summaryrefslogtreecommitdiff
path: root/src/lib/libssl/src/apps/s_server.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libssl/src/apps/s_server.c')
-rw-r--r--src/lib/libssl/src/apps/s_server.c375
1 files changed, 288 insertions, 87 deletions
diff --git a/src/lib/libssl/src/apps/s_server.c b/src/lib/libssl/src/apps/s_server.c
index 84b1b28461..1a06d19bb1 100644
--- a/src/lib/libssl/src/apps/s_server.c
+++ b/src/lib/libssl/src/apps/s_server.c
@@ -56,7 +56,7 @@
56 * [including the GNU Public Licence.] 56 * [including the GNU Public Licence.]
57 */ 57 */
58/* ==================================================================== 58/* ====================================================================
59 * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. 59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
60 * 60 *
61 * Redistribution and use in source and binary forms, with or without 61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions 62 * modification, are permitted provided that the following conditions
@@ -113,6 +113,32 @@
113 * ECC cipher suite support in OpenSSL originally developed by 113 * ECC cipher suite support in OpenSSL originally developed by
114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. 114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
115 */ 115 */
116/* ====================================================================
117 * Copyright 2005 Nokia. All rights reserved.
118 *
119 * The portions of the attached software ("Contribution") is developed by
120 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
121 * license.
122 *
123 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
124 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
125 * support (see RFC 4279) to OpenSSL.
126 *
127 * No patent licenses or other rights except those expressly stated in
128 * the OpenSSL open source license shall be deemed granted or received
129 * expressly, by implication, estoppel, or otherwise.
130 *
131 * No assurances are provided by Nokia that the Contribution does not
132 * infringe the patent or other intellectual property rights of any third
133 * party or that the license provides you with all the necessary rights
134 * to make use of the Contribution.
135 *
136 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
137 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
138 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
139 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
140 * OTHERWISE.
141 */
116 142
117/* Until the key-gen callbacks are modified to use newer prototypes, we allow 143/* Until the key-gen callbacks are modified to use newer prototypes, we allow
118 * deprecated functions for openssl-internal code */ 144 * deprecated functions for openssl-internal code */
@@ -121,11 +147,11 @@
121#endif 147#endif
122 148
123#include <assert.h> 149#include <assert.h>
150#include <ctype.h>
124#include <stdio.h> 151#include <stdio.h>
125#include <stdlib.h> 152#include <stdlib.h>
126#include <string.h> 153#include <string.h>
127 154
128#include <sys/stat.h>
129#include <openssl/e_os2.h> 155#include <openssl/e_os2.h>
130#ifdef OPENSSL_NO_STDIO 156#ifdef OPENSSL_NO_STDIO
131#define APPS_WIN16 157#define APPS_WIN16
@@ -163,19 +189,15 @@ typedef unsigned int u_int;
163#include "s_apps.h" 189#include "s_apps.h"
164#include "timeouts.h" 190#include "timeouts.h"
165 191
166#ifdef OPENSSL_SYS_WINCE
167/* Windows CE incorrectly defines fileno as returning void*, so to avoid problems below... */
168#ifdef fileno
169#undef fileno
170#endif
171#define fileno(a) (int)_fileno(a)
172#endif
173
174#if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000) 192#if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
175/* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */ 193/* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
176#undef FIONBIO 194#undef FIONBIO
177#endif 195#endif
178 196
197#if defined(OPENSSL_SYS_BEOS_R5)
198#include <fcntl.h>
199#endif
200
179#ifndef OPENSSL_NO_RSA 201#ifndef OPENSSL_NO_RSA
180static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength); 202static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength);
181#endif 203#endif
@@ -196,14 +218,6 @@ static DH *get_dh512(void);
196static void s_server_init(void); 218static void s_server_init(void);
197#endif 219#endif
198 220
199#ifndef S_ISDIR
200# if defined(_S_IFMT) && defined(_S_IFDIR)
201# define S_ISDIR(a) (((a) & _S_IFMT) == _S_IFDIR)
202# else
203# define S_ISDIR(a) (((a) & S_IFMT) == S_IFDIR)
204# endif
205#endif
206
207#ifndef OPENSSL_NO_DH 221#ifndef OPENSSL_NO_DH
208static unsigned char dh512_p[]={ 222static unsigned char dh512_p[]={
209 0xDA,0x58,0x3C,0x16,0xD9,0x85,0x22,0x89,0xD0,0xE4,0xAF,0x75, 223 0xDA,0x58,0x3C,0x16,0xD9,0x85,0x22,0x89,0xD0,0xE4,0xAF,0x75,
@@ -245,7 +259,7 @@ static int accept_socket= -1;
245#undef PROG 259#undef PROG
246#define PROG s_server_main 260#define PROG s_server_main
247 261
248extern int verify_depth; 262extern int verify_depth, verify_return_error;
249 263
250static char *cipher=NULL; 264static char *cipher=NULL;
251static int s_server_verify=SSL_VERIFY_NONE; 265static int s_server_verify=SSL_VERIFY_NONE;
@@ -283,12 +297,77 @@ static char *engine_id=NULL;
283static const char *session_id_prefix=NULL; 297static const char *session_id_prefix=NULL;
284 298
285static int enable_timeouts = 0; 299static int enable_timeouts = 0;
286#ifdef mtu 300static long socket_mtu;
287#undef mtu 301#ifndef OPENSSL_NO_DTLS1
288#endif
289static long mtu;
290static int cert_chain = 0; 302static int cert_chain = 0;
303#endif
304
305#ifndef OPENSSL_NO_PSK
306static char *psk_identity="Client_identity";
307char *psk_key=NULL; /* by default PSK is not used */
308
309static unsigned int psk_server_cb(SSL *ssl, const char *identity,
310 unsigned char *psk, unsigned int max_psk_len)
311 {
312 unsigned int psk_len = 0;
313 int ret;
314 BIGNUM *bn = NULL;
291 315
316 if (s_debug)
317 BIO_printf(bio_s_out,"psk_server_cb\n");
318 if (!identity)
319 {
320 BIO_printf(bio_err,"Error: client did not send PSK identity\n");
321 goto out_err;
322 }
323 if (s_debug)
324 BIO_printf(bio_s_out,"identity_len=%d identity=%s\n",
325 identity ? (int)strlen(identity) : 0, identity);
326
327 /* here we could lookup the given identity e.g. from a database */
328 if (strcmp(identity, psk_identity) != 0)
329 {
330 BIO_printf(bio_s_out, "PSK error: client identity not found"
331 " (got '%s' expected '%s')\n", identity,
332 psk_identity);
333 goto out_err;
334 }
335 if (s_debug)
336 BIO_printf(bio_s_out, "PSK client identity found\n");
337
338 /* convert the PSK key to binary */
339 ret = BN_hex2bn(&bn, psk_key);
340 if (!ret)
341 {
342 BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", psk_key);
343 if (bn)
344 BN_free(bn);
345 return 0;
346 }
347 if (BN_num_bytes(bn) > (int)max_psk_len)
348 {
349 BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n",
350 max_psk_len, BN_num_bytes(bn));
351 BN_free(bn);
352 return 0;
353 }
354
355 ret = BN_bn2bin(bn, psk);
356 BN_free(bn);
357
358 if (ret < 0)
359 goto out_err;
360 psk_len = (unsigned int)ret;
361
362 if (s_debug)
363 BIO_printf(bio_s_out, "fetched PSK len=%d\n", psk_len);
364 return psk_len;
365 out_err:
366 if (s_debug)
367 BIO_printf(bio_err, "Error in PSK server callback\n");
368 return 0;
369 }
370#endif
292 371
293#ifdef MONOLITH 372#ifdef MONOLITH
294static void s_server_init(void) 373static void s_server_init(void)
@@ -353,7 +432,7 @@ static void sv_usage(void)
353#ifndef OPENSSL_NO_ECDH 432#ifndef OPENSSL_NO_ECDH
354 BIO_printf(bio_err," -named_curve arg - Elliptic curve name to use for ephemeral ECDH keys.\n" \ 433 BIO_printf(bio_err," -named_curve arg - Elliptic curve name to use for ephemeral ECDH keys.\n" \
355 " Use \"openssl ecparam -list_curves\" for all names\n" \ 434 " Use \"openssl ecparam -list_curves\" for all names\n" \
356 " (default is sect163r2).\n"); 435 " (default is nistp256).\n");
357#endif 436#endif
358#ifdef FIONBIO 437#ifdef FIONBIO
359 BIO_printf(bio_err," -nbio - Run with non-blocking IO\n"); 438 BIO_printf(bio_err," -nbio - Run with non-blocking IO\n");
@@ -370,12 +449,19 @@ static void sv_usage(void)
370 BIO_printf(bio_err," -serverpref - Use server's cipher preferences\n"); 449 BIO_printf(bio_err," -serverpref - Use server's cipher preferences\n");
371 BIO_printf(bio_err," -quiet - No server output\n"); 450 BIO_printf(bio_err," -quiet - No server output\n");
372 BIO_printf(bio_err," -no_tmp_rsa - Do not generate a tmp RSA key\n"); 451 BIO_printf(bio_err," -no_tmp_rsa - Do not generate a tmp RSA key\n");
452#ifndef OPENSSL_NO_PSK
453 BIO_printf(bio_err," -psk_hint arg - PSK identity hint to use\n");
454 BIO_printf(bio_err," -psk arg - PSK in hex (without 0x)\n");
455# ifndef OPENSSL_NO_JPAKE
456 BIO_printf(bio_err," -jpake arg - JPAKE secret to use\n");
457# endif
458#endif
373 BIO_printf(bio_err," -ssl2 - Just talk SSLv2\n"); 459 BIO_printf(bio_err," -ssl2 - Just talk SSLv2\n");
374 BIO_printf(bio_err," -ssl3 - Just talk SSLv3\n"); 460 BIO_printf(bio_err," -ssl3 - Just talk SSLv3\n");
375 BIO_printf(bio_err," -tls1 - Just talk TLSv1\n"); 461 BIO_printf(bio_err," -tls1 - Just talk TLSv1\n");
376 BIO_printf(bio_err," -dtls1 - Just talk DTLSv1\n"); 462 BIO_printf(bio_err," -dtls1 - Just talk DTLSv1\n");
377 BIO_printf(bio_err," -timeout - Enable timeouts\n"); 463 BIO_printf(bio_err," -timeout - Enable timeouts\n");
378 BIO_printf(bio_err," -mtu - Set MTU\n"); 464 BIO_printf(bio_err," -mtu - Set link layer MTU\n");
379 BIO_printf(bio_err," -chain - Read a certificate chain\n"); 465 BIO_printf(bio_err," -chain - Read a certificate chain\n");
380 BIO_printf(bio_err," -no_ssl2 - Just disable SSLv2\n"); 466 BIO_printf(bio_err," -no_ssl2 - Just disable SSLv2\n");
381 BIO_printf(bio_err," -no_ssl3 - Just disable SSLv3\n"); 467 BIO_printf(bio_err," -no_ssl3 - Just disable SSLv3\n");
@@ -405,6 +491,7 @@ static void sv_usage(void)
405 BIO_printf(bio_err," not specified (default is %s)\n",TEST_CERT2); 491 BIO_printf(bio_err," not specified (default is %s)\n",TEST_CERT2);
406 BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n"); 492 BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n");
407 BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n"); 493 BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n");
494 BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
408#endif 495#endif
409 } 496 }
410 497
@@ -587,7 +674,7 @@ static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg)
587 return p->extension_error; 674 return p->extension_error;
588 if (ctx2) 675 if (ctx2)
589 { 676 {
590 BIO_printf(p->biodebug,"Swiching server context.\n"); 677 BIO_printf(p->biodebug,"Switching server context.\n");
591 SSL_set_SSL_CTX(s,ctx2); 678 SSL_set_SSL_CTX(s,ctx2);
592 } 679 }
593 } 680 }
@@ -626,7 +713,7 @@ static int cert_status_cb(SSL *s, void *arg)
626 int use_ssl; 713 int use_ssl;
627 unsigned char *rspder = NULL; 714 unsigned char *rspder = NULL;
628 int rspderlen; 715 int rspderlen;
629 STACK *aia = NULL; 716 STACK_OF(OPENSSL_STRING) *aia = NULL;
630 X509 *x = NULL; 717 X509 *x = NULL;
631 X509_STORE_CTX inctx; 718 X509_STORE_CTX inctx;
632 X509_OBJECT obj; 719 X509_OBJECT obj;
@@ -648,7 +735,7 @@ BIO_printf(err, "cert_status: received %d ids\n", sk_OCSP_RESPID_num(ids));
648 aia = X509_get1_ocsp(x); 735 aia = X509_get1_ocsp(x);
649 if (aia) 736 if (aia)
650 { 737 {
651 if (!OCSP_parse_url(sk_value(aia, 0), 738 if (!OCSP_parse_url(sk_OPENSSL_STRING_value(aia, 0),
652 &host, &port, &path, &use_ssl)) 739 &host, &port, &path, &use_ssl))
653 { 740 {
654 BIO_puts(err, "cert_status: can't parse AIA URL\n"); 741 BIO_puts(err, "cert_status: can't parse AIA URL\n");
@@ -656,7 +743,7 @@ BIO_printf(err, "cert_status: received %d ids\n", sk_OCSP_RESPID_num(ids));
656 } 743 }
657 if (srctx->verbose) 744 if (srctx->verbose)
658 BIO_printf(err, "cert_status: AIA URL: %s\n", 745 BIO_printf(err, "cert_status: AIA URL: %s\n",
659 sk_value(aia, 0)); 746 sk_OPENSSL_STRING_value(aia, 0));
660 } 747 }
661 else 748 else
662 { 749 {
@@ -701,7 +788,7 @@ BIO_printf(err, "cert_status: received %d ids\n", sk_OCSP_RESPID_num(ids));
701 if (!OCSP_REQUEST_add_ext(req, ext, -1)) 788 if (!OCSP_REQUEST_add_ext(req, ext, -1))
702 goto err; 789 goto err;
703 } 790 }
704 resp = process_responder(err, req, host, path, port, use_ssl, 791 resp = process_responder(err, req, host, path, port, use_ssl, NULL,
705 srctx->timeout); 792 srctx->timeout);
706 if (!resp) 793 if (!resp)
707 { 794 {
@@ -740,6 +827,7 @@ BIO_printf(err, "cert_status: received %d ids\n", sk_OCSP_RESPID_num(ids));
740 goto done; 827 goto done;
741 } 828 }
742#endif 829#endif
830
743int MAIN(int, char **); 831int MAIN(int, char **);
744 832
745#ifndef OPENSSL_NO_JPAKE 833#ifndef OPENSSL_NO_JPAKE
@@ -748,8 +836,8 @@ static char *jpake_secret = NULL;
748 836
749int MAIN(int argc, char *argv[]) 837int MAIN(int argc, char *argv[])
750 { 838 {
751 X509_STORE *store = NULL; 839 X509_VERIFY_PARAM *vpm = NULL;
752 int vflags = 0; 840 int badarg = 0;
753 short port=PORT; 841 short port=PORT;
754 char *CApath=NULL,*CAfile=NULL; 842 char *CApath=NULL,*CAfile=NULL;
755 unsigned char *context = NULL; 843 unsigned char *context = NULL;
@@ -762,8 +850,8 @@ int MAIN(int argc, char *argv[])
762 int off=0; 850 int off=0;
763 int no_tmp_rsa=0,no_dhe=0,no_ecdhe=0,nocert=0; 851 int no_tmp_rsa=0,no_dhe=0,no_ecdhe=0,nocert=0;
764 int state=0; 852 int state=0;
765 SSL_METHOD *meth=NULL; 853 const SSL_METHOD *meth=NULL;
766 int socket_type=SOCK_STREAM; 854 int socket_type=SOCK_STREAM;
767 ENGINE *e=NULL; 855 ENGINE *e=NULL;
768 char *inrand=NULL; 856 char *inrand=NULL;
769 int s_cert_format = FORMAT_PEM, s_key_format = FORMAT_PEM; 857 int s_cert_format = FORMAT_PEM, s_key_format = FORMAT_PEM;
@@ -772,6 +860,7 @@ int MAIN(int argc, char *argv[])
772 int s_dcert_format = FORMAT_PEM, s_dkey_format = FORMAT_PEM; 860 int s_dcert_format = FORMAT_PEM, s_dkey_format = FORMAT_PEM;
773 X509 *s_cert = NULL, *s_dcert = NULL; 861 X509 *s_cert = NULL, *s_dcert = NULL;
774 EVP_PKEY *s_key = NULL, *s_dkey = NULL; 862 EVP_PKEY *s_key = NULL, *s_dkey = NULL;
863 int no_cache = 0;
775#ifndef OPENSSL_NO_TLSEXT 864#ifndef OPENSSL_NO_TLSEXT
776 EVP_PKEY *s_key2 = NULL; 865 EVP_PKEY *s_key2 = NULL;
777 X509 *s_cert2 = NULL; 866 X509 *s_cert2 = NULL;
@@ -779,7 +868,10 @@ int MAIN(int argc, char *argv[])
779#ifndef OPENSSL_NO_TLSEXT 868#ifndef OPENSSL_NO_TLSEXT
780 tlsextctx tlsextcbp = {NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING}; 869 tlsextctx tlsextcbp = {NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING};
781#endif 870#endif
782 871#ifndef OPENSSL_NO_PSK
872 /* by default do not send a PSK identity hint */
873 static char *psk_identity_hint=NULL;
874#endif
783#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3) 875#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
784 meth=SSLv23_server_method(); 876 meth=SSLv23_server_method();
785#elif !defined(OPENSSL_NO_SSL3) 877#elif !defined(OPENSSL_NO_SSL3)
@@ -911,16 +1003,20 @@ int MAIN(int argc, char *argv[])
911 if (--argc < 1) goto bad; 1003 if (--argc < 1) goto bad;
912 CApath= *(++argv); 1004 CApath= *(++argv);
913 } 1005 }
914 else if (strcmp(*argv,"-crl_check") == 0) 1006 else if (strcmp(*argv,"-no_cache") == 0)
915 { 1007 no_cache = 1;
916 vflags |= X509_V_FLAG_CRL_CHECK; 1008 else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm))
917 }
918 else if (strcmp(*argv,"-crl_check_all") == 0)
919 { 1009 {
920 vflags |= X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL; 1010 if (badarg)
1011 goto bad;
1012 continue;
921 } 1013 }
1014 else if (strcmp(*argv,"-verify_return_error") == 0)
1015 verify_return_error = 1;
922 else if (strcmp(*argv,"-serverpref") == 0) 1016 else if (strcmp(*argv,"-serverpref") == 0)
923 { off|=SSL_OP_CIPHER_SERVER_PREFERENCE; } 1017 { off|=SSL_OP_CIPHER_SERVER_PREFERENCE; }
1018 else if (strcmp(*argv,"-legacy_renegotiation") == 0)
1019 off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
924 else if (strcmp(*argv,"-cipher") == 0) 1020 else if (strcmp(*argv,"-cipher") == 0)
925 { 1021 {
926 if (--argc < 1) goto bad; 1022 if (--argc < 1) goto bad;
@@ -993,6 +1089,27 @@ int MAIN(int argc, char *argv[])
993 { no_dhe=1; } 1089 { no_dhe=1; }
994 else if (strcmp(*argv,"-no_ecdhe") == 0) 1090 else if (strcmp(*argv,"-no_ecdhe") == 0)
995 { no_ecdhe=1; } 1091 { no_ecdhe=1; }
1092#ifndef OPENSSL_NO_PSK
1093 else if (strcmp(*argv,"-psk_hint") == 0)
1094 {
1095 if (--argc < 1) goto bad;
1096 psk_identity_hint= *(++argv);
1097 }
1098 else if (strcmp(*argv,"-psk") == 0)
1099 {
1100 size_t i;
1101
1102 if (--argc < 1) goto bad;
1103 psk_key=*(++argv);
1104 for (i=0; i<strlen(psk_key); i++)
1105 {
1106 if (isxdigit((int)psk_key[i]))
1107 continue;
1108 BIO_printf(bio_err,"Not a hex number '%s'\n",*argv);
1109 goto bad;
1110 }
1111 }
1112#endif
996 else if (strcmp(*argv,"-www") == 0) 1113 else if (strcmp(*argv,"-www") == 0)
997 { www=1; } 1114 { www=1; }
998 else if (strcmp(*argv,"-WWW") == 0) 1115 else if (strcmp(*argv,"-WWW") == 0)
@@ -1005,6 +1122,8 @@ int MAIN(int argc, char *argv[])
1005 { off|=SSL_OP_NO_SSLv3; } 1122 { off|=SSL_OP_NO_SSLv3; }
1006 else if (strcmp(*argv,"-no_tls1") == 0) 1123 else if (strcmp(*argv,"-no_tls1") == 0)
1007 { off|=SSL_OP_NO_TLSv1; } 1124 { off|=SSL_OP_NO_TLSv1; }
1125 else if (strcmp(*argv,"-no_comp") == 0)
1126 { off|=SSL_OP_NO_COMPRESSION; }
1008#ifndef OPENSSL_NO_TLSEXT 1127#ifndef OPENSSL_NO_TLSEXT
1009 else if (strcmp(*argv,"-no_ticket") == 0) 1128 else if (strcmp(*argv,"-no_ticket") == 0)
1010 { off|=SSL_OP_NO_TICKET; } 1129 { off|=SSL_OP_NO_TICKET; }
@@ -1032,7 +1151,7 @@ int MAIN(int argc, char *argv[])
1032 else if (strcmp(*argv,"-mtu") == 0) 1151 else if (strcmp(*argv,"-mtu") == 0)
1033 { 1152 {
1034 if (--argc < 1) goto bad; 1153 if (--argc < 1) goto bad;
1035 mtu = atol(*(++argv)); 1154 socket_mtu = atol(*(++argv));
1036 } 1155 }
1037 else if (strcmp(*argv, "-chain") == 0) 1156 else if (strcmp(*argv, "-chain") == 0)
1038 cert_chain = 1; 1157 cert_chain = 1;
@@ -1074,7 +1193,7 @@ int MAIN(int argc, char *argv[])
1074 } 1193 }
1075 1194
1076#endif 1195#endif
1077#ifndef OPENSSL_NO_JPAKE 1196#if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
1078 else if (strcmp(*argv,"-jpake") == 0) 1197 else if (strcmp(*argv,"-jpake") == 0)
1079 { 1198 {
1080 if (--argc < 1) goto bad; 1199 if (--argc < 1) goto bad;
@@ -1097,6 +1216,26 @@ bad:
1097 goto end; 1216 goto end;
1098 } 1217 }
1099 1218
1219#if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
1220 if (jpake_secret)
1221 {
1222 if (psk_key)
1223 {
1224 BIO_printf(bio_err,
1225 "Can't use JPAKE and PSK together\n");
1226 goto end;
1227 }
1228 psk_identity = "JPAKE";
1229 if (cipher)
1230 {
1231 BIO_printf(bio_err, "JPAKE sets cipher to PSK\n");
1232 goto end;
1233 }
1234 cipher = "PSK";
1235 }
1236
1237#endif
1238
1100 SSL_load_error_strings(); 1239 SSL_load_error_strings();
1101 OpenSSL_add_ssl_algorithms(); 1240 OpenSSL_add_ssl_algorithms();
1102 1241
@@ -1159,6 +1298,8 @@ bad:
1159 } 1298 }
1160#endif 1299#endif
1161 } 1300 }
1301
1302
1162 if (s_dcert_file) 1303 if (s_dcert_file)
1163 { 1304 {
1164 1305
@@ -1253,8 +1394,10 @@ bad:
1253 if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1); 1394 if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1);
1254 1395
1255 if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback); 1396 if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback);
1256 1397 if (no_cache)
1257 SSL_CTX_sess_set_cache_size(ctx,128); 1398 SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
1399 else
1400 SSL_CTX_sess_set_cache_size(ctx,128);
1258 1401
1259#if 0 1402#if 0
1260 if (cipher == NULL) cipher=getenv("SSL_CIPHER"); 1403 if (cipher == NULL) cipher=getenv("SSL_CIPHER");
@@ -1275,8 +1418,9 @@ bad:
1275 ERR_print_errors(bio_err); 1418 ERR_print_errors(bio_err);
1276 /* goto end; */ 1419 /* goto end; */
1277 } 1420 }
1278 store = SSL_CTX_get_cert_store(ctx); 1421 if (vpm)
1279 X509_STORE_set_flags(store, vflags); 1422 SSL_CTX_set1_param(ctx, vpm);
1423
1280#ifndef OPENSSL_NO_TLSEXT 1424#ifndef OPENSSL_NO_TLSEXT
1281 if (s_cert2) 1425 if (s_cert2)
1282 { 1426 {
@@ -1312,28 +1456,28 @@ bad:
1312 if (bugs) SSL_CTX_set_options(ctx2,SSL_OP_ALL); 1456 if (bugs) SSL_CTX_set_options(ctx2,SSL_OP_ALL);
1313 if (hack) SSL_CTX_set_options(ctx2,SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG); 1457 if (hack) SSL_CTX_set_options(ctx2,SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG);
1314 SSL_CTX_set_options(ctx2,off); 1458 SSL_CTX_set_options(ctx2,off);
1315
1316 /* DTLS: partial reads end up discarding unread UDP bytes :-( 1459 /* DTLS: partial reads end up discarding unread UDP bytes :-(
1317 * Setting read ahead solves this problem. 1460 * Setting read ahead solves this problem.
1318 */ 1461 */
1319 if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx2, 1); 1462 if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx2, 1);
1320 1463
1321
1322 if (state) SSL_CTX_set_info_callback(ctx2,apps_ssl_info_callback); 1464 if (state) SSL_CTX_set_info_callback(ctx2,apps_ssl_info_callback);
1323 1465
1324 SSL_CTX_sess_set_cache_size(ctx2,128); 1466 if (no_cache)
1467 SSL_CTX_set_session_cache_mode(ctx2,SSL_SESS_CACHE_OFF);
1468 else
1469 SSL_CTX_sess_set_cache_size(ctx2,128);
1325 1470
1326 if ((!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) || 1471 if ((!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) ||
1327 (!SSL_CTX_set_default_verify_paths(ctx2))) 1472 (!SSL_CTX_set_default_verify_paths(ctx2)))
1328 { 1473 {
1329 ERR_print_errors(bio_err); 1474 ERR_print_errors(bio_err);
1330 } 1475 }
1331 store = SSL_CTX_get_cert_store(ctx2); 1476 if (vpm)
1332 X509_STORE_set_flags(store, vflags); 1477 SSL_CTX_set1_param(ctx2, vpm);
1333 } 1478 }
1334#endif 1479#endif
1335 1480
1336
1337#ifndef OPENSSL_NO_DH 1481#ifndef OPENSSL_NO_DH
1338 if (!no_dhe) 1482 if (!no_dhe)
1339 { 1483 {
@@ -1409,10 +1553,10 @@ bad:
1409 else 1553 else
1410 { 1554 {
1411 BIO_printf(bio_s_out,"Using default temp ECDH parameters\n"); 1555 BIO_printf(bio_s_out,"Using default temp ECDH parameters\n");
1412 ecdh = EC_KEY_new_by_curve_name(NID_sect163r2); 1556 ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
1413 if (ecdh == NULL) 1557 if (ecdh == NULL)
1414 { 1558 {
1415 BIO_printf(bio_err, "unable to create curve (sect163r2)\n"); 1559 BIO_printf(bio_err, "unable to create curve (nistp256)\n");
1416 goto end; 1560 goto end;
1417 } 1561 }
1418 } 1562 }
@@ -1447,7 +1591,7 @@ bad:
1447#ifndef OPENSSL_NO_TLSEXT 1591#ifndef OPENSSL_NO_TLSEXT
1448 if (ctx2) 1592 if (ctx2)
1449 SSL_CTX_set_tmp_rsa_callback(ctx2,tmp_rsa_cb); 1593 SSL_CTX_set_tmp_rsa_callback(ctx2,tmp_rsa_cb);
1450#endif 1594#endif
1451 } 1595 }
1452#else 1596#else
1453 if (!no_tmp_rsa && SSL_CTX_need_tmp_RSA(ctx)) 1597 if (!no_tmp_rsa && SSL_CTX_need_tmp_RSA(ctx))
@@ -1480,11 +1624,34 @@ bad:
1480#endif 1624#endif
1481#endif 1625#endif
1482 1626
1483 if (cipher != NULL) 1627#ifndef OPENSSL_NO_PSK
1484 if(!SSL_CTX_set_cipher_list(ctx,cipher)) { 1628#ifdef OPENSSL_NO_JPAKE
1485 BIO_printf(bio_err,"error setting cipher list\n"); 1629 if (psk_key != NULL)
1630#else
1631 if (psk_key != NULL || jpake_secret)
1632#endif
1633 {
1634 if (s_debug)
1635 BIO_printf(bio_s_out, "PSK key given or JPAKE in use, setting server callback\n");
1636 SSL_CTX_set_psk_server_callback(ctx, psk_server_cb);
1637 }
1638
1639 if (!SSL_CTX_use_psk_identity_hint(ctx, psk_identity_hint))
1640 {
1641 BIO_printf(bio_err,"error setting PSK identity hint to context\n");
1486 ERR_print_errors(bio_err); 1642 ERR_print_errors(bio_err);
1487 goto end; 1643 goto end;
1644 }
1645#endif
1646
1647 if (cipher != NULL)
1648 {
1649 if(!SSL_CTX_set_cipher_list(ctx,cipher))
1650 {
1651 BIO_printf(bio_err,"error setting cipher list\n");
1652 ERR_print_errors(bio_err);
1653 goto end;
1654 }
1488#ifndef OPENSSL_NO_TLSEXT 1655#ifndef OPENSSL_NO_TLSEXT
1489 if (ctx2 && !SSL_CTX_set_cipher_list(ctx2,cipher)) 1656 if (ctx2 && !SSL_CTX_set_cipher_list(ctx2,cipher))
1490 { 1657 {
@@ -1493,11 +1660,15 @@ bad:
1493 goto end; 1660 goto end;
1494 } 1661 }
1495#endif 1662#endif
1496 } 1663 }
1497 SSL_CTX_set_verify(ctx,s_server_verify,verify_callback); 1664 SSL_CTX_set_verify(ctx,s_server_verify,verify_callback);
1498 SSL_CTX_set_session_id_context(ctx,(void*)&s_server_session_id_context, 1665 SSL_CTX_set_session_id_context(ctx,(void*)&s_server_session_id_context,
1499 sizeof s_server_session_id_context); 1666 sizeof s_server_session_id_context);
1500 1667
1668 /* Set DTLS cookie generation and verification callbacks */
1669 SSL_CTX_set_cookie_generate_cb(ctx, generate_cookie_callback);
1670 SSL_CTX_set_cookie_verify_cb(ctx, verify_cookie_callback);
1671
1501#ifndef OPENSSL_NO_TLSEXT 1672#ifndef OPENSSL_NO_TLSEXT
1502 if (ctx2) 1673 if (ctx2)
1503 { 1674 {
@@ -1512,6 +1683,7 @@ bad:
1512 SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp); 1683 SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
1513 } 1684 }
1514#endif 1685#endif
1686
1515 if (CAfile != NULL) 1687 if (CAfile != NULL)
1516 { 1688 {
1517 SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(CAfile)); 1689 SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(CAfile));
@@ -1520,7 +1692,9 @@ bad:
1520 SSL_CTX_set_client_CA_list(ctx2,SSL_load_client_CA_file(CAfile)); 1692 SSL_CTX_set_client_CA_list(ctx2,SSL_load_client_CA_file(CAfile));
1521#endif 1693#endif
1522 } 1694 }
1695
1523 BIO_printf(bio_s_out,"ACCEPT\n"); 1696 BIO_printf(bio_s_out,"ACCEPT\n");
1697 (void)BIO_flush(bio_s_out);
1524 if (www) 1698 if (www)
1525 do_server(port,socket_type,&accept_socket,www_body, context); 1699 do_server(port,socket_type,&accept_socket,www_body, context);
1526 else 1700 else
@@ -1591,8 +1765,11 @@ static int sv_body(char *hostname, int s, unsigned char *context)
1591 unsigned long l; 1765 unsigned long l;
1592 SSL *con=NULL; 1766 SSL *con=NULL;
1593 BIO *sbio; 1767 BIO *sbio;
1594#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) 1768 struct timeval timeout;
1769#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
1595 struct timeval tv; 1770 struct timeval tv;
1771#else
1772 struct timeval *timeoutp;
1596#endif 1773#endif
1597 1774
1598 if ((buf=OPENSSL_malloc(bufsize)) == NULL) 1775 if ((buf=OPENSSL_malloc(bufsize)) == NULL)
@@ -1641,14 +1818,18 @@ static int sv_body(char *hostname, int s, unsigned char *context)
1641 strlen((char *)context)); 1818 strlen((char *)context));
1642 } 1819 }
1643 SSL_clear(con); 1820 SSL_clear(con);
1821#if 0
1822#ifdef TLSEXT_TYPE_opaque_prf_input
1823 SSL_set_tlsext_opaque_prf_input(con, "Test server", 11);
1824#endif
1825#endif
1644 1826
1645 if (SSL_version(con) == DTLS1_VERSION) 1827 if (SSL_version(con) == DTLS1_VERSION)
1646 { 1828 {
1647 struct timeval timeout;
1648 1829
1649 sbio=BIO_new_dgram(s,BIO_NOCLOSE); 1830 sbio=BIO_new_dgram(s,BIO_NOCLOSE);
1650 1831
1651 if ( enable_timeouts) 1832 if (enable_timeouts)
1652 { 1833 {
1653 timeout.tv_sec = 0; 1834 timeout.tv_sec = 0;
1654 timeout.tv_usec = DGRAM_RCV_TIMEOUT; 1835 timeout.tv_usec = DGRAM_RCV_TIMEOUT;
@@ -1659,11 +1840,10 @@ static int sv_body(char *hostname, int s, unsigned char *context)
1659 BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout); 1840 BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
1660 } 1841 }
1661 1842
1662 1843 if (socket_mtu > 28)
1663 if ( mtu > 0)
1664 { 1844 {
1665 SSL_set_options(con, SSL_OP_NO_QUERY_MTU); 1845 SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
1666 SSL_set_mtu(con, mtu); 1846 SSL_set_mtu(con, socket_mtu - 28);
1667 } 1847 }
1668 else 1848 else
1669 /* want to do MTU discovery */ 1849 /* want to do MTU discovery */
@@ -1722,10 +1902,10 @@ static int sv_body(char *hostname, int s, unsigned char *context)
1722 if (!read_from_sslcon) 1902 if (!read_from_sslcon)
1723 { 1903 {
1724 FD_ZERO(&readfds); 1904 FD_ZERO(&readfds);
1725#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE) 1905#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE) && !defined(OPENSSL_SYS_BEOS_R5)
1726 FD_SET(fileno(stdin),&readfds); 1906 openssl_fdset(fileno(stdin),&readfds);
1727#endif 1907#endif
1728 FD_SET(s,&readfds); 1908 openssl_fdset(s,&readfds);
1729 /* Note: under VMS with SOCKETSHR the second parameter is 1909 /* Note: under VMS with SOCKETSHR the second parameter is
1730 * currently of type (int *) whereas under other systems 1910 * currently of type (int *) whereas under other systems
1731 * it is (void *) if you don't have a cast it will choke 1911 * it is (void *) if you don't have a cast it will choke
@@ -1744,8 +1924,31 @@ static int sv_body(char *hostname, int s, unsigned char *context)
1744 if((i < 0) || (!i && !_kbhit() ) )continue; 1924 if((i < 0) || (!i && !_kbhit() ) )continue;
1745 if(_kbhit()) 1925 if(_kbhit())
1746 read_from_terminal = 1; 1926 read_from_terminal = 1;
1927#elif defined(OPENSSL_SYS_BEOS_R5)
1928 /* Under BeOS-R5 the situation is similar to DOS */
1929 tv.tv_sec = 1;
1930 tv.tv_usec = 0;
1931 (void)fcntl(fileno(stdin), F_SETFL, O_NONBLOCK);
1932 i=select(width,(void *)&readfds,NULL,NULL,&tv);
1933 if ((i < 0) || (!i && read(fileno(stdin), buf, 0) < 0))
1934 continue;
1935 if (read(fileno(stdin), buf, 0) >= 0)
1936 read_from_terminal = 1;
1937 (void)fcntl(fileno(stdin), F_SETFL, 0);
1747#else 1938#else
1748 i=select(width,(void *)&readfds,NULL,NULL,NULL); 1939 if ((SSL_version(con) == DTLS1_VERSION) &&
1940 DTLSv1_get_timeout(con, &timeout))
1941 timeoutp = &timeout;
1942 else
1943 timeoutp = NULL;
1944
1945 i=select(width,(void *)&readfds,NULL,NULL,timeoutp);
1946
1947 if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0)
1948 {
1949 BIO_printf(bio_err,"TIMEOUT occured\n");
1950 }
1951
1749 if (i <= 0) continue; 1952 if (i <= 0) continue;
1750 if (FD_ISSET(fileno(stdin),&readfds)) 1953 if (FD_ISSET(fileno(stdin),&readfds))
1751 read_from_terminal = 1; 1954 read_from_terminal = 1;
@@ -1759,7 +1962,7 @@ static int sv_body(char *hostname, int s, unsigned char *context)
1759 { 1962 {
1760 int j, lf_num; 1963 int j, lf_num;
1761 1964
1762 i=read(fileno(stdin), buf, bufsize/2); 1965 i=raw_read_stdin(buf, bufsize/2);
1763 lf_num = 0; 1966 lf_num = 0;
1764 /* both loops are skipped when i <= 0 */ 1967 /* both loops are skipped when i <= 0 */
1765 for (j = 0; j < i; j++) 1968 for (j = 0; j < i; j++)
@@ -1778,7 +1981,7 @@ static int sv_body(char *hostname, int s, unsigned char *context)
1778 assert(lf_num == 0); 1981 assert(lf_num == 0);
1779 } 1982 }
1780 else 1983 else
1781 i=read(fileno(stdin),buf,bufsize); 1984 i=raw_read_stdin(buf,bufsize);
1782 if (!s_quiet) 1985 if (!s_quiet)
1783 { 1986 {
1784 if ((i <= 0) || (buf[0] == 'Q')) 1987 if ((i <= 0) || (buf[0] == 'Q'))
@@ -1798,6 +2001,7 @@ static int sv_body(char *hostname, int s, unsigned char *context)
1798 ret= -11;*/ 2001 ret= -11;*/
1799 goto err; 2002 goto err;
1800 } 2003 }
2004
1801 if ((buf[0] == 'r') && 2005 if ((buf[0] == 'r') &&
1802 ((buf[1] == '\n') || (buf[1] == '\r'))) 2006 ((buf[1] == '\n') || (buf[1] == '\r')))
1803 { 2007 {
@@ -1894,7 +2098,7 @@ again:
1894#ifdef CHARSET_EBCDIC 2098#ifdef CHARSET_EBCDIC
1895 ascii2ebcdic(buf,buf,i); 2099 ascii2ebcdic(buf,buf,i);
1896#endif 2100#endif
1897 write(fileno(stdout),buf, 2101 raw_write_stdout(buf,
1898 (unsigned int)i); 2102 (unsigned int)i);
1899 if (SSL_pending(con)) goto again; 2103 if (SSL_pending(con)) goto again;
1900 break; 2104 break;
@@ -1918,13 +2122,16 @@ again:
1918 } 2122 }
1919 } 2123 }
1920err: 2124err:
1921 BIO_printf(bio_s_out,"shutting down SSL\n"); 2125 if (con != NULL)
2126 {
2127 BIO_printf(bio_s_out,"shutting down SSL\n");
1922#if 1 2128#if 1
1923 SSL_set_shutdown(con,SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); 2129 SSL_set_shutdown(con,SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
1924#else 2130#else
1925 SSL_shutdown(con); 2131 SSL_shutdown(con);
1926#endif 2132#endif
1927 if (con != NULL) SSL_free(con); 2133 SSL_free(con);
2134 }
1928 BIO_printf(bio_s_out,"CONNECTION CLOSED\n"); 2135 BIO_printf(bio_s_out,"CONNECTION CLOSED\n");
1929 if (buf != NULL) 2136 if (buf != NULL)
1930 { 2137 {
@@ -2002,6 +2209,8 @@ static int init_ssl_connection(SSL *con)
2002 con->kssl_ctx->client_princ); 2209 con->kssl_ctx->client_princ);
2003 } 2210 }
2004#endif /* OPENSSL_NO_KRB5 */ 2211#endif /* OPENSSL_NO_KRB5 */
2212 BIO_printf(bio_s_out, "Secure Renegotiation IS%s supported\n",
2213 SSL_get_secure_renegotiation_support(con) ? "" : " NOT");
2005 return(1); 2214 return(1);
2006 } 2215 }
2007 2216
@@ -2046,9 +2255,8 @@ static int www_body(char *hostname, int s, unsigned char *context)
2046 char *buf=NULL; 2255 char *buf=NULL;
2047 int ret=1; 2256 int ret=1;
2048 int i,j,k,blank,dot; 2257 int i,j,k,blank,dot;
2049 struct stat st_buf;
2050 SSL *con; 2258 SSL *con;
2051 SSL_CIPHER *c; 2259 const SSL_CIPHER *c;
2052 BIO *io,*ssl_bio,*sbio; 2260 BIO *io,*ssl_bio,*sbio;
2053 long total_bytes; 2261 long total_bytes;
2054 2262
@@ -2318,14 +2526,7 @@ static int www_body(char *hostname, int s, unsigned char *context)
2318#endif 2526#endif
2319 2527
2320 /* if a directory, do the index thang */ 2528 /* if a directory, do the index thang */
2321 if (stat(p,&st_buf) < 0) 2529 if (app_isdir(p)>0)
2322 {
2323 BIO_puts(io,text);
2324 BIO_printf(io,"Error accessing '%s'\r\n",p);
2325 ERR_print_errors(io);
2326 break;
2327 }
2328 if (S_ISDIR(st_buf.st_mode))
2329 { 2530 {
2330#if 0 /* must check buffer size */ 2531#if 0 /* must check buffer size */
2331 strcat(p,"/index.html"); 2532 strcat(p,"/index.html");
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-26 17:10:55 +0000