- verify_depth=0;
-#ifdef FIONBIO
- s_nbio=0;
-#endif
- s_nbio_test=0;
-
- argc--;
- argv++;
-
- while (argc >= 1)
- {
- if ((strcmp(*argv,"-port") == 0) ||
- (strcmp(*argv,"-accept") == 0))
- {
- if (--argc < 1) goto bad;
- if (!extract_port(*(++argv),&port))
- goto bad;
- }
- else if (strcmp(*argv,"-verify") == 0)
- {
- s_server_verify=SSL_VERIFY_PEER|SSL_VERIFY_CLIENT_ONCE;
- if (--argc < 1) goto bad;
- verify_depth=atoi(*(++argv));
- BIO_printf(bio_err,"verify depth is %d\n",verify_depth);
- }
- else if (strcmp(*argv,"-Verify") == 0)
- {
- s_server_verify=SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT|
- SSL_VERIFY_CLIENT_ONCE;
- if (--argc < 1) goto bad;
- verify_depth=atoi(*(++argv));
- BIO_printf(bio_err,"verify depth is %d, must return a certificate\n",verify_depth);
- }
- else if (strcmp(*argv,"-context") == 0)
- {
- if (--argc < 1) goto bad;
- context= (unsigned char *)*(++argv);
- }
- else if (strcmp(*argv,"-cert") == 0)
- {
- if (--argc < 1) goto bad;
- s_cert_file= *(++argv);
- }
- else if (strcmp(*argv,"-certform") == 0)
- {
- if (--argc < 1) goto bad;
- s_cert_format = str2fmt(*(++argv));
- }
- else if (strcmp(*argv,"-key") == 0)
- {
- if (--argc < 1) goto bad;
- s_key_file= *(++argv);
- }
- else if (strcmp(*argv,"-keyform") == 0)
- {
- if (--argc < 1) goto bad;
- s_key_format = str2fmt(*(++argv));
- }
- else if (strcmp(*argv,"-pass") == 0)
- {
- if (--argc < 1) goto bad;
- passarg = *(++argv);
- }
- else if (strcmp(*argv,"-dhparam") == 0)
- {
- if (--argc < 1) goto bad;
- dhfile = *(++argv);
- }
-#ifndef OPENSSL_NO_ECDH
- else if (strcmp(*argv,"-named_curve") == 0)
- {
- if (--argc < 1) goto bad;
- named_curve = *(++argv);
- }
-#endif
- else if (strcmp(*argv,"-dcertform") == 0)
- {
- if (--argc < 1) goto bad;
- s_dcert_format = str2fmt(*(++argv));
- }
- else if (strcmp(*argv,"-dcert") == 0)
- {
- if (--argc < 1) goto bad;
- s_dcert_file= *(++argv);
- }
- else if (strcmp(*argv,"-dkeyform") == 0)
- {
- if (--argc < 1) goto bad;
- s_dkey_format = str2fmt(*(++argv));
- }
- else if (strcmp(*argv,"-dpass") == 0)
- {
- if (--argc < 1) goto bad;
- dpassarg = *(++argv);
- }
- else if (strcmp(*argv,"-dkey") == 0)
- {
- if (--argc < 1) goto bad;
- s_dkey_file= *(++argv);
- }
- else if (strcmp(*argv,"-nocert") == 0)
- {
- nocert=1;
- }
- else if (strcmp(*argv,"-CApath") == 0)
- {
- if (--argc < 1) goto bad;
- CApath= *(++argv);
- }
- else if (strcmp(*argv,"-crl_check") == 0)
- {
- vflags |= X509_V_FLAG_CRL_CHECK;
- }
- else if (strcmp(*argv,"-crl_check_all") == 0)
- {
- vflags |= X509_V_FLAG_CRL_CHECK|X509_V_FLAG_CRL_CHECK_ALL;
- }
- else if (strcmp(*argv,"-verify_return_error") == 0)
- verify_return_error = 1;
- else if (strcmp(*argv,"-serverpref") == 0)
- { off|=SSL_OP_CIPHER_SERVER_PREFERENCE; }
- else if (strcmp(*argv,"-cipher") == 0)
- {
- if (--argc < 1) goto bad;
- cipher= *(++argv);
- }
- else if (strcmp(*argv,"-CAfile") == 0)
- {
- if (--argc < 1) goto bad;
- CAfile= *(++argv);
- }
-#ifdef FIONBIO
- else if (strcmp(*argv,"-nbio") == 0)
- { s_nbio=1; }
-#endif
- else if (strcmp(*argv,"-nbio_test") == 0)
- {
-#ifdef FIONBIO
- s_nbio=1;
-#endif
- s_nbio_test=1;
- }
- else if (strcmp(*argv,"-debug") == 0)
- { s_debug=1; }
+static int alpn_cb(SSL *s, const unsigned char **out, unsigned char *outlen,
+ const unsigned char *in, unsigned int inlen, void *arg)
+{
+ tlsextalpnctx *alpn_ctx = arg;
+
+ if (!s_quiet) {
+ /* We can assume that |in| is syntactically valid. */
+ unsigned i;
+ BIO_printf(bio_s_out, "ALPN protocols advertised by the client: ");
+ for (i = 0; i < inlen;) {
+ if (i)
+ BIO_write(bio_s_out, ", ", 2);
+ BIO_write(bio_s_out, &in[i + 1], in[i]);
+ i += in[i] + 1;
+ }
+ BIO_write(bio_s_out, "\n", 1);
+ }
+
+ if (SSL_select_next_proto
+ ((unsigned char **)out, outlen, alpn_ctx->data, alpn_ctx->len, in,
+ inlen) != OPENSSL_NPN_NEGOTIATED) {
+ return SSL_TLSEXT_ERR_NOACK;
+ }
+
+ if (!s_quiet) {
+ BIO_printf(bio_s_out, "ALPN protocols selected: ");
+ BIO_write(bio_s_out, *out, *outlen);
+ BIO_write(bio_s_out, "\n", 1);
+ }
+
+ return SSL_TLSEXT_ERR_OK;
+}
+#endif /* ndef OPENSSL_NO_TLSEXT */
+
+static int not_resumable_sess_cb(SSL *s, int is_forward_secure)
+{
+ /* disable resumption for sessions with forward secure ciphers */
+ return is_forward_secure;
+}
+
+static char *jpake_secret = NULL;
+#ifndef OPENSSL_NO_SRP
+static srpsrvparm srp_callback_parm;
+#endif
+#ifndef OPENSSL_NO_SRTP
+static char *srtp_profiles = NULL;
+#endif
+
+typedef enum OPTION_choice {
+ OPT_ERR = -1, OPT_EOF = 0, OPT_HELP,
+ OPT_ENGINE, OPT_PORT, OPT_UNIX, OPT_UNLINK, OPT_NACCEPT,
+ OPT_VERIFY, OPT_UPPER_V_VERIFY, OPT_CONTEXT, OPT_CERT, OPT_CRL,
+ OPT_CRL_DOWNLOAD, OPT_SERVERINFO, OPT_CERTFORM, OPT_KEY, OPT_KEYFORM,
+ OPT_PASS, OPT_CERT_CHAIN, OPT_DHPARAM, OPT_DCERTFORM, OPT_DCERT,
+ OPT_DKEYFORM, OPT_DPASS, OPT_DKEY, OPT_DCERT_CHAIN, OPT_NOCERT,
+ OPT_CAPATH, OPT_CHAINCAPATH, OPT_VERIFYCAPATH, OPT_NO_CACHE,
+ OPT_EXT_CACHE, OPT_CRLFORM, OPT_VERIFY_RET_ERROR, OPT_VERIFY_QUIET,
+ OPT_BUILD_CHAIN, OPT_CAFILE, OPT_CHAINCAFILE, OPT_VERIFYCAFILE,
+ OPT_NBIO, OPT_NBIO_TEST, OPT_IGN_EOF, OPT_NO_IGN_EOF, OPT_DEBUG,
+ OPT_TLSEXTDEBUG, OPT_STATUS, OPT_STATUS_VERBOSE, OPT_STATUS_TIMEOUT,
+ OPT_STATUS_URL, OPT_MSG, OPT_MSGFILE, OPT_TRACE, OPT_SECURITY_DEBUG,
+ OPT_SECURITY_DEBUG_VERBOSE, OPT_STATE, OPT_CRLF, OPT_QUIET,
+ OPT_BRIEF, OPT_NO_TMP_RSA, OPT_NO_DHE, OPT_NO_ECDHE,
+ OPT_NO_RESUME_EPHEMERAL, OPT_PSK_HINT, OPT_PSK, OPT_SRPVFILE,
+ OPT_SRPUSERSEED, OPT_REV, OPT_WWW, OPT_UPPER_WWW, OPT_HTTP,
+#ifndef OPENSSL_NO_SSL3
+ OPT_SSL3,
+#endif
+ OPT_TLS1_2, OPT_TLS1_1, OPT_TLS1, OPT_DTLS, OPT_DTLS1,
+ OPT_DTLS1_2, OPT_TIMEOUT, OPT_MTU, OPT_CHAIN,
+ OPT_ID_PREFIX, OPT_RAND, OPT_SERVERNAME, OPT_SERVERNAME_FATAL,
+ OPT_CERT2, OPT_KEY2, OPT_NEXTPROTONEG, OPT_ALPN, OPT_JPAKE,
+ OPT_SRTP_PROFILES, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN,
+ OPT_S_ENUM,
+ OPT_V_ENUM,
+ OPT_X_ENUM,
+ OPT_KRB5SVC, OPT_KRBTAB
+} OPTION_CHOICE;
+
+OPTIONS s_server_options[] = {
+ {"help", OPT_HELP, '-', "Display this summary"},
+
+ {"port", OPT_PORT, 'p'},
+ {"accept", OPT_PORT, 'p',
+ "TCP/IP port to accept on (default is " PORT_STR ")"},
+ {"unix", OPT_UNIX, 's', "Unix domain socket to accept on"},
+ {"unlink", OPT_UNLINK, '-', "For -unix, unlink existing socket first"},
+ {"context", OPT_CONTEXT, 's', "Set session ID context"},
+ {"verify", OPT_VERIFY, 'n', "Turn on peer certificate verification"},
+ {"Verify", OPT_UPPER_V_VERIFY, 'n',
+ "Turn on peer certificate verification, must have a cert"},
+ {"cert", OPT_CERT, '<', "Certificate file to use; default is " TEST_CERT},
+ {"naccept", OPT_NACCEPT, 'p', "Terminate after pnum connections"},