author | Matt Caswell <matt@openssl.org> | 2016-07-07 11:05:31 +0100 |
---|---|---|
committer | Matt Caswell <matt@openssl.org> | 2016-07-08 16:20:59 +0100 |
commit | 4bbd4ba66dec4ca35502b8fac0315b447fde4d7a (patch) | |
tree | a691cad44820d09910e0d93cb1ed78966189c16b /apps/s_server.c | |
parent | 3503549ee8bd59d23d00b9dbbc2444e91fc44746 (diff) | |
Disallow multiple protocol flags to s_server and s_client
We shouldn't allow both "-tls1" and "-tls1_2", or "-tls1" and "-no_tls1_2".
The only time multiple flags are allowed is where they are all "-no_<prot>".
This fixes Github Issue #1268
Reviewed-by: Rich Salz <rsalz@openssl.org>
Diffstat (limited to 'apps/s_server.c')
-rw-r--r-- | apps/s_server.c | 17 |
1 files changed, 16 insertions, 1 deletions
diff --git a/apps/s_server.c b/apps/s_server.c
index 45c128d..d545546 100644
--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -910,6 +910,10 @@ OPTIONS s_server_options[] = {
 {NULL, OPT_EOF, 0, NULL}
 };
+#define IS_PROT_FLAG(o) \
+ (o == OPT_SSL3 || o == OPT_TLS1 || o == OPT_TLS1_1 || o == OPT_TLS1_2 \
+ || o == OPT_DTLS || o == OPT_DTLS1 || o == OPT_DTLS1_2)
+
 int s_server_main(int argc, char *argv[])
 {
 ENGINE *engine = NULL;
@@ -970,7 +974,7 @@ int s_server_main(int argc, char *argv[])
 char *srpuserseed = NULL;
 char *srp_verifier_file = NULL;
 #endif
- int min_version = 0, max_version = 0;
+ int min_version = 0, max_version = 0, prot_opt = 0, no_prot_opt = 0;
 local_argc = argc;
 local_argv = argv;
@@ -984,6 +988,17 @@ int s_server_main(int argc, char *argv[])
 prog = opt_init(argc, argv, s_server_options);
 while ((o = opt_next()) != OPT_EOF) {
+ if (IS_PROT_FLAG(o) && ++prot_opt > 1) {
+ BIO_printf(bio_err, "Cannot supply multiple protocol flags\n");
+ goto end;
+ }
+ if (IS_NO_PROT_FLAG(o))
+ no_prot_opt++;
+ if (prot_opt == 1 && no_prot_opt) {
+ BIO_printf(bio_err, "Cannot supply both a protocol flag and "
+ "\"-no_<prot>\"\n");
+ goto end;
+ }
 switch (o) {
 case OPT_EOF:
 case OPT_ERR: |
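Review bot: The new `IS_PROT_FLAG(o)` macro in the first hunk uses its argument unparenthesised and evaluates it up to seven times, so it is only safe when called with a plain variable, as the option loop does with `o`. Writing each comparison as `(o) == OPT_SSL3`, or replacing the macro with a small static helper function, removes that hazard. The list is also hard-coded, so a protocol option added later would silently bypass the conflict check unless it is added here too. A comment such as `/* Options that pin one protocol version; at most one may be given. Keep in sync with the protocol options. */` above the macro would make that visible.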
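Review bot: `IS_NO_PROT_FLAG` is used in the new checks at the top of the option loop (third hunk), but this file's diff defines only `IS_PROT_FLAG`. Because the page is limited to apps/s_server.c, it is presumably defined in a shared apps header, and it is worth confirming that its list matches the `-no_<prot>` options s_server actually accepts. The counter is also incremented inside the condition (`++prot_opt > 1`), which is easy to miss, so I would add a comment above the block: `/* At most one protocol flag, and never together with -no_<prot>; checked on every option so flag order does not matter */`. The `end` label and the rest of s_server_main lie outside the hunk, so the exit status on these two error paths cannot be confirmed from here.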