make update

[oweals/openssl.git] / apps / s_server.c
diff --git a/apps/s_server.c b/apps/s_server.c

index 43f824b90d9f0301500c48acb00bb88df60d33fb..1f1f317d419ac2df29be38117bdd03994fbfb21a 100644 (file)
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -284,7 +284,9 @@ static const char *session_id_prefix=NULL;
  
  static int enable_timeouts = 0;
  static long socket_mtu;
+#ifndef OPENSSL_NO_DTLS1
  static int cert_chain = 0;
+#endif
  
  
  #ifdef MONOLITH
@@ -402,6 +404,7 @@ static void sv_usage(void)
         BIO_printf(bio_err,"                 not specified (default is %s)\n",TEST_CERT2);
         BIO_printf(bio_err," -tlsextdebug  - hex dump of all TLS extensions received\n");
         BIO_printf(bio_err," -no_ticket    - disable use of RFC4507bis session tickets\n");
+       BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
  #endif
         }
  
@@ -769,6 +772,7 @@ int MAIN(int argc, char *argv[])
         int s_dcert_format = FORMAT_PEM, s_dkey_format = FORMAT_PEM;
         X509 *s_cert = NULL, *s_dcert = NULL;
         EVP_PKEY *s_key = NULL, *s_dkey = NULL;
+       int no_cache = 0;
  #ifndef OPENSSL_NO_TLSEXT
         EVP_PKEY *s_key2 = NULL;
         X509 *s_cert2 = NULL;
@@ -777,13 +781,7 @@ int MAIN(int argc, char *argv[])
          tlsextctx tlsextcbp = {NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING};
  #endif
  
-#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
         meth=SSLv23_server_method();
-#elif !defined(OPENSSL_NO_SSL3)
-       meth=SSLv3_server_method();
-#elif !defined(OPENSSL_NO_SSL2)
-       meth=SSLv2_server_method();
-#endif
  
         local_argc=argc;
         local_argv=argv;
@@ -908,6 +906,8 @@ int MAIN(int argc, char *argv[])
                         if (--argc < 1) goto bad;
                         CApath= *(++argv);
                         }
+               else if (strcmp(*argv,"-no_cache") == 0)
+                       no_cache = 1;
                 else if (strcmp(*argv,"-crl_check") == 0)
                         {
                         vflags |= X509_V_FLAG_CRL_CHECK;
@@ -918,6 +918,8 @@ int MAIN(int argc, char *argv[])
                         }
                 else if (strcmp(*argv,"-serverpref") == 0)
                         { off|=SSL_OP_CIPHER_SERVER_PREFERENCE; }
+               else if (strcmp(*argv,"-legacy_renegotiation") == 0)
+                       off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
                 else if (strcmp(*argv,"-cipher") == 0)
                         {
                         if (--argc < 1) goto bad;
@@ -1250,8 +1252,10 @@ bad:
         if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1);
  
         if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback);
-
-       SSL_CTX_sess_set_cache_size(ctx,128);
+       if (no_cache)
+               SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
+       else
+               SSL_CTX_sess_set_cache_size(ctx,128);
  
  #if 0
         if (cipher == NULL) cipher=getenv("SSL_CIPHER");
@@ -1318,7 +1322,10 @@ bad:
  
                 if (state) SSL_CTX_set_info_callback(ctx2,apps_ssl_info_callback);
  
-               SSL_CTX_sess_set_cache_size(ctx2,128);
+               if (no_cache)
+                       SSL_CTX_set_session_cache_mode(ctx2,SSL_SESS_CACHE_OFF);
+               else
+                       SSL_CTX_sess_set_cache_size(ctx2,128);
  
                 if ((!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) ||
                         (!SSL_CTX_set_default_verify_paths(ctx2)))
@@ -1495,6 +1502,10 @@ bad:
         SSL_CTX_set_session_id_context(ctx,(void*)&s_server_session_id_context,
                 sizeof s_server_session_id_context);
  
+       /* Set DTLS cookie generation and verification callbacks */
+       SSL_CTX_set_cookie_generate_cb(ctx, generate_cookie_callback);
+       SSL_CTX_set_cookie_verify_cb(ctx, verify_cookie_callback);
+
  #ifndef OPENSSL_NO_TLSEXT
         if (ctx2)
                 {
@@ -1539,6 +1550,12 @@ end:
         if (dpass)
                 OPENSSL_free(dpass);
  #ifndef OPENSSL_NO_TLSEXT
+       if (tlscstatp.host)
+               OPENSSL_free(tlscstatp.host);
+       if (tlscstatp.port)
+               OPENSSL_free(tlscstatp.port);
+       if (tlscstatp.path)
+               OPENSSL_free(tlscstatp.path);
         if (ctx2 != NULL) SSL_CTX_free(ctx2);
         if (s_cert2)
                 X509_free(s_cert2);
@@ -1588,8 +1605,11 @@ static int sv_body(char *hostname, int s, unsigned char *context)
         unsigned long l;
         SSL *con=NULL;
         BIO *sbio;
+       struct timeval timeout;
  #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE)
         struct timeval tv;
+#else
+       struct timeval *timeoutp;
  #endif
  
         if ((buf=OPENSSL_malloc(bufsize)) == NULL)
@@ -1641,7 +1661,6 @@ static int sv_body(char *hostname, int s, unsigned char *context)
  
         if (SSL_version(con) == DTLS1_VERSION)
                 {
-               struct timeval timeout;
  
                 sbio=BIO_new_dgram(s,BIO_NOCLOSE);
  
@@ -1742,7 +1761,19 @@ static int sv_body(char *hostname, int s, unsigned char *context)
                         if(_kbhit())
                                 read_from_terminal = 1;
  #else
-                       i=select(width,(void *)&readfds,NULL,NULL,NULL);
+                       if ((SSL_version(con) == DTLS1_VERSION) &&
+                               DTLSv1_get_timeout(con, &timeout))
+                               timeoutp = &timeout;
+                       else
+                               timeoutp = NULL;
+
+                       i=select(width,(void *)&readfds,NULL,NULL,timeoutp);
+
+                       if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0)
+                               {
+                               BIO_printf(bio_err,"TIMEOUT occured\n");
+                               }
+
                         if (i <= 0) continue;
                         if (FD_ISSET(fileno(stdin),&readfds))
                                 read_from_terminal = 1;
@@ -1999,6 +2030,8 @@ static int init_ssl_connection(SSL *con)
                         con->kssl_ctx->client_princ);
                 }
  #endif /* OPENSSL_NO_KRB5 */
+       BIO_printf(bio_s_out, "Secure Renegotiation IS%s supported\n",
+                     SSL_get_secure_renegotiation_support(con) ? "" : " NOT");
         return(1);
         }
  
@@ -2042,12 +2075,14 @@ static int www_body(char *hostname, int s, unsigned char *context)
         {
         char *buf=NULL;
         int ret=1;
-       int i,j,k,blank,dot;
+       int i,j,k,dot;
         struct stat st_buf;
         SSL *con;
         SSL_CIPHER *c;
         BIO *io,*ssl_bio,*sbio;
+#ifdef RENEG
         long total_bytes;
+#endif
  
         buf=OPENSSL_malloc(bufsize);
         if (buf == NULL) return(0);
@@ -2118,7 +2153,6 @@ static int www_body(char *hostname, int s, unsigned char *context)
                 SSL_set_msg_callback_arg(con, bio_s_out);
                 }
  
-       blank=0;
         for (;;)
                 {
                 if (hack)
@@ -2355,7 +2389,9 @@ static int www_body(char *hostname, int s, unsigned char *context)
                                          BIO_puts(io,"HTTP/1.0 200 ok\r\nContent-type: text/plain\r\n\r\n");
                                  }
                         /* send the file */
+#ifdef RENEG
                         total_bytes=0;
+#endif
                         for (;;)
                                 {
                                 i=BIO_read(file,buf,bufsize);