os/ossrv/ssl/tsrc/topenssl/src/s_server.c
author sl@SLION-WIN7.fritz.box
Fri, 15 Jun 2012 03:10:57 +0200
changeset 0 bde4ae8d615e
permissions -rw-r--r--
First public contribution.
sl@0
     1
/* apps/s_server.c */
sl@0
     2
/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
sl@0
     3
 * All rights reserved.
sl@0
     4
 *
sl@0
     5
 * This package is an SSL implementation written
sl@0
     6
 * by Eric Young (eay@cryptsoft.com).
sl@0
     7
 * The implementation was written so as to conform with Netscapes SSL.
sl@0
     8
 * 
sl@0
     9
 * This library is free for commercial and non-commercial use as long as
sl@0
    10
 * the following conditions are aheared to.  The following conditions
sl@0
    11
 * apply to all code found in this distribution, be it the RC4, RSA,
sl@0
    12
 * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
sl@0
    13
 * included with this distribution is covered by the same copyright terms
sl@0
    14
 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
sl@0
    15
 * 
sl@0
    16
 * Copyright remains Eric Young's, and as such any Copyright notices in
sl@0
    17
 * the code are not to be removed.
sl@0
    18
 * If this package is used in a product, Eric Young should be given attribution
sl@0
    19
 * as the author of the parts of the library used.
sl@0
    20
 * This can be in the form of a textual message at program startup or
sl@0
    21
 * in documentation (online or textual) provided with the package.
sl@0
    22
 * 
sl@0
    23
 * Redistribution and use in source and binary forms, with or without
sl@0
    24
 * modification, are permitted provided that the following conditions
sl@0
    25
 * are met:
sl@0
    26
 * 1. Redistributions of source code must retain the copyright
sl@0
    27
 *    notice, this list of conditions and the following disclaimer.
sl@0
    28
 * 2. Redistributions in binary form must reproduce the above copyright
sl@0
    29
 *    notice, this list of conditions and the following disclaimer in the
sl@0
    30
 *    documentation and/or other materials provided with the distribution.
sl@0
    31
 * 3. All advertising materials mentioning features or use of this software
sl@0
    32
 *    must display the following acknowledgement:
sl@0
    33
 *    "This product includes cryptographic software written by
sl@0
    34
 *     Eric Young (eay@cryptsoft.com)"
sl@0
    35
 *    The word 'cryptographic' can be left out if the rouines from the library
sl@0
    36
 *    being used are not cryptographic related :-).
sl@0
    37
 * 4. If you include any Windows specific code (or a derivative thereof) from 
sl@0
    38
 *    the apps directory (application code) you must include an acknowledgement:
sl@0
    39
 *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
sl@0
    40
 * 
sl@0
    41
 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
sl@0
    42
 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
sl@0
    43
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
sl@0
    44
 * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
sl@0
    45
 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
sl@0
    46
 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
sl@0
    47
 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
sl@0
    48
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
sl@0
    49
 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
sl@0
    50
 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
sl@0
    51
 * SUCH DAMAGE.
sl@0
    52
 * 
sl@0
    53
 * The licence and distribution terms for any publically available version or
sl@0
    54
 * derivative of this code cannot be changed.  i.e. this code cannot simply be
sl@0
    55
 * copied and put under another distribution licence
sl@0
    56
 * [including the GNU Public Licence.]
sl@0
    57
 */
sl@0
    58
/* ====================================================================
sl@0
    59
 * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
sl@0
    60
 *
sl@0
    61
 * Redistribution and use in source and binary forms, with or without
sl@0
    62
 * modification, are permitted provided that the following conditions
sl@0
    63
 * are met:
sl@0
    64
 *
sl@0
    65
 * 1. Redistributions of source code must retain the above copyright
sl@0
    66
 *    notice, this list of conditions and the following disclaimer. 
sl@0
    67
 *
sl@0
    68
 * 2. Redistributions in binary form must reproduce the above copyright
sl@0
    69
 *    notice, this list of conditions and the following disclaimer in
sl@0
    70
 *    the documentation and/or other materials provided with the
sl@0
    71
 *    distribution.
sl@0
    72
 *
sl@0
    73
 * 3. All advertising materials mentioning features or use of this
sl@0
    74
 *    software must display the following acknowledgment:
sl@0
    75
 *    "This product includes software developed by the OpenSSL Project
sl@0
    76
 *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
sl@0
    77
 *
sl@0
    78
 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
sl@0
    79
 *    endorse or promote products derived from this software without
sl@0
    80
 *    prior written permission. For written permission, please contact
sl@0
    81
 *    openssl-core@openssl.org.
sl@0
    82
 *
sl@0
    83
 * 5. Products derived from this software may not be called "OpenSSL"
sl@0
    84
 *    nor may "OpenSSL" appear in their names without prior written
sl@0
    85
 *    permission of the OpenSSL Project.
sl@0
    86
 *
sl@0
    87
 * 6. Redistributions of any form whatsoever must retain the following
sl@0
    88
 *    acknowledgment:
sl@0
    89
 *    "This product includes software developed by the OpenSSL Project
sl@0
    90
 *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
sl@0
    91
 *
sl@0
    92
 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
sl@0
    93
 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
sl@0
    94
 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
sl@0
    95
 * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
sl@0
    96
 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
sl@0
    97
 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
sl@0
    98
 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
sl@0
    99
 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
sl@0
   100
 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
sl@0
   101
 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
sl@0
   102
 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
sl@0
   103
 * OF THE POSSIBILITY OF SUCH DAMAGE.
sl@0
   104
 * ====================================================================
sl@0
   105
 *
sl@0
   106
 * This product includes cryptographic software written by Eric Young
sl@0
   107
 * (eay@cryptsoft.com).  This product includes software written by Tim
sl@0
   108
 * Hudson (tjh@cryptsoft.com).
sl@0
   109
 *
sl@0
   110
 */
sl@0
   111
/* ====================================================================
sl@0
   112
 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
sl@0
   113
 * ECC cipher suite support in OpenSSL originally developed by 
sl@0
   114
 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
sl@0
   115
 */
sl@0
   116
sl@0
   117
/* Until the key-gen callbacks are modified to use newer prototypes, we allow
sl@0
   118
 * deprecated functions for openssl-internal code */
sl@0
   119
#ifdef OPENSSL_NO_DEPRECATED
sl@0
   120
#undef OPENSSL_NO_DEPRECATED
sl@0
   121
#endif
sl@0
   122
sl@0
   123
#include <assert.h>
sl@0
   124
#include <stdio.h>
sl@0
   125
#include <stdlib.h>
sl@0
   126
#include <string.h>
sl@0
   127
#include <sys/select.h>
sl@0
   128
#include <sys/stat.h>
sl@0
   129
#include <openssl/e_os2.h>
sl@0
   130
#ifdef OPENSSL_NO_STDIO
sl@0
   131
#define APPS_WIN16
sl@0
   132
#endif
sl@0
   133
sl@0
   134
#if !defined(OPENSSL_SYS_NETWARE)  /* conflicts with winsock2 stuff on netware */
sl@0
   135
#include <sys/types.h>
sl@0
   136
#endif
sl@0
   137
sl@0
   138
/* With IPv6, it looks like Digital has mixed up the proper order of
sl@0
   139
   recursive header file inclusion, resulting in the compiler complaining
sl@0
   140
   that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which
sl@0
   141
   is needed to have fileno() declared correctly...  So let's define u_int */
sl@0
   142
#if defined(OPENSSL_SYS_VMS_DECC) && !defined(__U_INT)
sl@0
   143
#define __U_INT
sl@0
   144
typedef unsigned int u_int;
sl@0
   145
#endif
sl@0
   146
sl@0
   147
#include <openssl/lhash.h>
sl@0
   148
#include <openssl/bn.h>
sl@0
   149
#define USE_SOCKETS
sl@0
   150
#include "apps.h"
sl@0
   151
#include <openssl/err.h>
sl@0
   152
#include <openssl/pem.h>
sl@0
   153
#include <openssl/x509.h>
sl@0
   154
#include <openssl/ssl.h>
sl@0
   155
#include <openssl/rand.h>
sl@0
   156
#ifndef OPENSSL_NO_DH
sl@0
   157
#include <openssl/dh.h>
sl@0
   158
#endif
sl@0
   159
#ifndef OPENSSL_NO_RSA
sl@0
   160
#include <openssl/rsa.h>
sl@0
   161
#endif
sl@0
   162
#include "s_apps.h"
sl@0
   163
#include "timeouts.h"
sl@0
   164
sl@0
   165
#ifdef OPENSSL_SYS_WINCE
sl@0
   166
/* Windows CE incorrectly defines fileno as returning void*, so to avoid problems below... */
sl@0
   167
#ifdef fileno
sl@0
   168
#undef fileno
sl@0
   169
#endif
sl@0
   170
#define fileno(a) (int)_fileno(a)
sl@0
   171
#endif
sl@0
   172
sl@0
   173
#if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
sl@0
   174
/* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
sl@0
   175
#undef FIONBIO
sl@0
   176
#endif
sl@0
   177
sl@0
   178
#ifndef OPENSSL_NO_RSA
sl@0
   179
static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength);
sl@0
   180
#endif
sl@0
   181
static int sv_body(char *hostname, int s, unsigned char *context);
sl@0
   182
static int www_body(char *hostname, int s, unsigned char *context);
sl@0
   183
static void close_accept_socket(void );
sl@0
   184
static void sv_usage(void);
sl@0
   185
static int init_ssl_connection(SSL *s);
sl@0
   186
static void print_stats(BIO *bp,SSL_CTX *ctx);
sl@0
   187
static int generate_session_id(const SSL *ssl, unsigned char *id,
sl@0
   188
				unsigned int *id_len);
sl@0
   189
#ifndef OPENSSL_NO_DH
sl@0
   190
static DH *load_dh_param(const char *dhfile);
sl@0
   191
static DH *get_dh512(void);
sl@0
   192
#endif
sl@0
   193
sl@0
   194
sl@0
   195
#ifdef MONOLITH
sl@0
   196
static void s_server_init(void);
sl@0
   197
#endif
sl@0
   198
sl@0
   199
#ifndef S_ISDIR
sl@0
   200
# if defined(_S_IFMT) && defined(_S_IFDIR)
sl@0
   201
#  define S_ISDIR(a)	(((a) & _S_IFMT) == _S_IFDIR)
sl@0
   202
# else
sl@0
   203
#  define S_ISDIR(a)	(((a) & S_IFMT) == S_IFDIR)
sl@0
   204
# endif
sl@0
   205
#endif
sl@0
   206
sl@0
   207
#ifndef OPENSSL_NO_DH
sl@0
   208
/* Built-in Diffie-Hellman group: a 64-byte (512-bit) prime p and the
 * generator g = 2, consumed by get_dh512() below.  Per the -dhparam help
 * text this is the "default set of parameters" used when no DH file is
 * supplied.
 * NOTE(review): a 512-bit modulus is far below any current minimum
 * strength guidance for DH; treat this group as a test-only fallback,
 * never as a deployable default. */
static unsigned char dh512_p[]={
	0xDA,0x58,0x3C,0x16,0xD9,0x85,0x22,0x89,0xD0,0xE4,0xAF,0x75,
	0x6F,0x4C,0xCA,0x92,0xDD,0x4B,0xE5,0x33,0xB8,0x04,0xFB,0x0F,
	0xED,0x94,0xEF,0x9C,0x8A,0x44,0x03,0xED,0x57,0x46,0x50,0xD3,
	0x69,0x99,0xDB,0x29,0xD7,0x76,0x27,0x6B,0xA2,0xD3,0xD4,0x12,
	0xE2,0x18,0xF4,0xDD,0x1E,0x08,0x4C,0xF6,0xD8,0x00,0x3E,0x7C,
	0x47,0x74,0xE8,0x33,
	};
/* Generator for the group above (single byte, value 2). */
static unsigned char dh512_g[]={
	0x02,
	};
sl@0
   219
sl@0
   220
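/* Build a DH object from the built-in 512-bit group (dh512_p / dh512_g).
 *
 * Returns a newly allocated DH that the caller owns and must release with
 * DH_free(), or NULL if DH_new() or either BN_bin2bn() conversion fails.
 * On failure nothing is leaked: the partially built DH is freed before
 * returning (the original returned NULL and leaked it).
 * NOTE(review): 512-bit DH is far below modern strength guidance; this is
 * a last-resort default, not a recommendation.
 */
static DH *get_dh512(void)
	{
	DH *dh=NULL;

	if ((dh=DH_new()) == NULL) return(NULL);
	dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
	dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
	if ((dh->p == NULL) || (dh->g == NULL))
		{
		/* DH_free releases whichever of p/g did convert along with
		 * the DH itself, so a single call cleans up both cases. */
		DH_free(dh);
		return(NULL);
		}
	return(dh);
	}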
sl@0
   231
#endif
sl@0
   232
sl@0
   233
sl@0
   234
/* static int load_CA(SSL_CTX *ctx, char *file);*/
sl@0
   235
sl@0
   236
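#undef BUFSIZZ
/* I/O buffer size.  Parenthesised so the macro is safe inside larger
 * expressions (the original "16*1024" was not). */
#define BUFSIZZ	(16*1024)
static int bufsize=BUFSIZZ;
/* Listening socket; -1 until one is opened (see close_accept_socket). */
static int accept_socket= -1;

#define TEST_CERT	"server.pem"
#undef PROG
#define PROG		s_server_main

/* Defined elsewhere in the apps sources; MAIN sets it from -verify/-Verify. */
extern int verify_depth;

/* Command-line state.  Kept at file scope rather than as locals of MAIN
 * because the connection handlers and callbacks declared above presumably
 * read them; in MONOLITH builds s_server_init() resets them between runs. */
static char *cipher=NULL;
static int s_server_verify=SSL_VERIFY_NONE;
static int s_server_session_id_context = 1; /* anything will do */
static const char *s_cert_file=TEST_CERT,*s_key_file=NULL;
static char *s_dcert_file=NULL,*s_dkey_file=NULL;
#ifdef FIONBIO
static int s_nbio=0;
#endif
static int s_nbio_test=0;
/* -crlf.  Deliberately not static: presumably shared with other apps
 * code — confirm before changing its linkage. */
int s_crlf=0;
static SSL_CTX *ctx=NULL;
/* 0 = default; 1 = -www, 2 = -WWW, 3 = -HTTP (see option parsing in MAIN). */
static int www=0;

static BIO *bio_s_out=NULL;
static int s_debug=0;
static int s_msg=0;
static int s_quiet=0;

static int hack=0;
#ifndef OPENSSL_NO_ENGINE
static char *engine_id=NULL;
#endif
static const char *session_id_prefix=NULL;

static int enable_timeouts = 0;
#ifdef mtu
#undef mtu
#endif
/* -mtu; static storage, so zero until the option sets it. */
static long mtu;
static int cert_chain = 0;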
sl@0
   277
sl@0
   278
sl@0
   279
#ifdef MONOLITH
sl@0
   280
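/* Reset the file-scope option state to its compile-time defaults.
 *
 * Only built in MONOLITH mode, where the single "openssl" binary can run
 * s_server repeatedly in one process and the statics declared above would
 * otherwise carry one run's settings into the next.  MAIN calls this
 * before it parses its options.
 */
static void s_server_init(void)
	{
	accept_socket=-1;
	cipher=NULL;
	s_server_verify=SSL_VERIFY_NONE;
	s_dcert_file=NULL;
	s_dkey_file=NULL;
	s_cert_file=TEST_CERT;
	s_key_file=NULL;
#ifdef FIONBIO
	s_nbio=0;
#endif
	s_nbio_test=0;
	ctx=NULL;
	www=0;

	bio_s_out=NULL;
	s_debug=0;
	s_msg=0;
	s_quiet=0;
	hack=0;
#ifndef OPENSSL_NO_ENGINE
	engine_id=NULL;
#endif
	/* The original stopped at engine_id and left these option globals
	 * (declared alongside the ones above) holding stale values across
	 * runs; restore their declared defaults as well. */
	session_id_prefix=NULL;
	enable_timeouts=0;
	mtu=0;
	cert_chain=0;
	/* s_crlf is intentionally not reset here: it is the one non-static
	 * flag in this group and may be shared with other apps code —
	 * confirm its users before adding it. */
	}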
sl@0
   305
#endif
sl@0
   306
sl@0
   307
/* Print the command-line help for s_server to bio_err.
 *
 * The list is maintained by hand and has drifted from the parser in MAIN:
 * options MAIN accepts that are not shown here include -port (an alias of
 * -accept), -hack and -crl_check.  NOTE(review): MAIN also holds two
 * branches that both compare against "-crl_check"; the second one (which
 * adds X509_V_FLAG_CRL_CHECK_ALL) is unreachable and presumably was meant
 * to be "-crl_check_all" — confirm, fix it there, then document it here.
 */
static void sv_usage(void)
	{
	BIO_printf(bio_err,"usage: s_server [args ...]\n");
	BIO_printf(bio_err,"\n");
	BIO_printf(bio_err," -accept arg   - port to accept on (default is %d)\n",PORT);
	BIO_printf(bio_err," -context arg  - set session ID context\n");
	BIO_printf(bio_err," -verify arg   - turn on peer certificate verification\n");
	BIO_printf(bio_err," -Verify arg   - turn on peer certificate verification, must have a cert.\n");
	BIO_printf(bio_err," -cert arg     - certificate file to use\n");
	BIO_printf(bio_err,"                 (default is %s)\n",TEST_CERT);
	BIO_printf(bio_err," -certform arg - certificate format (PEM or DER) PEM default\n");
	BIO_printf(bio_err," -key arg      - Private Key file to use, in cert file if\n");
	BIO_printf(bio_err,"                 not specified (default is %s)\n",TEST_CERT);
	BIO_printf(bio_err," -keyform arg  - key format (PEM, DER or ENGINE) PEM default\n");
	BIO_printf(bio_err," -pass arg     - private key file pass phrase source\n");
	BIO_printf(bio_err," -dcert arg    - second certificate file to use (usually for DSA)\n");
	BIO_printf(bio_err," -dcertform x  - second certificate format (PEM or DER) PEM default\n");
	BIO_printf(bio_err," -dkey arg     - second private key file to use (usually for DSA)\n");
	BIO_printf(bio_err," -dkeyform arg - second key format (PEM, DER or ENGINE) PEM default\n");
	BIO_printf(bio_err," -dpass arg    - second private key file pass phrase source\n");
	/* The built-in default is the 512-bit group in dh512_p above. */
	BIO_printf(bio_err," -dhparam arg  - DH parameter file to use, in cert file if not specified\n");
	BIO_printf(bio_err,"                 or a default set of parameters is used\n");
#ifndef OPENSSL_NO_ECDH
	BIO_printf(bio_err," -named_curve arg  - Elliptic curve name to use for ephemeral ECDH keys.\n" \
	                   "                 Use \"openssl ecparam -list_curves\" for all names\n" \
	                   "                 (default is sect163r2).\n");
#endif
#ifdef FIONBIO
	BIO_printf(bio_err," -nbio         - Run with non-blocking IO\n");
#endif
	BIO_printf(bio_err," -nbio_test    - test with the non-blocking test bio\n");
	BIO_printf(bio_err," -crlf         - convert LF from terminal into CRLF\n");
	BIO_printf(bio_err," -debug        - Print more output\n");
	BIO_printf(bio_err," -msg          - Show protocol messages\n");
	BIO_printf(bio_err," -state        - Print the SSL states\n");
	BIO_printf(bio_err," -CApath arg   - PEM format directory of CA's\n");
	BIO_printf(bio_err," -CAfile arg   - PEM format file of CA's\n");
	BIO_printf(bio_err," -nocert       - Don't use any certificates (Anon-DH)\n");
	BIO_printf(bio_err," -cipher arg   - play with 'openssl ciphers' to see what goes here\n");
	BIO_printf(bio_err," -serverpref   - Use server's cipher preferences\n");
	BIO_printf(bio_err," -quiet        - No server output\n");
	BIO_printf(bio_err," -no_tmp_rsa   - Do not generate a tmp RSA key\n");
	BIO_printf(bio_err," -ssl2         - Just talk SSLv2\n");
	BIO_printf(bio_err," -ssl3         - Just talk SSLv3\n");
	BIO_printf(bio_err," -tls1         - Just talk TLSv1\n");
	BIO_printf(bio_err," -dtls1        - Just talk DTLSv1\n");
	BIO_printf(bio_err," -timeout      - Enable timeouts\n");
	BIO_printf(bio_err," -mtu          - Set MTU\n");
	BIO_printf(bio_err," -chain        - Read a certificate chain\n");
	BIO_printf(bio_err," -no_ssl2      - Just disable SSLv2\n");
	BIO_printf(bio_err," -no_ssl3      - Just disable SSLv3\n");
	BIO_printf(bio_err," -no_tls1      - Just disable TLSv1\n");
#ifndef OPENSSL_NO_DH
	BIO_printf(bio_err," -no_dhe       - Disable ephemeral DH\n");
#endif
#ifndef OPENSSL_NO_ECDH
	BIO_printf(bio_err," -no_ecdhe     - Disable ephemeral ECDH\n");
#endif
	BIO_printf(bio_err," -bugs         - Turn on SSL bug compatibility\n");
	BIO_printf(bio_err," -www          - Respond to a 'GET /' with a status page\n");
	/* -WWW/-HTTP serve files relative to the current directory; this is
	 * test tooling, not a general-purpose file server (see www_body). */
	BIO_printf(bio_err," -WWW          - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>\n");
	BIO_printf(bio_err," -HTTP         - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>\n");
        BIO_printf(bio_err,"                 with the assumption it contains a complete HTTP response.\n");
#ifndef OPENSSL_NO_ENGINE
	BIO_printf(bio_err," -engine id    - Initialise and use the specified engine\n");
#endif
	BIO_printf(bio_err," -id_prefix arg - Generate SSL/TLS session IDs prefixed by 'arg'\n");
	BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
	}
sl@0
   376
sl@0
   377
/* Copies of MAIN's argc/argv, stored by MAIN right after start-up.  Their
 * reader is not in this part of the file; presumably a callback that has
 * no other route to the command line. */
static int local_argc=0;
static char **local_argv;
sl@0
   379
sl@0
   380
#ifdef CHARSET_EBCDIC
sl@0
   381
/* Callbacks for a filter BIO that converts between the EBCDIC bytes the
 * application works with and the ASCII bytes passed to the next BIO:
 * reads translate ASCII->EBCDIC, writes translate EBCDIC->ASCII. */
static int ebcdic_new(BIO *bi);
static int ebcdic_free(BIO *a);
static int ebcdic_read(BIO *b, char *out, int outl);
static int ebcdic_write(BIO *b, const char *in, int inl);
static long ebcdic_ctrl(BIO *b, int cmd, long num, void *ptr);
static int ebcdic_gets(BIO *bp, char *buf, int size);
static int ebcdic_puts(BIO *bp, const char *str);

/* BIO type id: 18 with 0x0200 (BIO_TYPE_FILTER in bio.h) set. */
#define BIO_TYPE_EBCDIC_FILTER	(18|0x0200)
/* Method table for the filter.  Positional initialiser: the entries must
 * stay in BIO_METHOD field order (type, name, bwrite, bread, bputs, bgets,
 * ctrl, create, destroy); the trailing callback_ctrl slot is left zero. */
static BIO_METHOD methods_ebcdic=
	{
	BIO_TYPE_EBCDIC_FILTER,
	"EBCDIC/ASCII filter",
	ebcdic_write,
	ebcdic_read,
	ebcdic_puts,
	ebcdic_gets,
	ebcdic_ctrl,
	ebcdic_new,
	ebcdic_free,
	};

/* Per-BIO scratch buffer in which ebcdic_write builds the ASCII copy of
 * the caller's data.  `alloced` is the number of usable bytes in `buff`;
 * `buff[1]` is the pre-C99 "struct hack" — the object is allocated with
 * `alloced` extra trailing bytes (see ebcdic_new / ebcdic_write). */
typedef struct
{
	size_t	alloced;
	char	buff[1];
} EBCDIC_OUTBUFF;
sl@0
   408
sl@0
   409
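/* Return the method table for the EBCDIC/ASCII filter BIO, for use as
 * BIO_new(BIO_f_ebcdic_filter()).  The table is a file-level static, so
 * the result is never NULL and must not be freed by the caller.
 * The empty "()" parameter list was an unprototyped declaration; "(void)"
 * is the prototyped form and is call-compatible. */
BIO_METHOD *BIO_f_ebcdic_filter(void)
{
	return(&methods_ebcdic);
}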
sl@0
   413
sl@0
   414
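/* BIO "create" callback: attach a fresh 1024-byte EBCDIC_OUTBUFF scratch
 * buffer to bi->ptr and mark the BIO initialised.
 *
 * Returns 1 on success, 0 if the scratch buffer cannot be allocated (the
 * original dereferenced the NULL result instead of failing).
 */
static int ebcdic_new(BIO *bi)
{
	EBCDIC_OUTBUFF *wbuf;

	wbuf = (EBCDIC_OUTBUFF *)OPENSSL_malloc(sizeof(EBCDIC_OUTBUFF) + 1024);
	if (wbuf == NULL)
		return(0);
	wbuf->alloced = 1024;
	wbuf->buff[0] = '\0';

	bi->ptr=(char *)wbuf;
	bi->init=1;
	bi->flags=0;
	return(1);
}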
sl@0
   427
sl@0
   428
/* BIO "destroy" callback: release the EBCDIC_OUTBUFF scratch buffer held
 * in a->ptr and clear the BIO's init/flags state.
 *
 * Returns 0 when a is NULL, 1 otherwise.
 */
static int ebcdic_free(BIO *a)
{
	void *scratch;

	if (a == NULL)
		return(0);

	scratch = a->ptr;
	if (scratch != NULL)
		OPENSSL_free(scratch);

	a->ptr = NULL;
	a->init = 0;
	a->flags = 0;
	return(1);
}
sl@0
   438
	
sl@0
   439
/* BIO "read" callback: read up to outl bytes from the next BIO into out,
 * then translate them in place from ASCII to EBCDIC.
 *
 * Returns the BIO_read result from the next BIO (bytes read, 0 or a
 * negative retry/error value), or 0 when out is NULL, outl is 0, or there
 * is no next BIO.  A negative outl is passed through to BIO_read as-is.
 */
static int ebcdic_read(BIO *b, char *out, int outl)
{
	int n;

	if (out == NULL || outl == 0 || b->next_bio == NULL)
		return(0);

	n = BIO_read(b->next_bio, out, outl);
	if (n > 0)
		ascii2ebcdic(out, out, n);	/* in-place translation */
	return(n);
}
sl@0
   451
sl@0
   452
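/* BIO "write" callback: translate inl EBCDIC bytes from in to ASCII in the
 * BIO's private scratch buffer, then write them to the next BIO.
 *
 * b   - this BIO; b->ptr holds its EBCDIC_OUTBUFF scratch buffer
 * in  - EBCDIC data; inl bytes
 * Returns the BIO_write result from the next BIO; 0 when in is NULL,
 * inl <= 0 or there is no next BIO; -1 when the scratch buffer is missing
 * or cannot be grown.  On a failed grow the existing buffer stays attached
 * to the BIO (the original freed it first and then dereferenced the NULL
 * allocation, leaving b->ptr dangling for ebcdic_free to free again).
 */
static int ebcdic_write(BIO *b, const char *in, int inl)
{
	EBCDIC_OUTBUFF *wbuf;

	if ((in == NULL) || (inl <= 0)) return(0);
	if (b->next_bio == NULL) return(0);

	wbuf=(EBCDIC_OUTBUFF *)b->ptr;
	if (wbuf == NULL) return(-1);

	if ((size_t)inl > wbuf->alloced)
	{
		EBCDIC_OUTBUFF *nbuf;
		size_t num = wbuf->alloced + wbuf->alloced;  /* double the size */

		if (num < (size_t)inl)
			num = (size_t)inl;

		/* Allocate the replacement before releasing the old buffer so
		 * that an allocation failure leaves b->ptr pointing at live
		 * memory rather than at a freed block. */
		nbuf=(EBCDIC_OUTBUFF *)OPENSSL_malloc(sizeof(EBCDIC_OUTBUFF) + num);
		if (nbuf == NULL)
			return(-1);
		nbuf->alloced = num;
		nbuf->buff[0] = '\0';

		OPENSSL_free(wbuf);
		wbuf=nbuf;
		b->ptr=(char *)wbuf;
	}

	ebcdic2ascii(wbuf->buff, in, inl);

	return BIO_write(b->next_bio, wbuf->buff, inl);
}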
sl@0
   484
sl@0
   485
/* BIO "ctrl" callback.  BIO_CTRL_DUP is refused (returns 0); every other
 * command is forwarded unchanged to the next BIO and its result returned.
 * Returns 0 when there is no next BIO.
 */
static long ebcdic_ctrl(BIO *b, int cmd, long num, void *ptr)
{
	if (b->next_bio == NULL)
		return(0);

	/* Duplicating this filter is not supported. */
	if (cmd == BIO_CTRL_DUP)
		return(0L);

	return BIO_ctrl(b->next_bio, cmd, num, ptr);
}
sl@0
   501
sl@0
   502
/* BIO "gets" callback: read a line into buf through ebcdic_read, one
 * translated byte at a time, stopping after a newline (which is kept),
 * on error/EOF, or after size-1 bytes.  buf is NUL-terminated when there
 * is room (pos < size); for size <= 0 nothing is written.
 *
 * Returns the number of bytes stored, or the negative ebcdic_read result
 * when the very first read failed.  Returns 0 when there is no next BIO.
 */
static int ebcdic_gets(BIO *bp, char *buf, int size)
{
	int pos = 0;
	int rc = 0;

	if (bp->next_bio == NULL) return(0);

	while (pos < size - 1)
	{
		rc = ebcdic_read(bp, &buf[pos], 1);
		if (rc <= 0)
			break;
		/* Count the byte, then stop if it was the line terminator. */
		if (buf[pos++] == '\n')
			break;
	}

	if (pos < size)
		buf[pos] = '\0';

	if (rc < 0 && pos == 0)
		return(rc);
	return(pos);
}
sl@0
   522
sl@0
   523
/* BIO "puts" callback: write the NUL-terminated string str (without the
 * terminator) through ebcdic_write.  Returns 0 when there is no next BIO,
 * otherwise ebcdic_write's result.  The length is narrowed to int exactly
 * as the implicit conversion in the original did.
 */
static int ebcdic_puts(BIO *bp, const char *str)
{
	size_t len;

	if (bp->next_bio == NULL)
		return(0);

	len = strlen(str);
	return ebcdic_write(bp, str, (int)len);
}
sl@0
   528
#endif
sl@0
   529
sl@0
   530
int MAIN(int, char **);
sl@0
   531
sl@0
   532
int MAIN(int argc, char *argv[])
sl@0
   533
	{
sl@0
   534
	X509_STORE *store = NULL;
sl@0
   535
	int vflags = 0;
sl@0
   536
	short port=PORT;
sl@0
   537
	char *CApath=NULL,*CAfile=NULL;
sl@0
   538
	unsigned char *context = NULL;
sl@0
   539
	char *dhfile = NULL;
sl@0
   540
#ifndef OPENSSL_NO_ECDH
sl@0
   541
	char *named_curve = NULL;
sl@0
   542
#endif
sl@0
   543
	int badop=0,bugs=0;
sl@0
   544
	int ret=1;
sl@0
   545
	int off=0;
sl@0
   546
	int no_tmp_rsa=0,no_dhe=0,no_ecdhe=0,nocert=0;
sl@0
   547
	int state=0;
sl@0
   548
	SSL_METHOD *meth=NULL;
sl@0
   549
        int socket_type=SOCK_STREAM;
sl@0
   550
#ifndef OPENSSL_NO_ENGINE
sl@0
   551
	ENGINE *e=NULL;
sl@0
   552
#endif
sl@0
   553
	char *inrand=NULL;
sl@0
   554
	int s_cert_format = FORMAT_PEM, s_key_format = FORMAT_PEM;
sl@0
   555
	char *passarg = NULL, *pass = NULL;
sl@0
   556
	char *dpassarg = NULL, *dpass = NULL;
sl@0
   557
	int s_dcert_format = FORMAT_PEM, s_dkey_format = FORMAT_PEM;
sl@0
   558
	X509 *s_cert = NULL, *s_dcert = NULL;
sl@0
   559
	EVP_PKEY *s_key = NULL, *s_dkey = NULL;
sl@0
   560
sl@0
   561
sl@0
   562
#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
sl@0
   563
	meth=SSLv23_server_method();
sl@0
   564
#elif !defined(OPENSSL_NO_SSL3)
sl@0
   565
	meth=SSLv3_server_method();
sl@0
   566
#elif !defined(OPENSSL_NO_SSL2)
sl@0
   567
	meth=SSLv2_server_method();
sl@0
   568
#endif
sl@0
   569
sl@0
   570
	local_argc=argc;
sl@0
   571
	local_argv=argv;
sl@0
   572
sl@0
   573
	apps_startup();
sl@0
   574
#ifdef MONOLITH
sl@0
   575
	s_server_init();
sl@0
   576
#endif
sl@0
   577
sl@0
   578
	if (bio_err == NULL)
sl@0
   579
		bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
sl@0
   580
sl@0
   581
	if (!load_config(bio_err, NULL))
sl@0
   582
		goto end;
sl@0
   583
sl@0
   584
	verify_depth=0;
sl@0
   585
#ifdef FIONBIO
sl@0
   586
	s_nbio=0;
sl@0
   587
#endif
sl@0
   588
	s_nbio_test=0;
sl@0
   589
sl@0
   590
	argc--;
sl@0
   591
	argv++;
sl@0
   592
sl@0
   593
	while (argc >= 1)
sl@0
   594
		{
sl@0
   595
		if	((strcmp(*argv,"-port") == 0) ||
sl@0
   596
			 (strcmp(*argv,"-accept") == 0))
sl@0
   597
			{
sl@0
   598
			if (--argc < 1) goto bad;
sl@0
   599
			if (!extract_port(*(++argv),&port))
sl@0
   600
				goto bad;
sl@0
   601
			}
sl@0
   602
		else if	(strcmp(*argv,"-verify") == 0)
sl@0
   603
			{
sl@0
   604
			s_server_verify=SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE;
sl@0
   605
			if (--argc < 1) goto bad;
sl@0
   606
			verify_depth=atoi(*(++argv));
sl@0
   607
			BIO_printf(bio_err,"verify depth is %d\n",verify_depth);
sl@0
   608
			}
sl@0
   609
		else if	(strcmp(*argv,"-Verify") == 0)
sl@0
   610
			{
sl@0
   611
			s_server_verify=SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT|
sl@0
   612
				SSL_VERIFY_CLIENT_ONCE;
sl@0
   613
			if (--argc < 1) goto bad;
sl@0
   614
			verify_depth=atoi(*(++argv));
sl@0
   615
			BIO_printf(bio_err,"verify depth is %d, must return a certificate\n",verify_depth);
sl@0
   616
			}
sl@0
   617
		else if	(strcmp(*argv,"-context") == 0)
sl@0
   618
			{
sl@0
   619
			if (--argc < 1) goto bad;
sl@0
   620
			context= (unsigned char *)*(++argv);
sl@0
   621
			}
sl@0
   622
		else if	(strcmp(*argv,"-cert") == 0)
sl@0
   623
			{
sl@0
   624
			if (--argc < 1) goto bad;
sl@0
   625
			s_cert_file= *(++argv);
sl@0
   626
			}
sl@0
   627
		else if	(strcmp(*argv,"-certform") == 0)
sl@0
   628
			{
sl@0
   629
			if (--argc < 1) goto bad;
sl@0
   630
			s_cert_format = str2fmt(*(++argv));
sl@0
   631
			}
sl@0
   632
		else if	(strcmp(*argv,"-key") == 0)
sl@0
   633
			{
sl@0
   634
			if (--argc < 1) goto bad;
sl@0
   635
			s_key_file= *(++argv);
sl@0
   636
			}
sl@0
   637
		else if	(strcmp(*argv,"-keyform") == 0)
sl@0
   638
			{
sl@0
   639
			if (--argc < 1) goto bad;
sl@0
   640
			s_key_format = str2fmt(*(++argv));
sl@0
   641
			}
sl@0
   642
		else if	(strcmp(*argv,"-pass") == 0)
sl@0
   643
			{
sl@0
   644
			if (--argc < 1) goto bad;
sl@0
   645
			passarg = *(++argv);
sl@0
   646
			}
sl@0
   647
		else if	(strcmp(*argv,"-dhparam") == 0)
sl@0
   648
			{
sl@0
   649
			if (--argc < 1) goto bad;
sl@0
   650
			dhfile = *(++argv);
sl@0
   651
			}
sl@0
   652
#ifndef OPENSSL_NO_ECDH		
sl@0
   653
		else if	(strcmp(*argv,"-named_curve") == 0)
sl@0
   654
			{
sl@0
   655
			if (--argc < 1) goto bad;
sl@0
   656
			named_curve = *(++argv);
sl@0
   657
			}
sl@0
   658
#endif
sl@0
   659
		else if	(strcmp(*argv,"-dcertform") == 0)
sl@0
   660
			{
sl@0
   661
			if (--argc < 1) goto bad;
sl@0
   662
			s_dcert_format = str2fmt(*(++argv));
sl@0
   663
			}
sl@0
   664
		else if	(strcmp(*argv,"-dcert") == 0)
sl@0
   665
			{
sl@0
   666
			if (--argc < 1) goto bad;
sl@0
   667
			s_dcert_file= *(++argv);
sl@0
   668
			}
sl@0
   669
		else if	(strcmp(*argv,"-dkeyform") == 0)
sl@0
   670
			{
sl@0
   671
			if (--argc < 1) goto bad;
sl@0
   672
			s_dkey_format = str2fmt(*(++argv));
sl@0
   673
			}
sl@0
   674
		else if	(strcmp(*argv,"-dpass") == 0)
sl@0
   675
			{
sl@0
   676
			if (--argc < 1) goto bad;
sl@0
   677
			dpassarg = *(++argv);
sl@0
   678
			}
sl@0
   679
		else if	(strcmp(*argv,"-dkey") == 0)
sl@0
   680
			{
sl@0
   681
			if (--argc < 1) goto bad;
sl@0
   682
			s_dkey_file= *(++argv);
sl@0
   683
			}
sl@0
   684
		else if (strcmp(*argv,"-nocert") == 0)
sl@0
   685
			{
sl@0
   686
			nocert=1;
sl@0
   687
			}
sl@0
   688
		else if	(strcmp(*argv,"-CApath") == 0)
sl@0
   689
			{
sl@0
   690
			if (--argc < 1) goto bad;
sl@0
   691
			CApath= *(++argv);
sl@0
   692
			}
sl@0
   693
		else if (strcmp(*argv,"-crl_check") == 0)
sl@0
   694
			{
sl@0
   695
			vflags |= X509_V_FLAG_CRL_CHECK;
sl@0
   696
			}
sl@0
   697
		else if (strcmp(*argv,"-crl_check") == 0)
sl@0
   698
			{
sl@0
   699
			vflags |= X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL;
sl@0
   700
			}
sl@0
   701
		else if	(strcmp(*argv,"-serverpref") == 0)
sl@0
   702
			{ off|=SSL_OP_CIPHER_SERVER_PREFERENCE; }
sl@0
   703
		else if	(strcmp(*argv,"-cipher") == 0)
sl@0
   704
			{
sl@0
   705
			if (--argc < 1) goto bad;
sl@0
   706
			cipher= *(++argv);
sl@0
   707
			}
sl@0
   708
		else if	(strcmp(*argv,"-CAfile") == 0)
sl@0
   709
			{
sl@0
   710
			if (--argc < 1) goto bad;
sl@0
   711
			CAfile= *(++argv);
sl@0
   712
			}
sl@0
   713
#ifdef FIONBIO	
sl@0
   714
		else if	(strcmp(*argv,"-nbio") == 0)
sl@0
   715
			{ s_nbio=1; }
sl@0
   716
#endif
sl@0
   717
		else if	(strcmp(*argv,"-nbio_test") == 0)
sl@0
   718
			{
sl@0
   719
#ifdef FIONBIO	
sl@0
   720
			s_nbio=1;
sl@0
   721
#endif
sl@0
   722
			s_nbio_test=1;
sl@0
   723
			}
sl@0
   724
		else if	(strcmp(*argv,"-debug") == 0)
sl@0
   725
			{ s_debug=1; }
sl@0
   726
		else if	(strcmp(*argv,"-msg") == 0)
sl@0
   727
			{ s_msg=1; }
sl@0
   728
		else if	(strcmp(*argv,"-hack") == 0)
sl@0
   729
			{ hack=1; }
sl@0
   730
		else if	(strcmp(*argv,"-state") == 0)
sl@0
   731
			{ state=1; }
sl@0
   732
		else if	(strcmp(*argv,"-crlf") == 0)
sl@0
   733
			{ s_crlf=1; }
sl@0
   734
		else if	(strcmp(*argv,"-quiet") == 0)
sl@0
   735
			{ s_quiet=1; }
sl@0
   736
		else if	(strcmp(*argv,"-bugs") == 0)
sl@0
   737
			{ bugs=1; }
sl@0
   738
		else if	(strcmp(*argv,"-no_tmp_rsa") == 0)
sl@0
   739
			{ no_tmp_rsa=1; }
sl@0
   740
		else if	(strcmp(*argv,"-no_dhe") == 0)
sl@0
   741
			{ no_dhe=1; }
sl@0
   742
		else if	(strcmp(*argv,"-no_ecdhe") == 0)
sl@0
   743
			{ no_ecdhe=1; }
sl@0
   744
		else if	(strcmp(*argv,"-www") == 0)
sl@0
   745
			{ www=1; }
sl@0
   746
		else if	(strcmp(*argv,"-WWW") == 0)
sl@0
   747
			{ www=2; }
sl@0
   748
		else if	(strcmp(*argv,"-HTTP") == 0)
sl@0
   749
			{ www=3; }
sl@0
   750
		else if	(strcmp(*argv,"-no_ssl2") == 0)
sl@0
   751
			{ off|=SSL_OP_NO_SSLv2; }
sl@0
   752
		else if	(strcmp(*argv,"-no_ssl3") == 0)
sl@0
   753
			{ off|=SSL_OP_NO_SSLv3; }
sl@0
   754
		else if	(strcmp(*argv,"-no_tls1") == 0)
sl@0
   755
			{ off|=SSL_OP_NO_TLSv1; }
sl@0
   756
#ifndef OPENSSL_NO_SSL2
sl@0
   757
		else if	(strcmp(*argv,"-ssl2") == 0)
sl@0
   758
			{ meth=SSLv2_server_method(); }
sl@0
   759
#endif
sl@0
   760
#ifndef OPENSSL_NO_SSL3
sl@0
   761
		else if	(strcmp(*argv,"-ssl3") == 0)
sl@0
   762
			{ meth=SSLv3_server_method(); }
sl@0
   763
#endif
sl@0
   764
#ifndef OPENSSL_NO_TLS1
sl@0
   765
		else if	(strcmp(*argv,"-tls1") == 0)
sl@0
   766
			{ meth=TLSv1_server_method(); }
sl@0
   767
#endif
sl@0
   768
#ifndef OPENSSL_NO_DTLS1
sl@0
   769
		else if	(strcmp(*argv,"-dtls1") == 0)
sl@0
   770
			{ 
sl@0
   771
			meth=DTLSv1_server_method();
sl@0
   772
			socket_type = SOCK_DGRAM;
sl@0
   773
			}
sl@0
   774
		else if (strcmp(*argv,"-timeout") == 0)
sl@0
   775
			enable_timeouts = 1;
sl@0
   776
		else if (strcmp(*argv,"-mtu") == 0)
sl@0
   777
			{
sl@0
   778
			if (--argc < 1) goto bad;
sl@0
   779
			mtu = atol(*(++argv));
sl@0
   780
			}
sl@0
   781
		else if (strcmp(*argv, "-chain") == 0)
sl@0
   782
			cert_chain = 1;
sl@0
   783
#endif
sl@0
   784
		else if (strcmp(*argv, "-id_prefix") == 0)
sl@0
   785
			{
sl@0
   786
			if (--argc < 1) goto bad;
sl@0
   787
			session_id_prefix = *(++argv);
sl@0
   788
			}
sl@0
   789
#ifndef OPENSSL_NO_ENGINE
sl@0
   790
		else if (strcmp(*argv,"-engine") == 0)
sl@0
   791
			{
sl@0
   792
			if (--argc < 1) goto bad;
sl@0
   793
			engine_id= *(++argv);
sl@0
   794
			}
sl@0
   795
#endif
sl@0
   796
		else if (strcmp(*argv,"-rand") == 0)
sl@0
   797
			{
sl@0
   798
			if (--argc < 1) goto bad;
sl@0
   799
			inrand= *(++argv);
sl@0
   800
			}
sl@0
   801
		else
sl@0
   802
			{
sl@0
   803
			BIO_printf(bio_err,"unknown option %s\n",*argv);
sl@0
   804
			badop=1;
sl@0
   805
			break;
sl@0
   806
			}
sl@0
   807
		argc--;
sl@0
   808
		argv++;
sl@0
   809
		}
sl@0
   810
	if (badop)
sl@0
   811
		{
sl@0
   812
bad:
sl@0
   813
		sv_usage();
sl@0
   814
		goto end;
sl@0
   815
		}
sl@0
   816
sl@0
   817
	SSL_load_error_strings();
sl@0
   818
	OpenSSL_add_ssl_algorithms();
sl@0
   819
sl@0
   820
#ifndef OPENSSL_NO_ENGINE
sl@0
   821
        e = setup_engine(bio_err, engine_id, 1);
sl@0
   822
#endif
sl@0
   823
sl@0
   824
	if (!app_passwd(bio_err, passarg, dpassarg, &pass, &dpass))
sl@0
   825
		{
sl@0
   826
		BIO_printf(bio_err, "Error getting password\n");
sl@0
   827
		goto end;
sl@0
   828
		}
sl@0
   829
sl@0
   830
sl@0
   831
	if (s_key_file == NULL)
sl@0
   832
		s_key_file = s_cert_file;
sl@0
   833
sl@0
   834
	if (nocert == 0)
sl@0
   835
		{
sl@0
   836
		s_key = load_key(bio_err, s_key_file, s_key_format, 0, pass, e,
sl@0
   837
		       "server certificate private key file");
sl@0
   838
		if (!s_key)
sl@0
   839
			{
sl@0
   840
			ERR_print_errors(bio_err);
sl@0
   841
			goto end;
sl@0
   842
			}
sl@0
   843
sl@0
   844
		s_cert = load_cert(bio_err,s_cert_file,s_cert_format,
sl@0
   845
			NULL, e, "server certificate file");
sl@0
   846
sl@0
   847
		if (!s_cert)
sl@0
   848
			{
sl@0
   849
			ERR_print_errors(bio_err);
sl@0
   850
			goto end;
sl@0
   851
			}
sl@0
   852
sl@0
   853
		}
sl@0
   854
	if (s_dcert_file)
sl@0
   855
		{
sl@0
   856
sl@0
   857
		if (s_dkey_file == NULL)
sl@0
   858
			s_dkey_file = s_dcert_file;
sl@0
   859
sl@0
   860
		s_dkey = load_key(bio_err, s_dkey_file, s_dkey_format,
sl@0
   861
				0, dpass, e,
sl@0
   862
			       "second certificate private key file");
sl@0
   863
		if (!s_dkey)
sl@0
   864
			{
sl@0
   865
			ERR_print_errors(bio_err);
sl@0
   866
			goto end;
sl@0
   867
			}
sl@0
   868
sl@0
   869
		s_dcert = load_cert(bio_err,s_dcert_file,s_dcert_format,
sl@0
   870
				NULL, e, "second server certificate file");
sl@0
   871
sl@0
   872
		if (!s_dcert)
sl@0
   873
			{
sl@0
   874
			ERR_print_errors(bio_err);
sl@0
   875
			goto end;
sl@0
   876
			}
sl@0
   877
sl@0
   878
		}
sl@0
   879
sl@0
   880
	if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
sl@0
   881
		&& !RAND_status())
sl@0
   882
		{
sl@0
   883
		BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n");
sl@0
   884
		}
sl@0
   885
	if (inrand != NULL)
sl@0
   886
		BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
sl@0
   887
			app_RAND_load_files(inrand));
sl@0
   888
sl@0
   889
	if (bio_s_out == NULL)
sl@0
   890
		{
sl@0
   891
		if (s_quiet && !s_debug && !s_msg)
sl@0
   892
			{
sl@0
   893
			bio_s_out=BIO_new(BIO_s_null());
sl@0
   894
			}
sl@0
   895
		else
sl@0
   896
			{
sl@0
   897
			if (bio_s_out == NULL)
sl@0
   898
				bio_s_out=BIO_new_fp(stdout,BIO_NOCLOSE);
sl@0
   899
			
sl@0
   900
			}
sl@0
   901
		}
sl@0
   902
sl@0
   903
#if !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_ECDSA)
sl@0
   904
	if (nocert)
sl@0
   905
#endif
sl@0
   906
		{
sl@0
   907
		s_cert_file=NULL;
sl@0
   908
		s_key_file=NULL;
sl@0
   909
		s_dcert_file=NULL;
sl@0
   910
		s_dkey_file=NULL;
sl@0
   911
		}
sl@0
   912
sl@0
   913
	ctx=SSL_CTX_new(meth);
sl@0
   914
	if (ctx == NULL)
sl@0
   915
		{
sl@0
   916
		ERR_print_errors(bio_err);
sl@0
   917
		goto end;
sl@0
   918
		}
sl@0
   919
	if (session_id_prefix)
sl@0
   920
		{
sl@0
   921
		if(strlen(session_id_prefix) >= 32)
sl@0
   922
			BIO_printf(bio_err,
sl@0
   923
"warning: id_prefix is too long, only one new session will be possible\n");
sl@0
   924
		else if(strlen(session_id_prefix) >= 16)
sl@0
   925
			BIO_printf(bio_err,
sl@0
   926
"warning: id_prefix is too long if you use SSLv2\n");
sl@0
   927
		if(!SSL_CTX_set_generate_session_id(ctx, generate_session_id))
sl@0
   928
			{
sl@0
   929
			BIO_printf(bio_err,"error setting 'id_prefix'\n");
sl@0
   930
			ERR_print_errors(bio_err);
sl@0
   931
			goto end;
sl@0
   932
			}
sl@0
   933
		BIO_printf(bio_err,"id_prefix '%s' set.\n", session_id_prefix);
sl@0
   934
		}
sl@0
   935
	SSL_CTX_set_quiet_shutdown(ctx,1);
sl@0
   936
	if (bugs) SSL_CTX_set_options(ctx,SSL_OP_ALL);
sl@0
   937
	if (hack) SSL_CTX_set_options(ctx,SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG);
sl@0
   938
	SSL_CTX_set_options(ctx,off);
sl@0
   939
	/* DTLS: partial reads end up discarding unread UDP bytes :-( 
sl@0
   940
	 * Setting read ahead solves this problem.
sl@0
   941
	 */
sl@0
   942
	if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1);
sl@0
   943
sl@0
   944
	if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback);
sl@0
   945
sl@0
   946
	SSL_CTX_sess_set_cache_size(ctx,128);
sl@0
   947
sl@0
   948
#if 0
sl@0
   949
	if (cipher == NULL) cipher=getenv("SSL_CIPHER");
sl@0
   950
#endif
sl@0
   951
sl@0
   952
#if 0
sl@0
   953
	if (s_cert_file == NULL)
sl@0
   954
		{
sl@0
   955
		BIO_printf(bio_err,"You must specify a certificate file for the server to use\n");
sl@0
   956
		goto end;
sl@0
   957
		}
sl@0
   958
#endif
sl@0
   959
sl@0
   960
	if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
sl@0
   961
		(!SSL_CTX_set_default_verify_paths(ctx)))
sl@0
   962
		{
sl@0
   963
		/* BIO_printf(bio_err,"X509_load_verify_locations\n"); */
sl@0
   964
		ERR_print_errors(bio_err);
sl@0
   965
		/* goto end; */
sl@0
   966
		}
sl@0
   967
	store = SSL_CTX_get_cert_store(ctx);
sl@0
   968
	X509_STORE_set_flags(store, vflags);
sl@0
   969
sl@0
   970
#ifndef OPENSSL_NO_DH
sl@0
   971
	if (!no_dhe)
sl@0
   972
		{
sl@0
   973
		DH *dh=NULL;
sl@0
   974
sl@0
   975
		if (dhfile)
sl@0
   976
			dh = load_dh_param(dhfile);
sl@0
   977
		else if (s_cert_file)
sl@0
   978
			dh = load_dh_param(s_cert_file);
sl@0
   979
sl@0
   980
		if (dh != NULL)
sl@0
   981
			{
sl@0
   982
			BIO_printf(bio_s_out,"Setting temp DH parameters\n");
sl@0
   983
			}
sl@0
   984
		else
sl@0
   985
			{
sl@0
   986
			BIO_printf(bio_s_out,"Using default temp DH parameters\n");
sl@0
   987
			dh=get_dh512();
sl@0
   988
			}
sl@0
   989
		(void)BIO_flush(bio_s_out);
sl@0
   990
sl@0
   991
		SSL_CTX_set_tmp_dh(ctx,dh);
sl@0
   992
		DH_free(dh);
sl@0
   993
		}
sl@0
   994
#endif
sl@0
   995
sl@0
   996
#ifndef OPENSSL_NO_ECDH
sl@0
   997
	if (!no_ecdhe)
sl@0
   998
		{
sl@0
   999
		EC_KEY *ecdh=NULL;
sl@0
  1000
sl@0
  1001
		if (named_curve)
sl@0
  1002
			{
sl@0
  1003
			int nid = OBJ_sn2nid(named_curve);
sl@0
  1004
sl@0
  1005
			if (nid == 0)
sl@0
  1006
				{
sl@0
  1007
				BIO_printf(bio_err, "unknown curve name (%s)\n", 
sl@0
  1008
					named_curve);
sl@0
  1009
				goto end;
sl@0
  1010
				}
sl@0
  1011
			ecdh = EC_KEY_new_by_curve_name(nid);
sl@0
  1012
			if (ecdh == NULL)
sl@0
  1013
				{
sl@0
  1014
				BIO_printf(bio_err, "unable to create curve (%s)\n", 
sl@0
  1015
					named_curve);
sl@0
  1016
				goto end;
sl@0
  1017
				}
sl@0
  1018
			}
sl@0
  1019
sl@0
  1020
		if (ecdh != NULL)
sl@0
  1021
			{
sl@0
  1022
			BIO_printf(bio_s_out,"Setting temp ECDH parameters\n");
sl@0
  1023
			}
sl@0
  1024
		else
sl@0
  1025
			{
sl@0
  1026
			BIO_printf(bio_s_out,"Using default temp ECDH parameters\n");
sl@0
  1027
			ecdh = EC_KEY_new_by_curve_name(NID_sect163r2);
sl@0
  1028
			if (ecdh == NULL) 
sl@0
  1029
				{
sl@0
  1030
				BIO_printf(bio_err, "unable to create curve (sect163r2)\n");
sl@0
  1031
				goto end;
sl@0
  1032
				}
sl@0
  1033
			}
sl@0
  1034
		(void)BIO_flush(bio_s_out);
sl@0
  1035
sl@0
  1036
		SSL_CTX_set_tmp_ecdh(ctx,ecdh);
sl@0
  1037
sl@0
  1038
		EC_KEY_free(ecdh);
sl@0
  1039
		}
sl@0
  1040
#endif
sl@0
  1041
	
sl@0
  1042
	if (!set_cert_key_stuff(ctx,s_cert,s_key))
sl@0
  1043
		goto end;
sl@0
  1044
sl@0
  1045
	if (s_dcert != NULL)
sl@0
  1046
		{
sl@0
  1047
		if (!set_cert_key_stuff(ctx,s_dcert,s_dkey))
sl@0
  1048
			goto end;
sl@0
  1049
		}
sl@0
  1050
sl@0
  1051
#ifndef OPENSSL_NO_RSA
sl@0
  1052
#if 1
sl@0
  1053
	if (!no_tmp_rsa)
sl@0
  1054
		{
sl@0
  1055
		SSL_CTX_set_tmp_rsa_callback(ctx,tmp_rsa_cb);
sl@0
  1056
sl@0
  1057
		}
sl@0
  1058
#else
sl@0
  1059
	if (!no_tmp_rsa && SSL_CTX_need_tmp_RSA(ctx))
sl@0
  1060
		{
sl@0
  1061
		RSA *rsa;
sl@0
  1062
sl@0
  1063
		BIO_printf(bio_s_out,"Generating temp (512 bit) RSA key...");
sl@0
  1064
		BIO_flush(bio_s_out);
sl@0
  1065
sl@0
  1066
		rsa=RSA_generate_key(512,RSA_F4,NULL);
sl@0
  1067
sl@0
  1068
		if (!SSL_CTX_set_tmp_rsa(ctx,rsa))
sl@0
  1069
			{
sl@0
  1070
			ERR_print_errors(bio_err);
sl@0
  1071
			goto end;
sl@0
  1072
			}
sl@0
  1073
		RSA_free(rsa);
sl@0
  1074
		BIO_printf(bio_s_out,"\n");
sl@0
  1075
		}
sl@0
  1076
#endif
sl@0
  1077
#endif
sl@0
  1078
sl@0
  1079
	if (cipher != NULL)
sl@0
  1080
		if(!SSL_CTX_set_cipher_list(ctx,cipher)) {
sl@0
  1081
		BIO_printf(bio_err,"error setting cipher list\n");
sl@0
  1082
		ERR_print_errors(bio_err);
sl@0
  1083
		goto end;
sl@0
  1084
	}
sl@0
  1085
	SSL_CTX_set_verify(ctx,s_server_verify,verify_callback);
sl@0
  1086
	SSL_CTX_set_session_id_context(ctx,(void*)&s_server_session_id_context,
sl@0
  1087
		sizeof s_server_session_id_context);
sl@0
  1088
sl@0
  1089
	if (CAfile != NULL)
sl@0
  1090
		{
sl@0
  1091
		SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(CAfile));
sl@0
  1092
		}
sl@0
  1093
	BIO_printf(bio_s_out,"ACCEPT\n");
sl@0
  1094
	if (www)
sl@0
  1095
		do_server(port,socket_type,&accept_socket,www_body, context);
sl@0
  1096
	else
sl@0
  1097
		do_server(port,socket_type,&accept_socket,sv_body, context);
sl@0
  1098
	print_stats(bio_s_out,ctx);
sl@0
  1099
	ret=0;
sl@0
  1100
end:
sl@0
  1101
	if (ctx != NULL) SSL_CTX_free(ctx);
sl@0
  1102
	if (s_cert)
sl@0
  1103
		X509_free(s_cert);
sl@0
  1104
	if (s_dcert)
sl@0
  1105
		X509_free(s_dcert);
sl@0
  1106
	if (s_key)
sl@0
  1107
		EVP_PKEY_free(s_key);
sl@0
  1108
	if (s_dkey)
sl@0
  1109
		EVP_PKEY_free(s_dkey);
sl@0
  1110
	if (pass)
sl@0
  1111
		OPENSSL_free(pass);
sl@0
  1112
	if (dpass)
sl@0
  1113
		OPENSSL_free(dpass);
sl@0
  1114
	if (bio_s_out != NULL)
sl@0
  1115
		{
sl@0
  1116
        BIO_free(bio_s_out);
sl@0
  1117
		bio_s_out=NULL;
sl@0
  1118
		}
sl@0
  1119
	apps_shutdown();
sl@0
  1120
	OPENSSL_EXIT(ret);
sl@0
  1121
	}
/* Print the SSL_CTX session-cache and handshake counters on `bio`, one
 * "%4ld <description>" line each.  Purely informational: the counters are
 * read through the SSL_CTX_sess_* accessors and nothing is modified. */
static void print_stats(BIO *bio, SSL_CTX *ssl_ctx)
	{
	/* snapshot every counter first, then print them in the usual order */
	long cached     = SSL_CTX_sess_number(ssl_ctx);
	long connects   = SSL_CTX_sess_connect(ssl_ctx);
	long c_reneg    = SSL_CTX_sess_connect_renegotiate(ssl_ctx);
	long c_good     = SSL_CTX_sess_connect_good(ssl_ctx);
	long accepts    = SSL_CTX_sess_accept(ssl_ctx);
	long a_reneg    = SSL_CTX_sess_accept_renegotiate(ssl_ctx);
	long a_good     = SSL_CTX_sess_accept_good(ssl_ctx);
	long hits       = SSL_CTX_sess_hits(ssl_ctx);
	long misses     = SSL_CTX_sess_misses(ssl_ctx);
	long timeouts   = SSL_CTX_sess_timeouts(ssl_ctx);
	long cb_hits    = SSL_CTX_sess_cb_hits(ssl_ctx);
	long overflows  = SSL_CTX_sess_cache_full(ssl_ctx);
	long cache_size = SSL_CTX_sess_get_cache_size(ssl_ctx);

	BIO_printf(bio,"%4ld items in the session cache\n",cached);
	BIO_printf(bio,"%4ld client connects (SSL_connect())\n",connects);
	BIO_printf(bio,"%4ld client renegotiates (SSL_connect())\n",c_reneg);
	BIO_printf(bio,"%4ld client connects that finished\n",c_good);
	BIO_printf(bio,"%4ld server accepts (SSL_accept())\n",accepts);
	BIO_printf(bio,"%4ld server renegotiates (SSL_accept())\n",a_reneg);
	BIO_printf(bio,"%4ld server accepts that finished\n",a_good);
	BIO_printf(bio,"%4ld session cache hits\n",hits);
	BIO_printf(bio,"%4ld session cache misses\n",misses);
	BIO_printf(bio,"%4ld session cache timeouts\n",timeouts);
	BIO_printf(bio,"%4ld callback cache hits\n",cb_hits);
	BIO_printf(bio,"%4ld cache full overflows (%ld allowed)\n",
		overflows,cache_size);
	}
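/* Serve one accepted connection interactively.
 *
 * `s` is the connected socket (TCP, or the UDP socket when the context
 * method is DTLS); `hostname` is part of the do_server() callback
 * signature and is not used here; `context`, when non-NULL, is a
 * NUL-terminated string installed as the session-id context of the new
 * SSL object.
 *
 * The loop multiplexes two inputs: bytes read from stdin are written to
 * the peer over the SSL connection, and bytes received from the peer are
 * echoed to stdout.  Unless -quiet was given, a line read from stdin is
 * first checked for an operator command by its first character:
 *   'Q'  close this connection and the accept socket, return -11
 *   'q'  close this connection (socket shutdown skipped for DTLS)
 *   'r'  renegotiate
 *   'R'  renegotiate, requesting a client certificate
 *   'P'  write a fixed line straight to the transport BIO, i.e. in clear
 *   'S'  print the session-cache statistics
 *
 * Uses the file-scope configuration set up by main(): ctx, bufsize,
 * bio_err, bio_s_out, s_nbio, s_nbio_test, s_quiet, s_debug, s_msg,
 * s_crlf, enable_timeouts and mtu.
 *
 * Returns -11 when the operator asked to stop accepting ('Q'), 0 when
 * init_ssl_connection() reported a negative result, and 1 otherwise
 * (normal close, read/write error, allocation failure).  "ACCEPT" is
 * printed before returning whenever the value is >= 0; what do_server()
 * does with the return value is outside this function.
 */
static int sv_body(char *hostname, int s, unsigned char *context)
	{
	char *buf=NULL;
	fd_set readfds;
	int ret=1,width;
	int k,i;
	unsigned long l;
	SSL *con=NULL;
	BIO *sbio;
#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE)
	struct timeval tv;
#endif

	/* per-connection I/O buffer; wiped and released at err: */
	if ((buf=OPENSSL_malloc(bufsize)) == NULL)
		{
		BIO_printf(bio_err,"out of memory\n");
		goto err;
		}
#ifdef FIONBIO
	if (s_nbio)
		{
		unsigned long sl=1;

		if (!s_quiet)
			BIO_printf(bio_err,"turning on non blocking io\n");
		if (BIO_socket_ioctl(s,FIONBIO,&sl) < 0)
			ERR_print_errors(bio_err);
		}
#endif

	con=SSL_new(ctx);
	/* SSL_new() can fail; the result used to be dereferenced unchecked */
	if (con == NULL)
		{
		BIO_printf(bio_err,"SSL_new failed\n");
		ERR_print_errors(bio_err);
		goto err;
		}
#ifndef OPENSSL_NO_KRB5
	/* kssl_ctx is stored even when kssl_ctx_new() returns NULL, so any
	 * later reader of con->kssl_ctx has to check it */
	if ((con->kssl_ctx = kssl_ctx_new()) != NULL)
		{
		kssl_ctx_setstring(con->kssl_ctx, KSSL_SERVICE, KRB5SVC);
		kssl_ctx_setstring(con->kssl_ctx, KSSL_KEYTAB, KRB5KEYTAB);
		}
#endif	/* OPENSSL_NO_KRB5 */
	if(context)
		SSL_set_session_id_context(con, context,
					   strlen((char *)context));
	SSL_clear(con);

	if (SSL_version(con) == DTLS1_VERSION)
		{
		struct timeval timeout;

		/* DTLS: wrap the UDP socket in a datagram BIO and apply the
		 * optional receive/send timeouts and the MTU policy */
		sbio=BIO_new_dgram(s,BIO_NOCLOSE);

		if ( enable_timeouts)
			{
			timeout.tv_sec = 0;
			timeout.tv_usec = DGRAM_RCV_TIMEOUT;
			BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);

			timeout.tv_sec = 0;
			timeout.tv_usec = DGRAM_SND_TIMEOUT;
			BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
			}

		if ( mtu > 0)
			{
			/* fixed MTU from -mtu: do not query the path MTU */
			SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
			SSL_set_mtu(con, mtu);
			}
		else
			/* want to do MTU discovery */
			BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL);

		/* turn on cookie exchange: the stateless HelloVerifyRequest
		 * round trip that makes spoofed-source ClientHellos cheap to
		 * drop */
		SSL_set_options(con, SSL_OP_COOKIE_EXCHANGE);
		}
	else
		sbio=BIO_new_socket(s,BIO_NOCLOSE);

	if (sbio == NULL)
		{
		BIO_printf(bio_err,"unable to create socket BIO\n");
		ERR_print_errors(bio_err);
		goto err;
		}

	if (s_nbio_test)
		{
		BIO *test;

		/* -nbio_test: push a filter that injects spurious "would block"
		 * results so the non-blocking code paths get exercised */
		test=BIO_new(BIO_f_nbio_test());
		sbio=BIO_push(test,sbio);
		}
	/* con takes ownership of sbio; SSL_free() releases it */
	SSL_set_bio(con,sbio,sbio);
	SSL_set_accept_state(con);
	/* SSL_set_fd(con,s); */

	if (s_debug)
		{
		/* hex-dump every record on the read BIO to bio_s_out */
		con->debug=1;
		BIO_set_callback(SSL_get_rbio(con),bio_dump_callback);
		BIO_set_callback_arg(SSL_get_rbio(con),(char *)bio_s_out);
		}
	if (s_msg)
		{
		SSL_set_msg_callback(con, msg_cb);
		SSL_set_msg_callback_arg(con, bio_s_out);
		}

	width=s+1;
	for (;;)
		{
		int read_from_terminal;
		int read_from_sslcon;

		read_from_terminal = 0;
		/* bytes already decrypted inside the SSL object never show up
		 * in select(), so consult SSL_pending() before blocking */
		read_from_sslcon = SSL_pending(con);

		if (!read_from_sslcon)
			{
			FD_ZERO(&readfds);
#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE)
			FD_SET(fileno(stdin),&readfds);
#endif
			FD_SET(s,&readfds);
			/* Note: under VMS with SOCKETSHR the second parameter is
			 * currently of type (int *) whereas under other systems
			 * it is (void *) if you don't have a cast it will choke
			 * the compiler: if you do have a cast then you can either
			 * go for (int *) or (void *).
			 */
#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE)
			/* Under DOS (non-djgpp) and Windows we can't select on stdin: only
			 * on sockets. As a workaround we timeout the select every
			 * second and check for any keypress. In a proper Windows
			 * application we wouldn't do this because it is inefficient.
			 */
			tv.tv_sec = 1;
			tv.tv_usec = 0;
			i=select(width,(void *)&readfds,NULL,NULL,&tv);
			if((i < 0) || (!i && !_kbhit() ) )continue;
			if(_kbhit())
				read_from_terminal = 1;
#else
			i=select(width,(void *)&readfds,NULL,NULL,NULL);
			if (i <= 0) continue;
			if (FD_ISSET(fileno(stdin),&readfds))
				read_from_terminal = 1;
#endif
			if (FD_ISSET(s,&readfds))
				read_from_sslcon = 1;
			}
		if (read_from_terminal)
			{
			if (s_crlf)
				{
				int j, lf_num;
				/* read at most half the buffer: each '\n' grows the
				 * text by one byte below, so the result always fits */
				i=read(fileno(stdin), buf, bufsize/2);
				lf_num = 0;
				/* both loops are skipped when i <= 0 */
				for (j = 0; j < i; j++)
					if (buf[j] == '\n')
						lf_num++;
				/* shift right in place from the end, inserting a
				 * '\r' in front of every '\n' */
				for (j = i-1; j >= 0; j--)
					{
					buf[j+lf_num] = buf[j];
					if (buf[j] == '\n')
						{
						lf_num--;
						i++;
						buf[j+lf_num] = '\r';
						}
					}
				assert(lf_num == 0);
				}
			else
				i=read(fileno(stdin),buf,bufsize);

			if (!s_quiet)
				{
				/* operator commands, keyed on the first byte */
				if ((i <= 0) || (buf[0] == 'Q'))
					{
					BIO_printf(bio_s_out,"DONE\n");
					SHUTDOWN(s);
					close_accept_socket();
					ret= -11;
					goto err;
					}
				if ((i <= 0) || (buf[0] == 'q'))
					{
					BIO_printf(bio_s_out,"DONE\n");
					if (SSL_version(con) != DTLS1_VERSION)
						SHUTDOWN(s);
	/*				close_accept_socket();
					ret= -11;*/
					goto err;
					}
				/* 'r' and 'R' look at buf[1]; i >= 1 is guaranteed at
				 * this point but i >= 2 is not, and bytes past i are
				 * stale buffer contents, so require a second byte */
				if ((i > 1) && (buf[0] == 'r') &&
					((buf[1] == '\n') || (buf[1] == '\r')))
					{
					SSL_renegotiate(con);
					i=SSL_do_handshake(con);
					printf("SSL_do_handshake -> %d\n",i);

					i=0; /*13; */
					continue;
					/* strcpy(buf,"server side RE-NEGOTIATE\n"); */
					}
				if ((i > 1) && (buf[0] == 'R') &&
					((buf[1] == '\n') || (buf[1] == '\r')))
					{
					/* request (but, without FAIL_IF_NO_PEER_CERT, not
					 * require) a client certificate on this handshake */
					SSL_set_verify(con,
						SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE,NULL);
					SSL_renegotiate(con);
					i=SSL_do_handshake(con);
					printf("SSL_do_handshake -> %d\n",i);

					i=0; /* 13; */
					continue;
					/* strcpy(buf,"server side RE-NEGOTIATE asking for client cert\n"); */
					}
				if (buf[0] == 'P')
					{
					/* goes to the transport BIO, bypassing TLS: the line
					 * is sent unencrypted (protocol-debugging aid only) */
					static const char *str="Lets print some clear text\n";
					BIO_write(SSL_get_wbio(con),str,strlen(str));
					}
				if (buf[0] == 'S')
					{
					print_stats(bio_s_out,SSL_get_SSL_CTX(con));
					}
				}
			if (i <= 0)
				{
				/* stdin EOF or read error with -quiet (the non-quiet
				 * branch above has already handled it).  Ending the
				 * connection here avoids SSL_write() being handed a
				 * negative length cast to a huge unsigned count. */
				BIO_printf(bio_s_out,"DONE\n");
				ret=1;
				goto err;
				}
#ifdef CHARSET_EBCDIC
			ebcdic2ascii(buf,buf,i);
#endif
			/* l = offset already sent, i = bytes still to send */
			l=k=0;
			for (;;)
				{
				/* should do a select for the write */
#ifdef RENEG
				{ static int count=0; if (++count == 100) { count=0; SSL_renegotiate(con); } }
#endif
				k=SSL_write(con,&(buf[l]),(unsigned int)i);
				switch (SSL_get_error(con,k))
					{
				case SSL_ERROR_NONE:
					break;
				case SSL_ERROR_WANT_WRITE:
				case SSL_ERROR_WANT_READ:
				case SSL_ERROR_WANT_X509_LOOKUP:
					BIO_printf(bio_s_out,"Write BLOCK\n");
					break;
				case SSL_ERROR_SYSCALL:
				case SSL_ERROR_SSL:
					BIO_printf(bio_s_out,"ERROR\n");
					ERR_print_errors(bio_err);
					ret=1;
					goto err;
					/* break; */
				case SSL_ERROR_ZERO_RETURN:
					BIO_printf(bio_s_out,"DONE\n");
					ret=1;
					goto err;
					}
				/* Only advance on a real write.  In the WANT_* cases k
				 * is <= 0; adding it moved l backwards (wrapping the
				 * unsigned offset at 0) and grew i, so the next
				 * SSL_write() would have run off the buffer. */
				if (k > 0)
					{
					l+=k;
					i-=k;
					}
				if (i <= 0) break;
				}
			}
		if (read_from_sslcon)
			{
			if (!SSL_is_init_finished(con))
				{
				/* handshake still in progress: drive it.  1 means done
				 * or retry later, 0 means it failed. */
				i=init_ssl_connection(con);

				if (i < 0)
					{
					ret=0;
					goto err;
					}
				else if (i == 0)
					{
					ret=1;
					goto err;
					}
				}
			else
				{
again:
				i=SSL_read(con,(char *)buf,bufsize);
				switch (SSL_get_error(con,i))
					{
				case SSL_ERROR_NONE:
#ifdef CHARSET_EBCDIC
					ascii2ebcdic(buf,buf,i);
#endif
					/* echo to stdout; a short or failed write is not
					 * reported, the console copy is best effort */
					write(fileno(stdout),buf,
						(unsigned int)i);

					/* drain records already decrypted before going
					 * back to select() */
					if (SSL_pending(con)) goto again;
					break;
				case SSL_ERROR_WANT_WRITE:
				case SSL_ERROR_WANT_READ:
				case SSL_ERROR_WANT_X509_LOOKUP:
					BIO_printf(bio_s_out,"Read BLOCK\n");
					break;
				case SSL_ERROR_SYSCALL:
				case SSL_ERROR_SSL:
					BIO_printf(bio_s_out,"ERROR\n");
					ERR_print_errors(bio_err);
					ret=1;
					goto err;
				case SSL_ERROR_ZERO_RETURN:
					BIO_printf(bio_s_out,"DONE\n");
					ret=1;
					goto err;
					}
				}
			}
		}
err:
	BIO_printf(bio_s_out,"shutting down SSL\n");
	/* con is still NULL when we bailed out before SSL_new() succeeded;
	 * SSL_set_shutdown() used to be called on it unconditionally */
	if (con != NULL)
		{
#if 1
		/* mark both directions closed without sending close_notify */
		SSL_set_shutdown(con,SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
#else
		SSL_shutdown(con);
#endif
		SSL_free(con);
		}
	BIO_printf(bio_s_out,"CONNECTION CLOSED\n");
	if (buf != NULL)
		{
		/* the buffer held plaintext from both directions */
		OPENSSL_cleanse(buf,bufsize);
		OPENSSL_free(buf);
		}
	if (ret >= 0)
		BIO_printf(bio_s_out,"ACCEPT\n");
	return(ret);
	}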
/* Shut down the listening socket, if one is open.  The message goes to
 * bio_err unconditionally; accept_socket < 0 means there is nothing to
 * close. */
static void close_accept_socket(void)
	{
	BIO_printf(bio_err,"shutdown accept socket\n");
	if (accept_socket < 0)
		return;
	SHUTDOWN2(accept_socket);
	}
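/* Drive the server-side handshake on `con` and, once it has completed,
 * report what was negotiated on bio_s_out.
 *
 * Returns 1 when the handshake finished or merely needs to be retried
 * ("DELAY" is printed in the retry case and the caller calls again later),
 * and 0 when SSL_accept() failed; the reason goes to bio_err, preferring
 * the recorded X.509 verification error when there is one.
 *
 * Operator notes: PEM_write_bio_SSL_SESSION() serialises the whole session,
 * master secret included, so bio_s_out is sensitive output while the
 * session is live.  The peer certificate is printed as received; whether
 * it was actually verified depends on the verify mode and callback that
 * main() installed on the context, not on anything done here.
 */
static int init_ssl_connection(SSL *con)
	{
	int i;
	const char *str;
	X509 *peer;
	long verify_error;
	/* MS_STATIC may expand to `static` on some targets, in which case this
	 * scratch buffer is shared and the function is not reentrant */
	MS_STATIC char buf[BUFSIZ];

	if ((i=SSL_accept(con)) <= 0)
		{
		if (BIO_sock_should_retry(i))
			{
			/* non-blocking socket: not an error, try again later */
			BIO_printf(bio_s_out,"DELAY\n");
			return(1);
			}

		BIO_printf(bio_err,"ERROR\n");
		verify_error=SSL_get_verify_result(con);
		if (verify_error != X509_V_OK)
			{
			BIO_printf(bio_err,"verify error:%s\n",
				X509_verify_cert_error_string(verify_error));
			}
		else
			ERR_print_errors(bio_err);
		return(0);
		}

	/* full session dump, key material included */
	PEM_write_bio_SSL_SESSION(bio_s_out,SSL_get_session(con));

	/* SSL_get_peer_certificate() hands back a reference we must release */
	peer=SSL_get_peer_certificate(con);
	if (peer != NULL)
		{
		BIO_printf(bio_s_out,"Client certificate\n");
		PEM_write_bio_X509(bio_s_out,peer);
		/* X509_NAME_oneline() truncates to the buffer size and terminates */
		X509_NAME_oneline(X509_get_subject_name(peer),buf,sizeof buf);
		BIO_printf(bio_s_out,"subject=%s\n",buf);
		X509_NAME_oneline(X509_get_issuer_name(peer),buf,sizeof buf);
		BIO_printf(bio_s_out,"issuer=%s\n",buf);
		X509_free(peer);
		}

	if (SSL_get_shared_ciphers(con,buf,sizeof buf) != NULL)
		BIO_printf(bio_s_out,"Shared ciphers:%s\n",buf);
	str=SSL_CIPHER_get_name(SSL_get_current_cipher(con));
	BIO_printf(bio_s_out,"CIPHER is %s\n",(str != NULL)?str:"(NONE)");
	if (con->hit) BIO_printf(bio_s_out,"Reused session-id\n");
	if (SSL_ctrl(con,SSL_CTRL_GET_FLAGS,0,NULL) &
		TLS1_FLAGS_TLS_PADDING_BUG)
		BIO_printf(bio_s_out,"Peer has incorrect TLSv1 block padding\n");
#ifndef OPENSSL_NO_KRB5
	/* the callers store kssl_ctx_new()'s result in con->kssl_ctx even when
	 * it is NULL, so it must be checked before the member access */
	if (con->kssl_ctx != NULL && con->kssl_ctx->client_princ != NULL)
		{
		BIO_printf(bio_s_out,"Kerberos peer principal is %s\n",
			con->kssl_ctx->client_princ);
		}
#endif /* OPENSSL_NO_KRB5 */
	return(1);
	}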
#ifndef OPENSSL_NO_DH
/* Read PEM "DH PARAMETERS" from `dhfile`.  Returns a new DH that the caller
 * must DH_free(), or NULL when the file cannot be opened or holds no
 * parseable parameters (the reason is left on the OpenSSL error queue). */
static DH *load_dh_param(const char *dhfile)
	{
	DH *params = NULL;
	BIO *in = BIO_new_file(dhfile,"r");

	if (in != NULL)
		{
		params = PEM_read_bio_DHparams(in,NULL,NULL,NULL);
		BIO_free(in);
		}
	return params;
	}
#endif
#if 0
/* Compiled out (the enclosing block is `#if 0`).  Read every PEM
 * certificate in `file` and add each one's subject name to the list of
 * acceptable client CAs advertised by `ctx`.  Returns 0 if the file
 * cannot be opened and 1 otherwise; a malformed entry just ends the loop,
 * it is not reported as an error.
 *
 * NOTE(review): PEM_read_X509() is called with three arguments here; check
 * that against the prototype of the linked OpenSSL before re-enabling.
 * NOTE(review): `x` is passed back in on every iteration, so the same
 * object is presumably reused for each read and SSL_CTX_add_client_CA()
 * is relied on to copy the name -- which is why one X509_free() at the
 * end suffices.  Verify both before relying on this code. */
static int load_CA(SSL_CTX *ctx, char *file)
	{
	FILE *in;
	X509 *x=NULL;

	if ((in=fopen(file,"r")) == NULL)
		return(0);

	for (;;)
		{
		/* NULL means end of input or a parse error; both stop the loop */
		if (PEM_read_X509(in,&x,NULL) == NULL)
			break;
		SSL_CTX_add_client_CA(ctx,x);
		}
	if (x != NULL) X509_free(x);
	fclose(in);
	return(1);
	}
#endif
static int www_body(char *hostname, int s, unsigned char *context)
sl@0
  1588
	{
sl@0
  1589
	char *buf=NULL;
sl@0
  1590
	int ret=1;
sl@0
  1591
	int i,j,k,blank,dot;
sl@0
  1592
	struct stat st_buf;
sl@0
  1593
	SSL *con;
sl@0
  1594
	SSL_CIPHER *c;
sl@0
  1595
	BIO *io,*ssl_bio,*sbio;
sl@0
  1596
	long total_bytes;
sl@0
  1597
sl@0
  1598
	buf=OPENSSL_malloc(bufsize);
sl@0
  1599
	if (buf == NULL) return(0);
sl@0
  1600
	io=BIO_new(BIO_f_buffer());
sl@0
  1601
	ssl_bio=BIO_new(BIO_f_ssl());
sl@0
  1602
	if ((io == NULL) || (ssl_bio == NULL)) goto err;
sl@0
  1603
sl@0
  1604
#ifdef FIONBIO	
sl@0
  1605
	if (s_nbio)
sl@0
  1606
		{
sl@0
  1607
		unsigned long sl=1;
sl@0
  1608
sl@0
  1609
		if (!s_quiet)
sl@0
  1610
			BIO_printf(bio_err,"turning on non blocking io\n");
sl@0
  1611
		if (BIO_socket_ioctl(s,FIONBIO,&sl) < 0)
sl@0
  1612
			ERR_print_errors(bio_err);
sl@0
  1613
		}
sl@0
  1614
#endif
sl@0
  1615
sl@0
  1616
	/* lets make the output buffer a reasonable size */
sl@0
  1617
	if (!BIO_set_write_buffer_size(io,bufsize)) goto err;
sl@0
  1618
sl@0
  1619
	if ((con=SSL_new(ctx)) == NULL) goto err;
sl@0
  1620
#ifndef OPENSSL_NO_KRB5
sl@0
  1621
	if ((con->kssl_ctx = kssl_ctx_new()) != NULL)
sl@0
  1622
		{
sl@0
  1623
		kssl_ctx_setstring(con->kssl_ctx, KSSL_SERVICE, KRB5SVC);
sl@0
  1624
		kssl_ctx_setstring(con->kssl_ctx, KSSL_KEYTAB, KRB5KEYTAB);
sl@0
  1625
		}
sl@0
  1626
#endif	/* OPENSSL_NO_KRB5 */
sl@0
  1627
	if(context) SSL_set_session_id_context(con, context,
sl@0
  1628
					       strlen((char *)context));
sl@0
  1629
sl@0
  1630
	sbio=BIO_new_socket(s,BIO_NOCLOSE);
sl@0
  1631
	if (s_nbio_test)
sl@0
  1632
		{
sl@0
  1633
		BIO *test;
sl@0
  1634
sl@0
  1635
		test=BIO_new(BIO_f_nbio_test());
sl@0
  1636
		sbio=BIO_push(test,sbio);
sl@0
  1637
		}
sl@0
  1638
	SSL_set_bio(con,sbio,sbio);
sl@0
  1639
	SSL_set_accept_state(con);
sl@0
  1640
sl@0
  1641
	/* SSL_set_fd(con,s); */
sl@0
  1642
	BIO_set_ssl(ssl_bio,con,BIO_CLOSE);
sl@0
  1643
	BIO_push(io,ssl_bio);
sl@0
  1644
#ifdef CHARSET_EBCDIC
sl@0
  1645
	io = BIO_push(BIO_new(BIO_f_ebcdic_filter()),io);
sl@0
  1646
#endif
sl@0
  1647
sl@0
  1648
	if (s_debug)
sl@0
  1649
		{
sl@0
  1650
		con->debug=1;
sl@0
  1651
		BIO_set_callback(SSL_get_rbio(con),bio_dump_callback);
sl@0
  1652
		BIO_set_callback_arg(SSL_get_rbio(con),(char *)bio_s_out);
sl@0
  1653
		}
sl@0
  1654
	if (s_msg)
sl@0
  1655
		{
sl@0
  1656
		SSL_set_msg_callback(con, msg_cb);
sl@0
  1657
		SSL_set_msg_callback_arg(con, bio_s_out);
sl@0
  1658
		}
sl@0
  1659
sl@0
  1660
	blank=0;
sl@0
  1661
	for (;;)
sl@0
  1662
		{
sl@0
  1663
		if (hack)
sl@0
  1664
			{
sl@0
  1665
			i=SSL_accept(con);
sl@0
  1666
sl@0
  1667
			switch (SSL_get_error(con,i))
sl@0
  1668
				{
sl@0
  1669
			case SSL_ERROR_NONE:
sl@0
  1670
				break;
sl@0
  1671
			case SSL_ERROR_WANT_WRITE:
sl@0
  1672
			case SSL_ERROR_WANT_READ:
sl@0
  1673
			case SSL_ERROR_WANT_X509_LOOKUP:
sl@0
  1674
				continue;
sl@0
  1675
			case SSL_ERROR_SYSCALL:
sl@0
  1676
			case SSL_ERROR_SSL:
sl@0
  1677
			case SSL_ERROR_ZERO_RETURN:
sl@0
  1678
				ret=1;
sl@0
  1679
				goto err;
sl@0
  1680
				/* break; */
sl@0
  1681
				}
sl@0
  1682
sl@0
  1683
			SSL_renegotiate(con);
sl@0
  1684
			SSL_write(con,NULL,0);
sl@0
  1685
			}
sl@0
  1686
sl@0
  1687
		i=BIO_gets(io,buf,bufsize-1);
sl@0
  1688
		if (i < 0) /* error */
sl@0
  1689
			{
sl@0
  1690
			if (!BIO_should_retry(io))
sl@0
  1691
				{
sl@0
  1692
				if (!s_quiet)
sl@0
  1693
					ERR_print_errors(bio_err);
sl@0
  1694
				goto err;
sl@0
  1695
				}
sl@0
  1696
			else
sl@0
  1697
				{
sl@0
  1698
				BIO_printf(bio_s_out,"read R BLOCK\n");
sl@0
  1699
#if defined(OPENSSL_SYS_NETWARE)
            delay(1000);
#elif !defined(OPENSSL_SYS_MSDOS) && !defined(__DJGPP__)
				sleep(1);
#endif
				continue;
				}
			}
		else if (i == 0) /* end of input */
			{
			ret=1;
			goto end;
			}
		/* else we have data */
		if (	((www == 1) && (strncmp("GET ",buf,4) == 0)) ||
			((www == 2) && (strncmp("GET /stats ",buf,10) == 0)))
			{
			char *p;
			X509 *peer;
			STACK_OF(SSL_CIPHER) *sk;
			static const char *space="                          ";
			BIO_puts(io,"HTTP/1.0 200 ok\r\nContent-type: text/html\r\n\r\n");
			BIO_puts(io,"<HTML><BODY BGCOLOR=\"#ffffff\">\n");
			BIO_puts(io,"<pre>\n");
/*			BIO_puts(io,SSLeay_version(SSLEAY_VERSION));*/
			BIO_puts(io,"\n");
			for (i=0; i<local_argc; i++)
				{
				BIO_puts(io,local_argv[i]);
				BIO_write(io," ",1);
				}
			BIO_puts(io,"\n");
			/* The following is evil and should not really
			 * be done */
			BIO_printf(io,"Ciphers supported in s_server binary\n");
			sk=SSL_get_ciphers(con);
			j=sk_SSL_CIPHER_num(sk);
			for (i=0; i<j; i++)
				{
				c=sk_SSL_CIPHER_value(sk,i);
				BIO_printf(io,"%-11s:%-25s",
					SSL_CIPHER_get_version(c),
					SSL_CIPHER_get_name(c));
				if ((((i+1)%2) == 0) && (i+1 != j))
					BIO_puts(io,"\n");
				}
			BIO_puts(io,"\n");
			p=SSL_get_shared_ciphers(con,buf,bufsize);
			if (p != NULL)
				{
				BIO_printf(io,"---\nCiphers common between both SSL end points:\n");
				j=i=0;
				while (*p)
					{
					if (*p == ':')
						{
						BIO_write(io,space,26-j);
						i++;
						j=0;
						BIO_write(io,((i%3)?" ":"\n"),1);
						}
					else
						{
						BIO_write(io,p,1);
						j++;
						}
					p++;
					}
				BIO_puts(io,"\n");
				}
			BIO_printf(io,((con->hit)
				?"---\nReused, "
				:"---\nNew, "));
			c=SSL_get_current_cipher(con);
			BIO_printf(io,"%s, Cipher is %s\n",
				SSL_CIPHER_get_version(c),
				SSL_CIPHER_get_name(c));
			SSL_SESSION_print(io,SSL_get_session(con));
			BIO_printf(io,"---\n");
			print_stats(io,SSL_get_SSL_CTX(con));
			BIO_printf(io,"---\n");
			peer=SSL_get_peer_certificate(con);
			if (peer != NULL)
				{
				BIO_printf(io,"Client certificate\n");
				X509_print(io,peer);
				PEM_write_bio_X509(io,peer);
				}
			else
				BIO_puts(io,"no client certificate available\n");
			BIO_puts(io,"</BODY></HTML>\r\n\r\n");
			break;
			}
		else if ((www == 2 || www == 3)
                         && (strncmp("GET /",buf,5) == 0))
			{
			BIO *file;
			char *p,*e;
			static const char *text="HTTP/1.0 200 ok\r\nContent-type: text/plain\r\n\r\n";
			/* skip the '/' */
			p= &(buf[5]);
			dot = 1;
			for (e=p; *e != '\0'; e++)
				{
				if (e[0] == ' ')
					break;
				switch (dot)
					{
				case 1:
					dot = (e[0] == '.') ? 2 : 0;
					break;
				case 2:
					dot = (e[0] == '.') ? 3 : 0;
					break;
				case 3:
					dot = (e[0] == '/') ? -1 : 0;
					break;
					}
				if (dot == 0)
					dot = (e[0] == '/') ? 1 : 0;
				}
			dot = (dot == 3) || (dot == -1); /* filename contains ".." component */
			if (*e == '\0')
				{
				BIO_puts(io,text);
				BIO_printf(io,"'%s' is an invalid file name\r\n",p);
				break;
				}
			*e='\0';
			if (dot)
				{
				BIO_puts(io,text);
				BIO_printf(io,"'%s' contains '..' reference\r\n",p);
				break;
				}
			if (*p == '/')
				{
				BIO_puts(io,text);
				BIO_printf(io,"'%s' is an invalid path\r\n",p);
				break;
				}
#if 0
			/* append if a directory lookup */
			if (e[-1] == '/')
				strcat(p,"index.html");
#endif
			/* if a directory, do the index thang */
			if (stat(p,&st_buf) < 0)
				{
				BIO_puts(io,text);
				BIO_printf(io,"Error accessing '%s'\r\n",p);
				ERR_print_errors(io);
				break;
				}
			if (S_ISDIR(st_buf.st_mode))
				{
#if 0 /* must check buffer size */
				strcat(p,"/index.html");
#else
				BIO_puts(io,text);
				BIO_printf(io,"'%s' is a directory\r\n",p);
				break;
#endif
				}
			if ((file=BIO_new_file(p,"r")) == NULL)
				{
				BIO_puts(io,text);
				BIO_printf(io,"Error opening '%s'\r\n",p);
				ERR_print_errors(io);
				break;
				}
			if (!s_quiet)
				BIO_printf(bio_err,"FILE:%s\n",p);
                        if (www == 2)
                                {
                                i=strlen(p);
                                if (	((i > 5) && (strcmp(&(p[i-5]),".html") == 0)) ||
                                        ((i > 4) && (strcmp(&(p[i-4]),".php") == 0)) ||
                                        ((i > 4) && (strcmp(&(p[i-4]),".htm") == 0)))
                                        BIO_puts(io,"HTTP/1.0 200 ok\r\nContent-type: text/html\r\n\r\n");
                                else
                                        BIO_puts(io,"HTTP/1.0 200 ok\r\nContent-type: text/plain\r\n\r\n");
                                }
			/* send the file */
			total_bytes=0;
			for (;;)
				{
				i=BIO_read(file,buf,bufsize);
				if (i <= 0) break;
#ifdef RENEG
				total_bytes+=i;
				fprintf(stderr,"%d\n",i);
				if (total_bytes > 3*1024)
					{
					total_bytes=0;
					fprintf(stderr,"RENEGOTIATE\n");
					SSL_renegotiate(con);
					}
		
#endif
				for (j=0; j<i; )
					{
#ifdef RENEG
{ static count=0; if (++count == 13) { SSL_renegotiate(con); } }
#endif
					k=BIO_write(io,&(buf[j]),i-j);
					if (k <= 0)
						{
						if (!BIO_should_retry(io))
							goto write_error;
						else
							{
							BIO_printf(bio_s_out,"rwrite W BLOCK\n");
							}
						}
					else
						{
						j+=k;
						}
					}
				}
write_error:
			BIO_free(file);
			break;
			}
		}
	for (;;)
		{
		i=(int)BIO_flush(io);
		if (i <= 0)
			{
			if (!BIO_should_retry(io))
				break;
			}
		else
			break;
		}
end:
#if 1
	/* make sure we re-use sessions */
	SSL_set_shutdown(con,SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
#else
	/* This kills performance */
/*	SSL_shutdown(con); A shutdown gets sent in the
 *	BIO_free_all(io) procession */
#endif
err:
	if (ret >= 0)
		BIO_printf(bio_s_out,"ACCEPT\n");
	if (buf != NULL) OPENSSL_free(buf);
	if (io != NULL) BIO_free_all(io);
/*	if (ssl_bio != NULL) BIO_free(ssl_bio);*/
	return(ret);
	}
#ifndef OPENSSL_NO_RSA
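static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength)
	{
	/* Temporary-RSA-key callback (presumably installed through the SSL
	 * temp-RSA hook; the SSL handle and is_export are not used here).
	 * Key generation is slow, so the generated key is cached in a static
	 * and handed out again on later calls.  The cache is tagged with the
	 * bit length it was generated for: the library asks for a specific
	 * keylength, and returning a key of a different size (the original
	 * behaviour, which cached the first key regardless of size) is wrong
	 * in both directions - too small weakens the exchange, too large is
	 * rejected for export ciphers.
	 * Returns the cached key, which stays owned by this function and is
	 * never to be freed by the caller, or NULL on allocation or
	 * generation failure. */
	BIGNUM *bn = NULL;
	static RSA *rsa_tmp=NULL;
	static int rsa_tmp_bits=0;	/* bit length of the key held in rsa_tmp */

	if (rsa_tmp != NULL && rsa_tmp_bits != keylength)
		{
		/* a different size was requested: the cached key is unusable */
		RSA_free(rsa_tmp);
		rsa_tmp = NULL;
		rsa_tmp_bits = 0;
		}
	if (rsa_tmp != NULL)
		return(rsa_tmp);

	if ((bn = BN_new()) == NULL)
		{
		BIO_printf(bio_err,"Allocation error in generating RSA key\n");
		return(NULL);
		}
	if (!s_quiet)
		{
		BIO_printf(bio_err,"Generating temp (%d bit) RSA key...",keylength);
		(void)BIO_flush(bio_err);
		}
	/* RSA_F4 (65537) is the conventional public exponent */
	if (!BN_set_word(bn, RSA_F4) || ((rsa_tmp = RSA_new()) == NULL) ||
			!RSA_generate_key_ex(rsa_tmp, keylength, bn, NULL))
		{
		/* RSA_free(NULL) is a no-op, so the pointer needs no guard */
		RSA_free(rsa_tmp);
		rsa_tmp = NULL;
		}
	else
		rsa_tmp_bits = keylength;
	if (!s_quiet)
		{
		BIO_printf(bio_err,"\n");
		(void)BIO_flush(bio_err);
		}
	BN_free(bn);
	return(rsa_tmp);
	}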
#endif
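#define MAX_SESSION_ID_ATTEMPTS 10
static int generate_session_id(const SSL *ssl, unsigned char *id,
				unsigned int *id_len)
	{
	/* Session-ID generation callback: fills id (*id_len bytes) with random
	 * bytes, overwrites the start of it with session_id_prefix, and retries
	 * up to MAX_SESSION_ID_ATTEMPTS times while the candidate collides with
	 * an ID the library already knows (SSL_has_matching_session_id).
	 * *id_len is left unchanged.
	 * Returns 1 on success, 0 if the random generator fails or no unique
	 * ID could be produced. */
	unsigned int count = 0;
	size_t prefix_len = strlen(session_id_prefix);

	/* Clip the prefix to the ID length.  NB: a prefix that fills the whole
	 * ID leaves no random bytes at all, so only one session ID can ever be
	 * produced and every later negotiation fails on the collision check. */
	if (prefix_len > *id_len)
		prefix_len = *id_len;

	do	{
		/* A session ID is the token a client presents to resume a
		 * session, so it must be unpredictable: use the strong generator
		 * and fail rather than hand out an ID built from weak or missing
		 * randomness (the previous RAND_pseudo_bytes result was never
		 * checked). */
		if (RAND_bytes(id, *id_len) <= 0)
			return 0;
		memcpy(id, session_id_prefix, prefix_len);
		}
	while(SSL_has_matching_session_id(ssl, id, *id_len) &&
		(++count < MAX_SESSION_ID_ATTEMPTS));
	if(count >= MAX_SESSION_ID_ATTEMPTS)
		return 0;
	return 1;
	}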