Bug Summary

File:out/../deps/openssl/openssl/apps/s_server.c
Warning:line 2664, column 17
Although the value stored to 'k' is used in the enclosing expression, the value is never actually read from 'k'

Annotated Source Code

Press '?' to see keyboard shortcuts

clang -cc1 -cc1 -triple x86_64-unknown-linux-gnu -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name s_server.c -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 2 -pic-is-pie -mframe-pointer=all -fmath-errno -ffp-contract=on -fno-rounding-math -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/home/maurizio/node-v18.6.0/out -resource-dir /usr/local/lib/clang/16.0.0 -D V8_DEPRECATION_WARNINGS -D V8_IMMINENT_DEPRECATION_WARNINGS -D _GLIBCXX_USE_CXX11_ABI=1 -D NODE_OPENSSL_CONF_NAME=nodejs_conf -D NODE_OPENSSL_HAS_QUIC -D __STDC_FORMAT_MACROS -D OPENSSL_NO_PINSHARED -D OPENSSL_THREADS -D OPENSSL_API_COMPAT=0x10100001L -D NDEBUG -D OPENSSL_USE_NODELETE -D L_ENDIAN -D OPENSSL_BUILDING_OPENSSL -D AES_ASM -D BSAES_ASM -D CMLL_ASM -D ECP_NISTZ256_ASM -D GHASH_ASM -D KECCAK1600_ASM -D MD5_ASM -D OPENSSL_BN_ASM_GF2m -D OPENSSL_BN_ASM_MONT -D OPENSSL_BN_ASM_MONT5 -D OPENSSL_CPUID_OBJ -D OPENSSL_IA32_SSE2 -D PADLOCK_ASM -D POLY1305_ASM -D SHA1_ASM -D SHA256_ASM -D SHA512_ASM -D VPAES_ASM -D WHIRLPOOL_ASM -D X25519_ASM -D OPENSSL_PIC -D OPENSSLDIR="/etc/ssl" -D ENGINESDIR="/dev/null" -D TERMIOS -I ../deps/openssl/openssl/apps/include -I ../deps/openssl/openssl -I ../deps/openssl/openssl/include -I ../deps/openssl/openssl/crypto -I ../deps/openssl/openssl/crypto/include -I ../deps/openssl/openssl/crypto/modes -I ../deps/openssl/openssl/crypto/ec/curve448 -I ../deps/openssl/openssl/crypto/ec/curve448/arch_32 -I ../deps/openssl/openssl/providers/common/include -I ../deps/openssl/openssl/providers/implementations/include -I ../deps/openssl/config -I ../deps/openssl/config/archs/linux-x86_64/asm/include -I ../deps/openssl/openssl/include -I ../deps/openssl/openssl/crypto/include -I ../deps/openssl/config/archs/linux-x86_64/asm -internal-isystem /usr/local/lib/clang/16.0.0/include -internal-isystem /usr/local/include -internal-isystem /usr/lib/gcc/x86_64-redhat-linux/8/../../../../x86_64-redhat-linux/include -internal-externc-isystem /include -internal-externc-isystem /usr/include -O3 -Wno-unused-parameter -Wno-missing-field-initializers -Wno-old-style-declaration -fdebug-compilation-dir=/home/maurizio/node-v18.6.0/out -ferror-limit 19 -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /tmp/scan-build-2022-08-22-142216-507842-1 -x c ../deps/openssl/openssl/apps/s_server.c
1/*
2 * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
4 * Copyright 2005 Nokia. All rights reserved.
5 *
6 * Licensed under the Apache License 2.0 (the "License"). You may not use
7 * this file except in compliance with the License. You can obtain a copy
8 * in the file LICENSE in the source distribution or at
9 * https://www.openssl.org/source/license.html
10 */
11
12#include <ctype.h>
13#include <stdio.h>
14#include <stdlib.h>
15#include <string.h>
16#if defined(_WIN32)
17/* Included before async.h to avoid some warnings */
18# include <windows.h>
19#endif
20
21#include <openssl/e_os2.h>
22#include <openssl/async.h>
23#include <openssl/ssl.h>
24#include <openssl/decoder.h>
25
26#ifndef OPENSSL_NO_SOCK
27
28/*
29 * With IPv6, it looks like Digital has mixed up the proper order of
30 * recursive header file inclusion, resulting in the compiler complaining
31 * that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which is
32 * needed to have fileno() declared correctly... So let's define u_int
33 */
34#if defined(OPENSSL_SYS_VMS_DECC) && !defined(__U_INT)
35# define __U_INT
36typedef unsigned int u_int;
37#endif
38
39#include <openssl/bn.h>
40#include "apps.h"
41#include "progs.h"
42#include <openssl/err.h>
43#include <openssl/pem.h>
44#include <openssl/x509.h>
45#include <openssl/ssl.h>
46#include <openssl/rand.h>
47#include <openssl/ocsp.h>
48#ifndef OPENSSL_NO_DH
49# include <openssl/dh.h>
50#endif
51#include <openssl/rsa.h>
52#include "s_apps.h"
53#include "timeouts.h"
54#ifdef CHARSET_EBCDIC
55#include <openssl/ebcdic.h>
56#endif
57#include "internal/sockets.h"
58
59static int not_resumable_sess_cb(SSL *s, int is_forward_secure);
60static int sv_body(int s, int stype, int prot, unsigned char *context);
61static int www_body(int s, int stype, int prot, unsigned char *context);
62static int rev_body(int s, int stype, int prot, unsigned char *context);
63static void close_accept_socket(void);
64static int init_ssl_connection(SSL *s);
65static void print_stats(BIO *bp, SSL_CTX *ctx);
66static int generate_session_id(SSL *ssl, unsigned char *id,
67 unsigned int *id_len);
68static void init_session_cache_ctx(SSL_CTX *sctx);
69static void free_sessions(void);
70static void print_connection_info(SSL *con);
71
72static const int bufsize = 16 * 1024;
73static int accept_socket = -1;
74
75#define TEST_CERT"server.pem" "server.pem"
76#define TEST_CERT2"server2.pem" "server2.pem"
77
78static int s_nbio = 0;
79static int s_nbio_test = 0;
80static int s_crlf = 0;
81static SSL_CTX *ctx = NULL((void*)0);
82static SSL_CTX *ctx2 = NULL((void*)0);
83static int www = 0;
84
85static BIO *bio_s_out = NULL((void*)0);
86static BIO *bio_s_msg = NULL((void*)0);
87static int s_debug = 0;
88static int s_tlsextdebug = 0;
89static int s_msg = 0;
90static int s_quiet = 0;
91static int s_ign_eof = 0;
92static int s_brief = 0;
93
94static char *keymatexportlabel = NULL((void*)0);
95static int keymatexportlen = 20;
96
97static int async = 0;
98
99static int use_sendfile = 0;
100
101static const char *session_id_prefix = NULL((void*)0);
102
103#ifndef OPENSSL_NO_DTLS
104static int enable_timeouts = 0;
105static long socket_mtu;
106#endif
107
108/*
109 * We define this but make it always be 0 in no-dtls builds to simplify the
110 * code.
111 */
112static int dtlslisten = 0;
113static int stateless = 0;
114
115static int early_data = 0;
116static SSL_SESSION *psksess = NULL((void*)0);
117
118static char *psk_identity = "Client_identity";
119char *psk_key = NULL((void*)0); /* by default PSK is not used */
120
121static char http_server_binmode = 0; /* for now: 0/1 = default/binary */
122
123#ifndef OPENSSL_NO_PSK
124static unsigned int psk_server_cb(SSL *ssl, const char *identity,
125 unsigned char *psk,
126 unsigned int max_psk_len)
127{
128 long key_len = 0;
129 unsigned char *key;
130
131 if (s_debug)
132 BIO_printf(bio_s_out, "psk_server_cb\n");
133
134 if (!SSL_is_dtls(ssl) && SSL_version(ssl) >= TLS1_3_VERSION0x0304) {
135 /*
136 * This callback is designed for use in (D)TLSv1.2 (or below). It is
137 * possible to use a single callback for all protocol versions - but it
138 * is preferred to use a dedicated callback for TLSv1.3. For TLSv1.3 we
139 * have psk_find_session_cb.
140 */
141 return 0;
142 }
143
144 if (identity == NULL((void*)0)) {
145 BIO_printf(bio_err, "Error: client did not send PSK identity\n");
146 goto out_err;
147 }
148 if (s_debug)
149 BIO_printf(bio_s_out, "identity_len=%d identity=%s\n",
150 (int)strlen(identity), identity);
151
152 /* here we could lookup the given identity e.g. from a database */
153 if (strcmp(identity, psk_identity) != 0) {
154 BIO_printf(bio_s_out, "PSK warning: client identity not what we expected"
155 " (got '%s' expected '%s')\n", identity, psk_identity);
156 } else {
157 if (s_debug)
158 BIO_printf(bio_s_out, "PSK client identity found\n");
159 }
160
161 /* convert the PSK key to binary */
162 key = OPENSSL_hexstr2buf(psk_key, &key_len);
163 if (key == NULL((void*)0)) {
164 BIO_printf(bio_err, "Could not convert PSK key '%s' to buffer\n",
165 psk_key);
166 return 0;
167 }
168 if (key_len > (int)max_psk_len) {
169 BIO_printf(bio_err,
170 "psk buffer of callback is too small (%d) for key (%ld)\n",
171 max_psk_len, key_len);
172 OPENSSL_free(key)CRYPTO_free(key, "../deps/openssl/openssl/apps/s_server.c", 172
)
;
173 return 0;
174 }
175
176 memcpy(psk, key, key_len);
177 OPENSSL_free(key)CRYPTO_free(key, "../deps/openssl/openssl/apps/s_server.c", 177
)
;
178
179 if (s_debug)
180 BIO_printf(bio_s_out, "fetched PSK len=%ld\n", key_len);
181 return key_len;
182 out_err:
183 if (s_debug)
184 BIO_printf(bio_err, "Error in PSK server callback\n");
185 (void)BIO_flush(bio_err)(int)BIO_ctrl(bio_err,11,0,((void*)0));
186 (void)BIO_flush(bio_s_out)(int)BIO_ctrl(bio_s_out,11,0,((void*)0));
187 return 0;
188}
189#endif
190
191static int psk_find_session_cb(SSL *ssl, const unsigned char *identity,
192 size_t identity_len, SSL_SESSION **sess)
193{
194 SSL_SESSION *tmpsess = NULL((void*)0);
195 unsigned char *key;
196 long key_len;
197 const SSL_CIPHER *cipher = NULL((void*)0);
198
199 if (strlen(psk_identity) != identity_len
200 || memcmp(psk_identity, identity, identity_len) != 0) {
201 *sess = NULL((void*)0);
202 return 1;
203 }
204
205 if (psksess != NULL((void*)0)) {
206 SSL_SESSION_up_ref(psksess);
207 *sess = psksess;
208 return 1;
209 }
210
211 key = OPENSSL_hexstr2buf(psk_key, &key_len);
212 if (key == NULL((void*)0)) {
213 BIO_printf(bio_err, "Could not convert PSK key '%s' to buffer\n",
214 psk_key);
215 return 0;
216 }
217
218 /* We default to SHA256 */
219 cipher = SSL_CIPHER_find(ssl, tls13_aes128gcmsha256_id);
220 if (cipher == NULL((void*)0)) {
221 BIO_printf(bio_err, "Error finding suitable ciphersuite\n");
222 OPENSSL_free(key)CRYPTO_free(key, "../deps/openssl/openssl/apps/s_server.c", 222
)
;
223 return 0;
224 }
225
226 tmpsess = SSL_SESSION_new();
227 if (tmpsess == NULL((void*)0)
228 || !SSL_SESSION_set1_master_key(tmpsess, key, key_len)
229 || !SSL_SESSION_set_cipher(tmpsess, cipher)
230 || !SSL_SESSION_set_protocol_version(tmpsess, SSL_version(ssl))) {
231 OPENSSL_free(key)CRYPTO_free(key, "../deps/openssl/openssl/apps/s_server.c", 231
)
;
232 return 0;
233 }
234 OPENSSL_free(key)CRYPTO_free(key, "../deps/openssl/openssl/apps/s_server.c", 234
)
;
235 *sess = tmpsess;
236
237 return 1;
238}
239
240#ifndef OPENSSL_NO_SRP
241static srpsrvparm srp_callback_parm;
242#endif
243
244static int local_argc = 0;
245static char **local_argv;
246
247#ifdef CHARSET_EBCDIC
248static int ebcdic_new(BIO *bi);
249static int ebcdic_free(BIO *a);
250static int ebcdic_read(BIO *b, char *out, int outl);
251static int ebcdic_write(BIO *b, const char *in, int inl);
252static long ebcdic_ctrl(BIO *b, int cmd, long num, void *ptr);
253static int ebcdic_gets(BIO *bp, char *buf, int size);
254static int ebcdic_puts(BIO *bp, const char *str);
255
256# define BIO_TYPE_EBCDIC_FILTER (18|0x0200)
257static BIO_METHOD *methods_ebcdic = NULL((void*)0);
258
259/* This struct is "unwarranted chumminess with the compiler." */
260typedef struct {
261 size_t alloced;
262 char buff[1];
263} EBCDIC_OUTBUFF;
264
265static const BIO_METHOD *BIO_f_ebcdic_filter()
266{
267 if (methods_ebcdic == NULL((void*)0)) {
268 methods_ebcdic = BIO_meth_new(BIO_TYPE_EBCDIC_FILTER,
269 "EBCDIC/ASCII filter");
270 if (methods_ebcdic == NULL((void*)0)
271 || !BIO_meth_set_write(methods_ebcdic, ebcdic_write)
272 || !BIO_meth_set_read(methods_ebcdic, ebcdic_read)
273 || !BIO_meth_set_puts(methods_ebcdic, ebcdic_puts)
274 || !BIO_meth_set_gets(methods_ebcdic, ebcdic_gets)
275 || !BIO_meth_set_ctrl(methods_ebcdic, ebcdic_ctrl)
276 || !BIO_meth_set_create(methods_ebcdic, ebcdic_new)
277 || !BIO_meth_set_destroy(methods_ebcdic, ebcdic_free))
278 return NULL((void*)0);
279 }
280 return methods_ebcdic;
281}
282
283static int ebcdic_new(BIO *bi)
284{
285 EBCDIC_OUTBUFF *wbuf;
286
287 wbuf = app_malloc(sizeof(*wbuf) + 1024, "ebcdic wbuf");
288 wbuf->alloced = 1024;
289 wbuf->buff[0] = '\0';
290
291 BIO_set_data(bi, wbuf);
292 BIO_set_init(bi, 1);
293 return 1;
294}
295
296static int ebcdic_free(BIO *a)
297{
298 EBCDIC_OUTBUFF *wbuf;
299
300 if (a == NULL((void*)0))
301 return 0;
302 wbuf = BIO_get_data(a);
303 OPENSSL_free(wbuf)CRYPTO_free(wbuf, "../deps/openssl/openssl/apps/s_server.c", 303
)
;
304 BIO_set_data(a, NULL((void*)0));
305 BIO_set_init(a, 0);
306
307 return 1;
308}
309
310static int ebcdic_read(BIO *b, char *out, int outl)
311{
312 int ret = 0;
313 BIO *next = BIO_next(b);
314
315 if (out == NULL((void*)0) || outl == 0)
316 return 0;
317 if (next == NULL((void*)0))
318 return 0;
319
320 ret = BIO_read(next, out, outl);
321 if (ret > 0)
322 ascii2ebcdic(out, out, ret);
323 return ret;
324}
325
326static int ebcdic_write(BIO *b, const char *in, int inl)
327{
328 EBCDIC_OUTBUFF *wbuf;
329 BIO *next = BIO_next(b);
330 int ret = 0;
331 int num;
332
333 if ((in == NULL((void*)0)) || (inl <= 0))
334 return 0;
335 if (next == NULL((void*)0))
336 return 0;
337
338 wbuf = (EBCDIC_OUTBUFF *) BIO_get_data(b);
339
340 if (inl > (num = wbuf->alloced)) {
341 num = num + num; /* double the size */
342 if (num < inl)
343 num = inl;
344 OPENSSL_free(wbuf)CRYPTO_free(wbuf, "../deps/openssl/openssl/apps/s_server.c", 344
)
;
345 wbuf = app_malloc(sizeof(*wbuf) + num, "grow ebcdic wbuf");
346
347 wbuf->alloced = num;
348 wbuf->buff[0] = '\0';
349
350 BIO_set_data(b, wbuf);
351 }
352
353 ebcdic2ascii(wbuf->buff, in, inl);
354
355 ret = BIO_write(next, wbuf->buff, inl);
356
357 return ret;
358}
359
360static long ebcdic_ctrl(BIO *b, int cmd, long num, void *ptr)
361{
362 long ret;
363 BIO *next = BIO_next(b);
364
365 if (next == NULL((void*)0))
366 return 0;
367 switch (cmd) {
368 case BIO_CTRL_DUP12:
369 ret = 0L;
370 break;
371 default:
372 ret = BIO_ctrl(next, cmd, num, ptr);
373 break;
374 }
375 return ret;
376}
377
378static int ebcdic_gets(BIO *bp, char *buf, int size)
379{
380 int i, ret = 0;
381 BIO *next = BIO_next(bp);
382
383 if (next == NULL((void*)0))
384 return 0;
385/* return(BIO_gets(bp->next_bio,buf,size));*/
386 for (i = 0; i < size - 1; ++i) {
387 ret = ebcdic_read(bp, &buf[i], 1);
388 if (ret <= 0)
389 break;
390 else if (buf[i] == '\n') {
391 ++i;
392 break;
393 }
394 }
395 if (i < size)
396 buf[i] = '\0';
397 return (ret < 0 && i == 0) ? ret : i;
398}
399
400static int ebcdic_puts(BIO *bp, const char *str)
401{
402 if (BIO_next(bp) == NULL((void*)0))
403 return 0;
404 return ebcdic_write(bp, str, strlen(str));
405}
406#endif
407
408/* This is a context that we pass to callbacks */
409typedef struct tlsextctx_st {
410 char *servername;
411 BIO *biodebug;
412 int extension_error;
413} tlsextctx;
414
415static int ssl_servername_cb(SSL *s, int *ad, void *arg)
416{
417 tlsextctx *p = (tlsextctx *) arg;
418 const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name0);
419
420 if (servername != NULL((void*)0) && p->biodebug != NULL((void*)0)) {
421 const char *cp = servername;
422 unsigned char uc;
423
424 BIO_printf(p->biodebug, "Hostname in TLS extension: \"");
425 while ((uc = *cp++) != 0)
426 BIO_printf(p->biodebug,
427 (((uc) & ~127) == 0) && isprint(uc)((*__ctype_b_loc ())[(int) ((uc))] & (unsigned short int)
_ISprint)
? "%c" : "\\x%02x", uc);
428 BIO_printf(p->biodebug, "\"\n");
429 }
430
431 if (p->servername == NULL((void*)0))
432 return SSL_TLSEXT_ERR_NOACK3;
433
434 if (servername != NULL((void*)0)) {
435 if (OPENSSL_strcasecmp(servername, p->servername))
436 return p->extension_error;
437 if (ctx2 != NULL((void*)0)) {
438 BIO_printf(p->biodebug, "Switching server context.\n");
439 SSL_set_SSL_CTX(s, ctx2);
440 }
441 }
442 return SSL_TLSEXT_ERR_OK0;
443}
444
445/* Structure passed to cert status callback */
446typedef struct tlsextstatusctx_st {
447 int timeout;
448 /* File to load OCSP Response from (or NULL if no file) */
449 char *respin;
450 /* Default responder to use */
451 char *host, *path, *port;
452 char *proxy, *no_proxy;
453 int use_ssl;
454 int verbose;
455} tlsextstatusctx;
456
457static tlsextstatusctx tlscstatp = { -1 };
458
459#ifndef OPENSSL_NO_OCSP
460
461/*
462 * Helper function to get an OCSP_RESPONSE from a responder. This is a
463 * simplified version. It examines certificates each time and makes one OCSP
464 * responder query for each request. A full version would store details such as
465 * the OCSP certificate IDs and minimise the number of OCSP responses by caching
466 * them until they were considered "expired".
467 */
468static int get_ocsp_resp_from_responder(SSL *s, tlsextstatusctx *srctx,
469 OCSP_RESPONSE **resp)
470{
471 char *host = NULL((void*)0), *port = NULL((void*)0), *path = NULL((void*)0);
472 char *proxy = NULL((void*)0), *no_proxy = NULL((void*)0);
473 int use_ssl;
474 STACK_OF(OPENSSL_STRING)struct stack_st_OPENSSL_STRING *aia = NULL((void*)0);
475 X509 *x = NULL((void*)0);
476 X509_STORE_CTX *inctx = NULL((void*)0);
477 X509_OBJECT *obj;
478 OCSP_REQUEST *req = NULL((void*)0);
479 OCSP_CERTID *id = NULL((void*)0);
480 STACK_OF(X509_EXTENSION)struct stack_st_X509_EXTENSION *exts;
481 int ret = SSL_TLSEXT_ERR_NOACK3;
482 int i;
483
484 /* Build up OCSP query from server certificate */
485 x = SSL_get_certificate(s);
486 aia = X509_get1_ocsp(x);
487 if (aia != NULL((void*)0)) {
488 if (!OSSL_HTTP_parse_url(sk_OPENSSL_STRING_value(aia, 0)((char *)OPENSSL_sk_value(ossl_check_const_OPENSSL_STRING_sk_type
(aia), (0)))
, &use_ssl,
489 NULL((void*)0), &host, &port, NULL((void*)0), &path, NULL((void*)0), NULL((void*)0))) {
490 BIO_puts(bio_err, "cert_status: can't parse AIA URL\n");
491 goto err;
492 }
493 if (srctx->verbose)
494 BIO_printf(bio_err, "cert_status: AIA URL: %s\n",
495 sk_OPENSSL_STRING_value(aia, 0)((char *)OPENSSL_sk_value(ossl_check_const_OPENSSL_STRING_sk_type
(aia), (0)))
);
496 } else {
497 if (srctx->host == NULL((void*)0)) {
498 BIO_puts(bio_err,
499 "cert_status: no AIA and no default responder URL\n");
500 goto done;
501 }
502 host = srctx->host;
503 path = srctx->path;
504 port = srctx->port;
505 use_ssl = srctx->use_ssl;
506 }
507 proxy = srctx->proxy;
508 no_proxy = srctx->no_proxy;
509
510 inctx = X509_STORE_CTX_new();
511 if (inctx == NULL((void*)0))
512 goto err;
513 if (!X509_STORE_CTX_init(inctx,
514 SSL_CTX_get_cert_store(SSL_get_SSL_CTX(s)),
515 NULL((void*)0), NULL((void*)0)))
516 goto err;
517 obj = X509_STORE_CTX_get_obj_by_subject(inctx, X509_LU_X509,
518 X509_get_issuer_name(x));
519 if (obj == NULL((void*)0)) {
520 BIO_puts(bio_err, "cert_status: Can't retrieve issuer certificate.\n");
521 goto done;
522 }
523 id = OCSP_cert_to_id(NULL((void*)0), x, X509_OBJECT_get0_X509(obj));
524 X509_OBJECT_free(obj);
525 if (id == NULL((void*)0))
526 goto err;
527 req = OCSP_REQUEST_new();
528 if (req == NULL((void*)0))
529 goto err;
530 if (!OCSP_request_add0_id(req, id))
531 goto err;
532 id = NULL((void*)0);
533 /* Add any extensions to the request */
534 SSL_get_tlsext_status_exts(s, &exts)SSL_ctrl(s,66,0,&exts);
535 for (i = 0; i < sk_X509_EXTENSION_num(exts)OPENSSL_sk_num(ossl_check_const_X509_EXTENSION_sk_type(exts)); i++) {
536 X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, i)((X509_EXTENSION *)OPENSSL_sk_value(ossl_check_const_X509_EXTENSION_sk_type
(exts), (i)))
;
537 if (!OCSP_REQUEST_add_ext(req, ext, -1))
538 goto err;
539 }
540 *resp = process_responder(req, host, port, path, proxy, no_proxy,
541 use_ssl, NULL((void*)0) /* headers */, srctx->timeout);
542 if (*resp == NULL((void*)0)) {
543 BIO_puts(bio_err, "cert_status: error querying responder\n");
544 goto done;
545 }
546
547 ret = SSL_TLSEXT_ERR_OK0;
548 goto done;
549
550 err:
551 ret = SSL_TLSEXT_ERR_ALERT_FATAL2;
552 done:
553 /*
554 * If we parsed aia we need to free; otherwise they were copied and we
555 * don't
556 */
557 if (aia != NULL((void*)0)) {
558 OPENSSL_free(host)CRYPTO_free(host, "../deps/openssl/openssl/apps/s_server.c", 558
)
;
559 OPENSSL_free(path)CRYPTO_free(path, "../deps/openssl/openssl/apps/s_server.c", 559
)
;
560 OPENSSL_free(port)CRYPTO_free(port, "../deps/openssl/openssl/apps/s_server.c", 560
)
;
561 X509_email_free(aia);
562 }
563 OCSP_CERTID_free(id);
564 OCSP_REQUEST_free(req);
565 X509_STORE_CTX_free(inctx);
566 return ret;
567}
568
569/*
570 * Certificate Status callback. This is called when a client includes a
571 * certificate status request extension. The response is either obtained from a
572 * file, or from an OCSP responder.
573 */
574static int cert_status_cb(SSL *s, void *arg)
575{
576 tlsextstatusctx *srctx = arg;
577 OCSP_RESPONSE *resp = NULL((void*)0);
578 unsigned char *rspder = NULL((void*)0);
579 int rspderlen;
580 int ret = SSL_TLSEXT_ERR_ALERT_FATAL2;
581
582 if (srctx->verbose)
583 BIO_puts(bio_err, "cert_status: callback called\n");
584
585 if (srctx->respin != NULL((void*)0)) {
586 BIO *derbio = bio_open_default(srctx->respin, 'r', FORMAT_ASN14);
587 if (derbio == NULL((void*)0)) {
588 BIO_puts(bio_err, "cert_status: Cannot open OCSP response file\n");
589 goto err;
590 }
591 resp = d2i_OCSP_RESPONSE_bio(derbio, NULL)((OCSP_RESPONSE*)ASN1_d2i_bio( ((void *(*)(void)) (1 ? OCSP_RESPONSE_new
: ((OCSP_RESPONSE *(*)(void))0))), ((d2i_of_void*) (1 ? d2i_OCSP_RESPONSE
: ((OCSP_RESPONSE *(*)(OCSP_RESPONSE **,const unsigned char *
*,long))0))), derbio, ((void**) (1 ? ((void*)0) : (OCSP_RESPONSE
**)0))))
;
592 BIO_free(derbio);
593 if (resp == NULL((void*)0)) {
594 BIO_puts(bio_err, "cert_status: Error reading OCSP response\n");
595 goto err;
596 }
597 } else {
598 ret = get_ocsp_resp_from_responder(s, srctx, &resp);
599 if (ret != SSL_TLSEXT_ERR_OK0)
600 goto err;
601 }
602
603 rspderlen = i2d_OCSP_RESPONSE(resp, &rspder);
604 if (rspderlen <= 0)
605 goto err;
606
607 SSL_set_tlsext_status_ocsp_resp(s, rspder, rspderlen)SSL_ctrl(s,71,rspderlen,rspder);
608 if (srctx->verbose) {
609 BIO_puts(bio_err, "cert_status: ocsp response sent:\n");
610 OCSP_RESPONSE_print(bio_err, resp, 2);
611 }
612
613 ret = SSL_TLSEXT_ERR_OK0;
614
615 err:
616 if (ret != SSL_TLSEXT_ERR_OK0)
617 ERR_print_errors(bio_err);
618
619 OCSP_RESPONSE_free(resp);
620
621 return ret;
622}
623#endif
624
625#ifndef OPENSSL_NO_NEXTPROTONEG
626/* This is the context that we pass to next_proto_cb */
627typedef struct tlsextnextprotoctx_st {
628 unsigned char *data;
629 size_t len;
630} tlsextnextprotoctx;
631
632static int next_proto_cb(SSL *s, const unsigned char **data,
633 unsigned int *len, void *arg)
634{
635 tlsextnextprotoctx *next_proto = arg;
636
637 *data = next_proto->data;
638 *len = next_proto->len;
639
640 return SSL_TLSEXT_ERR_OK0;
641}
642#endif /* ndef OPENSSL_NO_NEXTPROTONEG */
643
644/* This the context that we pass to alpn_cb */
645typedef struct tlsextalpnctx_st {
646 unsigned char *data;
647 size_t len;
648} tlsextalpnctx;
649
650static int alpn_cb(SSL *s, const unsigned char **out, unsigned char *outlen,
651 const unsigned char *in, unsigned int inlen, void *arg)
652{
653 tlsextalpnctx *alpn_ctx = arg;
654
655 if (!s_quiet) {
656 /* We can assume that |in| is syntactically valid. */
657 unsigned int i;
658 BIO_printf(bio_s_out, "ALPN protocols advertised by the client: ");
659 for (i = 0; i < inlen;) {
660 if (i)
661 BIO_write(bio_s_out, ", ", 2);
662 BIO_write(bio_s_out, &in[i + 1], in[i]);
663 i += in[i] + 1;
664 }
665 BIO_write(bio_s_out, "\n", 1);
666 }
667
668 if (SSL_select_next_proto
669 ((unsigned char **)out, outlen, alpn_ctx->data, alpn_ctx->len, in,
670 inlen) != OPENSSL_NPN_NEGOTIATED1) {
671 return SSL_TLSEXT_ERR_ALERT_FATAL2;
672 }
673
674 if (!s_quiet) {
675 BIO_printf(bio_s_out, "ALPN protocols selected: ");
676 BIO_write(bio_s_out, *out, *outlen);
677 BIO_write(bio_s_out, "\n", 1);
678 }
679
680 return SSL_TLSEXT_ERR_OK0;
681}
682
683static int not_resumable_sess_cb(SSL *s, int is_forward_secure)
684{
685 /* disable resumption for sessions with forward secure ciphers */
686 return is_forward_secure;
687}
688
689typedef enum OPTION_choice {
690 OPT_COMMONOPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
691 OPT_ENGINE,
692 OPT_4, OPT_6, OPT_ACCEPT, OPT_PORT, OPT_UNIX, OPT_UNLINK, OPT_NACCEPT,
693 OPT_VERIFY, OPT_NAMEOPT, OPT_UPPER_V_VERIFY, OPT_CONTEXT, OPT_CERT, OPT_CRL,
694 OPT_CRL_DOWNLOAD, OPT_SERVERINFO, OPT_CERTFORM, OPT_KEY, OPT_KEYFORM,
695 OPT_PASS, OPT_CERT_CHAIN, OPT_DHPARAM, OPT_DCERTFORM, OPT_DCERT,
696 OPT_DKEYFORM, OPT_DPASS, OPT_DKEY, OPT_DCERT_CHAIN, OPT_NOCERT,
697 OPT_CAPATH, OPT_NOCAPATH, OPT_CHAINCAPATH, OPT_VERIFYCAPATH, OPT_NO_CACHE,
698 OPT_EXT_CACHE, OPT_CRLFORM, OPT_VERIFY_RET_ERROR, OPT_VERIFY_QUIET,
699 OPT_BUILD_CHAIN, OPT_CAFILE, OPT_NOCAFILE, OPT_CHAINCAFILE,
700 OPT_VERIFYCAFILE,
701 OPT_CASTORE, OPT_NOCASTORE, OPT_CHAINCASTORE, OPT_VERIFYCASTORE,
702 OPT_NBIO, OPT_NBIO_TEST, OPT_IGN_EOF, OPT_NO_IGN_EOF,
703 OPT_DEBUG, OPT_TLSEXTDEBUG, OPT_STATUS, OPT_STATUS_VERBOSE,
704 OPT_STATUS_TIMEOUT, OPT_PROXY, OPT_NO_PROXY, OPT_STATUS_URL,
705 OPT_STATUS_FILE, OPT_MSG, OPT_MSGFILE,
706 OPT_TRACE, OPT_SECURITY_DEBUG, OPT_SECURITY_DEBUG_VERBOSE, OPT_STATE,
707 OPT_CRLF, OPT_QUIET, OPT_BRIEF, OPT_NO_DHE,
708 OPT_NO_RESUME_EPHEMERAL, OPT_PSK_IDENTITY, OPT_PSK_HINT, OPT_PSK,
709 OPT_PSK_SESS, OPT_SRPVFILE, OPT_SRPUSERSEED, OPT_REV, OPT_WWW,
710 OPT_UPPER_WWW, OPT_HTTP, OPT_ASYNC, OPT_SSL_CONFIG,
711 OPT_MAX_SEND_FRAG, OPT_SPLIT_SEND_FRAG, OPT_MAX_PIPELINES, OPT_READ_BUF,
712 OPT_SSL3, OPT_TLS1_3, OPT_TLS1_2, OPT_TLS1_1, OPT_TLS1, OPT_DTLS, OPT_DTLS1,
713 OPT_DTLS1_2, OPT_SCTP, OPT_TIMEOUT, OPT_MTU, OPT_LISTEN, OPT_STATELESS,
714 OPT_ID_PREFIX, OPT_SERVERNAME, OPT_SERVERNAME_FATAL,
715 OPT_CERT2, OPT_KEY2, OPT_NEXTPROTONEG, OPT_ALPN, OPT_SENDFILE,
716 OPT_SRTP_PROFILES, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN,
717 OPT_KEYLOG_FILE, OPT_MAX_EARLY, OPT_RECV_MAX_EARLY, OPT_EARLY_DATA,
718 OPT_S_NUM_TICKETS, OPT_ANTI_REPLAY, OPT_NO_ANTI_REPLAY, OPT_SCTP_LABEL_BUG,
719 OPT_HTTP_SERVER_BINMODE, OPT_NOCANAMES, OPT_IGNORE_UNEXPECTED_EOF,
720 OPT_R_ENUMOPT_R__FIRST=1500, OPT_R_RAND, OPT_R_WRITERAND, OPT_R__LAST,
721 OPT_S_ENUMOPT_S__FIRST=3000, OPT_S_NOSSL3, OPT_S_NOTLS1, OPT_S_NOTLS1_1
, OPT_S_NOTLS1_2, OPT_S_NOTLS1_3, OPT_S_BUGS, OPT_S_NO_COMP, OPT_S_NOTICKET
, OPT_S_SERVERPREF, OPT_S_LEGACYRENEG, OPT_S_CLIENTRENEG, OPT_S_LEGACYCONN
, OPT_S_ONRESUMP, OPT_S_NOLEGACYCONN, OPT_S_ALLOW_NO_DHE_KEX,
OPT_S_PRIORITIZE_CHACHA, OPT_S_STRICT, OPT_S_SIGALGS, OPT_S_CLIENTSIGALGS
, OPT_S_GROUPS, OPT_S_CURVES, OPT_S_NAMEDCURVE, OPT_S_CIPHER,
OPT_S_CIPHERSUITES, OPT_S_RECORD_PADDING, OPT_S_DEBUGBROKE, OPT_S_COMP
, OPT_S_MINPROTO, OPT_S_MAXPROTO, OPT_S_NO_RENEGOTIATION, OPT_S_NO_MIDDLEBOX
, OPT_S_NO_ETM, OPT_S__LAST
,
722 OPT_V_ENUMOPT_V__FIRST=2000, OPT_V_POLICY, OPT_V_PURPOSE, OPT_V_VERIFY_NAME
, OPT_V_VERIFY_DEPTH, OPT_V_ATTIME, OPT_V_VERIFY_HOSTNAME, OPT_V_VERIFY_EMAIL
, OPT_V_VERIFY_IP, OPT_V_IGNORE_CRITICAL, OPT_V_ISSUER_CHECKS
, OPT_V_CRL_CHECK, OPT_V_CRL_CHECK_ALL, OPT_V_POLICY_CHECK, OPT_V_EXPLICIT_POLICY
, OPT_V_INHIBIT_ANY, OPT_V_INHIBIT_MAP, OPT_V_X509_STRICT, OPT_V_EXTENDED_CRL
, OPT_V_USE_DELTAS, OPT_V_POLICY_PRINT, OPT_V_CHECK_SS_SIG, OPT_V_TRUSTED_FIRST
, OPT_V_SUITEB_128_ONLY, OPT_V_SUITEB_128, OPT_V_SUITEB_192, OPT_V_PARTIAL_CHAIN
, OPT_V_NO_ALT_CHAINS, OPT_V_NO_CHECK_TIME, OPT_V_VERIFY_AUTH_LEVEL
, OPT_V_ALLOW_PROXY_CERTS, OPT_V__LAST
,
723 OPT_X_ENUMOPT_X__FIRST=1000, OPT_X_KEY, OPT_X_CERT, OPT_X_CHAIN, OPT_X_CHAIN_BUILD
, OPT_X_CERTFORM, OPT_X_KEYFORM, OPT_X__LAST
,
724 OPT_PROV_ENUMOPT_PROV__FIRST=1600, OPT_PROV_PROVIDER, OPT_PROV_PROVIDER_PATH
, OPT_PROV_PROPQUERY, OPT_PROV__LAST
725} OPTION_CHOICE;
726
727const OPTIONS s_server_options[] = {
728 OPT_SECTION("General"){ OPT_SECTION_STR, 1, '-', "General" " options:\n" },
729 {"help", OPT_HELP, '-', "Display this summary"},
730 {"ssl_config", OPT_SSL_CONFIG, 's',
731 "Configure SSL_CTX using the given configuration value"},
732#ifndef OPENSSL_NO_SSL_TRACE
733 {"trace", OPT_TRACE, '-', "trace protocol messages"},
734#endif
735#ifndef OPENSSL_NO_ENGINE
736 {"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
737#endif
738
739 OPT_SECTION("Network"){ OPT_SECTION_STR, 1, '-', "Network" " options:\n" },
740 {"port", OPT_PORT, 'p',
741 "TCP/IP port to listen on for connections (default is " PORT"4433" ")"},
742 {"accept", OPT_ACCEPT, 's',
743 "TCP/IP optional host and port to listen on for connections (default is *:" PORT"4433" ")"},
744#ifdef AF_UNIX1
745 {"unix", OPT_UNIX, 's', "Unix domain socket to accept on"},
746 {"unlink", OPT_UNLINK, '-', "For -unix, unlink existing socket first"},
747#endif
748 {"4", OPT_4, '-', "Use IPv4 only"},
749 {"6", OPT_6, '-', "Use IPv6 only"},
750
751 OPT_SECTION("Identity"){ OPT_SECTION_STR, 1, '-', "Identity" " options:\n" },
752 {"context", OPT_CONTEXT, 's', "Set session ID context"},
753 {"CAfile", OPT_CAFILE, '<', "PEM format file of CA's"},
754 {"CApath", OPT_CAPATH, '/', "PEM format directory of CA's"},
755 {"CAstore", OPT_CASTORE, ':', "URI to store of CA's"},
756 {"no-CAfile", OPT_NOCAFILE, '-',
757 "Do not load the default certificates file"},
758 {"no-CApath", OPT_NOCAPATH, '-',
759 "Do not load certificates from the default certificates directory"},
760 {"no-CAstore", OPT_NOCASTORE, '-',
761 "Do not load certificates from the default certificates store URI"},
762 {"nocert", OPT_NOCERT, '-', "Don't use any certificates (Anon-DH)"},
763 {"verify", OPT_VERIFY, 'n', "Turn on peer certificate verification"},
764 {"Verify", OPT_UPPER_V_VERIFY, 'n',
765 "Turn on peer certificate verification, must have a cert"},
766 {"nameopt", OPT_NAMEOPT, 's', "Certificate subject/issuer name printing options"},
767 {"cert", OPT_CERT, '<', "Server certificate file to use; default " TEST_CERT"server.pem"},
768 {"cert2", OPT_CERT2, '<',
769 "Certificate file to use for servername; default " TEST_CERT2"server2.pem"},
770 {"certform", OPT_CERTFORM, 'F',
771 "Server certificate file format (PEM/DER/P12); has no effect"},
772 {"cert_chain", OPT_CERT_CHAIN, '<',
773 "Server certificate chain file in PEM format"},
774 {"build_chain", OPT_BUILD_CHAIN, '-', "Build server certificate chain"},
775 {"serverinfo", OPT_SERVERINFO, 's',
776 "PEM serverinfo file for certificate"},
777 {"key", OPT_KEY, 's',
778 "Private key file to use; default is -cert file or else" TEST_CERT"server.pem"},
779 {"key2", OPT_KEY2, '<',
780 "-Private Key file to use for servername if not in -cert2"},
781 {"keyform", OPT_KEYFORM, 'f', "Key format (ENGINE, other values ignored)"},
782 {"pass", OPT_PASS, 's', "Private key and cert file pass phrase source"},
783 {"dcert", OPT_DCERT, '<',
784 "Second server certificate file to use (usually for DSA)"},
785 {"dcertform", OPT_DCERTFORM, 'F',
786 "Second server certificate file format (PEM/DER/P12); has no effect"},
787 {"dcert_chain", OPT_DCERT_CHAIN, '<',
788 "second server certificate chain file in PEM format"},
789 {"dkey", OPT_DKEY, '<',
790 "Second private key file to use (usually for DSA)"},
791 {"dkeyform", OPT_DKEYFORM, 'F',
792 "Second key file format (ENGINE, other values ignored)"},
793 {"dpass", OPT_DPASS, 's',
794 "Second private key and cert file pass phrase source"},
795 {"dhparam", OPT_DHPARAM, '<', "DH parameters file to use"},
796 {"servername", OPT_SERVERNAME, 's',
797 "Servername for HostName TLS extension"},
798 {"servername_fatal", OPT_SERVERNAME_FATAL, '-',
799 "On servername mismatch send fatal alert (default warning alert)"},
800 {"nbio_test", OPT_NBIO_TEST, '-', "Test with the non-blocking test bio"},
801 {"crlf", OPT_CRLF, '-', "Convert LF from terminal into CRLF"},
802 {"quiet", OPT_QUIET, '-', "No server output"},
803 {"no_resume_ephemeral", OPT_NO_RESUME_EPHEMERAL, '-',
804 "Disable caching and tickets if ephemeral (EC)DH is used"},
805 {"www", OPT_WWW, '-', "Respond to a 'GET /' with a status page"},
806 {"WWW", OPT_UPPER_WWW, '-', "Respond to a 'GET with the file ./path"},
807 {"ignore_unexpected_eof", OPT_IGNORE_UNEXPECTED_EOF, '-',
808 "Do not treat lack of close_notify from a peer as an error"},
809 {"tlsextdebug", OPT_TLSEXTDEBUG, '-',
810 "Hex dump of all TLS extensions received"},
811 {"HTTP", OPT_HTTP, '-', "Like -WWW but ./path includes HTTP headers"},
812 {"id_prefix", OPT_ID_PREFIX, 's',
813 "Generate SSL/TLS session IDs prefixed by arg"},
814 {"keymatexport", OPT_KEYMATEXPORT, 's',
815 "Export keying material using label"},
816 {"keymatexportlen", OPT_KEYMATEXPORTLEN, 'p',
817 "Export len bytes of keying material; default 20"},
818 {"CRL", OPT_CRL, '<', "CRL file to use"},
819 {"CRLform", OPT_CRLFORM, 'F', "CRL file format (PEM or DER); default PEM"},
820 {"crl_download", OPT_CRL_DOWNLOAD, '-',
821 "Download CRLs from distribution points in certificate CDP entries"},
822 {"chainCAfile", OPT_CHAINCAFILE, '<',
823 "CA file for certificate chain (PEM format)"},
824 {"chainCApath", OPT_CHAINCAPATH, '/',
825 "use dir as certificate store path to build CA certificate chain"},
826 {"chainCAstore", OPT_CHAINCASTORE, ':',
827 "use URI as certificate store to build CA certificate chain"},
828 {"verifyCAfile", OPT_VERIFYCAFILE, '<',
829 "CA file for certificate verification (PEM format)"},
830 {"verifyCApath", OPT_VERIFYCAPATH, '/',
831 "use dir as certificate store path to verify CA certificate"},
832 {"verifyCAstore", OPT_VERIFYCASTORE, ':',
833 "use URI as certificate store to verify CA certificate"},
834 {"no_cache", OPT_NO_CACHE, '-', "Disable session cache"},
835 {"ext_cache", OPT_EXT_CACHE, '-',
836 "Disable internal cache, set up and use external cache"},
837 {"verify_return_error", OPT_VERIFY_RET_ERROR, '-',
838 "Close connection on verification error"},
839 {"verify_quiet", OPT_VERIFY_QUIET, '-',
840 "No verify output except verify errors"},
841 {"ign_eof", OPT_IGN_EOF, '-', "Ignore input EOF (default when -quiet)"},
842 {"no_ign_eof", OPT_NO_IGN_EOF, '-', "Do not ignore input EOF"},
843
844#ifndef OPENSSL_NO_OCSP
845 OPT_SECTION("OCSP"){ OPT_SECTION_STR, 1, '-', "OCSP" " options:\n" },
846 {"status", OPT_STATUS, '-', "Request certificate status from server"},
847 {"status_verbose", OPT_STATUS_VERBOSE, '-',
848 "Print more output in certificate status callback"},
849 {"status_timeout", OPT_STATUS_TIMEOUT, 'n',
850 "Status request responder timeout"},
851 {"status_url", OPT_STATUS_URL, 's', "Status request fallback URL"},
852 {"proxy", OPT_PROXY, 's',
853 "[http[s]://]host[:port][/path] of HTTP(S) proxy to use; path is ignored"},
854 {"no_proxy", OPT_NO_PROXY, 's',
855 "List of addresses of servers not to use HTTP(S) proxy for"},
856 {OPT_MORE_STR, 0, 0,
857 "Default from environment variable 'no_proxy', else 'NO_PROXY', else none"},
858 {"status_file", OPT_STATUS_FILE, '<',
859 "File containing DER encoded OCSP Response"},
860#endif
861
862 OPT_SECTION("Debug"){ OPT_SECTION_STR, 1, '-', "Debug" " options:\n" },
863 {"security_debug", OPT_SECURITY_DEBUG, '-',
864 "Print output from SSL/TLS security framework"},
865 {"security_debug_verbose", OPT_SECURITY_DEBUG_VERBOSE, '-',
866 "Print more output from SSL/TLS security framework"},
867 {"brief", OPT_BRIEF, '-',
868 "Restrict output to brief summary of connection parameters"},
869 {"rev", OPT_REV, '-',
870 "act as an echo server that sends back received text reversed"},
871 {"debug", OPT_DEBUG, '-', "Print more output"},
872 {"msg", OPT_MSG, '-', "Show protocol messages"},
873 {"msgfile", OPT_MSGFILE, '>',
874 "File to send output of -msg or -trace, instead of stdout"},
875 {"state", OPT_STATE, '-', "Print the SSL states"},
876 {"async", OPT_ASYNC, '-', "Operate in asynchronous mode"},
877 {"max_pipelines", OPT_MAX_PIPELINES, 'p',
878 "Maximum number of encrypt/decrypt pipelines to be used"},
879 {"naccept", OPT_NACCEPT, 'p', "Terminate after #num connections"},
880 {"keylogfile", OPT_KEYLOG_FILE, '>', "Write TLS secrets to file"},
881
882 OPT_SECTION("Network"){ OPT_SECTION_STR, 1, '-', "Network" " options:\n" },
883 {"nbio", OPT_NBIO, '-', "Use non-blocking IO"},
884 {"timeout", OPT_TIMEOUT, '-', "Enable timeouts"},
885 {"mtu", OPT_MTU, 'p', "Set link-layer MTU"},
886 {"read_buf", OPT_READ_BUF, 'p',
887 "Default read buffer size to be used for connections"},
888 {"split_send_frag", OPT_SPLIT_SEND_FRAG, 'p',
889 "Size used to split data for encrypt pipelines"},
890 {"max_send_frag", OPT_MAX_SEND_FRAG, 'p', "Maximum Size of send frames "},
891
892 OPT_SECTION("Server identity"){ OPT_SECTION_STR, 1, '-', "Server identity" " options:\n" },
893 {"psk_identity", OPT_PSK_IDENTITY, 's', "PSK identity to expect"},
894#ifndef OPENSSL_NO_PSK
895 {"psk_hint", OPT_PSK_HINT, 's', "PSK identity hint to use"},
896#endif
897 {"psk", OPT_PSK, 's', "PSK in hex (without 0x)"},
898 {"psk_session", OPT_PSK_SESS, '<', "File to read PSK SSL session from"},
899#ifndef OPENSSL_NO_SRP
900 {"srpvfile", OPT_SRPVFILE, '<', "(deprecated) The verifier file for SRP"},
901 {"srpuserseed", OPT_SRPUSERSEED, 's',
902 "(deprecated) A seed string for a default user salt"},
903#endif
904
905 OPT_SECTION("Protocol and version"){ OPT_SECTION_STR, 1, '-', "Protocol and version" " options:\n"
}
,
906 {"max_early_data", OPT_MAX_EARLY, 'n',
907 "The maximum number of bytes of early data as advertised in tickets"},
908 {"recv_max_early_data", OPT_RECV_MAX_EARLY, 'n',
909 "The maximum number of bytes of early data (hard limit)"},
910 {"early_data", OPT_EARLY_DATA, '-', "Attempt to read early data"},
911 {"num_tickets", OPT_S_NUM_TICKETS, 'n',
912 "The number of TLSv1.3 session tickets that a server will automatically issue" },
913 {"anti_replay", OPT_ANTI_REPLAY, '-', "Switch on anti-replay protection (default)"},
914 {"no_anti_replay", OPT_NO_ANTI_REPLAY, '-', "Switch off anti-replay protection"},
915 {"http_server_binmode", OPT_HTTP_SERVER_BINMODE, '-', "opening files in binary mode when acting as http server (-WWW and -HTTP)"},
916 {"no_ca_names", OPT_NOCANAMES, '-',
917 "Disable TLS Extension CA Names"},
918 {"stateless", OPT_STATELESS, '-', "Require TLSv1.3 cookies"},
919#ifndef OPENSSL_NO_SSL3
920 {"ssl3", OPT_SSL3, '-', "Just talk SSLv3"},
921#endif
922#ifndef OPENSSL_NO_TLS1
923 {"tls1", OPT_TLS1, '-', "Just talk TLSv1"},
924#endif
925#ifndef OPENSSL_NO_TLS1_1
926 {"tls1_1", OPT_TLS1_1, '-', "Just talk TLSv1.1"},
927#endif
928#ifndef OPENSSL_NO_TLS1_2
929 {"tls1_2", OPT_TLS1_2, '-', "just talk TLSv1.2"},
930#endif
931#ifndef OPENSSL_NO_TLS1_3
932 {"tls1_3", OPT_TLS1_3, '-', "just talk TLSv1.3"},
933#endif
934#ifndef OPENSSL_NO_DTLS
935 {"dtls", OPT_DTLS, '-', "Use any DTLS version"},
936 {"listen", OPT_LISTEN, '-',
937 "Listen for a DTLS ClientHello with a cookie and then connect"},
938#endif
939#ifndef OPENSSL_NO_DTLS1
940 {"dtls1", OPT_DTLS1, '-', "Just talk DTLSv1"},
941#endif
942#ifndef OPENSSL_NO_DTLS1_2
943 {"dtls1_2", OPT_DTLS1_2, '-', "Just talk DTLSv1.2"},
944#endif
945#ifndef OPENSSL_NO_SCTP
946 {"sctp", OPT_SCTP, '-', "Use SCTP"},
947 {"sctp_label_bug", OPT_SCTP_LABEL_BUG, '-', "Enable SCTP label length bug"},
948#endif
949#ifndef OPENSSL_NO_SRTP
950 {"use_srtp", OPT_SRTP_PROFILES, 's',
951 "Offer SRTP key management with a colon-separated profile list"},
952#endif
953 {"no_dhe", OPT_NO_DHE, '-', "Disable ephemeral DH"},
954#ifndef OPENSSL_NO_NEXTPROTONEG
955 {"nextprotoneg", OPT_NEXTPROTONEG, 's',
956 "Set the advertised protocols for the NPN extension (comma-separated list)"},
957#endif
958 {"alpn", OPT_ALPN, 's',
959 "Set the advertised protocols for the ALPN extension (comma-separated list)"},
960#ifndef OPENSSL_NO_KTLS
961 {"sendfile", OPT_SENDFILE, '-', "Use sendfile to response file with -WWW"},
962#endif
963
964 OPT_R_OPTIONS{ OPT_SECTION_STR, 1, '-', "Random state" " options:\n" }, {"rand"
, OPT_R_RAND, 's', "Load the given file(s) into the random number generator"
}, {"writerand", OPT_R_WRITERAND, '>', "Write random data to the specified file"
}
,
965 OPT_S_OPTIONS{ OPT_SECTION_STR, 1, '-', "TLS/SSL" " options:\n" }, {"no_ssl3"
, OPT_S_NOSSL3, '-',"Just disable SSLv3" }, {"no_tls1", OPT_S_NOTLS1
, '-', "Just disable TLSv1"}, {"no_tls1_1", OPT_S_NOTLS1_1, '-'
, "Just disable TLSv1.1" }, {"no_tls1_2", OPT_S_NOTLS1_2, '-'
, "Just disable TLSv1.2"}, {"no_tls1_3", OPT_S_NOTLS1_3, '-',
"Just disable TLSv1.3"}, {"bugs", OPT_S_BUGS, '-', "Turn on SSL bug compatibility"
}, {"no_comp", OPT_S_NO_COMP, '-', "Disable SSL/TLS compression (default)"
}, {"comp", OPT_S_COMP, '-', "Use SSL/TLS-level compression"
}, {"no_ticket", OPT_S_NOTICKET, '-', "Disable use of TLS session tickets"
}, {"serverpref", OPT_S_SERVERPREF, '-', "Use server's cipher preferences"
}, {"legacy_renegotiation", OPT_S_LEGACYRENEG, '-', "Enable use of legacy renegotiation (dangerous)"
}, {"client_renegotiation", OPT_S_CLIENTRENEG, '-', "Allow client-initiated renegotiation"
}, {"no_renegotiation", OPT_S_NO_RENEGOTIATION, '-', "Disable all renegotiation."
}, {"legacy_server_connect", OPT_S_LEGACYCONN, '-', "Allow initial connection to servers that don't support RI"
}, {"no_resumption_on_reneg", OPT_S_ONRESUMP, '-', "Disallow session resumption on renegotiation"
}, {"no_legacy_server_connect", OPT_S_NOLEGACYCONN, '-', "Disallow initial connection to servers that don't support RI"
}, {"allow_no_dhe_kex", OPT_S_ALLOW_NO_DHE_KEX, '-', "In TLSv1.3 allow non-(ec)dhe based key exchange on resumption"
}, {"prioritize_chacha", OPT_S_PRIORITIZE_CHACHA, '-', "Prioritize ChaCha ciphers when preferred by clients"
}, {"strict", OPT_S_STRICT, '-', "Enforce strict certificate checks as per TLS standard"
}, {"sigalgs", OPT_S_SIGALGS, 's', "Signature algorithms to support (colon-separated list)"
}, {"client_sigalgs", OPT_S_CLIENTSIGALGS, 's', "Signature algorithms to support for client certificate"
" authentication (colon-separated list)" }, {"groups", OPT_S_GROUPS
, 's', "Groups to advertise (colon-separated list)" }, {"curves"
, OPT_S_CURVES, 's', "Groups to advertise (colon-separated list)"
}, {"named_curve", OPT_S_NAMEDCURVE, 's', "Elliptic curve used for ECDHE (server-side only)"
}, {"cipher", OPT_S_CIPHER, 's', "Specify TLSv1.2 and below cipher list to be used"
}, {"ciphersuites", OPT_S_CIPHERSUITES, 's', "Specify TLSv1.3 ciphersuites to be used"
}, {"min_protocol", OPT_S_MINPROTO, 's', "Specify the minimum protocol version to be used"
}, {"max_protocol", OPT_S_MAXPROTO, 's', "Specify the maximum protocol version to be used"
}, {"record_padding", OPT_S_RECORD_PADDING, 's', "Block size to pad TLS 1.3 records to."
}, {"debug_broken_protocol", OPT_S_DEBUGBROKE, '-', "Perform all sorts of protocol violations for testing purposes"
}, {"no_middlebox", OPT_S_NO_MIDDLEBOX, '-', "Disable TLSv1.3 middlebox compat mode"
}, {"no_etm", OPT_S_NO_ETM, '-', "Disable Encrypt-then-Mac extension"
}
,
966 OPT_V_OPTIONS{ OPT_SECTION_STR, 1, '-', "Validation" " options:\n" }, { "policy"
, OPT_V_POLICY, 's', "adds policy to the acceptable policy set"
}, { "purpose", OPT_V_PURPOSE, 's', "certificate chain purpose"
}, { "verify_name", OPT_V_VERIFY_NAME, 's', "verification policy name"
}, { "verify_depth", OPT_V_VERIFY_DEPTH, 'n', "chain depth limit"
}, { "auth_level", OPT_V_VERIFY_AUTH_LEVEL, 'n', "chain authentication security level"
}, { "attime", OPT_V_ATTIME, 'M', "verification epoch time" }
, { "verify_hostname", OPT_V_VERIFY_HOSTNAME, 's', "expected peer hostname"
}, { "verify_email", OPT_V_VERIFY_EMAIL, 's', "expected peer email"
}, { "verify_ip", OPT_V_VERIFY_IP, 's', "expected peer IP address"
}, { "ignore_critical", OPT_V_IGNORE_CRITICAL, '-', "permit unhandled critical extensions"
}, { "issuer_checks", OPT_V_ISSUER_CHECKS, '-', "(deprecated)"
}, { "crl_check", OPT_V_CRL_CHECK, '-', "check leaf certificate revocation"
}, { "crl_check_all", OPT_V_CRL_CHECK_ALL, '-', "check full chain revocation"
}, { "policy_check", OPT_V_POLICY_CHECK, '-', "perform rfc5280 policy checks"
}, { "explicit_policy", OPT_V_EXPLICIT_POLICY, '-', "set policy variable require-explicit-policy"
}, { "inhibit_any", OPT_V_INHIBIT_ANY, '-', "set policy variable inhibit-any-policy"
}, { "inhibit_map", OPT_V_INHIBIT_MAP, '-', "set policy variable inhibit-policy-mapping"
}, { "x509_strict", OPT_V_X509_STRICT, '-', "disable certificate compatibility work-arounds"
}, { "extended_crl", OPT_V_EXTENDED_CRL, '-', "enable extended CRL features"
}, { "use_deltas", OPT_V_USE_DELTAS, '-', "use delta CRLs"}, {
"policy_print", OPT_V_POLICY_PRINT, '-', "print policy processing diagnostics"
}, { "check_ss_sig", OPT_V_CHECK_SS_SIG, '-', "check root CA self-signatures"
}, { "trusted_first", OPT_V_TRUSTED_FIRST, '-', "search trust store first (default)"
}, { "suiteB_128_only", OPT_V_SUITEB_128_ONLY, '-', "Suite B 128-bit-only mode"
}, { "suiteB_128", OPT_V_SUITEB_128, '-', "Suite B 128-bit mode allowing 192-bit algorithms"
}, { "suiteB_192", OPT_V_SUITEB_192, '-', "Suite B 192-bit-only mode"
}, { "partial_chain", OPT_V_PARTIAL_CHAIN, '-', "accept chains anchored by intermediate trust-store CAs"
}, { "no_alt_chains", OPT_V_NO_ALT_CHAINS, '-', "(deprecated)"
}, { "no_check_time", OPT_V_NO_CHECK_TIME, '-', "ignore certificate validity time"
}, { "allow_proxy_certs", OPT_V_ALLOW_PROXY_CERTS, '-', "allow the use of proxy certificates"
}
,
967 OPT_X_OPTIONS{ OPT_SECTION_STR, 1, '-', "Extended certificate" " options:\n"
}, { "xkey", OPT_X_KEY, '<', "key for Extended certificates"
}, { "xcert", OPT_X_CERT, '<', "cert for Extended certificates"
}, { "xchain", OPT_X_CHAIN, '<', "chain for Extended certificates"
}, { "xchain_build", OPT_X_CHAIN_BUILD, '-', "build certificate chain for the extended certificates"
}, { "xcertform", OPT_X_CERTFORM, 'F', "format of Extended certificate (PEM/DER/P12); has no effect"
}, { "xkeyform", OPT_X_KEYFORM, 'F', "format of Extended certificate's key (DER/PEM/P12); has no effect"
}
,
968 OPT_PROV_OPTIONS{ OPT_SECTION_STR, 1, '-', "Provider" " options:\n" }, { "provider-path"
, OPT_PROV_PROVIDER_PATH, 's', "Provider load path (must be before 'provider' argument if required)"
}, { "provider", OPT_PROV_PROVIDER, 's', "Provider to load (can be specified multiple times)"
}, { "propquery", OPT_PROV_PROPQUERY, 's', "Property query used when fetching algorithms"
}
,
969 {NULL((void*)0)}
970};
971
972#define IS_PROT_FLAG(o)(o == OPT_SSL3 || o == OPT_TLS1 || o == OPT_TLS1_1 || o == OPT_TLS1_2
|| o == OPT_TLS1_3 || o == OPT_DTLS || o == OPT_DTLS1 || o ==
OPT_DTLS1_2)
\
973 (o == OPT_SSL3 || o == OPT_TLS1 || o == OPT_TLS1_1 || o == OPT_TLS1_2 \
974 || o == OPT_TLS1_3 || o == OPT_DTLS || o == OPT_DTLS1 || o == OPT_DTLS1_2)
975
976int s_server_main(int argc, char *argv[])
977{
978 ENGINE *engine = NULL((void*)0);
979 EVP_PKEY *s_key = NULL((void*)0), *s_dkey = NULL((void*)0);
980 SSL_CONF_CTX *cctx = NULL((void*)0);
981 const SSL_METHOD *meth = TLS_server_method();
982 SSL_EXCERT *exc = NULL((void*)0);
983 STACK_OF(OPENSSL_STRING)struct stack_st_OPENSSL_STRING *ssl_args = NULL((void*)0);
984 STACK_OF(X509)struct stack_st_X509 *s_chain = NULL((void*)0), *s_dchain = NULL((void*)0);
985 STACK_OF(X509_CRL)struct stack_st_X509_CRL *crls = NULL((void*)0);
986 X509 *s_cert = NULL((void*)0), *s_dcert = NULL((void*)0);
987 X509_VERIFY_PARAM *vpm = NULL((void*)0);
988 const char *CApath = NULL((void*)0), *CAfile = NULL((void*)0), *CAstore = NULL((void*)0);
989 const char *chCApath = NULL((void*)0), *chCAfile = NULL((void*)0), *chCAstore = NULL((void*)0);
990 char *dpassarg = NULL((void*)0), *dpass = NULL((void*)0);
991 char *passarg = NULL((void*)0), *pass = NULL((void*)0);
992 char *vfyCApath = NULL((void*)0), *vfyCAfile = NULL((void*)0), *vfyCAstore = NULL((void*)0);
993 char *crl_file = NULL((void*)0), *prog;
994#ifdef AF_UNIX1
995 int unlink_unix_path = 0;
996#endif
997 do_server_cb server_cb;
998 int vpmtouched = 0, build_chain = 0, no_cache = 0, ext_cache = 0;
999 char *dhfile = NULL((void*)0);
1000 int no_dhe = 0;
1001 int nocert = 0, ret = 1;
1002 int noCApath = 0, noCAfile = 0, noCAstore = 0;
1003 int s_cert_format = FORMAT_UNDEF0, s_key_format = FORMAT_UNDEF0;
1004 int s_dcert_format = FORMAT_UNDEF0, s_dkey_format = FORMAT_UNDEF0;
1005 int rev = 0, naccept = -1, sdebug = 0;
1006 int socket_family = AF_UNSPEC0, socket_type = SOCK_STREAMSOCK_STREAM, protocol = 0;
1007 int state = 0, crl_format = FORMAT_UNDEF0, crl_download = 0;
1008 char *host = NULL((void*)0);
1009 char *port = NULL((void*)0);
1010 unsigned char *context = NULL((void*)0);
1011 OPTION_CHOICE o;
1012 EVP_PKEY *s_key2 = NULL((void*)0);
1013 X509 *s_cert2 = NULL((void*)0);
1014 tlsextctx tlsextcbp = { NULL((void*)0), NULL((void*)0), SSL_TLSEXT_ERR_ALERT_WARNING1 };
1015 const char *ssl_config = NULL((void*)0);
1016 int read_buf_len = 0;
1017#ifndef OPENSSL_NO_NEXTPROTONEG
1018 const char *next_proto_neg_in = NULL((void*)0);
1019 tlsextnextprotoctx next_proto = { NULL((void*)0), 0 };
1020#endif
1021 const char *alpn_in = NULL((void*)0);
1022 tlsextalpnctx alpn_ctx = { NULL((void*)0), 0 };
1023#ifndef OPENSSL_NO_PSK
1024 /* by default do not send a PSK identity hint */
1025 char *psk_identity_hint = NULL((void*)0);
1026#endif
1027 char *p;
1028#ifndef OPENSSL_NO_SRP
1029 char *srpuserseed = NULL((void*)0);
1030 char *srp_verifier_file = NULL((void*)0);
1031#endif
1032#ifndef OPENSSL_NO_SRTP
1033 char *srtp_profiles = NULL((void*)0);
1034#endif
1035 int min_version = 0, max_version = 0, prot_opt = 0, no_prot_opt = 0;
1036 int s_server_verify = SSL_VERIFY_NONE0x00;
1037 int s_server_session_id_context = 1; /* anything will do */
1038 const char *s_cert_file = TEST_CERT"server.pem", *s_key_file = NULL((void*)0), *s_chain_file = NULL((void*)0);
1039 const char *s_cert_file2 = TEST_CERT2"server2.pem", *s_key_file2 = NULL((void*)0);
1040 char *s_dcert_file = NULL((void*)0), *s_dkey_file = NULL((void*)0), *s_dchain_file = NULL((void*)0);
1041#ifndef OPENSSL_NO_OCSP
1042 int s_tlsextstatus = 0;
1043#endif
1044 int no_resume_ephemeral = 0;
1045 unsigned int max_send_fragment = 0;
1046 unsigned int split_send_fragment = 0, max_pipelines = 0;
1047 const char *s_serverinfo_file = NULL((void*)0);
1048 const char *keylog_file = NULL((void*)0);
1049 int max_early_data = -1, recv_max_early_data = -1;
1050 char *psksessf = NULL((void*)0);
1051 int no_ca_names = 0;
1052#ifndef OPENSSL_NO_SCTP
1053 int sctp_label_bug = 0;
1054#endif
1055 int ignore_unexpected_eof = 0;
1056
1057 /* Init of few remaining global variables */
1058 local_argc = argc;
1059 local_argv = argv;
1060
1061 ctx = ctx2 = NULL((void*)0);
1062 s_nbio = s_nbio_test = 0;
1063 www = 0;
1064 bio_s_out = NULL((void*)0);
1065 s_debug = 0;
1066 s_msg = 0;
1067 s_quiet = 0;
1068 s_brief = 0;
1069 async = 0;
1070 use_sendfile = 0;
1071
1072 port = OPENSSL_strdup(PORT)CRYPTO_strdup("4433", "../deps/openssl/openssl/apps/s_server.c"
, 1072)
;
1073 cctx = SSL_CONF_CTX_new();
1074 vpm = X509_VERIFY_PARAM_new();
1075 if (port == NULL((void*)0) || cctx == NULL((void*)0) || vpm == NULL((void*)0))
1076 goto end;
1077 SSL_CONF_CTX_set_flags(cctx,
1078 SSL_CONF_FLAG_SERVER0x8 | SSL_CONF_FLAG_CMDLINE0x1);
1079
1080 prog = opt_init(argc, argv, s_server_options);
1081 while ((o = opt_next()) != OPT_EOF) {
1082 if (IS_PROT_FLAG(o)(o == OPT_SSL3 || o == OPT_TLS1 || o == OPT_TLS1_1 || o == OPT_TLS1_2
|| o == OPT_TLS1_3 || o == OPT_DTLS || o == OPT_DTLS1 || o ==
OPT_DTLS1_2)
&& ++prot_opt > 1) {
1083 BIO_printf(bio_err, "Cannot supply multiple protocol flags\n");
1084 goto end;
1085 }
1086 if (IS_NO_PROT_FLAG(o)(o == OPT_S_NOSSL3 || o == OPT_S_NOTLS1 || o == OPT_S_NOTLS1_1
|| o == OPT_S_NOTLS1_2 || o == OPT_S_NOTLS1_3)
)
1087 no_prot_opt++;
1088 if (prot_opt == 1 && no_prot_opt) {
1089 BIO_printf(bio_err,
1090 "Cannot supply both a protocol flag and '-no_<prot>'\n");
1091 goto end;
1092 }
1093 switch (o) {
1094 case OPT_EOF:
1095 case OPT_ERR:
1096 opthelp:
1097 BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
1098 goto end;
1099 case OPT_HELP:
1100 opt_help(s_server_options);
1101 ret = 0;
1102 goto end;
1103
1104 case OPT_4:
1105#ifdef AF_UNIX1
1106 if (socket_family == AF_UNIX1) {
1107 OPENSSL_free(host)CRYPTO_free(host, "../deps/openssl/openssl/apps/s_server.c", 1107
)
; host = NULL((void*)0);
1108 OPENSSL_free(port)CRYPTO_free(port, "../deps/openssl/openssl/apps/s_server.c", 1108
)
; port = NULL((void*)0);
1109 }
1110#endif
1111 socket_family = AF_INET2;
1112 break;
1113 case OPT_6:
1114 if (1) {
1115#ifdef AF_INET610
1116#ifdef AF_UNIX1
1117 if (socket_family == AF_UNIX1) {
1118 OPENSSL_free(host)CRYPTO_free(host, "../deps/openssl/openssl/apps/s_server.c", 1118
)
; host = NULL((void*)0);
1119 OPENSSL_free(port)CRYPTO_free(port, "../deps/openssl/openssl/apps/s_server.c", 1119
)
; port = NULL((void*)0);
1120 }
1121#endif
1122 socket_family = AF_INET610;
1123 } else {
1124#endif
1125 BIO_printf(bio_err, "%s: IPv6 domain sockets unsupported\n", prog);
1126 goto end;
1127 }
1128 break;
1129 case OPT_PORT:
1130#ifdef AF_UNIX1
1131 if (socket_family == AF_UNIX1) {
1132 socket_family = AF_UNSPEC0;
1133 }
1134#endif
1135 OPENSSL_free(port)CRYPTO_free(port, "../deps/openssl/openssl/apps/s_server.c", 1135
)
; port = NULL((void*)0);
1136 OPENSSL_free(host)CRYPTO_free(host, "../deps/openssl/openssl/apps/s_server.c", 1136
)
; host = NULL((void*)0);
1137 if (BIO_parse_hostserv(opt_arg(), NULL((void*)0), &port, BIO_PARSE_PRIO_SERV) < 1) {
1138 BIO_printf(bio_err,
1139 "%s: -port argument malformed or ambiguous\n",
1140 port);
1141 goto end;
1142 }
1143 break;
1144 case OPT_ACCEPT:
1145#ifdef AF_UNIX1
1146 if (socket_family == AF_UNIX1) {
1147 socket_family = AF_UNSPEC0;
1148 }
1149#endif
1150 OPENSSL_free(port)CRYPTO_free(port, "../deps/openssl/openssl/apps/s_server.c", 1150
)
; port = NULL((void*)0);
1151 OPENSSL_free(host)CRYPTO_free(host, "../deps/openssl/openssl/apps/s_server.c", 1151
)
; host = NULL((void*)0);
1152 if (BIO_parse_hostserv(opt_arg(), &host, &port, BIO_PARSE_PRIO_SERV) < 1) {
1153 BIO_printf(bio_err,
1154 "%s: -accept argument malformed or ambiguous\n",
1155 port);
1156 goto end;
1157 }
1158 break;
1159#ifdef AF_UNIX1
1160 case OPT_UNIX:
1161 socket_family = AF_UNIX1;
1162 OPENSSL_free(host)CRYPTO_free(host, "../deps/openssl/openssl/apps/s_server.c", 1162
)
; host = OPENSSL_strdup(opt_arg())CRYPTO_strdup(opt_arg(), "../deps/openssl/openssl/apps/s_server.c"
, 1162)
;
1163 if (host == NULL((void*)0))
1164 goto end;
1165 OPENSSL_free(port)CRYPTO_free(port, "../deps/openssl/openssl/apps/s_server.c", 1165
)
; port = NULL((void*)0);
1166 break;
1167 case OPT_UNLINK:
1168 unlink_unix_path = 1;
1169 break;
1170#endif
1171 case OPT_NACCEPT:
1172 naccept = atol(opt_arg());
1173 break;
1174 case OPT_VERIFY:
1175 s_server_verify = SSL_VERIFY_PEER0x01 | SSL_VERIFY_CLIENT_ONCE0x04;
1176 verify_args.depth = atoi(opt_arg());
1177 if (!s_quiet)
1178 BIO_printf(bio_err, "verify depth is %d\n", verify_args.depth);
1179 break;
1180 case OPT_UPPER_V_VERIFY:
1181 s_server_verify =
1182 SSL_VERIFY_PEER0x01 | SSL_VERIFY_FAIL_IF_NO_PEER_CERT0x02 |
1183 SSL_VERIFY_CLIENT_ONCE0x04;
1184 verify_args.depth = atoi(opt_arg());
1185 if (!s_quiet)
1186 BIO_printf(bio_err,
1187 "verify depth is %d, must return a certificate\n",
1188 verify_args.depth);
1189 break;
1190 case OPT_CONTEXT:
1191 context = (unsigned char *)opt_arg();
1192 break;
1193 case OPT_CERT:
1194 s_cert_file = opt_arg();
1195 break;
1196 case OPT_NAMEOPT:
1197 if (!set_nameopt(opt_arg()))
1198 goto end;
1199 break;
1200 case OPT_CRL:
1201 crl_file = opt_arg();
1202 break;
1203 case OPT_CRL_DOWNLOAD:
1204 crl_download = 1;
1205 break;
1206 case OPT_SERVERINFO:
1207 s_serverinfo_file = opt_arg();
1208 break;
1209 case OPT_CERTFORM:
1210 if (!opt_format(opt_arg(), OPT_FMT_ANY( (1L << 1) | (1L << 2) | (1L << 3) | (1L <<
4) | (1L << 5) | (1L << 7) | (1L << 8) | (
1L << 9) | (1L << 10))
, &s_cert_format))
1211 goto opthelp;
1212 break;
1213 case OPT_KEY:
1214 s_key_file = opt_arg();
1215 break;
1216 case OPT_KEYFORM:
1217 if (!opt_format(opt_arg(), OPT_FMT_ANY( (1L << 1) | (1L << 2) | (1L << 3) | (1L <<
4) | (1L << 5) | (1L << 7) | (1L << 8) | (
1L << 9) | (1L << 10))
, &s_key_format))
1218 goto opthelp;
1219 break;
1220 case OPT_PASS:
1221 passarg = opt_arg();
1222 break;
1223 case OPT_CERT_CHAIN:
1224 s_chain_file = opt_arg();
1225 break;
1226 case OPT_DHPARAM:
1227 dhfile = opt_arg();
1228 break;
1229 case OPT_DCERTFORM:
1230 if (!opt_format(opt_arg(), OPT_FMT_ANY( (1L << 1) | (1L << 2) | (1L << 3) | (1L <<
4) | (1L << 5) | (1L << 7) | (1L << 8) | (
1L << 9) | (1L << 10))
, &s_dcert_format))
1231 goto opthelp;
1232 break;
1233 case OPT_DCERT:
1234 s_dcert_file = opt_arg();
1235 break;
1236 case OPT_DKEYFORM:
1237 if (!opt_format(opt_arg(), OPT_FMT_ANY( (1L << 1) | (1L << 2) | (1L << 3) | (1L <<
4) | (1L << 5) | (1L << 7) | (1L << 8) | (
1L << 9) | (1L << 10))
, &s_dkey_format))
1238 goto opthelp;
1239 break;
1240 case OPT_DPASS:
1241 dpassarg = opt_arg();
1242 break;
1243 case OPT_DKEY:
1244 s_dkey_file = opt_arg();
1245 break;
1246 case OPT_DCERT_CHAIN:
1247 s_dchain_file = opt_arg();
1248 break;
1249 case OPT_NOCERT:
1250 nocert = 1;
1251 break;
1252 case OPT_CAPATH:
1253 CApath = opt_arg();
1254 break;
1255 case OPT_NOCAPATH:
1256 noCApath = 1;
1257 break;
1258 case OPT_CHAINCAPATH:
1259 chCApath = opt_arg();
1260 break;
1261 case OPT_VERIFYCAPATH:
1262 vfyCApath = opt_arg();
1263 break;
1264 case OPT_CASTORE:
1265 CAstore = opt_arg();
1266 break;
1267 case OPT_NOCASTORE:
1268 noCAstore = 1;
1269 break;
1270 case OPT_CHAINCASTORE:
1271 chCAstore = opt_arg();
1272 break;
1273 case OPT_VERIFYCASTORE:
1274 vfyCAstore = opt_arg();
1275 break;
1276 case OPT_NO_CACHE:
1277 no_cache = 1;
1278 break;
1279 case OPT_EXT_CACHE:
1280 ext_cache = 1;
1281 break;
1282 case OPT_CRLFORM:
1283 if (!opt_format(opt_arg(), OPT_FMT_PEMDER(1L << 1), &crl_format))
1284 goto opthelp;
1285 break;
1286 case OPT_S_CASESOPT_S__FIRST: case OPT_S__LAST: break; case OPT_S_NOSSL3: case
OPT_S_NOTLS1: case OPT_S_NOTLS1_1: case OPT_S_NOTLS1_2: case
OPT_S_NOTLS1_3: case OPT_S_BUGS: case OPT_S_NO_COMP: case OPT_S_COMP
: case OPT_S_NOTICKET: case OPT_S_SERVERPREF: case OPT_S_LEGACYRENEG
: case OPT_S_CLIENTRENEG: case OPT_S_LEGACYCONN: case OPT_S_ONRESUMP
: case OPT_S_NOLEGACYCONN: case OPT_S_ALLOW_NO_DHE_KEX: case OPT_S_PRIORITIZE_CHACHA
: case OPT_S_STRICT: case OPT_S_SIGALGS: case OPT_S_CLIENTSIGALGS
: case OPT_S_GROUPS: case OPT_S_CURVES: case OPT_S_NAMEDCURVE
: case OPT_S_CIPHER: case OPT_S_CIPHERSUITES: case OPT_S_RECORD_PADDING
: case OPT_S_NO_RENEGOTIATION: case OPT_S_MINPROTO: case OPT_S_MAXPROTO
: case OPT_S_DEBUGBROKE: case OPT_S_NO_MIDDLEBOX: case OPT_S_NO_ETM
:
1287 case OPT_S_NUM_TICKETS:
1288 case OPT_ANTI_REPLAY:
1289 case OPT_NO_ANTI_REPLAY:
1290 if (ssl_args == NULL((void*)0))
1291 ssl_args = sk_OPENSSL_STRING_new_null()((struct stack_st_OPENSSL_STRING *)OPENSSL_sk_new_null());
1292 if (ssl_args == NULL((void*)0)
1293 || !sk_OPENSSL_STRING_push(ssl_args, opt_flag())OPENSSL_sk_push(ossl_check_OPENSSL_STRING_sk_type(ssl_args), ossl_check_OPENSSL_STRING_type
(opt_flag()))
1294 || !sk_OPENSSL_STRING_push(ssl_args, opt_arg())OPENSSL_sk_push(ossl_check_OPENSSL_STRING_sk_type(ssl_args), ossl_check_OPENSSL_STRING_type
(opt_arg()))
) {
1295 BIO_printf(bio_err, "%s: Memory allocation failure\n", prog);
1296 goto end;
1297 }
1298 break;
1299 case OPT_V_CASESOPT_V__FIRST: case OPT_V__LAST: break; case OPT_V_POLICY: case
OPT_V_PURPOSE: case OPT_V_VERIFY_NAME: case OPT_V_VERIFY_DEPTH
: case OPT_V_VERIFY_AUTH_LEVEL: case OPT_V_ATTIME: case OPT_V_VERIFY_HOSTNAME
: case OPT_V_VERIFY_EMAIL: case OPT_V_VERIFY_IP: case OPT_V_IGNORE_CRITICAL
: case OPT_V_ISSUER_CHECKS: case OPT_V_CRL_CHECK: case OPT_V_CRL_CHECK_ALL
: case OPT_V_POLICY_CHECK: case OPT_V_EXPLICIT_POLICY: case OPT_V_INHIBIT_ANY
: case OPT_V_INHIBIT_MAP: case OPT_V_X509_STRICT: case OPT_V_EXTENDED_CRL
: case OPT_V_USE_DELTAS: case OPT_V_POLICY_PRINT: case OPT_V_CHECK_SS_SIG
: case OPT_V_TRUSTED_FIRST: case OPT_V_SUITEB_128_ONLY: case OPT_V_SUITEB_128
: case OPT_V_SUITEB_192: case OPT_V_PARTIAL_CHAIN: case OPT_V_NO_ALT_CHAINS
: case OPT_V_NO_CHECK_TIME: case OPT_V_ALLOW_PROXY_CERTS
:
1300 if (!opt_verify(o, vpm))
1301 goto end;
1302 vpmtouched++;
1303 break;
1304 case OPT_X_CASESOPT_X__FIRST: case OPT_X__LAST: break; case OPT_X_KEY: case OPT_X_CERT
: case OPT_X_CHAIN: case OPT_X_CHAIN_BUILD: case OPT_X_CERTFORM
: case OPT_X_KEYFORM
:
1305 if (!args_excert(o, &exc))
1306 goto end;
1307 break;
1308 case OPT_VERIFY_RET_ERROR:
1309 verify_args.return_error = 1;
1310 break;
1311 case OPT_VERIFY_QUIET:
1312 verify_args.quiet = 1;
1313 break;
1314 case OPT_BUILD_CHAIN:
1315 build_chain = 1;
1316 break;
1317 case OPT_CAFILE:
1318 CAfile = opt_arg();
1319 break;
1320 case OPT_NOCAFILE:
1321 noCAfile = 1;
1322 break;
1323 case OPT_CHAINCAFILE:
1324 chCAfile = opt_arg();
1325 break;
1326 case OPT_VERIFYCAFILE:
1327 vfyCAfile = opt_arg();
1328 break;
1329 case OPT_NBIO:
1330 s_nbio = 1;
1331 break;
1332 case OPT_NBIO_TEST:
1333 s_nbio = s_nbio_test = 1;
1334 break;
1335 case OPT_IGN_EOF:
1336 s_ign_eof = 1;
1337 break;
1338 case OPT_NO_IGN_EOF:
1339 s_ign_eof = 0;
1340 break;
1341 case OPT_DEBUG:
1342 s_debug = 1;
1343 break;
1344 case OPT_TLSEXTDEBUG:
1345 s_tlsextdebug = 1;
1346 break;
1347 case OPT_STATUS:
1348#ifndef OPENSSL_NO_OCSP
1349 s_tlsextstatus = 1;
1350#endif
1351 break;
1352 case OPT_STATUS_VERBOSE:
1353#ifndef OPENSSL_NO_OCSP
1354 s_tlsextstatus = tlscstatp.verbose = 1;
1355#endif
1356 break;
1357 case OPT_STATUS_TIMEOUT:
1358#ifndef OPENSSL_NO_OCSP
1359 s_tlsextstatus = 1;
1360 tlscstatp.timeout = atoi(opt_arg());
1361#endif
1362 break;
1363 case OPT_PROXY:
1364#ifndef OPENSSL_NO_OCSP
1365 tlscstatp.proxy = opt_arg();
1366#endif
1367 break;
1368 case OPT_NO_PROXY:
1369#ifndef OPENSSL_NO_OCSP
1370 tlscstatp.no_proxy = opt_arg();
1371#endif
1372 break;
1373 case OPT_STATUS_URL:
1374#ifndef OPENSSL_NO_OCSP
1375 s_tlsextstatus = 1;
1376 if (!OSSL_HTTP_parse_url(opt_arg(), &tlscstatp.use_ssl, NULL((void*)0),
1377 &tlscstatp.host, &tlscstatp.port, NULL((void*)0),
1378 &tlscstatp.path, NULL((void*)0), NULL((void*)0))) {
1379 BIO_printf(bio_err, "Error parsing -status_url argument\n");
1380 goto end;
1381 }
1382#endif
1383 break;
1384 case OPT_STATUS_FILE:
1385#ifndef OPENSSL_NO_OCSP
1386 s_tlsextstatus = 1;
1387 tlscstatp.respin = opt_arg();
1388#endif
1389 break;
1390 case OPT_MSG:
1391 s_msg = 1;
1392 break;
1393 case OPT_MSGFILE:
1394 bio_s_msg = BIO_new_file(opt_arg(), "w");
1395 if (bio_s_msg == NULL((void*)0)) {
1396 BIO_printf(bio_err, "Error writing file %s\n", opt_arg());
1397 goto end;
1398 }
1399 break;
1400 case OPT_TRACE:
1401#ifndef OPENSSL_NO_SSL_TRACE
1402 s_msg = 2;
1403#endif
1404 break;
1405 case OPT_SECURITY_DEBUG:
1406 sdebug = 1;
1407 break;
1408 case OPT_SECURITY_DEBUG_VERBOSE:
1409 sdebug = 2;
1410 break;
1411 case OPT_STATE:
1412 state = 1;
1413 break;
1414 case OPT_CRLF:
1415 s_crlf = 1;
1416 break;
1417 case OPT_QUIET:
1418 s_quiet = 1;
1419 break;
1420 case OPT_BRIEF:
1421 s_quiet = s_brief = verify_args.quiet = 1;
1422 break;
1423 case OPT_NO_DHE:
1424 no_dhe = 1;
1425 break;
1426 case OPT_NO_RESUME_EPHEMERAL:
1427 no_resume_ephemeral = 1;
1428 break;
1429 case OPT_PSK_IDENTITY:
1430 psk_identity = opt_arg();
1431 break;
1432 case OPT_PSK_HINT:
1433#ifndef OPENSSL_NO_PSK
1434 psk_identity_hint = opt_arg();
1435#endif
1436 break;
1437 case OPT_PSK:
1438 for (p = psk_key = opt_arg(); *p; p++) {
1439 if (isxdigit(_UC(*p))((*__ctype_b_loc ())[(int) ((((unsigned char)(*p))))] & (
unsigned short int) _ISxdigit)
)
1440 continue;
1441 BIO_printf(bio_err, "Not a hex number '%s'\n", psk_key);
1442 goto end;
1443 }
1444 break;
1445 case OPT_PSK_SESS:
1446 psksessf = opt_arg();
1447 break;
1448 case OPT_SRPVFILE:
1449#ifndef OPENSSL_NO_SRP
1450 srp_verifier_file = opt_arg();
1451 if (min_version < TLS1_VERSION0x0301)
1452 min_version = TLS1_VERSION0x0301;
1453#endif
1454 break;
1455 case OPT_SRPUSERSEED:
1456#ifndef OPENSSL_NO_SRP
1457 srpuserseed = opt_arg();
1458 if (min_version < TLS1_VERSION0x0301)
1459 min_version = TLS1_VERSION0x0301;
1460#endif
1461 break;
1462 case OPT_REV:
1463 rev = 1;
1464 break;
1465 case OPT_WWW:
1466 www = 1;
1467 break;
1468 case OPT_UPPER_WWW:
1469 www = 2;
1470 break;
1471 case OPT_HTTP:
1472 www = 3;
1473 break;
1474 case OPT_SSL_CONFIG:
1475 ssl_config = opt_arg();
1476 break;
1477 case OPT_SSL3:
1478 min_version = SSL3_VERSION0x0300;
1479 max_version = SSL3_VERSION0x0300;
1480 break;
1481 case OPT_TLS1_3:
1482 min_version = TLS1_3_VERSION0x0304;
1483 max_version = TLS1_3_VERSION0x0304;
1484 break;
1485 case OPT_TLS1_2:
1486 min_version = TLS1_2_VERSION0x0303;
1487 max_version = TLS1_2_VERSION0x0303;
1488 break;
1489 case OPT_TLS1_1:
1490 min_version = TLS1_1_VERSION0x0302;
1491 max_version = TLS1_1_VERSION0x0302;
1492 break;
1493 case OPT_TLS1:
1494 min_version = TLS1_VERSION0x0301;
1495 max_version = TLS1_VERSION0x0301;
1496 break;
1497 case OPT_DTLS:
1498#ifndef OPENSSL_NO_DTLS
1499 meth = DTLS_server_method();
1500 socket_type = SOCK_DGRAMSOCK_DGRAM;
1501#endif
1502 break;
1503 case OPT_DTLS1:
1504#ifndef OPENSSL_NO_DTLS
1505 meth = DTLS_server_method();
1506 min_version = DTLS1_VERSION0xFEFF;
1507 max_version = DTLS1_VERSION0xFEFF;
1508 socket_type = SOCK_DGRAMSOCK_DGRAM;
1509#endif
1510 break;
1511 case OPT_DTLS1_2:
1512#ifndef OPENSSL_NO_DTLS
1513 meth = DTLS_server_method();
1514 min_version = DTLS1_2_VERSION0xFEFD;
1515 max_version = DTLS1_2_VERSION0xFEFD;
1516 socket_type = SOCK_DGRAMSOCK_DGRAM;
1517#endif
1518 break;
1519 case OPT_SCTP:
1520#ifndef OPENSSL_NO_SCTP
1521 protocol = IPPROTO_SCTPIPPROTO_SCTP;
1522#endif
1523 break;
1524 case OPT_SCTP_LABEL_BUG:
1525#ifndef OPENSSL_NO_SCTP
1526 sctp_label_bug = 1;
1527#endif
1528 break;
1529 case OPT_TIMEOUT:
1530#ifndef OPENSSL_NO_DTLS
1531 enable_timeouts = 1;
1532#endif
1533 break;
1534 case OPT_MTU:
1535#ifndef OPENSSL_NO_DTLS
1536 socket_mtu = atol(opt_arg());
1537#endif
1538 break;
1539 case OPT_LISTEN:
1540#ifndef OPENSSL_NO_DTLS
1541 dtlslisten = 1;
1542#endif
1543 break;
1544 case OPT_STATELESS:
1545 stateless = 1;
1546 break;
1547 case OPT_ID_PREFIX:
1548 session_id_prefix = opt_arg();
1549 break;
1550 case OPT_ENGINE:
1551#ifndef OPENSSL_NO_ENGINE
1552 engine = setup_engine(opt_arg(), s_debug)setup_engine_methods(opt_arg(), (unsigned int)-1, s_debug);
1553#endif
1554 break;
1555 case OPT_R_CASESOPT_R__FIRST: case OPT_R__LAST: break; case OPT_R_RAND: case OPT_R_WRITERAND:
1556 if (!opt_rand(o))
1557 goto end;
1558 break;
1559 case OPT_PROV_CASESOPT_PROV__FIRST: case OPT_PROV__LAST: break; case OPT_PROV_PROVIDER
: case OPT_PROV_PROVIDER_PATH: case OPT_PROV_PROPQUERY
:
1560 if (!opt_provider(o))
1561 goto end;
1562 break;
1563 case OPT_SERVERNAME:
1564 tlsextcbp.servername = opt_arg();
1565 break;
1566 case OPT_SERVERNAME_FATAL:
1567 tlsextcbp.extension_error = SSL_TLSEXT_ERR_ALERT_FATAL2;
1568 break;
1569 case OPT_CERT2:
1570 s_cert_file2 = opt_arg();
1571 break;
1572 case OPT_KEY2:
1573 s_key_file2 = opt_arg();
1574 break;
1575 case OPT_NEXTPROTONEG:
1576# ifndef OPENSSL_NO_NEXTPROTONEG
1577 next_proto_neg_in = opt_arg();
1578#endif
1579 break;
1580 case OPT_ALPN:
1581 alpn_in = opt_arg();
1582 break;
1583 case OPT_SRTP_PROFILES:
1584#ifndef OPENSSL_NO_SRTP
1585 srtp_profiles = opt_arg();
1586#endif
1587 break;
1588 case OPT_KEYMATEXPORT:
1589 keymatexportlabel = opt_arg();
1590 break;
1591 case OPT_KEYMATEXPORTLEN:
1592 keymatexportlen = atoi(opt_arg());
1593 break;
1594 case OPT_ASYNC:
1595 async = 1;
1596 break;
1597 case OPT_MAX_SEND_FRAG:
1598 max_send_fragment = atoi(opt_arg());
1599 break;
1600 case OPT_SPLIT_SEND_FRAG:
1601 split_send_fragment = atoi(opt_arg());
1602 break;
1603 case OPT_MAX_PIPELINES:
1604 max_pipelines = atoi(opt_arg());
1605 break;
1606 case OPT_READ_BUF:
1607 read_buf_len = atoi(opt_arg());
1608 break;
1609 case OPT_KEYLOG_FILE:
1610 keylog_file = opt_arg();
1611 break;
1612 case OPT_MAX_EARLY:
1613 max_early_data = atoi(opt_arg());
1614 if (max_early_data < 0) {
1615 BIO_printf(bio_err, "Invalid value for max_early_data\n");
1616 goto end;
1617 }
1618 break;
1619 case OPT_RECV_MAX_EARLY:
1620 recv_max_early_data = atoi(opt_arg());
1621 if (recv_max_early_data < 0) {
1622 BIO_printf(bio_err, "Invalid value for recv_max_early_data\n");
1623 goto end;
1624 }
1625 break;
1626 case OPT_EARLY_DATA:
1627 early_data = 1;
1628 if (max_early_data == -1)
1629 max_early_data = SSL3_RT_MAX_PLAIN_LENGTH16384;
1630 break;
1631 case OPT_HTTP_SERVER_BINMODE:
1632 http_server_binmode = 1;
1633 break;
1634 case OPT_NOCANAMES:
1635 no_ca_names = 1;
1636 break;
1637 case OPT_SENDFILE:
1638#ifndef OPENSSL_NO_KTLS
1639 use_sendfile = 1;
1640#endif
1641 break;
1642 case OPT_IGNORE_UNEXPECTED_EOF:
1643 ignore_unexpected_eof = 1;
1644 break;
1645 }
1646 }
1647
1648 /* No extra arguments. */
1649 argc = opt_num_rest();
1650 if (argc != 0)
1651 goto opthelp;
1652
1653 if (!app_RAND_load())
1654 goto end;
1655
1656#ifndef OPENSSL_NO_NEXTPROTONEG
1657 if (min_version == TLS1_3_VERSION0x0304 && next_proto_neg_in != NULL((void*)0)) {
1658 BIO_printf(bio_err, "Cannot supply -nextprotoneg with TLSv1.3\n");
1659 goto opthelp;
1660 }
1661#endif
1662#ifndef OPENSSL_NO_DTLS
1663 if (www && socket_type == SOCK_DGRAMSOCK_DGRAM) {
1664 BIO_printf(bio_err, "Can't use -HTTP, -www or -WWW with DTLS\n");
1665 goto end;
1666 }
1667
1668 if (dtlslisten && socket_type != SOCK_DGRAMSOCK_DGRAM) {
1669 BIO_printf(bio_err, "Can only use -listen with DTLS\n");
1670 goto end;
1671 }
1672#endif
1673
1674 if (stateless && socket_type != SOCK_STREAMSOCK_STREAM) {
1675 BIO_printf(bio_err, "Can only use --stateless with TLS\n");
1676 goto end;
1677 }
1678
1679#ifdef AF_UNIX1
1680 if (socket_family == AF_UNIX1 && socket_type != SOCK_STREAMSOCK_STREAM) {
1681 BIO_printf(bio_err,
1682 "Can't use unix sockets and datagrams together\n");
1683 goto end;
1684 }
1685#endif
1686 if (early_data && (www > 0 || rev)) {
1687 BIO_printf(bio_err,
1688 "Can't use -early_data in combination with -www, -WWW, -HTTP, or -rev\n");
1689 goto end;
1690 }
1691
1692#ifndef OPENSSL_NO_SCTP
1693 if (protocol == IPPROTO_SCTPIPPROTO_SCTP) {
1694 if (socket_type != SOCK_DGRAMSOCK_DGRAM) {
1695 BIO_printf(bio_err, "Can't use -sctp without DTLS\n");
1696 goto end;
1697 }
1698 /* SCTP is unusual. It uses DTLS over a SOCK_STREAM protocol */
1699 socket_type = SOCK_STREAMSOCK_STREAM;
1700 }
1701#endif
1702
1703#ifndef OPENSSL_NO_KTLS
1704 if (use_sendfile && www <= 1) {
1705 BIO_printf(bio_err, "Can't use -sendfile without -WWW or -HTTP\n");
1706 goto end;
1707 }
1708#endif
1709
1710 if (!app_passwd(passarg, dpassarg, &pass, &dpass)) {
1711 BIO_printf(bio_err, "Error getting password\n");
1712 goto end;
1713 }
1714
1715 if (s_key_file == NULL((void*)0))
1716 s_key_file = s_cert_file;
1717
1718 if (s_key_file2 == NULL((void*)0))
1719 s_key_file2 = s_cert_file2;
1720
1721 if (!load_excert(&exc))
1722 goto end;
1723
1724 if (nocert == 0) {
1725 s_key = load_key(s_key_file, s_key_format, 0, pass, engine,
1726 "server certificate private key");
1727 if (s_key == NULL((void*)0))
1728 goto end;
1729
1730 s_cert = load_cert_pass(s_cert_file, s_cert_format, 1, pass,
1731 "server certificate");
1732
1733 if (s_cert == NULL((void*)0))
1734 goto end;
1735 if (s_chain_file != NULL((void*)0)) {
1736 if (!load_certs(s_chain_file, 0, &s_chain, NULL((void*)0),
1737 "server certificate chain"))
1738 goto end;
1739 }
1740
1741 if (tlsextcbp.servername != NULL((void*)0)) {
1742 s_key2 = load_key(s_key_file2, s_key_format, 0, pass, engine,
1743 "second server certificate private key");
1744 if (s_key2 == NULL((void*)0))
1745 goto end;
1746
1747 s_cert2 = load_cert_pass(s_cert_file2, s_cert_format, 1, pass,
1748 "second server certificate");
1749
1750 if (s_cert2 == NULL((void*)0))
1751 goto end;
1752 }
1753 }
1754#if !defined(OPENSSL_NO_NEXTPROTONEG)
1755 if (next_proto_neg_in) {
1756 next_proto.data = next_protos_parse(&next_proto.len, next_proto_neg_in);
1757 if (next_proto.data == NULL((void*)0))
1758 goto end;
1759 }
1760#endif
1761 alpn_ctx.data = NULL((void*)0);
1762 if (alpn_in) {
1763 alpn_ctx.data = next_protos_parse(&alpn_ctx.len, alpn_in);
1764 if (alpn_ctx.data == NULL((void*)0))
1765 goto end;
1766 }
1767
1768 if (crl_file != NULL((void*)0)) {
1769 X509_CRL *crl;
1770 crl = load_crl(crl_file, crl_format, 0, "CRL");
1771 if (crl == NULL((void*)0))
1772 goto end;
1773 crls = sk_X509_CRL_new_null()((struct stack_st_X509_CRL *)OPENSSL_sk_new_null());
1774 if (crls == NULL((void*)0) || !sk_X509_CRL_push(crls, crl)OPENSSL_sk_push(ossl_check_X509_CRL_sk_type(crls), ossl_check_X509_CRL_type
(crl))
) {
1775 BIO_puts(bio_err, "Error adding CRL\n");
1776 ERR_print_errors(bio_err);
1777 X509_CRL_free(crl);
1778 goto end;
1779 }
1780 }
1781
1782 if (s_dcert_file != NULL((void*)0)) {
1783
1784 if (s_dkey_file == NULL((void*)0))
1785 s_dkey_file = s_dcert_file;
1786
1787 s_dkey = load_key(s_dkey_file, s_dkey_format,
1788 0, dpass, engine, "second certificate private key");
1789 if (s_dkey == NULL((void*)0))
1790 goto end;
1791
1792 s_dcert = load_cert_pass(s_dcert_file, s_dcert_format, 1, dpass,
1793 "second server certificate");
1794
1795 if (s_dcert == NULL((void*)0)) {
1796 ERR_print_errors(bio_err);
1797 goto end;
1798 }
1799 if (s_dchain_file != NULL((void*)0)) {
1800 if (!load_certs(s_dchain_file, 0, &s_dchain, NULL((void*)0),
1801 "second server certificate chain"))
1802 goto end;
1803 }
1804
1805 }
1806
1807 if (bio_s_out == NULL((void*)0)) {
1808 if (s_quiet && !s_debug) {
1809 bio_s_out = BIO_new(BIO_s_null());
1810 if (s_msg && bio_s_msg == NULL((void*)0)) {
1811 bio_s_msg = dup_bio_out(FORMAT_TEXT(1 | 0x8000));
1812 if (bio_s_msg == NULL((void*)0)) {
1813 BIO_printf(bio_err, "Out of memory\n");
1814 goto end;
1815 }
1816 }
1817 } else {
1818 bio_s_out = dup_bio_out(FORMAT_TEXT(1 | 0x8000));
1819 }
1820 }
1821
1822 if (bio_s_out == NULL((void*)0))
1823 goto end;
1824
1825 if (nocert) {
1826 s_cert_file = NULL((void*)0);
1827 s_key_file = NULL((void*)0);
1828 s_dcert_file = NULL((void*)0);
1829 s_dkey_file = NULL((void*)0);
1830 s_cert_file2 = NULL((void*)0);
1831 s_key_file2 = NULL((void*)0);
1832 }
1833
1834 ctx = SSL_CTX_new_ex(app_get0_libctx(), app_get0_propq(), meth);
1835 if (ctx == NULL((void*)0)) {
1836 ERR_print_errors(bio_err);
1837 goto end;
1838 }
1839
1840 SSL_CTX_clear_mode(ctx, SSL_MODE_AUTO_RETRY)SSL_CTX_ctrl((ctx),78,(0x00000004U),((void*)0));
1841
1842 if (sdebug)
1843 ssl_ctx_security_debug(ctx, sdebug);
1844
1845 if (!config_ctx(cctx, ssl_args, ctx))
1846 goto end;
1847
1848 if (ssl_config) {
1849 if (SSL_CTX_config(ctx, ssl_config) == 0) {
1850 BIO_printf(bio_err, "Error using configuration \"%s\"\n",
1851 ssl_config);
1852 ERR_print_errors(bio_err);
1853 goto end;
1854 }
1855 }
1856#ifndef OPENSSL_NO_SCTP
1857 if (protocol == IPPROTO_SCTPIPPROTO_SCTP && sctp_label_bug == 1)
1858 SSL_CTX_set_mode(ctx, SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG)SSL_CTX_ctrl((ctx),33,(0x00000400U),((void*)0));
1859#endif
1860
1861 if (min_version != 0
1862 && SSL_CTX_set_min_proto_version(ctx, min_version)SSL_CTX_ctrl(ctx, 123, min_version, ((void*)0)) == 0)
1863 goto end;
1864 if (max_version != 0
1865 && SSL_CTX_set_max_proto_version(ctx, max_version)SSL_CTX_ctrl(ctx, 124, max_version, ((void*)0)) == 0)
1866 goto end;
1867
1868 if (session_id_prefix) {
1869 if (strlen(session_id_prefix) >= 32)
1870 BIO_printf(bio_err,
1871 "warning: id_prefix is too long, only one new session will be possible\n");
1872 if (!SSL_CTX_set_generate_session_id(ctx, generate_session_id)) {
1873 BIO_printf(bio_err, "error setting 'id_prefix'\n");
1874 ERR_print_errors(bio_err);
1875 goto end;
1876 }
1877 BIO_printf(bio_err, "id_prefix '%s' set.\n", session_id_prefix);
1878 }
1879 if (exc != NULL((void*)0))
1880 ssl_ctx_set_excert(ctx, exc);
1881
1882 if (state)
1883 SSL_CTX_set_info_callback(ctx, apps_ssl_info_callback);
1884 if (no_cache)
1885 SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF)SSL_CTX_ctrl(ctx,44,0x0000,((void*)0));
1886 else if (ext_cache)
1887 init_session_cache_ctx(ctx);
1888 else
1889 SSL_CTX_sess_set_cache_size(ctx, 128)SSL_CTX_ctrl(ctx,42,128,((void*)0));
1890
1891 if (async) {
1892 SSL_CTX_set_mode(ctx, SSL_MODE_ASYNC)SSL_CTX_ctrl((ctx),33,(0x00000100U),((void*)0));
1893 }
1894
1895 if (no_ca_names) {
1896 SSL_CTX_set_options(ctx, SSL_OP_DISABLE_TLSEXT_CA_NAMES((uint64_t)1 << (uint64_t)9));
1897 }
1898
1899 if (ignore_unexpected_eof)
1900 SSL_CTX_set_options(ctx, SSL_OP_IGNORE_UNEXPECTED_EOF((uint64_t)1 << (uint64_t)7));
1901
1902 if (max_send_fragment > 0
1903 && !SSL_CTX_set_max_send_fragment(ctx, max_send_fragment)SSL_CTX_ctrl(ctx,52,max_send_fragment,((void*)0))) {
1904 BIO_printf(bio_err, "%s: Max send fragment size %u is out of permitted range\n",
1905 prog, max_send_fragment);
1906 goto end;
1907 }
1908
1909 if (split_send_fragment > 0
1910 && !SSL_CTX_set_split_send_fragment(ctx, split_send_fragment)SSL_CTX_ctrl(ctx,125,split_send_fragment,((void*)0))) {
1911 BIO_printf(bio_err, "%s: Split send fragment size %u is out of permitted range\n",
1912 prog, split_send_fragment);
1913 goto end;
1914 }
1915 if (max_pipelines > 0
1916 && !SSL_CTX_set_max_pipelines(ctx, max_pipelines)SSL_CTX_ctrl(ctx,126,max_pipelines,((void*)0))) {
1917 BIO_printf(bio_err, "%s: Max pipelines %u is out of permitted range\n",
1918 prog, max_pipelines);
1919 goto end;
1920 }
1921
1922 if (read_buf_len > 0) {
1923 SSL_CTX_set_default_read_buffer_len(ctx, read_buf_len);
1924 }
1925#ifndef OPENSSL_NO_SRTP
1926 if (srtp_profiles != NULL((void*)0)) {
1927 /* Returns 0 on success! */
1928 if (SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles) != 0) {
1929 BIO_printf(bio_err, "Error setting SRTP profile\n");
1930 ERR_print_errors(bio_err);
1931 goto end;
1932 }
1933 }
1934#endif
1935
1936 if (!ctx_set_verify_locations(ctx, CAfile, noCAfile, CApath, noCApath,
1937 CAstore, noCAstore)) {
1938 ERR_print_errors(bio_err);
1939 goto end;
1940 }
1941 if (vpmtouched && !SSL_CTX_set1_param(ctx, vpm)) {
1942 BIO_printf(bio_err, "Error setting verify params\n");
1943 ERR_print_errors(bio_err);
1944 goto end;
1945 }
1946
1947 ssl_ctx_add_crls(ctx, crls, 0);
1948
1949 if (!ssl_load_stores(ctx,
1950 vfyCApath, vfyCAfile, vfyCAstore,
1951 chCApath, chCAfile, chCAstore,
1952 crls, crl_download)) {
1953 BIO_printf(bio_err, "Error loading store locations\n");
1954 ERR_print_errors(bio_err);
1955 goto end;
1956 }
1957
1958 if (s_cert2) {
1959 ctx2 = SSL_CTX_new_ex(app_get0_libctx(), app_get0_propq(), meth);
1960 if (ctx2 == NULL((void*)0)) {
1961 ERR_print_errors(bio_err);
1962 goto end;
1963 }
1964 }
1965
1966 if (ctx2 != NULL((void*)0)) {
1967 BIO_printf(bio_s_out, "Setting secondary ctx parameters\n");
1968
1969 if (sdebug)
1970 ssl_ctx_security_debug(ctx2, sdebug);
1971
1972 if (session_id_prefix) {
1973 if (strlen(session_id_prefix) >= 32)
1974 BIO_printf(bio_err,
1975 "warning: id_prefix is too long, only one new session will be possible\n");
1976 if (!SSL_CTX_set_generate_session_id(ctx2, generate_session_id)) {
1977 BIO_printf(bio_err, "error setting 'id_prefix'\n");
1978 ERR_print_errors(bio_err);
1979 goto end;
1980 }
1981 BIO_printf(bio_err, "id_prefix '%s' set.\n", session_id_prefix);
1982 }
1983 if (exc != NULL((void*)0))
1984 ssl_ctx_set_excert(ctx2, exc);
1985
1986 if (state)
1987 SSL_CTX_set_info_callback(ctx2, apps_ssl_info_callback);
1988
1989 if (no_cache)
1990 SSL_CTX_set_session_cache_mode(ctx2, SSL_SESS_CACHE_OFF)SSL_CTX_ctrl(ctx2,44,0x0000,((void*)0));
1991 else if (ext_cache)
1992 init_session_cache_ctx(ctx2);
1993 else
1994 SSL_CTX_sess_set_cache_size(ctx2, 128)SSL_CTX_ctrl(ctx2,42,128,((void*)0));
1995
1996 if (async)
1997 SSL_CTX_set_mode(ctx2, SSL_MODE_ASYNC)SSL_CTX_ctrl((ctx2),33,(0x00000100U),((void*)0));
1998
1999 if (!ctx_set_verify_locations(ctx2, CAfile, noCAfile, CApath,
2000 noCApath, CAstore, noCAstore)) {
2001 ERR_print_errors(bio_err);
2002 goto end;
2003 }
2004 if (vpmtouched && !SSL_CTX_set1_param(ctx2, vpm)) {
2005 BIO_printf(bio_err, "Error setting verify params\n");
2006 ERR_print_errors(bio_err);
2007 goto end;
2008 }
2009
2010 ssl_ctx_add_crls(ctx2, crls, 0);
2011 if (!config_ctx(cctx, ssl_args, ctx2))
2012 goto end;
2013 }
2014#ifndef OPENSSL_NO_NEXTPROTONEG
2015 if (next_proto.data)
2016 SSL_CTX_set_next_protos_advertised_cb(ctx, next_proto_cb,
2017 &next_proto);
2018#endif
2019 if (alpn_ctx.data)
2020 SSL_CTX_set_alpn_select_cb(ctx, alpn_cb, &alpn_ctx);
2021
2022 if (!no_dhe) {
2023 EVP_PKEY *dhpkey = NULL((void*)0);
2024
2025 if (dhfile != NULL((void*)0))
2026 dhpkey = load_keyparams(dhfile, FORMAT_UNDEF0, 0, "DH", "DH parameters");
2027 else if (s_cert_file != NULL((void*)0))
2028 dhpkey = load_keyparams_suppress(s_cert_file, FORMAT_UNDEF0, 0, "DH",
2029 "DH parameters", 1);
2030
2031 if (dhpkey != NULL((void*)0)) {
2032 BIO_printf(bio_s_out, "Setting temp DH parameters\n");
2033 } else {
2034 BIO_printf(bio_s_out, "Using default temp DH parameters\n");
2035 }
2036 (void)BIO_flush(bio_s_out)(int)BIO_ctrl(bio_s_out,11,0,((void*)0));
2037
2038 if (dhpkey == NULL((void*)0)) {
2039 SSL_CTX_set_dh_auto(ctx, 1)SSL_CTX_ctrl(ctx,118,1,((void*)0));
2040 } else {
2041 /*
2042 * We need 2 references: one for use by ctx and one for use by
2043 * ctx2
2044 */
2045 if (!EVP_PKEY_up_ref(dhpkey)) {
2046 EVP_PKEY_free(dhpkey);
2047 goto end;
2048 }
2049 if (!SSL_CTX_set0_tmp_dh_pkey(ctx, dhpkey)) {
2050 BIO_puts(bio_err, "Error setting temp DH parameters\n");
2051 ERR_print_errors(bio_err);
2052 /* Free 2 references */
2053 EVP_PKEY_free(dhpkey);
2054 EVP_PKEY_free(dhpkey);
2055 goto end;
2056 }
2057 }
2058
2059 if (ctx2 != NULL((void*)0)) {
2060 if (dhfile != NULL((void*)0)) {
2061 EVP_PKEY *dhpkey2 = load_keyparams_suppress(s_cert_file2,
2062 FORMAT_UNDEF0,
2063 0, "DH",
2064 "DH parameters", 1);
2065
2066 if (dhpkey2 != NULL((void*)0)) {
2067 BIO_printf(bio_s_out, "Setting temp DH parameters\n");
2068 (void)BIO_flush(bio_s_out)(int)BIO_ctrl(bio_s_out,11,0,((void*)0));
2069
2070 EVP_PKEY_free(dhpkey);
2071 dhpkey = dhpkey2;
2072 }
2073 }
2074 if (dhpkey == NULL((void*)0)) {
2075 SSL_CTX_set_dh_auto(ctx2, 1)SSL_CTX_ctrl(ctx2,118,1,((void*)0));
2076 } else if (!SSL_CTX_set0_tmp_dh_pkey(ctx2, dhpkey)) {
2077 BIO_puts(bio_err, "Error setting temp DH parameters\n");
2078 ERR_print_errors(bio_err);
2079 EVP_PKEY_free(dhpkey);
2080 goto end;
2081 }
2082 dhpkey = NULL((void*)0);
2083 }
2084 EVP_PKEY_free(dhpkey);
2085 }
2086
2087 if (!set_cert_key_stuff(ctx, s_cert, s_key, s_chain, build_chain))
2088 goto end;
2089
2090 if (s_serverinfo_file != NULL((void*)0)
2091 && !SSL_CTX_use_serverinfo_file(ctx, s_serverinfo_file)) {
2092 ERR_print_errors(bio_err);
2093 goto end;
2094 }
2095
2096 if (ctx2 != NULL((void*)0)
2097 && !set_cert_key_stuff(ctx2, s_cert2, s_key2, NULL((void*)0), build_chain))
2098 goto end;
2099
2100 if (s_dcert != NULL((void*)0)) {
2101 if (!set_cert_key_stuff(ctx, s_dcert, s_dkey, s_dchain, build_chain))
2102 goto end;
2103 }
2104
2105 if (no_resume_ephemeral) {
2106 SSL_CTX_set_not_resumable_session_callback(ctx,
2107 not_resumable_sess_cb);
2108
2109 if (ctx2 != NULL((void*)0))
2110 SSL_CTX_set_not_resumable_session_callback(ctx2,
2111 not_resumable_sess_cb);
2112 }
2113#ifndef OPENSSL_NO_PSK
2114 if (psk_key != NULL((void*)0)) {
2115 if (s_debug)
2116 BIO_printf(bio_s_out, "PSK key given, setting server callback\n");
2117 SSL_CTX_set_psk_server_callback(ctx, psk_server_cb);
2118 }
2119
2120 if (psk_identity_hint != NULL((void*)0)) {
2121 if (min_version == TLS1_3_VERSION0x0304) {
2122 BIO_printf(bio_s_out, "PSK warning: there is NO identity hint in TLSv1.3\n");
2123 } else {
2124 if (!SSL_CTX_use_psk_identity_hint(ctx, psk_identity_hint)) {
2125 BIO_printf(bio_err, "error setting PSK identity hint to context\n");
2126 ERR_print_errors(bio_err);
2127 goto end;
2128 }
2129 }
2130 }
2131#endif
2132 if (psksessf != NULL((void*)0)) {
2133 BIO *stmp = BIO_new_file(psksessf, "r");
2134
2135 if (stmp == NULL((void*)0)) {
2136 BIO_printf(bio_err, "Can't open PSK session file %s\n", psksessf);
2137 ERR_print_errors(bio_err);
2138 goto end;
2139 }
2140 psksess = PEM_read_bio_SSL_SESSION(stmp, NULL((void*)0), 0, NULL((void*)0));
2141 BIO_free(stmp);
2142 if (psksess == NULL((void*)0)) {
2143 BIO_printf(bio_err, "Can't read PSK session file %s\n", psksessf);
2144 ERR_print_errors(bio_err);
2145 goto end;
2146 }
2147
2148 }
2149
2150 if (psk_key != NULL((void*)0) || psksess != NULL((void*)0))
2151 SSL_CTX_set_psk_find_session_callback(ctx, psk_find_session_cb);
2152
2153 SSL_CTX_set_verify(ctx, s_server_verify, verify_callback);
2154 if (!SSL_CTX_set_session_id_context(ctx,
2155 (void *)&s_server_session_id_context,
2156 sizeof(s_server_session_id_context))) {
2157 BIO_printf(bio_err, "error setting session id context\n");
2158 ERR_print_errors(bio_err);
2159 goto end;
2160 }
2161
2162 /* Set DTLS cookie generation and verification callbacks */
2163 SSL_CTX_set_cookie_generate_cb(ctx, generate_cookie_callback);
2164 SSL_CTX_set_cookie_verify_cb(ctx, verify_cookie_callback);
2165
2166 /* Set TLS1.3 cookie generation and verification callbacks */
2167 SSL_CTX_set_stateless_cookie_generate_cb(ctx, generate_stateless_cookie_callback);
2168 SSL_CTX_set_stateless_cookie_verify_cb(ctx, verify_stateless_cookie_callback);
2169
2170 if (ctx2 != NULL((void*)0)) {
2171 SSL_CTX_set_verify(ctx2, s_server_verify, verify_callback);
2172 if (!SSL_CTX_set_session_id_context(ctx2,
2173 (void *)&s_server_session_id_context,
2174 sizeof(s_server_session_id_context))) {
2175 BIO_printf(bio_err, "error setting session id context\n");
2176 ERR_print_errors(bio_err);
2177 goto end;
2178 }
2179 tlsextcbp.biodebug = bio_s_out;
2180 SSL_CTX_set_tlsext_servername_callback(ctx2, ssl_servername_cb)SSL_CTX_callback_ctrl(ctx2,53, (void (*)(void))ssl_servername_cb
)
;
2181 SSL_CTX_set_tlsext_servername_arg(ctx2, &tlsextcbp)SSL_CTX_ctrl(ctx2,54,0,&tlsextcbp);
2182 SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb)SSL_CTX_callback_ctrl(ctx,53, (void (*)(void))ssl_servername_cb
)
;
2183 SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp)SSL_CTX_ctrl(ctx,54,0,&tlsextcbp);
2184 }
2185
2186#ifndef OPENSSL_NO_SRP
2187 if (srp_verifier_file != NULL((void*)0)) {
2188 if (!set_up_srp_verifier_file(ctx, &srp_callback_parm, srpuserseed,
2189 srp_verifier_file))
2190 goto end;
2191 } else
2192#endif
2193 if (CAfile != NULL((void*)0)) {
2194 SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(CAfile));
2195
2196 if (ctx2)
2197 SSL_CTX_set_client_CA_list(ctx2, SSL_load_client_CA_file(CAfile));
2198 }
2199#ifndef OPENSSL_NO_OCSP
2200 if (s_tlsextstatus) {
2201 SSL_CTX_set_tlsext_status_cb(ctx, cert_status_cb)SSL_CTX_callback_ctrl(ctx,63, (void (*)(void))cert_status_cb);
2202 SSL_CTX_set_tlsext_status_arg(ctx, &tlscstatp)SSL_CTX_ctrl(ctx,64,0,&tlscstatp);
2203 if (ctx2) {
2204 SSL_CTX_set_tlsext_status_cb(ctx2, cert_status_cb)SSL_CTX_callback_ctrl(ctx2,63, (void (*)(void))cert_status_cb
)
;
2205 SSL_CTX_set_tlsext_status_arg(ctx2, &tlscstatp)SSL_CTX_ctrl(ctx2,64,0,&tlscstatp);
2206 }
2207 }
2208#endif
2209 if (set_keylog_file(ctx, keylog_file))
2210 goto end;
2211
2212 if (max_early_data >= 0)
2213 SSL_CTX_set_max_early_data(ctx, max_early_data);
2214 if (recv_max_early_data >= 0)
2215 SSL_CTX_set_recv_max_early_data(ctx, recv_max_early_data);
2216
2217 if (rev)
2218 server_cb = rev_body;
2219 else if (www)
2220 server_cb = www_body;
2221 else
2222 server_cb = sv_body;
2223#ifdef AF_UNIX1
2224 if (socket_family == AF_UNIX1
2225 && unlink_unix_path)
2226 unlink(host);
2227#endif
2228 do_server(&accept_socket, host, port, socket_family, socket_type, protocol,
2229 server_cb, context, naccept, bio_s_out);
2230 print_stats(bio_s_out, ctx);
2231 ret = 0;
2232 end:
2233 SSL_CTX_free(ctx);
2234 SSL_SESSION_free(psksess);
2235 set_keylog_file(NULL((void*)0), NULL((void*)0));
2236 X509_free(s_cert);
2237 sk_X509_CRL_pop_free(crls, X509_CRL_free)OPENSSL_sk_pop_free(ossl_check_X509_CRL_sk_type(crls),ossl_check_X509_CRL_freefunc_type
(X509_CRL_free))
;
2238 X509_free(s_dcert);
2239 EVP_PKEY_free(s_key);
2240 EVP_PKEY_free(s_dkey);
2241 sk_X509_pop_free(s_chain, X509_free)OPENSSL_sk_pop_free(ossl_check_X509_sk_type(s_chain),ossl_check_X509_freefunc_type
(X509_free))
;
2242 sk_X509_pop_free(s_dchain, X509_free)OPENSSL_sk_pop_free(ossl_check_X509_sk_type(s_dchain),ossl_check_X509_freefunc_type
(X509_free))
;
2243 OPENSSL_free(pass)CRYPTO_free(pass, "../deps/openssl/openssl/apps/s_server.c", 2243
)
;
2244 OPENSSL_free(dpass)CRYPTO_free(dpass, "../deps/openssl/openssl/apps/s_server.c",
2244)
;
2245 OPENSSL_free(host)CRYPTO_free(host, "../deps/openssl/openssl/apps/s_server.c", 2245
)
;
2246 OPENSSL_free(port)CRYPTO_free(port, "../deps/openssl/openssl/apps/s_server.c", 2246
)
;
2247 X509_VERIFY_PARAM_free(vpm);
2248 free_sessions();
2249 OPENSSL_free(tlscstatp.host)CRYPTO_free(tlscstatp.host, "../deps/openssl/openssl/apps/s_server.c"
, 2249)
;
2250 OPENSSL_free(tlscstatp.port)CRYPTO_free(tlscstatp.port, "../deps/openssl/openssl/apps/s_server.c"
, 2250)
;
2251 OPENSSL_free(tlscstatp.path)CRYPTO_free(tlscstatp.path, "../deps/openssl/openssl/apps/s_server.c"
, 2251)
;
2252 SSL_CTX_free(ctx2);
2253 X509_free(s_cert2);
2254 EVP_PKEY_free(s_key2);
2255#ifndef OPENSSL_NO_NEXTPROTONEG
2256 OPENSSL_free(next_proto.data)CRYPTO_free(next_proto.data, "../deps/openssl/openssl/apps/s_server.c"
, 2256)
;
2257#endif
2258 OPENSSL_free(alpn_ctx.data)CRYPTO_free(alpn_ctx.data, "../deps/openssl/openssl/apps/s_server.c"
, 2258)
;
2259 ssl_excert_free(exc);
2260 sk_OPENSSL_STRING_free(ssl_args)OPENSSL_sk_free(ossl_check_OPENSSL_STRING_sk_type(ssl_args));
2261 SSL_CONF_CTX_free(cctx);
2262 release_engine(engine);
2263 BIO_free(bio_s_out);
2264 bio_s_out = NULL((void*)0);
2265 BIO_free(bio_s_msg);
2266 bio_s_msg = NULL((void*)0);
2267#ifdef CHARSET_EBCDIC
2268 BIO_meth_free(methods_ebcdic);
2269#endif
2270 return ret;
2271}
2272
2273static void print_stats(BIO *bio, SSL_CTX *ssl_ctx)
2274{
2275 BIO_printf(bio, "%4ld items in the session cache\n",
2276 SSL_CTX_sess_number(ssl_ctx)SSL_CTX_ctrl(ssl_ctx,20,0,((void*)0)));
2277 BIO_printf(bio, "%4ld client connects (SSL_connect())\n",
2278 SSL_CTX_sess_connect(ssl_ctx)SSL_CTX_ctrl(ssl_ctx,21,0,((void*)0)));
2279 BIO_printf(bio, "%4ld client renegotiates (SSL_connect())\n",
2280 SSL_CTX_sess_connect_renegotiate(ssl_ctx)SSL_CTX_ctrl(ssl_ctx,23,0,((void*)0)));
2281 BIO_printf(bio, "%4ld client connects that finished\n",
2282 SSL_CTX_sess_connect_good(ssl_ctx)SSL_CTX_ctrl(ssl_ctx,22,0,((void*)0)));
2283 BIO_printf(bio, "%4ld server accepts (SSL_accept())\n",
2284 SSL_CTX_sess_accept(ssl_ctx)SSL_CTX_ctrl(ssl_ctx,24,0,((void*)0)));
2285 BIO_printf(bio, "%4ld server renegotiates (SSL_accept())\n",
2286 SSL_CTX_sess_accept_renegotiate(ssl_ctx)SSL_CTX_ctrl(ssl_ctx,26,0,((void*)0)));
2287 BIO_printf(bio, "%4ld server accepts that finished\n",
2288 SSL_CTX_sess_accept_good(ssl_ctx)SSL_CTX_ctrl(ssl_ctx,25,0,((void*)0)));
2289 BIO_printf(bio, "%4ld session cache hits\n", SSL_CTX_sess_hits(ssl_ctx)SSL_CTX_ctrl(ssl_ctx,27,0,((void*)0)));
2290 BIO_printf(bio, "%4ld session cache misses\n",
2291 SSL_CTX_sess_misses(ssl_ctx)SSL_CTX_ctrl(ssl_ctx,29,0,((void*)0)));
2292 BIO_printf(bio, "%4ld session cache timeouts\n",
2293 SSL_CTX_sess_timeouts(ssl_ctx)SSL_CTX_ctrl(ssl_ctx,30,0,((void*)0)));
2294 BIO_printf(bio, "%4ld callback cache hits\n",
2295 SSL_CTX_sess_cb_hits(ssl_ctx)SSL_CTX_ctrl(ssl_ctx,28,0,((void*)0)));
2296 BIO_printf(bio, "%4ld cache full overflows (%ld allowed)\n",
2297 SSL_CTX_sess_cache_full(ssl_ctx)SSL_CTX_ctrl(ssl_ctx,31,0,((void*)0)),
2298 SSL_CTX_sess_get_cache_size(ssl_ctx)SSL_CTX_ctrl(ssl_ctx,43,0,((void*)0)));
2299}
2300
2301static long int count_reads_callback(BIO *bio, int cmd, const char *argp, size_t len,
2302 int argi, long argl, int ret, size_t *processed)
2303{
2304 unsigned int *p_counter = (unsigned int *)BIO_get_callback_arg(bio);
2305
2306 switch (cmd) {
2307 case BIO_CB_READ0x02: /* No break here */
2308 case BIO_CB_GETS0x05:
2309 if (p_counter != NULL((void*)0))
2310 ++*p_counter;
2311 break;
2312 default:
2313 break;
2314 }
2315
2316 if (s_debug) {
2317 BIO_set_callback_arg(bio, (char *)bio_s_out);
2318 ret = (int)bio_dump_callback(bio, cmd, argp, len, argi, argl, ret, processed);
2319 BIO_set_callback_arg(bio, (char *)p_counter);
2320 }
2321
2322 return ret;
2323}
2324
2325static int sv_body(int s, int stype, int prot, unsigned char *context)
2326{
2327 char *buf = NULL((void*)0);
2328 fd_set readfds;
2329 int ret = 1, width;
2330 int k, i;
2331 unsigned long l;
2332 SSL *con = NULL((void*)0);
2333 BIO *sbio;
2334 struct timeval timeout;
2335#if !(defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS))
2336 struct timeval *timeoutp;
2337#endif
2338#ifndef OPENSSL_NO_DTLS
2339# ifndef OPENSSL_NO_SCTP
2340 int isdtls = (stype == SOCK_DGRAMSOCK_DGRAM || prot == IPPROTO_SCTPIPPROTO_SCTP);
2341# else
2342 int isdtls = (stype == SOCK_DGRAMSOCK_DGRAM);
2343# endif
2344#endif
2345
2346 buf = app_malloc(bufsize, "server buffer");
2347 if (s_nbio) {
2348 if (!BIO_socket_nbio(s, 1))
2349 ERR_print_errors(bio_err);
2350 else if (!s_quiet)
2351 BIO_printf(bio_err, "Turned on non blocking io\n");
2352 }
2353
2354 con = SSL_new(ctx);
2355 if (con == NULL((void*)0)) {
2356 ret = -1;
2357 goto err;
2358 }
2359
2360 if (s_tlsextdebug) {
2361 SSL_set_tlsext_debug_callback(con, tlsext_cb)SSL_callback_ctrl(con,56, (void (*)(void))tlsext_cb);
2362 SSL_set_tlsext_debug_arg(con, bio_s_out)SSL_ctrl(con,57,0,bio_s_out);
2363 }
2364
2365 if (context != NULL((void*)0)
2366 && !SSL_set_session_id_context(con, context,
2367 strlen((char *)context))) {
2368 BIO_printf(bio_err, "Error setting session id context\n");
2369 ret = -1;
2370 goto err;
2371 }
2372
2373 if (!SSL_clear(con)) {
2374 BIO_printf(bio_err, "Error clearing SSL connection\n");
2375 ret = -1;
2376 goto err;
2377 }
2378#ifndef OPENSSL_NO_DTLS
2379 if (isdtls) {
2380# ifndef OPENSSL_NO_SCTP
2381 if (prot == IPPROTO_SCTPIPPROTO_SCTP)
2382 sbio = BIO_new_dgram_sctp(s, BIO_NOCLOSE0x00);
2383 else
2384# endif
2385 sbio = BIO_new_dgram(s, BIO_NOCLOSE0x00);
2386 if (sbio == NULL((void*)0)) {
2387 BIO_printf(bio_err, "Unable to create BIO\n");
2388 ERR_print_errors(bio_err);
2389 goto err;
2390 }
2391
2392 if (enable_timeouts) {
2393 timeout.tv_sec = 0;
2394 timeout.tv_usec = DGRAM_RCV_TIMEOUT250000;
2395 BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT33, 0, &timeout);
2396
2397 timeout.tv_sec = 0;
2398 timeout.tv_usec = DGRAM_SND_TIMEOUT250000;
2399 BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT35, 0, &timeout);
2400 }
2401
2402 if (socket_mtu) {
2403 if (socket_mtu < DTLS_get_link_min_mtu(con)SSL_ctrl((con),121,0,((void*)0))) {
2404 BIO_printf(bio_err, "MTU too small. Must be at least %ld\n",
2405 DTLS_get_link_min_mtu(con)SSL_ctrl((con),121,0,((void*)0)));
2406 ret = -1;
2407 BIO_free(sbio);
2408 goto err;
2409 }
2410 SSL_set_options(con, SSL_OP_NO_QUERY_MTU((uint64_t)1 << (uint64_t)12));
2411 if (!DTLS_set_link_mtu(con, socket_mtu)SSL_ctrl((con),120,(socket_mtu),((void*)0))) {
2412 BIO_printf(bio_err, "Failed to set MTU\n");
2413 ret = -1;
2414 BIO_free(sbio);
2415 goto err;
2416 }
2417 } else
2418 /* want to do MTU discovery */
2419 BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER39, 0, NULL((void*)0));
2420
2421# ifndef OPENSSL_NO_SCTP
2422 if (prot != IPPROTO_SCTPIPPROTO_SCTP)
2423# endif
2424 /* Turn on cookie exchange. Not necessary for SCTP */
2425 SSL_set_options(con, SSL_OP_COOKIE_EXCHANGE((uint64_t)1 << (uint64_t)13));
2426 } else
2427#endif
2428 sbio = BIO_new_socket(s, BIO_NOCLOSE0x00);
2429
2430 if (sbio == NULL((void*)0)) {
2431 BIO_printf(bio_err, "Unable to create BIO\n");
2432 ERR_print_errors(bio_err);
2433 goto err;
2434 }
2435
2436 if (s_nbio_test) {
2437 BIO *test;
2438
2439 test = BIO_new(BIO_f_nbio_test());
2440 if (test == NULL((void*)0)) {
2441 BIO_printf(bio_err, "Unable to create BIO\n");
2442 ret = -1;
2443 BIO_free(sbio);
2444 goto err;
2445 }
2446
2447 sbio = BIO_push(test, sbio);
2448 }
2449
2450 SSL_set_bio(con, sbio, sbio);
2451 SSL_set_accept_state(con);
2452 /* SSL_set_fd(con,s); */
2453
2454 BIO_set_callback_ex(SSL_get_rbio(con), count_reads_callback);
2455 if (s_msg) {
2456#ifndef OPENSSL_NO_SSL_TRACE
2457 if (s_msg == 2)
2458 SSL_set_msg_callback(con, SSL_trace);
2459 else
2460#endif
2461 SSL_set_msg_callback(con, msg_cb);
2462 SSL_set_msg_callback_arg(con, bio_s_msg ? bio_s_msg : bio_s_out)SSL_ctrl((con), 16, 0, (bio_s_msg ? bio_s_msg : bio_s_out));
2463 }
2464
2465 if (s_tlsextdebug) {
2466 SSL_set_tlsext_debug_callback(con, tlsext_cb)SSL_callback_ctrl(con,56, (void (*)(void))tlsext_cb);
2467 SSL_set_tlsext_debug_arg(con, bio_s_out)SSL_ctrl(con,57,0,bio_s_out);
2468 }
2469
2470 if (early_data) {
2471 int write_header = 1, edret = SSL_READ_EARLY_DATA_ERROR0;
2472 size_t readbytes;
2473
2474 while (edret != SSL_READ_EARLY_DATA_FINISH2) {
2475 for (;;) {
2476 edret = SSL_read_early_data(con, buf, bufsize, &readbytes);
2477 if (edret != SSL_READ_EARLY_DATA_ERROR0)
2478 break;
2479
2480 switch (SSL_get_error(con, 0)) {
2481 case SSL_ERROR_WANT_WRITE3:
2482 case SSL_ERROR_WANT_ASYNC9:
2483 case SSL_ERROR_WANT_READ2:
2484 /* Just keep trying - busy waiting */
2485 continue;
2486 default:
2487 BIO_printf(bio_err, "Error reading early data\n");
2488 ERR_print_errors(bio_err);
2489 goto err;
2490 }
2491 }
2492 if (readbytes > 0) {
2493 if (write_header) {
2494 BIO_printf(bio_s_out, "Early data received:\n");
2495 write_header = 0;
2496 }
2497 raw_write_stdout(buf, (unsigned int)readbytes);
2498 (void)BIO_flush(bio_s_out)(int)BIO_ctrl(bio_s_out,11,0,((void*)0));
2499 }
2500 }
2501 if (write_header) {
2502 if (SSL_get_early_data_status(con) == SSL_EARLY_DATA_NOT_SENT0)
2503 BIO_printf(bio_s_out, "No early data received\n");
2504 else
2505 BIO_printf(bio_s_out, "Early data was rejected\n");
2506 } else {
2507 BIO_printf(bio_s_out, "\nEnd of early data\n");
2508 }
2509 if (SSL_is_init_finished(con))
2510 print_connection_info(con);
2511 }
2512
2513 if (fileno_stdin() > s)
2514 width = fileno_stdin() + 1;
2515 else
2516 width = s + 1;
2517 for (;;) {
2518 int read_from_terminal;
2519 int read_from_sslcon;
2520
2521 read_from_terminal = 0;
2522 read_from_sslcon = SSL_has_pending(con)
2523 || (async && SSL_waiting_for_async(con));
2524
2525 if (!read_from_sslcon) {
2526 FD_ZERO(&readfds)do { int __d0, __d1; __asm__ __volatile__ ("cld; rep; " "stosq"
: "=c" (__d0), "=D" (__d1) : "a" (0), "0" (sizeof (fd_set) /
sizeof (__fd_mask)), "1" (&((&readfds)->__fds_bits
)[0]) : "memory"); } while (0)
;
2527#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS)
2528 openssl_fdset(fileno_stdin(), &readfds)((void) (((&readfds)->__fds_bits)[((fileno_stdin()) / (
8 * (int) sizeof (__fd_mask)))] |= ((__fd_mask) (1UL <<
((fileno_stdin()) % (8 * (int) sizeof (__fd_mask)))))))
;
2529#endif
2530 openssl_fdset(s, &readfds)((void) (((&readfds)->__fds_bits)[((s) / (8 * (int) sizeof
(__fd_mask)))] |= ((__fd_mask) (1UL << ((s) % (8 * (int
) sizeof (__fd_mask)))))))
;
2531 /*
2532 * Note: under VMS with SOCKETSHR the second parameter is
2533 * currently of type (int *) whereas under other systems it is
2534 * (void *) if you don't have a cast it will choke the compiler:
2535 * if you do have a cast then you can either go for (int *) or
2536 * (void *).
2537 */
2538#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS)
2539 /*
2540 * Under DOS (non-djgpp) and Windows we can't select on stdin:
2541 * only on sockets. As a workaround we timeout the select every
2542 * second and check for any keypress. In a proper Windows
2543 * application we wouldn't do this because it is inefficient.
2544 */
2545 timeout.tv_sec = 1;
2546 timeout.tv_usec = 0;
2547 i = select(width, (void *)&readfds, NULL((void*)0), NULL((void*)0), &timeout);
2548 if (has_stdin_waiting())
2549 read_from_terminal = 1;
2550 if ((i < 0) || (!i && !read_from_terminal))
2551 continue;
2552#else
2553 if (SSL_is_dtls(con) && DTLSv1_get_timeout(con, &timeout)SSL_ctrl(con,73,0, (void *)(&timeout)))
2554 timeoutp = &timeout;
2555 else
2556 timeoutp = NULL((void*)0);
2557
2558 i = select(width, (void *)&readfds, NULL((void*)0), NULL((void*)0), timeoutp);
2559
2560 if ((SSL_is_dtls(con)) && DTLSv1_handle_timeout(con)SSL_ctrl(con,74,0, ((void*)0)) > 0)
2561 BIO_printf(bio_err, "TIMEOUT occurred\n");
2562
2563 if (i <= 0)
2564 continue;
2565 if (FD_ISSET(fileno_stdin(), &readfds)((((&readfds)->__fds_bits)[((fileno_stdin()) / (8 * (int
) sizeof (__fd_mask)))] & ((__fd_mask) (1UL << ((fileno_stdin
()) % (8 * (int) sizeof (__fd_mask)))))) != 0)
)
2566 read_from_terminal = 1;
2567#endif
2568 if (FD_ISSET(s, &readfds)((((&readfds)->__fds_bits)[((s) / (8 * (int) sizeof (__fd_mask
)))] & ((__fd_mask) (1UL << ((s) % (8 * (int) sizeof
(__fd_mask)))))) != 0)
)
2569 read_from_sslcon = 1;
2570 }
2571 if (read_from_terminal) {
2572 if (s_crlf) {
2573 int j, lf_num;
2574
2575 i = raw_read_stdin(buf, bufsize / 2);
2576 lf_num = 0;
2577 /* both loops are skipped when i <= 0 */
2578 for (j = 0; j < i; j++)
2579 if (buf[j] == '\n')
2580 lf_num++;
2581 for (j = i - 1; j >= 0; j--) {
2582 buf[j + lf_num] = buf[j];
2583 if (buf[j] == '\n') {
2584 lf_num--;
2585 i++;
2586 buf[j + lf_num] = '\r';
2587 }
2588 }
2589 assert(lf_num == 0)((void) (0));
2590 } else {
2591 i = raw_read_stdin(buf, bufsize);
2592 }
2593
2594 if (!s_quiet && !s_brief) {
2595 if ((i <= 0) || (buf[0] == 'Q')) {
2596 BIO_printf(bio_s_out, "DONE\n");
2597 (void)BIO_flush(bio_s_out)(int)BIO_ctrl(bio_s_out,11,0,((void*)0));
2598 BIO_closesocket(s);
2599 close_accept_socket();
2600 ret = -11;
2601 goto err;
2602 }
2603 if ((i <= 0) || (buf[0] == 'q')) {
2604 BIO_printf(bio_s_out, "DONE\n");
2605 (void)BIO_flush(bio_s_out)(int)BIO_ctrl(bio_s_out,11,0,((void*)0));
2606 if (SSL_version(con) != DTLS1_VERSION0xFEFF)
2607 BIO_closesocket(s);
2608 /*
2609 * close_accept_socket(); ret= -11;
2610 */
2611 goto err;
2612 }
2613 if ((buf[0] == 'r') && ((buf[1] == '\n') || (buf[1] == '\r'))) {
2614 SSL_renegotiate(con);
2615 i = SSL_do_handshake(con);
2616 printf("SSL_do_handshake -> %d\n", i);
2617 i = 0; /* 13; */
2618 continue;
2619 }
2620 if ((buf[0] == 'R') && ((buf[1] == '\n') || (buf[1] == '\r'))) {
2621 SSL_set_verify(con,
2622 SSL_VERIFY_PEER0x01 | SSL_VERIFY_CLIENT_ONCE0x04,
2623 NULL((void*)0));
2624 SSL_renegotiate(con);
2625 i = SSL_do_handshake(con);
2626 printf("SSL_do_handshake -> %d\n", i);
2627 i = 0; /* 13; */
2628 continue;
2629 }
2630 if ((buf[0] == 'K' || buf[0] == 'k')
2631 && ((buf[1] == '\n') || (buf[1] == '\r'))) {
2632 SSL_key_update(con, buf[0] == 'K' ?
2633 SSL_KEY_UPDATE_REQUESTED1
2634 : SSL_KEY_UPDATE_NOT_REQUESTED0);
2635 i = SSL_do_handshake(con);
2636 printf("SSL_do_handshake -> %d\n", i);
2637 i = 0;
2638 continue;
2639 }
2640 if (buf[0] == 'c' && ((buf[1] == '\n') || (buf[1] == '\r'))) {
2641 SSL_set_verify(con, SSL_VERIFY_PEER0x01, NULL((void*)0));
2642 i = SSL_verify_client_post_handshake(con);
2643 if (i == 0) {
2644 printf("Failed to initiate request\n");
2645 ERR_print_errors(bio_err);
2646 } else {
2647 i = SSL_do_handshake(con);
2648 printf("SSL_do_handshake -> %d\n", i);
2649 i = 0;
2650 }
2651 continue;
2652 }
2653 if (buf[0] == 'P') {
2654 static const char str[] = "Lets print some clear text\n";
2655 BIO_write(SSL_get_wbio(con), str, sizeof(str) -1);
2656 }
2657 if (buf[0] == 'S') {
2658 print_stats(bio_s_out, SSL_get_SSL_CTX(con));
2659 }
2660 }
2661#ifdef CHARSET_EBCDIC
2662 ebcdic2ascii(buf, buf, i);
2663#endif
2664 l = k = 0;
Although the value stored to 'k' is used in the enclosing expression, the value is never actually read from 'k'
2665 for (;;) {
2666 /* should do a select for the write */
2667#ifdef RENEG
2668 static count = 0;
2669 if (++count == 100) {
2670 count = 0;
2671 SSL_renegotiate(con);
2672 }
2673#endif
2674 k = SSL_write(con, &(buf[l]), (unsigned int)i);
2675#ifndef OPENSSL_NO_SRP
2676 while (SSL_get_error(con, k) == SSL_ERROR_WANT_X509_LOOKUP4) {
2677 BIO_printf(bio_s_out, "LOOKUP renego during write\n");
2678
2679 lookup_srp_user(&srp_callback_parm, bio_s_out);
2680
2681 k = SSL_write(con, &(buf[l]), (unsigned int)i);
2682 }
2683#endif
2684 switch (SSL_get_error(con, k)) {
2685 case SSL_ERROR_NONE0:
2686 break;
2687 case SSL_ERROR_WANT_ASYNC9:
2688 BIO_printf(bio_s_out, "Write BLOCK (Async)\n");
2689 (void)BIO_flush(bio_s_out)(int)BIO_ctrl(bio_s_out,11,0,((void*)0));
2690 wait_for_async(con);
2691 break;
2692 case SSL_ERROR_WANT_WRITE3:
2693 case SSL_ERROR_WANT_READ2:
2694 case SSL_ERROR_WANT_X509_LOOKUP4:
2695 BIO_printf(bio_s_out, "Write BLOCK\n");
2696 (void)BIO_flush(bio_s_out)(int)BIO_ctrl(bio_s_out,11,0,((void*)0));
2697 break;
2698 case SSL_ERROR_WANT_ASYNC_JOB10:
2699 /*
2700 * This shouldn't ever happen in s_server. Treat as an error
2701 */
2702 case SSL_ERROR_SYSCALL5:
2703 case SSL_ERROR_SSL1:
2704 BIO_printf(bio_s_out, "ERROR\n");
2705 (void)BIO_flush(bio_s_out)(int)BIO_ctrl(bio_s_out,11,0,((void*)0));
2706 ERR_print_errors(bio_err);
2707 ret = 1;
2708 goto err;
2709 /* break; */
2710 case SSL_ERROR_ZERO_RETURN6:
2711 BIO_printf(bio_s_out, "DONE\n");
2712 (void)BIO_flush(bio_s_out)(int)BIO_ctrl(bio_s_out,11,0,((void*)0));
2713 ret = 1;
2714 goto err;
2715 }
2716 if (k > 0) {
2717 l += k;
2718 i -= k;
2719 }
2720 if (i <= 0)
2721 break;
2722 }
2723 }
2724 if (read_from_sslcon) {
2725 /*
2726 * init_ssl_connection handles all async events itself so if we're
2727 * waiting for async then we shouldn't go back into
2728 * init_ssl_connection
2729 */
2730 if ((!async || !SSL_waiting_for_async(con))
2731 && !SSL_is_init_finished(con)) {
2732 /*
2733 * Count number of reads during init_ssl_connection.
2734 * It helps us to distinguish configuration errors from errors
2735 * caused by a client.
2736 */
2737 unsigned int read_counter = 0;
2738
2739 BIO_set_callback_arg(SSL_get_rbio(con), (char *)&read_counter);
2740 i = init_ssl_connection(con);
2741 BIO_set_callback_arg(SSL_get_rbio(con), NULL((void*)0));
2742
2743 /*
2744 * If initialization fails without reads, then
2745 * there was a fatal error in configuration.
2746 */
2747 if (i <= 0 && read_counter == 0) {
2748 ret = -1;
2749 goto err;
2750 }
2751 if (i < 0) {
2752 ret = 0;
2753 goto err;
2754 } else if (i == 0) {
2755 ret = 1;
2756 goto err;
2757 }
2758 } else {
2759 again:
2760 i = SSL_read(con, (char *)buf, bufsize);
2761#ifndef OPENSSL_NO_SRP
2762 while (SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP4) {
2763 BIO_printf(bio_s_out, "LOOKUP renego during read\n");
2764
2765 lookup_srp_user(&srp_callback_parm, bio_s_out);
2766
2767 i = SSL_read(con, (char *)buf, bufsize);
2768 }
2769#endif
2770 switch (SSL_get_error(con, i)) {
2771 case SSL_ERROR_NONE0:
2772#ifdef CHARSET_EBCDIC
2773 ascii2ebcdic(buf, buf, i);
2774#endif
2775 raw_write_stdout(buf, (unsigned int)i);
2776 (void)BIO_flush(bio_s_out)(int)BIO_ctrl(bio_s_out,11,0,((void*)0));
2777 if (SSL_has_pending(con))
2778 goto again;
2779 break;
2780 case SSL_ERROR_WANT_ASYNC9:
2781 BIO_printf(bio_s_out, "Read BLOCK (Async)\n");
2782 (void)BIO_flush(bio_s_out)(int)BIO_ctrl(bio_s_out,11,0,((void*)0));
2783 wait_for_async(con);
2784 break;
2785 case SSL_ERROR_WANT_WRITE3:
2786 case SSL_ERROR_WANT_READ2:
2787 BIO_printf(bio_s_out, "Read BLOCK\n");
2788 (void)BIO_flush(bio_s_out)(int)BIO_ctrl(bio_s_out,11,0,((void*)0));
2789 break;
2790 case SSL_ERROR_WANT_ASYNC_JOB10:
2791 /*
2792 * This shouldn't ever happen in s_server. Treat as an error
2793 */
2794 case SSL_ERROR_SYSCALL5:
2795 case SSL_ERROR_SSL1:
2796 BIO_printf(bio_s_out, "ERROR\n");
2797 (void)BIO_flush(bio_s_out)(int)BIO_ctrl(bio_s_out,11,0,((void*)0));
2798 ERR_print_errors(bio_err);
2799 ret = 1;
2800 goto err;
2801 case SSL_ERROR_ZERO_RETURN6:
2802 BIO_printf(bio_s_out, "DONE\n");
2803 (void)BIO_flush(bio_s_out)(int)BIO_ctrl(bio_s_out,11,0,((void*)0));
2804 ret = 1;
2805 goto err;
2806 }
2807 }
2808 }
2809 }
2810 err:
2811 if (con != NULL((void*)0)) {
2812 BIO_printf(bio_s_out, "shutting down SSL\n");
2813 do_ssl_shutdown(con);
2814 SSL_free(con);
2815 }
2816 BIO_printf(bio_s_out, "CONNECTION CLOSED\n");
2817 OPENSSL_clear_free(buf, bufsize)CRYPTO_clear_free(buf, bufsize, "../deps/openssl/openssl/apps/s_server.c"
, 2817)
;
2818 return ret;
2819}
2820
2821static void close_accept_socket(void)
2822{
2823 BIO_printf(bio_err, "shutdown accept socket\n");
2824 if (accept_socket >= 0) {
2825 BIO_closesocket(accept_socket);
2826 }
2827}
2828
2829static int is_retryable(SSL *con, int i)
2830{
2831 int err = SSL_get_error(con, i);
2832
2833 /* If it's not a fatal error, it must be retryable */
2834 return (err != SSL_ERROR_SSL1)
2835 && (err != SSL_ERROR_SYSCALL5)
2836 && (err != SSL_ERROR_ZERO_RETURN6);
2837}
2838
2839static int init_ssl_connection(SSL *con)
2840{
2841 int i;
2842 long verify_err;
2843 int retry = 0;
2844
2845 if (dtlslisten || stateless) {
2846 BIO_ADDR *client = NULL((void*)0);
2847
2848 if (dtlslisten) {
2849 if ((client = BIO_ADDR_new()) == NULL((void*)0)) {
2850 BIO_printf(bio_err, "ERROR - memory\n");
2851 return 0;
2852 }
2853 i = DTLSv1_listen(con, client);
2854 } else {
2855 i = SSL_stateless(con);
2856 }
2857 if (i > 0) {
2858 BIO *wbio;
2859 int fd = -1;
2860
2861 if (dtlslisten) {
2862 wbio = SSL_get_wbio(con);
2863 if (wbio) {
2864 BIO_get_fd(wbio, &fd)BIO_ctrl(wbio,105,0,(char *)(&fd));
2865 }
2866
2867 if (!wbio || BIO_connect(fd, client, 0) == 0) {
2868 BIO_printf(bio_err, "ERROR - unable to connect\n");
2869 BIO_ADDR_free(client);
2870 return 0;
2871 }
2872
2873 (void)BIO_ctrl_set_connected(wbio, client)(int)BIO_ctrl(wbio, 32, 0, (char *)(client));
2874 BIO_ADDR_free(client);
2875 dtlslisten = 0;
2876 } else {
2877 stateless = 0;
2878 }
2879 i = SSL_accept(con);
2880 } else {
2881 BIO_ADDR_free(client);
2882 }
2883 } else {
2884 do {
2885 i = SSL_accept(con);
2886
2887 if (i <= 0)
2888 retry = is_retryable(con, i);
2889#ifdef CERT_CB_TEST_RETRY
2890 {
2891 while (i <= 0
2892 && SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP4
2893 && SSL_get_state(con) == TLS_ST_SR_CLNT_HELLO) {
2894 BIO_printf(bio_err,
2895 "LOOKUP from certificate callback during accept\n");
2896 i = SSL_accept(con);
2897 if (i <= 0)
2898 retry = is_retryable(con, i);
2899 }
2900 }
2901#endif
2902
2903#ifndef OPENSSL_NO_SRP
2904 while (i <= 0
2905 && SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP4) {
2906 BIO_printf(bio_s_out, "LOOKUP during accept %s\n",
2907 srp_callback_parm.login);
2908
2909 lookup_srp_user(&srp_callback_parm, bio_s_out);
2910
2911 i = SSL_accept(con);
2912 if (i <= 0)
2913 retry = is_retryable(con, i);
2914 }
2915#endif
2916 } while (i < 0 && SSL_waiting_for_async(con));
2917 }
2918
2919 if (i <= 0) {
2920 if (((dtlslisten || stateless) && i == 0)
2921 || (!dtlslisten && !stateless && retry)) {
2922 BIO_printf(bio_s_out, "DELAY\n");
2923 return 1;
2924 }
2925
2926 BIO_printf(bio_err, "ERROR\n");
2927
2928 verify_err = SSL_get_verify_result(con);
2929 if (verify_err != X509_V_OK0) {
2930 BIO_printf(bio_err, "verify error:%s\n",
2931 X509_verify_cert_error_string(verify_err));
2932 }
2933 /* Always print any error messages */
2934 ERR_print_errors(bio_err);
2935 return 0;
2936 }
2937
2938 print_connection_info(con);
2939 return 1;
2940}
2941
2942static void print_connection_info(SSL *con)
2943{
2944 const char *str;
2945 X509 *peer;
2946 char buf[BUFSIZ8192];
2947#if !defined(OPENSSL_NO_NEXTPROTONEG)
2948 const unsigned char *next_proto_neg;
2949 unsigned next_proto_neg_len;
2950#endif
2951 unsigned char *exportedkeymat;
2952 int i;
2953
2954 if (s_brief)
2955 print_ssl_summary(con);
2956
2957 PEM_write_bio_SSL_SESSION(bio_s_out, SSL_get_session(con));
2958
2959 peer = SSL_get0_peer_certificate(con);
2960 if (peer != NULL((void*)0)) {
2961 BIO_printf(bio_s_out, "Client certificate\n");
2962 PEM_write_bio_X509(bio_s_out, peer);
2963 dump_cert_text(bio_s_out, peer);
2964 peer = NULL((void*)0);
2965 }
2966
2967 if (SSL_get_shared_ciphers(con, buf, sizeof(buf)) != NULL((void*)0))
2968 BIO_printf(bio_s_out, "Shared ciphers:%s\n", buf);
2969 str = SSL_CIPHER_get_name(SSL_get_current_cipher(con));
2970 ssl_print_sigalgs(bio_s_out, con);
2971#ifndef OPENSSL_NO_EC
2972 ssl_print_point_formats(bio_s_out, con);
2973 ssl_print_groups(bio_s_out, con, 0);
2974#endif
2975 print_ca_names(bio_s_out, con);
2976 BIO_printf(bio_s_out, "CIPHER is %s\n", (str != NULL((void*)0)) ? str : "(NONE)");
2977
2978#if !defined(OPENSSL_NO_NEXTPROTONEG)
2979 SSL_get0_next_proto_negotiated(con, &next_proto_neg, &next_proto_neg_len);
2980 if (next_proto_neg) {
2981 BIO_printf(bio_s_out, "NEXTPROTO is ");
2982 BIO_write(bio_s_out, next_proto_neg, next_proto_neg_len);
2983 BIO_printf(bio_s_out, "\n");
2984 }
2985#endif
2986#ifndef OPENSSL_NO_SRTP
2987 {
2988 SRTP_PROTECTION_PROFILE *srtp_profile
2989 = SSL_get_selected_srtp_profile(con);
2990
2991 if (srtp_profile)
2992 BIO_printf(bio_s_out, "SRTP Extension negotiated, profile=%s\n",
2993 srtp_profile->name);
2994 }
2995#endif
2996 if (SSL_session_reused(con))
2997 BIO_printf(bio_s_out, "Reused session-id\n");
2998 BIO_printf(bio_s_out, "Secure Renegotiation IS%s supported\n",
2999 SSL_get_secure_renegotiation_support(con)SSL_ctrl((con), 76, 0, ((void*)0)) ? "" : " NOT");
3000 if ((SSL_get_options(con) & SSL_OP_NO_RENEGOTIATION((uint64_t)1 << (uint64_t)30)))
3001 BIO_printf(bio_s_out, "Renegotiation is DISABLED\n");
3002
3003 if (keymatexportlabel != NULL((void*)0)) {
3004 BIO_printf(bio_s_out, "Keying material exporter:\n");
3005 BIO_printf(bio_s_out, " Label: '%s'\n", keymatexportlabel);
3006 BIO_printf(bio_s_out, " Length: %i bytes\n", keymatexportlen);
3007 exportedkeymat = app_malloc(keymatexportlen, "export key");
3008 if (SSL_export_keying_material(con, exportedkeymat,
3009 keymatexportlen,
3010 keymatexportlabel,
3011 strlen(keymatexportlabel),
3012 NULL((void*)0), 0, 0) <= 0) {
3013 BIO_printf(bio_s_out, " Error\n");
3014 } else {
3015 BIO_printf(bio_s_out, " Keying material: ");
3016 for (i = 0; i < keymatexportlen; i++)
3017 BIO_printf(bio_s_out, "%02X", exportedkeymat[i]);
3018 BIO_printf(bio_s_out, "\n");
3019 }
3020 OPENSSL_free(exportedkeymat)CRYPTO_free(exportedkeymat, "../deps/openssl/openssl/apps/s_server.c"
, 3020)
;
3021 }
3022#ifndef OPENSSL_NO_KTLS
3023 if (BIO_get_ktls_send(SSL_get_wbio(con))(0))
3024 BIO_printf(bio_err, "Using Kernel TLS for sending\n");
3025 if (BIO_get_ktls_recv(SSL_get_rbio(con))(0))
3026 BIO_printf(bio_err, "Using Kernel TLS for receiving\n");
3027#endif
3028
3029 (void)BIO_flush(bio_s_out)(int)BIO_ctrl(bio_s_out,11,0,((void*)0));
3030}
3031
3032static int www_body(int s, int stype, int prot, unsigned char *context)
3033{
3034 char *buf = NULL((void*)0);
3035 int ret = 1;
3036 int i, j, k, dot;
3037 SSL *con;
3038 const SSL_CIPHER *c;
3039 BIO *io, *ssl_bio, *sbio;
3040#ifdef RENEG
3041 int total_bytes = 0;
3042#endif
3043 int width;
3044#ifndef OPENSSL_NO_KTLS
3045 int use_sendfile_for_req = use_sendfile;
3046#endif
3047 fd_set readfds;
3048 const char *opmode;
3049#ifdef CHARSET_EBCDIC
3050 BIO *filter;
3051#endif
3052
3053 /* Set width for a select call if needed */
3054 width = s + 1;
3055
3056 /* as we use BIO_gets(), and it always null terminates data, we need
3057 * to allocate 1 byte longer buffer to fit the full 2^14 byte record */
3058 buf = app_malloc(bufsize + 1, "server www buffer");
3059 io = BIO_new(BIO_f_buffer());
3060 ssl_bio = BIO_new(BIO_f_ssl());
3061 if ((io == NULL((void*)0)) || (ssl_bio == NULL((void*)0)))
3062 goto err;
3063
3064 if (s_nbio) {
3065 if (!BIO_socket_nbio(s, 1))
3066 ERR_print_errors(bio_err);
3067 else if (!s_quiet)
3068 BIO_printf(bio_err, "Turned on non blocking io\n");
3069 }
3070
3071 /* lets make the output buffer a reasonable size */
3072 if (!BIO_set_write_buffer_size(io, bufsize)BIO_int_ctrl(io,117,bufsize,1))
3073 goto err;
3074
3075 if ((con = SSL_new(ctx)) == NULL((void*)0))
3076 goto err;
3077
3078 if (s_tlsextdebug) {
3079 SSL_set_tlsext_debug_callback(con, tlsext_cb)SSL_callback_ctrl(con,56, (void (*)(void))tlsext_cb);
3080 SSL_set_tlsext_debug_arg(con, bio_s_out)SSL_ctrl(con,57,0,bio_s_out);
3081 }
3082
3083 if (context != NULL((void*)0)
3084 && !SSL_set_session_id_context(con, context,
3085 strlen((char *)context))) {
3086 SSL_free(con);
3087 goto err;
3088 }
3089
3090 sbio = BIO_new_socket(s, BIO_NOCLOSE0x00);
3091 if (sbio == NULL((void*)0)) {
3092 SSL_free(con);
3093 goto err;
3094 }
3095
3096 if (s_nbio_test) {
3097 BIO *test;
3098
3099 test = BIO_new(BIO_f_nbio_test());
3100 if (test == NULL((void*)0)) {
3101 SSL_free(con);
3102 BIO_free(sbio);
3103 goto err;
3104 }
3105
3106 sbio = BIO_push(test, sbio);
3107 }
3108 SSL_set_bio(con, sbio, sbio);
3109 SSL_set_accept_state(con);
3110
3111 /* No need to free |con| after this. Done by BIO_free(ssl_bio) */
3112 BIO_set_ssl(ssl_bio, con, BIO_CLOSE)BIO_ctrl(ssl_bio,109,0x01,(char *)(con));
3113 BIO_push(io, ssl_bio);
3114 ssl_bio = NULL((void*)0);
3115#ifdef CHARSET_EBCDIC
3116 filter = BIO_new(BIO_f_ebcdic_filter());
3117 if (filter == NULL((void*)0))
3118 goto err;
3119
3120 io = BIO_push(filter, io);
3121#endif
3122
3123 if (s_debug) {
3124 BIO_set_callback_ex(SSL_get_rbio(con), bio_dump_callback);
3125 BIO_set_callback_arg(SSL_get_rbio(con), (char *)bio_s_out);
3126 }
3127 if (s_msg) {
3128#ifndef OPENSSL_NO_SSL_TRACE
3129 if (s_msg == 2)
3130 SSL_set_msg_callback(con, SSL_trace);
3131 else
3132#endif
3133 SSL_set_msg_callback(con, msg_cb);
3134 SSL_set_msg_callback_arg(con, bio_s_msg ? bio_s_msg : bio_s_out)SSL_ctrl((con), 16, 0, (bio_s_msg ? bio_s_msg : bio_s_out));
3135 }
3136
3137 for (;;) {
3138 i = BIO_gets(io, buf, bufsize + 1);
3139 if (i < 0) { /* error */
3140 if (!BIO_should_retry(io)BIO_test_flags(io, 0x08) && !SSL_waiting_for_async(con)) {
3141 if (!s_quiet)
3142 ERR_print_errors(bio_err);
3143 goto err;
3144 } else {
3145 BIO_printf(bio_s_out, "read R BLOCK\n");
3146#ifndef OPENSSL_NO_SRP
3147 if (BIO_should_io_special(io)BIO_test_flags(io, 0x04)
3148 && BIO_get_retry_reason(io) == BIO_RR_SSL_X509_LOOKUP0x01) {
3149 BIO_printf(bio_s_out, "LOOKUP renego during read\n");
3150
3151 lookup_srp_user(&srp_callback_parm, bio_s_out);
3152
3153 continue;
3154 }
3155#endif
3156 ossl_sleep(1000);
3157 continue;
3158 }
3159 } else if (i == 0) { /* end of input */
3160 ret = 1;
3161 goto end;
3162 }
3163
3164 /* else we have data */
3165 if (((www == 1) && (strncmp("GET ", buf, 4) == 0)) ||
3166 ((www == 2) && (strncmp("GET /stats ", buf, 11) == 0))) {
3167 char *p;
3168 X509 *peer = NULL((void*)0);
3169 STACK_OF(SSL_CIPHER)struct stack_st_SSL_CIPHER *sk;
3170 static const char *space = " ";
3171
3172 if (www == 1 && strncmp("GET /reneg", buf, 10) == 0) {
3173 if (strncmp("GET /renegcert", buf, 14) == 0)
3174 SSL_set_verify(con,
3175 SSL_VERIFY_PEER0x01 | SSL_VERIFY_CLIENT_ONCE0x04,
3176 NULL((void*)0));
3177 i = SSL_renegotiate(con);
3178 BIO_printf(bio_s_out, "SSL_renegotiate -> %d\n", i);
3179 /* Send the HelloRequest */
3180 i = SSL_do_handshake(con);
3181 if (i <= 0) {
3182 BIO_printf(bio_s_out, "SSL_do_handshake() Retval %d\n",
3183 SSL_get_error(con, i));
3184 ERR_print_errors(bio_err);
3185 goto err;
3186 }
3187 /* Wait for a ClientHello to come back */
3188 FD_ZERO(&readfds)do { int __d0, __d1; __asm__ __volatile__ ("cld; rep; " "stosq"
: "=c" (__d0), "=D" (__d1) : "a" (0), "0" (sizeof (fd_set) /
sizeof (__fd_mask)), "1" (&((&readfds)->__fds_bits
)[0]) : "memory"); } while (0)
;
3189 openssl_fdset(s, &readfds)((void) (((&readfds)->__fds_bits)[((s) / (8 * (int) sizeof
(__fd_mask)))] |= ((__fd_mask) (1UL << ((s) % (8 * (int
) sizeof (__fd_mask)))))))
;
3190 i = select(width, (void *)&readfds, NULL((void*)0), NULL((void*)0), NULL((void*)0));
3191 if (i <= 0 || !FD_ISSET(s, &readfds)((((&readfds)->__fds_bits)[((s) / (8 * (int) sizeof (__fd_mask
)))] & ((__fd_mask) (1UL << ((s) % (8 * (int) sizeof
(__fd_mask)))))) != 0)
) {
3192 BIO_printf(bio_s_out,
3193 "Error waiting for client response\n");
3194 ERR_print_errors(bio_err);
3195 goto err;
3196 }
3197 /*
3198 * We're not actually expecting any data here and we ignore
3199 * any that is sent. This is just to force the handshake that
3200 * we're expecting to come from the client. If they haven't
3201 * sent one there's not much we can do.
3202 */
3203 BIO_gets(io, buf, bufsize + 1);
3204 }
3205
3206 BIO_puts(io,
3207 "HTTP/1.0 200 ok\r\nContent-type: text/html\r\n\r\n");
3208 BIO_puts(io, "<HTML><BODY BGCOLOR=\"#ffffff\">\n");
3209 BIO_puts(io, "<pre>\n");
3210 /* BIO_puts(io, OpenSSL_version(OPENSSL_VERSION)); */
3211 BIO_puts(io, "\n");
3212 for (i = 0; i < local_argc; i++) {
3213 const char *myp;
3214 for (myp = local_argv[i]; *myp; myp++)
3215 switch (*myp) {
3216 case '<':
3217 BIO_puts(io, "&lt;");
3218 break;
3219 case '>':
3220 BIO_puts(io, "&gt;");
3221 break;
3222 case '&':
3223 BIO_puts(io, "&amp;");
3224 break;
3225 default:
3226 BIO_write(io, myp, 1);
3227 break;
3228 }
3229 BIO_write(io, " ", 1);
3230 }
3231 BIO_puts(io, "\n");
3232
3233 BIO_printf(io,
3234 "Secure Renegotiation IS%s supported\n",
3235 SSL_get_secure_renegotiation_support(con)SSL_ctrl((con), 76, 0, ((void*)0)) ?
3236 "" : " NOT");
3237
3238 /*
3239 * The following is evil and should not really be done
3240 */
3241 BIO_printf(io, "Ciphers supported in s_server binary\n");
3242 sk = SSL_get_ciphers(con);
3243 j = sk_SSL_CIPHER_num(sk)OPENSSL_sk_num(ossl_check_const_SSL_CIPHER_sk_type(sk));
3244 for (i = 0; i < j; i++) {
3245 c = sk_SSL_CIPHER_value(sk, i)((const SSL_CIPHER *)OPENSSL_sk_value(ossl_check_const_SSL_CIPHER_sk_type
(sk), (i)))
;
3246 BIO_printf(io, "%-11s:%-25s ",
3247 SSL_CIPHER_get_version(c), SSL_CIPHER_get_name(c));
3248 if ((((i + 1) % 2) == 0) && (i + 1 != j))
3249 BIO_puts(io, "\n");
3250 }
3251 BIO_puts(io, "\n");
3252 p = SSL_get_shared_ciphers(con, buf, bufsize);
3253 if (p != NULL((void*)0)) {
3254 BIO_printf(io,
3255 "---\nCiphers common between both SSL end points:\n");
3256 j = i = 0;
3257 while (*p) {
3258 if (*p == ':') {
3259 BIO_write(io, space, 26 - j);
3260 i++;
3261 j = 0;
3262 BIO_write(io, ((i % 3) ? " " : "\n"), 1);
3263 } else {
3264 BIO_write(io, p, 1);
3265 j++;
3266 }
3267 p++;
3268 }
3269 BIO_puts(io, "\n");
3270 }
3271 ssl_print_sigalgs(io, con);
3272#ifndef OPENSSL_NO_EC
3273 ssl_print_groups(io, con, 0);
3274#endif
3275 print_ca_names(io, con);
3276 BIO_printf(io, (SSL_session_reused(con)
3277 ? "---\nReused, " : "---\nNew, "));
3278 c = SSL_get_current_cipher(con);
3279 BIO_printf(io, "%s, Cipher is %s\n",
3280 SSL_CIPHER_get_version(c), SSL_CIPHER_get_name(c));
3281 SSL_SESSION_print(io, SSL_get_session(con));
3282 BIO_printf(io, "---\n");
3283 print_stats(io, SSL_get_SSL_CTX(con));
3284 BIO_printf(io, "---\n");
3285 peer = SSL_get0_peer_certificate(con);
3286 if (peer != NULL((void*)0)) {
3287 BIO_printf(io, "Client certificate\n");
3288 X509_print(io, peer);
3289 PEM_write_bio_X509(io, peer);
3290 peer = NULL((void*)0);
3291 } else {
3292 BIO_puts(io, "no client certificate available\n");
3293 }
3294 BIO_puts(io, "</pre></BODY></HTML>\r\n\r\n");
3295 break;
3296 } else if ((www == 2 || www == 3)
3297 && (strncmp("GET /", buf, 5) == 0)) {
3298 BIO *file;
3299 char *p, *e;
3300 static const char *text =
3301 "HTTP/1.0 200 ok\r\nContent-type: text/plain\r\n\r\n";
3302
3303 /* skip the '/' */
3304 p = &(buf[5]);
3305
3306 dot = 1;
3307 for (e = p; *e != '\0'; e++) {
3308 if (e[0] == ' ')
3309 break;
3310
3311 if (e[0] == ':') {
3312 /* Windows drive. We treat this the same way as ".." */
3313 dot = -1;
3314 break;
3315 }
3316
3317 switch (dot) {
3318 case 1:
3319 dot = (e[0] == '.') ? 2 : 0;
3320 break;
3321 case 2:
3322 dot = (e[0] == '.') ? 3 : 0;
3323 break;
3324 case 3:
3325 dot = (e[0] == '/' || e[0] == '\\') ? -1 : 0;
3326 break;
3327 }
3328 if (dot == 0)
3329 dot = (e[0] == '/' || e[0] == '\\') ? 1 : 0;
3330 }
3331 dot = (dot == 3) || (dot == -1); /* filename contains ".."
3332 * component */
3333
3334 if (*e == '\0') {
3335 BIO_puts(io, text);
3336 BIO_printf(io, "'%s' is an invalid file name\r\n", p);
3337 break;
3338 }
3339 *e = '\0';
3340
3341 if (dot) {
3342 BIO_puts(io, text);
3343 BIO_printf(io, "'%s' contains '..' or ':'\r\n", p);
3344 break;
3345 }
3346
3347 if (*p == '/' || *p == '\\') {
3348 BIO_puts(io, text);
3349 BIO_printf(io, "'%s' is an invalid path\r\n", p);
3350 break;
3351 }
3352
3353 /* if a directory, do the index thang */
3354 if (app_isdir(p) > 0) {
3355 BIO_puts(io, text);
3356 BIO_printf(io, "'%s' is a directory\r\n", p);
3357 break;
3358 }
3359
3360 opmode = (http_server_binmode == 1) ? "rb" : "r";
3361 if ((file = BIO_new_file(p, opmode)) == NULL((void*)0)) {
3362 BIO_puts(io, text);
3363 BIO_printf(io, "Error opening '%s' mode='%s'\r\n", p, opmode);
3364 ERR_print_errors(io);
3365 break;
3366 }
3367
3368 if (!s_quiet)
3369 BIO_printf(bio_err, "FILE:%s\n", p);
3370
3371 if (www == 2) {
3372 i = strlen(p);
3373 if (((i > 5) && (strcmp(&(p[i - 5]), ".html") == 0)) ||
3374 ((i > 4) && (strcmp(&(p[i - 4]), ".php") == 0)) ||
3375 ((i > 4) && (strcmp(&(p[i - 4]), ".htm") == 0)))
3376 BIO_puts(io,
3377 "HTTP/1.0 200 ok\r\nContent-type: text/html\r\n\r\n");
3378 else
3379 BIO_puts(io,
3380 "HTTP/1.0 200 ok\r\nContent-type: text/plain\r\n\r\n");
3381 }
3382 /* send the file */
3383#ifndef OPENSSL_NO_KTLS
3384 if (use_sendfile_for_req && !BIO_get_ktls_send(SSL_get_wbio(con))(0)) {
3385 BIO_printf(bio_err, "Warning: sendfile requested but KTLS is not available\n");
3386 use_sendfile_for_req = 0;
3387 }
3388 if (use_sendfile_for_req) {
3389 FILE *fp = NULL((void*)0);
3390 int fd;
3391 struct stat st;
3392 off_t offset = 0;
3393 size_t filesize;
3394
3395 BIO_get_fp(file, &fp)BIO_ctrl(file,107,0,(char *)(&fp));
3396 fd = fileno(fp);
3397 if (fstat(fd, &st) < 0) {
3398 BIO_printf(io, "Error fstat '%s'\r\n", p);
3399 ERR_print_errors(io);
3400 goto write_error;
3401 }
3402
3403 filesize = st.st_size;
3404 if (((int)BIO_flush(io)(int)BIO_ctrl(io,11,0,((void*)0))) < 0)
3405 goto write_error;
3406
3407 for (;;) {
3408 i = SSL_sendfile(con, fd, offset, filesize, 0);
3409 if (i < 0) {
3410 BIO_printf(io, "Error SSL_sendfile '%s'\r\n", p);
3411 ERR_print_errors(io);
3412 break;
3413 } else {
3414 offset += i;
3415 filesize -= i;
3416 }
3417
3418 if (filesize <= 0) {
3419 if (!s_quiet)
3420 BIO_printf(bio_err, "KTLS SENDFILE '%s' OK\n", p);
3421
3422 break;
3423 }
3424 }
3425 } else
3426#endif
3427 {
3428 for (;;) {
3429 i = BIO_read(file, buf, bufsize);
3430 if (i <= 0)
3431 break;
3432
3433#ifdef RENEG
3434 total_bytes += i;
3435 BIO_printf(bio_err, "%d\n", i);
3436 if (total_bytes > 3 * 1024) {
3437 total_bytes = 0;
3438 BIO_printf(bio_err, "RENEGOTIATE\n");
3439 SSL_renegotiate(con);
3440 }
3441#endif
3442
3443 for (j = 0; j < i;) {
3444#ifdef RENEG
3445 static count = 0;
3446 if (++count == 13)
3447 SSL_renegotiate(con);
3448#endif
3449 k = BIO_write(io, &(buf[j]), i - j);
3450 if (k <= 0) {
3451 if (!BIO_should_retry(io)BIO_test_flags(io, 0x08)
3452 && !SSL_waiting_for_async(con)) {
3453 goto write_error;
3454 } else {
3455 BIO_printf(bio_s_out, "rwrite W BLOCK\n");
3456 }
3457 } else {
3458 j += k;
3459 }
3460 }
3461 }
3462 }
3463 write_error:
3464 BIO_free(file);
3465 break;
3466 }
3467 }
3468
3469 for (;;) {
3470 i = (int)BIO_flush(io)(int)BIO_ctrl(io,11,0,((void*)0));
3471 if (i <= 0) {
3472 if (!BIO_should_retry(io)BIO_test_flags(io, 0x08))
3473 break;
3474 } else
3475 break;
3476 }
3477 end:
3478 /* make sure we re-use sessions */
3479 do_ssl_shutdown(con);
3480
3481 err:
3482 OPENSSL_free(buf)CRYPTO_free(buf, "../deps/openssl/openssl/apps/s_server.c", 3482
)
;
3483 BIO_free(ssl_bio);
3484 BIO_free_all(io);
3485 return ret;
3486}
3487
3488static int rev_body(int s, int stype, int prot, unsigned char *context)
3489{
3490 char *buf = NULL((void*)0);
3491 int i;
3492 int ret = 1;
3493 SSL *con;
3494 BIO *io, *ssl_bio, *sbio;
3495#ifdef CHARSET_EBCDIC
3496 BIO *filter;
3497#endif
3498
3499 /* as we use BIO_gets(), and it always null terminates data, we need
3500 * to allocate 1 byte longer buffer to fit the full 2^14 byte record */
3501 buf = app_malloc(bufsize + 1, "server rev buffer");
3502 io = BIO_new(BIO_f_buffer());
3503 ssl_bio = BIO_new(BIO_f_ssl());
3504 if ((io == NULL((void*)0)) || (ssl_bio == NULL((void*)0)))
3505 goto err;
3506
3507 /* lets make the output buffer a reasonable size */
3508 if (!BIO_set_write_buffer_size(io, bufsize)BIO_int_ctrl(io,117,bufsize,1))
3509 goto err;
3510
3511 if ((con = SSL_new(ctx)) == NULL((void*)0))
3512 goto err;
3513
3514 if (s_tlsextdebug) {
3515 SSL_set_tlsext_debug_callback(con, tlsext_cb)SSL_callback_ctrl(con,56, (void (*)(void))tlsext_cb);
3516 SSL_set_tlsext_debug_arg(con, bio_s_out)SSL_ctrl(con,57,0,bio_s_out);
3517 }
3518 if (context != NULL((void*)0)
3519 && !SSL_set_session_id_context(con, context,
3520 strlen((char *)context))) {
3521 SSL_free(con);
3522 ERR_print_errors(bio_err);
3523 goto err;
3524 }
3525
3526 sbio = BIO_new_socket(s, BIO_NOCLOSE0x00);
3527 if (sbio == NULL((void*)0)) {
3528 SSL_free(con);
3529 ERR_print_errors(bio_err);
3530 goto err;
3531 }
3532
3533 SSL_set_bio(con, sbio, sbio);
3534 SSL_set_accept_state(con);
3535
3536 /* No need to free |con| after this. Done by BIO_free(ssl_bio) */
3537 BIO_set_ssl(ssl_bio, con, BIO_CLOSE)BIO_ctrl(ssl_bio,109,0x01,(char *)(con));
3538 BIO_push(io, ssl_bio);
3539 ssl_bio = NULL((void*)0);
3540#ifdef CHARSET_EBCDIC
3541 filter = BIO_new(BIO_f_ebcdic_filter());
3542 if (filter == NULL((void*)0))
3543 goto err;
3544
3545 io = BIO_push(filter, io);
3546#endif
3547
3548 if (s_debug) {
3549 BIO_set_callback_ex(SSL_get_rbio(con), bio_dump_callback);
3550 BIO_set_callback_arg(SSL_get_rbio(con), (char *)bio_s_out);
3551 }
3552 if (s_msg) {
3553#ifndef OPENSSL_NO_SSL_TRACE
3554 if (s_msg == 2)
3555 SSL_set_msg_callback(con, SSL_trace);
3556 else
3557#endif
3558 SSL_set_msg_callback(con, msg_cb);
3559 SSL_set_msg_callback_arg(con, bio_s_msg ? bio_s_msg : bio_s_out)SSL_ctrl((con), 16, 0, (bio_s_msg ? bio_s_msg : bio_s_out));
3560 }
3561
3562 for (;;) {
3563 i = BIO_do_handshake(io)BIO_ctrl(io,101,0,((void*)0));
3564 if (i > 0)
3565 break;
3566 if (!BIO_should_retry(io)BIO_test_flags(io, 0x08)) {
3567 BIO_puts(bio_err, "CONNECTION FAILURE\n");
3568 ERR_print_errors(bio_err);
3569 goto end;
3570 }
3571#ifndef OPENSSL_NO_SRP
3572 if (BIO_should_io_special(io)BIO_test_flags(io, 0x04)
3573 && BIO_get_retry_reason(io) == BIO_RR_SSL_X509_LOOKUP0x01) {
3574 BIO_printf(bio_s_out, "LOOKUP renego during accept\n");
3575
3576 lookup_srp_user(&srp_callback_parm, bio_s_out);
3577
3578 continue;
3579 }
3580#endif
3581 }
3582 BIO_printf(bio_err, "CONNECTION ESTABLISHED\n");
3583 print_ssl_summary(con);
3584
3585 for (;;) {
3586 i = BIO_gets(io, buf, bufsize + 1);
3587 if (i < 0) { /* error */
3588 if (!BIO_should_retry(io)BIO_test_flags(io, 0x08)) {
3589 if (!s_quiet)
3590 ERR_print_errors(bio_err);
3591 goto err;
3592 } else {
3593 BIO_printf(bio_s_out, "read R BLOCK\n");
3594#ifndef OPENSSL_NO_SRP
3595 if (BIO_should_io_special(io)BIO_test_flags(io, 0x04)
3596 && BIO_get_retry_reason(io) == BIO_RR_SSL_X509_LOOKUP0x01) {
3597 BIO_printf(bio_s_out, "LOOKUP renego during read\n");
3598
3599 lookup_srp_user(&srp_callback_parm, bio_s_out);
3600
3601 continue;
3602 }
3603#endif
3604 ossl_sleep(1000);
3605 continue;
3606 }
3607 } else if (i == 0) { /* end of input */
3608 ret = 1;
3609 BIO_printf(bio_err, "CONNECTION CLOSED\n");
3610 goto end;
3611 } else {
3612 char *p = buf + i - 1;
3613 while (i && (*p == '\n' || *p == '\r')) {
3614 p--;
3615 i--;
3616 }
3617 if (!s_ign_eof && (i == 5) && (strncmp(buf, "CLOSE", 5) == 0)) {
3618 ret = 1;
3619 BIO_printf(bio_err, "CONNECTION CLOSED\n");
3620 goto end;
3621 }
3622 BUF_reverse((unsigned char *)buf, NULL((void*)0), i);
3623 buf[i] = '\n';
3624 BIO_write(io, buf, i + 1);
3625 for (;;) {
3626 i = BIO_flush(io)(int)BIO_ctrl(io,11,0,((void*)0));
3627 if (i > 0)
3628 break;
3629 if (!BIO_should_retry(io)BIO_test_flags(io, 0x08))
3630 goto end;
3631 }
3632 }
3633 }
3634 end:
3635 /* make sure we re-use sessions */
3636 do_ssl_shutdown(con);
3637
3638 err:
3639
3640 OPENSSL_free(buf)CRYPTO_free(buf, "../deps/openssl/openssl/apps/s_server.c", 3640
)
;
3641 BIO_free(ssl_bio);
3642 BIO_free_all(io);
3643 return ret;
3644}
3645
3646#define MAX_SESSION_ID_ATTEMPTS10 10
3647static int generate_session_id(SSL *ssl, unsigned char *id,
3648 unsigned int *id_len)
3649{
3650 unsigned int count = 0;
3651 unsigned int session_id_prefix_len = strlen(session_id_prefix);
3652
3653 do {
3654 if (RAND_bytes(id, *id_len) <= 0)
3655 return 0;
3656 /*
3657 * Prefix the session_id with the required prefix. NB: If our prefix
3658 * is too long, clip it - but there will be worse effects anyway, eg.
3659 * the server could only possibly create 1 session ID (ie. the
3660 * prefix!) so all future session negotiations will fail due to
3661 * conflicts.
3662 */
3663 memcpy(id, session_id_prefix,
3664 (session_id_prefix_len < *id_len) ?
3665 session_id_prefix_len : *id_len);
3666 }
3667 while (SSL_has_matching_session_id(ssl, id, *id_len) &&
3668 (++count < MAX_SESSION_ID_ATTEMPTS10));
3669 if (count >= MAX_SESSION_ID_ATTEMPTS10)
3670 return 0;
3671 return 1;
3672}
3673
3674/*
3675 * By default s_server uses an in-memory cache which caches SSL_SESSION
3676 * structures without any serialization. This hides some bugs which only
3677 * become apparent in deployed servers. By implementing a basic external
3678 * session cache some issues can be debugged using s_server.
3679 */
3680
3681typedef struct simple_ssl_session_st {
3682 unsigned char *id;
3683 unsigned int idlen;
3684 unsigned char *der;
3685 int derlen;
3686 struct simple_ssl_session_st *next;
3687} simple_ssl_session;
3688
3689static simple_ssl_session *first = NULL((void*)0);
3690
3691static int add_session(SSL *ssl, SSL_SESSION *session)
3692{
3693 simple_ssl_session *sess = app_malloc(sizeof(*sess), "get session");
3694 unsigned char *p;
3695
3696 SSL_SESSION_get_id(session, &sess->idlen);
3697 sess->derlen = i2d_SSL_SESSION(session, NULL((void*)0));
3698 if (sess->derlen < 0) {
3699 BIO_printf(bio_err, "Error encoding session\n");
3700 OPENSSL_free(sess)CRYPTO_free(sess, "../deps/openssl/openssl/apps/s_server.c", 3700
)
;
3701 return 0;
3702 }
3703
3704 sess->id = OPENSSL_memdup(SSL_SESSION_get_id(session, NULL), sess->idlen)CRYPTO_memdup((SSL_SESSION_get_id(session, ((void*)0))), sess
->idlen, "../deps/openssl/openssl/apps/s_server.c", 3704)
;
3705 sess->der = app_malloc(sess->derlen, "get session buffer");
3706 if (!sess->id) {
3707 BIO_printf(bio_err, "Out of memory adding to external cache\n");
3708 OPENSSL_free(sess->id)CRYPTO_free(sess->id, "../deps/openssl/openssl/apps/s_server.c"
, 3708)
;
3709 OPENSSL_free(sess->der)CRYPTO_free(sess->der, "../deps/openssl/openssl/apps/s_server.c"
, 3709)
;
3710 OPENSSL_free(sess)CRYPTO_free(sess, "../deps/openssl/openssl/apps/s_server.c", 3710
)
;
3711 return 0;
3712 }
3713 p = sess->der;
3714
3715 /* Assume it still works. */
3716 if (i2d_SSL_SESSION(session, &p) != sess->derlen) {
3717 BIO_printf(bio_err, "Unexpected session encoding length\n");
3718 OPENSSL_free(sess->id)CRYPTO_free(sess->id, "../deps/openssl/openssl/apps/s_server.c"
, 3718)
;
3719 OPENSSL_free(sess->der)CRYPTO_free(sess->der, "../deps/openssl/openssl/apps/s_server.c"
, 3719)
;
3720 OPENSSL_free(sess)CRYPTO_free(sess, "../deps/openssl/openssl/apps/s_server.c", 3720
)
;
3721 return 0;
3722 }
3723
3724 sess->next = first;
3725 first = sess;
3726 BIO_printf(bio_err, "New session added to external cache\n");
3727 return 0;
3728}
3729
3730static SSL_SESSION *get_session(SSL *ssl, const unsigned char *id, int idlen,
3731 int *do_copy)
3732{
3733 simple_ssl_session *sess;
3734 *do_copy = 0;
3735 for (sess = first; sess; sess = sess->next) {
3736 if (idlen == (int)sess->idlen && !memcmp(sess->id, id, idlen)) {
3737 const unsigned char *p = sess->der;
3738 BIO_printf(bio_err, "Lookup session: cache hit\n");
3739 return d2i_SSL_SESSION(NULL((void*)0), &p, sess->derlen);
3740 }
3741 }
3742 BIO_printf(bio_err, "Lookup session: cache miss\n");
3743 return NULL((void*)0);
3744}
3745
3746static void del_session(SSL_CTX *sctx, SSL_SESSION *session)
3747{
3748 simple_ssl_session *sess, *prev = NULL((void*)0);
3749 const unsigned char *id;
3750 unsigned int idlen;
3751 id = SSL_SESSION_get_id(session, &idlen);
3752 for (sess = first; sess; sess = sess->next) {
3753 if (idlen == sess->idlen && !memcmp(sess->id, id, idlen)) {
3754 if (prev)
3755 prev->next = sess->next;
3756 else
3757 first = sess->next;
3758 OPENSSL_free(sess->id)CRYPTO_free(sess->id, "../deps/openssl/openssl/apps/s_server.c"
, 3758)
;
3759 OPENSSL_free(sess->der)CRYPTO_free(sess->der, "../deps/openssl/openssl/apps/s_server.c"
, 3759)
;
3760 OPENSSL_free(sess)CRYPTO_free(sess, "../deps/openssl/openssl/apps/s_server.c", 3760
)
;
3761 return;
3762 }
3763 prev = sess;
3764 }
3765}
3766
3767static void init_session_cache_ctx(SSL_CTX *sctx)
3768{
3769 SSL_CTX_set_session_cache_mode(sctx,SSL_CTX_ctrl(sctx,44,(0x0100|0x0200) | 0x0002,((void*)0))
3770 SSL_SESS_CACHE_NO_INTERNAL |SSL_CTX_ctrl(sctx,44,(0x0100|0x0200) | 0x0002,((void*)0))
3771 SSL_SESS_CACHE_SERVER)SSL_CTX_ctrl(sctx,44,(0x0100|0x0200) | 0x0002,((void*)0));
3772 SSL_CTX_sess_set_new_cb(sctx, add_session);
3773 SSL_CTX_sess_set_get_cb(sctx, get_session);
3774 SSL_CTX_sess_set_remove_cb(sctx, del_session);
3775}
3776
3777static void free_sessions(void)
3778{
3779 simple_ssl_session *sess, *tsess;
3780 for (sess = first; sess;) {
3781 OPENSSL_free(sess->id)CRYPTO_free(sess->id, "../deps/openssl/openssl/apps/s_server.c"
, 3781)
;
3782 OPENSSL_free(sess->der)CRYPTO_free(sess->der, "../deps/openssl/openssl/apps/s_server.c"
, 3782)
;
3783 tsess = sess;
3784 sess = sess->next;
3785 OPENSSL_free(tsess)CRYPTO_free(tsess, "../deps/openssl/openssl/apps/s_server.c",
3785)
;
3786 }
3787 first = NULL((void*)0);
3788}
3789
3790#endif /* OPENSSL_NO_SOCK */