Improved modular exponentiation (automatic window optimisation if there is enough...
[BearSSL] / tools / server.c
index 7fdf524..fbc7786 100644 (file)
 #include <errno.h>
 #include <signal.h>
 
 #include <errno.h>
 #include <signal.h>
 
+#ifdef _WIN32
+#include <winsock2.h>
+#include <ws2tcpip.h>
+#else
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <netdb.h>
 #include <sys/types.h>
 #include <sys/socket.h>
 #include <netdb.h>
 #include <unistd.h>
 #include <fcntl.h>
 
 #include <unistd.h>
 #include <fcntl.h>
 
+#define SOCKET             int
+#define INVALID_SOCKET     (-1)
+#define SOCKADDR_STORAGE   struct sockaddr_storage
+#endif
+
 #include "brssl.h"
 #include "brssl.h"
-#include "bearssl.h"
 
 
-static int
+static SOCKET
 host_bind(const char *host, const char *port, int verbose)
 {
        struct addrinfo hints, *si, *p;
 host_bind(const char *host, const char *port, int verbose)
 {
        struct addrinfo hints, *si, *p;
-       int fd;
+       SOCKET fd;
        int err;
 
        memset(&hints, 0, sizeof hints);
        int err;
 
        memset(&hints, 0, sizeof hints);
@@ -54,9 +62,9 @@ host_bind(const char *host, const char *port, int verbose)
        if (err != 0) {
                fprintf(stderr, "ERROR: getaddrinfo(): %s\n",
                        gai_strerror(err));
        if (err != 0) {
                fprintf(stderr, "ERROR: getaddrinfo(): %s\n",
                        gai_strerror(err));
-               return -1;
+               return INVALID_SOCKET;
        }
        }
-       fd = -1;
+       fd = INVALID_SOCKET;
        for (p = si; p != NULL; p = p->ai_next) {
                struct sockaddr *sa;
                struct sockaddr_in sa4;
        for (p = si; p != NULL; p = p->ai_next) {
                struct sockaddr *sa;
                struct sockaddr_in sa4;
@@ -102,21 +110,27 @@ host_bind(const char *host, const char *port, int verbose)
                        fprintf(stderr, "binding to: %s\n", tmp);
                }
                fd = socket(p->ai_family, p->ai_socktype, p->ai_protocol);
                        fprintf(stderr, "binding to: %s\n", tmp);
                }
                fd = socket(p->ai_family, p->ai_socktype, p->ai_protocol);
-               if (fd < 0) {
+               if (fd == INVALID_SOCKET) {
                        if (verbose) {
                                perror("socket()");
                        }
                        continue;
                }
                opt = 1;
                        if (verbose) {
                                perror("socket()");
                        }
                        continue;
                }
                opt = 1;
-               setsockopt(fd, SOL_SOCKET, SO_REUSEADDR, &opt, sizeof opt);
+               setsockopt(fd, SOL_SOCKET, SO_REUSEADDR,
+                       (void *)&opt, sizeof opt);
                opt = 0;
                opt = 0;
-               setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY, &opt, sizeof opt);
+               setsockopt(fd, IPPROTO_IPV6, IPV6_V6ONLY,
+                       (void *)&opt, sizeof opt);
                if (bind(fd, sa, sa_len) < 0) {
                        if (verbose) {
                                perror("bind()");
                        }
                if (bind(fd, sa, sa_len) < 0) {
                        if (verbose) {
                                perror("bind()");
                        }
+#ifdef _WIN32
+                       closesocket(fd);
+#else
                        close(fd);
                        close(fd);
+#endif
                        continue;
                }
                break;
                        continue;
                }
                break;
@@ -124,15 +138,19 @@ host_bind(const char *host, const char *port, int verbose)
        if (p == NULL) {
                freeaddrinfo(si);
                fprintf(stderr, "ERROR: failed to bind\n");
        if (p == NULL) {
                freeaddrinfo(si);
                fprintf(stderr, "ERROR: failed to bind\n");
-               return -1;
+               return INVALID_SOCKET;
        }
        freeaddrinfo(si);
        if (listen(fd, 5) < 0) {
                if (verbose) {
                        perror("listen()");
                }
        }
        freeaddrinfo(si);
        if (listen(fd, 5) < 0) {
                if (verbose) {
                        perror("listen()");
                }
+#ifdef _WIN32
+               closesocket(fd);
+#else
                close(fd);
                close(fd);
-               return -1;
+#endif
+               return INVALID_SOCKET;
        }
        if (verbose) {
                fprintf(stderr, "bound.\n");
        }
        if (verbose) {
                fprintf(stderr, "bound.\n");
@@ -140,27 +158,27 @@ host_bind(const char *host, const char *port, int verbose)
        return fd;
 }
 
        return fd;
 }
 
-static int
-accept_client(int server_fd, int verbose)
+static SOCKET
+accept_client(SOCKET server_fd, int verbose)
 {
        int fd;
 {
        int fd;
-       struct sockaddr sa;
+       SOCKADDR_STORAGE sa;
        socklen_t sa_len;
 
        sa_len = sizeof sa;
        socklen_t sa_len;
 
        sa_len = sizeof sa;
-       fd = accept(server_fd, &sa, &sa_len);
-       if (fd < 0) {
+       fd = accept(server_fd, (struct sockaddr *)&sa, &sa_len);
+       if (fd == INVALID_SOCKET) {
                if (verbose) {
                        perror("accept()");
                }
                if (verbose) {
                        perror("accept()");
                }
-               return -1;
+               return INVALID_SOCKET;
        }
        if (verbose) {
                char tmp[INET6_ADDRSTRLEN + 50];
                const char *name;
 
                name = NULL;
        }
        if (verbose) {
                char tmp[INET6_ADDRSTRLEN + 50];
                const char *name;
 
                name = NULL;
-               switch (sa.sa_family) {
+               switch (((struct sockaddr *)&sa)->sa_family) {
                case AF_INET:
                        name = inet_ntop(AF_INET,
                                &((struct sockaddr_in *)&sa)->sin_addr,
                case AF_INET:
                        name = inet_ntop(AF_INET,
                                &((struct sockaddr_in *)&sa)->sin_addr,
@@ -173,8 +191,8 @@ accept_client(int server_fd, int verbose)
                        break;
                }
                if (name == NULL) {
                        break;
                }
                if (name == NULL) {
-                       sprintf(tmp, "<unknown: %lu>",
-                               (unsigned long)sa.sa_family);
+                       sprintf(tmp, "<unknown: %lu>", (unsigned long)
+                               ((struct sockaddr *)&sa)->sa_family);
                        name = tmp;
                }
                fprintf(stderr, "accepting connection from: %s\n", name);
                        name = tmp;
                }
                fprintf(stderr, "accepting connection from: %s\n", name);
@@ -182,9 +200,18 @@ accept_client(int server_fd, int verbose)
 
        /*
         * We make the socket non-blocking, since we are going to use
 
        /*
         * We make the socket non-blocking, since we are going to use
-        * poll() to organise I/O.
+        * poll() or select() to organise I/O.
         */
         */
+#ifdef _WIN32
+       {
+               u_long arg;
+
+               arg = 1;
+               ioctlsocket(fd, FIONBIO, &arg);
+       }
+#else
        fcntl(fd, F_SETFL, O_NONBLOCK);
        fcntl(fd, F_SETFL, O_NONBLOCK);
+#endif
        return fd;
 }
 
        return fd;
 }
 
@@ -228,6 +255,8 @@ usage_server(void)
        fprintf(stderr,
 "   -hf names       add support for some hash functions (comma-separated)\n");
        fprintf(stderr,
        fprintf(stderr,
 "   -hf names       add support for some hash functions (comma-separated)\n");
        fprintf(stderr,
+"   -cbhash         test hashing in policy callback\n");
+       fprintf(stderr,
 "   -serverpref     enforce server's preferences for cipher suites\n");
        fprintf(stderr,
 "   -noreneg        prohibit renegotiations\n");
 "   -serverpref     enforce server's preferences for cipher suites\n");
        fprintf(stderr,
 "   -noreneg        prohibit renegotiations\n");
@@ -245,6 +274,7 @@ typedef struct {
        size_t chain_len;
        int cert_signer_algo;
        private_key *sk;
        size_t chain_len;
        int cert_signer_algo;
        private_key *sk;
+       int cbhash;
 } policy_context;
 
 static void
 } policy_context;
 
 static void
@@ -270,10 +300,10 @@ print_hashes(unsigned chashes)
        }
 }
 
        }
 }
 
-static int
+static unsigned
 choose_hash(unsigned chashes)
 {
 choose_hash(unsigned chashes)
 {
-       int hash_id;
+       unsigned hash_id;
 
        for (hash_id = 6; hash_id >= 2; hash_id --) {
                if (((chashes >> hash_id) & 1) != 0) {
 
        for (hash_id = 6; hash_id >= 2; hash_id --) {
                if (((chashes >> hash_id) & 1) != 0) {
@@ -357,9 +387,21 @@ sp_choose(const br_ssl_server_policy_class **pctx,
                                if (br_ssl_engine_get_version(&cc->eng)
                                        < BR_TLS12)
                                {
                                if (br_ssl_engine_get_version(&cc->eng)
                                        < BR_TLS12)
                                {
-                                       choices->hash_id = 0;
+                                       if (pc->cbhash) {
+                                               choices->algo_id = 0x0001;
+                                       } else {
+                                               choices->algo_id = 0xFF00;
+                                       }
                                } else {
                                } else {
-                                       choices->hash_id = choose_hash(chashes);
+                                       unsigned id;
+
+                                       id = choose_hash(chashes);
+                                       if (pc->cbhash) {
+                                               choices->algo_id =
+                                                       (id << 8) + 0x01;
+                                       } else {
+                                               choices->algo_id = 0xFF00 + id;
+                                       }
                                }
                                goto choose_ok;
                        }
                                }
                                goto choose_ok;
                        }
@@ -370,10 +412,23 @@ sp_choose(const br_ssl_server_policy_class **pctx,
                                if (br_ssl_engine_get_version(&cc->eng)
                                        < BR_TLS12)
                                {
                                if (br_ssl_engine_get_version(&cc->eng)
                                        < BR_TLS12)
                                {
-                                       choices->hash_id = br_sha1_ID;
+                                       if (pc->cbhash) {
+                                               choices->algo_id = 0x0203;
+                                       } else {
+                                               choices->algo_id =
+                                                       0xFF00 + br_sha1_ID;
+                                       }
                                } else {
                                } else {
-                                       choices->hash_id =
-                                               choose_hash(chashes >> 8);
+                                       unsigned id;
+
+                                       id = choose_hash(chashes >> 8);
+                                       if (pc->cbhash) {
+                                               choices->algo_id =
+                                                       (id << 8) + 0x03;
+                                       } else {
+                                               choices->algo_id =
+                                                       0xFF00 + id;
+                                       }
                                }
                                goto choose_ok;
                        }
                                }
                                goto choose_ok;
                        }
@@ -412,19 +467,25 @@ choose_ok:
 
 static uint32_t
 sp_do_keyx(const br_ssl_server_policy_class **pctx,
 
 static uint32_t
 sp_do_keyx(const br_ssl_server_policy_class **pctx,
-       unsigned char *data, size_t len)
+       unsigned char *data, size_t *len)
 {
        policy_context *pc;
 {
        policy_context *pc;
+       uint32_t r;
+       size_t xoff, xlen;
 
        pc = (policy_context *)pctx;
        switch (pc->sk->key_type) {
        case BR_KEYTYPE_RSA:
                return br_rsa_ssl_decrypt(
                        &br_rsa_i31_private, &pc->sk->key.rsa,
 
        pc = (policy_context *)pctx;
        switch (pc->sk->key_type) {
        case BR_KEYTYPE_RSA:
                return br_rsa_ssl_decrypt(
                        &br_rsa_i31_private, &pc->sk->key.rsa,
-                       data, len);
+                       data, *len);
        case BR_KEYTYPE_EC:
        case BR_KEYTYPE_EC:
-               return br_ec_prime_i31.mul(data, len, pc->sk->key.ec.x,
+               r = br_ec_all_m15.mul(data, *len, pc->sk->key.ec.x,
                        pc->sk->key.ec.xlen, pc->sk->key.ec.curve);
                        pc->sk->key.ec.xlen, pc->sk->key.ec.curve);
+               xoff = br_ec_all_m15.xoff(pc->sk->key.ec.curve, &xlen);
+               memmove(data, data + xoff, xlen);
+               *len = xlen;
+               return r;
        default:
                fprintf(stderr, "ERROR: unknown private key type (%d)\n",
                        (int)pc->sk->key_type);
        default:
                fprintf(stderr, "ERROR: unknown private key type (%d)\n",
                        (int)pc->sk->key_type);
@@ -434,13 +495,40 @@ sp_do_keyx(const br_ssl_server_policy_class **pctx,
 
 static size_t
 sp_do_sign(const br_ssl_server_policy_class **pctx,
 
 static size_t
 sp_do_sign(const br_ssl_server_policy_class **pctx,
-       int hash_id, size_t hv_len, unsigned char *data, size_t len)
+       unsigned algo_id, unsigned char *data, size_t hv_len, size_t len)
 {
        policy_context *pc;
        unsigned char hv[64];
 
        pc = (policy_context *)pctx;
 {
        policy_context *pc;
        unsigned char hv[64];
 
        pc = (policy_context *)pctx;
-       memcpy(hv, data, hv_len);
+       if (algo_id >= 0xFF00) {
+               algo_id &= 0xFF;
+               memcpy(hv, data, hv_len);
+       } else {
+               const br_hash_class *hc;
+               br_hash_compat_context zc;
+
+               if (pc->verbose) {
+                       fprintf(stderr, "Callback hashing, algo = 0x%04X,"
+                               " data_len = %lu\n",
+                               algo_id, (unsigned long)hv_len);
+               }
+               algo_id >>= 8;
+               hc = get_hash_impl(algo_id);
+               if (hc == NULL) {
+                       if (pc->verbose) {
+                               fprintf(stderr,
+                                       "ERROR: unsupported hash function %u\n",
+                                       algo_id);
+                       }
+                       return 0;
+               }
+               hc->init(&zc.vtable);
+               hc->update(&zc.vtable, data, hv_len);
+               hc->out(&zc.vtable, hv);
+               hv_len = (hc->desc >> BR_HASHDESC_OUT_OFF)
+                       & BR_HASHDESC_OUT_MASK;
+       }
        switch (pc->sk->key_type) {
                size_t sig_len;
                uint32_t x;
        switch (pc->sk->key_type) {
                size_t sig_len;
                uint32_t x;
@@ -448,12 +536,12 @@ sp_do_sign(const br_ssl_server_policy_class **pctx,
                const br_hash_class *hc;
 
        case BR_KEYTYPE_RSA:
                const br_hash_class *hc;
 
        case BR_KEYTYPE_RSA:
-               hash_oid = get_hash_oid(hash_id);
-               if (hash_oid == NULL && hash_id != 0) {
+               hash_oid = get_hash_oid(algo_id);
+               if (hash_oid == NULL && algo_id != 0) {
                        if (pc->verbose) {
                                fprintf(stderr, "ERROR: cannot RSA-sign with"
                        if (pc->verbose) {
                                fprintf(stderr, "ERROR: cannot RSA-sign with"
-                                       " unknown hash function: %d\n",
-                                       hash_id);
+                                       " unknown hash function: %u\n",
+                                       algo_id);
                        }
                        return 0;
                }
                        }
                        return 0;
                }
@@ -479,12 +567,12 @@ sp_do_sign(const br_ssl_server_policy_class **pctx,
                return sig_len;
 
        case BR_KEYTYPE_EC:
                return sig_len;
 
        case BR_KEYTYPE_EC:
-               hc = get_hash_impl(hash_id);
+               hc = get_hash_impl(algo_id);
                if (hc == NULL) {
                        if (pc->verbose) {
                                fprintf(stderr, "ERROR: cannot ECDSA-sign with"
                if (hc == NULL) {
                        if (pc->verbose) {
                                fprintf(stderr, "ERROR: cannot ECDSA-sign with"
-                                       " unknown hash function: %d\n",
-                                       hash_id);
+                                       " unknown hash function: %u\n",
+                                       algo_id);
                        }
                        return 0;
                }
                        }
                        return 0;
                }
@@ -496,7 +584,7 @@ sp_do_sign(const br_ssl_server_policy_class **pctx,
                        }
                        return 0;
                }
                        }
                        return 0;
                }
-               sig_len = br_ecdsa_i31_sign_asn1(&br_ec_prime_i31
+               sig_len = br_ecdsa_i31_sign_asn1(&br_ec_all_m15
                        hc, hv, &pc->sk->key.ec, data);
                if (sig_len == 0) {
                        if (pc->verbose) {
                        hc, hv, &pc->sk->key.ec, data);
                if (sig_len == 0) {
                        if (pc->verbose) {
@@ -539,12 +627,13 @@ do_server(int argc, char *argv[])
        size_t num_suites;
        uint16_t *suite_ids;
        unsigned hfuns;
        size_t num_suites;
        uint16_t *suite_ids;
        unsigned hfuns;
+       int cbhash;
        br_x509_certificate *chain;
        size_t chain_len;
        int cert_signer_algo;
        private_key *sk;
        anchor_list anchors = VEC_INIT;
        br_x509_certificate *chain;
        size_t chain_len;
        int cert_signer_algo;
        private_key *sk;
        anchor_list anchors = VEC_INIT;
-       VECTOR(const char *) alpn_names = VEC_INIT;
+       VECTOR(char *) alpn_names = VEC_INIT;
        br_x509_minimal_context xc;
        const br_hash_class *dnhash;
        size_t u;
        br_x509_minimal_context xc;
        const br_hash_class *dnhash;
        size_t u;
@@ -554,7 +643,7 @@ do_server(int argc, char *argv[])
        unsigned char *iobuf, *cache;
        size_t iobuf_len, cache_len;
        uint32_t flags;
        unsigned char *iobuf, *cache;
        size_t iobuf_len, cache_len;
        uint32_t flags;
-       int server_fd, fd;
+       SOCKET server_fd, fd;
 
        retcode = 0;
        verbose = 1;
 
        retcode = 0;
        verbose = 1;
@@ -567,6 +656,7 @@ do_server(int argc, char *argv[])
        suites = NULL;
        num_suites = 0;
        hfuns = 0;
        suites = NULL;
        num_suites = 0;
        hfuns = 0;
+       cbhash = 0;
        suite_ids = NULL;
        chain = NULL;
        chain_len = 0;
        suite_ids = NULL;
        chain = NULL;
        chain_len = 0;
@@ -576,8 +666,8 @@ do_server(int argc, char *argv[])
        cache = NULL;
        cache_len = (size_t)-1;
        flags = 0;
        cache = NULL;
        cache_len = (size_t)-1;
        flags = 0;
-       server_fd = -1;
-       fd = -1;
+       server_fd = INVALID_SOCKET;
+       fd = INVALID_SOCKET;
        for (i = 0; i < argc; i ++) {
                const char *arg;
 
        for (i = 0; i < argc; i ++) {
                const char *arg;
 
@@ -790,6 +880,8 @@ do_server(int argc, char *argv[])
                                goto server_exit_error;
                        }
                        hfuns |= x;
                                goto server_exit_error;
                        }
                        hfuns |= x;
+               } else if (eqstr(arg, "-cbhash")) {
+                       cbhash = 1;
                } else if (eqstr(arg, "-serverpref")) {
                        flags |= BR_OPT_ENFORCE_SERVER_PREFERENCES;
                } else if (eqstr(arg, "-noreneg")) {
                } else if (eqstr(arg, "-serverpref")) {
                        flags |= BR_OPT_ENFORCE_SERVER_PREFERENCES;
                } else if (eqstr(arg, "-noreneg")) {
@@ -864,7 +956,7 @@ do_server(int argc, char *argv[])
                break;
        case BR_KEYTYPE_EC:
                curve = sk->key.ec.curve;
                break;
        case BR_KEYTYPE_EC:
                curve = sk->key.ec.curve;
-               supp = br_ec_prime_i31.supported_curves;
+               supp = br_ec_all_m15.supported_curves;
                if (curve > 31 || !((supp >> curve) & 1)) {
                        fprintf(stderr, "ERROR: private key curve (%d)"
                                " is not supported\n", curve);
                if (curve > 31 || !((supp >> curve) & 1)) {
                        fprintf(stderr, "ERROR: private key curve (%d)"
                                " is not supported\n", curve);
@@ -988,7 +1080,7 @@ do_server(int argc, char *argv[])
                                &br_sslrec_out_cbc_vtable);
                }
                if ((req & (REQ_ECDHE_RSA | REQ_ECDHE_ECDSA)) != 0) {
                                &br_sslrec_out_cbc_vtable);
                }
                if ((req & (REQ_ECDHE_RSA | REQ_ECDHE_ECDSA)) != 0) {
-                       br_ssl_engine_set_ec(&cc.eng, &br_ec_prime_i31);
+                       br_ssl_engine_set_ec(&cc.eng, &br_ec_all_m15);
                }
        }
        br_ssl_engine_set_suites(&cc.eng, suite_ids, num_suites);
                }
        }
        br_ssl_engine_set_suites(&cc.eng, suite_ids, num_suites);
@@ -1024,7 +1116,8 @@ do_server(int argc, char *argv[])
 
        if (VEC_LEN(alpn_names) != 0) {
                br_ssl_engine_set_protocol_names(&cc.eng,
 
        if (VEC_LEN(alpn_names) != 0) {
                br_ssl_engine_set_protocol_names(&cc.eng,
-                       &VEC_ELT(alpn_names, 0), VEC_LEN(alpn_names));
+                       (const char **)&VEC_ELT(alpn_names, 0),
+                       VEC_LEN(alpn_names));
        }
 
        /*
        }
 
        /*
@@ -1038,6 +1131,7 @@ do_server(int argc, char *argv[])
        pc.chain_len = chain_len;
        pc.cert_signer_algo = cert_signer_algo;
        pc.sk = sk;
        pc.chain_len = chain_len;
        pc.cert_signer_algo = cert_signer_algo;
        pc.sk = sk;
+       pc.cbhash = cbhash;
        br_ssl_server_set_policy(&cc, &pc.vtable);
 
        /*
        br_ssl_server_set_policy(&cc, &pc.vtable);
 
        /*
@@ -1060,11 +1154,11 @@ do_server(int argc, char *argv[])
                        }
                }
                br_ssl_engine_set_rsavrfy(&cc.eng, &br_rsa_i31_pkcs1_vrfy);
                        }
                }
                br_ssl_engine_set_rsavrfy(&cc.eng, &br_rsa_i31_pkcs1_vrfy);
-               br_ssl_engine_set_ec(&cc.eng, &br_ec_prime_i31);
+               br_ssl_engine_set_ec(&cc.eng, &br_ec_all_m15);
                br_ssl_engine_set_ecdsa(&cc.eng, &br_ecdsa_i31_vrfy_asn1);
                br_x509_minimal_set_rsa(&xc, &br_rsa_i31_pkcs1_vrfy);
                br_x509_minimal_set_ecdsa(&xc,
                br_ssl_engine_set_ecdsa(&cc.eng, &br_ecdsa_i31_vrfy_asn1);
                br_x509_minimal_set_rsa(&xc, &br_rsa_i31_pkcs1_vrfy);
                br_x509_minimal_set_ecdsa(&xc,
-                       &br_ec_prime_i31, &br_ecdsa_i31_vrfy_asn1);
+                       &br_ec_all_m15, &br_ecdsa_i31_vrfy_asn1);
                br_ssl_engine_set_x509(&cc.eng, &xc.vtable);
                br_ssl_server_set_trust_anchor_names_alt(&cc,
                        &VEC_ELT(anchors, 0), VEC_LEN(anchors));
                br_ssl_engine_set_x509(&cc.eng, &xc.vtable);
                br_ssl_server_set_trust_anchor_names_alt(&cc,
                        &VEC_ELT(anchors, 0), VEC_LEN(anchors));
@@ -1073,15 +1167,17 @@ do_server(int argc, char *argv[])
        br_ssl_engine_set_buffer(&cc.eng, iobuf, iobuf_len, bidi);
 
        /*
        br_ssl_engine_set_buffer(&cc.eng, iobuf, iobuf_len, bidi);
 
        /*
-        * We need to ignore SIGPIPE.
+        * On Unix systems, we need to ignore SIGPIPE.
         */
         */
+#ifndef _WIN32
        signal(SIGPIPE, SIG_IGN);
        signal(SIGPIPE, SIG_IGN);
+#endif
 
        /*
         * Open the server socket.
         */
        server_fd = host_bind(bind_name, port, verbose);
 
        /*
         * Open the server socket.
         */
        server_fd = host_bind(bind_name, port, verbose);
-       if (server_fd < 0) {
+       if (server_fd == INVALID_SOCKET) {
                goto server_exit_error;
        }
 
                goto server_exit_error;
        }
 
@@ -1096,15 +1192,19 @@ do_server(int argc, char *argv[])
                int x;
 
                fd = accept_client(server_fd, verbose);
                int x;
 
                fd = accept_client(server_fd, verbose);
-               if (fd < 0) {
+               if (fd == INVALID_SOCKET) {
                        goto server_exit_error;
                }
                br_ssl_server_reset(&cc);
                x = run_ssl_engine(&cc.eng, fd,
                        (verbose ? RUN_ENGINE_VERBOSE : 0)
                        | (trace ? RUN_ENGINE_TRACE : 0));
                        goto server_exit_error;
                }
                br_ssl_server_reset(&cc);
                x = run_ssl_engine(&cc.eng, fd,
                        (verbose ? RUN_ENGINE_VERBOSE : 0)
                        | (trace ? RUN_ENGINE_TRACE : 0));
+#ifdef _WIN32
+               closesocket(fd);
+#else
                close(fd);
                close(fd);
-               fd = -1;
+#endif
+               fd = INVALID_SOCKET;
                if (x < -1) {
                        goto server_exit_error;
                }
                if (x < -1) {
                        goto server_exit_error;
                }
@@ -1122,8 +1222,12 @@ server_exit:
        VEC_CLEAREXT(alpn_names, &free_alpn);
        xfree(iobuf);
        xfree(cache);
        VEC_CLEAREXT(alpn_names, &free_alpn);
        xfree(iobuf);
        xfree(cache);
-       if (fd >= 0) {
+       if (fd != INVALID_SOCKET) {
+#ifdef _WIN32
+               closesocket(fd);
+#else
                close(fd);
                close(fd);
+#endif
        }
        return retcode;
 
        }
        return retcode;