X-Git-Url: https://git.openssl.org/?a=blobdiff_plain;f=apps%2Fs_server.c;h=9d1a1fa87ce508d1dd5d9af5b03a662cdffa40fa;hb=1c3e9a7c67ccdc5e770829fe951e5832e600d377;hp=f890aac5b593f361af2071486acbfc083291a667;hpb=6d3d5793673b225b2347ef45b74d0d9994f3132c;p=openssl.git diff --git a/apps/s_server.c b/apps/s_server.c index f890aac5b5..9d1a1fa87c 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -224,20 +224,6 @@ static DH *load_dh_param(const char *dhfile); static void s_server_init(void); #endif -#ifndef OPENSSL_NO_TLSEXT - -static const unsigned char auth_ext_data[]={TLSEXT_AUTHZDATAFORMAT_dtcp}; - -static unsigned char *generated_supp_data = NULL; - -static const unsigned char *most_recent_supplemental_data = NULL; -static size_t most_recent_supplemental_data_length = 0; - -static int client_provided_server_authz = 0; -static int client_provided_client_authz = 0; - -#endif - /* static int load_CA(SSL_CTX *ctx, char *file);*/ #undef BUFSIZZ @@ -302,29 +288,9 @@ static int cert_chain = 0; #endif #ifndef OPENSSL_NO_TLSEXT -static int suppdata_cb(SSL *s, unsigned short supp_data_type, - const unsigned char *in, - unsigned short inlen, int *al, - void *arg); - -static int auth_suppdata_generate_cb(SSL *s, unsigned short supp_data_type, - const unsigned char **out, - unsigned short *outlen, int *al, void *arg); - -static int authz_tlsext_generate_cb(SSL *s, unsigned short ext_type, - const unsigned char **out, unsigned short *outlen, - int *al, void *arg); - -static int authz_tlsext_cb(SSL *s, unsigned short ext_type, - const unsigned char *in, - unsigned short inlen, int *al, - void *arg); - static BIO *serverinfo_in = NULL; static const char *s_serverinfo_file = NULL; -static int c_auth = 0; -static int c_auth_require_reneg = 0; #endif #ifndef OPENSSL_NO_PSK 
@@ -485,13 +451,12 @@ static void sv_usage(void)
 BIO_printf(bio_err," -context arg - set session ID context\n");
 BIO_printf(bio_err," -verify arg - turn on peer certificate verification\n");
 BIO_printf(bio_err," -Verify arg - turn on peer certificate verification, must have a cert.\n");
+ BIO_printf(bio_err," -verify_return_error - return verification errors\n");
 BIO_printf(bio_err," -cert arg - certificate file to use\n");
 BIO_printf(bio_err," (default is %s)\n",TEST_CERT);
 BIO_printf(bio_err," -naccept arg - terminate after 'arg' connections\n");
 #ifndef OPENSSL_NO_TLSEXT
 BIO_printf(bio_err," -serverinfo arg - PEM serverinfo file for certificate\n");
- BIO_printf(bio_err," -auth - send and receive RFC 5878 TLS auth extensions and supplemental data\n");
- BIO_printf(bio_err," -auth_require_reneg - Do not send TLS auth extensions until renegotiation\n");
 #endif
 BIO_printf(bio_err," -no_resumption_on_reneg - set SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION flag\n");
 BIO_printf(bio_err," -crl_check - check the peer certificate has not been revoked by its CA.\n" \
@@ -566,6 +531,7 @@ static void sv_usage(void)
 #endif
 BIO_printf(bio_err, "-no_resume_ephemeral - Disable caching and tickets if ephemeral (EC)DH is used\n");
 BIO_printf(bio_err," -bugs - Turn on SSL bug compatibility\n");
+ BIO_printf(bio_err," -hack - workaround for early Netscape code\n");
 BIO_printf(bio_err," -www - Respond to a 'GET /' with a status page\n");
 BIO_printf(bio_err," -WWW - Respond to a 'GET / HTTP/1.0' with file ./\n");
 BIO_printf(bio_err," -HTTP - Respond to a 'GET / HTTP/1.0' with file ./\n");
@@ -593,6 +559,10 @@ static void sv_usage(void) #endif BIO_printf(bio_err," -keymatexport label - Export keying material using label\n"); BIO_printf(bio_err," -keymatexportlen len - Export len bytes of keying material (default 20)\n"); + BIO_printf(bio_err," -status - respond to certificate status requests\n"); + BIO_printf(bio_err," -status_verbose - enable status request verbose printout\n"); + BIO_printf(bio_err," -status_timeout n - status request responder timeout\n"); + BIO_printf(bio_err," -status_url URL - status request fallback URL\n"); } static int local_argc=0; @@ -770,7 +740,7 @@ static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg) if (servername) { - if (strcmp(servername,p->servername)) + if (strcasecmp(servername,p->servername)) return p->extension_error; if (ctx2) { @@ -1012,7 +982,9 @@ int MAIN(int argc, char *argv[]) int badarg = 0; short port=PORT; const char *unix_path=NULL; +#ifndef NO_SYS_UN_H int unlink_unix_path=0; +#endif int (*server_cb)(char *hostname, int s, int stype, unsigned char *context); char *CApath=NULL,*CAfile=NULL; char *chCApath=NULL,*chCAfile=NULL; @@ -1176,15 +1148,7 @@ int MAIN(int argc, char *argv[]) if (--argc < 1) goto bad; s_serverinfo_file = *(++argv); } - else if (strcmp(*argv,"-auth") == 0) - { - c_auth = 1; - } #endif - else if (strcmp(*argv,"-auth_require_reneg") == 0) - { - c_auth_require_reneg = 1; - } else if (strcmp(*argv,"-certform") == 0) { if (--argc < 1) goto bad; 
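Review bot: `strcasecmp` in ssl_servername_cb is POSIX rather than ISO C and its case folding follows the current locale, so the new comparison of the client-supplied SNI name against `p->servername` is only ASCII-case-insensitive while the program stays in the C locale, and on a Windows build it relies on a `_stricmp` mapping that the apps headers presumably provide but that is not visible in this hunk. The change itself is right for host names, which are case-insensitive, but nothing in the hunk records that, so a comment such as `/* host names are case-insensitive: fold ASCII case, but still require a full match */` would keep a future reader from reverting to `strcmp`. ssl_servername_cb starts and ends outside the hunk.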
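Review bot: In the @@ -1012 hunk only `unlink_unix_path` is wrapped in `#ifndef NO_SYS_UN_H` while `unix_path` stays declared unconditionally, and together with the `#ifndef NO_SYS_UN_H`/`#endif` placed around `if (unix_path) { ... } else` in the @@ -2141 and @@ -2148 hunks this means a build without sys/un.h that still parses the option setting `unix_path` (its parsing is outside these hunks, so I cannot confirm whether it is guarded) would accept the path and then silently fall through to `do_server(port, ...)` on a TCP port, listening somewhere the operator did not ask for. Either guard that option parsing the same way so it fails with the usual bad-option error, or reject it explicitly, e.g. `#else` / `if (unix_path) { BIO_printf(bio_err, "unix domain sockets are not supported on this platform\n"); goto end; }` before the `#endif`. The new `#endif` also sits between `else` and the `do_server(...)` call, which is legal but fragile; hoisting the whole socket selection into one `#ifndef`/`#else`/`#endif` block would read more clearly. MAIN starts and ends outside these hunks.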
@@ -1995,12 +1959,6 @@ bad: ERR_print_errors(bio_err); goto end; } - if (c_auth) - { - SSL_CTX_set_custom_srv_ext(ctx, TLSEXT_TYPE_client_authz, authz_tlsext_cb, authz_tlsext_generate_cb, bio_err); - SSL_CTX_set_custom_srv_ext(ctx, TLSEXT_TYPE_server_authz, authz_tlsext_cb, authz_tlsext_generate_cb, bio_err); - SSL_CTX_set_srv_supp_data(ctx, TLSEXT_SUPPLEMENTALDATATYPE_authz_data, auth_suppdata_generate_cb, suppdata_cb, bio_err); - } #endif #ifndef OPENSSL_NO_TLSEXT if (ctx2 && !set_cert_key_stuff(ctx2,s_cert2,s_key2, NULL, build_chain)) @@ -2141,6 +2099,7 @@ bad: server_cb = www_body; else server_cb = sv_body; +#ifndef NO_SYS_UN_H if (unix_path) { if (unlink_unix_path) @@ -2148,6 +2107,7 @@ bad: do_server_unix(unix_path,&accept_socket,server_cb, context, naccept); } else +#endif do_server(port,socket_type,&accept_socket,server_cb, context, naccept); print_stats(bio_s_out,ctx); ret=0; @@ -2718,12 +2678,6 @@ static int init_ssl_connection(SSL *con) i=SSL_accept(con); } #endif - /*handshake is complete - free the generated supp data allocated in the callback */ - if (generated_supp_data) - { - OPENSSL_free(generated_supp_data); - generated_supp_data = NULL; - } if (i <= 0) { 
@@ -3611,77 +3565,3 @@ static void free_sessions(void)
 }
 first = NULL;
 }
-
-#ifndef OPENSSL_NO_TLSEXT
-static int authz_tlsext_cb(SSL *s, unsigned short ext_type,
- const unsigned char *in,
- unsigned short inlen, int *al,
- void *arg)
- {
- if (TLSEXT_TYPE_server_authz == ext_type)
- client_provided_server_authz
- = memchr(in, TLSEXT_AUTHZDATAFORMAT_dtcp, inlen) != NULL;
-
- if (TLSEXT_TYPE_client_authz == ext_type)
- client_provided_client_authz
- = memchr(in, TLSEXT_AUTHZDATAFORMAT_dtcp, inlen) != NULL;
-
- return 1;
- }
-
-static int authz_tlsext_generate_cb(SSL *s, unsigned short ext_type,
- const unsigned char **out, unsigned short *outlen,
- int *al, void *arg)
- {
- if (c_auth && client_provided_client_authz && client_provided_server_authz)
- {
- /*if auth_require_reneg flag is set, only send extensions if
- renegotiation has occurred */
- if (!c_auth_require_reneg
- || (c_auth_require_reneg && SSL_num_renegotiations(s)))
- {
- *out = auth_ext_data;
- *outlen = 1;
- return 1;
- }
- }
- /* no auth extension to send */
- return -1;
- }
-
-static int suppdata_cb(SSL *s, unsigned short supp_data_type,
- const unsigned char *in,
- unsigned short inlen, int *al,
- void *arg)
- {
- if (supp_data_type == TLSEXT_SUPPLEMENTALDATATYPE_authz_data)
- {
- most_recent_supplemental_data = in;
- most_recent_supplemental_data_length = inlen;
- }
- return 1;
- }
-
-static int auth_suppdata_generate_cb(SSL *s, unsigned short supp_data_type,
- const unsigned char **out,
- unsigned short *outlen, int *al, void *arg)
- {
- if (c_auth && client_provided_client_authz && client_provided_server_authz)
- {
- /*if auth_require_reneg flag is set, only send supplemental data if
- renegotiation has occurred */
- if (!c_auth_require_reneg
- || (c_auth_require_reneg && SSL_num_renegotiations(s)))
- {
- generated_supp_data = OPENSSL_malloc(10);
- memcpy(generated_supp_data, "1234512345", 10);
- *out = generated_supp_data;
- *outlen = 10;
- return 1;
- }
- }
- /* no supplemental data to send */
- return -1;
- }
-#endif
-