contrib/bearssl/tools/server.c

   1 /*
   2  * Copyright (c) 2016 Thomas Pornin <pornin@bolet.org>
   3  *
   4  * Permission is hereby granted, free of charge, to any person obtaining
   5  * a copy of this software and associated documentation files (the
   6  * "Software"), to deal in the Software without restriction, including
   7  * without limitation the rights to use, copy, modify, merge, publish,
   8  * distribute, sublicense, and/or sell copies of the Software, and to
   9  * permit persons to whom the Software is furnished to do so, subject to
  10  * the following conditions:
  11  *
  12  * The above copyright notice and this permission notice shall be
  13  * included in all copies or substantial portions of the Software.
  14  *
  15  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
  16  * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
  17  * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
  18  * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
  19  * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
  20  * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
  21  * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
  22  * SOFTWARE.
  23  */
  24
  25 #include <stdio.h>
  26 #include <stdlib.h>
  27 #include <string.h>
  28 #include <stdint.h>
  29 #include <errno.h>
  30 #include <signal.h>
  31
  32 #ifdef _WIN32
  33 #include <winsock2.h>
  34 #include <ws2tcpip.h>
  35 #else
  36 #include <sys/types.h>
  37 #include <sys/socket.h>
  38 #include <netdb.h>
  39 #include <netinet/in.h>
  40 #include <arpa/inet.h>
  41 #include <unistd.h>
  42 #include <fcntl.h>
  43
  44 #define SOCKET             int
  45 #define INVALID_SOCKET     (-1)
  46 #define SOCKADDR_STORAGE   struct sockaddr_storage
  47 #endif
  48
  49 #include "brssl.h"
  50
  51 static SOCKET
  52 host_bind(const char *host, const char *port, int verbose)
  53 {
  54         struct addrinfo hints, *si, *p;
  55         SOCKET fd;
  56         int err;
  57
  58         memset(&hints, 0, sizeof hints);
  59         hints.ai_family = PF_UNSPEC;
  60         hints.ai_socktype = SOCK_STREAM;
  61         err = getaddrinfo(host, port, &hints, &si);
  62         if (err != 0) {
  63                 fprintf(stderr, "ERROR: getaddrinfo(): %s\n",
  64                         gai_strerror(err));
  65                 return INVALID_SOCKET;
  66         }
  67         fd = INVALID_SOCKET;
  68         for (p = si; p != NULL; p = p->ai_next) {
  69                 struct sockaddr *sa;
  70                 struct sockaddr_in sa4;
  71                 struct sockaddr_in6 sa6;
  72                 size_t sa_len;
  73                 void *addr;
  74                 int opt;
  75
  76                 sa = (struct sockaddr *)p->ai_addr;
  77                 if (sa->sa_family == AF_INET) {
  78                         memcpy(&sa4, sa, sizeof sa4);
  79                         sa = (struct sockaddr *)&sa4;
  80                         sa_len = sizeof sa4;
  81                         addr = &sa4.sin_addr;
  82                         if (host == NULL) {
  83                                 sa4.sin_addr.s_addr = INADDR_ANY;
  84                         }
  85                 } else if (sa->sa_family == AF_INET6) {
  86                         memcpy(&sa6, sa, sizeof sa6);
  87                         sa = (struct sockaddr *)&sa6;
  88                         sa_len = sizeof sa6;
  89                         addr = &sa6.sin6_addr;
  90                         if (host == NULL) {
  91                                 sa6.sin6_addr = in6addr_any;
  92                         }
  93                 } else {
  94                         addr = NULL;
  95                         sa_len = p->ai_addrlen;
  96                 }
  97                 if (verbose) {
  98                         char tmp[INET6_ADDRSTRLEN + 50];
  99
 100                         if (addr != NULL) {
 101                                 if (!inet_ntop(p->ai_family, addr,
 102                                         tmp, sizeof tmp))
 103                                 {
 104                                         strcpy(tmp, "<invalid>");
 105                                 }
 106                         } else {
 107                                 sprintf(tmp, "<unknown family: %d>",
 108                                         (int)sa->sa_family);
 109                         }
 110                         fprintf(stderr, "binding to: %s\n", tmp);
 111                 }
 112                 fd = socket(p->ai_family, p->ai_socktype, p->ai_protocol);
 113                 if (fd == INVALID_SOCKET) {
 114                         if (verbose) {
 115                                 perror("socket()");
 116                         }
 117                         continue;
 118                 }
 119                 opt = 1;
 120                 setsockopt(fd, SOL_SOCKET, SO_REUSEADDR,
 121                         (void *)&opt, sizeof opt);
 122 #ifdef IPV6_V6ONLY
 123                 /*
 124                  * We want to make sure that the server socket works for
 125                  * both IPv4 and IPv6. But IPV6_V6ONLY is not defined on
 126                  * some very old systems.
 127                  */
 128                 opt = 0;
 129                 setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY,
 130                         (void *)&opt, sizeof opt);
 131 #endif
 132                 if (bind(fd, sa, sa_len) < 0) {
 133                         if (verbose) {
 134                                 perror("bind()");
 135                         }
 136 #ifdef _WIN32
 137                         closesocket(fd);
 138 #else
 139                         close(fd);
 140 #endif
 141                         continue;
 142                 }
 143                 break;
 144         }
 145         if (p == NULL) {
 146                 freeaddrinfo(si);
 147                 fprintf(stderr, "ERROR: failed to bind\n");
 148                 return INVALID_SOCKET;
 149         }
 150         freeaddrinfo(si);
 151         if (listen(fd, 5) < 0) {
 152                 if (verbose) {
 153                         perror("listen()");
 154                 }
 155 #ifdef _WIN32
 156                 closesocket(fd);
 157 #else
 158                 close(fd);
 159 #endif
 160                 return INVALID_SOCKET;
 161         }
 162         if (verbose) {
 163                 fprintf(stderr, "bound.\n");
 164         }
 165         return fd;
 166 }
 167
 168 static SOCKET
 169 accept_client(SOCKET server_fd, int verbose, int nonblock)
 170 {
 171         int fd;
 172         SOCKADDR_STORAGE sa;
 173         socklen_t sa_len;
 174
 175         sa_len = sizeof sa;
 176         fd = accept(server_fd, (struct sockaddr *)&sa, &sa_len);
 177         if (fd == INVALID_SOCKET) {
 178                 if (verbose) {
 179                         perror("accept()");
 180                 }
 181                 return INVALID_SOCKET;
 182         }
 183         if (verbose) {
 184                 char tmp[INET6_ADDRSTRLEN + 50];
 185                 const char *name;
 186
 187                 name = NULL;
 188                 switch (((struct sockaddr *)&sa)->sa_family) {
 189                 case AF_INET:
 190                         name = inet_ntop(AF_INET,
 191                                 &((struct sockaddr_in *)&sa)->sin_addr,
 192                                 tmp, sizeof tmp);
 193                         break;
 194                 case AF_INET6:
 195                         name = inet_ntop(AF_INET6,
 196                                 &((struct sockaddr_in6 *)&sa)->sin6_addr,
 197                                 tmp, sizeof tmp);
 198                         break;
 199                 }
 200                 if (name == NULL) {
 201                         sprintf(tmp, "<unknown: %lu>", (unsigned long)
 202                                 ((struct sockaddr *)&sa)->sa_family);
 203                         name = tmp;
 204                 }
 205                 fprintf(stderr, "accepting connection from: %s\n", name);
 206         }
 207
 208         /*
 209          * We make the socket non-blocking, since we are going to use
 210          * poll() or select() to organise I/O.
 211          */
 212         if (nonblock) {
 213 #ifdef _WIN32
 214                 u_long arg;
 215
 216                 arg = 1;
 217                 ioctlsocket(fd, FIONBIO, &arg);
 218 #else
 219                 fcntl(fd, F_SETFL, O_NONBLOCK);
 220 #endif
 221         }
 222         return fd;
 223 }
 224
 225 static void
 226 usage_server(void)
 227 {
 228         fprintf(stderr,
 229 "usage: brssl server [ options ]\n");
 230         fprintf(stderr,
 231 "options:\n");
 232         fprintf(stderr,
 233 "   -q              suppress verbose messages\n");
 234         fprintf(stderr,
 235 "   -trace          activate extra debug messages (dump of all packets)\n");
 236         fprintf(stderr,
 237 "   -b name         bind to a specific address or host name\n");
 238         fprintf(stderr,
 239 "   -p port         bind to a specific port (default: 4433)\n");
 240         fprintf(stderr,
 241 "   -mono           use monodirectional buffering\n");
 242         fprintf(stderr,
 243 "   -buf length     set the I/O buffer length (in bytes)\n");
 244         fprintf(stderr,
 245 "   -cache length   set the session cache storage length (in bytes)\n");
 246         fprintf(stderr,
 247 "   -cert fname     read certificate chain from file 'fname'\n");
 248         fprintf(stderr,
 249 "   -key fname      read private key from file 'fname'\n");
 250         fprintf(stderr,
 251 "   -CA file        add trust anchors from 'file' (for client auth)\n");
 252         fprintf(stderr,
 253 "   -anon_ok        request but do not require a client certificate\n");
 254         fprintf(stderr,
 255 "   -list           list supported names (protocols, algorithms...)\n");
 256         fprintf(stderr,
 257 "   -vmin name      set minimum supported version (default: TLS-1.0)\n");
 258         fprintf(stderr,
 259 "   -vmax name      set maximum supported version (default: TLS-1.2)\n");
 260         fprintf(stderr,
 261 "   -cs names       set list of supported cipher suites (comma-separated)\n");
 262         fprintf(stderr,
 263 "   -hf names       add support for some hash functions (comma-separated)\n");
 264         fprintf(stderr,
 265 "   -cbhash         test hashing in policy callback\n");
 266         fprintf(stderr,
 267 "   -serverpref     enforce server's preferences for cipher suites\n");
 268         fprintf(stderr,
 269 "   -noreneg        prohibit renegotiations\n");
 270         fprintf(stderr,
 271 "   -alpn name      add protocol name to list of protocols (ALPN extension)\n");
 272         fprintf(stderr,
 273 "   -strictalpn     fail on ALPN mismatch\n");
 274         exit(EXIT_FAILURE);
 275 }
 276
 277 typedef struct {
 278         const br_ssl_server_policy_class *vtable;
 279         int verbose;
 280         br_x509_certificate *chain;
 281         size_t chain_len;
 282         int cert_signer_algo;
 283         private_key *sk;
 284         int cbhash;
 285 } policy_context;
 286
 287 static void
 288 print_hashes(unsigned chashes)
 289 {
 290         int i;
 291
 292         for (i = 2; i <= 6; i ++) {
 293                 if ((chashes >> i) & 1) {
 294                         int z;
 295
 296                         switch (i) {
 297                         case 3: z = 224; break;
 298                         case 4: z = 256; break;
 299                         case 5: z = 384; break;
 300                         case 6: z = 512; break;
 301                         default:
 302                                 z = 1;
 303                                 break;
 304                         }
 305                         fprintf(stderr, " sha%d", z);
 306                 }
 307         }
 308 }
 309
 310 static unsigned
 311 choose_hash(unsigned chashes)
 312 {
 313         unsigned hash_id;
 314
 315         for (hash_id = 6; hash_id >= 2; hash_id --) {
 316                 if (((chashes >> hash_id) & 1) != 0) {
 317                         return hash_id;
 318                 }
 319         }
 320         /*
 321          * Normally unreachable.
 322          */
 323         return 0;
 324 }
 325
 326 static int
 327 sp_choose(const br_ssl_server_policy_class **pctx,
 328         const br_ssl_server_context *cc,
 329         br_ssl_server_choices *choices)
 330 {
 331         policy_context *pc;
 332         const br_suite_translated *st;
 333         size_t u, st_num;
 334         unsigned chashes;
 335
 336         pc = (policy_context *)pctx;
 337         st = br_ssl_server_get_client_suites(cc, &st_num);
 338         chashes = br_ssl_server_get_client_hashes(cc);
 339         if (pc->verbose) {
 340                 fprintf(stderr, "Client parameters:\n");
 341                 fprintf(stderr, "   Maximum version:      ");
 342                 switch (cc->client_max_version) {
 343                 case BR_SSL30:
 344                         fprintf(stderr, "SSL 3.0");
 345                         break;
 346                 case BR_TLS10:
 347                         fprintf(stderr, "TLS 1.0");
 348                         break;
 349                 case BR_TLS11:
 350                         fprintf(stderr, "TLS 1.1");
 351                         break;
 352                 case BR_TLS12:
 353                         fprintf(stderr, "TLS 1.2");
 354                         break;
 355                 default:
 356                         fprintf(stderr, "unknown (0x%04X)",
 357                                 (unsigned)cc->client_max_version);
 358                         break;
 359                 }
 360                 fprintf(stderr, "\n");
 361                 fprintf(stderr, "   Compatible cipher suites:\n");
 362                 for (u = 0; u < st_num; u ++) {
 363                         char csn[80];
 364
 365                         get_suite_name_ext(st[u][0], csn, sizeof csn);
 366                         fprintf(stderr, "      %s\n", csn);
 367                 }
 368                 fprintf(stderr, "   Common sign+hash functions:\n");
 369                 if ((chashes & 0xFF) != 0) {
 370                         fprintf(stderr, "      with RSA:");
 371                         print_hashes(chashes);
 372                         fprintf(stderr, "\n");
 373                 }
 374                 if ((chashes >> 8) != 0) {
 375                         fprintf(stderr, "      with ECDSA:");
 376                         print_hashes(chashes >> 8);
 377                         fprintf(stderr, "\n");
 378                 }
 379         }
 380         for (u = 0; u < st_num; u ++) {
 381                 unsigned tt;
 382
 383                 tt = st[u][1];
 384                 switch (tt >> 12) {
 385                 case BR_SSLKEYX_RSA:
 386                         if (pc->sk->key_type == BR_KEYTYPE_RSA) {
 387                                 choices->cipher_suite = st[u][0];
 388                                 goto choose_ok;
 389                         }
 390                         break;
 391                 case BR_SSLKEYX_ECDHE_RSA:
 392                         if (pc->sk->key_type == BR_KEYTYPE_RSA) {
 393                                 choices->cipher_suite = st[u][0];
 394                                 if (br_ssl_engine_get_version(&cc->eng)
 395                                         < BR_TLS12)
 396                                 {
 397                                         if (pc->cbhash) {
 398                                                 choices->algo_id = 0x0001;
 399                                         } else {
 400                                                 choices->algo_id = 0xFF00;
 401                                         }
 402                                 } else {
 403                                         unsigned id;
 404
 405                                         id = choose_hash(chashes);
 406                                         if (pc->cbhash) {
 407                                                 choices->algo_id =
 408                                                         (id << 8) + 0x01;
 409                                         } else {
 410                                                 choices->algo_id = 0xFF00 + id;
 411                                         }
 412                                 }
 413                                 goto choose_ok;
 414                         }
 415                         break;
 416                 case BR_SSLKEYX_ECDHE_ECDSA:
 417                         if (pc->sk->key_type == BR_KEYTYPE_EC) {
 418                                 choices->cipher_suite = st[u][0];
 419                                 if (br_ssl_engine_get_version(&cc->eng)
 420                                         < BR_TLS12)
 421                                 {
 422                                         if (pc->cbhash) {
 423                                                 choices->algo_id = 0x0203;
 424                                         } else {
 425                                                 choices->algo_id =
 426                                                         0xFF00 + br_sha1_ID;
 427                                         }
 428                                 } else {
 429                                         unsigned id;
 430
 431                                         id = choose_hash(chashes >> 8);
 432                                         if (pc->cbhash) {
 433                                                 choices->algo_id =
 434                                                         (id << 8) + 0x03;
 435                                         } else {
 436                                                 choices->algo_id =
 437                                                         0xFF00 + id;
 438                                         }
 439                                 }
 440                                 goto choose_ok;
 441                         }
 442                         break;
 443                 case BR_SSLKEYX_ECDH_RSA:
 444                         if (pc->sk->key_type == BR_KEYTYPE_EC
 445                                 && pc->cert_signer_algo == BR_KEYTYPE_RSA)
 446                         {
 447                                 choices->cipher_suite = st[u][0];
 448                                 goto choose_ok;
 449                         }
 450                         break;
 451                 case BR_SSLKEYX_ECDH_ECDSA:
 452                         if (pc->sk->key_type == BR_KEYTYPE_EC
 453                                 && pc->cert_signer_algo == BR_KEYTYPE_EC)
 454                         {
 455                                 choices->cipher_suite = st[u][0];
 456                                 goto choose_ok;
 457                         }
 458                         break;
 459                 }
 460         }
 461         return 0;
 462
 463 choose_ok:
 464         choices->chain = pc->chain;
 465         choices->chain_len = pc->chain_len;
 466         if (pc->verbose) {
 467                 char csn[80];
 468
 469                 get_suite_name_ext(choices->cipher_suite, csn, sizeof csn);
 470                 fprintf(stderr, "Using: %s\n", csn);
 471         }
 472         return 1;
 473 }
 474
 475 static uint32_t
 476 sp_do_keyx(const br_ssl_server_policy_class **pctx,
 477         unsigned char *data, size_t *len)
 478 {
 479         policy_context *pc;
 480         uint32_t r;
 481         size_t xoff, xlen;
 482
 483         pc = (policy_context *)pctx;
 484         switch (pc->sk->key_type) {
 485                 const br_ec_impl *iec;
 486
 487         case BR_KEYTYPE_RSA:
 488                 return br_rsa_ssl_decrypt(
 489                         br_rsa_private_get_default(),
 490                         &pc->sk->key.rsa, data, *len);
 491         case BR_KEYTYPE_EC:
 492                 iec = br_ec_get_default();
 493                 r = iec->mul(data, *len, pc->sk->key.ec.x,
 494                         pc->sk->key.ec.xlen, pc->sk->key.ec.curve);
 495                 xoff = iec->xoff(pc->sk->key.ec.curve, &xlen);
 496                 memmove(data, data + xoff, xlen);
 497                 *len = xlen;
 498                 return r;
 499         default:
 500                 fprintf(stderr, "ERROR: unknown private key type (%d)\n",
 501                         (int)pc->sk->key_type);
 502                 return 0;
 503         }
 504 }
 505
 506 static size_t
 507 sp_do_sign(const br_ssl_server_policy_class **pctx,
 508         unsigned algo_id, unsigned char *data, size_t hv_len, size_t len)
 509 {
 510         policy_context *pc;
 511         unsigned char hv[64];
 512
 513         pc = (policy_context *)pctx;
 514         if (algo_id >= 0xFF00) {
 515                 algo_id &= 0xFF;
 516                 memcpy(hv, data, hv_len);
 517         } else {
 518                 const br_hash_class *hc;
 519                 br_hash_compat_context zc;
 520
 521                 if (pc->verbose) {
 522                         fprintf(stderr, "Callback hashing, algo = 0x%04X,"
 523                                 " data_len = %lu\n",
 524                                 algo_id, (unsigned long)hv_len);
 525                 }
 526                 algo_id >>= 8;
 527                 hc = get_hash_impl(algo_id);
 528                 if (hc == NULL) {
 529                         if (pc->verbose) {
 530                                 fprintf(stderr,
 531                                         "ERROR: unsupported hash function %u\n",
 532                                         algo_id);
 533                         }
 534                         return 0;
 535                 }
 536                 hc->init(&zc.vtable);
 537                 hc->update(&zc.vtable, data, hv_len);
 538                 hc->out(&zc.vtable, hv);
 539                 hv_len = (hc->desc >> BR_HASHDESC_OUT_OFF)
 540                         & BR_HASHDESC_OUT_MASK;
 541         }
 542         switch (pc->sk->key_type) {
 543                 size_t sig_len;
 544                 uint32_t x;
 545                 const unsigned char *hash_oid;
 546                 const br_hash_class *hc;
 547
 548         case BR_KEYTYPE_RSA:
 549                 hash_oid = get_hash_oid(algo_id);
 550                 if (hash_oid == NULL && algo_id != 0) {
 551                         if (pc->verbose) {
 552                                 fprintf(stderr, "ERROR: cannot RSA-sign with"
 553                                         " unknown hash function: %u\n",
 554                                         algo_id);
 555                         }
 556                         return 0;
 557                 }
 558                 sig_len = (pc->sk->key.rsa.n_bitlen + 7) >> 3;
 559                 if (len < sig_len) {
 560                         if (pc->verbose) {
 561                                 fprintf(stderr, "ERROR: cannot RSA-sign,"
 562                                         " buffer is too small"
 563                                         " (sig=%lu, buf=%lu)\n",
 564                                         (unsigned long)sig_len,
 565                                         (unsigned long)len);
 566                         }
 567                         return 0;
 568                 }
 569                 x = br_rsa_pkcs1_sign_get_default()(
 570                         hash_oid, hv, hv_len, &pc->sk->key.rsa, data);
 571                 if (!x) {
 572                         if (pc->verbose) {
 573                                 fprintf(stderr, "ERROR: RSA-sign failure\n");
 574                         }
 575                         return 0;
 576                 }
 577                 return sig_len;
 578
 579         case BR_KEYTYPE_EC:
 580                 hc = get_hash_impl(algo_id);
 581                 if (hc == NULL) {
 582                         if (pc->verbose) {
 583                                 fprintf(stderr, "ERROR: cannot ECDSA-sign with"
 584                                         " unknown hash function: %u\n",
 585                                         algo_id);
 586                         }
 587                         return 0;
 588                 }
 589                 if (len < 139) {
 590                         if (pc->verbose) {
 591                                 fprintf(stderr, "ERROR: cannot ECDSA-sign"
 592                                         " (output buffer = %lu)\n",
 593                                         (unsigned long)len);
 594                         }
 595                         return 0;
 596                 }
 597                 sig_len = br_ecdsa_sign_asn1_get_default()(
 598                         br_ec_get_default(), hc, hv, &pc->sk->key.ec, data);
 599                 if (sig_len == 0) {
 600                         if (pc->verbose) {
 601                                 fprintf(stderr, "ERROR: ECDSA-sign failure\n");
 602                         }
 603                         return 0;
 604                 }
 605                 return sig_len;
 606
 607         default:
 608                 return 0;
 609         }
 610 }
 611
 612 static const br_ssl_server_policy_class policy_vtable = {
 613         sizeof(policy_context),
 614         sp_choose,
 615         sp_do_keyx,
 616         sp_do_sign
 617 };
 618
 619 void
 620 free_alpn(void *alpn)
 621 {
 622         xfree(*(char **)alpn);
 623 }
 624
 625 /* see brssl.h */
 626 int
 627 do_server(int argc, char *argv[])
 628 {
 629         int retcode;
 630         int verbose;
 631         int trace;
 632         int i, bidi;
 633         const char *bind_name;
 634         const char *port;
 635         unsigned vmin, vmax;
 636         cipher_suite *suites;
 637         size_t num_suites;
 638         uint16_t *suite_ids;
 639         unsigned hfuns;
 640         int cbhash;
 641         br_x509_certificate *chain;
 642         size_t chain_len;
 643         int cert_signer_algo;
 644         private_key *sk;
 645         anchor_list anchors = VEC_INIT;
 646         VECTOR(char *) alpn_names = VEC_INIT;
 647         br_x509_minimal_context xc;
 648         const br_hash_class *dnhash;
 649         size_t u;
 650         br_ssl_server_context cc;
 651         policy_context pc;
 652         br_ssl_session_cache_lru lru;
 653         unsigned char *iobuf, *cache;
 654         size_t iobuf_len, cache_len;
 655         uint32_t flags;
 656         SOCKET server_fd, fd;
 657
 658         retcode = 0;
 659         verbose = 1;
 660         trace = 0;
 661         bind_name = NULL;
 662         port = NULL;
 663         bidi = 1;
 664         vmin = 0;
 665         vmax = 0;
 666         suites = NULL;
 667         num_suites = 0;
 668         hfuns = 0;
 669         cbhash = 0;
 670         suite_ids = NULL;
 671         chain = NULL;
 672         chain_len = 0;
 673         sk = NULL;
 674         iobuf = NULL;
 675         iobuf_len = 0;
 676         cache = NULL;
 677         cache_len = (size_t)-1;
 678         flags = 0;
 679         server_fd = INVALID_SOCKET;
 680         fd = INVALID_SOCKET;
 681         for (i = 0; i < argc; i ++) {
 682                 const char *arg;
 683
 684                 arg = argv[i];
 685                 if (arg[0] != '-') {
 686                         usage_server();
 687                         goto server_exit_error;
 688                 }
 689                 if (eqstr(arg, "-v") || eqstr(arg, "-verbose")) {
 690                         verbose = 1;
 691                 } else if (eqstr(arg, "-q") || eqstr(arg, "-quiet")) {
 692                         verbose = 0;
 693                 } else if (eqstr(arg, "-trace")) {
 694                         trace = 1;
 695                 } else if (eqstr(arg, "-b")) {
 696                         if (++ i >= argc) {
 697                                 fprintf(stderr,
 698                                         "ERROR: no argument for '-b'\n");
 699                                 usage_server();
 700                                 goto server_exit_error;
 701                         }
 702                         if (bind_name != NULL) {
 703                                 fprintf(stderr, "ERROR: duplicate bind host\n");
 704                                 usage_server();
 705                                 goto server_exit_error;
 706                         }
 707                         bind_name = argv[i];
 708                 } else if (eqstr(arg, "-p")) {
 709                         if (++ i >= argc) {
 710                                 fprintf(stderr,
 711                                         "ERROR: no argument for '-p'\n");
 712                                 usage_server();
 713                                 goto server_exit_error;
 714                         }
 715                         if (port != NULL) {
 716                                 fprintf(stderr, "ERROR: duplicate bind port\n");
 717                                 usage_server();
 718                                 goto server_exit_error;
 719                         }
 720                         port = argv[i];
 721                 } else if (eqstr(arg, "-mono")) {
 722                         bidi = 0;
 723                 } else if (eqstr(arg, "-buf")) {
 724                         if (++ i >= argc) {
 725                                 fprintf(stderr,
 726                                         "ERROR: no argument for '-buf'\n");
 727                                 usage_server();
 728                                 goto server_exit_error;
 729                         }
 730                         arg = argv[i];
 731                         if (iobuf_len != 0) {
 732                                 fprintf(stderr,
 733                                         "ERROR: duplicate I/O buffer length\n");
 734                                 usage_server();
 735                                 goto server_exit_error;
 736                         }
 737                         iobuf_len = parse_size(arg);
 738                         if (iobuf_len == (size_t)-1) {
 739                                 usage_server();
 740                                 goto server_exit_error;
 741                         }
 742                 } else if (eqstr(arg, "-cache")) {
 743                         if (++ i >= argc) {
 744                                 fprintf(stderr,
 745                                         "ERROR: no argument for '-cache'\n");
 746                                 usage_server();
 747                                 goto server_exit_error;
 748                         }
 749                         arg = argv[i];
 750                         if (cache_len != (size_t)-1) {
 751                                 fprintf(stderr, "ERROR: duplicate session"
 752                                         " cache length\n");
 753                                 usage_server();
 754                                 goto server_exit_error;
 755                         }
 756                         cache_len = parse_size(arg);
 757                         if (cache_len == (size_t)-1) {
 758                                 usage_server();
 759                                 goto server_exit_error;
 760                         }
 761                 } else if (eqstr(arg, "-cert")) {
 762                         if (++ i >= argc) {
 763                                 fprintf(stderr,
 764                                         "ERROR: no argument for '-cert'\n");
 765                                 usage_server();
 766                                 goto server_exit_error;
 767                         }
 768                         if (chain != NULL) {
 769                                 fprintf(stderr,
 770                                         "ERROR: duplicate certificate chain\n");
 771                                 usage_server();
 772                                 goto server_exit_error;
 773                         }
 774                         arg = argv[i];
 775                         chain = read_certificates(arg, &chain_len);
 776                         if (chain == NULL || chain_len == 0) {
 777                                 goto server_exit_error;
 778                         }
 779                 } else if (eqstr(arg, "-key")) {
 780                         if (++ i >= argc) {
 781                                 fprintf(stderr,
 782                                         "ERROR: no argument for '-key'\n");
 783                                 usage_server();
 784                                 goto server_exit_error;
 785                         }
 786                         if (sk != NULL) {
 787                                 fprintf(stderr,
 788                                         "ERROR: duplicate private key\n");
 789                                 usage_server();
 790                                 goto server_exit_error;
 791                         }
 792                         arg = argv[i];
 793                         sk = read_private_key(arg);
 794                         if (sk == NULL) {
 795                                 goto server_exit_error;
 796                         }
 797                 } else if (eqstr(arg, "-CA")) {
 798                         if (++ i >= argc) {
 799                                 fprintf(stderr,
 800                                         "ERROR: no argument for '-CA'\n");
 801                                 usage_server();
 802                                 goto server_exit_error;
 803                         }
 804                         arg = argv[i];
 805                         if (read_trust_anchors(&anchors, arg) == 0) {
 806                                 usage_server();
 807                                 goto server_exit_error;
 808                         }
 809                 } else if (eqstr(arg, "-anon_ok")) {
 810                         flags |= BR_OPT_TOLERATE_NO_CLIENT_AUTH;
 811                 } else if (eqstr(arg, "-list")) {
 812                         list_names();
 813                         goto server_exit;
 814                 } else if (eqstr(arg, "-vmin")) {
 815                         if (++ i >= argc) {
 816                                 fprintf(stderr,
 817                                         "ERROR: no argument for '-vmin'\n");
 818                                 usage_server();
 819                                 goto server_exit_error;
 820                         }
 821                         arg = argv[i];
 822                         if (vmin != 0) {
 823                                 fprintf(stderr,
 824                                         "ERROR: duplicate minimum version\n");
 825                                 usage_server();
 826                                 goto server_exit_error;
 827                         }
 828                         vmin = parse_version(arg, strlen(arg));
 829                         if (vmin == 0) {
 830                                 fprintf(stderr,
 831                                         "ERROR: unrecognised version '%s'\n",
 832                                         arg);
 833                                 usage_server();
 834                                 goto server_exit_error;
 835                         }
 836                 } else if (eqstr(arg, "-vmax")) {
 837                         if (++ i >= argc) {
 838                                 fprintf(stderr,
 839                                         "ERROR: no argument for '-vmax'\n");
 840                                 usage_server();
 841                                 goto server_exit_error;
 842                         }
 843                         arg = argv[i];
 844                         if (vmax != 0) {
 845                                 fprintf(stderr,
 846                                         "ERROR: duplicate maximum version\n");
 847                                 usage_server();
 848                                 goto server_exit_error;
 849                         }
 850                         vmax = parse_version(arg, strlen(arg));
 851                         if (vmax == 0) {
 852                                 fprintf(stderr,
 853                                         "ERROR: unrecognised version '%s'\n",
 854                                         arg);
 855                                 usage_server();
 856                                 goto server_exit_error;
 857                         }
 858                 } else if (eqstr(arg, "-cs")) {
 859                         if (++ i >= argc) {
 860                                 fprintf(stderr,
 861                                         "ERROR: no argument for '-cs'\n");
 862                                 usage_server();
 863                                 goto server_exit_error;
 864                         }
 865                         arg = argv[i];
 866                         if (suites != NULL) {
 867                                 fprintf(stderr, "ERROR: duplicate list"
 868                                         " of cipher suites\n");
 869                                 usage_server();
 870                                 goto server_exit_error;
 871                         }
 872                         suites = parse_suites(arg, &num_suites);
 873                         if (suites == NULL) {
 874                                 usage_server();
 875                                 goto server_exit_error;
 876                         }
 877                 } else if (eqstr(arg, "-hf")) {
 878                         unsigned x;
 879
 880                         if (++ i >= argc) {
 881                                 fprintf(stderr,
 882                                         "ERROR: no argument for '-hf'\n");
 883                                 usage_server();
 884                                 goto server_exit_error;
 885                         }
 886                         arg = argv[i];
 887                         x = parse_hash_functions(arg);
 888                         if (x == 0) {
 889                                 usage_server();
 890                                 goto server_exit_error;
 891                         }
 892                         hfuns |= x;
 893                 } else if (eqstr(arg, "-cbhash")) {
 894                         cbhash = 1;
 895                 } else if (eqstr(arg, "-serverpref")) {
 896                         flags |= BR_OPT_ENFORCE_SERVER_PREFERENCES;
 897                 } else if (eqstr(arg, "-noreneg")) {
 898                         flags |= BR_OPT_NO_RENEGOTIATION;
 899                 } else if (eqstr(arg, "-alpn")) {
 900                         if (++ i >= argc) {
 901                                 fprintf(stderr,
 902                                         "ERROR: no argument for '-alpn'\n");
 903                                 usage_server();
 904                                 goto server_exit_error;
 905                         }
 906                         VEC_ADD(alpn_names, xstrdup(argv[i]));
 907                 } else if (eqstr(arg, "-strictalpn")) {
 908                         flags |= BR_OPT_FAIL_ON_ALPN_MISMATCH;
 909                 } else {
 910                         fprintf(stderr, "ERROR: unknown option: '%s'\n", arg);
 911                         usage_server();
 912                         goto server_exit_error;
 913                 }
 914         }
 915         if (port == NULL) {
 916                 port = "4433";
 917         }
 918         if (vmin == 0) {
 919                 vmin = BR_TLS10;
 920         }
 921         if (vmax == 0) {
 922                 vmax = BR_TLS12;
 923         }
 924         if (vmax < vmin) {
 925                 fprintf(stderr, "ERROR: impossible minimum/maximum protocol"
 926                         " version combination\n");
 927                 usage_server();
 928                 goto server_exit_error;
 929         }
 930         if (suites == NULL) {
 931                 num_suites = 0;
 932
 933                 for (u = 0; cipher_suites[u].name; u ++) {
 934                         if ((cipher_suites[u].req & REQ_TLS12) == 0
 935                                 || vmax >= BR_TLS12)
 936                         {
 937                                 num_suites ++;
 938                         }
 939                 }
 940                 suites = xmalloc(num_suites * sizeof *suites);
 941                 num_suites = 0;
 942                 for (u = 0; cipher_suites[u].name; u ++) {
 943                         if ((cipher_suites[u].req & REQ_TLS12) == 0
 944                                 || vmax >= BR_TLS12)
 945                         {
 946                                 suites[num_suites ++] = cipher_suites[u];
 947                         }
 948                 }
 949         }
 950         if (hfuns == 0) {
 951                 hfuns = (unsigned)-1;
 952         }
 953         if (chain == NULL || chain_len == 0) {
 954                 fprintf(stderr, "ERROR: no certificate chain provided\n");
 955                 goto server_exit_error;
 956         }
 957         if (sk == NULL) {
 958                 fprintf(stderr, "ERROR: no private key provided\n");
 959                 goto server_exit_error;
 960         }
 961         switch (sk->key_type) {
 962                 int curve;
 963                 uint32_t supp;
 964
 965         case BR_KEYTYPE_RSA:
 966                 break;
 967         case BR_KEYTYPE_EC:
 968                 curve = sk->key.ec.curve;
 969                 supp = br_ec_get_default()->supported_curves;
 970                 if (curve > 31 || !((supp >> curve) & 1)) {
 971                         fprintf(stderr, "ERROR: private key curve (%d)"
 972                                 " is not supported\n", curve);
 973                         goto server_exit_error;
 974                 }
 975                 break;
 976         default:
 977                 fprintf(stderr, "ERROR: unsupported private key type (%d)\n",
 978                         sk->key_type);
 979                 break;
 980         }
 981         cert_signer_algo = get_cert_signer_algo(chain);
 982         if (cert_signer_algo == 0) {
 983                 goto server_exit_error;
 984         }
 985         if (verbose) {
 986                 const char *csas;
 987
 988                 switch (cert_signer_algo) {
 989                 case BR_KEYTYPE_RSA: csas = "RSA"; break;
 990                 case BR_KEYTYPE_EC:  csas = "EC"; break;
 991                 default:
 992                         csas = "unknown";
 993                         break;
 994                 }
 995                 fprintf(stderr, "Issuing CA key type: %d (%s)\n",
 996                         cert_signer_algo, csas);
 997         }
 998         if (iobuf_len == 0) {
 999                 if (bidi) {
1000                         iobuf_len = BR_SSL_BUFSIZE_BIDI;
1001                 } else {
1002                         iobuf_len = BR_SSL_BUFSIZE_MONO;
1003                 }
1004         }
1005         iobuf = xmalloc(iobuf_len);
1006         if (cache_len == (size_t)-1) {
1007                 cache_len = 5000;
1008         }
1009         cache = xmalloc(cache_len);
1010
1011         /*
1012          * Compute implementation requirements and inject implementations.
1013          */
1014         suite_ids = xmalloc(num_suites * sizeof *suite_ids);
1015         br_ssl_server_zero(&cc);
1016         br_ssl_engine_set_versions(&cc.eng, vmin, vmax);
1017         br_ssl_engine_set_all_flags(&cc.eng, flags);
1018         if (vmin <= BR_TLS11) {
1019                 if (!(hfuns & (1 << br_md5_ID))) {
1020                         fprintf(stderr, "ERROR: TLS 1.0 and 1.1 need MD5\n");
1021                         goto server_exit_error;
1022                 }
1023                 if (!(hfuns & (1 << br_sha1_ID))) {
1024                         fprintf(stderr, "ERROR: TLS 1.0 and 1.1 need SHA-1\n");
1025                         goto server_exit_error;
1026                 }
1027         }
1028         for (u = 0; u < num_suites; u ++) {
1029                 unsigned req;
1030
1031                 req = suites[u].req;
1032                 suite_ids[u] = suites[u].suite;
1033                 if ((req & REQ_TLS12) != 0 && vmax < BR_TLS12) {
1034                         fprintf(stderr,
1035                                 "ERROR: cipher suite %s requires TLS 1.2\n",
1036                                 suites[u].name);
1037                         goto server_exit_error;
1038                 }
1039                 if ((req & REQ_SHA1) != 0 && !(hfuns & (1 << br_sha1_ID))) {
1040                         fprintf(stderr,
1041                                 "ERROR: cipher suite %s requires SHA-1\n",
1042                                 suites[u].name);
1043                         goto server_exit_error;
1044                 }
1045                 if ((req & REQ_SHA256) != 0 && !(hfuns & (1 << br_sha256_ID))) {
1046                         fprintf(stderr,
1047                                 "ERROR: cipher suite %s requires SHA-256\n",
1048                                 suites[u].name);
1049                         goto server_exit_error;
1050                 }
1051                 if ((req & REQ_SHA384) != 0 && !(hfuns & (1 << br_sha384_ID))) {
1052                         fprintf(stderr,
1053                                 "ERROR: cipher suite %s requires SHA-384\n",
1054                                 suites[u].name);
1055                         goto server_exit_error;
1056                 }
1057                 /* TODO: algorithm implementation selection */
1058                 if ((req & REQ_AESCBC) != 0) {
1059                         br_ssl_engine_set_default_aes_cbc(&cc.eng);
1060                 }
1061                 if ((req & REQ_AESCCM) != 0) {
1062                         br_ssl_engine_set_default_aes_ccm(&cc.eng);
1063                 }
1064                 if ((req & REQ_AESGCM) != 0) {
1065                         br_ssl_engine_set_default_aes_gcm(&cc.eng);
1066                 }
1067                 if ((req & REQ_CHAPOL) != 0) {
1068                         br_ssl_engine_set_default_chapol(&cc.eng);
1069                 }
1070                 if ((req & REQ_3DESCBC) != 0) {
1071                         br_ssl_engine_set_default_des_cbc(&cc.eng);
1072                 }
1073                 if ((req & (REQ_ECDHE_RSA | REQ_ECDHE_ECDSA)) != 0) {
1074                         br_ssl_engine_set_default_ec(&cc.eng);
1075                 }
1076         }
1077         br_ssl_engine_set_suites(&cc.eng, suite_ids, num_suites);
1078
1079         dnhash = NULL;
1080         for (u = 0; hash_functions[u].name; u ++) {
1081                 const br_hash_class *hc;
1082                 int id;
1083
1084                 hc = hash_functions[u].hclass;
1085                 id = (hc->desc >> BR_HASHDESC_ID_OFF) & BR_HASHDESC_ID_MASK;
1086                 if ((hfuns & ((unsigned)1 << id)) != 0) {
1087                         dnhash = hc;
1088                         br_ssl_engine_set_hash(&cc.eng, id, hc);
1089                 }
1090         }
1091         if (vmin <= BR_TLS11) {
1092                 br_ssl_engine_set_prf10(&cc.eng, &br_tls10_prf);
1093         }
1094         if (vmax >= BR_TLS12) {
1095                 if ((hfuns & ((unsigned)1 << br_sha256_ID)) != 0) {
1096                         br_ssl_engine_set_prf_sha256(&cc.eng,
1097                                 &br_tls12_sha256_prf);
1098                 }
1099                 if ((hfuns & ((unsigned)1 << br_sha384_ID)) != 0) {
1100                         br_ssl_engine_set_prf_sha384(&cc.eng,
1101                                 &br_tls12_sha384_prf);
1102                 }
1103         }
1104
1105         br_ssl_session_cache_lru_init(&lru, cache, cache_len);
1106         br_ssl_server_set_cache(&cc, &lru.vtable);
1107
1108         if (VEC_LEN(alpn_names) != 0) {
1109                 br_ssl_engine_set_protocol_names(&cc.eng,
1110                         (const char **)&VEC_ELT(alpn_names, 0),
1111                         VEC_LEN(alpn_names));
1112         }
1113
1114         /*
1115          * Set the policy handler (that chooses the actual cipher suite,
1116          * selects the certificate chain, and runs the private key
1117          * operations).
1118          */
1119         pc.vtable = &policy_vtable;
1120         pc.verbose = verbose;
1121         pc.chain = chain;
1122         pc.chain_len = chain_len;
1123         pc.cert_signer_algo = cert_signer_algo;
1124         pc.sk = sk;
1125         pc.cbhash = cbhash;
1126         br_ssl_server_set_policy(&cc, &pc.vtable);
1127
1128         /*
1129          * If trust anchors have been configured, then set an X.509
1130          * validation engine and activate client certificate
1131          * authentication.
1132          */
1133         if (VEC_LEN(anchors) != 0) {
1134                 br_x509_minimal_init(&xc, dnhash,
1135                         &VEC_ELT(anchors, 0), VEC_LEN(anchors));
1136                 for (u = 0; hash_functions[u].name; u ++) {
1137                         const br_hash_class *hc;
1138                         int id;
1139
1140                         hc = hash_functions[u].hclass;
1141                         id = (hc->desc >> BR_HASHDESC_ID_OFF)
1142                                 & BR_HASHDESC_ID_MASK;
1143                         if ((hfuns & ((unsigned)1 << id)) != 0) {
1144                                 br_x509_minimal_set_hash(&xc, id, hc);
1145                         }
1146                 }
1147                 br_ssl_engine_set_default_rsavrfy(&cc.eng);
1148                 br_ssl_engine_set_default_ecdsa(&cc.eng);
1149                 br_x509_minimal_set_rsa(&xc, br_rsa_pkcs1_vrfy_get_default());
1150                 br_x509_minimal_set_ecdsa(&xc,
1151                         br_ec_get_default(), br_ecdsa_vrfy_asn1_get_default());
1152                 br_ssl_engine_set_x509(&cc.eng, &xc.vtable);
1153                 br_ssl_server_set_trust_anchor_names_alt(&cc,
1154                         &VEC_ELT(anchors, 0), VEC_LEN(anchors));
1155         }
1156
1157         br_ssl_engine_set_buffer(&cc.eng, iobuf, iobuf_len, bidi);
1158
1159         /*
1160          * On Unix systems, we need to ignore SIGPIPE.
1161          */
1162 #ifndef _WIN32
1163         signal(SIGPIPE, SIG_IGN);
1164 #endif
1165
1166         /*
1167          * Open the server socket.
1168          */
1169         server_fd = host_bind(bind_name, port, verbose);
1170         if (server_fd == INVALID_SOCKET) {
1171                 goto server_exit_error;
1172         }
1173
1174         /*
1175          * Process incoming clients, one at a time. Note that we do not
1176          * accept any client until the previous connection has finished:
1177          * this is voluntary, since the tool uses stdin/stdout for
1178          * application data, and thus cannot really run two connections
1179          * simultaneously.
1180          */
1181         for (;;) {
1182                 int x;
1183                 unsigned run_flags;
1184
1185                 fd = accept_client(server_fd, verbose, 1);
1186                 if (fd == INVALID_SOCKET) {
1187                         goto server_exit_error;
1188                 }
1189                 br_ssl_server_reset(&cc);
1190                 run_flags = (verbose ? RUN_ENGINE_VERBOSE : 0)
1191                         | (trace ? RUN_ENGINE_TRACE : 0);
1192                 x = run_ssl_engine(&cc.eng, fd, run_flags);
1193 #ifdef _WIN32
1194                 closesocket(fd);
1195 #else
1196                 close(fd);
1197 #endif
1198                 fd = INVALID_SOCKET;
1199                 if (x < -1) {
1200                         goto server_exit_error;
1201                 }
1202         }
1203
1204         /*
1205          * Release allocated structures.
1206          */
1207 server_exit:
1208         xfree(suites);
1209         xfree(suite_ids);
1210         free_certificates(chain, chain_len);
1211         free_private_key(sk);
1212         VEC_CLEAREXT(anchors, &free_ta_contents);
1213         VEC_CLEAREXT(alpn_names, &free_alpn);
1214         xfree(iobuf);
1215         xfree(cache);
1216         if (fd != INVALID_SOCKET) {
1217 #ifdef _WIN32
1218                 closesocket(fd);
1219 #else
1220                 close(fd);
1221 #endif
1222         }
1223         if (server_fd != INVALID_SOCKET) {
1224 #ifdef _WIN32
1225                 closesocket(server_fd);
1226 #else
1227                 close(server_fd);
1228 #endif
1229         }
1230         return retcode;
1231
1232 server_exit_error:
1233         retcode = -1;
1234         goto server_exit;
1235 }