1/* apps/s_server.c */ 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58/* ==================================================================== 59 * Copyright (c) 1998-2001 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111 112#include <assert.h> 113#include <stdio.h> 114#include <stdlib.h> 115#include <string.h> 116#include <sys/types.h> 117#include <sys/stat.h> 118#include <openssl/e_os2.h> 119#ifdef OPENSSL_NO_STDIO 120#define APPS_WIN16 121#endif 122 123/* With IPv6, it looks like Digital has mixed up the proper order of 124 recursive header file inclusion, resulting in the compiler complaining 125 that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which 126 is needed to have fileno() declared correctly... So let's define u_int */ 127#if defined(OPENSSL_SYS_VMS_DECC) && !defined(__U_INT) 128#define __U_INT 129typedef unsigned int u_int; 130#endif 131 132#include <openssl/lhash.h> 133#include <openssl/bn.h> 134#define USE_SOCKETS 135#include "apps.h" 136#include <openssl/err.h> 137#include <openssl/pem.h> 138#include <openssl/x509.h> 139#include <openssl/ssl.h> 140#include <openssl/rand.h> 141#include "s_apps.h" 142 143#ifdef OPENSSL_SYS_WINCE 144/* Windows CE incorrectly defines fileno as returning void*, so to avoid problems below... */ 145#ifdef fileno 146#undef fileno 147#endif 148#define fileno(a) (int)_fileno(a) 149#endif 150 151#if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000) 152/* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */ 153#undef FIONBIO 154#endif 155 156#ifndef OPENSSL_NO_RSA 157static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength); 158#endif 159static int sv_body(char *hostname, int s, unsigned char *context); 160static int www_body(char *hostname, int s, unsigned char *context); 161static void close_accept_socket(void ); 162static void sv_usage(void); 163static int init_ssl_connection(SSL *s); 164static void print_stats(BIO *bp,SSL_CTX *ctx); 165static int generate_session_id(const SSL *ssl, unsigned char *id, 166 unsigned int *id_len); 167#ifndef OPENSSL_NO_DH 168static DH *load_dh_param(char *dhfile); 169static DH *get_dh512(void); 170#endif 171#ifdef MONOLITH 172static void s_server_init(void); 173#endif 174 175#ifndef S_ISDIR 176# if defined(_S_IFMT) && defined(_S_IFDIR) 177# define S_ISDIR(a) (((a) & _S_IFMT) == _S_IFDIR) 178# else 179# define S_ISDIR(a) (((a) & S_IFMT) == S_IFDIR) 180# endif 181#endif 182 183#ifndef OPENSSL_NO_DH 184static unsigned char dh512_p[]={ 185 0xDA,0x58,0x3C,0x16,0xD9,0x85,0x22,0x89,0xD0,0xE4,0xAF,0x75, 186 0x6F,0x4C,0xCA,0x92,0xDD,0x4B,0xE5,0x33,0xB8,0x04,0xFB,0x0F, 187 0xED,0x94,0xEF,0x9C,0x8A,0x44,0x03,0xED,0x57,0x46,0x50,0xD3, 188 0x69,0x99,0xDB,0x29,0xD7,0x76,0x27,0x6B,0xA2,0xD3,0xD4,0x12, 189 0xE2,0x18,0xF4,0xDD,0x1E,0x08,0x4C,0xF6,0xD8,0x00,0x3E,0x7C, 190 0x47,0x74,0xE8,0x33, 191 }; 192static unsigned char dh512_g[]={ 193 0x02, 194 }; 195 196static DH *get_dh512(void) 197 { 198 DH *dh=NULL; 199 200 if ((dh=DH_new()) == NULL) return(NULL); 201 dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL); 202 dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL); 203 if ((dh->p == NULL) || (dh->g == NULL)) 204 return(NULL); 205 return(dh); 206 } 207#endif 208 209/* static int load_CA(SSL_CTX *ctx, char *file);*/ 210 211#undef BUFSIZZ 212#define BUFSIZZ 16*1024 213static int bufsize=BUFSIZZ; 214static int accept_socket= -1; 215 216#define TEST_CERT "server.pem" 217#undef PROG 218#define PROG s_server_main 219 220extern int verify_depth; 221 222static char *cipher=NULL; 223static int s_server_verify=SSL_VERIFY_NONE; 224static int s_server_session_id_context = 1; /* anything will do */ 225static char *s_cert_file=TEST_CERT,*s_key_file=NULL; 226static char *s_dcert_file=NULL,*s_dkey_file=NULL; 227#ifdef FIONBIO 228static int s_nbio=0; 229#endif 230static int s_nbio_test=0; 231int s_crlf=0; 232static SSL_CTX *ctx=NULL; 233static int www=0; 234 235static BIO *bio_s_out=NULL; 236static int s_debug=0; 237static int s_msg=0; 238static int s_quiet=0; 239 240static int hack=0; 241#ifndef OPENSSL_NO_ENGINE 242static char *engine_id=NULL; 243#endif 244static const char *session_id_prefix=NULL; 245 246#ifdef MONOLITH 247static void s_server_init(void) 248 { 249 accept_socket=-1; 250 cipher=NULL; 251 s_server_verify=SSL_VERIFY_NONE; 252 s_dcert_file=NULL; 253 s_dkey_file=NULL; 254 s_cert_file=TEST_CERT; 255 s_key_file=NULL; 256#ifdef FIONBIO 257 s_nbio=0; 258#endif 259 s_nbio_test=0; 260 ctx=NULL; 261 www=0; 262 263 bio_s_out=NULL; 264 s_debug=0; 265 s_msg=0; 266 s_quiet=0; 267 hack=0; 268#ifndef OPENSSL_NO_ENGINE 269 engine_id=NULL; 270#endif 271 } 272#endif 273 274static void sv_usage(void) 275 { 276 BIO_printf(bio_err,"usage: s_server [args ...]\n"); 277 BIO_printf(bio_err,"\n"); 278 BIO_printf(bio_err," -accept arg - port to accept on (default is %d)\n",PORT); 279 BIO_printf(bio_err," -context arg - set session ID context\n"); 280 BIO_printf(bio_err," -verify arg - turn on peer certificate verification\n"); 281 BIO_printf(bio_err," -Verify arg - turn on peer certificate verification, must have a cert.\n"); 282 BIO_printf(bio_err," -cert arg - certificate file to use, PEM format assumed\n"); 283 BIO_printf(bio_err," (default is %s)\n",TEST_CERT); 284 BIO_printf(bio_err," -key arg - Private Key file to use, PEM format assumed, in cert file if\n"); 285 BIO_printf(bio_err," not specified (default is %s)\n",TEST_CERT); 286 BIO_printf(bio_err," -dcert arg - second certificate file to use (usually for DSA)\n"); 287 BIO_printf(bio_err," -dkey arg - second private key file to use (usually for DSA)\n"); 288 BIO_printf(bio_err," -dhparam arg - DH parameter file to use, in cert file if not specified\n"); 289 BIO_printf(bio_err," or a default set of parameters is used\n"); 290#ifdef FIONBIO 291 BIO_printf(bio_err," -nbio - Run with non-blocking IO\n"); 292#endif 293 BIO_printf(bio_err," -nbio_test - test with the non-blocking test bio\n"); 294 BIO_printf(bio_err," -crlf - convert LF from terminal into CRLF\n"); 295 BIO_printf(bio_err," -debug - Print more output\n"); 296 BIO_printf(bio_err," -msg - Show protocol messages\n"); 297 BIO_printf(bio_err," -state - Print the SSL states\n"); 298 BIO_printf(bio_err," -CApath arg - PEM format directory of CA's\n"); 299 BIO_printf(bio_err," -CAfile arg - PEM format file of CA's\n"); 300 BIO_printf(bio_err," -nocert - Don't use any certificates (Anon-DH)\n"); 301 BIO_printf(bio_err," -cipher arg - play with 'openssl ciphers' to see what goes here\n"); 302 BIO_printf(bio_err," -serverpref - Use server's cipher preferences\n"); 303 BIO_printf(bio_err," -quiet - No server output\n"); 304 BIO_printf(bio_err," -no_tmp_rsa - Do not generate a tmp RSA key\n"); 305 BIO_printf(bio_err," -ssl2 - Just talk SSLv2\n"); 306 BIO_printf(bio_err," -ssl3 - Just talk SSLv3\n"); 307 BIO_printf(bio_err," -tls1 - Just talk TLSv1\n"); 308 BIO_printf(bio_err," -no_ssl2 - Just disable SSLv2\n"); 309 BIO_printf(bio_err," -no_ssl3 - Just disable SSLv3\n"); 310 BIO_printf(bio_err," -no_tls1 - Just disable TLSv1\n"); 311#ifndef OPENSSL_NO_DH 312 BIO_printf(bio_err," -no_dhe - Disable ephemeral DH\n"); 313#endif 314 BIO_printf(bio_err," -bugs - Turn on SSL bug compatibility\n"); 315 BIO_printf(bio_err," -www - Respond to a 'GET /' with a status page\n"); 316 BIO_printf(bio_err," -WWW - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>\n"); 317 BIO_printf(bio_err," -HTTP - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>\n"); 318 BIO_printf(bio_err," with the assumption it contains a complete HTTP response.\n"); 319#ifndef OPENSSL_NO_ENGINE 320 BIO_printf(bio_err," -engine id - Initialise and use the specified engine\n"); 321#endif 322 BIO_printf(bio_err," -id_prefix arg - Generate SSL/TLS session IDs prefixed by 'arg'\n"); 323 BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR); 324 } 325 326static int local_argc=0; 327static char **local_argv; 328 329#ifdef CHARSET_EBCDIC 330static int ebcdic_new(BIO *bi); 331static int ebcdic_free(BIO *a); 332static int ebcdic_read(BIO *b, char *out, int outl); 333static int ebcdic_write(BIO *b, const char *in, int inl); 334static long ebcdic_ctrl(BIO *b, int cmd, long num, void *ptr); 335static int ebcdic_gets(BIO *bp, char *buf, int size); 336static int ebcdic_puts(BIO *bp, const char *str); 337 338#define BIO_TYPE_EBCDIC_FILTER (18|0x0200) 339static BIO_METHOD methods_ebcdic= 340 { 341 BIO_TYPE_EBCDIC_FILTER, 342 "EBCDIC/ASCII filter", 343 ebcdic_write, 344 ebcdic_read, 345 ebcdic_puts, 346 ebcdic_gets, 347 ebcdic_ctrl, 348 ebcdic_new, 349 ebcdic_free, 350 }; 351 352typedef struct 353{ 354 size_t alloced; 355 char buff[1]; 356} EBCDIC_OUTBUFF; 357 358BIO_METHOD *BIO_f_ebcdic_filter() 359{ 360 return(&methods_ebcdic); 361} 362 363static int ebcdic_new(BIO *bi) 364{ 365 EBCDIC_OUTBUFF *wbuf; 366 367 wbuf = (EBCDIC_OUTBUFF *)OPENSSL_malloc(sizeof(EBCDIC_OUTBUFF) + 1024); 368 wbuf->alloced = 1024; 369 wbuf->buff[0] = '\0'; 370 371 bi->ptr=(char *)wbuf; 372 bi->init=1; 373 bi->flags=0; 374 return(1); 375} 376 377static int ebcdic_free(BIO *a) 378{ 379 if (a == NULL) return(0); 380 if (a->ptr != NULL) 381 OPENSSL_free(a->ptr); 382 a->ptr=NULL; 383 a->init=0; 384 a->flags=0; 385 return(1); 386} 387 388static int ebcdic_read(BIO *b, char *out, int outl) 389{ 390 int ret=0; 391 392 if (out == NULL || outl == 0) return(0); 393 if (b->next_bio == NULL) return(0); 394 395 ret=BIO_read(b->next_bio,out,outl); 396 if (ret > 0) 397 ascii2ebcdic(out,out,ret); 398 return(ret); 399} 400 401static int ebcdic_write(BIO *b, const char *in, int inl) 402{ 403 EBCDIC_OUTBUFF *wbuf; 404 int ret=0; 405 int num; 406 unsigned char n; 407 408 if ((in == NULL) || (inl <= 0)) return(0); 409 if (b->next_bio == NULL) return(0); 410 411 wbuf=(EBCDIC_OUTBUFF *)b->ptr; 412 413 if (inl > (num = wbuf->alloced)) 414 { 415 num = num + num; /* double the size */ 416 if (num < inl) 417 num = inl; 418 OPENSSL_free(wbuf); 419 wbuf=(EBCDIC_OUTBUFF *)OPENSSL_malloc(sizeof(EBCDIC_OUTBUFF) + num); 420 421 wbuf->alloced = num; 422 wbuf->buff[0] = '\0'; 423 424 b->ptr=(char *)wbuf; 425 } 426 427 ebcdic2ascii(wbuf->buff, in, inl); 428 429 ret=BIO_write(b->next_bio, wbuf->buff, inl); 430 431 return(ret); 432} 433 434static long ebcdic_ctrl(BIO *b, int cmd, long num, void *ptr) 435{ 436 long ret; 437 438 if (b->next_bio == NULL) return(0); 439 switch (cmd) 440 { 441 case BIO_CTRL_DUP: 442 ret=0L; 443 break; 444 default: 445 ret=BIO_ctrl(b->next_bio,cmd,num,ptr); 446 break; 447 } 448 return(ret); 449} 450 451static int ebcdic_gets(BIO *bp, char *buf, int size) 452{ 453 int i, ret=0; 454 if (bp->next_bio == NULL) return(0); 455/* return(BIO_gets(bp->next_bio,buf,size));*/ 456 for (i=0; i<size-1; ++i) 457 { 458 ret = ebcdic_read(bp,&buf[i],1); 459 if (ret <= 0) 460 break; 461 else if (buf[i] == '\n') 462 { 463 ++i; 464 break; 465 } 466 } 467 if (i < size) 468 buf[i] = '\0'; 469 return (ret < 0 && i == 0) ? ret : i; 470} 471 472static int ebcdic_puts(BIO *bp, const char *str) 473{ 474 if (bp->next_bio == NULL) return(0); 475 return ebcdic_write(bp, str, strlen(str)); 476} 477#endif 478 479int MAIN(int, char **); 480 481int MAIN(int argc, char *argv[]) 482 { 483 X509_STORE *store = NULL; 484 int vflags = 0; 485 short port=PORT; 486 char *CApath=NULL,*CAfile=NULL; 487 char *context = NULL; 488 char *dhfile = NULL; 489 int badop=0,bugs=0; 490 int ret=1; 491 int off=0; 492 int no_tmp_rsa=0,no_dhe=0,nocert=0; 493 int state=0; 494 SSL_METHOD *meth=NULL; 495#ifndef OPENSSL_NO_ENGINE 496 ENGINE *e=NULL; 497#endif 498 char *inrand=NULL; 499 500#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3) 501 meth=SSLv23_server_method(); 502#elif !defined(OPENSSL_NO_SSL3) 503 meth=SSLv3_server_method(); 504#elif !defined(OPENSSL_NO_SSL2) 505 meth=SSLv2_server_method(); 506#endif 507 508 local_argc=argc; 509 local_argv=argv; 510 511 apps_startup(); 512#ifdef MONOLITH 513 s_server_init(); 514#endif 515 516 if (bio_err == NULL) 517 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE); 518 519 if (!load_config(bio_err, NULL)) 520 goto end; 521 522 verify_depth=0; 523#ifdef FIONBIO 524 s_nbio=0; 525#endif 526 s_nbio_test=0; 527 528 argc--; 529 argv++; 530 531 while (argc >= 1) 532 { 533 if ((strcmp(*argv,"-port") == 0) || 534 (strcmp(*argv,"-accept") == 0)) 535 { 536 if (--argc < 1) goto bad; 537 if (!extract_port(*(++argv),&port)) 538 goto bad; 539 } 540 else if (strcmp(*argv,"-verify") == 0) 541 { 542 s_server_verify=SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE; 543 if (--argc < 1) goto bad; 544 verify_depth=atoi(*(++argv)); 545 BIO_printf(bio_err,"verify depth is %d\n",verify_depth); 546 } 547 else if (strcmp(*argv,"-Verify") == 0) 548 { 549 s_server_verify=SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT| 550 SSL_VERIFY_CLIENT_ONCE; 551 if (--argc < 1) goto bad; 552 verify_depth=atoi(*(++argv)); 553 BIO_printf(bio_err,"verify depth is %d, must return a certificate\n",verify_depth); 554 } 555 else if (strcmp(*argv,"-context") == 0) 556 { 557 if (--argc < 1) goto bad; 558 context= *(++argv); 559 } 560 else if (strcmp(*argv,"-cert") == 0) 561 { 562 if (--argc < 1) goto bad; 563 s_cert_file= *(++argv); 564 } 565 else if (strcmp(*argv,"-key") == 0) 566 { 567 if (--argc < 1) goto bad; 568 s_key_file= *(++argv); 569 } 570 else if (strcmp(*argv,"-dhparam") == 0) 571 { 572 if (--argc < 1) goto bad; 573 dhfile = *(++argv); 574 } 575 else if (strcmp(*argv,"-dcert") == 0) 576 { 577 if (--argc < 1) goto bad; 578 s_dcert_file= *(++argv); 579 } 580 else if (strcmp(*argv,"-dkey") == 0) 581 { 582 if (--argc < 1) goto bad; 583 s_dkey_file= *(++argv); 584 } 585 else if (strcmp(*argv,"-nocert") == 0) 586 { 587 nocert=1; 588 } 589 else if (strcmp(*argv,"-CApath") == 0) 590 { 591 if (--argc < 1) goto bad; 592 CApath= *(++argv); 593 } 594 else if (strcmp(*argv,"-crl_check") == 0) 595 { 596 vflags |= X509_V_FLAG_CRL_CHECK; 597 } 598 else if (strcmp(*argv,"-crl_check") == 0) 599 { 600 vflags |= X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL; 601 } 602 else if (strcmp(*argv,"-serverpref") == 0) 603 { off|=SSL_OP_CIPHER_SERVER_PREFERENCE; } 604 else if (strcmp(*argv,"-cipher") == 0) 605 { 606 if (--argc < 1) goto bad; 607 cipher= *(++argv); 608 } 609 else if (strcmp(*argv,"-CAfile") == 0) 610 { 611 if (--argc < 1) goto bad; 612 CAfile= *(++argv); 613 } 614#ifdef FIONBIO 615 else if (strcmp(*argv,"-nbio") == 0) 616 { s_nbio=1; } 617#endif 618 else if (strcmp(*argv,"-nbio_test") == 0) 619 { 620#ifdef FIONBIO 621 s_nbio=1; 622#endif 623 s_nbio_test=1; 624 } 625 else if (strcmp(*argv,"-debug") == 0) 626 { s_debug=1; } 627 else if (strcmp(*argv,"-msg") == 0) 628 { s_msg=1; } 629 else if (strcmp(*argv,"-hack") == 0) 630 { hack=1; } 631 else if (strcmp(*argv,"-state") == 0) 632 { state=1; } 633 else if (strcmp(*argv,"-crlf") == 0) 634 { s_crlf=1; } 635 else if (strcmp(*argv,"-quiet") == 0) 636 { s_quiet=1; } 637 else if (strcmp(*argv,"-bugs") == 0) 638 { bugs=1; } 639 else if (strcmp(*argv,"-no_tmp_rsa") == 0) 640 { no_tmp_rsa=1; } 641 else if (strcmp(*argv,"-no_dhe") == 0) 642 { no_dhe=1; } 643 else if (strcmp(*argv,"-www") == 0) 644 { www=1; } 645 else if (strcmp(*argv,"-WWW") == 0) 646 { www=2; } 647 else if (strcmp(*argv,"-HTTP") == 0) 648 { www=3; } 649 else if (strcmp(*argv,"-no_ssl2") == 0) 650 { off|=SSL_OP_NO_SSLv2; } 651 else if (strcmp(*argv,"-no_ssl3") == 0) 652 { off|=SSL_OP_NO_SSLv3; } 653 else if (strcmp(*argv,"-no_tls1") == 0) 654 { off|=SSL_OP_NO_TLSv1; } 655#ifndef OPENSSL_NO_SSL2 656 else if (strcmp(*argv,"-ssl2") == 0) 657 { meth=SSLv2_server_method(); } 658#endif 659#ifndef OPENSSL_NO_SSL3 660 else if (strcmp(*argv,"-ssl3") == 0) 661 { meth=SSLv3_server_method(); } 662#endif 663#ifndef OPENSSL_NO_TLS1 664 else if (strcmp(*argv,"-tls1") == 0) 665 { meth=TLSv1_server_method(); } 666#endif 667 else if (strcmp(*argv, "-id_prefix") == 0) 668 { 669 if (--argc < 1) goto bad; 670 session_id_prefix = *(++argv); 671 } 672#ifndef OPENSSL_NO_ENGINE 673 else if (strcmp(*argv,"-engine") == 0) 674 { 675 if (--argc < 1) goto bad; 676 engine_id= *(++argv); 677 } 678#endif 679 else if (strcmp(*argv,"-rand") == 0) 680 { 681 if (--argc < 1) goto bad; 682 inrand= *(++argv); 683 } 684 else 685 { 686 BIO_printf(bio_err,"unknown option %s\n",*argv); 687 badop=1; 688 break; 689 } 690 argc--; 691 argv++; 692 } 693 if (badop) 694 { 695bad: 696 sv_usage(); 697 goto end; 698 } 699 700 SSL_load_error_strings(); 701 OpenSSL_add_ssl_algorithms(); 702 703#ifndef OPENSSL_NO_ENGINE 704 e = setup_engine(bio_err, engine_id, 1); 705#endif 706 707 if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL 708 && !RAND_status()) 709 { 710 BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n"); 711 } 712 if (inrand != NULL) 713 BIO_printf(bio_err,"%ld semi-random bytes loaded\n", 714 app_RAND_load_files(inrand)); 715 716 if (bio_s_out == NULL) 717 { 718 if (s_quiet && !s_debug && !s_msg) 719 { 720 bio_s_out=BIO_new(BIO_s_null()); 721 } 722 else 723 { 724 if (bio_s_out == NULL) 725 bio_s_out=BIO_new_fp(stdout,BIO_NOCLOSE); 726 } 727 } 728 729#if !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_DSA) 730 if (nocert) 731#endif 732 { 733 s_cert_file=NULL; 734 s_key_file=NULL; 735 s_dcert_file=NULL; 736 s_dkey_file=NULL; 737 } 738 739 ctx=SSL_CTX_new(meth); 740 if (ctx == NULL) 741 { 742 ERR_print_errors(bio_err); 743 goto end; 744 } 745 if (session_id_prefix) 746 { 747 if(strlen(session_id_prefix) >= 32) 748 BIO_printf(bio_err, 749"warning: id_prefix is too long, only one new session will be possible\n"); 750 else if(strlen(session_id_prefix) >= 16) 751 BIO_printf(bio_err, 752"warning: id_prefix is too long if you use SSLv2\n"); 753 if(!SSL_CTX_set_generate_session_id(ctx, generate_session_id)) 754 { 755 BIO_printf(bio_err,"error setting 'id_prefix'\n"); 756 ERR_print_errors(bio_err); 757 goto end; 758 } 759 BIO_printf(bio_err,"id_prefix '%s' set.\n", session_id_prefix); 760 } 761 SSL_CTX_set_quiet_shutdown(ctx,1); 762 if (bugs) SSL_CTX_set_options(ctx,SSL_OP_ALL); 763 if (hack) SSL_CTX_set_options(ctx,SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG); 764 SSL_CTX_set_options(ctx,off); 765 766 if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback); 767 768 SSL_CTX_sess_set_cache_size(ctx,128); 769 770#if 0 771 if (cipher == NULL) cipher=getenv("SSL_CIPHER"); 772#endif 773 774#if 0 775 if (s_cert_file == NULL) 776 { 777 BIO_printf(bio_err,"You must specify a certificate file for the server to use\n"); 778 goto end; 779 } 780#endif 781 782 if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) || 783 (!SSL_CTX_set_default_verify_paths(ctx))) 784 { 785 /* BIO_printf(bio_err,"X509_load_verify_locations\n"); */ 786 ERR_print_errors(bio_err); 787 /* goto end; */ 788 } 789 store = SSL_CTX_get_cert_store(ctx); 790 X509_STORE_set_flags(store, vflags); 791 792#ifndef OPENSSL_NO_DH 793 if (!no_dhe) 794 { 795 DH *dh=NULL; 796 797 if (dhfile) 798 dh = load_dh_param(dhfile); 799 else if (s_cert_file) 800 dh = load_dh_param(s_cert_file); 801 802 if (dh != NULL) 803 { 804 BIO_printf(bio_s_out,"Setting temp DH parameters\n"); 805 } 806 else 807 { 808 BIO_printf(bio_s_out,"Using default temp DH parameters\n"); 809 dh=get_dh512(); 810 } 811 (void)BIO_flush(bio_s_out); 812 813 SSL_CTX_set_tmp_dh(ctx,dh); 814 DH_free(dh); 815 } 816#endif 817 818 if (!set_cert_stuff(ctx,s_cert_file,s_key_file)) 819 goto end; 820 if (s_dcert_file != NULL) 821 { 822 if (!set_cert_stuff(ctx,s_dcert_file,s_dkey_file)) 823 goto end; 824 } 825 826#ifndef OPENSSL_NO_RSA 827#if 1 828 if (!no_tmp_rsa) 829 SSL_CTX_set_tmp_rsa_callback(ctx,tmp_rsa_cb); 830#else 831 if (!no_tmp_rsa && SSL_CTX_need_tmp_RSA(ctx)) 832 { 833 RSA *rsa; 834 835 BIO_printf(bio_s_out,"Generating temp (512 bit) RSA key..."); 836 BIO_flush(bio_s_out); 837 838 rsa=RSA_generate_key(512,RSA_F4,NULL); 839 840 if (!SSL_CTX_set_tmp_rsa(ctx,rsa)) 841 { 842 ERR_print_errors(bio_err); 843 goto end; 844 } 845 RSA_free(rsa); 846 BIO_printf(bio_s_out,"\n"); 847 } 848#endif 849#endif 850 851 if (cipher != NULL) 852 if(!SSL_CTX_set_cipher_list(ctx,cipher)) { 853 BIO_printf(bio_err,"error setting cipher list\n"); 854 ERR_print_errors(bio_err); 855 goto end; 856 } 857 SSL_CTX_set_verify(ctx,s_server_verify,verify_callback); 858 SSL_CTX_set_session_id_context(ctx,(void*)&s_server_session_id_context, 859 sizeof s_server_session_id_context); 860 861 if (CAfile != NULL) 862 SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(CAfile)); 863 864 BIO_printf(bio_s_out,"ACCEPT\n"); 865 if (www) 866 do_server(port,&accept_socket,www_body, context); 867 else 868 do_server(port,&accept_socket,sv_body, context); 869 print_stats(bio_s_out,ctx); 870 ret=0; 871end: 872 if (ctx != NULL) SSL_CTX_free(ctx); 873 if (bio_s_out != NULL) 874 { 875 BIO_free(bio_s_out); 876 bio_s_out=NULL; 877 } 878 apps_shutdown(); 879 OPENSSL_EXIT(ret); 880 } 881 882static void print_stats(BIO *bio, SSL_CTX *ssl_ctx) 883 { 884 BIO_printf(bio,"%4ld items in the session cache\n", 885 SSL_CTX_sess_number(ssl_ctx)); 886 BIO_printf(bio,"%4d client connects (SSL_connect())\n", 887 SSL_CTX_sess_connect(ssl_ctx)); 888 BIO_printf(bio,"%4d client renegotiates (SSL_connect())\n", 889 SSL_CTX_sess_connect_renegotiate(ssl_ctx)); 890 BIO_printf(bio,"%4d client connects that finished\n", 891 SSL_CTX_sess_connect_good(ssl_ctx)); 892 BIO_printf(bio,"%4d server accepts (SSL_accept())\n", 893 SSL_CTX_sess_accept(ssl_ctx)); 894 BIO_printf(bio,"%4d server renegotiates (SSL_accept())\n", 895 SSL_CTX_sess_accept_renegotiate(ssl_ctx)); 896 BIO_printf(bio,"%4d server accepts that finished\n", 897 SSL_CTX_sess_accept_good(ssl_ctx)); 898 BIO_printf(bio,"%4d session cache hits\n",SSL_CTX_sess_hits(ssl_ctx)); 899 BIO_printf(bio,"%4d session cache misses\n",SSL_CTX_sess_misses(ssl_ctx)); 900 BIO_printf(bio,"%4d session cache timeouts\n",SSL_CTX_sess_timeouts(ssl_ctx)); 901 BIO_printf(bio,"%4d callback cache hits\n",SSL_CTX_sess_cb_hits(ssl_ctx)); 902 BIO_printf(bio,"%4d cache full overflows (%d allowed)\n", 903 SSL_CTX_sess_cache_full(ssl_ctx), 904 SSL_CTX_sess_get_cache_size(ssl_ctx)); 905 } 906 907static int sv_body(char *hostname, int s, unsigned char *context) 908 { 909 char *buf=NULL; 910 fd_set readfds; 911 int ret=1,width; 912 int k,i; 913 unsigned long l; 914 SSL *con=NULL; 915 BIO *sbio; 916#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) 917 struct timeval tv; 918#endif 919 920 if ((buf=OPENSSL_malloc(bufsize)) == NULL) 921 { 922 BIO_printf(bio_err,"out of memory\n"); 923 goto err; 924 } 925#ifdef FIONBIO 926 if (s_nbio) 927 { 928 unsigned long sl=1; 929 930 if (!s_quiet) 931 BIO_printf(bio_err,"turning on non blocking io\n"); 932 if (BIO_socket_ioctl(s,FIONBIO,&sl) < 0) 933 ERR_print_errors(bio_err); 934 } 935#endif 936 937 if (con == NULL) { 938 con=SSL_new(ctx); 939#ifndef OPENSSL_NO_KRB5 940 if ((con->kssl_ctx = kssl_ctx_new()) != NULL) 941 { 942 kssl_ctx_setstring(con->kssl_ctx, KSSL_SERVICE, 943 KRB5SVC); 944 kssl_ctx_setstring(con->kssl_ctx, KSSL_KEYTAB, 945 KRB5KEYTAB); 946 } 947#endif /* OPENSSL_NO_KRB5 */ 948 if(context) 949 SSL_set_session_id_context(con, context, 950 strlen((char *)context)); 951 } 952 SSL_clear(con); 953 954 sbio=BIO_new_socket(s,BIO_NOCLOSE); 955 if (s_nbio_test) 956 { 957 BIO *test; 958 959 test=BIO_new(BIO_f_nbio_test()); 960 sbio=BIO_push(test,sbio); 961 } 962 SSL_set_bio(con,sbio,sbio); 963 SSL_set_accept_state(con); 964 /* SSL_set_fd(con,s); */ 965 966 if (s_debug) 967 { 968 con->debug=1; 969 BIO_set_callback(SSL_get_rbio(con),bio_dump_cb); 970 BIO_set_callback_arg(SSL_get_rbio(con),bio_s_out); 971 } 972 if (s_msg) 973 { 974 SSL_set_msg_callback(con, msg_cb); 975 SSL_set_msg_callback_arg(con, bio_s_out); 976 } 977 978 width=s+1; 979 for (;;) 980 { 981 int read_from_terminal; 982 int read_from_sslcon; 983 984 read_from_terminal = 0; 985 read_from_sslcon = SSL_pending(con); 986 987 if (!read_from_sslcon) 988 { 989 FD_ZERO(&readfds); 990#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) 991 FD_SET(fileno(stdin),&readfds); 992#endif 993 FD_SET(s,&readfds); 994 /* Note: under VMS with SOCKETSHR the second parameter is 995 * currently of type (int *) whereas under other systems 996 * it is (void *) if you don't have a cast it will choke 997 * the compiler: if you do have a cast then you can either 998 * go for (int *) or (void *). 999 */ 1000#if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) 1001 /* Under DOS (non-djgpp) and Windows we can't select on stdin: only 1002 * on sockets. As a workaround we timeout the select every 1003 * second and check for any keypress. In a proper Windows 1004 * application we wouldn't do this because it is inefficient. 1005 */ 1006 tv.tv_sec = 1; 1007 tv.tv_usec = 0; 1008 i=select(width,(void *)&readfds,NULL,NULL,&tv); 1009 if((i < 0) || (!i && !_kbhit() ) )continue; 1010 if(_kbhit()) 1011 read_from_terminal = 1; 1012#else 1013 i=select(width,(void *)&readfds,NULL,NULL,NULL); 1014 if (i <= 0) continue; 1015 if (FD_ISSET(fileno(stdin),&readfds)) 1016 read_from_terminal = 1; 1017#endif 1018 if (FD_ISSET(s,&readfds)) 1019 read_from_sslcon = 1; 1020 } 1021 if (read_from_terminal) 1022 { 1023 if (s_crlf) 1024 { 1025 int j, lf_num; 1026 1027 i=read(fileno(stdin), buf, bufsize/2); 1028 lf_num = 0; 1029 /* both loops are skipped when i <= 0 */ 1030 for (j = 0; j < i; j++) 1031 if (buf[j] == '\n') 1032 lf_num++; 1033 for (j = i-1; j >= 0; j--) 1034 { 1035 buf[j+lf_num] = buf[j]; 1036 if (buf[j] == '\n') 1037 { 1038 lf_num--; 1039 i++; 1040 buf[j+lf_num] = '\r'; 1041 } 1042 } 1043 assert(lf_num == 0); 1044 } 1045 else 1046 i=read(fileno(stdin),buf,bufsize); 1047 if (!s_quiet) 1048 { 1049 if ((i <= 0) || (buf[0] == 'Q')) 1050 { 1051 BIO_printf(bio_s_out,"DONE\n"); 1052 SHUTDOWN(s); 1053 close_accept_socket(); 1054 ret= -11; 1055 goto err; 1056 } 1057 if ((i <= 0) || (buf[0] == 'q')) 1058 { 1059 BIO_printf(bio_s_out,"DONE\n"); 1060 SHUTDOWN(s); 1061 /* close_accept_socket(); 1062 ret= -11;*/ 1063 goto err; 1064 } 1065 if ((buf[0] == 'r') && 1066 ((buf[1] == '\n') || (buf[1] == '\r'))) 1067 { 1068 SSL_renegotiate(con); 1069 i=SSL_do_handshake(con); 1070 printf("SSL_do_handshake -> %d\n",i); 1071 i=0; /*13; */ 1072 continue; 1073 /* strcpy(buf,"server side RE-NEGOTIATE\n"); */ 1074 } 1075 if ((buf[0] == 'R') && 1076 ((buf[1] == '\n') || (buf[1] == '\r'))) 1077 { 1078 SSL_set_verify(con, 1079 SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE,NULL); 1080 SSL_renegotiate(con); 1081 i=SSL_do_handshake(con); 1082 printf("SSL_do_handshake -> %d\n",i); 1083 i=0; /* 13; */ 1084 continue; 1085 /* strcpy(buf,"server side RE-NEGOTIATE asking for client cert\n"); */ 1086 } 1087 if (buf[0] == 'P') 1088 { 1089 static char *str="Lets print some clear text\n"; 1090 BIO_write(SSL_get_wbio(con),str,strlen(str)); 1091 } 1092 if (buf[0] == 'S') 1093 { 1094 print_stats(bio_s_out,SSL_get_SSL_CTX(con)); 1095 } 1096 } 1097#ifdef CHARSET_EBCDIC 1098 ebcdic2ascii(buf,buf,i); 1099#endif 1100 l=k=0; 1101 for (;;) 1102 { 1103 /* should do a select for the write */ 1104#ifdef RENEG 1105{ static count=0; if (++count == 100) { count=0; SSL_renegotiate(con); } } 1106#endif 1107 k=SSL_write(con,&(buf[l]),(unsigned int)i); 1108 switch (SSL_get_error(con,k)) 1109 { 1110 case SSL_ERROR_NONE: 1111 break; 1112 case SSL_ERROR_WANT_WRITE: 1113 case SSL_ERROR_WANT_READ: 1114 case SSL_ERROR_WANT_X509_LOOKUP: 1115 BIO_printf(bio_s_out,"Write BLOCK\n"); 1116 break; 1117 case SSL_ERROR_SYSCALL: 1118 case SSL_ERROR_SSL: 1119 BIO_printf(bio_s_out,"ERROR\n"); 1120 ERR_print_errors(bio_err); 1121 ret=1; 1122 goto err; 1123 /* break; */ 1124 case SSL_ERROR_ZERO_RETURN: 1125 BIO_printf(bio_s_out,"DONE\n"); 1126 ret=1; 1127 goto err; 1128 } 1129 l+=k; 1130 i-=k; 1131 if (i <= 0) break; 1132 } 1133 } 1134 if (read_from_sslcon) 1135 { 1136 if (!SSL_is_init_finished(con)) 1137 { 1138 i=init_ssl_connection(con); 1139 1140 if (i < 0) 1141 { 1142 ret=0; 1143 goto err; 1144 } 1145 else if (i == 0) 1146 { 1147 ret=1; 1148 goto err; 1149 } 1150 } 1151 else 1152 { 1153again: 1154 i=SSL_read(con,(char *)buf,bufsize); 1155 switch (SSL_get_error(con,i)) 1156 { 1157 case SSL_ERROR_NONE: 1158#ifdef CHARSET_EBCDIC 1159 ascii2ebcdic(buf,buf,i); 1160#endif 1161 write(fileno(stdout),buf, 1162 (unsigned int)i); 1163 if (SSL_pending(con)) goto again; 1164 break; 1165 case SSL_ERROR_WANT_WRITE: 1166 case SSL_ERROR_WANT_READ: 1167 case SSL_ERROR_WANT_X509_LOOKUP: 1168 BIO_printf(bio_s_out,"Read BLOCK\n"); 1169 break; 1170 case SSL_ERROR_SYSCALL: 1171 case SSL_ERROR_SSL: 1172 BIO_printf(bio_s_out,"ERROR\n"); 1173 ERR_print_errors(bio_err); 1174 ret=1; 1175 goto err; 1176 case SSL_ERROR_ZERO_RETURN: 1177 BIO_printf(bio_s_out,"DONE\n"); 1178 ret=1; 1179 goto err; 1180 } 1181 } 1182 } 1183 } 1184err: 1185 BIO_printf(bio_s_out,"shutting down SSL\n"); 1186#if 1 1187 SSL_set_shutdown(con,SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); 1188#else 1189 SSL_shutdown(con); 1190#endif 1191 if (con != NULL) SSL_free(con); 1192 BIO_printf(bio_s_out,"CONNECTION CLOSED\n"); 1193 if (buf != NULL) 1194 { 1195 OPENSSL_cleanse(buf,bufsize); 1196 OPENSSL_free(buf); 1197 } 1198 if (ret >= 0) 1199 BIO_printf(bio_s_out,"ACCEPT\n"); 1200 return(ret); 1201 } 1202 1203static void close_accept_socket(void) 1204 { 1205 BIO_printf(bio_err,"shutdown accept socket\n"); 1206 if (accept_socket >= 0) 1207 { 1208 SHUTDOWN2(accept_socket); 1209 } 1210 } 1211 1212static int init_ssl_connection(SSL *con) 1213 { 1214 int i; 1215 const char *str; 1216 X509 *peer; 1217 long verify_error; 1218 MS_STATIC char buf[BUFSIZ]; 1219 1220 if ((i=SSL_accept(con)) <= 0) 1221 { 1222 if (BIO_sock_should_retry(i)) 1223 { 1224 BIO_printf(bio_s_out,"DELAY\n"); 1225 return(1); 1226 } 1227 1228 BIO_printf(bio_err,"ERROR\n"); 1229 verify_error=SSL_get_verify_result(con); 1230 if (verify_error != X509_V_OK) 1231 { 1232 BIO_printf(bio_err,"verify error:%s\n", 1233 X509_verify_cert_error_string(verify_error)); 1234 } 1235 else 1236 ERR_print_errors(bio_err); 1237 return(0); 1238 } 1239 1240 PEM_write_bio_SSL_SESSION(bio_s_out,SSL_get_session(con)); 1241 1242 peer=SSL_get_peer_certificate(con); 1243 if (peer != NULL) 1244 { 1245 BIO_printf(bio_s_out,"Client certificate\n"); 1246 PEM_write_bio_X509(bio_s_out,peer); 1247 X509_NAME_oneline(X509_get_subject_name(peer),buf,sizeof buf); 1248 BIO_printf(bio_s_out,"subject=%s\n",buf); 1249 X509_NAME_oneline(X509_get_issuer_name(peer),buf,sizeof buf); 1250 BIO_printf(bio_s_out,"issuer=%s\n",buf); 1251 X509_free(peer); 1252 } 1253 1254 if (SSL_get_shared_ciphers(con,buf,sizeof buf) != NULL) 1255 BIO_printf(bio_s_out,"Shared ciphers:%s\n",buf); 1256 str=SSL_CIPHER_get_name(SSL_get_current_cipher(con)); 1257 BIO_printf(bio_s_out,"CIPHER is %s\n",(str != NULL)?str:"(NONE)"); 1258 if (con->hit) BIO_printf(bio_s_out,"Reused session-id\n"); 1259 if (SSL_ctrl(con,SSL_CTRL_GET_FLAGS,0,NULL) & 1260 TLS1_FLAGS_TLS_PADDING_BUG) 1261 BIO_printf(bio_s_out,"Peer has incorrect TLSv1 block padding\n"); 1262#ifndef OPENSSL_NO_KRB5 1263 if (con->kssl_ctx->client_princ != NULL) 1264 { 1265 BIO_printf(bio_s_out,"Kerberos peer principal is %s\n", 1266 con->kssl_ctx->client_princ); 1267 } 1268#endif /* OPENSSL_NO_KRB5 */ 1269 return(1); 1270 } 1271 1272#ifndef OPENSSL_NO_DH 1273static DH *load_dh_param(char *dhfile) 1274 { 1275 DH *ret=NULL; 1276 BIO *bio; 1277 1278 if ((bio=BIO_new_file(dhfile,"r")) == NULL) 1279 goto err; 1280 ret=PEM_read_bio_DHparams(bio,NULL,NULL,NULL); 1281err: 1282 if (bio != NULL) BIO_free(bio); 1283 return(ret); 1284 } 1285#endif 1286 1287#if 0 1288static int load_CA(SSL_CTX *ctx, char *file) 1289 { 1290 FILE *in; 1291 X509 *x=NULL; 1292 1293 if ((in=fopen(file,"r")) == NULL) 1294 return(0); 1295 1296 for (;;) 1297 { 1298 if (PEM_read_X509(in,&x,NULL) == NULL) 1299 break; 1300 SSL_CTX_add_client_CA(ctx,x); 1301 } 1302 if (x != NULL) X509_free(x); 1303 fclose(in); 1304 return(1); 1305 } 1306#endif 1307 1308static int www_body(char *hostname, int s, unsigned char *context) 1309 { 1310 char *buf=NULL; 1311 int ret=1; 1312 int i,j,k,blank,dot; 1313 struct stat st_buf; 1314 SSL *con; 1315 SSL_CIPHER *c; 1316 BIO *io,*ssl_bio,*sbio; 1317 long total_bytes; 1318 1319 buf=OPENSSL_malloc(bufsize); 1320 if (buf == NULL) return(0); 1321 io=BIO_new(BIO_f_buffer()); 1322 ssl_bio=BIO_new(BIO_f_ssl()); 1323 if ((io == NULL) || (ssl_bio == NULL)) goto err; 1324 1325#ifdef FIONBIO 1326 if (s_nbio) 1327 { 1328 unsigned long sl=1; 1329 1330 if (!s_quiet) 1331 BIO_printf(bio_err,"turning on non blocking io\n"); 1332 if (BIO_socket_ioctl(s,FIONBIO,&sl) < 0) 1333 ERR_print_errors(bio_err); 1334 } 1335#endif 1336 1337 /* lets make the output buffer a reasonable size */ 1338 if (!BIO_set_write_buffer_size(io,bufsize)) goto err; 1339 1340 if ((con=SSL_new(ctx)) == NULL) goto err; 1341#ifndef OPENSSL_NO_KRB5 1342 if ((con->kssl_ctx = kssl_ctx_new()) != NULL) 1343 { 1344 kssl_ctx_setstring(con->kssl_ctx, KSSL_SERVICE, KRB5SVC); 1345 kssl_ctx_setstring(con->kssl_ctx, KSSL_KEYTAB, KRB5KEYTAB); 1346 } 1347#endif /* OPENSSL_NO_KRB5 */ 1348 if(context) SSL_set_session_id_context(con, context, 1349 strlen((char *)context)); 1350 1351 sbio=BIO_new_socket(s,BIO_NOCLOSE); 1352 if (s_nbio_test) 1353 { 1354 BIO *test; 1355 1356 test=BIO_new(BIO_f_nbio_test()); 1357 sbio=BIO_push(test,sbio); 1358 } 1359 SSL_set_bio(con,sbio,sbio); 1360 SSL_set_accept_state(con); 1361 1362 /* SSL_set_fd(con,s); */ 1363 BIO_set_ssl(ssl_bio,con,BIO_CLOSE); 1364 BIO_push(io,ssl_bio); 1365#ifdef CHARSET_EBCDIC 1366 io = BIO_push(BIO_new(BIO_f_ebcdic_filter()),io); 1367#endif 1368 1369 if (s_debug) 1370 { 1371 con->debug=1; 1372 BIO_set_callback(SSL_get_rbio(con),bio_dump_cb); 1373 BIO_set_callback_arg(SSL_get_rbio(con),bio_s_out); 1374 } 1375 if (s_msg) 1376 { 1377 SSL_set_msg_callback(con, msg_cb); 1378 SSL_set_msg_callback_arg(con, bio_s_out); 1379 } 1380 1381 blank=0; 1382 for (;;) 1383 { 1384 if (hack) 1385 { 1386 i=SSL_accept(con); 1387 1388 switch (SSL_get_error(con,i)) 1389 { 1390 case SSL_ERROR_NONE: 1391 break; 1392 case SSL_ERROR_WANT_WRITE: 1393 case SSL_ERROR_WANT_READ: 1394 case SSL_ERROR_WANT_X509_LOOKUP: 1395 continue; 1396 case SSL_ERROR_SYSCALL: 1397 case SSL_ERROR_SSL: 1398 case SSL_ERROR_ZERO_RETURN: 1399 ret=1; 1400 goto err; 1401 /* break; */ 1402 } 1403 1404 SSL_renegotiate(con); 1405 SSL_write(con,NULL,0); 1406 } 1407 1408 i=BIO_gets(io,buf,bufsize-1); 1409 if (i < 0) /* error */ 1410 { 1411 if (!BIO_should_retry(io)) 1412 { 1413 if (!s_quiet) 1414 ERR_print_errors(bio_err); 1415 goto err; 1416 } 1417 else 1418 { 1419 BIO_printf(bio_s_out,"read R BLOCK\n"); 1420#if !defined(OPENSSL_SYS_MSDOS) && !defined(__DJGPP__) 1421 sleep(1); 1422#endif 1423 continue; 1424 } 1425 } 1426 else if (i == 0) /* end of input */ 1427 { 1428 ret=1; 1429 goto end; 1430 } 1431 1432 /* else we have data */ 1433 if ( ((www == 1) && (strncmp("GET ",buf,4) == 0)) || 1434 ((www == 2) && (strncmp("GET /stats ",buf,10) == 0))) 1435 { 1436 char *p; 1437 X509 *peer; 1438 STACK_OF(SSL_CIPHER) *sk; 1439 static char *space=" "; 1440 1441 BIO_puts(io,"HTTP/1.0 200 ok\r\nContent-type: text/html\r\n\r\n"); 1442 BIO_puts(io,"<HTML><BODY BGCOLOR=\"#ffffff\">\n"); 1443 BIO_puts(io,"<pre>\n"); 1444/* BIO_puts(io,SSLeay_version(SSLEAY_VERSION));*/ 1445 BIO_puts(io,"\n"); 1446 for (i=0; i<local_argc; i++) 1447 { 1448 BIO_puts(io,local_argv[i]); 1449 BIO_write(io," ",1); 1450 } 1451 BIO_puts(io,"\n"); 1452 1453 /* The following is evil and should not really 1454 * be done */ 1455 BIO_printf(io,"Ciphers supported in s_server binary\n"); 1456 sk=SSL_get_ciphers(con); 1457 j=sk_SSL_CIPHER_num(sk); 1458 for (i=0; i<j; i++) 1459 { 1460 c=sk_SSL_CIPHER_value(sk,i); 1461 BIO_printf(io,"%-11s:%-25s", 1462 SSL_CIPHER_get_version(c), 1463 SSL_CIPHER_get_name(c)); 1464 if ((((i+1)%2) == 0) && (i+1 != j)) 1465 BIO_puts(io,"\n"); 1466 } 1467 BIO_puts(io,"\n"); 1468 p=SSL_get_shared_ciphers(con,buf,bufsize); 1469 if (p != NULL) 1470 { 1471 BIO_printf(io,"---\nCiphers common between both SSL end points:\n"); 1472 j=i=0; 1473 while (*p) 1474 { 1475 if (*p == ':') 1476 { 1477 BIO_write(io,space,26-j); 1478 i++; 1479 j=0; 1480 BIO_write(io,((i%3)?" ":"\n"),1); 1481 } 1482 else 1483 { 1484 BIO_write(io,p,1); 1485 j++; 1486 } 1487 p++; 1488 } 1489 BIO_puts(io,"\n"); 1490 } 1491 BIO_printf(io,((con->hit) 1492 ?"---\nReused, " 1493 :"---\nNew, ")); 1494 c=SSL_get_current_cipher(con); 1495 BIO_printf(io,"%s, Cipher is %s\n", 1496 SSL_CIPHER_get_version(c), 1497 SSL_CIPHER_get_name(c)); 1498 SSL_SESSION_print(io,SSL_get_session(con)); 1499 BIO_printf(io,"---\n"); 1500 print_stats(io,SSL_get_SSL_CTX(con)); 1501 BIO_printf(io,"---\n"); 1502 peer=SSL_get_peer_certificate(con); 1503 if (peer != NULL) 1504 { 1505 BIO_printf(io,"Client certificate\n"); 1506 X509_print(io,peer); 1507 PEM_write_bio_X509(io,peer); 1508 } 1509 else 1510 BIO_puts(io,"no client certificate available\n"); 1511 BIO_puts(io,"</BODY></HTML>\r\n\r\n"); 1512 break; 1513 } 1514 else if ((www == 2 || www == 3) 1515 && (strncmp("GET /",buf,5) == 0)) 1516 { 1517 BIO *file; 1518 char *p,*e; 1519 static char *text="HTTP/1.0 200 ok\r\nContent-type: text/plain\r\n\r\n"; 1520 1521 /* skip the '/' */ 1522 p= &(buf[5]); 1523 1524 dot = 1; 1525 for (e=p; *e != '\0'; e++) 1526 { 1527 if (e[0] == ' ') 1528 break; 1529 1530 switch (dot) 1531 { 1532 case 1: 1533 dot = (e[0] == '.') ? 2 : 0; 1534 break; 1535 case 2: 1536 dot = (e[0] == '.') ? 3 : 0; 1537 break; 1538 case 3: 1539 dot = (e[0] == '/') ? -1 : 0; 1540 break; 1541 } 1542 if (dot == 0) 1543 dot = (e[0] == '/') ? 1 : 0; 1544 } 1545 dot = (dot == 3) || (dot == -1); /* filename contains ".." component */ 1546 1547 if (*e == '\0') 1548 { 1549 BIO_puts(io,text); 1550 BIO_printf(io,"'%s' is an invalid file name\r\n",p); 1551 break; 1552 } 1553 *e='\0'; 1554 1555 if (dot) 1556 { 1557 BIO_puts(io,text); 1558 BIO_printf(io,"'%s' contains '..' reference\r\n",p); 1559 break; 1560 } 1561 1562 if (*p == '/') 1563 { 1564 BIO_puts(io,text); 1565 BIO_printf(io,"'%s' is an invalid path\r\n",p); 1566 break; 1567 } 1568 1569#if 0 1570 /* append if a directory lookup */ 1571 if (e[-1] == '/') 1572 strcat(p,"index.html"); 1573#endif 1574 1575 /* if a directory, do the index thang */ 1576 if (stat(p,&st_buf) < 0) 1577 { 1578 BIO_puts(io,text); 1579 BIO_printf(io,"Error accessing '%s'\r\n",p); 1580 ERR_print_errors(io); 1581 break; 1582 } 1583 if (S_ISDIR(st_buf.st_mode)) 1584 { 1585#if 0 /* must check buffer size */ 1586 strcat(p,"/index.html"); 1587#else 1588 BIO_puts(io,text); 1589 BIO_printf(io,"'%s' is a directory\r\n",p); 1590 break; 1591#endif 1592 } 1593 1594 if ((file=BIO_new_file(p,"r")) == NULL) 1595 { 1596 BIO_puts(io,text); 1597 BIO_printf(io,"Error opening '%s'\r\n",p); 1598 ERR_print_errors(io); 1599 break; 1600 } 1601 1602 if (!s_quiet) 1603 BIO_printf(bio_err,"FILE:%s\n",p); 1604 1605 if (www == 2) 1606 { 1607 i=strlen(p); 1608 if ( ((i > 5) && (strcmp(&(p[i-5]),".html") == 0)) || 1609 ((i > 4) && (strcmp(&(p[i-4]),".php") == 0)) || 1610 ((i > 4) && (strcmp(&(p[i-4]),".htm") == 0))) 1611 BIO_puts(io,"HTTP/1.0 200 ok\r\nContent-type: text/html\r\n\r\n"); 1612 else 1613 BIO_puts(io,"HTTP/1.0 200 ok\r\nContent-type: text/plain\r\n\r\n"); 1614 } 1615 /* send the file */ 1616 total_bytes=0; 1617 for (;;) 1618 { 1619 i=BIO_read(file,buf,bufsize); 1620 if (i <= 0) break; 1621 1622#ifdef RENEG 1623 total_bytes+=i; 1624 fprintf(stderr,"%d\n",i); 1625 if (total_bytes > 3*1024) 1626 { 1627 total_bytes=0; 1628 fprintf(stderr,"RENEGOTIATE\n"); 1629 SSL_renegotiate(con); 1630 } 1631#endif 1632 1633 for (j=0; j<i; ) 1634 { 1635#ifdef RENEG 1636{ static count=0; if (++count == 13) { SSL_renegotiate(con); } } 1637#endif 1638 k=BIO_write(io,&(buf[j]),i-j); 1639 if (k <= 0) 1640 { 1641 if (!BIO_should_retry(io)) 1642 goto write_error; 1643 else 1644 { 1645 BIO_printf(bio_s_out,"rwrite W BLOCK\n"); 1646 } 1647 } 1648 else 1649 { 1650 j+=k; 1651 } 1652 } 1653 } 1654write_error: 1655 BIO_free(file); 1656 break; 1657 } 1658 } 1659 1660 for (;;) 1661 { 1662 i=(int)BIO_flush(io); 1663 if (i <= 0) 1664 { 1665 if (!BIO_should_retry(io)) 1666 break; 1667 } 1668 else 1669 break; 1670 } 1671end: 1672#if 1 1673 /* make sure we re-use sessions */ 1674 SSL_set_shutdown(con,SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN); 1675#else 1676 /* This kills performance */ 1677/* SSL_shutdown(con); A shutdown gets sent in the 1678 * BIO_free_all(io) procession */ 1679#endif 1680 1681err: 1682 1683 if (ret >= 0) 1684 BIO_printf(bio_s_out,"ACCEPT\n"); 1685 1686 if (buf != NULL) OPENSSL_free(buf); 1687 if (io != NULL) BIO_free_all(io); 1688/* if (ssl_bio != NULL) BIO_free(ssl_bio);*/ 1689 return(ret); 1690 } 1691 1692#ifndef OPENSSL_NO_RSA 1693static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength) 1694 { 1695 static RSA *rsa_tmp=NULL; 1696 1697 if (rsa_tmp == NULL) 1698 { 1699 if (!s_quiet) 1700 { 1701 BIO_printf(bio_err,"Generating temp (%d bit) RSA key...",keylength); 1702 (void)BIO_flush(bio_err); 1703 } 1704 rsa_tmp=RSA_generate_key(keylength,RSA_F4,NULL,NULL); 1705 if (!s_quiet) 1706 { 1707 BIO_printf(bio_err,"\n"); 1708 (void)BIO_flush(bio_err); 1709 } 1710 } 1711 return(rsa_tmp); 1712 } 1713#endif 1714 1715#define MAX_SESSION_ID_ATTEMPTS 10 1716static int generate_session_id(const SSL *ssl, unsigned char *id, 1717 unsigned int *id_len) 1718 { 1719 unsigned int count = 0; 1720 do { 1721 RAND_pseudo_bytes(id, *id_len); 1722 /* Prefix the session_id with the required prefix. NB: If our 1723 * prefix is too long, clip it - but there will be worse effects 1724 * anyway, eg. the server could only possibly create 1 session 1725 * ID (ie. the prefix!) so all future session negotiations will 1726 * fail due to conflicts. */ 1727 memcpy(id, session_id_prefix, 1728 (strlen(session_id_prefix) < *id_len) ? 1729 strlen(session_id_prefix) : *id_len); 1730 } 1731 while(SSL_has_matching_session_id(ssl, id, *id_len) && 1732 (++count < MAX_SESSION_ID_ATTEMPTS)); 1733 if(count >= MAX_SESSION_ID_ATTEMPTS) 1734 return 0; 1735 return 1; 1736 } 1737