4 files changed, 29 insertions, 11 deletions

diff --git a/src/usr.bin/openssl/openssl.1 b/src/usr.bin/openssl/openssl.1
index 84627a84a5..9d9f5ca580 100644
--- a/src/usr.bin/openssl/openssl.1
+++ b/src/usr.bin/openssl/openssl.1
@@ -1,4 +1,4 @@
-.\" $OpenBSD: openssl.1,v 1.129 2021/03/17 18:08:32 jsing Exp $
+.\" $OpenBSD: openssl.1,v 1.130 2021/08/29 12:33:15 tb Exp $
 .\" ====================================================================
 .\" Copyright (c) 1998-2002 The OpenSSL Project.  All rights reserved.
 .\"
@@ -110,7 +110,7 @@
 .\" copied and put under another distribution licence
 .\" [including the GNU Public Licence.]
 .\"
-.Dd $Mdocdate: March 17 2021 $
+.Dd $Mdocdate: August 29 2021 $
 .Dt OPENSSL 1
 .Os
 .Sh NAME
@@ -4607,6 +4607,7 @@ will be used.
 .Op Fl keymatexportlen Ar len
 .Op Fl msg
 .Op Fl mtu Ar mtu
+.Op Fl naccept Ar num
 .Op Fl named_curve Ar arg
 .Op Fl nbio
 .Op Fl nbio_test
@@ -4807,6 +4808,10 @@ Export len bytes of keying material (default 20).
 Show all protocol messages with hex dump.
 .It Fl mtu Ar mtu
 Set the link layer MTU.
+.It Fl naccept Ar num
+Terminate server after
+.Ar num
+connections.
 .It Fl named_curve Ar arg
 Specify the elliptic curve name to use for ephemeral ECDH keys.
 This option is deprecated; use
diff --git a/src/usr.bin/openssl/s_apps.h b/src/usr.bin/openssl/s_apps.h
index 9ee0bb7dc1..f535a35c39 100644
--- a/src/usr.bin/openssl/s_apps.h
+++ b/src/usr.bin/openssl/s_apps.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: s_apps.h,v 1.5 2018/04/25 07:12:33 tb Exp $ */
+/* $OpenBSD: s_apps.h,v 1.6 2021/08/29 12:33:15 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -120,7 +120,7 @@ extern int verify_return_error;
 
 int do_server(int port, int type, int *ret,
     int (*cb)(char *hostname, int s, unsigned char *context),
-    unsigned char *context);
+    unsigned char *context, int naccept);
 #ifdef HEADER_X509_H
 int verify_callback(int ok, X509_STORE_CTX *ctx);
 #endif
diff --git a/src/usr.bin/openssl/s_server.c b/src/usr.bin/openssl/s_server.c
index 1bd544324a..abe2ee42ae 100644
--- a/src/usr.bin/openssl/s_server.c
+++ b/src/usr.bin/openssl/s_server.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s_server.c,v 1.47 2021/03/17 18:11:01 jsing Exp $ */
+/* $OpenBSD: s_server.c,v 1.48 2021/08/29 12:33:15 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -267,6 +267,7 @@ static struct {
         uint16_t min_version;
         const SSL_METHOD *meth;
         int msg;
+        int naccept;
         char *named_curve;
         int nbio;
         int nbio_test;
@@ -741,6 +742,13 @@ static const struct option s_server_options[] = {
         },
 #endif
         {
+                .name = "naccept",
+                .argname = "num",
+                .desc = "terminate after num connections",
+                .type = OPTION_ARG_INT,
+                .opt.value = &s_server_config.naccept
+        },
+        {
                 .name = "named_curve",
                 .argname = "arg",
                 .type = OPTION_ARG,
@@ -1045,7 +1053,7 @@ sv_usage(void)
             "    [-dpass arg] [-dtls] [-dtls1] [-dtls1_2] [-groups list] [-HTTP]\n"
             "    [-id_prefix arg] [-key keyfile] [-key2 keyfile]\n"
             "    [-keyform der | pem] [-keymatexport label]\n"
-            "    [-keymatexportlen len] [-msg] [-mtu mtu]\n"
+            "    [-keymatexportlen len] [-msg] [-mtu mtu] [-naccept num]\n"
             "    [-named_curve arg] [-nbio] [-nbio_test] [-no_cache]\n"
             "    [-no_dhe] [-no_ecdhe] [-no_ticket] [-no_tls1]\n"
             "    [-no_tls1_1] [-no_tls1_2] [-no_tls1_3] [-no_tmp_rsa]\n"
@@ -1084,6 +1092,7 @@ s_server_main(int argc, char *argv[])
         memset(&s_server_config, 0, sizeof(s_server_config));
         s_server_config.keymatexportlen = 20;
         s_server_config.meth = TLS_server_method();
+        s_server_config.naccept = -1;
         s_server_config.port = PORT;
         s_server_config.cert_file = TEST_CERT;
         s_server_config.cert_file2 = TEST_CERT2;
@@ -1465,10 +1474,12 @@ s_server_main(int argc, char *argv[])
         (void) BIO_flush(bio_s_out);
         if (s_server_config.www)
                 do_server(s_server_config.port, s_server_config.socket_type,
-                    &accept_socket, www_body, s_server_config.context);
+                    &accept_socket, www_body, s_server_config.context,
+                    s_server_config.naccept);
         else
                 do_server(s_server_config.port, s_server_config.socket_type,
-                    &accept_socket, sv_body, s_server_config.context);
+                    &accept_socket, sv_body, s_server_config.context,
+                    s_server_config.naccept);
         print_stats(bio_s_out, ctx);
         ret = 0;
  end:
diff --git a/src/usr.bin/openssl/s_socket.c b/src/usr.bin/openssl/s_socket.c
index 5d90fad8bb..f22c88d228 100644
--- a/src/usr.bin/openssl/s_socket.c
+++ b/src/usr.bin/openssl/s_socket.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: s_socket.c,v 1.11 2019/06/28 13:35:02 deraadt Exp $ */
+/* $OpenBSD: s_socket.c,v 1.12 2021/08/29 12:33:15 tb Exp $ */
 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  * All rights reserved.
  *
@@ -132,7 +132,7 @@ init_client(int *sock, char *host, char *port, int type, int af)
 int
 do_server(int port, int type, int *ret,
     int (*cb) (char *hostname, int s, unsigned char *context),
-    unsigned char *context)
+    unsigned char *context, int naccept)
 {
         int sock;
         char *name = NULL;
@@ -161,7 +161,9 @@ do_server(int port, int type, int *ret,
                         shutdown(sock, SHUT_RDWR);
                         close(sock);
                 }
-                if (i < 0) {
+                if (naccept != -1)
+                        naccept--;
+                if (i < 0 || naccept == 0) {
                         shutdown(accept_socket, SHUT_RDWR);
                         close(accept_socket);
                         return (i);