* OTHERWISE.
*/
-#include <assert.h>
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
static int s_nbio = 0;
#endif
static int s_nbio_test = 0;
-int s_crlf = 0;
+static int s_crlf = 0;
static SSL_CTX *ctx = NULL;
static SSL_CTX *ctx2 = NULL;
static int www = 0;
#ifndef OPENSSL_NO_DTLS1
static int cert_chain = 0;
#endif
+static int dtlslisten = 0;
static BIO *serverinfo_in = NULL;
static const char *s_serverinfo_file = NULL;
OPT_CRL_DOWNLOAD, OPT_SERVERINFO, OPT_CERTFORM, OPT_KEY, OPT_KEYFORM,
OPT_PASS, OPT_CERT_CHAIN, OPT_DHPARAM, OPT_DCERTFORM, OPT_DCERT,
OPT_DKEYFORM, OPT_DPASS, OPT_DKEY, OPT_DCERT_CHAIN, OPT_NOCERT,
- OPT_CAPATH, OPT_CHAINCAPATH, OPT_VERIFYCAPATH, OPT_NO_CACHE,
+ OPT_CAPATH, OPT_NOCAPATH, OPT_CHAINCAPATH, OPT_VERIFYCAPATH, OPT_NO_CACHE,
OPT_EXT_CACHE, OPT_CRLFORM, OPT_VERIFY_RET_ERROR, OPT_VERIFY_QUIET,
- OPT_BUILD_CHAIN, OPT_CAFILE, OPT_CHAINCAFILE, OPT_VERIFYCAFILE,
- OPT_NBIO, OPT_NBIO_TEST, OPT_IGN_EOF, OPT_NO_IGN_EOF, OPT_DEBUG,
- OPT_TLSEXTDEBUG, OPT_STATUS, OPT_STATUS_VERBOSE, OPT_STATUS_TIMEOUT,
- OPT_STATUS_URL, OPT_MSG, OPT_MSGFILE, OPT_TRACE, OPT_SECURITY_DEBUG,
- OPT_SECURITY_DEBUG_VERBOSE, OPT_STATE, OPT_CRLF, OPT_QUIET,
- OPT_BRIEF, OPT_NO_TMP_RSA, OPT_NO_DHE, OPT_NO_ECDHE,
+ OPT_BUILD_CHAIN, OPT_CAFILE, OPT_NOCAFILE, OPT_CHAINCAFILE,
+ OPT_VERIFYCAFILE, OPT_NBIO, OPT_NBIO_TEST, OPT_IGN_EOF, OPT_NO_IGN_EOF,
+ OPT_DEBUG, OPT_TLSEXTDEBUG, OPT_STATUS, OPT_STATUS_VERBOSE,
+ OPT_STATUS_TIMEOUT, OPT_STATUS_URL, OPT_MSG, OPT_MSGFILE, OPT_TRACE,
+ OPT_SECURITY_DEBUG, OPT_SECURITY_DEBUG_VERBOSE, OPT_STATE, OPT_CRLF,
+ OPT_QUIET, OPT_BRIEF, OPT_NO_TMP_RSA, OPT_NO_DHE, OPT_NO_ECDHE,
OPT_NO_RESUME_EPHEMERAL, OPT_PSK_HINT, OPT_PSK, OPT_SRPVFILE,
OPT_SRPUSERSEED, OPT_REV, OPT_WWW, OPT_UPPER_WWW, OPT_HTTP,
OPT_SSL3,
OPT_TLS1_2, OPT_TLS1_1, OPT_TLS1, OPT_DTLS, OPT_DTLS1,
- OPT_DTLS1_2, OPT_TIMEOUT, OPT_MTU, OPT_CHAIN,
+ OPT_DTLS1_2, OPT_TIMEOUT, OPT_MTU, OPT_CHAIN, OPT_LISTEN,
OPT_ID_PREFIX, OPT_RAND, OPT_SERVERNAME, OPT_SERVERNAME_FATAL,
OPT_CERT2, OPT_KEY2, OPT_NEXTPROTONEG, OPT_ALPN, OPT_JPAKE,
OPT_SRTP_PROFILES, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN,
{"msg", OPT_MSG, '-', "Show protocol messages"},
{"msgfile", OPT_MSGFILE, '>'},
{"state", OPT_STATE, '-', "Print the SSL states"},
- {"CApath", OPT_CAPATH, '/', "PEM format directory of CA's"},
{"CAfile", OPT_CAFILE, '<', "PEM format file of CA's"},
+ {"CApath", OPT_CAPATH, '/', "PEM format directory of CA's"},
+ {"no-CAfile", OPT_NOCAFILE, '-',
+ "Do not load the default certificates file"},
+ {"no-CApath", OPT_NOCAPATH, '-',
+ "Do not load certificates from the default certificates directory"},
{"nocert", OPT_NOCERT, '-', "Don't use any certificates (Anon-DH)"},
{"quiet", OPT_QUIET, '-', "No server output"},
{"no_tmp_rsa", OPT_NO_TMP_RSA, '-', "Do not generate a tmp RSA key"},
{"timeout", OPT_TIMEOUT, '-', "Enable timeouts"},
{"mtu", OPT_MTU, 'p', "Set link layer MTU"},
{"chain", OPT_CHAIN, '-', "Read a certificate chain"},
+ {"listen", OPT_LISTEN, '-',
+ "Listen for a DTLS ClientHello with a cookie and then connect"},
#endif
#ifndef OPENSSL_NO_DH
{"no_dhe", OPT_NO_DHE, '-', "Disable ephemeral DH"},
"Set the advertised protocols for the NPN extension (comma-separated list)"},
#endif
#ifndef OPENSSL_NO_SRTP
- {"use_srtp", OPT_SRTP_PROFILES, '<',
+ {"use_srtp", OPT_SRTP_PROFILES, 's',
"Offer SRTP key management with a colon-separated profile list"},
{"alpn", OPT_ALPN, 's',
"Set the advertised protocols for the ALPN extension (comma-separated list)"},
X509 *s_cert = NULL, *s_dcert = NULL;
X509_VERIFY_PARAM *vpm = NULL;
char *CApath = NULL, *CAfile = NULL, *chCApath = NULL, *chCAfile = NULL;
- char *dhfile = NULL, *dpassarg = NULL, *dpass = NULL, *inrand = NULL;
+#ifndef OPENSSL_NO_DH
+ char *dhfile = NULL;
+#endif
+ char *dpassarg = NULL, *dpass = NULL, *inrand = NULL;
char *passarg = NULL, *pass = NULL, *vfyCApath = NULL, *vfyCAfile = NULL;
char *crl_file = NULL, *prog;
#ifndef OPENSSL_NO_PSK
int (*server_cb) (char *hostname, int s, int stype,
unsigned char *context);
int vpmtouched = 0, build_chain = 0, no_cache = 0, ext_cache = 0;
- int no_tmp_rsa = 0, no_dhe = 0, no_ecdhe = 0, nocert = 0, ret = 1;
+#ifndef OPENSSL_NO_DH
+ int no_dhe = 0;
+#endif
+ int no_tmp_rsa = 0, no_ecdhe = 0, nocert = 0, ret = 1;
+ int noCApath = 0, noCAfile = 0;
int s_cert_format = FORMAT_PEM, s_key_format = FORMAT_PEM;
int s_dcert_format = FORMAT_PEM, s_dkey_format = FORMAT_PEM;
int rev = 0, naccept = -1, sdebug = 0, socket_type = SOCK_STREAM;
s_chain_file = opt_arg();
break;
case OPT_DHPARAM:
+#ifndef OPENSSL_NO_DH
dhfile = opt_arg();
+#endif
break;
case OPT_DCERTFORM:
if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &s_dcert_format))
case OPT_CAPATH:
CApath = opt_arg();
break;
+ case OPT_NOCAPATH:
+ noCApath = 1;
+ break;
case OPT_CHAINCAPATH:
chCApath = opt_arg();
break;
case OPT_CAFILE:
CAfile = opt_arg();
break;
+ case OPT_NOCAFILE:
+ noCAfile = 1;
+ break;
case OPT_CHAINCAFILE:
chCAfile = opt_arg();
break;
no_tmp_rsa = 1;
break;
case OPT_NO_DHE:
+#ifndef OPENSSL_NO_DH
no_dhe = 1;
+#endif
break;
case OPT_NO_ECDHE:
no_ecdhe = 1;
goto end;
}
break;
-#else
- case OPT_PSK_HINT:
- case OPT_PSK:
- break;
#endif
#ifndef OPENSSL_NO_SRP
case OPT_SRPVFILE:
case OPT_CHAIN:
cert_chain = 1;
break;
+ case OPT_LISTEN:
+ dtlslisten = 1;
+ break;
#else
case OPT_DTLS:
case OPT_DTLS1:
case OPT_TIMEOUT:
case OPT_MTU:
case OPT_CHAIN:
+ case OPT_LISTEN:
break;
#endif
case OPT_ID_PREFIX:
BIO_printf(bio_err, "Can't use -HTTP, -www or -WWW with DTLS\n");
goto end;
}
+
+ if (dtlslisten && socket_type != SOCK_DGRAM) {
+ BIO_printf(bio_err, "Can only use -listen with DTLS\n");
+ goto end;
+ }
#endif
if (unix_path && (socket_type != SOCK_STREAM)) {
goto end;
}
- if (!app_load_modules(NULL))
- goto end;
-
if (s_key_file == NULL)
s_key_file = s_cert_file;
if (s_quiet && !s_debug) {
bio_s_out = BIO_new(BIO_s_null());
if (s_msg && !bio_s_msg)
- bio_s_msg = dup_bio_out();
+ bio_s_msg = dup_bio_out(FORMAT_TEXT);
} else {
if (bio_s_out == NULL)
- bio_s_out = dup_bio_out();
+ bio_s_out = dup_bio_out(FORMAT_TEXT);
}
}
#if !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_EC)
}
#endif
- if (!ctx_set_verify_locations(ctx, CAfile, CApath)) {
+ if (!ctx_set_verify_locations(ctx, CAfile, CApath, noCAfile, noCApath)) {
ERR_print_errors(bio_err);
goto end;
}
if (ctx2)
SSL_CTX_set_client_CA_list(ctx2, SSL_load_client_CA_file(CAfile));
}
+ if (s_tlsextstatus) {
+ SSL_CTX_set_tlsext_status_cb(ctx, cert_status_cb);
+ SSL_CTX_set_tlsext_status_arg(ctx, &tlscstatp);
+ if (ctx2) {
+ SSL_CTX_set_tlsext_status_cb(ctx2, cert_status_cb);
+ SSL_CTX_set_tlsext_status_arg(ctx2, &tlscstatp);
+ }
+ }
BIO_printf(bio_s_out, "ACCEPT\n");
(void)BIO_flush(bio_s_out);
SSL_set_tlsext_debug_callback(con, tlsext_cb);
SSL_set_tlsext_debug_arg(con, bio_s_out);
}
- if (s_tlsextstatus) {
- SSL_CTX_set_tlsext_status_cb(ctx, cert_status_cb);
- SSL_CTX_set_tlsext_status_arg(ctx, &tlscstatp);
- }
if (context
&& !SSL_set_session_id_context(con,
int i;
const char *str;
X509 *peer;
- long verify_error;
+ long verify_err;
char buf[BUFSIZ];
#if !defined(OPENSSL_NO_NEXTPROTONEG)
const unsigned char *next_proto_neg;
unsigned next_proto_neg_len;
#endif
unsigned char *exportedkeymat;
+ struct sockaddr_storage client;
+
+#ifndef OPENSSL_NO_DTLS1
+ if(dtlslisten) {
+ i = DTLSv1_listen(con, &client);
+ if (i > 0) {
+ BIO *wbio;
+ int fd = -1;
+
+ wbio = SSL_get_wbio(con);
+ if(wbio) {
+ BIO_get_fd(wbio, &fd);
+ }
+
+ if(!wbio || connect(fd, (struct sockaddr *)&client,
+ sizeof(struct sockaddr_storage))) {
+ BIO_printf(bio_err, "ERROR - unable to connect\n");
+ return 0;
+ }
+ dtlslisten = 0;
+ i = SSL_accept(con);
+ }
+ } else
+#endif
+ i = SSL_accept(con);
- i = SSL_accept(con);
#ifdef CERT_CB_TEST_RETRY
{
while (i <= 0 && SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP
- && SSL_state(con) == SSL3_ST_SR_CLNT_HELLO_C) {
+ && SSL_state(con) == TLS_ST_SR_CLNT_HELLO) {
BIO_printf(bio_err,
"LOOKUP from certificate callback during accept\n");
i = SSL_accept(con);
#endif
if (i <= 0) {
- if (BIO_sock_should_retry(i)) {
+ if ((dtlslisten && i == 0)
+ || (!dtlslisten && BIO_sock_should_retry(i))) {
BIO_printf(bio_s_out, "DELAY\n");
return (1);
}
BIO_printf(bio_err, "ERROR\n");
- verify_error = SSL_get_verify_result(con);
- if (verify_error != X509_V_OK) {
+ verify_err = SSL_get_verify_result(con);
+ if (verify_err != X509_V_OK) {
BIO_printf(bio_err, "verify error:%s\n",
- X509_verify_cert_error_string(verify_error));
+ X509_verify_cert_error_string(verify_err));
}
/* Always print any error messages */
ERR_print_errors(bio_err);
#ifdef RENEG
int total_bytes = 0;
#endif
+ int width;
+ fd_set readfds;
+
+ /* Set width for a select call if needed */
+ width = s + 1;
buf = app_malloc(bufsize, "server www buffer");
io = BIO_new(BIO_f_buffer());
goto err;
} else {
BIO_printf(bio_s_out, "read R BLOCK\n");
+#ifndef OPENSSL_NO_SRP
+ if (BIO_should_io_special(io)
+ && BIO_get_retry_reason(io) == BIO_RR_SSL_X509_LOOKUP) {
+ BIO_printf(bio_s_out, "LOOKUP renego during read\n");
+ srp_callback_parm.user =
+ SRP_VBASE_get_by_user(srp_callback_parm.vb,
+ srp_callback_parm.login);
+ if (srp_callback_parm.user)
+ BIO_printf(bio_s_out, "LOOKUP done %s\n",
+ srp_callback_parm.user->info);
+ else
+ BIO_printf(bio_s_out, "LOOKUP not successful\n");
+ continue;
+ }
+#endif
#if defined(OPENSSL_SYS_NETWARE)
delay(1000);
#elif !defined(OPENSSL_SYS_MSDOS)
NULL);
i = SSL_renegotiate(con);
BIO_printf(bio_s_out, "SSL_renegotiate -> %d\n", i);
+ /* Send the HelloRequest */
i = SSL_do_handshake(con);
if (i <= 0) {
BIO_printf(bio_s_out, "SSL_do_handshake() Retval %d\n",
ERR_print_errors(bio_err);
goto err;
}
- /* EVIL HACK! */
- SSL_set_state(con, SSL_ST_ACCEPT);
- i = SSL_do_handshake(con);
- BIO_printf(bio_s_out, "SSL_do_handshake -> %d\n", i);
- if (i <= 0) {
- BIO_printf(bio_s_out, "SSL_do_handshake() Retval %d\n",
- SSL_get_error(con, i));
+ /* Wait for a ClientHello to come back */
+ FD_ZERO(&readfds);
+ openssl_fdset(s, &readfds);
+ i = select(width, (void *)&readfds, NULL, NULL, NULL);
+ if (i <= 0 || !FD_ISSET(s, &readfds)) {
+ BIO_printf(bio_s_out, "Error waiting for client response\n");
ERR_print_errors(bio_err);
goto err;
}
+ /*
+ * We're not acutally expecting any data here and we ignore
+ * any that is sent. This is just to force the handshake that
+ * we're expecting to come from the client. If they haven't
+ * sent one there's not much we can do.
+ */
+ BIO_gets(io, buf, bufsize - 1);
}
BIO_puts(io,
ERR_print_errors(bio_err);
goto end;
}
+#ifndef OPENSSL_NO_SRP
+ if (BIO_should_io_special(io)
+ && BIO_get_retry_reason(io) == BIO_RR_SSL_X509_LOOKUP) {
+ BIO_printf(bio_s_out, "LOOKUP renego during accept\n");
+ srp_callback_parm.user =
+ SRP_VBASE_get_by_user(srp_callback_parm.vb,
+ srp_callback_parm.login);
+ if (srp_callback_parm.user)
+ BIO_printf(bio_s_out, "LOOKUP done %s\n",
+ srp_callback_parm.user->info);
+ else
+ BIO_printf(bio_s_out, "LOOKUP not successful\n");
+ continue;
+ }
+#endif
}
BIO_printf(bio_err, "CONNECTION ESTABLISHED\n");
print_ssl_summary(con);
goto err;
} else {
BIO_printf(bio_s_out, "read R BLOCK\n");
+#ifndef OPENSSL_NO_SRP
+ if (BIO_should_io_special(io)
+ && BIO_get_retry_reason(io) == BIO_RR_SSL_X509_LOOKUP) {
+ BIO_printf(bio_s_out, "LOOKUP renego during read\n");
+ srp_callback_parm.user =
+ SRP_VBASE_get_by_user(srp_callback_parm.vb,
+ srp_callback_parm.login);
+ if (srp_callback_parm.user)
+ BIO_printf(bio_s_out, "LOOKUP done %s\n",
+ srp_callback_parm.user->info);
+ else
+ BIO_printf(bio_s_out, "LOOKUP not successful\n");
+ continue;
+ }
+#endif
#if defined(OPENSSL_SYS_NETWARE)
delay(1000);
#elif !defined(OPENSSL_SYS_MSDOS)