Add SSL_OP_ALLOW_CLIENT_RENEGOTIATION

[openssl.git] / apps / s_server.c

diff --git a/apps/s_server.c b/apps/s_server.c
index eee51f33254cfc60f137207001e72f4c58b75c70..51b5c9d381fd77826d43778d4a8a2f6e18163657 100644 (file)
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -1,5 +1,5 @@
 /*
- * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
+ * Copyright 1995-2021 The OpenSSL Project Authors. All Rights Reserved.
  * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
  * Copyright 2005 Nokia. All rights reserved.
  *
@@ -78,6 +78,7 @@ static int accept_socket = -1;
 static int s_nbio = 0;
 static int s_nbio_test = 0;
 static int s_crlf = 0;
+static int immediate_reneg = 0;
 static SSL_CTX *ctx = NULL;
 static SSL_CTX *ctx2 = NULL;
 static int www = 0;
@@ -472,8 +473,8 @@ static int get_ocsp_resp_from_responder(SSL *s, tlsextstatusctx *srctx,
     x = SSL_get_certificate(s);
     aia = X509_get1_ocsp(x);
     if (aia != NULL) {
-        if (!OSSL_HTTP_parse_url(sk_OPENSSL_STRING_value(aia, 0),
-                                 &host, &port, NULL, &path, &use_ssl)) {
+        if (!OSSL_HTTP_parse_url(sk_OPENSSL_STRING_value(aia, 0), &use_ssl,
+                                 NULL, &host, &port, NULL, &path, NULL, NULL)) {
             BIO_puts(bio_err, "cert_status: can't parse AIA URL\n");
             goto err;
         }
@@ -672,7 +673,8 @@ static int not_resumable_sess_cb(SSL *s, int is_forward_secure)
 }
 
 typedef enum OPTION_choice {
-    OPT_ERR = -1, OPT_EOF = 0, OPT_HELP, OPT_ENGINE,
+    OPT_COMMON,
+    OPT_ENGINE,
     OPT_4, OPT_6, OPT_ACCEPT, OPT_PORT, OPT_UNIX, OPT_UNLINK, OPT_NACCEPT,
     OPT_VERIFY, OPT_NAMEOPT, OPT_UPPER_V_VERIFY, OPT_CONTEXT, OPT_CERT, OPT_CRL,
     OPT_CRL_DOWNLOAD, OPT_SERVERINFO, OPT_CERTFORM, OPT_KEY, OPT_KEYFORM,
@@ -977,11 +979,11 @@ int s_server_main(int argc, char *argv[])
     int no_dhe = 0;
     int nocert = 0, ret = 1;
     int noCApath = 0, noCAfile = 0, noCAstore = 0;
-    int s_cert_format = FORMAT_PEM, s_key_format = FORMAT_PEM;
-    int s_dcert_format = FORMAT_PEM, s_dkey_format = FORMAT_PEM;
+    int s_cert_format = FORMAT_UNDEF, s_key_format = FORMAT_UNDEF;
+    int s_dcert_format = FORMAT_UNDEF, s_dkey_format = FORMAT_UNDEF;
     int rev = 0, naccept = -1, sdebug = 0;
     int socket_family = AF_UNSPEC, socket_type = SOCK_STREAM, protocol = 0;
-    int state = 0, crl_format = FORMAT_PEM, crl_download = 0;
+    int state = 0, crl_format = FORMAT_UNDEF, crl_download = 0;
     char *host = NULL;
     char *port = OPENSSL_strdup(PORT);
     unsigned char *context = NULL;
@@ -1257,6 +1259,9 @@ int s_server_main(int argc, char *argv[])
             if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &crl_format))
                 goto opthelp;
             break;
+        case OPT_S_IMMEDIATE_RENEG:
+            immediate_reneg = 1;
+            break;
         case OPT_S_CASES:
         case OPT_S_NUM_TICKETS:
         case OPT_ANTI_REPLAY:
@@ -1337,10 +1342,10 @@ int s_server_main(int argc, char *argv[])
         case OPT_STATUS_URL:
 #ifndef OPENSSL_NO_OCSP
             s_tlsextstatus = 1;
-            if (!OSSL_HTTP_parse_url(opt_arg(),
+            if (!OSSL_HTTP_parse_url(opt_arg(), &tlscstatp.use_ssl, NULL,
                                      &tlscstatp.host, &tlscstatp.port, NULL,
-                                     &tlscstatp.path, &tlscstatp.use_ssl)) {
-                BIO_printf(bio_err, "Error parsing URL\n");
+                                     &tlscstatp.path, NULL, NULL)) {
+                BIO_printf(bio_err, "Error parsing -status_url argument\n");
                 goto end;
             }
 #endif
@@ -1610,7 +1615,9 @@ int s_server_main(int argc, char *argv[])
     if (argc != 0)
         goto opthelp;
 
-    app_RAND_load();
+    if (!app_RAND_load())
+        goto end;
+
 #ifndef OPENSSL_NO_NEXTPROTONEG
     if (min_version == TLS1_3_VERSION && next_proto_neg_in != NULL) {
         BIO_printf(bio_err, "Cannot supply -nextprotoneg with TLSv1.3\n");
@@ -1685,12 +1692,13 @@ int s_server_main(int argc, char *argv[])
         if (s_key == NULL)
             goto end;
 
-        s_cert = load_cert_pass(s_cert_file, 1, pass, "server certificate");
+        s_cert = load_cert_pass(s_cert_file, s_cert_format, 1, pass,
+                                "server certificate");
 
         if (s_cert == NULL)
             goto end;
         if (s_chain_file != NULL) {
-            if (!load_certs(s_chain_file, &s_chain, NULL,
+            if (!load_certs(s_chain_file, 0, &s_chain, NULL,
                             "server certificate chain"))
                 goto end;
         }
@@ -1701,7 +1709,7 @@ int s_server_main(int argc, char *argv[])
             if (s_key2 == NULL)
                 goto end;
 
-            s_cert2 = load_cert_pass(s_cert_file2, 1, pass,
+            s_cert2 = load_cert_pass(s_cert_file2, s_cert_format, 1, pass,
                                 "second server certificate");
 
             if (s_cert2 == NULL)
@@ -1724,7 +1732,7 @@ int s_server_main(int argc, char *argv[])
 
     if (crl_file != NULL) {
         X509_CRL *crl;
-        crl = load_crl(crl_file, "CRL");
+        crl = load_crl(crl_file, crl_format, 0, "CRL");
         if (crl == NULL)
             goto end;
         crls = sk_X509_CRL_new_null();
@@ -1746,7 +1754,7 @@ int s_server_main(int argc, char *argv[])
         if (s_dkey == NULL)
             goto end;
 
-        s_dcert = load_cert_pass(s_dcert_file, 1, dpass,
+        s_dcert = load_cert_pass(s_dcert_file, s_dcert_format, 1, dpass,
                                  "second server certificate");
 
         if (s_dcert == NULL) {
@@ -1754,7 +1762,7 @@ int s_server_main(int argc, char *argv[])
             goto end;
         }
         if (s_dchain_file != NULL) {
-            if (!load_certs(s_dchain_file, &s_dchain, NULL,
+            if (!load_certs(s_dchain_file, 0, &s_dchain, NULL,
                             "second server certificate chain"))
                 goto end;
         }
@@ -1972,9 +1980,9 @@ int s_server_main(int argc, char *argv[])
         EVP_PKEY *dhpkey = NULL;
 
         if (dhfile != NULL)
-            dhpkey = load_keyparams(dhfile, 0, "DH", "DH parameters");
+            dhpkey = load_keyparams(dhfile, FORMAT_UNDEF, 0, "DH", "DH parameters");
         else if (s_cert_file != NULL)
-            dhpkey = load_keyparams(s_cert_file, 0, "DH", "DH parameters");
+            dhpkey = load_keyparams(s_cert_file, FORMAT_UNDEF, 0, "DH", "DH parameters");
 
         if (dhpkey != NULL) {
             BIO_printf(bio_s_out, "Setting temp DH parameters\n");
@@ -2006,7 +2014,8 @@ int s_server_main(int argc, char *argv[])
 
         if (ctx2 != NULL) {
             if (dhfile != NULL) {
-                EVP_PKEY *dhpkey2 = load_keyparams(s_cert_file2, 0, "DH",
+                EVP_PKEY *dhpkey2 = load_keyparams(s_cert_file2, FORMAT_UNDEF,
+                                                   0, "DH",
                                                    "DH parameters");
 
                 if (dhpkey2 != NULL) {
@@ -2779,6 +2788,8 @@ static int init_ssl_connection(SSL *con)
     } else {
         do {
             i = SSL_accept(con);
+            if (immediate_reneg)
+                SSL_renegotiate(con);
 
             if (i <= 0)
                 retry = is_retryable(con, i);