../deps/openssl/openssl/apps/s

Bug Summary

File:	out/../deps/openssl/openssl/apps/s_server.c
Warning:	line 2664, column 17 Although the value stored to 'k' is used in the enclosing expression, the value is never actually read from 'k'

Annotated Source Code

Press '?' to see keyboard shortcuts

Show analyzer invocation

clang -cc1 -cc1 -triple x86_64-unknown-linux-gnu -analyze -disable-free -clear-ast-before-backend -disable-llvm-verifier -discard-value-names -main-file-name s_server.c -analyzer-checker=core -analyzer-checker=apiModeling -analyzer-checker=unix -analyzer-checker=deadcode -analyzer-checker=security.insecureAPI.UncheckedReturn -analyzer-checker=security.insecureAPI.getpw -analyzer-checker=security.insecureAPI.gets -analyzer-checker=security.insecureAPI.mktemp -analyzer-checker=security.insecureAPI.mkstemp -analyzer-checker=security.insecureAPI.vfork -analyzer-checker=nullability.NullPassedToNonnull -analyzer-checker=nullability.NullReturnedFromNonnull -analyzer-output plist -w -setup-static-analyzer -mrelocation-model pic -pic-level 2 -pic-is-pie -mframe-pointer=all -fmath-errno -ffp-contract=on -fno-rounding-math -mconstructor-aliases -funwind-tables=2 -target-cpu x86-64 -tune-cpu generic -debugger-tuning=gdb -fcoverage-compilation-dir=/home/maurizio/node-v18.6.0/out -resource-dir /usr/local/lib/clang/16.0.0 -D V8_DEPRECATION_WARNINGS -D V8_IMMINENT_DEPRECATION_WARNINGS -D _GLIBCXX_USE_CXX11_ABI=1 -D NODE_OPENSSL_CONF_NAME=nodejs_conf -D NODE_OPENSSL_HAS_QUIC -D __STDC_FORMAT_MACROS -D OPENSSL_NO_PINSHARED -D OPENSSL_THREADS -D OPENSSL_API_COMPAT=0x10100001L -D NDEBUG -D OPENSSL_USE_NODELETE -D L_ENDIAN -D OPENSSL_BUILDING_OPENSSL -D AES_ASM -D BSAES_ASM -D CMLL_ASM -D ECP_NISTZ256_ASM -D GHASH_ASM -D KECCAK1600_ASM -D MD5_ASM -D OPENSSL_BN_ASM_GF2m -D OPENSSL_BN_ASM_MONT -D OPENSSL_BN_ASM_MONT5 -D OPENSSL_CPUID_OBJ -D OPENSSL_IA32_SSE2 -D PADLOCK_ASM -D POLY1305_ASM -D SHA1_ASM -D SHA256_ASM -D SHA512_ASM -D VPAES_ASM -D WHIRLPOOL_ASM -D X25519_ASM -D OPENSSL_PIC -D OPENSSLDIR="/etc/ssl" -D ENGINESDIR="/dev/null" -D TERMIOS -I ../deps/openssl/openssl/apps/include -I ../deps/openssl/openssl -I ../deps/openssl/openssl/include -I ../deps/openssl/openssl/crypto -I ../deps/openssl/openssl/crypto/include -I ../deps/openssl/openssl/crypto/modes -I ../deps/openssl/openssl/crypto/ec/curve448 -I ../deps/openssl/openssl/crypto/ec/curve448/arch_32 -I ../deps/openssl/openssl/providers/common/include -I ../deps/openssl/openssl/providers/implementations/include -I ../deps/openssl/config -I ../deps/openssl/config/archs/linux-x86_64/asm/include -I ../deps/openssl/openssl/include -I ../deps/openssl/openssl/crypto/include -I ../deps/openssl/config/archs/linux-x86_64/asm -internal-isystem /usr/local/lib/clang/16.0.0/include -internal-isystem /usr/local/include -internal-isystem /usr/lib/gcc/x86_64-redhat-linux/8/../../../../x86_64-redhat-linux/include -internal-externc-isystem /include -internal-externc-isystem /usr/include -O3 -Wno-unused-parameter -Wno-missing-field-initializers -Wno-old-style-declaration -fdebug-compilation-dir=/home/maurizio/node-v18.6.0/out -ferror-limit 19 -fgnuc-version=4.2.1 -vectorize-loops -vectorize-slp -analyzer-output=html -faddrsig -D__GCC_HAVE_DWARF2_CFI_ASM=1 -o /tmp/scan-build-2022-08-22-142216-507842-1 -x c ../deps/openssl/openssl/apps/s_server.c

1	/*
2	* Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved.
3	* Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
4	* Copyright 2005 Nokia. All rights reserved.
5	*
6	* Licensed under the Apache License 2.0 (the "License"). You may not use
7	* this file except in compliance with the License. You can obtain a copy
8	* in the file LICENSE in the source distribution or at
9	* https://www.openssl.org/source/license.html
10	*/
11
12	#include <ctype.h>
13	#include <stdio.h>
14	#include <stdlib.h>
15	#include <string.h>
16	#if defined(_WIN32)
17	/* Included before async.h to avoid some warnings */
18	# include <windows.h>
19	#endif
20
21	#include <openssl/e_os2.h>
22	#include <openssl/async.h>
23	#include <openssl/ssl.h>
24	#include <openssl/decoder.h>
25
26	#ifndef OPENSSL_NO_SOCK
27
28	/*
29	* With IPv6, it looks like Digital has mixed up the proper order of
30	* recursive header file inclusion, resulting in the compiler complaining
31	* that u_int isn't defined, but only if _POSIX_C_SOURCE is defined, which is
32	* needed to have fileno() declared correctly... So let's define u_int
33	*/
34	#if defined(OPENSSL_SYS_VMS_DECC) && !defined(__U_INT)
35	# define __U_INT
36	typedef unsigned int u_int;
37	#endif
38
39	#include <openssl/bn.h>
40	#include "apps.h"
41	#include "progs.h"
42	#include <openssl/err.h>
43	#include <openssl/pem.h>
44	#include <openssl/x509.h>
45	#include <openssl/ssl.h>
46	#include <openssl/rand.h>
47	#include <openssl/ocsp.h>
48	#ifndef OPENSSL_NO_DH
49	# include <openssl/dh.h>
50	#endif
51	#include <openssl/rsa.h>
52	#include "s_apps.h"
53	#include "timeouts.h"
54	#ifdef CHARSET_EBCDIC
55	#include <openssl/ebcdic.h>
56	#endif
57	#include "internal/sockets.h"
58
59	static int not_resumable_sess_cb(SSL *s, int is_forward_secure);
60	static int sv_body(int s, int stype, int prot, unsigned char *context);
61	static int www_body(int s, int stype, int prot, unsigned char *context);
62	static int rev_body(int s, int stype, int prot, unsigned char *context);
63	static void close_accept_socket(void);
64	static int init_ssl_connection(SSL *s);
65	static void print_stats(BIO bp, SSL_CTX ctx);
66	static int generate_session_id(SSL ssl, unsigned char id,
67	unsigned int *id_len);
68	static void init_session_cache_ctx(SSL_CTX *sctx);
69	static void free_sessions(void);
70	static void print_connection_info(SSL *con);
71
72	static const int bufsize = 16 * 1024;
73	static int accept_socket = -1;
74
75	#define TEST_CERT"server.pem" "server.pem"
76	#define TEST_CERT2"server2.pem" "server2.pem"
77
78	static int s_nbio = 0;
79	static int s_nbio_test = 0;
80	static int s_crlf = 0;
81	static SSL_CTX ctx = NULL((void)0);
82	static SSL_CTX ctx2 = NULL((void)0);
83	static int www = 0;
84
85	static BIO bio_s_out = NULL((void)0);
86	static BIO bio_s_msg = NULL((void)0);
87	static int s_debug = 0;
88	static int s_tlsextdebug = 0;
89	static int s_msg = 0;
90	static int s_quiet = 0;
91	static int s_ign_eof = 0;
92	static int s_brief = 0;
93
94	static char keymatexportlabel = NULL((void)0);
95	static int keymatexportlen = 20;
96
97	static int async = 0;
98
99	static int use_sendfile = 0;
100
101	static const char session_id_prefix = NULL((void)0);
102
103	#ifndef OPENSSL_NO_DTLS
104	static int enable_timeouts = 0;
105	static long socket_mtu;
106	#endif
107
108	/*
109	* We define this but make it always be 0 in no-dtls builds to simplify the
110	* code.
111	*/
112	static int dtlslisten = 0;
113	static int stateless = 0;
114
115	static int early_data = 0;
116	static SSL_SESSION psksess = NULL((void)0);
117
118	static char *psk_identity = "Client_identity";
119	char psk_key = NULL((void)0); /* by default PSK is not used */
120
121	static char http_server_binmode = 0; /* for now: 0/1 = default/binary */
122
123	#ifndef OPENSSL_NO_PSK
124	static unsigned int psk_server_cb(SSL ssl, const char identity,
125	unsigned char *psk,
126	unsigned int max_psk_len)
127	{
128	long key_len = 0;
129	unsigned char *key;
130
131	if (s_debug)
132	BIO_printf(bio_s_out, "psk_server_cb\n");
133
134	if (!SSL_is_dtls(ssl) && SSL_version(ssl) >= TLS1_3_VERSION0x0304) {
135	/*
136	* This callback is designed for use in (D)TLSv1.2 (or below). It is
137	* possible to use a single callback for all protocol versions - but it
138	* is preferred to use a dedicated callback for TLSv1.3. For TLSv1.3 we
139	* have psk_find_session_cb.
140	*/
141	return 0;
142	}
143
144	if (identity == NULL((void*)0)) {
145	BIO_printf(bio_err, "Error: client did not send PSK identity\n");
146	goto out_err;
147	}
148	if (s_debug)
149	BIO_printf(bio_s_out, "identity_len=%d identity=%s\n",
150	(int)strlen(identity), identity);
151
152	/* here we could lookup the given identity e.g. from a database */
153	if (strcmp(identity, psk_identity) != 0) {
154	BIO_printf(bio_s_out, "PSK warning: client identity not what we expected"
155	" (got '%s' expected '%s')\n", identity, psk_identity);
156	} else {
157	if (s_debug)
158	BIO_printf(bio_s_out, "PSK client identity found\n");
159	}
160
161	/* convert the PSK key to binary */
162	key = OPENSSL_hexstr2buf(psk_key, &key_len);
163	if (key == NULL((void*)0)) {
164	BIO_printf(bio_err, "Could not convert PSK key '%s' to buffer\n",
165	psk_key);
166	return 0;
167	}
168	if (key_len > (int)max_psk_len) {
169	BIO_printf(bio_err,
170	"psk buffer of callback is too small (%d) for key (%ld)\n",
171	max_psk_len, key_len);
172	OPENSSL_free(key)CRYPTO_free(key, "../deps/openssl/openssl/apps/s_server.c", 172 );
173	return 0;
174	}
175
176	memcpy(psk, key, key_len);
177	OPENSSL_free(key)CRYPTO_free(key, "../deps/openssl/openssl/apps/s_server.c", 177 );
178
179	if (s_debug)
180	BIO_printf(bio_s_out, "fetched PSK len=%ld\n", key_len);
181	return key_len;
182	out_err:
183	if (s_debug)
184	BIO_printf(bio_err, "Error in PSK server callback\n");
185	(void)BIO_flush(bio_err)(int)BIO_ctrl(bio_err,11,0,((void*)0));
186	(void)BIO_flush(bio_s_out)(int)BIO_ctrl(bio_s_out,11,0,((void*)0));
187	return 0;
188	}
189	#endif
190
191	static int psk_find_session_cb(SSL ssl, const unsigned char identity,
192	size_t identity_len, SSL_SESSION **sess)
193	{
194	SSL_SESSION tmpsess = NULL((void)0);
195	unsigned char *key;
196	long key_len;
197	const SSL_CIPHER cipher = NULL((void)0);
198
199	if (strlen(psk_identity) != identity_len
200	\|\| memcmp(psk_identity, identity, identity_len) != 0) {
201	sess = NULL((void)0);
202	return 1;
203	}
204
205	if (psksess != NULL((void*)0)) {
206	SSL_SESSION_up_ref(psksess);
207	*sess = psksess;
208	return 1;
209	}
210
211	key = OPENSSL_hexstr2buf(psk_key, &key_len);
212	if (key == NULL((void*)0)) {
213	BIO_printf(bio_err, "Could not convert PSK key '%s' to buffer\n",
214	psk_key);
215	return 0;
216	}
217
218	/* We default to SHA256 */
219	cipher = SSL_CIPHER_find(ssl, tls13_aes128gcmsha256_id);
220	if (cipher == NULL((void*)0)) {
221	BIO_printf(bio_err, "Error finding suitable ciphersuite\n");
222	OPENSSL_free(key)CRYPTO_free(key, "../deps/openssl/openssl/apps/s_server.c", 222 );
223	return 0;
224	}
225
226	tmpsess = SSL_SESSION_new();
227	if (tmpsess == NULL((void*)0)
228	\|\| !SSL_SESSION_set1_master_key(tmpsess, key, key_len)
229	\|\| !SSL_SESSION_set_cipher(tmpsess, cipher)
230	\|\| !SSL_SESSION_set_protocol_version(tmpsess, SSL_version(ssl))) {
231	OPENSSL_free(key)CRYPTO_free(key, "../deps/openssl/openssl/apps/s_server.c", 231 );
232	return 0;
233	}
234	OPENSSL_free(key)CRYPTO_free(key, "../deps/openssl/openssl/apps/s_server.c", 234 );
235	*sess = tmpsess;
236
237	return 1;
238	}
239
240	#ifndef OPENSSL_NO_SRP
241	static srpsrvparm srp_callback_parm;
242	#endif
243
244	static int local_argc = 0;
245	static char **local_argv;
246
247	#ifdef CHARSET_EBCDIC
248	static int ebcdic_new(BIO *bi);
249	static int ebcdic_free(BIO *a);
250	static int ebcdic_read(BIO b, char out, int outl);
251	static int ebcdic_write(BIO b, const char in, int inl);
252	static long ebcdic_ctrl(BIO b, int cmd, long num, void ptr);
253	static int ebcdic_gets(BIO bp, char buf, int size);
254	static int ebcdic_puts(BIO bp, const char str);
255
256	# define BIO_TYPE_EBCDIC_FILTER (18\|0x0200)
257	static BIO_METHOD methods_ebcdic = NULL((void)0);
258
259	/* This struct is "unwarranted chumminess with the compiler." */
260	typedef struct {
261	size_t alloced;
262	char buff[1];
263	} EBCDIC_OUTBUFF;
264
265	static const BIO_METHOD *BIO_f_ebcdic_filter()
266	{
267	if (methods_ebcdic == NULL((void*)0)) {
268	methods_ebcdic = BIO_meth_new(BIO_TYPE_EBCDIC_FILTER,
269	"EBCDIC/ASCII filter");
270	if (methods_ebcdic == NULL((void*)0)
271	\|\| !BIO_meth_set_write(methods_ebcdic, ebcdic_write)
272	\|\| !BIO_meth_set_read(methods_ebcdic, ebcdic_read)
273	\|\| !BIO_meth_set_puts(methods_ebcdic, ebcdic_puts)
274	\|\| !BIO_meth_set_gets(methods_ebcdic, ebcdic_gets)
275	\|\| !BIO_meth_set_ctrl(methods_ebcdic, ebcdic_ctrl)
276	\|\| !BIO_meth_set_create(methods_ebcdic, ebcdic_new)
277	\|\| !BIO_meth_set_destroy(methods_ebcdic, ebcdic_free))
278	return NULL((void*)0);
279	}
280	return methods_ebcdic;
281	}
282
283	static int ebcdic_new(BIO *bi)
284	{
285	EBCDIC_OUTBUFF *wbuf;
286
287	wbuf = app_malloc(sizeof(*wbuf) + 1024, "ebcdic wbuf");
288	wbuf->alloced = 1024;
289	wbuf->buff[0] = '\0';
290
291	BIO_set_data(bi, wbuf);
292	BIO_set_init(bi, 1);
293	return 1;
294	}
295
296	static int ebcdic_free(BIO *a)
297	{
298	EBCDIC_OUTBUFF *wbuf;
299
300	if (a == NULL((void*)0))
301	return 0;
302	wbuf = BIO_get_data(a);
303	OPENSSL_free(wbuf)CRYPTO_free(wbuf, "../deps/openssl/openssl/apps/s_server.c", 303 );
304	BIO_set_data(a, NULL((void*)0));
305	BIO_set_init(a, 0);
306
307	return 1;
308	}
309
310	static int ebcdic_read(BIO b, char out, int outl)
311	{
312	int ret = 0;
313	BIO *next = BIO_next(b);
314
315	if (out == NULL((void*)0) \|\| outl == 0)
316	return 0;
317	if (next == NULL((void*)0))
318	return 0;
319
320	ret = BIO_read(next, out, outl);
321	if (ret > 0)
322	ascii2ebcdic(out, out, ret);
323	return ret;
324	}
325
326	static int ebcdic_write(BIO b, const char in, int inl)
327	{
328	EBCDIC_OUTBUFF *wbuf;
329	BIO *next = BIO_next(b);
330	int ret = 0;
331	int num;
332
333	if ((in == NULL((void*)0)) \|\| (inl <= 0))
334	return 0;
335	if (next == NULL((void*)0))
336	return 0;
337
338	wbuf = (EBCDIC_OUTBUFF *) BIO_get_data(b);
339
340	if (inl > (num = wbuf->alloced)) {
341	num = num + num; /* double the size */
342	if (num < inl)
343	num = inl;
344	OPENSSL_free(wbuf)CRYPTO_free(wbuf, "../deps/openssl/openssl/apps/s_server.c", 344 );
345	wbuf = app_malloc(sizeof(*wbuf) + num, "grow ebcdic wbuf");
346
347	wbuf->alloced = num;
348	wbuf->buff[0] = '\0';
349
350	BIO_set_data(b, wbuf);
351	}
352
353	ebcdic2ascii(wbuf->buff, in, inl);
354
355	ret = BIO_write(next, wbuf->buff, inl);
356
357	return ret;
358	}
359
360	static long ebcdic_ctrl(BIO b, int cmd, long num, void ptr)
361	{
362	long ret;
363	BIO *next = BIO_next(b);
364
365	if (next == NULL((void*)0))
366	return 0;
367	switch (cmd) {
368	case BIO_CTRL_DUP12:
369	ret = 0L;
370	break;
371	default:
372	ret = BIO_ctrl(next, cmd, num, ptr);
373	break;
374	}
375	return ret;
376	}
377
378	static int ebcdic_gets(BIO bp, char buf, int size)
379	{
380	int i, ret = 0;
381	BIO *next = BIO_next(bp);
382
383	if (next == NULL((void*)0))
384	return 0;
385	/* return(BIO_gets(bp->next_bio,buf,size));*/
386	for (i = 0; i < size - 1; ++i) {
387	ret = ebcdic_read(bp, &buf[i], 1);
388	if (ret <= 0)
389	break;
390	else if (buf[i] == '\n') {
391	++i;
392	break;
393	}
394	}
395	if (i < size)
396	buf[i] = '\0';
397	return (ret < 0 && i == 0) ? ret : i;
398	}
399
400	static int ebcdic_puts(BIO bp, const char str)
401	{
402	if (BIO_next(bp) == NULL((void*)0))
403	return 0;
404	return ebcdic_write(bp, str, strlen(str));
405	}
406	#endif
407
408	/* This is a context that we pass to callbacks */
409	typedef struct tlsextctx_st {
410	char *servername;
411	BIO *biodebug;
412	int extension_error;
413	} tlsextctx;
414
415	static int ssl_servername_cb(SSL s, int ad, void *arg)
416	{
417	tlsextctx p = (tlsextctx ) arg;
418	const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name0);
419
420	if (servername != NULL((void)0) && p->biodebug != NULL((void)0)) {
421	const char *cp = servername;
422	unsigned char uc;
423
424	BIO_printf(p->biodebug, "Hostname in TLS extension: \"");
425	while ((uc = *cp++) != 0)
426	BIO_printf(p->biodebug,
427	(((uc) & ~127) == 0) && isprint(uc)((*__ctype_b_loc ())[(int) ((uc))] & (unsigned short int) _ISprint) ? "%c" : "\\x%02x", uc);
428	BIO_printf(p->biodebug, "\"\n");
429	}
430
431	if (p->servername == NULL((void*)0))
432	return SSL_TLSEXT_ERR_NOACK3;
433
434	if (servername != NULL((void*)0)) {
435	if (OPENSSL_strcasecmp(servername, p->servername))
436	return p->extension_error;
437	if (ctx2 != NULL((void*)0)) {
438	BIO_printf(p->biodebug, "Switching server context.\n");
439	SSL_set_SSL_CTX(s, ctx2);
440	}
441	}
442	return SSL_TLSEXT_ERR_OK0;
443	}
444
445	/* Structure passed to cert status callback */
446	typedef struct tlsextstatusctx_st {
447	int timeout;
448	/* File to load OCSP Response from (or NULL if no file) */
449	char *respin;
450	/* Default responder to use */
451	char host, path, *port;
452	char proxy, no_proxy;
453	int use_ssl;
454	int verbose;
455	} tlsextstatusctx;
456
457	static tlsextstatusctx tlscstatp = { -1 };
458
459	#ifndef OPENSSL_NO_OCSP
460
461	/*
462	* Helper function to get an OCSP_RESPONSE from a responder. This is a
463	* simplified version. It examines certificates each time and makes one OCSP
464	* responder query for each request. A full version would store details such as
465	* the OCSP certificate IDs and minimise the number of OCSP responses by caching
466	* them until they were considered "expired".
467	*/
468	static int get_ocsp_resp_from_responder(SSL s, tlsextstatusctx srctx,
469	OCSP_RESPONSE **resp)
470	{
471	char host = NULL((void)0), port = NULL((void)0), path = NULL((void)0);
472	char proxy = NULL((void)0), no_proxy = NULL((void)0);
473	int use_ssl;
474	STACK_OF(OPENSSL_STRING)struct stack_st_OPENSSL_STRING aia = NULL((void)0);
475	X509 x = NULL((void)0);
476	X509_STORE_CTX inctx = NULL((void)0);
477	X509_OBJECT *obj;
478	OCSP_REQUEST req = NULL((void)0);
479	OCSP_CERTID id = NULL((void)0);
480	STACK_OF(X509_EXTENSION)struct stack_st_X509_EXTENSION *exts;
481	int ret = SSL_TLSEXT_ERR_NOACK3;
482	int i;
483
484	/* Build up OCSP query from server certificate */
485	x = SSL_get_certificate(s);
486	aia = X509_get1_ocsp(x);
487	if (aia != NULL((void*)0)) {
488	if (!OSSL_HTTP_parse_url(sk_OPENSSL_STRING_value(aia, 0)((char *)OPENSSL_sk_value(ossl_check_const_OPENSSL_STRING_sk_type (aia), (0))), &use_ssl,
489	NULL((void)0), &host, &port, NULL((void)0), &path, NULL((void)0), NULL((void)0))) {
490	BIO_puts(bio_err, "cert_status: can't parse AIA URL\n");
491	goto err;
492	}
493	if (srctx->verbose)
494	BIO_printf(bio_err, "cert_status: AIA URL: %s\n",
495	sk_OPENSSL_STRING_value(aia, 0)((char *)OPENSSL_sk_value(ossl_check_const_OPENSSL_STRING_sk_type (aia), (0))));
496	} else {
497	if (srctx->host == NULL((void*)0)) {
498	BIO_puts(bio_err,
499	"cert_status: no AIA and no default responder URL\n");
500	goto done;
501	}
502	host = srctx->host;
503	path = srctx->path;
504	port = srctx->port;
505	use_ssl = srctx->use_ssl;
506	}
507	proxy = srctx->proxy;
508	no_proxy = srctx->no_proxy;
509
510	inctx = X509_STORE_CTX_new();
511	if (inctx == NULL((void*)0))
512	goto err;
513	if (!X509_STORE_CTX_init(inctx,
514	SSL_CTX_get_cert_store(SSL_get_SSL_CTX(s)),
515	NULL((void)0), NULL((void)0)))
516	goto err;
517	obj = X509_STORE_CTX_get_obj_by_subject(inctx, X509_LU_X509,
518	X509_get_issuer_name(x));
519	if (obj == NULL((void*)0)) {
520	BIO_puts(bio_err, "cert_status: Can't retrieve issuer certificate.\n");
521	goto done;
522	}
523	id = OCSP_cert_to_id(NULL((void*)0), x, X509_OBJECT_get0_X509(obj));
524	X509_OBJECT_free(obj);
525	if (id == NULL((void*)0))
526	goto err;
527	req = OCSP_REQUEST_new();
528	if (req == NULL((void*)0))
529	goto err;
530	if (!OCSP_request_add0_id(req, id))
531	goto err;
532	id = NULL((void*)0);
533	/* Add any extensions to the request */
534	SSL_get_tlsext_status_exts(s, &exts)SSL_ctrl(s,66,0,&exts);
535	for (i = 0; i < sk_X509_EXTENSION_num(exts)OPENSSL_sk_num(ossl_check_const_X509_EXTENSION_sk_type(exts)); i++) {
536	X509_EXTENSION ext = sk_X509_EXTENSION_value(exts, i)((X509_EXTENSION )OPENSSL_sk_value(ossl_check_const_X509_EXTENSION_sk_type (exts), (i)));
537	if (!OCSP_REQUEST_add_ext(req, ext, -1))
538	goto err;
539	}
540	*resp = process_responder(req, host, port, path, proxy, no_proxy,
541	use_ssl, NULL((void)0) / headers */, srctx->timeout);
542	if (resp == NULL((void)0)) {
543	BIO_puts(bio_err, "cert_status: error querying responder\n");
544	goto done;
545	}
546
547	ret = SSL_TLSEXT_ERR_OK0;
548	goto done;
549
550	err:
551	ret = SSL_TLSEXT_ERR_ALERT_FATAL2;
552	done:
553	/*
554	* If we parsed aia we need to free; otherwise they were copied and we
555	* don't
556	*/
557	if (aia != NULL((void*)0)) {
558	OPENSSL_free(host)CRYPTO_free(host, "../deps/openssl/openssl/apps/s_server.c", 558 );
559	OPENSSL_free(path)CRYPTO_free(path, "../deps/openssl/openssl/apps/s_server.c", 559 );
560	OPENSSL_free(port)CRYPTO_free(port, "../deps/openssl/openssl/apps/s_server.c", 560 );
561	X509_email_free(aia);
562	}
563	OCSP_CERTID_free(id);
564	OCSP_REQUEST_free(req);
565	X509_STORE_CTX_free(inctx);
566	return ret;
567	}
568
569	/*
570	* Certificate Status callback. This is called when a client includes a
571	* certificate status request extension. The response is either obtained from a
572	* file, or from an OCSP responder.
573	*/
574	static int cert_status_cb(SSL s, void arg)
575	{
576	tlsextstatusctx *srctx = arg;
577	OCSP_RESPONSE resp = NULL((void)0);
578	unsigned char rspder = NULL((void)0);
579	int rspderlen;
580	int ret = SSL_TLSEXT_ERR_ALERT_FATAL2;
581
582	if (srctx->verbose)
583	BIO_puts(bio_err, "cert_status: callback called\n");
584
585	if (srctx->respin != NULL((void*)0)) {
586	BIO *derbio = bio_open_default(srctx->respin, 'r', FORMAT_ASN14);
587	if (derbio == NULL((void*)0)) {
588	BIO_puts(bio_err, "cert_status: Cannot open OCSP response file\n");
589	goto err;
590	}
591	resp = d2i_OCSP_RESPONSE_bio(derbio, NULL)((OCSP_RESPONSE)ASN1_d2i_bio( ((void ()(void)) (1 ? OCSP_RESPONSE_new : ((OCSP_RESPONSE ()(void))0))), ((d2i_of_void) (1 ? d2i_OCSP_RESPONSE : ((OCSP_RESPONSE ()(OCSP_RESPONSE *,const unsigned char ,long))0))), derbio, ((void) (1 ? ((void)0) : (OCSP_RESPONSE **)0))));
592	BIO_free(derbio);
593	if (resp == NULL((void*)0)) {
594	BIO_puts(bio_err, "cert_status: Error reading OCSP response\n");
595	goto err;
596	}
597	} else {
598	ret = get_ocsp_resp_from_responder(s, srctx, &resp);
599	if (ret != SSL_TLSEXT_ERR_OK0)
600	goto err;
601	}
602
603	rspderlen = i2d_OCSP_RESPONSE(resp, &rspder);
604	if (rspderlen <= 0)
605	goto err;
606
607	SSL_set_tlsext_status_ocsp_resp(s, rspder, rspderlen)SSL_ctrl(s,71,rspderlen,rspder);
608	if (srctx->verbose) {
609	BIO_puts(bio_err, "cert_status: ocsp response sent:\n");
610	OCSP_RESPONSE_print(bio_err, resp, 2);
611	}
612
613	ret = SSL_TLSEXT_ERR_OK0;
614
615	err:
616	if (ret != SSL_TLSEXT_ERR_OK0)
617	ERR_print_errors(bio_err);
618
619	OCSP_RESPONSE_free(resp);
620
621	return ret;
622	}
623	#endif
624
625	#ifndef OPENSSL_NO_NEXTPROTONEG
626	/* This is the context that we pass to next_proto_cb */
627	typedef struct tlsextnextprotoctx_st {
628	unsigned char *data;
629	size_t len;
630	} tlsextnextprotoctx;
631
632	static int next_proto_cb(SSL s, const unsigned char *data,
633	unsigned int len, void arg)
634	{
635	tlsextnextprotoctx *next_proto = arg;
636
637	*data = next_proto->data;
638	*len = next_proto->len;
639
640	return SSL_TLSEXT_ERR_OK0;
641	}
642	#endif /* ndef OPENSSL_NO_NEXTPROTONEG */
643
644	/* This the context that we pass to alpn_cb */
645	typedef struct tlsextalpnctx_st {
646	unsigned char *data;
647	size_t len;
648	} tlsextalpnctx;
649
650	static int alpn_cb(SSL s, const unsigned char out, unsigned char outlen,
651	const unsigned char in, unsigned int inlen, void arg)
652	{
653	tlsextalpnctx *alpn_ctx = arg;
654
655	if (!s_quiet) {
656	/* We can assume that \|in\| is syntactically valid. */
657	unsigned int i;
658	BIO_printf(bio_s_out, "ALPN protocols advertised by the client: ");
659	for (i = 0; i < inlen;) {
660	if (i)
661	BIO_write(bio_s_out, ", ", 2);
662	BIO_write(bio_s_out, &in[i + 1], in[i]);
663	i += in[i] + 1;
664	}
665	BIO_write(bio_s_out, "\n", 1);
666	}
667
668	if (SSL_select_next_proto
669	((unsigned char **)out, outlen, alpn_ctx->data, alpn_ctx->len, in,
670	inlen) != OPENSSL_NPN_NEGOTIATED1) {
671	return SSL_TLSEXT_ERR_ALERT_FATAL2;
672	}
673
674	if (!s_quiet) {
675	BIO_printf(bio_s_out, "ALPN protocols selected: ");
676	BIO_write(bio_s_out, out, outlen);
677	BIO_write(bio_s_out, "\n", 1);
678	}
679
680	return SSL_TLSEXT_ERR_OK0;
681	}
682
683	static int not_resumable_sess_cb(SSL *s, int is_forward_secure)
684	{
685	/* disable resumption for sessions with forward secure ciphers */
686	return is_forward_secure;
687	}
688
689	typedef enum OPTION_choice {
690	OPT_COMMONOPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
691	OPT_ENGINE,
692	OPT_4, OPT_6, OPT_ACCEPT, OPT_PORT, OPT_UNIX, OPT_UNLINK, OPT_NACCEPT,
693	OPT_VERIFY, OPT_NAMEOPT, OPT_UPPER_V_VERIFY, OPT_CONTEXT, OPT_CERT, OPT_CRL,
694	OPT_CRL_DOWNLOAD, OPT_SERVERINFO, OPT_CERTFORM, OPT_KEY, OPT_KEYFORM,
695	OPT_PASS, OPT_CERT_CHAIN, OPT_DHPARAM, OPT_DCERTFORM, OPT_DCERT,
696	OPT_DKEYFORM, OPT_DPASS, OPT_DKEY, OPT_DCERT_CHAIN, OPT_NOCERT,
697	OPT_CAPATH, OPT_NOCAPATH, OPT_CHAINCAPATH, OPT_VERIFYCAPATH, OPT_NO_CACHE,
698	OPT_EXT_CACHE, OPT_CRLFORM, OPT_VERIFY_RET_ERROR, OPT_VERIFY_QUIET,
699	OPT_BUILD_CHAIN, OPT_CAFILE, OPT_NOCAFILE, OPT_CHAINCAFILE,
700	OPT_VERIFYCAFILE,
701	OPT_CASTORE, OPT_NOCASTORE, OPT_CHAINCASTORE, OPT_VERIFYCASTORE,
702	OPT_NBIO, OPT_NBIO_TEST, OPT_IGN_EOF, OPT_NO_IGN_EOF,
703	OPT_DEBUG, OPT_TLSEXTDEBUG, OPT_STATUS, OPT_STATUS_VERBOSE,
704	OPT_STATUS_TIMEOUT, OPT_PROXY, OPT_NO_PROXY, OPT_STATUS_URL,
705	OPT_STATUS_FILE, OPT_MSG, OPT_MSGFILE,
706	OPT_TRACE, OPT_SECURITY_DEBUG, OPT_SECURITY_DEBUG_VERBOSE, OPT_STATE,
707	OPT_CRLF, OPT_QUIET, OPT_BRIEF, OPT_NO_DHE,
708	OPT_NO_RESUME_EPHEMERAL, OPT_PSK_IDENTITY, OPT_PSK_HINT, OPT_PSK,
709	OPT_PSK_SESS, OPT_SRPVFILE, OPT_SRPUSERSEED, OPT_REV, OPT_WWW,
710	OPT_UPPER_WWW, OPT_HTTP, OPT_ASYNC, OPT_SSL_CONFIG,
711	OPT_MAX_SEND_FRAG, OPT_SPLIT_SEND_FRAG, OPT_MAX_PIPELINES, OPT_READ_BUF,
712	OPT_SSL3, OPT_TLS1_3, OPT_TLS1_2, OPT_TLS1_1, OPT_TLS1, OPT_DTLS, OPT_DTLS1,
713	OPT_DTLS1_2, OPT_SCTP, OPT_TIMEOUT, OPT_MTU, OPT_LISTEN, OPT_STATELESS,
714	OPT_ID_PREFIX, OPT_SERVERNAME, OPT_SERVERNAME_FATAL,
715	OPT_CERT2, OPT_KEY2, OPT_NEXTPROTONEG, OPT_ALPN, OPT_SENDFILE,
716	OPT_SRTP_PROFILES, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN,
717	OPT_KEYLOG_FILE, OPT_MAX_EARLY, OPT_RECV_MAX_EARLY, OPT_EARLY_DATA,
718	OPT_S_NUM_TICKETS, OPT_ANTI_REPLAY, OPT_NO_ANTI_REPLAY, OPT_SCTP_LABEL_BUG,
719	OPT_HTTP_SERVER_BINMODE, OPT_NOCANAMES, OPT_IGNORE_UNEXPECTED_EOF,
720	OPT_R_ENUMOPT_R__FIRST=1500, OPT_R_RAND, OPT_R_WRITERAND, OPT_R__LAST,
721	OPT_S_ENUMOPT_S__FIRST=3000, OPT_S_NOSSL3, OPT_S_NOTLS1, OPT_S_NOTLS1_1 , OPT_S_NOTLS1_2, OPT_S_NOTLS1_3, OPT_S_BUGS, OPT_S_NO_COMP, OPT_S_NOTICKET , OPT_S_SERVERPREF, OPT_S_LEGACYRENEG, OPT_S_CLIENTRENEG, OPT_S_LEGACYCONN , OPT_S_ONRESUMP, OPT_S_NOLEGACYCONN, OPT_S_ALLOW_NO_DHE_KEX, OPT_S_PRIORITIZE_CHACHA, OPT_S_STRICT, OPT_S_SIGALGS, OPT_S_CLIENTSIGALGS , OPT_S_GROUPS, OPT_S_CURVES, OPT_S_NAMEDCURVE, OPT_S_CIPHER, OPT_S_CIPHERSUITES, OPT_S_RECORD_PADDING, OPT_S_DEBUGBROKE, OPT_S_COMP , OPT_S_MINPROTO, OPT_S_MAXPROTO, OPT_S_NO_RENEGOTIATION, OPT_S_NO_MIDDLEBOX , OPT_S_NO_ETM, OPT_S__LAST,
722	OPT_V_ENUMOPT_V__FIRST=2000, OPT_V_POLICY, OPT_V_PURPOSE, OPT_V_VERIFY_NAME , OPT_V_VERIFY_DEPTH, OPT_V_ATTIME, OPT_V_VERIFY_HOSTNAME, OPT_V_VERIFY_EMAIL , OPT_V_VERIFY_IP, OPT_V_IGNORE_CRITICAL, OPT_V_ISSUER_CHECKS , OPT_V_CRL_CHECK, OPT_V_CRL_CHECK_ALL, OPT_V_POLICY_CHECK, OPT_V_EXPLICIT_POLICY , OPT_V_INHIBIT_ANY, OPT_V_INHIBIT_MAP, OPT_V_X509_STRICT, OPT_V_EXTENDED_CRL , OPT_V_USE_DELTAS, OPT_V_POLICY_PRINT, OPT_V_CHECK_SS_SIG, OPT_V_TRUSTED_FIRST , OPT_V_SUITEB_128_ONLY, OPT_V_SUITEB_128, OPT_V_SUITEB_192, OPT_V_PARTIAL_CHAIN , OPT_V_NO_ALT_CHAINS, OPT_V_NO_CHECK_TIME, OPT_V_VERIFY_AUTH_LEVEL , OPT_V_ALLOW_PROXY_CERTS, OPT_V__LAST,
723	OPT_X_ENUMOPT_X__FIRST=1000, OPT_X_KEY, OPT_X_CERT, OPT_X_CHAIN, OPT_X_CHAIN_BUILD , OPT_X_CERTFORM, OPT_X_KEYFORM, OPT_X__LAST,
724	OPT_PROV_ENUMOPT_PROV__FIRST=1600, OPT_PROV_PROVIDER, OPT_PROV_PROVIDER_PATH , OPT_PROV_PROPQUERY, OPT_PROV__LAST
725	} OPTION_CHOICE;
726
727	const OPTIONS s_server_options[] = {
728	OPT_SECTION("General"){ OPT_SECTION_STR, 1, '-', "General" " options:\n" },
729	{"help", OPT_HELP, '-', "Display this summary"},
730	{"ssl_config", OPT_SSL_CONFIG, 's',
731	"Configure SSL_CTX using the given configuration value"},
732	#ifndef OPENSSL_NO_SSL_TRACE
733	{"trace", OPT_TRACE, '-', "trace protocol messages"},
734	#endif
735	#ifndef OPENSSL_NO_ENGINE
736	{"engine", OPT_ENGINE, 's', "Use engine, possibly a hardware device"},
737	#endif
738
739	OPT_SECTION("Network"){ OPT_SECTION_STR, 1, '-', "Network" " options:\n" },
740	{"port", OPT_PORT, 'p',
741	"TCP/IP port to listen on for connections (default is " PORT"4433" ")"},
742	{"accept", OPT_ACCEPT, 's',
743	"TCP/IP optional host and port to listen on for connections (default is *:" PORT"4433" ")"},
744	#ifdef AF_UNIX1
745	{"unix", OPT_UNIX, 's', "Unix domain socket to accept on"},
746	{"unlink", OPT_UNLINK, '-', "For -unix, unlink existing socket first"},
747	#endif
748	{"4", OPT_4, '-', "Use IPv4 only"},
749	{"6", OPT_6, '-', "Use IPv6 only"},
750
751	OPT_SECTION("Identity"){ OPT_SECTION_STR, 1, '-', "Identity" " options:\n" },
752	{"context", OPT_CONTEXT, 's', "Set session ID context"},
753	{"CAfile", OPT_CAFILE, '<', "PEM format file of CA's"},
754	{"CApath", OPT_CAPATH, '/', "PEM format directory of CA's"},
755	{"CAstore", OPT_CASTORE, ':', "URI to store of CA's"},
756	{"no-CAfile", OPT_NOCAFILE, '-',
757	"Do not load the default certificates file"},
758	{"no-CApath", OPT_NOCAPATH, '-',
759	"Do not load certificates from the default certificates directory"},
760	{"no-CAstore", OPT_NOCASTORE, '-',
761	"Do not load certificates from the default certificates store URI"},
762	{"nocert", OPT_NOCERT, '-', "Don't use any certificates (Anon-DH)"},
763	{"verify", OPT_VERIFY, 'n', "Turn on peer certificate verification"},
764	{"Verify", OPT_UPPER_V_VERIFY, 'n',
765	"Turn on peer certificate verification, must have a cert"},
766	{"nameopt", OPT_NAMEOPT, 's', "Certificate subject/issuer name printing options"},
767	{"cert", OPT_CERT, '<', "Server certificate file to use; default " TEST_CERT"server.pem"},
768	{"cert2", OPT_CERT2, '<',
769	"Certificate file to use for servername; default " TEST_CERT2"server2.pem"},
770	{"certform", OPT_CERTFORM, 'F',
771	"Server certificate file format (PEM/DER/P12); has no effect"},
772	{"cert_chain", OPT_CERT_CHAIN, '<',
773	"Server certificate chain file in PEM format"},
774	{"build_chain", OPT_BUILD_CHAIN, '-', "Build server certificate chain"},
775	{"serverinfo", OPT_SERVERINFO, 's',
776	"PEM serverinfo file for certificate"},
777	{"key", OPT_KEY, 's',
778	"Private key file to use; default is -cert file or else" TEST_CERT"server.pem"},
779	{"key2", OPT_KEY2, '<',
780	"-Private Key file to use for servername if not in -cert2"},
781	{"keyform", OPT_KEYFORM, 'f', "Key format (ENGINE, other values ignored)"},
782	{"pass", OPT_PASS, 's', "Private key and cert file pass phrase source"},
783	{"dcert", OPT_DCERT, '<',
784	"Second server certificate file to use (usually for DSA)"},
785	{"dcertform", OPT_DCERTFORM, 'F',
786	"Second server certificate file format (PEM/DER/P12); has no effect"},
787	{"dcert_chain", OPT_DCERT_CHAIN, '<',
788	"second server certificate chain file in PEM format"},
789	{"dkey", OPT_DKEY, '<',
790	"Second private key file to use (usually for DSA)"},
791	{"dkeyform", OPT_DKEYFORM, 'F',
792	"Second key file format (ENGINE, other values ignored)"},
793	{"dpass", OPT_DPASS, 's',
794	"Second private key and cert file pass phrase source"},
795	{"dhparam", OPT_DHPARAM, '<', "DH parameters file to use"},
796	{"servername", OPT_SERVERNAME, 's',
797	"Servername for HostName TLS extension"},
798	{"servername_fatal", OPT_SERVERNAME_FATAL, '-',
799	"On servername mismatch send fatal alert (default warning alert)"},
800	{"nbio_test", OPT_NBIO_TEST, '-', "Test with the non-blocking test bio"},
801	{"crlf", OPT_CRLF, '-', "Convert LF from terminal into CRLF"},
802	{"quiet", OPT_QUIET, '-', "No server output"},
803	{"no_resume_ephemeral", OPT_NO_RESUME_EPHEMERAL, '-',
804	"Disable caching and tickets if ephemeral (EC)DH is used"},
805	{"www", OPT_WWW, '-', "Respond to a 'GET /' with a status page"},
806	{"WWW", OPT_UPPER_WWW, '-', "Respond to a 'GET with the file ./path"},
807	{"ignore_unexpected_eof", OPT_IGNORE_UNEXPECTED_EOF, '-',
808	"Do not treat lack of close_notify from a peer as an error"},
809	{"tlsextdebug", OPT_TLSEXTDEBUG, '-',
810	"Hex dump of all TLS extensions received"},
811	{"HTTP", OPT_HTTP, '-', "Like -WWW but ./path includes HTTP headers"},
812	{"id_prefix", OPT_ID_PREFIX, 's',
813	"Generate SSL/TLS session IDs prefixed by arg"},
814	{"keymatexport", OPT_KEYMATEXPORT, 's',
815	"Export keying material using label"},
816	{"keymatexportlen", OPT_KEYMATEXPORTLEN, 'p',
817	"Export len bytes of keying material; default 20"},
818	{"CRL", OPT_CRL, '<', "CRL file to use"},
819	{"CRLform", OPT_CRLFORM, 'F', "CRL file format (PEM or DER); default PEM"},
820	{"crl_download", OPT_CRL_DOWNLOAD, '-',
821	"Download CRLs from distribution points in certificate CDP entries"},
822	{"chainCAfile", OPT_CHAINCAFILE, '<',
823	"CA file for certificate chain (PEM format)"},
824	{"chainCApath", OPT_CHAINCAPATH, '/',
825	"use dir as certificate store path to build CA certificate chain"},
826	{"chainCAstore", OPT_CHAINCASTORE, ':',
827	"use URI as certificate store to build CA certificate chain"},
828	{"verifyCAfile", OPT_VERIFYCAFILE, '<',
829	"CA file for certificate verification (PEM format)"},
830	{"verifyCApath", OPT_VERIFYCAPATH, '/',
831	"use dir as certificate store path to verify CA certificate"},
832	{"verifyCAstore", OPT_VERIFYCASTORE, ':',
833	"use URI as certificate store to verify CA certificate"},
834	{"no_cache", OPT_NO_CACHE, '-', "Disable session cache"},
835	{"ext_cache", OPT_EXT_CACHE, '-',
836	"Disable internal cache, set up and use external cache"},
837	{"verify_return_error", OPT_VERIFY_RET_ERROR, '-',
838	"Close connection on verification error"},
839	{"verify_quiet", OPT_VERIFY_QUIET, '-',
840	"No verify output except verify errors"},
841	{"ign_eof", OPT_IGN_EOF, '-', "Ignore input EOF (default when -quiet)"},
842	{"no_ign_eof", OPT_NO_IGN_EOF, '-', "Do not ignore input EOF"},
843
844	#ifndef OPENSSL_NO_OCSP
845	OPT_SECTION("OCSP"){ OPT_SECTION_STR, 1, '-', "OCSP" " options:\n" },
846	{"status", OPT_STATUS, '-', "Request certificate status from server"},
847	{"status_verbose", OPT_STATUS_VERBOSE, '-',
848	"Print more output in certificate status callback"},
849	{"status_timeout", OPT_STATUS_TIMEOUT, 'n',
850	"Status request responder timeout"},
851	{"status_url", OPT_STATUS_URL, 's', "Status request fallback URL"},
852	{"proxy", OPT_PROXY, 's',
853	"[http[s]://]host[:port][/path] of HTTP(S) proxy to use; path is ignored"},
854	{"no_proxy", OPT_NO_PROXY, 's',
855	"List of addresses of servers not to use HTTP(S) proxy for"},
856	{OPT_MORE_STR, 0, 0,
857	"Default from environment variable 'no_proxy', else 'NO_PROXY', else none"},
858	{"status_file", OPT_STATUS_FILE, '<',
859	"File containing DER encoded OCSP Response"},
860	#endif
861
862	OPT_SECTION("Debug"){ OPT_SECTION_STR, 1, '-', "Debug" " options:\n" },
863	{"security_debug", OPT_SECURITY_DEBUG, '-',
864	"Print output from SSL/TLS security framework"},
865	{"security_debug_verbose", OPT_SECURITY_DEBUG_VERBOSE, '-',
866	"Print more output from SSL/TLS security framework"},
867	{"brief", OPT_BRIEF, '-',
868	"Restrict output to brief summary of connection parameters"},
869	{"rev", OPT_REV, '-',
870	"act as an echo server that sends back received text reversed"},
871	{"debug", OPT_DEBUG, '-', "Print more output"},
872	{"msg", OPT_MSG, '-', "Show protocol messages"},
873	{"msgfile", OPT_MSGFILE, '>',
874	"File to send output of -msg or -trace, instead of stdout"},
875	{"state", OPT_STATE, '-', "Print the SSL states"},
876	{"async", OPT_ASYNC, '-', "Operate in asynchronous mode"},
877	{"max_pipelines", OPT_MAX_PIPELINES, 'p',
878	"Maximum number of encrypt/decrypt pipelines to be used"},
879	{"naccept", OPT_NACCEPT, 'p', "Terminate after #num connections"},
880	{"keylogfile", OPT_KEYLOG_FILE, '>', "Write TLS secrets to file"},
881
882	OPT_SECTION("Network"){ OPT_SECTION_STR, 1, '-', "Network" " options:\n" },
883	{"nbio", OPT_NBIO, '-', "Use non-blocking IO"},
884	{"timeout", OPT_TIMEOUT, '-', "Enable timeouts"},
885	{"mtu", OPT_MTU, 'p', "Set link-layer MTU"},
886	{"read_buf", OPT_READ_BUF, 'p',
887	"Default read buffer size to be used for connections"},
888	{"split_send_frag", OPT_SPLIT_SEND_FRAG, 'p',
889	"Size used to split data for encrypt pipelines"},
890	{"max_send_frag", OPT_MAX_SEND_FRAG, 'p', "Maximum Size of send frames "},
891
892	OPT_SECTION("Server identity"){ OPT_SECTION_STR, 1, '-', "Server identity" " options:\n" },
893	{"psk_identity", OPT_PSK_IDENTITY, 's', "PSK identity to expect"},
894	#ifndef OPENSSL_NO_PSK
895	{"psk_hint", OPT_PSK_HINT, 's', "PSK identity hint to use"},
896	#endif
897	{"psk", OPT_PSK, 's', "PSK in hex (without 0x)"},
898	{"psk_session", OPT_PSK_SESS, '<', "File to read PSK SSL session from"},
899	#ifndef OPENSSL_NO_SRP
900	{"srpvfile", OPT_SRPVFILE, '<', "(deprecated) The verifier file for SRP"},
901	{"srpuserseed", OPT_SRPUSERSEED, 's',
902	"(deprecated) A seed string for a default user salt"},
903	#endif
904
905	OPT_SECTION("Protocol and version"){ OPT_SECTION_STR, 1, '-', "Protocol and version" " options:\n" },
906	{"max_early_data", OPT_MAX_EARLY, 'n',
907	"The maximum number of bytes of early data as advertised in tickets"},
908	{"recv_max_early_data", OPT_RECV_MAX_EARLY, 'n',
909	"The maximum number of bytes of early data (hard limit)"},
910	{"early_data", OPT_EARLY_DATA, '-', "Attempt to read early data"},
911	{"num_tickets", OPT_S_NUM_TICKETS, 'n',
912	"The number of TLSv1.3 session tickets that a server will automatically issue" },
913	{"anti_replay", OPT_ANTI_REPLAY, '-', "Switch on anti-replay protection (default)"},
914	{"no_anti_replay", OPT_NO_ANTI_REPLAY, '-', "Switch off anti-replay protection"},
915	{"http_server_binmode", OPT_HTTP_SERVER_BINMODE, '-', "opening files in binary mode when acting as http server (-WWW and -HTTP)"},
916	{"no_ca_names", OPT_NOCANAMES, '-',
917	"Disable TLS Extension CA Names"},
918	{"stateless", OPT_STATELESS, '-', "Require TLSv1.3 cookies"},
919	#ifndef OPENSSL_NO_SSL3
920	{"ssl3", OPT_SSL3, '-', "Just talk SSLv3"},
921	#endif
922	#ifndef OPENSSL_NO_TLS1
923	{"tls1", OPT_TLS1, '-', "Just talk TLSv1"},
924	#endif
925	#ifndef OPENSSL_NO_TLS1_1
926	{"tls1_1", OPT_TLS1_1, '-', "Just talk TLSv1.1"},
927	#endif
928	#ifndef OPENSSL_NO_TLS1_2
929	{"tls1_2", OPT_TLS1_2, '-', "just talk TLSv1.2"},
930	#endif
931	#ifndef OPENSSL_NO_TLS1_3
932	{"tls1_3", OPT_TLS1_3, '-', "just talk TLSv1.3"},
933	#endif
934	#ifndef OPENSSL_NO_DTLS
935	{"dtls", OPT_DTLS, '-', "Use any DTLS version"},
936	{"listen", OPT_LISTEN, '-',
937	"Listen for a DTLS ClientHello with a cookie and then connect"},
938	#endif
939	#ifndef OPENSSL_NO_DTLS1
940	{"dtls1", OPT_DTLS1, '-', "Just talk DTLSv1"},
941	#endif
942	#ifndef OPENSSL_NO_DTLS1_2
943	{"dtls1_2", OPT_DTLS1_2, '-', "Just talk DTLSv1.2"},
944	#endif
945	#ifndef OPENSSL_NO_SCTP
946	{"sctp", OPT_SCTP, '-', "Use SCTP"},
947	{"sctp_label_bug", OPT_SCTP_LABEL_BUG, '-', "Enable SCTP label length bug"},
948	#endif
949	#ifndef OPENSSL_NO_SRTP
950	{"use_srtp", OPT_SRTP_PROFILES, 's',
951	"Offer SRTP key management with a colon-separated profile list"},
952	#endif
953	{"no_dhe", OPT_NO_DHE, '-', "Disable ephemeral DH"},
954	#ifndef OPENSSL_NO_NEXTPROTONEG
955	{"nextprotoneg", OPT_NEXTPROTONEG, 's',
956	"Set the advertised protocols for the NPN extension (comma-separated list)"},
957	#endif
958	{"alpn", OPT_ALPN, 's',
959	"Set the advertised protocols for the ALPN extension (comma-separated list)"},
960	#ifndef OPENSSL_NO_KTLS
961	{"sendfile", OPT_SENDFILE, '-', "Use sendfile to response file with -WWW"},
962	#endif
963
964	OPT_R_OPTIONS{ OPT_SECTION_STR, 1, '-', "Random state" " options:\n" }, {"rand" , OPT_R_RAND, 's', "Load the given file(s) into the random number generator" }, {"writerand", OPT_R_WRITERAND, '>', "Write random data to the specified file" },
965	OPT_S_OPTIONS{ OPT_SECTION_STR, 1, '-', "TLS/SSL" " options:\n" }, {"no_ssl3" , OPT_S_NOSSL3, '-',"Just disable SSLv3" }, {"no_tls1", OPT_S_NOTLS1 , '-', "Just disable TLSv1"}, {"no_tls1_1", OPT_S_NOTLS1_1, '-' , "Just disable TLSv1.1" }, {"no_tls1_2", OPT_S_NOTLS1_2, '-' , "Just disable TLSv1.2"}, {"no_tls1_3", OPT_S_NOTLS1_3, '-', "Just disable TLSv1.3"}, {"bugs", OPT_S_BUGS, '-', "Turn on SSL bug compatibility" }, {"no_comp", OPT_S_NO_COMP, '-', "Disable SSL/TLS compression (default)" }, {"comp", OPT_S_COMP, '-', "Use SSL/TLS-level compression" }, {"no_ticket", OPT_S_NOTICKET, '-', "Disable use of TLS session tickets" }, {"serverpref", OPT_S_SERVERPREF, '-', "Use server's cipher preferences" }, {"legacy_renegotiation", OPT_S_LEGACYRENEG, '-', "Enable use of legacy renegotiation (dangerous)" }, {"client_renegotiation", OPT_S_CLIENTRENEG, '-', "Allow client-initiated renegotiation" }, {"no_renegotiation", OPT_S_NO_RENEGOTIATION, '-', "Disable all renegotiation." }, {"legacy_server_connect", OPT_S_LEGACYCONN, '-', "Allow initial connection to servers that don't support RI" }, {"no_resumption_on_reneg", OPT_S_ONRESUMP, '-', "Disallow session resumption on renegotiation" }, {"no_legacy_server_connect", OPT_S_NOLEGACYCONN, '-', "Disallow initial connection to servers that don't support RI" }, {"allow_no_dhe_kex", OPT_S_ALLOW_NO_DHE_KEX, '-', "In TLSv1.3 allow non-(ec)dhe based key exchange on resumption" }, {"prioritize_chacha", OPT_S_PRIORITIZE_CHACHA, '-', "Prioritize ChaCha ciphers when preferred by clients" }, {"strict", OPT_S_STRICT, '-', "Enforce strict certificate checks as per TLS standard" }, {"sigalgs", OPT_S_SIGALGS, 's', "Signature algorithms to support (colon-separated list)" }, {"client_sigalgs", OPT_S_CLIENTSIGALGS, 's', "Signature algorithms to support for client certificate" " authentication (colon-separated list)" }, {"groups", OPT_S_GROUPS , 's', "Groups to advertise (colon-separated list)" }, {"curves" , OPT_S_CURVES, 's', "Groups to advertise (colon-separated list)" }, {"named_curve", OPT_S_NAMEDCURVE, 's', "Elliptic curve used for ECDHE (server-side only)" }, {"cipher", OPT_S_CIPHER, 's', "Specify TLSv1.2 and below cipher list to be used" }, {"ciphersuites", OPT_S_CIPHERSUITES, 's', "Specify TLSv1.3 ciphersuites to be used" }, {"min_protocol", OPT_S_MINPROTO, 's', "Specify the minimum protocol version to be used" }, {"max_protocol", OPT_S_MAXPROTO, 's', "Specify the maximum protocol version to be used" }, {"record_padding", OPT_S_RECORD_PADDING, 's', "Block size to pad TLS 1.3 records to." }, {"debug_broken_protocol", OPT_S_DEBUGBROKE, '-', "Perform all sorts of protocol violations for testing purposes" }, {"no_middlebox", OPT_S_NO_MIDDLEBOX, '-', "Disable TLSv1.3 middlebox compat mode" }, {"no_etm", OPT_S_NO_ETM, '-', "Disable Encrypt-then-Mac extension" },
966	OPT_V_OPTIONS{ OPT_SECTION_STR, 1, '-', "Validation" " options:\n" }, { "policy" , OPT_V_POLICY, 's', "adds policy to the acceptable policy set" }, { "purpose", OPT_V_PURPOSE, 's', "certificate chain purpose" }, { "verify_name", OPT_V_VERIFY_NAME, 's', "verification policy name" }, { "verify_depth", OPT_V_VERIFY_DEPTH, 'n', "chain depth limit" }, { "auth_level", OPT_V_VERIFY_AUTH_LEVEL, 'n', "chain authentication security level" }, { "attime", OPT_V_ATTIME, 'M', "verification epoch time" } , { "verify_hostname", OPT_V_VERIFY_HOSTNAME, 's', "expected peer hostname" }, { "verify_email", OPT_V_VERIFY_EMAIL, 's', "expected peer email" }, { "verify_ip", OPT_V_VERIFY_IP, 's', "expected peer IP address" }, { "ignore_critical", OPT_V_IGNORE_CRITICAL, '-', "permit unhandled critical extensions" }, { "issuer_checks", OPT_V_ISSUER_CHECKS, '-', "(deprecated)" }, { "crl_check", OPT_V_CRL_CHECK, '-', "check leaf certificate revocation" }, { "crl_check_all", OPT_V_CRL_CHECK_ALL, '-', "check full chain revocation" }, { "policy_check", OPT_V_POLICY_CHECK, '-', "perform rfc5280 policy checks" }, { "explicit_policy", OPT_V_EXPLICIT_POLICY, '-', "set policy variable require-explicit-policy" }, { "inhibit_any", OPT_V_INHIBIT_ANY, '-', "set policy variable inhibit-any-policy" }, { "inhibit_map", OPT_V_INHIBIT_MAP, '-', "set policy variable inhibit-policy-mapping" }, { "x509_strict", OPT_V_X509_STRICT, '-', "disable certificate compatibility work-arounds" }, { "extended_crl", OPT_V_EXTENDED_CRL, '-', "enable extended CRL features" }, { "use_deltas", OPT_V_USE_DELTAS, '-', "use delta CRLs"}, { "policy_print", OPT_V_POLICY_PRINT, '-', "print policy processing diagnostics" }, { "check_ss_sig", OPT_V_CHECK_SS_SIG, '-', "check root CA self-signatures" }, { "trusted_first", OPT_V_TRUSTED_FIRST, '-', "search trust store first (default)" }, { "suiteB_128_only", OPT_V_SUITEB_128_ONLY, '-', "Suite B 128-bit-only mode" }, { "suiteB_128", OPT_V_SUITEB_128, '-', "Suite B 128-bit mode allowing 192-bit algorithms" }, { "suiteB_192", OPT_V_SUITEB_192, '-', "Suite B 192-bit-only mode" }, { "partial_chain", OPT_V_PARTIAL_CHAIN, '-', "accept chains anchored by intermediate trust-store CAs" }, { "no_alt_chains", OPT_V_NO_ALT_CHAINS, '-', "(deprecated)" }, { "no_check_time", OPT_V_NO_CHECK_TIME, '-', "ignore certificate validity time" }, { "allow_proxy_certs", OPT_V_ALLOW_PROXY_CERTS, '-', "allow the use of proxy certificates" },
967	OPT_X_OPTIONS{ OPT_SECTION_STR, 1, '-', "Extended certificate" " options:\n" }, { "xkey", OPT_X_KEY, '<', "key for Extended certificates" }, { "xcert", OPT_X_CERT, '<', "cert for Extended certificates" }, { "xchain", OPT_X_CHAIN, '<', "chain for Extended certificates" }, { "xchain_build", OPT_X_CHAIN_BUILD, '-', "build certificate chain for the extended certificates" }, { "xcertform", OPT_X_CERTFORM, 'F', "format of Extended certificate (PEM/DER/P12); has no effect" }, { "xkeyform", OPT_X_KEYFORM, 'F', "format of Extended certificate's key (DER/PEM/P12); has no effect" },
968	OPT_PROV_OPTIONS{ OPT_SECTION_STR, 1, '-', "Provider" " options:\n" }, { "provider-path" , OPT_PROV_PROVIDER_PATH, 's', "Provider load path (must be before 'provider' argument if required)" }, { "provider", OPT_PROV_PROVIDER, 's', "Provider to load (can be specified multiple times)" }, { "propquery", OPT_PROV_PROPQUERY, 's', "Property query used when fetching algorithms" },
969	{NULL((void*)0)}
970	};
971
972	#define IS_PROT_FLAG(o)(o == OPT_SSL3 \|\| o == OPT_TLS1 \|\| o == OPT_TLS1_1 \|\| o == OPT_TLS1_2 \|\| o == OPT_TLS1_3 \|\| o == OPT_DTLS \|\| o == OPT_DTLS1 \|\| o == OPT_DTLS1_2) \
973	(o == OPT_SSL3 \|\| o == OPT_TLS1 \|\| o == OPT_TLS1_1 \|\| o == OPT_TLS1_2 \
974	\|\| o == OPT_TLS1_3 \|\| o == OPT_DTLS \|\| o == OPT_DTLS1 \|\| o == OPT_DTLS1_2)
975
976	int s_server_main(int argc, char *argv[])
977	{
978	ENGINE engine = NULL((void)0);
979	EVP_PKEY s_key = NULL((void)0), s_dkey = NULL((void)0);
980	SSL_CONF_CTX cctx = NULL((void)0);
981	const SSL_METHOD *meth = TLS_server_method();
982	SSL_EXCERT exc = NULL((void)0);
983	STACK_OF(OPENSSL_STRING)struct stack_st_OPENSSL_STRING ssl_args = NULL((void)0);
984	STACK_OF(X509)struct stack_st_X509 s_chain = NULL((void)0), s_dchain = NULL((void)0);
985	STACK_OF(X509_CRL)struct stack_st_X509_CRL crls = NULL((void)0);
986	X509 s_cert = NULL((void)0), s_dcert = NULL((void)0);
987	X509_VERIFY_PARAM vpm = NULL((void)0);
988	const char CApath = NULL((void)0), CAfile = NULL((void)0), CAstore = NULL((void)0);
989	const char chCApath = NULL((void)0), chCAfile = NULL((void)0), chCAstore = NULL((void)0);
990	char dpassarg = NULL((void)0), dpass = NULL((void)0);
991	char passarg = NULL((void)0), pass = NULL((void)0);
992	char vfyCApath = NULL((void)0), vfyCAfile = NULL((void)0), vfyCAstore = NULL((void)0);
993	char crl_file = NULL((void)0), *prog;
994	#ifdef AF_UNIX1
995	int unlink_unix_path = 0;
996	#endif
997	do_server_cb server_cb;
998	int vpmtouched = 0, build_chain = 0, no_cache = 0, ext_cache = 0;
999	char dhfile = NULL((void)0);
1000	int no_dhe = 0;
1001	int nocert = 0, ret = 1;
1002	int noCApath = 0, noCAfile = 0, noCAstore = 0;
1003	int s_cert_format = FORMAT_UNDEF0, s_key_format = FORMAT_UNDEF0;
1004	int s_dcert_format = FORMAT_UNDEF0, s_dkey_format = FORMAT_UNDEF0;
1005	int rev = 0, naccept = -1, sdebug = 0;
1006	int socket_family = AF_UNSPEC0, socket_type = SOCK_STREAMSOCK_STREAM, protocol = 0;
1007	int state = 0, crl_format = FORMAT_UNDEF0, crl_download = 0;
1008	char host = NULL((void)0);
1009	char port = NULL((void)0);
1010	unsigned char context = NULL((void)0);
1011	OPTION_CHOICE o;
1012	EVP_PKEY s_key2 = NULL((void)0);
1013	X509 s_cert2 = NULL((void)0);
1014	tlsextctx tlsextcbp = { NULL((void)0), NULL((void)0), SSL_TLSEXT_ERR_ALERT_WARNING1 };
1015	const char ssl_config = NULL((void)0);
1016	int read_buf_len = 0;
1017	#ifndef OPENSSL_NO_NEXTPROTONEG
1018	const char next_proto_neg_in = NULL((void)0);
1019	tlsextnextprotoctx next_proto = { NULL((void*)0), 0 };
1020	#endif
1021	const char alpn_in = NULL((void)0);
1022	tlsextalpnctx alpn_ctx = { NULL((void*)0), 0 };
1023	#ifndef OPENSSL_NO_PSK
1024	/* by default do not send a PSK identity hint */
1025	char psk_identity_hint = NULL((void)0);
1026	#endif
1027	char *p;
1028	#ifndef OPENSSL_NO_SRP
1029	char srpuserseed = NULL((void)0);
1030	char srp_verifier_file = NULL((void)0);
1031	#endif
1032	#ifndef OPENSSL_NO_SRTP
1033	char srtp_profiles = NULL((void)0);
1034	#endif
1035	int min_version = 0, max_version = 0, prot_opt = 0, no_prot_opt = 0;
1036	int s_server_verify = SSL_VERIFY_NONE0x00;
1037	int s_server_session_id_context = 1; /* anything will do */
1038	const char s_cert_file = TEST_CERT"server.pem", s_key_file = NULL((void)0), s_chain_file = NULL((void*)0);
1039	const char s_cert_file2 = TEST_CERT2"server2.pem", s_key_file2 = NULL((void*)0);
1040	char s_dcert_file = NULL((void)0), s_dkey_file = NULL((void)0), s_dchain_file = NULL((void)0);
1041	#ifndef OPENSSL_NO_OCSP
1042	int s_tlsextstatus = 0;
1043	#endif
1044	int no_resume_ephemeral = 0;
1045	unsigned int max_send_fragment = 0;
1046	unsigned int split_send_fragment = 0, max_pipelines = 0;
1047	const char s_serverinfo_file = NULL((void)0);
1048	const char keylog_file = NULL((void)0);
1049	int max_early_data = -1, recv_max_early_data = -1;
1050	char psksessf = NULL((void)0);
1051	int no_ca_names = 0;
1052	#ifndef OPENSSL_NO_SCTP
1053	int sctp_label_bug = 0;
1054	#endif
1055	int ignore_unexpected_eof = 0;
1056
1057	/* Init of few remaining global variables */
1058	local_argc = argc;
1059	local_argv = argv;
1060
1061	ctx = ctx2 = NULL((void*)0);
1062	s_nbio = s_nbio_test = 0;
1063	www = 0;
1064	bio_s_out = NULL((void*)0);
1065	s_debug = 0;
1066	s_msg = 0;
1067	s_quiet = 0;
1068	s_brief = 0;
1069	async = 0;
1070	use_sendfile = 0;
1071
1072	port = OPENSSL_strdup(PORT)CRYPTO_strdup("4433", "../deps/openssl/openssl/apps/s_server.c" , 1072);
1073	cctx = SSL_CONF_CTX_new();
1074	vpm = X509_VERIFY_PARAM_new();
1075	if (port == NULL((void)0) \|\| cctx == NULL((void)0) \|\| vpm == NULL((void*)0))
1076	goto end;
1077	SSL_CONF_CTX_set_flags(cctx,
1078	SSL_CONF_FLAG_SERVER0x8 \| SSL_CONF_FLAG_CMDLINE0x1);
1079
1080	prog = opt_init(argc, argv, s_server_options);
1081	while ((o = opt_next()) != OPT_EOF) {
1082	if (IS_PROT_FLAG(o)(o == OPT_SSL3 \|\| o == OPT_TLS1 \|\| o == OPT_TLS1_1 \|\| o == OPT_TLS1_2 \|\| o == OPT_TLS1_3 \|\| o == OPT_DTLS \|\| o == OPT_DTLS1 \|\| o == OPT_DTLS1_2) && ++prot_opt > 1) {
1083	BIO_printf(bio_err, "Cannot supply multiple protocol flags\n");
1084	goto end;
1085	}
1086	if (IS_NO_PROT_FLAG(o)(o == OPT_S_NOSSL3 \|\| o == OPT_S_NOTLS1 \|\| o == OPT_S_NOTLS1_1 \|\| o == OPT_S_NOTLS1_2 \|\| o == OPT_S_NOTLS1_3))
1087	no_prot_opt++;
1088	if (prot_opt == 1 && no_prot_opt) {
1089	BIO_printf(bio_err,
1090	"Cannot supply both a protocol flag and '-no_<prot>'\n");
1091	goto end;
1092	}
1093	switch (o) {
1094	case OPT_EOF:
1095	case OPT_ERR:
1096	opthelp:
1097	BIO_printf(bio_err, "%s: Use -help for summary.\n", prog);
1098	goto end;
1099	case OPT_HELP:
1100	opt_help(s_server_options);
1101	ret = 0;
1102	goto end;
1103
1104	case OPT_4:
1105	#ifdef AF_UNIX1
1106	if (socket_family == AF_UNIX1) {
1107	OPENSSL_free(host)CRYPTO_free(host, "../deps/openssl/openssl/apps/s_server.c", 1107 ); host = NULL((void*)0);
1108	OPENSSL_free(port)CRYPTO_free(port, "../deps/openssl/openssl/apps/s_server.c", 1108 ); port = NULL((void*)0);
1109	}
1110	#endif
1111	socket_family = AF_INET2;
1112	break;
1113	case OPT_6:
1114	if (1) {
1115	#ifdef AF_INET610
1116	#ifdef AF_UNIX1
1117	if (socket_family == AF_UNIX1) {
1118	OPENSSL_free(host)CRYPTO_free(host, "../deps/openssl/openssl/apps/s_server.c", 1118 ); host = NULL((void*)0);
1119	OPENSSL_free(port)CRYPTO_free(port, "../deps/openssl/openssl/apps/s_server.c", 1119 ); port = NULL((void*)0);
1120	}
1121	#endif
1122	socket_family = AF_INET610;
1123	} else {
1124	#endif
1125	BIO_printf(bio_err, "%s: IPv6 domain sockets unsupported\n", prog);
1126	goto end;
1127	}
1128	break;
1129	case OPT_PORT:
1130	#ifdef AF_UNIX1
1131	if (socket_family == AF_UNIX1) {
1132	socket_family = AF_UNSPEC0;
1133	}
1134	#endif
1135	OPENSSL_free(port)CRYPTO_free(port, "../deps/openssl/openssl/apps/s_server.c", 1135 ); port = NULL((void*)0);
1136	OPENSSL_free(host)CRYPTO_free(host, "../deps/openssl/openssl/apps/s_server.c", 1136 ); host = NULL((void*)0);
1137	if (BIO_parse_hostserv(opt_arg(), NULL((void*)0), &port, BIO_PARSE_PRIO_SERV) < 1) {
1138	BIO_printf(bio_err,
1139	"%s: -port argument malformed or ambiguous\n",
1140	port);
1141	goto end;
1142	}
1143	break;
1144	case OPT_ACCEPT:
1145	#ifdef AF_UNIX1
1146	if (socket_family == AF_UNIX1) {
1147	socket_family = AF_UNSPEC0;
1148	}
1149	#endif
1150	OPENSSL_free(port)CRYPTO_free(port, "../deps/openssl/openssl/apps/s_server.c", 1150 ); port = NULL((void*)0);
1151	OPENSSL_free(host)CRYPTO_free(host, "../deps/openssl/openssl/apps/s_server.c", 1151 ); host = NULL((void*)0);
1152	if (BIO_parse_hostserv(opt_arg(), &host, &port, BIO_PARSE_PRIO_SERV) < 1) {
1153	BIO_printf(bio_err,
1154	"%s: -accept argument malformed or ambiguous\n",
1155	port);
1156	goto end;
1157	}
1158	break;
1159	#ifdef AF_UNIX1
1160	case OPT_UNIX:
1161	socket_family = AF_UNIX1;
1162	OPENSSL_free(host)CRYPTO_free(host, "../deps/openssl/openssl/apps/s_server.c", 1162 ); host = OPENSSL_strdup(opt_arg())CRYPTO_strdup(opt_arg(), "../deps/openssl/openssl/apps/s_server.c" , 1162);
1163	if (host == NULL((void*)0))
1164	goto end;
1165	OPENSSL_free(port)CRYPTO_free(port, "../deps/openssl/openssl/apps/s_server.c", 1165 ); port = NULL((void*)0);
1166	break;
1167	case OPT_UNLINK:
1168	unlink_unix_path = 1;
1169	break;
1170	#endif
1171	case OPT_NACCEPT:
1172	naccept = atol(opt_arg());
1173	break;
1174	case OPT_VERIFY:
1175	s_server_verify = SSL_VERIFY_PEER0x01 \| SSL_VERIFY_CLIENT_ONCE0x04;
1176	verify_args.depth = atoi(opt_arg());
1177	if (!s_quiet)
1178	BIO_printf(bio_err, "verify depth is %d\n", verify_args.depth);
1179	break;
1180	case OPT_UPPER_V_VERIFY:
1181	s_server_verify =
1182	SSL_VERIFY_PEER0x01 \| SSL_VERIFY_FAIL_IF_NO_PEER_CERT0x02 \|
1183	SSL_VERIFY_CLIENT_ONCE0x04;
1184	verify_args.depth = atoi(opt_arg());
1185	if (!s_quiet)
1186	BIO_printf(bio_err,
1187	"verify depth is %d, must return a certificate\n",
1188	verify_args.depth);
1189	break;
1190	case OPT_CONTEXT:
1191	context = (unsigned char *)opt_arg();
1192	break;
1193	case OPT_CERT:
1194	s_cert_file = opt_arg();
1195	break;
1196	case OPT_NAMEOPT:
1197	if (!set_nameopt(opt_arg()))
1198	goto end;
1199	break;
1200	case OPT_CRL:
1201	crl_file = opt_arg();
1202	break;
1203	case OPT_CRL_DOWNLOAD:
1204	crl_download = 1;
1205	break;
1206	case OPT_SERVERINFO:
1207	s_serverinfo_file = opt_arg();
1208	break;
1209	case OPT_CERTFORM:
1210	if (!opt_format(opt_arg(), OPT_FMT_ANY( (1L << 1) \| (1L << 2) \| (1L << 3) \| (1L << 4) \| (1L << 5) \| (1L << 7) \| (1L << 8) \| ( 1L << 9) \| (1L << 10)), &s_cert_format))
1211	goto opthelp;
1212	break;
1213	case OPT_KEY:
1214	s_key_file = opt_arg();
1215	break;
1216	case OPT_KEYFORM:
1217	if (!opt_format(opt_arg(), OPT_FMT_ANY( (1L << 1) \| (1L << 2) \| (1L << 3) \| (1L << 4) \| (1L << 5) \| (1L << 7) \| (1L << 8) \| ( 1L << 9) \| (1L << 10)), &s_key_format))
1218	goto opthelp;
1219	break;
1220	case OPT_PASS:
1221	passarg = opt_arg();
1222	break;
1223	case OPT_CERT_CHAIN:
1224	s_chain_file = opt_arg();
1225	break;
1226	case OPT_DHPARAM:
1227	dhfile = opt_arg();
1228	break;
1229	case OPT_DCERTFORM:
1230	if (!opt_format(opt_arg(), OPT_FMT_ANY( (1L << 1) \| (1L << 2) \| (1L << 3) \| (1L << 4) \| (1L << 5) \| (1L << 7) \| (1L << 8) \| ( 1L << 9) \| (1L << 10)), &s_dcert_format))
1231	goto opthelp;
1232	break;
1233	case OPT_DCERT:
1234	s_dcert_file = opt_arg();
1235	break;
1236	case OPT_DKEYFORM:
1237	if (!opt_format(opt_arg(), OPT_FMT_ANY( (1L << 1) \| (1L << 2) \| (1L << 3) \| (1L << 4) \| (1L << 5) \| (1L << 7) \| (1L << 8) \| ( 1L << 9) \| (1L << 10)), &s_dkey_format))
1238	goto opthelp;
1239	break;
1240	case OPT_DPASS:
1241	dpassarg = opt_arg();
1242	break;
1243	case OPT_DKEY:
1244	s_dkey_file = opt_arg();
1245	break;
1246	case OPT_DCERT_CHAIN:
1247	s_dchain_file = opt_arg();
1248	break;
1249	case OPT_NOCERT:
1250	nocert = 1;
1251	break;
1252	case OPT_CAPATH:
1253	CApath = opt_arg();
1254	break;
1255	case OPT_NOCAPATH:
1256	noCApath = 1;
1257	break;
1258	case OPT_CHAINCAPATH:
1259	chCApath = opt_arg();
1260	break;
1261	case OPT_VERIFYCAPATH:
1262	vfyCApath = opt_arg();
1263	break;
1264	case OPT_CASTORE:
1265	CAstore = opt_arg();
1266	break;
1267	case OPT_NOCASTORE:
1268	noCAstore = 1;
1269	break;
1270	case OPT_CHAINCASTORE:
1271	chCAstore = opt_arg();
1272	break;
1273	case OPT_VERIFYCASTORE:
1274	vfyCAstore = opt_arg();
1275	break;
1276	case OPT_NO_CACHE:
1277	no_cache = 1;
1278	break;
1279	case OPT_EXT_CACHE:
1280	ext_cache = 1;
1281	break;
1282	case OPT_CRLFORM:
1283	if (!opt_format(opt_arg(), OPT_FMT_PEMDER(1L << 1), &crl_format))
1284	goto opthelp;
1285	break;
1286	case OPT_S_CASESOPT_S__FIRST: case OPT_S__LAST: break; case OPT_S_NOSSL3: case OPT_S_NOTLS1: case OPT_S_NOTLS1_1: case OPT_S_NOTLS1_2: case OPT_S_NOTLS1_3: case OPT_S_BUGS: case OPT_S_NO_COMP: case OPT_S_COMP : case OPT_S_NOTICKET: case OPT_S_SERVERPREF: case OPT_S_LEGACYRENEG : case OPT_S_CLIENTRENEG: case OPT_S_LEGACYCONN: case OPT_S_ONRESUMP : case OPT_S_NOLEGACYCONN: case OPT_S_ALLOW_NO_DHE_KEX: case OPT_S_PRIORITIZE_CHACHA : case OPT_S_STRICT: case OPT_S_SIGALGS: case OPT_S_CLIENTSIGALGS : case OPT_S_GROUPS: case OPT_S_CURVES: case OPT_S_NAMEDCURVE : case OPT_S_CIPHER: case OPT_S_CIPHERSUITES: case OPT_S_RECORD_PADDING : case OPT_S_NO_RENEGOTIATION: case OPT_S_MINPROTO: case OPT_S_MAXPROTO : case OPT_S_DEBUGBROKE: case OPT_S_NO_MIDDLEBOX: case OPT_S_NO_ETM:
1287	case OPT_S_NUM_TICKETS:
1288	case OPT_ANTI_REPLAY:
1289	case OPT_NO_ANTI_REPLAY:
1290	if (ssl_args == NULL((void*)0))
1291	ssl_args = sk_OPENSSL_STRING_new_null()((struct stack_st_OPENSSL_STRING *)OPENSSL_sk_new_null());
1292	if (ssl_args == NULL((void*)0)
1293	\|\| !sk_OPENSSL_STRING_push(ssl_args, opt_flag())OPENSSL_sk_push(ossl_check_OPENSSL_STRING_sk_type(ssl_args), ossl_check_OPENSSL_STRING_type (opt_flag()))
1294	\|\| !sk_OPENSSL_STRING_push(ssl_args, opt_arg())OPENSSL_sk_push(ossl_check_OPENSSL_STRING_sk_type(ssl_args), ossl_check_OPENSSL_STRING_type (opt_arg()))) {
1295	BIO_printf(bio_err, "%s: Memory allocation failure\n", prog);
1296	goto end;
1297	}
1298	break;
1299	case OPT_V_CASESOPT_V__FIRST: case OPT_V__LAST: break; case OPT_V_POLICY: case OPT_V_PURPOSE: case OPT_V_VERIFY_NAME: case OPT_V_VERIFY_DEPTH : case OPT_V_VERIFY_AUTH_LEVEL: case OPT_V_ATTIME: case OPT_V_VERIFY_HOSTNAME : case OPT_V_VERIFY_EMAIL: case OPT_V_VERIFY_IP: case OPT_V_IGNORE_CRITICAL : case OPT_V_ISSUER_CHECKS: case OPT_V_CRL_CHECK: case OPT_V_CRL_CHECK_ALL : case OPT_V_POLICY_CHECK: case OPT_V_EXPLICIT_POLICY: case OPT_V_INHIBIT_ANY : case OPT_V_INHIBIT_MAP: case OPT_V_X509_STRICT: case OPT_V_EXTENDED_CRL : case OPT_V_USE_DELTAS: case OPT_V_POLICY_PRINT: case OPT_V_CHECK_SS_SIG : case OPT_V_TRUSTED_FIRST: case OPT_V_SUITEB_128_ONLY: case OPT_V_SUITEB_128 : case OPT_V_SUITEB_192: case OPT_V_PARTIAL_CHAIN: case OPT_V_NO_ALT_CHAINS : case OPT_V_NO_CHECK_TIME: case OPT_V_ALLOW_PROXY_CERTS:
1300	if (!opt_verify(o, vpm))
1301	goto end;
1302	vpmtouched++;
1303	break;
1304	case OPT_X_CASESOPT_X__FIRST: case OPT_X__LAST: break; case OPT_X_KEY: case OPT_X_CERT : case OPT_X_CHAIN: case OPT_X_CHAIN_BUILD: case OPT_X_CERTFORM : case OPT_X_KEYFORM:
1305	if (!args_excert(o, &exc))
1306	goto end;
1307	break;
1308	case OPT_VERIFY_RET_ERROR:
1309	verify_args.return_error = 1;
1310	break;
1311	case OPT_VERIFY_QUIET:
1312	verify_args.quiet = 1;
1313	break;
1314	case OPT_BUILD_CHAIN:
1315	build_chain = 1;
1316	break;
1317	case OPT_CAFILE:
1318	CAfile = opt_arg();
1319	break;
1320	case OPT_NOCAFILE:
1321	noCAfile = 1;
1322	break;
1323	case OPT_CHAINCAFILE:
1324	chCAfile = opt_arg();
1325	break;
1326	case OPT_VERIFYCAFILE:
1327	vfyCAfile = opt_arg();
1328	break;
1329	case OPT_NBIO:
1330	s_nbio = 1;
1331	break;
1332	case OPT_NBIO_TEST:
1333	s_nbio = s_nbio_test = 1;
1334	break;
1335	case OPT_IGN_EOF:
1336	s_ign_eof = 1;
1337	break;
1338	case OPT_NO_IGN_EOF:
1339	s_ign_eof = 0;
1340	break;
1341	case OPT_DEBUG:
1342	s_debug = 1;
1343	break;
1344	case OPT_TLSEXTDEBUG:
1345	s_tlsextdebug = 1;
1346	break;
1347	case OPT_STATUS:
1348	#ifndef OPENSSL_NO_OCSP
1349	s_tlsextstatus = 1;
1350	#endif
1351	break;
1352	case OPT_STATUS_VERBOSE:
1353	#ifndef OPENSSL_NO_OCSP
1354	s_tlsextstatus = tlscstatp.verbose = 1;
1355	#endif
1356	break;
1357	case OPT_STATUS_TIMEOUT:
1358	#ifndef OPENSSL_NO_OCSP
1359	s_tlsextstatus = 1;
1360	tlscstatp.timeout = atoi(opt_arg());
1361	#endif
1362	break;
1363	case OPT_PROXY:
1364	#ifndef OPENSSL_NO_OCSP
1365	tlscstatp.proxy = opt_arg();
1366	#endif
1367	break;
1368	case OPT_NO_PROXY:
1369	#ifndef OPENSSL_NO_OCSP
1370	tlscstatp.no_proxy = opt_arg();
1371	#endif
1372	break;
1373	case OPT_STATUS_URL:
1374	#ifndef OPENSSL_NO_OCSP
1375	s_tlsextstatus = 1;
1376	if (!OSSL_HTTP_parse_url(opt_arg(), &tlscstatp.use_ssl, NULL((void*)0),
1377	&tlscstatp.host, &tlscstatp.port, NULL((void*)0),
1378	&tlscstatp.path, NULL((void)0), NULL((void)0))) {
1379	BIO_printf(bio_err, "Error parsing -status_url argument\n");
1380	goto end;
1381	}
1382	#endif
1383	break;
1384	case OPT_STATUS_FILE:
1385	#ifndef OPENSSL_NO_OCSP
1386	s_tlsextstatus = 1;
1387	tlscstatp.respin = opt_arg();
1388	#endif
1389	break;
1390	case OPT_MSG:
1391	s_msg = 1;
1392	break;
1393	case OPT_MSGFILE:
1394	bio_s_msg = BIO_new_file(opt_arg(), "w");
1395	if (bio_s_msg == NULL((void*)0)) {
1396	BIO_printf(bio_err, "Error writing file %s\n", opt_arg());
1397	goto end;
1398	}
1399	break;
1400	case OPT_TRACE:
1401	#ifndef OPENSSL_NO_SSL_TRACE
1402	s_msg = 2;
1403	#endif
1404	break;
1405	case OPT_SECURITY_DEBUG:
1406	sdebug = 1;
1407	break;
1408	case OPT_SECURITY_DEBUG_VERBOSE:
1409	sdebug = 2;
1410	break;
1411	case OPT_STATE:
1412	state = 1;
1413	break;
1414	case OPT_CRLF:
1415	s_crlf = 1;
1416	break;
1417	case OPT_QUIET:
1418	s_quiet = 1;
1419	break;
1420	case OPT_BRIEF:
1421	s_quiet = s_brief = verify_args.quiet = 1;
1422	break;
1423	case OPT_NO_DHE:
1424	no_dhe = 1;
1425	break;
1426	case OPT_NO_RESUME_EPHEMERAL:
1427	no_resume_ephemeral = 1;
1428	break;
1429	case OPT_PSK_IDENTITY:
1430	psk_identity = opt_arg();
1431	break;
1432	case OPT_PSK_HINT:
1433	#ifndef OPENSSL_NO_PSK
1434	psk_identity_hint = opt_arg();
1435	#endif
1436	break;
1437	case OPT_PSK:
1438	for (p = psk_key = opt_arg(); *p; p++) {
1439	if (isxdigit(_UC(p))((__ctype_b_loc ())[(int) ((((unsigned char)(*p))))] & ( unsigned short int) _ISxdigit))
1440	continue;
1441	BIO_printf(bio_err, "Not a hex number '%s'\n", psk_key);
1442	goto end;
1443	}
1444	break;
1445	case OPT_PSK_SESS:
1446	psksessf = opt_arg();
1447	break;
1448	case OPT_SRPVFILE:
1449	#ifndef OPENSSL_NO_SRP
1450	srp_verifier_file = opt_arg();
1451	if (min_version < TLS1_VERSION0x0301)
1452	min_version = TLS1_VERSION0x0301;
1453	#endif
1454	break;
1455	case OPT_SRPUSERSEED:
1456	#ifndef OPENSSL_NO_SRP
1457	srpuserseed = opt_arg();
1458	if (min_version < TLS1_VERSION0x0301)
1459	min_version = TLS1_VERSION0x0301;
1460	#endif
1461	break;
1462	case OPT_REV:
1463	rev = 1;
1464	break;
1465	case OPT_WWW:
1466	www = 1;
1467	break;
1468	case OPT_UPPER_WWW:
1469	www = 2;
1470	break;
1471	case OPT_HTTP:
1472	www = 3;
1473	break;
1474	case OPT_SSL_CONFIG:
1475	ssl_config = opt_arg();
1476	break;
1477	case OPT_SSL3:
1478	min_version = SSL3_VERSION0x0300;
1479	max_version = SSL3_VERSION0x0300;
1480	break;
1481	case OPT_TLS1_3:
1482	min_version = TLS1_3_VERSION0x0304;
1483	max_version = TLS1_3_VERSION0x0304;
1484	break;
1485	case OPT_TLS1_2:
1486	min_version = TLS1_2_VERSION0x0303;
1487	max_version = TLS1_2_VERSION0x0303;
1488	break;
1489	case OPT_TLS1_1:
1490	min_version = TLS1_1_VERSION0x0302;
1491	max_version = TLS1_1_VERSION0x0302;
1492	break;
1493	case OPT_TLS1:
1494	min_version = TLS1_VERSION0x0301;
1495	max_version = TLS1_VERSION0x0301;
1496	break;
1497	case OPT_DTLS:
1498	#ifndef OPENSSL_NO_DTLS
1499	meth = DTLS_server_method();
1500	socket_type = SOCK_DGRAMSOCK_DGRAM;
1501	#endif
1502	break;
1503	case OPT_DTLS1:
1504	#ifndef OPENSSL_NO_DTLS
1505	meth = DTLS_server_method();
1506	min_version = DTLS1_VERSION0xFEFF;
1507	max_version = DTLS1_VERSION0xFEFF;
1508	socket_type = SOCK_DGRAMSOCK_DGRAM;
1509	#endif
1510	break;
1511	case OPT_DTLS1_2:
1512	#ifndef OPENSSL_NO_DTLS
1513	meth = DTLS_server_method();
1514	min_version = DTLS1_2_VERSION0xFEFD;
1515	max_version = DTLS1_2_VERSION0xFEFD;
1516	socket_type = SOCK_DGRAMSOCK_DGRAM;
1517	#endif
1518	break;
1519	case OPT_SCTP:
1520	#ifndef OPENSSL_NO_SCTP
1521	protocol = IPPROTO_SCTPIPPROTO_SCTP;
1522	#endif
1523	break;
1524	case OPT_SCTP_LABEL_BUG:
1525	#ifndef OPENSSL_NO_SCTP
1526	sctp_label_bug = 1;
1527	#endif
1528	break;
1529	case OPT_TIMEOUT:
1530	#ifndef OPENSSL_NO_DTLS
1531	enable_timeouts = 1;
1532	#endif
1533	break;
1534	case OPT_MTU:
1535	#ifndef OPENSSL_NO_DTLS
1536	socket_mtu = atol(opt_arg());
1537	#endif
1538	break;
1539	case OPT_LISTEN:
1540	#ifndef OPENSSL_NO_DTLS
1541	dtlslisten = 1;
1542	#endif
1543	break;
1544	case OPT_STATELESS:
1545	stateless = 1;
1546	break;
1547	case OPT_ID_PREFIX:
1548	session_id_prefix = opt_arg();
1549	break;
1550	case OPT_ENGINE:
1551	#ifndef OPENSSL_NO_ENGINE
1552	engine = setup_engine(opt_arg(), s_debug)setup_engine_methods(opt_arg(), (unsigned int)-1, s_debug);
1553	#endif
1554	break;
1555	case OPT_R_CASESOPT_R__FIRST: case OPT_R__LAST: break; case OPT_R_RAND: case OPT_R_WRITERAND:
1556	if (!opt_rand(o))
1557	goto end;
1558	break;
1559	case OPT_PROV_CASESOPT_PROV__FIRST: case OPT_PROV__LAST: break; case OPT_PROV_PROVIDER : case OPT_PROV_PROVIDER_PATH: case OPT_PROV_PROPQUERY:
1560	if (!opt_provider(o))
1561	goto end;
1562	break;
1563	case OPT_SERVERNAME:
1564	tlsextcbp.servername = opt_arg();
1565	break;
1566	case OPT_SERVERNAME_FATAL:
1567	tlsextcbp.extension_error = SSL_TLSEXT_ERR_ALERT_FATAL2;
1568	break;
1569	case OPT_CERT2:
1570	s_cert_file2 = opt_arg();
1571	break;
1572	case OPT_KEY2:
1573	s_key_file2 = opt_arg();
1574	break;
1575	case OPT_NEXTPROTONEG:
1576	# ifndef OPENSSL_NO_NEXTPROTONEG
1577	next_proto_neg_in = opt_arg();
1578	#endif
1579	break;
1580	case OPT_ALPN:
1581	alpn_in = opt_arg();
1582	break;
1583	case OPT_SRTP_PROFILES:
1584	#ifndef OPENSSL_NO_SRTP
1585	srtp_profiles = opt_arg();
1586	#endif
1587	break;
1588	case OPT_KEYMATEXPORT:
1589	keymatexportlabel = opt_arg();
1590	break;
1591	case OPT_KEYMATEXPORTLEN:
1592	keymatexportlen = atoi(opt_arg());
1593	break;
1594	case OPT_ASYNC:
1595	async = 1;
1596	break;
1597	case OPT_MAX_SEND_FRAG:
1598	max_send_fragment = atoi(opt_arg());
1599	break;
1600	case OPT_SPLIT_SEND_FRAG:
1601	split_send_fragment = atoi(opt_arg());
1602	break;
1603	case OPT_MAX_PIPELINES:
1604	max_pipelines = atoi(opt_arg());
1605	break;
1606	case OPT_READ_BUF:
1607	read_buf_len = atoi(opt_arg());
1608	break;
1609	case OPT_KEYLOG_FILE:
1610	keylog_file = opt_arg();
1611	break;
1612	case OPT_MAX_EARLY:
1613	max_early_data = atoi(opt_arg());
1614	if (max_early_data < 0) {
1615	BIO_printf(bio_err, "Invalid value for max_early_data\n");
1616	goto end;
1617	}
1618	break;
1619	case OPT_RECV_MAX_EARLY:
1620	recv_max_early_data = atoi(opt_arg());
1621	if (recv_max_early_data < 0) {
1622	BIO_printf(bio_err, "Invalid value for recv_max_early_data\n");
1623	goto end;
1624	}
1625	break;
1626	case OPT_EARLY_DATA:
1627	early_data = 1;
1628	if (max_early_data == -1)
1629	max_early_data = SSL3_RT_MAX_PLAIN_LENGTH16384;
1630	break;
1631	case OPT_HTTP_SERVER_BINMODE:
1632	http_server_binmode = 1;
1633	break;
1634	case OPT_NOCANAMES:
1635	no_ca_names = 1;
1636	break;
1637	case OPT_SENDFILE:
1638	#ifndef OPENSSL_NO_KTLS
1639	use_sendfile = 1;
1640	#endif
1641	break;
1642	case OPT_IGNORE_UNEXPECTED_EOF:
1643	ignore_unexpected_eof = 1;
1644	break;
1645	}
1646	}
1647
1648	/* No extra arguments. */
1649	argc = opt_num_rest();
1650	if (argc != 0)
1651	goto opthelp;
1652
1653	if (!app_RAND_load())
1654	goto end;
1655
1656	#ifndef OPENSSL_NO_NEXTPROTONEG
1657	if (min_version == TLS1_3_VERSION0x0304 && next_proto_neg_in != NULL((void*)0)) {
1658	BIO_printf(bio_err, "Cannot supply -nextprotoneg with TLSv1.3\n");
1659	goto opthelp;
1660	}
1661	#endif
1662	#ifndef OPENSSL_NO_DTLS
1663	if (www && socket_type == SOCK_DGRAMSOCK_DGRAM) {
1664	BIO_printf(bio_err, "Can't use -HTTP, -www or -WWW with DTLS\n");
1665	goto end;
1666	}
1667
1668	if (dtlslisten && socket_type != SOCK_DGRAMSOCK_DGRAM) {
1669	BIO_printf(bio_err, "Can only use -listen with DTLS\n");
1670	goto end;
1671	}
1672	#endif
1673
1674	if (stateless && socket_type != SOCK_STREAMSOCK_STREAM) {
1675	BIO_printf(bio_err, "Can only use --stateless with TLS\n");
1676	goto end;
1677	}
1678
1679	#ifdef AF_UNIX1
1680	if (socket_family == AF_UNIX1 && socket_type != SOCK_STREAMSOCK_STREAM) {
1681	BIO_printf(bio_err,
1682	"Can't use unix sockets and datagrams together\n");
1683	goto end;
1684	}
1685	#endif
1686	if (early_data && (www > 0 \|\| rev)) {
1687	BIO_printf(bio_err,
1688	"Can't use -early_data in combination with -www, -WWW, -HTTP, or -rev\n");
1689	goto end;
1690	}
1691
1692	#ifndef OPENSSL_NO_SCTP
1693	if (protocol == IPPROTO_SCTPIPPROTO_SCTP) {
1694	if (socket_type != SOCK_DGRAMSOCK_DGRAM) {
1695	BIO_printf(bio_err, "Can't use -sctp without DTLS\n");
1696	goto end;
1697	}
1698	/* SCTP is unusual. It uses DTLS over a SOCK_STREAM protocol */
1699	socket_type = SOCK_STREAMSOCK_STREAM;
1700	}
1701	#endif
1702
1703	#ifndef OPENSSL_NO_KTLS
1704	if (use_sendfile && www <= 1) {
1705	BIO_printf(bio_err, "Can't use -sendfile without -WWW or -HTTP\n");
1706	goto end;
1707	}
1708	#endif
1709
1710	if (!app_passwd(passarg, dpassarg, &pass, &dpass)) {
1711	BIO_printf(bio_err, "Error getting password\n");
1712	goto end;
1713	}
1714
1715	if (s_key_file == NULL((void*)0))
1716	s_key_file = s_cert_file;
1717
1718	if (s_key_file2 == NULL((void*)0))
1719	s_key_file2 = s_cert_file2;
1720
1721	if (!load_excert(&exc))
1722	goto end;
1723
1724	if (nocert == 0) {
1725	s_key = load_key(s_key_file, s_key_format, 0, pass, engine,
1726	"server certificate private key");
1727	if (s_key == NULL((void*)0))
1728	goto end;
1729
1730	s_cert = load_cert_pass(s_cert_file, s_cert_format, 1, pass,
1731	"server certificate");
1732
1733	if (s_cert == NULL((void*)0))
1734	goto end;
1735	if (s_chain_file != NULL((void*)0)) {
1736	if (!load_certs(s_chain_file, 0, &s_chain, NULL((void*)0),
1737	"server certificate chain"))
1738	goto end;
1739	}
1740
1741	if (tlsextcbp.servername != NULL((void*)0)) {
1742	s_key2 = load_key(s_key_file2, s_key_format, 0, pass, engine,
1743	"second server certificate private key");
1744	if (s_key2 == NULL((void*)0))
1745	goto end;
1746
1747	s_cert2 = load_cert_pass(s_cert_file2, s_cert_format, 1, pass,
1748	"second server certificate");
1749
1750	if (s_cert2 == NULL((void*)0))
1751	goto end;
1752	}
1753	}
1754	#if !defined(OPENSSL_NO_NEXTPROTONEG)
1755	if (next_proto_neg_in) {
1756	next_proto.data = next_protos_parse(&next_proto.len, next_proto_neg_in);
1757	if (next_proto.data == NULL((void*)0))
1758	goto end;
1759	}
1760	#endif
1761	alpn_ctx.data = NULL((void*)0);
1762	if (alpn_in) {
1763	alpn_ctx.data = next_protos_parse(&alpn_ctx.len, alpn_in);
1764	if (alpn_ctx.data == NULL((void*)0))
1765	goto end;
1766	}
1767
1768	if (crl_file != NULL((void*)0)) {
1769	X509_CRL *crl;
1770	crl = load_crl(crl_file, crl_format, 0, "CRL");
1771	if (crl == NULL((void*)0))
1772	goto end;
1773	crls = sk_X509_CRL_new_null()((struct stack_st_X509_CRL *)OPENSSL_sk_new_null());
1774	if (crls == NULL((void*)0) \|\| !sk_X509_CRL_push(crls, crl)OPENSSL_sk_push(ossl_check_X509_CRL_sk_type(crls), ossl_check_X509_CRL_type (crl))) {
1775	BIO_puts(bio_err, "Error adding CRL\n");
1776	ERR_print_errors(bio_err);
1777	X509_CRL_free(crl);
1778	goto end;
1779	}
1780	}
1781
1782	if (s_dcert_file != NULL((void*)0)) {
1783
1784	if (s_dkey_file == NULL((void*)0))
1785	s_dkey_file = s_dcert_file;
1786
1787	s_dkey = load_key(s_dkey_file, s_dkey_format,
1788	0, dpass, engine, "second certificate private key");
1789	if (s_dkey == NULL((void*)0))
1790	goto end;
1791
1792	s_dcert = load_cert_pass(s_dcert_file, s_dcert_format, 1, dpass,
1793	"second server certificate");
1794
1795	if (s_dcert == NULL((void*)0)) {
1796	ERR_print_errors(bio_err);
1797	goto end;
1798	}
1799	if (s_dchain_file != NULL((void*)0)) {
1800	if (!load_certs(s_dchain_file, 0, &s_dchain, NULL((void*)0),
1801	"second server certificate chain"))
1802	goto end;
1803	}
1804
1805	}
1806
1807	if (bio_s_out == NULL((void*)0)) {
1808	if (s_quiet && !s_debug) {
1809	bio_s_out = BIO_new(BIO_s_null());
1810	if (s_msg && bio_s_msg == NULL((void*)0)) {
1811	bio_s_msg = dup_bio_out(FORMAT_TEXT(1 \| 0x8000));
1812	if (bio_s_msg == NULL((void*)0)) {
1813	BIO_printf(bio_err, "Out of memory\n");
1814	goto end;
1815	}
1816	}
1817	} else {
1818	bio_s_out = dup_bio_out(FORMAT_TEXT(1 \| 0x8000));
1819	}
1820	}
1821
1822	if (bio_s_out == NULL((void*)0))
1823	goto end;
1824
1825	if (nocert) {
1826	s_cert_file = NULL((void*)0);
1827	s_key_file = NULL((void*)0);
1828	s_dcert_file = NULL((void*)0);
1829	s_dkey_file = NULL((void*)0);
1830	s_cert_file2 = NULL((void*)0);
1831	s_key_file2 = NULL((void*)0);
1832	}
1833
1834	ctx = SSL_CTX_new_ex(app_get0_libctx(), app_get0_propq(), meth);
1835	if (ctx == NULL((void*)0)) {
1836	ERR_print_errors(bio_err);
1837	goto end;
1838	}
1839
1840	SSL_CTX_clear_mode(ctx, SSL_MODE_AUTO_RETRY)SSL_CTX_ctrl((ctx),78,(0x00000004U),((void*)0));
1841
1842	if (sdebug)
1843	ssl_ctx_security_debug(ctx, sdebug);
1844
1845	if (!config_ctx(cctx, ssl_args, ctx))
1846	goto end;
1847
1848	if (ssl_config) {
1849	if (SSL_CTX_config(ctx, ssl_config) == 0) {
1850	BIO_printf(bio_err, "Error using configuration \"%s\"\n",
1851	ssl_config);
1852	ERR_print_errors(bio_err);
1853	goto end;
1854	}
1855	}
1856	#ifndef OPENSSL_NO_SCTP
1857	if (protocol == IPPROTO_SCTPIPPROTO_SCTP && sctp_label_bug == 1)
1858	SSL_CTX_set_mode(ctx, SSL_MODE_DTLS_SCTP_LABEL_LENGTH_BUG)SSL_CTX_ctrl((ctx),33,(0x00000400U),((void*)0));
1859	#endif
1860
1861	if (min_version != 0
1862	&& SSL_CTX_set_min_proto_version(ctx, min_version)SSL_CTX_ctrl(ctx, 123, min_version, ((void*)0)) == 0)
1863	goto end;
1864	if (max_version != 0
1865	&& SSL_CTX_set_max_proto_version(ctx, max_version)SSL_CTX_ctrl(ctx, 124, max_version, ((void*)0)) == 0)
1866	goto end;
1867
1868	if (session_id_prefix) {
1869	if (strlen(session_id_prefix) >= 32)
1870	BIO_printf(bio_err,
1871	"warning: id_prefix is too long, only one new session will be possible\n");
1872	if (!SSL_CTX_set_generate_session_id(ctx, generate_session_id)) {
1873	BIO_printf(bio_err, "error setting 'id_prefix'\n");
1874	ERR_print_errors(bio_err);
1875	goto end;
1876	}
1877	BIO_printf(bio_err, "id_prefix '%s' set.\n", session_id_prefix);
1878	}
1879	if (exc != NULL((void*)0))
1880	ssl_ctx_set_excert(ctx, exc);
1881
1882	if (state)
1883	SSL_CTX_set_info_callback(ctx, apps_ssl_info_callback);
1884	if (no_cache)
1885	SSL_CTX_set_session_cache_mode(ctx, SSL_SESS_CACHE_OFF)SSL_CTX_ctrl(ctx,44,0x0000,((void*)0));
1886	else if (ext_cache)
1887	init_session_cache_ctx(ctx);
1888	else
1889	SSL_CTX_sess_set_cache_size(ctx, 128)SSL_CTX_ctrl(ctx,42,128,((void*)0));
1890
1891	if (async) {
1892	SSL_CTX_set_mode(ctx, SSL_MODE_ASYNC)SSL_CTX_ctrl((ctx),33,(0x00000100U),((void*)0));
1893	}
1894
1895	if (no_ca_names) {
1896	SSL_CTX_set_options(ctx, SSL_OP_DISABLE_TLSEXT_CA_NAMES((uint64_t)1 << (uint64_t)9));
1897	}
1898
1899	if (ignore_unexpected_eof)
1900	SSL_CTX_set_options(ctx, SSL_OP_IGNORE_UNEXPECTED_EOF((uint64_t)1 << (uint64_t)7));
1901
1902	if (max_send_fragment > 0
1903	&& !SSL_CTX_set_max_send_fragment(ctx, max_send_fragment)SSL_CTX_ctrl(ctx,52,max_send_fragment,((void*)0))) {
1904	BIO_printf(bio_err, "%s: Max send fragment size %u is out of permitted range\n",
1905	prog, max_send_fragment);
1906	goto end;
1907	}
1908
1909	if (split_send_fragment > 0
1910	&& !SSL_CTX_set_split_send_fragment(ctx, split_send_fragment)SSL_CTX_ctrl(ctx,125,split_send_fragment,((void*)0))) {
1911	BIO_printf(bio_err, "%s: Split send fragment size %u is out of permitted range\n",
1912	prog, split_send_fragment);
1913	goto end;
1914	}
1915	if (max_pipelines > 0
1916	&& !SSL_CTX_set_max_pipelines(ctx, max_pipelines)SSL_CTX_ctrl(ctx,126,max_pipelines,((void*)0))) {
1917	BIO_printf(bio_err, "%s: Max pipelines %u is out of permitted range\n",
1918	prog, max_pipelines);
1919	goto end;
1920	}
1921
1922	if (read_buf_len > 0) {
1923	SSL_CTX_set_default_read_buffer_len(ctx, read_buf_len);
1924	}
1925	#ifndef OPENSSL_NO_SRTP
1926	if (srtp_profiles != NULL((void*)0)) {
1927	/* Returns 0 on success! */
1928	if (SSL_CTX_set_tlsext_use_srtp(ctx, srtp_profiles) != 0) {
1929	BIO_printf(bio_err, "Error setting SRTP profile\n");
1930	ERR_print_errors(bio_err);
1931	goto end;
1932	}
1933	}
1934	#endif
1935
1936	if (!ctx_set_verify_locations(ctx, CAfile, noCAfile, CApath, noCApath,
1937	CAstore, noCAstore)) {
1938	ERR_print_errors(bio_err);
1939	goto end;
1940	}
1941	if (vpmtouched && !SSL_CTX_set1_param(ctx, vpm)) {
1942	BIO_printf(bio_err, "Error setting verify params\n");
1943	ERR_print_errors(bio_err);
1944	goto end;
1945	}
1946
1947	ssl_ctx_add_crls(ctx, crls, 0);
1948
1949	if (!ssl_load_stores(ctx,
1950	vfyCApath, vfyCAfile, vfyCAstore,
1951	chCApath, chCAfile, chCAstore,
1952	crls, crl_download)) {
1953	BIO_printf(bio_err, "Error loading store locations\n");
1954	ERR_print_errors(bio_err);
1955	goto end;
1956	}
1957
1958	if (s_cert2) {
1959	ctx2 = SSL_CTX_new_ex(app_get0_libctx(), app_get0_propq(), meth);
1960	if (ctx2 == NULL((void*)0)) {
1961	ERR_print_errors(bio_err);
1962	goto end;
1963	}
1964	}
1965
1966	if (ctx2 != NULL((void*)0)) {
1967	BIO_printf(bio_s_out, "Setting secondary ctx parameters\n");
1968
1969	if (sdebug)
1970	ssl_ctx_security_debug(ctx2, sdebug);
1971
1972	if (session_id_prefix) {
1973	if (strlen(session_id_prefix) >= 32)
1974	BIO_printf(bio_err,
1975	"warning: id_prefix is too long, only one new session will be possible\n");
1976	if (!SSL_CTX_set_generate_session_id(ctx2, generate_session_id)) {
1977	BIO_printf(bio_err, "error setting 'id_prefix'\n");
1978	ERR_print_errors(bio_err);
1979	goto end;
1980	}
1981	BIO_printf(bio_err, "id_prefix '%s' set.\n", session_id_prefix);
1982	}
1983	if (exc != NULL((void*)0))
1984	ssl_ctx_set_excert(ctx2, exc);
1985
1986	if (state)
1987	SSL_CTX_set_info_callback(ctx2, apps_ssl_info_callback);
1988
1989	if (no_cache)
1990	SSL_CTX_set_session_cache_mode(ctx2, SSL_SESS_CACHE_OFF)SSL_CTX_ctrl(ctx2,44,0x0000,((void*)0));
1991	else if (ext_cache)
1992	init_session_cache_ctx(ctx2);
1993	else
1994	SSL_CTX_sess_set_cache_size(ctx2, 128)SSL_CTX_ctrl(ctx2,42,128,((void*)0));
1995
1996	if (async)
1997	SSL_CTX_set_mode(ctx2, SSL_MODE_ASYNC)SSL_CTX_ctrl((ctx2),33,(0x00000100U),((void*)0));
1998
1999	if (!ctx_set_verify_locations(ctx2, CAfile, noCAfile, CApath,
2000	noCApath, CAstore, noCAstore)) {
2001	ERR_print_errors(bio_err);
2002	goto end;
2003	}
2004	if (vpmtouched && !SSL_CTX_set1_param(ctx2, vpm)) {
2005	BIO_printf(bio_err, "Error setting verify params\n");
2006	ERR_print_errors(bio_err);
2007	goto end;
2008	}
2009
2010	ssl_ctx_add_crls(ctx2, crls, 0);
2011	if (!config_ctx(cctx, ssl_args, ctx2))
2012	goto end;
2013	}
2014	#ifndef OPENSSL_NO_NEXTPROTONEG
2015	if (next_proto.data)
2016	SSL_CTX_set_next_protos_advertised_cb(ctx, next_proto_cb,
2017	&next_proto);
2018	#endif
2019	if (alpn_ctx.data)
2020	SSL_CTX_set_alpn_select_cb(ctx, alpn_cb, &alpn_ctx);
2021
2022	if (!no_dhe) {
2023	EVP_PKEY dhpkey = NULL((void)0);
2024
2025	if (dhfile != NULL((void*)0))
2026	dhpkey = load_keyparams(dhfile, FORMAT_UNDEF0, 0, "DH", "DH parameters");
2027	else if (s_cert_file != NULL((void*)0))
2028	dhpkey = load_keyparams_suppress(s_cert_file, FORMAT_UNDEF0, 0, "DH",
2029	"DH parameters", 1);
2030
2031	if (dhpkey != NULL((void*)0)) {
2032	BIO_printf(bio_s_out, "Setting temp DH parameters\n");
2033	} else {
2034	BIO_printf(bio_s_out, "Using default temp DH parameters\n");
2035	}
2036	(void)BIO_flush(bio_s_out)(int)BIO_ctrl(bio_s_out,11,0,((void*)0));
2037
2038	if (dhpkey == NULL((void*)0)) {
2039	SSL_CTX_set_dh_auto(ctx, 1)SSL_CTX_ctrl(ctx,118,1,((void*)0));
2040	} else {
2041	/*
2042	* We need 2 references: one for use by ctx and one for use by
2043	* ctx2
2044	*/
2045	if (!EVP_PKEY_up_ref(dhpkey)) {
2046	EVP_PKEY_free(dhpkey);
2047	goto end;
2048	}
2049	if (!SSL_CTX_set0_tmp_dh_pkey(ctx, dhpkey)) {
2050	BIO_puts(bio_err, "Error setting temp DH parameters\n");
2051	ERR_print_errors(bio_err);
2052	/* Free 2 references */
2053	EVP_PKEY_free(dhpkey);
2054	EVP_PKEY_free(dhpkey);
2055	goto end;
2056	}
2057	}
2058
2059	if (ctx2 != NULL((void*)0)) {
2060	if (dhfile != NULL((void*)0)) {
2061	EVP_PKEY *dhpkey2 = load_keyparams_suppress(s_cert_file2,
2062	FORMAT_UNDEF0,
2063	0, "DH",
2064	"DH parameters", 1);
2065
2066	if (dhpkey2 != NULL((void*)0)) {
2067	BIO_printf(bio_s_out, "Setting temp DH parameters\n");
2068	(void)BIO_flush(bio_s_out)(int)BIO_ctrl(bio_s_out,11,0,((void*)0));
2069
2070	EVP_PKEY_free(dhpkey);
2071	dhpkey = dhpkey2;
2072	}
2073	}
2074	if (dhpkey == NULL((void*)0)) {
2075	SSL_CTX_set_dh_auto(ctx2, 1)SSL_CTX_ctrl(ctx2,118,1,((void*)0));
2076	} else if (!SSL_CTX_set0_tmp_dh_pkey(ctx2, dhpkey)) {
2077	BIO_puts(bio_err, "Error setting temp DH parameters\n");
2078	ERR_print_errors(bio_err);
2079	EVP_PKEY_free(dhpkey);
2080	goto end;
2081	}
2082	dhpkey = NULL((void*)0);
2083	}
2084	EVP_PKEY_free(dhpkey);
2085	}
2086
2087	if (!set_cert_key_stuff(ctx, s_cert, s_key, s_chain, build_chain))
2088	goto end;
2089
2090	if (s_serverinfo_file != NULL((void*)0)
2091	&& !SSL_CTX_use_serverinfo_file(ctx, s_serverinfo_file)) {
2092	ERR_print_errors(bio_err);
2093	goto end;
2094	}
2095
2096	if (ctx2 != NULL((void*)0)
2097	&& !set_cert_key_stuff(ctx2, s_cert2, s_key2, NULL((void*)0), build_chain))
2098	goto end;
2099
2100	if (s_dcert != NULL((void*)0)) {
2101	if (!set_cert_key_stuff(ctx, s_dcert, s_dkey, s_dchain, build_chain))
2102	goto end;
2103	}
2104
2105	if (no_resume_ephemeral) {
2106	SSL_CTX_set_not_resumable_session_callback(ctx,
2107	not_resumable_sess_cb);
2108
2109	if (ctx2 != NULL((void*)0))
2110	SSL_CTX_set_not_resumable_session_callback(ctx2,
2111	not_resumable_sess_cb);
2112	}
2113	#ifndef OPENSSL_NO_PSK
2114	if (psk_key != NULL((void*)0)) {
2115	if (s_debug)
2116	BIO_printf(bio_s_out, "PSK key given, setting server callback\n");
2117	SSL_CTX_set_psk_server_callback(ctx, psk_server_cb);
2118	}
2119
2120	if (psk_identity_hint != NULL((void*)0)) {
2121	if (min_version == TLS1_3_VERSION0x0304) {
2122	BIO_printf(bio_s_out, "PSK warning: there is NO identity hint in TLSv1.3\n");
2123	} else {
2124	if (!SSL_CTX_use_psk_identity_hint(ctx, psk_identity_hint)) {
2125	BIO_printf(bio_err, "error setting PSK identity hint to context\n");
2126	ERR_print_errors(bio_err);
2127	goto end;
2128	}
2129	}
2130	}
2131	#endif
2132	if (psksessf != NULL((void*)0)) {
2133	BIO *stmp = BIO_new_file(psksessf, "r");
2134
2135	if (stmp == NULL((void*)0)) {
2136	BIO_printf(bio_err, "Can't open PSK session file %s\n", psksessf);
2137	ERR_print_errors(bio_err);
2138	goto end;
2139	}
2140	psksess = PEM_read_bio_SSL_SESSION(stmp, NULL((void)0), 0, NULL((void)0));
2141	BIO_free(stmp);
2142	if (psksess == NULL((void*)0)) {
2143	BIO_printf(bio_err, "Can't read PSK session file %s\n", psksessf);
2144	ERR_print_errors(bio_err);
2145	goto end;
2146	}
2147
2148	}
2149
2150	if (psk_key != NULL((void)0) \|\| psksess != NULL((void)0))
2151	SSL_CTX_set_psk_find_session_callback(ctx, psk_find_session_cb);
2152
2153	SSL_CTX_set_verify(ctx, s_server_verify, verify_callback);
2154	if (!SSL_CTX_set_session_id_context(ctx,
2155	(void *)&s_server_session_id_context,
2156	sizeof(s_server_session_id_context))) {
2157	BIO_printf(bio_err, "error setting session id context\n");
2158	ERR_print_errors(bio_err);
2159	goto end;
2160	}
2161
2162	/* Set DTLS cookie generation and verification callbacks */
2163	SSL_CTX_set_cookie_generate_cb(ctx, generate_cookie_callback);
2164	SSL_CTX_set_cookie_verify_cb(ctx, verify_cookie_callback);
2165
2166	/* Set TLS1.3 cookie generation and verification callbacks */
2167	SSL_CTX_set_stateless_cookie_generate_cb(ctx, generate_stateless_cookie_callback);
2168	SSL_CTX_set_stateless_cookie_verify_cb(ctx, verify_stateless_cookie_callback);
2169
2170	if (ctx2 != NULL((void*)0)) {
2171	SSL_CTX_set_verify(ctx2, s_server_verify, verify_callback);
2172	if (!SSL_CTX_set_session_id_context(ctx2,
2173	(void *)&s_server_session_id_context,
2174	sizeof(s_server_session_id_context))) {
2175	BIO_printf(bio_err, "error setting session id context\n");
2176	ERR_print_errors(bio_err);
2177	goto end;
2178	}
2179	tlsextcbp.biodebug = bio_s_out;
2180	SSL_CTX_set_tlsext_servername_callback(ctx2, ssl_servername_cb)SSL_CTX_callback_ctrl(ctx2,53, (void (*)(void))ssl_servername_cb );
2181	SSL_CTX_set_tlsext_servername_arg(ctx2, &tlsextcbp)SSL_CTX_ctrl(ctx2,54,0,&tlsextcbp);
2182	SSL_CTX_set_tlsext_servername_callback(ctx, ssl_servername_cb)SSL_CTX_callback_ctrl(ctx,53, (void (*)(void))ssl_servername_cb );
2183	SSL_CTX_set_tlsext_servername_arg(ctx, &tlsextcbp)SSL_CTX_ctrl(ctx,54,0,&tlsextcbp);
2184	}
2185
2186	#ifndef OPENSSL_NO_SRP
2187	if (srp_verifier_file != NULL((void*)0)) {
2188	if (!set_up_srp_verifier_file(ctx, &srp_callback_parm, srpuserseed,
2189	srp_verifier_file))
2190	goto end;
2191	} else
2192	#endif
2193	if (CAfile != NULL((void*)0)) {
2194	SSL_CTX_set_client_CA_list(ctx, SSL_load_client_CA_file(CAfile));
2195
2196	if (ctx2)
2197	SSL_CTX_set_client_CA_list(ctx2, SSL_load_client_CA_file(CAfile));
2198	}
2199	#ifndef OPENSSL_NO_OCSP
2200	if (s_tlsextstatus) {
2201	SSL_CTX_set_tlsext_status_cb(ctx, cert_status_cb)SSL_CTX_callback_ctrl(ctx,63, (void (*)(void))cert_status_cb);
2202	SSL_CTX_set_tlsext_status_arg(ctx, &tlscstatp)SSL_CTX_ctrl(ctx,64,0,&tlscstatp);
2203	if (ctx2) {
2204	SSL_CTX_set_tlsext_status_cb(ctx2, cert_status_cb)SSL_CTX_callback_ctrl(ctx2,63, (void (*)(void))cert_status_cb );
2205	SSL_CTX_set_tlsext_status_arg(ctx2, &tlscstatp)SSL_CTX_ctrl(ctx2,64,0,&tlscstatp);
2206	}
2207	}
2208	#endif
2209	if (set_keylog_file(ctx, keylog_file))
2210	goto end;
2211
2212	if (max_early_data >= 0)
2213	SSL_CTX_set_max_early_data(ctx, max_early_data);
2214	if (recv_max_early_data >= 0)
2215	SSL_CTX_set_recv_max_early_data(ctx, recv_max_early_data);
2216
2217	if (rev)
2218	server_cb = rev_body;
2219	else if (www)
2220	server_cb = www_body;
2221	else
2222	server_cb = sv_body;
2223	#ifdef AF_UNIX1
2224	if (socket_family == AF_UNIX1
2225	&& unlink_unix_path)
2226	unlink(host);
2227	#endif
2228	do_server(&accept_socket, host, port, socket_family, socket_type, protocol,
2229	server_cb, context, naccept, bio_s_out);
2230	print_stats(bio_s_out, ctx);
2231	ret = 0;
2232	end:
2233	SSL_CTX_free(ctx);
2234	SSL_SESSION_free(psksess);
2235	set_keylog_file(NULL((void)0), NULL((void)0));
2236	X509_free(s_cert);
2237	sk_X509_CRL_pop_free(crls, X509_CRL_free)OPENSSL_sk_pop_free(ossl_check_X509_CRL_sk_type(crls),ossl_check_X509_CRL_freefunc_type (X509_CRL_free));
2238	X509_free(s_dcert);
2239	EVP_PKEY_free(s_key);
2240	EVP_PKEY_free(s_dkey);
2241	sk_X509_pop_free(s_chain, X509_free)OPENSSL_sk_pop_free(ossl_check_X509_sk_type(s_chain),ossl_check_X509_freefunc_type (X509_free));
2242	sk_X509_pop_free(s_dchain, X509_free)OPENSSL_sk_pop_free(ossl_check_X509_sk_type(s_dchain),ossl_check_X509_freefunc_type (X509_free));
2243	OPENSSL_free(pass)CRYPTO_free(pass, "../deps/openssl/openssl/apps/s_server.c", 2243 );
2244	OPENSSL_free(dpass)CRYPTO_free(dpass, "../deps/openssl/openssl/apps/s_server.c", 2244);
2245	OPENSSL_free(host)CRYPTO_free(host, "../deps/openssl/openssl/apps/s_server.c", 2245 );
2246	OPENSSL_free(port)CRYPTO_free(port, "../deps/openssl/openssl/apps/s_server.c", 2246 );
2247	X509_VERIFY_PARAM_free(vpm);
2248	free_sessions();
2249	OPENSSL_free(tlscstatp.host)CRYPTO_free(tlscstatp.host, "../deps/openssl/openssl/apps/s_server.c" , 2249);
2250	OPENSSL_free(tlscstatp.port)CRYPTO_free(tlscstatp.port, "../deps/openssl/openssl/apps/s_server.c" , 2250);
2251	OPENSSL_free(tlscstatp.path)CRYPTO_free(tlscstatp.path, "../deps/openssl/openssl/apps/s_server.c" , 2251);
2252	SSL_CTX_free(ctx2);
2253	X509_free(s_cert2);
2254	EVP_PKEY_free(s_key2);
2255	#ifndef OPENSSL_NO_NEXTPROTONEG
2256	OPENSSL_free(next_proto.data)CRYPTO_free(next_proto.data, "../deps/openssl/openssl/apps/s_server.c" , 2256);
2257	#endif
2258	OPENSSL_free(alpn_ctx.data)CRYPTO_free(alpn_ctx.data, "../deps/openssl/openssl/apps/s_server.c" , 2258);
2259	ssl_excert_free(exc);
2260	sk_OPENSSL_STRING_free(ssl_args)OPENSSL_sk_free(ossl_check_OPENSSL_STRING_sk_type(ssl_args));
2261	SSL_CONF_CTX_free(cctx);
2262	release_engine(engine);
2263	BIO_free(bio_s_out);
2264	bio_s_out = NULL((void*)0);
2265	BIO_free(bio_s_msg);
2266	bio_s_msg = NULL((void*)0);
2267	#ifdef CHARSET_EBCDIC
2268	BIO_meth_free(methods_ebcdic);
2269	#endif
2270	return ret;
2271	}
2272
2273	static void print_stats(BIO bio, SSL_CTX ssl_ctx)
2274	{
2275	BIO_printf(bio, "%4ld items in the session cache\n",
2276	SSL_CTX_sess_number(ssl_ctx)SSL_CTX_ctrl(ssl_ctx,20,0,((void*)0)));
2277	BIO_printf(bio, "%4ld client connects (SSL_connect())\n",
2278	SSL_CTX_sess_connect(ssl_ctx)SSL_CTX_ctrl(ssl_ctx,21,0,((void*)0)));
2279	BIO_printf(bio, "%4ld client renegotiates (SSL_connect())\n",
2280	SSL_CTX_sess_connect_renegotiate(ssl_ctx)SSL_CTX_ctrl(ssl_ctx,23,0,((void*)0)));
2281	BIO_printf(bio, "%4ld client connects that finished\n",
2282	SSL_CTX_sess_connect_good(ssl_ctx)SSL_CTX_ctrl(ssl_ctx,22,0,((void*)0)));
2283	BIO_printf(bio, "%4ld server accepts (SSL_accept())\n",
2284	SSL_CTX_sess_accept(ssl_ctx)SSL_CTX_ctrl(ssl_ctx,24,0,((void*)0)));
2285	BIO_printf(bio, "%4ld server renegotiates (SSL_accept())\n",
2286	SSL_CTX_sess_accept_renegotiate(ssl_ctx)SSL_CTX_ctrl(ssl_ctx,26,0,((void*)0)));
2287	BIO_printf(bio, "%4ld server accepts that finished\n",
2288	SSL_CTX_sess_accept_good(ssl_ctx)SSL_CTX_ctrl(ssl_ctx,25,0,((void*)0)));
2289	BIO_printf(bio, "%4ld session cache hits\n", SSL_CTX_sess_hits(ssl_ctx)SSL_CTX_ctrl(ssl_ctx,27,0,((void*)0)));
2290	BIO_printf(bio, "%4ld session cache misses\n",
2291	SSL_CTX_sess_misses(ssl_ctx)SSL_CTX_ctrl(ssl_ctx,29,0,((void*)0)));
2292	BIO_printf(bio, "%4ld session cache timeouts\n",
2293	SSL_CTX_sess_timeouts(ssl_ctx)SSL_CTX_ctrl(ssl_ctx,30,0,((void*)0)));
2294	BIO_printf(bio, "%4ld callback cache hits\n",
2295	SSL_CTX_sess_cb_hits(ssl_ctx)SSL_CTX_ctrl(ssl_ctx,28,0,((void*)0)));
2296	BIO_printf(bio, "%4ld cache full overflows (%ld allowed)\n",
2297	SSL_CTX_sess_cache_full(ssl_ctx)SSL_CTX_ctrl(ssl_ctx,31,0,((void*)0)),
2298	SSL_CTX_sess_get_cache_size(ssl_ctx)SSL_CTX_ctrl(ssl_ctx,43,0,((void*)0)));
2299	}
2300
2301	static long int count_reads_callback(BIO bio, int cmd, const char argp, size_t len,
2302	int argi, long argl, int ret, size_t *processed)
2303	{
2304	unsigned int p_counter = (unsigned int )BIO_get_callback_arg(bio);
2305
2306	switch (cmd) {
2307	case BIO_CB_READ0x02: /* No break here */
2308	case BIO_CB_GETS0x05:
2309	if (p_counter != NULL((void*)0))
2310	++*p_counter;
2311	break;
2312	default:
2313	break;
2314	}
2315
2316	if (s_debug) {
2317	BIO_set_callback_arg(bio, (char *)bio_s_out);
2318	ret = (int)bio_dump_callback(bio, cmd, argp, len, argi, argl, ret, processed);
2319	BIO_set_callback_arg(bio, (char *)p_counter);
2320	}
2321
2322	return ret;
2323	}
2324
2325	static int sv_body(int s, int stype, int prot, unsigned char *context)
2326	{
2327	char buf = NULL((void)0);
2328	fd_set readfds;
2329	int ret = 1, width;
2330	int k, i;
2331	unsigned long l;
2332	SSL con = NULL((void)0);
2333	BIO *sbio;
2334	struct timeval timeout;
2335	#if !(defined(OPENSSL_SYS_WINDOWS) \|\| defined(OPENSSL_SYS_MSDOS))
2336	struct timeval *timeoutp;
2337	#endif
2338	#ifndef OPENSSL_NO_DTLS
2339	# ifndef OPENSSL_NO_SCTP
2340	int isdtls = (stype == SOCK_DGRAMSOCK_DGRAM \|\| prot == IPPROTO_SCTPIPPROTO_SCTP);
2341	# else
2342	int isdtls = (stype == SOCK_DGRAMSOCK_DGRAM);
2343	# endif
2344	#endif
2345
2346	buf = app_malloc(bufsize, "server buffer");
2347	if (s_nbio) {
2348	if (!BIO_socket_nbio(s, 1))
2349	ERR_print_errors(bio_err);
2350	else if (!s_quiet)
2351	BIO_printf(bio_err, "Turned on non blocking io\n");
2352	}
2353
2354	con = SSL_new(ctx);
2355	if (con == NULL((void*)0)) {
2356	ret = -1;
2357	goto err;
2358	}
2359
2360	if (s_tlsextdebug) {
2361	SSL_set_tlsext_debug_callback(con, tlsext_cb)SSL_callback_ctrl(con,56, (void (*)(void))tlsext_cb);
2362	SSL_set_tlsext_debug_arg(con, bio_s_out)SSL_ctrl(con,57,0,bio_s_out);
2363	}
2364
2365	if (context != NULL((void*)0)
2366	&& !SSL_set_session_id_context(con, context,
2367	strlen((char *)context))) {
2368	BIO_printf(bio_err, "Error setting session id context\n");
2369	ret = -1;
2370	goto err;
2371	}
2372
2373	if (!SSL_clear(con)) {
2374	BIO_printf(bio_err, "Error clearing SSL connection\n");
2375	ret = -1;
2376	goto err;
2377	}
2378	#ifndef OPENSSL_NO_DTLS
2379	if (isdtls) {
2380	# ifndef OPENSSL_NO_SCTP
2381	if (prot == IPPROTO_SCTPIPPROTO_SCTP)
2382	sbio = BIO_new_dgram_sctp(s, BIO_NOCLOSE0x00);
2383	else
2384	# endif
2385	sbio = BIO_new_dgram(s, BIO_NOCLOSE0x00);
2386	if (sbio == NULL((void*)0)) {
2387	BIO_printf(bio_err, "Unable to create BIO\n");
2388	ERR_print_errors(bio_err);
2389	goto err;
2390	}
2391
2392	if (enable_timeouts) {
2393	timeout.tv_sec = 0;
2394	timeout.tv_usec = DGRAM_RCV_TIMEOUT250000;
2395	BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_RECV_TIMEOUT33, 0, &timeout);
2396
2397	timeout.tv_sec = 0;
2398	timeout.tv_usec = DGRAM_SND_TIMEOUT250000;
2399	BIO_ctrl(sbio, BIO_CTRL_DGRAM_SET_SEND_TIMEOUT35, 0, &timeout);
2400	}
2401
2402	if (socket_mtu) {
2403	if (socket_mtu < DTLS_get_link_min_mtu(con)SSL_ctrl((con),121,0,((void*)0))) {
2404	BIO_printf(bio_err, "MTU too small. Must be at least %ld\n",
2405	DTLS_get_link_min_mtu(con)SSL_ctrl((con),121,0,((void*)0)));
2406	ret = -1;
2407	BIO_free(sbio);
2408	goto err;
2409	}
2410	SSL_set_options(con, SSL_OP_NO_QUERY_MTU((uint64_t)1 << (uint64_t)12));
2411	if (!DTLS_set_link_mtu(con, socket_mtu)SSL_ctrl((con),120,(socket_mtu),((void*)0))) {
2412	BIO_printf(bio_err, "Failed to set MTU\n");
2413	ret = -1;
2414	BIO_free(sbio);
2415	goto err;
2416	}
2417	} else
2418	/* want to do MTU discovery */
2419	BIO_ctrl(sbio, BIO_CTRL_DGRAM_MTU_DISCOVER39, 0, NULL((void*)0));
2420
2421	# ifndef OPENSSL_NO_SCTP
2422	if (prot != IPPROTO_SCTPIPPROTO_SCTP)
2423	# endif
2424	/* Turn on cookie exchange. Not necessary for SCTP */
2425	SSL_set_options(con, SSL_OP_COOKIE_EXCHANGE((uint64_t)1 << (uint64_t)13));
2426	} else
2427	#endif
2428	sbio = BIO_new_socket(s, BIO_NOCLOSE0x00);
2429
2430	if (sbio == NULL((void*)0)) {
2431	BIO_printf(bio_err, "Unable to create BIO\n");
2432	ERR_print_errors(bio_err);
2433	goto err;
2434	}
2435
2436	if (s_nbio_test) {
2437	BIO *test;
2438
2439	test = BIO_new(BIO_f_nbio_test());
2440	if (test == NULL((void*)0)) {
2441	BIO_printf(bio_err, "Unable to create BIO\n");
2442	ret = -1;
2443	BIO_free(sbio);
2444	goto err;
2445	}
2446
2447	sbio = BIO_push(test, sbio);
2448	}
2449
2450	SSL_set_bio(con, sbio, sbio);
2451	SSL_set_accept_state(con);
2452	/* SSL_set_fd(con,s); */
2453
2454	BIO_set_callback_ex(SSL_get_rbio(con), count_reads_callback);
2455	if (s_msg) {
2456	#ifndef OPENSSL_NO_SSL_TRACE
2457	if (s_msg == 2)
2458	SSL_set_msg_callback(con, SSL_trace);
2459	else
2460	#endif
2461	SSL_set_msg_callback(con, msg_cb);
2462	SSL_set_msg_callback_arg(con, bio_s_msg ? bio_s_msg : bio_s_out)SSL_ctrl((con), 16, 0, (bio_s_msg ? bio_s_msg : bio_s_out));
2463	}
2464
2465	if (s_tlsextdebug) {
2466	SSL_set_tlsext_debug_callback(con, tlsext_cb)SSL_callback_ctrl(con,56, (void (*)(void))tlsext_cb);
2467	SSL_set_tlsext_debug_arg(con, bio_s_out)SSL_ctrl(con,57,0,bio_s_out);
2468	}
2469
2470	if (early_data) {
2471	int write_header = 1, edret = SSL_READ_EARLY_DATA_ERROR0;
2472	size_t readbytes;
2473
2474	while (edret != SSL_READ_EARLY_DATA_FINISH2) {
2475	for (;;) {
2476	edret = SSL_read_early_data(con, buf, bufsize, &readbytes);
2477	if (edret != SSL_READ_EARLY_DATA_ERROR0)
2478	break;
2479
2480	switch (SSL_get_error(con, 0)) {
2481	case SSL_ERROR_WANT_WRITE3:
2482	case SSL_ERROR_WANT_ASYNC9:
2483	case SSL_ERROR_WANT_READ2:
2484	/* Just keep trying - busy waiting */
2485	continue;
2486	default:
2487	BIO_printf(bio_err, "Error reading early data\n");
2488	ERR_print_errors(bio_err);
2489	goto err;
2490	}
2491	}
2492	if (readbytes > 0) {
2493	if (write_header) {
2494	BIO_printf(bio_s_out, "Early data received:\n");
2495	write_header = 0;
2496	}
2497	raw_write_stdout(buf, (unsigned int)readbytes);
2498	(void)BIO_flush(bio_s_out)(int)BIO_ctrl(bio_s_out,11,0,((void*)0));
2499	}
2500	}
2501	if (write_header) {
2502	if (SSL_get_early_data_status(con) == SSL_EARLY_DATA_NOT_SENT0)
2503	BIO_printf(bio_s_out, "No early data received\n");
2504	else
2505	BIO_printf(bio_s_out, "Early data was rejected\n");
2506	} else {
2507	BIO_printf(bio_s_out, "\nEnd of early data\n");
2508	}
2509	if (SSL_is_init_finished(con))
2510	print_connection_info(con);
2511	}
2512
2513	if (fileno_stdin() > s)
2514	width = fileno_stdin() + 1;
2515	else
2516	width = s + 1;
2517	for (;;) {
2518	int read_from_terminal;
2519	int read_from_sslcon;
2520
2521	read_from_terminal = 0;
2522	read_from_sslcon = SSL_has_pending(con)
2523	\|\| (async && SSL_waiting_for_async(con));
2524
2525	if (!read_from_sslcon) {
2526	FD_ZERO(&readfds)do { int __d0, __d1; __asm__ __volatile__ ("cld; rep; " "stosq" : "=c" (__d0), "=D" (__d1) : "a" (0), "0" (sizeof (fd_set) / sizeof (__fd_mask)), "1" (&((&readfds)->__fds_bits )[0]) : "memory"); } while (0);
2527	#if !defined(OPENSSL_SYS_WINDOWS) && !defined(OPENSSL_SYS_MSDOS)
2528	openssl_fdset(fileno_stdin(), &readfds)((void) (((&readfds)->__fds_bits)[((fileno_stdin()) / ( 8 * (int) sizeof (__fd_mask)))] \|= ((__fd_mask) (1UL << ((fileno_stdin()) % (8 * (int) sizeof (__fd_mask)))))));
2529	#endif
2530	openssl_fdset(s, &readfds)((void) (((&readfds)->__fds_bits)[((s) / (8 * (int) sizeof (__fd_mask)))] \|= ((__fd_mask) (1UL << ((s) % (8 * (int ) sizeof (__fd_mask)))))));
2531	/*
2532	* Note: under VMS with SOCKETSHR the second parameter is
2533	* currently of type (int *) whereas under other systems it is
2534	* (void *) if you don't have a cast it will choke the compiler:
2535	* if you do have a cast then you can either go for (int *) or
2536	* (void *).
2537	*/
2538	#if defined(OPENSSL_SYS_WINDOWS) \|\| defined(OPENSSL_SYS_MSDOS)
2539	/*
2540	* Under DOS (non-djgpp) and Windows we can't select on stdin:
2541	* only on sockets. As a workaround we timeout the select every
2542	* second and check for any keypress. In a proper Windows
2543	* application we wouldn't do this because it is inefficient.
2544	*/
2545	timeout.tv_sec = 1;
2546	timeout.tv_usec = 0;
2547	i = select(width, (void )&readfds, NULL((void)0), NULL((void*)0), &timeout);
2548	if (has_stdin_waiting())
2549	read_from_terminal = 1;
2550	if ((i < 0) \|\| (!i && !read_from_terminal))
2551	continue;
2552	#else
2553	if (SSL_is_dtls(con) && DTLSv1_get_timeout(con, &timeout)SSL_ctrl(con,73,0, (void *)(&timeout)))
2554	timeoutp = &timeout;
2555	else
2556	timeoutp = NULL((void*)0);
2557
2558	i = select(width, (void )&readfds, NULL((void)0), NULL((void*)0), timeoutp);
2559
2560	if ((SSL_is_dtls(con)) && DTLSv1_handle_timeout(con)SSL_ctrl(con,74,0, ((void*)0)) > 0)
2561	BIO_printf(bio_err, "TIMEOUT occurred\n");
2562
2563	if (i <= 0)
2564	continue;
2565	if (FD_ISSET(fileno_stdin(), &readfds)((((&readfds)->__fds_bits)[((fileno_stdin()) / (8 * (int ) sizeof (__fd_mask)))] & ((__fd_mask) (1UL << ((fileno_stdin ()) % (8 * (int) sizeof (__fd_mask)))))) != 0))
2566	read_from_terminal = 1;
2567	#endif
2568	if (FD_ISSET(s, &readfds)((((&readfds)->__fds_bits)[((s) / (8 * (int) sizeof (__fd_mask )))] & ((__fd_mask) (1UL << ((s) % (8 * (int) sizeof (__fd_mask)))))) != 0))
2569	read_from_sslcon = 1;
2570	}
2571	if (read_from_terminal) {
2572	if (s_crlf) {
2573	int j, lf_num;
2574
2575	i = raw_read_stdin(buf, bufsize / 2);
2576	lf_num = 0;
2577	/* both loops are skipped when i <= 0 */
2578	for (j = 0; j < i; j++)
2579	if (buf[j] == '\n')
2580	lf_num++;
2581	for (j = i - 1; j >= 0; j--) {
2582	buf[j + lf_num] = buf[j];
2583	if (buf[j] == '\n') {
2584	lf_num--;
2585	i++;
2586	buf[j + lf_num] = '\r';
2587	}
2588	}
2589	assert(lf_num == 0)((void) (0));
2590	} else {
2591	i = raw_read_stdin(buf, bufsize);
2592	}
2593
2594	if (!s_quiet && !s_brief) {
2595	if ((i <= 0) \|\| (buf[0] == 'Q')) {
2596	BIO_printf(bio_s_out, "DONE\n");
2597	(void)BIO_flush(bio_s_out)(int)BIO_ctrl(bio_s_out,11,0,((void*)0));
2598	BIO_closesocket(s);
2599	close_accept_socket();
2600	ret = -11;
2601	goto err;
2602	}
2603	if ((i <= 0) \|\| (buf[0] == 'q')) {
2604	BIO_printf(bio_s_out, "DONE\n");
2605	(void)BIO_flush(bio_s_out)(int)BIO_ctrl(bio_s_out,11,0,((void*)0));
2606	if (SSL_version(con) != DTLS1_VERSION0xFEFF)
2607	BIO_closesocket(s);
2608	/*
2609	* close_accept_socket(); ret= -11;
2610	*/
2611	goto err;
2612	}
2613	if ((buf[0] == 'r') && ((buf[1] == '\n') \|\| (buf[1] == '\r'))) {
2614	SSL_renegotiate(con);
2615	i = SSL_do_handshake(con);
2616	printf("SSL_do_handshake -> %d\n", i);
2617	i = 0; /* 13; */
2618	continue;
2619	}
2620	if ((buf[0] == 'R') && ((buf[1] == '\n') \|\| (buf[1] == '\r'))) {
2621	SSL_set_verify(con,
2622	SSL_VERIFY_PEER0x01 \| SSL_VERIFY_CLIENT_ONCE0x04,
2623	NULL((void*)0));
2624	SSL_renegotiate(con);
2625	i = SSL_do_handshake(con);
2626	printf("SSL_do_handshake -> %d\n", i);
2627	i = 0; /* 13; */
2628	continue;
2629	}
2630	if ((buf[0] == 'K' \|\| buf[0] == 'k')
2631	&& ((buf[1] == '\n') \|\| (buf[1] == '\r'))) {
2632	SSL_key_update(con, buf[0] == 'K' ?
2633	SSL_KEY_UPDATE_REQUESTED1
2634	: SSL_KEY_UPDATE_NOT_REQUESTED0);
2635	i = SSL_do_handshake(con);
2636	printf("SSL_do_handshake -> %d\n", i);
2637	i = 0;
2638	continue;
2639	}
2640	if (buf[0] == 'c' && ((buf[1] == '\n') \|\| (buf[1] == '\r'))) {
2641	SSL_set_verify(con, SSL_VERIFY_PEER0x01, NULL((void*)0));
2642	i = SSL_verify_client_post_handshake(con);
2643	if (i == 0) {
2644	printf("Failed to initiate request\n");
2645	ERR_print_errors(bio_err);
2646	} else {
2647	i = SSL_do_handshake(con);
2648	printf("SSL_do_handshake -> %d\n", i);
2649	i = 0;
2650	}
2651	continue;
2652	}
2653	if (buf[0] == 'P') {
2654	static const char str[] = "Lets print some clear text\n";
2655	BIO_write(SSL_get_wbio(con), str, sizeof(str) -1);
2656	}
2657	if (buf[0] == 'S') {
2658	print_stats(bio_s_out, SSL_get_SSL_CTX(con));
2659	}
2660	}
2661	#ifdef CHARSET_EBCDIC
2662	ebcdic2ascii(buf, buf, i);
2663	#endif
2664	l = k = 0;
	Although the value stored to 'k' is used in the enclosing expression, the value is never actually read from 'k'
2665	for (;;) {
2666	/* should do a select for the write */
2667	#ifdef RENEG
2668	static count = 0;
2669	if (++count == 100) {
2670	count = 0;
2671	SSL_renegotiate(con);
2672	}
2673	#endif
2674	k = SSL_write(con, &(buf[l]), (unsigned int)i);
2675	#ifndef OPENSSL_NO_SRP
2676	while (SSL_get_error(con, k) == SSL_ERROR_WANT_X509_LOOKUP4) {
2677	BIO_printf(bio_s_out, "LOOKUP renego during write\n");
2678
2679	lookup_srp_user(&srp_callback_parm, bio_s_out);
2680
2681	k = SSL_write(con, &(buf[l]), (unsigned int)i);
2682	}
2683	#endif
2684	switch (SSL_get_error(con, k)) {
2685	case SSL_ERROR_NONE0:
2686	break;
2687	case SSL_ERROR_WANT_ASYNC9:
2688	BIO_printf(bio_s_out, "Write BLOCK (Async)\n");
2689	(void)BIO_flush(bio_s_out)(int)BIO_ctrl(bio_s_out,11,0,((void*)0));
2690	wait_for_async(con);
2691	break;
2692	case SSL_ERROR_WANT_WRITE3:
2693	case SSL_ERROR_WANT_READ2:
2694	case SSL_ERROR_WANT_X509_LOOKUP4:
2695	BIO_printf(bio_s_out, "Write BLOCK\n");
2696	(void)BIO_flush(bio_s_out)(int)BIO_ctrl(bio_s_out,11,0,((void*)0));
2697	break;
2698	case SSL_ERROR_WANT_ASYNC_JOB10:
2699	/*
2700	* This shouldn't ever happen in s_server. Treat as an error
2701	*/
2702	case SSL_ERROR_SYSCALL5:
2703	case SSL_ERROR_SSL1:
2704	BIO_printf(bio_s_out, "ERROR\n");
2705	(void)BIO_flush(bio_s_out)(int)BIO_ctrl(bio_s_out,11,0,((void*)0));
2706	ERR_print_errors(bio_err);
2707	ret = 1;
2708	goto err;
2709	/* break; */
2710	case SSL_ERROR_ZERO_RETURN6:
2711	BIO_printf(bio_s_out, "DONE\n");
2712	(void)BIO_flush(bio_s_out)(int)BIO_ctrl(bio_s_out,11,0,((void*)0));
2713	ret = 1;
2714	goto err;
2715	}
2716	if (k > 0) {
2717	l += k;
2718	i -= k;
2719	}
2720	if (i <= 0)
2721	break;
2722	}
2723	}
2724	if (read_from_sslcon) {
2725	/*
2726	* init_ssl_connection handles all async events itself so if we're
2727	* waiting for async then we shouldn't go back into
2728	* init_ssl_connection
2729	*/
2730	if ((!async \|\| !SSL_waiting_for_async(con))
2731	&& !SSL_is_init_finished(con)) {
2732	/*
2733	* Count number of reads during init_ssl_connection.
2734	* It helps us to distinguish configuration errors from errors
2735	* caused by a client.
2736	*/
2737	unsigned int read_counter = 0;
2738
2739	BIO_set_callback_arg(SSL_get_rbio(con), (char *)&read_counter);
2740	i = init_ssl_connection(con);
2741	BIO_set_callback_arg(SSL_get_rbio(con), NULL((void*)0));
2742
2743	/*
2744	* If initialization fails without reads, then
2745	* there was a fatal error in configuration.
2746	*/
2747	if (i <= 0 && read_counter == 0) {
2748	ret = -1;
2749	goto err;
2750	}
2751	if (i < 0) {
2752	ret = 0;
2753	goto err;
2754	} else if (i == 0) {
2755	ret = 1;
2756	goto err;
2757	}
2758	} else {
2759	again:
2760	i = SSL_read(con, (char *)buf, bufsize);
2761	#ifndef OPENSSL_NO_SRP
2762	while (SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP4) {
2763	BIO_printf(bio_s_out, "LOOKUP renego during read\n");
2764
2765	lookup_srp_user(&srp_callback_parm, bio_s_out);
2766
2767	i = SSL_read(con, (char *)buf, bufsize);
2768	}
2769	#endif
2770	switch (SSL_get_error(con, i)) {
2771	case SSL_ERROR_NONE0:
2772	#ifdef CHARSET_EBCDIC
2773	ascii2ebcdic(buf, buf, i);
2774	#endif
2775	raw_write_stdout(buf, (unsigned int)i);
2776	(void)BIO_flush(bio_s_out)(int)BIO_ctrl(bio_s_out,11,0,((void*)0));
2777	if (SSL_has_pending(con))
2778	goto again;
2779	break;
2780	case SSL_ERROR_WANT_ASYNC9:
2781	BIO_printf(bio_s_out, "Read BLOCK (Async)\n");
2782	(void)BIO_flush(bio_s_out)(int)BIO_ctrl(bio_s_out,11,0,((void*)0));
2783	wait_for_async(con);
2784	break;
2785	case SSL_ERROR_WANT_WRITE3:
2786	case SSL_ERROR_WANT_READ2:
2787	BIO_printf(bio_s_out, "Read BLOCK\n");
2788	(void)BIO_flush(bio_s_out)(int)BIO_ctrl(bio_s_out,11,0,((void*)0));
2789	break;
2790	case SSL_ERROR_WANT_ASYNC_JOB10:
2791	/*
2792	* This shouldn't ever happen in s_server. Treat as an error
2793	*/
2794	case SSL_ERROR_SYSCALL5:
2795	case SSL_ERROR_SSL1:
2796	BIO_printf(bio_s_out, "ERROR\n");
2797	(void)BIO_flush(bio_s_out)(int)BIO_ctrl(bio_s_out,11,0,((void*)0));
2798	ERR_print_errors(bio_err);
2799	ret = 1;
2800	goto err;
2801	case SSL_ERROR_ZERO_RETURN6:
2802	BIO_printf(bio_s_out, "DONE\n");
2803	(void)BIO_flush(bio_s_out)(int)BIO_ctrl(bio_s_out,11,0,((void*)0));
2804	ret = 1;
2805	goto err;
2806	}
2807	}
2808	}
2809	}
2810	err:
2811	if (con != NULL((void*)0)) {
2812	BIO_printf(bio_s_out, "shutting down SSL\n");
2813	do_ssl_shutdown(con);
2814	SSL_free(con);
2815	}
2816	BIO_printf(bio_s_out, "CONNECTION CLOSED\n");
2817	OPENSSL_clear_free(buf, bufsize)CRYPTO_clear_free(buf, bufsize, "../deps/openssl/openssl/apps/s_server.c" , 2817);
2818	return ret;
2819	}
2820
2821	static void close_accept_socket(void)
2822	{
2823	BIO_printf(bio_err, "shutdown accept socket\n");
2824	if (accept_socket >= 0) {
2825	BIO_closesocket(accept_socket);
2826	}
2827	}
2828
2829	static int is_retryable(SSL *con, int i)
2830	{
2831	int err = SSL_get_error(con, i);
2832
2833	/* If it's not a fatal error, it must be retryable */
2834	return (err != SSL_ERROR_SSL1)
2835	&& (err != SSL_ERROR_SYSCALL5)
2836	&& (err != SSL_ERROR_ZERO_RETURN6);
2837	}
2838
2839	static int init_ssl_connection(SSL *con)
2840	{
2841	int i;
2842	long verify_err;
2843	int retry = 0;
2844
2845	if (dtlslisten \|\| stateless) {
2846	BIO_ADDR client = NULL((void)0);
2847
2848	if (dtlslisten) {
2849	if ((client = BIO_ADDR_new()) == NULL((void*)0)) {
2850	BIO_printf(bio_err, "ERROR - memory\n");
2851	return 0;
2852	}
2853	i = DTLSv1_listen(con, client);
2854	} else {
2855	i = SSL_stateless(con);
2856	}
2857	if (i > 0) {
2858	BIO *wbio;
2859	int fd = -1;
2860
2861	if (dtlslisten) {
2862	wbio = SSL_get_wbio(con);
2863	if (wbio) {
2864	BIO_get_fd(wbio, &fd)BIO_ctrl(wbio,105,0,(char *)(&fd));
2865	}
2866
2867	if (!wbio \|\| BIO_connect(fd, client, 0) == 0) {
2868	BIO_printf(bio_err, "ERROR - unable to connect\n");
2869	BIO_ADDR_free(client);
2870	return 0;
2871	}
2872
2873	(void)BIO_ctrl_set_connected(wbio, client)(int)BIO_ctrl(wbio, 32, 0, (char *)(client));
2874	BIO_ADDR_free(client);
2875	dtlslisten = 0;
2876	} else {
2877	stateless = 0;
2878	}
2879	i = SSL_accept(con);
2880	} else {
2881	BIO_ADDR_free(client);
2882	}
2883	} else {
2884	do {
2885	i = SSL_accept(con);
2886
2887	if (i <= 0)
2888	retry = is_retryable(con, i);
2889	#ifdef CERT_CB_TEST_RETRY
2890	{
2891	while (i <= 0
2892	&& SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP4
2893	&& SSL_get_state(con) == TLS_ST_SR_CLNT_HELLO) {
2894	BIO_printf(bio_err,
2895	"LOOKUP from certificate callback during accept\n");
2896	i = SSL_accept(con);
2897	if (i <= 0)
2898	retry = is_retryable(con, i);
2899	}
2900	}
2901	#endif
2902
2903	#ifndef OPENSSL_NO_SRP
2904	while (i <= 0
2905	&& SSL_get_error(con, i) == SSL_ERROR_WANT_X509_LOOKUP4) {
2906	BIO_printf(bio_s_out, "LOOKUP during accept %s\n",
2907	srp_callback_parm.login);
2908
2909	lookup_srp_user(&srp_callback_parm, bio_s_out);
2910
2911	i = SSL_accept(con);
2912	if (i <= 0)
2913	retry = is_retryable(con, i);
2914	}
2915	#endif
2916	} while (i < 0 && SSL_waiting_for_async(con));
2917	}
2918
2919	if (i <= 0) {
2920	if (((dtlslisten \|\| stateless) && i == 0)
2921	\|\| (!dtlslisten && !stateless && retry)) {
2922	BIO_printf(bio_s_out, "DELAY\n");
2923	return 1;
2924	}
2925
2926	BIO_printf(bio_err, "ERROR\n");
2927
2928	verify_err = SSL_get_verify_result(con);
2929	if (verify_err != X509_V_OK0) {
2930	BIO_printf(bio_err, "verify error:%s\n",
2931	X509_verify_cert_error_string(verify_err));
2932	}
2933	/* Always print any error messages */
2934	ERR_print_errors(bio_err);
2935	return 0;
2936	}
2937
2938	print_connection_info(con);
2939	return 1;
2940	}
2941
2942	static void print_connection_info(SSL *con)
2943	{
2944	const char *str;
2945	X509 *peer;
2946	char buf[BUFSIZ8192];
2947	#if !defined(OPENSSL_NO_NEXTPROTONEG)
2948	const unsigned char *next_proto_neg;
2949	unsigned next_proto_neg_len;
2950	#endif
2951	unsigned char *exportedkeymat;
2952	int i;
2953
2954	if (s_brief)
2955	print_ssl_summary(con);
2956
2957	PEM_write_bio_SSL_SESSION(bio_s_out, SSL_get_session(con));
2958
2959	peer = SSL_get0_peer_certificate(con);
2960	if (peer != NULL((void*)0)) {
2961	BIO_printf(bio_s_out, "Client certificate\n");
2962	PEM_write_bio_X509(bio_s_out, peer);
2963	dump_cert_text(bio_s_out, peer);
2964	peer = NULL((void*)0);
2965	}
2966
2967	if (SSL_get_shared_ciphers(con, buf, sizeof(buf)) != NULL((void*)0))
2968	BIO_printf(bio_s_out, "Shared ciphers:%s\n", buf);
2969	str = SSL_CIPHER_get_name(SSL_get_current_cipher(con));
2970	ssl_print_sigalgs(bio_s_out, con);
2971	#ifndef OPENSSL_NO_EC
2972	ssl_print_point_formats(bio_s_out, con);
2973	ssl_print_groups(bio_s_out, con, 0);
2974	#endif
2975	print_ca_names(bio_s_out, con);
2976	BIO_printf(bio_s_out, "CIPHER is %s\n", (str != NULL((void*)0)) ? str : "(NONE)");
2977
2978	#if !defined(OPENSSL_NO_NEXTPROTONEG)
2979	SSL_get0_next_proto_negotiated(con, &next_proto_neg, &next_proto_neg_len);
2980	if (next_proto_neg) {
2981	BIO_printf(bio_s_out, "NEXTPROTO is ");
2982	BIO_write(bio_s_out, next_proto_neg, next_proto_neg_len);
2983	BIO_printf(bio_s_out, "\n");
2984	}
2985	#endif
2986	#ifndef OPENSSL_NO_SRTP
2987	{
2988	SRTP_PROTECTION_PROFILE *srtp_profile
2989	= SSL_get_selected_srtp_profile(con);
2990
2991	if (srtp_profile)
2992	BIO_printf(bio_s_out, "SRTP Extension negotiated, profile=%s\n",
2993	srtp_profile->name);
2994	}
2995	#endif
2996	if (SSL_session_reused(con))
2997	BIO_printf(bio_s_out, "Reused session-id\n");
2998	BIO_printf(bio_s_out, "Secure Renegotiation IS%s supported\n",
2999	SSL_get_secure_renegotiation_support(con)SSL_ctrl((con), 76, 0, ((void*)0)) ? "" : " NOT");
3000	if ((SSL_get_options(con) & SSL_OP_NO_RENEGOTIATION((uint64_t)1 << (uint64_t)30)))
3001	BIO_printf(bio_s_out, "Renegotiation is DISABLED\n");
3002
3003	if (keymatexportlabel != NULL((void*)0)) {
3004	BIO_printf(bio_s_out, "Keying material exporter:\n");
3005	BIO_printf(bio_s_out, " Label: '%s'\n", keymatexportlabel);
3006	BIO_printf(bio_s_out, " Length: %i bytes\n", keymatexportlen);
3007	exportedkeymat = app_malloc(keymatexportlen, "export key");
3008	if (SSL_export_keying_material(con, exportedkeymat,
3009	keymatexportlen,
3010	keymatexportlabel,
3011	strlen(keymatexportlabel),
3012	NULL((void*)0), 0, 0) <= 0) {
3013	BIO_printf(bio_s_out, " Error\n");
3014	} else {
3015	BIO_printf(bio_s_out, " Keying material: ");
3016	for (i = 0; i < keymatexportlen; i++)
3017	BIO_printf(bio_s_out, "%02X", exportedkeymat[i]);
3018	BIO_printf(bio_s_out, "\n");
3019	}
3020	OPENSSL_free(exportedkeymat)CRYPTO_free(exportedkeymat, "../deps/openssl/openssl/apps/s_server.c" , 3020);
3021	}
3022	#ifndef OPENSSL_NO_KTLS
3023	if (BIO_get_ktls_send(SSL_get_wbio(con))(0))
3024	BIO_printf(bio_err, "Using Kernel TLS for sending\n");
3025	if (BIO_get_ktls_recv(SSL_get_rbio(con))(0))
3026	BIO_printf(bio_err, "Using Kernel TLS for receiving\n");
3027	#endif
3028
3029	(void)BIO_flush(bio_s_out)(int)BIO_ctrl(bio_s_out,11,0,((void*)0));
3030	}
3031
3032	static int www_body(int s, int stype, int prot, unsigned char *context)
3033	{
3034	char buf = NULL((void)0);
3035	int ret = 1;
3036	int i, j, k, dot;
3037	SSL *con;
3038	const SSL_CIPHER *c;
3039	BIO io, ssl_bio, *sbio;
3040	#ifdef RENEG
3041	int total_bytes = 0;
3042	#endif
3043	int width;
3044	#ifndef OPENSSL_NO_KTLS
3045	int use_sendfile_for_req = use_sendfile;
3046	#endif
3047	fd_set readfds;
3048	const char *opmode;
3049	#ifdef CHARSET_EBCDIC
3050	BIO *filter;
3051	#endif
3052
3053	/* Set width for a select call if needed */
3054	width = s + 1;
3055
3056	/* as we use BIO_gets(), and it always null terminates data, we need
3057	* to allocate 1 byte longer buffer to fit the full 2^14 byte record */
3058	buf = app_malloc(bufsize + 1, "server www buffer");
3059	io = BIO_new(BIO_f_buffer());
3060	ssl_bio = BIO_new(BIO_f_ssl());
3061	if ((io == NULL((void)0)) \|\| (ssl_bio == NULL((void)0)))
3062	goto err;
3063
3064	if (s_nbio) {
3065	if (!BIO_socket_nbio(s, 1))
3066	ERR_print_errors(bio_err);
3067	else if (!s_quiet)
3068	BIO_printf(bio_err, "Turned on non blocking io\n");
3069	}
3070
3071	/* lets make the output buffer a reasonable size */
3072	if (!BIO_set_write_buffer_size(io, bufsize)BIO_int_ctrl(io,117,bufsize,1))
3073	goto err;
3074
3075	if ((con = SSL_new(ctx)) == NULL((void*)0))
3076	goto err;
3077
3078	if (s_tlsextdebug) {
3079	SSL_set_tlsext_debug_callback(con, tlsext_cb)SSL_callback_ctrl(con,56, (void (*)(void))tlsext_cb);
3080	SSL_set_tlsext_debug_arg(con, bio_s_out)SSL_ctrl(con,57,0,bio_s_out);
3081	}
3082
3083	if (context != NULL((void*)0)
3084	&& !SSL_set_session_id_context(con, context,
3085	strlen((char *)context))) {
3086	SSL_free(con);
3087	goto err;
3088	}
3089
3090	sbio = BIO_new_socket(s, BIO_NOCLOSE0x00);
3091	if (sbio == NULL((void*)0)) {
3092	SSL_free(con);
3093	goto err;
3094	}
3095
3096	if (s_nbio_test) {
3097	BIO *test;
3098
3099	test = BIO_new(BIO_f_nbio_test());
3100	if (test == NULL((void*)0)) {
3101	SSL_free(con);
3102	BIO_free(sbio);
3103	goto err;
3104	}
3105
3106	sbio = BIO_push(test, sbio);
3107	}
3108	SSL_set_bio(con, sbio, sbio);
3109	SSL_set_accept_state(con);
3110
3111	/* No need to free \|con\| after this. Done by BIO_free(ssl_bio) */
3112	BIO_set_ssl(ssl_bio, con, BIO_CLOSE)BIO_ctrl(ssl_bio,109,0x01,(char *)(con));
3113	BIO_push(io, ssl_bio);
3114	ssl_bio = NULL((void*)0);
3115	#ifdef CHARSET_EBCDIC
3116	filter = BIO_new(BIO_f_ebcdic_filter());
3117	if (filter == NULL((void*)0))
3118	goto err;
3119
3120	io = BIO_push(filter, io);
3121	#endif
3122
3123	if (s_debug) {
3124	BIO_set_callback_ex(SSL_get_rbio(con), bio_dump_callback);
3125	BIO_set_callback_arg(SSL_get_rbio(con), (char *)bio_s_out);
3126	}
3127	if (s_msg) {
3128	#ifndef OPENSSL_NO_SSL_TRACE
3129	if (s_msg == 2)
3130	SSL_set_msg_callback(con, SSL_trace);
3131	else
3132	#endif
3133	SSL_set_msg_callback(con, msg_cb);
3134	SSL_set_msg_callback_arg(con, bio_s_msg ? bio_s_msg : bio_s_out)SSL_ctrl((con), 16, 0, (bio_s_msg ? bio_s_msg : bio_s_out));
3135	}
3136
3137	for (;;) {
3138	i = BIO_gets(io, buf, bufsize + 1);
3139	if (i < 0) { /* error */
3140	if (!BIO_should_retry(io)BIO_test_flags(io, 0x08) && !SSL_waiting_for_async(con)) {
3141	if (!s_quiet)
3142	ERR_print_errors(bio_err);
3143	goto err;
3144	} else {
3145	BIO_printf(bio_s_out, "read R BLOCK\n");
3146	#ifndef OPENSSL_NO_SRP
3147	if (BIO_should_io_special(io)BIO_test_flags(io, 0x04)
3148	&& BIO_get_retry_reason(io) == BIO_RR_SSL_X509_LOOKUP0x01) {
3149	BIO_printf(bio_s_out, "LOOKUP renego during read\n");
3150
3151	lookup_srp_user(&srp_callback_parm, bio_s_out);
3152
3153	continue;
3154	}
3155	#endif
3156	ossl_sleep(1000);
3157	continue;
3158	}
3159	} else if (i == 0) { /* end of input */
3160	ret = 1;
3161	goto end;
3162	}
3163
3164	/* else we have data */
3165	if (((www == 1) && (strncmp("GET ", buf, 4) == 0)) \|\|
3166	((www == 2) && (strncmp("GET /stats ", buf, 11) == 0))) {
3167	char *p;
3168	X509 peer = NULL((void)0);
3169	STACK_OF(SSL_CIPHER)struct stack_st_SSL_CIPHER *sk;
3170	static const char *space = " ";
3171
3172	if (www == 1 && strncmp("GET /reneg", buf, 10) == 0) {
3173	if (strncmp("GET /renegcert", buf, 14) == 0)
3174	SSL_set_verify(con,
3175	SSL_VERIFY_PEER0x01 \| SSL_VERIFY_CLIENT_ONCE0x04,
3176	NULL((void*)0));
3177	i = SSL_renegotiate(con);
3178	BIO_printf(bio_s_out, "SSL_renegotiate -> %d\n", i);
3179	/* Send the HelloRequest */
3180	i = SSL_do_handshake(con);
3181	if (i <= 0) {
3182	BIO_printf(bio_s_out, "SSL_do_handshake() Retval %d\n",
3183	SSL_get_error(con, i));
3184	ERR_print_errors(bio_err);
3185	goto err;
3186	}
3187	/* Wait for a ClientHello to come back */
3188	FD_ZERO(&readfds)do { int __d0, __d1; __asm__ __volatile__ ("cld; rep; " "stosq" : "=c" (__d0), "=D" (__d1) : "a" (0), "0" (sizeof (fd_set) / sizeof (__fd_mask)), "1" (&((&readfds)->__fds_bits )[0]) : "memory"); } while (0);
3189	openssl_fdset(s, &readfds)((void) (((&readfds)->__fds_bits)[((s) / (8 * (int) sizeof (__fd_mask)))] \|= ((__fd_mask) (1UL << ((s) % (8 * (int ) sizeof (__fd_mask)))))));
3190	i = select(width, (void )&readfds, NULL((void)0), NULL((void)0), NULL((void)0));
3191	if (i <= 0 \|\| !FD_ISSET(s, &readfds)((((&readfds)->__fds_bits)[((s) / (8 * (int) sizeof (__fd_mask )))] & ((__fd_mask) (1UL << ((s) % (8 * (int) sizeof (__fd_mask)))))) != 0)) {
3192	BIO_printf(bio_s_out,
3193	"Error waiting for client response\n");
3194	ERR_print_errors(bio_err);
3195	goto err;
3196	}
3197	/*
3198	* We're not actually expecting any data here and we ignore
3199	* any that is sent. This is just to force the handshake that
3200	* we're expecting to come from the client. If they haven't
3201	* sent one there's not much we can do.
3202	*/
3203	BIO_gets(io, buf, bufsize + 1);
3204	}
3205
3206	BIO_puts(io,
3207	"HTTP/1.0 200 ok\r\nContent-type: text/html\r\n\r\n");
3208	BIO_puts(io, "<HTML><BODY BGCOLOR=\"#ffffff\">\n");
3209	BIO_puts(io, "<pre>\n");
3210	/* BIO_puts(io, OpenSSL_version(OPENSSL_VERSION)); */
3211	BIO_puts(io, "\n");
3212	for (i = 0; i < local_argc; i++) {
3213	const char *myp;
3214	for (myp = local_argv[i]; *myp; myp++)
3215	switch (*myp) {
3216	case '<':
3217	BIO_puts(io, "<");
3218	break;
3219	case '>':
3220	BIO_puts(io, ">");
3221	break;
3222	case '&':
3223	BIO_puts(io, "&");
3224	break;
3225	default:
3226	BIO_write(io, myp, 1);
3227	break;
3228	}
3229	BIO_write(io, " ", 1);
3230	}
3231	BIO_puts(io, "\n");
3232
3233	BIO_printf(io,
3234	"Secure Renegotiation IS%s supported\n",
3235	SSL_get_secure_renegotiation_support(con)SSL_ctrl((con), 76, 0, ((void*)0)) ?
3236	"" : " NOT");
3237
3238	/*
3239	* The following is evil and should not really be done
3240	*/
3241	BIO_printf(io, "Ciphers supported in s_server binary\n");
3242	sk = SSL_get_ciphers(con);
3243	j = sk_SSL_CIPHER_num(sk)OPENSSL_sk_num(ossl_check_const_SSL_CIPHER_sk_type(sk));
3244	for (i = 0; i < j; i++) {
3245	c = sk_SSL_CIPHER_value(sk, i)((const SSL_CIPHER *)OPENSSL_sk_value(ossl_check_const_SSL_CIPHER_sk_type (sk), (i)));
3246	BIO_printf(io, "%-11s:%-25s ",
3247	SSL_CIPHER_get_version(c), SSL_CIPHER_get_name(c));
3248	if ((((i + 1) % 2) == 0) && (i + 1 != j))
3249	BIO_puts(io, "\n");
3250	}
3251	BIO_puts(io, "\n");
3252	p = SSL_get_shared_ciphers(con, buf, bufsize);
3253	if (p != NULL((void*)0)) {
3254	BIO_printf(io,
3255	"---\nCiphers common between both SSL end points:\n");
3256	j = i = 0;
3257	while (*p) {
3258	if (*p == ':') {
3259	BIO_write(io, space, 26 - j);
3260	i++;
3261	j = 0;
3262	BIO_write(io, ((i % 3) ? " " : "\n"), 1);
3263	} else {
3264	BIO_write(io, p, 1);
3265	j++;
3266	}
3267	p++;
3268	}
3269	BIO_puts(io, "\n");
3270	}
3271	ssl_print_sigalgs(io, con);
3272	#ifndef OPENSSL_NO_EC
3273	ssl_print_groups(io, con, 0);
3274	#endif
3275	print_ca_names(io, con);
3276	BIO_printf(io, (SSL_session_reused(con)
3277	? "---\nReused, " : "---\nNew, "));
3278	c = SSL_get_current_cipher(con);
3279	BIO_printf(io, "%s, Cipher is %s\n",
3280	SSL_CIPHER_get_version(c), SSL_CIPHER_get_name(c));
3281	SSL_SESSION_print(io, SSL_get_session(con));
3282	BIO_printf(io, "---\n");
3283	print_stats(io, SSL_get_SSL_CTX(con));
3284	BIO_printf(io, "---\n");
3285	peer = SSL_get0_peer_certificate(con);
3286	if (peer != NULL((void*)0)) {
3287	BIO_printf(io, "Client certificate\n");
3288	X509_print(io, peer);
3289	PEM_write_bio_X509(io, peer);
3290	peer = NULL((void*)0);
3291	} else {
3292	BIO_puts(io, "no client certificate available\n");
3293	}
3294	BIO_puts(io, "</pre></BODY></HTML>\r\n\r\n");
3295	break;
3296	} else if ((www == 2 \|\| www == 3)
3297	&& (strncmp("GET /", buf, 5) == 0)) {
3298	BIO *file;
3299	char p, e;
3300	static const char *text =
3301	"HTTP/1.0 200 ok\r\nContent-type: text/plain\r\n\r\n";
3302
3303	/* skip the '/' */
3304	p = &(buf[5]);
3305
3306	dot = 1;
3307	for (e = p; *e != '\0'; e++) {
3308	if (e[0] == ' ')
3309	break;
3310
3311	if (e[0] == ':') {
3312	/* Windows drive. We treat this the same way as ".." */
3313	dot = -1;
3314	break;
3315	}
3316
3317	switch (dot) {
3318	case 1:
3319	dot = (e[0] == '.') ? 2 : 0;
3320	break;
3321	case 2:
3322	dot = (e[0] == '.') ? 3 : 0;
3323	break;
3324	case 3:
3325	dot = (e[0] == '/' \|\| e[0] == '\\') ? -1 : 0;
3326	break;
3327	}
3328	if (dot == 0)
3329	dot = (e[0] == '/' \|\| e[0] == '\\') ? 1 : 0;
3330	}
3331	dot = (dot == 3) \|\| (dot == -1); /* filename contains ".."
3332	* component */
3333
3334	if (*e == '\0') {
3335	BIO_puts(io, text);
3336	BIO_printf(io, "'%s' is an invalid file name\r\n", p);
3337	break;
3338	}
3339	*e = '\0';
3340
3341	if (dot) {
3342	BIO_puts(io, text);
3343	BIO_printf(io, "'%s' contains '..' or ':'\r\n", p);
3344	break;
3345	}
3346
3347	if (p == '/' \|\| p == '\\') {
3348	BIO_puts(io, text);
3349	BIO_printf(io, "'%s' is an invalid path\r\n", p);
3350	break;
3351	}
3352
3353	/* if a directory, do the index thang */
3354	if (app_isdir(p) > 0) {
3355	BIO_puts(io, text);
3356	BIO_printf(io, "'%s' is a directory\r\n", p);
3357	break;
3358	}
3359
3360	opmode = (http_server_binmode == 1) ? "rb" : "r";
3361	if ((file = BIO_new_file(p, opmode)) == NULL((void*)0)) {
3362	BIO_puts(io, text);
3363	BIO_printf(io, "Error opening '%s' mode='%s'\r\n", p, opmode);
3364	ERR_print_errors(io);
3365	break;
3366	}
3367
3368	if (!s_quiet)
3369	BIO_printf(bio_err, "FILE:%s\n", p);
3370
3371	if (www == 2) {
3372	i = strlen(p);
3373	if (((i > 5) && (strcmp(&(p[i - 5]), ".html") == 0)) \|\|
3374	((i > 4) && (strcmp(&(p[i - 4]), ".php") == 0)) \|\|
3375	((i > 4) && (strcmp(&(p[i - 4]), ".htm") == 0)))
3376	BIO_puts(io,
3377	"HTTP/1.0 200 ok\r\nContent-type: text/html\r\n\r\n");
3378	else
3379	BIO_puts(io,
3380	"HTTP/1.0 200 ok\r\nContent-type: text/plain\r\n\r\n");
3381	}
3382	/* send the file */
3383	#ifndef OPENSSL_NO_KTLS
3384	if (use_sendfile_for_req && !BIO_get_ktls_send(SSL_get_wbio(con))(0)) {
3385	BIO_printf(bio_err, "Warning: sendfile requested but KTLS is not available\n");
3386	use_sendfile_for_req = 0;
3387	}
3388	if (use_sendfile_for_req) {
3389	FILE fp = NULL((void)0);
3390	int fd;
3391	struct stat st;
3392	off_t offset = 0;
3393	size_t filesize;
3394
3395	BIO_get_fp(file, &fp)BIO_ctrl(file,107,0,(char *)(&fp));
3396	fd = fileno(fp);
3397	if (fstat(fd, &st) < 0) {
3398	BIO_printf(io, "Error fstat '%s'\r\n", p);
3399	ERR_print_errors(io);
3400	goto write_error;
3401	}
3402
3403	filesize = st.st_size;
3404	if (((int)BIO_flush(io)(int)BIO_ctrl(io,11,0,((void*)0))) < 0)
3405	goto write_error;
3406
3407	for (;;) {
3408	i = SSL_sendfile(con, fd, offset, filesize, 0);
3409	if (i < 0) {
3410	BIO_printf(io, "Error SSL_sendfile '%s'\r\n", p);
3411	ERR_print_errors(io);
3412	break;
3413	} else {
3414	offset += i;
3415	filesize -= i;
3416	}
3417
3418	if (filesize <= 0) {
3419	if (!s_quiet)
3420	BIO_printf(bio_err, "KTLS SENDFILE '%s' OK\n", p);
3421
3422	break;
3423	}
3424	}
3425	} else
3426	#endif
3427	{
3428	for (;;) {
3429	i = BIO_read(file, buf, bufsize);
3430	if (i <= 0)
3431	break;
3432
3433	#ifdef RENEG
3434	total_bytes += i;
3435	BIO_printf(bio_err, "%d\n", i);
3436	if (total_bytes > 3 * 1024) {
3437	total_bytes = 0;
3438	BIO_printf(bio_err, "RENEGOTIATE\n");
3439	SSL_renegotiate(con);
3440	}
3441	#endif
3442
3443	for (j = 0; j < i;) {
3444	#ifdef RENEG
3445	static count = 0;
3446	if (++count == 13)
3447	SSL_renegotiate(con);
3448	#endif
3449	k = BIO_write(io, &(buf[j]), i - j);
3450	if (k <= 0) {
3451	if (!BIO_should_retry(io)BIO_test_flags(io, 0x08)
3452	&& !SSL_waiting_for_async(con)) {
3453	goto write_error;
3454	} else {
3455	BIO_printf(bio_s_out, "rwrite W BLOCK\n");
3456	}
3457	} else {
3458	j += k;
3459	}
3460	}
3461	}
3462	}
3463	write_error:
3464	BIO_free(file);
3465	break;
3466	}
3467	}
3468
3469	for (;;) {
3470	i = (int)BIO_flush(io)(int)BIO_ctrl(io,11,0,((void*)0));
3471	if (i <= 0) {
3472	if (!BIO_should_retry(io)BIO_test_flags(io, 0x08))
3473	break;
3474	} else
3475	break;
3476	}
3477	end:
3478	/* make sure we re-use sessions */
3479	do_ssl_shutdown(con);
3480
3481	err:
3482	OPENSSL_free(buf)CRYPTO_free(buf, "../deps/openssl/openssl/apps/s_server.c", 3482 );
3483	BIO_free(ssl_bio);
3484	BIO_free_all(io);
3485	return ret;
3486	}
3487
3488	static int rev_body(int s, int stype, int prot, unsigned char *context)
3489	{
3490	char buf = NULL((void)0);
3491	int i;
3492	int ret = 1;
3493	SSL *con;
3494	BIO io, ssl_bio, *sbio;
3495	#ifdef CHARSET_EBCDIC
3496	BIO *filter;
3497	#endif
3498
3499	/* as we use BIO_gets(), and it always null terminates data, we need
3500	* to allocate 1 byte longer buffer to fit the full 2^14 byte record */
3501	buf = app_malloc(bufsize + 1, "server rev buffer");
3502	io = BIO_new(BIO_f_buffer());
3503	ssl_bio = BIO_new(BIO_f_ssl());
3504	if ((io == NULL((void)0)) \|\| (ssl_bio == NULL((void)0)))
3505	goto err;
3506
3507	/* lets make the output buffer a reasonable size */
3508	if (!BIO_set_write_buffer_size(io, bufsize)BIO_int_ctrl(io,117,bufsize,1))
3509	goto err;
3510
3511	if ((con = SSL_new(ctx)) == NULL((void*)0))
3512	goto err;
3513
3514	if (s_tlsextdebug) {
3515	SSL_set_tlsext_debug_callback(con, tlsext_cb)SSL_callback_ctrl(con,56, (void (*)(void))tlsext_cb);
3516	SSL_set_tlsext_debug_arg(con, bio_s_out)SSL_ctrl(con,57,0,bio_s_out);
3517	}
3518	if (context != NULL((void*)0)
3519	&& !SSL_set_session_id_context(con, context,
3520	strlen((char *)context))) {
3521	SSL_free(con);
3522	ERR_print_errors(bio_err);
3523	goto err;
3524	}
3525
3526	sbio = BIO_new_socket(s, BIO_NOCLOSE0x00);
3527	if (sbio == NULL((void*)0)) {
3528	SSL_free(con);
3529	ERR_print_errors(bio_err);
3530	goto err;
3531	}
3532
3533	SSL_set_bio(con, sbio, sbio);
3534	SSL_set_accept_state(con);
3535
3536	/* No need to free \|con\| after this. Done by BIO_free(ssl_bio) */
3537	BIO_set_ssl(ssl_bio, con, BIO_CLOSE)BIO_ctrl(ssl_bio,109,0x01,(char *)(con));
3538	BIO_push(io, ssl_bio);
3539	ssl_bio = NULL((void*)0);
3540	#ifdef CHARSET_EBCDIC
3541	filter = BIO_new(BIO_f_ebcdic_filter());
3542	if (filter == NULL((void*)0))
3543	goto err;
3544
3545	io = BIO_push(filter, io);
3546	#endif
3547
3548	if (s_debug) {
3549	BIO_set_callback_ex(SSL_get_rbio(con), bio_dump_callback);
3550	BIO_set_callback_arg(SSL_get_rbio(con), (char *)bio_s_out);
3551	}
3552	if (s_msg) {
3553	#ifndef OPENSSL_NO_SSL_TRACE
3554	if (s_msg == 2)
3555	SSL_set_msg_callback(con, SSL_trace);
3556	else
3557	#endif
3558	SSL_set_msg_callback(con, msg_cb);
3559	SSL_set_msg_callback_arg(con, bio_s_msg ? bio_s_msg : bio_s_out)SSL_ctrl((con), 16, 0, (bio_s_msg ? bio_s_msg : bio_s_out));
3560	}
3561
3562	for (;;) {
3563	i = BIO_do_handshake(io)BIO_ctrl(io,101,0,((void*)0));
3564	if (i > 0)
3565	break;
3566	if (!BIO_should_retry(io)BIO_test_flags(io, 0x08)) {
3567	BIO_puts(bio_err, "CONNECTION FAILURE\n");
3568	ERR_print_errors(bio_err);
3569	goto end;
3570	}
3571	#ifndef OPENSSL_NO_SRP
3572	if (BIO_should_io_special(io)BIO_test_flags(io, 0x04)
3573	&& BIO_get_retry_reason(io) == BIO_RR_SSL_X509_LOOKUP0x01) {
3574	BIO_printf(bio_s_out, "LOOKUP renego during accept\n");
3575
3576	lookup_srp_user(&srp_callback_parm, bio_s_out);
3577
3578	continue;
3579	}
3580	#endif
3581	}
3582	BIO_printf(bio_err, "CONNECTION ESTABLISHED\n");
3583	print_ssl_summary(con);
3584
3585	for (;;) {
3586	i = BIO_gets(io, buf, bufsize + 1);
3587	if (i < 0) { /* error */
3588	if (!BIO_should_retry(io)BIO_test_flags(io, 0x08)) {
3589	if (!s_quiet)
3590	ERR_print_errors(bio_err);
3591	goto err;
3592	} else {
3593	BIO_printf(bio_s_out, "read R BLOCK\n");
3594	#ifndef OPENSSL_NO_SRP
3595	if (BIO_should_io_special(io)BIO_test_flags(io, 0x04)
3596	&& BIO_get_retry_reason(io) == BIO_RR_SSL_X509_LOOKUP0x01) {
3597	BIO_printf(bio_s_out, "LOOKUP renego during read\n");
3598
3599	lookup_srp_user(&srp_callback_parm, bio_s_out);
3600
3601	continue;
3602	}
3603	#endif
3604	ossl_sleep(1000);
3605	continue;
3606	}
3607	} else if (i == 0) { /* end of input */
3608	ret = 1;
3609	BIO_printf(bio_err, "CONNECTION CLOSED\n");
3610	goto end;
3611	} else {
3612	char *p = buf + i - 1;
3613	while (i && (p == '\n' \|\| p == '\r')) {
3614	p--;
3615	i--;
3616	}
3617	if (!s_ign_eof && (i == 5) && (strncmp(buf, "CLOSE", 5) == 0)) {
3618	ret = 1;
3619	BIO_printf(bio_err, "CONNECTION CLOSED\n");
3620	goto end;
3621	}
3622	BUF_reverse((unsigned char )buf, NULL((void)0), i);
3623	buf[i] = '\n';
3624	BIO_write(io, buf, i + 1);
3625	for (;;) {
3626	i = BIO_flush(io)(int)BIO_ctrl(io,11,0,((void*)0));
3627	if (i > 0)
3628	break;
3629	if (!BIO_should_retry(io)BIO_test_flags(io, 0x08))
3630	goto end;
3631	}
3632	}
3633	}
3634	end:
3635	/* make sure we re-use sessions */
3636	do_ssl_shutdown(con);
3637
3638	err:
3639
3640	OPENSSL_free(buf)CRYPTO_free(buf, "../deps/openssl/openssl/apps/s_server.c", 3640 );
3641	BIO_free(ssl_bio);
3642	BIO_free_all(io);
3643	return ret;
3644	}
3645
3646	#define MAX_SESSION_ID_ATTEMPTS10 10
3647	static int generate_session_id(SSL ssl, unsigned char id,
3648	unsigned int *id_len)
3649	{
3650	unsigned int count = 0;
3651	unsigned int session_id_prefix_len = strlen(session_id_prefix);
3652
3653	do {
3654	if (RAND_bytes(id, *id_len) <= 0)
3655	return 0;
3656	/*
3657	* Prefix the session_id with the required prefix. NB: If our prefix
3658	* is too long, clip it - but there will be worse effects anyway, eg.
3659	* the server could only possibly create 1 session ID (ie. the
3660	* prefix!) so all future session negotiations will fail due to
3661	* conflicts.
3662	*/
3663	memcpy(id, session_id_prefix,
3664	(session_id_prefix_len < *id_len) ?
3665	session_id_prefix_len : *id_len);
3666	}
3667	while (SSL_has_matching_session_id(ssl, id, *id_len) &&
3668	(++count < MAX_SESSION_ID_ATTEMPTS10));
3669	if (count >= MAX_SESSION_ID_ATTEMPTS10)
3670	return 0;
3671	return 1;
3672	}
3673
3674	/*
3675	* By default s_server uses an in-memory cache which caches SSL_SESSION
3676	* structures without any serialization. This hides some bugs which only
3677	* become apparent in deployed servers. By implementing a basic external
3678	* session cache some issues can be debugged using s_server.
3679	*/
3680
3681	typedef struct simple_ssl_session_st {
3682	unsigned char *id;
3683	unsigned int idlen;
3684	unsigned char *der;
3685	int derlen;
3686	struct simple_ssl_session_st *next;
3687	} simple_ssl_session;
3688
3689	static simple_ssl_session first = NULL((void)0);
3690
3691	static int add_session(SSL ssl, SSL_SESSION session)
3692	{
3693	simple_ssl_session sess = app_malloc(sizeof(sess), "get session");
3694	unsigned char *p;
3695
3696	SSL_SESSION_get_id(session, &sess->idlen);
3697	sess->derlen = i2d_SSL_SESSION(session, NULL((void*)0));
3698	if (sess->derlen < 0) {
3699	BIO_printf(bio_err, "Error encoding session\n");
3700	OPENSSL_free(sess)CRYPTO_free(sess, "../deps/openssl/openssl/apps/s_server.c", 3700 );
3701	return 0;
3702	}
3703
3704	sess->id = OPENSSL_memdup(SSL_SESSION_get_id(session, NULL), sess->idlen)CRYPTO_memdup((SSL_SESSION_get_id(session, ((void*)0))), sess ->idlen, "../deps/openssl/openssl/apps/s_server.c", 3704);
3705	sess->der = app_malloc(sess->derlen, "get session buffer");
3706	if (!sess->id) {
3707	BIO_printf(bio_err, "Out of memory adding to external cache\n");
3708	OPENSSL_free(sess->id)CRYPTO_free(sess->id, "../deps/openssl/openssl/apps/s_server.c" , 3708);
3709	OPENSSL_free(sess->der)CRYPTO_free(sess->der, "../deps/openssl/openssl/apps/s_server.c" , 3709);
3710	OPENSSL_free(sess)CRYPTO_free(sess, "../deps/openssl/openssl/apps/s_server.c", 3710 );
3711	return 0;
3712	}
3713	p = sess->der;
3714
3715	/* Assume it still works. */
3716	if (i2d_SSL_SESSION(session, &p) != sess->derlen) {
3717	BIO_printf(bio_err, "Unexpected session encoding length\n");
3718	OPENSSL_free(sess->id)CRYPTO_free(sess->id, "../deps/openssl/openssl/apps/s_server.c" , 3718);
3719	OPENSSL_free(sess->der)CRYPTO_free(sess->der, "../deps/openssl/openssl/apps/s_server.c" , 3719);
3720	OPENSSL_free(sess)CRYPTO_free(sess, "../deps/openssl/openssl/apps/s_server.c", 3720 );
3721	return 0;
3722	}
3723
3724	sess->next = first;
3725	first = sess;
3726	BIO_printf(bio_err, "New session added to external cache\n");
3727	return 0;
3728	}
3729
3730	static SSL_SESSION get_session(SSL ssl, const unsigned char *id, int idlen,
3731	int *do_copy)
3732	{
3733	simple_ssl_session *sess;
3734	*do_copy = 0;
3735	for (sess = first; sess; sess = sess->next) {
3736	if (idlen == (int)sess->idlen && !memcmp(sess->id, id, idlen)) {
3737	const unsigned char *p = sess->der;
3738	BIO_printf(bio_err, "Lookup session: cache hit\n");
3739	return d2i_SSL_SESSION(NULL((void*)0), &p, sess->derlen);
3740	}
3741	}
3742	BIO_printf(bio_err, "Lookup session: cache miss\n");
3743	return NULL((void*)0);
3744	}
3745
3746	static void del_session(SSL_CTX sctx, SSL_SESSION session)
3747	{
3748	simple_ssl_session sess, prev = NULL((void*)0);
3749	const unsigned char *id;
3750	unsigned int idlen;
3751	id = SSL_SESSION_get_id(session, &idlen);
3752	for (sess = first; sess; sess = sess->next) {
3753	if (idlen == sess->idlen && !memcmp(sess->id, id, idlen)) {
3754	if (prev)
3755	prev->next = sess->next;
3756	else
3757	first = sess->next;
3758	OPENSSL_free(sess->id)CRYPTO_free(sess->id, "../deps/openssl/openssl/apps/s_server.c" , 3758);
3759	OPENSSL_free(sess->der)CRYPTO_free(sess->der, "../deps/openssl/openssl/apps/s_server.c" , 3759);
3760	OPENSSL_free(sess)CRYPTO_free(sess, "../deps/openssl/openssl/apps/s_server.c", 3760 );
3761	return;
3762	}
3763	prev = sess;
3764	}
3765	}
3766
3767	static void init_session_cache_ctx(SSL_CTX *sctx)
3768	{
3769	SSL_CTX_set_session_cache_mode(sctx,SSL_CTX_ctrl(sctx,44,(0x0100\|0x0200) \| 0x0002,((void*)0))
3770	SSL_SESS_CACHE_NO_INTERNAL \|SSL_CTX_ctrl(sctx,44,(0x0100\|0x0200) \| 0x0002,((void*)0))
3771	SSL_SESS_CACHE_SERVER)SSL_CTX_ctrl(sctx,44,(0x0100\|0x0200) \| 0x0002,((void*)0));
3772	SSL_CTX_sess_set_new_cb(sctx, add_session);
3773	SSL_CTX_sess_set_get_cb(sctx, get_session);
3774	SSL_CTX_sess_set_remove_cb(sctx, del_session);
3775	}
3776
3777	static void free_sessions(void)
3778	{
3779	simple_ssl_session sess, tsess;
3780	for (sess = first; sess;) {
3781	OPENSSL_free(sess->id)CRYPTO_free(sess->id, "../deps/openssl/openssl/apps/s_server.c" , 3781);
3782	OPENSSL_free(sess->der)CRYPTO_free(sess->der, "../deps/openssl/openssl/apps/s_server.c" , 3782);
3783	tsess = sess;
3784	sess = sess->next;
3785	OPENSSL_free(tsess)CRYPTO_free(tsess, "../deps/openssl/openssl/apps/s_server.c", 3785);
3786	}
3787	first = NULL((void*)0);
3788	}
3789
3790	#endif /* OPENSSL_NO_SOCK */