/usr/src/usr.bin/openssl/s

Bug Summary

File:	src/usr.bin/openssl/s_server.c
Warning:	line 1710, column 6 Value stored to 'i' is never read

Annotated Source Code

Press '?' to see keyboard shortcuts

Show analyzer invocation

clang -cc1 -cc1 -triple amd64-unknown-openbsd7.0 -analyze -disable-free -disable-llvm-verifier -discard-value-names -main-file-name s_server.c -analyzer-store=region -analyzer-opt-analyze-nested-blocks -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 1 -pic-is-pie -mframe-pointer=all -relaxed-aliasing -fno-rounding-math -mconstructor-aliases -munwind-tables -target-cpu x86-64 -target-feature +retpoline-indirect-calls -target-feature +retpoline-indirect-branches -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/usr/src/usr.bin/openssl/obj -resource-dir /usr/local/lib/clang/13.0.0 -D LIBRESSL_INTERNAL -internal-isystem /usr/local/lib/clang/13.0.0/include -internal-externc-isystem /usr/include -O2 -fdebug-compilation-dir=/usr/src/usr.bin/openssl/obj -ferror-limit 19 -fwrapv -D_RET_PROTECTOR -ret-protector -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -fno-builtin-malloc -fno-builtin-calloc -fno-builtin-realloc -fno-builtin-valloc -fno-builtin-free -fno-builtin-strdup -fno-builtin-strndup -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /home/ben/Projects/vmm/scan-build/2022-01-12-194120-40624-1 -x c /usr/src/usr.bin/openssl/s_server.c

1	/* $OpenBSD: s_server.c,v 1.54 2021/12/06 11:06:58 tb Exp $ */
2	/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3	* All rights reserved.
4	*
5	* This package is an SSL implementation written
6	* by Eric Young (eay@cryptsoft.com).
7	* The implementation was written so as to conform with Netscapes SSL.
8	*
9	* This library is free for commercial and non-commercial use as long as
10	* the following conditions are aheared to. The following conditions
11	* apply to all code found in this distribution, be it the RC4, RSA,
12	* lhash, DES, etc., code; not just the SSL code. The SSL documentation
13	* included with this distribution is covered by the same copyright terms
14	* except that the holder is Tim Hudson (tjh@cryptsoft.com).
15	*
16	* Copyright remains Eric Young's, and as such any Copyright notices in
17	* the code are not to be removed.
18	* If this package is used in a product, Eric Young should be given attribution
19	* as the author of the parts of the library used.
20	* This can be in the form of a textual message at program startup or
21	* in documentation (online or textual) provided with the package.
22	*
23	* Redistribution and use in source and binary forms, with or without
24	* modification, are permitted provided that the following conditions
25	* are met:
26	* 1. Redistributions of source code must retain the copyright
27	* notice, this list of conditions and the following disclaimer.
28	* 2. Redistributions in binary form must reproduce the above copyright
29	* notice, this list of conditions and the following disclaimer in the
30	* documentation and/or other materials provided with the distribution.
31	* 3. All advertising materials mentioning features or use of this software
32	* must display the following acknowledgement:
33	* "This product includes cryptographic software written by
34	* Eric Young (eay@cryptsoft.com)"
35	* The word 'cryptographic' can be left out if the rouines from the library
36	* being used are not cryptographic related :-).
37	* 4. If you include any Windows specific code (or a derivative thereof) from
38	* the apps directory (application code) you must include an acknowledgement:
39	* "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40	*
41	* THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42	* ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44	* ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45	* FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46	* DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47	* OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49	* LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50	* OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51	* SUCH DAMAGE.
52	*
53	* The licence and distribution terms for any publically available version or
54	* derivative of this code cannot be changed. i.e. this code cannot simply be
55	* copied and put under another distribution licence
56	* [including the GNU Public Licence.]
57	*/
58	/* ====================================================================
59	* Copyright (c) 1998-2006 The OpenSSL Project. All rights reserved.
60	*
61	* Redistribution and use in source and binary forms, with or without
62	* modification, are permitted provided that the following conditions
63	* are met:
64	*
65	* 1. Redistributions of source code must retain the above copyright
66	* notice, this list of conditions and the following disclaimer.
67	*
68	* 2. Redistributions in binary form must reproduce the above copyright
69	* notice, this list of conditions and the following disclaimer in
70	* the documentation and/or other materials provided with the
71	* distribution.
72	*
73	* 3. All advertising materials mentioning features or use of this
74	* software must display the following acknowledgment:
75	* "This product includes software developed by the OpenSSL Project
76	* for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77	*
78	* 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79	* endorse or promote products derived from this software without
80	* prior written permission. For written permission, please contact
81	* openssl-core@openssl.org.
82	*
83	* 5. Products derived from this software may not be called "OpenSSL"
84	* nor may "OpenSSL" appear in their names without prior written
85	* permission of the OpenSSL Project.
86	*
87	* 6. Redistributions of any form whatsoever must retain the following
88	* acknowledgment:
89	* "This product includes software developed by the OpenSSL Project
90	* for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91	*
92	* THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93	* EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94	* IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95	* PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96	* ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97	* SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98	* NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99	* LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100	* HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101	* STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102	* ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103	* OF THE POSSIBILITY OF SUCH DAMAGE.
104	* ====================================================================
105	*
106	* This product includes cryptographic software written by Eric Young
107	* (eay@cryptsoft.com). This product includes software written by Tim
108	* Hudson (tjh@cryptsoft.com).
109	*
110	*/
111	/* ====================================================================
112	* Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113	* ECC cipher suite support in OpenSSL originally developed by
114	* SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
115	*/
116	/* ====================================================================
117	* Copyright 2005 Nokia. All rights reserved.
118	*
119	* The portions of the attached software ("Contribution") is developed by
120	* Nokia Corporation and is licensed pursuant to the OpenSSL open source
121	* license.
122	*
123	* The Contribution, originally written by Mika Kousa and Pasi Eronen of
124	* Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
125	* support (see RFC 4279) to OpenSSL.
126	*
127	* No patent licenses or other rights except those expressly stated in
128	* the OpenSSL open source license shall be deemed granted or received
129	* expressly, by implication, estoppel, or otherwise.
130	*
131	* No assurances are provided by Nokia that the Contribution does not
132	* infringe the patent or other intellectual property rights of any third
133	* party or that the license provides you with all the necessary rights
134	* to make use of the Contribution.
135	*
136	* THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
137	* ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
138	* SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
139	* OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
140	* OTHERWISE.
141	*/
142
143	/* Until the key-gen callbacks are modified to use newer prototypes, we allow
144	* deprecated functions for openssl-internal code */
145	#ifdef OPENSSL_NO_DEPRECATED
146	#undef OPENSSL_NO_DEPRECATED
147	#endif
148
149	#include <sys/types.h>
150	#include <sys/socket.h>
151
152	#include <assert.h>
153	#include <ctype.h>
154	#include <stdio.h>
155	#include <stdlib.h>
156	#include <limits.h>
157	#include <string.h>
158	#include <unistd.h>
159	#include <poll.h>
160
161	#include "apps.h"
162
163	#include <openssl/bn.h>
164	#include <openssl/err.h>
165	#include <openssl/lhash.h>
166	#include <openssl/ocsp.h>
167	#include <openssl/pem.h>
168	#include <openssl/ssl.h>
169	#include <openssl/x509.h>
170
171	#ifndef OPENSSL_NO_DH
172	#include <openssl/dh.h>
173	#endif
174
175	#include <openssl/rsa.h>
176
177	#include "s_apps.h"
178	#include "timeouts.h"
179
180	static void s_server_init(void);
181	static void sv_usage(void);
182	static void print_stats(BIO bp, SSL_CTX ctx);
183	static int sv_body(int s, unsigned char *context);
184	static void close_accept_socket(void);
185	static int init_ssl_connection(SSL *s);
186	#ifndef OPENSSL_NO_DH
187	static DH load_dh_param(const char dhfile);
188	#endif
189	static int www_body(int s, unsigned char *context);
190	static int generate_session_id(const SSL ssl, unsigned char id,
191	unsigned int *id_len);
192	static int ssl_servername_cb(SSL s, int ad, void *arg);
193	static int cert_status_cb(SSL * s, void *arg);
194	static int alpn_cb(SSL s, const unsigned char out, unsigned char outlen,
195	const unsigned char in, unsigned int inlen, void arg);
196	/* static int load_CA(SSL_CTX ctx, char file);*/
197
198	#define BUFSIZZ161024 161024
199	static int bufsize = BUFSIZZ16*1024;
200	static int accept_socket = -1;
201
202	#define TEST_CERT"server.pem" "server.pem"
203	#define TEST_CERT2"server2.pem" "server2.pem"
204
205	static int s_server_session_id_context = 1; /* anything will do */
206	static SSL_CTX ctx = NULL((void)0);
207	static SSL_CTX ctx2 = NULL((void)0);
208	static BIO bio_s_out = NULL((void)0);
209
210	static int local_argc = 0;
211	static char **local_argv;
212
213	/* This is a context that we pass to callbacks */
214	typedef struct tlsextctx_st {
215	char *servername;
216	BIO *biodebug;
217	int extension_error;
218	} tlsextctx;
219
220	/* Structure passed to cert status callback */
221	typedef struct tlsextstatusctx_st {
222	/* Default responder to use */
223	char host, path, *port;
224	int use_ssl;
225	int timeout;
226	BIO *err;
227	int verbose;
228	} tlsextstatusctx;
229
230	/* This the context that we pass to alpn_cb */
231	typedef struct tlsextalpnctx_st {
232	unsigned char *data;
233	unsigned short len;
234	} tlsextalpnctx;
235
236	static struct {
237	char *alpn_in;
238	char npn_in; / Ignored. */
239	int bugs;
240	char *CAfile;
241	char *CApath;
242	#ifndef OPENSSL_NO_DTLS
243	int cert_chain;
244	#endif
245	char *cert_file;
246	char *cert_file2;
247	int cert_format;
248	char *cipher;
249	unsigned char *context;
250	int crlf;
251	char *dcert_file;
252	int dcert_format;
253	int debug;
254	char *dhfile;
255	char *dkey_file;
256	int dkey_format;
257	char *dpassarg;
258	int enable_timeouts;
259	const char *errstr;
260	char *groups_in;
261	char *key_file;
262	char *key_file2;
263	int key_format;
264	char *keymatexportlabel;
265	int keymatexportlen;
266	uint16_t max_version;
267	uint16_t min_version;
268	const SSL_METHOD *meth;
269	int msg;
270	int naccept;
271	char *named_curve;
272	int nbio;
273	int nbio_test;
274	int no_cache;
275	int nocert;
276	int no_dhe;
277	int no_ecdhe;
278	int no_tmp_rsa; /* No-op. */
279	int off;
280	char *passarg;
281	short port;
282	int quiet;
283	int server_verify;
284	char *session_id_prefix;
285	long socket_mtu;
286	int socket_type;
287	#ifndef OPENSSL_NO_SRTP
288	char *srtp_profiles;
289	#endif
290	int state;
291	tlsextstatusctx tlscstatp;
292	tlsextctx tlsextcbp;
293	int tlsextdebug;
294	int tlsextstatus;
295	X509_VERIFY_PARAM *vpm;
296	int www;
297	} s_server_config;
298
299	static int
300	s_server_opt_context(char *arg)
301	{
302	s_server_config.context = (unsigned char *) arg;
303	return (0);
304	}
305
306	static int
307	s_server_opt_keymatexportlen(char *arg)
308	{
309	s_server_config.keymatexportlen = strtonum(arg, 1, INT_MAX2147483647,
310	&s_server_config.errstr);
311	if (s_server_config.errstr != NULL((void*)0)) {
312	BIO_printf(bio_err, "invalid argument %s: %s\n",
313	arg, s_server_config.errstr);
314	return (1);
315	}
316	return (0);
317	}
318
319	#ifndef OPENSSL_NO_DTLS
320	static int
321	s_server_opt_mtu(char *arg)
322	{
323	s_server_config.socket_mtu = strtonum(arg, 0, LONG_MAX9223372036854775807L,
324	&s_server_config.errstr);
325	if (s_server_config.errstr != NULL((void*)0)) {
326	BIO_printf(bio_err, "invalid argument %s: %s\n",
327	arg, s_server_config.errstr);
328	return (1);
329	}
330	return (0);
331	}
332	#endif
333
334	#ifndef OPENSSL_NO_DTLS
335	static int
336	s_server_opt_protocol_version_dtls(void)
337	{
338	s_server_config.meth = DTLS_server_method();
339	s_server_config.socket_type = SOCK_DGRAM2;
340	return (0);
341	}
342	#endif
343
344	#ifndef OPENSSL_NO_DTLS1
345	static int
346	s_server_opt_protocol_version_dtls1(void)
347	{
348	s_server_config.meth = DTLS_server_method();
349	s_server_config.min_version = DTLS1_VERSION0xFEFF;
350	s_server_config.max_version = DTLS1_VERSION0xFEFF;
351	s_server_config.socket_type = SOCK_DGRAM2;
352	return (0);
353	}
354	#endif
355
356	#ifndef OPENSSL_NO_DTLS1_2
357	static int
358	s_server_opt_protocol_version_dtls1_2(void)
359	{
360	s_server_config.meth = DTLS_server_method();
361	s_server_config.min_version = DTLS1_2_VERSION0xFEFD;
362	s_server_config.max_version = DTLS1_2_VERSION0xFEFD;
363	s_server_config.socket_type = SOCK_DGRAM2;
364	return (0);
365	}
366	#endif
367
368	static int
369	s_server_opt_protocol_version_tls1(void)
370	{
371	s_server_config.min_version = TLS1_VERSION0x0301;
372	s_server_config.max_version = TLS1_VERSION0x0301;
373	return (0);
374	}
375
376	static int
377	s_server_opt_protocol_version_tls1_1(void)
378	{
379	s_server_config.min_version = TLS1_1_VERSION0x0302;
380	s_server_config.max_version = TLS1_1_VERSION0x0302;
381	return (0);
382	}
383
384	static int
385	s_server_opt_protocol_version_tls1_2(void)
386	{
387	s_server_config.min_version = TLS1_2_VERSION0x0303;
388	s_server_config.max_version = TLS1_2_VERSION0x0303;
389	return (0);
390	}
391
392	static int
393	s_server_opt_protocol_version_tls1_3(void)
394	{
395	s_server_config.min_version = TLS1_3_VERSION0x0304;
396	s_server_config.max_version = TLS1_3_VERSION0x0304;
397	return (0);
398	}
399
400	static int
401	s_server_opt_nbio_test(void)
402	{
403	s_server_config.nbio = 1;
404	s_server_config.nbio_test = 1;
405	return (0);
406	}
407
408	static int
409	s_server_opt_port(char *arg)
410	{
411	if (!extract_port(arg, &s_server_config.port))
412	return (1);
413	return (0);
414	}
415
416	static int
417	s_server_opt_status_timeout(char *arg)
418	{
419	s_server_config.tlsextstatus = 1;
420	s_server_config.tlscstatp.timeout = strtonum(arg, 0, INT_MAX2147483647,
421	&s_server_config.errstr);
422	if (s_server_config.errstr != NULL((void*)0)) {
423	BIO_printf(bio_err, "invalid argument %s: %s\n",
424	arg, s_server_config.errstr);
425	return (1);
426	}
427	return (0);
428	}
429
430	static int
431	s_server_opt_status_url(char *arg)
432	{
433	s_server_config.tlsextstatus = 1;
434	if (!OCSP_parse_url(arg, &s_server_config.tlscstatp.host,
435	&s_server_config.tlscstatp.port, &s_server_config.tlscstatp.path,
436	&s_server_config.tlscstatp.use_ssl)) {
437	BIO_printf(bio_err, "Error parsing URL\n");
438	return (1);
439	}
440	return (0);
441	}
442
443	static int
444	s_server_opt_status_verbose(void)
445	{
446	s_server_config.tlsextstatus = 1;
447	s_server_config.tlscstatp.verbose = 1;
448	return (0);
449	}
450
451	static int
452	s_server_opt_verify(char *arg)
453	{
454	s_server_config.server_verify = SSL_VERIFY_PEER0x01 \|
455	SSL_VERIFY_CLIENT_ONCE0x04;
456	verify_depth = strtonum(arg, 0, INT_MAX2147483647, &s_server_config.errstr);
457	if (s_server_config.errstr != NULL((void*)0)) {
458	BIO_printf(bio_err, "invalid argument %s: %s\n",
459	arg, s_server_config.errstr);
460	return (1);
461	}
462	BIO_printf(bio_err, "verify depth is %d\n", verify_depth);
463	return (0);
464	}
465
466	static int
467	s_server_opt_verify_fail(char *arg)
468	{
469	s_server_config.server_verify = SSL_VERIFY_PEER0x01 \|
470	SSL_VERIFY_FAIL_IF_NO_PEER_CERT0x02 \| SSL_VERIFY_CLIENT_ONCE0x04;
471	verify_depth = strtonum(arg, 0, INT_MAX2147483647, &s_server_config.errstr);
472	if (s_server_config.errstr != NULL((void*)0)) {
473	BIO_printf(bio_err, "invalid argument %s: %s\n",
474	arg, s_server_config.errstr);
475	return (1);
476	}
477	BIO_printf(bio_err, "verify depth is %d, must return a certificate\n",
478	verify_depth);
479	return (0);
480	}
481
482	static int
483	s_server_opt_verify_param(int argc, char *argv, int argsused)
484	{
485	char **pargs = argv;
486	int pargc = argc;
487	int badarg = 0;
488
489	if (!args_verify(&pargs, &pargc, &badarg, bio_err,
490	&s_server_config.vpm)) {
491	BIO_printf(bio_err, "unknown option %s\n", *argv);
492	return (1);
493	}
494	if (badarg)
495	return (1);
496
497	*argsused = argc - pargc;
498	return (0);
499	}
500
501	static const struct option s_server_options[] = {
502	{
503	.name = "4",
504	.type = OPTION_DISCARD,
505	},
506	{
507	.name = "6",
508	.type = OPTION_DISCARD,
509	},
510	{
511	.name = "accept",
512	.argname = "port",
513	.desc = "Port to accept on (default is 4433)",
514	.type = OPTION_ARG_FUNC,
515	.opt.argfunc = s_server_opt_port,
516	},
517	{
518	.name = "alpn",
519	.argname = "protocols",
520	.desc = "Set the advertised protocols for the ALPN extension"
521	" (comma-separated list)",
522	.type = OPTION_ARG,
523	.opt.arg = &s_server_config.alpn_in,
524	},
525	{
526	.name = "bugs",
527	.desc = "Turn on SSL bug compatibility",
528	.type = OPTION_FLAG,
529	.opt.flag = &s_server_config.bugs,
530	},
531	{
532	.name = "CAfile",
533	.argname = "file",
534	.desc = "PEM format file of CA certificates",
535	.type = OPTION_ARG,
536	.opt.arg = &s_server_config.CAfile,
537	},
538	{
539	.name = "CApath",
540	.argname = "directory",
541	.desc = "PEM format directory of CA certificates",
542	.type = OPTION_ARG,
543	.opt.arg = &s_server_config.CApath,
544	},
545	{
546	.name = "cert",
547	.argname = "file",
548	.desc = "Certificate file to use\n"
549	"(default is " TEST_CERT"server.pem" ")",
550	.type = OPTION_ARG,
551	.opt.arg = &s_server_config.cert_file,
552	},
553	{
554	.name = "cert2",
555	.argname = "file",
556	.desc = "Certificate file to use for servername\n"
557	"(default is " TEST_CERT2"server2.pem" ")",
558	.type = OPTION_ARG,
559	.opt.arg = &s_server_config.cert_file2,
560	},
561	{
562	.name = "certform",
563	.argname = "fmt",
564	.desc = "Certificate format (PEM or DER) PEM default",
565	.type = OPTION_ARG_FORMAT,
566	.opt.value = &s_server_config.cert_format,
567	},
568	#ifndef OPENSSL_NO_DTLS
569	{
570	.name = "chain",
571	.type = OPTION_FLAG,
572	.opt.flag = &s_server_config.cert_chain,
573	},
574	#endif
575	{
576	.name = "cipher",
577	.argname = "list",
578	.desc = "List of ciphers to enable (see `openssl ciphers`)",
579	.type = OPTION_ARG,
580	.opt.arg = &s_server_config.cipher,
581	},
582	{
583	.name = "context",
584	.argname = "id",
585	.desc = "Set session ID context",
586	.type = OPTION_ARG_FUNC,
587	.opt.argfunc = s_server_opt_context,
588	},
589	{
590	.name = "crlf",
591	.desc = "Convert LF from terminal into CRLF",
592	.type = OPTION_FLAG,
593	.opt.flag = &s_server_config.crlf,
594	},
595	{
596	.name = "dcert",
597	.argname = "file",
598	.desc = "Second certificate file to use (usually for DSA)",
599	.type = OPTION_ARG,
600	.opt.arg = &s_server_config.dcert_file,
601	},
602	{
603	.name = "dcertform",
604	.argname = "fmt",
605	.desc = "Second certificate format (PEM or DER) PEM default",
606	.type = OPTION_ARG_FORMAT,
607	.opt.value = &s_server_config.dcert_format,
608	},
609	{
610	.name = "debug",
611	.desc = "Print more output",
612	.type = OPTION_FLAG,
613	.opt.flag = &s_server_config.debug,
614	},
615	{
616	.name = "dhparam",
617	.argname = "file",
618	.desc = "DH parameter file to use, in cert file if not specified",
619	.type = OPTION_ARG,
620	.opt.arg = &s_server_config.dhfile,
621	},
622	{
623	.name = "dkey",
624	.argname = "file",
625	.desc = "Second private key file to use (usually for DSA)",
626	.type = OPTION_ARG,
627	.opt.arg = &s_server_config.dkey_file,
628	},
629	{
630	.name = "dkeyform",
631	.argname = "fmt",
632	.desc = "Second key format (PEM or DER) PEM default",
633	.type = OPTION_ARG_FORMAT,
634	.opt.value = &s_server_config.dkey_format,
635	},
636	{
637	.name = "dpass",
638	.argname = "arg",
639	.desc = "Second private key file pass phrase source",
640	.type = OPTION_ARG,
641	.opt.arg = &s_server_config.dpassarg,
642	},
643	#ifndef OPENSSL_NO_DTLS
644	{
645	.name = "dtls",
646	.desc = "Use any version of DTLS",
647	.type = OPTION_FUNC,
648	.opt.func = s_server_opt_protocol_version_dtls,
649	},
650	#endif
651	#ifndef OPENSSL_NO_DTLS1
652	{
653	.name = "dtls1",
654	.desc = "Just use DTLSv1",
655	.type = OPTION_FUNC,
656	.opt.func = s_server_opt_protocol_version_dtls1,
657	},
658	#endif
659	#ifndef OPENSSL_NO_DTLS1_2
660	{
661	.name = "dtls1_2",
662	.desc = "Just use DTLSv1.2",
663	.type = OPTION_FUNC,
664	.opt.func = s_server_opt_protocol_version_dtls1_2,
665	},
666	#endif
667	{
668	.name = "groups",
669	.argname = "list",
670	.desc = "Specify EC groups (colon-separated list)",
671	.type = OPTION_ARG,
672	.opt.arg = &s_server_config.groups_in,
673	},
674	{
675	.name = "HTTP",
676	.desc = "Respond to a 'GET /<path> HTTP/1.0' with file ./<path>",
677	.type = OPTION_VALUE,
678	.opt.value = &s_server_config.www,
679	.value = 3,
680	},
681	{
682	.name = "id_prefix",
683	.argname = "arg",
684	.desc = "Generate SSL/TLS session IDs prefixed by 'arg'",
685	.type = OPTION_ARG,
686	.opt.arg = &s_server_config.session_id_prefix,
687	},
688	{
689	.name = "key",
690	.argname = "file",
691	.desc = "Private Key file to use, in cert file if\n"
692	"not specified (default is " TEST_CERT"server.pem" ")",
693	.type = OPTION_ARG,
694	.opt.arg = &s_server_config.key_file,
695	},
696	{
697	.name = "key2",
698	.argname = "file",
699	.desc = "Private Key file to use for servername, in cert file if\n"
700	"not specified (default is " TEST_CERT2"server2.pem" ")",
701	.type = OPTION_ARG,
702	.opt.arg = &s_server_config.key_file2,
703	},
704	{
705	.name = "keyform",
706	.argname = "fmt",
707	.desc = "Key format (PEM or DER) PEM default",
708	.type = OPTION_ARG_FORMAT,
709	.opt.value = &s_server_config.key_format,
710	},
711	{
712	.name = "keymatexport",
713	.argname = "label",
714	.desc = "Export keying material using label",
715	.type = OPTION_ARG,
716	.opt.arg = &s_server_config.keymatexportlabel,
717	},
718	{
719	.name = "keymatexportlen",
720	.argname = "len",
721	.desc = "Export len bytes of keying material (default 20)",
722	.type = OPTION_ARG_FUNC,
723	.opt.argfunc = s_server_opt_keymatexportlen,
724	},
725	{
726	.name = "legacy_renegotiation",
727	.type = OPTION_DISCARD,
728	},
729	{
730	.name = "msg",
731	.desc = "Show protocol messages",
732	.type = OPTION_FLAG,
733	.opt.flag = &s_server_config.msg,
734	},
735	#ifndef OPENSSL_NO_DTLS
736	{
737	.name = "mtu",
738	.argname = "mtu",
739	.desc = "Set link layer MTU",
740	.type = OPTION_ARG_FUNC,
741	.opt.argfunc = s_server_opt_mtu,
742	},
743	#endif
744	{
745	.name = "naccept",
746	.argname = "num",
747	.desc = "Terminate after num connections",
748	.type = OPTION_ARG_INT,
749	.opt.value = &s_server_config.naccept
750	},
751	{
752	.name = "named_curve",
753	.argname = "arg",
754	.type = OPTION_ARG,
755	.opt.arg = &s_server_config.named_curve,
756	},
757	{
758	.name = "nbio",
759	.desc = "Run with non-blocking I/O",
760	.type = OPTION_FLAG,
761	.opt.flag = &s_server_config.nbio,
762	},
763	{
764	.name = "nbio_test",
765	.desc = "Test with the non-blocking test bio",
766	.type = OPTION_FUNC,
767	.opt.func = s_server_opt_nbio_test,
768	},
769	{
770	.name = "nextprotoneg",
771	.argname = "arg",
772	.type = OPTION_ARG,
773	.opt.arg = &s_server_config.npn_in, /* Ignored. */
774	},
775	{
776	.name = "no_cache",
777	.desc = "Disable session cache",
778	.type = OPTION_FLAG,
779	.opt.flag = &s_server_config.no_cache,
780	},
781	{
782	.name = "no_comp",
783	.desc = "Disable SSL/TLS compression",
784	.type = OPTION_VALUE_OR,
785	.opt.value = &s_server_config.off,
786	.value = SSL_OP_NO_COMPRESSION0x0,
787	},
788	{
789	.name = "no_dhe",
790	.desc = "Disable ephemeral DH",
791	.type = OPTION_FLAG,
792	.opt.flag = &s_server_config.no_dhe,
793	},
794	{
795	.name = "no_ecdhe",
796	.desc = "Disable ephemeral ECDH",
797	.type = OPTION_FLAG,
798	.opt.flag = &s_server_config.no_ecdhe,
799	},
800	{
801	.name = "no_ticket",
802	.desc = "Disable use of RFC4507bis session tickets",
803	.type = OPTION_VALUE_OR,
804	.opt.value = &s_server_config.off,
805	.value = SSL_OP_NO_TICKET0x00004000L,
806	},
807	{
808	.name = "no_ssl2",
809	.type = OPTION_VALUE_OR,
810	.opt.value = &s_server_config.off,
811	.value = SSL_OP_NO_SSLv20x0,
812	},
813	{
814	.name = "no_ssl3",
815	.type = OPTION_VALUE_OR,
816	.opt.value = &s_server_config.off,
817	.value = SSL_OP_NO_SSLv30x0,
818	},
819	{
820	.name = "no_tls1",
821	.desc = "Just disable TLSv1",
822	.type = OPTION_VALUE_OR,
823	.opt.value = &s_server_config.off,
824	.value = SSL_OP_NO_TLSv10x04000000L,
825	},
826	{
827	.name = "no_tls1_1",
828	.desc = "Just disable TLSv1.1",
829	.type = OPTION_VALUE_OR,
830	.opt.value = &s_server_config.off,
831	.value = SSL_OP_NO_TLSv1_10x10000000L,
832	},
833	{
834	.name = "no_tls1_2",
835	.desc = "Just disable TLSv1.2",
836	.type = OPTION_VALUE_OR,
837	.opt.value = &s_server_config.off,
838	.value = SSL_OP_NO_TLSv1_20x08000000L,
839	},
840	{
841	.name = "no_tls1_3",
842	.desc = "Just disable TLSv1.3",
843	.type = OPTION_VALUE_OR,
844	.opt.value = &s_server_config.off,
845	.value = SSL_OP_NO_TLSv1_30x20000000L,
846	},
847	{
848	.name = "no_tmp_rsa",
849	.type = OPTION_DISCARD,
850	},
851	{
852	.name = "nocert",
853	.desc = "Don't use any certificates (Anon-DH)",
854	.type = OPTION_FLAG,
855	.opt.flag = &s_server_config.nocert,
856	},
857	{
858	.name = "pass",
859	.argname = "arg",
860	.desc = "Private key file pass phrase source",
861	.type = OPTION_ARG,
862	.opt.arg = &s_server_config.passarg,
863	},
864	{
865	.name = "port",
866	.argname = "port",
867	.type = OPTION_ARG_FUNC,
868	.opt.argfunc = s_server_opt_port,
869	},
870	{
871	.name = "quiet",
872	.desc = "Inhibit printing of session and certificate information",
873	.type = OPTION_FLAG,
874	.opt.flag = &s_server_config.quiet,
875	},
876	{
877	.name = "servername",
878	.argname = "name",
879	.desc = "Servername for HostName TLS extension",
880	.type = OPTION_ARG,
881	.opt.arg = &s_server_config.tlsextcbp.servername,
882	},
883	{
884	.name = "servername_fatal",
885	.desc = "On mismatch send fatal alert (default warning alert)",
886	.type = OPTION_VALUE,
887	.opt.value = &s_server_config.tlsextcbp.extension_error,
888	.value = SSL_TLSEXT_ERR_ALERT_FATAL2,
889	},
890	{
891	.name = "serverpref",
892	.desc = "Use server's cipher preferences",
893	.type = OPTION_VALUE_OR,
894	.opt.value = &s_server_config.off,
895	.value = SSL_OP_CIPHER_SERVER_PREFERENCE0x00400000L,
896	},
897	{
898	.name = "state",
899	.desc = "Print the SSL states",
900	.type = OPTION_FLAG,
901	.opt.flag = &s_server_config.state,
902	},
903	{
904	.name = "status",
905	.desc = "Respond to certificate status requests",
906	.type = OPTION_FLAG,
907	.opt.flag = &s_server_config.tlsextstatus,
908	},
909	{
910	.name = "status_timeout",
911	.argname = "nsec",
912	.desc = "Status request responder timeout",
913	.type = OPTION_ARG_FUNC,
914	.opt.argfunc = s_server_opt_status_timeout,
915	},
916	{
917	.name = "status_url",
918	.argname = "url",
919	.desc = "Status request fallback URL",
920	.type = OPTION_ARG_FUNC,
921	.opt.argfunc = s_server_opt_status_url,
922	},
923	{
924	.name = "status_verbose",
925	.desc = "Enable status request verbose printout",
926	.type = OPTION_FUNC,
927	.opt.func = s_server_opt_status_verbose,
928	},
929	#ifndef OPENSSL_NO_DTLS
930	{
931	.name = "timeout",
932	.desc = "Enable timeouts",
933	.type = OPTION_FLAG,
934	.opt.flag = &s_server_config.enable_timeouts,
935	},
936	#endif
937	{
938	.name = "tls1",
939	.desc = "Just talk TLSv1",
940	.type = OPTION_FUNC,
941	.opt.func = s_server_opt_protocol_version_tls1,
942	},
943	{
944	.name = "tls1_1",
945	.desc = "Just talk TLSv1.1",
946	.type = OPTION_FUNC,
947	.opt.func = s_server_opt_protocol_version_tls1_1,
948	},
949	{
950	.name = "tls1_2",
951	.desc = "Just talk TLSv1.2",
952	.type = OPTION_FUNC,
953	.opt.func = s_server_opt_protocol_version_tls1_2,
954	},
955	{
956	.name = "tls1_3",
957	.desc = "Just talk TLSv1.3",
958	.type = OPTION_FUNC,
959	.opt.func = s_server_opt_protocol_version_tls1_3,
960	},
961	{
962	.name = "tlsextdebug",
963	.desc = "Hex dump of all TLS extensions received",
964	.type = OPTION_FLAG,
965	.opt.flag = &s_server_config.tlsextdebug,
966	},
967	#ifndef OPENSSL_NO_SRTP
968	{
969	.name = "use_srtp",
970	.argname = "profiles",
971	.desc = "Offer SRTP key management with a colon-separated profile list",
972	.type = OPTION_ARG,
973	.opt.arg = &s_server_config.srtp_profiles,
974	},
975	#endif
976	{
977	.name = "Verify",
978	.argname = "depth",
979	.desc = "Turn on peer certificate verification, must have a cert",
980	.type = OPTION_ARG_FUNC,
981	.opt.argfunc = s_server_opt_verify_fail,
982	},
983	{
984	.name = "verify",
985	.argname = "depth",
986	.desc = "Turn on peer certificate verification",
987	.type = OPTION_ARG_FUNC,
988	.opt.argfunc = s_server_opt_verify,
989	},
990	{
991	.name = "verify_return_error",
992	.desc = "Return verification error",
993	.type = OPTION_FLAG,
994	.opt.flag = &verify_return_error,
995	},
996	{
997	.name = "WWW",
998	.desc = "Respond to a 'GET /<path> HTTP/1.0' with file ./<path>",
999	.type = OPTION_VALUE,
1000	.opt.value = &s_server_config.www,
1001	.value = 2,
1002	},
1003	{
1004	.name = "www",
1005	.desc = "Respond to a 'GET /' with a status page",
1006	.type = OPTION_VALUE,
1007	.opt.value = &s_server_config.www,
1008	.value = 1,
1009	},
1010	{
1011	.name = NULL((void*)0),
1012	.desc = "",
1013	.type = OPTION_ARGV_FUNC,
1014	.opt.argvfunc = s_server_opt_verify_param,
1015	},
1016	{ NULL((void*)0) },
1017	};
1018
1019	static void
1020	s_server_init(void)
1021	{
1022	accept_socket = -1;
1023	s_server_config.cipher = NULL((void*)0);
1024	s_server_config.server_verify = SSL_VERIFY_NONE0x00;
1025	s_server_config.dcert_file = NULL((void*)0);
1026	s_server_config.dkey_file = NULL((void*)0);
1027	s_server_config.cert_file = TEST_CERT"server.pem";
1028	s_server_config.key_file = NULL((void*)0);
1029	s_server_config.cert_file2 = TEST_CERT2"server2.pem";
1030	s_server_config.key_file2 = NULL((void*)0);
1031	ctx2 = NULL((void*)0);
1032	s_server_config.nbio = 0;
1033	s_server_config.nbio_test = 0;
1034	ctx = NULL((void*)0);
1035	s_server_config.www = 0;
1036
1037	bio_s_out = NULL((void*)0);
1038	s_server_config.debug = 0;
1039	s_server_config.msg = 0;
1040	s_server_config.quiet = 0;
1041	}
1042
1043	static void
1044	sv_usage(void)
1045	{
1046	fprintf(stderr(&__sF[2]), "usage: s_server "
1047	"[-accept port] [-alpn protocols] [-bugs] [-CAfile file]\n"
1048	" [-CApath directory] [-cert file] [-cert2 file]\n"
1049	" [-certform der \| pem] [-cipher cipherlist]\n"
1050	" [-context id] [-crl_check] [-crl_check_all] [-crlf]\n"
1051	" [-dcert file] [-dcertform der \| pem] [-debug]\n"
1052	" [-dhparam file] [-dkey file] [-dkeyform der \| pem]\n"
1053	" [-dpass arg] [-dtls] [-dtls1] [-dtls1_2] [-groups list] [-HTTP]\n"
1054	" [-id_prefix arg] [-key keyfile] [-key2 keyfile]\n"
1055	" [-keyform der \| pem] [-keymatexport label]\n"
1056	" [-keymatexportlen len] [-msg] [-mtu mtu] [-naccept num]\n"
1057	" [-named_curve arg] [-nbio] [-nbio_test] [-no_cache]\n"
1058	" [-no_dhe] [-no_ecdhe] [-no_ticket] [-no_tls1]\n"
1059	" [-no_tls1_1] [-no_tls1_2] [-no_tls1_3] [-no_tmp_rsa]\n"
1060	" [-nocert] [-pass arg] [-quiet] [-servername name]\n"
1061	" [-servername_fatal] [-serverpref] [-state] [-status]\n"
1062	" [-status_timeout nsec] [-status_url url]\n"
1063	" [-status_verbose] [-timeout] [-tls1] [-tls1_1]\n"
1064	" [-tls1_2] [-tls1_3] [-tlsextdebug] [-use_srtp profiles]\n"
1065	" [-Verify depth] [-verify depth] [-verify_return_error]\n"
1066	" [-WWW] [-www]\n");
1067	fprintf(stderr(&__sF[2]), "\n");
1068	options_usage(s_server_options);
1069	fprintf(stderr(&__sF[2]), "\n");
1070	}
1071
1072	int
1073	s_server_main(int argc, char *argv[])
1074	{
1075	int ret = 1;
1076	char pass = NULL((void)0);
1077	char dpass = NULL((void)0);
1078	X509 s_cert = NULL((void)0), s_dcert = NULL((void)0);
1079	EVP_PKEY s_key = NULL((void)0), s_dkey = NULL((void)0);
1080	EVP_PKEY s_key2 = NULL((void)0);
1081	X509 s_cert2 = NULL((void)0);
1082	tlsextalpnctx alpn_ctx = { NULL((void*)0), 0 };
1083
1084	if (single_execution) {
1085	if (pledge("stdio rpath inet dns tty", NULL((void*)0)) == -1) {
1086	perror("pledge");
1087	exit(1);
1088	}
1089	}
1090
1091	memset(&s_server_config, 0, sizeof(s_server_config));
1092	s_server_config.keymatexportlen = 20;
1093	s_server_config.meth = TLS_server_method();
1094	s_server_config.naccept = -1;
1095	s_server_config.port = PORT4433;
1096	s_server_config.cert_file = TEST_CERT"server.pem";
1097	s_server_config.cert_file2 = TEST_CERT2"server2.pem";
1098	s_server_config.cert_format = FORMAT_PEM3;
1099	s_server_config.dcert_format = FORMAT_PEM3;
1100	s_server_config.dkey_format = FORMAT_PEM3;
1101	s_server_config.key_format = FORMAT_PEM3;
1102	s_server_config.server_verify = SSL_VERIFY_NONE0x00;
1103	s_server_config.socket_type = SOCK_STREAM1;
1104	s_server_config.tlscstatp.timeout = -1;
1105	s_server_config.tlsextcbp.extension_error =
1106	SSL_TLSEXT_ERR_ALERT_WARNING1;
1107
1108	local_argc = argc;
1109	local_argv = argv;
1110
1111	s_server_init();
1112
1113	verify_depth = 0;
1114
1115	if (options_parse(argc, argv, s_server_options, NULL((void)0), NULL((void)0)) != 0) {
1116	if (s_server_config.errstr == NULL((void*)0))
1117	sv_usage();
1118	goto end;
1119	}
1120
1121	if (!app_passwd(bio_err, s_server_config.passarg,
1122	s_server_config.dpassarg, &pass, &dpass)) {
1123	BIO_printf(bio_err, "Error getting password\n");
1124	goto end;
1125	}
1126	if (s_server_config.key_file == NULL((void*)0))
1127	s_server_config.key_file = s_server_config.cert_file;
1128	if (s_server_config.key_file2 == NULL((void*)0))
1129	s_server_config.key_file2 = s_server_config.cert_file2;
1130
1131	if (s_server_config.nocert == 0) {
1132	s_key = load_key(bio_err, s_server_config.key_file,
1133	s_server_config.key_format, 0, pass,
1134	"server certificate private key file");
1135	if (!s_key) {
1136	ERR_print_errors(bio_err);
1137	goto end;
1138	}
1139	s_cert = load_cert(bio_err, s_server_config.cert_file,
1140	s_server_config.cert_format,
1141	NULL((void*)0), "server certificate file");
1142
1143	if (!s_cert) {
1144	ERR_print_errors(bio_err);
1145	goto end;
1146	}
1147	if (s_server_config.tlsextcbp.servername) {
1148	s_key2 = load_key(bio_err, s_server_config.key_file2,
1149	s_server_config.key_format, 0, pass,
1150	"second server certificate private key file");
1151	if (!s_key2) {
1152	ERR_print_errors(bio_err);
1153	goto end;
1154	}
1155	s_cert2 = load_cert(bio_err, s_server_config.cert_file2,
1156	s_server_config.cert_format,
1157	NULL((void*)0), "second server certificate file");
1158
1159	if (!s_cert2) {
1160	ERR_print_errors(bio_err);
1161	goto end;
1162	}
1163	}
1164	}
1165	alpn_ctx.data = NULL((void*)0);
1166	if (s_server_config.alpn_in) {
1167	unsigned short len;
1168	alpn_ctx.data = next_protos_parse(&len,
1169	s_server_config.alpn_in);
1170	if (alpn_ctx.data == NULL((void*)0))
1171	goto end;
1172	alpn_ctx.len = len;
1173	}
1174
1175	if (s_server_config.dcert_file) {
1176
1177	if (s_server_config.dkey_file == NULL((void*)0))
1178	s_server_config.dkey_file = s_server_config.dcert_file;
1179
1180	s_dkey = load_key(bio_err, s_server_config.dkey_file,
1181	s_server_config.dkey_format,
1182	0, dpass, "second certificate private key file");
1183	if (!s_dkey) {
1184	ERR_print_errors(bio_err);
1185	goto end;
1186	}
1187	s_dcert = load_cert(bio_err, s_server_config.dcert_file,
1188	s_server_config.dcert_format,
1189	NULL((void*)0), "second server certificate file");
1190
1191	if (!s_dcert) {
1192	ERR_print_errors(bio_err);
1193	goto end;
1194	}
1195	}
1196	if (bio_s_out == NULL((void*)0)) {
1197	if (s_server_config.quiet && !s_server_config.debug &&
1198	!s_server_config.msg) {
1199	bio_s_out = BIO_new(BIO_s_null());
1200	} else {
1201	if (bio_s_out == NULL((void*)0))
1202	bio_s_out = BIO_new_fp(stdout(&__sF[1]), BIO_NOCLOSE0x00);
1203	}
1204	}
1205	if (s_server_config.nocert) {
1206	s_server_config.cert_file = NULL((void*)0);
1207	s_server_config.key_file = NULL((void*)0);
1208	s_server_config.dcert_file = NULL((void*)0);
1209	s_server_config.dkey_file = NULL((void*)0);
1210	s_server_config.cert_file2 = NULL((void*)0);
1211	s_server_config.key_file2 = NULL((void*)0);
1212	}
1213	ctx = SSL_CTX_new(s_server_config.meth);
1214	if (ctx == NULL((void*)0)) {
1215	ERR_print_errors(bio_err);
1216	goto end;
1217	}
1218
1219	SSL_CTX_clear_mode(ctx, SSL_MODE_AUTO_RETRY)SSL_CTX_ctrl((ctx),78,(0x00000004L),((void*)0));
1220
1221	if (!SSL_CTX_set_min_proto_version(ctx, s_server_config.min_version))
1222	goto end;
1223	if (!SSL_CTX_set_max_proto_version(ctx, s_server_config.max_version))
1224	goto end;
1225
1226	if (s_server_config.session_id_prefix) {
1227	if (strlen(s_server_config.session_id_prefix) >= 32)
1228	BIO_printf(bio_err,
1229	"warning: id_prefix is too long, only one new session will be possible\n");
1230	else if (strlen(s_server_config.session_id_prefix) >= 16)
1231	BIO_printf(bio_err,
1232	"warning: id_prefix is too long if you use SSLv2\n");
1233	if (!SSL_CTX_set_generate_session_id(ctx, generate_session_id)) {
1234	BIO_printf(bio_err, "error setting 'id_prefix'\n");
1235	ERR_print_errors(bio_err);
1236	goto end;
1237	}
1238	BIO_printf(bio_err, "id_prefix '%s' set.\n",
1239	s_server_config.session_id_prefix);
1240	}
1241	SSL_CTX_set_quiet_shutdown(ctx, 1);
1242	if (s_server_config.bugs)
1243	SSL_CTX_set_options(ctx, SSL_OP_ALL)SSL_CTX_ctrl((ctx),32,((0x00000004L)),((void*)0));
1244	SSL_CTX_set_options(ctx, s_server_config.off)SSL_CTX_ctrl((ctx),32,(s_server_config.off),((void*)0));
1245
1246	if (s_server_config.state)
1247	SSL_CTX_set_info_callback(ctx, apps_ssl_info_callback);
1248	if (s_server_config.no_cache)
1249	SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF)SSL_CTX_ctrl(ctx,44,0x0000,((void*)0));
1250	else
1251	SSL_CTX_sess_set_cache_size(ctx, 128)SSL_CTX_ctrl(ctx,42,128,((void*)0));
1252
1253	#ifndef OPENSSL_NO_SRTP
1254	if (s_server_config.srtp_profiles != NULL((void*)0))
1255	SSL_CTX_set_tlsext_use_srtp(ctx, s_server_config.srtp_profiles);
1256	#endif
1257
1258	if ((!SSL_CTX_load_verify_locations(ctx, s_server_config.CAfile,
1259	s_server_config.CApath)) \|\|
1260	(!SSL_CTX_set_default_verify_paths(ctx))) {
1261	/* BIO_printf(bio_err,"X509_load_verify_locations\n"); */
1262	ERR_print_errors(bio_err);
1263	/* goto end; */
1264	}
1265	if (s_server_config.vpm)
1266	SSL_CTX_set1_param(ctx, s_server_config.vpm);
1267
1268	if (s_cert2) {
1269	ctx2 = SSL_CTX_new(s_server_config.meth);
1270	if (ctx2 == NULL((void*)0)) {
1271	ERR_print_errors(bio_err);
1272	goto end;
1273	}
1274
1275	if (!SSL_CTX_set_min_proto_version(ctx2,
1276	s_server_config.min_version))
1277	goto end;
1278	if (!SSL_CTX_set_max_proto_version(ctx2,
1279	s_server_config.max_version))
1280	goto end;
1281	SSL_CTX_clear_mode(ctx2, SSL_MODE_AUTO_RETRY)SSL_CTX_ctrl((ctx2),78,(0x00000004L),((void*)0));
1282	}
1283	if (ctx2) {
1284	BIO_printf(bio_s_out, "Setting secondary ctx parameters\n");
1285
1286	if (s_server_config.session_id_prefix) {
1287	if (strlen(s_server_config.session_id_prefix) >= 32)
1288	BIO_printf(bio_err,
1289	"warning: id_prefix is too long, only one new session will be possible\n");
1290	else if (strlen(s_server_config.session_id_prefix) >= 16)
1291	BIO_printf(bio_err,
1292	"warning: id_prefix is too long if you use SSLv2\n");
1293	if (!SSL_CTX_set_generate_session_id(ctx2,
1294	generate_session_id)) {
1295	BIO_printf(bio_err,
1296	"error setting 'id_prefix'\n");
1297	ERR_print_errors(bio_err);
1298	goto end;
1299	}
1300	BIO_printf(bio_err, "id_prefix '%s' set.\n",
1301	s_server_config.session_id_prefix);
1302	}
1303	SSL_CTX_set_quiet_shutdown(ctx2, 1);
1304	if (s_server_config.bugs)
1305	SSL_CTX_set_options(ctx2, SSL_OP_ALL)SSL_CTX_ctrl((ctx2),32,((0x00000004L)),((void*)0));
1306	SSL_CTX_set_options(ctx2, s_server_config.off)SSL_CTX_ctrl((ctx2),32,(s_server_config.off),((void*)0));
1307
1308	if (s_server_config.state)
1309	SSL_CTX_set_info_callback(ctx2, apps_ssl_info_callback);
1310
1311	if (s_server_config.no_cache)
1312	SSL_CTX_set_session_cache_mode(ctx2, SSL_SESS_CACHE_OFF)SSL_CTX_ctrl(ctx2,44,0x0000,((void*)0));
1313	else
1314	SSL_CTX_sess_set_cache_size(ctx2, 128)SSL_CTX_ctrl(ctx2,42,128,((void*)0));
1315
1316	if ((!SSL_CTX_load_verify_locations(ctx2,
1317	s_server_config.CAfile, s_server_config.CApath)) \|\|
1318	(!SSL_CTX_set_default_verify_paths(ctx2))) {
1319	ERR_print_errors(bio_err);
1320	}
1321	if (s_server_config.vpm)
1322	SSL_CTX_set1_param(ctx2, s_server_config.vpm);
1323	}
1324	if (alpn_ctx.data)
1325	SSL_CTX_set_alpn_select_cb(ctx, alpn_cb, &alpn_ctx);
1326
1327	if (s_server_config.groups_in != NULL((void*)0)) {
1328	if (SSL_CTX_set1_groups_list(ctx, s_server_config.groups_in) != 1) {
1329	BIO_printf(bio_err, "Failed to set groups '%s'\n",
1330	s_server_config.groups_in);
1331	goto end;
1332	}
1333	}
1334
1335	#ifndef OPENSSL_NO_DH
1336	if (!s_server_config.no_dhe) {
1337	DH dh = NULL((void)0);
1338
1339	if (s_server_config.dhfile)
1340	dh = load_dh_param(s_server_config.dhfile);
1341	else if (s_server_config.cert_file)
1342	dh = load_dh_param(s_server_config.cert_file);
1343
1344	if (dh != NULL((void*)0))
1345	BIO_printf(bio_s_out, "Setting temp DH parameters\n");
1346	else
1347	BIO_printf(bio_s_out, "Using auto DH parameters\n");
1348	(void) BIO_flush(bio_s_out)(int)BIO_ctrl(bio_s_out,11,0,((void*)0));
1349
1350	if (dh == NULL((void*)0))
1351	SSL_CTX_set_dh_auto(ctx, 1)SSL_CTX_ctrl(ctx,118,1,((void*)0));
1352	else if (!SSL_CTX_set_tmp_dh(ctx, dh)SSL_CTX_ctrl(ctx,3,0,(char *)dh)) {
1353	BIO_printf(bio_err,
1354	"Error setting temp DH parameters\n");
1355	ERR_print_errors(bio_err);
1356	DH_free(dh);
1357	goto end;
1358	}
1359
1360	if (ctx2) {
1361	if (!s_server_config.dhfile) {
1362	DH dh2 = NULL((void)0);
1363
1364	if (s_server_config.cert_file2 != NULL((void*)0))
1365	dh2 = load_dh_param(
1366	s_server_config.cert_file2);
1367	if (dh2 != NULL((void*)0)) {
1368	BIO_printf(bio_s_out,
1369	"Setting temp DH parameters\n");
1370	(void) BIO_flush(bio_s_out)(int)BIO_ctrl(bio_s_out,11,0,((void*)0));
1371
1372	DH_free(dh);
1373	dh = dh2;
1374	}
1375	}
1376	if (dh == NULL((void*)0))
1377	SSL_CTX_set_dh_auto(ctx2, 1)SSL_CTX_ctrl(ctx2,118,1,((void*)0));
1378	else if (!SSL_CTX_set_tmp_dh(ctx2, dh)SSL_CTX_ctrl(ctx2,3,0,(char *)dh)) {
1379	BIO_printf(bio_err,
1380	"Error setting temp DH parameters\n");
1381	ERR_print_errors(bio_err);
1382	DH_free(dh);
1383	goto end;
1384	}
1385	}
1386	DH_free(dh);
1387	}
1388	#endif
1389
1390	if (!s_server_config.no_ecdhe && s_server_config.named_curve != NULL((void*)0)) {
1391	EC_KEY ecdh = NULL((void)0);
1392	int nid;
1393
1394	if ((nid = OBJ_sn2nid(s_server_config.named_curve)) == 0) {
1395	BIO_printf(bio_err, "unknown curve name (%s)\n",
1396	s_server_config.named_curve);
1397	goto end;
1398	}
1399	if ((ecdh = EC_KEY_new_by_curve_name(nid)) == NULL((void*)0)) {
1400	BIO_printf(bio_err, "unable to create curve (%s)\n",
1401	s_server_config.named_curve);
1402	goto end;
1403	}
1404	BIO_printf(bio_s_out, "Setting temp ECDH parameters\n");
1405	(void) BIO_flush(bio_s_out)(int)BIO_ctrl(bio_s_out,11,0,((void*)0));
1406
1407	SSL_CTX_set_tmp_ecdh(ctx, ecdh)SSL_CTX_ctrl(ctx,4,0,(char *)ecdh);
1408	if (ctx2)
1409	SSL_CTX_set_tmp_ecdh(ctx2, ecdh)SSL_CTX_ctrl(ctx2,4,0,(char *)ecdh);
1410	EC_KEY_free(ecdh);
1411	}
1412
1413	if (!set_cert_key_stuff(ctx, s_cert, s_key))
1414	goto end;
1415	if (ctx2 && !set_cert_key_stuff(ctx2, s_cert2, s_key2))
1416	goto end;
1417	if (s_dcert != NULL((void*)0)) {
1418	if (!set_cert_key_stuff(ctx, s_dcert, s_dkey))
1419	goto end;
1420	}
1421
1422	if (s_server_config.cipher != NULL((void*)0)) {
1423	if (!SSL_CTX_set_cipher_list(ctx, s_server_config.cipher)) {
1424	BIO_printf(bio_err, "error setting cipher list\n");
1425	ERR_print_errors(bio_err);
1426	goto end;
1427	}
1428	if (ctx2 && !SSL_CTX_set_cipher_list(ctx2,
1429	s_server_config.cipher)) {
1430	BIO_printf(bio_err, "error setting cipher list\n");
1431	ERR_print_errors(bio_err);
1432	goto end;
1433	}
1434	}
1435	SSL_CTX_set_verify(ctx, s_server_config.server_verify, verify_callback);
1436	SSL_CTX_set_session_id_context(ctx,
1437	(void *) &s_server_session_id_context,
1438	sizeof s_server_session_id_context);
1439
1440	/* Set DTLS cookie generation and verification callbacks */
1441	SSL_CTX_set_cookie_generate_cb(ctx, generate_cookie_callback);
1442	SSL_CTX_set_cookie_verify_cb(ctx, verify_cookie_callback);
1443
1444	if (ctx2) {
1445	SSL_CTX_set_verify(ctx2, s_server_config.server_verify,
1446	verify_callback);
1447	SSL_CTX_set_session_id_context(ctx2,
1448	(void *) &s_server_session_id_context,
1449	sizeof s_server_session_id_context);
1450
1451	s_server_config.tlsextcbp.biodebug = bio_s_out;
1452	SSL_CTX_set_tlsext_servername_callback(ctx2, ssl_servername_cb)SSL_CTX_callback_ctrl(ctx2,53,(void (*)(void))ssl_servername_cb );
1453	SSL_CTX_set_tlsext_servername_arg(ctx2,SSL_CTX_ctrl(ctx2,54,0, (void *)&s_server_config.tlsextcbp )
1454	&s_server_config.tlsextcbp)SSL_CTX_ctrl(ctx2,54,0, (void *)&s_server_config.tlsextcbp );
1455	SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb)SSL_CTX_callback_ctrl(ctx,53,(void (*)(void))ssl_servername_cb );
1456	SSL_CTX_set_tlsext_servername_arg(ctx,SSL_CTX_ctrl(ctx,54,0, (void *)&s_server_config.tlsextcbp )
1457	&s_server_config.tlsextcbp)SSL_CTX_ctrl(ctx,54,0, (void *)&s_server_config.tlsextcbp );
1458	}
1459
1460	if (s_server_config.CAfile != NULL((void*)0)) {
1461	SSL_CTX_set_client_CA_list(ctx,
1462	SSL_load_client_CA_file(s_server_config.CAfile));
1463	if (ctx2)
1464	SSL_CTX_set_client_CA_list(ctx2,
1465	SSL_load_client_CA_file(s_server_config.CAfile));
1466	}
1467	BIO_printf(bio_s_out, "ACCEPT\n");
1468	(void) BIO_flush(bio_s_out)(int)BIO_ctrl(bio_s_out,11,0,((void*)0));
1469	if (s_server_config.www)
1470	do_server(s_server_config.port, s_server_config.socket_type,
1471	&accept_socket, www_body, s_server_config.context,
1472	s_server_config.naccept);
1473	else
1474	do_server(s_server_config.port, s_server_config.socket_type,
1475	&accept_socket, sv_body, s_server_config.context,
1476	s_server_config.naccept);
1477	print_stats(bio_s_out, ctx);
1478	ret = 0;
1479	end:
1480	SSL_CTX_free(ctx);
1481	X509_free(s_cert);
1482	X509_free(s_dcert);
1483	EVP_PKEY_free(s_key);
1484	EVP_PKEY_free(s_dkey);
1485	free(pass);
1486	free(dpass);
1487	X509_VERIFY_PARAM_free(s_server_config.vpm);
1488	free(s_server_config.tlscstatp.host);
1489	free(s_server_config.tlscstatp.port);
1490	free(s_server_config.tlscstatp.path);
1491	SSL_CTX_free(ctx2);
1492	X509_free(s_cert2);
1493	EVP_PKEY_free(s_key2);
1494	free(alpn_ctx.data);
1495	if (bio_s_out != NULL((void*)0)) {
1496	BIO_free(bio_s_out);
1497	bio_s_out = NULL((void*)0);
1498	}
1499
1500	return (ret);
1501	}
1502
1503	static void
1504	print_stats(BIO bio, SSL_CTX ssl_ctx)
1505	{
1506	BIO_printf(bio, "%4ld items in the session cache\n",
1507	SSL_CTX_sess_number(ssl_ctx)SSL_CTX_ctrl(ssl_ctx,20,0,((void*)0)));
1508	BIO_printf(bio, "%4ld client connects (SSL_connect())\n",
1509	SSL_CTX_sess_connect(ssl_ctx)SSL_CTX_ctrl(ssl_ctx,21,0,((void*)0)));
1510	BIO_printf(bio, "%4ld client renegotiates (SSL_connect())\n",
1511	SSL_CTX_sess_connect_renegotiate(ssl_ctx)SSL_CTX_ctrl(ssl_ctx,23,0,((void*)0)));
1512	BIO_printf(bio, "%4ld client connects that finished\n",
1513	SSL_CTX_sess_connect_good(ssl_ctx)SSL_CTX_ctrl(ssl_ctx,22,0,((void*)0)));
1514	BIO_printf(bio, "%4ld server accepts (SSL_accept())\n",
1515	SSL_CTX_sess_accept(ssl_ctx)SSL_CTX_ctrl(ssl_ctx,24,0,((void*)0)));
1516	BIO_printf(bio, "%4ld server renegotiates (SSL_accept())\n",
1517	SSL_CTX_sess_accept_renegotiate(ssl_ctx)SSL_CTX_ctrl(ssl_ctx,26,0,((void*)0)));
1518	BIO_printf(bio, "%4ld server accepts that finished\n",
1519	SSL_CTX_sess_accept_good(ssl_ctx)SSL_CTX_ctrl(ssl_ctx,25,0,((void*)0)));
1520	BIO_printf(bio, "%4ld session cache hits\n",
1521	SSL_CTX_sess_hits(ssl_ctx)SSL_CTX_ctrl(ssl_ctx,27,0,((void*)0)));
1522	BIO_printf(bio, "%4ld session cache misses\n",
1523	SSL_CTX_sess_misses(ssl_ctx)SSL_CTX_ctrl(ssl_ctx,29,0,((void*)0)));
1524	BIO_printf(bio, "%4ld session cache timeouts\n",
1525	SSL_CTX_sess_timeouts(ssl_ctx)SSL_CTX_ctrl(ssl_ctx,30,0,((void*)0)));
1526	BIO_printf(bio, "%4ld callback cache hits\n",
1527	SSL_CTX_sess_cb_hits(ssl_ctx)SSL_CTX_ctrl(ssl_ctx,28,0,((void*)0)));
1528	BIO_printf(bio, "%4ld cache full overflows (%ld allowed)\n",
1529	SSL_CTX_sess_cache_full(ssl_ctx)SSL_CTX_ctrl(ssl_ctx,31,0,((void*)0)),
1530	SSL_CTX_sess_get_cache_size(ssl_ctx)SSL_CTX_ctrl(ssl_ctx,43,0,((void*)0)));
1531	}
1532
1533	static int
1534	sv_body(int s, unsigned char *context)
1535	{
1536	char buf = NULL((void)0);
1537	int ret = 1;
1538	int k, i;
1539	unsigned long l;
1540	SSL con = NULL((void)0);
1541	BIO *sbio;
1542	struct timeval timeout;
1543
1544	if ((buf = malloc(bufsize)) == NULL((void*)0)) {
1545	BIO_printf(bio_err, "out of memory\n");
1546	goto err;
1547	}
1548	if (s_server_config.nbio) {
1549	if (!s_server_config.quiet)
1550	BIO_printf(bio_err, "turning on non blocking io\n");
1551	if (!BIO_socket_nbio(s, 1))
1552	ERR_print_errors(bio_err);
1553	}
1554
1555	if (con == NULL((void*)0)) {
1556	con = SSL_new(ctx);
1557	if (s_server_config.tlsextdebug) {
1558	SSL_set_tlsext_debug_callback(con, tlsext_cb)SSL_callback_ctrl(con,56,(void (*)(void))tlsext_cb);
1559	SSL_set_tlsext_debug_arg(con, bio_s_out)SSL_ctrl(con,57,0, (void *)bio_s_out);
1560	}
1561	if (s_server_config.tlsextstatus) {
1562	SSL_CTX_set_tlsext_status_cb(ctx, cert_status_cb)SSL_CTX_callback_ctrl(ctx,63,(void (*)(void))cert_status_cb);
1563	s_server_config.tlscstatp.err = bio_err;
1564	SSL_CTX_set_tlsext_status_arg(ctx,SSL_CTX_ctrl(ctx,64,0,(void *)&s_server_config.tlscstatp)
1565	&s_server_config.tlscstatp)SSL_CTX_ctrl(ctx,64,0,(void *)&s_server_config.tlscstatp);
1566	}
1567	if (context)
1568	SSL_set_session_id_context(con, context,
1569	strlen((char *) context));
1570	}
1571	SSL_clear(con);
1572
1573	if (SSL_is_dtls(con)) {
1574	sbio = BIO_new_dgram(s, BIO_NOCLOSE0x00);
1575
1576	if (s_server_config.enable_timeouts) {
1577	timeout.tv_sec = 0;
1578	timeout.tv_usec = DGRAM_RCV_TIMEOUT250000;
1579	BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT33, 0,
1580	&timeout);
1581
1582	timeout.tv_sec = 0;
1583	timeout.tv_usec = DGRAM_SND_TIMEOUT250000;
1584	BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT35, 0,
1585	&timeout);
1586	}
1587	if (s_server_config.socket_mtu > 28) {
1588	SSL_set_options(con, SSL_OP_NO_QUERY_MTU)SSL_ctrl((con),32,(0x00001000L),((void*)0));
1589	SSL_set_mtu(con, s_server_config.socket_mtu - 28)SSL_ctrl((con),17,(s_server_config.socket_mtu - 28),((void*)0 ));
1590	} else
1591	/* want to do MTU discovery */
1592	BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER39, 0, NULL((void*)0));
1593
1594	/* turn on cookie exchange */
1595	SSL_set_options(con, SSL_OP_COOKIE_EXCHANGE)SSL_ctrl((con),32,(0x00002000L),((void*)0));
1596	} else
1597	sbio = BIO_new_socket(s, BIO_NOCLOSE0x00);
1598
1599	if (s_server_config.nbio_test) {
1600	BIO *test;
1601
1602	test = BIO_new(BIO_f_nbio_test());
1603	sbio = BIO_push(test, sbio);
1604	}
1605
1606	SSL_set_bio(con, sbio, sbio);
1607	SSL_set_accept_state(con);
1608	/* SSL_set_fd(con,s); */
1609
1610	if (s_server_config.debug) {
1611	SSL_set_debug(con, 1);
1612	BIO_set_callback(SSL_get_rbio(con), bio_dump_callback);
1613	BIO_set_callback_arg(SSL_get_rbio(con), (char *) bio_s_out);
1614	}
1615	if (s_server_config.msg) {
1616	SSL_set_msg_callback(con, msg_cb);
1617	SSL_set_msg_callback_arg(con, bio_s_out)SSL_ctrl((con), 16, 0, (bio_s_out));
1618	}
1619	if (s_server_config.tlsextdebug) {
1620	SSL_set_tlsext_debug_callback(con, tlsext_cb)SSL_callback_ctrl(con,56,(void (*)(void))tlsext_cb);
1621	SSL_set_tlsext_debug_arg(con, bio_s_out)SSL_ctrl(con,57,0, (void *)bio_s_out);
1622	}
1623
1624	for (;;) {
1625	int read_from_terminal;
1626	int read_from_sslcon;
1627	struct pollfd pfd[2];
1628	int ptimeout;
1629
1630	read_from_terminal = 0;
1631	read_from_sslcon = SSL_pending(con);
1632
1633	if (!read_from_sslcon) {
1634	pfd[0].fd = fileno(stdin)(!__isthreaded ? (((&__sF[0]))->_file) : (fileno)((& __sF[0])));
1635	pfd[0].events = POLLIN0x0001;
1636	pfd[1].fd = s;
1637	pfd[1].events = POLLIN0x0001;
1638
1639	if (SSL_is_dtls(con) &&
1640	DTLSv1_get_timeout(con, &timeout)SSL_ctrl(con,73,0, (void *)&timeout))
1641	ptimeout = timeout.tv_sec * 1000 +
1642	timeout.tv_usec / 1000;
1643	else
1644	ptimeout = -1;
1645
1646	i = poll(pfd, 2, ptimeout);
1647
1648	if (SSL_is_dtls(con) &&
1649	DTLSv1_handle_timeout(con)SSL_ctrl(con,74,0, ((void*)0)) > 0)
1650	BIO_printf(bio_err, "TIMEOUT occured\n");
1651	if (i <= 0)
1652	continue;
1653	if (pfd[0].revents) {
1654	if ((pfd[0].revents & (POLLERR0x0008\|POLLNVAL0x0020)))
1655	continue;
1656	read_from_terminal = 1;
1657	}
1658	if (pfd[1].revents) {
1659	if ((pfd[1].revents & (POLLERR0x0008\|POLLNVAL0x0020)))
1660	continue;
1661	read_from_sslcon = 1;
1662	}
1663	}
1664	if (read_from_terminal) {
1665	if (s_server_config.crlf) {
1666	int j, lf_num;
1667
1668	i = read(fileno(stdin)(!__isthreaded ? (((&__sF[0]))->_file) : (fileno)((& __sF[0]))), buf, bufsize / 2);
1669	lf_num = 0;
1670	/* both loops are skipped when i <= 0 */
1671	for (j = 0; j < i; j++)
1672	if (buf[j] == '\n')
1673	lf_num++;
1674	for (j = i - 1; j >= 0; j--) {
1675	buf[j + lf_num] = buf[j];
1676	if (buf[j] == '\n') {
1677	lf_num--;
1678	i++;
1679	buf[j + lf_num] = '\r';
1680	}
1681	}
1682	assert(lf_num == 0)((lf_num == 0) ? (void)0 : __assert2("/usr/src/usr.bin/openssl/s_server.c" , 1682, __func__, "lf_num == 0"));
1683	} else
1684	i = read(fileno(stdin)(!__isthreaded ? (((&__sF[0]))->_file) : (fileno)((& __sF[0]))), buf, bufsize);
1685	if (!s_server_config.quiet) {
1686	if ((i <= 0) \|\| (buf[0] == 'Q')) {
1687	BIO_printf(bio_s_out, "DONE\n");
1688	shutdown(s, SHUT_RD0);
1689	close(s);
1690	close_accept_socket();
1691	ret = -11;
1692	goto err;
1693	}
1694	if ((i <= 0) \|\| (buf[0] == 'q')) {
1695	BIO_printf(bio_s_out, "DONE\n");
1696	if (!SSL_is_dtls(con)) {
1697	shutdown(s, SHUT_RD0);
1698	close(s);
1699	}
1700	/*
1701	* close_accept_socket(); ret= -11;
1702	*/
1703	goto err;
1704	}
1705	if ((buf[0] == 'r') &&
1706	((buf[1] == '\n') \|\| (buf[1] == '\r'))) {
1707	SSL_renegotiate(con);
1708	i = SSL_do_handshake(con);
1709	printf("SSL_do_handshake -> %d\n", i);
1710	i = 0; /* 13; */
	Value stored to 'i' is never read
1711	continue;
1712	/*
1713	* RE-NEGOTIATE\n");
1714	*/
1715	}
1716	if ((buf[0] == 'R') &&
1717	((buf[1] == '\n') \|\| (buf[1] == '\r'))) {
1718	SSL_set_verify(con,
1719	SSL_VERIFY_PEER0x01 \|
1720	SSL_VERIFY_CLIENT_ONCE0x04,
1721	NULL((void*)0));
1722	SSL_renegotiate(con);
1723	i = SSL_do_handshake(con);
1724	printf("SSL_do_handshake -> %d\n", i);
1725	i = 0; /* 13; */
1726	continue;
1727	/*
1728	* RE-NEGOTIATE asking for client
1729	* cert\n");
1730	*/
1731	}
1732	if (buf[0] == 'P') {
1733	static const char *str =
1734	"Lets print some clear text\n";
1735	BIO_write(SSL_get_wbio(con), str,
1736	strlen(str));
1737	}
1738	if (buf[0] == 'S') {
1739	print_stats(bio_s_out,
1740	SSL_get_SSL_CTX(con));
1741	}
1742	}
1743	l = k = 0;
1744	for (;;) {
1745	/* should do a select for the write */
1746	#ifdef RENEG
1747	{
1748	static count = 0;
1749	if (++count == 100) {
1750	count = 0;
1751	SSL_renegotiate(con);
1752	}
1753	}
1754	#endif
1755	k = SSL_write(con, &(buf[l]), (unsigned int) i);
1756	switch (SSL_get_error(con, k)) {
1757	case SSL_ERROR_NONE0:
1758	break;
1759	case SSL_ERROR_WANT_WRITE3:
1760	case SSL_ERROR_WANT_READ2:
1761	case SSL_ERROR_WANT_X509_LOOKUP4:
1762	BIO_printf(bio_s_out, "Write BLOCK\n");
1763	break;
1764	case SSL_ERROR_SYSCALL5:
1765	case SSL_ERROR_SSL1:
1766	BIO_printf(bio_s_out, "ERROR\n");
1767	ERR_print_errors(bio_err);
1768	ret = 1;
1769	goto err;
1770	/* break; */
1771	case SSL_ERROR_ZERO_RETURN6:
1772	BIO_printf(bio_s_out, "DONE\n");
1773	ret = 1;
1774	goto err;
1775	}
1776	if (k <= 0)
1777	continue;
1778	l += k;
1779	i -= k;
1780	if (i <= 0)
1781	break;
1782	}
1783	}
1784	if (read_from_sslcon) {
1785	if (!SSL_is_init_finished(con)(SSL_state((con)) == 0x03)) {
1786	i = init_ssl_connection(con);
1787
1788	if (i < 0) {
1789	ret = 0;
1790	goto err;
1791	} else if (i == 0) {
1792	ret = 1;
1793	goto err;
1794	}
1795	} else {
1796	again:
1797	i = SSL_read(con, (char *) buf, bufsize);
1798	switch (SSL_get_error(con, i)) {
1799	case SSL_ERROR_NONE0: {
1800	int len, n;
1801	for (len = 0; len < i;) {
1802	do {
1803	n = write(fileno(stdout)(!__isthreaded ? (((&__sF[1]))->_file) : (fileno)((& __sF[1]))), buf + len, i - len);
1804	} while (n == -1 && errno(*__errno()) == EINTR4);
1805
1806	if (n == -1) {
1807	BIO_printf(bio_s_out, "ERROR\n");
1808	goto err;
1809	}
1810	len += n;
1811	}
1812	}
1813	if (SSL_pending(con))
1814	goto again;
1815	break;
1816	case SSL_ERROR_WANT_WRITE3:
1817	case SSL_ERROR_WANT_READ2:
1818	BIO_printf(bio_s_out, "Read BLOCK\n");
1819	break;
1820	case SSL_ERROR_SYSCALL5:
1821	case SSL_ERROR_SSL1:
1822	BIO_printf(bio_s_out, "ERROR\n");
1823	ERR_print_errors(bio_err);
1824	ret = 1;
1825	goto err;
1826	case SSL_ERROR_ZERO_RETURN6:
1827	BIO_printf(bio_s_out, "DONE\n");
1828	ret = 1;
1829	goto err;
1830	}
1831	}
1832	}
1833	}
1834	err:
1835	if (con != NULL((void*)0)) {
1836	BIO_printf(bio_s_out, "shutting down SSL\n");
1837	SSL_set_shutdown(con,
1838	SSL_SENT_SHUTDOWN1 \| SSL_RECEIVED_SHUTDOWN2);
1839	SSL_free(con);
1840	}
1841	BIO_printf(bio_s_out, "CONNECTION CLOSED\n");
1842	freezero(buf, bufsize);
1843	if (ret >= 0)
1844	BIO_printf(bio_s_out, "ACCEPT\n");
1845	return (ret);
1846	}
1847
1848	static void
1849	close_accept_socket(void)
1850	{
1851	BIO_printf(bio_err, "shutdown accept socket\n");
1852	if (accept_socket >= 0) {
1853	shutdown(accept_socket, SHUT_RDWR2);
1854	close(accept_socket);
1855	}
1856	}
1857
1858	static int
1859	init_ssl_connection(SSL *con)
1860	{
1861	int i;
1862	const char *str;
1863	X509 *peer;
1864	long verify_error;
1865	char buf[BUFSIZ1024];
1866	unsigned char *exportedkeymat;
1867
1868	i = SSL_accept(con);
1869	if (i <= 0) {
1870	if (BIO_sock_should_retry(i)) {
1871	BIO_printf(bio_s_out, "DELAY\n");
1872	return (1);
1873	}
1874	BIO_printf(bio_err, "ERROR\n");
1875	verify_error = SSL_get_verify_result(con);
1876	if (verify_error != X509_V_OK0) {
1877	BIO_printf(bio_err, "verify error:%s\n",
1878	X509_verify_cert_error_string(verify_error));
1879	} else
1880	ERR_print_errors(bio_err);
1881	return (0);
1882	}
1883	PEM_write_bio_SSL_SESSION(bio_s_out, SSL_get_session(con));
1884
1885	peer = SSL_get_peer_certificate(con);
1886	if (peer != NULL((void*)0)) {
1887	BIO_printf(bio_s_out, "Client certificate\n");
1888	PEM_write_bio_X509(bio_s_out, peer);
1889	X509_NAME_oneline(X509_get_subject_name(peer), buf, sizeof buf);
1890	BIO_printf(bio_s_out, "subject=%s\n", buf);
1891	X509_NAME_oneline(X509_get_issuer_name(peer), buf, sizeof buf);
1892	BIO_printf(bio_s_out, "issuer=%s\n", buf);
1893	X509_free(peer);
1894	}
1895	if (SSL_get_shared_ciphers(con, buf, sizeof buf) != NULL((void*)0))
1896	BIO_printf(bio_s_out, "Shared ciphers:%s\n", buf);
1897	str = SSL_CIPHER_get_name(SSL_get_current_cipher(con));
1898	BIO_printf(bio_s_out, "CIPHER is %s\n", (str != NULL((void*)0)) ? str : "(NONE)");
1899
1900	#ifndef OPENSSL_NO_SRTP
1901	{
1902	SRTP_PROTECTION_PROFILE *srtp_profile
1903	= SSL_get_selected_srtp_profile(con);
1904
1905	if (srtp_profile)
1906	BIO_printf(bio_s_out,
1907	"SRTP Extension negotiated, profile=%s\n",
1908	srtp_profile->name);
1909	}
1910	#endif
1911	if (SSL_cache_hit(con))
1912	BIO_printf(bio_s_out, "Reused session-id\n");
1913	BIO_printf(bio_s_out, "Secure Renegotiation IS%s supported\n",
1914	SSL_get_secure_renegotiation_support(con)SSL_ctrl((con), 76, 0, ((void*)0)) ? "" : " NOT");
1915	if (s_server_config.keymatexportlabel != NULL((void*)0)) {
1916	BIO_printf(bio_s_out, "Keying material exporter:\n");
1917	BIO_printf(bio_s_out, " Label: '%s'\n",
1918	s_server_config.keymatexportlabel);
1919	BIO_printf(bio_s_out, " Length: %i bytes\n",
1920	s_server_config.keymatexportlen);
1921	exportedkeymat = malloc(s_server_config.keymatexportlen);
1922	if (exportedkeymat != NULL((void*)0)) {
1923	if (!SSL_export_keying_material(con, exportedkeymat,
1924	s_server_config.keymatexportlen,
1925	s_server_config.keymatexportlabel,
1926	strlen(s_server_config.keymatexportlabel),
1927	NULL((void*)0), 0, 0)) {
1928	BIO_printf(bio_s_out, " Error\n");
1929	} else {
1930	BIO_printf(bio_s_out, " Keying material: ");
1931	for (i = 0; i < s_server_config.keymatexportlen; i++)
1932	BIO_printf(bio_s_out, "%02X",
1933	exportedkeymat[i]);
1934	BIO_printf(bio_s_out, "\n");
1935	}
1936	free(exportedkeymat);
1937	}
1938	}
1939	return (1);
1940	}
1941
1942	#ifndef OPENSSL_NO_DH
1943	static DH *
1944	load_dh_param(const char *dhfile)
1945	{
1946	DH ret = NULL((void)0);
1947	BIO *bio;
1948
1949	if ((bio = BIO_new_file(dhfile, "r")) == NULL((void*)0))
1950	goto err;
1951	ret = PEM_read_bio_DHparams(bio, NULL((void)0), NULL((void)0), NULL((void*)0));
1952	err:
1953	BIO_free(bio);
1954	return (ret);
1955	}
1956	#endif
1957
1958	static int
1959	www_body(int s, unsigned char *context)
1960	{
1961	char buf = NULL((void)0);
1962	int ret = 1;
1963	int i, j, k, dot;
1964	SSL *con;
1965	const SSL_CIPHER *c;
1966	BIO io, ssl_bio, *sbio;
1967
1968	buf = malloc(bufsize);
1969	if (buf == NULL((void*)0))
1970	return (0);
1971	io = BIO_new(BIO_f_buffer());
1972	ssl_bio = BIO_new(BIO_f_ssl());
1973	if ((io == NULL((void)0)) \|\| (ssl_bio == NULL((void)0)))
1974	goto err;
1975
1976	if (s_server_config.nbio) {
1977	if (!s_server_config.quiet)
1978	BIO_printf(bio_err, "turning on non blocking io\n");
1979	if (!BIO_socket_nbio(s, 1))
1980	ERR_print_errors(bio_err);
1981	}
1982
1983	/* lets make the output buffer a reasonable size */
1984	if (!BIO_set_write_buffer_size(io, bufsize)BIO_int_ctrl(io,117,bufsize,1))
1985	goto err;
1986
1987	if ((con = SSL_new(ctx)) == NULL((void*)0))
1988	goto err;
1989	if (s_server_config.tlsextdebug) {
1990	SSL_set_tlsext_debug_callback(con, tlsext_cb)SSL_callback_ctrl(con,56,(void (*)(void))tlsext_cb);
1991	SSL_set_tlsext_debug_arg(con, bio_s_out)SSL_ctrl(con,57,0, (void *)bio_s_out);
1992	}
1993	if (context)
1994	SSL_set_session_id_context(con, context,
1995	strlen((char *) context));
1996
1997	sbio = BIO_new_socket(s, BIO_NOCLOSE0x00);
1998	if (s_server_config.nbio_test) {
1999	BIO *test;
2000
2001	test = BIO_new(BIO_f_nbio_test());
2002	sbio = BIO_push(test, sbio);
2003	}
2004	SSL_set_bio(con, sbio, sbio);
2005	SSL_set_accept_state(con);
2006
2007	/* SSL_set_fd(con,s); */
2008	BIO_set_ssl(ssl_bio, con, BIO_CLOSE)BIO_ctrl(ssl_bio,109,0x01,(char *)con);
2009	BIO_push(io, ssl_bio);
2010
2011	if (s_server_config.debug) {
2012	SSL_set_debug(con, 1);
2013	BIO_set_callback(SSL_get_rbio(con), bio_dump_callback);
2014	BIO_set_callback_arg(SSL_get_rbio(con), (char *) bio_s_out);
2015	}
2016	if (s_server_config.msg) {
2017	SSL_set_msg_callback(con, msg_cb);
2018	SSL_set_msg_callback_arg(con, bio_s_out)SSL_ctrl((con), 16, 0, (bio_s_out));
2019	}
2020	for (;;) {
2021	i = BIO_gets(io, buf, bufsize - 1);
2022	if (i < 0) { /* error */
2023	if (!BIO_should_retry(io)BIO_test_flags(io, 0x08)) {
2024	if (!s_server_config.quiet)
2025	ERR_print_errors(bio_err);
2026	goto err;
2027	} else {
2028	if (s_server_config.debug) {
2029	BIO_printf(bio_s_out, "read R BLOCK\n");
2030	sleep(1);
2031	}
2032	continue;
2033	}
2034	} else if (i == 0) { /* end of input */
2035	ret = 1;
2036	goto end;
2037	}
2038	/* else we have data */
2039	if (((s_server_config.www == 1) &&
2040	(strncmp("GET ", buf, 4) == 0)) \|\|
2041	((s_server_config.www == 2) &&
2042	(strncmp("GET /stats ", buf, 11) == 0))) {
2043	char *p;
2044	X509 *peer;
2045	STACK_OF(SSL_CIPHER)struct stack_st_SSL_CIPHER *sk;
2046	static const char *space = " ";
2047
2048	BIO_puts(io, "HTTP/1.0 200 ok\r\nContent-type: text/html\r\n\r\n");
2049	BIO_puts(io, "<HTML><BODY BGCOLOR=\"#ffffff\">\n");
2050	BIO_puts(io, "<pre>\n");
2051	/* BIO_puts(io,SSLeay_version(SSLEAY_VERSION));*/
2052	BIO_puts(io, "\n");
2053	for (i = 0; i < local_argc; i++) {
2054	BIO_puts(io, local_argv[i]);
2055	BIO_write(io, " ", 1);
2056	}
2057	BIO_puts(io, "\n");
2058
2059	BIO_printf(io,
2060	"Secure Renegotiation IS%s supported\n",
2061	SSL_get_secure_renegotiation_support(con)SSL_ctrl((con), 76, 0, ((void*)0)) ?
2062	"" : " NOT");
2063
2064	/*
2065	* The following is evil and should not really be
2066	* done
2067	*/
2068	BIO_printf(io,
2069	"Ciphers supported in s_server binary\n");
2070	sk = SSL_get_ciphers(con);
2071	j = sk_SSL_CIPHER_num(sk)sk_num(((_STACK) (1 ? (sk) : (struct stack_st_SSL_CIPHER)0) ));
2072	for (i = 0; i < j; i++) {
2073	c = sk_SSL_CIPHER_value(sk, i)((SSL_CIPHER )sk_value(((_STACK) (1 ? (sk) : (struct stack_st_SSL_CIPHER *)0)), (i)));
2074	BIO_printf(io, "%-11s:%-25s",
2075	SSL_CIPHER_get_version(c),
2076	SSL_CIPHER_get_name(c));
2077	if ((((i + 1) % 2) == 0) && (i + 1 != j))
2078	BIO_puts(io, "\n");
2079	}
2080	BIO_puts(io, "\n");
2081	p = SSL_get_shared_ciphers(con, buf, bufsize);
2082	if (p != NULL((void*)0)) {
2083	BIO_printf(io,
2084	"---\nCiphers common between both SSL end points:\n");
2085	j = i = 0;
2086	while (*p) {
2087	if (*p == ':') {
2088	BIO_write(io, space, 26 - j);
2089	i++;
2090	j = 0;
2091	BIO_write(io,
2092	((i % 3) ? " " : "\n"), 1);
2093	} else {
2094	BIO_write(io, p, 1);
2095	j++;
2096	}
2097	p++;
2098	}
2099	BIO_puts(io, "\n");
2100	}
2101	BIO_printf(io, (SSL_cache_hit(con)
2102	? "---\nReused, "
2103	: "---\nNew, "));
2104	c = SSL_get_current_cipher(con);
2105	BIO_printf(io, "%s, Cipher is %s\n",
2106	SSL_CIPHER_get_version(c),
2107	SSL_CIPHER_get_name(c));
2108	SSL_SESSION_print(io, SSL_get_session(con));
2109	BIO_printf(io, "---\n");
2110	print_stats(io, SSL_get_SSL_CTX(con));
2111	BIO_printf(io, "---\n");
2112	peer = SSL_get_peer_certificate(con);
2113	if (peer != NULL((void*)0)) {
2114	BIO_printf(io, "Client certificate\n");
2115	X509_print(io, peer);
2116	PEM_write_bio_X509(io, peer);
2117	} else
2118	BIO_puts(io,
2119	"no client certificate available\n");
2120	BIO_puts(io, "</BODY></HTML>\r\n\r\n");
2121	break;
2122	} else if ((s_server_config.www == 2 \|\|
2123	s_server_config.www == 3) &&
2124	(strncmp("GET /", buf, 5) == 0)) {
2125	BIO *file;
2126	char p, e;
2127	static const char *text = "HTTP/1.0 200 ok\r\nContent-type: text/plain\r\n\r\n";
2128
2129	/* skip the '/' */
2130	p = &(buf[5]);
2131
2132	dot = 1;
2133	for (e = p; *e != '\0'; e++) {
2134	if (e[0] == ' ')
2135	break;
2136
2137	switch (dot) {
2138	case 1:
2139	dot = (e[0] == '.') ? 2 : 0;
2140	break;
2141	case 2:
2142	dot = (e[0] == '.') ? 3 : 0;
2143	break;
2144	case 3:
2145	dot = (e[0] == '/' \|\| e[0] == '\\') ?
2146	-1 : 0;
2147	break;
2148	}
2149	if (dot == 0)
2150	dot = (e[0] == '/' \|\| e[0] == '\\') ?
2151	1 : 0;
2152	}
2153	dot = (dot == 3) \|\| (dot == -1); /* filename contains
2154	* ".." component */
2155
2156	if (*e == '\0') {
2157	BIO_puts(io, text);
2158	BIO_printf(io,
2159	"'%s' is an invalid file name\r\n", p);
2160	break;
2161	}
2162	*e = '\0';
2163
2164	if (dot) {
2165	BIO_puts(io, text);
2166	BIO_printf(io,
2167	"'%s' contains '..' reference\r\n", p);
2168	break;
2169	}
2170	if (*p == '/') {
2171	BIO_puts(io, text);
2172	BIO_printf(io,
2173	"'%s' is an invalid path\r\n", p);
2174	break;
2175	}
2176	/* if a directory, do the index thang */
2177	if (app_isdir(p) > 0) {
2178	BIO_puts(io, text);
2179	BIO_printf(io, "'%s' is a directory\r\n", p);
2180	break;
2181	}
2182	if ((file = BIO_new_file(p, "r")) == NULL((void*)0)) {
2183	BIO_puts(io, text);
2184	BIO_printf(io, "Error opening '%s'\r\n", p);
2185	ERR_print_errors(io);
2186	break;
2187	}
2188	if (!s_server_config.quiet)
2189	BIO_printf(bio_err, "FILE:%s\n", p);
2190
2191	if (s_server_config.www == 2) {
2192	i = strlen(p);
2193	if (((i > 5) && (strcmp(&(p[i - 5]), ".html") == 0)) \|\|
2194	((i > 4) && (strcmp(&(p[i - 4]), ".php") == 0)) \|\|
2195	((i > 4) && (strcmp(&(p[i - 4]), ".htm") == 0)))
2196	BIO_puts(io, "HTTP/1.0 200 ok\r\nContent-type: text/html\r\n\r\n");
2197	else
2198	BIO_puts(io, "HTTP/1.0 200 ok\r\nContent-type: text/plain\r\n\r\n");
2199	}
2200	/* send the file */
2201	for (;;) {
2202	i = BIO_read(file, buf, bufsize);
2203	if (i <= 0)
2204	break;
2205
2206	#ifdef RENEG
2207	total_bytes += i;
2208	fprintf(stderr(&__sF[2]), "%d\n", i);
2209	if (total_bytes > 3 * 1024) {
2210	total_bytes = 0;
2211	fprintf(stderr(&__sF[2]), "RENEGOTIATE\n");
2212	SSL_renegotiate(con);
2213	}
2214	#endif
2215
2216	for (j = 0; j < i;) {
2217	#ifdef RENEG
2218	{
2219	static count = 0;
2220	if (++count == 13) {
2221	SSL_renegotiate(con);
2222	}
2223	}
2224	#endif
2225	k = BIO_write(io, &(buf[j]), i - j);
2226	if (k <= 0) {
2227	if (!BIO_should_retry(io)BIO_test_flags(io, 0x08))
2228	goto write_error;
2229	else {
2230	BIO_printf(bio_s_out,
2231	"rwrite W BLOCK\n");
2232	}
2233	} else {
2234	j += k;
2235	}
2236	}
2237	}
2238	write_error:
2239	BIO_free(file);
2240	break;
2241	}
2242	}
2243
2244	for (;;) {
2245	i = (int) BIO_flush(io)(int)BIO_ctrl(io,11,0,((void*)0));
2246	if (i <= 0) {
2247	if (!BIO_should_retry(io)BIO_test_flags(io, 0x08))
2248	break;
2249	} else
2250	break;
2251	}
2252	end:
2253	/* make sure we re-use sessions */
2254	SSL_set_shutdown(con, SSL_SENT_SHUTDOWN1 \| SSL_RECEIVED_SHUTDOWN2);
2255
2256	err:
2257
2258	if (ret >= 0)
2259	BIO_printf(bio_s_out, "ACCEPT\n");
2260
2261	free(buf);
2262	BIO_free_all(io);
2263	/* if (ssl_bio != NULL) BIO_free(ssl_bio);*/
2264	return (ret);
2265	}
2266
2267	#define MAX_SESSION_ID_ATTEMPTS10 10
2268	static int
2269	generate_session_id(const SSL ssl, unsigned char id, unsigned int *id_len)
2270	{
2271	unsigned int count = 0;
2272	do {
2273	arc4random_buf(id, *id_len);
2274	/*
2275	* Prefix the session_id with the required prefix. NB: If our
2276	* prefix is too long, clip it - but there will be worse
2277	* effects anyway, eg. the server could only possibly create
2278	* 1 session ID (ie. the prefix!) so all future session
2279	* negotiations will fail due to conflicts.
2280	*/
2281	memcpy(id, s_server_config.session_id_prefix,
2282	(strlen(s_server_config.session_id_prefix) < *id_len) ?
2283	strlen(s_server_config.session_id_prefix) : *id_len);
2284	}
2285	while (SSL_has_matching_session_id(ssl, id, *id_len) &&
2286	(++count < MAX_SESSION_ID_ATTEMPTS10));
2287	if (count >= MAX_SESSION_ID_ATTEMPTS10)
2288	return 0;
2289	return 1;
2290	}
2291
2292	static int
2293	ssl_servername_cb(SSL s, int ad, void *arg)
2294	{
2295	tlsextctx p = (tlsextctx ) arg;
2296	const char *servername = SSL_get_servername(s,
2297	TLSEXT_NAMETYPE_host_name0);
2298
2299	if (servername && p->biodebug)
2300	BIO_printf(p->biodebug, "Hostname in TLS extension: \"%s\"\n",
2301	servername);
2302
2303	if (!p->servername)
2304	return SSL_TLSEXT_ERR_NOACK3;
2305
2306	if (servername) {
2307	if (strcmp(servername, p->servername))
2308	return p->extension_error;
2309	if (ctx2) {
2310	BIO_printf(p->biodebug, "Switching server context.\n");
2311	SSL_set_SSL_CTX(s, ctx2);
2312	}
2313	}
2314	return SSL_TLSEXT_ERR_OK0;
2315	}
2316
2317	/* Certificate Status callback. This is called when a client includes a
2318	* certificate status request extension.
2319	*
2320	* This is a simplified version. It examines certificates each time and
2321	* makes one OCSP responder query for each request.
2322	*
2323	* A full version would store details such as the OCSP certificate IDs and
2324	* minimise the number of OCSP responses by caching them until they were
2325	* considered "expired".
2326	*/
2327
2328	static int
2329	cert_status_cb(SSL s, void arg)
2330	{
2331	tlsextstatusctx *srctx = arg;
2332	BIO *err = srctx->err;
2333	char host = NULL((void)0), port = NULL((void)0), path = NULL((void)0);
2334	int use_ssl;
2335	unsigned char rspder = NULL((void)0);
2336	int rspderlen;
2337	STACK_OF(OPENSSL_STRING)struct stack_st_OPENSSL_STRING aia = NULL((void)0);
2338	X509 x = NULL((void)0);
2339	X509_STORE_CTX inctx = NULL((void)0);
2340	X509_OBJECT obj = NULL((void)0);
2341	OCSP_REQUEST req = NULL((void)0);
2342	OCSP_RESPONSE resp = NULL((void)0);
2343	OCSP_CERTID id = NULL((void)0);
2344	STACK_OF(X509_EXTENSION)struct stack_st_X509_EXTENSION *exts;
2345	int ret = SSL_TLSEXT_ERR_NOACK3;
2346	int i;
2347
2348	if (srctx->verbose)
2349	BIO_puts(err, "cert_status: callback called\n");
2350	/* Build up OCSP query from server certificate */
2351	x = SSL_get_certificate(s);
2352	aia = X509_get1_ocsp(x);
2353	if (aia) {
2354	if (!OCSP_parse_url(sk_OPENSSL_STRING_value(aia, 0)((OPENSSL_STRING)sk_value(((_STACK) (1 ? aia : (struct stack_st_OPENSSL_STRING )0)), 0)),
2355	&host, &port, &path, &use_ssl)) {
2356	BIO_puts(err, "cert_status: can't parse AIA URL\n");
2357	goto err;
2358	}
2359	if (srctx->verbose)
2360	BIO_printf(err, "cert_status: AIA URL: %s\n",
2361	sk_OPENSSL_STRING_value(aia, 0)((OPENSSL_STRING)sk_value(((_STACK) (1 ? aia : (struct stack_st_OPENSSL_STRING )0)), 0)));
2362	} else {
2363	if (!srctx->host) {
2364	BIO_puts(srctx->err,
2365	"cert_status: no AIA and no default responder URL\n");
2366	goto done;
2367	}
2368	host = srctx->host;
2369	path = srctx->path;
2370	port = srctx->port;
2371	use_ssl = srctx->use_ssl;
2372	}
2373
2374	if ((inctx = X509_STORE_CTX_new()) == NULL((void*)0))
2375	goto err;
2376
2377	if (!X509_STORE_CTX_init(inctx,
2378	SSL_CTX_get_cert_store(SSL_get_SSL_CTX(s)),
2379	NULL((void)0), NULL((void)0)))
2380	goto err;
2381	if ((obj = X509_OBJECT_new()) == NULL((void*)0))
2382	goto done;
2383	if (X509_STORE_get_by_subjectX509_STORE_CTX_get_by_subject(inctx, X509_LU_X509,
2384	X509_get_issuer_name(x), obj) <= 0) {
2385	BIO_puts(err,
2386	"cert_status: Can't retrieve issuer certificate.\n");
2387	X509_STORE_CTX_cleanup(inctx);
2388	goto done;
2389	}
2390	req = OCSP_REQUEST_new();
2391	if (!req)
2392	goto err;
2393	id = OCSP_cert_to_id(NULL((void*)0), x, X509_OBJECT_get0_X509(obj));
2394	X509_OBJECT_free(obj);
2395	obj = NULL((void*)0);
2396	X509_STORE_CTX_free(inctx);
2397	inctx = NULL((void*)0);
2398	if (!id)
2399	goto err;
2400	if (!OCSP_request_add0_id(req, id))
2401	goto err;
2402	id = NULL((void*)0);
2403	/* Add any extensions to the request */
2404	SSL_get_tlsext_status_exts(s, &exts)SSL_ctrl(s,66,0, (void *)&exts);
2405	for (i = 0; i < sk_X509_EXTENSION_num(exts)sk_num(((_STACK) (1 ? (exts) : (struct stack_st_X509_EXTENSION )0))); i++) {
2406	X509_EXTENSION ext = sk_X509_EXTENSION_value(exts, i)((X509_EXTENSION )sk_value(((_STACK) (1 ? (exts) : (struct stack_st_X509_EXTENSION )0)), (i)));
2407	if (!OCSP_REQUEST_add_ext(req, ext, -1))
2408	goto err;
2409	}
2410	resp = process_responder(err, req, host, path, port, use_ssl, NULL((void*)0),
2411	srctx->timeout);
2412	if (!resp) {
2413	BIO_puts(err, "cert_status: error querying responder\n");
2414	goto done;
2415	}
2416	rspderlen = i2d_OCSP_RESPONSE(resp, &rspder);
2417	if (rspderlen <= 0)
2418	goto err;
2419	SSL_set_tlsext_status_ocsp_resp(s, rspder, rspderlen)SSL_ctrl(s,71,rspderlen, (void *)rspder);
2420	if (srctx->verbose) {
2421	BIO_puts(err, "cert_status: ocsp response sent:\n");
2422	OCSP_RESPONSE_print(err, resp, 2);
2423	}
2424	ret = SSL_TLSEXT_ERR_OK0;
2425	done:
2426	X509_STORE_CTX_free(inctx);
2427	X509_OBJECT_free(obj);
2428	if (ret != SSL_TLSEXT_ERR_OK0)
2429	ERR_print_errors(err);
2430	if (aia) {
2431	free(host);
2432	free(path);
2433	free(port);
2434	X509_email_free(aia);
2435	}
2436	if (id)
2437	OCSP_CERTID_free(id);
2438	if (req)
2439	OCSP_REQUEST_free(req);
2440	if (resp)
2441	OCSP_RESPONSE_free(resp);
2442	return ret;
2443	err:
2444	ret = SSL_TLSEXT_ERR_ALERT_FATAL2;
2445	goto done;
2446	}
2447
2448	static int
2449	alpn_cb(SSL s, const unsigned char out, unsigned char outlen,
2450	const unsigned char in, unsigned int inlen, void arg)
2451	{
2452	tlsextalpnctx *alpn_ctx = arg;
2453
2454	if (!s_server_config.quiet) {
2455	/* We can assume that in is syntactically valid. */
2456	unsigned i;
2457
2458	BIO_printf(bio_s_out,
2459	"ALPN protocols advertised by the client: ");
2460	for (i = 0; i < inlen; ) {
2461	if (i)
2462	BIO_write(bio_s_out, ", ", 2);
2463	BIO_write(bio_s_out, &in[i + 1], in[i]);
2464	i += in[i] + 1;
2465	}
2466	BIO_write(bio_s_out, "\n", 1);
2467	}
2468
2469	if (SSL_select_next_proto((unsigned char**)out, outlen, alpn_ctx->data,
2470	alpn_ctx->len, in, inlen) != OPENSSL_NPN_NEGOTIATED1)
2471	return (SSL_TLSEXT_ERR_NOACK3);
2472
2473	if (!s_server_config.quiet) {
2474	BIO_printf(bio_s_out, "ALPN protocols selected: ");
2475	BIO_write(bio_s_out, out, outlen);
2476	BIO_write(bio_s_out, "\n", 1);
2477	}
2478
2479	return (SSL_TLSEXT_ERR_OK0);
2480	}