Diffstat (limited to 'usr.bin/openssl/s_server.c')
-rw-r--r--usr.bin/openssl/s_server.c197
1 files changed, 130 insertions, 67 deletions
diff --git a/usr.bin/openssl/s_server.c b/usr.bin/openssl/s_server.c
index eb5f62ed56c..95e96429cef 100644
--- a/usr.bin/openssl/s_server.c
+++ b/usr.bin/openssl/s_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s_server.c,v 1.42 2020/07/27 13:06:13 inoguchi Exp $ */
+/* $OpenBSD: s_server.c,v 1.43 2020/07/27 13:46:48 inoguchi Exp $ */
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
* All rights reserved.
*
@@ -1044,7 +1044,8 @@ s_server_main(int argc, char *argv[])
s_server_config.server_verify = SSL_VERIFY_NONE;
s_server_config.socket_type = SOCK_STREAM;
s_server_config.tlscstatp.timeout = -1;
- s_server_config.tlsextcbp.extension_error = SSL_TLSEXT_ERR_ALERT_WARNING;
+ s_server_config.tlsextcbp.extension_error =
+ SSL_TLSEXT_ERR_ALERT_WARNING;
local_argc = argc;
local_argv = argv;
@@ -1064,7 +1065,8 @@ s_server_main(int argc, char *argv[])
goto end;
}
- if (!app_passwd(bio_err, s_server_config.passarg, s_server_config.dpassarg, &pass, &dpass)) {
+ if (!app_passwd(bio_err, s_server_config.passarg,
+ s_server_config.dpassarg, &pass, &dpass)) {
BIO_printf(bio_err, "Error getting password\n");
goto end;
}
@@ -1074,13 +1076,15 @@ s_server_main(int argc, char *argv[])
s_server_config.key_file2 = s_server_config.cert_file2;
if (s_server_config.nocert == 0) {
- s_key = load_key(bio_err, s_server_config.key_file, s_server_config.key_format, 0, pass,
+ s_key = load_key(bio_err, s_server_config.key_file,
+ s_server_config.key_format, 0, pass,
"server certificate private key file");
if (!s_key) {
ERR_print_errors(bio_err);
goto end;
}
- s_cert = load_cert(bio_err, s_server_config.cert_file, s_server_config.cert_format,
+ s_cert = load_cert(bio_err, s_server_config.cert_file,
+ s_server_config.cert_format,
NULL, "server certificate file");
if (!s_cert) {
@@ -1088,13 +1092,15 @@ s_server_main(int argc, char *argv[])
goto end;
}
if (s_server_config.tlsextcbp.servername) {
- s_key2 = load_key(bio_err, s_server_config.key_file2, s_server_config.key_format, 0, pass,
+ s_key2 = load_key(bio_err, s_server_config.key_file2,
+ s_server_config.key_format, 0, pass,
"second server certificate private key file");
if (!s_key2) {
ERR_print_errors(bio_err);
goto end;
}
- s_cert2 = load_cert(bio_err, s_server_config.cert_file2, s_server_config.cert_format,
+ s_cert2 = load_cert(bio_err, s_server_config.cert_file2,
+ s_server_config.cert_format,
NULL, "second server certificate file");
if (!s_cert2) {
@@ -1106,7 +1112,8 @@ s_server_main(int argc, char *argv[])
alpn_ctx.data = NULL;
if (s_server_config.alpn_in) {
unsigned short len;
- alpn_ctx.data = next_protos_parse(&len, s_server_config.alpn_in);
+ alpn_ctx.data = next_protos_parse(&len,
+ s_server_config.alpn_in);
if (alpn_ctx.data == NULL)
goto end;
alpn_ctx.len = len;
@@ -1117,13 +1124,15 @@ s_server_main(int argc, char *argv[])
if (s_server_config.dkey_file == NULL)
s_server_config.dkey_file = s_server_config.dcert_file;
- s_dkey = load_key(bio_err, s_server_config.dkey_file, s_server_config.dkey_format,
+ s_dkey = load_key(bio_err, s_server_config.dkey_file,
+ s_server_config.dkey_format,
0, dpass, "second certificate private key file");
if (!s_dkey) {
ERR_print_errors(bio_err);
goto end;
}
- s_dcert = load_cert(bio_err, s_server_config.dcert_file, s_server_config.dcert_format,
+ s_dcert = load_cert(bio_err, s_server_config.dcert_file,
+ s_server_config.dcert_format,
NULL, "second server certificate file");
if (!s_dcert) {
@@ -1132,7 +1141,8 @@ s_server_main(int argc, char *argv[])
}
}
if (bio_s_out == NULL) {
- if (s_server_config.quiet && !s_server_config.debug && !s_server_config.msg) {
+ if (s_server_config.quiet && !s_server_config.debug &&
+ !s_server_config.msg) {
bio_s_out = BIO_new(BIO_s_null());
} else {
if (bio_s_out == NULL)
@@ -1172,7 +1182,8 @@ s_server_main(int argc, char *argv[])
ERR_print_errors(bio_err);
goto end;
}
- BIO_printf(bio_err, "id_prefix '%s' set.\n", s_server_config.session_id_prefix);
+ BIO_printf(bio_err, "id_prefix '%s' set.\n",
+ s_server_config.session_id_prefix);
}
SSL_CTX_set_quiet_shutdown(ctx, 1);
if (s_server_config.bugs)
@@ -1197,8 +1208,8 @@ s_server_main(int argc, char *argv[])
SSL_CTX_set_tlsext_use_srtp(ctx, s_server_config.srtp_profiles);
#endif
-
- if ((!SSL_CTX_load_verify_locations(ctx, s_server_config.CAfile, s_server_config.CApath)) ||
+ if ((!SSL_CTX_load_verify_locations(ctx, s_server_config.CAfile,
+ s_server_config.CApath)) ||
(!SSL_CTX_set_default_verify_paths(ctx))) {
/* BIO_printf(bio_err,"X509_load_verify_locations\n"); */
ERR_print_errors(bio_err);
@@ -1214,9 +1225,11 @@ s_server_main(int argc, char *argv[])
goto end;
}
- if (!SSL_CTX_set_min_proto_version(ctx2, s_server_config.min_version))
+ if (!SSL_CTX_set_min_proto_version(ctx2,
+ s_server_config.min_version))
goto end;
- if (!SSL_CTX_set_max_proto_version(ctx2, s_server_config.max_version))
+ if (!SSL_CTX_set_max_proto_version(ctx2,
+ s_server_config.max_version))
goto end;
SSL_CTX_clear_mode(ctx2, SSL_MODE_AUTO_RETRY);
}
@@ -1230,12 +1243,15 @@ s_server_main(int argc, char *argv[])
else if (strlen(s_server_config.session_id_prefix) >= 16)
BIO_printf(bio_err,
"warning: id_prefix is too long if you use SSLv2\n");
- if (!SSL_CTX_set_generate_session_id(ctx2, generate_session_id)) {
- BIO_printf(bio_err, "error setting 'id_prefix'\n");
+ if (!SSL_CTX_set_generate_session_id(ctx2,
+ generate_session_id)) {
+ BIO_printf(bio_err,
+ "error setting 'id_prefix'\n");
ERR_print_errors(bio_err);
goto end;
}
- BIO_printf(bio_err, "id_prefix '%s' set.\n", s_server_config.session_id_prefix);
+ BIO_printf(bio_err, "id_prefix '%s' set.\n",
+ s_server_config.session_id_prefix);
}
SSL_CTX_set_quiet_shutdown(ctx2, 1);
if (s_server_config.bugs)
@@ -1256,7 +1272,8 @@ s_server_main(int argc, char *argv[])
else
SSL_CTX_sess_set_cache_size(ctx2, 128);
- if ((!SSL_CTX_load_verify_locations(ctx2, s_server_config.CAfile, s_server_config.CApath)) ||
+ if ((!SSL_CTX_load_verify_locations(ctx2,
+ s_server_config.CAfile, s_server_config.CApath)) ||
(!SSL_CTX_set_default_verify_paths(ctx2))) {
ERR_print_errors(bio_err);
}
@@ -1304,9 +1321,11 @@ s_server_main(int argc, char *argv[])
DH *dh2 = NULL;
if (s_server_config.cert_file2 != NULL)
- dh2 = load_dh_param(s_server_config.cert_file2);
+ dh2 = load_dh_param(
+ s_server_config.cert_file2);
if (dh2 != NULL) {
- BIO_printf(bio_s_out, "Setting temp DH parameters\n");
+ BIO_printf(bio_s_out,
+ "Setting temp DH parameters\n");
(void) BIO_flush(bio_s_out);
DH_free(dh);
@@ -1365,14 +1384,16 @@ s_server_main(int argc, char *argv[])
ERR_print_errors(bio_err);
goto end;
}
- if (ctx2 && !SSL_CTX_set_cipher_list(ctx2, s_server_config.cipher)) {
+ if (ctx2 && !SSL_CTX_set_cipher_list(ctx2,
+ s_server_config.cipher)) {
BIO_printf(bio_err, "error setting cipher list\n");
ERR_print_errors(bio_err);
goto end;
}
}
SSL_CTX_set_verify(ctx, s_server_config.server_verify, verify_callback);
- SSL_CTX_set_session_id_context(ctx, (void *) &s_server_session_id_context,
+ SSL_CTX_set_session_id_context(ctx,
+ (void *) &s_server_session_id_context,
sizeof s_server_session_id_context);
/* Set DTLS cookie generation and verification callbacks */
@@ -1380,28 +1401,36 @@ s_server_main(int argc, char *argv[])
SSL_CTX_set_cookie_verify_cb(ctx, verify_cookie_callback);
if (ctx2) {
- SSL_CTX_set_verify(ctx2, s_server_config.server_verify, verify_callback);
- SSL_CTX_set_session_id_context(ctx2, (void *) &s_server_session_id_context,
+ SSL_CTX_set_verify(ctx2, s_server_config.server_verify,
+ verify_callback);
+ SSL_CTX_set_session_id_context(ctx2,
+ (void *) &s_server_session_id_context,
sizeof s_server_session_id_context);
s_server_config.tlsextcbp.biodebug = bio_s_out;
SSL_CTX_set_tlsext_servername_callback(ctx2, ssl_servername_cb);
- SSL_CTX_set_tlsext_servername_arg(ctx2, &s_server_config.tlsextcbp);
+ SSL_CTX_set_tlsext_servername_arg(ctx2,
+ &s_server_config.tlsextcbp);
SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
- SSL_CTX_set_tlsext_servername_arg(ctx, &s_server_config.tlsextcbp);
+ SSL_CTX_set_tlsext_servername_arg(ctx,
+ &s_server_config.tlsextcbp);
}
if (s_server_config.CAfile != NULL) {
- SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(s_server_config.CAfile));
+ SSL_CTX_set_client_CA_list(ctx,
+ SSL_load_client_CA_file(s_server_config.CAfile));
if (ctx2)
- SSL_CTX_set_client_CA_list(ctx2, SSL_load_client_CA_file(s_server_config.CAfile));
+ SSL_CTX_set_client_CA_list(ctx2,
+ SSL_load_client_CA_file(s_server_config.CAfile));
}
BIO_printf(bio_s_out, "ACCEPT\n");
(void) BIO_flush(bio_s_out);
if (s_server_config.www)
- do_server(s_server_config.port, s_server_config.socket_type, &accept_socket, www_body, s_server_config.context);
+ do_server(s_server_config.port, s_server_config.socket_type,
+ &accept_socket, www_body, s_server_config.context);
else
- do_server(s_server_config.port, s_server_config.socket_type, &accept_socket, sv_body, s_server_config.context);
+ do_server(s_server_config.port, s_server_config.socket_type,
+ &accept_socket, sv_body, s_server_config.context);
print_stats(bio_s_out, ctx);
ret = 0;
end:
@@ -1445,10 +1474,14 @@ print_stats(BIO *bio, SSL_CTX *ssl_ctx)
SSL_CTX_sess_accept_renegotiate(ssl_ctx));
BIO_printf(bio, "%4ld server accepts that finished\n",
SSL_CTX_sess_accept_good(ssl_ctx));
- BIO_printf(bio, "%4ld session cache hits\n", SSL_CTX_sess_hits(ssl_ctx));
- BIO_printf(bio, "%4ld session cache misses\n", SSL_CTX_sess_misses(ssl_ctx));
- BIO_printf(bio, "%4ld session cache timeouts\n", SSL_CTX_sess_timeouts(ssl_ctx));
- BIO_printf(bio, "%4ld callback cache hits\n", SSL_CTX_sess_cb_hits(ssl_ctx));
+ BIO_printf(bio, "%4ld session cache hits\n",
+ SSL_CTX_sess_hits(ssl_ctx));
+ BIO_printf(bio, "%4ld session cache misses\n",
+ SSL_CTX_sess_misses(ssl_ctx));
+ BIO_printf(bio, "%4ld session cache timeouts\n",
+ SSL_CTX_sess_timeouts(ssl_ctx));
+ BIO_printf(bio, "%4ld callback cache hits\n",
+ SSL_CTX_sess_cb_hits(ssl_ctx));
BIO_printf(bio, "%4ld cache full overflows (%ld allowed)\n",
SSL_CTX_sess_cache_full(ssl_ctx),
SSL_CTX_sess_get_cache_size(ssl_ctx));
@@ -1485,7 +1518,8 @@ sv_body(char *hostname, int s, unsigned char *context)
if (s_server_config.tlsextstatus) {
SSL_CTX_set_tlsext_status_cb(ctx, cert_status_cb);
s_server_config.tlscstatp.err = bio_err;
- SSL_CTX_set_tlsext_status_arg(ctx, &s_server_config.tlscstatp);
+ SSL_CTX_set_tlsext_status_arg(ctx,
+ &s_server_config.tlscstatp);
}
if (context)
SSL_set_session_id_context(con, context,
@@ -1500,11 +1534,13 @@ sv_body(char *hostname, int s, unsigned char *context)
if (s_server_config.enable_timeouts) {
timeout.tv_sec = 0;
timeout.tv_usec = DGRAM_RCV_TIMEOUT;
- BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
+ BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0,
+ &timeout);
timeout.tv_sec = 0;
timeout.tv_usec = DGRAM_SND_TIMEOUT;
- BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
+ BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0,
+ &timeout);
}
if (s_server_config.socket_mtu > 28) {
SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
@@ -1567,7 +1603,8 @@ sv_body(char *hostname, int s, unsigned char *context)
i = poll(pfd, 2, ptimeout);
- if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0) {
+ if ((SSL_version(con) == DTLS1_VERSION) &&
+ DTLSv1_handle_timeout(con) > 0) {
BIO_printf(bio_err, "TIMEOUT occured\n");
}
if (i <= 0)
@@ -1638,7 +1675,9 @@ sv_body(char *hostname, int s, unsigned char *context)
if ((buf[0] == 'R') &&
((buf[1] == '\n') || (buf[1] == '\r'))) {
SSL_set_verify(con,
- SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, NULL);
+ SSL_VERIFY_PEER |
+ SSL_VERIFY_CLIENT_ONCE,
+ NULL);
SSL_renegotiate(con);
i = SSL_do_handshake(con);
printf("SSL_do_handshake -> %d\n", i);
@@ -1650,11 +1689,14 @@ sv_body(char *hostname, int s, unsigned char *context)
*/
}
if (buf[0] == 'P') {
- static const char *str = "Lets print some clear text\n";
- BIO_write(SSL_get_wbio(con), str, strlen(str));
+ static const char *str =
+ "Lets print some clear text\n";
+ BIO_write(SSL_get_wbio(con), str,
+ strlen(str));
}
if (buf[0] == 'S') {
- print_stats(bio_s_out, SSL_get_SSL_CTX(con));
+ print_stats(bio_s_out,
+ SSL_get_SSL_CTX(con));
}
}
l = k = 0;
@@ -1751,7 +1793,8 @@ sv_body(char *hostname, int s, unsigned char *context)
err:
if (con != NULL) {
BIO_printf(bio_s_out, "shutting down SSL\n");
- SSL_set_shutdown(con, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
+ SSL_set_shutdown(con,
+ SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
SSL_free(con);
}
BIO_printf(bio_s_out, "CONNECTION CLOSED\n");
@@ -1819,7 +1862,8 @@ init_ssl_connection(SSL *con)
= SSL_get_selected_srtp_profile(con);
if (srtp_profile)
- BIO_printf(bio_s_out, "SRTP Extension negotiated, profile=%s\n",
+ BIO_printf(bio_s_out,
+ "SRTP Extension negotiated, profile=%s\n",
srtp_profile->name);
}
#endif
@@ -1829,7 +1873,8 @@ init_ssl_connection(SSL *con)
SSL_get_secure_renegotiation_support(con) ? "" : " NOT");
if (s_server_config.keymatexportlabel != NULL) {
BIO_printf(bio_s_out, "Keying material exporter:\n");
- BIO_printf(bio_s_out, " Label: '%s'\n", s_server_config.keymatexportlabel);
+ BIO_printf(bio_s_out, " Label: '%s'\n",
+ s_server_config.keymatexportlabel);
BIO_printf(bio_s_out, " Length: %i bytes\n",
s_server_config.keymatexportlen);
exportedkeymat = malloc(s_server_config.keymatexportlen);
@@ -1950,8 +1995,10 @@ www_body(char *hostname, int s, unsigned char *context)
goto end;
}
/* else we have data */
- if (((s_server_config.www == 1) && (strncmp("GET ", buf, 4) == 0)) ||
- ((s_server_config.www == 2) && (strncmp("GET /stats ", buf, 11) == 0))) {
+ if (((s_server_config.www == 1) &&
+ (strncmp("GET ", buf, 4) == 0)) ||
+ ((s_server_config.www == 2) &&
+ (strncmp("GET /stats ", buf, 11) == 0))) {
char *p;
X509 *peer;
STACK_OF(SSL_CIPHER) *sk;
@@ -1977,7 +2024,8 @@ www_body(char *hostname, int s, unsigned char *context)
* The following is evil and should not really be
* done
*/
- BIO_printf(io, "Ciphers supported in s_server binary\n");
+ BIO_printf(io,
+ "Ciphers supported in s_server binary\n");
sk = SSL_get_ciphers(con);
j = sk_SSL_CIPHER_num(sk);
for (i = 0; i < j; i++) {
@@ -1991,14 +2039,16 @@ www_body(char *hostname, int s, unsigned char *context)
BIO_puts(io, "\n");
p = SSL_get_shared_ciphers(con, buf, bufsize);
if (p != NULL) {
- BIO_printf(io, "---\nCiphers common between both SSL end points:\n");
+ BIO_printf(io,
+ "---\nCiphers common between both SSL end points:\n");
j = i = 0;
while (*p) {
if (*p == ':') {
BIO_write(io, space, 26 - j);
i++;
j = 0;
- BIO_write(io, ((i % 3) ? " " : "\n"), 1);
+ BIO_write(io,
+ ((i % 3) ? " " : "\n"), 1);
} else {
BIO_write(io, p, 1);
j++;
@@ -2024,11 +2074,13 @@ www_body(char *hostname, int s, unsigned char *context)
X509_print(io, peer);
PEM_write_bio_X509(io, peer);
} else
- BIO_puts(io, "no client certificate available\n");
+ BIO_puts(io,
+ "no client certificate available\n");
BIO_puts(io, "</BODY></HTML>\r\n\r\n");
break;
- } else if ((s_server_config.www == 2 || s_server_config.www == 3)
- && (strncmp("GET /", buf, 5) == 0)) {
+ } else if ((s_server_config.www == 2 ||
+ s_server_config.www == 3) &&
+ (strncmp("GET /", buf, 5) == 0)) {
BIO *file;
char *p, *e;
static const char *text = "HTTP/1.0 200 ok\r\nContent-type: text/plain\r\n\r\n";
@@ -2049,30 +2101,35 @@ www_body(char *hostname, int s, unsigned char *context)
dot = (e[0] == '.') ? 3 : 0;
break;
case 3:
- dot = (e[0] == '/' || e[0] == '\\') ? -1 : 0;
+ dot = (e[0] == '/' || e[0] == '\\') ?
+ -1 : 0;
break;
}
if (dot == 0)
- dot = (e[0] == '/' || e[0] == '\\') ? 1 : 0;
+ dot = (e[0] == '/' || e[0] == '\\') ?
+ 1 : 0;
}
- dot = (dot == 3) || (dot == -1); /* filename contains
- * ".." component */
+ dot = (dot == 3) || (dot == -1); /* filename contains
+ * ".." component */
if (*e == '\0') {
BIO_puts(io, text);
- BIO_printf(io, "'%s' is an invalid file name\r\n", p);
+ BIO_printf(io,
+ "'%s' is an invalid file name\r\n", p);
break;
}
*e = '\0';
if (dot) {
BIO_puts(io, text);
- BIO_printf(io, "'%s' contains '..' reference\r\n", p);
+ BIO_printf(io,
+ "'%s' contains '..' reference\r\n", p);
break;
}
if (*p == '/') {
BIO_puts(io, text);
- BIO_printf(io, "'%s' is an invalid path\r\n", p);
+ BIO_printf(io,
+ "'%s' is an invalid path\r\n", p);
break;
}
/* if a directory, do the index thang */
@@ -2129,7 +2186,8 @@ www_body(char *hostname, int s, unsigned char *context)
if (!BIO_should_retry(io))
goto write_error;
else {
- BIO_printf(bio_s_out, "rwrite W BLOCK\n");
+ BIO_printf(bio_s_out,
+ "rwrite W BLOCK\n");
}
} else {
j += k;
@@ -2194,9 +2252,12 @@ static int
ssl_servername_cb(SSL *s, int *ad, void *arg)
{
tlsextctx *p = (tlsextctx *) arg;
- const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
+ const char *servername = SSL_get_servername(s,
+ TLSEXT_NAMETYPE_host_name);
+
if (servername && p->biodebug)
- BIO_printf(p->biodebug, "Hostname in TLS extension: \"%s\"\n", servername);
+ BIO_printf(p->biodebug, "Hostname in TLS extension: \"%s\"\n",
+ servername);
if (!p->servername)
return SSL_TLSEXT_ERR_NOACK;
@@ -2259,7 +2320,8 @@ cert_status_cb(SSL *s, void *arg)
sk_OPENSSL_STRING_value(aia, 0));
} else {
if (!srctx->host) {
- BIO_puts(srctx->err, "cert_status: no AIA and no default responder URL\n");
+ BIO_puts(srctx->err,
+ "cert_status: no AIA and no default responder URL\n");
goto done;
}
host = srctx->host;
@@ -2274,7 +2336,8 @@ cert_status_cb(SSL *s, void *arg)
goto err;
if (X509_STORE_get_by_subject(&inctx, X509_LU_X509,
X509_get_issuer_name(x), &obj) <= 0) {
- BIO_puts(err, "cert_status: Can't retrieve issuer certificate.\n");
+ BIO_puts(err,
+ "cert_status: Can't retrieve issuer certificate.\n");
X509_STORE_CTX_cleanup(&inctx);
goto done;
}