generic-library/openssl
1
0
Fork 0
Code Issues Pull Requests Releases Wiki Activity

Remove support for OPENSSL_NO_TLSEXT

Browse Source 
Given the pervasive nature of TLS extensions it is inadvisable to run
OpenSSL without support for them. It also means that maintaining
the OPENSSL_NO_TLSEXT option within the code is very invasive (and probably
not well tested). Therefore it is being removed.

Reviewed-by: Rich Salz <rsalz@openssl.org>
Reviewed-by: Richard Levitte <levitte@openssl.org>
This commit is contained in:
Matt Caswell
2015-05-15 10:49:56 +01:00
parent 552bf8ec5e
commit e481f9b90b
27 changed files with 328 additions and 619 deletions
Download Patch File Download Diff File Expand all files Collapse all files

111
apps/s_server.c
View File

@@ -218,9 +218,7 @@ static int bufsize = BUFSIZZ;
static int accept_socket = -1;
#define TEST_CERT "server.pem"
#ifndef OPENSSL_NO_TLSEXT
# define TEST_CERT2 "server2.pem"
#endif
#define TEST_CERT2 "server2.pem"
extern int verify_depth, verify_return_error, verify_quiet;
@@ -229,9 +227,7 @@ static int s_server_session_id_context = 1; /* anything will do */
static const char *s_cert_file = TEST_CERT, *s_key_file =
NULL, *s_chain_file = NULL;
#ifndef OPENSSL_NO_TLSEXT
static const char *s_cert_file2 = TEST_CERT2, *s_key_file2 = NULL;
#endif
static char *s_dcert_file = NULL, *s_dkey_file = NULL, *s_dchain_file = NULL;
#ifdef FIONBIO
static int s_nbio = 0;
@@ -239,19 +235,15 @@ static int s_nbio = 0;
static int s_nbio_test = 0;
int s_crlf = 0;
static SSL_CTX *ctx = NULL;
#ifndef OPENSSL_NO_TLSEXT
static SSL_CTX *ctx2 = NULL;
#endif
static int www = 0;
static BIO *bio_s_out = NULL;
static BIO *bio_s_msg = NULL;
static int s_debug = 0;
#ifndef OPENSSL_NO_TLSEXT
static int s_tlsextdebug = 0;
static int s_tlsextstatus = 0;
static int cert_status_cb(SSL *s, void *arg);
#endif
static int no_resume_ephemeral = 0;
static int s_msg = 0;
static int s_quiet = 0;
@@ -272,12 +264,9 @@ static long socket_mtu;
static int cert_chain = 0;
#endif
#ifndef OPENSSL_NO_TLSEXT
static BIO *serverinfo_in = NULL;
static const char *s_serverinfo_file = NULL;
#endif
#ifndef OPENSSL_NO_PSK
static char *psk_identity = "Client_identity";
char *psk_key = NULL; /* by default PSK is not used */
@@ -401,11 +390,9 @@ static void s_server_init(void)
s_cert_file = TEST_CERT;
s_key_file = NULL;
s_chain_file = NULL;
#ifndef OPENSSL_NO_TLSEXT
s_cert_file2 = TEST_CERT2;
s_key_file2 = NULL;
ctx2 = NULL;
#endif
s_nbio = 0;
s_nbio_test = 0;
ctx = NULL;
@@ -575,8 +562,6 @@ static int ebcdic_puts(BIO *bp, const char *str)
}
#endif
#ifndef OPENSSL_NO_TLSEXT
/* This is a context that we pass to callbacks */
typedef struct tlsextctx_st {
char *servername;
@@ -732,7 +717,7 @@ static int cert_status_cb(SSL *s, void *arg)
goto done;
}
# ifndef OPENSSL_NO_NEXTPROTONEG
#ifndef OPENSSL_NO_NEXTPROTONEG
/* This is the context that we pass to next_proto_cb */
typedef struct tlsextnextprotoctx_st {
unsigned char *data;
@@ -749,7 +734,7 @@ static int next_proto_cb(SSL *s, const unsigned char **data,
return SSL_TLSEXT_ERR_OK;
}
# endif /* ndef OPENSSL_NO_NEXTPROTONEG */
#endif /* ndef OPENSSL_NO_NEXTPROTONEG */
/* This the context that we pass to alpn_cb */
typedef struct tlsextalpnctx_st {
@@ -789,7 +774,6 @@ static int alpn_cb(SSL *s, const unsigned char **out, unsigned char *outlen,
return SSL_TLSEXT_ERR_OK;
}
#endif /* ndef OPENSSL_NO_TLSEXT */
static int not_resumable_sess_cb(SSL *s, int is_forward_secure)
{
@@ -849,10 +833,8 @@ OPTIONS s_server_options[] = {
"Turn on peer certificate verification, must have a cert"},
{"cert", OPT_CERT, '<', "Certificate file to use; default is " TEST_CERT},
{"naccept", OPT_NACCEPT, 'p', "Terminate after pnum connections"},
#ifndef OPENSSL_NO_TLSEXT
{"serverinfo", OPT_SERVERINFO, 's',
"PEM serverinfo file for certificate"},
#endif
{"certform", OPT_CERTFORM, 'F',
"Certificate format (PEM or DER) PEM default"},
{"key", OPT_KEY, '<',
@@ -924,7 +906,6 @@ OPTIONS s_server_options[] = {
"Generate SSL/TLS session IDs prefixed by arg"},
{"rand", OPT_RAND, 's',
"Load the file(s) into the random number generator"},
#ifndef OPENSSL_NO_TLSEXT
{"servername", OPT_SERVERNAME, 's',
"Servername for HostName TLS extension"},
{"servername_fatal", OPT_SERVERNAME_FATAL, '-',
@@ -935,15 +916,14 @@ OPTIONS s_server_options[] = {
"-Private Key file to use for servername if not in -cert2"},
{"tlsextdebug", OPT_TLSEXTDEBUG, '-',
"Hex dump of all TLS extensions received"},
# ifndef OPENSSL_NO_NEXTPROTONEG
#ifndef OPENSSL_NO_NEXTPROTONEG
{"nextprotoneg", OPT_NEXTPROTONEG, 's',
"Set the advertised protocols for the NPN extension (comma-separated list)"},
# endif
#endif
{"use_srtp", OPT_SRTP_PROFILES, '<',
"Offer SRTP key management with a colon-separated profile list"},
{"alpn", OPT_ALPN, 's',
"Set the advertised protocols for the ALPN extension (comma-separated list)"},
#endif
{"keymatexport", OPT_KEYMATEXPORT, 's',
"Export keying material using label"},
{"keymatexportlen", OPT_KEYMATEXPORTLEN, 'p',
@@ -1016,17 +996,15 @@ int s_server_main(int argc, char *argv[])
unsigned short port = PORT;
unsigned char *context = NULL;
OPTION_CHOICE o;
#ifndef OPENSSL_NO_TLSEXT
EVP_PKEY *s_key2 = NULL;
X509 *s_cert2 = NULL;
tlsextctx tlsextcbp = { NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING };
# ifndef OPENSSL_NO_NEXTPROTONEG
#ifndef OPENSSL_NO_NEXTPROTONEG
const char *next_proto_neg_in = NULL;
tlsextnextprotoctx next_proto = { NULL, 0 };
# endif
#endif
const char *alpn_in = NULL;
tlsextalpnctx alpn_ctx = { NULL, 0 };
#endif
#ifndef OPENSSL_NO_PSK
/* by default do not send a PSK identity hint */
static char *psk_identity_hint = NULL;
@@ -1122,11 +1100,9 @@ int s_server_main(int argc, char *argv[])
case OPT_CRL_DOWNLOAD:
crl_download = 1;
break;
#ifndef OPENSSL_NO_TLSEXT
case OPT_SERVERINFO:
s_serverinfo_file = opt_arg();
break;
#endif
case OPT_CERTFORM:
if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &s_cert_format))
goto opthelp;
@@ -1241,7 +1217,6 @@ int s_server_main(int argc, char *argv[])
case OPT_DEBUG:
s_debug = 1;
break;
#ifndef OPENSSL_NO_TLSEXT
case OPT_TLSEXTDEBUG:
s_tlsextdebug = 1;
break;
@@ -1265,7 +1240,6 @@ int s_server_main(int argc, char *argv[])
goto end;
}
break;
#endif
case OPT_MSG:
s_msg = 1;
break;
@@ -1395,7 +1369,6 @@ int s_server_main(int argc, char *argv[])
case OPT_RAND:
inrand = opt_arg();
break;
#ifndef OPENSSL_NO_TLSEXT
case OPT_SERVERNAME:
tlsextcbp.servername = opt_arg();
break;
@@ -1408,15 +1381,14 @@ int s_server_main(int argc, char *argv[])
case OPT_KEY2:
s_key_file2 = opt_arg();
break;
# ifndef OPENSSL_NO_NEXTPROTONEG
#ifndef OPENSSL_NO_NEXTPROTONEG
case OPT_NEXTPROTONEG:
next_proto_neg_in = opt_arg();
break;
# endif
#endif
case OPT_ALPN:
alpn_in = opt_arg();
break;
#endif
#if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
case OPT_JPAKE:
jpake_secret = opt_arg();
@@ -1468,10 +1440,9 @@ int s_server_main(int argc, char *argv[])
if (s_key_file == NULL)
s_key_file = s_cert_file;
#ifndef OPENSSL_NO_TLSEXT
if (s_key_file2 == NULL)
s_key_file2 = s_cert_file2;
#endif
if (!load_excert(&exc))
goto end;
@@ -1497,7 +1468,7 @@ int s_server_main(int argc, char *argv[])
if (!s_chain)
goto end;
}
#ifndef OPENSSL_NO_TLSEXT
if (tlsextcbp.servername) {
s_key2 = load_key(s_key_file2, s_key_format, 0, pass, e,
"second server certificate private key file");
@@ -1514,10 +1485,8 @@ int s_server_main(int argc, char *argv[])
goto end;
}
}
#endif /* OPENSSL_NO_TLSEXT */
}
#if !defined(OPENSSL_NO_TLSEXT)
# if !defined(OPENSSL_NO_NEXTPROTONEG)
#if !defined(OPENSSL_NO_NEXTPROTONEG)
if (next_proto_neg_in) {
unsigned short len;
next_proto.data = next_protos_parse(&len, next_proto_neg_in);
@@ -1527,7 +1496,7 @@ int s_server_main(int argc, char *argv[])
} else {
next_proto.data = NULL;
}
# endif
#endif
alpn_ctx.data = NULL;
if (alpn_in) {
unsigned short len;
@@ -1536,7 +1505,6 @@ int s_server_main(int argc, char *argv[])
goto end;
alpn_ctx.len = len;
}
#endif
if (crl_file) {
X509_CRL *crl;
@@ -1610,10 +1578,8 @@ int s_server_main(int argc, char *argv[])
s_key_file = NULL;
s_dcert_file = NULL;
s_dkey_file = NULL;
#ifndef OPENSSL_NO_TLSEXT
s_cert_file2 = NULL;
s_key_file2 = NULL;
#endif
}
ctx = SSL_CTX_new(meth);
@@ -1678,7 +1644,7 @@ int s_server_main(int argc, char *argv[])
ERR_print_errors(bio_err);
goto end;
}
#ifndef OPENSSL_NO_TLSEXT
if (s_cert2) {
ctx2 = SSL_CTX_new(meth);
if (ctx2 == NULL) {
@@ -1732,14 +1698,13 @@ int s_server_main(int argc, char *argv[])
if (!config_ctx(cctx, ssl_args, ctx2, no_ecdhe, jpake_secret == NULL))
goto end;
}
# ifndef OPENSSL_NO_NEXTPROTONEG
#ifndef OPENSSL_NO_NEXTPROTONEG
if (next_proto.data)
SSL_CTX_set_next_protos_advertised_cb(ctx, next_proto_cb,
&next_proto);
# endif
#endif
if (alpn_ctx.data)
SSL_CTX_set_alpn_select_cb(ctx, alpn_cb, &alpn_ctx);
#endif
#ifndef OPENSSL_NO_DH
if (!no_dhe) {
@@ -1765,7 +1730,7 @@ int s_server_main(int argc, char *argv[])
DH_free(dh);
goto end;
}
# ifndef OPENSSL_NO_TLSEXT
if (ctx2) {
if (!dhfile) {
DH *dh2 = load_dh_param(s_cert_file2);
@@ -1786,24 +1751,22 @@ int s_server_main(int argc, char *argv[])
goto end;
}
}
# endif
DH_free(dh);
}
#endif
if (!set_cert_key_stuff(ctx, s_cert, s_key, s_chain, build_chain))
goto end;
#ifndef OPENSSL_NO_TLSEXT
if (s_serverinfo_file != NULL
&& !SSL_CTX_use_serverinfo_file(ctx, s_serverinfo_file)) {
ERR_print_errors(bio_err);
goto end;
}
#endif
#ifndef OPENSSL_NO_TLSEXT
if (ctx2 && !set_cert_key_stuff(ctx2, s_cert2, s_key2, NULL, build_chain))
goto end;
#endif
if (s_dcert != NULL) {
if (!set_cert_key_stuff(ctx, s_dcert, s_dkey, s_dchain, build_chain))
goto end;
@@ -1811,21 +1774,18 @@ int s_server_main(int argc, char *argv[])
#ifndef OPENSSL_NO_RSA
if (!no_tmp_rsa) {
SSL_CTX_set_tmp_rsa_callback(ctx, tmp_rsa_cb);
# ifndef OPENSSL_NO_TLSEXT
if (ctx2)
SSL_CTX_set_tmp_rsa_callback(ctx2, tmp_rsa_cb);
# endif
}
#endif
if (no_resume_ephemeral) {
SSL_CTX_set_not_resumable_session_callback(ctx,
not_resumable_sess_cb);
#ifndef OPENSSL_NO_TLSEXT
if (ctx2)
SSL_CTX_set_not_resumable_session_callback(ctx2,
not_resumable_sess_cb);
#endif
}
#ifndef OPENSSL_NO_PSK
# ifdef OPENSSL_NO_JPAKE
@@ -1860,7 +1820,6 @@ int s_server_main(int argc, char *argv[])
SSL_CTX_set_cookie_generate_cb(ctx, generate_cookie_callback);
SSL_CTX_set_cookie_verify_cb(ctx, verify_cookie_callback);
#ifndef OPENSSL_NO_TLSEXT
if (ctx2) {
SSL_CTX_set_verify(ctx2, s_server_verify, verify_callback);
if (!SSL_CTX_set_session_id_context(ctx2,
@@ -1876,7 +1835,6 @@ int s_server_main(int argc, char *argv[])
SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
}
#endif
#ifndef OPENSSL_NO_SRP
if (srp_verifier_file != NULL) {
@@ -1898,10 +1856,9 @@ int s_server_main(int argc, char *argv[])
#endif
if (CAfile != NULL) {
SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(CAfile));
#ifndef OPENSSL_NO_TLSEXT
if (ctx2)
SSL_CTX_set_client_CA_list(ctx2, SSL_load_client_CA_file(CAfile));
#endif
}
BIO_printf(bio_s_out, "ACCEPT\n");
@@ -1937,7 +1894,6 @@ int s_server_main(int argc, char *argv[])
OPENSSL_free(dpass);
X509_VERIFY_PARAM_free(vpm);
free_sessions();
#ifndef OPENSSL_NO_TLSEXT
OPENSSL_free(tlscstatp.host);
OPENSSL_free(tlscstatp.port);
OPENSSL_free(tlscstatp.path);
@@ -1945,11 +1901,10 @@ int s_server_main(int argc, char *argv[])
X509_free(s_cert2);
EVP_PKEY_free(s_key2);
BIO_free(serverinfo_in);
# ifndef OPENSSL_NO_NEXTPROTONEG
#ifndef OPENSSL_NO_NEXTPROTONEG
OPENSSL_free(next_proto.data);
# endif
OPENSSL_free(alpn_ctx.data);
#endif
OPENSSL_free(alpn_ctx.data);
ssl_excert_free(exc);
sk_OPENSSL_STRING_free(ssl_args);
SSL_CONF_CTX_free(cctx);
@@ -2018,7 +1973,7 @@ static int sv_body(char *hostname, int s, int stype, unsigned char *context)
if (con == NULL) {
con = SSL_new(ctx);
#ifndef OPENSSL_NO_TLSEXT
if (s_tlsextdebug) {
SSL_set_tlsext_debug_callback(con, tlsext_cb);
SSL_set_tlsext_debug_arg(con, bio_s_out);
@@ -2027,7 +1982,7 @@ static int sv_body(char *hostname, int s, int stype, unsigned char *context)
SSL_CTX_set_tlsext_status_cb(ctx, cert_status_cb);
SSL_CTX_set_tlsext_status_arg(ctx, &tlscstatp);
}
#endif
if (context
&& !SSL_set_session_id_context(con,
context, strlen((char *)context))) {
@@ -2109,12 +2064,11 @@ static int sv_body(char *hostname, int s, int stype, unsigned char *context)
SSL_set_msg_callback(con, msg_cb);
SSL_set_msg_callback_arg(con, bio_s_msg ? bio_s_msg : bio_s_out);
}
#ifndef OPENSSL_NO_TLSEXT
if (s_tlsextdebug) {
SSL_set_tlsext_debug_callback(con, tlsext_cb);
SSL_set_tlsext_debug_arg(con, bio_s_out);
}
#endif
width = s + 1;
for (;;) {
@@ -2399,7 +2353,7 @@ static int init_ssl_connection(SSL *con)
X509 *peer;
long verify_error;
char buf[BUFSIZ];
#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
#if !defined(OPENSSL_NO_NEXTPROTONEG)
const unsigned char *next_proto_neg;
unsigned next_proto_neg_len;
#endif
@@ -2476,7 +2430,7 @@ static int init_ssl_connection(SSL *con)
#endif
BIO_printf(bio_s_out, "CIPHER is %s\n", (str != NULL) ? str : "(NONE)");
#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
#if !defined(OPENSSL_NO_NEXTPROTONEG)
SSL_get0_next_proto_negotiated(con, &next_proto_neg, &next_proto_neg_len);
if (next_proto_neg) {
BIO_printf(bio_s_out, "NEXTPROTO is ");
@@ -2574,12 +2528,12 @@ static int www_body(char *hostname, int s, int stype, unsigned char *context)
if ((con = SSL_new(ctx)) == NULL)
goto err;
#ifndef OPENSSL_NO_TLSEXT
if (s_tlsextdebug) {
SSL_set_tlsext_debug_callback(con, tlsext_cb);
SSL_set_tlsext_debug_arg(con, bio_s_out);
}
#endif
if (context && !SSL_set_session_id_context(con, context,
strlen((char *)context)))
goto err;
@@ -2920,12 +2874,11 @@ static int rev_body(char *hostname, int s, int stype, unsigned char *context)
if ((con = SSL_new(ctx)) == NULL)
goto err;
#ifndef OPENSSL_NO_TLSEXT
if (s_tlsextdebug) {
SSL_set_tlsext_debug_callback(con, tlsext_cb);
SSL_set_tlsext_debug_arg(con, bio_s_out);
}
#endif
if (context && !SSL_set_session_id_context(con, context,
strlen((char *)context))) {
ERR_print_errors(bio_err);