s_server.c 77 KB

123456789101112131415161718192021222324252627282930313233343536373839404142434445464748495051525354555657585960616263646566676869707172737475767778798081828384858687888990919293949596979899100101102103104105106107108109110111112113114115116117118119120121122123124125126127128129130131132133134135136137138139140141142143144145146147148149150151152153154155156157158159160161162163164165166167168169170171172173174175176177178179180181182183184185186187188189190191192193194195196197198199200201202203204205206207208209210211212213214215216217218219220221222223224225226227228229230231232233234235236237238239240241242243244245246247248249250251252253254255256257258259260261262263264265266267268269270271272273274275276277278279280281282283284285286287288289290291292293294295296297298299300301302303304305306307308309310311312313314315316317318319320321322323324325326327328329330331332333334335336337338339340341342343344345346347348349350351352353354355356357358359360361362363364365366367368369370371372373374375376377378379380381382383384385386387388389390391392393394395396397398399400401402403404405406407408409410411412413414415416417418419420421422423424425426427428429430431432433434435436437438439440441442443444445446447448449450451452453454455456457458459460461462463464465466467468469470471472473474475476477478479480481482483484485486487488489490491492493494495496497498499500501502503504505506507508509510511512513514515516517518519520521522523524525526527528529530531532533534535536537538539540541542543544545546547548549550551552553554555556557558559560561562563564565566567568569570571572573574575576577578579580581582583584585586587588589590591592593594595596597598599600601602603604605606607608609610611612613614615616617618619620621622623624625626627628629630631632633634635636637638639640641642643644645646647648649650651652653654655656657658659660661662663664665666667668669670671672673674675676677678679680681682683684685686687688689690691692693694695696697698699700701702703704705706707708709710711712713714715716717718719720721722723724725726727728729730731732733734735736737738739740741742743744745746747748749750751752753754755756757758759760761762763764765766767768769770771772773774775776777778779780781782783784785786787788789790791792793794795796797798799800801802803804805806807808809810811812813814815816817818819820821822823824825826827828829830831832833834835836837838839840841842843844845846847848849850851852853854855856857858859860861862863864865866867868869870871872873874875876877878879880881882883884885886887888889890891892893894895896897898899900901902903904905906907908909910911912913914915916917918919920921922923924925926927928929930931932933934935936937938939940941942943944945946947948949950951952953954955956957958959960961962963964965966967968969970971972973974975976977978979980981982983984985986987988989990991992993994995996997998999100010011002100310041005100610071008100910101011101210131014101510161017101810191020102110221023102410251026102710281029103010311032103310341035103610371038103910401041104210431044104510461047104810491050105110521053105410551056105710581059106010611062106310641065106610671068106910701071107210731074107510761077107810791080108110821083108410851086108710881089109010911092109310941095109610971098109911001101110211031104110511061107110811091110111111121113111411151116111711181119112011211122112311241125112611271128112911301131113211331134113511361137113811391140114111421143114411451146114711481149115011511152115311541155115611571158115911601161116211631164116511661167116811691170117111721173117411751176117711781179118011811182118311841185118611871188118911901191119211931194119511961197119811991200120112021203120412051206120712081209121012111212121312141215121612171218121912201221122212231224122512261227122812291230123112321233123412351236123712381239124012411242124312441245124612471248124912501251125212531254125512561257125812591260126112621263126412651266126712681269127012711272127312741275127612771278127912801281128212831284128512861287128812891290129112921293129412951296129712981299130013011302130313041305130613071308130913101311131213131314131513161317131813191320132113221323132413251326132713281329133013311332133313341335133613371338133913401341134213431344134513461347134813491350135113521353135413551356135713581359136013611362136313641365136613671368136913701371137213731374137513761377137813791380138113821383138413851386138713881389139013911392139313941395139613971398139914001401140214031404140514061407140814091410141114121413141414151416141714181419142014211422142314241425142614271428142914301431143214331434143514361437143814391440144114421443144414451446144714481449145014511452145314541455145614571458145914601461146214631464146514661467146814691470147114721473147414751476147714781479148014811482148314841485148614871488148914901491149214931494149514961497149814991500150115021503150415051506150715081509151015111512151315141515151615171518151915201521152215231524152515261527152815291530153115321533153415351536153715381539154015411542154315441545154615471548154915501551155215531554155515561557155815591560156115621563156415651566156715681569157015711572157315741575157615771578157915801581158215831584158515861587158815891590159115921593159415951596159715981599160016011602160316041605160616071608160916101611161216131614161516161617161816191620162116221623162416251626162716281629163016311632163316341635163616371638163916401641164216431644164516461647164816491650165116521653165416551656165716581659166016611662166316641665166616671668166916701671167216731674167516761677167816791680168116821683168416851686168716881689169016911692169316941695169616971698169917001701170217031704170517061707170817091710171117121713171417151716171717181719172017211722172317241725172617271728172917301731173217331734173517361737173817391740174117421743174417451746174717481749175017511752175317541755175617571758175917601761176217631764176517661767176817691770177117721773177417751776177717781779178017811782178317841785178617871788178917901791179217931794179517961797179817991800180118021803180418051806180718081809181018111812181318141815181618171818181918201821182218231824182518261827182818291830183118321833183418351836183718381839184018411842184318441845184618471848184918501851185218531854185518561857185818591860186118621863186418651866186718681869187018711872187318741875187618771878187918801881188218831884188518861887188818891890189118921893189418951896189718981899190019011902190319041905190619071908190919101911191219131914191519161917191819191920192119221923192419251926192719281929193019311932193319341935193619371938193919401941194219431944194519461947194819491950195119521953195419551956195719581959196019611962196319641965196619671968196919701971197219731974197519761977197819791980198119821983198419851986198719881989199019911992199319941995199619971998199920002001200220032004200520062007200820092010201120122013201420152016201720182019202020212022202320242025202620272028202920302031203220332034203520362037203820392040204120422043204420452046204720482049205020512052205320542055205620572058205920602061206220632064206520662067206820692070207120722073207420752076207720782079208020812082208320842085208620872088208920902091209220932094209520962097209820992100210121022103210421052106210721082109211021112112211321142115211621172118211921202121212221232124212521262127212821292130213121322133213421352136213721382139214021412142214321442145214621472148214921502151215221532154215521562157215821592160216121622163216421652166216721682169217021712172217321742175217621772178217921802181218221832184218521862187218821892190219121922193219421952196219721982199220022012202220322042205220622072208220922102211221222132214221522162217221822192220222122222223222422252226222722282229223022312232223322342235223622372238223922402241224222432244224522462247224822492250225122522253225422552256225722582259226022612262226322642265226622672268226922702271227222732274227522762277227822792280228122822283228422852286228722882289229022912292229322942295229622972298229923002301230223032304230523062307230823092310231123122313231423152316231723182319232023212322232323242325232623272328232923302331233223332334233523362337233823392340234123422343234423452346234723482349235023512352235323542355235623572358235923602361236223632364236523662367236823692370237123722373237423752376237723782379238023812382238323842385238623872388238923902391239223932394239523962397239823992400240124022403240424052406240724082409241024112412241324142415241624172418241924202421242224232424242524262427242824292430243124322433243424352436
  1. /* apps/s_server.c */
  2. /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
  3. * All rights reserved.
  4. *
  5. * This package is an SSL implementation written
  6. * by Eric Young (eay@cryptsoft.com).
  7. * The implementation was written so as to conform with Netscapes SSL.
  8. *
  9. * This library is free for commercial and non-commercial use as long as
  10. * the following conditions are aheared to. The following conditions
  11. * apply to all code found in this distribution, be it the RC4, RSA,
  12. * lhash, DES, etc., code; not just the SSL code. The SSL documentation
  13. * included with this distribution is covered by the same copyright terms
  14. * except that the holder is Tim Hudson (tjh@cryptsoft.com).
  15. *
  16. * Copyright remains Eric Young's, and as such any Copyright notices in
  17. * the code are not to be removed.
  18. * If this package is used in a product, Eric Young should be given attribution
  19. * as the author of the parts of the library used.
  20. * This can be in the form of a textual message at program startup or
  21. * in documentation (online or textual) provided with the package.
  22. *
  23. * Redistribution and use in source and binary forms, with or without
  24. * modification, are permitted provided that the following conditions
  25. * are met:
  26. * 1. Redistributions of source code must retain the copyright
  27. * notice, this list of conditions and the following disclaimer.
  28. * 2. Redistributions in binary form must reproduce the above copyright
  29. * notice, this list of conditions and the following disclaimer in the
  30. * documentation and/or other materials provided with the distribution.
  31. * 3. All advertising materials mentioning features or use of this software
  32. * must display the following acknowledgement:
  33. * "This product includes cryptographic software written by
  34. * Eric Young (eay@cryptsoft.com)"
  35. * The word 'cryptographic' can be left out if the rouines from the library
  36. * being used are not cryptographic related :-).
  37. * 4. If you include any Windows specific code (or a derivative thereof) from
  38. * the apps directory (application code) you must include an acknowledgement:
  39. * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
  40. *
  41. * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
  42. * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  43. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
  44. * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
  45. * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
  46. * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
  47. * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  48. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
  49. * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
  50. * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
  51. * SUCH DAMAGE.
  52. *
  53. * The licence and distribution terms for any publically available version or
  54. * derivative of this code cannot be changed. i.e. this code cannot simply be
  55. * copied and put under another distribution licence
  56. * [including the GNU Public Licence.]
  57. */
  58. /* ====================================================================
  59. * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
  60. *
  61. * Redistribution and use in source and binary forms, with or without
  62. * modification, are permitted provided that the following conditions
  63. * are met:
  64. *
  65. * 1. Redistributions of source code must retain the above copyright
  66. * notice, this list of conditions and the following disclaimer.
  67. *
  68. * 2. Redistributions in binary form must reproduce the above copyright
  69. * notice, this list of conditions and the following disclaimer in
  70. * the documentation and/or other materials provided with the
  71. * distribution.
  72. *
  73. * 3. All advertising materials mentioning features or use of this
  74. * software must display the following acknowledgment:
  75. * "This product includes software developed by the OpenSSL Project
  76. * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
  77. *
  78. * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
  79. * endorse or promote products derived from this software without
  80. * prior written permission. For written permission, please contact
  81. * openssl-core@openssl.org.
  82. *
  83. * 5. Products derived from this software may not be called "OpenSSL"
  84. * nor may "OpenSSL" appear in their names without prior written
  85. * permission of the OpenSSL Project.
  86. *
  87. * 6. Redistributions of any form whatsoever must retain the following
  88. * acknowledgment:
  89. * "This product includes software developed by the OpenSSL Project
  90. * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
  91. *
  92. * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
  93. * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
  94. * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
  95. * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
  96. * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
  97. * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
  98. * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
  99. * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
  100. * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
  101. * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
  102. * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
  103. * OF THE POSSIBILITY OF SUCH DAMAGE.
  104. * ====================================================================
  105. *
  106. * This product includes cryptographic software written by Eric Young
  107. * (eay@cryptsoft.com). This product includes software written by Tim
  108. * Hudson (tjh@cryptsoft.com).
  109. *
  110. */
  111. /* ====================================================================
  112. * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
  113. * ECC cipher suite support in OpenSSL originally developed by
  114. * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
  115. */
  116. /*
  117. * Until the key-gen callbacks are modified to use newer prototypes, we allow
  118. * deprecated functions for openssl-internal code
  119. */
  120. #ifdef OPENSSL_NO_DEPRECATED
  121. # undef OPENSSL_NO_DEPRECATED
  122. #endif
  123. #include <assert.h>
  124. #include <stdio.h>
  125. #include <stdlib.h>
  126. #include <string.h>
  127. #include <sys/stat.h>
  128. #include <openssl/e_os2.h>
  129. #ifdef OPENSSL_NO_STDIO
  130. # define APPS_WIN16
  131. #endif
  132. /* conflicts with winsock2 stuff on netware */
  133. #if !defined(OPENSSL_SYS_NETWARE)
  134. # include <sys/types.h>
  135. #endif
  136. /*
  137. * With IPv6, it looks like Digital has mixed up the proper order of
  138. * recursive header file inclusion, resulting in the compiler complaining
  139. * that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which is
  140. * needed to have fileno() declared correctly... So let's define u_int
  141. */
  142. #if defined(OPENSSL_SYS_VMS_DECC) && !defined(__U_INT)
  143. # define __U_INT
  144. typedef unsigned int u_int;
  145. #endif
  146. #include <openssl/lhash.h>
  147. #include <openssl/bn.h>
  148. #define USE_SOCKETS
  149. #include "apps.h"
  150. #include <openssl/err.h>
  151. #include <openssl/pem.h>
  152. #include <openssl/x509.h>
  153. #include <openssl/ssl.h>
  154. #include <openssl/rand.h>
  155. #include <openssl/ocsp.h>
  156. #ifndef OPENSSL_NO_DH
  157. # include <openssl/dh.h>
  158. #endif
  159. #ifndef OPENSSL_NO_RSA
  160. # include <openssl/rsa.h>
  161. #endif
  162. #include "s_apps.h"
  163. #include "timeouts.h"
  164. #ifdef OPENSSL_SYS_WINCE
  165. /*
  166. * Windows CE incorrectly defines fileno as returning void*, so to avoid
  167. * problems below...
  168. */
  169. # ifdef fileno
  170. # undef fileno
  171. # endif
  172. # define fileno(a) (int)_fileno(a)
  173. #endif
  174. #if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
  175. /* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
  176. # undef FIONBIO
  177. #endif
  178. #ifndef OPENSSL_NO_RSA
  179. static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength);
  180. #endif
  181. static int sv_body(char *hostname, int s, unsigned char *context);
  182. static int www_body(char *hostname, int s, unsigned char *context);
  183. static void close_accept_socket(void);
  184. static void sv_usage(void);
  185. static int init_ssl_connection(SSL *s);
  186. static void print_stats(BIO *bp, SSL_CTX *ctx);
  187. static int generate_session_id(const SSL *ssl, unsigned char *id,
  188. unsigned int *id_len);
  189. #ifndef OPENSSL_NO_DH
  190. static DH *load_dh_param(const char *dhfile);
  191. static DH *get_dh512(void);
  192. #endif
  193. #ifdef MONOLITH
  194. static void s_server_init(void);
  195. #endif
  196. #ifndef S_ISDIR
  197. # if defined(_S_IFMT) && defined(_S_IFDIR)
  198. # define S_ISDIR(a) (((a) & _S_IFMT) == _S_IFDIR)
  199. # else
  200. # define S_ISDIR(a) (((a) & S_IFMT) == S_IFDIR)
  201. # endif
  202. #endif
  203. #ifndef OPENSSL_NO_DH
  204. static unsigned char dh512_p[] = {
  205. 0xDA, 0x58, 0x3C, 0x16, 0xD9, 0x85, 0x22, 0x89, 0xD0, 0xE4, 0xAF, 0x75,
  206. 0x6F, 0x4C, 0xCA, 0x92, 0xDD, 0x4B, 0xE5, 0x33, 0xB8, 0x04, 0xFB, 0x0F,
  207. 0xED, 0x94, 0xEF, 0x9C, 0x8A, 0x44, 0x03, 0xED, 0x57, 0x46, 0x50, 0xD3,
  208. 0x69, 0x99, 0xDB, 0x29, 0xD7, 0x76, 0x27, 0x6B, 0xA2, 0xD3, 0xD4, 0x12,
  209. 0xE2, 0x18, 0xF4, 0xDD, 0x1E, 0x08, 0x4C, 0xF6, 0xD8, 0x00, 0x3E, 0x7C,
  210. 0x47, 0x74, 0xE8, 0x33,
  211. };
  212. static unsigned char dh512_g[] = {
  213. 0x02,
  214. };
  215. static DH *get_dh512(void)
  216. {
  217. DH *dh = NULL;
  218. if ((dh = DH_new()) == NULL)
  219. return (NULL);
  220. dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
  221. dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
  222. if ((dh->p == NULL) || (dh->g == NULL))
  223. return (NULL);
  224. return (dh);
  225. }
  226. #endif
  227. /* static int load_CA(SSL_CTX *ctx, char *file);*/
  228. #undef BUFSIZZ
  229. #define BUFSIZZ 16*1024
  230. static int bufsize = BUFSIZZ;
  231. static int accept_socket = -1;
  232. #define TEST_CERT "server.pem"
  233. #ifndef OPENSSL_NO_TLSEXT
  234. # define TEST_CERT2 "server2.pem"
  235. #endif
  236. #undef PROG
  237. #define PROG s_server_main
  238. extern int verify_depth;
  239. static char *cipher = NULL;
  240. static int s_server_verify = SSL_VERIFY_NONE;
  241. static int s_server_session_id_context = 1; /* anything will do */
  242. static const char *s_cert_file = TEST_CERT, *s_key_file = NULL;
  243. #ifndef OPENSSL_NO_TLSEXT
  244. static const char *s_cert_file2 = TEST_CERT2, *s_key_file2 = NULL;
  245. #endif
  246. static char *s_dcert_file = NULL, *s_dkey_file = NULL;
  247. #ifdef FIONBIO
  248. static int s_nbio = 0;
  249. #endif
  250. static int s_nbio_test = 0;
  251. int s_crlf = 0;
  252. static SSL_CTX *ctx = NULL;
  253. #ifndef OPENSSL_NO_TLSEXT
  254. static SSL_CTX *ctx2 = NULL;
  255. #endif
  256. static int www = 0;
  257. static BIO *bio_s_out = NULL;
  258. static int s_debug = 0;
  259. #ifndef OPENSSL_NO_TLSEXT
  260. static int s_tlsextdebug = 0;
  261. static int s_tlsextstatus = 0;
  262. static int cert_status_cb(SSL *s, void *arg);
  263. #endif
  264. static int s_msg = 0;
  265. static int s_quiet = 0;
  266. static int hack = 0;
  267. #ifndef OPENSSL_NO_ENGINE
  268. static char *engine_id = NULL;
  269. #endif
  270. static const char *session_id_prefix = NULL;
  271. static int enable_timeouts = 0;
  272. static long socket_mtu;
  273. #ifndef OPENSSL_NO_DTLS1
  274. static int cert_chain = 0;
  275. #endif
  276. #ifdef MONOLITH
  277. static void s_server_init(void)
  278. {
  279. accept_socket = -1;
  280. cipher = NULL;
  281. s_server_verify = SSL_VERIFY_NONE;
  282. s_dcert_file = NULL;
  283. s_dkey_file = NULL;
  284. s_cert_file = TEST_CERT;
  285. s_key_file = NULL;
  286. # ifndef OPENSSL_NO_TLSEXT
  287. s_cert_file2 = TEST_CERT2;
  288. s_key_file2 = NULL;
  289. ctx2 = NULL;
  290. # endif
  291. # ifdef FIONBIO
  292. s_nbio = 0;
  293. # endif
  294. s_nbio_test = 0;
  295. ctx = NULL;
  296. www = 0;
  297. bio_s_out = NULL;
  298. s_debug = 0;
  299. s_msg = 0;
  300. s_quiet = 0;
  301. hack = 0;
  302. # ifndef OPENSSL_NO_ENGINE
  303. engine_id = NULL;
  304. # endif
  305. }
  306. #endif
  307. static void sv_usage(void)
  308. {
  309. BIO_printf(bio_err, "usage: s_server [args ...]\n");
  310. BIO_printf(bio_err, "\n");
  311. BIO_printf(bio_err,
  312. " -accept arg - port to accept on (default is %d)\n", PORT);
  313. BIO_printf(bio_err, " -context arg - set session ID context\n");
  314. BIO_printf(bio_err,
  315. " -verify arg - turn on peer certificate verification\n");
  316. BIO_printf(bio_err,
  317. " -Verify arg - turn on peer certificate verification, must have a cert.\n");
  318. BIO_printf(bio_err, " -cert arg - certificate file to use\n");
  319. BIO_printf(bio_err, " (default is %s)\n", TEST_CERT);
  320. BIO_printf(bio_err,
  321. " -crl_check - check the peer certificate has not been revoked by its CA.\n"
  322. " The CRL(s) are appended to the certificate file\n");
  323. BIO_printf(bio_err,
  324. " -crl_check_all - check the peer certificate has not been revoked by its CA\n"
  325. " or any other CRL in the CA chain. CRL(s) are appened to the\n"
  326. " the certificate file.\n");
  327. BIO_printf(bio_err,
  328. " -certform arg - certificate format (PEM or DER) PEM default\n");
  329. BIO_printf(bio_err,
  330. " -key arg - Private Key file to use, in cert file if\n");
  331. BIO_printf(bio_err, " not specified (default is %s)\n",
  332. TEST_CERT);
  333. BIO_printf(bio_err,
  334. " -keyform arg - key format (PEM, DER or ENGINE) PEM default\n");
  335. BIO_printf(bio_err,
  336. " -pass arg - private key file pass phrase source\n");
  337. BIO_printf(bio_err,
  338. " -dcert arg - second certificate file to use (usually for DSA)\n");
  339. BIO_printf(bio_err,
  340. " -dcertform x - second certificate format (PEM or DER) PEM default\n");
  341. BIO_printf(bio_err,
  342. " -dkey arg - second private key file to use (usually for DSA)\n");
  343. BIO_printf(bio_err,
  344. " -dkeyform arg - second key format (PEM, DER or ENGINE) PEM default\n");
  345. BIO_printf(bio_err,
  346. " -dpass arg - second private key file pass phrase source\n");
  347. BIO_printf(bio_err,
  348. " -dhparam arg - DH parameter file to use, in cert file if not specified\n");
  349. BIO_printf(bio_err,
  350. " or a default set of parameters is used\n");
  351. #ifndef OPENSSL_NO_ECDH
  352. BIO_printf(bio_err,
  353. " -named_curve arg - Elliptic curve name to use for ephemeral ECDH keys.\n"
  354. " Use \"openssl ecparam -list_curves\" for all names\n"
  355. " (default is sect163r2).\n");
  356. #endif
  357. #ifdef FIONBIO
  358. BIO_printf(bio_err, " -nbio - Run with non-blocking IO\n");
  359. #endif
  360. BIO_printf(bio_err,
  361. " -nbio_test - test with the non-blocking test bio\n");
  362. BIO_printf(bio_err,
  363. " -crlf - convert LF from terminal into CRLF\n");
  364. BIO_printf(bio_err, " -debug - Print more output\n");
  365. BIO_printf(bio_err, " -msg - Show protocol messages\n");
  366. BIO_printf(bio_err, " -state - Print the SSL states\n");
  367. BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n");
  368. BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n");
  369. BIO_printf(bio_err,
  370. " -nocert - Don't use any certificates (Anon-DH)\n");
  371. BIO_printf(bio_err,
  372. " -cipher arg - play with 'openssl ciphers' to see what goes here\n");
  373. BIO_printf(bio_err, " -serverpref - Use server's cipher preferences\n");
  374. BIO_printf(bio_err, " -quiet - No server output\n");
  375. BIO_printf(bio_err, " -no_tmp_rsa - Do not generate a tmp RSA key\n");
  376. BIO_printf(bio_err, " -ssl2 - Just talk SSLv2\n");
  377. BIO_printf(bio_err, " -ssl3 - Just talk SSLv3\n");
  378. BIO_printf(bio_err, " -tls1 - Just talk TLSv1\n");
  379. BIO_printf(bio_err, " -dtls1 - Just talk DTLSv1\n");
  380. BIO_printf(bio_err, " -timeout - Enable timeouts\n");
  381. BIO_printf(bio_err, " -mtu - Set link layer MTU\n");
  382. BIO_printf(bio_err, " -chain - Read a certificate chain\n");
  383. BIO_printf(bio_err, " -no_ssl2 - Just disable SSLv2\n");
  384. BIO_printf(bio_err, " -no_ssl3 - Just disable SSLv3\n");
  385. BIO_printf(bio_err, " -no_tls1 - Just disable TLSv1\n");
  386. #ifndef OPENSSL_NO_DH
  387. BIO_printf(bio_err, " -no_dhe - Disable ephemeral DH\n");
  388. #endif
  389. #ifndef OPENSSL_NO_ECDH
  390. BIO_printf(bio_err, " -no_ecdhe - Disable ephemeral ECDH\n");
  391. #endif
  392. BIO_printf(bio_err, " -bugs - Turn on SSL bug compatibility\n");
  393. BIO_printf(bio_err,
  394. " -www - Respond to a 'GET /' with a status page\n");
  395. BIO_printf(bio_err,
  396. " -WWW - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>\n");
  397. BIO_printf(bio_err,
  398. " -HTTP - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>\n");
  399. BIO_printf(bio_err,
  400. " with the assumption it contains a complete HTTP response.\n");
  401. #ifndef OPENSSL_NO_ENGINE
  402. BIO_printf(bio_err,
  403. " -engine id - Initialise and use the specified engine\n");
  404. #endif
  405. BIO_printf(bio_err,
  406. " -id_prefix arg - Generate SSL/TLS session IDs prefixed by 'arg'\n");
  407. BIO_printf(bio_err, " -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR,
  408. LIST_SEPARATOR_CHAR);
  409. #ifndef OPENSSL_NO_TLSEXT
  410. BIO_printf(bio_err,
  411. " -servername host - servername for HostName TLS extension\n");
  412. BIO_printf(bio_err,
  413. " -servername_fatal - on mismatch send fatal alert (default warning alert)\n");
  414. BIO_printf(bio_err,
  415. " -cert2 arg - certificate file to use for servername\n");
  416. BIO_printf(bio_err, " (default is %s)\n", TEST_CERT2);
  417. BIO_printf(bio_err,
  418. " -key2 arg - Private Key file to use for servername, in cert file if\n");
  419. BIO_printf(bio_err, " not specified (default is %s)\n",
  420. TEST_CERT2);
  421. BIO_printf(bio_err,
  422. " -tlsextdebug - hex dump of all TLS extensions received\n");
  423. BIO_printf(bio_err,
  424. " -no_ticket - disable use of RFC4507bis session tickets\n");
  425. BIO_printf(bio_err,
  426. " -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
  427. #endif
  428. }
  429. static int local_argc = 0;
  430. static char **local_argv;
  431. #ifdef CHARSET_EBCDIC
  432. static int ebcdic_new(BIO *bi);
  433. static int ebcdic_free(BIO *a);
  434. static int ebcdic_read(BIO *b, char *out, int outl);
  435. static int ebcdic_write(BIO *b, const char *in, int inl);
  436. static long ebcdic_ctrl(BIO *b, int cmd, long num, void *ptr);
  437. static int ebcdic_gets(BIO *bp, char *buf, int size);
  438. static int ebcdic_puts(BIO *bp, const char *str);
  439. # define BIO_TYPE_EBCDIC_FILTER (18|0x0200)
  440. static BIO_METHOD methods_ebcdic = {
  441. BIO_TYPE_EBCDIC_FILTER,
  442. "EBCDIC/ASCII filter",
  443. ebcdic_write,
  444. ebcdic_read,
  445. ebcdic_puts,
  446. ebcdic_gets,
  447. ebcdic_ctrl,
  448. ebcdic_new,
  449. ebcdic_free,
  450. };
  451. typedef struct {
  452. size_t alloced;
  453. char buff[1];
  454. } EBCDIC_OUTBUFF;
  455. BIO_METHOD *BIO_f_ebcdic_filter()
  456. {
  457. return (&methods_ebcdic);
  458. }
  459. static int ebcdic_new(BIO *bi)
  460. {
  461. EBCDIC_OUTBUFF *wbuf;
  462. wbuf = (EBCDIC_OUTBUFF *) OPENSSL_malloc(sizeof(EBCDIC_OUTBUFF) + 1024);
  463. wbuf->alloced = 1024;
  464. wbuf->buff[0] = '\0';
  465. bi->ptr = (char *)wbuf;
  466. bi->init = 1;
  467. bi->flags = 0;
  468. return (1);
  469. }
  470. static int ebcdic_free(BIO *a)
  471. {
  472. if (a == NULL)
  473. return (0);
  474. if (a->ptr != NULL)
  475. OPENSSL_free(a->ptr);
  476. a->ptr = NULL;
  477. a->init = 0;
  478. a->flags = 0;
  479. return (1);
  480. }
  481. static int ebcdic_read(BIO *b, char *out, int outl)
  482. {
  483. int ret = 0;
  484. if (out == NULL || outl == 0)
  485. return (0);
  486. if (b->next_bio == NULL)
  487. return (0);
  488. ret = BIO_read(b->next_bio, out, outl);
  489. if (ret > 0)
  490. ascii2ebcdic(out, out, ret);
  491. return (ret);
  492. }
  493. static int ebcdic_write(BIO *b, const char *in, int inl)
  494. {
  495. EBCDIC_OUTBUFF *wbuf;
  496. int ret = 0;
  497. int num;
  498. unsigned char n;
  499. if ((in == NULL) || (inl <= 0))
  500. return (0);
  501. if (b->next_bio == NULL)
  502. return (0);
  503. wbuf = (EBCDIC_OUTBUFF *) b->ptr;
  504. if (inl > (num = wbuf->alloced)) {
  505. num = num + num; /* double the size */
  506. if (num < inl)
  507. num = inl;
  508. OPENSSL_free(wbuf);
  509. wbuf =
  510. (EBCDIC_OUTBUFF *) OPENSSL_malloc(sizeof(EBCDIC_OUTBUFF) + num);
  511. wbuf->alloced = num;
  512. wbuf->buff[0] = '\0';
  513. b->ptr = (char *)wbuf;
  514. }
  515. ebcdic2ascii(wbuf->buff, in, inl);
  516. ret = BIO_write(b->next_bio, wbuf->buff, inl);
  517. return (ret);
  518. }
  519. static long ebcdic_ctrl(BIO *b, int cmd, long num, void *ptr)
  520. {
  521. long ret;
  522. if (b->next_bio == NULL)
  523. return (0);
  524. switch (cmd) {
  525. case BIO_CTRL_DUP:
  526. ret = 0L;
  527. break;
  528. default:
  529. ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
  530. break;
  531. }
  532. return (ret);
  533. }
  534. static int ebcdic_gets(BIO *bp, char *buf, int size)
  535. {
  536. int i, ret = 0;
  537. if (bp->next_bio == NULL)
  538. return (0);
  539. /* return(BIO_gets(bp->next_bio,buf,size));*/
  540. for (i = 0; i < size - 1; ++i) {
  541. ret = ebcdic_read(bp, &buf[i], 1);
  542. if (ret <= 0)
  543. break;
  544. else if (buf[i] == '\n') {
  545. ++i;
  546. break;
  547. }
  548. }
  549. if (i < size)
  550. buf[i] = '\0';
  551. return (ret < 0 && i == 0) ? ret : i;
  552. }
  553. static int ebcdic_puts(BIO *bp, const char *str)
  554. {
  555. if (bp->next_bio == NULL)
  556. return (0);
  557. return ebcdic_write(bp, str, strlen(str));
  558. }
  559. #endif
  560. #ifndef OPENSSL_NO_TLSEXT
  561. /* This is a context that we pass to callbacks */
  562. typedef struct tlsextctx_st {
  563. char *servername;
  564. BIO *biodebug;
  565. int extension_error;
  566. } tlsextctx;
  567. static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg)
  568. {
  569. tlsextctx *p = (tlsextctx *) arg;
  570. const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
  571. if (servername && p->biodebug)
  572. BIO_printf(p->biodebug, "Hostname in TLS extension: \"%s\"\n",
  573. servername);
  574. if (!p->servername)
  575. return SSL_TLSEXT_ERR_NOACK;
  576. if (servername) {
  577. if (strcasecmp(servername, p->servername))
  578. return p->extension_error;
  579. if (ctx2) {
  580. BIO_printf(p->biodebug, "Swiching server context.\n");
  581. SSL_set_SSL_CTX(s, ctx2);
  582. }
  583. }
  584. return SSL_TLSEXT_ERR_OK;
  585. }
  586. /* Structure passed to cert status callback */
  587. typedef struct tlsextstatusctx_st {
  588. /* Default responder to use */
  589. char *host, *path, *port;
  590. int use_ssl;
  591. int timeout;
  592. BIO *err;
  593. int verbose;
  594. } tlsextstatusctx;
  595. static tlsextstatusctx tlscstatp = { NULL, NULL, NULL, 0, -1, NULL, 0 };
  596. /*
  597. * Certificate Status callback. This is called when a client includes a
  598. * certificate status request extension. This is a simplified version. It
  599. * examines certificates each time and makes one OCSP responder query for
  600. * each request. A full version would store details such as the OCSP
  601. * certificate IDs and minimise the number of OCSP responses by caching them
  602. * until they were considered "expired".
  603. */
  604. static int cert_status_cb(SSL *s, void *arg)
  605. {
  606. tlsextstatusctx *srctx = arg;
  607. BIO *err = srctx->err;
  608. char *host, *port, *path;
  609. int use_ssl;
  610. unsigned char *rspder = NULL;
  611. int rspderlen;
  612. STACK *aia = NULL;
  613. X509 *x = NULL;
  614. X509_STORE_CTX inctx;
  615. X509_OBJECT obj;
  616. OCSP_REQUEST *req = NULL;
  617. OCSP_RESPONSE *resp = NULL;
  618. OCSP_CERTID *id = NULL;
  619. STACK_OF(X509_EXTENSION) *exts;
  620. int ret = SSL_TLSEXT_ERR_NOACK;
  621. int i;
  622. # if 0
  623. STACK_OF(OCSP_RESPID) *ids;
  624. SSL_get_tlsext_status_ids(s, &ids);
  625. BIO_printf(err, "cert_status: received %d ids\n",
  626. sk_OCSP_RESPID_num(ids));
  627. # endif
  628. if (srctx->verbose)
  629. BIO_puts(err, "cert_status: callback called\n");
  630. /* Build up OCSP query from server certificate */
  631. x = SSL_get_certificate(s);
  632. aia = X509_get1_ocsp(x);
  633. if (aia) {
  634. if (!OCSP_parse_url(sk_value(aia, 0), &host, &port, &path, &use_ssl)) {
  635. BIO_puts(err, "cert_status: can't parse AIA URL\n");
  636. goto err;
  637. }
  638. if (srctx->verbose)
  639. BIO_printf(err, "cert_status: AIA URL: %s\n", sk_value(aia, 0));
  640. } else {
  641. if (!srctx->host) {
  642. BIO_puts(srctx->err,
  643. "cert_status: no AIA and no default responder URL\n");
  644. goto done;
  645. }
  646. host = srctx->host;
  647. path = srctx->path;
  648. port = srctx->port;
  649. use_ssl = srctx->use_ssl;
  650. }
  651. if (!X509_STORE_CTX_init(&inctx,
  652. SSL_CTX_get_cert_store(SSL_get_SSL_CTX(s)),
  653. NULL, NULL))
  654. goto err;
  655. if (X509_STORE_get_by_subject(&inctx, X509_LU_X509,
  656. X509_get_issuer_name(x), &obj) <= 0) {
  657. BIO_puts(err, "cert_status: Can't retrieve issuer certificate.\n");
  658. X509_STORE_CTX_cleanup(&inctx);
  659. goto done;
  660. }
  661. req = OCSP_REQUEST_new();
  662. if (!req)
  663. goto err;
  664. id = OCSP_cert_to_id(NULL, x, obj.data.x509);
  665. X509_free(obj.data.x509);
  666. X509_STORE_CTX_cleanup(&inctx);
  667. if (!id)
  668. goto err;
  669. if (!OCSP_request_add0_id(req, id))
  670. goto err;
  671. id = NULL;
  672. /* Add any extensions to the request */
  673. SSL_get_tlsext_status_exts(s, &exts);
  674. for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) {
  675. X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, i);
  676. if (!OCSP_REQUEST_add_ext(req, ext, -1))
  677. goto err;
  678. }
  679. resp = process_responder(err, req, host, path, port, use_ssl,
  680. srctx->timeout);
  681. if (!resp) {
  682. BIO_puts(err, "cert_status: error querying responder\n");
  683. goto done;
  684. }
  685. rspderlen = i2d_OCSP_RESPONSE(resp, &rspder);
  686. if (rspderlen <= 0)
  687. goto err;
  688. SSL_set_tlsext_status_ocsp_resp(s, rspder, rspderlen);
  689. if (srctx->verbose) {
  690. BIO_puts(err, "cert_status: ocsp response sent:\n");
  691. OCSP_RESPONSE_print(err, resp, 2);
  692. }
  693. ret = SSL_TLSEXT_ERR_OK;
  694. done:
  695. if (ret != SSL_TLSEXT_ERR_OK)
  696. ERR_print_errors(err);
  697. if (aia) {
  698. OPENSSL_free(host);
  699. OPENSSL_free(path);
  700. OPENSSL_free(port);
  701. X509_email_free(aia);
  702. }
  703. if (id)
  704. OCSP_CERTID_free(id);
  705. if (req)
  706. OCSP_REQUEST_free(req);
  707. if (resp)
  708. OCSP_RESPONSE_free(resp);
  709. return ret;
  710. err:
  711. ret = SSL_TLSEXT_ERR_ALERT_FATAL;
  712. goto done;
  713. }
  714. #endif
  715. int MAIN(int, char **);
  716. #ifndef OPENSSL_NO_JPAKE
  717. static char *jpake_secret = NULL;
  718. #endif
  719. int MAIN(int argc, char *argv[])
  720. {
  721. X509_STORE *store = NULL;
  722. int vflags = 0;
  723. short port = PORT;
  724. char *CApath = NULL, *CAfile = NULL;
  725. unsigned char *context = NULL;
  726. char *dhfile = NULL;
  727. #ifndef OPENSSL_NO_ECDH
  728. char *named_curve = NULL;
  729. #endif
  730. int badop = 0, bugs = 0;
  731. int ret = 1;
  732. int off = 0;
  733. int no_tmp_rsa = 0, no_dhe = 0, no_ecdhe = 0, nocert = 0;
  734. int state = 0;
  735. SSL_METHOD *meth = NULL;
  736. int socket_type = SOCK_STREAM;
  737. ENGINE *e = NULL;
  738. char *inrand = NULL;
  739. int s_cert_format = FORMAT_PEM, s_key_format = FORMAT_PEM;
  740. char *passarg = NULL, *pass = NULL;
  741. char *dpassarg = NULL, *dpass = NULL;
  742. int s_dcert_format = FORMAT_PEM, s_dkey_format = FORMAT_PEM;
  743. X509 *s_cert = NULL, *s_dcert = NULL;
  744. EVP_PKEY *s_key = NULL, *s_dkey = NULL;
  745. int no_cache = 0;
  746. #ifndef OPENSSL_NO_TLSEXT
  747. EVP_PKEY *s_key2 = NULL;
  748. X509 *s_cert2 = NULL;
  749. #endif
  750. #ifndef OPENSSL_NO_TLSEXT
  751. tlsextctx tlsextcbp = { NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING };
  752. #endif
  753. meth = SSLv23_server_method();
  754. local_argc = argc;
  755. local_argv = argv;
  756. apps_startup();
  757. #ifdef MONOLITH
  758. s_server_init();
  759. #endif
  760. if (bio_err == NULL)
  761. bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
  762. if (!load_config(bio_err, NULL))
  763. goto end;
  764. verify_depth = 0;
  765. #ifdef FIONBIO
  766. s_nbio = 0;
  767. #endif
  768. s_nbio_test = 0;
  769. argc--;
  770. argv++;
  771. while (argc >= 1) {
  772. if ((strcmp(*argv, "-port") == 0) || (strcmp(*argv, "-accept") == 0)) {
  773. if (--argc < 1)
  774. goto bad;
  775. if (!extract_port(*(++argv), &port))
  776. goto bad;
  777. } else if (strcmp(*argv, "-verify") == 0) {
  778. s_server_verify = SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
  779. if (--argc < 1)
  780. goto bad;
  781. verify_depth = atoi(*(++argv));
  782. BIO_printf(bio_err, "verify depth is %d\n", verify_depth);
  783. } else if (strcmp(*argv, "-Verify") == 0) {
  784. s_server_verify =
  785. SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT |
  786. SSL_VERIFY_CLIENT_ONCE;
  787. if (--argc < 1)
  788. goto bad;
  789. verify_depth = atoi(*(++argv));
  790. BIO_printf(bio_err,
  791. "verify depth is %d, must return a certificate\n",
  792. verify_depth);
  793. } else if (strcmp(*argv, "-context") == 0) {
  794. if (--argc < 1)
  795. goto bad;
  796. context = (unsigned char *)*(++argv);
  797. } else if (strcmp(*argv, "-cert") == 0) {
  798. if (--argc < 1)
  799. goto bad;
  800. s_cert_file = *(++argv);
  801. } else if (strcmp(*argv, "-certform") == 0) {
  802. if (--argc < 1)
  803. goto bad;
  804. s_cert_format = str2fmt(*(++argv));
  805. } else if (strcmp(*argv, "-key") == 0) {
  806. if (--argc < 1)
  807. goto bad;
  808. s_key_file = *(++argv);
  809. } else if (strcmp(*argv, "-keyform") == 0) {
  810. if (--argc < 1)
  811. goto bad;
  812. s_key_format = str2fmt(*(++argv));
  813. } else if (strcmp(*argv, "-pass") == 0) {
  814. if (--argc < 1)
  815. goto bad;
  816. passarg = *(++argv);
  817. } else if (strcmp(*argv, "-dhparam") == 0) {
  818. if (--argc < 1)
  819. goto bad;
  820. dhfile = *(++argv);
  821. }
  822. #ifndef OPENSSL_NO_ECDH
  823. else if (strcmp(*argv, "-named_curve") == 0) {
  824. if (--argc < 1)
  825. goto bad;
  826. named_curve = *(++argv);
  827. }
  828. #endif
  829. else if (strcmp(*argv, "-dcertform") == 0) {
  830. if (--argc < 1)
  831. goto bad;
  832. s_dcert_format = str2fmt(*(++argv));
  833. } else if (strcmp(*argv, "-dcert") == 0) {
  834. if (--argc < 1)
  835. goto bad;
  836. s_dcert_file = *(++argv);
  837. } else if (strcmp(*argv, "-dkeyform") == 0) {
  838. if (--argc < 1)
  839. goto bad;
  840. s_dkey_format = str2fmt(*(++argv));
  841. } else if (strcmp(*argv, "-dpass") == 0) {
  842. if (--argc < 1)
  843. goto bad;
  844. dpassarg = *(++argv);
  845. } else if (strcmp(*argv, "-dkey") == 0) {
  846. if (--argc < 1)
  847. goto bad;
  848. s_dkey_file = *(++argv);
  849. } else if (strcmp(*argv, "-nocert") == 0) {
  850. nocert = 1;
  851. } else if (strcmp(*argv, "-CApath") == 0) {
  852. if (--argc < 1)
  853. goto bad;
  854. CApath = *(++argv);
  855. } else if (strcmp(*argv, "-no_cache") == 0)
  856. no_cache = 1;
  857. else if (strcmp(*argv, "-crl_check") == 0) {
  858. vflags |= X509_V_FLAG_CRL_CHECK;
  859. } else if (strcmp(*argv, "-crl_check_all") == 0) {
  860. vflags |= X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL;
  861. } else if (strcmp(*argv, "-serverpref") == 0) {
  862. off |= SSL_OP_CIPHER_SERVER_PREFERENCE;
  863. } else if (strcmp(*argv, "-legacy_renegotiation") == 0)
  864. off |= SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
  865. else if (strcmp(*argv, "-cipher") == 0) {
  866. if (--argc < 1)
  867. goto bad;
  868. cipher = *(++argv);
  869. } else if (strcmp(*argv, "-CAfile") == 0) {
  870. if (--argc < 1)
  871. goto bad;
  872. CAfile = *(++argv);
  873. }
  874. #ifdef FIONBIO
  875. else if (strcmp(*argv, "-nbio") == 0) {
  876. s_nbio = 1;
  877. }
  878. #endif
  879. else if (strcmp(*argv, "-nbio_test") == 0) {
  880. #ifdef FIONBIO
  881. s_nbio = 1;
  882. #endif
  883. s_nbio_test = 1;
  884. } else if (strcmp(*argv, "-debug") == 0) {
  885. s_debug = 1;
  886. }
  887. #ifndef OPENSSL_NO_TLSEXT
  888. else if (strcmp(*argv, "-tlsextdebug") == 0)
  889. s_tlsextdebug = 1;
  890. else if (strcmp(*argv, "-status") == 0)
  891. s_tlsextstatus = 1;
  892. else if (strcmp(*argv, "-status_verbose") == 0) {
  893. s_tlsextstatus = 1;
  894. tlscstatp.verbose = 1;
  895. } else if (!strcmp(*argv, "-status_timeout")) {
  896. s_tlsextstatus = 1;
  897. if (--argc < 1)
  898. goto bad;
  899. tlscstatp.timeout = atoi(*(++argv));
  900. } else if (!strcmp(*argv, "-status_url")) {
  901. s_tlsextstatus = 1;
  902. if (--argc < 1)
  903. goto bad;
  904. if (!OCSP_parse_url(*(++argv),
  905. &tlscstatp.host,
  906. &tlscstatp.port,
  907. &tlscstatp.path, &tlscstatp.use_ssl)) {
  908. BIO_printf(bio_err, "Error parsing URL\n");
  909. goto bad;
  910. }
  911. }
  912. #endif
  913. else if (strcmp(*argv, "-msg") == 0) {
  914. s_msg = 1;
  915. } else if (strcmp(*argv, "-hack") == 0) {
  916. hack = 1;
  917. } else if (strcmp(*argv, "-state") == 0) {
  918. state = 1;
  919. } else if (strcmp(*argv, "-crlf") == 0) {
  920. s_crlf = 1;
  921. } else if (strcmp(*argv, "-quiet") == 0) {
  922. s_quiet = 1;
  923. } else if (strcmp(*argv, "-bugs") == 0) {
  924. bugs = 1;
  925. } else if (strcmp(*argv, "-no_tmp_rsa") == 0) {
  926. no_tmp_rsa = 1;
  927. } else if (strcmp(*argv, "-no_dhe") == 0) {
  928. no_dhe = 1;
  929. } else if (strcmp(*argv, "-no_ecdhe") == 0) {
  930. no_ecdhe = 1;
  931. } else if (strcmp(*argv, "-www") == 0) {
  932. www = 1;
  933. } else if (strcmp(*argv, "-WWW") == 0) {
  934. www = 2;
  935. } else if (strcmp(*argv, "-HTTP") == 0) {
  936. www = 3;
  937. } else if (strcmp(*argv, "-no_ssl2") == 0) {
  938. off |= SSL_OP_NO_SSLv2;
  939. } else if (strcmp(*argv, "-no_ssl3") == 0) {
  940. off |= SSL_OP_NO_SSLv3;
  941. } else if (strcmp(*argv, "-no_tls1") == 0) {
  942. off |= SSL_OP_NO_TLSv1;
  943. }
  944. #ifndef OPENSSL_NO_TLSEXT
  945. else if (strcmp(*argv, "-no_ticket") == 0) {
  946. off |= SSL_OP_NO_TICKET;
  947. }
  948. #endif
  949. #ifndef OPENSSL_NO_SSL2
  950. else if (strcmp(*argv, "-ssl2") == 0) {
  951. meth = SSLv2_server_method();
  952. }
  953. #endif
  954. #ifndef OPENSSL_NO_SSL3
  955. else if (strcmp(*argv, "-ssl3") == 0) {
  956. meth = SSLv3_server_method();
  957. }
  958. #endif
  959. #ifndef OPENSSL_NO_TLS1
  960. else if (strcmp(*argv, "-tls1") == 0) {
  961. meth = TLSv1_server_method();
  962. }
  963. #endif
  964. #ifndef OPENSSL_NO_DTLS1
  965. else if (strcmp(*argv, "-dtls1") == 0) {
  966. meth = DTLSv1_server_method();
  967. socket_type = SOCK_DGRAM;
  968. } else if (strcmp(*argv, "-timeout") == 0)
  969. enable_timeouts = 1;
  970. else if (strcmp(*argv, "-mtu") == 0) {
  971. if (--argc < 1)
  972. goto bad;
  973. socket_mtu = atol(*(++argv));
  974. } else if (strcmp(*argv, "-chain") == 0)
  975. cert_chain = 1;
  976. #endif
  977. else if (strcmp(*argv, "-id_prefix") == 0) {
  978. if (--argc < 1)
  979. goto bad;
  980. session_id_prefix = *(++argv);
  981. }
  982. #ifndef OPENSSL_NO_ENGINE
  983. else if (strcmp(*argv, "-engine") == 0) {
  984. if (--argc < 1)
  985. goto bad;
  986. engine_id = *(++argv);
  987. }
  988. #endif
  989. else if (strcmp(*argv, "-rand") == 0) {
  990. if (--argc < 1)
  991. goto bad;
  992. inrand = *(++argv);
  993. }
  994. #ifndef OPENSSL_NO_TLSEXT
  995. else if (strcmp(*argv, "-servername") == 0) {
  996. if (--argc < 1)
  997. goto bad;
  998. tlsextcbp.servername = *(++argv);
  999. } else if (strcmp(*argv, "-servername_fatal") == 0) {
  1000. tlsextcbp.extension_error = SSL_TLSEXT_ERR_ALERT_FATAL;
  1001. } else if (strcmp(*argv, "-cert2") == 0) {
  1002. if (--argc < 1)
  1003. goto bad;
  1004. s_cert_file2 = *(++argv);
  1005. } else if (strcmp(*argv, "-key2") == 0) {
  1006. if (--argc < 1)
  1007. goto bad;
  1008. s_key_file2 = *(++argv);
  1009. }
  1010. #endif
  1011. #ifndef OPENSSL_NO_JPAKE
  1012. else if (strcmp(*argv, "-jpake") == 0) {
  1013. if (--argc < 1)
  1014. goto bad;
  1015. jpake_secret = *(++argv);
  1016. }
  1017. #endif
  1018. else {
  1019. BIO_printf(bio_err, "unknown option %s\n", *argv);
  1020. badop = 1;
  1021. break;
  1022. }
  1023. argc--;
  1024. argv++;
  1025. }
  1026. if (badop) {
  1027. bad:
  1028. sv_usage();
  1029. goto end;
  1030. }
  1031. #ifndef OPENSSL_NO_DTLS1
  1032. if (www && socket_type == SOCK_DGRAM) {
  1033. BIO_printf(bio_err, "Can't use -HTTP, -www or -WWW with DTLS\n");
  1034. goto end;
  1035. }
  1036. #endif
  1037. SSL_load_error_strings();
  1038. OpenSSL_add_ssl_algorithms();
  1039. #ifndef OPENSSL_NO_ENGINE
  1040. e = setup_engine(bio_err, engine_id, 1);
  1041. #endif
  1042. if (!app_passwd(bio_err, passarg, dpassarg, &pass, &dpass)) {
  1043. BIO_printf(bio_err, "Error getting password\n");
  1044. goto end;
  1045. }
  1046. if (s_key_file == NULL)
  1047. s_key_file = s_cert_file;
  1048. #ifndef OPENSSL_NO_TLSEXT
  1049. if (s_key_file2 == NULL)
  1050. s_key_file2 = s_cert_file2;
  1051. #endif
  1052. if (nocert == 0) {
  1053. s_key = load_key(bio_err, s_key_file, s_key_format, 0, pass, e,
  1054. "server certificate private key file");
  1055. if (!s_key) {
  1056. ERR_print_errors(bio_err);
  1057. goto end;
  1058. }
  1059. s_cert = load_cert(bio_err, s_cert_file, s_cert_format,
  1060. NULL, e, "server certificate file");
  1061. if (!s_cert) {
  1062. ERR_print_errors(bio_err);
  1063. goto end;
  1064. }
  1065. #ifndef OPENSSL_NO_TLSEXT
  1066. if (tlsextcbp.servername) {
  1067. s_key2 = load_key(bio_err, s_key_file2, s_key_format, 0, pass, e,
  1068. "second server certificate private key file");
  1069. if (!s_key2) {
  1070. ERR_print_errors(bio_err);
  1071. goto end;
  1072. }
  1073. s_cert2 = load_cert(bio_err, s_cert_file2, s_cert_format,
  1074. NULL, e, "second server certificate file");
  1075. if (!s_cert2) {
  1076. ERR_print_errors(bio_err);
  1077. goto end;
  1078. }
  1079. }
  1080. #endif
  1081. }
  1082. if (s_dcert_file) {
  1083. if (s_dkey_file == NULL)
  1084. s_dkey_file = s_dcert_file;
  1085. s_dkey = load_key(bio_err, s_dkey_file, s_dkey_format,
  1086. 0, dpass, e, "second certificate private key file");
  1087. if (!s_dkey) {
  1088. ERR_print_errors(bio_err);
  1089. goto end;
  1090. }
  1091. s_dcert = load_cert(bio_err, s_dcert_file, s_dcert_format,
  1092. NULL, e, "second server certificate file");
  1093. if (!s_dcert) {
  1094. ERR_print_errors(bio_err);
  1095. goto end;
  1096. }
  1097. }
  1098. if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
  1099. && !RAND_status()) {
  1100. BIO_printf(bio_err,
  1101. "warning, not much extra random data, consider using the -rand option\n");
  1102. }
  1103. if (inrand != NULL)
  1104. BIO_printf(bio_err, "%ld semi-random bytes loaded\n",
  1105. app_RAND_load_files(inrand));
  1106. if (bio_s_out == NULL) {
  1107. if (s_quiet && !s_debug && !s_msg) {
  1108. bio_s_out = BIO_new(BIO_s_null());
  1109. } else {
  1110. if (bio_s_out == NULL)
  1111. bio_s_out = BIO_new_fp(stdout, BIO_NOCLOSE);
  1112. }
  1113. }
  1114. #if !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_ECDSA)
  1115. if (nocert)
  1116. #endif
  1117. {
  1118. s_cert_file = NULL;
  1119. s_key_file = NULL;
  1120. s_dcert_file = NULL;
  1121. s_dkey_file = NULL;
  1122. #ifndef OPENSSL_NO_TLSEXT
  1123. s_cert_file2 = NULL;
  1124. s_key_file2 = NULL;
  1125. #endif
  1126. }
  1127. ctx = SSL_CTX_new(meth);
  1128. if (ctx == NULL) {
  1129. ERR_print_errors(bio_err);
  1130. goto end;
  1131. }
  1132. if (session_id_prefix) {
  1133. if (strlen(session_id_prefix) >= 32)
  1134. BIO_printf(bio_err,
  1135. "warning: id_prefix is too long, only one new session will be possible\n");
  1136. else if (strlen(session_id_prefix) >= 16)
  1137. BIO_printf(bio_err,
  1138. "warning: id_prefix is too long if you use SSLv2\n");
  1139. if (!SSL_CTX_set_generate_session_id(ctx, generate_session_id)) {
  1140. BIO_printf(bio_err, "error setting 'id_prefix'\n");
  1141. ERR_print_errors(bio_err);
  1142. goto end;
  1143. }
  1144. BIO_printf(bio_err, "id_prefix '%s' set.\n", session_id_prefix);
  1145. }
  1146. SSL_CTX_set_quiet_shutdown(ctx, 1);
  1147. if (bugs)
  1148. SSL_CTX_set_options(ctx, SSL_OP_ALL);
  1149. if (hack)
  1150. SSL_CTX_set_options(ctx, SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG);
  1151. SSL_CTX_set_options(ctx, off);
  1152. /*
  1153. * DTLS: partial reads end up discarding unread UDP bytes :-( Setting
  1154. * read ahead solves this problem.
  1155. */
  1156. if (socket_type == SOCK_DGRAM)
  1157. SSL_CTX_set_read_ahead(ctx, 1);
  1158. if (state)
  1159. SSL_CTX_set_info_callback(ctx, apps_ssl_info_callback);
  1160. if (no_cache)
  1161. SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
  1162. else
  1163. SSL_CTX_sess_set_cache_size(ctx, 128);
  1164. #if 0
  1165. if (cipher == NULL)
  1166. cipher = getenv("SSL_CIPHER");
  1167. #endif
  1168. #if 0
  1169. if (s_cert_file == NULL) {
  1170. BIO_printf(bio_err,
  1171. "You must specify a certificate file for the server to use\n");
  1172. goto end;
  1173. }
  1174. #endif
  1175. if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) ||
  1176. (!SSL_CTX_set_default_verify_paths(ctx))) {
  1177. /* BIO_printf(bio_err,"X509_load_verify_locations\n"); */
  1178. ERR_print_errors(bio_err);
  1179. /* goto end; */
  1180. }
  1181. store = SSL_CTX_get_cert_store(ctx);
  1182. X509_STORE_set_flags(store, vflags);
  1183. #ifndef OPENSSL_NO_TLSEXT
  1184. if (s_cert2) {
  1185. ctx2 = SSL_CTX_new(meth);
  1186. if (ctx2 == NULL) {
  1187. ERR_print_errors(bio_err);
  1188. goto end;
  1189. }
  1190. }
  1191. if (ctx2) {
  1192. BIO_printf(bio_s_out, "Setting secondary ctx parameters\n");
  1193. if (session_id_prefix) {
  1194. if (strlen(session_id_prefix) >= 32)
  1195. BIO_printf(bio_err,
  1196. "warning: id_prefix is too long, only one new session will be possible\n");
  1197. else if (strlen(session_id_prefix) >= 16)
  1198. BIO_printf(bio_err,
  1199. "warning: id_prefix is too long if you use SSLv2\n");
  1200. if (!SSL_CTX_set_generate_session_id(ctx2, generate_session_id)) {
  1201. BIO_printf(bio_err, "error setting 'id_prefix'\n");
  1202. ERR_print_errors(bio_err);
  1203. goto end;
  1204. }
  1205. BIO_printf(bio_err, "id_prefix '%s' set.\n", session_id_prefix);
  1206. }
  1207. SSL_CTX_set_quiet_shutdown(ctx2, 1);
  1208. if (bugs)
  1209. SSL_CTX_set_options(ctx2, SSL_OP_ALL);
  1210. if (hack)
  1211. SSL_CTX_set_options(ctx2, SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG);
  1212. SSL_CTX_set_options(ctx2, off);
  1213. /*
  1214. * DTLS: partial reads end up discarding unread UDP bytes :-(
  1215. * Setting read ahead solves this problem.
  1216. */
  1217. if (socket_type == SOCK_DGRAM)
  1218. SSL_CTX_set_read_ahead(ctx2, 1);
  1219. if (state)
  1220. SSL_CTX_set_info_callback(ctx2, apps_ssl_info_callback);
  1221. if (no_cache)
  1222. SSL_CTX_set_session_cache_mode(ctx2, SSL_SESS_CACHE_OFF);
  1223. else
  1224. SSL_CTX_sess_set_cache_size(ctx2, 128);
  1225. if ((!SSL_CTX_load_verify_locations(ctx2, CAfile, CApath)) ||
  1226. (!SSL_CTX_set_default_verify_paths(ctx2))) {
  1227. ERR_print_errors(bio_err);
  1228. }
  1229. store = SSL_CTX_get_cert_store(ctx2);
  1230. X509_STORE_set_flags(store, vflags);
  1231. }
  1232. #endif
  1233. #ifndef OPENSSL_NO_DH
  1234. if (!no_dhe) {
  1235. DH *dh = NULL;
  1236. if (dhfile)
  1237. dh = load_dh_param(dhfile);
  1238. else if (s_cert_file)
  1239. dh = load_dh_param(s_cert_file);
  1240. if (dh != NULL) {
  1241. BIO_printf(bio_s_out, "Setting temp DH parameters\n");
  1242. } else {
  1243. BIO_printf(bio_s_out, "Using default temp DH parameters\n");
  1244. dh = get_dh512();
  1245. }
  1246. (void)BIO_flush(bio_s_out);
  1247. SSL_CTX_set_tmp_dh(ctx, dh);
  1248. # ifndef OPENSSL_NO_TLSEXT
  1249. if (ctx2) {
  1250. if (!dhfile) {
  1251. DH *dh2 = load_dh_param(s_cert_file2);
  1252. if (dh2 != NULL) {
  1253. BIO_printf(bio_s_out, "Setting temp DH parameters\n");
  1254. (void)BIO_flush(bio_s_out);
  1255. DH_free(dh);
  1256. dh = dh2;
  1257. }
  1258. }
  1259. SSL_CTX_set_tmp_dh(ctx2, dh);
  1260. }
  1261. # endif
  1262. DH_free(dh);
  1263. }
  1264. #endif
  1265. #ifndef OPENSSL_NO_ECDH
  1266. if (!no_ecdhe) {
  1267. EC_KEY *ecdh = NULL;
  1268. if (named_curve) {
  1269. int nid = OBJ_sn2nid(named_curve);
  1270. if (nid == 0) {
  1271. BIO_printf(bio_err, "unknown curve name (%s)\n", named_curve);
  1272. goto end;
  1273. }
  1274. ecdh = EC_KEY_new_by_curve_name(nid);
  1275. if (ecdh == NULL) {
  1276. BIO_printf(bio_err, "unable to create curve (%s)\n",
  1277. named_curve);
  1278. goto end;
  1279. }
  1280. }
  1281. if (ecdh != NULL) {
  1282. BIO_printf(bio_s_out, "Setting temp ECDH parameters\n");
  1283. } else {
  1284. BIO_printf(bio_s_out, "Using default temp ECDH parameters\n");
  1285. ecdh = EC_KEY_new_by_curve_name(NID_sect163r2);
  1286. if (ecdh == NULL) {
  1287. BIO_printf(bio_err, "unable to create curve (sect163r2)\n");
  1288. goto end;
  1289. }
  1290. }
  1291. (void)BIO_flush(bio_s_out);
  1292. SSL_CTX_set_tmp_ecdh(ctx, ecdh);
  1293. # ifndef OPENSSL_NO_TLSEXT
  1294. if (ctx2)
  1295. SSL_CTX_set_tmp_ecdh(ctx2, ecdh);
  1296. # endif
  1297. EC_KEY_free(ecdh);
  1298. }
  1299. #endif
  1300. if (!set_cert_key_stuff(ctx, s_cert, s_key))
  1301. goto end;
  1302. #ifndef OPENSSL_NO_TLSEXT
  1303. if (ctx2 && !set_cert_key_stuff(ctx2, s_cert2, s_key2))
  1304. goto end;
  1305. #endif
  1306. if (s_dcert != NULL) {
  1307. if (!set_cert_key_stuff(ctx, s_dcert, s_dkey))
  1308. goto end;
  1309. }
  1310. #ifndef OPENSSL_NO_RSA
  1311. # if 1
  1312. if (!no_tmp_rsa) {
  1313. SSL_CTX_set_tmp_rsa_callback(ctx, tmp_rsa_cb);
  1314. # ifndef OPENSSL_NO_TLSEXT
  1315. if (ctx2)
  1316. SSL_CTX_set_tmp_rsa_callback(ctx2, tmp_rsa_cb);
  1317. # endif
  1318. }
  1319. # else
  1320. if (!no_tmp_rsa && SSL_CTX_need_tmp_RSA(ctx)) {
  1321. RSA *rsa;
  1322. BIO_printf(bio_s_out, "Generating temp (512 bit) RSA key...");
  1323. BIO_flush(bio_s_out);
  1324. rsa = RSA_generate_key(512, RSA_F4, NULL);
  1325. if (!SSL_CTX_set_tmp_rsa(ctx, rsa)) {
  1326. ERR_print_errors(bio_err);
  1327. goto end;
  1328. }
  1329. # ifndef OPENSSL_NO_TLSEXT
  1330. if (ctx2) {
  1331. if (!SSL_CTX_set_tmp_rsa(ctx2, rsa)) {
  1332. ERR_print_errors(bio_err);
  1333. goto end;
  1334. }
  1335. }
  1336. # endif
  1337. RSA_free(rsa);
  1338. BIO_printf(bio_s_out, "\n");
  1339. }
  1340. # endif
  1341. #endif
  1342. if (cipher != NULL)
  1343. if (!SSL_CTX_set_cipher_list(ctx, cipher)) {
  1344. BIO_printf(bio_err, "error setting cipher list\n");
  1345. ERR_print_errors(bio_err);
  1346. goto end;
  1347. #ifndef OPENSSL_NO_TLSEXT
  1348. if (ctx2 && !SSL_CTX_set_cipher_list(ctx2, cipher)) {
  1349. BIO_printf(bio_err, "error setting cipher list\n");
  1350. ERR_print_errors(bio_err);
  1351. goto end;
  1352. }
  1353. #endif
  1354. }
  1355. SSL_CTX_set_verify(ctx, s_server_verify, verify_callback);
  1356. SSL_CTX_set_session_id_context(ctx, (void *)&s_server_session_id_context,
  1357. sizeof s_server_session_id_context);
  1358. /* Set DTLS cookie generation and verification callbacks */
  1359. SSL_CTX_set_cookie_generate_cb(ctx, generate_cookie_callback);
  1360. SSL_CTX_set_cookie_verify_cb(ctx, verify_cookie_callback);
  1361. #ifndef OPENSSL_NO_TLSEXT
  1362. if (ctx2) {
  1363. SSL_CTX_set_verify(ctx2, s_server_verify, verify_callback);
  1364. SSL_CTX_set_session_id_context(ctx2,
  1365. (void *)&s_server_session_id_context,
  1366. sizeof s_server_session_id_context);
  1367. tlsextcbp.biodebug = bio_s_out;
  1368. SSL_CTX_set_tlsext_servername_callback(ctx2, ssl_servername_cb);
  1369. SSL_CTX_set_tlsext_servername_arg(ctx2, &tlsextcbp);
  1370. SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
  1371. SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
  1372. }
  1373. #endif
  1374. if (CAfile != NULL) {
  1375. SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(CAfile));
  1376. #ifndef OPENSSL_NO_TLSEXT
  1377. if (ctx2)
  1378. SSL_CTX_set_client_CA_list(ctx2, SSL_load_client_CA_file(CAfile));
  1379. #endif
  1380. }
  1381. BIO_printf(bio_s_out, "ACCEPT\n");
  1382. if (www)
  1383. do_server(port, socket_type, &accept_socket, www_body, context);
  1384. else
  1385. do_server(port, socket_type, &accept_socket, sv_body, context);
  1386. print_stats(bio_s_out, ctx);
  1387. ret = 0;
  1388. end:
  1389. if (ctx != NULL)
  1390. SSL_CTX_free(ctx);
  1391. if (s_cert)
  1392. X509_free(s_cert);
  1393. if (s_dcert)
  1394. X509_free(s_dcert);
  1395. if (s_key)
  1396. EVP_PKEY_free(s_key);
  1397. if (s_dkey)
  1398. EVP_PKEY_free(s_dkey);
  1399. if (pass)
  1400. OPENSSL_free(pass);
  1401. if (dpass)
  1402. OPENSSL_free(dpass);
  1403. #ifndef OPENSSL_NO_TLSEXT
  1404. if (tlscstatp.host)
  1405. OPENSSL_free(tlscstatp.host);
  1406. if (tlscstatp.port)
  1407. OPENSSL_free(tlscstatp.port);
  1408. if (tlscstatp.path)
  1409. OPENSSL_free(tlscstatp.path);
  1410. if (ctx2 != NULL)
  1411. SSL_CTX_free(ctx2);
  1412. if (s_cert2)
  1413. X509_free(s_cert2);
  1414. if (s_key2)
  1415. EVP_PKEY_free(s_key2);
  1416. #endif
  1417. if (bio_s_out != NULL) {
  1418. BIO_free(bio_s_out);
  1419. bio_s_out = NULL;
  1420. }
  1421. apps_shutdown();
  1422. OPENSSL_EXIT(ret);
  1423. }
  1424. static void print_stats(BIO *bio, SSL_CTX *ssl_ctx)
  1425. {
  1426. BIO_printf(bio, "%4ld items in the session cache\n",
  1427. SSL_CTX_sess_number(ssl_ctx));
  1428. BIO_printf(bio, "%4ld client connects (SSL_connect())\n",
  1429. SSL_CTX_sess_connect(ssl_ctx));
  1430. BIO_printf(bio, "%4ld client renegotiates (SSL_connect())\n",
  1431. SSL_CTX_sess_connect_renegotiate(ssl_ctx));
  1432. BIO_printf(bio, "%4ld client connects that finished\n",
  1433. SSL_CTX_sess_connect_good(ssl_ctx));
  1434. BIO_printf(bio, "%4ld server accepts (SSL_accept())\n",
  1435. SSL_CTX_sess_accept(ssl_ctx));
  1436. BIO_printf(bio, "%4ld server renegotiates (SSL_accept())\n",
  1437. SSL_CTX_sess_accept_renegotiate(ssl_ctx));
  1438. BIO_printf(bio, "%4ld server accepts that finished\n",
  1439. SSL_CTX_sess_accept_good(ssl_ctx));
  1440. BIO_printf(bio, "%4ld session cache hits\n", SSL_CTX_sess_hits(ssl_ctx));
  1441. BIO_printf(bio, "%4ld session cache misses\n",
  1442. SSL_CTX_sess_misses(ssl_ctx));
  1443. BIO_printf(bio, "%4ld session cache timeouts\n",
  1444. SSL_CTX_sess_timeouts(ssl_ctx));
  1445. BIO_printf(bio, "%4ld callback cache hits\n",
  1446. SSL_CTX_sess_cb_hits(ssl_ctx));
  1447. BIO_printf(bio, "%4ld cache full overflows (%ld allowed)\n",
  1448. SSL_CTX_sess_cache_full(ssl_ctx),
  1449. SSL_CTX_sess_get_cache_size(ssl_ctx));
  1450. }
  1451. static int sv_body(char *hostname, int s, unsigned char *context)
  1452. {
  1453. char *buf = NULL;
  1454. fd_set readfds;
  1455. int ret = 1, width;
  1456. int k, i;
  1457. unsigned long l;
  1458. SSL *con = NULL;
  1459. BIO *sbio;
  1460. struct timeval timeout;
  1461. #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE)
  1462. struct timeval tv;
  1463. #else
  1464. struct timeval *timeoutp;
  1465. #endif
  1466. if ((buf = OPENSSL_malloc(bufsize)) == NULL) {
  1467. BIO_printf(bio_err, "out of memory\n");
  1468. goto err;
  1469. }
  1470. #ifdef FIONBIO
  1471. if (s_nbio) {
  1472. unsigned long sl = 1;
  1473. if (!s_quiet)
  1474. BIO_printf(bio_err, "turning on non blocking io\n");
  1475. if (BIO_socket_ioctl(s, FIONBIO, &sl) < 0)
  1476. ERR_print_errors(bio_err);
  1477. }
  1478. #endif
  1479. if (con == NULL) {
  1480. con = SSL_new(ctx);
  1481. #ifndef OPENSSL_NO_TLSEXT
  1482. if (s_tlsextdebug) {
  1483. SSL_set_tlsext_debug_callback(con, tlsext_cb);
  1484. SSL_set_tlsext_debug_arg(con, bio_s_out);
  1485. }
  1486. if (s_tlsextstatus) {
  1487. SSL_CTX_set_tlsext_status_cb(ctx, cert_status_cb);
  1488. tlscstatp.err = bio_err;
  1489. SSL_CTX_set_tlsext_status_arg(ctx, &tlscstatp);
  1490. }
  1491. #endif
  1492. #ifndef OPENSSL_NO_KRB5
  1493. if ((con->kssl_ctx = kssl_ctx_new()) != NULL) {
  1494. kssl_ctx_setstring(con->kssl_ctx, KSSL_SERVICE, KRB5SVC);
  1495. kssl_ctx_setstring(con->kssl_ctx, KSSL_KEYTAB, KRB5KEYTAB);
  1496. }
  1497. #endif /* OPENSSL_NO_KRB5 */
  1498. if (context)
  1499. SSL_set_session_id_context(con, context, strlen((char *)context));
  1500. }
  1501. SSL_clear(con);
  1502. if (SSL_version(con) == DTLS1_VERSION) {
  1503. sbio = BIO_new_dgram(s, BIO_NOCLOSE);
  1504. if (enable_timeouts) {
  1505. timeout.tv_sec = 0;
  1506. timeout.tv_usec = DGRAM_RCV_TIMEOUT;
  1507. BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
  1508. timeout.tv_sec = 0;
  1509. timeout.tv_usec = DGRAM_SND_TIMEOUT;
  1510. BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
  1511. }
  1512. if (socket_mtu > 28) {
  1513. SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
  1514. SSL_set_mtu(con, socket_mtu - 28);
  1515. } else
  1516. /* want to do MTU discovery */
  1517. BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL);
  1518. /* turn on cookie exchange */
  1519. SSL_set_options(con, SSL_OP_COOKIE_EXCHANGE);
  1520. } else
  1521. sbio = BIO_new_socket(s, BIO_NOCLOSE);
  1522. if (s_nbio_test) {
  1523. BIO *test;
  1524. test = BIO_new(BIO_f_nbio_test());
  1525. sbio = BIO_push(test, sbio);
  1526. }
  1527. #ifndef OPENSSL_NO_JPAKE
  1528. if (jpake_secret)
  1529. jpake_server_auth(bio_s_out, sbio, jpake_secret);
  1530. #endif
  1531. SSL_set_bio(con, sbio, sbio);
  1532. SSL_set_accept_state(con);
  1533. /* SSL_set_fd(con,s); */
  1534. if (s_debug) {
  1535. con->debug = 1;
  1536. BIO_set_callback(SSL_get_rbio(con), bio_dump_callback);
  1537. BIO_set_callback_arg(SSL_get_rbio(con), (char *)bio_s_out);
  1538. }
  1539. if (s_msg) {
  1540. SSL_set_msg_callback(con, msg_cb);
  1541. SSL_set_msg_callback_arg(con, bio_s_out);
  1542. }
  1543. #ifndef OPENSSL_NO_TLSEXT
  1544. if (s_tlsextdebug) {
  1545. SSL_set_tlsext_debug_callback(con, tlsext_cb);
  1546. SSL_set_tlsext_debug_arg(con, bio_s_out);
  1547. }
  1548. #endif
  1549. width = s + 1;
  1550. for (;;) {
  1551. int read_from_terminal;
  1552. int read_from_sslcon;
  1553. read_from_terminal = 0;
  1554. read_from_sslcon = SSL_pending(con);
  1555. if (!read_from_sslcon) {
  1556. FD_ZERO(&readfds);
  1557. #if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE)
  1558. FD_SET(fileno(stdin), &readfds);
  1559. #endif
  1560. FD_SET(s, &readfds);
  1561. /*
  1562. * Note: under VMS with SOCKETSHR the second parameter is
  1563. * currently of type (int *) whereas under other systems it is
  1564. * (void *) if you don't have a cast it will choke the compiler:
  1565. * if you do have a cast then you can either go for (int *) or
  1566. * (void *).
  1567. */
  1568. #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE)
  1569. /*
  1570. * Under DOS (non-djgpp) and Windows we can't select on stdin:
  1571. * only on sockets. As a workaround we timeout the select every
  1572. * second and check for any keypress. In a proper Windows
  1573. * application we wouldn't do this because it is inefficient.
  1574. */
  1575. tv.tv_sec = 1;
  1576. tv.tv_usec = 0;
  1577. i = select(width, (void *)&readfds, NULL, NULL, &tv);
  1578. if ((i < 0) || (!i && !_kbhit()))
  1579. continue;
  1580. if (_kbhit())
  1581. read_from_terminal = 1;
  1582. #else
  1583. if ((SSL_version(con) == DTLS1_VERSION) &&
  1584. DTLSv1_get_timeout(con, &timeout))
  1585. timeoutp = &timeout;
  1586. else
  1587. timeoutp = NULL;
  1588. i = select(width, (void *)&readfds, NULL, NULL, timeoutp);
  1589. if ((SSL_version(con) == DTLS1_VERSION)
  1590. && DTLSv1_handle_timeout(con) > 0) {
  1591. BIO_printf(bio_err, "TIMEOUT occured\n");
  1592. }
  1593. if (i <= 0)
  1594. continue;
  1595. if (FD_ISSET(fileno(stdin), &readfds))
  1596. read_from_terminal = 1;
  1597. #endif
  1598. if (FD_ISSET(s, &readfds))
  1599. read_from_sslcon = 1;
  1600. }
  1601. if (read_from_terminal) {
  1602. if (s_crlf) {
  1603. int j, lf_num;
  1604. i = read(fileno(stdin), buf, bufsize / 2);
  1605. lf_num = 0;
  1606. /* both loops are skipped when i <= 0 */
  1607. for (j = 0; j < i; j++)
  1608. if (buf[j] == '\n')
  1609. lf_num++;
  1610. for (j = i - 1; j >= 0; j--) {
  1611. buf[j + lf_num] = buf[j];
  1612. if (buf[j] == '\n') {
  1613. lf_num--;
  1614. i++;
  1615. buf[j + lf_num] = '\r';
  1616. }
  1617. }
  1618. assert(lf_num == 0);
  1619. } else
  1620. i = read(fileno(stdin), buf, bufsize);
  1621. if (!s_quiet) {
  1622. if ((i <= 0) || (buf[0] == 'Q')) {
  1623. BIO_printf(bio_s_out, "DONE\n");
  1624. SHUTDOWN(s);
  1625. close_accept_socket();
  1626. ret = -11;
  1627. goto err;
  1628. }
  1629. if ((i <= 0) || (buf[0] == 'q')) {
  1630. BIO_printf(bio_s_out, "DONE\n");
  1631. if (SSL_version(con) != DTLS1_VERSION)
  1632. SHUTDOWN(s);
  1633. /*
  1634. * close_accept_socket(); ret= -11;
  1635. */
  1636. goto err;
  1637. }
  1638. if ((buf[0] == 'r') && ((buf[1] == '\n') || (buf[1] == '\r'))) {
  1639. SSL_renegotiate(con);
  1640. i = SSL_do_handshake(con);
  1641. printf("SSL_do_handshake -> %d\n", i);
  1642. i = 0; /* 13; */
  1643. continue;
  1644. /*
  1645. * strcpy(buf,"server side RE-NEGOTIATE\n");
  1646. */
  1647. }
  1648. if ((buf[0] == 'R') && ((buf[1] == '\n') || (buf[1] == '\r'))) {
  1649. SSL_set_verify(con,
  1650. SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE,
  1651. NULL);
  1652. SSL_renegotiate(con);
  1653. i = SSL_do_handshake(con);
  1654. printf("SSL_do_handshake -> %d\n", i);
  1655. i = 0; /* 13; */
  1656. continue;
  1657. /*
  1658. * strcpy(buf,"server side RE-NEGOTIATE asking for client
  1659. * cert\n");
  1660. */
  1661. }
  1662. if (buf[0] == 'P') {
  1663. static const char *str = "Lets print some clear text\n";
  1664. BIO_write(SSL_get_wbio(con), str, strlen(str));
  1665. }
  1666. if (buf[0] == 'S') {
  1667. print_stats(bio_s_out, SSL_get_SSL_CTX(con));
  1668. }
  1669. }
  1670. #ifdef CHARSET_EBCDIC
  1671. ebcdic2ascii(buf, buf, i);
  1672. #endif
  1673. l = k = 0;
  1674. for (;;) {
  1675. /* should do a select for the write */
  1676. #ifdef RENEG
  1677. {
  1678. static count = 0;
  1679. if (++count == 100) {
  1680. count = 0;
  1681. SSL_renegotiate(con);
  1682. }
  1683. }
  1684. #endif
  1685. k = SSL_write(con, &(buf[l]), (unsigned int)i);
  1686. switch (SSL_get_error(con, k)) {
  1687. case SSL_ERROR_NONE:
  1688. break;
  1689. case SSL_ERROR_WANT_WRITE:
  1690. case SSL_ERROR_WANT_READ:
  1691. case SSL_ERROR_WANT_X509_LOOKUP:
  1692. BIO_printf(bio_s_out, "Write BLOCK\n");
  1693. break;
  1694. case SSL_ERROR_SYSCALL:
  1695. case SSL_ERROR_SSL:
  1696. BIO_printf(bio_s_out, "ERROR\n");
  1697. ERR_print_errors(bio_err);
  1698. ret = 1;
  1699. goto err;
  1700. /* break; */
  1701. case SSL_ERROR_ZERO_RETURN:
  1702. BIO_printf(bio_s_out, "DONE\n");
  1703. ret = 1;
  1704. goto err;
  1705. }
  1706. l += k;
  1707. i -= k;
  1708. if (i <= 0)
  1709. break;
  1710. }
  1711. }
  1712. if (read_from_sslcon) {
  1713. if (!SSL_is_init_finished(con)) {
  1714. i = init_ssl_connection(con);
  1715. if (i < 0) {
  1716. ret = 0;
  1717. goto err;
  1718. } else if (i == 0) {
  1719. ret = 1;
  1720. goto err;
  1721. }
  1722. } else {
  1723. again:
  1724. i = SSL_read(con, (char *)buf, bufsize);
  1725. switch (SSL_get_error(con, i)) {
  1726. case SSL_ERROR_NONE:
  1727. #ifdef CHARSET_EBCDIC
  1728. ascii2ebcdic(buf, buf, i);
  1729. #endif
  1730. if (write(fileno(stdout), buf, (unsigned int)i) != i)
  1731. goto err;
  1732. if (SSL_pending(con))
  1733. goto again;
  1734. break;
  1735. case SSL_ERROR_WANT_WRITE:
  1736. case SSL_ERROR_WANT_READ:
  1737. case SSL_ERROR_WANT_X509_LOOKUP:
  1738. BIO_printf(bio_s_out, "Read BLOCK\n");
  1739. break;
  1740. case SSL_ERROR_SYSCALL:
  1741. case SSL_ERROR_SSL:
  1742. BIO_printf(bio_s_out, "ERROR\n");
  1743. ERR_print_errors(bio_err);
  1744. ret = 1;
  1745. goto err;
  1746. case SSL_ERROR_ZERO_RETURN:
  1747. BIO_printf(bio_s_out, "DONE\n");
  1748. ret = 1;
  1749. goto err;
  1750. }
  1751. }
  1752. }
  1753. }
  1754. err:
  1755. BIO_printf(bio_s_out, "shutting down SSL\n");
  1756. #if 1
  1757. SSL_set_shutdown(con, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
  1758. #else
  1759. SSL_shutdown(con);
  1760. #endif
  1761. if (con != NULL)
  1762. SSL_free(con);
  1763. BIO_printf(bio_s_out, "CONNECTION CLOSED\n");
  1764. if (buf != NULL) {
  1765. OPENSSL_cleanse(buf, bufsize);
  1766. OPENSSL_free(buf);
  1767. }
  1768. if (ret >= 0)
  1769. BIO_printf(bio_s_out, "ACCEPT\n");
  1770. return (ret);
  1771. }
  1772. static void close_accept_socket(void)
  1773. {
  1774. BIO_printf(bio_err, "shutdown accept socket\n");
  1775. if (accept_socket >= 0) {
  1776. SHUTDOWN2(accept_socket);
  1777. }
  1778. }
  1779. static int init_ssl_connection(SSL *con)
  1780. {
  1781. int i;
  1782. const char *str;
  1783. X509 *peer;
  1784. long verify_error;
  1785. MS_STATIC char buf[BUFSIZ];
  1786. if ((i = SSL_accept(con)) <= 0) {
  1787. if (BIO_sock_should_retry(i)) {
  1788. BIO_printf(bio_s_out, "DELAY\n");
  1789. return (1);
  1790. }
  1791. BIO_printf(bio_err, "ERROR\n");
  1792. verify_error = SSL_get_verify_result(con);
  1793. if (verify_error != X509_V_OK) {
  1794. BIO_printf(bio_err, "verify error:%s\n",
  1795. X509_verify_cert_error_string(verify_error));
  1796. } else
  1797. ERR_print_errors(bio_err);
  1798. return (0);
  1799. }
  1800. PEM_write_bio_SSL_SESSION(bio_s_out, SSL_get_session(con));
  1801. peer = SSL_get_peer_certificate(con);
  1802. if (peer != NULL) {
  1803. BIO_printf(bio_s_out, "Client certificate\n");
  1804. PEM_write_bio_X509(bio_s_out, peer);
  1805. X509_NAME_oneline(X509_get_subject_name(peer), buf, sizeof buf);
  1806. BIO_printf(bio_s_out, "subject=%s\n", buf);
  1807. X509_NAME_oneline(X509_get_issuer_name(peer), buf, sizeof buf);
  1808. BIO_printf(bio_s_out, "issuer=%s\n", buf);
  1809. X509_free(peer);
  1810. }
  1811. if (SSL_get_shared_ciphers(con, buf, sizeof buf) != NULL)
  1812. BIO_printf(bio_s_out, "Shared ciphers:%s\n", buf);
  1813. str = SSL_CIPHER_get_name(SSL_get_current_cipher(con));
  1814. BIO_printf(bio_s_out, "CIPHER is %s\n", (str != NULL) ? str : "(NONE)");
  1815. if (con->hit)
  1816. BIO_printf(bio_s_out, "Reused session-id\n");
  1817. if (SSL_ctrl(con, SSL_CTRL_GET_FLAGS, 0, NULL) &
  1818. TLS1_FLAGS_TLS_PADDING_BUG)
  1819. BIO_printf(bio_s_out, "Peer has incorrect TLSv1 block padding\n");
  1820. #ifndef OPENSSL_NO_KRB5
  1821. if (con->kssl_ctx->client_princ != NULL) {
  1822. BIO_printf(bio_s_out, "Kerberos peer principal is %s\n",
  1823. con->kssl_ctx->client_princ);
  1824. }
  1825. #endif /* OPENSSL_NO_KRB5 */
  1826. BIO_printf(bio_s_out, "Secure Renegotiation IS%s supported\n",
  1827. SSL_get_secure_renegotiation_support(con) ? "" : " NOT");
  1828. return (1);
  1829. }
  1830. #ifndef OPENSSL_NO_DH
  1831. static DH *load_dh_param(const char *dhfile)
  1832. {
  1833. DH *ret = NULL;
  1834. BIO *bio;
  1835. if ((bio = BIO_new_file(dhfile, "r")) == NULL)
  1836. goto err;
  1837. ret = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
  1838. err:
  1839. if (bio != NULL)
  1840. BIO_free(bio);
  1841. return (ret);
  1842. }
  1843. #endif
  1844. #if 0
  1845. static int load_CA(SSL_CTX *ctx, char *file)
  1846. {
  1847. FILE *in;
  1848. X509 *x = NULL;
  1849. if ((in = fopen(file, "r")) == NULL)
  1850. return (0);
  1851. for (;;) {
  1852. if (PEM_read_X509(in, &x, NULL) == NULL)
  1853. break;
  1854. SSL_CTX_add_client_CA(ctx, x);
  1855. }
  1856. if (x != NULL)
  1857. X509_free(x);
  1858. fclose(in);
  1859. return (1);
  1860. }
  1861. #endif
  1862. static int www_body(char *hostname, int s, unsigned char *context)
  1863. {
  1864. char *buf = NULL;
  1865. int ret = 1;
  1866. int i, j, k, dot;
  1867. struct stat st_buf;
  1868. SSL *con;
  1869. SSL_CIPHER *c;
  1870. BIO *io, *ssl_bio, *sbio;
  1871. #ifdef RENEG
  1872. long total_bytes;
  1873. #endif
  1874. buf = OPENSSL_malloc(bufsize);
  1875. if (buf == NULL)
  1876. return (0);
  1877. io = BIO_new(BIO_f_buffer());
  1878. ssl_bio = BIO_new(BIO_f_ssl());
  1879. if ((io == NULL) || (ssl_bio == NULL))
  1880. goto err;
  1881. #ifdef FIONBIO
  1882. if (s_nbio) {
  1883. unsigned long sl = 1;
  1884. if (!s_quiet)
  1885. BIO_printf(bio_err, "turning on non blocking io\n");
  1886. if (BIO_socket_ioctl(s, FIONBIO, &sl) < 0)
  1887. ERR_print_errors(bio_err);
  1888. }
  1889. #endif
  1890. /* lets make the output buffer a reasonable size */
  1891. if (!BIO_set_write_buffer_size(io, bufsize))
  1892. goto err;
  1893. if ((con = SSL_new(ctx)) == NULL)
  1894. goto err;
  1895. #ifndef OPENSSL_NO_TLSEXT
  1896. if (s_tlsextdebug) {
  1897. SSL_set_tlsext_debug_callback(con, tlsext_cb);
  1898. SSL_set_tlsext_debug_arg(con, bio_s_out);
  1899. }
  1900. #endif
  1901. #ifndef OPENSSL_NO_KRB5
  1902. if ((con->kssl_ctx = kssl_ctx_new()) != NULL) {
  1903. kssl_ctx_setstring(con->kssl_ctx, KSSL_SERVICE, KRB5SVC);
  1904. kssl_ctx_setstring(con->kssl_ctx, KSSL_KEYTAB, KRB5KEYTAB);
  1905. }
  1906. #endif /* OPENSSL_NO_KRB5 */
  1907. if (context)
  1908. SSL_set_session_id_context(con, context, strlen((char *)context));
  1909. sbio = BIO_new_socket(s, BIO_NOCLOSE);
  1910. if (s_nbio_test) {
  1911. BIO *test;
  1912. test = BIO_new(BIO_f_nbio_test());
  1913. sbio = BIO_push(test, sbio);
  1914. }
  1915. SSL_set_bio(con, sbio, sbio);
  1916. SSL_set_accept_state(con);
  1917. /* SSL_set_fd(con,s); */
  1918. BIO_set_ssl(ssl_bio, con, BIO_CLOSE);
  1919. BIO_push(io, ssl_bio);
  1920. #ifdef CHARSET_EBCDIC
  1921. io = BIO_push(BIO_new(BIO_f_ebcdic_filter()), io);
  1922. #endif
  1923. if (s_debug) {
  1924. con->debug = 1;
  1925. BIO_set_callback(SSL_get_rbio(con), bio_dump_callback);
  1926. BIO_set_callback_arg(SSL_get_rbio(con), (char *)bio_s_out);
  1927. }
  1928. if (s_msg) {
  1929. SSL_set_msg_callback(con, msg_cb);
  1930. SSL_set_msg_callback_arg(con, bio_s_out);
  1931. }
  1932. for (;;) {
  1933. if (hack) {
  1934. i = SSL_accept(con);
  1935. switch (SSL_get_error(con, i)) {
  1936. case SSL_ERROR_NONE:
  1937. break;
  1938. case SSL_ERROR_WANT_WRITE:
  1939. case SSL_ERROR_WANT_READ:
  1940. case SSL_ERROR_WANT_X509_LOOKUP:
  1941. continue;
  1942. case SSL_ERROR_SYSCALL:
  1943. case SSL_ERROR_SSL:
  1944. case SSL_ERROR_ZERO_RETURN:
  1945. ret = 1;
  1946. goto err;
  1947. /* break; */
  1948. }
  1949. SSL_renegotiate(con);
  1950. SSL_write(con, NULL, 0);
  1951. }
  1952. i = BIO_gets(io, buf, bufsize - 1);
  1953. if (i < 0) { /* error */
  1954. if (!BIO_should_retry(io)) {
  1955. if (!s_quiet)
  1956. ERR_print_errors(bio_err);
  1957. goto err;
  1958. } else {
  1959. BIO_printf(bio_s_out, "read R BLOCK\n");
  1960. #if defined(OPENSSL_SYS_NETWARE)
  1961. delay(1000);
  1962. #elif !defined(OPENSSL_SYS_MSDOS) && !defined(__DJGPP__)
  1963. sleep(1);
  1964. #endif
  1965. continue;
  1966. }
  1967. } else if (i == 0) { /* end of input */
  1968. ret = 1;
  1969. goto end;
  1970. }
  1971. /* else we have data */
  1972. if (((www == 1) && (strncmp("GET ", buf, 4) == 0)) ||
  1973. ((www == 2) && (strncmp("GET /stats ", buf, 10) == 0))) {
  1974. char *p;
  1975. X509 *peer;
  1976. STACK_OF(SSL_CIPHER) *sk;
  1977. static const char *space = " ";
  1978. BIO_puts(io,
  1979. "HTTP/1.0 200 ok\r\nContent-type: text/html\r\n\r\n");
  1980. BIO_puts(io, "<HTML><BODY BGCOLOR=\"#ffffff\">\n");
  1981. BIO_puts(io, "<pre>\n");
  1982. /* BIO_puts(io,SSLeay_version(SSLEAY_VERSION));*/
  1983. BIO_puts(io, "\n");
  1984. for (i = 0; i < local_argc; i++) {
  1985. BIO_puts(io, local_argv[i]);
  1986. BIO_write(io, " ", 1);
  1987. }
  1988. BIO_puts(io, "\n");
  1989. /*
  1990. * The following is evil and should not really be done
  1991. */
  1992. BIO_printf(io, "Ciphers supported in s_server binary\n");
  1993. sk = SSL_get_ciphers(con);
  1994. j = sk_SSL_CIPHER_num(sk);
  1995. for (i = 0; i < j; i++) {
  1996. c = sk_SSL_CIPHER_value(sk, i);
  1997. BIO_printf(io, "%-11s:%-25s",
  1998. SSL_CIPHER_get_version(c), SSL_CIPHER_get_name(c));
  1999. if ((((i + 1) % 2) == 0) && (i + 1 != j))
  2000. BIO_puts(io, "\n");
  2001. }
  2002. BIO_puts(io, "\n");
  2003. p = SSL_get_shared_ciphers(con, buf, bufsize);
  2004. if (p != NULL) {
  2005. BIO_printf(io,
  2006. "---\nCiphers common between both SSL end points:\n");
  2007. j = i = 0;
  2008. while (*p) {
  2009. if (*p == ':') {
  2010. BIO_write(io, space, 26 - j);
  2011. i++;
  2012. j = 0;
  2013. BIO_write(io, ((i % 3) ? " " : "\n"), 1);
  2014. } else {
  2015. BIO_write(io, p, 1);
  2016. j++;
  2017. }
  2018. p++;
  2019. }
  2020. BIO_puts(io, "\n");
  2021. }
  2022. BIO_printf(io, ((con->hit)
  2023. ? "---\nReused, " : "---\nNew, "));
  2024. c = SSL_get_current_cipher(con);
  2025. BIO_printf(io, "%s, Cipher is %s\n",
  2026. SSL_CIPHER_get_version(c), SSL_CIPHER_get_name(c));
  2027. SSL_SESSION_print(io, SSL_get_session(con));
  2028. BIO_printf(io, "---\n");
  2029. print_stats(io, SSL_get_SSL_CTX(con));
  2030. BIO_printf(io, "---\n");
  2031. peer = SSL_get_peer_certificate(con);
  2032. if (peer != NULL) {
  2033. BIO_printf(io, "Client certificate\n");
  2034. X509_print(io, peer);
  2035. PEM_write_bio_X509(io, peer);
  2036. } else
  2037. BIO_puts(io, "no client certificate available\n");
  2038. BIO_puts(io, "</BODY></HTML>\r\n\r\n");
  2039. break;
  2040. } else if ((www == 2 || www == 3)
  2041. && (strncmp("GET /", buf, 5) == 0)) {
  2042. BIO *file;
  2043. char *p, *e;
  2044. static const char *text =
  2045. "HTTP/1.0 200 ok\r\nContent-type: text/plain\r\n\r\n";
  2046. /* skip the '/' */
  2047. p = &(buf[5]);
  2048. dot = 1;
  2049. for (e = p; *e != '\0'; e++) {
  2050. if (e[0] == ' ')
  2051. break;
  2052. switch (dot) {
  2053. case 1:
  2054. dot = (e[0] == '.') ? 2 : 0;
  2055. break;
  2056. case 2:
  2057. dot = (e[0] == '.') ? 3 : 0;
  2058. break;
  2059. case 3:
  2060. dot = (e[0] == '/') ? -1 : 0;
  2061. break;
  2062. }
  2063. if (dot == 0)
  2064. dot = (e[0] == '/') ? 1 : 0;
  2065. }
  2066. dot = (dot == 3) || (dot == -1); /* filename contains ".."
  2067. * component */
  2068. if (*e == '\0') {
  2069. BIO_puts(io, text);
  2070. BIO_printf(io, "'%s' is an invalid file name\r\n", p);
  2071. break;
  2072. }
  2073. *e = '\0';
  2074. if (dot) {
  2075. BIO_puts(io, text);
  2076. BIO_printf(io, "'%s' contains '..' reference\r\n", p);
  2077. break;
  2078. }
  2079. if (*p == '/') {
  2080. BIO_puts(io, text);
  2081. BIO_printf(io, "'%s' is an invalid path\r\n", p);
  2082. break;
  2083. }
  2084. #if 0
  2085. /* append if a directory lookup */
  2086. if (e[-1] == '/')
  2087. strcat(p, "index.html");
  2088. #endif
  2089. /* if a directory, do the index thang */
  2090. if (stat(p, &st_buf) < 0) {
  2091. BIO_puts(io, text);
  2092. BIO_printf(io, "Error accessing '%s'\r\n", p);
  2093. ERR_print_errors(io);
  2094. break;
  2095. }
  2096. if (S_ISDIR(st_buf.st_mode)) {
  2097. #if 0 /* must check buffer size */
  2098. strcat(p, "/index.html");
  2099. #else
  2100. BIO_puts(io, text);
  2101. BIO_printf(io, "'%s' is a directory\r\n", p);
  2102. break;
  2103. #endif
  2104. }
  2105. if ((file = BIO_new_file(p, "r")) == NULL) {
  2106. BIO_puts(io, text);
  2107. BIO_printf(io, "Error opening '%s'\r\n", p);
  2108. ERR_print_errors(io);
  2109. break;
  2110. }
  2111. if (!s_quiet)
  2112. BIO_printf(bio_err, "FILE:%s\n", p);
  2113. if (www == 2) {
  2114. i = strlen(p);
  2115. if (((i > 5) && (strcmp(&(p[i - 5]), ".html") == 0)) ||
  2116. ((i > 4) && (strcmp(&(p[i - 4]), ".php") == 0)) ||
  2117. ((i > 4) && (strcmp(&(p[i - 4]), ".htm") == 0)))
  2118. BIO_puts(io,
  2119. "HTTP/1.0 200 ok\r\nContent-type: text/html\r\n\r\n");
  2120. else
  2121. BIO_puts(io,
  2122. "HTTP/1.0 200 ok\r\nContent-type: text/plain\r\n\r\n");
  2123. }
  2124. /* send the file */
  2125. #ifdef RENEG
  2126. total_bytes = 0;
  2127. #endif
  2128. for (;;) {
  2129. i = BIO_read(file, buf, bufsize);
  2130. if (i <= 0)
  2131. break;
  2132. #ifdef RENEG
  2133. total_bytes += i;
  2134. fprintf(stderr, "%d\n", i);
  2135. if (total_bytes > 3 * 1024) {
  2136. total_bytes = 0;
  2137. fprintf(stderr, "RENEGOTIATE\n");
  2138. SSL_renegotiate(con);
  2139. }
  2140. #endif
  2141. for (j = 0; j < i;) {
  2142. #ifdef RENEG
  2143. {
  2144. static count = 0;
  2145. if (++count == 13) {
  2146. SSL_renegotiate(con);
  2147. }
  2148. }
  2149. #endif
  2150. k = BIO_write(io, &(buf[j]), i - j);
  2151. if (k <= 0) {
  2152. if (!BIO_should_retry(io))
  2153. goto write_error;
  2154. else {
  2155. BIO_printf(bio_s_out, "rwrite W BLOCK\n");
  2156. }
  2157. } else {
  2158. j += k;
  2159. }
  2160. }
  2161. }
  2162. write_error:
  2163. BIO_free(file);
  2164. break;
  2165. }
  2166. }
  2167. for (;;) {
  2168. i = (int)BIO_flush(io);
  2169. if (i <= 0) {
  2170. if (!BIO_should_retry(io))
  2171. break;
  2172. } else
  2173. break;
  2174. }
  2175. end:
  2176. #if 1
  2177. /* make sure we re-use sessions */
  2178. SSL_set_shutdown(con, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
  2179. #else
  2180. /* This kills performance */
  2181. /*
  2182. * SSL_shutdown(con); A shutdown gets sent in the BIO_free_all(io)
  2183. * procession
  2184. */
  2185. #endif
  2186. err:
  2187. if (ret >= 0)
  2188. BIO_printf(bio_s_out, "ACCEPT\n");
  2189. if (buf != NULL)
  2190. OPENSSL_free(buf);
  2191. if (io != NULL)
  2192. BIO_free_all(io);
  2193. /* if (ssl_bio != NULL) BIO_free(ssl_bio);*/
  2194. return (ret);
  2195. }
  2196. #ifndef OPENSSL_NO_RSA
  2197. static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength)
  2198. {
  2199. BIGNUM *bn = NULL;
  2200. static RSA *rsa_tmp = NULL;
  2201. if (!rsa_tmp && ((bn = BN_new()) == NULL))
  2202. BIO_printf(bio_err, "Allocation error in generating RSA key\n");
  2203. if (!rsa_tmp && bn) {
  2204. if (!s_quiet) {
  2205. BIO_printf(bio_err, "Generating temp (%d bit) RSA key...",
  2206. keylength);
  2207. (void)BIO_flush(bio_err);
  2208. }
  2209. if (!BN_set_word(bn, RSA_F4) || ((rsa_tmp = RSA_new()) == NULL) ||
  2210. !RSA_generate_key_ex(rsa_tmp, keylength, bn, NULL)) {
  2211. if (rsa_tmp)
  2212. RSA_free(rsa_tmp);
  2213. rsa_tmp = NULL;
  2214. }
  2215. if (!s_quiet) {
  2216. BIO_printf(bio_err, "\n");
  2217. (void)BIO_flush(bio_err);
  2218. }
  2219. BN_free(bn);
  2220. }
  2221. return (rsa_tmp);
  2222. }
  2223. #endif
  2224. #define MAX_SESSION_ID_ATTEMPTS 10
  2225. static int generate_session_id(const SSL *ssl, unsigned char *id,
  2226. unsigned int *id_len)
  2227. {
  2228. unsigned int count = 0;
  2229. do {
  2230. RAND_pseudo_bytes(id, *id_len);
  2231. /*
  2232. * Prefix the session_id with the required prefix. NB: If our prefix
  2233. * is too long, clip it - but there will be worse effects anyway, eg.
  2234. * the server could only possibly create 1 session ID (ie. the
  2235. * prefix!) so all future session negotiations will fail due to
  2236. * conflicts.
  2237. */
  2238. memcpy(id, session_id_prefix,
  2239. (strlen(session_id_prefix) < *id_len) ?
  2240. strlen(session_id_prefix) : *id_len);
  2241. }
  2242. while (SSL_has_matching_session_id(ssl, id, *id_len) &&
  2243. (++count < MAX_SESSION_ID_ATTEMPTS));
  2244. if (count >= MAX_SESSION_ID_ATTEMPTS)
  2245. return 0;
  2246. return 1;
  2247. }