X-Git-Url: https://git.openssl.org/?a=blobdiff_plain;f=apps%2Fs_server.c;h=6467060c0f86744c0b48786768da654d29b6a89b;hb=417be660e1cd21a2ee085569ff98b0c4249b5416;hp=3143078346ffde9eed8fde946fa8124c9c782d2a;hpb=3b061a00e39d2e4ad524ff01cbdc0c53fe8171ee;p=openssl.git diff --git a/apps/s_server.c b/apps/s_server.c index 3143078346..6467060c0f 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -143,6 +143,7 @@ #include #include #include +#include #include @@ -189,9 +190,6 @@ typedef unsigned int u_int; # undef FIONBIO #endif -#ifndef OPENSSL_NO_RSA -static RSA *tmp_rsa_cb(SSL *s, int is_export, int keylength); -#endif static int not_resumable_sess_cb(SSL *s, int is_forward_secure); static int sv_body(char *hostname, int s, int stype, unsigned char *context); static int www_body(char *hostname, int s, int stype, unsigned char *context); @@ -232,7 +230,7 @@ static char *s_dcert_file = NULL, *s_dkey_file = NULL, *s_dchain_file = NULL; static int s_nbio = 0; #endif static int s_nbio_test = 0; -int s_crlf = 0; +static int s_crlf = 0; static SSL_CTX *ctx = NULL; static SSL_CTX *ctx2 = NULL; static int www = 0; @@ -252,16 +250,19 @@ static int s_brief = 0; static char *keymatexportlabel = NULL; static int keymatexportlen = 20; +static int async = 0; + #ifndef OPENSSL_NO_ENGINE static char *engine_id = NULL; #endif static const char *session_id_prefix = NULL; +#ifndef OPENSSL_NO_DTLS static int enable_timeouts = 0; static long socket_mtu; -#ifndef OPENSSL_NO_DTLS1 static int cert_chain = 0; #endif +static int dtlslisten = 0; static BIO *serverinfo_in = NULL; static const char *s_serverinfo_file = NULL; @@ -401,6 +402,7 @@ static void s_server_init(void) s_msg = 0; s_quiet = 0; s_brief = 0; + async = 0; #ifndef OPENSSL_NO_ENGINE engine_id = NULL; #endif @@ -666,7 +668,7 @@ static int cert_status_cb(SSL *s, void *arg) goto done; } req = OCSP_REQUEST_new(); - if (!req) + if (req == NULL) goto err; id = OCSP_cert_to_id(NULL, x, obj.data.x509); X509_free(obj.data.x509); @@ -795,19 +797,19 @@ typedef enum OPTION_choice { OPT_CRL_DOWNLOAD, OPT_SERVERINFO, OPT_CERTFORM, OPT_KEY, OPT_KEYFORM, OPT_PASS, OPT_CERT_CHAIN, OPT_DHPARAM, OPT_DCERTFORM, OPT_DCERT, OPT_DKEYFORM, OPT_DPASS, OPT_DKEY, OPT_DCERT_CHAIN, OPT_NOCERT, - OPT_CAPATH, OPT_CHAINCAPATH, OPT_VERIFYCAPATH, OPT_NO_CACHE, + OPT_CAPATH, OPT_NOCAPATH, OPT_CHAINCAPATH, OPT_VERIFYCAPATH, OPT_NO_CACHE, OPT_EXT_CACHE, OPT_CRLFORM, OPT_VERIFY_RET_ERROR, OPT_VERIFY_QUIET, - OPT_BUILD_CHAIN, OPT_CAFILE, OPT_CHAINCAFILE, OPT_VERIFYCAFILE, - OPT_NBIO, OPT_NBIO_TEST, OPT_IGN_EOF, OPT_NO_IGN_EOF, OPT_DEBUG, - OPT_TLSEXTDEBUG, OPT_STATUS, OPT_STATUS_VERBOSE, OPT_STATUS_TIMEOUT, - OPT_STATUS_URL, OPT_MSG, OPT_MSGFILE, OPT_TRACE, OPT_SECURITY_DEBUG, - OPT_SECURITY_DEBUG_VERBOSE, OPT_STATE, OPT_CRLF, OPT_QUIET, - OPT_BRIEF, OPT_NO_TMP_RSA, OPT_NO_DHE, OPT_NO_ECDHE, + OPT_BUILD_CHAIN, OPT_CAFILE, OPT_NOCAFILE, OPT_CHAINCAFILE, + OPT_VERIFYCAFILE, OPT_NBIO, OPT_NBIO_TEST, OPT_IGN_EOF, OPT_NO_IGN_EOF, + OPT_DEBUG, OPT_TLSEXTDEBUG, OPT_STATUS, OPT_STATUS_VERBOSE, + OPT_STATUS_TIMEOUT, OPT_STATUS_URL, OPT_MSG, OPT_MSGFILE, OPT_TRACE, + OPT_SECURITY_DEBUG, OPT_SECURITY_DEBUG_VERBOSE, OPT_STATE, OPT_CRLF, + OPT_QUIET, OPT_BRIEF, OPT_NO_DHE, OPT_NO_RESUME_EPHEMERAL, OPT_PSK_HINT, OPT_PSK, OPT_SRPVFILE, - OPT_SRPUSERSEED, OPT_REV, OPT_WWW, OPT_UPPER_WWW, OPT_HTTP, - OPT_SSL3, + OPT_SRPUSERSEED, OPT_REV, OPT_WWW, OPT_UPPER_WWW, OPT_HTTP, OPT_ASYNC, + OPT_SSL_CONFIG, OPT_SSL3, OPT_TLS1_2, OPT_TLS1_1, OPT_TLS1, OPT_DTLS, OPT_DTLS1, - OPT_DTLS1_2, OPT_TIMEOUT, OPT_MTU, OPT_CHAIN, + OPT_DTLS1_2, OPT_TIMEOUT, OPT_MTU, OPT_CHAIN, OPT_LISTEN, OPT_ID_PREFIX, OPT_RAND, OPT_SERVERNAME, OPT_SERVERNAME_FATAL, OPT_CERT2, OPT_KEY2, OPT_NEXTPROTONEG, OPT_ALPN, OPT_JPAKE, OPT_SRTP_PROFILES, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN, @@ -853,14 +855,14 @@ OPTIONS s_server_options[] = { {"msg", OPT_MSG, '-', "Show protocol messages"}, {"msgfile", OPT_MSGFILE, '>'}, {"state", OPT_STATE, '-', "Print the SSL states"}, - {"CApath", OPT_CAPATH, '/', "PEM format directory of CA's"}, {"CAfile", OPT_CAFILE, '<', "PEM format file of CA's"}, + {"CApath", OPT_CAPATH, '/', "PEM format directory of CA's"}, + {"no-CAfile", OPT_NOCAFILE, '-', + "Do not load the default certificates file"}, + {"no-CApath", OPT_NOCAPATH, '-', + "Do not load certificates from the default certificates directory"}, {"nocert", OPT_NOCERT, '-', "Don't use any certificates (Anon-DH)"}, {"quiet", OPT_QUIET, '-', "No server output"}, - {"no_tmp_rsa", OPT_NO_TMP_RSA, '-', "Do not generate a tmp RSA key"}, - {"tls1_2", OPT_TLS1_2, '-', "just talk TLSv1.2"}, - {"tls1_1", OPT_TLS1_1, '-', "Just talk TLSv1.1"}, - {"tls1", OPT_TLS1, '-', "Just talk TLSv1"}, {"no_resume_ephemeral", OPT_NO_RESUME_EPHEMERAL, '-', "Disable caching and tickets if ephemeral (EC)DH is used"}, {"www", OPT_WWW, '-', "Respond to a 'GET /' with a status page"}, @@ -909,6 +911,8 @@ OPTIONS s_server_options[] = { {"security_debug_verbose", OPT_SECURITY_DEBUG_VERBOSE, '-'}, {"brief", OPT_BRIEF, '-'}, {"rev", OPT_REV, '-'}, + {"async", OPT_ASYNC, '-', "Operate in asynchronous mode"}, + {"ssl_config", OPT_SSL_CONFIG, 's'}, OPT_S_OPTIONS, OPT_V_OPTIONS, OPT_X_OPTIONS, @@ -930,26 +934,38 @@ OPTIONS s_server_options[] = { #ifndef OPENSSL_NO_SSL3 {"ssl3", OPT_SSL3, '-', "Just talk SSLv3"}, #endif -#ifndef OPENSSL_NO_DTLS1 +#ifndef OPENSSL_NO_TLS1 + {"tls1", OPT_TLS1, '-', "Just talk TLSv1"}, +#endif +#ifndef OPENSSL_NO_TLS1_1 + {"tls1_1", OPT_TLS1_1, '-', "Just talk TLSv1.1"}, +#endif +#ifndef OPENSSL_NO_TLS1_2 + {"tls1_2", OPT_TLS1_2, '-', "just talk TLSv1.2"}, +#endif +#ifndef OPENSSL_NO_DTLS {"dtls", OPT_DTLS, '-'}, - {"dtls1", OPT_DTLS1, '-', "Just talk DTLSv1"}, - {"dtls1_2", OPT_DTLS1_2, '-', "Just talk DTLSv1.2"}, {"timeout", OPT_TIMEOUT, '-', "Enable timeouts"}, {"mtu", OPT_MTU, 'p', "Set link layer MTU"}, {"chain", OPT_CHAIN, '-', "Read a certificate chain"}, + {"listen", OPT_LISTEN, '-', + "Listen for a DTLS ClientHello with a cookie and then connect"}, +#endif +#ifndef OPENSSL_NO_DTLS1 + {"dtls1", OPT_DTLS1, '-', "Just talk DTLSv1"}, +#endif +#ifndef OPENSSL_NO_DTLS1_2 + {"dtls1_2", OPT_DTLS1_2, '-', "Just talk DTLSv1.2"}, #endif #ifndef OPENSSL_NO_DH {"no_dhe", OPT_NO_DHE, '-', "Disable ephemeral DH"}, #endif -#ifndef OPENSSL_NO_EC - {"no_ecdhe", OPT_NO_ECDHE, '-', "Disable ephemeral ECDH"}, -#endif #ifndef OPENSSL_NO_NEXTPROTONEG {"nextprotoneg", OPT_NEXTPROTONEG, 's', "Set the advertised protocols for the NPN extension (comma-separated list)"}, #endif #ifndef OPENSSL_NO_SRTP - {"use_srtp", OPT_SRTP_PROFILES, '<', + {"use_srtp", OPT_SRTP_PROFILES, 's', "Offer SRTP key management with a colon-separated profile list"}, {"alpn", OPT_ALPN, 's', "Set the advertised protocols for the ALPN extension (comma-separated list)"}, @@ -973,7 +989,10 @@ int s_server_main(int argc, char *argv[]) X509 *s_cert = NULL, *s_dcert = NULL; X509_VERIFY_PARAM *vpm = NULL; char *CApath = NULL, *CAfile = NULL, *chCApath = NULL, *chCAfile = NULL; - char *dhfile = NULL, *dpassarg = NULL, *dpass = NULL, *inrand = NULL; +#ifndef OPENSSL_NO_DH + char *dhfile = NULL; +#endif + char *dpassarg = NULL, *dpass = NULL, *inrand = NULL; char *passarg = NULL, *pass = NULL, *vfyCApath = NULL, *vfyCAfile = NULL; char *crl_file = NULL, *prog; #ifndef OPENSSL_NO_PSK @@ -986,7 +1005,11 @@ int s_server_main(int argc, char *argv[]) int (*server_cb) (char *hostname, int s, int stype, unsigned char *context); int vpmtouched = 0, build_chain = 0, no_cache = 0, ext_cache = 0; - int no_tmp_rsa = 0, no_dhe = 0, no_ecdhe = 0, nocert = 0, ret = 1; +#ifndef OPENSSL_NO_DH + int no_dhe = 0; +#endif + int nocert = 0, ret = 1; + int noCApath = 0, noCAfile = 0; int s_cert_format = FORMAT_PEM, s_key_format = FORMAT_PEM; int s_dcert_format = FORMAT_PEM, s_dkey_format = FORMAT_PEM; int rev = 0, naccept = -1, sdebug = 0, socket_type = SOCK_STREAM; @@ -997,6 +1020,7 @@ int s_server_main(int argc, char *argv[]) EVP_PKEY *s_key2 = NULL; X509 *s_cert2 = NULL; tlsextctx tlsextcbp = { NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING }; + const char *ssl_config = NULL; #ifndef OPENSSL_NO_NEXTPROTONEG const char *next_proto_neg_in = NULL; tlsextnextprotoctx next_proto = { NULL, 0 }; @@ -1025,18 +1049,6 @@ int s_server_main(int argc, char *argv[]) prog = opt_init(argc, argv, s_server_options); while ((o = opt_next()) != OPT_EOF) { switch (o) { -#ifdef OPENSSL_NO_PSK - case OPT_PSK_HINT: - case OPT_PSK: -#endif -#ifdef OPENSSL_NO_DTLS1 - case OPT_DTLS: - case OPT_DTLS1: - case OPT_DTLS1_2: - case OPT_TIMEOUT: - case OPT_MTU: - case OPT_CHAIN: -#endif case OPT_EOF: case OPT_ERR: opthelp: @@ -1119,7 +1131,9 @@ int s_server_main(int argc, char *argv[]) s_chain_file = opt_arg(); break; case OPT_DHPARAM: +#ifndef OPENSSL_NO_DH dhfile = opt_arg(); +#endif break; case OPT_DCERTFORM: if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &s_dcert_format)) @@ -1147,6 +1161,9 @@ int s_server_main(int argc, char *argv[]) case OPT_CAPATH: CApath = opt_arg(); break; + case OPT_NOCAPATH: + noCApath = 1; + break; case OPT_CHAINCAPATH: chCApath = opt_arg(); break; @@ -1194,6 +1211,9 @@ int s_server_main(int argc, char *argv[]) case OPT_CAFILE: CAfile = opt_arg(); break; + case OPT_NOCAFILE: + noCAfile = 1; + break; case OPT_CHAINCAFILE: chCAfile = opt_arg(); break; @@ -1268,49 +1288,41 @@ int s_server_main(int argc, char *argv[]) case OPT_BRIEF: s_quiet = s_brief = verify_quiet = 1; break; - case OPT_NO_TMP_RSA: - no_tmp_rsa = 1; - break; case OPT_NO_DHE: +#ifndef OPENSSL_NO_DH no_dhe = 1; - break; - case OPT_NO_ECDHE: - no_ecdhe = 1; +#endif break; case OPT_NO_RESUME_EPHEMERAL: no_resume_ephemeral = 1; break; -#ifndef OPENSSL_NO_PSK case OPT_PSK_HINT: +#ifndef OPENSSL_NO_PSK psk_identity_hint = opt_arg(); +#endif break; case OPT_PSK: +#ifndef OPENSSL_NO_PSK for (p = psk_key = opt_arg(); *p; p++) { if (isxdigit(*p)) continue; BIO_printf(bio_err, "Not a hex number '%s'\n", *argv); goto end; } - break; -#else - case OPT_PSK_HINT: - case OPT_PSK: - break; #endif -#ifndef OPENSSL_NO_SRP + break; case OPT_SRPVFILE: +#ifndef OPENSSL_NO_SRP srp_verifier_file = opt_arg(); meth = TLSv1_server_method(); +#endif break; case OPT_SRPUSERSEED: +#ifndef OPENSSL_NO_SRP srpuserseed = opt_arg(); meth = TLSv1_server_method(); - break; -#else - case OPT_SRPVFILE: - case OPT_SRPUSERSEED: - break; #endif + break; case OPT_REV: rev = 1; break; @@ -1323,51 +1335,67 @@ int s_server_main(int argc, char *argv[]) case OPT_HTTP: www = 3; break; + case OPT_SSL_CONFIG: + ssl_config = opt_arg(); + break; case OPT_SSL3: #ifndef OPENSSL_NO_SSL3 meth = SSLv3_server_method(); #endif break; case OPT_TLS1_2: +#ifndef OPENSSL_NO_TLS1_2 meth = TLSv1_2_server_method(); +#endif break; case OPT_TLS1_1: +#ifndef OPENSSL_NO_TLS1_1 meth = TLSv1_1_server_method(); +#endif break; case OPT_TLS1: +#ifndef OPENSSL_NO_TLS1 meth = TLSv1_server_method(); +#endif break; -#ifndef OPENSSL_NO_DTLS1 case OPT_DTLS: +#ifndef OPENSSL_NO_DTLS meth = DTLS_server_method(); socket_type = SOCK_DGRAM; +#endif break; case OPT_DTLS1: +#ifndef OPENSSL_NO_DTLS1 meth = DTLSv1_server_method(); socket_type = SOCK_DGRAM; +#endif break; case OPT_DTLS1_2: +#ifndef OPENSSL_NO_DTLS1_2 meth = DTLSv1_2_server_method(); socket_type = SOCK_DGRAM; +#endif break; case OPT_TIMEOUT: +#ifndef OPENSSL_NO_DTLS enable_timeouts = 1; +#endif break; case OPT_MTU: +#ifndef OPENSSL_NO_DTLS socket_mtu = atol(opt_arg()); +#endif break; case OPT_CHAIN: +#ifndef OPENSSL_NO_DTLS cert_chain = 1; +#endif break; -#else - case OPT_DTLS: - case OPT_DTLS1: - case OPT_DTLS1_2: - case OPT_TIMEOUT: - case OPT_MTU: - case OPT_CHAIN: - break; + case OPT_LISTEN: +#ifndef OPENSSL_NO_DTLS + dtlslisten = 1; #endif + break; case OPT_ID_PREFIX: session_id_prefix = opt_arg(); break; @@ -1414,16 +1442,24 @@ int s_server_main(int argc, char *argv[]) case OPT_KEYMATEXPORTLEN: keymatexportlen = atoi(opt_arg()); break; + case OPT_ASYNC: + async = 1; + break; } } argc = opt_num_rest(); argv = opt_rest(); -#ifndef OPENSSL_NO_DTLS1 +#ifndef OPENSSL_NO_DTLS if (www && socket_type == SOCK_DGRAM) { BIO_printf(bio_err, "Can't use -HTTP, -www or -WWW with DTLS\n"); goto end; } + + if (dtlslisten && socket_type != SOCK_DGRAM) { + BIO_printf(bio_err, "Can only use -listen with DTLS\n"); + goto end; + } #endif if (unix_path && (socket_type != SOCK_STREAM)) { @@ -1446,9 +1482,6 @@ int s_server_main(int argc, char *argv[]) goto end; } - if (!app_load_modules(NULL)) - goto end; - if (s_key_file == NULL) s_key_file = s_cert_file; @@ -1474,9 +1507,8 @@ int s_server_main(int argc, char *argv[]) goto end; } if (s_chain_file) { - s_chain = load_certs(s_chain_file, FORMAT_PEM, - NULL, e, "server certificate chain"); - if (!s_chain) + if (!load_certs(s_chain_file, &s_chain, FORMAT_PEM, NULL, e, + "server certificate chain")) goto end; } @@ -1554,9 +1586,8 @@ int s_server_main(int argc, char *argv[]) goto end; } if (s_dchain_file) { - s_dchain = load_certs(s_dchain_file, FORMAT_PEM, - NULL, e, "second server certificate chain"); - if (!s_dchain) + if (!load_certs(s_dchain_file, &s_dchain, FORMAT_PEM, NULL, e, + "second server certificate chain")) goto end; } @@ -1575,10 +1606,10 @@ int s_server_main(int argc, char *argv[]) if (s_quiet && !s_debug) { bio_s_out = BIO_new(BIO_s_null()); if (s_msg && !bio_s_msg) - bio_s_msg = dup_bio_out(); + bio_s_msg = dup_bio_out(FORMAT_TEXT); } else { if (bio_s_out == NULL) - bio_s_out = dup_bio_out(); + bio_s_out = dup_bio_out(FORMAT_TEXT); } } #if !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_EC) @@ -1600,6 +1631,15 @@ int s_server_main(int argc, char *argv[]) ERR_print_errors(bio_err); goto end; } + if (ssl_config) { + if (SSL_CTX_config(ctx, ssl_config) == 0) { + BIO_printf(bio_err, "Error using configuration \"%s\"\n", + ssl_config); + ERR_print_errors(bio_err); + goto end; + } + } + if (session_id_prefix) { if (strlen(session_id_prefix) >= 32) BIO_printf(bio_err, @@ -1624,6 +1664,11 @@ int s_server_main(int argc, char *argv[]) else SSL_CTX_sess_set_cache_size(ctx, 128); + if (async) { + SSL_CTX_set_mode(ctx, SSL_MODE_ASYNC); + ASYNC_init(1, 0, 0); + } + #ifndef OPENSSL_NO_SRTP if (srtp_profiles != NULL) { /* Returns 0 on success! */ @@ -1635,7 +1680,7 @@ int s_server_main(int argc, char *argv[]) } #endif - if (!ctx_set_verify_locations(ctx, CAfile, CApath)) { + if (!ctx_set_verify_locations(ctx, CAfile, CApath, noCAfile, noCApath)) { ERR_print_errors(bio_err); goto end; } @@ -1646,7 +1691,7 @@ int s_server_main(int argc, char *argv[]) } ssl_ctx_add_crls(ctx, crls, 0); - if (!config_ctx(cctx, ssl_args, ctx, no_ecdhe, jpake_secret == NULL)) + if (!config_ctx(cctx, ssl_args, ctx, jpake_secret == NULL)) goto end; if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile, @@ -1695,6 +1740,9 @@ int s_server_main(int argc, char *argv[]) else SSL_CTX_sess_set_cache_size(ctx2, 128); + if (async) + SSL_CTX_set_mode(ctx2, SSL_MODE_ASYNC); + if ((!SSL_CTX_load_verify_locations(ctx2, CAfile, CApath)) || (!SSL_CTX_set_default_verify_paths(ctx2))) { ERR_print_errors(bio_err); @@ -1706,7 +1754,7 @@ int s_server_main(int argc, char *argv[]) } ssl_ctx_add_crls(ctx2, crls, 0); - if (!config_ctx(cctx, ssl_args, ctx2, no_ecdhe, jpake_secret == NULL)) + if (!config_ctx(cctx, ssl_args, ctx2, jpake_secret == NULL)) goto end; } #ifndef OPENSSL_NO_NEXTPROTONEG @@ -1782,13 +1830,6 @@ int s_server_main(int argc, char *argv[]) if (!set_cert_key_stuff(ctx, s_dcert, s_dkey, s_dchain, build_chain)) goto end; } -#ifndef OPENSSL_NO_RSA - if (!no_tmp_rsa) { - SSL_CTX_set_tmp_rsa_callback(ctx, tmp_rsa_cb); - if (ctx2) - SSL_CTX_set_tmp_rsa_callback(ctx2, tmp_rsa_cb); - } -#endif if (no_resume_ephemeral) { SSL_CTX_set_not_resumable_session_callback(ctx, @@ -1871,6 +1912,14 @@ int s_server_main(int argc, char *argv[]) if (ctx2) SSL_CTX_set_client_CA_list(ctx2, SSL_load_client_CA_file(CAfile)); } + if (s_tlsextstatus) { + SSL_CTX_set_tlsext_status_cb(ctx, cert_status_cb); + SSL_CTX_set_tlsext_status_arg(ctx, &tlscstatp); + if (ctx2) { + SSL_CTX_set_tlsext_status_cb(ctx2, cert_status_cb); + SSL_CTX_set_tlsext_status_arg(ctx2, &tlscstatp); + } + } BIO_printf(bio_s_out, "ACCEPT\n"); (void)BIO_flush(bio_s_out); @@ -1923,6 +1972,9 @@ int s_server_main(int argc, char *argv[]) bio_s_out = NULL; BIO_free(bio_s_msg); bio_s_msg = NULL; + if (async) { + ASYNC_cleanup(1); + } return (ret); } @@ -1989,10 +2041,6 @@ static int sv_body(char *hostname, int s, int stype, unsigned char *context) SSL_set_tlsext_debug_callback(con, tlsext_cb); SSL_set_tlsext_debug_arg(con, bio_s_out); } - if (s_tlsextstatus) { - SSL_CTX_set_tlsext_status_cb(ctx, cert_status_cb); - SSL_CTX_set_tlsext_status_arg(ctx, &tlscstatp); - } if (context && !SSL_set_session_id_context(con, @@ -2007,7 +2055,7 @@ static int sv_body(char *hostname, int s, int stype, unsigned char *context) ret = -1; goto err; } - +#ifndef OPENSSL_NO_DTLS if (stype == SOCK_DGRAM) { sbio = BIO_new_dgram(s, BIO_NOCLOSE); @@ -2044,6 +2092,7 @@ static int sv_body(char *hostname, int s, int stype, unsigned char *context) /* turn on cookie exchange */ SSL_set_options(con, SSL_OP_COOKIE_EXCHANGE); } else +#endif sbio = BIO_new_socket(s, BIO_NOCLOSE); if (s_nbio_test) { @@ -2062,7 +2111,6 @@ static int sv_body(char *hostname, int s, int stype, unsigned char *context) /* SSL_set_fd(con,s); */ if (s_debug) { - SSL_set_debug(con, 1); BIO_set_callback(SSL_get_rbio(con), bio_dump_callback); BIO_set_callback_arg(SSL_get_rbio(con), (char *)bio_s_out); } @@ -2087,7 +2135,8 @@ static int sv_body(char *hostname, int s, int stype, unsigned char *context) int read_from_sslcon; read_from_terminal = 0; - read_from_sslcon = SSL_pending(con); + read_from_sslcon = SSL_pending(con) + || (async && SSL_waiting_for_async(con)); if (!read_from_sslcon) { FD_ZERO(&readfds); @@ -2251,6 +2300,10 @@ static int sv_body(char *hostname, int s, int stype, unsigned char *context) switch (SSL_get_error(con, k)) { case SSL_ERROR_NONE: break; + case SSL_ERROR_WANT_ASYNC: + BIO_printf(bio_s_out, "Write BLOCK (Async)\n"); + wait_for_async(con); + break; case SSL_ERROR_WANT_WRITE: case SSL_ERROR_WANT_READ: case SSL_ERROR_WANT_X509_LOOKUP: @@ -2279,7 +2332,13 @@ static int sv_body(char *hostname, int s, int stype, unsigned char *context) } } if (read_from_sslcon) { - if (!SSL_is_init_finished(con)) { + /* + * init_ssl_connection handles all async events itself so if we're + * waiting for async then we shouldn't go back into + * init_ssl_connection + */ + if ((!async || !SSL_waiting_for_async(con)) + && !SSL_is_init_finished(con)) { i = init_ssl_connection(con); if (i < 0) { @@ -2315,6 +2374,10 @@ static int sv_body(char *hostname, int s, int stype, unsigned char *context) if (SSL_pending(con)) goto again; break; + case SSL_ERROR_WANT_ASYNC: + BIO_printf(bio_s_out, "Read BLOCK (Async)\n"); + wait_for_async(con); + break; case SSL_ERROR_WANT_WRITE: case SSL_ERROR_WANT_READ: BIO_printf(bio_s_out, "Read BLOCK\n"); @@ -2362,53 +2425,84 @@ static int init_ssl_connection(SSL *con) int i; const char *str; X509 *peer; - long verify_error; + long verify_err; char buf[BUFSIZ]; #if !defined(OPENSSL_NO_NEXTPROTONEG) const unsigned char *next_proto_neg; unsigned next_proto_neg_len; #endif unsigned char *exportedkeymat; +#ifndef OPENSSL_NO_DTLS + struct sockaddr_storage client; +#endif + +#ifndef OPENSSL_NO_DTLS + if(dtlslisten) { + i = DTLSv1_listen(con, &client); + if (i > 0) { + BIO *wbio; + int fd = -1; + + wbio = SSL_get_wbio(con); + if(wbio) { + BIO_get_fd(wbio, &fd); + } + + if(!wbio || connect(fd, (struct sockaddr *)&client, + sizeof(struct sockaddr_storage))) { + BIO_printf(bio_err, "ERROR - unable to connect\n"); + return 0; + } + dtlslisten = 0; + i = SSL_accept(con); + } + } else +#endif + + do { + i = SSL_accept(con); - i = SSL_accept(con); #ifdef CERT_CB_TEST_RETRY - { - while (i <= 0 && SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP - && SSL_state(con) == SSL3_ST_SR_CLNT_HELLO_C) { - BIO_printf(bio_err, + { + while (i <= 0 && SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP + && SSL_get_state(con) == TLS_ST_SR_CLNT_HELLO) { + BIO_printf(bio_err, "LOOKUP from certificate callback during accept\n"); - i = SSL_accept(con); + i = SSL_accept(con); + } } - } #endif + #ifndef OPENSSL_NO_SRP - while (i <= 0 && SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP) { - BIO_printf(bio_s_out, "LOOKUP during accept %s\n", - srp_callback_parm.login); - srp_callback_parm.user = - SRP_VBASE_get_by_user(srp_callback_parm.vb, - srp_callback_parm.login); - if (srp_callback_parm.user) - BIO_printf(bio_s_out, "LOOKUP done %s\n", - srp_callback_parm.user->info); - else - BIO_printf(bio_s_out, "LOOKUP not successful\n"); - i = SSL_accept(con); - } + while (i <= 0 && SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP) { + BIO_printf(bio_s_out, "LOOKUP during accept %s\n", + srp_callback_parm.login); + srp_callback_parm.user = + SRP_VBASE_get_by_user(srp_callback_parm.vb, + srp_callback_parm.login); + if (srp_callback_parm.user) + BIO_printf(bio_s_out, "LOOKUP done %s\n", + srp_callback_parm.user->info); + else + BIO_printf(bio_s_out, "LOOKUP not successful\n"); + i = SSL_accept(con); + } #endif + } while (i < 0 && SSL_waiting_for_async(con)); if (i <= 0) { - if (BIO_sock_should_retry(i)) { + if ((dtlslisten && i == 0) + || (!dtlslisten && BIO_sock_should_retry(i))) { BIO_printf(bio_s_out, "DELAY\n"); return (1); } BIO_printf(bio_err, "ERROR\n"); - verify_error = SSL_get_verify_result(con); - if (verify_error != X509_V_OK) { + verify_err = SSL_get_verify_result(con); + if (verify_err != X509_V_OK) { BIO_printf(bio_err, "verify error:%s\n", - X509_verify_cert_error_string(verify_error)); + X509_verify_cert_error_string(verify_err)); } /* Always print any error messages */ ERR_print_errors(bio_err); @@ -2512,6 +2606,11 @@ static int www_body(char *hostname, int s, int stype, unsigned char *context) #ifdef RENEG int total_bytes = 0; #endif + int width; + fd_set readfds; + + /* Set width for a select call if needed */ + width = s + 1; buf = app_malloc(bufsize, "server www buffer"); io = BIO_new(BIO_f_buffer()); @@ -2564,7 +2663,6 @@ static int www_body(char *hostname, int s, int stype, unsigned char *context) #endif if (s_debug) { - SSL_set_debug(con, 1); BIO_set_callback(SSL_get_rbio(con), bio_dump_callback); BIO_set_callback_arg(SSL_get_rbio(con), (char *)bio_s_out); } @@ -2581,12 +2679,27 @@ static int www_body(char *hostname, int s, int stype, unsigned char *context) for (;;) { i = BIO_gets(io, buf, bufsize - 1); if (i < 0) { /* error */ - if (!BIO_should_retry(io)) { + if (!BIO_should_retry(io) && !SSL_waiting_for_async(con)) { if (!s_quiet) ERR_print_errors(bio_err); goto err; } else { BIO_printf(bio_s_out, "read R BLOCK\n"); +#ifndef OPENSSL_NO_SRP + if (BIO_should_io_special(io) + && BIO_get_retry_reason(io) == BIO_RR_SSL_X509_LOOKUP) { + BIO_printf(bio_s_out, "LOOKUP renego during read\n"); + srp_callback_parm.user = + SRP_VBASE_get_by_user(srp_callback_parm.vb, + srp_callback_parm.login); + if (srp_callback_parm.user) + BIO_printf(bio_s_out, "LOOKUP done %s\n", + srp_callback_parm.user->info); + else + BIO_printf(bio_s_out, "LOOKUP not successful\n"); + continue; + } +#endif #if defined(OPENSSL_SYS_NETWARE) delay(1000); #elif !defined(OPENSSL_SYS_MSDOS) @@ -2614,6 +2727,7 @@ static int www_body(char *hostname, int s, int stype, unsigned char *context) NULL); i = SSL_renegotiate(con); BIO_printf(bio_s_out, "SSL_renegotiate -> %d\n", i); + /* Send the HelloRequest */ i = SSL_do_handshake(con); if (i <= 0) { BIO_printf(bio_s_out, "SSL_do_handshake() Retval %d\n", @@ -2621,23 +2735,29 @@ static int www_body(char *hostname, int s, int stype, unsigned char *context) ERR_print_errors(bio_err); goto err; } - /* EVIL HACK! */ - SSL_set_state(con, SSL_ST_ACCEPT); - i = SSL_do_handshake(con); - BIO_printf(bio_s_out, "SSL_do_handshake -> %d\n", i); - if (i <= 0) { - BIO_printf(bio_s_out, "SSL_do_handshake() Retval %d\n", - SSL_get_error(con, i)); + /* Wait for a ClientHello to come back */ + FD_ZERO(&readfds); + openssl_fdset(s, &readfds); + i = select(width, (void *)&readfds, NULL, NULL, NULL); + if (i <= 0 || !FD_ISSET(s, &readfds)) { + BIO_printf(bio_s_out, "Error waiting for client response\n"); ERR_print_errors(bio_err); goto err; } + /* + * We're not acutally expecting any data here and we ignore + * any that is sent. This is just to force the handshake that + * we're expecting to come from the client. If they haven't + * sent one there's not much we can do. + */ + BIO_gets(io, buf, bufsize - 1); } BIO_puts(io, "HTTP/1.0 200 ok\r\nContent-type: text/html\r\n\r\n"); BIO_puts(io, "\n"); BIO_puts(io, "
\n");
-/*                      BIO_puts(io,SSLeay_version(SSLEAY_VERSION));*/
+/*                      BIO_puts(io,OpenSSL_version(OPENSSL_VERSION));*/
             BIO_puts(io, "\n");
             for (i = 0; i < local_argc; i++) {
                 const char *myp;
@@ -2826,7 +2946,7 @@ static int www_body(char *hostname, int s, int stype, unsigned char *context)
 #endif
                     k = BIO_write(io, &(buf[j]), i - j);
                     if (k <= 0) {
-                        if (!BIO_should_retry(io))
+                        if (!BIO_should_retry(io)  && !SSL_waiting_for_async(con))
                             goto write_error;
                         else {
                             BIO_printf(bio_s_out, "rwrite W BLOCK\n");
@@ -2904,7 +3024,6 @@ static int rev_body(char *hostname, int s, int stype, unsigned char *context)
 #endif
 
     if (s_debug) {
-        SSL_set_debug(con, 1);
         BIO_set_callback(SSL_get_rbio(con), bio_dump_callback);
         BIO_set_callback_arg(SSL_get_rbio(con), (char *)bio_s_out);
     }
@@ -2927,6 +3046,21 @@ static int rev_body(char *hostname, int s, int stype, unsigned char *context)
             ERR_print_errors(bio_err);
             goto end;
         }
+#ifndef OPENSSL_NO_SRP
+        if (BIO_should_io_special(io)
+            && BIO_get_retry_reason(io) == BIO_RR_SSL_X509_LOOKUP) {
+            BIO_printf(bio_s_out, "LOOKUP renego during accept\n");
+            srp_callback_parm.user =
+                SRP_VBASE_get_by_user(srp_callback_parm.vb,
+                                      srp_callback_parm.login);
+            if (srp_callback_parm.user)
+                BIO_printf(bio_s_out, "LOOKUP done %s\n",
+                           srp_callback_parm.user->info);
+            else
+                BIO_printf(bio_s_out, "LOOKUP not successful\n");
+            continue;
+        }
+#endif
     }
     BIO_printf(bio_err, "CONNECTION ESTABLISHED\n");
     print_ssl_summary(con);
@@ -2940,6 +3074,21 @@ static int rev_body(char *hostname, int s, int stype, unsigned char *context)
                 goto err;
             } else {
                 BIO_printf(bio_s_out, "read R BLOCK\n");
+#ifndef OPENSSL_NO_SRP
+                if (BIO_should_io_special(io)
+                    && BIO_get_retry_reason(io) == BIO_RR_SSL_X509_LOOKUP) {
+                    BIO_printf(bio_s_out, "LOOKUP renego during read\n");
+                    srp_callback_parm.user =
+                        SRP_VBASE_get_by_user(srp_callback_parm.vb,
+                                              srp_callback_parm.login);
+                    if (srp_callback_parm.user)
+                        BIO_printf(bio_s_out, "LOOKUP done %s\n",
+                                   srp_callback_parm.user->info);
+                    else
+                        BIO_printf(bio_s_out, "LOOKUP not successful\n");
+                    continue;
+                }
+#endif
 #if defined(OPENSSL_SYS_NETWARE)
                 delay(1000);
 #elif !defined(OPENSSL_SYS_MSDOS)
@@ -2985,35 +3134,6 @@ static int rev_body(char *hostname, int s, int stype, unsigned char *context)
     return (ret);
 }
 
-#ifndef OPENSSL_NO_RSA
-static RSA *tmp_rsa_cb(SSL *s, int is_export, int keylength)
-{
-    BIGNUM *bn = NULL;
-    static RSA *rsa_tmp = NULL;
-
-    if (!rsa_tmp && ((bn = BN_new()) == NULL))
-        BIO_printf(bio_err, "Allocation error in generating RSA key\n");
-    if (!rsa_tmp && bn) {
-        if (!s_quiet) {
-            BIO_printf(bio_err, "Generating temp (%d bit) RSA key...",
-                       keylength);
-            (void)BIO_flush(bio_err);
-        }
-        if (!BN_set_word(bn, RSA_F4) || ((rsa_tmp = RSA_new()) == NULL) ||
-            !RSA_generate_key_ex(rsa_tmp, keylength, bn, NULL)) {
-            RSA_free(rsa_tmp);
-            rsa_tmp = NULL;
-        }
-        if (!s_quiet) {
-            BIO_printf(bio_err, "\n");
-            (void)BIO_flush(bio_err);
-        }
-        BN_free(bn);
-    }
-    return (rsa_tmp);
-}
-#endif
-
 #define MAX_SESSION_ID_ATTEMPTS 10
 static int generate_session_id(const SSL *ssl, unsigned char *id,
                                unsigned int *id_len)
@@ -3070,7 +3190,7 @@ static int add_session(SSL *ssl, SSL_SESSION *session)
         return 0;
     }
 
-    sess->id = BUF_memdup(SSL_SESSION_get_id(session, NULL), sess->idlen);
+    sess->id = OPENSSL_memdup(SSL_SESSION_get_id(session, NULL), sess->idlen);
     sess->der = app_malloc(sess->derlen, "get session buffer");
     if (!sess->id) {
         BIO_printf(bio_err, "Out of memory adding to external cache\n");
@@ -3096,7 +3216,7 @@ static int add_session(SSL *ssl, SSL_SESSION *session)
     return 0;
 }
 
-static SSL_SESSION *get_session(SSL *ssl, unsigned char *id, int idlen,
+static SSL_SESSION *get_session(SSL *ssl, const unsigned char *id, int idlen,
                                 int *do_copy)
 {
     simple_ssl_session *sess;