X-Git-Url: https://git.openssl.org/?a=blobdiff_plain;f=apps%2Fs_server.c;h=456952ea7fd459696fcc3ec693a8ccb208aa1558;hb=6b3bf0edf3b22e0f8f4de2f831cc4ed89b503e7c;hp=c95057a7f8f9f4f8541508a8cf703978b17b728c;hpb=babb379849ffb4112792f266f92e9ebb2bd35332;p=openssl.git diff --git a/apps/s_server.c b/apps/s_server.c index c95057a7f8..456952ea7f 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -298,11 +298,13 @@ static const char *session_id_prefix=NULL; static int enable_timeouts = 0; static long socket_mtu; +#ifndef OPENSSL_NO_DTLS1 static int cert_chain = 0; +#endif #ifndef OPENSSL_NO_PSK static char *psk_identity="Client_identity"; -static char *psk_key=NULL; /* by default PSK is not used */ +char *psk_key=NULL; /* by default PSK is not used */ static unsigned int psk_server_cb(SSL *ssl, const char *identity, unsigned char *psk, unsigned int max_psk_len) @@ -325,7 +327,9 @@ static unsigned int psk_server_cb(SSL *ssl, const char *identity, /* here we could lookup the given identity e.g. from a database */ if (strcmp(identity, psk_identity) != 0) { - BIO_printf(bio_s_out, "PSK error: client identity not found\n"); + BIO_printf(bio_s_out, "PSK error: client identity not found" + " (got '%s' expected '%s')\n", identity, + psk_identity); goto out_err; } if (s_debug) @@ -448,13 +452,16 @@ static void sv_usage(void) #ifndef OPENSSL_NO_PSK BIO_printf(bio_err," -psk_hint arg - PSK identity hint to use\n"); BIO_printf(bio_err," -psk arg - PSK in hex (without 0x)\n"); +# ifndef OPENSSL_NO_JPAKE + BIO_printf(bio_err," -jpake arg - JPAKE secret to use\n"); +# endif #endif BIO_printf(bio_err," -ssl2 - Just talk SSLv2\n"); BIO_printf(bio_err," -ssl3 - Just talk SSLv3\n"); BIO_printf(bio_err," -tls1 - Just talk TLSv1\n"); BIO_printf(bio_err," -dtls1 - Just talk DTLSv1\n"); BIO_printf(bio_err," -timeout - Enable timeouts\n"); - BIO_printf(bio_err," -mtu - Set MTU\n"); + BIO_printf(bio_err," -mtu - Set link layer MTU\n"); BIO_printf(bio_err," -chain - Read a certificate chain\n"); BIO_printf(bio_err," -no_ssl2 - Just disable SSLv2\n"); BIO_printf(bio_err," -no_ssl3 - Just disable SSLv3\n"); @@ -666,7 +673,7 @@ static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg) return p->extension_error; if (ctx2) { - BIO_printf(p->biodebug,"Swiching server context.\n"); + BIO_printf(p->biodebug,"Switching server context.\n"); SSL_set_SSL_CTX(s,ctx2); } } @@ -822,10 +829,14 @@ BIO_printf(err, "cert_status: received %d ids\n", sk_OCSP_RESPID_num(ids)); int MAIN(int, char **); +#ifndef OPENSSL_NO_JPAKE +static char *jpake_secret = NULL; +#endif + int MAIN(int argc, char *argv[]) { - X509_STORE *store = NULL; - int vflags = 0; + X509_VERIFY_PARAM *vpm = NULL; + int badarg = 0; short port=PORT; char *CApath=NULL,*CAfile=NULL; unsigned char *context = NULL; @@ -840,9 +851,7 @@ int MAIN(int argc, char *argv[]) int state=0; const SSL_METHOD *meth=NULL; int socket_type=SOCK_STREAM; -#ifndef OPENSSL_NO_ENGINE ENGINE *e=NULL; -#endif char *inrand=NULL; int s_cert_format = FORMAT_PEM, s_key_format = FORMAT_PEM; char *passarg = NULL, *pass = NULL; @@ -854,7 +863,6 @@ int MAIN(int argc, char *argv[]) EVP_PKEY *s_key2 = NULL; X509 *s_cert2 = NULL; #endif - #ifndef OPENSSL_NO_TLSEXT tlsextctx tlsextcbp = {NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING}; #endif @@ -993,13 +1001,11 @@ int MAIN(int argc, char *argv[]) if (--argc < 1) goto bad; CApath= *(++argv); } - else if (strcmp(*argv,"-crl_check") == 0) - { - vflags |= X509_V_FLAG_CRL_CHECK; - } - else if (strcmp(*argv,"-crl_check_all") == 0) + else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm)) { - vflags |= X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL; + if (badarg) + goto bad; + continue; } else if (strcmp(*argv,"-verify_return_error") == 0) verify_return_error = 1; @@ -1179,6 +1185,14 @@ int MAIN(int argc, char *argv[]) if (--argc < 1) goto bad; s_key_file2= *(++argv); } + +#endif +#if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK) + else if (strcmp(*argv,"-jpake") == 0) + { + if (--argc < 1) goto bad; + jpake_secret = *(++argv); + } #endif else { @@ -1196,6 +1210,26 @@ bad: goto end; } +#if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK) + if (jpake_secret) + { + if (psk_key) + { + BIO_printf(bio_err, + "Can't use JPAKE and PSK together\n"); + goto end; + } + psk_identity = "JPAKE"; + if (cipher) + { + BIO_printf(bio_err, "JPAKE sets cipher to PSK\n"); + goto end; + } + cipher = "PSK"; + } + +#endif + SSL_load_error_strings(); OpenSSL_add_ssl_algorithms(); @@ -1376,8 +1410,8 @@ bad: ERR_print_errors(bio_err); /* goto end; */ } - store = SSL_CTX_get_cert_store(ctx); - X509_STORE_set_flags(store, vflags); + if (vpm) + SSL_CTX_set1_param(ctx, vpm); #ifndef OPENSSL_NO_TLSEXT if (s_cert2) @@ -1428,8 +1462,8 @@ bad: { ERR_print_errors(bio_err); } - store = SSL_CTX_get_cert_store(ctx2); - X509_STORE_set_flags(store, vflags); + if (vpm) + SSL_CTX_set1_param(ctx2, vpm); } #endif @@ -1580,10 +1614,14 @@ bad: #endif #ifndef OPENSSL_NO_PSK +#ifdef OPENSSL_NO_JPAKE if (psk_key != NULL) +#else + if (psk_key != NULL || jpake_secret) +#endif { if (s_debug) - BIO_printf(bio_s_out, "PSK key given, setting server callback\n"); + BIO_printf(bio_s_out, "PSK key given or JPAKE in use, setting server callback\n"); SSL_CTX_set_psk_server_callback(ctx, psk_server_cb); } @@ -1785,10 +1823,10 @@ static int sv_body(char *hostname, int s, unsigned char *context) BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout); } - if (socket_mtu > 0) + if (socket_mtu > 28) { SSL_set_options(con, SSL_OP_NO_QUERY_MTU); - SSL_set_mtu(con, socket_mtu); + SSL_set_mtu(con, socket_mtu - 28); } else /* want to do MTU discovery */ @@ -1807,6 +1845,11 @@ static int sv_body(char *hostname, int s, unsigned char *context) test=BIO_new(BIO_f_nbio_test()); sbio=BIO_push(test,sbio); } +#ifndef OPENSSL_NO_JPAKE + if(jpake_secret) + jpake_server_auth(bio_s_out, sbio, jpake_secret); +#endif + SSL_set_bio(con,sbio,sbio); SSL_set_accept_state(con); /* SSL_set_fd(con,s); */