X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=apps%2Fs_server.c;h=6645dc8d8e2853ab44e9a210896968ded7ac9913;hp=1a54f082f48e8cdc148c8f58f1359ec8d70b88cd;hb=380f18ed5f140e0ae1b68f3ab8f4f7c395658d9e;hpb=ab69ac00f3c7a04151662813794ac82bc591a89b diff --git a/apps/s_server.c b/apps/s_server.c index 1a54f082f4..6645dc8d8e 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -191,12 +191,9 @@ typedef unsigned int u_int; #endif static int not_resumable_sess_cb(SSL *s, int is_forward_secure); -static int sv_body(const char *hostname, int s, int stype, - unsigned char *context); -static int www_body(const char *hostname, int s, int stype, - unsigned char *context); -static int rev_body(const char *hostname, int s, int stype, - unsigned char *context); +static int sv_body(int s, int stype, unsigned char *context); +static int www_body(int s, int stype, unsigned char *context); +static int rev_body(int s, int stype, unsigned char *context); static void close_accept_socket(void); static int init_ssl_connection(SSL *s); static void print_stats(BIO *bp, SSL_CTX *ctx); @@ -355,6 +352,8 @@ typedef struct srpsrvparm_st { static int ssl_srp_server_param_cb(SSL *s, int *ad, void *arg) { srpsrvparm *p = (srpsrvparm *) arg; + int ret = SSL3_AL_FATAL; + if (p->login == NULL && p->user == NULL) { p->login = SSL_get_srp_username(s); BIO_printf(bio_err, "SRP username = \"%s\"\n", p->login); @@ -363,21 +362,25 @@ static int ssl_srp_server_param_cb(SSL *s, int *ad, void *arg) if (p->user == NULL) { BIO_printf(bio_err, "User %s doesn't exist\n", p->login); - return SSL3_AL_FATAL; + goto err; } + if (SSL_set_srp_server_param (s, p->user->N, p->user->g, p->user->s, p->user->v, p->user->info) < 0) { *ad = SSL_AD_INTERNAL_ERROR; - return SSL3_AL_FATAL; + goto err; } BIO_printf(bio_err, "SRP parameters set: username = \"%s\" info=\"%s\" \n", p->login, p->user->info); - /* need to check whether there are memory leaks */ + ret = SSL_ERROR_NONE; + +err: + SRP_user_pwd_free(p->user); p->user = NULL; p->login = NULL; - return SSL_ERROR_NONE; + return ret; } #endif @@ -785,7 +788,6 @@ static int not_resumable_sess_cb(SSL *s, int is_forward_secure) return is_forward_secure; } -static char *jpake_secret = NULL; #ifndef OPENSSL_NO_SRP static srpsrvparm srp_callback_parm; #endif @@ -814,7 +816,7 @@ typedef enum OPTION_choice { OPT_TLS1_2, OPT_TLS1_1, OPT_TLS1, OPT_DTLS, OPT_DTLS1, OPT_DTLS1_2, OPT_TIMEOUT, OPT_MTU, OPT_CHAIN, OPT_LISTEN, OPT_ID_PREFIX, OPT_RAND, OPT_SERVERNAME, OPT_SERVERNAME_FATAL, - OPT_CERT2, OPT_KEY2, OPT_NEXTPROTONEG, OPT_ALPN, OPT_JPAKE, + OPT_CERT2, OPT_KEY2, OPT_NEXTPROTONEG, OPT_ALPN, OPT_SRTP_PROFILES, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN, OPT_S_ENUM, OPT_V_ENUM, @@ -823,15 +825,18 @@ typedef enum OPTION_choice { OPTIONS s_server_options[] = { {"help", OPT_HELP, '-', "Display this summary"}, - {"port", OPT_PORT, 'p'}, + {"port", OPT_PORT, 'p', + "TCP/IP port to listen on for connections (default is " PORT ")"}, {"accept", OPT_ACCEPT, 's', - "TCP/IP port or service to accept on (default is " PORT ")"}, + "TCP/IP optional host and port to accept on (default is " PORT ")"}, #ifdef AF_UNIX {"unix", OPT_UNIX, 's', "Unix domain socket to accept on"}, #endif {"4", OPT_4, '-', "Use IPv4 only"}, {"6", OPT_6, '-', "Use IPv6 only"}, +#ifdef AF_UNIX {"unlink", OPT_UNLINK, '-', "For -unix, unlink existing socket first"}, +#endif {"context", OPT_CONTEXT, 's', "Set session ID context"}, {"verify", OPT_VERIFY, 'n', "Turn on peer certificate verification"}, {"Verify", OPT_UPPER_V_VERIFY, 'n', @@ -860,7 +865,8 @@ OPTIONS s_server_options[] = { {"crlf", OPT_CRLF, '-', "Convert LF from terminal into CRLF"}, {"debug", OPT_DEBUG, '-', "Print more output"}, {"msg", OPT_MSG, '-', "Show protocol messages"}, - {"msgfile", OPT_MSGFILE, '>'}, + {"msgfile", OPT_MSGFILE, '>', + "File to send output of -msg or -trace, instead of stdout"}, {"state", OPT_STATE, '-', "Print the SSL states"}, {"CAfile", OPT_CAFILE, '<', "PEM format file of CA's"}, {"CApath", OPT_CAPATH, '/', "PEM format directory of CA's"}, @@ -893,33 +899,52 @@ OPTIONS s_server_options[] = { "Export keying material using label"}, {"keymatexportlen", OPT_KEYMATEXPORTLEN, 'p', "Export len bytes of keying material (default 20)"}, - {"CRL", OPT_CRL, '<'}, - {"crl_download", OPT_CRL_DOWNLOAD, '-'}, - {"cert_chain", OPT_CERT_CHAIN, '<'}, - {"dcert_chain", OPT_DCERT_CHAIN, '<'}, - {"chainCApath", OPT_CHAINCAPATH, '/'}, - {"verifyCApath", OPT_VERIFYCAPATH, '/'}, - {"no_cache", OPT_NO_CACHE, '-'}, - {"ext_cache", OPT_EXT_CACHE, '-'}, - {"CRLform", OPT_CRLFORM, 'F'}, - {"verify_return_error", OPT_VERIFY_RET_ERROR, '-'}, - {"verify_quiet", OPT_VERIFY_QUIET, '-'}, - {"build_chain", OPT_BUILD_CHAIN, '-'}, - {"chainCAfile", OPT_CHAINCAFILE, '<'}, - {"verifyCAfile", OPT_VERIFYCAFILE, '<'}, - {"ign_eof", OPT_IGN_EOF, '-'}, - {"no_ign_eof", OPT_NO_IGN_EOF, '-'}, - {"status", OPT_STATUS, '-'}, - {"status_verbose", OPT_STATUS_VERBOSE, '-'}, - {"status_timeout", OPT_STATUS_TIMEOUT, 'n'}, - {"status_url", OPT_STATUS_URL, 's'}, - {"trace", OPT_TRACE, '-'}, - {"security_debug", OPT_SECURITY_DEBUG, '-'}, - {"security_debug_verbose", OPT_SECURITY_DEBUG_VERBOSE, '-'}, - {"brief", OPT_BRIEF, '-'}, - {"rev", OPT_REV, '-'}, + {"CRL", OPT_CRL, '<', "CRL file to use"}, + {"crl_download", OPT_CRL_DOWNLOAD, '-', + "Download CRL from distribution points"}, + {"cert_chain", OPT_CERT_CHAIN, '<', + "certificate chain file in PEM format"}, + {"dcert_chain", OPT_DCERT_CHAIN, '<', + "second certificate chain file in PEM format"}, + {"chainCApath", OPT_CHAINCAPATH, '/', + "use dir as certificate store path to build CA certificate chain"}, + {"verifyCApath", OPT_VERIFYCAPATH, '/', + "use dir as certificate store path to verify CA certificate"}, + {"no_cache", OPT_NO_CACHE, '-', "Disable session cache"}, + {"ext_cache", OPT_EXT_CACHE, '-', + "Disable internal cache, setup and use external cache"}, + {"CRLform", OPT_CRLFORM, 'F', "CRL format (PEM or DER) PEM is default" }, + {"verify_return_error", OPT_VERIFY_RET_ERROR, '-', + "Close connection on verification error"}, + {"verify_quiet", OPT_VERIFY_QUIET, '-', + "No verify output except verify errors"}, + {"build_chain", OPT_BUILD_CHAIN, '-', "Build certificate chain"}, + {"chainCAfile", OPT_CHAINCAFILE, '<', + "CA file for certificate chain (PEM format)"}, + {"verifyCAfile", OPT_VERIFYCAFILE, '<', + "CA file for certificate verification (PEM format)"}, + {"ign_eof", OPT_IGN_EOF, '-', "ignore input eof (default when -quiet)"}, + {"no_ign_eof", OPT_NO_IGN_EOF, '-', "Do not ignore input eof"}, + {"status", OPT_STATUS, '-', "Request certificate status from server"}, + {"status_verbose", OPT_STATUS_VERBOSE, '-', + "Print more output in certificate status callback"}, + {"status_timeout", OPT_STATUS_TIMEOUT, 'n', + "Status request responder timeout"}, + {"status_url", OPT_STATUS_URL, 's', "Status request fallback URL"}, +#ifndef OPENSSL_NO_SSL_TRACE + {"trace", OPT_TRACE, '-', "trace protocol messages"}, +#endif + {"security_debug", OPT_SECURITY_DEBUG, '-', + "Print output from SSL/TLS security framework"}, + {"security_debug_verbose", OPT_SECURITY_DEBUG_VERBOSE, '-', + "Print more output from SSL/TLS security framework"}, + {"brief", OPT_BRIEF, '-', \ + "Restrict output to brief summary of connection parameters"}, + {"rev", OPT_REV, '-', + "act as a simple test server which just sends back with the received text reversed"}, {"async", OPT_ASYNC, '-', "Operate in asynchronous mode"}, - {"ssl_config", OPT_SSL_CONFIG, 's'}, + {"ssl_config", OPT_SSL_CONFIG, 's', \ + "Configure SSL_CTX using the configuration 'val'"}, OPT_S_OPTIONS, OPT_V_OPTIONS, OPT_X_OPTIONS, @@ -929,9 +954,6 @@ OPTIONS s_server_options[] = { #ifndef OPENSSL_NO_PSK {"psk_hint", OPT_PSK_HINT, 's', "PSK identity hint to use"}, {"psk", OPT_PSK, 's', "PSK in hex (without 0x)"}, -# ifndef OPENSSL_NO_JPAKE - {"jpake", OPT_JPAKE, 's', "JPAKE secret to use"}, -# endif #endif #ifndef OPENSSL_NO_SRP {"srpvfile", OPT_SRPVFILE, '<', "The verifier file for SRP"}, @@ -951,7 +973,7 @@ OPTIONS s_server_options[] = { {"tls1_2", OPT_TLS1_2, '-', "just talk TLSv1.2"}, #endif #ifndef OPENSSL_NO_DTLS - {"dtls", OPT_DTLS, '-'}, + {"dtls", OPT_DTLS, '-', "Use any DTLS version"}, {"timeout", OPT_TIMEOUT, '-', "Enable timeouts"}, {"mtu", OPT_MTU, 'p', "Set link layer MTU"}, {"chain", OPT_CHAIN, '-', "Read a certificate chain"}, @@ -978,7 +1000,7 @@ OPTIONS s_server_options[] = { "Set the advertised protocols for the ALPN extension (comma-separated list)"}, #endif #ifndef OPENSSL_NO_ENGINE - {"engine", OPT_ENGINE, 's'}, + {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"}, #endif {NULL} }; @@ -1008,8 +1030,7 @@ int s_server_main(int argc, char *argv[]) #ifdef AF_UNIX int unlink_unix_path = 0; #endif - int (*server_cb) (const char *hostname, int s, int stype, - unsigned char *context); + do_server_cb server_cb; int vpmtouched = 0, build_chain = 0, no_cache = 0, ext_cache = 0; #ifndef OPENSSL_NO_DH int no_dhe = 0; @@ -1357,7 +1378,7 @@ int s_server_main(int argc, char *argv[]) case OPT_PSK: #ifndef OPENSSL_NO_PSK for (p = psk_key = opt_arg(); *p; p++) { - if (isxdigit(*p)) + if (isxdigit(_UC(*p))) continue; BIO_printf(bio_err, "Not a hex number '%s'\n", *argv); goto end; @@ -1478,14 +1499,6 @@ int s_server_main(int argc, char *argv[]) case OPT_ALPN: alpn_in = opt_arg(); break; -#if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK) - case OPT_JPAKE: - jpake_secret = opt_arg(); - break; -#else - case OPT_JPAKE: - goto opthelp; -#endif case OPT_SRTP_PROFILES: srtp_profiles = opt_arg(); break; @@ -1522,15 +1535,6 @@ int s_server_main(int argc, char *argv[]) goto end; } #endif -#if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK) - if (jpake_secret) { - if (psk_key) { - BIO_printf(bio_err, "Can't use JPAKE and PSK together\n"); - goto end; - } - psk_identity = "JPAKE"; - } -#endif if (!app_passwd(passarg, dpassarg, &pass, &dpass)) { BIO_printf(bio_err, "Error getting password\n"); @@ -1555,14 +1559,14 @@ int s_server_main(int argc, char *argv[]) } s_cert = load_cert(s_cert_file, s_cert_format, - NULL, e, "server certificate file"); + "server certificate file"); if (!s_cert) { ERR_print_errors(bio_err); goto end; } if (s_chain_file) { - if (!load_certs(s_chain_file, &s_chain, FORMAT_PEM, NULL, e, + if (!load_certs(s_chain_file, &s_chain, FORMAT_PEM, NULL, "server certificate chain")) goto end; } @@ -1576,7 +1580,7 @@ int s_server_main(int argc, char *argv[]) } s_cert2 = load_cert(s_cert_file2, s_cert_format, - NULL, e, "second server certificate file"); + "second server certificate file"); if (!s_cert2) { ERR_print_errors(bio_err); @@ -1634,14 +1638,14 @@ int s_server_main(int argc, char *argv[]) } s_dcert = load_cert(s_dcert_file, s_dcert_format, - NULL, e, "second server certificate file"); + "second server certificate file"); if (!s_dcert) { ERR_print_errors(bio_err); goto end; } if (s_dchain_file) { - if (!load_certs(s_dchain_file, &s_dchain, FORMAT_PEM, NULL, e, + if (!load_certs(s_dchain_file, &s_dchain, FORMAT_PEM, NULL, "second server certificate chain")) goto end; } @@ -1680,12 +1684,12 @@ int s_server_main(int argc, char *argv[]) } ctx = SSL_CTX_new(meth); - if (sdebug) - ssl_ctx_security_debug(ctx, sdebug); if (ctx == NULL) { ERR_print_errors(bio_err); goto end; } + if (sdebug) + ssl_ctx_security_debug(ctx, sdebug); if (ssl_config) { if (SSL_CTX_config(ctx, ssl_config) == 0) { BIO_printf(bio_err, "Error using configuration \"%s\"\n", @@ -1721,7 +1725,6 @@ int s_server_main(int argc, char *argv[]) if (async) { SSL_CTX_set_mode(ctx, SSL_MODE_ASYNC); - ASYNC_init(1, 0, 0); } #ifndef OPENSSL_NO_SRTP @@ -1746,7 +1749,7 @@ int s_server_main(int argc, char *argv[]) } ssl_ctx_add_crls(ctx, crls, 0); - if (!config_ctx(cctx, ssl_args, ctx, jpake_secret == NULL)) + if (!config_ctx(cctx, ssl_args, ctx)) goto end; if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile, @@ -1809,7 +1812,7 @@ int s_server_main(int argc, char *argv[]) } ssl_ctx_add_crls(ctx2, crls, 0); - if (!config_ctx(cctx, ssl_args, ctx2, jpake_secret == NULL)) + if (!config_ctx(cctx, ssl_args, ctx2)) goto end; } #ifndef OPENSSL_NO_NEXTPROTONEG @@ -1895,15 +1898,10 @@ int s_server_main(int argc, char *argv[]) not_resumable_sess_cb); } #ifndef OPENSSL_NO_PSK -# ifdef OPENSSL_NO_JPAKE - if (psk_key != NULL) -# else - if (psk_key != NULL || jpake_secret) -# endif - { + if (psk_key != NULL) { if (s_debug) BIO_printf(bio_s_out, - "PSK key given or JPAKE in use, setting server callback\n"); + "PSK key given, setting server callback\n"); SSL_CTX_set_psk_server_callback(ctx, psk_server_cb); } @@ -2026,9 +2024,6 @@ int s_server_main(int argc, char *argv[]) bio_s_out = NULL; BIO_free(bio_s_msg); bio_s_msg = NULL; - if (async) { - ASYNC_cleanup(1); - } return (ret); } @@ -2060,8 +2055,7 @@ static void print_stats(BIO *bio, SSL_CTX *ssl_ctx) SSL_CTX_sess_get_cache_size(ssl_ctx)); } -static int sv_body(const char *hostname, int s, int stype, - unsigned char *context) +static int sv_body(int s, int stype, unsigned char *context) { char *buf = NULL; fd_set readfds; @@ -2156,10 +2150,6 @@ static int sv_body(const char *hostname, int s, int stype, test = BIO_new(BIO_f_nbio_test()); sbio = BIO_push(test, sbio); } -#ifndef OPENSSL_NO_JPAKE - if (jpake_secret) - jpake_server_auth(bio_s_out, sbio, jpake_secret); -#endif SSL_set_bio(con, sbio, sbio); SSL_set_accept_state(con); @@ -2341,9 +2331,10 @@ static int sv_body(const char *hostname, int s, int stype, #ifndef OPENSSL_NO_SRP while (SSL_get_error(con, k) == SSL_ERROR_WANT_X509_LOOKUP) { BIO_printf(bio_s_out, "LOOKUP renego during write\n"); + SRP_user_pwd_free(srp_callback_parm.user); srp_callback_parm.user = - SRP_VBASE_get_by_user(srp_callback_parm.vb, - srp_callback_parm.login); + SRP_VBASE_get1_by_user(srp_callback_parm.vb, + srp_callback_parm.login); if (srp_callback_parm.user) BIO_printf(bio_s_out, "LOOKUP done %s\n", srp_callback_parm.user->info); @@ -2409,9 +2400,10 @@ static int sv_body(const char *hostname, int s, int stype, #ifndef OPENSSL_NO_SRP while (SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP) { BIO_printf(bio_s_out, "LOOKUP renego during read\n"); + SRP_user_pwd_free(srp_callback_parm.user); srp_callback_parm.user = - SRP_VBASE_get_by_user(srp_callback_parm.vb, - srp_callback_parm.login); + SRP_VBASE_get1_by_user(srp_callback_parm.vb, + srp_callback_parm.login); if (srp_callback_parm.user) BIO_printf(bio_s_out, "LOOKUP done %s\n", srp_callback_parm.user->info); @@ -2496,7 +2488,7 @@ static int init_ssl_connection(SSL *con) BIO_printf(bio_err, "ERROR - memory\n"); return 0; } - i = DTLSv1_listen(con, &client); + i = DTLSv1_listen(con, client); if (i > 0) { BIO *wbio; int fd = -1; @@ -2536,9 +2528,10 @@ static int init_ssl_connection(SSL *con) while (i <= 0 && SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP) { BIO_printf(bio_s_out, "LOOKUP during accept %s\n", srp_callback_parm.login); + SRP_user_pwd_free(srp_callback_parm.user); srp_callback_parm.user = - SRP_VBASE_get_by_user(srp_callback_parm.vb, - srp_callback_parm.login); + SRP_VBASE_get1_by_user(srp_callback_parm.vb, + srp_callback_parm.login); if (srp_callback_parm.user) BIO_printf(bio_s_out, "LOOKUP done %s\n", srp_callback_parm.user->info); @@ -2612,7 +2605,7 @@ static int init_ssl_connection(SSL *con) srtp_profile->name); } #endif - if (SSL_cache_hit(con)) + if (SSL_session_reused(con)) BIO_printf(bio_s_out, "Reused session-id\n"); BIO_printf(bio_s_out, "Secure Renegotiation IS%s supported\n", SSL_get_secure_renegotiation_support(con) ? "" : " NOT"); @@ -2654,8 +2647,7 @@ static DH *load_dh_param(const char *dhfile) } #endif -static int www_body(const char *hostname, int s, int stype, - unsigned char *context) +static int www_body(int s, int stype, unsigned char *context) { char *buf = NULL; int ret = 1; @@ -2749,9 +2741,10 @@ static int www_body(const char *hostname, int s, int stype, if (BIO_should_io_special(io) && BIO_get_retry_reason(io) == BIO_RR_SSL_X509_LOOKUP) { BIO_printf(bio_s_out, "LOOKUP renego during read\n"); + SRP_user_pwd_free(srp_callback_parm.user); srp_callback_parm.user = - SRP_VBASE_get_by_user(srp_callback_parm.vb, - srp_callback_parm.login); + SRP_VBASE_get1_by_user(srp_callback_parm.vb, + srp_callback_parm.login); if (srp_callback_parm.user) BIO_printf(bio_s_out, "LOOKUP done %s\n", srp_callback_parm.user->info); @@ -2882,7 +2875,7 @@ static int www_body(const char *hostname, int s, int stype, #ifndef OPENSSL_NO_EC ssl_print_curves(io, con, 0); #endif - BIO_printf(io, (SSL_cache_hit(con) + BIO_printf(io, (SSL_session_reused(con) ? "---\nReused, " : "---\nNew, ")); c = SSL_get_current_cipher(con); BIO_printf(io, "%s, Cipher is %s\n", @@ -3042,8 +3035,7 @@ static int www_body(const char *hostname, int s, int stype, return (ret); } -static int rev_body(const char *hostname, int s, int stype, - unsigned char *context) +static int rev_body(int s, int stype, unsigned char *context) { char *buf = NULL; int i; @@ -3111,9 +3103,10 @@ static int rev_body(const char *hostname, int s, int stype, if (BIO_should_io_special(io) && BIO_get_retry_reason(io) == BIO_RR_SSL_X509_LOOKUP) { BIO_printf(bio_s_out, "LOOKUP renego during accept\n"); + SRP_user_pwd_free(srp_callback_parm.user); srp_callback_parm.user = - SRP_VBASE_get_by_user(srp_callback_parm.vb, - srp_callback_parm.login); + SRP_VBASE_get1_by_user(srp_callback_parm.vb, + srp_callback_parm.login); if (srp_callback_parm.user) BIO_printf(bio_s_out, "LOOKUP done %s\n", srp_callback_parm.user->info); @@ -3139,9 +3132,10 @@ static int rev_body(const char *hostname, int s, int stype, if (BIO_should_io_special(io) && BIO_get_retry_reason(io) == BIO_RR_SSL_X509_LOOKUP) { BIO_printf(bio_s_out, "LOOKUP renego during read\n"); + SRP_user_pwd_free(srp_callback_parm.user); srp_callback_parm.user = - SRP_VBASE_get_by_user(srp_callback_parm.vb, - srp_callback_parm.login); + SRP_VBASE_get1_by_user(srp_callback_parm.vb, + srp_callback_parm.login); if (srp_callback_parm.user) BIO_printf(bio_s_out, "LOOKUP done %s\n", srp_callback_parm.user->info);