]> git.ipfire.org Git - thirdparty/openssl.git/blob - apps/s_server.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
PKCS#7: avoid NULL pointer dereferences with missing content
[thirdparty/openssl.git] / apps / s_server.c
1 /* apps/s_server.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58 /* ====================================================================
59 * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111 /* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 * ECC cipher suite support in OpenSSL originally developed by
114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
115 */
116
117 /*
118 * Until the key-gen callbacks are modified to use newer prototypes, we allow
119 * deprecated functions for openssl-internal code
120 */
121 #ifdef OPENSSL_NO_DEPRECATED
122 # undef OPENSSL_NO_DEPRECATED
123 #endif
124
125 #include <assert.h>
126 #include <stdio.h>
127 #include <stdlib.h>
128 #include <string.h>
129
130 #include <sys/stat.h>
131 #include <openssl/e_os2.h>
132 #ifdef OPENSSL_NO_STDIO
133 # define APPS_WIN16
134 #endif
135
136 /* conflicts with winsock2 stuff on netware */
137 #if !defined(OPENSSL_SYS_NETWARE)
138 # include <sys/types.h>
139 #endif
140
141 /*
142 * With IPv6, it looks like Digital has mixed up the proper order of
143 * recursive header file inclusion, resulting in the compiler complaining
144 * that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which is
145 * needed to have fileno() declared correctly... So let's define u_int
146 */
147 #if defined(OPENSSL_SYS_VMS_DECC) && !defined(__U_INT)
148 # define __U_INT
149 typedef unsigned int u_int;
150 #endif
151
152 #include <openssl/lhash.h>
153 #include <openssl/bn.h>
154 #define USE_SOCKETS
155 #include "apps.h"
156 #include <openssl/err.h>
157 #include <openssl/pem.h>
158 #include <openssl/x509.h>
159 #include <openssl/ssl.h>
160 #include <openssl/rand.h>
161 #include <openssl/ocsp.h>
162 #ifndef OPENSSL_NO_DH
163 # include <openssl/dh.h>
164 #endif
165 #ifndef OPENSSL_NO_RSA
166 # include <openssl/rsa.h>
167 #endif
168 #include "s_apps.h"
169 #include "timeouts.h"
170
171 #ifdef OPENSSL_SYS_WINCE
172 /*
173 * Windows CE incorrectly defines fileno as returning void*, so to avoid
174 * problems below...
175 */
176 # ifdef fileno
177 # undef fileno
178 # endif
179 # define fileno(a) (int)_fileno(a)
180 #endif
181
182 #if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
183 /* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
184 # undef FIONBIO
185 #endif
186
187 #ifndef OPENSSL_NO_RSA
188 static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength);
189 #endif
190 static int sv_body(char *hostname, int s, unsigned char *context);
191 static int www_body(char *hostname, int s, unsigned char *context);
192 static void close_accept_socket(void);
193 static void sv_usage(void);
194 static int init_ssl_connection(SSL *s);
195 static void print_stats(BIO *bp, SSL_CTX *ctx);
196 static int generate_session_id(const SSL *ssl, unsigned char *id,
197 unsigned int *id_len);
198 #ifndef OPENSSL_NO_DH
199 static DH *load_dh_param(const char *dhfile);
200 static DH *get_dh512(void);
201 #endif
202
203 #ifdef MONOLITH
204 static void s_server_init(void);
205 #endif
206
207 #ifndef S_ISDIR
208 # if defined(_S_IFMT) && defined(_S_IFDIR)
209 # define S_ISDIR(a) (((a) & _S_IFMT) == _S_IFDIR)
210 # else
211 # define S_ISDIR(a) (((a) & S_IFMT) == S_IFDIR)
212 # endif
213 #endif
214
215 #ifndef OPENSSL_NO_DH
216 static unsigned char dh512_p[] = {
217 0xDA, 0x58, 0x3C, 0x16, 0xD9, 0x85, 0x22, 0x89, 0xD0, 0xE4, 0xAF, 0x75,
218 0x6F, 0x4C, 0xCA, 0x92, 0xDD, 0x4B, 0xE5, 0x33, 0xB8, 0x04, 0xFB, 0x0F,
219 0xED, 0x94, 0xEF, 0x9C, 0x8A, 0x44, 0x03, 0xED, 0x57, 0x46, 0x50, 0xD3,
220 0x69, 0x99, 0xDB, 0x29, 0xD7, 0x76, 0x27, 0x6B, 0xA2, 0xD3, 0xD4, 0x12,
221 0xE2, 0x18, 0xF4, 0xDD, 0x1E, 0x08, 0x4C, 0xF6, 0xD8, 0x00, 0x3E, 0x7C,
222 0x47, 0x74, 0xE8, 0x33,
223 };
224
225 static unsigned char dh512_g[] = {
226 0x02,
227 };
228
229 static DH *get_dh512(void)
230 {
231 DH *dh = NULL;
232
233 if ((dh = DH_new()) == NULL)
234 return (NULL);
235 dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
236 dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
237 if ((dh->p == NULL) || (dh->g == NULL))
238 return (NULL);
239 return (dh);
240 }
241 #endif
242
243 /* static int load_CA(SSL_CTX *ctx, char *file);*/
244
245 #undef BUFSIZZ
246 #define BUFSIZZ 16*1024
247 static int bufsize = BUFSIZZ;
248 static int accept_socket = -1;
249
250 #define TEST_CERT "server.pem"
251 #ifndef OPENSSL_NO_TLSEXT
252 # define TEST_CERT2 "server2.pem"
253 #endif
254 #undef PROG
255 #define PROG s_server_main
256
257 extern int verify_depth;
258
259 static char *cipher = NULL;
260 static int s_server_verify = SSL_VERIFY_NONE;
261 static int s_server_session_id_context = 1; /* anything will do */
262 static const char *s_cert_file = TEST_CERT, *s_key_file = NULL;
263 #ifndef OPENSSL_NO_TLSEXT
264 static const char *s_cert_file2 = TEST_CERT2, *s_key_file2 = NULL;
265 #endif
266 static char *s_dcert_file = NULL, *s_dkey_file = NULL;
267 #ifdef FIONBIO
268 static int s_nbio = 0;
269 #endif
270 static int s_nbio_test = 0;
271 int s_crlf = 0;
272 static SSL_CTX *ctx = NULL;
273 #ifndef OPENSSL_NO_TLSEXT
274 static SSL_CTX *ctx2 = NULL;
275 #endif
276 static int www = 0;
277
278 static BIO *bio_s_out = NULL;
279 static int s_debug = 0;
280 #ifndef OPENSSL_NO_TLSEXT
281 static int s_tlsextdebug = 0;
282 static int s_tlsextstatus = 0;
283 static int cert_status_cb(SSL *s, void *arg);
284 #endif
285 static int s_msg = 0;
286 static int s_quiet = 0;
287
288 static int hack = 0;
289 #ifndef OPENSSL_NO_ENGINE
290 static char *engine_id = NULL;
291 #endif
292 static const char *session_id_prefix = NULL;
293
294 static int enable_timeouts = 0;
295 static long socket_mtu;
296 #ifndef OPENSSL_NO_DTLS1
297 static int cert_chain = 0;
298 #endif
299
300 #ifdef MONOLITH
301 static void s_server_init(void)
302 {
303 accept_socket = -1;
304 cipher = NULL;
305 s_server_verify = SSL_VERIFY_NONE;
306 s_dcert_file = NULL;
307 s_dkey_file = NULL;
308 s_cert_file = TEST_CERT;
309 s_key_file = NULL;
310 # ifndef OPENSSL_NO_TLSEXT
311 s_cert_file2 = TEST_CERT2;
312 s_key_file2 = NULL;
313 ctx2 = NULL;
314 # endif
315 # ifdef FIONBIO
316 s_nbio = 0;
317 # endif
318 s_nbio_test = 0;
319 ctx = NULL;
320 www = 0;
321
322 bio_s_out = NULL;
323 s_debug = 0;
324 s_msg = 0;
325 s_quiet = 0;
326 hack = 0;
327 # ifndef OPENSSL_NO_ENGINE
328 engine_id = NULL;
329 # endif
330 }
331 #endif
332
333 static void sv_usage(void)
334 {
335 BIO_printf(bio_err, "usage: s_server [args ...]\n");
336 BIO_printf(bio_err, "\n");
337 BIO_printf(bio_err,
338 " -accept arg - port to accept on (default is %d)\n", PORT);
339 BIO_printf(bio_err, " -context arg - set session ID context\n");
340 BIO_printf(bio_err,
341 " -verify arg - turn on peer certificate verification\n");
342 BIO_printf(bio_err,
343 " -Verify arg - turn on peer certificate verification, must have a cert.\n");
344 BIO_printf(bio_err, " -cert arg - certificate file to use\n");
345 BIO_printf(bio_err, " (default is %s)\n", TEST_CERT);
346 BIO_printf(bio_err,
347 " -crl_check - check the peer certificate has not been revoked by its CA.\n"
348 " The CRL(s) are appended to the certificate file\n");
349 BIO_printf(bio_err,
350 " -crl_check_all - check the peer certificate has not been revoked by its CA\n"
351 " or any other CRL in the CA chain. CRL(s) are appened to the\n"
352 " the certificate file.\n");
353 BIO_printf(bio_err,
354 " -certform arg - certificate format (PEM or DER) PEM default\n");
355 BIO_printf(bio_err,
356 " -key arg - Private Key file to use, in cert file if\n");
357 BIO_printf(bio_err, " not specified (default is %s)\n",
358 TEST_CERT);
359 BIO_printf(bio_err,
360 " -keyform arg - key format (PEM, DER or ENGINE) PEM default\n");
361 BIO_printf(bio_err,
362 " -pass arg - private key file pass phrase source\n");
363 BIO_printf(bio_err,
364 " -dcert arg - second certificate file to use (usually for DSA)\n");
365 BIO_printf(bio_err,
366 " -dcertform x - second certificate format (PEM or DER) PEM default\n");
367 BIO_printf(bio_err,
368 " -dkey arg - second private key file to use (usually for DSA)\n");
369 BIO_printf(bio_err,
370 " -dkeyform arg - second key format (PEM, DER or ENGINE) PEM default\n");
371 BIO_printf(bio_err,
372 " -dpass arg - second private key file pass phrase source\n");
373 BIO_printf(bio_err,
374 " -dhparam arg - DH parameter file to use, in cert file if not specified\n");
375 BIO_printf(bio_err,
376 " or a default set of parameters is used\n");
377 #ifndef OPENSSL_NO_ECDH
378 BIO_printf(bio_err,
379 " -named_curve arg - Elliptic curve name to use for ephemeral ECDH keys.\n"
380 " Use \"openssl ecparam -list_curves\" for all names\n"
381 " (default is sect163r2).\n");
382 #endif
383 #ifdef FIONBIO
384 BIO_printf(bio_err, " -nbio - Run with non-blocking IO\n");
385 #endif
386 BIO_printf(bio_err,
387 " -nbio_test - test with the non-blocking test bio\n");
388 BIO_printf(bio_err,
389 " -crlf - convert LF from terminal into CRLF\n");
390 BIO_printf(bio_err, " -debug - Print more output\n");
391 BIO_printf(bio_err, " -msg - Show protocol messages\n");
392 BIO_printf(bio_err, " -state - Print the SSL states\n");
393 BIO_printf(bio_err, " -CApath arg - PEM format directory of CA's\n");
394 BIO_printf(bio_err, " -CAfile arg - PEM format file of CA's\n");
395 BIO_printf(bio_err,
396 " -nocert - Don't use any certificates (Anon-DH)\n");
397 BIO_printf(bio_err,
398 " -cipher arg - play with 'openssl ciphers' to see what goes here\n");
399 BIO_printf(bio_err, " -serverpref - Use server's cipher preferences\n");
400 BIO_printf(bio_err, " -quiet - No server output\n");
401 BIO_printf(bio_err, " -no_tmp_rsa - Do not generate a tmp RSA key\n");
402 BIO_printf(bio_err, " -ssl2 - Just talk SSLv2\n");
403 BIO_printf(bio_err, " -ssl3 - Just talk SSLv3\n");
404 BIO_printf(bio_err, " -tls1 - Just talk TLSv1\n");
405 BIO_printf(bio_err, " -dtls1 - Just talk DTLSv1\n");
406 BIO_printf(bio_err, " -timeout - Enable timeouts\n");
407 BIO_printf(bio_err, " -mtu - Set link layer MTU\n");
408 BIO_printf(bio_err, " -chain - Read a certificate chain\n");
409 BIO_printf(bio_err, " -no_ssl2 - Just disable SSLv2\n");
410 BIO_printf(bio_err, " -no_ssl3 - Just disable SSLv3\n");
411 BIO_printf(bio_err, " -no_tls1 - Just disable TLSv1\n");
412 #ifndef OPENSSL_NO_DH
413 BIO_printf(bio_err, " -no_dhe - Disable ephemeral DH\n");
414 #endif
415 #ifndef OPENSSL_NO_ECDH
416 BIO_printf(bio_err, " -no_ecdhe - Disable ephemeral ECDH\n");
417 #endif
418 BIO_printf(bio_err, " -bugs - Turn on SSL bug compatibility\n");
419 BIO_printf(bio_err,
420 " -www - Respond to a 'GET /' with a status page\n");
421 BIO_printf(bio_err,
422 " -WWW - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>\n");
423 BIO_printf(bio_err,
424 " -HTTP - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>\n");
425 BIO_printf(bio_err,
426 " with the assumption it contains a complete HTTP response.\n");
427 #ifndef OPENSSL_NO_ENGINE
428 BIO_printf(bio_err,
429 " -engine id - Initialise and use the specified engine\n");
430 #endif
431 BIO_printf(bio_err,
432 " -id_prefix arg - Generate SSL/TLS session IDs prefixed by 'arg'\n");
433 BIO_printf(bio_err, " -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR,
434 LIST_SEPARATOR_CHAR);
435 #ifndef OPENSSL_NO_TLSEXT
436 BIO_printf(bio_err,
437 " -servername host - servername for HostName TLS extension\n");
438 BIO_printf(bio_err,
439 " -servername_fatal - on mismatch send fatal alert (default warning alert)\n");
440 BIO_printf(bio_err,
441 " -cert2 arg - certificate file to use for servername\n");
442 BIO_printf(bio_err, " (default is %s)\n", TEST_CERT2);
443 BIO_printf(bio_err,
444 " -key2 arg - Private Key file to use for servername, in cert file if\n");
445 BIO_printf(bio_err, " not specified (default is %s)\n",
446 TEST_CERT2);
447 BIO_printf(bio_err,
448 " -tlsextdebug - hex dump of all TLS extensions received\n");
449 BIO_printf(bio_err,
450 " -no_ticket - disable use of RFC4507bis session tickets\n");
451 BIO_printf(bio_err,
452 " -legacy_renegotiation - enable use of legacy renegotiation (dangerous)\n");
453 #endif
454 }
455
456 static int local_argc = 0;
457 static char **local_argv;
458
459 #ifdef CHARSET_EBCDIC
460 static int ebcdic_new(BIO *bi);
461 static int ebcdic_free(BIO *a);
462 static int ebcdic_read(BIO *b, char *out, int outl);
463 static int ebcdic_write(BIO *b, const char *in, int inl);
464 static long ebcdic_ctrl(BIO *b, int cmd, long num, void *ptr);
465 static int ebcdic_gets(BIO *bp, char *buf, int size);
466 static int ebcdic_puts(BIO *bp, const char *str);
467
468 # define BIO_TYPE_EBCDIC_FILTER (18|0x0200)
469 static BIO_METHOD methods_ebcdic = {
470 BIO_TYPE_EBCDIC_FILTER,
471 "EBCDIC/ASCII filter",
472 ebcdic_write,
473 ebcdic_read,
474 ebcdic_puts,
475 ebcdic_gets,
476 ebcdic_ctrl,
477 ebcdic_new,
478 ebcdic_free,
479 };
480
481 typedef struct {
482 size_t alloced;
483 char buff[1];
484 } EBCDIC_OUTBUFF;
485
486 BIO_METHOD *BIO_f_ebcdic_filter()
487 {
488 return (&methods_ebcdic);
489 }
490
491 static int ebcdic_new(BIO *bi)
492 {
493 EBCDIC_OUTBUFF *wbuf;
494
495 wbuf = (EBCDIC_OUTBUFF *) OPENSSL_malloc(sizeof(EBCDIC_OUTBUFF) + 1024);
496 wbuf->alloced = 1024;
497 wbuf->buff[0] = '\0';
498
499 bi->ptr = (char *)wbuf;
500 bi->init = 1;
501 bi->flags = 0;
502 return (1);
503 }
504
505 static int ebcdic_free(BIO *a)
506 {
507 if (a == NULL)
508 return (0);
509 if (a->ptr != NULL)
510 OPENSSL_free(a->ptr);
511 a->ptr = NULL;
512 a->init = 0;
513 a->flags = 0;
514 return (1);
515 }
516
517 static int ebcdic_read(BIO *b, char *out, int outl)
518 {
519 int ret = 0;
520
521 if (out == NULL || outl == 0)
522 return (0);
523 if (b->next_bio == NULL)
524 return (0);
525
526 ret = BIO_read(b->next_bio, out, outl);
527 if (ret > 0)
528 ascii2ebcdic(out, out, ret);
529 return (ret);
530 }
531
532 static int ebcdic_write(BIO *b, const char *in, int inl)
533 {
534 EBCDIC_OUTBUFF *wbuf;
535 int ret = 0;
536 int num;
537 unsigned char n;
538
539 if ((in == NULL) || (inl <= 0))
540 return (0);
541 if (b->next_bio == NULL)
542 return (0);
543
544 wbuf = (EBCDIC_OUTBUFF *) b->ptr;
545
546 if (inl > (num = wbuf->alloced)) {
547 num = num + num; /* double the size */
548 if (num < inl)
549 num = inl;
550 OPENSSL_free(wbuf);
551 wbuf =
552 (EBCDIC_OUTBUFF *) OPENSSL_malloc(sizeof(EBCDIC_OUTBUFF) + num);
553
554 wbuf->alloced = num;
555 wbuf->buff[0] = '\0';
556
557 b->ptr = (char *)wbuf;
558 }
559
560 ebcdic2ascii(wbuf->buff, in, inl);
561
562 ret = BIO_write(b->next_bio, wbuf->buff, inl);
563
564 return (ret);
565 }
566
567 static long ebcdic_ctrl(BIO *b, int cmd, long num, void *ptr)
568 {
569 long ret;
570
571 if (b->next_bio == NULL)
572 return (0);
573 switch (cmd) {
574 case BIO_CTRL_DUP:
575 ret = 0L;
576 break;
577 default:
578 ret = BIO_ctrl(b->next_bio, cmd, num, ptr);
579 break;
580 }
581 return (ret);
582 }
583
584 static int ebcdic_gets(BIO *bp, char *buf, int size)
585 {
586 int i, ret = 0;
587 if (bp->next_bio == NULL)
588 return (0);
589 /* return(BIO_gets(bp->next_bio,buf,size));*/
590 for (i = 0; i < size - 1; ++i) {
591 ret = ebcdic_read(bp, &buf[i], 1);
592 if (ret <= 0)
593 break;
594 else if (buf[i] == '\n') {
595 ++i;
596 break;
597 }
598 }
599 if (i < size)
600 buf[i] = '\0';
601 return (ret < 0 && i == 0) ? ret : i;
602 }
603
604 static int ebcdic_puts(BIO *bp, const char *str)
605 {
606 if (bp->next_bio == NULL)
607 return (0);
608 return ebcdic_write(bp, str, strlen(str));
609 }
610 #endif
611
612 #ifndef OPENSSL_NO_TLSEXT
613
614 /* This is a context that we pass to callbacks */
615 typedef struct tlsextctx_st {
616 char *servername;
617 BIO *biodebug;
618 int extension_error;
619 } tlsextctx;
620
621 static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg)
622 {
623 tlsextctx *p = (tlsextctx *) arg;
624 const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
625 if (servername && p->biodebug)
626 BIO_printf(p->biodebug, "Hostname in TLS extension: \"%s\"\n",
627 servername);
628
629 if (!p->servername)
630 return SSL_TLSEXT_ERR_NOACK;
631
632 if (servername) {
633 if (strcasecmp(servername, p->servername))
634 return p->extension_error;
635 if (ctx2) {
636 BIO_printf(p->biodebug, "Swiching server context.\n");
637 SSL_set_SSL_CTX(s, ctx2);
638 }
639 }
640 return SSL_TLSEXT_ERR_OK;
641 }
642
643 /* Structure passed to cert status callback */
644
645 typedef struct tlsextstatusctx_st {
646 /* Default responder to use */
647 char *host, *path, *port;
648 int use_ssl;
649 int timeout;
650 BIO *err;
651 int verbose;
652 } tlsextstatusctx;
653
654 static tlsextstatusctx tlscstatp = { NULL, NULL, NULL, 0, -1, NULL, 0 };
655
656 /*
657 * Certificate Status callback. This is called when a client includes a
658 * certificate status request extension. This is a simplified version. It
659 * examines certificates each time and makes one OCSP responder query for
660 * each request. A full version would store details such as the OCSP
661 * certificate IDs and minimise the number of OCSP responses by caching them
662 * until they were considered "expired".
663 */
664
665 static int cert_status_cb(SSL *s, void *arg)
666 {
667 tlsextstatusctx *srctx = arg;
668 BIO *err = srctx->err;
669 char *host, *port, *path;
670 int use_ssl;
671 unsigned char *rspder = NULL;
672 int rspderlen;
673 STACK *aia = NULL;
674 X509 *x = NULL;
675 X509_STORE_CTX inctx;
676 X509_OBJECT obj;
677 OCSP_REQUEST *req = NULL;
678 OCSP_RESPONSE *resp = NULL;
679 OCSP_CERTID *id = NULL;
680 STACK_OF(X509_EXTENSION) *exts;
681 int ret = SSL_TLSEXT_ERR_NOACK;
682 int i;
683 # if 0
684 STACK_OF(OCSP_RESPID) *ids;
685 SSL_get_tlsext_status_ids(s, &ids);
686 BIO_printf(err, "cert_status: received %d ids\n",
687 sk_OCSP_RESPID_num(ids));
688 # endif
689 if (srctx->verbose)
690 BIO_puts(err, "cert_status: callback called\n");
691 /* Build up OCSP query from server certificate */
692 x = SSL_get_certificate(s);
693 aia = X509_get1_ocsp(x);
694 if (aia) {
695 if (!OCSP_parse_url(sk_value(aia, 0), &host, &port, &path, &use_ssl)) {
696 BIO_puts(err, "cert_status: can't parse AIA URL\n");
697 goto err;
698 }
699 if (srctx->verbose)
700 BIO_printf(err, "cert_status: AIA URL: %s\n", sk_value(aia, 0));
701 } else {
702 if (!srctx->host) {
703 BIO_puts(srctx->err,
704 "cert_status: no AIA and no default responder URL\n");
705 goto done;
706 }
707 host = srctx->host;
708 path = srctx->path;
709 port = srctx->port;
710 use_ssl = srctx->use_ssl;
711 }
712
713 if (!X509_STORE_CTX_init(&inctx,
714 SSL_CTX_get_cert_store(SSL_get_SSL_CTX(s)),
715 NULL, NULL))
716 goto err;
717 if (X509_STORE_get_by_subject(&inctx, X509_LU_X509,
718 X509_get_issuer_name(x), &obj) <= 0) {
719 BIO_puts(err, "cert_status: Can't retrieve issuer certificate.\n");
720 X509_STORE_CTX_cleanup(&inctx);
721 goto done;
722 }
723 req = OCSP_REQUEST_new();
724 if (!req)
725 goto err;
726 id = OCSP_cert_to_id(NULL, x, obj.data.x509);
727 X509_free(obj.data.x509);
728 X509_STORE_CTX_cleanup(&inctx);
729 if (!id)
730 goto err;
731 if (!OCSP_request_add0_id(req, id))
732 goto err;
733 id = NULL;
734 /* Add any extensions to the request */
735 SSL_get_tlsext_status_exts(s, &exts);
736 for (i = 0; i < sk_X509_EXTENSION_num(exts); i++) {
737 X509_EXTENSION *ext = sk_X509_EXTENSION_value(exts, i);
738 if (!OCSP_REQUEST_add_ext(req, ext, -1))
739 goto err;
740 }
741 resp = process_responder(err, req, host, path, port, use_ssl,
742 srctx->timeout);
743 if (!resp) {
744 BIO_puts(err, "cert_status: error querying responder\n");
745 goto done;
746 }
747 rspderlen = i2d_OCSP_RESPONSE(resp, &rspder);
748 if (rspderlen <= 0)
749 goto err;
750 SSL_set_tlsext_status_ocsp_resp(s, rspder, rspderlen);
751 if (srctx->verbose) {
752 BIO_puts(err, "cert_status: ocsp response sent:\n");
753 OCSP_RESPONSE_print(err, resp, 2);
754 }
755 ret = SSL_TLSEXT_ERR_OK;
756 done:
757 if (ret != SSL_TLSEXT_ERR_OK)
758 ERR_print_errors(err);
759 if (aia) {
760 OPENSSL_free(host);
761 OPENSSL_free(path);
762 OPENSSL_free(port);
763 X509_email_free(aia);
764 }
765 if (id)
766 OCSP_CERTID_free(id);
767 if (req)
768 OCSP_REQUEST_free(req);
769 if (resp)
770 OCSP_RESPONSE_free(resp);
771 return ret;
772 err:
773 ret = SSL_TLSEXT_ERR_ALERT_FATAL;
774 goto done;
775 }
776 #endif
777 int MAIN(int, char **);
778
779 #ifndef OPENSSL_NO_JPAKE
780 static char *jpake_secret = NULL;
781 #endif
782
783 int MAIN(int argc, char *argv[])
784 {
785 X509_STORE *store = NULL;
786 int vflags = 0;
787 short port = PORT;
788 char *CApath = NULL, *CAfile = NULL;
789 unsigned char *context = NULL;
790 char *dhfile = NULL;
791 #ifndef OPENSSL_NO_ECDH
792 char *named_curve = NULL;
793 #endif
794 int badop = 0, bugs = 0;
795 int ret = 1;
796 int off = 0;
797 int no_tmp_rsa = 0, no_dhe = 0, no_ecdhe = 0, nocert = 0;
798 int state = 0;
799 SSL_METHOD *meth = NULL;
800 int socket_type = SOCK_STREAM;
801 ENGINE *e = NULL;
802 char *inrand = NULL;
803 int s_cert_format = FORMAT_PEM, s_key_format = FORMAT_PEM;
804 char *passarg = NULL, *pass = NULL;
805 char *dpassarg = NULL, *dpass = NULL;
806 int s_dcert_format = FORMAT_PEM, s_dkey_format = FORMAT_PEM;
807 X509 *s_cert = NULL, *s_dcert = NULL;
808 EVP_PKEY *s_key = NULL, *s_dkey = NULL;
809 int no_cache = 0;
810 #ifndef OPENSSL_NO_TLSEXT
811 EVP_PKEY *s_key2 = NULL;
812 X509 *s_cert2 = NULL;
813 #endif
814 #ifndef OPENSSL_NO_TLSEXT
815 tlsextctx tlsextcbp = { NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING };
816 #endif
817
818 meth = SSLv23_server_method();
819
820 local_argc = argc;
821 local_argv = argv;
822
823 apps_startup();
824 #ifdef MONOLITH
825 s_server_init();
826 #endif
827
828 if (bio_err == NULL)
829 bio_err = BIO_new_fp(stderr, BIO_NOCLOSE);
830
831 if (!load_config(bio_err, NULL))
832 goto end;
833
834 verify_depth = 0;
835 #ifdef FIONBIO
836 s_nbio = 0;
837 #endif
838 s_nbio_test = 0;
839
840 argc--;
841 argv++;
842
843 while (argc >= 1) {
844 if ((strcmp(*argv, "-port") == 0) || (strcmp(*argv, "-accept") == 0)) {
845 if (--argc < 1)
846 goto bad;
847 if (!extract_port(*(++argv), &port))
848 goto bad;
849 } else if (strcmp(*argv, "-verify") == 0) {
850 s_server_verify = SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE;
851 if (--argc < 1)
852 goto bad;
853 verify_depth = atoi(*(++argv));
854 BIO_printf(bio_err, "verify depth is %d\n", verify_depth);
855 } else if (strcmp(*argv, "-Verify") == 0) {
856 s_server_verify =
857 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT |
858 SSL_VERIFY_CLIENT_ONCE;
859 if (--argc < 1)
860 goto bad;
861 verify_depth = atoi(*(++argv));
862 BIO_printf(bio_err,
863 "verify depth is %d, must return a certificate\n",
864 verify_depth);
865 } else if (strcmp(*argv, "-context") == 0) {
866 if (--argc < 1)
867 goto bad;
868 context = (unsigned char *)*(++argv);
869 } else if (strcmp(*argv, "-cert") == 0) {
870 if (--argc < 1)
871 goto bad;
872 s_cert_file = *(++argv);
873 } else if (strcmp(*argv, "-certform") == 0) {
874 if (--argc < 1)
875 goto bad;
876 s_cert_format = str2fmt(*(++argv));
877 } else if (strcmp(*argv, "-key") == 0) {
878 if (--argc < 1)
879 goto bad;
880 s_key_file = *(++argv);
881 } else if (strcmp(*argv, "-keyform") == 0) {
882 if (--argc < 1)
883 goto bad;
884 s_key_format = str2fmt(*(++argv));
885 } else if (strcmp(*argv, "-pass") == 0) {
886 if (--argc < 1)
887 goto bad;
888 passarg = *(++argv);
889 } else if (strcmp(*argv, "-dhparam") == 0) {
890 if (--argc < 1)
891 goto bad;
892 dhfile = *(++argv);
893 }
894 #ifndef OPENSSL_NO_ECDH
895 else if (strcmp(*argv, "-named_curve") == 0) {
896 if (--argc < 1)
897 goto bad;
898 named_curve = *(++argv);
899 }
900 #endif
901 else if (strcmp(*argv, "-dcertform") == 0) {
902 if (--argc < 1)
903 goto bad;
904 s_dcert_format = str2fmt(*(++argv));
905 } else if (strcmp(*argv, "-dcert") == 0) {
906 if (--argc < 1)
907 goto bad;
908 s_dcert_file = *(++argv);
909 } else if (strcmp(*argv, "-dkeyform") == 0) {
910 if (--argc < 1)
911 goto bad;
912 s_dkey_format = str2fmt(*(++argv));
913 } else if (strcmp(*argv, "-dpass") == 0) {
914 if (--argc < 1)
915 goto bad;
916 dpassarg = *(++argv);
917 } else if (strcmp(*argv, "-dkey") == 0) {
918 if (--argc < 1)
919 goto bad;
920 s_dkey_file = *(++argv);
921 } else if (strcmp(*argv, "-nocert") == 0) {
922 nocert = 1;
923 } else if (strcmp(*argv, "-CApath") == 0) {
924 if (--argc < 1)
925 goto bad;
926 CApath = *(++argv);
927 } else if (strcmp(*argv, "-no_cache") == 0)
928 no_cache = 1;
929 else if (strcmp(*argv, "-crl_check") == 0) {
930 vflags |= X509_V_FLAG_CRL_CHECK;
931 } else if (strcmp(*argv, "-crl_check_all") == 0) {
932 vflags |= X509_V_FLAG_CRL_CHECK | X509_V_FLAG_CRL_CHECK_ALL;
933 } else if (strcmp(*argv, "-serverpref") == 0) {
934 off |= SSL_OP_CIPHER_SERVER_PREFERENCE;
935 } else if (strcmp(*argv, "-legacy_renegotiation") == 0)
936 off |= SSL_OP_ALLOW_UNSAFE_LEGACY_RENEGOTIATION;
937 else if (strcmp(*argv, "-cipher") == 0) {
938 if (--argc < 1)
939 goto bad;
940 cipher = *(++argv);
941 } else if (strcmp(*argv, "-CAfile") == 0) {
942 if (--argc < 1)
943 goto bad;
944 CAfile = *(++argv);
945 }
946 #ifdef FIONBIO
947 else if (strcmp(*argv, "-nbio") == 0) {
948 s_nbio = 1;
949 }
950 #endif
951 else if (strcmp(*argv, "-nbio_test") == 0) {
952 #ifdef FIONBIO
953 s_nbio = 1;
954 #endif
955 s_nbio_test = 1;
956 } else if (strcmp(*argv, "-debug") == 0) {
957 s_debug = 1;
958 }
959 #ifndef OPENSSL_NO_TLSEXT
960 else if (strcmp(*argv, "-tlsextdebug") == 0)
961 s_tlsextdebug = 1;
962 else if (strcmp(*argv, "-status") == 0)
963 s_tlsextstatus = 1;
964 else if (strcmp(*argv, "-status_verbose") == 0) {
965 s_tlsextstatus = 1;
966 tlscstatp.verbose = 1;
967 } else if (!strcmp(*argv, "-status_timeout")) {
968 s_tlsextstatus = 1;
969 if (--argc < 1)
970 goto bad;
971 tlscstatp.timeout = atoi(*(++argv));
972 } else if (!strcmp(*argv, "-status_url")) {
973 s_tlsextstatus = 1;
974 if (--argc < 1)
975 goto bad;
976 if (!OCSP_parse_url(*(++argv),
977 &tlscstatp.host,
978 &tlscstatp.port,
979 &tlscstatp.path, &tlscstatp.use_ssl)) {
980 BIO_printf(bio_err, "Error parsing URL\n");
981 goto bad;
982 }
983 }
984 #endif
985 else if (strcmp(*argv, "-msg") == 0) {
986 s_msg = 1;
987 } else if (strcmp(*argv, "-hack") == 0) {
988 hack = 1;
989 } else if (strcmp(*argv, "-state") == 0) {
990 state = 1;
991 } else if (strcmp(*argv, "-crlf") == 0) {
992 s_crlf = 1;
993 } else if (strcmp(*argv, "-quiet") == 0) {
994 s_quiet = 1;
995 } else if (strcmp(*argv, "-bugs") == 0) {
996 bugs = 1;
997 } else if (strcmp(*argv, "-no_tmp_rsa") == 0) {
998 no_tmp_rsa = 1;
999 } else if (strcmp(*argv, "-no_dhe") == 0) {
1000 no_dhe = 1;
1001 } else if (strcmp(*argv, "-no_ecdhe") == 0) {
1002 no_ecdhe = 1;
1003 } else if (strcmp(*argv, "-www") == 0) {
1004 www = 1;
1005 } else if (strcmp(*argv, "-WWW") == 0) {
1006 www = 2;
1007 } else if (strcmp(*argv, "-HTTP") == 0) {
1008 www = 3;
1009 } else if (strcmp(*argv, "-no_ssl2") == 0) {
1010 off |= SSL_OP_NO_SSLv2;
1011 } else if (strcmp(*argv, "-no_ssl3") == 0) {
1012 off |= SSL_OP_NO_SSLv3;
1013 } else if (strcmp(*argv, "-no_tls1") == 0) {
1014 off |= SSL_OP_NO_TLSv1;
1015 }
1016 #ifndef OPENSSL_NO_TLSEXT
1017 else if (strcmp(*argv, "-no_ticket") == 0) {
1018 off |= SSL_OP_NO_TICKET;
1019 }
1020 #endif
1021 #ifndef OPENSSL_NO_SSL2
1022 else if (strcmp(*argv, "-ssl2") == 0) {
1023 meth = SSLv2_server_method();
1024 }
1025 #endif
1026 #ifndef OPENSSL_NO_SSL3
1027 else if (strcmp(*argv, "-ssl3") == 0) {
1028 meth = SSLv3_server_method();
1029 }
1030 #endif
1031 #ifndef OPENSSL_NO_TLS1
1032 else if (strcmp(*argv, "-tls1") == 0) {
1033 meth = TLSv1_server_method();
1034 }
1035 #endif
1036 #ifndef OPENSSL_NO_DTLS1
1037 else if (strcmp(*argv, "-dtls1") == 0) {
1038 meth = DTLSv1_server_method();
1039 socket_type = SOCK_DGRAM;
1040 } else if (strcmp(*argv, "-timeout") == 0)
1041 enable_timeouts = 1;
1042 else if (strcmp(*argv, "-mtu") == 0) {
1043 if (--argc < 1)
1044 goto bad;
1045 socket_mtu = atol(*(++argv));
1046 } else if (strcmp(*argv, "-chain") == 0)
1047 cert_chain = 1;
1048 #endif
1049 else if (strcmp(*argv, "-id_prefix") == 0) {
1050 if (--argc < 1)
1051 goto bad;
1052 session_id_prefix = *(++argv);
1053 }
1054 #ifndef OPENSSL_NO_ENGINE
1055 else if (strcmp(*argv, "-engine") == 0) {
1056 if (--argc < 1)
1057 goto bad;
1058 engine_id = *(++argv);
1059 }
1060 #endif
1061 else if (strcmp(*argv, "-rand") == 0) {
1062 if (--argc < 1)
1063 goto bad;
1064 inrand = *(++argv);
1065 }
1066 #ifndef OPENSSL_NO_TLSEXT
1067 else if (strcmp(*argv, "-servername") == 0) {
1068 if (--argc < 1)
1069 goto bad;
1070 tlsextcbp.servername = *(++argv);
1071 } else if (strcmp(*argv, "-servername_fatal") == 0) {
1072 tlsextcbp.extension_error = SSL_TLSEXT_ERR_ALERT_FATAL;
1073 } else if (strcmp(*argv, "-cert2") == 0) {
1074 if (--argc < 1)
1075 goto bad;
1076 s_cert_file2 = *(++argv);
1077 } else if (strcmp(*argv, "-key2") == 0) {
1078 if (--argc < 1)
1079 goto bad;
1080 s_key_file2 = *(++argv);
1081 }
1082 #endif
1083 #ifndef OPENSSL_NO_JPAKE
1084 else if (strcmp(*argv, "-jpake") == 0) {
1085 if (--argc < 1)
1086 goto bad;
1087 jpake_secret = *(++argv);
1088 }
1089 #endif
1090 else {
1091 BIO_printf(bio_err, "unknown option %s\n", *argv);
1092 badop = 1;
1093 break;
1094 }
1095 argc--;
1096 argv++;
1097 }
1098 if (badop) {
1099 bad:
1100 sv_usage();
1101 goto end;
1102 }
1103 #ifndef OPENSSL_NO_DTLS1
1104 if (www && socket_type == SOCK_DGRAM) {
1105 BIO_printf(bio_err, "Can't use -HTTP, -www or -WWW with DTLS\n");
1106 goto end;
1107 }
1108 #endif
1109
1110 SSL_load_error_strings();
1111 OpenSSL_add_ssl_algorithms();
1112
1113 #ifndef OPENSSL_NO_ENGINE
1114 e = setup_engine(bio_err, engine_id, 1);
1115 #endif
1116
1117 if (!app_passwd(bio_err, passarg, dpassarg, &pass, &dpass)) {
1118 BIO_printf(bio_err, "Error getting password\n");
1119 goto end;
1120 }
1121
1122 if (s_key_file == NULL)
1123 s_key_file = s_cert_file;
1124 #ifndef OPENSSL_NO_TLSEXT
1125 if (s_key_file2 == NULL)
1126 s_key_file2 = s_cert_file2;
1127 #endif
1128
1129 if (nocert == 0) {
1130 s_key = load_key(bio_err, s_key_file, s_key_format, 0, pass, e,
1131 "server certificate private key file");
1132 if (!s_key) {
1133 ERR_print_errors(bio_err);
1134 goto end;
1135 }
1136
1137 s_cert = load_cert(bio_err, s_cert_file, s_cert_format,
1138 NULL, e, "server certificate file");
1139
1140 if (!s_cert) {
1141 ERR_print_errors(bio_err);
1142 goto end;
1143 }
1144 #ifndef OPENSSL_NO_TLSEXT
1145 if (tlsextcbp.servername) {
1146 s_key2 = load_key(bio_err, s_key_file2, s_key_format, 0, pass, e,
1147 "second server certificate private key file");
1148 if (!s_key2) {
1149 ERR_print_errors(bio_err);
1150 goto end;
1151 }
1152
1153 s_cert2 = load_cert(bio_err, s_cert_file2, s_cert_format,
1154 NULL, e, "second server certificate file");
1155
1156 if (!s_cert2) {
1157 ERR_print_errors(bio_err);
1158 goto end;
1159 }
1160 }
1161 #endif
1162 }
1163 if (s_dcert_file) {
1164
1165 if (s_dkey_file == NULL)
1166 s_dkey_file = s_dcert_file;
1167
1168 s_dkey = load_key(bio_err, s_dkey_file, s_dkey_format,
1169 0, dpass, e, "second certificate private key file");
1170 if (!s_dkey) {
1171 ERR_print_errors(bio_err);
1172 goto end;
1173 }
1174
1175 s_dcert = load_cert(bio_err, s_dcert_file, s_dcert_format,
1176 NULL, e, "second server certificate file");
1177
1178 if (!s_dcert) {
1179 ERR_print_errors(bio_err);
1180 goto end;
1181 }
1182
1183 }
1184
1185 if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
1186 && !RAND_status()) {
1187 BIO_printf(bio_err,
1188 "warning, not much extra random data, consider using the -rand option\n");
1189 }
1190 if (inrand != NULL)
1191 BIO_printf(bio_err, "%ld semi-random bytes loaded\n",
1192 app_RAND_load_files(inrand));
1193
1194 if (bio_s_out == NULL) {
1195 if (s_quiet && !s_debug && !s_msg) {
1196 bio_s_out = BIO_new(BIO_s_null());
1197 } else {
1198 if (bio_s_out == NULL)
1199 bio_s_out = BIO_new_fp(stdout, BIO_NOCLOSE);
1200 }
1201 }
1202 #if !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_ECDSA)
1203 if (nocert)
1204 #endif
1205 {
1206 s_cert_file = NULL;
1207 s_key_file = NULL;
1208 s_dcert_file = NULL;
1209 s_dkey_file = NULL;
1210 #ifndef OPENSSL_NO_TLSEXT
1211 s_cert_file2 = NULL;
1212 s_key_file2 = NULL;
1213 #endif
1214 }
1215
1216 ctx = SSL_CTX_new(meth);
1217 if (ctx == NULL) {
1218 ERR_print_errors(bio_err);
1219 goto end;
1220 }
1221 if (session_id_prefix) {
1222 if (strlen(session_id_prefix) >= 32)
1223 BIO_printf(bio_err,
1224 "warning: id_prefix is too long, only one new session will be possible\n");
1225 else if (strlen(session_id_prefix) >= 16)
1226 BIO_printf(bio_err,
1227 "warning: id_prefix is too long if you use SSLv2\n");
1228 if (!SSL_CTX_set_generate_session_id(ctx, generate_session_id)) {
1229 BIO_printf(bio_err, "error setting 'id_prefix'\n");
1230 ERR_print_errors(bio_err);
1231 goto end;
1232 }
1233 BIO_printf(bio_err, "id_prefix '%s' set.\n", session_id_prefix);
1234 }
1235 SSL_CTX_set_quiet_shutdown(ctx, 1);
1236 if (bugs)
1237 SSL_CTX_set_options(ctx, SSL_OP_ALL);
1238 if (hack)
1239 SSL_CTX_set_options(ctx, SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG);
1240 SSL_CTX_set_options(ctx, off);
1241 /*
1242 * DTLS: partial reads end up discarding unread UDP bytes :-( Setting
1243 * read ahead solves this problem.
1244 */
1245 if (socket_type == SOCK_DGRAM)
1246 SSL_CTX_set_read_ahead(ctx, 1);
1247
1248 if (state)
1249 SSL_CTX_set_info_callback(ctx, apps_ssl_info_callback);
1250 if (no_cache)
1251 SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF);
1252 else
1253 SSL_CTX_sess_set_cache_size(ctx, 128);
1254
1255 #if 0
1256 if (cipher == NULL)
1257 cipher = getenv("SSL_CIPHER");
1258 #endif
1259
1260 #if 0
1261 if (s_cert_file == NULL) {
1262 BIO_printf(bio_err,
1263 "You must specify a certificate file for the server to use\n");
1264 goto end;
1265 }
1266 #endif
1267
1268 if ((!SSL_CTX_load_verify_locations(ctx, CAfile, CApath)) ||
1269 (!SSL_CTX_set_default_verify_paths(ctx))) {
1270 /* BIO_printf(bio_err,"X509_load_verify_locations\n"); */
1271 ERR_print_errors(bio_err);
1272 /* goto end; */
1273 }
1274 store = SSL_CTX_get_cert_store(ctx);
1275 X509_STORE_set_flags(store, vflags);
1276 #ifndef OPENSSL_NO_TLSEXT
1277 if (s_cert2) {
1278 ctx2 = SSL_CTX_new(meth);
1279 if (ctx2 == NULL) {
1280 ERR_print_errors(bio_err);
1281 goto end;
1282 }
1283 }
1284
1285 if (ctx2) {
1286 BIO_printf(bio_s_out, "Setting secondary ctx parameters\n");
1287
1288 if (session_id_prefix) {
1289 if (strlen(session_id_prefix) >= 32)
1290 BIO_printf(bio_err,
1291 "warning: id_prefix is too long, only one new session will be possible\n");
1292 else if (strlen(session_id_prefix) >= 16)
1293 BIO_printf(bio_err,
1294 "warning: id_prefix is too long if you use SSLv2\n");
1295 if (!SSL_CTX_set_generate_session_id(ctx2, generate_session_id)) {
1296 BIO_printf(bio_err, "error setting 'id_prefix'\n");
1297 ERR_print_errors(bio_err);
1298 goto end;
1299 }
1300 BIO_printf(bio_err, "id_prefix '%s' set.\n", session_id_prefix);
1301 }
1302 SSL_CTX_set_quiet_shutdown(ctx2, 1);
1303 if (bugs)
1304 SSL_CTX_set_options(ctx2, SSL_OP_ALL);
1305 if (hack)
1306 SSL_CTX_set_options(ctx2, SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG);
1307 SSL_CTX_set_options(ctx2, off);
1308
1309 /*
1310 * DTLS: partial reads end up discarding unread UDP bytes :-(
1311 * Setting read ahead solves this problem.
1312 */
1313 if (socket_type == SOCK_DGRAM)
1314 SSL_CTX_set_read_ahead(ctx2, 1);
1315
1316 if (state)
1317 SSL_CTX_set_info_callback(ctx2, apps_ssl_info_callback);
1318
1319 if (no_cache)
1320 SSL_CTX_set_session_cache_mode(ctx2, SSL_SESS_CACHE_OFF);
1321 else
1322 SSL_CTX_sess_set_cache_size(ctx2, 128);
1323
1324 if ((!SSL_CTX_load_verify_locations(ctx2, CAfile, CApath)) ||
1325 (!SSL_CTX_set_default_verify_paths(ctx2))) {
1326 ERR_print_errors(bio_err);
1327 }
1328 store = SSL_CTX_get_cert_store(ctx2);
1329 X509_STORE_set_flags(store, vflags);
1330 }
1331 #endif
1332
1333 #ifndef OPENSSL_NO_DH
1334 if (!no_dhe) {
1335 DH *dh = NULL;
1336
1337 if (dhfile)
1338 dh = load_dh_param(dhfile);
1339 else if (s_cert_file)
1340 dh = load_dh_param(s_cert_file);
1341
1342 if (dh != NULL) {
1343 BIO_printf(bio_s_out, "Setting temp DH parameters\n");
1344 } else {
1345 BIO_printf(bio_s_out, "Using default temp DH parameters\n");
1346 dh = get_dh512();
1347 }
1348 (void)BIO_flush(bio_s_out);
1349
1350 SSL_CTX_set_tmp_dh(ctx, dh);
1351 # ifndef OPENSSL_NO_TLSEXT
1352 if (ctx2) {
1353 if (!dhfile) {
1354 DH *dh2 = load_dh_param(s_cert_file2);
1355 if (dh2 != NULL) {
1356 BIO_printf(bio_s_out, "Setting temp DH parameters\n");
1357 (void)BIO_flush(bio_s_out);
1358
1359 DH_free(dh);
1360 dh = dh2;
1361 }
1362 }
1363 SSL_CTX_set_tmp_dh(ctx2, dh);
1364 }
1365 # endif
1366 DH_free(dh);
1367 }
1368 #endif
1369
1370 #ifndef OPENSSL_NO_ECDH
1371 if (!no_ecdhe) {
1372 EC_KEY *ecdh = NULL;
1373
1374 if (named_curve) {
1375 int nid = OBJ_sn2nid(named_curve);
1376
1377 if (nid == 0) {
1378 BIO_printf(bio_err, "unknown curve name (%s)\n", named_curve);
1379 goto end;
1380 }
1381 ecdh = EC_KEY_new_by_curve_name(nid);
1382 if (ecdh == NULL) {
1383 BIO_printf(bio_err, "unable to create curve (%s)\n",
1384 named_curve);
1385 goto end;
1386 }
1387 }
1388
1389 if (ecdh != NULL) {
1390 BIO_printf(bio_s_out, "Setting temp ECDH parameters\n");
1391 } else {
1392 BIO_printf(bio_s_out, "Using default temp ECDH parameters\n");
1393 ecdh = EC_KEY_new_by_curve_name(NID_sect163r2);
1394 if (ecdh == NULL) {
1395 BIO_printf(bio_err, "unable to create curve (sect163r2)\n");
1396 goto end;
1397 }
1398 }
1399 (void)BIO_flush(bio_s_out);
1400
1401 SSL_CTX_set_tmp_ecdh(ctx, ecdh);
1402 # ifndef OPENSSL_NO_TLSEXT
1403 if (ctx2)
1404 SSL_CTX_set_tmp_ecdh(ctx2, ecdh);
1405 # endif
1406 EC_KEY_free(ecdh);
1407 }
1408 #endif
1409
1410 if (!set_cert_key_stuff(ctx, s_cert, s_key))
1411 goto end;
1412 #ifndef OPENSSL_NO_TLSEXT
1413 if (ctx2 && !set_cert_key_stuff(ctx2, s_cert2, s_key2))
1414 goto end;
1415 #endif
1416 if (s_dcert != NULL) {
1417 if (!set_cert_key_stuff(ctx, s_dcert, s_dkey))
1418 goto end;
1419 }
1420 #ifndef OPENSSL_NO_RSA
1421 # if 1
1422 if (!no_tmp_rsa) {
1423 SSL_CTX_set_tmp_rsa_callback(ctx, tmp_rsa_cb);
1424 # ifndef OPENSSL_NO_TLSEXT
1425 if (ctx2)
1426 SSL_CTX_set_tmp_rsa_callback(ctx2, tmp_rsa_cb);
1427 # endif
1428 }
1429 # else
1430 if (!no_tmp_rsa && SSL_CTX_need_tmp_RSA(ctx)) {
1431 RSA *rsa;
1432
1433 BIO_printf(bio_s_out, "Generating temp (512 bit) RSA key...");
1434 BIO_flush(bio_s_out);
1435
1436 rsa = RSA_generate_key(512, RSA_F4, NULL);
1437
1438 if (!SSL_CTX_set_tmp_rsa(ctx, rsa)) {
1439 ERR_print_errors(bio_err);
1440 goto end;
1441 }
1442 # ifndef OPENSSL_NO_TLSEXT
1443 if (ctx2) {
1444 if (!SSL_CTX_set_tmp_rsa(ctx2, rsa)) {
1445 ERR_print_errors(bio_err);
1446 goto end;
1447 }
1448 }
1449 # endif
1450 RSA_free(rsa);
1451 BIO_printf(bio_s_out, "\n");
1452 }
1453 # endif
1454 #endif
1455
1456 if (cipher != NULL)
1457 if (!SSL_CTX_set_cipher_list(ctx, cipher)) {
1458 BIO_printf(bio_err, "error setting cipher list\n");
1459 ERR_print_errors(bio_err);
1460 goto end;
1461 #ifndef OPENSSL_NO_TLSEXT
1462 if (ctx2 && !SSL_CTX_set_cipher_list(ctx2, cipher)) {
1463 BIO_printf(bio_err, "error setting cipher list\n");
1464 ERR_print_errors(bio_err);
1465 goto end;
1466 }
1467 #endif
1468 }
1469 SSL_CTX_set_verify(ctx, s_server_verify, verify_callback);
1470 SSL_CTX_set_session_id_context(ctx, (void *)&s_server_session_id_context,
1471 sizeof s_server_session_id_context);
1472
1473 /* Set DTLS cookie generation and verification callbacks */
1474 SSL_CTX_set_cookie_generate_cb(ctx, generate_cookie_callback);
1475 SSL_CTX_set_cookie_verify_cb(ctx, verify_cookie_callback);
1476
1477 #ifndef OPENSSL_NO_TLSEXT
1478 if (ctx2) {
1479 SSL_CTX_set_verify(ctx2, s_server_verify, verify_callback);
1480 SSL_CTX_set_session_id_context(ctx2,
1481 (void *)&s_server_session_id_context,
1482 sizeof s_server_session_id_context);
1483
1484 tlsextcbp.biodebug = bio_s_out;
1485 SSL_CTX_set_tlsext_servername_callback(ctx2, ssl_servername_cb);
1486 SSL_CTX_set_tlsext_servername_arg(ctx2, &tlsextcbp);
1487 SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
1488 SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
1489 }
1490 #endif
1491 if (CAfile != NULL) {
1492 SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(CAfile));
1493 #ifndef OPENSSL_NO_TLSEXT
1494 if (ctx2)
1495 SSL_CTX_set_client_CA_list(ctx2, SSL_load_client_CA_file(CAfile));
1496 #endif
1497 }
1498 BIO_printf(bio_s_out, "ACCEPT\n");
1499 if (www)
1500 do_server(port, socket_type, &accept_socket, www_body, context);
1501 else
1502 do_server(port, socket_type, &accept_socket, sv_body, context);
1503 print_stats(bio_s_out, ctx);
1504 ret = 0;
1505 end:
1506 if (ctx != NULL)
1507 SSL_CTX_free(ctx);
1508 if (s_cert)
1509 X509_free(s_cert);
1510 if (s_dcert)
1511 X509_free(s_dcert);
1512 if (s_key)
1513 EVP_PKEY_free(s_key);
1514 if (s_dkey)
1515 EVP_PKEY_free(s_dkey);
1516 if (pass)
1517 OPENSSL_free(pass);
1518 if (dpass)
1519 OPENSSL_free(dpass);
1520 #ifndef OPENSSL_NO_TLSEXT
1521 if (tlscstatp.host)
1522 OPENSSL_free(tlscstatp.host);
1523 if (tlscstatp.port)
1524 OPENSSL_free(tlscstatp.port);
1525 if (tlscstatp.path)
1526 OPENSSL_free(tlscstatp.path);
1527 if (ctx2 != NULL)
1528 SSL_CTX_free(ctx2);
1529 if (s_cert2)
1530 X509_free(s_cert2);
1531 if (s_key2)
1532 EVP_PKEY_free(s_key2);
1533 #endif
1534 if (bio_s_out != NULL) {
1535 BIO_free(bio_s_out);
1536 bio_s_out = NULL;
1537 }
1538 apps_shutdown();
1539 OPENSSL_EXIT(ret);
1540 }
1541
1542 static void print_stats(BIO *bio, SSL_CTX *ssl_ctx)
1543 {
1544 BIO_printf(bio, "%4ld items in the session cache\n",
1545 SSL_CTX_sess_number(ssl_ctx));
1546 BIO_printf(bio, "%4ld client connects (SSL_connect())\n",
1547 SSL_CTX_sess_connect(ssl_ctx));
1548 BIO_printf(bio, "%4ld client renegotiates (SSL_connect())\n",
1549 SSL_CTX_sess_connect_renegotiate(ssl_ctx));
1550 BIO_printf(bio, "%4ld client connects that finished\n",
1551 SSL_CTX_sess_connect_good(ssl_ctx));
1552 BIO_printf(bio, "%4ld server accepts (SSL_accept())\n",
1553 SSL_CTX_sess_accept(ssl_ctx));
1554 BIO_printf(bio, "%4ld server renegotiates (SSL_accept())\n",
1555 SSL_CTX_sess_accept_renegotiate(ssl_ctx));
1556 BIO_printf(bio, "%4ld server accepts that finished\n",
1557 SSL_CTX_sess_accept_good(ssl_ctx));
1558 BIO_printf(bio, "%4ld session cache hits\n", SSL_CTX_sess_hits(ssl_ctx));
1559 BIO_printf(bio, "%4ld session cache misses\n",
1560 SSL_CTX_sess_misses(ssl_ctx));
1561 BIO_printf(bio, "%4ld session cache timeouts\n",
1562 SSL_CTX_sess_timeouts(ssl_ctx));
1563 BIO_printf(bio, "%4ld callback cache hits\n",
1564 SSL_CTX_sess_cb_hits(ssl_ctx));
1565 BIO_printf(bio, "%4ld cache full overflows (%ld allowed)\n",
1566 SSL_CTX_sess_cache_full(ssl_ctx),
1567 SSL_CTX_sess_get_cache_size(ssl_ctx));
1568 }
1569
1570 static int sv_body(char *hostname, int s, unsigned char *context)
1571 {
1572 char *buf = NULL;
1573 fd_set readfds;
1574 int ret = 1, width;
1575 int k, i;
1576 unsigned long l;
1577 SSL *con = NULL;
1578 BIO *sbio;
1579 struct timeval timeout;
1580 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE)
1581 struct timeval tv;
1582 #else
1583 struct timeval *timeoutp;
1584 #endif
1585
1586 if ((buf = OPENSSL_malloc(bufsize)) == NULL) {
1587 BIO_printf(bio_err, "out of memory\n");
1588 goto err;
1589 }
1590 #ifdef FIONBIO
1591 if (s_nbio) {
1592 unsigned long sl = 1;
1593
1594 if (!s_quiet)
1595 BIO_printf(bio_err, "turning on non blocking io\n");
1596 if (BIO_socket_ioctl(s, FIONBIO, &sl) < 0)
1597 ERR_print_errors(bio_err);
1598 }
1599 #endif
1600
1601 if (con == NULL) {
1602 con = SSL_new(ctx);
1603 #ifndef OPENSSL_NO_TLSEXT
1604 if (s_tlsextdebug) {
1605 SSL_set_tlsext_debug_callback(con, tlsext_cb);
1606 SSL_set_tlsext_debug_arg(con, bio_s_out);
1607 }
1608 if (s_tlsextstatus) {
1609 SSL_CTX_set_tlsext_status_cb(ctx, cert_status_cb);
1610 tlscstatp.err = bio_err;
1611 SSL_CTX_set_tlsext_status_arg(ctx, &tlscstatp);
1612 }
1613 #endif
1614 #ifndef OPENSSL_NO_KRB5
1615 if ((con->kssl_ctx = kssl_ctx_new()) != NULL) {
1616 kssl_ctx_setstring(con->kssl_ctx, KSSL_SERVICE, KRB5SVC);
1617 kssl_ctx_setstring(con->kssl_ctx, KSSL_KEYTAB, KRB5KEYTAB);
1618 }
1619 #endif /* OPENSSL_NO_KRB5 */
1620 if (context)
1621 SSL_set_session_id_context(con, context, strlen((char *)context));
1622 }
1623 SSL_clear(con);
1624
1625 if (SSL_version(con) == DTLS1_VERSION) {
1626
1627 sbio = BIO_new_dgram(s, BIO_NOCLOSE);
1628
1629 if (enable_timeouts) {
1630 timeout.tv_sec = 0;
1631 timeout.tv_usec = DGRAM_RCV_TIMEOUT;
1632 BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
1633
1634 timeout.tv_sec = 0;
1635 timeout.tv_usec = DGRAM_SND_TIMEOUT;
1636 BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
1637 }
1638
1639 if (socket_mtu > 28) {
1640 SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
1641 SSL_set_mtu(con, socket_mtu - 28);
1642 } else
1643 /* want to do MTU discovery */
1644 BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL);
1645
1646 /* turn on cookie exchange */
1647 SSL_set_options(con, SSL_OP_COOKIE_EXCHANGE);
1648 } else
1649 sbio = BIO_new_socket(s, BIO_NOCLOSE);
1650
1651 if (s_nbio_test) {
1652 BIO *test;
1653
1654 test = BIO_new(BIO_f_nbio_test());
1655 sbio = BIO_push(test, sbio);
1656 }
1657 #ifndef OPENSSL_NO_JPAKE
1658 if (jpake_secret)
1659 jpake_server_auth(bio_s_out, sbio, jpake_secret);
1660 #endif
1661
1662 SSL_set_bio(con, sbio, sbio);
1663 SSL_set_accept_state(con);
1664 /* SSL_set_fd(con,s); */
1665
1666 if (s_debug) {
1667 con->debug = 1;
1668 BIO_set_callback(SSL_get_rbio(con), bio_dump_callback);
1669 BIO_set_callback_arg(SSL_get_rbio(con), (char *)bio_s_out);
1670 }
1671 if (s_msg) {
1672 SSL_set_msg_callback(con, msg_cb);
1673 SSL_set_msg_callback_arg(con, bio_s_out);
1674 }
1675 #ifndef OPENSSL_NO_TLSEXT
1676 if (s_tlsextdebug) {
1677 SSL_set_tlsext_debug_callback(con, tlsext_cb);
1678 SSL_set_tlsext_debug_arg(con, bio_s_out);
1679 }
1680 #endif
1681
1682 width = s + 1;
1683 for (;;) {
1684 int read_from_terminal;
1685 int read_from_sslcon;
1686
1687 read_from_terminal = 0;
1688 read_from_sslcon = SSL_pending(con);
1689
1690 if (!read_from_sslcon) {
1691 FD_ZERO(&readfds);
1692 #if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE)
1693 FD_SET(fileno(stdin), &readfds);
1694 #endif
1695 FD_SET(s, &readfds);
1696 /*
1697 * Note: under VMS with SOCKETSHR the second parameter is
1698 * currently of type (int *) whereas under other systems it is
1699 * (void *) if you don't have a cast it will choke the compiler:
1700 * if you do have a cast then you can either go for (int *) or
1701 * (void *).
1702 */
1703 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE)
1704 /*
1705 * Under DOS (non-djgpp) and Windows we can't select on stdin:
1706 * only on sockets. As a workaround we timeout the select every
1707 * second and check for any keypress. In a proper Windows
1708 * application we wouldn't do this because it is inefficient.
1709 */
1710 tv.tv_sec = 1;
1711 tv.tv_usec = 0;
1712 i = select(width, (void *)&readfds, NULL, NULL, &tv);
1713 if ((i < 0) || (!i && !_kbhit()))
1714 continue;
1715 if (_kbhit())
1716 read_from_terminal = 1;
1717 #else
1718 if ((SSL_version(con) == DTLS1_VERSION) &&
1719 DTLSv1_get_timeout(con, &timeout))
1720 timeoutp = &timeout;
1721 else
1722 timeoutp = NULL;
1723
1724 i = select(width, (void *)&readfds, NULL, NULL, timeoutp);
1725
1726 if ((SSL_version(con) == DTLS1_VERSION)
1727 && DTLSv1_handle_timeout(con) > 0) {
1728 BIO_printf(bio_err, "TIMEOUT occured\n");
1729 }
1730
1731 if (i <= 0)
1732 continue;
1733 if (FD_ISSET(fileno(stdin), &readfds))
1734 read_from_terminal = 1;
1735 #endif
1736 if (FD_ISSET(s, &readfds))
1737 read_from_sslcon = 1;
1738 }
1739 if (read_from_terminal) {
1740 if (s_crlf) {
1741 int j, lf_num;
1742
1743 i = read(fileno(stdin), buf, bufsize / 2);
1744 lf_num = 0;
1745 /* both loops are skipped when i <= 0 */
1746 for (j = 0; j < i; j++)
1747 if (buf[j] == '\n')
1748 lf_num++;
1749 for (j = i - 1; j >= 0; j--) {
1750 buf[j + lf_num] = buf[j];
1751 if (buf[j] == '\n') {
1752 lf_num--;
1753 i++;
1754 buf[j + lf_num] = '\r';
1755 }
1756 }
1757 assert(lf_num == 0);
1758 } else
1759 i = read(fileno(stdin), buf, bufsize);
1760 if (!s_quiet) {
1761 if ((i <= 0) || (buf[0] == 'Q')) {
1762 BIO_printf(bio_s_out, "DONE\n");
1763 SHUTDOWN(s);
1764 close_accept_socket();
1765 ret = -11;
1766 goto err;
1767 }
1768 if ((i <= 0) || (buf[0] == 'q')) {
1769 BIO_printf(bio_s_out, "DONE\n");
1770 if (SSL_version(con) != DTLS1_VERSION)
1771 SHUTDOWN(s);
1772 /*
1773 * close_accept_socket(); ret= -11;
1774 */
1775 goto err;
1776 }
1777 if ((buf[0] == 'r') && ((buf[1] == '\n') || (buf[1] == '\r'))) {
1778 SSL_renegotiate(con);
1779 i = SSL_do_handshake(con);
1780 printf("SSL_do_handshake -> %d\n", i);
1781 i = 0; /* 13; */
1782 continue;
1783 /*
1784 * strcpy(buf,"server side RE-NEGOTIATE\n");
1785 */
1786 }
1787 if ((buf[0] == 'R') && ((buf[1] == '\n') || (buf[1] == '\r'))) {
1788 SSL_set_verify(con,
1789 SSL_VERIFY_PEER | SSL_VERIFY_CLIENT_ONCE,
1790 NULL);
1791 SSL_renegotiate(con);
1792 i = SSL_do_handshake(con);
1793 printf("SSL_do_handshake -> %d\n", i);
1794 i = 0; /* 13; */
1795 continue;
1796 /*
1797 * strcpy(buf,"server side RE-NEGOTIATE asking for client
1798 * cert\n");
1799 */
1800 }
1801 if (buf[0] == 'P') {
1802 static const char *str = "Lets print some clear text\n";
1803 BIO_write(SSL_get_wbio(con), str, strlen(str));
1804 }
1805 if (buf[0] == 'S') {
1806 print_stats(bio_s_out, SSL_get_SSL_CTX(con));
1807 }
1808 }
1809 #ifdef CHARSET_EBCDIC
1810 ebcdic2ascii(buf, buf, i);
1811 #endif
1812 l = k = 0;
1813 for (;;) {
1814 /* should do a select for the write */
1815 #ifdef RENEG
1816 {
1817 static count = 0;
1818 if (++count == 100) {
1819 count = 0;
1820 SSL_renegotiate(con);
1821 }
1822 }
1823 #endif
1824 k = SSL_write(con, &(buf[l]), (unsigned int)i);
1825 switch (SSL_get_error(con, k)) {
1826 case SSL_ERROR_NONE:
1827 break;
1828 case SSL_ERROR_WANT_WRITE:
1829 case SSL_ERROR_WANT_READ:
1830 case SSL_ERROR_WANT_X509_LOOKUP:
1831 BIO_printf(bio_s_out, "Write BLOCK\n");
1832 break;
1833 case SSL_ERROR_SYSCALL:
1834 case SSL_ERROR_SSL:
1835 BIO_printf(bio_s_out, "ERROR\n");
1836 ERR_print_errors(bio_err);
1837 ret = 1;
1838 goto err;
1839 /* break; */
1840 case SSL_ERROR_ZERO_RETURN:
1841 BIO_printf(bio_s_out, "DONE\n");
1842 ret = 1;
1843 goto err;
1844 }
1845 l += k;
1846 i -= k;
1847 if (i <= 0)
1848 break;
1849 }
1850 }
1851 if (read_from_sslcon) {
1852 if (!SSL_is_init_finished(con)) {
1853 i = init_ssl_connection(con);
1854
1855 if (i < 0) {
1856 ret = 0;
1857 goto err;
1858 } else if (i == 0) {
1859 ret = 1;
1860 goto err;
1861 }
1862 } else {
1863 again:
1864 i = SSL_read(con, (char *)buf, bufsize);
1865 switch (SSL_get_error(con, i)) {
1866 case SSL_ERROR_NONE:
1867 #ifdef CHARSET_EBCDIC
1868 ascii2ebcdic(buf, buf, i);
1869 #endif
1870 if (write(fileno(stdout), buf, (unsigned int)i) != i)
1871 goto err;
1872
1873 if (SSL_pending(con))
1874 goto again;
1875 break;
1876 case SSL_ERROR_WANT_WRITE:
1877 case SSL_ERROR_WANT_READ:
1878 case SSL_ERROR_WANT_X509_LOOKUP:
1879 BIO_printf(bio_s_out, "Read BLOCK\n");
1880 break;
1881 case SSL_ERROR_SYSCALL:
1882 case SSL_ERROR_SSL:
1883 BIO_printf(bio_s_out, "ERROR\n");
1884 ERR_print_errors(bio_err);
1885 ret = 1;
1886 goto err;
1887 case SSL_ERROR_ZERO_RETURN:
1888 BIO_printf(bio_s_out, "DONE\n");
1889 ret = 1;
1890 goto err;
1891 }
1892 }
1893 }
1894 }
1895 err:
1896 BIO_printf(bio_s_out, "shutting down SSL\n");
1897 #if 1
1898 SSL_set_shutdown(con, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
1899 #else
1900 SSL_shutdown(con);
1901 #endif
1902 if (con != NULL)
1903 SSL_free(con);
1904 BIO_printf(bio_s_out, "CONNECTION CLOSED\n");
1905 if (buf != NULL) {
1906 OPENSSL_cleanse(buf, bufsize);
1907 OPENSSL_free(buf);
1908 }
1909 if (ret >= 0)
1910 BIO_printf(bio_s_out, "ACCEPT\n");
1911 return (ret);
1912 }
1913
1914 static void close_accept_socket(void)
1915 {
1916 BIO_printf(bio_err, "shutdown accept socket\n");
1917 if (accept_socket >= 0) {
1918 SHUTDOWN2(accept_socket);
1919 }
1920 }
1921
1922 static int init_ssl_connection(SSL *con)
1923 {
1924 int i;
1925 const char *str;
1926 X509 *peer;
1927 long verify_error;
1928 MS_STATIC char buf[BUFSIZ];
1929
1930 if ((i = SSL_accept(con)) <= 0) {
1931 if (BIO_sock_should_retry(i)) {
1932 BIO_printf(bio_s_out, "DELAY\n");
1933 return (1);
1934 }
1935
1936 BIO_printf(bio_err, "ERROR\n");
1937 verify_error = SSL_get_verify_result(con);
1938 if (verify_error != X509_V_OK) {
1939 BIO_printf(bio_err, "verify error:%s\n",
1940 X509_verify_cert_error_string(verify_error));
1941 } else
1942 ERR_print_errors(bio_err);
1943 return (0);
1944 }
1945
1946 PEM_write_bio_SSL_SESSION(bio_s_out, SSL_get_session(con));
1947
1948 peer = SSL_get_peer_certificate(con);
1949 if (peer != NULL) {
1950 BIO_printf(bio_s_out, "Client certificate\n");
1951 PEM_write_bio_X509(bio_s_out, peer);
1952 X509_NAME_oneline(X509_get_subject_name(peer), buf, sizeof buf);
1953 BIO_printf(bio_s_out, "subject=%s\n", buf);
1954 X509_NAME_oneline(X509_get_issuer_name(peer), buf, sizeof buf);
1955 BIO_printf(bio_s_out, "issuer=%s\n", buf);
1956 X509_free(peer);
1957 }
1958
1959 if (SSL_get_shared_ciphers(con, buf, sizeof buf) != NULL)
1960 BIO_printf(bio_s_out, "Shared ciphers:%s\n", buf);
1961 str = SSL_CIPHER_get_name(SSL_get_current_cipher(con));
1962 BIO_printf(bio_s_out, "CIPHER is %s\n", (str != NULL) ? str : "(NONE)");
1963 if (con->hit)
1964 BIO_printf(bio_s_out, "Reused session-id\n");
1965 if (SSL_ctrl(con, SSL_CTRL_GET_FLAGS, 0, NULL) &
1966 TLS1_FLAGS_TLS_PADDING_BUG)
1967 BIO_printf(bio_s_out, "Peer has incorrect TLSv1 block padding\n");
1968 #ifndef OPENSSL_NO_KRB5
1969 if (con->kssl_ctx->client_princ != NULL) {
1970 BIO_printf(bio_s_out, "Kerberos peer principal is %s\n",
1971 con->kssl_ctx->client_princ);
1972 }
1973 #endif /* OPENSSL_NO_KRB5 */
1974 BIO_printf(bio_s_out, "Secure Renegotiation IS%s supported\n",
1975 SSL_get_secure_renegotiation_support(con) ? "" : " NOT");
1976 return (1);
1977 }
1978
1979 #ifndef OPENSSL_NO_DH
1980 static DH *load_dh_param(const char *dhfile)
1981 {
1982 DH *ret = NULL;
1983 BIO *bio;
1984
1985 if ((bio = BIO_new_file(dhfile, "r")) == NULL)
1986 goto err;
1987 ret = PEM_read_bio_DHparams(bio, NULL, NULL, NULL);
1988 err:
1989 if (bio != NULL)
1990 BIO_free(bio);
1991 return (ret);
1992 }
1993 #endif
1994
1995 #if 0
1996 static int load_CA(SSL_CTX *ctx, char *file)
1997 {
1998 FILE *in;
1999 X509 *x = NULL;
2000
2001 if ((in = fopen(file, "r")) == NULL)
2002 return (0);
2003
2004 for (;;) {
2005 if (PEM_read_X509(in, &x, NULL) == NULL)
2006 break;
2007 SSL_CTX_add_client_CA(ctx, x);
2008 }
2009 if (x != NULL)
2010 X509_free(x);
2011 fclose(in);
2012 return (1);
2013 }
2014 #endif
2015
2016 static int www_body(char *hostname, int s, unsigned char *context)
2017 {
2018 char *buf = NULL;
2019 int ret = 1;
2020 int i, j, k, dot;
2021 struct stat st_buf;
2022 SSL *con;
2023 SSL_CIPHER *c;
2024 BIO *io, *ssl_bio, *sbio;
2025 #ifdef RENEG
2026 long total_bytes;
2027 #endif
2028
2029 buf = OPENSSL_malloc(bufsize);
2030 if (buf == NULL)
2031 return (0);
2032 io = BIO_new(BIO_f_buffer());
2033 ssl_bio = BIO_new(BIO_f_ssl());
2034 if ((io == NULL) || (ssl_bio == NULL))
2035 goto err;
2036
2037 #ifdef FIONBIO
2038 if (s_nbio) {
2039 unsigned long sl = 1;
2040
2041 if (!s_quiet)
2042 BIO_printf(bio_err, "turning on non blocking io\n");
2043 if (BIO_socket_ioctl(s, FIONBIO, &sl) < 0)
2044 ERR_print_errors(bio_err);
2045 }
2046 #endif
2047
2048 /* lets make the output buffer a reasonable size */
2049 if (!BIO_set_write_buffer_size(io, bufsize))
2050 goto err;
2051
2052 if ((con = SSL_new(ctx)) == NULL)
2053 goto err;
2054 #ifndef OPENSSL_NO_TLSEXT
2055 if (s_tlsextdebug) {
2056 SSL_set_tlsext_debug_callback(con, tlsext_cb);
2057 SSL_set_tlsext_debug_arg(con, bio_s_out);
2058 }
2059 #endif
2060 #ifndef OPENSSL_NO_KRB5
2061 if ((con->kssl_ctx = kssl_ctx_new()) != NULL) {
2062 kssl_ctx_setstring(con->kssl_ctx, KSSL_SERVICE, KRB5SVC);
2063 kssl_ctx_setstring(con->kssl_ctx, KSSL_KEYTAB, KRB5KEYTAB);
2064 }
2065 #endif /* OPENSSL_NO_KRB5 */
2066 if (context)
2067 SSL_set_session_id_context(con, context, strlen((char *)context));
2068
2069 sbio = BIO_new_socket(s, BIO_NOCLOSE);
2070 if (s_nbio_test) {
2071 BIO *test;
2072
2073 test = BIO_new(BIO_f_nbio_test());
2074 sbio = BIO_push(test, sbio);
2075 }
2076 SSL_set_bio(con, sbio, sbio);
2077 SSL_set_accept_state(con);
2078
2079 /* SSL_set_fd(con,s); */
2080 BIO_set_ssl(ssl_bio, con, BIO_CLOSE);
2081 BIO_push(io, ssl_bio);
2082 #ifdef CHARSET_EBCDIC
2083 io = BIO_push(BIO_new(BIO_f_ebcdic_filter()), io);
2084 #endif
2085
2086 if (s_debug) {
2087 con->debug = 1;
2088 BIO_set_callback(SSL_get_rbio(con), bio_dump_callback);
2089 BIO_set_callback_arg(SSL_get_rbio(con), (char *)bio_s_out);
2090 }
2091 if (s_msg) {
2092 SSL_set_msg_callback(con, msg_cb);
2093 SSL_set_msg_callback_arg(con, bio_s_out);
2094 }
2095
2096 for (;;) {
2097 if (hack) {
2098 i = SSL_accept(con);
2099
2100 switch (SSL_get_error(con, i)) {
2101 case SSL_ERROR_NONE:
2102 break;
2103 case SSL_ERROR_WANT_WRITE:
2104 case SSL_ERROR_WANT_READ:
2105 case SSL_ERROR_WANT_X509_LOOKUP:
2106 continue;
2107 case SSL_ERROR_SYSCALL:
2108 case SSL_ERROR_SSL:
2109 case SSL_ERROR_ZERO_RETURN:
2110 ret = 1;
2111 goto err;
2112 /* break; */
2113 }
2114
2115 SSL_renegotiate(con);
2116 SSL_write(con, NULL, 0);
2117 }
2118
2119 i = BIO_gets(io, buf, bufsize - 1);
2120 if (i < 0) { /* error */
2121 if (!BIO_should_retry(io)) {
2122 if (!s_quiet)
2123 ERR_print_errors(bio_err);
2124 goto err;
2125 } else {
2126 BIO_printf(bio_s_out, "read R BLOCK\n");
2127 #if defined(OPENSSL_SYS_NETWARE)
2128 delay(1000);
2129 #elif !defined(OPENSSL_SYS_MSDOS) && !defined(__DJGPP__)
2130 sleep(1);
2131 #endif
2132 continue;
2133 }
2134 } else if (i == 0) { /* end of input */
2135 ret = 1;
2136 goto end;
2137 }
2138
2139 /* else we have data */
2140 if (((www == 1) && (strncmp("GET ", buf, 4) == 0)) ||
2141 ((www == 2) && (strncmp("GET /stats ", buf, 10) == 0))) {
2142 char *p;
2143 X509 *peer;
2144 STACK_OF(SSL_CIPHER) *sk;
2145 static const char *space = " ";
2146
2147 BIO_puts(io,
2148 "HTTP/1.0 200 ok\r\nContent-type: text/html\r\n\r\n");
2149 BIO_puts(io, "<HTML><BODY BGCOLOR=\"#ffffff\">\n");
2150 BIO_puts(io, "<pre>\n");
2151 /* BIO_puts(io,SSLeay_version(SSLEAY_VERSION));*/
2152 BIO_puts(io, "\n");
2153 for (i = 0; i < local_argc; i++) {
2154 BIO_puts(io, local_argv[i]);
2155 BIO_write(io, " ", 1);
2156 }
2157 BIO_puts(io, "\n");
2158
2159 /*
2160 * The following is evil and should not really be done
2161 */
2162 BIO_printf(io, "Ciphers supported in s_server binary\n");
2163 sk = SSL_get_ciphers(con);
2164 j = sk_SSL_CIPHER_num(sk);
2165 for (i = 0; i < j; i++) {
2166 c = sk_SSL_CIPHER_value(sk, i);
2167 BIO_printf(io, "%-11s:%-25s",
2168 SSL_CIPHER_get_version(c), SSL_CIPHER_get_name(c));
2169 if ((((i + 1) % 2) == 0) && (i + 1 != j))
2170 BIO_puts(io, "\n");
2171 }
2172 BIO_puts(io, "\n");
2173 p = SSL_get_shared_ciphers(con, buf, bufsize);
2174 if (p != NULL) {
2175 BIO_printf(io,
2176 "---\nCiphers common between both SSL end points:\n");
2177 j = i = 0;
2178 while (*p) {
2179 if (*p == ':') {
2180 BIO_write(io, space, 26 - j);
2181 i++;
2182 j = 0;
2183 BIO_write(io, ((i % 3) ? " " : "\n"), 1);
2184 } else {
2185 BIO_write(io, p, 1);
2186 j++;
2187 }
2188 p++;
2189 }
2190 BIO_puts(io, "\n");
2191 }
2192 BIO_printf(io, ((con->hit)
2193 ? "---\nReused, " : "---\nNew, "));
2194 c = SSL_get_current_cipher(con);
2195 BIO_printf(io, "%s, Cipher is %s\n",
2196 SSL_CIPHER_get_version(c), SSL_CIPHER_get_name(c));
2197 SSL_SESSION_print(io, SSL_get_session(con));
2198 BIO_printf(io, "---\n");
2199 print_stats(io, SSL_get_SSL_CTX(con));
2200 BIO_printf(io, "---\n");
2201 peer = SSL_get_peer_certificate(con);
2202 if (peer != NULL) {
2203 BIO_printf(io, "Client certificate\n");
2204 X509_print(io, peer);
2205 PEM_write_bio_X509(io, peer);
2206 } else
2207 BIO_puts(io, "no client certificate available\n");
2208 BIO_puts(io, "</BODY></HTML>\r\n\r\n");
2209 break;
2210 } else if ((www == 2 || www == 3)
2211 && (strncmp("GET /", buf, 5) == 0)) {
2212 BIO *file;
2213 char *p, *e;
2214 static const char *text =
2215 "HTTP/1.0 200 ok\r\nContent-type: text/plain\r\n\r\n";
2216
2217 /* skip the '/' */
2218 p = &(buf[5]);
2219
2220 dot = 1;
2221 for (e = p; *e != '\0'; e++) {
2222 if (e[0] == ' ')
2223 break;
2224
2225 switch (dot) {
2226 case 1:
2227 dot = (e[0] == '.') ? 2 : 0;
2228 break;
2229 case 2:
2230 dot = (e[0] == '.') ? 3 : 0;
2231 break;
2232 case 3:
2233 dot = (e[0] == '/') ? -1 : 0;
2234 break;
2235 }
2236 if (dot == 0)
2237 dot = (e[0] == '/') ? 1 : 0;
2238 }
2239 dot = (dot == 3) || (dot == -1); /* filename contains ".."
2240 * component */
2241
2242 if (*e == '\0') {
2243 BIO_puts(io, text);
2244 BIO_printf(io, "'%s' is an invalid file name\r\n", p);
2245 break;
2246 }
2247 *e = '\0';
2248
2249 if (dot) {
2250 BIO_puts(io, text);
2251 BIO_printf(io, "'%s' contains '..' reference\r\n", p);
2252 break;
2253 }
2254
2255 if (*p == '/') {
2256 BIO_puts(io, text);
2257 BIO_printf(io, "'%s' is an invalid path\r\n", p);
2258 break;
2259 }
2260 #if 0
2261 /* append if a directory lookup */
2262 if (e[-1] == '/')
2263 strcat(p, "index.html");
2264 #endif
2265
2266 /* if a directory, do the index thang */
2267 if (stat(p, &st_buf) < 0) {
2268 BIO_puts(io, text);
2269 BIO_printf(io, "Error accessing '%s'\r\n", p);
2270 ERR_print_errors(io);
2271 break;
2272 }
2273 if (S_ISDIR(st_buf.st_mode)) {
2274 #if 0 /* must check buffer size */
2275 strcat(p, "/index.html");
2276 #else
2277 BIO_puts(io, text);
2278 BIO_printf(io, "'%s' is a directory\r\n", p);
2279 break;
2280 #endif
2281 }
2282
2283 if ((file = BIO_new_file(p, "r")) == NULL) {
2284 BIO_puts(io, text);
2285 BIO_printf(io, "Error opening '%s'\r\n", p);
2286 ERR_print_errors(io);
2287 break;
2288 }
2289
2290 if (!s_quiet)
2291 BIO_printf(bio_err, "FILE:%s\n", p);
2292
2293 if (www == 2) {
2294 i = strlen(p);
2295 if (((i > 5) && (strcmp(&(p[i - 5]), ".html") == 0)) ||
2296 ((i > 4) && (strcmp(&(p[i - 4]), ".php") == 0)) ||
2297 ((i > 4) && (strcmp(&(p[i - 4]), ".htm") == 0)))
2298 BIO_puts(io,
2299 "HTTP/1.0 200 ok\r\nContent-type: text/html\r\n\r\n");
2300 else
2301 BIO_puts(io,
2302 "HTTP/1.0 200 ok\r\nContent-type: text/plain\r\n\r\n");
2303 }
2304 /* send the file */
2305 #ifdef RENEG
2306 total_bytes = 0;
2307 #endif
2308 for (;;) {
2309 i = BIO_read(file, buf, bufsize);
2310 if (i <= 0)
2311 break;
2312
2313 #ifdef RENEG
2314 total_bytes += i;
2315 fprintf(stderr, "%d\n", i);
2316 if (total_bytes > 3 * 1024) {
2317 total_bytes = 0;
2318 fprintf(stderr, "RENEGOTIATE\n");
2319 SSL_renegotiate(con);
2320 }
2321 #endif
2322
2323 for (j = 0; j < i;) {
2324 #ifdef RENEG
2325 {
2326 static count = 0;
2327 if (++count == 13) {
2328 SSL_renegotiate(con);
2329 }
2330 }
2331 #endif
2332 k = BIO_write(io, &(buf[j]), i - j);
2333 if (k <= 0) {
2334 if (!BIO_should_retry(io))
2335 goto write_error;
2336 else {
2337 BIO_printf(bio_s_out, "rwrite W BLOCK\n");
2338 }
2339 } else {
2340 j += k;
2341 }
2342 }
2343 }
2344 write_error:
2345 BIO_free(file);
2346 break;
2347 }
2348 }
2349
2350 for (;;) {
2351 i = (int)BIO_flush(io);
2352 if (i <= 0) {
2353 if (!BIO_should_retry(io))
2354 break;
2355 } else
2356 break;
2357 }
2358 end:
2359 #if 1
2360 /* make sure we re-use sessions */
2361 SSL_set_shutdown(con, SSL_SENT_SHUTDOWN | SSL_RECEIVED_SHUTDOWN);
2362 #else
2363 /* This kills performance */
2364 /*
2365 * SSL_shutdown(con); A shutdown gets sent in the BIO_free_all(io)
2366 * procession
2367 */
2368 #endif
2369
2370 err:
2371
2372 if (ret >= 0)
2373 BIO_printf(bio_s_out, "ACCEPT\n");
2374
2375 if (buf != NULL)
2376 OPENSSL_free(buf);
2377 if (io != NULL)
2378 BIO_free_all(io);
2379 /* if (ssl_bio != NULL) BIO_free(ssl_bio);*/
2380 return (ret);
2381 }
2382
2383 #ifndef OPENSSL_NO_RSA
2384 static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength)
2385 {
2386 BIGNUM *bn = NULL;
2387 static RSA *rsa_tmp = NULL;
2388
2389 if (!rsa_tmp && ((bn = BN_new()) == NULL))
2390 BIO_printf(bio_err, "Allocation error in generating RSA key\n");
2391 if (!rsa_tmp && bn) {
2392 if (!s_quiet) {
2393 BIO_printf(bio_err, "Generating temp (%d bit) RSA key...",
2394 keylength);
2395 (void)BIO_flush(bio_err);
2396 }
2397 if (!BN_set_word(bn, RSA_F4) || ((rsa_tmp = RSA_new()) == NULL) ||
2398 !RSA_generate_key_ex(rsa_tmp, keylength, bn, NULL)) {
2399 if (rsa_tmp)
2400 RSA_free(rsa_tmp);
2401 rsa_tmp = NULL;
2402 }
2403 if (!s_quiet) {
2404 BIO_printf(bio_err, "\n");
2405 (void)BIO_flush(bio_err);
2406 }
2407 BN_free(bn);
2408 }
2409 return (rsa_tmp);
2410 }
2411 #endif
2412
2413 #define MAX_SESSION_ID_ATTEMPTS 10
2414 static int generate_session_id(const SSL *ssl, unsigned char *id,
2415 unsigned int *id_len)
2416 {
2417 unsigned int count = 0;
2418 do {
2419 RAND_pseudo_bytes(id, *id_len);
2420 /*
2421 * Prefix the session_id with the required prefix. NB: If our prefix
2422 * is too long, clip it - but there will be worse effects anyway, eg.
2423 * the server could only possibly create 1 session ID (ie. the
2424 * prefix!) so all future session negotiations will fail due to
2425 * conflicts.
2426 */
2427 memcpy(id, session_id_prefix,
2428 (strlen(session_id_prefix) < *id_len) ?
2429 strlen(session_id_prefix) : *id_len);
2430 }
2431 while (SSL_has_matching_session_id(ssl, id, *id_len) &&
2432 (++count < MAX_SESSION_ID_ATTEMPTS));
2433 if (count >= MAX_SESSION_ID_ATTEMPTS)
2434 return 0;
2435 return 1;
2436 }
A mirror of the official openssl repository