Disallow multiple protocol flags to s_server and s_client

We shouldn't allow both "-tls1" and "-tls1_2", or "-tls1" and "-no_tls1_2". The only time multiple flags are allowed is where they are all "-no_<prot>". This fixes Github Issue #1268 Reviewed-by: N Rich Salz <rsalz@openssl.org>

Disallow multiple protocol flags to s_server and s_client
We shouldn't allow both "-tls1" and "-tls1_2", or "-tls1" and "-no_tls1_2". The only time multiple flags are allowed is where they are all "-no_<prot>". This fixes Github Issue #1268 Reviewed-by: N Rich Salz <rsalz@openssl.org>
4bbd4ba6 · Matt Caswell · 3503549e · 4bbd4ba6 · 4bbd4ba6 · 4bbd4ba6
隐藏空白更改
内联并排

Showing with 38 addition and 2 deletion

apps/apps.h apps/apps.h +4 -0

apps/s_client.c apps/s_client.c +18 -1

apps/s_server.c apps/s_server.c +16 -1

未找到文件。
--- a/apps/apps.h
+++ b/apps/apps.h
@@ -274,6 +274,10 @@ int has_stdin_waiting(void);
        case OPT_S_DHPARAM: \
        case OPT_S_DEBUGBROKE
+#define IS_NO_PROT_FLAG(o) \
+ (o == OPT_S_NOSSL3 || o == OPT_S_NOTLS1 || o == OPT_S_NOTLS1_1 \
+  || o == OPT_S_NOTLS1_2)
 /*
 * Option parsing.
 */

--- a/apps/s_client.c
+++ b/apps/s_client.c
@@ -768,6 +768,10 @@ static const OPT_PAIR services[] = {
 (o == OPT_4 || o == OPT_6 || o == OPT_HOST || o == OPT_PORT || o == OPT_CONNECT)
 #define IS_UNIX_FLAG(o) (o == OPT_UNIX)
+#define IS_PROT_FLAG(o) \
+ (o == OPT_SSL3 || o == OPT_TLS1 || o == OPT_TLS1_1 || o == OPT_TLS1_2 \
+  || o == OPT_DTLS || o == OPT_DTLS1 || o == OPT_DTLS1_2)
 /* Free |*dest| and optionally set it to a copy of |source|. */
 static void freeandcopy(char **dest, const char *source)
 {
@@ -851,7 +855,7 @@ int s_client_main(int argc, char **argv)
    char *ctlog_file = NULL;
    int ct_validation = 0;
 #endif
-    int min_version = 0, max_version = 0;
+    int min_version = 0, max_version = 0, prot_opt = 0, no_prot_opt = 0;
    int async = 0;
    unsigned int split_send_fragment = 0;
    unsigned int max_pipelines = 0;
@@ -905,6 +909,19 @@ int s_client_main(int argc, char **argv)
                prog);
            goto end;
        }
+        if (IS_PROT_FLAG(o) && ++prot_opt > 1) {
+            BIO_printf(bio_err, "Cannot supply multiple protocol flags\n");
+            goto end;
+        }
+        if (IS_NO_PROT_FLAG(o))
+            no_prot_opt++;
+        if (prot_opt == 1 && no_prot_opt) {
+            BIO_printf(bio_err, "Cannot supply both a protocol flag and "
+                                "\"-no_<prot>\"\n");
+            goto end;
+        }
        switch (o) {
        case OPT_EOF:
        case OPT_ERR:

--- a/apps/s_server.c
+++ b/apps/s_server.c
@@ -910,6 +910,10 @@ OPTIONS s_server_options[] = {
    {NULL, OPT_EOF, 0, NULL}
 };
+#define IS_PROT_FLAG(o) \
+ (o == OPT_SSL3 || o == OPT_TLS1 || o == OPT_TLS1_1 || o == OPT_TLS1_2 \
+  || o == OPT_DTLS || o == OPT_DTLS1 || o == OPT_DTLS1_2)
 int s_server_main(int argc, char *argv[])
 {
    ENGINE *engine = NULL;
@@ -970,7 +974,7 @@ int s_server_main(int argc, char *argv[])
    char *srpuserseed = NULL;
    char *srp_verifier_file = NULL;
 #endif
-    int min_version = 0, max_version = 0;
+    int min_version = 0, max_version = 0, prot_opt = 0, no_prot_opt = 0;
    local_argc = argc;
    local_argv = argv;
@@ -984,6 +988,17 @@ int s_server_main(int argc, char *argv[])
    prog = opt_init(argc, argv, s_server_options);
    while ((o = opt_next()) != OPT_EOF) {
+        if (IS_PROT_FLAG(o) && ++prot_opt > 1) {
+            BIO_printf(bio_err, "Cannot supply multiple protocol flags\n");
+            goto end;
+        }
+        if (IS_NO_PROT_FLAG(o))
+            no_prot_opt++;
+        if (prot_opt == 1 && no_prot_opt) {
+            BIO_printf(bio_err, "Cannot supply both a protocol flag and "
+                                "\"-no_<prot>\"\n");
+            goto end;
+        }
        switch (o) {
        case OPT_EOF:
        case OPT_ERR: