diff options
Diffstat (limited to 'apps/s_server.c')
-rw-r--r-- | apps/s_server.c | 4050 |
1 files changed, 1976 insertions, 2074 deletions
diff --git a/apps/s_server.c b/apps/s_server.c index 4ef91f704f..a93f8bc3b7 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -5,21 +5,21 @@ * This package is an SSL implementation written * by Eric Young (eay@cryptsoft.com). * The implementation was written so as to conform with Netscapes SSL. - * + * * This library is free for commercial and non-commercial use as long as * the following conditions are aheared to. The following conditions * apply to all code found in this distribution, be it the RC4, RSA, * lhash, DES, etc., code; not just the SSL code. The SSL documentation * included with this distribution is covered by the same copyright terms * except that the holder is Tim Hudson (tjh@cryptsoft.com). - * + * * Copyright remains Eric Young's, and as such any Copyright notices in * the code are not to be removed. * If this package is used in a product, Eric Young should be given attribution * as the author of the parts of the library used. * This can be in the form of a textual message at program startup or * in documentation (online or textual) provided with the package. - * + * * Redistribution and use in source and binary forms, with or without * modification, are permitted provided that the following conditions * are met: @@ -34,10 +34,10 @@ * Eric Young (eay@cryptsoft.com)" * The word 'cryptographic' can be left out if the rouines from the library * being used are not cryptographic related :-). - * 4. If you include any Windows specific code (or a derivative thereof) from + * 4. If you include any Windows specific code (or a derivative thereof) from * the apps directory (application code) you must include an acknowledgement: * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" - * + * * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE @@ -49,7 +49,7 @@ * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF * SUCH DAMAGE. - * + * * The licence and distribution terms for any publically available version or * derivative of this code cannot be changed. i.e. this code cannot simply be * copied and put under another distribution licence @@ -63,7 +63,7 @@ * are met: * * 1. Redistributions of source code must retain the above copyright - * notice, this list of conditions and the following disclaimer. + * notice, this list of conditions and the following disclaimer. * * 2. Redistributions in binary form must reproduce the above copyright * notice, this list of conditions and the following disclaimer in @@ -110,14 +110,16 @@ */ /* ==================================================================== * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. - * ECC cipher suite support in OpenSSL originally developed by + * ECC cipher suite support in OpenSSL originally developed by * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. */ -/* Until the key-gen callbacks are modified to use newer prototypes, we allow - * deprecated functions for openssl-internal code */ +/* + * Until the key-gen callbacks are modified to use newer prototypes, we allow + * deprecated functions for openssl-internal code + */ #ifdef OPENSSL_NO_DEPRECATED -#undef OPENSSL_NO_DEPRECATED +# undef OPENSSL_NO_DEPRECATED #endif #include <assert.h> @@ -128,20 +130,22 @@ #include <sys/stat.h> #include <openssl/e_os2.h> #ifdef OPENSSL_NO_STDIO -#define APPS_WIN16 +# define APPS_WIN16 #endif /* conflicts with winsock2 stuff on netware */ #if !defined(OPENSSL_SYS_NETWARE) -#include <sys/types.h> +# include <sys/types.h> #endif -/* With IPv6, it looks like Digital has mixed up the proper order of - recursive header file inclusion, resulting in the compiler complaining - that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which - is needed to have fileno() declared correctly... So let's define u_int */ +/* + * With IPv6, it looks like Digital has mixed up the proper order of + * recursive header file inclusion, resulting in the compiler complaining + * that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which is + * needed to have fileno() declared correctly... So let's define u_int + */ #if defined(OPENSSL_SYS_VMS_DECC) && !defined(__U_INT) -#define __U_INT +# define __U_INT typedef unsigned int u_int; #endif @@ -156,25 +160,28 @@ typedef unsigned int u_int; #include <openssl/rand.h> #include <openssl/ocsp.h> #ifndef OPENSSL_NO_DH -#include <openssl/dh.h> +# include <openssl/dh.h> #endif #ifndef OPENSSL_NO_RSA -#include <openssl/rsa.h> +# include <openssl/rsa.h> #endif #include "s_apps.h" #include "timeouts.h" #ifdef OPENSSL_SYS_WINCE -/* Windows CE incorrectly defines fileno as returning void*, so to avoid problems below... */ -#ifdef fileno -#undef fileno -#endif -#define fileno(a) (int)_fileno(a) +/* + * Windows CE incorrectly defines fileno as returning void*, so to avoid + * problems below... + */ +# ifdef fileno +# undef fileno +# endif +# define fileno(a) (int)_fileno(a) #endif #if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000) /* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */ -#undef FIONBIO +# undef FIONBIO #endif #ifndef OPENSSL_NO_RSA @@ -182,12 +189,12 @@ static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength); #endif static int sv_body(char *hostname, int s, unsigned char *context); static int www_body(char *hostname, int s, unsigned char *context); -static void close_accept_socket(void ); +static void close_accept_socket(void); static void sv_usage(void); static int init_ssl_connection(SSL *s); -static void print_stats(BIO *bp,SSL_CTX *ctx); +static void print_stats(BIO *bp, SSL_CTX *ctx); static int generate_session_id(const SSL *ssl, unsigned char *id, - unsigned int *id_len); + unsigned int *id_len); #ifndef OPENSSL_NO_DH static DH *load_dh_param(const char *dhfile); static DH *get_dh512(void); @@ -199,89 +206,90 @@ static void s_server_init(void); #ifndef S_ISDIR # if defined(_S_IFMT) && defined(_S_IFDIR) -# define S_ISDIR(a) (((a) & _S_IFMT) == _S_IFDIR) +# define S_ISDIR(a) (((a) & _S_IFMT) == _S_IFDIR) # else -# define S_ISDIR(a) (((a) & S_IFMT) == S_IFDIR) +# define S_ISDIR(a) (((a) & S_IFMT) == S_IFDIR) # endif #endif #ifndef OPENSSL_NO_DH -static unsigned char dh512_p[]={ - 0xDA,0x58,0x3C,0x16,0xD9,0x85,0x22,0x89,0xD0,0xE4,0xAF,0x75, - 0x6F,0x4C,0xCA,0x92,0xDD,0x4B,0xE5,0x33,0xB8,0x04,0xFB,0x0F, - 0xED,0x94,0xEF,0x9C,0x8A,0x44,0x03,0xED,0x57,0x46,0x50,0xD3, - 0x69,0x99,0xDB,0x29,0xD7,0x76,0x27,0x6B,0xA2,0xD3,0xD4,0x12, - 0xE2,0x18,0xF4,0xDD,0x1E,0x08,0x4C,0xF6,0xD8,0x00,0x3E,0x7C, - 0x47,0x74,0xE8,0x33, - }; -static unsigned char dh512_g[]={ - 0x02, - }; +static unsigned char dh512_p[] = { + 0xDA, 0x58, 0x3C, 0x16, 0xD9, 0x85, 0x22, 0x89, 0xD0, 0xE4, 0xAF, 0x75, + 0x6F, 0x4C, 0xCA, 0x92, 0xDD, 0x4B, 0xE5, 0x33, 0xB8, 0x04, 0xFB, 0x0F, + 0xED, 0x94, 0xEF, 0x9C, 0x8A, 0x44, 0x03, 0xED, 0x57, 0x46, 0x50, 0xD3, + 0x69, 0x99, 0xDB, 0x29, 0xD7, 0x76, 0x27, 0x6B, 0xA2, 0xD3, 0xD4, 0x12, + 0xE2, 0x18, 0xF4, 0xDD, 0x1E, 0x08, 0x4C, 0xF6, 0xD8, 0x00, 0x3E, 0x7C, + 0x47, 0x74, 0xE8, 0x33, +}; + +static unsigned char dh512_g[] = { + 0x02, +}; static DH *get_dh512(void) - { - DH *dh=NULL; - - if ((dh=DH_new()) == NULL) return(NULL); - dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL); - dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL); - if ((dh->p == NULL) || (dh->g == NULL)) - return(NULL); - return(dh); - } +{ + DH *dh = NULL; + + if ((dh = DH_new()) == NULL) + return (NULL); + dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL); + dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL); + if ((dh->p == NULL) || (dh->g == NULL)) + return (NULL); + return (dh); +} #endif - /* static int load_CA(SSL_CTX *ctx, char *file);*/ #undef BUFSIZZ -#define BUFSIZZ 16*1024 -static int bufsize=BUFSIZZ; -static int accept_socket= -1; +#define BUFSIZZ 16*1024 +static int bufsize = BUFSIZZ; +static int accept_socket = -1; -#define TEST_CERT "server.pem" +#define TEST_CERT "server.pem" #ifndef OPENSSL_NO_TLSEXT -#define TEST_CERT2 "server2.pem" +# define TEST_CERT2 "server2.pem" #endif #undef PROG -#define PROG s_server_main +#define PROG s_server_main extern int verify_depth; -static char *cipher=NULL; -static int s_server_verify=SSL_VERIFY_NONE; +static char *cipher = NULL; +static int s_server_verify = SSL_VERIFY_NONE; static int s_server_session_id_context = 1; /* anything will do */ -static const char *s_cert_file=TEST_CERT,*s_key_file=NULL; +static const char *s_cert_file = TEST_CERT, *s_key_file = NULL; #ifndef OPENSSL_NO_TLSEXT -static const char *s_cert_file2=TEST_CERT2,*s_key_file2=NULL; +static const char *s_cert_file2 = TEST_CERT2, *s_key_file2 = NULL; #endif -static char *s_dcert_file=NULL,*s_dkey_file=NULL; +static char *s_dcert_file = NULL, *s_dkey_file = NULL; #ifdef FIONBIO -static int s_nbio=0; +static int s_nbio = 0; #endif -static int s_nbio_test=0; -int s_crlf=0; -static SSL_CTX *ctx=NULL; +static int s_nbio_test = 0; +int s_crlf = 0; +static SSL_CTX *ctx = NULL; #ifndef OPENSSL_NO_TLSEXT -static SSL_CTX *ctx2=NULL; +static SSL_CTX *ctx2 = NULL; #endif -static int www=0; +static int www = 0; -static BIO *bio_s_out=NULL; -static int s_debug=0; +static BIO *bio_s_out = NULL; +static int s_debug = 0; #ifndef OPENSSL_NO_TLSEXT -static int s_tlsextdebug=0; -static int s_tlsextstatus=0; +static int s_tlsextdebug = 0; +static int s_tlsextstatus = 0; static int cert_status_cb(SSL *s, void *arg); #endif -static int s_msg=0; -static int s_quiet=0; +static int s_msg = 0; +static int s_quiet = 0; -static int hack=0; +static int hack = 0; #ifndef OPENSSL_NO_ENGINE -static char *engine_id=NULL; +static char *engine_id = NULL; #endif -static const char *session_id_prefix=NULL; +static const char *session_id_prefix = NULL; static int enable_timeouts = 0; static long socket_mtu; @@ -289,127 +297,163 @@ static long socket_mtu; static int cert_chain = 0; #endif - #ifdef MONOLITH static void s_server_init(void) - { - accept_socket=-1; - cipher=NULL; - s_server_verify=SSL_VERIFY_NONE; - s_dcert_file=NULL; - s_dkey_file=NULL; - s_cert_file=TEST_CERT; - s_key_file=NULL; -#ifndef OPENSSL_NO_TLSEXT - s_cert_file2=TEST_CERT2; - s_key_file2=NULL; - ctx2=NULL; -#endif -#ifdef FIONBIO - s_nbio=0; -#endif - s_nbio_test=0; - ctx=NULL; - www=0; - - bio_s_out=NULL; - s_debug=0; - s_msg=0; - s_quiet=0; - hack=0; -#ifndef OPENSSL_NO_ENGINE - engine_id=NULL; -#endif - } +{ + accept_socket = -1; + cipher = NULL; + s_server_verify = SSL_VERIFY_NONE; + s_dcert_file = NULL; + s_dkey_file = NULL; + s_cert_file = TEST_CERT; + s_key_file = NULL; +# ifndef OPENSSL_NO_TLSEXT + s_cert_file2 = TEST_CERT2; + s_key_file2 = NULL; + ctx2 = NULL; +# endif +# ifdef FIONBIO + s_nbio = 0; +# endif + s_nbio_test = 0; + ctx = NULL; + www = 0; + + bio_s_out = NULL; + s_debug = 0; + s_msg = 0; + s_quiet = 0; + hack = 0; +# ifndef OPENSSL_NO_ENGINE + engine_id = NULL; +# endif +} #endif static void sv_usage(void) - { - BIO_printf(bio_err,"usage: s_server [args ...]\n"); - BIO_printf(bio_err,"\n"); - BIO_printf(bio_err," -accept arg - port to accept on (default is %d)\n",PORT); - BIO_printf(bio_err," -context arg - set session ID context\n"); - BIO_printf(bio_err," -verify arg - turn on peer certificate verification\n"); - BIO_printf(bio_err," -Verify arg - turn on peer certificate verification, must have a cert.\n"); - BIO_printf(bio_err," -cert arg - certificate file to use\n"); - BIO_printf(bio_err," (default is %s)\n",TEST_CERT); - BIO_printf(bio_err," -crl_check - check the peer certificate has not been revoked by its CA.\n" \ - " The CRL(s) are appended to the certificate file\n"); - BIO_printf(bio_err," -crl_check_all - check the peer certificate has not been revoked by its CA\n" \ - " or any other CRL in the CA chain. CRL(s) are appened to the\n" \ - " the certificate file.\n"); - BIO_printf(bio_err," -certform arg - certificate format (PEM or DER) PEM default\n"); - BIO_printf(bio_err," -key arg - Private Key file to use, in cert file if\n"); - BIO_printf(bio_err," not specified (default is %s)\n",TEST_CERT); - BIO_printf(bio_err," -keyform arg - key format (PEM, DER or ENGINE) PEM default\n"); - BIO_printf(bio_err," -pass arg - private key file pass phrase source\n"); - BIO_printf(bio_err," -dcert arg - second certificate file to use (usually for DSA)\n"); - BIO_printf(bio_err," -dcertform x - second certificate format (PEM or DER) PEM default\n"); - BIO_printf(bio_err," -dkey arg - second private key file to use (usually for DSA)\n"); - BIO_printf(bio_err," -dkeyform arg - second key format (PEM, DER or ENGINE) PEM default\n"); - BIO_printf(bio_err," -dpass arg - second private key file pass phrase source\n"); - BIO_printf(bio_err," -dhparam arg - DH parameter file to use, in cert file if not specified\n"); - BIO_printf(bio_err," or a default set of parameters is used\n"); +{ + BIO_printf(bio_err, "usage: s_server [args ...]\n"); + BIO_printf(bio_err, "\n"); + BIO_printf(bio_err, + " -accept arg - port to accept on (default is %d)\n", PORT); + BIO_printf(bio_err, " -context arg - set session ID context\n"); + BIO_printf(bio_err, + " -verify arg - turn on peer certificate verification\n"); + BIO_printf(bio_err, + " -Verify arg - turn on peer certificate verification, must have a cert.\n"); + BIO_printf(bio_err, " -cert arg - certificate file to use\n"); + BIO_printf(bio_err, " (default is %s)\n", TEST_CERT); + BIO_printf(bio_err, + " -crl_check - check the peer certificate has not been revoked by its CA.\n" + " The CRL(s) are appended to the certificate file\n"); + BIO_printf(bio_err, + " -crl_check_all - check the peer certificate has not been revoked by its CA\n" + " or any other CRL in the CA chain. CRL(s) are appened to the\n" + " the certificate file.\n"); + BIO_printf(bio_err, + " -certform arg - certificate format (PEM or DER) PEM default\n"); + BIO_printf(bio_err, + " -key arg - Private Key file to use, in cert file if\n"); + BIO_printf(bio_err, " not specified (default is %s)\n", + TEST_CERT); + BIO_printf(bio_err, + " -keyform arg - key format (PEM, DER or ENGINE) PEM default\n"); + BIO_printf(bio_err, + " -pass arg - private key file pass phrase source\n"); + BIO_printf(bio_err, + " -dcert arg - second certificate file to use (usually for DSA)\n"); + BIO_printf(bio_err, + " -dcertform x - second certificate format (PEM or DER) PEM default\n"); + BIO_printf(bio_err, + " -dkey arg - second private key file to use (usually for DSA)\n"); + BIO_printf(bio_err, + " -dkeyform arg - second key format (PEM, DER or ENGINE) PEM default\n"); + BIO_printf(bio_err, + " -dpass arg - second private key file pass phrase source\n"); + BIO_printf(bio_err, + " -dhparam arg - DH parameter file to use, in cert file if not specified\n"); + BIO_printf(bio_err, + " or a default set of parameters is used\n"); #ifndef OPENSSL_NO_ECDH - BIO_printf(bio_err," -named_curve arg - Elliptic curve name to use for ephemeral ECDH keys.\n" \ - " Use \"openssl ecparam -list_curves\" for all names\n" \ - " (default is sect163r2).\n"); + BIO_printf(bio_err, + " -named_curve arg - Elliptic curve name to use for ephemeral ECDH keys.\n" + " Use \"openssl ecparam -list_curves\" for all names\n" + " (default is sect163r2).\n"); #endif #ifdef FIONBIO - BIO_printf(bio_err," -nbio - Run with non-blocking IO\n"); -#endif - BIO_printf(bio_err," -nbio_test - test with the non-blocking test bio\n"); - BIO_printf(bio_err," -crlf - convert LF from terminal into CRLF\n"); - BIO_printf(bio_err," -debug - Print more output\n"); - BIO_printf(bio_err," -msg - Show protocol messages\n"); - BIO_printf(bio_err," -state - Print the SSL states\n"); - BIO_printf(bio_err," -CApath arg - PEM format directory of CA's\n"); - BIO_printf(bio_err," -CAfile arg - PEM format file of CA's\n"); - BIO_printf(bio_err," -nocert - Don't use any certificates (Anon-DH)\n"); - BIO_printf(bio_err," -cipher arg - play with 'openssl ciphers' to see what goes here\n"); - BIO_printf(bio_err," -serverpref - Use server's cipher preferences\n"); - BIO_printf(bio_err," -quiet - No server output\n"); - BIO_printf(bio_err," -no_tmp_rsa - Do not generate a tmp RSA key\n"); - BIO_printf(bio_err," -ssl2 - Just talk SSLv2\n"); - BIO_printf(bio_err," -ssl3 - Just talk SSLv3\n"); - BIO_printf(bio_err," -tls1 - Just talk TLSv1\n"); - BIO_printf(bio_err," -dtls1 - Just talk DTLSv1\n"); - BIO_printf(bio_err," -timeout - Enable timeouts\n"); - BIO_printf(bio_err," -mtu - Set link layer MTU\n"); - BIO_printf(bio_err," -chain - Read a certificate chain\n"); - BIO_printf(bio_err," -no_ssl2 - Just disable SSLv2\n"); - BIO_printf(bio_err," -no_ssl3 - Just disable SSLv3\n"); - BIO_printf(bio_err," -no_tls1 - Just disable TLSv1\n"); + BIO_printf(bio_err, " -nbio - Run with non-blocking IO\n"); +#endif + BIO_printf(bio_err, + " -nbio_test - test with the non-blocking test bio\n"); + BIO_printf(bio_err, + " -crlf - convert LF from terminal into CRLF\n"); + BIO_printf(bio_err, " -debug - Print more output\n"); + BIO_printf(bio_err, " -msg - Show protocol messages\n"); + BIO_printf(bio_err, " -state - Print the SSL states\n"); + BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n"); + BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n"); + BIO_printf(bio_err, + " -nocert - Don't use any certificates (Anon-DH)\n"); + BIO_printf(bio_err, + " -cipher arg - play with 'openssl ciphers' to see what goes here\n"); + BIO_printf(bio_err, " -serverpref - Use server's cipher preferences\n"); + BIO_printf(bio_err, " -quiet - No server output\n"); + BIO_printf(bio_err, " -no_tmp_rsa - Do not generate a tmp RSA key\n"); + BIO_printf(bio_err, " -ssl2 - Just talk SSLv2\n"); + BIO_printf(bio_err, " -ssl3 - Just talk SSLv3\n"); + BIO_printf(bio_err, " -tls1 - Just talk TLSv1\n"); + BIO_printf(bio_err, " -dtls1 - Just talk DTLSv1\n"); + BIO_printf(bio_err, " -timeout - Enable timeouts\n"); + BIO_printf(bio_err, " -mtu - Set link layer MTU\n"); + BIO_printf(bio_err, " -chain - Read a certificate chain\n"); + BIO_printf(bio_err, " -no_ssl2 - Just disable SSLv2\n"); + BIO_printf(bio_err, " -no_ssl3 - Just disable SSLv3\n"); + BIO_printf(bio_err, " -no_tls1 - Just disable TLSv1\n"); #ifndef OPENSSL_NO_DH - BIO_printf(bio_err," -no_dhe - Disable ephemeral DH\n"); + BIO_printf(bio_err, " -no_dhe - Disable ephemeral DH\n"); #endif #ifndef OPENSSL_NO_ECDH - BIO_printf(bio_err," -no_ecdhe - Disable ephemeral ECDH\n"); -#endif - BIO_printf(bio_err," -bugs - Turn on SSL bug compatibility\n"); - BIO_printf(bio_err," -www - Respond to a 'GET /' with a status page\n"); - BIO_printf(bio_err," -WWW - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>\n"); - BIO_printf(bio_err," -HTTP - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>\n"); - BIO_printf(bio_err," with the assumption it contains a complete HTTP response.\n"); + BIO_printf(bio_err, " -no_ecdhe - Disable ephemeral ECDH\n"); +#endif + BIO_printf(bio_err, " -bugs - Turn on SSL bug compatibility\n"); + BIO_printf(bio_err, + " -www - Respond to a 'GET /' with a status page\n"); + BIO_printf(bio_err, + " -WWW - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>\n"); + BIO_printf(bio_err, + " -HTTP - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>\n"); + BIO_printf(bio_err, + " with the assumption it contains a complete HTTP response.\n"); #ifndef OPENSSL_NO_ENGINE - BIO_printf(bio_err," -engine id - Initialise and use the specified engine\n"); + BIO_printf(bio_err, + " -engine id - Initialise and use the specified engine\n"); #endif - BIO_printf(bio_err," -id_prefix arg - Generate SSL/TLS session IDs prefixed by 'arg'\n"); - BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR); + BIO_printf(bio_err, + " -id_prefix arg - Generate SSL/TLS session IDs prefixed by 'arg'\n"); + BIO_printf(bio_err, " -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, + LIST_SEPARATOR_CHAR); #ifndef OPENSSL_NO_TLSEXT - BIO_printf(bio_err," -servername host - servername for HostName TLS extension\n"); - BIO_printf(bio_err," -servername_fatal - on mismatch send fatal alert (default warning alert)\n"); - BIO_printf(bio_err," -cert2 arg - certificate file to use for servername\n"); - BIO_printf(bio_err," (default is %s)\n",TEST_CERT2); - BIO_printf(bio_err," -key2 arg - Private Key file to use for servername, in cert file if\n"); - BIO_printf(bio_err," not specified (default is %s)\n",TEST_CERT2); - BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n"); - BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n"); - BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n"); -#endif - } - -static int local_argc=0; + BIO_printf(bio_err, + " -servername host - servername for HostName TLS extension\n"); + BIO_printf(bio_err, + " -servername_fatal - on mismatch send fatal alert (default warning alert)\n"); + BIO_printf(bio_err, + " -cert2 arg - certificate file to use for servername\n"); + BIO_printf(bio_err, " (default is %s)\n", TEST_CERT2); + BIO_printf(bio_err, + " -key2 arg - Private Key file to use for servername, in cert file if\n"); + BIO_printf(bio_err, " not specified (default is %s)\n", + TEST_CERT2); + BIO_printf(bio_err, + " -tlsextdebug - hex dump of all TLS extensions received\n"); + BIO_printf(bio_err, + " -no_ticket - disable use of RFC4507bis session tickets\n"); + BIO_printf(bio_err, + " -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n"); +#endif +} + +static int local_argc = 0; static char **local_argv; #ifdef CHARSET_EBCDIC @@ -421,144 +465,147 @@ static long ebcdic_ctrl(BIO *b, int cmd, long num, void *ptr); static int ebcdic_gets(BIO *bp, char *buf, int size); static int ebcdic_puts(BIO *bp, const char *str); -#define BIO_TYPE_EBCDIC_FILTER (18|0x0200) -static BIO_METHOD methods_ebcdic= - { - BIO_TYPE_EBCDIC_FILTER, - "EBCDIC/ASCII filter", - ebcdic_write, - ebcdic_read, - ebcdic_puts, - ebcdic_gets, - ebcdic_ctrl, - ebcdic_new, - ebcdic_free, - }; - -typedef struct -{ - size_t alloced; - char buff[1]; +# define BIO_TYPE_EBCDIC_FILTER (18|0x0200) +static BIO_METHOD methods_ebcdic = { + BIO_TYPE_EBCDIC_FILTER, + "EBCDIC/ASCII filter", + ebcdic_write, + ebcdic_read, + ebcdic_puts, + ebcdic_gets, + ebcdic_ctrl, + ebcdic_new, + ebcdic_free, +}; + +typedef struct { + size_t alloced; + char buff[1]; } EBCDIC_OUTBUFF; BIO_METHOD *BIO_f_ebcdic_filter() { - return(&methods_ebcdic); + return (&methods_ebcdic); } static int ebcdic_new(BIO *bi) { - EBCDIC_OUTBUFF *wbuf; + EBCDIC_OUTBUFF *wbuf; - wbuf = (EBCDIC_OUTBUFF *)OPENSSL_malloc(sizeof(EBCDIC_OUTBUFF) + 1024); - wbuf->alloced = 1024; - wbuf->buff[0] = '\0'; + wbuf = (EBCDIC_OUTBUFF *) OPENSSL_malloc(sizeof(EBCDIC_OUTBUFF) + 1024); + wbuf->alloced = 1024; + wbuf->buff[0] = '\0'; - bi->ptr=(char *)wbuf; - bi->init=1; - bi->flags=0; - return(1); + bi->ptr = (char *)wbuf; + bi->init = 1; + bi->flags = 0; + return (1); } static int ebcdic_free(BIO *a) { - if (a == NULL) return(0); - if (a->ptr != NULL) - OPENSSL_free(a->ptr); - a->ptr=NULL; - a->init=0; - a->flags=0; - return(1); + if (a == NULL) + return (0); + if (a->ptr != NULL) + OPENSSL_free(a->ptr); + a->ptr = NULL; + a->init = 0; + a->flags = 0; + return (1); } - + static int ebcdic_read(BIO *b, char *out, int outl) { - int ret=0; + int ret = 0; - if (out == NULL || outl == 0) return(0); - if (b->next_bio == NULL) return(0); + if (out == NULL || outl == 0) + return (0); + if (b->next_bio == NULL) + return (0); - ret=BIO_read(b->next_bio,out,outl); - if (ret > 0) - ascii2ebcdic(out,out,ret); - return(ret); + ret = BIO_read(b->next_bio, out, outl); + if (ret > 0) + ascii2ebcdic(out, out, ret); + return (ret); } static int ebcdic_write(BIO *b, const char *in, int inl) { - EBCDIC_OUTBUFF *wbuf; - int ret=0; - int num; - unsigned char n; + EBCDIC_OUTBUFF *wbuf; + int ret = 0; + int num; + unsigned char n; - if ((in == NULL) || (inl <= 0)) return(0); - if (b->next_bio == NULL) return(0); + if ((in == NULL) || (inl <= 0)) + return (0); + if (b->next_bio == NULL) + return (0); - wbuf=(EBCDIC_OUTBUFF *)b->ptr; + wbuf = (EBCDIC_OUTBUFF *) b->ptr; - if (inl > (num = wbuf->alloced)) - { - num = num + num; /* double the size */ - if (num < inl) - num = inl; - OPENSSL_free(wbuf); - wbuf=(EBCDIC_OUTBUFF *)OPENSSL_malloc(sizeof(EBCDIC_OUTBUFF) + num); + if (inl > (num = wbuf->alloced)) { + num = num + num; /* double the size */ + if (num < inl) + num = inl; + OPENSSL_free(wbuf); + wbuf = + (EBCDIC_OUTBUFF *) OPENSSL_malloc(sizeof(EBCDIC_OUTBUFF) + num); - wbuf->alloced = num; - wbuf->buff[0] = '\0'; + wbuf->alloced = num; + wbuf->buff[0] = '\0'; - b->ptr=(char *)wbuf; - } + b->ptr = (char *)wbuf; + } - ebcdic2ascii(wbuf->buff, in, inl); + ebcdic2ascii(wbuf->buff, in, inl); - ret=BIO_write(b->next_bio, wbuf->buff, inl); + ret = BIO_write(b->next_bio, wbuf->buff, inl); - return(ret); + return (ret); } static long ebcdic_ctrl(BIO *b, int cmd, long num, void *ptr) { - long ret; - - if (b->next_bio == NULL) return(0); - switch (cmd) - { - case BIO_CTRL_DUP: - ret=0L; - break; - default: - ret=BIO_ctrl(b->next_bio,cmd,num,ptr); - break; - } - return(ret); + long ret; + + if (b->next_bio == NULL) + return (0); + switch (cmd) { + case BIO_CTRL_DUP: + ret = 0L; + break; + default: + ret = BIO_ctrl(b->next_bio, cmd, num, ptr); + break; + } + return (ret); } static int ebcdic_gets(BIO *bp, char *buf, int size) { - int i, ret=0; - if (bp->next_bio == NULL) return(0); -/* return(BIO_gets(bp->next_bio,buf,size));*/ - for (i=0; i<size-1; ++i) - { - ret = ebcdic_read(bp,&buf[i],1); - if (ret <= 0) - break; - else if (buf[i] == '\n') - { - ++i; - break; - } - } - if (i < size) - buf[i] = '\0'; - return (ret < 0 && i == 0) ? ret : i; + int i, ret = 0; + if (bp->next_bio == NULL) + return (0); +/* return(BIO_gets(bp->next_bio,buf,size));*/ + for (i = 0; i < size - 1; ++i) { + ret = ebcdic_read(bp, &buf[i], 1); + if (ret <= 0) + break; + else if (buf[i] == '\n') { + ++i; + break; + } + } + if (i < size) + buf[i] = '\0'; + return (ret < 0 && i == 0) ? ret : i; } static int ebcdic_puts(BIO *bp, const char *str) { - if (bp->next_bio == NULL) return(0); - return ebcdic_write(bp, str, strlen(str)); + if (bp->next_bio == NULL) + return (0); + return ebcdic_write(bp, str, strlen(str)); } #endif @@ -566,180 +613,166 @@ static int ebcdic_puts(BIO *bp, const char *str) /* This is a context that we pass to callbacks */ typedef struct tlsextctx_st { - char * servername; - BIO * biodebug; - int extension_error; + char *servername; + BIO *biodebug; + int extension_error; } tlsextctx; - static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg) - { - tlsextctx * p = (tlsextctx *) arg; - const char * servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name); - if (servername && p->biodebug) - BIO_printf(p->biodebug,"Hostname in TLS extension: \"%s\"\n",servername); - - if (!p->servername) - return SSL_TLSEXT_ERR_NOACK; - - if (servername) - { - if (strcasecmp(servername,p->servername)) - return p->extension_error; - if (ctx2) - { - BIO_printf(p->biodebug,"Swiching server context.\n"); - SSL_set_SSL_CTX(s,ctx2); - } - } - return SSL_TLSEXT_ERR_OK; +{ + tlsextctx *p = (tlsextctx *) arg; + const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name); + if (servername && p->biodebug) + BIO_printf(p->biodebug, "Hostname in TLS extension: \"%s\"\n", + servername); + + if (!p->servername) + return SSL_TLSEXT_ERR_NOACK; + + if (servername) { + if (strcasecmp(servername, p->servername)) + return p->extension_error; + if (ctx2) { + BIO_printf(p->biodebug, "Swiching server context.\n"); + SSL_set_SSL_CTX(s, ctx2); + } + } + return SSL_TLSEXT_ERR_OK; } /* Structure passed to cert status callback */ typedef struct tlsextstatusctx_st { - /* Default responder to use */ - char *host, *path, *port; - int use_ssl; - int timeout; - BIO *err; - int verbose; + /* Default responder to use */ + char *host, *path, *port; + int use_ssl; + int timeout; + BIO *err; + int verbose; } tlsextstatusctx; -static tlsextstatusctx tlscstatp = {NULL, NULL, NULL, 0, -1, NULL, 0}; +static tlsextstatusctx tlscstatp = { NULL, NULL, NULL, 0, -1, NULL, 0 }; -/* Certificate Status callback. This is called when a client includes a - * certificate status request extension. - * - * This is a simplified version. It examines certificates each time and - * makes one OCSP responder query for each request. - * - * A full version would store details such as the OCSP certificate IDs and - * minimise the number of OCSP responses by caching them until they were - * considered "expired". +/* + * Certificate Status callback. This is called when a client includes a + * certificate status request extension. This is a simplified version. It + * examines certificates each time and makes one OCSP responder query for + * each request. A full version would store details such as the OCSP + * certificate IDs and minimise the number of OCSP responses by caching them + * until they were considered "expired". */ static int cert_status_cb(SSL *s, void *arg) - { - tlsextstatusctx *srctx = arg; - BIO *err = srctx->err; - char *host, *port, *path; - int use_ssl; - unsigned char *rspder = NULL; - int rspderlen; - STACK *aia = NULL; - X509 *x = NULL; - X509_STORE_CTX inctx; - X509_OBJECT obj; - OCSP_REQUEST *req = NULL; - OCSP_RESPONSE *resp = NULL; - OCSP_CERTID *id = NULL; - STACK_OF(X509_EXTENSION) *exts; - int ret = SSL_TLSEXT_ERR_NOACK; - int i; -#if 0 -STACK_OF(OCSP_RESPID) *ids; -SSL_get_tlsext_status_ids(s, &ids); -BIO_printf(err, "cert_status: received %d ids\n", sk_OCSP_RESPID_num(ids)); -#endif - if (srctx->verbose) - BIO_puts(err, "cert_status: callback called\n"); - /* Build up OCSP query from server certificate */ - x = SSL_get_certificate(s); - aia = X509_get1_ocsp(x); - if (aia) - { - if (!OCSP_parse_url(sk_value(aia, 0), - &host, &port, &path, &use_ssl)) - { - BIO_puts(err, "cert_status: can't parse AIA URL\n"); - goto err; - } - if (srctx->verbose) - BIO_printf(err, "cert_status: AIA URL: %s\n", - sk_value(aia, 0)); - } - else - { - if (!srctx->host) - { - BIO_puts(srctx->err, "cert_status: no AIA and no default responder URL\n"); - goto done; - } - host = srctx->host; - path = srctx->path; - port = srctx->port; - use_ssl = srctx->use_ssl; - } - - if (!X509_STORE_CTX_init(&inctx, - SSL_CTX_get_cert_store(SSL_get_SSL_CTX(s)), - NULL, NULL)) - goto err; - if (X509_STORE_get_by_subject(&inctx,X509_LU_X509, - X509_get_issuer_name(x),&obj) <= 0) - { - BIO_puts(err, "cert_status: Can't retrieve issuer certificate.\n"); - X509_STORE_CTX_cleanup(&inctx); - goto done; - } - req = OCSP_REQUEST_new(); - if (!req) - goto err; - id = OCSP_cert_to_id(NULL, x, obj.data.x509); - X509_free(obj.data.x509); - X509_STORE_CTX_cleanup(&inctx); - if (!id) - goto err; - if (!OCSP_request_add0_id(req, id)) - goto err; - id = NULL; - /* Add any extensions to the request */ - SSL_get_tlsext_status_exts(s, &exts); - for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) - { - X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, i); - if (!OCSP_REQUEST_add_ext(req, ext, -1)) - goto err; - } - resp = process_responder(err, req, host, path, port, use_ssl, - srctx->timeout); - if (!resp) - { - BIO_puts(err, "cert_status: error querying responder\n"); - goto done; - } - rspderlen = i2d_OCSP_RESPONSE(resp, &rspder); - if (rspderlen <= 0) - goto err; - SSL_set_tlsext_status_ocsp_resp(s, rspder, rspderlen); - if (srctx->verbose) - { - BIO_puts(err, "cert_status: ocsp response sent:\n"); - OCSP_RESPONSE_print(err, resp, 2); - } - ret = SSL_TLSEXT_ERR_OK; - done: - if (ret != SSL_TLSEXT_ERR_OK) - ERR_print_errors(err); - if (aia) - { - OPENSSL_free(host); - OPENSSL_free(path); - OPENSSL_free(port); - X509_email_free(aia); - } - if (id) - OCSP_CERTID_free(id); - if (req) - OCSP_REQUEST_free(req); - if (resp) - OCSP_RESPONSE_free(resp); - return ret; - err: - ret = SSL_TLSEXT_ERR_ALERT_FATAL; |