X-Git-Url: https://git.librecmc.org/?a=blobdiff_plain;f=apps%2Fs_server.c;h=456952ea7fd459696fcc3ec693a8ccb208aa1558;hb=7171ade2c218542184238f7c38b195e21b437914;hp=7230750c47bca0ec55f2f77c3d821a66dc3f9e7e;hpb=b7fcc08976b0f5d4a3befd30e20bc95f120c892a;p=oweals%2Fopenssl.git diff --git a/apps/s_server.c b/apps/s_server.c index 7230750c47..456952ea7f 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -298,11 +298,13 @@ static const char *session_id_prefix=NULL; static int enable_timeouts = 0; static long socket_mtu; +#ifndef OPENSSL_NO_DTLS1 static int cert_chain = 0; +#endif #ifndef OPENSSL_NO_PSK static char *psk_identity="Client_identity"; -static char *psk_key=NULL; /* by default PSK is not used */ +char *psk_key=NULL; /* by default PSK is not used */ static unsigned int psk_server_cb(SSL *ssl, const char *identity, unsigned char *psk, unsigned int max_psk_len) @@ -325,7 +327,9 @@ static unsigned int psk_server_cb(SSL *ssl, const char *identity, /* here we could lookup the given identity e.g. from a database */ if (strcmp(identity, psk_identity) != 0) { - BIO_printf(bio_s_out, "PSK error: client identity not found\n"); + BIO_printf(bio_s_out, "PSK error: client identity not found" + " (got '%s' expected '%s')\n", identity, + psk_identity); goto out_err; } if (s_debug) @@ -408,6 +412,11 @@ static void sv_usage(void) BIO_printf(bio_err," -Verify arg - turn on peer certificate verification, must have a cert.\n"); BIO_printf(bio_err," -cert arg - certificate file to use\n"); BIO_printf(bio_err," (default is %s)\n",TEST_CERT); + BIO_printf(bio_err," -crl_check - check the peer certificate has not been revoked by its CA.\n" \ + " The CRL(s) are appended to the certificate file\n"); + BIO_printf(bio_err," -crl_check_all - check the peer certificate has not been revoked by its CA\n" \ + " or any other CRL in the CA chain. CRL(s) are appened to the\n" \ + " the certificate file.\n"); BIO_printf(bio_err," -certform arg - certificate format (PEM or DER) PEM default\n"); BIO_printf(bio_err," -key arg - Private Key file to use, in cert file if\n"); BIO_printf(bio_err," not specified (default is %s)\n",TEST_CERT); @@ -443,13 +452,16 @@ static void sv_usage(void) #ifndef OPENSSL_NO_PSK BIO_printf(bio_err," -psk_hint arg - PSK identity hint to use\n"); BIO_printf(bio_err," -psk arg - PSK in hex (without 0x)\n"); +# ifndef OPENSSL_NO_JPAKE + BIO_printf(bio_err," -jpake arg - JPAKE secret to use\n"); +# endif #endif BIO_printf(bio_err," -ssl2 - Just talk SSLv2\n"); BIO_printf(bio_err," -ssl3 - Just talk SSLv3\n"); BIO_printf(bio_err," -tls1 - Just talk TLSv1\n"); BIO_printf(bio_err," -dtls1 - Just talk DTLSv1\n"); BIO_printf(bio_err," -timeout - Enable timeouts\n"); - BIO_printf(bio_err," -mtu - Set MTU\n"); + BIO_printf(bio_err," -mtu - Set link layer MTU\n"); BIO_printf(bio_err," -chain - Read a certificate chain\n"); BIO_printf(bio_err," -no_ssl2 - Just disable SSLv2\n"); BIO_printf(bio_err," -no_ssl3 - Just disable SSLv3\n"); @@ -661,7 +673,7 @@ static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg) return p->extension_error; if (ctx2) { - BIO_printf(p->biodebug,"Swiching server context.\n"); + BIO_printf(p->biodebug,"Switching server context.\n"); SSL_set_SSL_CTX(s,ctx2); } } @@ -700,7 +712,7 @@ static int cert_status_cb(SSL *s, void *arg) int use_ssl; unsigned char *rspder = NULL; int rspderlen; - STACK *aia = NULL; + STACK_OF(STRING) *aia = NULL; X509 *x = NULL; X509_STORE_CTX inctx; X509_OBJECT obj; @@ -722,7 +734,7 @@ BIO_printf(err, "cert_status: received %d ids\n", sk_OCSP_RESPID_num(ids)); aia = X509_get1_ocsp(x); if (aia) { - if (!OCSP_parse_url(sk_value(aia, 0), + if (!OCSP_parse_url(sk_STRING_value(aia, 0), &host, &port, &path, &use_ssl)) { BIO_puts(err, "cert_status: can't parse AIA URL\n"); @@ -730,7 +742,7 @@ BIO_printf(err, "cert_status: received %d ids\n", sk_OCSP_RESPID_num(ids)); } if (srctx->verbose) BIO_printf(err, "cert_status: AIA URL: %s\n", - sk_value(aia, 0)); + sk_STRING_value(aia, 0)); } else { @@ -817,10 +829,14 @@ BIO_printf(err, "cert_status: received %d ids\n", sk_OCSP_RESPID_num(ids)); int MAIN(int, char **); +#ifndef OPENSSL_NO_JPAKE +static char *jpake_secret = NULL; +#endif + int MAIN(int argc, char *argv[]) { - X509_STORE *store = NULL; - int vflags = 0; + X509_VERIFY_PARAM *vpm = NULL; + int badarg = 0; short port=PORT; char *CApath=NULL,*CAfile=NULL; unsigned char *context = NULL; @@ -835,9 +851,7 @@ int MAIN(int argc, char *argv[]) int state=0; const SSL_METHOD *meth=NULL; int socket_type=SOCK_STREAM; -#ifndef OPENSSL_NO_ENGINE ENGINE *e=NULL; -#endif char *inrand=NULL; int s_cert_format = FORMAT_PEM, s_key_format = FORMAT_PEM; char *passarg = NULL, *pass = NULL; @@ -849,7 +863,6 @@ int MAIN(int argc, char *argv[]) EVP_PKEY *s_key2 = NULL; X509 *s_cert2 = NULL; #endif - #ifndef OPENSSL_NO_TLSEXT tlsextctx tlsextcbp = {NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING}; #endif @@ -988,13 +1001,11 @@ int MAIN(int argc, char *argv[]) if (--argc < 1) goto bad; CApath= *(++argv); } - else if (strcmp(*argv,"-crl_check") == 0) - { - vflags |= X509_V_FLAG_CRL_CHECK; - } - else if (strcmp(*argv,"-crl_check") == 0) + else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm)) { - vflags |= X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL; + if (badarg) + goto bad; + continue; } else if (strcmp(*argv,"-verify_return_error") == 0) verify_return_error = 1; @@ -1174,6 +1185,14 @@ int MAIN(int argc, char *argv[]) if (--argc < 1) goto bad; s_key_file2= *(++argv); } + +#endif +#if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK) + else if (strcmp(*argv,"-jpake") == 0) + { + if (--argc < 1) goto bad; + jpake_secret = *(++argv); + } #endif else { @@ -1191,6 +1210,26 @@ bad: goto end; } +#if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK) + if (jpake_secret) + { + if (psk_key) + { + BIO_printf(bio_err, + "Can't use JPAKE and PSK together\n"); + goto end; + } + psk_identity = "JPAKE"; + if (cipher) + { + BIO_printf(bio_err, "JPAKE sets cipher to PSK\n"); + goto end; + } + cipher = "PSK"; + } + +#endif + SSL_load_error_strings(); OpenSSL_add_ssl_algorithms(); @@ -1371,8 +1410,8 @@ bad: ERR_print_errors(bio_err); /* goto end; */ } - store = SSL_CTX_get_cert_store(ctx); - X509_STORE_set_flags(store, vflags); + if (vpm) + SSL_CTX_set1_param(ctx, vpm); #ifndef OPENSSL_NO_TLSEXT if (s_cert2) @@ -1423,8 +1462,8 @@ bad: { ERR_print_errors(bio_err); } - store = SSL_CTX_get_cert_store(ctx2); - X509_STORE_set_flags(store, vflags); + if (vpm) + SSL_CTX_set1_param(ctx2, vpm); } #endif @@ -1575,10 +1614,14 @@ bad: #endif #ifndef OPENSSL_NO_PSK +#ifdef OPENSSL_NO_JPAKE if (psk_key != NULL) +#else + if (psk_key != NULL || jpake_secret) +#endif { if (s_debug) - BIO_printf(bio_s_out, "PSK key given, setting server callback\n"); + BIO_printf(bio_s_out, "PSK key given or JPAKE in use, setting server callback\n"); SSL_CTX_set_psk_server_callback(ctx, psk_server_cb); } @@ -1780,10 +1823,10 @@ static int sv_body(char *hostname, int s, unsigned char *context) BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout); } - if (socket_mtu > 0) + if (socket_mtu > 28) { SSL_set_options(con, SSL_OP_NO_QUERY_MTU); - SSL_set_mtu(con, socket_mtu); + SSL_set_mtu(con, socket_mtu - 28); } else /* want to do MTU discovery */ @@ -1802,6 +1845,11 @@ static int sv_body(char *hostname, int s, unsigned char *context) test=BIO_new(BIO_f_nbio_test()); sbio=BIO_push(test,sbio); } +#ifndef OPENSSL_NO_JPAKE + if(jpake_secret) + jpake_server_auth(bio_s_out, sbio, jpake_secret); +#endif + SSL_set_bio(con,sbio,sbio); SSL_set_accept_state(con); /* SSL_set_fd(con,s); */ @@ -2177,7 +2225,7 @@ static int www_body(char *hostname, int s, unsigned char *context) int ret=1; int i,j,k,blank,dot; SSL *con; - SSL_CIPHER *c; + const SSL_CIPHER *c; BIO *io,*ssl_bio,*sbio; long total_bytes;