diff options
Diffstat (limited to 'src/usr.bin/openssl/s_server.c')
| -rw-r--r-- | src/usr.bin/openssl/s_server.c | 62 |
1 files changed, 29 insertions, 33 deletions
diff --git a/src/usr.bin/openssl/s_server.c b/src/usr.bin/openssl/s_server.c index 2026e72942..65cd36c54e 100644 --- a/src/usr.bin/openssl/s_server.c +++ b/src/usr.bin/openssl/s_server.c | |||
| @@ -1,4 +1,4 @@ | |||
| 1 | /* $OpenBSD: s_server.c,v 1.32 2019/10/04 09:47:34 bcook Exp $ */ | 1 | /* $OpenBSD: s_server.c,v 1.33 2020/04/19 17:05:55 jsing Exp $ */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) | 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. | 3 | * All rights reserved. |
| 4 | * | 4 | * |
| @@ -288,9 +288,6 @@ sv_usage(void) | |||
| 288 | BIO_printf(bio_err, " -dpass arg - second private key file pass phrase source\n"); | 288 | BIO_printf(bio_err, " -dpass arg - second private key file pass phrase source\n"); |
| 289 | BIO_printf(bio_err, " -dhparam arg - DH parameter file to use, in cert file if not specified\n"); | 289 | BIO_printf(bio_err, " -dhparam arg - DH parameter file to use, in cert file if not specified\n"); |
| 290 | BIO_printf(bio_err, " or a default set of parameters is used\n"); | 290 | BIO_printf(bio_err, " or a default set of parameters is used\n"); |
| 291 | BIO_printf(bio_err, " -named_curve arg - Elliptic curve name to use for ephemeral ECDH keys.\n" \ | ||
| 292 | " Use \"openssl ecparam -list_curves\" for all names\n" \ | ||
| 293 | " (default is nistp256).\n"); | ||
| 294 | BIO_printf(bio_err, " -nbio - Run with non-blocking IO\n"); | 291 | BIO_printf(bio_err, " -nbio - Run with non-blocking IO\n"); |
| 295 | BIO_printf(bio_err, " -nbio_test - test with the non-blocking test bio\n"); | 292 | BIO_printf(bio_err, " -nbio_test - test with the non-blocking test bio\n"); |
| 296 | BIO_printf(bio_err, " -crlf - convert LF from terminal into CRLF\n"); | 293 | BIO_printf(bio_err, " -crlf - convert LF from terminal into CRLF\n"); |
| @@ -333,7 +330,8 @@ sv_usage(void) | |||
| 333 | BIO_printf(bio_err, " not specified (default is %s)\n", TEST_CERT2); | 330 | BIO_printf(bio_err, " not specified (default is %s)\n", TEST_CERT2); |
| 334 | BIO_printf(bio_err, " -tlsextdebug - hex dump of all TLS extensions received\n"); | 331 | BIO_printf(bio_err, " -tlsextdebug - hex dump of all TLS extensions received\n"); |
| 335 | BIO_printf(bio_err, " -no_ticket - disable use of RFC4507bis session tickets\n"); | 332 | BIO_printf(bio_err, " -no_ticket - disable use of RFC4507bis session tickets\n"); |
| 336 | BIO_printf(bio_err," -alpn arg - set the advertised protocols for the ALPN extension (comma-separated list)\n"); | 333 | BIO_printf(bio_err, " -alpn arg - set the advertised protocols for the ALPN extension (comma-separated list)\n"); |
| 334 | BIO_printf(bio_err, " -groups arg - specify EC groups (colon-separated list)\n"); | ||
| 337 | #ifndef OPENSSL_NO_SRTP | 335 | #ifndef OPENSSL_NO_SRTP |
| 338 | BIO_printf(bio_err, " -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n"); | 336 | BIO_printf(bio_err, " -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n"); |
| 339 | #endif | 337 | #endif |
| @@ -581,6 +579,7 @@ s_server_main(int argc, char *argv[]) | |||
| 581 | X509 *s_cert2 = NULL; | 579 | X509 *s_cert2 = NULL; |
| 582 | tlsextctx tlsextcbp = {NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING}; | 580 | tlsextctx tlsextcbp = {NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING}; |
| 583 | const char *alpn_in = NULL; | 581 | const char *alpn_in = NULL; |
| 582 | const char *groups_in = NULL; | ||
| 584 | tlsextalpnctx alpn_ctx = { NULL, 0 }; | 583 | tlsextalpnctx alpn_ctx = { NULL, 0 }; |
| 585 | 584 | ||
| 586 | if (single_execution) { | 585 | if (single_execution) { |
| @@ -656,13 +655,11 @@ s_server_main(int argc, char *argv[]) | |||
| 656 | if (--argc < 1) | 655 | if (--argc < 1) |
| 657 | goto bad; | 656 | goto bad; |
| 658 | dhfile = *(++argv); | 657 | dhfile = *(++argv); |
| 659 | } | 658 | } else if (strcmp(*argv, "-named_curve") == 0) { |
| 660 | else if (strcmp(*argv, "-named_curve") == 0) { | ||
| 661 | if (--argc < 1) | 659 | if (--argc < 1) |
| 662 | goto bad; | 660 | goto bad; |
| 663 | named_curve = *(++argv); | 661 | named_curve = *(++argv); |
| 664 | } | 662 | } else if (strcmp(*argv, "-dcertform") == 0) { |
| 665 | else if (strcmp(*argv, "-dcertform") == 0) { | ||
| 666 | if (--argc < 1) | 663 | if (--argc < 1) |
| 667 | goto bad; | 664 | goto bad; |
| 668 | s_dcert_format = str2fmt(*(++argv)); | 665 | s_dcert_format = str2fmt(*(++argv)); |
| @@ -831,6 +828,10 @@ s_server_main(int argc, char *argv[]) | |||
| 831 | if (--argc < 1) | 828 | if (--argc < 1) |
| 832 | goto bad; | 829 | goto bad; |
| 833 | alpn_in = *(++argv); | 830 | alpn_in = *(++argv); |
| 831 | } else if (strcmp(*argv, "-groups") == 0) { | ||
| 832 | if (--argc < 1) | ||
| 833 | goto bad; | ||
| 834 | groups_in = *(++argv); | ||
| 834 | } | 835 | } |
| 835 | #ifndef OPENSSL_NO_SRTP | 836 | #ifndef OPENSSL_NO_SRTP |
| 836 | else if (strcmp(*argv, "-use_srtp") == 0) { | 837 | else if (strcmp(*argv, "-use_srtp") == 0) { |
| @@ -1055,6 +1056,14 @@ s_server_main(int argc, char *argv[]) | |||
| 1055 | if (alpn_ctx.data) | 1056 | if (alpn_ctx.data) |
| 1056 | SSL_CTX_set_alpn_select_cb(ctx, alpn_cb, &alpn_ctx); | 1057 | SSL_CTX_set_alpn_select_cb(ctx, alpn_cb, &alpn_ctx); |
| 1057 | 1058 | ||
| 1059 | if (groups_in != NULL) { | ||
| 1060 | if (SSL_CTX_set1_groups_list(ctx, groups_in) != 1) { | ||
| 1061 | BIO_printf(bio_err, "Failed to set groups '%s'\n", | ||
| 1062 | groups_in); | ||
| 1063 | goto end; | ||
| 1064 | } | ||
| 1065 | } | ||
| 1066 | |||
| 1058 | #ifndef OPENSSL_NO_DH | 1067 | #ifndef OPENSSL_NO_DH |
| 1059 | if (!no_dhe) { | 1068 | if (!no_dhe) { |
| 1060 | DH *dh = NULL; | 1069 | DH *dh = NULL; |
| @@ -1108,34 +1117,21 @@ s_server_main(int argc, char *argv[]) | |||
| 1108 | } | 1117 | } |
| 1109 | #endif | 1118 | #endif |
| 1110 | 1119 | ||
| 1111 | if (!no_ecdhe) { | 1120 | if (!no_ecdhe && named_curve != NULL) { |
| 1112 | EC_KEY *ecdh = NULL; | 1121 | EC_KEY *ecdh = NULL; |
| 1122 | int nid; | ||
| 1113 | 1123 | ||
| 1114 | if (named_curve) { | 1124 | if ((nid = OBJ_sn2nid(named_curve)) == 0) { |
| 1115 | int nid = OBJ_sn2nid(named_curve); | 1125 | BIO_printf(bio_err, "unknown curve name (%s)\n", |
| 1116 | 1126 | named_curve); | |
| 1117 | if (nid == 0) { | 1127 | goto end; |
| 1118 | BIO_printf(bio_err, "unknown curve name (%s)\n", | ||
| 1119 | named_curve); | ||
| 1120 | goto end; | ||
| 1121 | } | ||
| 1122 | ecdh = EC_KEY_new_by_curve_name(nid); | ||
| 1123 | if (ecdh == NULL) { | ||
| 1124 | BIO_printf(bio_err, "unable to create curve (%s)\n", | ||
| 1125 | named_curve); | ||
| 1126 | goto end; | ||
| 1127 | } | ||
| 1128 | } | 1128 | } |
| 1129 | if (ecdh != NULL) { | 1129 | if ((ecdh = EC_KEY_new_by_curve_name(nid)) == NULL) { |
| 1130 | BIO_printf(bio_s_out, "Setting temp ECDH parameters\n"); | 1130 | BIO_printf(bio_err, "unable to create curve (%s)\n", |
| 1131 | } else { | 1131 | named_curve); |
| 1132 | BIO_printf(bio_s_out, "Using default temp ECDH parameters\n"); | 1132 | goto end; |
| 1133 | ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); | ||
| 1134 | if (ecdh == NULL) { | ||
| 1135 | BIO_printf(bio_err, "unable to create curve (nistp256)\n"); | ||
| 1136 | goto end; | ||
| 1137 | } | ||
| 1138 | } | 1133 | } |
| 1134 | BIO_printf(bio_s_out, "Setting temp ECDH parameters\n"); | ||
| 1139 | (void) BIO_flush(bio_s_out); | 1135 | (void) BIO_flush(bio_s_out); |
| 1140 | 1136 | ||
| 1141 | SSL_CTX_set_tmp_ecdh(ctx, ecdh); | 1137 | SSL_CTX_set_tmp_ecdh(ctx, ecdh); |