static char *keymatexportlabel = NULL;
static int keymatexportlen = 20;
-static int hack = 0;
#ifndef OPENSSL_NO_ENGINE
static char *engine_id = NULL;
#endif
s_msg = 0;
s_quiet = 0;
s_brief = 0;
- hack = 0;
# ifndef OPENSSL_NO_ENGINE
engine_id = NULL;
# endif
" -dhparam arg - DH parameter file to use, in cert file if not specified\n");
BIO_printf(bio_err,
" or a default set of parameters is used\n");
-#ifndef OPENSSL_NO_ECDH
+#ifndef OPENSSL_NO_EC
BIO_printf(bio_err,
" -named_curve arg - Elliptic curve name to use for ephemeral ECDH keys.\n"
" Use \"openssl ecparam -list_curves\" for all names\n"
BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n");
BIO_printf(bio_err,
" -trusted_first - Use locally trusted CA's first when building trust chain\n");
+ BIO_printf(bio_err,
+ " -no_alt_chains - only ever use the first certificate chain found\n");
BIO_printf(bio_err,
" -nocert - Don't use any certificates (Anon-DH)\n");
BIO_printf(bio_err,
#ifndef OPENSSL_NO_DH
BIO_printf(bio_err, " -no_dhe - Disable ephemeral DH\n");
#endif
-#ifndef OPENSSL_NO_ECDH
+#ifndef OPENSSL_NO_EC
BIO_printf(bio_err, " -no_ecdhe - Disable ephemeral ECDH\n");
#endif
BIO_printf(bio_err,
"-no_resume_ephemeral - Disable caching and tickets if ephemeral (EC)DH is used\n");
BIO_printf(bio_err, " -bugs - Turn on SSL bug compatibility\n");
- BIO_printf(bio_err,
- " -hack - workaround for early Netscape code\n");
BIO_printf(bio_err,
" -www - Respond to a 'GET /' with a status page\n");
BIO_printf(bio_err,
EBCDIC_OUTBUFF *wbuf;
wbuf = (EBCDIC_OUTBUFF *) OPENSSL_malloc(sizeof(EBCDIC_OUTBUFF) + 1024);
+ if (!wbuf)
+ return 0;
wbuf->alloced = 1024;
wbuf->buff[0] = '\0';
num = num + num; /* double the size */
if (num < inl)
num = inl;
- OPENSSL_free(wbuf);
wbuf =
(EBCDIC_OUTBUFF *) OPENSSL_malloc(sizeof(EBCDIC_OUTBUFF) + num);
+ if(!wbuf)
+ return 0;
+ OPENSSL_free(b->ptr);
wbuf->alloced = num;
wbuf->buff[0] = '\0';
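Review bot: The added `if(!wbuf)` drops the space after the keyword that the surrounding code uses (`if (num < inl)` a few lines up, `if (!wbuf)` in the earlier hunk of this diff); the same spelling recurs in the session-cache hunk at the end of this diff (`if(!sess)`, `if(!sess->id || !sess->der)`, `if(sess->id)`, `if(sess->der)`), so fix it once as `if (!wbuf)` and match the others. The ordering of the new lines is right: the old buffer is released only after the replacement has been allocated, so a failed allocation now leaves `b->ptr` intact instead of dangling as the removed `OPENSSL_free(wbuf)` did. One thing the hunk does not touch is `num = num + num;` just above, which doubles what looks like a signed `int` with no upper bound; if `num` is indeed `int`, a guard such as `if (num > INT_MAX / 2) return 0;` before the doubling would be cheap, but I cannot confirm the type from the hunk. The enclosing function starts and ends outside the hunk.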
STACK_OF(X509_EXTENSION) *exts;
int ret = SSL_TLSEXT_ERR_NOACK;
int i;
-# if 0
- STACK_OF(OCSP_RESPID) *ids;
- SSL_get_tlsext_status_ids(s, &ids);
- BIO_printf(err, "cert_status: received %d ids\n",
- sk_OCSP_RESPID_num(ids));
-# endif
if (srctx->verbose)
BIO_puts(err, "cert_status: callback called\n");
/* Build up OCSP query from server certificate */
sdebug = 1;
} else if (strcmp(*argv, "-security_debug_verbose") == 0) {
sdebug = 2;
- } else if (strcmp(*argv, "-hack") == 0) {
- hack = 1;
} else if (strcmp(*argv, "-state") == 0) {
state = 1;
} else if (strcmp(*argv, "-crlf") == 0) {
meth = SSLv3_server_method();
}
#endif
-#ifndef OPENSSL_NO_TLS1
else if (strcmp(*argv, "-tls1") == 0) {
meth = TLSv1_server_method();
} else if (strcmp(*argv, "-tls1_1") == 0) {
} else if (strcmp(*argv, "-tls1_2") == 0) {
meth = TLSv1_2_server_method();
}
-#endif
#ifndef OPENSSL_NO_DTLS1
else if (strcmp(*argv, "-dtls") == 0) {
meth = DTLS_server_method();
bio_s_out = BIO_new_fp(stdout, BIO_NOCLOSE);
}
}
-#if !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_ECDSA)
+#if !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_EC)
if (nocert)
#endif
{
BIO_printf(bio_err, "id_prefix '%s' set.\n", session_id_prefix);
}
SSL_CTX_set_quiet_shutdown(ctx, 1);
- if (hack)
- SSL_CTX_set_options(ctx, SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG);
if (exc)
ssl_ctx_set_excert(ctx, exc);
- /*
- * DTLS: partial reads end up discarding unread UDP bytes :-( Setting
- * read ahead solves this problem.
- */
- if (socket_type == SOCK_DGRAM)
- SSL_CTX_set_read_ahead(ctx, 1);
if (state)
SSL_CTX_set_info_callback(ctx, apps_ssl_info_callback);
SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles);
#endif
-#if 0
- if (cipher == NULL)
- cipher = getenv("SSL_CIPHER");
-#endif
-
-#if 0
- if (s_cert_file == NULL) {
- BIO_printf(bio_err,
- "You must specify a certificate file for the server to use\n");
- goto end;
- }
-#endif
-
if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) ||
(!SSL_CTX_set_default_verify_paths(ctx))) {
/* BIO_printf(bio_err,"X509_load_verify_locations\n"); */
BIO_printf(bio_err, "id_prefix '%s' set.\n", session_id_prefix);
}
SSL_CTX_set_quiet_shutdown(ctx2, 1);
- if (hack)
- SSL_CTX_set_options(ctx2, SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG);
if (exc)
ssl_ctx_set_excert(ctx2, exc);
- /*
- * DTLS: partial reads end up discarding unread UDP bytes :-(
- * Setting read ahead solves this problem.
- */
- if (socket_type == SOCK_DGRAM)
- SSL_CTX_set_read_ahead(ctx2, 1);
if (state)
SSL_CTX_set_info_callback(ctx2, apps_ssl_info_callback);
goto end;
}
#ifndef OPENSSL_NO_RSA
-# if 1
if (!no_tmp_rsa) {
SSL_CTX_set_tmp_rsa_callback(ctx, tmp_rsa_cb);
# ifndef OPENSSL_NO_TLSEXT
SSL_CTX_set_tmp_rsa_callback(ctx2, tmp_rsa_cb);
# endif
}
-# else
- if (!no_tmp_rsa && SSL_CTX_need_tmp_RSA(ctx)) {
- RSA *rsa;
-
- BIO_printf(bio_s_out, "Generating temp (512 bit) RSA key...");
- BIO_flush(bio_s_out);
-
- rsa = RSA_generate_key(512, RSA_F4, NULL);
-
- if (!SSL_CTX_set_tmp_rsa(ctx, rsa)) {
- ERR_print_errors(bio_err);
- goto end;
- }
-# ifndef OPENSSL_NO_TLSEXT
- if (ctx2) {
- if (!SSL_CTX_set_tmp_rsa(ctx2, rsa)) {
- ERR_print_errors(bio_err);
- goto end;
- }
- }
-# endif
- RSA_free(rsa);
- BIO_printf(bio_s_out, "\n");
- }
-# endif
#endif
if (no_resume_ephemeral) {
SSL_set_session_id_context(con, context, strlen((char *)context));
}
SSL_clear(con);
-#if 0
-# ifdef TLSEXT_TYPE_opaque_prf_input
- SSL_set_tlsext_opaque_prf_input(con, "Test server", 11);
-# endif
-#endif
if (stype == SOCK_DGRAM) {
err:
if (con != NULL) {
BIO_printf(bio_s_out, "shutting down SSL\n");
-#if 1
SSL_set_shutdown(con, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
-#else
- SSL_shutdown(con);
-#endif
SSL_free(con);
}
BIO_printf(bio_s_out, "CONNECTION CLOSED\n");
}
#endif
-#if 0
-static int load_CA(SSL_CTX *ctx, char *file)
-{
- FILE *in;
- X509 *x = NULL;
-
- if ((in = fopen(file, "r")) == NULL)
- return (0);
-
- for (;;) {
- if (PEM_read_X509(in, &x, NULL) == NULL)
- break;
- SSL_CTX_add_client_CA(ctx, x);
- }
- if (x != NULL)
- X509_free(x);
- fclose(in);
- return (1);
-}
-#endif
-
static int www_body(char *hostname, int s, int stype, unsigned char *context)
{
char *buf = NULL;
}
for (;;) {
- if (hack) {
- i = SSL_accept(con);
-#ifndef OPENSSL_NO_SRP
- while (i <= 0
- && SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP) {
- BIO_printf(bio_s_out, "LOOKUP during accept %s\n",
- srp_callback_parm.login);
- srp_callback_parm.user =
- SRP_VBASE_get_by_user(srp_callback_parm.vb,
- srp_callback_parm.login);
- if (srp_callback_parm.user)
- BIO_printf(bio_s_out, "LOOKUP done %s\n",
- srp_callback_parm.user->info);
- else
- BIO_printf(bio_s_out, "LOOKUP not successful\n");
- i = SSL_accept(con);
- }
-#endif
- switch (SSL_get_error(con, i)) {
- case SSL_ERROR_NONE:
- break;
- case SSL_ERROR_WANT_WRITE:
- case SSL_ERROR_WANT_READ:
- case SSL_ERROR_WANT_X509_LOOKUP:
- continue;
- case SSL_ERROR_SYSCALL:
- case SSL_ERROR_SSL:
- case SSL_ERROR_ZERO_RETURN:
- ret = 1;
- goto err;
- /* break; */
- }
-
- SSL_renegotiate(con);
- SSL_write(con, NULL, 0);
- }
-
i = BIO_gets(io, buf, bufsize - 1);
if (i < 0) { /* error */
if (!BIO_should_retry(io)) {
/* else we have data */
if (((www == 1) && (strncmp("GET ", buf, 4) == 0)) ||
- ((www == 2) && (strncmp("GET /stats ", buf, 10) == 0))) {
+ ((www == 2) && (strncmp("GET /stats ", buf, 11) == 0))) {
char *p;
X509 *peer;
STACK_OF(SSL_CIPHER) *sk;
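Review bot: The corrected length on the `www == 2` branch is still a hand-counted literal, which is exactly how the previous value of 10 drifted from the 11-character `"GET /stats "`; tie it to the string instead, `((www == 2) && (strncmp("GET /stats ", buf, sizeof("GET /stats ") - 1) == 0))`. The `"GET "` comparison on the line above could use the same `sizeof(...) - 1` form so the two branches cannot diverge again. The enclosing request-handling loop continues outside the hunk.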
BIO_printf(io, "'%s' is an invalid path\r\n", p);
break;
}
-#if 0
- /* append if a directory lookup */
- if (e[-1] == '/')
- strcat(p, "index.html");
-#endif
/* if a directory, do the index thang */
if (app_isdir(p) > 0) {
-#if 0 /* must check buffer size */
- strcat(p, "/index.html");
-#else
BIO_puts(io, text);
BIO_printf(io, "'%s' is a directory\r\n", p);
break;
-#endif
}
if ((file = BIO_new_file(p, "r")) == NULL) {
break;
}
end:
-#if 1
/* make sure we re-use sessions */
SSL_set_shutdown(con, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
-#else
- /* This kills performance */
- /*
- * SSL_shutdown(con); A shutdown gets sent in the BIO_free_all(io)
- * procession
- */
-#endif
err:
unsigned char *p;
sess = OPENSSL_malloc(sizeof(simple_ssl_session));
+ if(!sess) {
+ BIO_printf(bio_err, "Out of memory adding session to external cache\n");
+ return 0;
+ }
SSL_SESSION_get_id(session, &sess->idlen);
sess->derlen = i2d_SSL_SESSION(session, NULL);
sess->id = BUF_memdup(SSL_SESSION_get_id(session, NULL), sess->idlen);
sess->der = OPENSSL_malloc(sess->derlen);
+ if(!sess->id || !sess->der) {
+ BIO_printf(bio_err, "Out of memory adding session to external cache\n");
+
+ if(sess->id)
+ OPENSSL_free(sess->id);
+ if(sess->der)
+ OPENSSL_free(sess->der);
+ OPENSSL_free(sess);
+ return 0;
+ }
p = sess->der;
i2d_SSL_SESSION(session, &p);
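Review bot: The new checks cover the three allocations but not the encoder call between them: `sess->derlen = i2d_SSL_SESSION(session, NULL)` can report an error with a negative return, and that value is then handed straight to `OPENSSL_malloc(sess->derlen)` and, on the last line, assumed to equal what the second encoding pass writes into `sess->der`. A check right after the length query, releasing `sess` and returning 0 as the other failure paths do, closes that gap; the excerpt below shows the placement. Separately, the `if(` spelling on the added lines differs from the file's `if (`, and the `if(sess->id)`/`if(sess->der)` guards are only needed if OPENSSL_free does not accept NULL, which I cannot confirm from the hunk. The enclosing callback's signature and the rest of its body lie outside the hunk.
```c
    SSL_SESSION_get_id(session, &sess->idlen);
    sess->derlen = i2d_SSL_SESSION(session, NULL);
    if (sess->derlen <= 0) {
        BIO_printf(bio_err, "Error encoding session for external cache\n");
        OPENSSL_free(sess);
        return 0;
    }
    /* … unchanged: id/der allocation and their NULL checks … */
```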