version 1.5, 2014/10/31 16:59:00 |
version 1.6, 2014/11/06 14:50:12 |
|
|
static int accept_socket = -1; |
static int accept_socket = -1; |
|
|
#define TEST_CERT "server.pem" |
#define TEST_CERT "server.pem" |
#ifndef OPENSSL_NO_TLSEXT |
|
#define TEST_CERT2 "server2.pem" |
#define TEST_CERT2 "server2.pem" |
#endif |
|
|
|
extern int verify_depth, verify_return_error; |
extern int verify_depth, verify_return_error; |
|
|
|
|
static int s_server_verify = SSL_VERIFY_NONE; |
static int s_server_verify = SSL_VERIFY_NONE; |
static int s_server_session_id_context = 1; /* anything will do */ |
static int s_server_session_id_context = 1; /* anything will do */ |
static const char *s_cert_file = TEST_CERT, *s_key_file = NULL; |
static const char *s_cert_file = TEST_CERT, *s_key_file = NULL; |
#ifndef OPENSSL_NO_TLSEXT |
|
static const char *s_cert_file2 = TEST_CERT2, *s_key_file2 = NULL; |
static const char *s_cert_file2 = TEST_CERT2, *s_key_file2 = NULL; |
#endif |
|
static char *s_dcert_file = NULL, *s_dkey_file = NULL; |
static char *s_dcert_file = NULL, *s_dkey_file = NULL; |
static int s_nbio = 0; |
static int s_nbio = 0; |
static int s_nbio_test = 0; |
static int s_nbio_test = 0; |
int s_crlf = 0; |
int s_crlf = 0; |
static SSL_CTX *ctx = NULL; |
static SSL_CTX *ctx = NULL; |
#ifndef OPENSSL_NO_TLSEXT |
|
static SSL_CTX *ctx2 = NULL; |
static SSL_CTX *ctx2 = NULL; |
#endif |
|
static int www = 0; |
static int www = 0; |
|
|
static BIO *bio_s_out = NULL; |
static BIO *bio_s_out = NULL; |
static int s_debug = 0; |
static int s_debug = 0; |
#ifndef OPENSSL_NO_TLSEXT |
|
static int s_tlsextdebug = 0; |
static int s_tlsextdebug = 0; |
static int s_tlsextstatus = 0; |
static int s_tlsextstatus = 0; |
static int cert_status_cb(SSL * s, void *arg); |
static int cert_status_cb(SSL * s, void *arg); |
#endif |
|
static int s_msg = 0; |
static int s_msg = 0; |
static int s_quiet = 0; |
static int s_quiet = 0; |
|
|
|
|
s_dkey_file = NULL; |
s_dkey_file = NULL; |
s_cert_file = TEST_CERT; |
s_cert_file = TEST_CERT; |
s_key_file = NULL; |
s_key_file = NULL; |
#ifndef OPENSSL_NO_TLSEXT |
|
s_cert_file2 = TEST_CERT2; |
s_cert_file2 = TEST_CERT2; |
s_key_file2 = NULL; |
s_key_file2 = NULL; |
ctx2 = NULL; |
ctx2 = NULL; |
#endif |
|
s_nbio = 0; |
s_nbio = 0; |
s_nbio_test = 0; |
s_nbio_test = 0; |
ctx = NULL; |
ctx = NULL; |
|
|
BIO_printf(bio_err, " -engine id - Initialise and use the specified engine\n"); |
BIO_printf(bio_err, " -engine id - Initialise and use the specified engine\n"); |
#endif |
#endif |
BIO_printf(bio_err, " -id_prefix arg - Generate SSL/TLS session IDs prefixed by 'arg'\n"); |
BIO_printf(bio_err, " -id_prefix arg - Generate SSL/TLS session IDs prefixed by 'arg'\n"); |
#ifndef OPENSSL_NO_TLSEXT |
|
BIO_printf(bio_err, " -servername host - servername for HostName TLS extension\n"); |
BIO_printf(bio_err, " -servername host - servername for HostName TLS extension\n"); |
BIO_printf(bio_err, " -servername_fatal - on mismatch send fatal alert (default warning alert)\n"); |
BIO_printf(bio_err, " -servername_fatal - on mismatch send fatal alert (default warning alert)\n"); |
BIO_printf(bio_err, " -cert2 arg - certificate file to use for servername\n"); |
BIO_printf(bio_err, " -cert2 arg - certificate file to use for servername\n"); |
|
|
#ifndef OPENSSL_NO_SRTP |
#ifndef OPENSSL_NO_SRTP |
BIO_printf(bio_err, " -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n"); |
BIO_printf(bio_err, " -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n"); |
#endif |
#endif |
#endif |
|
BIO_printf(bio_err, " -keymatexport label - Export keying material using label\n"); |
BIO_printf(bio_err, " -keymatexport label - Export keying material using label\n"); |
BIO_printf(bio_err, " -keymatexportlen len - Export len bytes of keying material (default 20)\n"); |
BIO_printf(bio_err, " -keymatexportlen len - Export len bytes of keying material (default 20)\n"); |
} |
} |
|
|
static int local_argc = 0; |
static int local_argc = 0; |
static char **local_argv; |
static char **local_argv; |
|
|
#ifndef OPENSSL_NO_TLSEXT |
|
|
|
/* This is a context that we pass to callbacks */ |
/* This is a context that we pass to callbacks */ |
typedef struct tlsextctx_st { |
typedef struct tlsextctx_st { |
|
|
#endif /* ndef OPENSSL_NO_NEXTPROTONEG */ |
#endif /* ndef OPENSSL_NO_NEXTPROTONEG */ |
|
|
|
|
#endif |
|
|
|
int s_server_main(int, char **); |
int s_server_main(int, char **); |
|
|
|
|
EVP_PKEY *s_key = NULL, *s_dkey = NULL; |
EVP_PKEY *s_key = NULL, *s_dkey = NULL; |
int no_cache = 0; |
int no_cache = 0; |
const char *errstr = NULL; |
const char *errstr = NULL; |
#ifndef OPENSSL_NO_TLSEXT |
|
EVP_PKEY *s_key2 = NULL; |
EVP_PKEY *s_key2 = NULL; |
X509 *s_cert2 = NULL; |
X509 *s_cert2 = NULL; |
tlsextctx tlsextcbp = {NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING}; |
tlsextctx tlsextcbp = {NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING}; |
|
|
const char *next_proto_neg_in = NULL; |
const char *next_proto_neg_in = NULL; |
tlsextnextprotoctx next_proto; |
tlsextnextprotoctx next_proto; |
#endif |
#endif |
#endif |
|
meth = SSLv23_server_method(); |
meth = SSLv23_server_method(); |
|
|
local_argc = argc; |
local_argc = argc; |
|
|
} else if (strcmp(*argv, "-debug") == 0) { |
} else if (strcmp(*argv, "-debug") == 0) { |
s_debug = 1; |
s_debug = 1; |
} |
} |
#ifndef OPENSSL_NO_TLSEXT |
|
else if (strcmp(*argv, "-tlsextdebug") == 0) |
else if (strcmp(*argv, "-tlsextdebug") == 0) |
s_tlsextdebug = 1; |
s_tlsextdebug = 1; |
else if (strcmp(*argv, "-status") == 0) |
else if (strcmp(*argv, "-status") == 0) |
|
|
goto bad; |
goto bad; |
} |
} |
} |
} |
#endif |
|
else if (strcmp(*argv, "-msg") == 0) { |
else if (strcmp(*argv, "-msg") == 0) { |
s_msg = 1; |
s_msg = 1; |
} else if (strcmp(*argv, "-hack") == 0) { |
} else if (strcmp(*argv, "-hack") == 0) { |
|
|
} else if (strcmp(*argv, "-no_comp") == 0) { |
} else if (strcmp(*argv, "-no_comp") == 0) { |
off |= SSL_OP_NO_COMPRESSION; |
off |= SSL_OP_NO_COMPRESSION; |
} |
} |
#ifndef OPENSSL_NO_TLSEXT |
|
else if (strcmp(*argv, "-no_ticket") == 0) { |
else if (strcmp(*argv, "-no_ticket") == 0) { |
off |= SSL_OP_NO_TICKET; |
off |= SSL_OP_NO_TICKET; |
} |
} |
#endif |
|
else if (strcmp(*argv, "-ssl3") == 0) { |
else if (strcmp(*argv, "-ssl3") == 0) { |
meth = SSLv3_server_method(); |
meth = SSLv3_server_method(); |
} else if (strcmp(*argv, "-tls1") == 0) { |
} else if (strcmp(*argv, "-tls1") == 0) { |
|
|
engine_id = *(++argv); |
engine_id = *(++argv); |
} |
} |
#endif |
#endif |
#ifndef OPENSSL_NO_TLSEXT |
|
else if (strcmp(*argv, "-servername") == 0) { |
else if (strcmp(*argv, "-servername") == 0) { |
if (--argc < 1) |
if (--argc < 1) |
goto bad; |
goto bad; |
|
|
next_proto_neg_in = *(++argv); |
next_proto_neg_in = *(++argv); |
} |
} |
#endif |
#endif |
#endif |
|
#ifndef OPENSSL_NO_SRTP |
#ifndef OPENSSL_NO_SRTP |
else if (strcmp(*argv, "-use_srtp") == 0) { |
else if (strcmp(*argv, "-use_srtp") == 0) { |
if (--argc < 1) |
if (--argc < 1) |
|
|
} |
} |
if (s_key_file == NULL) |
if (s_key_file == NULL) |
s_key_file = s_cert_file; |
s_key_file = s_cert_file; |
#ifndef OPENSSL_NO_TLSEXT |
|
if (s_key_file2 == NULL) |
if (s_key_file2 == NULL) |
s_key_file2 = s_cert_file2; |
s_key_file2 = s_cert_file2; |
#endif |
|
|
|
if (nocert == 0) { |
if (nocert == 0) { |
s_key = load_key(bio_err, s_key_file, s_key_format, 0, pass, e, |
s_key = load_key(bio_err, s_key_file, s_key_format, 0, pass, e, |
|
|
ERR_print_errors(bio_err); |
ERR_print_errors(bio_err); |
goto end; |
goto end; |
} |
} |
#ifndef OPENSSL_NO_TLSEXT |
|
if (tlsextcbp.servername) { |
if (tlsextcbp.servername) { |
s_key2 = load_key(bio_err, s_key_file2, s_key_format, 0, pass, e, |
s_key2 = load_key(bio_err, s_key_file2, s_key_format, 0, pass, e, |
"second server certificate private key file"); |
"second server certificate private key file"); |
|
|
goto end; |
goto end; |
} |
} |
} |
} |
#endif |
|
} |
} |
#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) |
#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) |
if (next_proto_neg_in) { |
if (next_proto_neg_in) { |
|
|
s_key_file = NULL; |
s_key_file = NULL; |
s_dcert_file = NULL; |
s_dcert_file = NULL; |
s_dkey_file = NULL; |
s_dkey_file = NULL; |
#ifndef OPENSSL_NO_TLSEXT |
|
s_cert_file2 = NULL; |
s_cert_file2 = NULL; |
s_key_file2 = NULL; |
s_key_file2 = NULL; |
#endif |
|
} |
} |
ctx = SSL_CTX_new(meth); |
ctx = SSL_CTX_new(meth); |
if (ctx == NULL) { |
if (ctx == NULL) { |
|
|
if (vpm) |
if (vpm) |
SSL_CTX_set1_param(ctx, vpm); |
SSL_CTX_set1_param(ctx, vpm); |
|
|
#ifndef OPENSSL_NO_TLSEXT |
|
if (s_cert2) { |
if (s_cert2) { |
ctx2 = SSL_CTX_new(meth); |
ctx2 = SSL_CTX_new(meth); |
if (ctx2 == NULL) { |
if (ctx2 == NULL) { |
|
|
if (next_proto.data) |
if (next_proto.data) |
SSL_CTX_set_next_protos_advertised_cb(ctx, next_proto_cb, &next_proto); |
SSL_CTX_set_next_protos_advertised_cb(ctx, next_proto_cb, &next_proto); |
#endif |
#endif |
#endif |
|
|
|
#ifndef OPENSSL_NO_DH |
#ifndef OPENSSL_NO_DH |
if (!no_dhe) { |
if (!no_dhe) { |
|
|
goto end; |
goto end; |
} |
} |
|
|
#ifndef OPENSSL_NO_TLSEXT |
|
if (ctx2) { |
if (ctx2) { |
if (!dhfile) { |
if (!dhfile) { |
DH *dh2 = load_dh_param(s_cert_file2); |
DH *dh2 = load_dh_param(s_cert_file2); |
|
|
goto end; |
goto end; |
} |
} |
} |
} |
#endif |
|
DH_free(dh); |
DH_free(dh); |
} |
} |
#endif |
#endif |
|
|
(void) BIO_flush(bio_s_out); |
(void) BIO_flush(bio_s_out); |
|
|
SSL_CTX_set_tmp_ecdh(ctx, ecdh); |
SSL_CTX_set_tmp_ecdh(ctx, ecdh); |
#ifndef OPENSSL_NO_TLSEXT |
|
if (ctx2) |
if (ctx2) |
SSL_CTX_set_tmp_ecdh(ctx2, ecdh); |
SSL_CTX_set_tmp_ecdh(ctx2, ecdh); |
#endif |
|
EC_KEY_free(ecdh); |
EC_KEY_free(ecdh); |
} |
} |
|
|
if (!set_cert_key_stuff(ctx, s_cert, s_key)) |
if (!set_cert_key_stuff(ctx, s_cert, s_key)) |
goto end; |
goto end; |
#ifndef OPENSSL_NO_TLSEXT |
|
if (ctx2 && !set_cert_key_stuff(ctx2, s_cert2, s_key2)) |
if (ctx2 && !set_cert_key_stuff(ctx2, s_cert2, s_key2)) |
goto end; |
goto end; |
#endif |
|
if (s_dcert != NULL) { |
if (s_dcert != NULL) { |
if (!set_cert_key_stuff(ctx, s_dcert, s_dkey)) |
if (!set_cert_key_stuff(ctx, s_dcert, s_dkey)) |
goto end; |
goto end; |
|
|
ERR_print_errors(bio_err); |
ERR_print_errors(bio_err); |
goto end; |
goto end; |
} |
} |
#ifndef OPENSSL_NO_TLSEXT |
|
if (ctx2 && !SSL_CTX_set_cipher_list(ctx2, cipher)) { |
if (ctx2 && !SSL_CTX_set_cipher_list(ctx2, cipher)) { |
BIO_printf(bio_err, "error setting cipher list\n"); |
BIO_printf(bio_err, "error setting cipher list\n"); |
ERR_print_errors(bio_err); |
ERR_print_errors(bio_err); |
goto end; |
goto end; |
} |
} |
#endif |
|
} |
} |
SSL_CTX_set_verify(ctx, s_server_verify, verify_callback); |
SSL_CTX_set_verify(ctx, s_server_verify, verify_callback); |
SSL_CTX_set_session_id_context(ctx, (void *) &s_server_session_id_context, |
SSL_CTX_set_session_id_context(ctx, (void *) &s_server_session_id_context, |
|
|
SSL_CTX_set_cookie_generate_cb(ctx, generate_cookie_callback); |
SSL_CTX_set_cookie_generate_cb(ctx, generate_cookie_callback); |
SSL_CTX_set_cookie_verify_cb(ctx, verify_cookie_callback); |
SSL_CTX_set_cookie_verify_cb(ctx, verify_cookie_callback); |
|
|
#ifndef OPENSSL_NO_TLSEXT |
|
if (ctx2) { |
if (ctx2) { |
SSL_CTX_set_verify(ctx2, s_server_verify, verify_callback); |
SSL_CTX_set_verify(ctx2, s_server_verify, verify_callback); |
SSL_CTX_set_session_id_context(ctx2, (void *) &s_server_session_id_context, |
SSL_CTX_set_session_id_context(ctx2, (void *) &s_server_session_id_context, |
|
|
SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb); |
SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb); |
SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp); |
SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp); |
} |
} |
#endif |
|
|
|
if (CAfile != NULL) { |
if (CAfile != NULL) { |
SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(CAfile)); |
SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(CAfile)); |
#ifndef OPENSSL_NO_TLSEXT |
|
if (ctx2) |
if (ctx2) |
SSL_CTX_set_client_CA_list(ctx2, SSL_load_client_CA_file(CAfile)); |
SSL_CTX_set_client_CA_list(ctx2, SSL_load_client_CA_file(CAfile)); |
#endif |
|
} |
} |
BIO_printf(bio_s_out, "ACCEPT\n"); |
BIO_printf(bio_s_out, "ACCEPT\n"); |
(void) BIO_flush(bio_s_out); |
(void) BIO_flush(bio_s_out); |
|
|
free(dpass); |
free(dpass); |
if (vpm) |
if (vpm) |
X509_VERIFY_PARAM_free(vpm); |
X509_VERIFY_PARAM_free(vpm); |
#ifndef OPENSSL_NO_TLSEXT |
|
free(tlscstatp.host); |
free(tlscstatp.host); |
free(tlscstatp.port); |
free(tlscstatp.port); |
free(tlscstatp.path); |
free(tlscstatp.path); |
|
|
X509_free(s_cert2); |
X509_free(s_cert2); |
if (s_key2) |
if (s_key2) |
EVP_PKEY_free(s_key2); |
EVP_PKEY_free(s_key2); |
#endif |
|
if (bio_s_out != NULL) { |
if (bio_s_out != NULL) { |
BIO_free(bio_s_out); |
BIO_free(bio_s_out); |
bio_s_out = NULL; |
bio_s_out = NULL; |
|
|
|
|
if (con == NULL) { |
if (con == NULL) { |
con = SSL_new(ctx); |
con = SSL_new(ctx); |
#ifndef OPENSSL_NO_TLSEXT |
|
if (s_tlsextdebug) { |
if (s_tlsextdebug) { |
SSL_set_tlsext_debug_callback(con, tlsext_cb); |
SSL_set_tlsext_debug_callback(con, tlsext_cb); |
SSL_set_tlsext_debug_arg(con, bio_s_out); |
SSL_set_tlsext_debug_arg(con, bio_s_out); |
|
|
tlscstatp.err = bio_err; |
tlscstatp.err = bio_err; |
SSL_CTX_set_tlsext_status_arg(ctx, &tlscstatp); |
SSL_CTX_set_tlsext_status_arg(ctx, &tlscstatp); |
} |
} |
#endif |
|
if (context) |
if (context) |
SSL_set_session_id_context(con, context, |
SSL_set_session_id_context(con, context, |
strlen((char *) context)); |
strlen((char *) context)); |
|
|
SSL_set_msg_callback(con, msg_cb); |
SSL_set_msg_callback(con, msg_cb); |
SSL_set_msg_callback_arg(con, bio_s_out); |
SSL_set_msg_callback_arg(con, bio_s_out); |
} |
} |
#ifndef OPENSSL_NO_TLSEXT |
|
if (s_tlsextdebug) { |
if (s_tlsextdebug) { |
SSL_set_tlsext_debug_callback(con, tlsext_cb); |
SSL_set_tlsext_debug_callback(con, tlsext_cb); |
SSL_set_tlsext_debug_arg(con, bio_s_out); |
SSL_set_tlsext_debug_arg(con, bio_s_out); |
} |
} |
#endif |
|
|
|
width = s + 1; |
width = s + 1; |
for (;;) { |
for (;;) { |
|
|
|
|
if ((con = SSL_new(ctx)) == NULL) |
if ((con = SSL_new(ctx)) == NULL) |
goto err; |
goto err; |
#ifndef OPENSSL_NO_TLSEXT |
|
if (s_tlsextdebug) { |
if (s_tlsextdebug) { |
SSL_set_tlsext_debug_callback(con, tlsext_cb); |
SSL_set_tlsext_debug_callback(con, tlsext_cb); |
SSL_set_tlsext_debug_arg(con, bio_s_out); |
SSL_set_tlsext_debug_arg(con, bio_s_out); |
} |
} |
#endif |
|
if (context) |
if (context) |
SSL_set_session_id_context(con, context, |
SSL_set_session_id_context(con, context, |
strlen((char *) context)); |
strlen((char *) context)); |
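Review bot: The return value of `SSL_load_client_CA_file(CAfile)` is never checked in the `if (CAfile != NULL)` hunk, and with the `OPENSSL_NO_TLSEXT` guard gone the second call that feeds `ctx2` is now compiled unconditionally, so an unreadable or malformed CA file silently installs a NULL client-CA list on both contexts (with the error queue never printed) instead of aborting startup. For a server that requests client certificates that most likely means an empty certificate_authorities list goes out in CertificateRequest and the operator sees confusing verification failures rather than a load error. I would load the list once, fail on NULL via the existing `goto end` path, and hand `ctx2` a copy since `SSL_CTX_set_client_CA_list` takes ownership of the stack. The enclosing function starts and ends outside this hunk. Separately, the NPN guard `#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)` is left untouched by this commit even though every other reference to `OPENSSL_NO_TLSEXT` is removed; it should become `#ifndef OPENSSL_NO_NEXTPROTONEG` for consistency.
```c
	if (CAfile != NULL) {
		STACK_OF(X509_NAME) *ca_names = SSL_load_client_CA_file(CAfile);
		if (ca_names == NULL) {
			BIO_printf(bio_err, "error loading client CA list from %s\n", CAfile);
			ERR_print_errors(bio_err);
			goto end;
		}
		SSL_CTX_set_client_CA_list(ctx, ca_names);   /* ctx now owns ca_names */
		if (ctx2)
			SSL_CTX_set_client_CA_list(ctx2, SSL_dup_CA_list(ca_names));
	}
```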