X-Git-Url: https://git.openssl.org/?p=openssl.git;a=blobdiff_plain;f=apps%2Fs_server.c;h=f190d8e0d98ddf3d097ce9af62f1796c9b71258f;hp=4603cdafcd12a9c7dd9c59c6718713ed77ad279b;hb=d61ff83be977d9622b98f61a49ab3c1ca2db78a1;hpb=e7f8ff43826494896548d054ee8dbb96367f00af diff --git a/apps/s_server.c b/apps/s_server.c index 4603cdafcd..f190d8e0d9 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -270,11 +270,13 @@ extern int verify_depth, verify_return_error; static char *cipher=NULL; static int s_server_verify=SSL_VERIFY_NONE; static int s_server_session_id_context = 1; /* anything will do */ -static const char *s_cert_file=TEST_CERT,*s_key_file=NULL; +static const char *s_cert_file=TEST_CERT,*s_key_file=NULL, *s_chain_file=NULL; #ifndef OPENSSL_NO_TLSEXT static const char *s_cert_file2=TEST_CERT2,*s_key_file2=NULL; +static char *curves=NULL; +static char *sigalgs=NULL; #endif -static char *s_dcert_file=NULL,*s_dkey_file=NULL; +static char *s_dcert_file=NULL,*s_dkey_file=NULL, *s_dchain_file=NULL; #ifdef FIONBIO static int s_nbio=0; #endif @@ -287,6 +289,7 @@ static SSL_CTX *ctx2=NULL; static int www=0; static BIO *bio_s_out=NULL; +static BIO *bio_s_msg = NULL; static int s_debug=0; #ifndef OPENSSL_NO_TLSEXT static int s_tlsextdebug=0; @@ -312,6 +315,10 @@ static long socket_mtu; static int cert_chain = 0; #endif +#ifndef OPENSSL_NO_TLSEXT +static BIO *authz_in = NULL; +static const char *s_authz_file = NULL; +#endif #ifndef OPENSSL_NO_PSK static char *psk_identity="Client_identity"; @@ -434,9 +441,12 @@ static void s_server_init(void) s_server_verify=SSL_VERIFY_NONE; s_dcert_file=NULL; s_dkey_file=NULL; + s_dchain_file=NULL; s_cert_file=TEST_CERT; s_key_file=NULL; + s_chain_file=NULL; #ifndef OPENSSL_NO_TLSEXT + curves=NULL; s_cert_file2=TEST_CERT2; s_key_file2=NULL; ctx2=NULL; @@ -469,6 +479,7 @@ static void sv_usage(void) BIO_printf(bio_err," -Verify arg - turn on peer certificate verification, must have a cert.\n"); BIO_printf(bio_err," -cert arg - certificate file to use\n"); BIO_printf(bio_err," (default is %s)\n",TEST_CERT); + BIO_printf(bio_err," -authz arg - binary authz file for certificate\n"); BIO_printf(bio_err," -crl_check - check the peer certificate has not been revoked by its CA.\n" \ " The CRL(s) are appended to the certificate file\n"); BIO_printf(bio_err," -crl_check_all - check the peer certificate has not been revoked by its CA\n" \ @@ -915,7 +926,7 @@ static int next_proto_cb(SSL *s, const unsigned char **data, unsigned int *len, return SSL_TLSEXT_ERR_OK; } -# endif /* ndef OPENSSL_NO_NPN */ +# endif /* ndef OPENSSL_NO_NEXTPROTONEG */ #endif static int not_resumable_sess_cb(SSL *s, int is_forward_secure) @@ -948,6 +959,7 @@ int MAIN(int argc, char *argv[]) int badop=0,bugs=0; int ret=1; int off=0; + int cert_flags = 0; int no_tmp_rsa=0,no_dhe=0,no_ecdhe=0,nocert=0; int state=0; const SSL_METHOD *meth=NULL; @@ -959,13 +971,12 @@ int MAIN(int argc, char *argv[]) char *dpassarg = NULL, *dpass = NULL; int s_dcert_format = FORMAT_PEM, s_dkey_format = FORMAT_PEM; X509 *s_cert = NULL, *s_dcert = NULL; + STACK_OF(X509) *s_chain = NULL, *s_dchain = NULL; EVP_PKEY *s_key = NULL, *s_dkey = NULL; int no_cache = 0, ext_cache = 0; #ifndef OPENSSL_NO_TLSEXT EVP_PKEY *s_key2 = NULL; X509 *s_cert2 = NULL; -#endif -#ifndef OPENSSL_NO_TLSEXT tlsextctx tlsextcbp = {NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING}; # ifndef OPENSSL_NO_NEXTPROTONEG const char *next_proto_neg_in = NULL; @@ -980,17 +991,7 @@ int MAIN(int argc, char *argv[]) char *srpuserseed = NULL; char *srp_verifier_file = NULL; #endif -#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3) meth=SSLv23_server_method(); -#elif !defined(OPENSSL_NO_SSL3) - meth=SSLv3_server_method(); -#elif !defined(OPENSSL_NO_SSL2) - meth=SSLv2_server_method(); -#elif !defined(OPENSSL_NO_TLS1) - meth=TLSv1_server_method(); -#else - /* #error no SSL version enabled */ -#endif local_argc=argc; local_argv=argv; @@ -1049,6 +1050,13 @@ int MAIN(int argc, char *argv[]) if (--argc < 1) goto bad; s_cert_file= *(++argv); } +#ifndef OPENSSL_NO_TLSEXT + else if (strcmp(*argv,"-authz") == 0) + { + if (--argc < 1) goto bad; + s_authz_file = *(++argv); + } +#endif else if (strcmp(*argv,"-certform") == 0) { if (--argc < 1) goto bad; @@ -1069,6 +1077,11 @@ int MAIN(int argc, char *argv[]) if (--argc < 1) goto bad; passarg = *(++argv); } + else if (strcmp(*argv,"-cert_chain") == 0) + { + if (--argc < 1) goto bad; + s_chain_file= *(++argv); + } else if (strcmp(*argv,"-dhparam") == 0) { if (--argc < 1) goto bad; @@ -1106,6 +1119,11 @@ int MAIN(int argc, char *argv[]) if (--argc < 1) goto bad; s_dkey_file= *(++argv); } + else if (strcmp(*argv,"-dcert_chain") == 0) + { + if (--argc < 1) goto bad; + s_dchain_file= *(++argv); + } else if (strcmp(*argv,"-nocert") == 0) { nocert=1; @@ -1184,9 +1202,28 @@ int MAIN(int argc, char *argv[]) goto bad; } } + else if (strcmp(*argv,"-curves") == 0) + { + if (--argc < 1) goto bad; + curves= *(++argv); + } + else if (strcmp(*argv,"-sigalgs") == 0) + { + if (--argc < 1) goto bad; + sigalgs= *(++argv); + } #endif else if (strcmp(*argv,"-msg") == 0) { s_msg=1; } + else if (strcmp(*argv,"-msgfile") == 0) + { + if (--argc < 1) goto bad; + bio_s_msg = BIO_new_file(*(++argv), "w"); + } +#ifndef OPENSSL_NO_SSL_TRACE + else if (strcmp(*argv,"-trace") == 0) + { s_msg=2; } +#endif else if (strcmp(*argv,"-hack") == 0) { hack=1; } else if (strcmp(*argv,"-state") == 0) @@ -1250,12 +1287,12 @@ int MAIN(int argc, char *argv[]) { off|=SSL_OP_NO_SSLv2; } else if (strcmp(*argv,"-no_ssl3") == 0) { off|=SSL_OP_NO_SSLv3; } - else if (strcmp(*argv,"-no_tls1_2") == 0) - { off|=SSL_OP_NO_TLSv1_2; } - else if (strcmp(*argv,"-no_tls1_1") == 0) - { off|=SSL_OP_NO_TLSv1_1; } else if (strcmp(*argv,"-no_tls1") == 0) { off|=SSL_OP_NO_TLSv1; } + else if (strcmp(*argv,"-no_tls1_1") == 0) + { off|=SSL_OP_NO_TLSv1_1; } + else if (strcmp(*argv,"-no_tls1_2") == 0) + { off|=SSL_OP_NO_TLSv1_2; } else if (strcmp(*argv,"-no_comp") == 0) { off|=SSL_OP_NO_COMPRESSION; } #ifndef OPENSSL_NO_TLSEXT @@ -1271,14 +1308,12 @@ int MAIN(int argc, char *argv[]) { meth=SSLv3_server_method(); } #endif #ifndef OPENSSL_NO_TLS1 - else if (strcmp(*argv,"-tls1_2") == 0) - { meth=TLSv1_2_server_method(); } - else if (strcmp(*argv,"-tls1_1") == 0) - { meth=TLSv1_1_server_method(); } else if (strcmp(*argv,"-tls1") == 0) { meth=TLSv1_server_method(); } else if (strcmp(*argv,"-tls1_1") == 0) { meth=TLSv1_1_server_method(); } + else if (strcmp(*argv,"-tls1_2") == 0) + { meth=TLSv1_2_server_method(); } #endif #ifndef OPENSSL_NO_DTLS1 else if (strcmp(*argv,"-dtls1") == 0) @@ -1362,6 +1397,8 @@ int MAIN(int argc, char *argv[]) keymatexportlen=atoi(*(++argv)); if (keymatexportlen == 0) goto bad; } + else if (strcmp(*argv, "-cert_strict") == 0) + cert_flags |= SSL_CERT_FLAG_TLS_STRICT; else { BIO_printf(bio_err,"unknown option %s\n",*argv); @@ -1437,6 +1474,13 @@ bad: ERR_print_errors(bio_err); goto end; } + if (s_chain_file) + { + s_chain = load_certs(bio_err, s_chain_file,FORMAT_PEM, + NULL, e, "server certificate chain"); + if (!s_chain) + goto end; + } #ifndef OPENSSL_NO_TLSEXT if (tlsextcbp.servername) @@ -1458,6 +1502,7 @@ bad: goto end; } } + # ifndef OPENSSL_NO_NEXTPROTONEG if (next_proto_neg_in) { @@ -1473,7 +1518,7 @@ bad: next_proto.data = NULL; } # endif -#endif +#endif /* OPENSSL_NO_TLSEXT */ } @@ -1500,6 +1545,13 @@ bad: ERR_print_errors(bio_err); goto end; } + if (s_dchain_file) + { + s_dchain = load_certs(bio_err, s_dchain_file,FORMAT_PEM, + NULL, e, "second server certificate chain"); + if (!s_dchain) + goto end; + } } @@ -1565,6 +1617,7 @@ bad: if (bugs) SSL_CTX_set_options(ctx,SSL_OP_ALL); if (hack) SSL_CTX_set_options(ctx,SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG); SSL_CTX_set_options(ctx,off); + if (cert_flags) SSL_CTX_set_cert_flags(ctx, cert_flags); /* DTLS: partial reads end up discarding unread UDP bytes :-( * Setting read ahead solves this problem. */ @@ -1638,6 +1691,7 @@ bad: if (bugs) SSL_CTX_set_options(ctx2,SSL_OP_ALL); if (hack) SSL_CTX_set_options(ctx2,SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG); SSL_CTX_set_options(ctx2,off); + if (cert_flags) SSL_CTX_set_cert_flags(ctx2, cert_flags); /* DTLS: partial reads end up discarding unread UDP bytes :-( * Setting read ahead solves this problem. */ @@ -1716,10 +1770,11 @@ bad: { EC_KEY *ecdh=NULL; - if (named_curve) + if (named_curve && strcmp(named_curve, "auto")) { - int nid = OBJ_sn2nid(named_curve); - + int nid = EC_curve_nist2nid(named_curve); + if (nid == NID_undef) + nid = OBJ_sn2nid(named_curve); if (nid == 0) { BIO_printf(bio_err, "unknown curve name (%s)\n", @@ -1739,6 +1794,8 @@ bad: { BIO_printf(bio_s_out,"Setting temp ECDH parameters\n"); } + else if (named_curve) + SSL_CTX_set_ecdh_auto(ctx, 1); else { BIO_printf(bio_s_out,"Using default temp ECDH parameters\n"); @@ -1760,15 +1817,19 @@ bad: } #endif - if (!set_cert_key_stuff(ctx,s_cert,s_key)) + if (!set_cert_key_stuff(ctx, s_cert, s_key, s_chain)) goto end; #ifndef OPENSSL_NO_TLSEXT - if (ctx2 && !set_cert_key_stuff(ctx2,s_cert2,s_key2)) + if (s_authz_file != NULL && !SSL_CTX_use_authz_file(ctx, s_authz_file)) + goto end; +#endif +#ifndef OPENSSL_NO_TLSEXT + if (ctx2 && !set_cert_key_stuff(ctx2,s_cert2,s_key2, NULL)) goto end; #endif if (s_dcert != NULL) { - if (!set_cert_key_stuff(ctx,s_dcert,s_dkey)) + if (!set_cert_key_stuff(ctx, s_dcert, s_dkey, s_dchain)) goto end; } @@ -1859,6 +1920,38 @@ bad: } #endif } +#ifndef OPENSSL_NO_TLSEXT + if (curves) + { + if(!SSL_CTX_set1_curves_list(ctx,curves)) + { + BIO_printf(bio_err,"error setting curves list\n"); + ERR_print_errors(bio_err); + goto end; + } + if(ctx2 && !SSL_CTX_set1_curves_list(ctx2,curves)) + { + BIO_printf(bio_err,"error setting curves list\n"); + ERR_print_errors(bio_err); + goto end; + } + } + if (sigalgs) + { + if(!SSL_CTX_set1_sigalgs_list(ctx,sigalgs)) + { + BIO_printf(bio_err,"error setting signature algorithms\n"); + ERR_print_errors(bio_err); + goto end; + } + if(ctx2 && !SSL_CTX_set1_sigalgs_list(ctx2,sigalgs)) + { + BIO_printf(bio_err,"error setting signature algorithms\n"); + ERR_print_errors(bio_err); + goto end; + } + } +#endif SSL_CTX_set_verify(ctx,s_server_verify,verify_callback); SSL_CTX_set_session_id_context(ctx,(void*)&s_server_session_id_context, sizeof s_server_session_id_context); @@ -1891,8 +1984,8 @@ bad: if ((ret = SRP_VBASE_init(srp_callback_parm.vb, srp_verifier_file)) != SRP_NO_ERROR) { BIO_printf(bio_err, - "Cannot initialize SRP verifier file \"%s\":ret=%d\n", - srp_verifier_file,ret); + "Cannot initialize SRP verifier file \"%s\":ret=%d\n", + srp_verifier_file, ret); goto end; } SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE,verify_callback); @@ -1939,12 +2032,19 @@ end: X509_free(s_cert2); if (s_key2) EVP_PKEY_free(s_key2); + if (authz_in != NULL) + BIO_free(authz_in); #endif if (bio_s_out != NULL) { BIO_free(bio_s_out); bio_s_out=NULL; } + if (bio_s_msg != NULL) + { + BIO_free(bio_s_msg); + bio_s_msg = NULL; + } apps_shutdown(); OPENSSL_EXIT(ret); } @@ -2099,8 +2199,13 @@ static int sv_body(char *hostname, int s, unsigned char *context) } if (s_msg) { - SSL_set_msg_callback(con, msg_cb); - SSL_set_msg_callback_arg(con, bio_s_out); +#ifndef OPENSSL_NO_SSL_TRACE + if (s_msg == 2) + SSL_set_msg_callback(con, SSL_trace); + else +#endif + SSL_set_msg_callback(con, msg_cb); + SSL_set_msg_callback_arg(con, bio_s_msg ? bio_s_msg : bio_s_out); } #ifndef OPENSSL_NO_TLSEXT if (s_tlsextdebug) @@ -2412,12 +2517,12 @@ static int init_ssl_connection(SSL *con) X509 *peer; long verify_error; MS_STATIC char buf[BUFSIZ]; +#ifndef OPENSSL_NO_KRB5 + char *client_princ; +#endif #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) const unsigned char *next_proto_neg; unsigned next_proto_neg_len; -#endif -#ifndef OPENSSL_NO_KRB5 - char *client_princ; #endif unsigned char *exportedkeymat; @@ -2472,7 +2577,7 @@ static int init_ssl_connection(SSL *con) if (SSL_get_shared_ciphers(con,buf,sizeof buf) != NULL) BIO_printf(bio_s_out,"Shared ciphers:%s\n",buf); str=SSL_CIPHER_get_name(SSL_get_current_cipher(con)); - ssl_print_sigalgs(bio_s_out, con); + ssl_print_sigalgs(bio_s_out, con, 0); ssl_print_curves(bio_s_out, con); BIO_printf(bio_s_out,"CIPHER is %s\n",(str != NULL)?str:"(NONE)"); @@ -2637,6 +2742,7 @@ static int www_body(char *hostname, int s, unsigned char *context) } SSL_set_bio(con,sbio,sbio); SSL_set_accept_state(con); + /* SSL_set_fd(con,s); */ BIO_set_ssl(ssl_bio,con,BIO_CLOSE); BIO_push(io,ssl_bio); @@ -2652,8 +2758,13 @@ static int www_body(char *hostname, int s, unsigned char *context) } if (s_msg) { - SSL_set_msg_callback(con, msg_cb); - SSL_set_msg_callback_arg(con, bio_s_out); +#ifndef OPENSSL_NO_SSL_TRACE + if (s_msg == 2) + SSL_set_msg_callback(con, SSL_trace); + else +#endif + SSL_set_msg_callback(con, msg_cb); + SSL_set_msg_callback_arg(con, bio_s_msg ? bio_s_msg : bio_s_out); } for (;;) @@ -2809,7 +2920,7 @@ static int www_body(char *hostname, int s, unsigned char *context) } BIO_puts(io,"\n"); } - ssl_print_sigalgs(io, con); + ssl_print_sigalgs(io, con, 0); ssl_print_curves(io, con); BIO_printf(io,(SSL_cache_hit(con) ?"---\nReused, "