Don't skip leading zeroes in PSK keys.

[openssl.git] / apps / s_server.c

diff --git a/apps/s_server.c b/apps/s_server.c
index 3e1e1ae68685e44acb13b4e03155eec4f15456c1..9188ecf29c902c5e95349ab826509818273625b1 100644 (file)
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -146,9 +146,6 @@ static int async = 0;
 static unsigned int split_send_fragment = 0;
 static unsigned int max_pipelines = 0;
 
-#ifndef OPENSSL_NO_ENGINE
-static char *engine_id = NULL;
-#endif
 static const char *session_id_prefix = NULL;
 
 #ifndef OPENSSL_NO_DTLS
@@ -169,9 +166,8 @@ static unsigned int psk_server_cb(SSL *ssl, const char *identity,
                                   unsigned char *psk,
                                   unsigned int max_psk_len)
 {
-    unsigned int psk_len = 0;
-    int ret;
-    BIGNUM *bn = NULL;
+    long key_len = 0;
+    unsigned char *key;
 
     if (s_debug)
         BIO_printf(bio_s_out, "psk_server_cb\n");
@@ -193,31 +189,26 @@ static unsigned int psk_server_cb(SSL *ssl, const char *identity,
         BIO_printf(bio_s_out, "PSK client identity found\n");
 
     /* convert the PSK key to binary */
-    ret = BN_hex2bn(&bn, psk_key);
-    if (!ret) {
-        BIO_printf(bio_err, "Could not convert PSK key '%s' to BIGNUM\n",
+    key = OPENSSL_hexstr2buf(psk_key, &key_len);
+    if (key == NULL) {
+        BIO_printf(bio_err, "Could not convert PSK key '%s' to buffer\n",
                    psk_key);
-        BN_free(bn);
         return 0;
     }
-    if (BN_num_bytes(bn) > (int)max_psk_len) {
+    if (key_len > (int)max_psk_len) {
         BIO_printf(bio_err,
-                   "psk buffer of callback is too small (%d) for key (%d)\n",
-                   max_psk_len, BN_num_bytes(bn));
-        BN_free(bn);
+                   "psk buffer of callback is too small (%d) for key (%ld)\n",
+                   max_psk_len, key_len);
+        OPENSSL_free(key);
         return 0;
     }
 
-    ret = BN_bn2bin(bn, psk);
-    BN_free(bn);
-
-    if (ret < 0)
-        goto out_err;
-    psk_len = (unsigned int)ret;
+    memcpy(psk, key, key_len);
+    OPENSSL_free(key);
 
     if (s_debug)
-        BIO_printf(bio_s_out, "fetched PSK len=%d\n", psk_len);
-    return psk_len;
+        BIO_printf(bio_s_out, "fetched PSK len=%ld\n", key_len);
+    return key_len;
  out_err:
     if (s_debug)
         BIO_printf(bio_err, "Error in PSK server callback\n");
@@ -305,9 +296,6 @@ static void s_server_init(void)
     async = 0;
     split_send_fragment = 0;
     max_pipelines = 0;
-#ifndef OPENSSL_NO_ENGINE
-    engine_id = NULL;
-#endif
 }
 
 static int local_argc = 0;
@@ -582,13 +570,13 @@ static int cert_status_cb(SSL *s, void *arg)
         BIO_puts(bio_err, "cert_status: Can't retrieve issuer certificate.\n");
         goto done;
     }
-    req = OCSP_REQUEST_new();
-    if (req == NULL)
-        goto err;
     id = OCSP_cert_to_id(NULL, x, X509_OBJECT_get0_X509(obj));
     X509_OBJECT_free(obj);
     if (!id)
         goto err;
+    req = OCSP_REQUEST_new();
+    if (req == NULL)
+        goto err;
     if (!OCSP_request_add0_id(req, id))
         goto err;
     id = NULL;
@@ -919,12 +907,12 @@ OPTIONS s_server_options[] = {
 #ifndef OPENSSL_NO_ENGINE
     {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
 #endif
-    {NULL}
+    {NULL, OPT_EOF, 0, NULL}
 };
 
 int s_server_main(int argc, char *argv[])
 {
-    ENGINE *e = NULL;
+    ENGINE *engine = NULL;
     EVP_PKEY *s_key = NULL, *s_dkey = NULL;
     SSL_CONF_CTX *cctx = NULL;
     const SSL_METHOD *meth = TLS_server_method();
@@ -1396,7 +1384,7 @@ int s_server_main(int argc, char *argv[])
             session_id_prefix = opt_arg();
             break;
         case OPT_ENGINE:
-            e = setup_engine(opt_arg(), 1);
+            engine = setup_engine(opt_arg(), 1);
             break;
         case OPT_RAND:
             inrand = opt_arg();
@@ -1502,7 +1490,7 @@ int s_server_main(int argc, char *argv[])
         goto end;
 
     if (nocert == 0) {
-        s_key = load_key(s_key_file, s_key_format, 0, pass, e,
+        s_key = load_key(s_key_file, s_key_format, 0, pass, engine,
                          "server certificate private key file");
         if (!s_key) {
             ERR_print_errors(bio_err);
@@ -1523,7 +1511,7 @@ int s_server_main(int argc, char *argv[])
         }
 
         if (tlsextcbp.servername) {
-            s_key2 = load_key(s_key_file2, s_key_format, 0, pass, e,
+            s_key2 = load_key(s_key_file2, s_key_format, 0, pass, engine,
                               "second server certificate private key file");
             if (!s_key2) {
                 ERR_print_errors(bio_err);
@@ -1582,7 +1570,7 @@ int s_server_main(int argc, char *argv[])
             s_dkey_file = s_dcert_file;
 
         s_dkey = load_key(s_dkey_file, s_dkey_format,
-                          0, dpass, e, "second certificate private key file");
+                          0, dpass, engine, "second certificate private key file");
         if (!s_dkey) {
             ERR_print_errors(bio_err);
             goto end;
@@ -1766,9 +1754,10 @@ int s_server_main(int argc, char *argv[])
         if (async)
             SSL_CTX_set_mode(ctx2, SSL_MODE_ASYNC);
 
-        if ((!SSL_CTX_load_verify_locations(ctx2, CAfile, CApath)) ||
-            (!SSL_CTX_set_default_verify_paths(ctx2))) {
+        if (!ctx_set_verify_locations(ctx2, CAfile, CApath, noCAfile,
+                                      noCApath)) {
             ERR_print_errors(bio_err);
+            goto end;
         }
         if (vpmtouched && !SSL_CTX_set1_param(ctx2, vpm)) {
             BIO_printf(bio_err, "Error setting verify params\n");
@@ -2172,10 +2161,10 @@ static int sv_body(int s, int stype, unsigned char *context)
             tv.tv_sec = 1;
             tv.tv_usec = 0;
             i = select(width, (void *)&readfds, NULL, NULL, &tv);
-            if ((i < 0) || (!i && !_kbhit()))
-                continue;
-            if (_kbhit())
+            if (has_stdin_waiting())
                 read_from_terminal = 1;
+            if ((i < 0) || (!i && !read_from_terminal))
+                continue;
 #else
             if ((SSL_version(con) == DTLS1_VERSION) &&
                 DTLSv1_get_timeout(con, &timeout))
@@ -2314,12 +2303,14 @@ static int sv_body(int s, int stype, unsigned char *context)
                     break;
                 case SSL_ERROR_WANT_ASYNC:
                     BIO_printf(bio_s_out, "Write BLOCK (Async)\n");
+                    (void)BIO_flush(bio_s_out);
                     wait_for_async(con);
                     break;
                 case SSL_ERROR_WANT_WRITE:
                 case SSL_ERROR_WANT_READ:
                 case SSL_ERROR_WANT_X509_LOOKUP:
                     BIO_printf(bio_s_out, "Write BLOCK\n");
+                    (void)BIO_flush(bio_s_out);
                     break;
                 case SSL_ERROR_WANT_ASYNC_JOB:
                     /*
@@ -2388,16 +2379,19 @@ static int sv_body(int s, int stype, unsigned char *context)
                     ascii2ebcdic(buf, buf, i);
 #endif
                     raw_write_stdout(buf, (unsigned int)i);
+                    (void)BIO_flush(bio_s_out);
                     if (SSL_has_pending(con))
                         goto again;
                     break;
                 case SSL_ERROR_WANT_ASYNC:
                     BIO_printf(bio_s_out, "Read BLOCK (Async)\n");
+                    (void)BIO_flush(bio_s_out);
                     wait_for_async(con);
                     break;
                 case SSL_ERROR_WANT_WRITE:
                 case SSL_ERROR_WANT_READ:
                     BIO_printf(bio_s_out, "Read BLOCK\n");
+                    (void)BIO_flush(bio_s_out);
                     break;
                 case SSL_ERROR_WANT_ASYNC_JOB:
                     /*
@@ -2453,6 +2447,7 @@ static int init_ssl_connection(SSL *con)
     unsigned next_proto_neg_len;
 #endif
     unsigned char *exportedkeymat;
+    int retry = 0;
 
 #ifndef OPENSSL_NO_DTLS
     if(dtlslisten) {
@@ -2480,6 +2475,8 @@ static int init_ssl_connection(SSL *con)
             BIO_ADDR_free(client);
             dtlslisten = 0;
             i = SSL_accept(con);
+        } else {
+            BIO_ADDR_free(client);
         }
     } else
 #endif
@@ -2487,6 +2484,8 @@ static int init_ssl_connection(SSL *con)
     do {
         i = SSL_accept(con);
 
+        if (i <= 0)
+            retry = BIO_sock_should_retry(i);
 #ifdef CERT_CB_TEST_RETRY
         {
             while (i <= 0 && SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP
@@ -2494,6 +2493,8 @@ static int init_ssl_connection(SSL *con)
                 BIO_printf(bio_err,
                        "LOOKUP from certificate callback during accept\n");
                 i = SSL_accept(con);
+                if (i <= 0)
+                    retry = BIO_sock_should_retry(i);
             }
         }
 #endif
@@ -2512,13 +2513,15 @@ static int init_ssl_connection(SSL *con)
             else
                 BIO_printf(bio_s_out, "LOOKUP not successful\n");
             i = SSL_accept(con);
+            if (i <= 0)
+                retry = BIO_sock_should_retry(i);
         }
 #endif
     } while (i < 0 && SSL_waiting_for_async(con));
 
     if (i <= 0) {
         if ((dtlslisten && i == 0)
-                || (!dtlslisten && BIO_sock_should_retry(i))) {
+                || (!dtlslisten && retry)) {
             BIO_printf(bio_s_out, "DELAY\n");
             return (1);
         }
@@ -2604,6 +2607,7 @@ static int init_ssl_connection(SSL *con)
         OPENSSL_free(exportedkeymat);
     }
 
+       (void)BIO_flush(bio_s_out);
     return (1);
 }