xref: /freebsd/contrib/bearssl/tools/server.c (revision 924226fba12cc9a228c73b956e1b7fa24c60b055)
1 /*
2  * Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
3  *
4  * Permission is hereby granted, free of charge, to any person obtaining
5  * a copy of this software and associated documentation files (the
6  * "Software"), to deal in the Software without restriction, including
7  * without limitation the rights to use, copy, modify, merge, publish,
8  * distribute, sublicense, and/or sell copies of the Software, and to
9  * permit persons to whom the Software is furnished to do so, subject to
10  * the following conditions:
11  *
12  * The above copyright notice and this permission notice shall be
13  * included in all copies or substantial portions of the Software.
14  *
15  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16  * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17  * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18  * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19  * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20  * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21  * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22  * SOFTWARE.
23  */
24 
25 #include <stdio.h>
26 #include <stdlib.h>
27 #include <string.h>
28 #include <stdint.h>
29 #include <errno.h>
30 #include <signal.h>
31 
32 #ifdef _WIN32
33 #include <winsock2.h>
34 #include <ws2tcpip.h>
35 #else
36 #include <sys/types.h>
37 #include <sys/socket.h>
38 #include <netdb.h>
39 #include <netinet/in.h>
40 #include <arpa/inet.h>
41 #include <unistd.h>
42 #include <fcntl.h>
43 
44 #define SOCKET             int
45 #define INVALID_SOCKET     (-1)
46 #define SOCKADDR_STORAGE   struct sockaddr_storage
47 #endif
48 
49 #include "brssl.h"
50 
51 static SOCKET
52 host_bind(const char *host, const char *port, int verbose)
53 {
54 	struct addrinfo hints, *si, *p;
55 	SOCKET fd;
56 	int err;
57 
58 	memset(&hints, 0, sizeof hints);
59 	hints.ai_family = PF_UNSPEC;
60 	hints.ai_socktype = SOCK_STREAM;
61 	err = getaddrinfo(host, port, &hints, &si);
62 	if (err != 0) {
63 		fprintf(stderr, "ERROR: getaddrinfo(): %s\n",
64 			gai_strerror(err));
65 		return INVALID_SOCKET;
66 	}
67 	fd = INVALID_SOCKET;
68 	for (p = si; p != NULL; p = p->ai_next) {
69 		struct sockaddr *sa;
70 		struct sockaddr_in sa4;
71 		struct sockaddr_in6 sa6;
72 		size_t sa_len;
73 		void *addr;
74 		int opt;
75 
76 		sa = (struct sockaddr *)p->ai_addr;
77 		if (sa->sa_family == AF_INET) {
78 			memcpy(&sa4, sa, sizeof sa4);
79 			sa = (struct sockaddr *)&sa4;
80 			sa_len = sizeof sa4;
81 			addr = &sa4.sin_addr;
82 			if (host == NULL) {
83 				sa4.sin_addr.s_addr = INADDR_ANY;
84 			}
85 		} else if (sa->sa_family == AF_INET6) {
86 			memcpy(&sa6, sa, sizeof sa6);
87 			sa = (struct sockaddr *)&sa6;
88 			sa_len = sizeof sa6;
89 			addr = &sa6.sin6_addr;
90 			if (host == NULL) {
91 				sa6.sin6_addr = in6addr_any;
92 			}
93 		} else {
94 			addr = NULL;
95 			sa_len = p->ai_addrlen;
96 		}
97 		if (verbose) {
98 			char tmp[INET6_ADDRSTRLEN + 50];
99 
100 			if (addr != NULL) {
101 				if (!inet_ntop(p->ai_family, addr,
102 					tmp, sizeof tmp))
103 				{
104 					strcpy(tmp, "<invalid>");
105 				}
106 			} else {
107 				sprintf(tmp, "<unknown family: %d>",
108 					(int)sa->sa_family);
109 			}
110 			fprintf(stderr, "binding to: %s\n", tmp);
111 		}
112 		fd = socket(p->ai_family, p->ai_socktype, p->ai_protocol);
113 		if (fd == INVALID_SOCKET) {
114 			if (verbose) {
115 				perror("socket()");
116 			}
117 			continue;
118 		}
119 		opt = 1;
120 		setsockopt(fd, SOL_SOCKET, SO_REUSEADDR,
121 			(void *)&opt, sizeof opt);
122 #ifdef IPV6_V6ONLY
123 		/*
124 		 * We want to make sure that the server socket works for
125 		 * both IPv4 and IPv6. But IPV6_V6ONLY is not defined on
126 		 * some very old systems.
127 		 */
128 		opt = 0;
129 		setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY,
130 			(void *)&opt, sizeof opt);
131 #endif
132 		if (bind(fd, sa, sa_len) < 0) {
133 			if (verbose) {
134 				perror("bind()");
135 			}
136 #ifdef _WIN32
137 			closesocket(fd);
138 #else
139 			close(fd);
140 #endif
141 			continue;
142 		}
143 		break;
144 	}
145 	if (p == NULL) {
146 		freeaddrinfo(si);
147 		fprintf(stderr, "ERROR: failed to bind\n");
148 		return INVALID_SOCKET;
149 	}
150 	freeaddrinfo(si);
151 	if (listen(fd, 5) < 0) {
152 		if (verbose) {
153 			perror("listen()");
154 		}
155 #ifdef _WIN32
156 		closesocket(fd);
157 #else
158 		close(fd);
159 #endif
160 		return INVALID_SOCKET;
161 	}
162 	if (verbose) {
163 		fprintf(stderr, "bound.\n");
164 	}
165 	return fd;
166 }
167 
168 static SOCKET
169 accept_client(SOCKET server_fd, int verbose, int nonblock)
170 {
171 	int fd;
172 	SOCKADDR_STORAGE sa;
173 	socklen_t sa_len;
174 
175 	sa_len = sizeof sa;
176 	fd = accept(server_fd, (struct sockaddr *)&sa, &sa_len);
177 	if (fd == INVALID_SOCKET) {
178 		if (verbose) {
179 			perror("accept()");
180 		}
181 		return INVALID_SOCKET;
182 	}
183 	if (verbose) {
184 		char tmp[INET6_ADDRSTRLEN + 50];
185 		const char *name;
186 
187 		name = NULL;
188 		switch (((struct sockaddr *)&sa)->sa_family) {
189 		case AF_INET:
190 			name = inet_ntop(AF_INET,
191 				&((struct sockaddr_in *)&sa)->sin_addr,
192 				tmp, sizeof tmp);
193 			break;
194 		case AF_INET6:
195 			name = inet_ntop(AF_INET6,
196 				&((struct sockaddr_in6 *)&sa)->sin6_addr,
197 				tmp, sizeof tmp);
198 			break;
199 		}
200 		if (name == NULL) {
201 			sprintf(tmp, "<unknown: %lu>", (unsigned long)
202 				((struct sockaddr *)&sa)->sa_family);
203 			name = tmp;
204 		}
205 		fprintf(stderr, "accepting connection from: %s\n", name);
206 	}
207 
208 	/*
209 	 * We make the socket non-blocking, since we are going to use
210 	 * poll() or select() to organise I/O.
211 	 */
212 	if (nonblock) {
213 #ifdef _WIN32
214 		u_long arg;
215 
216 		arg = 1;
217 		ioctlsocket(fd, FIONBIO, &arg);
218 #else
219 		fcntl(fd, F_SETFL, O_NONBLOCK);
220 #endif
221 	}
222 	return fd;
223 }
224 
225 static void
226 usage_server(void)
227 {
228 	fprintf(stderr,
229 "usage: brssl server [ options ]\n");
230 	fprintf(stderr,
231 "options:\n");
232 	fprintf(stderr,
233 "   -q              suppress verbose messages\n");
234 	fprintf(stderr,
235 "   -trace          activate extra debug messages (dump of all packets)\n");
236 	fprintf(stderr,
237 "   -b name         bind to a specific address or host name\n");
238 	fprintf(stderr,
239 "   -p port         bind to a specific port (default: 4433)\n");
240 	fprintf(stderr,
241 "   -mono           use monodirectional buffering\n");
242 	fprintf(stderr,
243 "   -buf length     set the I/O buffer length (in bytes)\n");
244 	fprintf(stderr,
245 "   -cache length   set the session cache storage length (in bytes)\n");
246 	fprintf(stderr,
247 "   -cert fname     read certificate chain from file 'fname'\n");
248 	fprintf(stderr,
249 "   -key fname      read private key from file 'fname'\n");
250 	fprintf(stderr,
251 "   -CA file        add trust anchors from 'file' (for client auth)\n");
252 	fprintf(stderr,
253 "   -anon_ok        request but do not require a client certificate\n");
254 	fprintf(stderr,
255 "   -list           list supported names (protocols, algorithms...)\n");
256 	fprintf(stderr,
257 "   -vmin name      set minimum supported version (default: TLS-1.0)\n");
258 	fprintf(stderr,
259 "   -vmax name      set maximum supported version (default: TLS-1.2)\n");
260 	fprintf(stderr,
261 "   -cs names       set list of supported cipher suites (comma-separated)\n");
262 	fprintf(stderr,
263 "   -hf names       add support for some hash functions (comma-separated)\n");
264 	fprintf(stderr,
265 "   -cbhash         test hashing in policy callback\n");
266 	fprintf(stderr,
267 "   -serverpref     enforce server's preferences for cipher suites\n");
268 	fprintf(stderr,
269 "   -noreneg        prohibit renegotiations\n");
270 	fprintf(stderr,
271 "   -alpn name      add protocol name to list of protocols (ALPN extension)\n");
272 	fprintf(stderr,
273 "   -strictalpn     fail on ALPN mismatch\n");
274 	exit(EXIT_FAILURE);
275 }
276 
277 typedef struct {
278 	const br_ssl_server_policy_class *vtable;
279 	int verbose;
280 	br_x509_certificate *chain;
281 	size_t chain_len;
282 	int cert_signer_algo;
283 	private_key *sk;
284 	int cbhash;
285 } policy_context;
286 
287 static void
288 print_hashes(unsigned chashes)
289 {
290 	int i;
291 
292 	for (i = 2; i <= 6; i ++) {
293 		if ((chashes >> i) & 1) {
294 			int z;
295 
296 			switch (i) {
297 			case 3: z = 224; break;
298 			case 4: z = 256; break;
299 			case 5: z = 384; break;
300 			case 6: z = 512; break;
301 			default:
302 				z = 1;
303 				break;
304 			}
305 			fprintf(stderr, " sha%d", z);
306 		}
307 	}
308 }
309 
310 static unsigned
311 choose_hash(unsigned chashes)
312 {
313 	unsigned hash_id;
314 
315 	for (hash_id = 6; hash_id >= 2; hash_id --) {
316 		if (((chashes >> hash_id) & 1) != 0) {
317 			return hash_id;
318 		}
319 	}
320 	/*
321 	 * Normally unreachable.
322 	 */
323 	return 0;
324 }
325 
326 static int
327 sp_choose(const br_ssl_server_policy_class **pctx,
328 	const br_ssl_server_context *cc,
329 	br_ssl_server_choices *choices)
330 {
331 	policy_context *pc;
332 	const br_suite_translated *st;
333 	size_t u, st_num;
334 	unsigned chashes;
335 
336 	pc = (policy_context *)pctx;
337 	st = br_ssl_server_get_client_suites(cc, &st_num);
338 	chashes = br_ssl_server_get_client_hashes(cc);
339 	if (pc->verbose) {
340 		fprintf(stderr, "Client parameters:\n");
341 		fprintf(stderr, "   Maximum version:      ");
342 		switch (cc->client_max_version) {
343 		case BR_SSL30:
344 			fprintf(stderr, "SSL 3.0");
345 			break;
346 		case BR_TLS10:
347 			fprintf(stderr, "TLS 1.0");
348 			break;
349 		case BR_TLS11:
350 			fprintf(stderr, "TLS 1.1");
351 			break;
352 		case BR_TLS12:
353 			fprintf(stderr, "TLS 1.2");
354 			break;
355 		default:
356 			fprintf(stderr, "unknown (0x%04X)",
357 				(unsigned)cc->client_max_version);
358 			break;
359 		}
360 		fprintf(stderr, "\n");
361 		fprintf(stderr, "   Compatible cipher suites:\n");
362 		for (u = 0; u < st_num; u ++) {
363 			char csn[80];
364 
365 			get_suite_name_ext(st[u][0], csn, sizeof csn);
366 			fprintf(stderr, "      %s\n", csn);
367 		}
368 		fprintf(stderr, "   Common sign+hash functions:\n");
369 		if ((chashes & 0xFF) != 0) {
370 			fprintf(stderr, "      with RSA:");
371 			print_hashes(chashes);
372 			fprintf(stderr, "\n");
373 		}
374 		if ((chashes >> 8) != 0) {
375 			fprintf(stderr, "      with ECDSA:");
376 			print_hashes(chashes >> 8);
377 			fprintf(stderr, "\n");
378 		}
379 	}
380 	for (u = 0; u < st_num; u ++) {
381 		unsigned tt;
382 
383 		tt = st[u][1];
384 		switch (tt >> 12) {
385 		case BR_SSLKEYX_RSA:
386 			if (pc->sk->key_type == BR_KEYTYPE_RSA) {
387 				choices->cipher_suite = st[u][0];
388 				goto choose_ok;
389 			}
390 			break;
391 		case BR_SSLKEYX_ECDHE_RSA:
392 			if (pc->sk->key_type == BR_KEYTYPE_RSA) {
393 				choices->cipher_suite = st[u][0];
394 				if (br_ssl_engine_get_version(&cc->eng)
395 					< BR_TLS12)
396 				{
397 					if (pc->cbhash) {
398 						choices->algo_id = 0x0001;
399 					} else {
400 						choices->algo_id = 0xFF00;
401 					}
402 				} else {
403 					unsigned id;
404 
405 					id = choose_hash(chashes);
406 					if (pc->cbhash) {
407 						choices->algo_id =
408 							(id << 8) + 0x01;
409 					} else {
410 						choices->algo_id = 0xFF00 + id;
411 					}
412 				}
413 				goto choose_ok;
414 			}
415 			break;
416 		case BR_SSLKEYX_ECDHE_ECDSA:
417 			if (pc->sk->key_type == BR_KEYTYPE_EC) {
418 				choices->cipher_suite = st[u][0];
419 				if (br_ssl_engine_get_version(&cc->eng)
420 					< BR_TLS12)
421 				{
422 					if (pc->cbhash) {
423 						choices->algo_id = 0x0203;
424 					} else {
425 						choices->algo_id =
426 							0xFF00 + br_sha1_ID;
427 					}
428 				} else {
429 					unsigned id;
430 
431 					id = choose_hash(chashes >> 8);
432 					if (pc->cbhash) {
433 						choices->algo_id =
434 							(id << 8) + 0x03;
435 					} else {
436 						choices->algo_id =
437 							0xFF00 + id;
438 					}
439 				}
440 				goto choose_ok;
441 			}
442 			break;
443 		case BR_SSLKEYX_ECDH_RSA:
444 			if (pc->sk->key_type == BR_KEYTYPE_EC
445 				&& pc->cert_signer_algo == BR_KEYTYPE_RSA)
446 			{
447 				choices->cipher_suite = st[u][0];
448 				goto choose_ok;
449 			}
450 			break;
451 		case BR_SSLKEYX_ECDH_ECDSA:
452 			if (pc->sk->key_type == BR_KEYTYPE_EC
453 				&& pc->cert_signer_algo == BR_KEYTYPE_EC)
454 			{
455 				choices->cipher_suite = st[u][0];
456 				goto choose_ok;
457 			}
458 			break;
459 		}
460 	}
461 	return 0;
462 
463 choose_ok:
464 	choices->chain = pc->chain;
465 	choices->chain_len = pc->chain_len;
466 	if (pc->verbose) {
467 		char csn[80];
468 
469 		get_suite_name_ext(choices->cipher_suite, csn, sizeof csn);
470 		fprintf(stderr, "Using: %s\n", csn);
471 	}
472 	return 1;
473 }
474 
475 static uint32_t
476 sp_do_keyx(const br_ssl_server_policy_class **pctx,
477 	unsigned char *data, size_t *len)
478 {
479 	policy_context *pc;
480 	uint32_t r;
481 	size_t xoff, xlen;
482 
483 	pc = (policy_context *)pctx;
484 	switch (pc->sk->key_type) {
485 		const br_ec_impl *iec;
486 
487 	case BR_KEYTYPE_RSA:
488 		return br_rsa_ssl_decrypt(
489 			br_rsa_private_get_default(),
490 			&pc->sk->key.rsa, data, *len);
491 	case BR_KEYTYPE_EC:
492 		iec = br_ec_get_default();
493 		r = iec->mul(data, *len, pc->sk->key.ec.x,
494 			pc->sk->key.ec.xlen, pc->sk->key.ec.curve);
495 		xoff = iec->xoff(pc->sk->key.ec.curve, &xlen);
496 		memmove(data, data + xoff, xlen);
497 		*len = xlen;
498 		return r;
499 	default:
500 		fprintf(stderr, "ERROR: unknown private key type (%d)\n",
501 			(int)pc->sk->key_type);
502 		return 0;
503 	}
504 }
505 
506 static size_t
507 sp_do_sign(const br_ssl_server_policy_class **pctx,
508 	unsigned algo_id, unsigned char *data, size_t hv_len, size_t len)
509 {
510 	policy_context *pc;
511 	unsigned char hv[64];
512 
513 	pc = (policy_context *)pctx;
514 	if (algo_id >= 0xFF00) {
515 		algo_id &= 0xFF;
516 		memcpy(hv, data, hv_len);
517 	} else {
518 		const br_hash_class *hc;
519 		br_hash_compat_context zc;
520 
521 		if (pc->verbose) {
522 			fprintf(stderr, "Callback hashing, algo = 0x%04X,"
523 				" data_len = %lu\n",
524 				algo_id, (unsigned long)hv_len);
525 		}
526 		algo_id >>= 8;
527 		hc = get_hash_impl(algo_id);
528 		if (hc == NULL) {
529 			if (pc->verbose) {
530 				fprintf(stderr,
531 					"ERROR: unsupported hash function %u\n",
532 					algo_id);
533 			}
534 			return 0;
535 		}
536 		hc->init(&zc.vtable);
537 		hc->update(&zc.vtable, data, hv_len);
538 		hc->out(&zc.vtable, hv);
539 		hv_len = (hc->desc >> BR_HASHDESC_OUT_OFF)
540 			& BR_HASHDESC_OUT_MASK;
541 	}
542 	switch (pc->sk->key_type) {
543 		size_t sig_len;
544 		uint32_t x;
545 		const unsigned char *hash_oid;
546 		const br_hash_class *hc;
547 
548 	case BR_KEYTYPE_RSA:
549 		hash_oid = get_hash_oid(algo_id);
550 		if (hash_oid == NULL && algo_id != 0) {
551 			if (pc->verbose) {
552 				fprintf(stderr, "ERROR: cannot RSA-sign with"
553 					" unknown hash function: %u\n",
554 					algo_id);
555 			}
556 			return 0;
557 		}
558 		sig_len = (pc->sk->key.rsa.n_bitlen + 7) >> 3;
559 		if (len < sig_len) {
560 			if (pc->verbose) {
561 				fprintf(stderr, "ERROR: cannot RSA-sign,"
562 					" buffer is too small"
563 					" (sig=%lu, buf=%lu)\n",
564 					(unsigned long)sig_len,
565 					(unsigned long)len);
566 			}
567 			return 0;
568 		}
569 		x = br_rsa_pkcs1_sign_get_default()(
570 			hash_oid, hv, hv_len, &pc->sk->key.rsa, data);
571 		if (!x) {
572 			if (pc->verbose) {
573 				fprintf(stderr, "ERROR: RSA-sign failure\n");
574 			}
575 			return 0;
576 		}
577 		return sig_len;
578 
579 	case BR_KEYTYPE_EC:
580 		hc = get_hash_impl(algo_id);
581 		if (hc == NULL) {
582 			if (pc->verbose) {
583 				fprintf(stderr, "ERROR: cannot ECDSA-sign with"
584 					" unknown hash function: %u\n",
585 					algo_id);
586 			}
587 			return 0;
588 		}
589 		if (len < 139) {
590 			if (pc->verbose) {
591 				fprintf(stderr, "ERROR: cannot ECDSA-sign"
592 					" (output buffer = %lu)\n",
593 					(unsigned long)len);
594 			}
595 			return 0;
596 		}
597 		sig_len = br_ecdsa_sign_asn1_get_default()(
598 			br_ec_get_default(), hc, hv, &pc->sk->key.ec, data);
599 		if (sig_len == 0) {
600 			if (pc->verbose) {
601 				fprintf(stderr, "ERROR: ECDSA-sign failure\n");
602 			}
603 			return 0;
604 		}
605 		return sig_len;
606 
607 	default:
608 		return 0;
609 	}
610 }
611 
612 static const br_ssl_server_policy_class policy_vtable = {
613 	sizeof(policy_context),
614 	sp_choose,
615 	sp_do_keyx,
616 	sp_do_sign
617 };
618 
619 void
620 free_alpn(void *alpn)
621 {
622 	xfree(*(char **)alpn);
623 }
624 
625 /* see brssl.h */
626 int
627 do_server(int argc, char *argv[])
628 {
629 	int retcode;
630 	int verbose;
631 	int trace;
632 	int i, bidi;
633 	const char *bind_name;
634 	const char *port;
635 	unsigned vmin, vmax;
636 	cipher_suite *suites;
637 	size_t num_suites;
638 	uint16_t *suite_ids;
639 	unsigned hfuns;
640 	int cbhash;
641 	br_x509_certificate *chain;
642 	size_t chain_len;
643 	int cert_signer_algo;
644 	private_key *sk;
645 	anchor_list anchors = VEC_INIT;
646 	VECTOR(char *) alpn_names = VEC_INIT;
647 	br_x509_minimal_context xc;
648 	const br_hash_class *dnhash;
649 	size_t u;
650 	br_ssl_server_context cc;
651 	policy_context pc;
652 	br_ssl_session_cache_lru lru;
653 	unsigned char *iobuf, *cache;
654 	size_t iobuf_len, cache_len;
655 	uint32_t flags;
656 	SOCKET server_fd, fd;
657 
658 	retcode = 0;
659 	verbose = 1;
660 	trace = 0;
661 	bind_name = NULL;
662 	port = NULL;
663 	bidi = 1;
664 	vmin = 0;
665 	vmax = 0;
666 	suites = NULL;
667 	num_suites = 0;
668 	hfuns = 0;
669 	cbhash = 0;
670 	suite_ids = NULL;
671 	chain = NULL;
672 	chain_len = 0;
673 	sk = NULL;
674 	iobuf = NULL;
675 	iobuf_len = 0;
676 	cache = NULL;
677 	cache_len = (size_t)-1;
678 	flags = 0;
679 	server_fd = INVALID_SOCKET;
680 	fd = INVALID_SOCKET;
681 	for (i = 0; i < argc; i ++) {
682 		const char *arg;
683 
684 		arg = argv[i];
685 		if (arg[0] != '-') {
686 			usage_server();
687 			goto server_exit_error;
688 		}
689 		if (eqstr(arg, "-v") || eqstr(arg, "-verbose")) {
690 			verbose = 1;
691 		} else if (eqstr(arg, "-q") || eqstr(arg, "-quiet")) {
692 			verbose = 0;
693 		} else if (eqstr(arg, "-trace")) {
694 			trace = 1;
695 		} else if (eqstr(arg, "-b")) {
696 			if (++ i >= argc) {
697 				fprintf(stderr,
698 					"ERROR: no argument for '-b'\n");
699 				usage_server();
700 				goto server_exit_error;
701 			}
702 			if (bind_name != NULL) {
703 				fprintf(stderr, "ERROR: duplicate bind host\n");
704 				usage_server();
705 				goto server_exit_error;
706 			}
707 			bind_name = argv[i];
708 		} else if (eqstr(arg, "-p")) {
709 			if (++ i >= argc) {
710 				fprintf(stderr,
711 					"ERROR: no argument for '-p'\n");
712 				usage_server();
713 				goto server_exit_error;
714 			}
715 			if (port != NULL) {
716 				fprintf(stderr, "ERROR: duplicate bind port\n");
717 				usage_server();
718 				goto server_exit_error;
719 			}
720 			port = argv[i];
721 		} else if (eqstr(arg, "-mono")) {
722 			bidi = 0;
723 		} else if (eqstr(arg, "-buf")) {
724 			if (++ i >= argc) {
725 				fprintf(stderr,
726 					"ERROR: no argument for '-buf'\n");
727 				usage_server();
728 				goto server_exit_error;
729 			}
730 			arg = argv[i];
731 			if (iobuf_len != 0) {
732 				fprintf(stderr,
733 					"ERROR: duplicate I/O buffer length\n");
734 				usage_server();
735 				goto server_exit_error;
736 			}
737 			iobuf_len = parse_size(arg);
738 			if (iobuf_len == (size_t)-1) {
739 				usage_server();
740 				goto server_exit_error;
741 			}
742 		} else if (eqstr(arg, "-cache")) {
743 			if (++ i >= argc) {
744 				fprintf(stderr,
745 					"ERROR: no argument for '-cache'\n");
746 				usage_server();
747 				goto server_exit_error;
748 			}
749 			arg = argv[i];
750 			if (cache_len != (size_t)-1) {
751 				fprintf(stderr, "ERROR: duplicate session"
752 					" cache length\n");
753 				usage_server();
754 				goto server_exit_error;
755 			}
756 			cache_len = parse_size(arg);
757 			if (cache_len == (size_t)-1) {
758 				usage_server();
759 				goto server_exit_error;
760 			}
761 		} else if (eqstr(arg, "-cert")) {
762 			if (++ i >= argc) {
763 				fprintf(stderr,
764 					"ERROR: no argument for '-cert'\n");
765 				usage_server();
766 				goto server_exit_error;
767 			}
768 			if (chain != NULL) {
769 				fprintf(stderr,
770 					"ERROR: duplicate certificate chain\n");
771 				usage_server();
772 				goto server_exit_error;
773 			}
774 			arg = argv[i];
775 			chain = read_certificates(arg, &chain_len);
776 			if (chain == NULL || chain_len == 0) {
777 				goto server_exit_error;
778 			}
779 		} else if (eqstr(arg, "-key")) {
780 			if (++ i >= argc) {
781 				fprintf(stderr,
782 					"ERROR: no argument for '-key'\n");
783 				usage_server();
784 				goto server_exit_error;
785 			}
786 			if (sk != NULL) {
787 				fprintf(stderr,
788 					"ERROR: duplicate private key\n");
789 				usage_server();
790 				goto server_exit_error;
791 			}
792 			arg = argv[i];
793 			sk = read_private_key(arg);
794 			if (sk == NULL) {
795 				goto server_exit_error;
796 			}
797 		} else if (eqstr(arg, "-CA")) {
798 			if (++ i >= argc) {
799 				fprintf(stderr,
800 					"ERROR: no argument for '-CA'\n");
801 				usage_server();
802 				goto server_exit_error;
803 			}
804 			arg = argv[i];
805 			if (read_trust_anchors(&anchors, arg) == 0) {
806 				usage_server();
807 				goto server_exit_error;
808 			}
809 		} else if (eqstr(arg, "-anon_ok")) {
810 			flags |= BR_OPT_TOLERATE_NO_CLIENT_AUTH;
811 		} else if (eqstr(arg, "-list")) {
812 			list_names();
813 			goto server_exit;
814 		} else if (eqstr(arg, "-vmin")) {
815 			if (++ i >= argc) {
816 				fprintf(stderr,
817 					"ERROR: no argument for '-vmin'\n");
818 				usage_server();
819 				goto server_exit_error;
820 			}
821 			arg = argv[i];
822 			if (vmin != 0) {
823 				fprintf(stderr,
824 					"ERROR: duplicate minimum version\n");
825 				usage_server();
826 				goto server_exit_error;
827 			}
828 			vmin = parse_version(arg, strlen(arg));
829 			if (vmin == 0) {
830 				fprintf(stderr,
831 					"ERROR: unrecognised version '%s'\n",
832 					arg);
833 				usage_server();
834 				goto server_exit_error;
835 			}
836 		} else if (eqstr(arg, "-vmax")) {
837 			if (++ i >= argc) {
838 				fprintf(stderr,
839 					"ERROR: no argument for '-vmax'\n");
840 				usage_server();
841 				goto server_exit_error;
842 			}
843 			arg = argv[i];
844 			if (vmax != 0) {
845 				fprintf(stderr,
846 					"ERROR: duplicate maximum version\n");
847 				usage_server();
848 				goto server_exit_error;
849 			}
850 			vmax = parse_version(arg, strlen(arg));
851 			if (vmax == 0) {
852 				fprintf(stderr,
853 					"ERROR: unrecognised version '%s'\n",
854 					arg);
855 				usage_server();
856 				goto server_exit_error;
857 			}
858 		} else if (eqstr(arg, "-cs")) {
859 			if (++ i >= argc) {
860 				fprintf(stderr,
861 					"ERROR: no argument for '-cs'\n");
862 				usage_server();
863 				goto server_exit_error;
864 			}
865 			arg = argv[i];
866 			if (suites != NULL) {
867 				fprintf(stderr, "ERROR: duplicate list"
868 					" of cipher suites\n");
869 				usage_server();
870 				goto server_exit_error;
871 			}
872 			suites = parse_suites(arg, &num_suites);
873 			if (suites == NULL) {
874 				usage_server();
875 				goto server_exit_error;
876 			}
877 		} else if (eqstr(arg, "-hf")) {
878 			unsigned x;
879 
880 			if (++ i >= argc) {
881 				fprintf(stderr,
882 					"ERROR: no argument for '-hf'\n");
883 				usage_server();
884 				goto server_exit_error;
885 			}
886 			arg = argv[i];
887 			x = parse_hash_functions(arg);
888 			if (x == 0) {
889 				usage_server();
890 				goto server_exit_error;
891 			}
892 			hfuns |= x;
893 		} else if (eqstr(arg, "-cbhash")) {
894 			cbhash = 1;
895 		} else if (eqstr(arg, "-serverpref")) {
896 			flags |= BR_OPT_ENFORCE_SERVER_PREFERENCES;
897 		} else if (eqstr(arg, "-noreneg")) {
898 			flags |= BR_OPT_NO_RENEGOTIATION;
899 		} else if (eqstr(arg, "-alpn")) {
900 			if (++ i >= argc) {
901 				fprintf(stderr,
902 					"ERROR: no argument for '-alpn'\n");
903 				usage_server();
904 				goto server_exit_error;
905 			}
906 			VEC_ADD(alpn_names, xstrdup(argv[i]));
907 		} else if (eqstr(arg, "-strictalpn")) {
908 			flags |= BR_OPT_FAIL_ON_ALPN_MISMATCH;
909 		} else {
910 			fprintf(stderr, "ERROR: unknown option: '%s'\n", arg);
911 			usage_server();
912 			goto server_exit_error;
913 		}
914 	}
915 	if (port == NULL) {
916 		port = "4433";
917 	}
918 	if (vmin == 0) {
919 		vmin = BR_TLS10;
920 	}
921 	if (vmax == 0) {
922 		vmax = BR_TLS12;
923 	}
924 	if (vmax < vmin) {
925 		fprintf(stderr, "ERROR: impossible minimum/maximum protocol"
926 			" version combination\n");
927 		usage_server();
928 		goto server_exit_error;
929 	}
930 	if (suites == NULL) {
931 		num_suites = 0;
932 
933 		for (u = 0; cipher_suites[u].name; u ++) {
934 			if ((cipher_suites[u].req & REQ_TLS12) == 0
935 				|| vmax >= BR_TLS12)
936 			{
937 				num_suites ++;
938 			}
939 		}
940 		suites = xmalloc(num_suites * sizeof *suites);
941 		num_suites = 0;
942 		for (u = 0; cipher_suites[u].name; u ++) {
943 			if ((cipher_suites[u].req & REQ_TLS12) == 0
944 				|| vmax >= BR_TLS12)
945 			{
946 				suites[num_suites ++] = cipher_suites[u];
947 			}
948 		}
949 	}
950 	if (hfuns == 0) {
951 		hfuns = (unsigned)-1;
952 	}
953 	if (chain == NULL || chain_len == 0) {
954 		fprintf(stderr, "ERROR: no certificate chain provided\n");
955 		goto server_exit_error;
956 	}
957 	if (sk == NULL) {
958 		fprintf(stderr, "ERROR: no private key provided\n");
959 		goto server_exit_error;
960 	}
961 	switch (sk->key_type) {
962 		int curve;
963 		uint32_t supp;
964 
965 	case BR_KEYTYPE_RSA:
966 		break;
967 	case BR_KEYTYPE_EC:
968 		curve = sk->key.ec.curve;
969 		supp = br_ec_get_default()->supported_curves;
970 		if (curve > 31 || !((supp >> curve) & 1)) {
971 			fprintf(stderr, "ERROR: private key curve (%d)"
972 				" is not supported\n", curve);
973 			goto server_exit_error;
974 		}
975 		break;
976 	default:
977 		fprintf(stderr, "ERROR: unsupported private key type (%d)\n",
978 			sk->key_type);
979 		break;
980 	}
981 	cert_signer_algo = get_cert_signer_algo(chain);
982 	if (cert_signer_algo == 0) {
983 		goto server_exit_error;
984 	}
985 	if (verbose) {
986 		const char *csas;
987 
988 		switch (cert_signer_algo) {
989 		case BR_KEYTYPE_RSA: csas = "RSA"; break;
990 		case BR_KEYTYPE_EC:  csas = "EC"; break;
991 		default:
992 			csas = "unknown";
993 			break;
994 		}
995 		fprintf(stderr, "Issuing CA key type: %d (%s)\n",
996 			cert_signer_algo, csas);
997 	}
998 	if (iobuf_len == 0) {
999 		if (bidi) {
1000 			iobuf_len = BR_SSL_BUFSIZE_BIDI;
1001 		} else {
1002 			iobuf_len = BR_SSL_BUFSIZE_MONO;
1003 		}
1004 	}
1005 	iobuf = xmalloc(iobuf_len);
1006 	if (cache_len == (size_t)-1) {
1007 		cache_len = 5000;
1008 	}
1009 	cache = xmalloc(cache_len);
1010 
1011 	/*
1012 	 * Compute implementation requirements and inject implementations.
1013 	 */
1014 	suite_ids = xmalloc(num_suites * sizeof *suite_ids);
1015 	br_ssl_server_zero(&cc);
1016 	br_ssl_engine_set_versions(&cc.eng, vmin, vmax);
1017 	br_ssl_engine_set_all_flags(&cc.eng, flags);
1018 	if (vmin <= BR_TLS11) {
1019 		if (!(hfuns & (1 << br_md5_ID))) {
1020 			fprintf(stderr, "ERROR: TLS 1.0 and 1.1 need MD5\n");
1021 			goto server_exit_error;
1022 		}
1023 		if (!(hfuns & (1 << br_sha1_ID))) {
1024 			fprintf(stderr, "ERROR: TLS 1.0 and 1.1 need SHA-1\n");
1025 			goto server_exit_error;
1026 		}
1027 	}
1028 	for (u = 0; u < num_suites; u ++) {
1029 		unsigned req;
1030 
1031 		req = suites[u].req;
1032 		suite_ids[u] = suites[u].suite;
1033 		if ((req & REQ_TLS12) != 0 && vmax < BR_TLS12) {
1034 			fprintf(stderr,
1035 				"ERROR: cipher suite %s requires TLS 1.2\n",
1036 				suites[u].name);
1037 			goto server_exit_error;
1038 		}
1039 		if ((req & REQ_SHA1) != 0 && !(hfuns & (1 << br_sha1_ID))) {
1040 			fprintf(stderr,
1041 				"ERROR: cipher suite %s requires SHA-1\n",
1042 				suites[u].name);
1043 			goto server_exit_error;
1044 		}
1045 		if ((req & REQ_SHA256) != 0 && !(hfuns & (1 << br_sha256_ID))) {
1046 			fprintf(stderr,
1047 				"ERROR: cipher suite %s requires SHA-256\n",
1048 				suites[u].name);
1049 			goto server_exit_error;
1050 		}
1051 		if ((req & REQ_SHA384) != 0 && !(hfuns & (1 << br_sha384_ID))) {
1052 			fprintf(stderr,
1053 				"ERROR: cipher suite %s requires SHA-384\n",
1054 				suites[u].name);
1055 			goto server_exit_error;
1056 		}
1057 		/* TODO: algorithm implementation selection */
1058 		if ((req & REQ_AESCBC) != 0) {
1059 			br_ssl_engine_set_default_aes_cbc(&cc.eng);
1060 		}
1061 		if ((req & REQ_AESCCM) != 0) {
1062 			br_ssl_engine_set_default_aes_ccm(&cc.eng);
1063 		}
1064 		if ((req & REQ_AESGCM) != 0) {
1065 			br_ssl_engine_set_default_aes_gcm(&cc.eng);
1066 		}
1067 		if ((req & REQ_CHAPOL) != 0) {
1068 			br_ssl_engine_set_default_chapol(&cc.eng);
1069 		}
1070 		if ((req & REQ_3DESCBC) != 0) {
1071 			br_ssl_engine_set_default_des_cbc(&cc.eng);
1072 		}
1073 		if ((req & (REQ_ECDHE_RSA | REQ_ECDHE_ECDSA)) != 0) {
1074 			br_ssl_engine_set_default_ec(&cc.eng);
1075 		}
1076 	}
1077 	br_ssl_engine_set_suites(&cc.eng, suite_ids, num_suites);
1078 
1079 	dnhash = NULL;
1080 	for (u = 0; hash_functions[u].name; u ++) {
1081 		const br_hash_class *hc;
1082 		int id;
1083 
1084 		hc = hash_functions[u].hclass;
1085 		id = (hc->desc >> BR_HASHDESC_ID_OFF) & BR_HASHDESC_ID_MASK;
1086 		if ((hfuns & ((unsigned)1 << id)) != 0) {
1087 			dnhash = hc;
1088 			br_ssl_engine_set_hash(&cc.eng, id, hc);
1089 		}
1090 	}
1091 	if (vmin <= BR_TLS11) {
1092 		br_ssl_engine_set_prf10(&cc.eng, &br_tls10_prf);
1093 	}
1094 	if (vmax >= BR_TLS12) {
1095 		if ((hfuns & ((unsigned)1 << br_sha256_ID)) != 0) {
1096 			br_ssl_engine_set_prf_sha256(&cc.eng,
1097 				&br_tls12_sha256_prf);
1098 		}
1099 		if ((hfuns & ((unsigned)1 << br_sha384_ID)) != 0) {
1100 			br_ssl_engine_set_prf_sha384(&cc.eng,
1101 				&br_tls12_sha384_prf);
1102 		}
1103 	}
1104 
1105 	br_ssl_session_cache_lru_init(&lru, cache, cache_len);
1106 	br_ssl_server_set_cache(&cc, &lru.vtable);
1107 
1108 	if (VEC_LEN(alpn_names) != 0) {
1109 		br_ssl_engine_set_protocol_names(&cc.eng,
1110 			(const char **)&VEC_ELT(alpn_names, 0),
1111 			VEC_LEN(alpn_names));
1112 	}
1113 
1114 	/*
1115 	 * Set the policy handler (that chooses the actual cipher suite,
1116 	 * selects the certificate chain, and runs the private key
1117 	 * operations).
1118 	 */
1119 	pc.vtable = &policy_vtable;
1120 	pc.verbose = verbose;
1121 	pc.chain = chain;
1122 	pc.chain_len = chain_len;
1123 	pc.cert_signer_algo = cert_signer_algo;
1124 	pc.sk = sk;
1125 	pc.cbhash = cbhash;
1126 	br_ssl_server_set_policy(&cc, &pc.vtable);
1127 
1128 	/*
1129 	 * If trust anchors have been configured, then set an X.509
1130 	 * validation engine and activate client certificate
1131 	 * authentication.
1132 	 */
1133 	if (VEC_LEN(anchors) != 0) {
1134 		br_x509_minimal_init(&xc, dnhash,
1135 			&VEC_ELT(anchors, 0), VEC_LEN(anchors));
1136 		for (u = 0; hash_functions[u].name; u ++) {
1137 			const br_hash_class *hc;
1138 			int id;
1139 
1140 			hc = hash_functions[u].hclass;
1141 			id = (hc->desc >> BR_HASHDESC_ID_OFF)
1142 				& BR_HASHDESC_ID_MASK;
1143 			if ((hfuns & ((unsigned)1 << id)) != 0) {
1144 				br_x509_minimal_set_hash(&xc, id, hc);
1145 			}
1146 		}
1147 		br_ssl_engine_set_default_rsavrfy(&cc.eng);
1148 		br_ssl_engine_set_default_ecdsa(&cc.eng);
1149 		br_x509_minimal_set_rsa(&xc, br_rsa_pkcs1_vrfy_get_default());
1150 		br_x509_minimal_set_ecdsa(&xc,
1151 			br_ec_get_default(), br_ecdsa_vrfy_asn1_get_default());
1152 		br_ssl_engine_set_x509(&cc.eng, &xc.vtable);
1153 		br_ssl_server_set_trust_anchor_names_alt(&cc,
1154 			&VEC_ELT(anchors, 0), VEC_LEN(anchors));
1155 	}
1156 
1157 	br_ssl_engine_set_buffer(&cc.eng, iobuf, iobuf_len, bidi);
1158 
1159 	/*
1160 	 * On Unix systems, we need to ignore SIGPIPE.
1161 	 */
1162 #ifndef _WIN32
1163 	signal(SIGPIPE, SIG_IGN);
1164 #endif
1165 
1166 	/*
1167 	 * Open the server socket.
1168 	 */
1169 	server_fd = host_bind(bind_name, port, verbose);
1170 	if (server_fd == INVALID_SOCKET) {
1171 		goto server_exit_error;
1172 	}
1173 
1174 	/*
1175 	 * Process incoming clients, one at a time. Note that we do not
1176 	 * accept any client until the previous connection has finished:
1177 	 * this is voluntary, since the tool uses stdin/stdout for
1178 	 * application data, and thus cannot really run two connections
1179 	 * simultaneously.
1180 	 */
1181 	for (;;) {
1182 		int x;
1183 		unsigned run_flags;
1184 
1185 		fd = accept_client(server_fd, verbose, 1);
1186 		if (fd == INVALID_SOCKET) {
1187 			goto server_exit_error;
1188 		}
1189 		br_ssl_server_reset(&cc);
1190 		run_flags = (verbose ? RUN_ENGINE_VERBOSE : 0)
1191 			| (trace ? RUN_ENGINE_TRACE : 0);
1192 		x = run_ssl_engine(&cc.eng, fd, run_flags);
1193 #ifdef _WIN32
1194 		closesocket(fd);
1195 #else
1196 		close(fd);
1197 #endif
1198 		fd = INVALID_SOCKET;
1199 		if (x < -1) {
1200 			goto server_exit_error;
1201 		}
1202 	}
1203 
1204 	/*
1205 	 * Release allocated structures.
1206 	 */
1207 server_exit:
1208 	xfree(suites);
1209 	xfree(suite_ids);
1210 	free_certificates(chain, chain_len);
1211 	free_private_key(sk);
1212 	VEC_CLEAREXT(anchors, &free_ta_contents);
1213 	VEC_CLEAREXT(alpn_names, &free_alpn);
1214 	xfree(iobuf);
1215 	xfree(cache);
1216 	if (fd != INVALID_SOCKET) {
1217 #ifdef _WIN32
1218 		closesocket(fd);
1219 #else
1220 		close(fd);
1221 #endif
1222 	}
1223 	if (server_fd != INVALID_SOCKET) {
1224 #ifdef _WIN32
1225 		closesocket(server_fd);
1226 #else
1227 		close(server_fd);
1228 #endif
1229 	}
1230 	return retcode;
1231 
1232 server_exit_error:
1233 	retcode = -1;
1234 	goto server_exit;
1235 }
1236