* OTHERWISE.
*/
-#include <assert.h>
#include <ctype.h>
#include <stdio.h>
#include <stdlib.h>
static int s_nbio = 0;
#endif
static int s_nbio_test = 0;
-int s_crlf = 0;
+static int s_crlf = 0;
static SSL_CTX *ctx = NULL;
static SSL_CTX *ctx2 = NULL;
static int www = 0;
OPT_BRIEF, OPT_NO_TMP_RSA, OPT_NO_DHE, OPT_NO_ECDHE,
OPT_NO_RESUME_EPHEMERAL, OPT_PSK_HINT, OPT_PSK, OPT_SRPVFILE,
OPT_SRPUSERSEED, OPT_REV, OPT_WWW, OPT_UPPER_WWW, OPT_HTTP,
-#ifndef OPENSSL_NO_SSL3
OPT_SSL3,
-#endif
OPT_TLS1_2, OPT_TLS1_1, OPT_TLS1, OPT_DTLS, OPT_DTLS1,
OPT_DTLS1_2, OPT_TIMEOUT, OPT_MTU, OPT_CHAIN,
OPT_ID_PREFIX, OPT_RAND, OPT_SERVERNAME, OPT_SERVERNAME_FATAL,
OPTIONS s_server_options[] = {
{"help", OPT_HELP, '-', "Display this summary"},
-
{"port", OPT_PORT, 'p'},
{"accept", OPT_PORT, 'p',
"TCP/IP port to accept on (default is " PORT_STR ")"},
{"dkeyform", OPT_DKEYFORM, 'F',
"Second key format (PEM, DER or ENGINE) PEM default"},
{"dpass", OPT_DPASS, 's', "Second private key file pass phrase source"},
-#ifdef FIONBIO
- {"nbio", OPT_NBIO, '-', "Use non-blocking IO"},
-#endif
{"nbio_test", OPT_NBIO_TEST, '-', "Test with the non-blocking test bio"},
{"crlf", OPT_CRLF, '-', "Convert LF from terminal into CRLF"},
{"debug", OPT_DEBUG, '-', "Print more output"},
{"nocert", OPT_NOCERT, '-', "Don't use any certificates (Anon-DH)"},
{"quiet", OPT_QUIET, '-', "No server output"},
{"no_tmp_rsa", OPT_NO_TMP_RSA, '-', "Do not generate a tmp RSA key"},
-#ifndef OPENSSL_NO_PSK
- {"psk_hint", OPT_PSK_HINT, 's', "PSK identity hint to use"},
- {"psk", OPT_PSK, 's', "PSK in hex (without 0x)"},
-# ifndef OPENSSL_NO_JPAKE
- {"jpake", OPT_JPAKE, 's', "JPAKE secret to use"},
-# endif
-#endif
-#ifndef OPENSSL_NO_SRP
- {"srpvfile", OPT_SRPVFILE, '<', "The verifier file for SRP"},
- {"srpuserseed", OPT_SRPUSERSEED, 's',
- "A seed string for a default user salt"},
-#endif
-#ifndef OPENSSL_NO_SSL3
- {"ssl3", OPT_SSL3, '-', "Just talk SSLv3"},
-#endif
{"tls1_2", OPT_TLS1_2, '-', "just talk TLSv1.2"},
{"tls1_1", OPT_TLS1_1, '-', "Just talk TLSv1.1"},
{"tls1", OPT_TLS1, '-', "Just talk TLSv1"},
-#ifndef OPENSSL_NO_DTLS1
- {"dtls", OPT_DTLS, '-'},
- {"dtls1", OPT_DTLS1, '-', "Just talk DTLSv1"},
- {"dtls1_2", OPT_DTLS1_2, '-', "Just talk DTLSv1.2"},
- {"timeout", OPT_TIMEOUT, '-', "Enable timeouts"},
- {"mtu", OPT_MTU, 'p', "Set link layer MTU"},
- {"chain", OPT_CHAIN, '-', "Read a certificate chain"},
-#endif
-#ifndef OPENSSL_NO_DH
- {"no_dhe", OPT_NO_DHE, '-', "Disable ephemeral DH"},
-#endif
-#ifndef OPENSSL_NO_EC
- {"no_ecdhe", OPT_NO_ECDHE, '-', "Disable ephemeral ECDH"},
-#endif
{"no_resume_ephemeral", OPT_NO_RESUME_EPHEMERAL, '-',
"Disable caching and tickets if ephemeral (EC)DH is used"},
{"www", OPT_WWW, '-', "Respond to a 'GET /' with a status page"},
{"WWW", OPT_UPPER_WWW, '-', "Respond to a 'GET with the file ./path"},
- {"HTTP", OPT_HTTP, '-', "Like -WWW but ./path incluedes HTTP headers"},
- {"id_prefix", OPT_ID_PREFIX, 's',
- "Generate SSL/TLS session IDs prefixed by arg"},
- {"rand", OPT_RAND, 's',
- "Load the file(s) into the random number generator"},
{"servername", OPT_SERVERNAME, 's',
"Servername for HostName TLS extension"},
{"servername_fatal", OPT_SERVERNAME_FATAL, '-',
"-Private Key file to use for servername if not in -cert2"},
{"tlsextdebug", OPT_TLSEXTDEBUG, '-',
"Hex dump of all TLS extensions received"},
-#ifndef OPENSSL_NO_NEXTPROTONEG
- {"nextprotoneg", OPT_NEXTPROTONEG, 's',
- "Set the advertised protocols for the NPN extension (comma-separated list)"},
-#endif
- {"use_srtp", OPT_SRTP_PROFILES, '<',
- "Offer SRTP key management with a colon-separated profile list"},
- {"alpn", OPT_ALPN, 's',
- "Set the advertised protocols for the ALPN extension (comma-separated list)"},
+ {"HTTP", OPT_HTTP, '-', "Like -WWW but ./path incluedes HTTP headers"},
+ {"id_prefix", OPT_ID_PREFIX, 's',
+ "Generate SSL/TLS session IDs prefixed by arg"},
+ {"rand", OPT_RAND, 's',
+ "Load the file(s) into the random number generator"},
{"keymatexport", OPT_KEYMATEXPORT, 's',
"Export keying material using label"},
{"keymatexportlen", OPT_KEYMATEXPORTLEN, 'p',
{"security_debug_verbose", OPT_SECURITY_DEBUG_VERBOSE, '-'},
{"brief", OPT_BRIEF, '-'},
{"rev", OPT_REV, '-'},
-#ifndef OPENSSL_NO_ENGINE
- {"engine", OPT_ENGINE, 's'},
-#endif
OPT_S_OPTIONS,
OPT_V_OPTIONS,
OPT_X_OPTIONS,
+#ifdef FIONBIO
+ {"nbio", OPT_NBIO, '-', "Use non-blocking IO"},
+#endif
+#ifndef OPENSSL_NO_PSK
+ {"psk_hint", OPT_PSK_HINT, 's', "PSK identity hint to use"},
+ {"psk", OPT_PSK, 's', "PSK in hex (without 0x)"},
+# ifndef OPENSSL_NO_JPAKE
+ {"jpake", OPT_JPAKE, 's', "JPAKE secret to use"},
+# endif
+#endif
+#ifndef OPENSSL_NO_SRP
+ {"srpvfile", OPT_SRPVFILE, '<', "The verifier file for SRP"},
+ {"srpuserseed", OPT_SRPUSERSEED, 's',
+ "A seed string for a default user salt"},
+#endif
+#ifndef OPENSSL_NO_SSL3
+ {"ssl3", OPT_SSL3, '-', "Just talk SSLv3"},
+#endif
+#ifndef OPENSSL_NO_DTLS1
+ {"dtls", OPT_DTLS, '-'},
+ {"dtls1", OPT_DTLS1, '-', "Just talk DTLSv1"},
+ {"dtls1_2", OPT_DTLS1_2, '-', "Just talk DTLSv1.2"},
+ {"timeout", OPT_TIMEOUT, '-', "Enable timeouts"},
+ {"mtu", OPT_MTU, 'p', "Set link layer MTU"},
+ {"chain", OPT_CHAIN, '-', "Read a certificate chain"},
+#endif
+#ifndef OPENSSL_NO_DH
+ {"no_dhe", OPT_NO_DHE, '-', "Disable ephemeral DH"},
+#endif
+#ifndef OPENSSL_NO_EC
+ {"no_ecdhe", OPT_NO_ECDHE, '-', "Disable ephemeral ECDH"},
+#endif
+#ifndef OPENSSL_NO_NEXTPROTONEG
+ {"nextprotoneg", OPT_NEXTPROTONEG, 's',
+ "Set the advertised protocols for the NPN extension (comma-separated list)"},
+#endif
+#ifndef OPENSSL_NO_SRTP
+ {"use_srtp", OPT_SRTP_PROFILES, 's',
+ "Offer SRTP key management with a colon-separated profile list"},
+ {"alpn", OPT_ALPN, 's',
+ "Set the advertised protocols for the ALPN extension (comma-separated list)"},
+#endif
+#ifndef OPENSSL_NO_ENGINE
+ {"engine", OPT_ENGINE, 's'},
+#endif
{NULL}
};
X509 *s_cert = NULL, *s_dcert = NULL;
X509_VERIFY_PARAM *vpm = NULL;
char *CApath = NULL, *CAfile = NULL, *chCApath = NULL, *chCAfile = NULL;
- char *dhfile = NULL, *dpassarg = NULL, *dpass = NULL, *inrand = NULL;
+#ifndef OPENSSL_NO_DH
+ char *dhfile = NULL;
+#endif
+ char *dpassarg = NULL, *dpass = NULL, *inrand = NULL;
char *passarg = NULL, *pass = NULL, *vfyCApath = NULL, *vfyCAfile = NULL;
char *crl_file = NULL, *prog;
#ifndef OPENSSL_NO_PSK
int (*server_cb) (char *hostname, int s, int stype,
unsigned char *context);
int vpmtouched = 0, build_chain = 0, no_cache = 0, ext_cache = 0;
- int no_tmp_rsa = 0, no_dhe = 0, no_ecdhe = 0, nocert = 0, ret = 1;
+#ifndef OPENSSL_NO_DH
+ int no_dhe = 0;
+#endif
+ int no_tmp_rsa = 0, no_ecdhe = 0, nocert = 0, ret = 1;
int s_cert_format = FORMAT_PEM, s_key_format = FORMAT_PEM;
int s_dcert_format = FORMAT_PEM, s_dkey_format = FORMAT_PEM;
int rev = 0, naccept = -1, sdebug = 0, socket_type = SOCK_STREAM;
s_chain_file = opt_arg();
break;
case OPT_DHPARAM:
+#ifndef OPENSSL_NO_DH
dhfile = opt_arg();
+#endif
break;
case OPT_DCERTFORM:
if (!opt_format(opt_arg(), OPT_FMT_PEMDER, &s_dcert_format))
case OPT_MSGFILE:
bio_s_msg = BIO_new_file(opt_arg(), "w");
break;
-#ifndef OPENSSL_NO_SSL_TRACE
case OPT_TRACE:
+#ifndef OPENSSL_NO_SSL_TRACE
s_msg = 2;
- break;
#else
- case OPT_TRACE:
- goto opthelp;
+ break;
#endif
case OPT_SECURITY_DEBUG:
sdebug = 1;
no_tmp_rsa = 1;
break;
case OPT_NO_DHE:
+#ifndef OPENSSL_NO_DH
no_dhe = 1;
+#endif
break;
case OPT_NO_ECDHE:
no_ecdhe = 1;
goto end;
}
break;
+#else
+ case OPT_PSK_HINT:
+ case OPT_PSK:
+ break;
#endif
#ifndef OPENSSL_NO_SRP
case OPT_SRPVFILE:
case OPT_HTTP:
www = 3;
break;
-#ifndef OPENSSL_NO_SSL3
case OPT_SSL3:
+#ifndef OPENSSL_NO_SSL3
meth = SSLv3_server_method();
- break;
#endif
+ break;
case OPT_TLS1_2:
meth = TLSv1_2_server_method();
break;
case OPT_CHAIN:
cert_chain = 1;
break;
+#else
+ case OPT_DTLS:
+ case OPT_DTLS1:
+ case OPT_DTLS1_2:
+ case OPT_TIMEOUT:
+ case OPT_MTU:
+ case OPT_CHAIN:
+ break;
#endif
case OPT_ID_PREFIX:
session_id_prefix = opt_arg();
case OPT_KEY2:
s_key_file2 = opt_arg();
break;
-#ifndef OPENSSL_NO_NEXTPROTONEG
case OPT_NEXTPROTONEG:
+# ifndef OPENSSL_NO_NEXTPROTONEG
next_proto_neg_in = opt_arg();
- break;
#endif
+ break;
case OPT_ALPN:
alpn_in = opt_arg();
break;
if (s_quiet && !s_debug) {
bio_s_out = BIO_new(BIO_s_null());
if (s_msg && !bio_s_msg)
- bio_s_msg = dup_bio_out();
+ bio_s_msg = dup_bio_out(FORMAT_TEXT);
} else {
if (bio_s_out == NULL)
- bio_s_out = dup_bio_out();
+ bio_s_out = dup_bio_out(FORMAT_TEXT);
}
}
#if !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_EC)
if (ctx2)
SSL_CTX_set_client_CA_list(ctx2, SSL_load_client_CA_file(CAfile));
}
+ if (s_tlsextstatus) {
+ SSL_CTX_set_tlsext_status_cb(ctx, cert_status_cb);
+ SSL_CTX_set_tlsext_status_arg(ctx, &tlscstatp);
+ if (ctx2) {
+ SSL_CTX_set_tlsext_status_cb(ctx2, cert_status_cb);
+ SSL_CTX_set_tlsext_status_arg(ctx2, &tlscstatp);
+ }
+ }
BIO_printf(bio_s_out, "ACCEPT\n");
(void)BIO_flush(bio_s_out);
SSL_set_tlsext_debug_callback(con, tlsext_cb);
SSL_set_tlsext_debug_arg(con, bio_s_out);
}
- if (s_tlsextstatus) {
- SSL_CTX_set_tlsext_status_cb(ctx, cert_status_cb);
- SSL_CTX_set_tlsext_status_arg(ctx, &tlscstatp);
- }
if (context
&& !SSL_set_session_id_context(con,
int i;
const char *str;
X509 *peer;
- long verify_error;
+ long verify_err;
char buf[BUFSIZ];
#if !defined(OPENSSL_NO_NEXTPROTONEG)
const unsigned char *next_proto_neg;
{
while (i <= 0 && SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP
&& SSL_state(con) == SSL3_ST_SR_CLNT_HELLO_C) {
- fprintf(stderr,
- "LOOKUP from certificate callback during accept\n");
+ BIO_printf(bio_err,
+ "LOOKUP from certificate callback during accept\n");
i = SSL_accept(con);
}
}
BIO_printf(bio_err, "ERROR\n");
- verify_error = SSL_get_verify_result(con);
- if (verify_error != X509_V_OK) {
+ verify_err = SSL_get_verify_result(con);
+ if (verify_err != X509_V_OK) {
BIO_printf(bio_err, "verify error:%s\n",
- X509_verify_cert_error_string(verify_error));
+ X509_verify_cert_error_string(verify_err));
}
/* Always print any error messages */
ERR_print_errors(bio_err);
#endif
if (SSL_cache_hit(con))
BIO_printf(bio_s_out, "Reused session-id\n");
- if (SSL_ctrl(con, SSL_CTRL_GET_FLAGS, 0, NULL) &
- TLS1_FLAGS_TLS_PADDING_BUG)
- BIO_printf(bio_s_out, "Peer has incorrect TLSv1 block padding\n");
BIO_printf(bio_s_out, "Secure Renegotiation IS%s supported\n",
SSL_get_secure_renegotiation_support(con) ? "" : " NOT");
if (keymatexportlabel != NULL) {
#ifdef RENEG
total_bytes += i;
- fprintf(stderr, "%d\n", i);
+ BIO_printf(bio_err, "%d\n", i);
if (total_bytes > 3 * 1024) {
total_bytes = 0;
- fprintf(stderr, "RENEGOTIATE\n");
+ BIO_printf(bio_err, "RENEGOTIATE\n");
SSL_renegotiate(con);
}
#endif