3 files changed, 75 insertions, 17 deletions

diff --git a/src/usr.bin/openssl/asn1pars.c b/src/usr.bin/openssl/asn1pars.c
index 52991c392e..7ce5ca34f2 100644
--- a/src/usr.bin/openssl/asn1pars.c
+++ b/src/usr.bin/openssl/asn1pars.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: asn1pars.c,v 1.18 2025/11/27 08:22:32 tb Exp $ */
+/* $OpenBSD: asn1pars.c,v 1.20 2026/01/31 09:01:09 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -237,12 +237,10 @@ int
 asn1parse_main(int argc, char **argv)
 {
         int i, j, ret = 1;
-        long num, tmplen;
+        long num;
         BIO *in = NULL, *out = NULL, *b64 = NULL, *derout = NULL;
-        char *str = NULL;
         const char *errstr = NULL;
-        const unsigned char *tmpbuf;
-        const unsigned char *ctmpbuf;
+        const unsigned char *str;
         BUF_MEM *buf = NULL;
         ASN1_TYPE *at = NULL;
 
@@ -330,13 +328,15 @@ asn1parse_main(int argc, char **argv)
                         num += i;
                 }
         }
-        str = buf->data;
+        str = (const unsigned char *)buf->data;
 
         /* If any structs to parse go through in sequence */
 
         if (sk_OPENSSL_STRING_num(cfg.osk) > 0) {
-                tmpbuf = (unsigned char *) str;
-                tmplen = num;
+                const unsigned char *p;
+                const unsigned char *tmpbuf = str;
+                long tmplen = num;
+
                 for (i = 0; i < sk_OPENSSL_STRING_num(cfg.osk); i++) {
                         ASN1_TYPE *atmp;
                         int typ;
@@ -351,8 +351,8 @@ asn1parse_main(int argc, char **argv)
                         tmpbuf += j;
                         tmplen -= j;
                         atmp = at;
-                        ctmpbuf = tmpbuf;
-                        at = d2i_ASN1_TYPE(NULL, &ctmpbuf, tmplen);
+                        p = tmpbuf;
+                        at = d2i_ASN1_TYPE(NULL, &p, tmplen);
                         ASN1_TYPE_free(atmp);
                         if (!at) {
                                 BIO_printf(bio_err, "Error parsing structure\n");
@@ -371,7 +371,7 @@ asn1parse_main(int argc, char **argv)
                         tmpbuf = ASN1_STRING_get0_data(at->value.asn1_string);
                         tmplen = ASN1_STRING_length(at->value.asn1_string);
                 }
-                str = (char *) tmpbuf;
+                str = tmpbuf;
                 num = tmplen;
         }
         if (cfg.offset >= num) {
@@ -390,8 +390,8 @@ asn1parse_main(int argc, char **argv)
                         goto end;
                 }
         }
-        if (!cfg.noout && !ASN1_parse_dump(out,
-            (unsigned char *)&str[cfg.offset], cfg.length, cfg.indent, cfg.dump)) {
+        if (!cfg.noout && !ASN1_parse_dump(out, &str[cfg.offset], cfg.length,
+            cfg.indent, cfg.dump)) {
                 ERR_print_errors(bio_err);
                 goto end;
         }
diff --git a/src/usr.bin/openssl/openssl.1 b/src/usr.bin/openssl/openssl.1
index f3e0be15ed..b9eba1a1de 100644
--- a/src/usr.bin/openssl/openssl.1
+++ b/src/usr.bin/openssl/openssl.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: openssl.1,v 1.168 2025/12/20 07:02:37 tb Exp $
+.\" $OpenBSD: openssl.1,v 1.169 2026/02/01 08:45:31 martijn Exp $
 .\" ====================================================================
 .\" Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 .\"
@@ -110,7 +110,7 @@
 .\" copied and put under another distribution licence
 .\" [including the GNU Public Licence.]
 .\"
-.Dd $Mdocdate: December 20 2025 $
+.Dd $Mdocdate: February 1 2026 $
 .Dt OPENSSL 1
 .Os
 .Sh NAME
@@ -4416,6 +4416,7 @@ is a keyword for the intended protocol.
 Currently, the supported keywords are
 .Qq ftp ,
 .Qq imap ,
+.Qq sieve ,
 .Qq smtp ,
 .Qq pop3 ,
 and
diff --git a/src/usr.bin/openssl/s_client.c b/src/usr.bin/openssl/s_client.c
index 84718c19fd..2b05facc17 100644
--- a/src/usr.bin/openssl/s_client.c
+++ b/src/usr.bin/openssl/s_client.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s_client.c,v 1.67 2025/01/02 16:07:41 tb Exp $ */
+/* $OpenBSD: s_client.c,v 1.68 2026/02/01 08:45:31 martijn Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -174,6 +174,7 @@ enum {
         PROTO_LMTP,
         PROTO_POP3,
         PROTO_IMAP,
+        PROTO_SIEVE,
         PROTO_FTP,
         PROTO_XMPP,
 };
@@ -335,6 +336,8 @@ s_client_opt_starttls(char *arg)
                 cfg.starttls_proto = PROTO_POP3;
         else if (strcmp(arg, "imap") == 0)
                 cfg.starttls_proto = PROTO_IMAP;
+        else if (strcmp(arg, "sieve") == 0)
+                cfg.starttls_proto = PROTO_SIEVE;
         else if (strcmp(arg, "ftp") == 0)
                 cfg.starttls_proto = PROTO_FTP;
         else if (strcmp(arg, "xmpp") == 0)
@@ -729,7 +732,8 @@ static const struct option s_client_options[] = {
                 .name = "starttls",
                 .argname = "protocol",
                 .desc = "Use the STARTTLS command before starting TLS,\n"
-                        "smtp, lmtp, pop3, imap, ftp and xmpp are supported.",
+                        "smtp, lmtp, pop3, imap, sieve, ftp and xmpp "
+                        "are supported.",
                 .type = OPTION_ARG_FUNC,
                 .opt.argfunc = s_client_opt_starttls,
         },
@@ -834,6 +838,28 @@ sc_usage(void)
         fprintf(stderr, "\n");
 }
 
+static int
+s_client_sieve_response_ok(const char *resp, int resplen)
+{
+        /* All lines need to be CRLF terminated */
+        if (resplen <= 2) {
+                BIO_printf(bio_err, "Failed to get full server line\n");
+                return 0;
+        }
+        if (resplen >= 4 && strncasecmp(resp, "OK", 2) == 0 &&
+            (resp[2] == ' ' || resp[2] == '\r'))
+                return 1;
+        if (resplen >= 4 && strncasecmp(resp, "NO", 2) == 0 &&
+            (resp[2] == ' ' || resp[2] == '\r'))
+                BIO_printf(bio_err, "Server rejected our connection\n");
+        else if (resplen >= 5 && strncasecmp(resp, "BYE", 3) == 0 &&
+            (resp[3] == ' ' || resp[3] == '\r'))
+                BIO_printf(bio_err, "Server disconnected our connection\n");
+        else
+                BIO_printf(bio_err, "Server sent invalid response\n");
+        return 0;
+}
+
 int
 s_client_main(int argc, char **argv)
 {
@@ -1220,6 +1246,37 @@ s_client_main(int argc, char **argv)
                             " try anyway...\n");
                 BIO_printf(sbio, ". STARTTLS\r\n");
                 BIO_read(sbio, sbuf, BUFSIZZ);
+        } else if (cfg.starttls_proto == PROTO_SIEVE) {
+                int foundit = 0;
+                BIO *fbio;
+
+                if ((fbio = BIO_new(BIO_f_buffer()))== NULL) {
+                        BIO_printf(bio_err, "Failed to create BIO\n");
+                        goto end;
+                }
+                BIO_push(fbio, sbio);
+                /* wait for multi-line CAPABILITY response */
+                while (1) {
+                        mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ);
+                        if (mbuf_len > 2 && mbuf[0] == '"') {
+                                if (strcasecmp(mbuf, "\"STARTTLS\"\r\n") == 0)
+                                        foundit = 1;
+                        } else if (s_client_sieve_response_ok(mbuf, mbuf_len))
+                                break;
+                        else
+                                goto end;
+                }
+                if (!foundit)
+                        BIO_printf(bio_err,
+                            "didn't find STARTTLS in server response,"
+                            " try anyway...\n");
+                BIO_printf(sbio, "STARTTLS\r\n");
+                mbuf_len = BIO_gets(fbio, mbuf, BUFSIZZ);
+                (void) BIO_flush(fbio);
+                BIO_pop(fbio);
+                BIO_free(fbio);
+                if (!s_client_sieve_response_ok(mbuf, mbuf_len))
+                        goto end;
         } else if (cfg.starttls_proto == PROTO_FTP) {
                 BIO *fbio = BIO_new(BIO_f_buffer());
                 BIO_push(fbio, sbio);