Commit Graph

409 Commits

Author SHA1 Message Date
FdaSilvaYY
36b2cfb191 Add checks on return code when applying some settings.
Remove hardcoded bound checkings.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3141)
2017-04-28 15:49:36 +02:00
FdaSilvaYY
67887855af Output prog name within error message
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3141)
2017-04-28 15:49:36 +02:00
FdaSilvaYY
28e5ea88a8 Add a 'max_send_frag' option to configure maximum size of send fragments
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3141)
2017-04-28 15:49:36 +02:00
Todd Short
9ff2cebf29 Fix s_client when no-dtls
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3344)
2017-04-28 15:42:41 +02:00
Rich Salz
f2150cd74f Remove (broken) diagnostic print
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3336)
2017-04-27 11:38:17 -04:00
Matt Caswell
11ba87f2ff Ensure s_client sends an SNI extension by default
Enforcement of an SNI extension in the initial ClientHello is becoming
increasingly common (e.g. see GitHub issue #2580). This commit changes
s_client so that it adds SNI be default, unless explicitly told not to via
the new "-noservername" option.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2614)
2017-04-27 11:43:55 +01:00
Dmitry Belyavskiy
b5c4209be9 Switch command-line utils to new nameopt API.
The CA names should be printed according to user's decision
print_name instead of set of BIO_printf
dump_cert_text instead of set of BIO_printf
Testing cyrillic output of X509_CRL_print_ex
Write and use X509_CRL_print_ex
Reduce usage of X509_NAME_online
Using X509_REQ_print_ex instead of X509_REQ_print
Fix nameopt processing.
Make dump_cert_text nameopt-friendly
Move nameopt getter/setter to apps/apps.c

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3262)
2017-04-25 12:37:17 -04:00
Matt Caswell
8ccc237720 Add a -sctp option to s_client
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3286)
2017-04-25 11:13:39 +01:00
Dr. Stephen Henson
5969a2dd2c Print CA names in s_server, add -requestCAfile to s_client
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3015)
2017-04-03 23:47:22 +01:00
Dr. Stephen Henson
d2add501f0 Add requestCAfile option
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3015)
2017-04-03 23:47:21 +01:00
Andy Polyakov
7d672984f4 apps/*.c: switch to platform-neutral format modifiers in BIO_print calls.
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3083)
2017-03-30 19:34:18 +02:00
Matt Caswell
12557a3445 Fix s_client early data indicator
s_client was always saying that early_data was rejected even when it was
accepted. This was because it was using the wrong test to detect the end
of the handshake. It was using SSL_in_init() which only tells you whether
it is currently processing/sending/expecting handshake messages. It should
use SSL_is_init_finished() which tells you that no handshake messages are
being processed/sent/expected AND we have completed the handshake. In the
early data case we are not processing/sending handshake messages and we
are expecting early data (not a handshake message) - but the handshake has
not yet completed.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3090)
2017-03-30 16:16:38 +01:00
Benjamin Kaduk
96a5d7fdba Fix a -Wsign-compare warning
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2940)
2017-03-14 11:44:34 -05:00
Andy Polyakov
8b0d424240 apps/s_client.c: harden ldap_ExtendedResponse_parse.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
2017-03-04 23:16:17 +01:00
Matt Caswell
0665b4edae Rename SSL_write_early() to SSL_write_early_data()
This is for consistency with the rest of the API where all the functions
are called *early_data*.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)
2017-03-02 17:44:16 +00:00
Matt Caswell
ade1e88806 Updates to s_server and s_client for the latest early_data API changes
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)
2017-03-02 17:44:16 +00:00
Matt Caswell
0a5ece5bd2 Tighten sanity checks when calling early data functions
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)
2017-03-02 17:44:16 +00:00
Matt Caswell
576eb3958c Get s_client to report on whether early data was accepted or not
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)
2017-03-02 17:44:15 +00:00
Matt Caswell
923ac8271b Add an option to s_client to send early_data
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2737)
2017-03-02 17:44:15 +00:00
Robert Scheck
398b0bbdf7 Add LDAP support (RFC 4511) to s_client ("-starttls ldap")
Based on initial patch by Alex Bergmann <alex@linlab.net> and new function
ldap_ExtendedResponse_parse() by Andy Polyakov <appro@openssl.org>. Thanks
very much to both.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2293)
2017-03-02 16:33:22 +01:00
Matt Caswell
9fa36f5f4b Remove some commented out code in the apps
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Andy Polyakov <appro@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2774)
2017-02-28 16:02:11 +00:00
Dmitry Belyavskiy
a7c04f2b54 Provided support for the -nameopt flag in s_client, s_server and s_time
commands.

Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2695)
2017-02-21 13:50:00 -05:00
Matt Caswell
f14afcaa42 Updates following review feedback
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2609)
2017-02-17 10:28:01 +00:00
Matt Caswell
b07b2a1b44 Add the ability for s_client to send a KeyUpdate message
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2609)
2017-02-17 10:28:00 +00:00
Robert Scheck
af7e05c7c6 Handle negative reply for NNTP STARTTLS in s_client
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2629)
2017-02-15 20:28:44 -05:00
Robert Scheck
20967afb7f Add Sieve support (RFC 5804) to s_client ("-starttls sieve")
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2300)
2017-02-14 14:15:28 -05:00
Peter Wu
4bf73e9f86 apps: Add support for writing a keylog file
The server and client demos (s_client and s_server) are extended with a
-keylogfile option. This is similar as setting the SSLKEYLOGFILE
environment variable for NSS and creates a keylog file which is suitable
for Wireshark.

Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2343)
2017-02-07 19:20:56 +01:00
Robert Scheck
8f85aa6bd3 Add NNTP support (RFC 4642) to s_client ("-starttls nntp")
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2310)
2017-02-03 09:49:54 -05:00
Matt Caswell
1f5b44e943 Miscellaneous style tweaks based on feedback received
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)
2017-01-30 10:18:23 +00:00
Matt Caswell
be62b22b52 Update the s_client -sess_out feature to work for TLSv1.3
Previously "-sess_out" wrote out the session as soon as the handshake
finished. In TLSv1.3 this won't work because the NewSessionTicket message
arrives post-handshake. Instead we use the session callback mechanism to
do this.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/2259)
2017-01-30 10:17:52 +00:00
FdaSilvaYY
0fe2a0af89 Fix a few double ;
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Matt Caswell <matt@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1618)
2017-01-25 09:06:34 +00:00
Richard Levitte
ec2a0e6065 s_client: Better response success check for CONNECT
Instead of looking for "200" and "established" (and failing all other
2xx responses or "Established"), let's look for a line that's not a
header (i.e. doesn't contain a ':') and where the first space is
followed by a '2'.

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1664)
2017-01-25 00:40:17 +01:00
Robert Scheck
7524c52017 Avoid warnings like unused enum value (as suggested by Rich Salz)
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1945)
2016-11-18 07:37:41 -05:00
Robert Scheck
1d8a94fb7d Shift inside of switch back one level (code style change, as requested by Rich Salz)
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1945)
2016-11-18 07:37:41 -05:00
Robert Scheck
9576545a51 Add LMTP support (RFC 2033) to s_client ("-starttls lmtp")
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1945)
2016-11-18 07:37:41 -05:00
Richard Levitte
b612799a80 Revert "Remove heartbeats completely"
Done too soon, this is for future OpenSSL 1.2.0

This reverts commit 6c62f9e163.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-15 14:53:33 +01:00
Richard Levitte
6c62f9e163 Remove heartbeats completely
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1669)
2016-11-15 10:45:21 +01:00
EasySec
a22f9c84b4 Update s_client and s_server documentation about some missing arguments
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1837)
2016-11-12 21:33:24 -05:00
Matt Caswell
582a17d662 Add the SSL_METHOD for TLSv1.3 and all other base changes required
Includes addition of the various options to s_server/s_client. Also adds
one of the new TLS1.3 ciphersuites.

This isn't "real" TLS1.3!! It's identical to TLS1.2 apart from the protocol
and the ciphersuite...and the ciphersuite is just a renamed TLS1.2 one (not
a "real" TLS1.3 ciphersuite).

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-11-02 13:08:21 +00:00
Richard Levitte
dd1abd4462 If an engine comes up explicitely, it must also come down explicitely
In apps/apps.c, one can set up an engine with setup_engine().
However, we freed the structural reference immediately, which means
that for engines that don't already have a structural reference
somewhere else (because it's a built in engine), we end up returning
an invalid reference.

Instead, the function release_engine() is added, and called at the end
of the routines that call setup_engine().

Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1643)
2016-10-19 17:44:08 +02:00
Valentin Vidic
b2e54eb834 Add Postgres support to -starttls
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-10-17 23:05:36 +01:00
FdaSilvaYY
44c83ebd70 Constify command options
Reviewed-by: Kurt Roeckx <kurt@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1694)
2016-10-14 18:25:50 +02:00
Dr. Stephen Henson
eb67172ae5 fix memory leak
Reviewed-by: Tim Hudson <tjh@openssl.org>
2016-10-01 15:16:59 +01:00
David Woodhouse
a6972f3462 Restore '-keyform engine' support for s_client
This used to work in 1.0.2 but disappeared when the argument parsing was
revamped.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1639)
2016-09-28 12:15:17 -04:00
Richard Levitte
057c676afb Fix no-ocsp
Some compilers complain about unused variables, and some tests do
not run well without OCSP.

Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-09-19 15:08:58 +02:00
Richard Levitte
51e5133d55 Refactor to avoid unnecessary preprocessor logic
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-09-15 23:24:06 +02:00
Richard Levitte
c7bdb6a31f Reformat to fit OpenSSL source code standards
Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-09-15 23:24:06 +02:00
Richard Levitte
0d3b65832c VSI submission: redirect terminal input through socket
This is needed, because on VMS, select() can only be used on sockets.  being
able to use select() on all kinds of file descriptors is unique to Unix.

So, the solution for VMS is to create a layer that translates input from
standard input to socket communication.

Reviewed-by: Andy Polyakov <appro@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-09-15 23:24:06 +02:00
Viktor Szakats
d485640b80 s_client: avoid warning on Windows/MS-DOS systems
it appears when using gcc/mingw:
```
apps/s_client.c:815:9: warning: variable 'at_eof' set but not used [-Wunused-but-set-variable]
     int at_eof = 0;
         ^~~~~~
```
Reviewed-by: Matt Caswell <matt@openssl.org>
Reviewed-by: Rich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/1512)
2016-09-13 09:14:15 -04:00
Dr. Stephen Henson
9e313563da fix warning about trailing comma
Reviewed-by: Rich Salz <rsalz@openssl.org>
2016-08-19 19:32:19 +01:00