Diffstat (limited to 'src/lib/libssl/src/apps/s_server.c')
-rw-r--r--src/lib/libssl/src/apps/s_server.c830
1 files changed, 785 insertions, 45 deletions
diff --git a/src/lib/libssl/src/apps/s_server.c b/src/lib/libssl/src/apps/s_server.c
index ff4ab6ef28..7919c437c6 100644
--- a/src/lib/libssl/src/apps/s_server.c
+++ b/src/lib/libssl/src/apps/s_server.c
@@ -108,18 +108,33 @@
108 * Hudson (tjh@cryptsoft.com). 108 * Hudson (tjh@cryptsoft.com).
109 * 109 *
110 */ 110 */
111/* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 * ECC cipher suite support in OpenSSL originally developed by
114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
115 */
116
117/* Until the key-gen callbacks are modified to use newer prototypes, we allow
118 * deprecated functions for openssl-internal code */
119#ifdef OPENSSL_NO_DEPRECATED
120#undef OPENSSL_NO_DEPRECATED
121#endif
111 122
112#include <assert.h> 123#include <assert.h>
113#include <stdio.h> 124#include <stdio.h>
114#include <stdlib.h> 125#include <stdlib.h>
115#include <string.h> 126#include <string.h>
116#include <sys/types.h> 127
117#include <sys/stat.h> 128#include <sys/stat.h>
118#include <openssl/e_os2.h> 129#include <openssl/e_os2.h>
119#ifdef OPENSSL_NO_STDIO 130#ifdef OPENSSL_NO_STDIO
120#define APPS_WIN16 131#define APPS_WIN16
121#endif 132#endif
122 133
134#if !defined(OPENSSL_SYS_NETWARE) /* conflicts with winsock2 stuff on netware */
135#include <sys/types.h>
136#endif
137
123/* With IPv6, it looks like Digital has mixed up the proper order of 138/* With IPv6, it looks like Digital has mixed up the proper order of
124 recursive header file inclusion, resulting in the compiler complaining 139 recursive header file inclusion, resulting in the compiler complaining
125 that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which 140 that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which
@@ -138,7 +153,15 @@ typedef unsigned int u_int;
138#include <openssl/x509.h> 153#include <openssl/x509.h>
139#include <openssl/ssl.h> 154#include <openssl/ssl.h>
140#include <openssl/rand.h> 155#include <openssl/rand.h>
156#include <openssl/ocsp.h>
157#ifndef OPENSSL_NO_DH
158#include <openssl/dh.h>
159#endif
160#ifndef OPENSSL_NO_RSA
161#include <openssl/rsa.h>
162#endif
141#include "s_apps.h" 163#include "s_apps.h"
164#include "timeouts.h"
142 165
143#ifdef OPENSSL_SYS_WINCE 166#ifdef OPENSSL_SYS_WINCE
144/* Windows CE incorrectly defines fileno as returning void*, so to avoid problems below... */ 167/* Windows CE incorrectly defines fileno as returning void*, so to avoid problems below... */
@@ -165,9 +188,10 @@ static void print_stats(BIO *bp,SSL_CTX *ctx);
165static int generate_session_id(const SSL *ssl, unsigned char *id, 188static int generate_session_id(const SSL *ssl, unsigned char *id,
166 unsigned int *id_len); 189 unsigned int *id_len);
167#ifndef OPENSSL_NO_DH 190#ifndef OPENSSL_NO_DH
168static DH *load_dh_param(char *dhfile); 191static DH *load_dh_param(const char *dhfile);
169static DH *get_dh512(void); 192static DH *get_dh512(void);
170#endif 193#endif
194
171#ifdef MONOLITH 195#ifdef MONOLITH
172static void s_server_init(void); 196static void s_server_init(void);
173#endif 197#endif
@@ -206,6 +230,7 @@ static DH *get_dh512(void)
206 } 230 }
207#endif 231#endif
208 232
233
209/* static int load_CA(SSL_CTX *ctx, char *file);*/ 234/* static int load_CA(SSL_CTX *ctx, char *file);*/
210 235
211#undef BUFSIZZ 236#undef BUFSIZZ
@@ -214,6 +239,9 @@ static int bufsize=BUFSIZZ;
214static int accept_socket= -1; 239static int accept_socket= -1;
215 240
216#define TEST_CERT "server.pem" 241#define TEST_CERT "server.pem"
242#ifndef OPENSSL_NO_TLSEXT
243#define TEST_CERT2 "server2.pem"
244#endif
217#undef PROG 245#undef PROG
218#define PROG s_server_main 246#define PROG s_server_main
219 247
@@ -222,7 +250,10 @@ extern int verify_depth;
222static char *cipher=NULL; 250static char *cipher=NULL;
223static int s_server_verify=SSL_VERIFY_NONE; 251static int s_server_verify=SSL_VERIFY_NONE;
224static int s_server_session_id_context = 1; /* anything will do */ 252static int s_server_session_id_context = 1; /* anything will do */
225static char *s_cert_file=TEST_CERT,*s_key_file=NULL; 253static const char *s_cert_file=TEST_CERT,*s_key_file=NULL;
254#ifndef OPENSSL_NO_TLSEXT
255static const char *s_cert_file2=TEST_CERT2,*s_key_file2=NULL;
256#endif
226static char *s_dcert_file=NULL,*s_dkey_file=NULL; 257static char *s_dcert_file=NULL,*s_dkey_file=NULL;
227#ifdef FIONBIO 258#ifdef FIONBIO
228static int s_nbio=0; 259static int s_nbio=0;
@@ -230,10 +261,18 @@ static int s_nbio=0;
230static int s_nbio_test=0; 261static int s_nbio_test=0;
231int s_crlf=0; 262int s_crlf=0;
232static SSL_CTX *ctx=NULL; 263static SSL_CTX *ctx=NULL;
264#ifndef OPENSSL_NO_TLSEXT
265static SSL_CTX *ctx2=NULL;
266#endif
233static int www=0; 267static int www=0;
234 268
235static BIO *bio_s_out=NULL; 269static BIO *bio_s_out=NULL;
236static int s_debug=0; 270static int s_debug=0;
271#ifndef OPENSSL_NO_TLSEXT
272static int s_tlsextdebug=0;
273static int s_tlsextstatus=0;
274static int cert_status_cb(SSL *s, void *arg);
275#endif
237static int s_msg=0; 276static int s_msg=0;
238static int s_quiet=0; 277static int s_quiet=0;
239 278
@@ -243,6 +282,14 @@ static char *engine_id=NULL;
243#endif 282#endif
244static const char *session_id_prefix=NULL; 283static const char *session_id_prefix=NULL;
245 284
285static int enable_timeouts = 0;
286#ifdef mtu
287#undef mtu
288#endif
289static long mtu;
290static int cert_chain = 0;
291
292
246#ifdef MONOLITH 293#ifdef MONOLITH
247static void s_server_init(void) 294static void s_server_init(void)
248 { 295 {
@@ -253,6 +300,11 @@ static void s_server_init(void)
253 s_dkey_file=NULL; 300 s_dkey_file=NULL;
254 s_cert_file=TEST_CERT; 301 s_cert_file=TEST_CERT;
255 s_key_file=NULL; 302 s_key_file=NULL;
303#ifndef OPENSSL_NO_TLSEXT
304 s_cert_file2=TEST_CERT2;
305 s_key_file2=NULL;
306 ctx2=NULL;
307#endif
256#ifdef FIONBIO 308#ifdef FIONBIO
257 s_nbio=0; 309 s_nbio=0;
258#endif 310#endif
@@ -279,14 +331,30 @@ static void sv_usage(void)
279 BIO_printf(bio_err," -context arg - set session ID context\n"); 331 BIO_printf(bio_err," -context arg - set session ID context\n");
280 BIO_printf(bio_err," -verify arg - turn on peer certificate verification\n"); 332 BIO_printf(bio_err," -verify arg - turn on peer certificate verification\n");
281 BIO_printf(bio_err," -Verify arg - turn on peer certificate verification, must have a cert.\n"); 333 BIO_printf(bio_err," -Verify arg - turn on peer certificate verification, must have a cert.\n");
282 BIO_printf(bio_err," -cert arg - certificate file to use, PEM format assumed\n"); 334 BIO_printf(bio_err," -cert arg - certificate file to use\n");
283 BIO_printf(bio_err," (default is %s)\n",TEST_CERT); 335 BIO_printf(bio_err," (default is %s)\n",TEST_CERT);
284 BIO_printf(bio_err," -key arg - Private Key file to use, PEM format assumed, in cert file if\n"); 336 BIO_printf(bio_err," -crl_check - check the peer certificate has not been revoked by its CA.\n" \
337 " The CRL(s) are appended to the certificate file\n");
338 BIO_printf(bio_err," -crl_check_all - check the peer certificate has not been revoked by its CA\n" \
339 " or any other CRL in the CA chain. CRL(s) are appened to the\n" \
340 " the certificate file.\n");
341 BIO_printf(bio_err," -certform arg - certificate format (PEM or DER) PEM default\n");
342 BIO_printf(bio_err," -key arg - Private Key file to use, in cert file if\n");
285 BIO_printf(bio_err," not specified (default is %s)\n",TEST_CERT); 343 BIO_printf(bio_err," not specified (default is %s)\n",TEST_CERT);
344 BIO_printf(bio_err," -keyform arg - key format (PEM, DER or ENGINE) PEM default\n");
345 BIO_printf(bio_err," -pass arg - private key file pass phrase source\n");
286 BIO_printf(bio_err," -dcert arg - second certificate file to use (usually for DSA)\n"); 346 BIO_printf(bio_err," -dcert arg - second certificate file to use (usually for DSA)\n");
347 BIO_printf(bio_err," -dcertform x - second certificate format (PEM or DER) PEM default\n");
287 BIO_printf(bio_err," -dkey arg - second private key file to use (usually for DSA)\n"); 348 BIO_printf(bio_err," -dkey arg - second private key file to use (usually for DSA)\n");
349 BIO_printf(bio_err," -dkeyform arg - second key format (PEM, DER or ENGINE) PEM default\n");
350 BIO_printf(bio_err," -dpass arg - second private key file pass phrase source\n");
288 BIO_printf(bio_err," -dhparam arg - DH parameter file to use, in cert file if not specified\n"); 351 BIO_printf(bio_err," -dhparam arg - DH parameter file to use, in cert file if not specified\n");
289 BIO_printf(bio_err," or a default set of parameters is used\n"); 352 BIO_printf(bio_err," or a default set of parameters is used\n");
353#ifndef OPENSSL_NO_ECDH
354 BIO_printf(bio_err," -named_curve arg - Elliptic curve name to use for ephemeral ECDH keys.\n" \
355 " Use \"openssl ecparam -list_curves\" for all names\n" \
356 " (default is sect163r2).\n");
357#endif
290#ifdef FIONBIO 358#ifdef FIONBIO
291 BIO_printf(bio_err," -nbio - Run with non-blocking IO\n"); 359 BIO_printf(bio_err," -nbio - Run with non-blocking IO\n");
292#endif 360#endif
@@ -305,12 +373,19 @@ static void sv_usage(void)
305 BIO_printf(bio_err," -ssl2 - Just talk SSLv2\n"); 373 BIO_printf(bio_err," -ssl2 - Just talk SSLv2\n");
306 BIO_printf(bio_err," -ssl3 - Just talk SSLv3\n"); 374 BIO_printf(bio_err," -ssl3 - Just talk SSLv3\n");
307 BIO_printf(bio_err," -tls1 - Just talk TLSv1\n"); 375 BIO_printf(bio_err," -tls1 - Just talk TLSv1\n");
376 BIO_printf(bio_err," -dtls1 - Just talk DTLSv1\n");
377 BIO_printf(bio_err," -timeout - Enable timeouts\n");
378 BIO_printf(bio_err," -mtu - Set MTU\n");
379 BIO_printf(bio_err," -chain - Read a certificate chain\n");
308 BIO_printf(bio_err," -no_ssl2 - Just disable SSLv2\n"); 380 BIO_printf(bio_err," -no_ssl2 - Just disable SSLv2\n");
309 BIO_printf(bio_err," -no_ssl3 - Just disable SSLv3\n"); 381 BIO_printf(bio_err," -no_ssl3 - Just disable SSLv3\n");
310 BIO_printf(bio_err," -no_tls1 - Just disable TLSv1\n"); 382 BIO_printf(bio_err," -no_tls1 - Just disable TLSv1\n");
311#ifndef OPENSSL_NO_DH 383#ifndef OPENSSL_NO_DH
312 BIO_printf(bio_err," -no_dhe - Disable ephemeral DH\n"); 384 BIO_printf(bio_err," -no_dhe - Disable ephemeral DH\n");
313#endif 385#endif
386#ifndef OPENSSL_NO_ECDH
387 BIO_printf(bio_err," -no_ecdhe - Disable ephemeral ECDH\n");
388#endif
314 BIO_printf(bio_err," -bugs - Turn on SSL bug compatibility\n"); 389 BIO_printf(bio_err," -bugs - Turn on SSL bug compatibility\n");
315 BIO_printf(bio_err," -www - Respond to a 'GET /' with a status page\n"); 390 BIO_printf(bio_err," -www - Respond to a 'GET /' with a status page\n");
316 BIO_printf(bio_err," -WWW - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>\n"); 391 BIO_printf(bio_err," -WWW - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>\n");
@@ -321,6 +396,16 @@ static void sv_usage(void)
321#endif 396#endif
322 BIO_printf(bio_err," -id_prefix arg - Generate SSL/TLS session IDs prefixed by 'arg'\n"); 397 BIO_printf(bio_err," -id_prefix arg - Generate SSL/TLS session IDs prefixed by 'arg'\n");
323 BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR); 398 BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
399#ifndef OPENSSL_NO_TLSEXT
400 BIO_printf(bio_err," -servername host - servername for HostName TLS extension\n");
401 BIO_printf(bio_err," -servername_fatal - on mismatch send fatal alert (default warning alert)\n");
402 BIO_printf(bio_err," -cert2 arg - certificate file to use for servername\n");
403 BIO_printf(bio_err," (default is %s)\n",TEST_CERT2);
404 BIO_printf(bio_err," -key2 arg - Private Key file to use for servername, in cert file if\n");
405 BIO_printf(bio_err," not specified (default is %s)\n",TEST_CERT2);
406 BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n");
407 BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n");
408#endif
324 } 409 }
325 410
326static int local_argc=0; 411static int local_argc=0;
@@ -476,6 +561,185 @@ static int ebcdic_puts(BIO *bp, const char *str)
476} 561}
477#endif 562#endif
478 563
564#ifndef OPENSSL_NO_TLSEXT
565
566/* This is a context that we pass to callbacks */
567typedef struct tlsextctx_st {
568 char * servername;
569 BIO * biodebug;
570 int extension_error;
571} tlsextctx;
572
573
574static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg)
575 {
576 tlsextctx * p = (tlsextctx *) arg;
577 const char * servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
578 if (servername && p->biodebug)
579 BIO_printf(p->biodebug,"Hostname in TLS extension: \"%s\"\n",servername);
580
581 if (!p->servername)
582 return SSL_TLSEXT_ERR_NOACK;
583
584 if (servername)
585 {
586 if (strcmp(servername,p->servername))
587 return p->extension_error;
588 if (ctx2)
589 {
590 BIO_printf(p->biodebug,"Swiching server context.\n");
591 SSL_set_SSL_CTX(s,ctx2);
592 }
593 }
594 return SSL_TLSEXT_ERR_OK;
595}
596
597/* Structure passed to cert status callback */
598
599typedef struct tlsextstatusctx_st {
600 /* Default responder to use */
601 char *host, *path, *port;
602 int use_ssl;
603 int timeout;
604 BIO *err;
605 int verbose;
606} tlsextstatusctx;
607
608static tlsextstatusctx tlscstatp = {NULL, NULL, NULL, 0, -1, NULL, 0};
609
610/* Certificate Status callback. This is called when a client includes a
611 * certificate status request extension.
612 *
613 * This is a simplified version. It examines certificates each time and
614 * makes one OCSP responder query for each request.
615 *
616 * A full version would store details such as the OCSP certificate IDs and
617 * minimise the number of OCSP responses by caching them until they were
618 * considered "expired".
619 */
620
621static int cert_status_cb(SSL *s, void *arg)
622 {
623 tlsextstatusctx *srctx = arg;
624 BIO *err = srctx->err;
625 char *host, *port, *path;
626 int use_ssl;
627 unsigned char *rspder = NULL;
628 int rspderlen;
629 STACK *aia = NULL;
630 X509 *x = NULL;
631 X509_STORE_CTX inctx;
632 X509_OBJECT obj;
633 OCSP_REQUEST *req = NULL;
634 OCSP_RESPONSE *resp = NULL;
635 OCSP_CERTID *id = NULL;
636 STACK_OF(X509_EXTENSION) *exts;
637 int ret = SSL_TLSEXT_ERR_NOACK;
638 int i;
639#if 0
640STACK_OF(OCSP_RESPID) *ids;
641SSL_get_tlsext_status_ids(s, &ids);
642BIO_printf(err, "cert_status: received %d ids\n", sk_OCSP_RESPID_num(ids));
643#endif
644 if (srctx->verbose)
645 BIO_puts(err, "cert_status: callback called\n");
646 /* Build up OCSP query from server certificate */
647 x = SSL_get_certificate(s);
648 aia = X509_get1_ocsp(x);
649 if (aia)
650 {
651 if (!OCSP_parse_url(sk_value(aia, 0),
652 &host, &port, &path, &use_ssl))
653 {
654 BIO_puts(err, "cert_status: can't parse AIA URL\n");
655 goto err;
656 }
657 if (srctx->verbose)
658 BIO_printf(err, "cert_status: AIA URL: %s\n",
659 sk_value(aia, 0));
660 }
661 else
662 {
663 if (!srctx->host)
664 {
665 BIO_puts(srctx->err, "cert_status: no AIA and no default responder URL\n");
666 goto done;
667 }
668 host = srctx->host;
669 path = srctx->path;
670 port = srctx->port;
671 use_ssl = srctx->use_ssl;
672 }
673
674 if (!X509_STORE_CTX_init(&inctx,
675 SSL_CTX_get_cert_store(SSL_get_SSL_CTX(s)),
676 NULL, NULL))
677 goto err;
678 if (X509_STORE_get_by_subject(&inctx,X509_LU_X509,
679 X509_get_issuer_name(x),&obj) <= 0)
680 {
681 BIO_puts(err, "cert_status: Can't retrieve issuer certificate.\n");
682 X509_STORE_CTX_cleanup(&inctx);
683 goto done;
684 }
685 req = OCSP_REQUEST_new();
686 if (!req)
687 goto err;
688 id = OCSP_cert_to_id(NULL, x, obj.data.x509);
689 X509_free(obj.data.x509);
690 X509_STORE_CTX_cleanup(&inctx);
691 if (!id)
692 goto err;
693 if (!OCSP_request_add0_id(req, id))
694 goto err;
695 id = NULL;
696 /* Add any extensions to the request */
697 SSL_get_tlsext_status_exts(s, &exts);
698 for (i = 0; i < sk_X509_EXTENSION_num(exts); i++)
699 {
700 X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, i);
701 if (!OCSP_REQUEST_add_ext(req, ext, -1))
702 goto err;
703 }
704 resp = process_responder(err, req, host, path, port, use_ssl,
705 srctx->timeout);
706 if (!resp)
707 {
708 BIO_puts(err, "cert_status: error querying responder\n");
709 goto done;
710 }
711 rspderlen = i2d_OCSP_RESPONSE(resp, &rspder);
712 if (rspderlen <= 0)
713 goto err;
714 SSL_set_tlsext_status_ocsp_resp(s, rspder, rspderlen);
715 if (srctx->verbose)
716 {
717 BIO_puts(err, "cert_status: ocsp response sent:\n");
718 OCSP_RESPONSE_print(err, resp, 2);
719 }
720 ret = SSL_TLSEXT_ERR_OK;
721 done:
722 if (ret != SSL_TLSEXT_ERR_OK)
723 ERR_print_errors(err);
724 if (aia)
725 {
726 OPENSSL_free(host);
727 OPENSSL_free(path);
728 OPENSSL_free(port);
729 X509_email_free(aia);
730 }
731 if (id)
732 OCSP_CERTID_free(id);
733 if (req)
734 OCSP_REQUEST_free(req);
735 if (resp)
736 OCSP_RESPONSE_free(resp);
737 return ret;
738 err:
739 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
740 goto done;
741 }
742#endif
479int MAIN(int, char **); 743int MAIN(int, char **);
480 744
481int MAIN(int argc, char *argv[]) 745int MAIN(int argc, char *argv[])
@@ -484,18 +748,36 @@ int MAIN(int argc, char *argv[])
484 int vflags = 0; 748 int vflags = 0;
485 short port=PORT; 749 short port=PORT;
486 char *CApath=NULL,*CAfile=NULL; 750 char *CApath=NULL,*CAfile=NULL;
487 char *context = NULL; 751 unsigned char *context = NULL;
488 char *dhfile = NULL; 752 char *dhfile = NULL;
753#ifndef OPENSSL_NO_ECDH
754 char *named_curve = NULL;
755#endif
489 int badop=0,bugs=0; 756 int badop=0,bugs=0;
490 int ret=1; 757 int ret=1;
491 int off=0; 758 int off=0;
492 int no_tmp_rsa=0,no_dhe=0,nocert=0; 759 int no_tmp_rsa=0,no_dhe=0,no_ecdhe=0,nocert=0;
493 int state=0; 760 int state=0;
494 SSL_METHOD *meth=NULL; 761 SSL_METHOD *meth=NULL;
762 int socket_type=SOCK_STREAM;
495#ifndef OPENSSL_NO_ENGINE 763#ifndef OPENSSL_NO_ENGINE
496 ENGINE *e=NULL; 764 ENGINE *e=NULL;
497#endif 765#endif
498 char *inrand=NULL; 766 char *inrand=NULL;
767 int s_cert_format = FORMAT_PEM, s_key_format = FORMAT_PEM;
768 char *passarg = NULL, *pass = NULL;
769 char *dpassarg = NULL, *dpass = NULL;
770 int s_dcert_format = FORMAT_PEM, s_dkey_format = FORMAT_PEM;
771 X509 *s_cert = NULL, *s_dcert = NULL;
772 EVP_PKEY *s_key = NULL, *s_dkey = NULL;
773#ifndef OPENSSL_NO_TLSEXT
774 EVP_PKEY *s_key2 = NULL;
775 X509 *s_cert2 = NULL;
776#endif
777
778#ifndef OPENSSL_NO_TLSEXT
779 tlsextctx tlsextcbp = {NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING};
780#endif
499 781
500#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3) 782#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
501 meth=SSLv23_server_method(); 783 meth=SSLv23_server_method();
@@ -555,28 +837,65 @@ int MAIN(int argc, char *argv[])
555 else if (strcmp(*argv,"-context") == 0) 837 else if (strcmp(*argv,"-context") == 0)
556 { 838 {
557 if (--argc < 1) goto bad; 839 if (--argc < 1) goto bad;
558 context= *(++argv); 840 context= (unsigned char *)*(++argv);
559 } 841 }
560 else if (strcmp(*argv,"-cert") == 0) 842 else if (strcmp(*argv,"-cert") == 0)
561 { 843 {
562 if (--argc < 1) goto bad; 844 if (--argc < 1) goto bad;
563 s_cert_file= *(++argv); 845 s_cert_file= *(++argv);
564 } 846 }
847 else if (strcmp(*argv,"-certform") == 0)
848 {
849 if (--argc < 1) goto bad;
850 s_cert_format = str2fmt(*(++argv));
851 }
565 else if (strcmp(*argv,"-key") == 0) 852 else if (strcmp(*argv,"-key") == 0)
566 { 853 {
567 if (--argc < 1) goto bad; 854 if (--argc < 1) goto bad;
568 s_key_file= *(++argv); 855 s_key_file= *(++argv);
569 } 856 }
857 else if (strcmp(*argv,"-keyform") == 0)
858 {
859 if (--argc < 1) goto bad;
860 s_key_format = str2fmt(*(++argv));
861 }
862 else if (strcmp(*argv,"-pass") == 0)
863 {
864 if (--argc < 1) goto bad;
865 passarg = *(++argv);
866 }
570 else if (strcmp(*argv,"-dhparam") == 0) 867 else if (strcmp(*argv,"-dhparam") == 0)
571 { 868 {
572 if (--argc < 1) goto bad; 869 if (--argc < 1) goto bad;
573 dhfile = *(++argv); 870 dhfile = *(++argv);
574 } 871 }
872#ifndef OPENSSL_NO_ECDH
873 else if (strcmp(*argv,"-named_curve") == 0)
874 {
875 if (--argc < 1) goto bad;
876 named_curve = *(++argv);
877 }
878#endif
879 else if (strcmp(*argv,"-dcertform") == 0)
880 {
881 if (--argc < 1) goto bad;
882 s_dcert_format = str2fmt(*(++argv));
883 }
575 else if (strcmp(*argv,"-dcert") == 0) 884 else if (strcmp(*argv,"-dcert") == 0)
576 { 885 {
577 if (--argc < 1) goto bad; 886 if (--argc < 1) goto bad;
578 s_dcert_file= *(++argv); 887 s_dcert_file= *(++argv);
579 } 888 }
889 else if (strcmp(*argv,"-dkeyform") == 0)
890 {
891 if (--argc < 1) goto bad;
892 s_dkey_format = str2fmt(*(++argv));
893 }
894 else if (strcmp(*argv,"-dpass") == 0)
895 {
896 if (--argc < 1) goto bad;
897 dpassarg = *(++argv);
898 }
580 else if (strcmp(*argv,"-dkey") == 0) 899 else if (strcmp(*argv,"-dkey") == 0)
581 { 900 {
582 if (--argc < 1) goto bad; 901 if (--argc < 1) goto bad;
@@ -595,7 +914,7 @@ int MAIN(int argc, char *argv[])
595 { 914 {
596 vflags |= X509_V_FLAG_CRL_CHECK; 915 vflags |= X509_V_FLAG_CRL_CHECK;
597 } 916 }
598 else if (strcmp(*argv,"-crl_check") == 0) 917 else if (strcmp(*argv,"-crl_check_all") == 0)
599 { 918 {
600 vflags |= X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL; 919 vflags |= X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL;
601 } 920 }
@@ -624,6 +943,37 @@ int MAIN(int argc, char *argv[])
624 } 943 }
625 else if (strcmp(*argv,"-debug") == 0) 944 else if (strcmp(*argv,"-debug") == 0)
626 { s_debug=1; } 945 { s_debug=1; }
946#ifndef OPENSSL_NO_TLSEXT
947 else if (strcmp(*argv,"-tlsextdebug") == 0)
948 s_tlsextdebug=1;
949 else if (strcmp(*argv,"-status") == 0)
950 s_tlsextstatus=1;
951 else if (strcmp(*argv,"-status_verbose") == 0)
952 {
953 s_tlsextstatus=1;
954 tlscstatp.verbose = 1;
955 }
956 else if (!strcmp(*argv, "-status_timeout"))
957 {
958 s_tlsextstatus=1;
959 if (--argc < 1) goto bad;
960 tlscstatp.timeout = atoi(*(++argv));
961 }
962 else if (!strcmp(*argv, "-status_url"))
963 {
964 s_tlsextstatus=1;
965 if (--argc < 1) goto bad;
966 if (!OCSP_parse_url(*(++argv),
967 &tlscstatp.host,
968 &tlscstatp.port,
969 &tlscstatp.path,
970 &tlscstatp.use_ssl))
971 {
972 BIO_printf(bio_err, "Error parsing URL\n");
973 goto bad;
974 }
975 }
976#endif
627 else if (strcmp(*argv,"-msg") == 0) 977 else if (strcmp(*argv,"-msg") == 0)
628 { s_msg=1; } 978 { s_msg=1; }
629 else if (strcmp(*argv,"-hack") == 0) 979 else if (strcmp(*argv,"-hack") == 0)
@@ -640,6 +990,8 @@ int MAIN(int argc, char *argv[])
640 { no_tmp_rsa=1; } 990 { no_tmp_rsa=1; }
641 else if (strcmp(*argv,"-no_dhe") == 0) 991 else if (strcmp(*argv,"-no_dhe") == 0)
642 { no_dhe=1; } 992 { no_dhe=1; }
993 else if (strcmp(*argv,"-no_ecdhe") == 0)
994 { no_ecdhe=1; }
643 else if (strcmp(*argv,"-www") == 0) 995 else if (strcmp(*argv,"-www") == 0)
644 { www=1; } 996 { www=1; }
645 else if (strcmp(*argv,"-WWW") == 0) 997 else if (strcmp(*argv,"-WWW") == 0)
@@ -652,6 +1004,10 @@ int MAIN(int argc, char *argv[])
652 { off|=SSL_OP_NO_SSLv3; } 1004 { off|=SSL_OP_NO_SSLv3; }
653 else if (strcmp(*argv,"-no_tls1") == 0) 1005 else if (strcmp(*argv,"-no_tls1") == 0)
654 { off|=SSL_OP_NO_TLSv1; } 1006 { off|=SSL_OP_NO_TLSv1; }
1007#ifndef OPENSSL_NO_TLSEXT
1008 else if (strcmp(*argv,"-no_ticket") == 0)
1009 { off|=SSL_OP_NO_TICKET; }
1010#endif
655#ifndef OPENSSL_NO_SSL2 1011#ifndef OPENSSL_NO_SSL2
656 else if (strcmp(*argv,"-ssl2") == 0) 1012 else if (strcmp(*argv,"-ssl2") == 0)
657 { meth=SSLv2_server_method(); } 1013 { meth=SSLv2_server_method(); }
@@ -664,6 +1020,22 @@ int MAIN(int argc, char *argv[])
664 else if (strcmp(*argv,"-tls1") == 0) 1020 else if (strcmp(*argv,"-tls1") == 0)
665 { meth=TLSv1_server_method(); } 1021 { meth=TLSv1_server_method(); }
666#endif 1022#endif
1023#ifndef OPENSSL_NO_DTLS1
1024 else if (strcmp(*argv,"-dtls1") == 0)
1025 {
1026 meth=DTLSv1_server_method();
1027 socket_type = SOCK_DGRAM;
1028 }
1029 else if (strcmp(*argv,"-timeout") == 0)
1030 enable_timeouts = 1;
1031 else if (strcmp(*argv,"-mtu") == 0)
1032 {
1033 if (--argc < 1) goto bad;
1034 mtu = atol(*(++argv));
1035 }
1036 else if (strcmp(*argv, "-chain") == 0)
1037 cert_chain = 1;
1038#endif
667 else if (strcmp(*argv, "-id_prefix") == 0) 1039 else if (strcmp(*argv, "-id_prefix") == 0)
668 { 1040 {
669 if (--argc < 1) goto bad; 1041 if (--argc < 1) goto bad;
@@ -681,6 +1053,25 @@ int MAIN(int argc, char *argv[])
681 if (--argc < 1) goto bad; 1053 if (--argc < 1) goto bad;
682 inrand= *(++argv); 1054 inrand= *(++argv);
683 } 1055 }
1056#ifndef OPENSSL_NO_TLSEXT
1057 else if (strcmp(*argv,"-servername") == 0)
1058 {
1059 if (--argc < 1) goto bad;
1060 tlsextcbp.servername= *(++argv);
1061 }
1062 else if (strcmp(*argv,"-servername_fatal") == 0)
1063 { tlsextcbp.extension_error = SSL_TLSEXT_ERR_ALERT_FATAL; }
1064 else if (strcmp(*argv,"-cert2") == 0)
1065 {
1066 if (--argc < 1) goto bad;
1067 s_cert_file2= *(++argv);
1068 }
1069 else if (strcmp(*argv,"-key2") == 0)
1070 {
1071 if (--argc < 1) goto bad;
1072 s_key_file2= *(++argv);
1073 }
1074#endif
684 else 1075 else
685 { 1076 {
686 BIO_printf(bio_err,"unknown option %s\n",*argv); 1077 BIO_printf(bio_err,"unknown option %s\n",*argv);
@@ -704,6 +1095,87 @@ bad:
704 e = setup_engine(bio_err, engine_id, 1); 1095 e = setup_engine(bio_err, engine_id, 1);
705#endif 1096#endif
706 1097
1098 if (!app_passwd(bio_err, passarg, dpassarg, &pass, &dpass))
1099 {
1100 BIO_printf(bio_err, "Error getting password\n");
1101 goto end;
1102 }
1103
1104
1105 if (s_key_file == NULL)
1106 s_key_file = s_cert_file;
1107#ifndef OPENSSL_NO_TLSEXT
1108 if (s_key_file2 == NULL)
1109 s_key_file2 = s_cert_file2;
1110#endif
1111
1112 if (nocert == 0)
1113 {
1114 s_key = load_key(bio_err, s_key_file, s_key_format, 0, pass, e,
1115 "server certificate private key file");
1116 if (!s_key)
1117 {
1118 ERR_print_errors(bio_err);
1119 goto end;
1120 }
1121
1122 s_cert = load_cert(bio_err,s_cert_file,s_cert_format,
1123 NULL, e, "server certificate file");
1124
1125 if (!s_cert)
1126 {
1127 ERR_print_errors(bio_err);
1128 goto end;
1129 }
1130
1131#ifndef OPENSSL_NO_TLSEXT
1132 if (tlsextcbp.servername)
1133 {
1134 s_key2 = load_key(bio_err, s_key_file2, s_key_format, 0, pass, e,
1135 "second server certificate private key file");
1136 if (!s_key2)
1137 {
1138 ERR_print_errors(bio_err);
1139 goto end;
1140 }
1141
1142 s_cert2 = load_cert(bio_err,s_cert_file2,s_cert_format,
1143 NULL, e, "second server certificate file");
1144
1145 if (!s_cert2)
1146 {
1147 ERR_print_errors(bio_err);
1148 goto end;
1149 }
1150 }
1151#endif
1152 }
1153 if (s_dcert_file)
1154 {
1155
1156 if (s_dkey_file == NULL)
1157 s_dkey_file = s_dcert_file;
1158
1159 s_dkey = load_key(bio_err, s_dkey_file, s_dkey_format,
1160 0, dpass, e,
1161 "second certificate private key file");
1162 if (!s_dkey)
1163 {
1164 ERR_print_errors(bio_err);
1165 goto end;
1166 }
1167
1168 s_dcert = load_cert(bio_err,s_dcert_file,s_dcert_format,
1169 NULL, e, "second server certificate file");
1170
1171 if (!s_dcert)
1172 {
1173 ERR_print_errors(bio_err);
1174 goto end;
1175 }
1176
1177 }
1178
707 if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL 1179 if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
708 && !RAND_status()) 1180 && !RAND_status())
709 { 1181 {
@@ -726,7 +1198,7 @@ bad:
726 } 1198 }
727 } 1199 }
728 1200
729#if !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_DSA) 1201#if !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_ECDSA)
730 if (nocert) 1202 if (nocert)
731#endif 1203#endif
732 { 1204 {
@@ -734,6 +1206,10 @@ bad:
734 s_key_file=NULL; 1206 s_key_file=NULL;
735 s_dcert_file=NULL; 1207 s_dcert_file=NULL;
736 s_dkey_file=NULL; 1208 s_dkey_file=NULL;
1209#ifndef OPENSSL_NO_TLSEXT
1210 s_cert_file2=NULL;
1211 s_key_file2=NULL;
1212#endif
737 } 1213 }
738 1214
739 ctx=SSL_CTX_new(meth); 1215 ctx=SSL_CTX_new(meth);
@@ -762,6 +1238,10 @@ bad:
762 if (bugs) SSL_CTX_set_options(ctx,SSL_OP_ALL); 1238 if (bugs) SSL_CTX_set_options(ctx,SSL_OP_ALL);
763 if (hack) SSL_CTX_set_options(ctx,SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG); 1239 if (hack) SSL_CTX_set_options(ctx,SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG);
764 SSL_CTX_set_options(ctx,off); 1240 SSL_CTX_set_options(ctx,off);
1241 /* DTLS: partial reads end up discarding unread UDP bytes :-(
1242 * Setting read ahead solves this problem.
1243 */
1244 if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1);
765 1245
766 if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback); 1246 if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback);
767 1247
@@ -788,6 +1268,62 @@ bad:
788 } 1268 }
789 store = SSL_CTX_get_cert_store(ctx); 1269 store = SSL_CTX_get_cert_store(ctx);
790 X509_STORE_set_flags(store, vflags); 1270 X509_STORE_set_flags(store, vflags);
1271#ifndef OPENSSL_NO_TLSEXT
1272 if (s_cert2)
1273 {
1274 ctx2=SSL_CTX_new(meth);
1275 if (ctx2 == NULL)
1276 {
1277 ERR_print_errors(bio_err);
1278 goto end;
1279 }
1280 }
1281
1282 if (ctx2)
1283 {
1284 BIO_printf(bio_s_out,"Setting secondary ctx parameters\n");
1285
1286 if (session_id_prefix)
1287 {
1288 if(strlen(session_id_prefix) >= 32)
1289 BIO_printf(bio_err,
1290 "warning: id_prefix is too long, only one new session will be possible\n");
1291 else if(strlen(session_id_prefix) >= 16)
1292 BIO_printf(bio_err,
1293 "warning: id_prefix is too long if you use SSLv2\n");
1294 if(!SSL_CTX_set_generate_session_id(ctx2, generate_session_id))
1295 {
1296 BIO_printf(bio_err,"error setting 'id_prefix'\n");
1297 ERR_print_errors(bio_err);
1298 goto end;
1299 }
1300 BIO_printf(bio_err,"id_prefix '%s' set.\n", session_id_prefix);
1301 }
1302 SSL_CTX_set_quiet_shutdown(ctx2,1);
1303 if (bugs) SSL_CTX_set_options(ctx2,SSL_OP_ALL);
1304 if (hack) SSL_CTX_set_options(ctx2,SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG);
1305 SSL_CTX_set_options(ctx2,off);
1306
1307 /* DTLS: partial reads end up discarding unread UDP bytes :-(
1308 * Setting read ahead solves this problem.
1309 */
1310 if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx2, 1);
1311
1312
1313 if (state) SSL_CTX_set_info_callback(ctx2,apps_ssl_info_callback);
1314
1315 SSL_CTX_sess_set_cache_size(ctx2,128);
1316
1317 if ((!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) ||
1318 (!SSL_CTX_set_default_verify_paths(ctx2)))
1319 {
1320 ERR_print_errors(bio_err);
1321 }
1322 store = SSL_CTX_get_cert_store(ctx2);
1323 X509_STORE_set_flags(store, vflags);
1324 }
1325#endif
1326
791 1327
792#ifndef OPENSSL_NO_DH 1328#ifndef OPENSSL_NO_DH
793 if (!no_dhe) 1329 if (!no_dhe)
@@ -811,22 +1347,99 @@ bad:
811 (void)BIO_flush(bio_s_out); 1347 (void)BIO_flush(bio_s_out);
812 1348
813 SSL_CTX_set_tmp_dh(ctx,dh); 1349 SSL_CTX_set_tmp_dh(ctx,dh);
1350#ifndef OPENSSL_NO_TLSEXT
1351 if (ctx2)
1352 {
1353 if (!dhfile)
1354 {
1355 DH *dh2=load_dh_param(s_cert_file2);
1356 if (dh2 != NULL)
1357 {
1358 BIO_printf(bio_s_out,"Setting temp DH parameters\n");
1359 (void)BIO_flush(bio_s_out);
1360
1361 DH_free(dh);
1362 dh = dh2;
1363 }
1364 }
1365 SSL_CTX_set_tmp_dh(ctx2,dh);
1366 }
1367#endif
814 DH_free(dh); 1368 DH_free(dh);
815 } 1369 }
816#endif 1370#endif
1371
1372#ifndef OPENSSL_NO_ECDH
1373 if (!no_ecdhe)
1374 {
1375 EC_KEY *ecdh=NULL;
1376
1377 if (named_curve)
1378 {
1379 int nid = OBJ_sn2nid(named_curve);
1380
1381 if (nid == 0)
1382 {
1383 BIO_printf(bio_err, "unknown curve name (%s)\n",
1384 named_curve);
1385 goto end;
1386 }
1387 ecdh = EC_KEY_new_by_curve_name(nid);
1388 if (ecdh == NULL)
1389 {
1390 BIO_printf(bio_err, "unable to create curve (%s)\n",
1391 named_curve);
1392 goto end;
1393 }
1394 }
1395
1396 if (ecdh != NULL)
1397 {
1398 BIO_printf(bio_s_out,"Setting temp ECDH parameters\n");
1399 }
1400 else
1401 {
1402 BIO_printf(bio_s_out,"Using default temp ECDH parameters\n");
1403 ecdh = EC_KEY_new_by_curve_name(NID_sect163r2);
1404 if (ecdh == NULL)
1405 {
1406 BIO_printf(bio_err, "unable to create curve (sect163r2)\n");
1407 goto end;
1408 }
1409 }
1410 (void)BIO_flush(bio_s_out);
1411
1412 SSL_CTX_set_tmp_ecdh(ctx,ecdh);
1413#ifndef OPENSSL_NO_TLSEXT
1414 if (ctx2)
1415 SSL_CTX_set_tmp_ecdh(ctx2,ecdh);
1416#endif
1417 EC_KEY_free(ecdh);
1418 }
1419#endif
817 1420
818 if (!set_cert_stuff(ctx,s_cert_file,s_key_file)) 1421 if (!set_cert_key_stuff(ctx,s_cert,s_key))
819 goto end; 1422 goto end;
820 if (s_dcert_file != NULL) 1423#ifndef OPENSSL_NO_TLSEXT
1424 if (ctx2 && !set_cert_key_stuff(ctx2,s_cert2,s_key2))
1425 goto end;
1426#endif
1427 if (s_dcert != NULL)
821 { 1428 {
822 if (!set_cert_stuff(ctx,s_dcert_file,s_dkey_file)) 1429 if (!set_cert_key_stuff(ctx,s_dcert,s_dkey))
823 goto end; 1430 goto end;
824 } 1431 }
825 1432
826#ifndef OPENSSL_NO_RSA 1433#ifndef OPENSSL_NO_RSA
827#if 1 1434#if 1
828 if (!no_tmp_rsa) 1435 if (!no_tmp_rsa)
1436 {
829 SSL_CTX_set_tmp_rsa_callback(ctx,tmp_rsa_cb); 1437 SSL_CTX_set_tmp_rsa_callback(ctx,tmp_rsa_cb);
1438#ifndef OPENSSL_NO_TLSEXT
1439 if (ctx2)
1440 SSL_CTX_set_tmp_rsa_callback(ctx2,tmp_rsa_cb);
1441#endif
1442 }
830#else 1443#else
831 if (!no_tmp_rsa && SSL_CTX_need_tmp_RSA(ctx)) 1444 if (!no_tmp_rsa && SSL_CTX_need_tmp_RSA(ctx))
832 { 1445 {
@@ -842,6 +1455,16 @@ bad:
842 ERR_print_errors(bio_err); 1455 ERR_print_errors(bio_err);
843 goto end; 1456 goto end;
844 } 1457 }
1458#ifndef OPENSSL_NO_TLSEXT
1459 if (ctx2)
1460 {
1461 if (!SSL_CTX_set_tmp_rsa(ctx2,rsa))
1462 {
1463 ERR_print_errors(bio_err);
1464 goto end;
1465 }
1466 }
1467#endif
845 RSA_free(rsa); 1468 RSA_free(rsa);
846 BIO_printf(bio_s_out,"\n"); 1469 BIO_printf(bio_s_out,"\n");
847 } 1470 }
@@ -853,26 +1476,72 @@ bad:
853 BIO_printf(bio_err,"error setting cipher list\n"); 1476 BIO_printf(bio_err,"error setting cipher list\n");
854 ERR_print_errors(bio_err); 1477 ERR_print_errors(bio_err);
855 goto end; 1478 goto end;
1479#ifndef OPENSSL_NO_TLSEXT
1480 if (ctx2 && !SSL_CTX_set_cipher_list(ctx2,cipher))
1481 {
1482 BIO_printf(bio_err,"error setting cipher list\n");
1483 ERR_print_errors(bio_err);
1484 goto end;
1485 }
1486#endif
856 } 1487 }
857 SSL_CTX_set_verify(ctx,s_server_verify,verify_callback); 1488 SSL_CTX_set_verify(ctx,s_server_verify,verify_callback);
858 SSL_CTX_set_session_id_context(ctx,(void*)&s_server_session_id_context, 1489 SSL_CTX_set_session_id_context(ctx,(void*)&s_server_session_id_context,
859 sizeof s_server_session_id_context); 1490 sizeof s_server_session_id_context);
860 1491
1492#ifndef OPENSSL_NO_TLSEXT
1493 if (ctx2)
1494 {
1495 SSL_CTX_set_verify(ctx2,s_server_verify,verify_callback);
1496 SSL_CTX_set_session_id_context(ctx2,(void*)&s_server_session_id_context,
1497 sizeof s_server_session_id_context);
1498
1499 tlsextcbp.biodebug = bio_s_out;
1500 SSL_CTX_set_tlsext_servername_callback(ctx2, ssl_servername_cb);
1501 SSL_CTX_set_tlsext_servername_arg(ctx2, &tlsextcbp);
1502 SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
1503 SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
1504 }
1505#endif
861 if (CAfile != NULL) 1506 if (CAfile != NULL)
862 SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(CAfile)); 1507 {
863 1508 SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(CAfile));
1509#ifndef OPENSSL_NO_TLSEXT
1510 if (ctx2)
1511 SSL_CTX_set_client_CA_list(ctx2,SSL_load_client_CA_file(CAfile));
1512#endif
1513 }
864 BIO_printf(bio_s_out,"ACCEPT\n"); 1514 BIO_printf(bio_s_out,"ACCEPT\n");
865 if (www) 1515 if (www)
866 do_server(port,&accept_socket,www_body, context); 1516 do_server(port,socket_type,&accept_socket,www_body, context);
867 else 1517 else
868 do_server(port,&accept_socket,sv_body, context); 1518 do_server(port,socket_type,&accept_socket,sv_body, context);
869 print_stats(bio_s_out,ctx); 1519 print_stats(bio_s_out,ctx);
870 ret=0; 1520 ret=0;
871end: 1521end:
872 if (ctx != NULL) SSL_CTX_free(ctx); 1522 if (ctx != NULL) SSL_CTX_free(ctx);
1523 if (s_cert)
1524 X509_free(s_cert);
1525 if (s_dcert)
1526 X509_free(s_dcert);
1527 if (s_key)
1528 EVP_PKEY_free(s_key);
1529 if (s_dkey)
1530 EVP_PKEY_free(s_dkey);
1531 if (pass)
1532 OPENSSL_free(pass);
1533 if (dpass)
1534 OPENSSL_free(dpass);
1535#ifndef OPENSSL_NO_TLSEXT
1536 if (ctx2 != NULL) SSL_CTX_free(ctx2);
1537 if (s_cert2)
1538 X509_free(s_cert2);
1539 if (s_key2)
1540 EVP_PKEY_free(s_key2);
1541#endif
873 if (bio_s_out != NULL) 1542 if (bio_s_out != NULL)
874 { 1543 {
875 BIO_free(bio_s_out); 1544 BIO_free(bio_s_out);
876 bio_s_out=NULL; 1545 bio_s_out=NULL;
877 } 1546 }
878 apps_shutdown(); 1547 apps_shutdown();
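Review bot: The added `SSL_CTX_set_cipher_list(ctx2,cipher)` block (new lines 1479-1486) sits between the unconditional `goto end;` on new line 1478 and the `}` on new line 1487, so it looks unreachable. If that brace closes the failure branch of the first cipher-list call, the operator's cipher restriction is never applied to `ctx2`, and a connection that the servername callback moves to the second context would presumably negotiate from the library's default list. The branch opens outside the hunk, so confirm against the full file; the fix is to move the whole `#ifndef OPENSSL_NO_TLSEXT` block below that closing brace, under the same guard as the first call. Separately, at new lines 1508-1511 the result of `SSL_load_client_CA_file(CAfile)` is passed straight to `SSL_CTX_set_client_CA_list` for both contexts with no NULL check, so an unreadable CA file goes unreported.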
@@ -883,23 +1552,23 @@ static void print_stats(BIO *bio, SSL_CTX *ssl_ctx)
883 { 1552 {
884 BIO_printf(bio,"%4ld items in the session cache\n", 1553 BIO_printf(bio,"%4ld items in the session cache\n",
885 SSL_CTX_sess_number(ssl_ctx)); 1554 SSL_CTX_sess_number(ssl_ctx));
886 BIO_printf(bio,"%4d client connects (SSL_connect())\n", 1555 BIO_printf(bio,"%4ld client connects (SSL_connect())\n",
887 SSL_CTX_sess_connect(ssl_ctx)); 1556 SSL_CTX_sess_connect(ssl_ctx));
888 BIO_printf(bio,"%4d client renegotiates (SSL_connect())\n", 1557 BIO_printf(bio,"%4ld client renegotiates (SSL_connect())\n",
889 SSL_CTX_sess_connect_renegotiate(ssl_ctx)); 1558 SSL_CTX_sess_connect_renegotiate(ssl_ctx));
890 BIO_printf(bio,"%4d client connects that finished\n", 1559 BIO_printf(bio,"%4ld client connects that finished\n",
891 SSL_CTX_sess_connect_good(ssl_ctx)); 1560 SSL_CTX_sess_connect_good(ssl_ctx));
892 BIO_printf(bio,"%4d server accepts (SSL_accept())\n", 1561 BIO_printf(bio,"%4ld server accepts (SSL_accept())\n",
893 SSL_CTX_sess_accept(ssl_ctx)); 1562 SSL_CTX_sess_accept(ssl_ctx));
894 BIO_printf(bio,"%4d server renegotiates (SSL_accept())\n", 1563 BIO_printf(bio,"%4ld server renegotiates (SSL_accept())\n",
895 SSL_CTX_sess_accept_renegotiate(ssl_ctx)); 1564 SSL_CTX_sess_accept_renegotiate(ssl_ctx));
896 BIO_printf(bio,"%4d server accepts that finished\n", 1565 BIO_printf(bio,"%4ld server accepts that finished\n",
897 SSL_CTX_sess_accept_good(ssl_ctx)); 1566 SSL_CTX_sess_accept_good(ssl_ctx));
898 BIO_printf(bio,"%4d session cache hits\n",SSL_CTX_sess_hits(ssl_ctx)); 1567 BIO_printf(bio,"%4ld session cache hits\n",SSL_CTX_sess_hits(ssl_ctx));
899 BIO_printf(bio,"%4d session cache misses\n",SSL_CTX_sess_misses(ssl_ctx)); 1568 BIO_printf(bio,"%4ld session cache misses\n",SSL_CTX_sess_misses(ssl_ctx));
900 BIO_printf(bio,"%4d session cache timeouts\n",SSL_CTX_sess_timeouts(ssl_ctx)); 1569 BIO_printf(bio,"%4ld session cache timeouts\n",SSL_CTX_sess_timeouts(ssl_ctx));
901 BIO_printf(bio,"%4d callback cache hits\n",SSL_CTX_sess_cb_hits(ssl_ctx)); 1570 BIO_printf(bio,"%4ld callback cache hits\n",SSL_CTX_sess_cb_hits(ssl_ctx));
902 BIO_printf(bio,"%4d cache full overflows (%d allowed)\n", 1571 BIO_printf(bio,"%4ld cache full overflows (%ld allowed)\n",
903 SSL_CTX_sess_cache_full(ssl_ctx), 1572 SSL_CTX_sess_cache_full(ssl_ctx),
904 SSL_CTX_sess_get_cache_size(ssl_ctx)); 1573 SSL_CTX_sess_get_cache_size(ssl_ctx));
905 } 1574 }
@@ -913,7 +1582,7 @@ static int sv_body(char *hostname, int s, unsigned char *context)
913 unsigned long l; 1582 unsigned long l;
914 SSL *con=NULL; 1583 SSL *con=NULL;
915 BIO *sbio; 1584 BIO *sbio;
916#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) 1585#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE)
917 struct timeval tv; 1586 struct timeval tv;
918#endif 1587#endif
919 1588
@@ -936,6 +1605,19 @@ static int sv_body(char *hostname, int s, unsigned char *context)
936 1605
937 if (con == NULL) { 1606 if (con == NULL) {
938 con=SSL_new(ctx); 1607 con=SSL_new(ctx);
1608#ifndef OPENSSL_NO_TLSEXT
1609 if (s_tlsextdebug)
1610 {
1611 SSL_set_tlsext_debug_callback(con, tlsext_cb);
1612 SSL_set_tlsext_debug_arg(con, bio_s_out);
1613 }
1614 if (s_tlsextstatus)
1615 {
1616 SSL_CTX_set_tlsext_status_cb(ctx, cert_status_cb);
1617 tlscstatp.err = bio_err;
1618 SSL_CTX_set_tlsext_status_arg(ctx, &tlscstatp);
1619 }
1620#endif
939#ifndef OPENSSL_NO_KRB5 1621#ifndef OPENSSL_NO_KRB5
940 if ((con->kssl_ctx = kssl_ctx_new()) != NULL) 1622 if ((con->kssl_ctx = kssl_ctx_new()) != NULL)
941 { 1623 {
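Review bot: `SSL_CTX_set_tlsext_status_cb(ctx, cert_status_cb)` on new line 1616 configures the shared context from inside per-connection setup and never touches `ctx2`, so a client moved to the second context by the servername callback may get no certificate status response. Which context the library consults is not visible here, so verify; registering the callback once where both contexts are built, with `if (ctx2) SSL_CTX_set_tlsext_status_cb(ctx2, cert_status_cb);` next to the `ctx` call, would keep them aligned. The new calls also use `con` directly after `con=SSL_new(ctx)` without a NULL check, whereas `www_body` tests the result on new line 2062. The tlsext debug callback registered here is registered again at new lines 1691-1697 of the same function, so one of the two is redundant.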
@@ -951,7 +1633,39 @@ static int sv_body(char *hostname, int s, unsigned char *context)
951 } 1633 }
952 SSL_clear(con); 1634 SSL_clear(con);
953 1635
954 sbio=BIO_new_socket(s,BIO_NOCLOSE); 1636 if (SSL_version(con) == DTLS1_VERSION)
1637 {
1638 struct timeval timeout;
1639
1640 sbio=BIO_new_dgram(s,BIO_NOCLOSE);
1641
1642 if ( enable_timeouts)
1643 {
1644 timeout.tv_sec = 0;
1645 timeout.tv_usec = DGRAM_RCV_TIMEOUT;
1646 BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
1647
1648 timeout.tv_sec = 0;
1649 timeout.tv_usec = DGRAM_SND_TIMEOUT;
1650 BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
1651 }
1652
1653
1654 if ( mtu > 0)
1655 {
1656 SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
1657 SSL_set_mtu(con, mtu);
1658 }
1659 else
1660 /* want to do MTU discovery */
1661 BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL);
1662
1663 /* turn on cookie exchange */
1664 SSL_set_options(con, SSL_OP_COOKIE_EXCHANGE);
1665 }
1666 else
1667 sbio=BIO_new_socket(s,BIO_NOCLOSE);
1668
955 if (s_nbio_test) 1669 if (s_nbio_test)
956 { 1670 {
957 BIO *test; 1671 BIO *test;
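Review bot: `SSL_set_options(con, SSL_OP_COOKIE_EXCHANGE)` on new line 1664 turns on the DTLS cookie exchange, but nothing in this hunk registers cookie generate and verify callbacks. A cookie that is not bound to the peer address gives little protection against ClientHello floods from spoofed sources, so confirm the callbacks are set where the context is built, or add a comment such as `/* cookie callbacks not set: library default cookie is used */`. The results of `BIO_new_dgram` and of the three `BIO_ctrl` calls are ignored as well, so a failed allocation or timeout/MTU setup goes unnoticed; `if (sbio == NULL) goto err;` after the allocation would fail early. The body of `sv_body` extends beyond the hunk, and the `err` label is taken from the `goto err;` visible in a later hunk of the same function.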
@@ -966,14 +1680,21 @@ static int sv_body(char *hostname, int s, unsigned char *context)
966 if (s_debug) 1680 if (s_debug)
967 { 1681 {
968 con->debug=1; 1682 con->debug=1;
969 BIO_set_callback(SSL_get_rbio(con),bio_dump_cb); 1683 BIO_set_callback(SSL_get_rbio(con),bio_dump_callback);
970 BIO_set_callback_arg(SSL_get_rbio(con),bio_s_out); 1684 BIO_set_callback_arg(SSL_get_rbio(con),(char *)bio_s_out);
971 } 1685 }
972 if (s_msg) 1686 if (s_msg)
973 { 1687 {
974 SSL_set_msg_callback(con, msg_cb); 1688 SSL_set_msg_callback(con, msg_cb);
975 SSL_set_msg_callback_arg(con, bio_s_out); 1689 SSL_set_msg_callback_arg(con, bio_s_out);
976 } 1690 }
1691#ifndef OPENSSL_NO_TLSEXT
1692 if (s_tlsextdebug)
1693 {
1694 SSL_set_tlsext_debug_callback(con, tlsext_cb);
1695 SSL_set_tlsext_debug_arg(con, bio_s_out);
1696 }
1697#endif
977 1698
978 width=s+1; 1699 width=s+1;
979 for (;;) 1700 for (;;)
@@ -987,7 +1708,7 @@ static int sv_body(char *hostname, int s, unsigned char *context)
987 if (!read_from_sslcon) 1708 if (!read_from_sslcon)
988 { 1709 {
989 FD_ZERO(&readfds); 1710 FD_ZERO(&readfds);
990#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) 1711#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE)
991 FD_SET(fileno(stdin),&readfds); 1712 FD_SET(fileno(stdin),&readfds);
992#endif 1713#endif
993 FD_SET(s,&readfds); 1714 FD_SET(s,&readfds);
@@ -997,7 +1718,7 @@ static int sv_body(char *hostname, int s, unsigned char *context)
997 * the compiler: if you do have a cast then you can either 1718 * the compiler: if you do have a cast then you can either
998 * go for (int *) or (void *). 1719 * go for (int *) or (void *).
999 */ 1720 */
1000#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) 1721#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE)
1001 /* Under DOS (non-djgpp) and Windows we can't select on stdin: only 1722 /* Under DOS (non-djgpp) and Windows we can't select on stdin: only
1002 * on sockets. As a workaround we timeout the select every 1723 * on sockets. As a workaround we timeout the select every
1003 * second and check for any keypress. In a proper Windows 1724 * second and check for any keypress. In a proper Windows
@@ -1057,7 +1778,8 @@ static int sv_body(char *hostname, int s, unsigned char *context)
1057 if ((i <= 0) || (buf[0] == 'q')) 1778 if ((i <= 0) || (buf[0] == 'q'))
1058 { 1779 {
1059 BIO_printf(bio_s_out,"DONE\n"); 1780 BIO_printf(bio_s_out,"DONE\n");
1060 SHUTDOWN(s); 1781 if (SSL_version(con) != DTLS1_VERSION)
1782 SHUTDOWN(s);
1061 /* close_accept_socket(); 1783 /* close_accept_socket();
1062 ret= -11;*/ 1784 ret= -11;*/
1063 goto err; 1785 goto err;
@@ -1086,7 +1808,7 @@ static int sv_body(char *hostname, int s, unsigned char *context)
1086 } 1808 }
1087 if (buf[0] == 'P') 1809 if (buf[0] == 'P')
1088 { 1810 {
1089 static char *str="Lets print some clear text\n"; 1811 static const char *str="Lets print some clear text\n";
1090 BIO_write(SSL_get_wbio(con),str,strlen(str)); 1812 BIO_write(SSL_get_wbio(con),str,strlen(str));
1091 } 1813 }
1092 if (buf[0] == 'S') 1814 if (buf[0] == 'S')
@@ -1270,7 +1992,7 @@ static int init_ssl_connection(SSL *con)
1270 } 1992 }
1271 1993
1272#ifndef OPENSSL_NO_DH 1994#ifndef OPENSSL_NO_DH
1273static DH *load_dh_param(char *dhfile) 1995static DH *load_dh_param(const char *dhfile)
1274 { 1996 {
1275 DH *ret=NULL; 1997 DH *ret=NULL;
1276 BIO *bio; 1998 BIO *bio;
@@ -1338,6 +2060,13 @@ static int www_body(char *hostname, int s, unsigned char *context)
1338 if (!BIO_set_write_buffer_size(io,bufsize)) goto err; 2060 if (!BIO_set_write_buffer_size(io,bufsize)) goto err;
1339 2061
1340 if ((con=SSL_new(ctx)) == NULL) goto err; 2062 if ((con=SSL_new(ctx)) == NULL) goto err;
2063#ifndef OPENSSL_NO_TLSEXT
2064 if (s_tlsextdebug)
2065 {
2066 SSL_set_tlsext_debug_callback(con, tlsext_cb);
2067 SSL_set_tlsext_debug_arg(con, bio_s_out);
2068 }
2069#endif
1341#ifndef OPENSSL_NO_KRB5 2070#ifndef OPENSSL_NO_KRB5
1342 if ((con->kssl_ctx = kssl_ctx_new()) != NULL) 2071 if ((con->kssl_ctx = kssl_ctx_new()) != NULL)
1343 { 2072 {
@@ -1369,8 +2098,8 @@ static int www_body(char *hostname, int s, unsigned char *context)
1369 if (s_debug) 2098 if (s_debug)
1370 { 2099 {
1371 con->debug=1; 2100 con->debug=1;
1372 BIO_set_callback(SSL_get_rbio(con),bio_dump_cb); 2101 BIO_set_callback(SSL_get_rbio(con),bio_dump_callback);
1373 BIO_set_callback_arg(SSL_get_rbio(con),bio_s_out); 2102 BIO_set_callback_arg(SSL_get_rbio(con),(char *)bio_s_out);
1374 } 2103 }
1375 if (s_msg) 2104 if (s_msg)
1376 { 2105 {
@@ -1417,7 +2146,9 @@ static int www_body(char *hostname, int s, unsigned char *context)
1417 else 2146 else
1418 { 2147 {
1419 BIO_printf(bio_s_out,"read R BLOCK\n"); 2148 BIO_printf(bio_s_out,"read R BLOCK\n");
1420#if !defined(OPENSSL_SYS_MSDOS) && !defined(__DJGPP__) 2149#if defined(OPENSSL_SYS_NETWARE)
2150 delay(1000);
2151#elif !defined(OPENSSL_SYS_MSDOS) && !defined(__DJGPP__)
1421 sleep(1); 2152 sleep(1);
1422#endif 2153#endif
1423 continue; 2154 continue;
@@ -1436,7 +2167,7 @@ static int www_body(char *hostname, int s, unsigned char *context)
1436 char *p; 2167 char *p;
1437 X509 *peer; 2168 X509 *peer;
1438 STACK_OF(SSL_CIPHER) *sk; 2169 STACK_OF(SSL_CIPHER) *sk;
1439 static char *space=" "; 2170 static const char *space=" ";
1440 2171
1441 BIO_puts(io,"HTTP/1.0 200 ok\r\nContent-type: text/html\r\n\r\n"); 2172 BIO_puts(io,"HTTP/1.0 200 ok\r\nContent-type: text/html\r\n\r\n");
1442 BIO_puts(io,"<HTML><BODY BGCOLOR=\"#ffffff\">\n"); 2173 BIO_puts(io,"<HTML><BODY BGCOLOR=\"#ffffff\">\n");
@@ -1516,7 +2247,7 @@ static int www_body(char *hostname, int s, unsigned char *context)
1516 { 2247 {
1517 BIO *file; 2248 BIO *file;
1518 char *p,*e; 2249 char *p,*e;
1519 static char *text="HTTP/1.0 200 ok\r\nContent-type: text/plain\r\n\r\n"; 2250 static const char *text="HTTP/1.0 200 ok\r\nContent-type: text/plain\r\n\r\n";
1520 2251
1521 /* skip the '/' */ 2252 /* skip the '/' */
1522 p= &(buf[5]); 2253 p= &(buf[5]);
@@ -1692,21 +2423,30 @@ err:
1692#ifndef OPENSSL_NO_RSA 2423#ifndef OPENSSL_NO_RSA
1693static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength) 2424static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength)
1694 { 2425 {
2426 BIGNUM *bn = NULL;
1695 static RSA *rsa_tmp=NULL; 2427 static RSA *rsa_tmp=NULL;
1696 2428
1697 if (rsa_tmp == NULL) 2429 if (!rsa_tmp && ((bn = BN_new()) == NULL))
2430 BIO_printf(bio_err,"Allocation error in generating RSA key\n");
2431 if (!rsa_tmp && bn)
1698 { 2432 {
1699 if (!s_quiet) 2433 if (!s_quiet)
1700 { 2434 {
1701 BIO_printf(bio_err,"Generating temp (%d bit) RSA key...",keylength); 2435 BIO_printf(bio_err,"Generating temp (%d bit) RSA key...",keylength);
1702 (void)BIO_flush(bio_err); 2436 (void)BIO_flush(bio_err);
1703 } 2437 }
1704 rsa_tmp=RSA_generate_key(keylength,RSA_F4,NULL,NULL); 2438 if(!BN_set_word(bn, RSA_F4) || ((rsa_tmp = RSA_new()) == NULL) ||
2439 !RSA_generate_key_ex(rsa_tmp, keylength, bn, NULL))
2440 {
2441 if(rsa_tmp) RSA_free(rsa_tmp);
2442 rsa_tmp = NULL;
2443 }
1705 if (!s_quiet) 2444 if (!s_quiet)
1706 { 2445 {
1707 BIO_printf(bio_err,"\n"); 2446 BIO_printf(bio_err,"\n");
1708 (void)BIO_flush(bio_err); 2447 (void)BIO_flush(bio_err);
1709 } 2448 }
2449 BN_free(bn);
1710 } 2450 }
1711 return(rsa_tmp); 2451 return(rsa_tmp);
1712 } 2452 }
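Review bot: When `BN_set_word`, `RSA_new` or `RSA_generate_key_ex` fails (new lines 2438-2443), the callback returns NULL after printing only the trailing newline, so the operator gets no reason for any handshake failure that follows. Adding `ERR_print_errors(bio_err);` inside that failure branch would surface the library error, as other error paths in this file do. The cached `static RSA *rsa_tmp` is generated once with the first `keylength` and returned for every later call whatever length is requested, which deserves a comment such as `/* key is cached: later calls ignore is_export/keylength */`. The two separate `if (!rsa_tmp ...)` tests on new lines 2429-2431 would read more plainly as one block that allocates `bn` and reports the allocation error.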