Fix error codes.

[oweals/openssl.git] / apps / s_server.c
diff --git a/apps/s_server.c b/apps/s_server.c

index 03675d62e4eb2e4e9d631ef506ec150c3b16f3a3..7cb9a08da51f23da8964b7ae6b0c9164e1ea177b 100644 (file)
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -216,9 +216,6 @@ static int generate_session_id(const SSL *ssl, unsigned char *id,
                                 unsigned int *id_len);
  static void init_session_cache_ctx(SSL_CTX *sctx);
  static void free_sessions(void);
-static int ssl_load_stores(SSL_CTX *sctx,
-                       const char *vfyCApath, const char *vfyCAfile,
-                       const char *chCApath, const char *chCAfile);
  #ifndef OPENSSL_NO_DH
  static DH *load_dh_param(const char *dhfile);
  static DH *get_dh512(void);
@@ -476,9 +473,6 @@ static void sv_usage(void)
         BIO_printf(bio_err,"usage: s_server [args ...]\n");
         BIO_printf(bio_err,"\n");
         BIO_printf(bio_err," -accept arg   - port to accept on (default is %d)\n",PORT);
-       BIO_printf(bio_err," -checkhost host - check peer certificate matches \"host\"\n");
-       BIO_printf(bio_err," -checkemail email - check peer certificate matches \"email\"\n");
-       BIO_printf(bio_err," -checkip ipaddr - check peer certificate matches \"ipaddr\"\n");
         BIO_printf(bio_err," -context arg  - set session ID context\n");
         BIO_printf(bio_err," -verify arg   - turn on peer certificate verification\n");
         BIO_printf(bio_err," -Verify arg   - turn on peer certificate verification, must have a cert.\n");
@@ -944,14 +938,14 @@ int MAIN(int, char **);
  
  #ifndef OPENSSL_NO_JPAKE
  static char *jpake_secret = NULL;
+#define no_jpake !jpake_secret
+#else
+#define no_jpake 1
  #endif
  #ifndef OPENSSL_NO_SRP
         static srpsrvparm srp_callback_parm;
  #endif
  static char *srtp_profiles = NULL;
-static unsigned char *checkhost = NULL, *checkemail = NULL;
-static char *checkip = NULL;
-
  
  int MAIN(int argc, char *argv[])
         {
@@ -1002,6 +996,11 @@ int MAIN(int argc, char *argv[])
         SSL_CONF_CTX *cctx = NULL;
         STACK_OF(OPENSSL_STRING) *ssl_args = NULL;
  
+       char *crl_file = NULL;
+       int crl_format = FORMAT_PEM;
+       int crl_download = 0;
+       STACK_OF(X509_CRL) *crls = NULL;
+
         meth=SSLv23_server_method();
  
         local_argc=argc;
@@ -1022,6 +1021,7 @@ int MAIN(int argc, char *argv[])
         if (!cctx)
                 goto end;
         SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SERVER);
+       SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CMDLINE);
  
         verify_depth=0;
  #ifdef FIONBIO
@@ -1057,7 +1057,8 @@ int MAIN(int argc, char *argv[])
                         s_server_verify=SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE;
                         if (--argc < 1) goto bad;
                         verify_depth=atoi(*(++argv));
-                       BIO_printf(bio_err,"verify depth is %d\n",verify_depth);
+                       if (!s_quiet)
+                               BIO_printf(bio_err,"verify depth is %d\n",verify_depth);
                         }
                 else if (strcmp(*argv,"-Verify") == 0)
                         {
@@ -1065,7 +1066,8 @@ int MAIN(int argc, char *argv[])
                                 SSL_VERIFY_CLIENT_ONCE;
                         if (--argc < 1) goto bad;
                         verify_depth=atoi(*(++argv));
-                       BIO_printf(bio_err,"verify depth is %d, must return a certificate\n",verify_depth);
+                       if (!s_quiet)
+                               BIO_printf(bio_err,"verify depth is %d, must return a certificate\n",verify_depth);
                         }
                 else if (strcmp(*argv,"-context") == 0)
                         {
@@ -1077,6 +1079,13 @@ int MAIN(int argc, char *argv[])
                         if (--argc < 1) goto bad;
                         s_cert_file= *(++argv);
                         }
+               else if (strcmp(*argv,"-CRL") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       crl_file= *(++argv);
+                       }
+               else if (strcmp(*argv,"-crl_download") == 0)
+                       crl_download = 1;
  #ifndef OPENSSL_NO_TLSEXT
                 else if (strcmp(*argv,"-authz") == 0)
                         {
@@ -1167,6 +1176,11 @@ int MAIN(int argc, char *argv[])
                         no_cache = 1;
                 else if (strcmp(*argv,"-ext_cache") == 0)
                         ext_cache = 1;
+               else if (strcmp(*argv,"-CRLform") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       crl_format = str2fmt(*(++argv));
+                       }
                 else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm))
                         {
                         if (badarg)
@@ -1254,21 +1268,6 @@ int MAIN(int argc, char *argv[])
                                 }
                         }
  #endif
-               else if (strcmp(*argv,"-checkhost") == 0)
-                       {
-                       if (--argc < 1) goto bad;
-                       checkhost=(unsigned char *)*(++argv);
-                       }
-               else if (strcmp(*argv,"-checkemail") == 0)
-                       {
-                       if (--argc < 1) goto bad;
-                       checkemail=(unsigned char *)*(++argv);
-                       }
-               else if (strcmp(*argv,"-checkip") == 0)
-                       {
-                       if (--argc < 1) goto bad;
-                       checkip=*(++argv);
-                       }
                 else if (strcmp(*argv,"-msg") == 0)
                         { s_msg=1; }
                 else if (strcmp(*argv,"-msgfile") == 0)
@@ -1469,14 +1468,7 @@ bad:
                         goto end;
                         }
                 psk_identity = "JPAKE";
-               if (cipher)
-                       {
-                       BIO_printf(bio_err, "JPAKE sets cipher to PSK\n");
-                       goto end;
-                       }
-               cipher = "PSK";
                 }
-
  #endif
  
         SSL_load_error_strings();
@@ -1567,6 +1559,26 @@ bad:
                 }
  #endif
  
+       if (crl_file)
+               {
+               X509_CRL *crl;
+               crl = load_crl(crl_file, crl_format);
+               if (!crl)
+                       {
+                       BIO_puts(bio_err, "Error loading CRL\n");
+                       ERR_print_errors(bio_err);
+                       goto end;
+                       }
+               crls = sk_X509_CRL_new_null();
+               if (!crls || !sk_X509_CRL_push(crls, crl))
+                       {
+                       BIO_puts(bio_err, "Error adding CRL\n");
+                       ERR_print_errors(bio_err);
+                       X509_CRL_free(crl);
+                       goto end;
+                       }
+               }
+
  
         if (s_dcert_file)
                 {
@@ -1612,9 +1624,11 @@ bad:
  
         if (bio_s_out == NULL)
                 {
-               if (s_quiet && !s_debug && !s_msg)
+               if (s_quiet && !s_debug)
                         {
                         bio_s_out=BIO_new(BIO_s_null());
+                       if (s_msg && !bio_s_msg)
+                               bio_s_msg=BIO_new_fp(stdout,BIO_NOCLOSE);
                         }
                 else
                         {
@@ -1700,10 +1714,12 @@ bad:
         if (vpm)
                 SSL_CTX_set1_param(ctx, vpm);
  
-       if (!args_ssl_call(ctx, bio_err, cctx, ssl_args, no_ecdhe))
+       ssl_ctx_add_crls(ctx, crls, 0);
+       if (!args_ssl_call(ctx, bio_err, cctx, ssl_args, no_ecdhe, no_jpake))
                 goto end;
  
-       if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile))
+       if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile,
+                                               crls, crl_download))
                 {
                 BIO_printf(bio_err, "Error loading store locations\n");
                 ERR_print_errors(bio_err);
@@ -1766,7 +1782,8 @@ bad:
                 if (vpm)
                         SSL_CTX_set1_param(ctx2, vpm);
  
-               if (!args_ssl_call(ctx2, bio_err, cctx, ssl_args, no_ecdhe))
+               ssl_ctx_add_crls(ctx2, crls, 0);
+               if (!args_ssl_call(ctx2, bio_err, cctx, ssl_args, no_ecdhe, no_jpake))
                         goto end;
                 }
  
@@ -1971,6 +1988,8 @@ end:
         if (ctx != NULL) SSL_CTX_free(ctx);
         if (s_cert)
                 X509_free(s_cert);
+       if (crls)
+               sk_X509_CRL_pop_free(crls, X509_CRL_free);
         if (s_dcert)
                 X509_free(s_dcert);
         if (s_key)
@@ -2008,9 +2027,13 @@ end:
                 sk_OPENSSL_STRING_free(ssl_args);
         if (cctx)
                 SSL_CONF_CTX_free(cctx);
+#ifndef OPENSSL_NO_JPAKE
+       if (jpake_secret && psk_key)
+               OPENSSL_free(psk_key);
+#endif
         if (bio_s_out != NULL)
                 {
-        BIO_free(bio_s_out);
+               BIO_free(bio_s_out);
                 bio_s_out=NULL;
                 }
         if (bio_s_msg != NULL)
@@ -2536,8 +2559,6 @@ static int init_ssl_connection(SSL *con)
         if (s_brief)
                 print_ssl_summary(bio_err, con);
  
-       print_ssl_cert_checks(bio_err, con, checkhost, checkemail, checkip);
-
         PEM_write_bio_SSL_SESSION(bio_s_out,SSL_get_session(con));
  
         peer=SSL_get_peer_certificate(con);
@@ -2556,6 +2577,7 @@ static int init_ssl_connection(SSL *con)
                 BIO_printf(bio_s_out,"Shared ciphers:%s\n",buf);
         str=SSL_CIPHER_get_name(SSL_get_current_cipher(con));
         ssl_print_sigalgs(bio_s_out, con);
+       ssl_print_point_formats(bio_s_out, con);
         ssl_print_curves(bio_s_out, con, 0);
         BIO_printf(bio_s_out,"CIPHER is %s\n",(str != NULL)?str:"(NONE)");
  
@@ -3396,42 +3418,3 @@ static void free_sessions(void)
                 }
         first = NULL;
         }
-
-static int ssl_load_stores(SSL_CTX *sctx,
-                       const char *vfyCApath, const char *vfyCAfile,
-                       const char *chCApath, const char *chCAfile)
-       {
-       X509_STORE *vfy = NULL, *ch = NULL;
-       int rv = 0;
-       if (vfyCApath || vfyCAfile)
-               {
-               vfy = X509_STORE_new();
-               if (!X509_STORE_load_locations(vfy, vfyCAfile, vfyCApath))
-                       goto err;
-               SSL_CTX_set1_verify_cert_store(ctx, vfy);
-               }
-       if (chCApath || chCAfile)
-               {
-               ch = X509_STORE_new();
-               if (!X509_STORE_load_locations(ch, chCAfile, chCApath))
-                       goto err;
-               /*X509_STORE_set_verify_cb(ch, verify_callback);*/
-               SSL_CTX_set1_chain_cert_store(ctx, ch);
-               }
-       rv = 1;
-       err:
-       if (vfy)
-               X509_STORE_free(vfy);
-       if (ch)
-               X509_STORE_free(ch);
-       return rv;
-       }
-
-
-
-
-
-
-       
-
-