#undef NON_MAIN
#undef USE_SOCKETS
#include <openssl/err.h>
+#include <openssl/rand.h>
#include <openssl/x509.h>
#include <openssl/ssl.h>
#include "s_apps.h"
+#define COOKIE_SECRET_LENGTH 16
+
int verify_depth=0;
int verify_error=X509_V_OK;
int verify_return_error=0;
+unsigned char cookie_secret[COOKIE_SECRET_LENGTH];
+int cookie_initialized=0;
int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
{
case TLS1_VERSION:
str_version = "TLS 1.0 ";
break;
+ case TLS1_1_VERSION:
+ str_version = "TLS 1.1 ";
+ break;
case DTLS1_VERSION:
str_version = "DTLS 1.0 ";
break;
case 114:
str_details2 = " bad_certificate_hash_value";
break;
+ case 115:
+ str_details2 = " unknown_psk_identity";
+ break;
}
}
}
extname = "server ticket";
break;
+ case TLSEXT_TYPE_renegotiate:
+ extname = "renegotiate";
+ break;
+
+ case TLSEXT_TYPE_signature_algorithms:
+ extname = "signature algorithms";
+ break;
+
#ifdef TLSEXT_TYPE_opaque_prf_input
case TLSEXT_TYPE_opaque_prf_input:
extname = "opaque PRF input";
BIO_dump(bio, (char *)data, len);
(void)BIO_flush(bio);
}
+
+int MS_CALLBACK generate_cookie_callback(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len)
+ {
+ unsigned char *buffer, result[EVP_MAX_MD_SIZE];
+ unsigned int length, resultlength;
+ union {
+ struct sockaddr sa;
+ struct sockaddr_in s4;
+#if OPENSSL_USE_IPV6
+ struct sockaddr_in6 s6;
+#endif
+ } peer;
+
+ /* Initialize a random secret */
+ if (!cookie_initialized)
+ {
+ if (!RAND_bytes(cookie_secret, COOKIE_SECRET_LENGTH))
+ {
+ BIO_printf(bio_err,"error setting random cookie secret\n");
+ return 0;
+ }
+ cookie_initialized = 1;
+ }
+
+ /* Read peer information */
+ (void)BIO_dgram_get_peer(SSL_get_rbio(ssl), &peer);
+
+ /* Create buffer with peer's address and port */
+ length = 0;
+ switch (peer.sa.sa_family)
+ {
+ case AF_INET:
+ length += sizeof(struct in_addr);
+ length += sizeof(peer.s4.sin_port);
+ break;
+#if OPENSSL_USE_IPV6
+ case AF_INET6:
+ length += sizeof(struct in6_addr);
+ length += sizeof(peer.s6.sin6_port);
+ break;
+#endif
+ default:
+ OPENSSL_assert(0);
+ break;
+ }
+ buffer = OPENSSL_malloc(length);
+
+ if (buffer == NULL)
+ {
+ BIO_printf(bio_err,"out of memory\n");
+ return 0;
+ }
+
+ switch (peer.sa.sa_family)
+ {
+ case AF_INET:
+ memcpy(buffer,
+ &peer.s4.sin_port,
+ sizeof(peer.s4.sin_port));
+ memcpy(buffer + sizeof(peer.s4.sin_port),
+ &peer.s4.sin_addr,
+ sizeof(struct in_addr));
+ break;
+#if OPENSSL_USE_IPV6
+ case AF_INET6:
+ memcpy(buffer,
+ &peer.s6.sin6_port,
+ sizeof(peer.s6.sin6_port));
+ memcpy(buffer + sizeof(peer.s6.sin6_port),
+ &peer.s6.sin6_addr,
+ sizeof(struct in6_addr));
+ break;
+#endif
+ default:
+ OPENSSL_assert(0);
+ break;
+ }
+
+ /* Calculate HMAC of buffer using the secret */
+ HMAC(EVP_sha1(), cookie_secret, COOKIE_SECRET_LENGTH,
+ buffer, length, result, &resultlength);
+ OPENSSL_free(buffer);
+
+ memcpy(cookie, result, resultlength);
+ *cookie_len = resultlength;
+
+ return 1;
+ }
+
+int MS_CALLBACK verify_cookie_callback(SSL *ssl, unsigned char *cookie, unsigned int cookie_len)
+ {
+ unsigned char *buffer, result[EVP_MAX_MD_SIZE];
+ unsigned int length, resultlength;
+ union {
+ struct sockaddr sa;
+ struct sockaddr_in s4;
+#if OPENSSL_USE_IPV6
+ struct sockaddr_in6 s6;
+#endif
+ } peer;
+
+ /* If secret isn't initialized yet, the cookie can't be valid */
+ if (!cookie_initialized)
+ return 0;
+
+ /* Read peer information */
+ (void)BIO_dgram_get_peer(SSL_get_rbio(ssl), &peer);
+
+ /* Create buffer with peer's address and port */
+ length = 0;
+ switch (peer.sa.sa_family)
+ {
+ case AF_INET:
+ length += sizeof(struct in_addr);
+ length += sizeof(peer.s4.sin_port);
+ break;
+#if OPENSSL_USE_IPV6
+ case AF_INET6:
+ length += sizeof(struct in6_addr);
+ length += sizeof(peer.s6.sin6_port);
+ break;
+#endif
+ default:
+ OPENSSL_assert(0);
+ break;
+ }
+ buffer = OPENSSL_malloc(length);
+
+ if (buffer == NULL)
+ {
+ BIO_printf(bio_err,"out of memory\n");
+ return 0;
+ }
+
+ switch (peer.sa.sa_family)
+ {
+ case AF_INET:
+ memcpy(buffer,
+ &peer.s4.sin_port,
+ sizeof(peer.s4.sin_port));
+ memcpy(buffer + sizeof(peer.s4.sin_port),
+ &peer.s4.sin_addr,
+ sizeof(struct in_addr));
+ break;
+#if OPENSSL_USE_IPV6
+ case AF_INET6:
+ memcpy(buffer,
+ &peer.s6.sin6_port,
+ sizeof(peer.s6.sin6_port));
+ memcpy(buffer + sizeof(peer.s6.sin6_port),
+ &peer.s6.sin6_addr,
+ sizeof(struct in6_addr));
+ break;
+#endif
+ default:
+ OPENSSL_assert(0);
+ break;
+ }
+
+ /* Calculate HMAC of buffer using the secret */
+ HMAC(EVP_sha1(), cookie_secret, COOKIE_SECRET_LENGTH,
+ buffer, length, result, &resultlength);
+ OPENSSL_free(buffer);
+
+ if (cookie_len == resultlength && memcmp(result, cookie, resultlength) == 0)
+ return 1;
+
+ return 0;
+ }