X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=apps%2Fs_cb.c;h=442b33556817e789e4fe9b0d9d7f5771217b3afb;hp=12e89620ec1d7188a990bb18c06b1db36530c7da;hb=86885c289580066792415218754bd935b449f170;hpb=0f113f3ee4d629ef9a4a30911b22b224772085e5 diff --git a/apps/s_cb.c b/apps/s_cb.c index 12e89620ec..442b335568 100644 --- a/apps/s_cb.c +++ b/apps/s_cb.c @@ -1,4 +1,3 @@ -/* apps/s_cb.c - callback functions used by s_client, s_server, and s_time */ /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) * All rights reserved. * @@ -109,12 +108,12 @@ * */ +/* callback functions used by s_client, s_server, and s_time */ #include #include +#include #define USE_SOCKETS -#define NON_MAIN #include "apps.h" -#undef NON_MAIN #undef USE_SOCKETS #include #include @@ -187,11 +186,11 @@ int verify_callback(int ok, X509_STORE_CTX *ctx) break; case X509_V_ERR_NO_EXPLICIT_POLICY: if (!verify_quiet) - policies_print(bio_err, ctx); + policies_print(ctx); break; } if (err == X509_V_OK && ok == 2 && !verify_quiet) - policies_print(bio_err, ctx); + policies_print(ctx); if (ok && !verify_quiet) BIO_printf(bio_err, "verify return:%d\n", ok); return (ok); @@ -200,11 +199,6 @@ int verify_callback(int ok, X509_STORE_CTX *ctx) int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file) { if (cert_file != NULL) { - /*- - SSL *ssl; - X509 *x509; - */ - if (SSL_CTX_use_certificate_file(ctx, cert_file, SSL_FILETYPE_PEM) <= 0) { BIO_printf(bio_err, "unable to get certificate from '%s'\n", @@ -221,21 +215,6 @@ int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file) return (0); } - /*- - In theory this is no longer needed - ssl=SSL_new(ctx); - x509=SSL_get_certificate(ssl); - - if (x509 != NULL) { - EVP_PKEY *pktmp; - pktmp = X509_get_pubkey(x509); - EVP_PKEY_copy_parameters(pktmp, - SSL_get_privatekey(ssl)); - EVP_PKEY_free(pktmp); - } - SSL_free(ssl); - */ - /* * If we are using DSA, we can copy the parameters from the private * key @@ -456,10 +435,11 @@ int ssl_print_curves(BIO *out, SSL *s, int noshared) { int i, ncurves, *curves, nid; const char *cname; + ncurves = SSL_get1_curves(s, NULL); if (ncurves <= 0) return 1; - curves = OPENSSL_malloc(ncurves * sizeof(int)); + curves = app_malloc(ncurves * sizeof(int), "curves to print"); SSL_get1_curves(s, curves); BIO_puts(out, "Supported Elliptic Curves: "); @@ -516,7 +496,7 @@ int ssl_print_tmp_key(BIO *out, SSL *s) case EVP_PKEY_DH: BIO_printf(out, "DH, %d bits\n", EVP_PKEY_bits(key)); break; -#ifndef OPENSSL_NO_ECDH +#ifndef OPENSSL_NO_EC case EVP_PKEY_EC: { EC_KEY *ec = EVP_PKEY_get1_EC_KEY(key); @@ -812,10 +792,6 @@ void msg_cb(int write_p, int version, int content_type, const void *buf, BIO_printf(bio, " "); num = len; -#if 0 - if (num > 16) - num = 16; -#endif for (i = 0; i < num; i++) { if (i % 16 == 0 && i > 0) BIO_printf(bio, "\n "); @@ -907,11 +883,6 @@ void tlsext_cb(SSL *s, int client_server, int type, extname = "renegotiation info"; break; -#ifdef TLSEXT_TYPE_opaque_prf_input - case TLSEXT_TYPE_opaque_prf_input: - extname = "opaque PRF input"; - break; -#endif #ifdef TLSEXT_TYPE_next_proto_neg case TLSEXT_TYPE_next_proto_neg: extname = "next protocol"; @@ -953,7 +924,7 @@ int generate_cookie_callback(SSL *ssl, unsigned char *cookie, /* Initialize a random secret */ if (!cookie_initialized) { - if (!RAND_bytes(cookie_secret, COOKIE_SECRET_LENGTH)) { + if (RAND_bytes(cookie_secret, COOKIE_SECRET_LENGTH) <= 0) { BIO_printf(bio_err, "error setting random cookie secret\n"); return 0; } @@ -980,12 +951,7 @@ int generate_cookie_callback(SSL *ssl, unsigned char *cookie, OPENSSL_assert(0); break; } - buffer = OPENSSL_malloc(length); - - if (buffer == NULL) { - BIO_printf(bio_err, "out of memory\n"); - return 0; - } + buffer = app_malloc(length, "cookie generate buffer"); switch (peer.sa.sa_family) { case AF_INET: @@ -1053,12 +1019,7 @@ int verify_cookie_callback(SSL *ssl, unsigned char *cookie, OPENSSL_assert(0); break; } - buffer = OPENSSL_malloc(length); - - if (buffer == NULL) { - BIO_printf(bio_err, "out of memory\n"); - return 0; - } + buffer = app_malloc(length, "cookie verify buffer"); switch (peer.sa.sa_family) { case AF_INET: @@ -1129,19 +1090,20 @@ struct chain_flags chain_flags_list[] = { {0, NULL} }; -static void print_chain_flags(BIO *out, SSL *s, int flags) +static void print_chain_flags(SSL *s, int flags) { struct chain_flags *ctmp = chain_flags_list; + while (ctmp->name) { - BIO_printf(out, "\t%s: %s\n", ctmp->name, + BIO_printf(bio_err, "\t%s: %s\n", ctmp->name, flags & ctmp->flag ? "OK" : "NOT OK"); ctmp++; } - BIO_printf(out, "\tSuite B: "); + BIO_printf(bio_err, "\tSuite B: "); if (SSL_set_cert_flags(s, 0) & SSL_CERT_FLAG_SUITEB_128_LOS) - BIO_puts(out, flags & CERT_PKEY_SUITEB ? "OK\n" : "NOT OK\n"); + BIO_puts(bio_err, flags & CERT_PKEY_SUITEB ? "OK\n" : "NOT OK\n"); else - BIO_printf(out, "not tested\n"); + BIO_printf(bio_err, "not tested\n"); } /* @@ -1182,11 +1144,12 @@ static int set_cert_cb(SSL *ssl, void *arg) X509_NAME_print_ex(bio_err, X509_get_subject_name(exc->cert), 0, XN_FLAG_ONELINE); BIO_puts(bio_err, "\n"); - - print_chain_flags(bio_err, ssl, rv); + print_chain_flags(ssl, rv); if (rv & CERT_PKEY_VALID) { - SSL_use_certificate(ssl, exc->cert); - SSL_use_PrivateKey(ssl, exc->key); + if (!SSL_use_certificate(ssl, exc->cert) + || !SSL_use_PrivateKey(ssl, exc->key)) { + return 0; + } /* * NB: we wouldn't normally do this as it is not efficient * building chains on each connection better to cache the chain @@ -1210,10 +1173,8 @@ void ssl_ctx_set_excert(SSL_CTX *ctx, SSL_EXCERT *exc) static int ssl_excert_prepend(SSL_EXCERT **pexc) { - SSL_EXCERT *exc; - exc = OPENSSL_malloc(sizeof(SSL_EXCERT)); - if (!exc) - return 0; + SSL_EXCERT *exc = app_malloc(sizeof(*exc), "prepend cert"); + exc->certfile = NULL; exc->keyfile = NULL; exc->chainfile = NULL; @@ -1241,20 +1202,20 @@ static int ssl_excert_prepend(SSL_EXCERT **pexc) void ssl_excert_free(SSL_EXCERT *exc) { SSL_EXCERT *curr; + + if (!exc) + return; while (exc) { - if (exc->cert) - X509_free(exc->cert); - if (exc->key) - EVP_PKEY_free(exc->key); - if (exc->chain) - sk_X509_pop_free(exc->chain, X509_free); + X509_free(exc->cert); + EVP_PKEY_free(exc->key); + sk_X509_pop_free(exc->chain, X509_free); curr = exc; exc = exc->next; OPENSSL_free(curr); } } -int load_excert(SSL_EXCERT **pexc, BIO *err) +int load_excert(SSL_EXCERT **pexc) { SSL_EXCERT *exc = *pexc; if (!exc) @@ -1267,25 +1228,24 @@ int load_excert(SSL_EXCERT **pexc, BIO *err) } for (; exc; exc = exc->next) { if (!exc->certfile) { - BIO_printf(err, "Missing filename\n"); + BIO_printf(bio_err, "Missing filename\n"); return 0; } - exc->cert = load_cert(err, exc->certfile, exc->certform, + exc->cert = load_cert(exc->certfile, exc->certform, NULL, NULL, "Server Certificate"); if (!exc->cert) return 0; if (exc->keyfile) { - exc->key = load_key(err, exc->keyfile, exc->keyform, + exc->key = load_key(exc->keyfile, exc->keyform, 0, NULL, NULL, "Server Key"); } else { - exc->key = load_key(err, exc->certfile, exc->certform, + exc->key = load_key(exc->certfile, exc->certform, 0, NULL, NULL, "Server Key"); } if (!exc->key) return 0; if (exc->chainfile) { - exc->chain = load_certs(err, - exc->chainfile, FORMAT_PEM, + exc->chain = load_certs(exc->chainfile, FORMAT_PEM, NULL, NULL, "Server Chain"); if (!exc->chain) return 0; @@ -1294,89 +1254,72 @@ int load_excert(SSL_EXCERT **pexc, BIO *err) return 1; } -int args_excert(char ***pargs, int *pargc, - int *badarg, BIO *err, SSL_EXCERT **pexc) +enum range { OPT_X_ENUM }; + +int args_excert(int opt, SSL_EXCERT **pexc) { - char *arg = **pargs, *argn = (*pargs)[1]; SSL_EXCERT *exc = *pexc; - int narg = 2; - if (!exc) { - if (ssl_excert_prepend(&exc)) - *pexc = exc; - else { - BIO_printf(err, "Error initialising xcert\n"); - *badarg = 1; + + assert(opt > OPT_X__FIRST); + assert(opt < OPT_X__LAST); + + if (exc == NULL) { + if (!ssl_excert_prepend(&exc)) { + BIO_printf(bio_err, " %s: Error initialising xcert\n", + opt_getprog()); goto err; } + *pexc = exc; } - if (strcmp(arg, "-xcert") == 0) { - if (!argn) { - *badarg = 1; - return 1; - } + + switch ((enum range)opt) { + case OPT_X__FIRST: + case OPT_X__LAST: + return 0; + case OPT_X_CERT: if (exc->certfile && !ssl_excert_prepend(&exc)) { - BIO_printf(err, "Error adding xcert\n"); - *badarg = 1; + BIO_printf(bio_err, "%s: Error adding xcert\n", opt_getprog()); goto err; } - exc->certfile = argn; - } else if (strcmp(arg, "-xkey") == 0) { - if (!argn) { - *badarg = 1; - return 1; - } + exc->certfile = opt_arg(); + break; + case OPT_X_KEY: if (exc->keyfile) { - BIO_printf(err, "Key already specified\n"); - *badarg = 1; - return 1; - } - exc->keyfile = argn; - } else if (strcmp(arg, "-xchain") == 0) { - if (!argn) { - *badarg = 1; - return 1; - } - if (exc->chainfile) { - BIO_printf(err, "Chain already specified\n"); - *badarg = 1; - return 1; - } - exc->chainfile = argn; - } else if (strcmp(arg, "-xchain_build") == 0) { - narg = 1; - exc->build_chain = 1; - } else if (strcmp(arg, "-xcertform") == 0) { - if (!argn) { - *badarg = 1; + BIO_printf(bio_err, "%s: Key already specified\n", opt_getprog()); goto err; } - exc->certform = str2fmt(argn); - } else if (strcmp(arg, "-xkeyform") == 0) { - if (!argn) { - *badarg = 1; + exc->keyfile = opt_arg(); + break; + case OPT_X_CHAIN: + if (exc->chainfile) { + BIO_printf(bio_err, "%s: Chain already specified\n", + opt_getprog()); goto err; } - exc->keyform = str2fmt(argn); - } else - return 0; - - (*pargs) += narg; - - if (pargc) - *pargc -= narg; - - *pexc = exc; - + exc->chainfile = opt_arg(); + break; + case OPT_X_CHAIN_BUILD: + exc->build_chain = 1; + break; + case OPT_X_CERTFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &exc->certform)) + return 0; + break; + case OPT_X_KEYFORM: + if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &exc->keyform)) + return 0; + break; + } return 1; err: - ERR_print_errors(err); + ERR_print_errors(bio_err); ssl_excert_free(exc); *pexc = NULL; - return 1; + return 0; } -static void print_raw_cipherlist(BIO *bio, SSL *s) +static void print_raw_cipherlist(SSL *s) { const unsigned char *rlist; static const unsigned char scsv_id[] = { 0, 0, 0xFF }; @@ -1385,128 +1328,85 @@ static void print_raw_cipherlist(BIO *bio, SSL *s) return; num = SSL_get0_raw_cipherlist(s, NULL); rlistlen = SSL_get0_raw_cipherlist(s, &rlist); - BIO_puts(bio, "Client cipher list: "); + BIO_puts(bio_err, "Client cipher list: "); for (i = 0; i < rlistlen; i += num, rlist += num) { const SSL_CIPHER *c = SSL_CIPHER_find(s, rlist); if (i) - BIO_puts(bio, ":"); + BIO_puts(bio_err, ":"); if (c) - BIO_puts(bio, SSL_CIPHER_get_name(c)); + BIO_puts(bio_err, SSL_CIPHER_get_name(c)); else if (!memcmp(rlist, scsv_id - num + 3, num)) - BIO_puts(bio, "SCSV"); + BIO_puts(bio_err, "SCSV"); else { size_t j; - BIO_puts(bio, "0x"); + BIO_puts(bio_err, "0x"); for (j = 0; j < num; j++) - BIO_printf(bio, "%02X", rlist[j]); + BIO_printf(bio_err, "%02X", rlist[j]); } } - BIO_puts(bio, "\n"); + BIO_puts(bio_err, "\n"); } -void print_ssl_summary(BIO *bio, SSL *s) +void print_ssl_summary(SSL *s) { const SSL_CIPHER *c; X509 *peer; - /* - * const char *pnam = SSL_is_server(s) ? "client" : "server"; - */ - BIO_printf(bio, "Protocol version: %s\n", SSL_get_version(s)); - print_raw_cipherlist(bio, s); + /* const char *pnam = SSL_is_server(s) ? "client" : "server"; */ + + BIO_printf(bio_err, "Protocol version: %s\n", SSL_get_version(s)); + print_raw_cipherlist(s); c = SSL_get_current_cipher(s); - BIO_printf(bio, "Ciphersuite: %s\n", SSL_CIPHER_get_name(c)); - do_print_sigalgs(bio, s, 0); + BIO_printf(bio_err, "Ciphersuite: %s\n", SSL_CIPHER_get_name(c)); + do_print_sigalgs(bio_err, s, 0); peer = SSL_get_peer_certificate(s); if (peer) { int nid; - BIO_puts(bio, "Peer certificate: "); - X509_NAME_print_ex(bio, X509_get_subject_name(peer), + BIO_puts(bio_err, "Peer certificate: "); + X509_NAME_print_ex(bio_err, X509_get_subject_name(peer), 0, XN_FLAG_ONELINE); - BIO_puts(bio, "\n"); + BIO_puts(bio_err, "\n"); if (SSL_get_peer_signature_nid(s, &nid)) - BIO_printf(bio, "Hash used: %s\n", OBJ_nid2sn(nid)); + BIO_printf(bio_err, "Hash used: %s\n", OBJ_nid2sn(nid)); } else - BIO_puts(bio, "No peer certificate\n"); - if (peer) - X509_free(peer); + BIO_puts(bio_err, "No peer certificate\n"); + X509_free(peer); #ifndef OPENSSL_NO_EC - ssl_print_point_formats(bio, s); + ssl_print_point_formats(bio_err, s); if (SSL_is_server(s)) - ssl_print_curves(bio, s, 1); + ssl_print_curves(bio_err, s, 1); else - ssl_print_tmp_key(bio, s); + ssl_print_tmp_key(bio_err, s); #else if (!SSL_is_server(s)) - ssl_print_tmp_key(bio, s); + ssl_print_tmp_key(bio_err, s); #endif } -int args_ssl(char ***pargs, int *pargc, SSL_CONF_CTX *cctx, - int *badarg, BIO *err, STACK_OF(OPENSSL_STRING) **pstr) -{ - char *arg = **pargs, *argn = (*pargs)[1]; - int rv; - - /* Attempt to run SSL configuration command */ - rv = SSL_CONF_cmd_argv(cctx, pargc, pargs); - /* If parameter not recognised just return */ - if (rv == 0) - return 0; - /* see if missing argument error */ - if (rv == -3) { - BIO_printf(err, "%s needs an argument\n", arg); - *badarg = 1; - goto end; - } - /* Check for some other error */ - if (rv < 0) { - BIO_printf(err, "Error with command: \"%s %s\"\n", - arg, argn ? argn : ""); - *badarg = 1; - goto end; - } - /* Store command and argument */ - /* If only one argument processed store value as NULL */ - if (rv == 1) - argn = NULL; - if (!*pstr) - *pstr = sk_OPENSSL_STRING_new_null(); - if (!*pstr || !sk_OPENSSL_STRING_push(*pstr, arg) || - !sk_OPENSSL_STRING_push(*pstr, argn)) { - BIO_puts(err, "Memory allocation failure\n"); - goto end; - } - - end: - if (*badarg) - ERR_print_errors(err); - - return 1; -} - -int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx, - STACK_OF(OPENSSL_STRING) *str, int no_ecdhe, int no_jpake) +int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str, + SSL_CTX *ctx, int no_ecdhe, int no_jpake) { int i; + SSL_CONF_CTX_set_ssl_ctx(cctx, ctx); for (i = 0; i < sk_OPENSSL_STRING_num(str); i += 2) { - const char *param = sk_OPENSSL_STRING_value(str, i); - const char *value = sk_OPENSSL_STRING_value(str, i + 1); - /* - * If no_ecdhe or named curve already specified don't need a default. - */ - if (!no_ecdhe && !strcmp(param, "-named_curve")) + const char *flag = sk_OPENSSL_STRING_value(str, i); + const char *arg = sk_OPENSSL_STRING_value(str, i + 1); + /* If no_ecdhe or named curve already specified don't need a default. */ + if (!no_ecdhe && strcmp(flag, "-named_curve") == 0) no_ecdhe = 1; #ifndef OPENSSL_NO_JPAKE - if (!no_jpake && !strcmp(param, "-cipher")) { - BIO_puts(err, "JPAKE sets cipher to PSK\n"); + if (!no_jpake && (strcmp(flag, "-cipher") == 0)) { + BIO_puts(bio_err, "JPAKE sets cipher to PSK\n"); return 0; } #endif - if (SSL_CONF_cmd(cctx, param, value) <= 0) { - BIO_printf(err, "Error with command: \"%s %s\"\n", - param, value ? value : ""); - ERR_print_errors(err); + if (SSL_CONF_cmd(cctx, flag, arg) <= 0) { + if (arg) + BIO_printf(bio_err, "Error with command: \"%s %s\"\n", + flag, arg); + else + BIO_printf(bio_err, "Error with command: \"%s\"\n", flag); + ERR_print_errors(bio_err); return 0; } } @@ -1517,23 +1417,23 @@ int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx, */ if (!no_ecdhe) { if (SSL_CONF_cmd(cctx, "-named_curve", "P-256") <= 0) { - BIO_puts(err, "Error setting EC curve\n"); - ERR_print_errors(err); + BIO_puts(bio_err, "Error setting EC curve\n"); + ERR_print_errors(bio_err); return 0; } } #ifndef OPENSSL_NO_JPAKE if (!no_jpake) { if (SSL_CONF_cmd(cctx, "-cipher", "PSK") <= 0) { - BIO_puts(err, "Error setting cipher to PSK\n"); - ERR_print_errors(err); + BIO_puts(bio_err, "Error setting cipher to PSK\n"); + ERR_print_errors(bio_err); return 0; } } #endif if (!SSL_CONF_CTX_finish(cctx)) { - BIO_puts(err, "Error finishing context\n"); - ERR_print_errors(err); + BIO_puts(bio_err, "Error finishing context\n"); + ERR_print_errors(bio_err); return 0; } return 1; @@ -1584,10 +1484,8 @@ int ssl_load_stores(SSL_CTX *ctx, } rv = 1; err: - if (vfy) - X509_STORE_free(vfy); - if (ch) - X509_STORE_free(ch); + X509_STORE_free(vfy); + X509_STORE_free(ch); return rv; } @@ -1764,10 +1662,11 @@ static int security_callback_debug(SSL *s, SSL_CTX *ctx, return rv; } -void ssl_ctx_security_debug(SSL_CTX *ctx, BIO *out, int verbose) +void ssl_ctx_security_debug(SSL_CTX *ctx, int verbose) { static security_debug_ex sdb; - sdb.out = out; + + sdb.out = bio_err; sdb.verbose = verbose; sdb.old_cb = SSL_CTX_get_security_callback(ctx); SSL_CTX_set_security_callback(ctx, security_callback_debug);