X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=apps%2Fs_cb.c;h=520323c8b05cfe0498a7a8dc6ad46ff8a29f88a2;hb=cd5e2b0a689a7b22bd470e70ed0b8c84305d6d03;hp=0111c24e96305f7154dbf1b4ac8198271020a8fa;hpb=52f4840cb237cc37cad5eac8328828cf3d3e1049;p=oweals%2Fopenssl.git diff --git a/apps/s_cb.c b/apps/s_cb.c index 0111c24e96..520323c8b0 100644 --- a/apps/s_cb.c +++ b/apps/s_cb.c @@ -1,5 +1,5 @@ /* - * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. + * Copyright 1995-2019 The OpenSSL Project Authors. All Rights Reserved. * * Licensed under the OpenSSL license (the "License"). You may not use * this file except in compliance with the License. You can obtain a copy @@ -11,9 +11,7 @@ #include #include #include /* for memcpy() and strcmp() */ -#define USE_SOCKETS #include "apps.h" -#undef USE_SOCKETS #include #include #include @@ -26,7 +24,7 @@ #define COOKIE_SECRET_LENGTH 16 -VERIFY_CB_ARGS verify_args = { 0, 0, X509_V_OK, 0 }; +VERIFY_CB_ARGS verify_args = { -1, 0, X509_V_OK, 0 }; #ifndef OPENSSL_NO_SOCK static unsigned char cookie_secret[COOKIE_SECRET_LENGTH]; @@ -53,18 +51,19 @@ int verify_callback(int ok, X509_STORE_CTX *ctx) if (!verify_args.quiet || !ok) { BIO_printf(bio_err, "depth=%d ", depth); - if (err_cert) { + if (err_cert != NULL) { X509_NAME_print_ex(bio_err, X509_get_subject_name(err_cert), - 0, XN_FLAG_ONELINE); + 0, get_nameopt()); BIO_puts(bio_err, "\n"); - } else + } else { BIO_puts(bio_err, "\n"); + } } if (!ok) { BIO_printf(bio_err, "verify error:num=%d:%s\n", err, X509_verify_cert_error_string(err)); - if (verify_args.depth >= depth) { + if (verify_args.depth < 0 || verify_args.depth >= depth) { if (!verify_args.return_error) ok = 1; verify_args.error = err; @@ -77,7 +76,7 @@ int verify_callback(int ok, X509_STORE_CTX *ctx) case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT: BIO_puts(bio_err, "issuer= "); X509_NAME_print_ex(bio_err, X509_get_issuer_name(err_cert), - 0, XN_FLAG_ONELINE); + 0, get_nameopt()); BIO_puts(bio_err, "\n"); break; case X509_V_ERR_CERT_NOT_YET_VALID: @@ -101,7 +100,7 @@ int verify_callback(int ok, X509_STORE_CTX *ctx) policies_print(ctx); if (ok && !verify_args.quiet) BIO_printf(bio_err, "verify return:%d\n", ok); - return (ok); + return ok; } int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file) @@ -112,7 +111,7 @@ int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file) BIO_printf(bio_err, "unable to get certificate from '%s'\n", cert_file); ERR_print_errors(bio_err); - return (0); + return 0; } if (key_file == NULL) key_file = cert_file; @@ -120,7 +119,7 @@ int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file) BIO_printf(bio_err, "unable to get private key from '%s'\n", key_file); ERR_print_errors(bio_err); - return (0); + return 0; } /* @@ -135,10 +134,10 @@ int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file) if (!SSL_CTX_check_private_key(ctx)) { BIO_printf(bio_err, "Private key does not match the certificate public key\n"); - return (0); + return 0; } } - return (1); + return 1; } int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key, @@ -206,7 +205,7 @@ static void ssl_print_client_cert_types(BIO *bio, SSL *s) if (i) BIO_puts(bio, ", "); - if (cname) + if (cname != NULL) BIO_puts(bio, cname); else BIO_printf(bio, "UNKNOWN (%d),", cert_type); @@ -229,6 +228,21 @@ static const char *get_sigtype(int nid) case EVP_PKEY_EC: return "ECDSA"; + case NID_ED25519: + return "Ed25519"; + + case NID_ED448: + return "Ed448"; + + case NID_id_GostR3410_2001: + return "gost2001"; + + case NID_id_GostR3410_2012_256: + return "gost2012_256"; + + case NID_id_GostR3410_2012_512: + return "gost2012_512"; + default: return NULL; } @@ -264,13 +278,13 @@ static int do_print_sigalgs(BIO *out, SSL *s, int shared) BIO_puts(out, ":"); sstr = get_sigtype(sign_nid); if (sstr) - BIO_printf(out, "%s+", sstr); + BIO_printf(out, "%s", sstr); else - BIO_printf(out, "0x%02X+", (int)rsign); + BIO_printf(out, "0x%02X", (int)rsign); if (hash_nid != NID_undef) - BIO_printf(out, "%s", OBJ_nid2sn(hash_nid)); - else - BIO_printf(out, "0x%02X", (int)rhash); + BIO_printf(out, "+%s", OBJ_nid2sn(hash_nid)); + else if (sstr == NULL) + BIO_printf(out, "+0x%02X", (int)rhash); } BIO_puts(out, "\n"); return 1; @@ -283,10 +297,10 @@ int ssl_print_sigalgs(BIO *out, SSL *s) ssl_print_client_cert_types(out, s); do_print_sigalgs(out, s, 0); do_print_sigalgs(out, s, 1); - if (SSL_get_peer_signature_nid(s, &nid)) + if (SSL_get_peer_signature_nid(s, &nid) && nid != NID_undef) BIO_printf(out, "Peer signing digest: %s\n", OBJ_nid2sn(nid)); if (SSL_get_peer_signature_type_nid(s, &nid)) - BIO_printf(bio_err, "Peer signature type: %s\n", get_sigtype(nid)); + BIO_printf(out, "Peer signature type: %s\n", get_sigtype(nid)); return 1; } @@ -342,13 +356,13 @@ int ssl_print_groups(BIO *out, SSL *s, int noshared) BIO_puts(out, ":"); nid = groups[i]; /* If unrecognised print out hex version */ - if (nid & TLSEXT_nid_unknown) + if (nid & TLSEXT_nid_unknown) { BIO_printf(out, "0x%04X", nid & 0xFFFF); - else { + } else { /* TODO(TLS1.3): Get group name here */ /* Use NIST name for curve if it exists */ gname = EC_curve_nid2nist(nid); - if (!gname) + if (gname == NULL) gname = OBJ_nid2sn(nid); BIO_printf(out, "%s", gname); } @@ -366,7 +380,7 @@ int ssl_print_groups(BIO *out, SSL *s, int noshared) nid = SSL_get_shared_group(s, i); /* TODO(TLS1.3): Convert for DH groups */ gname = EC_curve_nid2nist(nid); - if (!gname) + if (gname == NULL) gname = OBJ_nid2sn(nid); BIO_printf(out, "%s", gname); } @@ -376,10 +390,12 @@ int ssl_print_groups(BIO *out, SSL *s, int noshared) return 1; } #endif + int ssl_print_tmp_key(BIO *out, SSL *s) { EVP_PKEY *key; - if (!SSL_get_server_tmp_key(s, &key)) + + if (!SSL_get_peer_tmp_key(s, &key)) return 1; BIO_puts(out, "Server Temp Key: "); switch (EVP_PKEY_id(key)) { @@ -399,7 +415,7 @@ int ssl_print_tmp_key(BIO *out, SSL *s) nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec)); EC_KEY_free(ec); cname = EC_curve_nid2nist(nid); - if (!cname) + if (cname == NULL) cname = OBJ_nid2sn(nid); BIO_printf(out, "ECDH, %s, %d bits\n", cname, EVP_PKEY_bits(key)); } @@ -420,19 +436,19 @@ long bio_dump_callback(BIO *bio, int cmd, const char *argp, out = (BIO *)BIO_get_callback_arg(bio); if (out == NULL) - return (ret); + return ret; if (cmd == (BIO_CB_READ | BIO_CB_RETURN)) { BIO_printf(out, "read from %p [%p] (%lu bytes => %ld (0x%lX))\n", (void *)bio, (void *)argp, (unsigned long)argi, ret, ret); BIO_dump(out, argp, (int)ret); - return (ret); + return ret; } else if (cmd == (BIO_CB_WRITE | BIO_CB_RETURN)) { BIO_printf(out, "write to %p [%p] (%lu bytes => %ld (0x%lX))\n", (void *)bio, (void *)argp, (unsigned long)argi, ret, ret); BIO_dump(out, argp, (int)ret); } - return (ret); + return ret; } void apps_ssl_info_callback(const SSL *s, int where, int ret) @@ -461,10 +477,9 @@ void apps_ssl_info_callback(const SSL *s, int where, int ret) if (ret == 0) BIO_printf(bio_err, "%s:failed in %s\n", str, SSL_state_string_long(s)); - else if (ret < 0) { + else if (ret < 0) BIO_printf(bio_err, "%s:error in %s\n", str, SSL_state_string_long(s)); - } } } @@ -478,8 +493,10 @@ static STRINT_PAIR ssl_versions[] = { {"DTLS 1.0 (bad)", DTLS1_BAD_VER}, {NULL} }; + static STRINT_PAIR alert_types[] = { {" close_notify", 0}, + {" end_of_early_data", 1}, {" unexpected_message", 10}, {" bad_record_mac", 20}, {" decryption_failed", 21}, @@ -500,33 +517,43 @@ static STRINT_PAIR alert_types[] = { {" protocol_version", 70}, {" insufficient_security", 71}, {" internal_error", 80}, + {" inappropriate_fallback", 86}, {" user_canceled", 90}, {" no_renegotiation", 100}, + {" missing_extension", 109}, {" unsupported_extension", 110}, {" certificate_unobtainable", 111}, {" unrecognized_name", 112}, {" bad_certificate_status_response", 113}, {" bad_certificate_hash_value", 114}, {" unknown_psk_identity", 115}, + {" certificate_required", 116}, {NULL} }; static STRINT_PAIR handshakes[] = { - {", HelloRequest", 0}, - {", ClientHello", 1}, - {", ServerHello", 2}, - {", HelloVerifyRequest", 3}, - {", NewSessionTicket", 4}, - {", Certificate", 11}, - {", ServerKeyExchange", 12}, - {", CertificateRequest", 13}, - {", ServerHelloDone", 14}, - {", CertificateVerify", 15}, - {", ClientKeyExchange", 16}, - {", Finished", 20}, - {", CertificateUrl", 21}, - {", CertificateStatus", 22}, - {", SupplementalData", 23}, + {", HelloRequest", SSL3_MT_HELLO_REQUEST}, + {", ClientHello", SSL3_MT_CLIENT_HELLO}, + {", ServerHello", SSL3_MT_SERVER_HELLO}, + {", HelloVerifyRequest", DTLS1_MT_HELLO_VERIFY_REQUEST}, + {", NewSessionTicket", SSL3_MT_NEWSESSION_TICKET}, + {", EndOfEarlyData", SSL3_MT_END_OF_EARLY_DATA}, + {", EncryptedExtensions", SSL3_MT_ENCRYPTED_EXTENSIONS}, + {", Certificate", SSL3_MT_CERTIFICATE}, + {", ServerKeyExchange", SSL3_MT_SERVER_KEY_EXCHANGE}, + {", CertificateRequest", SSL3_MT_CERTIFICATE_REQUEST}, + {", ServerHelloDone", SSL3_MT_SERVER_DONE}, + {", CertificateVerify", SSL3_MT_CERTIFICATE_VERIFY}, + {", ClientKeyExchange", SSL3_MT_CLIENT_KEY_EXCHANGE}, + {", Finished", SSL3_MT_FINISHED}, + {", CertificateUrl", SSL3_MT_CERTIFICATE_URL}, + {", CertificateStatus", SSL3_MT_CERTIFICATE_STATUS}, + {", SupplementalData", SSL3_MT_SUPPLEMENTAL_DATA}, + {", KeyUpdate", SSL3_MT_KEY_UPDATE}, +#ifndef OPENSSL_NO_NEXTPROTONEG + {", NextProto", SSL3_MT_NEXT_PROTO}, +#endif + {", MessageHash", SSL3_MT_MESSAGE_HASH}, {NULL} }; @@ -547,10 +574,10 @@ void msg_cb(int write_p, int version, int content_type, const void *buf, version == DTLS1_VERSION || version == DTLS1_BAD_VER) { switch (content_type) { case 20: - str_content_type = "ChangeCipherSpec"; + str_content_type = ", ChangeCipherSpec"; break; case 21: - str_content_type = "Alert"; + str_content_type = ", Alert"; str_details1 = ", ???"; if (len == 2) { switch (bp[0]) { @@ -565,13 +592,13 @@ void msg_cb(int write_p, int version, int content_type, const void *buf, } break; case 22: - str_content_type = "Handshake"; + str_content_type = ", Handshake"; str_details1 = "???"; if (len > 0) str_details1 = lookup((int)bp[0], handshakes, "???"); break; case 23: - str_content_type = "ApplicationData"; + str_content_type = ", ApplicationData"; break; #ifndef OPENSSL_NO_HEARTBEATS case 24: @@ -647,6 +674,59 @@ static STRINT_PAIR tlsext_types[] = { #ifdef TLSEXT_TYPE_extended_master_secret {"extended master secret", TLSEXT_TYPE_extended_master_secret}, #endif + {"key share", TLSEXT_TYPE_key_share}, + {"supported versions", TLSEXT_TYPE_supported_versions}, + {"psk", TLSEXT_TYPE_psk}, + {"psk kex modes", TLSEXT_TYPE_psk_kex_modes}, + {"certificate authorities", TLSEXT_TYPE_certificate_authorities}, + {"post handshake auth", TLSEXT_TYPE_post_handshake_auth}, + {NULL} +}; + +/* from rfc8446 4.2.3. + gost (https://tools.ietf.org/id/draft-smyshlyaev-tls12-gost-suites-04.html) */ +static STRINT_PAIR signature_tls13_scheme_list[] = { + {"rsa_pkcs1_sha1", 0x0201 /* TLSEXT_SIGALG_rsa_pkcs1_sha1 */}, + {"ecdsa_sha1", 0x0203 /* TLSEXT_SIGALG_ecdsa_sha1 */}, +/* {"rsa_pkcs1_sha224", 0x0301 TLSEXT_SIGALG_rsa_pkcs1_sha224}, not in rfc8446 */ +/* {"ecdsa_sha224", 0x0303 TLSEXT_SIGALG_ecdsa_sha224} not in rfc8446 */ + {"rsa_pkcs1_sha256", 0x0401 /* TLSEXT_SIGALG_rsa_pkcs1_sha256 */}, + {"ecdsa_secp256r1_sha256", 0x0403 /* TLSEXT_SIGALG_ecdsa_secp256r1_sha256 */}, + {"rsa_pkcs1_sha384", 0x0501 /* TLSEXT_SIGALG_rsa_pkcs1_sha384 */}, + {"ecdsa_secp384r1_sha384", 0x0503 /* TLSEXT_SIGALG_ecdsa_secp384r1_sha384 */}, + {"rsa_pkcs1_sha512", 0x0601 /* TLSEXT_SIGALG_rsa_pkcs1_sha512 */}, + {"ecdsa_secp521r1_sha512", 0x0603 /* TLSEXT_SIGALG_ecdsa_secp521r1_sha512 */}, + {"rsa_pss_rsae_sha256", 0x0804 /* TLSEXT_SIGALG_rsa_pss_rsae_sha256 */}, + {"rsa_pss_rsae_sha384", 0x0805 /* TLSEXT_SIGALG_rsa_pss_rsae_sha384 */}, + {"rsa_pss_rsae_sha512", 0x0806 /* TLSEXT_SIGALG_rsa_pss_rsae_sha512 */}, + {"ed25519", 0x0807 /* TLSEXT_SIGALG_ed25519 */}, + {"ed448", 0x0808 /* TLSEXT_SIGALG_ed448 */}, + {"rsa_pss_pss_sha256", 0x0809 /* TLSEXT_SIGALG_rsa_pss_pss_sha256 */}, + {"rsa_pss_pss_sha384", 0x080a /* TLSEXT_SIGALG_rsa_pss_pss_sha384 */}, + {"rsa_pss_pss_sha512", 0x080b /* TLSEXT_SIGALG_rsa_pss_pss_sha512 */}, + {"gostr34102001", 0xeded /* TLSEXT_SIGALG_gostr34102001_gostr3411 */}, + {"gostr34102012_256", 0xeeee /* TLSEXT_SIGALG_gostr34102012_256_gostr34112012_256 */}, + {"gostr34102012_512", 0xefef /* TLSEXT_SIGALG_gostr34102012_512_gostr34112012_512 */}, + {NULL} +}; + +/* from rfc5246 7.4.1.4.1. */ +static STRINT_PAIR signature_tls12_alg_list[] = { + {"anonymous", TLSEXT_signature_anonymous /* 0 */}, + {"RSA", TLSEXT_signature_rsa /* 1 */}, + {"DSA", TLSEXT_signature_dsa /* 2 */}, + {"ECDSA", TLSEXT_signature_ecdsa /* 3 */}, + {NULL} +}; + +/* from rfc5246 7.4.1.4.1. */ +static STRINT_PAIR signature_tls12_hash_list[] = { + {"none", TLSEXT_hash_none /* 0 */}, + {"MD5", TLSEXT_hash_md5 /* 1 */}, + {"SHA1", TLSEXT_hash_sha1 /* 2 */}, + {"SHA224", TLSEXT_hash_sha224 /* 3 */}, + {"SHA256", TLSEXT_hash_sha256 /* 4 */}, + {"SHA384", TLSEXT_hash_sha384 /* 5 */}, + {"SHA512", TLSEXT_hash_sha512 /* 6 */}, {NULL} }; @@ -667,9 +747,9 @@ int generate_cookie_callback(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len) { unsigned char *buffer; - size_t length; + size_t length = 0; unsigned short port; - BIO_ADDR *peer = NULL; + BIO_ADDR *lpeer = NULL, *peer = NULL; /* Initialize a random secret */ if (!cookie_initialized) { @@ -680,17 +760,24 @@ int generate_cookie_callback(SSL *ssl, unsigned char *cookie, cookie_initialized = 1; } - peer = BIO_ADDR_new(); - if (peer == NULL) { - BIO_printf(bio_err, "memory full\n"); - return 0; - } + if (SSL_is_dtls(ssl)) { + lpeer = peer = BIO_ADDR_new(); + if (peer == NULL) { + BIO_printf(bio_err, "memory full\n"); + return 0; + } - /* Read peer information */ - (void)BIO_dgram_get_peer(SSL_get_rbio(ssl), peer); + /* Read peer information */ + (void)BIO_dgram_get_peer(SSL_get_rbio(ssl), peer); + } else { + peer = ourpeer; + } /* Create buffer with peer's address and port */ - BIO_ADDR_rawaddress(peer, NULL, &length); + if (!BIO_ADDR_rawaddress(peer, NULL, &length)) { + BIO_printf(bio_err, "Failed getting peer address\n"); + return 0; + } OPENSSL_assert(length != 0); port = BIO_ADDR_rawport(peer); length += sizeof(port); @@ -704,7 +791,7 @@ int generate_cookie_callback(SSL *ssl, unsigned char *cookie, buffer, length, cookie, cookie_len); OPENSSL_free(buffer); - BIO_ADDR_free(peer); + BIO_ADDR_free(lpeer); return 1; } @@ -725,6 +812,22 @@ int verify_cookie_callback(SSL *ssl, const unsigned char *cookie, return 0; } + +int generate_stateless_cookie_callback(SSL *ssl, unsigned char *cookie, + size_t *cookie_len) +{ + unsigned int temp; + int res = generate_cookie_callback(ssl, cookie, &temp); + *cookie_len = temp; + return res; +} + +int verify_stateless_cookie_callback(SSL *ssl, const unsigned char *cookie, + size_t cookie_len) +{ + return verify_cookie_callback(ssl, cookie, cookie_len); +} + #endif /* @@ -796,24 +899,24 @@ static int set_cert_cb(SSL *ssl, void *arg) #endif SSL_certs_clear(ssl); - if (!exc) + if (exc == NULL) return 1; /* * Go to end of list and traverse backwards since we prepend newer * entries this retains the original order. */ - while (exc->next) + while (exc->next != NULL) exc = exc->next; i = 0; - while (exc) { + while (exc != NULL) { i++; rv = SSL_check_chain(ssl, exc->cert, exc->key, exc->chain); BIO_printf(bio_err, "Checking cert chain %d:\nSubject: ", i); X509_NAME_print_ex(bio_err, X509_get_subject_name(exc->cert), 0, - XN_FLAG_ONELINE); + get_nameopt()); BIO_puts(bio_err, "\n"); print_chain_flags(ssl, rv); if (rv & CERT_PKEY_VALID) { @@ -829,8 +932,9 @@ static int set_cert_cb(SSL *ssl, void *arg) if (exc->build_chain) { if (!SSL_build_cert_chain(ssl, 0)) return 0; - } else if (exc->chain) + } else if (exc->chain != NULL) { SSL_set1_chain(ssl, exc->chain); + } } exc = exc->prev; } @@ -867,7 +971,7 @@ void ssl_excert_free(SSL_EXCERT *exc) { SSL_EXCERT *curr; - if (!exc) + if (exc == NULL) return; while (exc) { X509_free(exc->cert); @@ -882,33 +986,33 @@ void ssl_excert_free(SSL_EXCERT *exc) int load_excert(SSL_EXCERT **pexc) { SSL_EXCERT *exc = *pexc; - if (!exc) + if (exc == NULL) return 1; /* If nothing in list, free and set to NULL */ - if (!exc->certfile && !exc->next) { + if (exc->certfile == NULL && exc->next == NULL) { ssl_excert_free(exc); *pexc = NULL; return 1; } for (; exc; exc = exc->next) { - if (!exc->certfile) { + if (exc->certfile == NULL) { BIO_printf(bio_err, "Missing filename\n"); return 0; } exc->cert = load_cert(exc->certfile, exc->certform, "Server Certificate"); - if (!exc->cert) + if (exc->cert == NULL) return 0; - if (exc->keyfile) { + if (exc->keyfile != NULL) { exc->key = load_key(exc->keyfile, exc->keyform, 0, NULL, NULL, "Server Key"); } else { exc->key = load_key(exc->certfile, exc->certform, 0, NULL, NULL, "Server Key"); } - if (!exc->key) + if (exc->key == NULL) return 0; - if (exc->chainfile) { + if (exc->chainfile != NULL) { if (!load_certs(exc->chainfile, &exc->chain, FORMAT_PEM, NULL, "Server Chain")) return 0; @@ -940,7 +1044,7 @@ int args_excert(int opt, SSL_EXCERT **pexc) case OPT_X__LAST: return 0; case OPT_X_CERT: - if (exc->certfile && !ssl_excert_prepend(&exc)) { + if (exc->certfile != NULL && !ssl_excert_prepend(&exc)) { BIO_printf(bio_err, "%s: Error adding xcert\n", opt_getprog()); goto err; } @@ -948,14 +1052,14 @@ int args_excert(int opt, SSL_EXCERT **pexc) exc->certfile = opt_arg(); break; case OPT_X_KEY: - if (exc->keyfile) { + if (exc->keyfile != NULL) { BIO_printf(bio_err, "%s: Key already specified\n", opt_getprog()); goto err; } exc->keyfile = opt_arg(); break; case OPT_X_CHAIN: - if (exc->chainfile) { + if (exc->chainfile != NULL) { BIO_printf(bio_err, "%s: Chain already specified\n", opt_getprog()); goto err; @@ -998,11 +1102,11 @@ static void print_raw_cipherlist(SSL *s) const SSL_CIPHER *c = SSL_CIPHER_find(s, rlist); if (i) BIO_puts(bio_err, ":"); - if (c) + if (c != NULL) { BIO_puts(bio_err, SSL_CIPHER_get_name(c)); - else if (!memcmp(rlist, scsv_id, num)) + } else if (memcmp(rlist, scsv_id, num) == 0) { BIO_puts(bio_err, "SCSV"); - else { + } else { size_t j; BIO_puts(bio_err, "0x"); for (j = 0; j < num; j++) @@ -1024,8 +1128,8 @@ static char *hexencode(const unsigned char *data, size_t len) int ilen = (int) outlen; if (outlen < len || ilen < 0 || outlen != (size_t)ilen) { - BIO_printf(bio_err, "%s: %" PRIu64 "-byte buffer too large to hexencode\n", - opt_getprog(), (uint64_t)len); + BIO_printf(bio_err, "%s: %zu-byte buffer too large to hexencode\n", + opt_getprog(), len); exit(1); } cp = out = app_malloc(ilen, "TLSA hex data buffer"); @@ -1090,7 +1194,6 @@ void print_ssl_summary(SSL *s) { const SSL_CIPHER *c; X509 *peer; - /* const char *pnam = SSL_is_server(s) ? "client" : "server"; */ BIO_printf(bio_err, "Protocol version: %s\n", SSL_get_version(s)); print_raw_cipherlist(s); @@ -1098,20 +1201,21 @@ void print_ssl_summary(SSL *s) BIO_printf(bio_err, "Ciphersuite: %s\n", SSL_CIPHER_get_name(c)); do_print_sigalgs(bio_err, s, 0); peer = SSL_get_peer_certificate(s); - if (peer) { + if (peer != NULL) { int nid; BIO_puts(bio_err, "Peer certificate: "); X509_NAME_print_ex(bio_err, X509_get_subject_name(peer), - 0, XN_FLAG_ONELINE); + 0, get_nameopt()); BIO_puts(bio_err, "\n"); if (SSL_get_peer_signature_nid(s, &nid)) BIO_printf(bio_err, "Hash used: %s\n", OBJ_nid2sn(nid)); if (SSL_get_peer_signature_type_nid(s, &nid)) BIO_printf(bio_err, "Signature type: %s\n", get_sigtype(nid)); print_verify_detail(s, bio_err); - } else + } else { BIO_puts(bio_err, "No peer certificate\n"); + } X509_free(peer); #ifndef OPENSSL_NO_EC ssl_print_point_formats(bio_err, s); @@ -1135,7 +1239,7 @@ int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str, const char *flag = sk_OPENSSL_STRING_value(str, i); const char *arg = sk_OPENSSL_STRING_value(str, i + 1); if (SSL_CONF_cmd(cctx, flag, arg) <= 0) { - if (arg) + if (arg != NULL) BIO_printf(bio_err, "Error with command: \"%s %s\"\n", flag, arg); else @@ -1225,9 +1329,9 @@ static STRINT_PAIR callback_types[] = { {"Supported Curve", SSL_SECOP_CURVE_SUPPORTED}, {"Shared Curve", SSL_SECOP_CURVE_SHARED}, {"Check Curve", SSL_SECOP_CURVE_CHECK}, - {"Supported Signature Algorithm digest", SSL_SECOP_SIGALG_SUPPORTED}, - {"Shared Signature Algorithm digest", SSL_SECOP_SIGALG_SHARED}, - {"Check Signature Algorithm digest", SSL_SECOP_SIGALG_CHECK}, + {"Supported Signature Algorithm", SSL_SECOP_SIGALG_SUPPORTED}, + {"Shared Signature Algorithm", SSL_SECOP_SIGALG_SHARED}, + {"Check Signature Algorithm", SSL_SECOP_SIGALG_CHECK}, {"Signature Algorithm mask", SSL_SECOP_SIGALG_MASK}, {"Certificate chain EE key", SSL_SECOP_EE_KEY}, {"Certificate chain CA key", SSL_SECOP_CA_KEY}, @@ -1247,29 +1351,37 @@ static int security_callback_debug(const SSL *s, const SSL_CTX *ctx, security_debug_ex *sdb = ex; int rv, show_bits = 1, cert_md = 0; const char *nm; + int show_nm; rv = sdb->old_cb(s, ctx, op, bits, nid, other, ex); if (rv == 1 && sdb->verbose < 2) return 1; BIO_puts(sdb->out, "Security callback: "); nm = lookup(op, callback_types, NULL); + show_nm = nm != NULL; switch (op) { case SSL_SECOP_TICKET: case SSL_SECOP_COMPRESSION: show_bits = 0; - nm = NULL; + show_nm = 0; break; case SSL_SECOP_VERSION: BIO_printf(sdb->out, "Version=%s", lookup(nid, ssl_versions, "???")); show_bits = 0; - nm = NULL; + show_nm = 0; break; case SSL_SECOP_CA_MD: case SSL_SECOP_PEER_CA_MD: cert_md = 1; break; + case SSL_SECOP_SIGALG_SUPPORTED: + case SSL_SECOP_SIGALG_SHARED: + case SSL_SECOP_SIGALG_CHECK: + case SSL_SECOP_SIGALG_MASK: + show_nm = 0; + break; } - if (nm) + if (show_nm) BIO_printf(sdb->out, "%s=", nm); switch (op & SSL_SECOP_OTHER_TYPE) { @@ -1316,27 +1428,28 @@ static int security_callback_debug(const SSL *s, const SSL_CTX *ctx, { const unsigned char *salg = other; const char *sname = NULL; - switch (salg[1]) { - case TLSEXT_signature_anonymous: - sname = "anonymous"; - break; - case TLSEXT_signature_rsa: - sname = "RSA"; - break; - case TLSEXT_signature_dsa: - sname = "DSA"; - break; - case TLSEXT_signature_ecdsa: - sname = "ECDSA"; - break; - } + int raw_sig_code = (salg[0] << 8) + salg[1]; /* always big endian (msb, lsb) */ + /* raw_sig_code: signature_scheme from tls1.3, or signature_and_hash from tls1.2 */ - BIO_puts(sdb->out, OBJ_nid2sn(nid)); - if (sname) - BIO_printf(sdb->out, ", algorithm=%s", sname); + if (nm != NULL) + BIO_printf(sdb->out, "%s", nm); else - BIO_printf(sdb->out, ", algid=%d", salg[1]); - break; + BIO_printf(sdb->out, "s_cb.c:security_callback_debug op=0x%x", op); + + sname = lookup(raw_sig_code, signature_tls13_scheme_list, NULL); + if (sname != NULL) { + BIO_printf(sdb->out, " scheme=%s", sname); + } else { + int alg_code = salg[1]; + int hash_code = salg[0]; + const char *alg_str = lookup(alg_code, signature_tls12_alg_list, NULL); + const char *hash_str = lookup(hash_code, signature_tls12_hash_list, NULL); + + if (alg_str != NULL && hash_str != NULL) + BIO_printf(sdb->out, " digest=%s, algorithm=%s", hash_str, alg_str); + else + BIO_printf(sdb->out, " scheme=unknown(0x%04x)", raw_sig_code); + } } } @@ -1404,3 +1517,21 @@ int set_keylog_file(SSL_CTX *ctx, const char *keylog_file) SSL_CTX_set_keylog_callback(ctx, keylog_callback); return 0; } + +void print_ca_names(BIO *bio, SSL *s) +{ + const char *cs = SSL_is_server(s) ? "server" : "client"; + const STACK_OF(X509_NAME) *sk = SSL_get0_peer_CA_list(s); + int i; + + if (sk == NULL || sk_X509_NAME_num(sk) == 0) { + BIO_printf(bio, "---\nNo %s certificate CA names sent\n", cs); + return; + } + + BIO_printf(bio, "---\nAcceptable %s certificate CA names\n",cs); + for (i = 0; i < sk_X509_NAME_num(sk); i++) { + X509_NAME_print_ex(bio, sk_X509_NAME_value(sk, i), 0, get_nameopt()); + BIO_write(bio, "\n", 1); + } +}