diff options
author | Matt Caswell <matt@openssl.org> | 2015-05-15 10:49:56 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2015-05-22 23:10:51 +0100 |
commit | e481f9b90b164fd1053015d1c4e0a0d92076d7a8 (patch) | |
tree | 2dbf5d699977893b677a18b213f31c61b59d468b /apps/s_server.c | |
parent | 552bf8ec5e64d1a169069111850ebc5d250e0499 (diff) | |
download | openssl-e481f9b90b164fd1053015d1c4e0a0d92076d7a8.tar.gz |
Remove support for OPENSSL_NO_TLSEXT
Given the pervasive nature of TLS extensions it is inadvisable to run
OpenSSL without support for them. It also means that maintaining
the OPENSSL_NO_TLSEXT option within the code is very invasive (and probably
not well tested). Therefore it is being removed.
Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
Diffstat (limited to 'apps/s_server.c')
-rw-r--r-- | apps/s_server.c | 111 |
1 files changed, 32 insertions, 79 deletions
diff --git a/apps/s_server.c b/apps/s_server.c index 5500ceadbc..6bbabcc5f4 100644 --- a/apps/s_server.c +++ b/apps/s_server.c @@ -218,9 +218,7 @@ static int bufsize = BUFSIZZ; static int accept_socket = -1; #define TEST_CERT "server.pem" -#ifndef OPENSSL_NO_TLSEXT -# define TEST_CERT2 "server2.pem" -#endif +#define TEST_CERT2 "server2.pem" extern int verify_depth, verify_return_error, verify_quiet; @@ -229,9 +227,7 @@ static int s_server_session_id_context = 1; /* anything will do */ static const char *s_cert_file = TEST_CERT, *s_key_file = NULL, *s_chain_file = NULL; -#ifndef OPENSSL_NO_TLSEXT static const char *s_cert_file2 = TEST_CERT2, *s_key_file2 = NULL; -#endif static char *s_dcert_file = NULL, *s_dkey_file = NULL, *s_dchain_file = NULL; #ifdef FIONBIO static int s_nbio = 0; @@ -239,19 +235,15 @@ static int s_nbio = 0; static int s_nbio_test = 0; int s_crlf = 0; static SSL_CTX *ctx = NULL; -#ifndef OPENSSL_NO_TLSEXT static SSL_CTX *ctx2 = NULL; -#endif static int www = 0; static BIO *bio_s_out = NULL; static BIO *bio_s_msg = NULL; static int s_debug = 0; -#ifndef OPENSSL_NO_TLSEXT static int s_tlsextdebug = 0; static int s_tlsextstatus = 0; static int cert_status_cb(SSL *s, void *arg); -#endif static int no_resume_ephemeral = 0; static int s_msg = 0; static int s_quiet = 0; @@ -272,12 +264,9 @@ static long socket_mtu; static int cert_chain = 0; #endif -#ifndef OPENSSL_NO_TLSEXT static BIO *serverinfo_in = NULL; static const char *s_serverinfo_file = NULL; -#endif - #ifndef OPENSSL_NO_PSK static char *psk_identity = "Client_identity"; char *psk_key = NULL; /* by default PSK is not used */ @@ -401,11 +390,9 @@ static void s_server_init(void) s_cert_file = TEST_CERT; s_key_file = NULL; s_chain_file = NULL; -#ifndef OPENSSL_NO_TLSEXT s_cert_file2 = TEST_CERT2; s_key_file2 = NULL; ctx2 = NULL; -#endif s_nbio = 0; s_nbio_test = 0; ctx = NULL; @@ -575,8 +562,6 @@ static int ebcdic_puts(BIO *bp, const char *str) } #endif -#ifndef OPENSSL_NO_TLSEXT - /* This is a context that we pass to callbacks */ typedef struct tlsextctx_st { char *servername; @@ -732,7 +717,7 @@ static int cert_status_cb(SSL *s, void *arg) goto done; } -# ifndef OPENSSL_NO_NEXTPROTONEG +#ifndef OPENSSL_NO_NEXTPROTONEG /* This is the context that we pass to next_proto_cb */ typedef struct tlsextnextprotoctx_st { unsigned char *data; @@ -749,7 +734,7 @@ static int next_proto_cb(SSL *s, const unsigned char **data, return SSL_TLSEXT_ERR_OK; } -# endif /* ndef OPENSSL_NO_NEXTPROTONEG */ +#endif /* ndef OPENSSL_NO_NEXTPROTONEG */ /* This the context that we pass to alpn_cb */ typedef struct tlsextalpnctx_st { @@ -789,7 +774,6 @@ static int alpn_cb(SSL *s, const unsigned char **out, unsigned char *outlen, return SSL_TLSEXT_ERR_OK; } -#endif /* ndef OPENSSL_NO_TLSEXT */ static int not_resumable_sess_cb(SSL *s, int is_forward_secure) { @@ -849,10 +833,8 @@ OPTIONS s_server_options[] = { "Turn on peer certificate verification, must have a cert"}, {"cert", OPT_CERT, '<', "Certificate file to use; default is " TEST_CERT}, {"naccept", OPT_NACCEPT, 'p', "Terminate after pnum connections"}, -#ifndef OPENSSL_NO_TLSEXT {"serverinfo", OPT_SERVERINFO, 's', "PEM serverinfo file for certificate"}, -#endif {"certform", OPT_CERTFORM, 'F', "Certificate format (PEM or DER) PEM default"}, {"key", OPT_KEY, '<', @@ -924,7 +906,6 @@ OPTIONS s_server_options[] = { "Generate SSL/TLS session IDs prefixed by arg"}, {"rand", OPT_RAND, 's', "Load the file(s) into the random number generator"}, -#ifndef OPENSSL_NO_TLSEXT {"servername", OPT_SERVERNAME, 's', "Servername for HostName TLS extension"}, {"servername_fatal", OPT_SERVERNAME_FATAL, '-', @@ -935,15 +916,14 @@ OPTIONS s_server_options[] = { "-Private Key file to use for servername if not in -cert2"}, {"tlsextdebug", OPT_TLSEXTDEBUG, '-', "Hex dump of all TLS extensions received"}, -# ifndef OPENSSL_NO_NEXTPROTONEG +#ifndef OPENSSL_NO_NEXTPROTONEG {"nextprotoneg", OPT_NEXTPROTONEG, 's', "Set the advertised protocols for the NPN extension (comma-separated list)"}, -# endif +#endif {"use_srtp", OPT_SRTP_PROFILES, '<', "Offer SRTP key management with a colon-separated profile list"}, {"alpn", OPT_ALPN, 's', "Set the advertised protocols for the ALPN extension (comma-separated list)"}, -#endif {"keymatexport", OPT_KEYMATEXPORT, 's', "Export keying material using label"}, {"keymatexportlen", OPT_KEYMATEXPORTLEN, 'p', @@ -1016,17 +996,15 @@ int s_server_main(int argc, char *argv[]) unsigned short port = PORT; unsigned char *context = NULL; OPTION_CHOICE o; -#ifndef OPENSSL_NO_TLSEXT EVP_PKEY *s_key2 = NULL; X509 *s_cert2 = NULL; tlsextctx tlsextcbp = { NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING }; -# ifndef OPENSSL_NO_NEXTPROTONEG +#ifndef OPENSSL_NO_NEXTPROTONEG const char *next_proto_neg_in = NULL; tlsextnextprotoctx next_proto = { NULL, 0 }; -# endif +#endif const char *alpn_in = NULL; tlsextalpnctx alpn_ctx = { NULL, 0 }; -#endif #ifndef OPENSSL_NO_PSK /* by default do not send a PSK identity hint */ static char *psk_identity_hint = NULL; @@ -1122,11 +1100,9 @@ int s_server_main(int argc, char *argv[]) case OPT_CRL_DOWNLOAD: crl_download = 1; break; -#ifndef OPENSSL_NO_TLSEXT case OPT_SERVERINFO: s_serverinfo_file = opt_arg(); break; -#endif case OPT_CERTFORM: if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &s_cert_format)) goto opthelp; @@ -1241,7 +1217,6 @@ int s_server_main(int argc, char *argv[]) case OPT_DEBUG: s_debug = 1; break; -#ifndef OPENSSL_NO_TLSEXT case OPT_TLSEXTDEBUG: s_tlsextdebug = 1; break; @@ -1265,7 +1240,6 @@ int s_server_main(int argc, char *argv[]) goto end; } break; -#endif case OPT_MSG: s_msg = 1; break; @@ -1395,7 +1369,6 @@ int s_server_main(int argc, char *argv[]) case OPT_RAND: inrand = opt_arg(); break; -#ifndef OPENSSL_NO_TLSEXT case OPT_SERVERNAME: tlsextcbp.servername = opt_arg(); break; @@ -1408,15 +1381,14 @@ int s_server_main(int argc, char *argv[]) case OPT_KEY2: s_key_file2 = opt_arg(); break; -# ifndef OPENSSL_NO_NEXTPROTONEG +#ifndef OPENSSL_NO_NEXTPROTONEG case OPT_NEXTPROTONEG: next_proto_neg_in = opt_arg(); break; -# endif +#endif case OPT_ALPN: alpn_in = opt_arg(); break; -#endif #if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK) case OPT_JPAKE: jpake_secret = opt_arg(); @@ -1468,10 +1440,9 @@ int s_server_main(int argc, char *argv[]) if (s_key_file == NULL) s_key_file = s_cert_file; -#ifndef OPENSSL_NO_TLSEXT + if (s_key_file2 == NULL) s_key_file2 = s_cert_file2; -#endif if (!load_excert(&exc)) goto end; @@ -1497,7 +1468,7 @@ int s_server_main(int argc, char *argv[]) if (!s_chain) goto end; } -#ifndef OPENSSL_NO_TLSEXT + if (tlsextcbp.servername) { s_key2 = load_key(s_key_file2, s_key_format, 0, pass, e, "second server certificate private key file"); @@ -1514,10 +1485,8 @@ int s_server_main(int argc, char *argv[]) goto end; } } -#endif /* OPENSSL_NO_TLSEXT */ } -#if !defined(OPENSSL_NO_TLSEXT) -# if !defined(OPENSSL_NO_NEXTPROTONEG) +#if !defined(OPENSSL_NO_NEXTPROTONEG) if (next_proto_neg_in) { unsigned short len; next_proto.data = next_protos_parse(&len, next_proto_neg_in); @@ -1527,7 +1496,7 @@ int s_server_main(int argc, char *argv[]) } else { next_proto.data = NULL; } -# endif +#endif alpn_ctx.data = NULL; if (alpn_in) { unsigned short len; @@ -1536,7 +1505,6 @@ int s_server_main(int argc, char *argv[]) goto end; alpn_ctx.len = len; } -#endif if (crl_file) { X509_CRL *crl; @@ -1610,10 +1578,8 @@ int s_server_main(int argc, char *argv[]) s_key_file = NULL; s_dcert_file = NULL; s_dkey_file = NULL; -#ifndef OPENSSL_NO_TLSEXT s_cert_file2 = NULL; s_key_file2 = NULL; -#endif } ctx = SSL_CTX_new(meth); @@ -1678,7 +1644,7 @@ int s_server_main(int argc, char *argv[]) ERR_print_errors(bio_err); goto end; } -#ifndef OPENSSL_NO_TLSEXT + if (s_cert2) { ctx2 = SSL_CTX_new(meth); if (ctx2 == NULL) { @@ -1732,14 +1698,13 @@ int s_server_main(int argc, char *argv[]) if (!config_ctx(cctx, ssl_args, ctx2, no_ecdhe, jpake_secret == NULL)) goto end; } -# ifndef OPENSSL_NO_NEXTPROTONEG +#ifndef OPENSSL_NO_NEXTPROTONEG if (next_proto.data) SSL_CTX_set_next_protos_advertised_cb(ctx, next_proto_cb, &next_proto); -# endif +#endif if (alpn_ctx.data) SSL_CTX_set_alpn_select_cb(ctx, alpn_cb, &alpn_ctx); -#endif #ifndef OPENSSL_NO_DH if (!no_dhe) { @@ -1765,7 +1730,7 @@ int s_server_main(int argc, char *argv[]) DH_free(dh); goto end; } -# ifndef OPENSSL_NO_TLSEXT + if (ctx2) { if (!dhfile) { DH *dh2 = load_dh_param(s_cert_file2); @@ -1786,24 +1751,22 @@ int s_server_main(int argc, char *argv[]) goto end; } } -# endif DH_free(dh); } #endif if (!set_cert_key_stuff(ctx, s_cert, s_key, s_chain, build_chain)) goto end; -#ifndef OPENSSL_NO_TLSEXT + if (s_serverinfo_file != NULL && !SSL_CTX_use_serverinfo_file(ctx, s_serverinfo_file)) { ERR_print_errors(bio_err); goto end; } -#endif -#ifndef OPENSSL_NO_TLSEXT + if (ctx2 && !set_cert_key_stuff(ctx2, s_cert2, s_key2, NULL, build_chain)) goto end; -#endif + if (s_dcert != NULL) { if (!set_cert_key_stuff(ctx, s_dcert, s_dkey, s_dchain, build_chain)) goto end; @@ -1811,21 +1774,18 @@ int s_server_main(int argc, char *argv[]) #ifndef OPENSSL_NO_RSA if (!no_tmp_rsa) { SSL_CTX_set_tmp_rsa_callback(ctx, tmp_rsa_cb); -# ifndef OPENSSL_NO_TLSEXT if (ctx2) SSL_CTX_set_tmp_rsa_callback(ctx2, tmp_rsa_cb); -# endif } #endif if (no_resume_ephemeral) { SSL_CTX_set_not_resumable_session_callback(ctx, not_resumable_sess_cb); -#ifndef OPENSSL_NO_TLSEXT + if (ctx2) SSL_CTX_set_not_resumable_session_callback(ctx2, not_resumable_sess_cb); -#endif } #ifndef OPENSSL_NO_PSK # ifdef OPENSSL_NO_JPAKE @@ -1860,7 +1820,6 @@ int s_server_main(int argc, char *argv[]) SSL_CTX_set_cookie_generate_cb(ctx, generate_cookie_callback); SSL_CTX_set_cookie_verify_cb(ctx, verify_cookie_callback); -#ifndef OPENSSL_NO_TLSEXT if (ctx2) { SSL_CTX_set_verify(ctx2, s_server_verify, verify_callback); if (!SSL_CTX_set_session_id_context(ctx2, @@ -1876,7 +1835,6 @@ int s_server_main(int argc, char *argv[]) SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb); SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp); } -#endif #ifndef OPENSSL_NO_SRP if (srp_verifier_file != NULL) { @@ -1898,10 +1856,9 @@ int s_server_main(int argc, char *argv[]) #endif if (CAfile != NULL) { SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(CAfile)); -#ifndef OPENSSL_NO_TLSEXT + if (ctx2) SSL_CTX_set_client_CA_list(ctx2, SSL_load_client_CA_file(CAfile)); -#endif } BIO_printf(bio_s_out, "ACCEPT\n"); @@ -1937,7 +1894,6 @@ int s_server_main(int argc, char *argv[]) OPENSSL_free(dpass); X509_VERIFY_PARAM_free(vpm); free_sessions(); -#ifndef OPENSSL_NO_TLSEXT OPENSSL_free(tlscstatp.host); OPENSSL_free(tlscstatp.port); OPENSSL_free(tlscstatp.path); @@ -1945,11 +1901,10 @@ int s_server_main(int argc, char *argv[]) X509_free(s_cert2); EVP_PKEY_free(s_key2); BIO_free(serverinfo_in); -# ifndef OPENSSL_NO_NEXTPROTONEG +#ifndef OPENSSL_NO_NEXTPROTONEG OPENSSL_free(next_proto.data); -# endif - OPENSSL_free(alpn_ctx.data); #endif + OPENSSL_free(alpn_ctx.data); ssl_excert_free(exc); sk_OPENSSL_STRING_free(ssl_args); SSL_CONF_CTX_free(cctx); @@ -2018,7 +1973,7 @@ static int sv_body(char *hostname, int s, int stype, unsigned char *context) if (con == NULL) { con = SSL_new(ctx); -#ifndef OPENSSL_NO_TLSEXT + if (s_tlsextdebug) { SSL_set_tlsext_debug_callback(con, tlsext_cb); SSL_set_tlsext_debug_arg(con, bio_s_out); @@ -2027,7 +1982,7 @@ static int sv_body(char *hostname, int s, int stype, unsigned char *context) SSL_CTX_set_tlsext_status_cb(ctx, cert_status_cb); SSL_CTX_set_tlsext_status_arg(ctx, &tlscstatp); } -#endif + if (context && !SSL_set_session_id_context(con, context, strlen((char *)context))) { @@ -2109,12 +2064,11 @@ static int sv_body(char *hostname, int s, int stype, unsigned char *context) SSL_set_msg_callback(con, msg_cb); SSL_set_msg_callback_arg(con, bio_s_msg ? bio_s_msg : bio_s_out); } -#ifndef OPENSSL_NO_TLSEXT + if (s_tlsextdebug) { SSL_set_tlsext_debug_callback(con, tlsext_cb); SSL_set_tlsext_debug_arg(con, bio_s_out); } -#endif width = s + 1; for (;;) { @@ -2399,7 +2353,7 @@ static int init_ssl_connection(SSL *con) X509 *peer; long verify_error; char buf[BUFSIZ]; -#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) +#if !defined(OPENSSL_NO_NEXTPROTONEG) const unsigned char *next_proto_neg; unsigned next_proto_neg_len; #endif @@ -2476,7 +2430,7 @@ static int init_ssl_connection(SSL *con) #endif BIO_printf(bio_s_out, "CIPHER is %s\n", (str != NULL) ? str : "(NONE)"); -#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) +#if !defined(OPENSSL_NO_NEXTPROTONEG) SSL_get0_next_proto_negotiated(con, &next_proto_neg, &next_proto_neg_len); if (next_proto_neg) { BIO_printf(bio_s_out, "NEXTPROTO is "); @@ -2574,12 +2528,12 @@ static int www_body(char *hostname, int s, int stype, unsigned char *context) if ((con = SSL_new(ctx)) == NULL) goto err; -#ifndef OPENSSL_NO_TLSEXT + if (s_tlsextdebug) { SSL_set_tlsext_debug_callback(con, tlsext_cb); SSL_set_tlsext_debug_arg(con, bio_s_out); } -#endif + if (context && !SSL_set_session_id_context(con, context, strlen((char *)context))) goto err; @@ -2920,12 +2874,11 @@ static int rev_body(char *hostname, int s, int stype, unsigned char *context) if ((con = SSL_new(ctx)) == NULL) goto err; -#ifndef OPENSSL_NO_TLSEXT + if (s_tlsextdebug) { SSL_set_tlsext_debug_callback(con, tlsext_cb); SSL_set_tlsext_debug_arg(con, bio_s_out); } -#endif if (context && !SSL_set_session_id_context(con, context, strlen((char *)context))) { ERR_print_errors(bio_err); |