X-Git-Url: https://git.openssl.org/gitweb/?p=openssl.git;a=blobdiff_plain;f=apps%2Fs_server.c;h=f897c4fb82e1fc33c0099022fc3e20df0c28528d;hp=8fe1ebe224e4139f52435a7d13c1805ca7c83af8;hb=075c8795857de6746ee662e50ebe44055a494f51;hpb=a60994df34fe6a694441471c7f8dcf9661fb091d diff --git a/apps/s_server.c b/apps/s_server.c index 8fe1ebe224..f897c4fb82 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -232,7 +232,7 @@ static char *s_dcert_file = NULL, *s_dkey_file = NULL, *s_dchain_file = NULL; static int s_nbio = 0; #endif static int s_nbio_test = 0; -int s_crlf = 0; +static int s_crlf = 0; static SSL_CTX *ctx = NULL; static SSL_CTX *ctx2 = NULL; static int www = 0; @@ -262,6 +262,7 @@ static long socket_mtu; #ifndef OPENSSL_NO_DTLS1 static int cert_chain = 0; #endif +static int dtlslisten = 0; static BIO *serverinfo_in = NULL; static const char *s_serverinfo_file = NULL; @@ -795,19 +796,19 @@ typedef enum OPTION_choice { OPT_CRL_DOWNLOAD, OPT_SERVERINFO, OPT_CERTFORM, OPT_KEY, OPT_KEYFORM, OPT_PASS, OPT_CERT_CHAIN, OPT_DHPARAM, OPT_DCERTFORM, OPT_DCERT, OPT_DKEYFORM, OPT_DPASS, OPT_DKEY, OPT_DCERT_CHAIN, OPT_NOCERT, - OPT_CAPATH, OPT_CHAINCAPATH, OPT_VERIFYCAPATH, OPT_NO_CACHE, + OPT_CAPATH, OPT_NOCAPATH, OPT_CHAINCAPATH, OPT_VERIFYCAPATH, OPT_NO_CACHE, OPT_EXT_CACHE, OPT_CRLFORM, OPT_VERIFY_RET_ERROR, OPT_VERIFY_QUIET, - OPT_BUILD_CHAIN, OPT_CAFILE, OPT_CHAINCAFILE, OPT_VERIFYCAFILE, - OPT_NBIO, OPT_NBIO_TEST, OPT_IGN_EOF, OPT_NO_IGN_EOF, OPT_DEBUG, - OPT_TLSEXTDEBUG, OPT_STATUS, OPT_STATUS_VERBOSE, OPT_STATUS_TIMEOUT, - OPT_STATUS_URL, OPT_MSG, OPT_MSGFILE, OPT_TRACE, OPT_SECURITY_DEBUG, - OPT_SECURITY_DEBUG_VERBOSE, OPT_STATE, OPT_CRLF, OPT_QUIET, - OPT_BRIEF, OPT_NO_TMP_RSA, OPT_NO_DHE, OPT_NO_ECDHE, + OPT_BUILD_CHAIN, OPT_CAFILE, OPT_NOCAFILE, OPT_CHAINCAFILE, + OPT_VERIFYCAFILE, OPT_NBIO, OPT_NBIO_TEST, OPT_IGN_EOF, OPT_NO_IGN_EOF, + OPT_DEBUG, OPT_TLSEXTDEBUG, OPT_STATUS, OPT_STATUS_VERBOSE, + OPT_STATUS_TIMEOUT, OPT_STATUS_URL, OPT_MSG, OPT_MSGFILE, OPT_TRACE, + OPT_SECURITY_DEBUG, OPT_SECURITY_DEBUG_VERBOSE, OPT_STATE, OPT_CRLF, + OPT_QUIET, OPT_BRIEF, OPT_NO_TMP_RSA, OPT_NO_DHE, OPT_NO_ECDHE, OPT_NO_RESUME_EPHEMERAL, OPT_PSK_HINT, OPT_PSK, OPT_SRPVFILE, OPT_SRPUSERSEED, OPT_REV, OPT_WWW, OPT_UPPER_WWW, OPT_HTTP, OPT_SSL3, OPT_TLS1_2, OPT_TLS1_1, OPT_TLS1, OPT_DTLS, OPT_DTLS1, - OPT_DTLS1_2, OPT_TIMEOUT, OPT_MTU, OPT_CHAIN, + OPT_DTLS1_2, OPT_TIMEOUT, OPT_MTU, OPT_CHAIN, OPT_LISTEN, OPT_ID_PREFIX, OPT_RAND, OPT_SERVERNAME, OPT_SERVERNAME_FATAL, OPT_CERT2, OPT_KEY2, OPT_NEXTPROTONEG, OPT_ALPN, OPT_JPAKE, OPT_SRTP_PROFILES, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN, @@ -853,8 +854,12 @@ OPTIONS s_server_options[] = { {"msg", OPT_MSG, '-', "Show protocol messages"}, {"msgfile", OPT_MSGFILE, '>'}, {"state", OPT_STATE, '-', "Print the SSL states"}, - {"CApath", OPT_CAPATH, '/', "PEM format directory of CA's"}, {"CAfile", OPT_CAFILE, '<', "PEM format file of CA's"}, + {"CApath", OPT_CAPATH, '/', "PEM format directory of CA's"}, + {"no-CAfile", OPT_NOCAFILE, '-', + "Do not load the default certificates file"}, + {"no-CApath", OPT_NOCAPATH, '-', + "Do not load certificates from the default certificates directory"}, {"nocert", OPT_NOCERT, '-', "Don't use any certificates (Anon-DH)"}, {"quiet", OPT_QUIET, '-', "No server output"}, {"no_tmp_rsa", OPT_NO_TMP_RSA, '-', "Do not generate a tmp RSA key"}, @@ -937,6 +942,8 @@ OPTIONS s_server_options[] = { {"timeout", OPT_TIMEOUT, '-', "Enable timeouts"}, {"mtu", OPT_MTU, 'p', "Set link layer MTU"}, {"chain", OPT_CHAIN, '-', "Read a certificate chain"}, + {"listen", OPT_LISTEN, '-', + "Listen for a DTLS ClientHello with a cookie and then connect"}, #endif #ifndef OPENSSL_NO_DH {"no_dhe", OPT_NO_DHE, '-', "Disable ephemeral DH"}, @@ -973,7 +980,10 @@ int s_server_main(int argc, char *argv[]) X509 *s_cert = NULL, *s_dcert = NULL; X509_VERIFY_PARAM *vpm = NULL; char *CApath = NULL, *CAfile = NULL, *chCApath = NULL, *chCAfile = NULL; - char *dhfile = NULL, *dpassarg = NULL, *dpass = NULL, *inrand = NULL; +#ifndef OPENSSL_NO_DH + char *dhfile = NULL; +#endif + char *dpassarg = NULL, *dpass = NULL, *inrand = NULL; char *passarg = NULL, *pass = NULL, *vfyCApath = NULL, *vfyCAfile = NULL; char *crl_file = NULL, *prog; #ifndef OPENSSL_NO_PSK @@ -986,7 +996,11 @@ int s_server_main(int argc, char *argv[]) int (*server_cb) (char *hostname, int s, int stype, unsigned char *context); int vpmtouched = 0, build_chain = 0, no_cache = 0, ext_cache = 0; - int no_tmp_rsa = 0, no_dhe = 0, no_ecdhe = 0, nocert = 0, ret = 1; +#ifndef OPENSSL_NO_DH + int no_dhe = 0; +#endif + int no_tmp_rsa = 0, no_ecdhe = 0, nocert = 0, ret = 1; + int noCApath = 0, noCAfile = 0; int s_cert_format = FORMAT_PEM, s_key_format = FORMAT_PEM; int s_dcert_format = FORMAT_PEM, s_dkey_format = FORMAT_PEM; int rev = 0, naccept = -1, sdebug = 0, socket_type = SOCK_STREAM; @@ -1119,7 +1133,9 @@ int s_server_main(int argc, char *argv[]) s_chain_file = opt_arg(); break; case OPT_DHPARAM: +#ifndef OPENSSL_NO_DH dhfile = opt_arg(); +#endif break; case OPT_DCERTFORM: if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &s_dcert_format)) @@ -1147,6 +1163,9 @@ int s_server_main(int argc, char *argv[]) case OPT_CAPATH: CApath = opt_arg(); break; + case OPT_NOCAPATH: + noCApath = 1; + break; case OPT_CHAINCAPATH: chCApath = opt_arg(); break; @@ -1194,6 +1213,9 @@ int s_server_main(int argc, char *argv[]) case OPT_CAFILE: CAfile = opt_arg(); break; + case OPT_NOCAFILE: + noCAfile = 1; + break; case OPT_CHAINCAFILE: chCAfile = opt_arg(); break; @@ -1272,7 +1294,9 @@ int s_server_main(int argc, char *argv[]) no_tmp_rsa = 1; break; case OPT_NO_DHE: +#ifndef OPENSSL_NO_DH no_dhe = 1; +#endif break; case OPT_NO_ECDHE: no_ecdhe = 1; @@ -1292,10 +1316,6 @@ int s_server_main(int argc, char *argv[]) goto end; } break; -#else - case OPT_PSK_HINT: - case OPT_PSK: - break; #endif #ifndef OPENSSL_NO_SRP case OPT_SRPVFILE: @@ -1359,6 +1379,9 @@ int s_server_main(int argc, char *argv[]) case OPT_CHAIN: cert_chain = 1; break; + case OPT_LISTEN: + dtlslisten = 1; + break; #else case OPT_DTLS: case OPT_DTLS1: @@ -1366,6 +1389,7 @@ int s_server_main(int argc, char *argv[]) case OPT_TIMEOUT: case OPT_MTU: case OPT_CHAIN: + case OPT_LISTEN: break; #endif case OPT_ID_PREFIX: @@ -1424,6 +1448,11 @@ int s_server_main(int argc, char *argv[]) BIO_printf(bio_err, "Can't use -HTTP, -www or -WWW with DTLS\n"); goto end; } + + if (dtlslisten && socket_type != SOCK_DGRAM) { + BIO_printf(bio_err, "Can only use -listen with DTLS\n"); + goto end; + } #endif if (unix_path && (socket_type != SOCK_STREAM)) { @@ -1446,9 +1475,6 @@ int s_server_main(int argc, char *argv[]) goto end; } - if (!app_load_modules(NULL)) - goto end; - if (s_key_file == NULL) s_key_file = s_cert_file; @@ -1635,7 +1661,7 @@ int s_server_main(int argc, char *argv[]) } #endif - if (!ctx_set_verify_locations(ctx, CAfile, CApath)) { + if (!ctx_set_verify_locations(ctx, CAfile, CApath, noCAfile, noCApath)) { ERR_print_errors(bio_err); goto end; } @@ -2366,19 +2392,43 @@ static int init_ssl_connection(SSL *con) int i; const char *str; X509 *peer; - long verify_error; + long verify_err; char buf[BUFSIZ]; #if !defined(OPENSSL_NO_NEXTPROTONEG) const unsigned char *next_proto_neg; unsigned next_proto_neg_len; #endif unsigned char *exportedkeymat; + struct sockaddr_storage client; + +#ifndef OPENSSL_NO_DTLS1 + if(dtlslisten) { + i = DTLSv1_listen(con, &client); + if (i > 0) { + BIO *wbio; + int fd = -1; + + wbio = SSL_get_wbio(con); + if(wbio) { + BIO_get_fd(wbio, &fd); + } + + if(!wbio || connect(fd, (struct sockaddr *)&client, + sizeof(struct sockaddr_storage))) { + BIO_printf(bio_err, "ERROR - unable to connect\n"); + return 0; + } + dtlslisten = 0; + i = SSL_accept(con); + } + } else +#endif + i = SSL_accept(con); - i = SSL_accept(con); #ifdef CERT_CB_TEST_RETRY { while (i <= 0 && SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP - && SSL_state(con) == SSL3_ST_SR_CLNT_HELLO_C) { + && SSL_state(con) == TLS_ST_SR_CLNT_HELLO) { BIO_printf(bio_err, "LOOKUP from certificate callback during accept\n"); i = SSL_accept(con); @@ -2402,17 +2452,18 @@ static int init_ssl_connection(SSL *con) #endif if (i <= 0) { - if (BIO_sock_should_retry(i)) { + if ((dtlslisten && i == 0) + || (!dtlslisten && BIO_sock_should_retry(i))) { BIO_printf(bio_s_out, "DELAY\n"); return (1); } BIO_printf(bio_err, "ERROR\n"); - verify_error = SSL_get_verify_result(con); - if (verify_error != X509_V_OK) { + verify_err = SSL_get_verify_result(con); + if (verify_err != X509_V_OK) { BIO_printf(bio_err, "verify error:%s\n", - X509_verify_cert_error_string(verify_error)); + X509_verify_cert_error_string(verify_err)); } /* Always print any error messages */ ERR_print_errors(bio_err); @@ -2516,6 +2567,11 @@ static int www_body(char *hostname, int s, int stype, unsigned char *context) #ifdef RENEG int total_bytes = 0; #endif + int width; + fd_set readfds; + + /* Set width for a select call if needed */ + width = s + 1; buf = app_malloc(bufsize, "server www buffer"); io = BIO_new(BIO_f_buffer()); @@ -2591,6 +2647,21 @@ static int www_body(char *hostname, int s, int stype, unsigned char *context) goto err; } else { BIO_printf(bio_s_out, "read R BLOCK\n"); +#ifndef OPENSSL_NO_SRP + if (BIO_should_io_special(io) + && BIO_get_retry_reason(io) == BIO_RR_SSL_X509_LOOKUP) { + BIO_printf(bio_s_out, "LOOKUP renego during read\n"); + srp_callback_parm.user = + SRP_VBASE_get_by_user(srp_callback_parm.vb, + srp_callback_parm.login); + if (srp_callback_parm.user) + BIO_printf(bio_s_out, "LOOKUP done %s\n", + srp_callback_parm.user->info); + else + BIO_printf(bio_s_out, "LOOKUP not successful\n"); + continue; + } +#endif #if defined(OPENSSL_SYS_NETWARE) delay(1000); #elif !defined(OPENSSL_SYS_MSDOS) @@ -2618,6 +2689,7 @@ static int www_body(char *hostname, int s, int stype, unsigned char *context) NULL); i = SSL_renegotiate(con); BIO_printf(bio_s_out, "SSL_renegotiate -> %d\n", i); + /* Send the HelloRequest */ i = SSL_do_handshake(con); if (i <= 0) { BIO_printf(bio_s_out, "SSL_do_handshake() Retval %d\n", @@ -2625,16 +2697,22 @@ static int www_body(char *hostname, int s, int stype, unsigned char *context) ERR_print_errors(bio_err); goto err; } - /* EVIL HACK! */ - SSL_set_state(con, SSL_ST_ACCEPT); - i = SSL_do_handshake(con); - BIO_printf(bio_s_out, "SSL_do_handshake -> %d\n", i); - if (i <= 0) { - BIO_printf(bio_s_out, "SSL_do_handshake() Retval %d\n", - SSL_get_error(con, i)); + /* Wait for a ClientHello to come back */ + FD_ZERO(&readfds); + openssl_fdset(s, &readfds); + i = select(width, (void *)&readfds, NULL, NULL, NULL); + if (i <= 0 || !FD_ISSET(s, &readfds)) { + BIO_printf(bio_s_out, "Error waiting for client response\n"); ERR_print_errors(bio_err); goto err; } + /* + * We're not acutally expecting any data here and we ignore + * any that is sent. This is just to force the handshake that + * we're expecting to come from the client. If they haven't + * sent one there's not much we can do. + */ + BIO_gets(io, buf, bufsize - 1); } BIO_puts(io, @@ -2931,6 +3009,21 @@ static int rev_body(char *hostname, int s, int stype, unsigned char *context) ERR_print_errors(bio_err); goto end; } +#ifndef OPENSSL_NO_SRP + if (BIO_should_io_special(io) + && BIO_get_retry_reason(io) == BIO_RR_SSL_X509_LOOKUP) { + BIO_printf(bio_s_out, "LOOKUP renego during accept\n"); + srp_callback_parm.user = + SRP_VBASE_get_by_user(srp_callback_parm.vb, + srp_callback_parm.login); + if (srp_callback_parm.user) + BIO_printf(bio_s_out, "LOOKUP done %s\n", + srp_callback_parm.user->info); + else + BIO_printf(bio_s_out, "LOOKUP not successful\n"); + continue; + } +#endif } BIO_printf(bio_err, "CONNECTION ESTABLISHED\n"); print_ssl_summary(con); @@ -2944,6 +3037,21 @@ static int rev_body(char *hostname, int s, int stype, unsigned char *context) goto err; } else { BIO_printf(bio_s_out, "read R BLOCK\n"); +#ifndef OPENSSL_NO_SRP + if (BIO_should_io_special(io) + && BIO_get_retry_reason(io) == BIO_RR_SSL_X509_LOOKUP) { + BIO_printf(bio_s_out, "LOOKUP renego during read\n"); + srp_callback_parm.user = + SRP_VBASE_get_by_user(srp_callback_parm.vb, + srp_callback_parm.login); + if (srp_callback_parm.user) + BIO_printf(bio_s_out, "LOOKUP done %s\n", + srp_callback_parm.user->info); + else + BIO_printf(bio_s_out, "LOOKUP not successful\n"); + continue; + } +#endif #if defined(OPENSSL_SYS_NETWARE) delay(1000); #elif !defined(OPENSSL_SYS_MSDOS)