summaryrefslogtreecommitdiff
path: root/src
diff options
context:
space:
mode:
Diffstat (limited to 'src')
-rw-r--r--src/usr.bin/openssl/s_server.c1497
1 files changed, 929 insertions, 568 deletions
diff --git a/src/usr.bin/openssl/s_server.c b/src/usr.bin/openssl/s_server.c
index 2ff142dab8..07afc18869 100644
--- a/src/usr.bin/openssl/s_server.c
+++ b/src/usr.bin/openssl/s_server.c
@@ -1,4 +1,4 @@
1/* $OpenBSD: s_server.c,v 1.38 2020/05/23 13:00:30 tb Exp $ */ 1/* $OpenBSD: s_server.c,v 1.39 2020/07/27 12:09:14 inoguchi Exp $ */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved. 3 * All rights reserved.
4 * 4 *
@@ -201,158 +201,810 @@ static int accept_socket = -1;
201#define TEST_CERT "server.pem" 201#define TEST_CERT "server.pem"
202#define TEST_CERT2 "server2.pem" 202#define TEST_CERT2 "server2.pem"
203 203
204static char *cipher = NULL;
205static int s_server_verify = SSL_VERIFY_NONE;
206static int s_server_session_id_context = 1; /* anything will do */ 204static int s_server_session_id_context = 1; /* anything will do */
207static const char *s_cert_file = TEST_CERT, *s_key_file = NULL;
208static const char *s_cert_file2 = TEST_CERT2, *s_key_file2 = NULL;
209static char *s_dcert_file = NULL, *s_dkey_file = NULL;
210static int s_nbio = 0;
211static int s_nbio_test = 0;
212int s_crlf = 0;
213static SSL_CTX *ctx = NULL; 205static SSL_CTX *ctx = NULL;
214static SSL_CTX *ctx2 = NULL; 206static SSL_CTX *ctx2 = NULL;
215static int www = 0;
216
217static BIO *bio_s_out = NULL; 207static BIO *bio_s_out = NULL;
218static int s_debug = 0;
219static int s_tlsextdebug = 0;
220static int s_tlsextstatus = 0;
221static int cert_status_cb(SSL * s, void *arg); 208static int cert_status_cb(SSL * s, void *arg);
222static int s_msg = 0;
223static int s_quiet = 0;
224 209
225static char *keymatexportlabel = NULL; 210/* This is a context that we pass to callbacks */
226static int keymatexportlen = 20; 211typedef struct tlsextctx_st {
212 char *servername;
213 BIO *biodebug;
214 int extension_error;
215} tlsextctx;
216
217/* Structure passed to cert status callback */
218typedef struct tlsextstatusctx_st {
219 /* Default responder to use */
220 char *host, *path, *port;
221 int use_ssl;
222 int timeout;
223 BIO *err;
224 int verbose;
225} tlsextstatusctx;
226
227static struct {
228 char *alpn_in;
229 char *npn_in; /* Ignored. */
230 int bugs;
231 char *CAfile;
232 char *CApath;
233#ifndef OPENSSL_NO_DTLS1
234 int cert_chain;
235#endif
236 char *s_cert_file;
237 char *s_cert_file2;
238 int s_cert_format;
239 char *cipher;
240 unsigned char *context;
241 int s_crlf;
242 char *s_dcert_file;
243 int s_dcert_format;
244 int s_debug;
245 char *dhfile;
246 char *s_dkey_file;
247 int s_dkey_format;
248 char *dpassarg;
249 int enable_timeouts;
250 const char *errstr;
251 char *groups_in;
252 char *s_key_file;
253 char *s_key_file2;
254 int s_key_format;
255 char *keymatexportlabel;
256 int keymatexportlen;
257 uint16_t max_version;
258 uint16_t min_version;
259 const SSL_METHOD *meth;
260 int s_msg;
261 char *named_curve;
262 int s_nbio;
263 int s_nbio_test;
264 int no_cache;
265 int nocert;
266 int no_dhe;
267 int no_ecdhe;
268 int no_tmp_rsa; /* No-op. */
269 int off;
270 char *passarg;
271 short port;
272 int s_quiet;
273 int s_server_verify;
274 char *session_id_prefix;
275 long socket_mtu;
276 int socket_type;
277#ifndef OPENSSL_NO_SRTP
278 char *srtp_profiles;
279#endif
280 int state;
281 tlsextstatusctx tlscstatp;
282 tlsextctx tlsextcbp;
283 int s_tlsextdebug;
284 int s_tlsextstatus;
285 X509_VERIFY_PARAM *vpm;
286 int www;
287} s_server_config;
288
289static int
290s_server_opt_context(char *arg)
291{
292 s_server_config.context = (unsigned char *) arg;
293 return (0);
294}
227 295
228static const char *session_id_prefix = NULL; 296static int
297s_server_opt_keymatexportlen(char *arg)
298{
299 s_server_config.keymatexportlen = strtonum(arg, 1, INT_MAX,
300 &s_server_config.errstr);
301 if (s_server_config.errstr != NULL) {
302 BIO_printf(bio_err, "invalid argument %s: %s\n",
303 arg, s_server_config.errstr);
304 return (1);
305 }
306 return (0);
307}
229 308
230static int enable_timeouts = 0;
231static long socket_mtu;
232#ifndef OPENSSL_NO_DTLS1 309#ifndef OPENSSL_NO_DTLS1
233static int cert_chain = 0; 310static int
311s_server_opt_mtu(char *arg)
312{
313 s_server_config.socket_mtu = strtonum(arg, 0, LONG_MAX,
314 &s_server_config.errstr);
315 if (s_server_config.errstr != NULL) {
316 BIO_printf(bio_err, "invalid argument %s: %s\n",
317 arg, s_server_config.errstr);
318 return (1);
319 }
320 return (0);
321}
322
323static int
324s_server_protocol_version_dtls1(void)
325{
326 s_server_config.meth = DTLS_server_method();
327 s_server_config.socket_type = SOCK_DGRAM;
328 return (0);
329}
234#endif 330#endif
235 331
332static int
333s_server_protocol_version_tls1(void)
334{
335 s_server_config.min_version = TLS1_VERSION;
336 s_server_config.max_version = TLS1_VERSION;
337 return (0);
338}
339
340static int
341s_server_protocol_version_tls1_1(void)
342{
343 s_server_config.min_version = TLS1_1_VERSION;
344 s_server_config.max_version = TLS1_1_VERSION;
345 return (0);
346}
347
348static int
349s_server_protocol_version_tls1_2(void)
350{
351 s_server_config.min_version = TLS1_2_VERSION;
352 s_server_config.max_version = TLS1_2_VERSION;
353 return (0);
354}
355
356static int
357s_server_protocol_version_tls1_3(void)
358{
359 s_server_config.min_version = TLS1_3_VERSION;
360 s_server_config.max_version = TLS1_3_VERSION;
361 return (0);
362}
363
364static int
365s_server_opt_nbio_test(void)
366{
367 s_server_config.s_nbio = 1;
368 s_server_config.s_nbio_test = 1;
369 return (0);
370}
371
372static int
373s_server_opt_port(char *arg)
374{
375 if (!extract_port(arg, &s_server_config.port))
376 return (1);
377 return (0);
378}
379
380static int
381s_server_opt_status_timeout(char *arg)
382{
383 s_server_config.s_tlsextstatus = 1;
384 s_server_config.tlscstatp.timeout = strtonum(arg, 0, INT_MAX,
385 &s_server_config.errstr);
386 if (s_server_config.errstr != NULL) {
387 BIO_printf(bio_err, "invalid argument %s: %s\n",
388 arg, s_server_config.errstr);
389 return (1);
390 }
391 return (0);
392}
393
394static int
395s_server_opt_status_url(char *arg)
396{
397 s_server_config.s_tlsextstatus = 1;
398 if (!OCSP_parse_url(arg, &s_server_config.tlscstatp.host,
399 &s_server_config.tlscstatp.port, &s_server_config.tlscstatp.path,
400 &s_server_config.tlscstatp.use_ssl)) {
401 BIO_printf(bio_err, "Error parsing URL\n");
402 return (1);
403 }
404 return (0);
405}
406
407static int
408s_server_opt_status_verbose(void)
409{
410 s_server_config.s_tlsextstatus = 1;
411 s_server_config.tlscstatp.verbose = 1;
412 return (0);
413}
414
415static int
416s_server_opt_verify(char *arg)
417{
418 s_server_config.s_server_verify = SSL_VERIFY_PEER |
419 SSL_VERIFY_CLIENT_ONCE;
420 verify_depth = strtonum(arg, 0, INT_MAX, &s_server_config.errstr);
421 if (s_server_config.errstr != NULL) {
422 BIO_printf(bio_err, "invalid argument %s: %s\n",
423 arg, s_server_config.errstr);
424 return (1);
425 }
426 BIO_printf(bio_err, "verify depth is %d\n", verify_depth);
427 return (0);
428}
429
430static int
431s_server_opt_verify_fail(char *arg)
432{
433 s_server_config.s_server_verify = SSL_VERIFY_PEER |
434 SSL_VERIFY_FAIL_IF_NO_PEER_CERT | SSL_VERIFY_CLIENT_ONCE;
435 verify_depth = strtonum(arg, 0, INT_MAX, &s_server_config.errstr);
436 if (s_server_config.errstr != NULL) {
437 BIO_printf(bio_err, "invalid argument %s: %s\n",
438 arg, s_server_config.errstr);
439 return (1);
440 }
441 BIO_printf(bio_err, "verify depth is %d, must return a certificate\n",
442 verify_depth);
443 return (0);
444}
445
446static int
447s_server_opt_verify_param(int argc, char **argv, int *argsused)
448{
449 char **pargs = argv;
450 int pargc = argc;
451 int badarg = 0;
236 452
453 if (!args_verify(&pargs, &pargc, &badarg, bio_err,
454 &s_server_config.vpm)) {
455 BIO_printf(bio_err, "unknown option %s\n", *argv);
456 return (1);
457 }
458 if (badarg)
459 return (1);
237 460
461 *argsused = argc - pargc;
462 return (0);
463}
464
465static const struct option s_server_options[] = {
466 {
467 .name = "accept",
468 .argname = "port",
469 .desc = "Port to accept on (default is 4433)",
470 .type = OPTION_ARG_FUNC,
471 .opt.argfunc = s_server_opt_port,
472 },
473 {
474 .name = "alpn",
475 .argname = "protocols",
476 .desc = "Set the advertised protocols for the ALPN extension"
477 " (comma-separated list)",
478 .type = OPTION_ARG,
479 .opt.arg = &s_server_config.alpn_in,
480 },
481 {
482 .name = "bugs",
483 .desc = "Turn on SSL bug compatibility",
484 .type = OPTION_FLAG,
485 .opt.flag = &s_server_config.bugs,
486 },
487 {
488 .name = "CAfile",
489 .argname = "file",
490 .desc = "PEM format file of CA certificates",
491 .type = OPTION_ARG,
492 .opt.arg = &s_server_config.CAfile,
493 },
494 {
495 .name = "CApath",
496 .argname = "directory",
497 .desc = "PEM format directory of CA certificates",
498 .type = OPTION_ARG,
499 .opt.arg = &s_server_config.CApath,
500 },
501 {
502 .name = "cert",
503 .argname = "file",
504 .desc = "Certificate file to use\n"
505 "(default is " TEST_CERT ")",
506 .type = OPTION_ARG,
507 .opt.arg = &s_server_config.s_cert_file,
508 },
509 {
510 .name = "cert2",
511 .argname = "file",
512 .desc = "Certificate file to use for servername\n"
513 "(default is " TEST_CERT2 ")",
514 .type = OPTION_ARG,
515 .opt.arg = &s_server_config.s_cert_file2,
516 },
517 {
518 .name = "certform",
519 .argname = "fmt",
520 .desc = "Certificate format (PEM or DER) PEM default",
521 .type = OPTION_ARG_FORMAT,
522 .opt.value = &s_server_config.s_cert_format,
523 },
524#ifndef OPENSSL_NO_DTLS1
525 {
526 .name = "chain",
527 .type = OPTION_FLAG,
528 .opt.flag = &s_server_config.cert_chain,
529 },
530#endif
531 {
532 .name = "cipher",
533 .argname = "list",
534 .desc = "List of ciphers to enable (see `openssl ciphers`)",
535 .type = OPTION_ARG,
536 .opt.arg = &s_server_config.cipher,
537 },
538 {
539 .name = "context",
540 .argname = "id",
541 .desc = "Set session ID context",
542 .type = OPTION_ARG_FUNC,
543 .opt.argfunc = s_server_opt_context,
544 },
545 {
546 .name = "crlf",
547 .desc = "Convert LF from terminal into CRLF",
548 .type = OPTION_FLAG,
549 .opt.flag = &s_server_config.s_crlf,
550 },
551 {
552 .name = "dcert",
553 .argname = "file",
554 .desc = "Second certificate file to use (usually for DSA)",
555 .type = OPTION_ARG,
556 .opt.arg = &s_server_config.s_dcert_file,
557 },
558 {
559 .name = "dcertform",
560 .argname = "fmt",
561 .desc = "Second certificate format (PEM or DER) PEM default",
562 .type = OPTION_ARG_FORMAT,
563 .opt.value = &s_server_config.s_dcert_format,
564 },
565 {
566 .name = "debug",
567 .desc = "Print more output",
568 .type = OPTION_FLAG,
569 .opt.flag = &s_server_config.s_debug,
570 },
571 {
572 .name = "dhparam",
573 .argname = "file",
574 .desc = "DH parameter file to use, in cert file if not specified",
575 .type = OPTION_ARG,
576 .opt.arg = &s_server_config.dhfile,
577 },
578 {
579 .name = "dkey",
580 .argname = "file",
581 .desc = "Second private key file to use (usually for DSA)",
582 .type = OPTION_ARG,
583 .opt.arg = &s_server_config.s_dkey_file,
584 },
585 {
586 .name = "dkeyform",
587 .argname = "fmt",
588 .desc = "Second key format (PEM or DER) PEM default",
589 .type = OPTION_ARG_FORMAT,
590 .opt.value = &s_server_config.s_dkey_format,
591 },
592 {
593 .name = "dpass",
594 .argname = "arg",
595 .desc = "Second private key file pass phrase source",
596 .type = OPTION_ARG,
597 .opt.arg = &s_server_config.dpassarg,
598 },
599#ifndef OPENSSL_NO_DTLS1
600 {
601 .name = "dtls1",
602 .desc = "Just talk DTLSv1",
603 .type = OPTION_FUNC,
604 .opt.func = s_server_protocol_version_dtls1,
605 },
606#endif
607 {
608 .name = "groups",
609 .argname = "list",
610 .desc = "Specify EC groups (colon-separated list)",
611 .type = OPTION_ARG,
612 .opt.arg = &s_server_config.groups_in,
613 },
614 {
615 .name = "HTTP",
616 .desc = "Respond to a 'GET /<path> HTTP/1.0' with file ./<path>",
617 .type = OPTION_VALUE,
618 .opt.value = &s_server_config.www,
619 .value = 3,
620 },
621 {
622 .name = "id_prefix",
623 .argname = "arg",
624 .desc = "Generate SSL/TLS session IDs prefixed by 'arg'",
625 .type = OPTION_ARG,
626 .opt.arg = &s_server_config.session_id_prefix,
627 },
628 {
629 .name = "key",
630 .argname = "file",
631 .desc = "Private Key file to use, in cert file if\n"
632 "not specified (default is " TEST_CERT ")",
633 .type = OPTION_ARG,
634 .opt.arg = &s_server_config.s_key_file,
635 },
636 {
637 .name = "key2",
638 .argname = "file",
639 .desc = "Private Key file to use for servername, in cert file if\n"
640 "not specified (default is " TEST_CERT2 ")",
641 .type = OPTION_ARG,
642 .opt.arg = &s_server_config.s_key_file2,
643 },
644 {
645 .name = "keyform",
646 .argname = "fmt",
647 .desc = "Key format (PEM or DER) PEM default",
648 .type = OPTION_ARG_FORMAT,
649 .opt.value = &s_server_config.s_key_format,
650 },
651 {
652 .name = "keymatexport",
653 .argname = "label",
654 .desc = "Export keying material using label",
655 .type = OPTION_ARG,
656 .opt.arg = &s_server_config.keymatexportlabel,
657 },
658 {
659 .name = "keymatexportlen",
660 .argname = "len",
661 .desc = "Export len bytes of keying material (default 20)",
662 .type = OPTION_ARG_FUNC,
663 .opt.argfunc = s_server_opt_keymatexportlen,
664 },
665 {
666 .name = "legacy_renegotiation",
667 .type = OPTION_DISCARD,
668 },
669 {
670 .name = "msg",
671 .desc = "Show protocol messages",
672 .type = OPTION_FLAG,
673 .opt.flag = &s_server_config.s_msg,
674 },
675#ifndef OPENSSL_NO_DTLS1
676 {
677 .name = "mtu",
678 .argname = "mtu",
679 .desc = "Set link layer MTU",
680 .type = OPTION_ARG_FUNC,
681 .opt.argfunc = s_server_opt_mtu,
682 },
683#endif
684 {
685 .name = "named_curve",
686 .argname = "arg",
687 .type = OPTION_ARG,
688 .opt.arg = &s_server_config.named_curve,
689 },
690 {
691 .name = "nbio",
692 .desc = "Run with non-blocking I/O",
693 .type = OPTION_FLAG,
694 .opt.flag = &s_server_config.s_nbio,
695 },
696 {
697 .name = "nbio_test",
698 .desc = "Test with the non-blocking test bio",
699 .type = OPTION_FUNC,
700 .opt.func = s_server_opt_nbio_test,
701 },
702 {
703 .name = "nextprotoneg",
704 .argname = "arg",
705 .type = OPTION_ARG,
706 .opt.arg = &s_server_config.npn_in, /* Ignored. */
707 },
708 {
709 .name = "no_cache",
710 .desc = "Disable session cache",
711 .type = OPTION_FLAG,
712 .opt.flag = &s_server_config.no_cache,
713 },
714 {
715 .name = "no_comp",
716 .desc = "Disable SSL/TLS compression",
717 .type = OPTION_VALUE_OR,
718 .opt.value = &s_server_config.off,
719 .value = SSL_OP_NO_COMPRESSION,
720 },
721 {
722 .name = "no_dhe",
723 .desc = "Disable ephemeral DH",
724 .type = OPTION_FLAG,
725 .opt.flag = &s_server_config.no_dhe,
726 },
727 {
728 .name = "no_ecdhe",
729 .desc = "Disable ephemeral ECDH",
730 .type = OPTION_FLAG,
731 .opt.flag = &s_server_config.no_ecdhe,
732 },
733 {
734 .name = "no_ticket",
735 .desc = "Disable use of RFC4507bis session tickets",
736 .type = OPTION_VALUE_OR,
737 .opt.value = &s_server_config.off,
738 .value = SSL_OP_NO_TICKET,
739 },
740 {
741 .name = "no_ssl2",
742 .type = OPTION_VALUE_OR,
743 .opt.value = &s_server_config.off,
744 .value = SSL_OP_NO_SSLv2,
745 },
746 {
747 .name = "no_ssl3",
748 .type = OPTION_VALUE_OR,
749 .opt.value = &s_server_config.off,
750 .value = SSL_OP_NO_SSLv3,
751 },
752 {
753 .name = "no_tls1",
754 .desc = "Just disable TLSv1",
755 .type = OPTION_VALUE_OR,
756 .opt.value = &s_server_config.off,
757 .value = SSL_OP_NO_TLSv1,
758 },
759 {
760 .name = "no_tls1_1",
761 .desc = "Just disable TLSv1.1",
762 .type = OPTION_VALUE_OR,
763 .opt.value = &s_server_config.off,
764 .value = SSL_OP_NO_TLSv1_1,
765 },
766 {
767 .name = "no_tls1_2",
768 .desc = "Just disable TLSv1.2",
769 .type = OPTION_VALUE_OR,
770 .opt.value = &s_server_config.off,
771 .value = SSL_OP_NO_TLSv1_2,
772 },
773 {
774 .name = "no_tls1_3",
775 .desc = "Just disable TLSv1.3",
776 .type = OPTION_VALUE_OR,
777 .opt.value = &s_server_config.off,
778 .value = SSL_OP_NO_TLSv1_3,
779 },
780 {
781 .name = "no_tmp_rsa",
782 .type = OPTION_DISCARD,
783 },
784 {
785 .name = "nocert",
786 .desc = "Don't use any certificates (Anon-DH)",
787 .type = OPTION_FLAG,
788 .opt.flag = &s_server_config.nocert,
789 },
790 {
791 .name = "pass",
792 .argname = "arg",
793 .desc = "Private key file pass phrase source",
794 .type = OPTION_ARG,
795 .opt.arg = &s_server_config.passarg,
796 },
797 {
798 .name = "port",
799 .argname = "port",
800 .type = OPTION_ARG_FUNC,
801 .opt.argfunc = s_server_opt_port,
802 },
803 {
804 .name = "quiet",
805 .desc = "Inhibit printing of session and certificate information",
806 .type = OPTION_FLAG,
807 .opt.flag = &s_server_config.s_quiet,
808 },
809 {
810 .name = "servername",
811 .argname = "name",
812 .desc = "Servername for HostName TLS extension",
813 .type = OPTION_ARG,
814 .opt.arg = &s_server_config.tlsextcbp.servername,
815 },
816 {
817 .name = "servername_fatal",
818 .desc = "On mismatch send fatal alert (default warning alert)",
819 .type = OPTION_VALUE,
820 .opt.value = &s_server_config.tlsextcbp.extension_error,
821 .value = SSL_TLSEXT_ERR_ALERT_FATAL,
822 },
823 {
824 .name = "serverpref",
825 .desc = "Use server's cipher preferences",
826 .type = OPTION_VALUE_OR,
827 .opt.value = &s_server_config.off,
828 .value = SSL_OP_CIPHER_SERVER_PREFERENCE,
829 },
830 {
831 .name = "state",
832 .desc = "Print the SSL states",
833 .type = OPTION_FLAG,
834 .opt.flag = &s_server_config.state,
835 },
836 {
837 .name = "status",
838 .desc = "Respond to certificate status requests",
839 .type = OPTION_FLAG,
840 .opt.flag = &s_server_config.s_tlsextstatus,
841 },
842 {
843 .name = "status_timeout",
844 .argname = "nsec",
845 .desc = "Status request responder timeout",
846 .type = OPTION_ARG_FUNC,
847 .opt.argfunc = s_server_opt_status_timeout,
848 },
849 {
850 .name = "status_url",
851 .argname = "url",
852 .desc = "Status request fallback URL",
853 .type = OPTION_ARG_FUNC,
854 .opt.argfunc = s_server_opt_status_url,
855 },
856 {
857 .name = "status_verbose",
858 .desc = "Enable status request verbose printout",
859 .type = OPTION_FUNC,
860 .opt.func = s_server_opt_status_verbose,
861 },
862#ifndef OPENSSL_NO_DTLS1
863 {
864 .name = "timeout",
865 .desc = "Enable timeouts",
866 .type = OPTION_FLAG,
867 .opt.flag = &s_server_config.enable_timeouts,
868 },
869#endif
870 {
871 .name = "tls1",
872 .desc = "Just talk TLSv1",
873 .type = OPTION_FUNC,
874 .opt.func = s_server_protocol_version_tls1,
875 },
876 {
877 .name = "tls1_1",
878 .desc = "Just talk TLSv1.1",
879 .type = OPTION_FUNC,
880 .opt.func = s_server_protocol_version_tls1_1,
881 },
882 {
883 .name = "tls1_2",
884 .desc = "Just talk TLSv1.2",
885 .type = OPTION_FUNC,
886 .opt.func = s_server_protocol_version_tls1_2,
887 },
888 {
889 .name = "tls1_3",
890 .desc = "Just talk TLSv1.3",
891 .type = OPTION_FUNC,
892 .opt.func = s_server_protocol_version_tls1_3,
893 },
894 {
895 .name = "tlsextdebug",
896 .desc = "Hex dump of all TLS extensions received",
897 .type = OPTION_FLAG,
898 .opt.flag = &s_server_config.s_tlsextdebug,
899 },
900#ifndef OPENSSL_NO_SRTP
901 {
902 .name = "use_srtp",
903 .argname = "profiles",
904 .desc = "Offer SRTP key management with a colon-separated profile list",
905 .type = OPTION_ARG,
906 .opt.arg = &s_server_config.srtp_profiles,
907 },
908#endif
909 {
910 .name = "Verify",
911 .argname = "depth",
912 .desc = "Turn on peer certificate verification, must have a cert",
913 .type = OPTION_ARG_FUNC,
914 .opt.argfunc = s_server_opt_verify_fail,
915 },
916 {
917 .name = "verify",
918 .argname = "depth",
919 .desc = "Turn on peer certificate verification",
920 .type = OPTION_ARG_FUNC,
921 .opt.argfunc = s_server_opt_verify,
922 },
923 {
924 .name = "verify_return_error",
925 .desc = "Return verification error",
926 .type = OPTION_FLAG,
927 .opt.flag = &verify_return_error,
928 },
929 {
930 .name = "WWW",
931 .desc = "Respond to a 'GET /<path> HTTP/1.0' with file ./<path>",
932 .type = OPTION_VALUE,
933 .opt.value = &s_server_config.www,
934 .value = 2,
935 },
936 {
937 .name = "www",
938 .desc = "Respond to a 'GET /' with a status page",
939 .type = OPTION_VALUE,
940 .opt.value = &s_server_config.www,
941 .value = 1,
942 },
943 {
944 .name = NULL,
945 .desc = "",
946 .type = OPTION_ARGV_FUNC,
947 .opt.argvfunc = s_server_opt_verify_param,
948 },
949 { NULL },
950};
238 951
239static void 952static void
240s_server_init(void) 953s_server_init(void)
241{ 954{
242 accept_socket = -1; 955 accept_socket = -1;
243 cipher = NULL; 956 s_server_config.cipher = NULL;
244 s_server_verify = SSL_VERIFY_NONE; 957 s_server_config.s_server_verify = SSL_VERIFY_NONE;
245 s_dcert_file = NULL; 958 s_server_config.s_dcert_file = NULL;
246 s_dkey_file = NULL; 959 s_server_config.s_dkey_file = NULL;
247 s_cert_file = TEST_CERT; 960 s_server_config.s_cert_file = TEST_CERT;
248 s_key_file = NULL; 961 s_server_config.s_key_file = NULL;
249 s_cert_file2 = TEST_CERT2; 962 s_server_config.s_cert_file2 = TEST_CERT2;
250 s_key_file2 = NULL; 963 s_server_config.s_key_file2 = NULL;
251 ctx2 = NULL; 964 ctx2 = NULL;
252 s_nbio = 0; 965 s_server_config.s_nbio = 0;
253 s_nbio_test = 0; 966 s_server_config.s_nbio_test = 0;
254 ctx = NULL; 967 ctx = NULL;
255 www = 0; 968 s_server_config.www = 0;
256 969
257 bio_s_out = NULL; 970 bio_s_out = NULL;
258 s_debug = 0; 971 s_server_config.s_debug = 0;
259 s_msg = 0; 972 s_server_config.s_msg = 0;
260 s_quiet = 0; 973 s_server_config.s_quiet = 0;
261} 974}
262 975
263static void 976static void
264sv_usage(void) 977sv_usage(void)
265{ 978{
266 BIO_printf(bio_err, "usage: s_server [args ...]\n"); 979 fprintf(stderr, "usage: s_server "
267 BIO_printf(bio_err, "\n"); 980 "[-accept port] [-alpn protocols] [-bugs] [-CAfile file]\n"
268 BIO_printf(bio_err, " -accept arg - port to accept on (default is %d)\n", PORT); 981 " [-CApath directory] [-cert file] [-cert2 file]\n"
269 BIO_printf(bio_err, " -context arg - set session ID context\n"); 982 " [-certform der | pem] [-cipher cipherlist]\n"
270 BIO_printf(bio_err, " -verify arg - turn on peer certificate verification\n"); 983 " [-context id] [-crl_check] [-crl_check_all] [-crlf]\n"
271 BIO_printf(bio_err, " -Verify arg - turn on peer certificate verification, must have a cert.\n"); 984 " [-dcert file] [-dcertform der | pem] [-debug]\n"
272 BIO_printf(bio_err, " -cert arg - certificate file to use\n"); 985 " [-dhparam file] [-dkey file] [-dkeyform der | pem]\n"
273 BIO_printf(bio_err, " (default is %s)\n", TEST_CERT); 986 " [-dpass arg] [-dtls1] [-groups list] [-HTTP]\n"
274 BIO_printf(bio_err, " -crl_check - check the peer certificate has not been revoked by its CA.\n" \ 987 " [-id_prefix arg] [-key keyfile] [-key2 keyfile]\n"
275 " The CRL(s) are appended to the certificate file\n"); 988 " [-keyform der | pem] [-keymatexport label]\n"
276 BIO_printf(bio_err, " -crl_check_all - check the peer certificate has not been revoked by its CA\n" \ 989 " [-keymatexportlen len] [-msg] [-mtu mtu]\n"
277 " or any other CRL in the CA chain. CRL(s) are appended to the\n" \ 990 " [-named_curve arg] [-nbio] [-nbio_test] [-no_cache]\n"
278 " the certificate file.\n"); 991 " [-no_dhe] [-no_ecdhe] [-no_ticket] [-no_tls1]\n"
279 BIO_printf(bio_err, " -certform arg - certificate format (PEM or DER) PEM default\n"); 992 " [-no_tls1_1] [-no_tls1_2] [-no_tls1_3] [-no_tmp_rsa]\n"
280 BIO_printf(bio_err, " -key arg - Private Key file to use, in cert file if\n"); 993 " [-nocert] [-pass arg] [-quiet] [-servername name]\n"
281 BIO_printf(bio_err, " not specified (default is %s)\n", TEST_CERT); 994 " [-servername_fatal] [-serverpref] [-state] [-status]\n"
282 BIO_printf(bio_err, " -keyform arg - key format (PEM or DER) PEM default\n"); 995 " [-status_timeout nsec] [-status_url url]\n"
283 BIO_printf(bio_err, " -pass arg - private key file pass phrase source\n"); 996 " [-status_verbose] [-timeout] [-tls1] [-tls1_1]\n"
284 BIO_printf(bio_err, " -dcert arg - second certificate file to use (usually for DSA)\n"); 997 " [-tls1_2] [-tls1_3] [-tlsextdebug] [-use_srtp profiles]\n"
285 BIO_printf(bio_err, " -dcertform x - second certificate format (PEM or DER) PEM default\n"); 998 " [-Verify depth] [-verify depth] [-verify_return_error]\n"
286 BIO_printf(bio_err, " -dkey arg - second private key file to use (usually for DSA)\n"); 999 " [-WWW] [-www]\n");
287 BIO_printf(bio_err, " -dkeyform arg - second key format (PEM or DER) PEM default\n"); 1000 fprintf(stderr, "\n");
288 BIO_printf(bio_err, " -dpass arg - second private key file pass phrase source\n"); 1001 options_usage(s_server_options);
289 BIO_printf(bio_err, " -dhparam arg - DH parameter file to use, in cert file if not specified\n"); 1002 fprintf(stderr, "\n");
290 BIO_printf(bio_err, " or a default set of parameters is used\n");
291 BIO_printf(bio_err, " -nbio - Run with non-blocking IO\n");
292 BIO_printf(bio_err, " -nbio_test - test with the non-blocking test bio\n");
293 BIO_printf(bio_err, " -crlf - convert LF from terminal into CRLF\n");
294 BIO_printf(bio_err, " -debug - Print more output\n");
295 BIO_printf(bio_err, " -msg - Show protocol messages\n");
296 BIO_printf(bio_err, " -state - Print the SSL states\n");
297 BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n");
298 BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n");
299 BIO_printf(bio_err, " -nocert - Don't use any certificates (Anon-DH)\n");
300 BIO_printf(bio_err, " -cipher arg - play with 'openssl ciphers' to see what goes here\n");
301 BIO_printf(bio_err, " -serverpref - Use server's cipher preferences\n");
302 BIO_printf(bio_err, " -quiet - Inhibit printing of session and certificate information\n");
303 BIO_printf(bio_err, " -tls1_3 - Just talk TLSv1.3\n");
304 BIO_printf(bio_err, " -tls1_2 - Just talk TLSv1.2\n");
305 BIO_printf(bio_err, " -tls1_1 - Just talk TLSv1.1\n");
306 BIO_printf(bio_err, " -tls1 - Just talk TLSv1\n");
307 BIO_printf(bio_err, " -dtls1 - Just talk DTLSv1\n");
308 BIO_printf(bio_err, " -timeout - Enable timeouts\n");
309 BIO_printf(bio_err, " -mtu - Set link layer MTU\n");
310 BIO_printf(bio_err, " -chain - Read a certificate chain\n");
311 BIO_printf(bio_err, " -no_ssl2 - Just disable SSLv2\n");
312 BIO_printf(bio_err, " -no_ssl3 - Just disable SSLv3\n");
313 BIO_printf(bio_err, " -no_tls1 - Just disable TLSv1\n");
314 BIO_printf(bio_err, " -no_tls1_1 - Just disable TLSv1.1\n");
315 BIO_printf(bio_err, " -no_tls1_2 - Just disable TLSv1.2\n");
316 BIO_printf(bio_err, " -no_tls1_3 - Just disable TLSv1.3\n");
317#ifndef OPENSSL_NO_DH
318 BIO_printf(bio_err, " -no_dhe - Disable ephemeral DH\n");
319#endif
320 BIO_printf(bio_err, " -no_ecdhe - Disable ephemeral ECDH\n");
321 BIO_printf(bio_err, " -bugs - Turn on SSL bug compatibility\n");
322 BIO_printf(bio_err, " -www - Respond to a 'GET /' with a status page\n");
323 BIO_printf(bio_err, " -WWW - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>\n");
324 BIO_printf(bio_err, " -HTTP - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>\n");
325 BIO_printf(bio_err, " with the assumption it contains a complete HTTP response.\n");
326 BIO_printf(bio_err, " -id_prefix arg - Generate SSL/TLS session IDs prefixed by 'arg'\n");
327 BIO_printf(bio_err, " -servername host - servername for HostName TLS extension\n");
328 BIO_printf(bio_err, " -servername_fatal - on mismatch send fatal alert (default warning alert)\n");
329 BIO_printf(bio_err, " -cert2 arg - certificate file to use for servername\n");
330 BIO_printf(bio_err, " (default is %s)\n", TEST_CERT2);
331 BIO_printf(bio_err, " -key2 arg - Private Key file to use for servername, in cert file if\n");
332 BIO_printf(bio_err, " not specified (default is %s)\n", TEST_CERT2);
333 BIO_printf(bio_err, " -tlsextdebug - hex dump of all TLS extensions received\n");
334 BIO_printf(bio_err, " -no_ticket - disable use of RFC4507bis session tickets\n");
335 BIO_printf(bio_err, " -alpn arg - set the advertised protocols for the ALPN extension (comma-separated list)\n");
336 BIO_printf(bio_err, " -groups arg - specify EC groups (colon-separated list)\n");
337#ifndef OPENSSL_NO_SRTP
338 BIO_printf(bio_err, " -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n");
339#endif
340 BIO_printf(bio_err, " -keymatexport label - Export keying material using label\n");
341 BIO_printf(bio_err, " -keymatexportlen len - Export len bytes of keying material (default 20)\n");
342} 1003}
343 1004
344static int local_argc = 0; 1005static int local_argc = 0;
345static char **local_argv; 1006static char **local_argv;
346 1007
347
348/* This is a context that we pass to callbacks */
349typedef struct tlsextctx_st {
350 char *servername;
351 BIO *biodebug;
352 int extension_error;
353} tlsextctx;
354
355
356static int 1008static int
357ssl_servername_cb(SSL * s, int *ad, void *arg) 1009ssl_servername_cb(SSL * s, int *ad, void *arg)
358{ 1010{
@@ -375,19 +1027,6 @@ ssl_servername_cb(SSL * s, int *ad, void *arg)
375 return SSL_TLSEXT_ERR_OK; 1027 return SSL_TLSEXT_ERR_OK;
376} 1028}
377 1029
378/* Structure passed to cert status callback */
379
380typedef struct tlsextstatusctx_st {
381 /* Default responder to use */
382 char *host, *path, *port;
383 int use_ssl;
384 int timeout;
385 BIO *err;
386 int verbose;
387} tlsextstatusctx;
388
389static tlsextstatusctx tlscstatp = {NULL, NULL, NULL, 0, -1, NULL, 0};
390
391/* Certificate Status callback. This is called when a client includes a 1030/* Certificate Status callback. This is called when a client includes a
392 * certificate status request extension. 1031 * certificate status request extension.
393 * 1032 *
@@ -520,7 +1159,7 @@ alpn_cb(SSL *s, const unsigned char **out, unsigned char *outlen,
520{ 1159{
521 tlsextalpnctx *alpn_ctx = arg; 1160 tlsextalpnctx *alpn_ctx = arg;
522 1161
523 if (!s_quiet) { 1162 if (!s_server_config.s_quiet) {
524 /* We can assume that in is syntactically valid. */ 1163 /* We can assume that in is syntactically valid. */
525 unsigned i; 1164 unsigned i;
526 1165
@@ -539,7 +1178,7 @@ alpn_cb(SSL *s, const unsigned char **out, unsigned char *outlen,
539 alpn_ctx->len, in, inlen) != OPENSSL_NPN_NEGOTIATED) 1178 alpn_ctx->len, in, inlen) != OPENSSL_NPN_NEGOTIATED)
540 return (SSL_TLSEXT_ERR_NOACK); 1179 return (SSL_TLSEXT_ERR_NOACK);
541 1180
542 if (!s_quiet) { 1181 if (!s_server_config.s_quiet) {
543 BIO_printf(bio_s_out, "ALPN protocols selected: "); 1182 BIO_printf(bio_s_out, "ALPN protocols selected: ");
544 BIO_write(bio_s_out, *out, *outlen); 1183 BIO_write(bio_s_out, *out, *outlen);
545 BIO_write(bio_s_out, "\n", 1); 1184 BIO_write(bio_s_out, "\n", 1);
@@ -548,42 +1187,18 @@ alpn_cb(SSL *s, const unsigned char **out, unsigned char *outlen,
548 return (SSL_TLSEXT_ERR_OK); 1187 return (SSL_TLSEXT_ERR_OK);
549} 1188}
550 1189
551#ifndef OPENSSL_NO_SRTP
552static char *srtp_profiles = NULL;
553#endif
554
555int 1190int
556s_server_main(int argc, char *argv[]) 1191s_server_main(int argc, char *argv[])
557{ 1192{
558 X509_VERIFY_PARAM *vpm = NULL; 1193 int badop = 0;
559 int badarg = 0;
560 short port = PORT;
561 char *CApath = NULL, *CAfile = NULL;
562 unsigned char *context = NULL;
563 char *dhfile = NULL;
564 char *named_curve = NULL;
565 int badop = 0, bugs = 0;
566 int ret = 1; 1194 int ret = 1;
567 int off = 0; 1195 char *pass = NULL;
568 int no_dhe = 0, no_ecdhe = 0, nocert = 0; 1196 char *dpass = NULL;
569 int state = 0;
570 const SSL_METHOD *meth = NULL;
571 int socket_type = SOCK_STREAM;
572 int s_cert_format = FORMAT_PEM, s_key_format = FORMAT_PEM;
573 char *passarg = NULL, *pass = NULL;
574 char *dpassarg = NULL, *dpass = NULL;
575 int s_dcert_format = FORMAT_PEM, s_dkey_format = FORMAT_PEM;
576 X509 *s_cert = NULL, *s_dcert = NULL; 1197 X509 *s_cert = NULL, *s_dcert = NULL;
577 EVP_PKEY *s_key = NULL, *s_dkey = NULL; 1198 EVP_PKEY *s_key = NULL, *s_dkey = NULL;
578 int no_cache = 0;
579 const char *errstr = NULL;
580 EVP_PKEY *s_key2 = NULL; 1199 EVP_PKEY *s_key2 = NULL;
581 X509 *s_cert2 = NULL; 1200 X509 *s_cert2 = NULL;
582 tlsextctx tlsextcbp = {NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING};
583 const char *alpn_in = NULL;
584 const char *groups_in = NULL;
585 tlsextalpnctx alpn_ctx = { NULL, 0 }; 1201 tlsextalpnctx alpn_ctx = { NULL, 0 };
586 uint16_t min_version = 0, max_version = 0;
587 1202
588 if (single_execution) { 1203 if (single_execution) {
589 if (pledge("stdio rpath inet dns tty", NULL) == -1) { 1204 if (pledge("stdio rpath inet dns tty", NULL) == -1) {
@@ -592,7 +1207,20 @@ s_server_main(int argc, char *argv[])
592 } 1207 }
593 } 1208 }
594 1209
595 meth = TLS_server_method(); 1210 memset(&s_server_config, 0, sizeof(s_server_config));
1211 s_server_config.keymatexportlen = 20;
1212 s_server_config.meth = TLS_server_method();
1213 s_server_config.port = PORT;
1214 s_server_config.s_cert_file = TEST_CERT;
1215 s_server_config.s_cert_file2 = TEST_CERT2;
1216 s_server_config.s_cert_format = FORMAT_PEM;
1217 s_server_config.s_dcert_format = FORMAT_PEM;
1218 s_server_config.s_dkey_format = FORMAT_PEM;
1219 s_server_config.s_key_format = FORMAT_PEM;
1220 s_server_config.s_server_verify = SSL_VERIFY_NONE;
1221 s_server_config.socket_type = SOCK_STREAM;
1222 s_server_config.tlscstatp.timeout = -1;
1223 s_server_config.tlsextcbp.extension_error = SSL_TLSEXT_ERR_ALERT_WARNING;
596 1224
597 local_argc = argc; 1225 local_argc = argc;
598 local_argv = argv; 1226 local_argv = argv;
@@ -600,316 +1228,49 @@ s_server_main(int argc, char *argv[])
600 s_server_init(); 1228 s_server_init();
601 1229
602 verify_depth = 0; 1230 verify_depth = 0;
603 s_nbio = 0; 1231
604 s_nbio_test = 0; 1232 if (options_parse(argc, argv, s_server_options, NULL, NULL) != 0) {
605 1233 badop = 1;
606 argc--; 1234 goto bad;
607 argv++;
608
609 while (argc >= 1) {
610 if ((strcmp(*argv, "-port") == 0) ||
611 (strcmp(*argv, "-accept") == 0)) {
612 if (--argc < 1)
613 goto bad;
614 if (!extract_port(*(++argv), &port))
615 goto bad;
616 } else if (strcmp(*argv, "-verify") == 0) {
617 s_server_verify = SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
618 if (--argc < 1)
619 goto bad;
620 verify_depth = strtonum(*(++argv), 0, INT_MAX, &errstr);
621 if (errstr)
622 goto bad;
623 BIO_printf(bio_err, "verify depth is %d\n", verify_depth);
624 } else if (strcmp(*argv, "-Verify") == 0) {
625 s_server_verify = SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT |
626 SSL_VERIFY_CLIENT_ONCE;
627 if (--argc < 1)
628 goto bad;
629 verify_depth = strtonum(*(++argv), 0, INT_MAX, &errstr);
630 if (errstr)
631 goto bad;
632 BIO_printf(bio_err, "verify depth is %d, must return a certificate\n", verify_depth);
633 } else if (strcmp(*argv, "-context") == 0) {
634 if (--argc < 1)
635 goto bad;
636 context = (unsigned char *) *(++argv);
637 } else if (strcmp(*argv, "-cert") == 0) {
638 if (--argc < 1)
639 goto bad;
640 s_cert_file = *(++argv);
641 } else if (strcmp(*argv, "-certform") == 0) {
642 if (--argc < 1)
643 goto bad;
644 s_cert_format = str2fmt(*(++argv));
645 } else if (strcmp(*argv, "-key") == 0) {
646 if (--argc < 1)
647 goto bad;
648 s_key_file = *(++argv);
649 } else if (strcmp(*argv, "-keyform") == 0) {
650 if (--argc < 1)
651 goto bad;
652 s_key_format = str2fmt(*(++argv));
653 } else if (strcmp(*argv, "-pass") == 0) {
654 if (--argc < 1)
655 goto bad;
656 passarg = *(++argv);
657 } else if (strcmp(*argv, "-dhparam") == 0) {
658 if (--argc < 1)
659 goto bad;
660 dhfile = *(++argv);
661 } else if (strcmp(*argv, "-named_curve") == 0) {
662 if (--argc < 1)
663 goto bad;
664 named_curve = *(++argv);
665 } else if (strcmp(*argv, "-dcertform") == 0) {
666 if (--argc < 1)
667 goto bad;
668 s_dcert_format = str2fmt(*(++argv));
669 } else if (strcmp(*argv, "-dcert") == 0) {
670 if (--argc < 1)
671 goto bad;
672 s_dcert_file = *(++argv);
673 } else if (strcmp(*argv, "-dkeyform") == 0) {
674 if (--argc < 1)
675 goto bad;
676 s_dkey_format = str2fmt(*(++argv));
677 } else if (strcmp(*argv, "-dpass") == 0) {
678 if (--argc < 1)
679 goto bad;
680 dpassarg = *(++argv);
681 } else if (strcmp(*argv, "-dkey") == 0) {
682 if (--argc < 1)
683 goto bad;
684 s_dkey_file = *(++argv);
685 } else if (strcmp(*argv, "-nocert") == 0) {
686 nocert = 1;
687 } else if (strcmp(*argv, "-CApath") == 0) {
688 if (--argc < 1)
689 goto bad;
690 CApath = *(++argv);
691 } else if (strcmp(*argv, "-no_cache") == 0)
692 no_cache = 1;
693 else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm)) {
694 if (badarg)
695 goto bad;
696 continue;
697 } else if (strcmp(*argv, "-verify_return_error") == 0)
698 verify_return_error = 1;
699 else if (strcmp(*argv, "-serverpref") == 0) {
700 off |= SSL_OP_CIPHER_SERVER_PREFERENCE;
701 } else if (strcmp(*argv, "-legacy_renegotiation") == 0)
702 ; /* no-op */
703 else if (strcmp(*argv, "-cipher") == 0) {
704 if (--argc < 1)
705 goto bad;
706 cipher = *(++argv);
707 } else if (strcmp(*argv, "-CAfile") == 0) {
708 if (--argc < 1)
709 goto bad;
710 CAfile = *(++argv);
711 }
712 else if (strcmp(*argv, "-nbio") == 0) {
713 s_nbio = 1;
714 }
715 else if (strcmp(*argv, "-nbio_test") == 0) {
716 s_nbio = 1;
717 s_nbio_test = 1;
718 } else if (strcmp(*argv, "-debug") == 0) {
719 s_debug = 1;
720 }
721 else if (strcmp(*argv, "-tlsextdebug") == 0)
722 s_tlsextdebug = 1;
723 else if (strcmp(*argv, "-status") == 0)
724 s_tlsextstatus = 1;
725 else if (strcmp(*argv, "-status_verbose") == 0) {
726 s_tlsextstatus = 1;
727 tlscstatp.verbose = 1;
728 } else if (!strcmp(*argv, "-status_timeout")) {
729 s_tlsextstatus = 1;
730 if (--argc < 1)
731 goto bad;
732 tlscstatp.timeout = strtonum(*(++argv), 0, INT_MAX, &errstr);
733 if (errstr)
734 goto bad;
735 } else if (!strcmp(*argv, "-status_url")) {
736 s_tlsextstatus = 1;
737 if (--argc < 1)
738 goto bad;
739 if (!OCSP_parse_url(*(++argv),
740 &tlscstatp.host,
741 &tlscstatp.port,
742 &tlscstatp.path,
743 &tlscstatp.use_ssl)) {
744 BIO_printf(bio_err, "Error parsing URL\n");
745 goto bad;
746 }
747 }
748 else if (strcmp(*argv, "-msg") == 0) {
749 s_msg = 1;
750 } else if (strcmp(*argv, "-state") == 0) {
751 state = 1;
752 } else if (strcmp(*argv, "-crlf") == 0) {
753 s_crlf = 1;
754 } else if (strcmp(*argv, "-quiet") == 0) {
755 s_quiet = 1;
756 } else if (strcmp(*argv, "-bugs") == 0) {
757 bugs = 1;
758 } else if (strcmp(*argv, "-no_tmp_rsa") == 0) {
759 /* No-op. */
760 } else if (strcmp(*argv, "-no_dhe") == 0) {
761 no_dhe = 1;
762 } else if (strcmp(*argv, "-no_ecdhe") == 0) {
763 no_ecdhe = 1;
764 } else if (strcmp(*argv, "-www") == 0) {
765 www = 1;
766 } else if (strcmp(*argv, "-WWW") == 0) {
767 www = 2;
768 } else if (strcmp(*argv, "-HTTP") == 0) {
769 www = 3;
770 } else if (strcmp(*argv, "-no_ssl2") == 0) {
771 off |= SSL_OP_NO_SSLv2;
772 } else if (strcmp(*argv, "-no_ssl3") == 0) {
773 off |= SSL_OP_NO_SSLv3;
774 } else if (strcmp(*argv, "-no_tls1") == 0) {
775 off |= SSL_OP_NO_TLSv1;
776 } else if (strcmp(*argv, "-no_tls1_1") == 0) {
777 off |= SSL_OP_NO_TLSv1_1;
778 } else if (strcmp(*argv, "-no_tls1_2") == 0) {
779 off |= SSL_OP_NO_TLSv1_2;
780 } else if (strcmp(*argv, "-no_tls1_3") == 0) {
781 off |= SSL_OP_NO_TLSv1_3;
782 } else if (strcmp(*argv, "-no_comp") == 0) {
783 off |= SSL_OP_NO_COMPRESSION;
784 } else if (strcmp(*argv, "-no_ticket") == 0) {
785 off |= SSL_OP_NO_TICKET;
786 } else if (strcmp(*argv, "-tls1") == 0) {
787 min_version = TLS1_VERSION;
788 max_version = TLS1_VERSION;
789 } else if (strcmp(*argv, "-tls1_1") == 0) {
790 min_version = TLS1_1_VERSION;
791 max_version = TLS1_1_VERSION;
792 } else if (strcmp(*argv, "-tls1_2") == 0) {
793 min_version = TLS1_2_VERSION;
794 max_version = TLS1_2_VERSION;
795 } else if (strcmp(*argv, "-tls1_3") == 0) {
796 min_version = TLS1_3_VERSION;
797 max_version = TLS1_3_VERSION;
798 }
799#ifndef OPENSSL_NO_DTLS1
800 else if (strcmp(*argv, "-dtls1") == 0) {
801 meth = DTLS_server_method();
802 socket_type = SOCK_DGRAM;
803 } else if (strcmp(*argv, "-timeout") == 0)
804 enable_timeouts = 1;
805 else if (strcmp(*argv, "-mtu") == 0) {
806 if (--argc < 1)
807 goto bad;
808 socket_mtu = strtonum(*(++argv), 0, LONG_MAX, &errstr);
809 if (errstr)
810 goto bad;
811 } else if (strcmp(*argv, "-chain") == 0)
812 cert_chain = 1;
813#endif
814 else if (strcmp(*argv, "-id_prefix") == 0) {
815 if (--argc < 1)
816 goto bad;
817 session_id_prefix = *(++argv);
818 }
819 else if (strcmp(*argv, "-servername") == 0) {
820 if (--argc < 1)
821 goto bad;
822 tlsextcbp.servername = *(++argv);
823 } else if (strcmp(*argv, "-servername_fatal") == 0) {
824 tlsextcbp.extension_error = SSL_TLSEXT_ERR_ALERT_FATAL;
825 } else if (strcmp(*argv, "-cert2") == 0) {
826 if (--argc < 1)
827 goto bad;
828 s_cert_file2 = *(++argv);
829 } else if (strcmp(*argv, "-key2") == 0) {
830 if (--argc < 1)
831 goto bad;
832 s_key_file2 = *(++argv);
833 } else if (strcmp(*argv, "-nextprotoneg") == 0) {
834 /* Ignored. */
835 if (--argc < 1)
836 goto bad;
837 ++argv;
838 } else if (strcmp(*argv,"-alpn") == 0) {
839 if (--argc < 1)
840 goto bad;
841 alpn_in = *(++argv);
842 } else if (strcmp(*argv, "-groups") == 0) {
843 if (--argc < 1)
844 goto bad;
845 groups_in = *(++argv);
846 }
847#ifndef OPENSSL_NO_SRTP
848 else if (strcmp(*argv, "-use_srtp") == 0) {
849 if (--argc < 1)
850 goto bad;
851 srtp_profiles = *(++argv);
852 }
853#endif
854 else if (strcmp(*argv, "-keymatexport") == 0) {
855 if (--argc < 1)
856 goto bad;
857 keymatexportlabel = *(++argv);
858 } else if (strcmp(*argv, "-keymatexportlen") == 0) {
859 if (--argc < 1)
860 goto bad;
861 keymatexportlen = strtonum(*(++argv), 1, INT_MAX, &errstr);
862 if (errstr)
863 goto bad;
864 } else {
865 BIO_printf(bio_err, "unknown option %s\n", *argv);
866 badop = 1;
867 break;
868 }
869 argc--;
870 argv++;
871 } 1235 }
872 if (badop) { 1236 if (badop) {
873 bad: 1237 bad:
874 if (errstr) 1238 if (s_server_config.errstr == NULL)
875 BIO_printf(bio_err, "invalid argument %s: %s\n",
876 *argv, errstr);
877 else
878 sv_usage(); 1239 sv_usage();
879 goto end; 1240 goto end;
880 } 1241 }
881 1242
882 if (!app_passwd(bio_err, passarg, dpassarg, &pass, &dpass)) { 1243 if (!app_passwd(bio_err, s_server_config.passarg, s_server_config.dpassarg, &pass, &dpass)) {
883 BIO_printf(bio_err, "Error getting password\n"); 1244 BIO_printf(bio_err, "Error getting password\n");
884 goto end; 1245 goto end;
885 } 1246 }
886 if (s_key_file == NULL) 1247 if (s_server_config.s_key_file == NULL)
887 s_key_file = s_cert_file; 1248 s_server_config.s_key_file = s_server_config.s_cert_file;
888 if (s_key_file2 == NULL) 1249 if (s_server_config.s_key_file2 == NULL)
889 s_key_file2 = s_cert_file2; 1250 s_server_config.s_key_file2 = s_server_config.s_cert_file2;
890 1251
891 if (nocert == 0) { 1252 if (s_server_config.nocert == 0) {
892 s_key = load_key(bio_err, s_key_file, s_key_format, 0, pass, 1253 s_key = load_key(bio_err, s_server_config.s_key_file, s_server_config.s_key_format, 0, pass,
893 "server certificate private key file"); 1254 "server certificate private key file");
894 if (!s_key) { 1255 if (!s_key) {
895 ERR_print_errors(bio_err); 1256 ERR_print_errors(bio_err);
896 goto end; 1257 goto end;
897 } 1258 }
898 s_cert = load_cert(bio_err, s_cert_file, s_cert_format, 1259 s_cert = load_cert(bio_err, s_server_config.s_cert_file, s_server_config.s_cert_format,
899 NULL, "server certificate file"); 1260 NULL, "server certificate file");
900 1261
901 if (!s_cert) { 1262 if (!s_cert) {
902 ERR_print_errors(bio_err); 1263 ERR_print_errors(bio_err);
903 goto end; 1264 goto end;
904 } 1265 }
905 if (tlsextcbp.servername) { 1266 if (s_server_config.tlsextcbp.servername) {
906 s_key2 = load_key(bio_err, s_key_file2, s_key_format, 0, pass, 1267 s_key2 = load_key(bio_err, s_server_config.s_key_file2, s_server_config.s_key_format, 0, pass,
907 "second server certificate private key file"); 1268 "second server certificate private key file");
908 if (!s_key2) { 1269 if (!s_key2) {
909 ERR_print_errors(bio_err); 1270 ERR_print_errors(bio_err);
910 goto end; 1271 goto end;
911 } 1272 }
912 s_cert2 = load_cert(bio_err, s_cert_file2, s_cert_format, 1273 s_cert2 = load_cert(bio_err, s_server_config.s_cert_file2, s_server_config.s_cert_format,
913 NULL, "second server certificate file"); 1274 NULL, "second server certificate file");
914 1275
915 if (!s_cert2) { 1276 if (!s_cert2) {
@@ -919,26 +1280,26 @@ s_server_main(int argc, char *argv[])
919 } 1280 }
920 } 1281 }
921 alpn_ctx.data = NULL; 1282 alpn_ctx.data = NULL;
922 if (alpn_in) { 1283 if (s_server_config.alpn_in) {
923 unsigned short len; 1284 unsigned short len;
924 alpn_ctx.data = next_protos_parse(&len, alpn_in); 1285 alpn_ctx.data = next_protos_parse(&len, s_server_config.alpn_in);
925 if (alpn_ctx.data == NULL) 1286 if (alpn_ctx.data == NULL)
926 goto end; 1287 goto end;
927 alpn_ctx.len = len; 1288 alpn_ctx.len = len;
928 } 1289 }
929 1290
930 if (s_dcert_file) { 1291 if (s_server_config.s_dcert_file) {
931 1292
932 if (s_dkey_file == NULL) 1293 if (s_server_config.s_dkey_file == NULL)
933 s_dkey_file = s_dcert_file; 1294 s_server_config.s_dkey_file = s_server_config.s_dcert_file;
934 1295
935 s_dkey = load_key(bio_err, s_dkey_file, s_dkey_format, 1296 s_dkey = load_key(bio_err, s_server_config.s_dkey_file, s_server_config.s_dkey_format,
936 0, dpass, "second certificate private key file"); 1297 0, dpass, "second certificate private key file");
937 if (!s_dkey) { 1298 if (!s_dkey) {
938 ERR_print_errors(bio_err); 1299 ERR_print_errors(bio_err);
939 goto end; 1300 goto end;
940 } 1301 }
941 s_dcert = load_cert(bio_err, s_dcert_file, s_dcert_format, 1302 s_dcert = load_cert(bio_err, s_server_config.s_dcert_file, s_server_config.s_dcert_format,
942 NULL, "second server certificate file"); 1303 NULL, "second server certificate file");
943 1304
944 if (!s_dcert) { 1305 if (!s_dcert) {
@@ -947,22 +1308,22 @@ s_server_main(int argc, char *argv[])
947 } 1308 }
948 } 1309 }
949 if (bio_s_out == NULL) { 1310 if (bio_s_out == NULL) {
950 if (s_quiet && !s_debug && !s_msg) { 1311 if (s_server_config.s_quiet && !s_server_config.s_debug && !s_server_config.s_msg) {
951 bio_s_out = BIO_new(BIO_s_null()); 1312 bio_s_out = BIO_new(BIO_s_null());
952 } else { 1313 } else {
953 if (bio_s_out == NULL) 1314 if (bio_s_out == NULL)
954 bio_s_out = BIO_new_fp(stdout, BIO_NOCLOSE); 1315 bio_s_out = BIO_new_fp(stdout, BIO_NOCLOSE);
955 } 1316 }
956 } 1317 }
957 if (nocert) { 1318 if (s_server_config.nocert) {
958 s_cert_file = NULL; 1319 s_server_config.s_cert_file = NULL;
959 s_key_file = NULL; 1320 s_server_config.s_key_file = NULL;
960 s_dcert_file = NULL; 1321 s_server_config.s_dcert_file = NULL;
961 s_dkey_file = NULL; 1322 s_server_config.s_dkey_file = NULL;
962 s_cert_file2 = NULL; 1323 s_server_config.s_cert_file2 = NULL;
963 s_key_file2 = NULL; 1324 s_server_config.s_key_file2 = NULL;
964 } 1325 }
965 ctx = SSL_CTX_new(meth); 1326 ctx = SSL_CTX_new(s_server_config.meth);
966 if (ctx == NULL) { 1327 if (ctx == NULL) {
967 ERR_print_errors(bio_err); 1328 ERR_print_errors(bio_err);
968 goto end; 1329 goto end;
@@ -970,16 +1331,16 @@ s_server_main(int argc, char *argv[])
970 1331
971 SSL_CTX_clear_mode(ctx, SSL_MODE_AUTO_RETRY); 1332 SSL_CTX_clear_mode(ctx, SSL_MODE_AUTO_RETRY);
972 1333
973 if (!SSL_CTX_set_min_proto_version(ctx, min_version)) 1334 if (!SSL_CTX_set_min_proto_version(ctx, s_server_config.min_version))
974 goto end; 1335 goto end;
975 if (!SSL_CTX_set_max_proto_version(ctx, max_version)) 1336 if (!SSL_CTX_set_max_proto_version(ctx, s_server_config.max_version))
976 goto end; 1337 goto end;
977 1338
978 if (session_id_prefix) { 1339 if (s_server_config.session_id_prefix) {
979 if (strlen(session_id_prefix) >= 32) 1340 if (strlen(s_server_config.session_id_prefix) >= 32)
980 BIO_printf(bio_err, 1341 BIO_printf(bio_err,
981 "warning: id_prefix is too long, only one new session will be possible\n"); 1342 "warning: id_prefix is too long, only one new session will be possible\n");
982 else if (strlen(session_id_prefix) >= 16) 1343 else if (strlen(s_server_config.session_id_prefix) >= 16)
983 BIO_printf(bio_err, 1344 BIO_printf(bio_err,
984 "warning: id_prefix is too long if you use SSLv2\n"); 1345 "warning: id_prefix is too long if you use SSLv2\n");
985 if (!SSL_CTX_set_generate_session_id(ctx, generate_session_id)) { 1346 if (!SSL_CTX_set_generate_session_id(ctx, generate_session_id)) {
@@ -987,62 +1348,62 @@ s_server_main(int argc, char *argv[])
987 ERR_print_errors(bio_err); 1348 ERR_print_errors(bio_err);
988 goto end; 1349 goto end;
989 } 1350 }
990 BIO_printf(bio_err, "id_prefix '%s' set.\n", session_id_prefix); 1351 BIO_printf(bio_err, "id_prefix '%s' set.\n", s_server_config.session_id_prefix);
991 } 1352 }
992 SSL_CTX_set_quiet_shutdown(ctx, 1); 1353 SSL_CTX_set_quiet_shutdown(ctx, 1);
993 if (bugs) 1354 if (s_server_config.bugs)
994 SSL_CTX_set_options(ctx, SSL_OP_ALL); 1355 SSL_CTX_set_options(ctx, SSL_OP_ALL);
995 SSL_CTX_set_options(ctx, off); 1356 SSL_CTX_set_options(ctx, s_server_config.off);
996 /* 1357 /*
997 * DTLS: partial reads end up discarding unread UDP bytes :-( Setting 1358 * DTLS: partial reads end up discarding unread UDP bytes :-( Setting
998 * read ahead solves this problem. 1359 * read ahead solves this problem.
999 */ 1360 */
1000 if (socket_type == SOCK_DGRAM) 1361 if (s_server_config.socket_type == SOCK_DGRAM)
1001 SSL_CTX_set_read_ahead(ctx, 1); 1362 SSL_CTX_set_read_ahead(ctx, 1);
1002 1363
1003 if (state) 1364 if (s_server_config.state)
1004 SSL_CTX_set_info_callback(ctx, apps_ssl_info_callback); 1365 SSL_CTX_set_info_callback(ctx, apps_ssl_info_callback);
1005 if (no_cache) 1366 if (s_server_config.no_cache)
1006 SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); 1367 SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
1007 else 1368 else
1008 SSL_CTX_sess_set_cache_size(ctx, 128); 1369 SSL_CTX_sess_set_cache_size(ctx, 128);
1009 1370
1010#ifndef OPENSSL_NO_SRTP 1371#ifndef OPENSSL_NO_SRTP
1011 if (srtp_profiles != NULL) 1372 if (s_server_config.srtp_profiles != NULL)
1012 SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles); 1373 SSL_CTX_set_tlsext_use_srtp(ctx, s_server_config.srtp_profiles);
1013#endif 1374#endif
1014 1375
1015 1376
1016 if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) || 1377 if ((!SSL_CTX_load_verify_locations(ctx, s_server_config.CAfile, s_server_config.CApath)) ||
1017 (!SSL_CTX_set_default_verify_paths(ctx))) { 1378 (!SSL_CTX_set_default_verify_paths(ctx))) {
1018 /* BIO_printf(bio_err,"X509_load_verify_locations\n"); */ 1379 /* BIO_printf(bio_err,"X509_load_verify_locations\n"); */
1019 ERR_print_errors(bio_err); 1380 ERR_print_errors(bio_err);
1020 /* goto end; */ 1381 /* goto end; */
1021 } 1382 }
1022 if (vpm) 1383 if (s_server_config.vpm)
1023 SSL_CTX_set1_param(ctx, vpm); 1384 SSL_CTX_set1_param(ctx, s_server_config.vpm);
1024 1385
1025 if (s_cert2) { 1386 if (s_cert2) {
1026 ctx2 = SSL_CTX_new(meth); 1387 ctx2 = SSL_CTX_new(s_server_config.meth);
1027 if (ctx2 == NULL) { 1388 if (ctx2 == NULL) {
1028 ERR_print_errors(bio_err); 1389 ERR_print_errors(bio_err);
1029 goto end; 1390 goto end;
1030 } 1391 }
1031 1392
1032 if (!SSL_CTX_set_min_proto_version(ctx2, min_version)) 1393 if (!SSL_CTX_set_min_proto_version(ctx2, s_server_config.min_version))
1033 goto end; 1394 goto end;
1034 if (!SSL_CTX_set_max_proto_version(ctx2, max_version)) 1395 if (!SSL_CTX_set_max_proto_version(ctx2, s_server_config.max_version))
1035 goto end; 1396 goto end;
1036 SSL_CTX_clear_mode(ctx2, SSL_MODE_AUTO_RETRY); 1397 SSL_CTX_clear_mode(ctx2, SSL_MODE_AUTO_RETRY);
1037 } 1398 }
1038 if (ctx2) { 1399 if (ctx2) {
1039 BIO_printf(bio_s_out, "Setting secondary ctx parameters\n"); 1400 BIO_printf(bio_s_out, "Setting secondary ctx parameters\n");
1040 1401
1041 if (session_id_prefix) { 1402 if (s_server_config.session_id_prefix) {
1042 if (strlen(session_id_prefix) >= 32) 1403 if (strlen(s_server_config.session_id_prefix) >= 32)
1043 BIO_printf(bio_err, 1404 BIO_printf(bio_err,
1044 "warning: id_prefix is too long, only one new session will be possible\n"); 1405 "warning: id_prefix is too long, only one new session will be possible\n");
1045 else if (strlen(session_id_prefix) >= 16) 1406 else if (strlen(s_server_config.session_id_prefix) >= 16)
1046 BIO_printf(bio_err, 1407 BIO_printf(bio_err,
1047 "warning: id_prefix is too long if you use SSLv2\n"); 1408 "warning: id_prefix is too long if you use SSLv2\n");
1048 if (!SSL_CTX_set_generate_session_id(ctx2, generate_session_id)) { 1409 if (!SSL_CTX_set_generate_session_id(ctx2, generate_session_id)) {
@@ -1050,53 +1411,53 @@ s_server_main(int argc, char *argv[])
1050 ERR_print_errors(bio_err); 1411 ERR_print_errors(bio_err);
1051 goto end; 1412 goto end;
1052 } 1413 }
1053 BIO_printf(bio_err, "id_prefix '%s' set.\n", session_id_prefix); 1414 BIO_printf(bio_err, "id_prefix '%s' set.\n", s_server_config.session_id_prefix);
1054 } 1415 }
1055 SSL_CTX_set_quiet_shutdown(ctx2, 1); 1416 SSL_CTX_set_quiet_shutdown(ctx2, 1);
1056 if (bugs) 1417 if (s_server_config.bugs)
1057 SSL_CTX_set_options(ctx2, SSL_OP_ALL); 1418 SSL_CTX_set_options(ctx2, SSL_OP_ALL);
1058 SSL_CTX_set_options(ctx2, off); 1419 SSL_CTX_set_options(ctx2, s_server_config.off);
1059 /* 1420 /*
1060 * DTLS: partial reads end up discarding unread UDP bytes :-( 1421 * DTLS: partial reads end up discarding unread UDP bytes :-(
1061 * Setting read ahead solves this problem. 1422 * Setting read ahead solves this problem.
1062 */ 1423 */
1063 if (socket_type == SOCK_DGRAM) 1424 if (s_server_config.socket_type == SOCK_DGRAM)
1064 SSL_CTX_set_read_ahead(ctx2, 1); 1425 SSL_CTX_set_read_ahead(ctx2, 1);
1065 1426
1066 if (state) 1427 if (s_server_config.state)
1067 SSL_CTX_set_info_callback(ctx2, apps_ssl_info_callback); 1428 SSL_CTX_set_info_callback(ctx2, apps_ssl_info_callback);
1068 1429
1069 if (no_cache) 1430 if (s_server_config.no_cache)
1070 SSL_CTX_set_session_cache_mode(ctx2, SSL_SESS_CACHE_OFF); 1431 SSL_CTX_set_session_cache_mode(ctx2, SSL_SESS_CACHE_OFF);
1071 else 1432 else
1072 SSL_CTX_sess_set_cache_size(ctx2, 128); 1433 SSL_CTX_sess_set_cache_size(ctx2, 128);
1073 1434
1074 if ((!SSL_CTX_load_verify_locations(ctx2, CAfile, CApath)) || 1435 if ((!SSL_CTX_load_verify_locations(ctx2, s_server_config.CAfile, s_server_config.CApath)) ||
1075 (!SSL_CTX_set_default_verify_paths(ctx2))) { 1436 (!SSL_CTX_set_default_verify_paths(ctx2))) {
1076 ERR_print_errors(bio_err); 1437 ERR_print_errors(bio_err);
1077 } 1438 }
1078 if (vpm) 1439 if (s_server_config.vpm)
1079 SSL_CTX_set1_param(ctx2, vpm); 1440 SSL_CTX_set1_param(ctx2, s_server_config.vpm);
1080 } 1441 }
1081 if (alpn_ctx.data) 1442 if (alpn_ctx.data)
1082 SSL_CTX_set_alpn_select_cb(ctx, alpn_cb, &alpn_ctx); 1443 SSL_CTX_set_alpn_select_cb(ctx, alpn_cb, &alpn_ctx);
1083 1444
1084 if (groups_in != NULL) { 1445 if (s_server_config.groups_in != NULL) {
1085 if (SSL_CTX_set1_groups_list(ctx, groups_in) != 1) { 1446 if (SSL_CTX_set1_groups_list(ctx, s_server_config.groups_in) != 1) {
1086 BIO_printf(bio_err, "Failed to set groups '%s'\n", 1447 BIO_printf(bio_err, "Failed to set groups '%s'\n",
1087 groups_in); 1448 s_server_config.groups_in);
1088 goto end; 1449 goto end;
1089 } 1450 }
1090 } 1451 }
1091 1452
1092#ifndef OPENSSL_NO_DH 1453#ifndef OPENSSL_NO_DH
1093 if (!no_dhe) { 1454 if (!s_server_config.no_dhe) {
1094 DH *dh = NULL; 1455 DH *dh = NULL;
1095 1456
1096 if (dhfile) 1457 if (s_server_config.dhfile)
1097 dh = load_dh_param(dhfile); 1458 dh = load_dh_param(s_server_config.dhfile);
1098 else if (s_cert_file) 1459 else if (s_server_config.s_cert_file)
1099 dh = load_dh_param(s_cert_file); 1460 dh = load_dh_param(s_server_config.s_cert_file);
1100 1461
1101 if (dh != NULL) 1462 if (dh != NULL)
1102 BIO_printf(bio_s_out, "Setting temp DH parameters\n"); 1463 BIO_printf(bio_s_out, "Setting temp DH parameters\n");
@@ -1115,11 +1476,11 @@ s_server_main(int argc, char *argv[])
1115 } 1476 }
1116 1477
1117 if (ctx2) { 1478 if (ctx2) {
1118 if (!dhfile) { 1479 if (!s_server_config.dhfile) {
1119 DH *dh2 = NULL; 1480 DH *dh2 = NULL;
1120 1481
1121 if (s_cert_file2 != NULL) 1482 if (s_server_config.s_cert_file2 != NULL)
1122 dh2 = load_dh_param(s_cert_file2); 1483 dh2 = load_dh_param(s_server_config.s_cert_file2);
1123 if (dh2 != NULL) { 1484 if (dh2 != NULL) {
1124 BIO_printf(bio_s_out, "Setting temp DH parameters\n"); 1485 BIO_printf(bio_s_out, "Setting temp DH parameters\n");
1125 (void) BIO_flush(bio_s_out); 1486 (void) BIO_flush(bio_s_out);
@@ -1142,20 +1503,20 @@ s_server_main(int argc, char *argv[])
1142 } 1503 }
1143#endif 1504#endif
1144 1505
1145 if (!no_ecdhe && named_curve != NULL) { 1506 if (!s_server_config.no_ecdhe && s_server_config.named_curve != NULL) {
1146 EC_KEY *ecdh = NULL; 1507 EC_KEY *ecdh = NULL;
1147 int nid; 1508 int nid;
1148 1509
1149 if ((nid = OBJ_sn2nid(named_curve)) == 0) { 1510 if ((nid = OBJ_sn2nid(s_server_config.named_curve)) == 0) {
1150 BIO_printf(bio_err, "unknown curve name (%s)\n", 1511 BIO_printf(bio_err, "unknown curve name (%s)\n",
1151 named_curve); 1512 s_server_config.named_curve);
1152 goto end; 1513 goto end;
1153 } 1514 }
1154 if ((ecdh = EC_KEY_new_by_curve_name(nid)) == NULL) { 1515 if ((ecdh = EC_KEY_new_by_curve_name(nid)) == NULL) {
1155 BIO_printf(bio_err, "unable to create curve (%s)\n", 1516 BIO_printf(bio_err, "unable to create curve (%s)\n",
1156 named_curve); 1517 s_server_config.named_curve);
1157 goto end; 1518 goto end;
1158 } 1519 }
1159 BIO_printf(bio_s_out, "Setting temp ECDH parameters\n"); 1520 BIO_printf(bio_s_out, "Setting temp ECDH parameters\n");
1160 (void) BIO_flush(bio_s_out); 1521 (void) BIO_flush(bio_s_out);
1161 1522
@@ -1174,19 +1535,19 @@ s_server_main(int argc, char *argv[])
1174 goto end; 1535 goto end;
1175 } 1536 }
1176 1537
1177 if (cipher != NULL) { 1538 if (s_server_config.cipher != NULL) {
1178 if (!SSL_CTX_set_cipher_list(ctx, cipher)) { 1539 if (!SSL_CTX_set_cipher_list(ctx, s_server_config.cipher)) {
1179 BIO_printf(bio_err, "error setting cipher list\n"); 1540 BIO_printf(bio_err, "error setting cipher list\n");
1180 ERR_print_errors(bio_err); 1541 ERR_print_errors(bio_err);
1181 goto end; 1542 goto end;
1182 } 1543 }
1183 if (ctx2 && !SSL_CTX_set_cipher_list(ctx2, cipher)) { 1544 if (ctx2 && !SSL_CTX_set_cipher_list(ctx2, s_server_config.cipher)) {
1184 BIO_printf(bio_err, "error setting cipher list\n"); 1545 BIO_printf(bio_err, "error setting cipher list\n");
1185 ERR_print_errors(bio_err); 1546 ERR_print_errors(bio_err);
1186 goto end; 1547 goto end;
1187 } 1548 }
1188 } 1549 }
1189 SSL_CTX_set_verify(ctx, s_server_verify, verify_callback); 1550 SSL_CTX_set_verify(ctx, s_server_config.s_server_verify, verify_callback);
1190 SSL_CTX_set_session_id_context(ctx, (void *) &s_server_session_id_context, 1551 SSL_CTX_set_session_id_context(ctx, (void *) &s_server_session_id_context,
1191 sizeof s_server_session_id_context); 1552 sizeof s_server_session_id_context);
1192 1553
@@ -1195,28 +1556,28 @@ s_server_main(int argc, char *argv[])
1195 SSL_CTX_set_cookie_verify_cb(ctx, verify_cookie_callback); 1556 SSL_CTX_set_cookie_verify_cb(ctx, verify_cookie_callback);
1196 1557
1197 if (ctx2) { 1558 if (ctx2) {
1198 SSL_CTX_set_verify(ctx2, s_server_verify, verify_callback); 1559 SSL_CTX_set_verify(ctx2, s_server_config.s_server_verify, verify_callback);
1199 SSL_CTX_set_session_id_context(ctx2, (void *) &s_server_session_id_context, 1560 SSL_CTX_set_session_id_context(ctx2, (void *) &s_server_session_id_context,
1200 sizeof s_server_session_id_context); 1561 sizeof s_server_session_id_context);
1201 1562
1202 tlsextcbp.biodebug = bio_s_out; 1563 s_server_config.tlsextcbp.biodebug = bio_s_out;
1203 SSL_CTX_set_tlsext_servername_callback(ctx2, ssl_servername_cb); 1564 SSL_CTX_set_tlsext_servername_callback(ctx2, ssl_servername_cb);
1204 SSL_CTX_set_tlsext_servername_arg(ctx2, &tlsextcbp); 1565 SSL_CTX_set_tlsext_servername_arg(ctx2, &s_server_config.tlsextcbp);
1205 SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb); 1566 SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
1206 SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp); 1567 SSL_CTX_set_tlsext_servername_arg(ctx, &s_server_config.tlsextcbp);
1207 } 1568 }
1208 1569
1209 if (CAfile != NULL) { 1570 if (s_server_config.CAfile != NULL) {
1210 SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(CAfile)); 1571 SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(s_server_config.CAfile));
1211 if (ctx2) 1572 if (ctx2)
1212 SSL_CTX_set_client_CA_list(ctx2, SSL_load_client_CA_file(CAfile)); 1573 SSL_CTX_set_client_CA_list(ctx2, SSL_load_client_CA_file(s_server_config.CAfile));
1213 } 1574 }
1214 BIO_printf(bio_s_out, "ACCEPT\n"); 1575 BIO_printf(bio_s_out, "ACCEPT\n");
1215 (void) BIO_flush(bio_s_out); 1576 (void) BIO_flush(bio_s_out);
1216 if (www) 1577 if (s_server_config.www)
1217 do_server(port, socket_type, &accept_socket, www_body, context); 1578 do_server(s_server_config.port, s_server_config.socket_type, &accept_socket, www_body, s_server_config.context);
1218 else 1579 else
1219 do_server(port, socket_type, &accept_socket, sv_body, context); 1580 do_server(s_server_config.port, s_server_config.socket_type, &accept_socket, sv_body, s_server_config.context);
1220 print_stats(bio_s_out, ctx); 1581 print_stats(bio_s_out, ctx);
1221 ret = 0; 1582 ret = 0;
1222 end: 1583 end:
@@ -1227,10 +1588,10 @@ s_server_main(int argc, char *argv[])
1227 EVP_PKEY_free(s_dkey); 1588 EVP_PKEY_free(s_dkey);
1228 free(pass); 1589 free(pass);
1229 free(dpass); 1590 free(dpass);
1230 X509_VERIFY_PARAM_free(vpm); 1591 X509_VERIFY_PARAM_free(s_server_config.vpm);
1231 free(tlscstatp.host); 1592 free(s_server_config.tlscstatp.host);
1232 free(tlscstatp.port); 1593 free(s_server_config.tlscstatp.port);
1233 free(tlscstatp.path); 1594 free(s_server_config.tlscstatp.path);
1234 SSL_CTX_free(ctx2); 1595 SSL_CTX_free(ctx2);
1235 X509_free(s_cert2); 1596 X509_free(s_cert2);
1236 EVP_PKEY_free(s_key2); 1597 EVP_PKEY_free(s_key2);
@@ -1284,8 +1645,8 @@ sv_body(char *hostname, int s, unsigned char *context)
1284 BIO_printf(bio_err, "out of memory\n"); 1645 BIO_printf(bio_err, "out of memory\n");
1285 goto err; 1646 goto err;
1286 } 1647 }
1287 if (s_nbio) { 1648 if (s_server_config.s_nbio) {
1288 if (!s_quiet) 1649 if (!s_server_config.s_quiet)
1289 BIO_printf(bio_err, "turning on non blocking io\n"); 1650 BIO_printf(bio_err, "turning on non blocking io\n");
1290 if (!BIO_socket_nbio(s, 1)) 1651 if (!BIO_socket_nbio(s, 1))
1291 ERR_print_errors(bio_err); 1652 ERR_print_errors(bio_err);
@@ -1293,14 +1654,14 @@ sv_body(char *hostname, int s, unsigned char *context)
1293 1654
1294 if (con == NULL) { 1655 if (con == NULL) {
1295 con = SSL_new(ctx); 1656 con = SSL_new(ctx);
1296 if (s_tlsextdebug) { 1657 if (s_server_config.s_tlsextdebug) {
1297 SSL_set_tlsext_debug_callback(con, tlsext_cb); 1658 SSL_set_tlsext_debug_callback(con, tlsext_cb);
1298 SSL_set_tlsext_debug_arg(con, bio_s_out); 1659 SSL_set_tlsext_debug_arg(con, bio_s_out);
1299 } 1660 }
1300 if (s_tlsextstatus) { 1661 if (s_server_config.s_tlsextstatus) {
1301 SSL_CTX_set_tlsext_status_cb(ctx, cert_status_cb); 1662 SSL_CTX_set_tlsext_status_cb(ctx, cert_status_cb);
1302 tlscstatp.err = bio_err; 1663 s_server_config.tlscstatp.err = bio_err;
1303 SSL_CTX_set_tlsext_status_arg(ctx, &tlscstatp); 1664 SSL_CTX_set_tlsext_status_arg(ctx, &s_server_config.tlscstatp);
1304 } 1665 }
1305 if (context) 1666 if (context)
1306 SSL_set_session_id_context(con, context, 1667 SSL_set_session_id_context(con, context,
@@ -1312,7 +1673,7 @@ sv_body(char *hostname, int s, unsigned char *context)
1312 1673
1313 sbio = BIO_new_dgram(s, BIO_NOCLOSE); 1674 sbio = BIO_new_dgram(s, BIO_NOCLOSE);
1314 1675
1315 if (enable_timeouts) { 1676 if (s_server_config.enable_timeouts) {
1316 timeout.tv_sec = 0; 1677 timeout.tv_sec = 0;
1317 timeout.tv_usec = DGRAM_RCV_TIMEOUT; 1678 timeout.tv_usec = DGRAM_RCV_TIMEOUT;
1318 BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout); 1679 BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
@@ -1321,9 +1682,9 @@ sv_body(char *hostname, int s, unsigned char *context)
1321 timeout.tv_usec = DGRAM_SND_TIMEOUT; 1682 timeout.tv_usec = DGRAM_SND_TIMEOUT;
1322 BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout); 1683 BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
1323 } 1684 }
1324 if (socket_mtu > 28) { 1685 if (s_server_config.socket_mtu > 28) {
1325 SSL_set_options(con, SSL_OP_NO_QUERY_MTU); 1686 SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
1326 SSL_set_mtu(con, socket_mtu - 28); 1687 SSL_set_mtu(con, s_server_config.socket_mtu - 28);
1327 } else 1688 } else
1328 /* want to do MTU discovery */ 1689 /* want to do MTU discovery */
1329 BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL); 1690 BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL);
@@ -1333,7 +1694,7 @@ sv_body(char *hostname, int s, unsigned char *context)
1333 } else 1694 } else
1334 sbio = BIO_new_socket(s, BIO_NOCLOSE); 1695 sbio = BIO_new_socket(s, BIO_NOCLOSE);
1335 1696
1336 if (s_nbio_test) { 1697 if (s_server_config.s_nbio_test) {
1337 BIO *test; 1698 BIO *test;
1338 1699
1339 test = BIO_new(BIO_f_nbio_test()); 1700 test = BIO_new(BIO_f_nbio_test());
@@ -1344,16 +1705,16 @@ sv_body(char *hostname, int s, unsigned char *context)
1344 SSL_set_accept_state(con); 1705 SSL_set_accept_state(con);
1345 /* SSL_set_fd(con,s); */ 1706 /* SSL_set_fd(con,s); */
1346 1707
1347 if (s_debug) { 1708 if (s_server_config.s_debug) {
1348 SSL_set_debug(con, 1); 1709 SSL_set_debug(con, 1);
1349 BIO_set_callback(SSL_get_rbio(con), bio_dump_callback); 1710 BIO_set_callback(SSL_get_rbio(con), bio_dump_callback);
1350 BIO_set_callback_arg(SSL_get_rbio(con), (char *) bio_s_out); 1711 BIO_set_callback_arg(SSL_get_rbio(con), (char *) bio_s_out);
1351 } 1712 }
1352 if (s_msg) { 1713 if (s_server_config.s_msg) {
1353 SSL_set_msg_callback(con, msg_cb); 1714 SSL_set_msg_callback(con, msg_cb);
1354 SSL_set_msg_callback_arg(con, bio_s_out); 1715 SSL_set_msg_callback_arg(con, bio_s_out);
1355 } 1716 }
1356 if (s_tlsextdebug) { 1717 if (s_server_config.s_tlsextdebug) {
1357 SSL_set_tlsext_debug_callback(con, tlsext_cb); 1718 SSL_set_tlsext_debug_callback(con, tlsext_cb);
1358 SSL_set_tlsext_debug_arg(con, bio_s_out); 1719 SSL_set_tlsext_debug_arg(con, bio_s_out);
1359 } 1720 }
@@ -1399,7 +1760,7 @@ sv_body(char *hostname, int s, unsigned char *context)
1399 } 1760 }
1400 } 1761 }
1401 if (read_from_terminal) { 1762 if (read_from_terminal) {
1402 if (s_crlf) { 1763 if (s_server_config.s_crlf) {
1403 int j, lf_num; 1764 int j, lf_num;
1404 1765
1405 i = read(fileno(stdin), buf, bufsize / 2); 1766 i = read(fileno(stdin), buf, bufsize / 2);
@@ -1419,7 +1780,7 @@ sv_body(char *hostname, int s, unsigned char *context)
1419 assert(lf_num == 0); 1780 assert(lf_num == 0);
1420 } else 1781 } else
1421 i = read(fileno(stdin), buf, bufsize); 1782 i = read(fileno(stdin), buf, bufsize);
1422 if (!s_quiet) { 1783 if (!s_server_config.s_quiet) {
1423 if ((i <= 0) || (buf[0] == 'Q')) { 1784 if ((i <= 0) || (buf[0] == 'Q')) {
1424 BIO_printf(bio_s_out, "DONE\n"); 1785 BIO_printf(bio_s_out, "DONE\n");
1425 shutdown(s, SHUT_RD); 1786 shutdown(s, SHUT_RD);
@@ -1642,22 +2003,22 @@ init_ssl_connection(SSL * con)
1642 BIO_printf(bio_s_out, "Reused session-id\n"); 2003 BIO_printf(bio_s_out, "Reused session-id\n");
1643 BIO_printf(bio_s_out, "Secure Renegotiation IS%s supported\n", 2004 BIO_printf(bio_s_out, "Secure Renegotiation IS%s supported\n",
1644 SSL_get_secure_renegotiation_support(con) ? "" : " NOT"); 2005 SSL_get_secure_renegotiation_support(con) ? "" : " NOT");
1645 if (keymatexportlabel != NULL) { 2006 if (s_server_config.keymatexportlabel != NULL) {
1646 BIO_printf(bio_s_out, "Keying material exporter:\n"); 2007 BIO_printf(bio_s_out, "Keying material exporter:\n");
1647 BIO_printf(bio_s_out, " Label: '%s'\n", keymatexportlabel); 2008 BIO_printf(bio_s_out, " Label: '%s'\n", s_server_config.keymatexportlabel);
1648 BIO_printf(bio_s_out, " Length: %i bytes\n", 2009 BIO_printf(bio_s_out, " Length: %i bytes\n",
1649 keymatexportlen); 2010 s_server_config.keymatexportlen);
1650 exportedkeymat = malloc(keymatexportlen); 2011 exportedkeymat = malloc(s_server_config.keymatexportlen);
1651 if (exportedkeymat != NULL) { 2012 if (exportedkeymat != NULL) {
1652 if (!SSL_export_keying_material(con, exportedkeymat, 2013 if (!SSL_export_keying_material(con, exportedkeymat,
1653 keymatexportlen, 2014 s_server_config.keymatexportlen,
1654 keymatexportlabel, 2015 s_server_config.keymatexportlabel,
1655 strlen(keymatexportlabel), 2016 strlen(s_server_config.keymatexportlabel),
1656 NULL, 0, 0)) { 2017 NULL, 0, 0)) {
1657 BIO_printf(bio_s_out, " Error\n"); 2018 BIO_printf(bio_s_out, " Error\n");
1658 } else { 2019 } else {
1659 BIO_printf(bio_s_out, " Keying material: "); 2020 BIO_printf(bio_s_out, " Keying material: ");
1660 for (i = 0; i < keymatexportlen; i++) 2021 for (i = 0; i < s_server_config.keymatexportlen; i++)
1661 BIO_printf(bio_s_out, "%02X", 2022 BIO_printf(bio_s_out, "%02X",
1662 exportedkeymat[i]); 2023 exportedkeymat[i]);
1663 BIO_printf(bio_s_out, "\n"); 2024 BIO_printf(bio_s_out, "\n");
@@ -1702,8 +2063,8 @@ www_body(char *hostname, int s, unsigned char *context)
1702 if ((io == NULL) || (ssl_bio == NULL)) 2063 if ((io == NULL) || (ssl_bio == NULL))
1703 goto err; 2064 goto err;
1704 2065
1705 if (s_nbio) { 2066 if (s_server_config.s_nbio) {
1706 if (!s_quiet) 2067 if (!s_server_config.s_quiet)
1707 BIO_printf(bio_err, "turning on non blocking io\n"); 2068 BIO_printf(bio_err, "turning on non blocking io\n");
1708 if (!BIO_socket_nbio(s, 1)) 2069 if (!BIO_socket_nbio(s, 1))
1709 ERR_print_errors(bio_err); 2070 ERR_print_errors(bio_err);
@@ -1715,7 +2076,7 @@ www_body(char *hostname, int s, unsigned char *context)
1715 2076
1716 if ((con = SSL_new(ctx)) == NULL) 2077 if ((con = SSL_new(ctx)) == NULL)
1717 goto err; 2078 goto err;
1718 if (s_tlsextdebug) { 2079 if (s_server_config.s_tlsextdebug) {
1719 SSL_set_tlsext_debug_callback(con, tlsext_cb); 2080 SSL_set_tlsext_debug_callback(con, tlsext_cb);
1720 SSL_set_tlsext_debug_arg(con, bio_s_out); 2081 SSL_set_tlsext_debug_arg(con, bio_s_out);
1721 } 2082 }
@@ -1724,7 +2085,7 @@ www_body(char *hostname, int s, unsigned char *context)
1724 strlen((char *) context)); 2085 strlen((char *) context));
1725 2086
1726 sbio = BIO_new_socket(s, BIO_NOCLOSE); 2087 sbio = BIO_new_socket(s, BIO_NOCLOSE);
1727 if (s_nbio_test) { 2088 if (s_server_config.s_nbio_test) {
1728 BIO *test; 2089 BIO *test;
1729 2090
1730 test = BIO_new(BIO_f_nbio_test()); 2091 test = BIO_new(BIO_f_nbio_test());
@@ -1737,12 +2098,12 @@ www_body(char *hostname, int s, unsigned char *context)
1737 BIO_set_ssl(ssl_bio, con, BIO_CLOSE); 2098 BIO_set_ssl(ssl_bio, con, BIO_CLOSE);
1738 BIO_push(io, ssl_bio); 2099 BIO_push(io, ssl_bio);
1739 2100
1740 if (s_debug) { 2101 if (s_server_config.s_debug) {
1741 SSL_set_debug(con, 1); 2102 SSL_set_debug(con, 1);
1742 BIO_set_callback(SSL_get_rbio(con), bio_dump_callback); 2103 BIO_set_callback(SSL_get_rbio(con), bio_dump_callback);
1743 BIO_set_callback_arg(SSL_get_rbio(con), (char *) bio_s_out); 2104 BIO_set_callback_arg(SSL_get_rbio(con), (char *) bio_s_out);
1744 } 2105 }
1745 if (s_msg) { 2106 if (s_server_config.s_msg) {
1746 SSL_set_msg_callback(con, msg_cb); 2107 SSL_set_msg_callback(con, msg_cb);
1747 SSL_set_msg_callback_arg(con, bio_s_out); 2108 SSL_set_msg_callback_arg(con, bio_s_out);
1748 } 2109 }
@@ -1750,11 +2111,11 @@ www_body(char *hostname, int s, unsigned char *context)
1750 i = BIO_gets(io, buf, bufsize - 1); 2111 i = BIO_gets(io, buf, bufsize - 1);
1751 if (i < 0) { /* error */ 2112 if (i < 0) { /* error */
1752 if (!BIO_should_retry(io)) { 2113 if (!BIO_should_retry(io)) {
1753 if (!s_quiet) 2114 if (!s_server_config.s_quiet)
1754 ERR_print_errors(bio_err); 2115 ERR_print_errors(bio_err);
1755 goto err; 2116 goto err;
1756 } else { 2117 } else {
1757 if (s_debug) { 2118 if (s_server_config.s_debug) {
1758 BIO_printf(bio_s_out, "read R BLOCK\n"); 2119 BIO_printf(bio_s_out, "read R BLOCK\n");
1759 sleep(1); 2120 sleep(1);
1760 } 2121 }
@@ -1765,8 +2126,8 @@ www_body(char *hostname, int s, unsigned char *context)
1765 goto end; 2126 goto end;
1766 } 2127 }
1767 /* else we have data */ 2128 /* else we have data */
1768 if (((www == 1) && (strncmp("GET ", buf, 4) == 0)) || 2129 if (((s_server_config.www == 1) && (strncmp("GET ", buf, 4) == 0)) ||
1769 ((www == 2) && (strncmp("GET /stats ", buf, 11) == 0))) { 2130 ((s_server_config.www == 2) && (strncmp("GET /stats ", buf, 11) == 0))) {
1770 char *p; 2131 char *p;
1771 X509 *peer; 2132 X509 *peer;
1772 STACK_OF(SSL_CIPHER) * sk; 2133 STACK_OF(SSL_CIPHER) * sk;
@@ -1842,7 +2203,7 @@ www_body(char *hostname, int s, unsigned char *context)
1842 BIO_puts(io, "no client certificate available\n"); 2203 BIO_puts(io, "no client certificate available\n");
1843 BIO_puts(io, "</BODY></HTML>\r\n\r\n"); 2204 BIO_puts(io, "</BODY></HTML>\r\n\r\n");
1844 break; 2205 break;
1845 } else if ((www == 2 || www == 3) 2206 } else if ((s_server_config.www == 2 || s_server_config.www == 3)
1846 && (strncmp("GET /", buf, 5) == 0)) { 2207 && (strncmp("GET /", buf, 5) == 0)) {
1847 BIO *file; 2208 BIO *file;
1848 char *p, *e; 2209 char *p, *e;
@@ -1902,10 +2263,10 @@ www_body(char *hostname, int s, unsigned char *context)
1902 ERR_print_errors(io); 2263 ERR_print_errors(io);
1903 break; 2264 break;
1904 } 2265 }
1905 if (!s_quiet) 2266 if (!s_server_config.s_quiet)
1906 BIO_printf(bio_err, "FILE:%s\n", p); 2267 BIO_printf(bio_err, "FILE:%s\n", p);
1907 2268
1908 if (www == 2) { 2269 if (s_server_config.www == 2) {
1909 i = strlen(p); 2270 i = strlen(p);
1910 if (((i > 5) && (strcmp(&(p[i - 5]), ".html") == 0)) || 2271 if (((i > 5) && (strcmp(&(p[i - 5]), ".html") == 0)) ||
1911 ((i > 4) && (strcmp(&(p[i - 4]), ".php") == 0)) || 2272 ((i > 4) && (strcmp(&(p[i - 4]), ".php") == 0)) ||
@@ -1995,9 +2356,9 @@ generate_session_id(const SSL * ssl, unsigned char *id,
1995 * 1 session ID (ie. the prefix!) so all future session 2356 * 1 session ID (ie. the prefix!) so all future session
1996 * negotiations will fail due to conflicts. 2357 * negotiations will fail due to conflicts.
1997 */ 2358 */
1998 memcpy(id, session_id_prefix, 2359 memcpy(id, s_server_config.session_id_prefix,
1999 (strlen(session_id_prefix) < *id_len) ? 2360 (strlen(s_server_config.session_id_prefix) < *id_len) ?
2000 strlen(session_id_prefix) : *id_len); 2361 strlen(s_server_config.session_id_prefix) : *id_len);
2001 } 2362 }
2002 while (SSL_has_matching_session_id(ssl, id, *id_len) && 2363 while (SSL_has_matching_session_id(ssl, id, *id_len) &&
2003 (++count < MAX_SESSION_ID_ATTEMPTS)); 2364 (++count < MAX_SESSION_ID_ATTEMPTS));
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-11-20 04:50:14 +0000