DJGPP changes. Contributed by Doug Kaufman <dkaufman@rahul.net>
[openssl.git] / apps / s_server.c
1 /* apps/s_server.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2001 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer. 
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111 /* ====================================================================
112  * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113  * ECC cipher suite support in OpenSSL originally developed by 
114  * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
115  */
116
117 /* Until the key-gen callbacks are modified to use newer prototypes, we allow
118  * deprecated functions for openssl-internal code */
119 #ifdef OPENSSL_NO_DEPRECATED
120 #undef OPENSSL_NO_DEPRECATED
121 #endif
122
123 #include <assert.h>
124 #include <stdio.h>
125 #include <stdlib.h>
126 #include <string.h>
127
128 #include <sys/stat.h>
129 #include <openssl/e_os2.h>
130 #ifdef OPENSSL_NO_STDIO
131 #define APPS_WIN16
132 #endif
133
134 #if !defined(OPENSSL_SYS_NETWARE)  /* conflicts with winsock2 stuff on netware */
135 #include <sys/types.h>
136 #endif
137
138 /* With IPv6, it looks like Digital has mixed up the proper order of
139    recursive header file inclusion, resulting in the compiler complaining
140    that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which
141    is needed to have fileno() declared correctly...  So let's define u_int */
142 #if defined(OPENSSL_SYS_VMS_DECC) && !defined(__U_INT)
143 #define __U_INT
144 typedef unsigned int u_int;
145 #endif
146
147 #include <openssl/lhash.h>
148 #include <openssl/bn.h>
149 #define USE_SOCKETS
150 #include "apps.h"
151 #include <openssl/err.h>
152 #include <openssl/pem.h>
153 #include <openssl/x509.h>
154 #include <openssl/ssl.h>
155 #include <openssl/rand.h>
156 #include "s_apps.h"
157 #include "timeouts.h"
158
159 #ifdef OPENSSL_SYS_WINCE
160 /* Windows CE incorrectly defines fileno as returning void*, so to avoid problems below... */
161 #ifdef fileno
162 #undef fileno
163 #endif
164 #define fileno(a) (int)_fileno(a)
165 #endif
166
167 #if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
168 /* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
169 #undef FIONBIO
170 #endif
171
172 #ifndef OPENSSL_NO_RSA
173 static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength);
174 #endif
175 static int sv_body(char *hostname, int s, unsigned char *context);
176 static int www_body(char *hostname, int s, unsigned char *context);
177 static void close_accept_socket(void );
178 static void sv_usage(void);
179 static int init_ssl_connection(SSL *s);
180 static void print_stats(BIO *bp,SSL_CTX *ctx);
181 static int generate_session_id(const SSL *ssl, unsigned char *id,
182                                 unsigned int *id_len);
183 #ifndef OPENSSL_NO_DH
184 static DH *load_dh_param(const char *dhfile);
185 static DH *get_dh512(void);
186 #endif
187
188 #ifdef MONOLITH
189 static void s_server_init(void);
190 #endif
191
192 #ifndef S_ISDIR
193 # if defined(_S_IFMT) && defined(_S_IFDIR)
194 #  define S_ISDIR(a)    (((a) & _S_IFMT) == _S_IFDIR)
195 # else
196 #  define S_ISDIR(a)    (((a) & S_IFMT) == S_IFDIR)
197 # endif
198 #endif
199
200 #ifndef OPENSSL_NO_DH
201 static unsigned char dh512_p[]={
202         0xDA,0x58,0x3C,0x16,0xD9,0x85,0x22,0x89,0xD0,0xE4,0xAF,0x75,
203         0x6F,0x4C,0xCA,0x92,0xDD,0x4B,0xE5,0x33,0xB8,0x04,0xFB,0x0F,
204         0xED,0x94,0xEF,0x9C,0x8A,0x44,0x03,0xED,0x57,0x46,0x50,0xD3,
205         0x69,0x99,0xDB,0x29,0xD7,0x76,0x27,0x6B,0xA2,0xD3,0xD4,0x12,
206         0xE2,0x18,0xF4,0xDD,0x1E,0x08,0x4C,0xF6,0xD8,0x00,0x3E,0x7C,
207         0x47,0x74,0xE8,0x33,
208         };
209 static unsigned char dh512_g[]={
210         0x02,
211         };
212
213 static DH *get_dh512(void)
214         {
215         DH *dh=NULL;
216
217         if ((dh=DH_new()) == NULL) return(NULL);
218         dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
219         dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
220         if ((dh->p == NULL) || (dh->g == NULL))
221                 return(NULL);
222         return(dh);
223         }
224 #endif
225
226
227 /* static int load_CA(SSL_CTX *ctx, char *file);*/
228
229 #undef BUFSIZZ
230 #define BUFSIZZ 16*1024
231 static int bufsize=BUFSIZZ;
232 static int accept_socket= -1;
233
234 #define TEST_CERT       "server.pem"
235 #undef PROG
236 #define PROG            s_server_main
237
238 extern int verify_depth;
239
240 static char *cipher=NULL;
241 static int s_server_verify=SSL_VERIFY_NONE;
242 static int s_server_session_id_context = 1; /* anything will do */
243 static const char *s_cert_file=TEST_CERT,*s_key_file=NULL;
244 static char *s_dcert_file=NULL,*s_dkey_file=NULL;
245 #ifdef FIONBIO
246 static int s_nbio=0;
247 #endif
248 static int s_nbio_test=0;
249 int s_crlf=0;
250 static SSL_CTX *ctx=NULL;
251 static int www=0;
252
253 static BIO *bio_s_out=NULL;
254 static int s_debug=0;
255 static int s_msg=0;
256 static int s_quiet=0;
257
258 static int hack=0;
259 #ifndef OPENSSL_NO_ENGINE
260 static char *engine_id=NULL;
261 #endif
262 static const char *session_id_prefix=NULL;
263
264 static int enable_timeouts = 0;
265 #ifdef mtu
266 #undef mtu
267 #endif
268 static long mtu;
269 static int cert_chain = 0;
270
271
272 #ifdef MONOLITH
273 static void s_server_init(void)
274         {
275         accept_socket=-1;
276         cipher=NULL;
277         s_server_verify=SSL_VERIFY_NONE;
278         s_dcert_file=NULL;
279         s_dkey_file=NULL;
280         s_cert_file=TEST_CERT;
281         s_key_file=NULL;
282 #ifdef FIONBIO
283         s_nbio=0;
284 #endif
285         s_nbio_test=0;
286         ctx=NULL;
287         www=0;
288
289         bio_s_out=NULL;
290         s_debug=0;
291         s_msg=0;
292         s_quiet=0;
293         hack=0;
294 #ifndef OPENSSL_NO_ENGINE
295         engine_id=NULL;
296 #endif
297         }
298 #endif
299
300 static void sv_usage(void)
301         {
302         BIO_printf(bio_err,"usage: s_server [args ...]\n");
303         BIO_printf(bio_err,"\n");
304         BIO_printf(bio_err," -accept arg   - port to accept on (default is %d)\n",PORT);
305         BIO_printf(bio_err," -context arg  - set session ID context\n");
306         BIO_printf(bio_err," -verify arg   - turn on peer certificate verification\n");
307         BIO_printf(bio_err," -Verify arg   - turn on peer certificate verification, must have a cert.\n");
308         BIO_printf(bio_err," -cert arg     - certificate file to use\n");
309         BIO_printf(bio_err,"                 (default is %s)\n",TEST_CERT);
310         BIO_printf(bio_err," -certform arg - certificate format (PEM or DER) PEM default\n");
311         BIO_printf(bio_err," -key arg      - Private Key file to use, in cert file if\n");
312         BIO_printf(bio_err,"                 not specified (default is %s)\n",TEST_CERT);
313         BIO_printf(bio_err," -keyform arg  - key format (PEM, DER or ENGINE) PEM default\n");
314         BIO_printf(bio_err," -pass arg     - private key file pass phrase source\n");
315         BIO_printf(bio_err," -dcert arg    - second certificate file to use (usually for DSA)\n");
316         BIO_printf(bio_err," -dcertform x  - second certificate format (PEM or DER) PEM default\n");
317         BIO_printf(bio_err," -dkey arg     - second private key file to use (usually for DSA)\n");
318         BIO_printf(bio_err," -dkeyform arg - second key format (PEM, DER or ENGINE) PEM default\n");
319         BIO_printf(bio_err," -dpass arg    - second private key file pass phrase source\n");
320         BIO_printf(bio_err," -dhparam arg  - DH parameter file to use, in cert file if not specified\n");
321         BIO_printf(bio_err,"                 or a default set of parameters is used\n");
322 #ifndef OPENSSL_NO_ECDH
323         BIO_printf(bio_err," -named_curve arg  - Elliptic curve name to use for ephemeral ECDH keys.\n" \
324                            "                 Use \"openssl ecparam -list_curves\" for all names\n" \
325                            "                 (default is sect163r2).\n");
326 #endif
327 #ifdef FIONBIO
328         BIO_printf(bio_err," -nbio         - Run with non-blocking IO\n");
329 #endif
330         BIO_printf(bio_err," -nbio_test    - test with the non-blocking test bio\n");
331         BIO_printf(bio_err," -crlf         - convert LF from terminal into CRLF\n");
332         BIO_printf(bio_err," -debug        - Print more output\n");
333         BIO_printf(bio_err," -msg          - Show protocol messages\n");
334         BIO_printf(bio_err," -state        - Print the SSL states\n");
335         BIO_printf(bio_err," -CApath arg   - PEM format directory of CA's\n");
336         BIO_printf(bio_err," -CAfile arg   - PEM format file of CA's\n");
337         BIO_printf(bio_err," -nocert       - Don't use any certificates (Anon-DH)\n");
338         BIO_printf(bio_err," -cipher arg   - play with 'openssl ciphers' to see what goes here\n");
339         BIO_printf(bio_err," -serverpref   - Use server's cipher preferences\n");
340         BIO_printf(bio_err," -quiet        - No server output\n");
341         BIO_printf(bio_err," -no_tmp_rsa   - Do not generate a tmp RSA key\n");
342         BIO_printf(bio_err," -ssl2         - Just talk SSLv2\n");
343         BIO_printf(bio_err," -ssl3         - Just talk SSLv3\n");
344         BIO_printf(bio_err," -tls1         - Just talk TLSv1\n");
345         BIO_printf(bio_err," -dtls1        - Just talk DTLSv1\n");
346         BIO_printf(bio_err," -timeout      - Enable timeouts\n");
347         BIO_printf(bio_err," -mtu          - Set MTU\n");
348         BIO_printf(bio_err," -chain        - Read a certificate chain\n");
349         BIO_printf(bio_err," -no_ssl2      - Just disable SSLv2\n");
350         BIO_printf(bio_err," -no_ssl3      - Just disable SSLv3\n");
351         BIO_printf(bio_err," -no_tls1      - Just disable TLSv1\n");
352 #ifndef OPENSSL_NO_DH
353         BIO_printf(bio_err," -no_dhe       - Disable ephemeral DH\n");
354 #endif
355 #ifndef OPENSSL_NO_ECDH
356         BIO_printf(bio_err," -no_ecdhe     - Disable ephemeral ECDH\n");
357 #endif
358         BIO_printf(bio_err," -bugs         - Turn on SSL bug compatibility\n");
359         BIO_printf(bio_err," -www          - Respond to a 'GET /' with a status page\n");
360         BIO_printf(bio_err," -WWW          - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>\n");
361         BIO_printf(bio_err," -HTTP         - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>\n");
362         BIO_printf(bio_err,"                 with the assumption it contains a complete HTTP response.\n");
363 #ifndef OPENSSL_NO_ENGINE
364         BIO_printf(bio_err," -engine id    - Initialise and use the specified engine\n");
365 #endif
366         BIO_printf(bio_err," -id_prefix arg - Generate SSL/TLS session IDs prefixed by 'arg'\n");
367         BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
368         }
369
370 static int local_argc=0;
371 static char **local_argv;
372
373 #ifdef CHARSET_EBCDIC
374 static int ebcdic_new(BIO *bi);
375 static int ebcdic_free(BIO *a);
376 static int ebcdic_read(BIO *b, char *out, int outl);
377 static int ebcdic_write(BIO *b, const char *in, int inl);
378 static long ebcdic_ctrl(BIO *b, int cmd, long num, void *ptr);
379 static int ebcdic_gets(BIO *bp, char *buf, int size);
380 static int ebcdic_puts(BIO *bp, const char *str);
381
382 #define BIO_TYPE_EBCDIC_FILTER  (18|0x0200)
383 static BIO_METHOD methods_ebcdic=
384         {
385         BIO_TYPE_EBCDIC_FILTER,
386         "EBCDIC/ASCII filter",
387         ebcdic_write,
388         ebcdic_read,
389         ebcdic_puts,
390         ebcdic_gets,
391         ebcdic_ctrl,
392         ebcdic_new,
393         ebcdic_free,
394         };
395
396 typedef struct
397 {
398         size_t  alloced;
399         char    buff[1];
400 } EBCDIC_OUTBUFF;
401
402 BIO_METHOD *BIO_f_ebcdic_filter()
403 {
404         return(&methods_ebcdic);
405 }
406
407 static int ebcdic_new(BIO *bi)
408 {
409         EBCDIC_OUTBUFF *wbuf;
410
411         wbuf = (EBCDIC_OUTBUFF *)OPENSSL_malloc(sizeof(EBCDIC_OUTBUFF) + 1024);
412         wbuf->alloced = 1024;
413         wbuf->buff[0] = '\0';
414
415         bi->ptr=(char *)wbuf;
416         bi->init=1;
417         bi->flags=0;
418         return(1);
419 }
420
421 static int ebcdic_free(BIO *a)
422 {
423         if (a == NULL) return(0);
424         if (a->ptr != NULL)
425                 OPENSSL_free(a->ptr);
426         a->ptr=NULL;
427         a->init=0;
428         a->flags=0;
429         return(1);
430 }
431         
432 static int ebcdic_read(BIO *b, char *out, int outl)
433 {
434         int ret=0;
435
436         if (out == NULL || outl == 0) return(0);
437         if (b->next_bio == NULL) return(0);
438
439         ret=BIO_read(b->next_bio,out,outl);
440         if (ret > 0)
441                 ascii2ebcdic(out,out,ret);
442         return(ret);
443 }
444
445 static int ebcdic_write(BIO *b, const char *in, int inl)
446 {
447         EBCDIC_OUTBUFF *wbuf;
448         int ret=0;
449         int num;
450         unsigned char n;
451
452         if ((in == NULL) || (inl <= 0)) return(0);
453         if (b->next_bio == NULL) return(0);
454
455         wbuf=(EBCDIC_OUTBUFF *)b->ptr;
456
457         if (inl > (num = wbuf->alloced))
458         {
459                 num = num + num;  /* double the size */
460                 if (num < inl)
461                         num = inl;
462                 OPENSSL_free(wbuf);
463                 wbuf=(EBCDIC_OUTBUFF *)OPENSSL_malloc(sizeof(EBCDIC_OUTBUFF) + num);
464
465                 wbuf->alloced = num;
466                 wbuf->buff[0] = '\0';
467
468                 b->ptr=(char *)wbuf;
469         }
470
471         ebcdic2ascii(wbuf->buff, in, inl);
472
473         ret=BIO_write(b->next_bio, wbuf->buff, inl);
474
475         return(ret);
476 }
477
478 static long ebcdic_ctrl(BIO *b, int cmd, long num, void *ptr)
479 {
480         long ret;
481
482         if (b->next_bio == NULL) return(0);
483         switch (cmd)
484         {
485         case BIO_CTRL_DUP:
486                 ret=0L;
487                 break;
488         default:
489                 ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
490                 break;
491         }
492         return(ret);
493 }
494
495 static int ebcdic_gets(BIO *bp, char *buf, int size)
496 {
497         int i, ret=0;
498         if (bp->next_bio == NULL) return(0);
499 /*      return(BIO_gets(bp->next_bio,buf,size));*/
500         for (i=0; i<size-1; ++i)
501         {
502                 ret = ebcdic_read(bp,&buf[i],1);
503                 if (ret <= 0)
504                         break;
505                 else if (buf[i] == '\n')
506                 {
507                         ++i;
508                         break;
509                 }
510         }
511         if (i < size)
512                 buf[i] = '\0';
513         return (ret < 0 && i == 0) ? ret : i;
514 }
515
516 static int ebcdic_puts(BIO *bp, const char *str)
517 {
518         if (bp->next_bio == NULL) return(0);
519         return ebcdic_write(bp, str, strlen(str));
520 }
521 #endif
522
523 int MAIN(int, char **);
524
525 int MAIN(int argc, char *argv[])
526         {
527         X509_STORE *store = NULL;
528         int vflags = 0;
529         short port=PORT;
530         char *CApath=NULL,*CAfile=NULL;
531         unsigned char *context = NULL;
532         char *dhfile = NULL;
533         char *named_curve = NULL;
534         int badop=0,bugs=0;
535         int ret=1;
536         int off=0;
537         int no_tmp_rsa=0,no_dhe=0,no_ecdhe=0,nocert=0;
538         int state=0;
539         SSL_METHOD *meth=NULL;
540 #ifdef sock_type
541 #undef sock_type
542 #endif
543     int sock_type=SOCK_STREAM;
544 #ifndef OPENSSL_NO_ENGINE
545         ENGINE *e=NULL;
546 #endif
547         char *inrand=NULL;
548         int s_cert_format = FORMAT_PEM, s_key_format = FORMAT_PEM;
549         char *passarg = NULL, *pass = NULL;
550         char *dpassarg = NULL, *dpass = NULL;
551         int s_dcert_format = FORMAT_PEM, s_dkey_format = FORMAT_PEM;
552         X509 *s_cert = NULL, *s_dcert = NULL;
553         EVP_PKEY *s_key = NULL, *s_dkey = NULL;
554
555 #if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
556         meth=SSLv23_server_method();
557 #elif !defined(OPENSSL_NO_SSL3)
558         meth=SSLv3_server_method();
559 #elif !defined(OPENSSL_NO_SSL2)
560         meth=SSLv2_server_method();
561 #endif
562
563         local_argc=argc;
564         local_argv=argv;
565
566         apps_startup();
567 #ifdef MONOLITH
568         s_server_init();
569 #endif
570
571         if (bio_err == NULL)
572                 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
573
574         if (!load_config(bio_err, NULL))
575                 goto end;
576
577         verify_depth=0;
578 #ifdef FIONBIO
579         s_nbio=0;
580 #endif
581         s_nbio_test=0;
582
583         argc--;
584         argv++;
585
586         while (argc >= 1)
587                 {
588                 if      ((strcmp(*argv,"-port") == 0) ||
589                          (strcmp(*argv,"-accept") == 0))
590                         {
591                         if (--argc < 1) goto bad;
592                         if (!extract_port(*(++argv),&port))
593                                 goto bad;
594                         }
595                 else if (strcmp(*argv,"-verify") == 0)
596                         {
597                         s_server_verify=SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE;
598                         if (--argc < 1) goto bad;
599                         verify_depth=atoi(*(++argv));
600                         BIO_printf(bio_err,"verify depth is %d\n",verify_depth);
601                         }
602                 else if (strcmp(*argv,"-Verify") == 0)
603                         {
604                         s_server_verify=SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT|
605                                 SSL_VERIFY_CLIENT_ONCE;
606                         if (--argc < 1) goto bad;
607                         verify_depth=atoi(*(++argv));
608                         BIO_printf(bio_err,"verify depth is %d, must return a certificate\n",verify_depth);
609                         }
610                 else if (strcmp(*argv,"-context") == 0)
611                         {
612                         if (--argc < 1) goto bad;
613                         context= (unsigned char *)*(++argv);
614                         }
615                 else if (strcmp(*argv,"-cert") == 0)
616                         {
617                         if (--argc < 1) goto bad;
618                         s_cert_file= *(++argv);
619                         }
620                 else if (strcmp(*argv,"-certform") == 0)
621                         {
622                         if (--argc < 1) goto bad;
623                         s_cert_format = str2fmt(*(++argv));
624                         }
625                 else if (strcmp(*argv,"-key") == 0)
626                         {
627                         if (--argc < 1) goto bad;
628                         s_key_file= *(++argv);
629                         }
630                 else if (strcmp(*argv,"-keyform") == 0)
631                         {
632                         if (--argc < 1) goto bad;
633                         s_key_format = str2fmt(*(++argv));
634                         }
635                 else if (strcmp(*argv,"-pass") == 0)
636                         {
637                         if (--argc < 1) goto bad;
638                         passarg = *(++argv);
639                         }
640                 else if (strcmp(*argv,"-dhparam") == 0)
641                         {
642                         if (--argc < 1) goto bad;
643                         dhfile = *(++argv);
644                         }
645 #ifndef OPENSSL_NO_ECDH         
646                 else if (strcmp(*argv,"-named_curve") == 0)
647                         {
648                         if (--argc < 1) goto bad;
649                         named_curve = *(++argv);
650                         }
651 #endif
652                 else if (strcmp(*argv,"-dcertform") == 0)
653                         {
654                         if (--argc < 1) goto bad;
655                         s_dcert_format = str2fmt(*(++argv));
656                         }
657                 else if (strcmp(*argv,"-dcert") == 0)
658                         {
659                         if (--argc < 1) goto bad;
660                         s_dcert_file= *(++argv);
661                         }
662                 else if (strcmp(*argv,"-dkeyform") == 0)
663                         {
664                         if (--argc < 1) goto bad;
665                         s_dkey_format = str2fmt(*(++argv));
666                         }
667                 else if (strcmp(*argv,"-dpass") == 0)
668                         {
669                         if (--argc < 1) goto bad;
670                         dpassarg = *(++argv);
671                         }
672                 else if (strcmp(*argv,"-dkey") == 0)
673                         {
674                         if (--argc < 1) goto bad;
675                         s_dkey_file= *(++argv);
676                         }
677                 else if (strcmp(*argv,"-nocert") == 0)
678                         {
679                         nocert=1;
680                         }
681                 else if (strcmp(*argv,"-CApath") == 0)
682                         {
683                         if (--argc < 1) goto bad;
684                         CApath= *(++argv);
685                         }
686                 else if (strcmp(*argv,"-crl_check") == 0)
687                         {
688                         vflags |= X509_V_FLAG_CRL_CHECK;
689                         }
690                 else if (strcmp(*argv,"-crl_check") == 0)
691                         {
692                         vflags |= X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL;
693                         }
694                 else if (strcmp(*argv,"-serverpref") == 0)
695                         { off|=SSL_OP_CIPHER_SERVER_PREFERENCE; }
696                 else if (strcmp(*argv,"-cipher") == 0)
697                         {
698                         if (--argc < 1) goto bad;
699                         cipher= *(++argv);
700                         }
701                 else if (strcmp(*argv,"-CAfile") == 0)
702                         {
703                         if (--argc < 1) goto bad;
704                         CAfile= *(++argv);
705                         }
706 #ifdef FIONBIO  
707                 else if (strcmp(*argv,"-nbio") == 0)
708                         { s_nbio=1; }
709 #endif
710                 else if (strcmp(*argv,"-nbio_test") == 0)
711                         {
712 #ifdef FIONBIO  
713                         s_nbio=1;
714 #endif
715                         s_nbio_test=1;
716                         }
717                 else if (strcmp(*argv,"-debug") == 0)
718                         { s_debug=1; }
719                 else if (strcmp(*argv,"-msg") == 0)
720                         { s_msg=1; }
721                 else if (strcmp(*argv,"-hack") == 0)
722                         { hack=1; }
723                 else if (strcmp(*argv,"-state") == 0)
724                         { state=1; }
725                 else if (strcmp(*argv,"-crlf") == 0)
726                         { s_crlf=1; }
727                 else if (strcmp(*argv,"-quiet") == 0)
728                         { s_quiet=1; }
729                 else if (strcmp(*argv,"-bugs") == 0)
730                         { bugs=1; }
731                 else if (strcmp(*argv,"-no_tmp_rsa") == 0)
732                         { no_tmp_rsa=1; }
733                 else if (strcmp(*argv,"-no_dhe") == 0)
734                         { no_dhe=1; }
735                 else if (strcmp(*argv,"-no_ecdhe") == 0)
736                         { no_ecdhe=1; }
737                 else if (strcmp(*argv,"-www") == 0)
738                         { www=1; }
739                 else if (strcmp(*argv,"-WWW") == 0)
740                         { www=2; }
741                 else if (strcmp(*argv,"-HTTP") == 0)
742                         { www=3; }
743                 else if (strcmp(*argv,"-no_ssl2") == 0)
744                         { off|=SSL_OP_NO_SSLv2; }
745                 else if (strcmp(*argv,"-no_ssl3") == 0)
746                         { off|=SSL_OP_NO_SSLv3; }
747                 else if (strcmp(*argv,"-no_tls1") == 0)
748                         { off|=SSL_OP_NO_TLSv1; }
749 #ifndef OPENSSL_NO_SSL2
750                 else if (strcmp(*argv,"-ssl2") == 0)
751                         { meth=SSLv2_server_method(); }
752 #endif
753 #ifndef OPENSSL_NO_SSL3
754                 else if (strcmp(*argv,"-ssl3") == 0)
755                         { meth=SSLv3_server_method(); }
756 #endif
757 #ifndef OPENSSL_NO_TLS1
758                 else if (strcmp(*argv,"-tls1") == 0)
759                         { meth=TLSv1_server_method(); }
760 #endif
761 #ifndef OPENSSL_NO_DTLS1
762                 else if (strcmp(*argv,"-dtls1") == 0)
763                         { 
764                         meth=DTLSv1_server_method();
765                         sock_type = SOCK_DGRAM;
766                         }
767                 else if (strcmp(*argv,"-timeout") == 0)
768                         enable_timeouts = 1;
769                 else if (strcmp(*argv,"-mtu") == 0)
770                         {
771                         if (--argc < 1) goto bad;
772                         mtu = atol(*(++argv));
773                         }
774                 else if (strcmp(*argv, "-chain") == 0)
775                         cert_chain = 1;
776 #endif
777                 else if (strcmp(*argv, "-id_prefix") == 0)
778                         {
779                         if (--argc < 1) goto bad;
780                         session_id_prefix = *(++argv);
781                         }
782 #ifndef OPENSSL_NO_ENGINE
783                 else if (strcmp(*argv,"-engine") == 0)
784                         {
785                         if (--argc < 1) goto bad;
786                         engine_id= *(++argv);
787                         }
788 #endif
789                 else if (strcmp(*argv,"-rand") == 0)
790                         {
791                         if (--argc < 1) goto bad;
792                         inrand= *(++argv);
793                         }
794                 else
795                         {
796                         BIO_printf(bio_err,"unknown option %s\n",*argv);
797                         badop=1;
798                         break;
799                         }
800                 argc--;
801                 argv++;
802                 }
803         if (badop)
804                 {
805 bad:
806                 sv_usage();
807                 goto end;
808                 }
809
810         SSL_load_error_strings();
811         OpenSSL_add_ssl_algorithms();
812
813 #ifndef OPENSSL_NO_ENGINE
814         e = setup_engine(bio_err, engine_id, 1);
815 #endif
816
817         if (!app_passwd(bio_err, passarg, dpassarg, &pass, &dpass))
818                 {
819                 BIO_printf(bio_err, "Error getting password\n");
820                 goto end;
821                 }
822
823
824         if (s_key_file == NULL)
825                 s_key_file = s_cert_file;
826
827         s_key = load_key(bio_err, s_key_file, s_key_format, 0, pass, e,
828                        "server certificate private key file");
829         if (!s_key)
830                 {
831                 ERR_print_errors(bio_err);
832                 goto end;
833                 }
834
835         s_cert = load_cert(bio_err,s_cert_file,s_cert_format,
836                         NULL, e, "server certificate file");
837
838         if (!s_cert)
839                 {
840                 ERR_print_errors(bio_err);
841                 goto end;
842                 }
843
844         if (s_dcert_file)
845                 {
846
847                 if (s_dkey_file == NULL)
848                         s_dkey_file = s_dcert_file;
849
850                 s_dkey = load_key(bio_err, s_dkey_file, s_dkey_format,
851                                 0, dpass, e,
852                                "second certificate private key file");
853                 if (!s_dkey)
854                         {
855                         ERR_print_errors(bio_err);
856                         goto end;
857                         }
858
859                 s_dcert = load_cert(bio_err,s_dcert_file,s_dcert_format,
860                                 NULL, e, "second server certificate file");
861
862                 if (!s_dcert)
863                         {
864                         ERR_print_errors(bio_err);
865                         goto end;
866                         }
867
868                 }
869
870         if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
871                 && !RAND_status())
872                 {
873                 BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n");
874                 }
875         if (inrand != NULL)
876                 BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
877                         app_RAND_load_files(inrand));
878
879         if (bio_s_out == NULL)
880                 {
881                 if (s_quiet && !s_debug && !s_msg)
882                         {
883                         bio_s_out=BIO_new(BIO_s_null());
884                         }
885                 else
886                         {
887                         if (bio_s_out == NULL)
888                                 bio_s_out=BIO_new_fp(stdout,BIO_NOCLOSE);
889                         }
890                 }
891
892 #if !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_ECDSA)
893         if (nocert)
894 #endif
895                 {
896                 s_cert_file=NULL;
897                 s_key_file=NULL;
898                 s_dcert_file=NULL;
899                 s_dkey_file=NULL;
900                 }
901
902         ctx=SSL_CTX_new(meth);
903         if (ctx == NULL)
904                 {
905                 ERR_print_errors(bio_err);
906                 goto end;
907                 }
908         if (session_id_prefix)
909                 {
910                 if(strlen(session_id_prefix) >= 32)
911                         BIO_printf(bio_err,
912 "warning: id_prefix is too long, only one new session will be possible\n");
913                 else if(strlen(session_id_prefix) >= 16)
914                         BIO_printf(bio_err,
915 "warning: id_prefix is too long if you use SSLv2\n");
916                 if(!SSL_CTX_set_generate_session_id(ctx, generate_session_id))
917                         {
918                         BIO_printf(bio_err,"error setting 'id_prefix'\n");
919                         ERR_print_errors(bio_err);
920                         goto end;
921                         }
922                 BIO_printf(bio_err,"id_prefix '%s' set.\n", session_id_prefix);
923                 }
924         SSL_CTX_set_quiet_shutdown(ctx,1);
925         if (bugs) SSL_CTX_set_options(ctx,SSL_OP_ALL);
926         if (hack) SSL_CTX_set_options(ctx,SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG);
927         SSL_CTX_set_options(ctx,off);
928         /* DTLS: partial reads end up discarding unread UDP bytes :-( 
929          * Setting read ahead solves this problem.
930          */
931         if (sock_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1);
932
933         if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback);
934
935         SSL_CTX_sess_set_cache_size(ctx,128);
936
937 #if 0
938         if (cipher == NULL) cipher=getenv("SSL_CIPHER");
939 #endif
940
941 #if 0
942         if (s_cert_file == NULL)
943                 {
944                 BIO_printf(bio_err,"You must specify a certificate file for the server to use\n");
945                 goto end;
946                 }
947 #endif
948
949         if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
950                 (!SSL_CTX_set_default_verify_paths(ctx)))
951                 {
952                 /* BIO_printf(bio_err,"X509_load_verify_locations\n"); */
953                 ERR_print_errors(bio_err);
954                 /* goto end; */
955                 }
956         store = SSL_CTX_get_cert_store(ctx);
957         X509_STORE_set_flags(store, vflags);
958
959 #ifndef OPENSSL_NO_DH
960         if (!no_dhe)
961                 {
962                 DH *dh=NULL;
963
964                 if (dhfile)
965                         dh = load_dh_param(dhfile);
966                 else if (s_cert_file)
967                         dh = load_dh_param(s_cert_file);
968
969                 if (dh != NULL)
970                         {
971                         BIO_printf(bio_s_out,"Setting temp DH parameters\n");
972                         }
973                 else
974                         {
975                         BIO_printf(bio_s_out,"Using default temp DH parameters\n");
976                         dh=get_dh512();
977                         }
978                 (void)BIO_flush(bio_s_out);
979
980                 SSL_CTX_set_tmp_dh(ctx,dh);
981                 DH_free(dh);
982                 }
983 #endif
984
985 #ifndef OPENSSL_NO_ECDH
986         if (!no_ecdhe)
987                 {
988                 EC_KEY *ecdh=NULL;
989
990                 if (named_curve)
991                         {
992                         int nid = OBJ_sn2nid(named_curve);
993
994                         if (nid == 0)
995                                 {
996                                 BIO_printf(bio_err, "unknown curve name (%s)\n", 
997                                         named_curve);
998                                 goto end;
999                                 }
1000                         ecdh = EC_KEY_new_by_curve_name(nid);
1001                         if (ecdh == NULL)
1002                                 {
1003                                 BIO_printf(bio_err, "unable to create curve (%s)\n", 
1004                                         named_curve);
1005                                 goto end;
1006                                 }
1007                         }
1008
1009                 if (ecdh != NULL)
1010                         {
1011                         BIO_printf(bio_s_out,"Setting temp ECDH parameters\n");
1012                         }
1013                 else
1014                         {
1015                         BIO_printf(bio_s_out,"Using default temp ECDH parameters\n");
1016                         ecdh = EC_KEY_new_by_curve_name(NID_sect163r2);
1017                         if (ecdh == NULL) 
1018                                 {
1019                                 BIO_printf(bio_err, "unable to create curve (sect163r2)\n");
1020                                 goto end;
1021                                 }
1022                         }
1023                 (void)BIO_flush(bio_s_out);
1024
1025                 SSL_CTX_set_tmp_ecdh(ctx,ecdh);
1026                 EC_KEY_free(ecdh);
1027                 }
1028 #endif
1029         
1030         if (!set_cert_key_stuff(ctx,s_cert,s_key))
1031                 goto end;
1032         if (s_dcert != NULL)
1033                 {
1034                 if (!set_cert_key_stuff(ctx,s_dcert,s_dkey))
1035                         goto end;
1036                 }
1037
1038 #ifndef OPENSSL_NO_RSA
1039 #if 1
1040         if (!no_tmp_rsa)
1041                 SSL_CTX_set_tmp_rsa_callback(ctx,tmp_rsa_cb);
1042 #else
1043         if (!no_tmp_rsa && SSL_CTX_need_tmp_RSA(ctx))
1044                 {
1045                 RSA *rsa;
1046
1047                 BIO_printf(bio_s_out,"Generating temp (512 bit) RSA key...");
1048                 BIO_flush(bio_s_out);
1049
1050                 rsa=RSA_generate_key(512,RSA_F4,NULL);
1051
1052                 if (!SSL_CTX_set_tmp_rsa(ctx,rsa))
1053                         {
1054                         ERR_print_errors(bio_err);
1055                         goto end;
1056                         }
1057                 RSA_free(rsa);
1058                 BIO_printf(bio_s_out,"\n");
1059                 }
1060 #endif
1061 #endif
1062
1063         if (cipher != NULL)
1064                 if(!SSL_CTX_set_cipher_list(ctx,cipher)) {
1065                 BIO_printf(bio_err,"error setting cipher list\n");
1066                 ERR_print_errors(bio_err);
1067                 goto end;
1068         }
1069         SSL_CTX_set_verify(ctx,s_server_verify,verify_callback);
1070         SSL_CTX_set_session_id_context(ctx,(void*)&s_server_session_id_context,
1071                 sizeof s_server_session_id_context);
1072
1073         if (CAfile != NULL)
1074             SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(CAfile));
1075
1076         BIO_printf(bio_s_out,"ACCEPT\n");
1077         if (www)
1078                 do_server(port,sock_type,&accept_socket,www_body, context);
1079         else
1080                 do_server(port,sock_type,&accept_socket,sv_body, context);
1081         print_stats(bio_s_out,ctx);
1082         ret=0;
1083 end:
1084         if (ctx != NULL) SSL_CTX_free(ctx);
1085         if (s_cert)
1086                 X509_free(s_cert);
1087         if (s_dcert)
1088                 X509_free(s_dcert);
1089         if (s_key)
1090                 EVP_PKEY_free(s_key);
1091         if (s_dkey)
1092                 EVP_PKEY_free(s_dkey);
1093         if (pass)
1094                 OPENSSL_free(pass);
1095         if (dpass)
1096                 OPENSSL_free(dpass);
1097         if (bio_s_out != NULL)
1098                 {
1099         BIO_free(bio_s_out);
1100                 bio_s_out=NULL;
1101                 }
1102         apps_shutdown();
1103         OPENSSL_EXIT(ret);
1104         }
1105
1106 static void print_stats(BIO *bio, SSL_CTX *ssl_ctx)
1107         {
1108         BIO_printf(bio,"%4ld items in the session cache\n",
1109                 SSL_CTX_sess_number(ssl_ctx));
1110         BIO_printf(bio,"%4ld client connects (SSL_connect())\n",
1111                 SSL_CTX_sess_connect(ssl_ctx));
1112         BIO_printf(bio,"%4ld client renegotiates (SSL_connect())\n",
1113                 SSL_CTX_sess_connect_renegotiate(ssl_ctx));
1114         BIO_printf(bio,"%4ld client connects that finished\n",
1115                 SSL_CTX_sess_connect_good(ssl_ctx));
1116         BIO_printf(bio,"%4ld server accepts (SSL_accept())\n",
1117                 SSL_CTX_sess_accept(ssl_ctx));
1118         BIO_printf(bio,"%4ld server renegotiates (SSL_accept())\n",
1119                 SSL_CTX_sess_accept_renegotiate(ssl_ctx));
1120         BIO_printf(bio,"%4ld server accepts that finished\n",
1121                 SSL_CTX_sess_accept_good(ssl_ctx));
1122         BIO_printf(bio,"%4ld session cache hits\n",SSL_CTX_sess_hits(ssl_ctx));
1123         BIO_printf(bio,"%4ld session cache misses\n",SSL_CTX_sess_misses(ssl_ctx));
1124         BIO_printf(bio,"%4ld session cache timeouts\n",SSL_CTX_sess_timeouts(ssl_ctx));
1125         BIO_printf(bio,"%4ld callback cache hits\n",SSL_CTX_sess_cb_hits(ssl_ctx));
1126         BIO_printf(bio,"%4ld cache full overflows (%ld allowed)\n",
1127                 SSL_CTX_sess_cache_full(ssl_ctx),
1128                 SSL_CTX_sess_get_cache_size(ssl_ctx));
1129         }
1130
1131 static int sv_body(char *hostname, int s, unsigned char *context)
1132         {
1133         char *buf=NULL;
1134         fd_set readfds;
1135         int ret=1,width;
1136         int k,i;
1137         unsigned long l;
1138         SSL *con=NULL;
1139         BIO *sbio;
1140 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE)
1141         struct timeval tv;
1142 #endif
1143
1144         if ((buf=OPENSSL_malloc(bufsize)) == NULL)
1145                 {
1146                 BIO_printf(bio_err,"out of memory\n");
1147                 goto err;
1148                 }
1149 #ifdef FIONBIO  
1150         if (s_nbio)
1151                 {
1152                 unsigned long sl=1;
1153
1154                 if (!s_quiet)
1155                         BIO_printf(bio_err,"turning on non blocking io\n");
1156                 if (BIO_socket_ioctl(s,FIONBIO,&sl) < 0)
1157                         ERR_print_errors(bio_err);
1158                 }
1159 #endif
1160
1161         if (con == NULL) {
1162                 con=SSL_new(ctx);
1163 #ifndef OPENSSL_NO_KRB5
1164                 if ((con->kssl_ctx = kssl_ctx_new()) != NULL)
1165                         {
1166                         kssl_ctx_setstring(con->kssl_ctx, KSSL_SERVICE,
1167                                                                 KRB5SVC);
1168                         kssl_ctx_setstring(con->kssl_ctx, KSSL_KEYTAB,
1169                                                                 KRB5KEYTAB);
1170                         }
1171 #endif  /* OPENSSL_NO_KRB5 */
1172                 if(context)
1173                       SSL_set_session_id_context(con, context,
1174                                                  strlen((char *)context));
1175         }
1176         SSL_clear(con);
1177
1178         if (SSL_version(con) == DTLS1_VERSION)
1179                 {
1180                 struct timeval timeout;
1181
1182                 sbio=BIO_new_dgram(s,BIO_NOCLOSE);
1183
1184                 if ( enable_timeouts)
1185                         {
1186                         timeout.tv_sec = 0;
1187                         timeout.tv_usec = DGRAM_RCV_TIMEOUT;
1188                         BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
1189                         
1190                         timeout.tv_sec = 0;
1191                         timeout.tv_usec = DGRAM_SND_TIMEOUT;
1192                         BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
1193                         }
1194
1195                 
1196                 if ( mtu > 0)
1197                         {
1198                         SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
1199                         SSL_set_mtu(con, mtu);
1200                         }
1201                 else
1202                         /* want to do MTU discovery */
1203                         BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL);
1204
1205         /* turn on cookie exchange */
1206         SSL_set_options(con, SSL_OP_COOKIE_EXCHANGE);
1207                 }
1208         else
1209                 sbio=BIO_new_socket(s,BIO_NOCLOSE);
1210
1211         if (s_nbio_test)
1212                 {
1213                 BIO *test;
1214
1215                 test=BIO_new(BIO_f_nbio_test());
1216                 sbio=BIO_push(test,sbio);
1217                 }
1218         SSL_set_bio(con,sbio,sbio);
1219         SSL_set_accept_state(con);
1220         /* SSL_set_fd(con,s); */
1221
1222         if (s_debug)
1223                 {
1224                 con->debug=1;
1225                 BIO_set_callback(SSL_get_rbio(con),bio_dump_callback);
1226                 BIO_set_callback_arg(SSL_get_rbio(con),bio_s_out);
1227                 }
1228         if (s_msg)
1229                 {
1230                 SSL_set_msg_callback(con, msg_cb);
1231                 SSL_set_msg_callback_arg(con, bio_s_out);
1232                 }
1233
1234         width=s+1;
1235         for (;;)
1236                 {
1237                 int read_from_terminal;
1238                 int read_from_sslcon;
1239
1240                 read_from_terminal = 0;
1241                 read_from_sslcon = SSL_pending(con);
1242
1243                 if (!read_from_sslcon)
1244                         {
1245                         FD_ZERO(&readfds);
1246 #if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE)
1247                         FD_SET(fileno(stdin),&readfds);
1248 #endif
1249                         FD_SET(s,&readfds);
1250                         /* Note: under VMS with SOCKETSHR the second parameter is
1251                          * currently of type (int *) whereas under other systems
1252                          * it is (void *) if you don't have a cast it will choke
1253                          * the compiler: if you do have a cast then you can either
1254                          * go for (int *) or (void *).
1255                          */
1256 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE)
1257                         /* Under DOS (non-djgpp) and Windows we can't select on stdin: only
1258                          * on sockets. As a workaround we timeout the select every
1259                          * second and check for any keypress. In a proper Windows
1260                          * application we wouldn't do this because it is inefficient.
1261                          */
1262                         tv.tv_sec = 1;
1263                         tv.tv_usec = 0;
1264                         i=select(width,(void *)&readfds,NULL,NULL,&tv);
1265                         if((i < 0) || (!i && !_kbhit() ) )continue;
1266                         if(_kbhit())
1267                                 read_from_terminal = 1;
1268 #else
1269                         i=select(width,(void *)&readfds,NULL,NULL,NULL);
1270                         if (i <= 0) continue;
1271                         if (FD_ISSET(fileno(stdin),&readfds))
1272                                 read_from_terminal = 1;
1273 #endif
1274                         if (FD_ISSET(s,&readfds))
1275                                 read_from_sslcon = 1;
1276                         }
1277                 if (read_from_terminal)
1278                         {
1279                         if (s_crlf)
1280                                 {
1281                                 int j, lf_num;
1282
1283                                 i=read(fileno(stdin), buf, bufsize/2);
1284                                 lf_num = 0;
1285                                 /* both loops are skipped when i <= 0 */
1286                                 for (j = 0; j < i; j++)
1287                                         if (buf[j] == '\n')
1288                                                 lf_num++;
1289                                 for (j = i-1; j >= 0; j--)
1290                                         {
1291                                         buf[j+lf_num] = buf[j];
1292                                         if (buf[j] == '\n')
1293                                                 {
1294                                                 lf_num--;
1295                                                 i++;
1296                                                 buf[j+lf_num] = '\r';
1297                                                 }
1298                                         }
1299                                 assert(lf_num == 0);
1300                                 }
1301                         else
1302                                 i=read(fileno(stdin),buf,bufsize);
1303                         if (!s_quiet)
1304                                 {
1305                                 if ((i <= 0) || (buf[0] == 'Q'))
1306                                         {
1307                                         BIO_printf(bio_s_out,"DONE\n");
1308                                         SHUTDOWN(s);
1309                                         close_accept_socket();
1310                                         ret= -11;
1311                                         goto err;
1312                                         }
1313                                 if ((i <= 0) || (buf[0] == 'q'))
1314                                         {
1315                                         BIO_printf(bio_s_out,"DONE\n");
1316                                         if (SSL_version(con) != DTLS1_VERSION)
1317                         SHUTDOWN(s);
1318         /*                              close_accept_socket();
1319                                         ret= -11;*/
1320                                         goto err;
1321                                         }
1322                                 if ((buf[0] == 'r') && 
1323                                         ((buf[1] == '\n') || (buf[1] == '\r')))
1324                                         {
1325                                         SSL_renegotiate(con);
1326                                         i=SSL_do_handshake(con);
1327                                         printf("SSL_do_handshake -> %d\n",i);
1328                                         i=0; /*13; */
1329                                         continue;
1330                                         /* strcpy(buf,"server side RE-NEGOTIATE\n"); */
1331                                         }
1332                                 if ((buf[0] == 'R') &&
1333                                         ((buf[1] == '\n') || (buf[1] == '\r')))
1334                                         {
1335                                         SSL_set_verify(con,
1336                                                 SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE,NULL);
1337                                         SSL_renegotiate(con);
1338                                         i=SSL_do_handshake(con);
1339                                         printf("SSL_do_handshake -> %d\n",i);
1340                                         i=0; /* 13; */
1341                                         continue;
1342                                         /* strcpy(buf,"server side RE-NEGOTIATE asking for client cert\n"); */
1343                                         }
1344                                 if (buf[0] == 'P')
1345                                         {
1346                                         static const char *str="Lets print some clear text\n";
1347                                         BIO_write(SSL_get_wbio(con),str,strlen(str));
1348                                         }
1349                                 if (buf[0] == 'S')
1350                                         {
1351                                         print_stats(bio_s_out,SSL_get_SSL_CTX(con));
1352                                         }
1353                                 }
1354 #ifdef CHARSET_EBCDIC
1355                         ebcdic2ascii(buf,buf,i);
1356 #endif
1357                         l=k=0;
1358                         for (;;)
1359                                 {
1360                                 /* should do a select for the write */
1361 #ifdef RENEG
1362 { static count=0; if (++count == 100) { count=0; SSL_renegotiate(con); } }
1363 #endif
1364                                 k=SSL_write(con,&(buf[l]),(unsigned int)i);
1365                                 switch (SSL_get_error(con,k))
1366                                         {
1367                                 case SSL_ERROR_NONE:
1368                                         break;
1369                                 case SSL_ERROR_WANT_WRITE:
1370                                 case SSL_ERROR_WANT_READ:
1371                                 case SSL_ERROR_WANT_X509_LOOKUP:
1372                                         BIO_printf(bio_s_out,"Write BLOCK\n");
1373                                         break;
1374                                 case SSL_ERROR_SYSCALL:
1375                                 case SSL_ERROR_SSL:
1376                                         BIO_printf(bio_s_out,"ERROR\n");
1377                                         ERR_print_errors(bio_err);
1378                                         ret=1;
1379                                         goto err;
1380                                         /* break; */
1381                                 case SSL_ERROR_ZERO_RETURN:
1382                                         BIO_printf(bio_s_out,"DONE\n");
1383                                         ret=1;
1384                                         goto err;
1385                                         }
1386                                 l+=k;
1387                                 i-=k;
1388                                 if (i <= 0) break;
1389                                 }
1390                         }
1391                 if (read_from_sslcon)
1392                         {
1393                         if (!SSL_is_init_finished(con))
1394                                 {
1395                                 i=init_ssl_connection(con);
1396                                 
1397                                 if (i < 0)
1398                                         {
1399                                         ret=0;
1400                                         goto err;
1401                                         }
1402                                 else if (i == 0)
1403                                         {
1404                                         ret=1;
1405                                         goto err;
1406                                         }
1407                                 }
1408                         else
1409                                 {
1410 again:  
1411                                 i=SSL_read(con,(char *)buf,bufsize);
1412                                 switch (SSL_get_error(con,i))
1413                                         {
1414                                 case SSL_ERROR_NONE:
1415 #ifdef CHARSET_EBCDIC
1416                                         ascii2ebcdic(buf,buf,i);
1417 #endif
1418                                         write(fileno(stdout),buf,
1419                                                 (unsigned int)i);
1420                                         if (SSL_pending(con)) goto again;
1421                                         break;
1422                                 case SSL_ERROR_WANT_WRITE:
1423                                 case SSL_ERROR_WANT_READ:
1424                                 case SSL_ERROR_WANT_X509_LOOKUP:
1425                                         BIO_printf(bio_s_out,"Read BLOCK\n");
1426                                         break;
1427                                 case SSL_ERROR_SYSCALL:
1428                                 case SSL_ERROR_SSL:
1429                                         BIO_printf(bio_s_out,"ERROR\n");
1430                                         ERR_print_errors(bio_err);
1431                                         ret=1;
1432                                         goto err;
1433                                 case SSL_ERROR_ZERO_RETURN:
1434                                         BIO_printf(bio_s_out,"DONE\n");
1435                                         ret=1;
1436                                         goto err;
1437                                         }
1438                                 }
1439                         }
1440                 }
1441 err:
1442         BIO_printf(bio_s_out,"shutting down SSL\n");
1443 #if 1
1444         SSL_set_shutdown(con,SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
1445 #else
1446         SSL_shutdown(con);
1447 #endif
1448         if (con != NULL) SSL_free(con);
1449         BIO_printf(bio_s_out,"CONNECTION CLOSED\n");
1450         if (buf != NULL)
1451                 {
1452                 OPENSSL_cleanse(buf,bufsize);
1453                 OPENSSL_free(buf);
1454                 }
1455         if (ret >= 0)
1456                 BIO_printf(bio_s_out,"ACCEPT\n");
1457         return(ret);
1458         }
1459
1460 static void close_accept_socket(void)
1461         {
1462         BIO_printf(bio_err,"shutdown accept socket\n");
1463         if (accept_socket >= 0)
1464                 {
1465                 SHUTDOWN2(accept_socket);
1466                 }
1467         }
1468
1469 static int init_ssl_connection(SSL *con)
1470         {
1471         int i;
1472         const char *str;
1473         X509 *peer;
1474         long verify_error;
1475         MS_STATIC char buf[BUFSIZ];
1476
1477         if ((i=SSL_accept(con)) <= 0)
1478                 {
1479                 if (BIO_sock_should_retry(i))
1480                         {
1481                         BIO_printf(bio_s_out,"DELAY\n");
1482                         return(1);
1483                         }
1484
1485                 BIO_printf(bio_err,"ERROR\n");
1486                 verify_error=SSL_get_verify_result(con);
1487                 if (verify_error != X509_V_OK)
1488                         {
1489                         BIO_printf(bio_err,"verify error:%s\n",
1490                                 X509_verify_cert_error_string(verify_error));
1491                         }
1492                 else
1493                         ERR_print_errors(bio_err);
1494                 return(0);
1495                 }
1496
1497         PEM_write_bio_SSL_SESSION(bio_s_out,SSL_get_session(con));
1498
1499         peer=SSL_get_peer_certificate(con);
1500         if (peer != NULL)
1501                 {
1502                 BIO_printf(bio_s_out,"Client certificate\n");
1503                 PEM_write_bio_X509(bio_s_out,peer);
1504                 X509_NAME_oneline(X509_get_subject_name(peer),buf,sizeof buf);
1505                 BIO_printf(bio_s_out,"subject=%s\n",buf);
1506                 X509_NAME_oneline(X509_get_issuer_name(peer),buf,sizeof buf);
1507                 BIO_printf(bio_s_out,"issuer=%s\n",buf);
1508                 X509_free(peer);
1509                 }
1510
1511         if (SSL_get_shared_ciphers(con,buf,sizeof buf) != NULL)
1512                 BIO_printf(bio_s_out,"Shared ciphers:%s\n",buf);
1513         str=SSL_CIPHER_get_name(SSL_get_current_cipher(con));
1514         BIO_printf(bio_s_out,"CIPHER is %s\n",(str != NULL)?str:"(NONE)");
1515         if (con->hit) BIO_printf(bio_s_out,"Reused session-id\n");
1516         if (SSL_ctrl(con,SSL_CTRL_GET_FLAGS,0,NULL) &
1517                 TLS1_FLAGS_TLS_PADDING_BUG)
1518                 BIO_printf(bio_s_out,"Peer has incorrect TLSv1 block padding\n");
1519 #ifndef OPENSSL_NO_KRB5
1520         if (con->kssl_ctx->client_princ != NULL)
1521                 {
1522                 BIO_printf(bio_s_out,"Kerberos peer principal is %s\n",
1523                         con->kssl_ctx->client_princ);
1524                 }
1525 #endif /* OPENSSL_NO_KRB5 */
1526         return(1);
1527         }
1528
1529 #ifndef OPENSSL_NO_DH
1530 static DH *load_dh_param(const char *dhfile)
1531         {
1532         DH *ret=NULL;
1533         BIO *bio;
1534
1535         if ((bio=BIO_new_file(dhfile,"r")) == NULL)
1536                 goto err;
1537         ret=PEM_read_bio_DHparams(bio,NULL,NULL,NULL);
1538 err:
1539         if (bio != NULL) BIO_free(bio);
1540         return(ret);
1541         }
1542 #endif
1543
1544 #if 0
1545 static int load_CA(SSL_CTX *ctx, char *file)
1546         {
1547         FILE *in;
1548         X509 *x=NULL;
1549
1550         if ((in=fopen(file,"r")) == NULL)
1551                 return(0);
1552
1553         for (;;)
1554                 {
1555                 if (PEM_read_X509(in,&x,NULL) == NULL)
1556                         break;
1557                 SSL_CTX_add_client_CA(ctx,x);
1558                 }
1559         if (x != NULL) X509_free(x);
1560         fclose(in);
1561         return(1);
1562         }
1563 #endif
1564
1565 static int www_body(char *hostname, int s, unsigned char *context)
1566         {
1567         char *buf=NULL;
1568         int ret=1;
1569         int i,j,k,blank,dot;
1570         struct stat st_buf;
1571         SSL *con;
1572         SSL_CIPHER *c;
1573         BIO *io,*ssl_bio,*sbio;
1574         long total_bytes;
1575
1576         buf=OPENSSL_malloc(bufsize);
1577         if (buf == NULL) return(0);
1578         io=BIO_new(BIO_f_buffer());
1579         ssl_bio=BIO_new(BIO_f_ssl());
1580         if ((io == NULL) || (ssl_bio == NULL)) goto err;
1581
1582 #ifdef FIONBIO  
1583         if (s_nbio)
1584                 {
1585                 unsigned long sl=1;
1586
1587                 if (!s_quiet)
1588                         BIO_printf(bio_err,"turning on non blocking io\n");
1589                 if (BIO_socket_ioctl(s,FIONBIO,&sl) < 0)
1590                         ERR_print_errors(bio_err);
1591                 }
1592 #endif
1593
1594         /* lets make the output buffer a reasonable size */
1595         if (!BIO_set_write_buffer_size(io,bufsize)) goto err;
1596
1597         if ((con=SSL_new(ctx)) == NULL) goto err;
1598 #ifndef OPENSSL_NO_KRB5
1599         if ((con->kssl_ctx = kssl_ctx_new()) != NULL)
1600                 {
1601                 kssl_ctx_setstring(con->kssl_ctx, KSSL_SERVICE, KRB5SVC);
1602                 kssl_ctx_setstring(con->kssl_ctx, KSSL_KEYTAB, KRB5KEYTAB);
1603                 }
1604 #endif  /* OPENSSL_NO_KRB5 */
1605         if(context) SSL_set_session_id_context(con, context,
1606                                                strlen((char *)context));
1607
1608         sbio=BIO_new_socket(s,BIO_NOCLOSE);
1609         if (s_nbio_test)
1610                 {
1611                 BIO *test;
1612
1613                 test=BIO_new(BIO_f_nbio_test());
1614                 sbio=BIO_push(test,sbio);
1615                 }
1616         SSL_set_bio(con,sbio,sbio);
1617         SSL_set_accept_state(con);
1618
1619         /* SSL_set_fd(con,s); */
1620         BIO_set_ssl(ssl_bio,con,BIO_CLOSE);
1621         BIO_push(io,ssl_bio);
1622 #ifdef CHARSET_EBCDIC
1623         io = BIO_push(BIO_new(BIO_f_ebcdic_filter()),io);
1624 #endif
1625
1626         if (s_debug)
1627                 {
1628                 con->debug=1;
1629                 BIO_set_callback(SSL_get_rbio(con),bio_dump_callback);
1630                 BIO_set_callback_arg(SSL_get_rbio(con),bio_s_out);
1631                 }
1632         if (s_msg)
1633                 {
1634                 SSL_set_msg_callback(con, msg_cb);
1635                 SSL_set_msg_callback_arg(con, bio_s_out);
1636                 }
1637
1638         blank=0;
1639         for (;;)
1640                 {
1641                 if (hack)
1642                         {
1643                         i=SSL_accept(con);
1644
1645                         switch (SSL_get_error(con,i))
1646                                 {
1647                         case SSL_ERROR_NONE:
1648                                 break;
1649                         case SSL_ERROR_WANT_WRITE:
1650                         case SSL_ERROR_WANT_READ:
1651                         case SSL_ERROR_WANT_X509_LOOKUP:
1652                                 continue;
1653                         case SSL_ERROR_SYSCALL:
1654                         case SSL_ERROR_SSL:
1655                         case SSL_ERROR_ZERO_RETURN:
1656                                 ret=1;
1657                                 goto err;
1658                                 /* break; */
1659                                 }
1660
1661                         SSL_renegotiate(con);
1662                         SSL_write(con,NULL,0);
1663                         }
1664
1665                 i=BIO_gets(io,buf,bufsize-1);
1666                 if (i < 0) /* error */
1667                         {
1668                         if (!BIO_should_retry(io))
1669                                 {
1670                                 if (!s_quiet)
1671                                         ERR_print_errors(bio_err);
1672                                 goto err;
1673                                 }
1674                         else
1675                                 {
1676                                 BIO_printf(bio_s_out,"read R BLOCK\n");
1677 #if defined(OPENSSL_SYS_NETWARE)
1678             delay(1000);
1679 #elif !defined(OPENSSL_SYS_MSDOS) && !defined(__DJGPP__)
1680                                 sleep(1);
1681 #endif
1682                                 continue;
1683                                 }
1684                         }
1685                 else if (i == 0) /* end of input */
1686                         {
1687                         ret=1;
1688                         goto end;
1689                         }
1690
1691                 /* else we have data */
1692                 if (    ((www == 1) && (strncmp("GET ",buf,4) == 0)) ||
1693                         ((www == 2) && (strncmp("GET /stats ",buf,10) == 0)))
1694                         {
1695                         char *p;
1696                         X509 *peer;
1697                         STACK_OF(SSL_CIPHER) *sk;
1698                         static const char *space="                          ";
1699
1700                         BIO_puts(io,"HTTP/1.0 200 ok\r\nContent-type: text/html\r\n\r\n");
1701                         BIO_puts(io,"<HTML><BODY BGCOLOR=\"#ffffff\">\n");
1702                         BIO_puts(io,"<pre>\n");
1703 /*                      BIO_puts(io,SSLeay_version(SSLEAY_VERSION));*/
1704                         BIO_puts(io,"\n");
1705                         for (i=0; i<local_argc; i++)
1706                                 {
1707                                 BIO_puts(io,local_argv[i]);
1708                                 BIO_write(io," ",1);
1709                                 }
1710                         BIO_puts(io,"\n");
1711
1712                         /* The following is evil and should not really
1713                          * be done */
1714                         BIO_printf(io,"Ciphers supported in s_server binary\n");
1715                         sk=SSL_get_ciphers(con);
1716                         j=sk_SSL_CIPHER_num(sk);
1717                         for (i=0; i<j; i++)
1718                                 {
1719                                 c=sk_SSL_CIPHER_value(sk,i);
1720                                 BIO_printf(io,"%-11s:%-25s",
1721                                         SSL_CIPHER_get_version(c),
1722                                         SSL_CIPHER_get_name(c));
1723                                 if ((((i+1)%2) == 0) && (i+1 != j))
1724                                         BIO_puts(io,"\n");
1725                                 }
1726                         BIO_puts(io,"\n");
1727                         p=SSL_get_shared_ciphers(con,buf,bufsize);
1728                         if (p != NULL)
1729                                 {
1730                                 BIO_printf(io,"---\nCiphers common between both SSL end points:\n");
1731                                 j=i=0;
1732                                 while (*p)
1733                                         {
1734                                         if (*p == ':')
1735                                                 {
1736                                                 BIO_write(io,space,26-j);
1737                                                 i++;
1738                                                 j=0;
1739                                                 BIO_write(io,((i%3)?" ":"\n"),1);
1740                                                 }
1741                                         else
1742                                                 {
1743                                                 BIO_write(io,p,1);
1744                                                 j++;
1745                                                 }
1746                                         p++;
1747                                         }
1748                                 BIO_puts(io,"\n");
1749                                 }
1750                         BIO_printf(io,((con->hit)
1751                                 ?"---\nReused, "
1752                                 :"---\nNew, "));
1753                         c=SSL_get_current_cipher(con);
1754                         BIO_printf(io,"%s, Cipher is %s\n",
1755                                 SSL_CIPHER_get_version(c),
1756                                 SSL_CIPHER_get_name(c));
1757                         SSL_SESSION_print(io,SSL_get_session(con));
1758                         BIO_printf(io,"---\n");
1759                         print_stats(io,SSL_get_SSL_CTX(con));
1760                         BIO_printf(io,"---\n");
1761                         peer=SSL_get_peer_certificate(con);
1762                         if (peer != NULL)
1763                                 {
1764                                 BIO_printf(io,"Client certificate\n");
1765                                 X509_print(io,peer);
1766                                 PEM_write_bio_X509(io,peer);
1767                                 }
1768                         else
1769                                 BIO_puts(io,"no client certificate available\n");
1770                         BIO_puts(io,"</BODY></HTML>\r\n\r\n");
1771                         break;
1772                         }
1773                 else if ((www == 2 || www == 3)
1774                          && (strncmp("GET /",buf,5) == 0))
1775                         {
1776                         BIO *file;
1777                         char *p,*e;
1778                         static const char *text="HTTP/1.0 200 ok\r\nContent-type: text/plain\r\n\r\n";
1779
1780                         /* skip the '/' */
1781                         p= &(buf[5]);
1782
1783                         dot = 1;
1784                         for (e=p; *e != '\0'; e++)
1785                                 {
1786                                 if (e[0] == ' ')
1787                                         break;
1788
1789                                 switch (dot)
1790                                         {
1791                                 case 1:
1792                                         dot = (e[0] == '.') ? 2 : 0;
1793                                         break;
1794                                 case 2:
1795                                         dot = (e[0] == '.') ? 3 : 0;
1796                                         break;
1797                                 case 3:
1798                                         dot = (e[0] == '/') ? -1 : 0;
1799                                         break;
1800                                         }
1801                                 if (dot == 0)
1802                                         dot = (e[0] == '/') ? 1 : 0;
1803                                 }
1804                         dot = (dot == 3) || (dot == -1); /* filename contains ".." component */
1805
1806                         if (*e == '\0')
1807                                 {
1808                                 BIO_puts(io,text);
1809                                 BIO_printf(io,"'%s' is an invalid file name\r\n",p);
1810                                 break;
1811                                 }
1812                         *e='\0';
1813
1814                         if (dot)
1815                                 {
1816                                 BIO_puts(io,text);
1817                                 BIO_printf(io,"'%s' contains '..' reference\r\n",p);
1818                                 break;
1819                                 }
1820
1821                         if (*p == '/')
1822                                 {
1823                                 BIO_puts(io,text);
1824                                 BIO_printf(io,"'%s' is an invalid path\r\n",p);
1825                                 break;
1826                                 }
1827
1828 #if 0
1829                         /* append if a directory lookup */
1830                         if (e[-1] == '/')
1831                                 strcat(p,"index.html");
1832 #endif
1833
1834                         /* if a directory, do the index thang */
1835                         if (stat(p,&st_buf) < 0)
1836                                 {
1837                                 BIO_puts(io,text);
1838                                 BIO_printf(io,"Error accessing '%s'\r\n",p);
1839                                 ERR_print_errors(io);
1840                                 break;
1841                                 }
1842                         if (S_ISDIR(st_buf.st_mode))
1843                                 {
1844 #if 0 /* must check buffer size */
1845                                 strcat(p,"/index.html");
1846 #else
1847                                 BIO_puts(io,text);
1848                                 BIO_printf(io,"'%s' is a directory\r\n",p);
1849                                 break;
1850 #endif
1851                                 }
1852
1853                         if ((file=BIO_new_file(p,"r")) == NULL)
1854                                 {
1855                                 BIO_puts(io,text);
1856                                 BIO_printf(io,"Error opening '%s'\r\n",p);
1857                                 ERR_print_errors(io);
1858                                 break;
1859                                 }
1860
1861                         if (!s_quiet)
1862                                 BIO_printf(bio_err,"FILE:%s\n",p);
1863
1864                         if (www == 2)
1865                                 {
1866                                 i=strlen(p);
1867                                 if (    ((i > 5) && (strcmp(&(p[i-5]),".html") == 0)) ||
1868                                         ((i > 4) && (strcmp(&(p[i-4]),".php") == 0)) ||
1869                                         ((i > 4) && (strcmp(&(p[i-4]),".htm") == 0)))
1870                                         BIO_puts(io,"HTTP/1.0 200 ok\r\nContent-type: text/html\r\n\r\n");
1871                                 else
1872                                         BIO_puts(io,"HTTP/1.0 200 ok\r\nContent-type: text/plain\r\n\r\n");
1873                                 }
1874                         /* send the file */
1875                         total_bytes=0;
1876                         for (;;)
1877                                 {
1878                                 i=BIO_read(file,buf,bufsize);
1879                                 if (i <= 0) break;
1880
1881 #ifdef RENEG
1882                                 total_bytes+=i;
1883                                 fprintf(stderr,"%d\n",i);
1884                                 if (total_bytes > 3*1024)
1885                                         {
1886                                         total_bytes=0;
1887                                         fprintf(stderr,"RENEGOTIATE\n");
1888                                         SSL_renegotiate(con);
1889                                         }
1890 #endif
1891
1892                                 for (j=0; j<i; )
1893                                         {
1894 #ifdef RENEG
1895 { static count=0; if (++count == 13) { SSL_renegotiate(con); } }
1896 #endif
1897                                         k=BIO_write(io,&(buf[j]),i-j);
1898                                         if (k <= 0)
1899                                                 {
1900                                                 if (!BIO_should_retry(io))
1901                                                         goto write_error;
1902                                                 else
1903                                                         {
1904                                                         BIO_printf(bio_s_out,"rwrite W BLOCK\n");
1905                                                         }
1906                                                 }
1907                                         else
1908                                                 {
1909                                                 j+=k;
1910                                                 }
1911                                         }
1912                                 }
1913 write_error:
1914                         BIO_free(file);
1915                         break;
1916                         }
1917                 }
1918
1919         for (;;)
1920                 {
1921                 i=(int)BIO_flush(io);
1922                 if (i <= 0)
1923                         {
1924                         if (!BIO_should_retry(io))
1925                                 break;
1926                         }
1927                 else
1928                         break;
1929                 }
1930 end:
1931 #if 1
1932         /* make sure we re-use sessions */
1933         SSL_set_shutdown(con,SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
1934 #else
1935         /* This kills performance */
1936 /*      SSL_shutdown(con); A shutdown gets sent in the
1937  *      BIO_free_all(io) procession */
1938 #endif
1939
1940 err:
1941
1942         if (ret >= 0)
1943                 BIO_printf(bio_s_out,"ACCEPT\n");
1944
1945         if (buf != NULL) OPENSSL_free(buf);
1946         if (io != NULL) BIO_free_all(io);
1947 /*      if (ssl_bio != NULL) BIO_free(ssl_bio);*/
1948         return(ret);
1949         }
1950
1951 #ifndef OPENSSL_NO_RSA
1952 static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength)
1953         {
1954         BIGNUM *bn = NULL;
1955         static RSA *rsa_tmp=NULL;
1956
1957         if (!rsa_tmp && ((bn = BN_new()) == NULL))
1958                 BIO_printf(bio_err,"Allocation error in generating RSA key\n");
1959         if (!rsa_tmp && bn)
1960                 {
1961                 if (!s_quiet)
1962                         {
1963                         BIO_printf(bio_err,"Generating temp (%d bit) RSA key...",keylength);
1964                         (void)BIO_flush(bio_err);
1965                         }
1966                 if(!BN_set_word(bn, RSA_F4) || ((rsa_tmp = RSA_new()) == NULL) ||
1967                                 !RSA_generate_key_ex(rsa_tmp, keylength, bn, NULL))
1968                         {
1969                         if(rsa_tmp) RSA_free(rsa_tmp);
1970                         rsa_tmp = NULL;
1971                         }
1972                 if (!s_quiet)
1973                         {
1974                         BIO_printf(bio_err,"\n");
1975                         (void)BIO_flush(bio_err);
1976                         }
1977                 BN_free(bn);
1978                 }
1979         return(rsa_tmp);
1980         }
1981 #endif
1982
1983 #define MAX_SESSION_ID_ATTEMPTS 10
1984 static int generate_session_id(const SSL *ssl, unsigned char *id,
1985                                 unsigned int *id_len)
1986         {
1987         unsigned int count = 0;
1988         do      {
1989                 RAND_pseudo_bytes(id, *id_len);
1990                 /* Prefix the session_id with the required prefix. NB: If our
1991                  * prefix is too long, clip it - but there will be worse effects
1992                  * anyway, eg. the server could only possibly create 1 session
1993                  * ID (ie. the prefix!) so all future session negotiations will
1994                  * fail due to conflicts. */
1995                 memcpy(id, session_id_prefix,
1996                         (strlen(session_id_prefix) < *id_len) ?
1997                         strlen(session_id_prefix) : *id_len);
1998                 }
1999         while(SSL_has_matching_session_id(ssl, id, *id_len) &&
2000                 (++count < MAX_SESSION_ID_ATTEMPTS));
2001         if(count >= MAX_SESSION_ID_ATTEMPTS)
2002                 return 0;
2003         return 1;
2004         }