X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=apps%2Fs_cb.c;h=c72e4c2314504fa1ae91dde4ef020846ce1a942c;hp=a14e00cd33e73e7dd17936e2c13f95415561c8c2;hb=87a595e554f9e753c3e653c8caae62739c7958b0;hpb=3b061a00e39d2e4ad524ff01cbdc0c53fe8171ee diff --git a/apps/s_cb.c b/apps/s_cb.c index a14e00cd33..c72e4c2314 100644 --- a/apps/s_cb.c +++ b/apps/s_cb.c @@ -131,8 +131,8 @@ int verify_depth = 0; int verify_quiet = 0; int verify_error = X509_V_OK; int verify_return_error = 0; -unsigned char cookie_secret[COOKIE_SECRET_LENGTH]; -int cookie_initialized = 0; +static unsigned char cookie_secret[COOKIE_SECRET_LENGTH]; +static int cookie_initialized = 0; static const char *lookup(int val, const STRINT_PAIR* list, const char* def) { @@ -288,7 +288,6 @@ static STRINT_PAIR cert_type_list[] = { {"ECDSA sign", TLS_CT_ECDSA_SIGN}, {"RSA fixed ECDH", TLS_CT_RSA_FIXED_ECDH}, {"ECDSA fixed ECDH", TLS_CT_ECDSA_FIXED_ECDH}, - {"GOST94 Sign", TLS_CT_GOST94_SIGN}, {"GOST01 Sign", TLS_CT_GOST01_SIGN}, {NULL} }; @@ -711,6 +710,13 @@ static STRINT_PAIR tlsext_types[] = { #endif #ifdef TLSEXT_TYPE_encrypt_then_mac {"encrypt-then-mac", TLSEXT_TYPE_encrypt_then_mac}, +#endif +#ifdef TLSEXT_TYPE_application_layer_protocol_negotiation + {"application layer protocol negotiation", + TLSEXT_TYPE_application_layer_protocol_negotiation}, +#endif +#ifdef TLSEXT_TYPE_extended_master_secret + {"extended master secret", TLSEXT_TYPE_extended_master_secret}, #endif {NULL} }; @@ -730,8 +736,8 @@ void tlsext_cb(SSL *s, int client_server, int type, int generate_cookie_callback(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len) { - unsigned char *buffer, result[EVP_MAX_MD_SIZE]; - unsigned int length, resultlength; + unsigned char *buffer; + unsigned int length; union { struct sockaddr sa; struct sockaddr_in s4; @@ -791,78 +797,23 @@ int generate_cookie_callback(SSL *ssl, unsigned char *cookie, /* Calculate HMAC of buffer using the secret */ HMAC(EVP_sha1(), cookie_secret, COOKIE_SECRET_LENGTH, - buffer, length, result, &resultlength); + buffer, length, cookie, cookie_len); OPENSSL_free(buffer); - memcpy(cookie, result, resultlength); - *cookie_len = resultlength; - return 1; } -int verify_cookie_callback(SSL *ssl, unsigned char *cookie, +int verify_cookie_callback(SSL *ssl, const unsigned char *cookie, unsigned int cookie_len) { - unsigned char *buffer, result[EVP_MAX_MD_SIZE]; - unsigned int length, resultlength; - union { - struct sockaddr sa; - struct sockaddr_in s4; -#if OPENSSL_USE_IPV6 - struct sockaddr_in6 s6; -#endif - } peer; - - /* If secret isn't initialized yet, the cookie can't be valid */ - if (!cookie_initialized) - return 0; - - /* Read peer information */ - (void)BIO_dgram_get_peer(SSL_get_rbio(ssl), &peer); - - /* Create buffer with peer's address and port */ - length = 0; - switch (peer.sa.sa_family) { - case AF_INET: - length += sizeof(struct in_addr); - length += sizeof(peer.s4.sin_port); - break; -#if OPENSSL_USE_IPV6 - case AF_INET6: - length += sizeof(struct in6_addr); - length += sizeof(peer.s6.sin6_port); - break; -#endif - default: - OPENSSL_assert(0); - break; - } - buffer = app_malloc(length, "cookie verify buffer"); - - switch (peer.sa.sa_family) { - case AF_INET: - memcpy(buffer, &peer.s4.sin_port, sizeof(peer.s4.sin_port)); - memcpy(buffer + sizeof(peer.s4.sin_port), - &peer.s4.sin_addr, sizeof(struct in_addr)); - break; -#if OPENSSL_USE_IPV6 - case AF_INET6: - memcpy(buffer, &peer.s6.sin6_port, sizeof(peer.s6.sin6_port)); - memcpy(buffer + sizeof(peer.s6.sin6_port), - &peer.s6.sin6_addr, sizeof(struct in6_addr)); - break; -#endif - default: - OPENSSL_assert(0); - break; - } - - /* Calculate HMAC of buffer using the secret */ - HMAC(EVP_sha1(), cookie_secret, COOKIE_SECRET_LENGTH, - buffer, length, result, &resultlength); - OPENSSL_free(buffer); - - if (cookie_len == resultlength + unsigned char result[EVP_MAX_MD_SIZE]; + unsigned int resultlength; + + /* Note: we check cookie_initialized because if it's not, + * it cannot be valid */ + if (cookie_initialized + && generate_cookie_callback(ssl, result, &resultlength) + && cookie_len == resultlength && memcmp(result, cookie, resultlength) == 0) return 1; @@ -988,14 +939,7 @@ static int ssl_excert_prepend(SSL_EXCERT **pexc) { SSL_EXCERT *exc = app_malloc(sizeof(*exc), "prepend cert"); - exc->certfile = NULL; - exc->keyfile = NULL; - exc->chainfile = NULL; - exc->cert = NULL; - exc->key = NULL; - exc->chain = NULL; - exc->prev = NULL; - exc->build_chain = 0; + memset(exc, 0, sizeof(*exc)); exc->next = *pexc; *pexc = exc; @@ -1196,7 +1140,7 @@ void print_ssl_summary(SSL *s) } int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str, - SSL_CTX *ctx, int no_ecdhe, int no_jpake) + SSL_CTX *ctx, int no_jpake) { int i; @@ -1204,9 +1148,6 @@ int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str, for (i = 0; i < sk_OPENSSL_STRING_num(str); i += 2) { const char *flag = sk_OPENSSL_STRING_value(str, i); const char *arg = sk_OPENSSL_STRING_value(str, i + 1); - /* If no_ecdhe or named curve already specified don't need a default. */ - if (!no_ecdhe && strcmp(flag, "-named_curve") == 0) - no_ecdhe = 1; #ifndef OPENSSL_NO_JPAKE if (!no_jpake && (strcmp(flag, "-cipher") == 0)) { BIO_puts(bio_err, "JPAKE sets cipher to PSK\n"); @@ -1223,18 +1164,6 @@ int config_ctx(SSL_CONF_CTX *cctx, STACK_OF(OPENSSL_STRING) *str, return 0; } } - /* - * This is a special case to keep existing s_server functionality: if we - * don't have any curve specified *and* we haven't disabled ECDHE then - * use P-256. - */ - if (!no_ecdhe) { - if (SSL_CONF_cmd(cctx, "-named_curve", "P-256") <= 0) { - BIO_puts(bio_err, "Error setting EC curve\n"); - ERR_print_errors(bio_err); - return 0; - } - } #ifndef OPENSSL_NO_JPAKE if (!no_jpake) { if (SSL_CONF_cmd(cctx, "-cipher", "PSK") <= 0) { @@ -1280,8 +1209,10 @@ int ssl_load_stores(SSL_CTX *ctx, { X509_STORE *vfy = NULL, *ch = NULL; int rv = 0; - if (vfyCApath || vfyCAfile) { + if (vfyCApath != NULL || vfyCAfile != NULL) { vfy = X509_STORE_new(); + if (vfy == NULL) + goto err; if (!X509_STORE_load_locations(vfy, vfyCAfile, vfyCApath)) goto err; add_crls_store(vfy, crls); @@ -1289,8 +1220,10 @@ int ssl_load_stores(SSL_CTX *ctx, if (crl_download) store_setup_crl_download(vfy); } - if (chCApath || chCAfile) { + if (chCApath != NULL || chCAfile != NULL) { ch = X509_STORE_new(); + if (ch == NULL) + goto err; if (!X509_STORE_load_locations(ch, chCAfile, chCApath)) goto err; SSL_CTX_set1_chain_cert_store(ctx, ch); @@ -1385,26 +1318,26 @@ static int security_callback_debug(SSL *s, SSL_CTX *ctx, } break; #endif - +#ifndef OPENSSL_NO_DH case SSL_SECOP_OTHER_DH: { DH *dh = other; BIO_printf(sdb->out, "%d", BN_num_bits(dh->p)); break; } +#endif case SSL_SECOP_OTHER_CERT: { if (cert_md) { int sig_nid = X509_get_signature_nid(other); BIO_puts(sdb->out, OBJ_nid2sn(sig_nid)); } else { - EVP_PKEY *pkey = X509_get_pubkey(other); + EVP_PKEY *pkey = X509_get0_pubkey(other); const char *algname = ""; EVP_PKEY_asn1_get0_info(NULL, NULL, NULL, NULL, &algname, EVP_PKEY_get0_asn1(pkey)); BIO_printf(sdb->out, "%s, bits=%d", algname, EVP_PKEY_bits(pkey)); - EVP_PKEY_free(pkey); } break; }