56
56
* [including the GNU Public Licence.]
58
58
/* ====================================================================
59
* Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
59
* Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
61
61
* Redistribution and use in source and binary forms, with or without
62
62
* modification, are permitted provided that the following conditions
113
113
* ECC cipher suite support in OpenSSL originally developed by
114
114
* SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
116
/* ====================================================================
117
* Copyright 2005 Nokia. All rights reserved.
119
* The portions of the attached software ("Contribution") is developed by
120
* Nokia Corporation and is licensed pursuant to the OpenSSL open source
123
* The Contribution, originally written by Mika Kousa and Pasi Eronen of
124
* Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
125
* support (see RFC 4279) to OpenSSL.
127
* No patent licenses or other rights except those expressly stated in
128
* the OpenSSL open source license shall be deemed granted or received
129
* expressly, by implication, estoppel, or otherwise.
131
* No assurances are provided by Nokia that the Contribution does not
132
* infringe the patent or other intellectual property rights of any third
133
* party or that the license provides you with all the necessary rights
134
* to make use of the Contribution.
136
* THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
137
* ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
138
* SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
139
* OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
117
143
/* Until the key-gen callbacks are modified to use newer prototypes, we allow
118
144
* deprecated functions for openssl-internal code */
163
189
#include "s_apps.h"
164
190
#include "timeouts.h"
166
#ifdef OPENSSL_SYS_WINCE
167
/* Windows CE incorrectly defines fileno as returning void*, so to avoid problems below... */
171
#define fileno(a) (int)_fileno(a)
174
192
#if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
175
193
/* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
197
#if defined(OPENSSL_SYS_BEOS_R5)
179
201
#ifndef OPENSSL_NO_RSA
180
202
static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength);
196
218
static void s_server_init(void);
200
# if defined(_S_IFMT) && defined(_S_IFDIR)
201
# define S_ISDIR(a) (((a) & _S_IFMT) == _S_IFDIR)
203
# define S_ISDIR(a) (((a) & S_IFMT) == S_IFDIR)
207
221
#ifndef OPENSSL_NO_DH
208
222
static unsigned char dh512_p[]={
209
223
0xDA,0x58,0x3C,0x16,0xD9,0x85,0x22,0x89,0xD0,0xE4,0xAF,0x75,
246
260
#define PROG s_server_main
248
extern int verify_depth;
262
extern int verify_depth, verify_return_error;
250
264
static char *cipher=NULL;
251
265
static int s_server_verify=SSL_VERIFY_NONE;
288
302
static int cert_chain = 0;
305
#ifndef OPENSSL_NO_PSK
306
static char *psk_identity="Client_identity";
307
char *psk_key=NULL; /* by default PSK is not used */
309
static unsigned int psk_server_cb(SSL *ssl, const char *identity,
310
unsigned char *psk, unsigned int max_psk_len)
312
unsigned int psk_len = 0;
317
BIO_printf(bio_s_out,"psk_server_cb\n");
320
BIO_printf(bio_err,"Error: client did not send PSK identity\n");
324
BIO_printf(bio_s_out,"identity_len=%d identity=%s\n",
325
identity ? (int)strlen(identity) : 0, identity);
327
/* here we could lookup the given identity e.g. from a database */
328
if (strcmp(identity, psk_identity) != 0)
330
BIO_printf(bio_s_out, "PSK error: client identity not found"
331
" (got '%s' expected '%s')\n", identity,
336
BIO_printf(bio_s_out, "PSK client identity found\n");
338
/* convert the PSK key to binary */
339
ret = BN_hex2bn(&bn, psk_key);
342
BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", psk_key);
347
if (BN_num_bytes(bn) > (int)max_psk_len)
349
BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n",
350
max_psk_len, BN_num_bytes(bn));
355
ret = BN_bn2bin(bn, psk);
360
psk_len = (unsigned int)ret;
363
BIO_printf(bio_s_out, "fetched PSK len=%d\n", psk_len);
367
BIO_printf(bio_err, "Error in PSK server callback\n");
293
373
static void s_server_init(void)
352
432
#ifndef OPENSSL_NO_ECDH
353
433
BIO_printf(bio_err," -named_curve arg - Elliptic curve name to use for ephemeral ECDH keys.\n" \
354
434
" Use \"openssl ecparam -list_curves\" for all names\n" \
355
" (default is sect163r2).\n");
435
" (default is nistp256).\n");
358
438
BIO_printf(bio_err," -nbio - Run with non-blocking IO\n");
369
449
BIO_printf(bio_err," -serverpref - Use server's cipher preferences\n");
370
450
BIO_printf(bio_err," -quiet - No server output\n");
371
451
BIO_printf(bio_err," -no_tmp_rsa - Do not generate a tmp RSA key\n");
452
#ifndef OPENSSL_NO_PSK
453
BIO_printf(bio_err," -psk_hint arg - PSK identity hint to use\n");
454
BIO_printf(bio_err," -psk arg - PSK in hex (without 0x)\n");
455
# ifndef OPENSSL_NO_JPAKE
456
BIO_printf(bio_err," -jpake arg - JPAKE secret to use\n");
372
459
BIO_printf(bio_err," -ssl2 - Just talk SSLv2\n");
373
460
BIO_printf(bio_err," -ssl3 - Just talk SSLv3\n");
374
461
BIO_printf(bio_err," -tls1 - Just talk TLSv1\n");
648
735
aia = X509_get1_ocsp(x);
651
if (!OCSP_parse_url(sk_value(aia, 0),
738
if (!OCSP_parse_url(sk_OPENSSL_STRING_value(aia, 0),
652
739
&host, &port, &path, &use_ssl))
654
741
BIO_puts(err, "cert_status: can't parse AIA URL\n");
701
788
if (!OCSP_REQUEST_add_ext(req, ext, -1))
704
resp = process_responder(err, req, host, path, port, use_ssl,
791
resp = process_responder(err, req, host, path, port, use_ssl, NULL,
749
837
int MAIN(int argc, char *argv[])
751
X509_STORE *store = NULL;
839
X509_VERIFY_PARAM *vpm = NULL;
754
842
char *CApath=NULL,*CAfile=NULL;
755
843
unsigned char *context = NULL;
763
851
int no_tmp_rsa=0,no_dhe=0,no_ecdhe=0,nocert=0;
765
SSL_METHOD *meth=NULL;
766
int socket_type=SOCK_STREAM;
853
const SSL_METHOD *meth=NULL;
854
int socket_type=SOCK_STREAM;
768
856
char *inrand=NULL;
769
857
int s_cert_format = FORMAT_PEM, s_key_format = FORMAT_PEM;
780
868
#ifndef OPENSSL_NO_TLSEXT
781
869
tlsextctx tlsextcbp = {NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING};
871
#ifndef OPENSSL_NO_PSK
872
/* by default do not send a PSK identity hint */
873
static char *psk_identity_hint=NULL;
784
875
#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
785
876
meth=SSLv23_server_method();
786
877
#elif !defined(OPENSSL_NO_SSL3)
915
1006
else if (strcmp(*argv,"-no_cache") == 0)
917
else if (strcmp(*argv,"-crl_check") == 0)
919
vflags |= X509_V_FLAG_CRL_CHECK;
921
else if (strcmp(*argv,"-crl_check_all") == 0)
923
vflags |= X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL;
1008
else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm))
1014
else if (strcmp(*argv,"-verify_return_error") == 0)
1015
verify_return_error = 1;
925
1016
else if (strcmp(*argv,"-serverpref") == 0)
926
1017
{ off|=SSL_OP_CIPHER_SERVER_PREFERENCE; }
927
1018
else if (strcmp(*argv,"-legacy_renegotiation") == 0)
999
1090
else if (strcmp(*argv,"-no_ecdhe") == 0)
1000
1091
{ no_ecdhe=1; }
1092
#ifndef OPENSSL_NO_PSK
1093
else if (strcmp(*argv,"-psk_hint") == 0)
1095
if (--argc < 1) goto bad;
1096
psk_identity_hint= *(++argv);
1098
else if (strcmp(*argv,"-psk") == 0)
1102
if (--argc < 1) goto bad;
1104
for (i=0; i<strlen(psk_key); i++)
1106
if (isxdigit((int)psk_key[i]))
1108
BIO_printf(bio_err,"Not a hex number '%s'\n",*argv);
1001
1113
else if (strcmp(*argv,"-www") == 0)
1003
1115
else if (strcmp(*argv,"-WWW") == 0)
1010
1122
{ off|=SSL_OP_NO_SSLv3; }
1011
1123
else if (strcmp(*argv,"-no_tls1") == 0)
1012
1124
{ off|=SSL_OP_NO_TLSv1; }
1125
else if (strcmp(*argv,"-no_comp") == 0)
1126
{ off|=SSL_OP_NO_COMPRESSION; }
1013
1127
#ifndef OPENSSL_NO_TLSEXT
1014
1128
else if (strcmp(*argv,"-no_ticket") == 0)
1015
1129
{ off|=SSL_OP_NO_TICKET; }
1219
#if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
1225
"Can't use JPAKE and PSK together\n");
1228
psk_identity = "JPAKE";
1231
BIO_printf(bio_err, "JPAKE sets cipher to PSK\n");
1105
1239
SSL_load_error_strings();
1106
1240
OpenSSL_add_ssl_algorithms();
1282
1418
ERR_print_errors(bio_err);
1283
1419
/* goto end; */
1285
store = SSL_CTX_get_cert_store(ctx);
1286
X509_STORE_set_flags(store, vflags);
1422
SSL_CTX_set1_param(ctx, vpm);
1287
1424
#ifndef OPENSSL_NO_TLSEXT
1319
1456
if (bugs) SSL_CTX_set_options(ctx2,SSL_OP_ALL);
1320
1457
if (hack) SSL_CTX_set_options(ctx2,SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG);
1321
1458
SSL_CTX_set_options(ctx2,off);
1323
1459
/* DTLS: partial reads end up discarding unread UDP bytes :-(
1324
1460
* Setting read ahead solves this problem.
1326
1462
if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx2, 1);
1329
1464
if (state) SSL_CTX_set_info_callback(ctx2,apps_ssl_info_callback);
1339
1474
ERR_print_errors(bio_err);
1341
store = SSL_CTX_get_cert_store(ctx2);
1342
X509_STORE_set_flags(store, vflags);
1477
SSL_CTX_set1_param(ctx2, vpm);
1347
1481
#ifndef OPENSSL_NO_DH
1421
1555
BIO_printf(bio_s_out,"Using default temp ECDH parameters\n");
1422
ecdh = EC_KEY_new_by_curve_name(NID_sect163r2);
1556
ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
1423
1557
if (ecdh == NULL)
1425
BIO_printf(bio_err, "unable to create curve (sect163r2)\n");
1559
BIO_printf(bio_err, "unable to create curve (nistp256)\n");
1627
#ifndef OPENSSL_NO_PSK
1628
#ifdef OPENSSL_NO_JPAKE
1629
if (psk_key != NULL)
1631
if (psk_key != NULL || jpake_secret)
1635
BIO_printf(bio_s_out, "PSK key given or JPAKE in use, setting server callback\n");
1636
SSL_CTX_set_psk_server_callback(ctx, psk_server_cb);
1639
if (!SSL_CTX_use_psk_identity_hint(ctx, psk_identity_hint))
1641
BIO_printf(bio_err,"error setting PSK identity hint to context\n");
1642
ERR_print_errors(bio_err);
1493
1647
if (cipher != NULL)
1494
if(!SSL_CTX_set_cipher_list(ctx,cipher)) {
1495
BIO_printf(bio_err,"error setting cipher list\n");
1496
ERR_print_errors(bio_err);
1649
if(!SSL_CTX_set_cipher_list(ctx,cipher))
1651
BIO_printf(bio_err,"error setting cipher list\n");
1652
ERR_print_errors(bio_err);
1498
1655
#ifndef OPENSSL_NO_TLSEXT
1499
1656
if (ctx2 && !SSL_CTX_set_cipher_list(ctx2,cipher))
1507
1664
SSL_CTX_set_verify(ctx,s_server_verify,verify_callback);
1508
1665
SSL_CTX_set_session_id_context(ctx,(void*)&s_server_session_id_context,
1509
1666
sizeof s_server_session_id_context);
1534
1692
SSL_CTX_set_client_CA_list(ctx2,SSL_load_client_CA_file(CAfile));
1537
1696
BIO_printf(bio_s_out,"ACCEPT\n");
1697
(void)BIO_flush(bio_s_out);
1539
1699
do_server(port,socket_type,&accept_socket,www_body, context);
1658
1818
strlen((char *)context));
1660
1820
SSL_clear(con);
1822
#ifdef TLSEXT_TYPE_opaque_prf_input
1823
SSL_set_tlsext_opaque_prf_input(con, "Test server", 11);
1662
1827
if (SSL_version(con) == DTLS1_VERSION)
1665
1830
sbio=BIO_new_dgram(s,BIO_NOCLOSE);
1667
if ( enable_timeouts)
1832
if (enable_timeouts)
1669
1834
timeout.tv_sec = 0;
1670
1835
timeout.tv_usec = DGRAM_RCV_TIMEOUT;
1738
1902
if (!read_from_sslcon)
1740
1904
FD_ZERO(&readfds);
1741
#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE)
1742
FD_SET(fileno(stdin),&readfds);
1905
#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE) && !defined(OPENSSL_SYS_BEOS_R5)
1906
openssl_fdset(fileno(stdin),&readfds);
1908
openssl_fdset(s,&readfds);
1745
1909
/* Note: under VMS with SOCKETSHR the second parameter is
1746
1910
* currently of type (int *) whereas under other systems
1747
1911
* it is (void *) if you don't have a cast it will choke
1760
1924
if((i < 0) || (!i && !_kbhit() ) )continue;
1762
1926
read_from_terminal = 1;
1927
#elif defined(OPENSSL_SYS_BEOS_R5)
1928
/* Under BeOS-R5 the situation is similar to DOS */
1931
(void)fcntl(fileno(stdin), F_SETFL, O_NONBLOCK);
1932
i=select(width,(void *)&readfds,NULL,NULL,&tv);
1933
if ((i < 0) || (!i && read(fileno(stdin), buf, 0) < 0))
1935
if (read(fileno(stdin), buf, 0) >= 0)
1936
read_from_terminal = 1;
1937
(void)fcntl(fileno(stdin), F_SETFL, 0);
1764
1939
if ((SSL_version(con) == DTLS1_VERSION) &&
1765
1940
DTLSv1_get_timeout(con, &timeout))
1790
i=read(fileno(stdin), buf, bufsize/2);
1965
i=raw_read_stdin(buf, bufsize/2);
1792
1967
/* both loops are skipped when i <= 0 */
1793
1968
for (j = 0; j < i; j++)
1949
BIO_printf(bio_s_out,"shutting down SSL\n");
2127
BIO_printf(bio_s_out,"shutting down SSL\n");
1951
SSL_set_shutdown(con,SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
2129
SSL_set_shutdown(con,SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
1955
if (con != NULL) SSL_free(con);
1956
2135
BIO_printf(bio_s_out,"CONNECTION CLOSED\n");
1957
2136
if (buf != NULL)
2350
2526
/* if a directory, do the index thang */
2351
if (stat(p,&st_buf) < 0)
2354
BIO_printf(io,"Error accessing '%s'\r\n",p);
2355
ERR_print_errors(io);
2358
if (S_ISDIR(st_buf.st_mode))
2360
2529
#if 0 /* must check buffer size */
2361
2530
strcat(p,"/index.html");