X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=apps%2Fs_server.c;h=1e407696e7f4edc3e48d4da56c362be72e4cdbd7;hp=d3b2d4ae159693e46e5db58e7c8a1ea354400843;hb=5bafb04d2e8a792afbc97395410ef3291f3fbc8b;hpb=36086186a9b90cdad0d2cd0a598a10f03f8f4bcc diff --git a/apps/s_server.c b/apps/s_server.c index d3b2d4ae15..1e407696e7 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -140,11 +140,6 @@ * OTHERWISE. */ -/* Until the key-gen callbacks are modified to use newer prototypes, we allow - * deprecated functions for openssl-internal code */ -#ifdef OPENSSL_NO_DEPRECATED -#undef OPENSSL_NO_DEPRECATED -#endif #include #include @@ -197,10 +192,6 @@ typedef unsigned int u_int; #undef FIONBIO #endif -#if defined(OPENSSL_SYS_BEOS_R5) -#include -#endif - #ifndef OPENSSL_NO_RSA static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength); #endif @@ -218,52 +209,12 @@ static void init_session_cache_ctx(SSL_CTX *sctx); static void free_sessions(void); #ifndef OPENSSL_NO_DH static DH *load_dh_param(const char *dhfile); -static DH *get_dh512(void); #endif #ifdef MONOLITH static void s_server_init(void); #endif -#ifndef OPENSSL_NO_TLSEXT - -static const unsigned char auth_ext_data[]={TLSEXT_AUTHZDATAFORMAT_dtcp}; - -static const unsigned char *most_recent_supplemental_data; -static size_t most_recent_supplemental_data_length; - -static int client_provided_server_authz = 0; -static int client_provided_client_authz = 0; - -#endif - -#ifndef OPENSSL_NO_DH -static unsigned char dh512_p[]={ - 0xDA,0x58,0x3C,0x16,0xD9,0x85,0x22,0x89,0xD0,0xE4,0xAF,0x75, - 0x6F,0x4C,0xCA,0x92,0xDD,0x4B,0xE5,0x33,0xB8,0x04,0xFB,0x0F, - 0xED,0x94,0xEF,0x9C,0x8A,0x44,0x03,0xED,0x57,0x46,0x50,0xD3, - 0x69,0x99,0xDB,0x29,0xD7,0x76,0x27,0x6B,0xA2,0xD3,0xD4,0x12, - 0xE2,0x18,0xF4,0xDD,0x1E,0x08,0x4C,0xF6,0xD8,0x00,0x3E,0x7C, - 0x47,0x74,0xE8,0x33, - }; -static unsigned char dh512_g[]={ - 0x02, - }; - -static DH *get_dh512(void) - { - DH *dh=NULL; - - if ((dh=DH_new()) == NULL) return(NULL); - dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL); - dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL); - if ((dh->p == NULL) || (dh->g == NULL)) - return(NULL); - return(dh); - } -#endif - - /* static int load_CA(SSL_CTX *ctx, char *file);*/ #undef BUFSIZZ @@ -328,29 +279,9 @@ static int cert_chain = 0; #endif #ifndef OPENSSL_NO_TLSEXT -static int suppdata_cb(SSL *s, unsigned short supp_data_type, - const unsigned char *in, - unsigned short inlen, int *al, - void *arg); - -static int auth_suppdata_generate_cb(SSL *s, unsigned short supp_data_type, - const unsigned char **out, - unsigned short *outlen, void *arg); - -static int authz_tlsext_generate_cb(SSL *s, unsigned short ext_type, - const unsigned char **out, unsigned short *outlen, - void *arg); - -static int authz_tlsext_cb(SSL *s, unsigned short ext_type, - const unsigned char *in, - unsigned short inlen, int *al, - void *arg); - static BIO *serverinfo_in = NULL; static const char *s_serverinfo_file = NULL; -static int c_auth = 0; -static int c_auth_require_reneg = 0; #endif #ifndef OPENSSL_NO_PSK @@ -505,16 +436,18 @@ static void sv_usage(void) { BIO_printf(bio_err,"usage: s_server [args ...]\n"); BIO_printf(bio_err,"\n"); - BIO_printf(bio_err," -accept arg - port to accept on (default is %d)\n",PORT); + BIO_printf(bio_err," -accept port - TCP/IP port to accept on (default is %d)\n",PORT); + BIO_printf(bio_err," -unix path - unix domain socket to accept on\n"); + BIO_printf(bio_err," -unlink - for -unix, unlink existing socket first\n"); BIO_printf(bio_err," -context arg - set session ID context\n"); BIO_printf(bio_err," -verify arg - turn on peer certificate verification\n"); BIO_printf(bio_err," -Verify arg - turn on peer certificate verification, must have a cert.\n"); + BIO_printf(bio_err," -verify_return_error - return verification errors\n"); BIO_printf(bio_err," -cert arg - certificate file to use\n"); BIO_printf(bio_err," (default is %s)\n",TEST_CERT); + BIO_printf(bio_err," -naccept arg - terminate after 'arg' connections\n"); #ifndef OPENSSL_NO_TLSEXT BIO_printf(bio_err," -serverinfo arg - PEM serverinfo file for certificate\n"); - BIO_printf(bio_err," -auth - send and receive RFC 5878 TLS auth extensions and supplemental data\n"); - BIO_printf(bio_err," -auth_require_reneg - Do not send TLS auth extensions until renegotiation\n"); #endif BIO_printf(bio_err," -no_resumption_on_reneg - set SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION flag\n"); BIO_printf(bio_err," -crl_check - check the peer certificate has not been revoked by its CA.\n" \ @@ -549,6 +482,7 @@ static void sv_usage(void) BIO_printf(bio_err," -state - Print the SSL states\n"); BIO_printf(bio_err," -CApath arg - PEM format directory of CA's\n"); BIO_printf(bio_err," -CAfile arg - PEM format file of CA's\n"); + BIO_printf(bio_err," -trusted_first - Use locally trusted CA's first when building trust chain\n"); BIO_printf(bio_err," -nocert - Don't use any certificates (Anon-DH)\n"); BIO_printf(bio_err," -cipher arg - play with 'openssl ciphers' to see what goes here\n"); BIO_printf(bio_err," -serverpref - Use server's cipher preferences\n"); @@ -565,8 +499,9 @@ static void sv_usage(void) BIO_printf(bio_err," -srpvfile file - The verifier file for SRP\n"); BIO_printf(bio_err," -srpuserseed string - A seed string for a default user salt.\n"); #endif - BIO_printf(bio_err," -ssl2 - Just talk SSLv2\n"); +#ifndef OPENSSL_NO_SSL3_METHOD BIO_printf(bio_err," -ssl3 - Just talk SSLv3\n"); +#endif BIO_printf(bio_err," -tls1_2 - Just talk TLSv1.2\n"); BIO_printf(bio_err," -tls1_1 - Just talk TLSv1.1\n"); BIO_printf(bio_err," -tls1 - Just talk TLSv1\n"); @@ -575,7 +510,6 @@ static void sv_usage(void) BIO_printf(bio_err," -timeout - Enable timeouts\n"); BIO_printf(bio_err," -mtu - Set link layer MTU\n"); BIO_printf(bio_err," -chain - Read a certificate chain\n"); - BIO_printf(bio_err," -no_ssl2 - Just disable SSLv2\n"); BIO_printf(bio_err," -no_ssl3 - Just disable SSLv3\n"); BIO_printf(bio_err," -no_tls1 - Just disable TLSv1\n"); BIO_printf(bio_err," -no_tls1_1 - Just disable TLSv1.1\n"); @@ -588,6 +522,7 @@ static void sv_usage(void) #endif BIO_printf(bio_err, "-no_resume_ephemeral - Disable caching and tickets if ephemeral (EC)DH is used\n"); BIO_printf(bio_err," -bugs - Turn on SSL bug compatibility\n"); + BIO_printf(bio_err," -hack - workaround for early Netscape code\n"); BIO_printf(bio_err," -www - Respond to a 'GET /' with a status page\n"); BIO_printf(bio_err," -WWW - Respond to a 'GET / HTTP/1.0' with file ./\n"); BIO_printf(bio_err," -HTTP - Respond to a 'GET / HTTP/1.0' with file ./\n"); @@ -615,6 +550,10 @@ static void sv_usage(void) #endif BIO_printf(bio_err," -keymatexport label - Export keying material using label\n"); BIO_printf(bio_err," -keymatexportlen len - Export len bytes of keying material (default 20)\n"); + BIO_printf(bio_err," -status - respond to certificate status requests\n"); + BIO_printf(bio_err," -status_verbose - enable status request verbose printout\n"); + BIO_printf(bio_err," -status_timeout n - status request responder timeout\n"); + BIO_printf(bio_err," -status_url URL - status request fallback URL\n"); } static int local_argc=0; @@ -792,7 +731,7 @@ static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg) if (servername) { - if (strcmp(servername,p->servername)) + if (strcasecmp(servername,p->servername)) return p->extension_error; if (ctx2) { @@ -1033,6 +972,11 @@ int MAIN(int argc, char *argv[]) X509_VERIFY_PARAM *vpm = NULL; int badarg = 0; short port=PORT; + const char *unix_path=NULL; +#ifndef NO_SYS_UN_H + int unlink_unix_path=0; +#endif + int (*server_cb)(char *hostname, int s, int stype, unsigned char *context); char *CApath=NULL,*CAfile=NULL; char *chCApath=NULL,*chCAfile=NULL; char *vfyCApath=NULL,*vfyCAfile=NULL; @@ -1056,17 +1000,17 @@ int MAIN(int argc, char *argv[]) EVP_PKEY *s_key = NULL, *s_dkey = NULL; int no_cache = 0, ext_cache = 0; int rev = 0, naccept = -1; - int c_no_resumption_on_reneg = 0; + int sdebug = 0; #ifndef OPENSSL_NO_TLSEXT EVP_PKEY *s_key2 = NULL; X509 *s_cert2 = NULL; tlsextctx tlsextcbp = {NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING}; # ifndef OPENSSL_NO_NEXTPROTONEG const char *next_proto_neg_in = NULL; - tlsextnextprotoctx next_proto; + tlsextnextprotoctx next_proto = { NULL, 0}; +# endif const char *alpn_in = NULL; tlsextalpnctx alpn_ctx = { NULL, 0}; -# endif #endif #ifndef OPENSSL_NO_PSK /* by default do not send a PSK identity hint */ @@ -1125,6 +1069,25 @@ int MAIN(int argc, char *argv[]) if (!extract_port(*(++argv),&port)) goto bad; } + else if (strcmp(*argv,"-unix") == 0) + { +#ifdef NO_SYS_UN_H + BIO_printf(bio_err, "unix domain sockets unsupported\n"); + goto bad; +#else + if (--argc < 1) goto bad; + unix_path = *(++argv); +#endif + } + else if (strcmp(*argv,"-unlink") == 0) + { +#ifdef NO_SYS_UN_H + BIO_printf(bio_err, "unix domain sockets unsupported\n"); + goto bad; +#else + unlink_unix_path = 1; +#endif + } else if (strcmp(*argv,"-naccept") == 0) { if (--argc < 1) goto bad; @@ -1176,19 +1139,7 @@ int MAIN(int argc, char *argv[]) if (--argc < 1) goto bad; s_serverinfo_file = *(++argv); } - else if (strcmp(*argv,"-auth") == 0) - { - c_auth = 1; - } #endif - else if (strcmp(*argv, "-no_resumption_on_reneg") == 0) - { - c_no_resumption_on_reneg = 1; - } - else if (strcmp(*argv,"-auth_require_reneg") == 0) - { - c_auth_require_reneg = 1; - } else if (strcmp(*argv,"-certform") == 0) { if (--argc < 1) goto bad; @@ -1375,6 +1326,10 @@ int MAIN(int argc, char *argv[]) else if (strcmp(*argv,"-trace") == 0) { s_msg=2; } #endif + else if (strcmp(*argv,"-security_debug") == 0) + { sdebug=1; } + else if (strcmp(*argv,"-security_debug_verbose") == 0) + { sdebug=2; } else if (strcmp(*argv,"-hack") == 0) { hack=1; } else if (strcmp(*argv,"-state") == 0) @@ -1440,11 +1395,7 @@ int MAIN(int argc, char *argv[]) { www=2; } else if (strcmp(*argv,"-HTTP") == 0) { www=3; } -#ifndef OPENSSL_NO_SSL2 - else if (strcmp(*argv,"-ssl2") == 0) - { meth=SSLv2_server_method(); } -#endif -#ifndef OPENSSL_NO_SSL3 +#ifndef OPENSSL_NO_SSL3_METHOD else if (strcmp(*argv,"-ssl3") == 0) { meth=SSLv3_server_method(); } #endif @@ -1523,12 +1474,12 @@ int MAIN(int argc, char *argv[]) if (--argc < 1) goto bad; next_proto_neg_in = *(++argv); } +# endif else if (strcmp(*argv,"-alpn") == 0) { if (--argc < 1) goto bad; alpn_in = *(++argv); } -# endif #endif #if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK) else if (strcmp(*argv,"-jpake") == 0) @@ -1568,7 +1519,20 @@ bad: sv_usage(); goto end; } +#ifndef OPENSSL_NO_DTLS1 + if (www && socket_type == SOCK_DGRAM) + { + BIO_printf(bio_err, + "Can't use -HTTP, -www or -WWW with DTLS\n"); + goto end; + } +#endif + if (unix_path && (socket_type != SOCK_STREAM)) + { + BIO_printf(bio_err, "Can't use unix sockets and datagrams together\n"); + goto end; + } #if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK) if (jpake_secret) { @@ -1774,6 +1738,8 @@ bad: } ctx=SSL_CTX_new(meth); + if (sdebug) + ssl_ctx_security_debug(ctx, bio_err, sdebug); if (ctx == NULL) { ERR_print_errors(bio_err); @@ -1784,9 +1750,6 @@ bad: if(strlen(session_id_prefix) >= 32) BIO_printf(bio_err, "warning: id_prefix is too long, only one new session will be possible\n"); - else if(strlen(session_id_prefix) >= 16) - BIO_printf(bio_err, -"warning: id_prefix is too long if you use SSLv2\n"); if(!SSL_CTX_set_generate_session_id(ctx, generate_session_id)) { BIO_printf(bio_err,"error setting 'id_prefix'\n"); @@ -1863,14 +1826,14 @@ bad: { BIO_printf(bio_s_out,"Setting secondary ctx parameters\n"); + if (sdebug) + ssl_ctx_security_debug(ctx, bio_err, sdebug); + if (session_id_prefix) { if(strlen(session_id_prefix) >= 32) BIO_printf(bio_err, "warning: id_prefix is too long, only one new session will be possible\n"); - else if(strlen(session_id_prefix) >= 16) - BIO_printf(bio_err, - "warning: id_prefix is too long if you use SSLv2\n"); if(!SSL_CTX_set_generate_session_id(ctx2, generate_session_id)) { BIO_printf(bio_err,"error setting 'id_prefix'\n"); @@ -1934,11 +1897,18 @@ bad: else { BIO_printf(bio_s_out,"Using default temp DH parameters\n"); - dh=get_dh512(); } (void)BIO_flush(bio_s_out); - SSL_CTX_set_tmp_dh(ctx,dh); + if (dh == NULL) + SSL_CTX_set_dh_auto(ctx, 1); + else if (!SSL_CTX_set_tmp_dh(ctx,dh)) + { + BIO_puts(bio_err, "Error setting temp DH parameters\n"); + ERR_print_errors(bio_err); + DH_free(dh); + goto end; + } #ifndef OPENSSL_NO_TLSEXT if (ctx2) { @@ -1954,28 +1924,29 @@ bad: dh = dh2; } } - SSL_CTX_set_tmp_dh(ctx2,dh); + if (dh == NULL) + SSL_CTX_set_dh_auto(ctx2, 1); + else if (!SSL_CTX_set_tmp_dh(ctx2,dh)) + { + BIO_puts(bio_err, "Error setting temp DH parameters\n"); + ERR_print_errors(bio_err); + DH_free(dh); + goto end; + } } #endif DH_free(dh); } #endif - if (c_no_resumption_on_reneg) - { - SSL_CTX_set_options(ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION); - } if (!set_cert_key_stuff(ctx, s_cert, s_key, s_chain, build_chain)) goto end; #ifndef OPENSSL_NO_TLSEXT if (s_serverinfo_file != NULL && !SSL_CTX_use_serverinfo_file(ctx, s_serverinfo_file)) - goto end; - if (c_auth) { - SSL_CTX_set_custom_srv_ext(ctx, TLSEXT_TYPE_client_authz, authz_tlsext_cb, authz_tlsext_generate_cb, bio_err); - SSL_CTX_set_custom_srv_ext(ctx, TLSEXT_TYPE_server_authz, authz_tlsext_cb, authz_tlsext_generate_cb, bio_err); - SSL_CTX_set_srv_supp_data(ctx, TLSEXT_SUPPLEMENTALDATATYPE_authz_data, auth_suppdata_generate_cb, suppdata_cb, bio_err); + ERR_print_errors(bio_err); + goto end; } #endif #ifndef OPENSSL_NO_TLSEXT @@ -2112,11 +2083,21 @@ bad: BIO_printf(bio_s_out,"ACCEPT\n"); (void)BIO_flush(bio_s_out); if (rev) - do_server(port,socket_type,&accept_socket,rev_body, context, naccept); + server_cb = rev_body; else if (www) - do_server(port,socket_type,&accept_socket,www_body, context, naccept); + server_cb = www_body; + else + server_cb = sv_body; +#ifndef NO_SYS_UN_H + if (unix_path) + { + if (unlink_unix_path) + unlink(unix_path); + do_server_unix(unix_path,&accept_socket,server_cb, context, naccept); + } else - do_server(port,socket_type,&accept_socket,sv_body, context, naccept); +#endif + do_server(port,socket_type,&accept_socket,server_cb, context, naccept); print_stats(bio_s_out,ctx); ret=0; end: @@ -2156,8 +2137,10 @@ end: EVP_PKEY_free(s_key2); if (serverinfo_in != NULL) BIO_free(serverinfo_in); +# ifndef OPENSSL_NO_NEXTPROTONEG if (next_proto.data) OPENSSL_free(next_proto.data); +# endif if (alpn_ctx.data) OPENSSL_free(alpn_ctx.data); #endif @@ -2222,7 +2205,7 @@ static int sv_body(char *hostname, int s, int stype, unsigned char *context) KSSL_CTX *kctx; #endif struct timeval timeout; -#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5) +#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) struct timeval tv; #else struct timeval *timeoutp; @@ -2295,10 +2278,24 @@ static int sv_body(char *hostname, int s, int stype, unsigned char *context) BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout); } - if (socket_mtu > 28) + if (socket_mtu) { + if(socket_mtu < DTLS_get_link_min_mtu(con)) + { + BIO_printf(bio_err,"MTU too small. Must be at least %ld\n", + DTLS_get_link_min_mtu(con)); + ret = -1; + BIO_free(sbio); + goto err; + } SSL_set_options(con, SSL_OP_NO_QUERY_MTU); - SSL_set_mtu(con, socket_mtu - 28); + if(!DTLS_set_link_mtu(con, socket_mtu)) + { + BIO_printf(bio_err, "Failed to set MTU\n"); + ret = -1; + BIO_free(sbio); + goto err; + } } else /* want to do MTU discovery */ @@ -2362,7 +2359,7 @@ static int sv_body(char *hostname, int s, int stype, unsigned char *context) if (!read_from_sslcon) { FD_ZERO(&readfds); -#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE) && !defined(OPENSSL_SYS_BEOS_R5) +#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE) openssl_fdset(fileno(stdin),&readfds); #endif openssl_fdset(s,&readfds); @@ -2384,17 +2381,6 @@ static int sv_body(char *hostname, int s, int stype, unsigned char *context) if((i < 0) || (!i && !_kbhit() ) )continue; if(_kbhit()) read_from_terminal = 1; -#elif defined(OPENSSL_SYS_BEOS_R5) - /* Under BeOS-R5 the situation is similar to DOS */ - tv.tv_sec = 1; - tv.tv_usec = 0; - (void)fcntl(fileno(stdin), F_SETFL, O_NONBLOCK); - i=select(width,(void *)&readfds,NULL,NULL,&tv); - if ((i < 0) || (!i && read(fileno(stdin), buf, 0) < 0)) - continue; - if (read(fileno(stdin), buf, 0) >= 0) - read_from_terminal = 1; - (void)fcntl(fileno(stdin), F_SETFL, 0); #else if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_get_timeout(con, &timeout)) @@ -2663,6 +2649,15 @@ static int init_ssl_connection(SSL *con) i=SSL_accept(con); +#ifdef CERT_CB_TEST_RETRY + { + while (i <= 0 && SSL_get_error(con,i) == SSL_ERROR_WANT_X509_LOOKUP && SSL_state(con) == SSL3_ST_SR_CLNT_HELLO_C) + { + fprintf(stderr, "LOOKUP from certificate callback during accept\n"); + i=SSL_accept(con); + } + } +#endif #ifndef OPENSSL_NO_SRP while (i <= 0 && SSL_get_error(con,i) == SSL_ERROR_WANT_X509_LOOKUP) { @@ -2675,6 +2670,7 @@ static int init_ssl_connection(SSL *con) i=SSL_accept(con); } #endif + if (i <= 0) { if (BIO_sock_should_retry(i)) @@ -2959,7 +2955,7 @@ static int www_body(char *hostname, int s, int stype, unsigned char *context) BIO_printf(bio_s_out,"read R BLOCK\n"); #if defined(OPENSSL_SYS_NETWARE) delay(1000); -#elif !defined(OPENSSL_SYS_MSDOS) && !defined(__DJGPP__) +#elif !defined(OPENSSL_SYS_MSDOS) sleep(1); #endif continue; @@ -3354,7 +3350,7 @@ static int rev_body(char *hostname, int s, int stype, unsigned char *context) BIO_printf(bio_s_out,"read R BLOCK\n"); #if defined(OPENSSL_SYS_NETWARE) delay(1000); -#elif !defined(OPENSSL_SYS_MSDOS) && !defined(__DJGPP__) +#elif !defined(OPENSSL_SYS_MSDOS) sleep(1); #endif continue; @@ -3561,78 +3557,3 @@ static void free_sessions(void) } first = NULL; } - -#ifndef OPENSSL_NO_TLSEXT -static int authz_tlsext_cb(SSL *s, unsigned short ext_type, - const unsigned char *in, - unsigned short inlen, int *al, - void *arg) - { - if (TLSEXT_TYPE_server_authz == ext_type) - { - client_provided_server_authz = (memchr(in, - TLSEXT_AUTHZDATAFORMAT_dtcp, - inlen) != NULL); - } - - if (TLSEXT_TYPE_client_authz == ext_type) - { - client_provided_client_authz = (memchr(in, - TLSEXT_AUTHZDATAFORMAT_dtcp, - inlen) != NULL); - } - - return 1; - } - -static int authz_tlsext_generate_cb(SSL *s, unsigned short ext_type, - const unsigned char **out, unsigned short *outlen, - void *arg) - { - if (c_auth && client_provided_client_authz && client_provided_server_authz) - { - if (!c_auth_require_reneg || (c_auth_require_reneg && SSL_num_renegotiations(s))) - { - *out = auth_ext_data; - *outlen = 1; - return 1; - } - } - //no auth extension to send - return -1; - } - -static int suppdata_cb(SSL *s, unsigned short supp_data_type, - const unsigned char *in, - unsigned short inlen, int *al, - void *arg) - { - if (supp_data_type == TLSEXT_SUPPLEMENTALDATATYPE_authz_data) - { - most_recent_supplemental_data = in; - most_recent_supplemental_data_length = inlen; - } - return 1; - } - -static int auth_suppdata_generate_cb(SSL *s, unsigned short supp_data_type, - const unsigned char **out, - unsigned short *outlen, void *arg) - { - unsigned char *result; - if (c_auth && client_provided_client_authz && client_provided_server_authz) - { - if (!c_auth_require_reneg || (c_auth_require_reneg && SSL_num_renegotiations(s))) - { - result = OPENSSL_malloc(10); - memcpy(result, "1234512345", 10); - *out = result; - *outlen = 10; - return 1; - } - } - //no supplemental data to send - return -1; - } -#endif -