projects / openssl.git / blobdiff
? search:
summary | shortlog | log | commit | commitdiff | tree
raw | inline | side by side
Fix duplicate code and typo.
[openssl.git] / apps / s_server.c
diff --git a/apps/s_server.c b/apps/s_server.c
index d33996820060524286c6fb70ccb0e46e2e9cc7d4..f5d313ceb52f3fa6b0620a6f20a95ba29ced14f3 100644 (file)
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -201,6 +201,7 @@ typedef unsigned int u_int;
 #ifndef OPENSSL_NO_RSA
 static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength);
 #endif
 #ifndef OPENSSL_NO_RSA
 static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength);
 #endif
+static int not_resumable_sess_cb(SSL *s, int is_forward_secure);
 static int sv_body(char *hostname, int s, unsigned char *context);
 static int www_body(char *hostname, int s, unsigned char *context);
 static void close_accept_socket(void );
 static int sv_body(char *hostname, int s, unsigned char *context);
 static int www_body(char *hostname, int s, unsigned char *context);
 static void close_accept_socket(void );
@@ -289,6 +290,7 @@ static int s_tlsextdebug=0;
 static int s_tlsextstatus=0;
 static int cert_status_cb(SSL *s, void *arg);
 #endif
 static int s_tlsextstatus=0;
 static int cert_status_cb(SSL *s, void *arg);
 #endif
+static int no_resume_ephemeral = 0;
 static int s_msg=0;
 static int s_quiet=0;
 
 static int s_msg=0;
 static int s_quiet=0;
 
@@ -460,7 +462,7 @@ static void sv_usage(void)
 #endif
        BIO_printf(bio_err," -ssl2         - Just talk SSLv2\n");
        BIO_printf(bio_err," -ssl3         - Just talk SSLv3\n");
 #endif
        BIO_printf(bio_err," -ssl2         - Just talk SSLv2\n");
        BIO_printf(bio_err," -ssl3         - Just talk SSLv3\n");
-       BIO_printf(bio_err," -tls1_1       - Just talk TLSv1_1\n");
+       BIO_printf(bio_err," -tls1_1       - Just talk TLSv1.1\n");
        BIO_printf(bio_err," -tls1         - Just talk TLSv1\n");
        BIO_printf(bio_err," -dtls1        - Just talk DTLSv1\n");
        BIO_printf(bio_err," -timeout      - Enable timeouts\n");
        BIO_printf(bio_err," -tls1         - Just talk TLSv1\n");
        BIO_printf(bio_err," -dtls1        - Just talk DTLSv1\n");
        BIO_printf(bio_err," -timeout      - Enable timeouts\n");
@@ -476,6 +478,7 @@ static void sv_usage(void)
 #ifndef OPENSSL_NO_ECDH
        BIO_printf(bio_err," -no_ecdhe     - Disable ephemeral ECDH\n");
 #endif
 #ifndef OPENSSL_NO_ECDH
        BIO_printf(bio_err," -no_ecdhe     - Disable ephemeral ECDH\n");
 #endif
+       BIO_printf(bio_err, "-no_resume_ephemeral - Disable caching and tickets if ephemeral (EC)DH is used\n");
        BIO_printf(bio_err," -bugs         - Turn on SSL bug compatibility\n");
        BIO_printf(bio_err," -www          - Respond to a 'GET /' with a status page\n");
        BIO_printf(bio_err," -WWW          - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>\n");
        BIO_printf(bio_err," -bugs         - Turn on SSL bug compatibility\n");
        BIO_printf(bio_err," -www          - Respond to a 'GET /' with a status page\n");
        BIO_printf(bio_err," -WWW          - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>\n");
@@ -493,12 +496,12 @@ static void sv_usage(void)
        BIO_printf(bio_err,"                 (default is %s)\n",TEST_CERT2);
        BIO_printf(bio_err," -key2 arg     - Private Key file to use for servername, in cert file if\n");
        BIO_printf(bio_err,"                 not specified (default is %s)\n",TEST_CERT2);
        BIO_printf(bio_err,"                 (default is %s)\n",TEST_CERT2);
        BIO_printf(bio_err," -key2 arg     - Private Key file to use for servername, in cert file if\n");
        BIO_printf(bio_err,"                 not specified (default is %s)\n",TEST_CERT2);
-# ifndef OPENSSL_NO_NPN
        BIO_printf(bio_err," -tlsextdebug  - hex dump of all TLS extensions received\n");
        BIO_printf(bio_err," -tlsextdebug  - hex dump of all TLS extensions received\n");
-# endif
        BIO_printf(bio_err," -no_ticket    - disable use of RFC4507bis session tickets\n");
        BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
        BIO_printf(bio_err," -no_ticket    - disable use of RFC4507bis session tickets\n");
        BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
+# ifndef OPENSSL_NO_NEXTPROTONEG
        BIO_printf(bio_err," -nextprotoneg arg - set the advertised protocols for the NPN extension (comma-separated list)\n");
        BIO_printf(bio_err," -nextprotoneg arg - set the advertised protocols for the NPN extension (comma-separated list)\n");
+# endif
 #endif
        }
 
 #endif
        }
 
@@ -834,7 +837,7 @@ BIO_printf(err, "cert_status: received %d ids\n", sk_OCSP_RESPID_num(ids));
        goto done;
        }
 
        goto done;
        }
 
-# ifndef OPENSSL_NO_NPN
+# ifndef OPENSSL_NO_NEXTPROTONEG
 /* This is the context that we pass to next_proto_cb */
 typedef struct tlsextnextprotoctx_st {
        unsigned char *data;
 /* This is the context that we pass to next_proto_cb */
 typedef struct tlsextnextprotoctx_st {
        unsigned char *data;
@@ -853,6 +856,12 @@ static int next_proto_cb(SSL *s, const unsigned char **data, unsigned int *len,
 # endif  /* ndef OPENSSL_NO_NPN */
 #endif
 
 # endif  /* ndef OPENSSL_NO_NPN */
 #endif
 
+static int not_resumable_sess_cb(SSL *s, int is_forward_secure)
+       {
+       /* disable resumption for sessions with forward secure ciphers */
+       return is_forward_secure;
+       }
+
 int MAIN(int, char **);
 
 #ifndef OPENSSL_NO_JPAKE
 int MAIN(int, char **);
 
 #ifndef OPENSSL_NO_JPAKE
@@ -892,7 +901,7 @@ int MAIN(int argc, char *argv[])
 #endif
 #ifndef OPENSSL_NO_TLSEXT
         tlsextctx tlsextcbp = {NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING};
 #endif
 #ifndef OPENSSL_NO_TLSEXT
         tlsextctx tlsextcbp = {NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING};
-# ifndef OPENSSL_NO_NPN
+# ifndef OPENSSL_NO_NEXTPROTONEG
        const char *next_proto_neg_in = NULL;
        tlsextnextprotoctx next_proto;
 # endif
        const char *next_proto_neg_in = NULL;
        tlsextnextprotoctx next_proto;
 # endif
@@ -1120,6 +1129,8 @@ int MAIN(int argc, char *argv[])
                        { no_dhe=1; }
                else if (strcmp(*argv,"-no_ecdhe") == 0)
                        { no_ecdhe=1; }
                        { no_dhe=1; }
                else if (strcmp(*argv,"-no_ecdhe") == 0)
                        { no_ecdhe=1; }
+               else if (strcmp(*argv,"-no_resume_ephemeral") == 0)
+                       { no_resume_ephemeral = 1; }
 #ifndef OPENSSL_NO_PSK
                 else if (strcmp(*argv,"-psk_hint") == 0)
                        {
 #ifndef OPENSSL_NO_PSK
                 else if (strcmp(*argv,"-psk_hint") == 0)
                        {
@@ -1174,6 +1185,8 @@ int MAIN(int argc, char *argv[])
                        { meth=TLSv1_1_server_method(); }
                else if (strcmp(*argv,"-tls1") == 0)
                        { meth=TLSv1_server_method(); }
                        { meth=TLSv1_1_server_method(); }
                else if (strcmp(*argv,"-tls1") == 0)
                        { meth=TLSv1_server_method(); }
+               else if (strcmp(*argv,"-tls1_1") == 0)
+                       { meth=TLSv1_1_server_method(); }
 #endif
 #ifndef OPENSSL_NO_DTLS1
                else if (strcmp(*argv,"-dtls1") == 0)
 #endif
 #ifndef OPENSSL_NO_DTLS1
                else if (strcmp(*argv,"-dtls1") == 0)
@@ -1226,7 +1239,7 @@ int MAIN(int argc, char *argv[])
                        if (--argc < 1) goto bad;
                        s_key_file2= *(++argv);
                        }
                        if (--argc < 1) goto bad;
                        s_key_file2= *(++argv);
                        }
-# ifndef OPENSSL_NO_NPN
+# ifndef OPENSSL_NO_NEXTPROTONEG
                else if (strcmp(*argv,"-nextprotoneg") == 0)
                        {
                        if (--argc < 1) goto bad;
                else if (strcmp(*argv,"-nextprotoneg") == 0)
                        {
                        if (--argc < 1) goto bad;
@@ -1337,7 +1350,7 @@ bad:
                                goto end;
                                }
                        }
                                goto end;
                                }
                        }
-# ifndef OPENSSL_NO_NPN
+# ifndef OPENSSL_NO_NEXTPROTONEG
                if (next_proto_neg_in)
                        {
                        unsigned short len;
                if (next_proto_neg_in)
                        {
                        unsigned short len;
@@ -1537,7 +1550,7 @@ bad:
                        SSL_CTX_set1_param(ctx2, vpm);
                }
 
                        SSL_CTX_set1_param(ctx2, vpm);
                }
 
-# ifndef OPENSSL_NO_NPN
+# ifndef OPENSSL_NO_NEXTPROTONEG
        if (next_proto.data)
                SSL_CTX_set_next_protos_advertised_cb(ctx, next_proto_cb, &next_proto);
 # endif
        if (next_proto.data)
                SSL_CTX_set_next_protos_advertised_cb(ctx, next_proto_cb, &next_proto);
 # endif
@@ -1689,6 +1702,15 @@ bad:
 #endif
 #endif
 
 #endif
 #endif
 
+       if (no_resume_ephemeral)
+               {
+               SSL_CTX_set_not_resumable_session_callback(ctx, not_resumable_sess_cb);
+#ifndef OPENSSL_NO_TLSEXT
+               if (ctx2)
+                       SSL_CTX_set_not_resumable_session_callback(ctx2, not_resumable_sess_cb);
+#endif
+               }
+
 #ifndef OPENSSL_NO_PSK
 #ifdef OPENSSL_NO_JPAKE
        if (psk_key != NULL)
 #ifndef OPENSSL_NO_PSK
 #ifdef OPENSSL_NO_JPAKE
        if (psk_key != NULL)
@@ -2225,7 +2247,7 @@ static int init_ssl_connection(SSL *con)
        X509 *peer;
        long verify_error;
        MS_STATIC char buf[BUFSIZ];
        X509 *peer;
        long verify_error;
        MS_STATIC char buf[BUFSIZ];
-#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NPN)
+#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
        const unsigned char *next_proto_neg;
        unsigned next_proto_neg_len;
 #endif
        const unsigned char *next_proto_neg;
        unsigned next_proto_neg_len;
 #endif
@@ -2268,7 +2290,7 @@ static int init_ssl_connection(SSL *con)
                BIO_printf(bio_s_out,"Shared ciphers:%s\n",buf);
        str=SSL_CIPHER_get_name(SSL_get_current_cipher(con));
        BIO_printf(bio_s_out,"CIPHER is %s\n",(str != NULL)?str:"(NONE)");
                BIO_printf(bio_s_out,"Shared ciphers:%s\n",buf);
        str=SSL_CIPHER_get_name(SSL_get_current_cipher(con));
        BIO_printf(bio_s_out,"CIPHER is %s\n",(str != NULL)?str:"(NONE)");
-#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NPN)
+#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
        SSL_get0_next_proto_negotiated(con, &next_proto_neg, &next_proto_neg_len);
        if (next_proto_neg)
                {
        SSL_get0_next_proto_negotiated(con, &next_proto_neg, &next_proto_neg_len);
        if (next_proto_neg)
                {
Unnamed repository; edit this file 'description' to name the repository.