xref: /freebsd/crypto/openssl/apps/s_server.c (revision 33644623554bb0fc57ed3c7d874193a498679b22)
1 /* apps/s_server.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  *
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  *
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  *
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  *
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  *
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer.
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111 /* ====================================================================
112  * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113  * ECC cipher suite support in OpenSSL originally developed by
114  * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
115  */
116 
117 /* Until the key-gen callbacks are modified to use newer prototypes, we allow
118  * deprecated functions for openssl-internal code */
119 #ifdef OPENSSL_NO_DEPRECATED
120 #undef OPENSSL_NO_DEPRECATED
121 #endif
122 
123 #include <assert.h>
124 #include <stdio.h>
125 #include <stdlib.h>
126 #include <string.h>
127 
128 #include <sys/stat.h>
129 #include <openssl/e_os2.h>
130 #ifdef OPENSSL_NO_STDIO
131 #define APPS_WIN16
132 #endif
133 
134 #if !defined(OPENSSL_SYS_NETWARE)  /* conflicts with winsock2 stuff on netware */
135 #include <sys/types.h>
136 #endif
137 
138 /* With IPv6, it looks like Digital has mixed up the proper order of
139    recursive header file inclusion, resulting in the compiler complaining
140    that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which
141    is needed to have fileno() declared correctly...  So let's define u_int */
142 #if defined(OPENSSL_SYS_VMS_DECC) && !defined(__U_INT)
143 #define __U_INT
144 typedef unsigned int u_int;
145 #endif
146 
147 #include <openssl/lhash.h>
148 #include <openssl/bn.h>
149 #define USE_SOCKETS
150 #include "apps.h"
151 #include <openssl/err.h>
152 #include <openssl/pem.h>
153 #include <openssl/x509.h>
154 #include <openssl/ssl.h>
155 #include <openssl/rand.h>
156 #ifndef OPENSSL_NO_DH
157 #include <openssl/dh.h>
158 #endif
159 #ifndef OPENSSL_NO_RSA
160 #include <openssl/rsa.h>
161 #endif
162 #include "s_apps.h"
163 #include "timeouts.h"
164 
165 #ifdef OPENSSL_SYS_WINCE
166 /* Windows CE incorrectly defines fileno as returning void*, so to avoid problems below... */
167 #ifdef fileno
168 #undef fileno
169 #endif
170 #define fileno(a) (int)_fileno(a)
171 #endif
172 
173 #if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
174 /* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
175 #undef FIONBIO
176 #endif
177 
178 #ifndef OPENSSL_NO_RSA
179 static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength);
180 #endif
181 static int sv_body(char *hostname, int s, unsigned char *context);
182 static int www_body(char *hostname, int s, unsigned char *context);
183 static void close_accept_socket(void );
184 static void sv_usage(void);
185 static int init_ssl_connection(SSL *s);
186 static void print_stats(BIO *bp,SSL_CTX *ctx);
187 static int generate_session_id(const SSL *ssl, unsigned char *id,
188 				unsigned int *id_len);
189 #ifndef OPENSSL_NO_DH
190 static DH *load_dh_param(const char *dhfile);
191 static DH *get_dh512(void);
192 #endif
193 
194 #ifdef MONOLITH
195 static void s_server_init(void);
196 #endif
197 
198 #ifndef S_ISDIR
199 # if defined(_S_IFMT) && defined(_S_IFDIR)
200 #  define S_ISDIR(a)	(((a) & _S_IFMT) == _S_IFDIR)
201 # else
202 #  define S_ISDIR(a)	(((a) & S_IFMT) == S_IFDIR)
203 # endif
204 #endif
205 
206 #ifndef OPENSSL_NO_DH
207 static unsigned char dh512_p[]={
208 	0xDA,0x58,0x3C,0x16,0xD9,0x85,0x22,0x89,0xD0,0xE4,0xAF,0x75,
209 	0x6F,0x4C,0xCA,0x92,0xDD,0x4B,0xE5,0x33,0xB8,0x04,0xFB,0x0F,
210 	0xED,0x94,0xEF,0x9C,0x8A,0x44,0x03,0xED,0x57,0x46,0x50,0xD3,
211 	0x69,0x99,0xDB,0x29,0xD7,0x76,0x27,0x6B,0xA2,0xD3,0xD4,0x12,
212 	0xE2,0x18,0xF4,0xDD,0x1E,0x08,0x4C,0xF6,0xD8,0x00,0x3E,0x7C,
213 	0x47,0x74,0xE8,0x33,
214 	};
215 static unsigned char dh512_g[]={
216 	0x02,
217 	};
218 
219 static DH *get_dh512(void)
220 	{
221 	DH *dh=NULL;
222 
223 	if ((dh=DH_new()) == NULL) return(NULL);
224 	dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
225 	dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
226 	if ((dh->p == NULL) || (dh->g == NULL))
227 		return(NULL);
228 	return(dh);
229 	}
230 #endif
231 
232 
233 /* static int load_CA(SSL_CTX *ctx, char *file);*/
234 
235 #undef BUFSIZZ
236 #define BUFSIZZ	16*1024
237 static int bufsize=BUFSIZZ;
238 static int accept_socket= -1;
239 
240 #define TEST_CERT	"server.pem"
241 #undef PROG
242 #define PROG		s_server_main
243 
244 extern int verify_depth;
245 
246 static char *cipher=NULL;
247 static int s_server_verify=SSL_VERIFY_NONE;
248 static int s_server_session_id_context = 1; /* anything will do */
249 static const char *s_cert_file=TEST_CERT,*s_key_file=NULL;
250 static char *s_dcert_file=NULL,*s_dkey_file=NULL;
251 #ifdef FIONBIO
252 static int s_nbio=0;
253 #endif
254 static int s_nbio_test=0;
255 int s_crlf=0;
256 static SSL_CTX *ctx=NULL;
257 static int www=0;
258 
259 static BIO *bio_s_out=NULL;
260 static int s_debug=0;
261 static int s_msg=0;
262 static int s_quiet=0;
263 
264 static int hack=0;
265 #ifndef OPENSSL_NO_ENGINE
266 static char *engine_id=NULL;
267 #endif
268 static const char *session_id_prefix=NULL;
269 
270 static int enable_timeouts = 0;
271 #ifdef mtu
272 #undef mtu
273 #endif
274 static long mtu;
275 static int cert_chain = 0;
276 
277 
278 #ifdef MONOLITH
279 static void s_server_init(void)
280 	{
281 	accept_socket=-1;
282 	cipher=NULL;
283 	s_server_verify=SSL_VERIFY_NONE;
284 	s_dcert_file=NULL;
285 	s_dkey_file=NULL;
286 	s_cert_file=TEST_CERT;
287 	s_key_file=NULL;
288 #ifdef FIONBIO
289 	s_nbio=0;
290 #endif
291 	s_nbio_test=0;
292 	ctx=NULL;
293 	www=0;
294 
295 	bio_s_out=NULL;
296 	s_debug=0;
297 	s_msg=0;
298 	s_quiet=0;
299 	hack=0;
300 #ifndef OPENSSL_NO_ENGINE
301 	engine_id=NULL;
302 #endif
303 	}
304 #endif
305 
306 static void sv_usage(void)
307 	{
308 	BIO_printf(bio_err,"usage: s_server [args ...]\n");
309 	BIO_printf(bio_err,"\n");
310 	BIO_printf(bio_err," -accept arg   - port to accept on (default is %d)\n",PORT);
311 	BIO_printf(bio_err," -context arg  - set session ID context\n");
312 	BIO_printf(bio_err," -verify arg   - turn on peer certificate verification\n");
313 	BIO_printf(bio_err," -Verify arg   - turn on peer certificate verification, must have a cert.\n");
314 	BIO_printf(bio_err," -cert arg     - certificate file to use\n");
315 	BIO_printf(bio_err,"                 (default is %s)\n",TEST_CERT);
316 	BIO_printf(bio_err," -certform arg - certificate format (PEM or DER) PEM default\n");
317 	BIO_printf(bio_err," -key arg      - Private Key file to use, in cert file if\n");
318 	BIO_printf(bio_err,"                 not specified (default is %s)\n",TEST_CERT);
319 	BIO_printf(bio_err," -keyform arg  - key format (PEM, DER or ENGINE) PEM default\n");
320 	BIO_printf(bio_err," -pass arg     - private key file pass phrase source\n");
321 	BIO_printf(bio_err," -dcert arg    - second certificate file to use (usually for DSA)\n");
322 	BIO_printf(bio_err," -dcertform x  - second certificate format (PEM or DER) PEM default\n");
323 	BIO_printf(bio_err," -dkey arg     - second private key file to use (usually for DSA)\n");
324 	BIO_printf(bio_err," -dkeyform arg - second key format (PEM, DER or ENGINE) PEM default\n");
325 	BIO_printf(bio_err," -dpass arg    - second private key file pass phrase source\n");
326 	BIO_printf(bio_err," -dhparam arg  - DH parameter file to use, in cert file if not specified\n");
327 	BIO_printf(bio_err,"                 or a default set of parameters is used\n");
328 #ifndef OPENSSL_NO_ECDH
329 	BIO_printf(bio_err," -named_curve arg  - Elliptic curve name to use for ephemeral ECDH keys.\n" \
330 	                   "                 Use \"openssl ecparam -list_curves\" for all names\n" \
331 	                   "                 (default is sect163r2).\n");
332 #endif
333 #ifdef FIONBIO
334 	BIO_printf(bio_err," -nbio         - Run with non-blocking IO\n");
335 #endif
336 	BIO_printf(bio_err," -nbio_test    - test with the non-blocking test bio\n");
337 	BIO_printf(bio_err," -crlf         - convert LF from terminal into CRLF\n");
338 	BIO_printf(bio_err," -debug        - Print more output\n");
339 	BIO_printf(bio_err," -msg          - Show protocol messages\n");
340 	BIO_printf(bio_err," -state        - Print the SSL states\n");
341 	BIO_printf(bio_err," -CApath arg   - PEM format directory of CA's\n");
342 	BIO_printf(bio_err," -CAfile arg   - PEM format file of CA's\n");
343 	BIO_printf(bio_err," -nocert       - Don't use any certificates (Anon-DH)\n");
344 	BIO_printf(bio_err," -cipher arg   - play with 'openssl ciphers' to see what goes here\n");
345 	BIO_printf(bio_err," -serverpref   - Use server's cipher preferences\n");
346 	BIO_printf(bio_err," -quiet        - No server output\n");
347 	BIO_printf(bio_err," -no_tmp_rsa   - Do not generate a tmp RSA key\n");
348 	BIO_printf(bio_err," -ssl2         - Just talk SSLv2\n");
349 	BIO_printf(bio_err," -ssl3         - Just talk SSLv3\n");
350 	BIO_printf(bio_err," -tls1         - Just talk TLSv1\n");
351 	BIO_printf(bio_err," -dtls1        - Just talk DTLSv1\n");
352 	BIO_printf(bio_err," -timeout      - Enable timeouts\n");
353 	BIO_printf(bio_err," -mtu          - Set MTU\n");
354 	BIO_printf(bio_err," -chain        - Read a certificate chain\n");
355 	BIO_printf(bio_err," -no_ssl2      - Just disable SSLv2\n");
356 	BIO_printf(bio_err," -no_ssl3      - Just disable SSLv3\n");
357 	BIO_printf(bio_err," -no_tls1      - Just disable TLSv1\n");
358 #ifndef OPENSSL_NO_DH
359 	BIO_printf(bio_err," -no_dhe       - Disable ephemeral DH\n");
360 #endif
361 #ifndef OPENSSL_NO_ECDH
362 	BIO_printf(bio_err," -no_ecdhe     - Disable ephemeral ECDH\n");
363 #endif
364 	BIO_printf(bio_err," -bugs         - Turn on SSL bug compatibility\n");
365 	BIO_printf(bio_err," -www          - Respond to a 'GET /' with a status page\n");
366 	BIO_printf(bio_err," -WWW          - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>\n");
367 	BIO_printf(bio_err," -HTTP         - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>\n");
368         BIO_printf(bio_err,"                 with the assumption it contains a complete HTTP response.\n");
369 #ifndef OPENSSL_NO_ENGINE
370 	BIO_printf(bio_err," -engine id    - Initialise and use the specified engine\n");
371 #endif
372 	BIO_printf(bio_err," -id_prefix arg - Generate SSL/TLS session IDs prefixed by 'arg'\n");
373 	BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
374 	}
375 
376 static int local_argc=0;
377 static char **local_argv;
378 
379 #ifdef CHARSET_EBCDIC
380 static int ebcdic_new(BIO *bi);
381 static int ebcdic_free(BIO *a);
382 static int ebcdic_read(BIO *b, char *out, int outl);
383 static int ebcdic_write(BIO *b, const char *in, int inl);
384 static long ebcdic_ctrl(BIO *b, int cmd, long num, void *ptr);
385 static int ebcdic_gets(BIO *bp, char *buf, int size);
386 static int ebcdic_puts(BIO *bp, const char *str);
387 
388 #define BIO_TYPE_EBCDIC_FILTER	(18|0x0200)
389 static BIO_METHOD methods_ebcdic=
390 	{
391 	BIO_TYPE_EBCDIC_FILTER,
392 	"EBCDIC/ASCII filter",
393 	ebcdic_write,
394 	ebcdic_read,
395 	ebcdic_puts,
396 	ebcdic_gets,
397 	ebcdic_ctrl,
398 	ebcdic_new,
399 	ebcdic_free,
400 	};
401 
402 typedef struct
403 {
404 	size_t	alloced;
405 	char	buff[1];
406 } EBCDIC_OUTBUFF;
407 
408 BIO_METHOD *BIO_f_ebcdic_filter()
409 {
410 	return(&methods_ebcdic);
411 }
412 
413 static int ebcdic_new(BIO *bi)
414 {
415 	EBCDIC_OUTBUFF *wbuf;
416 
417 	wbuf = (EBCDIC_OUTBUFF *)OPENSSL_malloc(sizeof(EBCDIC_OUTBUFF) + 1024);
418 	wbuf->alloced = 1024;
419 	wbuf->buff[0] = '\0';
420 
421 	bi->ptr=(char *)wbuf;
422 	bi->init=1;
423 	bi->flags=0;
424 	return(1);
425 }
426 
427 static int ebcdic_free(BIO *a)
428 {
429 	if (a == NULL) return(0);
430 	if (a->ptr != NULL)
431 		OPENSSL_free(a->ptr);
432 	a->ptr=NULL;
433 	a->init=0;
434 	a->flags=0;
435 	return(1);
436 }
437 
438 static int ebcdic_read(BIO *b, char *out, int outl)
439 {
440 	int ret=0;
441 
442 	if (out == NULL || outl == 0) return(0);
443 	if (b->next_bio == NULL) return(0);
444 
445 	ret=BIO_read(b->next_bio,out,outl);
446 	if (ret > 0)
447 		ascii2ebcdic(out,out,ret);
448 	return(ret);
449 }
450 
451 static int ebcdic_write(BIO *b, const char *in, int inl)
452 {
453 	EBCDIC_OUTBUFF *wbuf;
454 	int ret=0;
455 	int num;
456 	unsigned char n;
457 
458 	if ((in == NULL) || (inl <= 0)) return(0);
459 	if (b->next_bio == NULL) return(0);
460 
461 	wbuf=(EBCDIC_OUTBUFF *)b->ptr;
462 
463 	if (inl > (num = wbuf->alloced))
464 	{
465 		num = num + num;  /* double the size */
466 		if (num < inl)
467 			num = inl;
468 		OPENSSL_free(wbuf);
469 		wbuf=(EBCDIC_OUTBUFF *)OPENSSL_malloc(sizeof(EBCDIC_OUTBUFF) + num);
470 
471 		wbuf->alloced = num;
472 		wbuf->buff[0] = '\0';
473 
474 		b->ptr=(char *)wbuf;
475 	}
476 
477 	ebcdic2ascii(wbuf->buff, in, inl);
478 
479 	ret=BIO_write(b->next_bio, wbuf->buff, inl);
480 
481 	return(ret);
482 }
483 
484 static long ebcdic_ctrl(BIO *b, int cmd, long num, void *ptr)
485 {
486 	long ret;
487 
488 	if (b->next_bio == NULL) return(0);
489 	switch (cmd)
490 	{
491 	case BIO_CTRL_DUP:
492 		ret=0L;
493 		break;
494 	default:
495 		ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
496 		break;
497 	}
498 	return(ret);
499 }
500 
501 static int ebcdic_gets(BIO *bp, char *buf, int size)
502 {
503 	int i, ret=0;
504 	if (bp->next_bio == NULL) return(0);
505 /*	return(BIO_gets(bp->next_bio,buf,size));*/
506 	for (i=0; i<size-1; ++i)
507 	{
508 		ret = ebcdic_read(bp,&buf[i],1);
509 		if (ret <= 0)
510 			break;
511 		else if (buf[i] == '\n')
512 		{
513 			++i;
514 			break;
515 		}
516 	}
517 	if (i < size)
518 		buf[i] = '\0';
519 	return (ret < 0 && i == 0) ? ret : i;
520 }
521 
522 static int ebcdic_puts(BIO *bp, const char *str)
523 {
524 	if (bp->next_bio == NULL) return(0);
525 	return ebcdic_write(bp, str, strlen(str));
526 }
527 #endif
528 
529 int MAIN(int, char **);
530 
531 int MAIN(int argc, char *argv[])
532 	{
533 	X509_STORE *store = NULL;
534 	int vflags = 0;
535 	short port=PORT;
536 	char *CApath=NULL,*CAfile=NULL;
537 	unsigned char *context = NULL;
538 	char *dhfile = NULL;
539 #ifndef OPENSSL_NO_ECDH
540 	char *named_curve = NULL;
541 #endif
542 	int badop=0,bugs=0;
543 	int ret=1;
544 	int off=0;
545 	int no_tmp_rsa=0,no_dhe=0,no_ecdhe=0,nocert=0;
546 	int state=0;
547 	SSL_METHOD *meth=NULL;
548 #ifdef sock_type
549 #undef sock_type
550 #endif
551     int sock_type=SOCK_STREAM;
552 #ifndef OPENSSL_NO_ENGINE
553 	ENGINE *e=NULL;
554 #endif
555 	char *inrand=NULL;
556 	int s_cert_format = FORMAT_PEM, s_key_format = FORMAT_PEM;
557 	char *passarg = NULL, *pass = NULL;
558 	char *dpassarg = NULL, *dpass = NULL;
559 	int s_dcert_format = FORMAT_PEM, s_dkey_format = FORMAT_PEM;
560 	X509 *s_cert = NULL, *s_dcert = NULL;
561 	EVP_PKEY *s_key = NULL, *s_dkey = NULL;
562 
563 #if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
564 	meth=SSLv23_server_method();
565 #elif !defined(OPENSSL_NO_SSL3)
566 	meth=SSLv3_server_method();
567 #elif !defined(OPENSSL_NO_SSL2)
568 	meth=SSLv2_server_method();
569 #endif
570 
571 	local_argc=argc;
572 	local_argv=argv;
573 
574 	apps_startup();
575 #ifdef MONOLITH
576 	s_server_init();
577 #endif
578 
579 	if (bio_err == NULL)
580 		bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
581 
582 	if (!load_config(bio_err, NULL))
583 		goto end;
584 
585 	verify_depth=0;
586 #ifdef FIONBIO
587 	s_nbio=0;
588 #endif
589 	s_nbio_test=0;
590 
591 	argc--;
592 	argv++;
593 
594 	while (argc >= 1)
595 		{
596 		if	((strcmp(*argv,"-port") == 0) ||
597 			 (strcmp(*argv,"-accept") == 0))
598 			{
599 			if (--argc < 1) goto bad;
600 			if (!extract_port(*(++argv),&port))
601 				goto bad;
602 			}
603 		else if	(strcmp(*argv,"-verify") == 0)
604 			{
605 			s_server_verify=SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE;
606 			if (--argc < 1) goto bad;
607 			verify_depth=atoi(*(++argv));
608 			BIO_printf(bio_err,"verify depth is %d\n",verify_depth);
609 			}
610 		else if	(strcmp(*argv,"-Verify") == 0)
611 			{
612 			s_server_verify=SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT|
613 				SSL_VERIFY_CLIENT_ONCE;
614 			if (--argc < 1) goto bad;
615 			verify_depth=atoi(*(++argv));
616 			BIO_printf(bio_err,"verify depth is %d, must return a certificate\n",verify_depth);
617 			}
618 		else if	(strcmp(*argv,"-context") == 0)
619 			{
620 			if (--argc < 1) goto bad;
621 			context= (unsigned char *)*(++argv);
622 			}
623 		else if	(strcmp(*argv,"-cert") == 0)
624 			{
625 			if (--argc < 1) goto bad;
626 			s_cert_file= *(++argv);
627 			}
628 		else if	(strcmp(*argv,"-certform") == 0)
629 			{
630 			if (--argc < 1) goto bad;
631 			s_cert_format = str2fmt(*(++argv));
632 			}
633 		else if	(strcmp(*argv,"-key") == 0)
634 			{
635 			if (--argc < 1) goto bad;
636 			s_key_file= *(++argv);
637 			}
638 		else if	(strcmp(*argv,"-keyform") == 0)
639 			{
640 			if (--argc < 1) goto bad;
641 			s_key_format = str2fmt(*(++argv));
642 			}
643 		else if	(strcmp(*argv,"-pass") == 0)
644 			{
645 			if (--argc < 1) goto bad;
646 			passarg = *(++argv);
647 			}
648 		else if	(strcmp(*argv,"-dhparam") == 0)
649 			{
650 			if (--argc < 1) goto bad;
651 			dhfile = *(++argv);
652 			}
653 #ifndef OPENSSL_NO_ECDH
654 		else if	(strcmp(*argv,"-named_curve") == 0)
655 			{
656 			if (--argc < 1) goto bad;
657 			named_curve = *(++argv);
658 			}
659 #endif
660 		else if	(strcmp(*argv,"-dcertform") == 0)
661 			{
662 			if (--argc < 1) goto bad;
663 			s_dcert_format = str2fmt(*(++argv));
664 			}
665 		else if	(strcmp(*argv,"-dcert") == 0)
666 			{
667 			if (--argc < 1) goto bad;
668 			s_dcert_file= *(++argv);
669 			}
670 		else if	(strcmp(*argv,"-dkeyform") == 0)
671 			{
672 			if (--argc < 1) goto bad;
673 			s_dkey_format = str2fmt(*(++argv));
674 			}
675 		else if	(strcmp(*argv,"-dpass") == 0)
676 			{
677 			if (--argc < 1) goto bad;
678 			dpassarg = *(++argv);
679 			}
680 		else if	(strcmp(*argv,"-dkey") == 0)
681 			{
682 			if (--argc < 1) goto bad;
683 			s_dkey_file= *(++argv);
684 			}
685 		else if (strcmp(*argv,"-nocert") == 0)
686 			{
687 			nocert=1;
688 			}
689 		else if	(strcmp(*argv,"-CApath") == 0)
690 			{
691 			if (--argc < 1) goto bad;
692 			CApath= *(++argv);
693 			}
694 		else if (strcmp(*argv,"-crl_check") == 0)
695 			{
696 			vflags |= X509_V_FLAG_CRL_CHECK;
697 			}
698 		else if (strcmp(*argv,"-crl_check") == 0)
699 			{
700 			vflags |= X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL;
701 			}
702 		else if	(strcmp(*argv,"-serverpref") == 0)
703 			{ off|=SSL_OP_CIPHER_SERVER_PREFERENCE; }
704 		else if	(strcmp(*argv,"-cipher") == 0)
705 			{
706 			if (--argc < 1) goto bad;
707 			cipher= *(++argv);
708 			}
709 		else if	(strcmp(*argv,"-CAfile") == 0)
710 			{
711 			if (--argc < 1) goto bad;
712 			CAfile= *(++argv);
713 			}
714 #ifdef FIONBIO
715 		else if	(strcmp(*argv,"-nbio") == 0)
716 			{ s_nbio=1; }
717 #endif
718 		else if	(strcmp(*argv,"-nbio_test") == 0)
719 			{
720 #ifdef FIONBIO
721 			s_nbio=1;
722 #endif
723 			s_nbio_test=1;
724 			}
725 		else if	(strcmp(*argv,"-debug") == 0)
726 			{ s_debug=1; }
727 		else if	(strcmp(*argv,"-msg") == 0)
728 			{ s_msg=1; }
729 		else if	(strcmp(*argv,"-hack") == 0)
730 			{ hack=1; }
731 		else if	(strcmp(*argv,"-state") == 0)
732 			{ state=1; }
733 		else if	(strcmp(*argv,"-crlf") == 0)
734 			{ s_crlf=1; }
735 		else if	(strcmp(*argv,"-quiet") == 0)
736 			{ s_quiet=1; }
737 		else if	(strcmp(*argv,"-bugs") == 0)
738 			{ bugs=1; }
739 		else if	(strcmp(*argv,"-no_tmp_rsa") == 0)
740 			{ no_tmp_rsa=1; }
741 		else if	(strcmp(*argv,"-no_dhe") == 0)
742 			{ no_dhe=1; }
743 		else if	(strcmp(*argv,"-no_ecdhe") == 0)
744 			{ no_ecdhe=1; }
745 		else if	(strcmp(*argv,"-www") == 0)
746 			{ www=1; }
747 		else if	(strcmp(*argv,"-WWW") == 0)
748 			{ www=2; }
749 		else if	(strcmp(*argv,"-HTTP") == 0)
750 			{ www=3; }
751 		else if	(strcmp(*argv,"-no_ssl2") == 0)
752 			{ off|=SSL_OP_NO_SSLv2; }
753 		else if	(strcmp(*argv,"-no_ssl3") == 0)
754 			{ off|=SSL_OP_NO_SSLv3; }
755 		else if	(strcmp(*argv,"-no_tls1") == 0)
756 			{ off|=SSL_OP_NO_TLSv1; }
757 #ifndef OPENSSL_NO_SSL2
758 		else if	(strcmp(*argv,"-ssl2") == 0)
759 			{ meth=SSLv2_server_method(); }
760 #endif
761 #ifndef OPENSSL_NO_SSL3
762 		else if	(strcmp(*argv,"-ssl3") == 0)
763 			{ meth=SSLv3_server_method(); }
764 #endif
765 #ifndef OPENSSL_NO_TLS1
766 		else if	(strcmp(*argv,"-tls1") == 0)
767 			{ meth=TLSv1_server_method(); }
768 #endif
769 #ifndef OPENSSL_NO_DTLS1
770 		else if	(strcmp(*argv,"-dtls1") == 0)
771 			{
772 			meth=DTLSv1_server_method();
773 			sock_type = SOCK_DGRAM;
774 			}
775 		else if (strcmp(*argv,"-timeout") == 0)
776 			enable_timeouts = 1;
777 		else if (strcmp(*argv,"-mtu") == 0)
778 			{
779 			if (--argc < 1) goto bad;
780 			mtu = atol(*(++argv));
781 			}
782 		else if (strcmp(*argv, "-chain") == 0)
783 			cert_chain = 1;
784 #endif
785 		else if (strcmp(*argv, "-id_prefix") == 0)
786 			{
787 			if (--argc < 1) goto bad;
788 			session_id_prefix = *(++argv);
789 			}
790 #ifndef OPENSSL_NO_ENGINE
791 		else if (strcmp(*argv,"-engine") == 0)
792 			{
793 			if (--argc < 1) goto bad;
794 			engine_id= *(++argv);
795 			}
796 #endif
797 		else if (strcmp(*argv,"-rand") == 0)
798 			{
799 			if (--argc < 1) goto bad;
800 			inrand= *(++argv);
801 			}
802 		else
803 			{
804 			BIO_printf(bio_err,"unknown option %s\n",*argv);
805 			badop=1;
806 			break;
807 			}
808 		argc--;
809 		argv++;
810 		}
811 	if (badop)
812 		{
813 bad:
814 		sv_usage();
815 		goto end;
816 		}
817 
818 	SSL_load_error_strings();
819 	OpenSSL_add_ssl_algorithms();
820 
821 #ifndef OPENSSL_NO_ENGINE
822         e = setup_engine(bio_err, engine_id, 1);
823 #endif
824 
825 	if (!app_passwd(bio_err, passarg, dpassarg, &pass, &dpass))
826 		{
827 		BIO_printf(bio_err, "Error getting password\n");
828 		goto end;
829 		}
830 
831 
832 	if (s_key_file == NULL)
833 		s_key_file = s_cert_file;
834 
835 	if (nocert == 0)
836 		{
837 		s_key = load_key(bio_err, s_key_file, s_key_format, 0, pass, e,
838 		       "server certificate private key file");
839 		if (!s_key)
840 			{
841 			ERR_print_errors(bio_err);
842 			goto end;
843 			}
844 
845 		s_cert = load_cert(bio_err,s_cert_file,s_cert_format,
846 			NULL, e, "server certificate file");
847 
848 		if (!s_cert)
849 			{
850 			ERR_print_errors(bio_err);
851 			goto end;
852 			}
853 		}
854 
855 	if (s_dcert_file)
856 		{
857 
858 		if (s_dkey_file == NULL)
859 			s_dkey_file = s_dcert_file;
860 
861 		s_dkey = load_key(bio_err, s_dkey_file, s_dkey_format,
862 				0, dpass, e,
863 			       "second certificate private key file");
864 		if (!s_dkey)
865 			{
866 			ERR_print_errors(bio_err);
867 			goto end;
868 			}
869 
870 		s_dcert = load_cert(bio_err,s_dcert_file,s_dcert_format,
871 				NULL, e, "second server certificate file");
872 
873 		if (!s_dcert)
874 			{
875 			ERR_print_errors(bio_err);
876 			goto end;
877 			}
878 
879 		}
880 
881 	if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
882 		&& !RAND_status())
883 		{
884 		BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n");
885 		}
886 	if (inrand != NULL)
887 		BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
888 			app_RAND_load_files(inrand));
889 
890 	if (bio_s_out == NULL)
891 		{
892 		if (s_quiet && !s_debug && !s_msg)
893 			{
894 			bio_s_out=BIO_new(BIO_s_null());
895 			}
896 		else
897 			{
898 			if (bio_s_out == NULL)
899 				bio_s_out=BIO_new_fp(stdout,BIO_NOCLOSE);
900 			}
901 		}
902 
903 #if !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_ECDSA)
904 	if (nocert)
905 #endif
906 		{
907 		s_cert_file=NULL;
908 		s_key_file=NULL;
909 		s_dcert_file=NULL;
910 		s_dkey_file=NULL;
911 		}
912 
913 	ctx=SSL_CTX_new(meth);
914 	if (ctx == NULL)
915 		{
916 		ERR_print_errors(bio_err);
917 		goto end;
918 		}
919 	if (session_id_prefix)
920 		{
921 		if(strlen(session_id_prefix) >= 32)
922 			BIO_printf(bio_err,
923 "warning: id_prefix is too long, only one new session will be possible\n");
924 		else if(strlen(session_id_prefix) >= 16)
925 			BIO_printf(bio_err,
926 "warning: id_prefix is too long if you use SSLv2\n");
927 		if(!SSL_CTX_set_generate_session_id(ctx, generate_session_id))
928 			{
929 			BIO_printf(bio_err,"error setting 'id_prefix'\n");
930 			ERR_print_errors(bio_err);
931 			goto end;
932 			}
933 		BIO_printf(bio_err,"id_prefix '%s' set.\n", session_id_prefix);
934 		}
935 	SSL_CTX_set_quiet_shutdown(ctx,1);
936 	if (bugs) SSL_CTX_set_options(ctx,SSL_OP_ALL);
937 	if (hack) SSL_CTX_set_options(ctx,SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG);
938 	SSL_CTX_set_options(ctx,off);
939 	/* DTLS: partial reads end up discarding unread UDP bytes :-(
940 	 * Setting read ahead solves this problem.
941 	 */
942 	if (sock_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1);
943 
944 	if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback);
945 
946 	SSL_CTX_sess_set_cache_size(ctx,128);
947 
948 #if 0
949 	if (cipher == NULL) cipher=getenv("SSL_CIPHER");
950 #endif
951 
952 #if 0
953 	if (s_cert_file == NULL)
954 		{
955 		BIO_printf(bio_err,"You must specify a certificate file for the server to use\n");
956 		goto end;
957 		}
958 #endif
959 
960 	if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
961 		(!SSL_CTX_set_default_verify_paths(ctx)))
962 		{
963 		/* BIO_printf(bio_err,"X509_load_verify_locations\n"); */
964 		ERR_print_errors(bio_err);
965 		/* goto end; */
966 		}
967 	store = SSL_CTX_get_cert_store(ctx);
968 	X509_STORE_set_flags(store, vflags);
969 
970 #ifndef OPENSSL_NO_DH
971 	if (!no_dhe)
972 		{
973 		DH *dh=NULL;
974 
975 		if (dhfile)
976 			dh = load_dh_param(dhfile);
977 		else if (s_cert_file)
978 			dh = load_dh_param(s_cert_file);
979 
980 		if (dh != NULL)
981 			{
982 			BIO_printf(bio_s_out,"Setting temp DH parameters\n");
983 			}
984 		else
985 			{
986 			BIO_printf(bio_s_out,"Using default temp DH parameters\n");
987 			dh=get_dh512();
988 			}
989 		(void)BIO_flush(bio_s_out);
990 
991 		SSL_CTX_set_tmp_dh(ctx,dh);
992 		DH_free(dh);
993 		}
994 #endif
995 
996 #ifndef OPENSSL_NO_ECDH
997 	if (!no_ecdhe)
998 		{
999 		EC_KEY *ecdh=NULL;
1000 
1001 		if (named_curve)
1002 			{
1003 			int nid = OBJ_sn2nid(named_curve);
1004 
1005 			if (nid == 0)
1006 				{
1007 				BIO_printf(bio_err, "unknown curve name (%s)\n",
1008 					named_curve);
1009 				goto end;
1010 				}
1011 			ecdh = EC_KEY_new_by_curve_name(nid);
1012 			if (ecdh == NULL)
1013 				{
1014 				BIO_printf(bio_err, "unable to create curve (%s)\n",
1015 					named_curve);
1016 				goto end;
1017 				}
1018 			}
1019 
1020 		if (ecdh != NULL)
1021 			{
1022 			BIO_printf(bio_s_out,"Setting temp ECDH parameters\n");
1023 			}
1024 		else
1025 			{
1026 			BIO_printf(bio_s_out,"Using default temp ECDH parameters\n");
1027 			ecdh = EC_KEY_new_by_curve_name(NID_sect163r2);
1028 			if (ecdh == NULL)
1029 				{
1030 				BIO_printf(bio_err, "unable to create curve (sect163r2)\n");
1031 				goto end;
1032 				}
1033 			}
1034 		(void)BIO_flush(bio_s_out);
1035 
1036 		SSL_CTX_set_tmp_ecdh(ctx,ecdh);
1037 		EC_KEY_free(ecdh);
1038 		}
1039 #endif
1040 
1041 	if (!set_cert_key_stuff(ctx,s_cert,s_key))
1042 		goto end;
1043 	if (s_dcert != NULL)
1044 		{
1045 		if (!set_cert_key_stuff(ctx,s_dcert,s_dkey))
1046 			goto end;
1047 		}
1048 
1049 #ifndef OPENSSL_NO_RSA
1050 #if 1
1051 	if (!no_tmp_rsa)
1052 		SSL_CTX_set_tmp_rsa_callback(ctx,tmp_rsa_cb);
1053 #else
1054 	if (!no_tmp_rsa && SSL_CTX_need_tmp_RSA(ctx))
1055 		{
1056 		RSA *rsa;
1057 
1058 		BIO_printf(bio_s_out,"Generating temp (512 bit) RSA key...");
1059 		BIO_flush(bio_s_out);
1060 
1061 		rsa=RSA_generate_key(512,RSA_F4,NULL);
1062 
1063 		if (!SSL_CTX_set_tmp_rsa(ctx,rsa))
1064 			{
1065 			ERR_print_errors(bio_err);
1066 			goto end;
1067 			}
1068 		RSA_free(rsa);
1069 		BIO_printf(bio_s_out,"\n");
1070 		}
1071 #endif
1072 #endif
1073 
1074 	if (cipher != NULL)
1075 		if(!SSL_CTX_set_cipher_list(ctx,cipher)) {
1076 		BIO_printf(bio_err,"error setting cipher list\n");
1077 		ERR_print_errors(bio_err);
1078 		goto end;
1079 	}
1080 	SSL_CTX_set_verify(ctx,s_server_verify,verify_callback);
1081 	SSL_CTX_set_session_id_context(ctx,(void*)&s_server_session_id_context,
1082 		sizeof s_server_session_id_context);
1083 
1084 	if (CAfile != NULL)
1085 	    SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(CAfile));
1086 
1087 	BIO_printf(bio_s_out,"ACCEPT\n");
1088 	if (www)
1089 		do_server(port,sock_type,&accept_socket,www_body, context);
1090 	else
1091 		do_server(port,sock_type,&accept_socket,sv_body, context);
1092 	print_stats(bio_s_out,ctx);
1093 	ret=0;
1094 end:
1095 	if (ctx != NULL) SSL_CTX_free(ctx);
1096 	if (s_cert)
1097 		X509_free(s_cert);
1098 	if (s_dcert)
1099 		X509_free(s_dcert);
1100 	if (s_key)
1101 		EVP_PKEY_free(s_key);
1102 	if (s_dkey)
1103 		EVP_PKEY_free(s_dkey);
1104 	if (pass)
1105 		OPENSSL_free(pass);
1106 	if (dpass)
1107 		OPENSSL_free(dpass);
1108 	if (bio_s_out != NULL)
1109 		{
1110         BIO_free(bio_s_out);
1111 		bio_s_out=NULL;
1112 		}
1113 	apps_shutdown();
1114 	OPENSSL_EXIT(ret);
1115 	}
1116 
1117 static void print_stats(BIO *bio, SSL_CTX *ssl_ctx)
1118 	{
1119 	BIO_printf(bio,"%4ld items in the session cache\n",
1120 		SSL_CTX_sess_number(ssl_ctx));
1121 	BIO_printf(bio,"%4ld client connects (SSL_connect())\n",
1122 		SSL_CTX_sess_connect(ssl_ctx));
1123 	BIO_printf(bio,"%4ld client renegotiates (SSL_connect())\n",
1124 		SSL_CTX_sess_connect_renegotiate(ssl_ctx));
1125 	BIO_printf(bio,"%4ld client connects that finished\n",
1126 		SSL_CTX_sess_connect_good(ssl_ctx));
1127 	BIO_printf(bio,"%4ld server accepts (SSL_accept())\n",
1128 		SSL_CTX_sess_accept(ssl_ctx));
1129 	BIO_printf(bio,"%4ld server renegotiates (SSL_accept())\n",
1130 		SSL_CTX_sess_accept_renegotiate(ssl_ctx));
1131 	BIO_printf(bio,"%4ld server accepts that finished\n",
1132 		SSL_CTX_sess_accept_good(ssl_ctx));
1133 	BIO_printf(bio,"%4ld session cache hits\n",SSL_CTX_sess_hits(ssl_ctx));
1134 	BIO_printf(bio,"%4ld session cache misses\n",SSL_CTX_sess_misses(ssl_ctx));
1135 	BIO_printf(bio,"%4ld session cache timeouts\n",SSL_CTX_sess_timeouts(ssl_ctx));
1136 	BIO_printf(bio,"%4ld callback cache hits\n",SSL_CTX_sess_cb_hits(ssl_ctx));
1137 	BIO_printf(bio,"%4ld cache full overflows (%ld allowed)\n",
1138 		SSL_CTX_sess_cache_full(ssl_ctx),
1139 		SSL_CTX_sess_get_cache_size(ssl_ctx));
1140 	}
1141 
1142 static int sv_body(char *hostname, int s, unsigned char *context)
1143 	{
1144 	char *buf=NULL;
1145 	fd_set readfds;
1146 	int ret=1,width;
1147 	int k,i;
1148 	unsigned long l;
1149 	SSL *con=NULL;
1150 	BIO *sbio;
1151 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE)
1152 	struct timeval tv;
1153 #endif
1154 
1155 	if ((buf=OPENSSL_malloc(bufsize)) == NULL)
1156 		{
1157 		BIO_printf(bio_err,"out of memory\n");
1158 		goto err;
1159 		}
1160 #ifdef FIONBIO
1161 	if (s_nbio)
1162 		{
1163 		unsigned long sl=1;
1164 
1165 		if (!s_quiet)
1166 			BIO_printf(bio_err,"turning on non blocking io\n");
1167 		if (BIO_socket_ioctl(s,FIONBIO,&sl) < 0)
1168 			ERR_print_errors(bio_err);
1169 		}
1170 #endif
1171 
1172 	if (con == NULL) {
1173 		con=SSL_new(ctx);
1174 #ifndef OPENSSL_NO_KRB5
1175 		if ((con->kssl_ctx = kssl_ctx_new()) != NULL)
1176                         {
1177                         kssl_ctx_setstring(con->kssl_ctx, KSSL_SERVICE,
1178 								KRB5SVC);
1179                         kssl_ctx_setstring(con->kssl_ctx, KSSL_KEYTAB,
1180 								KRB5KEYTAB);
1181                         }
1182 #endif	/* OPENSSL_NO_KRB5 */
1183 		if(context)
1184 		      SSL_set_session_id_context(con, context,
1185 						 strlen((char *)context));
1186 	}
1187 	SSL_clear(con);
1188 
1189 	if (SSL_version(con) == DTLS1_VERSION)
1190 		{
1191 		struct timeval timeout;
1192 
1193 		sbio=BIO_new_dgram(s,BIO_NOCLOSE);
1194 
1195 		if ( enable_timeouts)
1196 			{
1197 			timeout.tv_sec = 0;
1198 			timeout.tv_usec = DGRAM_RCV_TIMEOUT;
1199 			BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
1200 
1201 			timeout.tv_sec = 0;
1202 			timeout.tv_usec = DGRAM_SND_TIMEOUT;
1203 			BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
1204 			}
1205 
1206 
1207 		if ( mtu > 0)
1208 			{
1209 			SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
1210 			SSL_set_mtu(con, mtu);
1211 			}
1212 		else
1213 			/* want to do MTU discovery */
1214 			BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL);
1215 
1216         /* turn on cookie exchange */
1217         SSL_set_options(con, SSL_OP_COOKIE_EXCHANGE);
1218 		}
1219 	else
1220 		sbio=BIO_new_socket(s,BIO_NOCLOSE);
1221 
1222 	if (s_nbio_test)
1223 		{
1224 		BIO *test;
1225 
1226 		test=BIO_new(BIO_f_nbio_test());
1227 		sbio=BIO_push(test,sbio);
1228 		}
1229 	SSL_set_bio(con,sbio,sbio);
1230 	SSL_set_accept_state(con);
1231 	/* SSL_set_fd(con,s); */
1232 
1233 	if (s_debug)
1234 		{
1235 		con->debug=1;
1236 		BIO_set_callback(SSL_get_rbio(con),bio_dump_callback);
1237 		BIO_set_callback_arg(SSL_get_rbio(con),(char *)bio_s_out);
1238 		}
1239 	if (s_msg)
1240 		{
1241 		SSL_set_msg_callback(con, msg_cb);
1242 		SSL_set_msg_callback_arg(con, bio_s_out);
1243 		}
1244 
1245 	width=s+1;
1246 	for (;;)
1247 		{
1248 		int read_from_terminal;
1249 		int read_from_sslcon;
1250 
1251 		read_from_terminal = 0;
1252 		read_from_sslcon = SSL_pending(con);
1253 
1254 		if (!read_from_sslcon)
1255 			{
1256 			FD_ZERO(&readfds);
1257 #if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE)
1258 			FD_SET(fileno(stdin),&readfds);
1259 #endif
1260 			FD_SET(s,&readfds);
1261 			/* Note: under VMS with SOCKETSHR the second parameter is
1262 			 * currently of type (int *) whereas under other systems
1263 			 * it is (void *) if you don't have a cast it will choke
1264 			 * the compiler: if you do have a cast then you can either
1265 			 * go for (int *) or (void *).
1266 			 */
1267 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE)
1268                         /* Under DOS (non-djgpp) and Windows we can't select on stdin: only
1269 			 * on sockets. As a workaround we timeout the select every
1270 			 * second and check for any keypress. In a proper Windows
1271 			 * application we wouldn't do this because it is inefficient.
1272 			 */
1273 			tv.tv_sec = 1;
1274 			tv.tv_usec = 0;
1275 			i=select(width,(void *)&readfds,NULL,NULL,&tv);
1276 			if((i < 0) || (!i && !_kbhit() ) )continue;
1277 			if(_kbhit())
1278 				read_from_terminal = 1;
1279 #else
1280 			i=select(width,(void *)&readfds,NULL,NULL,NULL);
1281 			if (i <= 0) continue;
1282 			if (FD_ISSET(fileno(stdin),&readfds))
1283 				read_from_terminal = 1;
1284 #endif
1285 			if (FD_ISSET(s,&readfds))
1286 				read_from_sslcon = 1;
1287 			}
1288 		if (read_from_terminal)
1289 			{
1290 			if (s_crlf)
1291 				{
1292 				int j, lf_num;
1293 
1294 				i=read(fileno(stdin), buf, bufsize/2);
1295 				lf_num = 0;
1296 				/* both loops are skipped when i <= 0 */
1297 				for (j = 0; j < i; j++)
1298 					if (buf[j] == '\n')
1299 						lf_num++;
1300 				for (j = i-1; j >= 0; j--)
1301 					{
1302 					buf[j+lf_num] = buf[j];
1303 					if (buf[j] == '\n')
1304 						{
1305 						lf_num--;
1306 						i++;
1307 						buf[j+lf_num] = '\r';
1308 						}
1309 					}
1310 				assert(lf_num == 0);
1311 				}
1312 			else
1313 				i=read(fileno(stdin),buf,bufsize);
1314 			if (!s_quiet)
1315 				{
1316 				if ((i <= 0) || (buf[0] == 'Q'))
1317 					{
1318 					BIO_printf(bio_s_out,"DONE\n");
1319 					SHUTDOWN(s);
1320 					close_accept_socket();
1321 					ret= -11;
1322 					goto err;
1323 					}
1324 				if ((i <= 0) || (buf[0] == 'q'))
1325 					{
1326 					BIO_printf(bio_s_out,"DONE\n");
1327 					if (SSL_version(con) != DTLS1_VERSION)
1328                         SHUTDOWN(s);
1329 	/*				close_accept_socket();
1330 					ret= -11;*/
1331 					goto err;
1332 					}
1333 				if ((buf[0] == 'r') &&
1334 					((buf[1] == '\n') || (buf[1] == '\r')))
1335 					{
1336 					SSL_renegotiate(con);
1337 					i=SSL_do_handshake(con);
1338 					printf("SSL_do_handshake -> %d\n",i);
1339 					i=0; /*13; */
1340 					continue;
1341 					/* strcpy(buf,"server side RE-NEGOTIATE\n"); */
1342 					}
1343 				if ((buf[0] == 'R') &&
1344 					((buf[1] == '\n') || (buf[1] == '\r')))
1345 					{
1346 					SSL_set_verify(con,
1347 						SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE,NULL);
1348 					SSL_renegotiate(con);
1349 					i=SSL_do_handshake(con);
1350 					printf("SSL_do_handshake -> %d\n",i);
1351 					i=0; /* 13; */
1352 					continue;
1353 					/* strcpy(buf,"server side RE-NEGOTIATE asking for client cert\n"); */
1354 					}
1355 				if (buf[0] == 'P')
1356 					{
1357 					static const char *str="Lets print some clear text\n";
1358 					BIO_write(SSL_get_wbio(con),str,strlen(str));
1359 					}
1360 				if (buf[0] == 'S')
1361 					{
1362 					print_stats(bio_s_out,SSL_get_SSL_CTX(con));
1363 					}
1364 				}
1365 #ifdef CHARSET_EBCDIC
1366 			ebcdic2ascii(buf,buf,i);
1367 #endif
1368 			l=k=0;
1369 			for (;;)
1370 				{
1371 				/* should do a select for the write */
1372 #ifdef RENEG
1373 { static count=0; if (++count == 100) { count=0; SSL_renegotiate(con); } }
1374 #endif
1375 				k=SSL_write(con,&(buf[l]),(unsigned int)i);
1376 				switch (SSL_get_error(con,k))
1377 					{
1378 				case SSL_ERROR_NONE:
1379 					break;
1380 				case SSL_ERROR_WANT_WRITE:
1381 				case SSL_ERROR_WANT_READ:
1382 				case SSL_ERROR_WANT_X509_LOOKUP:
1383 					BIO_printf(bio_s_out,"Write BLOCK\n");
1384 					break;
1385 				case SSL_ERROR_SYSCALL:
1386 				case SSL_ERROR_SSL:
1387 					BIO_printf(bio_s_out,"ERROR\n");
1388 					ERR_print_errors(bio_err);
1389 					ret=1;
1390 					goto err;
1391 					/* break; */
1392 				case SSL_ERROR_ZERO_RETURN:
1393 					BIO_printf(bio_s_out,"DONE\n");
1394 					ret=1;
1395 					goto err;
1396 					}
1397 				l+=k;
1398 				i-=k;
1399 				if (i <= 0) break;
1400 				}
1401 			}
1402 		if (read_from_sslcon)
1403 			{
1404 			if (!SSL_is_init_finished(con))
1405 				{
1406 				i=init_ssl_connection(con);
1407 
1408 				if (i < 0)
1409 					{
1410 					ret=0;
1411 					goto err;
1412 					}
1413 				else if (i == 0)
1414 					{
1415 					ret=1;
1416 					goto err;
1417 					}
1418 				}
1419 			else
1420 				{
1421 again:
1422 				i=SSL_read(con,(char *)buf,bufsize);
1423 				switch (SSL_get_error(con,i))
1424 					{
1425 				case SSL_ERROR_NONE:
1426 #ifdef CHARSET_EBCDIC
1427 					ascii2ebcdic(buf,buf,i);
1428 #endif
1429 					write(fileno(stdout),buf,
1430 						(unsigned int)i);
1431 					if (SSL_pending(con)) goto again;
1432 					break;
1433 				case SSL_ERROR_WANT_WRITE:
1434 				case SSL_ERROR_WANT_READ:
1435 				case SSL_ERROR_WANT_X509_LOOKUP:
1436 					BIO_printf(bio_s_out,"Read BLOCK\n");
1437 					break;
1438 				case SSL_ERROR_SYSCALL:
1439 				case SSL_ERROR_SSL:
1440 					BIO_printf(bio_s_out,"ERROR\n");
1441 					ERR_print_errors(bio_err);
1442 					ret=1;
1443 					goto err;
1444 				case SSL_ERROR_ZERO_RETURN:
1445 					BIO_printf(bio_s_out,"DONE\n");
1446 					ret=1;
1447 					goto err;
1448 					}
1449 				}
1450 			}
1451 		}
1452 err:
1453 	BIO_printf(bio_s_out,"shutting down SSL\n");
1454 #if 1
1455 	SSL_set_shutdown(con,SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
1456 #else
1457 	SSL_shutdown(con);
1458 #endif
1459 	if (con != NULL) SSL_free(con);
1460 	BIO_printf(bio_s_out,"CONNECTION CLOSED\n");
1461 	if (buf != NULL)
1462 		{
1463 		OPENSSL_cleanse(buf,bufsize);
1464 		OPENSSL_free(buf);
1465 		}
1466 	if (ret >= 0)
1467 		BIO_printf(bio_s_out,"ACCEPT\n");
1468 	return(ret);
1469 	}
1470 
1471 static void close_accept_socket(void)
1472 	{
1473 	BIO_printf(bio_err,"shutdown accept socket\n");
1474 	if (accept_socket >= 0)
1475 		{
1476 		SHUTDOWN2(accept_socket);
1477 		}
1478 	}
1479 
1480 static int init_ssl_connection(SSL *con)
1481 	{
1482 	int i;
1483 	const char *str;
1484 	X509 *peer;
1485 	long verify_error;
1486 	MS_STATIC char buf[BUFSIZ];
1487 
1488 	if ((i=SSL_accept(con)) <= 0)
1489 		{
1490 		if (BIO_sock_should_retry(i))
1491 			{
1492 			BIO_printf(bio_s_out,"DELAY\n");
1493 			return(1);
1494 			}
1495 
1496 		BIO_printf(bio_err,"ERROR\n");
1497 		verify_error=SSL_get_verify_result(con);
1498 		if (verify_error != X509_V_OK)
1499 			{
1500 			BIO_printf(bio_err,"verify error:%s\n",
1501 				X509_verify_cert_error_string(verify_error));
1502 			}
1503 		else
1504 			ERR_print_errors(bio_err);
1505 		return(0);
1506 		}
1507 
1508 	PEM_write_bio_SSL_SESSION(bio_s_out,SSL_get_session(con));
1509 
1510 	peer=SSL_get_peer_certificate(con);
1511 	if (peer != NULL)
1512 		{
1513 		BIO_printf(bio_s_out,"Client certificate\n");
1514 		PEM_write_bio_X509(bio_s_out,peer);
1515 		X509_NAME_oneline(X509_get_subject_name(peer),buf,sizeof buf);
1516 		BIO_printf(bio_s_out,"subject=%s\n",buf);
1517 		X509_NAME_oneline(X509_get_issuer_name(peer),buf,sizeof buf);
1518 		BIO_printf(bio_s_out,"issuer=%s\n",buf);
1519 		X509_free(peer);
1520 		}
1521 
1522 	if (SSL_get_shared_ciphers(con,buf,sizeof buf) != NULL)
1523 		BIO_printf(bio_s_out,"Shared ciphers:%s\n",buf);
1524 	str=SSL_CIPHER_get_name(SSL_get_current_cipher(con));
1525 	BIO_printf(bio_s_out,"CIPHER is %s\n",(str != NULL)?str:"(NONE)");
1526 	if (con->hit) BIO_printf(bio_s_out,"Reused session-id\n");
1527 	if (SSL_ctrl(con,SSL_CTRL_GET_FLAGS,0,NULL) &
1528 		TLS1_FLAGS_TLS_PADDING_BUG)
1529 		BIO_printf(bio_s_out,"Peer has incorrect TLSv1 block padding\n");
1530 #ifndef OPENSSL_NO_KRB5
1531 	if (con->kssl_ctx->client_princ != NULL)
1532 		{
1533 		BIO_printf(bio_s_out,"Kerberos peer principal is %s\n",
1534 			con->kssl_ctx->client_princ);
1535 		}
1536 #endif /* OPENSSL_NO_KRB5 */
1537 	return(1);
1538 	}
1539 
1540 #ifndef OPENSSL_NO_DH
1541 static DH *load_dh_param(const char *dhfile)
1542 	{
1543 	DH *ret=NULL;
1544 	BIO *bio;
1545 
1546 	if ((bio=BIO_new_file(dhfile,"r")) == NULL)
1547 		goto err;
1548 	ret=PEM_read_bio_DHparams(bio,NULL,NULL,NULL);
1549 err:
1550 	if (bio != NULL) BIO_free(bio);
1551 	return(ret);
1552 	}
1553 #endif
1554 
1555 #if 0
1556 static int load_CA(SSL_CTX *ctx, char *file)
1557 	{
1558 	FILE *in;
1559 	X509 *x=NULL;
1560 
1561 	if ((in=fopen(file,"r")) == NULL)
1562 		return(0);
1563 
1564 	for (;;)
1565 		{
1566 		if (PEM_read_X509(in,&x,NULL) == NULL)
1567 			break;
1568 		SSL_CTX_add_client_CA(ctx,x);
1569 		}
1570 	if (x != NULL) X509_free(x);
1571 	fclose(in);
1572 	return(1);
1573 	}
1574 #endif
1575 
1576 static int www_body(char *hostname, int s, unsigned char *context)
1577 	{
1578 	char *buf=NULL;
1579 	int ret=1;
1580 	int i,j,k,blank,dot;
1581 	struct stat st_buf;
1582 	SSL *con;
1583 	SSL_CIPHER *c;
1584 	BIO *io,*ssl_bio,*sbio;
1585 	long total_bytes;
1586 
1587 	buf=OPENSSL_malloc(bufsize);
1588 	if (buf == NULL) return(0);
1589 	io=BIO_new(BIO_f_buffer());
1590 	ssl_bio=BIO_new(BIO_f_ssl());
1591 	if ((io == NULL) || (ssl_bio == NULL)) goto err;
1592 
1593 #ifdef FIONBIO
1594 	if (s_nbio)
1595 		{
1596 		unsigned long sl=1;
1597 
1598 		if (!s_quiet)
1599 			BIO_printf(bio_err,"turning on non blocking io\n");
1600 		if (BIO_socket_ioctl(s,FIONBIO,&sl) < 0)
1601 			ERR_print_errors(bio_err);
1602 		}
1603 #endif
1604 
1605 	/* lets make the output buffer a reasonable size */
1606 	if (!BIO_set_write_buffer_size(io,bufsize)) goto err;
1607 
1608 	if ((con=SSL_new(ctx)) == NULL) goto err;
1609 #ifndef OPENSSL_NO_KRB5
1610 	if ((con->kssl_ctx = kssl_ctx_new()) != NULL)
1611 		{
1612 		kssl_ctx_setstring(con->kssl_ctx, KSSL_SERVICE, KRB5SVC);
1613 		kssl_ctx_setstring(con->kssl_ctx, KSSL_KEYTAB, KRB5KEYTAB);
1614 		}
1615 #endif	/* OPENSSL_NO_KRB5 */
1616 	if(context) SSL_set_session_id_context(con, context,
1617 					       strlen((char *)context));
1618 
1619 	sbio=BIO_new_socket(s,BIO_NOCLOSE);
1620 	if (s_nbio_test)
1621 		{
1622 		BIO *test;
1623 
1624 		test=BIO_new(BIO_f_nbio_test());
1625 		sbio=BIO_push(test,sbio);
1626 		}
1627 	SSL_set_bio(con,sbio,sbio);
1628 	SSL_set_accept_state(con);
1629 
1630 	/* SSL_set_fd(con,s); */
1631 	BIO_set_ssl(ssl_bio,con,BIO_CLOSE);
1632 	BIO_push(io,ssl_bio);
1633 #ifdef CHARSET_EBCDIC
1634 	io = BIO_push(BIO_new(BIO_f_ebcdic_filter()),io);
1635 #endif
1636 
1637 	if (s_debug)
1638 		{
1639 		con->debug=1;
1640 		BIO_set_callback(SSL_get_rbio(con),bio_dump_callback);
1641 		BIO_set_callback_arg(SSL_get_rbio(con),(char *)bio_s_out);
1642 		}
1643 	if (s_msg)
1644 		{
1645 		SSL_set_msg_callback(con, msg_cb);
1646 		SSL_set_msg_callback_arg(con, bio_s_out);
1647 		}
1648 
1649 	blank=0;
1650 	for (;;)
1651 		{
1652 		if (hack)
1653 			{
1654 			i=SSL_accept(con);
1655 
1656 			switch (SSL_get_error(con,i))
1657 				{
1658 			case SSL_ERROR_NONE:
1659 				break;
1660 			case SSL_ERROR_WANT_WRITE:
1661 			case SSL_ERROR_WANT_READ:
1662 			case SSL_ERROR_WANT_X509_LOOKUP:
1663 				continue;
1664 			case SSL_ERROR_SYSCALL:
1665 			case SSL_ERROR_SSL:
1666 			case SSL_ERROR_ZERO_RETURN:
1667 				ret=1;
1668 				goto err;
1669 				/* break; */
1670 				}
1671 
1672 			SSL_renegotiate(con);
1673 			SSL_write(con,NULL,0);
1674 			}
1675 
1676 		i=BIO_gets(io,buf,bufsize-1);
1677 		if (i < 0) /* error */
1678 			{
1679 			if (!BIO_should_retry(io))
1680 				{
1681 				if (!s_quiet)
1682 					ERR_print_errors(bio_err);
1683 				goto err;
1684 				}
1685 			else
1686 				{
1687 				BIO_printf(bio_s_out,"read R BLOCK\n");
1688 #if defined(OPENSSL_SYS_NETWARE)
1689             delay(1000);
1690 #elif !defined(OPENSSL_SYS_MSDOS) && !defined(__DJGPP__)
1691 				sleep(1);
1692 #endif
1693 				continue;
1694 				}
1695 			}
1696 		else if (i == 0) /* end of input */
1697 			{
1698 			ret=1;
1699 			goto end;
1700 			}
1701 
1702 		/* else we have data */
1703 		if (	((www == 1) && (strncmp("GET ",buf,4) == 0)) ||
1704 			((www == 2) && (strncmp("GET /stats ",buf,10) == 0)))
1705 			{
1706 			char *p;
1707 			X509 *peer;
1708 			STACK_OF(SSL_CIPHER) *sk;
1709 			static const char *space="                          ";
1710 
1711 			BIO_puts(io,"HTTP/1.0 200 ok\r\nContent-type: text/html\r\n\r\n");
1712 			BIO_puts(io,"<HTML><BODY BGCOLOR=\"#ffffff\">\n");
1713 			BIO_puts(io,"<pre>\n");
1714 /*			BIO_puts(io,SSLeay_version(SSLEAY_VERSION));*/
1715 			BIO_puts(io,"\n");
1716 			for (i=0; i<local_argc; i++)
1717 				{
1718 				BIO_puts(io,local_argv[i]);
1719 				BIO_write(io," ",1);
1720 				}
1721 			BIO_puts(io,"\n");
1722 
1723 			/* The following is evil and should not really
1724 			 * be done */
1725 			BIO_printf(io,"Ciphers supported in s_server binary\n");
1726 			sk=SSL_get_ciphers(con);
1727 			j=sk_SSL_CIPHER_num(sk);
1728 			for (i=0; i<j; i++)
1729 				{
1730 				c=sk_SSL_CIPHER_value(sk,i);
1731 				BIO_printf(io,"%-11s:%-25s",
1732 					SSL_CIPHER_get_version(c),
1733 					SSL_CIPHER_get_name(c));
1734 				if ((((i+1)%2) == 0) && (i+1 != j))
1735 					BIO_puts(io,"\n");
1736 				}
1737 			BIO_puts(io,"\n");
1738 			p=SSL_get_shared_ciphers(con,buf,bufsize);
1739 			if (p != NULL)
1740 				{
1741 				BIO_printf(io,"---\nCiphers common between both SSL end points:\n");
1742 				j=i=0;
1743 				while (*p)
1744 					{
1745 					if (*p == ':')
1746 						{
1747 						BIO_write(io,space,26-j);
1748 						i++;
1749 						j=0;
1750 						BIO_write(io,((i%3)?" ":"\n"),1);
1751 						}
1752 					else
1753 						{
1754 						BIO_write(io,p,1);
1755 						j++;
1756 						}
1757 					p++;
1758 					}
1759 				BIO_puts(io,"\n");
1760 				}
1761 			BIO_printf(io,((con->hit)
1762 				?"---\nReused, "
1763 				:"---\nNew, "));
1764 			c=SSL_get_current_cipher(con);
1765 			BIO_printf(io,"%s, Cipher is %s\n",
1766 				SSL_CIPHER_get_version(c),
1767 				SSL_CIPHER_get_name(c));
1768 			SSL_SESSION_print(io,SSL_get_session(con));
1769 			BIO_printf(io,"---\n");
1770 			print_stats(io,SSL_get_SSL_CTX(con));
1771 			BIO_printf(io,"---\n");
1772 			peer=SSL_get_peer_certificate(con);
1773 			if (peer != NULL)
1774 				{
1775 				BIO_printf(io,"Client certificate\n");
1776 				X509_print(io,peer);
1777 				PEM_write_bio_X509(io,peer);
1778 				}
1779 			else
1780 				BIO_puts(io,"no client certificate available\n");
1781 			BIO_puts(io,"</BODY></HTML>\r\n\r\n");
1782 			break;
1783 			}
1784 		else if ((www == 2 || www == 3)
1785                          && (strncmp("GET /",buf,5) == 0))
1786 			{
1787 			BIO *file;
1788 			char *p,*e;
1789 			static const char *text="HTTP/1.0 200 ok\r\nContent-type: text/plain\r\n\r\n";
1790 
1791 			/* skip the '/' */
1792 			p= &(buf[5]);
1793 
1794 			dot = 1;
1795 			for (e=p; *e != '\0'; e++)
1796 				{
1797 				if (e[0] == ' ')
1798 					break;
1799 
1800 				switch (dot)
1801 					{
1802 				case 1:
1803 					dot = (e[0] == '.') ? 2 : 0;
1804 					break;
1805 				case 2:
1806 					dot = (e[0] == '.') ? 3 : 0;
1807 					break;
1808 				case 3:
1809 					dot = (e[0] == '/') ? -1 : 0;
1810 					break;
1811 					}
1812 				if (dot == 0)
1813 					dot = (e[0] == '/') ? 1 : 0;
1814 				}
1815 			dot = (dot == 3) || (dot == -1); /* filename contains ".." component */
1816 
1817 			if (*e == '\0')
1818 				{
1819 				BIO_puts(io,text);
1820 				BIO_printf(io,"'%s' is an invalid file name\r\n",p);
1821 				break;
1822 				}
1823 			*e='\0';
1824 
1825 			if (dot)
1826 				{
1827 				BIO_puts(io,text);
1828 				BIO_printf(io,"'%s' contains '..' reference\r\n",p);
1829 				break;
1830 				}
1831 
1832 			if (*p == '/')
1833 				{
1834 				BIO_puts(io,text);
1835 				BIO_printf(io,"'%s' is an invalid path\r\n",p);
1836 				break;
1837 				}
1838 
1839 #if 0
1840 			/* append if a directory lookup */
1841 			if (e[-1] == '/')
1842 				strcat(p,"index.html");
1843 #endif
1844 
1845 			/* if a directory, do the index thang */
1846 			if (stat(p,&st_buf) < 0)
1847 				{
1848 				BIO_puts(io,text);
1849 				BIO_printf(io,"Error accessing '%s'\r\n",p);
1850 				ERR_print_errors(io);
1851 				break;
1852 				}
1853 			if (S_ISDIR(st_buf.st_mode))
1854 				{
1855 #if 0 /* must check buffer size */
1856 				strcat(p,"/index.html");
1857 #else
1858 				BIO_puts(io,text);
1859 				BIO_printf(io,"'%s' is a directory\r\n",p);
1860 				break;
1861 #endif
1862 				}
1863 
1864 			if ((file=BIO_new_file(p,"r")) == NULL)
1865 				{
1866 				BIO_puts(io,text);
1867 				BIO_printf(io,"Error opening '%s'\r\n",p);
1868 				ERR_print_errors(io);
1869 				break;
1870 				}
1871 
1872 			if (!s_quiet)
1873 				BIO_printf(bio_err,"FILE:%s\n",p);
1874 
1875                         if (www == 2)
1876                                 {
1877                                 i=strlen(p);
1878                                 if (	((i > 5) && (strcmp(&(p[i-5]),".html") == 0)) ||
1879                                         ((i > 4) && (strcmp(&(p[i-4]),".php") == 0)) ||
1880                                         ((i > 4) && (strcmp(&(p[i-4]),".htm") == 0)))
1881                                         BIO_puts(io,"HTTP/1.0 200 ok\r\nContent-type: text/html\r\n\r\n");
1882                                 else
1883                                         BIO_puts(io,"HTTP/1.0 200 ok\r\nContent-type: text/plain\r\n\r\n");
1884                                 }
1885 			/* send the file */
1886 			total_bytes=0;
1887 			for (;;)
1888 				{
1889 				i=BIO_read(file,buf,bufsize);
1890 				if (i <= 0) break;
1891 
1892 #ifdef RENEG
1893 				total_bytes+=i;
1894 				fprintf(stderr,"%d\n",i);
1895 				if (total_bytes > 3*1024)
1896 					{
1897 					total_bytes=0;
1898 					fprintf(stderr,"RENEGOTIATE\n");
1899 					SSL_renegotiate(con);
1900 					}
1901 #endif
1902 
1903 				for (j=0; j<i; )
1904 					{
1905 #ifdef RENEG
1906 { static count=0; if (++count == 13) { SSL_renegotiate(con); } }
1907 #endif
1908 					k=BIO_write(io,&(buf[j]),i-j);
1909 					if (k <= 0)
1910 						{
1911 						if (!BIO_should_retry(io))
1912 							goto write_error;
1913 						else
1914 							{
1915 							BIO_printf(bio_s_out,"rwrite W BLOCK\n");
1916 							}
1917 						}
1918 					else
1919 						{
1920 						j+=k;
1921 						}
1922 					}
1923 				}
1924 write_error:
1925 			BIO_free(file);
1926 			break;
1927 			}
1928 		}
1929 
1930 	for (;;)
1931 		{
1932 		i=(int)BIO_flush(io);
1933 		if (i <= 0)
1934 			{
1935 			if (!BIO_should_retry(io))
1936 				break;
1937 			}
1938 		else
1939 			break;
1940 		}
1941 end:
1942 #if 1
1943 	/* make sure we re-use sessions */
1944 	SSL_set_shutdown(con,SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
1945 #else
1946 	/* This kills performance */
1947 /*	SSL_shutdown(con); A shutdown gets sent in the
1948  *	BIO_free_all(io) procession */
1949 #endif
1950 
1951 err:
1952 
1953 	if (ret >= 0)
1954 		BIO_printf(bio_s_out,"ACCEPT\n");
1955 
1956 	if (buf != NULL) OPENSSL_free(buf);
1957 	if (io != NULL) BIO_free_all(io);
1958 /*	if (ssl_bio != NULL) BIO_free(ssl_bio);*/
1959 	return(ret);
1960 	}
1961 
1962 #ifndef OPENSSL_NO_RSA
1963 static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength)
1964 	{
1965 	BIGNUM *bn = NULL;
1966 	static RSA *rsa_tmp=NULL;
1967 
1968 	if (!rsa_tmp && ((bn = BN_new()) == NULL))
1969 		BIO_printf(bio_err,"Allocation error in generating RSA key\n");
1970 	if (!rsa_tmp && bn)
1971 		{
1972 		if (!s_quiet)
1973 			{
1974 			BIO_printf(bio_err,"Generating temp (%d bit) RSA key...",keylength);
1975 			(void)BIO_flush(bio_err);
1976 			}
1977 		if(!BN_set_word(bn, RSA_F4) || ((rsa_tmp = RSA_new()) == NULL) ||
1978 				!RSA_generate_key_ex(rsa_tmp, keylength, bn, NULL))
1979 			{
1980 			if(rsa_tmp) RSA_free(rsa_tmp);
1981 			rsa_tmp = NULL;
1982 			}
1983 		if (!s_quiet)
1984 			{
1985 			BIO_printf(bio_err,"\n");
1986 			(void)BIO_flush(bio_err);
1987 			}
1988 		BN_free(bn);
1989 		}
1990 	return(rsa_tmp);
1991 	}
1992 #endif
1993 
1994 #define MAX_SESSION_ID_ATTEMPTS 10
1995 static int generate_session_id(const SSL *ssl, unsigned char *id,
1996 				unsigned int *id_len)
1997 	{
1998 	unsigned int count = 0;
1999 	do	{
2000 		RAND_pseudo_bytes(id, *id_len);
2001 		/* Prefix the session_id with the required prefix. NB: If our
2002 		 * prefix is too long, clip it - but there will be worse effects
2003 		 * anyway, eg. the server could only possibly create 1 session
2004 		 * ID (ie. the prefix!) so all future session negotiations will
2005 		 * fail due to conflicts. */
2006 		memcpy(id, session_id_prefix,
2007 			(strlen(session_id_prefix) < *id_len) ?
2008 			strlen(session_id_prefix) : *id_len);
2009 		}
2010 	while(SSL_has_matching_session_id(ssl, id, *id_len) &&
2011 		(++count < MAX_SESSION_ID_ATTEMPTS));
2012 	if(count >= MAX_SESSION_ID_ATTEMPTS)
2013 		return 0;
2014 	return 1;
2015 	}
2016