{", ClientHello", 1},
{", ServerHello", 2},
{", HelloVerifyRequest", 3},
+ {", NewSessionTicket", 4},
{", Certificate", 11},
{", ServerKeyExchange", 12},
{", CertificateRequest", 13},
{", CertificateVerify", 15},
{", ClientKeyExchange", 16},
{", Finished", 20},
+ {", CertificateUrl", 21},
+ {", CertificateStatus", 22},
+ {", SupplementalData", 23},
{NULL}
};
if (len > 0)
str_details1 = lookup((int)bp[0], handshakes, "???");
break;
+ case 23:
+ str_content_type = "ApplicationData";
+ break;
#ifndef OPENSSL_NO_HEARTBEATS
case 24:
str_details1 = ", Heartbeat";
};
void tlsext_cb(SSL *s, int client_server, int type,
- unsigned char *data, int len, void *arg)
+ const unsigned char *data, int len, void *arg)
{
BIO *bio = arg;
const char *extname = lookup(type, tlsext_types, "unknown");
BIO_printf(bio, "TLS %s extension \"%s\" (id=%d), len=%d\n",
client_server ? "server" : "client", extname, type, len);
- BIO_dump(bio, (char *)data, len);
+ BIO_dump(bio, (const char *)data, len);
(void)BIO_flush(bio);
}
int generate_cookie_callback(SSL *ssl, unsigned char *cookie,
unsigned int *cookie_len)
{
- unsigned char *buffer, result[EVP_MAX_MD_SIZE];
- unsigned int length, resultlength;
- union {
- struct sockaddr sa;
- struct sockaddr_in s4;
-#if OPENSSL_USE_IPV6
- struct sockaddr_in6 s6;
-#endif
- } peer;
+ unsigned char *buffer;
+ size_t length;
+ unsigned short port;
+ BIO_ADDR *peer = NULL;
/* Initialize a random secret */
if (!cookie_initialized) {
cookie_initialized = 1;
}
+ peer = BIO_ADDR_new();
+ if (peer == NULL) {
+ BIO_printf(bio_err, "memory full\n");
+ return 0;
+ }
+
/* Read peer information */
- (void)BIO_dgram_get_peer(SSL_get_rbio(ssl), &peer);
+ (void)BIO_dgram_get_peer(SSL_get_rbio(ssl), peer);
/* Create buffer with peer's address and port */
- length = 0;
- switch (peer.sa.sa_family) {
- case AF_INET:
- length += sizeof(struct in_addr);
- length += sizeof(peer.s4.sin_port);
- break;
-#if OPENSSL_USE_IPV6
- case AF_INET6:
- length += sizeof(struct in6_addr);
- length += sizeof(peer.s6.sin6_port);
- break;
-#endif
- default:
- OPENSSL_assert(0);
- break;
- }
+ BIO_ADDR_rawaddress(peer, NULL, &length);
+ OPENSSL_assert(length != 0);
+ port = BIO_ADDR_rawport(peer);
+ length += sizeof(port);
buffer = app_malloc(length, "cookie generate buffer");
- switch (peer.sa.sa_family) {
- case AF_INET:
- memcpy(buffer, &peer.s4.sin_port, sizeof(peer.s4.sin_port));
- memcpy(buffer + sizeof(peer.s4.sin_port),
- &peer.s4.sin_addr, sizeof(struct in_addr));
- break;
-#if OPENSSL_USE_IPV6
- case AF_INET6:
- memcpy(buffer, &peer.s6.sin6_port, sizeof(peer.s6.sin6_port));
- memcpy(buffer + sizeof(peer.s6.sin6_port),
- &peer.s6.sin6_addr, sizeof(struct in6_addr));
- break;
-#endif
- default:
- OPENSSL_assert(0);
- break;
- }
+ memcpy(buffer, &port, sizeof(port));
+ BIO_ADDR_rawaddress(peer, buffer + sizeof(port), NULL);
/* Calculate HMAC of buffer using the secret */
HMAC(EVP_sha1(), cookie_secret, COOKIE_SECRET_LENGTH,
- buffer, length, result, &resultlength);
- OPENSSL_free(buffer);
+ buffer, length, cookie, cookie_len);
- memcpy(cookie, result, resultlength);
- *cookie_len = resultlength;
+ OPENSSL_free(buffer);
+ BIO_ADDR_free(peer);
return 1;
}
-int verify_cookie_callback(SSL *ssl, unsigned char *cookie,
+int verify_cookie_callback(SSL *ssl, const unsigned char *cookie,
unsigned int cookie_len)
{
- unsigned char *buffer, result[EVP_MAX_MD_SIZE];
- unsigned int length, resultlength;
- union {
- struct sockaddr sa;
- struct sockaddr_in s4;
-#if OPENSSL_USE_IPV6
- struct sockaddr_in6 s6;
-#endif
- } peer;
-
- /* If secret isn't initialized yet, the cookie can't be valid */
- if (!cookie_initialized)
- return 0;
-
- /* Read peer information */
- (void)BIO_dgram_get_peer(SSL_get_rbio(ssl), &peer);
-
- /* Create buffer with peer's address and port */
- length = 0;
- switch (peer.sa.sa_family) {
- case AF_INET:
- length += sizeof(struct in_addr);
- length += sizeof(peer.s4.sin_port);
- break;
-#if OPENSSL_USE_IPV6
- case AF_INET6:
- length += sizeof(struct in6_addr);
- length += sizeof(peer.s6.sin6_port);
- break;
-#endif
- default:
- OPENSSL_assert(0);
- break;
- }
- buffer = app_malloc(length, "cookie verify buffer");
-
- switch (peer.sa.sa_family) {
- case AF_INET:
- memcpy(buffer, &peer.s4.sin_port, sizeof(peer.s4.sin_port));
- memcpy(buffer + sizeof(peer.s4.sin_port),
- &peer.s4.sin_addr, sizeof(struct in_addr));
- break;
-#if OPENSSL_USE_IPV6
- case AF_INET6:
- memcpy(buffer, &peer.s6.sin6_port, sizeof(peer.s6.sin6_port));
- memcpy(buffer + sizeof(peer.s6.sin6_port),
- &peer.s6.sin6_addr, sizeof(struct in6_addr));
- break;
-#endif
- default:
- OPENSSL_assert(0);
- break;
- }
-
- /* Calculate HMAC of buffer using the secret */
- HMAC(EVP_sha1(), cookie_secret, COOKIE_SECRET_LENGTH,
- buffer, length, result, &resultlength);
- OPENSSL_free(buffer);
-
- if (cookie_len == resultlength
+ unsigned char result[EVP_MAX_MD_SIZE];
+ unsigned int resultlength;
+
+ /* Note: we check cookie_initialized because if it's not,
+ * it cannot be valid */
+ if (cookie_initialized
+ && generate_cookie_callback(ssl, result, &resultlength)
+ && cookie_len == resultlength
&& memcmp(result, cookie, resultlength) == 0)
return 1;
if (!exc->key)
return 0;
if (exc->chainfile) {
- exc->chain = load_certs(exc->chainfile, FORMAT_PEM,
- NULL, NULL, "Server Chain");
- if (!exc->chain)
+ if (!load_certs(exc->chainfile, &exc->chain, FORMAT_PEM, NULL,
+ NULL, "Server Chain"))
return 0;
}
}
}
int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str,
- SSL_CTX *ctx, int no_ecdhe, int no_jpake)
+ SSL_CTX *ctx, int no_jpake)
{
int i;
for (i = 0; i < sk_OPENSSL_STRING_num(str); i += 2) {
const char *flag = sk_OPENSSL_STRING_value(str, i);
const char *arg = sk_OPENSSL_STRING_value(str, i + 1);
- /* If no_ecdhe or named curve already specified don't need a default. */
- if (!no_ecdhe && strcmp(flag, "-named_curve") == 0)
- no_ecdhe = 1;
#ifndef OPENSSL_NO_JPAKE
if (!no_jpake && (strcmp(flag, "-cipher") == 0)) {
BIO_puts(bio_err, "JPAKE sets cipher to PSK\n");
return 0;
}
}
- /*
- * This is a special case to keep existing s_server functionality: if we
- * don't have any curve specified *and* we haven't disabled ECDHE then
- * use P-256.
- */
- if (!no_ecdhe) {
- if (SSL_CONF_cmd(cctx, "-named_curve", "P-256") <= 0) {
- BIO_puts(bio_err, "Error setting EC curve\n");
- ERR_print_errors(bio_err);
- return 0;
- }
- }
#ifndef OPENSSL_NO_JPAKE
if (!no_jpake) {
if (SSL_CONF_cmd(cctx, "-cipher", "PSK") <= 0) {
{
X509_STORE *vfy = NULL, *ch = NULL;
int rv = 0;
- if (vfyCApath || vfyCAfile) {
+ if (vfyCApath != NULL || vfyCAfile != NULL) {
vfy = X509_STORE_new();
+ if (vfy == NULL)
+ goto err;
if (!X509_STORE_load_locations(vfy, vfyCAfile, vfyCApath))
goto err;
add_crls_store(vfy, crls);
if (crl_download)
store_setup_crl_download(vfy);
}
- if (chCApath || chCAfile) {
+ if (chCApath != NULL || chCAfile != NULL) {
ch = X509_STORE_new();
+ if (ch == NULL)
+ goto err;
if (!X509_STORE_load_locations(ch, chCAfile, chCApath))
goto err;
SSL_CTX_set1_chain_cert_store(ctx, ch);
int sig_nid = X509_get_signature_nid(other);
BIO_puts(sdb->out, OBJ_nid2sn(sig_nid));
} else {
- EVP_PKEY *pkey = X509_get_pubkey(other);
+ EVP_PKEY *pkey = X509_get0_pubkey(other);
const char *algname = "";
EVP_PKEY_asn1_get0_info(NULL, NULL, NULL, NULL,
&algname, EVP_PKEY_get0_asn1(pkey));
BIO_printf(sdb->out, "%s, bits=%d",
algname, EVP_PKEY_bits(pkey));
- EVP_PKEY_free(pkey);
}
break;
}