279cc5519672da9fafb7c95fed071b8e0c831c42
[openssl.git] / apps / s_server.c
1 /* apps/s_server.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3  * All rights reserved.
4  *
5  * This package is an SSL implementation written
6  * by Eric Young (eay@cryptsoft.com).
7  * The implementation was written so as to conform with Netscapes SSL.
8  * 
9  * This library is free for commercial and non-commercial use as long as
10  * the following conditions are aheared to.  The following conditions
11  * apply to all code found in this distribution, be it the RC4, RSA,
12  * lhash, DES, etc., code; not just the SSL code.  The SSL documentation
13  * included with this distribution is covered by the same copyright terms
14  * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15  * 
16  * Copyright remains Eric Young's, and as such any Copyright notices in
17  * the code are not to be removed.
18  * If this package is used in a product, Eric Young should be given attribution
19  * as the author of the parts of the library used.
20  * This can be in the form of a textual message at program startup or
21  * in documentation (online or textual) provided with the package.
22  * 
23  * Redistribution and use in source and binary forms, with or without
24  * modification, are permitted provided that the following conditions
25  * are met:
26  * 1. Redistributions of source code must retain the copyright
27  *    notice, this list of conditions and the following disclaimer.
28  * 2. Redistributions in binary form must reproduce the above copyright
29  *    notice, this list of conditions and the following disclaimer in the
30  *    documentation and/or other materials provided with the distribution.
31  * 3. All advertising materials mentioning features or use of this software
32  *    must display the following acknowledgement:
33  *    "This product includes cryptographic software written by
34  *     Eric Young (eay@cryptsoft.com)"
35  *    The word 'cryptographic' can be left out if the rouines from the library
36  *    being used are not cryptographic related :-).
37  * 4. If you include any Windows specific code (or a derivative thereof) from 
38  *    the apps directory (application code) you must include an acknowledgement:
39  *    "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40  * 
41  * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42  * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44  * ARE DISCLAIMED.  IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45  * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46  * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47  * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49  * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50  * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51  * SUCH DAMAGE.
52  * 
53  * The licence and distribution terms for any publically available version or
54  * derivative of this code cannot be changed.  i.e. this code cannot simply be
55  * copied and put under another distribution licence
56  * [including the GNU Public Licence.]
57  */
58 /* ====================================================================
59  * Copyright (c) 1998-2006 The OpenSSL Project.  All rights reserved.
60  *
61  * Redistribution and use in source and binary forms, with or without
62  * modification, are permitted provided that the following conditions
63  * are met:
64  *
65  * 1. Redistributions of source code must retain the above copyright
66  *    notice, this list of conditions and the following disclaimer. 
67  *
68  * 2. Redistributions in binary form must reproduce the above copyright
69  *    notice, this list of conditions and the following disclaimer in
70  *    the documentation and/or other materials provided with the
71  *    distribution.
72  *
73  * 3. All advertising materials mentioning features or use of this
74  *    software must display the following acknowledgment:
75  *    "This product includes software developed by the OpenSSL Project
76  *    for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77  *
78  * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79  *    endorse or promote products derived from this software without
80  *    prior written permission. For written permission, please contact
81  *    openssl-core@openssl.org.
82  *
83  * 5. Products derived from this software may not be called "OpenSSL"
84  *    nor may "OpenSSL" appear in their names without prior written
85  *    permission of the OpenSSL Project.
86  *
87  * 6. Redistributions of any form whatsoever must retain the following
88  *    acknowledgment:
89  *    "This product includes software developed by the OpenSSL Project
90  *    for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91  *
92  * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93  * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94  * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95  * PURPOSE ARE DISCLAIMED.  IN NO EVENT SHALL THE OpenSSL PROJECT OR
96  * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97  * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98  * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99  * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100  * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101  * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102  * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103  * OF THE POSSIBILITY OF SUCH DAMAGE.
104  * ====================================================================
105  *
106  * This product includes cryptographic software written by Eric Young
107  * (eay@cryptsoft.com).  This product includes software written by Tim
108  * Hudson (tjh@cryptsoft.com).
109  *
110  */
111 /* ====================================================================
112  * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113  * ECC cipher suite support in OpenSSL originally developed by 
114  * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
115  */
116 /* ====================================================================
117  * Copyright 2005 Nokia. All rights reserved.
118  *
119  * The portions of the attached software ("Contribution") is developed by
120  * Nokia Corporation and is licensed pursuant to the OpenSSL open source
121  * license.
122  *
123  * The Contribution, originally written by Mika Kousa and Pasi Eronen of
124  * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
125  * support (see RFC 4279) to OpenSSL.
126  *
127  * No patent licenses or other rights except those expressly stated in
128  * the OpenSSL open source license shall be deemed granted or received
129  * expressly, by implication, estoppel, or otherwise.
130  *
131  * No assurances are provided by Nokia that the Contribution does not
132  * infringe the patent or other intellectual property rights of any third
133  * party or that the license provides you with all the necessary rights
134  * to make use of the Contribution.
135  *
136  * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
137  * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
138  * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
139  * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
140  * OTHERWISE.
141  */
142
143 /* Until the key-gen callbacks are modified to use newer prototypes, we allow
144  * deprecated functions for openssl-internal code */
145 #ifdef OPENSSL_NO_DEPRECATED
146 #undef OPENSSL_NO_DEPRECATED
147 #endif
148
149 #include <assert.h>
150 #include <ctype.h>
151 #include <stdio.h>
152 #include <stdlib.h>
153 #include <string.h>
154
155 #include <openssl/e_os2.h>
156 #ifdef OPENSSL_NO_STDIO
157 #define APPS_WIN16
158 #endif
159
160 #if !defined(OPENSSL_SYS_NETWARE)  /* conflicts with winsock2 stuff on netware */
161 #include <sys/types.h>
162 #endif
163
164 /* With IPv6, it looks like Digital has mixed up the proper order of
165    recursive header file inclusion, resulting in the compiler complaining
166    that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which
167    is needed to have fileno() declared correctly...  So let's define u_int */
168 #if defined(OPENSSL_SYS_VMS_DECC) && !defined(__U_INT)
169 #define __U_INT
170 typedef unsigned int u_int;
171 #endif
172
173 #include <openssl/lhash.h>
174 #include <openssl/bn.h>
175 #define USE_SOCKETS
176 #include "apps.h"
177 #include <openssl/err.h>
178 #include <openssl/pem.h>
179 #include <openssl/x509.h>
180 #include <openssl/ssl.h>
181 #include <openssl/rand.h>
182 #ifndef OPENSSL_NO_DH
183 #include <openssl/dh.h>
184 #endif
185 #ifndef OPENSSL_NO_RSA
186 #include <openssl/rsa.h>
187 #endif
188 #include "s_apps.h"
189 #include "timeouts.h"
190
191 #if (defined(OPENSSL_SYS_VMS) && __VMS_VER < 70000000)
192 /* FIONBIO used as a switch to enable ioctl, and that isn't in VMS < 7.0 */
193 #undef FIONBIO
194 #endif
195
196 #if defined(OPENSSL_SYS_BEOS_R5)
197 #include <fcntl.h>
198 #endif
199
200 #ifndef OPENSSL_NO_RSA
201 static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength);
202 #endif
203 static int sv_body(char *hostname, int s, unsigned char *context);
204 static int www_body(char *hostname, int s, unsigned char *context);
205 static void close_accept_socket(void );
206 static void sv_usage(void);
207 static int init_ssl_connection(SSL *s);
208 static void print_stats(BIO *bp,SSL_CTX *ctx);
209 static int generate_session_id(const SSL *ssl, unsigned char *id,
210                                 unsigned int *id_len);
211 #ifndef OPENSSL_NO_DH
212 static DH *load_dh_param(const char *dhfile);
213 static DH *get_dh512(void);
214 #endif
215
216 #ifdef MONOLITH
217 static void s_server_init(void);
218 #endif
219
220 #ifndef OPENSSL_NO_DH
221 static unsigned char dh512_p[]={
222         0xDA,0x58,0x3C,0x16,0xD9,0x85,0x22,0x89,0xD0,0xE4,0xAF,0x75,
223         0x6F,0x4C,0xCA,0x92,0xDD,0x4B,0xE5,0x33,0xB8,0x04,0xFB,0x0F,
224         0xED,0x94,0xEF,0x9C,0x8A,0x44,0x03,0xED,0x57,0x46,0x50,0xD3,
225         0x69,0x99,0xDB,0x29,0xD7,0x76,0x27,0x6B,0xA2,0xD3,0xD4,0x12,
226         0xE2,0x18,0xF4,0xDD,0x1E,0x08,0x4C,0xF6,0xD8,0x00,0x3E,0x7C,
227         0x47,0x74,0xE8,0x33,
228         };
229 static unsigned char dh512_g[]={
230         0x02,
231         };
232
233 static DH *get_dh512(void)
234         {
235         DH *dh=NULL;
236
237         if ((dh=DH_new()) == NULL) return(NULL);
238         dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
239         dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
240         if ((dh->p == NULL) || (dh->g == NULL))
241                 return(NULL);
242         return(dh);
243         }
244 #endif
245
246
247 /* static int load_CA(SSL_CTX *ctx, char *file);*/
248
249 #undef BUFSIZZ
250 #define BUFSIZZ 16*1024
251 static int bufsize=BUFSIZZ;
252 static int accept_socket= -1;
253
254 #define TEST_CERT       "server.pem"
255 #ifndef OPENSSL_NO_TLSEXT
256 #define TEST_CERT2      "server2.pem"
257 #endif
258 #undef PROG
259 #define PROG            s_server_main
260
261 extern int verify_depth, verify_return_error;
262
263 static char *cipher=NULL;
264 static int s_server_verify=SSL_VERIFY_NONE;
265 static int s_server_session_id_context = 1; /* anything will do */
266 static const char *s_cert_file=TEST_CERT,*s_key_file=NULL;
267 #ifndef OPENSSL_NO_TLSEXT
268 static const char *s_cert_file2=TEST_CERT2,*s_key_file2=NULL;
269 #endif
270 static char *s_dcert_file=NULL,*s_dkey_file=NULL;
271 #ifdef FIONBIO
272 static int s_nbio=0;
273 #endif
274 static int s_nbio_test=0;
275 int s_crlf=0;
276 static SSL_CTX *ctx=NULL;
277 #ifndef OPENSSL_NO_TLSEXT
278 static SSL_CTX *ctx2=NULL;
279 #endif
280 static int www=0;
281
282 static BIO *bio_s_out=NULL;
283 static int s_debug=0;
284 #ifndef OPENSSL_NO_TLSEXT
285 static int s_tlsextdebug=0;
286 #endif
287 static int s_msg=0;
288 static int s_quiet=0;
289
290 static int hack=0;
291 #ifndef OPENSSL_NO_ENGINE
292 static char *engine_id=NULL;
293 #endif
294 static const char *session_id_prefix=NULL;
295
296 static int enable_timeouts = 0;
297 static long socket_mtu;
298 static int cert_chain = 0;
299
300 #ifndef OPENSSL_NO_PSK
301 static char *psk_identity="Client_identity";
302 static char *psk_key=NULL; /* by default PSK is not used */
303
304 static unsigned int psk_server_cb(SSL *ssl, const char *identity,
305         unsigned char *psk, unsigned int max_psk_len)
306         {
307         unsigned int psk_len = 0;
308         int ret;
309         BIGNUM *bn = NULL;
310
311         if (s_debug)
312                 BIO_printf(bio_s_out,"psk_server_cb\n");
313         if (!identity)
314                 {
315                 BIO_printf(bio_err,"Error: client did not send PSK identity\n");
316                 goto out_err;
317                 }
318         if (s_debug)
319                 BIO_printf(bio_s_out,"identity_len=%d identity=%s\n",
320                         identity ? strlen(identity) : 0, identity);
321
322         /* here we could lookup the given identity e.g. from a database */
323         if (strcmp(identity, psk_identity) != 0)
324                 {
325                 BIO_printf(bio_s_out, "PSK error: client identity not found\n");
326                 goto out_err;
327                 }
328         if (s_debug)
329                 BIO_printf(bio_s_out, "PSK client identity found\n");
330
331         /* convert the PSK key to binary */
332         ret = BN_hex2bn(&bn, psk_key);
333         if (!ret)
334                 {
335                 BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", psk_key);
336                 if (bn)
337                         BN_free(bn);
338                 return 0;
339                 }
340         if (BN_num_bytes(bn) > (int)max_psk_len)
341                 {
342                 BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n",
343                         max_psk_len, BN_num_bytes(bn));
344                 BN_free(bn);
345                 return 0;
346                 }
347
348         ret = BN_bn2bin(bn, psk);
349         BN_free(bn);
350
351         if (ret < 0)
352                 goto out_err;
353         psk_len = (unsigned int)ret;
354
355         if (s_debug)
356                 BIO_printf(bio_s_out, "fetched PSK len=%d\n", psk_len);
357         return psk_len;
358  out_err:
359         if (s_debug)
360                 BIO_printf(bio_err, "Error in PSK server callback\n");
361         return 0;
362         }
363 #endif
364
365 #ifdef MONOLITH
366 static void s_server_init(void)
367         {
368         accept_socket=-1;
369         cipher=NULL;
370         s_server_verify=SSL_VERIFY_NONE;
371         s_dcert_file=NULL;
372         s_dkey_file=NULL;
373         s_cert_file=TEST_CERT;
374         s_key_file=NULL;
375 #ifndef OPENSSL_NO_TLSEXT
376         s_cert_file2=TEST_CERT2;
377         s_key_file2=NULL;
378         ctx2=NULL;
379 #endif
380 #ifdef FIONBIO
381         s_nbio=0;
382 #endif
383         s_nbio_test=0;
384         ctx=NULL;
385         www=0;
386
387         bio_s_out=NULL;
388         s_debug=0;
389         s_msg=0;
390         s_quiet=0;
391         hack=0;
392 #ifndef OPENSSL_NO_ENGINE
393         engine_id=NULL;
394 #endif
395         }
396 #endif
397
398 static void sv_usage(void)
399         {
400         BIO_printf(bio_err,"usage: s_server [args ...]\n");
401         BIO_printf(bio_err,"\n");
402         BIO_printf(bio_err," -accept arg   - port to accept on (default is %d)\n",PORT);
403         BIO_printf(bio_err," -context arg  - set session ID context\n");
404         BIO_printf(bio_err," -verify arg   - turn on peer certificate verification\n");
405         BIO_printf(bio_err," -Verify arg   - turn on peer certificate verification, must have a cert.\n");
406         BIO_printf(bio_err," -cert arg     - certificate file to use\n");
407         BIO_printf(bio_err,"                 (default is %s)\n",TEST_CERT);
408         BIO_printf(bio_err," -certform arg - certificate format (PEM or DER) PEM default\n");
409         BIO_printf(bio_err," -key arg      - Private Key file to use, in cert file if\n");
410         BIO_printf(bio_err,"                 not specified (default is %s)\n",TEST_CERT);
411         BIO_printf(bio_err," -keyform arg  - key format (PEM, DER or ENGINE) PEM default\n");
412         BIO_printf(bio_err," -pass arg     - private key file pass phrase source\n");
413         BIO_printf(bio_err," -dcert arg    - second certificate file to use (usually for DSA)\n");
414         BIO_printf(bio_err," -dcertform x  - second certificate format (PEM or DER) PEM default\n");
415         BIO_printf(bio_err," -dkey arg     - second private key file to use (usually for DSA)\n");
416         BIO_printf(bio_err," -dkeyform arg - second key format (PEM, DER or ENGINE) PEM default\n");
417         BIO_printf(bio_err," -dpass arg    - second private key file pass phrase source\n");
418         BIO_printf(bio_err," -dhparam arg  - DH parameter file to use, in cert file if not specified\n");
419         BIO_printf(bio_err,"                 or a default set of parameters is used\n");
420 #ifndef OPENSSL_NO_ECDH
421         BIO_printf(bio_err," -named_curve arg  - Elliptic curve name to use for ephemeral ECDH keys.\n" \
422                            "                 Use \"openssl ecparam -list_curves\" for all names\n" \
423                            "                 (default is nistp256).\n");
424 #endif
425 #ifdef FIONBIO
426         BIO_printf(bio_err," -nbio         - Run with non-blocking IO\n");
427 #endif
428         BIO_printf(bio_err," -nbio_test    - test with the non-blocking test bio\n");
429         BIO_printf(bio_err," -crlf         - convert LF from terminal into CRLF\n");
430         BIO_printf(bio_err," -debug        - Print more output\n");
431         BIO_printf(bio_err," -msg          - Show protocol messages\n");
432         BIO_printf(bio_err," -state        - Print the SSL states\n");
433         BIO_printf(bio_err," -CApath arg   - PEM format directory of CA's\n");
434         BIO_printf(bio_err," -CAfile arg   - PEM format file of CA's\n");
435         BIO_printf(bio_err," -nocert       - Don't use any certificates (Anon-DH)\n");
436         BIO_printf(bio_err," -cipher arg   - play with 'openssl ciphers' to see what goes here\n");
437         BIO_printf(bio_err," -serverpref   - Use server's cipher preferences\n");
438         BIO_printf(bio_err," -quiet        - No server output\n");
439         BIO_printf(bio_err," -no_tmp_rsa   - Do not generate a tmp RSA key\n");
440 #ifndef OPENSSL_NO_PSK
441         BIO_printf(bio_err," -psk_hint arg - PSK identity hint to use\n");
442         BIO_printf(bio_err," -psk arg      - PSK in hex (without 0x)\n");
443 #endif
444         BIO_printf(bio_err," -ssl2         - Just talk SSLv2\n");
445         BIO_printf(bio_err," -ssl3         - Just talk SSLv3\n");
446         BIO_printf(bio_err," -tls1         - Just talk TLSv1\n");
447         BIO_printf(bio_err," -dtls1        - Just talk DTLSv1\n");
448         BIO_printf(bio_err," -timeout      - Enable timeouts\n");
449         BIO_printf(bio_err," -mtu          - Set MTU\n");
450         BIO_printf(bio_err," -chain        - Read a certificate chain\n");
451         BIO_printf(bio_err," -no_ssl2      - Just disable SSLv2\n");
452         BIO_printf(bio_err," -no_ssl3      - Just disable SSLv3\n");
453         BIO_printf(bio_err," -no_tls1      - Just disable TLSv1\n");
454 #ifndef OPENSSL_NO_DH
455         BIO_printf(bio_err," -no_dhe       - Disable ephemeral DH\n");
456 #endif
457 #ifndef OPENSSL_NO_ECDH
458         BIO_printf(bio_err," -no_ecdhe     - Disable ephemeral ECDH\n");
459 #endif
460         BIO_printf(bio_err," -bugs         - Turn on SSL bug compatibility\n");
461         BIO_printf(bio_err," -www          - Respond to a 'GET /' with a status page\n");
462         BIO_printf(bio_err," -WWW          - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>\n");
463         BIO_printf(bio_err," -HTTP         - Respond to a 'GET /<path> HTTP/1.0' with file ./<path>\n");
464         BIO_printf(bio_err,"                 with the assumption it contains a complete HTTP response.\n");
465 #ifndef OPENSSL_NO_ENGINE
466         BIO_printf(bio_err," -engine id    - Initialise and use the specified engine\n");
467 #endif
468         BIO_printf(bio_err," -id_prefix arg - Generate SSL/TLS session IDs prefixed by 'arg'\n");
469         BIO_printf(bio_err," -rand file%cfile%c...\n", LIST_SEPARATOR_CHAR, LIST_SEPARATOR_CHAR);
470 #ifndef OPENSSL_NO_TLSEXT
471         BIO_printf(bio_err," -servername host - servername for HostName TLS extension\n");
472         BIO_printf(bio_err," -servername_fatal - on mismatch send fatal alert (default warning alert)\n");
473         BIO_printf(bio_err," -cert2 arg    - certificate file to use for servername\n");
474         BIO_printf(bio_err,"                 (default is %s)\n",TEST_CERT2);
475         BIO_printf(bio_err," -key2 arg     - Private Key file to use for servername, in cert file if\n");
476         BIO_printf(bio_err,"                 not specified (default is %s)\n",TEST_CERT2);
477         BIO_printf(bio_err," -tlsextdebug  - hex dump of all TLS extensions received\n");
478         BIO_printf(bio_err," -no_ticket    - disable use of RFC4507bis session tickets\n");
479 #endif
480         }
481
482 static int local_argc=0;
483 static char **local_argv;
484
485 #ifdef CHARSET_EBCDIC
486 static int ebcdic_new(BIO *bi);
487 static int ebcdic_free(BIO *a);
488 static int ebcdic_read(BIO *b, char *out, int outl);
489 static int ebcdic_write(BIO *b, const char *in, int inl);
490 static long ebcdic_ctrl(BIO *b, int cmd, long num, void *ptr);
491 static int ebcdic_gets(BIO *bp, char *buf, int size);
492 static int ebcdic_puts(BIO *bp, const char *str);
493
494 #define BIO_TYPE_EBCDIC_FILTER  (18|0x0200)
495 static BIO_METHOD methods_ebcdic=
496         {
497         BIO_TYPE_EBCDIC_FILTER,
498         "EBCDIC/ASCII filter",
499         ebcdic_write,
500         ebcdic_read,
501         ebcdic_puts,
502         ebcdic_gets,
503         ebcdic_ctrl,
504         ebcdic_new,
505         ebcdic_free,
506         };
507
508 typedef struct
509 {
510         size_t  alloced;
511         char    buff[1];
512 } EBCDIC_OUTBUFF;
513
514 BIO_METHOD *BIO_f_ebcdic_filter()
515 {
516         return(&methods_ebcdic);
517 }
518
519 static int ebcdic_new(BIO *bi)
520 {
521         EBCDIC_OUTBUFF *wbuf;
522
523         wbuf = (EBCDIC_OUTBUFF *)OPENSSL_malloc(sizeof(EBCDIC_OUTBUFF) + 1024);
524         wbuf->alloced = 1024;
525         wbuf->buff[0] = '\0';
526
527         bi->ptr=(char *)wbuf;
528         bi->init=1;
529         bi->flags=0;
530         return(1);
531 }
532
533 static int ebcdic_free(BIO *a)
534 {
535         if (a == NULL) return(0);
536         if (a->ptr != NULL)
537                 OPENSSL_free(a->ptr);
538         a->ptr=NULL;
539         a->init=0;
540         a->flags=0;
541         return(1);
542 }
543         
544 static int ebcdic_read(BIO *b, char *out, int outl)
545 {
546         int ret=0;
547
548         if (out == NULL || outl == 0) return(0);
549         if (b->next_bio == NULL) return(0);
550
551         ret=BIO_read(b->next_bio,out,outl);
552         if (ret > 0)
553                 ascii2ebcdic(out,out,ret);
554         return(ret);
555 }
556
557 static int ebcdic_write(BIO *b, const char *in, int inl)
558 {
559         EBCDIC_OUTBUFF *wbuf;
560         int ret=0;
561         int num;
562         unsigned char n;
563
564         if ((in == NULL) || (inl <= 0)) return(0);
565         if (b->next_bio == NULL) return(0);
566
567         wbuf=(EBCDIC_OUTBUFF *)b->ptr;
568
569         if (inl > (num = wbuf->alloced))
570         {
571                 num = num + num;  /* double the size */
572                 if (num < inl)
573                         num = inl;
574                 OPENSSL_free(wbuf);
575                 wbuf=(EBCDIC_OUTBUFF *)OPENSSL_malloc(sizeof(EBCDIC_OUTBUFF) + num);
576
577                 wbuf->alloced = num;
578                 wbuf->buff[0] = '\0';
579
580                 b->ptr=(char *)wbuf;
581         }
582
583         ebcdic2ascii(wbuf->buff, in, inl);
584
585         ret=BIO_write(b->next_bio, wbuf->buff, inl);
586
587         return(ret);
588 }
589
590 static long ebcdic_ctrl(BIO *b, int cmd, long num, void *ptr)
591 {
592         long ret;
593
594         if (b->next_bio == NULL) return(0);
595         switch (cmd)
596         {
597         case BIO_CTRL_DUP:
598                 ret=0L;
599                 break;
600         default:
601                 ret=BIO_ctrl(b->next_bio,cmd,num,ptr);
602                 break;
603         }
604         return(ret);
605 }
606
607 static int ebcdic_gets(BIO *bp, char *buf, int size)
608 {
609         int i, ret=0;
610         if (bp->next_bio == NULL) return(0);
611 /*      return(BIO_gets(bp->next_bio,buf,size));*/
612         for (i=0; i<size-1; ++i)
613         {
614                 ret = ebcdic_read(bp,&buf[i],1);
615                 if (ret <= 0)
616                         break;
617                 else if (buf[i] == '\n')
618                 {
619                         ++i;
620                         break;
621                 }
622         }
623         if (i < size)
624                 buf[i] = '\0';
625         return (ret < 0 && i == 0) ? ret : i;
626 }
627
628 static int ebcdic_puts(BIO *bp, const char *str)
629 {
630         if (bp->next_bio == NULL) return(0);
631         return ebcdic_write(bp, str, strlen(str));
632 }
633 #endif
634
635 #ifndef OPENSSL_NO_TLSEXT
636
637 /* This is a context that we pass to callbacks */
638 typedef struct tlsextctx_st {
639    char * servername;
640    BIO * biodebug;
641    int extension_error;
642 } tlsextctx;
643
644
645 static int MS_CALLBACK ssl_servername_cb(SSL *s, int *ad, void *arg)
646         {
647         tlsextctx * p = (tlsextctx *) arg;
648         const char * servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
649         if (servername && p->biodebug) 
650                 BIO_printf(p->biodebug,"Hostname in TLS extension: \"%s\"\n",servername);
651         
652         if (!p->servername)
653                 return SSL_TLSEXT_ERR_NOACK;
654         
655         if (servername)
656                 {
657                 if (strcmp(servername,p->servername)) 
658                         return p->extension_error;
659                 if (ctx2)
660                         {
661                         BIO_printf(p->biodebug,"Swiching server context.\n");
662                         SSL_set_SSL_CTX(s,ctx2);
663                         }     
664                 }
665         return SSL_TLSEXT_ERR_OK;
666 }
667 #endif
668
669 int MAIN(int, char **);
670
671 int MAIN(int argc, char *argv[])
672         {
673         X509_STORE *store = NULL;
674         int vflags = 0;
675         short port=PORT;
676         char *CApath=NULL,*CAfile=NULL;
677         unsigned char *context = NULL;
678         char *dhfile = NULL;
679 #ifndef OPENSSL_NO_ECDH
680         char *named_curve = NULL;
681 #endif
682         int badop=0,bugs=0;
683         int ret=1;
684         int off=0;
685         int no_tmp_rsa=0,no_dhe=0,no_ecdhe=0,nocert=0;
686         int state=0;
687         const SSL_METHOD *meth=NULL;
688         int socket_type=SOCK_STREAM;
689 #ifndef OPENSSL_NO_ENGINE
690         ENGINE *e=NULL;
691 #endif
692         char *inrand=NULL;
693         int s_cert_format = FORMAT_PEM, s_key_format = FORMAT_PEM;
694         char *passarg = NULL, *pass = NULL;
695         char *dpassarg = NULL, *dpass = NULL;
696         int s_dcert_format = FORMAT_PEM, s_dkey_format = FORMAT_PEM;
697         X509 *s_cert = NULL, *s_dcert = NULL;
698         EVP_PKEY *s_key = NULL, *s_dkey = NULL;
699 #ifndef OPENSSL_NO_TLSEXT
700         EVP_PKEY *s_key2 = NULL;
701         X509 *s_cert2 = NULL;
702 #endif
703
704 #ifndef OPENSSL_NO_TLSEXT
705         tlsextctx tlsextcbp = {NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING};
706 #endif
707 #ifndef OPENSSL_NO_PSK
708         /* by default do not send a PSK identity hint */
709         static char *psk_identity_hint=NULL;
710 #endif
711 #if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
712         meth=SSLv23_server_method();
713 #elif !defined(OPENSSL_NO_SSL3)
714         meth=SSLv3_server_method();
715 #elif !defined(OPENSSL_NO_SSL2)
716         meth=SSLv2_server_method();
717 #endif
718
719         local_argc=argc;
720         local_argv=argv;
721
722         apps_startup();
723 #ifdef MONOLITH
724         s_server_init();
725 #endif
726
727         if (bio_err == NULL)
728                 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
729
730         if (!load_config(bio_err, NULL))
731                 goto end;
732
733         verify_depth=0;
734 #ifdef FIONBIO
735         s_nbio=0;
736 #endif
737         s_nbio_test=0;
738
739         argc--;
740         argv++;
741
742         while (argc >= 1)
743                 {
744                 if      ((strcmp(*argv,"-port") == 0) ||
745                          (strcmp(*argv,"-accept") == 0))
746                         {
747                         if (--argc < 1) goto bad;
748                         if (!extract_port(*(++argv),&port))
749                                 goto bad;
750                         }
751                 else if (strcmp(*argv,"-verify") == 0)
752                         {
753                         s_server_verify=SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE;
754                         if (--argc < 1) goto bad;
755                         verify_depth=atoi(*(++argv));
756                         BIO_printf(bio_err,"verify depth is %d\n",verify_depth);
757                         }
758                 else if (strcmp(*argv,"-Verify") == 0)
759                         {
760                         s_server_verify=SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT|
761                                 SSL_VERIFY_CLIENT_ONCE;
762                         if (--argc < 1) goto bad;
763                         verify_depth=atoi(*(++argv));
764                         BIO_printf(bio_err,"verify depth is %d, must return a certificate\n",verify_depth);
765                         }
766                 else if (strcmp(*argv,"-context") == 0)
767                         {
768                         if (--argc < 1) goto bad;
769                         context= (unsigned char *)*(++argv);
770                         }
771                 else if (strcmp(*argv,"-cert") == 0)
772                         {
773                         if (--argc < 1) goto bad;
774                         s_cert_file= *(++argv);
775                         }
776                 else if (strcmp(*argv,"-certform") == 0)
777                         {
778                         if (--argc < 1) goto bad;
779                         s_cert_format = str2fmt(*(++argv));
780                         }
781                 else if (strcmp(*argv,"-key") == 0)
782                         {
783                         if (--argc < 1) goto bad;
784                         s_key_file= *(++argv);
785                         }
786                 else if (strcmp(*argv,"-keyform") == 0)
787                         {
788                         if (--argc < 1) goto bad;
789                         s_key_format = str2fmt(*(++argv));
790                         }
791                 else if (strcmp(*argv,"-pass") == 0)
792                         {
793                         if (--argc < 1) goto bad;
794                         passarg = *(++argv);
795                         }
796                 else if (strcmp(*argv,"-dhparam") == 0)
797                         {
798                         if (--argc < 1) goto bad;
799                         dhfile = *(++argv);
800                         }
801 #ifndef OPENSSL_NO_ECDH         
802                 else if (strcmp(*argv,"-named_curve") == 0)
803                         {
804                         if (--argc < 1) goto bad;
805                         named_curve = *(++argv);
806                         }
807 #endif
808                 else if (strcmp(*argv,"-dcertform") == 0)
809                         {
810                         if (--argc < 1) goto bad;
811                         s_dcert_format = str2fmt(*(++argv));
812                         }
813                 else if (strcmp(*argv,"-dcert") == 0)
814                         {
815                         if (--argc < 1) goto bad;
816                         s_dcert_file= *(++argv);
817                         }
818                 else if (strcmp(*argv,"-dkeyform") == 0)
819                         {
820                         if (--argc < 1) goto bad;
821                         s_dkey_format = str2fmt(*(++argv));
822                         }
823                 else if (strcmp(*argv,"-dpass") == 0)
824                         {
825                         if (--argc < 1) goto bad;
826                         dpassarg = *(++argv);
827                         }
828                 else if (strcmp(*argv,"-dkey") == 0)
829                         {
830                         if (--argc < 1) goto bad;
831                         s_dkey_file= *(++argv);
832                         }
833                 else if (strcmp(*argv,"-nocert") == 0)
834                         {
835                         nocert=1;
836                         }
837                 else if (strcmp(*argv,"-CApath") == 0)
838                         {
839                         if (--argc < 1) goto bad;
840                         CApath= *(++argv);
841                         }
842                 else if (strcmp(*argv,"-crl_check") == 0)
843                         {
844                         vflags |= X509_V_FLAG_CRL_CHECK;
845                         }
846                 else if (strcmp(*argv,"-crl_check") == 0)
847                         {
848                         vflags |= X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL;
849                         }
850                 else if (strcmp(*argv,"-verify_return_error") == 0)
851                         verify_return_error = 1;
852                 else if (strcmp(*argv,"-serverpref") == 0)
853                         { off|=SSL_OP_CIPHER_SERVER_PREFERENCE; }
854                 else if (strcmp(*argv,"-cipher") == 0)
855                         {
856                         if (--argc < 1) goto bad;
857                         cipher= *(++argv);
858                         }
859                 else if (strcmp(*argv,"-CAfile") == 0)
860                         {
861                         if (--argc < 1) goto bad;
862                         CAfile= *(++argv);
863                         }
864 #ifdef FIONBIO  
865                 else if (strcmp(*argv,"-nbio") == 0)
866                         { s_nbio=1; }
867 #endif
868                 else if (strcmp(*argv,"-nbio_test") == 0)
869                         {
870 #ifdef FIONBIO  
871                         s_nbio=1;
872 #endif
873                         s_nbio_test=1;
874                         }
875                 else if (strcmp(*argv,"-debug") == 0)
876                         { s_debug=1; }
877 #ifndef OPENSSL_NO_TLSEXT
878                 else if (strcmp(*argv,"-tlsextdebug") == 0)
879                         s_tlsextdebug=1;
880 #endif
881                 else if (strcmp(*argv,"-msg") == 0)
882                         { s_msg=1; }
883                 else if (strcmp(*argv,"-hack") == 0)
884                         { hack=1; }
885                 else if (strcmp(*argv,"-state") == 0)
886                         { state=1; }
887                 else if (strcmp(*argv,"-crlf") == 0)
888                         { s_crlf=1; }
889                 else if (strcmp(*argv,"-quiet") == 0)
890                         { s_quiet=1; }
891                 else if (strcmp(*argv,"-bugs") == 0)
892                         { bugs=1; }
893                 else if (strcmp(*argv,"-no_tmp_rsa") == 0)
894                         { no_tmp_rsa=1; }
895                 else if (strcmp(*argv,"-no_dhe") == 0)
896                         { no_dhe=1; }
897                 else if (strcmp(*argv,"-no_ecdhe") == 0)
898                         { no_ecdhe=1; }
899 #ifndef OPENSSL_NO_PSK
900                 else if (strcmp(*argv,"-psk_hint") == 0)
901                         {
902                         if (--argc < 1) goto bad;
903                         psk_identity_hint= *(++argv);
904                         }
905                 else if (strcmp(*argv,"-psk") == 0)
906                         {
907                         size_t i;
908
909                         if (--argc < 1) goto bad;
910                         psk_key=*(++argv);
911                         for (i=0; i<strlen(psk_key); i++)
912                                 {
913                                 if (isxdigit((int)psk_key[i]))
914                                         continue;
915                                 BIO_printf(bio_err,"Not a hex number '%s'\n",*argv);
916                                 goto bad;
917                                 }
918                         }
919 #endif
920                 else if (strcmp(*argv,"-www") == 0)
921                         { www=1; }
922                 else if (strcmp(*argv,"-WWW") == 0)
923                         { www=2; }
924                 else if (strcmp(*argv,"-HTTP") == 0)
925                         { www=3; }
926                 else if (strcmp(*argv,"-no_ssl2") == 0)
927                         { off|=SSL_OP_NO_SSLv2; }
928                 else if (strcmp(*argv,"-no_ssl3") == 0)
929                         { off|=SSL_OP_NO_SSLv3; }
930                 else if (strcmp(*argv,"-no_tls1") == 0)
931                         { off|=SSL_OP_NO_TLSv1; }
932                 else if (strcmp(*argv,"-no_comp") == 0)
933                         { off|=SSL_OP_NO_COMPRESSION; }
934 #ifndef OPENSSL_NO_TLSEXT
935                 else if (strcmp(*argv,"-no_ticket") == 0)
936                         { off|=SSL_OP_NO_TICKET; }
937 #endif
938 #ifndef OPENSSL_NO_SSL2
939                 else if (strcmp(*argv,"-ssl2") == 0)
940                         { meth=SSLv2_server_method(); }
941 #endif
942 #ifndef OPENSSL_NO_SSL3
943                 else if (strcmp(*argv,"-ssl3") == 0)
944                         { meth=SSLv3_server_method(); }
945 #endif
946 #ifndef OPENSSL_NO_TLS1
947                 else if (strcmp(*argv,"-tls1") == 0)
948                         { meth=TLSv1_server_method(); }
949 #endif
950 #ifndef OPENSSL_NO_DTLS1
951                 else if (strcmp(*argv,"-dtls1") == 0)
952                         { 
953                         meth=DTLSv1_server_method();
954                         socket_type = SOCK_DGRAM;
955                         }
956                 else if (strcmp(*argv,"-timeout") == 0)
957                         enable_timeouts = 1;
958                 else if (strcmp(*argv,"-mtu") == 0)
959                         {
960                         if (--argc < 1) goto bad;
961                         socket_mtu = atol(*(++argv));
962                         }
963                 else if (strcmp(*argv, "-chain") == 0)
964                         cert_chain = 1;
965 #endif
966                 else if (strcmp(*argv, "-id_prefix") == 0)
967                         {
968                         if (--argc < 1) goto bad;
969                         session_id_prefix = *(++argv);
970                         }
971 #ifndef OPENSSL_NO_ENGINE
972                 else if (strcmp(*argv,"-engine") == 0)
973                         {
974                         if (--argc < 1) goto bad;
975                         engine_id= *(++argv);
976                         }
977 #endif
978                 else if (strcmp(*argv,"-rand") == 0)
979                         {
980                         if (--argc < 1) goto bad;
981                         inrand= *(++argv);
982                         }
983 #ifndef OPENSSL_NO_TLSEXT
984                 else if (strcmp(*argv,"-servername") == 0)
985                         {
986                         if (--argc < 1) goto bad;
987                         tlsextcbp.servername= *(++argv);
988                         }
989                 else if (strcmp(*argv,"-servername_fatal") == 0)
990                         { tlsextcbp.extension_error = SSL_TLSEXT_ERR_ALERT_FATAL; }
991                 else if (strcmp(*argv,"-cert2") == 0)
992                         {
993                         if (--argc < 1) goto bad;
994                         s_cert_file2= *(++argv);
995                         }
996                 else if (strcmp(*argv,"-key2") == 0)
997                         {
998                         if (--argc < 1) goto bad;
999                         s_key_file2= *(++argv);
1000                         }
1001 #endif
1002                 else
1003                         {
1004                         BIO_printf(bio_err,"unknown option %s\n",*argv);
1005                         badop=1;
1006                         break;
1007                         }
1008                 argc--;
1009                 argv++;
1010                 }
1011         if (badop)
1012                 {
1013 bad:
1014                 sv_usage();
1015                 goto end;
1016                 }
1017
1018         SSL_load_error_strings();
1019         OpenSSL_add_ssl_algorithms();
1020
1021 #ifndef OPENSSL_NO_ENGINE
1022         e = setup_engine(bio_err, engine_id, 1);
1023 #endif
1024
1025         if (!app_passwd(bio_err, passarg, dpassarg, &pass, &dpass))
1026                 {
1027                 BIO_printf(bio_err, "Error getting password\n");
1028                 goto end;
1029                 }
1030
1031
1032         if (s_key_file == NULL)
1033                 s_key_file = s_cert_file;
1034 #ifndef OPENSSL_NO_TLSEXT
1035         if (s_key_file2 == NULL)
1036                 s_key_file2 = s_cert_file2;
1037 #endif
1038
1039         if (nocert == 0)
1040                 {
1041                 s_key = load_key(bio_err, s_key_file, s_key_format, 0, pass, e,
1042                        "server certificate private key file");
1043                 if (!s_key)
1044                         {
1045                         ERR_print_errors(bio_err);
1046                         goto end;
1047                         }
1048
1049                 s_cert = load_cert(bio_err,s_cert_file,s_cert_format,
1050                         NULL, e, "server certificate file");
1051
1052                 if (!s_cert)
1053                         {
1054                         ERR_print_errors(bio_err);
1055                         goto end;
1056                         }
1057
1058 #ifndef OPENSSL_NO_TLSEXT
1059                 if (tlsextcbp.servername) 
1060                         {
1061                         s_key2 = load_key(bio_err, s_key_file2, s_key_format, 0, pass, e,
1062                                 "second server certificate private key file");
1063                         if (!s_key2)
1064                                 {
1065                                 ERR_print_errors(bio_err);
1066                                 goto end;
1067                                 }
1068                         
1069                         s_cert2 = load_cert(bio_err,s_cert_file2,s_cert_format,
1070                                 NULL, e, "second server certificate file");
1071                         
1072                         if (!s_cert2)
1073                                 {
1074                                 ERR_print_errors(bio_err);
1075                                 goto end;
1076                                 }
1077                         }
1078 #endif
1079                 }
1080
1081
1082         if (s_dcert_file)
1083                 {
1084
1085                 if (s_dkey_file == NULL)
1086                         s_dkey_file = s_dcert_file;
1087
1088                 s_dkey = load_key(bio_err, s_dkey_file, s_dkey_format,
1089                                 0, dpass, e,
1090                                "second certificate private key file");
1091                 if (!s_dkey)
1092                         {
1093                         ERR_print_errors(bio_err);
1094                         goto end;
1095                         }
1096
1097                 s_dcert = load_cert(bio_err,s_dcert_file,s_dcert_format,
1098                                 NULL, e, "second server certificate file");
1099
1100                 if (!s_dcert)
1101                         {
1102                         ERR_print_errors(bio_err);
1103                         goto end;
1104                         }
1105
1106                 }
1107
1108         if (!app_RAND_load_file(NULL, bio_err, 1) && inrand == NULL
1109                 && !RAND_status())
1110                 {
1111                 BIO_printf(bio_err,"warning, not much extra random data, consider using the -rand option\n");
1112                 }
1113         if (inrand != NULL)
1114                 BIO_printf(bio_err,"%ld semi-random bytes loaded\n",
1115                         app_RAND_load_files(inrand));
1116
1117         if (bio_s_out == NULL)
1118                 {
1119                 if (s_quiet && !s_debug && !s_msg)
1120                         {
1121                         bio_s_out=BIO_new(BIO_s_null());
1122                         }
1123                 else
1124                         {
1125                         if (bio_s_out == NULL)
1126                                 bio_s_out=BIO_new_fp(stdout,BIO_NOCLOSE);
1127                         }
1128                 }
1129
1130 #if !defined(OPENSSL_NO_RSA) || !defined(OPENSSL_NO_DSA) || !defined(OPENSSL_NO_ECDSA)
1131         if (nocert)
1132 #endif
1133                 {
1134                 s_cert_file=NULL;
1135                 s_key_file=NULL;
1136                 s_dcert_file=NULL;
1137                 s_dkey_file=NULL;
1138 #ifndef OPENSSL_NO_TLSEXT
1139                 s_cert_file2=NULL;
1140                 s_key_file2=NULL;
1141 #endif
1142                 }
1143
1144         ctx=SSL_CTX_new(meth);
1145         if (ctx == NULL)
1146                 {
1147                 ERR_print_errors(bio_err);
1148                 goto end;
1149                 }
1150         if (session_id_prefix)
1151                 {
1152                 if(strlen(session_id_prefix) >= 32)
1153                         BIO_printf(bio_err,
1154 "warning: id_prefix is too long, only one new session will be possible\n");
1155                 else if(strlen(session_id_prefix) >= 16)
1156                         BIO_printf(bio_err,
1157 "warning: id_prefix is too long if you use SSLv2\n");
1158                 if(!SSL_CTX_set_generate_session_id(ctx, generate_session_id))
1159                         {
1160                         BIO_printf(bio_err,"error setting 'id_prefix'\n");
1161                         ERR_print_errors(bio_err);
1162                         goto end;
1163                         }
1164                 BIO_printf(bio_err,"id_prefix '%s' set.\n", session_id_prefix);
1165                 }
1166         SSL_CTX_set_quiet_shutdown(ctx,1);
1167         if (bugs) SSL_CTX_set_options(ctx,SSL_OP_ALL);
1168         if (hack) SSL_CTX_set_options(ctx,SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG);
1169         SSL_CTX_set_options(ctx,off);
1170         /* DTLS: partial reads end up discarding unread UDP bytes :-( 
1171          * Setting read ahead solves this problem.
1172          */
1173         if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx, 1);
1174
1175         if (state) SSL_CTX_set_info_callback(ctx,apps_ssl_info_callback);
1176
1177         SSL_CTX_sess_set_cache_size(ctx,128);
1178
1179 #if 0
1180         if (cipher == NULL) cipher=getenv("SSL_CIPHER");
1181 #endif
1182
1183 #if 0
1184         if (s_cert_file == NULL)
1185                 {
1186                 BIO_printf(bio_err,"You must specify a certificate file for the server to use\n");
1187                 goto end;
1188                 }
1189 #endif
1190
1191         if ((!SSL_CTX_load_verify_locations(ctx,CAfile,CApath)) ||
1192                 (!SSL_CTX_set_default_verify_paths(ctx)))
1193                 {
1194                 /* BIO_printf(bio_err,"X509_load_verify_locations\n"); */
1195                 ERR_print_errors(bio_err);
1196                 /* goto end; */
1197                 }
1198         store = SSL_CTX_get_cert_store(ctx);
1199         X509_STORE_set_flags(store, vflags);
1200
1201 #ifndef OPENSSL_NO_TLSEXT
1202         if (s_cert2)
1203                 {
1204                 ctx2=SSL_CTX_new(meth);
1205                 if (ctx2 == NULL)
1206                         {
1207                         ERR_print_errors(bio_err);
1208                         goto end;
1209                         }
1210                 }
1211         
1212         if (ctx2)
1213                 {
1214                 BIO_printf(bio_s_out,"Setting secondary ctx parameters\n");
1215
1216                 if (session_id_prefix)
1217                         {
1218                         if(strlen(session_id_prefix) >= 32)
1219                                 BIO_printf(bio_err,
1220                                         "warning: id_prefix is too long, only one new session will be possible\n");
1221                         else if(strlen(session_id_prefix) >= 16)
1222                                 BIO_printf(bio_err,
1223                                         "warning: id_prefix is too long if you use SSLv2\n");
1224                         if(!SSL_CTX_set_generate_session_id(ctx2, generate_session_id))
1225                                 {
1226                                 BIO_printf(bio_err,"error setting 'id_prefix'\n");
1227                                 ERR_print_errors(bio_err);
1228                                 goto end;
1229                                 }
1230                         BIO_printf(bio_err,"id_prefix '%s' set.\n", session_id_prefix);
1231                         }
1232                 SSL_CTX_set_quiet_shutdown(ctx2,1);
1233                 if (bugs) SSL_CTX_set_options(ctx2,SSL_OP_ALL);
1234                 if (hack) SSL_CTX_set_options(ctx2,SSL_OP_NETSCAPE_DEMO_CIPHER_CHANGE_BUG);
1235                 SSL_CTX_set_options(ctx2,off);
1236                 /* DTLS: partial reads end up discarding unread UDP bytes :-( 
1237                  * Setting read ahead solves this problem.
1238                  */
1239                 if (socket_type == SOCK_DGRAM) SSL_CTX_set_read_ahead(ctx2, 1);
1240
1241                 if (state) SSL_CTX_set_info_callback(ctx2,apps_ssl_info_callback);
1242
1243                 SSL_CTX_sess_set_cache_size(ctx2,128);
1244
1245                 if ((!SSL_CTX_load_verify_locations(ctx2,CAfile,CApath)) ||
1246                         (!SSL_CTX_set_default_verify_paths(ctx2)))
1247                         {
1248                         ERR_print_errors(bio_err);
1249                         }
1250                 store = SSL_CTX_get_cert_store(ctx2);
1251                 X509_STORE_set_flags(store, vflags);
1252                 }
1253 #endif 
1254
1255 #ifndef OPENSSL_NO_DH
1256         if (!no_dhe)
1257                 {
1258                 DH *dh=NULL;
1259
1260                 if (dhfile)
1261                         dh = load_dh_param(dhfile);
1262                 else if (s_cert_file)
1263                         dh = load_dh_param(s_cert_file);
1264
1265                 if (dh != NULL)
1266                         {
1267                         BIO_printf(bio_s_out,"Setting temp DH parameters\n");
1268                         }
1269                 else
1270                         {
1271                         BIO_printf(bio_s_out,"Using default temp DH parameters\n");
1272                         dh=get_dh512();
1273                         }
1274                 (void)BIO_flush(bio_s_out);
1275
1276                 SSL_CTX_set_tmp_dh(ctx,dh);
1277 #ifndef OPENSSL_NO_TLSEXT
1278                 if (ctx2)
1279                         {
1280                         if (!dhfile)
1281                                 { 
1282                                 DH *dh2=load_dh_param(s_cert_file2);
1283                                 if (dh2 != NULL)
1284                                         {
1285                                         BIO_printf(bio_s_out,"Setting temp DH parameters\n");
1286                                         (void)BIO_flush(bio_s_out);
1287
1288                                         DH_free(dh);
1289                                         dh = dh2;
1290                                         }
1291                                 }
1292                         SSL_CTX_set_tmp_dh(ctx2,dh);
1293                         }
1294 #endif
1295                 DH_free(dh);
1296                 }
1297 #endif
1298
1299 #ifndef OPENSSL_NO_ECDH
1300         if (!no_ecdhe)
1301                 {
1302                 EC_KEY *ecdh=NULL;
1303
1304                 if (named_curve)
1305                         {
1306                         int nid = OBJ_sn2nid(named_curve);
1307
1308                         if (nid == 0)
1309                                 {
1310                                 BIO_printf(bio_err, "unknown curve name (%s)\n", 
1311                                         named_curve);
1312                                 goto end;
1313                                 }
1314                         ecdh = EC_KEY_new_by_curve_name(nid);
1315                         if (ecdh == NULL)
1316                                 {
1317                                 BIO_printf(bio_err, "unable to create curve (%s)\n", 
1318                                         named_curve);
1319                                 goto end;
1320                                 }
1321                         }
1322
1323                 if (ecdh != NULL)
1324                         {
1325                         BIO_printf(bio_s_out,"Setting temp ECDH parameters\n");
1326                         }
1327                 else
1328                         {
1329                         BIO_printf(bio_s_out,"Using default temp ECDH parameters\n");
1330                         ecdh = EC_KEY_new_by_curve_name(NID_X9_62_prime256v1);
1331                         if (ecdh == NULL) 
1332                                 {
1333                                 BIO_printf(bio_err, "unable to create curve (nistp256)\n");
1334                                 goto end;
1335                                 }
1336                         }
1337                 (void)BIO_flush(bio_s_out);
1338
1339                 SSL_CTX_set_tmp_ecdh(ctx,ecdh);
1340 #ifndef OPENSSL_NO_TLSEXT
1341                 if (ctx2) 
1342                         SSL_CTX_set_tmp_ecdh(ctx2,ecdh);
1343 #endif
1344                 EC_KEY_free(ecdh);
1345                 }
1346 #endif
1347         
1348         if (!set_cert_key_stuff(ctx,s_cert,s_key))
1349                 goto end;
1350 #ifndef OPENSSL_NO_TLSEXT
1351         if (ctx2 && !set_cert_key_stuff(ctx2,s_cert2,s_key2))
1352                 goto end; 
1353 #endif
1354         if (s_dcert != NULL)
1355                 {
1356                 if (!set_cert_key_stuff(ctx,s_dcert,s_dkey))
1357                         goto end;
1358                 }
1359
1360 #ifndef OPENSSL_NO_RSA
1361 #if 1
1362         if (!no_tmp_rsa)
1363                 {
1364                 SSL_CTX_set_tmp_rsa_callback(ctx,tmp_rsa_cb);
1365 #ifndef OPENSSL_NO_TLSEXT
1366                 if (ctx2) 
1367                         SSL_CTX_set_tmp_rsa_callback(ctx2,tmp_rsa_cb);
1368 #endif          
1369                 }
1370 #else
1371         if (!no_tmp_rsa && SSL_CTX_need_tmp_RSA(ctx))
1372                 {
1373                 RSA *rsa;
1374
1375                 BIO_printf(bio_s_out,"Generating temp (512 bit) RSA key...");
1376                 BIO_flush(bio_s_out);
1377
1378                 rsa=RSA_generate_key(512,RSA_F4,NULL);
1379
1380                 if (!SSL_CTX_set_tmp_rsa(ctx,rsa))
1381                         {
1382                         ERR_print_errors(bio_err);
1383                         goto end;
1384                         }
1385 #ifndef OPENSSL_NO_TLSEXT
1386                         if (ctx2)
1387                                 {
1388                                 if (!SSL_CTX_set_tmp_rsa(ctx2,rsa))
1389                                         {
1390                                         ERR_print_errors(bio_err);
1391                                         goto end;
1392                                         }
1393                                 }
1394 #endif
1395                 RSA_free(rsa);
1396                 BIO_printf(bio_s_out,"\n");
1397                 }
1398 #endif
1399 #endif
1400
1401 #ifndef OPENSSL_NO_PSK
1402         if (psk_key != NULL)
1403                 {
1404                 if (s_debug)
1405                         BIO_printf(bio_s_out, "PSK key given, setting server callback\n");
1406                 SSL_CTX_set_psk_server_callback(ctx, psk_server_cb);
1407                 }
1408
1409         if (!SSL_CTX_use_psk_identity_hint(ctx, psk_identity_hint))
1410                 {
1411                 BIO_printf(bio_err,"error setting PSK identity hint to context\n");
1412                 ERR_print_errors(bio_err);
1413                 goto end;
1414                 }
1415 #endif
1416
1417         if (cipher != NULL)
1418                 {
1419                 if(!SSL_CTX_set_cipher_list(ctx,cipher))
1420                         {
1421                         BIO_printf(bio_err,"error setting cipher list\n");
1422                         ERR_print_errors(bio_err);
1423                         goto end;
1424                         }
1425 #ifndef OPENSSL_NO_TLSEXT
1426                 if (ctx2 && !SSL_CTX_set_cipher_list(ctx2,cipher))
1427                         {
1428                         BIO_printf(bio_err,"error setting cipher list\n");
1429                         ERR_print_errors(bio_err);
1430                         goto end;
1431                         }
1432 #endif
1433                 }
1434         SSL_CTX_set_verify(ctx,s_server_verify,verify_callback);
1435         SSL_CTX_set_session_id_context(ctx,(void*)&s_server_session_id_context,
1436                 sizeof s_server_session_id_context);
1437
1438 #ifndef OPENSSL_NO_TLSEXT
1439         if (ctx2)
1440                 {
1441                 SSL_CTX_set_verify(ctx2,s_server_verify,verify_callback);
1442                 SSL_CTX_set_session_id_context(ctx2,(void*)&s_server_session_id_context,
1443                         sizeof s_server_session_id_context);
1444
1445                 tlsextcbp.biodebug = bio_s_out;
1446                 SSL_CTX_set_tlsext_servername_callback(ctx2, ssl_servername_cb);
1447                 SSL_CTX_set_tlsext_servername_arg(ctx2, &tlsextcbp);
1448                 SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb);
1449                 SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp);
1450                 }
1451 #endif
1452
1453         if (CAfile != NULL)
1454                 {
1455                 SSL_CTX_set_client_CA_list(ctx,SSL_load_client_CA_file(CAfile));
1456 #ifndef OPENSSL_NO_TLSEXT
1457                 if (ctx2) 
1458                         SSL_CTX_set_client_CA_list(ctx2,SSL_load_client_CA_file(CAfile));
1459 #endif
1460                 }
1461
1462         BIO_printf(bio_s_out,"ACCEPT\n");
1463         (void)BIO_flush(bio_s_out);
1464         if (www)
1465                 do_server(port,socket_type,&accept_socket,www_body, context);
1466         else
1467                 do_server(port,socket_type,&accept_socket,sv_body, context);
1468         print_stats(bio_s_out,ctx);
1469         ret=0;
1470 end:
1471         if (ctx != NULL) SSL_CTX_free(ctx);
1472         if (s_cert)
1473                 X509_free(s_cert);
1474         if (s_dcert)
1475                 X509_free(s_dcert);
1476         if (s_key)
1477                 EVP_PKEY_free(s_key);
1478         if (s_dkey)
1479                 EVP_PKEY_free(s_dkey);
1480         if (pass)
1481                 OPENSSL_free(pass);
1482         if (dpass)
1483                 OPENSSL_free(dpass);
1484 #ifndef OPENSSL_NO_TLSEXT
1485         if (ctx2 != NULL) SSL_CTX_free(ctx2);
1486         if (s_cert2)
1487                 X509_free(s_cert2);
1488         if (s_key2)
1489                 EVP_PKEY_free(s_key2);
1490 #endif
1491         if (bio_s_out != NULL)
1492                 {
1493         BIO_free(bio_s_out);
1494                 bio_s_out=NULL;
1495                 }
1496         apps_shutdown();
1497         OPENSSL_EXIT(ret);
1498         }
1499
1500 static void print_stats(BIO *bio, SSL_CTX *ssl_ctx)
1501         {
1502         BIO_printf(bio,"%4ld items in the session cache\n",
1503                 SSL_CTX_sess_number(ssl_ctx));
1504         BIO_printf(bio,"%4ld client connects (SSL_connect())\n",
1505                 SSL_CTX_sess_connect(ssl_ctx));
1506         BIO_printf(bio,"%4ld client renegotiates (SSL_connect())\n",
1507                 SSL_CTX_sess_connect_renegotiate(ssl_ctx));
1508         BIO_printf(bio,"%4ld client connects that finished\n",
1509                 SSL_CTX_sess_connect_good(ssl_ctx));
1510         BIO_printf(bio,"%4ld server accepts (SSL_accept())\n",
1511                 SSL_CTX_sess_accept(ssl_ctx));
1512         BIO_printf(bio,"%4ld server renegotiates (SSL_accept())\n",
1513                 SSL_CTX_sess_accept_renegotiate(ssl_ctx));
1514         BIO_printf(bio,"%4ld server accepts that finished\n",
1515                 SSL_CTX_sess_accept_good(ssl_ctx));
1516         BIO_printf(bio,"%4ld session cache hits\n",SSL_CTX_sess_hits(ssl_ctx));
1517         BIO_printf(bio,"%4ld session cache misses\n",SSL_CTX_sess_misses(ssl_ctx));
1518         BIO_printf(bio,"%4ld session cache timeouts\n",SSL_CTX_sess_timeouts(ssl_ctx));
1519         BIO_printf(bio,"%4ld callback cache hits\n",SSL_CTX_sess_cb_hits(ssl_ctx));
1520         BIO_printf(bio,"%4ld cache full overflows (%ld allowed)\n",
1521                 SSL_CTX_sess_cache_full(ssl_ctx),
1522                 SSL_CTX_sess_get_cache_size(ssl_ctx));
1523         }
1524
1525 static int sv_body(char *hostname, int s, unsigned char *context)
1526         {
1527         char *buf=NULL;
1528         fd_set readfds;
1529         int ret=1,width;
1530         int k,i;
1531         unsigned long l;
1532         SSL *con=NULL;
1533         BIO *sbio;
1534 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE) || defined(OPENSSL_SYS_BEOS_R5)
1535         struct timeval tv;
1536 #endif
1537
1538         if ((buf=OPENSSL_malloc(bufsize)) == NULL)
1539                 {
1540                 BIO_printf(bio_err,"out of memory\n");
1541                 goto err;
1542                 }
1543 #ifdef FIONBIO  
1544         if (s_nbio)
1545                 {
1546                 unsigned long sl=1;
1547
1548                 if (!s_quiet)
1549                         BIO_printf(bio_err,"turning on non blocking io\n");
1550                 if (BIO_socket_ioctl(s,FIONBIO,&sl) < 0)
1551                         ERR_print_errors(bio_err);
1552                 }
1553 #endif
1554
1555         if (con == NULL) {
1556                 con=SSL_new(ctx);
1557 #ifndef OPENSSL_NO_TLSEXT
1558         if (s_tlsextdebug)
1559                 {
1560                 SSL_set_tlsext_debug_callback(con, tlsext_cb);
1561                 SSL_set_tlsext_debug_arg(con, bio_s_out);
1562                 }
1563 #endif
1564 #ifndef OPENSSL_NO_KRB5
1565                 if ((con->kssl_ctx = kssl_ctx_new()) != NULL)
1566                         {
1567                         kssl_ctx_setstring(con->kssl_ctx, KSSL_SERVICE,
1568                                                                 KRB5SVC);
1569                         kssl_ctx_setstring(con->kssl_ctx, KSSL_KEYTAB,
1570                                                                 KRB5KEYTAB);
1571                         }
1572 #endif  /* OPENSSL_NO_KRB5 */
1573                 if(context)
1574                       SSL_set_session_id_context(con, context,
1575                                                  strlen((char *)context));
1576         }
1577         SSL_clear(con);
1578
1579         if (SSL_version(con) == DTLS1_VERSION)
1580                 {
1581                 struct timeval timeout;
1582
1583                 sbio=BIO_new_dgram(s,BIO_NOCLOSE);
1584
1585                 if (enable_timeouts)
1586                         {
1587                         timeout.tv_sec = 0;
1588                         timeout.tv_usec = DGRAM_RCV_TIMEOUT;
1589                         BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT, 0, &timeout);
1590                         
1591                         timeout.tv_sec = 0;
1592                         timeout.tv_usec = DGRAM_SND_TIMEOUT;
1593                         BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT, 0, &timeout);
1594                         }
1595
1596                 if (socket_mtu > 0)
1597                         {
1598                         SSL_set_options(con, SSL_OP_NO_QUERY_MTU);
1599                         SSL_set_mtu(con, socket_mtu);
1600                         }
1601                 else
1602                         /* want to do MTU discovery */
1603                         BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER, 0, NULL);
1604
1605         /* turn on cookie exchange */
1606         SSL_set_options(con, SSL_OP_COOKIE_EXCHANGE);
1607                 }
1608         else
1609                 sbio=BIO_new_socket(s,BIO_NOCLOSE);
1610
1611         if (s_nbio_test)
1612                 {
1613                 BIO *test;
1614
1615                 test=BIO_new(BIO_f_nbio_test());
1616                 sbio=BIO_push(test,sbio);
1617                 }
1618         SSL_set_bio(con,sbio,sbio);
1619         SSL_set_accept_state(con);
1620         /* SSL_set_fd(con,s); */
1621
1622         if (s_debug)
1623                 {
1624                 con->debug=1;
1625                 BIO_set_callback(SSL_get_rbio(con),bio_dump_callback);
1626                 BIO_set_callback_arg(SSL_get_rbio(con),(char *)bio_s_out);
1627                 }
1628         if (s_msg)
1629                 {
1630                 SSL_set_msg_callback(con, msg_cb);
1631                 SSL_set_msg_callback_arg(con, bio_s_out);
1632                 }
1633 #ifndef OPENSSL_NO_TLSEXT
1634         if (s_tlsextdebug)
1635                 {
1636                 SSL_set_tlsext_debug_callback(con, tlsext_cb);
1637                 SSL_set_tlsext_debug_arg(con, bio_s_out);
1638                 }
1639 #endif
1640
1641         width=s+1;
1642         for (;;)
1643                 {
1644                 int read_from_terminal;
1645                 int read_from_sslcon;
1646
1647                 read_from_terminal = 0;
1648                 read_from_sslcon = SSL_pending(con);
1649
1650                 if (!read_from_sslcon)
1651                         {
1652                         FD_ZERO(&readfds);
1653 #if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS) && !defined(OPENSSL_SYS_NETWARE) && !defined(OPENSSL_SYS_BEOS_R5)
1654                         openssl_fdset(fileno(stdin),&readfds);
1655 #endif
1656                         openssl_fdset(s,&readfds);
1657                         /* Note: under VMS with SOCKETSHR the second parameter is
1658                          * currently of type (int *) whereas under other systems
1659                          * it is (void *) if you don't have a cast it will choke
1660                          * the compiler: if you do have a cast then you can either
1661                          * go for (int *) or (void *).
1662                          */
1663 #if defined(OPENSSL_SYS_WINDOWS) || defined(OPENSSL_SYS_MSDOS) || defined(OPENSSL_SYS_NETWARE)
1664                         /* Under DOS (non-djgpp) and Windows we can't select on stdin: only
1665                          * on sockets. As a workaround we timeout the select every
1666                          * second and check for any keypress. In a proper Windows
1667                          * application we wouldn't do this because it is inefficient.
1668                          */
1669                         tv.tv_sec = 1;
1670                         tv.tv_usec = 0;
1671                         i=select(width,(void *)&readfds,NULL,NULL,&tv);
1672                         if((i < 0) || (!i && !_kbhit() ) )continue;
1673                         if(_kbhit())
1674                                 read_from_terminal = 1;
1675 #elif defined(OPENSSL_SYS_BEOS_R5)
1676                         /* Under BeOS-R5 the situation is similar to DOS */
1677                         tv.tv_sec = 1;
1678                         tv.tv_usec = 0;
1679                         (void)fcntl(fileno(stdin), F_SETFL, O_NONBLOCK);
1680                         i=select(width,(void *)&readfds,NULL,NULL,&tv);
1681                         if ((i < 0) || (!i && read(fileno(stdin), buf, 0) < 0))
1682                                 continue;
1683                         if (read(fileno(stdin), buf, 0) >= 0)
1684                                 read_from_terminal = 1;
1685                         (void)fcntl(fileno(stdin), F_SETFL, 0);
1686 #else
1687                         i=select(width,(void *)&readfds,NULL,NULL,NULL);
1688                         if (i <= 0) continue;
1689                         if (FD_ISSET(fileno(stdin),&readfds))
1690                                 read_from_terminal = 1;
1691 #endif
1692                         if (FD_ISSET(s,&readfds))
1693                                 read_from_sslcon = 1;
1694                         }
1695                 if (read_from_terminal)
1696                         {
1697                         if (s_crlf)
1698                                 {
1699                                 int j, lf_num;
1700
1701                                 i=raw_read_stdin(buf, bufsize/2);
1702                                 lf_num = 0;
1703                                 /* both loops are skipped when i <= 0 */
1704                                 for (j = 0; j < i; j++)
1705                                         if (buf[j] == '\n')
1706                                                 lf_num++;
1707                                 for (j = i-1; j >= 0; j--)
1708                                         {
1709                                         buf[j+lf_num] = buf[j];
1710                                         if (buf[j] == '\n')
1711                                                 {
1712                                                 lf_num--;
1713                                                 i++;
1714                                                 buf[j+lf_num] = '\r';
1715                                                 }
1716                                         }
1717                                 assert(lf_num == 0);
1718                                 }
1719                         else
1720                                 i=raw_read_stdin(buf,bufsize);
1721                         if (!s_quiet)
1722                                 {
1723                                 if ((i <= 0) || (buf[0] == 'Q'))
1724                                         {
1725                                         BIO_printf(bio_s_out,"DONE\n");
1726                                         SHUTDOWN(s);
1727                                         close_accept_socket();
1728                                         ret= -11;
1729                                         goto err;
1730                                         }
1731                                 if ((i <= 0) || (buf[0] == 'q'))
1732                                         {
1733                                         BIO_printf(bio_s_out,"DONE\n");
1734                                         if (SSL_version(con) != DTLS1_VERSION)
1735                         SHUTDOWN(s);
1736         /*                              close_accept_socket();
1737                                         ret= -11;*/
1738                                         goto err;
1739                                         }
1740
1741                                 if ((buf[0] == 'r') && 
1742                                         ((buf[1] == '\n') || (buf[1] == '\r')))
1743                                         {
1744                                         SSL_renegotiate(con);
1745                                         i=SSL_do_handshake(con);
1746                                         printf("SSL_do_handshake -> %d\n",i);
1747                                         i=0; /*13; */
1748                                         continue;
1749                                         /* strcpy(buf,"server side RE-NEGOTIATE\n"); */
1750                                         }
1751                                 if ((buf[0] == 'R') &&
1752                                         ((buf[1] == '\n') || (buf[1] == '\r')))
1753                                         {
1754                                         SSL_set_verify(con,
1755                                                 SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE,NULL);
1756                                         SSL_renegotiate(con);
1757                                         i=SSL_do_handshake(con);
1758                                         printf("SSL_do_handshake -> %d\n",i);
1759                                         i=0; /* 13; */
1760                                         continue;
1761                                         /* strcpy(buf,"server side RE-NEGOTIATE asking for client cert\n"); */
1762                                         }
1763                                 if (buf[0] == 'P')
1764                                         {
1765                                         static const char *str="Lets print some clear text\n";
1766                                         BIO_write(SSL_get_wbio(con),str,strlen(str));
1767                                         }
1768                                 if (buf[0] == 'S')
1769                                         {
1770                                         print_stats(bio_s_out,SSL_get_SSL_CTX(con));
1771                                         }
1772                                 }
1773 #ifdef CHARSET_EBCDIC
1774                         ebcdic2ascii(buf,buf,i);
1775 #endif
1776                         l=k=0;
1777                         for (;;)
1778                                 {
1779                                 /* should do a select for the write */
1780 #ifdef RENEG
1781 { static count=0; if (++count == 100) { count=0; SSL_renegotiate(con); } }
1782 #endif
1783                                 k=SSL_write(con,&(buf[l]),(unsigned int)i);
1784                                 switch (SSL_get_error(con,k))
1785                                         {
1786                                 case SSL_ERROR_NONE:
1787                                         break;
1788                                 case SSL_ERROR_WANT_WRITE:
1789                                 case SSL_ERROR_WANT_READ:
1790                                 case SSL_ERROR_WANT_X509_LOOKUP:
1791                                         BIO_printf(bio_s_out,"Write BLOCK\n");
1792                                         break;
1793                                 case SSL_ERROR_SYSCALL:
1794                                 case SSL_ERROR_SSL:
1795                                         BIO_printf(bio_s_out,"ERROR\n");
1796                                         ERR_print_errors(bio_err);
1797                                         ret=1;
1798                                         goto err;
1799                                         /* break; */
1800                                 case SSL_ERROR_ZERO_RETURN:
1801                                         BIO_printf(bio_s_out,"DONE\n");
1802                                         ret=1;
1803                                         goto err;
1804                                         }
1805                                 l+=k;
1806                                 i-=k;
1807                                 if (i <= 0) break;
1808                                 }
1809                         }
1810                 if (read_from_sslcon)
1811                         {
1812                         if (!SSL_is_init_finished(con))
1813                                 {
1814                                 i=init_ssl_connection(con);
1815                                 
1816                                 if (i < 0)
1817                                         {
1818                                         ret=0;
1819                                         goto err;
1820                                         }
1821                                 else if (i == 0)
1822                                         {
1823                                         ret=1;
1824                                         goto err;
1825                                         }
1826                                 }
1827                         else
1828                                 {
1829 again:  
1830                                 i=SSL_read(con,(char *)buf,bufsize);
1831                                 switch (SSL_get_error(con,i))
1832                                         {
1833                                 case SSL_ERROR_NONE:
1834 #ifdef CHARSET_EBCDIC
1835                                         ascii2ebcdic(buf,buf,i);
1836 #endif
1837                                         raw_write_stdout(buf,
1838                                                 (unsigned int)i);
1839                                         if (SSL_pending(con)) goto again;
1840                                         break;
1841                                 case SSL_ERROR_WANT_WRITE:
1842                                 case SSL_ERROR_WANT_READ:
1843                                 case SSL_ERROR_WANT_X509_LOOKUP:
1844                                         BIO_printf(bio_s_out,"Read BLOCK\n");
1845                                         break;
1846                                 case SSL_ERROR_SYSCALL:
1847                                 case SSL_ERROR_SSL:
1848                                         BIO_printf(bio_s_out,"ERROR\n");
1849                                         ERR_print_errors(bio_err);
1850                                         ret=1;
1851                                         goto err;
1852                                 case SSL_ERROR_ZERO_RETURN:
1853                                         BIO_printf(bio_s_out,"DONE\n");
1854                                         ret=1;
1855                                         goto err;
1856                                         }
1857                                 }
1858                         }
1859                 }
1860 err:
1861         if (con != NULL)
1862                 {
1863                 BIO_printf(bio_s_out,"shutting down SSL\n");
1864 #if 1
1865                 SSL_set_shutdown(con,SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
1866 #else
1867                 SSL_shutdown(con);
1868 #endif
1869                 SSL_free(con);
1870                 }
1871         BIO_printf(bio_s_out,"CONNECTION CLOSED\n");
1872         if (buf != NULL)
1873                 {
1874                 OPENSSL_cleanse(buf,bufsize);
1875                 OPENSSL_free(buf);
1876                 }
1877         if (ret >= 0)
1878                 BIO_printf(bio_s_out,"ACCEPT\n");
1879         return(ret);
1880         }
1881
1882 static void close_accept_socket(void)
1883         {
1884         BIO_printf(bio_err,"shutdown accept socket\n");
1885         if (accept_socket >= 0)
1886                 {
1887                 SHUTDOWN2(accept_socket);
1888                 }
1889         }
1890
1891 static int init_ssl_connection(SSL *con)
1892         {
1893         int i;
1894         const char *str;
1895         X509 *peer;
1896         long verify_error;
1897         MS_STATIC char buf[BUFSIZ];
1898
1899         if ((i=SSL_accept(con)) <= 0)
1900                 {
1901                 if (BIO_sock_should_retry(i))
1902                         {
1903                         BIO_printf(bio_s_out,"DELAY\n");
1904                         return(1);
1905                         }
1906
1907                 BIO_printf(bio_err,"ERROR\n");
1908                 verify_error=SSL_get_verify_result(con);
1909                 if (verify_error != X509_V_OK)
1910                         {
1911                         BIO_printf(bio_err,"verify error:%s\n",
1912                                 X509_verify_cert_error_string(verify_error));
1913                         }
1914                 else
1915                         ERR_print_errors(bio_err);
1916                 return(0);
1917                 }
1918
1919         PEM_write_bio_SSL_SESSION(bio_s_out,SSL_get_session(con));
1920
1921         peer=SSL_get_peer_certificate(con);
1922         if (peer != NULL)
1923                 {
1924                 BIO_printf(bio_s_out,"Client certificate\n");
1925                 PEM_write_bio_X509(bio_s_out,peer);
1926                 X509_NAME_oneline(X509_get_subject_name(peer),buf,sizeof buf);
1927                 BIO_printf(bio_s_out,"subject=%s\n",buf);
1928                 X509_NAME_oneline(X509_get_issuer_name(peer),buf,sizeof buf);
1929                 BIO_printf(bio_s_out,"issuer=%s\n",buf);
1930                 X509_free(peer);
1931                 }
1932
1933         if (SSL_get_shared_ciphers(con,buf,sizeof buf) != NULL)
1934                 BIO_printf(bio_s_out,"Shared ciphers:%s\n",buf);
1935         str=SSL_CIPHER_get_name(SSL_get_current_cipher(con));
1936         BIO_printf(bio_s_out,"CIPHER is %s\n",(str != NULL)?str:"(NONE)");
1937         if (con->hit) BIO_printf(bio_s_out,"Reused session-id\n");
1938         if (SSL_ctrl(con,SSL_CTRL_GET_FLAGS,0,NULL) &
1939                 TLS1_FLAGS_TLS_PADDING_BUG)
1940                 BIO_printf(bio_s_out,"Peer has incorrect TLSv1 block padding\n");
1941 #ifndef OPENSSL_NO_KRB5
1942         if (con->kssl_ctx->client_princ != NULL)
1943                 {
1944                 BIO_printf(bio_s_out,"Kerberos peer principal is %s\n",
1945                         con->kssl_ctx->client_princ);
1946                 }
1947 #endif /* OPENSSL_NO_KRB5 */
1948         return(1);
1949         }
1950
1951 #ifndef OPENSSL_NO_DH
1952 static DH *load_dh_param(const char *dhfile)
1953         {
1954         DH *ret=NULL;
1955         BIO *bio;
1956
1957         if ((bio=BIO_new_file(dhfile,"r")) == NULL)
1958                 goto err;
1959         ret=PEM_read_bio_DHparams(bio,NULL,NULL,NULL);
1960 err:
1961         if (bio != NULL) BIO_free(bio);
1962         return(ret);
1963         }
1964 #endif
1965
1966 #if 0
1967 static int load_CA(SSL_CTX *ctx, char *file)
1968         {
1969         FILE *in;
1970         X509 *x=NULL;
1971
1972         if ((in=fopen(file,"r")) == NULL)
1973                 return(0);
1974
1975         for (;;)
1976                 {
1977                 if (PEM_read_X509(in,&x,NULL) == NULL)
1978                         break;
1979                 SSL_CTX_add_client_CA(ctx,x);
1980                 }
1981         if (x != NULL) X509_free(x);
1982         fclose(in);
1983         return(1);
1984         }
1985 #endif
1986
1987 static int www_body(char *hostname, int s, unsigned char *context)
1988         {
1989         char *buf=NULL;
1990         int ret=1;
1991         int i,j,k,blank,dot;
1992         SSL *con;
1993         SSL_CIPHER *c;
1994         BIO *io,*ssl_bio,*sbio;
1995         long total_bytes;
1996
1997         buf=OPENSSL_malloc(bufsize);
1998         if (buf == NULL) return(0);
1999         io=BIO_new(BIO_f_buffer());
2000         ssl_bio=BIO_new(BIO_f_ssl());
2001         if ((io == NULL) || (ssl_bio == NULL)) goto err;
2002
2003 #ifdef FIONBIO  
2004         if (s_nbio)
2005                 {
2006                 unsigned long sl=1;
2007
2008                 if (!s_quiet)
2009                         BIO_printf(bio_err,"turning on non blocking io\n");
2010                 if (BIO_socket_ioctl(s,FIONBIO,&sl) < 0)
2011                         ERR_print_errors(bio_err);
2012                 }
2013 #endif
2014
2015         /* lets make the output buffer a reasonable size */
2016         if (!BIO_set_write_buffer_size(io,bufsize)) goto err;
2017
2018         if ((con=SSL_new(ctx)) == NULL) goto err;
2019 #ifndef OPENSSL_NO_TLSEXT
2020                 if (s_tlsextdebug)
2021                         {
2022                         SSL_set_tlsext_debug_callback(con, tlsext_cb);
2023                         SSL_set_tlsext_debug_arg(con, bio_s_out);
2024                         }
2025 #endif
2026 #ifndef OPENSSL_NO_KRB5
2027         if ((con->kssl_ctx = kssl_ctx_new()) != NULL)
2028                 {
2029                 kssl_ctx_setstring(con->kssl_ctx, KSSL_SERVICE, KRB5SVC);
2030                 kssl_ctx_setstring(con->kssl_ctx, KSSL_KEYTAB, KRB5KEYTAB);
2031                 }
2032 #endif  /* OPENSSL_NO_KRB5 */
2033         if(context) SSL_set_session_id_context(con, context,
2034                                                strlen((char *)context));
2035
2036         sbio=BIO_new_socket(s,BIO_NOCLOSE);
2037         if (s_nbio_test)
2038                 {
2039                 BIO *test;
2040
2041                 test=BIO_new(BIO_f_nbio_test());
2042                 sbio=BIO_push(test,sbio);
2043                 }
2044         SSL_set_bio(con,sbio,sbio);
2045         SSL_set_accept_state(con);
2046
2047         /* SSL_set_fd(con,s); */
2048         BIO_set_ssl(ssl_bio,con,BIO_CLOSE);
2049         BIO_push(io,ssl_bio);
2050 #ifdef CHARSET_EBCDIC
2051         io = BIO_push(BIO_new(BIO_f_ebcdic_filter()),io);
2052 #endif
2053
2054         if (s_debug)
2055                 {
2056                 con->debug=1;
2057                 BIO_set_callback(SSL_get_rbio(con),bio_dump_callback);
2058                 BIO_set_callback_arg(SSL_get_rbio(con),(char *)bio_s_out);
2059                 }
2060         if (s_msg)
2061                 {
2062                 SSL_set_msg_callback(con, msg_cb);
2063                 SSL_set_msg_callback_arg(con, bio_s_out);
2064                 }
2065
2066         blank=0;
2067         for (;;)
2068                 {
2069                 if (hack)
2070                         {
2071                         i=SSL_accept(con);
2072
2073                         switch (SSL_get_error(con,i))
2074                                 {
2075                         case SSL_ERROR_NONE:
2076                                 break;
2077                         case SSL_ERROR_WANT_WRITE:
2078                         case SSL_ERROR_WANT_READ:
2079                         case SSL_ERROR_WANT_X509_LOOKUP:
2080                                 continue;
2081                         case SSL_ERROR_SYSCALL:
2082                         case SSL_ERROR_SSL:
2083                         case SSL_ERROR_ZERO_RETURN:
2084                                 ret=1;
2085                                 goto err;
2086                                 /* break; */
2087                                 }
2088
2089                         SSL_renegotiate(con);
2090                         SSL_write(con,NULL,0);
2091                         }
2092
2093                 i=BIO_gets(io,buf,bufsize-1);
2094                 if (i < 0) /* error */
2095                         {
2096                         if (!BIO_should_retry(io))
2097                                 {
2098                                 if (!s_quiet)
2099                                         ERR_print_errors(bio_err);
2100                                 goto err;
2101                                 }
2102                         else
2103                                 {
2104                                 BIO_printf(bio_s_out,"read R BLOCK\n");
2105 #if defined(OPENSSL_SYS_NETWARE)
2106             delay(1000);
2107 #elif !defined(OPENSSL_SYS_MSDOS) && !defined(__DJGPP__)
2108                                 sleep(1);
2109 #endif
2110                                 continue;
2111                                 }
2112                         }
2113                 else if (i == 0) /* end of input */
2114                         {
2115                         ret=1;
2116                         goto end;
2117                         }
2118
2119                 /* else we have data */
2120                 if (    ((www == 1) && (strncmp("GET ",buf,4) == 0)) ||
2121                         ((www == 2) && (strncmp("GET /stats ",buf,10) == 0)))
2122                         {
2123                         char *p;
2124                         X509 *peer;
2125                         STACK_OF(SSL_CIPHER) *sk;
2126                         static const char *space="                          ";
2127
2128                         BIO_puts(io,"HTTP/1.0 200 ok\r\nContent-type: text/html\r\n\r\n");
2129                         BIO_puts(io,"<HTML><BODY BGCOLOR=\"#ffffff\">\n");
2130                         BIO_puts(io,"<pre>\n");
2131 /*                      BIO_puts(io,SSLeay_version(SSLEAY_VERSION));*/
2132                         BIO_puts(io,"\n");
2133                         for (i=0; i<local_argc; i++)
2134                                 {
2135                                 BIO_puts(io,local_argv[i]);
2136                                 BIO_write(io," ",1);
2137                                 }
2138                         BIO_puts(io,"\n");
2139
2140                         /* The following is evil and should not really
2141                          * be done */
2142                         BIO_printf(io,"Ciphers supported in s_server binary\n");
2143                         sk=SSL_get_ciphers(con);
2144                         j=sk_SSL_CIPHER_num(sk);
2145                         for (i=0; i<j; i++)
2146                                 {
2147                                 c=sk_SSL_CIPHER_value(sk,i);
2148                                 BIO_printf(io,"%-11s:%-25s",
2149                                         SSL_CIPHER_get_version(c),
2150                                         SSL_CIPHER_get_name(c));
2151                                 if ((((i+1)%2) == 0) && (i+1 != j))
2152                                         BIO_puts(io,"\n");
2153                                 }
2154                         BIO_puts(io,"\n");
2155                         p=SSL_get_shared_ciphers(con,buf,bufsize);
2156                         if (p != NULL)
2157                                 {
2158                                 BIO_printf(io,"---\nCiphers common between both SSL end points:\n");
2159                                 j=i=0;
2160                                 while (*p)
2161                                         {
2162                                         if (*p == ':')
2163                                                 {
2164                                                 BIO_write(io,space,26-j);
2165                                                 i++;
2166                                                 j=0;
2167                                                 BIO_write(io,((i%3)?" ":"\n"),1);
2168                                                 }
2169                                         else
2170                                                 {
2171                                                 BIO_write(io,p,1);
2172                                                 j++;
2173                                                 }
2174                                         p++;
2175                                         }
2176                                 BIO_puts(io,"\n");
2177                                 }
2178                         BIO_printf(io,((con->hit)
2179                                 ?"---\nReused, "
2180                                 :"---\nNew, "));
2181                         c=SSL_get_current_cipher(con);
2182                         BIO_printf(io,"%s, Cipher is %s\n",
2183                                 SSL_CIPHER_get_version(c),
2184                                 SSL_CIPHER_get_name(c));
2185                         SSL_SESSION_print(io,SSL_get_session(con));
2186                         BIO_printf(io,"---\n");
2187                         print_stats(io,SSL_get_SSL_CTX(con));
2188                         BIO_printf(io,"---\n");
2189                         peer=SSL_get_peer_certificate(con);
2190                         if (peer != NULL)
2191                                 {
2192                                 BIO_printf(io,"Client certificate\n");
2193                                 X509_print(io,peer);
2194                                 PEM_write_bio_X509(io,peer);
2195                                 }
2196                         else
2197                                 BIO_puts(io,"no client certificate available\n");
2198                         BIO_puts(io,"</BODY></HTML>\r\n\r\n");
2199                         break;
2200                         }
2201                 else if ((www == 2 || www == 3)
2202                          && (strncmp("GET /",buf,5) == 0))
2203                         {
2204                         BIO *file;
2205                         char *p,*e;
2206                         static const char *text="HTTP/1.0 200 ok\r\nContent-type: text/plain\r\n\r\n";
2207
2208                         /* skip the '/' */
2209                         p= &(buf[5]);
2210
2211                         dot = 1;
2212                         for (e=p; *e != '\0'; e++)
2213                                 {
2214                                 if (e[0] == ' ')
2215                                         break;
2216
2217                                 switch (dot)
2218                                         {
2219                                 case 1:
2220                                         dot = (e[0] == '.') ? 2 : 0;
2221                                         break;
2222                                 case 2:
2223                                         dot = (e[0] == '.') ? 3 : 0;
2224                                         break;
2225                                 case 3:
2226                                         dot = (e[0] == '/') ? -1 : 0;
2227                                         break;
2228                                         }
2229                                 if (dot == 0)
2230                                         dot = (e[0] == '/') ? 1 : 0;
2231                                 }
2232                         dot = (dot == 3) || (dot == -1); /* filename contains ".." component */
2233
2234                         if (*e == '\0')
2235                                 {
2236                                 BIO_puts(io,text);
2237                                 BIO_printf(io,"'%s' is an invalid file name\r\n",p);
2238                                 break;
2239                                 }
2240                         *e='\0';
2241
2242                         if (dot)
2243                                 {
2244                                 BIO_puts(io,text);
2245                                 BIO_printf(io,"'%s' contains '..' reference\r\n",p);
2246                                 break;
2247                                 }
2248
2249                         if (*p == '/')
2250                                 {
2251                                 BIO_puts(io,text);
2252                                 BIO_printf(io,"'%s' is an invalid path\r\n",p);
2253                                 break;
2254                                 }
2255
2256 #if 0
2257                         /* append if a directory lookup */
2258                         if (e[-1] == '/')
2259                                 strcat(p,"index.html");
2260 #endif
2261
2262                         /* if a directory, do the index thang */
2263                         if (app_isdir(p)>0)
2264                                 {
2265 #if 0 /* must check buffer size */
2266                                 strcat(p,"/index.html");
2267 #else
2268                                 BIO_puts(io,text);
2269                                 BIO_printf(io,"'%s' is a directory\r\n",p);
2270                                 break;
2271 #endif
2272                                 }
2273
2274                         if ((file=BIO_new_file(p,"r")) == NULL)
2275                                 {
2276                                 BIO_puts(io,text);
2277                                 BIO_printf(io,"Error opening '%s'\r\n",p);
2278                                 ERR_print_errors(io);
2279                                 break;
2280                                 }
2281
2282                         if (!s_quiet)
2283                                 BIO_printf(bio_err,"FILE:%s\n",p);
2284
2285                         if (www == 2)
2286                                 {
2287                                 i=strlen(p);
2288                                 if (    ((i > 5) && (strcmp(&(p[i-5]),".html") == 0)) ||
2289                                         ((i > 4) && (strcmp(&(p[i-4]),".php") == 0)) ||
2290                                         ((i > 4) && (strcmp(&(p[i-4]),".htm") == 0)))
2291                                         BIO_puts(io,"HTTP/1.0 200 ok\r\nContent-type: text/html\r\n\r\n");
2292                                 else
2293                                         BIO_puts(io,"HTTP/1.0 200 ok\r\nContent-type: text/plain\r\n\r\n");
2294                                 }
2295                         /* send the file */
2296                         total_bytes=0;
2297                         for (;;)
2298                                 {
2299                                 i=BIO_read(file,buf,bufsize);
2300                                 if (i <= 0) break;
2301
2302 #ifdef RENEG
2303                                 total_bytes+=i;
2304                                 fprintf(stderr,"%d\n",i);
2305                                 if (total_bytes > 3*1024)
2306                                         {
2307                                         total_bytes=0;
2308                                         fprintf(stderr,"RENEGOTIATE\n");
2309                                         SSL_renegotiate(con);
2310                                         }
2311 #endif
2312
2313                                 for (j=0; j<i; )
2314                                         {
2315 #ifdef RENEG
2316 { static count=0; if (++count == 13) { SSL_renegotiate(con); } }
2317 #endif
2318                                         k=BIO_write(io,&(buf[j]),i-j);
2319                                         if (k <= 0)
2320                                                 {
2321                                                 if (!BIO_should_retry(io))
2322                                                         goto write_error;
2323                                                 else
2324                                                         {
2325                                                         BIO_printf(bio_s_out,"rwrite W BLOCK\n");
2326                                                         }
2327                                                 }
2328                                         else
2329                                                 {
2330                                                 j+=k;
2331                                                 }
2332                                         }
2333                                 }
2334 write_error:
2335                         BIO_free(file);
2336                         break;
2337                         }
2338                 }
2339
2340         for (;;)
2341                 {
2342                 i=(int)BIO_flush(io);
2343                 if (i <= 0)
2344                         {
2345                         if (!BIO_should_retry(io))
2346                                 break;
2347                         }
2348                 else
2349                         break;
2350                 }
2351 end:
2352 #if 1
2353         /* make sure we re-use sessions */
2354         SSL_set_shutdown(con,SSL_SENT_SHUTDOWN|SSL_RECEIVED_SHUTDOWN);
2355 #else
2356         /* This kills performance */
2357 /*      SSL_shutdown(con); A shutdown gets sent in the
2358  *      BIO_free_all(io) procession */
2359 #endif
2360
2361 err:
2362
2363         if (ret >= 0)
2364                 BIO_printf(bio_s_out,"ACCEPT\n");
2365
2366         if (buf != NULL) OPENSSL_free(buf);
2367         if (io != NULL) BIO_free_all(io);
2368 /*      if (ssl_bio != NULL) BIO_free(ssl_bio);*/
2369         return(ret);
2370         }
2371
2372 #ifndef OPENSSL_NO_RSA
2373 static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength)
2374         {
2375         BIGNUM *bn = NULL;
2376         static RSA *rsa_tmp=NULL;
2377
2378         if (!rsa_tmp && ((bn = BN_new()) == NULL))
2379                 BIO_printf(bio_err,"Allocation error in generating RSA key\n");
2380         if (!rsa_tmp && bn)
2381                 {
2382                 if (!s_quiet)
2383                         {
2384                         BIO_printf(bio_err,"Generating temp (%d bit) RSA key...",keylength);
2385                         (void)BIO_flush(bio_err);
2386                         }
2387                 if(!BN_set_word(bn, RSA_F4) || ((rsa_tmp = RSA_new()) == NULL) ||
2388                                 !RSA_generate_key_ex(rsa_tmp, keylength, bn, NULL))
2389                         {
2390                         if(rsa_tmp) RSA_free(rsa_tmp);
2391                         rsa_tmp = NULL;
2392                         }
2393                 if (!s_quiet)
2394                         {
2395                         BIO_printf(bio_err,"\n");
2396                         (void)BIO_flush(bio_err);
2397                         }
2398                 BN_free(bn);
2399                 }
2400         return(rsa_tmp);
2401         }
2402 #endif
2403
2404 #define MAX_SESSION_ID_ATTEMPTS 10
2405 static int generate_session_id(const SSL *ssl, unsigned char *id,
2406                                 unsigned int *id_len)
2407         {
2408         unsigned int count = 0;
2409         do      {
2410                 RAND_pseudo_bytes(id, *id_len);
2411                 /* Prefix the session_id with the required prefix. NB: If our
2412                  * prefix is too long, clip it - but there will be worse effects
2413                  * anyway, eg. the server could only possibly create 1 session
2414                  * ID (ie. the prefix!) so all future session negotiations will
2415                  * fail due to conflicts. */
2416                 memcpy(id, session_id_prefix,
2417                         (strlen(session_id_prefix) < *id_len) ?
2418                         strlen(session_id_prefix) : *id_len);
2419                 }
2420         while(SSL_has_matching_session_id(ssl, id, *id_len) &&
2421                 (++count < MAX_SESSION_ID_ATTEMPTS));
2422         if(count >= MAX_SESSION_ID_ATTEMPTS)
2423                 return 0;
2424         return 1;
2425         }