X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=apps%2Fs_server.c;h=d545546f29d0d3bf01a75850f6278ff4f7fad014;hp=9cbff09b858dd565db2a16761577f6099bebbf34;hb=e01a610db8dc7b86422fd08447de25756ddc21e9;hpb=fc7f190c732729c1d0eb9dcdb7ff05ed6b06056f diff --git a/apps/s_server.c b/apps/s_server.c index 9cbff09b85..d545546f29 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -1,112 +1,12 @@ -/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) - * All rights reserved. - * - * This package is an SSL implementation written - * by Eric Young (eay@cryptsoft.com). - * The implementation was written so as to conform with Netscapes SSL. - * - * This library is free for commercial and non-commercial use as long as - * the following conditions are aheared to. The following conditions - * apply to all code found in this distribution, be it the RC4, RSA, - * lhash, DES, etc., code; not just the SSL code. The SSL documentation - * included with this distribution is covered by the same copyright terms - * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * - * Copyright remains Eric Young's, and as such any Copyright notices in - * the code are not to be removed. - * If this package is used in a product, Eric Young should be given attribution - * as the author of the parts of the library used. - * This can be in the form of a textual message at program startup or - * in documentation (online or textual) provided with the package. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * 1. Redistributions of source code must retain the copyright - * notice, this list of conditions and the following disclaimer. - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in the - * documentation and/or other materials provided with the distribution. - * 3. All advertising materials mentioning features or use of this software - * must display the following acknowledgement: - * "This product includes cryptographic software written by - * Eric Young (eay@cryptsoft.com)" - * The word 'cryptographic' can be left out if the rouines from the library - * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from - * the apps directory (application code) you must include an acknowledgement: - * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * - * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND - * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE - * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE - * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL - * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS - * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT - * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY - * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF - * SUCH DAMAGE. - * - * The licence and distribution terms for any publically available version or - * derivative of this code cannot be changed. i.e. this code cannot simply be - * copied and put under another distribution licence - * [including the GNU Public Licence.] - */ -/* ==================================================================== - * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. - * - * Redistribution and use in source and binary forms, with or without - * modification, are permitted provided that the following conditions - * are met: - * - * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. - * - * 2. Redistributions in binary form must reproduce the above copyright - * notice, this list of conditions and the following disclaimer in - * the documentation and/or other materials provided with the - * distribution. - * - * 3. All advertising materials mentioning features or use of this - * software must display the following acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" - * - * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to - * endorse or promote products derived from this software without - * prior written permission. For written permission, please contact - * openssl-core@openssl.org. - * - * 5. Products derived from this software may not be called "OpenSSL" - * nor may "OpenSSL" appear in their names without prior written - * permission of the OpenSSL Project. - * - * 6. Redistributions of any form whatsoever must retain the following - * acknowledgment: - * "This product includes software developed by the OpenSSL Project - * for use in the OpenSSL Toolkit (http://www.openssl.org/)" - * - * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY - * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE - * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR - * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR - * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, - * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT - * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; - * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) - * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, - * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) - * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED - * OF THE POSSIBILITY OF SUCH DAMAGE. - * ==================================================================== - * - * This product includes cryptographic software written by Eric Young - * (eay@cryptsoft.com). This product includes software written by Tim - * Hudson (tjh@cryptsoft.com). +/* + * Copyright 1995-2016 The OpenSSL Project Authors. All Rights Reserved. * + * Licensed under the OpenSSL license (the "License"). You may not use + * this file except in compliance with the License. You can obtain a copy + * in the file LICENSE in the source distribution or at + * https://www.openssl.org/source/license.html */ + /* ==================================================================== * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. * ECC cipher suite support in OpenSSL originally developed by @@ -246,9 +146,6 @@ static int async = 0; static unsigned int split_send_fragment = 0; static unsigned int max_pipelines = 0; -#ifndef OPENSSL_NO_ENGINE -static char *engine_id = NULL; -#endif static const char *session_id_prefix = NULL; #ifndef OPENSSL_NO_DTLS @@ -269,9 +166,8 @@ static unsigned int psk_server_cb(SSL *ssl, const char *identity, unsigned char *psk, unsigned int max_psk_len) { - unsigned int psk_len = 0; - int ret; - BIGNUM *bn = NULL; + long key_len = 0; + unsigned char *key; if (s_debug) BIO_printf(bio_s_out, "psk_server_cb\n"); @@ -293,31 +189,26 @@ static unsigned int psk_server_cb(SSL *ssl, const char *identity, BIO_printf(bio_s_out, "PSK client identity found\n"); /* convert the PSK key to binary */ - ret = BN_hex2bn(&bn, psk_key); - if (!ret) { - BIO_printf(bio_err, "Could not convert PSK key '%s' to BIGNUM\n", + key = OPENSSL_hexstr2buf(psk_key, &key_len); + if (key == NULL) { + BIO_printf(bio_err, "Could not convert PSK key '%s' to buffer\n", psk_key); - BN_free(bn); return 0; } - if (BN_num_bytes(bn) > (int)max_psk_len) { + if (key_len > (int)max_psk_len) { BIO_printf(bio_err, - "psk buffer of callback is too small (%d) for key (%d)\n", - max_psk_len, BN_num_bytes(bn)); - BN_free(bn); + "psk buffer of callback is too small (%d) for key (%ld)\n", + max_psk_len, key_len); + OPENSSL_free(key); return 0; } - ret = BN_bn2bin(bn, psk); - BN_free(bn); - - if (ret < 0) - goto out_err; - psk_len = (unsigned int)ret; + memcpy(psk, key, key_len); + OPENSSL_free(key); if (s_debug) - BIO_printf(bio_s_out, "fetched PSK len=%d\n", psk_len); - return psk_len; + BIO_printf(bio_s_out, "fetched PSK len=%ld\n", key_len); + return key_len; out_err: if (s_debug) BIO_printf(bio_err, "Error in PSK server callback\n"); @@ -405,9 +296,6 @@ static void s_server_init(void) async = 0; split_send_fragment = 0; max_pipelines = 0; -#ifndef OPENSSL_NO_ENGINE - engine_id = NULL; -#endif } static int local_argc = 0; @@ -676,19 +564,19 @@ static int cert_status_cb(SSL *s, void *arg) SSL_CTX_get_cert_store(SSL_get_SSL_CTX(s)), NULL, NULL)) goto err; - obj = X509_STORE_get_X509_by_subject(inctx, X509_LU_X509, - X509_get_issuer_name(x)); + obj = X509_STORE_CTX_get_obj_by_subject(inctx, X509_LU_X509, + X509_get_issuer_name(x)); if (obj == NULL) { BIO_puts(bio_err, "cert_status: Can't retrieve issuer certificate.\n"); goto done; } - req = OCSP_REQUEST_new(); - if (req == NULL) - goto err; id = OCSP_cert_to_id(NULL, x, X509_OBJECT_get0_X509(obj)); X509_OBJECT_free(obj); if (!id) goto err; + req = OCSP_REQUEST_new(); + if (req == NULL) + goto err; if (!OCSP_request_add0_id(req, id)) goto err; id = NULL; @@ -1019,12 +907,16 @@ OPTIONS s_server_options[] = { #ifndef OPENSSL_NO_ENGINE {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, #endif - {NULL} + {NULL, OPT_EOF, 0, NULL} }; +#define IS_PROT_FLAG(o) \ + (o == OPT_SSL3 || o == OPT_TLS1 || o == OPT_TLS1_1 || o == OPT_TLS1_2 \ + || o == OPT_DTLS || o == OPT_DTLS1 || o == OPT_DTLS1_2) + int s_server_main(int argc, char *argv[]) { - ENGINE *e = NULL; + ENGINE *engine = NULL; EVP_PKEY *s_key = NULL, *s_dkey = NULL; SSL_CONF_CTX *cctx = NULL; const SSL_METHOD *meth = TLS_server_method(); @@ -1082,7 +974,7 @@ int s_server_main(int argc, char *argv[]) char *srpuserseed = NULL; char *srp_verifier_file = NULL; #endif - int min_version = 0, max_version = 0; + int min_version = 0, max_version = 0, prot_opt = 0, no_prot_opt = 0; local_argc = argc; local_argv = argv; @@ -1096,6 +988,17 @@ int s_server_main(int argc, char *argv[]) prog = opt_init(argc, argv, s_server_options); while ((o = opt_next()) != OPT_EOF) { + if (IS_PROT_FLAG(o) && ++prot_opt > 1) { + BIO_printf(bio_err, "Cannot supply multiple protocol flags\n"); + goto end; + } + if (IS_NO_PROT_FLAG(o)) + no_prot_opt++; + if (prot_opt == 1 && no_prot_opt) { + BIO_printf(bio_err, "Cannot supply both a protocol flag and " + "\"-no_\"\n"); + goto end; + } switch (o) { case OPT_EOF: case OPT_ERR: @@ -1496,7 +1399,7 @@ int s_server_main(int argc, char *argv[]) session_id_prefix = opt_arg(); break; case OPT_ENGINE: - e = setup_engine(opt_arg(), 1); + engine = setup_engine(opt_arg(), 1); break; case OPT_RAND: inrand = opt_arg(); @@ -1602,7 +1505,7 @@ int s_server_main(int argc, char *argv[]) goto end; if (nocert == 0) { - s_key = load_key(s_key_file, s_key_format, 0, pass, e, + s_key = load_key(s_key_file, s_key_format, 0, pass, engine, "server certificate private key file"); if (!s_key) { ERR_print_errors(bio_err); @@ -1623,7 +1526,7 @@ int s_server_main(int argc, char *argv[]) } if (tlsextcbp.servername) { - s_key2 = load_key(s_key_file2, s_key_format, 0, pass, e, + s_key2 = load_key(s_key_file2, s_key_format, 0, pass, engine, "second server certificate private key file"); if (!s_key2) { ERR_print_errors(bio_err); @@ -1682,7 +1585,7 @@ int s_server_main(int argc, char *argv[]) s_dkey_file = s_dcert_file; s_dkey = load_key(s_dkey_file, s_dkey_format, - 0, dpass, e, "second certificate private key file"); + 0, dpass, engine, "second certificate private key file"); if (!s_dkey) { ERR_print_errors(bio_err); goto end; @@ -1866,9 +1769,10 @@ int s_server_main(int argc, char *argv[]) if (async) SSL_CTX_set_mode(ctx2, SSL_MODE_ASYNC); - if ((!SSL_CTX_load_verify_locations(ctx2, CAfile, CApath)) || - (!SSL_CTX_set_default_verify_paths(ctx2))) { + if (!ctx_set_verify_locations(ctx2, CAfile, CApath, noCAfile, + noCApath)) { ERR_print_errors(bio_err); + goto end; } if (vpmtouched && !SSL_CTX_set1_param(ctx2, vpm)) { BIO_printf(bio_err, "Error setting verify params\n"); @@ -2272,10 +2176,10 @@ static int sv_body(int s, int stype, unsigned char *context) tv.tv_sec = 1; tv.tv_usec = 0; i = select(width, (void *)&readfds, NULL, NULL, &tv); - if ((i < 0) || (!i && !_kbhit())) - continue; - if (_kbhit()) + if (has_stdin_waiting()) read_from_terminal = 1; + if ((i < 0) || (!i && !read_from_terminal)) + continue; #else if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_get_timeout(con, &timeout)) @@ -2414,12 +2318,14 @@ static int sv_body(int s, int stype, unsigned char *context) break; case SSL_ERROR_WANT_ASYNC: BIO_printf(bio_s_out, "Write BLOCK (Async)\n"); + (void)BIO_flush(bio_s_out); wait_for_async(con); break; case SSL_ERROR_WANT_WRITE: case SSL_ERROR_WANT_READ: case SSL_ERROR_WANT_X509_LOOKUP: BIO_printf(bio_s_out, "Write BLOCK\n"); + (void)BIO_flush(bio_s_out); break; case SSL_ERROR_WANT_ASYNC_JOB: /* @@ -2488,16 +2394,19 @@ static int sv_body(int s, int stype, unsigned char *context) ascii2ebcdic(buf, buf, i); #endif raw_write_stdout(buf, (unsigned int)i); + (void)BIO_flush(bio_s_out); if (SSL_has_pending(con)) goto again; break; case SSL_ERROR_WANT_ASYNC: BIO_printf(bio_s_out, "Read BLOCK (Async)\n"); + (void)BIO_flush(bio_s_out); wait_for_async(con); break; case SSL_ERROR_WANT_WRITE: case SSL_ERROR_WANT_READ: BIO_printf(bio_s_out, "Read BLOCK\n"); + (void)BIO_flush(bio_s_out); break; case SSL_ERROR_WANT_ASYNC_JOB: /* @@ -2553,6 +2462,7 @@ static int init_ssl_connection(SSL *con) unsigned next_proto_neg_len; #endif unsigned char *exportedkeymat; + int retry = 0; #ifndef OPENSSL_NO_DTLS if(dtlslisten) { @@ -2580,6 +2490,8 @@ static int init_ssl_connection(SSL *con) BIO_ADDR_free(client); dtlslisten = 0; i = SSL_accept(con); + } else { + BIO_ADDR_free(client); } } else #endif @@ -2587,6 +2499,8 @@ static int init_ssl_connection(SSL *con) do { i = SSL_accept(con); + if (i <= 0) + retry = BIO_sock_should_retry(i); #ifdef CERT_CB_TEST_RETRY { while (i <= 0 && SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP @@ -2594,6 +2508,8 @@ static int init_ssl_connection(SSL *con) BIO_printf(bio_err, "LOOKUP from certificate callback during accept\n"); i = SSL_accept(con); + if (i <= 0) + retry = BIO_sock_should_retry(i); } } #endif @@ -2612,13 +2528,15 @@ static int init_ssl_connection(SSL *con) else BIO_printf(bio_s_out, "LOOKUP not successful\n"); i = SSL_accept(con); + if (i <= 0) + retry = BIO_sock_should_retry(i); } #endif } while (i < 0 && SSL_waiting_for_async(con)); if (i <= 0) { if ((dtlslisten && i == 0) - || (!dtlslisten && BIO_sock_should_retry(i))) { + || (!dtlslisten && retry)) { BIO_printf(bio_s_out, "DELAY\n"); return (1); } @@ -2704,6 +2622,7 @@ static int init_ssl_connection(SSL *con) OPENSSL_free(exportedkeymat); } + (void)BIO_flush(bio_s_out); return (1); } @@ -3400,4 +3319,4 @@ static void free_sessions(void) first = NULL; } -#endif +#endif /* OPENSSL_NO_SOCK */