diff options
author | Ben Laurie <ben@openssl.org> | 2011-11-13 21:55:42 +0000 |
---|---|---|
committer | Ben Laurie <ben@openssl.org> | 2011-11-13 21:55:42 +0000 |
commit | 68b33cc5c7aa1bb98e95bfb4b61c34192a7a50e3 (patch) | |
tree | 8c4298a1cc0487b3223a06764fe5f338f9691ad8 /apps/s_server.c | |
parent | 4c02cf8ecc4b4cedeb6b6c11185f5d3e49c3cd4a (diff) |
Add Next Protocol Negotiation.
Diffstat (limited to 'apps/s_server.c')
-rw-r--r-- | apps/s_server.c | 71 |
1 files changed, 68 insertions, 3 deletions
diff --git a/apps/s_server.c b/apps/s_server.c index 0137b31cd1..19f4fb25e2 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -537,6 +537,9 @@ static void sv_usage(void) BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n"); BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n"); BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n"); +# ifndef OPENSSL_NO_NEXTPROTONEG + BIO_printf(bio_err," -nextprotoneg arg - set the advertised protocols for the NPN extension (comma-separated list)\n"); +# endif #endif } @@ -871,6 +874,26 @@ BIO_printf(err, "cert_status: received %d ids\n", sk_OCSP_RESPID_num(ids)); ret = SSL_TLSEXT_ERR_ALERT_FATAL; goto done; } + +# ifndef OPENSSL_NO_NEXTPROTONEG +/* This is the context that we pass to next_proto_cb */ +typedef struct tlsextnextprotoctx_st { + unsigned char *data; + unsigned int len; +} tlsextnextprotoctx; + +static int next_proto_cb(SSL *s, const unsigned char **data, unsigned int *len, void *arg) + { + tlsextnextprotoctx *next_proto = arg; + + *data = next_proto->data; + *len = next_proto->len; + + return SSL_TLSEXT_ERR_OK; + } +# endif /* ndef OPENSSL_NO_NEXTPROTONEG */ + + #endif int MAIN(int, char **); @@ -909,9 +932,11 @@ int MAIN(int argc, char *argv[]) #ifndef OPENSSL_NO_TLSEXT EVP_PKEY *s_key2 = NULL; X509 *s_cert2 = NULL; -#endif -#ifndef OPENSSL_NO_TLSEXT tlsextctx tlsextcbp = {NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING}; +# ifndef OPENSSL_NO_NEXTPROTONEG + const char *next_proto_neg_in = NULL; + tlsextnextprotoctx next_proto; +# endif #endif #ifndef OPENSSL_NO_PSK /* by default do not send a PSK identity hint */ @@ -1267,7 +1292,13 @@ int MAIN(int argc, char *argv[]) if (--argc < 1) goto bad; s_key_file2= *(++argv); } - +# ifndef OPENSSL_NO_NEXTPROTONEG + else if (strcmp(*argv,"-nextprotoneg") == 0) + { + if (--argc < 1) goto bad; + next_proto_neg_in = *(++argv); + } +# endif #endif #if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK) else if (strcmp(*argv,"-jpake") == 0) @@ -1372,6 +1403,22 @@ bad: goto end; } } + +# ifndef OPENSSL_NO_NEXTPROTONEG + if (next_proto_neg_in) + { + unsigned short len; + next_proto.data = next_protos_parse(&len, + next_proto_neg_in); + if (next_proto.data == NULL) + goto end; + next_proto.len = len; + } + else + { + next_proto.data = NULL; + } +# endif #endif } @@ -1552,6 +1599,11 @@ bad: if (vpm) SSL_CTX_set1_param(ctx2, vpm); } + +# ifndef OPENSSL_NO_NEXTPROTONEG + if (next_proto.data) + SSL_CTX_set_next_protos_advertised_cb(ctx, next_proto_cb, &next_proto); +# endif #endif #ifndef OPENSSL_NO_DH @@ -2257,6 +2309,10 @@ static int init_ssl_connection(SSL *con) #ifndef OPENSSL_NO_KRB5 char *client_princ; #endif +#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) + const unsigned char *next_proto_neg; + unsigned next_proto_neg_len; +#endif if ((i=SSL_accept(con)) <= 0) { @@ -2296,6 +2352,15 @@ static int init_ssl_connection(SSL *con) BIO_printf(bio_s_out,"Shared ciphers:%s\n",buf); str=SSL_CIPHER_get_name(SSL_get_current_cipher(con)); BIO_printf(bio_s_out,"CIPHER is %s\n",(str != NULL)?str:"(NONE)"); +#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) + SSL_get0_next_proto_negotiated(con, &next_proto_neg, &next_proto_neg_len); + if (next_proto_neg) + { + BIO_printf(bio_s_out,"NEXTPROTO is "); + BIO_write(bio_s_out, next_proto_neg, next_proto_neg_len); + BIO_printf(bio_s_out, "\n"); + } +#endif if (SSL_cache_hit(con)) BIO_printf(bio_s_out,"Reused session-id\n"); if (SSL_ctrl(con,SSL_CTRL_GET_FLAGS,0,NULL) & TLS1_FLAGS_TLS_PADDING_BUG) |