", OPT_NAMEOPT, 's', "Various certificate name options"},
|
2016-07-05 19:22:18 +00:00
|
|
|
{"naccept", OPT_NACCEPT, 'p', "Terminate after #num connections"},
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
{"serverinfo", OPT_SERVERINFO, 's',
|
|
|
|
"PEM serverinfo file for certificate"},
|
|
|
|
{"certform", OPT_CERTFORM, 'F',
|
|
|
|
"Certificate format (PEM or DER) PEM default"},
|
2017-09-22 08:41:04 +00:00
|
|
|
{"key", OPT_KEY, 's',
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
"Private Key if not in -cert; default is " TEST_CERT},
|
|
|
|
{"keyform", OPT_KEYFORM, 'f',
|
|
|
|
"Key format (PEM, DER or ENGINE) PEM default"},
|
|
|
|
{"pass", OPT_PASS, 's', "Private key file pass phrase source"},
|
|
|
|
{"dcert", OPT_DCERT, '<',
|
|
|
|
"Second certificate file to use (usually for DSA)"},
|
2017-09-21 12:18:10 +00:00
|
|
|
{"dhparam", OPT_DHPARAM, '<', "DH parameters file to use"},
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
{"dcertform", OPT_DCERTFORM, 'F',
|
|
|
|
"Second certificate format (PEM or DER) PEM default"},
|
|
|
|
{"dkey", OPT_DKEY, '<',
|
|
|
|
"Second private key file to use (usually for DSA)"},
|
|
|
|
{"dkeyform", OPT_DKEYFORM, 'F',
|
|
|
|
"Second key format (PEM, DER or ENGINE) PEM default"},
|
|
|
|
{"dpass", OPT_DPASS, 's', "Second private key file pass phrase source"},
|
|
|
|
{"nbio_test", OPT_NBIO_TEST, '-', "Test with the non-blocking test bio"},
|
|
|
|
{"crlf", OPT_CRLF, '-', "Convert LF from terminal into CRLF"},
|
|
|
|
{"debug", OPT_DEBUG, '-', "Print more output"},
|
|
|
|
{"msg", OPT_MSG, '-', "Show protocol messages"},
|
2016-02-09 15:55:42 +00:00
|
|
|
{"msgfile", OPT_MSGFILE, '>',
|
|
|
|
"File to send output of -msg or -trace, instead of stdout"},
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
{"state", OPT_STATE, '-', "Print the SSL states"},
|
|
|
|
{"CAfile", OPT_CAFILE, '<', "PEM format file of CA's"},
|
2015-09-22 15:00:52 +00:00
|
|
|
{"CApath", OPT_CAPATH, '/', "PEM format directory of CA's"},
|
|
|
|
{"no-CAfile", OPT_NOCAFILE, '-',
|
|
|
|
"Do not load the default certificates file"},
|
|
|
|
{"no-CApath", OPT_NOCAPATH, '-',
|
|
|
|
"Do not load certificates from the default certificates directory"},
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
{"nocert", OPT_NOCERT, '-', "Don't use any certificates (Anon-DH)"},
|
|
|
|
{"quiet", OPT_QUIET, '-', "No server output"},
|
|
|
|
{"no_resume_ephemeral", OPT_NO_RESUME_EPHEMERAL, '-',
|
|
|
|
"Disable caching and tickets if ephemeral (EC)DH is used"},
|
|
|
|
{"www", OPT_WWW, '-', "Respond to a 'GET /' with a status page"},
|
|
|
|
{"WWW", OPT_UPPER_WWW, '-', "Respond to a 'GET with the file ./path"},
|
|
|
|
{"servername", OPT_SERVERNAME, 's',
|
|
|
|
"Servername for HostName TLS extension"},
|
|
|
|
{"servername_fatal", OPT_SERVERNAME_FATAL, '-',
|
|
|
|
"mismatch send fatal alert (default warning alert)"},
|
|
|
|
{"cert2", OPT_CERT2, '<',
|
|
|
|
"Certificate file to use for servername; default is" TEST_CERT2},
|
|
|
|
{"key2", OPT_KEY2, '<',
|
|
|
|
"-Private Key file to use for servername if not in -cert2"},
|
|
|
|
{"tlsextdebug", OPT_TLSEXTDEBUG, '-',
|
|
|
|
"Hex dump of all TLS extensions received"},
|
2016-07-05 19:22:18 +00:00
|
|
|
{"HTTP", OPT_HTTP, '-', "Like -WWW but ./path includes HTTP headers"},
|
2015-05-15 17:50:38 +00:00
|
|
|
{"id_prefix", OPT_ID_PREFIX, 's',
|
|
|
|
"Generate SSL/TLS session IDs prefixed by arg"},
|
2017-07-05 14:58:48 +00:00
|
|
|
OPT_R_OPTIONS,
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
{"keymatexport", OPT_KEYMATEXPORT, 's',
|
|
|
|
"Export keying material using label"},
|
|
|
|
{"keymatexportlen", OPT_KEYMATEXPORTLEN, 'p',
|
|
|
|
"Export len bytes of keying material (default 20)"},
|
2016-02-09 15:55:42 +00:00
|
|
|
{"CRL", OPT_CRL, '<', "CRL file to use"},
|
|
|
|
{"crl_download", OPT_CRL_DOWNLOAD, '-',
|
|
|
|
"Download CRL from distribution points"},
|
|
|
|
{"cert_chain", OPT_CERT_CHAIN, '<',
|
|
|
|
"certificate chain file in PEM format"},
|
|
|
|
{"dcert_chain", OPT_DCERT_CHAIN, '<',
|
|
|
|
"second certificate chain file in PEM format"},
|
|
|
|
{"chainCApath", OPT_CHAINCAPATH, '/',
|
|
|
|
"use dir as certificate store path to build CA certificate chain"},
|
|
|
|
{"verifyCApath", OPT_VERIFYCAPATH, '/',
|
|
|
|
"use dir as certificate store path to verify CA certificate"},
|
|
|
|
{"no_cache", OPT_NO_CACHE, '-', "Disable session cache"},
|
|
|
|
{"ext_cache", OPT_EXT_CACHE, '-',
|
|
|
|
"Disable internal cache, setup and use external cache"},
|
2016-08-07 10:04:26 +00:00
|
|
|
{"CRLform", OPT_CRLFORM, 'F', "CRL format (PEM or DER) PEM is default"},
|
2016-02-09 15:55:42 +00:00
|
|
|
{"verify_return_error", OPT_VERIFY_RET_ERROR, '-',
|
|
|
|
"Close connection on verification error"},
|
|
|
|
{"verify_quiet", OPT_VERIFY_QUIET, '-',
|
|
|
|
"No verify output except verify errors"},
|
|
|
|
{"build_chain", OPT_BUILD_CHAIN, '-', "Build certificate chain"},
|
|
|
|
{"chainCAfile", OPT_CHAINCAFILE, '<',
|
|
|
|
"CA file for certificate chain (PEM format)"},
|
|
|
|
{"verifyCAfile", OPT_VERIFYCAFILE, '<',
|
|
|
|
"CA file for certificate verification (PEM format)"},
|
|
|
|
{"ign_eof", OPT_IGN_EOF, '-', "ignore input eof (default when -quiet)"},
|
|
|
|
{"no_ign_eof", OPT_NO_IGN_EOF, '-', "Do not ignore input eof"},
|
2016-03-21 16:54:53 +00:00
|
|
|
#ifndef OPENSSL_NO_OCSP
|
2016-02-09 15:55:42 +00:00
|
|
|
{"status", OPT_STATUS, '-', "Request certificate status from server"},
|
|
|
|
{"status_verbose", OPT_STATUS_VERBOSE, '-',
|
|
|
|
"Print more output in certificate status callback"},
|
|
|
|
{"status_timeout", OPT_STATUS_TIMEOUT, 'n',
|
|
|
|
"Status request responder timeout"},
|
|
|
|
{"status_url", OPT_STATUS_URL, 's', "Status request fallback URL"},
|
2016-11-15 14:22:29 +00:00
|
|
|
{"status_file", OPT_STATUS_FILE, '<',
|
|
|
|
"File containing DER encoded OCSP Response"},
|
2016-03-21 16:54:53 +00:00
|
|
|
#endif
|
2016-02-09 15:55:42 +00:00
|
|
|
#ifndef OPENSSL_NO_SSL_TRACE
|
|
|
|
{"trace", OPT_TRACE, '-', "trace protocol messages"},
|
|
|
|
#endif
|
|
|
|
{"security_debug", OPT_SECURITY_DEBUG, '-',
|
|
|
|
"Print output from SSL/TLS security framework"},
|
|
|
|
{"security_debug_verbose", OPT_SECURITY_DEBUG_VERBOSE, '-',
|
|
|
|
"Print more output from SSL/TLS security framework"},
|
2016-08-07 10:04:26 +00:00
|
|
|
{"brief", OPT_BRIEF, '-',
|
2016-02-09 15:55:42 +00:00
|
|
|
"Restrict output to brief summary of connection parameters"},
|
|
|
|
{"rev", OPT_REV, '-',
|
|
|
|
"act as a simple test server which just sends back with the received text reversed"},
|
2015-02-13 23:33:12 +00:00
|
|
|
{"async", OPT_ASYNC, '-', "Operate in asynchronous mode"},
|
2016-08-07 10:04:26 +00:00
|
|
|
{"ssl_config", OPT_SSL_CONFIG, 's',
|
2016-02-09 15:55:42 +00:00
|
|
|
"Configure SSL_CTX using the configuration 'val'"},
|
2017-04-06 21:47:18 +00:00
|
|
|
{"max_send_frag", OPT_MAX_SEND_FRAG, 'p', "Maximum Size of send frames "},
|
2017-04-07 17:15:38 +00:00
|
|
|
{"split_send_frag", OPT_SPLIT_SEND_FRAG, 'p',
|
2016-02-16 11:13:33 +00:00
|
|
|
"Size used to split data for encrypt pipelines"},
|
2017-04-07 17:15:38 +00:00
|
|
|
{"max_pipelines", OPT_MAX_PIPELINES, 'p',
|
2015-09-22 10:23:33 +00:00
|
|
|
"Maximum number of encrypt/decrypt pipelines to be used"},
|
2017-04-07 17:15:38 +00:00
|
|
|
{"read_buf", OPT_READ_BUF, 'p',
|
2016-01-13 14:20:25 +00:00
|
|
|
"Default read buffer size to be used for connections"},
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
OPT_S_OPTIONS,
|
|
|
|
OPT_V_OPTIONS,
|
|
|
|
OPT_X_OPTIONS,
|
2015-05-15 17:50:38 +00:00
|
|
|
{"nbio", OPT_NBIO, '-', "Use non-blocking IO"},
|
2017-06-02 01:01:27 +00:00
|
|
|
{"psk_identity", OPT_PSK_IDENTITY, 's', "PSK identity to expect"},
|
2017-06-13 13:28:45 +00:00
|
|
|
#ifndef OPENSSL_NO_PSK
|
2015-05-15 17:50:38 +00:00
|
|
|
{"psk_hint", OPT_PSK_HINT, 's', "PSK identity hint to use"},
|
|
|
|
#endif
|
2017-06-13 13:28:45 +00:00
|
|
|
{"psk", OPT_PSK, 's', "PSK in hex (without 0x)"},
|
2017-06-12 17:26:09 +00:00
|
|
|
{"psk_session", OPT_PSK_SESS, '<', "File to read PSK SSL session from"},
|
2015-05-15 17:50:38 +00:00
|
|
|
#ifndef OPENSSL_NO_SRP
|
|
|
|
{"srpvfile", OPT_SRPVFILE, '<', "The verifier file for SRP"},
|
|
|
|
{"srpuserseed", OPT_SRPUSERSEED, 's',
|
|
|
|
"A seed string for a default user salt"},
|
|
|
|
#endif
|
|
|
|
#ifndef OPENSSL_NO_SSL3
|
|
|
|
{"ssl3", OPT_SSL3, '-', "Just talk SSLv3"},
|
|
|
|
#endif
|
2016-01-18 18:10:21 +00:00
|
|
|
#ifndef OPENSSL_NO_TLS1
|
|
|
|
{"tls1", OPT_TLS1, '-', "Just talk TLSv1"},
|
|
|
|
#endif
|
|
|
|
#ifndef OPENSSL_NO_TLS1_1
|
|
|
|
{"tls1_1", OPT_TLS1_1, '-', "Just talk TLSv1.1"},
|
|
|
|
#endif
|
|
|
|
#ifndef OPENSSL_NO_TLS1_2
|
|
|
|
{"tls1_2", OPT_TLS1_2, '-', "just talk TLSv1.2"},
|
|
|
|
#endif
|
2016-10-21 16:39:33 +00:00
|
|
|
#ifndef OPENSSL_NO_TLS1_3
|
|
|
|
{"tls1_3", OPT_TLS1_3, '-', "just talk TLSv1.3"},
|
|
|
|
#endif
|
2015-12-12 10:12:22 +00:00
|
|
|
#ifndef OPENSSL_NO_DTLS
|
2016-02-09 15:55:42 +00:00
|
|
|
{"dtls", OPT_DTLS, '-', "Use any DTLS version"},
|
2015-05-15 17:50:38 +00:00
|
|
|
{"timeout", OPT_TIMEOUT, '-', "Enable timeouts"},
|
|
|
|
{"mtu", OPT_MTU, 'p', "Set link layer MTU"},
|
2015-04-09 09:01:05 +00:00
|
|
|
{"listen", OPT_LISTEN, '-',
|
|
|
|
"Listen for a DTLS ClientHello with a cookie and then connect"},
|
2015-05-15 17:50:38 +00:00
|
|
|
#endif
|
2017-12-29 17:37:04 +00:00
|
|
|
{"stateless", OPT_STATELESS, '-', "Require TLSv1.3 cookies"},
|
2016-01-18 18:10:21 +00:00
|
|
|
#ifndef OPENSSL_NO_DTLS1
|
|
|
|
{"dtls1", OPT_DTLS1, '-', "Just talk DTLSv1"},
|
|
|
|
#endif
|
|
|
|
#ifndef OPENSSL_NO_DTLS1_2
|
|
|
|
{"dtls1_2", OPT_DTLS1_2, '-', "Just talk DTLSv1.2"},
|
|
|
|
#endif
|
2017-04-20 08:56:56 +00:00
|
|
|
#ifndef OPENSSL_NO_SCTP
|
|
|
|
{"sctp", OPT_SCTP, '-', "Use SCTP"},
|
|
|
|
#endif
|
2015-05-15 17:50:38 +00:00
|
|
|
#ifndef OPENSSL_NO_DH
|
|
|
|
{"no_dhe", OPT_NO_DHE, '-', "Disable ephemeral DH"},
|
|
|
|
#endif
|
|
|
|
#ifndef OPENSSL_NO_NEXTPROTONEG
|
|
|
|
{"nextprotoneg", OPT_NEXTPROTONEG, 's',
|
|
|
|
"Set the advertised protocols for the NPN extension (comma-separated list)"},
|
|
|
|
#endif
|
|
|
|
#ifndef OPENSSL_NO_SRTP
|
2015-08-04 18:18:02 +00:00
|
|
|
{"use_srtp", OPT_SRTP_PROFILES, 's',
|
2015-05-15 17:50:38 +00:00
|
|
|
"Offer SRTP key management with a colon-separated profile list"},
|
2016-02-27 03:20:07 +00:00
|
|
|
#endif
|
2015-05-15 17:50:38 +00:00
|
|
|
{"alpn", OPT_ALPN, 's',
|
|
|
|
"Set the advertised protocols for the ALPN extension (comma-separated list)"},
|
|
|
|
#ifndef OPENSSL_NO_ENGINE
|
2016-02-09 15:55:42 +00:00
|
|
|
{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
|
2015-05-15 17:50:38 +00:00
|
|
|
#endif
|
2017-02-01 18:14:27 +00:00
|
|
|
{"keylogfile", OPT_KEYLOG_FILE, '>', "Write TLS secrets to file"},
|
2017-02-23 16:54:11 +00:00
|
|
|
{"max_early_data", OPT_MAX_EARLY, 'n',
|
2017-02-17 17:01:16 +00:00
|
|
|
"The maximum number of bytes of early data"},
|
2017-02-22 15:24:11 +00:00
|
|
|
{"early_data", OPT_EARLY_DATA, '-', "Attempt to read early data"},
|
2016-03-18 18:02:17 +00:00
|
|
|
{NULL, OPT_EOF, 0, NULL}
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
};
|
|
|
|
|
2016-07-07 10:05:31 +00:00
|
|
|
#define IS_PROT_FLAG(o) \
|
|
|
|
(o == OPT_SSL3 || o == OPT_TLS1 || o == OPT_TLS1_1 || o == OPT_TLS1_2 \
|
2016-10-21 16:39:33 +00:00
|
|
|
|| o == OPT_TLS1_3 || o == OPT_DTLS || o == OPT_DTLS1 || o == OPT_DTLS1_2)
|
2016-07-07 10:05:31 +00:00
|
|
|
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
int s_server_main(int argc, char *argv[])
|
2015-01-22 03:40:55 +00:00
|
|
|
{
|
2016-03-18 18:02:17 +00:00
|
|
|
ENGINE *engine = NULL;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
EVP_PKEY *s_key = NULL, *s_dkey = NULL;
|
|
|
|
SSL_CONF_CTX *cctx = NULL;
|
2015-03-27 23:01:51 +00:00
|
|
|
const SSL_METHOD *meth = TLS_server_method();
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
SSL_EXCERT *exc = NULL;
|
|
|
|
STACK_OF(OPENSSL_STRING) *ssl_args = NULL;
|
|
|
|
STACK_OF(X509) *s_chain = NULL, *s_dchain = NULL;
|
|
|
|
STACK_OF(X509_CRL) *crls = NULL;
|
|
|
|
X509 *s_cert = NULL, *s_dcert = NULL;
|
2015-01-22 03:40:55 +00:00
|
|
|
X509_VERIFY_PARAM *vpm = NULL;
|
2016-08-04 21:52:22 +00:00
|
|
|
const char *CApath = NULL, *CAfile = NULL, *chCApath = NULL, *chCAfile = NULL;
|
2017-07-05 14:58:48 +00:00
|
|
|
char *dpassarg = NULL, *dpass = NULL;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
char *passarg = NULL, *pass = NULL, *vfyCApath = NULL, *vfyCAfile = NULL;
|
2015-05-15 08:42:08 +00:00
|
|
|
char *crl_file = NULL, *prog;
|
2016-02-02 23:47:42 +00:00
|
|
|
#ifdef AF_UNIX
|
2015-01-22 03:40:55 +00:00
|
|
|
int unlink_unix_path = 0;
|
|
|
|
#endif
|
2016-02-14 03:33:56 +00:00
|
|
|
do_server_cb server_cb;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
int vpmtouched = 0, build_chain = 0, no_cache = 0, ext_cache = 0;
|
2015-09-19 21:03:15 +00:00
|
|
|
#ifndef OPENSSL_NO_DH
|
2016-08-03 20:49:25 +00:00
|
|
|
char *dhfile = NULL;
|
2015-09-19 21:03:15 +00:00
|
|
|
int no_dhe = 0;
|
|
|
|
#endif
|
2015-12-15 10:43:44 +00:00
|
|
|
int nocert = 0, ret = 1;
|
2015-09-22 15:00:52 +00:00
|
|
|
int noCApath = 0, noCAfile = 0;
|
2015-01-22 03:40:55 +00:00
|
|
|
int s_cert_format = FORMAT_PEM, s_key_format = FORMAT_PEM;
|
|
|
|
int s_dcert_format = FORMAT_PEM, s_dkey_format = FORMAT_PEM;
|
2016-02-02 23:47:42 +00:00
|
|
|
int rev = 0, naccept = -1, sdebug = 0;
|
2017-04-20 08:56:56 +00:00
|
|
|
int socket_family = AF_UNSPEC, socket_type = SOCK_STREAM, protocol = 0;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
int state = 0, crl_format = FORMAT_PEM, crl_download = 0;
|
2016-02-02 23:47:42 +00:00
|
|
|
char *host = NULL;
|
|
|
|
char *port = BUF_strdup(PORT);
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
unsigned char *context = NULL;
|
|
|
|
OPTION_CHOICE o;
|
2015-01-22 03:40:55 +00:00
|
|
|
EVP_PKEY *s_key2 = NULL;
|
|
|
|
X509 *s_cert2 = NULL;
|
|
|
|
tlsextctx tlsextcbp = { NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING };
|
2015-07-08 22:09:52 +00:00
|
|
|
const char *ssl_config = NULL;
|
2016-01-13 14:20:25 +00:00
|
|
|
int read_buf_len = 0;
|
2015-05-15 09:49:56 +00:00
|
|
|
#ifndef OPENSSL_NO_NEXTPROTONEG
|
2015-01-22 03:40:55 +00:00
|
|
|
const char *next_proto_neg_in = NULL;
|
|
|
|
tlsextnextprotoctx next_proto = { NULL, 0 };
|
2015-05-15 09:49:56 +00:00
|
|
|
#endif
|
2015-01-22 03:40:55 +00:00
|
|
|
const char *alpn_in = NULL;
|
|
|
|
tlsextalpnctx alpn_ctx = { NULL, 0 };
|
2006-03-10 23:06:27 +00:00
|
|
|
#ifndef OPENSSL_NO_PSK
|
2015-01-22 03:40:55 +00:00
|
|
|
/* by default do not send a PSK identity hint */
|
2016-12-05 23:42:01 +00:00
|
|
|
char *psk_identity_hint = NULL;
|
2006-03-10 23:06:27 +00:00
|
|
|
#endif
|
2017-06-13 13:28:45 +00:00
|
|
|
char *p;
|
2011-03-12 17:01:19 +00:00
|
|
|
#ifndef OPENSSL_NO_SRP
|
2015-01-22 03:40:55 +00:00
|
|
|
char *srpuserseed = NULL;
|
|
|
|
char *srp_verifier_file = NULL;
|
2011-03-12 17:01:19 +00:00
|
|
|
#endif
|
2016-07-07 10:05:31 +00:00
|
|
|
int min_version = 0, max_version = 0, prot_opt = 0, no_prot_opt = 0;
|
2016-08-03 20:49:25 +00:00
|
|
|
int s_server_verify = SSL_VERIFY_NONE;
|
|
|
|
int s_server_session_id_context = 1; /* anything will do */
|
|
|
|
const char *s_cert_file = TEST_CERT, *s_key_file = NULL, *s_chain_file = NULL;
|
|
|
|
const char *s_cert_file2 = TEST_CERT2, *s_key_file2 = NULL;
|
|
|
|
char *s_dcert_file = NULL, *s_dkey_file = NULL, *s_dchain_file = NULL;
|
2016-09-19 13:08:58 +00:00
|
|
|
#ifndef OPENSSL_NO_OCSP
|
|
|
|
int s_tlsextstatus = 0;
|
|
|
|
#endif
|
|
|
|
int no_resume_ephemeral = 0;
|
2017-04-06 21:47:18 +00:00
|
|
|
unsigned int max_send_fragment = 0;
|
2016-08-03 20:49:25 +00:00
|
|
|
unsigned int split_send_fragment = 0, max_pipelines = 0;
|
|
|
|
const char *s_serverinfo_file = NULL;
|
2017-02-01 18:14:27 +00:00
|
|
|
const char *keylog_file = NULL;
|
2017-02-23 16:54:11 +00:00
|
|
|
int max_early_data = -1;
|
2017-06-12 17:26:09 +00:00
|
|
|
char *psksessf = NULL;
|
2016-08-03 20:49:25 +00:00
|
|
|
|
|
|
|
/* Init of few remaining global variables */
|
2015-01-22 03:40:55 +00:00
|
|
|
local_argc = argc;
|
|
|
|
local_argv = argv;
|
1998-12-21 10:52:47 +00:00
|
|
|
|
2016-08-03 20:49:25 +00:00
|
|
|
ctx = ctx2 = NULL;
|
|
|
|
s_nbio = s_nbio_test = 0;
|
|
|
|
www = 0;
|
|
|
|
bio_s_out = NULL;
|
|
|
|
s_debug = 0;
|
|
|
|
s_msg = 0;
|
|
|
|
s_quiet = 0;
|
|
|
|
s_brief = 0;
|
|
|
|
async = 0;
|
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
cctx = SSL_CONF_CTX_new();
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
vpm = X509_VERIFY_PARAM_new();
|
|
|
|
if (cctx == NULL || vpm == NULL)
|
2015-01-22 03:40:55 +00:00
|
|
|
goto end;
|
2016-08-07 10:04:26 +00:00
|
|
|
SSL_CONF_CTX_set_flags(cctx,
|
|
|
|
SSL_CONF_FLAG_SERVER | SSL_CONF_FLAG_CMDLINE);
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
|
|
|
|
prog = opt_init(argc, argv, s_server_options);
|
|
|
|
while ((o = opt_next()) != OPT_EOF) {
|
2016-07-07 10:05:31 +00:00
|
|
|
if (IS_PROT_FLAG(o) && ++prot_opt > 1) {
|
|
|
|
BIO_printf(bio_err, "Cannot supply multiple protocol flags\n");
|
|
|
|
goto end;
|
|
|
|
}
|
|
|
|
if (IS_NO_PROT_FLAG(o))
|
|
|
|
no_prot_opt++;
|
|
|
|
if (prot_opt == 1 && no_prot_opt) {
|
2016-08-07 10:04:26 +00:00
|
|
|
BIO_printf(bio_err,
|
|
|
|
"Cannot supply both a protocol flag and '-no_<prot>'\n");
|
2016-07-07 10:05:31 +00:00
|
|
|
goto end;
|
|
|
|
}
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
switch (o) {
|
|
|
|
case OPT_EOF:
|
|
|
|
case OPT_ERR:
|
|
|
|
opthelp:
|
|
|
|
BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
|
|
|
|
goto end;
|
|
|
|
case OPT_HELP:
|
|
|
|
opt_help(s_server_options);
|
|
|
|
ret = 0;
|
|
|
|
goto end;
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2016-02-02 23:47:42 +00:00
|
|
|
case OPT_4:
|
|
|
|
#ifdef AF_UNIX
|
|
|
|
if (socket_family == AF_UNIX) {
|
|
|
|
OPENSSL_free(host); host = NULL;
|
|
|
|
OPENSSL_free(port); port = NULL;
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
socket_family = AF_INET;
|
|
|
|
break;
|
|
|
|
case OPT_6:
|
|
|
|
if (1) {
|
|
|
|
#ifdef AF_INET6
|
|
|
|
#ifdef AF_UNIX
|
|
|
|
if (socket_family == AF_UNIX) {
|
|
|
|
OPENSSL_free(host); host = NULL;
|
|
|
|
OPENSSL_free(port); port = NULL;
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
socket_family = AF_INET6;
|
|
|
|
} else {
|
|
|
|
#endif
|
|
|
|
BIO_printf(bio_err, "%s: IPv6 domain sockets unsupported\n", prog);
|
|
|
|
goto end;
|
|
|
|
}
|
|
|
|
break;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
case OPT_PORT:
|
2016-02-02 23:47:42 +00:00
|
|
|
#ifdef AF_UNIX
|
|
|
|
if (socket_family == AF_UNIX) {
|
|
|
|
socket_family = AF_UNSPEC;
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
OPENSSL_free(port); port = NULL;
|
|
|
|
OPENSSL_free(host); host = NULL;
|
|
|
|
if (BIO_parse_hostserv(opt_arg(), NULL, &port, BIO_PARSE_PRIO_SERV) < 1) {
|
|
|
|
BIO_printf(bio_err,
|
|
|
|
"%s: -port argument malformed or ambiguous\n",
|
|
|
|
port);
|
|
|
|
goto end;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
case OPT_ACCEPT:
|
|
|
|
#ifdef AF_UNIX
|
|
|
|
if (socket_family == AF_UNIX) {
|
|
|
|
socket_family = AF_UNSPEC;
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
OPENSSL_free(port); port = NULL;
|
|
|
|
OPENSSL_free(host); host = NULL;
|
|
|
|
if (BIO_parse_hostserv(opt_arg(), &host, &port, BIO_PARSE_PRIO_SERV) < 1) {
|
|
|
|
BIO_printf(bio_err,
|
|
|
|
"%s: -accept argument malformed or ambiguous\n",
|
|
|
|
port);
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
goto end;
|
2016-02-02 23:47:42 +00:00
|
|
|
}
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
2016-02-02 23:47:42 +00:00
|
|
|
#ifdef AF_UNIX
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
case OPT_UNIX:
|
2016-02-02 23:47:42 +00:00
|
|
|
socket_family = AF_UNIX;
|
|
|
|
OPENSSL_free(host); host = BUF_strdup(opt_arg());
|
|
|
|
OPENSSL_free(port); port = NULL;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
case OPT_UNLINK:
|
2015-01-22 03:40:55 +00:00
|
|
|
unlink_unix_path = 1;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
2016-02-02 23:47:42 +00:00
|
|
|
#endif
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
case OPT_NACCEPT:
|
|
|
|
naccept = atol(opt_arg());
|
|
|
|
break;
|
|
|
|
case OPT_VERIFY:
|
2015-01-22 03:40:55 +00:00
|
|
|
s_server_verify = SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
|
2016-08-01 19:30:57 +00:00
|
|
|
verify_args.depth = atoi(opt_arg());
|
2015-01-22 03:40:55 +00:00
|
|
|
if (!s_quiet)
|
2016-08-01 19:30:57 +00:00
|
|
|
BIO_printf(bio_err, "verify depth is %d\n", verify_args.depth);
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
case OPT_UPPER_V_VERIFY:
|
2015-01-22 03:40:55 +00:00
|
|
|
s_server_verify =
|
|
|
|
SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT |
|
|
|
|
SSL_VERIFY_CLIENT_ONCE;
|
2016-08-01 19:30:57 +00:00
|
|
|
verify_args.depth = atoi(opt_arg());
|
2015-01-22 03:40:55 +00:00
|
|
|
if (!s_quiet)
|
|
|
|
BIO_printf(bio_err,
|
|
|
|
"verify depth is %d, must return a certificate\n",
|
2016-08-01 19:30:57 +00:00
|
|
|
verify_args.depth);
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
case OPT_CONTEXT:
|
|
|
|
context = (unsigned char *)opt_arg();
|
|
|
|
break;
|
|
|
|
case OPT_CERT:
|
|
|
|
s_cert_file = opt_arg();
|
|
|
|
break;
|
2017-02-21 11:22:55 +00:00
|
|
|
case OPT_NAMEOPT:
|
|
|
|
if (!set_nameopt(opt_arg()))
|
|
|
|
goto end;
|
|
|
|
break;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
case OPT_CRL:
|
|
|
|
crl_file = opt_arg();
|
|
|
|
break;
|
|
|
|
case OPT_CRL_DOWNLOAD:
|
2015-01-22 03:40:55 +00:00
|
|
|
crl_download = 1;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
case OPT_SERVERINFO:
|
|
|
|
s_serverinfo_file = opt_arg();
|
|
|
|
break;
|
|
|
|
case OPT_CERTFORM:
|
|
|
|
if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &s_cert_format))
|
|
|
|
goto opthelp;
|
|
|
|
break;
|
|
|
|
case OPT_KEY:
|
|
|
|
s_key_file = opt_arg();
|
|
|
|
break;
|
|
|
|
case OPT_KEYFORM:
|
|
|
|
if (!opt_format(opt_arg(), OPT_FMT_ANY, &s_key_format))
|
|
|
|
goto opthelp;
|
|
|
|
break;
|
|
|
|
case OPT_PASS:
|
|
|
|
passarg = opt_arg();
|
|
|
|
break;
|
|
|
|
case OPT_CERT_CHAIN:
|
|
|
|
s_chain_file = opt_arg();
|
|
|
|
break;
|
|
|
|
case OPT_DHPARAM:
|
2015-09-19 21:03:15 +00:00
|
|
|
#ifndef OPENSSL_NO_DH
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
dhfile = opt_arg();
|
2015-09-19 21:03:15 +00:00
|
|
|
#endif
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
case OPT_DCERTFORM:
|
|
|
|
if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &s_dcert_format))
|
|
|
|
goto opthelp;
|
|
|
|
break;
|
|
|
|
case OPT_DCERT:
|
|
|
|
s_dcert_file = opt_arg();
|
|
|
|
break;
|
|
|
|
case OPT_DKEYFORM:
|
|
|
|
if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &s_dkey_format))
|
|
|
|
goto opthelp;
|
|
|
|
break;
|
|
|
|
case OPT_DPASS:
|
|
|
|
dpassarg = opt_arg();
|
|
|
|
break;
|
|
|
|
case OPT_DKEY:
|
|
|
|
s_dkey_file = opt_arg();
|
|
|
|
break;
|
|
|
|
case OPT_DCERT_CHAIN:
|
|
|
|
s_dchain_file = opt_arg();
|
|
|
|
break;
|
|
|
|
case OPT_NOCERT:
|
2015-01-22 03:40:55 +00:00
|
|
|
nocert = 1;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
case OPT_CAPATH:
|
|
|
|
CApath = opt_arg();
|
|
|
|
break;
|
2015-09-22 15:00:52 +00:00
|
|
|
case OPT_NOCAPATH:
|
|
|
|
noCApath = 1;
|
|
|
|
break;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
case OPT_CHAINCAPATH:
|
|
|
|
chCApath = opt_arg();
|
|
|
|
break;
|
|
|
|
case OPT_VERIFYCAPATH:
|
|
|
|
vfyCApath = opt_arg();
|
|
|
|
break;
|
|
|
|
case OPT_NO_CACHE:
|
2015-01-22 03:40:55 +00:00
|
|
|
no_cache = 1;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
case OPT_EXT_CACHE:
|
2015-01-22 03:40:55 +00:00
|
|
|
ext_cache = 1;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
case OPT_CRLFORM:
|
|
|
|
if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &crl_format))
|
|
|
|
goto opthelp;
|
|
|
|
break;
|
|
|
|
case OPT_S_CASES:
|
|
|
|
if (ssl_args == NULL)
|
|
|
|
ssl_args = sk_OPENSSL_STRING_new_null();
|
|
|
|
if (ssl_args == NULL
|
|
|
|
|| !sk_OPENSSL_STRING_push(ssl_args, opt_flag())
|
|
|
|
|| !sk_OPENSSL_STRING_push(ssl_args, opt_arg())) {
|
|
|
|
BIO_printf(bio_err, "%s: Memory allocation failure\n", prog);
|
|
|
|
goto end;
|
|
|
|
}
|
|
|
|
break;
|
|
|
|
case OPT_V_CASES:
|
|
|
|
if (!opt_verify(o, vpm))
|
|
|
|
goto end;
|
|
|
|
vpmtouched++;
|
|
|
|
break;
|
|
|
|
case OPT_X_CASES:
|
|
|
|
if (!args_excert(o, &exc))
|
|
|
|
goto end;
|
|
|
|
break;
|
|
|
|
case OPT_VERIFY_RET_ERROR:
|
2016-08-01 19:30:57 +00:00
|
|
|
verify_args.return_error = 1;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
case OPT_VERIFY_QUIET:
|
2016-08-01 19:30:57 +00:00
|
|
|
verify_args.quiet = 1;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
case OPT_BUILD_CHAIN:
|
2015-01-22 03:40:55 +00:00
|
|
|
build_chain = 1;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
case OPT_CAFILE:
|
|
|
|
CAfile = opt_arg();
|
|
|
|
break;
|
2015-09-22 15:00:52 +00:00
|
|
|
case OPT_NOCAFILE:
|
|
|
|
noCAfile = 1;
|
|
|
|
break;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
case OPT_CHAINCAFILE:
|
|
|
|
chCAfile = opt_arg();
|
|
|
|
break;
|
|
|
|
case OPT_VERIFYCAFILE:
|
|
|
|
vfyCAfile = opt_arg();
|
|
|
|
break;
|
|
|
|
case OPT_NBIO:
|
2015-01-22 03:40:55 +00:00
|
|
|
s_nbio = 1;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
case OPT_NBIO_TEST:
|
|
|
|
s_nbio = s_nbio_test = 1;
|
|
|
|
break;
|
|
|
|
case OPT_IGN_EOF:
|
2015-01-22 03:40:55 +00:00
|
|
|
s_ign_eof = 1;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
case OPT_NO_IGN_EOF:
|
2015-01-22 03:40:55 +00:00
|
|
|
s_ign_eof = 0;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
case OPT_DEBUG:
|
2015-01-22 03:40:55 +00:00
|
|
|
s_debug = 1;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
case OPT_TLSEXTDEBUG:
|
2015-01-22 03:40:55 +00:00
|
|
|
s_tlsextdebug = 1;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
case OPT_STATUS:
|
2016-09-19 13:08:58 +00:00
|
|
|
#ifndef OPENSSL_NO_OCSP
|
2015-01-22 03:40:55 +00:00
|
|
|
s_tlsextstatus = 1;
|
2016-09-19 13:08:58 +00:00
|
|
|
#endif
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
case OPT_STATUS_VERBOSE:
|
2016-09-19 13:08:58 +00:00
|
|
|
#ifndef OPENSSL_NO_OCSP
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
s_tlsextstatus = tlscstatp.verbose = 1;
|
2016-09-19 13:08:58 +00:00
|
|
|
#endif
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
case OPT_STATUS_TIMEOUT:
|
2016-09-19 13:08:58 +00:00
|
|
|
#ifndef OPENSSL_NO_OCSP
|
2015-01-22 03:40:55 +00:00
|
|
|
s_tlsextstatus = 1;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
tlscstatp.timeout = atoi(opt_arg());
|
2016-09-19 13:08:58 +00:00
|
|
|
#endif
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
case OPT_STATUS_URL:
|
2016-03-21 16:54:53 +00:00
|
|
|
#ifndef OPENSSL_NO_OCSP
|
2015-01-22 03:40:55 +00:00
|
|
|
s_tlsextstatus = 1;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
if (!OCSP_parse_url(opt_arg(),
|
2015-01-22 03:40:55 +00:00
|
|
|
&tlscstatp.host,
|
|
|
|
&tlscstatp.port,
|
|
|
|
&tlscstatp.path, &tlscstatp.use_ssl)) {
|
|
|
|
BIO_printf(bio_err, "Error parsing URL\n");
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
goto end;
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
2016-11-15 14:22:29 +00:00
|
|
|
#endif
|
|
|
|
break;
|
|
|
|
case OPT_STATUS_FILE:
|
|
|
|
#ifndef OPENSSL_NO_OCSP
|
|
|
|
s_tlsextstatus = 1;
|
|
|
|
tlscstatp.respin = opt_arg();
|
2016-03-21 16:54:53 +00:00
|
|
|
#endif
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
case OPT_MSG:
|
2015-01-22 03:40:55 +00:00
|
|
|
s_msg = 1;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
case OPT_MSGFILE:
|
|
|
|
bio_s_msg = BIO_new_file(opt_arg(), "w");
|
|
|
|
break;
|
|
|
|
case OPT_TRACE:
|
2015-05-15 17:50:38 +00:00
|
|
|
#ifndef OPENSSL_NO_SSL_TRACE
|
2015-01-22 03:40:55 +00:00
|
|
|
s_msg = 2;
|
|
|
|
#endif
|
2016-02-29 16:53:18 +00:00
|
|
|
break;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
case OPT_SECURITY_DEBUG:
|
2015-01-22 03:40:55 +00:00
|
|
|
sdebug = 1;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
case OPT_SECURITY_DEBUG_VERBOSE:
|
2015-01-22 03:40:55 +00:00
|
|
|
sdebug = 2;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
case OPT_STATE:
|
2015-01-22 03:40:55 +00:00
|
|
|
state = 1;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
case OPT_CRLF:
|
2015-01-22 03:40:55 +00:00
|
|
|
s_crlf = 1;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
case OPT_QUIET:
|
2015-01-22 03:40:55 +00:00
|
|
|
s_quiet = 1;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
case OPT_BRIEF:
|
2016-08-01 19:30:57 +00:00
|
|
|
s_quiet = s_brief = verify_args.quiet = 1;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
case OPT_NO_DHE:
|
2015-09-19 21:03:15 +00:00
|
|
|
#ifndef OPENSSL_NO_DH
|
2015-01-22 03:40:55 +00:00
|
|
|
no_dhe = 1;
|
2015-09-19 21:03:15 +00:00
|
|
|
#endif
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
case OPT_NO_RESUME_EPHEMERAL:
|
2015-01-22 03:40:55 +00:00
|
|
|
no_resume_ephemeral = 1;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
2017-06-02 01:01:27 +00:00
|
|
|
case OPT_PSK_IDENTITY:
|
|
|
|
psk_identity = opt_arg();
|
|
|
|
break;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
case OPT_PSK_HINT:
|
2016-01-18 18:10:21 +00:00
|
|
|
#ifndef OPENSSL_NO_PSK
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
psk_identity_hint = opt_arg();
|
2016-01-18 18:10:21 +00:00
|
|
|
#endif
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
case OPT_PSK:
|
|
|
|
for (p = psk_key = opt_arg(); *p; p++) {
|
2016-02-14 12:02:15 +00:00
|
|
|
if (isxdigit(_UC(*p)))
|
2015-01-22 03:40:55 +00:00
|
|
|
continue;
|
|
|
|
BIO_printf(bio_err, "Not a hex number '%s'\n", *argv);
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
goto end;
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
2016-01-18 18:10:21 +00:00
|
|
|
break;
|
2017-06-12 17:26:09 +00:00
|
|
|
case OPT_PSK_SESS:
|
|
|
|
psksessf = opt_arg();
|
|
|
|
break;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
case OPT_SRPVFILE:
|
2016-01-18 18:10:21 +00:00
|
|
|
#ifndef OPENSSL_NO_SRP
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
srp_verifier_file = opt_arg();
|
2016-02-02 22:58:49 +00:00
|
|
|
if (min_version < TLS1_VERSION)
|
|
|
|
min_version = TLS1_VERSION;
|
2016-01-18 18:10:21 +00:00
|
|
|
#endif
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
case OPT_SRPUSERSEED:
|
2016-01-18 18:10:21 +00:00
|
|
|
#ifndef OPENSSL_NO_SRP
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
srpuserseed = opt_arg();
|
2016-02-02 22:58:49 +00:00
|
|
|
if (min_version < TLS1_VERSION)
|
|
|
|
min_version = TLS1_VERSION;
|
2015-01-22 03:40:55 +00:00
|
|
|
#endif
|
2016-01-18 18:10:21 +00:00
|
|
|
break;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
case OPT_REV:
|
2015-01-22 03:40:55 +00:00
|
|
|
rev = 1;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
case OPT_WWW:
|
2015-01-22 03:40:55 +00:00
|
|
|
www = 1;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
case OPT_UPPER_WWW:
|
2015-01-22 03:40:55 +00:00
|
|
|
www = 2;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
case OPT_HTTP:
|
2015-01-22 03:40:55 +00:00
|
|
|
www = 3;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
2015-07-08 22:09:52 +00:00
|
|
|
case OPT_SSL_CONFIG:
|
|
|
|
ssl_config = opt_arg();
|
|
|
|
break;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
case OPT_SSL3:
|
2016-02-02 22:58:49 +00:00
|
|
|
min_version = SSL3_VERSION;
|
|
|
|
max_version = SSL3_VERSION;
|
2015-05-15 17:50:38 +00:00
|
|
|
break;
|
2016-10-21 16:39:33 +00:00
|
|
|
case OPT_TLS1_3:
|
|
|
|
min_version = TLS1_3_VERSION;
|
|
|
|
max_version = TLS1_3_VERSION;
|
|
|
|
break;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
case OPT_TLS1_2:
|
2016-02-02 22:58:49 +00:00
|
|
|
min_version = TLS1_2_VERSION;
|
|
|
|
max_version = TLS1_2_VERSION;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
case OPT_TLS1_1:
|
2016-02-02 22:58:49 +00:00
|
|
|
min_version = TLS1_1_VERSION;
|
|
|
|
max_version = TLS1_1_VERSION;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
case OPT_TLS1:
|
2016-02-02 22:58:49 +00:00
|
|
|
min_version = TLS1_VERSION;
|
|
|
|
max_version = TLS1_VERSION;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
case OPT_DTLS:
|
2016-01-18 18:10:21 +00:00
|
|
|
#ifndef OPENSSL_NO_DTLS
|
2015-05-06 10:17:07 +00:00
|
|
|
meth = DTLS_server_method();
|
2015-01-22 03:40:55 +00:00
|
|
|
socket_type = SOCK_DGRAM;
|
2016-01-18 18:10:21 +00:00
|
|
|
#endif
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
case OPT_DTLS1:
|
2016-02-02 22:58:49 +00:00
|
|
|
#ifndef OPENSSL_NO_DTLS
|
|
|
|
meth = DTLS_server_method();
|
|
|
|
min_version = DTLS1_VERSION;
|
|
|
|
max_version = DTLS1_VERSION;
|
2015-01-22 03:40:55 +00:00
|
|
|
socket_type = SOCK_DGRAM;
|
2016-01-18 18:10:21 +00:00
|
|
|
#endif
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
case OPT_DTLS1_2:
|
2016-02-02 22:58:49 +00:00
|
|
|
#ifndef OPENSSL_NO_DTLS
|
|
|
|
meth = DTLS_server_method();
|
|
|
|
min_version = DTLS1_2_VERSION;
|
|
|
|
max_version = DTLS1_2_VERSION;
|
2015-01-22 03:40:55 +00:00
|
|
|
socket_type = SOCK_DGRAM;
|
2017-04-20 08:56:56 +00:00
|
|
|
#endif
|
|
|
|
break;
|
|
|
|
case OPT_SCTP:
|
|
|
|
#ifndef OPENSSL_NO_SCTP
|
|
|
|
protocol = IPPROTO_SCTP;
|
2016-01-18 18:10:21 +00:00
|
|
|
#endif
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
case OPT_TIMEOUT:
|
2016-01-18 18:10:21 +00:00
|
|
|
#ifndef OPENSSL_NO_DTLS
|
2015-01-22 03:40:55 +00:00
|
|
|
enable_timeouts = 1;
|
2016-01-18 18:10:21 +00:00
|
|
|
#endif
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
case OPT_MTU:
|
2016-01-18 18:10:21 +00:00
|
|
|
#ifndef OPENSSL_NO_DTLS
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
socket_mtu = atol(opt_arg());
|
2016-01-18 18:10:21 +00:00
|
|
|
#endif
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
2015-04-09 09:01:05 +00:00
|
|
|
case OPT_LISTEN:
|
2016-01-18 18:10:21 +00:00
|
|
|
#ifndef OPENSSL_NO_DTLS
|
2015-04-09 09:01:05 +00:00
|
|
|
dtlslisten = 1;
|
2015-01-22 03:40:55 +00:00
|
|
|
#endif
|
2016-01-18 18:10:21 +00:00
|
|
|
break;
|
2017-12-29 17:37:04 +00:00
|
|
|
case OPT_STATELESS:
|
|
|
|
stateless = 1;
|
|
|
|
break;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
case OPT_ID_PREFIX:
|
|
|
|
session_id_prefix = opt_arg();
|
|
|
|
break;
|
|
|
|
case OPT_ENGINE:
|
2016-03-18 18:02:17 +00:00
|
|
|
engine = setup_engine(opt_arg(), 1);
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
2017-07-05 14:58:48 +00:00
|
|
|
case OPT_R_CASES:
|
|
|
|
if (!opt_rand(o))
|
|
|
|
goto end;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
case OPT_SERVERNAME:
|
|
|
|
tlsextcbp.servername = opt_arg();
|
|
|
|
break;
|
|
|
|
case OPT_SERVERNAME_FATAL:
|
2015-01-22 03:40:55 +00:00
|
|
|
tlsextcbp.extension_error = SSL_TLSEXT_ERR_ALERT_FATAL;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
break;
|
|
|
|
case OPT_CERT2:
|
|
|
|
s_cert_file2 = opt_arg();
|
|
|
|
break;
|
|
|
|
case OPT_KEY2:
|
|
|
|
s_key_file2 = opt_arg();
|
|
|
|
break;
|
|
|
|
case OPT_NEXTPROTONEG:
|
2015-05-15 17:50:38 +00:00
|
|
|
# ifndef OPENSSL_NO_NEXTPROTONEG
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
next_proto_neg_in = opt_arg();
|
2015-05-15 09:49:56 +00:00
|
|
|
#endif
|
2015-05-15 17:50:38 +00:00
|
|
|
break;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
case OPT_ALPN:
|
|
|
|
alpn_in = opt_arg();
|
|
|
|
break;
|
|
|
|
case OPT_SRTP_PROFILES:
|
2016-02-27 03:35:51 +00:00
|
|
|
#ifndef OPENSSL_NO_SRTP
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
srtp_profiles = opt_arg();
|
2016-02-27 03:20:07 +00:00
|
|
|
#endif
|
2016-02-27 03:35:51 +00:00
|
|
|
break;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
case OPT_KEYMATEXPORT:
|
|
|
|
keymatexportlabel = opt_arg();
|
|
|
|
break;
|
|
|
|
case OPT_KEYMATEXPORTLEN:
|
|
|
|
keymatexportlen = atoi(opt_arg());
|
2015-01-22 03:40:55 +00:00
|
|
|
break;
|
2015-02-13 23:33:12 +00:00
|
|
|
case OPT_ASYNC:
|
|
|
|
async = 1;
|
|
|
|
break;
|
2017-04-06 21:47:18 +00:00
|
|
|
case OPT_MAX_SEND_FRAG:
|
|
|
|
max_send_fragment = atoi(opt_arg());
|
|
|
|
break;
|
2015-09-22 10:23:33 +00:00
|
|
|
case OPT_SPLIT_SEND_FRAG:
|
|
|
|
split_send_fragment = atoi(opt_arg());
|
|
|
|
break;
|
|
|
|
case OPT_MAX_PIPELINES:
|
|
|
|
max_pipelines = atoi(opt_arg());
|
|
|
|
break;
|
2016-01-13 14:20:25 +00:00
|
|
|
case OPT_READ_BUF:
|
|
|
|
read_buf_len = atoi(opt_arg());
|
|
|
|
break;
|
2017-02-01 18:14:27 +00:00
|
|
|
case OPT_KEYLOG_FILE:
|
|
|
|
keylog_file = opt_arg();
|
|
|
|
break;
|
2017-02-17 17:01:16 +00:00
|
|
|
case OPT_MAX_EARLY:
|
|
|
|
max_early_data = atoi(opt_arg());
|
2017-02-23 16:54:11 +00:00
|
|
|
if (max_early_data < 0) {
|
|
|
|
BIO_printf(bio_err, "Invalid value for max_early_data\n");
|
|
|
|
goto end;
|
|
|
|
}
|
2017-02-17 17:01:16 +00:00
|
|
|
break;
|
2017-02-22 15:24:11 +00:00
|
|
|
case OPT_EARLY_DATA:
|
|
|
|
early_data = 1;
|
Do not set a nonzero default max_early_data
When early data support was first added, this seemed like a good
idea, as it would allow applications to just add SSL_read_early_data()
calls as needed and have things "Just Work". However, for applications
that do not use TLS 1.3 early data, there is a negative side effect.
Having a nonzero max_early_data in a SSL_CTX (and thus, SSL objects
derived from it) means that when generating a session ticket,
tls_construct_stoc_early_data() will indicate to the client that
the server supports early data. This is true, in that the implementation
of TLS 1.3 (i.e., OpenSSL) does support early data, but does not
necessarily indicate that the server application supports early data,
when the default value is nonzero. In this case a well-intentioned
client would send early data along with its resumption attempt, which
would then be ignored by the server application, a waste of network
bandwidth.
Since, in order to successfully use TLS 1.3 early data, the application
must introduce calls to SSL_read_early_data(), it is not much additional
burden to require that the application also calls
SSL_{CTX_,}set_max_early_data() in order to enable the feature; doing
so closes this scenario where early data packets would be sent on
the wire but ignored.
Update SSL_read_early_data.pod accordingly, and make s_server and
our test programs into applications that are compliant with the new
requirements on applications that use early data.
Fixes #4725
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/5483)
2018-02-28 20:49:59 +00:00
|
|
|
if (max_early_data == -1)
|
|
|
|
max_early_data = SSL3_RT_MAX_PLAIN_LENGTH;
|
2017-02-22 15:24:11 +00:00
|
|
|
break;
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
|
|
|
}
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
argc = opt_num_rest();
|
|
|
|
argv = opt_rest();
|
|
|
|
|
2017-06-16 10:12:02 +00:00
|
|
|
#ifndef OPENSSL_NO_NEXTPROTONEG
|
|
|
|
if (min_version == TLS1_3_VERSION && next_proto_neg_in != NULL) {
|
|
|
|
BIO_printf(bio_err, "Cannot supply -nextprotoneg with TLSv1.3\n");
|
|
|
|
goto opthelp;
|
|
|
|
}
|
|
|
|
#endif
|
2015-12-12 10:12:22 +00:00
|
|
|
#ifndef OPENSSL_NO_DTLS
|
2015-01-22 03:40:55 +00:00
|
|
|
if (www && socket_type == SOCK_DGRAM) {
|
|
|
|
BIO_printf(bio_err, "Can't use -HTTP, -www or -WWW with DTLS\n");
|
|
|
|
goto end;
|
|
|
|
}
|
2015-04-09 09:01:05 +00:00
|
|
|
|
|
|
|
if (dtlslisten && socket_type != SOCK_DGRAM) {
|
|
|
|
BIO_printf(bio_err, "Can only use -listen with DTLS\n");
|
|
|
|
goto end;
|
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
#endif
|
|
|
|
|
2017-12-29 17:37:04 +00:00
|
|
|
if (stateless && socket_type != SOCK_STREAM) {
|
|
|
|
BIO_printf(bio_err, "Can only use --stateless with TLS\n");
|
|
|
|
goto end;
|
|
|
|
}
|
|
|
|
|
2016-02-02 23:47:42 +00:00
|
|
|
#ifdef AF_UNIX
|
|
|
|
if (socket_family == AF_UNIX && socket_type != SOCK_STREAM) {
|
2015-01-22 03:40:55 +00:00
|
|
|
BIO_printf(bio_err,
|
|
|
|
"Can't use unix sockets and datagrams together\n");
|
|
|
|
goto end;
|
|
|
|
}
|
2016-02-02 23:47:42 +00:00
|
|
|
#endif
|
2008-11-30 22:01:31 +00:00
|
|
|
|
2017-04-20 08:56:56 +00:00
|
|
|
#ifndef OPENSSL_NO_SCTP
|
|
|
|
if (protocol == IPPROTO_SCTP) {
|
|
|
|
if (socket_type != SOCK_DGRAM) {
|
|
|
|
BIO_printf(bio_err, "Can't use -sctp without DTLS\n");
|
|
|
|
goto end;
|
|
|
|
}
|
|
|
|
/* SCTP is unusual. It uses DTLS over a SOCK_STREAM protocol */
|
|
|
|
socket_type = SOCK_STREAM;
|
|
|
|
}
|
|
|
|
#endif
|
2015-09-22 10:23:33 +00:00
|
|
|
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
if (!app_passwd(passarg, dpassarg, &pass, &dpass)) {
|
2015-01-22 03:40:55 +00:00
|
|
|
BIO_printf(bio_err, "Error getting password\n");
|
|
|
|
goto end;
|
|
|
|
}
|
2004-11-16 17:30:59 +00:00
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
if (s_key_file == NULL)
|
|
|
|
s_key_file = s_cert_file;
|
2015-05-15 09:49:56 +00:00
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
if (s_key_file2 == NULL)
|
|
|
|
s_key_file2 = s_cert_file2;
|
2006-01-02 23:14:37 +00:00
|
|
|
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
if (!load_excert(&exc))
|
2015-01-22 03:40:55 +00:00
|
|
|
goto end;
|
|
|
|
|
|
|
|
if (nocert == 0) {
|
2016-03-18 18:02:17 +00:00
|
|
|
s_key = load_key(s_key_file, s_key_format, 0, pass, engine,
|
2015-01-22 03:40:55 +00:00
|
|
|
"server certificate private key file");
|
2017-06-12 17:24:02 +00:00
|
|
|
if (s_key == NULL) {
|
2015-01-22 03:40:55 +00:00
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
goto end;
|
|
|
|
}
|
2004-11-16 17:30:59 +00:00
|
|
|
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
s_cert = load_cert(s_cert_file, s_cert_format,
|
2016-02-14 03:33:56 +00:00
|
|
|
"server certificate file");
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2017-06-12 17:24:02 +00:00
|
|
|
if (s_cert == NULL) {
|
2015-01-22 03:40:55 +00:00
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
goto end;
|
|
|
|
}
|
2017-06-12 17:24:02 +00:00
|
|
|
if (s_chain_file != NULL) {
|
2016-02-14 03:33:56 +00:00
|
|
|
if (!load_certs(s_chain_file, &s_chain, FORMAT_PEM, NULL,
|
2016-01-16 05:08:38 +00:00
|
|
|
"server certificate chain"))
|
2015-01-22 03:40:55 +00:00
|
|
|
goto end;
|
|
|
|
}
|
2015-05-15 09:49:56 +00:00
|
|
|
|
2017-06-12 17:24:02 +00:00
|
|
|
if (tlsextcbp.servername != NULL) {
|
2016-03-18 18:02:17 +00:00
|
|
|
s_key2 = load_key(s_key_file2, s_key_format, 0, pass, engine,
|
2015-01-22 03:40:55 +00:00
|
|
|
"second server certificate private key file");
|
2017-06-12 17:24:02 +00:00
|
|
|
if (s_key2 == NULL) {
|
2015-01-22 03:40:55 +00:00
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
goto end;
|
|
|
|
}
|
|
|
|
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
s_cert2 = load_cert(s_cert_file2, s_cert_format,
|
2016-02-14 03:33:56 +00:00
|
|
|
"second server certificate file");
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2017-06-12 17:24:02 +00:00
|
|
|
if (s_cert2 == NULL) {
|
2015-01-22 03:40:55 +00:00
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
goto end;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
2015-05-15 09:49:56 +00:00
|
|
|
#if !defined(OPENSSL_NO_NEXTPROTONEG)
|
2015-01-22 03:40:55 +00:00
|
|
|
if (next_proto_neg_in) {
|
2016-12-05 23:42:01 +00:00
|
|
|
next_proto.data = next_protos_parse(&next_proto.len, next_proto_neg_in);
|
2015-01-22 03:40:55 +00:00
|
|
|
if (next_proto.data == NULL)
|
|
|
|
goto end;
|
|
|
|
}
|
2015-05-15 09:49:56 +00:00
|
|
|
#endif
|
2015-01-22 03:40:55 +00:00
|
|
|
alpn_ctx.data = NULL;
|
|
|
|
if (alpn_in) {
|
2016-12-05 23:42:01 +00:00
|
|
|
alpn_ctx.data = next_protos_parse(&alpn_ctx.len, alpn_in);
|
2015-01-22 03:40:55 +00:00
|
|
|
if (alpn_ctx.data == NULL)
|
|
|
|
goto end;
|
|
|
|
}
|
|
|
|
|
2017-06-12 17:24:02 +00:00
|
|
|
if (crl_file != NULL) {
|
2015-01-22 03:40:55 +00:00
|
|
|
X509_CRL *crl;
|
|
|
|
crl = load_crl(crl_file, crl_format);
|
2017-06-12 17:24:02 +00:00
|
|
|
if (crl == NULL) {
|
2015-01-22 03:40:55 +00:00
|
|
|
BIO_puts(bio_err, "Error loading CRL\n");
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
goto end;
|
|
|
|
}
|
|
|
|
crls = sk_X509_CRL_new_null();
|
2017-06-12 17:24:02 +00:00
|
|
|
if (crls == NULL || !sk_X509_CRL_push(crls, crl)) {
|
2015-01-22 03:40:55 +00:00
|
|
|
BIO_puts(bio_err, "Error adding CRL\n");
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
X509_CRL_free(crl);
|
|
|
|
goto end;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2017-06-12 17:24:02 +00:00
|
|
|
if (s_dcert_file != NULL) {
|
1998-12-21 10:52:47 +00:00
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
if (s_dkey_file == NULL)
|
|
|
|
s_dkey_file = s_dcert_file;
|
|
|
|
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
s_dkey = load_key(s_dkey_file, s_dkey_format,
|
2016-03-18 18:02:17 +00:00
|
|
|
0, dpass, engine, "second certificate private key file");
|
2017-06-12 17:24:02 +00:00
|
|
|
if (s_dkey == NULL) {
|
2015-01-22 03:40:55 +00:00
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
goto end;
|
|
|
|
}
|
|
|
|
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
s_dcert = load_cert(s_dcert_file, s_dcert_format,
|
2016-02-14 03:33:56 +00:00
|
|
|
"second server certificate file");
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2017-06-12 17:24:02 +00:00
|
|
|
if (s_dcert == NULL) {
|
2015-01-22 03:40:55 +00:00
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
goto end;
|
|
|
|
}
|
2017-06-12 17:24:02 +00:00
|
|
|
if (s_dchain_file != NULL) {
|
2016-02-14 03:33:56 +00:00
|
|
|
if (!load_certs(s_dchain_file, &s_dchain, FORMAT_PEM, NULL,
|
2016-01-16 05:08:38 +00:00
|
|
|
"second server certificate chain"))
|
2015-01-22 03:40:55 +00:00
|
|
|
goto end;
|
|
|
|
}
|
|
|
|
|
|
|
|
}
|
|
|
|
|
|
|
|
if (bio_s_out == NULL) {
|
|
|
|
if (s_quiet && !s_debug) {
|
|
|
|
bio_s_out = BIO_new(BIO_s_null());
|
2017-06-12 17:24:02 +00:00
|
|
|
if (s_msg && bio_s_msg == NULL)
|
2015-09-06 10:20:12 +00:00
|
|
|
bio_s_msg = dup_bio_out(FORMAT_TEXT);
|
2015-01-22 03:40:55 +00:00
|
|
|
} else {
|
|
|
|
if (bio_s_out == NULL)
|
2015-09-06 10:20:12 +00:00
|
|
|
bio_s_out = dup_bio_out(FORMAT_TEXT);
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
|
|
|
}
|
2015-03-10 23:09:27 +00:00
|
|
|
#if !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_EC)
|
2015-01-22 03:40:55 +00:00
|
|
|
if (nocert)
|
1998-12-21 10:52:47 +00:00
|
|
|
#endif
|
2015-01-22 03:40:55 +00:00
|
|
|
{
|
|
|
|
s_cert_file = NULL;
|
|
|
|
s_key_file = NULL;
|
|
|
|
s_dcert_file = NULL;
|
|
|
|
s_dkey_file = NULL;
|
|
|
|
s_cert_file2 = NULL;
|
|
|
|
s_key_file2 = NULL;
|
|
|
|
}
|
|
|
|
|
|
|
|
ctx = SSL_CTX_new(meth);
|
|
|
|
if (ctx == NULL) {
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
goto end;
|
|
|
|
}
|
2016-02-09 15:55:42 +00:00
|
|
|
if (sdebug)
|
|
|
|
ssl_ctx_security_debug(ctx, sdebug);
|
2015-07-08 22:09:52 +00:00
|
|
|
if (ssl_config) {
|
|
|
|
if (SSL_CTX_config(ctx, ssl_config) == 0) {
|
|
|
|
BIO_printf(bio_err, "Error using configuration \"%s\"\n",
|
|
|
|
ssl_config);
|
2016-08-07 10:04:26 +00:00
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
goto end;
|
2015-07-08 22:09:52 +00:00
|
|
|
}
|
|
|
|
}
|
2016-02-02 22:58:49 +00:00
|
|
|
if (SSL_CTX_set_min_proto_version(ctx, min_version) == 0)
|
|
|
|
goto end;
|
|
|
|
if (SSL_CTX_set_max_proto_version(ctx, max_version) == 0)
|
|
|
|
goto end;
|
2015-07-08 22:09:52 +00:00
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
if (session_id_prefix) {
|
|
|
|
if (strlen(session_id_prefix) >= 32)
|
|
|
|
BIO_printf(bio_err,
|
|
|
|
"warning: id_prefix is too long, only one new session will be possible\n");
|
|
|
|
if (!SSL_CTX_set_generate_session_id(ctx, generate_session_id)) {
|
|
|
|
BIO_printf(bio_err, "error setting 'id_prefix'\n");
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
goto end;
|
|
|
|
}
|
|
|
|
BIO_printf(bio_err, "id_prefix '%s' set.\n", session_id_prefix);
|
|
|
|
}
|
|
|
|
SSL_CTX_set_quiet_shutdown(ctx, 1);
|
2017-06-12 17:24:02 +00:00
|
|
|
if (exc != NULL)
|
2015-01-22 03:40:55 +00:00
|
|
|
ssl_ctx_set_excert(ctx, exc);
|
|
|
|
|
|
|
|
if (state)
|
|
|
|
SSL_CTX_set_info_callback(ctx, apps_ssl_info_callback);
|
|
|
|
if (no_cache)
|
|
|
|
SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
|
|
|
|
else if (ext_cache)
|
|
|
|
init_session_cache_ctx(ctx);
|
|
|
|
else
|
|
|
|
SSL_CTX_sess_set_cache_size(ctx, 128);
|
1998-12-21 10:56:39 +00:00
|
|
|
|
2015-07-22 16:50:51 +00:00
|
|
|
if (async) {
|
2015-02-13 23:33:12 +00:00
|
|
|
SSL_CTX_set_mode(ctx, SSL_MODE_ASYNC);
|
2015-07-22 16:50:51 +00:00
|
|
|
}
|
2017-04-06 21:47:18 +00:00
|
|
|
|
2017-04-07 17:15:38 +00:00
|
|
|
if (max_send_fragment > 0
|
|
|
|
&& !SSL_CTX_set_max_send_fragment(ctx, max_send_fragment)) {
|
|
|
|
BIO_printf(bio_err, "%s: Max send fragment size %u is out of permitted range\n",
|
|
|
|
prog, max_send_fragment);
|
|
|
|
goto end;
|
|
|
|
}
|
2017-04-06 21:47:18 +00:00
|
|
|
|
2017-04-07 17:15:38 +00:00
|
|
|
if (split_send_fragment > 0
|
|
|
|
&& !SSL_CTX_set_split_send_fragment(ctx, split_send_fragment)) {
|
|
|
|
BIO_printf(bio_err, "%s: Split send fragment size %u is out of permitted range\n",
|
|
|
|
prog, split_send_fragment);
|
|
|
|
goto end;
|
2015-09-22 10:23:33 +00:00
|
|
|
}
|
2017-04-07 17:15:38 +00:00
|
|
|
if (max_pipelines > 0
|
|
|
|
&& !SSL_CTX_set_max_pipelines(ctx, max_pipelines)) {
|
|
|
|
BIO_printf(bio_err, "%s: Max pipelines %u is out of permitted range\n",
|
|
|
|
prog, max_pipelines);
|
|
|
|
goto end;
|
2015-09-22 10:23:33 +00:00
|
|
|
}
|
2015-02-13 23:33:12 +00:00
|
|
|
|
2016-01-13 14:20:25 +00:00
|
|
|
if (read_buf_len > 0) {
|
|
|
|
SSL_CTX_set_default_read_buffer_len(ctx, read_buf_len);
|
|
|
|
}
|
2014-12-22 11:15:51 +00:00
|
|
|
#ifndef OPENSSL_NO_SRTP
|
2015-03-06 14:39:46 +00:00
|
|
|
if (srtp_profiles != NULL) {
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
/* Returns 0 on success! */
|
|
|
|
if (SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles) != 0) {
|
2015-03-06 14:39:46 +00:00
|
|
|
BIO_printf(bio_err, "Error setting SRTP profile\n");
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
goto end;
|
|
|
|
}
|
|
|
|
}
|
2014-12-22 11:15:51 +00:00
|
|
|
#endif
|
2011-11-15 22:59:20 +00:00
|
|
|
|
2015-09-22 15:00:52 +00:00
|
|
|
if (!ctx_set_verify_locations(ctx, CAfile, CApath, noCAfile, noCApath)) {
|
2015-01-22 03:40:55 +00:00
|
|
|
ERR_print_errors(bio_err);
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
goto end;
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
if (vpmtouched && !SSL_CTX_set1_param(ctx, vpm)) {
|
|
|
|
BIO_printf(bio_err, "Error setting verify params\n");
|
2015-03-06 14:39:46 +00:00
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
goto end;
|
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
|
|
|
|
ssl_ctx_add_crls(ctx, crls, 0);
|
2016-02-14 05:17:59 +00:00
|
|
|
if (!config_ctx(cctx, ssl_args, ctx))
|
2015-01-22 03:40:55 +00:00
|
|
|
goto end;
|
|
|
|
|
|
|
|
if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile,
|
|
|
|
crls, crl_download)) {
|
|
|
|
BIO_printf(bio_err, "Error loading store locations\n");
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
goto end;
|
|
|
|
}
|
2015-05-15 09:49:56 +00:00
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
if (s_cert2) {
|
|
|
|
ctx2 = SSL_CTX_new(meth);
|
|
|
|
if (ctx2 == NULL) {
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
goto end;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
2017-06-12 17:24:02 +00:00
|
|
|
if (ctx2 != NULL) {
|
2015-01-22 03:40:55 +00:00
|
|
|
BIO_printf(bio_s_out, "Setting secondary ctx parameters\n");
|
|
|
|
|
|
|
|
if (sdebug)
|
2015-04-29 15:27:08 +00:00
|
|
|
ssl_ctx_security_debug(ctx, sdebug);
|
2015-01-22 03:40:55 +00:00
|
|
|
|
|
|
|
if (session_id_prefix) {
|
|
|
|
if (strlen(session_id_prefix) >= 32)
|
|
|
|
BIO_printf(bio_err,
|
|
|
|
"warning: id_prefix is too long, only one new session will be possible\n");
|
|
|
|
if (!SSL_CTX_set_generate_session_id(ctx2, generate_session_id)) {
|
|
|
|
BIO_printf(bio_err, "error setting 'id_prefix'\n");
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
goto end;
|
|
|
|
}
|
|
|
|
BIO_printf(bio_err, "id_prefix '%s' set.\n", session_id_prefix);
|
|
|
|
}
|
|
|
|
SSL_CTX_set_quiet_shutdown(ctx2, 1);
|
2017-06-12 17:24:02 +00:00
|
|
|
if (exc != NULL)
|
2015-01-22 03:40:55 +00:00
|
|
|
ssl_ctx_set_excert(ctx2, exc);
|
|
|
|
|
|
|
|
if (state)
|
|
|
|
SSL_CTX_set_info_callback(ctx2, apps_ssl_info_callback);
|
|
|
|
|
|
|
|
if (no_cache)
|
|
|
|
SSL_CTX_set_session_cache_mode(ctx2, SSL_SESS_CACHE_OFF);
|
|
|
|
else if (ext_cache)
|
|
|
|
init_session_cache_ctx(ctx2);
|
|
|
|
else
|
|
|
|
SSL_CTX_sess_set_cache_size(ctx2, 128);
|
|
|
|
|
2015-02-13 23:33:12 +00:00
|
|
|
if (async)
|
2015-07-24 07:15:31 +00:00
|
|
|
SSL_CTX_set_mode(ctx2, SSL_MODE_ASYNC);
|
2015-02-13 23:33:12 +00:00
|
|
|
|
2016-05-23 17:13:16 +00:00
|
|
|
if (!ctx_set_verify_locations(ctx2, CAfile, CApath, noCAfile,
|
|
|
|
noCApath)) {
|
2015-01-22 03:40:55 +00:00
|
|
|
ERR_print_errors(bio_err);
|
2016-05-23 17:13:16 +00:00
|
|
|
goto end;
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
if (vpmtouched && !SSL_CTX_set1_param(ctx2, vpm)) {
|
|
|
|
BIO_printf(bio_err, "Error setting verify params\n");
|
2015-03-06 14:39:46 +00:00
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
goto end;
|
|
|
|
}
|
2010-07-28 10:06:55 +00:00
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
ssl_ctx_add_crls(ctx2, crls, 0);
|
2016-02-14 05:17:59 +00:00
|
|
|
if (!config_ctx(cctx, ssl_args, ctx2))
|
2015-01-22 03:40:55 +00:00
|
|
|
goto end;
|
|
|
|
}
|
2015-05-15 09:49:56 +00:00
|
|
|
#ifndef OPENSSL_NO_NEXTPROTONEG
|
2015-01-22 03:40:55 +00:00
|
|
|
if (next_proto.data)
|
|
|
|
SSL_CTX_set_next_protos_advertised_cb(ctx, next_proto_cb,
|
|
|
|
&next_proto);
|
2015-05-15 09:49:56 +00:00
|
|
|
#endif
|
2015-01-22 03:40:55 +00:00
|
|
|
if (alpn_ctx.data)
|
|
|
|
SSL_CTX_set_alpn_select_cb(ctx, alpn_cb, &alpn_ctx);
|
2006-01-02 23:29:12 +00:00
|
|
|
|
2001-02-19 16:06:34 +00:00
|
|
|
#ifndef OPENSSL_NO_DH
|
2015-01-22 03:40:55 +00:00
|
|
|
if (!no_dhe) {
|
|
|
|
DH *dh = NULL;
|
|
|
|
|
2017-06-12 17:24:02 +00:00
|
|
|
if (dhfile != NULL)
|
2015-01-22 03:40:55 +00:00
|
|
|
dh = load_dh_param(dhfile);
|
2017-06-12 17:24:02 +00:00
|
|
|
else if (s_cert_file != NULL)
|
2015-01-22 03:40:55 +00:00
|
|
|
dh = load_dh_param(s_cert_file);
|
|
|
|
|
|
|
|
if (dh != NULL) {
|
|
|
|
BIO_printf(bio_s_out, "Setting temp DH parameters\n");
|
|
|
|
} else {
|
|
|
|
BIO_printf(bio_s_out, "Using default temp DH parameters\n");
|
|
|
|
}
|
|
|
|
(void)BIO_flush(bio_s_out);
|
|
|
|
|
2017-06-12 17:24:02 +00:00
|
|
|
if (dh == NULL) {
|
2015-01-22 03:40:55 +00:00
|
|
|
SSL_CTX_set_dh_auto(ctx, 1);
|
2017-06-12 17:24:02 +00:00
|
|
|
} else if (!SSL_CTX_set_tmp_dh(ctx, dh)) {
|
2015-01-22 03:40:55 +00:00
|
|
|
BIO_puts(bio_err, "Error setting temp DH parameters\n");
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
DH_free(dh);
|
|
|
|
goto end;
|
|
|
|
}
|
2015-05-15 09:49:56 +00:00
|
|
|
|
2017-06-12 17:24:02 +00:00
|
|
|
if (ctx2 != NULL) {
|
2015-01-22 03:40:55 +00:00
|
|
|
if (!dhfile) {
|
|
|
|
DH *dh2 = load_dh_param(s_cert_file2);
|
|
|
|
if (dh2 != NULL) {
|
|
|
|
BIO_printf(bio_s_out, "Setting temp DH parameters\n");
|
|
|
|
(void)BIO_flush(bio_s_out);
|
|
|
|
|
|
|
|
DH_free(dh);
|
|
|
|
dh = dh2;
|
|
|
|
}
|
|
|
|
}
|
2017-06-12 17:24:02 +00:00
|
|
|
if (dh == NULL) {
|
2015-01-22 03:40:55 +00:00
|
|
|
SSL_CTX_set_dh_auto(ctx2, 1);
|
2017-06-12 17:24:02 +00:00
|
|
|
} else if (!SSL_CTX_set_tmp_dh(ctx2, dh)) {
|
2015-01-22 03:40:55 +00:00
|
|
|
BIO_puts(bio_err, "Error setting temp DH parameters\n");
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
DH_free(dh);
|
|
|
|
goto end;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
DH_free(dh);
|
|
|
|
}
|
2006-01-02 23:14:37 +00:00
|
|
|
#endif
|
1998-12-21 10:52:47 +00:00
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
if (!set_cert_key_stuff(ctx, s_cert, s_key, s_chain, build_chain))
|
|
|
|
goto end;
|
2015-05-15 09:49:56 +00:00
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
if (s_serverinfo_file != NULL
|
|
|
|
&& !SSL_CTX_use_serverinfo_file(ctx, s_serverinfo_file)) {
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
goto end;
|
|
|
|
}
|
2015-05-15 09:49:56 +00:00
|
|
|
|
2017-06-12 17:24:02 +00:00
|
|
|
if (ctx2 != NULL
|
|
|
|
&& !set_cert_key_stuff(ctx2, s_cert2, s_key2, NULL, build_chain))
|
2015-01-22 03:40:55 +00:00
|
|
|
goto end;
|
2015-05-15 09:49:56 +00:00
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
if (s_dcert != NULL) {
|
|
|
|
if (!set_cert_key_stuff(ctx, s_dcert, s_dkey, s_dchain, build_chain))
|
|
|
|
goto end;
|
|
|
|
}
|
1998-12-21 10:52:47 +00:00
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
if (no_resume_ephemeral) {
|
|
|
|
SSL_CTX_set_not_resumable_session_callback(ctx,
|
|
|
|
not_resumable_sess_cb);
|
2015-05-15 09:49:56 +00:00
|
|
|
|
2017-06-12 17:24:02 +00:00
|
|
|
if (ctx2 != NULL)
|
2015-01-22 03:40:55 +00:00
|
|
|
SSL_CTX_set_not_resumable_session_callback(ctx2,
|
|
|
|
not_resumable_sess_cb);
|
|
|
|
}
|
2006-03-10 23:06:27 +00:00
|
|
|
#ifndef OPENSSL_NO_PSK
|
2016-01-31 01:14:39 +00:00
|
|
|
if (psk_key != NULL) {
|
2015-01-22 03:40:55 +00:00
|
|
|
if (s_debug)
|
2016-08-07 10:04:26 +00:00
|
|
|
BIO_printf(bio_s_out, "PSK key given, setting server callback\n");
|
2015-01-22 03:40:55 +00:00
|
|
|
SSL_CTX_set_psk_server_callback(ctx, psk_server_cb);
|
|
|
|
}
|
2006-03-10 23:06:27 +00:00
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
if (!SSL_CTX_use_psk_identity_hint(ctx, psk_identity_hint)) {
|
|
|
|
BIO_printf(bio_err, "error setting PSK identity hint to context\n");
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
goto end;
|
|
|
|
}
|
2006-03-10 23:06:27 +00:00
|
|
|
#endif
|
2017-06-12 17:26:09 +00:00
|
|
|
if (psksessf != NULL) {
|
|
|
|
BIO *stmp = BIO_new_file(psksessf, "r");
|
|
|
|
|
|
|
|
if (stmp == NULL) {
|
|
|
|
BIO_printf(bio_err, "Can't open PSK session file %s\n", psksessf);
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
goto end;
|
|
|
|
}
|
|
|
|
psksess = PEM_read_bio_SSL_SESSION(stmp, NULL, 0, NULL);
|
|
|
|
BIO_free(stmp);
|
|
|
|
if (psksess == NULL) {
|
|
|
|
BIO_printf(bio_err, "Can't read PSK session file %s\n", psksessf);
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
goto end;
|
|
|
|
}
|
2017-06-12 18:12:13 +00:00
|
|
|
|
2017-06-12 17:26:09 +00:00
|
|
|
}
|
2006-03-10 23:06:27 +00:00
|
|
|
|
2017-06-12 18:12:13 +00:00
|
|
|
if (psk_key != NULL || psksess != NULL)
|
|
|
|
SSL_CTX_set_psk_find_session_callback(ctx, psk_find_session_cb);
|
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
SSL_CTX_set_verify(ctx, s_server_verify, verify_callback);
|
2015-04-16 05:50:03 +00:00
|
|
|
if (!SSL_CTX_set_session_id_context(ctx,
|
2016-08-07 10:04:26 +00:00
|
|
|
(void *)&s_server_session_id_context,
|
2017-12-07 18:39:34 +00:00
|
|
|
sizeof(s_server_session_id_context))) {
|
2015-03-06 14:39:46 +00:00
|
|
|
BIO_printf(bio_err, "error setting session id context\n");
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
goto end;
|
|
|
|
}
|
1998-12-21 10:52:47 +00:00
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
/* Set DTLS cookie generation and verification callbacks */
|
|
|
|
SSL_CTX_set_cookie_generate_cb(ctx, generate_cookie_callback);
|
|
|
|
SSL_CTX_set_cookie_verify_cb(ctx, verify_cookie_callback);
|
2009-09-04 17:42:53 +00:00
|
|
|
|
2018-02-26 02:39:11 +00:00
|
|
|
/* Set TLS1.3 cookie generation and verification callbacks */
|
|
|
|
SSL_CTX_set_stateless_cookie_generate_cb(ctx, generate_stateless_cookie_callback);
|
|
|
|
SSL_CTX_set_stateless_cookie_verify_cb(ctx, verify_stateless_cookie_callback);
|
|
|
|
|
2017-06-12 17:24:02 +00:00
|
|
|
if (ctx2 != NULL) {
|
2015-01-22 03:40:55 +00:00
|
|
|
SSL_CTX_set_verify(ctx2, s_server_verify, verify_callback);
|
2015-04-16 05:50:03 +00:00
|
|
|
if (!SSL_CTX_set_session_id_context(ctx2,
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
(void *)&s_server_session_id_context,
|
2017-12-07 18:39:34 +00:00
|
|
|
sizeof(s_server_session_id_context))) {
|
2015-03-06 14:39:46 +00:00
|
|
|
BIO_printf(bio_err, "error setting session id context\n");
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
goto end;
|
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
tlsextcbp.biodebug = bio_s_out;
|
|
|
|
SSL_CTX_set_tlsext_servername_callback(ctx2, ssl_servername_cb);
|
|
|
|
SSL_CTX_set_tlsext_servername_arg(ctx2, &tlsextcbp);
|
|
|
|
SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
|
|
|
|
SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
|
|
|
|
}
|
2006-01-03 03:27:19 +00:00
|
|
|
|
2011-03-12 17:01:19 +00:00
|
|
|
#ifndef OPENSSL_NO_SRP
|
2015-01-22 03:40:55 +00:00
|
|
|
if (srp_verifier_file != NULL) {
|
|
|
|
srp_callback_parm.vb = SRP_VBASE_new(srpuserseed);
|
|
|
|
srp_callback_parm.user = NULL;
|
|
|
|
srp_callback_parm.login = NULL;
|
|
|
|
if ((ret =
|
|
|
|
SRP_VBASE_init(srp_callback_parm.vb,
|
|
|
|
srp_verifier_file)) != SRP_NO_ERROR) {
|
|
|
|
BIO_printf(bio_err,
|
|
|
|
"Cannot initialize SRP verifier file \"%s\":ret=%d\n",
|
|
|
|
srp_verifier_file, ret);
|
|
|
|
goto end;
|
|
|
|
}
|
|
|
|
SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, verify_callback);
|
|
|
|
SSL_CTX_set_srp_cb_arg(ctx, &srp_callback_parm);
|
|
|
|
SSL_CTX_set_srp_username_callback(ctx, ssl_srp_server_param_cb);
|
|
|
|
} else
|
|
|
|
#endif
|
|
|
|
if (CAfile != NULL) {
|
|
|
|
SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(CAfile));
|
2015-05-15 09:49:56 +00:00
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
if (ctx2)
|
|
|
|
SSL_CTX_set_client_CA_list(ctx2, SSL_load_client_CA_file(CAfile));
|
|
|
|
}
|
2016-03-21 16:54:53 +00:00
|
|
|
#ifndef OPENSSL_NO_OCSP
|
2015-07-30 01:34:35 +00:00
|
|
|
if (s_tlsextstatus) {
|
|
|
|
SSL_CTX_set_tlsext_status_cb(ctx, cert_status_cb);
|
|
|
|
SSL_CTX_set_tlsext_status_arg(ctx, &tlscstatp);
|
|
|
|
if (ctx2) {
|
|
|
|
SSL_CTX_set_tlsext_status_cb(ctx2, cert_status_cb);
|
|
|
|
SSL_CTX_set_tlsext_status_arg(ctx2, &tlscstatp);
|
|
|
|
}
|
|
|
|
}
|
2016-03-21 16:54:53 +00:00
|
|
|
#endif
|
2017-02-01 18:14:27 +00:00
|
|
|
if (set_keylog_file(ctx, keylog_file))
|
|
|
|
goto end;
|
2015-01-22 03:40:55 +00:00
|
|
|
|
2017-02-23 16:54:11 +00:00
|
|
|
if (max_early_data >= 0)
|
2017-02-17 17:01:16 +00:00
|
|
|
SSL_CTX_set_max_early_data(ctx, max_early_data);
|
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
BIO_printf(bio_s_out, "ACCEPT\n");
|
|
|
|
(void)BIO_flush(bio_s_out);
|
|
|
|
if (rev)
|
|
|
|
server_cb = rev_body;
|
|
|
|
else if (www)
|
|
|
|
server_cb = www_body;
|
|
|
|
else
|
|
|
|
server_cb = sv_body;
|
2016-02-02 23:47:42 +00:00
|
|
|
#ifdef AF_UNIX
|
|
|
|
if (socket_family == AF_UNIX
|
|
|
|
&& unlink_unix_path)
|
|
|
|
unlink(host);
|
2015-01-22 03:40:55 +00:00
|
|
|
#endif
|
2017-04-20 08:56:56 +00:00
|
|
|
do_server(&accept_socket, host, port, socket_family, socket_type, protocol,
|
2016-02-02 23:47:42 +00:00
|
|
|
server_cb, context, naccept);
|
2015-01-22 03:40:55 +00:00
|
|
|
print_stats(bio_s_out, ctx);
|
|
|
|
ret = 0;
|
|
|
|
end:
|
2015-04-11 14:22:36 +00:00
|
|
|
SSL_CTX_free(ctx);
|
2017-07-05 09:32:33 +00:00
|
|
|
SSL_SESSION_free(psksess);
|
2017-02-01 18:14:27 +00:00
|
|
|
set_keylog_file(NULL, NULL);
|
2015-04-30 21:33:59 +00:00
|
|
|
X509_free(s_cert);
|
|
|
|
sk_X509_CRL_pop_free(crls, X509_CRL_free);
|
|
|
|
X509_free(s_dcert);
|
2015-03-28 14:54:15 +00:00
|
|
|
EVP_PKEY_free(s_key);
|
|
|
|
EVP_PKEY_free(s_dkey);
|
2015-04-30 21:33:59 +00:00
|
|
|
sk_X509_pop_free(s_chain, X509_free);
|
|
|
|
sk_X509_pop_free(s_dchain, X509_free);
|
2015-05-01 18:37:16 +00:00
|
|
|
OPENSSL_free(pass);
|
|
|
|
OPENSSL_free(dpass);
|
2016-02-02 23:47:42 +00:00
|
|
|
OPENSSL_free(host);
|
|
|
|
OPENSSL_free(port);
|
2015-04-30 21:33:59 +00:00
|
|
|
X509_VERIFY_PARAM_free(vpm);
|
2015-01-22 03:40:55 +00:00
|
|
|
free_sessions();
|
2015-05-01 18:37:16 +00:00
|
|
|
OPENSSL_free(tlscstatp.host);
|
|
|
|
OPENSSL_free(tlscstatp.port);
|
|
|
|
OPENSSL_free(tlscstatp.path);
|
2015-04-11 14:22:36 +00:00
|
|
|
SSL_CTX_free(ctx2);
|
2015-04-30 21:33:59 +00:00
|
|
|
X509_free(s_cert2);
|
2015-03-28 14:54:15 +00:00
|
|
|
EVP_PKEY_free(s_key2);
|
2015-05-15 09:49:56 +00:00
|
|
|
#ifndef OPENSSL_NO_NEXTPROTONEG
|
2015-05-01 18:37:16 +00:00
|
|
|
OPENSSL_free(next_proto.data);
|
2015-01-22 03:40:55 +00:00
|
|
|
#endif
|
2015-05-15 09:49:56 +00:00
|
|
|
OPENSSL_free(alpn_ctx.data);
|
2015-01-22 03:40:55 +00:00
|
|
|
ssl_excert_free(exc);
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
sk_OPENSSL_STRING_free(ssl_args);
|
2015-04-11 14:22:36 +00:00
|
|
|
SSL_CONF_CTX_free(cctx);
|
2016-09-28 21:39:18 +00:00
|
|
|
release_engine(engine);
|
2015-03-25 15:31:18 +00:00
|
|
|
BIO_free(bio_s_out);
|
|
|
|
bio_s_out = NULL;
|
|
|
|
BIO_free(bio_s_msg);
|
|
|
|
bio_s_msg = NULL;
|
2016-04-28 10:34:54 +00:00
|
|
|
#ifdef CHARSET_EBCDIC
|
|
|
|
BIO_meth_free(methods_ebcdic);
|
|
|
|
#endif
|
2017-10-17 14:04:09 +00:00
|
|
|
return ret;
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
1998-12-21 10:52:47 +00:00
|
|
|
|
1999-04-19 21:31:43 +00:00
|
|
|
static void print_stats(BIO *bio, SSL_CTX *ssl_ctx)
|
2015-01-22 03:40:55 +00:00
|
|
|
{
|
|
|
|
BIO_printf(bio, "%4ld items in the session cache\n",
|
|
|
|
SSL_CTX_sess_number(ssl_ctx));
|
|
|
|
BIO_printf(bio, "%4ld client connects (SSL_connect())\n",
|
|
|
|
SSL_CTX_sess_connect(ssl_ctx));
|
|
|
|
BIO_printf(bio, "%4ld client renegotiates (SSL_connect())\n",
|
|
|
|
SSL_CTX_sess_connect_renegotiate(ssl_ctx));
|
|
|
|
BIO_printf(bio, "%4ld client connects that finished\n",
|
|
|
|
SSL_CTX_sess_connect_good(ssl_ctx));
|
|
|
|
BIO_printf(bio, "%4ld server accepts (SSL_accept())\n",
|
|
|
|
SSL_CTX_sess_accept(ssl_ctx));
|
|
|
|
BIO_printf(bio, "%4ld server renegotiates (SSL_accept())\n",
|
|
|
|
SSL_CTX_sess_accept_renegotiate(ssl_ctx));
|
|
|
|
BIO_printf(bio, "%4ld server accepts that finished\n",
|
|
|
|
SSL_CTX_sess_accept_good(ssl_ctx));
|
|
|
|
BIO_printf(bio, "%4ld session cache hits\n", SSL_CTX_sess_hits(ssl_ctx));
|
|
|
|
BIO_printf(bio, "%4ld session cache misses\n",
|
|
|
|
SSL_CTX_sess_misses(ssl_ctx));
|
|
|
|
BIO_printf(bio, "%4ld session cache timeouts\n",
|
|
|
|
SSL_CTX_sess_timeouts(ssl_ctx));
|
|
|
|
BIO_printf(bio, "%4ld callback cache hits\n",
|
|
|
|
SSL_CTX_sess_cb_hits(ssl_ctx));
|
|
|
|
BIO_printf(bio, "%4ld cache full overflows (%ld allowed)\n",
|
|
|
|
SSL_CTX_sess_cache_full(ssl_ctx),
|
|
|
|
SSL_CTX_sess_get_cache_size(ssl_ctx));
|
|
|
|
}
|
1998-12-21 10:52:47 +00:00
|
|
|
|
2017-04-20 08:56:56 +00:00
|
|
|
static int sv_body(int s, int stype, int prot, unsigned char *context)
|
2015-01-22 03:40:55 +00:00
|
|
|
{
|
|
|
|
char *buf = NULL;
|
|
|
|
fd_set readfds;
|
|
|
|
int ret = 1, width;
|
|
|
|
int k, i;
|
|
|
|
unsigned long l;
|
|
|
|
SSL *con = NULL;
|
|
|
|
BIO *sbio;
|
|
|
|
struct timeval timeout;
|
2016-03-17 16:53:11 +00:00
|
|
|
#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
|
2015-01-22 03:40:55 +00:00
|
|
|
struct timeval tv;
|
2009-08-18 11:15:33 +00:00
|
|
|
#else
|
2015-01-22 03:40:55 +00:00
|
|
|
struct timeval *timeoutp;
|
1999-09-20 22:09:17 +00:00
|
|
|
#endif
|
2017-04-20 08:56:56 +00:00
|
|
|
#ifndef OPENSSL_NO_DTLS
|
2017-04-25 13:35:41 +00:00
|
|
|
# ifndef OPENSSL_NO_SCTP
|
2017-04-20 08:56:56 +00:00
|
|
|
int isdtls = (stype == SOCK_DGRAM || prot == IPPROTO_SCTP);
|
2017-04-25 13:35:41 +00:00
|
|
|
# else
|
2017-04-20 08:56:56 +00:00
|
|
|
int isdtls = (stype == SOCK_DGRAM);
|
2017-04-25 13:35:41 +00:00
|
|
|
# endif
|
2017-04-20 08:56:56 +00:00
|
|
|
#endif
|
1998-12-21 10:52:47 +00:00
|
|
|
|
2015-04-30 21:48:31 +00:00
|
|
|
buf = app_malloc(bufsize, "server buffer");
|
2015-01-22 03:40:55 +00:00
|
|
|
if (s_nbio) {
|
2016-02-27 18:24:28 +00:00
|
|
|
if (!BIO_socket_nbio(s, 1))
|
2015-01-22 03:40:55 +00:00
|
|
|
ERR_print_errors(bio_err);
|
2016-02-27 18:24:28 +00:00
|
|
|
else if (!s_quiet)
|
|
|
|
BIO_printf(bio_err, "Turned on non blocking io\n");
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
1998-12-21 10:52:47 +00:00
|
|
|
|
2017-10-19 14:41:03 +00:00
|
|
|
con = SSL_new(ctx);
|
2015-01-22 03:40:55 +00:00
|
|
|
if (con == NULL) {
|
2017-10-19 14:41:03 +00:00
|
|
|
ret = -1;
|
|
|
|
goto err;
|
|
|
|
}
|
2015-05-15 09:49:56 +00:00
|
|
|
|
2017-10-19 14:41:03 +00:00
|
|
|
if (s_tlsextdebug) {
|
|
|
|
SSL_set_tlsext_debug_callback(con, tlsext_cb);
|
|
|
|
SSL_set_tlsext_debug_arg(con, bio_s_out);
|
|
|
|
}
|
2015-05-15 09:49:56 +00:00
|
|
|
|
2017-10-19 14:41:03 +00:00
|
|
|
if (context != NULL
|
|
|
|
&& !SSL_set_session_id_context(con, context,
|
|
|
|
strlen((char *)context))) {
|
|
|
|
BIO_printf(bio_err, "Error setting session id context\n");
|
|
|
|
ret = -1;
|
|
|
|
goto err;
|
2015-03-06 14:39:46 +00:00
|
|
|
}
|
2017-10-19 14:41:03 +00:00
|
|
|
|
2015-04-16 05:50:03 +00:00
|
|
|
if (!SSL_clear(con)) {
|
2015-03-06 14:39:46 +00:00
|
|
|
BIO_printf(bio_err, "Error clearing SSL connection\n");
|
|
|
|
ret = -1;
|
|
|
|
goto err;
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
2015-12-16 13:25:07 +00:00
|
|
|
#ifndef OPENSSL_NO_DTLS
|
2017-04-20 08:56:56 +00:00
|
|
|
if (isdtls) {
|
2017-04-25 13:35:41 +00:00
|
|
|
# ifndef OPENSSL_NO_SCTP
|
2017-04-20 08:56:56 +00:00
|
|
|
if (prot == IPPROTO_SCTP)
|
|
|
|
sbio = BIO_new_dgram_sctp(s, BIO_NOCLOSE);
|
|
|
|
else
|
2017-04-25 13:35:41 +00:00
|
|
|
# endif
|
2017-04-20 08:56:56 +00:00
|
|
|
sbio = BIO_new_dgram(s, BIO_NOCLOSE);
|
2015-01-22 03:40:55 +00:00
|
|
|
|
|
|
|
if (enable_timeouts) {
|
|
|
|
timeout.tv_sec = 0;
|
|
|
|
timeout.tv_usec = DGRAM_RCV_TIMEOUT;
|
|
|
|
BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
|
|
|
|
|
|
|
|
timeout.tv_sec = 0;
|
|
|
|
timeout.tv_usec = DGRAM_SND_TIMEOUT;
|
|
|
|
BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
|
|
|
|
}
|
|
|
|
|
|
|
|
if (socket_mtu) {
|
|
|
|
if (socket_mtu < DTLS_get_link_min_mtu(con)) {
|
|
|
|
BIO_printf(bio_err, "MTU too small. Must be at least %ld\n",
|
|
|
|
DTLS_get_link_min_mtu(con));
|
|
|
|
ret = -1;
|
|
|
|
BIO_free(sbio);
|
|
|
|
goto err;
|
|
|
|
}
|
|
|
|
SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
|
|
|
|
if (!DTLS_set_link_mtu(con, socket_mtu)) {
|
|
|
|
BIO_printf(bio_err, "Failed to set MTU\n");
|
|
|
|
ret = -1;
|
|
|
|
BIO_free(sbio);
|
|
|
|
goto err;
|
|
|
|
}
|
|
|
|
} else
|
|
|
|
/* want to do MTU discovery */
|
|
|
|
BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL);
|
2005-04-26 16:02:40 +00:00
|
|
|
|
2017-04-25 13:35:09 +00:00
|
|
|
# ifndef OPENSSL_NO_SCTP
|
2017-08-24 08:52:11 +00:00
|
|
|
if (prot != IPPROTO_SCTP)
|
|
|
|
# endif
|
2017-04-20 08:56:56 +00:00
|
|
|
/* Turn on cookie exchange. Not necessary for SCTP */
|
|
|
|
SSL_set_options(con, SSL_OP_COOKIE_EXCHANGE);
|
2015-01-22 03:40:55 +00:00
|
|
|
} else
|
2015-12-16 13:25:07 +00:00
|
|
|
#endif
|
2015-01-22 03:40:55 +00:00
|
|
|
sbio = BIO_new_socket(s, BIO_NOCLOSE);
|
2005-04-26 16:02:40 +00:00
|
|
|
|
2017-04-20 08:56:56 +00:00
|
|
|
if (sbio == NULL) {
|
|
|
|
BIO_printf(bio_err, "Unable to create BIO\n");
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
goto err;
|
|
|
|
}
|
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
if (s_nbio_test) {
|
|
|
|
BIO *test;
|
1998-12-21 10:52:47 +00:00
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
test = BIO_new(BIO_f_nbio_test());
|
|
|
|
sbio = BIO_push(test, sbio);
|
|
|
|
}
|
|
|
|
|
|
|
|
SSL_set_bio(con, sbio, sbio);
|
|
|
|
SSL_set_accept_state(con);
|
|
|
|
/* SSL_set_fd(con,s); */
|
|
|
|
|
|
|
|
if (s_debug) {
|
|
|
|
BIO_set_callback(SSL_get_rbio(con), bio_dump_callback);
|
|
|
|
BIO_set_callback_arg(SSL_get_rbio(con), (char *)bio_s_out);
|
|
|
|
}
|
|
|
|
if (s_msg) {
|
2012-06-15 12:46:09 +00:00
|
|
|
#ifndef OPENSSL_NO_SSL_TRACE
|
2015-01-22 03:40:55 +00:00
|
|
|
if (s_msg == 2)
|
|
|
|
SSL_set_msg_callback(con, SSL_trace);
|
|
|
|
else
|
2012-06-15 12:46:09 +00:00
|
|
|
#endif
|
2015-01-22 03:40:55 +00:00
|
|
|
SSL_set_msg_callback(con, msg_cb);
|
|
|
|
SSL_set_msg_callback_arg(con, bio_s_msg ? bio_s_msg : bio_s_out);
|
|
|
|
}
|
2015-05-15 09:49:56 +00:00
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
if (s_tlsextdebug) {
|
|
|
|
SSL_set_tlsext_debug_callback(con, tlsext_cb);
|
|
|
|
SSL_set_tlsext_debug_arg(con, bio_s_out);
|
|
|
|
}
|
1998-12-21 10:52:47 +00:00
|
|
|
|
2017-02-22 15:24:11 +00:00
|
|
|
if (early_data) {
|
2017-03-02 14:42:55 +00:00
|
|
|
int write_header = 1, edret = SSL_READ_EARLY_DATA_ERROR;
|
2017-02-22 15:24:11 +00:00
|
|
|
size_t readbytes;
|
|
|
|
|
2017-03-02 14:42:55 +00:00
|
|
|
while (edret != SSL_READ_EARLY_DATA_FINISH) {
|
2017-02-22 15:24:11 +00:00
|
|
|
for (;;) {
|
2017-03-02 14:42:55 +00:00
|
|
|
edret = SSL_read_early_data(con, buf, bufsize, &readbytes);
|
|
|
|
if (edret != SSL_READ_EARLY_DATA_ERROR)
|
2017-02-22 15:24:11 +00:00
|
|
|
break;
|
|
|
|
|
|
|
|
switch (SSL_get_error(con, 0)) {
|
|
|
|
case SSL_ERROR_WANT_WRITE:
|
|
|
|
case SSL_ERROR_WANT_ASYNC:
|
|
|
|
case SSL_ERROR_WANT_READ:
|
|
|
|
/* Just keep trying - busy waiting */
|
|
|
|
continue;
|
|
|
|
default:
|
|
|
|
BIO_printf(bio_err, "Error reading early data\n");
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
goto err;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if (readbytes > 0) {
|
|
|
|
if (write_header) {
|
|
|
|
BIO_printf(bio_s_out, "Early data received:\n");
|
|
|
|
write_header = 0;
|
|
|
|
}
|
|
|
|
raw_write_stdout(buf, (unsigned int)readbytes);
|
|
|
|
(void)BIO_flush(bio_s_out);
|
|
|
|
}
|
|
|
|
}
|
2017-11-14 14:21:13 +00:00
|
|
|
if (write_header) {
|
|
|
|
if (SSL_get_early_data_status(con) == SSL_EARLY_DATA_NOT_SENT)
|
|
|
|
BIO_printf(bio_s_out, "No early data received\n");
|
|
|
|
else
|
|
|
|
BIO_printf(bio_s_out, "Early data was rejected\n");
|
|
|
|
} else {
|
2017-02-22 15:24:11 +00:00
|
|
|
BIO_printf(bio_s_out, "\nEnd of early data\n");
|
2017-11-14 14:21:13 +00:00
|
|
|
}
|
2017-02-27 20:55:04 +00:00
|
|
|
if (SSL_is_init_finished(con))
|
|
|
|
print_connection_info(con);
|
2017-02-22 15:24:11 +00:00
|
|
|
}
|
|
|
|
|
2016-09-15 09:20:18 +00:00
|
|
|
if (fileno_stdin() > s)
|
|
|
|
width = fileno_stdin() + 1;
|
2016-09-14 18:54:30 +00:00
|
|
|
else
|
|
|
|
width = s + 1;
|
2015-01-22 03:40:55 +00:00
|
|
|
for (;;) {
|
|
|
|
int read_from_terminal;
|
|
|
|
int read_from_sslcon;
|
2000-02-21 17:09:54 +00:00
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
read_from_terminal = 0;
|
2016-02-12 13:33:45 +00:00
|
|
|
read_from_sslcon = SSL_has_pending(con)
|
2015-09-16 21:54:54 +00:00
|
|
|
|| (async && SSL_waiting_for_async(con));
|
2000-02-21 17:09:54 +00:00
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
if (!read_from_sslcon) {
|
|
|
|
FD_ZERO(&readfds);
|
2016-03-17 16:53:11 +00:00
|
|
|
#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS)
|
2016-09-15 09:20:18 +00:00
|
|
|
openssl_fdset(fileno_stdin(), &readfds);
|
2015-01-22 03:40:55 +00:00
|
|
|
#endif
|
|
|
|
openssl_fdset(s, &readfds);
|
|
|
|
/*
|
|
|
|
* Note: under VMS with SOCKETSHR the second parameter is
|
|
|
|
* currently of type (int *) whereas under other systems it is
|
|
|
|
* (void *) if you don't have a cast it will choke the compiler:
|
|
|
|
* if you do have a cast then you can either go for (int *) or
|
|
|
|
* (void *).
|
|
|
|
*/
|
2016-03-17 16:53:11 +00:00
|
|
|
#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
|
2015-01-22 03:40:55 +00:00
|
|
|
/*
|
|
|
|
* Under DOS (non-djgpp) and Windows we can't select on stdin:
|
|
|
|
* only on sockets. As a workaround we timeout the select every
|
|
|
|
* second and check for any keypress. In a proper Windows
|
|
|
|
* application we wouldn't do this because it is inefficient.
|
|
|
|
*/
|
|
|
|
tv.tv_sec = 1;
|
|
|
|
tv.tv_usec = 0;
|
|
|
|
i = select(width, (void *)&readfds, NULL, NULL, &tv);
|
2016-05-20 10:53:26 +00:00
|
|
|
if (has_stdin_waiting())
|
2015-01-22 03:40:55 +00:00
|
|
|
read_from_terminal = 1;
|
2016-05-20 10:53:26 +00:00
|
|
|
if ((i < 0) || (!i && !read_from_terminal))
|
|
|
|
continue;
|
1999-09-20 22:09:17 +00:00
|
|
|
#else
|
2015-01-22 03:40:55 +00:00
|
|
|
if ((SSL_version(con) == DTLS1_VERSION) &&
|
|
|
|
DTLSv1_get_timeout(con, &timeout))
|
|
|
|
timeoutp = &timeout;
|
|
|
|
else
|
|
|
|
timeoutp = NULL;
|
|
|
|
|
|
|
|
i = select(width, (void *)&readfds, NULL, NULL, timeoutp);
|
|
|
|
|
|
|
|
if ((SSL_version(con) == DTLS1_VERSION)
|
|
|
|
&& DTLSv1_handle_timeout(con) > 0) {
|
|
|
|
BIO_printf(bio_err, "TIMEOUT occurred\n");
|
|
|
|
}
|
|
|
|
|
|
|
|
if (i <= 0)
|
|
|
|
continue;
|
2016-09-15 09:20:18 +00:00
|
|
|
if (FD_ISSET(fileno_stdin(), &readfds))
|
2015-01-22 03:40:55 +00:00
|
|
|
read_from_terminal = 1;
|
|
|
|
#endif
|
|
|
|
if (FD_ISSET(s, &readfds))
|
|
|
|
read_from_sslcon = 1;
|
|
|
|
}
|
|
|
|
if (read_from_terminal) {
|
|
|
|
if (s_crlf) {
|
|
|
|
int j, lf_num;
|
|
|
|
|
2016-09-14 18:54:30 +00:00
|
|
|
i = raw_read_stdin(buf, bufsize / 2);
|
|
|
|
lf_num = 0;
|
2015-01-22 03:40:55 +00:00
|
|
|
/* both loops are skipped when i <= 0 */
|
|
|
|
for (j = 0; j < i; j++)
|
|
|
|
if (buf[j] == '\n')
|
|
|
|
lf_num++;
|
|
|
|
for (j = i - 1; j >= 0; j--) {
|
|
|
|
buf[j + lf_num] = buf[j];
|
|
|
|
if (buf[j] == '\n') {
|
|
|
|
lf_num--;
|
|
|
|
i++;
|
|
|
|
buf[j + lf_num] = '\r';
|
|
|
|
}
|
|
|
|
}
|
|
|
|
assert(lf_num == 0);
|
2017-06-12 17:24:02 +00:00
|
|
|
} else {
|
2016-09-14 18:54:30 +00:00
|
|
|
i = raw_read_stdin(buf, bufsize);
|
2017-06-12 17:24:02 +00:00
|
|
|
}
|
2016-09-15 09:20:18 +00:00
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
if (!s_quiet && !s_brief) {
|
|
|
|
if ((i <= 0) || (buf[0] == 'Q')) {
|
|
|
|
BIO_printf(bio_s_out, "DONE\n");
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
(void)BIO_flush(bio_s_out);
|
2016-03-02 21:12:46 +00:00
|
|
|
BIO_closesocket(s);
|
2015-01-22 03:40:55 +00:00
|
|
|
close_accept_socket();
|
|
|
|
ret = -11;
|
|
|
|
goto err;
|
|
|
|
}
|
|
|
|
if ((i <= 0) || (buf[0] == 'q')) {
|
|
|
|
BIO_printf(bio_s_out, "DONE\n");
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
(void)BIO_flush(bio_s_out);
|
2015-01-22 03:40:55 +00:00
|
|
|
if (SSL_version(con) != DTLS1_VERSION)
|
2016-03-02 21:12:46 +00:00
|
|
|
BIO_closesocket(s);
|
2015-01-22 03:40:55 +00:00
|
|
|
/*
|
|
|
|
* close_accept_socket(); ret= -11;
|
|
|
|
*/
|
|
|
|
goto err;
|
|
|
|
}
|
2016-11-15 13:53:33 +00:00
|
|
|
#ifndef OPENSSL_NO_HEARTBEATS
|
|
|
|
if ((buf[0] == 'B') && ((buf[1] == '\n') || (buf[1] == '\r'))) {
|
|
|
|
BIO_printf(bio_err, "HEARTBEATING\n");
|
|
|
|
SSL_heartbeat(con);
|
|
|
|
i = 0;
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
#endif
|
2015-01-22 03:40:55 +00:00
|
|
|
if ((buf[0] == 'r') && ((buf[1] == '\n') || (buf[1] == '\r'))) {
|
|
|
|
SSL_renegotiate(con);
|
|
|
|
i = SSL_do_handshake(con);
|
|
|
|
printf("SSL_do_handshake -> %d\n", i);
|
|
|
|
i = 0; /* 13; */
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
if ((buf[0] == 'R') && ((buf[1] == '\n') || (buf[1] == '\r'))) {
|
|
|
|
SSL_set_verify(con,
|
|
|
|
SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE,
|
|
|
|
NULL);
|
|
|
|
SSL_renegotiate(con);
|
|
|
|
i = SSL_do_handshake(con);
|
|
|
|
printf("SSL_do_handshake -> %d\n", i);
|
|
|
|
i = 0; /* 13; */
|
|
|
|
continue;
|
|
|
|
}
|
2017-02-08 16:52:23 +00:00
|
|
|
if ((buf[0] == 'K' || buf[0] == 'k')
|
|
|
|
&& ((buf[1] == '\n') || (buf[1] == '\r'))) {
|
|
|
|
SSL_key_update(con, buf[0] == 'K' ?
|
|
|
|
SSL_KEY_UPDATE_REQUESTED
|
|
|
|
: SSL_KEY_UPDATE_NOT_REQUESTED);
|
|
|
|
i = SSL_do_handshake(con);
|
|
|
|
printf("SSL_do_handshake -> %d\n", i);
|
|
|
|
i = 0;
|
|
|
|
continue;
|
|
|
|
}
|
Add TLSv1.3 post-handshake authentication (PHA)
Add SSL_verify_client_post_handshake() for servers to initiate PHA
Add SSL_force_post_handshake_auth() for clients that don't have certificates
initially configured, but use a certificate callback.
Update SSL_CTX_set_verify()/SSL_set_verify() mode:
* Add SSL_VERIFY_POST_HANDSHAKE to postpone client authentication until after
the initial handshake.
* Update SSL_VERIFY_CLIENT_ONCE now only sends out one CertRequest regardless
of when the certificate authentication takes place; either initial handshake,
re-negotiation, or post-handshake authentication.
Add 'RequestPostHandshake' and 'RequirePostHandshake' SSL_CONF options that
add the SSL_VERIFY_POST_HANDSHAKE to the 'Request' and 'Require' options
Add support to s_client:
* Enabled automatically when cert is configured
* Can be forced enabled via -force_pha
Add support to s_server:
* Use 'c' to invoke PHA in s_server
* Remove some dead code
Update documentation
Update unit tests:
* Illegal use of PHA extension
* TLSv1.3 certificate tests
DTLS and TLS behave ever-so-slightly differently. So, when DTLS1.3 is
implemented, it's PHA support state machine may need to be different.
Add a TODO and a #error
Update handshake context to deal with PHA.
The handshake context for TLSv1.3 post-handshake auth is up through the
ClientFinish message, plus the CertificateRequest message. Subsequent
Certificate, CertificateVerify, and Finish messages are based on this
handshake context (not the Certificate message per se, but it's included
after the hash). KeyUpdate, NewSessionTicket, and prior Certificate
Request messages are not included in post-handshake authentication.
After the ClientFinished message is processed, save off the digest state
for future post-handshake authentication. When post-handshake auth occurs,
copy over the saved handshake context into the "main" handshake digest.
This effectively discards the any KeyUpdate or NewSessionTicket messages
and any prior post-handshake authentication.
This, of course, assumes that the ID-22 did not mean to include any
previous post-handshake authentication into the new handshake transcript.
This is implied by section 4.4.1 that lists messages only up to the
first ClientFinished.
Reviewed-by: Ben Kaduk <kaduk@mit.edu>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/4964)
2017-12-18 21:52:28 +00:00
|
|
|
if (buf[0] == 'c' && ((buf[1] == '\n') || (buf[1] == '\r'))) {
|
|
|
|
SSL_set_verify(con, SSL_VERIFY_PEER, NULL);
|
|
|
|
i = SSL_verify_client_post_handshake(con);
|
|
|
|
if (i == 0) {
|
|
|
|
printf("Failed to initiate request\n");
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
} else {
|
|
|
|
i = SSL_do_handshake(con);
|
|
|
|
printf("SSL_do_handshake -> %d\n", i);
|
|
|
|
i = 0;
|
|
|
|
}
|
|
|
|
continue;
|
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
if (buf[0] == 'P') {
|
|
|
|
static const char *str = "Lets print some clear text\n";
|
|
|
|
BIO_write(SSL_get_wbio(con), str, strlen(str));
|
|
|
|
}
|
|
|
|
if (buf[0] == 'S') {
|
|
|
|
print_stats(bio_s_out, SSL_get_SSL_CTX(con));
|
|
|
|
}
|
|
|
|
}
|
1999-06-04 21:35:58 +00:00
|
|
|
#ifdef CHARSET_EBCDIC
|
2015-01-22 03:40:55 +00:00
|
|
|
ebcdic2ascii(buf, buf, i);
|
1999-06-04 21:35:58 +00:00
|
|
|
#endif
|
2015-01-22 03:40:55 +00:00
|
|
|
l = k = 0;
|
|
|
|
for (;;) {
|
|
|
|
/* should do a select for the write */
|
1998-12-21 10:56:39 +00:00
|
|
|
#ifdef RENEG
|
2016-08-03 20:49:25 +00:00
|
|
|
static count = 0;
|
|
|
|
if (++count == 100) {
|
|
|
|
count = 0;
|
|
|
|
SSL_renegotiate(con);
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
1998-12-21 10:52:47 +00:00
|
|
|
#endif
|
2015-01-22 03:40:55 +00:00
|
|
|
k = SSL_write(con, &(buf[l]), (unsigned int)i);
|
2012-02-10 19:43:14 +00:00
|
|
|
#ifndef OPENSSL_NO_SRP
|
2015-01-22 03:40:55 +00:00
|
|
|
while (SSL_get_error(con, k) == SSL_ERROR_WANT_X509_LOOKUP) {
|
|
|
|
BIO_printf(bio_s_out, "LOOKUP renego during write\n");
|
2016-02-24 11:59:59 +00:00
|
|
|
SRP_user_pwd_free(srp_callback_parm.user);
|
2015-01-22 03:40:55 +00:00
|
|
|
srp_callback_parm.user =
|
2016-02-24 11:59:59 +00:00
|
|
|
SRP_VBASE_get1_by_user(srp_callback_parm.vb,
|
|
|
|
srp_callback_parm.login);
|
2016-09-14 18:54:30 +00:00
|
|
|
if (srp_callback_parm.user)
|
2015-01-22 03:40:55 +00:00
|
|
|
BIO_printf(bio_s_out, "LOOKUP done %s\n",
|
|
|
|
srp_callback_parm.user->info);
|
|
|
|
else
|
|
|
|
BIO_printf(bio_s_out, "LOOKUP not successful\n");
|
|
|
|
k = SSL_write(con, &(buf[l]), (unsigned int)i);
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
switch (SSL_get_error(con, k)) {
|
|
|
|
case SSL_ERROR_NONE:
|
|
|
|
break;
|
2015-02-13 23:33:12 +00:00
|
|
|
case SSL_ERROR_WANT_ASYNC:
|
|
|
|
BIO_printf(bio_s_out, "Write BLOCK (Async)\n");
|
2016-05-20 10:20:22 +00:00
|
|
|
(void)BIO_flush(bio_s_out);
|
2015-07-24 07:15:31 +00:00
|
|
|
wait_for_async(con);
|
2015-02-13 23:33:12 +00:00
|
|
|
break;
|
2015-01-22 03:40:55 +00:00
|
|
|
case SSL_ERROR_WANT_WRITE:
|
|
|
|
case SSL_ERROR_WANT_READ:
|
|
|
|
case SSL_ERROR_WANT_X509_LOOKUP:
|
|
|
|
BIO_printf(bio_s_out, "Write BLOCK\n");
|
2016-05-20 10:20:22 +00:00
|
|
|
(void)BIO_flush(bio_s_out);
|
2015-01-22 03:40:55 +00:00
|
|
|
break;
|
2016-05-03 16:55:00 +00:00
|
|
|
case SSL_ERROR_WANT_ASYNC_JOB:
|
|
|
|
/*
|
|
|
|
* This shouldn't ever happen in s_server. Treat as an error
|
|
|
|
*/
|
2015-01-22 03:40:55 +00:00
|
|
|
case SSL_ERROR_SYSCALL:
|
|
|
|
case SSL_ERROR_SSL:
|
|
|
|
BIO_printf(bio_s_out, "ERROR\n");
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
(void)BIO_flush(bio_s_out);
|
2015-01-22 03:40:55 +00:00
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
ret = 1;
|
|
|
|
goto err;
|
|
|
|
/* break; */
|
|
|
|
case SSL_ERROR_ZERO_RETURN:
|
|
|
|
BIO_printf(bio_s_out, "DONE\n");
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
(void)BIO_flush(bio_s_out);
|
2015-01-22 03:40:55 +00:00
|
|
|
ret = 1;
|
|
|
|
goto err;
|
|
|
|
}
|
2015-05-18 23:08:02 +00:00
|
|
|
if (k > 0) {
|
|
|
|
l += k;
|
|
|
|
i -= k;
|
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
if (i <= 0)
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
if (read_from_sslcon) {
|
2015-09-16 21:54:54 +00:00
|
|
|
/*
|
|
|
|
* init_ssl_connection handles all async events itself so if we're
|
|
|
|
* waiting for async then we shouldn't go back into
|
|
|
|
* init_ssl_connection
|
|
|
|
*/
|
|
|
|
if ((!async || !SSL_waiting_for_async(con))
|
|
|
|
&& !SSL_is_init_finished(con)) {
|
2015-01-22 03:40:55 +00:00
|
|
|
i = init_ssl_connection(con);
|
|
|
|
|
|
|
|
if (i < 0) {
|
|
|
|
ret = 0;
|
|
|
|
goto err;
|
|
|
|
} else if (i == 0) {
|
|
|
|
ret = 1;
|
|
|
|
goto err;
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
again:
|
|
|
|
i = SSL_read(con, (char *)buf, bufsize);
|
2012-02-10 19:43:14 +00:00
|
|
|
#ifndef OPENSSL_NO_SRP
|
2015-01-22 03:40:55 +00:00
|
|
|
while (SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP) {
|
|
|
|
BIO_printf(bio_s_out, "LOOKUP renego during read\n");
|
2016-02-24 11:59:59 +00:00
|
|
|
SRP_user_pwd_free(srp_callback_parm.user);
|
2015-01-22 03:40:55 +00:00
|
|
|
srp_callback_parm.user =
|
2016-02-24 11:59:59 +00:00
|
|
|
SRP_VBASE_get1_by_user(srp_callback_parm.vb,
|
|
|
|
srp_callback_parm.login);
|
2015-01-22 03:40:55 +00:00
|
|
|
if (srp_callback_parm.user)
|
|
|
|
BIO_printf(bio_s_out, "LOOKUP done %s\n",
|
|
|
|
srp_callback_parm.user->info);
|
|
|
|
else
|
|
|
|
BIO_printf(bio_s_out, "LOOKUP not successful\n");
|
|
|
|
i = SSL_read(con, (char *)buf, bufsize);
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
switch (SSL_get_error(con, i)) {
|
|
|
|
case SSL_ERROR_NONE:
|
1999-06-04 21:35:58 +00:00
|
|
|
#ifdef CHARSET_EBCDIC
|
2015-01-22 03:40:55 +00:00
|
|
|
ascii2ebcdic(buf, buf, i);
|
|
|
|
#endif
|
|
|
|
raw_write_stdout(buf, (unsigned int)i);
|
2016-05-20 10:20:22 +00:00
|
|
|
(void)BIO_flush(bio_s_out);
|
2016-02-12 13:33:45 +00:00
|
|
|
if (SSL_has_pending(con))
|
2015-01-22 03:40:55 +00:00
|
|
|
goto again;
|
|
|
|
break;
|
2015-02-13 23:33:12 +00:00
|
|
|
case SSL_ERROR_WANT_ASYNC:
|
2015-07-24 07:15:31 +00:00
|
|
|
BIO_printf(bio_s_out, "Read BLOCK (Async)\n");
|
2016-05-20 10:20:22 +00:00
|
|
|
(void)BIO_flush(bio_s_out);
|
2015-07-24 07:15:31 +00:00
|
|
|
wait_for_async(con);
|
|
|
|
break;
|
2015-01-22 03:40:55 +00:00
|
|
|
case SSL_ERROR_WANT_WRITE:
|
|
|
|
case SSL_ERROR_WANT_READ:
|
|
|
|
BIO_printf(bio_s_out, "Read BLOCK\n");
|
2016-05-20 10:20:22 +00:00
|
|
|
(void)BIO_flush(bio_s_out);
|
2015-01-22 03:40:55 +00:00
|
|
|
break;
|
2016-05-03 16:55:00 +00:00
|
|
|
case SSL_ERROR_WANT_ASYNC_JOB:
|
|
|
|
/*
|
|
|
|
* This shouldn't ever happen in s_server. Treat as an error
|
|
|
|
*/
|
2015-01-22 03:40:55 +00:00
|
|
|
case SSL_ERROR_SYSCALL:
|
|
|
|
case SSL_ERROR_SSL:
|
|
|
|
BIO_printf(bio_s_out, "ERROR\n");
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
(void)BIO_flush(bio_s_out);
|
2015-01-22 03:40:55 +00:00
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
ret = 1;
|
|
|
|
goto err;
|
|
|
|
case SSL_ERROR_ZERO_RETURN:
|
|
|
|
BIO_printf(bio_s_out, "DONE\n");
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
(void)BIO_flush(bio_s_out);
|
2015-01-22 03:40:55 +00:00
|
|
|
ret = 1;
|
|
|
|
goto err;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
err:
|
|
|
|
if (con != NULL) {
|
|
|
|
BIO_printf(bio_s_out, "shutting down SSL\n");
|
|
|
|
SSL_set_shutdown(con, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
|
|
|
|
SSL_free(con);
|
|
|
|
}
|
|
|
|
BIO_printf(bio_s_out, "CONNECTION CLOSED\n");
|
2015-04-30 21:57:32 +00:00
|
|
|
OPENSSL_clear_free(buf, bufsize);
|
2015-01-22 03:40:55 +00:00
|
|
|
if (ret >= 0)
|
|
|
|
BIO_printf(bio_s_out, "ACCEPT\n");
|
2015-04-25 13:26:48 +00:00
|
|
|
(void)BIO_flush(bio_s_out);
|
2017-10-17 14:04:09 +00:00
|
|
|
return ret;
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
1998-12-21 10:52:47 +00:00
|
|
|
|
1999-04-19 21:31:43 +00:00
|
|
|
static void close_accept_socket(void)
|
2015-01-22 03:40:55 +00:00
|
|
|
{
|
|
|
|
BIO_printf(bio_err, "shutdown accept socket\n");
|
|
|
|
if (accept_socket >= 0) {
|
2016-03-02 21:12:46 +00:00
|
|
|
BIO_closesocket(accept_socket);
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
|
|
|
}
|
1998-12-21 10:52:47 +00:00
|
|
|
|
2017-04-26 13:00:35 +00:00
|
|
|
static int is_retryable(SSL *con, int i)
|
|
|
|
{
|
|
|
|
int err = SSL_get_error(con, i);
|
|
|
|
|
|
|
|
/* If it's not a fatal error, it must be retryable */
|
|
|
|
return (err != SSL_ERROR_SSL)
|
|
|
|
&& (err != SSL_ERROR_SYSCALL)
|
|
|
|
&& (err != SSL_ERROR_ZERO_RETURN);
|
|
|
|
}
|
|
|
|
|
1999-04-19 21:31:43 +00:00
|
|
|
static int init_ssl_connection(SSL *con)
|
2015-01-22 03:40:55 +00:00
|
|
|
{
|
|
|
|
int i;
|
2015-09-05 12:32:58 +00:00
|
|
|
long verify_err;
|
2016-05-20 10:20:22 +00:00
|
|
|
int retry = 0;
|
2015-04-09 09:01:05 +00:00
|
|
|
|
2017-12-29 17:37:04 +00:00
|
|
|
if (dtlslisten || stateless) {
|
2016-02-02 23:27:44 +00:00
|
|
|
BIO_ADDR *client = NULL;
|
|
|
|
|
2017-12-29 17:37:04 +00:00
|
|
|
if (dtlslisten) {
|
|
|
|
if ((client = BIO_ADDR_new()) == NULL) {
|
|
|
|
BIO_printf(bio_err, "ERROR - memory\n");
|
|
|
|
return 0;
|
|
|
|
}
|
|
|
|
i = DTLSv1_listen(con, client);
|
|
|
|
} else {
|
|
|
|
i = SSL_stateless(con);
|
2016-02-02 23:27:44 +00:00
|
|
|
}
|
2015-04-09 09:01:05 +00:00
|
|
|
if (i > 0) {
|
|
|
|
BIO *wbio;
|
2015-09-23 17:57:42 +00:00
|
|
|
int fd = -1;
|
2015-04-09 09:01:05 +00:00
|
|
|
|
2017-12-29 17:37:04 +00:00
|
|
|
if (dtlslisten) {
|
|
|
|
wbio = SSL_get_wbio(con);
|
|
|
|
if (wbio) {
|
|
|
|
BIO_get_fd(wbio, &fd);
|
|
|
|
}
|
2015-04-09 09:01:05 +00:00
|
|
|
|
2017-12-29 17:37:04 +00:00
|
|
|
if (!wbio || BIO_connect(fd, client, 0) == 0) {
|
|
|
|
BIO_printf(bio_err, "ERROR - unable to connect\n");
|
|
|
|
BIO_ADDR_free(client);
|
|
|
|
return 0;
|
|
|
|
}
|
2016-02-02 23:27:44 +00:00
|
|
|
BIO_ADDR_free(client);
|
2017-12-29 17:37:04 +00:00
|
|
|
dtlslisten = 0;
|
|
|
|
} else {
|
|
|
|
stateless = 0;
|
2015-04-09 09:01:05 +00:00
|
|
|
}
|
|
|
|
i = SSL_accept(con);
|
2016-04-26 17:33:03 +00:00
|
|
|
} else {
|
|
|
|
BIO_ADDR_free(client);
|
2015-04-09 09:01:05 +00:00
|
|
|
}
|
2017-12-29 17:37:04 +00:00
|
|
|
} else {
|
|
|
|
do {
|
|
|
|
i = SSL_accept(con);
|
1998-12-21 10:52:47 +00:00
|
|
|
|
2017-12-29 17:37:04 +00:00
|
|
|
if (i <= 0)
|
|
|
|
retry = is_retryable(con, i);
|
2014-01-26 00:51:09 +00:00
|
|
|
#ifdef CERT_CB_TEST_RETRY
|
2017-12-29 17:37:04 +00:00
|
|
|
{
|
|
|
|
while (i <= 0
|
|
|
|
&& SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP
|
|
|
|
&& SSL_get_state(con) == TLS_ST_SR_CLNT_HELLO) {
|
|
|
|
BIO_printf(bio_err,
|
|
|
|
"LOOKUP from certificate callback during accept\n");
|
|
|
|
i = SSL_accept(con);
|
|
|
|
if (i <= 0)
|
|
|
|
retry = is_retryable(con, i);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
|
|
|
#ifndef OPENSSL_NO_SRP
|
2016-08-07 10:04:26 +00:00
|
|
|
while (i <= 0
|
2017-12-29 17:37:04 +00:00
|
|
|
&& SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP) {
|
|
|
|
BIO_printf(bio_s_out, "LOOKUP during accept %s\n",
|
|
|
|
srp_callback_parm.login);
|
|
|
|
SRP_user_pwd_free(srp_callback_parm.user);
|
|
|
|
srp_callback_parm.user =
|
|
|
|
SRP_VBASE_get1_by_user(srp_callback_parm.vb,
|
|
|
|
srp_callback_parm.login);
|
|
|
|
if (srp_callback_parm.user)
|
|
|
|
BIO_printf(bio_s_out, "LOOKUP done %s\n",
|
|
|
|
srp_callback_parm.user->info);
|
|
|
|
else
|
|
|
|
BIO_printf(bio_s_out, "LOOKUP not successful\n");
|
2015-02-13 23:33:12 +00:00
|
|
|
i = SSL_accept(con);
|
2016-05-20 10:20:22 +00:00
|
|
|
if (i <= 0)
|
2017-04-26 13:00:35 +00:00
|
|
|
retry = is_retryable(con, i);
|
2015-02-13 23:33:12 +00:00
|
|
|
}
|
2014-01-26 00:51:09 +00:00
|
|
|
#endif
|
2017-12-29 17:37:04 +00:00
|
|
|
} while (i < 0 && SSL_waiting_for_async(con));
|
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
|
|
|
|
if (i <= 0) {
|
2017-12-29 17:37:04 +00:00
|
|
|
if (((dtlslisten || stateless) && i == 0)
|
|
|
|
|| (!dtlslisten && !stateless && retry)) {
|
2015-01-22 03:40:55 +00:00
|
|
|
BIO_printf(bio_s_out, "DELAY\n");
|
2017-10-09 11:05:58 +00:00
|
|
|
return 1;
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
BIO_printf(bio_err, "ERROR\n");
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
|
2015-09-05 12:32:58 +00:00
|
|
|
verify_err = SSL_get_verify_result(con);
|
|
|
|
if (verify_err != X509_V_OK) {
|
2015-01-22 03:40:55 +00:00
|
|
|
BIO_printf(bio_err, "verify error:%s\n",
|
2015-09-05 12:32:58 +00:00
|
|
|
X509_verify_cert_error_string(verify_err));
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
|
|
|
/* Always print any error messages */
|
|
|
|
ERR_print_errors(bio_err);
|
2017-10-17 14:04:09 +00:00
|
|
|
return 0;
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
|
|
|
|
2017-02-27 20:55:04 +00:00
|
|
|
print_connection_info(con);
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
static void print_connection_info(SSL *con)
|
|
|
|
{
|
|
|
|
const char *str;
|
|
|
|
X509 *peer;
|
|
|
|
char buf[BUFSIZ];
|
|
|
|
#if !defined(OPENSSL_NO_NEXTPROTONEG)
|
|
|
|
const unsigned char *next_proto_neg;
|
|
|
|
unsigned next_proto_neg_len;
|
|
|
|
#endif
|
|
|
|
unsigned char *exportedkeymat;
|
|
|
|
int i;
|
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
if (s_brief)
|
2015-04-29 15:27:08 +00:00
|
|
|
print_ssl_summary(con);
|
2015-01-22 03:40:55 +00:00
|
|
|
|
|
|
|
PEM_write_bio_SSL_SESSION(bio_s_out, SSL_get_session(con));
|
|
|
|
|
|
|
|
peer = SSL_get_peer_certificate(con);
|
|
|
|
if (peer != NULL) {
|
|
|
|
BIO_printf(bio_s_out, "Client certificate\n");
|
|
|
|
PEM_write_bio_X509(bio_s_out, peer);
|
2017-04-25 16:25:42 +00:00
|
|
|
dump_cert_text(bio_s_out, peer);
|
2015-01-22 03:40:55 +00:00
|
|
|
X509_free(peer);
|
2016-03-07 20:00:02 +00:00
|
|
|
peer = NULL;
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
|
|
|
|
2017-12-07 18:39:34 +00:00
|
|
|
if (SSL_get_shared_ciphers(con, buf, sizeof(buf)) != NULL)
|
2015-01-22 03:40:55 +00:00
|
|
|
BIO_printf(bio_s_out, "Shared ciphers:%s\n", buf);
|
|
|
|
str = SSL_CIPHER_get_name(SSL_get_current_cipher(con));
|
|
|
|
ssl_print_sigalgs(bio_s_out, con);
|
2013-08-17 16:40:08 +00:00
|
|
|
#ifndef OPENSSL_NO_EC
|
2015-01-22 03:40:55 +00:00
|
|
|
ssl_print_point_formats(bio_s_out, con);
|
2016-11-09 14:51:06 +00:00
|
|
|
ssl_print_groups(bio_s_out, con, 0);
|
2013-08-17 16:40:08 +00:00
|
|
|
#endif
|
2017-03-31 16:04:28 +00:00
|
|
|
print_ca_names(bio_s_out, con);
|
2015-01-22 03:40:55 +00:00
|
|
|
BIO_printf(bio_s_out, "CIPHER is %s\n", (str != NULL) ? str : "(NONE)");
|
2012-03-06 14:28:21 +00:00
|
|
|
|
2015-05-15 09:49:56 +00:00
|
|
|
#if !defined(OPENSSL_NO_NEXTPROTONEG)
|
2015-01-22 03:40:55 +00:00
|
|
|
SSL_get0_next_proto_negotiated(con, &next_proto_neg, &next_proto_neg_len);
|
|
|
|
if (next_proto_neg) {
|
|
|
|
BIO_printf(bio_s_out, "NEXTPROTO is ");
|
|
|
|
BIO_write(bio_s_out, next_proto_neg, next_proto_neg_len);
|
|
|
|
BIO_printf(bio_s_out, "\n");
|
|
|
|
}
|
2010-07-28 10:06:55 +00:00
|
|
|
#endif
|
2014-12-22 11:15:51 +00:00
|
|
|
#ifndef OPENSSL_NO_SRTP
|
2015-01-22 03:40:55 +00:00
|
|
|
{
|
|
|
|
SRTP_PROTECTION_PROFILE *srtp_profile
|
|
|
|
= SSL_get_selected_srtp_profile(con);
|
|
|
|
|
|
|
|
if (srtp_profile)
|
|
|
|
BIO_printf(bio_s_out, "SRTP Extension negotiated, profile=%s\n",
|
|
|
|
srtp_profile->name);
|
|
|
|
}
|
|
|
|
#endif
|
2016-02-08 16:18:26 +00:00
|
|
|
if (SSL_session_reused(con))
|
2015-01-22 03:40:55 +00:00
|
|
|
BIO_printf(bio_s_out, "Reused session-id\n");
|
|
|
|
BIO_printf(bio_s_out, "Secure Renegotiation IS%s supported\n",
|
|
|
|
SSL_get_secure_renegotiation_support(con) ? "" : " NOT");
|
2017-05-10 20:46:14 +00:00
|
|
|
if ((SSL_get_options(con) & SSL_OP_NO_RENEGOTIATION))
|
|
|
|
BIO_printf(bio_s_out, "Renegotiation is DISABLED\n");
|
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
if (keymatexportlabel != NULL) {
|
|
|
|
BIO_printf(bio_s_out, "Keying material exporter:\n");
|
|
|
|
BIO_printf(bio_s_out, " Label: '%s'\n", keymatexportlabel);
|
|
|
|
BIO_printf(bio_s_out, " Length: %i bytes\n", keymatexportlen);
|
2015-04-30 21:48:31 +00:00
|
|
|
exportedkeymat = app_malloc(keymatexportlen, "export key");
|
|
|
|
if (!SSL_export_keying_material(con, exportedkeymat,
|
|
|
|
keymatexportlen,
|
|
|
|
keymatexportlabel,
|
|
|
|
strlen(keymatexportlabel),
|
|
|
|
NULL, 0, 0)) {
|
|
|
|
BIO_printf(bio_s_out, " Error\n");
|
|
|
|
} else {
|
|
|
|
BIO_printf(bio_s_out, " Keying material: ");
|
|
|
|
for (i = 0; i < keymatexportlen; i++)
|
|
|
|
BIO_printf(bio_s_out, "%02X", exportedkeymat[i]);
|
|
|
|
BIO_printf(bio_s_out, "\n");
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
2015-04-30 21:48:31 +00:00
|
|
|
OPENSSL_free(exportedkeymat);
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
|
|
|
|
2016-08-07 10:04:26 +00:00
|
|
|
(void)BIO_flush(bio_s_out);
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
1998-12-21 10:52:47 +00:00
|
|
|
|
2001-02-19 16:06:34 +00:00
|
|
|
#ifndef OPENSSL_NO_DH
|
2005-04-07 22:48:33 +00:00
|
|
|
static DH *load_dh_param(const char *dhfile)
|
2015-01-22 03:40:55 +00:00
|
|
|
{
|
|
|
|
DH *ret = NULL;
|
|
|
|
BIO *bio;
|
|
|
|
|
|
|
|
if ((bio = BIO_new_file(dhfile, "r")) == NULL)
|
|
|
|
goto err;
|
|
|
|
ret = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
|
|
|
|
err:
|
2015-03-25 15:31:18 +00:00
|
|
|
BIO_free(bio);
|
2017-10-17 14:04:09 +00:00
|
|
|
return ret;
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
1998-12-21 10:56:39 +00:00
|
|
|
#endif
|
1998-12-21 10:52:47 +00:00
|
|
|
|
2017-04-20 08:56:56 +00:00
|
|
|
static int www_body(int s, int stype, int prot, unsigned char *context)
|
2015-01-22 03:40:55 +00:00
|
|
|
{
|
|
|
|
char *buf = NULL;
|
|
|
|
int ret = 1;
|
|
|
|
int i, j, k, dot;
|
|
|
|
SSL *con;
|
|
|
|
const SSL_CIPHER *c;
|
|
|
|
BIO *io, *ssl_bio, *sbio;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
#ifdef RENEG
|
|
|
|
int total_bytes = 0;
|
|
|
|
#endif
|
2015-09-11 12:11:37 +00:00
|
|
|
int width;
|
|
|
|
fd_set readfds;
|
|
|
|
|
|
|
|
/* Set width for a select call if needed */
|
|
|
|
width = s + 1;
|
1998-12-21 10:52:47 +00:00
|
|
|
|
2015-04-30 21:48:31 +00:00
|
|
|
buf = app_malloc(bufsize, "server www buffer");
|
2015-01-22 03:40:55 +00:00
|
|
|
io = BIO_new(BIO_f_buffer());
|
|
|
|
ssl_bio = BIO_new(BIO_f_ssl());
|
|
|
|
if ((io == NULL) || (ssl_bio == NULL))
|
|
|
|
goto err;
|
1998-12-21 10:52:47 +00:00
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
if (s_nbio) {
|
2016-02-27 18:24:28 +00:00
|
|
|
if (!BIO_socket_nbio(s, 1))
|
2015-01-22 03:40:55 +00:00
|
|
|
ERR_print_errors(bio_err);
|
2016-02-27 18:24:28 +00:00
|
|
|
else if (!s_quiet)
|
|
|
|
BIO_printf(bio_err, "Turned on non blocking io\n");
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
1998-12-21 10:52:47 +00:00
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
/* lets make the output buffer a reasonable size */
|
|
|
|
if (!BIO_set_write_buffer_size(io, bufsize))
|
|
|
|
goto err;
|
1998-12-21 10:52:47 +00:00
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
if ((con = SSL_new(ctx)) == NULL)
|
|
|
|
goto err;
|
2015-05-15 09:49:56 +00:00
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
if (s_tlsextdebug) {
|
|
|
|
SSL_set_tlsext_debug_callback(con, tlsext_cb);
|
|
|
|
SSL_set_tlsext_debug_arg(con, bio_s_out);
|
|
|
|
}
|
2015-05-15 09:49:56 +00:00
|
|
|
|
2017-06-12 17:24:02 +00:00
|
|
|
if (context != NULL
|
2016-08-07 10:04:26 +00:00
|
|
|
&& !SSL_set_session_id_context(con, context,
|
|
|
|
strlen((char *)context)))
|
2015-03-06 14:39:46 +00:00
|
|
|
goto err;
|
2015-01-22 03:40:55 +00:00
|
|
|
|
|
|
|
sbio = BIO_new_socket(s, BIO_NOCLOSE);
|
|
|
|
if (s_nbio_test) {
|
|
|
|
BIO *test;
|
|
|
|
|
|
|
|
test = BIO_new(BIO_f_nbio_test());
|
|
|
|
sbio = BIO_push(test, sbio);
|
|
|
|
}
|
|
|
|
SSL_set_bio(con, sbio, sbio);
|
|
|
|
SSL_set_accept_state(con);
|
|
|
|
|
|
|
|
/* SSL_set_fd(con,s); */
|
|
|
|
BIO_set_ssl(ssl_bio, con, BIO_CLOSE);
|
|
|
|
BIO_push(io, ssl_bio);
|
1999-06-04 21:35:58 +00:00
|
|
|
#ifdef CHARSET_EBCDIC
|
2015-01-22 03:40:55 +00:00
|
|
|
io = BIO_push(BIO_new(BIO_f_ebcdic_filter()), io);
|
1999-06-04 21:35:58 +00:00
|
|
|
#endif
|
1998-12-21 10:52:47 +00:00
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
if (s_debug) {
|
|
|
|
BIO_set_callback(SSL_get_rbio(con), bio_dump_callback);
|
|
|
|
BIO_set_callback_arg(SSL_get_rbio(con), (char *)bio_s_out);
|
|
|
|
}
|
|
|
|
if (s_msg) {
|
2012-06-15 12:46:09 +00:00
|
|
|
#ifndef OPENSSL_NO_SSL_TRACE
|
2015-01-22 03:40:55 +00:00
|
|
|
if (s_msg == 2)
|
|
|
|
SSL_set_msg_callback(con, SSL_trace);
|
|
|
|
else
|
|
|
|
#endif
|
|
|
|
SSL_set_msg_callback(con, msg_cb);
|
|
|
|
SSL_set_msg_callback_arg(con, bio_s_msg ? bio_s_msg : bio_s_out);
|
|
|
|
}
|
|
|
|
|
|
|
|
for (;;) {
|
|
|
|
i = BIO_gets(io, buf, bufsize - 1);
|
|
|
|
if (i < 0) { /* error */
|
2015-03-27 15:20:24 +00:00
|
|
|
if (!BIO_should_retry(io) && !SSL_waiting_for_async(con)) {
|
2015-01-22 03:40:55 +00:00
|
|
|
if (!s_quiet)
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
goto err;
|
|
|
|
} else {
|
|
|
|
BIO_printf(bio_s_out, "read R BLOCK\n");
|
2015-09-12 01:37:48 +00:00
|
|
|
#ifndef OPENSSL_NO_SRP
|
|
|
|
if (BIO_should_io_special(io)
|
|
|
|
&& BIO_get_retry_reason(io) == BIO_RR_SSL_X509_LOOKUP) {
|
|
|
|
BIO_printf(bio_s_out, "LOOKUP renego during read\n");
|
2016-02-24 11:59:59 +00:00
|
|
|
SRP_user_pwd_free(srp_callback_parm.user);
|
2015-09-12 01:37:48 +00:00
|
|
|
srp_callback_parm.user =
|
2016-02-24 11:59:59 +00:00
|
|
|
SRP_VBASE_get1_by_user(srp_callback_parm.vb,
|
|
|
|
srp_callback_parm.login);
|
2015-09-12 01:37:48 +00:00
|
|
|
if (srp_callback_parm.user)
|
|
|
|
BIO_printf(bio_s_out, "LOOKUP done %s\n",
|
|
|
|
srp_callback_parm.user->info);
|
|
|
|
else
|
|
|
|
BIO_printf(bio_s_out, "LOOKUP not successful\n");
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
#endif
|
2016-03-17 16:53:11 +00:00
|
|
|
#if !defined(OPENSSL_SYS_MSDOS)
|
2015-01-22 03:40:55 +00:00
|
|
|
sleep(1);
|
|
|
|
#endif
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
} else if (i == 0) { /* end of input */
|
|
|
|
ret = 1;
|
|
|
|
goto end;
|
|
|
|
}
|
1998-12-21 10:52:47 +00:00
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
/* else we have data */
|
|
|
|
if (((www == 1) && (strncmp("GET ", buf, 4) == 0)) ||
|
2014-06-01 17:30:52 +00:00
|
|
|
((www == 2) && (strncmp("GET /stats ", buf, 11) == 0))) {
|
2015-01-22 03:40:55 +00:00
|
|
|
char *p;
|
2016-03-07 20:00:02 +00:00
|
|
|
X509 *peer = NULL;
|
2015-01-22 03:40:55 +00:00
|
|
|
STACK_OF(SSL_CIPHER) *sk;
|
|
|
|
static const char *space = " ";
|
|
|
|
|
|
|
|
if (www == 1 && strncmp("GET /reneg", buf, 10) == 0) {
|
|
|
|
if (strncmp("GET /renegcert", buf, 14) == 0)
|
|
|
|
SSL_set_verify(con,
|
|
|
|
SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE,
|
|
|
|
NULL);
|
|
|
|
i = SSL_renegotiate(con);
|
|
|
|
BIO_printf(bio_s_out, "SSL_renegotiate -> %d\n", i);
|
2015-09-11 12:11:37 +00:00
|
|
|
/* Send the HelloRequest */
|
2015-01-22 03:40:55 +00:00
|
|
|
i = SSL_do_handshake(con);
|
|
|
|
if (i <= 0) {
|
|
|
|
BIO_printf(bio_s_out, "SSL_do_handshake() Retval %d\n",
|
|
|
|
SSL_get_error(con, i));
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
goto err;
|
|
|
|
}
|
2015-09-11 12:11:37 +00:00
|
|
|
/* Wait for a ClientHello to come back */
|
|
|
|
FD_ZERO(&readfds);
|
|
|
|
openssl_fdset(s, &readfds);
|
|
|
|
i = select(width, (void *)&readfds, NULL, NULL, NULL);
|
|
|
|
if (i <= 0 || !FD_ISSET(s, &readfds)) {
|
2016-08-07 10:04:26 +00:00
|
|
|
BIO_printf(bio_s_out,
|
|
|
|
"Error waiting for client response\n");
|
2015-01-22 03:40:55 +00:00
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
goto err;
|
|
|
|
}
|
2015-09-11 12:11:37 +00:00
|
|
|
/*
|
2016-03-07 20:00:02 +00:00
|
|
|
* We're not actually expecting any data here and we ignore
|
2015-09-11 12:11:37 +00:00
|
|
|
* any that is sent. This is just to force the handshake that
|
|
|
|
* we're expecting to come from the client. If they haven't
|
|
|
|
* sent one there's not much we can do.
|
|
|
|
*/
|
|
|
|
BIO_gets(io, buf, bufsize - 1);
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
|
|
|
|
|
|
|
BIO_puts(io,
|
|
|
|
"HTTP/1.0 200 ok\r\nContent-type: text/html\r\n\r\n");
|
|
|
|
BIO_puts(io, "<HTML><BODY BGCOLOR=\"#ffffff\">\n");
|
|
|
|
BIO_puts(io, "<pre>\n");
|
2016-03-07 20:00:02 +00:00
|
|
|
/* BIO_puts(io, OpenSSL_version(OPENSSL_VERSION)); */
|
2015-01-22 03:40:55 +00:00
|
|
|
BIO_puts(io, "\n");
|
|
|
|
for (i = 0; i < local_argc; i++) {
|
2015-04-25 20:06:19 +00:00
|
|
|
const char *myp;
|
|
|
|
for (myp = local_argv[i]; *myp; myp++)
|
|
|
|
switch (*myp) {
|
|
|
|
case '<':
|
|
|
|
BIO_puts(io, "<");
|
|
|
|
break;
|
|
|
|
case '>':
|
|
|
|
BIO_puts(io, ">");
|
|
|
|
break;
|
|
|
|
case '&':
|
|
|
|
BIO_puts(io, "&");
|
|
|
|
break;
|
|
|
|
default:
|
|
|
|
BIO_write(io, myp, 1);
|
|
|
|
break;
|
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
BIO_write(io, " ", 1);
|
|
|
|
}
|
|
|
|
BIO_puts(io, "\n");
|
|
|
|
|
|
|
|
BIO_printf(io,
|
|
|
|
"Secure Renegotiation IS%s supported\n",
|
|
|
|
SSL_get_secure_renegotiation_support(con) ?
|
|
|
|
"" : " NOT");
|
|
|
|
|
|
|
|
/*
|
|
|
|
* The following is evil and should not really be done
|
|
|
|
*/
|
|
|
|
BIO_printf(io, "Ciphers supported in s_server binary\n");
|
|
|
|
sk = SSL_get_ciphers(con);
|
|
|
|
j = sk_SSL_CIPHER_num(sk);
|
|
|
|
for (i = 0; i < j; i++) {
|
|
|
|
c = sk_SSL_CIPHER_value(sk, i);
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
BIO_printf(io, "%-11s:%-25s ",
|
2015-01-22 03:40:55 +00:00
|
|
|
SSL_CIPHER_get_version(c), SSL_CIPHER_get_name(c));
|
|
|
|
if ((((i + 1) % 2) == 0) && (i + 1 != j))
|
|
|
|
BIO_puts(io, "\n");
|
|
|
|
}
|
|
|
|
BIO_puts(io, "\n");
|
|
|
|
p = SSL_get_shared_ciphers(con, buf, bufsize);
|
|
|
|
if (p != NULL) {
|
|
|
|
BIO_printf(io,
|
|
|
|
"---\nCiphers common between both SSL end points:\n");
|
|
|
|
j = i = 0;
|
|
|
|
while (*p) {
|
|
|
|
if (*p == ':') {
|
|
|
|
BIO_write(io, space, 26 - j);
|
|
|
|
i++;
|
|
|
|
j = 0;
|
|
|
|
BIO_write(io, ((i % 3) ? " " : "\n"), 1);
|
|
|
|
} else {
|
|
|
|
BIO_write(io, p, 1);
|
|
|
|
j++;
|
|
|
|
}
|
|
|
|
p++;
|
|
|
|
}
|
|
|
|
BIO_puts(io, "\n");
|
|
|
|
}
|
|
|
|
ssl_print_sigalgs(io, con);
|
|
|
|
#ifndef OPENSSL_NO_EC
|
2016-11-09 14:51:06 +00:00
|
|
|
ssl_print_groups(io, con, 0);
|
2015-01-22 03:40:55 +00:00
|
|
|
#endif
|
2017-03-31 16:04:28 +00:00
|
|
|
print_ca_names(io, con);
|
2016-02-08 16:18:26 +00:00
|
|
|
BIO_printf(io, (SSL_session_reused(con)
|
2015-01-22 03:40:55 +00:00
|
|
|
? "---\nReused, " : "---\nNew, "));
|
|
|
|
c = SSL_get_current_cipher(con);
|
|
|
|
BIO_printf(io, "%s, Cipher is %s\n",
|
|
|
|
SSL_CIPHER_get_version(c), SSL_CIPHER_get_name(c));
|
|
|
|
SSL_SESSION_print(io, SSL_get_session(con));
|
|
|
|
BIO_printf(io, "---\n");
|
|
|
|
print_stats(io, SSL_get_SSL_CTX(con));
|
|
|
|
BIO_printf(io, "---\n");
|
|
|
|
peer = SSL_get_peer_certificate(con);
|
|
|
|
if (peer != NULL) {
|
|
|
|
BIO_printf(io, "Client certificate\n");
|
|
|
|
X509_print(io, peer);
|
|
|
|
PEM_write_bio_X509(io, peer);
|
2016-03-07 20:00:02 +00:00
|
|
|
X509_free(peer);
|
|
|
|
peer = NULL;
|
2017-08-05 06:31:04 +00:00
|
|
|
} else {
|
2015-01-22 03:40:55 +00:00
|
|
|
BIO_puts(io, "no client certificate available\n");
|
2017-08-05 06:31:04 +00:00
|
|
|
}
|
|
|
|
BIO_puts(io, "</pre></BODY></HTML>\r\n\r\n");
|
2015-01-22 03:40:55 +00:00
|
|
|
break;
|
|
|
|
} else if ((www == 2 || www == 3)
|
|
|
|
&& (strncmp("GET /", buf, 5) == 0)) {
|
|
|
|
BIO *file;
|
|
|
|
char *p, *e;
|
|
|
|
static const char *text =
|
|
|
|
"HTTP/1.0 200 ok\r\nContent-type: text/plain\r\n\r\n";
|
|
|
|
|
|
|
|
/* skip the '/' */
|
|
|
|
p = &(buf[5]);
|
|
|
|
|
|
|
|
dot = 1;
|
|
|
|
for (e = p; *e != '\0'; e++) {
|
|
|
|
if (e[0] == ' ')
|
|
|
|
break;
|
|
|
|
|
|
|
|
switch (dot) {
|
|
|
|
case 1:
|
|
|
|
dot = (e[0] == '.') ? 2 : 0;
|
|
|
|
break;
|
|
|
|
case 2:
|
|
|
|
dot = (e[0] == '.') ? 3 : 0;
|
|
|
|
break;
|
|
|
|
case 3:
|
|
|
|
dot = (e[0] == '/') ? -1 : 0;
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
if (dot == 0)
|
|
|
|
dot = (e[0] == '/') ? 1 : 0;
|
|
|
|
}
|
|
|
|
dot = (dot == 3) || (dot == -1); /* filename contains ".."
|
|
|
|
* component */
|
|
|
|
|
|
|
|
if (*e == '\0') {
|
|
|
|
BIO_puts(io, text);
|
|
|
|
BIO_printf(io, "'%s' is an invalid file name\r\n", p);
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
*e = '\0';
|
|
|
|
|
|
|
|
if (dot) {
|
|
|
|
BIO_puts(io, text);
|
|
|
|
BIO_printf(io, "'%s' contains '..' reference\r\n", p);
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (*p == '/') {
|
|
|
|
BIO_puts(io, text);
|
|
|
|
BIO_printf(io, "'%s' is an invalid path\r\n", p);
|
|
|
|
break;
|
|
|
|
}
|
1998-12-21 10:52:47 +00:00
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
/* if a directory, do the index thang */
|
|
|
|
if (app_isdir(p) > 0) {
|
|
|
|
BIO_puts(io, text);
|
|
|
|
BIO_printf(io, "'%s' is a directory\r\n", p);
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
if ((file = BIO_new_file(p, "r")) == NULL) {
|
|
|
|
BIO_puts(io, text);
|
|
|
|
BIO_printf(io, "Error opening '%s'\r\n", p);
|
|
|
|
ERR_print_errors(io);
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
|
|
|
|
if (!s_quiet)
|
|
|
|
BIO_printf(bio_err, "FILE:%s\n", p);
|
|
|
|
|
|
|
|
if (www == 2) {
|
|
|
|
i = strlen(p);
|
|
|
|
if (((i > 5) && (strcmp(&(p[i - 5]), ".html") == 0)) ||
|
|
|
|
((i > 4) && (strcmp(&(p[i - 4]), ".php") == 0)) ||
|
|
|
|
((i > 4) && (strcmp(&(p[i - 4]), ".htm") == 0)))
|
|
|
|
BIO_puts(io,
|
|
|
|
"HTTP/1.0 200 ok\r\nContent-type: text/html\r\n\r\n");
|
|
|
|
else
|
|
|
|
BIO_puts(io,
|
|
|
|
"HTTP/1.0 200 ok\r\nContent-type: text/plain\r\n\r\n");
|
|
|
|
}
|
|
|
|
/* send the file */
|
|
|
|
for (;;) {
|
|
|
|
i = BIO_read(file, buf, bufsize);
|
|
|
|
if (i <= 0)
|
|
|
|
break;
|
1998-12-21 10:52:47 +00:00
|
|
|
|
1998-12-21 11:00:56 +00:00
|
|
|
#ifdef RENEG
|
2015-01-22 03:40:55 +00:00
|
|
|
total_bytes += i;
|
2015-06-04 18:26:55 +00:00
|
|
|
BIO_printf(bio_err, "%d\n", i);
|
2015-01-22 03:40:55 +00:00
|
|
|
if (total_bytes > 3 * 1024) {
|
|
|
|
total_bytes = 0;
|
2015-06-04 18:26:55 +00:00
|
|
|
BIO_printf(bio_err, "RENEGOTIATE\n");
|
2015-01-22 03:40:55 +00:00
|
|
|
SSL_renegotiate(con);
|
|
|
|
}
|
|
|
|
#endif
|
|
|
|
|
|
|
|
for (j = 0; j < i;) {
|
1998-12-21 10:56:39 +00:00
|
|
|
#ifdef RENEG
|
2016-08-03 20:49:25 +00:00
|
|
|
static count = 0;
|
|
|
|
if (++count == 13) {
|
|
|
|
SSL_renegotiate(con);
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
|
|
|
#endif
|
|
|
|
k = BIO_write(io, &(buf[j]), i - j);
|
|
|
|
if (k <= 0) {
|
2016-08-07 10:04:26 +00:00
|
|
|
if (!BIO_should_retry(io)
|
|
|
|
&& !SSL_waiting_for_async(con))
|
2015-01-22 03:40:55 +00:00
|
|
|
goto write_error;
|
|
|
|
else {
|
|
|
|
BIO_printf(bio_s_out, "rwrite W BLOCK\n");
|
|
|
|
}
|
|
|
|
} else {
|
|
|
|
j += k;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
write_error:
|
|
|
|
BIO_free(file);
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
|
|
|
|
for (;;) {
|
|
|
|
i = (int)BIO_flush(io);
|
|
|
|
if (i <= 0) {
|
|
|
|
if (!BIO_should_retry(io))
|
|
|
|
break;
|
|
|
|
} else
|
|
|
|
break;
|
|
|
|
}
|
|
|
|
end:
|
|
|
|
/* make sure we re-use sessions */
|
|
|
|
SSL_set_shutdown(con, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
|
1998-12-21 10:52:47 +00:00
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
err:
|
|
|
|
if (ret >= 0)
|
|
|
|
BIO_printf(bio_s_out, "ACCEPT\n");
|
2015-05-01 14:02:07 +00:00
|
|
|
OPENSSL_free(buf);
|
2015-03-25 15:31:18 +00:00
|
|
|
BIO_free_all(io);
|
2017-10-17 14:04:09 +00:00
|
|
|
return ret;
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
1998-12-21 10:52:47 +00:00
|
|
|
|
2017-04-20 08:56:56 +00:00
|
|
|
static int rev_body(int s, int stype, int prot, unsigned char *context)
|
2015-01-22 03:40:55 +00:00
|
|
|
{
|
|
|
|
char *buf = NULL;
|
|
|
|
int i;
|
|
|
|
int ret = 1;
|
|
|
|
SSL *con;
|
|
|
|
BIO *io, *ssl_bio, *sbio;
|
2012-09-14 13:27:05 +00:00
|
|
|
|
2015-04-30 21:48:31 +00:00
|
|
|
buf = app_malloc(bufsize, "server rev buffer");
|
2015-01-22 03:40:55 +00:00
|
|
|
io = BIO_new(BIO_f_buffer());
|
|
|
|
ssl_bio = BIO_new(BIO_f_ssl());
|
|
|
|
if ((io == NULL) || (ssl_bio == NULL))
|
|
|
|
goto err;
|
2012-09-14 13:27:05 +00:00
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
/* lets make the output buffer a reasonable size */
|
|
|
|
if (!BIO_set_write_buffer_size(io, bufsize))
|
|
|
|
goto err;
|
2012-09-14 13:27:05 +00:00
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
if ((con = SSL_new(ctx)) == NULL)
|
|
|
|
goto err;
|
2015-05-15 09:49:56 +00:00
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
if (s_tlsextdebug) {
|
|
|
|
SSL_set_tlsext_debug_callback(con, tlsext_cb);
|
|
|
|
SSL_set_tlsext_debug_arg(con, bio_s_out);
|
|
|
|
}
|
2017-06-12 17:24:02 +00:00
|
|
|
if (context != NULL
|
2016-08-07 10:04:26 +00:00
|
|
|
&& !SSL_set_session_id_context(con, context,
|
|
|
|
strlen((char *)context))) {
|
2015-03-06 14:39:46 +00:00
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
goto err;
|
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
|
|
|
|
sbio = BIO_new_socket(s, BIO_NOCLOSE);
|
|
|
|
SSL_set_bio(con, sbio, sbio);
|
|
|
|
SSL_set_accept_state(con);
|
|
|
|
|
|
|
|
BIO_set_ssl(ssl_bio, con, BIO_CLOSE);
|
|
|
|
BIO_push(io, ssl_bio);
|
2012-09-14 13:27:05 +00:00
|
|
|
#ifdef CHARSET_EBCDIC
|
2015-01-22 03:40:55 +00:00
|
|
|
io = BIO_push(BIO_new(BIO_f_ebcdic_filter()), io);
|
2012-09-14 13:27:05 +00:00
|
|
|
#endif
|
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
if (s_debug) {
|
|
|
|
BIO_set_callback(SSL_get_rbio(con), bio_dump_callback);
|
|
|
|
BIO_set_callback_arg(SSL_get_rbio(con), (char *)bio_s_out);
|
|
|
|
}
|
|
|
|
if (s_msg) {
|
2012-09-14 13:27:05 +00:00
|
|
|
#ifndef OPENSSL_NO_SSL_TRACE
|
2015-01-22 03:40:55 +00:00
|
|
|
if (s_msg == 2)
|
|
|
|
SSL_set_msg_callback(con, SSL_trace);
|
|
|
|
else
|
|
|
|
#endif
|
|
|
|
SSL_set_msg_callback(con, msg_cb);
|
|
|
|
SSL_set_msg_callback_arg(con, bio_s_msg ? bio_s_msg : bio_s_out);
|
|
|
|
}
|
|
|
|
|
|
|
|
for (;;) {
|
|
|
|
i = BIO_do_handshake(io);
|
|
|
|
if (i > 0)
|
|
|
|
break;
|
|
|
|
if (!BIO_should_retry(io)) {
|
|
|
|
BIO_puts(bio_err, "CONNECTION FAILURE\n");
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
goto end;
|
|
|
|
}
|
2015-09-12 01:37:48 +00:00
|
|
|
#ifndef OPENSSL_NO_SRP
|
|
|
|
if (BIO_should_io_special(io)
|
|
|
|
&& BIO_get_retry_reason(io) == BIO_RR_SSL_X509_LOOKUP) {
|
|
|
|
BIO_printf(bio_s_out, "LOOKUP renego during accept\n");
|
2016-02-24 11:59:59 +00:00
|
|
|
SRP_user_pwd_free(srp_callback_parm.user);
|
2015-09-12 01:37:48 +00:00
|
|
|
srp_callback_parm.user =
|
2016-02-24 11:59:59 +00:00
|
|
|
SRP_VBASE_get1_by_user(srp_callback_parm.vb,
|
|
|
|
srp_callback_parm.login);
|
2015-09-12 01:37:48 +00:00
|
|
|
if (srp_callback_parm.user)
|
|
|
|
BIO_printf(bio_s_out, "LOOKUP done %s\n",
|
|
|
|
srp_callback_parm.user->info);
|
|
|
|
else
|
|
|
|
BIO_printf(bio_s_out, "LOOKUP not successful\n");
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
#endif
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
|
|
|
BIO_printf(bio_err, "CONNECTION ESTABLISHED\n");
|
2015-04-29 15:27:08 +00:00
|
|
|
print_ssl_summary(con);
|
2015-01-22 03:40:55 +00:00
|
|
|
|
|
|
|
for (;;) {
|
|
|
|
i = BIO_gets(io, buf, bufsize - 1);
|
|
|
|
if (i < 0) { /* error */
|
|
|
|
if (!BIO_should_retry(io)) {
|
|
|
|
if (!s_quiet)
|
|
|
|
ERR_print_errors(bio_err);
|
|
|
|
goto err;
|
|
|
|
} else {
|
|
|
|
BIO_printf(bio_s_out, "read R BLOCK\n");
|
2015-09-12 01:37:48 +00:00
|
|
|
#ifndef OPENSSL_NO_SRP
|
|
|
|
if (BIO_should_io_special(io)
|
|
|
|
&& BIO_get_retry_reason(io) == BIO_RR_SSL_X509_LOOKUP) {
|
|
|
|
BIO_printf(bio_s_out, "LOOKUP renego during read\n");
|
2016-02-24 11:59:59 +00:00
|
|
|
SRP_user_pwd_free(srp_callback_parm.user);
|
2015-09-12 01:37:48 +00:00
|
|
|
srp_callback_parm.user =
|
2016-02-24 11:59:59 +00:00
|
|
|
SRP_VBASE_get1_by_user(srp_callback_parm.vb,
|
|
|
|
srp_callback_parm.login);
|
2015-09-12 01:37:48 +00:00
|
|
|
if (srp_callback_parm.user)
|
|
|
|
BIO_printf(bio_s_out, "LOOKUP done %s\n",
|
|
|
|
srp_callback_parm.user->info);
|
|
|
|
else
|
|
|
|
BIO_printf(bio_s_out, "LOOKUP not successful\n");
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
#endif
|
2016-03-17 16:53:11 +00:00
|
|
|
#if !defined(OPENSSL_SYS_MSDOS)
|
2015-01-22 03:40:55 +00:00
|
|
|
sleep(1);
|
|
|
|
#endif
|
|
|
|
continue;
|
|
|
|
}
|
|
|
|
} else if (i == 0) { /* end of input */
|
|
|
|
ret = 1;
|
|
|
|
BIO_printf(bio_err, "CONNECTION CLOSED\n");
|
|
|
|
goto end;
|
|
|
|
} else {
|
|
|
|
char *p = buf + i - 1;
|
|
|
|
while (i && (*p == '\n' || *p == '\r')) {
|
|
|
|
p--;
|
|
|
|
i--;
|
|
|
|
}
|
2015-05-06 18:56:14 +00:00
|
|
|
if (!s_ign_eof && (i == 5) && (strncmp(buf, "CLOSE", 5) == 0)) {
|
2015-01-22 03:40:55 +00:00
|
|
|
ret = 1;
|
|
|
|
BIO_printf(bio_err, "CONNECTION CLOSED\n");
|
|
|
|
goto end;
|
|
|
|
}
|
|
|
|
BUF_reverse((unsigned char *)buf, NULL, i);
|
|
|
|
buf[i] = '\n';
|
|
|
|
BIO_write(io, buf, i + 1);
|
|
|
|
for (;;) {
|
|
|
|
i = BIO_flush(io);
|
|
|
|
if (i > 0)
|
|
|
|
break;
|
|
|
|
if (!BIO_should_retry(io))
|
|
|
|
goto end;
|
|
|
|
}
|
|
|
|
}
|
|
|
|
}
|
|
|
|
end:
|
|
|
|
/* make sure we re-use sessions */
|
|
|
|
SSL_set_shutdown(con, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
|
|
|
|
|
|
|
|
err:
|
|
|
|
|
2015-05-01 14:02:07 +00:00
|
|
|
OPENSSL_free(buf);
|
2015-03-25 15:31:18 +00:00
|
|
|
BIO_free_all(io);
|
2017-10-17 14:04:09 +00:00
|
|
|
return ret;
|
2015-01-22 03:40:55 +00:00
|
|
|
}
|
2012-09-14 13:27:05 +00:00
|
|
|
|
2001-02-21 18:38:48 +00:00
|
|
|
#define MAX_SESSION_ID_ATTEMPTS 10
|
2017-08-03 14:24:03 +00:00
|
|
|
static int generate_session_id(SSL *ssl, unsigned char *id,
|
2015-01-22 03:40:55 +00:00
|
|
|
unsigned int *id_len)
|
|
|
|
{
|
|
|
|
unsigned int count = 0;
|
|
|
|
do {
|
2015-02-26 11:57:37 +00:00
|
|
|
if (RAND_bytes(id, *id_len) <= 0)
|
|
|
|
return 0;
|
2015-01-22 03:40:55 +00:00
|
|
|
/*
|
|
|
|
* Prefix the session_id with the required prefix. NB: If our prefix
|
|
|
|
* is too long, clip it - but there will be worse effects anyway, eg.
|
|
|
|
* the server could only possibly create 1 session ID (ie. the
|
|
|
|
* prefix!) so all future session negotiations will fail due to
|
|
|
|
* conflicts.
|
|
|
|
*/
|
|
|
|
memcpy(id, session_id_prefix,
|
|
|
|
(strlen(session_id_prefix) < *id_len) ?
|
|
|
|
strlen(session_id_prefix) : *id_len);
|
|
|
|
}
|
|
|
|
while (SSL_has_matching_session_id(ssl, id, *id_len) &&
|
|
|
|
(++count < MAX_SESSION_ID_ATTEMPTS));
|
|
|
|
if (count >= MAX_SESSION_ID_ATTEMPTS)
|
|
|
|
return 0;
|
|
|
|
return 1;
|
|
|
|
}
|
|
|
|
|
|
|
|
/*
|
|
|
|
* By default s_server uses an in-memory cache which caches SSL_SESSION
|
2009-12-27 23:24:45 +00:00
|
|
|
* structures without any serialisation. This hides some bugs which only
|
|
|
|
* become apparent in deployed servers. By implementing a basic external
|
|
|
|
* session cache some issues can be debugged using s_server.
|
|
|
|
*/
|
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
typedef struct simple_ssl_session_st {
|
|
|
|
unsigned char *id;
|
|
|
|
unsigned int idlen;
|
|
|
|
unsigned char *der;
|
|
|
|
int derlen;
|
|
|
|
struct simple_ssl_session_st *next;
|
|
|
|
} simple_ssl_session;
|
2009-12-27 23:24:45 +00:00
|
|
|
|
|
|
|
static simple_ssl_session *first = NULL;
|
|
|
|
|
|
|
|
static int add_session(SSL *ssl, SSL_SESSION *session)
|
2015-01-22 03:40:55 +00:00
|
|
|
{
|
2015-05-02 03:10:31 +00:00
|
|
|
simple_ssl_session *sess = app_malloc(sizeof(*sess), "get session");
|
2015-01-22 03:40:55 +00:00
|
|
|
unsigned char *p;
|
2009-12-27 23:24:45 +00:00
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
SSL_SESSION_get_id(session, &sess->idlen);
|
|
|
|
sess->derlen = i2d_SSL_SESSION(session, NULL);
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
if (sess->derlen < 0) {
|
|
|
|
BIO_printf(bio_err, "Error encoding session\n");
|
2015-04-26 02:55:36 +00:00
|
|
|
OPENSSL_free(sess);
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
return 0;
|
|
|
|
}
|
2009-12-27 23:24:45 +00:00
|
|
|
|
Rename some BUF_xxx to OPENSSL_xxx
Rename BUF_{strdup,strlcat,strlcpy,memdup,strndup,strnlen}
to OPENSSL_{strdup,strlcat,strlcpy,memdup,strndup,strnlen}
Add #define's for the old names.
Add CRYPTO_{memdup,strndup}, called by OPENSSL_{memdup,strndup} macros.
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-12-16 21:12:24 +00:00
|
|
|
sess->id = OPENSSL_memdup(SSL_SESSION_get_id(session, NULL), sess->idlen);
|
2015-04-30 21:48:31 +00:00
|
|
|
sess->der = app_malloc(sess->derlen, "get session buffer");
|
|
|
|
if (!sess->id) {
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
BIO_printf(bio_err, "Out of memory adding to external cache\n");
|
2015-04-26 02:55:36 +00:00
|
|
|
OPENSSL_free(sess->id);
|
|
|
|
OPENSSL_free(sess->der);
|
2015-03-04 17:49:51 +00:00
|
|
|
OPENSSL_free(sess);
|
|
|
|
return 0;
|
|
|
|
}
|
2015-01-22 03:40:55 +00:00
|
|
|
p = sess->der;
|
Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master. The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt. Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that. There have been many other changes and code-cleanup, see
bullet list below.
Special thanks to Matt for the long and detailed code review.
TEMPORARY:
For now, comment out CRYPTO_mem_leaks() at end of main
Tickets closed:
RT3515: Use 3DES in pkcs12 if built with no-rc2
RT1766: s_client -reconnect and -starttls broke
RT2932: Catch write errors
RT2604: port should be 'unsigned short'
RT2983: total_bytes undeclared #ifdef RENEG
RT1523: Add -nocert to fix output in x509 app
RT3508: Remove unused variable introduced by b09eb24
RT3511: doc fix; req default serial is random
RT1325,2973: Add more extensions to c_rehash
RT2119,3407: Updated to dgst.pod
RT2379: Additional typo fix
RT2693: Extra include of string.h
RT2880: HFS is case-insensitive filenames
RT3246: req command prints version number wrong
Other changes; incompatibilities marked with *:
Add SCSV support
Add -misalign to speed command
Make dhparam, dsaparam, ecparam, x509 output C in proper style
Make some internal ocsp.c functions void
Only display cert usages with -help in verify
Use global bio_err, remove "BIO*err" parameter from functions
For filenames, - always means stdin (or stdout as appropriate)
Add aliases for -des/aes "wrap" ciphers.
*Remove support for IISSGC (server gated crypto)
*The undocumented OCSP -header flag is now "-header name=value"
*Documented the OCSP -header flag
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 19:26:15 +00:00
|
|
|
|
|
|
|
/* Assume it still works. */
|
|
|
|
if (i2d_SSL_SESSION(session, &p) != sess->derlen) {
|
2015-04-26 20:43:18 +00:00
|
|
|
BIO_printf(bio_err, "Unexpected session encoding length\n");
|
2015-04-26 02:55:36 +00:00
|
|
|
OPENSSL_free(sess->id);
|
|
|
|
OPENSSL_free(sess->der);
|
|
|
|
OPENSSL_free(sess);
|
2015-03-06 14:39:46 +00:00
|
|
|
return 0;
|
|
|
|
}
|
2009-12-27 23:24:45 +00:00
|
|
|
|
2015-01-22 03:40:55 +00:00
|
|
|
sess->next = first;
|
|
|
|
first = sess;
|
|
|
|
BIO_printf(bio_err, "New session added to external cache\n");
|
|
|
|
return 0;
|
|
|
|
}
|
2009-12-27 23:24:45 +00:00
|
|
|
|
2016-02-01 14:26:18 +00:00
|
|
|
static SSL_SESSION *get_session(SSL *ssl, const unsigned char *id, int idlen,
|
2015-01-22 03:40:55 +00:00
|
|
|
int *do_copy)
|
|
|
|
{
|
|
|
|
simple_ssl_session *sess;
|
|
|
|
*do_copy = 0;
|
|
|
|
for (sess = first; sess; sess = sess->next) {
|
|
|
|
if (idlen == (int)sess->idlen && !memcmp(sess->id, id, idlen)) {
|
|
|
|
const unsigned char *p = sess->der;
|
|
|
|
BIO_printf(bio_err, "Lookup session: cache hit\n");
|
|
|
|
return d2i_SSL_SESSION(NULL, &p, sess->derlen);
|
|
|
|
}
|
|
|
|
}
|
|
|
|
BIO_printf(bio_err, "Lookup session: cache miss\n");
|
|
|
|
return NULL;
|
|
|
|
}
|
2009-12-27 23:24:45 +00:00
|
|
|
|
|
|
|
static void del_session(SSL_CTX *sctx, SSL_SESSION *session)
|
2015-01-22 03:40:55 +00:00
|
|
|
{
|
|
|
|
simple_ssl_session *sess, *prev = NULL;
|
|
|
|
const unsigned char *id;
|
|
|
|
unsigned int idlen;
|
|
|
|
id = SSL_SESSION_get_id(session, &idlen);
|
|
|
|
for (sess = first; sess; sess = sess->next) {
|
|
|
|
if (idlen == sess->idlen && !memcmp(sess->id, id, idlen)) {
|
|
|
|
if (prev)
|
|
|
|
prev->next = sess->next;
|
|
|
|
else
|
|
|
|
first = sess->next;
|
|
|
|
OPENSSL_free(sess->id);
|
|
|
|
OPENSSL_free(sess->der);
|
|
|
|
OPENSSL_free(sess);
|
|
|
|
return;
|
|
|
|
}
|
|
|
|
prev = sess;
|
|
|
|
}
|
|
|
|
}
|
2009-12-27 23:24:45 +00:00
|
|
|
|
|
|
|
static void init_session_cache_ctx(SSL_CTX *sctx)
|
2015-01-22 03:40:55 +00:00
|
|
|
{
|
|
|
|
SSL_CTX_set_session_cache_mode(sctx,
|
|
|
|
SSL_SESS_CACHE_NO_INTERNAL |
|
|
|
|
SSL_SESS_CACHE_SERVER);
|
|
|
|
SSL_CTX_sess_set_new_cb(sctx, add_session);
|
|
|
|
SSL_CTX_sess_set_get_cb(sctx, get_session);
|
|
|
|
SSL_CTX_sess_set_remove_cb(sctx, del_session);
|
|
|
|
}
|
2009-12-27 23:24:45 +00:00
|
|
|
|
|
|
|
static void free_sessions(void)
|
2015-01-22 03:40:55 +00:00
|
|
|
{
|
|
|
|
simple_ssl_session *sess, *tsess;
|
|
|
|
for (sess = first; sess;) {
|
|
|
|
OPENSSL_free(sess->id);
|
|
|
|
OPENSSL_free(sess->der);
|
|
|
|
tsess = sess;
|
|
|
|
sess = sess->next;
|
|
|
|
OPENSSL_free(tsess);
|
|
|
|
}
|
|
|
|
first = NULL;
|
|
|
|
}
|
2016-03-21 15:32:40 +00:00
|
|
|
|
2016-08-07 10:04:26 +00:00
|
|
|
#endif /* OPENSSL_NO_SOCK */
|