Add functions to return FIPS module version.

[oweals/openssl.git] / apps / s_server.c

diff --git a/apps/s_server.c b/apps/s_server.c
index 923338402893d87a996186f9b8576b5dfe3aef1e..17ee441009f352dcc032dfcde49e392ca856acb9 100644 (file)
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -503,6 +503,7 @@ static void sv_usage(void)
 #endif
        BIO_printf(bio_err," -ssl2         - Just talk SSLv2\n");
        BIO_printf(bio_err," -ssl3         - Just talk SSLv3\n");
+       BIO_printf(bio_err," -tls1_2       - Just talk TLSv1.2\n");
        BIO_printf(bio_err," -tls1_1       - Just talk TLSv1.1\n");
        BIO_printf(bio_err," -tls1         - Just talk TLSv1\n");
        BIO_printf(bio_err," -dtls1        - Just talk DTLSv1\n");
@@ -513,6 +514,7 @@ static void sv_usage(void)
        BIO_printf(bio_err," -no_ssl3      - Just disable SSLv3\n");
        BIO_printf(bio_err," -no_tls1      - Just disable TLSv1\n");
        BIO_printf(bio_err," -no_tls1_1    - Just disable TLSv1.1\n");
+       BIO_printf(bio_err," -no_tls1_2    - Just disable TLSv1.2\n");
 #ifndef OPENSSL_NO_DH
        BIO_printf(bio_err," -no_dhe       - Disable ephemeral DH\n");
 #endif
@@ -1226,6 +1228,8 @@ int MAIN(int argc, char *argv[])
                        { off|=SSL_OP_NO_SSLv2; }
                else if (strcmp(*argv,"-no_ssl3") == 0)
                        { off|=SSL_OP_NO_SSLv3; }
+               else if (strcmp(*argv,"-no_tls1_2") == 0)
+                       { off|=SSL_OP_NO_TLSv1_2; }
                else if (strcmp(*argv,"-no_tls1_1") == 0)
                        { off|=SSL_OP_NO_TLSv1_1; }
                else if (strcmp(*argv,"-no_tls1") == 0)
@@ -1245,6 +1249,8 @@ int MAIN(int argc, char *argv[])
                        { meth=SSLv3_server_method(); }
 #endif
 #ifndef OPENSSL_NO_TLS1
+               else if (strcmp(*argv,"-tls1_2") == 0)
+                       { meth=TLSv1_2_server_method(); }
                else if (strcmp(*argv,"-tls1_1") == 0)
                        { meth=TLSv1_1_server_method(); }
                else if (strcmp(*argv,"-tls1") == 0)
@@ -1520,6 +1526,9 @@ bad:
        SSL_CTX_set_quiet_shutdown(ctx,1);
        if (bugs) SSL_CTX_set_options(ctx,SSL_OP_ALL);
        if (hack) SSL_CTX_set_options(ctx,SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG);
+       /* HACK while TLS v1.2 is disabled by default */
+       if (!(off & SSL_OP_NO_TLSv1_2))
+               SSL_CTX_clear_options(ctx, SSL_OP_NO_TLSv1_2);
        SSL_CTX_set_options(ctx,off);
        /* DTLS: partial reads end up discarding unread UDP bytes :-( 
         * Setting read ahead solves this problem.
@@ -1934,6 +1943,9 @@ static int sv_body(char *hostname, int s, unsigned char *context)
        unsigned long l;
        SSL *con=NULL;
        BIO *sbio;
+#ifndef OPENSSL_NO_KRB5
+       KSSL_CTX *kctx;
+#endif
        struct timeval timeout;
 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
        struct timeval tv;
@@ -1974,12 +1986,11 @@ static int sv_body(char *hostname, int s, unsigned char *context)
                }
 #endif
 #ifndef OPENSSL_NO_KRB5
-               if ((con->kssl_ctx = kssl_ctx_new()) != NULL)
+               if ((kctx = kssl_ctx_new()) != NULL)
                         {
-                        kssl_ctx_setstring(con->kssl_ctx, KSSL_SERVICE,
-                                                               KRB5SVC);
-                        kssl_ctx_setstring(con->kssl_ctx, KSSL_KEYTAB,
-                                                               KRB5KEYTAB);
+                       SSL_set0_kssl_ctx(con, kctx);
+                        kssl_ctx_setstring(kctx, KSSL_SERVICE, KRB5SVC);
+                        kssl_ctx_setstring(kctx, KSSL_KEYTAB, KRB5KEYTAB);
                         }
 #endif /* OPENSSL_NO_KRB5 */
                if(context)
@@ -2332,6 +2343,9 @@ static int init_ssl_connection(SSL *con)
        const unsigned char *next_proto_neg;
        unsigned next_proto_neg_len;
 #endif
+#ifndef OPENSSL_NO_KRB5
+       char *client_princ;
+#endif
 
        if ((i=SSL_accept(con)) <= 0)
                {
@@ -2385,10 +2399,11 @@ static int init_ssl_connection(SSL *con)
                TLS1_FLAGS_TLS_PADDING_BUG)
                BIO_printf(bio_s_out,"Peer has incorrect TLSv1 block padding\n");
 #ifndef OPENSSL_NO_KRB5
-       if (con->kssl_ctx->client_princ != NULL)
+       client_princ = kssl_ctx_get0_client_princ(SSL_get0_kssl_ctx(con));
+       if (client_princ != NULL)
                {
                BIO_printf(bio_s_out,"Kerberos peer principal is %s\n",
-                       con->kssl_ctx->client_princ);
+                                                               client_princ);
                }
 #endif /* OPENSSL_NO_KRB5 */
        BIO_printf(bio_s_out, "Secure Renegotiation IS%s supported\n",
@@ -2440,6 +2455,9 @@ static int www_body(char *hostname, int s, unsigned char *context)
        SSL *con;
        const SSL_CIPHER *c;
        BIO *io,*ssl_bio,*sbio;
+#ifndef OPENSSL_NO_KRB5
+       KSSL_CTX *kctx;
+#endif
 
        buf=OPENSSL_malloc(bufsize);
        if (buf == NULL) return(0);
@@ -2471,10 +2489,10 @@ static int www_body(char *hostname, int s, unsigned char *context)
                        }
 #endif
 #ifndef OPENSSL_NO_KRB5
-       if ((con->kssl_ctx = kssl_ctx_new()) != NULL)
+       if ((kctx = kssl_ctx_new()) != NULL)
                {
-               kssl_ctx_setstring(con->kssl_ctx, KSSL_SERVICE, KRB5SVC);
-               kssl_ctx_setstring(con->kssl_ctx, KSSL_KEYTAB, KRB5KEYTAB);
+               kssl_ctx_setstring(kctx, KSSL_SERVICE, KRB5SVC);
+               kssl_ctx_setstring(kctx, KSSL_KEYTAB, KRB5KEYTAB);
                }
 #endif /* OPENSSL_NO_KRB5 */
        if(context) SSL_set_session_id_context(con, context,