diff options
| author | Ben Laurie <ben@openssl.org> | 2012-05-29 17:27:48 +0000 |
|---|---|---|
| committer | Ben Laurie <ben@openssl.org> | 2012-05-29 17:27:48 +0000 |
| commit | 8a02a46a5cb92790c79bfbf04c043e234e2af6bf (patch) | |
| tree | b1f3963b25a9be2887d673228df7d811a1572d59 /apps/s_server.c | |
| parent | 0de5a0feeef1e43aa080189c25af691448a2d860 (diff) | |
RFC 5878 support.
Diffstat (limited to 'apps/s_server.c')
| -rw-r--r-- | apps/s_server.c | 51 |
1 files changed, 50 insertions, 1 deletions
diff --git a/apps/s_server.c b/apps/s_server.c index 23f7988393..bd6577b4d6 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -309,6 +309,12 @@ static long socket_mtu; static int cert_chain = 0; #endif +#ifndef OPENSSL_NO_TLSEXT +static BIO *authz_in = NULL; +static const char *s_authz_file = NULL; +static unsigned char *authz = NULL; +static size_t authz_length; +#endif #ifndef OPENSSL_NO_PSK static char *psk_identity="Client_identity"; @@ -469,6 +475,7 @@ static void sv_usage(void) BIO_printf(bio_err," -Verify arg - turn on peer certificate verification, must have a cert.\n"); BIO_printf(bio_err," -cert arg - certificate file to use\n"); BIO_printf(bio_err," (default is %s)\n",TEST_CERT); + BIO_printf(bio_err," -authz arg - binary authz file for certificate\n"); BIO_printf(bio_err," -crl_check - check the peer certificate has not been revoked by its CA.\n" \ " The CRL(s) are appended to the certificate file\n"); BIO_printf(bio_err," -crl_check_all - check the peer certificate has not been revoked by its CA\n" \ @@ -1033,6 +1040,13 @@ int MAIN(int argc, char *argv[]) if (--argc < 1) goto bad; s_cert_file= *(++argv); } +#ifndef OPENSSL_NO_TLSEXT + else if (strcmp(*argv,"-authz") == 0) + { + if (--argc < 1) goto bad; + s_authz_file = *(++argv); + } +#endif else if (strcmp(*argv,"-certform") == 0) { if (--argc < 1) goto bad; @@ -1474,7 +1488,34 @@ bad: next_proto.data = NULL; } # endif -#endif + if (s_authz_file != NULL) + { + /* Allow authzs up to 64KB bytes. */ + static const size_t authz_limit = 65536; + + authz_in = BIO_new(BIO_s_file_internal()); + if (authz_in == NULL) + { + ERR_print_errors(bio_err); + goto end; + } + + if (BIO_read_filename(authz_in, s_authz_file) <= 0) + { + ERR_print_errors(bio_err); + goto end; + } + authz = OPENSSL_malloc(authz_limit); + authz_length = BIO_read(authz_in, authz, authz_limit); + if (authz_length == authz_limit || authz_length <= 0) + { + BIO_printf(bio_err, "authz too large\n"); + goto end; + } + BIO_free(authz_in); + authz_in = NULL; + } +#endif /* OPENSSL_NO_TLSEXT */ } @@ -1770,6 +1811,10 @@ bad: if (!set_cert_key_stuff(ctx, s_cert, s_key, s_chain)) goto end; #ifndef OPENSSL_NO_TLSEXT + if (authz != NULL && !SSL_CTX_use_authz(ctx, authz, authz_length)) + goto end; +#endif +#ifndef OPENSSL_NO_TLSEXT if (ctx2 && !set_cert_key_stuff(ctx2,s_cert2,s_key2, NULL)) goto end; #endif @@ -1953,6 +1998,10 @@ end: X509_free(s_cert2); if (s_key2) EVP_PKEY_free(s_key2); + if (authz != NULL) + OPENSSL_free(authz); + if (authz_in != NULL) + BIO_free(authz_in); #endif if (bio_s_out != NULL) { |