Check EVP_Cipher return values for SSL2
[openssl.git] / apps / s_server.c
index 5e3e4ac..4ff30d8 100644 (file)
@@ -463,6 +463,7 @@ static void sv_usage(void)
        BIO_printf(bio_err," -context arg  - set session ID context\n");
        BIO_printf(bio_err," -verify arg   - turn on peer certificate verification\n");
        BIO_printf(bio_err," -Verify arg   - turn on peer certificate verification, must have a cert.\n");
+       BIO_printf(bio_err," -verify_return_error - return verification errors\n");
        BIO_printf(bio_err," -cert arg     - certificate file to use\n");
        BIO_printf(bio_err,"                 (default is %s)\n",TEST_CERT);
        BIO_printf(bio_err," -crl_check    - check the peer certificate has not been revoked by its CA.\n" \
@@ -514,7 +515,9 @@ static void sv_usage(void)
        BIO_printf(bio_err," -srpuserseed string - A seed string for a default user salt.\n");
 #endif
        BIO_printf(bio_err," -ssl2         - Just talk SSLv2\n");
+#ifndef OPENSSL_NO_SSL3_METHOD
        BIO_printf(bio_err," -ssl3         - Just talk SSLv3\n");
+#endif
        BIO_printf(bio_err," -tls1_2       - Just talk TLSv1.2\n");
        BIO_printf(bio_err," -tls1_1       - Just talk TLSv1.1\n");
        BIO_printf(bio_err," -tls1         - Just talk TLSv1\n");
@@ -534,6 +537,7 @@ static void sv_usage(void)
        BIO_printf(bio_err," -no_ecdhe     - Disable ephemeral ECDH\n");
 #endif
        BIO_printf(bio_err," -bugs         - Turn on SSL bug compatibility\n");
+       BIO_printf(bio_err," -hack         - workaround for early Netscape code\n");
        BIO_printf(bio_err," -www          - Respond to a 'GET /' with a status page\n");
        BIO_printf(bio_err," -WWW          - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>\n");
        BIO_printf(bio_err," -HTTP         - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>\n");
@@ -556,10 +560,16 @@ static void sv_usage(void)
 # ifndef OPENSSL_NO_NEXTPROTONEG
        BIO_printf(bio_err," -nextprotoneg arg - set the advertised protocols for the NPN extension (comma-separated list)\n");
 # endif
-        BIO_printf(bio_err," -use_srtp profiles - Offer SRTP key management with a colon-separated profile list");
+# ifndef OPENSSL_NO_SRTP
+        BIO_printf(bio_err," -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n");
+# endif
 #endif
        BIO_printf(bio_err," -keymatexport label   - Export keying material using label\n");
        BIO_printf(bio_err," -keymatexportlen len  - Export len bytes of keying material (default 20)\n");
+       BIO_printf(bio_err," -status           - respond to certificate status requests\n");
+       BIO_printf(bio_err," -status_verbose   - enable status request verbose printout\n");
+       BIO_printf(bio_err," -status_timeout n - status request responder timeout\n");
+       BIO_printf(bio_err," -status_url URL   - status request fallback URL\n");
        }
 
 static int local_argc=0;
@@ -737,7 +747,7 @@ static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg)
        
        if (servername)
                {
-               if (strcmp(servername,p->servername)) 
+               if (strcasecmp(servername,p->servername)) 
                        return p->extension_error;
                if (ctx2)
                        {
@@ -923,7 +933,9 @@ static char *jpake_secret = NULL;
 #ifndef OPENSSL_NO_SRP
        static srpsrvparm srp_callback_parm;
 #endif
+#ifndef OPENSSL_NO_SRTP
 static char *srtp_profiles = NULL;
+#endif
 
 int MAIN(int argc, char *argv[])
        {
@@ -969,17 +981,7 @@ int MAIN(int argc, char *argv[])
        char *srpuserseed = NULL;
        char *srp_verifier_file = NULL;
 #endif
-#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
        meth=SSLv23_server_method();
-#elif !defined(OPENSSL_NO_SSL3)
-       meth=SSLv3_server_method();
-#elif !defined(OPENSSL_NO_SSL2)
-       meth=SSLv2_server_method();
-#elif !defined(OPENSSL_NO_TLS1)
-       meth=TLSv1_server_method();
-#else
-  /*  #error no SSL version enabled */
-#endif
 
        local_argc=argc;
        local_argv=argv;
@@ -1216,13 +1218,13 @@ int MAIN(int argc, char *argv[])
                        {
                        if (--argc < 1) goto bad;
                        srp_verifier_file = *(++argv);
-                       meth=TLSv1_server_method();
+                       meth = TLSv1_server_method();
                        }
                else if (strcmp(*argv, "-srpuserseed") == 0)
                        {
                        if (--argc < 1) goto bad;
                        srpuserseed = *(++argv);
-                       meth=TLSv1_server_method();
+                       meth = TLSv1_server_method();
                        }
 #endif
                else if (strcmp(*argv,"-www") == 0)
@@ -1251,7 +1253,7 @@ int MAIN(int argc, char *argv[])
                else if (strcmp(*argv,"-ssl2") == 0)
                        { meth=SSLv2_server_method(); }
 #endif
-#ifndef OPENSSL_NO_SSL3
+#ifndef OPENSSL_NO_SSL3_METHOD
                else if (strcmp(*argv,"-ssl3") == 0)
                        { meth=SSLv3_server_method(); }
 #endif
@@ -1329,11 +1331,13 @@ int MAIN(int argc, char *argv[])
                        jpake_secret = *(++argv);
                        }
 #endif
+#ifndef OPENSSL_NO_SRTP
                else if (strcmp(*argv,"-use_srtp") == 0)
                        {
                        if (--argc < 1) goto bad;
                        srtp_profiles = *(++argv);
                        }
+#endif
                else if (strcmp(*argv,"-keymatexport") == 0)
                        {
                        if (--argc < 1) goto bad;
@@ -1360,6 +1364,14 @@ bad:
                sv_usage();
                goto end;
                }
+#ifndef OPENSSL_NO_DTLS1
+       if (www && socket_type == SOCK_DGRAM)
+               {
+               BIO_printf(bio_err,
+                               "Can't use -HTTP, -www or -WWW with DTLS\n");
+               goto end;
+               }
+#endif
 
 #if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
        if (jpake_secret)
@@ -1441,25 +1453,24 @@ bad:
                                goto end;
                                }
                        }
-
-# ifndef OPENSSL_NO_NEXTPROTONEG
-               if (next_proto_neg_in)
-                       {
-                       unsigned short len;
-                       next_proto.data = next_protos_parse(&len,
-                               next_proto_neg_in);
-                       if (next_proto.data == NULL)
-                               goto end;
-                       next_proto.len = len;
-                       }
-               else
-                       {
-                       next_proto.data = NULL;
-                       }
-# endif
 #endif
                }
 
+#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) 
+       if (next_proto_neg_in)
+               {
+               unsigned short len;
+               next_proto.data = next_protos_parse(&len, next_proto_neg_in);
+               if (next_proto.data == NULL)
+                       goto end;
+               next_proto.len = len;
+               }
+       else
+               {
+               next_proto.data = NULL;
+               }
+#endif
+
 
        if (s_dcert_file)
                {
@@ -1560,8 +1571,10 @@ bad:
        else
                SSL_CTX_sess_set_cache_size(ctx,128);
 
+#ifndef OPENSSL_NO_SRTP
        if (srtp_profiles != NULL)
                SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles);
+#endif
 
 #if 0
        if (cipher == NULL) cipher=getenv("SSL_CIPHER");
@@ -1740,7 +1753,7 @@ bad:
                }
 #endif
        
-       if (!set_cert_key_stuff(ctx,s_cert,s_key))
+       if (!set_cert_key_stuff(ctx, s_cert, s_key))
                goto end;
 #ifndef OPENSSL_NO_TLSEXT
        if (ctx2 && !set_cert_key_stuff(ctx2,s_cert2,s_key2))
@@ -1748,7 +1761,7 @@ bad:
 #endif
        if (s_dcert != NULL)
                {
-               if (!set_cert_key_stuff(ctx,s_dcert,s_dkey))
+               if (!set_cert_key_stuff(ctx, s_dcert, s_dkey))
                        goto end;
                }
 
@@ -1903,7 +1916,15 @@ end:
                OPENSSL_free(pass);
        if (dpass)
                OPENSSL_free(dpass);
+       if (vpm)
+               X509_VERIFY_PARAM_free(vpm);
 #ifndef OPENSSL_NO_TLSEXT
+       if (tlscstatp.host)
+               OPENSSL_free(tlscstatp.host);
+       if (tlscstatp.port)
+               OPENSSL_free(tlscstatp.port);
+       if (tlscstatp.path)
+               OPENSSL_free(tlscstatp.path);
        if (ctx2 != NULL) SSL_CTX_free(ctx2);
        if (s_cert2)
                X509_free(s_cert2);
@@ -2443,6 +2464,7 @@ static int init_ssl_connection(SSL *con)
                BIO_printf(bio_s_out,"Shared ciphers:%s\n",buf);
        str=SSL_CIPHER_get_name(SSL_get_current_cipher(con));
        BIO_printf(bio_s_out,"CIPHER is %s\n",(str != NULL)?str:"(NONE)");
+
 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
        SSL_get0_next_proto_negotiated(con, &next_proto_neg, &next_proto_neg_len);
        if (next_proto_neg)
@@ -2452,6 +2474,7 @@ static int init_ssl_connection(SSL *con)
                BIO_printf(bio_s_out, "\n");
                }
 #endif
+#ifndef OPENSSL_NO_SRTP
        {
        SRTP_PROTECTION_PROFILE *srtp_profile
          = SSL_get_selected_srtp_profile(con);
@@ -2460,6 +2483,7 @@ static int init_ssl_connection(SSL *con)
                BIO_printf(bio_s_out,"SRTP Extension negotiated, profile=%s\n",
                           srtp_profile->name);
        }
+#endif
        if (SSL_cache_hit(con)) BIO_printf(bio_s_out,"Reused session-id\n");
        if (SSL_ctrl(con,SSL_CTRL_GET_FLAGS,0,NULL) &
                TLS1_FLAGS_TLS_PADDING_BUG)
@@ -2475,31 +2499,34 @@ static int init_ssl_connection(SSL *con)
 #endif /* OPENSSL_NO_KRB5 */
        BIO_printf(bio_s_out, "Secure Renegotiation IS%s supported\n",
                      SSL_get_secure_renegotiation_support(con) ? "" : " NOT");
-       if (keymatexportlabel != NULL) {
-               BIO_printf(bio_s_out, "Keying material exporter:\n");
-               BIO_printf(bio_s_out, "    Label: '%s'\n", keymatexportlabel);
-               BIO_printf(bio_s_out, "    Length: %i bytes\n",
+       if (keymatexportlabel != NULL)
+               {
+               BIO_printf(bio_s_out, "Keying material exporter:\n");
+               BIO_printf(bio_s_out, "    Label: '%s'\n", keymatexportlabel);
+               BIO_printf(bio_s_out, "    Length: %i bytes\n",
                           keymatexportlen);
-               exportedkeymat = OPENSSL_malloc(keymatexportlen);
-               if (exportedkeymat != NULL) {
-                       i = SSL_export_keying_material(con, exportedkeymat,
-                                                      keymatexportlen,
-                                                      keymatexportlabel,
-                                                    strlen(keymatexportlabel),
-                                                      NULL, 0, 0);
-                       if (i != keymatexportlen) {
-                               BIO_printf(bio_s_out,
-                                          "    Error: return value %i\n", i);
-                       } else {
-                               BIO_printf(bio_s_out, "    Keying material: ");
-                               for (i=0; i<keymatexportlen; i++)
-                                       BIO_printf(bio_s_out, "%02X",
+               exportedkeymat = OPENSSL_malloc(keymatexportlen);
+               if (exportedkeymat != NULL)
+                       {
+                       if (!SSL_export_keying_material(con, exportedkeymat,
+                                                       keymatexportlen,
+                                                       keymatexportlabel,
+                                                       strlen(keymatexportlabel),
+                                                       NULL, 0, 0))
+                               {
+                               BIO_printf(bio_s_out, "    Error\n");
+                               }
+                       else
+                               {
+                               BIO_printf(bio_s_out, "    Keying material: ");
+                               for (i=0; i<keymatexportlen; i++)
+                                       BIO_printf(bio_s_out, "%02X",
                                                   exportedkeymat[i]);
-                               BIO_printf(bio_s_out, "\n");
-                       }
-                       OPENSSL_free(exportedkeymat);
-               }
-       }
+                               BIO_printf(bio_s_out, "\n");
+                               }
+                       OPENSSL_free(exportedkeymat);
+                       }
+               }
 
        return(1);
        }
@@ -2708,6 +2735,11 @@ static int www_body(char *hostname, int s, unsigned char *context)
                                }
                        BIO_puts(io,"\n");
 
+                       BIO_printf(io,
+                               "Secure Renegotiation IS%s supported\n",
+                               SSL_get_secure_renegotiation_support(con) ?
+                                                       "" : " NOT");
+
                        /* The following is evil and should not really
                         * be done */
                        BIO_printf(io,"Ciphers supported in s_server binary\n");