path: root/src/usr.bin/openssl/s_server.c
Commit message  [Author, Age, Files, Lines]

* Merge s_apps.h into apps.h  [tb, 2025-01-02, 1 file, -3/+1]
  discussed with jsing

* openssl(1) doesn't need 5 .h files: merge timeouts.h into apps.h  [tb, 2025-01-02, 1 file, -2/+1]
  This is an extra header for two stupid constants... discussed with jsing

* Garbage collect the last users of SSL_set_debug(3)  [tb, 2023-12-29, 1 file, -3/+1]
  This undocumented, incomplete public function has never done anything useful. It will be removed from libssl. Removing it from openssl(1) clears the way for this. ok jsing

* Bring back no_tls1 and no_tls1_1 as undocumented silently discarded options  [beck, 2023-07-03, 1 file, -7/+11]
  While I'm here, change the no_ssl2 and no_ssl3 options to use OPTION_DISCARD as well instead of continuing to set a no-op option flag. ok jsing@ tb@

* Remove the tls1.0 and 1.1 related options from the openssl(1) toolkit  [beck, 2023-07-03, 1 file, -67/+5]
  ok tb@

* Rename struct ${app}_config to plain cfg  [tb, 2023-03-06, 1 file, -280/+280]
  All the structs are static and we need to reach into them many times. Having a shorter name is more concise and results in less visual clutter. It also avoids many overlong lines and we will be able to get rid of some unfortunate line wrapping down the road. Discussed with jsing

* Remove the legacy interactive mode from openssl(1).  [joshua, 2022-11-11, 1 file, -6/+4]
  This removes the legacy interactive mode from openssl(1) since it is rarely used, complicates the code, and has also been removed from OpenSSL in version 3.x.x. ok tb@ jsing@

* Clean up a bunch of dead code in s_server.c and s_socket.c  [tb, 2021-12-06, 1 file, -5/+5]
  jsg's analysis tool flagged a potential double free in do_server(). While this looks like a false positive, we can clean this code up a little: the host name passed to the callbacks isn't used by either sv_body() or www_body(), so it can be made local to do_accept() (an extra variable would not even be needed). Simplify the callbacks' signatures accordingly. Remove some commented out linger code that would never be used again anyway. ok inoguchi jsg

* Various minor adjustments to make openssl(1) compile with opaque  [tb, 2021-10-31, 1 file, -5/+9]
  structs in X509.

* Fix some whitespace issues, some pointed out by jsing, some found in  [tb, 2021-10-23, 1 file, -4/+4]
  the vicinity.

* Prepare s_server for opaque structs in libcrypto  [tb, 2021-10-23, 1 file, -8/+13]
  ok beck jsing

* Remove an unused variable and a pointless label.  [tb, 2021-09-23, 1 file, -7/+1]
  ok inoguchi

* Start naccept .desc with a capital  [tb, 2021-08-29, 1 file, -2/+2]
  noted by inoguchi

* Implement -naccept in the s_server.  [tb, 2021-08-29, 1 file, -4/+15]
  doc fixes/ok jmc ok beck

* Read ahead is now enforced for DTLS - remove workarounds.  [jsing, 2021-03-17, 1 file, -13/+1]
  ok inoguchi@ tb@

* Use consistent s_server_opt_ prefix.  [jsing, 2021-03-17, 1 file, -9/+9]

* Add DTLSv1.2 support to openssl(1) s_client/s_server.  [jsing, 2021-03-17, 1 file, -17/+57]
  ok inoguchi@ tb@

* Add -[46] nops for compatibility with the OpenSSL s_server  [tb, 2020-10-02, 1 file, -1/+9]
  On OpenBSD it's necessary to use the eopenssl11 s_server with either -4 or -6 to choose an address family. I often want to try something with an OpenSSL server and then test the same thing with LibreSSL or vice versa. Adding and removing -4s on top of editing the command is annoying and distracting. This commit teaches our s_server to ignore -4 and -6 and thus makes commands that work with eopenssl11 more likely to work with openssl(1). These options are deliberately undocumented and don't show up in help listings. ok bcook inoguchi jsing

* Wrap long lines s_server.c  [inoguchi, 2020-07-27, 1 file, -67/+130]

* Add function prototype and move sub functions to bottom  [inoguchi, 2020-07-27, 1 file, -198/+197]

* Remove space between '*' and pointer variable in s_server.c  [inoguchi, 2020-07-27, 1 file, -12/+12]

* Remove 's_' prefix from member of s_server_config struct  [inoguchi, 2020-07-27, 1 file, -110/+110]

* Convert openssl(1) s_server option handling  [inoguchi, 2020-07-27, 1 file, -568/+929]
  ok and comments from jsing@

* While the second SSL_CTX in this code is only used on servername  [tb, 2020-05-23, 1 file, -1/+2]
  callback, so its mode is not used to update the ssl's mode, it seems more appropriate to clear the SSL_MODE_AUTO_RETRY flag on it as well. ok jsing

* In ssl_lib.c revision 1.217, jsing enabled SSL_MODE_AUTO_RETRY by  [tb, 2020-05-23, 1 file, -1/+3]
  default. To avoid hanging on a blocking read, we need to clear the SSL_MODE_AUTO_RETRY flag in the s_client and the s_server. ok beck inoguchi jsing

* Avoid an out-of-bounds array access in the s_server.  [tb, 2020-05-23, 1 file, -1/+3]
  It can be triggered by sending a line to stdin while no connection is open and then connecting a client. The first SSL_write() fails, sends SSL_ERROR_WANT_* and then causes a segfault deep down in the tls stack when accessing &(buf[-1]). ok beck inoguchi

* Add -tls1_3 and -no_tls1_3 options to openssl(1) s_server  [inoguchi, 2020-05-13, 1 file, -6/+28]
  - Add -tls1_3 and -no_tls1_3 to openssl(1) s_server
  - Stop using version pinned methods, instead setting the min and max protocol versions
  ok jsing@ tb@

* Conditionalize sleep-before-retry in server code to only be done when  [beck, 2020-05-10, 1 file, -3/+5]
  debug is on. otherwise, just retry. Fixes problems this creates in testing. ok jsing@ tb@

* Add -groups option to openssl(1) s_server.  [jsing, 2020-04-19, 1 file, -33/+29]
  This allows supported EC groups to be configured, which will also control which TLSv1.3 key shares we'll accept. While here, deprecate the rather useless -named_curve option, which is effectively the same as -groups with a single group. Also stop setting a single default group of P-256 via SSL_CTX_set_tmp_ecdh() - use the library defaults instead. ok beck@ inoguchi@

* Avoid a path traversal bug in s_server on Windows.  [bcook, 2019-10-04, 1 file, -3/+3]
  openssl s_server has an arbitrary read vulnerability on Windows when run with the -WWW or -HTTP options, due to an incomplete path check logic. Thanks to Jobert Abma for reporting. ok tb@

* When system calls indicate an error they return -1, not some arbitrary  [deraadt, 2019-06-28, 1 file, -2/+2]
  value < 0. errno is only updated in this case. Change all (most?) callers of syscalls to follow this better, and let's see if this strictness helps us in the future.

* Indent labels with a single space so that diff prototypes are more useful.  [jsing, 2018-02-07, 1 file, -9/+9]

* Remove guards around *_free() calls since these functions handle NULL.  [jsing, 2018-02-07, 1 file, -21/+11]

* Initialize variables to avoid compiler warnings  [inoguchi, 2018-01-28, 1 file, -2/+2]
  ok jsing@

* Remove NPN support - the -nextprotoneg options now become no-ops.  [jsing, 2017-08-12, 1 file, -47/+5]
  ok bcook@ beck@ doug@

* use freezero() instead of 4-line conditional explicit_bzero + free  [deraadt, 2017-04-18, 1 file, -5/+2]

* rearrange pledge promises into the canonical order; easier to eyeball  [deraadt, 2017-01-20, 1 file, -2/+2]

* remove NULL-check before free()  [mmcc, 2015-12-23, 1 file, -3/+2]

* s_server also needs DNS; reported by tb@  [jca, 2015-12-01, 1 file, -2/+2]

* Exit if a pledge call fails in non-interactive mode.  [doug, 2015-10-17, 1 file, -2/+4]
  ok semarie@

* add "tty" for several subcommands of openssl  [semarie, 2015-10-17, 1 file, -2/+2]
  it is needed in order to let libssl UI_* functions play with echo on/off when asking for password on terminal. passwd subcommand needs additional "wpath cpath" in order to let it call fopen("/dev/tty", "w") (O_WRONLY with O_CREAT | O_TRUNC). problem reported by several with and ok doug@

* Initial support for pledges in openssl(1) commands.  [doug, 2015-10-10, 1 file, -1/+7]
  openssl(1) has two mechanisms for operating: either a single execution of one command (looking at argv[0] or argv[1]) or as an interactive session that may execute any number of commands. We already have a top level pledge that should cover all commands and that's what interactive mode must continue using. However, we can tighten up the pledges when only executing one command. This is an initial stab at support and may contain regressions. Most commands only need "stdio rpath wpath cpath". The pledges could be further restricted by evaluating the situation after parsing options. deraadt@ and beck@ are roughly fine with this approach.

* these do not use ioctl.h  [deraadt, 2015-10-06, 1 file, -2/+1]

* kill evil comment  [beck, 2015-09-11, 1 file, -3/+1]
  ok deraadt@

* Remove engine command and parameters from openssl(1).  [bcook, 2015-09-11, 1 file, -31/+9]
  We do not have any builtin or dynamic engines, meaning openssl(1) has no way to use the engine command or parameters at all. ok jsing@

* Correct spelling of OPENSSL_cleanse.  [jsing, 2015-09-10, 1 file, -2/+2]

* Remove all duplicate prototypes for *_main functions (these are already  [jsing, 2015-08-22, 1 file, -3/+1]
  provided by progs.h). Also, move the FUNCTION type (and flags) into openssl.c since that is the only place of use. Lastly, remove pointless 'extern' from the prototypes and use char **argv instead of char *argv[] (the former is used elsewhere). ok deraadt@ doug@

* Avoid possible NULL deref in openssl(1) s_server.  [doug, 2015-07-20, 1 file, -2/+5]
  Fixes Coverity issue 78873. ok miod@

* Remove SSLv3 support from openssl(1) s_server.  [doug, 2015-07-17, 1 file, -7/+2]
  ok miod@ bcook@ beck@

* Remove workaround for TLS padding bug from SSLeay days.  [doug, 2015-07-17, 1 file, -5/+1]
  OpenSSL doesn't remember which clients were impacted and the functionality has been broken in their stable releases for 2 years. Based on OpenSSL commit a8e4ac6a2fe67c19672ecf0c6aeafa15801ce3a5. ok jsing@