From 2a7cbe77b3abb244c2211d22d7aa3416b97c9342 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Wed, 12 Sep 2012 23:14:28 +0000 Subject: [PATCH] Add -brief option to s_client and s_server to summarise connection details. New option -verify_quiet to shut up the verify callback unless there is an error. --- CHANGES | 4 +++ apps/s_apps.h | 3 +- apps/s_cb.c | 94 +++++++++++++++++++++++++++++++++++++++++++------ apps/s_client.c | 19 +++++++++- apps/s_server.c | 21 ++++++++--- 5 files changed, 125 insertions(+), 16 deletions(-) diff --git a/CHANGES b/CHANGES index 8e358c69fa..d11b8a3505 100644 --- a/CHANGES +++ b/CHANGES @@ -4,6 +4,10 @@ Changes between 1.0.x and 1.1.0 [xx XXX xxxx] + *) New option -brief for s_client and s_server to print out a brief summary + of connection parameters. + [Steve Henson] + *) Add functions to retrieve and manipulate the raw cipherlist sent by a client to OpenSSL. [Steve Henson] diff --git a/apps/s_apps.h b/apps/s_apps.h index b45c1b9a56..b1ae531367 100644 --- a/apps/s_apps.h +++ b/apps/s_apps.h @@ -161,7 +161,7 @@ int set_cert_key_and_authz(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key, unsigned char *authz, size_t authz_length); # endif int ssl_print_sigalgs(BIO *out, SSL *s); -int ssl_print_curves(BIO *out, SSL *s); +int ssl_print_curves(BIO *out, SSL *s, int noshared); #endif int ssl_print_tmp_key(BIO *out, SSL *s); int init_client(int *sock, char *server, int port, int type); @@ -190,3 +190,4 @@ void ssl_excert_free(SSL_EXCERT *exc); int args_excert(char ***pargs, int *pargc, int *badarg, BIO *err, SSL_EXCERT **pexc); int load_excert(SSL_EXCERT **pexc, BIO *err); +void print_ssl_summary(BIO *bio, SSL *s); diff --git a/apps/s_cb.c b/apps/s_cb.c index fc40f391e3..e339a6ce5d 100644 --- a/apps/s_cb.c +++ b/apps/s_cb.c @@ -125,6 +125,7 @@ #define COOKIE_SECRET_LENGTH 16 int verify_depth=0; +int verify_quiet=0; int verify_error=X509_V_OK; int verify_return_error=0; unsigned char cookie_secret[COOKIE_SECRET_LENGTH]; @@ -139,15 +140,19 @@ int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx) err= X509_STORE_CTX_get_error(ctx); depth= X509_STORE_CTX_get_error_depth(ctx); - BIO_printf(bio_err,"depth=%d ",depth); - if (err_cert) + if (!verify_quiet || !ok) { - X509_NAME_print_ex(bio_err, X509_get_subject_name(err_cert), + BIO_printf(bio_err,"depth=%d ",depth); + if (err_cert) + { + X509_NAME_print_ex(bio_err, + X509_get_subject_name(err_cert), 0, XN_FLAG_ONELINE); - BIO_puts(bio_err, "\n"); + BIO_puts(bio_err, "\n"); + } + else + BIO_puts(bio_err, "\n"); } - else - BIO_puts(bio_err, "\n"); if (!ok) { BIO_printf(bio_err,"verify error:num=%d:%s\n",err, @@ -188,10 +193,10 @@ int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx) policies_print(bio_err, ctx); break; } - if (err == X509_V_OK && ok == 2) + if (err == X509_V_OK && ok == 2 && !verify_quiet) policies_print(bio_err, ctx); - - BIO_printf(bio_err,"verify return:%d\n",ok); + if (ok && !verify_quiet) + BIO_printf(bio_err,"verify return:%d\n",ok); return(ok); } @@ -419,7 +424,7 @@ int ssl_print_sigalgs(BIO *out, SSL *s) return 1; } -int ssl_print_curves(BIO *out, SSL *s) +int ssl_print_curves(BIO *out, SSL *s, int noshared) { int i, ncurves, *curves, nid; const char *cname; @@ -447,6 +452,13 @@ int ssl_print_curves(BIO *out, SSL *s) BIO_printf(out, "%s", cname); } } + if (ncurves == 0) + BIO_puts(out, "NONE"); + if (noshared) + { + BIO_puts(out, "\n"); + return 1; + } BIO_puts(out, "\nShared Elliptic curves: "); OPENSSL_free(curves); ncurves = SSL_get_shared_curve(s, -1); @@ -1459,3 +1471,65 @@ int args_excert(char ***pargs, int *pargc, return 1; } +static void print_raw_cipherlist(BIO *bio, SSL *s) + { + const unsigned char *rlist; + static const unsigned char scsv_id[] = {0, 0, 0xFF}; + size_t i, rlistlen, num; + if (!SSL_is_server(s)) + return; + num = SSL_get0_raw_cipherlist(s, NULL); + rlistlen = SSL_get0_raw_cipherlist(s, &rlist); + BIO_puts(bio, "Client cipher list: "); + for (i = 0; i < rlistlen; i += num, rlist += num) + { + const SSL_CIPHER *c = SSL_CIPHER_find(s, rlist); + if (i) + BIO_puts(bio, ":"); + if (c) + BIO_puts(bio, SSL_CIPHER_get_name(c)); + else if (!memcmp(rlist, scsv_id - num + 3, num)) + BIO_puts(bio, "SCSV"); + else + { + size_t j; + BIO_puts(bio, "0x"); + for (j = 0; j < num; j++) + BIO_printf(bio, "%02X", rlist[j]); + } + } + BIO_puts(bio, "\n"); + } + + +void print_ssl_summary(BIO *bio, SSL *s) + { + const SSL_CIPHER *c; + X509 *peer; + /*const char *pnam = SSL_is_server(s) ? "client" : "server";*/ + BIO_printf(bio, "Protocol version: %s\n", SSL_get_version(s)); + print_raw_cipherlist(bio, s); + c = SSL_get_current_cipher(s); + BIO_printf(bio,"Ciphersuite: %s\n", SSL_CIPHER_get_name(c)); + do_print_sigalgs(bio, s, 0); + peer = SSL_get_peer_certificate(s); + if (peer) + { + int nid; + BIO_puts(bio, "Peer certificate: "); + X509_NAME_print_ex(bio, X509_get_subject_name(peer), + 0, XN_FLAG_ONELINE); + BIO_puts(bio, "\n"); + if (SSL_get_peer_signature_nid(s, &nid)) + BIO_printf(bio, "Hash used: %s\n", OBJ_nid2sn(nid)); + } + else + BIO_puts(bio, "No peer certificate\n"); + if (peer) + X509_free(peer); + if (SSL_is_server(s)) + ssl_print_curves(bio, s, 1); + else + ssl_print_tmp_key(bio, s); + } + diff --git a/apps/s_client.c b/apps/s_client.c index ea0a3216a9..a7b150b02a 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -193,6 +193,7 @@ typedef unsigned int u_int; extern int verify_depth; extern int verify_error; extern int verify_return_error; +extern int verify_quiet; #ifdef FIONBIO static int c_nbio=0; @@ -220,6 +221,7 @@ static BIO *bio_c_out=NULL; static BIO *bio_c_msg=NULL; static int c_quiet=0; static int c_ign_eof=0; +static int c_brief=0; #ifndef OPENSSL_NO_PSK /* Default PSK identity and key */ @@ -688,7 +690,8 @@ int MAIN(int argc, char **argv) verify=SSL_VERIFY_PEER; if (--argc < 1) goto bad; verify_depth=atoi(*(++argv)); - BIO_printf(bio_err,"verify depth is %d\n",verify_depth); + if (!c_quiet) + BIO_printf(bio_err,"verify depth is %d\n",verify_depth); } else if (strcmp(*argv,"-cert") == 0) { @@ -718,6 +721,14 @@ int MAIN(int argc, char **argv) } else if (strcmp(*argv,"-verify_return_error") == 0) verify_return_error = 1; + else if (strcmp(*argv,"-verify_quiet") == 0) + verify_quiet = 1; + else if (strcmp(*argv,"-brief") == 0) + { + c_brief = 1; + verify_quiet = 1; + c_quiet = 1; + } else if (args_excert(&argv, &argc, &badarg, bio_err, &exc)) { if (badarg) @@ -1611,6 +1622,12 @@ SSL_set_tlsext_status_ids(con, ids); else BIO_printf(bio_err, "Error writing session file %s\n", sess_out); } + if (c_brief) + { + BIO_puts(bio_err, + "CONNECTION ESTABLISHED\n"); + print_ssl_summary(bio_err, con); + } print_stuff(bio_c_out,con,full_log); if (full_log > 0) full_log--; diff --git a/apps/s_server.c b/apps/s_server.c index 77b34cbd3e..002de84380 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -268,7 +268,7 @@ static int accept_socket= -1; #undef PROG #define PROG s_server_main -extern int verify_depth, verify_return_error; +extern int verify_depth, verify_return_error, verify_quiet; static char *cipher=NULL; static int s_server_verify=SSL_VERIFY_NONE; @@ -303,6 +303,7 @@ static int cert_status_cb(SSL *s, void *arg); static int no_resume_ephemeral = 0; static int s_msg=0; static int s_quiet=0; +static int s_brief=0; static char *keymatexportlabel=NULL; static int keymatexportlen=20; @@ -466,6 +467,7 @@ static void s_server_init(void) s_debug=0; s_msg=0; s_quiet=0; + s_brief=0; hack=0; #ifndef OPENSSL_NO_ENGINE engine_id=NULL; @@ -1169,6 +1171,8 @@ int MAIN(int argc, char *argv[]) } else if (strcmp(*argv,"-verify_return_error") == 0) verify_return_error = 1; + else if (strcmp(*argv,"-verify_quiet") == 0) + verify_quiet = 1; else if (strcmp(*argv,"-serverpref") == 0) { off|=SSL_OP_CIPHER_SERVER_PREFERENCE; } else if (strcmp(*argv,"-legacy_renegotiation") == 0) @@ -1273,6 +1277,12 @@ int MAIN(int argc, char *argv[]) { s_crlf=1; } else if (strcmp(*argv,"-quiet") == 0) { s_quiet=1; } + else if (strcmp(*argv,"-brief") == 0) + { + s_quiet=1; + s_brief=1; + verify_quiet=1; + } else if (strcmp(*argv,"-bugs") == 0) { bugs=1; } else if (strcmp(*argv,"-no_tmp_rsa") == 0) @@ -2389,7 +2399,7 @@ static int sv_body(char *hostname, int s, unsigned char *context) } else i=raw_read_stdin(buf,bufsize); - if (!s_quiet) + if (!s_quiet && !s_brief) { if ((i <= 0) || (buf[0] == 'Q')) { @@ -2642,6 +2652,9 @@ static int init_ssl_connection(SSL *con) return(0); } + if (s_brief) + print_ssl_summary(bio_err, con); + PEM_write_bio_SSL_SESSION(bio_s_out,SSL_get_session(con)); peer=SSL_get_peer_certificate(con); @@ -2660,7 +2673,7 @@ static int init_ssl_connection(SSL *con) BIO_printf(bio_s_out,"Shared ciphers:%s\n",buf); str=SSL_CIPHER_get_name(SSL_get_current_cipher(con)); ssl_print_sigalgs(bio_s_out, con); - ssl_print_curves(bio_s_out, con); + ssl_print_curves(bio_s_out, con, 0); BIO_printf(bio_s_out,"CIPHER is %s\n",(str != NULL)?str:"(NONE)"); #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) @@ -3003,7 +3016,7 @@ static int www_body(char *hostname, int s, unsigned char *context) BIO_puts(io,"\n"); } ssl_print_sigalgs(io, con); - ssl_print_curves(io, con); + ssl_print_curves(io, con, 0); BIO_printf(io,(SSL_cache_hit(con) ?"---\nReused, " :"---\nNew, ")); -- 2.40.0