X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=apps%2Fs_server.c;h=ba281e095011c9ccc9d93f944153e52195b89d8e;hp=8199b888f89485591dc71402318da197082ee24c;hb=86885c289580066792415218754bd935b449f170;hpb=c54cc2b15d96944fcf13ccd24baca79f9593cbf0 diff --git a/apps/s_server.c b/apps/s_server.c index 8199b888f8..ba281e0950 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -228,6 +228,8 @@ static int s_server_verify = SSL_VERIFY_NONE; static int s_server_session_id_context = 1; /* anything will do */ static const char *s_cert_file = TEST_CERT, *s_key_file = NULL, *s_chain_file = NULL; +static const char *krb5svc = NULL; +static const char *krb5tab = NULL; #ifndef OPENSSL_NO_TLSEXT static const char *s_cert_file2 = TEST_CERT2, *s_key_file2 = NULL; #endif @@ -313,8 +315,7 @@ static unsigned int psk_server_cb(SSL *ssl, const char *identity, if (!ret) { BIO_printf(bio_err, "Could not convert PSK key '%s' to BIGNUM\n", psk_key); - if (bn) - BN_free(bn); + BN_free(bn); return 0; } if (BN_num_bytes(bn) > (int)max_psk_len) { @@ -445,6 +446,7 @@ static BIO_METHOD methods_ebcdic = { ebcdic_free, }; +/* This struct is "unwarranted chumminess with the compiler." */ typedef struct { size_t alloced; char buff[1]; @@ -459,9 +461,7 @@ static int ebcdic_new(BIO *bi) { EBCDIC_OUTBUFF *wbuf; - wbuf = (EBCDIC_OUTBUFF *) OPENSSL_malloc(sizeof(EBCDIC_OUTBUFF) + 1024); - if (!wbuf) - return 0; + wbuf = app_malloc(sizeof(*wbuf) + 1024, "ebcdic wbuf"); wbuf->alloced = 1024; wbuf->buff[0] = '\0'; @@ -475,8 +475,7 @@ static int ebcdic_free(BIO *a) { if (a == NULL) return (0); - if (a->ptr != NULL) - OPENSSL_free(a->ptr); + OPENSSL_free(a->ptr); a->ptr = NULL; a->init = 0; a->flags = 0; @@ -516,9 +515,7 @@ static int ebcdic_write(BIO *b, const char *in, int inl) num = num + num; /* double the size */ if (num < inl) num = inl; - wbuf = (EBCDIC_OUTBUFF *) OPENSSL_malloc(sizeof(EBCDIC_OUTBUFF) + num); - if (!wbuf) - return 0; + wbuf = app_malloc(sizeof(*wbuf) + num, "grow ebcdic wbuf"); OPENSSL_free(b->ptr); wbuf->alloced = num; @@ -634,7 +631,7 @@ static tlsextstatusctx tlscstatp = { NULL, NULL, NULL, 0, -1, 0 }; static int cert_status_cb(SSL *s, void *arg) { tlsextstatusctx *srctx = arg; - char *host, *port, *path; + char *host = NULL, *port = NULL, *path = NULL; int use_ssl; unsigned char *rspder = NULL; int rspderlen; @@ -727,12 +724,9 @@ static int cert_status_cb(SSL *s, void *arg) OPENSSL_free(port); X509_email_free(aia); } - if (id) - OCSP_CERTID_free(id); - if (req) - OCSP_REQUEST_free(req); - if (resp) - OCSP_RESPONSE_free(resp); + OCSP_CERTID_free(id); + OCSP_REQUEST_free(req); + OCSP_RESPONSE_free(resp); return ret; err: ret = SSL_TLSEXT_ERR_ALERT_FATAL; @@ -839,7 +833,8 @@ typedef enum OPTION_choice { OPT_SRTP_PROFILES, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN, OPT_S_ENUM, OPT_V_ENUM, - OPT_X_ENUM + OPT_X_ENUM, + OPT_KRB5SVC, OPT_KRBTAB } OPTION_CHOICE; OPTIONS s_server_options[] = { @@ -897,6 +892,8 @@ OPTIONS s_server_options[] = { {"jpake", OPT_JPAKE, 's', "JPAKE secret to use"}, # endif #endif + {"krb5svc", OPT_KRB5SVC, 's', "Kerberos service name"}, + {"keytab", OPT_KRBTAB, '<', "Kerberos keytab file"}, #ifndef OPENSSL_NO_SRP {"srpvfile", OPT_SRPVFILE, '<', "The verifier file for SRP"}, {"srpuserseed", OPT_SRPUSERSEED, 's', @@ -1339,29 +1336,29 @@ int s_server_main(int argc, char *argv[]) break; #ifndef OPENSSL_NO_SSL3 case OPT_SSL3: - meth = SSLv3_client_method(); + meth = SSLv3_server_method(); break; #endif case OPT_TLS1_2: - meth = TLSv1_2_client_method(); + meth = TLSv1_2_server_method(); break; case OPT_TLS1_1: - meth = TLSv1_1_client_method(); + meth = TLSv1_1_server_method(); break; case OPT_TLS1: - meth = TLSv1_client_method(); + meth = TLSv1_server_method(); break; #ifndef OPENSSL_NO_DTLS1 case OPT_DTLS: - meth = DTLS_client_method(); + meth = DTLS_server_method(); socket_type = SOCK_DGRAM; break; case OPT_DTLS1: - meth = DTLSv1_client_method(); + meth = DTLSv1_server_method(); socket_type = SOCK_DGRAM; break; case OPT_DTLS1_2: - meth = DTLSv1_2_client_method(); + meth = DTLSv1_2_server_method(); socket_type = SOCK_DGRAM; break; case OPT_TIMEOUT: @@ -1378,7 +1375,7 @@ int s_server_main(int argc, char *argv[]) session_id_prefix = opt_arg(); break; case OPT_ENGINE: - engine_id = opt_arg(); + e = setup_engine(opt_arg(), 1); break; case OPT_RAND: inrand = opt_arg(); @@ -1413,6 +1410,12 @@ int s_server_main(int argc, char *argv[]) case OPT_JPAKE: goto opthelp; #endif + case OPT_KRB5SVC: + krb5svc = opt_arg(); + break; + case OPT_KRBTAB: + krb5tab = opt_arg(); + break; case OPT_SRTP_PROFILES: srtp_profiles = opt_arg(); break; @@ -1449,10 +1452,6 @@ int s_server_main(int argc, char *argv[]) } #endif -#ifndef OPENSSL_NO_ENGINE - e = setup_engine(engine_id, 1); -#endif - if (!app_passwd(passarg, dpassarg, &pass, &dpass)) { BIO_printf(bio_err, "Error getting password\n"); goto end; @@ -1610,7 +1609,7 @@ int s_server_main(int argc, char *argv[]) ctx = SSL_CTX_new(meth); if (sdebug) - ssl_ctx_security_debug(ctx, bio_err, sdebug); + ssl_ctx_security_debug(ctx, sdebug); if (ctx == NULL) { ERR_print_errors(bio_err); goto end; @@ -1683,7 +1682,7 @@ int s_server_main(int argc, char *argv[]) BIO_printf(bio_s_out, "Setting secondary ctx parameters\n"); if (sdebug) - ssl_ctx_security_debug(ctx, bio_err, sdebug); + ssl_ctx_security_debug(ctx, sdebug); if (session_id_prefix) { if (strlen(session_id_prefix) >= 32) @@ -1918,51 +1917,33 @@ int s_server_main(int argc, char *argv[]) ret = 0; end: SSL_CTX_free(ctx); - if (s_cert) - X509_free(s_cert); - if (crls) - sk_X509_CRL_pop_free(crls, X509_CRL_free); - if (s_dcert) - X509_free(s_dcert); + X509_free(s_cert); + sk_X509_CRL_pop_free(crls, X509_CRL_free); + X509_free(s_dcert); EVP_PKEY_free(s_key); EVP_PKEY_free(s_dkey); - if (s_chain) - sk_X509_pop_free(s_chain, X509_free); - if (s_dchain) - sk_X509_pop_free(s_dchain, X509_free); - if (pass) - OPENSSL_free(pass); - if (dpass) - OPENSSL_free(dpass); - if (vpm) - X509_VERIFY_PARAM_free(vpm); + sk_X509_pop_free(s_chain, X509_free); + sk_X509_pop_free(s_dchain, X509_free); + OPENSSL_free(pass); + OPENSSL_free(dpass); + X509_VERIFY_PARAM_free(vpm); free_sessions(); #ifndef OPENSSL_NO_TLSEXT - if (tlscstatp.host) - OPENSSL_free(tlscstatp.host); - if (tlscstatp.port) - OPENSSL_free(tlscstatp.port); - if (tlscstatp.path) - OPENSSL_free(tlscstatp.path); + OPENSSL_free(tlscstatp.host); + OPENSSL_free(tlscstatp.port); + OPENSSL_free(tlscstatp.path); SSL_CTX_free(ctx2); - if (s_cert2) - X509_free(s_cert2); + X509_free(s_cert2); EVP_PKEY_free(s_key2); BIO_free(serverinfo_in); # ifndef OPENSSL_NO_NEXTPROTONEG - if (next_proto.data) - OPENSSL_free(next_proto.data); + OPENSSL_free(next_proto.data); # endif - if (alpn_ctx.data) - OPENSSL_free(alpn_ctx.data); + OPENSSL_free(alpn_ctx.data); #endif ssl_excert_free(exc); sk_OPENSSL_STRING_free(ssl_args); SSL_CONF_CTX_free(cctx); -#ifndef OPENSSL_NO_JPAKE - if (jpake_secret && psk_key) - OPENSSL_free(psk_key); -#endif BIO_free(bio_s_out); bio_s_out = NULL; BIO_free(bio_s_msg); @@ -2017,10 +1998,7 @@ static int sv_body(char *hostname, int s, int stype, unsigned char *context) struct timeval *timeoutp; #endif - if ((buf = OPENSSL_malloc(bufsize)) == NULL) { - BIO_printf(bio_err, "out of memory\n"); - goto err; - } + buf = app_malloc(bufsize, "server buffer"); #ifdef FIONBIO if (s_nbio) { unsigned long sl = 1; @@ -2400,10 +2378,7 @@ static int sv_body(char *hostname, int s, int stype, unsigned char *context) SSL_free(con); } BIO_printf(bio_s_out, "CONNECTION CLOSED\n"); - if (buf != NULL) { - OPENSSL_cleanse(buf, bufsize); - OPENSSL_free(buf); - } + OPENSSL_clear_free(buf, bufsize); if (ret >= 0) BIO_printf(bio_s_out, "ACCEPT\n"); (void)BIO_flush(bio_s_out); @@ -2480,7 +2455,7 @@ static int init_ssl_connection(SSL *con) } if (s_brief) - print_ssl_summary(bio_err, con); + print_ssl_summary(con); PEM_write_bio_SSL_SESSION(bio_s_out, SSL_get_session(con)); @@ -2541,22 +2516,20 @@ static int init_ssl_connection(SSL *con) BIO_printf(bio_s_out, "Keying material exporter:\n"); BIO_printf(bio_s_out, " Label: '%s'\n", keymatexportlabel); BIO_printf(bio_s_out, " Length: %i bytes\n", keymatexportlen); - exportedkeymat = OPENSSL_malloc(keymatexportlen); - if (exportedkeymat != NULL) { - if (!SSL_export_keying_material(con, exportedkeymat, - keymatexportlen, - keymatexportlabel, - strlen(keymatexportlabel), - NULL, 0, 0)) { - BIO_printf(bio_s_out, " Error\n"); - } else { - BIO_printf(bio_s_out, " Keying material: "); - for (i = 0; i < keymatexportlen; i++) - BIO_printf(bio_s_out, "%02X", exportedkeymat[i]); - BIO_printf(bio_s_out, "\n"); - } - OPENSSL_free(exportedkeymat); + exportedkeymat = app_malloc(keymatexportlen, "export key"); + if (!SSL_export_keying_material(con, exportedkeymat, + keymatexportlen, + keymatexportlabel, + strlen(keymatexportlabel), + NULL, 0, 0)) { + BIO_printf(bio_s_out, " Error\n"); + } else { + BIO_printf(bio_s_out, " Keying material: "); + for (i = 0; i < keymatexportlen; i++) + BIO_printf(bio_s_out, "%02X", exportedkeymat[i]); + BIO_printf(bio_s_out, "\n"); } + OPENSSL_free(exportedkeymat); } return (1); @@ -2592,9 +2565,7 @@ static int www_body(char *hostname, int s, int stype, unsigned char *context) int total_bytes = 0; #endif - buf = OPENSSL_malloc(bufsize); - if (buf == NULL) - return (0); + buf = app_malloc(bufsize, "server www buffer"); io = BIO_new(BIO_f_buffer()); ssl_bio = BIO_new(BIO_f_ssl()); if ((io == NULL) || (ssl_bio == NULL)) @@ -2727,7 +2698,22 @@ static int www_body(char *hostname, int s, int stype, unsigned char *context) /* BIO_puts(io,SSLeay_version(SSLEAY_VERSION));*/ BIO_puts(io, "\n"); for (i = 0; i < local_argc; i++) { - BIO_puts(io, local_argv[i]); + const char *myp; + for (myp = local_argv[i]; *myp; myp++) + switch (*myp) { + case '<': + BIO_puts(io, "<"); + break; + case '>': + BIO_puts(io, ">"); + break; + case '&': + BIO_puts(io, "&"); + break; + default: + BIO_write(io, myp, 1); + break; + } BIO_write(io, " ", 1); } BIO_puts(io, "\n"); @@ -2929,8 +2915,7 @@ static int www_body(char *hostname, int s, int stype, unsigned char *context) err: if (ret >= 0) BIO_printf(bio_s_out, "ACCEPT\n"); - if (buf != NULL) - OPENSSL_free(buf); + OPENSSL_free(buf); BIO_free_all(io); return (ret); } @@ -2946,9 +2931,7 @@ static int rev_body(char *hostname, int s, int stype, unsigned char *context) KSSL_CTX *kctx; #endif - buf = OPENSSL_malloc(bufsize); - if (buf == NULL) - return (0); + buf = app_malloc(bufsize, "server rev buffer"); io = BIO_new(BIO_f_buffer()); ssl_bio = BIO_new(BIO_f_ssl()); if ((io == NULL) || (ssl_bio == NULL)) @@ -3014,7 +2997,7 @@ static int rev_body(char *hostname, int s, int stype, unsigned char *context) } } BIO_printf(bio_err, "CONNECTION ESTABLISHED\n"); - print_ssl_summary(bio_err, con); + print_ssl_summary(con); for (;;) { i = BIO_gets(io, buf, bufsize - 1); @@ -3042,7 +3025,7 @@ static int rev_body(char *hostname, int s, int stype, unsigned char *context) p--; i--; } - if (!s_ign_eof && i == 5 && !strncmp(buf, "CLOSE", 5)) { + if (!s_ign_eof && (i == 5) && (strncmp(buf, "CLOSE", 5) == 0)) { ret = 1; BIO_printf(bio_err, "CONNECTION CLOSED\n"); goto end; @@ -3065,8 +3048,7 @@ static int rev_body(char *hostname, int s, int stype, unsigned char *context) err: - if (buf != NULL) - OPENSSL_free(buf); + OPENSSL_free(buf); BIO_free_all(io); return (ret); } @@ -3145,30 +3127,23 @@ static simple_ssl_session *first = NULL; static int add_session(SSL *ssl, SSL_SESSION *session) { - simple_ssl_session *sess; + simple_ssl_session *sess = app_malloc(sizeof(*sess), "get session"); unsigned char *p; - sess = OPENSSL_malloc(sizeof(simple_ssl_session)); - if (!sess) { - BIO_printf(bio_err, "Out of memory adding to external cache\n"); - return 0; - } - SSL_SESSION_get_id(session, &sess->idlen); sess->derlen = i2d_SSL_SESSION(session, NULL); if (sess->derlen < 0) { BIO_printf(bio_err, "Error encoding session\n"); + OPENSSL_free(sess); return 0; } sess->id = BUF_memdup(SSL_SESSION_get_id(session, NULL), sess->idlen); - sess->der = OPENSSL_malloc(sess->derlen); - if (!sess->id || !sess->der) { + sess->der = app_malloc(sess->derlen, "get session buffer"); + if (!sess->id) { BIO_printf(bio_err, "Out of memory adding to external cache\n"); - if (sess->id) - OPENSSL_free(sess->id); - if (sess->der) - OPENSSL_free(sess->der); + OPENSSL_free(sess->id); + OPENSSL_free(sess->der); OPENSSL_free(sess); return 0; } @@ -3176,7 +3151,10 @@ static int add_session(SSL *ssl, SSL_SESSION *session) /* Assume it still works. */ if (i2d_SSL_SESSION(session, &p) != sess->derlen) { - BIO_printf(bio_err, "Error encoding session\n"); + BIO_printf(bio_err, "Unexpected session encoding length\n"); + OPENSSL_free(sess->id); + OPENSSL_free(sess->der); + OPENSSL_free(sess); return 0; }