Diffstat (limited to 'src/lib/libssl/src/apps/s_server.c')
-rw-r--r--src/lib/libssl/src/apps/s_server.c356
1 files changed, 328 insertions, 28 deletions
diff --git a/src/lib/libssl/src/apps/s_server.c b/src/lib/libssl/src/apps/s_server.c
index 8a0c34cf0f..3f9b3704c6 100644
--- a/src/lib/libssl/src/apps/s_server.c
+++ b/src/lib/libssl/src/apps/s_server.c
@@ -186,6 +186,9 @@ typedef unsigned int u_int;
186#ifndef OPENSSL_NO_RSA 186#ifndef OPENSSL_NO_RSA
187#include <openssl/rsa.h> 187#include <openssl/rsa.h>
188#endif 188#endif
189#ifndef OPENSSL_NO_SRP
190#include <openssl/srp.h>
191#endif
189#include "s_apps.h" 192#include "s_apps.h"
190#include "timeouts.h" 193#include "timeouts.h"
191 194
@@ -290,6 +293,9 @@ static int cert_status_cb(SSL *s, void *arg);
290static int s_msg=0; 293static int s_msg=0;
291static int s_quiet=0; 294static int s_quiet=0;
292 295
296static char *keymatexportlabel=NULL;
297static int keymatexportlen=20;
298
293static int hack=0; 299static int hack=0;
294#ifndef OPENSSL_NO_ENGINE 300#ifndef OPENSSL_NO_ENGINE
295static char *engine_id=NULL; 301static char *engine_id=NULL;
@@ -302,6 +308,7 @@ static long socket_mtu;
302static int cert_chain = 0; 308static int cert_chain = 0;
303#endif 309#endif
304 310
311
305#ifndef OPENSSL_NO_PSK 312#ifndef OPENSSL_NO_PSK
306static char *psk_identity="Client_identity"; 313static char *psk_identity="Client_identity";
307char *psk_key=NULL; /* by default PSK is not used */ 314char *psk_key=NULL; /* by default PSK is not used */
@@ -369,6 +376,52 @@ static unsigned int psk_server_cb(SSL *ssl, const char *identity,
369 } 376 }
370#endif 377#endif
371 378
379#ifndef OPENSSL_NO_SRP
380/* This is a context that we pass to callbacks */
381typedef struct srpsrvparm_st
382 {
383 char *login;
384 SRP_VBASE *vb;
385 SRP_user_pwd *user;
386 } srpsrvparm;
387
388/* This callback pretends to require some asynchronous logic in order to obtain
389 a verifier. When the callback is called for a new connection we return
390 with a negative value. This will provoke the accept etc to return with
391 an LOOKUP_X509. The main logic of the reinvokes the suspended call
392 (which would normally occur after a worker has finished) and we
393 set the user parameters.
394*/
395static int MS_CALLBACK ssl_srp_server_param_cb(SSL *s, int *ad, void *arg)
396 {
397 srpsrvparm *p = (srpsrvparm *)arg;
398 if (p->login == NULL && p->user == NULL )
399 {
400 p->login = SSL_get_srp_username(s);
401 BIO_printf(bio_err, "SRP username = \"%s\"\n", p->login);
402 return (-1) ;
403 }
404
405 if (p->user == NULL)
406 {
407 BIO_printf(bio_err, "User %s doesn't exist\n", p->login);
408 return SSL3_AL_FATAL;
409 }
410 if (SSL_set_srp_server_param(s, p->user->N, p->user->g, p->user->s, p->user->v,
411 p->user->info) < 0)
412 {
413 *ad = SSL_AD_INTERNAL_ERROR;
414 return SSL3_AL_FATAL;
415 }
416 BIO_printf(bio_err, "SRP parameters set: username = \"%s\" info=\"%s\" \n", p->login,p->user->info);
417 /* need to check whether there are memory leaks */
418 p->user = NULL;
419 p->login = NULL;
420 return SSL_ERROR_NONE;
421 }
422
423#endif
424
372#ifdef MONOLITH 425#ifdef MONOLITH
373static void s_server_init(void) 426static void s_server_init(void)
374 { 427 {
@@ -456,8 +509,14 @@ static void sv_usage(void)
456 BIO_printf(bio_err," -jpake arg - JPAKE secret to use\n"); 509 BIO_printf(bio_err," -jpake arg - JPAKE secret to use\n");
457# endif 510# endif
458#endif 511#endif
512#ifndef OPENSSL_NO_SRP
513 BIO_printf(bio_err," -srpvfile file - The verifier file for SRP\n");
514 BIO_printf(bio_err," -srpuserseed string - A seed string for a default user salt.\n");
515#endif
459 BIO_printf(bio_err," -ssl2 - Just talk SSLv2\n"); 516 BIO_printf(bio_err," -ssl2 - Just talk SSLv2\n");
460 BIO_printf(bio_err," -ssl3 - Just talk SSLv3\n"); 517 BIO_printf(bio_err," -ssl3 - Just talk SSLv3\n");
518 BIO_printf(bio_err," -tls1_2 - Just talk TLSv1.2\n");
519 BIO_printf(bio_err," -tls1_1 - Just talk TLSv1.1\n");
461 BIO_printf(bio_err," -tls1 - Just talk TLSv1\n"); 520 BIO_printf(bio_err," -tls1 - Just talk TLSv1\n");
462 BIO_printf(bio_err," -dtls1 - Just talk DTLSv1\n"); 521 BIO_printf(bio_err," -dtls1 - Just talk DTLSv1\n");
463 BIO_printf(bio_err," -timeout - Enable timeouts\n"); 522 BIO_printf(bio_err," -timeout - Enable timeouts\n");
@@ -466,6 +525,8 @@ static void sv_usage(void)
466 BIO_printf(bio_err," -no_ssl2 - Just disable SSLv2\n"); 525 BIO_printf(bio_err," -no_ssl2 - Just disable SSLv2\n");
467 BIO_printf(bio_err," -no_ssl3 - Just disable SSLv3\n"); 526 BIO_printf(bio_err," -no_ssl3 - Just disable SSLv3\n");
468 BIO_printf(bio_err," -no_tls1 - Just disable TLSv1\n"); 527 BIO_printf(bio_err," -no_tls1 - Just disable TLSv1\n");
528 BIO_printf(bio_err," -no_tls1_1 - Just disable TLSv1.1\n");
529 BIO_printf(bio_err," -no_tls1_2 - Just disable TLSv1.2\n");
469#ifndef OPENSSL_NO_DH 530#ifndef OPENSSL_NO_DH
470 BIO_printf(bio_err," -no_dhe - Disable ephemeral DH\n"); 531 BIO_printf(bio_err," -no_dhe - Disable ephemeral DH\n");
471#endif 532#endif
@@ -492,7 +553,13 @@ static void sv_usage(void)
492 BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n"); 553 BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n");
493 BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n"); 554 BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n");
494 BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n"); 555 BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
556# ifndef OPENSSL_NO_NEXTPROTONEG
557 BIO_printf(bio_err," -nextprotoneg arg - set the advertised protocols for the NPN extension (comma-separated list)\n");
558# endif
559 BIO_printf(bio_err," -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n");
495#endif 560#endif
561 BIO_printf(bio_err," -keymatexport label - Export keying material using label\n");
562 BIO_printf(bio_err," -keymatexportlen len - Export len bytes of keying material (default 20)\n");
496 } 563 }
497 564
498static int local_argc=0; 565static int local_argc=0;
@@ -826,6 +893,26 @@ BIO_printf(err, "cert_status: received %d ids\n", sk_OCSP_RESPID_num(ids));
826 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 893 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
827 goto done; 894 goto done;
828 } 895 }
896
897# ifndef OPENSSL_NO_NEXTPROTONEG
898/* This is the context that we pass to next_proto_cb */
899typedef struct tlsextnextprotoctx_st {
900 unsigned char *data;
901 unsigned int len;
902} tlsextnextprotoctx;
903
904static int next_proto_cb(SSL *s, const unsigned char **data, unsigned int *len, void *arg)
905 {
906 tlsextnextprotoctx *next_proto = arg;
907
908 *data = next_proto->data;
909 *len = next_proto->len;
910
911 return SSL_TLSEXT_ERR_OK;
912 }
913# endif /* ndef OPENSSL_NO_NEXTPROTONEG */
914
915
829#endif 916#endif
830 917
831int MAIN(int, char **); 918int MAIN(int, char **);
@@ -833,6 +920,10 @@ int MAIN(int, char **);
833#ifndef OPENSSL_NO_JPAKE 920#ifndef OPENSSL_NO_JPAKE
834static char *jpake_secret = NULL; 921static char *jpake_secret = NULL;
835#endif 922#endif
923#ifndef OPENSSL_NO_SRP
924 static srpsrvparm srp_callback_parm;
925#endif
926static char *srtp_profiles = NULL;
836 927
837int MAIN(int argc, char *argv[]) 928int MAIN(int argc, char *argv[])
838 { 929 {
@@ -864,21 +955,21 @@ int MAIN(int argc, char *argv[])
864#ifndef OPENSSL_NO_TLSEXT 955#ifndef OPENSSL_NO_TLSEXT
865 EVP_PKEY *s_key2 = NULL; 956 EVP_PKEY *s_key2 = NULL;
866 X509 *s_cert2 = NULL; 957 X509 *s_cert2 = NULL;
867#endif
868#ifndef OPENSSL_NO_TLSEXT
869 tlsextctx tlsextcbp = {NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING}; 958 tlsextctx tlsextcbp = {NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING};
959# ifndef OPENSSL_NO_NEXTPROTONEG
960 const char *next_proto_neg_in = NULL;
961 tlsextnextprotoctx next_proto;
962# endif
870#endif 963#endif
871#ifndef OPENSSL_NO_PSK 964#ifndef OPENSSL_NO_PSK
872 /* by default do not send a PSK identity hint */ 965 /* by default do not send a PSK identity hint */
873 static char *psk_identity_hint=NULL; 966 static char *psk_identity_hint=NULL;
874#endif 967#endif
875#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3) 968#ifndef OPENSSL_NO_SRP
876 meth=SSLv23_server_method(); 969 char *srpuserseed = NULL;
877#elif !defined(OPENSSL_NO_SSL3) 970 char *srp_verifier_file = NULL;
878 meth=SSLv3_server_method();
879#elif !defined(OPENSSL_NO_SSL2)
880 meth=SSLv2_server_method();
881#endif 971#endif
972 meth=SSLv23_server_method();
882 973
883 local_argc=argc; 974 local_argc=argc;
884 local_argv=argv; 975 local_argv=argv;
@@ -1103,13 +1194,27 @@ int MAIN(int argc, char *argv[])
1103 psk_key=*(++argv); 1194 psk_key=*(++argv);
1104 for (i=0; i<strlen(psk_key); i++) 1195 for (i=0; i<strlen(psk_key); i++)
1105 { 1196 {
1106 if (isxdigit((int)psk_key[i])) 1197 if (isxdigit((unsigned char)psk_key[i]))
1107 continue; 1198 continue;
1108 BIO_printf(bio_err,"Not a hex number '%s'\n",*argv); 1199 BIO_printf(bio_err,"Not a hex number '%s'\n",*argv);
1109 goto bad; 1200 goto bad;
1110 } 1201 }
1111 } 1202 }
1112#endif 1203#endif
1204#ifndef OPENSSL_NO_SRP
1205 else if (strcmp(*argv, "-srpvfile") == 0)
1206 {
1207 if (--argc < 1) goto bad;
1208 srp_verifier_file = *(++argv);
1209 meth=TLSv1_server_method();
1210 }
1211 else if (strcmp(*argv, "-srpuserseed") == 0)
1212 {
1213 if (--argc < 1) goto bad;
1214 srpuserseed = *(++argv);
1215 meth=TLSv1_server_method();
1216 }
1217#endif
1113 else if (strcmp(*argv,"-www") == 0) 1218 else if (strcmp(*argv,"-www") == 0)
1114 { www=1; } 1219 { www=1; }
1115 else if (strcmp(*argv,"-WWW") == 0) 1220 else if (strcmp(*argv,"-WWW") == 0)
@@ -1122,6 +1227,10 @@ int MAIN(int argc, char *argv[])
1122 { off|=SSL_OP_NO_SSLv3; } 1227 { off|=SSL_OP_NO_SSLv3; }
1123 else if (strcmp(*argv,"-no_tls1") == 0) 1228 else if (strcmp(*argv,"-no_tls1") == 0)
1124 { off|=SSL_OP_NO_TLSv1; } 1229 { off|=SSL_OP_NO_TLSv1; }
1230 else if (strcmp(*argv,"-no_tls1_1") == 0)
1231 { off|=SSL_OP_NO_TLSv1_1; }
1232 else if (strcmp(*argv,"-no_tls1_2") == 0)
1233 { off|=SSL_OP_NO_TLSv1_2; }
1125 else if (strcmp(*argv,"-no_comp") == 0) 1234 else if (strcmp(*argv,"-no_comp") == 0)
1126 { off|=SSL_OP_NO_COMPRESSION; } 1235 { off|=SSL_OP_NO_COMPRESSION; }
1127#ifndef OPENSSL_NO_TLSEXT 1236#ifndef OPENSSL_NO_TLSEXT
@@ -1139,6 +1248,10 @@ int MAIN(int argc, char *argv[])
1139#ifndef OPENSSL_NO_TLS1 1248#ifndef OPENSSL_NO_TLS1
1140 else if (strcmp(*argv,"-tls1") == 0) 1249 else if (strcmp(*argv,"-tls1") == 0)
1141 { meth=TLSv1_server_method(); } 1250 { meth=TLSv1_server_method(); }
1251 else if (strcmp(*argv,"-tls1_1") == 0)
1252 { meth=TLSv1_1_server_method(); }
1253 else if (strcmp(*argv,"-tls1_2") == 0)
1254 { meth=TLSv1_2_server_method(); }
1142#endif 1255#endif
1143#ifndef OPENSSL_NO_DTLS1 1256#ifndef OPENSSL_NO_DTLS1
1144 else if (strcmp(*argv,"-dtls1") == 0) 1257 else if (strcmp(*argv,"-dtls1") == 0)
@@ -1191,7 +1304,13 @@ int MAIN(int argc, char *argv[])
1191 if (--argc < 1) goto bad; 1304 if (--argc < 1) goto bad;
1192 s_key_file2= *(++argv); 1305 s_key_file2= *(++argv);
1193 } 1306 }
1194 1307# ifndef OPENSSL_NO_NEXTPROTONEG
1308 else if (strcmp(*argv,"-nextprotoneg") == 0)
1309 {
1310 if (--argc < 1) goto bad;
1311 next_proto_neg_in = *(++argv);
1312 }
1313# endif
1195#endif 1314#endif
1196#if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK) 1315#if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
1197 else if (strcmp(*argv,"-jpake") == 0) 1316 else if (strcmp(*argv,"-jpake") == 0)
@@ -1200,6 +1319,22 @@ int MAIN(int argc, char *argv[])
1200 jpake_secret = *(++argv); 1319 jpake_secret = *(++argv);
1201 } 1320 }
1202#endif 1321#endif
1322 else if (strcmp(*argv,"-use_srtp") == 0)
1323 {
1324 if (--argc < 1) goto bad;
1325 srtp_profiles = *(++argv);
1326 }
1327 else if (strcmp(*argv,"-keymatexport") == 0)
1328 {
1329 if (--argc < 1) goto bad;
1330 keymatexportlabel= *(++argv);
1331 }
1332 else if (strcmp(*argv,"-keymatexportlen") == 0)
1333 {
1334 if (--argc < 1) goto bad;
1335 keymatexportlen=atoi(*(++argv));
1336 if (keymatexportlen == 0) goto bad;
1337 }
1203 else 1338 else
1204 { 1339 {
1205 BIO_printf(bio_err,"unknown option %s\n",*argv); 1340 BIO_printf(bio_err,"unknown option %s\n",*argv);
@@ -1296,6 +1431,22 @@ bad:
1296 goto end; 1431 goto end;
1297 } 1432 }
1298 } 1433 }
1434
1435# ifndef OPENSSL_NO_NEXTPROTONEG
1436 if (next_proto_neg_in)
1437 {
1438 unsigned short len;
1439 next_proto.data = next_protos_parse(&len,
1440 next_proto_neg_in);
1441 if (next_proto.data == NULL)
1442 goto end;
1443 next_proto.len = len;
1444 }
1445 else
1446 {
1447 next_proto.data = NULL;
1448 }
1449# endif
1299#endif 1450#endif
1300 } 1451 }
1301 1452
@@ -1399,6 +1550,9 @@ bad:
1399 else 1550 else
1400 SSL_CTX_sess_set_cache_size(ctx,128); 1551 SSL_CTX_sess_set_cache_size(ctx,128);
1401 1552
1553 if (srtp_profiles != NULL)
1554 SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles);
1555
1402#if 0 1556#if 0
1403 if (cipher == NULL) cipher=getenv("SSL_CIPHER"); 1557 if (cipher == NULL) cipher=getenv("SSL_CIPHER");
1404#endif 1558#endif
@@ -1476,6 +1630,11 @@ bad:
1476 if (vpm) 1630 if (vpm)
1477 SSL_CTX_set1_param(ctx2, vpm); 1631 SSL_CTX_set1_param(ctx2, vpm);
1478 } 1632 }
1633
1634# ifndef OPENSSL_NO_NEXTPROTONEG
1635 if (next_proto.data)
1636 SSL_CTX_set_next_protos_advertised_cb(ctx, next_proto_cb, &next_proto);
1637# endif
1479#endif 1638#endif
1480 1639
1481#ifndef OPENSSL_NO_DH 1640#ifndef OPENSSL_NO_DH
@@ -1684,6 +1843,25 @@ bad:
1684 } 1843 }
1685#endif 1844#endif
1686 1845
1846#ifndef OPENSSL_NO_SRP
1847 if (srp_verifier_file != NULL)
1848 {
1849 srp_callback_parm.vb = SRP_VBASE_new(srpuserseed);
1850 srp_callback_parm.user = NULL;
1851 srp_callback_parm.login = NULL;
1852 if ((ret = SRP_VBASE_init(srp_callback_parm.vb, srp_verifier_file)) != SRP_NO_ERROR)
1853 {
1854 BIO_printf(bio_err,
1855 "Cannot initialize SRP verifier file \"%s\":ret=%d\n",
1856 srp_verifier_file, ret);
1857 goto end;
1858 }
1859 SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE,verify_callback);
1860 SSL_CTX_set_srp_cb_arg(ctx, &srp_callback_parm);
1861 SSL_CTX_set_srp_username_callback(ctx, ssl_srp_server_param_cb);
1862 }
1863 else
1864#endif
1687 if (CAfile != NULL) 1865 if (CAfile != NULL)
1688 { 1866 {
1689 SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(CAfile)); 1867 SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(CAfile));
@@ -1765,6 +1943,9 @@ static int sv_body(char *hostname, int s, unsigned char *context)
1765 unsigned long l; 1943 unsigned long l;
1766 SSL *con=NULL; 1944 SSL *con=NULL;
1767 BIO *sbio; 1945 BIO *sbio;
1946#ifndef OPENSSL_NO_KRB5
1947 KSSL_CTX *kctx;
1948#endif
1768 struct timeval timeout; 1949 struct timeval timeout;
1769#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5) 1950#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
1770 struct timeval tv; 1951 struct timeval tv;
@@ -1805,12 +1986,11 @@ static int sv_body(char *hostname, int s, unsigned char *context)
1805 } 1986 }
1806#endif 1987#endif
1807#ifndef OPENSSL_NO_KRB5 1988#ifndef OPENSSL_NO_KRB5
1808 if ((con->kssl_ctx = kssl_ctx_new()) != NULL) 1989 if ((kctx = kssl_ctx_new()) != NULL)
1809 { 1990 {
1810 kssl_ctx_setstring(con->kssl_ctx, KSSL_SERVICE, 1991 SSL_set0_kssl_ctx(con, kctx);
1811 KRB5SVC); 1992 kssl_ctx_setstring(kctx, KSSL_SERVICE, KRB5SVC);
1812 kssl_ctx_setstring(con->kssl_ctx, KSSL_KEYTAB, 1993 kssl_ctx_setstring(kctx, KSSL_KEYTAB, KRB5KEYTAB);
1813 KRB5KEYTAB);
1814 } 1994 }
1815#endif /* OPENSSL_NO_KRB5 */ 1995#endif /* OPENSSL_NO_KRB5 */
1816 if(context) 1996 if(context)
@@ -1873,7 +2053,7 @@ static int sv_body(char *hostname, int s, unsigned char *context)
1873 2053
1874 if (s_debug) 2054 if (s_debug)
1875 { 2055 {
1876 con->debug=1; 2056 SSL_set_debug(con, 1);
1877 BIO_set_callback(SSL_get_rbio(con),bio_dump_callback); 2057 BIO_set_callback(SSL_get_rbio(con),bio_dump_callback);
1878 BIO_set_callback_arg(SSL_get_rbio(con),(char *)bio_s_out); 2058 BIO_set_callback_arg(SSL_get_rbio(con),(char *)bio_s_out);
1879 } 2059 }
@@ -2002,6 +2182,16 @@ static int sv_body(char *hostname, int s, unsigned char *context)
2002 goto err; 2182 goto err;
2003 } 2183 }
2004 2184
2185#ifndef OPENSSL_NO_HEARTBEATS
2186 if ((buf[0] == 'B') &&
2187 ((buf[1] == '\n') || (buf[1] == '\r')))
2188 {
2189 BIO_printf(bio_err,"HEARTBEATING\n");
2190 SSL_heartbeat(con);
2191 i=0;
2192 continue;
2193 }
2194#endif
2005 if ((buf[0] == 'r') && 2195 if ((buf[0] == 'r') &&
2006 ((buf[1] == '\n') || (buf[1] == '\r'))) 2196 ((buf[1] == '\n') || (buf[1] == '\r')))
2007 { 2197 {
@@ -2045,6 +2235,18 @@ static int sv_body(char *hostname, int s, unsigned char *context)
2045{ static count=0; if (++count == 100) { count=0; SSL_renegotiate(con); } } 2235{ static count=0; if (++count == 100) { count=0; SSL_renegotiate(con); } }
2046#endif 2236#endif
2047 k=SSL_write(con,&(buf[l]),(unsigned int)i); 2237 k=SSL_write(con,&(buf[l]),(unsigned int)i);
2238#ifndef OPENSSL_NO_SRP
2239 while (SSL_get_error(con,k) == SSL_ERROR_WANT_X509_LOOKUP)
2240 {
2241 BIO_printf(bio_s_out,"LOOKUP renego during write\n");
2242 srp_callback_parm.user = SRP_VBASE_get_by_user(srp_callback_parm.vb, srp_callback_parm.login);
2243 if (srp_callback_parm.user)
2244 BIO_printf(bio_s_out,"LOOKUP done %s\n",srp_callback_parm.user->info);
2245 else
2246 BIO_printf(bio_s_out,"LOOKUP not successful\n");
2247 k=SSL_write(con,&(buf[l]),(unsigned int)i);
2248 }
2249#endif
2048 switch (SSL_get_error(con,k)) 2250 switch (SSL_get_error(con,k))
2049 { 2251 {
2050 case SSL_ERROR_NONE: 2252 case SSL_ERROR_NONE:
@@ -2092,6 +2294,18 @@ static int sv_body(char *hostname, int s, unsigned char *context)
2092 { 2294 {
2093again: 2295again:
2094 i=SSL_read(con,(char *)buf,bufsize); 2296 i=SSL_read(con,(char *)buf,bufsize);
2297#ifndef OPENSSL_NO_SRP
2298 while (SSL_get_error(con,i) == SSL_ERROR_WANT_X509_LOOKUP)
2299 {
2300 BIO_printf(bio_s_out,"LOOKUP renego during read\n");
2301 srp_callback_parm.user = SRP_VBASE_get_by_user(srp_callback_parm.vb, srp_callback_parm.login);
2302 if (srp_callback_parm.user)
2303 BIO_printf(bio_s_out,"LOOKUP done %s\n",srp_callback_parm.user->info);
2304 else
2305 BIO_printf(bio_s_out,"LOOKUP not successful\n");
2306 i=SSL_read(con,(char *)buf,bufsize);
2307 }
2308#endif
2095 switch (SSL_get_error(con,i)) 2309 switch (SSL_get_error(con,i))
2096 { 2310 {
2097 case SSL_ERROR_NONE: 2311 case SSL_ERROR_NONE:
@@ -2104,7 +2318,6 @@ again:
2104 break; 2318 break;
2105 case SSL_ERROR_WANT_WRITE: 2319 case SSL_ERROR_WANT_WRITE:
2106 case SSL_ERROR_WANT_READ: 2320 case SSL_ERROR_WANT_READ:
2107 case SSL_ERROR_WANT_X509_LOOKUP:
2108 BIO_printf(bio_s_out,"Read BLOCK\n"); 2321 BIO_printf(bio_s_out,"Read BLOCK\n");
2109 break; 2322 break;
2110 case SSL_ERROR_SYSCALL: 2323 case SSL_ERROR_SYSCALL:
@@ -2159,8 +2372,30 @@ static int init_ssl_connection(SSL *con)
2159 X509 *peer; 2372 X509 *peer;
2160 long verify_error; 2373 long verify_error;
2161 MS_STATIC char buf[BUFSIZ]; 2374 MS_STATIC char buf[BUFSIZ];
2375#ifndef OPENSSL_NO_KRB5
2376 char *client_princ;
2377#endif
2378#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
2379 const unsigned char *next_proto_neg;
2380 unsigned next_proto_neg_len;
2381#endif
2382 unsigned char *exportedkeymat;
2162 2383
2163 if ((i=SSL_accept(con)) <= 0) 2384
2385 i=SSL_accept(con);
2386#ifndef OPENSSL_NO_SRP
2387 while (i <= 0 && SSL_get_error(con,i) == SSL_ERROR_WANT_X509_LOOKUP)
2388 {
2389 BIO_printf(bio_s_out,"LOOKUP during accept %s\n",srp_callback_parm.login);
2390 srp_callback_parm.user = SRP_VBASE_get_by_user(srp_callback_parm.vb, srp_callback_parm.login);
2391 if (srp_callback_parm.user)
2392 BIO_printf(bio_s_out,"LOOKUP done %s\n",srp_callback_parm.user->info);
2393 else
2394 BIO_printf(bio_s_out,"LOOKUP not successful\n");
2395 i=SSL_accept(con);
2396 }
2397#endif
2398 if (i <= 0)
2164 { 2399 {
2165 if (BIO_sock_should_retry(i)) 2400 if (BIO_sock_should_retry(i))
2166 { 2401 {
@@ -2198,19 +2433,67 @@ static int init_ssl_connection(SSL *con)
2198 BIO_printf(bio_s_out,"Shared ciphers:%s\n",buf); 2433 BIO_printf(bio_s_out,"Shared ciphers:%s\n",buf);
2199 str=SSL_CIPHER_get_name(SSL_get_current_cipher(con)); 2434 str=SSL_CIPHER_get_name(SSL_get_current_cipher(con));
2200 BIO_printf(bio_s_out,"CIPHER is %s\n",(str != NULL)?str:"(NONE)"); 2435 BIO_printf(bio_s_out,"CIPHER is %s\n",(str != NULL)?str:"(NONE)");
2201 if (con->hit) BIO_printf(bio_s_out,"Reused session-id\n"); 2436#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
2437 SSL_get0_next_proto_negotiated(con, &next_proto_neg, &next_proto_neg_len);
2438 if (next_proto_neg)
2439 {
2440 BIO_printf(bio_s_out,"NEXTPROTO is ");
2441 BIO_write(bio_s_out, next_proto_neg, next_proto_neg_len);
2442 BIO_printf(bio_s_out, "\n");
2443 }
2444#endif
2445 {
2446 SRTP_PROTECTION_PROFILE *srtp_profile
2447 = SSL_get_selected_srtp_profile(con);
2448
2449 if(srtp_profile)
2450 BIO_printf(bio_s_out,"SRTP Extension negotiated, profile=%s\n",
2451 srtp_profile->name);
2452 }
2453 if (SSL_cache_hit(con)) BIO_printf(bio_s_out,"Reused session-id\n");
2202 if (SSL_ctrl(con,SSL_CTRL_GET_FLAGS,0,NULL) & 2454 if (SSL_ctrl(con,SSL_CTRL_GET_FLAGS,0,NULL) &
2203 TLS1_FLAGS_TLS_PADDING_BUG) 2455 TLS1_FLAGS_TLS_PADDING_BUG)
2204 BIO_printf(bio_s_out,"Peer has incorrect TLSv1 block padding\n"); 2456 BIO_printf(bio_s_out,
2457 "Peer has incorrect TLSv1 block padding\n");
2205#ifndef OPENSSL_NO_KRB5 2458#ifndef OPENSSL_NO_KRB5
2206 if (con->kssl_ctx->client_princ != NULL) 2459 client_princ = kssl_ctx_get0_client_princ(SSL_get0_kssl_ctx(con));
2460 if (client_princ != NULL)
2207 { 2461 {
2208 BIO_printf(bio_s_out,"Kerberos peer principal is %s\n", 2462 BIO_printf(bio_s_out,"Kerberos peer principal is %s\n",
2209 con->kssl_ctx->client_princ); 2463 client_princ);
2210 } 2464 }
2211#endif /* OPENSSL_NO_KRB5 */ 2465#endif /* OPENSSL_NO_KRB5 */
2212 BIO_printf(bio_s_out, "Secure Renegotiation IS%s supported\n", 2466 BIO_printf(bio_s_out, "Secure Renegotiation IS%s supported\n",
2213 SSL_get_secure_renegotiation_support(con) ? "" : " NOT"); 2467 SSL_get_secure_renegotiation_support(con) ? "" : " NOT");
2468 if (keymatexportlabel != NULL)
2469 {
2470 BIO_printf(bio_s_out, "Keying material exporter:\n");
2471 BIO_printf(bio_s_out, " Label: '%s'\n", keymatexportlabel);
2472 BIO_printf(bio_s_out, " Length: %i bytes\n",
2473 keymatexportlen);
2474 exportedkeymat = OPENSSL_malloc(keymatexportlen);
2475 if (exportedkeymat != NULL)
2476 {
2477 if (!SSL_export_keying_material(con, exportedkeymat,
2478 keymatexportlen,
2479 keymatexportlabel,
2480 strlen(keymatexportlabel),
2481 NULL, 0, 0))
2482 {
2483 BIO_printf(bio_s_out, " Error\n");
2484 }
2485 else
2486 {
2487 BIO_printf(bio_s_out, " Keying material: ");
2488 for (i=0; i<keymatexportlen; i++)
2489 BIO_printf(bio_s_out, "%02X",
2490 exportedkeymat[i]);
2491 BIO_printf(bio_s_out, "\n");
2492 }
2493 OPENSSL_free(exportedkeymat);
2494 }
2495 }
2496
2214 return(1); 2497 return(1);
2215 } 2498 }
2216 2499
@@ -2228,6 +2511,9 @@ err:
2228 return(ret); 2511 return(ret);
2229 } 2512 }
2230#endif 2513#endif
2514#ifndef OPENSSL_NO_KRB5
2515 char *client_princ;
2516#endif
2231 2517
2232#if 0 2518#if 0
2233static int load_CA(SSL_CTX *ctx, char *file) 2519static int load_CA(SSL_CTX *ctx, char *file)
@@ -2258,6 +2544,9 @@ static int www_body(char *hostname, int s, unsigned char *context)
2258 SSL *con; 2544 SSL *con;
2259 const SSL_CIPHER *c; 2545 const SSL_CIPHER *c;
2260 BIO *io,*ssl_bio,*sbio; 2546 BIO *io,*ssl_bio,*sbio;
2547#ifndef OPENSSL_NO_KRB5
2548 KSSL_CTX *kctx;
2549#endif
2261 2550
2262 buf=OPENSSL_malloc(bufsize); 2551 buf=OPENSSL_malloc(bufsize);
2263 if (buf == NULL) return(0); 2552 if (buf == NULL) return(0);
@@ -2289,10 +2578,10 @@ static int www_body(char *hostname, int s, unsigned char *context)
2289 } 2578 }
2290#endif 2579#endif
2291#ifndef OPENSSL_NO_KRB5 2580#ifndef OPENSSL_NO_KRB5
2292 if ((con->kssl_ctx = kssl_ctx_new()) != NULL) 2581 if ((kctx = kssl_ctx_new()) != NULL)
2293 { 2582 {
2294 kssl_ctx_setstring(con->kssl_ctx, KSSL_SERVICE, KRB5SVC); 2583 kssl_ctx_setstring(kctx, KSSL_SERVICE, KRB5SVC);
2295 kssl_ctx_setstring(con->kssl_ctx, KSSL_KEYTAB, KRB5KEYTAB); 2584 kssl_ctx_setstring(kctx, KSSL_KEYTAB, KRB5KEYTAB);
2296 } 2585 }
2297#endif /* OPENSSL_NO_KRB5 */ 2586#endif /* OPENSSL_NO_KRB5 */
2298 if(context) SSL_set_session_id_context(con, context, 2587 if(context) SSL_set_session_id_context(con, context,
@@ -2318,7 +2607,7 @@ static int www_body(char *hostname, int s, unsigned char *context)
2318 2607
2319 if (s_debug) 2608 if (s_debug)
2320 { 2609 {
2321 con->debug=1; 2610 SSL_set_debug(con, 1);
2322 BIO_set_callback(SSL_get_rbio(con),bio_dump_callback); 2611 BIO_set_callback(SSL_get_rbio(con),bio_dump_callback);
2323 BIO_set_callback_arg(SSL_get_rbio(con),(char *)bio_s_out); 2612 BIO_set_callback_arg(SSL_get_rbio(con),(char *)bio_s_out);
2324 } 2613 }
@@ -2333,7 +2622,18 @@ static int www_body(char *hostname, int s, unsigned char *context)
2333 if (hack) 2622 if (hack)
2334 { 2623 {
2335 i=SSL_accept(con); 2624 i=SSL_accept(con);
2336 2625#ifndef OPENSSL_NO_SRP
2626 while (i <= 0 && SSL_get_error(con,i) == SSL_ERROR_WANT_X509_LOOKUP)
2627 {
2628 BIO_printf(bio_s_out,"LOOKUP during accept %s\n",srp_callback_parm.login);
2629 srp_callback_parm.user = SRP_VBASE_get_by_user(srp_callback_parm.vb, srp_callback_parm.login);
2630 if (srp_callback_parm.user)
2631 BIO_printf(bio_s_out,"LOOKUP done %s\n",srp_callback_parm.user->info);
2632 else
2633 BIO_printf(bio_s_out,"LOOKUP not successful\n");
2634 i=SSL_accept(con);
2635 }
2636#endif
2337 switch (SSL_get_error(con,i)) 2637 switch (SSL_get_error(con,i))
2338 { 2638 {
2339 case SSL_ERROR_NONE: 2639 case SSL_ERROR_NONE:
@@ -2439,7 +2739,7 @@ static int www_body(char *hostname, int s, unsigned char *context)
2439 } 2739 }
2440 BIO_puts(io,"\n"); 2740 BIO_puts(io,"\n");
2441 } 2741 }
2442 BIO_printf(io,((con->hit) 2742 BIO_printf(io,(SSL_cache_hit(con)
2443 ?"---\nReused, " 2743 ?"---\nReused, "
2444 :"---\nNew, ")); 2744 :"---\nNew, "));
2445 c=SSL_get_current_cipher(con); 2745 c=SSL_get_current_cipher(con);
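Review bot: In `ssl_srp_server_param_cb` (hunk `@@ -369,6 +376,52 @@`) the unknown-user branch returns `SSL3_AL_FATAL` without clearing `p->login`, and the state it leaves behind lives in the single file-scope `srp_callback_parm` that every connection shares. As far as the visible lines show, after one failed lookup the next handshake skips the first branch (`login` is no longer NULL), goes straight to "User %s doesn't exist" with the previous connection's username pointer, and fails again. That pointer came from `SSL_get_srp_username(s)` and presumably belongs to an SSL object that may already have been freed. Both failure returns should reset the state the way the success path does, i.e. `p->user = NULL; p->login = NULL;` before each `return SSL3_AL_FATAL;`. The existing `/* need to check whether there are memory leaks */` remark is also still open: nothing in this diff shows who owns the `SRP_user_pwd` returned by `SRP_VBASE_get_by_user`, so the ownership rule should be documented at the point where `p->user` is dropped.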