Commit graph

460 commits

Author SHA1 Message Date
Dr. Stephen Henson
9e313563da fix warning about trailing comma
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-19 19:32:19 +01:00
Viktor Dukhovni
c4fbed6c31 Add -dane_ee_no_namechecks s_client(1) option
The DANE API supports a DANE_FLAG_NO_DANE_EE_NAMECHECKS option, but
there was no way to exercise/enable it via s_client.  This commit
addresses that gap.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-19 12:18:49 -04:00
Viktor Dukhovni
bc87fb6bcd Fix missing dane_tlsa_rrdata option error message
The error message said "dane_tlsa_rrset" instead of "dane_tlsa_rrdata".

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-18 17:04:45 -04:00
FdaSilvaYY
d6073e27eb Small nits and cleanups
using util/openssl-format-source on s_derver, s_client, ca.c, speed.c only...

Fix/merge some #ifndef

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-08-17 17:09:19 +01:00
FdaSilvaYY
cc69629626 Constify char* input parameters in apps code
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-08-17 17:09:19 +01:00
FdaSilvaYY
54463e4f33 Relocalise some globals variables
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-08-17 17:09:19 +01:00
FdaSilvaYY
acc0049213 Pack globals variables used to control apps/verify_callback()
into a structure , to avoid any accident .

Plus some few cleanups

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-08-04 17:07:58 +02:00
Jon Loeliger
1abd292585 RT4639: Typo when -DSSL_DEBUG
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-07-26 12:48:51 -04:00
Richard Levitte
d6accd5040 Fix forgotten goto
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-19 15:26:40 +02:00
Richard Levitte
642a166ce1 Convert the last uses of sockaddr in apps/* to use BIO_ADDR instead
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-07-19 14:32:39 +02:00
Matt Caswell
4bbd4ba66d Disallow multiple protocol flags to s_server and s_client
We shouldn't allow both "-tls1" and "-tls1_2", or "-tls1" and "-no_tls1_2".
The only time multiple flags are allowed is where they are all "-no_<prot>".

This fixes Github Issue #1268

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-07-08 16:20:59 +01:00
David Benjamin
748e85308e Fix BN_is_prime* calls.
This function returns a tri-state -1 on error. See BoringSSL's
53409ee3d7595ed37da472bc73b010cd2c8a5ffd.

Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@openssl.org>

GH: #1251
2016-06-25 11:01:30 +02:00
mmiyashita
1d8b4eb2b4 segmentation fault with 'openssl s_client -prexit -keymatexport'
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1243)
2016-06-21 17:30:46 -04:00
FdaSilvaYY
a8db2cfa4b Add a comment after some #endif at end of apps source code.
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1168)
2016-06-18 16:30:24 -04:00
Dr. Stephen Henson
6ec6d52071 Don't skip leading zeroes in PSK keys.
Don't use BN_hex2bn() for PSK key conversion as the conversion to
BN and back removes leading zeroes, use OPENSSL_hexstr2buf() instead.

RT#4554

Reviewed-by: Matt Caswell <matt@openssl.org>
2016-06-12 19:44:17 +01:00
John Denker
a3ef2c1679 RT2759: Don't read TTY when already at EOF.
Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-06-12 08:52:40 -04:00
Rich Salz
7315ce80de Avoid memory leaks if options repeated.
Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-06-12 08:02:46 -04:00
Rich Salz
fe08bd76e2 GH1183: Fix -unix and -connect, etc., override
If a user specifies -unix, -6, etc., then the program tries to
use the last one specified.  This is confusing code and leads to
scripting errors.  Instead, allow only one type.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-06-10 10:45:49 -04:00
Matt Caswell
cb2e10f257 Fix intermittent windows failures in TLSProxy tests
When closing down the socket in s_client Windows will close it immediately
even if there is data in the write buffer still waiting to be sent. This
was causing tests to fail in Msys/Mingw builds because TLSProxy doesn't see
the final CloseNotify.

I have experimented with various ways of doing this "properly" (e.g.
shutting down the socket before closing, setting SO_LINGER etc). I can't
seem to find the "magic" formula that will make Windows do this. Inserting
a short 50ms sleep seems to do the trick...but its not very "nice" so I've
inserted a TODO on this item. Perhaps someone else will have better luck
in figuring this out.

RT#4255

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-27 15:18:54 +01:00
Matt Caswell
75dd6c1a39 Fix s_client/s_server waiting for stdin on Windows
On Windows we were using the function _kbhit() to determine whether there
was input waiting in stdin for us to read. Actually all this does is work
out whether there is a keyboard press event waiting to be processed in the
input buffer. This only seems to work in a standard Windows console (not
Msys console) and also doesn't work if you redirect the input from some
other source (as we do in TLSProxy tests). This commit changes things to
work differently depending on whether we are on the Windows console or not.

RT#4255

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-27 15:18:46 +01:00
FdaSilvaYY
fba1366398 Locally declare some variables
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-05-18 10:44:08 +01:00
FdaSilvaYY
bde136c89f Few cleanups in s_client, s_server apps.
Discard useless static engine_id
Add a const qualifier
Fix some spelling

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-05-18 10:44:08 +01:00
Rich Salz
846e33c729 Copyright consolidation 01/10
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2016-05-17 14:19:19 -04:00
Rich Salz
49445f21da Use OPENSSL_hexchar2int
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-16 15:21:10 -04:00
Rich Salz
589902b2cb Use app_malloc; two missing cases.
Reviewed-by: Matt Caswell <matt@openssl.org>
2016-05-16 15:18:22 -04:00
Matt Caswell
fc7f190c73 Handle no async jobs in libssl
If the application has limited the size of the async pool using
ASYNC_init_thread() then we could run out of jobs while trying to start a
libssl io operation. However libssl was failing to handle this and treating
it like a fatal error. It should not be fatal...we just need to retry when
there are jobs available again.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-05-05 19:39:14 +01:00
Matt Caswell
46da5f9ca9 Fix missing break in option parsing
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-04-21 10:51:57 +01:00
Matt Caswell
1595ca029c Fix the no-nextprotoneg option
Misc fixes to get no-nextprotoneg config option working again.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-04-11 14:22:43 +01:00
Viktor Dukhovni
43341433a8 Suppress CT callback as appropriate
Suppress CT callbacks with aNULL or PSK ciphersuites that involve
no certificates.  Ditto when the certificate chain is validated via
DANE-TA(2) or DANE-EE(3) TLSA records.  Also skip SCT processing
when the chain is fails verification.

Move and consolidate CT callbacks from libcrypto to libssl.  We
also simplify the interface to SSL_{,CTX_}_enable_ct() which can
specify either a permissive mode that just collects information or
a strict mode that requires at least one valid SCT or else asks to
abort the connection.

Simplified SCT processing and options in s_client(1) which now has
just a simple pair of "-noct" vs. "-ct" options, the latter enables
the permissive callback so that we can complete the handshake and
report all relevant information.  When printing SCTs, print the
validation status if set and not valid.

Signed-off-by: Rob Percival <robpercival@google.com>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-04-07 14:41:34 -04:00
Matt Caswell
3e41ac3528 Fix no-ocsp
Misc fixes for no-ocsp

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-04-06 14:57:45 +01:00
Matt Caswell
f9e5503412 Fix no-sock
Misc fixes for no-sock

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-03-21 16:33:59 +00:00
Rich Salz
8230f6c764 GH886: CONNECT should use HTTP/1.1
By default you get 0.9 which isn't widely available.
But we use HTTP/1.0 for now.
Courtesy beusink@users.github.com

Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-03-20 19:41:40 -04:00
Matt Caswell
40a8e9c2ef Fix no-dgram
A few places in s_client needed some OPENSSL_NO_DTLS guards which fixes
no-dgram.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-18 17:07:11 +00:00
Rich Salz
1fbab1dc6f Remove Netware and OS/2
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-03-17 17:06:57 -04:00
Rob Percival
b536958205 Surround ctx_set_ctlog_list_file() with #ifndef OPENSSL_NO_CT
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-11 09:05:46 -05:00
Rob Percival
0d4d5ab819 check reviewer --reviewer=emilia
Use SSL_get_SSL_CTX instead of passing SSL_CTX to s_client.c:print_stuff

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-10 14:53:04 -05:00
Rob Percival
8359b57f27 check reviewer --reviewer=emilia
Remove 'log' field from SCT and related accessors

In order to still have access to an SCT's CTLOG when calling SCT_print,
SSL_CTX_get0_ctlog_store has been added.

Improved documentation for some CT functions in openssl/ssl.h.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-10 14:53:04 -05:00
Kurt Roeckx
0d5301aff9 Use minimum and maximum protocol version instead of version fixed methods
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>

MR: #1824
2016-03-09 19:38:56 +01:00
Rob Percival
6bea2a72a8 Minor improvement to formatting of SCT output in s_client
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-09 13:07:09 -05:00
Rob Percival
328f36c5c5 Do not display a CT log error message if CT validation is disabled
Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-09 13:07:09 -05:00
Rob Percival
70073f3e3a Treat boolean functions as booleans
Use "!x" instead of "x <= 0", as these functions never return a negative
value.

Reviewed-by: Emilia Käsper <emilia@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-09 11:34:48 -05:00
Todd Short
817cd0d52f GH787: Fix ALPN
* Perform ALPN after the SNI callback; the SSL_CTX may change due to
  that processing
* Add flags to indicate that we actually sent ALPN, to properly error
  out if unexpectedly received.
* clean up ssl3_free() no need to explicitly clear when doing memset
* document ALPN functions

Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2016-03-08 09:03:05 -05:00
Matt Caswell
e2d5183d7c Fix s_server/s_client handling of the split_send_frag argument
Ensure that a value of 0 is correctly handled for the split_send_frag
argument.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-03-07 21:39:28 +00:00
Matt Caswell
0df8088132 Add documentation for new s_server/s_client options
Document the new split_send_frag, max_pipelines and read_buf options.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-03-07 21:39:28 +00:00
Matt Caswell
fd068d50c4 Ensure s_client and s_server work when read_ahead is set
Previously s_client and s_server relied on using SSL_pending() which does
not take into account read_ahead. For read pipelining to work, read_ahead
gets set automatically. Therefore s_client and s_server have been
converted to use SSL_has_pending() instead.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-03-07 21:39:27 +00:00
Matt Caswell
dad78fb13d Add an ability to set the SSL read buffer size
This capability is required for read pipelining. We will only read in as
many records as will fit in the read buffer (and the network can provide
in one go). The bigger the buffer the more records we can process in
parallel.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-03-07 21:39:27 +00:00
Matt Caswell
032c6d21fc Add pipeline support to s_server and s_client
Add the options min_send_frag and max_pipelines to s_server and s_client
in order to control pipelining capabilities. This will only have an effect
if a pipeline capable cipher is used (such as the one provided by the
dasync engine).

Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-03-07 21:39:27 +00:00
Rich Salz
8731a4fcd2 ISSUE 43: Add BIO_sock_shutdown
This replaces SHUTDOWN/SHUTDOWN2 with BIO_closesocket.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-03-07 14:47:54 -05:00
Rob Percival
dd696a55a2 Extends s_client to allow a basic CT policy to be enabled
Reviewed-by: Ben Laurie <ben@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-03-04 10:50:10 -05:00
Rich Salz
ba8108154d RT2275: use BIO_sock_nbio()
Now that BIO_sock_nbio is available, use it in the apps.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-27 13:41:41 -05:00
Rich Salz
a773b52a61 Remove unused parameters from internal functions
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-22 13:39:44 -05:00
Emilia Kasper
efc943be56 MemorySanitizer: address false positive
Explicitly unpoison the result of FD_ZERO

Tests now pass, using -fsanitize=memory

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-22 18:30:11 +01:00
Kurt Roeckx
0335851754 argv was set but unused
Also gives an error message when you gave it a parameter it didn't expect.

Reviewed-by: Rich Salz <rsalz@openssl.org>

MR: #2009
2016-02-20 14:53:53 +01:00
Rich Salz
9a13bb387d GH681: More command help cleanup
enc:
 - typo in -base64 option
 - missing help opt text
ocsp, req, rsautl, s_client:
 - missing help opt text

Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-02-18 12:24:44 -05:00
Rich Salz
dba3177745 Remove JPAKE
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-02-17 09:46:10 -05:00
Richard Levitte
18295f0c2d Make sure to use unsigned char for is*() functions
On some platforms, the implementation is such that a signed char
triggers a warning when used with is*() functions.  On others, the
behavior is outright buggy when presented with a char that happens
to get promoted to a negative integer.

The safest thing is to cast the char that's used to an unsigned char.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2016-02-14 19:31:55 +01:00
Matt Caswell
7b9f8f7f03 Auto init/deinit libcrypto
This builds on the previous commit to auto initialise/deinitialise
libcrypto.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-09 15:11:38 +00:00
Viktor Dukhovni
c0a445a9f2 Suppress DANE TLSA reflection when verification fails
As documented both SSL_get0_dane_authority() and SSL_get0_dane_tlsa()
are expected to return a negative match depth and nothing else when
verification fails.  However, this only happened when verification
failed during chain construction.  Errors in verification of the
constructed chain did not have the intended effect on these functions.

This commit updates the functions to check for verify_result ==
X509_V_OK, and no longer erases any accumulated match information
when chain construction fails.  Sophisticated developers can, with
care, use SSL_set_verify_result(ssl, X509_V_OK) to "peek" at TLSA
info even when verification fail.  They must of course first check
and save the real error, and restore the original error as quickly
as possible.  Hiding by default seems to be the safer interface.

Introduced X509_V_ERR_DANE_NO_MATCH code to signal failure to find
matching TLSA records.  Previously reported via X509_V_ERR_CERT_UNTRUSTED.

This also changes the "-brief" output from s_client to include
verification results and TLSA match information.

Mentioned session resumption in code example in SSL_CTX_dane_enable(3).
Also mentioned that depths returned are relative to the verified chain
which is now available via SSL_get0_verified_chain(3).

Added a few more test-cases to danetest, that exercise the new
code.

Resolved thread safety issue in use of static buffer in
X509_verify_cert_error_string().

Fixed long-stating issue in apps/s_cb.c which always sets verify_error
to either X509_V_OK or "chain to long", code elsewhere (e.g.
s_time.c), seems to expect the actual error.  [ The new chain
construction code is expected to correctly generate "chain
too long" errors, so at some point we need to drop the
work-arounds, once SSL_set_verify_depth() is also fixed to
propagate the depth to X509_STORE_CTX reliably. ]

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-02-08 14:46:09 -05:00
Dr. Stephen Henson
b577fd0b81 Deprecate undocumented SSL_cache_hit().
Deprecate undocumented SSL_cache_hit(). Make SSL_session_reused() into a
real function.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-02-08 16:57:07 +00:00
Richard Levitte
ab69ac00f3 Refactoring BIO: Adapt s_client and s_server
s_socket.c gets brutally cleaned out and now consists of only two
functions, one for client and the other for server.  They both handle
AF_INET, AF_INET6 and additionally AF_UNIX where supported.  The rest
is just easy adaptation.

Both s_client and s_server get the new flags -4 and -6 to force the
use of IPv4 or IPv6 only.

Also, the default host "localhost" in s_client is removed.  It's not
certain that this host is set up for both IPv4 and IPv6.  For example,
Debian has "ip6-localhost" as the default hostname for [::1].  The
better way is to default |host| to NULL and rely on BIO_lookup() to
return a BIO_ADDRINFO with the appropriate loopback address for IPv4
or IPv6 as indicated by the |family| parameter.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2016-02-03 20:36:49 +01:00
Matt Caswell
ec4479249d Implement Async SSL_shutdown
This extends the existing async functionality to SSL_shutdown(), i.e.
SSL_shutdown() can now casuse an SSL_ERROR_WANT_ASYNC error to be returned
from SSL_get_error() if async mode has been enabled.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-29 11:36:44 +00:00
Viktor Dukhovni
0996dc5440 Refactor apps load_certs/load_crls to work incrementally
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-20 19:04:26 -05:00
Viktor Dukhovni
6b01bed206 Support disabling any or all TLS or DTLS versions
Some users want to disable SSL 3.0/TLS 1.0/TLS 1.1, and enable just
TLS 1.2.  In the future they might want to disable TLS 1.2 and
enable just TLS 1.3, ...

This commit makes it possible to disable any or all of the TLS or
DTLS protocols.  It also considerably simplifies the SSL/TLS tests,
by auto-generating the min/max version tests based on the set of
supported protocols (425 explicitly written out tests got replaced
by two loops that generate all 425 tests if all protocols are
enabled, fewer otherwise).

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-19 09:57:15 -05:00
Rich Salz
3a4e9367d8 RT4232: Extra space in help message.
It turns out that -pause calls the undocumented function SSL_set_debug.
That just sets flag inside the SSL structure.  That flag, despite
the command is never used.  So remove the flag, the field, and the
function.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-14 11:32:18 -05:00
Rich Salz
f232d6ece3 Another portability fix.
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-08 13:06:01 -05:00
Rich Salz
7ff970ef55 Portability fix for apps/s_client.c
Make some local variables and a table of them be static.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2016-01-08 12:48:15 -05:00
Viktor Dukhovni
cddd424a5b DANE s_client support
Reviewed-by: Richard Levitte <levitte@openssl.org>
2016-01-07 20:01:32 -05:00
Dr. Stephen Henson
287d0b948d Add ssl configuration support to s_server and s_client
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-22 15:14:14 +00:00
Matt Caswell
8caab744f5 Fix s_server problem with no-ec
s_server was trying to set the ECDH curve when no-ec was defined. This also
highlighted the fact that the -no_ecdhe option to s_server is broken, and
doesn't make any sense any more (ECDHE is on by default and the only way it
can be disabled is through the cipherstring). Therefore this commit removes
the option.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-12-15 11:26:38 +00:00
Dr. Stephen Henson
c01ff880d4 New function X509_get0_pubkey
Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2015-12-14 23:06:14 +00:00
Kurt Roeckx
a5ecdc6af8 Use OPENSSL_NO_DTLS instead of OPENSSL_NO_DTLS1
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-12-12 12:07:14 +01:00
Quanah Gibson-Mount
c7944cf1f6 Fix grammar errors
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Rich Salz <rsalz@akamai.com>

GH: #481
2015-11-24 22:01:35 +01:00
Matt Caswell
68487a9b06 Convert __thread to pthreads for Thread Local Storage
In theory the pthreads approach for Thread Local Storage should be more
portable.

This also changes some APIs in order to accommodate this change. In
particular ASYNC_init_pool is renamed ASYNC_init_thread and
ASYNC_free_pool is renamed ASYNC_cleanup_thread. Also introduced ASYNC_init
and ASYNC_cleanup.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-11-20 23:39:30 +00:00
Matt Caswell
e1b9840ed7 Add s_client support for waiting for async
s_server already had the ability to wait on an async file descriptor. This
adds it to s_client too.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-11-20 23:34:35 +00:00
Matt Caswell
5e6f9775a9 Fix pools for s_client
s_client was not freeing up the async pool if async mode was enabled.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-11-20 23:33:46 +00:00
Matt Caswell
7e25dd6da1 Add s_server and s_client async support
A new -async option is added which activates SSL_MODE_ASYNC. Also
SSL_WANT_ASYNC errors are handled appropriately.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-11-20 23:31:42 +00:00
Nathan Phillip Brink
cfb4f1efba RT2667: Add IRC support to -starttls
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-11-13 17:17:18 -05:00
Richard Levitte
2c9be7d09f Fix usage of BIO_ctrl_set_connected
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-11-02 21:18:34 +01:00
Matt Caswell
a0a82324f9 Centralise loading default apps config file
Loading the config file after processing command line options can
cause problems, e.g. where an engine provides new ciphers/digests
these are not then recoginised on the command line. Move the
default config file loading to before the command line option
processing. Whilst we're doing this we might as well centralise
this instead of doing it individually for each application. Finally
if we do it before the OpenSSL_add_ssl_algorithms() call then
ciphersuites provided by an engine (e.g. GOST) can be available to
the apps.

RT#4085
RT#4086

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-10-12 22:31:00 +01:00
Dr. Stephen Henson
d40a1f72b6 SRP memory leak fix
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-09-28 14:29:16 +01:00
Matt Caswell
2b6bcb702d Add support for -no-CApath and -no-CAfile options
For those command line options that take the verification options
-CApath and -CAfile, if those options are absent then the default path or
file is used instead. It is not currently possible to specify *no* path or
file at all. This change adds the options -no-CApath and -no-CAfile to
specify that the default locations should not be used to all relevant
applications.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-09-25 14:49:59 +01:00
Ben Laurie
df2ee0e27d Enable -Wmissing-variable-declarations and
-Wincompatible-pointer-types-discards-qualifiers (the latter did not require
any code changes).

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-09-11 04:51:55 +01:00
Richard Levitte
a60994df34 Change the treatment of stdin and stdout to allow binary data
If the output to stdout or the input from stdin is meant to be binary,
it's deeply unsetting to get the occasional LF converted to CRLF or
the other way around.  If someone happens to forget to redirect stdin
or stdout, they will get gibberish anyway, line ending conversion will
not change that.

Therefore, let's not have dup_bio_* decide unilaterally what mode the
BIO derived from stdin and stdout, and rather let the app decide by
declaring the intended format.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-09-06 13:34:49 +02:00
Adam Eijdenberg
fb029cebae RT3984: Fix clang compiler warning on Mac OS X where %ld is used for uint64_t.
clang suggests %llu instead, but it isn't clear that is portable on
all platforms.

C99 and above define a handy macro for us, so we try to use that
definition and fall back to current definition if needed (though we
switch to 'u' for unsigned).

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-09-01 20:18:46 +02:00
Matt Caswell
e77bdc7310 Fix SRTP s_client/s_server options
The -use_srtp s_client/s_server option is supposed to take a colon
separated string as an argument. In master this was incorrectly set to
expect a filename.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-08-04 19:20:11 +01:00
Ben Laurie
480405e4a9 Add -Wconditional-uninitialized to clang strict warnings.
Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-08-02 02:45:44 +01:00
Rich Salz
740ceb5b0c Various doc fixes from GH pull requests
Thanks folks:
        348 Benjamin Kaduk
        317 Christian Brueffer
        254 Erik Tews
        253 Erik Tews
        219 Carl Mehner
        155 (ghost)
        95 mancha
        51 DominikNeubauer

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2015-07-31 12:27:27 -04:00
Kai Engert
898ea7b855 RT3742: Add xmpp_server to s_client.
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-07-31 11:19:45 -04:00
Dr. Stephen Henson
13cbe5e711 missing break
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-06-25 12:55:56 +01:00
Rich Salz
3b061a00e3 RT2547: Tighten perms on generated privkey files
When generating a private key, try to make the output file be readable
only by the owner.  Put it in CHANGES file since it might be noticeable.

Add "int private" flag to apps that write private keys, and check that it's
set whenever we do write a private key.  Checked via assert so that this
bug (security-related) gets fixed.  Thanks to Viktor for help in tracing
the code-paths where private keys are written.

Reviewed-by: Viktor Dukhovni <viktor@openssl.org>
2015-06-15 18:26:56 -04:00
Rich Salz
9c3bcfa027 Standardize handling of #ifdef'd options.
Here are the "rules" for handling flags that depend on #ifdef:

- Do not ifdef the enum.  Only ifdef the OPTIONS table.  All ifdef'd
  entries appear at the end; by convention "engine" is last.  This
  ensures that at run-time, the flag will never be recognized/allowed.
  The next two bullets entries are for silencing compiler warnings:
- In the while/switch parsing statement, use #ifdef for the body to
  disable it; leave the "case OPT_xxx:" and "break" statements outside
  the ifdef/ifndef.  See ciphers.c for example.
- If there are multiple options controlled by a single guard, OPT_FOO,
  OPT_BAR, etc., put a an #ifdef around the set, and then do "#else"
  and a series of case labels and a break. See OPENSSL_NO_AES in cms.c
  for example.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-06-02 12:40:24 -04:00
Richard Levitte
296f54ee21 Restore module loading
The module loading feature got broken a while ago, so restore it, but
have it a bit more explicit this time around.

Reviewed-by: Stephen Henson <steve@openssl.org>
2015-05-29 12:41:50 +02:00
Rich Salz
fc0eb00bca fix s_client crash
The 'http proxy' commit broke s_client default host/port value.
Thanks to Matt for the simplest fix.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-05-25 12:46:57 -04:00
Matt Caswell
e481f9b90b Remove support for OPENSSL_NO_TLSEXT
Given the pervasive nature of TLS extensions it is inadvisable to run
OpenSSL without support for them. It also means that maintaining
the OPENSSL_NO_TLSEXT option within the code is very invasive (and probably
not well tested). Therefore it is being removed.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-05-22 23:10:51 +01:00
Michael Trapp
552bf8ec5e RT266: Add HTTP proxy/CONNECT to s_client
Signed-off-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-05-22 16:56:59 -04:00
Matt Caswell
a7f82a1ab2 Fix various OPENSSL_NO_* options
This fixes compilation with various OPENSSL_NO_* options that got broken
during the big apps cleanup.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-05-22 09:38:37 +01:00
Matt Caswell
13c9bb3ece Client side version negotiation rewrite
Continuing from the previous commit this changes the way we do client side
version negotiation. Similarly all of the s23* "up front" state machine code
has been avoided and again things now work much the same way as they already
did for DTLS, i.e. we just do most of the work in the
ssl3_get_server_hello() function.

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-05-16 09:20:31 +01:00
Rich Salz
857048a7f3 Use #error in openssl/srp.h
Follow the same convention the other OPENSSL_NO_xxx header files
do, and use #error instead of making the header file be a no-op.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-05-15 08:16:21 -04:00
Matt Caswell
5561419a60 Remove Kerberos support from apps
Remove Kerberos related options from the apps to prepare for the
subsequent commits which will remove libcrypto and libssl support for
Kerberos.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2015-05-13 15:07:34 +01:00
Rich Salz
75ebbd9aa4 Use p==NULL not !p (in if statements, mainly)
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-05-11 10:06:38 -04:00
Rich Salz
b548a1f11c free null cleanup finale
Don't check for NULL before calling OPENSSL_free

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-05-01 10:02:07 -04:00
Rich Salz
23a1d5e97c free NULL cleanup 7
This gets BN_.*free:
    BN_BLINDING_free BN_CTX_free BN_FLG_FREE BN_GENCB_free
    BN_MONT_CTX_free BN_RECP_CTX_free BN_clear_free BN_free BUF_MEM_free

Also fix a call to DSA_SIG_free to ccgost engine and remove some #ifdef'd
dead code in engines/e_ubsec.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-30 21:37:06 -04:00
Rich Salz
4b45c6e52b free cleanup almost the finale
Add OPENSSL_clear_free which merges cleanse and free.
(Names was picked to be similar to BN_clear_free, etc.)
Removed OPENSSL_freeFunc macro.
Fixed the small simple ones that are left:
        CRYPTO_free CRYPTO_free_locked OPENSSL_free_locked

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-30 17:57:32 -04:00
Rich Salz
68dc682499 In apps, malloc or die
No point in proceeding if you're out of memory.  So change
*all* OPENSSL_malloc calls in apps to use the new routine which
prints a message and exits.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-30 17:48:31 -04:00
Rich Salz
222561fe8e free NULL cleanup 5a
Don't check for NULL before calling a free routine.  This gets X509_.*free:
    x509_name_ex_free X509_policy_tree_free X509_VERIFY_PARAM_free
    X509_STORE_free X509_STORE_CTX_free X509_PKEY_free
    X509_OBJECT_free_contents X509_LOOKUP_free X509_INFO_free

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-30 17:33:59 -04:00
Rich Salz
ecf3a1fb18 Remove needless bio_err argument
Many functions had a BIO* parameter, and it was always called
with bio_err.  Remove the param and just use bio_err.

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-29 11:27:08 -04:00
Rich Salz
b196e7d936 remove malloc casts
Following ANSI C rules, remove the casts from calls to
OPENSSL_malloc and OPENSSL_realloc.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-28 15:28:14 -04:00
Emilia Kasper
2f5997b7b9 Fix Wmaybe-uninitialized: initialize variable
Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-27 16:17:27 +02:00
Rich Salz
d8c25de595 RT2451: Add telnet to s_client -starttls
Also add -xmpphost and -smtphost flags.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-25 16:01:21 -04:00
Rich Salz
6ba8a5b77a Add -nocommands to s_client.
Add flag to disable the 'command letters' from s_client.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-25 15:58:22 -04:00
Rich Salz
333b070ec0 fewer NO_ENGINE #ifdef's
Make setup_engine be a dummy if NO_ENGINE is enabled.
The option is not enabled if NO_ENGINE is enabled, so the one "wasted"
variable just sits there. Removes some variables and code.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-04-25 15:41:29 -04:00
Rich Salz
7e1b748570 Big apps cleanup (option-parsing, etc)
This is merges the old "rsalz-monolith" branch over to master.  The biggest
change is that option parsing switch from cascasding 'else if strcmp("-foo")'
to a utility routine and somethin akin to getopt.  Also, an error in the
command line no longer prints the full summary; use -help (or --help :)
for that.  There have been many other changes and code-cleanup, see
bullet list below.

Special thanks to Matt for the long and detailed code review.

TEMPORARY:
        For now, comment out CRYPTO_mem_leaks() at end of main

Tickets closed:
        RT3515: Use 3DES in pkcs12 if built with no-rc2
        RT1766: s_client -reconnect and -starttls broke
        RT2932: Catch write errors
        RT2604: port should be 'unsigned short'
        RT2983: total_bytes undeclared #ifdef RENEG
        RT1523: Add -nocert to fix output in x509 app
        RT3508: Remove unused variable introduced by b09eb24
        RT3511: doc fix; req default serial is random
        RT1325,2973: Add more extensions to c_rehash
        RT2119,3407: Updated to dgst.pod
        RT2379: Additional typo fix
        RT2693: Extra include of string.h
        RT2880: HFS is case-insensitive filenames
        RT3246: req command prints version number wrong

Other changes; incompatibilities marked with *:
        Add SCSV support
        Add -misalign to speed command
        Make dhparam, dsaparam, ecparam, x509 output C in proper style
        Make some internal ocsp.c functions void
        Only display cert usages with -help in verify
        Use global bio_err, remove "BIO*err" parameter from functions
        For filenames, - always means stdin (or stdout as appropriate)
        Add aliases for -des/aes "wrap" ciphers.
        *Remove support for IISSGC (server gated crypto)
        *The undocumented OCSP -header flag is now "-header name=value"
        *Documented the OCSP -header flag

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-24 15:26:15 -04:00
Viktor Dukhovni
61986d32f3 Code style: space after 'if'
Reviewed-by: Matt Caswell <matt@openssl.org>
2015-04-16 13:44:59 -04:00
Rich Salz
62adbcee39 free NULL cleanup 10
Avoid checking for NULL before calling free functions.  This gets
ssl.*free:
    ssl_sess_cert_free ssl_free ssl_excert_free ssl_cert_free
    SSL_free SSL_SRP_CTX_free SSL_SESSION_free SSL_CTX_free
    SSL_CTX_SRP_CTX_free SSL_CONF_CTX_free

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-04-11 10:22:36 -04:00
Rich Salz
c5ba2d9904 free NULL cleanup
EVP_.*free; this gets:
        EVP_CIPHER_CTX_free EVP_PKEY_CTX_free EVP_PKEY_asn1_free
        EVP_PKEY_asn1_set_free EVP_PKEY_free EVP_PKEY_free_it
        EVP_PKEY_meth_free; and also EVP_CIPHER_CTX_cleanup

Reviewed-by: Kurt Roeckx <kurt@openssl.org>
2015-03-28 10:54:15 -04:00
Rich Salz
ca3a82c3b3 free NULL cleanup
This commit handles BIO_ACCEPT_free BIO_CB_FREE BIO_CONNECT_free
BIO_free BIO_free_all BIO_vfree

Reviewed-by: Matt Caswell <matt@openssl.org>
2015-03-25 11:31:18 -04:00
Matt Caswell
70e5fd8778 Fix bug in s_client. Previously default verify locations would only be loaded
if CAfile or CApath were also supplied and successfully loaded first.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-25 13:03:57 +00:00
Matt Caswell
ac59d70553 apps return value checks
Ensure that all libssl functions called from within the apps have their
return values checked where appropriate.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-03-23 15:23:18 +00:00
Matt Caswell
918bb86529 Unchecked malloc fixes
Miscellaneous unchecked malloc fixes. Also fixed some mem leaks on error
paths as I spotted them along the way.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-03-05 09:09:57 +00:00
Matt Caswell
25690b7f5f Add -no_alt_chains option to apps to implement the new
X509_V_FLAG_NO_ALT_CHAINS flag. Using this option means that when building
certificate chains, the first chain found will be the one used. Without this
flag, if the first chain found is not trusted then we will keep looking to
see if we can build an alternative chain instead.

Reviewed-by: Dr. Stephen Henson <steve@openssl.org>
2015-02-25 09:15:02 +00:00
Rich Salz
6f91b017bb Live code cleanup: remove #if 1 stuff
For code bracketed by "#if 1" then remove the alternate
"#else .. #endif" lines.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-02-06 10:54:20 -05:00
Rich Salz
75d0ebef2a Dead code clean: #if 0 removal in apps
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-30 14:52:57 -05:00
Rich Salz
68fd6dce73 Remove support for opaque-prf
An expired IETF Internet-Draft (seven years old) that nobody
implements, and probably just as good as NSA DRBG work.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-01-28 15:37:16 -05:00
Rich Salz
daa48704cc OPENSSL_NO_XXX cleanup: NO_TLS, NO_TLS1
TLS and TLS1 are no longer optional.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-01-27 15:14:12 -05:00
Matt Caswell
f400241251 Remove explicit setting of read_ahead for DTLS. It never makes sense not to
use read_ahead with DTLS because it doesn't work. Therefore read_ahead needs
to be the default.

Reviewed-by: Andy Polyakov <appro@openssl.org>
2015-01-27 14:28:41 +00:00
Matt Caswell
35a1cc90bc More comment realignment
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:20:10 +00:00
Matt Caswell
0f113f3ee4 Run util/openssl-format-source -v -c .
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:20:09 +00:00
Matt Caswell
dbd87ffc21 indent has problems with comments that are on the right hand side of a line.
Sometimes it fails to format them very well, and sometimes it corrupts them!
This commit moves some particularly problematic ones.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:20:08 +00:00
Matt Caswell
e636e2acd7 Fix source where indent will not be able to cope
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:20:06 +00:00
Matt Caswell
c80fd6b215 Further comment changes for reformat (master)
Reviewed-by: Tim Hudson <tjh@openssl.org>
2015-01-22 09:19:59 +00:00
Rich Salz
6d23cf9744 RT3548: Remove unsupported platforms
This last one for this ticket.  Removes WIN16.
So long, MS_CALLBACK and MS_FAR.  We won't miss you.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2015-01-12 17:30:54 -05:00
Piotr Sikora
e783bae26a Fix building with no-srtp
RT3638

Reviewed-by: Emilia Käsper <emilia@openssl.org>
2015-01-05 14:17:22 +00:00
Dominik Neubauer
2a9338ee31 typo in s_client
Signed-off-by: Kurt Roeckx <kurt@roeckx.be>
Reviewed-by: Geoff Thorpe <geoff@openssl.org>
2014-12-31 11:13:48 +01:00
Rich Salz
b317819b2e RT3548: Remove some obsolete platforms
This commit removes BEOS.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-12-17 17:24:51 -05:00
Kurt Roeckx
45f55f6a5b Remove SSLv2 support
The only support for SSLv2 left is receiving a SSLv2 compatible client hello.

Reviewed-by: Richard Levitte <levitte@openssl.org>
2014-12-04 11:55:03 +01:00
Matt Caswell
464ce92026 Updates to s_client and s_server to remove the constant 28 (for IPv4 header
and UDP header) when setting an mtu. This constant is not always correct (e.g.
if using IPv6). Use the new DTLS_CTRL functions instead.

Reviewed-by: Tim Hudson <tjh@openssl.org>
2014-12-03 09:24:41 +00:00
Dr. Stephen Henson
3881d8106d New option no-ssl3-method which removes SSLv3_*method
When no-ssl3 is set only make SSLv3 disabled by default. Retain -ssl3
options for s_client/s_server/ssltest.

When no-ssl3-method is set SSLv3_*method() is removed and all -ssl3
options.

We should document this somewhere, e.g. wiki, FAQ or manual page.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-11-19 18:11:37 +00:00
Bodo Moeller
fb0e87fb67 Add TLS_FALLBACK_SCSV documentation, and move s_client -fallback_scsv
handling out of #ifndef OPENSSL_NO_DTLS1 section.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2014-10-15 10:43:50 +02:00
Bodo Moeller
cf6da05304 Support TLS_FALLBACK_SCSV.
Reviewed-by: Stephen Henson <steve@openssl.org>
2014-10-15 04:03:28 +02:00
Dr. Stephen Henson
0cfefe4b6d Rename some callbacks, fix alignment.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-28 17:06:53 +01:00
Dr. Stephen Henson
8cafe9e8bf Use consistent function naming.
Instead of SSL_CTX_set_custom_cli_ext and SSL_CTX_set_custom_srv_ext
use SSL_CTX_add_client_custom_ext and SSL_CTX_add_server_custom_ext.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-28 17:06:53 +01:00
Dr. Stephen Henson
33f653adf3 New extension callback features.
Support separate parse and add callback arguments.
Add new callback so an application can free extension data.
Change return value for send functions so < 0 is an error 0
omits extension and > 0 includes it. This is more consistent
with the behaviour of other functions in OpenSSL.

Modify parse_cb handling so <= 0 is an error.

Make SSL_CTX_set_custom_cli_ext and SSL_CTX_set_custom_cli_ext argument
order consistent.

NOTE: these changes WILL break existing code.

Remove (now inaccurate) in line documentation.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-28 17:06:53 +01:00
Dr. Stephen Henson
de2a9e38f3 Callback revision.
Use "parse" and "add" for function and callback names instead of
"first" and "second".

Change arguments to callback so the extension type is unsigned int
and the buffer length is size_t. Note: this *will* break existing code.
Reviewed-by: Emilia Käsper <emilia@openssl.org>
2014-08-28 17:06:53 +01:00
Rich Salz
f642ebc1e2 Undo a90081576c
Undo unapproved commit that removed DJGPP and WATT32
2014-08-09 08:02:20 -04:00
Rich Salz
a90081576c Remove DJGPP (and therefore WATT32) #ifdef's.
DJGPP is no longer a supported platform.  Remove all #ifdef, etc.,
cases that refer to it.  DJGPP also #define'd WATT32, so that
is now removed as well.
2014-08-08 16:54:14 -04:00
Dr. Stephen Henson
ee724df75d Usage for -hack and -prexit -verify_return_error 2014-07-06 22:42:50 +01:00
Dr. Stephen Henson
b948ee27b0 Remove all RFC5878 code.
Remove RFC5878 code. It is no longer needed for CT and has numerous bugs
2014-07-04 13:26:35 +01:00
Dr. Stephen Henson
9cd86abb51 Make NO_SYS_UN_H compile. 2014-07-01 12:44:00 +01:00
Hubert Kario
6d3d579367 Document -trusted_first option in man pages and help.
Add -trusted_first description to help messages and man pages
of tools that deal with certificate verification.
2014-06-19 23:09:21 +01:00
Geoff Thorpe
a935132099 s_client/s_server: support unix domain sockets
The "-unix <path>" argument allows s_server and s_client to use a unix
domain socket in the filesystem instead of IPv4 ("-connect", "-port",
"-accept", etc). If s_server exits gracefully, such as when "-naccept"
is used and the requested number of SSL/TLS connections have occurred,
then the domain socket file is removed. On ctrl-C, it is likely that
the stale socket file will be left over, such that s_server would
normally fail to restart with the same arguments. For this reason,
s_server also supports an "-unlink" option, which will clean up any
stale socket file before starting.

If you have any reason to want encrypted IPC within an O/S instance,
this concept might come in handy. Otherwise it just demonstrates that
there is nothing about SSL/TLS that limits it to TCP/IP in any way.

(There might also be benchmarking and profiling use in this path, as
unix domain sockets are much lower overhead than connecting over local
IP addresses).

Signed-off-by: Geoff Thorpe <geoff@openssl.org>
2014-05-08 22:07:09 -04:00