From 04611fb0f178b9385c680b576824e35400784269 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Mon, 19 Aug 2013 12:36:50 +0100 Subject: [PATCH] Add -brief option to s_client and s_server to summarise connection details. New option -verify_quiet to shut up the verify callback unless there is an error. (manually applied from commit 2a7cbe77b3abb244c2211d22d7aa3416b97c9342) --- CHANGES | 4 ++ apps/s_apps.h | 3 +- apps/s_cb.c | 106 ++++++++++++++++++++++++++++++++++++++++++------ apps/s_client.c | 24 ++++++++++- apps/s_server.c | 32 +++++++++++---- 5 files changed, 146 insertions(+), 23 deletions(-) diff --git a/CHANGES b/CHANGES index 751819bf6f..db4e8e85b1 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,10 @@ Changes between 1.0.1 and 1.0.2 [xx XXX xxxx] + *) New option -brief for s_client and s_server to print out a brief summary + of connection parameters. + [Steve Henson] + *) Add callbacks for arbitrary TLS extensions. [Trevor Perrin and Ben Laurie] diff --git a/apps/s_apps.h b/apps/s_apps.h index 0a150b791e..64f06090a5 100644 --- a/apps/s_apps.h +++ b/apps/s_apps.h @@ -162,7 +162,7 @@ int set_cert_key_and_authz(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key, # endif int ssl_print_sigalgs(BIO *out, SSL *s); int ssl_print_point_formats(BIO *out, SSL *s); -int ssl_print_curves(BIO *out, SSL *s); +int ssl_print_curves(BIO *out, SSL *s, int noshared); #endif int ssl_print_tmp_key(BIO *out, SSL *s); int init_client(int *sock, char *server, int port, int type); @@ -191,6 +191,7 @@ void ssl_excert_free(SSL_EXCERT *exc); int args_excert(char ***pargs, int *pargc, int *badarg, BIO *err, SSL_EXCERT **pexc); int load_excert(SSL_EXCERT **pexc, BIO *err); +void print_ssl_summary(BIO *bio, SSL *s); #ifdef HEADER_SSL_H int args_ssl(char ***pargs, int *pargc, SSL_CONF_CTX *cctx, int *badarg, BIO *err, STACK_OF(OPENSSL_STRING) **pstr); diff --git a/apps/s_cb.c b/apps/s_cb.c index 865aa383e8..380fc329b0 100644 --- a/apps/s_cb.c +++ b/apps/s_cb.c @@ -125,6 +125,7 @@ #define COOKIE_SECRET_LENGTH 16 int verify_depth=0; +int verify_quiet=0; int verify_error=X509_V_OK; int verify_return_error=0; unsigned char cookie_secret[COOKIE_SECRET_LENGTH]; @@ -139,15 +140,19 @@ int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx) err= X509_STORE_CTX_get_error(ctx); depth= X509_STORE_CTX_get_error_depth(ctx); - BIO_printf(bio_err,"depth=%d ",depth); - if (err_cert) + if (!verify_quiet || !ok) { - X509_NAME_print_ex(bio_err, X509_get_subject_name(err_cert), + BIO_printf(bio_err,"depth=%d ",depth); + if (err_cert) + { + X509_NAME_print_ex(bio_err, + X509_get_subject_name(err_cert), 0, XN_FLAG_ONELINE); - BIO_puts(bio_err, "\n"); + BIO_puts(bio_err, "\n"); + } + else + BIO_puts(bio_err, "\n"); } - else - BIO_puts(bio_err, "\n"); if (!ok) { BIO_printf(bio_err,"verify error:num=%d:%s\n",err, @@ -185,13 +190,14 @@ int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx) BIO_printf(bio_err,"\n"); break; case X509_V_ERR_NO_EXPLICIT_POLICY: - policies_print(bio_err, ctx); + if (!verify_quiet) + policies_print(bio_err, ctx); break; } - if (err == X509_V_OK && ok == 2) + if (err == X509_V_OK && ok == 2 && !verify_quiet) policies_print(bio_err, ctx); - - BIO_printf(bio_err,"verify return:%d\n",ok); + if (ok && !verify_quiet) + BIO_printf(bio_err,"verify return:%d\n",ok); return(ok); } @@ -456,8 +462,7 @@ int ssl_print_point_formats(BIO *out, SSL *s) return 1; } - -int ssl_print_curves(BIO *out, SSL *s) +int ssl_print_curves(BIO *out, SSL *s, int noshared) { int i, ncurves, *curves, nid; const char *cname; @@ -485,8 +490,15 @@ int ssl_print_curves(BIO *out, SSL *s) BIO_printf(out, "%s", cname); } } - BIO_puts(out, "\nShared Elliptic curves: "); + if (ncurves == 0) + BIO_puts(out, "NONE"); OPENSSL_free(curves); + if (noshared) + { + BIO_puts(out, "\n"); + return 1; + } + BIO_puts(out, "\nShared Elliptic curves: "); ncurves = SSL_get_shared_curve(s, -1); for (i = 0; i < ncurves; i++) { @@ -1497,6 +1509,74 @@ int args_excert(char ***pargs, int *pargc, return 1; } +static void print_raw_cipherlist(BIO *bio, SSL *s) + { + const unsigned char *rlist; + static const unsigned char scsv_id[] = {0, 0, 0xFF}; + size_t i, rlistlen, num; + if (!SSL_is_server(s)) + return; + num = SSL_get0_raw_cipherlist(s, NULL); + rlistlen = SSL_get0_raw_cipherlist(s, &rlist); + BIO_puts(bio, "Client cipher list: "); + for (i = 0; i < rlistlen; i += num, rlist += num) + { + const SSL_CIPHER *c = SSL_CIPHER_find(s, rlist); + if (i) + BIO_puts(bio, ":"); + if (c) + BIO_puts(bio, SSL_CIPHER_get_name(c)); + else if (!memcmp(rlist, scsv_id - num + 3, num)) + BIO_puts(bio, "SCSV"); + else + { + size_t j; + BIO_puts(bio, "0x"); + for (j = 0; j < num; j++) + BIO_printf(bio, "%02X", rlist[j]); + } + } + BIO_puts(bio, "\n"); + } + + +void print_ssl_summary(BIO *bio, SSL *s) + { + const SSL_CIPHER *c; + X509 *peer; + /*const char *pnam = SSL_is_server(s) ? "client" : "server";*/ + BIO_printf(bio, "Protocol version: %s\n", SSL_get_version(s)); + print_raw_cipherlist(bio, s); + c = SSL_get_current_cipher(s); + BIO_printf(bio,"Ciphersuite: %s\n", SSL_CIPHER_get_name(c)); + do_print_sigalgs(bio, s, 0); + peer = SSL_get_peer_certificate(s); + if (peer) + { + int nid; + BIO_puts(bio, "Peer certificate: "); + X509_NAME_print_ex(bio, X509_get_subject_name(peer), + 0, XN_FLAG_ONELINE); + BIO_puts(bio, "\n"); + if (SSL_get_peer_signature_nid(s, &nid)) + BIO_printf(bio, "Hash used: %s\n", OBJ_nid2sn(nid)); + } + else + BIO_puts(bio, "No peer certificate\n"); + if (peer) + X509_free(peer); +#ifndef OPENSSL_NO_EC + ssl_print_point_formats(bio, s); + if (SSL_is_server(s)) + ssl_print_curves(bio, s, 1); + else + ssl_print_tmp_key(bio, s); +#else + if (!SSL_is_server(s)) + ssl_print_tmp_key(bio, s); +#endif + } + int args_ssl(char ***pargs, int *pargc, SSL_CONF_CTX *cctx, int *badarg, BIO *err, STACK_OF(OPENSSL_STRING) **pstr) { diff --git a/apps/s_client.c b/apps/s_client.c index e08534b44d..602cec9e90 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -193,6 +193,7 @@ typedef unsigned int u_int; extern int verify_depth; extern int verify_error; extern int verify_return_error; +extern int verify_quiet; #ifdef FIONBIO static int c_nbio=0; @@ -220,6 +221,7 @@ static BIO *bio_c_out=NULL; static BIO *bio_c_msg=NULL; static int c_quiet=0; static int c_ign_eof=0; +static int c_brief=0; #ifndef OPENSSL_NO_PSK /* Default PSK identity and key */ @@ -729,7 +731,8 @@ static char *jpake_secret = NULL; verify=SSL_VERIFY_PEER; if (--argc < 1) goto bad; verify_depth=atoi(*(++argv)); - BIO_printf(bio_err,"verify depth is %d\n",verify_depth); + if (!c_quiet) + BIO_printf(bio_err,"verify depth is %d\n",verify_depth); } else if (strcmp(*argv,"-cert") == 0) { @@ -771,6 +774,14 @@ static char *jpake_secret = NULL; } else if (strcmp(*argv,"-verify_return_error") == 0) verify_return_error = 1; + else if (strcmp(*argv,"-verify_quiet") == 0) + verify_quiet = 1; + else if (strcmp(*argv,"-brief") == 0) + { + c_brief = 1; + verify_quiet = 1; + c_quiet = 1; + } else if (args_excert(&argv, &argc, &badarg, bio_err, &exc)) { if (badarg) @@ -1690,6 +1701,12 @@ SSL_set_tlsext_status_ids(con, ids); else BIO_printf(bio_err, "Error writing session file %s\n", sess_out); } + if (c_brief) + { + BIO_puts(bio_err, + "CONNECTION ESTABLISHED\n"); + print_ssl_summary(bio_err, con); + } print_stuff(bio_c_out,con,full_log); if (full_log > 0) full_log--; @@ -1952,7 +1969,10 @@ printf("read=%d pending=%d peek=%d\n",k,SSL_pending(con),SSL_peek(con,zbuf,10240 break; case SSL_ERROR_SYSCALL: ret=get_last_socket_error(); - BIO_printf(bio_err,"read:errno=%d\n",ret); + if (c_brief) + BIO_puts(bio_err, "CONNECTION CLOSED BY SERVER\n"); + else + BIO_printf(bio_err,"read:errno=%d\n",ret); goto shut; case SSL_ERROR_ZERO_RETURN: BIO_printf(bio_c_out,"closed\n"); diff --git a/apps/s_server.c b/apps/s_server.c index 6bd3ac7a84..96e38c77dd 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -262,7 +262,7 @@ static int accept_socket= -1; #undef PROG #define PROG s_server_main -extern int verify_depth, verify_return_error; +extern int verify_depth, verify_return_error, verify_quiet; static int s_server_verify=SSL_VERIFY_NONE; static int s_server_session_id_context = 1; /* anything will do */ @@ -290,8 +290,10 @@ static int s_tlsextdebug=0; static int s_tlsextstatus=0; static int cert_status_cb(SSL *s, void *arg); #endif +static int no_resume_ephemeral = 0; static int s_msg=0; static int s_quiet=0; +static int s_brief=0; static char *keymatexportlabel=NULL; static int keymatexportlen=20; @@ -455,6 +457,7 @@ static void s_server_init(void) s_debug=0; s_msg=0; s_quiet=0; + s_brief=0; hack=0; #ifndef OPENSSL_NO_ENGINE engine_id=NULL; @@ -1037,7 +1040,8 @@ int MAIN(int argc, char *argv[]) s_server_verify=SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE; if (--argc < 1) goto bad; verify_depth=atoi(*(++argv)); - BIO_printf(bio_err,"verify depth is %d\n",verify_depth); + if (!s_quiet) + BIO_printf(bio_err,"verify depth is %d\n",verify_depth); } else if (strcmp(*argv,"-Verify") == 0) { @@ -1045,7 +1049,8 @@ int MAIN(int argc, char *argv[]) SSL_VERIFY_CLIENT_ONCE; if (--argc < 1) goto bad; verify_depth=atoi(*(++argv)); - BIO_printf(bio_err,"verify depth is %d, must return a certificate\n",verify_depth); + if (!s_quiet) + BIO_printf(bio_err,"verify depth is %d, must return a certificate\n",verify_depth); } else if (strcmp(*argv,"-context") == 0) { @@ -1182,6 +1187,8 @@ int MAIN(int argc, char *argv[]) } else if (strcmp(*argv,"-verify_return_error") == 0) verify_return_error = 1; + else if (strcmp(*argv,"-verify_quiet") == 0) + verify_quiet = 1; else if (strcmp(*argv,"-build_chain") == 0) build_chain = 1; else if (strcmp(*argv,"-CAfile") == 0) @@ -1262,12 +1269,20 @@ int MAIN(int argc, char *argv[]) { s_crlf=1; } else if (strcmp(*argv,"-quiet") == 0) { s_quiet=1; } + else if (strcmp(*argv,"-brief") == 0) + { + s_quiet=1; + s_brief=1; + verify_quiet=1; + } else if (strcmp(*argv,"-no_tmp_rsa") == 0) { no_tmp_rsa=1; } else if (strcmp(*argv,"-no_dhe") == 0) { no_dhe=1; } else if (strcmp(*argv,"-no_ecdhe") == 0) { no_ecdhe=1; } + else if (strcmp(*argv,"-no_resume_ephemeral") == 0) + { no_resume_ephemeral = 1; } #ifndef OPENSSL_NO_PSK else if (strcmp(*argv,"-psk_hint") == 0) { @@ -1589,7 +1604,7 @@ bad: if (bio_s_out == NULL) { - if (s_quiet && !s_debug && !s_msg) + if (s_quiet && !s_debug) { bio_s_out=BIO_new(BIO_s_null()); if (s_msg && !bio_s_msg) @@ -2260,7 +2275,7 @@ static int sv_body(char *hostname, int s, unsigned char *context) } else i=raw_read_stdin(buf,bufsize); - if (!s_quiet) + if (!s_quiet && !s_brief) { if ((i <= 0) || (buf[0] == 'Q')) { @@ -2513,6 +2528,9 @@ static int init_ssl_connection(SSL *con) return(0); } + if (s_brief) + print_ssl_summary(bio_err, con); + PEM_write_bio_SSL_SESSION(bio_s_out,SSL_get_session(con)); peer=SSL_get_peer_certificate(con); @@ -2531,7 +2549,7 @@ static int init_ssl_connection(SSL *con) BIO_printf(bio_s_out,"Shared ciphers:%s\n",buf); str=SSL_CIPHER_get_name(SSL_get_current_cipher(con)); ssl_print_sigalgs(bio_s_out, con); - ssl_print_curves(bio_s_out, con); + ssl_print_curves(bio_s_out, con, 0); BIO_printf(bio_s_out,"CIPHER is %s\n",(str != NULL)?str:"(NONE)"); #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) @@ -2851,7 +2869,7 @@ static int www_body(char *hostname, int s, unsigned char *context) BIO_puts(io,"\n"); } ssl_print_sigalgs(io, con); - ssl_print_curves(io, con); + ssl_print_curves(io, con, 0); BIO_printf(io,(SSL_cache_hit(con) ?"---\nReused, " :"---\nNew, ")); -- 2.40.0