Demo of use of errors in applications.
[openssl.git] / apps / s_server.c
index f9e33e7..cb68b2c 100644 (file)
@@ -205,9 +205,9 @@ typedef unsigned int u_int;
 static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength);
 #endif
 static int not_resumable_sess_cb(SSL *s, int is_forward_secure);
-static int sv_body(char *hostname, int s, unsigned char *context);
-static int www_body(char *hostname, int s, unsigned char *context);
-static int rev_body(char *hostname, int s, unsigned char *context);
+static int sv_body(char *hostname, int s, int stype, unsigned char *context);
+static int www_body(char *hostname, int s, int stype, unsigned char *context);
+static int rev_body(char *hostname, int s, int stype, unsigned char *context);
 static void close_accept_socket(void );
 static void sv_usage(void);
 static int init_ssl_connection(SSL *s);
@@ -216,9 +216,6 @@ static int generate_session_id(const SSL *ssl, unsigned char *id,
                                unsigned int *id_len);
 static void init_session_cache_ctx(SSL_CTX *sctx);
 static void free_sessions(void);
-static int ssl_load_stores(SSL_CTX *sctx,
-                       const char *vfyCApath, const char *vfyCAfile,
-                       const char *chCApath, const char *chCAfile);
 #ifndef OPENSSL_NO_DH
 static DH *load_dh_param(const char *dhfile);
 static DH *get_dh512(void);
@@ -228,6 +225,20 @@ static DH *get_dh512(void);
 static void s_server_init(void);
 #endif
 
+#ifndef OPENSSL_NO_TLSEXT
+
+static const unsigned char auth_ext_data[]={TLSEXT_AUTHZDATAFORMAT_dtcp};
+
+static unsigned char *generated_supp_data = NULL;
+
+static const unsigned char *most_recent_supplemental_data = NULL;
+static size_t most_recent_supplemental_data_length = 0;
+
+static int client_provided_server_authz = 0;
+static int client_provided_client_authz = 0;
+
+#endif
+
 #ifndef OPENSSL_NO_DH
 static unsigned char dh512_p[]={
        0xDA,0x58,0x3C,0x16,0xD9,0x85,0x22,0x89,0xD0,0xE4,0xAF,0x75,
@@ -319,8 +330,29 @@ static int cert_chain = 0;
 #endif
 
 #ifndef OPENSSL_NO_TLSEXT
-static BIO *authz_in = NULL;
-static const char *s_authz_file = NULL;
+static int suppdata_cb(SSL *s, unsigned short supp_data_type,
+                      const unsigned char *in,
+                      unsigned short inlen, int *al,
+                      void *arg);
+
+static int auth_suppdata_generate_cb(SSL *s, unsigned short supp_data_type,
+                                    const unsigned char **out,
+                                    unsigned short *outlen, void *arg);
+
+static int authz_tlsext_generate_cb(SSL *s, unsigned short ext_type,
+                                   const unsigned char **out, unsigned short *outlen,
+                                   void *arg);
+
+static int authz_tlsext_cb(SSL *s, unsigned short ext_type,
+                          const unsigned char *in,
+                          unsigned short inlen, int *al,
+                          void *arg);
+
+static BIO *serverinfo_in = NULL;
+static const char *s_serverinfo_file = NULL;
+
+static int c_auth = 0;
+static int c_auth_require_reneg = 0;
 #endif
 
 #ifndef OPENSSL_NO_PSK
@@ -476,15 +508,17 @@ static void sv_usage(void)
        BIO_printf(bio_err,"usage: s_server [args ...]\n");
        BIO_printf(bio_err,"\n");
        BIO_printf(bio_err," -accept arg   - port to accept on (default is %d)\n",PORT);
-       BIO_printf(bio_err," -checkhost host - check peer certificate matches \"host\"\n");
-       BIO_printf(bio_err," -checkemail email - check peer certificate matches \"email\"\n");
-       BIO_printf(bio_err," -checkip ipaddr - check peer certificate matches \"ipaddr\"\n");
        BIO_printf(bio_err," -context arg  - set session ID context\n");
        BIO_printf(bio_err," -verify arg   - turn on peer certificate verification\n");
        BIO_printf(bio_err," -Verify arg   - turn on peer certificate verification, must have a cert.\n");
        BIO_printf(bio_err," -cert arg     - certificate file to use\n");
        BIO_printf(bio_err,"                 (default is %s)\n",TEST_CERT);
-       BIO_printf(bio_err," -authz arg   -  binary authz file for certificate\n");
+#ifndef OPENSSL_NO_TLSEXT
+       BIO_printf(bio_err," -serverinfo arg - PEM serverinfo file for certificate\n");
+       BIO_printf(bio_err," -auth               - send and receive RFC 5878 TLS auth extensions and supplemental data\n");
+       BIO_printf(bio_err," -auth_require_reneg - Do not send TLS auth extensions until renegotiation\n");
+#endif
+    BIO_printf(bio_err," -no_resumption_on_reneg - set SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION flag\n");
        BIO_printf(bio_err," -crl_check    - check the peer certificate has not been revoked by its CA.\n" \
                           "                 The CRL(s) are appended to the certificate file\n");
        BIO_printf(bio_err," -crl_check_all - check the peer certificate has not been revoked by its CA\n" \
@@ -539,6 +573,7 @@ static void sv_usage(void)
        BIO_printf(bio_err," -tls1_1       - Just talk TLSv1.1\n");
        BIO_printf(bio_err," -tls1         - Just talk TLSv1\n");
        BIO_printf(bio_err," -dtls1        - Just talk DTLSv1\n");
+       BIO_printf(bio_err," -dtls1_2      - Just talk DTLSv1.2\n");
        BIO_printf(bio_err," -timeout      - Enable timeouts\n");
        BIO_printf(bio_err," -mtu          - Set link layer MTU\n");
        BIO_printf(bio_err," -chain        - Read a certificate chain\n");
@@ -578,6 +613,7 @@ static void sv_usage(void)
        BIO_printf(bio_err," -nextprotoneg arg - set the advertised protocols for the NPN extension (comma-separated list)\n");
 # endif
         BIO_printf(bio_err," -use_srtp profiles - Offer SRTP key management with a colon-separated profile list\n");
+       BIO_printf(bio_err," -alpn arg  - set the advertised protocols for the ALPN extension (comma-separated list)\n");
 #endif
        BIO_printf(bio_err," -keymatexport label   - Export keying material using label\n");
        BIO_printf(bio_err," -keymatexportlen len  - Export len bytes of keying material (default 20)\n");
@@ -932,7 +968,48 @@ static int next_proto_cb(SSL *s, const unsigned char **data, unsigned int *len,
        return SSL_TLSEXT_ERR_OK;
        }
 # endif  /* ndef OPENSSL_NO_NEXTPROTONEG */
-#endif
+
+/* This the context that we pass to alpn_cb */
+typedef struct tlsextalpnctx_st {
+       unsigned char *data;
+       unsigned short len;
+} tlsextalpnctx;
+
+static int alpn_cb(SSL *s, const unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg)
+       {
+       tlsextalpnctx *alpn_ctx = arg;
+
+       if (!s_quiet)
+               {
+               /* We can assume that |in| is syntactically valid. */
+               unsigned i;
+               BIO_printf(bio_s_out, "ALPN protocols advertised by the client: ");
+               for (i = 0; i < inlen; )
+                       {
+                       if (i)
+                               BIO_write(bio_s_out, ", ", 2);
+                       BIO_write(bio_s_out, &in[i + 1], in[i]);
+                       i += in[i] + 1;
+                       }
+               BIO_write(bio_s_out, "\n", 1);
+               }
+
+       if (SSL_select_next_proto((unsigned char**) out, outlen, alpn_ctx->data, alpn_ctx->len, in, inlen) !=
+           OPENSSL_NPN_NEGOTIATED)
+               {
+               return SSL_TLSEXT_ERR_NOACK;
+               }
+
+       if (!s_quiet)
+               {
+               BIO_printf(bio_s_out, "ALPN protocols selected: ");
+               BIO_write(bio_s_out, *out, *outlen);
+               BIO_write(bio_s_out, "\n", 1);
+               }
+
+       return SSL_TLSEXT_ERR_OK;
+       }
+#endif  /* ndef OPENSSL_NO_TLSEXT */
 
 static int not_resumable_sess_cb(SSL *s, int is_forward_secure)
        {
@@ -944,14 +1021,14 @@ int MAIN(int, char **);
 
 #ifndef OPENSSL_NO_JPAKE
 static char *jpake_secret = NULL;
+#define no_jpake !jpake_secret
+#else
+#define no_jpake 1
 #endif
 #ifndef OPENSSL_NO_SRP
        static srpsrvparm srp_callback_parm;
 #endif
 static char *srtp_profiles = NULL;
-static unsigned char *checkhost = NULL, *checkemail = NULL;
-static char *checkip = NULL;
-
 
 int MAIN(int argc, char *argv[])
        {
@@ -981,14 +1058,17 @@ int MAIN(int argc, char *argv[])
        EVP_PKEY *s_key = NULL, *s_dkey = NULL;
        int no_cache = 0, ext_cache = 0;
        int rev = 0, naccept = -1;
+       int c_no_resumption_on_reneg = 0;
 #ifndef OPENSSL_NO_TLSEXT
        EVP_PKEY *s_key2 = NULL;
        X509 *s_cert2 = NULL;
         tlsextctx tlsextcbp = {NULL, NULL, SSL_TLSEXT_ERR_ALERT_WARNING};
 # ifndef OPENSSL_NO_NEXTPROTONEG
        const char *next_proto_neg_in = NULL;
-       tlsextnextprotoctx next_proto;
+       tlsextnextprotoctx next_proto = { NULL, 0};
 # endif
+       const char *alpn_in = NULL;
+       tlsextalpnctx alpn_ctx = { NULL, 0};
 #endif
 #ifndef OPENSSL_NO_PSK
        /* by default do not send a PSK identity hint */
@@ -1002,6 +1082,11 @@ int MAIN(int argc, char *argv[])
        SSL_CONF_CTX *cctx = NULL;
        STACK_OF(OPENSSL_STRING) *ssl_args = NULL;
 
+       char *crl_file = NULL;
+       int crl_format = FORMAT_PEM;
+       int crl_download = 0;
+       STACK_OF(X509_CRL) *crls = NULL;
+
        meth=SSLv23_server_method();
 
        local_argc=argc;
@@ -1022,6 +1107,7 @@ int MAIN(int argc, char *argv[])
        if (!cctx)
                goto end;
        SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_SERVER);
+       SSL_CONF_CTX_set_flags(cctx, SSL_CONF_FLAG_CMDLINE);
 
        verify_depth=0;
 #ifdef FIONBIO
@@ -1057,7 +1143,8 @@ int MAIN(int argc, char *argv[])
                        s_server_verify=SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE;
                        if (--argc < 1) goto bad;
                        verify_depth=atoi(*(++argv));
-                       BIO_printf(bio_err,"verify depth is %d\n",verify_depth);
+                       if (!s_quiet)
+                               BIO_printf(bio_err,"verify depth is %d\n",verify_depth);
                        }
                else if (strcmp(*argv,"-Verify") == 0)
                        {
@@ -1065,7 +1152,8 @@ int MAIN(int argc, char *argv[])
                                SSL_VERIFY_CLIENT_ONCE;
                        if (--argc < 1) goto bad;
                        verify_depth=atoi(*(++argv));
-                       BIO_printf(bio_err,"verify depth is %d, must return a certificate\n",verify_depth);
+                       if (!s_quiet)
+                               BIO_printf(bio_err,"verify depth is %d, must return a certificate\n",verify_depth);
                        }
                else if (strcmp(*argv,"-context") == 0)
                        {
@@ -1077,13 +1165,32 @@ int MAIN(int argc, char *argv[])
                        if (--argc < 1) goto bad;
                        s_cert_file= *(++argv);
                        }
+               else if (strcmp(*argv,"-CRL") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       crl_file= *(++argv);
+                       }
+               else if (strcmp(*argv,"-crl_download") == 0)
+                       crl_download = 1;
 #ifndef OPENSSL_NO_TLSEXT
-               else if (strcmp(*argv,"-authz") == 0)
+               else if (strcmp(*argv,"-serverinfo") == 0)
                        {
                        if (--argc < 1) goto bad;
-                       s_authz_file = *(++argv);
+                       s_serverinfo_file = *(++argv);
+                       }
+               else if (strcmp(*argv,"-auth") == 0)
+                       {
+                       c_auth = 1;
                        }
 #endif
+               else if (strcmp(*argv, "-no_resumption_on_reneg") == 0)
+                       {
+                       c_no_resumption_on_reneg = 1;
+                       }
+               else if (strcmp(*argv,"-auth_require_reneg") == 0)
+                       {
+                       c_auth_require_reneg = 1;
+                       }
                else if (strcmp(*argv,"-certform") == 0)
                        {
                        if (--argc < 1) goto bad;
@@ -1167,6 +1274,11 @@ int MAIN(int argc, char *argv[])
                        no_cache = 1;
                else if (strcmp(*argv,"-ext_cache") == 0)
                        ext_cache = 1;
+               else if (strcmp(*argv,"-CRLform") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       crl_format = str2fmt(*(++argv));
+                       }
                else if (args_verify(&argv, &argc, &badarg, bio_err, &vpm))
                        {
                        if (badarg)
@@ -1254,21 +1366,6 @@ int MAIN(int argc, char *argv[])
                                }
                        }
 #endif
-               else if (strcmp(*argv,"-checkhost") == 0)
-                       {
-                       if (--argc < 1) goto bad;
-                       checkhost=(unsigned char *)*(++argv);
-                       }
-               else if (strcmp(*argv,"-checkemail") == 0)
-                       {
-                       if (--argc < 1) goto bad;
-                       checkemail=(unsigned char *)*(++argv);
-                       }
-               else if (strcmp(*argv,"-checkip") == 0)
-                       {
-                       if (--argc < 1) goto bad;
-                       checkip=*(++argv);
-                       }
                else if (strcmp(*argv,"-msg") == 0)
                        { s_msg=1; }
                else if (strcmp(*argv,"-msgfile") == 0)
@@ -1362,11 +1459,21 @@ int MAIN(int argc, char *argv[])
                        { meth=TLSv1_2_server_method(); }
 #endif
 #ifndef OPENSSL_NO_DTLS1
+               else if (strcmp(*argv,"-dtls") == 0)
+                       { 
+                       meth=DTLS_server_method();
+                       socket_type = SOCK_DGRAM;
+                       }
                else if (strcmp(*argv,"-dtls1") == 0)
                        { 
                        meth=DTLSv1_server_method();
                        socket_type = SOCK_DGRAM;
                        }
+               else if (strcmp(*argv,"-dtls1_2") == 0)
+                       { 
+                       meth=DTLSv1_2_server_method();
+                       socket_type = SOCK_DGRAM;
+                       }
                else if (strcmp(*argv,"-timeout") == 0)
                        enable_timeouts = 1;
                else if (strcmp(*argv,"-mtu") == 0)
@@ -1419,6 +1526,11 @@ int MAIN(int argc, char *argv[])
                        next_proto_neg_in = *(++argv);
                        }
 # endif
+               else if (strcmp(*argv,"-alpn") == 0)
+                       {
+                       if (--argc < 1) goto bad;
+                       alpn_in = *(++argv);
+                       }
 #endif
 #if !defined(OPENSSL_NO_JPAKE) && !defined(OPENSSL_NO_PSK)
                else if (strcmp(*argv,"-jpake") == 0)
@@ -1469,14 +1581,7 @@ bad:
                        goto end;
                        }
                psk_identity = "JPAKE";
-               if (cipher)
-                       {
-                       BIO_printf(bio_err, "JPAKE sets cipher to PSK\n");
-                       goto end;
-                       }
-               cipher = "PSK";
                }
-
 #endif
 
        SSL_load_error_strings();
@@ -1552,7 +1657,8 @@ bad:
 #endif /* OPENSSL_NO_TLSEXT */
                }
 
-#if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG) 
+#if !defined(OPENSSL_NO_TLSEXT)
+# if !defined(OPENSSL_NO_NEXTPROTONEG) 
        if (next_proto_neg_in)
                {
                unsigned short len;
@@ -1565,8 +1671,38 @@ bad:
                {
                next_proto.data = NULL;
                }
+# endif
+       alpn_ctx.data = NULL;
+       if (alpn_in)
+               {
+               unsigned short len;
+               alpn_ctx.data = next_protos_parse(&len, alpn_in);
+               if (alpn_ctx.data == NULL)
+                       goto end;
+               alpn_ctx.len = len;
+               }
 #endif
 
+       if (crl_file)
+               {
+               X509_CRL *crl;
+               crl = load_crl(crl_file, crl_format);
+               if (!crl)
+                       {
+                       BIO_puts(bio_err, "Error loading CRL\n");
+                       ERR_print_errors(bio_err);
+                       goto end;
+                       }
+               crls = sk_X509_CRL_new_null();
+               if (!crls || !sk_X509_CRL_push(crls, crl))
+                       {
+                       BIO_puts(bio_err, "Error adding CRL\n");
+                       ERR_print_errors(bio_err);
+                       X509_CRL_free(crl);
+                       goto end;
+                       }
+               }
+
 
        if (s_dcert_file)
                {
@@ -1702,10 +1838,12 @@ bad:
        if (vpm)
                SSL_CTX_set1_param(ctx, vpm);
 
-       if (!args_ssl_call(ctx, bio_err, cctx, ssl_args, no_ecdhe))
+       ssl_ctx_add_crls(ctx, crls, 0);
+       if (!args_ssl_call(ctx, bio_err, cctx, ssl_args, no_ecdhe, no_jpake))
                goto end;
 
-       if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile))
+       if (!ssl_load_stores(ctx, vfyCApath, vfyCAfile, chCApath, chCAfile,
+                                               crls, crl_download))
                {
                BIO_printf(bio_err, "Error loading store locations\n");
                ERR_print_errors(bio_err);
@@ -1768,7 +1906,8 @@ bad:
                if (vpm)
                        SSL_CTX_set1_param(ctx2, vpm);
 
-               if (!args_ssl_call(ctx2, bio_err, cctx, ssl_args, no_ecdhe))
+               ssl_ctx_add_crls(ctx2, crls, 0);
+               if (!args_ssl_call(ctx2, bio_err, cctx, ssl_args, no_ecdhe, no_jpake))
                        goto end;
                }
 
@@ -1776,6 +1915,8 @@ bad:
        if (next_proto.data)
                SSL_CTX_set_next_protos_advertised_cb(ctx, next_proto_cb, &next_proto);
 # endif
+       if (alpn_ctx.data)
+               SSL_CTX_set_alpn_select_cb(ctx, alpn_cb, &alpn_ctx);
 #endif 
 
 #ifndef OPENSSL_NO_DH
@@ -1822,11 +1963,23 @@ bad:
                }
 #endif
 
+       if (c_no_resumption_on_reneg)
+               SSL_CTX_set_options(ctx, SSL_OP_NO_SESSION_RESUMPTION_ON_RENEGOTIATION);
        if (!set_cert_key_stuff(ctx, s_cert, s_key, s_chain, build_chain))
                goto end;
 #ifndef OPENSSL_NO_TLSEXT
-       if (s_authz_file != NULL && !SSL_CTX_use_authz_file(ctx, s_authz_file))
+       if (s_serverinfo_file != NULL
+           && !SSL_CTX_use_serverinfo_file(ctx, s_serverinfo_file))
+               {
+               ERR_print_errors(bio_err);
                goto end;
+               }
+       if (c_auth)
+               {
+               SSL_CTX_set_custom_srv_ext(ctx, TLSEXT_TYPE_client_authz, authz_tlsext_cb, authz_tlsext_generate_cb, bio_err);
+               SSL_CTX_set_custom_srv_ext(ctx, TLSEXT_TYPE_server_authz, authz_tlsext_cb, authz_tlsext_generate_cb, bio_err);
+               SSL_CTX_set_srv_supp_data(ctx, TLSEXT_SUPPLEMENTALDATATYPE_authz_data, auth_suppdata_generate_cb, suppdata_cb, bio_err);
+               }
 #endif
 #ifndef OPENSSL_NO_TLSEXT
        if (ctx2 && !set_cert_key_stuff(ctx2,s_cert2,s_key2, NULL, build_chain))
@@ -1973,6 +2126,8 @@ end:
        if (ctx != NULL) SSL_CTX_free(ctx);
        if (s_cert)
                X509_free(s_cert);
+       if (crls)
+               sk_X509_CRL_pop_free(crls, X509_CRL_free);
        if (s_dcert)
                X509_free(s_dcert);
        if (s_key)
@@ -2002,17 +2157,27 @@ end:
                X509_free(s_cert2);
        if (s_key2)
                EVP_PKEY_free(s_key2);
-       if (authz_in != NULL)
-               BIO_free(authz_in);
+       if (serverinfo_in != NULL)
+               BIO_free(serverinfo_in);
+# ifndef OPENSSL_NO_NEXTPROTONEG
+       if (next_proto.data)
+               OPENSSL_free(next_proto.data);
+# endif
+       if (alpn_ctx.data)
+               OPENSSL_free(alpn_ctx.data);
 #endif
        ssl_excert_free(exc);
        if (ssl_args)
                sk_OPENSSL_STRING_free(ssl_args);
        if (cctx)
                SSL_CONF_CTX_free(cctx);
+#ifndef OPENSSL_NO_JPAKE
+       if (jpake_secret && psk_key)
+               OPENSSL_free(psk_key);
+#endif
        if (bio_s_out != NULL)
                {
-        BIO_free(bio_s_out);
+               BIO_free(bio_s_out);
                bio_s_out=NULL;
                }
        if (bio_s_msg != NULL)
@@ -2049,7 +2214,7 @@ static void print_stats(BIO *bio, SSL_CTX *ssl_ctx)
                SSL_CTX_sess_get_cache_size(ssl_ctx));
        }
 
-static int sv_body(char *hostname, int s, unsigned char *context)
+static int sv_body(char *hostname, int s, int stype, unsigned char *context)
        {
        char *buf=NULL;
        fd_set readfds;
@@ -2119,7 +2284,7 @@ static int sv_body(char *hostname, int s, unsigned char *context)
 #endif
 #endif
 
-       if (SSL_version(con) == DTLS1_VERSION)
+       if (stype == SOCK_DGRAM)
                {
 
                sbio=BIO_new_dgram(s,BIO_NOCLOSE);
@@ -2246,7 +2411,7 @@ static int sv_body(char *hostname, int s, unsigned char *context)
 
                        if ((SSL_version(con) == DTLS1_VERSION) && DTLSv1_handle_timeout(con) > 0)
                                {
-                               BIO_printf(bio_err,"TIMEOUT occured\n");
+                               BIO_printf(bio_err,"TIMEOUT occurred\n");
                                }
 
                        if (i <= 0) continue;
@@ -2503,6 +2668,15 @@ static int init_ssl_connection(SSL *con)
 
 
        i=SSL_accept(con);
+#ifdef CERT_CB_TEST_RETRY
+       {
+       while (i <= 0 && SSL_get_error(con,i) == SSL_ERROR_WANT_X509_LOOKUP && SSL_state(con) == SSL3_ST_SR_CLNT_HELLO_C) 
+               {
+               fprintf(stderr, "LOOKUP from certificate callback during accept\n");
+               i=SSL_accept(con);
+               }
+       }
+#endif
 #ifndef OPENSSL_NO_SRP
        while (i <= 0 &&  SSL_get_error(con,i) == SSL_ERROR_WANT_X509_LOOKUP) 
                {
@@ -2515,6 +2689,13 @@ static int init_ssl_connection(SSL *con)
                        i=SSL_accept(con);
                }
 #endif
+       /*handshake is complete - free the generated supp data allocated in the callback */
+       if (generated_supp_data)
+               {
+        OPENSSL_free(generated_supp_data);
+               generated_supp_data = NULL;
+               }
+
        if (i <= 0)
                {
                if (BIO_sock_should_retry(i))
@@ -2538,8 +2719,6 @@ static int init_ssl_connection(SSL *con)
        if (s_brief)
                print_ssl_summary(bio_err, con);
 
-       print_ssl_cert_checks(bio_err, con, checkhost, checkemail, checkip);
-
        PEM_write_bio_SSL_SESSION(bio_s_out,SSL_get_session(con));
 
        peer=SSL_get_peer_certificate(con);
@@ -2558,8 +2737,10 @@ static int init_ssl_connection(SSL *con)
                BIO_printf(bio_s_out,"Shared ciphers:%s\n",buf);
        str=SSL_CIPHER_get_name(SSL_get_current_cipher(con));
        ssl_print_sigalgs(bio_s_out, con);
+#ifndef OPENSSL_NO_EC
        ssl_print_point_formats(bio_s_out, con);
        ssl_print_curves(bio_s_out, con, 0);
+#endif
        BIO_printf(bio_s_out,"CIPHER is %s\n",(str != NULL)?str:"(NONE)");
 
 #if !defined(OPENSSL_NO_TLSEXT) && !defined(OPENSSL_NO_NEXTPROTONEG)
@@ -2662,7 +2843,7 @@ static int load_CA(SSL_CTX *ctx, char *file)
        }
 #endif
 
-static int www_body(char *hostname, int s, unsigned char *context)
+static int www_body(char *hostname, int s, int stype, unsigned char *context)
        {
        char *buf=NULL;
        int ret=1;
@@ -2902,7 +3083,9 @@ static int www_body(char *hostname, int s, unsigned char *context)
                                BIO_puts(io,"\n");
                                }
                        ssl_print_sigalgs(io, con);
+#ifndef OPENSSL_NO_EC
                        ssl_print_curves(io, con, 0);
+#endif
                        BIO_printf(io,(SSL_cache_hit(con)
                                ?"---\nReused, "
                                :"---\nNew, "));
@@ -3096,7 +3279,7 @@ err:
        return(ret);
        }
 
-static int rev_body(char *hostname, int s, unsigned char *context)
+static int rev_body(char *hostname, int s, int stype, unsigned char *context)
        {
        char *buf=NULL;
        int i;
@@ -3400,41 +3583,76 @@ static void free_sessions(void)
        first = NULL;
        }
 
-static int ssl_load_stores(SSL_CTX *sctx,
-                       const char *vfyCApath, const char *vfyCAfile,
-                       const char *chCApath, const char *chCAfile)
+#ifndef OPENSSL_NO_TLSEXT
+static int authz_tlsext_cb(SSL *s, unsigned short ext_type,
+                          const unsigned char *in,
+                          unsigned short inlen, int *al,
+                          void *arg)
+       {
+       if (TLSEXT_TYPE_server_authz == ext_type)
+               client_provided_server_authz
+                 = memchr(in,  TLSEXT_AUTHZDATAFORMAT_dtcp, inlen) != NULL;
+
+       if (TLSEXT_TYPE_client_authz == ext_type)
+               client_provided_client_authz
+                 = memchr(in, TLSEXT_AUTHZDATAFORMAT_dtcp, inlen) != NULL;
+
+       return 1;
+       }
+
+static int authz_tlsext_generate_cb(SSL *s, unsigned short ext_type,
+                                   const unsigned char **out, unsigned short *outlen,
+                                   void *arg)
        {
-       X509_STORE *vfy = NULL, *ch = NULL;
-       int rv = 0;
-       if (vfyCApath || vfyCAfile)
+       if (c_auth && client_provided_client_authz && client_provided_server_authz)
                {
-               vfy = X509_STORE_new();
-               if (!X509_STORE_load_locations(vfy, vfyCAfile, vfyCApath))
-                       goto err;
-               SSL_CTX_set1_verify_cert_store(ctx, vfy);
+               /*if auth_require_reneg flag is set, only send extensions if
+                 renegotiation has occurred */
+               if (!c_auth_require_reneg
+                   || (c_auth_require_reneg && SSL_num_renegotiations(s)))
+                       {
+                       *out = auth_ext_data;
+                       *outlen = 1;
+                       return 1;
+                       }
                }
-       if (chCApath || chCAfile)
+       /* no auth extension to send */
+       return -1;
+       }
+
+static int suppdata_cb(SSL *s, unsigned short supp_data_type,
+                      const unsigned char *in,
+                      unsigned short inlen, int *al,
+                      void *arg)
+       {
+       if (supp_data_type == TLSEXT_SUPPLEMENTALDATATYPE_authz_data)
                {
-               ch = X509_STORE_new();
-               if (!X509_STORE_load_locations(ch, chCAfile, chCApath))
-                       goto err;
-               /*X509_STORE_set_verify_cb(ch, verify_callback);*/
-               SSL_CTX_set1_chain_cert_store(ctx, ch);
+               most_recent_supplemental_data = in;
+               most_recent_supplemental_data_length = inlen;
                }
-       rv = 1;
-       err:
-       if (vfy)
-               X509_STORE_free(vfy);
-       if (ch)
-               X509_STORE_free(ch);
-       return rv;
+       return 1;
        }
 
-
-
-
-
-
-       
-
+static int auth_suppdata_generate_cb(SSL *s, unsigned short supp_data_type,
+                                    const unsigned char **out,
+                                    unsigned short *outlen, void *arg)
+       {
+       if (c_auth && client_provided_client_authz && client_provided_server_authz)
+               {
+               /*if auth_require_reneg flag is set, only send supplemental data if
+                 renegotiation has occurred */
+               if (!c_auth_require_reneg
+                   || (c_auth_require_reneg && SSL_num_renegotiations(s)))
+                       {
+                       generated_supp_data = OPENSSL_malloc(10);
+                       memcpy(generated_supp_data, "1234512345", 10);
+                       *out = generated_supp_data;
+                       *outlen = 10;
+                       return 1;
+                       }
+               }
+       /* no supplemental data to send */
+       return -1;
+       }
+#endif