Hallo,

this patch has 2 changes for s_client:
* It adds the command line param -Verify, which terminates the
  SSL handshake if peer verification fails.
* It adds the additional flag "manual" to the param -starttls,
  putting the complete initial handshake into the user's hands.
  For example, exim4 needs at least the EHLO command
  before it accepts the STARTTLS command.

It would be good if somebody could have a look at this patch
and apply it to the head...

Bye

Goetz

--
DMCA: The greed of the few outweighs the freedom of the many
Index: s_cb.c
===================================================================
RCS file: /home/gbe/data/cvs/openssl/openssl/apps/s_cb.c,v
retrieving revision 1.17
diff -u -r1.17 s_cb.c
--- s_cb.c	5 Apr 2005 19:11:18 -0000	1.17
+++ s_cb.c	13 Jun 2005 20:24:02 -0000
@@ -136,15 +136,19 @@
 
 	X509_NAME_oneline(X509_get_subject_name(err_cert),buf,sizeof buf);
 	BIO_printf(bio_err,"depth=%d %s\n",depth,buf);
+	verify_error=err;
 	if (!ok)
 		{
 		BIO_printf(bio_err,"verify error:num=%d:%s\n",err,
 			X509_verify_cert_error_string(err));
 		if (verify_depth >= depth)
 			{
-			ok=1;
-			verify_error=X509_V_OK;
-			}
+                          if (depth > 0)
+                          {
+                            ok=1;
+                            verify_error=X509_V_OK;
+                          }
+                        }
 		else
 			{
 			ok=0;
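Review bot: The added `if (depth > 0)` gate only stops the override for errors reported on the leaf certificate, so a chain whose problem is reported at depth > 0 — a self-signed or untrusted CA in the chain, an issuer that cannot be found — is still forced to `ok=1` whenever `verify_depth >= depth`, which is not mandatory verification. The gate also lives in verify_callback, which plain `-verify` installs as well (and, since it is in s_cb.c, is as far as I recall shared with s_server), so it silently changes the documented continue-on-error behaviour of `-verify` instead of being specific to the new `-Verify` option. Carrying the intent in a separate file-scope flag next to `verify_depth`, set only by `-Verify`, and writing the override as `if (!verify_mandatory) { ok=1; verify_error=X509_V_OK; }` (constructed name) would leave `-verify` untouched and reject every error the library reports rather than only depth-0 ones. The new lines are also indented with spaces where the rest of the function uses tabs. verify_callback starts and ends outside the hunk.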
Index: s_client.c
===================================================================
RCS file: /home/gbe/data/cvs/openssl/openssl/apps/s_client.c,v
retrieving revision 1.81
diff -u -r1.81 s_client.c
--- s_client.c	4 Nov 2005 09:30:54 -0000	1.81
+++ s_client.c	10 Nov 2005 22:27:54 -0000
@@ -167,6 +167,7 @@
 
 static void sc_usage(void);
 static void print_stuff(BIO *berr,SSL *con,int full);
+static int  do_pressl(BIO *sbio, int starttls_proto);
 static BIO *bio_c_out=NULL;
 static int c_quiet=0;
 static int c_ign_eof=0;
@@ -180,6 +181,7 @@
 	BIO_printf(bio_err," -connect host:port - who to connect to (default is %s:%s)\n",SSL_HOST_NAME,PORT_STR);
 
 	BIO_printf(bio_err," -verify arg   - turn on peer certificate verification\n");
+	BIO_printf(bio_err," -Verify arg   - turn on mandatory peer certificate verification\n");
 	BIO_printf(bio_err," -cert arg     - certificate file to use, PEM format assumed\n");
 	BIO_printf(bio_err," -certform arg - certificate format (PEM or DER) PEM default\n");
 	BIO_printf(bio_err," -key arg      - Private key file to use, in cert file if\n");
@@ -217,7 +219,7 @@
 	BIO_printf(bio_err," -starttls prot - use the STARTTLS command before starting TLS\n");
 	BIO_printf(bio_err,"                 for those protocols that support it, where\n");
 	BIO_printf(bio_err,"                 'prot' defines which one to assume.  Currently,\n");
-	BIO_printf(bio_err,"                 only \"smtp\" and \"pop3\" are supported.\n");
+	BIO_printf(bio_err,"                 only \"smtp\",  \"pop3\" and \"manual\" are supported.\n");
 #ifndef OPENSSL_NO_ENGINE
 	BIO_printf(bio_err," -engine id    - Initialise and use the specified engine\n");
 #endif
@@ -337,6 +339,13 @@
 			verify_depth=atoi(*(++argv));
 			BIO_printf(bio_err,"verify depth is %d\n",verify_depth);
 			}
+		else if	(strcmp(*argv,"-Verify") == 0)
+			{
+			verify=SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT;
+			if (--argc < 1) goto bad;
+			verify_depth=atoi(*(++argv));
+			BIO_printf(bio_err,"verify depth is %d (mandatory)\n",verify_depth);
+			}
 		else if	(strcmp(*argv,"-cert") == 0)
 			{
 			if (--argc < 1) goto bad;
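Review bot: The only difference between this `-Verify` branch and the existing `-verify` one is the added `SSL_VERIFY_FAIL_IF_NO_PEER_CERT` bit, and as documented for SSL_CTX_set_verify that flag is ignored in client mode, so on its own the option does not make verification mandatory; whatever terminates the handshake comes from the unconditional change to verify_callback in the s_cb.c hunk, which plain `-verify` receives as well. If `-Verify` is meant to be the switch, it should set a dedicated flag that the callback consults, e.g. `verify_mandatory=1;` (constructed name) beside the `verify=` assignment, with `-verify` leaving it clear. The depth still goes through `atoi` with no range check, as in `-verify`; a small shared helper for both options would avoid duplicating the three lines and keep any later check in one place. The enclosing option loop starts and ends outside the hunk.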
@@ -462,6 +471,8 @@
 				starttls_proto = 1;
 			else if (strcmp(*argv,"pop3") == 0)
 				starttls_proto = 2;
+			else if (strcmp(*argv,"manual") == 0)
+				starttls_proto = 3;
 			else
 				goto bad;
 			}
@@ -712,17 +723,13 @@
 	sbuf_off=0;
 
 	/* This is an ugly hack that does a lot of assumptions */
-	if (starttls_proto == 1)
-		{
-		BIO_read(sbio,mbuf,BUFSIZZ);
-		BIO_printf(sbio,"STARTTLS\r\n");
-		BIO_read(sbio,sbuf,BUFSIZZ);
-		}
-	if (starttls_proto == 2)
+	if (starttls_proto > 0)
 		{
-		BIO_read(sbio,mbuf,BUFSIZZ);
-		BIO_printf(sbio,"STLS\r\n");
-		BIO_read(sbio,sbuf,BUFSIZZ);
+		if (!do_pressl(sbio, starttls_proto))
+			{
+			SHUTDOWN(SSL_get_fd(con));
+			goto end;
+			}
 		}
 
 	for (;;)
@@ -1210,3 +1217,52 @@
 	BIO_flush(bio);
 	}
 
+static int  do_pressl(BIO *sbio, int starttls_proto)
+	{
+	char buf[BUFSIZZ+1];
+
+	switch(starttls_proto)
+		{
+		case 1:
+			BIO_read(sbio,buf,BUFSIZZ);
+			BIO_printf(sbio,"STARTTLS\r\n");
+			BIO_read(sbio,buf,BUFSIZZ);
+			return 1;
+		case 2:
+			BIO_read(sbio,buf,BUFSIZZ);
+			BIO_printf(sbio,"STLS\r\n");
+			BIO_read(sbio,buf,BUFSIZZ);
+			return 1;
+		case 3:
+			{
+			int i;
+			printf("please input data (input \"__STARTTLS__\" in single line to start tls)\n");
+			while(1)
+				{
+				i = BIO_read(sbio,buf,BUFSIZZ);
+				if (i > 0)
+					{
+					buf[i] = 0x00;
+					printf("%s",buf);
+					i = raw_read_stdin(buf,BUFSIZZ/2);
+					if (i > 0)
+						{
+						while( i >= 0 &&
+							(buf[i-1] == '\n' ||
+							 buf[i-1] == '\r' ))
+							i--;
+						buf[i] = 0x00;
+						if (!strcmp(buf,"__STARTTLS__"))
+							return 1;
+						BIO_printf(sbio,"%s\r\n",buf);
+						}
+					}
+				else
+					return 0;
+				}
+			return 0;
+			}
+		default:
+			return 0;
+		}
+	}
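Review bot: The newline-trimming loop at `while( i >= 0 && (buf[i-1] == '\n' || ...` reads `buf[-1]` once `i` reaches 0, which happens for an input consisting only of CR/LF bytes, and that is an out-of-bounds read; the condition should be `while (i > 0 && (buf[i-1] == '\n' || buf[i-1] == '\r'))`. In the same loop an EOF or error from `raw_read_stdin` (`i <= 0`) is silently ignored and control returns to `BIO_read`, where the client blocks waiting for a server that is itself waiting for a command; returning 0 there, `if (i <= 0) return 0;`, lets the caller's SHUTDOWN path run instead. The `return 0;` after `while(1)` is unreachable, and the prompt and echo go through `printf` while the rest of s_client writes through `bio_c_out`/`bio_err`, so output routing should follow the file's convention. Cases 1 and 2 keep the unchecked `BIO_read` results of the code they replace, so that part is not new to this change.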
