| Index: openssl/apps/s_server.c
|
| ===================================================================
|
| --- openssl/apps/s_server.c (revision 105093)
|
| +++ openssl/apps/s_server.c (working copy)
|
| @@ -56,7 +56,7 @@
|
| * [including the GNU Public Licence.]
|
| */
|
| /* ====================================================================
|
| - * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
|
| + * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
|
| *
|
| * Redistribution and use in source and binary forms, with or without
|
| * modification, are permitted provided that the following conditions
|
| @@ -113,6 +113,32 @@
|
| * ECC cipher suite support in OpenSSL originally developed by
|
| * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
|
| */
|
| +/* ====================================================================
|
| + * Copyright 2005 Nokia. All rights reserved.
|
| + *
|
| + * The portions of the attached software ("Contribution") is developed by
|
| + * Nokia Corporation and is licensed pursuant to the OpenSSL open source
|
| + * license.
|
| + *
|
| + * The Contribution, originally written by Mika Kousa and Pasi Eronen of
|
| + * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
|
| + * support (see RFC 4279) to OpenSSL.
|
| + *
|
| + * No patent licenses or other rights except those expressly stated in
|
| + * the OpenSSL open source license shall be deemed granted or received
|
| + * expressly, by implication, estoppel, or otherwise.
|
| + *
|
| + * No assurances are provided by Nokia that the Contribution does not
|
| + * infringe the patent or other intellectual property rights of any third
|
| + * party or that the license provides you with all the necessary rights
|
| + * to make use of the Contribution.
|
| + *
|
| + * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
|
| + * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
|
| + * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
|
| + * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
|
| + * OTHERWISE.
|
| + */
|
|
|
| /* Until the key-gen callbacks are modified to use newer prototypes, we allow
|
| * deprecated functions for openssl-internal code */
|
| @@ -121,11 +147,11 @@
|
| #endif
|
|
|
| #include <assert.h>
|
| +#include <ctype.h>
|
| #include <stdio.h>
|
| #include <stdlib.h>
|
| #include <string.h>
|
|
|
| -#include <sys/stat.h>
|
| #include <openssl/e_os2.h>
|
| #ifdef OPENSSL_NO_STDIO
|
| #define APPS_WIN16
|
| @@ -163,19 +189,15 @@
|
| #include "s_apps.h"
|
| #include "timeouts.h"
|
|
|
| -#ifdef OPENSSL_SYS_WINCE
|
| -/* Windows CE incorrectly defines fileno as returning void*, so to avoid problems below... */
|
| -#ifdef fileno
|
| -#undef fileno
|
| -#endif
|
| -#define fileno(a) (int)_fileno(a)
|
| -#endif
|
| -
|
| #if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
|
| /* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
|
| #undef FIONBIO
|
| #endif
|
|
|
| +#if defined(OPENSSL_SYS_BEOS_R5)
|
| +#include <fcntl.h>
|
| +#endif
|
| +
|
| #ifndef OPENSSL_NO_RSA
|
| static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength);
|
| #endif
|
| @@ -196,14 +218,6 @@
|
| static void s_server_init(void);
|
| #endif
|
|
|
| -#ifndef S_ISDIR
|
| -# if defined(_S_IFMT) && defined(_S_IFDIR)
|
| -# define S_ISDIR(a) (((a) & _S_IFMT) == _S_IFDIR)
|
| -# else
|
| -# define S_ISDIR(a) (((a) & S_IFMT) == S_IFDIR)
|
| -# endif
|
| -#endif
|
| -
|
| #ifndef OPENSSL_NO_DH
|
| static unsigned char dh512_p[]={
|
| 0xDA,0x58,0x3C,0x16,0xD9,0x85,0x22,0x89,0xD0,0xE4,0xAF,0x75,
|
| @@ -245,7 +259,7 @@
|
| #undef PROG
|
| #define PROG s_server_main
|
|
|
| -extern int verify_depth;
|
| +extern int verify_depth, verify_return_error;
|
|
|
| static char *cipher=NULL;
|
| static int s_server_verify=SSL_VERIFY_NONE;
|
| @@ -288,7 +302,73 @@
|
| static int cert_chain = 0;
|
| #endif
|
|
|
| +#ifndef OPENSSL_NO_PSK
|
| +static char *psk_identity="Client_identity";
|
| +char *psk_key=NULL; /* by default PSK is not used */
|
|
|
| +static unsigned int psk_server_cb(SSL *ssl, const char *identity,
|
| + unsigned char *psk, unsigned int max_psk_len)
|
| + {
|
| + unsigned int psk_len = 0;
|
| + int ret;
|
| + BIGNUM *bn = NULL;
|
| +
|
| + if (s_debug)
|
| + BIO_printf(bio_s_out,"psk_server_cb\n");
|
| + if (!identity)
|
| + {
|
| + BIO_printf(bio_err,"Error: client did not send PSK identity\n");
|
| + goto out_err;
|
| + }
|
| + if (s_debug)
|
| + BIO_printf(bio_s_out,"identity_len=%d identity=%s\n",
|
| + identity ? (int)strlen(identity) : 0, identity);
|
| +
|
| + /* here we could lookup the given identity e.g. from a database */
|
| + if (strcmp(identity, psk_identity) != 0)
|
| + {
|
| + BIO_printf(bio_s_out, "PSK error: client identity not found"
|
| + " (got '%s' expected '%s')\n", identity,
|
| + psk_identity);
|
| + goto out_err;
|
| + }
|
| + if (s_debug)
|
| + BIO_printf(bio_s_out, "PSK client identity found\n");
|
| +
|
| + /* convert the PSK key to binary */
|
| + ret = BN_hex2bn(&bn, psk_key);
|
| + if (!ret)
|
| + {
|
| + BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", psk_key);
|
| + if (bn)
|
| + BN_free(bn);
|
| + return 0;
|
| + }
|
| + if (BN_num_bytes(bn) > (int)max_psk_len)
|
| + {
|
| + BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n",
|
| + max_psk_len, BN_num_bytes(bn));
|
| + BN_free(bn);
|
| + return 0;
|
| + }
|
| +
|
| + ret = BN_bn2bin(bn, psk);
|
| + BN_free(bn);
|
| +
|
| + if (ret < 0)
|
| + goto out_err;
|
| + psk_len = (unsigned int)ret;
|
| +
|
| + if (s_debug)
|
| + BIO_printf(bio_s_out, "fetched PSK len=%d\n", psk_len);
|
| + return psk_len;
|
| + out_err:
|
| + if (s_debug)
|
| + BIO_printf(bio_err, "Error in PSK server callback\n");
|
| + return 0;
|
| + }
|
| +#endif
|
| +
|
| #ifdef MONOLITH
|
| static void s_server_init(void)
|
| {
|
| @@ -352,7 +432,7 @@
|
| #ifndef OPENSSL_NO_ECDH
|
| BIO_printf(bio_err," -named_curve arg - Elliptic curve name to use for ephemeral ECDH keys.\n" \
|
| " Use \"openssl ecparam -list_curves\" for all names\n" \
|
| - " (default is sect163r2).\n");
|
| + " (default is nistp256).\n");
|
| #endif
|
| #ifdef FIONBIO
|
| BIO_printf(bio_err," -nbio - Run with non-blocking IO\n");
|
| @@ -369,6 +449,13 @@
|
| BIO_printf(bio_err," -serverpref - Use server's cipher preferences\n");
|
| BIO_printf(bio_err," -quiet - No server output\n");
|
| BIO_printf(bio_err," -no_tmp_rsa - Do not generate a tmp RSA key\n");
|
| +#ifndef OPENSSL_NO_PSK
|
| + BIO_printf(bio_err," -psk_hint arg - PSK identity hint to use\n");
|
| + BIO_printf(bio_err," -psk arg - PSK in hex (without 0x)\n");
|
| +# ifndef OPENSSL_NO_JPAKE
|
| + BIO_printf(bio_err," -jpake arg - JPAKE secret to use\n");
|
| +# endif
|
| +#endif
|
| BIO_printf(bio_err," -ssl2 - Just talk SSLv2\n");
|
| BIO_printf(bio_err," -ssl3 - Just talk SSLv3\n");
|
| BIO_printf(bio_err," -tls1 - Just talk TLSv1\n");
|
| @@ -405,7 +492,9 @@
|
| BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n");
|
| BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n");
|
| BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
|
| +# ifndef OPENSSL_NO_NEXTPROTONEG
|
| BIO_printf(bio_err," -nextprotoneg arg - set the advertised protocols for the NPN extension (comma-separated list)\n");
|
| +# endif
|
| #endif
|
| }
|
|
|
| @@ -588,7 +677,7 @@
|
| return p->extension_error;
|
| if (ctx2)
|
| {
|
| - BIO_printf(p->biodebug,"Swiching server context.\n");
|
| + BIO_printf(p->biodebug,"Switching server context.\n");
|
| SSL_set_SSL_CTX(s,ctx2);
|
| }
|
| }
|
| @@ -627,7 +716,7 @@
|
| int use_ssl;
|
| unsigned char *rspder = NULL;
|
| int rspderlen;
|
| - STACK *aia = NULL;
|
| + STACK_OF(OPENSSL_STRING) *aia = NULL;
|
| X509 *x = NULL;
|
| X509_STORE_CTX inctx;
|
| X509_OBJECT obj;
|
| @@ -649,7 +738,7 @@
|
| aia = X509_get1_ocsp(x);
|
| if (aia)
|
| {
|
| - if (!OCSP_parse_url(sk_value(aia, 0),
|
| + if (!OCSP_parse_url(sk_OPENSSL_STRING_value(aia, 0),
|
| &host, &port, &path, &use_ssl))
|
| {
|
| BIO_puts(err, "cert_status: can't parse AIA URL\n");
|
| @@ -657,7 +746,7 @@
|
| }
|
| if (srctx->verbose)
|
| BIO_printf(err, "cert_status: AIA URL: %s\n",
|
| - sk_value(aia, 0));
|
| + sk_OPENSSL_STRING_value(aia, 0));
|
| }
|
| else
|
| {
|
| @@ -702,7 +791,7 @@
|
| if (!OCSP_REQUEST_add_ext(req, ext, -1))
|
| goto err;
|
| }
|
| - resp = process_responder(err, req, host, path, port, use_ssl,
|
| + resp = process_responder(err, req, host, path, port, use_ssl, NULL,
|
| srctx->timeout);
|
| if (!resp)
|
| {
|
| @@ -740,16 +829,14 @@
|
| ret = SSL_TLSEXT_ERR_ALERT_FATAL;
|
| goto done;
|
| }
|
| -#endif
|
|
|
| -
|
| -/* This the context that we pass to next_proto_cb */
|
| +# ifndef OPENSSL_NO_NEXTPROTONEG
|
| +/* This is the context that we pass to next_proto_cb */
|
| typedef struct tlsextnextprotoctx_st {
|
| unsigned char *data;
|
| unsigned int len;
|
| } tlsextnextprotoctx;
|
|
|
| -
|
| static int next_proto_cb(SSL *s, const unsigned char **data, unsigned int *len, void *arg)
|
| {
|
| tlsextnextprotoctx *next_proto = arg;
|
| @@ -759,8 +846,9 @@
|
|
|
| return SSL_TLSEXT_ERR_OK;
|
| }
|
| +# endif /* ndef OPENSSL_NO_NPN */
|
| +#endif
|
|
|
| -
|
| int MAIN(int, char **);
|
|
|
| #ifndef OPENSSL_NO_JPAKE
|
| @@ -769,8 +857,8 @@
|
|
|
| int MAIN(int argc, char *argv[])
|
| {
|
| - X509_STORE *store = NULL;
|
| - int vflags = 0;
|
| + X509_VERIFY_PARAM *vpm = NULL;
|
| + int badarg = 0;
|
| short port=PORT;
|
| char *CApath=NULL,*CAfile=NULL;
|
| unsigned char *context = NULL;
|
| @@ -783,8 +871,8 @@
|
| int off=0;
|
| int no_tmp_rsa=0,no_dhe=0,no_ecdhe=0,nocert=0;
|
| int state=0;
|
| - SSL_METHOD *meth=NULL;
|
| - int socket_type=SOCK_STREAM;
|
| + const SSL_METHOD *meth=NULL;
|
| + int socket_type=SOCK_STREAM;
|
| ENGINE *e=NULL;
|
| char *inrand=NULL;
|
| int s_cert_format = FORMAT_PEM, s_key_format = FORMAT_PEM;
|
| @@ -800,11 +888,15 @@
|
| #endif
|
| #ifndef OPENSSL_NO_TLSEXT
|
| tlsextctx tlsextcbp = {NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING};
|
| +# ifndef OPENSSL_NO_NEXTPROTONEG
|
| const char *next_proto_neg_in = NULL;
|
| tlsextnextprotoctx next_proto;
|
| - char snapstart = 0;
|
| +# endif
|
| #endif
|
| -
|
| +#ifndef OPENSSL_NO_PSK
|
| + /* by default do not send a PSK identity hint */
|
| + static char *psk_identity_hint=NULL;
|
| +#endif
|
| #if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
|
| meth=SSLv23_server_method();
|
| #elif !defined(OPENSSL_NO_SSL3)
|
| @@ -938,14 +1030,14 @@
|
| }
|
| else if (strcmp(*argv,"-no_cache") == 0)
|
| no_cache = 1;
|
| - else if (strcmp(*argv,"-crl_check") == 0)
|
| + else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm))
|
| {
|
| - vflags |= X509_V_FLAG_CRL_CHECK;
|
| + if (badarg)
|
| + goto bad;
|
| + continue;
|
| }
|
| - else if (strcmp(*argv,"-crl_check_all") == 0)
|
| - {
|
| - vflags |= X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL;
|
| - }
|
| + else if (strcmp(*argv,"-verify_return_error") == 0)
|
| + verify_return_error = 1;
|
| else if (strcmp(*argv,"-serverpref") == 0)
|
| { off|=SSL_OP_CIPHER_SERVER_PREFERENCE; }
|
| else if (strcmp(*argv,"-legacy_renegotiation") == 0)
|
| @@ -1022,6 +1114,27 @@
|
| { no_dhe=1; }
|
| else if (strcmp(*argv,"-no_ecdhe") == 0)
|
| { no_ecdhe=1; }
|
| +#ifndef OPENSSL_NO_PSK
|
| + else if (strcmp(*argv,"-psk_hint") == 0)
|
| + {
|
| + if (--argc < 1) goto bad;
|
| + psk_identity_hint= *(++argv);
|
| + }
|
| + else if (strcmp(*argv,"-psk") == 0)
|
| + {
|
| + size_t i;
|
| +
|
| + if (--argc < 1) goto bad;
|
| + psk_key=*(++argv);
|
| + for (i=0; i<strlen(psk_key); i++)
|
| + {
|
| + if (isxdigit((int)psk_key[i]))
|
| + continue;
|
| + BIO_printf(bio_err,"Not a hex number '%s'\n",*argv);
|
| + goto bad;
|
| + }
|
| + }
|
| +#endif
|
| else if (strcmp(*argv,"-www") == 0)
|
| { www=1; }
|
| else if (strcmp(*argv,"-WWW") == 0)
|
| @@ -1034,6 +1147,8 @@
|
| { off|=SSL_OP_NO_SSLv3; }
|
| else if (strcmp(*argv,"-no_tls1") == 0)
|
| { off|=SSL_OP_NO_TLSv1; }
|
| + else if (strcmp(*argv,"-no_comp") == 0)
|
| + { off|=SSL_OP_NO_COMPRESSION; }
|
| #ifndef OPENSSL_NO_TLSEXT
|
| else if (strcmp(*argv,"-no_ticket") == 0)
|
| { off|=SSL_OP_NO_TICKET; }
|
| @@ -1101,17 +1216,15 @@
|
| if (--argc < 1) goto bad;
|
| s_key_file2= *(++argv);
|
| }
|
| +# ifndef OPENSSL_NO_NEXTPROTONEG
|
| else if (strcmp(*argv,"-nextprotoneg") == 0)
|
| {
|
| if (--argc < 1) goto bad;
|
| next_proto_neg_in = *(++argv);
|
| }
|
| - else if (strcmp(*argv,"-snapstart") == 0)
|
| - {
|
| - snapstart = 1;
|
| - }
|
| +# endif
|
| #endif
|
| -#ifndef OPENSSL_NO_JPAKE
|
| +#if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
|
| else if (strcmp(*argv,"-jpake") == 0)
|
| {
|
| if (--argc < 1) goto bad;
|
| @@ -1134,6 +1247,26 @@
|
| goto end;
|
| }
|
|
|
| +#if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
|
| + if (jpake_secret)
|
| + {
|
| + if (psk_key)
|
| + {
|
| + BIO_printf(bio_err,
|
| + "Can't use JPAKE and PSK together\n");
|
| + goto end;
|
| + }
|
| + psk_identity = "JPAKE";
|
| + if (cipher)
|
| + {
|
| + BIO_printf(bio_err, "JPAKE sets cipher to PSK\n");
|
| + goto end;
|
| + }
|
| + cipher = "PSK";
|
| + }
|
| +
|
| +#endif
|
| +
|
| SSL_load_error_strings();
|
| OpenSSL_add_ssl_algorithms();
|
|
|
| @@ -1194,22 +1327,10 @@
|
| goto end;
|
| }
|
| }
|
| -
|
| - if (next_proto_neg_in)
|
| - {
|
| - unsigned short len;
|
| - next_proto.data = next_protos_parse(&len,
|
| - next_proto_neg_in);
|
| - if (next_proto.data == NULL)
|
| - goto end;
|
| - next_proto.len = len;
|
| - }
|
| - else
|
| - {
|
| - next_proto.data = NULL;
|
| - }
|
| #endif
|
| }
|
| +
|
| +
|
| if (s_dcert_file)
|
| {
|
|
|
| @@ -1328,8 +1449,9 @@
|
| ERR_print_errors(bio_err);
|
| /* goto end; */
|
| }
|
| - store = SSL_CTX_get_cert_store(ctx);
|
| - X509_STORE_set_flags(store, vflags);
|
| + if (vpm)
|
| + SSL_CTX_set1_param(ctx, vpm);
|
| +
|
| #ifndef OPENSSL_NO_TLSEXT
|
| if (s_cert2)
|
| {
|
| @@ -1365,13 +1487,11 @@
|
| if (bugs) SSL_CTX_set_options(ctx2,SSL_OP_ALL);
|
| if (hack) SSL_CTX_set_options(ctx2,SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG);
|
| SSL_CTX_set_options(ctx2,off);
|
| -
|
| /* DTLS: partial reads end up discarding unread UDP bytes :-(
|
| * Setting read ahead solves this problem.
|
| */
|
| if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx2, 1);
|
|
|
| -
|
| if (state) SSL_CTX_set_info_callback(ctx2,apps_ssl_info_callback);
|
|
|
| if (no_cache)
|
| @@ -1384,22 +1504,16 @@
|
| {
|
| ERR_print_errors(bio_err);
|
| }
|
| - store = SSL_CTX_get_cert_store(ctx2);
|
| - X509_STORE_set_flags(store, vflags);
|
| + if (vpm)
|
| + SSL_CTX_set1_param(ctx2, vpm);
|
| }
|
|
|
| +# ifndef OPENSSL_NO_NEXTPROTONEG
|
| if (next_proto.data)
|
| - {
|
| SSL_CTX_set_next_protos_advertised_cb(ctx, next_proto_cb, &next_proto);
|
| - }
|
| +# endif
|
| #endif
|
|
|
| - if (snapstart)
|
| - {
|
| - static const unsigned char orbit[8] = {1, 2, 3, 4, 5, 6, 7, 8};
|
| - SSL_CTX_set_snap_start_orbit(ctx, orbit);
|
| - }
|
| -
|
| #ifndef OPENSSL_NO_DH
|
| if (!no_dhe)
|
| {
|
| @@ -1475,10 +1589,10 @@
|
| else
|
| {
|
| BIO_printf(bio_s_out,"Using default temp ECDH parameters\n");
|
| - ecdh = EC_KEY_new_by_curve_name(NID_sect163r2);
|
| + ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
|
| if (ecdh == NULL)
|
| {
|
| - BIO_printf(bio_err, "unable to create curve (sect163r2)\n");
|
| + BIO_printf(bio_err, "unable to create curve (nistp256)\n");
|
| goto end;
|
| }
|
| }
|
| @@ -1513,7 +1627,7 @@
|
| #ifndef OPENSSL_NO_TLSEXT
|
| if (ctx2)
|
| SSL_CTX_set_tmp_rsa_callback(ctx2,tmp_rsa_cb);
|
| -#endif
|
| +#endif
|
| }
|
| #else
|
| if (!no_tmp_rsa && SSL_CTX_need_tmp_RSA(ctx))
|
| @@ -1539,6 +1653,21 @@
|
| goto end;
|
| }
|
| }
|
| +# ifndef OPENSSL_NO_NEXTPROTONEG
|
| + if (next_proto_neg_in)
|
| + {
|
| + unsigned short len;
|
| + next_proto.data = next_protos_parse(&len,
|
| + next_proto_neg_in);
|
| + if (next_proto.data == NULL)
|
| + goto end;
|
| + next_proto.len = len;
|
| + }
|
| + else
|
| + {
|
| + next_proto.data = NULL;
|
| + }
|
| +# endif
|
| #endif
|
| RSA_free(rsa);
|
| BIO_printf(bio_s_out,"\n");
|
| @@ -1546,11 +1675,34 @@
|
| #endif
|
| #endif
|
|
|
| - if (cipher != NULL)
|
| - if(!SSL_CTX_set_cipher_list(ctx,cipher)) {
|
| - BIO_printf(bio_err,"error setting cipher list\n");
|
| +#ifndef OPENSSL_NO_PSK
|
| +#ifdef OPENSSL_NO_JPAKE
|
| + if (psk_key != NULL)
|
| +#else
|
| + if (psk_key != NULL || jpake_secret)
|
| +#endif
|
| + {
|
| + if (s_debug)
|
| + BIO_printf(bio_s_out, "PSK key given or JPAKE in use, setting server callback\n");
|
| + SSL_CTX_set_psk_server_callback(ctx, psk_server_cb);
|
| + }
|
| +
|
| + if (!SSL_CTX_use_psk_identity_hint(ctx, psk_identity_hint))
|
| + {
|
| + BIO_printf(bio_err,"error setting PSK identity hint to context\n");
|
| ERR_print_errors(bio_err);
|
| goto end;
|
| + }
|
| +#endif
|
| +
|
| + if (cipher != NULL)
|
| + {
|
| + if(!SSL_CTX_set_cipher_list(ctx,cipher))
|
| + {
|
| + BIO_printf(bio_err,"error setting cipher list\n");
|
| + ERR_print_errors(bio_err);
|
| + goto end;
|
| + }
|
| #ifndef OPENSSL_NO_TLSEXT
|
| if (ctx2 && !SSL_CTX_set_cipher_list(ctx2,cipher))
|
| {
|
| @@ -1559,7 +1711,7 @@
|
| goto end;
|
| }
|
| #endif
|
| - }
|
| + }
|
| SSL_CTX_set_verify(ctx,s_server_verify,verify_callback);
|
| SSL_CTX_set_session_id_context(ctx,(void*)&s_server_session_id_context,
|
| sizeof s_server_session_id_context);
|
| @@ -1582,6 +1734,7 @@
|
| SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
|
| }
|
| #endif
|
| +
|
| if (CAfile != NULL)
|
| {
|
| SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(CAfile));
|
| @@ -1590,7 +1743,9 @@
|
| SSL_CTX_set_client_CA_list(ctx2,SSL_load_client_CA_file(CAfile));
|
| #endif
|
| }
|
| +
|
| BIO_printf(bio_s_out,"ACCEPT\n");
|
| + (void)BIO_flush(bio_s_out);
|
| if (www)
|
| do_server(port,socket_type,&accept_socket,www_body, context);
|
| else
|
| @@ -1662,7 +1817,7 @@
|
| SSL *con=NULL;
|
| BIO *sbio;
|
| struct timeval timeout;
|
| -#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE)
|
| +#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
|
| struct timeval tv;
|
| #else
|
| struct timeval *timeoutp;
|
| @@ -1714,13 +1869,18 @@
|
| strlen((char *)context));
|
| }
|
| SSL_clear(con);
|
| +#if 0
|
| +#ifdef TLSEXT_TYPE_opaque_prf_input
|
| + SSL_set_tlsext_opaque_prf_input(con, "Test server", 11);
|
| +#endif
|
| +#endif
|
|
|
| if (SSL_version(con) == DTLS1_VERSION)
|
| {
|
|
|
| sbio=BIO_new_dgram(s,BIO_NOCLOSE);
|
|
|
| - if ( enable_timeouts)
|
| + if (enable_timeouts)
|
| {
|
| timeout.tv_sec = 0;
|
| timeout.tv_usec = DGRAM_RCV_TIMEOUT;
|
| @@ -1731,7 +1891,6 @@
|
| BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
|
| }
|
|
|
| -
|
| if (socket_mtu > 28)
|
| {
|
| SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
|
| @@ -1794,10 +1953,10 @@
|
| if (!read_from_sslcon)
|
| {
|
| FD_ZERO(&readfds);
|
| -#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE)
|
| - FD_SET(fileno(stdin),&readfds);
|
| +#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE) && !defined(OPENSSL_SYS_BEOS_R5)
|
| + openssl_fdset(fileno(stdin),&readfds);
|
| #endif
|
| - FD_SET(s,&readfds);
|
| + openssl_fdset(s,&readfds);
|
| /* Note: under VMS with SOCKETSHR the second parameter is
|
| * currently of type (int *) whereas under other systems
|
| * it is (void *) if you don't have a cast it will choke
|
| @@ -1816,6 +1975,17 @@
|
| if((i < 0) || (!i && !_kbhit() ) )continue;
|
| if(_kbhit())
|
| read_from_terminal = 1;
|
| +#elif defined(OPENSSL_SYS_BEOS_R5)
|
| + /* Under BeOS-R5 the situation is similar to DOS */
|
| + tv.tv_sec = 1;
|
| + tv.tv_usec = 0;
|
| + (void)fcntl(fileno(stdin), F_SETFL, O_NONBLOCK);
|
| + i=select(width,(void *)&readfds,NULL,NULL,&tv);
|
| + if ((i < 0) || (!i && read(fileno(stdin), buf, 0) < 0))
|
| + continue;
|
| + if (read(fileno(stdin), buf, 0) >= 0)
|
| + read_from_terminal = 1;
|
| + (void)fcntl(fileno(stdin), F_SETFL, 0);
|
| #else
|
| if ((SSL_version(con) == DTLS1_VERSION) &&
|
| DTLSv1_get_timeout(con, &timeout))
|
| @@ -1843,7 +2013,7 @@
|
| {
|
| int j, lf_num;
|
|
|
| - i=read(fileno(stdin), buf, bufsize/2);
|
| + i=raw_read_stdin(buf, bufsize/2);
|
| lf_num = 0;
|
| /* both loops are skipped when i <= 0 */
|
| for (j = 0; j < i; j++)
|
| @@ -1862,7 +2032,7 @@
|
| assert(lf_num == 0);
|
| }
|
| else
|
| - i=read(fileno(stdin),buf,bufsize);
|
| + i=raw_read_stdin(buf,bufsize);
|
| if (!s_quiet)
|
| {
|
| if ((i <= 0) || (buf[0] == 'Q'))
|
| @@ -1882,6 +2052,7 @@
|
| ret= -11;*/
|
| goto err;
|
| }
|
| +
|
| if ((buf[0] == 'r') &&
|
| ((buf[1] == '\n') || (buf[1] == '\r')))
|
| {
|
| @@ -1978,7 +2149,7 @@
|
| #ifdef CHARSET_EBCDIC
|
| ascii2ebcdic(buf,buf,i);
|
| #endif
|
| - write(fileno(stdout),buf,
|
| + raw_write_stdout(buf,
|
| (unsigned int)i);
|
| if (SSL_pending(con)) goto again;
|
| break;
|
| @@ -2002,13 +2173,16 @@
|
| }
|
| }
|
| err:
|
| - BIO_printf(bio_s_out,"shutting down SSL\n");
|
| + if (con != NULL)
|
| + {
|
| + BIO_printf(bio_s_out,"shutting down SSL\n");
|
| #if 1
|
| - SSL_set_shutdown(con,SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
|
| + SSL_set_shutdown(con,SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
|
| #else
|
| - SSL_shutdown(con);
|
| + SSL_shutdown(con);
|
| #endif
|
| - if (con != NULL) SSL_free(con);
|
| + SSL_free(con);
|
| + }
|
| BIO_printf(bio_s_out,"CONNECTION CLOSED\n");
|
| if (buf != NULL)
|
| {
|
| @@ -2036,12 +2210,11 @@
|
| X509 *peer;
|
| long verify_error;
|
| MS_STATIC char buf[BUFSIZ];
|
| -#ifndef OPENSSL_NO_TLSEXT
|
| +#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
|
| const unsigned char *next_proto_neg;
|
| unsigned next_proto_neg_len;
|
| #endif
|
|
|
| -again:
|
| if ((i=SSL_accept(con)) <= 0)
|
| {
|
| if (BIO_sock_should_retry(i))
|
| @@ -2050,12 +2223,6 @@
|
| return(1);
|
| }
|
|
|
| - if (SSL_get_error(con, i) == SSL_ERROR_SERVER_RANDOM_VALIDATION_PENDING)
|
| - {
|
| - SSL_set_suggested_server_random_validity(con, 1);
|
| - goto again;
|
| - }
|
| -
|
| BIO_printf(bio_err,"ERROR\n");
|
| verify_error=SSL_get_verify_result(con);
|
| if (verify_error != X509_V_OK)
|
| @@ -2086,13 +2253,14 @@
|
| BIO_printf(bio_s_out,"Shared ciphers:%s\n",buf);
|
| str=SSL_CIPHER_get_name(SSL_get_current_cipher(con));
|
| BIO_printf(bio_s_out,"CIPHER is %s\n",(str != NULL)?str:"(NONE)");
|
| -#ifndef OPENSSL_NO_TLSEXT
|
| +#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
|
| SSL_get0_next_proto_negotiated(con, &next_proto_neg, &next_proto_neg_len);
|
| - if (next_proto_neg) {
|
| + if (next_proto_neg)
|
| + {
|
| BIO_printf(bio_s_out,"NEXTPROTO is ");
|
| BIO_write(bio_s_out, next_proto_neg, next_proto_neg_len);
|
| BIO_printf(bio_s_out, "\n");
|
| - }
|
| + }
|
| #endif
|
| if (con->hit) BIO_printf(bio_s_out,"Reused session-id\n");
|
| if (SSL_ctrl(con,SSL_CTRL_GET_FLAGS,0,NULL) &
|
| @@ -2150,12 +2318,10 @@
|
| {
|
| char *buf=NULL;
|
| int ret=1;
|
| - int i,j,k,blank,dot;
|
| - struct stat st_buf;
|
| + int i,j,k,dot;
|
| SSL *con;
|
| - SSL_CIPHER *c;
|
| + const SSL_CIPHER *c;
|
| BIO *io,*ssl_bio,*sbio;
|
| - long total_bytes;
|
|
|
| buf=OPENSSL_malloc(bufsize);
|
| if (buf == NULL) return(0);
|
| @@ -2226,7 +2392,6 @@
|
| SSL_set_msg_callback_arg(con, bio_s_out);
|
| }
|
|
|
| - blank=0;
|
| for (;;)
|
| {
|
| if (hack)
|
| @@ -2241,9 +2406,6 @@
|
| case SSL_ERROR_WANT_READ:
|
| case SSL_ERROR_WANT_X509_LOOKUP:
|
| continue;
|
| - case SSL_ERROR_SERVER_RANDOM_VALIDATION_PENDING:
|
| - SSL_set_suggested_server_random_validity(con, 1);
|
| - continue;
|
| case SSL_ERROR_SYSCALL:
|
| case SSL_ERROR_SSL:
|
| case SSL_ERROR_ZERO_RETURN:
|
| @@ -2426,15 +2588,8 @@
|
| #endif
|
|
|
| /* if a directory, do the index thang */
|
| - if (stat(p,&st_buf) < 0)
|
| + if (app_isdir(p)>0)
|
| {
|
| - BIO_puts(io,text);
|
| - BIO_printf(io,"Error accessing '%s'\r\n",p);
|
| - ERR_print_errors(io);
|
| - break;
|
| - }
|
| - if (S_ISDIR(st_buf.st_mode))
|
| - {
|
| #if 0 /* must check buffer size */
|
| strcat(p,"/index.html");
|
| #else
|
| @@ -2466,7 +2621,6 @@
|
| BIO_puts(io,"HTTP/1.0 200 ok\r\nContent-type: text/plain\r\n\r\n");
|
| }
|
| /* send the file */
|
| - total_bytes=0;
|
| for (;;)
|
| {
|
| i=BIO_read(file,buf,bufsize);
|
|
|
Chromium Code Reviews
Issue 9254031:
Upgrade chrome's OpenSSL to same version Android ships with. (Closed)
Base URL: http://src.chromium.org/svn/trunk/deps/third_party/openssl/