X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=apps%2Fs_server.c;h=05ffc351f725b3066c2d788d38998ac4cb86b9a4;hp=cf40da528df9b42f2bcf93361786fdb58a1fe399;hb=3ba1e406c2309adb427ced9815ebf05f5b58d155;hpb=a6a48e87bc469f37ed1c53d0e4d22faaa0a5adf3

diff --git a/apps/s_server.c b/apps/s_server.c
index cf40da528d..05ffc351f7 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -218,7 +218,6 @@ static void init_session_cache_ctx(SSL_CTX *sctx);
 static void free_sessions(void);
 #ifndef OPENSSL_NO_DH
 static DH *load_dh_param(const char *dhfile);
-static DH *get_dh512(void);
 #endif
 
 #ifdef MONOLITH
@@ -229,41 +228,16 @@ static void s_server_init(void);
 
 static const unsigned char auth_ext_data[]={TLSEXT_AUTHZDATAFORMAT_dtcp};
 
-static const unsigned char *most_recent_supplemental_data;
-static size_t most_recent_supplemental_data_length;
+static unsigned char *generated_supp_data = NULL;
+
+static const unsigned char *most_recent_supplemental_data = NULL;
+static size_t most_recent_supplemental_data_length = 0;
 
 static int client_provided_server_authz = 0;
 static int client_provided_client_authz = 0;
 
 #endif
 
-#ifndef OPENSSL_NO_DH
-static unsigned char dh512_p[]={
-	0xDA,0x58,0x3C,0x16,0xD9,0x85,0x22,0x89,0xD0,0xE4,0xAF,0x75,
-	0x6F,0x4C,0xCA,0x92,0xDD,0x4B,0xE5,0x33,0xB8,0x04,0xFB,0x0F,
-	0xED,0x94,0xEF,0x9C,0x8A,0x44,0x03,0xED,0x57,0x46,0x50,0xD3,
-	0x69,0x99,0xDB,0x29,0xD7,0x76,0x27,0x6B,0xA2,0xD3,0xD4,0x12,
-	0xE2,0x18,0xF4,0xDD,0x1E,0x08,0x4C,0xF6,0xD8,0x00,0x3E,0x7C,
-	0x47,0x74,0xE8,0x33,
-	};
-static unsigned char dh512_g[]={
-	0x02,
-	};
-
-static DH *get_dh512(void)
-	{
-	DH *dh=NULL;
-
-	if ((dh=DH_new()) == NULL) return(NULL);
-	dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
-	dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
-	if ((dh->p == NULL) || (dh->g == NULL))
-		return(NULL);
-	return(dh);
-	}
-#endif
-
-
 /* static int load_CA(SSL_CTX *ctx, char *file);*/
 
 #undef BUFSIZZ
@@ -335,11 +309,11 @@ static int suppdata_cb(SSL *s, unsigned short supp_data_type,
 
 static int auth_suppdata_generate_cb(SSL *s, unsigned short supp_data_type,
 				     const unsigned char **out,
-				     unsigned short *outlen, void *arg);
+				     unsigned short *outlen, int *al, void *arg);
 
 static int authz_tlsext_generate_cb(SSL *s, unsigned short ext_type,
 				    const unsigned char **out, unsigned short *outlen,
-				    void *arg);
+				    int *al, void *arg);
 
 static int authz_tlsext_cb(SSL *s, unsigned short ext_type,
 			   const unsigned char *in,
@@ -511,6 +485,7 @@ static void sv_usage(void)
 	BIO_printf(bio_err," -Verify arg   - turn on peer certificate verification, must have a cert.\n");
 	BIO_printf(bio_err," -cert arg     - certificate file to use\n");
 	BIO_printf(bio_err,"                 (default is %s)\n",TEST_CERT);
+	BIO_printf(bio_err," -naccept arg  - terminate after 'arg' connections\n");
 #ifndef OPENSSL_NO_TLSEXT
 	BIO_printf(bio_err," -serverinfo arg - PEM serverinfo file for certificate\n");
 	BIO_printf(bio_err," -auth               - send and receive RFC 5878 TLS auth extensions and supplemental data\n");
@@ -1056,17 +1031,17 @@ int MAIN(int argc, char *argv[])
 	EVP_PKEY *s_key = NULL, *s_dkey = NULL;
 	int no_cache = 0, ext_cache = 0;
 	int rev = 0, naccept = -1;
-    int c_no_resumption_on_reneg = 0;
+	int sdebug = 0;
 #ifndef OPENSSL_NO_TLSEXT
 	EVP_PKEY *s_key2 = NULL;
 	X509 *s_cert2 = NULL;
         tlsextctx tlsextcbp = {NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING};
 # ifndef OPENSSL_NO_NEXTPROTONEG
 	const char *next_proto_neg_in = NULL;
-	tlsextnextprotoctx next_proto;
+	tlsextnextprotoctx next_proto = { NULL, 0};
+# endif
 	const char *alpn_in = NULL;
 	tlsextalpnctx alpn_ctx = { NULL, 0};
-# endif
 #endif
 #ifndef OPENSSL_NO_PSK
 	/* by default do not send a PSK identity hint */
@@ -1181,10 +1156,6 @@ int MAIN(int argc, char *argv[])
 			c_auth = 1;
 			}
 #endif
-		else if (strcmp(*argv, "-no_resumption_on_reneg") == 0)
-			{
-			c_no_resumption_on_reneg = 1;
-			}
 		else if	(strcmp(*argv,"-auth_require_reneg") == 0)
 			{
 			c_auth_require_reneg = 1;
@@ -1375,6 +1346,10 @@ int MAIN(int argc, char *argv[])
 		else if	(strcmp(*argv,"-trace") == 0)
 			{ s_msg=2; }
 #endif
+		else if	(strcmp(*argv,"-security_debug") == 0)
+			{ sdebug=1; }
+		else if	(strcmp(*argv,"-security_debug_verbose") == 0)
+			{ sdebug=2; }
 		else if	(strcmp(*argv,"-hack") == 0)
 			{ hack=1; }
 		else if	(strcmp(*argv,"-state") == 0)
@@ -1523,12 +1498,12 @@ int MAIN(int argc, char *argv[])
 			if (--argc < 1) goto bad;
 			next_proto_neg_in = *(++argv);
 			}
+# endif
 		else if	(strcmp(*argv,"-alpn") == 0)
 			{
 			if (--argc < 1) goto bad;
 			alpn_in = *(++argv);
 			}
-# endif
 #endif
 #if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
 		else if (strcmp(*argv,"-jpake") == 0)
@@ -1774,6 +1749,8 @@ bad:
 		}
 
 	ctx=SSL_CTX_new(meth);
+	if (sdebug)
+		ssl_ctx_security_debug(ctx, bio_err, sdebug);
 	if (ctx == NULL)
 		{
 		ERR_print_errors(bio_err);
@@ -1863,6 +1840,9 @@ bad:
 		{
 		BIO_printf(bio_s_out,"Setting secondary ctx parameters\n");
 
+		if (sdebug)
+			ssl_ctx_security_debug(ctx, bio_err, sdebug);
+
 		if (session_id_prefix)
 			{
 			if(strlen(session_id_prefix) >= 32)
@@ -1934,11 +1914,18 @@ bad:
 		else
 			{
 			BIO_printf(bio_s_out,"Using default temp DH parameters\n");
-			dh=get_dh512();
 			}
 		(void)BIO_flush(bio_s_out);
 
-		SSL_CTX_set_tmp_dh(ctx,dh);
+		if (dh == NULL)
+			SSL_CTX_set_dh_auto(ctx, 1);
+		else if (!SSL_CTX_set_tmp_dh(ctx,dh))
+			{
+			BIO_puts(bio_err, "Error setting temp DH parameters\n");
+			ERR_print_errors(bio_err);
+			DH_free(dh);
+			goto end;
+			}
 #ifndef OPENSSL_NO_TLSEXT
 		if (ctx2)
 			{
@@ -1954,23 +1941,30 @@ bad:
 					dh = dh2;
 					}
 				}
-			SSL_CTX_set_tmp_dh(ctx2,dh);
+			if (dh == NULL)
+				SSL_CTX_set_dh_auto(ctx2, 1);
+			else if (!SSL_CTX_set_tmp_dh(ctx2,dh))
+				{
+				BIO_puts(bio_err, "Error setting temp DH parameters\n");
+				ERR_print_errors(bio_err);
+				DH_free(dh);
+				goto end;
+				}
 			}
 #endif
 		DH_free(dh);
 		}
 #endif
 
-    if (c_no_resumption_on_reneg)
-        {
-        SSL_CTX_set_options(ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
-        }
 	if (!set_cert_key_stuff(ctx, s_cert, s_key, s_chain, build_chain))
 		goto end;
 #ifndef OPENSSL_NO_TLSEXT
 	if (s_serverinfo_file != NULL
 	    && !SSL_CTX_use_serverinfo_file(ctx, s_serverinfo_file))
+		{
+		ERR_print_errors(bio_err);
 		goto end;
+		}
 	if (c_auth)
 		{
 		SSL_CTX_set_custom_srv_ext(ctx, TLSEXT_TYPE_client_authz, authz_tlsext_cb, authz_tlsext_generate_cb, bio_err);
@@ -2156,8 +2150,10 @@ end:
 		EVP_PKEY_free(s_key2);
 	if (serverinfo_in != NULL)
 		BIO_free(serverinfo_in);
+# ifndef OPENSSL_NO_NEXTPROTONEG
 	if (next_proto.data)
 		OPENSSL_free(next_proto.data);
+# endif
 	if (alpn_ctx.data)
 		OPENSSL_free(alpn_ctx.data);
 #endif
@@ -2663,6 +2659,15 @@ static int init_ssl_connection(SSL *con)
 
 
 	i=SSL_accept(con);
+#ifdef CERT_CB_TEST_RETRY
+	{
+	while (i <= 0 && SSL_get_error(con,i) == SSL_ERROR_WANT_X509_LOOKUP && SSL_state(con) == SSL3_ST_SR_CLNT_HELLO_C) 
+		{
+		fprintf(stderr, "LOOKUP from certificate callback during accept\n");
+		i=SSL_accept(con);
+		}
+	}
+#endif
 #ifndef OPENSSL_NO_SRP
 	while (i <= 0 &&  SSL_get_error(con,i) == SSL_ERROR_WANT_X509_LOOKUP) 
 		{
@@ -2675,6 +2680,13 @@ static int init_ssl_connection(SSL *con)
 			i=SSL_accept(con);
 		}
 #endif
+	/*handshake is complete - free the generated supp data allocated in the callback */
+	if (generated_supp_data)
+		{
+        OPENSSL_free(generated_supp_data);
+		generated_supp_data = NULL;
+		}
+
 	if (i <= 0)
 		{
 		if (BIO_sock_should_retry(i))
@@ -3569,29 +3581,26 @@ static int authz_tlsext_cb(SSL *s, unsigned short ext_type,
 			   void *arg)
 	{
 	if (TLSEXT_TYPE_server_authz == ext_type)
-		{
-		client_provided_server_authz = (memchr(in,
-		TLSEXT_AUTHZDATAFORMAT_dtcp,
-		inlen) != NULL);
-		}
+		client_provided_server_authz
+		  = memchr(in,	TLSEXT_AUTHZDATAFORMAT_dtcp, inlen) != NULL;
 
 	if (TLSEXT_TYPE_client_authz == ext_type)
-		{
-		client_provided_client_authz = (memchr(in,
-		TLSEXT_AUTHZDATAFORMAT_dtcp,
-		inlen) != NULL);
-		}
+		client_provided_client_authz
+		  = memchr(in, TLSEXT_AUTHZDATAFORMAT_dtcp, inlen) != NULL;
 
 	return 1;
 	}
 
 static int authz_tlsext_generate_cb(SSL *s, unsigned short ext_type,
 				    const unsigned char **out, unsigned short *outlen,
-				    void *arg)
+				    int *al, void *arg)
 	{
 	if (c_auth && client_provided_client_authz && client_provided_server_authz)
 		{
-		if (!c_auth_require_reneg || (c_auth_require_reneg && SSL_num_renegotiations(s)))
+		/*if auth_require_reneg flag is set, only send extensions if
+		  renegotiation has occurred */
+		if (!c_auth_require_reneg
+		    || (c_auth_require_reneg && SSL_num_renegotiations(s)))
 			{
 			*out = auth_ext_data;
 			*outlen = 1;
@@ -3617,16 +3626,18 @@ static int suppdata_cb(SSL *s, unsigned short supp_data_type,
 
 static int auth_suppdata_generate_cb(SSL *s, unsigned short supp_data_type,
 				     const unsigned char **out,
-				     unsigned short *outlen, void *arg)
+				     unsigned short *outlen, int *al, void *arg)
 	{
-	unsigned char *result;
 	if (c_auth && client_provided_client_authz && client_provided_server_authz)
 		{
-		if (!c_auth_require_reneg || (c_auth_require_reneg && SSL_num_renegotiations(s)))
+		/*if auth_require_reneg flag is set, only send supplemental data if
+		  renegotiation has occurred */
+		if (!c_auth_require_reneg
+		    || (c_auth_require_reneg && SSL_num_renegotiations(s)))
 			{
-			result = OPENSSL_malloc(10);
-			memcpy(result, "1234512345", 10);
-			*out = result;
+			generated_supp_data = OPENSSL_malloc(10);
+			memcpy(generated_supp_data, "1234512345", 10);
+			*out = generated_supp_data;
 			*outlen = 10;
 			return 1;
 			}