X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=apps%2Fs_server.c;h=cb68b2cc84e298de7f2857cee6f7679f2f8758a1;hp=f5c26dc60534c81bf8eb31d67882ab6ec9d9bd53;hb=9f9ab1dc667186c533454c87f70295fcb67b4e8a;hpb=6f017a8f9db3a79f3a3406cf8d493ccd346db691 diff --git a/apps/s_server.c b/apps/s_server.c index f5c26dc605..cb68b2cc84 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -225,6 +225,20 @@ static DH *get_dh512(void); static void s_server_init(void); #endif +#ifndef OPENSSL_NO_TLSEXT + +static const unsigned char auth_ext_data[]={TLSEXT_AUTHZDATAFORMAT_dtcp}; + +static unsigned char *generated_supp_data = NULL; + +static const unsigned char *most_recent_supplemental_data = NULL; +static size_t most_recent_supplemental_data_length = 0; + +static int client_provided_server_authz = 0; +static int client_provided_client_authz = 0; + +#endif + #ifndef OPENSSL_NO_DH static unsigned char dh512_p[]={ 0xDA,0x58,0x3C,0x16,0xD9,0x85,0x22,0x89,0xD0,0xE4,0xAF,0x75, @@ -316,10 +330,29 @@ static int cert_chain = 0; #endif #ifndef OPENSSL_NO_TLSEXT -static BIO *authz_in = NULL; -static const char *s_authz_file = NULL; +static int suppdata_cb(SSL *s, unsigned short supp_data_type, + const unsigned char *in, + unsigned short inlen, int *al, + void *arg); + +static int auth_suppdata_generate_cb(SSL *s, unsigned short supp_data_type, + const unsigned char **out, + unsigned short *outlen, void *arg); + +static int authz_tlsext_generate_cb(SSL *s, unsigned short ext_type, + const unsigned char **out, unsigned short *outlen, + void *arg); + +static int authz_tlsext_cb(SSL *s, unsigned short ext_type, + const unsigned char *in, + unsigned short inlen, int *al, + void *arg); + static BIO *serverinfo_in = NULL; static const char *s_serverinfo_file = NULL; + +static int c_auth = 0; +static int c_auth_require_reneg = 0; #endif #ifndef OPENSSL_NO_PSK @@ -480,10 +513,12 @@ static void sv_usage(void) BIO_printf(bio_err," -Verify arg - turn on peer certificate verification, must have a cert.\n"); BIO_printf(bio_err," -cert arg - certificate file to use\n"); BIO_printf(bio_err," (default is %s)\n",TEST_CERT); - BIO_printf(bio_err," -authz arg - binary authz file for certificate\n"); #ifndef OPENSSL_NO_TLSEXT BIO_printf(bio_err," -serverinfo arg - PEM serverinfo file for certificate\n"); + BIO_printf(bio_err," -auth - send and receive RFC 5878 TLS auth extensions and supplemental data\n"); + BIO_printf(bio_err," -auth_require_reneg - Do not send TLS auth extensions until renegotiation\n"); #endif + BIO_printf(bio_err," -no_resumption_on_reneg - set SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION flag\n"); BIO_printf(bio_err," -crl_check - check the peer certificate has not been revoked by its CA.\n" \ " The CRL(s) are appended to the certificate file\n"); BIO_printf(bio_err," -crl_check_all - check the peer certificate has not been revoked by its CA\n" \ @@ -1023,16 +1058,17 @@ int MAIN(int argc, char *argv[]) EVP_PKEY *s_key = NULL, *s_dkey = NULL; int no_cache = 0, ext_cache = 0; int rev = 0, naccept = -1; + int c_no_resumption_on_reneg = 0; #ifndef OPENSSL_NO_TLSEXT EVP_PKEY *s_key2 = NULL; X509 *s_cert2 = NULL; tlsextctx tlsextcbp = {NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING}; # ifndef OPENSSL_NO_NEXTPROTONEG const char *next_proto_neg_in = NULL; - tlsextnextprotoctx next_proto; + tlsextnextprotoctx next_proto = { NULL, 0}; +# endif const char *alpn_in = NULL; tlsextalpnctx alpn_ctx = { NULL, 0}; -# endif #endif #ifndef OPENSSL_NO_PSK /* by default do not send a PSK identity hint */ @@ -1137,17 +1173,24 @@ int MAIN(int argc, char *argv[]) else if (strcmp(*argv,"-crl_download") == 0) crl_download = 1; #ifndef OPENSSL_NO_TLSEXT - else if (strcmp(*argv,"-authz") == 0) - { - if (--argc < 1) goto bad; - s_authz_file = *(++argv); - } else if (strcmp(*argv,"-serverinfo") == 0) { if (--argc < 1) goto bad; s_serverinfo_file = *(++argv); } + else if (strcmp(*argv,"-auth") == 0) + { + c_auth = 1; + } #endif + else if (strcmp(*argv, "-no_resumption_on_reneg") == 0) + { + c_no_resumption_on_reneg = 1; + } + else if (strcmp(*argv,"-auth_require_reneg") == 0) + { + c_auth_require_reneg = 1; + } else if (strcmp(*argv,"-certform") == 0) { if (--argc < 1) goto bad; @@ -1482,12 +1525,12 @@ int MAIN(int argc, char *argv[]) if (--argc < 1) goto bad; next_proto_neg_in = *(++argv); } +# endif else if (strcmp(*argv,"-alpn") == 0) { if (--argc < 1) goto bad; alpn_in = *(++argv); } -# endif #endif #if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK) else if (strcmp(*argv,"-jpake") == 0) @@ -1920,14 +1963,23 @@ bad: } #endif + if (c_no_resumption_on_reneg) + SSL_CTX_set_options(ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION); if (!set_cert_key_stuff(ctx, s_cert, s_key, s_chain, build_chain)) goto end; #ifndef OPENSSL_NO_TLSEXT - if (s_authz_file != NULL && !SSL_CTX_use_authz_file(ctx, s_authz_file)) - goto end; if (s_serverinfo_file != NULL && !SSL_CTX_use_serverinfo_file(ctx, s_serverinfo_file)) + { + ERR_print_errors(bio_err); goto end; + } + if (c_auth) + { + SSL_CTX_set_custom_srv_ext(ctx, TLSEXT_TYPE_client_authz, authz_tlsext_cb, authz_tlsext_generate_cb, bio_err); + SSL_CTX_set_custom_srv_ext(ctx, TLSEXT_TYPE_server_authz, authz_tlsext_cb, authz_tlsext_generate_cb, bio_err); + SSL_CTX_set_srv_supp_data(ctx, TLSEXT_SUPPLEMENTALDATATYPE_authz_data, auth_suppdata_generate_cb, suppdata_cb, bio_err); + } #endif #ifndef OPENSSL_NO_TLSEXT if (ctx2 && !set_cert_key_stuff(ctx2,s_cert2,s_key2, NULL, build_chain)) @@ -2105,12 +2157,12 @@ end: X509_free(s_cert2); if (s_key2) EVP_PKEY_free(s_key2); - if (authz_in != NULL) - BIO_free(authz_in); if (serverinfo_in != NULL) BIO_free(serverinfo_in); +# ifndef OPENSSL_NO_NEXTPROTONEG if (next_proto.data) OPENSSL_free(next_proto.data); +# endif if (alpn_ctx.data) OPENSSL_free(alpn_ctx.data); #endif @@ -2359,7 +2411,7 @@ static int sv_body(char *hostname, int s, int stype, unsigned char *context) if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0) { - BIO_printf(bio_err,"TIMEOUT occured\n"); + BIO_printf(bio_err,"TIMEOUT occurred\n"); } if (i <= 0) continue; @@ -2616,6 +2668,15 @@ static int init_ssl_connection(SSL *con) i=SSL_accept(con); +#ifdef CERT_CB_TEST_RETRY + { + while (i <= 0 && SSL_get_error(con,i) == SSL_ERROR_WANT_X509_LOOKUP && SSL_state(con) == SSL3_ST_SR_CLNT_HELLO_C) + { + fprintf(stderr, "LOOKUP from certificate callback during accept\n"); + i=SSL_accept(con); + } + } +#endif #ifndef OPENSSL_NO_SRP while (i <= 0 && SSL_get_error(con,i) == SSL_ERROR_WANT_X509_LOOKUP) { @@ -2628,6 +2689,13 @@ static int init_ssl_connection(SSL *con) i=SSL_accept(con); } #endif + /*handshake is complete - free the generated supp data allocated in the callback */ + if (generated_supp_data) + { + OPENSSL_free(generated_supp_data); + generated_supp_data = NULL; + } + if (i <= 0) { if (BIO_sock_should_retry(i)) @@ -2669,8 +2737,10 @@ static int init_ssl_connection(SSL *con) BIO_printf(bio_s_out,"Shared ciphers:%s\n",buf); str=SSL_CIPHER_get_name(SSL_get_current_cipher(con)); ssl_print_sigalgs(bio_s_out, con); +#ifndef OPENSSL_NO_EC ssl_print_point_formats(bio_s_out, con); ssl_print_curves(bio_s_out, con, 0); +#endif BIO_printf(bio_s_out,"CIPHER is %s\n",(str != NULL)?str:"(NONE)"); #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) @@ -3013,7 +3083,9 @@ static int www_body(char *hostname, int s, int stype, unsigned char *context) BIO_puts(io,"\n"); } ssl_print_sigalgs(io, con); +#ifndef OPENSSL_NO_EC ssl_print_curves(io, con, 0); +#endif BIO_printf(io,(SSL_cache_hit(con) ?"---\nReused, " :"---\nNew, ")); @@ -3510,3 +3582,77 @@ static void free_sessions(void) } first = NULL; } + +#ifndef OPENSSL_NO_TLSEXT +static int authz_tlsext_cb(SSL *s, unsigned short ext_type, + const unsigned char *in, + unsigned short inlen, int *al, + void *arg) + { + if (TLSEXT_TYPE_server_authz == ext_type) + client_provided_server_authz + = memchr(in, TLSEXT_AUTHZDATAFORMAT_dtcp, inlen) != NULL; + + if (TLSEXT_TYPE_client_authz == ext_type) + client_provided_client_authz + = memchr(in, TLSEXT_AUTHZDATAFORMAT_dtcp, inlen) != NULL; + + return 1; + } + +static int authz_tlsext_generate_cb(SSL *s, unsigned short ext_type, + const unsigned char **out, unsigned short *outlen, + void *arg) + { + if (c_auth && client_provided_client_authz && client_provided_server_authz) + { + /*if auth_require_reneg flag is set, only send extensions if + renegotiation has occurred */ + if (!c_auth_require_reneg + || (c_auth_require_reneg && SSL_num_renegotiations(s))) + { + *out = auth_ext_data; + *outlen = 1; + return 1; + } + } + /* no auth extension to send */ + return -1; + } + +static int suppdata_cb(SSL *s, unsigned short supp_data_type, + const unsigned char *in, + unsigned short inlen, int *al, + void *arg) + { + if (supp_data_type == TLSEXT_SUPPLEMENTALDATATYPE_authz_data) + { + most_recent_supplemental_data = in; + most_recent_supplemental_data_length = inlen; + } + return 1; + } + +static int auth_suppdata_generate_cb(SSL *s, unsigned short supp_data_type, + const unsigned char **out, + unsigned short *outlen, void *arg) + { + if (c_auth && client_provided_client_authz && client_provided_server_authz) + { + /*if auth_require_reneg flag is set, only send supplemental data if + renegotiation has occurred */ + if (!c_auth_require_reneg + || (c_auth_require_reneg && SSL_num_renegotiations(s))) + { + generated_supp_data = OPENSSL_malloc(10); + memcpy(generated_supp_data, "1234512345", 10); + *out = generated_supp_data; + *outlen = 10; + return 1; + } + } + /* no supplemental data to send */ + return -1; + } +#endif +