fix leak

[oweals/openssl.git] / apps / s_server.c

diff --git a/apps/s_server.c b/apps/s_server.c
index fe29b4cae7acf2a026bde310166aaff355825056..20f0c221a0d698f4e85de7fe72a6192115378e21 100644 (file)
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -267,11 +267,12 @@ extern int verify_depth, verify_return_error;
 static char *cipher=NULL;
 static int s_server_verify=SSL_VERIFY_NONE;
 static int s_server_session_id_context = 1; /* anything will do */
-static const char *s_cert_file=TEST_CERT,*s_key_file=NULL;
+static const char *s_cert_file=TEST_CERT,*s_key_file=NULL, *s_chain_file=NULL;
 #ifndef OPENSSL_NO_TLSEXT
 static const char *s_cert_file2=TEST_CERT2,*s_key_file2=NULL;
+static char *curves=NULL;
 #endif
-static char *s_dcert_file=NULL,*s_dkey_file=NULL;
+static char *s_dcert_file=NULL,*s_dkey_file=NULL, *s_dchain_file=NULL;
 #ifdef FIONBIO
 static int s_nbio=0;
 #endif
@@ -308,6 +309,10 @@ static long socket_mtu;
 static int cert_chain = 0;
 #endif
 
+#ifndef OPENSSL_NO_TLSEXT
+static BIO *authz_in = NULL;
+static const char *s_authz_file = NULL;
+#endif
 
 #ifndef OPENSSL_NO_PSK
 static char *psk_identity="Client_identity";
@@ -430,9 +435,12 @@ static void s_server_init(void)
        s_server_verify=SSL_VERIFY_NONE;
        s_dcert_file=NULL;
        s_dkey_file=NULL;
+       s_dchain_file=NULL;
        s_cert_file=TEST_CERT;
        s_key_file=NULL;
+       s_chain_file=NULL;
 #ifndef OPENSSL_NO_TLSEXT
+       curves=NULL;
        s_cert_file2=TEST_CERT2;
        s_key_file2=NULL;
        ctx2=NULL;
@@ -465,6 +473,7 @@ static void sv_usage(void)
        BIO_printf(bio_err," -Verify arg   - turn on peer certificate verification, must have a cert.\n");
        BIO_printf(bio_err," -cert arg     - certificate file to use\n");
        BIO_printf(bio_err,"                 (default is %s)\n",TEST_CERT);
+       BIO_printf(bio_err," -authz arg   -  binary authz file for certificate\n");
        BIO_printf(bio_err," -crl_check    - check the peer certificate has not been revoked by its CA.\n" \
                           "                 The CRL(s) are appended to the certificate file\n");
        BIO_printf(bio_err," -crl_check_all - check the peer certificate has not been revoked by its CA\n" \
@@ -950,6 +959,7 @@ int MAIN(int argc, char *argv[])
        char *dpassarg = NULL, *dpass = NULL;
        int s_dcert_format = FORMAT_PEM, s_dkey_format = FORMAT_PEM;
        X509 *s_cert = NULL, *s_dcert = NULL;
+       STACK_OF(X509) *s_chain = NULL, *s_dchain = NULL;
        EVP_PKEY *s_key = NULL, *s_dkey = NULL;
        int no_cache = 0;
 #ifndef OPENSSL_NO_TLSEXT
@@ -969,17 +979,7 @@ int MAIN(int argc, char *argv[])
        char *srpuserseed = NULL;
        char *srp_verifier_file = NULL;
 #endif
-#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
        meth=SSLv23_server_method();
-#elif !defined(OPENSSL_NO_SSL3)
-       meth=SSLv3_server_method();
-#elif !defined(OPENSSL_NO_SSL2)
-       meth=SSLv2_server_method();
-#elif !defined(OPENSSL_NO_TLS1)
-       meth=TLSv1_server_method();
-#else
-  /*  #error no SSL version enabled */
-#endif
 
        local_argc=argc;
        local_argv=argv;
@@ -1038,6 +1038,13 @@ int MAIN(int argc, char *argv[])
                        if (--argc < 1) goto bad;
                        s_cert_file= *(++argv);
                        }
+#ifndef OPENSSL_NO_TLSEXT
+               else if (strcmp(*argv,"-authz") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       s_authz_file = *(++argv);
+                       }
+#endif
                else if (strcmp(*argv,"-certform") == 0)
                        {
                        if (--argc < 1) goto bad;
@@ -1058,6 +1065,11 @@ int MAIN(int argc, char *argv[])
                        if (--argc < 1) goto bad;
                        passarg = *(++argv);
                        }
+               else if (strcmp(*argv,"-cert_chain") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       s_chain_file= *(++argv);
+                       }
                else if (strcmp(*argv,"-dhparam") == 0)
                        {
                        if (--argc < 1) goto bad;
@@ -1095,6 +1107,11 @@ int MAIN(int argc, char *argv[])
                        if (--argc < 1) goto bad;
                        s_dkey_file= *(++argv);
                        }
+               else if (strcmp(*argv,"-dcert_chain") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       s_dchain_file= *(++argv);
+                       }
                else if (strcmp(*argv,"-nocert") == 0)
                        {
                        nocert=1;
@@ -1171,6 +1188,11 @@ int MAIN(int argc, char *argv[])
                                goto bad;
                                }
                        }
+               else if (strcmp(*argv,"-curves") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       curves= *(++argv);
+                       }
 #endif
                else if (strcmp(*argv,"-msg") == 0)
                        { s_msg=1; }
@@ -1216,13 +1238,13 @@ int MAIN(int argc, char *argv[])
                        {
                        if (--argc < 1) goto bad;
                        srp_verifier_file = *(++argv);
-                       meth=TLSv1_server_method();
+                       meth = TLSv1_server_method();
                        }
                else if (strcmp(*argv, "-srpuserseed") == 0)
                        {
                        if (--argc < 1) goto bad;
                        srpuserseed = *(++argv);
-                       meth=TLSv1_server_method();
+                       meth = TLSv1_server_method();
                        }
 #endif
                else if (strcmp(*argv,"-www") == 0)
@@ -1420,6 +1442,13 @@ bad:
                        ERR_print_errors(bio_err);
                        goto end;
                        }
+               if (s_chain_file)
+                       {
+                       s_chain = load_certs(bio_err, s_chain_file,FORMAT_PEM,
+                                       NULL, e, "server certificate chain");
+                       if (!s_chain)
+                               goto end;
+                       }
 
 #ifndef OPENSSL_NO_TLSEXT
                if (tlsextcbp.servername) 
@@ -1441,24 +1470,23 @@ bad:
                                goto end;
                                }
                        }
+#endif /* OPENSSL_NO_TLSEXT */
+               }
 
-# ifndef OPENSSL_NO_NEXTPROTONEG
-               if (next_proto_neg_in)
-                       {
-                       unsigned short len;
-                       next_proto.data = next_protos_parse(&len,
-                               next_proto_neg_in);
-                       if (next_proto.data == NULL)
-                               goto end;
-                       next_proto.len = len;
-                       }
-               else
-                       {
-                       next_proto.data = NULL;
-                       }
-# endif
-#endif
+#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) 
+       if (next_proto_neg_in)
+               {
+               unsigned short len;
+               next_proto.data = next_protos_parse(&len, next_proto_neg_in);
+               if (next_proto.data == NULL)
+                       goto end;
+               next_proto.len = len;
+               }
+       else
+               {
+               next_proto.data = NULL;
                }
+#endif
 
 
        if (s_dcert_file)
@@ -1484,6 +1512,13 @@ bad:
                        ERR_print_errors(bio_err);
                        goto end;
                        }
+               if (s_dchain_file)
+                       {
+                       s_dchain = load_certs(bio_err, s_dchain_file,FORMAT_PEM,
+                               NULL, e, "second server certificate chain");
+                       if (!s_dchain)
+                               goto end;
+                       }
 
                }
 
@@ -1696,10 +1731,11 @@ bad:
                {
                EC_KEY *ecdh=NULL;
 
-               if (named_curve)
+               if (named_curve && strcmp(named_curve, "auto"))
                        {
-                       int nid = OBJ_sn2nid(named_curve);
-
+                       int nid = EC_curve_nist2nid(named_curve);
+                       if (nid == NID_undef)
+                               nid = OBJ_sn2nid(named_curve);
                        if (nid == 0)
                                {
                                BIO_printf(bio_err, "unknown curve name (%s)\n", 
@@ -1719,6 +1755,8 @@ bad:
                        {
                        BIO_printf(bio_s_out,"Setting temp ECDH parameters\n");
                        }
+               else if (named_curve)
+                       SSL_CTX_set_ecdh_auto(ctx, 1);
                else
                        {
                        BIO_printf(bio_s_out,"Using default temp ECDH parameters\n");
@@ -1740,15 +1778,19 @@ bad:
                }
 #endif
        
-       if (!set_cert_key_stuff(ctx,s_cert,s_key))
+       if (!set_cert_key_stuff(ctx, s_cert, s_key, s_chain))
                goto end;
 #ifndef OPENSSL_NO_TLSEXT
-       if (ctx2 && !set_cert_key_stuff(ctx2,s_cert2,s_key2))
+       if (s_authz_file != NULL && !SSL_CTX_use_authz_file(ctx, s_authz_file))
+               goto end;
+#endif
+#ifndef OPENSSL_NO_TLSEXT
+       if (ctx2 && !set_cert_key_stuff(ctx2,s_cert2,s_key2, NULL))
                goto end; 
 #endif
        if (s_dcert != NULL)
                {
-               if (!set_cert_key_stuff(ctx,s_dcert,s_dkey))
+               if (!set_cert_key_stuff(ctx, s_dcert, s_dkey, s_dchain))
                        goto end;
                }
 
@@ -1830,6 +1872,23 @@ bad:
                        }
 #endif
                }
+#ifndef OPENSSL_NO_TLSEXT
+       if (curves)
+               {
+               if(!SSL_CTX_set1_curves_list(ctx,curves))
+                       {
+                       BIO_printf(bio_err,"error setting curves list\n");
+                       ERR_print_errors(bio_err);
+                       goto end;
+                       }
+               if(ctx2 && !SSL_CTX_set1_curves_list(ctx2,curves))
+                       {
+                       BIO_printf(bio_err,"error setting curves list\n");
+                       ERR_print_errors(bio_err);
+                       goto end;
+                       }
+               }
+#endif
        SSL_CTX_set_verify(ctx,s_server_verify,verify_callback);
        SSL_CTX_set_session_id_context(ctx,(void*)&s_server_session_id_context,
                sizeof s_server_session_id_context);
@@ -1899,16 +1958,30 @@ end:
                EVP_PKEY_free(s_key);
        if (s_dkey)
                EVP_PKEY_free(s_dkey);
+       if (s_chain)
+               sk_X509_pop_free(s_chain, X509_free);
+       if (s_dchain)
+               sk_X509_pop_free(s_dchain, X509_free);
        if (pass)
                OPENSSL_free(pass);
        if (dpass)
                OPENSSL_free(dpass);
+       if (vpm)
+               X509_VERIFY_PARAM_free(vpm);
 #ifndef OPENSSL_NO_TLSEXT
+       if (tlscstatp.host)
+               OPENSSL_free(tlscstatp.host);
+       if (tlscstatp.port)
+               OPENSSL_free(tlscstatp.port);
+       if (tlscstatp.path)
+               OPENSSL_free(tlscstatp.path);
        if (ctx2 != NULL) SSL_CTX_free(ctx2);
        if (s_cert2)
                X509_free(s_cert2);
        if (s_key2)
                EVP_PKEY_free(s_key2);
+       if (authz_in != NULL)
+               BIO_free(authz_in);
 #endif
        if (bio_s_out != NULL)
                {
@@ -2442,7 +2515,10 @@ static int init_ssl_connection(SSL *con)
        if (SSL_get_shared_ciphers(con,buf,sizeof buf) != NULL)
                BIO_printf(bio_s_out,"Shared ciphers:%s\n",buf);
        str=SSL_CIPHER_get_name(SSL_get_current_cipher(con));
+       ssl_print_sigalgs(bio_s_out, con);
+       ssl_print_curves(bio_s_out, con);
        BIO_printf(bio_s_out,"CIPHER is %s\n",(str != NULL)?str:"(NONE)");
+
 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
        SSL_get0_next_proto_negotiated(con, &next_proto_neg, &next_proto_neg_len);
        if (next_proto_neg)
@@ -2711,6 +2787,11 @@ static int www_body(char *hostname, int s, unsigned char *context)
                                }
                        BIO_puts(io,"\n");
 
+                       BIO_printf(io,
+                               "Secure Renegotiation IS%s supported\n",
+                               SSL_get_secure_renegotiation_support(con) ?
+                                                       "" : " NOT");
+
                        /* The following is evil and should not really
                         * be done */
                        BIO_printf(io,"Ciphers supported in s_server binary\n");
@@ -2749,6 +2830,8 @@ static int www_body(char *hostname, int s, unsigned char *context)
                                        }
                                BIO_puts(io,"\n");
                                }
+                       ssl_print_sigalgs(io, con);
+                       ssl_print_curves(io, con);
                        BIO_printf(io,(SSL_cache_hit(con)
                                ?"---\nReused, "
                                :"---\nNew, "));