X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=apps%2Fs_server.c;h=17ee441009f352dcc032dfcde49e392ca856acb9;hb=01a9a7592e332cf4853bc84c33407d384a1a14ba;hp=97389cd590d8243eb41cefdb3757bc38c45c67f7;hpb=edc032b5e3f3ebb1006a9c89e0ae00504f47966f;p=oweals%2Fopenssl.git diff --git a/apps/s_server.c b/apps/s_server.c index 97389cd590..17ee441009 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -503,6 +503,7 @@ static void sv_usage(void) #endif BIO_printf(bio_err," -ssl2 - Just talk SSLv2\n"); BIO_printf(bio_err," -ssl3 - Just talk SSLv3\n"); + BIO_printf(bio_err," -tls1_2 - Just talk TLSv1.2\n"); BIO_printf(bio_err," -tls1_1 - Just talk TLSv1.1\n"); BIO_printf(bio_err," -tls1 - Just talk TLSv1\n"); BIO_printf(bio_err," -dtls1 - Just talk DTLSv1\n"); @@ -513,6 +514,7 @@ static void sv_usage(void) BIO_printf(bio_err," -no_ssl3 - Just disable SSLv3\n"); BIO_printf(bio_err," -no_tls1 - Just disable TLSv1\n"); BIO_printf(bio_err," -no_tls1_1 - Just disable TLSv1.1\n"); + BIO_printf(bio_err," -no_tls1_2 - Just disable TLSv1.2\n"); #ifndef OPENSSL_NO_DH BIO_printf(bio_err," -no_dhe - Disable ephemeral DH\n"); #endif @@ -1226,6 +1228,8 @@ int MAIN(int argc, char *argv[]) { off|=SSL_OP_NO_SSLv2; } else if (strcmp(*argv,"-no_ssl3") == 0) { off|=SSL_OP_NO_SSLv3; } + else if (strcmp(*argv,"-no_tls1_2") == 0) + { off|=SSL_OP_NO_TLSv1_2; } else if (strcmp(*argv,"-no_tls1_1") == 0) { off|=SSL_OP_NO_TLSv1_1; } else if (strcmp(*argv,"-no_tls1") == 0) @@ -1245,6 +1249,8 @@ int MAIN(int argc, char *argv[]) { meth=SSLv3_server_method(); } #endif #ifndef OPENSSL_NO_TLS1 + else if (strcmp(*argv,"-tls1_2") == 0) + { meth=TLSv1_2_server_method(); } else if (strcmp(*argv,"-tls1_1") == 0) { meth=TLSv1_1_server_method(); } else if (strcmp(*argv,"-tls1") == 0) @@ -1520,6 +1526,9 @@ bad: SSL_CTX_set_quiet_shutdown(ctx,1); if (bugs) SSL_CTX_set_options(ctx,SSL_OP_ALL); if (hack) SSL_CTX_set_options(ctx,SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG); + /* HACK while TLS v1.2 is disabled by default */ + if (!(off & SSL_OP_NO_TLSv1_2)) + SSL_CTX_clear_options(ctx, SSL_OP_NO_TLSv1_2); SSL_CTX_set_options(ctx,off); /* DTLS: partial reads end up discarding unread UDP bytes :-( * Setting read ahead solves this problem. @@ -1934,6 +1943,9 @@ static int sv_body(char *hostname, int s, unsigned char *context) unsigned long l; SSL *con=NULL; BIO *sbio; +#ifndef OPENSSL_NO_KRB5 + KSSL_CTX *kctx; +#endif struct timeval timeout; #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5) struct timeval tv; @@ -1974,12 +1986,11 @@ static int sv_body(char *hostname, int s, unsigned char *context) } #endif #ifndef OPENSSL_NO_KRB5 - if ((con->kssl_ctx = kssl_ctx_new()) != NULL) + if ((kctx = kssl_ctx_new()) != NULL) { - kssl_ctx_setstring(con->kssl_ctx, KSSL_SERVICE, - KRB5SVC); - kssl_ctx_setstring(con->kssl_ctx, KSSL_KEYTAB, - KRB5KEYTAB); + SSL_set0_kssl_ctx(con, kctx); + kssl_ctx_setstring(kctx, KSSL_SERVICE, KRB5SVC); + kssl_ctx_setstring(kctx, KSSL_KEYTAB, KRB5KEYTAB); } #endif /* OPENSSL_NO_KRB5 */ if(context) @@ -2042,7 +2053,7 @@ static int sv_body(char *hostname, int s, unsigned char *context) if (s_debug) { - con->debug=1; + SSL_set_debug(con, 1); BIO_set_callback(SSL_get_rbio(con),bio_dump_callback); BIO_set_callback_arg(SSL_get_rbio(con),(char *)bio_s_out); } @@ -2332,6 +2343,9 @@ static int init_ssl_connection(SSL *con) const unsigned char *next_proto_neg; unsigned next_proto_neg_len; #endif +#ifndef OPENSSL_NO_KRB5 + char *client_princ; +#endif if ((i=SSL_accept(con)) <= 0) { @@ -2380,15 +2394,16 @@ static int init_ssl_connection(SSL *con) BIO_printf(bio_s_out, "\n"); } #endif - if (con->hit) BIO_printf(bio_s_out,"Reused session-id\n"); + if (SSL_cache_hit(con)) BIO_printf(bio_s_out,"Reused session-id\n"); if (SSL_ctrl(con,SSL_CTRL_GET_FLAGS,0,NULL) & TLS1_FLAGS_TLS_PADDING_BUG) BIO_printf(bio_s_out,"Peer has incorrect TLSv1 block padding\n"); #ifndef OPENSSL_NO_KRB5 - if (con->kssl_ctx->client_princ != NULL) + client_princ = kssl_ctx_get0_client_princ(SSL_get0_kssl_ctx(con)); + if (client_princ != NULL) { BIO_printf(bio_s_out,"Kerberos peer principal is %s\n", - con->kssl_ctx->client_princ); + client_princ); } #endif /* OPENSSL_NO_KRB5 */ BIO_printf(bio_s_out, "Secure Renegotiation IS%s supported\n", @@ -2440,6 +2455,9 @@ static int www_body(char *hostname, int s, unsigned char *context) SSL *con; const SSL_CIPHER *c; BIO *io,*ssl_bio,*sbio; +#ifndef OPENSSL_NO_KRB5 + KSSL_CTX *kctx; +#endif buf=OPENSSL_malloc(bufsize); if (buf == NULL) return(0); @@ -2471,10 +2489,10 @@ static int www_body(char *hostname, int s, unsigned char *context) } #endif #ifndef OPENSSL_NO_KRB5 - if ((con->kssl_ctx = kssl_ctx_new()) != NULL) + if ((kctx = kssl_ctx_new()) != NULL) { - kssl_ctx_setstring(con->kssl_ctx, KSSL_SERVICE, KRB5SVC); - kssl_ctx_setstring(con->kssl_ctx, KSSL_KEYTAB, KRB5KEYTAB); + kssl_ctx_setstring(kctx, KSSL_SERVICE, KRB5SVC); + kssl_ctx_setstring(kctx, KSSL_KEYTAB, KRB5KEYTAB); } #endif /* OPENSSL_NO_KRB5 */ if(context) SSL_set_session_id_context(con, context, @@ -2499,7 +2517,7 @@ static int www_body(char *hostname, int s, unsigned char *context) if (s_debug) { - con->debug=1; + SSL_set_debug(con, 1); BIO_set_callback(SSL_get_rbio(con),bio_dump_callback); BIO_set_callback_arg(SSL_get_rbio(con),(char *)bio_s_out); } @@ -2585,7 +2603,7 @@ static int www_body(char *hostname, int s, unsigned char *context) goto err; } /* EVIL HACK! */ - con->state = SSL_ST_ACCEPT; + SSL_set_state(con, SSL_ST_ACCEPT); i=SSL_do_handshake(con); BIO_printf(bio_s_out, "SSL_do_handshake -> %d\n",i); if (i <= 0) @@ -2651,7 +2669,7 @@ static int www_body(char *hostname, int s, unsigned char *context) } BIO_puts(io,"\n"); } - BIO_printf(io,((con->hit) + BIO_printf(io,(SSL_cache_hit(con) ?"---\nReused, " :"---\nNew, ")); c=SSL_get_current_cipher(con); @@ -2908,7 +2926,7 @@ static int generate_session_id(const SSL *ssl, unsigned char *id, typedef struct simple_ssl_session_st { unsigned char *id; - int idlen; + unsigned int idlen; unsigned char *der; int derlen; struct simple_ssl_session_st *next; @@ -2923,10 +2941,10 @@ static int add_session(SSL *ssl, SSL_SESSION *session) sess = OPENSSL_malloc(sizeof(simple_ssl_session)); - sess->idlen = session->session_id_length; + sess->idlen = SSL_SESSION_get_id_len(session); sess->derlen = i2d_SSL_SESSION(session, NULL); - sess->id = BUF_memdup(session->session_id, sess->idlen); + sess->id = BUF_memdup(SSL_SESSION_get0_id(session), sess->idlen); sess->der = OPENSSL_malloc(sess->derlen); p = sess->der; @@ -2945,7 +2963,7 @@ static SSL_SESSION *get_session(SSL *ssl, unsigned char *id, int idlen, *do_copy = 0; for (sess = first; sess; sess = sess->next) { - if (idlen == sess->idlen && !memcmp(sess->id, id, idlen)) + if (idlen == (int)sess->idlen && !memcmp(sess->id, id, idlen)) { const unsigned char *p = sess->der; BIO_printf(bio_err, "Lookup session: cache hit\n"); @@ -2959,8 +2977,8 @@ static SSL_SESSION *get_session(SSL *ssl, unsigned char *id, int idlen, static void del_session(SSL_CTX *sctx, SSL_SESSION *session) { simple_ssl_session *sess, *prev = NULL; - unsigned char *id = session->session_id; - int idlen = session->session_id_length; + const unsigned char *id = SSL_SESSION_get0_id(session); + unsigned int idlen = SSL_SESSION_get_id_len(session); for (sess = first; sess; sess = sess->next) { if (idlen == sess->idlen && !memcmp(sess->id, id, idlen))