X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=apps%2Fs_server.c;h=afc27e15c962001444e486706754decf98278e3a;hp=64d4c82861af8f0e0e3eb3486b0f07921c3b3c3b;hb=b29228836aacf1280b6eda9c8faec06489143e43;hpb=253e893c2b0e0d1bc2d4b64073a30cfc493e5bc6 diff --git a/apps/s_server.c b/apps/s_server.c index 64d4c82861..afc27e15c9 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -124,13 +124,17 @@ #include #include #include -#include + #include #include #ifdef OPENSSL_NO_STDIO #define APPS_WIN16 #endif +#if !defined(OPENSSL_SYS_NETWARE) /* conflicts with winsock2 stuff on netware */ +#include +#endif + /* With IPv6, it looks like Digital has mixed up the proper order of recursive header file inclusion, resulting in the compiler complaining that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which @@ -150,10 +154,7 @@ typedef unsigned int u_int; #include #include #include "s_apps.h" - -#ifdef OPENSSL_SYS_WINDOWS -#include -#endif +#include "timeouts.h" #ifdef OPENSSL_SYS_WINCE /* Windows CE incorrectly defines fileno as returning void*, so to avoid problems below... */ @@ -180,7 +181,7 @@ static void print_stats(BIO *bp,SSL_CTX *ctx); static int generate_session_id(const SSL *ssl, unsigned char *id, unsigned int *id_len); #ifndef OPENSSL_NO_DH -static DH *load_dh_param(char *dhfile); +static DH *load_dh_param(const char *dhfile); static DH *get_dh512(void); #endif @@ -239,7 +240,7 @@ extern int verify_depth; static char *cipher=NULL; static int s_server_verify=SSL_VERIFY_NONE; static int s_server_session_id_context = 1; /* anything will do */ -static char *s_cert_file=TEST_CERT,*s_key_file=NULL; +static const char *s_cert_file=TEST_CERT,*s_key_file=NULL; static char *s_dcert_file=NULL,*s_dkey_file=NULL; #ifdef FIONBIO static int s_nbio=0; @@ -260,6 +261,14 @@ static char *engine_id=NULL; #endif static const char *session_id_prefix=NULL; +static int enable_timeouts = 0; +#ifdef mtu +#undef mtu +#endif +static long mtu; +static int cert_chain = 0; + + #ifdef MONOLITH static void s_server_init(void) { @@ -296,12 +305,18 @@ static void sv_usage(void) BIO_printf(bio_err," -context arg - set session ID context\n"); BIO_printf(bio_err," -verify arg - turn on peer certificate verification\n"); BIO_printf(bio_err," -Verify arg - turn on peer certificate verification, must have a cert.\n"); - BIO_printf(bio_err," -cert arg - certificate file to use, PEM format assumed\n"); + BIO_printf(bio_err," -cert arg - certificate file to use\n"); BIO_printf(bio_err," (default is %s)\n",TEST_CERT); - BIO_printf(bio_err," -key arg - Private Key file to use, PEM format assumed, in cert file if\n"); + BIO_printf(bio_err," -certform arg - certificate format (PEM or DER) PEM default\n"); + BIO_printf(bio_err," -key arg - Private Key file to use, in cert file if\n"); BIO_printf(bio_err," not specified (default is %s)\n",TEST_CERT); + BIO_printf(bio_err," -keyform arg - key format (PEM, DER or ENGINE) PEM default\n"); + BIO_printf(bio_err," -pass arg - private key file pass phrase source\n"); BIO_printf(bio_err," -dcert arg - second certificate file to use (usually for DSA)\n"); + BIO_printf(bio_err," -dcertform x - second certificate format (PEM or DER) PEM default\n"); BIO_printf(bio_err," -dkey arg - second private key file to use (usually for DSA)\n"); + BIO_printf(bio_err," -dkeyform arg - second key format (PEM, DER or ENGINE) PEM default\n"); + BIO_printf(bio_err," -dpass arg - second private key file pass phrase source\n"); BIO_printf(bio_err," -dhparam arg - DH parameter file to use, in cert file if not specified\n"); BIO_printf(bio_err," or a default set of parameters is used\n"); #ifndef OPENSSL_NO_ECDH @@ -327,6 +342,10 @@ static void sv_usage(void) BIO_printf(bio_err," -ssl2 - Just talk SSLv2\n"); BIO_printf(bio_err," -ssl3 - Just talk SSLv3\n"); BIO_printf(bio_err," -tls1 - Just talk TLSv1\n"); + BIO_printf(bio_err," -dtls1 - Just talk DTLSv1\n"); + BIO_printf(bio_err," -timeout - Enable timeouts\n"); + BIO_printf(bio_err," -mtu - Set MTU\n"); + BIO_printf(bio_err," -chain - Read a certificate chain\n"); BIO_printf(bio_err," -no_ssl2 - Just disable SSLv2\n"); BIO_printf(bio_err," -no_ssl3 - Just disable SSLv3\n"); BIO_printf(bio_err," -no_tls1 - Just disable TLSv1\n"); @@ -509,7 +528,7 @@ int MAIN(int argc, char *argv[]) int vflags = 0; short port=PORT; char *CApath=NULL,*CAfile=NULL; - char *context = NULL; + unsigned char *context = NULL; char *dhfile = NULL; char *named_curve = NULL; int badop=0,bugs=0; @@ -518,10 +537,20 @@ int MAIN(int argc, char *argv[]) int no_tmp_rsa=0,no_dhe=0,no_ecdhe=0,nocert=0; int state=0; SSL_METHOD *meth=NULL; +#ifdef sock_type +#undef sock_type +#endif + int sock_type=SOCK_STREAM; #ifndef OPENSSL_NO_ENGINE ENGINE *e=NULL; #endif char *inrand=NULL; + int s_cert_format = FORMAT_PEM, s_key_format = FORMAT_PEM; + char *passarg = NULL, *pass = NULL; + char *dpassarg = NULL, *dpass = NULL; + int s_dcert_format = FORMAT_PEM, s_dkey_format = FORMAT_PEM; + X509 *s_cert = NULL, *s_dcert = NULL; + EVP_PKEY *s_key = NULL, *s_dkey = NULL; #if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3) meth=SSLv23_server_method(); @@ -581,18 +610,33 @@ int MAIN(int argc, char *argv[]) else if (strcmp(*argv,"-context") == 0) { if (--argc < 1) goto bad; - context= *(++argv); + context= (unsigned char *)*(++argv); } else if (strcmp(*argv,"-cert") == 0) { if (--argc < 1) goto bad; s_cert_file= *(++argv); } + else if (strcmp(*argv,"-certform") == 0) + { + if (--argc < 1) goto bad; + s_cert_format = str2fmt(*(++argv)); + } else if (strcmp(*argv,"-key") == 0) { if (--argc < 1) goto bad; s_key_file= *(++argv); } + else if (strcmp(*argv,"-keyform") == 0) + { + if (--argc < 1) goto bad; + s_key_format = str2fmt(*(++argv)); + } + else if (strcmp(*argv,"-pass") == 0) + { + if (--argc < 1) goto bad; + passarg = *(++argv); + } else if (strcmp(*argv,"-dhparam") == 0) { if (--argc < 1) goto bad; @@ -605,11 +649,26 @@ int MAIN(int argc, char *argv[]) named_curve = *(++argv); } #endif + else if (strcmp(*argv,"-dcertform") == 0) + { + if (--argc < 1) goto bad; + s_dcert_format = str2fmt(*(++argv)); + } else if (strcmp(*argv,"-dcert") == 0) { if (--argc < 1) goto bad; s_dcert_file= *(++argv); } + else if (strcmp(*argv,"-dkeyform") == 0) + { + if (--argc < 1) goto bad; + s_dkey_format = str2fmt(*(++argv)); + } + else if (strcmp(*argv,"-dpass") == 0) + { + if (--argc < 1) goto bad; + dpassarg = *(++argv); + } else if (strcmp(*argv,"-dkey") == 0) { if (--argc < 1) goto bad; @@ -698,6 +757,22 @@ int MAIN(int argc, char *argv[]) #ifndef OPENSSL_NO_TLS1 else if (strcmp(*argv,"-tls1") == 0) { meth=TLSv1_server_method(); } +#endif +#ifndef OPENSSL_NO_DTLS1 + else if (strcmp(*argv,"-dtls1") == 0) + { + meth=DTLSv1_server_method(); + sock_type = SOCK_DGRAM; + } + else if (strcmp(*argv,"-timeout") == 0) + enable_timeouts = 1; + else if (strcmp(*argv,"-mtu") == 0) + { + if (--argc < 1) goto bad; + mtu = atol(*(++argv)); + } + else if (strcmp(*argv, "-chain") == 0) + cert_chain = 1; #endif else if (strcmp(*argv, "-id_prefix") == 0) { @@ -739,6 +814,59 @@ bad: e = setup_engine(bio_err, engine_id, 1); #endif + if (!app_passwd(bio_err, passarg, dpassarg, &pass, &dpass)) + { + BIO_printf(bio_err, "Error getting password\n"); + goto end; + } + + + if (s_key_file == NULL) + s_key_file = s_cert_file; + + s_key = load_key(bio_err, s_key_file, s_key_format, 0, pass, e, + "server certificate private key file"); + if (!s_key) + { + ERR_print_errors(bio_err); + goto end; + } + + s_cert = load_cert(bio_err,s_cert_file,s_cert_format, + NULL, e, "server certificate file"); + + if (!s_cert) + { + ERR_print_errors(bio_err); + goto end; + } + + if (s_dcert_file) + { + + if (s_dkey_file == NULL) + s_dkey_file = s_dcert_file; + + s_dkey = load_key(bio_err, s_dkey_file, s_dkey_format, + 0, dpass, e, + "second certificate private key file"); + if (!s_dkey) + { + ERR_print_errors(bio_err); + goto end; + } + + s_dcert = load_cert(bio_err,s_dcert_file,s_dcert_format, + NULL, e, "second server certificate file"); + + if (!s_dcert) + { + ERR_print_errors(bio_err); + goto end; + } + + } + if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL && !RAND_status()) { @@ -797,6 +925,10 @@ bad: if (bugs) SSL_CTX_set_options(ctx,SSL_OP_ALL); if (hack) SSL_CTX_set_options(ctx,SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG); SSL_CTX_set_options(ctx,off); + /* DTLS: partial reads end up discarding unread UDP bytes :-( + * Setting read ahead solves this problem. + */ + if (sock_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1); if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback); @@ -855,13 +987,6 @@ bad: { EC_KEY *ecdh=NULL; - ecdh = EC_KEY_new(); - if (ecdh == NULL) - { - BIO_printf(bio_err,"Could not create ECDH struct.\n"); - goto end; - } - if (named_curve) { int nid = OBJ_sn2nid(named_curve); @@ -872,9 +997,8 @@ bad: named_curve); goto end; } - - ecdh->group = EC_GROUP_new_by_nid(nid); - if (ecdh->group == NULL) + ecdh = EC_KEY_new_by_curve_name(nid); + if (ecdh == NULL) { BIO_printf(bio_err, "unable to create curve (%s)\n", named_curve); @@ -882,15 +1006,15 @@ bad: } } - if (ecdh->group != NULL) + if (ecdh != NULL) { BIO_printf(bio_s_out,"Setting temp ECDH parameters\n"); } else { BIO_printf(bio_s_out,"Using default temp ECDH parameters\n"); - ecdh->group=EC_GROUP_new_by_nid(NID_sect163r2); - if (ecdh->group == NULL) + ecdh = EC_KEY_new_by_curve_name(NID_sect163r2); + if (ecdh == NULL) { BIO_printf(bio_err, "unable to create curve (sect163r2)\n"); goto end; @@ -903,11 +1027,11 @@ bad: } #endif - if (!set_cert_stuff(ctx,s_cert_file,s_key_file)) + if (!set_cert_key_stuff(ctx,s_cert,s_key)) goto end; - if (s_dcert_file != NULL) + if (s_dcert != NULL) { - if (!set_cert_stuff(ctx,s_dcert_file,s_dkey_file)) + if (!set_cert_key_stuff(ctx,s_dcert,s_dkey)) goto end; } @@ -951,16 +1075,28 @@ bad: BIO_printf(bio_s_out,"ACCEPT\n"); if (www) - do_server(port,&accept_socket,www_body, context); + do_server(port,sock_type,&accept_socket,www_body, context); else - do_server(port,&accept_socket,sv_body, context); + do_server(port,sock_type,&accept_socket,sv_body, context); print_stats(bio_s_out,ctx); ret=0; end: if (ctx != NULL) SSL_CTX_free(ctx); + if (s_cert) + X509_free(s_cert); + if (s_dcert) + X509_free(s_dcert); + if (s_key) + EVP_PKEY_free(s_key); + if (s_dkey) + EVP_PKEY_free(s_dkey); + if (pass) + OPENSSL_free(pass); + if (dpass) + OPENSSL_free(dpass); if (bio_s_out != NULL) { - BIO_free(bio_s_out); + BIO_free(bio_s_out); bio_s_out=NULL; } apps_shutdown(); @@ -1001,7 +1137,7 @@ static int sv_body(char *hostname, int s, unsigned char *context) unsigned long l; SSL *con=NULL; BIO *sbio; -#ifdef OPENSSL_SYS_WINDOWS +#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) struct timeval tv; #endif @@ -1039,7 +1175,39 @@ static int sv_body(char *hostname, int s, unsigned char *context) } SSL_clear(con); - sbio=BIO_new_socket(s,BIO_NOCLOSE); + if (SSL_version(con) == DTLS1_VERSION) + { + struct timeval timeout; + + sbio=BIO_new_dgram(s,BIO_NOCLOSE); + + if ( enable_timeouts) + { + timeout.tv_sec = 0; + timeout.tv_usec = DGRAM_RCV_TIMEOUT; + BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout); + + timeout.tv_sec = 0; + timeout.tv_usec = DGRAM_SND_TIMEOUT; + BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout); + } + + + if ( mtu > 0) + { + SSL_set_options(con, SSL_OP_NO_QUERY_MTU); + SSL_set_mtu(con, mtu); + } + else + /* want to do MTU discovery */ + BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL); + + /* turn on cookie exchange */ + SSL_set_options(con, SSL_OP_COOKIE_EXCHANGE); + } + else + sbio=BIO_new_socket(s,BIO_NOCLOSE); + if (s_nbio_test) { BIO *test; @@ -1054,7 +1222,7 @@ static int sv_body(char *hostname, int s, unsigned char *context) if (s_debug) { con->debug=1; - BIO_set_callback(SSL_get_rbio(con),bio_dump_cb); + BIO_set_callback(SSL_get_rbio(con),bio_dump_callback); BIO_set_callback_arg(SSL_get_rbio(con),bio_s_out); } if (s_msg) @@ -1075,7 +1243,7 @@ static int sv_body(char *hostname, int s, unsigned char *context) if (!read_from_sslcon) { FD_ZERO(&readfds); -#ifndef OPENSSL_SYS_WINDOWS +#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE) FD_SET(fileno(stdin),&readfds); #endif FD_SET(s,&readfds); @@ -1085,8 +1253,8 @@ static int sv_body(char *hostname, int s, unsigned char *context) * the compiler: if you do have a cast then you can either * go for (int *) or (void *). */ -#ifdef OPENSSL_SYS_WINDOWS - /* Under Windows we can't select on stdin: only +#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) + /* Under DOS (non-djgpp) and Windows we can't select on stdin: only * on sockets. As a workaround we timeout the select every * second and check for any keypress. In a proper Windows * application we wouldn't do this because it is inefficient. @@ -1145,7 +1313,8 @@ static int sv_body(char *hostname, int s, unsigned char *context) if ((i <= 0) || (buf[0] == 'q')) { BIO_printf(bio_s_out,"DONE\n"); - SHUTDOWN(s); + if (SSL_version(con) != DTLS1_VERSION) + SHUTDOWN(s); /* close_accept_socket(); ret= -11;*/ goto err; @@ -1174,7 +1343,7 @@ static int sv_body(char *hostname, int s, unsigned char *context) } if (buf[0] == 'P') { - static char *str="Lets print some clear text\n"; + static const char *str="Lets print some clear text\n"; BIO_write(SSL_get_wbio(con),str,strlen(str)); } if (buf[0] == 'S') @@ -1358,7 +1527,7 @@ static int init_ssl_connection(SSL *con) } #ifndef OPENSSL_NO_DH -static DH *load_dh_param(char *dhfile) +static DH *load_dh_param(const char *dhfile) { DH *ret=NULL; BIO *bio; @@ -1457,7 +1626,7 @@ static int www_body(char *hostname, int s, unsigned char *context) if (s_debug) { con->debug=1; - BIO_set_callback(SSL_get_rbio(con),bio_dump_cb); + BIO_set_callback(SSL_get_rbio(con),bio_dump_callback); BIO_set_callback_arg(SSL_get_rbio(con),bio_s_out); } if (s_msg) @@ -1505,7 +1674,9 @@ static int www_body(char *hostname, int s, unsigned char *context) else { BIO_printf(bio_s_out,"read R BLOCK\n"); -#if !defined(OPENSSL_SYS_MSDOS) && !defined(__DJGPP__) +#if defined(OPENSSL_SYS_NETWARE) + delay(1000); +#elif !defined(OPENSSL_SYS_MSDOS) && !defined(__DJGPP__) sleep(1); #endif continue; @@ -1524,7 +1695,7 @@ static int www_body(char *hostname, int s, unsigned char *context) char *p; X509 *peer; STACK_OF(SSL_CIPHER) *sk; - static char *space=" "; + static const char *space=" "; BIO_puts(io,"HTTP/1.0 200 ok\r\nContent-type: text/html\r\n\r\n"); BIO_puts(io,"\n"); @@ -1604,7 +1775,7 @@ static int www_body(char *hostname, int s, unsigned char *context) { BIO *file; char *p,*e; - static char *text="HTTP/1.0 200 ok\r\nContent-type: text/plain\r\n\r\n"; + static const char *text="HTTP/1.0 200 ok\r\nContent-type: text/plain\r\n\r\n"; /* skip the '/' */ p= &(buf[5]); @@ -1780,21 +1951,30 @@ err: #ifndef OPENSSL_NO_RSA static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength) { + BIGNUM *bn = NULL; static RSA *rsa_tmp=NULL; - if (rsa_tmp == NULL) + if (!rsa_tmp && ((bn = BN_new()) == NULL)) + BIO_printf(bio_err,"Allocation error in generating RSA key\n"); + if (!rsa_tmp && bn) { if (!s_quiet) { BIO_printf(bio_err,"Generating temp (%d bit) RSA key...",keylength); (void)BIO_flush(bio_err); } - rsa_tmp=RSA_generate_key(keylength,RSA_F4,NULL,NULL); + if(!BN_set_word(bn, RSA_F4) || ((rsa_tmp = RSA_new()) == NULL) || + !RSA_generate_key_ex(rsa_tmp, keylength, bn, NULL)) + { + if(rsa_tmp) RSA_free(rsa_tmp); + rsa_tmp = NULL; + } if (!s_quiet) { BIO_printf(bio_err,"\n"); (void)BIO_flush(bio_err); } + BN_free(bn); } return(rsa_tmp); }