Commit df894947 authored by Matt Caswell's avatar Matt Caswell
Browse files

Add the ability to use a server side TLSv1.3 external PSK in s_server 



Reviewed-by: default avatarRich Salz <rsalz@openssl.org>
(Merged from https://github.com/openssl/openssl/pull/3670)
parent e261bdd1

apps/s_server.c

+39 −3
Original line number Original line Diff line number Diff line
@@ -117,6 +117,7 @@ static long socket_mtu; 
static int dtlslisten = 0;

static int dtlslisten = 0;





static int early_data = 0;

static int early_data = 0;

static SSL_SESSION *psksess = NULL;





#ifndef OPENSSL_NO_PSK

#ifndef OPENSSL_NO_PSK

static char *psk_identity = "Client_identity";

static char *psk_identity = "Client_identity";
@@ -178,6 +179,19 @@ static unsigned int psk_server_cb(SSL *ssl, const char *identity, 
}

}

#endif

#endif





static int psk_find_session_cb(SSL *ssl, const unsigned char *identity,

                               size_t identity_len, SSL_SESSION **sess)

{

    if (strlen(psk_identity) != identity_len

            || memcmp(psk_identity, identity, identity_len) != 0)

        return 0;



    SSL_SESSION_up_ref(psksess);

    *sess = psksess;



    return 1;

}



#ifndef OPENSSL_NO_SRP

#ifndef OPENSSL_NO_SRP

/* This is a context that we pass to callbacks */

/* This is a context that we pass to callbacks */

typedef struct srpsrvparm_st {

typedef struct srpsrvparm_st {
@@ -685,9 +699,9 @@ typedef enum OPTION_choice { 
    OPT_STATUS_TIMEOUT, OPT_STATUS_URL, OPT_STATUS_FILE, OPT_MSG, OPT_MSGFILE,

    OPT_STATUS_TIMEOUT, OPT_STATUS_URL, OPT_STATUS_FILE, OPT_MSG, OPT_MSGFILE,

    OPT_TRACE, OPT_SECURITY_DEBUG, OPT_SECURITY_DEBUG_VERBOSE, OPT_STATE,

    OPT_TRACE, OPT_SECURITY_DEBUG, OPT_SECURITY_DEBUG_VERBOSE, OPT_STATE,

    OPT_CRLF, OPT_QUIET, OPT_BRIEF, OPT_NO_DHE,

    OPT_CRLF, OPT_QUIET, OPT_BRIEF, OPT_NO_DHE,

    OPT_NO_RESUME_EPHEMERAL, OPT_PSK_IDENTITY, OPT_PSK_HINT, OPT_PSK, OPT_SRPVFILE,

    OPT_NO_RESUME_EPHEMERAL, OPT_PSK_IDENTITY, OPT_PSK_HINT, OPT_PSK,

    OPT_SRPUSERSEED, OPT_REV, OPT_WWW, OPT_UPPER_WWW, OPT_HTTP, OPT_ASYNC,

    OPT_PSK_SESS, OPT_SRPVFILE, OPT_SRPUSERSEED, OPT_REV, OPT_WWW,

    OPT_SSL_CONFIG,

    OPT_UPPER_WWW, OPT_HTTP, OPT_ASYNC, OPT_SSL_CONFIG,

    OPT_MAX_SEND_FRAG, OPT_SPLIT_SEND_FRAG, OPT_MAX_PIPELINES, OPT_READ_BUF,

    OPT_MAX_SEND_FRAG, OPT_SPLIT_SEND_FRAG, OPT_MAX_PIPELINES, OPT_READ_BUF,

    OPT_SSL3, OPT_TLS1_3, OPT_TLS1_2, OPT_TLS1_1, OPT_TLS1, OPT_DTLS, OPT_DTLS1,

    OPT_SSL3, OPT_TLS1_3, OPT_TLS1_2, OPT_TLS1_1, OPT_TLS1, OPT_DTLS, OPT_DTLS1,

    OPT_DTLS1_2, OPT_SCTP, OPT_TIMEOUT, OPT_MTU, OPT_LISTEN,

    OPT_DTLS1_2, OPT_SCTP, OPT_TIMEOUT, OPT_MTU, OPT_LISTEN,
@@ -843,6 +857,7 @@ const OPTIONS s_server_options[] = { 
    {"psk_hint", OPT_PSK_HINT, 's', "PSK identity hint to use"},

    {"psk_hint", OPT_PSK_HINT, 's', "PSK identity hint to use"},

    {"psk", OPT_PSK, 's', "PSK in hex (without 0x)"},

    {"psk", OPT_PSK, 's', "PSK in hex (without 0x)"},

#endif

#endif

    {"psk_session", OPT_PSK_SESS, '<', "File to read PSK SSL session from"},

#ifndef OPENSSL_NO_SRP

#ifndef OPENSSL_NO_SRP

    {"srpvfile", OPT_SRPVFILE, '<', "The verifier file for SRP"},

    {"srpvfile", OPT_SRPVFILE, '<', "The verifier file for SRP"},

    {"srpuserseed", OPT_SRPUSERSEED, 's',

    {"srpuserseed", OPT_SRPUSERSEED, 's',
@@ -977,6 +992,7 @@ int s_server_main(int argc, char *argv[]) 
    const char *s_serverinfo_file = NULL;

    const char *s_serverinfo_file = NULL;

    const char *keylog_file = NULL;

    const char *keylog_file = NULL;

    int max_early_data = -1;

    int max_early_data = -1;

    char *psksessf = NULL;





    /* Init of few remaining global variables */

    /* Init of few remaining global variables */

    local_argc = argc;

    local_argc = argc;
@@ -1342,6 +1358,9 @@ int s_server_main(int argc, char *argv[]) 
            }

            }

#endif

#endif

            break;

            break;

        case OPT_PSK_SESS:

            psksessf = opt_arg();

            break;

        case OPT_SRPVFILE:

        case OPT_SRPVFILE:

#ifndef OPENSSL_NO_SRP

#ifndef OPENSSL_NO_SRP

            srp_verifier_file = opt_arg();

            srp_verifier_file = opt_arg();
@@ -1940,6 +1959,23 @@ int s_server_main(int argc, char *argv[]) 
        goto end;

        goto end;

    }

    }

#endif

#endif

    if (psksessf != NULL) {

        BIO *stmp = BIO_new_file(psksessf, "r");



        if (stmp == NULL) {

            BIO_printf(bio_err, "Can't open PSK session file %s\n", psksessf);

            ERR_print_errors(bio_err);

            goto end;

        }

        psksess = PEM_read_bio_SSL_SESSION(stmp, NULL, 0, NULL);

        BIO_free(stmp);

        if (psksess == NULL) {

            BIO_printf(bio_err, "Can't read PSK session file %s\n", psksessf);

            ERR_print_errors(bio_err);

            goto end;

        }

        SSL_CTX_set_psk_find_session_callback(ctx, psk_find_session_cb);

    }





    SSL_CTX_set_verify(ctx, s_server_verify, verify_callback);

    SSL_CTX_set_verify(ctx, s_server_verify, verify_callback);

    if (!SSL_CTX_set_session_id_context(ctx,

    if (!SSL_CTX_set_session_id_context(ctx,