X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=apps%2Fs_server.c;h=10bfdd6b911e0a6ee669fe942de65edd8e6e80b1;hp=f9e33e72c29aeebd37c45f526246eebf9042f702;hb=e03c5b59f04684c55a173d1a8ac38df7e4b21c48;hpb=20b431e3a94e57b916d7e1325217c3a2a6a186a0 diff --git a/apps/s_server.c b/apps/s_server.c index f9e33e72c2..10bfdd6b91 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -205,9 +205,9 @@ typedef unsigned int u_int; static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength); #endif static int not_resumable_sess_cb(SSL *s, int is_forward_secure); -static int sv_body(char *hostname, int s, unsigned char *context); -static int www_body(char *hostname, int s, unsigned char *context); -static int rev_body(char *hostname, int s, unsigned char *context); +static int sv_body(char *hostname, int s, int stype, unsigned char *context); +static int www_body(char *hostname, int s, int stype, unsigned char *context); +static int rev_body(char *hostname, int s, int stype, unsigned char *context); static void close_accept_socket(void ); static void sv_usage(void); static int init_ssl_connection(SSL *s); @@ -216,44 +216,27 @@ static int generate_session_id(const SSL *ssl, unsigned char *id, unsigned int *id_len); static void init_session_cache_ctx(SSL_CTX *sctx); static void free_sessions(void); -static int ssl_load_stores(SSL_CTX *sctx, - const char *vfyCApath, const char *vfyCAfile, - const char *chCApath, const char *chCAfile); #ifndef OPENSSL_NO_DH static DH *load_dh_param(const char *dhfile); -static DH *get_dh512(void); #endif #ifdef MONOLITH static void s_server_init(void); #endif -#ifndef OPENSSL_NO_DH -static unsigned char dh512_p[]={ - 0xDA,0x58,0x3C,0x16,0xD9,0x85,0x22,0x89,0xD0,0xE4,0xAF,0x75, - 0x6F,0x4C,0xCA,0x92,0xDD,0x4B,0xE5,0x33,0xB8,0x04,0xFB,0x0F, - 0xED,0x94,0xEF,0x9C,0x8A,0x44,0x03,0xED,0x57,0x46,0x50,0xD3, - 0x69,0x99,0xDB,0x29,0xD7,0x76,0x27,0x6B,0xA2,0xD3,0xD4,0x12, - 0xE2,0x18,0xF4,0xDD,0x1E,0x08,0x4C,0xF6,0xD8,0x00,0x3E,0x7C, - 0x47,0x74,0xE8,0x33, - }; -static unsigned char dh512_g[]={ - 0x02, - }; +#ifndef OPENSSL_NO_TLSEXT -static DH *get_dh512(void) - { - DH *dh=NULL; - - if ((dh=DH_new()) == NULL) return(NULL); - dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL); - dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL); - if ((dh->p == NULL) || (dh->g == NULL)) - return(NULL); - return(dh); - } -#endif +static const unsigned char auth_ext_data[]={TLSEXT_AUTHZDATAFORMAT_dtcp}; + +static unsigned char *generated_supp_data = NULL; +static const unsigned char *most_recent_supplemental_data = NULL; +static size_t most_recent_supplemental_data_length = 0; + +static int client_provided_server_authz = 0; +static int client_provided_client_authz = 0; + +#endif /* static int load_CA(SSL_CTX *ctx, char *file);*/ @@ -319,8 +302,29 @@ static int cert_chain = 0; #endif #ifndef OPENSSL_NO_TLSEXT -static BIO *authz_in = NULL; -static const char *s_authz_file = NULL; +static int suppdata_cb(SSL *s, unsigned short supp_data_type, + const unsigned char *in, + unsigned short inlen, int *al, + void *arg); + +static int auth_suppdata_generate_cb(SSL *s, unsigned short supp_data_type, + const unsigned char **out, + unsigned short *outlen, int *al, void *arg); + +static int authz_tlsext_generate_cb(SSL *s, unsigned short ext_type, + const unsigned char **out, unsigned short *outlen, + int *al, void *arg); + +static int authz_tlsext_cb(SSL *s, unsigned short ext_type, + const unsigned char *in, + unsigned short inlen, int *al, + void *arg); + +static BIO *serverinfo_in = NULL; +static const char *s_serverinfo_file = NULL; + +static int c_auth = 0; +static int c_auth_require_reneg = 0; #endif #ifndef OPENSSL_NO_PSK @@ -476,15 +480,17 @@ static void sv_usage(void) BIO_printf(bio_err,"usage: s_server [args ...]\n"); BIO_printf(bio_err,"\n"); BIO_printf(bio_err," -accept arg - port to accept on (default is %d)\n",PORT); - BIO_printf(bio_err," -checkhost host - check peer certificate matches \"host\"\n"); - BIO_printf(bio_err," -checkemail email - check peer certificate matches \"email\"\n"); - BIO_printf(bio_err," -checkip ipaddr - check peer certificate matches \"ipaddr\"\n"); BIO_printf(bio_err," -context arg - set session ID context\n"); BIO_printf(bio_err," -verify arg - turn on peer certificate verification\n"); BIO_printf(bio_err," -Verify arg - turn on peer certificate verification, must have a cert.\n"); BIO_printf(bio_err," -cert arg - certificate file to use\n"); BIO_printf(bio_err," (default is %s)\n",TEST_CERT); - BIO_printf(bio_err," -authz arg - binary authz file for certificate\n"); +#ifndef OPENSSL_NO_TLSEXT + BIO_printf(bio_err," -serverinfo arg - PEM serverinfo file for certificate\n"); + BIO_printf(bio_err," -auth - send and receive RFC 5878 TLS auth extensions and supplemental data\n"); + BIO_printf(bio_err," -auth_require_reneg - Do not send TLS auth extensions until renegotiation\n"); +#endif + BIO_printf(bio_err," -no_resumption_on_reneg - set SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION flag\n"); BIO_printf(bio_err," -crl_check - check the peer certificate has not been revoked by its CA.\n" \ " The CRL(s) are appended to the certificate file\n"); BIO_printf(bio_err," -crl_check_all - check the peer certificate has not been revoked by its CA\n" \ @@ -539,6 +545,7 @@ static void sv_usage(void) BIO_printf(bio_err," -tls1_1 - Just talk TLSv1.1\n"); BIO_printf(bio_err," -tls1 - Just talk TLSv1\n"); BIO_printf(bio_err," -dtls1 - Just talk DTLSv1\n"); + BIO_printf(bio_err," -dtls1_2 - Just talk DTLSv1.2\n"); BIO_printf(bio_err," -timeout - Enable timeouts\n"); BIO_printf(bio_err," -mtu - Set link layer MTU\n"); BIO_printf(bio_err," -chain - Read a certificate chain\n"); @@ -578,6 +585,7 @@ static void sv_usage(void) BIO_printf(bio_err," -nextprotoneg arg - set the advertised protocols for the NPN extension (comma-separated list)\n"); # endif BIO_printf(bio_err," -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n"); + BIO_printf(bio_err," -alpn arg - set the advertised protocols for the ALPN extension (comma-separated list)\n"); #endif BIO_printf(bio_err," -keymatexport label - Export keying material using label\n"); BIO_printf(bio_err," -keymatexportlen len - Export len bytes of keying material (default 20)\n"); @@ -932,7 +940,48 @@ static int next_proto_cb(SSL *s, const unsigned char **data, unsigned int *len, return SSL_TLSEXT_ERR_OK; } # endif /* ndef OPENSSL_NO_NEXTPROTONEG */ -#endif + +/* This the context that we pass to alpn_cb */ +typedef struct tlsextalpnctx_st { + unsigned char *data; + unsigned short len; +} tlsextalpnctx; + +static int alpn_cb(SSL *s, const unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg) + { + tlsextalpnctx *alpn_ctx = arg; + + if (!s_quiet) + { + /* We can assume that |in| is syntactically valid. */ + unsigned i; + BIO_printf(bio_s_out, "ALPN protocols advertised by the client: "); + for (i = 0; i < inlen; ) + { + if (i) + BIO_write(bio_s_out, ", ", 2); + BIO_write(bio_s_out, &in[i + 1], in[i]); + i += in[i] + 1; + } + BIO_write(bio_s_out, "\n", 1); + } + + if (SSL_select_next_proto((unsigned char**) out, outlen, alpn_ctx->data, alpn_ctx->len, in, inlen) != + OPENSSL_NPN_NEGOTIATED) + { + return SSL_TLSEXT_ERR_NOACK; + } + + if (!s_quiet) + { + BIO_printf(bio_s_out, "ALPN protocols selected: "); + BIO_write(bio_s_out, *out, *outlen); + BIO_write(bio_s_out, "\n", 1); + } + + return SSL_TLSEXT_ERR_OK; + } +#endif /* ndef OPENSSL_NO_TLSEXT */ static int not_resumable_sess_cb(SSL *s, int is_forward_secure) { @@ -944,14 +993,14 @@ int MAIN(int, char **); #ifndef OPENSSL_NO_JPAKE static char *jpake_secret = NULL; +#define no_jpake !jpake_secret +#else +#define no_jpake 1 #endif #ifndef OPENSSL_NO_SRP static srpsrvparm srp_callback_parm; #endif static char *srtp_profiles = NULL; -static unsigned char *checkhost = NULL, *checkemail = NULL; -static char *checkip = NULL; - int MAIN(int argc, char *argv[]) { @@ -981,14 +1030,17 @@ int MAIN(int argc, char *argv[]) EVP_PKEY *s_key = NULL, *s_dkey = NULL; int no_cache = 0, ext_cache = 0; int rev = 0, naccept = -1; + int sdebug = 0; #ifndef OPENSSL_NO_TLSEXT EVP_PKEY *s_key2 = NULL; X509 *s_cert2 = NULL; tlsextctx tlsextcbp = {NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING}; # ifndef OPENSSL_NO_NEXTPROTONEG const char *next_proto_neg_in = NULL; - tlsextnextprotoctx next_proto; + tlsextnextprotoctx next_proto = { NULL, 0}; # endif + const char *alpn_in = NULL; + tlsextalpnctx alpn_ctx = { NULL, 0}; #endif #ifndef OPENSSL_NO_PSK /* by default do not send a PSK identity hint */ @@ -1002,6 +1054,11 @@ int MAIN(int argc, char *argv[]) SSL_CONF_CTX *cctx = NULL; STACK_OF(OPENSSL_STRING) *ssl_args = NULL; + char *crl_file = NULL; + int crl_format = FORMAT_PEM; + int crl_download = 0; + STACK_OF(X509_CRL) *crls = NULL; + meth=SSLv23_server_method(); local_argc=argc; @@ -1022,6 +1079,7 @@ int MAIN(int argc, char *argv[]) if (!cctx) goto end; SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SERVER); + SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CMDLINE); verify_depth=0; #ifdef FIONBIO @@ -1057,7 +1115,8 @@ int MAIN(int argc, char *argv[]) s_server_verify=SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE; if (--argc < 1) goto bad; verify_depth=atoi(*(++argv)); - BIO_printf(bio_err,"verify depth is %d\n",verify_depth); + if (!s_quiet) + BIO_printf(bio_err,"verify depth is %d\n",verify_depth); } else if (strcmp(*argv,"-Verify") == 0) { @@ -1065,7 +1124,8 @@ int MAIN(int argc, char *argv[]) SSL_VERIFY_CLIENT_ONCE; if (--argc < 1) goto bad; verify_depth=atoi(*(++argv)); - BIO_printf(bio_err,"verify depth is %d, must return a certificate\n",verify_depth); + if (!s_quiet) + BIO_printf(bio_err,"verify depth is %d, must return a certificate\n",verify_depth); } else if (strcmp(*argv,"-context") == 0) { @@ -1077,13 +1137,28 @@ int MAIN(int argc, char *argv[]) if (--argc < 1) goto bad; s_cert_file= *(++argv); } + else if (strcmp(*argv,"-CRL") == 0) + { + if (--argc < 1) goto bad; + crl_file= *(++argv); + } + else if (strcmp(*argv,"-crl_download") == 0) + crl_download = 1; #ifndef OPENSSL_NO_TLSEXT - else if (strcmp(*argv,"-authz") == 0) + else if (strcmp(*argv,"-serverinfo") == 0) { if (--argc < 1) goto bad; - s_authz_file = *(++argv); + s_serverinfo_file = *(++argv); + } + else if (strcmp(*argv,"-auth") == 0) + { + c_auth = 1; } #endif + else if (strcmp(*argv,"-auth_require_reneg") == 0) + { + c_auth_require_reneg = 1; + } else if (strcmp(*argv,"-certform") == 0) { if (--argc < 1) goto bad; @@ -1167,6 +1242,11 @@ int MAIN(int argc, char *argv[]) no_cache = 1; else if (strcmp(*argv,"-ext_cache") == 0) ext_cache = 1; + else if (strcmp(*argv,"-CRLform") == 0) + { + if (--argc < 1) goto bad; + crl_format = str2fmt(*(++argv)); + } else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm)) { if (badarg) @@ -1254,21 +1334,6 @@ int MAIN(int argc, char *argv[]) } } #endif - else if (strcmp(*argv,"-checkhost") == 0) - { - if (--argc < 1) goto bad; - checkhost=(unsigned char *)*(++argv); - } - else if (strcmp(*argv,"-checkemail") == 0) - { - if (--argc < 1) goto bad; - checkemail=(unsigned char *)*(++argv); - } - else if (strcmp(*argv,"-checkip") == 0) - { - if (--argc < 1) goto bad; - checkip=*(++argv); - } else if (strcmp(*argv,"-msg") == 0) { s_msg=1; } else if (strcmp(*argv,"-msgfile") == 0) @@ -1280,6 +1345,10 @@ int MAIN(int argc, char *argv[]) else if (strcmp(*argv,"-trace") == 0) { s_msg=2; } #endif + else if (strcmp(*argv,"-security_debug") == 0) + { sdebug=1; } + else if (strcmp(*argv,"-security_debug_verbose") == 0) + { sdebug=2; } else if (strcmp(*argv,"-hack") == 0) { hack=1; } else if (strcmp(*argv,"-state") == 0) @@ -1362,11 +1431,21 @@ int MAIN(int argc, char *argv[]) { meth=TLSv1_2_server_method(); } #endif #ifndef OPENSSL_NO_DTLS1 + else if (strcmp(*argv,"-dtls") == 0) + { + meth=DTLS_server_method(); + socket_type = SOCK_DGRAM; + } else if (strcmp(*argv,"-dtls1") == 0) { meth=DTLSv1_server_method(); socket_type = SOCK_DGRAM; } + else if (strcmp(*argv,"-dtls1_2") == 0) + { + meth=DTLSv1_2_server_method(); + socket_type = SOCK_DGRAM; + } else if (strcmp(*argv,"-timeout") == 0) enable_timeouts = 1; else if (strcmp(*argv,"-mtu") == 0) @@ -1419,6 +1498,11 @@ int MAIN(int argc, char *argv[]) next_proto_neg_in = *(++argv); } # endif + else if (strcmp(*argv,"-alpn") == 0) + { + if (--argc < 1) goto bad; + alpn_in = *(++argv); + } #endif #if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK) else if (strcmp(*argv,"-jpake") == 0) @@ -1469,14 +1553,7 @@ bad: goto end; } psk_identity = "JPAKE"; - if (cipher) - { - BIO_printf(bio_err, "JPAKE sets cipher to PSK\n"); - goto end; - } - cipher = "PSK"; } - #endif SSL_load_error_strings(); @@ -1552,7 +1629,8 @@ bad: #endif /* OPENSSL_NO_TLSEXT */ } -#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) +#if !defined(OPENSSL_NO_TLSEXT) +# if !defined(OPENSSL_NO_NEXTPROTONEG) if (next_proto_neg_in) { unsigned short len; @@ -1565,8 +1643,38 @@ bad: { next_proto.data = NULL; } +# endif + alpn_ctx.data = NULL; + if (alpn_in) + { + unsigned short len; + alpn_ctx.data = next_protos_parse(&len, alpn_in); + if (alpn_ctx.data == NULL) + goto end; + alpn_ctx.len = len; + } #endif + if (crl_file) + { + X509_CRL *crl; + crl = load_crl(crl_file, crl_format); + if (!crl) + { + BIO_puts(bio_err, "Error loading CRL\n"); + ERR_print_errors(bio_err); + goto end; + } + crls = sk_X509_CRL_new_null(); + if (!crls || !sk_X509_CRL_push(crls, crl)) + { + BIO_puts(bio_err, "Error adding CRL\n"); + ERR_print_errors(bio_err); + X509_CRL_free(crl); + goto end; + } + } + if (s_dcert_file) { @@ -1640,6 +1748,8 @@ bad: } ctx=SSL_CTX_new(meth); + if (sdebug) + ssl_ctx_security_debug(ctx, bio_err, sdebug); if (ctx == NULL) { ERR_print_errors(bio_err); @@ -1702,10 +1812,12 @@ bad: if (vpm) SSL_CTX_set1_param(ctx, vpm); - if (!args_ssl_call(ctx, bio_err, cctx, ssl_args, no_ecdhe)) + ssl_ctx_add_crls(ctx, crls, 0); + if (!args_ssl_call(ctx, bio_err, cctx, ssl_args, no_ecdhe, no_jpake)) goto end; - if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile)) + if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile, + crls, crl_download)) { BIO_printf(bio_err, "Error loading store locations\n"); ERR_print_errors(bio_err); @@ -1727,6 +1839,9 @@ bad: { BIO_printf(bio_s_out,"Setting secondary ctx parameters\n"); + if (sdebug) + ssl_ctx_security_debug(ctx, bio_err, sdebug); + if (session_id_prefix) { if(strlen(session_id_prefix) >= 32) @@ -1768,7 +1883,8 @@ bad: if (vpm) SSL_CTX_set1_param(ctx2, vpm); - if (!args_ssl_call(ctx2, bio_err, cctx, ssl_args, no_ecdhe)) + ssl_ctx_add_crls(ctx2, crls, 0); + if (!args_ssl_call(ctx2, bio_err, cctx, ssl_args, no_ecdhe, no_jpake)) goto end; } @@ -1776,6 +1892,8 @@ bad: if (next_proto.data) SSL_CTX_set_next_protos_advertised_cb(ctx, next_proto_cb, &next_proto); # endif + if (alpn_ctx.data) + SSL_CTX_set_alpn_select_cb(ctx, alpn_cb, &alpn_ctx); #endif #ifndef OPENSSL_NO_DH @@ -1795,11 +1913,18 @@ bad: else { BIO_printf(bio_s_out,"Using default temp DH parameters\n"); - dh=get_dh512(); } (void)BIO_flush(bio_s_out); - SSL_CTX_set_tmp_dh(ctx,dh); + if (dh == NULL) + SSL_CTX_set_dh_auto(ctx, 1); + else if (!SSL_CTX_set_tmp_dh(ctx,dh)) + { + BIO_puts(bio_err, "Error setting temp DH parameters\n"); + ERR_print_errors(bio_err); + DH_free(dh); + goto end; + } #ifndef OPENSSL_NO_TLSEXT if (ctx2) { @@ -1815,7 +1940,15 @@ bad: dh = dh2; } } - SSL_CTX_set_tmp_dh(ctx2,dh); + if (dh == NULL) + SSL_CTX_set_dh_auto(ctx2, 1); + else if (!SSL_CTX_set_tmp_dh(ctx2,dh)) + { + BIO_puts(bio_err, "Error setting temp DH parameters\n"); + ERR_print_errors(bio_err); + DH_free(dh); + goto end; + } } #endif DH_free(dh); @@ -1825,8 +1958,18 @@ bad: if (!set_cert_key_stuff(ctx, s_cert, s_key, s_chain, build_chain)) goto end; #ifndef OPENSSL_NO_TLSEXT - if (s_authz_file != NULL && !SSL_CTX_use_authz_file(ctx, s_authz_file)) + if (s_serverinfo_file != NULL + && !SSL_CTX_use_serverinfo_file(ctx, s_serverinfo_file)) + { + ERR_print_errors(bio_err); goto end; + } + if (c_auth) + { + SSL_CTX_set_custom_srv_ext(ctx, TLSEXT_TYPE_client_authz, authz_tlsext_cb, authz_tlsext_generate_cb, bio_err); + SSL_CTX_set_custom_srv_ext(ctx, TLSEXT_TYPE_server_authz, authz_tlsext_cb, authz_tlsext_generate_cb, bio_err); + SSL_CTX_set_srv_supp_data(ctx, TLSEXT_SUPPLEMENTALDATATYPE_authz_data, auth_suppdata_generate_cb, suppdata_cb, bio_err); + } #endif #ifndef OPENSSL_NO_TLSEXT if (ctx2 && !set_cert_key_stuff(ctx2,s_cert2,s_key2, NULL, build_chain)) @@ -1973,6 +2116,8 @@ end: if (ctx != NULL) SSL_CTX_free(ctx); if (s_cert) X509_free(s_cert); + if (crls) + sk_X509_CRL_pop_free(crls, X509_CRL_free); if (s_dcert) X509_free(s_dcert); if (s_key) @@ -2002,17 +2147,27 @@ end: X509_free(s_cert2); if (s_key2) EVP_PKEY_free(s_key2); - if (authz_in != NULL) - BIO_free(authz_in); + if (serverinfo_in != NULL) + BIO_free(serverinfo_in); +# ifndef OPENSSL_NO_NEXTPROTONEG + if (next_proto.data) + OPENSSL_free(next_proto.data); +# endif + if (alpn_ctx.data) + OPENSSL_free(alpn_ctx.data); #endif ssl_excert_free(exc); if (ssl_args) sk_OPENSSL_STRING_free(ssl_args); if (cctx) SSL_CONF_CTX_free(cctx); +#ifndef OPENSSL_NO_JPAKE + if (jpake_secret && psk_key) + OPENSSL_free(psk_key); +#endif if (bio_s_out != NULL) { - BIO_free(bio_s_out); + BIO_free(bio_s_out); bio_s_out=NULL; } if (bio_s_msg != NULL) @@ -2049,7 +2204,7 @@ static void print_stats(BIO *bio, SSL_CTX *ssl_ctx) SSL_CTX_sess_get_cache_size(ssl_ctx)); } -static int sv_body(char *hostname, int s, unsigned char *context) +static int sv_body(char *hostname, int s, int stype, unsigned char *context) { char *buf=NULL; fd_set readfds; @@ -2119,7 +2274,7 @@ static int sv_body(char *hostname, int s, unsigned char *context) #endif #endif - if (SSL_version(con) == DTLS1_VERSION) + if (stype == SOCK_DGRAM) { sbio=BIO_new_dgram(s,BIO_NOCLOSE); @@ -2246,7 +2401,7 @@ static int sv_body(char *hostname, int s, unsigned char *context) if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0) { - BIO_printf(bio_err,"TIMEOUT occured\n"); + BIO_printf(bio_err,"TIMEOUT occurred\n"); } if (i <= 0) continue; @@ -2503,6 +2658,15 @@ static int init_ssl_connection(SSL *con) i=SSL_accept(con); +#ifdef CERT_CB_TEST_RETRY + { + while (i <= 0 && SSL_get_error(con,i) == SSL_ERROR_WANT_X509_LOOKUP && SSL_state(con) == SSL3_ST_SR_CLNT_HELLO_C) + { + fprintf(stderr, "LOOKUP from certificate callback during accept\n"); + i=SSL_accept(con); + } + } +#endif #ifndef OPENSSL_NO_SRP while (i <= 0 && SSL_get_error(con,i) == SSL_ERROR_WANT_X509_LOOKUP) { @@ -2515,6 +2679,13 @@ static int init_ssl_connection(SSL *con) i=SSL_accept(con); } #endif + /*handshake is complete - free the generated supp data allocated in the callback */ + if (generated_supp_data) + { + OPENSSL_free(generated_supp_data); + generated_supp_data = NULL; + } + if (i <= 0) { if (BIO_sock_should_retry(i)) @@ -2538,8 +2709,6 @@ static int init_ssl_connection(SSL *con) if (s_brief) print_ssl_summary(bio_err, con); - print_ssl_cert_checks(bio_err, con, checkhost, checkemail, checkip); - PEM_write_bio_SSL_SESSION(bio_s_out,SSL_get_session(con)); peer=SSL_get_peer_certificate(con); @@ -2558,8 +2727,10 @@ static int init_ssl_connection(SSL *con) BIO_printf(bio_s_out,"Shared ciphers:%s\n",buf); str=SSL_CIPHER_get_name(SSL_get_current_cipher(con)); ssl_print_sigalgs(bio_s_out, con); +#ifndef OPENSSL_NO_EC ssl_print_point_formats(bio_s_out, con); ssl_print_curves(bio_s_out, con, 0); +#endif BIO_printf(bio_s_out,"CIPHER is %s\n",(str != NULL)?str:"(NONE)"); #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) @@ -2662,7 +2833,7 @@ static int load_CA(SSL_CTX *ctx, char *file) } #endif -static int www_body(char *hostname, int s, unsigned char *context) +static int www_body(char *hostname, int s, int stype, unsigned char *context) { char *buf=NULL; int ret=1; @@ -2902,7 +3073,9 @@ static int www_body(char *hostname, int s, unsigned char *context) BIO_puts(io,"\n"); } ssl_print_sigalgs(io, con); +#ifndef OPENSSL_NO_EC ssl_print_curves(io, con, 0); +#endif BIO_printf(io,(SSL_cache_hit(con) ?"---\nReused, " :"---\nNew, ")); @@ -3096,7 +3269,7 @@ err: return(ret); } -static int rev_body(char *hostname, int s, unsigned char *context) +static int rev_body(char *hostname, int s, int stype, unsigned char *context) { char *buf=NULL; int i; @@ -3400,41 +3573,76 @@ static void free_sessions(void) first = NULL; } -static int ssl_load_stores(SSL_CTX *sctx, - const char *vfyCApath, const char *vfyCAfile, - const char *chCApath, const char *chCAfile) +#ifndef OPENSSL_NO_TLSEXT +static int authz_tlsext_cb(SSL *s, unsigned short ext_type, + const unsigned char *in, + unsigned short inlen, int *al, + void *arg) { - X509_STORE *vfy = NULL, *ch = NULL; - int rv = 0; - if (vfyCApath || vfyCAfile) + if (TLSEXT_TYPE_server_authz == ext_type) + client_provided_server_authz + = memchr(in, TLSEXT_AUTHZDATAFORMAT_dtcp, inlen) != NULL; + + if (TLSEXT_TYPE_client_authz == ext_type) + client_provided_client_authz + = memchr(in, TLSEXT_AUTHZDATAFORMAT_dtcp, inlen) != NULL; + + return 1; + } + +static int authz_tlsext_generate_cb(SSL *s, unsigned short ext_type, + const unsigned char **out, unsigned short *outlen, + int *al, void *arg) + { + if (c_auth && client_provided_client_authz && client_provided_server_authz) { - vfy = X509_STORE_new(); - if (!X509_STORE_load_locations(vfy, vfyCAfile, vfyCApath)) - goto err; - SSL_CTX_set1_verify_cert_store(ctx, vfy); + /*if auth_require_reneg flag is set, only send extensions if + renegotiation has occurred */ + if (!c_auth_require_reneg + || (c_auth_require_reneg && SSL_num_renegotiations(s))) + { + *out = auth_ext_data; + *outlen = 1; + return 1; + } } - if (chCApath || chCAfile) + /* no auth extension to send */ + return -1; + } + +static int suppdata_cb(SSL *s, unsigned short supp_data_type, + const unsigned char *in, + unsigned short inlen, int *al, + void *arg) + { + if (supp_data_type == TLSEXT_SUPPLEMENTALDATATYPE_authz_data) { - ch = X509_STORE_new(); - if (!X509_STORE_load_locations(ch, chCAfile, chCApath)) - goto err; - /*X509_STORE_set_verify_cb(ch, verify_callback);*/ - SSL_CTX_set1_chain_cert_store(ctx, ch); + most_recent_supplemental_data = in; + most_recent_supplemental_data_length = inlen; } - rv = 1; - err: - if (vfy) - X509_STORE_free(vfy); - if (ch) - X509_STORE_free(ch); - return rv; + return 1; } - - - - - - - +static int auth_suppdata_generate_cb(SSL *s, unsigned short supp_data_type, + const unsigned char **out, + unsigned short *outlen, int *al, void *arg) + { + if (c_auth && client_provided_client_authz && client_provided_server_authz) + { + /*if auth_require_reneg flag is set, only send supplemental data if + renegotiation has occurred */ + if (!c_auth_require_reneg + || (c_auth_require_reneg && SSL_num_renegotiations(s))) + { + generated_supp_data = OPENSSL_malloc(10); + memcpy(generated_supp_data, "1234512345", 10); + *out = generated_supp_data; + *outlen = 10; + return 1; + } + } + /* no supplemental data to send */ + return -1; + } +#endif