summaryrefslogtreecommitdiff
path: root/src/lib/libssl/src/apps/s_server.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libssl/src/apps/s_server.c')
-rw-r--r--src/lib/libssl/src/apps/s_server.c3015
1 files changed, 1416 insertions, 1599 deletions
diff --git a/src/lib/libssl/src/apps/s_server.c b/src/lib/libssl/src/apps/s_server.c
index 7309f740e4..fb44573854 100644
--- a/src/lib/libssl/src/apps/s_server.c
+++ b/src/lib/libssl/src/apps/s_server.c
@@ -5,21 +5,21 @@
5 * This package is an SSL implementation written 5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com). 6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL. 7 * The implementation was written so as to conform with Netscapes SSL.
8 * 8 *
9 * This library is free for commercial and non-commercial use as long as 9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions 10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA, 11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms 13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 * 15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in 16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed. 17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution 18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used. 19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or 20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package. 21 * in documentation (online or textual) provided with the package.
22 * 22 *
23 * Redistribution and use in source and binary forms, with or without 23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions 24 * modification, are permitted provided that the following conditions
25 * are met: 25 * are met:
@@ -34,10 +34,10 @@
34 * Eric Young (eay@cryptsoft.com)" 34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library 35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-). 36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from 37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement: 38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 * 40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
@@ -49,7 +49,7 @@
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE. 51 * SUCH DAMAGE.
52 * 52 *
53 * The licence and distribution terms for any publically available version or 53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be 54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence 55 * copied and put under another distribution licence
@@ -63,7 +63,7 @@
63 * are met: 63 * are met:
64 * 64 *
65 * 1. Redistributions of source code must retain the above copyright 65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer. 66 * notice, this list of conditions and the following disclaimer.
67 * 67 *
68 * 2. Redistributions in binary form must reproduce the above copyright 68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in 69 * notice, this list of conditions and the following disclaimer in
@@ -110,7 +110,7 @@
110 */ 110 */
111/* ==================================================================== 111/* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 * ECC cipher suite support in OpenSSL originally developed by 113 * ECC cipher suite support in OpenSSL originally developed by
114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. 114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
115 */ 115 */
116/* ==================================================================== 116/* ====================================================================
@@ -184,16 +184,17 @@
184 184
185 185
186#ifndef OPENSSL_NO_RSA 186#ifndef OPENSSL_NO_RSA
187static RSA *tmp_rsa_cb(SSL *s, int is_export, int keylength); 187static RSA *tmp_rsa_cb(SSL * s, int is_export, int keylength);
188#endif 188#endif
189static int sv_body(char *hostname, int s, unsigned char *context); 189static int sv_body(char *hostname, int s, unsigned char *context);
190static int www_body(char *hostname, int s, unsigned char *context); 190static int www_body(char *hostname, int s, unsigned char *context);
191static void close_accept_socket(void ); 191static void close_accept_socket(void);
192static void sv_usage(void); 192static void sv_usage(void);
193static int init_ssl_connection(SSL *s); 193static int init_ssl_connection(SSL * s);
194static void print_stats(BIO *bp,SSL_CTX *ctx); 194static void print_stats(BIO * bp, SSL_CTX * ctx);
195static int generate_session_id(const SSL *ssl, unsigned char *id, 195static int
196 unsigned int *id_len); 196generate_session_id(const SSL * ssl, unsigned char *id,
197 unsigned int *id_len);
197#ifndef OPENSSL_NO_DH 198#ifndef OPENSSL_NO_DH
198static DH *load_dh_param(const char *dhfile); 199static DH *load_dh_param(const char *dhfile);
199static DH *get_dh512(void); 200static DH *get_dh512(void);
@@ -202,29 +203,31 @@ static DH *get_dh512(void);
202static void s_server_init(void); 203static void s_server_init(void);
203 204
204#ifndef OPENSSL_NO_DH 205#ifndef OPENSSL_NO_DH
205static unsigned char dh512_p[]={ 206static unsigned char dh512_p[] = {
206 0xDA,0x58,0x3C,0x16,0xD9,0x85,0x22,0x89,0xD0,0xE4,0xAF,0x75, 207 0xDA, 0x58, 0x3C, 0x16, 0xD9, 0x85, 0x22, 0x89, 0xD0, 0xE4, 0xAF, 0x75,
207 0x6F,0x4C,0xCA,0x92,0xDD,0x4B,0xE5,0x33,0xB8,0x04,0xFB,0x0F, 208 0x6F, 0x4C, 0xCA, 0x92, 0xDD, 0x4B, 0xE5, 0x33, 0xB8, 0x04, 0xFB, 0x0F,
208 0xED,0x94,0xEF,0x9C,0x8A,0x44,0x03,0xED,0x57,0x46,0x50,0xD3, 209 0xED, 0x94, 0xEF, 0x9C, 0x8A, 0x44, 0x03, 0xED, 0x57, 0x46, 0x50, 0xD3,
209 0x69,0x99,0xDB,0x29,0xD7,0x76,0x27,0x6B,0xA2,0xD3,0xD4,0x12, 210 0x69, 0x99, 0xDB, 0x29, 0xD7, 0x76, 0x27, 0x6B, 0xA2, 0xD3, 0xD4, 0x12,
210 0xE2,0x18,0xF4,0xDD,0x1E,0x08,0x4C,0xF6,0xD8,0x00,0x3E,0x7C, 211 0xE2, 0x18, 0xF4, 0xDD, 0x1E, 0x08, 0x4C, 0xF6, 0xD8, 0x00, 0x3E, 0x7C,
211 0x47,0x74,0xE8,0x33, 212 0x47, 0x74, 0xE8, 0x33,
212 }; 213};
213static unsigned char dh512_g[]={ 214static unsigned char dh512_g[] = {
214 0x02, 215 0x02,
215 }; 216};
216 217
217static DH *get_dh512(void) 218static DH *
218 { 219get_dh512(void)
219 DH *dh=NULL; 220{
221 DH *dh = NULL;
220 222
221 if ((dh=DH_new()) == NULL) return(NULL); 223 if ((dh = DH_new()) == NULL)
222 dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL); 224 return (NULL);
223 dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL); 225 dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
226 dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
224 if ((dh->p == NULL) || (dh->g == NULL)) 227 if ((dh->p == NULL) || (dh->g == NULL))
225 return(NULL); 228 return (NULL);
226 return(dh); 229 return (dh);
227 } 230}
228#endif 231#endif
229 232
230 233
@@ -232,8 +235,8 @@ static DH *get_dh512(void)
232 235
233#undef BUFSIZZ 236#undef BUFSIZZ
234#define BUFSIZZ 16*1024 237#define BUFSIZZ 16*1024
235static int bufsize=BUFSIZZ; 238static int bufsize = BUFSIZZ;
236static int accept_socket= -1; 239static int accept_socket = -1;
237 240
238#define TEST_CERT "server.pem" 241#define TEST_CERT "server.pem"
239#ifndef OPENSSL_NO_TLSEXT 242#ifndef OPENSSL_NO_TLSEXT
@@ -244,43 +247,43 @@ static int accept_socket= -1;
244 247
245extern int verify_depth, verify_return_error; 248extern int verify_depth, verify_return_error;
246 249
247static char *cipher=NULL; 250static char *cipher = NULL;
248static int s_server_verify=SSL_VERIFY_NONE; 251static int s_server_verify = SSL_VERIFY_NONE;
249static int s_server_session_id_context = 1; /* anything will do */ 252static int s_server_session_id_context = 1; /* anything will do */
250static const char *s_cert_file=TEST_CERT,*s_key_file=NULL; 253static const char *s_cert_file = TEST_CERT, *s_key_file = NULL;
251#ifndef OPENSSL_NO_TLSEXT 254#ifndef OPENSSL_NO_TLSEXT
252static const char *s_cert_file2=TEST_CERT2,*s_key_file2=NULL; 255static const char *s_cert_file2 = TEST_CERT2, *s_key_file2 = NULL;
253#endif 256#endif
254static char *s_dcert_file=NULL,*s_dkey_file=NULL; 257static char *s_dcert_file = NULL, *s_dkey_file = NULL;
255#ifdef FIONBIO 258#ifdef FIONBIO
256static int s_nbio=0; 259static int s_nbio = 0;
257#endif 260#endif
258static int s_nbio_test=0; 261static int s_nbio_test = 0;
259int s_crlf=0; 262int s_crlf = 0;
260static SSL_CTX *ctx=NULL; 263static SSL_CTX *ctx = NULL;
261#ifndef OPENSSL_NO_TLSEXT 264#ifndef OPENSSL_NO_TLSEXT
262static SSL_CTX *ctx2=NULL; 265static SSL_CTX *ctx2 = NULL;
263#endif 266#endif
264static int www=0; 267static int www = 0;
265 268
266static BIO *bio_s_out=NULL; 269static BIO *bio_s_out = NULL;
267static int s_debug=0; 270static int s_debug = 0;
268#ifndef OPENSSL_NO_TLSEXT 271#ifndef OPENSSL_NO_TLSEXT
269static int s_tlsextdebug=0; 272static int s_tlsextdebug = 0;
270static int s_tlsextstatus=0; 273static int s_tlsextstatus = 0;
271static int cert_status_cb(SSL *s, void *arg); 274static int cert_status_cb(SSL * s, void *arg);
272#endif 275#endif
273static int s_msg=0; 276static int s_msg = 0;
274static int s_quiet=0; 277static int s_quiet = 0;
275 278
276static char *keymatexportlabel=NULL; 279static char *keymatexportlabel = NULL;
277static int keymatexportlen=20; 280static int keymatexportlen = 20;
278 281
279static int hack=0; 282static int hack = 0;
280#ifndef OPENSSL_NO_ENGINE 283#ifndef OPENSSL_NO_ENGINE
281static char *engine_id=NULL; 284static char *engine_id = NULL;
282#endif 285#endif
283static const char *session_id_prefix=NULL; 286static const char *session_id_prefix = NULL;
284 287
285static int enable_timeouts = 0; 288static int enable_timeouts = 0;
286static long socket_mtu; 289static long socket_mtu;
@@ -290,303 +293,296 @@ static int cert_chain = 0;
290 293
291 294
292#ifndef OPENSSL_NO_PSK 295#ifndef OPENSSL_NO_PSK
293static char *psk_identity="Client_identity"; 296static char *psk_identity = "Client_identity";
294char *psk_key=NULL; /* by default PSK is not used */ 297char *psk_key = NULL; /* by default PSK is not used */
295 298
296static unsigned int psk_server_cb(SSL *ssl, const char *identity, 299static unsigned int
297 unsigned char *psk, unsigned int max_psk_len) 300psk_server_cb(SSL * ssl, const char *identity,
298 { 301 unsigned char *psk, unsigned int max_psk_len)
302{
299 unsigned int psk_len = 0; 303 unsigned int psk_len = 0;
300 int ret; 304 int ret;
301 BIGNUM *bn = NULL; 305 BIGNUM *bn = NULL;
302 306
303 if (s_debug) 307 if (s_debug)
304 BIO_printf(bio_s_out,"psk_server_cb\n"); 308 BIO_printf(bio_s_out, "psk_server_cb\n");
305 if (!identity) 309 if (!identity) {
306 { 310 BIO_printf(bio_err, "Error: client did not send PSK identity\n");
307 BIO_printf(bio_err,"Error: client did not send PSK identity\n");
308 goto out_err; 311 goto out_err;
309 } 312 }
310 if (s_debug) 313 if (s_debug)
311 BIO_printf(bio_s_out,"identity_len=%d identity=%s\n", 314 BIO_printf(bio_s_out, "identity_len=%d identity=%s\n",
312 identity ? (int)strlen(identity) : 0, identity); 315 identity ? (int) strlen(identity) : 0, identity);
313 316
314 /* here we could lookup the given identity e.g. from a database */ 317 /* here we could lookup the given identity e.g. from a database */
315 if (strcmp(identity, psk_identity) != 0) 318 if (strcmp(identity, psk_identity) != 0) {
316 { 319 BIO_printf(bio_s_out, "PSK error: client identity not found"
317 BIO_printf(bio_s_out, "PSK error: client identity not found" 320 " (got '%s' expected '%s')\n", identity,
318 " (got '%s' expected '%s')\n", identity, 321 psk_identity);
319 psk_identity);
320 goto out_err; 322 goto out_err;
321 } 323 }
322 if (s_debug) 324 if (s_debug)
323 BIO_printf(bio_s_out, "PSK client identity found\n"); 325 BIO_printf(bio_s_out, "PSK client identity found\n");
324 326
325 /* convert the PSK key to binary */ 327 /* convert the PSK key to binary */
326 ret = BN_hex2bn(&bn, psk_key); 328 ret = BN_hex2bn(&bn, psk_key);
327 if (!ret) 329 if (!ret) {
328 { 330 BIO_printf(bio_err, "Could not convert PSK key '%s' to BIGNUM\n", psk_key);
329 BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", psk_key);
330 if (bn) 331 if (bn)
331 BN_free(bn); 332 BN_free(bn);
332 return 0; 333 return 0;
333 } 334 }
334 if (BN_num_bytes(bn) > (int)max_psk_len) 335 if (BN_num_bytes(bn) > (int) max_psk_len) {
335 { 336 BIO_printf(bio_err, "psk buffer of callback is too small (%d) for key (%d)\n",
336 BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n", 337 max_psk_len, BN_num_bytes(bn));
337 max_psk_len, BN_num_bytes(bn));
338 BN_free(bn); 338 BN_free(bn);
339 return 0; 339 return 0;
340 } 340 }
341
342 ret = BN_bn2bin(bn, psk); 341 ret = BN_bn2bin(bn, psk);
343 BN_free(bn); 342 BN_free(bn);
344 343
345 if (ret < 0) 344 if (ret < 0)
346 goto out_err; 345 goto out_err;
347 psk_len = (unsigned int)ret; 346 psk_len = (unsigned int) ret;
348 347
349 if (s_debug) 348 if (s_debug)
350 BIO_printf(bio_s_out, "fetched PSK len=%d\n", psk_len); 349 BIO_printf(bio_s_out, "fetched PSK len=%d\n", psk_len);
351 return psk_len; 350 return psk_len;
352 out_err: 351out_err:
353 if (s_debug) 352 if (s_debug)
354 BIO_printf(bio_err, "Error in PSK server callback\n"); 353 BIO_printf(bio_err, "Error in PSK server callback\n");
355 return 0; 354 return 0;
356 } 355}
357#endif 356#endif
358 357
359#ifndef OPENSSL_NO_SRP 358#ifndef OPENSSL_NO_SRP
360/* This is a context that we pass to callbacks */ 359/* This is a context that we pass to callbacks */
361typedef struct srpsrvparm_st 360typedef struct srpsrvparm_st {
362 {
363 char *login; 361 char *login;
364 SRP_VBASE *vb; 362 SRP_VBASE *vb;
365 SRP_user_pwd *user; 363 SRP_user_pwd *user;
366 } srpsrvparm; 364} srpsrvparm;
367 365
368/* This callback pretends to require some asynchronous logic in order to obtain 366/* This callback pretends to require some asynchronous logic in order to obtain
369 a verifier. When the callback is called for a new connection we return 367 a verifier. When the callback is called for a new connection we return
370 with a negative value. This will provoke the accept etc to return with 368 with a negative value. This will provoke the accept etc to return with
371 an LOOKUP_X509. The main logic of the reinvokes the suspended call 369 an LOOKUP_X509. The main logic of the reinvokes the suspended call
372 (which would normally occur after a worker has finished) and we 370 (which would normally occur after a worker has finished) and we
373 set the user parameters. 371 set the user parameters.
374*/ 372*/
375static int ssl_srp_server_param_cb(SSL *s, int *ad, void *arg) 373static int
376 { 374ssl_srp_server_param_cb(SSL * s, int *ad, void *arg)
377 srpsrvparm *p = (srpsrvparm *)arg; 375{
378 if (p->login == NULL && p->user == NULL ) 376 srpsrvparm *p = (srpsrvparm *) arg;
379 { 377 if (p->login == NULL && p->user == NULL) {
380 p->login = SSL_get_srp_username(s); 378 p->login = SSL_get_srp_username(s);
381 BIO_printf(bio_err, "SRP username = \"%s\"\n", p->login); 379 BIO_printf(bio_err, "SRP username = \"%s\"\n", p->login);
382 return (-1) ; 380 return (-1);
383 } 381 }
384 382 if (p->user == NULL) {
385 if (p->user == NULL)
386 {
387 BIO_printf(bio_err, "User %s doesn't exist\n", p->login); 383 BIO_printf(bio_err, "User %s doesn't exist\n", p->login);
388 return SSL3_AL_FATAL; 384 return SSL3_AL_FATAL;
389 } 385 }
390 if (SSL_set_srp_server_param(s, p->user->N, p->user->g, p->user->s, p->user->v, 386 if (SSL_set_srp_server_param(s, p->user->N, p->user->g, p->user->s, p->user->v,
391 p->user->info) < 0) 387 p->user->info) < 0) {
392 {
393 *ad = SSL_AD_INTERNAL_ERROR; 388 *ad = SSL_AD_INTERNAL_ERROR;
394 return SSL3_AL_FATAL; 389 return SSL3_AL_FATAL;
395 } 390 }
396 BIO_printf(bio_err, "SRP parameters set: username = \"%s\" info=\"%s\" \n", p->login,p->user->info); 391 BIO_printf(bio_err, "SRP parameters set: username = \"%s\" info=\"%s\" \n", p->login, p->user->info);
397 /* need to check whether there are memory leaks */ 392 /* need to check whether there are memory leaks */
398 p->user = NULL; 393 p->user = NULL;
399 p->login = NULL; 394 p->login = NULL;
400 return SSL_ERROR_NONE; 395 return SSL_ERROR_NONE;
401 } 396}
402 397
403#endif 398#endif
404 399
405static void s_server_init(void) 400static void
406 { 401s_server_init(void)
407 accept_socket=-1; 402{
408 cipher=NULL; 403 accept_socket = -1;
409 s_server_verify=SSL_VERIFY_NONE; 404 cipher = NULL;
410 s_dcert_file=NULL; 405 s_server_verify = SSL_VERIFY_NONE;
411 s_dkey_file=NULL; 406 s_dcert_file = NULL;
412 s_cert_file=TEST_CERT; 407 s_dkey_file = NULL;
413 s_key_file=NULL; 408 s_cert_file = TEST_CERT;
409 s_key_file = NULL;
414#ifndef OPENSSL_NO_TLSEXT 410#ifndef OPENSSL_NO_TLSEXT
415 s_cert_file2=TEST_CERT2; 411 s_cert_file2 = TEST_CERT2;
416 s_key_file2=NULL; 412 s_key_file2 = NULL;
417 ctx2=NULL; 413 ctx2 = NULL;
418#endif 414#endif
419#ifdef FIONBIO 415#ifdef FIONBIO
420 s_nbio=0; 416 s_nbio = 0;
421#endif 417#endif
422 s_nbio_test=0; 418 s_nbio_test = 0;
423 ctx=NULL; 419 ctx = NULL;
424 www=0; 420 www = 0;
425 421
426 bio_s_out=NULL; 422 bio_s_out = NULL;
427 s_debug=0; 423 s_debug = 0;
428 s_msg=0; 424 s_msg = 0;
429 s_quiet=0; 425 s_quiet = 0;
430 hack=0; 426 hack = 0;
431#ifndef OPENSSL_NO_ENGINE 427#ifndef OPENSSL_NO_ENGINE
432 engine_id=NULL; 428 engine_id = NULL;
433#endif 429#endif
434 } 430}
435 431
436static void sv_usage(void) 432static void
437 { 433sv_usage(void)
438 BIO_printf(bio_err,"usage: s_server [args ...]\n"); 434{
439 BIO_printf(bio_err,"\n"); 435 BIO_printf(bio_err, "usage: s_server [args ...]\n");
440 BIO_printf(bio_err," -accept arg - port to accept on (default is %d)\n",PORT); 436 BIO_printf(bio_err, "\n");
441 BIO_printf(bio_err," -context arg - set session ID context\n"); 437 BIO_printf(bio_err, " -accept arg - port to accept on (default is %d)\n", PORT);
442 BIO_printf(bio_err," -verify arg - turn on peer certificate verification\n"); 438 BIO_printf(bio_err, " -context arg - set session ID context\n");
443 BIO_printf(bio_err," -Verify arg - turn on peer certificate verification, must have a cert.\n"); 439 BIO_printf(bio_err, " -verify arg - turn on peer certificate verification\n");
444 BIO_printf(bio_err," -cert arg - certificate file to use\n"); 440 BIO_printf(bio_err, " -Verify arg - turn on peer certificate verification, must have a cert.\n");
445 BIO_printf(bio_err," (default is %s)\n",TEST_CERT); 441 BIO_printf(bio_err, " -cert arg - certificate file to use\n");
446 BIO_printf(bio_err," -crl_check - check the peer certificate has not been revoked by its CA.\n" \ 442 BIO_printf(bio_err, " (default is %s)\n", TEST_CERT);
447 " The CRL(s) are appended to the certificate file\n"); 443 BIO_printf(bio_err, " -crl_check - check the peer certificate has not been revoked by its CA.\n" \
448 BIO_printf(bio_err," -crl_check_all - check the peer certificate has not been revoked by its CA\n" \ 444 " The CRL(s) are appended to the certificate file\n");
449 " or any other CRL in the CA chain. CRL(s) are appened to the\n" \ 445 BIO_printf(bio_err, " -crl_check_all - check the peer certificate has not been revoked by its CA\n" \
450 " the certificate file.\n"); 446 " or any other CRL in the CA chain. CRL(s) are appened to the\n" \
451 BIO_printf(bio_err," -certform arg - certificate format (PEM or DER) PEM default\n"); 447 " the certificate file.\n");
452 BIO_printf(bio_err," -key arg - Private Key file to use, in cert file if\n"); 448 BIO_printf(bio_err, " -certform arg - certificate format (PEM or DER) PEM default\n");
453 BIO_printf(bio_err," not specified (default is %s)\n",TEST_CERT); 449 BIO_printf(bio_err, " -key arg - Private Key file to use, in cert file if\n");
454 BIO_printf(bio_err," -keyform arg - key format (PEM, DER or ENGINE) PEM default\n"); 450 BIO_printf(bio_err, " not specified (default is %s)\n", TEST_CERT);
455 BIO_printf(bio_err," -pass arg - private key file pass phrase source\n"); 451 BIO_printf(bio_err, " -keyform arg - key format (PEM, DER or ENGINE) PEM default\n");
456 BIO_printf(bio_err," -dcert arg - second certificate file to use (usually for DSA)\n"); 452 BIO_printf(bio_err, " -pass arg - private key file pass phrase source\n");
457 BIO_printf(bio_err," -dcertform x - second certificate format (PEM or DER) PEM default\n"); 453 BIO_printf(bio_err, " -dcert arg - second certificate file to use (usually for DSA)\n");
458 BIO_printf(bio_err," -dkey arg - second private key file to use (usually for DSA)\n"); 454 BIO_printf(bio_err, " -dcertform x - second certificate format (PEM or DER) PEM default\n");
459 BIO_printf(bio_err," -dkeyform arg - second key format (PEM, DER or ENGINE) PEM default\n"); 455 BIO_printf(bio_err, " -dkey arg - second private key file to use (usually for DSA)\n");
460 BIO_printf(bio_err," -dpass arg - second private key file pass phrase source\n"); 456 BIO_printf(bio_err, " -dkeyform arg - second key format (PEM, DER or ENGINE) PEM default\n");
461 BIO_printf(bio_err," -dhparam arg - DH parameter file to use, in cert file if not specified\n"); 457 BIO_printf(bio_err, " -dpass arg - second private key file pass phrase source\n");
462 BIO_printf(bio_err," or a default set of parameters is used\n"); 458 BIO_printf(bio_err, " -dhparam arg - DH parameter file to use, in cert file if not specified\n");
459 BIO_printf(bio_err, " or a default set of parameters is used\n");
463#ifndef OPENSSL_NO_ECDH 460#ifndef OPENSSL_NO_ECDH
464 BIO_printf(bio_err," -named_curve arg - Elliptic curve name to use for ephemeral ECDH keys.\n" \ 461 BIO_printf(bio_err, " -named_curve arg - Elliptic curve name to use for ephemeral ECDH keys.\n" \
465 " Use \"openssl ecparam -list_curves\" for all names\n" \ 462 " Use \"openssl ecparam -list_curves\" for all names\n" \
466 " (default is nistp256).\n"); 463 " (default is nistp256).\n");
467#endif 464#endif
468#ifdef FIONBIO 465#ifdef FIONBIO
469 BIO_printf(bio_err," -nbio - Run with non-blocking IO\n"); 466 BIO_printf(bio_err, " -nbio - Run with non-blocking IO\n");
470#endif 467#endif
471 BIO_printf(bio_err," -nbio_test - test with the non-blocking test bio\n"); 468 BIO_printf(bio_err, " -nbio_test - test with the non-blocking test bio\n");
472 BIO_printf(bio_err," -crlf - convert LF from terminal into CRLF\n"); 469 BIO_printf(bio_err, " -crlf - convert LF from terminal into CRLF\n");
473 BIO_printf(bio_err," -debug - Print more output\n"); 470 BIO_printf(bio_err, " -debug - Print more output\n");
474 BIO_printf(bio_err," -msg - Show protocol messages\n"); 471 BIO_printf(bio_err, " -msg - Show protocol messages\n");
475 BIO_printf(bio_err," -state - Print the SSL states\n"); 472 BIO_printf(bio_err, " -state - Print the SSL states\n");
476 BIO_printf(bio_err," -CApath arg - PEM format directory of CA's\n"); 473 BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n");
477 BIO_printf(bio_err," -CAfile arg - PEM format file of CA's\n"); 474 BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n");
478 BIO_printf(bio_err," -nocert - Don't use any certificates (Anon-DH)\n"); 475 BIO_printf(bio_err, " -nocert - Don't use any certificates (Anon-DH)\n");
479 BIO_printf(bio_err," -cipher arg - play with 'openssl ciphers' to see what goes here\n"); 476 BIO_printf(bio_err, " -cipher arg - play with 'openssl ciphers' to see what goes here\n");
480 BIO_printf(bio_err," -serverpref - Use server's cipher preferences\n"); 477 BIO_printf(bio_err, " -serverpref - Use server's cipher preferences\n");
481 BIO_printf(bio_err," -quiet - No server output\n"); 478 BIO_printf(bio_err, " -quiet - No server output\n");
482 BIO_printf(bio_err," -no_tmp_rsa - Do not generate a tmp RSA key\n"); 479 BIO_printf(bio_err, " -no_tmp_rsa - Do not generate a tmp RSA key\n");
483#ifndef OPENSSL_NO_PSK 480#ifndef OPENSSL_NO_PSK
484 BIO_printf(bio_err," -psk_hint arg - PSK identity hint to use\n"); 481 BIO_printf(bio_err, " -psk_hint arg - PSK identity hint to use\n");
485 BIO_printf(bio_err," -psk arg - PSK in hex (without 0x)\n"); 482 BIO_printf(bio_err, " -psk arg - PSK in hex (without 0x)\n");
486# ifndef OPENSSL_NO_JPAKE 483#ifndef OPENSSL_NO_JPAKE
487 BIO_printf(bio_err," -jpake arg - JPAKE secret to use\n"); 484 BIO_printf(bio_err, " -jpake arg - JPAKE secret to use\n");
488# endif 485#endif
489#endif 486#endif
490#ifndef OPENSSL_NO_SRP 487#ifndef OPENSSL_NO_SRP
491 BIO_printf(bio_err," -srpvfile file - The verifier file for SRP\n"); 488 BIO_printf(bio_err, " -srpvfile file - The verifier file for SRP\n");
492 BIO_printf(bio_err," -srpuserseed string - A seed string for a default user salt.\n"); 489 BIO_printf(bio_err, " -srpuserseed string - A seed string for a default user salt.\n");
493#endif 490#endif
494 BIO_printf(bio_err," -ssl2 - Just talk SSLv2\n"); 491 BIO_printf(bio_err, " -ssl2 - Just talk SSLv2\n");
495 BIO_printf(bio_err," -ssl3 - Just talk SSLv3\n"); 492 BIO_printf(bio_err, " -ssl3 - Just talk SSLv3\n");
496 BIO_printf(bio_err," -tls1_2 - Just talk TLSv1.2\n"); 493 BIO_printf(bio_err, " -tls1_2 - Just talk TLSv1.2\n");
497 BIO_printf(bio_err," -tls1_1 - Just talk TLSv1.1\n"); 494 BIO_printf(bio_err, " -tls1_1 - Just talk TLSv1.1\n");
498 BIO_printf(bio_err," -tls1 - Just talk TLSv1\n"); 495 BIO_printf(bio_err, " -tls1 - Just talk TLSv1\n");
499 BIO_printf(bio_err," -dtls1 - Just talk DTLSv1\n"); 496 BIO_printf(bio_err, " -dtls1 - Just talk DTLSv1\n");
500 BIO_printf(bio_err," -timeout - Enable timeouts\n"); 497 BIO_printf(bio_err, " -timeout - Enable timeouts\n");
501 BIO_printf(bio_err," -mtu - Set link layer MTU\n"); 498 BIO_printf(bio_err, " -mtu - Set link layer MTU\n");
502 BIO_printf(bio_err," -chain - Read a certificate chain\n"); 499 BIO_printf(bio_err, " -chain - Read a certificate chain\n");
503 BIO_printf(bio_err," -no_ssl2 - Just disable SSLv2\n"); 500 BIO_printf(bio_err, " -no_ssl2 - Just disable SSLv2\n");
504 BIO_printf(bio_err," -no_ssl3 - Just disable SSLv3\n"); 501 BIO_printf(bio_err, " -no_ssl3 - Just disable SSLv3\n");
505 BIO_printf(bio_err," -no_tls1 - Just disable TLSv1\n"); 502 BIO_printf(bio_err, " -no_tls1 - Just disable TLSv1\n");
506 BIO_printf(bio_err," -no_tls1_1 - Just disable TLSv1.1\n"); 503 BIO_printf(bio_err, " -no_tls1_1 - Just disable TLSv1.1\n");
507 BIO_printf(bio_err," -no_tls1_2 - Just disable TLSv1.2\n"); 504 BIO_printf(bio_err, " -no_tls1_2 - Just disable TLSv1.2\n");
508#ifndef OPENSSL_NO_DH 505#ifndef OPENSSL_NO_DH
509 BIO_printf(bio_err," -no_dhe - Disable ephemeral DH\n"); 506 BIO_printf(bio_err, " -no_dhe - Disable ephemeral DH\n");
510#endif 507#endif
511#ifndef OPENSSL_NO_ECDH 508#ifndef OPENSSL_NO_ECDH
512 BIO_printf(bio_err," -no_ecdhe - Disable ephemeral ECDH\n"); 509 BIO_printf(bio_err, " -no_ecdhe - Disable ephemeral ECDH\n");
513#endif 510#endif
514 BIO_printf(bio_err," -bugs - Turn on SSL bug compatibility\n"); 511 BIO_printf(bio_err, " -bugs - Turn on SSL bug compatibility\n");
515 BIO_printf(bio_err," -www - Respond to a 'GET /' with a status page\n"); 512 BIO_printf(bio_err, " -www - Respond to a 'GET /' with a status page\n");
516 BIO_printf(bio_err," -WWW - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>\n"); 513 BIO_printf(bio_err, " -WWW - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>\n");
517 BIO_printf(bio_err," -HTTP - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>\n"); 514 BIO_printf(bio_err, " -HTTP - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>\n");
518 BIO_printf(bio_err," with the assumption it contains a complete HTTP response.\n"); 515 BIO_printf(bio_err, " with the assumption it contains a complete HTTP response.\n");
519#ifndef OPENSSL_NO_ENGINE 516#ifndef OPENSSL_NO_ENGINE
520 BIO_printf(bio_err," -engine id - Initialise and use the specified engine\n"); 517 BIO_printf(bio_err, " -engine id - Initialise and use the specified engine\n");
521#endif 518#endif
522 BIO_printf(bio_err," -id_prefix arg - Generate SSL/TLS session IDs prefixed by 'arg'\n"); 519 BIO_printf(bio_err, " -id_prefix arg - Generate SSL/TLS session IDs prefixed by 'arg'\n");
523 BIO_printf(bio_err," -rand file%cfile%c...\n", ':', ':'); 520 BIO_printf(bio_err, " -rand file%cfile%c...\n", ':', ':');
524#ifndef OPENSSL_NO_TLSEXT 521#ifndef OPENSSL_NO_TLSEXT
525 BIO_printf(bio_err," -servername host - servername for HostName TLS extension\n"); 522 BIO_printf(bio_err, " -servername host - servername for HostName TLS extension\n");
526 BIO_printf(bio_err," -servername_fatal - on mismatch send fatal alert (default warning alert)\n"); 523 BIO_printf(bio_err, " -servername_fatal - on mismatch send fatal alert (default warning alert)\n");
527 BIO_printf(bio_err," -cert2 arg - certificate file to use for servername\n"); 524 BIO_printf(bio_err, " -cert2 arg - certificate file to use for servername\n");
528 BIO_printf(bio_err," (default is %s)\n",TEST_CERT2); 525 BIO_printf(bio_err, " (default is %s)\n", TEST_CERT2);
529 BIO_printf(bio_err," -key2 arg - Private Key file to use for servername, in cert file if\n"); 526 BIO_printf(bio_err, " -key2 arg - Private Key file to use for servername, in cert file if\n");
530 BIO_printf(bio_err," not specified (default is %s)\n",TEST_CERT2); 527 BIO_printf(bio_err, " not specified (default is %s)\n", TEST_CERT2);
531 BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n"); 528 BIO_printf(bio_err, " -tlsextdebug - hex dump of all TLS extensions received\n");
532 BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n"); 529 BIO_printf(bio_err, " -no_ticket - disable use of RFC4507bis session tickets\n");
533 BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n"); 530 BIO_printf(bio_err, " -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
534# ifndef OPENSSL_NO_NEXTPROTONEG 531#ifndef OPENSSL_NO_NEXTPROTONEG
535 BIO_printf(bio_err," -nextprotoneg arg - set the advertised protocols for the NPN extension (comma-separated list)\n"); 532 BIO_printf(bio_err, " -nextprotoneg arg - set the advertised protocols for the NPN extension (comma-separated list)\n");
536# endif 533#endif
537# ifndef OPENSSL_NO_SRTP 534#ifndef OPENSSL_NO_SRTP
538 BIO_printf(bio_err," -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n"); 535 BIO_printf(bio_err, " -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n");
539# endif 536#endif
540#endif 537#endif
541 BIO_printf(bio_err," -keymatexport label - Export keying material using label\n"); 538 BIO_printf(bio_err, " -keymatexport label - Export keying material using label\n");
542 BIO_printf(bio_err," -keymatexportlen len - Export len bytes of keying material (default 20)\n"); 539 BIO_printf(bio_err, " -keymatexportlen len - Export len bytes of keying material (default 20)\n");
543 } 540}
544 541
545static int local_argc=0; 542static int local_argc = 0;
546static char **local_argv; 543static char **local_argv;
547 544
548#ifndef OPENSSL_NO_TLSEXT 545#ifndef OPENSSL_NO_TLSEXT
549 546
550/* This is a context that we pass to callbacks */ 547/* This is a context that we pass to callbacks */
551typedef struct tlsextctx_st { 548typedef struct tlsextctx_st {
552 char * servername; 549 char *servername;
553 BIO * biodebug; 550 BIO *biodebug;
554 int extension_error; 551 int extension_error;
555} tlsextctx; 552} tlsextctx;
556 553
557 554
558static int ssl_servername_cb(SSL *s, int *ad, void *arg) 555static int
559 { 556ssl_servername_cb(SSL * s, int *ad, void *arg)
560 tlsextctx * p = (tlsextctx *) arg; 557{
561 const char * servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name); 558 tlsextctx *p = (tlsextctx *) arg;
562 if (servername && p->biodebug) 559 const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
563 BIO_printf(p->biodebug,"Hostname in TLS extension: \"%s\"\n",servername); 560 if (servername && p->biodebug)
564 561 BIO_printf(p->biodebug, "Hostname in TLS extension: \"%s\"\n", servername);
562
565 if (!p->servername) 563 if (!p->servername)
566 return SSL_TLSEXT_ERR_NOACK; 564 return SSL_TLSEXT_ERR_NOACK;
567 565
568 if (servername) 566 if (servername) {
569 { 567 if (strcmp(servername, p->servername))
570 if (strcmp(servername,p->servername))
571 return p->extension_error; 568 return p->extension_error;
572 if (ctx2) 569 if (ctx2) {
573 { 570 BIO_printf(p->biodebug, "Switching server context.\n");
574 BIO_printf(p->biodebug,"Switching server context.\n"); 571 SSL_set_SSL_CTX(s, ctx2);
575 SSL_set_SSL_CTX(s,ctx2);
576 }
577 } 572 }
573 }
578 return SSL_TLSEXT_ERR_OK; 574 return SSL_TLSEXT_ERR_OK;
579} 575}
580 576
581/* Structure passed to cert status callback */ 577/* Structure passed to cert status callback */
582 578
583typedef struct tlsextstatusctx_st { 579typedef struct tlsextstatusctx_st {
584 /* Default responder to use */ 580 /* Default responder to use */
585 char *host, *path, *port; 581 char *host, *path, *port;
586 int use_ssl; 582 int use_ssl;
587 int timeout; 583 int timeout;
588 BIO *err; 584 BIO *err;
589 int verbose; 585 int verbose;
590} tlsextstatusctx; 586} tlsextstatusctx;
591 587
592static tlsextstatusctx tlscstatp = {NULL, NULL, NULL, 0, -1, NULL, 0}; 588static tlsextstatusctx tlscstatp = {NULL, NULL, NULL, 0, -1, NULL, 0};
@@ -602,70 +598,65 @@ static tlsextstatusctx tlscstatp = {NULL, NULL, NULL, 0, -1, NULL, 0};
602 * considered "expired". 598 * considered "expired".
603 */ 599 */
604 600
605static int cert_status_cb(SSL *s, void *arg) 601static int
606 { 602cert_status_cb(SSL * s, void *arg)
603{
607 tlsextstatusctx *srctx = arg; 604 tlsextstatusctx *srctx = arg;
608 BIO *err = srctx->err; 605 BIO *err = srctx->err;
609 char *host, *port, *path; 606 char *host, *port, *path;
610 int use_ssl; 607 int use_ssl;
611 unsigned char *rspder = NULL; 608 unsigned char *rspder = NULL;
612 int rspderlen; 609 int rspderlen;
613 STACK_OF(OPENSSL_STRING) *aia = NULL; 610 STACK_OF(OPENSSL_STRING) * aia = NULL;
614 X509 *x = NULL; 611 X509 *x = NULL;
615 X509_STORE_CTX inctx; 612 X509_STORE_CTX inctx;
616 X509_OBJECT obj; 613 X509_OBJECT obj;
617 OCSP_REQUEST *req = NULL; 614 OCSP_REQUEST *req = NULL;
618 OCSP_RESPONSE *resp = NULL; 615 OCSP_RESPONSE *resp = NULL;
619 OCSP_CERTID *id = NULL; 616 OCSP_CERTID *id = NULL;
620 STACK_OF(X509_EXTENSION) *exts; 617 STACK_OF(X509_EXTENSION) * exts;
621 int ret = SSL_TLSEXT_ERR_NOACK; 618 int ret = SSL_TLSEXT_ERR_NOACK;
622 int i; 619 int i;
623#if 0 620#if 0
624STACK_OF(OCSP_RESPID) *ids; 621 STACK_OF(OCSP_RESPID) * ids;
625SSL_get_tlsext_status_ids(s, &ids); 622 SSL_get_tlsext_status_ids(s, &ids);
626BIO_printf(err, "cert_status: received %d ids\n", sk_OCSP_RESPID_num(ids)); 623 BIO_printf(err, "cert_status: received %d ids\n", sk_OCSP_RESPID_num(ids));
627#endif 624#endif
628 if (srctx->verbose) 625 if (srctx->verbose)
629 BIO_puts(err, "cert_status: callback called\n"); 626 BIO_puts(err, "cert_status: callback called\n");
630 /* Build up OCSP query from server certificate */ 627 /* Build up OCSP query from server certificate */
631 x = SSL_get_certificate(s); 628 x = SSL_get_certificate(s);
632 aia = X509_get1_ocsp(x); 629 aia = X509_get1_ocsp(x);
633 if (aia) 630 if (aia) {
634 {
635 if (!OCSP_parse_url(sk_OPENSSL_STRING_value(aia, 0), 631 if (!OCSP_parse_url(sk_OPENSSL_STRING_value(aia, 0),
636 &host, &port, &path, &use_ssl)) 632 &host, &port, &path, &use_ssl)) {
637 {
638 BIO_puts(err, "cert_status: can't parse AIA URL\n"); 633 BIO_puts(err, "cert_status: can't parse AIA URL\n");
639 goto err; 634 goto err;
640 } 635 }
641 if (srctx->verbose) 636 if (srctx->verbose)
642 BIO_printf(err, "cert_status: AIA URL: %s\n", 637 BIO_printf(err, "cert_status: AIA URL: %s\n",
643 sk_OPENSSL_STRING_value(aia, 0)); 638 sk_OPENSSL_STRING_value(aia, 0));
644 } 639 } else {
645 else 640 if (!srctx->host) {
646 {
647 if (!srctx->host)
648 {
649 BIO_puts(srctx->err, "cert_status: no AIA and no default responder URL\n"); 641 BIO_puts(srctx->err, "cert_status: no AIA and no default responder URL\n");
650 goto done; 642 goto done;
651 } 643 }
652 host = srctx->host; 644 host = srctx->host;
653 path = srctx->path; 645 path = srctx->path;
654 port = srctx->port; 646 port = srctx->port;
655 use_ssl = srctx->use_ssl; 647 use_ssl = srctx->use_ssl;
656 } 648 }
657 649
658 if (!X509_STORE_CTX_init(&inctx, 650 if (!X509_STORE_CTX_init(&inctx,
659 SSL_CTX_get_cert_store(SSL_get_SSL_CTX(s)), 651 SSL_CTX_get_cert_store(SSL_get_SSL_CTX(s)),
660 NULL, NULL)) 652 NULL, NULL))
661 goto err; 653 goto err;
662 if (X509_STORE_get_by_subject(&inctx,X509_LU_X509, 654 if (X509_STORE_get_by_subject(&inctx, X509_LU_X509,
663 X509_get_issuer_name(x),&obj) <= 0) 655 X509_get_issuer_name(x), &obj) <= 0) {
664 {
665 BIO_puts(err, "cert_status: Can't retrieve issuer certificate.\n"); 656 BIO_puts(err, "cert_status: Can't retrieve issuer certificate.\n");
666 X509_STORE_CTX_cleanup(&inctx); 657 X509_STORE_CTX_cleanup(&inctx);
667 goto done; 658 goto done;
668 } 659 }
669 req = OCSP_REQUEST_new(); 660 req = OCSP_REQUEST_new();
670 if (!req) 661 if (!req)
671 goto err; 662 goto err;
@@ -679,39 +670,35 @@ BIO_printf(err, "cert_status: received %d ids\n", sk_OCSP_RESPID_num(ids));
679 id = NULL; 670 id = NULL;
680 /* Add any extensions to the request */ 671 /* Add any extensions to the request */
681 SSL_get_tlsext_status_exts(s, &exts); 672 SSL_get_tlsext_status_exts(s, &exts);
682 for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) 673 for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) {
683 {
684 X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, i); 674 X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, i);
685 if (!OCSP_REQUEST_add_ext(req, ext, -1)) 675 if (!OCSP_REQUEST_add_ext(req, ext, -1))
686 goto err; 676 goto err;
687 } 677 }
688 resp = process_responder(err, req, host, path, port, use_ssl, NULL, 678 resp = process_responder(err, req, host, path, port, use_ssl, NULL,
689 srctx->timeout); 679 srctx->timeout);
690 if (!resp) 680 if (!resp) {
691 {
692 BIO_puts(err, "cert_status: error querying responder\n"); 681 BIO_puts(err, "cert_status: error querying responder\n");
693 goto done; 682 goto done;
694 } 683 }
695 rspderlen = i2d_OCSP_RESPONSE(resp, &rspder); 684 rspderlen = i2d_OCSP_RESPONSE(resp, &rspder);
696 if (rspderlen <= 0) 685 if (rspderlen <= 0)
697 goto err; 686 goto err;
698 SSL_set_tlsext_status_ocsp_resp(s, rspder, rspderlen); 687 SSL_set_tlsext_status_ocsp_resp(s, rspder, rspderlen);
699 if (srctx->verbose) 688 if (srctx->verbose) {
700 {
701 BIO_puts(err, "cert_status: ocsp response sent:\n"); 689 BIO_puts(err, "cert_status: ocsp response sent:\n");
702 OCSP_RESPONSE_print(err, resp, 2); 690 OCSP_RESPONSE_print(err, resp, 2);
703 } 691 }
704 ret = SSL_TLSEXT_ERR_OK; 692 ret = SSL_TLSEXT_ERR_OK;
705 done: 693done:
706 if (ret != SSL_TLSEXT_ERR_OK) 694 if (ret != SSL_TLSEXT_ERR_OK)
707 ERR_print_errors(err); 695 ERR_print_errors(err);
708 if (aia) 696 if (aia) {
709 {
710 free(host); 697 free(host);
711 free(path); 698 free(path);
712 free(port); 699 free(port);
713 X509_email_free(aia); 700 X509_email_free(aia);
714 } 701 }
715 if (id) 702 if (id)
716 OCSP_CERTID_free(id); 703 OCSP_CERTID_free(id);
717 if (req) 704 if (req)
@@ -719,28 +706,29 @@ BIO_printf(err, "cert_status: received %d ids\n", sk_OCSP_RESPID_num(ids));
719 if (resp) 706 if (resp)
720 OCSP_RESPONSE_free(resp); 707 OCSP_RESPONSE_free(resp);
721 return ret; 708 return ret;
722 err: 709err:
723 ret = SSL_TLSEXT_ERR_ALERT_FATAL; 710 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
724 goto done; 711 goto done;
725 } 712}
726 713
727# ifndef OPENSSL_NO_NEXTPROTONEG 714#ifndef OPENSSL_NO_NEXTPROTONEG
728/* This is the context that we pass to next_proto_cb */ 715/* This is the context that we pass to next_proto_cb */
729typedef struct tlsextnextprotoctx_st { 716typedef struct tlsextnextprotoctx_st {
730 unsigned char *data; 717 unsigned char *data;
731 unsigned int len; 718 unsigned int len;
732} tlsextnextprotoctx; 719} tlsextnextprotoctx;
733 720
734static int next_proto_cb(SSL *s, const unsigned char **data, unsigned int *len, void *arg) 721static int
735 { 722next_proto_cb(SSL * s, const unsigned char **data, unsigned int *len, void *arg)
723{
736 tlsextnextprotoctx *next_proto = arg; 724 tlsextnextprotoctx *next_proto = arg;
737 725
738 *data = next_proto->data; 726 *data = next_proto->data;
739 *len = next_proto->len; 727 *len = next_proto->len;
740 728
741 return SSL_TLSEXT_ERR_OK; 729 return SSL_TLSEXT_ERR_OK;
742 } 730}
743# endif /* ndef OPENSSL_NO_NEXTPROTONEG */ 731#endif /* ndef OPENSSL_NO_NEXTPROTONEG */
744 732
745 733
746#endif 734#endif
@@ -751,32 +739,33 @@ int MAIN(int, char **);
751static char *jpake_secret = NULL; 739static char *jpake_secret = NULL;
752#endif 740#endif
753#ifndef OPENSSL_NO_SRP 741#ifndef OPENSSL_NO_SRP
754 static srpsrvparm srp_callback_parm; 742static srpsrvparm srp_callback_parm;
755#endif 743#endif
756#ifndef OPENSSL_NO_SRTP 744#ifndef OPENSSL_NO_SRTP
757static char *srtp_profiles = NULL; 745static char *srtp_profiles = NULL;
758#endif 746#endif
759 747
760int MAIN(int argc, char *argv[]) 748int
761 { 749MAIN(int argc, char *argv[])
750{
762 X509_VERIFY_PARAM *vpm = NULL; 751 X509_VERIFY_PARAM *vpm = NULL;
763 int badarg = 0; 752 int badarg = 0;
764 short port=PORT; 753 short port = PORT;
765 char *CApath=NULL,*CAfile=NULL; 754 char *CApath = NULL, *CAfile = NULL;
766 unsigned char *context = NULL; 755 unsigned char *context = NULL;
767 char *dhfile = NULL; 756 char *dhfile = NULL;
768#ifndef OPENSSL_NO_ECDH 757#ifndef OPENSSL_NO_ECDH
769 char *named_curve = NULL; 758 char *named_curve = NULL;
770#endif 759#endif
771 int badop=0,bugs=0; 760 int badop = 0, bugs = 0;
772 int ret=1; 761 int ret = 1;
773 int off=0; 762 int off = 0;
774 int no_tmp_rsa=0,no_dhe=0,no_ecdhe=0,nocert=0; 763 int no_tmp_rsa = 0, no_dhe = 0, no_ecdhe = 0, nocert = 0;
775 int state=0; 764 int state = 0;
776 const SSL_METHOD *meth=NULL; 765 const SSL_METHOD *meth = NULL;
777 int socket_type=SOCK_STREAM; 766 int socket_type = SOCK_STREAM;
778 ENGINE *e=NULL; 767 ENGINE *e = NULL;
779 char *inrand=NULL; 768 char *inrand = NULL;
780 int s_cert_format = FORMAT_PEM, s_key_format = FORMAT_PEM; 769 int s_cert_format = FORMAT_PEM, s_key_format = FORMAT_PEM;
781 char *passarg = NULL, *pass = NULL; 770 char *passarg = NULL, *pass = NULL;
782 char *dpassarg = NULL, *dpass = NULL; 771 char *dpassarg = NULL, *dpass = NULL;
@@ -787,428 +776,388 @@ int MAIN(int argc, char *argv[])
787#ifndef OPENSSL_NO_TLSEXT 776#ifndef OPENSSL_NO_TLSEXT
788 EVP_PKEY *s_key2 = NULL; 777 EVP_PKEY *s_key2 = NULL;
789 X509 *s_cert2 = NULL; 778 X509 *s_cert2 = NULL;
790 tlsextctx tlsextcbp = {NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING}; 779 tlsextctx tlsextcbp = {NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING};
791# ifndef OPENSSL_NO_NEXTPROTONEG 780#ifndef OPENSSL_NO_NEXTPROTONEG
792 const char *next_proto_neg_in = NULL; 781 const char *next_proto_neg_in = NULL;
793 tlsextnextprotoctx next_proto; 782 tlsextnextprotoctx next_proto;
794# endif 783#endif
795#endif 784#endif
796#ifndef OPENSSL_NO_PSK 785#ifndef OPENSSL_NO_PSK
797 /* by default do not send a PSK identity hint */ 786 /* by default do not send a PSK identity hint */
798 static char *psk_identity_hint=NULL; 787 static char *psk_identity_hint = NULL;
799#endif 788#endif
800#ifndef OPENSSL_NO_SRP 789#ifndef OPENSSL_NO_SRP
801 char *srpuserseed = NULL; 790 char *srpuserseed = NULL;
802 char *srp_verifier_file = NULL; 791 char *srp_verifier_file = NULL;
803#endif 792#endif
804 meth=SSLv23_server_method(); 793 meth = SSLv23_server_method();
805 794
806 local_argc=argc; 795 local_argc = argc;
807 local_argv=argv; 796 local_argv = argv;
808 797
809 apps_startup(); 798 apps_startup();
810 s_server_init(); 799 s_server_init();
811 800
812 if (bio_err == NULL) 801 if (bio_err == NULL)
813 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE); 802 bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
814 803
815 if (!load_config(bio_err, NULL)) 804 if (!load_config(bio_err, NULL))
816 goto end; 805 goto end;
817 806
818 verify_depth=0; 807 verify_depth = 0;
819#ifdef FIONBIO 808#ifdef FIONBIO
820 s_nbio=0; 809 s_nbio = 0;
821#endif 810#endif
822 s_nbio_test=0; 811 s_nbio_test = 0;
823 812
824 argc--; 813 argc--;
825 argv++; 814 argv++;
826 815
827 while (argc >= 1) 816 while (argc >= 1) {
828 { 817 if ((strcmp(*argv, "-port") == 0) ||
829 if ((strcmp(*argv,"-port") == 0) || 818 (strcmp(*argv, "-accept") == 0)) {
830 (strcmp(*argv,"-accept") == 0)) 819 if (--argc < 1)
831 { 820 goto bad;
832 if (--argc < 1) goto bad; 821 if (!extract_port(*(++argv), &port))
833 if (!extract_port(*(++argv),&port)) 822 goto bad;
823 } else if (strcmp(*argv, "-verify") == 0) {
824 s_server_verify = SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
825 if (--argc < 1)
826 goto bad;
827 verify_depth = atoi(*(++argv));
828 BIO_printf(bio_err, "verify depth is %d\n", verify_depth);
829 } else if (strcmp(*argv, "-Verify") == 0) {
830 s_server_verify = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT |
831 SSL_VERIFY_CLIENT_ONCE;
832 if (--argc < 1)
833 goto bad;
834 verify_depth = atoi(*(++argv));
835 BIO_printf(bio_err, "verify depth is %d, must return a certificate\n", verify_depth);
836 } else if (strcmp(*argv, "-context") == 0) {
837 if (--argc < 1)
838 goto bad;
839 context = (unsigned char *) *(++argv);
840 } else if (strcmp(*argv, "-cert") == 0) {
841 if (--argc < 1)
842 goto bad;
843 s_cert_file = *(++argv);
844 } else if (strcmp(*argv, "-certform") == 0) {
845 if (--argc < 1)
834 goto bad; 846 goto bad;
835 }
836 else if (strcmp(*argv,"-verify") == 0)
837 {
838 s_server_verify=SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE;
839 if (--argc < 1) goto bad;
840 verify_depth=atoi(*(++argv));
841 BIO_printf(bio_err,"verify depth is %d\n",verify_depth);
842 }
843 else if (strcmp(*argv,"-Verify") == 0)
844 {
845 s_server_verify=SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT|
846 SSL_VERIFY_CLIENT_ONCE;
847 if (--argc < 1) goto bad;
848 verify_depth=atoi(*(++argv));
849 BIO_printf(bio_err,"verify depth is %d, must return a certificate\n",verify_depth);
850 }
851 else if (strcmp(*argv,"-context") == 0)
852 {
853 if (--argc < 1) goto bad;
854 context= (unsigned char *)*(++argv);
855 }
856 else if (strcmp(*argv,"-cert") == 0)
857 {
858 if (--argc < 1) goto bad;
859 s_cert_file= *(++argv);
860 }
861 else if (strcmp(*argv,"-certform") == 0)
862 {
863 if (--argc < 1) goto bad;
864 s_cert_format = str2fmt(*(++argv)); 847 s_cert_format = str2fmt(*(++argv));
865 } 848 } else if (strcmp(*argv, "-key") == 0) {
866 else if (strcmp(*argv,"-key") == 0) 849 if (--argc < 1)
867 { 850 goto bad;
868 if (--argc < 1) goto bad; 851 s_key_file = *(++argv);
869 s_key_file= *(++argv); 852 } else if (strcmp(*argv, "-keyform") == 0) {
870 } 853 if (--argc < 1)
871 else if (strcmp(*argv,"-keyform") == 0) 854 goto bad;
872 {
873 if (--argc < 1) goto bad;
874 s_key_format = str2fmt(*(++argv)); 855 s_key_format = str2fmt(*(++argv));
875 } 856 } else if (strcmp(*argv, "-pass") == 0) {
876 else if (strcmp(*argv,"-pass") == 0) 857 if (--argc < 1)
877 { 858 goto bad;
878 if (--argc < 1) goto bad;
879 passarg = *(++argv); 859 passarg = *(++argv);
880 } 860 } else if (strcmp(*argv, "-dhparam") == 0) {
881 else if (strcmp(*argv,"-dhparam") == 0) 861 if (--argc < 1)
882 { 862 goto bad;
883 if (--argc < 1) goto bad;
884 dhfile = *(++argv); 863 dhfile = *(++argv);
885 } 864 }
886#ifndef OPENSSL_NO_ECDH 865#ifndef OPENSSL_NO_ECDH
887 else if (strcmp(*argv,"-named_curve") == 0) 866 else if (strcmp(*argv, "-named_curve") == 0) {
888 { 867 if (--argc < 1)
889 if (--argc < 1) goto bad; 868 goto bad;
890 named_curve = *(++argv); 869 named_curve = *(++argv);
891 } 870 }
892#endif 871#endif
893 else if (strcmp(*argv,"-dcertform") == 0) 872 else if (strcmp(*argv, "-dcertform") == 0) {
894 { 873 if (--argc < 1)
895 if (--argc < 1) goto bad; 874 goto bad;
896 s_dcert_format = str2fmt(*(++argv)); 875 s_dcert_format = str2fmt(*(++argv));
897 } 876 } else if (strcmp(*argv, "-dcert") == 0) {
898 else if (strcmp(*argv,"-dcert") == 0) 877 if (--argc < 1)
899 { 878 goto bad;
900 if (--argc < 1) goto bad; 879 s_dcert_file = *(++argv);
901 s_dcert_file= *(++argv); 880 } else if (strcmp(*argv, "-dkeyform") == 0) {
902 } 881 if (--argc < 1)
903 else if (strcmp(*argv,"-dkeyform") == 0) 882 goto bad;
904 {
905 if (--argc < 1) goto bad;
906 s_dkey_format = str2fmt(*(++argv)); 883 s_dkey_format = str2fmt(*(++argv));
907 } 884 } else if (strcmp(*argv, "-dpass") == 0) {
908 else if (strcmp(*argv,"-dpass") == 0) 885 if (--argc < 1)
909 { 886 goto bad;
910 if (--argc < 1) goto bad;
911 dpassarg = *(++argv); 887 dpassarg = *(++argv);
912 } 888 } else if (strcmp(*argv, "-dkey") == 0) {
913 else if (strcmp(*argv,"-dkey") == 0) 889 if (--argc < 1)
914 { 890 goto bad;
915 if (--argc < 1) goto bad; 891 s_dkey_file = *(++argv);
916 s_dkey_file= *(++argv); 892 } else if (strcmp(*argv, "-nocert") == 0) {
917 } 893 nocert = 1;
918 else if (strcmp(*argv,"-nocert") == 0) 894 } else if (strcmp(*argv, "-CApath") == 0) {
919 { 895 if (--argc < 1)
920 nocert=1; 896 goto bad;
921 } 897 CApath = *(++argv);
922 else if (strcmp(*argv,"-CApath") == 0) 898 } else if (strcmp(*argv, "-no_cache") == 0)
923 {
924 if (--argc < 1) goto bad;
925 CApath= *(++argv);
926 }
927 else if (strcmp(*argv,"-no_cache") == 0)
928 no_cache = 1; 899 no_cache = 1;
929 else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm)) 900 else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm)) {
930 {
931 if (badarg) 901 if (badarg)
932 goto bad; 902 goto bad;
933 continue; 903 continue;
934 } 904 } else if (strcmp(*argv, "-verify_return_error") == 0)
935 else if (strcmp(*argv,"-verify_return_error") == 0)
936 verify_return_error = 1; 905 verify_return_error = 1;
937 else if (strcmp(*argv,"-serverpref") == 0) 906 else if (strcmp(*argv, "-serverpref") == 0) {
938 { off|=SSL_OP_CIPHER_SERVER_PREFERENCE; } 907 off |= SSL_OP_CIPHER_SERVER_PREFERENCE;
939 else if (strcmp(*argv,"-legacy_renegotiation") == 0) 908 } else if (strcmp(*argv, "-legacy_renegotiation") == 0)
940 off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION; 909 off |= SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
941 else if (strcmp(*argv,"-cipher") == 0) 910 else if (strcmp(*argv, "-cipher") == 0) {
942 { 911 if (--argc < 1)
943 if (--argc < 1) goto bad; 912 goto bad;
944 cipher= *(++argv); 913 cipher = *(++argv);
945 } 914 } else if (strcmp(*argv, "-CAfile") == 0) {
946 else if (strcmp(*argv,"-CAfile") == 0) 915 if (--argc < 1)
947 { 916 goto bad;
948 if (--argc < 1) goto bad; 917 CAfile = *(++argv);
949 CAfile= *(++argv); 918 }
950 } 919#ifdef FIONBIO
951#ifdef FIONBIO 920 else if (strcmp(*argv, "-nbio") == 0) {
952 else if (strcmp(*argv,"-nbio") == 0) 921 s_nbio = 1;
953 { s_nbio=1; } 922 }
954#endif 923#endif
955 else if (strcmp(*argv,"-nbio_test") == 0) 924 else if (strcmp(*argv, "-nbio_test") == 0) {
956 { 925#ifdef FIONBIO
957#ifdef FIONBIO 926 s_nbio = 1;
958 s_nbio=1;
959#endif 927#endif
960 s_nbio_test=1; 928 s_nbio_test = 1;
961 } 929 } else if (strcmp(*argv, "-debug") == 0) {
962 else if (strcmp(*argv,"-debug") == 0) 930 s_debug = 1;
963 { s_debug=1; } 931 }
964#ifndef OPENSSL_NO_TLSEXT 932#ifndef OPENSSL_NO_TLSEXT
965 else if (strcmp(*argv,"-tlsextdebug") == 0) 933 else if (strcmp(*argv, "-tlsextdebug") == 0)
966 s_tlsextdebug=1; 934 s_tlsextdebug = 1;
967 else if (strcmp(*argv,"-status") == 0) 935 else if (strcmp(*argv, "-status") == 0)
968 s_tlsextstatus=1; 936 s_tlsextstatus = 1;
969 else if (strcmp(*argv,"-status_verbose") == 0) 937 else if (strcmp(*argv, "-status_verbose") == 0) {
970 { 938 s_tlsextstatus = 1;
971 s_tlsextstatus=1;
972 tlscstatp.verbose = 1; 939 tlscstatp.verbose = 1;
973 } 940 } else if (!strcmp(*argv, "-status_timeout")) {
974 else if (!strcmp(*argv, "-status_timeout")) 941 s_tlsextstatus = 1;
975 { 942 if (--argc < 1)
976 s_tlsextstatus=1; 943 goto bad;
977 if (--argc < 1) goto bad;
978 tlscstatp.timeout = atoi(*(++argv)); 944 tlscstatp.timeout = atoi(*(++argv));
979 } 945 } else if (!strcmp(*argv, "-status_url")) {
980 else if (!strcmp(*argv, "-status_url")) 946 s_tlsextstatus = 1;
981 { 947 if (--argc < 1)
982 s_tlsextstatus=1; 948 goto bad;
983 if (--argc < 1) goto bad;
984 if (!OCSP_parse_url(*(++argv), 949 if (!OCSP_parse_url(*(++argv),
985 &tlscstatp.host, 950 &tlscstatp.host,
986 &tlscstatp.port, 951 &tlscstatp.port,
987 &tlscstatp.path, 952 &tlscstatp.path,
988 &tlscstatp.use_ssl)) 953 &tlscstatp.use_ssl)) {
989 {
990 BIO_printf(bio_err, "Error parsing URL\n"); 954 BIO_printf(bio_err, "Error parsing URL\n");
991 goto bad; 955 goto bad;
992 }
993 } 956 }
957 }
994#endif 958#endif
995 else if (strcmp(*argv,"-msg") == 0) 959 else if (strcmp(*argv, "-msg") == 0) {
996 { s_msg=1; } 960 s_msg = 1;
997 else if (strcmp(*argv,"-hack") == 0) 961 } else if (strcmp(*argv, "-hack") == 0) {
998 { hack=1; } 962 hack = 1;
999 else if (strcmp(*argv,"-state") == 0) 963 } else if (strcmp(*argv, "-state") == 0) {
1000 { state=1; } 964 state = 1;
1001 else if (strcmp(*argv,"-crlf") == 0) 965 } else if (strcmp(*argv, "-crlf") == 0) {
1002 { s_crlf=1; } 966 s_crlf = 1;
1003 else if (strcmp(*argv,"-quiet") == 0) 967 } else if (strcmp(*argv, "-quiet") == 0) {
1004 { s_quiet=1; } 968 s_quiet = 1;
1005 else if (strcmp(*argv,"-bugs") == 0) 969 } else if (strcmp(*argv, "-bugs") == 0) {
1006 { bugs=1; } 970 bugs = 1;
1007 else if (strcmp(*argv,"-no_tmp_rsa") == 0) 971 } else if (strcmp(*argv, "-no_tmp_rsa") == 0) {
1008 { no_tmp_rsa=1; } 972 no_tmp_rsa = 1;
1009 else if (strcmp(*argv,"-no_dhe") == 0) 973 } else if (strcmp(*argv, "-no_dhe") == 0) {
1010 { no_dhe=1; } 974 no_dhe = 1;
1011 else if (strcmp(*argv,"-no_ecdhe") == 0) 975 } else if (strcmp(*argv, "-no_ecdhe") == 0) {
1012 { no_ecdhe=1; } 976 no_ecdhe = 1;
977 }
1013#ifndef OPENSSL_NO_PSK 978#ifndef OPENSSL_NO_PSK
1014 else if (strcmp(*argv,"-psk_hint") == 0) 979 else if (strcmp(*argv, "-psk_hint") == 0) {
1015 { 980 if (--argc < 1)
1016 if (--argc < 1) goto bad; 981 goto bad;
1017 psk_identity_hint= *(++argv); 982 psk_identity_hint = *(++argv);
1018 } 983 } else if (strcmp(*argv, "-psk") == 0) {
1019 else if (strcmp(*argv,"-psk") == 0)
1020 {
1021 size_t i; 984 size_t i;
1022 985
1023 if (--argc < 1) goto bad; 986 if (--argc < 1)
1024 psk_key=*(++argv); 987 goto bad;
1025 for (i=0; i<strlen(psk_key); i++) 988 psk_key = *(++argv);
1026 { 989 for (i = 0; i < strlen(psk_key); i++) {
1027 if (isxdigit((unsigned char)psk_key[i])) 990 if (isxdigit((unsigned char) psk_key[i]))
1028 continue; 991 continue;
1029 BIO_printf(bio_err,"Not a hex number '%s'\n",*argv); 992 BIO_printf(bio_err, "Not a hex number '%s'\n", *argv);
1030 goto bad; 993 goto bad;
1031 }
1032 } 994 }
995 }
1033#endif 996#endif
1034#ifndef OPENSSL_NO_SRP 997#ifndef OPENSSL_NO_SRP
1035 else if (strcmp(*argv, "-srpvfile") == 0) 998 else if (strcmp(*argv, "-srpvfile") == 0) {
1036 { 999 if (--argc < 1)
1037 if (--argc < 1) goto bad; 1000 goto bad;
1038 srp_verifier_file = *(++argv); 1001 srp_verifier_file = *(++argv);
1039 meth = TLSv1_server_method(); 1002 meth = TLSv1_server_method();
1040 } 1003 } else if (strcmp(*argv, "-srpuserseed") == 0) {
1041 else if (strcmp(*argv, "-srpuserseed") == 0) 1004 if (--argc < 1)
1042 { 1005 goto bad;
1043 if (--argc < 1) goto bad;
1044 srpuserseed = *(++argv); 1006 srpuserseed = *(++argv);
1045 meth = TLSv1_server_method(); 1007 meth = TLSv1_server_method();
1046 } 1008 }
1047#endif 1009#endif
1048 else if (strcmp(*argv,"-www") == 0) 1010 else if (strcmp(*argv, "-www") == 0) {
1049 { www=1; } 1011 www = 1;
1050 else if (strcmp(*argv,"-WWW") == 0) 1012 } else if (strcmp(*argv, "-WWW") == 0) {
1051 { www=2; } 1013 www = 2;
1052 else if (strcmp(*argv,"-HTTP") == 0) 1014 } else if (strcmp(*argv, "-HTTP") == 0) {
1053 { www=3; } 1015 www = 3;
1054 else if (strcmp(*argv,"-no_ssl2") == 0) 1016 } else if (strcmp(*argv, "-no_ssl2") == 0) {
1055 { off|=SSL_OP_NO_SSLv2; } 1017 off |= SSL_OP_NO_SSLv2;
1056 else if (strcmp(*argv,"-no_ssl3") == 0) 1018 } else if (strcmp(*argv, "-no_ssl3") == 0) {
1057 { off|=SSL_OP_NO_SSLv3; } 1019 off |= SSL_OP_NO_SSLv3;
1058 else if (strcmp(*argv,"-no_tls1") == 0) 1020 } else if (strcmp(*argv, "-no_tls1") == 0) {
1059 { off|=SSL_OP_NO_TLSv1; } 1021 off |= SSL_OP_NO_TLSv1;
1060 else if (strcmp(*argv,"-no_tls1_1") == 0) 1022 } else if (strcmp(*argv, "-no_tls1_1") == 0) {
1061 { off|=SSL_OP_NO_TLSv1_1; } 1023 off |= SSL_OP_NO_TLSv1_1;
1062 else if (strcmp(*argv,"-no_tls1_2") == 0) 1024 } else if (strcmp(*argv, "-no_tls1_2") == 0) {
1063 { off|=SSL_OP_NO_TLSv1_2; } 1025 off |= SSL_OP_NO_TLSv1_2;
1064 else if (strcmp(*argv,"-no_comp") == 0) 1026 } else if (strcmp(*argv, "-no_comp") == 0) {
1065 { off|=SSL_OP_NO_COMPRESSION; } 1027 off |= SSL_OP_NO_COMPRESSION;
1028 }
1066#ifndef OPENSSL_NO_TLSEXT 1029#ifndef OPENSSL_NO_TLSEXT
1067 else if (strcmp(*argv,"-no_ticket") == 0) 1030 else if (strcmp(*argv, "-no_ticket") == 0) {
1068 { off|=SSL_OP_NO_TICKET; } 1031 off |= SSL_OP_NO_TICKET;
1069#endif 1032 }
1070 else if (strcmp(*argv,"-ssl3") == 0) 1033#endif
1071 { meth=SSLv3_server_method(); } 1034 else if (strcmp(*argv, "-ssl3") == 0) {
1072 else if (strcmp(*argv,"-tls1") == 0) 1035 meth = SSLv3_server_method();
1073 { meth=TLSv1_server_method(); } 1036 } else if (strcmp(*argv, "-tls1") == 0) {
1074 else if (strcmp(*argv,"-tls1_1") == 0) 1037 meth = TLSv1_server_method();
1075 { meth=TLSv1_1_server_method(); } 1038 } else if (strcmp(*argv, "-tls1_1") == 0) {
1076 else if (strcmp(*argv,"-tls1_2") == 0) 1039 meth = TLSv1_1_server_method();
1077 { meth=TLSv1_2_server_method(); } 1040 } else if (strcmp(*argv, "-tls1_2") == 0) {
1041 meth = TLSv1_2_server_method();
1042 }
1078#ifndef OPENSSL_NO_DTLS1 1043#ifndef OPENSSL_NO_DTLS1
1079 else if (strcmp(*argv,"-dtls1") == 0) 1044 else if (strcmp(*argv, "-dtls1") == 0) {
1080 { 1045 meth = DTLSv1_server_method();
1081 meth=DTLSv1_server_method();
1082 socket_type = SOCK_DGRAM; 1046 socket_type = SOCK_DGRAM;
1083 } 1047 } else if (strcmp(*argv, "-timeout") == 0)
1084 else if (strcmp(*argv,"-timeout") == 0)
1085 enable_timeouts = 1; 1048 enable_timeouts = 1;
1086 else if (strcmp(*argv,"-mtu") == 0) 1049 else if (strcmp(*argv, "-mtu") == 0) {
1087 { 1050 if (--argc < 1)
1088 if (--argc < 1) goto bad; 1051 goto bad;
1089 socket_mtu = atol(*(++argv)); 1052 socket_mtu = atol(*(++argv));
1090 } 1053 } else if (strcmp(*argv, "-chain") == 0)
1091 else if (strcmp(*argv, "-chain") == 0)
1092 cert_chain = 1; 1054 cert_chain = 1;
1093#endif 1055#endif
1094 else if (strcmp(*argv, "-id_prefix") == 0) 1056 else if (strcmp(*argv, "-id_prefix") == 0) {
1095 { 1057 if (--argc < 1)
1096 if (--argc < 1) goto bad; 1058 goto bad;
1097 session_id_prefix = *(++argv); 1059 session_id_prefix = *(++argv);
1098 } 1060 }
1099#ifndef OPENSSL_NO_ENGINE 1061#ifndef OPENSSL_NO_ENGINE
1100 else if (strcmp(*argv,"-engine") == 0) 1062 else if (strcmp(*argv, "-engine") == 0) {
1101 { 1063 if (--argc < 1)
1102 if (--argc < 1) goto bad; 1064 goto bad;
1103 engine_id= *(++argv); 1065 engine_id = *(++argv);
1104 } 1066 }
1105#endif 1067#endif
1106 else if (strcmp(*argv,"-rand") == 0) 1068 else if (strcmp(*argv, "-rand") == 0) {
1107 { 1069 if (--argc < 1)
1108 if (--argc < 1) goto bad; 1070 goto bad;
1109 inrand= *(++argv); 1071 inrand = *(++argv);
1110 } 1072 }
1111#ifndef OPENSSL_NO_TLSEXT 1073#ifndef OPENSSL_NO_TLSEXT
1112 else if (strcmp(*argv,"-servername") == 0) 1074 else if (strcmp(*argv, "-servername") == 0) {
1113 { 1075 if (--argc < 1)
1114 if (--argc < 1) goto bad; 1076 goto bad;
1115 tlsextcbp.servername= *(++argv); 1077 tlsextcbp.servername = *(++argv);
1116 } 1078 } else if (strcmp(*argv, "-servername_fatal") == 0) {
1117 else if (strcmp(*argv,"-servername_fatal") == 0) 1079 tlsextcbp.extension_error = SSL_TLSEXT_ERR_ALERT_FATAL;
1118 { tlsextcbp.extension_error = SSL_TLSEXT_ERR_ALERT_FATAL; } 1080 } else if (strcmp(*argv, "-cert2") == 0) {
1119 else if (strcmp(*argv,"-cert2") == 0) 1081 if (--argc < 1)
1120 { 1082 goto bad;
1121 if (--argc < 1) goto bad; 1083 s_cert_file2 = *(++argv);
1122 s_cert_file2= *(++argv); 1084 } else if (strcmp(*argv, "-key2") == 0) {
1123 } 1085 if (--argc < 1)
1124 else if (strcmp(*argv,"-key2") == 0) 1086 goto bad;
1125 { 1087 s_key_file2 = *(++argv);
1126 if (--argc < 1) goto bad; 1088 }
1127 s_key_file2= *(++argv); 1089#ifndef OPENSSL_NO_NEXTPROTONEG
1128 } 1090 else if (strcmp(*argv, "-nextprotoneg") == 0) {
1129# ifndef OPENSSL_NO_NEXTPROTONEG 1091 if (--argc < 1)
1130 else if (strcmp(*argv,"-nextprotoneg") == 0) 1092 goto bad;
1131 {
1132 if (--argc < 1) goto bad;
1133 next_proto_neg_in = *(++argv); 1093 next_proto_neg_in = *(++argv);
1134 } 1094 }
1135# endif 1095#endif
1136#endif 1096#endif
1137#if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK) 1097#if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
1138 else if (strcmp(*argv,"-jpake") == 0) 1098 else if (strcmp(*argv, "-jpake") == 0) {
1139 { 1099 if (--argc < 1)
1140 if (--argc < 1) goto bad; 1100 goto bad;
1141 jpake_secret = *(++argv); 1101 jpake_secret = *(++argv);
1142 } 1102 }
1143#endif 1103#endif
1144#ifndef OPENSSL_NO_SRTP 1104#ifndef OPENSSL_NO_SRTP
1145 else if (strcmp(*argv,"-use_srtp") == 0) 1105 else if (strcmp(*argv, "-use_srtp") == 0) {
1146 { 1106 if (--argc < 1)
1147 if (--argc < 1) goto bad; 1107 goto bad;
1148 srtp_profiles = *(++argv); 1108 srtp_profiles = *(++argv);
1149 } 1109 }
1150#endif 1110#endif
1151 else if (strcmp(*argv,"-keymatexport") == 0) 1111 else if (strcmp(*argv, "-keymatexport") == 0) {
1152 { 1112 if (--argc < 1)
1153 if (--argc < 1) goto bad; 1113 goto bad;
1154 keymatexportlabel= *(++argv); 1114 keymatexportlabel = *(++argv);
1155 } 1115 } else if (strcmp(*argv, "-keymatexportlen") == 0) {
1156 else if (strcmp(*argv,"-keymatexportlen") == 0) 1116 if (--argc < 1)
1157 { 1117 goto bad;
1158 if (--argc < 1) goto bad; 1118 keymatexportlen = atoi(*(++argv));
1159 keymatexportlen=atoi(*(++argv)); 1119 if (keymatexportlen == 0)
1160 if (keymatexportlen == 0) goto bad; 1120 goto bad;
1161 } 1121 } else {
1162 else 1122 BIO_printf(bio_err, "unknown option %s\n", *argv);
1163 { 1123 badop = 1;
1164 BIO_printf(bio_err,"unknown option %s\n",*argv);
1165 badop=1;
1166 break; 1124 break;
1167 } 1125 }
1168 argc--; 1126 argc--;
1169 argv++; 1127 argv++;
1170 } 1128 }
1171 if (badop) 1129 if (badop) {
1172 {
1173bad: 1130bad:
1174 sv_usage(); 1131 sv_usage();
1175 goto end; 1132 goto end;
1176 } 1133 }
1177
1178#if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK) 1134#if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
1179 if (jpake_secret) 1135 if (jpake_secret) {
1180 { 1136 if (psk_key) {
1181 if (psk_key)
1182 {
1183 BIO_printf(bio_err, 1137 BIO_printf(bio_err,
1184 "Can't use JPAKE and PSK together\n"); 1138 "Can't use JPAKE and PSK together\n");
1185 goto end; 1139 goto end;
1186 } 1140 }
1187 psk_identity = "JPAKE"; 1141 psk_identity = "JPAKE";
1188 if (cipher) 1142 if (cipher) {
1189 {
1190 BIO_printf(bio_err, "JPAKE sets cipher to PSK\n"); 1143 BIO_printf(bio_err, "JPAKE sets cipher to PSK\n");
1191 goto end; 1144 goto end;
1192 }
1193 cipher = "PSK";
1194 } 1145 }
1195 1146 cipher = "PSK";
1147 }
1196#endif 1148#endif
1197 1149
1198 SSL_load_error_strings(); 1150 SSL_load_error_strings();
1199 OpenSSL_add_ssl_algorithms(); 1151 OpenSSL_add_ssl_algorithms();
1200 1152
1201#ifndef OPENSSL_NO_ENGINE 1153#ifndef OPENSSL_NO_ENGINE
1202 e = setup_engine(bio_err, engine_id, 1); 1154 e = setup_engine(bio_err, engine_id, 1);
1203#endif 1155#endif
1204 1156
1205 if (!app_passwd(bio_err, passarg, dpassarg, &pass, &dpass)) 1157 if (!app_passwd(bio_err, passarg, dpassarg, &pass, &dpass)) {
1206 {
1207 BIO_printf(bio_err, "Error getting password\n"); 1158 BIO_printf(bio_err, "Error getting password\n");
1208 goto end; 1159 goto end;
1209 } 1160 }
1210
1211
1212 if (s_key_file == NULL) 1161 if (s_key_file == NULL)
1213 s_key_file = s_cert_file; 1162 s_key_file = s_cert_file;
1214#ifndef OPENSSL_NO_TLSEXT 1163#ifndef OPENSSL_NO_TLSEXT
@@ -1216,162 +1165,138 @@ bad:
1216 s_key_file2 = s_cert_file2; 1165 s_key_file2 = s_cert_file2;
1217#endif 1166#endif
1218 1167
1219 if (nocert == 0) 1168 if (nocert == 0) {
1220 {
1221 s_key = load_key(bio_err, s_key_file, s_key_format, 0, pass, e, 1169 s_key = load_key(bio_err, s_key_file, s_key_format, 0, pass, e,
1222 "server certificate private key file"); 1170 "server certificate private key file");
1223 if (!s_key) 1171 if (!s_key) {
1224 {
1225 ERR_print_errors(bio_err); 1172 ERR_print_errors(bio_err);
1226 goto end; 1173 goto end;
1227 } 1174 }
1228 1175 s_cert = load_cert(bio_err, s_cert_file, s_cert_format,
1229 s_cert = load_cert(bio_err,s_cert_file,s_cert_format, 1176 NULL, e, "server certificate file");
1230 NULL, e, "server certificate file");
1231 1177
1232 if (!s_cert) 1178 if (!s_cert) {
1233 {
1234 ERR_print_errors(bio_err); 1179 ERR_print_errors(bio_err);
1235 goto end; 1180 goto end;
1236 } 1181 }
1237
1238#ifndef OPENSSL_NO_TLSEXT 1182#ifndef OPENSSL_NO_TLSEXT
1239 if (tlsextcbp.servername) 1183 if (tlsextcbp.servername) {
1240 {
1241 s_key2 = load_key(bio_err, s_key_file2, s_key_format, 0, pass, e, 1184 s_key2 = load_key(bio_err, s_key_file2, s_key_format, 0, pass, e,
1242 "second server certificate private key file"); 1185 "second server certificate private key file");
1243 if (!s_key2) 1186 if (!s_key2) {
1244 {
1245 ERR_print_errors(bio_err); 1187 ERR_print_errors(bio_err);
1246 goto end; 1188 goto end;
1247 } 1189 }
1248 1190 s_cert2 = load_cert(bio_err, s_cert_file2, s_cert_format,
1249 s_cert2 = load_cert(bio_err,s_cert_file2,s_cert_format, 1191 NULL, e, "second server certificate file");
1250 NULL, e, "second server certificate file"); 1192
1251 1193 if (!s_cert2) {
1252 if (!s_cert2)
1253 {
1254 ERR_print_errors(bio_err); 1194 ERR_print_errors(bio_err);
1255 goto end; 1195 goto end;
1256 }
1257 } 1196 }
1258#endif
1259 } 1197 }
1260 1198#endif
1261#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) 1199 }
1262 if (next_proto_neg_in) 1200#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
1263 { 1201 if (next_proto_neg_in) {
1264 unsigned short len; 1202 unsigned short len;
1265 next_proto.data = next_protos_parse(&len, next_proto_neg_in); 1203 next_proto.data = next_protos_parse(&len, next_proto_neg_in);
1266 if (next_proto.data == NULL) 1204 if (next_proto.data == NULL)
1267 goto end; 1205 goto end;
1268 next_proto.len = len; 1206 next_proto.len = len;
1269 } 1207 } else {
1270 else
1271 {
1272 next_proto.data = NULL; 1208 next_proto.data = NULL;
1273 } 1209 }
1274#endif 1210#endif
1275 1211
1276 1212
1277 if (s_dcert_file) 1213 if (s_dcert_file) {
1278 {
1279 1214
1280 if (s_dkey_file == NULL) 1215 if (s_dkey_file == NULL)
1281 s_dkey_file = s_dcert_file; 1216 s_dkey_file = s_dcert_file;
1282 1217
1283 s_dkey = load_key(bio_err, s_dkey_file, s_dkey_format, 1218 s_dkey = load_key(bio_err, s_dkey_file, s_dkey_format,
1284 0, dpass, e, 1219 0, dpass, e,
1285 "second certificate private key file"); 1220 "second certificate private key file");
1286 if (!s_dkey) 1221 if (!s_dkey) {
1287 {
1288 ERR_print_errors(bio_err); 1222 ERR_print_errors(bio_err);
1289 goto end; 1223 goto end;
1290 } 1224 }
1291 1225 s_dcert = load_cert(bio_err, s_dcert_file, s_dcert_format,
1292 s_dcert = load_cert(bio_err,s_dcert_file,s_dcert_format, 1226 NULL, e, "second server certificate file");
1293 NULL, e, "second server certificate file");
1294 1227
1295 if (!s_dcert) 1228 if (!s_dcert) {
1296 {
1297 ERR_print_errors(bio_err); 1229 ERR_print_errors(bio_err);
1298 goto end; 1230 goto end;
1299 }
1300
1301 } 1231 }
1302 1232 }
1303 if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL 1233 if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
1304 && !RAND_status()) 1234 && !RAND_status()) {
1305 { 1235 BIO_printf(bio_err, "warning, not much extra random data, consider using the -rand option\n");
1306 BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n"); 1236 }
1307 }
1308 if (inrand != NULL) 1237 if (inrand != NULL)
1309 BIO_printf(bio_err,"%ld semi-random bytes loaded\n", 1238 BIO_printf(bio_err, "%ld semi-random bytes loaded\n",
1310 app_RAND_load_files(inrand)); 1239 app_RAND_load_files(inrand));
1311 1240
1312 if (bio_s_out == NULL) 1241 if (bio_s_out == NULL) {
1313 { 1242 if (s_quiet && !s_debug && !s_msg) {
1314 if (s_quiet && !s_debug && !s_msg) 1243 bio_s_out = BIO_new(BIO_s_null());
1315 { 1244 } else {
1316 bio_s_out=BIO_new(BIO_s_null());
1317 }
1318 else
1319 {
1320 if (bio_s_out == NULL) 1245 if (bio_s_out == NULL)
1321 bio_s_out=BIO_new_fp(stdout,BIO_NOCLOSE); 1246 bio_s_out = BIO_new_fp(stdout, BIO_NOCLOSE);
1322 }
1323 } 1247 }
1324 1248 }
1325#if !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_ECDSA) 1249#if !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_ECDSA)
1326 if (nocert) 1250 if (nocert)
1327#endif 1251#endif
1328 { 1252 {
1329 s_cert_file=NULL; 1253 s_cert_file = NULL;
1330 s_key_file=NULL; 1254 s_key_file = NULL;
1331 s_dcert_file=NULL; 1255 s_dcert_file = NULL;
1332 s_dkey_file=NULL; 1256 s_dkey_file = NULL;
1333#ifndef OPENSSL_NO_TLSEXT 1257#ifndef OPENSSL_NO_TLSEXT
1334 s_cert_file2=NULL; 1258 s_cert_file2 = NULL;
1335 s_key_file2=NULL; 1259 s_key_file2 = NULL;
1336#endif 1260#endif
1337 } 1261 }
1338 1262 ctx = SSL_CTX_new(meth);
1339 ctx=SSL_CTX_new(meth); 1263 if (ctx == NULL) {
1340 if (ctx == NULL)
1341 {
1342 ERR_print_errors(bio_err); 1264 ERR_print_errors(bio_err);
1343 goto end; 1265 goto end;
1344 } 1266 }
1345 if (session_id_prefix) 1267 if (session_id_prefix) {
1346 { 1268 if (strlen(session_id_prefix) >= 32)
1347 if(strlen(session_id_prefix) >= 32)
1348 BIO_printf(bio_err, 1269 BIO_printf(bio_err,
1349"warning: id_prefix is too long, only one new session will be possible\n"); 1270 "warning: id_prefix is too long, only one new session will be possible\n");
1350 else if(strlen(session_id_prefix) >= 16) 1271 else if (strlen(session_id_prefix) >= 16)
1351 BIO_printf(bio_err, 1272 BIO_printf(bio_err,
1352"warning: id_prefix is too long if you use SSLv2\n"); 1273 "warning: id_prefix is too long if you use SSLv2\n");
1353 if(!SSL_CTX_set_generate_session_id(ctx, generate_session_id)) 1274 if (!SSL_CTX_set_generate_session_id(ctx, generate_session_id)) {
1354 { 1275 BIO_printf(bio_err, "error setting 'id_prefix'\n");
1355 BIO_printf(bio_err,"error setting 'id_prefix'\n");
1356 ERR_print_errors(bio_err); 1276 ERR_print_errors(bio_err);
1357 goto end; 1277 goto end;
1358 }
1359 BIO_printf(bio_err,"id_prefix '%s' set.\n", session_id_prefix);
1360 } 1278 }
1361 SSL_CTX_set_quiet_shutdown(ctx,1); 1279 BIO_printf(bio_err, "id_prefix '%s' set.\n", session_id_prefix);
1362 if (bugs) SSL_CTX_set_options(ctx,SSL_OP_ALL); 1280 }
1363 if (hack) SSL_CTX_set_options(ctx,SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG); 1281 SSL_CTX_set_quiet_shutdown(ctx, 1);
1364 SSL_CTX_set_options(ctx,off); 1282 if (bugs)
1365 /* DTLS: partial reads end up discarding unread UDP bytes :-( 1283 SSL_CTX_set_options(ctx, SSL_OP_ALL);
1366 * Setting read ahead solves this problem. 1284 if (hack)
1285 SSL_CTX_set_options(ctx, SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG);
1286 SSL_CTX_set_options(ctx, off);
1287 /*
1288 * DTLS: partial reads end up discarding unread UDP bytes :-( Setting
1289 * read ahead solves this problem.
1367 */ 1290 */
1368 if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1); 1291 if (socket_type == SOCK_DGRAM)
1292 SSL_CTX_set_read_ahead(ctx, 1);
1369 1293
1370 if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback); 1294 if (state)
1295 SSL_CTX_set_info_callback(ctx, apps_ssl_info_callback);
1371 if (no_cache) 1296 if (no_cache)
1372 SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); 1297 SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
1373 else 1298 else
1374 SSL_CTX_sess_set_cache_size(ctx,128); 1299 SSL_CTX_sess_set_cache_size(ctx, 128);
1375 1300
1376#ifndef OPENSSL_NO_SRTP 1301#ifndef OPENSSL_NO_SRTP
1377 if (srtp_profiles != NULL) 1302 if (srtp_profiles != NULL)
@@ -1379,232 +1304,205 @@ bad:
1379#endif 1304#endif
1380 1305
1381#if 0 1306#if 0
1382 if (cipher == NULL) cipher=getenv("SSL_CIPHER"); 1307 if (cipher == NULL)
1308 cipher = getenv("SSL_CIPHER");
1383#endif 1309#endif
1384 1310
1385#if 0 1311#if 0
1386 if (s_cert_file == NULL) 1312 if (s_cert_file == NULL) {
1387 { 1313 BIO_printf(bio_err, "You must specify a certificate file for the server to use\n");
1388 BIO_printf(bio_err,"You must specify a certificate file for the server to use\n");
1389 goto end; 1314 goto end;
1390 } 1315 }
1391#endif 1316#endif
1392 1317
1393 if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) || 1318 if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) ||
1394 (!SSL_CTX_set_default_verify_paths(ctx))) 1319 (!SSL_CTX_set_default_verify_paths(ctx))) {
1395 {
1396 /* BIO_printf(bio_err,"X509_load_verify_locations\n"); */ 1320 /* BIO_printf(bio_err,"X509_load_verify_locations\n"); */
1397 ERR_print_errors(bio_err); 1321 ERR_print_errors(bio_err);
1398 /* goto end; */ 1322 /* goto end; */
1399 } 1323 }
1400 if (vpm) 1324 if (vpm)
1401 SSL_CTX_set1_param(ctx, vpm); 1325 SSL_CTX_set1_param(ctx, vpm);
1402 1326
1403#ifndef OPENSSL_NO_TLSEXT 1327#ifndef OPENSSL_NO_TLSEXT
1404 if (s_cert2) 1328 if (s_cert2) {
1405 { 1329 ctx2 = SSL_CTX_new(meth);
1406 ctx2=SSL_CTX_new(meth); 1330 if (ctx2 == NULL) {
1407 if (ctx2 == NULL)
1408 {
1409 ERR_print_errors(bio_err); 1331 ERR_print_errors(bio_err);
1410 goto end; 1332 goto end;
1411 }
1412 } 1333 }
1413 1334 }
1414 if (ctx2) 1335 if (ctx2) {
1415 { 1336 BIO_printf(bio_s_out, "Setting secondary ctx parameters\n");
1416 BIO_printf(bio_s_out,"Setting secondary ctx parameters\n"); 1337
1417 1338 if (session_id_prefix) {
1418 if (session_id_prefix) 1339 if (strlen(session_id_prefix) >= 32)
1419 {
1420 if(strlen(session_id_prefix) >= 32)
1421 BIO_printf(bio_err, 1340 BIO_printf(bio_err,
1422 "warning: id_prefix is too long, only one new session will be possible\n"); 1341 "warning: id_prefix is too long, only one new session will be possible\n");
1423 else if(strlen(session_id_prefix) >= 16) 1342 else if (strlen(session_id_prefix) >= 16)
1424 BIO_printf(bio_err, 1343 BIO_printf(bio_err,
1425 "warning: id_prefix is too long if you use SSLv2\n"); 1344 "warning: id_prefix is too long if you use SSLv2\n");
1426 if(!SSL_CTX_set_generate_session_id(ctx2, generate_session_id)) 1345 if (!SSL_CTX_set_generate_session_id(ctx2, generate_session_id)) {
1427 { 1346 BIO_printf(bio_err, "error setting 'id_prefix'\n");
1428 BIO_printf(bio_err,"error setting 'id_prefix'\n");
1429 ERR_print_errors(bio_err); 1347 ERR_print_errors(bio_err);
1430 goto end; 1348 goto end;
1431 }
1432 BIO_printf(bio_err,"id_prefix '%s' set.\n", session_id_prefix);
1433 } 1349 }
1434 SSL_CTX_set_quiet_shutdown(ctx2,1); 1350 BIO_printf(bio_err, "id_prefix '%s' set.\n", session_id_prefix);
1435 if (bugs) SSL_CTX_set_options(ctx2,SSL_OP_ALL); 1351 }
1436 if (hack) SSL_CTX_set_options(ctx2,SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG); 1352 SSL_CTX_set_quiet_shutdown(ctx2, 1);
1437 SSL_CTX_set_options(ctx2,off); 1353 if (bugs)
1438 /* DTLS: partial reads end up discarding unread UDP bytes :-( 1354 SSL_CTX_set_options(ctx2, SSL_OP_ALL);
1355 if (hack)
1356 SSL_CTX_set_options(ctx2, SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG);
1357 SSL_CTX_set_options(ctx2, off);
1358 /*
1359 * DTLS: partial reads end up discarding unread UDP bytes :-(
1439 * Setting read ahead solves this problem. 1360 * Setting read ahead solves this problem.
1440 */ 1361 */
1441 if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx2, 1); 1362 if (socket_type == SOCK_DGRAM)
1363 SSL_CTX_set_read_ahead(ctx2, 1);
1442 1364
1443 if (state) SSL_CTX_set_info_callback(ctx2,apps_ssl_info_callback); 1365 if (state)
1366 SSL_CTX_set_info_callback(ctx2, apps_ssl_info_callback);
1444 1367
1445 if (no_cache) 1368 if (no_cache)
1446 SSL_CTX_set_session_cache_mode(ctx2,SSL_SESS_CACHE_OFF); 1369 SSL_CTX_set_session_cache_mode(ctx2, SSL_SESS_CACHE_OFF);
1447 else 1370 else
1448 SSL_CTX_sess_set_cache_size(ctx2,128); 1371 SSL_CTX_sess_set_cache_size(ctx2, 128);
1449 1372
1450 if ((!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) || 1373 if ((!SSL_CTX_load_verify_locations(ctx2, CAfile, CApath)) ||
1451 (!SSL_CTX_set_default_verify_paths(ctx2))) 1374 (!SSL_CTX_set_default_verify_paths(ctx2))) {
1452 {
1453 ERR_print_errors(bio_err); 1375 ERR_print_errors(bio_err);
1454 } 1376 }
1455 if (vpm) 1377 if (vpm)
1456 SSL_CTX_set1_param(ctx2, vpm); 1378 SSL_CTX_set1_param(ctx2, vpm);
1457 } 1379 }
1458 1380#ifndef OPENSSL_NO_NEXTPROTONEG
1459# ifndef OPENSSL_NO_NEXTPROTONEG
1460 if (next_proto.data) 1381 if (next_proto.data)
1461 SSL_CTX_set_next_protos_advertised_cb(ctx, next_proto_cb, &next_proto); 1382 SSL_CTX_set_next_protos_advertised_cb(ctx, next_proto_cb, &next_proto);
1462# endif 1383#endif
1463#endif 1384#endif
1464 1385
1465#ifndef OPENSSL_NO_DH 1386#ifndef OPENSSL_NO_DH
1466 if (!no_dhe) 1387 if (!no_dhe) {
1467 { 1388 DH *dh = NULL;
1468 DH *dh=NULL;
1469 1389
1470 if (dhfile) 1390 if (dhfile)
1471 dh = load_dh_param(dhfile); 1391 dh = load_dh_param(dhfile);
1472 else if (s_cert_file) 1392 else if (s_cert_file)
1473 dh = load_dh_param(s_cert_file); 1393 dh = load_dh_param(s_cert_file);
1474 1394
1475 if (dh != NULL) 1395 if (dh != NULL) {
1476 { 1396 BIO_printf(bio_s_out, "Setting temp DH parameters\n");
1477 BIO_printf(bio_s_out,"Setting temp DH parameters\n"); 1397 } else {
1478 } 1398 BIO_printf(bio_s_out, "Using default temp DH parameters\n");
1479 else 1399 dh = get_dh512();
1480 { 1400 }
1481 BIO_printf(bio_s_out,"Using default temp DH parameters\n"); 1401 (void) BIO_flush(bio_s_out);
1482 dh=get_dh512();
1483 }
1484 (void)BIO_flush(bio_s_out);
1485 1402
1486 SSL_CTX_set_tmp_dh(ctx,dh); 1403 SSL_CTX_set_tmp_dh(ctx, dh);
1487#ifndef OPENSSL_NO_TLSEXT 1404#ifndef OPENSSL_NO_TLSEXT
1488 if (ctx2) 1405 if (ctx2) {
1489 { 1406 if (!dhfile) {
1490 if (!dhfile) 1407 DH *dh2 = load_dh_param(s_cert_file2);
1491 { 1408 if (dh2 != NULL) {
1492 DH *dh2=load_dh_param(s_cert_file2); 1409 BIO_printf(bio_s_out, "Setting temp DH parameters\n");
1493 if (dh2 != NULL) 1410 (void) BIO_flush(bio_s_out);
1494 {
1495 BIO_printf(bio_s_out,"Setting temp DH parameters\n");
1496 (void)BIO_flush(bio_s_out);
1497 1411
1498 DH_free(dh); 1412 DH_free(dh);
1499 dh = dh2; 1413 dh = dh2;
1500 }
1501 } 1414 }
1502 SSL_CTX_set_tmp_dh(ctx2,dh);
1503 } 1415 }
1416 SSL_CTX_set_tmp_dh(ctx2, dh);
1417 }
1504#endif 1418#endif
1505 DH_free(dh); 1419 DH_free(dh);
1506 } 1420 }
1507#endif 1421#endif
1508 1422
1509#ifndef OPENSSL_NO_ECDH 1423#ifndef OPENSSL_NO_ECDH
1510 if (!no_ecdhe) 1424 if (!no_ecdhe) {
1511 { 1425 EC_KEY *ecdh = NULL;
1512 EC_KEY *ecdh=NULL;
1513 1426
1514 if (named_curve) 1427 if (named_curve) {
1515 {
1516 int nid = OBJ_sn2nid(named_curve); 1428 int nid = OBJ_sn2nid(named_curve);
1517 1429
1518 if (nid == 0) 1430 if (nid == 0) {
1519 { 1431 BIO_printf(bio_err, "unknown curve name (%s)\n",
1520 BIO_printf(bio_err, "unknown curve name (%s)\n", 1432 named_curve);
1521 named_curve);
1522 goto end; 1433 goto end;
1523 } 1434 }
1524 ecdh = EC_KEY_new_by_curve_name(nid); 1435 ecdh = EC_KEY_new_by_curve_name(nid);
1525 if (ecdh == NULL) 1436 if (ecdh == NULL) {
1526 { 1437 BIO_printf(bio_err, "unable to create curve (%s)\n",
1527 BIO_printf(bio_err, "unable to create curve (%s)\n", 1438 named_curve);
1528 named_curve);
1529 goto end; 1439 goto end;
1530 }
1531 } 1440 }
1532 1441 }
1533 if (ecdh != NULL) 1442 if (ecdh != NULL) {
1534 { 1443 BIO_printf(bio_s_out, "Setting temp ECDH parameters\n");
1535 BIO_printf(bio_s_out,"Setting temp ECDH parameters\n"); 1444 } else {
1536 } 1445 BIO_printf(bio_s_out, "Using default temp ECDH parameters\n");
1537 else
1538 {
1539 BIO_printf(bio_s_out,"Using default temp ECDH parameters\n");
1540 ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); 1446 ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
1541 if (ecdh == NULL) 1447 if (ecdh == NULL) {
1542 {
1543 BIO_printf(bio_err, "unable to create curve (nistp256)\n"); 1448 BIO_printf(bio_err, "unable to create curve (nistp256)\n");
1544 goto end; 1449 goto end;
1545 }
1546 } 1450 }
1547 (void)BIO_flush(bio_s_out); 1451 }
1452 (void) BIO_flush(bio_s_out);
1548 1453
1549 SSL_CTX_set_tmp_ecdh(ctx,ecdh); 1454 SSL_CTX_set_tmp_ecdh(ctx, ecdh);
1550#ifndef OPENSSL_NO_TLSEXT 1455#ifndef OPENSSL_NO_TLSEXT
1551 if (ctx2) 1456 if (ctx2)
1552 SSL_CTX_set_tmp_ecdh(ctx2,ecdh); 1457 SSL_CTX_set_tmp_ecdh(ctx2, ecdh);
1553#endif 1458#endif
1554 EC_KEY_free(ecdh); 1459 EC_KEY_free(ecdh);
1555 } 1460 }
1556#endif 1461#endif
1557 1462
1558 if (!set_cert_key_stuff(ctx, s_cert, s_key)) 1463 if (!set_cert_key_stuff(ctx, s_cert, s_key))
1559 goto end; 1464 goto end;
1560#ifndef OPENSSL_NO_TLSEXT 1465#ifndef OPENSSL_NO_TLSEXT
1561 if (ctx2 && !set_cert_key_stuff(ctx2,s_cert2,s_key2)) 1466 if (ctx2 && !set_cert_key_stuff(ctx2, s_cert2, s_key2))
1562 goto end; 1467 goto end;
1563#endif 1468#endif
1564 if (s_dcert != NULL) 1469 if (s_dcert != NULL) {
1565 {
1566 if (!set_cert_key_stuff(ctx, s_dcert, s_dkey)) 1470 if (!set_cert_key_stuff(ctx, s_dcert, s_dkey))
1567 goto end; 1471 goto end;
1568 } 1472 }
1569
1570#ifndef OPENSSL_NO_RSA 1473#ifndef OPENSSL_NO_RSA
1571#if 1 1474#if 1
1572 if (!no_tmp_rsa) 1475 if (!no_tmp_rsa) {
1573 { 1476 SSL_CTX_set_tmp_rsa_callback(ctx, tmp_rsa_cb);
1574 SSL_CTX_set_tmp_rsa_callback(ctx,tmp_rsa_cb);
1575#ifndef OPENSSL_NO_TLSEXT 1477#ifndef OPENSSL_NO_TLSEXT
1576 if (ctx2) 1478 if (ctx2)
1577 SSL_CTX_set_tmp_rsa_callback(ctx2,tmp_rsa_cb); 1479 SSL_CTX_set_tmp_rsa_callback(ctx2, tmp_rsa_cb);
1578#endif 1480#endif
1579 } 1481 }
1580#else 1482#else
1581 if (!no_tmp_rsa && SSL_CTX_need_tmp_RSA(ctx)) 1483 if (!no_tmp_rsa && SSL_CTX_need_tmp_RSA(ctx)) {
1582 {
1583 RSA *rsa; 1484 RSA *rsa;
1584 1485
1585 BIO_printf(bio_s_out,"Generating temp (512 bit) RSA key..."); 1486 BIO_printf(bio_s_out, "Generating temp (512 bit) RSA key...");
1586 BIO_flush(bio_s_out); 1487 BIO_flush(bio_s_out);
1587 1488
1588 rsa=RSA_generate_key(512,RSA_F4,NULL); 1489 rsa = RSA_generate_key(512, RSA_F4, NULL);
1589 1490
1590 if (!SSL_CTX_set_tmp_rsa(ctx,rsa)) 1491 if (!SSL_CTX_set_tmp_rsa(ctx, rsa)) {
1591 {
1592 ERR_print_errors(bio_err); 1492 ERR_print_errors(bio_err);
1593 goto end; 1493 goto end;
1594 } 1494 }
1595#ifndef OPENSSL_NO_TLSEXT 1495#ifndef OPENSSL_NO_TLSEXT
1596 if (ctx2) 1496 if (ctx2) {
1597 { 1497 if (!SSL_CTX_set_tmp_rsa(ctx2, rsa)) {
1598 if (!SSL_CTX_set_tmp_rsa(ctx2,rsa)) 1498 ERR_print_errors(bio_err);
1599 { 1499 goto end;
1600 ERR_print_errors(bio_err); 1500 }
1601 goto end; 1501 }
1602 }
1603 }
1604#endif 1502#endif
1605 RSA_free(rsa); 1503 RSA_free(rsa);
1606 BIO_printf(bio_s_out,"\n"); 1504 BIO_printf(bio_s_out, "\n");
1607 } 1505 }
1608#endif 1506#endif
1609#endif 1507#endif
1610 1508
@@ -1614,98 +1512,88 @@ bad:
1614#else 1512#else
1615 if (psk_key != NULL || jpake_secret) 1513 if (psk_key != NULL || jpake_secret)
1616#endif 1514#endif
1617 { 1515 {
1618 if (s_debug) 1516 if (s_debug)
1619 BIO_printf(bio_s_out, "PSK key given or JPAKE in use, setting server callback\n"); 1517 BIO_printf(bio_s_out, "PSK key given or JPAKE in use, setting server callback\n");
1620 SSL_CTX_set_psk_server_callback(ctx, psk_server_cb); 1518 SSL_CTX_set_psk_server_callback(ctx, psk_server_cb);
1621 } 1519 }
1622 1520 if (!SSL_CTX_use_psk_identity_hint(ctx, psk_identity_hint)) {
1623 if (!SSL_CTX_use_psk_identity_hint(ctx, psk_identity_hint)) 1521 BIO_printf(bio_err, "error setting PSK identity hint to context\n");
1624 {
1625 BIO_printf(bio_err,"error setting PSK identity hint to context\n");
1626 ERR_print_errors(bio_err); 1522 ERR_print_errors(bio_err);
1627 goto end; 1523 goto end;
1628 } 1524 }
1629#endif 1525#endif
1630 1526
1631 if (cipher != NULL) 1527 if (cipher != NULL) {
1632 { 1528 if (!SSL_CTX_set_cipher_list(ctx, cipher)) {
1633 if(!SSL_CTX_set_cipher_list(ctx,cipher)) 1529 BIO_printf(bio_err, "error setting cipher list\n");
1634 {
1635 BIO_printf(bio_err,"error setting cipher list\n");
1636 ERR_print_errors(bio_err); 1530 ERR_print_errors(bio_err);
1637 goto end; 1531 goto end;
1638 } 1532 }
1639#ifndef OPENSSL_NO_TLSEXT 1533#ifndef OPENSSL_NO_TLSEXT
1640 if (ctx2 && !SSL_CTX_set_cipher_list(ctx2,cipher)) 1534 if (ctx2 && !SSL_CTX_set_cipher_list(ctx2, cipher)) {
1641 { 1535 BIO_printf(bio_err, "error setting cipher list\n");
1642 BIO_printf(bio_err,"error setting cipher list\n");
1643 ERR_print_errors(bio_err); 1536 ERR_print_errors(bio_err);
1644 goto end; 1537 goto end;
1645 }
1646#endif
1647 } 1538 }
1648 SSL_CTX_set_verify(ctx,s_server_verify,verify_callback); 1539#endif
1649 SSL_CTX_set_session_id_context(ctx,(void*)&s_server_session_id_context, 1540 }
1650 sizeof s_server_session_id_context); 1541 SSL_CTX_set_verify(ctx, s_server_verify, verify_callback);
1542 SSL_CTX_set_session_id_context(ctx, (void *) &s_server_session_id_context,
1543 sizeof s_server_session_id_context);
1651 1544
1652 /* Set DTLS cookie generation and verification callbacks */ 1545 /* Set DTLS cookie generation and verification callbacks */
1653 SSL_CTX_set_cookie_generate_cb(ctx, generate_cookie_callback); 1546 SSL_CTX_set_cookie_generate_cb(ctx, generate_cookie_callback);
1654 SSL_CTX_set_cookie_verify_cb(ctx, verify_cookie_callback); 1547 SSL_CTX_set_cookie_verify_cb(ctx, verify_cookie_callback);
1655 1548
1656#ifndef OPENSSL_NO_TLSEXT 1549#ifndef OPENSSL_NO_TLSEXT
1657 if (ctx2) 1550 if (ctx2) {
1658 { 1551 SSL_CTX_set_verify(ctx2, s_server_verify, verify_callback);
1659 SSL_CTX_set_verify(ctx2,s_server_verify,verify_callback); 1552 SSL_CTX_set_session_id_context(ctx2, (void *) &s_server_session_id_context,
1660 SSL_CTX_set_session_id_context(ctx2,(void*)&s_server_session_id_context, 1553 sizeof s_server_session_id_context);
1661 sizeof s_server_session_id_context);
1662 1554
1663 tlsextcbp.biodebug = bio_s_out; 1555 tlsextcbp.biodebug = bio_s_out;
1664 SSL_CTX_set_tlsext_servername_callback(ctx2, ssl_servername_cb); 1556 SSL_CTX_set_tlsext_servername_callback(ctx2, ssl_servername_cb);
1665 SSL_CTX_set_tlsext_servername_arg(ctx2, &tlsextcbp); 1557 SSL_CTX_set_tlsext_servername_arg(ctx2, &tlsextcbp);
1666 SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb); 1558 SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
1667 SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp); 1559 SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
1668 } 1560 }
1669#endif 1561#endif
1670 1562
1671#ifndef OPENSSL_NO_SRP 1563#ifndef OPENSSL_NO_SRP
1672 if (srp_verifier_file != NULL) 1564 if (srp_verifier_file != NULL) {
1673 {
1674 srp_callback_parm.vb = SRP_VBASE_new(srpuserseed); 1565 srp_callback_parm.vb = SRP_VBASE_new(srpuserseed);
1675 srp_callback_parm.user = NULL; 1566 srp_callback_parm.user = NULL;
1676 srp_callback_parm.login = NULL; 1567 srp_callback_parm.login = NULL;
1677 if ((ret = SRP_VBASE_init(srp_callback_parm.vb, srp_verifier_file)) != SRP_NO_ERROR) 1568 if ((ret = SRP_VBASE_init(srp_callback_parm.vb, srp_verifier_file)) != SRP_NO_ERROR) {
1678 {
1679 BIO_printf(bio_err, 1569 BIO_printf(bio_err,
1680 "Cannot initialize SRP verifier file \"%s\":ret=%d\n", 1570 "Cannot initialize SRP verifier file \"%s\":ret=%d\n",
1681 srp_verifier_file, ret); 1571 srp_verifier_file, ret);
1682 goto end; 1572 goto end;
1683 }
1684 SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE,verify_callback);
1685 SSL_CTX_set_srp_cb_arg(ctx, &srp_callback_parm);
1686 SSL_CTX_set_srp_username_callback(ctx, ssl_srp_server_param_cb);
1687 } 1573 }
1688 else 1574 SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE, verify_callback);
1575 SSL_CTX_set_srp_cb_arg(ctx, &srp_callback_parm);
1576 SSL_CTX_set_srp_username_callback(ctx, ssl_srp_server_param_cb);
1577 } else
1689#endif 1578#endif
1690 if (CAfile != NULL) 1579 if (CAfile != NULL) {
1691 { 1580 SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(CAfile));
1692 SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(CAfile));
1693#ifndef OPENSSL_NO_TLSEXT 1581#ifndef OPENSSL_NO_TLSEXT
1694 if (ctx2) 1582 if (ctx2)
1695 SSL_CTX_set_client_CA_list(ctx2,SSL_load_client_CA_file(CAfile)); 1583 SSL_CTX_set_client_CA_list(ctx2, SSL_load_client_CA_file(CAfile));
1696#endif 1584#endif
1697 } 1585 }
1698 1586 BIO_printf(bio_s_out, "ACCEPT\n");
1699 BIO_printf(bio_s_out,"ACCEPT\n"); 1587 (void) BIO_flush(bio_s_out);
1700 (void)BIO_flush(bio_s_out);
1701 if (www) 1588 if (www)
1702 do_server(port,socket_type,&accept_socket,www_body, context); 1589 do_server(port, socket_type, &accept_socket, www_body, context);
1703 else 1590 else
1704 do_server(port,socket_type,&accept_socket,sv_body, context); 1591 do_server(port, socket_type, &accept_socket, sv_body, context);
1705 print_stats(bio_s_out,ctx); 1592 print_stats(bio_s_out, ctx);
1706 ret=0; 1593 ret = 0;
1707end: 1594end:
1708 if (ctx != NULL) SSL_CTX_free(ctx); 1595 if (ctx != NULL)
1596 SSL_CTX_free(ctx);
1709 if (s_cert) 1597 if (s_cert)
1710 X509_free(s_cert); 1598 X509_free(s_cert);
1711 if (s_dcert) 1599 if (s_dcert)
@@ -1727,54 +1615,56 @@ end:
1727 free(tlscstatp.port); 1615 free(tlscstatp.port);
1728 if (tlscstatp.path) 1616 if (tlscstatp.path)
1729 free(tlscstatp.path); 1617 free(tlscstatp.path);
1730 if (ctx2 != NULL) SSL_CTX_free(ctx2); 1618 if (ctx2 != NULL)
1619 SSL_CTX_free(ctx2);
1731 if (s_cert2) 1620 if (s_cert2)
1732 X509_free(s_cert2); 1621 X509_free(s_cert2);
1733 if (s_key2) 1622 if (s_key2)
1734 EVP_PKEY_free(s_key2); 1623 EVP_PKEY_free(s_key2);
1735#endif 1624#endif
1736 if (bio_s_out != NULL) 1625 if (bio_s_out != NULL) {
1737 { 1626 BIO_free(bio_s_out);
1738 BIO_free(bio_s_out); 1627 bio_s_out = NULL;
1739 bio_s_out=NULL;
1740 }
1741 apps_shutdown();
1742 return(ret);
1743 } 1628 }
1629 apps_shutdown();
1630 return (ret);
1631}
1744 1632
1745static void print_stats(BIO *bio, SSL_CTX *ssl_ctx) 1633static void
1746 { 1634print_stats(BIO * bio, SSL_CTX * ssl_ctx)
1747 BIO_printf(bio,"%4ld items in the session cache\n", 1635{
1748 SSL_CTX_sess_number(ssl_ctx)); 1636 BIO_printf(bio, "%4ld items in the session cache\n",
1749 BIO_printf(bio,"%4ld client connects (SSL_connect())\n", 1637 SSL_CTX_sess_number(ssl_ctx));
1750 SSL_CTX_sess_connect(ssl_ctx)); 1638 BIO_printf(bio, "%4ld client connects (SSL_connect())\n",
1751 BIO_printf(bio,"%4ld client renegotiates (SSL_connect())\n", 1639 SSL_CTX_sess_connect(ssl_ctx));
1752 SSL_CTX_sess_connect_renegotiate(ssl_ctx)); 1640 BIO_printf(bio, "%4ld client renegotiates (SSL_connect())\n",
1753 BIO_printf(bio,"%4ld client connects that finished\n", 1641 SSL_CTX_sess_connect_renegotiate(ssl_ctx));
1754 SSL_CTX_sess_connect_good(ssl_ctx)); 1642 BIO_printf(bio, "%4ld client connects that finished\n",
1755 BIO_printf(bio,"%4ld server accepts (SSL_accept())\n", 1643 SSL_CTX_sess_connect_good(ssl_ctx));
1756 SSL_CTX_sess_accept(ssl_ctx)); 1644 BIO_printf(bio, "%4ld server accepts (SSL_accept())\n",
1757 BIO_printf(bio,"%4ld server renegotiates (SSL_accept())\n", 1645 SSL_CTX_sess_accept(ssl_ctx));
1758 SSL_CTX_sess_accept_renegotiate(ssl_ctx)); 1646 BIO_printf(bio, "%4ld server renegotiates (SSL_accept())\n",
1759 BIO_printf(bio,"%4ld server accepts that finished\n", 1647 SSL_CTX_sess_accept_renegotiate(ssl_ctx));
1760 SSL_CTX_sess_accept_good(ssl_ctx)); 1648 BIO_printf(bio, "%4ld server accepts that finished\n",
1761 BIO_printf(bio,"%4ld session cache hits\n",SSL_CTX_sess_hits(ssl_ctx)); 1649 SSL_CTX_sess_accept_good(ssl_ctx));
1762 BIO_printf(bio,"%4ld session cache misses\n",SSL_CTX_sess_misses(ssl_ctx)); 1650 BIO_printf(bio, "%4ld session cache hits\n", SSL_CTX_sess_hits(ssl_ctx));
1763 BIO_printf(bio,"%4ld session cache timeouts\n",SSL_CTX_sess_timeouts(ssl_ctx)); 1651 BIO_printf(bio, "%4ld session cache misses\n", SSL_CTX_sess_misses(ssl_ctx));
1764 BIO_printf(bio,"%4ld callback cache hits\n",SSL_CTX_sess_cb_hits(ssl_ctx)); 1652 BIO_printf(bio, "%4ld session cache timeouts\n", SSL_CTX_sess_timeouts(ssl_ctx));
1765 BIO_printf(bio,"%4ld cache full overflows (%ld allowed)\n", 1653 BIO_printf(bio, "%4ld callback cache hits\n", SSL_CTX_sess_cb_hits(ssl_ctx));
1766 SSL_CTX_sess_cache_full(ssl_ctx), 1654 BIO_printf(bio, "%4ld cache full overflows (%ld allowed)\n",
1767 SSL_CTX_sess_get_cache_size(ssl_ctx)); 1655 SSL_CTX_sess_cache_full(ssl_ctx),
1768 } 1656 SSL_CTX_sess_get_cache_size(ssl_ctx));
1769 1657}
1770static int sv_body(char *hostname, int s, unsigned char *context) 1658
1771 { 1659static int
1772 char *buf=NULL; 1660sv_body(char *hostname, int s, unsigned char *context)
1661{
1662 char *buf = NULL;
1773 fd_set readfds; 1663 fd_set readfds;
1774 int ret=1,width; 1664 int ret = 1, width;
1775 int k,i; 1665 int k, i;
1776 unsigned long l; 1666 unsigned long l;
1777 SSL *con=NULL; 1667 SSL *con = NULL;
1778 BIO *sbio; 1668 BIO *sbio;
1779#ifndef OPENSSL_NO_KRB5 1669#ifndef OPENSSL_NO_KRB5
1780 KSSL_CTX *kctx; 1670 KSSL_CTX *kctx;
@@ -1782,49 +1672,44 @@ static int sv_body(char *hostname, int s, unsigned char *context)
1782 struct timeval timeout; 1672 struct timeval timeout;
1783 struct timeval *timeoutp; 1673 struct timeval *timeoutp;
1784 1674
1785 if ((buf=malloc(bufsize)) == NULL) 1675 if ((buf = malloc(bufsize)) == NULL) {
1786 { 1676 BIO_printf(bio_err, "out of memory\n");
1787 BIO_printf(bio_err,"out of memory\n");
1788 goto err; 1677 goto err;
1789 } 1678 }
1790#ifdef FIONBIO 1679#ifdef FIONBIO
1791 if (s_nbio) 1680 if (s_nbio) {
1792 { 1681 unsigned long sl = 1;
1793 unsigned long sl=1;
1794 1682
1795 if (!s_quiet) 1683 if (!s_quiet)
1796 BIO_printf(bio_err,"turning on non blocking io\n"); 1684 BIO_printf(bio_err, "turning on non blocking io\n");
1797 if (BIO_socket_ioctl(s,FIONBIO,&sl) < 0) 1685 if (BIO_socket_ioctl(s, FIONBIO, &sl) < 0)
1798 ERR_print_errors(bio_err); 1686 ERR_print_errors(bio_err);
1799 } 1687 }
1800#endif 1688#endif
1801 1689
1802 if (con == NULL) { 1690 if (con == NULL) {
1803 con=SSL_new(ctx); 1691 con = SSL_new(ctx);
1804#ifndef OPENSSL_NO_TLSEXT 1692#ifndef OPENSSL_NO_TLSEXT
1805 if (s_tlsextdebug) 1693 if (s_tlsextdebug) {
1806 { 1694 SSL_set_tlsext_debug_callback(con, tlsext_cb);
1807 SSL_set_tlsext_debug_callback(con, tlsext_cb); 1695 SSL_set_tlsext_debug_arg(con, bio_s_out);
1808 SSL_set_tlsext_debug_arg(con, bio_s_out);
1809 } 1696 }
1810 if (s_tlsextstatus) 1697 if (s_tlsextstatus) {
1811 { 1698 SSL_CTX_set_tlsext_status_cb(ctx, cert_status_cb);
1812 SSL_CTX_set_tlsext_status_cb(ctx, cert_status_cb); 1699 tlscstatp.err = bio_err;
1813 tlscstatp.err = bio_err; 1700 SSL_CTX_set_tlsext_status_arg(ctx, &tlscstatp);
1814 SSL_CTX_set_tlsext_status_arg(ctx, &tlscstatp);
1815 } 1701 }
1816#endif 1702#endif
1817#ifndef OPENSSL_NO_KRB5 1703#ifndef OPENSSL_NO_KRB5
1818 if ((kctx = kssl_ctx_new()) != NULL) 1704 if ((kctx = kssl_ctx_new()) != NULL) {
1819 {
1820 SSL_set0_kssl_ctx(con, kctx); 1705 SSL_set0_kssl_ctx(con, kctx);
1821 kssl_ctx_setstring(kctx, KSSL_SERVICE, KRB5SVC); 1706 kssl_ctx_setstring(kctx, KSSL_SERVICE, KRB5SVC);
1822 kssl_ctx_setstring(kctx, KSSL_KEYTAB, KRB5KEYTAB); 1707 kssl_ctx_setstring(kctx, KSSL_KEYTAB, KRB5KEYTAB);
1823 } 1708 }
1824#endif /* OPENSSL_NO_KRB5 */ 1709#endif /* OPENSSL_NO_KRB5 */
1825 if(context) 1710 if (context)
1826 SSL_set_session_id_context(con, context, 1711 SSL_set_session_id_context(con, context,
1827 strlen((char *)context)); 1712 strlen((char *) context));
1828 } 1713 }
1829 SSL_clear(con); 1714 SSL_clear(con);
1830#if 0 1715#if 0
@@ -1833,329 +1718,309 @@ static int sv_body(char *hostname, int s, unsigned char *context)
1833#endif 1718#endif
1834#endif 1719#endif
1835 1720
1836 if (SSL_version(con) == DTLS1_VERSION) 1721 if (SSL_version(con) == DTLS1_VERSION) {
1837 {
1838 1722
1839 sbio=BIO_new_dgram(s,BIO_NOCLOSE); 1723 sbio = BIO_new_dgram(s, BIO_NOCLOSE);
1840 1724
1841 if (enable_timeouts) 1725 if (enable_timeouts) {
1842 {
1843 timeout.tv_sec = 0; 1726 timeout.tv_sec = 0;
1844 timeout.tv_usec = DGRAM_RCV_TIMEOUT; 1727 timeout.tv_usec = DGRAM_RCV_TIMEOUT;
1845 BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout); 1728 BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
1846 1729
1847 timeout.tv_sec = 0; 1730 timeout.tv_sec = 0;
1848 timeout.tv_usec = DGRAM_SND_TIMEOUT; 1731 timeout.tv_usec = DGRAM_SND_TIMEOUT;
1849 BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout); 1732 BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
1850 } 1733 }
1851 1734 if (socket_mtu > 28) {
1852 if (socket_mtu > 28)
1853 {
1854 SSL_set_options(con, SSL_OP_NO_QUERY_MTU); 1735 SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
1855 SSL_set_mtu(con, socket_mtu - 28); 1736 SSL_set_mtu(con, socket_mtu - 28);
1856 } 1737 } else
1857 else
1858 /* want to do MTU discovery */ 1738 /* want to do MTU discovery */
1859 BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL); 1739 BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL);
1860 1740
1861 /* turn on cookie exchange */ 1741 /* turn on cookie exchange */
1862 SSL_set_options(con, SSL_OP_COOKIE_EXCHANGE); 1742 SSL_set_options(con, SSL_OP_COOKIE_EXCHANGE);
1863 } 1743 } else
1864 else 1744 sbio = BIO_new_socket(s, BIO_NOCLOSE);
1865 sbio=BIO_new_socket(s,BIO_NOCLOSE);
1866 1745
1867 if (s_nbio_test) 1746 if (s_nbio_test) {
1868 {
1869 BIO *test; 1747 BIO *test;
1870 1748
1871 test=BIO_new(BIO_f_nbio_test()); 1749 test = BIO_new(BIO_f_nbio_test());
1872 sbio=BIO_push(test,sbio); 1750 sbio = BIO_push(test, sbio);
1873 } 1751 }
1874#ifndef OPENSSL_NO_JPAKE 1752#ifndef OPENSSL_NO_JPAKE
1875 if(jpake_secret) 1753 if (jpake_secret)
1876 jpake_server_auth(bio_s_out, sbio, jpake_secret); 1754 jpake_server_auth(bio_s_out, sbio, jpake_secret);
1877#endif 1755#endif
1878 1756
1879 SSL_set_bio(con,sbio,sbio); 1757 SSL_set_bio(con, sbio, sbio);
1880 SSL_set_accept_state(con); 1758 SSL_set_accept_state(con);
1881 /* SSL_set_fd(con,s); */ 1759 /* SSL_set_fd(con,s); */
1882 1760
1883 if (s_debug) 1761 if (s_debug) {
1884 {
1885 SSL_set_debug(con, 1); 1762 SSL_set_debug(con, 1);
1886 BIO_set_callback(SSL_get_rbio(con),bio_dump_callback); 1763 BIO_set_callback(SSL_get_rbio(con), bio_dump_callback);
1887 BIO_set_callback_arg(SSL_get_rbio(con),(char *)bio_s_out); 1764 BIO_set_callback_arg(SSL_get_rbio(con), (char *) bio_s_out);
1888 } 1765 }
1889 if (s_msg) 1766 if (s_msg) {
1890 {
1891 SSL_set_msg_callback(con, msg_cb); 1767 SSL_set_msg_callback(con, msg_cb);
1892 SSL_set_msg_callback_arg(con, bio_s_out); 1768 SSL_set_msg_callback_arg(con, bio_s_out);
1893 } 1769 }
1894#ifndef OPENSSL_NO_TLSEXT 1770#ifndef OPENSSL_NO_TLSEXT
1895 if (s_tlsextdebug) 1771 if (s_tlsextdebug) {
1896 {
1897 SSL_set_tlsext_debug_callback(con, tlsext_cb); 1772 SSL_set_tlsext_debug_callback(con, tlsext_cb);
1898 SSL_set_tlsext_debug_arg(con, bio_s_out); 1773 SSL_set_tlsext_debug_arg(con, bio_s_out);
1899 } 1774 }
1900#endif 1775#endif
1901 1776
1902 width=s+1; 1777 width = s + 1;
1903 for (;;) 1778 for (;;) {
1904 {
1905 int read_from_terminal; 1779 int read_from_terminal;
1906 int read_from_sslcon; 1780 int read_from_sslcon;
1907 1781
1908 read_from_terminal = 0; 1782 read_from_terminal = 0;
1909 read_from_sslcon = SSL_pending(con); 1783 read_from_sslcon = SSL_pending(con);
1910 1784
1911 if (!read_from_sslcon) 1785 if (!read_from_sslcon) {
1912 {
1913 FD_ZERO(&readfds); 1786 FD_ZERO(&readfds);
1914 openssl_fdset(fileno(stdin),&readfds); 1787 openssl_fdset(fileno(stdin), &readfds);
1915 openssl_fdset(s,&readfds); 1788 openssl_fdset(s, &readfds);
1916 /* Note: under VMS with SOCKETSHR the second parameter is 1789 /*
1917 * currently of type (int *) whereas under other systems 1790 * Note: under VMS with SOCKETSHR the second
1918 * it is (void *) if you don't have a cast it will choke 1791 * parameter is currently of type (int *) whereas
1919 * the compiler: if you do have a cast then you can either 1792 * under other systems it is (void *) if you don't
1920 * go for (int *) or (void *). 1793 * have a cast it will choke the compiler: if you do
1794 * have a cast then you can either go for (int *) or
1795 * (void *).
1921 */ 1796 */
1922 if ((SSL_version(con) == DTLS1_VERSION) && 1797 if ((SSL_version(con) == DTLS1_VERSION) &&
1923 DTLSv1_get_timeout(con, &timeout)) 1798 DTLSv1_get_timeout(con, &timeout))
1924 timeoutp = &timeout; 1799 timeoutp = &timeout;
1925 else 1800 else
1926 timeoutp = NULL; 1801 timeoutp = NULL;
1927 1802
1928 i=select(width,(void *)&readfds,NULL,NULL,timeoutp); 1803 i = select(width, (void *) &readfds, NULL, NULL, timeoutp);
1929 1804
1930 if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0) 1805 if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0) {
1931 { 1806 BIO_printf(bio_err, "TIMEOUT occured\n");
1932 BIO_printf(bio_err,"TIMEOUT occured\n"); 1807 }
1933 } 1808 if (i <= 0)
1934 1809 continue;
1935 if (i <= 0) continue; 1810 if (FD_ISSET(fileno(stdin), &readfds))
1936 if (FD_ISSET(fileno(stdin),&readfds))
1937 read_from_terminal = 1; 1811 read_from_terminal = 1;
1938 if (FD_ISSET(s,&readfds)) 1812 if (FD_ISSET(s, &readfds))
1939 read_from_sslcon = 1; 1813 read_from_sslcon = 1;
1940 } 1814 }
1941 if (read_from_terminal) 1815 if (read_from_terminal) {
1942 { 1816 if (s_crlf) {
1943 if (s_crlf)
1944 {
1945 int j, lf_num; 1817 int j, lf_num;
1946 1818
1947 i=raw_read_stdin(buf, bufsize/2); 1819 i = raw_read_stdin(buf, bufsize / 2);
1948 lf_num = 0; 1820 lf_num = 0;
1949 /* both loops are skipped when i <= 0 */ 1821 /* both loops are skipped when i <= 0 */
1950 for (j = 0; j < i; j++) 1822 for (j = 0; j < i; j++)
1951 if (buf[j] == '\n') 1823 if (buf[j] == '\n')
1952 lf_num++; 1824 lf_num++;
1953 for (j = i-1; j >= 0; j--) 1825 for (j = i - 1; j >= 0; j--) {
1954 { 1826 buf[j + lf_num] = buf[j];
1955 buf[j+lf_num] = buf[j]; 1827 if (buf[j] == '\n') {
1956 if (buf[j] == '\n')
1957 {
1958 lf_num--; 1828 lf_num--;
1959 i++; 1829 i++;
1960 buf[j+lf_num] = '\r'; 1830 buf[j + lf_num] = '\r';
1961 }
1962 } 1831 }
1963 assert(lf_num == 0);
1964 } 1832 }
1965 else 1833 assert(lf_num == 0);
1966 i=raw_read_stdin(buf,bufsize); 1834 } else
1967 if (!s_quiet) 1835 i = raw_read_stdin(buf, bufsize);
1968 { 1836 if (!s_quiet) {
1969 if ((i <= 0) || (buf[0] == 'Q')) 1837 if ((i <= 0) || (buf[0] == 'Q')) {
1970 { 1838 BIO_printf(bio_s_out, "DONE\n");
1971 BIO_printf(bio_s_out,"DONE\n");
1972 shutdown(s, SHUT_RD); 1839 shutdown(s, SHUT_RD);
1973 close(s); 1840 close(s);
1974 close_accept_socket(); 1841 close_accept_socket();
1975 ret= -11; 1842 ret = -11;
1976 goto err; 1843 goto err;
1977 } 1844 }
1978 if ((i <= 0) || (buf[0] == 'q')) 1845 if ((i <= 0) || (buf[0] == 'q')) {
1979 { 1846 BIO_printf(bio_s_out, "DONE\n");
1980 BIO_printf(bio_s_out,"DONE\n");
1981 if (SSL_version(con) != DTLS1_VERSION) { 1847 if (SSL_version(con) != DTLS1_VERSION) {
1982 shutdown(s, SHUT_RD); 1848 shutdown(s, SHUT_RD);
1983 close(s); 1849 close(s);
1984 } 1850 }
1985 /* close_accept_socket(); 1851 /*
1986 ret= -11;*/ 1852 * close_accept_socket(); ret= -11;
1853 */
1987 goto err; 1854 goto err;
1988 } 1855 }
1989 if ((buf[0] == 'r') && 1856 if ((buf[0] == 'r') &&
1990 ((buf[1] == '\n') || (buf[1] == '\r'))) 1857 ((buf[1] == '\n') || (buf[1] == '\r'))) {
1991 {
1992 SSL_renegotiate(con); 1858 SSL_renegotiate(con);
1993 i=SSL_do_handshake(con); 1859 i = SSL_do_handshake(con);
1994 printf("SSL_do_handshake -> %d\n",i); 1860 printf("SSL_do_handshake -> %d\n", i);
1995 i=0; /*13; */ 1861 i = 0; /* 13; */
1996 continue; 1862 continue;
1997 /* strcpy(buf,"server side RE-NEGOTIATE\n"); */ 1863 /*
1998 } 1864 * strcpy(buf,"server side
1865 * RE-NEGOTIATE\n");
1866 */
1867 }
1999 if ((buf[0] == 'R') && 1868 if ((buf[0] == 'R') &&
2000 ((buf[1] == '\n') || (buf[1] == '\r'))) 1869 ((buf[1] == '\n') || (buf[1] == '\r'))) {
2001 {
2002 SSL_set_verify(con, 1870 SSL_set_verify(con,
2003 SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE,NULL); 1871 SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE, NULL);
2004 SSL_renegotiate(con); 1872 SSL_renegotiate(con);
2005 i=SSL_do_handshake(con); 1873 i = SSL_do_handshake(con);
2006 printf("SSL_do_handshake -> %d\n",i); 1874 printf("SSL_do_handshake -> %d\n", i);
2007 i=0; /* 13; */ 1875 i = 0; /* 13; */
2008 continue; 1876 continue;
2009 /* strcpy(buf,"server side RE-NEGOTIATE asking for client cert\n"); */ 1877 /*
2010 } 1878 * strcpy(buf,"server side
2011 if (buf[0] == 'P') 1879 * RE-NEGOTIATE asking for client
2012 { 1880 * cert\n");
2013 static const char *str="Lets print some clear text\n"; 1881 */
2014 BIO_write(SSL_get_wbio(con),str,strlen(str));
2015 }
2016 if (buf[0] == 'S')
2017 {
2018 print_stats(bio_s_out,SSL_get_SSL_CTX(con));
2019 }
2020 } 1882 }
2021 l=k=0; 1883 if (buf[0] == 'P') {
2022 for (;;) 1884 static const char *str = "Lets print some clear text\n";
2023 { 1885 BIO_write(SSL_get_wbio(con), str, strlen(str));
1886 }
1887 if (buf[0] == 'S') {
1888 print_stats(bio_s_out, SSL_get_SSL_CTX(con));
1889 }
1890 }
1891 l = k = 0;
1892 for (;;) {
2024 /* should do a select for the write */ 1893 /* should do a select for the write */
2025#ifdef RENEG 1894#ifdef RENEG
2026{ static count=0; if (++count == 100) { count=0; SSL_renegotiate(con); } } 1895 {
1896 static count = 0;
1897 if (++count == 100) {
1898 count = 0;
1899 SSL_renegotiate(con);
1900 }
1901 }
2027#endif 1902#endif
2028 k=SSL_write(con,&(buf[l]),(unsigned int)i); 1903 k = SSL_write(con, &(buf[l]), (unsigned int) i);
2029#ifndef OPENSSL_NO_SRP 1904#ifndef OPENSSL_NO_SRP
2030 while (SSL_get_error(con,k) == SSL_ERROR_WANT_X509_LOOKUP) 1905 while (SSL_get_error(con, k) == SSL_ERROR_WANT_X509_LOOKUP) {
2031 { 1906 BIO_printf(bio_s_out, "LOOKUP renego during write\n");
2032 BIO_printf(bio_s_out,"LOOKUP renego during write\n"); 1907 srp_callback_parm.user = SRP_VBASE_get_by_user(srp_callback_parm.vb, srp_callback_parm.login);
2033 srp_callback_parm.user = SRP_VBASE_get_by_user(srp_callback_parm.vb, srp_callback_parm.login); 1908 if (srp_callback_parm.user)
2034 if (srp_callback_parm.user) 1909 BIO_printf(bio_s_out, "LOOKUP done %s\n", srp_callback_parm.user->info);
2035 BIO_printf(bio_s_out,"LOOKUP done %s\n",srp_callback_parm.user->info); 1910 else
2036 else 1911 BIO_printf(bio_s_out, "LOOKUP not successful\n");
2037 BIO_printf(bio_s_out,"LOOKUP not successful\n"); 1912 k = SSL_write(con, &(buf[l]), (unsigned int) i);
2038 k=SSL_write(con,&(buf[l]),(unsigned int)i); 1913 }
2039 }
2040#endif 1914#endif
2041 switch (SSL_get_error(con,k)) 1915 switch (SSL_get_error(con, k)) {
2042 {
2043 case SSL_ERROR_NONE: 1916 case SSL_ERROR_NONE:
2044 break; 1917 break;
2045 case SSL_ERROR_WANT_WRITE: 1918 case SSL_ERROR_WANT_WRITE:
2046 case SSL_ERROR_WANT_READ: 1919 case SSL_ERROR_WANT_READ:
2047 case SSL_ERROR_WANT_X509_LOOKUP: 1920 case SSL_ERROR_WANT_X509_LOOKUP:
2048 BIO_printf(bio_s_out,"Write BLOCK\n"); 1921 BIO_printf(bio_s_out, "Write BLOCK\n");
2049 break; 1922 break;
2050 case SSL_ERROR_SYSCALL: 1923 case SSL_ERROR_SYSCALL:
2051 case SSL_ERROR_SSL: 1924 case SSL_ERROR_SSL:
2052 BIO_printf(bio_s_out,"ERROR\n"); 1925 BIO_printf(bio_s_out, "ERROR\n");
2053 ERR_print_errors(bio_err); 1926 ERR_print_errors(bio_err);
2054 ret=1; 1927 ret = 1;
2055 goto err; 1928 goto err;
2056 /* break; */ 1929 /* break; */
2057 case SSL_ERROR_ZERO_RETURN: 1930 case SSL_ERROR_ZERO_RETURN:
2058 BIO_printf(bio_s_out,"DONE\n"); 1931 BIO_printf(bio_s_out, "DONE\n");
2059 ret=1; 1932 ret = 1;
2060 goto err; 1933 goto err;
2061 }
2062 l+=k;
2063 i-=k;
2064 if (i <= 0) break;
2065 } 1934 }
1935 l += k;
1936 i -= k;
1937 if (i <= 0)
1938 break;
2066 } 1939 }
2067 if (read_from_sslcon) 1940 }
2068 { 1941 if (read_from_sslcon) {
2069 if (!SSL_is_init_finished(con)) 1942 if (!SSL_is_init_finished(con)) {
2070 { 1943 i = init_ssl_connection(con);
2071 i=init_ssl_connection(con); 1944
2072 1945 if (i < 0) {
2073 if (i < 0) 1946 ret = 0;
2074 {
2075 ret=0;
2076 goto err; 1947 goto err;
2077 } 1948 } else if (i == 0) {
2078 else if (i == 0) 1949 ret = 1;
2079 {
2080 ret=1;
2081 goto err; 1950 goto err;
2082 }
2083 } 1951 }
2084 else 1952 } else {
2085 { 1953 again:
2086again: 1954 i = SSL_read(con, (char *) buf, bufsize);
2087 i=SSL_read(con,(char *)buf,bufsize);
2088#ifndef OPENSSL_NO_SRP 1955#ifndef OPENSSL_NO_SRP
2089 while (SSL_get_error(con,i) == SSL_ERROR_WANT_X509_LOOKUP) 1956 while (SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP) {
2090 { 1957 BIO_printf(bio_s_out, "LOOKUP renego during read\n");
2091 BIO_printf(bio_s_out,"LOOKUP renego during read\n"); 1958 srp_callback_parm.user = SRP_VBASE_get_by_user(srp_callback_parm.vb, srp_callback_parm.login);
2092 srp_callback_parm.user = SRP_VBASE_get_by_user(srp_callback_parm.vb, srp_callback_parm.login); 1959 if (srp_callback_parm.user)
2093 if (srp_callback_parm.user) 1960 BIO_printf(bio_s_out, "LOOKUP done %s\n", srp_callback_parm.user->info);
2094 BIO_printf(bio_s_out,"LOOKUP done %s\n",srp_callback_parm.user->info); 1961 else
2095 else 1962 BIO_printf(bio_s_out, "LOOKUP not successful\n");
2096 BIO_printf(bio_s_out,"LOOKUP not successful\n"); 1963 i = SSL_read(con, (char *) buf, bufsize);
2097 i=SSL_read(con,(char *)buf,bufsize); 1964 }
2098 }
2099#endif 1965#endif
2100 switch (SSL_get_error(con,i)) 1966 switch (SSL_get_error(con, i)) {
2101 {
2102 case SSL_ERROR_NONE: 1967 case SSL_ERROR_NONE:
2103 raw_write_stdout(buf, 1968 raw_write_stdout(buf,
2104 (unsigned int)i); 1969 (unsigned int) i);
2105 if (SSL_pending(con)) goto again; 1970 if (SSL_pending(con))
1971 goto again;
2106 break; 1972 break;
2107 case SSL_ERROR_WANT_WRITE: 1973 case SSL_ERROR_WANT_WRITE:
2108 case SSL_ERROR_WANT_READ: 1974 case SSL_ERROR_WANT_READ:
2109 BIO_printf(bio_s_out,"Read BLOCK\n"); 1975 BIO_printf(bio_s_out, "Read BLOCK\n");
2110 break; 1976 break;
2111 case SSL_ERROR_SYSCALL: 1977 case SSL_ERROR_SYSCALL:
2112 case SSL_ERROR_SSL: 1978 case SSL_ERROR_SSL:
2113 BIO_printf(bio_s_out,"ERROR\n"); 1979 BIO_printf(bio_s_out, "ERROR\n");
2114 ERR_print_errors(bio_err); 1980 ERR_print_errors(bio_err);
2115 ret=1; 1981 ret = 1;
2116 goto err; 1982 goto err;
2117 case SSL_ERROR_ZERO_RETURN: 1983 case SSL_ERROR_ZERO_RETURN:
2118 BIO_printf(bio_s_out,"DONE\n"); 1984 BIO_printf(bio_s_out, "DONE\n");
2119 ret=1; 1985 ret = 1;
2120 goto err; 1986 goto err;
2121 }
2122 } 1987 }
2123 } 1988 }
2124 } 1989 }
1990 }
2125err: 1991err:
2126 if (con != NULL) 1992 if (con != NULL) {
2127 { 1993 BIO_printf(bio_s_out, "shutting down SSL\n");
2128 BIO_printf(bio_s_out,"shutting down SSL\n");
2129#if 1 1994#if 1
2130 SSL_set_shutdown(con,SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); 1995 SSL_set_shutdown(con, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
2131#else 1996#else
2132 SSL_shutdown(con); 1997 SSL_shutdown(con);
2133#endif 1998#endif
2134 SSL_free(con); 1999 SSL_free(con);
2135 } 2000 }
2136 BIO_printf(bio_s_out,"CONNECTION CLOSED\n"); 2001 BIO_printf(bio_s_out, "CONNECTION CLOSED\n");
2137 if (buf != NULL) 2002 if (buf != NULL) {
2138 { 2003 OPENSSL_cleanse(buf, bufsize);
2139 OPENSSL_cleanse(buf,bufsize);
2140 free(buf); 2004 free(buf);
2141 }
2142 if (ret >= 0)
2143 BIO_printf(bio_s_out,"ACCEPT\n");
2144 return(ret);
2145 } 2005 }
2006 if (ret >= 0)
2007 BIO_printf(bio_s_out, "ACCEPT\n");
2008 return (ret);
2009}
2146 2010
2147static void close_accept_socket(void) 2011static void
2148 { 2012close_accept_socket(void)
2149 BIO_printf(bio_err,"shutdown accept socket\n"); 2013{
2150 if (accept_socket >= 0) 2014 BIO_printf(bio_err, "shutdown accept socket\n");
2151 { 2015 if (accept_socket >= 0) {
2152 shutdown(accept_socket, SHUT_RDWR); 2016 shutdown(accept_socket, SHUT_RDWR);
2153 close(accept_socket); 2017 close(accept_socket);
2154 }
2155 } 2018 }
2019}
2156 2020
2157static int init_ssl_connection(SSL *con) 2021static int
2158 { 2022init_ssl_connection(SSL * con)
2023{
2159 int i; 2024 int i;
2160 const char *str; 2025 const char *str;
2161 X509 *peer; 2026 X509 *peer;
@@ -2171,260 +2036,242 @@ static int init_ssl_connection(SSL *con)
2171 unsigned char *exportedkeymat; 2036 unsigned char *exportedkeymat;
2172 2037
2173 2038
2174 i=SSL_accept(con); 2039 i = SSL_accept(con);
2175#ifndef OPENSSL_NO_SRP 2040#ifndef OPENSSL_NO_SRP
2176 while (i <= 0 && SSL_get_error(con,i) == SSL_ERROR_WANT_X509_LOOKUP) 2041 while (i <= 0 && SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP) {
2177 { 2042 BIO_printf(bio_s_out, "LOOKUP during accept %s\n", srp_callback_parm.login);
2178 BIO_printf(bio_s_out,"LOOKUP during accept %s\n",srp_callback_parm.login); 2043 srp_callback_parm.user = SRP_VBASE_get_by_user(srp_callback_parm.vb, srp_callback_parm.login);
2179 srp_callback_parm.user = SRP_VBASE_get_by_user(srp_callback_parm.vb, srp_callback_parm.login); 2044 if (srp_callback_parm.user)
2180 if (srp_callback_parm.user) 2045 BIO_printf(bio_s_out, "LOOKUP done %s\n", srp_callback_parm.user->info);
2181 BIO_printf(bio_s_out,"LOOKUP done %s\n",srp_callback_parm.user->info);
2182 else
2183 BIO_printf(bio_s_out,"LOOKUP not successful\n");
2184 i=SSL_accept(con);
2185 }
2186#endif
2187 if (i <= 0)
2188 {
2189 if (BIO_sock_should_retry(i))
2190 {
2191 BIO_printf(bio_s_out,"DELAY\n");
2192 return(1);
2193 }
2194
2195 BIO_printf(bio_err,"ERROR\n");
2196 verify_error=SSL_get_verify_result(con);
2197 if (verify_error != X509_V_OK)
2198 {
2199 BIO_printf(bio_err,"verify error:%s\n",
2200 X509_verify_cert_error_string(verify_error));
2201 }
2202 else 2046 else
2047 BIO_printf(bio_s_out, "LOOKUP not successful\n");
2048 i = SSL_accept(con);
2049 }
2050#endif
2051 if (i <= 0) {
2052 if (BIO_sock_should_retry(i)) {
2053 BIO_printf(bio_s_out, "DELAY\n");
2054 return (1);
2055 }
2056 BIO_printf(bio_err, "ERROR\n");
2057 verify_error = SSL_get_verify_result(con);
2058 if (verify_error != X509_V_OK) {
2059 BIO_printf(bio_err, "verify error:%s\n",
2060 X509_verify_cert_error_string(verify_error));
2061 } else
2203 ERR_print_errors(bio_err); 2062 ERR_print_errors(bio_err);
2204 return(0); 2063 return (0);
2205 } 2064 }
2206 2065 PEM_write_bio_SSL_SESSION(bio_s_out, SSL_get_session(con));
2207 PEM_write_bio_SSL_SESSION(bio_s_out,SSL_get_session(con)); 2066
2208 2067 peer = SSL_get_peer_certificate(con);
2209 peer=SSL_get_peer_certificate(con); 2068 if (peer != NULL) {
2210 if (peer != NULL) 2069 BIO_printf(bio_s_out, "Client certificate\n");
2211 { 2070 PEM_write_bio_X509(bio_s_out, peer);
2212 BIO_printf(bio_s_out,"Client certificate\n"); 2071 X509_NAME_oneline(X509_get_subject_name(peer), buf, sizeof buf);
2213 PEM_write_bio_X509(bio_s_out,peer); 2072 BIO_printf(bio_s_out, "subject=%s\n", buf);
2214 X509_NAME_oneline(X509_get_subject_name(peer),buf,sizeof buf); 2073 X509_NAME_oneline(X509_get_issuer_name(peer), buf, sizeof buf);
2215 BIO_printf(bio_s_out,"subject=%s\n",buf); 2074 BIO_printf(bio_s_out, "issuer=%s\n", buf);
2216 X509_NAME_oneline(X509_get_issuer_name(peer),buf,sizeof buf);
2217 BIO_printf(bio_s_out,"issuer=%s\n",buf);
2218 X509_free(peer); 2075 X509_free(peer);
2219 } 2076 }
2220 2077 if (SSL_get_shared_ciphers(con, buf, sizeof buf) != NULL)
2221 if (SSL_get_shared_ciphers(con,buf,sizeof buf) != NULL) 2078 BIO_printf(bio_s_out, "Shared ciphers:%s\n", buf);
2222 BIO_printf(bio_s_out,"Shared ciphers:%s\n",buf); 2079 str = SSL_CIPHER_get_name(SSL_get_current_cipher(con));
2223 str=SSL_CIPHER_get_name(SSL_get_current_cipher(con)); 2080 BIO_printf(bio_s_out, "CIPHER is %s\n", (str != NULL) ? str : "(NONE)");
2224 BIO_printf(bio_s_out,"CIPHER is %s\n",(str != NULL)?str:"(NONE)");
2225 2081
2226#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) 2082#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
2227 SSL_get0_next_proto_negotiated(con, &next_proto_neg, &next_proto_neg_len); 2083 SSL_get0_next_proto_negotiated(con, &next_proto_neg, &next_proto_neg_len);
2228 if (next_proto_neg) 2084 if (next_proto_neg) {
2229 { 2085 BIO_printf(bio_s_out, "NEXTPROTO is ");
2230 BIO_printf(bio_s_out,"NEXTPROTO is ");
2231 BIO_write(bio_s_out, next_proto_neg, next_proto_neg_len); 2086 BIO_write(bio_s_out, next_proto_neg, next_proto_neg_len);
2232 BIO_printf(bio_s_out, "\n"); 2087 BIO_printf(bio_s_out, "\n");
2233 } 2088 }
2234#endif 2089#endif
2235#ifndef OPENSSL_NO_SRTP 2090#ifndef OPENSSL_NO_SRTP
2236 { 2091 {
2237 SRTP_PROTECTION_PROFILE *srtp_profile 2092 SRTP_PROTECTION_PROFILE *srtp_profile
2238 = SSL_get_selected_srtp_profile(con); 2093 = SSL_get_selected_srtp_profile(con);
2239 2094
2240 if(srtp_profile) 2095 if (srtp_profile)
2241 BIO_printf(bio_s_out,"SRTP Extension negotiated, profile=%s\n", 2096 BIO_printf(bio_s_out, "SRTP Extension negotiated, profile=%s\n",
2242 srtp_profile->name); 2097 srtp_profile->name);
2243 } 2098 }
2244#endif 2099#endif
2245 if (SSL_cache_hit(con)) BIO_printf(bio_s_out,"Reused session-id\n"); 2100 if (SSL_cache_hit(con))
2246 if (SSL_ctrl(con,SSL_CTRL_GET_FLAGS,0,NULL) & 2101 BIO_printf(bio_s_out, "Reused session-id\n");
2247 TLS1_FLAGS_TLS_PADDING_BUG) 2102 if (SSL_ctrl(con, SSL_CTRL_GET_FLAGS, 0, NULL) &
2103 TLS1_FLAGS_TLS_PADDING_BUG)
2248 BIO_printf(bio_s_out, 2104 BIO_printf(bio_s_out,
2249 "Peer has incorrect TLSv1 block padding\n"); 2105 "Peer has incorrect TLSv1 block padding\n");
2250#ifndef OPENSSL_NO_KRB5 2106#ifndef OPENSSL_NO_KRB5
2251 client_princ = kssl_ctx_get0_client_princ(SSL_get0_kssl_ctx(con)); 2107 client_princ = kssl_ctx_get0_client_princ(SSL_get0_kssl_ctx(con));
2252 if (client_princ != NULL) 2108 if (client_princ != NULL) {
2253 { 2109 BIO_printf(bio_s_out, "Kerberos peer principal is %s\n",
2254 BIO_printf(bio_s_out,"Kerberos peer principal is %s\n", 2110 client_princ);
2255 client_princ); 2111 }
2256 } 2112#endif /* OPENSSL_NO_KRB5 */
2257#endif /* OPENSSL_NO_KRB5 */
2258 BIO_printf(bio_s_out, "Secure Renegotiation IS%s supported\n", 2113 BIO_printf(bio_s_out, "Secure Renegotiation IS%s supported\n",
2259 SSL_get_secure_renegotiation_support(con) ? "" : " NOT"); 2114 SSL_get_secure_renegotiation_support(con) ? "" : " NOT");
2260 if (keymatexportlabel != NULL) 2115 if (keymatexportlabel != NULL) {
2261 {
2262 BIO_printf(bio_s_out, "Keying material exporter:\n"); 2116 BIO_printf(bio_s_out, "Keying material exporter:\n");
2263 BIO_printf(bio_s_out, " Label: '%s'\n", keymatexportlabel); 2117 BIO_printf(bio_s_out, " Label: '%s'\n", keymatexportlabel);
2264 BIO_printf(bio_s_out, " Length: %i bytes\n", 2118 BIO_printf(bio_s_out, " Length: %i bytes\n",
2265 keymatexportlen); 2119 keymatexportlen);
2266 exportedkeymat = malloc(keymatexportlen); 2120 exportedkeymat = malloc(keymatexportlen);
2267 if (exportedkeymat != NULL) 2121 if (exportedkeymat != NULL) {
2268 {
2269 if (!SSL_export_keying_material(con, exportedkeymat, 2122 if (!SSL_export_keying_material(con, exportedkeymat,
2270 keymatexportlen, 2123 keymatexportlen,
2271 keymatexportlabel, 2124 keymatexportlabel,
2272 strlen(keymatexportlabel), 2125 strlen(keymatexportlabel),
2273 NULL, 0, 0)) 2126 NULL, 0, 0)) {
2274 {
2275 BIO_printf(bio_s_out, " Error\n"); 2127 BIO_printf(bio_s_out, " Error\n");
2276 } 2128 } else {
2277 else
2278 {
2279 BIO_printf(bio_s_out, " Keying material: "); 2129 BIO_printf(bio_s_out, " Keying material: ");
2280 for (i=0; i<keymatexportlen; i++) 2130 for (i = 0; i < keymatexportlen; i++)
2281 BIO_printf(bio_s_out, "%02X", 2131 BIO_printf(bio_s_out, "%02X",
2282 exportedkeymat[i]); 2132 exportedkeymat[i]);
2283 BIO_printf(bio_s_out, "\n"); 2133 BIO_printf(bio_s_out, "\n");
2284 }
2285 free(exportedkeymat);
2286 } 2134 }
2135 free(exportedkeymat);
2287 } 2136 }
2288
2289 return(1);
2290 } 2137 }
2138 return (1);
2139}
2291 2140
2292#ifndef OPENSSL_NO_DH 2141#ifndef OPENSSL_NO_DH
2293static DH *load_dh_param(const char *dhfile) 2142static DH *
2294 { 2143load_dh_param(const char *dhfile)
2295 DH *ret=NULL; 2144{
2145 DH *ret = NULL;
2296 BIO *bio; 2146 BIO *bio;
2297 2147
2298 if ((bio=BIO_new_file(dhfile,"r")) == NULL) 2148 if ((bio = BIO_new_file(dhfile, "r")) == NULL)
2299 goto err; 2149 goto err;
2300 ret=PEM_read_bio_DHparams(bio,NULL,NULL,NULL); 2150 ret = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
2301err: 2151err:
2302 if (bio != NULL) BIO_free(bio); 2152 if (bio != NULL)
2303 return(ret); 2153 BIO_free(bio);
2304 } 2154 return (ret);
2155}
2305#endif 2156#endif
2306#ifndef OPENSSL_NO_KRB5 2157#ifndef OPENSSL_NO_KRB5
2307 char *client_princ; 2158char *client_princ;
2308#endif 2159#endif
2309 2160
2310#if 0 2161#if 0
2311static int load_CA(SSL_CTX *ctx, char *file) 2162static int
2312 { 2163load_CA(SSL_CTX * ctx, char *file)
2164{
2313 FILE *in; 2165 FILE *in;
2314 X509 *x=NULL; 2166 X509 *x = NULL;
2315 2167
2316 if ((in=fopen(file,"r")) == NULL) 2168 if ((in = fopen(file, "r")) == NULL)
2317 return(0); 2169 return (0);
2318 2170
2319 for (;;) 2171 for (;;) {
2320 { 2172 if (PEM_read_X509(in, &x, NULL) == NULL)
2321 if (PEM_read_X509(in,&x,NULL) == NULL)
2322 break; 2173 break;
2323 SSL_CTX_add_client_CA(ctx,x); 2174 SSL_CTX_add_client_CA(ctx, x);
2324 }
2325 if (x != NULL) X509_free(x);
2326 fclose(in);
2327 return(1);
2328 } 2175 }
2176 if (x != NULL)
2177 X509_free(x);
2178 fclose(in);
2179 return (1);
2180}
2329#endif 2181#endif
2330 2182
2331static int www_body(char *hostname, int s, unsigned char *context) 2183static int
2332 { 2184www_body(char *hostname, int s, unsigned char *context)
2333 char *buf=NULL; 2185{
2334 int ret=1; 2186 char *buf = NULL;
2335 int i,j,k,dot; 2187 int ret = 1;
2188 int i, j, k, dot;
2336 SSL *con; 2189 SSL *con;
2337 const SSL_CIPHER *c; 2190 const SSL_CIPHER *c;
2338 BIO *io,*ssl_bio,*sbio; 2191 BIO *io, *ssl_bio, *sbio;
2339#ifndef OPENSSL_NO_KRB5 2192#ifndef OPENSSL_NO_KRB5
2340 KSSL_CTX *kctx; 2193 KSSL_CTX *kctx;
2341#endif 2194#endif
2342 2195
2343 buf=malloc(bufsize); 2196 buf = malloc(bufsize);
2344 if (buf == NULL) return(0); 2197 if (buf == NULL)
2345 io=BIO_new(BIO_f_buffer()); 2198 return (0);
2346 ssl_bio=BIO_new(BIO_f_ssl()); 2199 io = BIO_new(BIO_f_buffer());
2347 if ((io == NULL) || (ssl_bio == NULL)) goto err; 2200 ssl_bio = BIO_new(BIO_f_ssl());
2201 if ((io == NULL) || (ssl_bio == NULL))
2202 goto err;
2348 2203
2349#ifdef FIONBIO 2204#ifdef FIONBIO
2350 if (s_nbio) 2205 if (s_nbio) {
2351 { 2206 unsigned long sl = 1;
2352 unsigned long sl=1;
2353 2207
2354 if (!s_quiet) 2208 if (!s_quiet)
2355 BIO_printf(bio_err,"turning on non blocking io\n"); 2209 BIO_printf(bio_err, "turning on non blocking io\n");
2356 if (BIO_socket_ioctl(s,FIONBIO,&sl) < 0) 2210 if (BIO_socket_ioctl(s, FIONBIO, &sl) < 0)
2357 ERR_print_errors(bio_err); 2211 ERR_print_errors(bio_err);
2358 } 2212 }
2359#endif 2213#endif
2360 2214
2361 /* lets make the output buffer a reasonable size */ 2215 /* lets make the output buffer a reasonable size */
2362 if (!BIO_set_write_buffer_size(io,bufsize)) goto err; 2216 if (!BIO_set_write_buffer_size(io, bufsize))
2217 goto err;
2363 2218
2364 if ((con=SSL_new(ctx)) == NULL) goto err; 2219 if ((con = SSL_new(ctx)) == NULL)
2220 goto err;
2365#ifndef OPENSSL_NO_TLSEXT 2221#ifndef OPENSSL_NO_TLSEXT
2366 if (s_tlsextdebug) 2222 if (s_tlsextdebug) {
2367 { 2223 SSL_set_tlsext_debug_callback(con, tlsext_cb);
2368 SSL_set_tlsext_debug_callback(con, tlsext_cb); 2224 SSL_set_tlsext_debug_arg(con, bio_s_out);
2369 SSL_set_tlsext_debug_arg(con, bio_s_out); 2225 }
2370 }
2371#endif 2226#endif
2372#ifndef OPENSSL_NO_KRB5 2227#ifndef OPENSSL_NO_KRB5
2373 if ((kctx = kssl_ctx_new()) != NULL) 2228 if ((kctx = kssl_ctx_new()) != NULL) {
2374 {
2375 kssl_ctx_setstring(kctx, KSSL_SERVICE, KRB5SVC); 2229 kssl_ctx_setstring(kctx, KSSL_SERVICE, KRB5SVC);
2376 kssl_ctx_setstring(kctx, KSSL_KEYTAB, KRB5KEYTAB); 2230 kssl_ctx_setstring(kctx, KSSL_KEYTAB, KRB5KEYTAB);
2377 } 2231 }
2378#endif /* OPENSSL_NO_KRB5 */ 2232#endif /* OPENSSL_NO_KRB5 */
2379 if(context) SSL_set_session_id_context(con, context, 2233 if (context)
2380 strlen((char *)context)); 2234 SSL_set_session_id_context(con, context,
2235 strlen((char *) context));
2381 2236
2382 sbio=BIO_new_socket(s,BIO_NOCLOSE); 2237 sbio = BIO_new_socket(s, BIO_NOCLOSE);
2383 if (s_nbio_test) 2238 if (s_nbio_test) {
2384 {
2385 BIO *test; 2239 BIO *test;
2386 2240
2387 test=BIO_new(BIO_f_nbio_test()); 2241 test = BIO_new(BIO_f_nbio_test());
2388 sbio=BIO_push(test,sbio); 2242 sbio = BIO_push(test, sbio);
2389 } 2243 }
2390 SSL_set_bio(con,sbio,sbio); 2244 SSL_set_bio(con, sbio, sbio);
2391 SSL_set_accept_state(con); 2245 SSL_set_accept_state(con);
2392 2246
2393 /* SSL_set_fd(con,s); */ 2247 /* SSL_set_fd(con,s); */
2394 BIO_set_ssl(ssl_bio,con,BIO_CLOSE); 2248 BIO_set_ssl(ssl_bio, con, BIO_CLOSE);
2395 BIO_push(io,ssl_bio); 2249 BIO_push(io, ssl_bio);
2396 2250
2397 if (s_debug) 2251 if (s_debug) {
2398 {
2399 SSL_set_debug(con, 1); 2252 SSL_set_debug(con, 1);
2400 BIO_set_callback(SSL_get_rbio(con),bio_dump_callback); 2253 BIO_set_callback(SSL_get_rbio(con), bio_dump_callback);
2401 BIO_set_callback_arg(SSL_get_rbio(con),(char *)bio_s_out); 2254 BIO_set_callback_arg(SSL_get_rbio(con), (char *) bio_s_out);
2402 } 2255 }
2403 if (s_msg) 2256 if (s_msg) {
2404 {
2405 SSL_set_msg_callback(con, msg_cb); 2257 SSL_set_msg_callback(con, msg_cb);
2406 SSL_set_msg_callback_arg(con, bio_s_out); 2258 SSL_set_msg_callback_arg(con, bio_s_out);
2407 } 2259 }
2408 2260 for (;;) {
2409 for (;;) 2261 if (hack) {
2410 { 2262 i = SSL_accept(con);
2411 if (hack)
2412 {
2413 i=SSL_accept(con);
2414#ifndef OPENSSL_NO_SRP 2263#ifndef OPENSSL_NO_SRP
2415 while (i <= 0 && SSL_get_error(con,i) == SSL_ERROR_WANT_X509_LOOKUP) 2264 while (i <= 0 && SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP) {
2416 { 2265 BIO_printf(bio_s_out, "LOOKUP during accept %s\n", srp_callback_parm.login);
2417 BIO_printf(bio_s_out,"LOOKUP during accept %s\n",srp_callback_parm.login); 2266 srp_callback_parm.user = SRP_VBASE_get_by_user(srp_callback_parm.vb, srp_callback_parm.login);
2418 srp_callback_parm.user = SRP_VBASE_get_by_user(srp_callback_parm.vb, srp_callback_parm.login); 2267 if (srp_callback_parm.user)
2419 if (srp_callback_parm.user) 2268 BIO_printf(bio_s_out, "LOOKUP done %s\n", srp_callback_parm.user->info);
2420 BIO_printf(bio_s_out,"LOOKUP done %s\n",srp_callback_parm.user->info); 2269 else
2421 else 2270 BIO_printf(bio_s_out, "LOOKUP not successful\n");
2422 BIO_printf(bio_s_out,"LOOKUP not successful\n"); 2271 i = SSL_accept(con);
2423 i=SSL_accept(con); 2272 }
2424 }
2425#endif 2273#endif
2426 switch (SSL_get_error(con,i)) 2274 switch (SSL_get_error(con, i)) {
2427 {
2428 case SSL_ERROR_NONE: 2275 case SSL_ERROR_NONE:
2429 break; 2276 break;
2430 case SSL_ERROR_WANT_WRITE: 2277 case SSL_ERROR_WANT_WRITE:
@@ -2434,142 +2281,122 @@ static int www_body(char *hostname, int s, unsigned char *context)
2434 case SSL_ERROR_SYSCALL: 2281 case SSL_ERROR_SYSCALL:
2435 case SSL_ERROR_SSL: 2282 case SSL_ERROR_SSL:
2436 case SSL_ERROR_ZERO_RETURN: 2283 case SSL_ERROR_ZERO_RETURN:
2437 ret=1; 2284 ret = 1;
2438 goto err; 2285 goto err;
2439 /* break; */ 2286 /* break; */
2440 }
2441
2442 SSL_renegotiate(con);
2443 SSL_write(con,NULL,0);
2444 } 2287 }
2445 2288
2446 i=BIO_gets(io,buf,bufsize-1); 2289 SSL_renegotiate(con);
2447 if (i < 0) /* error */ 2290 SSL_write(con, NULL, 0);
2448 { 2291 }
2449 if (!BIO_should_retry(io)) 2292 i = BIO_gets(io, buf, bufsize - 1);
2450 { 2293 if (i < 0) { /* error */
2294 if (!BIO_should_retry(io)) {
2451 if (!s_quiet) 2295 if (!s_quiet)
2452 ERR_print_errors(bio_err); 2296 ERR_print_errors(bio_err);
2453 goto err; 2297 goto err;
2454 } 2298 } else {
2455 else 2299 BIO_printf(bio_s_out, "read R BLOCK\n");
2456 {
2457 BIO_printf(bio_s_out,"read R BLOCK\n");
2458 sleep(1); 2300 sleep(1);
2459 continue; 2301 continue;
2460 }
2461 } 2302 }
2462 else if (i == 0) /* end of input */ 2303 } else if (i == 0) { /* end of input */
2463 { 2304 ret = 1;
2464 ret=1;
2465 goto end; 2305 goto end;
2466 } 2306 }
2467
2468 /* else we have data */ 2307 /* else we have data */
2469 if ( ((www == 1) && (strncmp("GET ",buf,4) == 0)) || 2308 if (((www == 1) && (strncmp("GET ", buf, 4) == 0)) ||
2470 ((www == 2) && (strncmp("GET /stats ",buf,11) == 0))) 2309 ((www == 2) && (strncmp("GET /stats ", buf, 11) == 0))) {
2471 {
2472 char *p; 2310 char *p;
2473 X509 *peer; 2311 X509 *peer;
2474 STACK_OF(SSL_CIPHER) *sk; 2312 STACK_OF(SSL_CIPHER) * sk;
2475 static const char *space=" "; 2313 static const char *space = " ";
2476 2314
2477 BIO_puts(io,"HTTP/1.0 200 ok\r\nContent-type: text/html\r\n\r\n"); 2315 BIO_puts(io, "HTTP/1.0 200 ok\r\nContent-type: text/html\r\n\r\n");
2478 BIO_puts(io,"<HTML><BODY BGCOLOR=\"#ffffff\">\n"); 2316 BIO_puts(io, "<HTML><BODY BGCOLOR=\"#ffffff\">\n");
2479 BIO_puts(io,"<pre>\n"); 2317 BIO_puts(io, "<pre>\n");
2480/* BIO_puts(io,SSLeay_version(SSLEAY_VERSION));*/ 2318/* BIO_puts(io,SSLeay_version(SSLEAY_VERSION));*/
2481 BIO_puts(io,"\n"); 2319 BIO_puts(io, "\n");
2482 for (i=0; i<local_argc; i++) 2320 for (i = 0; i < local_argc; i++) {
2483 { 2321 BIO_puts(io, local_argv[i]);
2484 BIO_puts(io,local_argv[i]); 2322 BIO_write(io, " ", 1);
2485 BIO_write(io," ",1); 2323 }
2486 } 2324 BIO_puts(io, "\n");
2487 BIO_puts(io,"\n");
2488 2325
2489 BIO_printf(io, 2326 BIO_printf(io,
2490 "Secure Renegotiation IS%s supported\n", 2327 "Secure Renegotiation IS%s supported\n",
2491 SSL_get_secure_renegotiation_support(con) ? 2328 SSL_get_secure_renegotiation_support(con) ?
2492 "" : " NOT"); 2329 "" : " NOT");
2493 2330
2494 /* The following is evil and should not really 2331 /*
2495 * be done */ 2332 * The following is evil and should not really be
2496 BIO_printf(io,"Ciphers supported in s_server binary\n"); 2333 * done
2497 sk=SSL_get_ciphers(con); 2334 */
2498 j=sk_SSL_CIPHER_num(sk); 2335 BIO_printf(io, "Ciphers supported in s_server binary\n");
2499 for (i=0; i<j; i++) 2336 sk = SSL_get_ciphers(con);
2500 { 2337 j = sk_SSL_CIPHER_num(sk);
2501 c=sk_SSL_CIPHER_value(sk,i); 2338 for (i = 0; i < j; i++) {
2502 BIO_printf(io,"%-11s:%-25s", 2339 c = sk_SSL_CIPHER_value(sk, i);
2503 SSL_CIPHER_get_version(c), 2340 BIO_printf(io, "%-11s:%-25s",
2504 SSL_CIPHER_get_name(c)); 2341 SSL_CIPHER_get_version(c),
2505 if ((((i+1)%2) == 0) && (i+1 != j)) 2342 SSL_CIPHER_get_name(c));
2506 BIO_puts(io,"\n"); 2343 if ((((i + 1) % 2) == 0) && (i + 1 != j))
2507 } 2344 BIO_puts(io, "\n");
2508 BIO_puts(io,"\n"); 2345 }
2509 p=SSL_get_shared_ciphers(con,buf,bufsize); 2346 BIO_puts(io, "\n");
2510 if (p != NULL) 2347 p = SSL_get_shared_ciphers(con, buf, bufsize);
2511 { 2348 if (p != NULL) {
2512 BIO_printf(io,"---\nCiphers common between both SSL end points:\n"); 2349 BIO_printf(io, "---\nCiphers common between both SSL end points:\n");
2513 j=i=0; 2350 j = i = 0;
2514 while (*p) 2351 while (*p) {
2515 { 2352 if (*p == ':') {
2516 if (*p == ':') 2353 BIO_write(io, space, 26 - j);
2517 {
2518 BIO_write(io,space,26-j);
2519 i++; 2354 i++;
2520 j=0; 2355 j = 0;
2521 BIO_write(io,((i%3)?" ":"\n"),1); 2356 BIO_write(io, ((i % 3) ? " " : "\n"), 1);
2522 } 2357 } else {
2523 else 2358 BIO_write(io, p, 1);
2524 {
2525 BIO_write(io,p,1);
2526 j++; 2359 j++;
2527 }
2528 p++;
2529 } 2360 }
2530 BIO_puts(io,"\n"); 2361 p++;
2531 }
2532 BIO_printf(io,(SSL_cache_hit(con)
2533 ?"---\nReused, "
2534 :"---\nNew, "));
2535 c=SSL_get_current_cipher(con);
2536 BIO_printf(io,"%s, Cipher is %s\n",
2537 SSL_CIPHER_get_version(c),
2538 SSL_CIPHER_get_name(c));
2539 SSL_SESSION_print(io,SSL_get_session(con));
2540 BIO_printf(io,"---\n");
2541 print_stats(io,SSL_get_SSL_CTX(con));
2542 BIO_printf(io,"---\n");
2543 peer=SSL_get_peer_certificate(con);
2544 if (peer != NULL)
2545 {
2546 BIO_printf(io,"Client certificate\n");
2547 X509_print(io,peer);
2548 PEM_write_bio_X509(io,peer);
2549 } 2362 }
2550 else 2363 BIO_puts(io, "\n");
2551 BIO_puts(io,"no client certificate available\n"); 2364 }
2552 BIO_puts(io,"</BODY></HTML>\r\n\r\n"); 2365 BIO_printf(io, (SSL_cache_hit(con)
2366 ? "---\nReused, "
2367 : "---\nNew, "));
2368 c = SSL_get_current_cipher(con);
2369 BIO_printf(io, "%s, Cipher is %s\n",
2370 SSL_CIPHER_get_version(c),
2371 SSL_CIPHER_get_name(c));
2372 SSL_SESSION_print(io, SSL_get_session(con));
2373 BIO_printf(io, "---\n");
2374 print_stats(io, SSL_get_SSL_CTX(con));
2375 BIO_printf(io, "---\n");
2376 peer = SSL_get_peer_certificate(con);
2377 if (peer != NULL) {
2378 BIO_printf(io, "Client certificate\n");
2379 X509_print(io, peer);
2380 PEM_write_bio_X509(io, peer);
2381 } else
2382 BIO_puts(io, "no client certificate available\n");
2383 BIO_puts(io, "</BODY></HTML>\r\n\r\n");
2553 break; 2384 break;
2554 } 2385 } else if ((www == 2 || www == 3)
2555 else if ((www == 2 || www == 3) 2386 && (strncmp("GET /", buf, 5) == 0)) {
2556 && (strncmp("GET /",buf,5) == 0))
2557 {
2558 BIO *file; 2387 BIO *file;
2559 char *p,*e; 2388 char *p, *e;
2560 static const char *text="HTTP/1.0 200 ok\r\nContent-type: text/plain\r\n\r\n"; 2389 static const char *text = "HTTP/1.0 200 ok\r\nContent-type: text/plain\r\n\r\n";
2561 2390
2562 /* skip the '/' */ 2391 /* skip the '/' */
2563 p= &(buf[5]); 2392 p = &(buf[5]);
2564 2393
2565 dot = 1; 2394 dot = 1;
2566 for (e=p; *e != '\0'; e++) 2395 for (e = p; *e != '\0'; e++) {
2567 {
2568 if (e[0] == ' ') 2396 if (e[0] == ' ')
2569 break; 2397 break;
2570 2398
2571 switch (dot) 2399 switch (dot) {
2572 {
2573 case 1: 2400 case 1:
2574 dot = (e[0] == '.') ? 2 : 0; 2401 dot = (e[0] == '.') ? 2 : 0;
2575 break; 2402 break;
@@ -2579,132 +2406,119 @@ static int www_body(char *hostname, int s, unsigned char *context)
2579 case 3: 2406 case 3:
2580 dot = (e[0] == '/') ? -1 : 0; 2407 dot = (e[0] == '/') ? -1 : 0;
2581 break; 2408 break;
2582 } 2409 }
2583 if (dot == 0) 2410 if (dot == 0)
2584 dot = (e[0] == '/') ? 1 : 0; 2411 dot = (e[0] == '/') ? 1 : 0;
2585 } 2412 }
2586 dot = (dot == 3) || (dot == -1); /* filename contains ".." component */ 2413 dot = (dot == 3) || (dot == -1); /* filename contains
2414 * ".." component */
2587 2415
2588 if (*e == '\0') 2416 if (*e == '\0') {
2589 { 2417 BIO_puts(io, text);
2590 BIO_puts(io,text); 2418 BIO_printf(io, "'%s' is an invalid file name\r\n", p);
2591 BIO_printf(io,"'%s' is an invalid file name\r\n",p);
2592 break; 2419 break;
2593 } 2420 }
2594 *e='\0'; 2421 *e = '\0';
2595 2422
2596 if (dot) 2423 if (dot) {
2597 { 2424 BIO_puts(io, text);
2598 BIO_puts(io,text); 2425 BIO_printf(io, "'%s' contains '..' reference\r\n", p);
2599 BIO_printf(io,"'%s' contains '..' reference\r\n",p);
2600 break; 2426 break;
2601 } 2427 }
2602 2428 if (*p == '/') {
2603 if (*p == '/') 2429 BIO_puts(io, text);
2604 { 2430 BIO_printf(io, "'%s' is an invalid path\r\n", p);
2605 BIO_puts(io,text);
2606 BIO_printf(io,"'%s' is an invalid path\r\n",p);
2607 break; 2431 break;
2608 } 2432 }
2609
2610#if 0 2433#if 0
2611 /* append if a directory lookup */ 2434 /* append if a directory lookup */
2612 if (e[-1] == '/') 2435 if (e[-1] == '/')
2613 strcat(p,"index.html"); 2436 strcat(p, "index.html");
2614#endif 2437#endif
2615 2438
2616 /* if a directory, do the index thang */ 2439 /* if a directory, do the index thang */
2617 if (app_isdir(p)>0) 2440 if (app_isdir(p) > 0) {
2618 { 2441#if 0 /* must check buffer size */
2619#if 0 /* must check buffer size */ 2442 strcat(p, "/index.html");
2620 strcat(p,"/index.html");
2621#else 2443#else
2622 BIO_puts(io,text); 2444 BIO_puts(io, text);
2623 BIO_printf(io,"'%s' is a directory\r\n",p); 2445 BIO_printf(io, "'%s' is a directory\r\n", p);
2624 break; 2446 break;
2625#endif 2447#endif
2626 } 2448 }
2627 2449 if ((file = BIO_new_file(p, "r")) == NULL) {
2628 if ((file=BIO_new_file(p,"r")) == NULL) 2450 BIO_puts(io, text);
2629 { 2451 BIO_printf(io, "Error opening '%s'\r\n", p);
2630 BIO_puts(io,text);
2631 BIO_printf(io,"Error opening '%s'\r\n",p);
2632 ERR_print_errors(io); 2452 ERR_print_errors(io);
2633 break; 2453 break;
2634 } 2454 }
2635
2636 if (!s_quiet) 2455 if (!s_quiet)
2637 BIO_printf(bio_err,"FILE:%s\n",p); 2456 BIO_printf(bio_err, "FILE:%s\n", p);
2638 2457
2639 if (www == 2) 2458 if (www == 2) {
2640 { 2459 i = strlen(p);
2641 i=strlen(p); 2460 if (((i > 5) && (strcmp(&(p[i - 5]), ".html") == 0)) ||
2642 if ( ((i > 5) && (strcmp(&(p[i-5]),".html") == 0)) || 2461 ((i > 4) && (strcmp(&(p[i - 4]), ".php") == 0)) ||
2643 ((i > 4) && (strcmp(&(p[i-4]),".php") == 0)) || 2462 ((i > 4) && (strcmp(&(p[i - 4]), ".htm") == 0)))
2644 ((i > 4) && (strcmp(&(p[i-4]),".htm") == 0))) 2463 BIO_puts(io, "HTTP/1.0 200 ok\r\nContent-type: text/html\r\n\r\n");
2645 BIO_puts(io,"HTTP/1.0 200 ok\r\nContent-type: text/html\r\n\r\n"); 2464 else
2646 else 2465 BIO_puts(io, "HTTP/1.0 200 ok\r\nContent-type: text/plain\r\n\r\n");
2647 BIO_puts(io,"HTTP/1.0 200 ok\r\nContent-type: text/plain\r\n\r\n"); 2466 }
2648 }
2649 /* send the file */ 2467 /* send the file */
2650 for (;;) 2468 for (;;) {
2651 { 2469 i = BIO_read(file, buf, bufsize);
2652 i=BIO_read(file,buf,bufsize); 2470 if (i <= 0)
2653 if (i <= 0) break; 2471 break;
2654 2472
2655#ifdef RENEG 2473#ifdef RENEG
2656 total_bytes+=i; 2474 total_bytes += i;
2657 fprintf(stderr,"%d\n",i); 2475 fprintf(stderr, "%d\n", i);
2658 if (total_bytes > 3*1024) 2476 if (total_bytes > 3 * 1024) {
2659 { 2477 total_bytes = 0;
2660 total_bytes=0; 2478 fprintf(stderr, "RENEGOTIATE\n");
2661 fprintf(stderr,"RENEGOTIATE\n");
2662 SSL_renegotiate(con); 2479 SSL_renegotiate(con);
2663 } 2480 }
2664#endif 2481#endif
2665 2482
2666 for (j=0; j<i; ) 2483 for (j = 0; j < i;) {
2667 {
2668#ifdef RENEG 2484#ifdef RENEG
2669{ static count=0; if (++count == 13) { SSL_renegotiate(con); } } 2485 {
2486 static count = 0;
2487 if (++count == 13) {
2488 SSL_renegotiate(con);
2489 }
2490 }
2670#endif 2491#endif
2671 k=BIO_write(io,&(buf[j]),i-j); 2492 k = BIO_write(io, &(buf[j]), i - j);
2672 if (k <= 0) 2493 if (k <= 0) {
2673 {
2674 if (!BIO_should_retry(io)) 2494 if (!BIO_should_retry(io))
2675 goto write_error; 2495 goto write_error;
2676 else 2496 else {
2677 { 2497 BIO_printf(bio_s_out, "rwrite W BLOCK\n");
2678 BIO_printf(bio_s_out,"rwrite W BLOCK\n");
2679 }
2680 }
2681 else
2682 {
2683 j+=k;
2684 } 2498 }
2499 } else {
2500 j += k;
2685 } 2501 }
2686 } 2502 }
2687write_error: 2503 }
2504 write_error:
2688 BIO_free(file); 2505 BIO_free(file);
2689 break; 2506 break;
2690 }
2691 } 2507 }
2508 }
2692 2509
2693 for (;;) 2510 for (;;) {
2694 { 2511 i = (int) BIO_flush(io);
2695 i=(int)BIO_flush(io); 2512 if (i <= 0) {
2696 if (i <= 0)
2697 {
2698 if (!BIO_should_retry(io)) 2513 if (!BIO_should_retry(io))
2699 break; 2514 break;
2700 } 2515 } else
2701 else
2702 break; 2516 break;
2703 } 2517 }
2704end: 2518end:
2705#if 1 2519#if 1
2706 /* make sure we re-use sessions */ 2520 /* make sure we re-use sessions */
2707 SSL_set_shutdown(con,SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); 2521 SSL_set_shutdown(con, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
2708#else 2522#else
2709 /* This kills performance */ 2523 /* This kills performance */
2710/* SSL_shutdown(con); A shutdown gets sent in the 2524/* SSL_shutdown(con); A shutdown gets sent in the
@@ -2714,65 +2528,68 @@ end:
2714err: 2528err:
2715 2529
2716 if (ret >= 0) 2530 if (ret >= 0)
2717 BIO_printf(bio_s_out,"ACCEPT\n"); 2531 BIO_printf(bio_s_out, "ACCEPT\n");
2718 2532
2719 if (buf != NULL) free(buf); 2533 if (buf != NULL)
2720 if (io != NULL) BIO_free_all(io); 2534 free(buf);
2535 if (io != NULL)
2536 BIO_free_all(io);
2721/* if (ssl_bio != NULL) BIO_free(ssl_bio);*/ 2537/* if (ssl_bio != NULL) BIO_free(ssl_bio);*/
2722 return(ret); 2538 return (ret);
2723 } 2539}
2724 2540
2725#ifndef OPENSSL_NO_RSA 2541#ifndef OPENSSL_NO_RSA
2726static RSA *tmp_rsa_cb(SSL *s, int is_export, int keylength) 2542static RSA *
2727 { 2543tmp_rsa_cb(SSL * s, int is_export, int keylength)
2544{
2728 BIGNUM *bn = NULL; 2545 BIGNUM *bn = NULL;
2729 static RSA *rsa_tmp=NULL; 2546 static RSA *rsa_tmp = NULL;
2730 2547
2731 if (!rsa_tmp && ((bn = BN_new()) == NULL)) 2548 if (!rsa_tmp && ((bn = BN_new()) == NULL))
2732 BIO_printf(bio_err,"Allocation error in generating RSA key\n"); 2549 BIO_printf(bio_err, "Allocation error in generating RSA key\n");
2733 if (!rsa_tmp && bn) 2550 if (!rsa_tmp && bn) {
2734 { 2551 if (!s_quiet) {
2735 if (!s_quiet) 2552 BIO_printf(bio_err, "Generating temp (%d bit) RSA key...", keylength);
2736 { 2553 (void) BIO_flush(bio_err);
2737 BIO_printf(bio_err,"Generating temp (%d bit) RSA key...",keylength); 2554 }
2738 (void)BIO_flush(bio_err); 2555 if (!BN_set_word(bn, RSA_F4) || ((rsa_tmp = RSA_new()) == NULL) ||
2739 } 2556 !RSA_generate_key_ex(rsa_tmp, keylength, bn, NULL)) {
2740 if(!BN_set_word(bn, RSA_F4) || ((rsa_tmp = RSA_new()) == NULL) || 2557 if (rsa_tmp)
2741 !RSA_generate_key_ex(rsa_tmp, keylength, bn, NULL)) 2558 RSA_free(rsa_tmp);
2742 {
2743 if(rsa_tmp) RSA_free(rsa_tmp);
2744 rsa_tmp = NULL; 2559 rsa_tmp = NULL;
2745 }
2746 if (!s_quiet)
2747 {
2748 BIO_printf(bio_err,"\n");
2749 (void)BIO_flush(bio_err);
2750 }
2751 BN_free(bn);
2752 } 2560 }
2753 return(rsa_tmp); 2561 if (!s_quiet) {
2562 BIO_printf(bio_err, "\n");
2563 (void) BIO_flush(bio_err);
2564 }
2565 BN_free(bn);
2754 } 2566 }
2567 return (rsa_tmp);
2568}
2755#endif 2569#endif
2756 2570
2757#define MAX_SESSION_ID_ATTEMPTS 10 2571#define MAX_SESSION_ID_ATTEMPTS 10
2758static int generate_session_id(const SSL *ssl, unsigned char *id, 2572static int
2759 unsigned int *id_len) 2573generate_session_id(const SSL * ssl, unsigned char *id,
2760 { 2574 unsigned int *id_len)
2575{
2761 unsigned int count = 0; 2576 unsigned int count = 0;
2762 do { 2577 do {
2763 RAND_pseudo_bytes(id, *id_len); 2578 RAND_pseudo_bytes(id, *id_len);
2764 /* Prefix the session_id with the required prefix. NB: If our 2579 /*
2765 * prefix is too long, clip it - but there will be worse effects 2580 * Prefix the session_id with the required prefix. NB: If our
2766 * anyway, eg. the server could only possibly create 1 session 2581 * prefix is too long, clip it - but there will be worse
2767 * ID (ie. the prefix!) so all future session negotiations will 2582 * effects anyway, eg. the server could only possibly create
2768 * fail due to conflicts. */ 2583 * 1 session ID (ie. the prefix!) so all future session
2584 * negotiations will fail due to conflicts.
2585 */
2769 memcpy(id, session_id_prefix, 2586 memcpy(id, session_id_prefix,
2770 (strlen(session_id_prefix) < *id_len) ? 2587 (strlen(session_id_prefix) < *id_len) ?
2771 strlen(session_id_prefix) : *id_len); 2588 strlen(session_id_prefix) : *id_len);
2772 } 2589 }
2773 while(SSL_has_matching_session_id(ssl, id, *id_len) && 2590 while (SSL_has_matching_session_id(ssl, id, *id_len) &&
2774 (++count < MAX_SESSION_ID_ATTEMPTS)); 2591 (++count < MAX_SESSION_ID_ATTEMPTS));
2775 if(count >= MAX_SESSION_ID_ATTEMPTS) 2592 if (count >= MAX_SESSION_ID_ATTEMPTS)
2776 return 0; 2593 return 0;
2777 return 1; 2594 return 1;
2778 } 2595}
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-11-15 01:33:10 +0000