]> git.ipfire.org Git - thirdparty/openssl.git/blame - apps/s_cb.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
PR: 2756
[thirdparty/openssl.git] / apps / s_cb.c
CommitLineData
863fe2ec 1/* apps/s_cb.c - callback functions used by s_client, s_server, and s_time */
58964a49 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
d02b48c6
RE		 3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
a661b653 58/* ====================================================================
241520e6 59 * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
a661b653
BM		 60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
d02b48c6
RE		 111
112#include <stdio.h>
113#include <stdlib.h>
114#define USE_SOCKETS
115#define NON_MAIN
116#include "apps.h"
117#undef NON_MAIN
118#undef USE_SOCKETS
ec577822 119#include <openssl/err.h>
07a9d1a2 120#include <openssl/rand.h>
ec577822
BM		 121#include <openssl/x509.h>
122#include <openssl/ssl.h>
d02b48c6
RE		 123#include "s_apps.h"
124
07a9d1a2
DSH		 125#define COOKIE_SECRET_LENGTH 16
126
d02b48c6
RE		 127int verify_depth=0;
128int verify_error=X509_V_OK;
5d20c4fb 129int verify_return_error=0;
07a9d1a2
DSH		 130unsigned char cookie_secret[COOKIE_SECRET_LENGTH];
131int cookie_initialized=0;
d02b48c6 132
6b691a5c 133int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
d02b48c6 134 {
d02b48c6
RE		 135 X509 *err_cert;
136 int err,depth;
137
138 err_cert=X509_STORE_CTX_get_current_cert(ctx);
139 err= X509_STORE_CTX_get_error(ctx);
140 depth= X509_STORE_CTX_get_error_depth(ctx);
141
17716680
DSH		 142 BIO_printf(bio_err,"depth=%d ",depth);
143 if (err_cert)
144 {
145 X509_NAME_print_ex(bio_err, X509_get_subject_name(err_cert),
146 0, XN_FLAG_ONELINE);
147 BIO_puts(bio_err, "\n");
148 }
149 else
150 BIO_puts(bio_err, "<no cert>\n");
d02b48c6
RE		 151 if (!ok)
152 {
153 BIO_printf(bio_err,"verify error:num=%d:%s\n",err,
154 X509_verify_cert_error_string(err));
155 if (verify_depth >= depth)
156 {
5d20c4fb
DSH		 157 if (!verify_return_error)
158 ok=1;
d02b48c6
RE		 159 verify_error=X509_V_OK;
160 }
161 else
162 {
163 ok=0;
164 verify_error=X509_V_ERR_CERT_CHAIN_TOO_LONG;
165 }
166 }
17716680 167 switch (err)
d02b48c6
RE		 168 {
169 case X509_V_ERR_UNABLE_TO_GET_ISSUER_CERT:
17716680
DSH		 170 BIO_puts(bio_err,"issuer= ");
171 X509_NAME_print_ex(bio_err, X509_get_issuer_name(err_cert),
172 0, XN_FLAG_ONELINE);
173 BIO_puts(bio_err, "\n");
d02b48c6
RE		 174 break;
175 case X509_V_ERR_CERT_NOT_YET_VALID:
176 case X509_V_ERR_ERROR_IN_CERT_NOT_BEFORE_FIELD:
177 BIO_printf(bio_err,"notBefore=");
17716680 178 ASN1_TIME_print(bio_err,X509_get_notBefore(err_cert));
d02b48c6
RE		 179 BIO_printf(bio_err,"\n");
180 break;
181 case X509_V_ERR_CERT_HAS_EXPIRED:
182 case X509_V_ERR_ERROR_IN_CERT_NOT_AFTER_FIELD:
183 BIO_printf(bio_err,"notAfter=");
17716680 184 ASN1_TIME_print(bio_err,X509_get_notAfter(err_cert));
d02b48c6
RE		 185 BIO_printf(bio_err,"\n");
186 break;
17716680
DSH		 187 case X509_V_ERR_NO_EXPLICIT_POLICY:
188 policies_print(bio_err, ctx);
189 break;
d02b48c6 190 }
17716680
DSH		 191 if (err == X509_V_OK && ok == 2)
192 policies_print(bio_err, ctx);
193
d02b48c6
RE		 194 BIO_printf(bio_err,"verify return:%d\n",ok);
195 return(ok);
196 }
197
6b691a5c 198int set_cert_stuff(SSL_CTX *ctx, char *cert_file, char *key_file)
d02b48c6
RE		 199 {
200 if (cert_file != NULL)
201 {
dfeab068 202 /*
d02b48c6
RE		 203 SSL *ssl;
204 X509 *x509;
dfeab068 205 */
d02b48c6
RE		 206
207 if (SSL_CTX_use_certificate_file(ctx,cert_file,
208 SSL_FILETYPE_PEM) <= 0)
209 {
58964a49 210 BIO_printf(bio_err,"unable to get certificate from '%s'\n",cert_file);
d02b48c6
RE		 211 ERR_print_errors(bio_err);
212 return(0);
213 }
214 if (key_file == NULL) key_file=cert_file;
215 if (SSL_CTX_use_PrivateKey_file(ctx,key_file,
216 SSL_FILETYPE_PEM) <= 0)
217 {
58964a49 218 BIO_printf(bio_err,"unable to get private key from '%s'\n",key_file);
d02b48c6
RE		 219 ERR_print_errors(bio_err);
220 return(0);
221 }
222
dfeab068
RE		 223 /*
224 In theory this is no longer needed
d02b48c6
RE		 225 ssl=SSL_new(ctx);
226 x509=SSL_get_certificate(ssl);
227
a8236c8c
DSH		 228 if (x509 != NULL) {
229 EVP_PKEY *pktmp;
230 pktmp = X509_get_pubkey(x509);
231 EVP_PKEY_copy_parameters(pktmp,
232 SSL_get_privatekey(ssl));
233 EVP_PKEY_free(pktmp);
234 }
d02b48c6 235 SSL_free(ssl);
dfeab068 236 */
d02b48c6
RE		 237
238 /* If we are using DSA, we can copy the parameters from
239 * the private key */
240
241
242 /* Now we know that a key and cert have been set against
243 * the SSL context */
244 if (!SSL_CTX_check_private_key(ctx))
245 {
246 BIO_printf(bio_err,"Private key does not match the certificate public key\n");
247 return(0);
248 }
249 }
250 return(1);
251 }
252
826a42a0
DSH		 253int set_cert_key_stuff(SSL_CTX *ctx, X509 *cert, EVP_PKEY *key)
254 {
abbc186b
DSH		 255 if (cert == NULL)
256 return 1;
826a42a0
DSH		 257 if (SSL_CTX_use_certificate(ctx,cert) <= 0)
258 {
259 BIO_printf(bio_err,"error setting certificate\n");
260 ERR_print_errors(bio_err);
261 return 0;
262 }
263 if (SSL_CTX_use_PrivateKey(ctx,key) <= 0)
264 {
265 BIO_printf(bio_err,"error setting private key\n");
266 ERR_print_errors(bio_err);
267 return 0;
268 }
269
270
271 /* Now we know that a key and cert have been set against
272 * the SSL context */
273 if (!SSL_CTX_check_private_key(ctx))
274 {
275 BIO_printf(bio_err,"Private key does not match the certificate public key\n");
276 return 0;
277 }
278 return 1;
279 }
280
e7f8ff43
DSH		 281int ssl_print_sigalgs(BIO *out, SSL *s)
282 {
283 int i, nsig;
284 nsig = SSL_get_sigalgs(s, -1, NULL, NULL, NULL, NULL, NULL);
285 if (nsig == 0)
286 return 1;
287
288 BIO_puts(out, "Signature Algorithms: ");
289 for (i = 0; i < nsig; i++)
290 {
291 int hash_nid, sign_nid;
292 unsigned char rhash, rsign;
293 const char *sstr = NULL;
294 SSL_get_sigalgs(s, i, &sign_nid, &hash_nid, NULL,
295 &rsign, &rhash);
296 if (i)
297 BIO_puts(out, ":");
298 if (sign_nid == EVP_PKEY_RSA)
299 sstr = "RSA";
300 else if(sign_nid == EVP_PKEY_DSA)
301 sstr = "DSA";
302 else if(sign_nid == EVP_PKEY_EC)
303 sstr = "ECDSA";
304 if (sstr)
305 BIO_printf(out,"%s+", sstr);
306 else
307 BIO_printf(out,"0x%02X+", (int)rsign);
308 if (hash_nid != NID_undef)
309 BIO_printf(out, "%s", OBJ_nid2sn(hash_nid));
310 else
311 BIO_printf(out,"0x%02X", (int)rhash);
312 }
313 BIO_puts(out, "\n");
314 return 1;
315 }
316
317int ssl_print_curves(BIO *out, SSL *s)
318 {
319 int i, ncurves, *curves;
320 ncurves = SSL_get1_curvelist(s, NULL);
321 if (ncurves <= 0)
322 return 1;
323 curves = OPENSSL_malloc(ncurves * sizeof(int));
324 SSL_get1_curvelist(s, curves);
325
326 BIO_puts(out, "Supported Elliptic Curves: ");
327 for (i = 0; i < ncurves; i++)
328 {
329 int nid;
330 const char *cname;
331 if (i)
332 BIO_puts(out, ":");
333 nid = curves[i];
334 /* If unrecognised print out hex version */
335 if (nid & TLSEXT_nid_unknown)
336 BIO_printf(out, "0x%04X", nid & 0xFFFF);
337 else
338 {
339 /* Use NIST name for curve if it exists */
340 cname = EC_curve_nid2nist(nid);
341 if (!cname)
342 cname = OBJ_nid2sn(nid);
343 BIO_printf(out, "%s", cname);
344 }
345 }
346 BIO_puts(out, "\n");
347 OPENSSL_free(curves);
348 return 1;
349 }
350
351
25495640 352long MS_CALLBACK bio_dump_callback(BIO *bio, int cmd, const char *argp,
774b2fe7 353 int argi, long argl, long ret)
d02b48c6
RE		 354 {
355 BIO *out;
356
357 out=(BIO *)BIO_get_callback_arg(bio);
358 if (out == NULL) return(ret);
359
360 if (cmd == (BIO_CB_READ|BIO_CB_RETURN))
361 {
70d71f61
DSH		 362 BIO_printf(out,"read from %p [%p] (%lu bytes => %ld (0x%lX))\n",
363 (void *)bio,argp,(unsigned long)argi,ret,ret);
d02b48c6
RE		 364 BIO_dump(out,argp,(int)ret);
365 return(ret);
366 }
367 else if (cmd == (BIO_CB_WRITE|BIO_CB_RETURN))
368 {
70d71f61
DSH		 369 BIO_printf(out,"write to %p [%p] (%lu bytes => %ld (0x%lX))\n",
370 (void *)bio,argp,(unsigned long)argi,ret,ret);
d02b48c6
RE		 371 BIO_dump(out,argp,(int)ret);
372 }
373 return(ret);
374 }
375
45d87a1f 376void MS_CALLBACK apps_ssl_info_callback(const SSL *s, int where, int ret)
d02b48c6 377 {
7d727231 378 const char *str;
d02b48c6
RE		 379 int w;
380
381 w=where& ~SSL_ST_MASK;
382
383 if (w & SSL_ST_CONNECT) str="SSL_connect";
384 else if (w & SSL_ST_ACCEPT) str="SSL_accept";
385 else str="undefined";
386
387 if (where & SSL_CB_LOOP)
388 {
389 BIO_printf(bio_err,"%s:%s\n",str,SSL_state_string_long(s));
390 }
391 else if (where & SSL_CB_ALERT)
392 {
393 str=(where & SSL_CB_READ)?"read":"write";
394 BIO_printf(bio_err,"SSL3 alert %s:%s:%s\n",
395 str,
396 SSL_alert_type_string_long(ret),
397 SSL_alert_desc_string_long(ret));
398 }
399 else if (where & SSL_CB_EXIT)
400 {
401 if (ret == 0)
402 BIO_printf(bio_err,"%s:failed in %s\n",
403 str,SSL_state_string_long(s));
404 else if (ret < 0)
405 {
406 BIO_printf(bio_err,"%s:error in %s\n",
407 str,SSL_state_string_long(s));
408 }
409 }
410 }
411
a661b653
BM		 412
413void MS_CALLBACK msg_cb(int write_p, int version, int content_type, const void *buf, size_t len, SSL *ssl, void *arg)
414 {
415 BIO *bio = arg;
416 const char *str_write_p, *str_version, *str_content_type = "", *str_details1 = "", *str_details2= "";
417
418 str_write_p = write_p ? ">>>" : "<<<";
419
420 switch (version)
421 {
422 case SSL2_VERSION:
423 str_version = "SSL 2.0";
424 break;
425 case SSL3_VERSION:
426 str_version = "SSL 3.0 ";
427 break;
428 case TLS1_VERSION:
429 str_version = "TLS 1.0 ";
430 break;
48435b20
DSH		 431 case TLS1_1_VERSION:
432 str_version = "TLS 1.1 ";
433 break;
cbc0b0ec
AP		 434 case TLS1_2_VERSION:
435 str_version = "TLS 1.2 ";
436 break;
bdfa4ff9
DSH		 437 case DTLS1_VERSION:
438 str_version = "DTLS 1.0 ";
439 break;
440 case DTLS1_BAD_VER:
441 str_version = "DTLS 1.0 (bad) ";
442 break;
a661b653
BM		 443 default:
444 str_version = "???";
445 }
446
29e0c30c
BM		 447 if (version == SSL2_VERSION)
448 {
449 str_details1 = "???";
450
451 if (len > 0)
452 {
7d727231 453 switch (((const unsigned char*)buf)[0])
29e0c30c
BM		 454 {
455 case 0:
456 str_details1 = ", ERROR:";
457 str_details2 = " ???";
458 if (len >= 3)
459 {
7d727231 460 unsigned err = (((const unsigned char*)buf)[1]<<8) + ((const unsigned char*)buf)[2];
29e0c30c
BM		 461
462 switch (err)
463 {
464 case 0x0001:
465 str_details2 = " NO-CIPHER-ERROR";
466 break;
467 case 0x0002:
468 str_details2 = " NO-CERTIFICATE-ERROR";
469 break;
470 case 0x0004:
471 str_details2 = " BAD-CERTIFICATE-ERROR";
472 break;
473 case 0x0006:
474 str_details2 = " UNSUPPORTED-CERTIFICATE-TYPE-ERROR";
475 break;
476 }
477 }
478
479 break;
480 case 1:
481 str_details1 = ", CLIENT-HELLO";
482 break;
483 case 2:
484 str_details1 = ", CLIENT-MASTER-KEY";
485 break;
486 case 3:
487 str_details1 = ", CLIENT-FINISHED";
488 break;
489 case 4:
490 str_details1 = ", SERVER-HELLO";
491 break;
492 case 5:
493 str_details1 = ", SERVER-VERIFY";
494 break;
495 case 6:
496 str_details1 = ", SERVER-FINISHED";
497 break;
498 case 7:
499 str_details1 = ", REQUEST-CERTIFICATE";
500 break;
501 case 8:
502 str_details1 = ", CLIENT-CERTIFICATE";
503 break;
504 }
505 }
506 }
507
bdfa4ff9
DSH		 508 if (version == SSL3_VERSION ||
509 version == TLS1_VERSION ||
510 version == DTLS1_VERSION ||
511 version == DTLS1_BAD_VER)
a661b653
BM		 512 {
513 switch (content_type)
514 {
515 case 20:
516 str_content_type = "ChangeCipherSpec";
517 break;
518 case 21:
519 str_content_type = "Alert";
520 break;
521 case 22:
522 str_content_type = "Handshake";
523 break;
524 }
525
526 if (content_type == 21) /* Alert */
527 {
528 str_details1 = ", ???";
529
530 if (len == 2)
531 {
7d727231 532 switch (((const unsigned char*)buf)[0])
a661b653
BM		 533 {
534 case 1:
535 str_details1 = ", warning";
536 break;
537 case 2:
538 str_details1 = ", fatal";
539 break;
540 }
541
542 str_details2 = " ???";
7d727231 543 switch (((const unsigned char*)buf)[1])
a661b653
BM		 544 {
545 case 0:
546 str_details2 = " close_notify";
547 break;
548 case 10:
549 str_details2 = " unexpected_message";
550 break;
551 case 20:
552 str_details2 = " bad_record_mac";
553 break;
554 case 21:
555 str_details2 = " decryption_failed";
556 break;
557 case 22:
558 str_details2 = " record_overflow";
559 break;
560 case 30:
561 str_details2 = " decompression_failure";
562 break;
563 case 40:
564 str_details2 = " handshake_failure";
565 break;
566 case 42:
567 str_details2 = " bad_certificate";
568 break;
569 case 43:
570 str_details2 = " unsupported_certificate";
571 break;
572 case 44:
573 str_details2 = " certificate_revoked";
574 break;
575 case 45:
576 str_details2 = " certificate_expired";
577 break;
578 case 46:
579 str_details2 = " certificate_unknown";
580 break;
581 case 47:
582 str_details2 = " illegal_parameter";
583 break;
584 case 48:
585 str_details2 = " unknown_ca";
586 break;
587 case 49:
588 str_details2 = " access_denied";
589 break;
590 case 50:
591 str_details2 = " decode_error";
592 break;
593 case 51:
594 str_details2 = " decrypt_error";
595 break;
596 case 60:
597 str_details2 = " export_restriction";
598 break;
599 case 70:
600 str_details2 = " protocol_version";
601 break;
602 case 71:
603 str_details2 = " insufficient_security";
604 break;
605 case 80:
606 str_details2 = " internal_error";
607 break;
608 case 90:
609 str_details2 = " user_canceled";
610 break;
611 case 100:
612 str_details2 = " no_renegotiation";
613 break;
241520e6
BM		 614 case 110:
615 str_details2 = " unsupported_extension";
616 break;
617 case 111:
618 str_details2 = " certificate_unobtainable";
619 break;
620 case 112:
621 str_details2 = " unrecognized_name";
622 break;
623 case 113:
624 str_details2 = " bad_certificate_status_response";
625 break;
626 case 114:
627 str_details2 = " bad_certificate_hash_value";
628 break;
0c58d22a
DSH		 629 case 115:
630 str_details2 = " unknown_psk_identity";
631 break;
a661b653
BM		 632 }
633 }
634 }
635
636 if (content_type == 22) /* Handshake */
637 {
638 str_details1 = "???";
639
640 if (len > 0)
641 {
7d727231 642 switch (((const unsigned char*)buf)[0])
a661b653
BM		 643 {
644 case 0:
645 str_details1 = ", HelloRequest";
646 break;
647 case 1:
648 str_details1 = ", ClientHello";
649 break;
650 case 2:
651 str_details1 = ", ServerHello";
652 break;
bdfa4ff9
DSH		 653 case 3:
654 str_details1 = ", HelloVerifyRequest";
655 break;
a661b653
BM		 656 case 11:
657 str_details1 = ", Certificate";
658 break;
659 case 12:
660 str_details1 = ", ServerKeyExchange";
661 break;
662 case 13:
663 str_details1 = ", CertificateRequest";
664 break;
665 case 14:
666 str_details1 = ", ServerHelloDone";
667 break;
668 case 15:
669 str_details1 = ", CertificateVerify";
670 break;
671 case 16:
672 str_details1 = ", ClientKeyExchange";
673 break;
674 case 20:
675 str_details1 = ", Finished";
676 break;
677 }
678 }
679 }
4817504d
DSH		 680
681#ifndef OPENSSL_NO_HEARTBEATS
682 if (content_type == 24) /* Heartbeat */
683 {
684 str_details1 = ", Heartbeat";
685
686 if (len > 0)
687 {
688 switch (((const unsigned char*)buf)[0])
689 {
690 case 1:
691 str_details1 = ", HeartbeatRequest";
692 break;
693 case 2:
694 str_details1 = ", HeartbeatResponse";
695 break;
696 }
697 }
698 }
699#endif
a661b653
BM		 700 }
701
702 BIO_printf(bio, "%s %s%s [length %04lx]%s%s\n", str_write_p, str_version, str_content_type, (unsigned long)len, str_details1, str_details2);
703
704 if (len > 0)
705 {
706 size_t num, i;
707
708 BIO_printf(bio, " ");
709 num = len;
710#if 0
711 if (num > 16)
712 num = 16;
713#endif
714 for (i = 0; i < num; i++)
715 {
716 if (i % 16 == 0 && i > 0)
717 BIO_printf(bio, "\n ");
7d727231 718 BIO_printf(bio, " %02x", ((const unsigned char*)buf)[i]);
a661b653
BM		 719 }
720 if (i < len)
721 BIO_printf(bio, " ...");
722 BIO_printf(bio, "\n");
723 }
710069c1 724 (void)BIO_flush(bio);
a661b653 725 }
6434abbf
DSH		 726
727void MS_CALLBACK tlsext_cb(SSL *s, int client_server, int type,
728 unsigned char *data, int len,
729 void *arg)
730 {
731 BIO *bio = arg;
732 char *extname;
733
734 switch(type)
735 {
736 case TLSEXT_TYPE_server_name:
737 extname = "server name";
738 break;
739
740 case TLSEXT_TYPE_max_fragment_length:
741 extname = "max fragment length";
742 break;
743
744 case TLSEXT_TYPE_client_certificate_url:
745 extname = "client certificate URL";
746 break;
747
748 case TLSEXT_TYPE_trusted_ca_keys:
749 extname = "trusted CA keys";
750 break;
751
752 case TLSEXT_TYPE_truncated_hmac:
753 extname = "truncated HMAC";
754 break;
755
756 case TLSEXT_TYPE_status_request:
757 extname = "status request";
758 break;
759
760 case TLSEXT_TYPE_elliptic_curves:
761 extname = "elliptic curves";
762 break;
763
764 case TLSEXT_TYPE_ec_point_formats:
765 extname = "EC point formats";
766 break;
767
768 case TLSEXT_TYPE_session_ticket:
769 extname = "server ticket";
770 break;
771
860c3dd1
DSH		 772 case TLSEXT_TYPE_renegotiate:
773 extname = "renegotiate";
774 break;
775
7409d7ad
DSH		 776 case TLSEXT_TYPE_signature_algorithms:
777 extname = "signature algorithms";
778 break;
779
761772d7
BM		 780#ifdef TLSEXT_TYPE_opaque_prf_input
781 case TLSEXT_TYPE_opaque_prf_input:
782 extname = "opaque PRF input";
783 break;
784#endif
6434abbf
DSH		 785
786 default:
787 extname = "unknown";
788 break;
789
790 }
791
792 BIO_printf(bio, "TLS %s extension \"%s\" (id=%d), len=%d\n",
793 client_server ? "server": "client",
794 extname, type, len);
710069c1 795 BIO_dump(bio, (char *)data, len);
367eb1f1 796 (void)BIO_flush(bio);
6434abbf 797 }
07a9d1a2
DSH		 798
799int MS_CALLBACK generate_cookie_callback(SSL *ssl, unsigned char *cookie, unsigned int *cookie_len)
800 {
801 unsigned char *buffer, result[EVP_MAX_MD_SIZE];
802 unsigned int length, resultlength;
636b6b45 803 union {
cba9ffc3 804 struct sockaddr sa;
636b6b45 805 struct sockaddr_in s4;
cba9ffc3
AP		 806#if OPENSSL_USE_IPV6
807 struct sockaddr_in6 s6;
636b6b45 808#endif
cba9ffc3 809 } peer;
636b6b45 810
07a9d1a2
DSH		 811 /* Initialize a random secret */
812 if (!cookie_initialized)
813 {
814 if (!RAND_bytes(cookie_secret, COOKIE_SECRET_LENGTH))
815 {
816 BIO_printf(bio_err,"error setting random cookie secret\n");
817 return 0;
818 }
819 cookie_initialized = 1;
820 }
821
822 /* Read peer information */
823 (void)BIO_dgram_get_peer(SSL_get_rbio(ssl), &peer);
824
825 /* Create buffer with peer's address and port */
636b6b45 826 length = 0;
cba9ffc3 827 switch (peer.sa.sa_family)
636b6b45
DSH		 828 {
829 case AF_INET:
830 length += sizeof(struct in_addr);
be456366 831 length += sizeof(peer.s4.sin_port);
636b6b45 832 break;
cba9ffc3 833#if OPENSSL_USE_IPV6
636b6b45
DSH		 834 case AF_INET6:
835 length += sizeof(struct in6_addr);
be456366 836 length += sizeof(peer.s6.sin6_port);
636b6b45 837 break;
cba9ffc3 838#endif
636b6b45
DSH		 839 default:
840 OPENSSL_assert(0);
841 break;
842 }
07a9d1a2
DSH		 843 buffer = OPENSSL_malloc(length);
844
845 if (buffer == NULL)
846 {
847 BIO_printf(bio_err,"out of memory\n");
848 return 0;
849 }
636b6b45 850
cba9ffc3 851 switch (peer.sa.sa_family)
636b6b45
DSH		 852 {
853 case AF_INET:
854 memcpy(buffer,
855 &peer.s4.sin_port,
be456366
DSH		 856 sizeof(peer.s4.sin_port));
857 memcpy(buffer + sizeof(peer.s4.sin_port),
636b6b45
DSH		 858 &peer.s4.sin_addr,
859 sizeof(struct in_addr));
860 break;
cba9ffc3 861#if OPENSSL_USE_IPV6
636b6b45
DSH		 862 case AF_INET6:
863 memcpy(buffer,
864 &peer.s6.sin6_port,
be456366
DSH		 865 sizeof(peer.s6.sin6_port));
866 memcpy(buffer + sizeof(peer.s6.sin6_port),
636b6b45
DSH		 867 &peer.s6.sin6_addr,
868 sizeof(struct in6_addr));
869 break;
cba9ffc3 870#endif
636b6b45
DSH		 871 default:
872 OPENSSL_assert(0);
873 break;
874 }
07a9d1a2
DSH		 875
876 /* Calculate HMAC of buffer using the secret */
877 HMAC(EVP_sha1(), cookie_secret, COOKIE_SECRET_LENGTH,
878 buffer, length, result, &resultlength);
879 OPENSSL_free(buffer);
880
881 memcpy(cookie, result, resultlength);
882 *cookie_len = resultlength;
883
884 return 1;
885 }
886
887int MS_CALLBACK verify_cookie_callback(SSL *ssl, unsigned char *cookie, unsigned int cookie_len)
888 {
889 unsigned char *buffer, result[EVP_MAX_MD_SIZE];
890 unsigned int length, resultlength;
636b6b45 891 union {
cba9ffc3 892 struct sockaddr sa;
636b6b45 893 struct sockaddr_in s4;
cba9ffc3
AP		 894#if OPENSSL_USE_IPV6
895 struct sockaddr_in6 s6;
636b6b45 896#endif
cba9ffc3 897 } peer;
636b6b45 898
07a9d1a2
DSH		 899 /* If secret isn't initialized yet, the cookie can't be valid */
900 if (!cookie_initialized)
901 return 0;
902
903 /* Read peer information */
904 (void)BIO_dgram_get_peer(SSL_get_rbio(ssl), &peer);
905
906 /* Create buffer with peer's address and port */
636b6b45 907 length = 0;
cba9ffc3 908 switch (peer.sa.sa_family)
636b6b45
DSH		 909 {
910 case AF_INET:
911 length += sizeof(struct in_addr);
be456366 912 length += sizeof(peer.s4.sin_port);
636b6b45 913 break;
cba9ffc3 914#if OPENSSL_USE_IPV6
636b6b45
DSH		 915 case AF_INET6:
916 length += sizeof(struct in6_addr);
be456366 917 length += sizeof(peer.s6.sin6_port);
636b6b45 918 break;
cba9ffc3 919#endif
636b6b45
DSH		 920 default:
921 OPENSSL_assert(0);
922 break;
923 }
07a9d1a2
DSH		 924 buffer = OPENSSL_malloc(length);
925
926 if (buffer == NULL)
927 {
928 BIO_printf(bio_err,"out of memory\n");
929 return 0;
930 }
636b6b45 931
cba9ffc3 932 switch (peer.sa.sa_family)
636b6b45
DSH		 933 {
934 case AF_INET:
935 memcpy(buffer,
936 &peer.s4.sin_port,
be456366
DSH		 937 sizeof(peer.s4.sin_port));
938 memcpy(buffer + sizeof(peer.s4.sin_port),
636b6b45
DSH		 939 &peer.s4.sin_addr,
940 sizeof(struct in_addr));
941 break;
cba9ffc3 942#if OPENSSL_USE_IPV6
636b6b45
DSH		 943 case AF_INET6:
944 memcpy(buffer,
945 &peer.s6.sin6_port,
be456366
DSH		 946 sizeof(peer.s6.sin6_port));
947 memcpy(buffer + sizeof(peer.s6.sin6_port),
636b6b45
DSH		 948 &peer.s6.sin6_addr,
949 sizeof(struct in6_addr));
950 break;
cba9ffc3 951#endif
636b6b45
DSH		 952 default:
953 OPENSSL_assert(0);
954 break;
955 }
07a9d1a2
DSH		 956
957 /* Calculate HMAC of buffer using the secret */
958 HMAC(EVP_sha1(), cookie_secret, COOKIE_SECRET_LENGTH,
959 buffer, length, result, &resultlength);
960 OPENSSL_free(buffer);
636b6b45 961
07a9d1a2
DSH		 962 if (cookie_len == resultlength && memcmp(result, cookie, resultlength) == 0)
963 return 1;
964
965 return 0;
966 }
A mirror of the official openssl repository