From 15387e4ce063d8133e35de4f647c539e06917113 Mon Sep 17 00:00:00 2001 From: "Dr. Stephen Henson" Date: Sat, 29 Dec 2012 14:16:41 +0000 Subject: Delegate command line handling for many common options in s_client/s_server to the SSL_CONF APIs. This is complicated a little because the SSL_CTX structure is not available when the command line is processed: so just check syntax of commands initially and store them, ready to apply later. (backport from HEAD) --- apps/s_apps.h | 6 +++ apps/s_cb.c | 83 ++++++++++++++++++++++++++++++++++++ apps/s_client.c | 106 ++++++++++++---------------------------------- apps/s_server.c | 129 +++++++++++--------------------------------------------- 4 files changed, 141 insertions(+), 183 deletions(-) (limited to 'apps') diff --git a/apps/s_apps.h b/apps/s_apps.h index e4e9bbcdbf..4b06d189a3 100644 --- a/apps/s_apps.h +++ b/apps/s_apps.h @@ -191,3 +191,9 @@ void ssl_excert_free(SSL_EXCERT *exc); int args_excert(char ***pargs, int *pargc, int *badarg, BIO *err, SSL_EXCERT **pexc); int load_excert(SSL_EXCERT **pexc, BIO *err); +#ifdef HEADER_SSL_H +int args_ssl(char ***pargs, int *pargc, SSL_CONF_CTX *cctx, + int *badarg, BIO *err, STACK_OF(OPENSSL_STRING) **pstr); +int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx, + STACK_OF(OPENSSL_STRING) *str, int no_ecdhe); +#endif diff --git a/apps/s_cb.c b/apps/s_cb.c index 2ac7656f06..45d4aab333 100644 --- a/apps/s_cb.c +++ b/apps/s_cb.c @@ -1498,3 +1498,86 @@ int args_excert(char ***pargs, int *pargc, return 1; } +int args_ssl(char ***pargs, int *pargc, SSL_CONF_CTX *cctx, + int *badarg, BIO *err, STACK_OF(OPENSSL_STRING) **pstr) + { + char *arg = **pargs, *argn = (*pargs)[1]; + int rv; + + /* Attempt to run SSL configuration command */ + rv = SSL_CONF_cmd_argv(cctx, pargc, pargs); + /* If parameter not recognised just return */ + if (rv == 0) + return 0; + /* see if missing argument error */ + if (rv == -3) + { + BIO_printf(err, "%s needs an argument\n", arg); + *badarg = 1; + goto end; + } + /* Check for some other error */ + if (rv < 0) + { + BIO_printf(err, "Error with command: \"%s %s\"\n", + arg, argn ? argn : ""); + *badarg = 1; + goto end; + } + /* Store command and argument */ + /* If only one argument processed store value as NULL */ + if (rv == 1) + argn = NULL; + if (!*pstr) + *pstr = sk_OPENSSL_STRING_new_null(); + if (!*pstr || !sk_OPENSSL_STRING_push(*pstr, arg) || + !sk_OPENSSL_STRING_push(*pstr, argn)) + { + BIO_puts(err, "Memory allocation failure\n"); + goto end; + } + + end: + if (*badarg) + ERR_print_errors(err); + + return 1; + } + +int args_ssl_call(SSL_CTX *ctx, BIO *err, SSL_CONF_CTX *cctx, + STACK_OF(OPENSSL_STRING) *str, int no_ecdhe) + { + int i; + SSL_CONF_CTX_set_ssl_ctx(cctx, ctx); + for (i = 0; i < sk_OPENSSL_STRING_num(str); i+= 2) + { + const char *param = sk_OPENSSL_STRING_value(str, i); + const char *value = sk_OPENSSL_STRING_value(str, i + 1); + /* If no_ecdhe or named curve already specified don't need + * a default. + */ + if (!no_ecdhe && !strcmp(param, "-named_curve")) + no_ecdhe = 1; + if (SSL_CONF_cmd(cctx, param, value) <= 0) + { + BIO_printf(err, "Error with command: \"%s %s\"\n", + param, value ? value : ""); + ERR_print_errors(err); + return 0; + } + } + /* This is a special case to keep existing s_server functionality: + * if we don't have any curve specified *and* we haven't disabled + * ECDHE then use P-256. + */ + if (!no_ecdhe) + { + if (SSL_CONF_cmd(cctx, "-named_curve", "P-256") <= 0) + { + BIO_puts(err, "Error setting EC curve\n"); + ERR_print_errors(err); + return 0; + } + } + return 1; + } diff --git a/apps/s_client.c b/apps/s_client.c index 6e5eaa06df..4a98720691 100644 --- a/apps/s_client.c +++ b/apps/s_client.c @@ -557,8 +557,6 @@ int MAIN(int, char **); int MAIN(int argc, char **argv) { - unsigned int off=0, clr=0; - unsigned int cert_flags=0; int build_chain = 0; SSL *con=NULL; #ifndef OPENSSL_NO_KRB5 @@ -578,7 +576,7 @@ int MAIN(int argc, char **argv) X509 *cert = NULL; EVP_PKEY *key = NULL; char *CApath=NULL,*CAfile=NULL,*cipher=NULL; - int reconnect=0,badop=0,verify=SSL_VERIFY_NONE,bugs=0; + int reconnect=0,badop=0,verify=SSL_VERIFY_NONE; int crlf=0; int write_tty,read_tty,write_ssl,read_ssl,tty_on,ssl_pending; SSL_CTX *ctx=NULL; @@ -607,9 +605,6 @@ int MAIN(int argc, char **argv) #endif #ifndef OPENSSL_NO_TLSEXT char *servername = NULL; - const char *curves=NULL; - const char *sigalgs=NULL; - const char *client_sigalgs=NULL; tlsextctx tlsextcbp = {NULL,0}; # ifndef OPENSSL_NO_NEXTPROTONEG @@ -632,6 +627,9 @@ int MAIN(int argc, char **argv) #endif SSL_EXCERT *exc = NULL; + SSL_CONF_CTX *cctx = NULL; + STACK_OF(OPENSSL_STRING) *ssl_args = NULL; + meth=SSLv23_client_method(); apps_startup(); @@ -648,6 +646,12 @@ int MAIN(int argc, char **argv) if (!load_config(bio_err, NULL)) goto end; + cctx = SSL_CONF_CTX_new(); + if (!cctx) + goto end; + SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CLIENT); + SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CMDLINE); + if ( ((cbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) || ((sbuf=OPENSSL_malloc(BUFSIZZ)) == NULL) || ((mbuf=OPENSSL_malloc(BUFSIZZ)) == NULL)) @@ -724,6 +728,12 @@ int MAIN(int argc, char **argv) goto bad; continue; } + else if (args_ssl(&argv, &argc, cctx, &badarg, bio_err, &ssl_args)) + { + if (badarg) + goto bad; + continue; + } else if (strcmp(*argv,"-prexit") == 0) prexit=1; else if (strcmp(*argv,"-crlf") == 0) @@ -852,8 +862,6 @@ int MAIN(int argc, char **argv) socket_mtu = atol(*(++argv)); } #endif - else if (strcmp(*argv,"-bugs") == 0) - bugs=1; else if (strcmp(*argv,"-keyform") == 0) { if (--argc < 1) goto bad; @@ -885,21 +893,7 @@ int MAIN(int argc, char **argv) if (--argc < 1) goto bad; CAfile= *(++argv); } - else if (strcmp(*argv,"-no_tls1_2") == 0) - off|=SSL_OP_NO_TLSv1_2; - else if (strcmp(*argv,"-no_tls1_1") == 0) - off|=SSL_OP_NO_TLSv1_1; - else if (strcmp(*argv,"-no_tls1") == 0) - off|=SSL_OP_NO_TLSv1; - else if (strcmp(*argv,"-no_ssl3") == 0) - off|=SSL_OP_NO_SSLv3; - else if (strcmp(*argv,"-no_ssl2") == 0) - off|=SSL_OP_NO_SSLv2; - else if (strcmp(*argv,"-no_comp") == 0) - { off|=SSL_OP_NO_COMPRESSION; } #ifndef OPENSSL_NO_TLSEXT - else if (strcmp(*argv,"-no_ticket") == 0) - { off|=SSL_OP_NO_TICKET; } # ifndef OPENSSL_NO_NEXTPROTONEG else if (strcmp(*argv,"-nextprotoneg") == 0) { @@ -908,19 +902,6 @@ int MAIN(int argc, char **argv) } # endif #endif - else if (strcmp(*argv,"-serverpref") == 0) - off|=SSL_OP_CIPHER_SERVER_PREFERENCE; - else if (strcmp(*argv,"-legacy_renegotiation") == 0) - off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION; - else if (strcmp(*argv,"-legacy_server_connect") == 0) - { off|=SSL_OP_LEGACY_SERVER_CONNECT; } - else if (strcmp(*argv,"-no_legacy_server_connect") == 0) - { clr|=SSL_OP_LEGACY_SERVER_CONNECT; } - else if (strcmp(*argv,"-cipher") == 0) - { - if (--argc < 1) goto bad; - cipher= *(++argv); - } #ifdef FIONBIO else if (strcmp(*argv,"-nbio") == 0) { c_nbio=1; } @@ -966,21 +947,6 @@ int MAIN(int argc, char **argv) servername= *(++argv); /* meth=TLSv1_client_method(); */ } - else if (strcmp(*argv,"-curves") == 0) - { - if (--argc < 1) goto bad; - curves= *(++argv); - } - else if (strcmp(*argv,"-sigalgs") == 0) - { - if (--argc < 1) goto bad; - sigalgs= *(++argv); - } - else if (strcmp(*argv,"-client_sigalgs") == 0) - { - if (--argc < 1) goto bad; - client_sigalgs= *(++argv); - } #endif #ifndef OPENSSL_NO_JPAKE else if (strcmp(*argv,"-jpake") == 0) @@ -1005,8 +971,6 @@ int MAIN(int argc, char **argv) keymatexportlen=atoi(*(++argv)); if (keymatexportlen == 0) goto bad; } - else if (strcmp(*argv, "-cert_strict") == 0) - cert_flags |= SSL_CERT_FLAG_TLS_STRICT; else { BIO_printf(bio_err,"unknown option %s\n",*argv); @@ -1156,6 +1120,12 @@ bad: if (vpm) SSL_CTX_set1_param(ctx, vpm); + if (!args_ssl_call(ctx, bio_err, cctx, ssl_args, 1)) + { + ERR_print_errors(bio_err); + goto end; + } + #ifndef OPENSSL_NO_ENGINE if (ssl_client_engine) { @@ -1184,14 +1154,6 @@ bad: if (srtp_profiles != NULL) SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles); #endif - if (bugs) - SSL_CTX_set_options(ctx,SSL_OP_ALL|off); - else - SSL_CTX_set_options(ctx,off); - - if (clr) - SSL_CTX_clear_options(ctx, clr); - if (cert_flags) SSL_CTX_set_cert_flags(ctx, cert_flags); if (exc) ssl_ctx_set_excert(ctx, exc); /* DTLS: partial reads end up discarding unread UDP bytes :-( * Setting read ahead solves this problem. @@ -1229,24 +1191,6 @@ bad: goto end; #ifndef OPENSSL_NO_TLSEXT - if (curves != NULL) - if(!SSL_CTX_set1_curves_list(ctx, curves)) { - BIO_printf(bio_err,"error setting curve list\n"); - ERR_print_errors(bio_err); - goto end; - } - if (sigalgs != NULL) - if(!SSL_CTX_set1_sigalgs_list(ctx,sigalgs)) { - BIO_printf(bio_err,"error setting signature algorithms list\n"); - ERR_print_errors(bio_err); - goto end; - } - if (client_sigalgs != NULL) - if(!SSL_CTX_set1_client_sigalgs_list(ctx,client_sigalgs)) { - BIO_printf(bio_err,"error setting client signature algorithms list\n"); - ERR_print_errors(bio_err); - goto end; - } if (servername != NULL) { tlsextcbp.biodebug = bio_err; @@ -1981,9 +1925,13 @@ end: EVP_PKEY_free(key); if (pass) OPENSSL_free(pass); - ssl_excert_free(exc); if (vpm) X509_VERIFY_PARAM_free(vpm); + ssl_excert_free(exc); + if (ssl_args) + sk_OPENSSL_STRING_free(ssl_args); + if (cctx) + SSL_CONF_CTX_free(cctx); if (cbuf != NULL) { OPENSSL_cleanse(cbuf,BUFSIZZ); OPENSSL_free(cbuf); } if (sbuf != NULL) { OPENSSL_cleanse(sbuf,BUFSIZZ); OPENSSL_free(sbuf); } if (mbuf != NULL) { OPENSSL_cleanse(mbuf,BUFSIZZ); OPENSSL_free(mbuf); } diff --git a/apps/s_server.c b/apps/s_server.c index f53766d5d8..139005ab46 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -273,9 +273,6 @@ static int s_server_session_id_context = 1; /* anything will do */ static const char *s_cert_file=TEST_CERT,*s_key_file=NULL, *s_chain_file=NULL; #ifndef OPENSSL_NO_TLSEXT static const char *s_cert_file2=TEST_CERT2,*s_key_file2=NULL; -static const char *curves=NULL; -static const char *sigalgs=NULL; -static const char *client_sigalgs=NULL; #endif static char *s_dcert_file=NULL,*s_dkey_file=NULL, *s_dchain_file=NULL; #ifdef FIONBIO @@ -446,7 +443,6 @@ static void s_server_init(void) s_key_file=NULL; s_chain_file=NULL; #ifndef OPENSSL_NO_TLSEXT - curves=NULL; s_cert_file2=TEST_CERT2; s_key_file2=NULL; ctx2=NULL; @@ -953,10 +949,8 @@ int MAIN(int argc, char *argv[]) #ifndef OPENSSL_NO_ECDH char *named_curve = NULL; #endif - int badop=0,bugs=0; + int badop=0; int ret=1; - int off=0; - unsigned int cert_flags = 0; int build_chain = 0; int no_tmp_rsa=0,no_dhe=0,no_ecdhe=0,nocert=0; int state=0; @@ -990,6 +984,8 @@ int MAIN(int argc, char *argv[]) char *srp_verifier_file = NULL; #endif SSL_EXCERT *exc = NULL; + SSL_CONF_CTX *cctx = NULL; + STACK_OF(OPENSSL_STRING) *ssl_args = NULL; meth=SSLv23_server_method(); local_argc=argc; @@ -1006,6 +1002,12 @@ int MAIN(int argc, char *argv[]) if (!load_config(bio_err, NULL)) goto end; + cctx = SSL_CONF_CTX_new(); + if (!cctx) + goto end; + SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SERVER); + SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CMDLINE); + verify_depth=0; #ifdef FIONBIO s_nbio=0; @@ -1156,17 +1158,14 @@ int MAIN(int argc, char *argv[]) goto bad; continue; } - else if (strcmp(*argv,"-verify_return_error") == 0) - verify_return_error = 1; - else if (strcmp(*argv,"-serverpref") == 0) - { off|=SSL_OP_CIPHER_SERVER_PREFERENCE; } - else if (strcmp(*argv,"-legacy_renegotiation") == 0) - off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION; - else if (strcmp(*argv,"-cipher") == 0) + else if (args_ssl(&argv, &argc, cctx, &badarg, bio_err, &ssl_args)) { - if (--argc < 1) goto bad; - cipher= *(++argv); + if (badarg) + goto bad; + continue; } + else if (strcmp(*argv,"-verify_return_error") == 0) + verify_return_error = 1; else if (strcmp(*argv,"-build_chain") == 0) build_chain = 1; else if (strcmp(*argv,"-CAfile") == 0) @@ -1227,21 +1226,6 @@ int MAIN(int argc, char *argv[]) goto bad; } } - else if (strcmp(*argv,"-curves") == 0) - { - if (--argc < 1) goto bad; - curves= *(++argv); - } - else if (strcmp(*argv,"-sigalgs") == 0) - { - if (--argc < 1) goto bad; - sigalgs= *(++argv); - } - else if (strcmp(*argv,"-client_sigalgs") == 0) - { - if (--argc < 1) goto bad; - client_sigalgs= *(++argv); - } #endif else if (strcmp(*argv,"-msg") == 0) { s_msg=1; } @@ -1262,8 +1246,6 @@ int MAIN(int argc, char *argv[]) { s_crlf=1; } else if (strcmp(*argv,"-quiet") == 0) { s_quiet=1; } - else if (strcmp(*argv,"-bugs") == 0) - { bugs=1; } else if (strcmp(*argv,"-no_tmp_rsa") == 0) { no_tmp_rsa=1; } else if (strcmp(*argv,"-no_dhe") == 0) @@ -1311,22 +1293,6 @@ int MAIN(int argc, char *argv[]) { www=2; } else if (strcmp(*argv,"-HTTP") == 0) { www=3; } - else if (strcmp(*argv,"-no_ssl2") == 0) - { off|=SSL_OP_NO_SSLv2; } - else if (strcmp(*argv,"-no_ssl3") == 0) - { off|=SSL_OP_NO_SSLv3; } - else if (strcmp(*argv,"-no_tls1") == 0) - { off|=SSL_OP_NO_TLSv1; } - else if (strcmp(*argv,"-no_tls1_1") == 0) - { off|=SSL_OP_NO_TLSv1_1; } - else if (strcmp(*argv,"-no_tls1_2") == 0) - { off|=SSL_OP_NO_TLSv1_2; } - else if (strcmp(*argv,"-no_comp") == 0) - { off|=SSL_OP_NO_COMPRESSION; } -#ifndef OPENSSL_NO_TLSEXT - else if (strcmp(*argv,"-no_ticket") == 0) - { off|=SSL_OP_NO_TICKET; } -#endif #ifndef OPENSSL_NO_SSL2 else if (strcmp(*argv,"-ssl2") == 0) { meth=SSLv2_server_method(); } @@ -1425,8 +1391,6 @@ int MAIN(int argc, char *argv[]) keymatexportlen=atoi(*(++argv)); if (keymatexportlen == 0) goto bad; } - else if (strcmp(*argv, "-cert_strict") == 0) - cert_flags |= SSL_CERT_FLAG_TLS_STRICT; else { BIO_printf(bio_err,"unknown option %s\n",*argv); @@ -1646,10 +1610,7 @@ bad: BIO_printf(bio_err,"id_prefix '%s' set.\n", session_id_prefix); } SSL_CTX_set_quiet_shutdown(ctx,1); - if (bugs) SSL_CTX_set_options(ctx,SSL_OP_ALL); if (hack) SSL_CTX_set_options(ctx,SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG); - SSL_CTX_set_options(ctx,off); - if (cert_flags) SSL_CTX_set_cert_flags(ctx, cert_flags); if (exc) ssl_ctx_set_excert(ctx, exc); /* DTLS: partial reads end up discarding unread UDP bytes :-( * Setting read ahead solves this problem. @@ -1687,6 +1648,9 @@ bad: if (vpm) SSL_CTX_set1_param(ctx, vpm); + if (!args_ssl_call(ctx, bio_err, cctx, ssl_args, no_ecdhe)) + goto end; + if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile)) { BIO_printf(bio_err, "Error loading store locations\n"); @@ -1726,10 +1690,7 @@ bad: BIO_printf(bio_err,"id_prefix '%s' set.\n", session_id_prefix); } SSL_CTX_set_quiet_shutdown(ctx2,1); - if (bugs) SSL_CTX_set_options(ctx2,SSL_OP_ALL); if (hack) SSL_CTX_set_options(ctx2,SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG); - SSL_CTX_set_options(ctx2,off); - if (cert_flags) SSL_CTX_set_cert_flags(ctx2, cert_flags); if (exc) ssl_ctx_set_excert(ctx2, exc); /* DTLS: partial reads end up discarding unread UDP bytes :-( * Setting read ahead solves this problem. @@ -1750,6 +1711,9 @@ bad: } if (vpm) SSL_CTX_set1_param(ctx2, vpm); + + if (!args_ssl_call(ctx2, bio_err, cctx, ssl_args, no_ecdhe)) + goto end; } # ifndef OPENSSL_NO_NEXTPROTONEG @@ -1948,53 +1912,6 @@ bad: } #endif } -#ifndef OPENSSL_NO_TLSEXT - if (curves) - { - if(!SSL_CTX_set1_curves_list(ctx,curves)) - { - BIO_printf(bio_err,"error setting curves list\n"); - ERR_print_errors(bio_err); - goto end; - } - if(ctx2 && !SSL_CTX_set1_curves_list(ctx2,curves)) - { - BIO_printf(bio_err,"error setting curves list\n"); - ERR_print_errors(bio_err); - goto end; - } - } - if (sigalgs) - { - if(!SSL_CTX_set1_sigalgs_list(ctx,sigalgs)) - { - BIO_printf(bio_err,"error setting signature algorithms\n"); - ERR_print_errors(bio_err); - goto end; - } - if(ctx2 && !SSL_CTX_set1_sigalgs_list(ctx2,sigalgs)) - { - BIO_printf(bio_err,"error setting signature algorithms\n"); - ERR_print_errors(bio_err); - goto end; - } - } - if (client_sigalgs) - { - if(!SSL_CTX_set1_client_sigalgs_list(ctx,client_sigalgs)) - { - BIO_printf(bio_err,"error setting client signature algorithms\n"); - ERR_print_errors(bio_err); - goto end; - } - if(ctx2 && !SSL_CTX_set1_client_sigalgs_list(ctx2,client_sigalgs)) - { - BIO_printf(bio_err,"error setting client signature algorithms\n"); - ERR_print_errors(bio_err); - goto end; - } - } -#endif SSL_CTX_set_verify(ctx,s_server_verify,verify_callback); SSL_CTX_set_session_id_context(ctx,(void*)&s_server_session_id_context, sizeof s_server_session_id_context); @@ -2090,6 +2007,10 @@ end: BIO_free(authz_in); #endif ssl_excert_free(exc); + if (ssl_args) + sk_OPENSSL_STRING_free(ssl_args); + if (cctx) + SSL_CONF_CTX_free(cctx); if (bio_s_out != NULL) { BIO_free(bio_s_out); -- cgit v1.2.3