../deps/openssl/openssl/apps/s

Bug Summary

File:	out/../deps/openssl/openssl/apps/s_server.c
Warning:	line 2617, column 21 Value stored to 'i' is never read

Annotated Source Code

Press '?' to see keyboard shortcuts

Show analyzer invocation

clang -cc1 -cc1 -triple x86_64-unknown-linux-gnu -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name s_server.c -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 2 -pic-is-pie -mframe-pointer=all -fmath-errno -ffp-contract=on -fno-rounding-math -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/home/maurizio/node-v18.6.0/out -resource-dir /usr/local/lib/clang/16.0.0 -D V8_DEPRECATION_WARNINGS -D V8_IMMINENT_DEPRECATION_WARNINGS -D _GLIBCXX_USE_CXX11_ABI=1 -D NODE_OPENSSL_CONF_NAME=nodejs_conf -D NODE_OPENSSL_HAS_QUIC -D __STDC_FORMAT_MACROS -D OPENSSL_NO_PINSHARED -D OPENSSL_THREADS -D OPENSSL_API_COMPAT=0x10100001L -D NDEBUG -D OPENSSL_USE_NODELETE -D L_ENDIAN -D OPENSSL_BUILDING_OPENSSL -D AES_ASM -D BSAES_ASM -D CMLL_ASM -D ECP_NISTZ256_ASM -D GHASH_ASM -D KECCAK1600_ASM -D MD5_ASM -D OPENSSL_BN_ASM_GF2m -D OPENSSL_BN_ASM_MONT -D OPENSSL_BN_ASM_MONT5 -D OPENSSL_CPUID_OBJ -D OPENSSL_IA32_SSE2 -D PADLOCK_ASM -D POLY1305_ASM -D SHA1_ASM -D SHA256_ASM -D SHA512_ASM -D VPAES_ASM -D WHIRLPOOL_ASM -D X25519_ASM -D OPENSSL_PIC -D OPENSSLDIR="/etc/ssl" -D ENGINESDIR="/dev/null" -D TERMIOS -I ../deps/openssl/openssl/apps/include -I ../deps/openssl/openssl -I ../deps/openssl/openssl/include -I ../deps/openssl/openssl/crypto -I ../deps/openssl/openssl/crypto/include -I ../deps/openssl/openssl/crypto/modes -I ../deps/openssl/openssl/crypto/ec/curve448 -I ../deps/openssl/openssl/crypto/ec/curve448/arch_32 -I ../deps/openssl/openssl/providers/common/include -I ../deps/openssl/openssl/providers/implementations/include -I ../deps/openssl/config -I ../deps/openssl/config/archs/linux-x86_64/asm/include -I ../deps/openssl/openssl/include -I ../deps/openssl/openssl/crypto/include -I ../deps/openssl/config/archs/linux-x86_64/asm -internal-isystem /usr/local/lib/clang/16.0.0/include -internal-isystem /usr/local/include -internal-isystem /usr/lib/gcc/x86_64-redhat-linux/8/../../../../x86_64-redhat-linux/include -internal-externc-isystem /include -internal-externc-isystem /usr/include -O3 -Wno-unused-parameter -Wno-missing-field-initializers -Wno-old-style-declaration -fdebug-compilation-dir=/home/maurizio/node-v18.6.0/out -ferror-limit 19 -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /tmp/scan-build-2022-08-22-142216-507842-1 -x c ../deps/openssl/openssl/apps/s_server.c

1	/*
2	* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
3	* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
4	* Copyright 2005 Nokia. All rights reserved.
5	*
6	* Licensed under the Apache License 2.0 (the "License"). You may not use
7	* this file except in compliance with the License. You can obtain a copy
8	* in the file LICENSE in the source distribution or at
9	* https://www.openssl.org/source/license.html
10	*/
11
12	#include <ctype.h>
13	#include <stdio.h>
14	#include <stdlib.h>
15	#include <string.h>
16	#if defined(_WIN32)
17	/* Included before async.h to avoid some warnings */
18	# include <windows.h>
19	#endif
20
21	#include <openssl/e_os2.h>
22	#include <openssl/async.h>
23	#include <openssl/ssl.h>
24	#include <openssl/decoder.h>
25
26	#ifndef OPENSSL_NO_SOCK
27
28	/*
29	* With IPv6, it looks like Digital has mixed up the proper order of
30	* recursive header file inclusion, resulting in the compiler complaining
31	* that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which is
32	* needed to have fileno() declared correctly... So let's define u_int
33	*/
34	#if defined(OPENSSL_SYS_VMS_DECC) && !defined(__U_INT)
35	# define __U_INT
36	typedef unsigned int u_int;
37	#endif
38
39	#include <openssl/bn.h>
40	#include "apps.h"
41	#include "progs.h"
42	#include <openssl/err.h>
43	#include <openssl/pem.h>
44	#include <openssl/x509.h>
45	#include <openssl/ssl.h>
46	#include <openssl/rand.h>
47	#include <openssl/ocsp.h>
48	#ifndef OPENSSL_NO_DH
49	# include <openssl/dh.h>
50	#endif
51	#include <openssl/rsa.h>
52	#include "s_apps.h"
53	#include "timeouts.h"
54	#ifdef CHARSET_EBCDIC
55	#include <openssl/ebcdic.h>
56	#endif
57	#include "internal/sockets.h"
58
59	static int not_resumable_sess_cb(SSL *s, int is_forward_secure);
60	static int sv_body(int s, int stype, int prot, unsigned char *context);
61	static int www_body(int s, int stype, int prot, unsigned char *context);
62	static int rev_body(int s, int stype, int prot, unsigned char *context);
63	static void close_accept_socket(void);
64	static int init_ssl_connection(SSL *s);
65	static void print_stats(BIO bp, SSL_CTX ctx);
66	static int generate_session_id(SSL ssl, unsigned char id,
67	unsigned int *id_len);
68	static void init_session_cache_ctx(SSL_CTX *sctx);
69	static void free_sessions(void);
70	static void print_connection_info(SSL *con);
71
72	static const int bufsize = 16 * 1024;
73	static int accept_socket = -1;
74
75	#define TEST_CERT"server.pem" "server.pem"
76	#define TEST_CERT2"server2.pem" "server2.pem"
77
78	static int s_nbio = 0;
79	static int s_nbio_test = 0;
80	static int s_crlf = 0;
81	static SSL_CTX ctx = NULL((void)0);
82	static SSL_CTX ctx2 = NULL((void)0);
83	static int www = 0;
84
85	static BIO bio_s_out = NULL((void)0);
86	static BIO bio_s_msg = NULL((void)0);
87	static int s_debug = 0;
88	static int s_tlsextdebug = 0;
89	static int s_msg = 0;
90	static int s_quiet = 0;
91	static int s_ign_eof = 0;
92	static int s_brief = 0;
93
94	static char keymatexportlabel = NULL((void)0);
95	static int keymatexportlen = 20;
96
97	static int async = 0;
98
99	static int use_sendfile = 0;
100
101	static const char session_id_prefix = NULL((void)0);
102
103	#ifndef OPENSSL_NO_DTLS
104	static int enable_timeouts = 0;
105	static long socket_mtu;
106	#endif
107
108	/*
109	* We define this but make it always be 0 in no-dtls builds to simplify the
110	* code.
111	*/
112	static int dtlslisten = 0;
113	static int stateless = 0;
114
115	static int early_data = 0;
116	static SSL_SESSION psksess = NULL((void)0);
117
118	static char *psk_identity = "Client_identity";
119	char psk_key = NULL((void)0); /* by default PSK is not used */
120
121	static char http_server_binmode = 0; /* for now: 0/1 = default/binary */
122
123	#ifndef OPENSSL_NO_PSK
124	static unsigned int psk_server_cb(SSL ssl, const char identity,
125	unsigned char *psk,
126	unsigned int max_psk_len)
127	{
128	long key_len = 0;
129	unsigned char *key;
130
131	if (s_debug)
132	BIO_printf(bio_s_out, "psk_server_cb\n");
133
134	if (!SSL_is_dtls(ssl) && SSL_version(ssl) >= TLS1_3_VERSION0x0304) {
135	/*
136	* This callback is designed for use in (D)TLSv1.2 (or below). It is
137	* possible to use a single callback for all protocol versions - but it
138	* is preferred to use a dedicated callback for TLSv1.3. For TLSv1.3 we
139	* have psk_find_session_cb.
140	*/
141	return 0;
142	}
143
144	if (identity == NULL((void*)0)) {
145	BIO_printf(bio_err, "Error: client did not send PSK identity\n");
146	goto out_err;
147	}
148	if (s_debug)
149	BIO_printf(bio_s_out, "identity_len=%d identity=%s\n",
150	(int)strlen(identity), identity);
151
152	/* here we could lookup the given identity e.g. from a database */
153	if (strcmp(identity, psk_identity) != 0) {
154	BIO_printf(bio_s_out, "PSK warning: client identity not what we expected"
155	" (got '%s' expected '%s')\n", identity, psk_identity);
156	} else {
157	if (s_debug)
158	BIO_printf(bio_s_out, "PSK client identity found\n");
159	}
160
161	/* convert the PSK key to binary */
162	key = OPENSSL_hexstr2buf(psk_key, &key_len);
163	if (key == NULL((void*)0)) {
164	BIO_printf(bio_err, "Could not convert PSK key '%s' to buffer\n",
165	psk_key);
166	return 0;
167	}
168	if (key_len > (int)max_psk_len) {
169	BIO_printf(bio_err,
170	"psk buffer of callback is too small (%d) for key (%ld)\n",
171	max_psk_len, key_len);
172	OPENSSL_free(key)CRYPTO_free(key, "../deps/openssl/openssl/apps/s_server.c", 172 );
173	return 0;
174	}
175
176	memcpy(psk, key, key_len);
177	OPENSSL_free(key)CRYPTO_free(key, "../deps/openssl/openssl/apps/s_server.c", 177 );
178
179	if (s_debug)
180	BIO_printf(bio_s_out, "fetched PSK len=%ld\n", key_len);
181	return key_len;
182	out_err:
183	if (s_debug)
184	BIO_printf(bio_err, "Error in PSK server callback\n");
185	(void)BIO_flush(bio_err)(int)BIO_ctrl(bio_err,11,0,((void*)0));
186	(void)BIO_flush(bio_s_out)(int)BIO_ctrl(bio_s_out,11,0,((void*)0));
187	return 0;
188	}
189	#endif
190
191	static int psk_find_session_cb(SSL ssl, const unsigned char identity,
192	size_t identity_len, SSL_SESSION **sess)
193	{
194	SSL_SESSION tmpsess = NULL((void)0);
195	unsigned char *key;
196	long key_len;
197	const SSL_CIPHER cipher = NULL((void)0);
198
199	if (strlen(psk_identity) != identity_len
200	\|\| memcmp(psk_identity, identity, identity_len) != 0) {
201	sess = NULL((void)0);
202	return 1;
203	}
204
205	if (psksess != NULL((void*)0)) {
206	SSL_SESSION_up_ref(psksess);
207	*sess = psksess;
208	return 1;
209	}
210
211	key = OPENSSL_hexstr2buf(psk_key, &key_len);
212	if (key == NULL((void*)0)) {
213	BIO_printf(bio_err, "Could not convert PSK key '%s' to buffer\n",
214	psk_key);
215	return 0;
216	}
217
218	/* We default to SHA256 */
219	cipher = SSL_CIPHER_find(ssl, tls13_aes128gcmsha256_id);
220	if (cipher == NULL((void*)0)) {
221	BIO_printf(bio_err, "Error finding suitable ciphersuite\n");
222	OPENSSL_free(key)CRYPTO_free(key, "../deps/openssl/openssl/apps/s_server.c", 222 );
223	return 0;
224	}
225
226	tmpsess = SSL_SESSION_new();
227	if (tmpsess == NULL((void*)0)
228	\|\| !SSL_SESSION_set1_master_key(tmpsess, key, key_len)
229	\|\| !SSL_SESSION_set_cipher(tmpsess, cipher)
230	\|\| !SSL_SESSION_set_protocol_version(tmpsess, SSL_version(ssl))) {
231	OPENSSL_free(key)CRYPTO_free(key, "../deps/openssl/openssl/apps/s_server.c", 231 );
232	return 0;
233	}
234	OPENSSL_free(key)CRYPTO_free(key, "../deps/openssl/openssl/apps/s_server.c", 234 );
235	*sess = tmpsess;
236
237	return 1;
238	}
239
240	#ifndef OPENSSL_NO_SRP
241	static srpsrvparm srp_callback_parm;
242	#endif
243
244	static int local_argc = 0;
245	static char **local_argv;
246
247	#ifdef CHARSET_EBCDIC
248	static int ebcdic_new(BIO *bi);
249	static int ebcdic_free(BIO *a);
250	static int ebcdic_read(BIO b, char out, int outl);
251	static int ebcdic_write(BIO b, const char in, int inl);
252	static long ebcdic_ctrl(BIO b, int cmd, long num, void ptr);
253	static int ebcdic_gets(BIO bp, char buf, int size);
254	static int ebcdic_puts(BIO bp, const char str);
255
256	# define BIO_TYPE_EBCDIC_FILTER (18\|0x0200)
257	static BIO_METHOD methods_ebcdic = NULL((void)0);
258
259	/* This struct is "unwarranted chumminess with the compiler." */
260	typedef struct {
261	size_t alloced;
262	char buff[1];
263	} EBCDIC_OUTBUFF;
264
265	static const BIO_METHOD *BIO_f_ebcdic_filter()
266	{
267	if (methods_ebcdic == NULL((void*)0)) {
268	methods_ebcdic = BIO_meth_new(BIO_TYPE_EBCDIC_FILTER,
269	"EBCDIC/ASCII filter");
270	if (methods_ebcdic == NULL((void*)0)
271	\|\| !BIO_meth_set_write(methods_ebcdic, ebcdic_write)
272	\|\| !BIO_meth_set_read(methods_ebcdic, ebcdic_read)
273	\|\| !BIO_meth_set_puts(methods_ebcdic, ebcdic_puts)
274	\|\| !BIO_meth_set_gets(methods_ebcdic, ebcdic_gets)
275	\|\| !BIO_meth_set_ctrl(methods_ebcdic, ebcdic_ctrl)
276	\|\| !BIO_meth_set_create(methods_ebcdic, ebcdic_new)
277	\|\| !BIO_meth_set_destroy(methods_ebcdic, ebcdic_free))
278	return NULL((void*)0);
279	}
280	return methods_ebcdic;
281	}
282
283	static int ebcdic_new(BIO *bi)
284	{
285	EBCDIC_OUTBUFF *wbuf;
286
287	wbuf = app_malloc(sizeof(*wbuf) + 1024, "ebcdic wbuf");
288	wbuf->alloced = 1024;
289	wbuf->buff[0] = '\0';
290
291	BIO_set_data(bi, wbuf);
292	BIO_set_init(bi, 1);
293	return 1;
294	}
295
296	static int ebcdic_free(BIO *a)
297	{
298	EBCDIC_OUTBUFF *wbuf;
299
300	if (a == NULL((void*)0))
301	return 0;
302	wbuf = BIO_get_data(a);
303	OPENSSL_free(wbuf)CRYPTO_free(wbuf, "../deps/openssl/openssl/apps/s_server.c", 303 );
304	BIO_set_data(a, NULL((void*)0));
305	BIO_set_init(a, 0);
306
307	return 1;
308	}
309
310	static int ebcdic_read(BIO b, char out, int outl)
311	{
312	int ret = 0;
313	BIO *next = BIO_next(b);
314
315	if (out == NULL((void*)0) \|\| outl == 0)
316	return 0;
317	if (next == NULL((void*)0))
318	return 0;
319
320	ret = BIO_read(next, out, outl);
321	if (ret > 0)
322	ascii2ebcdic(out, out, ret);
323	return ret;
324	}
325
326	static int ebcdic_write(BIO b, const char in, int inl)
327	{
328	EBCDIC_OUTBUFF *wbuf;
329	BIO *next = BIO_next(b);
330	int ret = 0;
331	int num;
332
333	if ((in == NULL((void*)0)) \|\| (inl <= 0))
334	return 0;
335	if (next == NULL((void*)0))
336	return 0;
337
338	wbuf = (EBCDIC_OUTBUFF *) BIO_get_data(b);
339
340	if (inl > (num = wbuf->alloced)) {
341	num = num + num; /* double the size */
342	if (num < inl)
343	num = inl;
344	OPENSSL_free(wbuf)CRYPTO_free(wbuf, "../deps/openssl/openssl/apps/s_server.c", 344 );
345	wbuf = app_malloc(sizeof(*wbuf) + num, "grow ebcdic wbuf");
346
347	wbuf->alloced = num;
348	wbuf->buff[0] = '\0';
349
350	BIO_set_data(b, wbuf);
351	}
352
353	ebcdic2ascii(wbuf->buff, in, inl);
354
355	ret = BIO_write(next, wbuf->buff, inl);
356
357	return ret;
358	}
359
360	static long ebcdic_ctrl(BIO b, int cmd, long num, void ptr)
361	{
362	long ret;
363	BIO *next = BIO_next(b);
364
365	if (next == NULL((void*)0))
366	return 0;
367	switch (cmd) {
368	case BIO_CTRL_DUP12:
369	ret = 0L;
370	break;
371	default:
372	ret = BIO_ctrl(next, cmd, num, ptr);
373	break;
374	}
375	return ret;
376	}
377
378	static int ebcdic_gets(BIO bp, char buf, int size)
379	{
380	int i, ret = 0;
381	BIO *next = BIO_next(bp);
382
383	if (next == NULL((void*)0))
384	return 0;
385	/* return(BIO_gets(bp->next_bio,buf,size));*/
386	for (i = 0; i < size - 1; ++i) {
387	ret = ebcdic_read(bp, &buf[i], 1);
388	if (ret <= 0)
389	break;
390	else if (buf[i] == '\n') {
391	++i;
392	break;
393	}
394	}
395	if (i < size)
396	buf[i] = '\0';
397	return (ret < 0 && i == 0) ? ret : i;
398	}
399
400	static int ebcdic_puts(BIO bp, const char str)
401	{
402	if (BIO_next(bp) == NULL((void*)0))
403	return 0;
404	return ebcdic_write(bp, str, strlen(str));
405	}
406	#endif
407
408	/* This is a context that we pass to callbacks */
409	typedef struct tlsextctx_st {
410	char *servername;
411	BIO *biodebug;
412	int extension_error;
413	} tlsextctx;
414
415	static int ssl_servername_cb(SSL s, int ad, void *arg)
416	{
417	tlsextctx p = (tlsextctx ) arg;
418	const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name0);
419
420	if (servername != NULL((void)0) && p->biodebug != NULL((void)0)) {
421	const char *cp = servername;
422	unsigned char uc;
423
424	BIO_printf(p->biodebug, "Hostname in TLS extension: \"");
425	while ((uc = *cp++) != 0)
426	BIO_printf(p->biodebug,
427	(((uc) & ~127) == 0) && isprint(uc)((*__ctype_b_loc ())[(int) ((uc))] & (unsigned short int) _ISprint) ? "%c" : "\\x%02x", uc);
428	BIO_printf(p->biodebug, "\"\n");
429	}
430
431	if (p->servername == NULL((void*)0))
432	return SSL_TLSEXT_ERR_NOACK3;
433
434	if (servername != NULL((void*)0)) {
435	if (OPENSSL_strcasecmp(servername, p->servername))
436	return p->extension_error;
437	if (ctx2 != NULL((void*)0)) {
438	BIO_printf(p->biodebug, "Switching server context.\n");
439	SSL_set_SSL_CTX(s, ctx2);
440	}
441	}
442	return SSL_TLSEXT_ERR_OK0;
443	}
444
445	/* Structure passed to cert status callback */
446	typedef struct tlsextstatusctx_st {
447	int timeout;
448	/* File to load OCSP Response from (or NULL if no file) */
449	char *respin;
450	/* Default responder to use */
451	char host, path, *port;
452	char proxy, no_proxy;
453	int use_ssl;
454	int verbose;
455	} tlsextstatusctx;
456
457	static tlsextstatusctx tlscstatp = { -1 };
458
459	#ifndef OPENSSL_NO_OCSP
460
461	/*
462	* Helper function to get an OCSP_RESPONSE from a responder. This is a
463	* simplified version. It examines certificates each time and makes one OCSP
464	* responder query for each request. A full version would store details such as
465	* the OCSP certificate IDs and minimise the number of OCSP responses by caching
466	* them until they were considered "expired".
467	*/
468	static int get_ocsp_resp_from_responder(SSL s, tlsextstatusctx srctx,
469	OCSP_RESPONSE **resp)
470	{
471	char host = NULL((void)0), port = NULL((void)0), path = NULL((void)0);
472	char proxy = NULL((void)0), no_proxy = NULL((void)0);
473	int use_ssl;
474	STACK_OF(OPENSSL_STRING)struct stack_st_OPENSSL_STRING aia = NULL((void)0);
475	X509 x = NULL((void)0);
476	X509_STORE_CTX inctx = NULL((void)0);
477	X509_OBJECT *obj;
478	OCSP_REQUEST req = NULL((void)0);
479	OCSP_CERTID id = NULL((void)0);
480	STACK_OF(X509_EXTENSION)struct stack_st_X509_EXTENSION *exts;
481	int ret = SSL_TLSEXT_ERR_NOACK3;
482	int i;
483
484	/* Build up OCSP query from server certificate */
485	x = SSL_get_certificate(s);
486	aia = X509_get1_ocsp(x);
487	if (aia != NULL((void*)0)) {
488	if (!OSSL_HTTP_parse_url(sk_OPENSSL_STRING_value(aia, 0)((char *)OPENSSL_sk_value(ossl_check_const_OPENSSL_STRING_sk_type (aia), (0))), &use_ssl,
489	NULL((void)0), &host, &port, NULL((void)0), &path, NULL((void)0), NULL((void)0))) {
490	BIO_puts(bio_err, "cert_status: can't parse AIA URL\n");
491	goto err;
492	}
493	if (srctx->verbose)
494	BIO_printf(bio_err, "cert_status: AIA URL: %s\n",
495	sk_OPENSSL_STRING_value(aia, 0)((char *)OPENSSL_sk_value(ossl_check_const_OPENSSL_STRING_sk_type (aia), (0))));
496	} else {
497	if (srctx->host == NULL((void*)0)) {
498	BIO_puts(bio_err,
499	"cert_status: no AIA and no default responder URL\n");
500	goto done;
501	}
502	host = srctx->host;
503	path = srctx->path;
504	port = srctx->port;
505	use_ssl = srctx->use_ssl;
506	}
507	proxy = srctx->proxy;
508	no_proxy = srctx->no_proxy;
509
510	inctx = X509_STORE_CTX_new();
511	if (inctx == NULL((void*)0))
512	goto err;
513	if (!X509_STORE_CTX_init(inctx,
514	SSL_CTX_get_cert_store(SSL_get_SSL_CTX(s)),
515	NULL((void)0), NULL((void)0)))
516	goto err;
517	obj = X509_STORE_CTX_get_obj_by_subject(inctx, X509_LU_X509,
518	X509_get_issuer_name(x));
519	if (obj == NULL((void*)0)) {
520	BIO_puts(bio_err, "cert_status: Can't retrieve issuer certificate.\n");
521	goto done;
522	}
523	id = OCSP_cert_to_id(NULL((void*)0), x, X509_OBJECT_get0_X509(obj));
524	X509_OBJECT_free(obj);
525	if (id == NULL((void*)0))
526	goto err;
527	req = OCSP_REQUEST_new();
528	if (req == NULL((void*)0))
529	goto err;
530	if (!OCSP_request_add0_id(req, id))
531	goto err;
532	id = NULL((void*)0);
533	/* Add any extensions to the request */
534	SSL_get_tlsext_status_exts(s, &exts)SSL_ctrl(s,66,0,&exts);
535	for (i = 0; i < sk_X509_EXTENSION_num(exts)OPENSSL_sk_num(ossl_check_const_X509_EXTENSION_sk_type(exts)); i++) {
536	X509_EXTENSION ext = sk_X509_EXTENSION_value(exts, i)((X509_EXTENSION )OPENSSL_sk_value(ossl_check_const_X509_EXTENSION_sk_type (exts), (i)));
537	if (!OCSP_REQUEST_add_ext(req, ext, -1))
538	goto err;
539	}
540	*resp = process_responder(req, host, port, path, proxy, no_proxy,
541	use_ssl, NULL((void)0) / headers */, srctx->timeout);
542	if (resp == NULL((void)0)) {
543	BIO_puts(bio_err, "cert_status: error querying responder\n");
544	goto done;
545	}
546
547	ret = SSL_TLSEXT_ERR_OK0;
548	goto done;
549
550	err:
551	ret = SSL_TLSEXT_ERR_ALERT_FATAL2;
552	done:
553	/*
554	* If we parsed aia we need to free; otherwise they were copied and we
555	* don't
556	*/
557	if (aia != NULL((void*)0)) {
558	OPENSSL_free(host)CRYPTO_free(host, "../deps/openssl/openssl/apps/s_server.c", 558 );
559	OPENSSL_free(path)CRYPTO_free(path, "../deps/openssl/openssl/apps/s_server.c", 559 );
560	OPENSSL_free(port)CRYPTO_free(port, "../deps/openssl/openssl/apps/s_server.c", 560 );
561	X509_email_free(aia);
562	}
563	OCSP_CERTID_free(id);
564	OCSP_REQUEST_free(req);
565	X509_STORE_CTX_free(inctx);
566	return ret;
567	}
568
569	/*
570	* Certificate Status callback. This is called when a client includes a
571	* certificate status request extension. The response is either obtained from a
572	* file, or from an OCSP responder.
573	*/
574	static int cert_status_cb(SSL s, void arg)
575	{
576	tlsextstatusctx *srctx = arg;
577	OCSP_RESPONSE resp = NULL((void)0);
578	unsigned char rspder = NULL((void)0);
579	int rspderlen;
580	int ret = SSL_TLSEXT_ERR_ALERT_FATAL2;
581
582	if (srctx->verbose)
583	BIO_puts(bio_err, "cert_status: callback called\n");
584
585	if (srctx->respin != NULL((void*)0)) {
586	BIO *derbio = bio_open_default(srctx->respin, 'r', FORMAT_ASN14);
587	if (derbio == NULL((void*)0)) {
588	BIO_puts(bio_err, "cert_status: Cannot open OCSP response file\n");
589	goto err;
590	}
591	resp = d2i_OCSP_RESPONSE_bio(derbio, NULL)((OCSP_RESPONSE)ASN1_d2i_bio( ((void ()(void)) (1 ? OCSP_RESPONSE_new : ((OCSP_RESPONSE ()(void))0))), ((d2i_of_void) (1 ? d2i_OCSP_RESPONSE : ((OCSP_RESPONSE ()(OCSP_RESPONSE *,const unsigned char ,long))0))), derbio, ((void) (1 ? ((void)0) : (OCSP_RESPONSE **)0))));
592	BIO_free(derbio);
593	if (resp == NULL((void*)0)) {
594	BIO_puts(bio_err, "cert_status: Error reading OCSP response\n");
595	goto err;
596	}
597	} else {
598	ret = get_ocsp_resp_from_responder(s, srctx, &resp);
599	if (ret != SSL_TLSEXT_ERR_OK0)
600	goto err;
601	}
602
603	rspderlen = i2d_OCSP_RESPONSE(resp, &rspder);
604	if (rspderlen <= 0)
605	goto err;
606
607	SSL_set_tlsext_status_ocsp_resp(s, rspder, rspderlen)SSL_ctrl(s,71,rspderlen,rspder);
608	if (srctx->verbose) {
609	BIO_puts(bio_err, "cert_status: ocsp response sent:\n");
610	OCSP_RESPONSE_print(bio_err, resp, 2);
611	}
612
613	ret = SSL_TLSEXT_ERR_OK0;
614
615	err:
616	if (ret != SSL_TLSEXT_ERR_OK0)
617	ERR_print_errors(bio_err);
618
619	OCSP_RESPONSE_free(resp);
620
621	return ret;
622	}
623	#endif
624
625	#ifndef OPENSSL_NO_NEXTPROTONEG
626	/* This is the context that we pass to next_proto_cb */
627	typedef struct tlsextnextprotoctx_st {
628	unsigned char *data;
629	size_t len;
630	} tlsextnextprotoctx;
631
632	static int next_proto_cb(SSL s, const unsigned char *data,
633	unsigned int len, void arg)
634	{
635	tlsextnextprotoctx *next_proto = arg;
636
637	*data = next_proto->data;
638	*len = next_proto->len;
639
640	return SSL_TLSEXT_ERR_OK0;
641	}
642	#endif /* ndef OPENSSL_NO_NEXTPROTONEG */
643
644	/* This the context that we pass to alpn_cb */
645	typedef struct tlsextalpnctx_st {
646	unsigned char *data;
647	size_t len;
648	} tlsextalpnctx;
649
650	static int alpn_cb(SSL s, const unsigned char out, unsigned char outlen,
651	const unsigned char in, unsigned int inlen, void arg)
652	{
653	tlsextalpnctx *alpn_ctx = arg;
654
655	if (!s_quiet) {
656	/* We can assume that \|in\| is syntactically valid. */
657	unsigned int i;
658	BIO_printf(bio_s_out, "ALPN protocols advertised by the client: ");
659	for (i = 0; i < inlen;) {
660	if (i)
661	BIO_write(bio_s_out, ", ", 2);
662	BIO_write(bio_s_out, &in[i + 1], in[i]);
663	i += in[i] + 1;
664	}
665	BIO_write(bio_s_out, "\n", 1);
666	}
667
668	if (SSL_select_next_proto
669	((unsigned char **)out, outlen, alpn_ctx->data, alpn_ctx->len, in,
670	inlen) != OPENSSL_NPN_NEGOTIATED1) {
671	return SSL_TLSEXT_ERR_ALERT_FATAL2;
672	}
673
674	if (!s_quiet) {
675	BIO_printf(bio_s_out, "ALPN protocols selected: ");
676	BIO_write(bio_s_out, out, outlen);
677	BIO_write(bio_s_out, "\n", 1);
678	}
679
680	return SSL_TLSEXT_ERR_OK0;
681	}
682
683	static int not_resumable_sess_cb(SSL *s, int is_forward_secure)
684	{
685	/* disable resumption for sessions with forward secure ciphers */
686	return is_forward_secure;
687	}
688
689	typedef enum OPTION_choice {
690	OPT_COMMONOPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
691	OPT_ENGINE,
692	OPT_4, OPT_6, OPT_ACCEPT, OPT_PORT, OPT_UNIX, OPT_UNLINK, OPT_NACCEPT,
693	OPT_VERIFY, OPT_NAMEOPT, OPT_UPPER_V_VERIFY, OPT_CONTEXT, OPT_CERT, OPT_CRL,
694	OPT_CRL_DOWNLOAD, OPT_SERVERINFO, OPT_CERTFORM, OPT_KEY, OPT_KEYFORM,
695	OPT_PASS, OPT_CERT_CHAIN, OPT_DHPARAM, OPT_DCERTFORM, OPT_DCERT,
696	OPT_DKEYFORM, OPT_DPASS, OPT_DKEY, OPT_DCERT_CHAIN, OPT_NOCERT,
697	OPT_CAPATH, OPT_NOCAPATH, OPT_CHAINCAPATH, OPT_VERIFYCAPATH, OPT_NO_CACHE,
698	OPT_EXT_CACHE, OPT_CRLFORM, OPT_VERIFY_RET_ERROR, OPT_VERIFY_QUIET,
699	OPT_BUILD_CHAIN, OPT_CAFILE, OPT_NOCAFILE, OPT_CHAINCAFILE,
700	OPT_VERIFYCAFILE,
701	OPT_CASTORE, OPT_NOCASTORE, OPT_CHAINCASTORE, OPT_VERIFYCASTORE,
702	OPT_NBIO, OPT_NBIO_TEST, OPT_IGN_EOF, OPT_NO_IGN_EOF,
703	OPT_DEBUG, OPT_TLSEXTDEBUG, OPT_STATUS, OPT_STATUS_VERBOSE,
704	OPT_STATUS_TIMEOUT, OPT_PROXY, OPT_NO_PROXY, OPT_STATUS_URL,
705	OPT_STATUS_FILE, OPT_MSG, OPT_MSGFILE,
706	OPT_TRACE, OPT_SECURITY_DEBUG, OPT_SECURITY_DEBUG_VERBOSE, OPT_STATE,
707	OPT_CRLF, OPT_QUIET, OPT_BRIEF, OPT_NO_DHE,
708	OPT_NO_RESUME_EPHEMERAL, OPT_PSK_IDENTITY, OPT_PSK_HINT, OPT_PSK,
709	OPT_PSK_SESS, OPT_SRPVFILE, OPT_SRPUSERSEED, OPT_REV, OPT_WWW,
710	OPT_UPPER_WWW, OPT_HTTP, OPT_ASYNC, OPT_SSL_CONFIG,
711	OPT_MAX_SEND_FRAG, OPT_SPLIT_SEND_FRAG, OPT_MAX_PIPELINES, OPT_READ_BUF,
712	OPT_SSL3, OPT_TLS1_3, OPT_TLS1_2, OPT_TLS1_1, OPT_TLS1, OPT_DTLS, OPT_DTLS1,
713	OPT_DTLS1_2, OPT_SCTP, OPT_TIMEOUT, OPT_MTU, OPT_LISTEN, OPT_STATELESS,
714	OPT_ID_PREFIX, OPT_SERVERNAME, OPT_SERVERNAME_FATAL,
715	OPT_CERT2, OPT_KEY2, OPT_NEXTPROTONEG, OPT_ALPN, OPT_SENDFILE,
716	OPT_SRTP_PROFILES, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN,
717	OPT_KEYLOG_FILE, OPT_MAX_EARLY, OPT_RECV_MAX_EARLY, OPT_EARLY_DATA,
718	OPT_S_NUM_TICKETS, OPT_ANTI_REPLAY, OPT_NO_ANTI_REPLAY, OPT_SCTP_LABEL_BUG,
719	OPT_HTTP_SERVER_BINMODE, OPT_NOCANAMES, OPT_IGNORE_UNEXPECTED_EOF,
720	OPT_R_ENUMOPT_R__FIRST=1500, OPT_R_RAND, OPT_R_WRITERAND, OPT_R__LAST,
721	OPT_S_ENUMOPT_S__FIRST=3000, OPT_S_NOSSL3, OPT_S_NOTLS1, OPT_S_NOTLS1_1 , OPT_S_NOTLS1_2, OPT_S_NOTLS1_3, OPT_S_BUGS, OPT_S_NO_COMP, OPT_S_NOTICKET , OPT_S_SERVERPREF, OPT_S_LEGACYRENEG, OPT_S_CLIENTRENEG, OPT_S_LEGACYCONN , OPT_S_ONRESUMP, OPT_S_NOLEGACYCONN, OPT_S_ALLOW_NO_DHE_KEX, OPT_S_PRIORITIZE_CHACHA, OPT_S_STRICT, OPT_S_SIGALGS, OPT_S_CLIENTSIGALGS , OPT_S_GROUPS, OPT_S_CURVES, OPT_S_NAMEDCURVE, OPT_S_CIPHER, OPT_S_CIPHERSUITES, OPT_S_RECORD_PADDING, OPT_S_DEBUGBROKE, OPT_S_COMP , OPT_S_MINPROTO, OPT_S_MAXPROTO, OPT_S_NO_RENEGOTIATION, OPT_S_NO_MIDDLEBOX , OPT_S_NO_ETM, OPT_S__LAST,
722	OPT_V_ENUMOPT_V__FIRST=2000, OPT_V_POLICY, OPT_V_PURPOSE, OPT_V_VERIFY_NAME , OPT_V_VERIFY_DEPTH, OPT_V_ATTIME, OPT_V_VERIFY_HOSTNAME, OPT_V_VERIFY_EMAIL , OPT_V_VERIFY_IP, OPT_V_IGNORE_CRITICAL, OPT_V_ISSUER_CHECKS , OPT_V_CRL_CHECK, OPT_V_CRL_CHECK_ALL, OPT_V_POLICY_CHECK, OPT_V_EXPLICIT_POLICY , OPT_V_INHIBIT_ANY, OPT_V_INHIBIT_MAP, OPT_V_X509_STRICT, OPT_V_EXTENDED_CRL , OPT_V_USE_DELTAS, OPT_V_POLICY_PRINT, OPT_V_CHECK_SS_SIG, OPT_V_TRUSTED_FIRST , OPT_V_SUITEB_128_ONLY, OPT_V_SUITEB_128, OPT_V_SUITEB_192, OPT_V_PARTIAL_CHAIN , OPT_V_NO_ALT_CHAINS, OPT_V_NO_CHECK_TIME, OPT_V_VERIFY_AUTH_LEVEL , OPT_V_ALLOW_PROXY_CERTS, OPT_V__LAST,
723	OPT_X_ENUMOPT_X__FIRST=1000, OPT_X_KEY, OPT_X_CERT, OPT_X_CHAIN, OPT_X_CHAIN_BUILD , OPT_X_CERTFORM, OPT_X_KEYFORM, OPT_X__LAST,
724	OPT_PROV_ENUMOPT_PROV__FIRST=1600, OPT_PROV_PROVIDER, OPT_PROV_PROVIDER_PATH , OPT_PROV_PROPQUERY, OPT_PROV__LAST
725	} OPTION_CHOICE;
726
727	const OPTIONS s_server_options[] = {
728	OPT_SECTION("General"){ OPT_SECTION_STR, 1, '-', "General" " options:\n" },
729	{"help", OPT_HELP, '-', "Display this summary"},
730	{"ssl_config", OPT_SSL_CONFIG, 's',
731	"Configure SSL_CTX using the given configuration value"},
732	#ifndef OPENSSL_NO_SSL_TRACE
733	{"trace", OPT_TRACE, '-', "trace protocol messages"},
734	#endif
735	#ifndef OPENSSL_NO_ENGINE
736	{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
737	#endif
738
739	OPT_SECTION("Network"){ OPT_SECTION_STR, 1, '-', "Network" " options:\n" },
740	{"port", OPT_PORT, 'p',
741	"TCP/IP port to listen on for connections (default is " PORT"4433" ")"},
742	{"accept", OPT_ACCEPT, 's',
743	"TCP/IP optional host and port to listen on for connections (default is *:" PORT"4433" ")"},
744	#ifdef AF_UNIX1
745	{"unix", OPT_UNIX, 's', "Unix domain socket to accept on"},
746	{"unlink", OPT_UNLINK, '-', "For -unix, unlink existing socket first"},
747	#endif
748	{"4", OPT_4, '-', "Use IPv4 only"},
749	{"6", OPT_6, '-', "Use IPv6 only"},
750
751	OPT_SECTION("Identity"){ OPT_SECTION_STR, 1, '-', "Identity" " options:\n" },
752	{"context", OPT_CONTEXT, 's', "Set session ID context"},
753	{"CAfile", OPT_CAFILE, '<', "PEM format file of CA's"},
754	{"CApath", OPT_CAPATH, '/', "PEM format directory of CA's"},
755	{"CAstore", OPT_CASTORE, ':', "URI to store of CA's"},
756	{"no-CAfile", OPT_NOCAFILE, '-',
757	"Do not load the default certificates file"},
758	{"no-CApath", OPT_NOCAPATH, '-',
759	"Do not load certificates from the default certificates directory"},
760	{"no-CAstore", OPT_NOCASTORE, '-',
761	"Do not load certificates from the default certificates store URI"},
762	{"nocert", OPT_NOCERT, '-', "Don't use any certificates (Anon-DH)"},
763	{"verify", OPT_VERIFY, 'n', "Turn on peer certificate verification"},
764	{"Verify", OPT_UPPER_V_VERIFY, 'n',
765	"Turn on peer certificate verification, must have a cert"},
766	{"nameopt", OPT_NAMEOPT, 's', "Certificate subject/issuer name printing options"},
767	{"cert", OPT_CERT, '<', "Server certificate file to use; default " TEST_CERT"server.pem"},
768	{"cert2", OPT_CERT2, '<',
769	"Certificate file to use for servername; default " TEST_CERT2"server2.pem"},
770	{"certform", OPT_CERTFORM, 'F',
771	"Server certificate file format (PEM/DER/P12); has no effect"},
772	{"cert_chain", OPT_CERT_CHAIN, '<',
773	"Server certificate chain file in PEM format"},
774	{"build_chain", OPT_BUILD_CHAIN, '-', "Build server certificate chain"},
775	{"serverinfo", OPT_SERVERINFO, 's',
776	"PEM serverinfo file for certificate"},
777	{"key", OPT_KEY, 's',
778	"Private key file to use; default is -cert file or else" TEST_CERT"server.pem"},
779	{"key2", OPT_KEY2, '<',
780	"-Private Key file to use for servername if not in -cert2"},
781	{"keyform", OPT_KEYFORM, 'f', "Key format (ENGINE, other values ignored)"},
782	{"pass", OPT_PASS, 's', "Private key and cert file pass phrase source"},
783	{"dcert", OPT_DCERT, '<',
784	"Second server certificate file to use (usually for DSA)"},
785	{"dcertform", OPT_DCERTFORM, 'F',
786	"Second server certificate file format (PEM/DER/P12); has no effect"},
787	{"dcert_chain", OPT_DCERT_CHAIN, '<',
788	"second server certificate chain file in PEM format"},
789	{"dkey", OPT_DKEY, '<',
790	"Second private key file to use (usually for DSA)"},
791	{"dkeyform", OPT_DKEYFORM, 'F',
792	"Second key file format (ENGINE, other values ignored)"},
793	{"dpass", OPT_DPASS, 's',
794	"Second private key and cert file pass phrase source"},
795	{"dhparam", OPT_DHPARAM, '<', "DH parameters file to use"},
796	{"servername", OPT_SERVERNAME, 's',
797	"Servername for HostName TLS extension"},
798	{"servername_fatal", OPT_SERVERNAME_FATAL, '-',
799	"On servername mismatch send fatal alert (default warning alert)"},
800	{"nbio_test", OPT_NBIO_TEST, '-', "Test with the non-blocking test bio"},
801	{"crlf", OPT_CRLF, '-', "Convert LF from terminal into CRLF"},
802	{"quiet", OPT_QUIET, '-', "No server output"},
803	{"no_resume_ephemeral", OPT_NO_RESUME_EPHEMERAL, '-',
804	"Disable caching and tickets if ephemeral (EC)DH is used"},
805	{"www", OPT_WWW, '-', "Respond to a 'GET /' with a status page"},
806	{"WWW", OPT_UPPER_WWW, '-', "Respond to a 'GET with the file ./path"},
807	{"ignore_unexpected_eof", OPT_IGNORE_UNEXPECTED_EOF, '-',
808	"Do not treat lack of close_notify from a peer as an error"},
809	{"tlsextdebug", OPT_TLSEXTDEBUG, '-',
810	"Hex dump of all TLS extensions received"},
811	{"HTTP", OPT_HTTP, '-', "Like -WWW but ./path includes HTTP headers"},
812	{"id_prefix", OPT_ID_PREFIX, 's',
813	"Generate SSL/TLS session IDs prefixed by arg"},
814	{"keymatexport", OPT_KEYMATEXPORT, 's',
815	"Export keying material using label"},
816	{"keymatexportlen", OPT_KEYMATEXPORTLEN, 'p',
817	"Export len bytes of keying material; default 20"},
818	{"CRL", OPT_CRL, '<', "CRL file to use"},
819	{"CRLform", OPT_CRLFORM, 'F', "CRL file format (PEM or DER); default PEM"},
820	{"crl_download", OPT_CRL_DOWNLOAD, '-',
821	"Download CRLs from distribution points in certificate CDP entries"},
822	{"chainCAfile", OPT_CHAINCAFILE, '<',
823	"CA file for certificate chain (PEM format)"},
824	{"chainCApath", OPT_CHAINCAPATH, '/',
825	"use dir as certificate store path to build CA certificate chain"},
826	{"chainCAstore", OPT_CHAINCASTORE, ':',
827	"use URI as certificate store to build CA certificate chain"},
828	{"verifyCAfile", OPT_VERIFYCAFILE, '<',
829	"CA file for certificate verification (PEM format)"},
830	{"verifyCApath", OPT_VERIFYCAPATH, '/',
831	"use dir as certificate store path to verify CA certificate"},
832	{"verifyCAstore", OPT_VERIFYCASTORE, ':',
833	"use URI as certificate store to verify CA certificate"},
834	{"no_cache", OPT_NO_CACHE, '-', "Disable session cache"},
835	{"ext_cache", OPT_EXT_CACHE, '-',
836	"Disable internal cache, set up and use external cache"},
837	{"verify_return_error", OPT_VERIFY_RET_ERROR, '-',
838	"Close connection on verification error"},
839	{"verify_quiet", OPT_VERIFY_QUIET, '-',
840	"No verify output except verify errors"},
841	{"ign_eof", OPT_IGN_EOF, '-', "Ignore input EOF (default when -quiet)"},
842	{"no_ign_eof", OPT_NO_IGN_EOF, '-', "Do not ignore input EOF"},
843
844	#ifndef OPENSSL_NO_OCSP
845	OPT_SECTION("OCSP"){ OPT_SECTION_STR, 1, '-', "OCSP" " options:\n" },
846	{"status", OPT_STATUS, '-', "Request certificate status from server"},
847	{"status_verbose", OPT_STATUS_VERBOSE, '-',
848	"Print more output in certificate status callback"},
849	{"status_timeout", OPT_STATUS_TIMEOUT, 'n',
850	"Status request responder timeout"},
851	{"status_url", OPT_STATUS_URL, 's', "Status request fallback URL"},
852	{"proxy", OPT_PROXY, 's',
853	"[http[s]://]host[:port][/path] of HTTP(S) proxy to use; path is ignored"},
854	{"no_proxy", OPT_NO_PROXY, 's',
855	"List of addresses of servers not to use HTTP(S) proxy for"},
856	{OPT_MORE_STR, 0, 0,
857	"Default from environment variable 'no_proxy', else 'NO_PROXY', else none"},
858	{"status_file", OPT_STATUS_FILE, '<',
859	"File containing DER encoded OCSP Response"},
860	#endif
861
862	OPT_SECTION("Debug"){ OPT_SECTION_STR, 1, '-', "Debug" " options:\n" },
863	{"security_debug", OPT_SECURITY_DEBUG, '-',
864	"Print output from SSL/TLS security framework"},
865	{"security_debug_verbose", OPT_SECURITY_DEBUG_VERBOSE, '-',
866	"Print more output from SSL/TLS security framework"},
867	{"brief", OPT_BRIEF, '-',
868	"Restrict output to brief summary of connection parameters"},
869	{"rev", OPT_REV, '-',
870	"act as an echo server that sends back received text reversed"},
871	{"debug", OPT_DEBUG, '-', "Print more output"},
872	{"msg", OPT_MSG, '-', "Show protocol messages"},
873	{"msgfile", OPT_MSGFILE, '>',
874	"File to send output of -msg or -trace, instead of stdout"},
875	{"state", OPT_STATE, '-', "Print the SSL states"},
876	{"async", OPT_ASYNC, '-', "Operate in asynchronous mode"},
877	{"max_pipelines", OPT_MAX_PIPELINES, 'p',
878	"Maximum number of encrypt/decrypt pipelines to be used"},
879	{"naccept", OPT_NACCEPT, 'p', "Terminate after #num connections"},
880	{"keylogfile", OPT_KEYLOG_FILE, '>', "Write TLS secrets to file"},
881
882	OPT_SECTION("Network"){ OPT_SECTION_STR, 1, '-', "Network" " options:\n" },
883	{"nbio", OPT_NBIO, '-', "Use non-blocking IO"},
884	{"timeout", OPT_TIMEOUT, '-', "Enable timeouts"},
885	{"mtu", OPT_MTU, 'p', "Set link-layer MTU"},
886	{"read_buf", OPT_READ_BUF, 'p',
887	"Default read buffer size to be used for connections"},
888	{"split_send_frag", OPT_SPLIT_SEND_FRAG, 'p',
889	"Size used to split data for encrypt pipelines"},
890	{"max_send_frag", OPT_MAX_SEND_FRAG, 'p', "Maximum Size of send frames "},
891
892	OPT_SECTION("Server identity"){ OPT_SECTION_STR, 1, '-', "Server identity" " options:\n" },
893	{"psk_identity", OPT_PSK_IDENTITY, 's', "PSK identity to expect"},
894	#ifndef OPENSSL_NO_PSK
895	{"psk_hint", OPT_PSK_HINT, 's', "PSK identity hint to use"},
896	#endif
897	{"psk", OPT_PSK, 's', "PSK in hex (without 0x)"},
898	{"psk_session", OPT_PSK_SESS, '<', "File to read PSK SSL session from"},
899	#ifndef OPENSSL_NO_SRP
900	{"srpvfile", OPT_SRPVFILE, '<', "(deprecated) The verifier file for SRP"},
901	{"srpuserseed", OPT_SRPUSERSEED, 's',
902	"(deprecated) A seed string for a default user salt"},
903	#endif
904
905	OPT_SECTION("Protocol and version"){ OPT_SECTION_STR, 1, '-', "Protocol and version" " options:\n" },
906	{"max_early_data", OPT_MAX_EARLY, 'n',
907	"The maximum number of bytes of early data as advertised in tickets"},
908	{"recv_max_early_data", OPT_RECV_MAX_EARLY, 'n',
909	"The maximum number of bytes of early data (hard limit)"},
910	{"early_data", OPT_EARLY_DATA, '-', "Attempt to read early data"},
911	{"num_tickets", OPT_S_NUM_TICKETS, 'n',
912	"The number of TLSv1.3 session tickets that a server will automatically issue" },
913	{"anti_replay", OPT_ANTI_REPLAY, '-', "Switch on anti-replay protection (default)"},
914	{"no_anti_replay", OPT_NO_ANTI_REPLAY, '-', "Switch off anti-replay protection"},
915	{"http_server_binmode", OPT_HTTP_SERVER_BINMODE, '-', "opening files in binary mode when acting as http server (-WWW and -HTTP)"},
916	{"no_ca_names", OPT_NOCANAMES, '-',
917	"Disable TLS Extension CA Names"},
918	{"stateless", OPT_STATELESS, '-', "Require TLSv1.3 cookies"},
919	#ifndef OPENSSL_NO_SSL3
920	{"ssl3", OPT_SSL3, '-', "Just talk SSLv3"},
921	#endif
922	#ifndef OPENSSL_NO_TLS1
923	{"tls1", OPT_TLS1, '-', "Just talk TLSv1"},
924	#endif
925	#ifndef OPENSSL_NO_TLS1_1
926	{"tls1_1", OPT_TLS1_1, '-', "Just talk TLSv1.1"},
927	#endif
928	#ifndef OPENSSL_NO_TLS1_2
929	{"tls1_2", OPT_TLS1_2, '-', "just talk TLSv1.2"},
930	#endif
931	#ifndef OPENSSL_NO_TLS1_3
932	{"tls1_3", OPT_TLS1_3, '-', "just talk TLSv1.3"},
933	#endif
934	#ifndef OPENSSL_NO_DTLS
935	{"dtls", OPT_DTLS, '-', "Use any DTLS version"},
936	{"listen", OPT_LISTEN, '-',
937	"Listen for a DTLS ClientHello with a cookie and then connect"},
938	#endif
939	#ifndef OPENSSL_NO_DTLS1
940	{"dtls1", OPT_DTLS1, '-', "Just talk DTLSv1"},
941	#endif
942	#ifndef OPENSSL_NO_DTLS1_2
943	{"dtls1_2", OPT_DTLS1_2, '-', "Just talk DTLSv1.2"},
944	#endif
945	#ifndef OPENSSL_NO_SCTP
946	{"sctp", OPT_SCTP, '-', "Use SCTP"},
947	{"sctp_label_bug", OPT_SCTP_LABEL_BUG, '-', "Enable SCTP label length bug"},
948	#endif
949	#ifndef OPENSSL_NO_SRTP
950	{"use_srtp", OPT_SRTP_PROFILES, 's',
951	"Offer SRTP key management with a colon-separated profile list"},
952	#endif
953	{"no_dhe", OPT_NO_DHE, '-', "Disable ephemeral DH"},
954	#ifndef OPENSSL_NO_NEXTPROTONEG
955	{"nextprotoneg", OPT_NEXTPROTONEG, 's',
956	"Set the advertised protocols for the NPN extension (comma-separated list)"},
957	#endif
958	{"alpn", OPT_ALPN, 's',
959	"Set the advertised protocols for the ALPN extension (comma-separated list)"},
960	#ifndef OPENSSL_NO_KTLS
961	{"sendfile", OPT_SENDFILE, '-', "Use sendfile to response file with -WWW"},
962	#endif
963
964	OPT_R_OPTIONS{ OPT_SECTION_STR, 1, '-', "Random state" " options:\n" }, {"rand" , OPT_R_RAND, 's', "Load the given file(s) into the random number generator" }, {"writerand", OPT_R_WRITERAND, '>', "Write random data to the specified file" },
965	OPT_S_OPTIONS{ OPT_SECTION_STR, 1, '-', "TLS/SSL" " options:\n" }, {"no_ssl3" , OPT_S_NOSSL3, '-',"Just disable SSLv3" }, {"no_tls1", OPT_S_NOTLS1 , '-', "Just disable TLSv1"}, {"no_tls1_1", OPT_S_NOTLS1_1, '-' , "Just disable TLSv1.1" }, {"no_tls1_2", OPT_S_NOTLS1_2, '-' , "Just disable TLSv1.2"}, {"no_tls1_3", OPT_S_NOTLS1_3, '-', "Just disable TLSv1.3"}, {"bugs", OPT_S_BUGS, '-', "Turn on SSL bug compatibility" }, {"no_comp", OPT_S_NO_COMP, '-', "Disable SSL/TLS compression (default)" }, {"comp", OPT_S_COMP, '-', "Use SSL/TLS-level compression" }, {"no_ticket", OPT_S_NOTICKET, '-', "Disable use of TLS session tickets" }, {"serverpref", OPT_S_SERVERPREF, '-', "Use server's cipher preferences" }, {"legacy_renegotiation", OPT_S_LEGACYRENEG, '-', "Enable use of legacy renegotiation (dangerous)" }, {"client_renegotiation", OPT_S_CLIENTRENEG, '-', "Allow client-initiated renegotiation" }, {"no_renegotiation", OPT_S_NO_RENEGOTIATION, '-', "Disable all renegotiation." }, {"legacy_server_connect", OPT_S_LEGACYCONN, '-', "Allow initial connection to servers that don't support RI" }, {"no_resumption_on_reneg", OPT_S_ONRESUMP, '-', "Disallow session resumption on renegotiation" }, {"no_legacy_server_connect", OPT_S_NOLEGACYCONN, '-', "Disallow initial connection to servers that don't support RI" }, {"allow_no_dhe_kex", OPT_S_ALLOW_NO_DHE_KEX, '-', "In TLSv1.3 allow non-(ec)dhe based key exchange on resumption" }, {"prioritize_chacha", OPT_S_PRIORITIZE_CHACHA, '-', "Prioritize ChaCha ciphers when preferred by clients" }, {"strict", OPT_S_STRICT, '-', "Enforce strict certificate checks as per TLS standard" }, {"sigalgs", OPT_S_SIGALGS, 's', "Signature algorithms to support (colon-separated list)" }, {"client_sigalgs", OPT_S_CLIENTSIGALGS, 's', "Signature algorithms to support for client certificate" " authentication (colon-separated list)" }, {"groups", OPT_S_GROUPS , 's', "Groups to advertise (colon-separated list)" }, {"curves" , OPT_S_CURVES, 's', "Groups to advertise (colon-separated list)" }, {"named_curve", OPT_S_NAMEDCURVE, 's', "Elliptic curve used for ECDHE (server-side only)" }, {"cipher", OPT_S_CIPHER, 's', "Specify TLSv1.2 and below cipher list to be used" }, {"ciphersuites", OPT_S_CIPHERSUITES, 's', "Specify TLSv1.3 ciphersuites to be used" }, {"min_protocol", OPT_S_MINPROTO, 's', "Specify the minimum protocol version to be used" }, {"max_protocol", OPT_S_MAXPROTO, 's', "Specify the maximum protocol version to be used" }, {"record_padding", OPT_S_RECORD_PADDING, 's', "Block size to pad TLS 1.3 records to." }, {"debug_broken_protocol", OPT_S_DEBUGBROKE, '-', "Perform all sorts of protocol violations for testing purposes" }, {"no_middlebox", OPT_S_NO_MIDDLEBOX, '-', "Disable TLSv1.3 middlebox compat mode" }, {"no_etm", OPT_S_NO_ETM, '-', "Disable Encrypt-then-Mac extension" },
966	OPT_V_OPTIONS{ OPT_SECTION_STR, 1, '-', "Validation" " options:\n" }, { "policy" , OPT_V_POLICY, 's', "adds policy to the acceptable policy set" }, { "purpose", OPT_V_PURPOSE, 's', "certificate chain purpose" }, { "verify_name", OPT_V_VERIFY_NAME, 's', "verification policy name" }, { "verify_depth", OPT_V_VERIFY_DEPTH, 'n', "chain depth limit" }, { "auth_level", OPT_V_VERIFY_AUTH_LEVEL, 'n', "chain authentication security level" }, { "attime", OPT_V_ATTIME, 'M', "verification epoch time" } , { "verify_hostname", OPT_V_VERIFY_HOSTNAME, 's', "expected peer hostname" }, { "verify_email", OPT_V_VERIFY_EMAIL, 's', "expected peer email" }, { "verify_ip", OPT_V_VERIFY_IP, 's', "expected peer IP address" }, { "ignore_critical", OPT_V_IGNORE_CRITICAL, '-', "permit unhandled critical extensions" }, { "issuer_checks", OPT_V_ISSUER_CHECKS, '-', "(deprecated)" }, { "crl_check", OPT_V_CRL_CHECK, '-', "check leaf certificate revocation" }, { "crl_check_all", OPT_V_CRL_CHECK_ALL, '-', "check full chain revocation" }, { "policy_check", OPT_V_POLICY_CHECK, '-', "perform rfc5280 policy checks" }, { "explicit_policy", OPT_V_EXPLICIT_POLICY, '-', "set policy variable require-explicit-policy" }, { "inhibit_any", OPT_V_INHIBIT_ANY, '-', "set policy variable inhibit-any-policy" }, { "inhibit_map", OPT_V_INHIBIT_MAP, '-', "set policy variable inhibit-policy-mapping" }, { "x509_strict", OPT_V_X509_STRICT, '-', "disable certificate compatibility work-arounds" }, { "extended_crl", OPT_V_EXTENDED_CRL, '-', "enable extended CRL features" }, { "use_deltas", OPT_V_USE_DELTAS, '-', "use delta CRLs"}, { "policy_print", OPT_V_POLICY_PRINT, '-', "print policy processing diagnostics" }, { "check_ss_sig", OPT_V_CHECK_SS_SIG, '-', "check root CA self-signatures" }, { "trusted_first", OPT_V_TRUSTED_FIRST, '-', "search trust store first (default)" }, { "suiteB_128_only", OPT_V_SUITEB_128_ONLY, '-', "Suite B 128-bit-only mode" }, { "suiteB_128", OPT_V_SUITEB_128, '-', "Suite B 128-bit mode allowing 192-bit algorithms" }, { "suiteB_192", OPT_V_SUITEB_192, '-', "Suite B 192-bit-only mode" }, { "partial_chain", OPT_V_PARTIAL_CHAIN, '-', "accept chains anchored by intermediate trust-store CAs" }, { "no_alt_chains", OPT_V_NO_ALT_CHAINS, '-', "(deprecated)" }, { "no_check_time", OPT_V_NO_CHECK_TIME, '-', "ignore certificate validity time" }, { "allow_proxy_certs", OPT_V_ALLOW_PROXY_CERTS, '-', "allow the use of proxy certificates" },
967	OPT_X_OPTIONS{ OPT_SECTION_STR, 1, '-', "Extended certificate" " options:\n" }, { "xkey", OPT_X_KEY, '<', "key for Extended certificates" }, { "xcert", OPT_X_CERT, '<', "cert for Extended certificates" }, { "xchain", OPT_X_CHAIN, '<', "chain for Extended certificates" }, { "xchain_build", OPT_X_CHAIN_BUILD, '-', "build certificate chain for the extended certificates" }, { "xcertform", OPT_X_CERTFORM, 'F', "format of Extended certificate (PEM/DER/P12); has no effect" }, { "xkeyform", OPT_X_KEYFORM, 'F', "format of Extended certificate's key (DER/PEM/P12); has no effect" },
968	OPT_PROV_OPTIONS{ OPT_SECTION_STR, 1, '-', "Provider" " options:\n" }, { "provider-path" , OPT_PROV_PROVIDER_PATH, 's', "Provider load path (must be before 'provider' argument if required)" }, { "provider", OPT_PROV_PROVIDER, 's', "Provider to load (can be specified multiple times)" }, { "propquery", OPT_PROV_PROPQUERY, 's', "Property query used when fetching algorithms" },
969	{NULL((void*)0)}
970	};
971
972	#define IS_PROT_FLAG(o)(o == OPT_SSL3 \|\| o == OPT_TLS1 \|\| o == OPT_TLS1_1 \|\| o == OPT_TLS1_2 \|\| o == OPT_TLS1_3 \|\| o == OPT_DTLS \|\| o == OPT_DTLS1 \|\| o == OPT_DTLS1_2) \
973	(o == OPT_SSL3 \|\| o == OPT_TLS1 \|\| o == OPT_TLS1_1 \|\| o == OPT_TLS1_2 \
974	\|\| o == OPT_TLS1_3 \|\| o == OPT_DTLS \|\| o == OPT_DTLS1 \|\| o == OPT_DTLS1_2)
975
976	int s_server_main(int argc, char *argv[])
977	{
978	ENGINE engine = NULL((void)0);
979	EVP_PKEY s_key = NULL((void)0), s_dkey = NULL((void)0);
980	SSL_CONF_CTX cctx = NULL((void)0);
981	const SSL_METHOD *meth = TLS_server_method();
982	SSL_EXCERT exc = NULL((void)0);
983	STACK_OF(OPENSSL_STRING)struct stack_st_OPENSSL_STRING ssl_args = NULL((void)0);
984	STACK_OF(X509)struct stack_st_X509 s_chain = NULL((void)0), s_dchain = NULL((void)0);
985	STACK_OF(X509_CRL)struct stack_st_X509_CRL crls = NULL((void)0);
986	X509 s_cert = NULL((void)0), s_dcert = NULL((void)0);
987	X509_VERIFY_PARAM vpm = NULL((void)0);
988	const char CApath = NULL((void)0), CAfile = NULL((void)0), CAstore = NULL((void)0);
989	const char chCApath = NULL((void)0), chCAfile = NULL((void)0), chCAstore = NULL((void)0);
990	char dpassarg = NULL((void)0), dpass = NULL((void)0);
991	char passarg = NULL((void)0), pass = NULL((void)0);
992	char vfyCApath = NULL((void)0), vfyCAfile = NULL((void)0), vfyCAstore = NULL((void)0);
993	char crl_file = NULL((void)0), *prog;
994	#ifdef AF_UNIX1
995	int unlink_unix_path = 0;
996	#endif
997	do_server_cb server_cb;
998	int vpmtouched = 0, build_chain = 0, no_cache = 0, ext_cache = 0;
999	char dhfile = NULL((void)0);
1000	int no_dhe = 0;
1001	int nocert = 0, ret = 1;
1002	int noCApath = 0, noCAfile = 0, noCAstore = 0;
1003	int s_cert_format = FORMAT_UNDEF0, s_key_format = FORMAT_UNDEF0;
1004	int s_dcert_format = FORMAT_UNDEF0, s_dkey_format = FORMAT_UNDEF0;
1005	int rev = 0, naccept = -1, sdebug = 0;
1006	int socket_family = AF_UNSPEC0, socket_type = SOCK_STREAMSOCK_STREAM, protocol = 0;
1007	int state = 0, crl_format = FORMAT_UNDEF0, crl_download = 0;
1008	char host = NULL((void)0);
1009	char port = NULL((void)0);
1010	unsigned char context = NULL((void)0);
1011	OPTION_CHOICE o;
1012	EVP_PKEY s_key2 = NULL((void)0);
1013	X509 s_cert2 = NULL((void)0);
1014	tlsextctx tlsextcbp = { NULL((void)0), NULL((void)0), SSL_TLSEXT_ERR_ALERT_WARNING1 };
1015	const char ssl_config = NULL((void)0);
1016	int read_buf_len = 0;
1017	#ifndef OPENSSL_NO_NEXTPROTONEG
1018	const char next_proto_neg_in = NULL((void)0);
1019	tlsextnextprotoctx next_proto = { NULL((void*)0), 0 };
1020	#endif
1021	const char alpn_in = NULL((void)0);
1022	tlsextalpnctx alpn_ctx = { NULL((void*)0), 0 };
1023	#ifndef OPENSSL_NO_PSK
1024	/* by default do not send a PSK identity hint */
1025	char psk_identity_hint = NULL((void)0);
1026	#endif
1027	char *p;
1028	#ifndef OPENSSL_NO_SRP
1029	char srpuserseed = NULL((void)0);
1030	char srp_verifier_file = NULL((void)0);
1031	#endif
1032	#ifndef OPENSSL_NO_SRTP
1033	char srtp_profiles = NULL((void)0);
1034	#endif
1035	int min_version = 0, max_version = 0, prot_opt = 0, no_prot_opt = 0;
1036	int s_server_verify = SSL_VERIFY_NONE0x00;
1037	int s_server_session_id_context = 1; /* anything will do */
1038	const char s_cert_file = TEST_CERT"server.pem", s_key_file = NULL((void)0), s_chain_file = NULL((void*)0);
1039	const char s_cert_file2 = TEST_CERT2"server2.pem", s_key_file2 = NULL((void*)0);
1040	char s_dcert_file = NULL((void)0), s_dkey_file = NULL((void)0), s_dchain_file = NULL((void)0);
1041	#ifndef OPENSSL_NO_OCSP
1042	int s_tlsextstatus = 0;
1043	#endif
1044	int no_resume_ephemeral = 0;
1045	unsigned int max_send_fragment = 0;
1046	unsigned int split_send_fragment = 0, max_pipelines = 0;
1047	const char s_serverinfo_file = NULL((void)0);
1048	const char keylog_file = NULL((void)0);
1049	int max_early_data = -1, recv_max_early_data = -1;
1050	char psksessf = NULL((void)0);
1051	int no_ca_names = 0;
1052	#ifndef OPENSSL_NO_SCTP
1053	int sctp_label_bug = 0;
1054	#endif
1055	int ignore_unexpected_eof = 0;
1056
1057	/* Init of few remaining global variables */
1058	local_argc = argc;
1059	local_argv = argv;
1060
1061	ctx = ctx2 = NULL((void*)0);
1062	s_nbio = s_nbio_test = 0;
1063	www = 0;
1064	bio_s_out = NULL((void*)0);
1065	s_debug = 0;
1066	s_msg = 0;
1067	s_quiet = 0;
1068	s_brief = 0;
1069	async = 0;
1070	use_sendfile = 0;
1071
1072	port = OPENSSL_strdup(PORT)CRYPTO_strdup("4433", "../deps/openssl/openssl/apps/s_server.c" , 1072);
1073	cctx = SSL_CONF_CTX_new();
1074	vpm = X509_VERIFY_PARAM_new();
1075	if (port == NULL((void)0) \|\| cctx == NULL((void)0) \|\| vpm == NULL((void*)0))
1076	goto end;
1077	SSL_CONF_CTX_set_flags(cctx,
1078	SSL_CONF_FLAG_SERVER0x8 \| SSL_CONF_FLAG_CMDLINE0x1);
1079
1080	prog = opt_init(argc, argv, s_server_options);
1081	while ((o = opt_next()) != OPT_EOF) {
1082	if (IS_PROT_FLAG(o)(o == OPT_SSL3 \|\| o == OPT_TLS1 \|\| o == OPT_TLS1_1 \|\| o == OPT_TLS1_2 \|\| o == OPT_TLS1_3 \|\| o == OPT_DTLS \|\| o == OPT_DTLS1 \|\| o == OPT_DTLS1_2) && ++prot_opt > 1) {
1083	BIO_printf(bio_err, "Cannot supply multiple protocol flags\n");
1084	goto end;
1085	}
1086	if (IS_NO_PROT_FLAG(o)(o == OPT_S_NOSSL3 \|\| o == OPT_S_NOTLS1 \|\| o == OPT_S_NOTLS1_1 \|\| o == OPT_S_NOTLS1_2 \|\| o == OPT_S_NOTLS1_3))
1087	no_prot_opt++;
1088	if (prot_opt == 1 && no_prot_opt) {
1089	BIO_printf(bio_err,
1090	"Cannot supply both a protocol flag and '-no_<prot>'\n");
1091	goto end;
1092	}
1093	switch (o) {
1094	case OPT_EOF:
1095	case OPT_ERR:
1096	opthelp:
1097	BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
1098	goto end;
1099	case OPT_HELP:
1100	opt_help(s_server_options);
1101	ret = 0;
1102	goto end;
1103
1104	case OPT_4:
1105	#ifdef AF_UNIX1
1106	if (socket_family == AF_UNIX1) {
1107	OPENSSL_free(host)CRYPTO_free(host, "../deps/openssl/openssl/apps/s_server.c", 1107 ); host = NULL((void*)0);
1108	OPENSSL_free(port)CRYPTO_free(port, "../deps/openssl/openssl/apps/s_server.c", 1108 ); port = NULL((void*)0);
1109	}
1110	#endif
1111	socket_family = AF_INET2;
1112	break;
1113	case OPT_6:
1114	if (1) {
1115	#ifdef AF_INET610
1116	#ifdef AF_UNIX1
1117	if (socket_family == AF_UNIX1) {
1118	OPENSSL_free(host)CRYPTO_free(host, "../deps/openssl/openssl/apps/s_server.c", 1118 ); host = NULL((void*)0);
1119	OPENSSL_free(port)CRYPTO_free(port, "../deps/openssl/openssl/apps/s_server.c", 1119 ); port = NULL((void*)0);
1120	}
1121	#endif
1122	socket_family = AF_INET610;
1123	} else {
1124	#endif
1125	BIO_printf(bio_err, "%s: IPv6 domain sockets unsupported\n", prog);
1126	goto end;
1127	}
1128	break;
1129	case OPT_PORT:
1130	#ifdef AF_UNIX1
1131	if (socket_family == AF_UNIX1) {
1132	socket_family = AF_UNSPEC0;
1133	}
1134	#endif
1135	OPENSSL_free(port)CRYPTO_free(port, "../deps/openssl/openssl/apps/s_server.c", 1135 ); port = NULL((void*)0);
1136	OPENSSL_free(host)CRYPTO_free(host, "../deps/openssl/openssl/apps/s_server.c", 1136 ); host = NULL((void*)0);
1137	if (BIO_parse_hostserv(opt_arg(), NULL((void*)0), &port, BIO_PARSE_PRIO_SERV) < 1) {
1138	BIO_printf(bio_err,
1139	"%s: -port argument malformed or ambiguous\n",
1140	port);
1141	goto end;
1142	}
1143	break;
1144	case OPT_ACCEPT:
1145	#ifdef AF_UNIX1
1146	if (socket_family == AF_UNIX1) {
1147	socket_family = AF_UNSPEC0;
1148	}
1149	#endif
1150	OPENSSL_free(port)CRYPTO_free(port, "../deps/openssl/openssl/apps/s_server.c", 1150 ); port = NULL((void*)0);
1151	OPENSSL_free(host)CRYPTO_free(host, "../deps/openssl/openssl/apps/s_server.c", 1151 ); host = NULL((void*)0);
1152	if (BIO_parse_hostserv(opt_arg(), &host, &port, BIO_PARSE_PRIO_SERV) < 1) {
1153	BIO_printf(bio_err,
1154	"%s: -accept argument malformed or ambiguous\n",
1155	port);
1156	goto end;
1157	}
1158	break;
1159	#ifdef AF_UNIX1
1160	case OPT_UNIX:
1161	socket_family = AF_UNIX1;
1162	OPENSSL_free(host)CRYPTO_free(host, "../deps/openssl/openssl/apps/s_server.c", 1162 ); host = OPENSSL_strdup(opt_arg())CRYPTO_strdup(opt_arg(), "../deps/openssl/openssl/apps/s_server.c" , 1162);
1163	if (host == NULL((void*)0))
1164	goto end;
1165	OPENSSL_free(port)CRYPTO_free(port, "../deps/openssl/openssl/apps/s_server.c", 1165 ); port = NULL((void*)0);
1166	break;
1167	case OPT_UNLINK:
1168	unlink_unix_path = 1;
1169	break;
1170	#endif
1171	case OPT_NACCEPT:
1172	naccept = atol(opt_arg());
1173	break;
1174	case OPT_VERIFY:
1175	s_server_verify = SSL_VERIFY_PEER0x01 \| SSL_VERIFY_CLIENT_ONCE0x04;
1176	verify_args.depth = atoi(opt_arg());
1177	if (!s_quiet)
1178	BIO_printf(bio_err, "verify depth is %d\n", verify_args.depth);
1179	break;
1180	case OPT_UPPER_V_VERIFY:
1181	s_server_verify =
1182	SSL_VERIFY_PEER0x01 \| SSL_VERIFY_FAIL_IF_NO_PEER_CERT0x02 \|
1183	SSL_VERIFY_CLIENT_ONCE0x04;
1184	verify_args.depth = atoi(opt_arg());
1185	if (!s_quiet)
1186	BIO_printf(bio_err,
1187	"verify depth is %d, must return a certificate\n",
1188	verify_args.depth);
1189	break;
1190	case OPT_CONTEXT:
1191	context = (unsigned char *)opt_arg();
1192	break;
1193	case OPT_CERT:
1194	s_cert_file = opt_arg();
1195	break;
1196	case OPT_NAMEOPT:
1197	if (!set_nameopt(opt_arg()))
1198	goto end;
1199	break;
1200	case OPT_CRL:
1201	crl_file = opt_arg();
1202	break;
1203	case OPT_CRL_DOWNLOAD:
1204	crl_download = 1;
1205	break;
1206	case OPT_SERVERINFO:
1207	s_serverinfo_file = opt_arg();
1208	break;
1209	case OPT_CERTFORM:
1210	if (!opt_format(opt_arg(), OPT_FMT_ANY( (1L << 1) \| (1L << 2) \| (1L << 3) \| (1L << 4) \| (1L << 5) \| (1L << 7) \| (1L << 8) \| ( 1L << 9) \| (1L << 10)), &s_cert_format))
1211	goto opthelp;
1212	break;
1213	case OPT_KEY:
1214	s_key_file = opt_arg();
1215	break;
1216	case OPT_KEYFORM:
1217	if (!opt_format(opt_arg(), OPT_FMT_ANY( (1L << 1) \| (1L << 2) \| (1L << 3) \| (1L << 4) \| (1L << 5) \| (1L << 7) \| (1L << 8) \| ( 1L << 9) \| (1L << 10)), &s_key_format))
1218	goto opthelp;
1219	break;
1220	case OPT_PASS:
1221	passarg = opt_arg();
1222	break;
1223	case OPT_CERT_CHAIN:
1224	s_chain_file = opt_arg();
1225	break;
1226	case OPT_DHPARAM:
1227	dhfile = opt_arg();
1228	break;
1229	case OPT_DCERTFORM:
1230	if (!opt_format(opt_arg(), OPT_FMT_ANY( (1L << 1) \| (1L << 2) \| (1L << 3) \| (1L << 4) \| (1L << 5) \| (1L << 7) \| (1L << 8) \| ( 1L << 9) \| (1L << 10)), &s_dcert_format))
1231	goto opthelp;
1232	break;
1233	case OPT_DCERT:
1234	s_dcert_file = opt_arg();
1235	break;
1236	case OPT_DKEYFORM:
1237	if (!opt_format(opt_arg(), OPT_FMT_ANY( (1L << 1) \| (1L << 2) \| (1L << 3) \| (1L << 4) \| (1L << 5) \| (1L << 7) \| (1L << 8) \| ( 1L << 9) \| (1L << 10)), &s_dkey_format))
1238	goto opthelp;
1239	break;
1240	case OPT_DPASS:
1241	dpassarg = opt_arg();
1242	break;
1243	case OPT_DKEY:
1244	s_dkey_file = opt_arg();
1245	break;
1246	case OPT_DCERT_CHAIN:
1247	s_dchain_file = opt_arg();
1248	break;
1249	case OPT_NOCERT:
1250	nocert = 1;
1251	break;
1252	case OPT_CAPATH:
1253	CApath = opt_arg();
1254	break;
1255	case OPT_NOCAPATH:
1256	noCApath = 1;
1257	break;
1258	case OPT_CHAINCAPATH:
1259	chCApath = opt_arg();
1260	break;
1261	case OPT_VERIFYCAPATH:
1262	vfyCApath = opt_arg();
1263	break;
1264	case OPT_CASTORE:
1265	CAstore = opt_arg();
1266	break;
1267	case OPT_NOCASTORE:
1268	noCAstore = 1;
1269	break;
1270	case OPT_CHAINCASTORE:
1271	chCAstore = opt_arg();
1272	break;
1273	case OPT_VERIFYCASTORE:
1274	vfyCAstore = opt_arg();
1275	break;
1276	case OPT_NO_CACHE:
1277	no_cache = 1;
1278	break;
1279	case OPT_EXT_CACHE:
1280	ext_cache = 1;
1281	break;
1282	case OPT_CRLFORM:
1283	if (!opt_format(opt_arg(), OPT_FMT_PEMDER(1L << 1), &crl_format))
1284	goto opthelp;
1285	break;
1286	case OPT_S_CASESOPT_S__FIRST: case OPT_S__LAST: break; case OPT_S_NOSSL3: case OPT_S_NOTLS1: case OPT_S_NOTLS1_1: case OPT_S_NOTLS1_2: case OPT_S_NOTLS1_3: case OPT_S_BUGS: case OPT_S_NO_COMP: case OPT_S_COMP : case OPT_S_NOTICKET: case OPT_S_SERVERPREF: case OPT_S_LEGACYRENEG : case OPT_S_CLIENTRENEG: case OPT_S_LEGACYCONN: case OPT_S_ONRESUMP : case OPT_S_NOLEGACYCONN: case OPT_S_ALLOW_NO_DHE_KEX: case OPT_S_PRIORITIZE_CHACHA : case OPT_S_STRICT: case OPT_S_SIGALGS: case OPT_S_CLIENTSIGALGS : case OPT_S_GROUPS: case OPT_S_CURVES: case OPT_S_NAMEDCURVE : case OPT_S_CIPHER: case OPT_S_CIPHERSUITES: case OPT_S_RECORD_PADDING : case OPT_S_NO_RENEGOTIATION: case OPT_S_MINPROTO: case OPT_S_MAXPROTO : case OPT_S_DEBUGBROKE: case OPT_S_NO_MIDDLEBOX: case OPT_S_NO_ETM:
1287	case OPT_S_NUM_TICKETS:
1288	case OPT_ANTI_REPLAY:
1289	case OPT_NO_ANTI_REPLAY:
1290	if (ssl_args == NULL((void*)0))
1291	ssl_args = sk_OPENSSL_STRING_new_null()((struct stack_st_OPENSSL_STRING *)OPENSSL_sk_new_null());
1292	if (ssl_args == NULL((void*)0)
1293	\|\| !sk_OPENSSL_STRING_push(ssl_args, opt_flag())OPENSSL_sk_push(ossl_check_OPENSSL_STRING_sk_type(ssl_args), ossl_check_OPENSSL_STRING_type (opt_flag()))
1294	\|\| !sk_OPENSSL_STRING_push(ssl_args, opt_arg())OPENSSL_sk_push(ossl_check_OPENSSL_STRING_sk_type(ssl_args), ossl_check_OPENSSL_STRING_type (opt_arg()))) {
1295	BIO_printf(bio_err, "%s: Memory allocation failure\n", prog);
1296	goto end;
1297	}
1298	break;
1299	case OPT_V_CASESOPT_V__FIRST: case OPT_V__LAST: break; case OPT_V_POLICY: case OPT_V_PURPOSE: case OPT_V_VERIFY_NAME: case OPT_V_VERIFY_DEPTH : case OPT_V_VERIFY_AUTH_LEVEL: case OPT_V_ATTIME: case OPT_V_VERIFY_HOSTNAME : case OPT_V_VERIFY_EMAIL: case OPT_V_VERIFY_IP: case OPT_V_IGNORE_CRITICAL : case OPT_V_ISSUER_CHECKS: case OPT_V_CRL_CHECK: case OPT_V_CRL_CHECK_ALL : case OPT_V_POLICY_CHECK: case OPT_V_EXPLICIT_POLICY: case OPT_V_INHIBIT_ANY : case OPT_V_INHIBIT_MAP: case OPT_V_X509_STRICT: case OPT_V_EXTENDED_CRL : case OPT_V_USE_DELTAS: case OPT_V_POLICY_PRINT: case OPT_V_CHECK_SS_SIG : case OPT_V_TRUSTED_FIRST: case OPT_V_SUITEB_128_ONLY: case OPT_V_SUITEB_128 : case OPT_V_SUITEB_192: case OPT_V_PARTIAL_CHAIN: case OPT_V_NO_ALT_CHAINS : case OPT_V_NO_CHECK_TIME: case OPT_V_ALLOW_PROXY_CERTS:
1300	if (!opt_verify(o, vpm))
1301	goto end;
1302	vpmtouched++;
1303	break;
1304	case OPT_X_CASESOPT_X__FIRST: case OPT_X__LAST: break; case OPT_X_KEY: case OPT_X_CERT : case OPT_X_CHAIN: case OPT_X_CHAIN_BUILD: case OPT_X_CERTFORM : case OPT_X_KEYFORM:
1305	if (!args_excert(o, &exc))
1306	goto end;
1307	break;
1308	case OPT_VERIFY_RET_ERROR:
1309	verify_args.return_error = 1;
1310	break;
1311	case OPT_VERIFY_QUIET:
1312	verify_args.quiet = 1;
1313	break;
1314	case OPT_BUILD_CHAIN:
1315	build_chain = 1;
1316	break;
1317	case OPT_CAFILE:
1318	CAfile = opt_arg();
1319	break;
1320	case OPT_NOCAFILE:
1321	noCAfile = 1;
1322	break;
1323	case OPT_CHAINCAFILE:
1324	chCAfile = opt_arg();
1325	break;
1326	case OPT_VERIFYCAFILE:
1327	vfyCAfile = opt_arg();
1328	break;
1329	case OPT_NBIO:
1330	s_nbio = 1;
1331	break;
1332	case OPT_NBIO_TEST:
1333	s_nbio = s_nbio_test = 1;
1334	break;
1335	case OPT_IGN_EOF:
1336	s_ign_eof = 1;
1337	break;
1338	case OPT_NO_IGN_EOF:
1339	s_ign_eof = 0;
1340	break;
1341	case OPT_DEBUG:
1342	s_debug = 1;
1343	break;
1344	case OPT_TLSEXTDEBUG:
1345	s_tlsextdebug = 1;
1346	break;
1347	case OPT_STATUS:
1348	#ifndef OPENSSL_NO_OCSP
1349	s_tlsextstatus = 1;
1350	#endif
1351	break;
1352	case OPT_STATUS_VERBOSE:
1353	#ifndef OPENSSL_NO_OCSP
1354	s_tlsextstatus = tlscstatp.verbose = 1;
1355	#endif
1356	break;
1357	case OPT_STATUS_TIMEOUT:
1358	#ifndef OPENSSL_NO_OCSP
1359	s_tlsextstatus = 1;
1360	tlscstatp.timeout = atoi(opt_arg());
1361	#endif
1362	break;
1363	case OPT_PROXY:
1364	#ifndef OPENSSL_NO_OCSP
1365	tlscstatp.proxy = opt_arg();
1366	#endif
1367	break;
1368	case OPT_NO_PROXY:
1369	#ifndef OPENSSL_NO_OCSP
1370	tlscstatp.no_proxy = opt_arg();
1371	#endif
1372	break;
1373	case OPT_STATUS_URL:
1374	#ifndef OPENSSL_NO_OCSP
1375	s_tlsextstatus = 1;
1376	if (!OSSL_HTTP_parse_url(opt_arg(), &tlscstatp.use_ssl, NULL((void*)0),
1377	&tlscstatp.host, &tlscstatp.port, NULL((void*)0),
1378	&tlscstatp.path, NULL((void)0), NULL((void)0))) {
1379	BIO_printf(bio_err, "Error parsing -status_url argument\n");
1380	goto end;
1381	}
1382	#endif
1383	break;
1384	case OPT_STATUS_FILE:
1385	#ifndef OPENSSL_NO_OCSP
1386	s_tlsextstatus = 1;
1387	tlscstatp.respin = opt_arg();
1388	#endif
1389	break;
1390	case OPT_MSG:
1391	s_msg = 1;
1392	break;
1393	case OPT_MSGFILE:
1394	bio_s_msg = BIO_new_file(opt_arg(), "w");
1395	if (bio_s_msg == NULL((void*)0)) {
1396	BIO_printf(bio_err, "Error writing file %s\n", opt_arg());
1397	goto end;
1398	}
1399	break;
1400	case OPT_TRACE:
1401	#ifndef OPENSSL_NO_SSL_TRACE
1402	s_msg = 2;
1403	#endif
1404	break;
1405	case OPT_SECURITY_DEBUG:
1406	sdebug = 1;
1407	break;
1408	case OPT_SECURITY_DEBUG_VERBOSE:
1409	sdebug = 2;
1410	break;
1411	case OPT_STATE:
1412	state = 1;
1413	break;
1414	case OPT_CRLF:
1415	s_crlf = 1;
1416	break;
1417	case OPT_QUIET:
1418	s_quiet = 1;
1419	break;
1420	case OPT_BRIEF:
1421	s_quiet = s_brief = verify_args.quiet = 1;
1422	break;
1423	case OPT_NO_DHE:
1424	no_dhe = 1;
1425	break;
1426	case OPT_NO_RESUME_EPHEMERAL:
1427	no_resume_ephemeral = 1;
1428	break;
1429	case OPT_PSK_IDENTITY:
1430	psk_identity = opt_arg();
1431	break;
1432	case OPT_PSK_HINT:
1433	#ifndef OPENSSL_NO_PSK
1434	psk_identity_hint = opt_arg();
1435	#endif
1436	break;
1437	case OPT_PSK:
1438	for (p = psk_key = opt_arg(); *p; p++) {
1439	if (isxdigit(_UC(p))((__ctype_b_loc ())[(int) ((((unsigned char)(*p))))] & ( unsigned short int) _ISxdigit))
1440	continue;
1441	BIO_printf(bio_err, "Not a hex number '%s'\n", psk_key);
1442	goto end;
1443	}
1444	break;
1445	case OPT_PSK_SESS:
1446	psksessf = opt_arg();
1447	break;
1448	case OPT_SRPVFILE:
1449	#ifndef OPENSSL_NO_SRP
1450	srp_verifier_file = opt_arg();
1451	if (min_version < TLS1_VERSION0x0301)
1452	min_version = TLS1_VERSION0x0301;
1453	#endif
1454	break;
1455	case OPT_SRPUSERSEED:
1456	#ifndef OPENSSL_NO_SRP
1457	srpuserseed = opt_arg();
1458	if (min_version < TLS1_VERSION0x0301)
1459	min_version = TLS1_VERSION0x0301;
1460	#endif
1461	break;
1462	case OPT_REV:
1463	rev = 1;
1464	break;
1465	case OPT_WWW:
1466	www = 1;
1467	break;
1468	case OPT_UPPER_WWW:
1469	www = 2;
1470	break;
1471	case OPT_HTTP:
1472	www = 3;
1473	break;
1474	case OPT_SSL_CONFIG:
1475	ssl_config = opt_arg();
1476	break;
1477	case OPT_SSL3:
1478	min_version = SSL3_VERSION0x0300;
1479	max_version = SSL3_VERSION0x0300;
1480	break;
1481	case OPT_TLS1_3:
1482	min_version = TLS1_3_VERSION0x0304;
1483	max_version = TLS1_3_VERSION0x0304;
1484	break;
1485	case OPT_TLS1_2:
1486	min_version = TLS1_2_VERSION0x0303;
1487	max_version = TLS1_2_VERSION0x0303;
1488	break;
1489	case OPT_TLS1_1:
1490	min_version = TLS1_1_VERSION0x0302;
1491	max_version = TLS1_1_VERSION0x0302;
1492	break;
1493	case OPT_TLS1:
1494	min_version = TLS1_VERSION0x0301;
1495	max_version = TLS1_VERSION0x0301;
1496	break;
1497	case OPT_DTLS:
1498	#ifndef OPENSSL_NO_DTLS
1499	meth = DTLS_server_method();
1500	socket_type = SOCK_DGRAMSOCK_DGRAM;
1501	#endif
1502	break;
1503	case OPT_DTLS1:
1504	#ifndef OPENSSL_NO_DTLS
1505	meth = DTLS_server_method();
1506	min_version = DTLS1_VERSION0xFEFF;
1507	max_version = DTLS1_VERSION0xFEFF;
1508	socket_type = SOCK_DGRAMSOCK_DGRAM;
1509	#endif
1510	break;
1511	case OPT_DTLS1_2:
1512	#ifndef OPENSSL_NO_DTLS
1513	meth = DTLS_server_method();
1514	min_version = DTLS1_2_VERSION0xFEFD;
1515	max_version = DTLS1_2_VERSION0xFEFD;
1516	socket_type = SOCK_DGRAMSOCK_DGRAM;
1517	#endif
1518	break;
1519	case OPT_SCTP:
1520	#ifndef OPENSSL_NO_SCTP
1521	protocol = IPPROTO_SCTPIPPROTO_SCTP;
1522	#endif
1523	break;
1524	case OPT_SCTP_LABEL_BUG:
1525	#ifndef OPENSSL_NO_SCTP
1526	sctp_label_bug = 1;
1527	#endif
1528	break;
1529	case OPT_TIMEOUT:
1530	#ifndef OPENSSL_NO_DTLS
1531	enable_timeouts = 1;
1532	#endif
1533	break;
1534	case OPT_MTU:
1535	#ifndef OPENSSL_NO_DTLS
1536	socket_mtu = atol(opt_arg());
1537	#endif
1538	break;
1539	case OPT_LISTEN:
1540	#ifndef OPENSSL_NO_DTLS
1541	dtlslisten = 1;
1542	#endif
1543	break;
1544	case OPT_STATELESS:
1545	stateless = 1;
1546	break;
1547	case OPT_ID_PREFIX:
1548	session_id_prefix = opt_arg();
1549	break;
1550	case OPT_ENGINE:
1551	#ifndef OPENSSL_NO_ENGINE
1552	engine = setup_engine(opt_arg(), s_debug)setup_engine_methods(opt_arg(), (unsigned int)-1, s_debug);
1553	#endif
1554	break;
1555	case OPT_R_CASESOPT_R__FIRST: case OPT_R__LAST: break; case OPT_R_RAND: case OPT_R_WRITERAND:
1556	if (!opt_rand(o))
1557	goto end;
1558	break;
1559	case OPT_PROV_CASESOPT_PROV__FIRST: case OPT_PROV__LAST: break; case OPT_PROV_PROVIDER : case OPT_PROV_PROVIDER_PATH: case OPT_PROV_PROPQUERY:
1560	if (!opt_provider(o))
1561	goto end;
1562	break;
1563	case OPT_SERVERNAME:
1564	tlsextcbp.servername = opt_arg();
1565	break;
1566	case OPT_SERVERNAME_FATAL:
1567	tlsextcbp.extension_error = SSL_TLSEXT_ERR_ALERT_FATAL2;
1568	break;
1569	case OPT_CERT2:
1570	s_cert_file2 = opt_arg();
1571	break;
1572	case OPT_KEY2:
1573	s_key_file2 = opt_arg();
1574	break;
1575	case OPT_NEXTPROTONEG:
1576	# ifndef OPENSSL_NO_NEXTPROTONEG
1577	next_proto_neg_in = opt_arg();
1578	#endif
1579	break;
1580	case OPT_ALPN:
1581	alpn_in = opt_arg();
1582	break;
1583	case OPT_SRTP_PROFILES:
1584	#ifndef OPENSSL_NO_SRTP
1585	srtp_profiles = opt_arg();
1586	#endif
1587	break;
1588	case OPT_KEYMATEXPORT:
1589	keymatexportlabel = opt_arg();
1590	break;
1591	case OPT_KEYMATEXPORTLEN:
1592	keymatexportlen = atoi(opt_arg());
1593	break;
1594	case OPT_ASYNC:
1595	async = 1;
1596	break;
1597	case OPT_MAX_SEND_FRAG:
1598	max_send_fragment = atoi(opt_arg());
1599	break;
1600	case OPT_SPLIT_SEND_FRAG:
1601	split_send_fragment = atoi(opt_arg());
1602	break;
1603	case OPT_MAX_PIPELINES:
1604	max_pipelines = atoi(opt_arg());
1605	break;
1606	case OPT_READ_BUF:
1607	read_buf_len = atoi(opt_arg());
1608	break;
1609	case OPT_KEYLOG_FILE:
1610	keylog_file = opt_arg();
1611	break;
1612	case OPT_MAX_EARLY:
1613	max_early_data = atoi(opt_arg());
1614	if (max_early_data < 0) {
1615	BIO_printf(bio_err, "Invalid value for max_early_data\n");
1616	goto end;
1617	}
1618	break;
1619	case OPT_RECV_MAX_EARLY:
1620	recv_max_early_data = atoi(opt_arg());
1621	if (recv_max_early_data < 0) {
1622	BIO_printf(bio_err, "Invalid value for recv_max_early_data\n");
1623	goto end;
1624	}
1625	break;
1626	case OPT_EARLY_DATA:
1627	early_data = 1;
1628	if (max_early_data == -1)
1629	max_early_data = SSL3_RT_MAX_PLAIN_LENGTH16384;
1630	break;
1631	case OPT_HTTP_SERVER_BINMODE:
1632	http_server_binmode = 1;
1633	break;
1634	case OPT_NOCANAMES:
1635	no_ca_names = 1;
1636	break;
1637	case OPT_SENDFILE:
1638	#ifndef OPENSSL_NO_KTLS
1639	use_sendfile = 1;
1640	#endif
1641	break;
1642	case OPT_IGNORE_UNEXPECTED_EOF:
1643	ignore_unexpected_eof = 1;
1644	break;
1645	}
1646	}
1647
1648	/* No extra arguments. */
1649	argc = opt_num_rest();
1650	if (argc != 0)
1651	goto opthelp;
1652
1653	if (!app_RAND_load())
1654	goto end;
1655
1656	#ifndef OPENSSL_NO_NEXTPROTONEG
1657	if (min_version == TLS1_3_VERSION0x0304 && next_proto_neg_in != NULL((void*)0)) {
1658	BIO_printf(bio_err, "Cannot supply -nextprotoneg with TLSv1.3\n");
1659	goto opthelp;
1660	}
1661	#endif
1662	#ifndef OPENSSL_NO_DTLS
1663	if (www && socket_type == SOCK_DGRAMSOCK_DGRAM) {
1664	BIO_printf(bio_err, "Can't use -HTTP, -www or -WWW with DTLS\n");
1665	goto end;
1666	}
1667
1668	if (dtlslisten && socket_type != SOCK_DGRAMSOCK_DGRAM) {
1669	BIO_printf(bio_err, "Can only use -listen with DTLS\n");
1670	goto end;
1671	}
1672	#endif
1673
1674	if (stateless && socket_type != SOCK_STREAMSOCK_STREAM) {
1675	BIO_printf(bio_err, "Can only use --stateless with TLS\n");
1676	goto end;
1677	}
1678
1679	#ifdef AF_UNIX1
1680	if (socket_family == AF_UNIX1 && socket_type != SOCK_STREAMSOCK_STREAM) {
1681	BIO_printf(bio_err,
1682	"Can't use unix sockets and datagrams together\n");
1683	goto end;
1684	}
1685	#endif
1686	if (early_data && (www > 0 \|\| rev)) {
1687	BIO_printf(bio_err,
1688	"Can't use -early_data in combination with -www, -WWW, -HTTP, or -rev\n");
1689	goto end;
1690	}
1691
1692	#ifndef OPENSSL_NO_SCTP
1693	if (protocol == IPPROTO_SCTPIPPROTO_SCTP) {
1694	if (socket_type != SOCK_DGRAMSOCK_DGRAM) {
1695	BIO_printf(bio_err, "Can't use -sctp without DTLS\n");
1696	goto end;
1697	}
1698	/* SCTP is unusual. It uses DTLS over a SOCK_STREAM protocol */
1699	socket_type = SOCK_STREAMSOCK_STREAM;
1700	}
1701	#endif
1702
1703	#ifndef OPENSSL_NO_KTLS
1704	if (use_sendfile && www <= 1) {
1705	BIO_printf(bio_err, "Can't use -sendfile without -WWW or -HTTP\n");
1706	goto end;
1707	}
1708	#endif
1709
1710	if (!app_passwd(passarg, dpassarg, &pass, &dpass)) {
1711	BIO_printf(bio_err, "Error getting password\n");
1712	goto end;
1713	}
1714
1715	if (s_key_file == NULL((void*)0))
1716	s_key_file = s_cert_file;
1717
1718	if (s_key_file2 == NULL((void*)0))
1719	s_key_file2 = s_cert_file2;
1720
1721	if (!load_excert(&exc))
1722	goto end;
1723
1724	if (nocert == 0) {
1725	s_key = load_key(s_key_file, s_key_format, 0, pass, engine,
1726	"server certificate private key");
1727	if (s_key == NULL((void*)0))
1728	goto end;
1729
1730	s_cert = load_cert_pass(s_cert_file, s_cert_format, 1, pass,
1731	"server certificate");
1732
1733	if (s_cert == NULL((void*)0))
1734	goto end;
1735	if (s_chain_file != NULL((void*)0)) {
1736	if (!load_certs(s_chain_file, 0, &s_chain, NULL((void*)0),
1737	"server certificate chain"))
1738	goto end;
1739	}
1740
1741	if (tlsextcbp.servername != NULL((void*)0)) {
1742	s_key2 = load_key(s_key_file2, s_key_format, 0, pass, engine,
1743	"second server certificate private key");
1744	if (s_key2 == NULL((void*)0))
1745	goto end;
1746
1747	s_cert2 = load_cert_pass(s_cert_file2, s_cert_format, 1, pass,
1748	"second server certificate");
1749
1750	if (s_cert2 == NULL((void*)0))
1751	goto end;
1752	}
1753	}
1754	#if !defined(OPENSSL_NO_NEXTPROTONEG)
1755	if (next_proto_neg_in) {
1756	next_proto.data = next_protos_parse(&next_proto.len, next_proto_neg_in);
1757	if (next_proto.data == NULL((void*)0))
1758	goto end;
1759	}
1760	#endif
1761	alpn_ctx.data = NULL((void*)0);
1762	if (alpn_in) {
1763	alpn_ctx.data = next_protos_parse(&alpn_ctx.len, alpn_in);
1764	if (alpn_ctx.data == NULL((void*)0))
1765	goto end;
1766	}
1767
1768	if (crl_file != NULL((void*)0)) {
1769	X509_CRL *crl;
1770	crl = load_crl(crl_file, crl_format, 0, "CRL");
1771	if (crl == NULL((void*)0))
1772	goto end;
1773	crls = sk_X509_CRL_new_null()((struct stack_st_X509_CRL *)OPENSSL_sk_new_null());
1774	if (crls == NULL((void*)0) \|\| !sk_X509_CRL_push(crls, crl)OPENSSL_sk_push(ossl_check_X509_CRL_sk_type(crls), ossl_check_X509_CRL_type (crl))) {
1775	BIO_puts(bio_err, "Error adding CRL\n");
1776	ERR_print_errors(bio_err);
1777	X509_CRL_free(crl);
1778	goto end;
1779	}
1780	}
1781
1782	if (s_dcert_file != NULL((void*)0)) {
1783
1784	if (s_dkey_file == NULL((void*)0))
1785	s_dkey_file = s_dcert_file;
1786
1787	s_dkey = load_key(s_dkey_file, s_dkey_format,
1788	0, dpass, engine, "second certificate private key");
1789	if (s_dkey == NULL((void*)0))
1790	goto end;
1791
1792	s_dcert = load_cert_pass(s_dcert_file, s_dcert_format, 1, dpass,
1793	"second server certificate");
1794
1795	if (s_dcert == NULL((void*)0)) {
1796	ERR_print_errors(bio_err);
1797	goto end;
1798	}
1799	if (s_dchain_file != NULL((void*)0)) {
1800	if (!load_certs(s_dchain_file, 0, &s_dchain, NULL((void*)0),
1801	"second server certificate chain"))
1802	goto end;
1803	}
1804
1805	}
1806
1807	if (bio_s_out == NULL((void*)0)) {
1808	if (s_quiet && !s_debug) {
1809	bio_s_out = BIO_new(BIO_s_null());
1810	if (s_msg && bio_s_msg == NULL((void*)0)) {
1811	bio_s_msg = dup_bio_out(FORMAT_TEXT(1 \| 0x8000));
1812	if (bio_s_msg == NULL((void*)0)) {
1813	BIO_printf(bio_err, "Out of memory\n");
1814	goto end;
1815	}
1816	}
1817	} else {
1818	bio_s_out = dup_bio_out(FORMAT_TEXT(1 \| 0x8000));
1819	}
1820	}
1821
1822	if (bio_s_out == NULL((void*)0))
1823	goto end;
1824
1825	if (nocert) {
1826	s_cert_file = NULL((void*)0);
1827	s_key_file = NULL((void*)0);
1828	s_dcert_file = NULL((void*)0);
1829	s_dkey_file = NULL((void*)0);
1830	s_cert_file2 = NULL((void*)0);
1831	s_key_file2 = NULL((void*)0);
1832	}
1833
1834	ctx = SSL_CTX_new_ex(app_get0_libctx(), app_get0_propq(), meth);
1835	if (ctx == NULL((void*)0)) {
1836	ERR_print_errors(bio_err);
1837	goto end;
1838	}
1839
1840	SSL_CTX_clear_mode(ctx, SSL_MODE_AUTO_RETRY)SSL_CTX_ctrl((ctx),78,(0x00000004U),((void*)0));
1841
1842	if (sdebug)
1843	ssl_ctx_security_debug(ctx, sdebug);
1844
1845	if (!config_ctx(cctx, ssl_args, ctx))
1846	goto end;
1847
1848	if (ssl_config) {
1849	if (SSL_CTX_config(ctx, ssl_config) == 0) {
1850	BIO_printf(bio_err, "Error using configuration \"%s\"\n",
1851	ssl_config);
1852	ERR_print_errors(bio_err);
1853	goto end;
1854	}
1855	}
1856	#ifndef OPENSSL_NO_SCTP
1857	if (protocol == IPPROTO_SCTPIPPROTO_SCTP && sctp_label_bug == 1)
1858	SSL_CTX_set_mode(ctx, SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG)SSL_CTX_ctrl((ctx),33,(0x00000400U),((void*)0));
1859	#endif
1860
1861	if (min_version != 0
1862	&& SSL_CTX_set_min_proto_version(ctx, min_version)SSL_CTX_ctrl(ctx, 123, min_version, ((void*)0)) == 0)
1863	goto end;
1864	if (max_version != 0
1865	&& SSL_CTX_set_max_proto_version(ctx, max_version)SSL_CTX_ctrl(ctx, 124, max_version, ((void*)0)) == 0)
1866	goto end;
1867
1868	if (session_id_prefix) {
1869	if (strlen(session_id_prefix) >= 32)
1870	BIO_printf(bio_err,
1871	"warning: id_prefix is too long, only one new session will be possible\n");
1872	if (!SSL_CTX_set_generate_session_id(ctx, generate_session_id)) {
1873	BIO_printf(bio_err, "error setting 'id_prefix'\n");
1874	ERR_print_errors(bio_err);
1875	goto end;
1876	}
1877	BIO_printf(bio_err, "id_prefix '%s' set.\n", session_id_prefix);
1878	}
1879	if (exc != NULL((void*)0))
1880	ssl_ctx_set_excert(ctx, exc);
1881
1882	if (state)
1883	SSL_CTX_set_info_callback(ctx, apps_ssl_info_callback);
1884	if (no_cache)
1885	SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF)SSL_CTX_ctrl(ctx,44,0x0000,((void*)0));
1886	else if (ext_cache)
1887	init_session_cache_ctx(ctx);
1888	else
1889	SSL_CTX_sess_set_cache_size(ctx, 128)SSL_CTX_ctrl(ctx,42,128,((void*)0));
1890
1891	if (async) {
1892	SSL_CTX_set_mode(ctx, SSL_MODE_ASYNC)SSL_CTX_ctrl((ctx),33,(0x00000100U),((void*)0));
1893	}
1894
1895	if (no_ca_names) {
1896	SSL_CTX_set_options(ctx, SSL_OP_DISABLE_TLSEXT_CA_NAMES((uint64_t)1 << (uint64_t)9));
1897	}
1898
1899	if (ignore_unexpected_eof)
1900	SSL_CTX_set_options(ctx, SSL_OP_IGNORE_UNEXPECTED_EOF((uint64_t)1 << (uint64_t)7));
1901
1902	if (max_send_fragment > 0
1903	&& !SSL_CTX_set_max_send_fragment(ctx, max_send_fragment)SSL_CTX_ctrl(ctx,52,max_send_fragment,((void*)0))) {
1904	BIO_printf(bio_err, "%s: Max send fragment size %u is out of permitted range\n",
1905	prog, max_send_fragment);
1906	goto end;
1907	}
1908
1909	if (split_send_fragment > 0
1910	&& !SSL_CTX_set_split_send_fragment(ctx, split_send_fragment)SSL_CTX_ctrl(ctx,125,split_send_fragment,((void*)0))) {
1911	BIO_printf(bio_err, "%s: Split send fragment size %u is out of permitted range\n",
1912	prog, split_send_fragment);
1913	goto end;
1914	}
1915	if (max_pipelines > 0
1916	&& !SSL_CTX_set_max_pipelines(ctx, max_pipelines)SSL_CTX_ctrl(ctx,126,max_pipelines,((void*)0))) {
1917	BIO_printf(bio_err, "%s: Max pipelines %u is out of permitted range\n",
1918	prog, max_pipelines);
1919	goto end;
1920	}
1921
1922	if (read_buf_len > 0) {
1923	SSL_CTX_set_default_read_buffer_len(ctx, read_buf_len);
1924	}
1925	#ifndef OPENSSL_NO_SRTP
1926	if (srtp_profiles != NULL((void*)0)) {
1927	/* Returns 0 on success! */
1928	if (SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles) != 0) {
1929	BIO_printf(bio_err, "Error setting SRTP profile\n");
1930	ERR_print_errors(bio_err);
1931	goto end;
1932	}
1933	}
1934	#endif
1935
1936	if (!ctx_set_verify_locations(ctx, CAfile, noCAfile, CApath, noCApath,
1937	CAstore, noCAstore)) {
1938	ERR_print_errors(bio_err);
1939	goto end;
1940	}
1941	if (vpmtouched && !SSL_CTX_set1_param(ctx, vpm)) {
1942	BIO_printf(bio_err, "Error setting verify params\n");
1943	ERR_print_errors(bio_err);
1944	goto end;
1945	}
1946
1947	ssl_ctx_add_crls(ctx, crls, 0);
1948
1949	if (!ssl_load_stores(ctx,
1950	vfyCApath, vfyCAfile, vfyCAstore,
1951	chCApath, chCAfile, chCAstore,
1952	crls, crl_download)) {
1953	BIO_printf(bio_err, "Error loading store locations\n");
1954	ERR_print_errors(bio_err);
1955	goto end;
1956	}
1957
1958	if (s_cert2) {
1959	ctx2 = SSL_CTX_new_ex(app_get0_libctx(), app_get0_propq(), meth);
1960	if (ctx2 == NULL((void*)0)) {
1961	ERR_print_errors(bio_err);
1962	goto end;
1963	}
1964	}
1965
1966	if (ctx2 != NULL((void*)0)) {
1967	BIO_printf(bio_s_out, "Setting secondary ctx parameters\n");
1968
1969	if (sdebug)
1970	ssl_ctx_security_debug(ctx2, sdebug);
1971
1972	if (session_id_prefix) {
1973	if (strlen(session_id_prefix) >= 32)
1974	BIO_printf(bio_err,
1975	"warning: id_prefix is too long, only one new session will be possible\n");
1976	if (!SSL_CTX_set_generate_session_id(ctx2, generate_session_id)) {
1977	BIO_printf(bio_err, "error setting 'id_prefix'\n");
1978	ERR_print_errors(bio_err);
1979	goto end;
1980	}
1981	BIO_printf(bio_err, "id_prefix '%s' set.\n", session_id_prefix);
1982	}
1983	if (exc != NULL((void*)0))
1984	ssl_ctx_set_excert(ctx2, exc);
1985
1986	if (state)
1987	SSL_CTX_set_info_callback(ctx2, apps_ssl_info_callback);
1988
1989	if (no_cache)
1990	SSL_CTX_set_session_cache_mode(ctx2, SSL_SESS_CACHE_OFF)SSL_CTX_ctrl(ctx2,44,0x0000,((void*)0));
1991	else if (ext_cache)
1992	init_session_cache_ctx(ctx2);
1993	else
1994	SSL_CTX_sess_set_cache_size(ctx2, 128)SSL_CTX_ctrl(ctx2,42,128,((void*)0));
1995
1996	if (async)
1997	SSL_CTX_set_mode(ctx2, SSL_MODE_ASYNC)SSL_CTX_ctrl((ctx2),33,(0x00000100U),((void*)0));
1998
1999	if (!ctx_set_verify_locations(ctx2, CAfile, noCAfile, CApath,
2000	noCApath, CAstore, noCAstore)) {
2001	ERR_print_errors(bio_err);
2002	goto end;
2003	}
2004	if (vpmtouched && !SSL_CTX_set1_param(ctx2, vpm)) {
2005	BIO_printf(bio_err, "Error setting verify params\n");
2006	ERR_print_errors(bio_err);
2007	goto end;
2008	}
2009
2010	ssl_ctx_add_crls(ctx2, crls, 0);
2011	if (!config_ctx(cctx, ssl_args, ctx2))
2012	goto end;
2013	}
2014	#ifndef OPENSSL_NO_NEXTPROTONEG
2015	if (next_proto.data)
2016	SSL_CTX_set_next_protos_advertised_cb(ctx, next_proto_cb,
2017	&next_proto);
2018	#endif
2019	if (alpn_ctx.data)
2020	SSL_CTX_set_alpn_select_cb(ctx, alpn_cb, &alpn_ctx);
2021
2022	if (!no_dhe) {
2023	EVP_PKEY dhpkey = NULL((void)0);
2024
2025	if (dhfile != NULL((void*)0))
2026	dhpkey = load_keyparams(dhfile, FORMAT_UNDEF0, 0, "DH", "DH parameters");
2027	else if (s_cert_file != NULL((void*)0))
2028	dhpkey = load_keyparams_suppress(s_cert_file, FORMAT_UNDEF0, 0, "DH",
2029	"DH parameters", 1);
2030
2031	if (dhpkey != NULL((void*)0)) {
2032	BIO_printf(bio_s_out, "Setting temp DH parameters\n");
2033	} else {
2034	BIO_printf(bio_s_out, "Using default temp DH parameters\n");
2035	}
2036	(void)BIO_flush(bio_s_out)(int)BIO_ctrl(bio_s_out,11,0,((void*)0));
2037
2038	if (dhpkey == NULL((void*)0)) {
2039	SSL_CTX_set_dh_auto(ctx, 1)SSL_CTX_ctrl(ctx,118,1,((void*)0));
2040	} else {
2041	/*
2042	* We need 2 references: one for use by ctx and one for use by
2043	* ctx2
2044	*/
2045	if (!EVP_PKEY_up_ref(dhpkey)) {
2046	EVP_PKEY_free(dhpkey);
2047	goto end;
2048	}
2049	if (!SSL_CTX_set0_tmp_dh_pkey(ctx, dhpkey)) {
2050	BIO_puts(bio_err, "Error setting temp DH parameters\n");
2051	ERR_print_errors(bio_err);
2052	/* Free 2 references */
2053	EVP_PKEY_free(dhpkey);
2054	EVP_PKEY_free(dhpkey);
2055	goto end;
2056	}
2057	}
2058
2059	if (ctx2 != NULL((void*)0)) {
2060	if (dhfile != NULL((void*)0)) {
2061	EVP_PKEY *dhpkey2 = load_keyparams_suppress(s_cert_file2,
2062	FORMAT_UNDEF0,
2063	0, "DH",
2064	"DH parameters", 1);
2065
2066	if (dhpkey2 != NULL((void*)0)) {
2067	BIO_printf(bio_s_out, "Setting temp DH parameters\n");
2068	(void)BIO_flush(bio_s_out)(int)BIO_ctrl(bio_s_out,11,0,((void*)0));
2069
2070	EVP_PKEY_free(dhpkey);
2071	dhpkey = dhpkey2;
2072	}
2073	}
2074	if (dhpkey == NULL((void*)0)) {
2075	SSL_CTX_set_dh_auto(ctx2, 1)SSL_CTX_ctrl(ctx2,118,1,((void*)0));
2076	} else if (!SSL_CTX_set0_tmp_dh_pkey(ctx2, dhpkey)) {
2077	BIO_puts(bio_err, "Error setting temp DH parameters\n");
2078	ERR_print_errors(bio_err);
2079	EVP_PKEY_free(dhpkey);
2080	goto end;
2081	}
2082	dhpkey = NULL((void*)0);
2083	}
2084	EVP_PKEY_free(dhpkey);
2085	}
2086
2087	if (!set_cert_key_stuff(ctx, s_cert, s_key, s_chain, build_chain))
2088	goto end;
2089
2090	if (s_serverinfo_file != NULL((void*)0)
2091	&& !SSL_CTX_use_serverinfo_file(ctx, s_serverinfo_file)) {
2092	ERR_print_errors(bio_err);
2093	goto end;
2094	}
2095
2096	if (ctx2 != NULL((void*)0)
2097	&& !set_cert_key_stuff(ctx2, s_cert2, s_key2, NULL((void*)0), build_chain))
2098	goto end;
2099
2100	if (s_dcert != NULL((void*)0)) {
2101	if (!set_cert_key_stuff(ctx, s_dcert, s_dkey, s_dchain, build_chain))
2102	goto end;
2103	}
2104
2105	if (no_resume_ephemeral) {
2106	SSL_CTX_set_not_resumable_session_callback(ctx,
2107	not_resumable_sess_cb);
2108
2109	if (ctx2 != NULL((void*)0))
2110	SSL_CTX_set_not_resumable_session_callback(ctx2,
2111	not_resumable_sess_cb);
2112	}
2113	#ifndef OPENSSL_NO_PSK
2114	if (psk_key != NULL((void*)0)) {
2115	if (s_debug)
2116	BIO_printf(bio_s_out, "PSK key given, setting server callback\n");
2117	SSL_CTX_set_psk_server_callback(ctx, psk_server_cb);
2118	}
2119
2120	if (psk_identity_hint != NULL((void*)0)) {
2121	if (min_version == TLS1_3_VERSION0x0304) {
2122	BIO_printf(bio_s_out, "PSK warning: there is NO identity hint in TLSv1.3\n");
2123	} else {
2124	if (!SSL_CTX_use_psk_identity_hint(ctx, psk_identity_hint)) {
2125	BIO_printf(bio_err, "error setting PSK identity hint to context\n");
2126	ERR_print_errors(bio_err);
2127	goto end;
2128	}
2129	}
2130	}
2131	#endif
2132	if (psksessf != NULL((void*)0)) {
2133	BIO *stmp = BIO_new_file(psksessf, "r");
2134
2135	if (stmp == NULL((void*)0)) {
2136	BIO_printf(bio_err, "Can't open PSK session file %s\n", psksessf);
2137	ERR_print_errors(bio_err);
2138	goto end;
2139	}
2140	psksess = PEM_read_bio_SSL_SESSION(stmp, NULL((void)0), 0, NULL((void)0));
2141	BIO_free(stmp);
2142	if (psksess == NULL((void*)0)) {
2143	BIO_printf(bio_err, "Can't read PSK session file %s\n", psksessf);
2144	ERR_print_errors(bio_err);
2145	goto end;
2146	}
2147
2148	}
2149
2150	if (psk_key != NULL((void)0) \|\| psksess != NULL((void)0))
2151	SSL_CTX_set_psk_find_session_callback(ctx, psk_find_session_cb);
2152
2153	SSL_CTX_set_verify(ctx, s_server_verify, verify_callback);
2154	if (!SSL_CTX_set_session_id_context(ctx,
2155	(void *)&s_server_session_id_context,
2156	sizeof(s_server_session_id_context))) {
2157	BIO_printf(bio_err, "error setting session id context\n");
2158	ERR_print_errors(bio_err);
2159	goto end;
2160	}
2161
2162	/* Set DTLS cookie generation and verification callbacks */
2163	SSL_CTX_set_cookie_generate_cb(ctx, generate_cookie_callback);
2164	SSL_CTX_set_cookie_verify_cb(ctx, verify_cookie_callback);
2165
2166	/* Set TLS1.3 cookie generation and verification callbacks */
2167	SSL_CTX_set_stateless_cookie_generate_cb(ctx, generate_stateless_cookie_callback);
2168	SSL_CTX_set_stateless_cookie_verify_cb(ctx, verify_stateless_cookie_callback);
2169
2170	if (ctx2 != NULL((void*)0)) {
2171	SSL_CTX_set_verify(ctx2, s_server_verify, verify_callback);
2172	if (!SSL_CTX_set_session_id_context(ctx2,
2173	(void *)&s_server_session_id_context,
2174	sizeof(s_server_session_id_context))) {
2175	BIO_printf(bio_err, "error setting session id context\n");
2176	ERR_print_errors(bio_err);
2177	goto end;
2178	}
2179	tlsextcbp.biodebug = bio_s_out;
2180	SSL_CTX_set_tlsext_servername_callback(ctx2, ssl_servername_cb)SSL_CTX_callback_ctrl(ctx2,53, (void (*)(void))ssl_servername_cb );
2181	SSL_CTX_set_tlsext_servername_arg(ctx2, &tlsextcbp)SSL_CTX_ctrl(ctx2,54,0,&tlsextcbp);
2182	SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb)SSL_CTX_callback_ctrl(ctx,53, (void (*)(void))ssl_servername_cb );
2183	SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp)SSL_CTX_ctrl(ctx,54,0,&tlsextcbp);
2184	}
2185
2186	#ifndef OPENSSL_NO_SRP
2187	if (srp_verifier_file != NULL((void*)0)) {
2188	if (!set_up_srp_verifier_file(ctx, &srp_callback_parm, srpuserseed,
2189	srp_verifier_file))
2190	goto end;
2191	} else
2192	#endif
2193	if (CAfile != NULL((void*)0)) {
2194	SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(CAfile));
2195
2196	if (ctx2)
2197	SSL_CTX_set_client_CA_list(ctx2, SSL_load_client_CA_file(CAfile));
2198	}
2199	#ifndef OPENSSL_NO_OCSP
2200	if (s_tlsextstatus) {
2201	SSL_CTX_set_tlsext_status_cb(ctx, cert_status_cb)SSL_CTX_callback_ctrl(ctx,63, (void (*)(void))cert_status_cb);
2202	SSL_CTX_set_tlsext_status_arg(ctx, &tlscstatp)SSL_CTX_ctrl(ctx,64,0,&tlscstatp);
2203	if (ctx2) {
2204	SSL_CTX_set_tlsext_status_cb(ctx2, cert_status_cb)SSL_CTX_callback_ctrl(ctx2,63, (void (*)(void))cert_status_cb );
2205	SSL_CTX_set_tlsext_status_arg(ctx2, &tlscstatp)SSL_CTX_ctrl(ctx2,64,0,&tlscstatp);
2206	}
2207	}
2208	#endif
2209	if (set_keylog_file(ctx, keylog_file))
2210	goto end;
2211
2212	if (max_early_data >= 0)
2213	SSL_CTX_set_max_early_data(ctx, max_early_data);
2214	if (recv_max_early_data >= 0)
2215	SSL_CTX_set_recv_max_early_data(ctx, recv_max_early_data);
2216
2217	if (rev)
2218	server_cb = rev_body;
2219	else if (www)
2220	server_cb = www_body;
2221	else
2222	server_cb = sv_body;
2223	#ifdef AF_UNIX1
2224	if (socket_family == AF_UNIX1
2225	&& unlink_unix_path)
2226	unlink(host);
2227	#endif
2228	do_server(&accept_socket, host, port, socket_family, socket_type, protocol,
2229	server_cb, context, naccept, bio_s_out);
2230	print_stats(bio_s_out, ctx);
2231	ret = 0;
2232	end:
2233	SSL_CTX_free(ctx);
2234	SSL_SESSION_free(psksess);
2235	set_keylog_file(NULL((void)0), NULL((void)0));
2236	X509_free(s_cert);
2237	sk_X509_CRL_pop_free(crls, X509_CRL_free)OPENSSL_sk_pop_free(ossl_check_X509_CRL_sk_type(crls),ossl_check_X509_CRL_freefunc_type (X509_CRL_free));
2238	X509_free(s_dcert);
2239	EVP_PKEY_free(s_key);
2240	EVP_PKEY_free(s_dkey);
2241	sk_X509_pop_free(s_chain, X509_free)OPENSSL_sk_pop_free(ossl_check_X509_sk_type(s_chain),ossl_check_X509_freefunc_type (X509_free));
2242	sk_X509_pop_free(s_dchain, X509_free)OPENSSL_sk_pop_free(ossl_check_X509_sk_type(s_dchain),ossl_check_X509_freefunc_type (X509_free));
2243	OPENSSL_free(pass)CRYPTO_free(pass, "../deps/openssl/openssl/apps/s_server.c", 2243 );
2244	OPENSSL_free(dpass)CRYPTO_free(dpass, "../deps/openssl/openssl/apps/s_server.c", 2244);
2245	OPENSSL_free(host)CRYPTO_free(host, "../deps/openssl/openssl/apps/s_server.c", 2245 );
2246	OPENSSL_free(port)CRYPTO_free(port, "../deps/openssl/openssl/apps/s_server.c", 2246 );
2247	X509_VERIFY_PARAM_free(vpm);
2248	free_sessions();
2249	OPENSSL_free(tlscstatp.host)CRYPTO_free(tlscstatp.host, "../deps/openssl/openssl/apps/s_server.c" , 2249);
2250	OPENSSL_free(tlscstatp.port)CRYPTO_free(tlscstatp.port, "../deps/openssl/openssl/apps/s_server.c" , 2250);
2251	OPENSSL_free(tlscstatp.path)CRYPTO_free(tlscstatp.path, "../deps/openssl/openssl/apps/s_server.c" , 2251);
2252	SSL_CTX_free(ctx2);
2253	X509_free(s_cert2);
2254	EVP_PKEY_free(s_key2);
2255	#ifndef OPENSSL_NO_NEXTPROTONEG
2256	OPENSSL_free(next_proto.data)CRYPTO_free(next_proto.data, "../deps/openssl/openssl/apps/s_server.c" , 2256);
2257	#endif
2258	OPENSSL_free(alpn_ctx.data)CRYPTO_free(alpn_ctx.data, "../deps/openssl/openssl/apps/s_server.c" , 2258);
2259	ssl_excert_free(exc);
2260	sk_OPENSSL_STRING_free(ssl_args)OPENSSL_sk_free(ossl_check_OPENSSL_STRING_sk_type(ssl_args));
2261	SSL_CONF_CTX_free(cctx);
2262	release_engine(engine);
2263	BIO_free(bio_s_out);
2264	bio_s_out = NULL((void*)0);
2265	BIO_free(bio_s_msg);
2266	bio_s_msg = NULL((void*)0);
2267	#ifdef CHARSET_EBCDIC
2268	BIO_meth_free(methods_ebcdic);
2269	#endif
2270	return ret;
2271	}
2272
2273	static void print_stats(BIO bio, SSL_CTX ssl_ctx)
2274	{
2275	BIO_printf(bio, "%4ld items in the session cache\n",
2276	SSL_CTX_sess_number(ssl_ctx)SSL_CTX_ctrl(ssl_ctx,20,0,((void*)0)));
2277	BIO_printf(bio, "%4ld client connects (SSL_connect())\n",
2278	SSL_CTX_sess_connect(ssl_ctx)SSL_CTX_ctrl(ssl_ctx,21,0,((void*)0)));
2279	BIO_printf(bio, "%4ld client renegotiates (SSL_connect())\n",
2280	SSL_CTX_sess_connect_renegotiate(ssl_ctx)SSL_CTX_ctrl(ssl_ctx,23,0,((void*)0)));
2281	BIO_printf(bio, "%4ld client connects that finished\n",
2282	SSL_CTX_sess_connect_good(ssl_ctx)SSL_CTX_ctrl(ssl_ctx,22,0,((void*)0)));
2283	BIO_printf(bio, "%4ld server accepts (SSL_accept())\n",
2284	SSL_CTX_sess_accept(ssl_ctx)SSL_CTX_ctrl(ssl_ctx,24,0,((void*)0)));
2285	BIO_printf(bio, "%4ld server renegotiates (SSL_accept())\n",
2286	SSL_CTX_sess_accept_renegotiate(ssl_ctx)SSL_CTX_ctrl(ssl_ctx,26,0,((void*)0)));
2287	BIO_printf(bio, "%4ld server accepts that finished\n",
2288	SSL_CTX_sess_accept_good(ssl_ctx)SSL_CTX_ctrl(ssl_ctx,25,0,((void*)0)));
2289	BIO_printf(bio, "%4ld session cache hits\n", SSL_CTX_sess_hits(ssl_ctx)SSL_CTX_ctrl(ssl_ctx,27,0,((void*)0)));
2290	BIO_printf(bio, "%4ld session cache misses\n",
2291	SSL_CTX_sess_misses(ssl_ctx)SSL_CTX_ctrl(ssl_ctx,29,0,((void*)0)));
2292	BIO_printf(bio, "%4ld session cache timeouts\n",
2293	SSL_CTX_sess_timeouts(ssl_ctx)SSL_CTX_ctrl(ssl_ctx,30,0,((void*)0)));
2294	BIO_printf(bio, "%4ld callback cache hits\n",
2295	SSL_CTX_sess_cb_hits(ssl_ctx)SSL_CTX_ctrl(ssl_ctx,28,0,((void*)0)));
2296	BIO_printf(bio, "%4ld cache full overflows (%ld allowed)\n",
2297	SSL_CTX_sess_cache_full(ssl_ctx)SSL_CTX_ctrl(ssl_ctx,31,0,((void*)0)),
2298	SSL_CTX_sess_get_cache_size(ssl_ctx)SSL_CTX_ctrl(ssl_ctx,43,0,((void*)0)));
2299	}
2300
2301	static long int count_reads_callback(BIO bio, int cmd, const char argp, size_t len,
2302	int argi, long argl, int ret, size_t *processed)
2303	{
2304	unsigned int p_counter = (unsigned int )BIO_get_callback_arg(bio);
2305
2306	switch (cmd) {
2307	case BIO_CB_READ0x02: /* No break here */
2308	case BIO_CB_GETS0x05:
2309	if (p_counter != NULL((void*)0))
2310	++*p_counter;
2311	break;
2312	default:
2313	break;
2314	}
2315
2316	if (s_debug) {
2317	BIO_set_callback_arg(bio, (char *)bio_s_out);
2318	ret = (int)bio_dump_callback(bio, cmd, argp, len, argi, argl, ret, processed);
2319	BIO_set_callback_arg(bio, (char *)p_counter);
2320	}
2321
2322	return ret;
2323	}
2324
2325	static int sv_body(int s, int stype, int prot, unsigned char *context)
2326	{
2327	char buf = NULL((void)0);
2328	fd_set readfds;
2329	int ret = 1, width;
2330	int k, i;
2331	unsigned long l;
2332	SSL con = NULL((void)0);
2333	BIO *sbio;
2334	struct timeval timeout;
2335	#if !(defined(OPENSSL_SYS_WINDOWS) \|\| defined(OPENSSL_SYS_MSDOS))
2336	struct timeval *timeoutp;
2337	#endif
2338	#ifndef OPENSSL_NO_DTLS
2339	# ifndef OPENSSL_NO_SCTP
2340	int isdtls = (stype == SOCK_DGRAMSOCK_DGRAM \|\| prot == IPPROTO_SCTPIPPROTO_SCTP);
2341	# else
2342	int isdtls = (stype == SOCK_DGRAMSOCK_DGRAM);
2343	# endif
2344	#endif
2345
2346	buf = app_malloc(bufsize, "server buffer");
2347	if (s_nbio) {
2348	if (!BIO_socket_nbio(s, 1))
2349	ERR_print_errors(bio_err);
2350	else if (!s_quiet)
2351	BIO_printf(bio_err, "Turned on non blocking io\n");
2352	}
2353
2354	con = SSL_new(ctx);
2355	if (con == NULL((void*)0)) {
2356	ret = -1;
2357	goto err;
2358	}
2359
2360	if (s_tlsextdebug) {
2361	SSL_set_tlsext_debug_callback(con, tlsext_cb)SSL_callback_ctrl(con,56, (void (*)(void))tlsext_cb);
2362	SSL_set_tlsext_debug_arg(con, bio_s_out)SSL_ctrl(con,57,0,bio_s_out);
2363	}
2364
2365	if (context != NULL((void*)0)
2366	&& !SSL_set_session_id_context(con, context,
2367	strlen((char *)context))) {
2368	BIO_printf(bio_err, "Error setting session id context\n");
2369	ret = -1;
2370	goto err;
2371	}
2372
2373	if (!SSL_clear(con)) {
2374	BIO_printf(bio_err, "Error clearing SSL connection\n");
2375	ret = -1;
2376	goto err;
2377	}
2378	#ifndef OPENSSL_NO_DTLS
2379	if (isdtls) {
2380	# ifndef OPENSSL_NO_SCTP
2381	if (prot == IPPROTO_SCTPIPPROTO_SCTP)
2382	sbio = BIO_new_dgram_sctp(s, BIO_NOCLOSE0x00);
2383	else
2384	# endif
2385	sbio = BIO_new_dgram(s, BIO_NOCLOSE0x00);
2386	if (sbio == NULL((void*)0)) {
2387	BIO_printf(bio_err, "Unable to create BIO\n");
2388	ERR_print_errors(bio_err);
2389	goto err;
2390	}
2391
2392	if (enable_timeouts) {
2393	timeout.tv_sec = 0;
2394	timeout.tv_usec = DGRAM_RCV_TIMEOUT250000;
2395	BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT33, 0, &timeout);
2396
2397	timeout.tv_sec = 0;
2398	timeout.tv_usec = DGRAM_SND_TIMEOUT250000;
2399	BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT35, 0, &timeout);
2400	}
2401
2402	if (socket_mtu) {
2403	if (socket_mtu < DTLS_get_link_min_mtu(con)SSL_ctrl((con),121,0,((void*)0))) {
2404	BIO_printf(bio_err, "MTU too small. Must be at least %ld\n",
2405	DTLS_get_link_min_mtu(con)SSL_ctrl((con),121,0,((void*)0)));
2406	ret = -1;
2407	BIO_free(sbio);
2408	goto err;
2409	}
2410	SSL_set_options(con, SSL_OP_NO_QUERY_MTU((uint64_t)1 << (uint64_t)12));
2411	if (!DTLS_set_link_mtu(con, socket_mtu)SSL_ctrl((con),120,(socket_mtu),((void*)0))) {
2412	BIO_printf(bio_err, "Failed to set MTU\n");
2413	ret = -1;
2414	BIO_free(sbio);
2415	goto err;
2416	}
2417	} else
2418	/* want to do MTU discovery */
2419	BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER39, 0, NULL((void*)0));
2420
2421	# ifndef OPENSSL_NO_SCTP
2422	if (prot != IPPROTO_SCTPIPPROTO_SCTP)
2423	# endif
2424	/* Turn on cookie exchange. Not necessary for SCTP */
2425	SSL_set_options(con, SSL_OP_COOKIE_EXCHANGE((uint64_t)1 << (uint64_t)13));
2426	} else
2427	#endif
2428	sbio = BIO_new_socket(s, BIO_NOCLOSE0x00);
2429
2430	if (sbio == NULL((void*)0)) {
2431	BIO_printf(bio_err, "Unable to create BIO\n");
2432	ERR_print_errors(bio_err);
2433	goto err;
2434	}
2435
2436	if (s_nbio_test) {
2437	BIO *test;
2438
2439	test = BIO_new(BIO_f_nbio_test());
2440	if (test == NULL((void*)0)) {
2441	BIO_printf(bio_err, "Unable to create BIO\n");
2442	ret = -1;
2443	BIO_free(sbio);
2444	goto err;
2445	}
2446
2447	sbio = BIO_push(test, sbio);
2448	}
2449
2450	SSL_set_bio(con, sbio, sbio);
2451	SSL_set_accept_state(con);
2452	/* SSL_set_fd(con,s); */
2453
2454	BIO_set_callback_ex(SSL_get_rbio(con), count_reads_callback);
2455	if (s_msg) {
2456	#ifndef OPENSSL_NO_SSL_TRACE
2457	if (s_msg == 2)
2458	SSL_set_msg_callback(con, SSL_trace);
2459	else
2460	#endif
2461	SSL_set_msg_callback(con, msg_cb);
2462	SSL_set_msg_callback_arg(con, bio_s_msg ? bio_s_msg : bio_s_out)SSL_ctrl((con), 16, 0, (bio_s_msg ? bio_s_msg : bio_s_out));
2463	}
2464
2465	if (s_tlsextdebug) {
2466	SSL_set_tlsext_debug_callback(con, tlsext_cb)SSL_callback_ctrl(con,56, (void (*)(void))tlsext_cb);
2467	SSL_set_tlsext_debug_arg(con, bio_s_out)SSL_ctrl(con,57,0,bio_s_out);
2468	}
2469
2470	if (early_data) {
2471	int write_header = 1, edret = SSL_READ_EARLY_DATA_ERROR0;
2472	size_t readbytes;
2473
2474	while (edret != SSL_READ_EARLY_DATA_FINISH2) {
2475	for (;;) {
2476	edret = SSL_read_early_data(con, buf, bufsize, &readbytes);
2477	if (edret != SSL_READ_EARLY_DATA_ERROR0)
2478	break;
2479
2480	switch (SSL_get_error(con, 0)) {
2481	case SSL_ERROR_WANT_WRITE3:
2482	case SSL_ERROR_WANT_ASYNC9:
2483	case SSL_ERROR_WANT_READ2:
2484	/* Just keep trying - busy waiting */
2485	continue;
2486	default:
2487	BIO_printf(bio_err, "Error reading early data\n");
2488	ERR_print_errors(bio_err);
2489	goto err;
2490	}
2491	}
2492	if (readbytes > 0) {
2493	if (write_header) {
2494	BIO_printf(bio_s_out, "Early data received:\n");
2495	write_header = 0;
2496	}
2497	raw_write_stdout(buf, (unsigned int)readbytes);
2498	(void)BIO_flush(bio_s_out)(int)BIO_ctrl(bio_s_out,11,0,((void*)0));
2499	}
2500	}
2501	if (write_header) {
2502	if (SSL_get_early_data_status(con) == SSL_EARLY_DATA_NOT_SENT0)
2503	BIO_printf(bio_s_out, "No early data received\n");
2504	else
2505	BIO_printf(bio_s_out, "Early data was rejected\n");
2506	} else {
2507	BIO_printf(bio_s_out, "\nEnd of early data\n");
2508	}
2509	if (SSL_is_init_finished(con))
2510	print_connection_info(con);
2511	}
2512
2513	if (fileno_stdin() > s)
2514	width = fileno_stdin() + 1;
2515	else
2516	width = s + 1;
2517	for (;;) {
2518	int read_from_terminal;
2519	int read_from_sslcon;
2520
2521	read_from_terminal = 0;
2522	read_from_sslcon = SSL_has_pending(con)
2523	\|\| (async && SSL_waiting_for_async(con));
2524
2525	if (!read_from_sslcon) {
2526	FD_ZERO(&readfds)do { int __d0, __d1; __asm__ __volatile__ ("cld; rep; " "stosq" : "=c" (__d0), "=D" (__d1) : "a" (0), "0" (sizeof (fd_set) / sizeof (__fd_mask)), "1" (&((&readfds)->__fds_bits )[0]) : "memory"); } while (0);
2527	#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS)
2528	openssl_fdset(fileno_stdin(), &readfds)((void) (((&readfds)->__fds_bits)[((fileno_stdin()) / ( 8 * (int) sizeof (__fd_mask)))] \|= ((__fd_mask) (1UL << ((fileno_stdin()) % (8 * (int) sizeof (__fd_mask)))))));
2529	#endif
2530	openssl_fdset(s, &readfds)((void) (((&readfds)->__fds_bits)[((s) / (8 * (int) sizeof (__fd_mask)))] \|= ((__fd_mask) (1UL << ((s) % (8 * (int ) sizeof (__fd_mask)))))));
2531	/*
2532	* Note: under VMS with SOCKETSHR the second parameter is
2533	* currently of type (int *) whereas under other systems it is
2534	* (void *) if you don't have a cast it will choke the compiler:
2535	* if you do have a cast then you can either go for (int *) or
2536	* (void *).
2537	*/
2538	#if defined(OPENSSL_SYS_WINDOWS) \|\| defined(OPENSSL_SYS_MSDOS)
2539	/*
2540	* Under DOS (non-djgpp) and Windows we can't select on stdin:
2541	* only on sockets. As a workaround we timeout the select every
2542	* second and check for any keypress. In a proper Windows
2543	* application we wouldn't do this because it is inefficient.
2544	*/
2545	timeout.tv_sec = 1;
2546	timeout.tv_usec = 0;
2547	i = select(width, (void )&readfds, NULL((void)0), NULL((void*)0), &timeout);
2548	if (has_stdin_waiting())
2549	read_from_terminal = 1;
2550	if ((i < 0) \|\| (!i && !read_from_terminal))
2551	continue;
2552	#else
2553	if (SSL_is_dtls(con) && DTLSv1_get_timeout(con, &timeout)SSL_ctrl(con,73,0, (void *)(&timeout)))
2554	timeoutp = &timeout;
2555	else
2556	timeoutp = NULL((void*)0);
2557
2558	i = select(width, (void )&readfds, NULL((void)0), NULL((void*)0), timeoutp);
2559
2560	if ((SSL_is_dtls(con)) && DTLSv1_handle_timeout(con)SSL_ctrl(con,74,0, ((void*)0)) > 0)
2561	BIO_printf(bio_err, "TIMEOUT occurred\n");
2562
2563	if (i <= 0)
2564	continue;
2565	if (FD_ISSET(fileno_stdin(), &readfds)((((&readfds)->__fds_bits)[((fileno_stdin()) / (8 * (int ) sizeof (__fd_mask)))] & ((__fd_mask) (1UL << ((fileno_stdin ()) % (8 * (int) sizeof (__fd_mask)))))) != 0))
2566	read_from_terminal = 1;
2567	#endif
2568	if (FD_ISSET(s, &readfds)((((&readfds)->__fds_bits)[((s) / (8 * (int) sizeof (__fd_mask )))] & ((__fd_mask) (1UL << ((s) % (8 * (int) sizeof (__fd_mask)))))) != 0))
2569	read_from_sslcon = 1;
2570	}
2571	if (read_from_terminal) {
2572	if (s_crlf) {
2573	int j, lf_num;
2574
2575	i = raw_read_stdin(buf, bufsize / 2);
2576	lf_num = 0;
2577	/* both loops are skipped when i <= 0 */
2578	for (j = 0; j < i; j++)
2579	if (buf[j] == '\n')
2580	lf_num++;
2581	for (j = i - 1; j >= 0; j--) {
2582	buf[j + lf_num] = buf[j];
2583	if (buf[j] == '\n') {
2584	lf_num--;
2585	i++;
2586	buf[j + lf_num] = '\r';
2587	}
2588	}
2589	assert(lf_num == 0)((void) (0));
2590	} else {
2591	i = raw_read_stdin(buf, bufsize);
2592	}
2593
2594	if (!s_quiet && !s_brief) {
2595	if ((i <= 0) \|\| (buf[0] == 'Q')) {
2596	BIO_printf(bio_s_out, "DONE\n");
2597	(void)BIO_flush(bio_s_out)(int)BIO_ctrl(bio_s_out,11,0,((void*)0));
2598	BIO_closesocket(s);
2599	close_accept_socket();
2600	ret = -11;
2601	goto err;
2602	}
2603	if ((i <= 0) \|\| (buf[0] == 'q')) {
2604	BIO_printf(bio_s_out, "DONE\n");
2605	(void)BIO_flush(bio_s_out)(int)BIO_ctrl(bio_s_out,11,0,((void*)0));
2606	if (SSL_version(con) != DTLS1_VERSION0xFEFF)
2607	BIO_closesocket(s);
2608	/*
2609	* close_accept_socket(); ret= -11;
2610	*/
2611	goto err;
2612	}
2613	if ((buf[0] == 'r') && ((buf[1] == '\n') \|\| (buf[1] == '\r'))) {
2614	SSL_renegotiate(con);
2615	i = SSL_do_handshake(con);
2616	printf("SSL_do_handshake -> %d\n", i);
2617	i = 0; /* 13; */
	Value stored to 'i' is never read
2618	continue;
2619	}
2620	if ((buf[0] == 'R') && ((buf[1] == '\n') \|\| (buf[1] == '\r'))) {
2621	SSL_set_verify(con,
2622	SSL_VERIFY_PEER0x01 \| SSL_VERIFY_CLIENT_ONCE0x04,
2623	NULL((void*)0));
2624	SSL_renegotiate(con);
2625	i = SSL_do_handshake(con);
2626	printf("SSL_do_handshake -> %d\n", i);
2627	i = 0; /* 13; */
2628	continue;
2629	}
2630	if ((buf[0] == 'K' \|\| buf[0] == 'k')
2631	&& ((buf[1] == '\n') \|\| (buf[1] == '\r'))) {
2632	SSL_key_update(con, buf[0] == 'K' ?
2633	SSL_KEY_UPDATE_REQUESTED1
2634	: SSL_KEY_UPDATE_NOT_REQUESTED0);
2635	i = SSL_do_handshake(con);
2636	printf("SSL_do_handshake -> %d\n", i);
2637	i = 0;
2638	continue;
2639	}
2640	if (buf[0] == 'c' && ((buf[1] == '\n') \|\| (buf[1] == '\r'))) {
2641	SSL_set_verify(con, SSL_VERIFY_PEER0x01, NULL((void*)0));
2642	i = SSL_verify_client_post_handshake(con);
2643	if (i == 0) {
2644	printf("Failed to initiate request\n");
2645	ERR_print_errors(bio_err);
2646	} else {
2647	i = SSL_do_handshake(con);
2648	printf("SSL_do_handshake -> %d\n", i);
2649	i = 0;
2650	}
2651	continue;
2652	}
2653	if (buf[0] == 'P') {
2654	static const char str[] = "Lets print some clear text\n";
2655	BIO_write(SSL_get_wbio(con), str, sizeof(str) -1);
2656	}
2657	if (buf[0] == 'S') {
2658	print_stats(bio_s_out, SSL_get_SSL_CTX(con));
2659	}
2660	}
2661	#ifdef CHARSET_EBCDIC
2662	ebcdic2ascii(buf, buf, i);
2663	#endif
2664	l = k = 0;
2665	for (;;) {
2666	/* should do a select for the write */
2667	#ifdef RENEG
2668	static count = 0;
2669	if (++count == 100) {
2670	count = 0;
2671	SSL_renegotiate(con);
2672	}
2673	#endif
2674	k = SSL_write(con, &(buf[l]), (unsigned int)i);
2675	#ifndef OPENSSL_NO_SRP
2676	while (SSL_get_error(con, k) == SSL_ERROR_WANT_X509_LOOKUP4) {
2677	BIO_printf(bio_s_out, "LOOKUP renego during write\n");
2678
2679	lookup_srp_user(&srp_callback_parm, bio_s_out);
2680
2681	k = SSL_write(con, &(buf[l]), (unsigned int)i);
2682	}
2683	#endif
2684	switch (SSL_get_error(con, k)) {
2685	case SSL_ERROR_NONE0:
2686	break;
2687	case SSL_ERROR_WANT_ASYNC9:
2688	BIO_printf(bio_s_out, "Write BLOCK (Async)\n");
2689	(void)BIO_flush(bio_s_out)(int)BIO_ctrl(bio_s_out,11,0,((void*)0));
2690	wait_for_async(con);
2691	break;
2692	case SSL_ERROR_WANT_WRITE3:
2693	case SSL_ERROR_WANT_READ2:
2694	case SSL_ERROR_WANT_X509_LOOKUP4:
2695	BIO_printf(bio_s_out, "Write BLOCK\n");
2696	(void)BIO_flush(bio_s_out)(int)BIO_ctrl(bio_s_out,11,0,((void*)0));
2697	break;
2698	case SSL_ERROR_WANT_ASYNC_JOB10:
2699	/*
2700	* This shouldn't ever happen in s_server. Treat as an error
2701	*/
2702	case SSL_ERROR_SYSCALL5:
2703	case SSL_ERROR_SSL1:
2704	BIO_printf(bio_s_out, "ERROR\n");
2705	(void)BIO_flush(bio_s_out)(int)BIO_ctrl(bio_s_out,11,0,((void*)0));
2706	ERR_print_errors(bio_err);
2707	ret = 1;
2708	goto err;
2709	/* break; */
2710	case SSL_ERROR_ZERO_RETURN6:
2711	BIO_printf(bio_s_out, "DONE\n");
2712	(void)BIO_flush(bio_s_out)(int)BIO_ctrl(bio_s_out,11,0,((void*)0));
2713	ret = 1;
2714	goto err;
2715	}
2716	if (k > 0) {
2717	l += k;
2718	i -= k;
2719	}
2720	if (i <= 0)
2721	break;
2722	}
2723	}
2724	if (read_from_sslcon) {
2725	/*
2726	* init_ssl_connection handles all async events itself so if we're
2727	* waiting for async then we shouldn't go back into
2728	* init_ssl_connection
2729	*/
2730	if ((!async \|\| !SSL_waiting_for_async(con))
2731	&& !SSL_is_init_finished(con)) {
2732	/*
2733	* Count number of reads during init_ssl_connection.
2734	* It helps us to distinguish configuration errors from errors
2735	* caused by a client.
2736	*/
2737	unsigned int read_counter = 0;
2738
2739	BIO_set_callback_arg(SSL_get_rbio(con), (char *)&read_counter);
2740	i = init_ssl_connection(con);
2741	BIO_set_callback_arg(SSL_get_rbio(con), NULL((void*)0));
2742
2743	/*
2744	* If initialization fails without reads, then
2745	* there was a fatal error in configuration.
2746	*/
2747	if (i <= 0 && read_counter == 0) {
2748	ret = -1;
2749	goto err;
2750	}
2751	if (i < 0) {
2752	ret = 0;
2753	goto err;
2754	} else if (i == 0) {
2755	ret = 1;
2756	goto err;
2757	}
2758	} else {
2759	again:
2760	i = SSL_read(con, (char *)buf, bufsize);
2761	#ifndef OPENSSL_NO_SRP
2762	while (SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP4) {
2763	BIO_printf(bio_s_out, "LOOKUP renego during read\n");
2764
2765	lookup_srp_user(&srp_callback_parm, bio_s_out);
2766
2767	i = SSL_read(con, (char *)buf, bufsize);
2768	}
2769	#endif
2770	switch (SSL_get_error(con, i)) {
2771	case SSL_ERROR_NONE0:
2772	#ifdef CHARSET_EBCDIC
2773	ascii2ebcdic(buf, buf, i);
2774	#endif
2775	raw_write_stdout(buf, (unsigned int)i);
2776	(void)BIO_flush(bio_s_out)(int)BIO_ctrl(bio_s_out,11,0,((void*)0));
2777	if (SSL_has_pending(con))
2778	goto again;
2779	break;
2780	case SSL_ERROR_WANT_ASYNC9:
2781	BIO_printf(bio_s_out, "Read BLOCK (Async)\n");
2782	(void)BIO_flush(bio_s_out)(int)BIO_ctrl(bio_s_out,11,0,((void*)0));
2783	wait_for_async(con);
2784	break;
2785	case SSL_ERROR_WANT_WRITE3:
2786	case SSL_ERROR_WANT_READ2:
2787	BIO_printf(bio_s_out, "Read BLOCK\n");
2788	(void)BIO_flush(bio_s_out)(int)BIO_ctrl(bio_s_out,11,0,((void*)0));
2789	break;
2790	case SSL_ERROR_WANT_ASYNC_JOB10:
2791	/*
2792	* This shouldn't ever happen in s_server. Treat as an error
2793	*/
2794	case SSL_ERROR_SYSCALL5:
2795	case SSL_ERROR_SSL1:
2796	BIO_printf(bio_s_out, "ERROR\n");
2797	(void)BIO_flush(bio_s_out)(int)BIO_ctrl(bio_s_out,11,0,((void*)0));
2798	ERR_print_errors(bio_err);
2799	ret = 1;
2800	goto err;
2801	case SSL_ERROR_ZERO_RETURN6:
2802	BIO_printf(bio_s_out, "DONE\n");
2803	(void)BIO_flush(bio_s_out)(int)BIO_ctrl(bio_s_out,11,0,((void*)0));
2804	ret = 1;
2805	goto err;
2806	}
2807	}
2808	}
2809	}
2810	err:
2811	if (con != NULL((void*)0)) {
2812	BIO_printf(bio_s_out, "shutting down SSL\n");
2813	do_ssl_shutdown(con);
2814	SSL_free(con);
2815	}
2816	BIO_printf(bio_s_out, "CONNECTION CLOSED\n");
2817	OPENSSL_clear_free(buf, bufsize)CRYPTO_clear_free(buf, bufsize, "../deps/openssl/openssl/apps/s_server.c" , 2817);
2818	return ret;
2819	}
2820
2821	static void close_accept_socket(void)
2822	{
2823	BIO_printf(bio_err, "shutdown accept socket\n");
2824	if (accept_socket >= 0) {
2825	BIO_closesocket(accept_socket);
2826	}
2827	}
2828
2829	static int is_retryable(SSL *con, int i)
2830	{
2831	int err = SSL_get_error(con, i);
2832
2833	/* If it's not a fatal error, it must be retryable */
2834	return (err != SSL_ERROR_SSL1)
2835	&& (err != SSL_ERROR_SYSCALL5)
2836	&& (err != SSL_ERROR_ZERO_RETURN6);
2837	}
2838
2839	static int init_ssl_connection(SSL *con)
2840	{
2841	int i;
2842	long verify_err;
2843	int retry = 0;
2844
2845	if (dtlslisten \|\| stateless) {
2846	BIO_ADDR client = NULL((void)0);
2847
2848	if (dtlslisten) {
2849	if ((client = BIO_ADDR_new()) == NULL((void*)0)) {
2850	BIO_printf(bio_err, "ERROR - memory\n");
2851	return 0;
2852	}
2853	i = DTLSv1_listen(con, client);
2854	} else {
2855	i = SSL_stateless(con);
2856	}
2857	if (i > 0) {
2858	BIO *wbio;
2859	int fd = -1;
2860
2861	if (dtlslisten) {
2862	wbio = SSL_get_wbio(con);
2863	if (wbio) {
2864	BIO_get_fd(wbio, &fd)BIO_ctrl(wbio,105,0,(char *)(&fd));
2865	}
2866
2867	if (!wbio \|\| BIO_connect(fd, client, 0) == 0) {
2868	BIO_printf(bio_err, "ERROR - unable to connect\n");
2869	BIO_ADDR_free(client);
2870	return 0;
2871	}
2872
2873	(void)BIO_ctrl_set_connected(wbio, client)(int)BIO_ctrl(wbio, 32, 0, (char *)(client));
2874	BIO_ADDR_free(client);
2875	dtlslisten = 0;
2876	} else {
2877	stateless = 0;
2878	}
2879	i = SSL_accept(con);
2880	} else {
2881	BIO_ADDR_free(client);
2882	}
2883	} else {
2884	do {
2885	i = SSL_accept(con);
2886
2887	if (i <= 0)
2888	retry = is_retryable(con, i);
2889	#ifdef CERT_CB_TEST_RETRY
2890	{
2891	while (i <= 0
2892	&& SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP4
2893	&& SSL_get_state(con) == TLS_ST_SR_CLNT_HELLO) {
2894	BIO_printf(bio_err,
2895	"LOOKUP from certificate callback during accept\n");
2896	i = SSL_accept(con);
2897	if (i <= 0)
2898	retry = is_retryable(con, i);
2899	}
2900	}
2901	#endif
2902
2903	#ifndef OPENSSL_NO_SRP
2904	while (i <= 0
2905	&& SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP4) {
2906	BIO_printf(bio_s_out, "LOOKUP during accept %s\n",
2907	srp_callback_parm.login);
2908
2909	lookup_srp_user(&srp_callback_parm, bio_s_out);
2910
2911	i = SSL_accept(con);
2912	if (i <= 0)
2913	retry = is_retryable(con, i);
2914	}
2915	#endif
2916	} while (i < 0 && SSL_waiting_for_async(con));
2917	}
2918
2919	if (i <= 0) {
2920	if (((dtlslisten \|\| stateless) && i == 0)
2921	\|\| (!dtlslisten && !stateless && retry)) {
2922	BIO_printf(bio_s_out, "DELAY\n");
2923	return 1;
2924	}
2925
2926	BIO_printf(bio_err, "ERROR\n");
2927
2928	verify_err = SSL_get_verify_result(con);
2929	if (verify_err != X509_V_OK0) {
2930	BIO_printf(bio_err, "verify error:%s\n",
2931	X509_verify_cert_error_string(verify_err));
2932	}
2933	/* Always print any error messages */
2934	ERR_print_errors(bio_err);
2935	return 0;
2936	}
2937
2938	print_connection_info(con);
2939	return 1;
2940	}
2941
2942	static void print_connection_info(SSL *con)
2943	{
2944	const char *str;
2945	X509 *peer;
2946	char buf[BUFSIZ8192];
2947	#if !defined(OPENSSL_NO_NEXTPROTONEG)
2948	const unsigned char *next_proto_neg;
2949	unsigned next_proto_neg_len;
2950	#endif
2951	unsigned char *exportedkeymat;
2952	int i;
2953
2954	if (s_brief)
2955	print_ssl_summary(con);
2956
2957	PEM_write_bio_SSL_SESSION(bio_s_out, SSL_get_session(con));
2958
2959	peer = SSL_get0_peer_certificate(con);
2960	if (peer != NULL((void*)0)) {
2961	BIO_printf(bio_s_out, "Client certificate\n");
2962	PEM_write_bio_X509(bio_s_out, peer);
2963	dump_cert_text(bio_s_out, peer);
2964	peer = NULL((void*)0);
2965	}
2966
2967	if (SSL_get_shared_ciphers(con, buf, sizeof(buf)) != NULL((void*)0))
2968	BIO_printf(bio_s_out, "Shared ciphers:%s\n", buf);
2969	str = SSL_CIPHER_get_name(SSL_get_current_cipher(con));
2970	ssl_print_sigalgs(bio_s_out, con);
2971	#ifndef OPENSSL_NO_EC
2972	ssl_print_point_formats(bio_s_out, con);
2973	ssl_print_groups(bio_s_out, con, 0);
2974	#endif
2975	print_ca_names(bio_s_out, con);
2976	BIO_printf(bio_s_out, "CIPHER is %s\n", (str != NULL((void*)0)) ? str : "(NONE)");
2977
2978	#if !defined(OPENSSL_NO_NEXTPROTONEG)
2979	SSL_get0_next_proto_negotiated(con, &next_proto_neg, &next_proto_neg_len);
2980	if (next_proto_neg) {
2981	BIO_printf(bio_s_out, "NEXTPROTO is ");
2982	BIO_write(bio_s_out, next_proto_neg, next_proto_neg_len);
2983	BIO_printf(bio_s_out, "\n");
2984	}
2985	#endif
2986	#ifndef OPENSSL_NO_SRTP
2987	{
2988	SRTP_PROTECTION_PROFILE *srtp_profile
2989	= SSL_get_selected_srtp_profile(con);
2990
2991	if (srtp_profile)
2992	BIO_printf(bio_s_out, "SRTP Extension negotiated, profile=%s\n",
2993	srtp_profile->name);
2994	}
2995	#endif
2996	if (SSL_session_reused(con))
2997	BIO_printf(bio_s_out, "Reused session-id\n");
2998	BIO_printf(bio_s_out, "Secure Renegotiation IS%s supported\n",
2999	SSL_get_secure_renegotiation_support(con)SSL_ctrl((con), 76, 0, ((void*)0)) ? "" : " NOT");
3000	if ((SSL_get_options(con) & SSL_OP_NO_RENEGOTIATION((uint64_t)1 << (uint64_t)30)))
3001	BIO_printf(bio_s_out, "Renegotiation is DISABLED\n");
3002
3003	if (keymatexportlabel != NULL((void*)0)) {
3004	BIO_printf(bio_s_out, "Keying material exporter:\n");
3005	BIO_printf(bio_s_out, " Label: '%s'\n", keymatexportlabel);
3006	BIO_printf(bio_s_out, " Length: %i bytes\n", keymatexportlen);
3007	exportedkeymat = app_malloc(keymatexportlen, "export key");
3008	if (SSL_export_keying_material(con, exportedkeymat,
3009	keymatexportlen,
3010	keymatexportlabel,
3011	strlen(keymatexportlabel),
3012	NULL((void*)0), 0, 0) <= 0) {
3013	BIO_printf(bio_s_out, " Error\n");
3014	} else {
3015	BIO_printf(bio_s_out, " Keying material: ");
3016	for (i = 0; i < keymatexportlen; i++)
3017	BIO_printf(bio_s_out, "%02X", exportedkeymat[i]);
3018	BIO_printf(bio_s_out, "\n");
3019	}
3020	OPENSSL_free(exportedkeymat)CRYPTO_free(exportedkeymat, "../deps/openssl/openssl/apps/s_server.c" , 3020);
3021	}
3022	#ifndef OPENSSL_NO_KTLS
3023	if (BIO_get_ktls_send(SSL_get_wbio(con))(0))
3024	BIO_printf(bio_err, "Using Kernel TLS for sending\n");
3025	if (BIO_get_ktls_recv(SSL_get_rbio(con))(0))
3026	BIO_printf(bio_err, "Using Kernel TLS for receiving\n");
3027	#endif
3028
3029	(void)BIO_flush(bio_s_out)(int)BIO_ctrl(bio_s_out,11,0,((void*)0));
3030	}
3031
3032	static int www_body(int s, int stype, int prot, unsigned char *context)
3033	{
3034	char buf = NULL((void)0);
3035	int ret = 1;
3036	int i, j, k, dot;
3037	SSL *con;
3038	const SSL_CIPHER *c;
3039	BIO io, ssl_bio, *sbio;
3040	#ifdef RENEG
3041	int total_bytes = 0;
3042	#endif
3043	int width;
3044	#ifndef OPENSSL_NO_KTLS
3045	int use_sendfile_for_req = use_sendfile;
3046	#endif
3047	fd_set readfds;
3048	const char *opmode;
3049	#ifdef CHARSET_EBCDIC
3050	BIO *filter;
3051	#endif
3052
3053	/* Set width for a select call if needed */
3054	width = s + 1;
3055
3056	/* as we use BIO_gets(), and it always null terminates data, we need
3057	* to allocate 1 byte longer buffer to fit the full 2^14 byte record */
3058	buf = app_malloc(bufsize + 1, "server www buffer");
3059	io = BIO_new(BIO_f_buffer());
3060	ssl_bio = BIO_new(BIO_f_ssl());
3061	if ((io == NULL((void)0)) \|\| (ssl_bio == NULL((void)0)))
3062	goto err;
3063
3064	if (s_nbio) {
3065	if (!BIO_socket_nbio(s, 1))
3066	ERR_print_errors(bio_err);
3067	else if (!s_quiet)
3068	BIO_printf(bio_err, "Turned on non blocking io\n");
3069	}
3070
3071	/* lets make the output buffer a reasonable size */
3072	if (!BIO_set_write_buffer_size(io, bufsize)BIO_int_ctrl(io,117,bufsize,1))
3073	goto err;
3074
3075	if ((con = SSL_new(ctx)) == NULL((void*)0))
3076	goto err;
3077
3078	if (s_tlsextdebug) {
3079	SSL_set_tlsext_debug_callback(con, tlsext_cb)SSL_callback_ctrl(con,56, (void (*)(void))tlsext_cb);
3080	SSL_set_tlsext_debug_arg(con, bio_s_out)SSL_ctrl(con,57,0,bio_s_out);
3081	}
3082
3083	if (context != NULL((void*)0)
3084	&& !SSL_set_session_id_context(con, context,
3085	strlen((char *)context))) {
3086	SSL_free(con);
3087	goto err;
3088	}
3089
3090	sbio = BIO_new_socket(s, BIO_NOCLOSE0x00);
3091	if (sbio == NULL((void*)0)) {
3092	SSL_free(con);
3093	goto err;
3094	}
3095
3096	if (s_nbio_test) {
3097	BIO *test;
3098
3099	test = BIO_new(BIO_f_nbio_test());
3100	if (test == NULL((void*)0)) {
3101	SSL_free(con);
3102	BIO_free(sbio);
3103	goto err;
3104	}
3105
3106	sbio = BIO_push(test, sbio);
3107	}
3108	SSL_set_bio(con, sbio, sbio);
3109	SSL_set_accept_state(con);
3110
3111	/* No need to free \|con\| after this. Done by BIO_free(ssl_bio) */
3112	BIO_set_ssl(ssl_bio, con, BIO_CLOSE)BIO_ctrl(ssl_bio,109,0x01,(char *)(con));
3113	BIO_push(io, ssl_bio);
3114	ssl_bio = NULL((void*)0);
3115	#ifdef CHARSET_EBCDIC
3116	filter = BIO_new(BIO_f_ebcdic_filter());
3117	if (filter == NULL((void*)0))
3118	goto err;
3119
3120	io = BIO_push(filter, io);
3121	#endif
3122
3123	if (s_debug) {
3124	BIO_set_callback_ex(SSL_get_rbio(con), bio_dump_callback);
3125	BIO_set_callback_arg(SSL_get_rbio(con), (char *)bio_s_out);
3126	}
3127	if (s_msg) {
3128	#ifndef OPENSSL_NO_SSL_TRACE
3129	if (s_msg == 2)
3130	SSL_set_msg_callback(con, SSL_trace);
3131	else
3132	#endif
3133	SSL_set_msg_callback(con, msg_cb);
3134	SSL_set_msg_callback_arg(con, bio_s_msg ? bio_s_msg : bio_s_out)SSL_ctrl((con), 16, 0, (bio_s_msg ? bio_s_msg : bio_s_out));
3135	}
3136
3137	for (;;) {
3138	i = BIO_gets(io, buf, bufsize + 1);
3139	if (i < 0) { /* error */
3140	if (!BIO_should_retry(io)BIO_test_flags(io, 0x08) && !SSL_waiting_for_async(con)) {
3141	if (!s_quiet)
3142	ERR_print_errors(bio_err);
3143	goto err;
3144	} else {
3145	BIO_printf(bio_s_out, "read R BLOCK\n");
3146	#ifndef OPENSSL_NO_SRP
3147	if (BIO_should_io_special(io)BIO_test_flags(io, 0x04)
3148	&& BIO_get_retry_reason(io) == BIO_RR_SSL_X509_LOOKUP0x01) {
3149	BIO_printf(bio_s_out, "LOOKUP renego during read\n");
3150
3151	lookup_srp_user(&srp_callback_parm, bio_s_out);
3152
3153	continue;
3154	}
3155	#endif
3156	ossl_sleep(1000);
3157	continue;
3158	}
3159	} else if (i == 0) { /* end of input */
3160	ret = 1;
3161	goto end;
3162	}
3163
3164	/* else we have data */
3165	if (((www == 1) && (strncmp("GET ", buf, 4) == 0)) \|\|
3166	((www == 2) && (strncmp("GET /stats ", buf, 11) == 0))) {
3167	char *p;
3168	X509 peer = NULL((void)0);
3169	STACK_OF(SSL_CIPHER)struct stack_st_SSL_CIPHER *sk;
3170	static const char *space = " ";
3171
3172	if (www == 1 && strncmp("GET /reneg", buf, 10) == 0) {
3173	if (strncmp("GET /renegcert", buf, 14) == 0)
3174	SSL_set_verify(con,
3175	SSL_VERIFY_PEER0x01 \| SSL_VERIFY_CLIENT_ONCE0x04,
3176	NULL((void*)0));
3177	i = SSL_renegotiate(con);
3178	BIO_printf(bio_s_out, "SSL_renegotiate -> %d\n", i);
3179	/* Send the HelloRequest */
3180	i = SSL_do_handshake(con);
3181	if (i <= 0) {
3182	BIO_printf(bio_s_out, "SSL_do_handshake() Retval %d\n",
3183	SSL_get_error(con, i));
3184	ERR_print_errors(bio_err);
3185	goto err;
3186	}
3187	/* Wait for a ClientHello to come back */
3188	FD_ZERO(&readfds)do { int __d0, __d1; __asm__ __volatile__ ("cld; rep; " "stosq" : "=c" (__d0), "=D" (__d1) : "a" (0), "0" (sizeof (fd_set) / sizeof (__fd_mask)), "1" (&((&readfds)->__fds_bits )[0]) : "memory"); } while (0);
3189	openssl_fdset(s, &readfds)((void) (((&readfds)->__fds_bits)[((s) / (8 * (int) sizeof (__fd_mask)))] \|= ((__fd_mask) (1UL << ((s) % (8 * (int ) sizeof (__fd_mask)))))));
3190	i = select(width, (void )&readfds, NULL((void)0), NULL((void)0), NULL((void)0));
3191	if (i <= 0 \|\| !FD_ISSET(s, &readfds)((((&readfds)->__fds_bits)[((s) / (8 * (int) sizeof (__fd_mask )))] & ((__fd_mask) (1UL << ((s) % (8 * (int) sizeof (__fd_mask)))))) != 0)) {
3192	BIO_printf(bio_s_out,
3193	"Error waiting for client response\n");
3194	ERR_print_errors(bio_err);
3195	goto err;
3196	}
3197	/*
3198	* We're not actually expecting any data here and we ignore
3199	* any that is sent. This is just to force the handshake that
3200	* we're expecting to come from the client. If they haven't
3201	* sent one there's not much we can do.
3202	*/
3203	BIO_gets(io, buf, bufsize + 1);
3204	}
3205
3206	BIO_puts(io,
3207	"HTTP/1.0 200 ok\r\nContent-type: text/html\r\n\r\n");
3208	BIO_puts(io, "<HTML><BODY BGCOLOR=\"#ffffff\">\n");
3209	BIO_puts(io, "<pre>\n");
3210	/* BIO_puts(io, OpenSSL_version(OPENSSL_VERSION)); */
3211	BIO_puts(io, "\n");
3212	for (i = 0; i < local_argc; i++) {
3213	const char *myp;
3214	for (myp = local_argv[i]; *myp; myp++)
3215	switch (*myp) {
3216	case '<':
3217	BIO_puts(io, "<");
3218	break;
3219	case '>':
3220	BIO_puts(io, ">");
3221	break;
3222	case '&':
3223	BIO_puts(io, "&");
3224	break;
3225	default:
3226	BIO_write(io, myp, 1);
3227	break;
3228	}
3229	BIO_write(io, " ", 1);
3230	}
3231	BIO_puts(io, "\n");
3232
3233	BIO_printf(io,
3234	"Secure Renegotiation IS%s supported\n",
3235	SSL_get_secure_renegotiation_support(con)SSL_ctrl((con), 76, 0, ((void*)0)) ?
3236	"" : " NOT");
3237
3238	/*
3239	* The following is evil and should not really be done
3240	*/
3241	BIO_printf(io, "Ciphers supported in s_server binary\n");
3242	sk = SSL_get_ciphers(con);
3243	j = sk_SSL_CIPHER_num(sk)OPENSSL_sk_num(ossl_check_const_SSL_CIPHER_sk_type(sk));
3244	for (i = 0; i < j; i++) {
3245	c = sk_SSL_CIPHER_value(sk, i)((const SSL_CIPHER *)OPENSSL_sk_value(ossl_check_const_SSL_CIPHER_sk_type (sk), (i)));
3246	BIO_printf(io, "%-11s:%-25s ",
3247	SSL_CIPHER_get_version(c), SSL_CIPHER_get_name(c));
3248	if ((((i + 1) % 2) == 0) && (i + 1 != j))
3249	BIO_puts(io, "\n");
3250	}
3251	BIO_puts(io, "\n");
3252	p = SSL_get_shared_ciphers(con, buf, bufsize);
3253	if (p != NULL((void*)0)) {
3254	BIO_printf(io,
3255	"---\nCiphers common between both SSL end points:\n");
3256	j = i = 0;
3257	while (*p) {
3258	if (*p == ':') {
3259	BIO_write(io, space, 26 - j);
3260	i++;
3261	j = 0;
3262	BIO_write(io, ((i % 3) ? " " : "\n"), 1);
3263	} else {
3264	BIO_write(io, p, 1);
3265	j++;
3266	}
3267	p++;
3268	}
3269	BIO_puts(io, "\n");
3270	}
3271	ssl_print_sigalgs(io, con);
3272	#ifndef OPENSSL_NO_EC
3273	ssl_print_groups(io, con, 0);
3274	#endif
3275	print_ca_names(io, con);
3276	BIO_printf(io, (SSL_session_reused(con)
3277	? "---\nReused, " : "---\nNew, "));
3278	c = SSL_get_current_cipher(con);
3279	BIO_printf(io, "%s, Cipher is %s\n",
3280	SSL_CIPHER_get_version(c), SSL_CIPHER_get_name(c));
3281	SSL_SESSION_print(io, SSL_get_session(con));
3282	BIO_printf(io, "---\n");
3283	print_stats(io, SSL_get_SSL_CTX(con));
3284	BIO_printf(io, "---\n");
3285	peer = SSL_get0_peer_certificate(con);
3286	if (peer != NULL((void*)0)) {
3287	BIO_printf(io, "Client certificate\n");
3288	X509_print(io, peer);
3289	PEM_write_bio_X509(io, peer);
3290	peer = NULL((void*)0);
3291	} else {
3292	BIO_puts(io, "no client certificate available\n");
3293	}
3294	BIO_puts(io, "</pre></BODY></HTML>\r\n\r\n");
3295	break;
3296	} else if ((www == 2 \|\| www == 3)
3297	&& (strncmp("GET /", buf, 5) == 0)) {
3298	BIO *file;
3299	char p, e;
3300	static const char *text =
3301	"HTTP/1.0 200 ok\r\nContent-type: text/plain\r\n\r\n";
3302
3303	/* skip the '/' */
3304	p = &(buf[5]);
3305
3306	dot = 1;
3307	for (e = p; *e != '\0'; e++) {
3308	if (e[0] == ' ')
3309	break;
3310
3311	if (e[0] == ':') {
3312	/* Windows drive. We treat this the same way as ".." */
3313	dot = -1;
3314	break;
3315	}
3316
3317	switch (dot) {
3318	case 1:
3319	dot = (e[0] == '.') ? 2 : 0;
3320	break;
3321	case 2:
3322	dot = (e[0] == '.') ? 3 : 0;
3323	break;
3324	case 3:
3325	dot = (e[0] == '/' \|\| e[0] == '\\') ? -1 : 0;
3326	break;
3327	}
3328	if (dot == 0)
3329	dot = (e[0] == '/' \|\| e[0] == '\\') ? 1 : 0;
3330	}
3331	dot = (dot == 3) \|\| (dot == -1); /* filename contains ".."
3332	* component */
3333
3334	if (*e == '\0') {
3335	BIO_puts(io, text);
3336	BIO_printf(io, "'%s' is an invalid file name\r\n", p);
3337	break;
3338	}
3339	*e = '\0';
3340
3341	if (dot) {
3342	BIO_puts(io, text);
3343	BIO_printf(io, "'%s' contains '..' or ':'\r\n", p);
3344	break;
3345	}
3346
3347	if (p == '/' \|\| p == '\\') {
3348	BIO_puts(io, text);
3349	BIO_printf(io, "'%s' is an invalid path\r\n", p);
3350	break;
3351	}
3352
3353	/* if a directory, do the index thang */
3354	if (app_isdir(p) > 0) {
3355	BIO_puts(io, text);
3356	BIO_printf(io, "'%s' is a directory\r\n", p);
3357	break;
3358	}
3359
3360	opmode = (http_server_binmode == 1) ? "rb" : "r";
3361	if ((file = BIO_new_file(p, opmode)) == NULL((void*)0)) {
3362	BIO_puts(io, text);
3363	BIO_printf(io, "Error opening '%s' mode='%s'\r\n", p, opmode);
3364	ERR_print_errors(io);
3365	break;
3366	}
3367
3368	if (!s_quiet)
3369	BIO_printf(bio_err, "FILE:%s\n", p);
3370
3371	if (www == 2) {
3372	i = strlen(p);
3373	if (((i > 5) && (strcmp(&(p[i - 5]), ".html") == 0)) \|\|
3374	((i > 4) && (strcmp(&(p[i - 4]), ".php") == 0)) \|\|
3375	((i > 4) && (strcmp(&(p[i - 4]), ".htm") == 0)))
3376	BIO_puts(io,
3377	"HTTP/1.0 200 ok\r\nContent-type: text/html\r\n\r\n");
3378	else
3379	BIO_puts(io,
3380	"HTTP/1.0 200 ok\r\nContent-type: text/plain\r\n\r\n");
3381	}
3382	/* send the file */
3383	#ifndef OPENSSL_NO_KTLS
3384	if (use_sendfile_for_req && !BIO_get_ktls_send(SSL_get_wbio(con))(0)) {
3385	BIO_printf(bio_err, "Warning: sendfile requested but KTLS is not available\n");
3386	use_sendfile_for_req = 0;
3387	}
3388	if (use_sendfile_for_req) {
3389	FILE fp = NULL((void)0);
3390	int fd;
3391	struct stat st;
3392	off_t offset = 0;
3393	size_t filesize;
3394
3395	BIO_get_fp(file, &fp)BIO_ctrl(file,107,0,(char *)(&fp));
3396	fd = fileno(fp);
3397	if (fstat(fd, &st) < 0) {
3398	BIO_printf(io, "Error fstat '%s'\r\n", p);
3399	ERR_print_errors(io);
3400	goto write_error;
3401	}
3402
3403	filesize = st.st_size;
3404	if (((int)BIO_flush(io)(int)BIO_ctrl(io,11,0,((void*)0))) < 0)
3405	goto write_error;
3406
3407	for (;;) {
3408	i = SSL_sendfile(con, fd, offset, filesize, 0);
3409	if (i < 0) {
3410	BIO_printf(io, "Error SSL_sendfile '%s'\r\n", p);
3411	ERR_print_errors(io);
3412	break;
3413	} else {
3414	offset += i;
3415	filesize -= i;
3416	}
3417
3418	if (filesize <= 0) {
3419	if (!s_quiet)
3420	BIO_printf(bio_err, "KTLS SENDFILE '%s' OK\n", p);
3421
3422	break;
3423	}
3424	}
3425	} else
3426	#endif
3427	{
3428	for (;;) {
3429	i = BIO_read(file, buf, bufsize);
3430	if (i <= 0)
3431	break;
3432
3433	#ifdef RENEG
3434	total_bytes += i;
3435	BIO_printf(bio_err, "%d\n", i);
3436	if (total_bytes > 3 * 1024) {
3437	total_bytes = 0;
3438	BIO_printf(bio_err, "RENEGOTIATE\n");
3439	SSL_renegotiate(con);
3440	}
3441	#endif
3442
3443	for (j = 0; j < i;) {
3444	#ifdef RENEG
3445	static count = 0;
3446	if (++count == 13)
3447	SSL_renegotiate(con);
3448	#endif
3449	k = BIO_write(io, &(buf[j]), i - j);
3450	if (k <= 0) {
3451	if (!BIO_should_retry(io)BIO_test_flags(io, 0x08)
3452	&& !SSL_waiting_for_async(con)) {
3453	goto write_error;
3454	} else {
3455	BIO_printf(bio_s_out, "rwrite W BLOCK\n");
3456	}
3457	} else {
3458	j += k;
3459	}
3460	}
3461	}
3462	}
3463	write_error:
3464	BIO_free(file);
3465	break;
3466	}
3467	}
3468
3469	for (;;) {
3470	i = (int)BIO_flush(io)(int)BIO_ctrl(io,11,0,((void*)0));
3471	if (i <= 0) {
3472	if (!BIO_should_retry(io)BIO_test_flags(io, 0x08))
3473	break;
3474	} else
3475	break;
3476	}
3477	end:
3478	/* make sure we re-use sessions */
3479	do_ssl_shutdown(con);
3480
3481	err:
3482	OPENSSL_free(buf)CRYPTO_free(buf, "../deps/openssl/openssl/apps/s_server.c", 3482 );
3483	BIO_free(ssl_bio);
3484	BIO_free_all(io);
3485	return ret;
3486	}
3487
3488	static int rev_body(int s, int stype, int prot, unsigned char *context)
3489	{
3490	char buf = NULL((void)0);
3491	int i;
3492	int ret = 1;
3493	SSL *con;
3494	BIO io, ssl_bio, *sbio;
3495	#ifdef CHARSET_EBCDIC
3496	BIO *filter;
3497	#endif
3498
3499	/* as we use BIO_gets(), and it always null terminates data, we need
3500	* to allocate 1 byte longer buffer to fit the full 2^14 byte record */
3501	buf = app_malloc(bufsize + 1, "server rev buffer");
3502	io = BIO_new(BIO_f_buffer());
3503	ssl_bio = BIO_new(BIO_f_ssl());
3504	if ((io == NULL((void)0)) \|\| (ssl_bio == NULL((void)0)))
3505	goto err;
3506
3507	/* lets make the output buffer a reasonable size */
3508	if (!BIO_set_write_buffer_size(io, bufsize)BIO_int_ctrl(io,117,bufsize,1))
3509	goto err;
3510
3511	if ((con = SSL_new(ctx)) == NULL((void*)0))
3512	goto err;
3513
3514	if (s_tlsextdebug) {
3515	SSL_set_tlsext_debug_callback(con, tlsext_cb)SSL_callback_ctrl(con,56, (void (*)(void))tlsext_cb);
3516	SSL_set_tlsext_debug_arg(con, bio_s_out)SSL_ctrl(con,57,0,bio_s_out);
3517	}
3518	if (context != NULL((void*)0)
3519	&& !SSL_set_session_id_context(con, context,
3520	strlen((char *)context))) {
3521	SSL_free(con);
3522	ERR_print_errors(bio_err);
3523	goto err;
3524	}
3525
3526	sbio = BIO_new_socket(s, BIO_NOCLOSE0x00);
3527	if (sbio == NULL((void*)0)) {
3528	SSL_free(con);
3529	ERR_print_errors(bio_err);
3530	goto err;
3531	}
3532
3533	SSL_set_bio(con, sbio, sbio);
3534	SSL_set_accept_state(con);
3535
3536	/* No need to free \|con\| after this. Done by BIO_free(ssl_bio) */
3537	BIO_set_ssl(ssl_bio, con, BIO_CLOSE)BIO_ctrl(ssl_bio,109,0x01,(char *)(con));
3538	BIO_push(io, ssl_bio);
3539	ssl_bio = NULL((void*)0);
3540	#ifdef CHARSET_EBCDIC
3541	filter = BIO_new(BIO_f_ebcdic_filter());
3542	if (filter == NULL((void*)0))
3543	goto err;
3544
3545	io = BIO_push(filter, io);
3546	#endif
3547
3548	if (s_debug) {
3549	BIO_set_callback_ex(SSL_get_rbio(con), bio_dump_callback);
3550	BIO_set_callback_arg(SSL_get_rbio(con), (char *)bio_s_out);
3551	}
3552	if (s_msg) {
3553	#ifndef OPENSSL_NO_SSL_TRACE
3554	if (s_msg == 2)
3555	SSL_set_msg_callback(con, SSL_trace);
3556	else
3557	#endif
3558	SSL_set_msg_callback(con, msg_cb);
3559	SSL_set_msg_callback_arg(con, bio_s_msg ? bio_s_msg : bio_s_out)SSL_ctrl((con), 16, 0, (bio_s_msg ? bio_s_msg : bio_s_out));
3560	}
3561
3562	for (;;) {
3563	i = BIO_do_handshake(io)BIO_ctrl(io,101,0,((void*)0));
3564	if (i > 0)
3565	break;
3566	if (!BIO_should_retry(io)BIO_test_flags(io, 0x08)) {
3567	BIO_puts(bio_err, "CONNECTION FAILURE\n");
3568	ERR_print_errors(bio_err);
3569	goto end;
3570	}
3571	#ifndef OPENSSL_NO_SRP
3572	if (BIO_should_io_special(io)BIO_test_flags(io, 0x04)
3573	&& BIO_get_retry_reason(io) == BIO_RR_SSL_X509_LOOKUP0x01) {
3574	BIO_printf(bio_s_out, "LOOKUP renego during accept\n");
3575
3576	lookup_srp_user(&srp_callback_parm, bio_s_out);
3577
3578	continue;
3579	}
3580	#endif
3581	}
3582	BIO_printf(bio_err, "CONNECTION ESTABLISHED\n");
3583	print_ssl_summary(con);
3584
3585	for (;;) {
3586	i = BIO_gets(io, buf, bufsize + 1);
3587	if (i < 0) { /* error */
3588	if (!BIO_should_retry(io)BIO_test_flags(io, 0x08)) {
3589	if (!s_quiet)
3590	ERR_print_errors(bio_err);
3591	goto err;
3592	} else {
3593	BIO_printf(bio_s_out, "read R BLOCK\n");
3594	#ifndef OPENSSL_NO_SRP
3595	if (BIO_should_io_special(io)BIO_test_flags(io, 0x04)
3596	&& BIO_get_retry_reason(io) == BIO_RR_SSL_X509_LOOKUP0x01) {
3597	BIO_printf(bio_s_out, "LOOKUP renego during read\n");
3598
3599	lookup_srp_user(&srp_callback_parm, bio_s_out);
3600
3601	continue;
3602	}
3603	#endif
3604	ossl_sleep(1000);
3605	continue;
3606	}
3607	} else if (i == 0) { /* end of input */
3608	ret = 1;
3609	BIO_printf(bio_err, "CONNECTION CLOSED\n");
3610	goto end;
3611	} else {
3612	char *p = buf + i - 1;
3613	while (i && (p == '\n' \|\| p == '\r')) {
3614	p--;
3615	i--;
3616	}
3617	if (!s_ign_eof && (i == 5) && (strncmp(buf, "CLOSE", 5) == 0)) {
3618	ret = 1;
3619	BIO_printf(bio_err, "CONNECTION CLOSED\n");
3620	goto end;
3621	}
3622	BUF_reverse((unsigned char )buf, NULL((void)0), i);
3623	buf[i] = '\n';
3624	BIO_write(io, buf, i + 1);
3625	for (;;) {
3626	i = BIO_flush(io)(int)BIO_ctrl(io,11,0,((void*)0));
3627	if (i > 0)
3628	break;
3629	if (!BIO_should_retry(io)BIO_test_flags(io, 0x08))
3630	goto end;
3631	}
3632	}
3633	}
3634	end:
3635	/* make sure we re-use sessions */
3636	do_ssl_shutdown(con);
3637
3638	err:
3639
3640	OPENSSL_free(buf)CRYPTO_free(buf, "../deps/openssl/openssl/apps/s_server.c", 3640 );
3641	BIO_free(ssl_bio);
3642	BIO_free_all(io);
3643	return ret;
3644	}
3645
3646	#define MAX_SESSION_ID_ATTEMPTS10 10
3647	static int generate_session_id(SSL ssl, unsigned char id,
3648	unsigned int *id_len)
3649	{
3650	unsigned int count = 0;
3651	unsigned int session_id_prefix_len = strlen(session_id_prefix);
3652
3653	do {
3654	if (RAND_bytes(id, *id_len) <= 0)
3655	return 0;
3656	/*
3657	* Prefix the session_id with the required prefix. NB: If our prefix
3658	* is too long, clip it - but there will be worse effects anyway, eg.
3659	* the server could only possibly create 1 session ID (ie. the
3660	* prefix!) so all future session negotiations will fail due to
3661	* conflicts.
3662	*/
3663	memcpy(id, session_id_prefix,
3664	(session_id_prefix_len < *id_len) ?
3665	session_id_prefix_len : *id_len);
3666	}
3667	while (SSL_has_matching_session_id(ssl, id, *id_len) &&
3668	(++count < MAX_SESSION_ID_ATTEMPTS10));
3669	if (count >= MAX_SESSION_ID_ATTEMPTS10)
3670	return 0;
3671	return 1;
3672	}
3673
3674	/*
3675	* By default s_server uses an in-memory cache which caches SSL_SESSION
3676	* structures without any serialization. This hides some bugs which only
3677	* become apparent in deployed servers. By implementing a basic external
3678	* session cache some issues can be debugged using s_server.
3679	*/
3680
3681	typedef struct simple_ssl_session_st {
3682	unsigned char *id;
3683	unsigned int idlen;
3684	unsigned char *der;
3685	int derlen;
3686	struct simple_ssl_session_st *next;
3687	} simple_ssl_session;
3688
3689	static simple_ssl_session first = NULL((void)0);
3690
3691	static int add_session(SSL ssl, SSL_SESSION session)
3692	{
3693	simple_ssl_session sess = app_malloc(sizeof(sess), "get session");
3694	unsigned char *p;
3695
3696	SSL_SESSION_get_id(session, &sess->idlen);
3697	sess->derlen = i2d_SSL_SESSION(session, NULL((void*)0));
3698	if (sess->derlen < 0) {
3699	BIO_printf(bio_err, "Error encoding session\n");
3700	OPENSSL_free(sess)CRYPTO_free(sess, "../deps/openssl/openssl/apps/s_server.c", 3700 );
3701	return 0;
3702	}
3703
3704	sess->id = OPENSSL_memdup(SSL_SESSION_get_id(session, NULL), sess->idlen)CRYPTO_memdup((SSL_SESSION_get_id(session, ((void*)0))), sess ->idlen, "../deps/openssl/openssl/apps/s_server.c", 3704);
3705	sess->der = app_malloc(sess->derlen, "get session buffer");
3706	if (!sess->id) {
3707	BIO_printf(bio_err, "Out of memory adding to external cache\n");
3708	OPENSSL_free(sess->id)CRYPTO_free(sess->id, "../deps/openssl/openssl/apps/s_server.c" , 3708);
3709	OPENSSL_free(sess->der)CRYPTO_free(sess->der, "../deps/openssl/openssl/apps/s_server.c" , 3709);
3710	OPENSSL_free(sess)CRYPTO_free(sess, "../deps/openssl/openssl/apps/s_server.c", 3710 );
3711	return 0;
3712	}
3713	p = sess->der;
3714
3715	/* Assume it still works. */
3716	if (i2d_SSL_SESSION(session, &p) != sess->derlen) {
3717	BIO_printf(bio_err, "Unexpected session encoding length\n");
3718	OPENSSL_free(sess->id)CRYPTO_free(sess->id, "../deps/openssl/openssl/apps/s_server.c" , 3718);
3719	OPENSSL_free(sess->der)CRYPTO_free(sess->der, "../deps/openssl/openssl/apps/s_server.c" , 3719);
3720	OPENSSL_free(sess)CRYPTO_free(sess, "../deps/openssl/openssl/apps/s_server.c", 3720 );
3721	return 0;
3722	}
3723
3724	sess->next = first;
3725	first = sess;
3726	BIO_printf(bio_err, "New session added to external cache\n");
3727	return 0;
3728	}
3729
3730	static SSL_SESSION get_session(SSL ssl, const unsigned char *id, int idlen,
3731	int *do_copy)
3732	{
3733	simple_ssl_session *sess;
3734	*do_copy = 0;
3735	for (sess = first; sess; sess = sess->next) {
3736	if (idlen == (int)sess->idlen && !memcmp(sess->id, id, idlen)) {
3737	const unsigned char *p = sess->der;
3738	BIO_printf(bio_err, "Lookup session: cache hit\n");
3739	return d2i_SSL_SESSION(NULL((void*)0), &p, sess->derlen);
3740	}
3741	}
3742	BIO_printf(bio_err, "Lookup session: cache miss\n");
3743	return NULL((void*)0);
3744	}
3745
3746	static void del_session(SSL_CTX sctx, SSL_SESSION session)
3747	{
3748	simple_ssl_session sess, prev = NULL((void*)0);
3749	const unsigned char *id;
3750	unsigned int idlen;
3751	id = SSL_SESSION_get_id(session, &idlen);
3752	for (sess = first; sess; sess = sess->next) {
3753	if (idlen == sess->idlen && !memcmp(sess->id, id, idlen)) {
3754	if (prev)
3755	prev->next = sess->next;
3756	else
3757	first = sess->next;
3758	OPENSSL_free(sess->id)CRYPTO_free(sess->id, "../deps/openssl/openssl/apps/s_server.c" , 3758);
3759	OPENSSL_free(sess->der)CRYPTO_free(sess->der, "../deps/openssl/openssl/apps/s_server.c" , 3759);
3760	OPENSSL_free(sess)CRYPTO_free(sess, "../deps/openssl/openssl/apps/s_server.c", 3760 );
3761	return;
3762	}
3763	prev = sess;
3764	}
3765	}
3766
3767	static void init_session_cache_ctx(SSL_CTX *sctx)
3768	{
3769	SSL_CTX_set_session_cache_mode(sctx,SSL_CTX_ctrl(sctx,44,(0x0100\|0x0200) \| 0x0002,((void*)0))
3770	SSL_SESS_CACHE_NO_INTERNAL \|SSL_CTX_ctrl(sctx,44,(0x0100\|0x0200) \| 0x0002,((void*)0))
3771	SSL_SESS_CACHE_SERVER)SSL_CTX_ctrl(sctx,44,(0x0100\|0x0200) \| 0x0002,((void*)0));
3772	SSL_CTX_sess_set_new_cb(sctx, add_session);
3773	SSL_CTX_sess_set_get_cb(sctx, get_session);
3774	SSL_CTX_sess_set_remove_cb(sctx, del_session);
3775	}
3776
3777	static void free_sessions(void)
3778	{
3779	simple_ssl_session sess, tsess;
3780	for (sess = first; sess;) {
3781	OPENSSL_free(sess->id)CRYPTO_free(sess->id, "../deps/openssl/openssl/apps/s_server.c" , 3781);
3782	OPENSSL_free(sess->der)CRYPTO_free(sess->der, "../deps/openssl/openssl/apps/s_server.c" , 3782);
3783	tsess = sess;
3784	sess = sess->next;
3785	OPENSSL_free(tsess)CRYPTO_free(tsess, "../deps/openssl/openssl/apps/s_server.c", 3785);
3786	}
3787	first = NULL((void*)0);
3788	}
3789
3790	#endif /* OPENSSL_NO_SOCK */