Alexandre Savard | 1b09e31 | 2012-08-07 20:33:29 -0400 | [diff] [blame] | 1 | /* apps/s_server.c */ |
| 2 | /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) |
| 3 | * All rights reserved. |
| 4 | * |
| 5 | * This package is an SSL implementation written |
| 6 | * by Eric Young (eay@cryptsoft.com). |
| 7 | * The implementation was written so as to conform with Netscapes SSL. |
| 8 | * |
| 9 | * This library is free for commercial and non-commercial use as long as |
| 10 | * the following conditions are aheared to. The following conditions |
| 11 | * apply to all code found in this distribution, be it the RC4, RSA, |
| 12 | * lhash, DES, etc., code; not just the SSL code. The SSL documentation |
| 13 | * included with this distribution is covered by the same copyright terms |
| 14 | * except that the holder is Tim Hudson (tjh@cryptsoft.com). |
| 15 | * |
| 16 | * Copyright remains Eric Young's, and as such any Copyright notices in |
| 17 | * the code are not to be removed. |
| 18 | * If this package is used in a product, Eric Young should be given attribution |
| 19 | * as the author of the parts of the library used. |
| 20 | * This can be in the form of a textual message at program startup or |
| 21 | * in documentation (online or textual) provided with the package. |
| 22 | * |
| 23 | * Redistribution and use in source and binary forms, with or without |
| 24 | * modification, are permitted provided that the following conditions |
| 25 | * are met: |
| 26 | * 1. Redistributions of source code must retain the copyright |
| 27 | * notice, this list of conditions and the following disclaimer. |
| 28 | * 2. Redistributions in binary form must reproduce the above copyright |
| 29 | * notice, this list of conditions and the following disclaimer in the |
| 30 | * documentation and/or other materials provided with the distribution. |
| 31 | * 3. All advertising materials mentioning features or use of this software |
| 32 | * must display the following acknowledgement: |
| 33 | * "This product includes cryptographic software written by |
| 34 | * Eric Young (eay@cryptsoft.com)" |
| 35 | * The word 'cryptographic' can be left out if the rouines from the library |
| 36 | * being used are not cryptographic related :-). |
| 37 | * 4. If you include any Windows specific code (or a derivative thereof) from |
| 38 | * the apps directory (application code) you must include an acknowledgement: |
| 39 | * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" |
| 40 | * |
| 41 | * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND |
| 42 | * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
| 43 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE |
| 44 | * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE |
| 45 | * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL |
| 46 | * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS |
| 47 | * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
| 48 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT |
| 49 | * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY |
| 50 | * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF |
| 51 | * SUCH DAMAGE. |
| 52 | * |
| 53 | * The licence and distribution terms for any publically available version or |
| 54 | * derivative of this code cannot be changed. i.e. this code cannot simply be |
| 55 | * copied and put under another distribution licence |
| 56 | * [including the GNU Public Licence.] |
| 57 | */ |
| 58 | /* ==================================================================== |
| 59 | * Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved. |
| 60 | * |
| 61 | * Redistribution and use in source and binary forms, with or without |
| 62 | * modification, are permitted provided that the following conditions |
| 63 | * are met: |
| 64 | * |
| 65 | * 1. Redistributions of source code must retain the above copyright |
| 66 | * notice, this list of conditions and the following disclaimer. |
| 67 | * |
| 68 | * 2. Redistributions in binary form must reproduce the above copyright |
| 69 | * notice, this list of conditions and the following disclaimer in |
| 70 | * the documentation and/or other materials provided with the |
| 71 | * distribution. |
| 72 | * |
| 73 | * 3. All advertising materials mentioning features or use of this |
| 74 | * software must display the following acknowledgment: |
| 75 | * "This product includes software developed by the OpenSSL Project |
| 76 | * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" |
| 77 | * |
| 78 | * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to |
| 79 | * endorse or promote products derived from this software without |
| 80 | * prior written permission. For written permission, please contact |
| 81 | * openssl-core@openssl.org. |
| 82 | * |
| 83 | * 5. Products derived from this software may not be called "OpenSSL" |
| 84 | * nor may "OpenSSL" appear in their names without prior written |
| 85 | * permission of the OpenSSL Project. |
| 86 | * |
| 87 | * 6. Redistributions of any form whatsoever must retain the following |
| 88 | * acknowledgment: |
| 89 | * "This product includes software developed by the OpenSSL Project |
| 90 | * for use in the OpenSSL Toolkit (http://www.openssl.org/)" |
| 91 | * |
| 92 | * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY |
| 93 | * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE |
| 94 | * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR |
| 95 | * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR |
| 96 | * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, |
| 97 | * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT |
| 98 | * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; |
| 99 | * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) |
| 100 | * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, |
| 101 | * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) |
| 102 | * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED |
| 103 | * OF THE POSSIBILITY OF SUCH DAMAGE. |
| 104 | * ==================================================================== |
| 105 | * |
| 106 | * This product includes cryptographic software written by Eric Young |
| 107 | * (eay@cryptsoft.com). This product includes software written by Tim |
| 108 | * Hudson (tjh@cryptsoft.com). |
| 109 | * |
| 110 | */ |
| 111 | /* ==================================================================== |
| 112 | * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. |
| 113 | * ECC cipher suite support in OpenSSL originally developed by |
| 114 | * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. |
| 115 | */ |
| 116 | /* ==================================================================== |
| 117 | * Copyright 2005 Nokia. All rights reserved. |
| 118 | * |
| 119 | * The portions of the attached software ("Contribution") is developed by |
| 120 | * Nokia Corporation and is licensed pursuant to the OpenSSL open source |
| 121 | * license. |
| 122 | * |
| 123 | * The Contribution, originally written by Mika Kousa and Pasi Eronen of |
| 124 | * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites |
| 125 | * support (see RFC 4279) to OpenSSL. |
| 126 | * |
| 127 | * No patent licenses or other rights except those expressly stated in |
| 128 | * the OpenSSL open source license shall be deemed granted or received |
| 129 | * expressly, by implication, estoppel, or otherwise. |
| 130 | * |
| 131 | * No assurances are provided by Nokia that the Contribution does not |
| 132 | * infringe the patent or other intellectual property rights of any third |
| 133 | * party or that the license provides you with all the necessary rights |
| 134 | * to make use of the Contribution. |
| 135 | * |
| 136 | * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN |
| 137 | * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA |
| 138 | * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY |
| 139 | * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR |
| 140 | * OTHERWISE. |
| 141 | */ |
| 142 | |
| 143 | /* Until the key-gen callbacks are modified to use newer prototypes, we allow |
| 144 | * deprecated functions for openssl-internal code */ |
| 145 | #ifdef OPENSSL_NO_DEPRECATED |
| 146 | #undef OPENSSL_NO_DEPRECATED |
| 147 | #endif |
| 148 | |
| 149 | #include <assert.h> |
| 150 | #include <ctype.h> |
| 151 | #include <stdio.h> |
| 152 | #include <stdlib.h> |
| 153 | #include <string.h> |
| 154 | |
| 155 | #include <openssl/e_os2.h> |
| 156 | #ifdef OPENSSL_NO_STDIO |
| 157 | #define APPS_WIN16 |
| 158 | #endif |
| 159 | |
| 160 | #if !defined(OPENSSL_SYS_NETWARE) /* conflicts with winsock2 stuff on netware */ |
| 161 | #include <sys/types.h> |
| 162 | #endif |
| 163 | |
| 164 | /* With IPv6, it looks like Digital has mixed up the proper order of |
| 165 | recursive header file inclusion, resulting in the compiler complaining |
| 166 | that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which |
| 167 | is needed to have fileno() declared correctly... So let's define u_int */ |
| 168 | #if defined(OPENSSL_SYS_VMS_DECC) && !defined(__U_INT) |
| 169 | #define __U_INT |
| 170 | typedef unsigned int u_int; |
| 171 | #endif |
| 172 | |
| 173 | #include <openssl/lhash.h> |
| 174 | #include <openssl/bn.h> |
| 175 | #define USE_SOCKETS |
| 176 | #include "apps.h" |
| 177 | #include <openssl/err.h> |
| 178 | #include <openssl/pem.h> |
| 179 | #include <openssl/x509.h> |
| 180 | #include <openssl/ssl.h> |
| 181 | #include <openssl/rand.h> |
| 182 | #include <openssl/ocsp.h> |
| 183 | #ifndef OPENSSL_NO_DH |
| 184 | #include <openssl/dh.h> |
| 185 | #endif |
| 186 | #ifndef OPENSSL_NO_RSA |
| 187 | #include <openssl/rsa.h> |
| 188 | #endif |
| 189 | #ifndef OPENSSL_NO_SRP |
| 190 | #include <openssl/srp.h> |
| 191 | #endif |
| 192 | #include "s_apps.h" |
| 193 | #include "timeouts.h" |
| 194 | |
| 195 | #if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000) |
| 196 | /* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */ |
| 197 | #undef FIONBIO |
| 198 | #endif |
| 199 | |
| 200 | #if defined(OPENSSL_SYS_BEOS_R5) |
| 201 | #include <fcntl.h> |
| 202 | #endif |
| 203 | |
| 204 | #ifndef OPENSSL_NO_RSA |
| 205 | static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength); |
| 206 | #endif |
| 207 | static int sv_body(char *hostname, int s, unsigned char *context); |
| 208 | static int www_body(char *hostname, int s, unsigned char *context); |
| 209 | static void close_accept_socket(void ); |
| 210 | static void sv_usage(void); |
| 211 | static int init_ssl_connection(SSL *s); |
| 212 | static void print_stats(BIO *bp,SSL_CTX *ctx); |
| 213 | static int generate_session_id(const SSL *ssl, unsigned char *id, |
| 214 | unsigned int *id_len); |
| 215 | #ifndef OPENSSL_NO_DH |
| 216 | static DH *load_dh_param(const char *dhfile); |
| 217 | static DH *get_dh512(void); |
| 218 | #endif |
| 219 | |
| 220 | #ifdef MONOLITH |
| 221 | static void s_server_init(void); |
| 222 | #endif |
| 223 | |
| 224 | #ifndef OPENSSL_NO_DH |
| 225 | static unsigned char dh512_p[]={ |
| 226 | 0xDA,0x58,0x3C,0x16,0xD9,0x85,0x22,0x89,0xD0,0xE4,0xAF,0x75, |
| 227 | 0x6F,0x4C,0xCA,0x92,0xDD,0x4B,0xE5,0x33,0xB8,0x04,0xFB,0x0F, |
| 228 | 0xED,0x94,0xEF,0x9C,0x8A,0x44,0x03,0xED,0x57,0x46,0x50,0xD3, |
| 229 | 0x69,0x99,0xDB,0x29,0xD7,0x76,0x27,0x6B,0xA2,0xD3,0xD4,0x12, |
| 230 | 0xE2,0x18,0xF4,0xDD,0x1E,0x08,0x4C,0xF6,0xD8,0x00,0x3E,0x7C, |
| 231 | 0x47,0x74,0xE8,0x33, |
| 232 | }; |
| 233 | static unsigned char dh512_g[]={ |
| 234 | 0x02, |
| 235 | }; |
| 236 | |
| 237 | static DH *get_dh512(void) |
| 238 | { |
| 239 | DH *dh=NULL; |
| 240 | |
| 241 | if ((dh=DH_new()) == NULL) return(NULL); |
| 242 | dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL); |
| 243 | dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL); |
| 244 | if ((dh->p == NULL) || (dh->g == NULL)) |
| 245 | return(NULL); |
| 246 | return(dh); |
| 247 | } |
| 248 | #endif |
| 249 | |
| 250 | |
| 251 | /* static int load_CA(SSL_CTX *ctx, char *file);*/ |
| 252 | |
| 253 | #undef BUFSIZZ |
| 254 | #define BUFSIZZ 16*1024 |
| 255 | static int bufsize=BUFSIZZ; |
| 256 | static int accept_socket= -1; |
| 257 | |
| 258 | #define TEST_CERT "server.pem" |
| 259 | #ifndef OPENSSL_NO_TLSEXT |
| 260 | #define TEST_CERT2 "server2.pem" |
| 261 | #endif |
| 262 | #undef PROG |
| 263 | #define PROG s_server_main |
| 264 | |
| 265 | extern int verify_depth, verify_return_error; |
| 266 | |
| 267 | static char *cipher=NULL; |
| 268 | static int s_server_verify=SSL_VERIFY_NONE; |
| 269 | static int s_server_session_id_context = 1; /* anything will do */ |
| 270 | static const char *s_cert_file=TEST_CERT,*s_key_file=NULL; |
| 271 | #ifndef OPENSSL_NO_TLSEXT |
| 272 | static const char *s_cert_file2=TEST_CERT2,*s_key_file2=NULL; |
| 273 | #endif |
| 274 | static char *s_dcert_file=NULL,*s_dkey_file=NULL; |
| 275 | #ifdef FIONBIO |
| 276 | static int s_nbio=0; |
| 277 | #endif |
| 278 | static int s_nbio_test=0; |
| 279 | int s_crlf=0; |
| 280 | static SSL_CTX *ctx=NULL; |
| 281 | #ifndef OPENSSL_NO_TLSEXT |
| 282 | static SSL_CTX *ctx2=NULL; |
| 283 | #endif |
| 284 | static int www=0; |
| 285 | |
| 286 | static BIO *bio_s_out=NULL; |
| 287 | static int s_debug=0; |
| 288 | #ifndef OPENSSL_NO_TLSEXT |
| 289 | static int s_tlsextdebug=0; |
| 290 | static int s_tlsextstatus=0; |
| 291 | static int cert_status_cb(SSL *s, void *arg); |
| 292 | #endif |
| 293 | static int s_msg=0; |
| 294 | static int s_quiet=0; |
| 295 | |
| 296 | static char *keymatexportlabel=NULL; |
| 297 | static int keymatexportlen=20; |
| 298 | |
| 299 | static int hack=0; |
| 300 | #ifndef OPENSSL_NO_ENGINE |
| 301 | static char *engine_id=NULL; |
| 302 | #endif |
| 303 | static const char *session_id_prefix=NULL; |
| 304 | |
| 305 | static int enable_timeouts = 0; |
| 306 | static long socket_mtu; |
| 307 | #ifndef OPENSSL_NO_DTLS1 |
| 308 | static int cert_chain = 0; |
| 309 | #endif |
| 310 | |
| 311 | |
| 312 | #ifndef OPENSSL_NO_PSK |
| 313 | static char *psk_identity="Client_identity"; |
| 314 | char *psk_key=NULL; /* by default PSK is not used */ |
| 315 | |
| 316 | static unsigned int psk_server_cb(SSL *ssl, const char *identity, |
| 317 | unsigned char *psk, unsigned int max_psk_len) |
| 318 | { |
| 319 | unsigned int psk_len = 0; |
| 320 | int ret; |
| 321 | BIGNUM *bn = NULL; |
| 322 | |
| 323 | if (s_debug) |
| 324 | BIO_printf(bio_s_out,"psk_server_cb\n"); |
| 325 | if (!identity) |
| 326 | { |
| 327 | BIO_printf(bio_err,"Error: client did not send PSK identity\n"); |
| 328 | goto out_err; |
| 329 | } |
| 330 | if (s_debug) |
| 331 | BIO_printf(bio_s_out,"identity_len=%d identity=%s\n", |
| 332 | identity ? (int)strlen(identity) : 0, identity); |
| 333 | |
| 334 | /* here we could lookup the given identity e.g. from a database */ |
| 335 | if (strcmp(identity, psk_identity) != 0) |
| 336 | { |
| 337 | BIO_printf(bio_s_out, "PSK error: client identity not found" |
| 338 | " (got '%s' expected '%s')\n", identity, |
| 339 | psk_identity); |
| 340 | goto out_err; |
| 341 | } |
| 342 | if (s_debug) |
| 343 | BIO_printf(bio_s_out, "PSK client identity found\n"); |
| 344 | |
| 345 | /* convert the PSK key to binary */ |
| 346 | ret = BN_hex2bn(&bn, psk_key); |
| 347 | if (!ret) |
| 348 | { |
| 349 | BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", psk_key); |
| 350 | if (bn) |
| 351 | BN_free(bn); |
| 352 | return 0; |
| 353 | } |
| 354 | if (BN_num_bytes(bn) > (int)max_psk_len) |
| 355 | { |
| 356 | BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n", |
| 357 | max_psk_len, BN_num_bytes(bn)); |
| 358 | BN_free(bn); |
| 359 | return 0; |
| 360 | } |
| 361 | |
| 362 | ret = BN_bn2bin(bn, psk); |
| 363 | BN_free(bn); |
| 364 | |
| 365 | if (ret < 0) |
| 366 | goto out_err; |
| 367 | psk_len = (unsigned int)ret; |
| 368 | |
| 369 | if (s_debug) |
| 370 | BIO_printf(bio_s_out, "fetched PSK len=%d\n", psk_len); |
| 371 | return psk_len; |
| 372 | out_err: |
| 373 | if (s_debug) |
| 374 | BIO_printf(bio_err, "Error in PSK server callback\n"); |
| 375 | return 0; |
| 376 | } |
| 377 | #endif |
| 378 | |
| 379 | #ifndef OPENSSL_NO_SRP |
| 380 | /* This is a context that we pass to callbacks */ |
| 381 | typedef struct srpsrvparm_st |
| 382 | { |
| 383 | char *login; |
| 384 | SRP_VBASE *vb; |
| 385 | SRP_user_pwd *user; |
| 386 | } srpsrvparm; |
| 387 | |
| 388 | /* This callback pretends to require some asynchronous logic in order to obtain |
| 389 | a verifier. When the callback is called for a new connection we return |
| 390 | with a negative value. This will provoke the accept etc to return with |
| 391 | an LOOKUP_X509. The main logic of the reinvokes the suspended call |
| 392 | (which would normally occur after a worker has finished) and we |
| 393 | set the user parameters. |
| 394 | */ |
| 395 | static int MS_CALLBACK ssl_srp_server_param_cb(SSL *s, int *ad, void *arg) |
| 396 | { |
| 397 | srpsrvparm *p = (srpsrvparm *)arg; |
| 398 | if (p->login == NULL && p->user == NULL ) |
| 399 | { |
| 400 | p->login = SSL_get_srp_username(s); |
| 401 | BIO_printf(bio_err, "SRP username = \"%s\"\n", p->login); |
| 402 | return (-1) ; |
| 403 | } |
| 404 | |
| 405 | if (p->user == NULL) |
| 406 | { |
| 407 | BIO_printf(bio_err, "User %s doesn't exist\n", p->login); |
| 408 | return SSL3_AL_FATAL; |
| 409 | } |
| 410 | if (SSL_set_srp_server_param(s, p->user->N, p->user->g, p->user->s, p->user->v, |
| 411 | p->user->info) < 0) |
| 412 | { |
| 413 | *ad = SSL_AD_INTERNAL_ERROR; |
| 414 | return SSL3_AL_FATAL; |
| 415 | } |
| 416 | BIO_printf(bio_err, "SRP parameters set: username = \"%s\" info=\"%s\" \n", p->login,p->user->info); |
| 417 | /* need to check whether there are memory leaks */ |
| 418 | p->user = NULL; |
| 419 | p->login = NULL; |
| 420 | return SSL_ERROR_NONE; |
| 421 | } |
| 422 | |
| 423 | #endif |
| 424 | |
| 425 | #ifdef MONOLITH |
| 426 | static void s_server_init(void) |
| 427 | { |
| 428 | accept_socket=-1; |
| 429 | cipher=NULL; |
| 430 | s_server_verify=SSL_VERIFY_NONE; |
| 431 | s_dcert_file=NULL; |
| 432 | s_dkey_file=NULL; |
| 433 | s_cert_file=TEST_CERT; |
| 434 | s_key_file=NULL; |
| 435 | #ifndef OPENSSL_NO_TLSEXT |
| 436 | s_cert_file2=TEST_CERT2; |
| 437 | s_key_file2=NULL; |
| 438 | ctx2=NULL; |
| 439 | #endif |
| 440 | #ifdef FIONBIO |
| 441 | s_nbio=0; |
| 442 | #endif |
| 443 | s_nbio_test=0; |
| 444 | ctx=NULL; |
| 445 | www=0; |
| 446 | |
| 447 | bio_s_out=NULL; |
| 448 | s_debug=0; |
| 449 | s_msg=0; |
| 450 | s_quiet=0; |
| 451 | hack=0; |
| 452 | #ifndef OPENSSL_NO_ENGINE |
| 453 | engine_id=NULL; |
| 454 | #endif |
| 455 | } |
| 456 | #endif |
| 457 | |
| 458 | static void sv_usage(void) |
| 459 | { |
| 460 | BIO_printf(bio_err,"usage: s_server [args ...]\n"); |
| 461 | BIO_printf(bio_err,"\n"); |
| 462 | BIO_printf(bio_err," -accept arg - port to accept on (default is %d)\n",PORT); |
| 463 | BIO_printf(bio_err," -context arg - set session ID context\n"); |
| 464 | BIO_printf(bio_err," -verify arg - turn on peer certificate verification\n"); |
| 465 | BIO_printf(bio_err," -Verify arg - turn on peer certificate verification, must have a cert.\n"); |
| 466 | BIO_printf(bio_err," -cert arg - certificate file to use\n"); |
| 467 | BIO_printf(bio_err," (default is %s)\n",TEST_CERT); |
| 468 | BIO_printf(bio_err," -crl_check - check the peer certificate has not been revoked by its CA.\n" \ |
| 469 | " The CRL(s) are appended to the certificate file\n"); |
| 470 | BIO_printf(bio_err," -crl_check_all - check the peer certificate has not been revoked by its CA\n" \ |
| 471 | " or any other CRL in the CA chain. CRL(s) are appened to the\n" \ |
| 472 | " the certificate file.\n"); |
| 473 | BIO_printf(bio_err," -certform arg - certificate format (PEM or DER) PEM default\n"); |
| 474 | BIO_printf(bio_err," -key arg - Private Key file to use, in cert file if\n"); |
| 475 | BIO_printf(bio_err," not specified (default is %s)\n",TEST_CERT); |
| 476 | BIO_printf(bio_err," -keyform arg - key format (PEM, DER or ENGINE) PEM default\n"); |
| 477 | BIO_printf(bio_err," -pass arg - private key file pass phrase source\n"); |
| 478 | BIO_printf(bio_err," -dcert arg - second certificate file to use (usually for DSA)\n"); |
| 479 | BIO_printf(bio_err," -dcertform x - second certificate format (PEM or DER) PEM default\n"); |
| 480 | BIO_printf(bio_err," -dkey arg - second private key file to use (usually for DSA)\n"); |
| 481 | BIO_printf(bio_err," -dkeyform arg - second key format (PEM, DER or ENGINE) PEM default\n"); |
| 482 | BIO_printf(bio_err," -dpass arg - second private key file pass phrase source\n"); |
| 483 | BIO_printf(bio_err," -dhparam arg - DH parameter file to use, in cert file if not specified\n"); |
| 484 | BIO_printf(bio_err," or a default set of parameters is used\n"); |
| 485 | #ifndef OPENSSL_NO_ECDH |
| 486 | BIO_printf(bio_err," -named_curve arg - Elliptic curve name to use for ephemeral ECDH keys.\n" \ |
| 487 | " Use \"openssl ecparam -list_curves\" for all names\n" \ |
| 488 | " (default is nistp256).\n"); |
| 489 | #endif |
| 490 | #ifdef FIONBIO |
| 491 | BIO_printf(bio_err," -nbio - Run with non-blocking IO\n"); |
| 492 | #endif |
| 493 | BIO_printf(bio_err," -nbio_test - test with the non-blocking test bio\n"); |
| 494 | BIO_printf(bio_err," -crlf - convert LF from terminal into CRLF\n"); |
| 495 | BIO_printf(bio_err," -debug - Print more output\n"); |
| 496 | BIO_printf(bio_err," -msg - Show protocol messages\n"); |
| 497 | BIO_printf(bio_err," -state - Print the SSL states\n"); |
| 498 | BIO_printf(bio_err," -CApath arg - PEM format directory of CA's\n"); |
| 499 | BIO_printf(bio_err," -CAfile arg - PEM format file of CA's\n"); |
| 500 | BIO_printf(bio_err," -nocert - Don't use any certificates (Anon-DH)\n"); |
| 501 | BIO_printf(bio_err," -cipher arg - play with 'openssl ciphers' to see what goes here\n"); |
| 502 | BIO_printf(bio_err," -serverpref - Use server's cipher preferences\n"); |
| 503 | BIO_printf(bio_err," -quiet - No server output\n"); |
| 504 | BIO_printf(bio_err," -no_tmp_rsa - Do not generate a tmp RSA key\n"); |
| 505 | #ifndef OPENSSL_NO_PSK |
| 506 | BIO_printf(bio_err," -psk_hint arg - PSK identity hint to use\n"); |
| 507 | BIO_printf(bio_err," -psk arg - PSK in hex (without 0x)\n"); |
| 508 | # ifndef OPENSSL_NO_JPAKE |
| 509 | BIO_printf(bio_err," -jpake arg - JPAKE secret to use\n"); |
| 510 | # endif |
| 511 | #endif |
| 512 | #ifndef OPENSSL_NO_SRP |
| 513 | BIO_printf(bio_err," -srpvfile file - The verifier file for SRP\n"); |
| 514 | BIO_printf(bio_err," -srpuserseed string - A seed string for a default user salt.\n"); |
| 515 | #endif |
| 516 | BIO_printf(bio_err," -ssl2 - Just talk SSLv2\n"); |
| 517 | BIO_printf(bio_err," -ssl3 - Just talk SSLv3\n"); |
| 518 | BIO_printf(bio_err," -tls1_2 - Just talk TLSv1.2\n"); |
| 519 | BIO_printf(bio_err," -tls1_1 - Just talk TLSv1.1\n"); |
| 520 | BIO_printf(bio_err," -tls1 - Just talk TLSv1\n"); |
| 521 | BIO_printf(bio_err," -dtls1 - Just talk DTLSv1\n"); |
| 522 | BIO_printf(bio_err," -timeout - Enable timeouts\n"); |
| 523 | BIO_printf(bio_err," -mtu - Set link layer MTU\n"); |
| 524 | BIO_printf(bio_err," -chain - Read a certificate chain\n"); |
| 525 | BIO_printf(bio_err," -no_ssl2 - Just disable SSLv2\n"); |
| 526 | BIO_printf(bio_err," -no_ssl3 - Just disable SSLv3\n"); |
| 527 | BIO_printf(bio_err," -no_tls1 - Just disable TLSv1\n"); |
| 528 | BIO_printf(bio_err," -no_tls1_1 - Just disable TLSv1.1\n"); |
| 529 | BIO_printf(bio_err," -no_tls1_2 - Just disable TLSv1.2\n"); |
| 530 | #ifndef OPENSSL_NO_DH |
| 531 | BIO_printf(bio_err," -no_dhe - Disable ephemeral DH\n"); |
| 532 | #endif |
| 533 | #ifndef OPENSSL_NO_ECDH |
| 534 | BIO_printf(bio_err," -no_ecdhe - Disable ephemeral ECDH\n"); |
| 535 | #endif |
| 536 | BIO_printf(bio_err," -bugs - Turn on SSL bug compatibility\n"); |
| 537 | BIO_printf(bio_err," -www - Respond to a 'GET /' with a status page\n"); |
| 538 | BIO_printf(bio_err," -WWW - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>\n"); |
| 539 | BIO_printf(bio_err," -HTTP - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>\n"); |
| 540 | BIO_printf(bio_err," with the assumption it contains a complete HTTP response.\n"); |
| 541 | #ifndef OPENSSL_NO_ENGINE |
| 542 | BIO_printf(bio_err," -engine id - Initialise and use the specified engine\n"); |
| 543 | #endif |
| 544 | BIO_printf(bio_err," -id_prefix arg - Generate SSL/TLS session IDs prefixed by 'arg'\n"); |
| 545 | BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR); |
| 546 | #ifndef OPENSSL_NO_TLSEXT |
| 547 | BIO_printf(bio_err," -servername host - servername for HostName TLS extension\n"); |
| 548 | BIO_printf(bio_err," -servername_fatal - on mismatch send fatal alert (default warning alert)\n"); |
| 549 | BIO_printf(bio_err," -cert2 arg - certificate file to use for servername\n"); |
| 550 | BIO_printf(bio_err," (default is %s)\n",TEST_CERT2); |
| 551 | BIO_printf(bio_err," -key2 arg - Private Key file to use for servername, in cert file if\n"); |
| 552 | BIO_printf(bio_err," not specified (default is %s)\n",TEST_CERT2); |
| 553 | BIO_printf(bio_err," -tlsextdebug - hex dump of all TLS extensions received\n"); |
| 554 | BIO_printf(bio_err," -no_ticket - disable use of RFC4507bis session tickets\n"); |
| 555 | BIO_printf(bio_err," -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n"); |
| 556 | # ifndef OPENSSL_NO_NEXTPROTONEG |
| 557 | BIO_printf(bio_err," -nextprotoneg arg - set the advertised protocols for the NPN extension (comma-separated list)\n"); |
| 558 | # endif |
| 559 | BIO_printf(bio_err," -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n"); |
| 560 | #endif |
| 561 | BIO_printf(bio_err," -keymatexport label - Export keying material using label\n"); |
| 562 | BIO_printf(bio_err," -keymatexportlen len - Export len bytes of keying material (default 20)\n"); |
| 563 | } |
| 564 | |
| 565 | static int local_argc=0; |
| 566 | static char **local_argv; |
| 567 | |
| 568 | #ifdef CHARSET_EBCDIC |
| 569 | static int ebcdic_new(BIO *bi); |
| 570 | static int ebcdic_free(BIO *a); |
| 571 | static int ebcdic_read(BIO *b, char *out, int outl); |
| 572 | static int ebcdic_write(BIO *b, const char *in, int inl); |
| 573 | static long ebcdic_ctrl(BIO *b, int cmd, long num, void *ptr); |
| 574 | static int ebcdic_gets(BIO *bp, char *buf, int size); |
| 575 | static int ebcdic_puts(BIO *bp, const char *str); |
| 576 | |
| 577 | #define BIO_TYPE_EBCDIC_FILTER (18|0x0200) |
| 578 | static BIO_METHOD methods_ebcdic= |
| 579 | { |
| 580 | BIO_TYPE_EBCDIC_FILTER, |
| 581 | "EBCDIC/ASCII filter", |
| 582 | ebcdic_write, |
| 583 | ebcdic_read, |
| 584 | ebcdic_puts, |
| 585 | ebcdic_gets, |
| 586 | ebcdic_ctrl, |
| 587 | ebcdic_new, |
| 588 | ebcdic_free, |
| 589 | }; |
| 590 | |
| 591 | typedef struct |
| 592 | { |
| 593 | size_t alloced; |
| 594 | char buff[1]; |
| 595 | } EBCDIC_OUTBUFF; |
| 596 | |
| 597 | BIO_METHOD *BIO_f_ebcdic_filter() |
| 598 | { |
| 599 | return(&methods_ebcdic); |
| 600 | } |
| 601 | |
| 602 | static int ebcdic_new(BIO *bi) |
| 603 | { |
| 604 | EBCDIC_OUTBUFF *wbuf; |
| 605 | |
| 606 | wbuf = (EBCDIC_OUTBUFF *)OPENSSL_malloc(sizeof(EBCDIC_OUTBUFF) + 1024); |
| 607 | wbuf->alloced = 1024; |
| 608 | wbuf->buff[0] = '\0'; |
| 609 | |
| 610 | bi->ptr=(char *)wbuf; |
| 611 | bi->init=1; |
| 612 | bi->flags=0; |
| 613 | return(1); |
| 614 | } |
| 615 | |
| 616 | static int ebcdic_free(BIO *a) |
| 617 | { |
| 618 | if (a == NULL) return(0); |
| 619 | if (a->ptr != NULL) |
| 620 | OPENSSL_free(a->ptr); |
| 621 | a->ptr=NULL; |
| 622 | a->init=0; |
| 623 | a->flags=0; |
| 624 | return(1); |
| 625 | } |
| 626 | |
| 627 | static int ebcdic_read(BIO *b, char *out, int outl) |
| 628 | { |
| 629 | int ret=0; |
| 630 | |
| 631 | if (out == NULL || outl == 0) return(0); |
| 632 | if (b->next_bio == NULL) return(0); |
| 633 | |
| 634 | ret=BIO_read(b->next_bio,out,outl); |
| 635 | if (ret > 0) |
| 636 | ascii2ebcdic(out,out,ret); |
| 637 | return(ret); |
| 638 | } |
| 639 | |
| 640 | static int ebcdic_write(BIO *b, const char *in, int inl) |
| 641 | { |
| 642 | EBCDIC_OUTBUFF *wbuf; |
| 643 | int ret=0; |
| 644 | int num; |
| 645 | unsigned char n; |
| 646 | |
| 647 | if ((in == NULL) || (inl <= 0)) return(0); |
| 648 | if (b->next_bio == NULL) return(0); |
| 649 | |
| 650 | wbuf=(EBCDIC_OUTBUFF *)b->ptr; |
| 651 | |
| 652 | if (inl > (num = wbuf->alloced)) |
| 653 | { |
| 654 | num = num + num; /* double the size */ |
| 655 | if (num < inl) |
| 656 | num = inl; |
| 657 | OPENSSL_free(wbuf); |
| 658 | wbuf=(EBCDIC_OUTBUFF *)OPENSSL_malloc(sizeof(EBCDIC_OUTBUFF) + num); |
| 659 | |
| 660 | wbuf->alloced = num; |
| 661 | wbuf->buff[0] = '\0'; |
| 662 | |
| 663 | b->ptr=(char *)wbuf; |
| 664 | } |
| 665 | |
| 666 | ebcdic2ascii(wbuf->buff, in, inl); |
| 667 | |
| 668 | ret=BIO_write(b->next_bio, wbuf->buff, inl); |
| 669 | |
| 670 | return(ret); |
| 671 | } |
| 672 | |
| 673 | static long ebcdic_ctrl(BIO *b, int cmd, long num, void *ptr) |
| 674 | { |
| 675 | long ret; |
| 676 | |
| 677 | if (b->next_bio == NULL) return(0); |
| 678 | switch (cmd) |
| 679 | { |
| 680 | case BIO_CTRL_DUP: |
| 681 | ret=0L; |
| 682 | break; |
| 683 | default: |
| 684 | ret=BIO_ctrl(b->next_bio,cmd,num,ptr); |
| 685 | break; |
| 686 | } |
| 687 | return(ret); |
| 688 | } |
| 689 | |
| 690 | static int ebcdic_gets(BIO *bp, char *buf, int size) |
| 691 | { |
| 692 | int i, ret=0; |
| 693 | if (bp->next_bio == NULL) return(0); |
| 694 | /* return(BIO_gets(bp->next_bio,buf,size));*/ |
| 695 | for (i=0; i<size-1; ++i) |
| 696 | { |
| 697 | ret = ebcdic_read(bp,&buf[i],1); |
| 698 | if (ret <= 0) |
| 699 | break; |
| 700 | else if (buf[i] == '\n') |
| 701 | { |
| 702 | ++i; |
| 703 | break; |
| 704 | } |
| 705 | } |
| 706 | if (i < size) |
| 707 | buf[i] = '\0'; |
| 708 | return (ret < 0 && i == 0) ? ret : i; |
| 709 | } |
| 710 | |
| 711 | static int ebcdic_puts(BIO *bp, const char *str) |
| 712 | { |
| 713 | if (bp->next_bio == NULL) return(0); |
| 714 | return ebcdic_write(bp, str, strlen(str)); |
| 715 | } |
| 716 | #endif |
| 717 | |
| 718 | #ifndef OPENSSL_NO_TLSEXT |
| 719 | |
| 720 | /* This is a context that we pass to callbacks */ |
| 721 | typedef struct tlsextctx_st { |
| 722 | char * servername; |
| 723 | BIO * biodebug; |
| 724 | int extension_error; |
| 725 | } tlsextctx; |
| 726 | |
| 727 | |
| 728 | static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg) |
| 729 | { |
| 730 | tlsextctx * p = (tlsextctx *) arg; |
| 731 | const char * servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name); |
| 732 | if (servername && p->biodebug) |
| 733 | BIO_printf(p->biodebug,"Hostname in TLS extension: \"%s\"\n",servername); |
| 734 | |
| 735 | if (!p->servername) |
| 736 | return SSL_TLSEXT_ERR_NOACK; |
| 737 | |
| 738 | if (servername) |
| 739 | { |
| 740 | if (strcmp(servername,p->servername)) |
| 741 | return p->extension_error; |
| 742 | if (ctx2) |
| 743 | { |
| 744 | BIO_printf(p->biodebug,"Switching server context.\n"); |
| 745 | SSL_set_SSL_CTX(s,ctx2); |
| 746 | } |
| 747 | } |
| 748 | return SSL_TLSEXT_ERR_OK; |
| 749 | } |
| 750 | |
| 751 | /* Structure passed to cert status callback */ |
| 752 | |
| 753 | typedef struct tlsextstatusctx_st { |
| 754 | /* Default responder to use */ |
| 755 | char *host, *path, *port; |
| 756 | int use_ssl; |
| 757 | int timeout; |
| 758 | BIO *err; |
| 759 | int verbose; |
| 760 | } tlsextstatusctx; |
| 761 | |
| 762 | static tlsextstatusctx tlscstatp = {NULL, NULL, NULL, 0, -1, NULL, 0}; |
| 763 | |
| 764 | /* Certificate Status callback. This is called when a client includes a |
| 765 | * certificate status request extension. |
| 766 | * |
| 767 | * This is a simplified version. It examines certificates each time and |
| 768 | * makes one OCSP responder query for each request. |
| 769 | * |
| 770 | * A full version would store details such as the OCSP certificate IDs and |
| 771 | * minimise the number of OCSP responses by caching them until they were |
| 772 | * considered "expired". |
| 773 | */ |
| 774 | |
| 775 | static int cert_status_cb(SSL *s, void *arg) |
| 776 | { |
| 777 | tlsextstatusctx *srctx = arg; |
| 778 | BIO *err = srctx->err; |
| 779 | char *host, *port, *path; |
| 780 | int use_ssl; |
| 781 | unsigned char *rspder = NULL; |
| 782 | int rspderlen; |
| 783 | STACK_OF(OPENSSL_STRING) *aia = NULL; |
| 784 | X509 *x = NULL; |
| 785 | X509_STORE_CTX inctx; |
| 786 | X509_OBJECT obj; |
| 787 | OCSP_REQUEST *req = NULL; |
| 788 | OCSP_RESPONSE *resp = NULL; |
| 789 | OCSP_CERTID *id = NULL; |
| 790 | STACK_OF(X509_EXTENSION) *exts; |
| 791 | int ret = SSL_TLSEXT_ERR_NOACK; |
| 792 | int i; |
| 793 | #if 0 |
| 794 | STACK_OF(OCSP_RESPID) *ids; |
| 795 | SSL_get_tlsext_status_ids(s, &ids); |
| 796 | BIO_printf(err, "cert_status: received %d ids\n", sk_OCSP_RESPID_num(ids)); |
| 797 | #endif |
| 798 | if (srctx->verbose) |
| 799 | BIO_puts(err, "cert_status: callback called\n"); |
| 800 | /* Build up OCSP query from server certificate */ |
| 801 | x = SSL_get_certificate(s); |
| 802 | aia = X509_get1_ocsp(x); |
| 803 | if (aia) |
| 804 | { |
| 805 | if (!OCSP_parse_url(sk_OPENSSL_STRING_value(aia, 0), |
| 806 | &host, &port, &path, &use_ssl)) |
| 807 | { |
| 808 | BIO_puts(err, "cert_status: can't parse AIA URL\n"); |
| 809 | goto err; |
| 810 | } |
| 811 | if (srctx->verbose) |
| 812 | BIO_printf(err, "cert_status: AIA URL: %s\n", |
| 813 | sk_OPENSSL_STRING_value(aia, 0)); |
| 814 | } |
| 815 | else |
| 816 | { |
| 817 | if (!srctx->host) |
| 818 | { |
| 819 | BIO_puts(srctx->err, "cert_status: no AIA and no default responder URL\n"); |
| 820 | goto done; |
| 821 | } |
| 822 | host = srctx->host; |
| 823 | path = srctx->path; |
| 824 | port = srctx->port; |
| 825 | use_ssl = srctx->use_ssl; |
| 826 | } |
| 827 | |
| 828 | if (!X509_STORE_CTX_init(&inctx, |
| 829 | SSL_CTX_get_cert_store(SSL_get_SSL_CTX(s)), |
| 830 | NULL, NULL)) |
| 831 | goto err; |
| 832 | if (X509_STORE_get_by_subject(&inctx,X509_LU_X509, |
| 833 | X509_get_issuer_name(x),&obj) <= 0) |
| 834 | { |
| 835 | BIO_puts(err, "cert_status: Can't retrieve issuer certificate.\n"); |
| 836 | X509_STORE_CTX_cleanup(&inctx); |
| 837 | goto done; |
| 838 | } |
| 839 | req = OCSP_REQUEST_new(); |
| 840 | if (!req) |
| 841 | goto err; |
| 842 | id = OCSP_cert_to_id(NULL, x, obj.data.x509); |
| 843 | X509_free(obj.data.x509); |
| 844 | X509_STORE_CTX_cleanup(&inctx); |
| 845 | if (!id) |
| 846 | goto err; |
| 847 | if (!OCSP_request_add0_id(req, id)) |
| 848 | goto err; |
| 849 | id = NULL; |
| 850 | /* Add any extensions to the request */ |
| 851 | SSL_get_tlsext_status_exts(s, &exts); |
| 852 | for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) |
| 853 | { |
| 854 | X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, i); |
| 855 | if (!OCSP_REQUEST_add_ext(req, ext, -1)) |
| 856 | goto err; |
| 857 | } |
| 858 | resp = process_responder(err, req, host, path, port, use_ssl, NULL, |
| 859 | srctx->timeout); |
| 860 | if (!resp) |
| 861 | { |
| 862 | BIO_puts(err, "cert_status: error querying responder\n"); |
| 863 | goto done; |
| 864 | } |
| 865 | rspderlen = i2d_OCSP_RESPONSE(resp, &rspder); |
| 866 | if (rspderlen <= 0) |
| 867 | goto err; |
| 868 | SSL_set_tlsext_status_ocsp_resp(s, rspder, rspderlen); |
| 869 | if (srctx->verbose) |
| 870 | { |
| 871 | BIO_puts(err, "cert_status: ocsp response sent:\n"); |
| 872 | OCSP_RESPONSE_print(err, resp, 2); |
| 873 | } |
| 874 | ret = SSL_TLSEXT_ERR_OK; |
| 875 | done: |
| 876 | if (ret != SSL_TLSEXT_ERR_OK) |
| 877 | ERR_print_errors(err); |
| 878 | if (aia) |
| 879 | { |
| 880 | OPENSSL_free(host); |
| 881 | OPENSSL_free(path); |
| 882 | OPENSSL_free(port); |
| 883 | X509_email_free(aia); |
| 884 | } |
| 885 | if (id) |
| 886 | OCSP_CERTID_free(id); |
| 887 | if (req) |
| 888 | OCSP_REQUEST_free(req); |
| 889 | if (resp) |
| 890 | OCSP_RESPONSE_free(resp); |
| 891 | return ret; |
| 892 | err: |
| 893 | ret = SSL_TLSEXT_ERR_ALERT_FATAL; |
| 894 | goto done; |
| 895 | } |
| 896 | |
| 897 | # ifndef OPENSSL_NO_NEXTPROTONEG |
| 898 | /* This is the context that we pass to next_proto_cb */ |
| 899 | typedef struct tlsextnextprotoctx_st { |
| 900 | unsigned char *data; |
| 901 | unsigned int len; |
| 902 | } tlsextnextprotoctx; |
| 903 | |
| 904 | static int next_proto_cb(SSL *s, const unsigned char **data, unsigned int *len, void *arg) |
| 905 | { |
| 906 | tlsextnextprotoctx *next_proto = arg; |
| 907 | |
| 908 | *data = next_proto->data; |
| 909 | *len = next_proto->len; |
| 910 | |
| 911 | return SSL_TLSEXT_ERR_OK; |
| 912 | } |
| 913 | # endif /* ndef OPENSSL_NO_NEXTPROTONEG */ |
| 914 | |
| 915 | |
| 916 | #endif |
| 917 | |
| 918 | int MAIN(int, char **); |
| 919 | |
| 920 | #ifndef OPENSSL_NO_JPAKE |
| 921 | static char *jpake_secret = NULL; |
| 922 | #endif |
| 923 | #ifndef OPENSSL_NO_SRP |
| 924 | static srpsrvparm srp_callback_parm; |
| 925 | #endif |
| 926 | static char *srtp_profiles = NULL; |
| 927 | |
| 928 | int MAIN(int argc, char *argv[]) |
| 929 | { |
| 930 | X509_VERIFY_PARAM *vpm = NULL; |
| 931 | int badarg = 0; |
| 932 | short port=PORT; |
| 933 | char *CApath=NULL,*CAfile=NULL; |
| 934 | unsigned char *context = NULL; |
| 935 | char *dhfile = NULL; |
| 936 | #ifndef OPENSSL_NO_ECDH |
| 937 | char *named_curve = NULL; |
| 938 | #endif |
| 939 | int badop=0,bugs=0; |
| 940 | int ret=1; |
| 941 | int off=0; |
| 942 | int no_tmp_rsa=0,no_dhe=0,no_ecdhe=0,nocert=0; |
| 943 | int state=0; |
| 944 | const SSL_METHOD *meth=NULL; |
| 945 | int socket_type=SOCK_STREAM; |
| 946 | ENGINE *e=NULL; |
| 947 | char *inrand=NULL; |
| 948 | int s_cert_format = FORMAT_PEM, s_key_format = FORMAT_PEM; |
| 949 | char *passarg = NULL, *pass = NULL; |
| 950 | char *dpassarg = NULL, *dpass = NULL; |
| 951 | int s_dcert_format = FORMAT_PEM, s_dkey_format = FORMAT_PEM; |
| 952 | X509 *s_cert = NULL, *s_dcert = NULL; |
| 953 | EVP_PKEY *s_key = NULL, *s_dkey = NULL; |
| 954 | int no_cache = 0; |
| 955 | #ifndef OPENSSL_NO_TLSEXT |
| 956 | EVP_PKEY *s_key2 = NULL; |
| 957 | X509 *s_cert2 = NULL; |
| 958 | tlsextctx tlsextcbp = {NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING}; |
| 959 | # ifndef OPENSSL_NO_NEXTPROTONEG |
| 960 | const char *next_proto_neg_in = NULL; |
| 961 | tlsextnextprotoctx next_proto; |
| 962 | # endif |
| 963 | #endif |
| 964 | #ifndef OPENSSL_NO_PSK |
| 965 | /* by default do not send a PSK identity hint */ |
| 966 | static char *psk_identity_hint=NULL; |
| 967 | #endif |
| 968 | #ifndef OPENSSL_NO_SRP |
| 969 | char *srpuserseed = NULL; |
| 970 | char *srp_verifier_file = NULL; |
| 971 | #endif |
| 972 | meth=SSLv23_server_method(); |
| 973 | |
| 974 | local_argc=argc; |
| 975 | local_argv=argv; |
| 976 | |
| 977 | apps_startup(); |
| 978 | #ifdef MONOLITH |
| 979 | s_server_init(); |
| 980 | #endif |
| 981 | |
| 982 | if (bio_err == NULL) |
| 983 | bio_err=BIO_new_fp(stderr,BIO_NOCLOSE); |
| 984 | |
| 985 | if (!load_config(bio_err, NULL)) |
| 986 | goto end; |
| 987 | |
| 988 | verify_depth=0; |
| 989 | #ifdef FIONBIO |
| 990 | s_nbio=0; |
| 991 | #endif |
| 992 | s_nbio_test=0; |
| 993 | |
| 994 | argc--; |
| 995 | argv++; |
| 996 | |
| 997 | while (argc >= 1) |
| 998 | { |
| 999 | if ((strcmp(*argv,"-port") == 0) || |
| 1000 | (strcmp(*argv,"-accept") == 0)) |
| 1001 | { |
| 1002 | if (--argc < 1) goto bad; |
| 1003 | if (!extract_port(*(++argv),&port)) |
| 1004 | goto bad; |
| 1005 | } |
| 1006 | else if (strcmp(*argv,"-verify") == 0) |
| 1007 | { |
| 1008 | s_server_verify=SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE; |
| 1009 | if (--argc < 1) goto bad; |
| 1010 | verify_depth=atoi(*(++argv)); |
| 1011 | BIO_printf(bio_err,"verify depth is %d\n",verify_depth); |
| 1012 | } |
| 1013 | else if (strcmp(*argv,"-Verify") == 0) |
| 1014 | { |
| 1015 | s_server_verify=SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT| |
| 1016 | SSL_VERIFY_CLIENT_ONCE; |
| 1017 | if (--argc < 1) goto bad; |
| 1018 | verify_depth=atoi(*(++argv)); |
| 1019 | BIO_printf(bio_err,"verify depth is %d, must return a certificate\n",verify_depth); |
| 1020 | } |
| 1021 | else if (strcmp(*argv,"-context") == 0) |
| 1022 | { |
| 1023 | if (--argc < 1) goto bad; |
| 1024 | context= (unsigned char *)*(++argv); |
| 1025 | } |
| 1026 | else if (strcmp(*argv,"-cert") == 0) |
| 1027 | { |
| 1028 | if (--argc < 1) goto bad; |
| 1029 | s_cert_file= *(++argv); |
| 1030 | } |
| 1031 | else if (strcmp(*argv,"-certform") == 0) |
| 1032 | { |
| 1033 | if (--argc < 1) goto bad; |
| 1034 | s_cert_format = str2fmt(*(++argv)); |
| 1035 | } |
| 1036 | else if (strcmp(*argv,"-key") == 0) |
| 1037 | { |
| 1038 | if (--argc < 1) goto bad; |
| 1039 | s_key_file= *(++argv); |
| 1040 | } |
| 1041 | else if (strcmp(*argv,"-keyform") == 0) |
| 1042 | { |
| 1043 | if (--argc < 1) goto bad; |
| 1044 | s_key_format = str2fmt(*(++argv)); |
| 1045 | } |
| 1046 | else if (strcmp(*argv,"-pass") == 0) |
| 1047 | { |
| 1048 | if (--argc < 1) goto bad; |
| 1049 | passarg = *(++argv); |
| 1050 | } |
| 1051 | else if (strcmp(*argv,"-dhparam") == 0) |
| 1052 | { |
| 1053 | if (--argc < 1) goto bad; |
| 1054 | dhfile = *(++argv); |
| 1055 | } |
| 1056 | #ifndef OPENSSL_NO_ECDH |
| 1057 | else if (strcmp(*argv,"-named_curve") == 0) |
| 1058 | { |
| 1059 | if (--argc < 1) goto bad; |
| 1060 | named_curve = *(++argv); |
| 1061 | } |
| 1062 | #endif |
| 1063 | else if (strcmp(*argv,"-dcertform") == 0) |
| 1064 | { |
| 1065 | if (--argc < 1) goto bad; |
| 1066 | s_dcert_format = str2fmt(*(++argv)); |
| 1067 | } |
| 1068 | else if (strcmp(*argv,"-dcert") == 0) |
| 1069 | { |
| 1070 | if (--argc < 1) goto bad; |
| 1071 | s_dcert_file= *(++argv); |
| 1072 | } |
| 1073 | else if (strcmp(*argv,"-dkeyform") == 0) |
| 1074 | { |
| 1075 | if (--argc < 1) goto bad; |
| 1076 | s_dkey_format = str2fmt(*(++argv)); |
| 1077 | } |
| 1078 | else if (strcmp(*argv,"-dpass") == 0) |
| 1079 | { |
| 1080 | if (--argc < 1) goto bad; |
| 1081 | dpassarg = *(++argv); |
| 1082 | } |
| 1083 | else if (strcmp(*argv,"-dkey") == 0) |
| 1084 | { |
| 1085 | if (--argc < 1) goto bad; |
| 1086 | s_dkey_file= *(++argv); |
| 1087 | } |
| 1088 | else if (strcmp(*argv,"-nocert") == 0) |
| 1089 | { |
| 1090 | nocert=1; |
| 1091 | } |
| 1092 | else if (strcmp(*argv,"-CApath") == 0) |
| 1093 | { |
| 1094 | if (--argc < 1) goto bad; |
| 1095 | CApath= *(++argv); |
| 1096 | } |
| 1097 | else if (strcmp(*argv,"-no_cache") == 0) |
| 1098 | no_cache = 1; |
| 1099 | else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm)) |
| 1100 | { |
| 1101 | if (badarg) |
| 1102 | goto bad; |
| 1103 | continue; |
| 1104 | } |
| 1105 | else if (strcmp(*argv,"-verify_return_error") == 0) |
| 1106 | verify_return_error = 1; |
| 1107 | else if (strcmp(*argv,"-serverpref") == 0) |
| 1108 | { off|=SSL_OP_CIPHER_SERVER_PREFERENCE; } |
| 1109 | else if (strcmp(*argv,"-legacy_renegotiation") == 0) |
| 1110 | off|=SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION; |
| 1111 | else if (strcmp(*argv,"-cipher") == 0) |
| 1112 | { |
| 1113 | if (--argc < 1) goto bad; |
| 1114 | cipher= *(++argv); |
| 1115 | } |
| 1116 | else if (strcmp(*argv,"-CAfile") == 0) |
| 1117 | { |
| 1118 | if (--argc < 1) goto bad; |
| 1119 | CAfile= *(++argv); |
| 1120 | } |
| 1121 | #ifdef FIONBIO |
| 1122 | else if (strcmp(*argv,"-nbio") == 0) |
| 1123 | { s_nbio=1; } |
| 1124 | #endif |
| 1125 | else if (strcmp(*argv,"-nbio_test") == 0) |
| 1126 | { |
| 1127 | #ifdef FIONBIO |
| 1128 | s_nbio=1; |
| 1129 | #endif |
| 1130 | s_nbio_test=1; |
| 1131 | } |
| 1132 | else if (strcmp(*argv,"-debug") == 0) |
| 1133 | { s_debug=1; } |
| 1134 | #ifndef OPENSSL_NO_TLSEXT |
| 1135 | else if (strcmp(*argv,"-tlsextdebug") == 0) |
| 1136 | s_tlsextdebug=1; |
| 1137 | else if (strcmp(*argv,"-status") == 0) |
| 1138 | s_tlsextstatus=1; |
| 1139 | else if (strcmp(*argv,"-status_verbose") == 0) |
| 1140 | { |
| 1141 | s_tlsextstatus=1; |
| 1142 | tlscstatp.verbose = 1; |
| 1143 | } |
| 1144 | else if (!strcmp(*argv, "-status_timeout")) |
| 1145 | { |
| 1146 | s_tlsextstatus=1; |
| 1147 | if (--argc < 1) goto bad; |
| 1148 | tlscstatp.timeout = atoi(*(++argv)); |
| 1149 | } |
| 1150 | else if (!strcmp(*argv, "-status_url")) |
| 1151 | { |
| 1152 | s_tlsextstatus=1; |
| 1153 | if (--argc < 1) goto bad; |
| 1154 | if (!OCSP_parse_url(*(++argv), |
| 1155 | &tlscstatp.host, |
| 1156 | &tlscstatp.port, |
| 1157 | &tlscstatp.path, |
| 1158 | &tlscstatp.use_ssl)) |
| 1159 | { |
| 1160 | BIO_printf(bio_err, "Error parsing URL\n"); |
| 1161 | goto bad; |
| 1162 | } |
| 1163 | } |
| 1164 | #endif |
| 1165 | else if (strcmp(*argv,"-msg") == 0) |
| 1166 | { s_msg=1; } |
| 1167 | else if (strcmp(*argv,"-hack") == 0) |
| 1168 | { hack=1; } |
| 1169 | else if (strcmp(*argv,"-state") == 0) |
| 1170 | { state=1; } |
| 1171 | else if (strcmp(*argv,"-crlf") == 0) |
| 1172 | { s_crlf=1; } |
| 1173 | else if (strcmp(*argv,"-quiet") == 0) |
| 1174 | { s_quiet=1; } |
| 1175 | else if (strcmp(*argv,"-bugs") == 0) |
| 1176 | { bugs=1; } |
| 1177 | else if (strcmp(*argv,"-no_tmp_rsa") == 0) |
| 1178 | { no_tmp_rsa=1; } |
| 1179 | else if (strcmp(*argv,"-no_dhe") == 0) |
| 1180 | { no_dhe=1; } |
| 1181 | else if (strcmp(*argv,"-no_ecdhe") == 0) |
| 1182 | { no_ecdhe=1; } |
| 1183 | #ifndef OPENSSL_NO_PSK |
| 1184 | else if (strcmp(*argv,"-psk_hint") == 0) |
| 1185 | { |
| 1186 | if (--argc < 1) goto bad; |
| 1187 | psk_identity_hint= *(++argv); |
| 1188 | } |
| 1189 | else if (strcmp(*argv,"-psk") == 0) |
| 1190 | { |
| 1191 | size_t i; |
| 1192 | |
| 1193 | if (--argc < 1) goto bad; |
| 1194 | psk_key=*(++argv); |
| 1195 | for (i=0; i<strlen(psk_key); i++) |
| 1196 | { |
| 1197 | if (isxdigit((unsigned char)psk_key[i])) |
| 1198 | continue; |
| 1199 | BIO_printf(bio_err,"Not a hex number '%s'\n",*argv); |
| 1200 | goto bad; |
| 1201 | } |
| 1202 | } |
| 1203 | #endif |
| 1204 | #ifndef OPENSSL_NO_SRP |
| 1205 | else if (strcmp(*argv, "-srpvfile") == 0) |
| 1206 | { |
| 1207 | if (--argc < 1) goto bad; |
| 1208 | srp_verifier_file = *(++argv); |
| 1209 | meth=TLSv1_server_method(); |
| 1210 | } |
| 1211 | else if (strcmp(*argv, "-srpuserseed") == 0) |
| 1212 | { |
| 1213 | if (--argc < 1) goto bad; |
| 1214 | srpuserseed = *(++argv); |
| 1215 | meth=TLSv1_server_method(); |
| 1216 | } |
| 1217 | #endif |
| 1218 | else if (strcmp(*argv,"-www") == 0) |
| 1219 | { www=1; } |
| 1220 | else if (strcmp(*argv,"-WWW") == 0) |
| 1221 | { www=2; } |
| 1222 | else if (strcmp(*argv,"-HTTP") == 0) |
| 1223 | { www=3; } |
| 1224 | else if (strcmp(*argv,"-no_ssl2") == 0) |
| 1225 | { off|=SSL_OP_NO_SSLv2; } |
| 1226 | else if (strcmp(*argv,"-no_ssl3") == 0) |
| 1227 | { off|=SSL_OP_NO_SSLv3; } |
| 1228 | else if (strcmp(*argv,"-no_tls1") == 0) |
| 1229 | { off|=SSL_OP_NO_TLSv1; } |
| 1230 | else if (strcmp(*argv,"-no_tls1_1") == 0) |
| 1231 | { off|=SSL_OP_NO_TLSv1_1; } |
| 1232 | else if (strcmp(*argv,"-no_tls1_2") == 0) |
| 1233 | { off|=SSL_OP_NO_TLSv1_2; } |
| 1234 | else if (strcmp(*argv,"-no_comp") == 0) |
| 1235 | { off|=SSL_OP_NO_COMPRESSION; } |
| 1236 | #ifndef OPENSSL_NO_TLSEXT |
| 1237 | else if (strcmp(*argv,"-no_ticket") == 0) |
| 1238 | { off|=SSL_OP_NO_TICKET; } |
| 1239 | #endif |
| 1240 | #ifndef OPENSSL_NO_SSL2 |
| 1241 | else if (strcmp(*argv,"-ssl2") == 0) |
| 1242 | { meth=SSLv2_server_method(); } |
| 1243 | #endif |
| 1244 | #ifndef OPENSSL_NO_SSL3 |
| 1245 | else if (strcmp(*argv,"-ssl3") == 0) |
| 1246 | { meth=SSLv3_server_method(); } |
| 1247 | #endif |
| 1248 | #ifndef OPENSSL_NO_TLS1 |
| 1249 | else if (strcmp(*argv,"-tls1") == 0) |
| 1250 | { meth=TLSv1_server_method(); } |
| 1251 | else if (strcmp(*argv,"-tls1_1") == 0) |
| 1252 | { meth=TLSv1_1_server_method(); } |
| 1253 | else if (strcmp(*argv,"-tls1_2") == 0) |
| 1254 | { meth=TLSv1_2_server_method(); } |
| 1255 | #endif |
| 1256 | #ifndef OPENSSL_NO_DTLS1 |
| 1257 | else if (strcmp(*argv,"-dtls1") == 0) |
| 1258 | { |
| 1259 | meth=DTLSv1_server_method(); |
| 1260 | socket_type = SOCK_DGRAM; |
| 1261 | } |
| 1262 | else if (strcmp(*argv,"-timeout") == 0) |
| 1263 | enable_timeouts = 1; |
| 1264 | else if (strcmp(*argv,"-mtu") == 0) |
| 1265 | { |
| 1266 | if (--argc < 1) goto bad; |
| 1267 | socket_mtu = atol(*(++argv)); |
| 1268 | } |
| 1269 | else if (strcmp(*argv, "-chain") == 0) |
| 1270 | cert_chain = 1; |
| 1271 | #endif |
| 1272 | else if (strcmp(*argv, "-id_prefix") == 0) |
| 1273 | { |
| 1274 | if (--argc < 1) goto bad; |
| 1275 | session_id_prefix = *(++argv); |
| 1276 | } |
| 1277 | #ifndef OPENSSL_NO_ENGINE |
| 1278 | else if (strcmp(*argv,"-engine") == 0) |
| 1279 | { |
| 1280 | if (--argc < 1) goto bad; |
| 1281 | engine_id= *(++argv); |
| 1282 | } |
| 1283 | #endif |
| 1284 | else if (strcmp(*argv,"-rand") == 0) |
| 1285 | { |
| 1286 | if (--argc < 1) goto bad; |
| 1287 | inrand= *(++argv); |
| 1288 | } |
| 1289 | #ifndef OPENSSL_NO_TLSEXT |
| 1290 | else if (strcmp(*argv,"-servername") == 0) |
| 1291 | { |
| 1292 | if (--argc < 1) goto bad; |
| 1293 | tlsextcbp.servername= *(++argv); |
| 1294 | } |
| 1295 | else if (strcmp(*argv,"-servername_fatal") == 0) |
| 1296 | { tlsextcbp.extension_error = SSL_TLSEXT_ERR_ALERT_FATAL; } |
| 1297 | else if (strcmp(*argv,"-cert2") == 0) |
| 1298 | { |
| 1299 | if (--argc < 1) goto bad; |
| 1300 | s_cert_file2= *(++argv); |
| 1301 | } |
| 1302 | else if (strcmp(*argv,"-key2") == 0) |
| 1303 | { |
| 1304 | if (--argc < 1) goto bad; |
| 1305 | s_key_file2= *(++argv); |
| 1306 | } |
| 1307 | # ifndef OPENSSL_NO_NEXTPROTONEG |
| 1308 | else if (strcmp(*argv,"-nextprotoneg") == 0) |
| 1309 | { |
| 1310 | if (--argc < 1) goto bad; |
| 1311 | next_proto_neg_in = *(++argv); |
| 1312 | } |
| 1313 | # endif |
| 1314 | #endif |
| 1315 | #if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK) |
| 1316 | else if (strcmp(*argv,"-jpake") == 0) |
| 1317 | { |
| 1318 | if (--argc < 1) goto bad; |
| 1319 | jpake_secret = *(++argv); |
| 1320 | } |
| 1321 | #endif |
| 1322 | else if (strcmp(*argv,"-use_srtp") == 0) |
| 1323 | { |
| 1324 | if (--argc < 1) goto bad; |
| 1325 | srtp_profiles = *(++argv); |
| 1326 | } |
| 1327 | else if (strcmp(*argv,"-keymatexport") == 0) |
| 1328 | { |
| 1329 | if (--argc < 1) goto bad; |
| 1330 | keymatexportlabel= *(++argv); |
| 1331 | } |
| 1332 | else if (strcmp(*argv,"-keymatexportlen") == 0) |
| 1333 | { |
| 1334 | if (--argc < 1) goto bad; |
| 1335 | keymatexportlen=atoi(*(++argv)); |
| 1336 | if (keymatexportlen == 0) goto bad; |
| 1337 | } |
| 1338 | else |
| 1339 | { |
| 1340 | BIO_printf(bio_err,"unknown option %s\n",*argv); |
| 1341 | badop=1; |
| 1342 | break; |
| 1343 | } |
| 1344 | argc--; |
| 1345 | argv++; |
| 1346 | } |
| 1347 | if (badop) |
| 1348 | { |
| 1349 | bad: |
| 1350 | sv_usage(); |
| 1351 | goto end; |
| 1352 | } |
| 1353 | |
| 1354 | #if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK) |
| 1355 | if (jpake_secret) |
| 1356 | { |
| 1357 | if (psk_key) |
| 1358 | { |
| 1359 | BIO_printf(bio_err, |
| 1360 | "Can't use JPAKE and PSK together\n"); |
| 1361 | goto end; |
| 1362 | } |
| 1363 | psk_identity = "JPAKE"; |
| 1364 | if (cipher) |
| 1365 | { |
| 1366 | BIO_printf(bio_err, "JPAKE sets cipher to PSK\n"); |
| 1367 | goto end; |
| 1368 | } |
| 1369 | cipher = "PSK"; |
| 1370 | } |
| 1371 | |
| 1372 | #endif |
| 1373 | |
| 1374 | SSL_load_error_strings(); |
| 1375 | OpenSSL_add_ssl_algorithms(); |
| 1376 | |
| 1377 | #ifndef OPENSSL_NO_ENGINE |
| 1378 | e = setup_engine(bio_err, engine_id, 1); |
| 1379 | #endif |
| 1380 | |
| 1381 | if (!app_passwd(bio_err, passarg, dpassarg, &pass, &dpass)) |
| 1382 | { |
| 1383 | BIO_printf(bio_err, "Error getting password\n"); |
| 1384 | goto end; |
| 1385 | } |
| 1386 | |
| 1387 | |
| 1388 | if (s_key_file == NULL) |
| 1389 | s_key_file = s_cert_file; |
| 1390 | #ifndef OPENSSL_NO_TLSEXT |
| 1391 | if (s_key_file2 == NULL) |
| 1392 | s_key_file2 = s_cert_file2; |
| 1393 | #endif |
| 1394 | |
| 1395 | if (nocert == 0) |
| 1396 | { |
| 1397 | s_key = load_key(bio_err, s_key_file, s_key_format, 0, pass, e, |
| 1398 | "server certificate private key file"); |
| 1399 | if (!s_key) |
| 1400 | { |
| 1401 | ERR_print_errors(bio_err); |
| 1402 | goto end; |
| 1403 | } |
| 1404 | |
| 1405 | s_cert = load_cert(bio_err,s_cert_file,s_cert_format, |
| 1406 | NULL, e, "server certificate file"); |
| 1407 | |
| 1408 | if (!s_cert) |
| 1409 | { |
| 1410 | ERR_print_errors(bio_err); |
| 1411 | goto end; |
| 1412 | } |
| 1413 | |
| 1414 | #ifndef OPENSSL_NO_TLSEXT |
| 1415 | if (tlsextcbp.servername) |
| 1416 | { |
| 1417 | s_key2 = load_key(bio_err, s_key_file2, s_key_format, 0, pass, e, |
| 1418 | "second server certificate private key file"); |
| 1419 | if (!s_key2) |
| 1420 | { |
| 1421 | ERR_print_errors(bio_err); |
| 1422 | goto end; |
| 1423 | } |
| 1424 | |
| 1425 | s_cert2 = load_cert(bio_err,s_cert_file2,s_cert_format, |
| 1426 | NULL, e, "second server certificate file"); |
| 1427 | |
| 1428 | if (!s_cert2) |
| 1429 | { |
| 1430 | ERR_print_errors(bio_err); |
| 1431 | goto end; |
| 1432 | } |
| 1433 | } |
| 1434 | |
| 1435 | # ifndef OPENSSL_NO_NEXTPROTONEG |
| 1436 | if (next_proto_neg_in) |
| 1437 | { |
| 1438 | unsigned short len; |
| 1439 | next_proto.data = next_protos_parse(&len, |
| 1440 | next_proto_neg_in); |
| 1441 | if (next_proto.data == NULL) |
| 1442 | goto end; |
| 1443 | next_proto.len = len; |
| 1444 | } |
| 1445 | else |
| 1446 | { |
| 1447 | next_proto.data = NULL; |
| 1448 | } |
| 1449 | # endif |
| 1450 | #endif |
| 1451 | } |
| 1452 | |
| 1453 | |
| 1454 | if (s_dcert_file) |
| 1455 | { |
| 1456 | |
| 1457 | if (s_dkey_file == NULL) |
| 1458 | s_dkey_file = s_dcert_file; |
| 1459 | |
| 1460 | s_dkey = load_key(bio_err, s_dkey_file, s_dkey_format, |
| 1461 | 0, dpass, e, |
| 1462 | "second certificate private key file"); |
| 1463 | if (!s_dkey) |
| 1464 | { |
| 1465 | ERR_print_errors(bio_err); |
| 1466 | goto end; |
| 1467 | } |
| 1468 | |
| 1469 | s_dcert = load_cert(bio_err,s_dcert_file,s_dcert_format, |
| 1470 | NULL, e, "second server certificate file"); |
| 1471 | |
| 1472 | if (!s_dcert) |
| 1473 | { |
| 1474 | ERR_print_errors(bio_err); |
| 1475 | goto end; |
| 1476 | } |
| 1477 | |
| 1478 | } |
| 1479 | |
| 1480 | if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL |
| 1481 | && !RAND_status()) |
| 1482 | { |
| 1483 | BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n"); |
| 1484 | } |
| 1485 | if (inrand != NULL) |
| 1486 | BIO_printf(bio_err,"%ld semi-random bytes loaded\n", |
| 1487 | app_RAND_load_files(inrand)); |
| 1488 | |
| 1489 | if (bio_s_out == NULL) |
| 1490 | { |
| 1491 | if (s_quiet && !s_debug && !s_msg) |
| 1492 | { |
| 1493 | bio_s_out=BIO_new(BIO_s_null()); |
| 1494 | } |
| 1495 | else |
| 1496 | { |
| 1497 | if (bio_s_out == NULL) |
| 1498 | bio_s_out=BIO_new_fp(stdout,BIO_NOCLOSE); |
| 1499 | } |
| 1500 | } |
| 1501 | |
| 1502 | #if !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_ECDSA) |
| 1503 | if (nocert) |
| 1504 | #endif |
| 1505 | { |
| 1506 | s_cert_file=NULL; |
| 1507 | s_key_file=NULL; |
| 1508 | s_dcert_file=NULL; |
| 1509 | s_dkey_file=NULL; |
| 1510 | #ifndef OPENSSL_NO_TLSEXT |
| 1511 | s_cert_file2=NULL; |
| 1512 | s_key_file2=NULL; |
| 1513 | #endif |
| 1514 | } |
| 1515 | |
| 1516 | ctx=SSL_CTX_new(meth); |
| 1517 | if (ctx == NULL) |
| 1518 | { |
| 1519 | ERR_print_errors(bio_err); |
| 1520 | goto end; |
| 1521 | } |
| 1522 | if (session_id_prefix) |
| 1523 | { |
| 1524 | if(strlen(session_id_prefix) >= 32) |
| 1525 | BIO_printf(bio_err, |
| 1526 | "warning: id_prefix is too long, only one new session will be possible\n"); |
| 1527 | else if(strlen(session_id_prefix) >= 16) |
| 1528 | BIO_printf(bio_err, |
| 1529 | "warning: id_prefix is too long if you use SSLv2\n"); |
| 1530 | if(!SSL_CTX_set_generate_session_id(ctx, generate_session_id)) |
| 1531 | { |
| 1532 | BIO_printf(bio_err,"error setting 'id_prefix'\n"); |
| 1533 | ERR_print_errors(bio_err); |
| 1534 | goto end; |
| 1535 | } |
| 1536 | BIO_printf(bio_err,"id_prefix '%s' set.\n", session_id_prefix); |
| 1537 | } |
| 1538 | SSL_CTX_set_quiet_shutdown(ctx,1); |
| 1539 | if (bugs) SSL_CTX_set_options(ctx,SSL_OP_ALL); |
| 1540 | if (hack) SSL_CTX_set_options(ctx,SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG); |
| 1541 | SSL_CTX_set_options(ctx,off); |
| 1542 | /* DTLS: partial reads end up discarding unread UDP bytes :-( |
| 1543 | * Setting read ahead solves this problem. |
| 1544 | */ |
| 1545 | if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1); |
| 1546 | |
| 1547 | if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback); |
| 1548 | if (no_cache) |
| 1549 | SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF); |
| 1550 | else |
| 1551 | SSL_CTX_sess_set_cache_size(ctx,128); |
| 1552 | |
| 1553 | if (srtp_profiles != NULL) |
| 1554 | SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles); |
| 1555 | |
| 1556 | #if 0 |
| 1557 | if (cipher == NULL) cipher=getenv("SSL_CIPHER"); |
| 1558 | #endif |
| 1559 | |
| 1560 | #if 0 |
| 1561 | if (s_cert_file == NULL) |
| 1562 | { |
| 1563 | BIO_printf(bio_err,"You must specify a certificate file for the server to use\n"); |
| 1564 | goto end; |
| 1565 | } |
| 1566 | #endif |
| 1567 | |
| 1568 | if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) || |
| 1569 | (!SSL_CTX_set_default_verify_paths(ctx))) |
| 1570 | { |
| 1571 | /* BIO_printf(bio_err,"X509_load_verify_locations\n"); */ |
| 1572 | ERR_print_errors(bio_err); |
| 1573 | /* goto end; */ |
| 1574 | } |
| 1575 | if (vpm) |
| 1576 | SSL_CTX_set1_param(ctx, vpm); |
| 1577 | |
| 1578 | #ifndef OPENSSL_NO_TLSEXT |
| 1579 | if (s_cert2) |
| 1580 | { |
| 1581 | ctx2=SSL_CTX_new(meth); |
| 1582 | if (ctx2 == NULL) |
| 1583 | { |
| 1584 | ERR_print_errors(bio_err); |
| 1585 | goto end; |
| 1586 | } |
| 1587 | } |
| 1588 | |
| 1589 | if (ctx2) |
| 1590 | { |
| 1591 | BIO_printf(bio_s_out,"Setting secondary ctx parameters\n"); |
| 1592 | |
| 1593 | if (session_id_prefix) |
| 1594 | { |
| 1595 | if(strlen(session_id_prefix) >= 32) |
| 1596 | BIO_printf(bio_err, |
| 1597 | "warning: id_prefix is too long, only one new session will be possible\n"); |
| 1598 | else if(strlen(session_id_prefix) >= 16) |
| 1599 | BIO_printf(bio_err, |
| 1600 | "warning: id_prefix is too long if you use SSLv2\n"); |
| 1601 | if(!SSL_CTX_set_generate_session_id(ctx2, generate_session_id)) |
| 1602 | { |
| 1603 | BIO_printf(bio_err,"error setting 'id_prefix'\n"); |
| 1604 | ERR_print_errors(bio_err); |
| 1605 | goto end; |
| 1606 | } |
| 1607 | BIO_printf(bio_err,"id_prefix '%s' set.\n", session_id_prefix); |
| 1608 | } |
| 1609 | SSL_CTX_set_quiet_shutdown(ctx2,1); |
| 1610 | if (bugs) SSL_CTX_set_options(ctx2,SSL_OP_ALL); |
| 1611 | if (hack) SSL_CTX_set_options(ctx2,SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG); |
| 1612 | SSL_CTX_set_options(ctx2,off); |
| 1613 | /* DTLS: partial reads end up discarding unread UDP bytes :-( |
| 1614 | * Setting read ahead solves this problem. |
| 1615 | */ |
| 1616 | if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx2, 1); |
| 1617 | |
| 1618 | if (state) SSL_CTX_set_info_callback(ctx2,apps_ssl_info_callback); |
| 1619 | |
| 1620 | if (no_cache) |
| 1621 | SSL_CTX_set_session_cache_mode(ctx2,SSL_SESS_CACHE_OFF); |
| 1622 | else |
| 1623 | SSL_CTX_sess_set_cache_size(ctx2,128); |
| 1624 | |
| 1625 | if ((!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) || |
| 1626 | (!SSL_CTX_set_default_verify_paths(ctx2))) |
| 1627 | { |
| 1628 | ERR_print_errors(bio_err); |
| 1629 | } |
| 1630 | if (vpm) |
| 1631 | SSL_CTX_set1_param(ctx2, vpm); |
| 1632 | } |
| 1633 | |
| 1634 | # ifndef OPENSSL_NO_NEXTPROTONEG |
| 1635 | if (next_proto.data) |
| 1636 | SSL_CTX_set_next_protos_advertised_cb(ctx, next_proto_cb, &next_proto); |
| 1637 | # endif |
| 1638 | #endif |
| 1639 | |
| 1640 | #ifndef OPENSSL_NO_DH |
| 1641 | if (!no_dhe) |
| 1642 | { |
| 1643 | DH *dh=NULL; |
| 1644 | |
| 1645 | if (dhfile) |
| 1646 | dh = load_dh_param(dhfile); |
| 1647 | else if (s_cert_file) |
| 1648 | dh = load_dh_param(s_cert_file); |
| 1649 | |
| 1650 | if (dh != NULL) |
| 1651 | { |
| 1652 | BIO_printf(bio_s_out,"Setting temp DH parameters\n"); |
| 1653 | } |
| 1654 | else |
| 1655 | { |
| 1656 | BIO_printf(bio_s_out,"Using default temp DH parameters\n"); |
| 1657 | dh=get_dh512(); |
| 1658 | } |
| 1659 | (void)BIO_flush(bio_s_out); |
| 1660 | |
| 1661 | SSL_CTX_set_tmp_dh(ctx,dh); |
| 1662 | #ifndef OPENSSL_NO_TLSEXT |
| 1663 | if (ctx2) |
| 1664 | { |
| 1665 | if (!dhfile) |
| 1666 | { |
| 1667 | DH *dh2=load_dh_param(s_cert_file2); |
| 1668 | if (dh2 != NULL) |
| 1669 | { |
| 1670 | BIO_printf(bio_s_out,"Setting temp DH parameters\n"); |
| 1671 | (void)BIO_flush(bio_s_out); |
| 1672 | |
| 1673 | DH_free(dh); |
| 1674 | dh = dh2; |
| 1675 | } |
| 1676 | } |
| 1677 | SSL_CTX_set_tmp_dh(ctx2,dh); |
| 1678 | } |
| 1679 | #endif |
| 1680 | DH_free(dh); |
| 1681 | } |
| 1682 | #endif |
| 1683 | |
| 1684 | #ifndef OPENSSL_NO_ECDH |
| 1685 | if (!no_ecdhe) |
| 1686 | { |
| 1687 | EC_KEY *ecdh=NULL; |
| 1688 | |
| 1689 | if (named_curve) |
| 1690 | { |
| 1691 | int nid = OBJ_sn2nid(named_curve); |
| 1692 | |
| 1693 | if (nid == 0) |
| 1694 | { |
| 1695 | BIO_printf(bio_err, "unknown curve name (%s)\n", |
| 1696 | named_curve); |
| 1697 | goto end; |
| 1698 | } |
| 1699 | ecdh = EC_KEY_new_by_curve_name(nid); |
| 1700 | if (ecdh == NULL) |
| 1701 | { |
| 1702 | BIO_printf(bio_err, "unable to create curve (%s)\n", |
| 1703 | named_curve); |
| 1704 | goto end; |
| 1705 | } |
| 1706 | } |
| 1707 | |
| 1708 | if (ecdh != NULL) |
| 1709 | { |
| 1710 | BIO_printf(bio_s_out,"Setting temp ECDH parameters\n"); |
| 1711 | } |
| 1712 | else |
| 1713 | { |
| 1714 | BIO_printf(bio_s_out,"Using default temp ECDH parameters\n"); |
| 1715 | ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1); |
| 1716 | if (ecdh == NULL) |
| 1717 | { |
| 1718 | BIO_printf(bio_err, "unable to create curve (nistp256)\n"); |
| 1719 | goto end; |
| 1720 | } |
| 1721 | } |
| 1722 | (void)BIO_flush(bio_s_out); |
| 1723 | |
| 1724 | SSL_CTX_set_tmp_ecdh(ctx,ecdh); |
| 1725 | #ifndef OPENSSL_NO_TLSEXT |
| 1726 | if (ctx2) |
| 1727 | SSL_CTX_set_tmp_ecdh(ctx2,ecdh); |
| 1728 | #endif |
| 1729 | EC_KEY_free(ecdh); |
| 1730 | } |
| 1731 | #endif |
| 1732 | |
| 1733 | if (!set_cert_key_stuff(ctx,s_cert,s_key)) |
| 1734 | goto end; |
| 1735 | #ifndef OPENSSL_NO_TLSEXT |
| 1736 | if (ctx2 && !set_cert_key_stuff(ctx2,s_cert2,s_key2)) |
| 1737 | goto end; |
| 1738 | #endif |
| 1739 | if (s_dcert != NULL) |
| 1740 | { |
| 1741 | if (!set_cert_key_stuff(ctx,s_dcert,s_dkey)) |
| 1742 | goto end; |
| 1743 | } |
| 1744 | |
| 1745 | #ifndef OPENSSL_NO_RSA |
| 1746 | #if 1 |
| 1747 | if (!no_tmp_rsa) |
| 1748 | { |
| 1749 | SSL_CTX_set_tmp_rsa_callback(ctx,tmp_rsa_cb); |
| 1750 | #ifndef OPENSSL_NO_TLSEXT |
| 1751 | if (ctx2) |
| 1752 | SSL_CTX_set_tmp_rsa_callback(ctx2,tmp_rsa_cb); |
| 1753 | #endif |
| 1754 | } |
| 1755 | #else |
| 1756 | if (!no_tmp_rsa && SSL_CTX_need_tmp_RSA(ctx)) |
| 1757 | { |
| 1758 | RSA *rsa; |
| 1759 | |
| 1760 | BIO_printf(bio_s_out,"Generating temp (512 bit) RSA key..."); |
| 1761 | BIO_flush(bio_s_out); |
| 1762 | |
| 1763 | rsa=RSA_generate_key(512,RSA_F4,NULL); |
| 1764 | |
| 1765 | if (!SSL_CTX_set_tmp_rsa(ctx,rsa)) |
| 1766 | { |
| 1767 | ERR_print_errors(bio_err); |
| 1768 | goto end; |
| 1769 | } |
| 1770 | #ifndef OPENSSL_NO_TLSEXT |
| 1771 | if (ctx2) |
| 1772 | { |
| 1773 | if (!SSL_CTX_set_tmp_rsa(ctx2,rsa)) |
| 1774 | { |
| 1775 | ERR_print_errors(bio_err); |
| 1776 | goto end; |
| 1777 | } |
| 1778 | } |
| 1779 | #endif |
| 1780 | RSA_free(rsa); |
| 1781 | BIO_printf(bio_s_out,"\n"); |
| 1782 | } |
| 1783 | #endif |
| 1784 | #endif |
| 1785 | |
| 1786 | #ifndef OPENSSL_NO_PSK |
| 1787 | #ifdef OPENSSL_NO_JPAKE |
| 1788 | if (psk_key != NULL) |
| 1789 | #else |
| 1790 | if (psk_key != NULL || jpake_secret) |
| 1791 | #endif |
| 1792 | { |
| 1793 | if (s_debug) |
| 1794 | BIO_printf(bio_s_out, "PSK key given or JPAKE in use, setting server callback\n"); |
| 1795 | SSL_CTX_set_psk_server_callback(ctx, psk_server_cb); |
| 1796 | } |
| 1797 | |
| 1798 | if (!SSL_CTX_use_psk_identity_hint(ctx, psk_identity_hint)) |
| 1799 | { |
| 1800 | BIO_printf(bio_err,"error setting PSK identity hint to context\n"); |
| 1801 | ERR_print_errors(bio_err); |
| 1802 | goto end; |
| 1803 | } |
| 1804 | #endif |
| 1805 | |
| 1806 | if (cipher != NULL) |
| 1807 | { |
| 1808 | if(!SSL_CTX_set_cipher_list(ctx,cipher)) |
| 1809 | { |
| 1810 | BIO_printf(bio_err,"error setting cipher list\n"); |
| 1811 | ERR_print_errors(bio_err); |
| 1812 | goto end; |
| 1813 | } |
| 1814 | #ifndef OPENSSL_NO_TLSEXT |
| 1815 | if (ctx2 && !SSL_CTX_set_cipher_list(ctx2,cipher)) |
| 1816 | { |
| 1817 | BIO_printf(bio_err,"error setting cipher list\n"); |
| 1818 | ERR_print_errors(bio_err); |
| 1819 | goto end; |
| 1820 | } |
| 1821 | #endif |
| 1822 | } |
| 1823 | SSL_CTX_set_verify(ctx,s_server_verify,verify_callback); |
| 1824 | SSL_CTX_set_session_id_context(ctx,(void*)&s_server_session_id_context, |
| 1825 | sizeof s_server_session_id_context); |
| 1826 | |
| 1827 | /* Set DTLS cookie generation and verification callbacks */ |
| 1828 | SSL_CTX_set_cookie_generate_cb(ctx, generate_cookie_callback); |
| 1829 | SSL_CTX_set_cookie_verify_cb(ctx, verify_cookie_callback); |
| 1830 | |
| 1831 | #ifndef OPENSSL_NO_TLSEXT |
| 1832 | if (ctx2) |
| 1833 | { |
| 1834 | SSL_CTX_set_verify(ctx2,s_server_verify,verify_callback); |
| 1835 | SSL_CTX_set_session_id_context(ctx2,(void*)&s_server_session_id_context, |
| 1836 | sizeof s_server_session_id_context); |
| 1837 | |
| 1838 | tlsextcbp.biodebug = bio_s_out; |
| 1839 | SSL_CTX_set_tlsext_servername_callback(ctx2, ssl_servername_cb); |
| 1840 | SSL_CTX_set_tlsext_servername_arg(ctx2, &tlsextcbp); |
| 1841 | SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb); |
| 1842 | SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp); |
| 1843 | } |
| 1844 | #endif |
| 1845 | |
| 1846 | #ifndef OPENSSL_NO_SRP |
| 1847 | if (srp_verifier_file != NULL) |
| 1848 | { |
| 1849 | srp_callback_parm.vb = SRP_VBASE_new(srpuserseed); |
| 1850 | srp_callback_parm.user = NULL; |
| 1851 | srp_callback_parm.login = NULL; |
| 1852 | if ((ret = SRP_VBASE_init(srp_callback_parm.vb, srp_verifier_file)) != SRP_NO_ERROR) |
| 1853 | { |
| 1854 | BIO_printf(bio_err, |
| 1855 | "Cannot initialize SRP verifier file \"%s\":ret=%d\n", |
| 1856 | srp_verifier_file, ret); |
| 1857 | goto end; |
| 1858 | } |
| 1859 | SSL_CTX_set_verify(ctx, SSL_VERIFY_NONE,verify_callback); |
| 1860 | SSL_CTX_set_srp_cb_arg(ctx, &srp_callback_parm); |
| 1861 | SSL_CTX_set_srp_username_callback(ctx, ssl_srp_server_param_cb); |
| 1862 | } |
| 1863 | else |
| 1864 | #endif |
| 1865 | if (CAfile != NULL) |
| 1866 | { |
| 1867 | SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(CAfile)); |
| 1868 | #ifndef OPENSSL_NO_TLSEXT |
| 1869 | if (ctx2) |
| 1870 | SSL_CTX_set_client_CA_list(ctx2,SSL_load_client_CA_file(CAfile)); |
| 1871 | #endif |
| 1872 | } |
| 1873 | |
| 1874 | BIO_printf(bio_s_out,"ACCEPT\n"); |
| 1875 | (void)BIO_flush(bio_s_out); |
| 1876 | if (www) |
| 1877 | do_server(port,socket_type,&accept_socket,www_body, context); |
| 1878 | else |
| 1879 | do_server(port,socket_type,&accept_socket,sv_body, context); |
| 1880 | print_stats(bio_s_out,ctx); |
| 1881 | ret=0; |
| 1882 | end: |
| 1883 | if (ctx != NULL) SSL_CTX_free(ctx); |
| 1884 | if (s_cert) |
| 1885 | X509_free(s_cert); |
| 1886 | if (s_dcert) |
| 1887 | X509_free(s_dcert); |
| 1888 | if (s_key) |
| 1889 | EVP_PKEY_free(s_key); |
| 1890 | if (s_dkey) |
| 1891 | EVP_PKEY_free(s_dkey); |
| 1892 | if (pass) |
| 1893 | OPENSSL_free(pass); |
| 1894 | if (dpass) |
| 1895 | OPENSSL_free(dpass); |
| 1896 | #ifndef OPENSSL_NO_TLSEXT |
| 1897 | if (ctx2 != NULL) SSL_CTX_free(ctx2); |
| 1898 | if (s_cert2) |
| 1899 | X509_free(s_cert2); |
| 1900 | if (s_key2) |
| 1901 | EVP_PKEY_free(s_key2); |
| 1902 | #endif |
| 1903 | if (bio_s_out != NULL) |
| 1904 | { |
| 1905 | BIO_free(bio_s_out); |
| 1906 | bio_s_out=NULL; |
| 1907 | } |
| 1908 | apps_shutdown(); |
| 1909 | OPENSSL_EXIT(ret); |
| 1910 | } |
| 1911 | |
| 1912 | static void print_stats(BIO *bio, SSL_CTX *ssl_ctx) |
| 1913 | { |
| 1914 | BIO_printf(bio,"%4ld items in the session cache\n", |
| 1915 | SSL_CTX_sess_number(ssl_ctx)); |
| 1916 | BIO_printf(bio,"%4ld client connects (SSL_connect())\n", |
| 1917 | SSL_CTX_sess_connect(ssl_ctx)); |
| 1918 | BIO_printf(bio,"%4ld client renegotiates (SSL_connect())\n", |
| 1919 | SSL_CTX_sess_connect_renegotiate(ssl_ctx)); |
| 1920 | BIO_printf(bio,"%4ld client connects that finished\n", |
| 1921 | SSL_CTX_sess_connect_good(ssl_ctx)); |
| 1922 | BIO_printf(bio,"%4ld server accepts (SSL_accept())\n", |
| 1923 | SSL_CTX_sess_accept(ssl_ctx)); |
| 1924 | BIO_printf(bio,"%4ld server renegotiates (SSL_accept())\n", |
| 1925 | SSL_CTX_sess_accept_renegotiate(ssl_ctx)); |
| 1926 | BIO_printf(bio,"%4ld server accepts that finished\n", |
| 1927 | SSL_CTX_sess_accept_good(ssl_ctx)); |
| 1928 | BIO_printf(bio,"%4ld session cache hits\n",SSL_CTX_sess_hits(ssl_ctx)); |
| 1929 | BIO_printf(bio,"%4ld session cache misses\n",SSL_CTX_sess_misses(ssl_ctx)); |
| 1930 | BIO_printf(bio,"%4ld session cache timeouts\n",SSL_CTX_sess_timeouts(ssl_ctx)); |
| 1931 | BIO_printf(bio,"%4ld callback cache hits\n",SSL_CTX_sess_cb_hits(ssl_ctx)); |
| 1932 | BIO_printf(bio,"%4ld cache full overflows (%ld allowed)\n", |
| 1933 | SSL_CTX_sess_cache_full(ssl_ctx), |
| 1934 | SSL_CTX_sess_get_cache_size(ssl_ctx)); |
| 1935 | } |
| 1936 | |
| 1937 | static int sv_body(char *hostname, int s, unsigned char *context) |
| 1938 | { |
| 1939 | char *buf=NULL; |
| 1940 | fd_set readfds; |
| 1941 | int ret=1,width; |
| 1942 | int k,i; |
| 1943 | unsigned long l; |
| 1944 | SSL *con=NULL; |
| 1945 | BIO *sbio; |
| 1946 | #ifndef OPENSSL_NO_KRB5 |
| 1947 | KSSL_CTX *kctx; |
| 1948 | #endif |
| 1949 | struct timeval timeout; |
| 1950 | #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5) |
| 1951 | struct timeval tv; |
| 1952 | #else |
| 1953 | struct timeval *timeoutp; |
| 1954 | #endif |
| 1955 | |
| 1956 | if ((buf=OPENSSL_malloc(bufsize)) == NULL) |
| 1957 | { |
| 1958 | BIO_printf(bio_err,"out of memory\n"); |
| 1959 | goto err; |
| 1960 | } |
| 1961 | #ifdef FIONBIO |
| 1962 | if (s_nbio) |
| 1963 | { |
| 1964 | unsigned long sl=1; |
| 1965 | |
| 1966 | if (!s_quiet) |
| 1967 | BIO_printf(bio_err,"turning on non blocking io\n"); |
| 1968 | if (BIO_socket_ioctl(s,FIONBIO,&sl) < 0) |
| 1969 | ERR_print_errors(bio_err); |
| 1970 | } |
| 1971 | #endif |
| 1972 | |
| 1973 | if (con == NULL) { |
| 1974 | con=SSL_new(ctx); |
| 1975 | #ifndef OPENSSL_NO_TLSEXT |
| 1976 | if (s_tlsextdebug) |
| 1977 | { |
| 1978 | SSL_set_tlsext_debug_callback(con, tlsext_cb); |
| 1979 | SSL_set_tlsext_debug_arg(con, bio_s_out); |
| 1980 | } |
| 1981 | if (s_tlsextstatus) |
| 1982 | { |
| 1983 | SSL_CTX_set_tlsext_status_cb(ctx, cert_status_cb); |
| 1984 | tlscstatp.err = bio_err; |
| 1985 | SSL_CTX_set_tlsext_status_arg(ctx, &tlscstatp); |
| 1986 | } |
| 1987 | #endif |
| 1988 | #ifndef OPENSSL_NO_KRB5 |
| 1989 | if ((kctx = kssl_ctx_new()) != NULL) |
| 1990 | { |
| 1991 | SSL_set0_kssl_ctx(con, kctx); |
| 1992 | kssl_ctx_setstring(kctx, KSSL_SERVICE, KRB5SVC); |
| 1993 | kssl_ctx_setstring(kctx, KSSL_KEYTAB, KRB5KEYTAB); |
| 1994 | } |
| 1995 | #endif /* OPENSSL_NO_KRB5 */ |
| 1996 | if(context) |
| 1997 | SSL_set_session_id_context(con, context, |
| 1998 | strlen((char *)context)); |
| 1999 | } |
| 2000 | SSL_clear(con); |
| 2001 | #if 0 |
| 2002 | #ifdef TLSEXT_TYPE_opaque_prf_input |
| 2003 | SSL_set_tlsext_opaque_prf_input(con, "Test server", 11); |
| 2004 | #endif |
| 2005 | #endif |
| 2006 | |
| 2007 | if (SSL_version(con) == DTLS1_VERSION) |
| 2008 | { |
| 2009 | |
| 2010 | sbio=BIO_new_dgram(s,BIO_NOCLOSE); |
| 2011 | |
| 2012 | if (enable_timeouts) |
| 2013 | { |
| 2014 | timeout.tv_sec = 0; |
| 2015 | timeout.tv_usec = DGRAM_RCV_TIMEOUT; |
| 2016 | BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout); |
| 2017 | |
| 2018 | timeout.tv_sec = 0; |
| 2019 | timeout.tv_usec = DGRAM_SND_TIMEOUT; |
| 2020 | BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout); |
| 2021 | } |
| 2022 | |
| 2023 | if (socket_mtu > 28) |
| 2024 | { |
| 2025 | SSL_set_options(con, SSL_OP_NO_QUERY_MTU); |
| 2026 | SSL_set_mtu(con, socket_mtu - 28); |
| 2027 | } |
| 2028 | else |
| 2029 | /* want to do MTU discovery */ |
| 2030 | BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL); |
| 2031 | |
| 2032 | /* turn on cookie exchange */ |
| 2033 | SSL_set_options(con, SSL_OP_COOKIE_EXCHANGE); |
| 2034 | } |
| 2035 | else |
| 2036 | sbio=BIO_new_socket(s,BIO_NOCLOSE); |
| 2037 | |
| 2038 | if (s_nbio_test) |
| 2039 | { |
| 2040 | BIO *test; |
| 2041 | |
| 2042 | test=BIO_new(BIO_f_nbio_test()); |
| 2043 | sbio=BIO_push(test,sbio); |
| 2044 | } |
| 2045 | #ifndef OPENSSL_NO_JPAKE |
| 2046 | if(jpake_secret) |
| 2047 | jpake_server_auth(bio_s_out, sbio, jpake_secret); |
| 2048 | #endif |
| 2049 | |
| 2050 | SSL_set_bio(con,sbio,sbio); |
| 2051 | SSL_set_accept_state(con); |
| 2052 | /* SSL_set_fd(con,s); */ |
| 2053 | |
| 2054 | if (s_debug) |
| 2055 | { |
| 2056 | SSL_set_debug(con, 1); |
| 2057 | BIO_set_callback(SSL_get_rbio(con),bio_dump_callback); |
| 2058 | BIO_set_callback_arg(SSL_get_rbio(con),(char *)bio_s_out); |
| 2059 | } |
| 2060 | if (s_msg) |
| 2061 | { |
| 2062 | SSL_set_msg_callback(con, msg_cb); |
| 2063 | SSL_set_msg_callback_arg(con, bio_s_out); |
| 2064 | } |
| 2065 | #ifndef OPENSSL_NO_TLSEXT |
| 2066 | if (s_tlsextdebug) |
| 2067 | { |
| 2068 | SSL_set_tlsext_debug_callback(con, tlsext_cb); |
| 2069 | SSL_set_tlsext_debug_arg(con, bio_s_out); |
| 2070 | } |
| 2071 | #endif |
| 2072 | |
| 2073 | width=s+1; |
| 2074 | for (;;) |
| 2075 | { |
| 2076 | int read_from_terminal; |
| 2077 | int read_from_sslcon; |
| 2078 | |
| 2079 | read_from_terminal = 0; |
| 2080 | read_from_sslcon = SSL_pending(con); |
| 2081 | |
| 2082 | if (!read_from_sslcon) |
| 2083 | { |
| 2084 | FD_ZERO(&readfds); |
| 2085 | #if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE) && !defined(OPENSSL_SYS_BEOS_R5) |
| 2086 | openssl_fdset(fileno(stdin),&readfds); |
| 2087 | #endif |
| 2088 | openssl_fdset(s,&readfds); |
| 2089 | /* Note: under VMS with SOCKETSHR the second parameter is |
| 2090 | * currently of type (int *) whereas under other systems |
| 2091 | * it is (void *) if you don't have a cast it will choke |
| 2092 | * the compiler: if you do have a cast then you can either |
| 2093 | * go for (int *) or (void *). |
| 2094 | */ |
| 2095 | #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) |
| 2096 | /* Under DOS (non-djgpp) and Windows we can't select on stdin: only |
| 2097 | * on sockets. As a workaround we timeout the select every |
| 2098 | * second and check for any keypress. In a proper Windows |
| 2099 | * application we wouldn't do this because it is inefficient. |
| 2100 | */ |
| 2101 | tv.tv_sec = 1; |
| 2102 | tv.tv_usec = 0; |
| 2103 | i=select(width,(void *)&readfds,NULL,NULL,&tv); |
| 2104 | if((i < 0) || (!i && !_kbhit() ) )continue; |
| 2105 | if(_kbhit()) |
| 2106 | read_from_terminal = 1; |
| 2107 | #elif defined(OPENSSL_SYS_BEOS_R5) |
| 2108 | /* Under BeOS-R5 the situation is similar to DOS */ |
| 2109 | tv.tv_sec = 1; |
| 2110 | tv.tv_usec = 0; |
| 2111 | (void)fcntl(fileno(stdin), F_SETFL, O_NONBLOCK); |
| 2112 | i=select(width,(void *)&readfds,NULL,NULL,&tv); |
| 2113 | if ((i < 0) || (!i && read(fileno(stdin), buf, 0) < 0)) |
| 2114 | continue; |
| 2115 | if (read(fileno(stdin), buf, 0) >= 0) |
| 2116 | read_from_terminal = 1; |
| 2117 | (void)fcntl(fileno(stdin), F_SETFL, 0); |
| 2118 | #else |
| 2119 | if ((SSL_version(con) == DTLS1_VERSION) && |
| 2120 | DTLSv1_get_timeout(con, &timeout)) |
| 2121 | timeoutp = &timeout; |
| 2122 | else |
| 2123 | timeoutp = NULL; |
| 2124 | |
| 2125 | i=select(width,(void *)&readfds,NULL,NULL,timeoutp); |
| 2126 | |
| 2127 | if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0) |
| 2128 | { |
| 2129 | BIO_printf(bio_err,"TIMEOUT occured\n"); |
| 2130 | } |
| 2131 | |
| 2132 | if (i <= 0) continue; |
| 2133 | if (FD_ISSET(fileno(stdin),&readfds)) |
| 2134 | read_from_terminal = 1; |
| 2135 | #endif |
| 2136 | if (FD_ISSET(s,&readfds)) |
| 2137 | read_from_sslcon = 1; |
| 2138 | } |
| 2139 | if (read_from_terminal) |
| 2140 | { |
| 2141 | if (s_crlf) |
| 2142 | { |
| 2143 | int j, lf_num; |
| 2144 | |
| 2145 | i=raw_read_stdin(buf, bufsize/2); |
| 2146 | lf_num = 0; |
| 2147 | /* both loops are skipped when i <= 0 */ |
| 2148 | for (j = 0; j < i; j++) |
| 2149 | if (buf[j] == '\n') |
| 2150 | lf_num++; |
| 2151 | for (j = i-1; j >= 0; j--) |
| 2152 | { |
| 2153 | buf[j+lf_num] = buf[j]; |
| 2154 | if (buf[j] == '\n') |
| 2155 | { |
| 2156 | lf_num--; |
| 2157 | i++; |
| 2158 | buf[j+lf_num] = '\r'; |
| 2159 | } |
| 2160 | } |
| 2161 | assert(lf_num == 0); |
| 2162 | } |
| 2163 | else |
| 2164 | i=raw_read_stdin(buf,bufsize); |
| 2165 | if (!s_quiet) |
| 2166 | { |
| 2167 | if ((i <= 0) || (buf[0] == 'Q')) |
| 2168 | { |
| 2169 | BIO_printf(bio_s_out,"DONE\n"); |
| 2170 | SHUTDOWN(s); |
| 2171 | close_accept_socket(); |
| 2172 | ret= -11; |
| 2173 | goto err; |
| 2174 | } |
| 2175 | if ((i <= 0) || (buf[0] == 'q')) |
| 2176 | { |
| 2177 | BIO_printf(bio_s_out,"DONE\n"); |
| 2178 | if (SSL_version(con) != DTLS1_VERSION) |
| 2179 | SHUTDOWN(s); |
| 2180 | /* close_accept_socket(); |
| 2181 | ret= -11;*/ |
| 2182 | goto err; |
| 2183 | } |
| 2184 | |
| 2185 | #ifndef OPENSSL_NO_HEARTBEATS |
| 2186 | if ((buf[0] == 'B') && |
| 2187 | ((buf[1] == '\n') || (buf[1] == '\r'))) |
| 2188 | { |
| 2189 | BIO_printf(bio_err,"HEARTBEATING\n"); |
| 2190 | SSL_heartbeat(con); |
| 2191 | i=0; |
| 2192 | continue; |
| 2193 | } |
| 2194 | #endif |
| 2195 | if ((buf[0] == 'r') && |
| 2196 | ((buf[1] == '\n') || (buf[1] == '\r'))) |
| 2197 | { |
| 2198 | SSL_renegotiate(con); |
| 2199 | i=SSL_do_handshake(con); |
| 2200 | printf("SSL_do_handshake -> %d\n",i); |
| 2201 | i=0; /*13; */ |
| 2202 | continue; |
| 2203 | /* strcpy(buf,"server side RE-NEGOTIATE\n"); */ |
| 2204 | } |
| 2205 | if ((buf[0] == 'R') && |
| 2206 | ((buf[1] == '\n') || (buf[1] == '\r'))) |
| 2207 | { |
| 2208 | SSL_set_verify(con, |
| 2209 | SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE,NULL); |
| 2210 | SSL_renegotiate(con); |
| 2211 | i=SSL_do_handshake(con); |
| 2212 | printf("SSL_do_handshake -> %d\n",i); |
| 2213 | i=0; /* 13; */ |
| 2214 | continue; |
| 2215 | /* strcpy(buf,"server side RE-NEGOTIATE asking for client cert\n"); */ |
| 2216 | } |
| 2217 | if (buf[0] == 'P') |
| 2218 | { |
| 2219 | static const char *str="Lets print some clear text\n"; |
| 2220 | BIO_write(SSL_get_wbio(con),str,strlen(str)); |
| 2221 | } |
| 2222 | if (buf[0] == 'S') |
| 2223 | { |
| 2224 | print_stats(bio_s_out,SSL_get_SSL_CTX(con)); |
| 2225 | } |
| 2226 | } |
| 2227 | #ifdef CHARSET_EBCDIC |
| 2228 | ebcdic2ascii(buf,buf,i); |
| 2229 | #endif |
| 2230 | l=k=0; |
| 2231 | for (;;) |
| 2232 | { |
| 2233 | /* should do a select for the write */ |
| 2234 | #ifdef RENEG |
| 2235 | { static count=0; if (++count == 100) { count=0; SSL_renegotiate(con); } } |
| 2236 | #endif |
| 2237 | k=SSL_write(con,&(buf[l]),(unsigned int)i); |
| 2238 | #ifndef OPENSSL_NO_SRP |
| 2239 | while (SSL_get_error(con,k) == SSL_ERROR_WANT_X509_LOOKUP) |
| 2240 | { |
| 2241 | BIO_printf(bio_s_out,"LOOKUP renego during write\n"); |
| 2242 | srp_callback_parm.user = SRP_VBASE_get_by_user(srp_callback_parm.vb, srp_callback_parm.login); |
| 2243 | if (srp_callback_parm.user) |
| 2244 | BIO_printf(bio_s_out,"LOOKUP done %s\n",srp_callback_parm.user->info); |
| 2245 | else |
| 2246 | BIO_printf(bio_s_out,"LOOKUP not successful\n"); |
| 2247 | k=SSL_write(con,&(buf[l]),(unsigned int)i); |
| 2248 | } |
| 2249 | #endif |
| 2250 | switch (SSL_get_error(con,k)) |
| 2251 | { |
| 2252 | case SSL_ERROR_NONE: |
| 2253 | break; |
| 2254 | case SSL_ERROR_WANT_WRITE: |
| 2255 | case SSL_ERROR_WANT_READ: |
| 2256 | case SSL_ERROR_WANT_X509_LOOKUP: |
| 2257 | BIO_printf(bio_s_out,"Write BLOCK\n"); |
| 2258 | break; |
| 2259 | case SSL_ERROR_SYSCALL: |
| 2260 | case SSL_ERROR_SSL: |
| 2261 | BIO_printf(bio_s_out,"ERROR\n"); |
| 2262 | ERR_print_errors(bio_err); |
| 2263 | ret=1; |
| 2264 | goto err; |
| 2265 | /* break; */ |
| 2266 | case SSL_ERROR_ZERO_RETURN: |
| 2267 | BIO_printf(bio_s_out,"DONE\n"); |
| 2268 | ret=1; |
| 2269 | goto err; |
| 2270 | } |
| 2271 | l+=k; |
| 2272 | i-=k; |
| 2273 | if (i <= 0) break; |
| 2274 | } |
| 2275 | } |
| 2276 | if (read_from_sslcon) |
| 2277 | { |
| 2278 | if (!SSL_is_init_finished(con)) |
| 2279 | { |
| 2280 | i=init_ssl_connection(con); |
| 2281 | |
| 2282 | if (i < 0) |
| 2283 | { |
| 2284 | ret=0; |
| 2285 | goto err; |
| 2286 | } |
| 2287 | else if (i == 0) |
| 2288 | { |
| 2289 | ret=1; |
| 2290 | goto err; |
| 2291 | } |
| 2292 | } |
| 2293 | else |
| 2294 | { |
| 2295 | again: |
| 2296 | i=SSL_read(con,(char *)buf,bufsize); |
| 2297 | #ifndef OPENSSL_NO_SRP |
| 2298 | while (SSL_get_error(con,i) == SSL_ERROR_WANT_X509_LOOKUP) |
| 2299 | { |
| 2300 | BIO_printf(bio_s_out,"LOOKUP renego during read\n"); |
| 2301 | srp_callback_parm.user = SRP_VBASE_get_by_user(srp_callback_parm.vb, srp_callback_parm.login); |
| 2302 | if (srp_callback_parm.user) |
| 2303 | BIO_printf(bio_s_out,"LOOKUP done %s\n",srp_callback_parm.user->info); |
| 2304 | else |
| 2305 | BIO_printf(bio_s_out,"LOOKUP not successful\n"); |
| 2306 | i=SSL_read(con,(char *)buf,bufsize); |
| 2307 | } |
| 2308 | #endif |
| 2309 | switch (SSL_get_error(con,i)) |
| 2310 | { |
| 2311 | case SSL_ERROR_NONE: |
| 2312 | #ifdef CHARSET_EBCDIC |
| 2313 | ascii2ebcdic(buf,buf,i); |
| 2314 | #endif |
| 2315 | raw_write_stdout(buf, |
| 2316 | (unsigned int)i); |
| 2317 | if (SSL_pending(con)) goto again; |
| 2318 | break; |
| 2319 | case SSL_ERROR_WANT_WRITE: |
| 2320 | case SSL_ERROR_WANT_READ: |
| 2321 | BIO_printf(bio_s_out,"Read BLOCK\n"); |
| 2322 | break; |
| 2323 | case SSL_ERROR_SYSCALL: |
| 2324 | case SSL_ERROR_SSL: |
| 2325 | BIO_printf(bio_s_out,"ERROR\n"); |
| 2326 | ERR_print_errors(bio_err); |
| 2327 | ret=1; |
| 2328 | goto err; |
| 2329 | case SSL_ERROR_ZERO_RETURN: |
| 2330 | BIO_printf(bio_s_out,"DONE\n"); |
| 2331 | ret=1; |
| 2332 | goto err; |
| 2333 | } |
| 2334 | } |
| 2335 | } |
| 2336 | } |
| 2337 | err: |
| 2338 | if (con != NULL) |
| 2339 | { |
| 2340 | BIO_printf(bio_s_out,"shutting down SSL\n"); |
| 2341 | #if 1 |
| 2342 | SSL_set_shutdown(con,SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); |
| 2343 | #else |
| 2344 | SSL_shutdown(con); |
| 2345 | #endif |
| 2346 | SSL_free(con); |
| 2347 | } |
| 2348 | BIO_printf(bio_s_out,"CONNECTION CLOSED\n"); |
| 2349 | if (buf != NULL) |
| 2350 | { |
| 2351 | OPENSSL_cleanse(buf,bufsize); |
| 2352 | OPENSSL_free(buf); |
| 2353 | } |
| 2354 | if (ret >= 0) |
| 2355 | BIO_printf(bio_s_out,"ACCEPT\n"); |
| 2356 | return(ret); |
| 2357 | } |
| 2358 | |
| 2359 | static void close_accept_socket(void) |
| 2360 | { |
| 2361 | BIO_printf(bio_err,"shutdown accept socket\n"); |
| 2362 | if (accept_socket >= 0) |
| 2363 | { |
| 2364 | SHUTDOWN2(accept_socket); |
| 2365 | } |
| 2366 | } |
| 2367 | |
| 2368 | static int init_ssl_connection(SSL *con) |
| 2369 | { |
| 2370 | int i; |
| 2371 | const char *str; |
| 2372 | X509 *peer; |
| 2373 | long verify_error; |
| 2374 | MS_STATIC char buf[BUFSIZ]; |
| 2375 | #ifndef OPENSSL_NO_KRB5 |
| 2376 | char *client_princ; |
| 2377 | #endif |
| 2378 | #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) |
| 2379 | const unsigned char *next_proto_neg; |
| 2380 | unsigned next_proto_neg_len; |
| 2381 | #endif |
| 2382 | unsigned char *exportedkeymat; |
| 2383 | |
| 2384 | |
| 2385 | i=SSL_accept(con); |
| 2386 | #ifndef OPENSSL_NO_SRP |
| 2387 | while (i <= 0 && SSL_get_error(con,i) == SSL_ERROR_WANT_X509_LOOKUP) |
| 2388 | { |
| 2389 | BIO_printf(bio_s_out,"LOOKUP during accept %s\n",srp_callback_parm.login); |
| 2390 | srp_callback_parm.user = SRP_VBASE_get_by_user(srp_callback_parm.vb, srp_callback_parm.login); |
| 2391 | if (srp_callback_parm.user) |
| 2392 | BIO_printf(bio_s_out,"LOOKUP done %s\n",srp_callback_parm.user->info); |
| 2393 | else |
| 2394 | BIO_printf(bio_s_out,"LOOKUP not successful\n"); |
| 2395 | i=SSL_accept(con); |
| 2396 | } |
| 2397 | #endif |
| 2398 | if (i <= 0) |
| 2399 | { |
| 2400 | if (BIO_sock_should_retry(i)) |
| 2401 | { |
| 2402 | BIO_printf(bio_s_out,"DELAY\n"); |
| 2403 | return(1); |
| 2404 | } |
| 2405 | |
| 2406 | BIO_printf(bio_err,"ERROR\n"); |
| 2407 | verify_error=SSL_get_verify_result(con); |
| 2408 | if (verify_error != X509_V_OK) |
| 2409 | { |
| 2410 | BIO_printf(bio_err,"verify error:%s\n", |
| 2411 | X509_verify_cert_error_string(verify_error)); |
| 2412 | } |
| 2413 | else |
| 2414 | ERR_print_errors(bio_err); |
| 2415 | return(0); |
| 2416 | } |
| 2417 | |
| 2418 | PEM_write_bio_SSL_SESSION(bio_s_out,SSL_get_session(con)); |
| 2419 | |
| 2420 | peer=SSL_get_peer_certificate(con); |
| 2421 | if (peer != NULL) |
| 2422 | { |
| 2423 | BIO_printf(bio_s_out,"Client certificate\n"); |
| 2424 | PEM_write_bio_X509(bio_s_out,peer); |
| 2425 | X509_NAME_oneline(X509_get_subject_name(peer),buf,sizeof buf); |
| 2426 | BIO_printf(bio_s_out,"subject=%s\n",buf); |
| 2427 | X509_NAME_oneline(X509_get_issuer_name(peer),buf,sizeof buf); |
| 2428 | BIO_printf(bio_s_out,"issuer=%s\n",buf); |
| 2429 | X509_free(peer); |
| 2430 | } |
| 2431 | |
| 2432 | if (SSL_get_shared_ciphers(con,buf,sizeof buf) != NULL) |
| 2433 | BIO_printf(bio_s_out,"Shared ciphers:%s\n",buf); |
| 2434 | str=SSL_CIPHER_get_name(SSL_get_current_cipher(con)); |
| 2435 | BIO_printf(bio_s_out,"CIPHER is %s\n",(str != NULL)?str:"(NONE)"); |
| 2436 | #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) |
| 2437 | SSL_get0_next_proto_negotiated(con, &next_proto_neg, &next_proto_neg_len); |
| 2438 | if (next_proto_neg) |
| 2439 | { |
| 2440 | BIO_printf(bio_s_out,"NEXTPROTO is "); |
| 2441 | BIO_write(bio_s_out, next_proto_neg, next_proto_neg_len); |
| 2442 | BIO_printf(bio_s_out, "\n"); |
| 2443 | } |
| 2444 | #endif |
| 2445 | { |
| 2446 | SRTP_PROTECTION_PROFILE *srtp_profile |
| 2447 | = SSL_get_selected_srtp_profile(con); |
| 2448 | |
| 2449 | if(srtp_profile) |
| 2450 | BIO_printf(bio_s_out,"SRTP Extension negotiated, profile=%s\n", |
| 2451 | srtp_profile->name); |
| 2452 | } |
| 2453 | if (SSL_cache_hit(con)) BIO_printf(bio_s_out,"Reused session-id\n"); |
| 2454 | if (SSL_ctrl(con,SSL_CTRL_GET_FLAGS,0,NULL) & |
| 2455 | TLS1_FLAGS_TLS_PADDING_BUG) |
| 2456 | BIO_printf(bio_s_out, |
| 2457 | "Peer has incorrect TLSv1 block padding\n"); |
| 2458 | #ifndef OPENSSL_NO_KRB5 |
| 2459 | client_princ = kssl_ctx_get0_client_princ(SSL_get0_kssl_ctx(con)); |
| 2460 | if (client_princ != NULL) |
| 2461 | { |
| 2462 | BIO_printf(bio_s_out,"Kerberos peer principal is %s\n", |
| 2463 | client_princ); |
| 2464 | } |
| 2465 | #endif /* OPENSSL_NO_KRB5 */ |
| 2466 | BIO_printf(bio_s_out, "Secure Renegotiation IS%s supported\n", |
| 2467 | SSL_get_secure_renegotiation_support(con) ? "" : " NOT"); |
| 2468 | if (keymatexportlabel != NULL) |
| 2469 | { |
| 2470 | BIO_printf(bio_s_out, "Keying material exporter:\n"); |
| 2471 | BIO_printf(bio_s_out, " Label: '%s'\n", keymatexportlabel); |
| 2472 | BIO_printf(bio_s_out, " Length: %i bytes\n", |
| 2473 | keymatexportlen); |
| 2474 | exportedkeymat = OPENSSL_malloc(keymatexportlen); |
| 2475 | if (exportedkeymat != NULL) |
| 2476 | { |
| 2477 | if (!SSL_export_keying_material(con, exportedkeymat, |
| 2478 | keymatexportlen, |
| 2479 | keymatexportlabel, |
| 2480 | strlen(keymatexportlabel), |
| 2481 | NULL, 0, 0)) |
| 2482 | { |
| 2483 | BIO_printf(bio_s_out, " Error\n"); |
| 2484 | } |
| 2485 | else |
| 2486 | { |
| 2487 | BIO_printf(bio_s_out, " Keying material: "); |
| 2488 | for (i=0; i<keymatexportlen; i++) |
| 2489 | BIO_printf(bio_s_out, "%02X", |
| 2490 | exportedkeymat[i]); |
| 2491 | BIO_printf(bio_s_out, "\n"); |
| 2492 | } |
| 2493 | OPENSSL_free(exportedkeymat); |
| 2494 | } |
| 2495 | } |
| 2496 | |
| 2497 | return(1); |
| 2498 | } |
| 2499 | |
| 2500 | #ifndef OPENSSL_NO_DH |
| 2501 | static DH *load_dh_param(const char *dhfile) |
| 2502 | { |
| 2503 | DH *ret=NULL; |
| 2504 | BIO *bio; |
| 2505 | |
| 2506 | if ((bio=BIO_new_file(dhfile,"r")) == NULL) |
| 2507 | goto err; |
| 2508 | ret=PEM_read_bio_DHparams(bio,NULL,NULL,NULL); |
| 2509 | err: |
| 2510 | if (bio != NULL) BIO_free(bio); |
| 2511 | return(ret); |
| 2512 | } |
| 2513 | #endif |
| 2514 | #ifndef OPENSSL_NO_KRB5 |
| 2515 | char *client_princ; |
| 2516 | #endif |
| 2517 | |
| 2518 | #if 0 |
| 2519 | static int load_CA(SSL_CTX *ctx, char *file) |
| 2520 | { |
| 2521 | FILE *in; |
| 2522 | X509 *x=NULL; |
| 2523 | |
| 2524 | if ((in=fopen(file,"r")) == NULL) |
| 2525 | return(0); |
| 2526 | |
| 2527 | for (;;) |
| 2528 | { |
| 2529 | if (PEM_read_X509(in,&x,NULL) == NULL) |
| 2530 | break; |
| 2531 | SSL_CTX_add_client_CA(ctx,x); |
| 2532 | } |
| 2533 | if (x != NULL) X509_free(x); |
| 2534 | fclose(in); |
| 2535 | return(1); |
| 2536 | } |
| 2537 | #endif |
| 2538 | |
| 2539 | static int www_body(char *hostname, int s, unsigned char *context) |
| 2540 | { |
| 2541 | char *buf=NULL; |
| 2542 | int ret=1; |
| 2543 | int i,j,k,dot; |
| 2544 | SSL *con; |
| 2545 | const SSL_CIPHER *c; |
| 2546 | BIO *io,*ssl_bio,*sbio; |
| 2547 | #ifndef OPENSSL_NO_KRB5 |
| 2548 | KSSL_CTX *kctx; |
| 2549 | #endif |
| 2550 | |
| 2551 | buf=OPENSSL_malloc(bufsize); |
| 2552 | if (buf == NULL) return(0); |
| 2553 | io=BIO_new(BIO_f_buffer()); |
| 2554 | ssl_bio=BIO_new(BIO_f_ssl()); |
| 2555 | if ((io == NULL) || (ssl_bio == NULL)) goto err; |
| 2556 | |
| 2557 | #ifdef FIONBIO |
| 2558 | if (s_nbio) |
| 2559 | { |
| 2560 | unsigned long sl=1; |
| 2561 | |
| 2562 | if (!s_quiet) |
| 2563 | BIO_printf(bio_err,"turning on non blocking io\n"); |
| 2564 | if (BIO_socket_ioctl(s,FIONBIO,&sl) < 0) |
| 2565 | ERR_print_errors(bio_err); |
| 2566 | } |
| 2567 | #endif |
| 2568 | |
| 2569 | /* lets make the output buffer a reasonable size */ |
| 2570 | if (!BIO_set_write_buffer_size(io,bufsize)) goto err; |
| 2571 | |
| 2572 | if ((con=SSL_new(ctx)) == NULL) goto err; |
| 2573 | #ifndef OPENSSL_NO_TLSEXT |
| 2574 | if (s_tlsextdebug) |
| 2575 | { |
| 2576 | SSL_set_tlsext_debug_callback(con, tlsext_cb); |
| 2577 | SSL_set_tlsext_debug_arg(con, bio_s_out); |
| 2578 | } |
| 2579 | #endif |
| 2580 | #ifndef OPENSSL_NO_KRB5 |
| 2581 | if ((kctx = kssl_ctx_new()) != NULL) |
| 2582 | { |
| 2583 | kssl_ctx_setstring(kctx, KSSL_SERVICE, KRB5SVC); |
| 2584 | kssl_ctx_setstring(kctx, KSSL_KEYTAB, KRB5KEYTAB); |
| 2585 | } |
| 2586 | #endif /* OPENSSL_NO_KRB5 */ |
| 2587 | if(context) SSL_set_session_id_context(con, context, |
| 2588 | strlen((char *)context)); |
| 2589 | |
| 2590 | sbio=BIO_new_socket(s,BIO_NOCLOSE); |
| 2591 | if (s_nbio_test) |
| 2592 | { |
| 2593 | BIO *test; |
| 2594 | |
| 2595 | test=BIO_new(BIO_f_nbio_test()); |
| 2596 | sbio=BIO_push(test,sbio); |
| 2597 | } |
| 2598 | SSL_set_bio(con,sbio,sbio); |
| 2599 | SSL_set_accept_state(con); |
| 2600 | |
| 2601 | /* SSL_set_fd(con,s); */ |
| 2602 | BIO_set_ssl(ssl_bio,con,BIO_CLOSE); |
| 2603 | BIO_push(io,ssl_bio); |
| 2604 | #ifdef CHARSET_EBCDIC |
| 2605 | io = BIO_push(BIO_new(BIO_f_ebcdic_filter()),io); |
| 2606 | #endif |
| 2607 | |
| 2608 | if (s_debug) |
| 2609 | { |
| 2610 | SSL_set_debug(con, 1); |
| 2611 | BIO_set_callback(SSL_get_rbio(con),bio_dump_callback); |
| 2612 | BIO_set_callback_arg(SSL_get_rbio(con),(char *)bio_s_out); |
| 2613 | } |
| 2614 | if (s_msg) |
| 2615 | { |
| 2616 | SSL_set_msg_callback(con, msg_cb); |
| 2617 | SSL_set_msg_callback_arg(con, bio_s_out); |
| 2618 | } |
| 2619 | |
| 2620 | for (;;) |
| 2621 | { |
| 2622 | if (hack) |
| 2623 | { |
| 2624 | i=SSL_accept(con); |
| 2625 | #ifndef OPENSSL_NO_SRP |
| 2626 | while (i <= 0 && SSL_get_error(con,i) == SSL_ERROR_WANT_X509_LOOKUP) |
| 2627 | { |
| 2628 | BIO_printf(bio_s_out,"LOOKUP during accept %s\n",srp_callback_parm.login); |
| 2629 | srp_callback_parm.user = SRP_VBASE_get_by_user(srp_callback_parm.vb, srp_callback_parm.login); |
| 2630 | if (srp_callback_parm.user) |
| 2631 | BIO_printf(bio_s_out,"LOOKUP done %s\n",srp_callback_parm.user->info); |
| 2632 | else |
| 2633 | BIO_printf(bio_s_out,"LOOKUP not successful\n"); |
| 2634 | i=SSL_accept(con); |
| 2635 | } |
| 2636 | #endif |
| 2637 | switch (SSL_get_error(con,i)) |
| 2638 | { |
| 2639 | case SSL_ERROR_NONE: |
| 2640 | break; |
| 2641 | case SSL_ERROR_WANT_WRITE: |
| 2642 | case SSL_ERROR_WANT_READ: |
| 2643 | case SSL_ERROR_WANT_X509_LOOKUP: |
| 2644 | continue; |
| 2645 | case SSL_ERROR_SYSCALL: |
| 2646 | case SSL_ERROR_SSL: |
| 2647 | case SSL_ERROR_ZERO_RETURN: |
| 2648 | ret=1; |
| 2649 | goto err; |
| 2650 | /* break; */ |
| 2651 | } |
| 2652 | |
| 2653 | SSL_renegotiate(con); |
| 2654 | SSL_write(con,NULL,0); |
| 2655 | } |
| 2656 | |
| 2657 | i=BIO_gets(io,buf,bufsize-1); |
| 2658 | if (i < 0) /* error */ |
| 2659 | { |
| 2660 | if (!BIO_should_retry(io)) |
| 2661 | { |
| 2662 | if (!s_quiet) |
| 2663 | ERR_print_errors(bio_err); |
| 2664 | goto err; |
| 2665 | } |
| 2666 | else |
| 2667 | { |
| 2668 | BIO_printf(bio_s_out,"read R BLOCK\n"); |
| 2669 | #if defined(OPENSSL_SYS_NETWARE) |
| 2670 | delay(1000); |
| 2671 | #elif !defined(OPENSSL_SYS_MSDOS) && !defined(__DJGPP__) |
| 2672 | sleep(1); |
| 2673 | #endif |
| 2674 | continue; |
| 2675 | } |
| 2676 | } |
| 2677 | else if (i == 0) /* end of input */ |
| 2678 | { |
| 2679 | ret=1; |
| 2680 | goto end; |
| 2681 | } |
| 2682 | |
| 2683 | /* else we have data */ |
| 2684 | if ( ((www == 1) && (strncmp("GET ",buf,4) == 0)) || |
| 2685 | ((www == 2) && (strncmp("GET /stats ",buf,10) == 0))) |
| 2686 | { |
| 2687 | char *p; |
| 2688 | X509 *peer; |
| 2689 | STACK_OF(SSL_CIPHER) *sk; |
| 2690 | static const char *space=" "; |
| 2691 | |
| 2692 | BIO_puts(io,"HTTP/1.0 200 ok\r\nContent-type: text/html\r\n\r\n"); |
| 2693 | BIO_puts(io,"<HTML><BODY BGCOLOR=\"#ffffff\">\n"); |
| 2694 | BIO_puts(io,"<pre>\n"); |
| 2695 | /* BIO_puts(io,SSLeay_version(SSLEAY_VERSION));*/ |
| 2696 | BIO_puts(io,"\n"); |
| 2697 | for (i=0; i<local_argc; i++) |
| 2698 | { |
| 2699 | BIO_puts(io,local_argv[i]); |
| 2700 | BIO_write(io," ",1); |
| 2701 | } |
| 2702 | BIO_puts(io,"\n"); |
| 2703 | |
| 2704 | /* The following is evil and should not really |
| 2705 | * be done */ |
| 2706 | BIO_printf(io,"Ciphers supported in s_server binary\n"); |
| 2707 | sk=SSL_get_ciphers(con); |
| 2708 | j=sk_SSL_CIPHER_num(sk); |
| 2709 | for (i=0; i<j; i++) |
| 2710 | { |
| 2711 | c=sk_SSL_CIPHER_value(sk,i); |
| 2712 | BIO_printf(io,"%-11s:%-25s", |
| 2713 | SSL_CIPHER_get_version(c), |
| 2714 | SSL_CIPHER_get_name(c)); |
| 2715 | if ((((i+1)%2) == 0) && (i+1 != j)) |
| 2716 | BIO_puts(io,"\n"); |
| 2717 | } |
| 2718 | BIO_puts(io,"\n"); |
| 2719 | p=SSL_get_shared_ciphers(con,buf,bufsize); |
| 2720 | if (p != NULL) |
| 2721 | { |
| 2722 | BIO_printf(io,"---\nCiphers common between both SSL end points:\n"); |
| 2723 | j=i=0; |
| 2724 | while (*p) |
| 2725 | { |
| 2726 | if (*p == ':') |
| 2727 | { |
| 2728 | BIO_write(io,space,26-j); |
| 2729 | i++; |
| 2730 | j=0; |
| 2731 | BIO_write(io,((i%3)?" ":"\n"),1); |
| 2732 | } |
| 2733 | else |
| 2734 | { |
| 2735 | BIO_write(io,p,1); |
| 2736 | j++; |
| 2737 | } |
| 2738 | p++; |
| 2739 | } |
| 2740 | BIO_puts(io,"\n"); |
| 2741 | } |
| 2742 | BIO_printf(io,(SSL_cache_hit(con) |
| 2743 | ?"---\nReused, " |
| 2744 | :"---\nNew, ")); |
| 2745 | c=SSL_get_current_cipher(con); |
| 2746 | BIO_printf(io,"%s, Cipher is %s\n", |
| 2747 | SSL_CIPHER_get_version(c), |
| 2748 | SSL_CIPHER_get_name(c)); |
| 2749 | SSL_SESSION_print(io,SSL_get_session(con)); |
| 2750 | BIO_printf(io,"---\n"); |
| 2751 | print_stats(io,SSL_get_SSL_CTX(con)); |
| 2752 | BIO_printf(io,"---\n"); |
| 2753 | peer=SSL_get_peer_certificate(con); |
| 2754 | if (peer != NULL) |
| 2755 | { |
| 2756 | BIO_printf(io,"Client certificate\n"); |
| 2757 | X509_print(io,peer); |
| 2758 | PEM_write_bio_X509(io,peer); |
| 2759 | } |
| 2760 | else |
| 2761 | BIO_puts(io,"no client certificate available\n"); |
| 2762 | BIO_puts(io,"</BODY></HTML>\r\n\r\n"); |
| 2763 | break; |
| 2764 | } |
| 2765 | else if ((www == 2 || www == 3) |
| 2766 | && (strncmp("GET /",buf,5) == 0)) |
| 2767 | { |
| 2768 | BIO *file; |
| 2769 | char *p,*e; |
| 2770 | static const char *text="HTTP/1.0 200 ok\r\nContent-type: text/plain\r\n\r\n"; |
| 2771 | |
| 2772 | /* skip the '/' */ |
| 2773 | p= &(buf[5]); |
| 2774 | |
| 2775 | dot = 1; |
| 2776 | for (e=p; *e != '\0'; e++) |
| 2777 | { |
| 2778 | if (e[0] == ' ') |
| 2779 | break; |
| 2780 | |
| 2781 | switch (dot) |
| 2782 | { |
| 2783 | case 1: |
| 2784 | dot = (e[0] == '.') ? 2 : 0; |
| 2785 | break; |
| 2786 | case 2: |
| 2787 | dot = (e[0] == '.') ? 3 : 0; |
| 2788 | break; |
| 2789 | case 3: |
| 2790 | dot = (e[0] == '/') ? -1 : 0; |
| 2791 | break; |
| 2792 | } |
| 2793 | if (dot == 0) |
| 2794 | dot = (e[0] == '/') ? 1 : 0; |
| 2795 | } |
| 2796 | dot = (dot == 3) || (dot == -1); /* filename contains ".." component */ |
| 2797 | |
| 2798 | if (*e == '\0') |
| 2799 | { |
| 2800 | BIO_puts(io,text); |
| 2801 | BIO_printf(io,"'%s' is an invalid file name\r\n",p); |
| 2802 | break; |
| 2803 | } |
| 2804 | *e='\0'; |
| 2805 | |
| 2806 | if (dot) |
| 2807 | { |
| 2808 | BIO_puts(io,text); |
| 2809 | BIO_printf(io,"'%s' contains '..' reference\r\n",p); |
| 2810 | break; |
| 2811 | } |
| 2812 | |
| 2813 | if (*p == '/') |
| 2814 | { |
| 2815 | BIO_puts(io,text); |
| 2816 | BIO_printf(io,"'%s' is an invalid path\r\n",p); |
| 2817 | break; |
| 2818 | } |
| 2819 | |
| 2820 | #if 0 |
| 2821 | /* append if a directory lookup */ |
| 2822 | if (e[-1] == '/') |
| 2823 | strcat(p,"index.html"); |
| 2824 | #endif |
| 2825 | |
| 2826 | /* if a directory, do the index thang */ |
| 2827 | if (app_isdir(p)>0) |
| 2828 | { |
| 2829 | #if 0 /* must check buffer size */ |
| 2830 | strcat(p,"/index.html"); |
| 2831 | #else |
| 2832 | BIO_puts(io,text); |
| 2833 | BIO_printf(io,"'%s' is a directory\r\n",p); |
| 2834 | break; |
| 2835 | #endif |
| 2836 | } |
| 2837 | |
| 2838 | if ((file=BIO_new_file(p,"r")) == NULL) |
| 2839 | { |
| 2840 | BIO_puts(io,text); |
| 2841 | BIO_printf(io,"Error opening '%s'\r\n",p); |
| 2842 | ERR_print_errors(io); |
| 2843 | break; |
| 2844 | } |
| 2845 | |
| 2846 | if (!s_quiet) |
| 2847 | BIO_printf(bio_err,"FILE:%s\n",p); |
| 2848 | |
| 2849 | if (www == 2) |
| 2850 | { |
| 2851 | i=strlen(p); |
| 2852 | if ( ((i > 5) && (strcmp(&(p[i-5]),".html") == 0)) || |
| 2853 | ((i > 4) && (strcmp(&(p[i-4]),".php") == 0)) || |
| 2854 | ((i > 4) && (strcmp(&(p[i-4]),".htm") == 0))) |
| 2855 | BIO_puts(io,"HTTP/1.0 200 ok\r\nContent-type: text/html\r\n\r\n"); |
| 2856 | else |
| 2857 | BIO_puts(io,"HTTP/1.0 200 ok\r\nContent-type: text/plain\r\n\r\n"); |
| 2858 | } |
| 2859 | /* send the file */ |
| 2860 | for (;;) |
| 2861 | { |
| 2862 | i=BIO_read(file,buf,bufsize); |
| 2863 | if (i <= 0) break; |
| 2864 | |
| 2865 | #ifdef RENEG |
| 2866 | total_bytes+=i; |
| 2867 | fprintf(stderr,"%d\n",i); |
| 2868 | if (total_bytes > 3*1024) |
| 2869 | { |
| 2870 | total_bytes=0; |
| 2871 | fprintf(stderr,"RENEGOTIATE\n"); |
| 2872 | SSL_renegotiate(con); |
| 2873 | } |
| 2874 | #endif |
| 2875 | |
| 2876 | for (j=0; j<i; ) |
| 2877 | { |
| 2878 | #ifdef RENEG |
| 2879 | { static count=0; if (++count == 13) { SSL_renegotiate(con); } } |
| 2880 | #endif |
| 2881 | k=BIO_write(io,&(buf[j]),i-j); |
| 2882 | if (k <= 0) |
| 2883 | { |
| 2884 | if (!BIO_should_retry(io)) |
| 2885 | goto write_error; |
| 2886 | else |
| 2887 | { |
| 2888 | BIO_printf(bio_s_out,"rwrite W BLOCK\n"); |
| 2889 | } |
| 2890 | } |
| 2891 | else |
| 2892 | { |
| 2893 | j+=k; |
| 2894 | } |
| 2895 | } |
| 2896 | } |
| 2897 | write_error: |
| 2898 | BIO_free(file); |
| 2899 | break; |
| 2900 | } |
| 2901 | } |
| 2902 | |
| 2903 | for (;;) |
| 2904 | { |
| 2905 | i=(int)BIO_flush(io); |
| 2906 | if (i <= 0) |
| 2907 | { |
| 2908 | if (!BIO_should_retry(io)) |
| 2909 | break; |
| 2910 | } |
| 2911 | else |
| 2912 | break; |
| 2913 | } |
| 2914 | end: |
| 2915 | #if 1 |
| 2916 | /* make sure we re-use sessions */ |
| 2917 | SSL_set_shutdown(con,SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); |
| 2918 | #else |
| 2919 | /* This kills performance */ |
| 2920 | /* SSL_shutdown(con); A shutdown gets sent in the |
| 2921 | * BIO_free_all(io) procession */ |
| 2922 | #endif |
| 2923 | |
| 2924 | err: |
| 2925 | |
| 2926 | if (ret >= 0) |
| 2927 | BIO_printf(bio_s_out,"ACCEPT\n"); |
| 2928 | |
| 2929 | if (buf != NULL) OPENSSL_free(buf); |
| 2930 | if (io != NULL) BIO_free_all(io); |
| 2931 | /* if (ssl_bio != NULL) BIO_free(ssl_bio);*/ |
| 2932 | return(ret); |
| 2933 | } |
| 2934 | |
| 2935 | #ifndef OPENSSL_NO_RSA |
| 2936 | static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength) |
| 2937 | { |
| 2938 | BIGNUM *bn = NULL; |
| 2939 | static RSA *rsa_tmp=NULL; |
| 2940 | |
| 2941 | if (!rsa_tmp && ((bn = BN_new()) == NULL)) |
| 2942 | BIO_printf(bio_err,"Allocation error in generating RSA key\n"); |
| 2943 | if (!rsa_tmp && bn) |
| 2944 | { |
| 2945 | if (!s_quiet) |
| 2946 | { |
| 2947 | BIO_printf(bio_err,"Generating temp (%d bit) RSA key...",keylength); |
| 2948 | (void)BIO_flush(bio_err); |
| 2949 | } |
| 2950 | if(!BN_set_word(bn, RSA_F4) || ((rsa_tmp = RSA_new()) == NULL) || |
| 2951 | !RSA_generate_key_ex(rsa_tmp, keylength, bn, NULL)) |
| 2952 | { |
| 2953 | if(rsa_tmp) RSA_free(rsa_tmp); |
| 2954 | rsa_tmp = NULL; |
| 2955 | } |
| 2956 | if (!s_quiet) |
| 2957 | { |
| 2958 | BIO_printf(bio_err,"\n"); |
| 2959 | (void)BIO_flush(bio_err); |
| 2960 | } |
| 2961 | BN_free(bn); |
| 2962 | } |
| 2963 | return(rsa_tmp); |
| 2964 | } |
| 2965 | #endif |
| 2966 | |
| 2967 | #define MAX_SESSION_ID_ATTEMPTS 10 |
| 2968 | static int generate_session_id(const SSL *ssl, unsigned char *id, |
| 2969 | unsigned int *id_len) |
| 2970 | { |
| 2971 | unsigned int count = 0; |
| 2972 | do { |
| 2973 | RAND_pseudo_bytes(id, *id_len); |
| 2974 | /* Prefix the session_id with the required prefix. NB: If our |
| 2975 | * prefix is too long, clip it - but there will be worse effects |
| 2976 | * anyway, eg. the server could only possibly create 1 session |
| 2977 | * ID (ie. the prefix!) so all future session negotiations will |
| 2978 | * fail due to conflicts. */ |
| 2979 | memcpy(id, session_id_prefix, |
| 2980 | (strlen(session_id_prefix) < *id_len) ? |
| 2981 | strlen(session_id_prefix) : *id_len); |
| 2982 | } |
| 2983 | while(SSL_has_matching_session_id(ssl, id, *id_len) && |
| 2984 | (++count < MAX_SESSION_ID_ATTEMPTS)); |
| 2985 | if(count >= MAX_SESSION_ID_ATTEMPTS) |
| 2986 | return 0; |
| 2987 | return 1; |
| 2988 | } |