1
/*
2
 * Copyright (c) 2016 Thomas Pornin <[email protected]>
3
 *
4
 * Permission is hereby granted, free of charge, to any person obtaining 
5
 * a copy of this software and associated documentation files (the
6
 * "Software"), to deal in the Software without restriction, including
7
 * without limitation the rights to use, copy, modify, merge, publish,
8
 * distribute, sublicense, and/or sell copies of the Software, and to
9
 * permit persons to whom the Software is furnished to do so, subject to
10
 * the following conditions:
11
 *
12
 * The above copyright notice and this permission notice shall be 
13
 * included in all copies or substantial portions of the Software.
14
 *
15
 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND, 
16
 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17
 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND 
18
 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19
 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20
 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21
 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22
 * SOFTWARE.
23
 */
24

25
#include <stdio.h>
26
#include <stdlib.h>
27
#include <string.h>
28
#include <stdint.h>
29
#include <errno.h>
30
#include <signal.h>
31

32
#ifdef _WIN32
33
#include <winsock2.h>
34
#include <ws2tcpip.h>
35
#else
36
#include <sys/types.h>
37
#include <sys/socket.h>
38
#include <netdb.h>
39
#include <netinet/in.h>
40
#include <arpa/inet.h>
41
#include <unistd.h>
42
#include <fcntl.h>
43

44
#define SOCKET             int
45
#define INVALID_SOCKET     (-1)
46
#define SOCKADDR_STORAGE   struct sockaddr_storage
47
#endif
48

49
#include "brssl.h"
50

51
static SOCKET
52
host_bind(const char *host, const char *port, int verbose)
53
{
54
	struct addrinfo hints, *si, *p;
55
	SOCKET fd;
56
	int err;
57

58
	memset(&hints, 0, sizeof hints);
59
	hints.ai_family = PF_UNSPEC;
60
	hints.ai_socktype = SOCK_STREAM;
61
	err = getaddrinfo(host, port, &hints, &si);
62
	if (err != 0) {
63
		fprintf(stderr, "ERROR: getaddrinfo(): %s\n",
64
			gai_strerror(err));
65
		return INVALID_SOCKET;
66
	}
67
	fd = INVALID_SOCKET;
68
	for (p = si; p != NULL; p = p->ai_next) {
69
		struct sockaddr *sa;
70
		struct sockaddr_in sa4;
71
		struct sockaddr_in6 sa6;
72
		size_t sa_len;
73
		void *addr;
74
		int opt;
75

76
		sa = (struct sockaddr *)p->ai_addr;
77
		if (sa->sa_family == AF_INET) {
78
			memcpy(&sa4, sa, sizeof sa4);
79
			sa = (struct sockaddr *)&sa4;
80
			sa_len = sizeof sa4;
81
			addr = &sa4.sin_addr;
82
			if (host == NULL) {
83
				sa4.sin_addr.s_addr = INADDR_ANY;
84
			}
85
		} else if (sa->sa_family == AF_INET6) {
86
			memcpy(&sa6, sa, sizeof sa6);
87
			sa = (struct sockaddr *)&sa6;
88
			sa_len = sizeof sa6;
89
			addr = &sa6.sin6_addr;
90
			if (host == NULL) {
91
				sa6.sin6_addr = in6addr_any;
92
			}
93
		} else {
94
			addr = NULL;
95
			sa_len = p->ai_addrlen;
96
		}
97
		if (verbose) {
98
			char tmp[INET6_ADDRSTRLEN + 50];
99

100
			if (addr != NULL) {
101
				if (!inet_ntop(p->ai_family, addr,
102
					tmp, sizeof tmp))
103
				{
104
					strcpy(tmp, "<invalid>");
105
				}
106
			} else {
107
				sprintf(tmp, "<unknown family: %d>",
108
					(int)sa->sa_family);
109
			}
110
			fprintf(stderr, "binding to: %s\n", tmp);
111
		}
112
		fd = socket(p->ai_family, p->ai_socktype, p->ai_protocol);
113
		if (fd == INVALID_SOCKET) {
114
			if (verbose) {
115
				perror("socket()");
116
			}
117
			continue;
118
		}
119
		opt = 1;
120
		setsockopt(fd, SOL_SOCKET, SO_REUSEADDR,
121
			(void *)&opt, sizeof opt);
122
#ifdef IPV6_V6ONLY
123
		/*
124
		 * We want to make sure that the server socket works for
125
		 * both IPv4 and IPv6. But IPV6_V6ONLY is not defined on
126
		 * some very old systems.
127
		 */
128
		opt = 0;
129
		setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY,
130
			(void *)&opt, sizeof opt);
131
#endif
132
		if (bind(fd, sa, sa_len) < 0) {
133
			if (verbose) {
134
				perror("bind()");
135
			}
136
#ifdef _WIN32
137
			closesocket(fd);
138
#else
139
			close(fd);
140
#endif
141
			continue;
142
		}
143
		break;
144
	}
145
	if (p == NULL) {
146
		freeaddrinfo(si);
147
		fprintf(stderr, "ERROR: failed to bind\n");
148
		return INVALID_SOCKET;
149
	}
150
	freeaddrinfo(si);
151
	if (listen(fd, 5) < 0) {
152
		if (verbose) {
153
			perror("listen()");
154
		}
155
#ifdef _WIN32
156
		closesocket(fd);
157
#else
158
		close(fd);
159
#endif
160
		return INVALID_SOCKET;
161
	}
162
	if (verbose) {
163
		fprintf(stderr, "bound.\n");
164
	}
165
	return fd;
166
}
167

168
static SOCKET
169
accept_client(SOCKET server_fd, int verbose, int nonblock)
170
{
171
	int fd;
172
	SOCKADDR_STORAGE sa;
173
	socklen_t sa_len;
174

175
	sa_len = sizeof sa;
176
	fd = accept(server_fd, (struct sockaddr *)&sa, &sa_len);
177
	if (fd == INVALID_SOCKET) {
178
		if (verbose) {
179
			perror("accept()");
180
		}
181
		return INVALID_SOCKET;
182
	}
183
	if (verbose) {
184
		char tmp[INET6_ADDRSTRLEN + 50];
185
		const char *name;
186

187
		name = NULL;
188
		switch (((struct sockaddr *)&sa)->sa_family) {
189
		case AF_INET:
190
			name = inet_ntop(AF_INET,
191
				&((struct sockaddr_in *)&sa)->sin_addr,
192
				tmp, sizeof tmp);
193
			break;
194
		case AF_INET6:
195
			name = inet_ntop(AF_INET6,
196
				&((struct sockaddr_in6 *)&sa)->sin6_addr,
197
				tmp, sizeof tmp);
198
			break;
199
		}
200
		if (name == NULL) {
201
			sprintf(tmp, "<unknown: %lu>", (unsigned long)
202
				((struct sockaddr *)&sa)->sa_family);
203
			name = tmp;
204
		}
205
		fprintf(stderr, "accepting connection from: %s\n", name);
206
	}
207

208
	/*
209
	 * We make the socket non-blocking, since we are going to use
210
	 * poll() or select() to organise I/O.
211
	 */
212
	if (nonblock) {
213
#ifdef _WIN32
214
		u_long arg;
215

216
		arg = 1;
217
		ioctlsocket(fd, FIONBIO, &arg);
218
#else
219
		fcntl(fd, F_SETFL, O_NONBLOCK);
220
#endif
221
	}
222
	return fd;
223
}
224

225
static void
226
usage_server(void)
227
{
228
	fprintf(stderr,
229
"usage: brssl server [ options ]\n");
230
	fprintf(stderr,
231
"options:\n");
232
	fprintf(stderr,
233
"   -q              suppress verbose messages\n");
234
	fprintf(stderr,
235
"   -trace          activate extra debug messages (dump of all packets)\n");
236
	fprintf(stderr,
237
"   -b name         bind to a specific address or host name\n");
238
	fprintf(stderr,
239
"   -p port         bind to a specific port (default: 4433)\n");
240
	fprintf(stderr,
241
"   -mono           use monodirectional buffering\n");
242
	fprintf(stderr,
243
"   -buf length     set the I/O buffer length (in bytes)\n");
244
	fprintf(stderr,
245
"   -cache length   set the session cache storage length (in bytes)\n");
246
	fprintf(stderr,
247
"   -cert fname     read certificate chain from file 'fname'\n");
248
	fprintf(stderr,
249
"   -key fname      read private key from file 'fname'\n");
250
	fprintf(stderr,
251
"   -CA file        add trust anchors from 'file' (for client auth)\n");
252
	fprintf(stderr,
253
"   -anon_ok        request but do not require a client certificate\n");
254
	fprintf(stderr,
255
"   -list           list supported names (protocols, algorithms...)\n");
256
	fprintf(stderr,
257
"   -vmin name      set minimum supported version (default: TLS-1.0)\n");
258
	fprintf(stderr,
259
"   -vmax name      set maximum supported version (default: TLS-1.2)\n");
260
	fprintf(stderr,
261
"   -cs names       set list of supported cipher suites (comma-separated)\n");
262
	fprintf(stderr,
263
"   -hf names       add support for some hash functions (comma-separated)\n");
264
	fprintf(stderr,
265
"   -cbhash         test hashing in policy callback\n");
266
	fprintf(stderr,
267
"   -serverpref     enforce server's preferences for cipher suites\n");
268
	fprintf(stderr,
269
"   -noreneg        prohibit renegotiations\n");
270
	fprintf(stderr,
271
"   -alpn name      add protocol name to list of protocols (ALPN extension)\n");
272
	fprintf(stderr,
273
"   -strictalpn     fail on ALPN mismatch\n");
274
	exit(EXIT_FAILURE);
275
}
276

277
typedef struct {
278
	const br_ssl_server_policy_class *vtable;
279
	int verbose;
280
	br_x509_certificate *chain;
281
	size_t chain_len;
282
	int cert_signer_algo;
283
	private_key *sk;
284
	int cbhash;
285
} policy_context;
286

287
static void
288
print_hashes(unsigned chashes)
289
{
290
	int i;
291

292
	for (i = 2; i <= 6; i ++) {
293
		if ((chashes >> i) & 1) {
294
			int z;
295

296
			switch (i) {
297
			case 3: z = 224; break;
298
			case 4: z = 256; break;
299
			case 5: z = 384; break;
300
			case 6: z = 512; break;
301
			default:
302
				z = 1;
303
				break;
304
			}
305
			fprintf(stderr, " sha%d", z);
306
		}
307
	}
308
}
309

310
static unsigned
311
choose_hash(unsigned chashes)
312
{
313
	unsigned hash_id;
314

315
	for (hash_id = 6; hash_id >= 2; hash_id --) {
316
		if (((chashes >> hash_id) & 1) != 0) {
317
			return hash_id;
318
		}
319
	}
320
	/*
321
	 * Normally unreachable.
322
	 */
323
	return 0;
324
}
325

326
static int
327
sp_choose(const br_ssl_server_policy_class **pctx,
328
	const br_ssl_server_context *cc,
329
	br_ssl_server_choices *choices)
330
{
331
	policy_context *pc;
332
	const br_suite_translated *st;
333
	size_t u, st_num;
334
	unsigned chashes;
335

336
	pc = (policy_context *)pctx;
337
	st = br_ssl_server_get_client_suites(cc, &st_num);
338
	chashes = br_ssl_server_get_client_hashes(cc);
339
	if (pc->verbose) {
340
		fprintf(stderr, "Client parameters:\n");
341
		fprintf(stderr, "   Maximum version:      ");
342
		switch (cc->client_max_version) {
343
		case BR_SSL30:
344
			fprintf(stderr, "SSL 3.0");
345
			break;
346
		case BR_TLS10:
347
			fprintf(stderr, "TLS 1.0");
348
			break;
349
		case BR_TLS11:
350
			fprintf(stderr, "TLS 1.1");
351
			break;
352
		case BR_TLS12:
353
			fprintf(stderr, "TLS 1.2");
354
			break;
355
		default:
356
			fprintf(stderr, "unknown (0x%04X)",
357
				(unsigned)cc->client_max_version);
358
			break;
359
		}
360
		fprintf(stderr, "\n");
361
		fprintf(stderr, "   Compatible cipher suites:\n");
362
		for (u = 0; u < st_num; u ++) {
363
			char csn[80];
364

365
			get_suite_name_ext(st[u][0], csn, sizeof csn);
366
			fprintf(stderr, "      %s\n", csn);
367
		}
368
		fprintf(stderr, "   Common sign+hash functions:\n");
369
		if ((chashes & 0xFF) != 0) {
370
			fprintf(stderr, "      with RSA:");
371
			print_hashes(chashes);
372
			fprintf(stderr, "\n");
373
		}
374
		if ((chashes >> 8) != 0) {
375
			fprintf(stderr, "      with ECDSA:");
376
			print_hashes(chashes >> 8);
377
			fprintf(stderr, "\n");
378
		}
379
	}
380
	for (u = 0; u < st_num; u ++) {
381
		unsigned tt;
382

383
		tt = st[u][1];
384
		switch (tt >> 12) {
385
		case BR_SSLKEYX_RSA:
386
			if (pc->sk->key_type == BR_KEYTYPE_RSA) {
387
				choices->cipher_suite = st[u][0];
388
				goto choose_ok;
389
			}
390
			break;
391
		case BR_SSLKEYX_ECDHE_RSA:
392
			if (pc->sk->key_type == BR_KEYTYPE_RSA) {
393
				choices->cipher_suite = st[u][0];
394
				if (br_ssl_engine_get_version(&cc->eng)
395
					< BR_TLS12)
396
				{
397
					if (pc->cbhash) {
398
						choices->algo_id = 0x0001;
399
					} else {
400
						choices->algo_id = 0xFF00;
401
					}
402
				} else {
403
					unsigned id;
404

405
					id = choose_hash(chashes);
406
					if (pc->cbhash) {
407
						choices->algo_id =
408
							(id << 8) + 0x01;
409
					} else {
410
						choices->algo_id = 0xFF00 + id;
411
					}
412
				}
413
				goto choose_ok;
414
			}
415
			break;
416
		case BR_SSLKEYX_ECDHE_ECDSA:
417
			if (pc->sk->key_type == BR_KEYTYPE_EC) {
418
				choices->cipher_suite = st[u][0];
419
				if (br_ssl_engine_get_version(&cc->eng)
420
					< BR_TLS12)
421
				{
422
					if (pc->cbhash) {
423
						choices->algo_id = 0x0203;
424
					} else {
425
						choices->algo_id =
426
							0xFF00 + br_sha1_ID;
427
					}
428
				} else {
429
					unsigned id;
430

431
					id = choose_hash(chashes >> 8);
432
					if (pc->cbhash) {
433
						choices->algo_id =
434
							(id << 8) + 0x03;
435
					} else {
436
						choices->algo_id =
437
							0xFF00 + id;
438
					}
439
				}
440
				goto choose_ok;
441
			}
442
			break;
443
		case BR_SSLKEYX_ECDH_RSA:
444
			if (pc->sk->key_type == BR_KEYTYPE_EC
445
				&& pc->cert_signer_algo == BR_KEYTYPE_RSA)
446
			{
447
				choices->cipher_suite = st[u][0];
448
				goto choose_ok;
449
			}
450
			break;
451
		case BR_SSLKEYX_ECDH_ECDSA:
452
			if (pc->sk->key_type == BR_KEYTYPE_EC
453
				&& pc->cert_signer_algo == BR_KEYTYPE_EC)
454
			{
455
				choices->cipher_suite = st[u][0];
456
				goto choose_ok;
457
			}
458
			break;
459
		}
460
	}
461
	return 0;
462

463
choose_ok:
464
	choices->chain = pc->chain;
465
	choices->chain_len = pc->chain_len;
466
	if (pc->verbose) {
467
		char csn[80];
468

469
		get_suite_name_ext(choices->cipher_suite, csn, sizeof csn);
470
		fprintf(stderr, "Using: %s\n", csn);
471
	}
472
	return 1;
473
}
474

475
static uint32_t
476
sp_do_keyx(const br_ssl_server_policy_class **pctx,
477
	unsigned char *data, size_t *len)
478
{
479
	policy_context *pc;
480
	uint32_t r;
481
	size_t xoff, xlen;
482

483
	pc = (policy_context *)pctx;
484
	switch (pc->sk->key_type) {
485
		const br_ec_impl *iec;
486

487
	case BR_KEYTYPE_RSA:
488
		return br_rsa_ssl_decrypt(
489
			br_rsa_private_get_default(),
490
			&pc->sk->key.rsa, data, *len);
491
	case BR_KEYTYPE_EC:
492
		iec = br_ec_get_default();
493
		r = iec->mul(data, *len, pc->sk->key.ec.x,
494
			pc->sk->key.ec.xlen, pc->sk->key.ec.curve);
495
		xoff = iec->xoff(pc->sk->key.ec.curve, &xlen);
496
		memmove(data, data + xoff, xlen);
497
		*len = xlen;
498
		return r;
499
	default:
500
		fprintf(stderr, "ERROR: unknown private key type (%d)\n",
501
			(int)pc->sk->key_type);
502
		return 0;
503
	}
504
}
505

506
static size_t
507
sp_do_sign(const br_ssl_server_policy_class **pctx,
508
	unsigned algo_id, unsigned char *data, size_t hv_len, size_t len)
509
{
510
	policy_context *pc;
511
	unsigned char hv[64];
512

513
	pc = (policy_context *)pctx;
514
	if (algo_id >= 0xFF00) {
515
		algo_id &= 0xFF;
516
		memcpy(hv, data, hv_len);
517
	} else {
518
		const br_hash_class *hc;
519
		br_hash_compat_context zc;
520

521
		if (pc->verbose) {
522
			fprintf(stderr, "Callback hashing, algo = 0x%04X,"
523
				" data_len = %lu\n",
524
				algo_id, (unsigned long)hv_len);
525
		}
526
		algo_id >>= 8;
527
		hc = get_hash_impl(algo_id);
528
		if (hc == NULL) {
529
			if (pc->verbose) {
530
				fprintf(stderr,
531
					"ERROR: unsupported hash function %u\n",
532
					algo_id);
533
			}
534
			return 0;
535
		}
536
		hc->init(&zc.vtable);
537
		hc->update(&zc.vtable, data, hv_len);
538
		hc->out(&zc.vtable, hv);
539
		hv_len = (hc->desc >> BR_HASHDESC_OUT_OFF)
540
			& BR_HASHDESC_OUT_MASK;
541
	}
542
	switch (pc->sk->key_type) {
543
		size_t sig_len;
544
		uint32_t x;
545
		const unsigned char *hash_oid;
546
		const br_hash_class *hc;
547

548
	case BR_KEYTYPE_RSA:
549
		hash_oid = get_hash_oid(algo_id);
550
		if (hash_oid == NULL && algo_id != 0) {
551
			if (pc->verbose) {
552
				fprintf(stderr, "ERROR: cannot RSA-sign with"
553
					" unknown hash function: %u\n",
554
					algo_id);
555
			}
556
			return 0;
557
		}
558
		sig_len = (pc->sk->key.rsa.n_bitlen + 7) >> 3;
559
		if (len < sig_len) {
560
			if (pc->verbose) {
561
				fprintf(stderr, "ERROR: cannot RSA-sign,"
562
					" buffer is too small"
563
					" (sig=%lu, buf=%lu)\n",
564
					(unsigned long)sig_len,
565
					(unsigned long)len);
566
			}
567
			return 0;
568
		}
569
		x = br_rsa_pkcs1_sign_get_default()(
570
			hash_oid, hv, hv_len, &pc->sk->key.rsa, data);
571
		if (!x) {
572
			if (pc->verbose) {
573
				fprintf(stderr, "ERROR: RSA-sign failure\n");
574
			}
575
			return 0;
576
		}
577
		return sig_len;
578

579
	case BR_KEYTYPE_EC:
580
		hc = get_hash_impl(algo_id);
581
		if (hc == NULL) {
582
			if (pc->verbose) {
583
				fprintf(stderr, "ERROR: cannot ECDSA-sign with"
584
					" unknown hash function: %u\n",
585
					algo_id);
586
			}
587
			return 0;
588
		}
589
		if (len < 139) {
590
			if (pc->verbose) {
591
				fprintf(stderr, "ERROR: cannot ECDSA-sign"
592
					" (output buffer = %lu)\n",
593
					(unsigned long)len);
594
			}
595
			return 0;
596
		}
597
		sig_len = br_ecdsa_sign_asn1_get_default()(
598
			br_ec_get_default(), hc, hv, &pc->sk->key.ec, data);
599
		if (sig_len == 0) {
600
			if (pc->verbose) {
601
				fprintf(stderr, "ERROR: ECDSA-sign failure\n");
602
			}
603
			return 0;
604
		}
605
		return sig_len;
606

607
	default:
608
		return 0;
609
	}
610
}
611

612
static const br_ssl_server_policy_class policy_vtable = {
613
	sizeof(policy_context),
614
	sp_choose,
615
	sp_do_keyx,
616
	sp_do_sign
617
};
618

619
void
620
free_alpn(void *alpn)
621
{
622
	xfree(*(char **)alpn);
623
}
624

625
/* see brssl.h */
626
int
627
do_server(int argc, char *argv[])
628
{
629
	int retcode;
630
	int verbose;
631
	int trace;
632
	int i, bidi;
633
	const char *bind_name;
634
	const char *port;
635
	unsigned vmin, vmax;
636
	cipher_suite *suites;
637
	size_t num_suites;
638
	uint16_t *suite_ids;
639
	unsigned hfuns;
640
	int cbhash;
641
	br_x509_certificate *chain;
642
	size_t chain_len;
643
	int cert_signer_algo;
644
	private_key *sk;
645
	anchor_list anchors = VEC_INIT;
646
	VECTOR(char *) alpn_names = VEC_INIT;
647
	br_x509_minimal_context xc;
648
	const br_hash_class *dnhash;
649
	size_t u;
650
	br_ssl_server_context cc;
651
	policy_context pc;
652
	br_ssl_session_cache_lru lru;
653
	unsigned char *iobuf, *cache;
654
	size_t iobuf_len, cache_len;
655
	uint32_t flags;
656
	SOCKET server_fd, fd;
657

658
	retcode = 0;
659
	verbose = 1;
660
	trace = 0;
661
	bind_name = NULL;
662
	port = NULL;
663
	bidi = 1;
664
	vmin = 0;
665
	vmax = 0;
666
	suites = NULL;
667
	num_suites = 0;
668
	hfuns = 0;
669
	cbhash = 0;
670
	suite_ids = NULL;
671
	chain = NULL;
672
	chain_len = 0;
673
	sk = NULL;
674
	iobuf = NULL;
675
	iobuf_len = 0;
676
	cache = NULL;
677
	cache_len = (size_t)-1;
678
	flags = 0;
679
	server_fd = INVALID_SOCKET;
680
	fd = INVALID_SOCKET;
681
	for (i = 0; i < argc; i ++) {
682
		const char *arg;
683

684
		arg = argv[i];
685
		if (arg[0] != '-') {
686
			usage_server();
687
			goto server_exit_error;
688
		}
689
		if (eqstr(arg, "-v") || eqstr(arg, "-verbose")) {
690
			verbose = 1;
691
		} else if (eqstr(arg, "-q") || eqstr(arg, "-quiet")) {
692
			verbose = 0;
693
		} else if (eqstr(arg, "-trace")) {
694
			trace = 1;
695
		} else if (eqstr(arg, "-b")) {
696
			if (++ i >= argc) {
697
				fprintf(stderr,
698
					"ERROR: no argument for '-b'\n");
699
				usage_server();
700
				goto server_exit_error;
701
			}
702
			if (bind_name != NULL) {
703
				fprintf(stderr, "ERROR: duplicate bind host\n");
704
				usage_server();
705
				goto server_exit_error;
706
			}
707
			bind_name = argv[i];
708
		} else if (eqstr(arg, "-p")) {
709
			if (++ i >= argc) {
710
				fprintf(stderr,
711
					"ERROR: no argument for '-p'\n");
712
				usage_server();
713
				goto server_exit_error;
714
			}
715
			if (port != NULL) {
716
				fprintf(stderr, "ERROR: duplicate bind port\n");
717
				usage_server();
718
				goto server_exit_error;
719
			}
720
			port = argv[i];
721
		} else if (eqstr(arg, "-mono")) {
722
			bidi = 0;
723
		} else if (eqstr(arg, "-buf")) {
724
			if (++ i >= argc) {
725
				fprintf(stderr,
726
					"ERROR: no argument for '-buf'\n");
727
				usage_server();
728
				goto server_exit_error;
729
			}
730
			arg = argv[i];
731
			if (iobuf_len != 0) {
732
				fprintf(stderr,
733
					"ERROR: duplicate I/O buffer length\n");
734
				usage_server();
735
				goto server_exit_error;
736
			}
737
			iobuf_len = parse_size(arg);
738
			if (iobuf_len == (size_t)-1) {
739
				usage_server();
740
				goto server_exit_error;
741
			}
742
		} else if (eqstr(arg, "-cache")) {
743
			if (++ i >= argc) {
744
				fprintf(stderr,
745
					"ERROR: no argument for '-cache'\n");
746
				usage_server();
747
				goto server_exit_error;
748
			}
749
			arg = argv[i];
750
			if (cache_len != (size_t)-1) {
751
				fprintf(stderr, "ERROR: duplicate session"
752
					" cache length\n");
753
				usage_server();
754
				goto server_exit_error;
755
			}
756
			cache_len = parse_size(arg);
757
			if (cache_len == (size_t)-1) {
758
				usage_server();
759
				goto server_exit_error;
760
			}
761
		} else if (eqstr(arg, "-cert")) {
762
			if (++ i >= argc) {
763
				fprintf(stderr,
764
					"ERROR: no argument for '-cert'\n");
765
				usage_server();
766
				goto server_exit_error;
767
			}
768
			if (chain != NULL) {
769
				fprintf(stderr,
770
					"ERROR: duplicate certificate chain\n");
771
				usage_server();
772
				goto server_exit_error;
773
			}
774
			arg = argv[i];
775
			chain = read_certificates(arg, &chain_len);
776
			if (chain == NULL || chain_len == 0) {
777
				goto server_exit_error;
778
			}
779
		} else if (eqstr(arg, "-key")) {
780
			if (++ i >= argc) {
781
				fprintf(stderr,
782
					"ERROR: no argument for '-key'\n");
783
				usage_server();
784
				goto server_exit_error;
785
			}
786
			if (sk != NULL) {
787
				fprintf(stderr,
788
					"ERROR: duplicate private key\n");
789
				usage_server();
790
				goto server_exit_error;
791
			}
792
			arg = argv[i];
793
			sk = read_private_key(arg);
794
			if (sk == NULL) {
795
				goto server_exit_error;
796
			}
797
		} else if (eqstr(arg, "-CA")) {
798
			if (++ i >= argc) {
799
				fprintf(stderr,
800
					"ERROR: no argument for '-CA'\n");
801
				usage_server();
802
				goto server_exit_error;
803
			}
804
			arg = argv[i];
805
			if (read_trust_anchors(&anchors, arg) == 0) {
806
				usage_server();
807
				goto server_exit_error;
808
			}
809
		} else if (eqstr(arg, "-anon_ok")) {
810
			flags |= BR_OPT_TOLERATE_NO_CLIENT_AUTH;
811
		} else if (eqstr(arg, "-list")) {
812
			list_names();
813
			goto server_exit;
814
		} else if (eqstr(arg, "-vmin")) {
815
			if (++ i >= argc) {
816
				fprintf(stderr,
817
					"ERROR: no argument for '-vmin'\n");
818
				usage_server();
819
				goto server_exit_error;
820
			}
821
			arg = argv[i];
822
			if (vmin != 0) {
823
				fprintf(stderr,
824
					"ERROR: duplicate minimum version\n");
825
				usage_server();
826
				goto server_exit_error;
827
			}
828
			vmin = parse_version(arg, strlen(arg));
829
			if (vmin == 0) {
830
				fprintf(stderr,
831
					"ERROR: unrecognised version '%s'\n",
832
					arg);
833
				usage_server();
834
				goto server_exit_error;
835
			}
836
		} else if (eqstr(arg, "-vmax")) {
837
			if (++ i >= argc) {
838
				fprintf(stderr,
839
					"ERROR: no argument for '-vmax'\n");
840
				usage_server();
841
				goto server_exit_error;
842
			}
843
			arg = argv[i];
844
			if (vmax != 0) {
845
				fprintf(stderr,
846
					"ERROR: duplicate maximum version\n");
847
				usage_server();
848
				goto server_exit_error;
849
			}
850
			vmax = parse_version(arg, strlen(arg));
851
			if (vmax == 0) {
852
				fprintf(stderr,
853
					"ERROR: unrecognised version '%s'\n",
854
					arg);
855
				usage_server();
856
				goto server_exit_error;
857
			}
858
		} else if (eqstr(arg, "-cs")) {
859
			if (++ i >= argc) {
860
				fprintf(stderr,
861
					"ERROR: no argument for '-cs'\n");
862
				usage_server();
863
				goto server_exit_error;
864
			}
865
			arg = argv[i];
866
			if (suites != NULL) {
867
				fprintf(stderr, "ERROR: duplicate list"
868
					" of cipher suites\n");
869
				usage_server();
870
				goto server_exit_error;
871
			}
872
			suites = parse_suites(arg, &num_suites);
873
			if (suites == NULL) {
874
				usage_server();
875
				goto server_exit_error;
876
			}
877
		} else if (eqstr(arg, "-hf")) {
878
			unsigned x;
879

880
			if (++ i >= argc) {
881
				fprintf(stderr,
882
					"ERROR: no argument for '-hf'\n");
883
				usage_server();
884
				goto server_exit_error;
885
			}
886
			arg = argv[i];
887
			x = parse_hash_functions(arg);
888
			if (x == 0) {
889
				usage_server();
890
				goto server_exit_error;
891
			}
892
			hfuns |= x;
893
		} else if (eqstr(arg, "-cbhash")) {
894
			cbhash = 1;
895
		} else if (eqstr(arg, "-serverpref")) {
896
			flags |= BR_OPT_ENFORCE_SERVER_PREFERENCES;
897
		} else if (eqstr(arg, "-noreneg")) {
898
			flags |= BR_OPT_NO_RENEGOTIATION;
899
		} else if (eqstr(arg, "-alpn")) {
900
			if (++ i >= argc) {
901
				fprintf(stderr,
902
					"ERROR: no argument for '-alpn'\n");
903
				usage_server();
904
				goto server_exit_error;
905
			}
906
			VEC_ADD(alpn_names, xstrdup(argv[i]));
907
		} else if (eqstr(arg, "-strictalpn")) {
908
			flags |= BR_OPT_FAIL_ON_ALPN_MISMATCH;
909
		} else {
910
			fprintf(stderr, "ERROR: unknown option: '%s'\n", arg);
911
			usage_server();
912
			goto server_exit_error;
913
		}
914
	}
915
	if (port == NULL) {
916
		port = "4433";
917
	}
918
	if (vmin == 0) {
919
		vmin = BR_TLS10;
920
	}
921
	if (vmax == 0) {
922
		vmax = BR_TLS12;
923
	}
924
	if (vmax < vmin) {
925
		fprintf(stderr, "ERROR: impossible minimum/maximum protocol"
926
			" version combination\n");
927
		usage_server();
928
		goto server_exit_error;
929
	}
930
	if (suites == NULL) {
931
		num_suites = 0;
932

933
		for (u = 0; cipher_suites[u].name; u ++) {
934
			if ((cipher_suites[u].req & REQ_TLS12) == 0
935
				|| vmax >= BR_TLS12)
936
			{
937
				num_suites ++;
938
			}
939
		}
940
		suites = xmalloc(num_suites * sizeof *suites);
941
		num_suites = 0;
942
		for (u = 0; cipher_suites[u].name; u ++) {
943
			if ((cipher_suites[u].req & REQ_TLS12) == 0
944
				|| vmax >= BR_TLS12)
945
			{
946
				suites[num_suites ++] = cipher_suites[u];
947
			}
948
		}
949
	}
950
	if (hfuns == 0) {
951
		hfuns = (unsigned)-1;
952
	}
953
	if (chain == NULL || chain_len == 0) {
954
		fprintf(stderr, "ERROR: no certificate chain provided\n");
955
		goto server_exit_error;
956
	}
957
	if (sk == NULL) {
958
		fprintf(stderr, "ERROR: no private key provided\n");
959
		goto server_exit_error;
960
	}
961
	switch (sk->key_type) {
962
		int curve;
963
		uint32_t supp;
964

965
	case BR_KEYTYPE_RSA:
966
		break;
967
	case BR_KEYTYPE_EC:
968
		curve = sk->key.ec.curve;
969
		supp = br_ec_get_default()->supported_curves;
970
		if (curve > 31 || !((supp >> curve) & 1)) {
971
			fprintf(stderr, "ERROR: private key curve (%d)"
972
				" is not supported\n", curve);
973
			goto server_exit_error;
974
		}
975
		break;
976
	default:
977
		fprintf(stderr, "ERROR: unsupported private key type (%d)\n",
978
			sk->key_type);
979
		break;
980
	}
981
	cert_signer_algo = get_cert_signer_algo(chain);
982
	if (cert_signer_algo == 0) {
983
		goto server_exit_error;
984
	}
985
	if (verbose) {
986
		const char *csas;
987

988
		switch (cert_signer_algo) {
989
		case BR_KEYTYPE_RSA: csas = "RSA"; break;
990
		case BR_KEYTYPE_EC:  csas = "EC"; break;
991
		default:
992
			csas = "unknown";
993
			break;
994
		}
995
		fprintf(stderr, "Issuing CA key type: %d (%s)\n",
996
			cert_signer_algo, csas);
997
	}
998
	if (iobuf_len == 0) {
999
		if (bidi) {
1000
			iobuf_len = BR_SSL_BUFSIZE_BIDI;
1001
		} else {
1002
			iobuf_len = BR_SSL_BUFSIZE_MONO;
1003
		}
1004
	}
1005
	iobuf = xmalloc(iobuf_len);
1006
	if (cache_len == (size_t)-1) {
1007
		cache_len = 5000;
1008
	}
1009
	cache = xmalloc(cache_len);
1010

1011
	/*
1012
	 * Compute implementation requirements and inject implementations.
1013
	 */
1014
	suite_ids = xmalloc(num_suites * sizeof *suite_ids);
1015
	br_ssl_server_zero(&cc);
1016
	br_ssl_engine_set_versions(&cc.eng, vmin, vmax);
1017
	br_ssl_engine_set_all_flags(&cc.eng, flags);
1018
	if (vmin <= BR_TLS11) {
1019
		if (!(hfuns & (1 << br_md5_ID))) {
1020
			fprintf(stderr, "ERROR: TLS 1.0 and 1.1 need MD5\n");
1021
			goto server_exit_error;
1022
		}
1023
		if (!(hfuns & (1 << br_sha1_ID))) {
1024
			fprintf(stderr, "ERROR: TLS 1.0 and 1.1 need SHA-1\n");
1025
			goto server_exit_error;
1026
		}
1027
	}
1028
	for (u = 0; u < num_suites; u ++) {
1029
		unsigned req;
1030

1031
		req = suites[u].req;
1032
		suite_ids[u] = suites[u].suite;
1033
		if ((req & REQ_TLS12) != 0 && vmax < BR_TLS12) {
1034
			fprintf(stderr,
1035
				"ERROR: cipher suite %s requires TLS 1.2\n",
1036
				suites[u].name);
1037
			goto server_exit_error;
1038
		}
1039
		if ((req & REQ_SHA1) != 0 && !(hfuns & (1 << br_sha1_ID))) {
1040
			fprintf(stderr,
1041
				"ERROR: cipher suite %s requires SHA-1\n",
1042
				suites[u].name);
1043
			goto server_exit_error;
1044
		}
1045
		if ((req & REQ_SHA256) != 0 && !(hfuns & (1 << br_sha256_ID))) {
1046
			fprintf(stderr,
1047
				"ERROR: cipher suite %s requires SHA-256\n",
1048
				suites[u].name);
1049
			goto server_exit_error;
1050
		}
1051
		if ((req & REQ_SHA384) != 0 && !(hfuns & (1 << br_sha384_ID))) {
1052
			fprintf(stderr,
1053
				"ERROR: cipher suite %s requires SHA-384\n",
1054
				suites[u].name);
1055
			goto server_exit_error;
1056
		}
1057
		/* TODO: algorithm implementation selection */
1058
		if ((req & REQ_AESCBC) != 0) {
1059
			br_ssl_engine_set_default_aes_cbc(&cc.eng);
1060
		}
1061
		if ((req & REQ_AESCCM) != 0) {
1062
			br_ssl_engine_set_default_aes_ccm(&cc.eng);
1063
		}
1064
		if ((req & REQ_AESGCM) != 0) {
1065
			br_ssl_engine_set_default_aes_gcm(&cc.eng);
1066
		}
1067
		if ((req & REQ_CHAPOL) != 0) {
1068
			br_ssl_engine_set_default_chapol(&cc.eng);
1069
		}
1070
		if ((req & REQ_3DESCBC) != 0) {
1071
			br_ssl_engine_set_default_des_cbc(&cc.eng);
1072
		}
1073
		if ((req & (REQ_ECDHE_RSA | REQ_ECDHE_ECDSA)) != 0) {
1074
			br_ssl_engine_set_default_ec(&cc.eng);
1075
		}
1076
	}
1077
	br_ssl_engine_set_suites(&cc.eng, suite_ids, num_suites);
1078

1079
	dnhash = NULL;
1080
	for (u = 0; hash_functions[u].name; u ++) {
1081
		const br_hash_class *hc;
1082
		int id;
1083

1084
		hc = hash_functions[u].hclass;
1085
		id = (hc->desc >> BR_HASHDESC_ID_OFF) & BR_HASHDESC_ID_MASK;
1086
		if ((hfuns & ((unsigned)1 << id)) != 0) {
1087
			dnhash = hc;
1088
			br_ssl_engine_set_hash(&cc.eng, id, hc);
1089
		}
1090
	}
1091
	if (vmin <= BR_TLS11) {
1092
		br_ssl_engine_set_prf10(&cc.eng, &br_tls10_prf);
1093
	}
1094
	if (vmax >= BR_TLS12) {
1095
		if ((hfuns & ((unsigned)1 << br_sha256_ID)) != 0) {
1096
			br_ssl_engine_set_prf_sha256(&cc.eng,
1097
				&br_tls12_sha256_prf);
1098
		}
1099
		if ((hfuns & ((unsigned)1 << br_sha384_ID)) != 0) {
1100
			br_ssl_engine_set_prf_sha384(&cc.eng,
1101
				&br_tls12_sha384_prf);
1102
		}
1103
	}
1104

1105
	br_ssl_session_cache_lru_init(&lru, cache, cache_len);
1106
	br_ssl_server_set_cache(&cc, &lru.vtable);
1107

1108
	if (VEC_LEN(alpn_names) != 0) {
1109
		br_ssl_engine_set_protocol_names(&cc.eng,
1110
			(const char **)&VEC_ELT(alpn_names, 0),
1111
			VEC_LEN(alpn_names));
1112
	}
1113

1114
	/*
1115
	 * Set the policy handler (that chooses the actual cipher suite,
1116
	 * selects the certificate chain, and runs the private key
1117
	 * operations).
1118
	 */
1119
	pc.vtable = &policy_vtable;
1120
	pc.verbose = verbose;
1121
	pc.chain = chain;
1122
	pc.chain_len = chain_len;
1123
	pc.cert_signer_algo = cert_signer_algo;
1124
	pc.sk = sk;
1125
	pc.cbhash = cbhash;
1126
	br_ssl_server_set_policy(&cc, &pc.vtable);
1127

1128
	/*
1129
	 * If trust anchors have been configured, then set an X.509
1130
	 * validation engine and activate client certificate
1131
	 * authentication.
1132
	 */
1133
	if (VEC_LEN(anchors) != 0) {
1134
		br_x509_minimal_init(&xc, dnhash,
1135
			&VEC_ELT(anchors, 0), VEC_LEN(anchors));
1136
		for (u = 0; hash_functions[u].name; u ++) {
1137
			const br_hash_class *hc;
1138
			int id;
1139

1140
			hc = hash_functions[u].hclass;
1141
			id = (hc->desc >> BR_HASHDESC_ID_OFF)
1142
				& BR_HASHDESC_ID_MASK;
1143
			if ((hfuns & ((unsigned)1 << id)) != 0) {
1144
				br_x509_minimal_set_hash(&xc, id, hc);
1145
			}
1146
		}
1147
		br_ssl_engine_set_default_rsavrfy(&cc.eng);
1148
		br_ssl_engine_set_default_ecdsa(&cc.eng);
1149
		br_x509_minimal_set_rsa(&xc, br_rsa_pkcs1_vrfy_get_default());
1150
		br_x509_minimal_set_ecdsa(&xc,
1151
			br_ec_get_default(), br_ecdsa_vrfy_asn1_get_default());
1152
		br_ssl_engine_set_x509(&cc.eng, &xc.vtable);
1153
		br_ssl_server_set_trust_anchor_names_alt(&cc,
1154
			&VEC_ELT(anchors, 0), VEC_LEN(anchors));
1155
	}
1156

1157
	br_ssl_engine_set_buffer(&cc.eng, iobuf, iobuf_len, bidi);
1158

1159
	/*
1160
	 * On Unix systems, we need to ignore SIGPIPE.
1161
	 */
1162
#ifndef _WIN32
1163
	signal(SIGPIPE, SIG_IGN);
1164
#endif
1165

1166
	/*
1167
	 * Open the server socket.
1168
	 */
1169
	server_fd = host_bind(bind_name, port, verbose);
1170
	if (server_fd == INVALID_SOCKET) {
1171
		goto server_exit_error;
1172
	}
1173

1174
	/*
1175
	 * Process incoming clients, one at a time. Note that we do not
1176
	 * accept any client until the previous connection has finished:
1177
	 * this is voluntary, since the tool uses stdin/stdout for
1178
	 * application data, and thus cannot really run two connections
1179
	 * simultaneously.
1180
	 */
1181
	for (;;) {
1182
		int x;
1183
		unsigned run_flags;
1184

1185
		fd = accept_client(server_fd, verbose, 1);
1186
		if (fd == INVALID_SOCKET) {
1187
			goto server_exit_error;
1188
		}
1189
		br_ssl_server_reset(&cc);
1190
		run_flags = (verbose ? RUN_ENGINE_VERBOSE : 0)
1191
			| (trace ? RUN_ENGINE_TRACE : 0);
1192
		x = run_ssl_engine(&cc.eng, fd, run_flags);
1193
#ifdef _WIN32
1194
		closesocket(fd);
1195
#else
1196
		close(fd);
1197
#endif
1198
		fd = INVALID_SOCKET;
1199
		if (x < -1) {
1200
			goto server_exit_error;
1201
		}
1202
	}
1203

1204
	/*
1205
	 * Release allocated structures.
1206
	 */
1207
server_exit:
1208
	xfree(suites);
1209
	xfree(suite_ids);
1210
	free_certificates(chain, chain_len);
1211
	free_private_key(sk);
1212
	VEC_CLEAREXT(anchors, &free_ta_contents);
1213
	VEC_CLEAREXT(alpn_names, &free_alpn);
1214
	xfree(iobuf);
1215
	xfree(cache);
1216
	if (fd != INVALID_SOCKET) {
1217
#ifdef _WIN32
1218
		closesocket(fd);
1219
#else
1220
		close(fd);
1221
#endif
1222
	}
1223
	if (server_fd != INVALID_SOCKET) {
1224
#ifdef _WIN32
1225
		closesocket(server_fd);
1226
#else
1227
		close(server_fd);
1228
#endif
1229
	}
1230
	return retcode;
1231

1232
server_exit_error:
1233
	retcode = -1;
1234
	goto server_exit;
1235
}
1236

1237