]> git.ipfire.org Git - thirdparty/openssl.git/blame - test/ssl_old_test.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Clarify the PKCS12 docs
[thirdparty/openssl.git] / test / ssl_old_test.c
CommitLineData
440e5d80 1/*
da1c088f 2 * Copyright 1995-2023 The OpenSSL Project Authors. All Rights Reserved.
aa8f3d76 3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
c80149d9 4 * Copyright 2005 Nokia. All rights reserved.
3ac82faa 5 *
909f1a2e 6 * Licensed under the Apache License 2.0 (the "License"). You may not use
440e5d80
RS		 7 * this file except in compliance with the License. You can obtain a copy
8 * in the file LICENSE in the source distribution or at
9 * https://www.openssl.org/source/license.html
3ac82faa 10 */
440e5d80 11
d5f9166b 12#include "internal/e_os.h"
07016a8a 13
dbd87ffc 14/* Or gethostname won't be declared properly on Linux and GNU platforms. */
2a7de0fd
JW		 15#ifndef _BSD_SOURCE
16# define _BSD_SOURCE 1
17#endif
18#ifndef _DEFAULT_SOURCE
19# define _DEFAULT_SOURCE 1
20#endif
37289744 21
6f7af152
BM		 22#include <assert.h>
23#include <errno.h>
24#include <limits.h>
d02b48c6
RE		 25#include <stdio.h>
26#include <stdlib.h>
27#include <string.h>
563f1503 28#include <time.h>
17e3dd1c 29
176db6dc 30#include "internal/nelem.h"
b99fe5f4 31
bc120a54 32#ifdef OPENSSL_SYS_VMS
0f113f3e
MC		 33/*
34 * Or isascii won't be declared properly on VMS (at least with DECompHP C).
35 */
36# define _XOPEN_SOURCE 500
bc120a54
DSH		 37#endif
38
a963395a
RL		 39#include <ctype.h>
40
ec577822
BM		 41#include <openssl/bio.h>
42#include <openssl/crypto.h>
563f1503 43#include <openssl/evp.h>
ec577822 44#include <openssl/x509.h>
a7201e9a 45#include <openssl/x509v3.h>
ec577822
BM		 46#include <openssl/ssl.h>
47#include <openssl/err.h>
b9d82f47 48#include <openssl/rand.h>
3a1ee3c1 49#include <openssl/rsa.h>
3eeaab4b 50#ifndef OPENSSL_NO_DSA
0f113f3e 51# include <openssl/dsa.h>
3eeaab4b 52#endif
d095b68d 53#include <openssl/bn.h>
dd696a55
RP		 54#ifndef OPENSSL_NO_CT
55# include <openssl/ct.h>
56#endif
63215d04 57#include <openssl/provider.h>
bca7ad6e 58#include "testutil.h"
09867a47 59
dbd87ffc
MC		 60/*
61 * Or gethostname won't be declared properly
62 * on Compaq platforms (at least with DEC C).
63 * Do not try to put it earlier, or IPv6 includes
64 * get screwed...
0f113f3e
MC		 65 */
66#define _XOPEN_SOURCE_EXTENDED 1
09867a47 67
bc36ee62 68#ifdef OPENSSL_SYS_WINDOWS
0f113f3e 69# include <winsock.h>
37289744 70#else
6b10d29c 71# include <unistd.h>
d02b48c6
RE		 72#endif
73
20f8bc72 74#include "helpers/predefined_dhparams.h"
5658470c 75
b76998b8
RS		 76static SSL_CTX *s_ctx = NULL;
77static SSL_CTX *s_ctx2 = NULL;
817cd0d5 78
0f113f3e 79/*
45ddce21
RS		 80 * There is really no standard for this, so let's assign something
81 * only for this test
0f113f3e 82 */
0f113f3e 83#define COMP_ZLIB 1
23f80f46 84
6d23cf97 85static int verify_callback(int ok, X509_STORE_CTX *ctx);
6d23cf97 86static int app_verify_callback(X509_STORE_CTX *ctx, void *arg);
a7201e9a 87#define APP_CALLBACK_STRING "Test Callback Argument"
0f113f3e
MC		 88struct app_verify_arg {
89 char *string;
90 int app_verify;
0f113f3e 91};
023ec151 92
0f113f3e 93static char *psk_key = NULL; /* by default PSK is not used */
ddac1974 94#ifndef OPENSSL_NO_PSK
0f113f3e
MC		 95static unsigned int psk_client_callback(SSL *ssl, const char *hint,
96 char *identity,
97 unsigned int max_identity_len,
98 unsigned char *psk,
99 unsigned int max_psk_len);
100static unsigned int psk_server_callback(SSL *ssl, const char *identity,
101 unsigned char *psk,
102 unsigned int max_psk_len);
ddac1974
NL		 103#endif
104
0f113f3e 105static BIO *bio_stdout = NULL;
d02b48c6 106
2911575c 107#ifndef OPENSSL_NO_NEXTPROTONEG
d9a268b9
BL		 108/* Note that this code assumes that this is only a one element list: */
109static const char NEXT_PROTO_STRING[] = "\x09testproto";
df2ee0e2
BL		 110static int npn_client = 0;
111static int npn_server = 0;
112static int npn_server_reject = 0;
d9a268b9 113
0f113f3e
MC		 114static int cb_client_npn(SSL *s, unsigned char **out, unsigned char *outlen,
115 const unsigned char *in, unsigned int inlen,
116 void *arg)
117{
118 /*
119 * This callback only returns the protocol string, rather than a length
120 * prefixed set. We assume that NEXT_PROTO_STRING is a one element list
121 * and remove the first byte to chop off the length prefix.
122 */
123 *out = (unsigned char *)NEXT_PROTO_STRING + 1;
124 *outlen = sizeof(NEXT_PROTO_STRING) - 2;
125 return SSL_TLSEXT_ERR_OK;
126}
127
128static int cb_server_npn(SSL *s, const unsigned char **data,
129 unsigned int *len, void *arg)
130{
131 *data = (const unsigned char *)NEXT_PROTO_STRING;
132 *len = sizeof(NEXT_PROTO_STRING) - 1;
133 return SSL_TLSEXT_ERR_OK;
134}
135
136static int cb_server_rejects_npn(SSL *s, const unsigned char **data,
137 unsigned int *len, void *arg)
138{
139 return SSL_TLSEXT_ERR_NOACK;
140}
d9a268b9
BL		 141
142static int verify_npn(SSL *client, SSL *server)
0f113f3e
MC		 143{
144 const unsigned char *client_s;
145 unsigned client_len;
146 const unsigned char *server_s;
147 unsigned server_len;
148
149 SSL_get0_next_proto_negotiated(client, &client_s, &client_len);
150 SSL_get0_next_proto_negotiated(server, &server_s, &server_len);
151
152 if (client_len) {
153 BIO_printf(bio_stdout, "Client NPN: ");
154 BIO_write(bio_stdout, client_s, client_len);
155 BIO_printf(bio_stdout, "\n");
156 }
157
158 if (server_len) {
159 BIO_printf(bio_stdout, "Server NPN: ");
160 BIO_write(bio_stdout, server_s, server_len);
161 BIO_printf(bio_stdout, "\n");
162 }
163
164 /*
165 * If an NPN string was returned, it must be the protocol that we
166 * expected to negotiate.
167 */
168 if (client_len && (client_len != sizeof(NEXT_PROTO_STRING) - 2 ||
169 memcmp(client_s, NEXT_PROTO_STRING + 1, client_len)))
170 return -1;
171 if (server_len && (server_len != sizeof(NEXT_PROTO_STRING) - 2 ||
172 memcmp(server_s, NEXT_PROTO_STRING + 1, server_len)))
173 return -1;
174
175 if (!npn_client && client_len)
176 return -1;
177 if (!npn_server && server_len)
178 return -1;
179 if (npn_server_reject && server_len)
180 return -1;
181 if (npn_client && npn_server && (!client_len || !server_len))
182 return -1;
183
184 return 0;
185}
d9a268b9
BL		 186#endif
187
a8989362 188static const char *alpn_client;
817cd0d5
TS		 189static char *alpn_server;
190static char *alpn_server2;
a8989362
AL		 191static const char *alpn_expected;
192static unsigned char *alpn_selected;
7946ab33
KR		 193static const char *server_min_proto;
194static const char *server_max_proto;
195static const char *client_min_proto;
196static const char *client_max_proto;
197static const char *should_negotiate;
817cd0d5
TS		 198static const char *sn_client;
199static const char *sn_server1;
200static const char *sn_server2;
201static int sn_expect = 0;
b7dffce0
KR		 202static const char *server_sess_out;
203static const char *server_sess_in;
204static const char *client_sess_out;
205static const char *client_sess_in;
206static SSL_SESSION *server_sess;
207static SSL_SESSION *client_sess;
817cd0d5
TS		 208
209static int servername_cb(SSL *s, int *ad, void *arg)
210{
211 const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
212 if (sn_server2 == NULL) {
213 BIO_printf(bio_stdout, "Servername 2 is NULL\n");
214 return SSL_TLSEXT_ERR_NOACK;
215 }
216
217 if (servername) {
218 if (s_ctx2 != NULL && sn_server2 != NULL &&
fba140c7 219 !OPENSSL_strcasecmp(servername, sn_server2)) {
817cd0d5
TS		 220 BIO_printf(bio_stdout, "Switching server context.\n");
221 SSL_set_SSL_CTX(s, s_ctx2);
222 }
223 }
224 return SSL_TLSEXT_ERR_OK;
225}
226static int verify_servername(SSL *client, SSL *server)
227{
228 /* just need to see if sn_context is what we expect */
229 SSL_CTX* ctx = SSL_get_SSL_CTX(server);
230 if (sn_expect == 0)
231 return 0;
232 if (sn_expect == 1 && ctx == s_ctx)
233 return 0;
234 if (sn_expect == 2 && ctx == s_ctx2)
235 return 0;
236 BIO_printf(bio_stdout, "Servername: expected context %d\n", sn_expect);
237 if (ctx == s_ctx2)
238 BIO_printf(bio_stdout, "Servername: context is 2\n");
239 else if (ctx == s_ctx)
240 BIO_printf(bio_stdout, "Servername: context is 1\n");
241 else
242 BIO_printf(bio_stdout, "Servername: context is unknown\n");
243 return -1;
244}
245
a8989362 246
3a83462d
MC		 247/*-
248 * next_protos_parse parses a comma separated list of strings into a string
a8989362
AL		 249 * in a format suitable for passing to SSL_CTX_set_next_protos_advertised.
250 * outlen: (output) set to the length of the resulting buffer on success.
4eadd11c 251 * in: a NUL terminated string like "abc,def,ghi"
a8989362
AL		 252 *
253 * returns: a malloced buffer or NULL on failure.
254 */
817cd0d5 255static unsigned char *next_protos_parse(size_t *outlen,
0f113f3e
MC		 256 const char *in)
257{
258 size_t len;
259 unsigned char *out;
260 size_t i, start = 0;
261
262 len = strlen(in);
263 if (len >= 65535)
264 return NULL;
265
266 out = OPENSSL_malloc(strlen(in) + 1);
267 if (!out)
268 return NULL;
269
270 for (i = 0; i <= len; ++i) {
271 if (i == len || in[i] == ',') {
272 if (i - start > 255) {
273 OPENSSL_free(out);
274 return NULL;
275 }
3a63c0ed 276 out[start] = (unsigned char)(i - start);
0f113f3e
MC		 277 start = i + 1;
278 } else
279 out[i + 1] = in[i];
280 }
281
282 *outlen = len + 1;
283 return out;
284}
285
286static int cb_server_alpn(SSL *s, const unsigned char **out,
287 unsigned char *outlen, const unsigned char *in,
288 unsigned int inlen, void *arg)
289{
290 unsigned char *protos;
817cd0d5
TS		 291 size_t protos_len;
292 char* alpn_str = arg;
0f113f3e 293
817cd0d5 294 protos = next_protos_parse(&protos_len, alpn_str);
0f113f3e
MC		 295 if (protos == NULL) {
296 fprintf(stderr, "failed to parser ALPN server protocol string: %s\n",
817cd0d5 297 alpn_str);
0f113f3e
MC		 298 abort();
299 }
300
301 if (SSL_select_next_proto
302 ((unsigned char **)out, outlen, protos, protos_len, in,
303 inlen) != OPENSSL_NPN_NEGOTIATED) {
304 OPENSSL_free(protos);
305 return SSL_TLSEXT_ERR_NOACK;
306 }
307
308 /*
309 * Make a copy of the selected protocol which will be freed in
310 * verify_alpn.
311 */
312 alpn_selected = OPENSSL_malloc(*outlen);
b2feb9f0
JJ		 313 if (alpn_selected == NULL) {
314 fprintf(stderr, "failed to allocate memory\n");
315 OPENSSL_free(protos);
316 abort();
317 }
0f113f3e
MC		 318 memcpy(alpn_selected, *out, *outlen);
319 *out = alpn_selected;
320
321 OPENSSL_free(protos);
322 return SSL_TLSEXT_ERR_OK;
323}
a8989362
AL		 324
325static int verify_alpn(SSL *client, SSL *server)
0f113f3e
MC		 326{
327 const unsigned char *client_proto, *server_proto;
328 unsigned int client_proto_len = 0, server_proto_len = 0;
329 SSL_get0_alpn_selected(client, &client_proto, &client_proto_len);
330 SSL_get0_alpn_selected(server, &server_proto, &server_proto_len);
331
b548a1f1
RS		 332 OPENSSL_free(alpn_selected);
333 alpn_selected = NULL;
0f113f3e 334
8b940b69
TM		 335 if (client_proto == NULL && client_proto_len != 0) {
336 BIO_printf(bio_stdout,
337 "Inconsistent SSL_get0_alpn_selected() for client!\n");
338 goto err;
339 }
340
341 if (server_proto == NULL && server_proto_len != 0) {
342 BIO_printf(bio_stdout,
343 "Inconsistent SSL_get0_alpn_selected() for server!\n");
344 goto err;
345 }
346
3003e0a4
AG		 347 if (client_proto_len != server_proto_len) {
348 BIO_printf(bio_stdout, "ALPN selected protocols differ!\n");
349 goto err;
350 }
351
352 if (client_proto != NULL &&
0f113f3e
MC		 353 memcmp(client_proto, server_proto, client_proto_len) != 0) {
354 BIO_printf(bio_stdout, "ALPN selected protocols differ!\n");
355 goto err;
356 }
357
358 if (client_proto_len > 0 && alpn_expected == NULL) {
359 BIO_printf(bio_stdout, "ALPN unexpectedly negotiated\n");
360 goto err;
361 }
362
363 if (alpn_expected != NULL &&
364 (client_proto_len != strlen(alpn_expected) ||
365 memcmp(client_proto, alpn_expected, client_proto_len) != 0)) {
366 BIO_printf(bio_stdout,
367 "ALPN selected protocols not equal to expected protocol: %s\n",
368 alpn_expected);
369 goto err;
370 }
371
372 return 0;
373
374 err:
375 BIO_printf(bio_stdout, "ALPN results: client: '");
376 BIO_write(bio_stdout, client_proto, client_proto_len);
377 BIO_printf(bio_stdout, "', server: '");
378 BIO_write(bio_stdout, server_proto, server_proto_len);
379 BIO_printf(bio_stdout, "'\n");
817cd0d5
TS		 380 BIO_printf(bio_stdout, "ALPN configured: client: '%s', server: '",
381 alpn_client);
382 if (SSL_get_SSL_CTX(server) == s_ctx2) {
383 BIO_printf(bio_stdout, "%s'\n",
384 alpn_server2);
385 } else {
386 BIO_printf(bio_stdout, "%s'\n",
387 alpn_server);
388 }
0f113f3e
MC		 389 return -1;
390}
a8989362 391
0f113f3e
MC		 392/*
393 * WARNING : below extension types are *NOT* IETF assigned, and could
394 * conflict if these types are reassigned and handled specially by OpenSSL
395 * in the future
396 */
a398f821 397#define TACK_EXT_TYPE 62208
9cd50f73
T		 398#define CUSTOM_EXT_TYPE_0 1000
399#define CUSTOM_EXT_TYPE_1 1001
400#define CUSTOM_EXT_TYPE_2 1002
401#define CUSTOM_EXT_TYPE_3 1003
402
df2ee0e2
BL		 403static const char custom_ext_cli_string[] = "abc";
404static const char custom_ext_srv_string[] = "defg";
a398f821
T		 405
406/* These set from cmdline */
df2ee0e2
BL		 407static char *serverinfo_file = NULL;
408static int serverinfo_sct = 0;
409static int serverinfo_tack = 0;
9cd50f73
T		 410
411/* These set based on extension callbacks */
df2ee0e2
BL		 412static int serverinfo_sct_seen = 0;
413static int serverinfo_tack_seen = 0;
414static int serverinfo_other_seen = 0;
a398f821 415
9cd50f73 416/* This set from cmdline */
df2ee0e2 417static int custom_ext = 0;
9cd50f73
T		 418
419/* This set based on extension callbacks */
df2ee0e2 420static int custom_ext_error = 0;
9cd50f73 421
0cfefe4b 422static int serverinfo_cli_parse_cb(SSL *s, unsigned int ext_type,
0f113f3e
MC		 423 const unsigned char *in, size_t inlen,
424 int *al, void *arg)
425{
dd696a55 426 if (ext_type == TLSEXT_TYPE_signed_certificate_timestamp)
0f113f3e
MC		 427 serverinfo_sct_seen++;
428 else if (ext_type == TACK_EXT_TYPE)
429 serverinfo_tack_seen++;
430 else
431 serverinfo_other_seen++;
432 return 1;
433}
a398f821 434
3cb7c5cf 435static int verify_serverinfo(void)
0f113f3e
MC		 436{
437 if (serverinfo_sct != serverinfo_sct_seen)
438 return -1;
439 if (serverinfo_tack != serverinfo_tack_seen)
440 return -1;
441 if (serverinfo_other_seen)
442 return -1;
443 return 0;
444}
a398f821 445
1d97c843
TH		 446/*-
447 * Four test cases for custom extensions:
9cd50f73
T		 448 * 0 - no ClientHello extension or ServerHello response
449 * 1 - ClientHello with "abc", no response
450 * 2 - ClientHello with "abc", empty response
451 * 3 - ClientHello with "abc", "defg" response
452 */
453
de2a9e38 454static int custom_ext_0_cli_add_cb(SSL *s, unsigned int ext_type,
0f113f3e
MC		 455 const unsigned char **out,
456 size_t *outlen, int *al, void *arg)
457{
458 if (ext_type != CUSTOM_EXT_TYPE_0)
459 custom_ext_error = 1;
460 return 0; /* Don't send an extension */
461}
9cd50f73 462
de2a9e38 463static int custom_ext_0_cli_parse_cb(SSL *s, unsigned int ext_type,
0f113f3e
MC		 464 const unsigned char *in,
465 size_t inlen, int *al, void *arg)
466{
467 return 1;
468}
9cd50f73 469
de2a9e38 470static int custom_ext_1_cli_add_cb(SSL *s, unsigned int ext_type,
0f113f3e
MC		 471 const unsigned char **out,
472 size_t *outlen, int *al, void *arg)
473{
474 if (ext_type != CUSTOM_EXT_TYPE_1)
475 custom_ext_error = 1;
476 *out = (const unsigned char *)custom_ext_cli_string;
477 *outlen = strlen(custom_ext_cli_string);
478 return 1; /* Send "abc" */
479}
9cd50f73 480
de2a9e38 481static int custom_ext_1_cli_parse_cb(SSL *s, unsigned int ext_type,
0f113f3e
MC		 482 const unsigned char *in,
483 size_t inlen, int *al, void *arg)
484{
485 return 1;
486}
9cd50f73 487
de2a9e38 488static int custom_ext_2_cli_add_cb(SSL *s, unsigned int ext_type,
0f113f3e
MC		 489 const unsigned char **out,
490 size_t *outlen, int *al, void *arg)
491{
492 if (ext_type != CUSTOM_EXT_TYPE_2)
493 custom_ext_error = 1;
494 *out = (const unsigned char *)custom_ext_cli_string;
495 *outlen = strlen(custom_ext_cli_string);
496 return 1; /* Send "abc" */
497}
9cd50f73 498
de2a9e38 499static int custom_ext_2_cli_parse_cb(SSL *s, unsigned int ext_type,
0f113f3e
MC		 500 const unsigned char *in,
501 size_t inlen, int *al, void *arg)
502{
503 if (ext_type != CUSTOM_EXT_TYPE_2)
504 custom_ext_error = 1;
505 if (inlen != 0)
506 custom_ext_error = 1; /* Should be empty response */
507 return 1;
508}
9cd50f73 509
de2a9e38 510static int custom_ext_3_cli_add_cb(SSL *s, unsigned int ext_type,
0f113f3e
MC		 511 const unsigned char **out,
512 size_t *outlen, int *al, void *arg)
513{
514 if (ext_type != CUSTOM_EXT_TYPE_3)
515 custom_ext_error = 1;
516 *out = (const unsigned char *)custom_ext_cli_string;
517 *outlen = strlen(custom_ext_cli_string);
518 return 1; /* Send "abc" */
519}
9cd50f73 520
de2a9e38 521static int custom_ext_3_cli_parse_cb(SSL *s, unsigned int ext_type,
0f113f3e
MC		 522 const unsigned char *in,
523 size_t inlen, int *al, void *arg)
524{
525 if (ext_type != CUSTOM_EXT_TYPE_3)
526 custom_ext_error = 1;
527 if (inlen != strlen(custom_ext_srv_string))
528 custom_ext_error = 1;
529 if (memcmp(custom_ext_srv_string, in, inlen) != 0)
530 custom_ext_error = 1; /* Check for "defg" */
531 return 1;
532}
533
534/*
535 * custom_ext_0_cli_add_cb returns 0 - the server won't receive a callback
536 * for this extension
537 */
de2a9e38 538static int custom_ext_0_srv_parse_cb(SSL *s, unsigned int ext_type,
0f113f3e
MC		 539 const unsigned char *in,
540 size_t inlen, int *al, void *arg)
541{
542 custom_ext_error = 1;
543 return 1;
544}
9cd50f73 545
f47e2039 546/* 'add' callbacks are only called if the 'parse' callback is called */
de2a9e38 547static int custom_ext_0_srv_add_cb(SSL *s, unsigned int ext_type,
0f113f3e
MC		 548 const unsigned char **out,
549 size_t *outlen, int *al, void *arg)
550{
551 /* Error: should not have been called */
552 custom_ext_error = 1;
553 return 0; /* Don't send an extension */
554}
9cd50f73 555
de2a9e38 556static int custom_ext_1_srv_parse_cb(SSL *s, unsigned int ext_type,
0f113f3e
MC		 557 const unsigned char *in,
558 size_t inlen, int *al, void *arg)
559{
560 if (ext_type != CUSTOM_EXT_TYPE_1)
561 custom_ext_error = 1;
562 /* Check for "abc" */
563 if (inlen != strlen(custom_ext_cli_string))
564 custom_ext_error = 1;
565 if (memcmp(in, custom_ext_cli_string, inlen) != 0)
566 custom_ext_error = 1;
567 return 1;
568}
9cd50f73 569
de2a9e38 570static int custom_ext_1_srv_add_cb(SSL *s, unsigned int ext_type,
0f113f3e
MC		 571 const unsigned char **out,
572 size_t *outlen, int *al, void *arg)
573{
574 return 0; /* Don't send an extension */
575}
9cd50f73 576
de2a9e38 577static int custom_ext_2_srv_parse_cb(SSL *s, unsigned int ext_type,
0f113f3e
MC		 578 const unsigned char *in,
579 size_t inlen, int *al, void *arg)
580{
581 if (ext_type != CUSTOM_EXT_TYPE_2)
582 custom_ext_error = 1;
583 /* Check for "abc" */
584 if (inlen != strlen(custom_ext_cli_string))
585 custom_ext_error = 1;
586 if (memcmp(in, custom_ext_cli_string, inlen) != 0)
587 custom_ext_error = 1;
588 return 1;
589}
9cd50f73 590
de2a9e38 591static int custom_ext_2_srv_add_cb(SSL *s, unsigned int ext_type,
0f113f3e
MC		 592 const unsigned char **out,
593 size_t *outlen, int *al, void *arg)
594{
595 *out = NULL;
596 *outlen = 0;
597 return 1; /* Send empty extension */
598}
9cd50f73 599
de2a9e38 600static int custom_ext_3_srv_parse_cb(SSL *s, unsigned int ext_type,
0f113f3e
MC		 601 const unsigned char *in,
602 size_t inlen, int *al, void *arg)
603{
604 if (ext_type != CUSTOM_EXT_TYPE_3)
605 custom_ext_error = 1;
606 /* Check for "abc" */
607 if (inlen != strlen(custom_ext_cli_string))
608 custom_ext_error = 1;
609 if (memcmp(in, custom_ext_cli_string, inlen) != 0)
610 custom_ext_error = 1;
611 return 1;
612}
9cd50f73 613
de2a9e38 614static int custom_ext_3_srv_add_cb(SSL *s, unsigned int ext_type,
0f113f3e
MC		 615 const unsigned char **out,
616 size_t *outlen, int *al, void *arg)
617{
618 *out = (const unsigned char *)custom_ext_srv_string;
619 *outlen = strlen(custom_ext_srv_string);
620 return 1; /* Send "defg" */
621}
622
623static char *cipher = NULL;
f865b081 624static char *ciphersuites = NULL;
0f113f3e
MC		 625static int verbose = 0;
626static int debug = 0;
d02b48c6 627
75d5bd4e
RL		 628int doit_localhost(SSL *s_ssl, SSL *c_ssl, int family,
629 long bytes, clock_t *s_time, clock_t *c_time);
0f113f3e
MC		 630int doit_biopair(SSL *s_ssl, SSL *c_ssl, long bytes, clock_t *s_time,
631 clock_t *c_time);
632int doit(SSL *s_ssl, SSL *c_ssl, long bytes);
9ccc00ef 633
6b691a5c 634static void sv_usage(void)
0f113f3e
MC		 635{
636 fprintf(stderr, "usage: ssltest [args ...]\n");
637 fprintf(stderr, "\n");
0f113f3e
MC		 638 fprintf(stderr, " -server_auth - check server certificate\n");
639 fprintf(stderr, " -client_auth - do client authentication\n");
0f113f3e
MC		 640 fprintf(stderr, " -v - more output\n");
641 fprintf(stderr, " -d - debug output\n");
642 fprintf(stderr, " -reuse - use session-id reuse\n");
643 fprintf(stderr, " -num <val> - number of connections to perform\n");
644 fprintf(stderr,
645 " -bytes <val> - number of bytes to swap between client/server\n");
5658470c 646#ifndef OPENSSL_NO_DH
0f113f3e 647 fprintf(stderr,
e8356e32 648 " -dhe512 - use 512 bit key for DHE (to test failure)\n");
0f113f3e
MC		 649 fprintf(stderr,
650 " -dhe1024dsa - use 1024 bit key (with 160-bit subprime) for DHE\n");
d71151ae
NT		 651 fprintf(stderr,
652 " -dhe2048 - use 2048 bit key (safe prime) for DHE (default, no-op)\n");
653 fprintf(stderr,
654 " -dhe4096 - use 4096 bit key (safe prime) for DHE\n");
5658470c 655#endif
0f113f3e 656 fprintf(stderr, " -no_dhe - disable DHE\n");
10bf4fc2 657#ifndef OPENSSL_NO_EC
fd009d76 658 fprintf(stderr, " -no_ecdhe - disable ECDHE\n");
ea262260 659#endif
ddac1974 660#ifndef OPENSSL_NO_PSK
0f113f3e 661 fprintf(stderr, " -psk arg - PSK in hex (without 0x)\n");
ddac1974 662#endif
6b01bed2 663#ifndef OPENSSL_NO_SSL3
0f113f3e 664 fprintf(stderr, " -ssl3 - use SSLv3\n");
58964a49 665#endif
6b01bed2 666#ifndef OPENSSL_NO_TLS1
0f113f3e 667 fprintf(stderr, " -tls1 - use TLSv1\n");
6b01bed2 668#endif
d71151ae
NT		 669#ifndef OPENSSL_NO_TLS1_1
670 fprintf(stderr, " -tls1_1 - use TLSv1.1\n");
671#endif
672#ifndef OPENSSL_NO_TLS1_2
673 fprintf(stderr, " -tls1_2 - use TLSv1.2\n");
674#endif
98b8cdd3 675#ifndef OPENSSL_NO_DTLS
0d5301af 676 fprintf(stderr, " -dtls - use DTLS\n");
6b01bed2 677#ifndef OPENSSL_NO_DTLS1
98b8cdd3 678 fprintf(stderr, " -dtls1 - use DTLSv1\n");
6b01bed2
VD		 679#endif
680#ifndef OPENSSL_NO_DTLS1_2
98b8cdd3 681 fprintf(stderr, " -dtls12 - use DTLSv1.2\n");
6b01bed2 682#endif
98b8cdd3 683#endif
0f113f3e
MC		 684 fprintf(stderr, " -CApath arg - PEM format directory of CA's\n");
685 fprintf(stderr, " -CAfile arg - PEM format file of CA's\n");
598bd774 686 fprintf(stderr, " -s_cert arg - Server certificate file\n");
0f113f3e 687 fprintf(stderr,
598bd774 688 " -s_key arg - Server key file (default: same as -cert)\n");
0f113f3e
MC		 689 fprintf(stderr, " -c_cert arg - Client certificate file\n");
690 fprintf(stderr,
691 " -c_key arg - Client key file (default: same as -c_cert)\n");
f865b081
MC		 692 fprintf(stderr, " -cipher arg - The TLSv1.2 and below cipher list\n");
693 fprintf(stderr, " -ciphersuites arg - The TLSv1.3 ciphersuites\n");
0f113f3e 694 fprintf(stderr, " -bio_pair - Use BIO pairs\n");
75d5bd4e
RL		 695 fprintf(stderr, " -ipv4 - Use IPv4 connection on localhost\n");
696 fprintf(stderr, " -ipv6 - Use IPv6 connection on localhost\n");
0f113f3e
MC		 697 fprintf(stderr, " -f - Test even cases that can't work\n");
698 fprintf(stderr,
699 " -time - measure processor time used by client and server\n");
700 fprintf(stderr, " -zlib - use zlib compression\n");
2911575c 701#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e
MC		 702 fprintf(stderr, " -npn_client - have client side offer NPN\n");
703 fprintf(stderr, " -npn_server - have server side offer NPN\n");
704 fprintf(stderr, " -npn_server_reject - have server reject NPN\n");
705#endif
706 fprintf(stderr, " -serverinfo_file file - have server use this file\n");
707 fprintf(stderr, " -serverinfo_sct - have client offer and expect SCT\n");
708 fprintf(stderr,
709 " -serverinfo_tack - have client offer and expect TACK\n");
710 fprintf(stderr,
711 " -custom_ext - try various custom extension callbacks\n");
712 fprintf(stderr, " -alpn_client <string> - have client side offer ALPN\n");
713 fprintf(stderr, " -alpn_server <string> - have server side offer ALPN\n");
817cd0d5
TS		 714 fprintf(stderr, " -alpn_server1 <string> - alias for -alpn_server\n");
715 fprintf(stderr, " -alpn_server2 <string> - have server side context 2 offer ALPN\n");
0f113f3e
MC		 716 fprintf(stderr,
717 " -alpn_expected <string> - the ALPN protocol that should be negotiated\n");
7946ab33
KR		 718 fprintf(stderr, " -server_min_proto <string> - Minimum version the server should support\n");
719 fprintf(stderr, " -server_max_proto <string> - Maximum version the server should support\n");
720 fprintf(stderr, " -client_min_proto <string> - Minimum version the client should support\n");
721 fprintf(stderr, " -client_max_proto <string> - Maximum version the client should support\n");
722 fprintf(stderr, " -should_negotiate <string> - The version that should be negotiated, fail-client or fail-server\n");
dd696a55
RP		 723#ifndef OPENSSL_NO_CT
724 fprintf(stderr, " -noct - no certificate transparency\n");
725 fprintf(stderr, " -requestct - request certificate transparency\n");
726 fprintf(stderr, " -requirect - require certificate transparency\n");
727#endif
817cd0d5
TS		 728 fprintf(stderr, " -sn_client <string> - have client request this servername\n");
729 fprintf(stderr, " -sn_server1 <string> - have server context 1 respond to this servername\n");
730 fprintf(stderr, " -sn_server2 <string> - have server context 2 respond to this servername\n");
731 fprintf(stderr, " -sn_expect1 - expected server 1\n");
732 fprintf(stderr, " -sn_expect2 - expected server 2\n");
b7dffce0
KR		 733 fprintf(stderr, " -server_sess_out <file> - Save the server session to a file\n");
734 fprintf(stderr, " -server_sess_in <file> - Read the server session from a file\n");
735 fprintf(stderr, " -client_sess_out <file> - Save the client session to a file\n");
736 fprintf(stderr, " -client_sess_in <file> - Read the client session from a file\n");
737 fprintf(stderr, " -should_reuse <number> - The expected state of reusing the session\n");
738 fprintf(stderr, " -no_ticket - do not issue TLS session ticket\n");
8fff986d
BE		 739 fprintf(stderr, " -client_ktls - try to enable client KTLS\n");
740 fprintf(stderr, " -server_ktls - try to enable server KTLS\n");
63215d04 741 fprintf(stderr, " -provider <name> - Load the given provider into the library context\n");
be9d82bb 742 fprintf(stderr, " -config <cnf> - Load the given config file into the library context\n");
0f113f3e 743}
563f1503 744
f756f1fc 745static void print_key_details(BIO *out, EVP_PKEY *key)
0f113f3e 746{
ed576acd 747 int keyid = EVP_PKEY_get_id(key);
59b64259 748
f756f1fc 749#ifndef OPENSSL_NO_EC
0f113f3e 750 if (keyid == EVP_PKEY_EC) {
59b64259
TM		 751 char group[80];
752 size_t size;
753
754 if (!EVP_PKEY_get_group_name(key, group, sizeof(group), &size))
755 strcpy(group, "unknown group");
ed576acd 756 BIO_printf(out, "%d bits EC (%s)", EVP_PKEY_get_bits(key), group);
0f113f3e
MC		 757 } else
758#endif
759 {
760 const char *algname;
761 switch (keyid) {
762 case EVP_PKEY_RSA:
763 algname = "RSA";
764 break;
765 case EVP_PKEY_DSA:
766 algname = "DSA";
767 break;
768 case EVP_PKEY_DH:
769 algname = "DH";
770 break;
771 default:
772 algname = OBJ_nid2sn(keyid);
773 break;
774 }
ed576acd 775 BIO_printf(out, "%d bits %s", EVP_PKEY_get_bits(key), algname);
0f113f3e
MC		 776 }
777}
f756f1fc 778
563f1503 779static void print_details(SSL *c_ssl, const char *prefix)
0f113f3e
MC		 780{
781 const SSL_CIPHER *ciph;
782 int mdnid;
783 X509 *cert;
784 EVP_PKEY *pkey;
785
786 ciph = SSL_get_current_cipher(c_ssl);
787 BIO_printf(bio_stdout, "%s%s, cipher %s %s",
788 prefix,
789 SSL_get_version(c_ssl),
790 SSL_CIPHER_get_version(ciph), SSL_CIPHER_get_name(ciph));
8c2bfd25 791 cert = SSL_get0_peer_certificate(c_ssl);
0f113f3e 792 if (cert != NULL) {
1c72f70d
F		 793 EVP_PKEY* pubkey = X509_get0_pubkey(cert);
794
795 if (pubkey != NULL) {
0f113f3e 796 BIO_puts(bio_stdout, ", ");
1c72f70d 797 print_key_details(bio_stdout, pubkey);
0f113f3e 798 }
0f113f3e 799 }
a51c9f63 800 if (SSL_get_peer_tmp_key(c_ssl, &pkey)) {
0f113f3e
MC		 801 BIO_puts(bio_stdout, ", temp key: ");
802 print_key_details(bio_stdout, pkey);
803 EVP_PKEY_free(pkey);
804 }
805 if (SSL_get_peer_signature_nid(c_ssl, &mdnid))
806 BIO_printf(bio_stdout, ", digest=%s", OBJ_nid2sn(mdnid));
807 BIO_printf(bio_stdout, "\n");
808}
d02b48c6 809
7946ab33
KR		 810/*
811 * protocol_from_string - converts a protocol version string to a number
812 *
813 * Returns -1 on failure or the version on success
814 */
815static int protocol_from_string(const char *value)
816{
817 struct protocol_versions {
818 const char *name;
819 int version;
820 };
821 static const struct protocol_versions versions[] = {
822 {"ssl3", SSL3_VERSION},
823 {"tls1", TLS1_VERSION},
824 {"tls1.1", TLS1_1_VERSION},
825 {"tls1.2", TLS1_2_VERSION},
582a17d6 826 {"tls1.3", TLS1_3_VERSION},
7946ab33
KR		 827 {"dtls1", DTLS1_VERSION},
828 {"dtls1.2", DTLS1_2_VERSION}};
829 size_t i;
830 size_t n = OSSL_NELEM(versions);
831
832 for (i = 0; i < n; i++)
833 if (strcmp(versions[i].name, value) == 0)
834 return versions[i].version;
835 return -1;
836}
837
b7dffce0
KR		 838static SSL_SESSION *read_session(const char *filename)
839{
840 SSL_SESSION *sess;
841 BIO *f = BIO_new_file(filename, "r");
842
843 if (f == NULL) {
844 BIO_printf(bio_err, "Can't open session file %s\n", filename);
845 ERR_print_errors(bio_err);
846 return NULL;
847 }
848 sess = PEM_read_bio_SSL_SESSION(f, NULL, 0, NULL);
849 if (sess == NULL) {
850 BIO_printf(bio_err, "Can't parse session file %s\n", filename);
851 ERR_print_errors(bio_err);
852 }
853 BIO_free(f);
854 return sess;
855}
856
857static int write_session(const char *filename, SSL_SESSION *sess)
858{
34563be5 859 BIO *f;
b7dffce0
KR		 860
861 if (sess == NULL) {
862 BIO_printf(bio_err, "No session information\n");
863 return 0;
864 }
34563be5
PH		 865
866 f = BIO_new_file(filename, "w");
b7dffce0
KR		 867 if (f == NULL) {
868 BIO_printf(bio_err, "Can't open session file %s\n", filename);
869 ERR_print_errors(bio_err);
870 return 0;
871 }
872 PEM_write_bio_SSL_SESSION(f, sess);
873 BIO_free(f);
874 return 1;
875}
876
7946ab33
KR		 877/*
878 * set_protocol_version - Sets protocol version minimum or maximum
879 *
880 * Returns 0 on failure and 1 on success
881 */
882static int set_protocol_version(const char *version, SSL *ssl, int setting)
883{
884 if (version != NULL) {
885 int ver = protocol_from_string(version);
886 if (ver < 0) {
887 BIO_printf(bio_err, "Error parsing: %s\n", version);
888 return 0;
889 }
890 return SSL_ctrl(ssl, setting, ver, NULL);
891 }
892 return 1;
893}
894
6b691a5c 895int main(int argc, char *argv[])
0f113f3e 896{
cc696296 897 const char *CApath = NULL, *CAfile = NULL;
0f113f3e 898 int badop = 0;
75d5bd4e 899 enum { BIO_MEM, BIO_PAIR, BIO_IPV4, BIO_IPV6 } bio_type = BIO_MEM;
0f113f3e 900 int force = 0;
d71151ae 901 int dtls1 = 0, dtls12 = 0, dtls = 0, tls1 = 0, tls1_1 = 0, tls1_2 = 0, ssl3 = 0;
c2500f65 902 int ret = EXIT_FAILURE;
0f113f3e
MC		 903 int client_auth = 0;
904 int server_auth = 0, i;
905 struct app_verify_arg app_verify_arg =
a263f320 906 { APP_CALLBACK_STRING, 0 };
0f113f3e
MC		 907 SSL_CTX *c_ctx = NULL;
908 const SSL_METHOD *meth = NULL;
42772df5
TS		 909 SSL *c_ssl = NULL;
910 SSL *s_ssl = NULL;
0f113f3e 911 int number = 1, reuse = 0;
b7dffce0
KR		 912 int should_reuse = -1;
913 int no_ticket = 0;
8fff986d 914 int client_ktls = 0, server_ktls = 0;
0f113f3e 915 long bytes = 256L;
5658470c 916#ifndef OPENSSL_NO_DH
d3d2c0dc 917 EVP_PKEY *dhpkey;
d71151ae 918 int dhe512 = 0, dhe1024dsa = 0, dhe4096 = 0;
0f113f3e 919 int no_dhe = 0;
d3d2c0dc 920#endif
0f113f3e
MC		 921 int no_psk = 0;
922 int print_time = 0;
923 clock_t s_time = 0, c_time = 0;
09b6c2ef 924#ifndef OPENSSL_NO_COMP
9a555706 925 int n, comp = 0;
0f113f3e
MC		 926 COMP_METHOD *cm = NULL;
927 STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
0f113f3e 928#endif
6b01bed2 929 int no_protocol;
0d5301af 930 int min_version = 0, max_version = 0;
dd696a55
RP		 931#ifndef OPENSSL_NO_CT
932 /*
933 * Disable CT validation by default, because it will interfere with
934 * anything using custom extension handlers to deal with SCT extensions.
935 */
43341433 936 int ct_validation = 0;
dd696a55 937#endif
817cd0d5 938 SSL_CONF_CTX *s_cctx = NULL, *c_cctx = NULL, *s_cctx2 = NULL;
0f113f3e 939 STACK_OF(OPENSSL_STRING) *conf_args = NULL;
4a640fb6 940 char *arg = NULL, *argn = NULL;
63215d04
MC		 941 const char *provider = NULL, *config = NULL;
942 OSSL_PROVIDER *thisprov = NULL, *defctxnull = NULL;
b4250010 943 OSSL_LIB_CTX *libctx = NULL;
0f113f3e
MC		 944
945 verbose = 0;
946 debug = 0;
0f113f3e
MC		 947
948 bio_err = BIO_new_fp(stderr, BIO_NOCLOSE | BIO_FP_TEXT);
0f113f3e
MC		 949 bio_stdout = BIO_new_fp(stdout, BIO_NOCLOSE | BIO_FP_TEXT);
950
951 s_cctx = SSL_CONF_CTX_new();
817cd0d5 952 s_cctx2 = SSL_CONF_CTX_new();
0f113f3e
MC		 953 c_cctx = SSL_CONF_CTX_new();
954
817cd0d5 955 if (!s_cctx || !c_cctx || !s_cctx2) {
0f113f3e
MC		 956 ERR_print_errors(bio_err);
957 goto end;
958 }
959
960 SSL_CONF_CTX_set_flags(s_cctx,
6a096889
DSH		 961 SSL_CONF_FLAG_CMDLINE | SSL_CONF_FLAG_SERVER |
962 SSL_CONF_FLAG_CERTIFICATE |
963 SSL_CONF_FLAG_REQUIRE_PRIVATE);
817cd0d5
TS		 964 SSL_CONF_CTX_set_flags(s_cctx2,
965 SSL_CONF_FLAG_CMDLINE | SSL_CONF_FLAG_SERVER |
966 SSL_CONF_FLAG_CERTIFICATE |
967 SSL_CONF_FLAG_REQUIRE_PRIVATE);
0f113f3e
MC		 968 if (!SSL_CONF_CTX_set1_prefix(s_cctx, "-s_")) {
969 ERR_print_errors(bio_err);
970 goto end;
971 }
817cd0d5
TS		 972 if (!SSL_CONF_CTX_set1_prefix(s_cctx2, "-s_")) {
973 ERR_print_errors(bio_err);
974 goto end;
975 }
0f113f3e
MC		 976
977 SSL_CONF_CTX_set_flags(c_cctx,
6a096889
DSH		 978 SSL_CONF_FLAG_CMDLINE | SSL_CONF_FLAG_CLIENT |
979 SSL_CONF_FLAG_CERTIFICATE |
980 SSL_CONF_FLAG_REQUIRE_PRIVATE);
0f113f3e
MC		 981 if (!SSL_CONF_CTX_set1_prefix(c_cctx, "-c_")) {
982 ERR_print_errors(bio_err);
983 goto end;
984 }
985
986 argc--;
987 argv++;
988
989 while (argc >= 1) {
86885c28 990 if (strcmp(*argv, "-F") == 0) {
0f113f3e
MC		 991 fprintf(stderr,
992 "not compiled with FIPS support, so exiting without running.\n");
993 EXIT(0);
0f113f3e
MC		 994 } else if (strcmp(*argv, "-server_auth") == 0)
995 server_auth = 1;
996 else if (strcmp(*argv, "-client_auth") == 0)
997 client_auth = 1;
a263f320 998 else if (strcmp(*argv, "-v") == 0)
0f113f3e
MC		 999 verbose = 1;
1000 else if (strcmp(*argv, "-d") == 0)
1001 debug = 1;
1002 else if (strcmp(*argv, "-reuse") == 0)
1003 reuse = 1;
5658470c
DDO		 1004 else if (strcmp(*argv, "-no_dhe") == 0)
1005#ifdef OPENSSL_NO_DH
1006 /* unused in this case */;
1007#else
1008 no_dhe = 1;
1009 else if (strcmp(*argv, "-dhe512") == 0)
e8356e32 1010 dhe512 = 1;
5658470c 1011 else if (strcmp(*argv, "-dhe1024dsa") == 0)
0f113f3e 1012 dhe1024dsa = 1;
d71151ae
NT		 1013 else if (strcmp(*argv, "-dhe4096") == 0)
1014 dhe4096 = 1;
5658470c 1015#endif
0f113f3e 1016 else if (strcmp(*argv, "-no_ecdhe") == 0)
817cd0d5 1017 /* obsolete */;
0f113f3e
MC		 1018 else if (strcmp(*argv, "-psk") == 0) {
1019 if (--argc < 1)
1020 goto bad;
1021 psk_key = *(++argv);
ddac1974 1022#ifndef OPENSSL_NO_PSK
0f113f3e
MC		 1023 if (strspn(psk_key, "abcdefABCDEF1234567890") != strlen(psk_key)) {
1024 BIO_printf(bio_err, "Not a hex number '%s'\n", *argv);
1025 goto bad;
1026 }
ddac1974 1027#else
0f113f3e 1028 no_psk = 1;
ddac1974 1029#endif
0f113f3e 1030 }
582a17d6
MC		 1031 else if (strcmp(*argv, "-tls1_2") == 0) {
1032 tls1_2 = 1;
d71151ae
NT		 1033 } else if (strcmp(*argv, "-tls1_1") == 0) {
1034 tls1_1 = 1;
582a17d6 1035 } else if (strcmp(*argv, "-tls1") == 0) {
0f113f3e
MC		 1036 tls1 = 1;
1037 } else if (strcmp(*argv, "-ssl3") == 0) {
0f113f3e 1038 ssl3 = 1;
98b8cdd3 1039 } else if (strcmp(*argv, "-dtls1") == 0) {
98b8cdd3
DW		 1040 dtls1 = 1;
1041 } else if (strcmp(*argv, "-dtls12") == 0) {
98b8cdd3 1042 dtls12 = 1;
7946ab33 1043 } else if (strcmp(*argv, "-dtls") == 0) {
7946ab33 1044 dtls = 1;
2ff286c2 1045 } else if (HAS_PREFIX(*argv, "-num")) {
0f113f3e
MC		 1046 if (--argc < 1)
1047 goto bad;
1048 number = atoi(*(++argv));
1049 if (number == 0)
1050 number = 1;
1051 } else if (strcmp(*argv, "-bytes") == 0) {
1052 if (--argc < 1)
1053 goto bad;
1054 bytes = atol(*(++argv));
1055 if (bytes == 0L)
1056 bytes = 1L;
1057 i = strlen(argv[0]);
1058 if (argv[0][i - 1] == 'k')
1059 bytes *= 1024L;
1060 if (argv[0][i - 1] == 'm')
1061 bytes *= 1024L * 1024L;
0f113f3e
MC		 1062 } else if (strcmp(*argv, "-cipher") == 0) {
1063 if (--argc < 1)
1064 goto bad;
1065 cipher = *(++argv);
f865b081
MC		 1066 } else if (strcmp(*argv, "-ciphersuites") == 0) {
1067 if (--argc < 1)
1068 goto bad;
1069 ciphersuites = *(++argv);
0f113f3e
MC		 1070 } else if (strcmp(*argv, "-CApath") == 0) {
1071 if (--argc < 1)
1072 goto bad;
1073 CApath = *(++argv);
1074 } else if (strcmp(*argv, "-CAfile") == 0) {
1075 if (--argc < 1)
1076 goto bad;
1077 CAfile = *(++argv);
1078 } else if (strcmp(*argv, "-bio_pair") == 0) {
75d5bd4e 1079 bio_type = BIO_PAIR;
f9e55034
MC		 1080 }
1081#ifndef OPENSSL_NO_SOCK
1082 else if (strcmp(*argv, "-ipv4") == 0) {
75d5bd4e
RL		 1083 bio_type = BIO_IPV4;
1084 } else if (strcmp(*argv, "-ipv6") == 0) {
1085 bio_type = BIO_IPV6;
f9e55034
MC		 1086 }
1087#endif
1088 else if (strcmp(*argv, "-f") == 0) {
0f113f3e
MC		 1089 force = 1;
1090 } else if (strcmp(*argv, "-time") == 0) {
1091 print_time = 1;
1092 }
dd696a55
RP		 1093#ifndef OPENSSL_NO_CT
1094 else if (strcmp(*argv, "-noct") == 0) {
43341433 1095 ct_validation = 0;
dd696a55 1096 }
43341433
VD		 1097 else if (strcmp(*argv, "-ct") == 0) {
1098 ct_validation = 1;
dd696a55
RP		 1099 }
1100#endif
a4c4a7d5 1101#ifndef OPENSSL_NO_COMP
0f113f3e
MC		 1102 else if (strcmp(*argv, "-zlib") == 0) {
1103 comp = COMP_ZLIB;
0f113f3e
MC		 1104 }
1105#endif
817cd0d5 1106 else if (strcmp(*argv, "-app_verify") == 0) {
0f113f3e 1107 app_verify_arg.app_verify = 1;
0f113f3e 1108 }
2911575c 1109#ifndef OPENSSL_NO_NEXTPROTONEG
5a22cf96 1110 else if (strcmp(*argv, "-npn_client") == 0) {
0f113f3e
MC		 1111 npn_client = 1;
1112 } else if (strcmp(*argv, "-npn_server") == 0) {
1113 npn_server = 1;
1114 } else if (strcmp(*argv, "-npn_server_reject") == 0) {
1115 npn_server_reject = 1;
1116 }
1117#endif
1118 else if (strcmp(*argv, "-serverinfo_sct") == 0) {
1119 serverinfo_sct = 1;
1120 } else if (strcmp(*argv, "-serverinfo_tack") == 0) {
1121 serverinfo_tack = 1;
1122 } else if (strcmp(*argv, "-serverinfo_file") == 0) {
1123 if (--argc < 1)
1124 goto bad;
1125 serverinfo_file = *(++argv);
1126 } else if (strcmp(*argv, "-custom_ext") == 0) {
1127 custom_ext = 1;
1128 } else if (strcmp(*argv, "-alpn_client") == 0) {
1129 if (--argc < 1)
1130 goto bad;
1131 alpn_client = *(++argv);
817cd0d5
TS		 1132 } else if (strcmp(*argv, "-alpn_server") == 0 ||
1133 strcmp(*argv, "-alpn_server1") == 0) {
0f113f3e
MC		 1134 if (--argc < 1)
1135 goto bad;
1136 alpn_server = *(++argv);
817cd0d5
TS		 1137 } else if (strcmp(*argv, "-alpn_server2") == 0) {
1138 if (--argc < 1)
1139 goto bad;
1140 alpn_server2 = *(++argv);
0f113f3e
MC		 1141 } else if (strcmp(*argv, "-alpn_expected") == 0) {
1142 if (--argc < 1)
1143 goto bad;
1144 alpn_expected = *(++argv);
7946ab33
KR		 1145 } else if (strcmp(*argv, "-server_min_proto") == 0) {
1146 if (--argc < 1)
1147 goto bad;
1148 server_min_proto = *(++argv);
1149 } else if (strcmp(*argv, "-server_max_proto") == 0) {
1150 if (--argc < 1)
1151 goto bad;
1152 server_max_proto = *(++argv);
1153 } else if (strcmp(*argv, "-client_min_proto") == 0) {
1154 if (--argc < 1)
1155 goto bad;
1156 client_min_proto = *(++argv);
1157 } else if (strcmp(*argv, "-client_max_proto") == 0) {
1158 if (--argc < 1)
1159 goto bad;
1160 client_max_proto = *(++argv);
1161 } else if (strcmp(*argv, "-should_negotiate") == 0) {
1162 if (--argc < 1)
1163 goto bad;
1164 should_negotiate = *(++argv);
817cd0d5
TS		 1165 } else if (strcmp(*argv, "-sn_client") == 0) {
1166 if (--argc < 1)
1167 goto bad;
1168 sn_client = *(++argv);
1169 } else if (strcmp(*argv, "-sn_server1") == 0) {
1170 if (--argc < 1)
1171 goto bad;
1172 sn_server1 = *(++argv);
1173 } else if (strcmp(*argv, "-sn_server2") == 0) {
1174 if (--argc < 1)
1175 goto bad;
1176 sn_server2 = *(++argv);
1177 } else if (strcmp(*argv, "-sn_expect1") == 0) {
1178 sn_expect = 1;
1179 } else if (strcmp(*argv, "-sn_expect2") == 0) {
1180 sn_expect = 2;
b7dffce0
KR		 1181 } else if (strcmp(*argv, "-server_sess_out") == 0) {
1182 if (--argc < 1)
1183 goto bad;
1184 server_sess_out = *(++argv);
1185 } else if (strcmp(*argv, "-server_sess_in") == 0) {
1186 if (--argc < 1)
1187 goto bad;
1188 server_sess_in = *(++argv);
1189 } else if (strcmp(*argv, "-client_sess_out") == 0) {
1190 if (--argc < 1)
1191 goto bad;
1192 client_sess_out = *(++argv);
1193 } else if (strcmp(*argv, "-client_sess_in") == 0) {
1194 if (--argc < 1)
1195 goto bad;
1196 client_sess_in = *(++argv);
1197 } else if (strcmp(*argv, "-should_reuse") == 0) {
1198 if (--argc < 1)
1199 goto bad;
1200 should_reuse = !!atoi(*(++argv));
1201 } else if (strcmp(*argv, "-no_ticket") == 0) {
1202 no_ticket = 1;
8fff986d
BE		 1203 } else if (strcmp(*argv, "-client_ktls") == 0) {
1204 client_ktls = 1;
1205 } else if (strcmp(*argv, "-server_ktls") == 0) {
1206 server_ktls = 1;
63215d04
MC		 1207 } else if (strcmp(*argv, "-provider") == 0) {
1208 if (--argc < 1)
1209 goto bad;
1210 provider = *(++argv);
be9d82bb
MC		 1211 } else if (strcmp(*argv, "-config") == 0) {
1212 if (--argc < 1)
1213 goto bad;
1214 config = *(++argv);
0f113f3e
MC		 1215 } else {
1216 int rv;
1217 arg = argv[0];
1218 argn = argv[1];
1219 /* Try to process command using SSL_CONF */
1220 rv = SSL_CONF_cmd_argv(c_cctx, &argc, &argv);
1221 /* If not processed try server */
1222 if (rv == 0)
1223 rv = SSL_CONF_cmd_argv(s_cctx, &argc, &argv);
1224 /* Recognised: store it for later use */
1225 if (rv > 0) {
1226 if (rv == 1)
1227 argn = NULL;
1228 if (!conf_args) {
1229 conf_args = sk_OPENSSL_STRING_new_null();
1230 if (!conf_args)
1231 goto end;
1232 }
1233 if (!sk_OPENSSL_STRING_push(conf_args, arg))
1234 goto end;
1235 if (!sk_OPENSSL_STRING_push(conf_args, argn))
1236 goto end;
1237 continue;
1238 }
1239 if (rv == -3)
1240 BIO_printf(bio_err, "Missing argument for %s\n", arg);
1241 else if (rv < 0)
1242 BIO_printf(bio_err, "Error with command %s\n", arg);
1243 else if (rv == 0)
1244 BIO_printf(bio_err, "unknown option %s\n", arg);
1245 badop = 1;
1246 break;
1247 }
1248 argc--;
1249 argv++;
1250 }
1251 if (badop) {
1252 bad:
1253 sv_usage();
1254 goto end;
1255 }
1256
d71151ae
NT		 1257 if (ssl3 + tls1 + tls1_1 + tls1_2 + dtls + dtls1 + dtls12 > 1) {
1258 fprintf(stderr, "At most one of -ssl3, -tls1, -tls1_1, -tls1_2, -dtls, -dtls1 or -dtls12 should "
0f113f3e
MC		 1259 "be requested.\n");
1260 EXIT(1);
1261 }
1262
6b01bed2
VD		 1263#ifdef OPENSSL_NO_SSL3
1264 if (ssl3)
1265 no_protocol = 1;
1266 else
1267#endif
1268#ifdef OPENSSL_NO_TLS1
1269 if (tls1)
1270 no_protocol = 1;
1271 else
1272#endif
d71151ae
NT		 1273#ifdef OPENSSL_NO_TLS1_1
1274 if (tls1_1)
1275 no_protocol = 1;
1276 else
1277#endif
582a17d6
MC		 1278#ifdef OPENSSL_NO_TLS1_2
1279 if (tls1_2)
1280 no_protocol = 1;
1281 else
1282#endif
6b01bed2
VD		 1283#if defined(OPENSSL_NO_DTLS) || defined(OPENSSL_NO_DTLS1)
1284 if (dtls1)
1285 no_protocol = 1;
1286 else
1287#endif
1288#if defined(OPENSSL_NO_DTLS) || defined(OPENSSL_NO_DTLS1_2)
1289 if (dtls12)
1290 no_protocol = 1;
1291 else
1292#endif
1293 no_protocol = 0;
1294
0f113f3e
MC		 1295 /*
1296 * Testing was requested for a compiled-out protocol (e.g. SSLv3).
1297 * Ideally, we would error out, but the generic test wrapper can't know
1298 * when to expect failure. So we do nothing and return success.
1299 */
1300 if (no_protocol) {
1301 fprintf(stderr, "Testing was requested for a disabled protocol. "
1302 "Skipping tests.\n");
c2500f65 1303 ret = EXIT_SUCCESS;
0f113f3e
MC		 1304 goto end;
1305 }
1306
d71151ae 1307 if (!ssl3 && !tls1 && !tls1_1 && !tls1_2 && !dtls && !dtls1 && !dtls12 && number > 1
582a17d6 1308 && !reuse && !force) {
0f113f3e
MC		 1309 fprintf(stderr, "This case cannot work. Use -f to perform "
1310 "the test anyway (and\n-d to see what happens), "
d71151ae 1311 "or add one of -ssl3, -tls1, -tls1_1, -tls1_2, -dtls, -dtls1, -dtls12, -reuse\n"
0f113f3e
MC		 1312 "to avoid protocol mismatch.\n");
1313 EXIT(1);
1314 }
0f113f3e
MC		 1315
1316 if (print_time) {
598bd774 1317 if (bio_type == BIO_MEM) {
0f113f3e 1318 fprintf(stderr, "Using BIO pair (-bio_pair)\n");
75d5bd4e 1319 bio_type = BIO_PAIR;
0f113f3e
MC		 1320 }
1321 if (number < 50 && !force)
1322 fprintf(stderr,
1323 "Warning: For accurate timings, use more connections (e.g. -num 1000)\n");
1324 }
1325
09b6c2ef 1326#ifndef OPENSSL_NO_COMP
0f113f3e
MC		 1327 if (comp == COMP_ZLIB)
1328 cm = COMP_zlib();
0f113f3e 1329 if (cm != NULL) {
7e3cacac
TS		 1330 if (SSL_COMP_add_compression_method(comp, cm) != 0) {
1331 fprintf(stderr, "Failed to add compression method\n");
0f113f3e
MC		 1332 ERR_print_errors_fp(stderr);
1333 }
7e3cacac
TS		 1334 } else {
1335 fprintf(stderr,
1336 "Warning: %s compression not supported\n",
1337 comp == COMP_ZLIB ? "zlib" : "unknown");
1338 ERR_print_errors_fp(stderr);
0f113f3e
MC		 1339 }
1340 ssl_comp_methods = SSL_COMP_get_compression_methods();
3dca57f8
RS		 1341 n = sk_SSL_COMP_num(ssl_comp_methods);
1342 if (n) {
1343 int j;
1344 printf("Available compression methods:");
1345 for (j = 0; j < n; j++) {
1346 SSL_COMP *c = sk_SSL_COMP_value(ssl_comp_methods, j);
e304d3e2 1347 printf(" %s:%d", SSL_COMP_get0_name(c), SSL_COMP_get_id(c));
22ebaae0 1348 }
3dca57f8 1349 printf("\n");
0f113f3e
MC		 1350 }
1351#endif
1352
0d5301af
KR		 1353#ifndef OPENSSL_NO_TLS
1354 meth = TLS_method();
1355 if (ssl3) {
1356 min_version = SSL3_VERSION;
1357 max_version = SSL3_VERSION;
1358 } else if (tls1) {
1359 min_version = TLS1_VERSION;
1360 max_version = TLS1_VERSION;
d71151ae
NT		 1361 } else if (tls1_1) {
1362 min_version = TLS1_1_VERSION;
1363 max_version = TLS1_1_VERSION;
582a17d6
MC		 1364 } else if (tls1_2) {
1365 min_version = TLS1_2_VERSION;
1366 max_version = TLS1_2_VERSION;
7d7f6834 1367 } else {
5c587fb6 1368 min_version = 0;
a763ca11
MC		 1369# if defined(OPENSSL_NO_EC) && defined(OPENSSL_NO_DH)
1370 /* We only have ec and dh based built-in groups for TLSv1.3 */
1371 max_version = TLS1_2_VERSION;
1372# else
5c587fb6 1373 max_version = 0;
a763ca11 1374# endif
0d5301af 1375 }
6b01bed2 1376#endif
0d5301af 1377#ifndef OPENSSL_NO_DTLS
7d7f6834 1378 if (dtls || dtls1 || dtls12) {
7946ab33 1379 meth = DTLS_method();
7d7f6834
RL		 1380 if (dtls1) {
1381 min_version = DTLS1_VERSION;
1382 max_version = DTLS1_VERSION;
1383 } else if (dtls12) {
1384 min_version = DTLS1_2_VERSION;
1385 max_version = DTLS1_2_VERSION;
1386 } else {
5c587fb6
KR		 1387 min_version = 0;
1388 max_version = 0;
7d7f6834 1389 }
0d5301af 1390 }
6b01bed2 1391#endif
0f113f3e 1392
bca7ad6e
DDO		 1393 if (provider != NULL
1394 && !test_get_libctx(&libctx, &defctxnull, config, &thisprov, provider))
1395 goto end;
63215d04 1396
d8652be0
MC		 1397 c_ctx = SSL_CTX_new_ex(libctx, NULL, meth);
1398 s_ctx = SSL_CTX_new_ex(libctx, NULL, meth);
1399 s_ctx2 = SSL_CTX_new_ex(libctx, NULL, meth); /* no SSL_CTX_dup! */
817cd0d5 1400 if ((c_ctx == NULL) || (s_ctx == NULL) || (s_ctx2 == NULL)) {
0f113f3e
MC		 1401 ERR_print_errors(bio_err);
1402 goto end;
1403 }
1404 /*
1405 * Since we will use low security ciphersuites and keys for testing set
15a06488
EK		 1406 * security level to zero by default. Tests can override this by adding
1407 * "@SECLEVEL=n" to the cipher string.
0f113f3e
MC		 1408 */
1409 SSL_CTX_set_security_level(c_ctx, 0);
1410 SSL_CTX_set_security_level(s_ctx, 0);
817cd0d5 1411 SSL_CTX_set_security_level(s_ctx2, 0);
0f113f3e 1412
b7dffce0
KR		 1413 if (no_ticket) {
1414 SSL_CTX_set_options(c_ctx, SSL_OP_NO_TICKET);
1415 SSL_CTX_set_options(s_ctx, SSL_OP_NO_TICKET);
1416 }
1417
0d5301af
KR		 1418 if (SSL_CTX_set_min_proto_version(c_ctx, min_version) == 0)
1419 goto end;
1420 if (SSL_CTX_set_max_proto_version(c_ctx, max_version) == 0)
1421 goto end;
1422 if (SSL_CTX_set_min_proto_version(s_ctx, min_version) == 0)
1423 goto end;
1424 if (SSL_CTX_set_max_proto_version(s_ctx, max_version) == 0)
1425 goto end;
1426
0f113f3e 1427 if (cipher != NULL) {
3c83c5ba
SR		 1428 if (strcmp(cipher, "") == 0) {
1429 if (!SSL_CTX_set_cipher_list(c_ctx, cipher)) {
1430 if (ERR_GET_REASON(ERR_peek_error()) == SSL_R_NO_CIPHER_MATCH) {
1431 ERR_clear_error();
1432 } else {
1433 ERR_print_errors(bio_err);
1434 goto end;
1435 }
1436 } else {
1437 /* Should have failed when clearing all TLSv1.2 ciphers. */
1438 fprintf(stderr, "CLEARING ALL TLSv1.2 CIPHERS SHOULD FAIL\n");
1439 goto end;
1440 }
1441
1442 if (!SSL_CTX_set_cipher_list(s_ctx, cipher)) {
1443 if (ERR_GET_REASON(ERR_peek_error()) == SSL_R_NO_CIPHER_MATCH) {
1444 ERR_clear_error();
1445 } else {
1446 ERR_print_errors(bio_err);
1447 goto end;
1448 }
1449 } else {
1450 /* Should have failed when clearing all TLSv1.2 ciphers. */
1451 fprintf(stderr, "CLEARING ALL TLSv1.2 CIPHERS SHOULD FAIL\n");
1452 goto end;
1453 }
1454
1455 if (!SSL_CTX_set_cipher_list(s_ctx2, cipher)) {
1456 if (ERR_GET_REASON(ERR_peek_error()) == SSL_R_NO_CIPHER_MATCH) {
1457 ERR_clear_error();
1458 } else {
1459 ERR_print_errors(bio_err);
1460 goto end;
1461 }
1462 } else {
1463 /* Should have failed when clearing all TLSv1.2 ciphers. */
1464 fprintf(stderr, "CLEARING ALL TLSv1.2 CIPHERS SHOULD FAIL\n");
1465 goto end;
1466 }
1467 } else {
1468 if (!SSL_CTX_set_cipher_list(c_ctx, cipher)
1469 || !SSL_CTX_set_cipher_list(s_ctx, cipher)
1470 || !SSL_CTX_set_cipher_list(s_ctx2, cipher)) {
1471 ERR_print_errors(bio_err);
1472 goto end;
1473 }
f865b081
MC		 1474 }
1475 }
1476 if (ciphersuites != NULL) {
1477 if (!SSL_CTX_set_ciphersuites(c_ctx, ciphersuites)
1478 || !SSL_CTX_set_ciphersuites(s_ctx, ciphersuites)
1479 || !SSL_CTX_set_ciphersuites(s_ctx2, ciphersuites)) {
1480 ERR_print_errors(bio_err);
69f68237
MC		 1481 goto end;
1482 }
0f113f3e
MC		 1483 }
1484
dd696a55 1485#ifndef OPENSSL_NO_CT
43341433
VD		 1486 if (ct_validation &&
1487 !SSL_CTX_enable_ct(c_ctx, SSL_CT_VALIDATION_STRICT)) {
dd696a55
RP		 1488 ERR_print_errors(bio_err);
1489 goto end;
1490 }
1491#endif
1492
0f113f3e
MC		 1493 /* Process SSL_CONF arguments */
1494 SSL_CONF_CTX_set_ssl_ctx(c_cctx, c_ctx);
1495 SSL_CONF_CTX_set_ssl_ctx(s_cctx, s_ctx);
817cd0d5 1496 SSL_CONF_CTX_set_ssl_ctx(s_cctx2, s_ctx2);
0f113f3e
MC		 1497
1498 for (i = 0; i < sk_OPENSSL_STRING_num(conf_args); i += 2) {
1499 int rv;
1500 arg = sk_OPENSSL_STRING_value(conf_args, i);
1501 argn = sk_OPENSSL_STRING_value(conf_args, i + 1);
1502 rv = SSL_CONF_cmd(c_cctx, arg, argn);
1503 /* If not recognised use server context */
817cd0d5 1504 if (rv == -2) {
b2d6aed4
MC		 1505 rv = SSL_CONF_cmd(s_cctx2, arg, argn);
1506 if (rv > 0)
1507 rv = SSL_CONF_cmd(s_cctx, arg, argn);
817cd0d5 1508 }
0f113f3e
MC		 1509 if (rv <= 0) {
1510 BIO_printf(bio_err, "Error processing %s %s\n",
1511 arg, argn ? argn : "");
1512 ERR_print_errors(bio_err);
1513 goto end;
1514 }
1515 }
1516
817cd0d5 1517 if (!SSL_CONF_CTX_finish(s_cctx) || !SSL_CONF_CTX_finish(c_cctx) || !SSL_CONF_CTX_finish(s_cctx2)) {
0f113f3e
MC		 1518 BIO_puts(bio_err, "Error finishing context\n");
1519 ERR_print_errors(bio_err);
1520 goto end;
1521 }
5658470c 1522#ifndef OPENSSL_NO_DH
0f113f3e 1523 if (!no_dhe) {
6955e3f7 1524 if (dhe1024dsa)
d3d2c0dc 1525 dhpkey = get_dh1024dsa(libctx);
6955e3f7 1526 else if (dhe512)
d3d2c0dc 1527 dhpkey = get_dh512(libctx);
d71151ae
NT		 1528 else if (dhe4096)
1529 dhpkey = get_dh4096(libctx);
e8356e32 1530 else
6955e3f7
MC		 1531 dhpkey = get_dh2048(libctx);
1532
d3d2c0dc
MC		 1533 if (dhpkey == NULL || !EVP_PKEY_up_ref(dhpkey)) {
1534 EVP_PKEY_free(dhpkey);
1535 BIO_puts(bio_err, "Error getting DH parameters\n");
1536 ERR_print_errors(bio_err);
1537 goto end;
1538 }
21f0b80c
BE		 1539 if (!SSL_CTX_set0_tmp_dh_pkey(s_ctx, dhpkey))
1540 EVP_PKEY_free(dhpkey);
1541 if (!SSL_CTX_set0_tmp_dh_pkey(s_ctx2, dhpkey))
1542 EVP_PKEY_free(dhpkey);
0f113f3e 1543 }
5658470c 1544#endif
58964a49 1545
573e4bf0
RL		 1546 if (!(SSL_CTX_load_verify_file(s_ctx, CAfile)
1547 || SSL_CTX_load_verify_dir(s_ctx, CApath))
1548 || !SSL_CTX_set_default_verify_paths(s_ctx)
1549 || !(SSL_CTX_load_verify_file(s_ctx2, CAfile)
1550 || SSL_CTX_load_verify_dir(s_ctx2, CApath))
1551 || !SSL_CTX_set_default_verify_paths(s_ctx2)
1552 || !(SSL_CTX_load_verify_file(c_ctx, CAfile)
1553 || SSL_CTX_load_verify_dir(c_ctx, CApath))
1554 || !SSL_CTX_set_default_verify_paths(c_ctx)) {
0f113f3e 1555 ERR_print_errors(bio_err);
0f113f3e
MC		 1556 }
1557
b5369582 1558#ifndef OPENSSL_NO_CT
dd696a55 1559 if (!SSL_CTX_set_default_ctlog_list_file(s_ctx) ||
817cd0d5 1560 !SSL_CTX_set_default_ctlog_list_file(s_ctx2) ||
dd696a55
RP		 1561 !SSL_CTX_set_default_ctlog_list_file(c_ctx)) {
1562 ERR_print_errors(bio_err);
1563 }
b5369582 1564#endif
dd696a55 1565
0f113f3e 1566 if (client_auth) {
3dca57f8 1567 printf("client authentication\n");
0f113f3e
MC		 1568 SSL_CTX_set_verify(s_ctx,
1569 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
1570 verify_callback);
817cd0d5
TS		 1571 SSL_CTX_set_verify(s_ctx2,
1572 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
1573 verify_callback);
0f113f3e
MC		 1574 SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback,
1575 &app_verify_arg);
817cd0d5
TS		 1576 SSL_CTX_set_cert_verify_callback(s_ctx2, app_verify_callback,
1577 &app_verify_arg);
0f113f3e
MC		 1578 }
1579 if (server_auth) {
3dca57f8 1580 printf("server authentication\n");
0f113f3e
MC		 1581 SSL_CTX_set_verify(c_ctx, SSL_VERIFY_PEER, verify_callback);
1582 SSL_CTX_set_cert_verify_callback(c_ctx, app_verify_callback,
1583 &app_verify_arg);
1584 }
1585
1586 {
1587 int session_id_context = 0;
61986d32 1588 if (!SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context,
cbe29648 1589 sizeof(session_id_context)) ||
817cd0d5 1590 !SSL_CTX_set_session_id_context(s_ctx2, (void *)&session_id_context,
cbe29648 1591 sizeof(session_id_context))) {
69f68237
MC		 1592 ERR_print_errors(bio_err);
1593 goto end;
1594 }
0f113f3e
MC		 1595 }
1596
1597 /* Use PSK only if PSK key is given */
1598 if (psk_key != NULL) {
1599 /*
1600 * no_psk is used to avoid putting psk command to openssl tool
1601 */
1602 if (no_psk) {
1603 /*
1604 * if PSK is not compiled in and psk key is given, do nothing and
1605 * exit successfully
1606 */
c2500f65 1607 ret = EXIT_SUCCESS;
0f113f3e
MC		 1608 goto end;
1609 }
ddac1974 1610#ifndef OPENSSL_NO_PSK
0f113f3e
MC		 1611 SSL_CTX_set_psk_client_callback(c_ctx, psk_client_callback);
1612 SSL_CTX_set_psk_server_callback(s_ctx, psk_server_callback);
817cd0d5 1613 SSL_CTX_set_psk_server_callback(s_ctx2, psk_server_callback);
0f113f3e
MC		 1614 if (debug)
1615 BIO_printf(bio_err, "setting PSK identity hint to s_ctx\n");
817cd0d5
TS		 1616 if (!SSL_CTX_use_psk_identity_hint(s_ctx, "ctx server identity_hint") ||
1617 !SSL_CTX_use_psk_identity_hint(s_ctx2, "ctx server identity_hint")) {
0f113f3e
MC		 1618 BIO_printf(bio_err, "error setting PSK identity hint to s_ctx\n");
1619 ERR_print_errors(bio_err);
1620 goto end;
1621 }
1622#endif
1623 }
ddac1974 1624
2911575c 1625#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e
MC		 1626 if (npn_client) {
1627 SSL_CTX_set_next_proto_select_cb(c_ctx, cb_client_npn, NULL);
1628 }
1629 if (npn_server) {
1630 if (npn_server_reject) {
1631 BIO_printf(bio_err,
1632 "Can't have both -npn_server and -npn_server_reject\n");
1633 goto end;
1634 }
aff8c126
RS		 1635 SSL_CTX_set_npn_advertised_cb(s_ctx, cb_server_npn, NULL);
1636 SSL_CTX_set_npn_advertised_cb(s_ctx2, cb_server_npn, NULL);
0f113f3e
MC		 1637 }
1638 if (npn_server_reject) {
aff8c126
RS		 1639 SSL_CTX_set_npn_advertised_cb(s_ctx, cb_server_rejects_npn, NULL);
1640 SSL_CTX_set_npn_advertised_cb(s_ctx2, cb_server_rejects_npn, NULL);
0f113f3e
MC		 1641 }
1642#endif
1643
69f68237 1644 if (serverinfo_sct) {
dd696a55
RP		 1645 if (!SSL_CTX_add_client_custom_ext(c_ctx,
1646 TLSEXT_TYPE_signed_certificate_timestamp,
1647 NULL, NULL, NULL,
1648 serverinfo_cli_parse_cb, NULL)) {
69f68237
MC		 1649 BIO_printf(bio_err, "Error adding SCT extension\n");
1650 goto end;
1651 }
1652 }
1653 if (serverinfo_tack) {
61986d32 1654 if (!SSL_CTX_add_client_custom_ext(c_ctx, TACK_EXT_TYPE,
0f113f3e 1655 NULL, NULL, NULL,
69f68237
MC		 1656 serverinfo_cli_parse_cb, NULL)) {
1657 BIO_printf(bio_err, "Error adding TACK extension\n");
1658 goto end;
1659 }
1660 }
0f113f3e 1661 if (serverinfo_file)
817cd0d5
TS		 1662 if (!SSL_CTX_use_serverinfo_file(s_ctx, serverinfo_file) ||
1663 !SSL_CTX_use_serverinfo_file(s_ctx2, serverinfo_file)) {
0f113f3e
MC		 1664 BIO_printf(bio_err, "missing serverinfo file\n");
1665 goto end;
1666 }
1667
1668 if (custom_ext) {
61986d32 1669 if (!SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_0,
0f113f3e
MC		 1670 custom_ext_0_cli_add_cb,
1671 NULL, NULL,
69f68237 1672 custom_ext_0_cli_parse_cb, NULL)
61986d32 1673 || !SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_1,
0f113f3e
MC		 1674 custom_ext_1_cli_add_cb,
1675 NULL, NULL,
69f68237 1676 custom_ext_1_cli_parse_cb, NULL)
61986d32 1677 || !SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_2,
0f113f3e
MC		 1678 custom_ext_2_cli_add_cb,
1679 NULL, NULL,
69f68237 1680 custom_ext_2_cli_parse_cb, NULL)
61986d32 1681 || !SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_3,
0f113f3e
MC		 1682 custom_ext_3_cli_add_cb,
1683 NULL, NULL,
69f68237 1684 custom_ext_3_cli_parse_cb, NULL)
61986d32 1685 || !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_0,
0f113f3e
MC		 1686 custom_ext_0_srv_add_cb,
1687 NULL, NULL,
69f68237 1688 custom_ext_0_srv_parse_cb, NULL)
817cd0d5
TS		 1689 || !SSL_CTX_add_server_custom_ext(s_ctx2, CUSTOM_EXT_TYPE_0,
1690 custom_ext_0_srv_add_cb,
1691 NULL, NULL,
1692 custom_ext_0_srv_parse_cb, NULL)
61986d32 1693 || !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_1,
0f113f3e
MC		 1694 custom_ext_1_srv_add_cb,
1695 NULL, NULL,
69f68237 1696 custom_ext_1_srv_parse_cb, NULL)
817cd0d5
TS		 1697 || !SSL_CTX_add_server_custom_ext(s_ctx2, CUSTOM_EXT_TYPE_1,
1698 custom_ext_1_srv_add_cb,
1699 NULL, NULL,
1700 custom_ext_1_srv_parse_cb, NULL)
61986d32 1701 || !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_2,
0f113f3e
MC		 1702 custom_ext_2_srv_add_cb,
1703 NULL, NULL,
69f68237 1704 custom_ext_2_srv_parse_cb, NULL)
817cd0d5
TS		 1705 || !SSL_CTX_add_server_custom_ext(s_ctx2, CUSTOM_EXT_TYPE_2,
1706 custom_ext_2_srv_add_cb,
1707 NULL, NULL,
1708 custom_ext_2_srv_parse_cb, NULL)
61986d32 1709 || !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_3,
817cd0d5
TS		 1710 custom_ext_3_srv_add_cb,
1711 NULL, NULL,
1712 custom_ext_3_srv_parse_cb, NULL)
1713 || !SSL_CTX_add_server_custom_ext(s_ctx2, CUSTOM_EXT_TYPE_3,
0f113f3e
MC		 1714 custom_ext_3_srv_add_cb,
1715 NULL, NULL,
69f68237
MC		 1716 custom_ext_3_srv_parse_cb, NULL)) {
1717 BIO_printf(bio_err, "Error setting custom extensions\n");
1718 goto end;
1719 }
0f113f3e
MC		 1720 }
1721
1722 if (alpn_server)
817cd0d5
TS		 1723 SSL_CTX_set_alpn_select_cb(s_ctx, cb_server_alpn, alpn_server);
1724 if (alpn_server2)
1725 SSL_CTX_set_alpn_select_cb(s_ctx2, cb_server_alpn, alpn_server2);
0f113f3e
MC		 1726
1727 if (alpn_client) {
817cd0d5 1728 size_t alpn_len;
0f113f3e
MC		 1729 unsigned char *alpn = next_protos_parse(&alpn_len, alpn_client);
1730
1731 if (alpn == NULL) {
1732 BIO_printf(bio_err, "Error parsing -alpn_client argument\n");
1733 goto end;
1734 }
69f68237 1735 /* Returns 0 on success!! */
61986d32 1736 if (SSL_CTX_set_alpn_protos(c_ctx, alpn, alpn_len)) {
69f68237
MC		 1737 BIO_printf(bio_err, "Error setting ALPN\n");
1738 OPENSSL_free(alpn);
1739 goto end;
1740 }
0f113f3e
MC		 1741 OPENSSL_free(alpn);
1742 }
1743
b7dffce0
KR		 1744 if (server_sess_in != NULL) {
1745 server_sess = read_session(server_sess_in);
1746 if (server_sess == NULL)
1747 goto end;
1748 }
1749 if (client_sess_in != NULL) {
1750 client_sess = read_session(client_sess_in);
1751 if (client_sess == NULL)
1752 goto end;
1753 }
1754
1755 if (server_sess_out != NULL || server_sess_in != NULL) {
1756 char *keys;
1757 long size;
1758
1759 /* Use a fixed key so that we can decrypt the ticket. */
1760 size = SSL_CTX_set_tlsext_ticket_keys(s_ctx, NULL, 0);
1761 keys = OPENSSL_zalloc(size);
4f4942a1
JJ		 1762 if (keys == NULL)
1763 goto end;
b7dffce0
KR		 1764 SSL_CTX_set_tlsext_ticket_keys(s_ctx, keys, size);
1765 OPENSSL_free(keys);
1766 }
1767
817cd0d5
TS		 1768 if (sn_server1 != NULL || sn_server2 != NULL)
1769 SSL_CTX_set_tlsext_servername_callback(s_ctx, servername_cb);
1770
0f113f3e
MC		 1771 c_ssl = SSL_new(c_ctx);
1772 s_ssl = SSL_new(s_ctx);
42772df5
TS		 1773 if (c_ssl == NULL || s_ssl == NULL)
1774 goto end;
58964a49 1775
817cd0d5
TS		 1776 if (sn_client)
1777 SSL_set_tlsext_host_name(c_ssl, sn_client);
8fff986d
BE		 1778 if (client_ktls)
1779 SSL_set_options(c_ssl, SSL_OP_ENABLE_KTLS);
1780 if (server_ktls)
1781 SSL_set_options(s_ssl, SSL_OP_ENABLE_KTLS);
817cd0d5 1782
7946ab33
KR		 1783 if (!set_protocol_version(server_min_proto, s_ssl, SSL_CTRL_SET_MIN_PROTO_VERSION))
1784 goto end;
1785 if (!set_protocol_version(server_max_proto, s_ssl, SSL_CTRL_SET_MAX_PROTO_VERSION))
1786 goto end;
1787 if (!set_protocol_version(client_min_proto, c_ssl, SSL_CTRL_SET_MIN_PROTO_VERSION))
1788 goto end;
1789 if (!set_protocol_version(client_max_proto, c_ssl, SSL_CTRL_SET_MAX_PROTO_VERSION))
1790 goto end;
1791
b7dffce0
KR		 1792 if (server_sess) {
1793 if (SSL_CTX_add_session(s_ctx, server_sess) == 0) {
1794 BIO_printf(bio_err, "Can't add server session\n");
1795 ERR_print_errors(bio_err);
1796 goto end;
1797 }
1798 }
1799
3dca57f8 1800 BIO_printf(bio_stdout, "Doing handshakes=%d bytes=%ld\n", number, bytes);
0f113f3e 1801 for (i = 0; i < number; i++) {
69f68237 1802 if (!reuse) {
61986d32 1803 if (!SSL_set_session(c_ssl, NULL)) {
69f68237
MC		 1804 BIO_printf(bio_err, "Failed to set session\n");
1805 goto end;
1806 }
1807 }
b7dffce0
KR		 1808 if (client_sess_in != NULL) {
1809 if (SSL_set_session(c_ssl, client_sess) == 0) {
1810 BIO_printf(bio_err, "Can't set client session\n");
1811 ERR_print_errors(bio_err);
1812 goto end;
1813 }
1814 }
75d5bd4e
RL		 1815 switch (bio_type) {
1816 case BIO_MEM:
0f113f3e 1817 ret = doit(s_ssl, c_ssl, bytes);
75d5bd4e
RL		 1818 break;
1819 case BIO_PAIR:
1820 ret = doit_biopair(s_ssl, c_ssl, bytes, &s_time, &c_time);
1821 break;
f9e55034 1822#ifndef OPENSSL_NO_SOCK
75d5bd4e
RL		 1823 case BIO_IPV4:
1824 ret = doit_localhost(s_ssl, c_ssl, BIO_FAMILY_IPV4,
1825 bytes, &s_time, &c_time);
1826 break;
1827 case BIO_IPV6:
1828 ret = doit_localhost(s_ssl, c_ssl, BIO_FAMILY_IPV6,
1829 bytes, &s_time, &c_time);
1830 break;
f9e55034
MC		 1831#else
1832 case BIO_IPV4:
1833 case BIO_IPV6:
c2500f65 1834 ret = EXIT_FAILURE;
42772df5 1835 goto end;
f9e55034 1836#endif
75d5bd4e 1837 }
42772df5
TS		 1838 if (ret != EXIT_SUCCESS)
1839 break;
0f113f3e
MC		 1840 }
1841
c2500f65 1842 if (should_negotiate && ret == EXIT_SUCCESS &&
7946ab33
KR		 1843 strcmp(should_negotiate, "fail-server") != 0 &&
1844 strcmp(should_negotiate, "fail-client") != 0) {
1845 int version = protocol_from_string(should_negotiate);
1846 if (version < 0) {
1847 BIO_printf(bio_err, "Error parsing: %s\n", should_negotiate);
c2500f65 1848 ret = EXIT_FAILURE;
42772df5 1849 goto end;
7946ab33
KR		 1850 }
1851 if (SSL_version(c_ssl) != version) {
69687aa8 1852 BIO_printf(bio_err, "Unexpected version negotiated. "
7946ab33 1853 "Expected: %s, got %s\n", should_negotiate, SSL_get_version(c_ssl));
c2500f65 1854 ret = EXIT_FAILURE;
42772df5 1855 goto end;
7946ab33
KR		 1856 }
1857 }
1858
b7dffce0
KR		 1859 if (should_reuse != -1) {
1860 if (SSL_session_reused(s_ssl) != should_reuse ||
1861 SSL_session_reused(c_ssl) != should_reuse) {
1862 BIO_printf(bio_err, "Unexpected session reuse state. "
1863 "Expected: %d, server: %d, client: %d\n", should_reuse,
1864 SSL_session_reused(s_ssl), SSL_session_reused(c_ssl));
c2500f65 1865 ret = EXIT_FAILURE;
42772df5 1866 goto end;
b7dffce0
KR		 1867 }
1868 }
1869
1870 if (server_sess_out != NULL) {
1871 if (write_session(server_sess_out, SSL_get_session(s_ssl)) == 0) {
c2500f65 1872 ret = EXIT_FAILURE;
42772df5 1873 goto end;
b7dffce0
KR		 1874 }
1875 }
1876 if (client_sess_out != NULL) {
1877 if (write_session(client_sess_out, SSL_get_session(c_ssl)) == 0) {
c2500f65 1878 ret = EXIT_FAILURE;
42772df5 1879 goto end;
b7dffce0
KR		 1880 }
1881 }
1882
0f113f3e
MC		 1883 if (!verbose) {
1884 print_details(c_ssl, "");
1885 }
0f113f3e 1886 if (print_time) {
617d71bc 1887#ifdef CLOCKS_PER_SEC
0f113f3e
MC		 1888 /*
1889 * "To determine the time in seconds, the value returned by the clock
1890 * function should be divided by the value of the macro
1891 * CLOCKS_PER_SEC." -- ISO/IEC 9899
1892 */
1893 BIO_printf(bio_stdout, "Approximate total server time: %6.2f s\n"
1894 "Approximate total client time: %6.2f s\n",
1895 (double)s_time / CLOCKS_PER_SEC,
1896 (double)c_time / CLOCKS_PER_SEC);
617d71bc 1897#else
0f113f3e
MC		 1898 BIO_printf(bio_stdout,
1899 "Approximate total server time: %6.2f units\n"
1900 "Approximate total client time: %6.2f units\n",
1901 (double)s_time, (double)c_time);
617d71bc 1902#endif
0f113f3e 1903 }
58964a49 1904
42772df5 1905 end:
0f113f3e
MC		 1906 SSL_free(s_ssl);
1907 SSL_free(c_ssl);
62adbcee 1908 SSL_CTX_free(s_ctx);
817cd0d5 1909 SSL_CTX_free(s_ctx2);
62adbcee 1910 SSL_CTX_free(c_ctx);
62adbcee 1911 SSL_CONF_CTX_free(s_cctx);
817cd0d5 1912 SSL_CONF_CTX_free(s_cctx2);
62adbcee 1913 SSL_CONF_CTX_free(c_cctx);
0f113f3e 1914 sk_OPENSSL_STRING_free(conf_args);
de94222d 1915
ca3a82c3 1916 BIO_free(bio_stdout);
d02b48c6 1917
b7dffce0
KR		 1918 SSL_SESSION_free(server_sess);
1919 SSL_SESSION_free(client_sess);
1920
63215d04
MC		 1921 OSSL_PROVIDER_unload(defctxnull);
1922 OSSL_PROVIDER_unload(thisprov);
b4250010 1923 OSSL_LIB_CTX_free(libctx);
63215d04 1924
ca3a82c3 1925 BIO_free(bio_err);
0f113f3e 1926 EXIT(ret);
0f113f3e 1927}
d02b48c6 1928
f9e55034 1929#ifndef OPENSSL_NO_SOCK
75d5bd4e
RL		 1930int doit_localhost(SSL *s_ssl, SSL *c_ssl, int family, long count,
1931 clock_t *s_time, clock_t *c_time)
1932{
1933 long cw_num = count, cr_num = count, sw_num = count, sr_num = count;
1934 BIO *s_ssl_bio = NULL, *c_ssl_bio = NULL;
1935 BIO *acpt = NULL, *server = NULL, *client = NULL;
1936 char addr_str[40];
c2500f65 1937 int ret = EXIT_FAILURE;
75d5bd4e
RL		 1938 int err_in_client = 0;
1939 int err_in_server = 0;
1940
de5b3a86
AP		 1941 acpt = BIO_new_accept(family == BIO_FAMILY_IPV4 ? "127.0.0.1:0"
1942 : "[::1]:0");
75d5bd4e
RL		 1943 if (acpt == NULL)
1944 goto err;
1945 BIO_set_accept_ip_family(acpt, family);
1946 BIO_set_bind_mode(acpt, BIO_SOCK_NONBLOCK | BIO_SOCK_REUSEADDR);
1947 if (BIO_do_accept(acpt) <= 0)
1948 goto err;
1949
6339ece1 1950 BIO_snprintf(addr_str, sizeof(addr_str), ":%s", BIO_get_accept_port(acpt));
75d5bd4e
RL		 1951
1952 client = BIO_new_connect(addr_str);
75d5bd4e
RL		 1953 if (!client)
1954 goto err;
8c590a21 1955 BIO_set_conn_ip_family(client, family);
75d5bd4e
RL		 1956
1957 if (BIO_set_nbio(client, 1) <= 0)
1958 goto err;
1959 if (BIO_set_nbio(acpt, 1) <= 0)
1960 goto err;
1961
1962 {
1963 int st_connect = 0, st_accept = 0;
1964
1287dabd 1965 while (!st_connect || !st_accept) {
75d5bd4e
RL		 1966 if (!st_connect) {
1967 if (BIO_do_connect(client) <= 0) {
1968 if (!BIO_should_retry(client))
1969 goto err;
1970 } else {
1971 st_connect = 1;
1972 }
1973 }
1974 if (!st_accept) {
1975 if (BIO_do_accept(acpt) <= 0) {
1976 if (!BIO_should_retry(acpt))
1977 goto err;
1978 } else {
1979 st_accept = 1;
1980 }
1981 }
1982 }
1983 }
1984 /* We're not interested in accepting further connects */
1985 server = BIO_pop(acpt);
1986 BIO_free_all(acpt);
1987 acpt = NULL;
1988
1989 s_ssl_bio = BIO_new(BIO_f_ssl());
1990 if (!s_ssl_bio)
1991 goto err;
1992
1993 c_ssl_bio = BIO_new(BIO_f_ssl());
1994 if (!c_ssl_bio)
1995 goto err;
1996
1997 SSL_set_connect_state(c_ssl);
1998 SSL_set_bio(c_ssl, client, client);
1999 (void)BIO_set_ssl(c_ssl_bio, c_ssl, BIO_NOCLOSE);
2000
2001 SSL_set_accept_state(s_ssl);
2002 SSL_set_bio(s_ssl, server, server);
2003 (void)BIO_set_ssl(s_ssl_bio, s_ssl, BIO_NOCLOSE);
2004
2005 do {
2006 /*-
2007 * c_ssl_bio: SSL filter BIO
2008 *
2009 * client: I/O for SSL library
2010 *
2011 *
2012 * server: I/O for SSL library
2013 *
2014 * s_ssl_bio: SSL filter BIO
2015 */
2016
2017 /*
2018 * We have non-blocking behaviour throughout this test program, but
2019 * can be sure that there is *some* progress in each iteration; so we
2020 * don't have to worry about ..._SHOULD_READ or ..._SHOULD_WRITE --
2021 * we just try everything in each iteration
2022 */
2023
2024 {
2025 /* CLIENT */
2026
2027 char cbuf[1024 * 8];
2028 int i, r;
2029 clock_t c_clock = clock();
2030
2031 memset(cbuf, 0, sizeof(cbuf));
2032
2033 if (debug)
2034 if (SSL_in_init(c_ssl))
2035 printf("client waiting in SSL_connect - %s\n",
2036 SSL_state_string_long(c_ssl));
2037
2038 if (cw_num > 0) {
2039 /* Write to server. */
2040
cbe29648
RS		 2041 if (cw_num > (long)sizeof(cbuf))
2042 i = sizeof(cbuf);
75d5bd4e
RL		 2043 else
2044 i = (int)cw_num;
2045 r = BIO_write(c_ssl_bio, cbuf, i);
2046 if (r < 0) {
2047 if (!BIO_should_retry(c_ssl_bio)) {
598bd774 2048 fprintf(stderr, "ERROR in CLIENT (write)\n");
75d5bd4e
RL		 2049 err_in_client = 1;
2050 goto err;
2051 }
2052 /*
2053 * BIO_should_retry(...) can just be ignored here. The
2054 * library expects us to call BIO_write with the same
2055 * arguments again, and that's what we will do in the
2056 * next iteration.
2057 */
2058 } else if (r == 0) {
2059 fprintf(stderr, "SSL CLIENT STARTUP FAILED\n");
2060 goto err;
2061 } else {
2062 if (debug)
2063 printf("client wrote %d\n", r);
2064 cw_num -= r;
2065 }
2066 }
2067
2068 if (cr_num > 0) {
2069 /* Read from server. */
2070
2071 r = BIO_read(c_ssl_bio, cbuf, sizeof(cbuf));
2072 if (r < 0) {
2073 if (!BIO_should_retry(c_ssl_bio)) {
598bd774 2074 fprintf(stderr, "ERROR in CLIENT (read)\n");
75d5bd4e
RL		 2075 err_in_client = 1;
2076 goto err;
2077 }
2078 /*
2079 * Again, "BIO_should_retry" can be ignored.
2080 */
2081 } else if (r == 0) {
2082 fprintf(stderr, "SSL CLIENT STARTUP FAILED\n");
2083 goto err;
2084 } else {
2085 if (debug)
2086 printf("client read %d\n", r);
2087 cr_num -= r;
2088 }
2089 }
2090
2091 /*
2092 * c_time and s_time increments will typically be very small
2093 * (depending on machine speed and clock tick intervals), but
2094 * sampling over a large number of connections should result in
2095 * fairly accurate figures. We cannot guarantee a lot, however
2096 * -- if each connection lasts for exactly one clock tick, it
2097 * will be counted only for the client or only for the server or
2098 * even not at all.
2099 */
2100 *c_time += (clock() - c_clock);
2101 }
2102
2103 {
2104 /* SERVER */
2105
2106 char sbuf[1024 * 8];
2107 int i, r;
2108 clock_t s_clock = clock();
2109
2110 memset(sbuf, 0, sizeof(sbuf));
2111
2112 if (debug)
2113 if (SSL_in_init(s_ssl))
2114 printf("server waiting in SSL_accept - %s\n",
2115 SSL_state_string_long(s_ssl));
2116
2117 if (sw_num > 0) {
2118 /* Write to client. */
2119
cbe29648
RS		 2120 if (sw_num > (long)sizeof(sbuf))
2121 i = sizeof(sbuf);
75d5bd4e
RL		 2122 else
2123 i = (int)sw_num;
2124 r = BIO_write(s_ssl_bio, sbuf, i);
2125 if (r < 0) {
2126 if (!BIO_should_retry(s_ssl_bio)) {
598bd774 2127 fprintf(stderr, "ERROR in SERVER (write)\n");
75d5bd4e
RL		 2128 err_in_server = 1;
2129 goto err;
2130 }
2131 /* Ignore "BIO_should_retry". */
2132 } else if (r == 0) {
2133 fprintf(stderr, "SSL SERVER STARTUP FAILED\n");
2134 goto err;
2135 } else {
2136 if (debug)
2137 printf("server wrote %d\n", r);
2138 sw_num -= r;
2139 }
2140 }
2141
2142 if (sr_num > 0) {
2143 /* Read from client. */
2144
2145 r = BIO_read(s_ssl_bio, sbuf, sizeof(sbuf));
2146 if (r < 0) {
2147 if (!BIO_should_retry(s_ssl_bio)) {
598bd774 2148 fprintf(stderr, "ERROR in SERVER (read)\n");
75d5bd4e
RL		 2149 err_in_server = 1;
2150 goto err;
2151 }
2152 /* blah, blah */
2153 } else if (r == 0) {
2154 fprintf(stderr, "SSL SERVER STARTUP FAILED\n");
2155 goto err;
2156 } else {
2157 if (debug)
2158 printf("server read %d\n", r);
2159 sr_num -= r;
2160 }
2161 }
2162
2163 *s_time += (clock() - s_clock);
2164 }
2165 }
2166 while (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0);
2167
598bd774 2168 if (verbose) {
75d5bd4e 2169 print_details(c_ssl, "DONE via TCP connect: ");
598bd774
BE		 2170
2171 if (BIO_get_ktls_send(SSL_get_wbio(s_ssl))
2172 && BIO_get_ktls_recv(SSL_get_rbio(s_ssl)))
2173 BIO_printf(bio_stdout, "Server using Kernel TLS in both directions\n");
2174 else if (BIO_get_ktls_send(SSL_get_wbio(s_ssl)))
2175 BIO_printf(bio_stdout, "Server using Kernel TLS for sending\n");
2176 else if (BIO_get_ktls_recv(SSL_get_rbio(s_ssl)))
2177 BIO_printf(bio_stdout, "Server using Kernel TLS for receiving\n");
2178
2179 if (BIO_get_ktls_send(SSL_get_wbio(c_ssl))
2180 && BIO_get_ktls_recv(SSL_get_rbio(c_ssl)))
2181 BIO_printf(bio_stdout, "Client using Kernel TLS in both directions\n");
2182 else if (BIO_get_ktls_send(SSL_get_wbio(c_ssl)))
2183 BIO_printf(bio_stdout, "Client using Kernel TLS for sending\n");
2184 else if (BIO_get_ktls_recv(SSL_get_rbio(c_ssl)))
2185 BIO_printf(bio_stdout, "Client using Kernel TLS for receiving\n");
2186 }
f9e55034 2187# ifndef OPENSSL_NO_NEXTPROTONEG
c2500f65 2188 if (verify_npn(c_ssl, s_ssl) < 0)
75d5bd4e 2189 goto end;
f9e55034 2190# endif
75d5bd4e
RL		 2191 if (verify_serverinfo() < 0) {
2192 fprintf(stderr, "Server info verify error\n");
75d5bd4e
RL		 2193 goto err;
2194 }
c2500f65
P		 2195 if (verify_alpn(c_ssl, s_ssl) < 0
2196 || verify_servername(c_ssl, s_ssl) < 0)
817cd0d5 2197 goto err;
75d5bd4e
RL		 2198
2199 if (custom_ext_error) {
2200 fprintf(stderr, "Custom extension error\n");
75d5bd4e
RL		 2201 goto err;
2202 }
2203
1595ca02 2204# ifndef OPENSSL_NO_NEXTPROTONEG
75d5bd4e 2205 end:
1595ca02 2206# endif
c2500f65 2207 ret = EXIT_SUCCESS;
75d5bd4e
RL		 2208
2209 err:
2210 ERR_print_errors(bio_err);
2211
2212 BIO_free_all(acpt);
2213 BIO_free(server);
2214 BIO_free(client);
2215 BIO_free(s_ssl_bio);
2216 BIO_free(c_ssl_bio);
2217
2218 if (should_negotiate != NULL && strcmp(should_negotiate, "fail-client") == 0)
c2500f65 2219 ret = (err_in_client != 0) ? EXIT_SUCCESS : EXIT_FAILURE;
75d5bd4e 2220 else if (should_negotiate != NULL && strcmp(should_negotiate, "fail-server") == 0)
c2500f65 2221 ret = (err_in_server != 0) ? EXIT_SUCCESS : EXIT_FAILURE;
75d5bd4e
RL		 2222
2223 return ret;
2224}
f9e55034 2225#endif
75d5bd4e 2226
563f1503 2227int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count,
0f113f3e
MC		 2228 clock_t *s_time, clock_t *c_time)
2229{
2230 long cw_num = count, cr_num = count, sw_num = count, sr_num = count;
2231 BIO *s_ssl_bio = NULL, *c_ssl_bio = NULL;
2232 BIO *server = NULL, *server_io = NULL, *client = NULL, *client_io = NULL;
c2500f65 2233 int ret = EXIT_FAILURE;
7946ab33
KR		 2234 int err_in_client = 0;
2235 int err_in_server = 0;
0f113f3e
MC		 2236
2237 size_t bufsiz = 256; /* small buffer for testing */
2238
2239 if (!BIO_new_bio_pair(&server, bufsiz, &server_io, bufsiz))
2240 goto err;
2241 if (!BIO_new_bio_pair(&client, bufsiz, &client_io, bufsiz))
2242 goto err;
2243
2244 s_ssl_bio = BIO_new(BIO_f_ssl());
2245 if (!s_ssl_bio)
2246 goto err;
2247
2248 c_ssl_bio = BIO_new(BIO_f_ssl());
2249 if (!c_ssl_bio)
2250 goto err;
2251
2252 SSL_set_connect_state(c_ssl);
2253 SSL_set_bio(c_ssl, client, client);
2254 (void)BIO_set_ssl(c_ssl_bio, c_ssl, BIO_NOCLOSE);
2255
2256 SSL_set_accept_state(s_ssl);
2257 SSL_set_bio(s_ssl, server, server);
2258 (void)BIO_set_ssl(s_ssl_bio, s_ssl, BIO_NOCLOSE);
2259
2260 do {
35a1cc90
MC		 2261 /*-
2262 * c_ssl_bio: SSL filter BIO
2263 *
2264 * client: pseudo-I/O for SSL library
2265 *
2266 * client_io: client's SSL communication; usually to be
2267 * relayed over some I/O facility, but in this
2268 * test program, we're the server, too:
2269 *
2270 * server_io: server's SSL communication
2271 *
2272 * server: pseudo-I/O for SSL library
2273 *
2274 * s_ssl_bio: SSL filter BIO
2275 *
2276 * The client and the server each employ a "BIO pair":
2277 * client + client_io, server + server_io.
2278 * BIO pairs are symmetric. A BIO pair behaves similar
2279 * to a non-blocking socketpair (but both endpoints must
2280 * be handled by the same thread).
2281 * [Here we could connect client and server to the ends
2282 * of a single BIO pair, but then this code would be less
2283 * suitable as an example for BIO pairs in general.]
2284 *
2285 * Useful functions for querying the state of BIO pair endpoints:
2286 *
2287 * BIO_ctrl_pending(bio) number of bytes we can read now
44e69951 2288 * BIO_ctrl_get_read_request(bio) number of bytes needed to fulfill
35a1cc90
MC		 2289 * other side's read attempt
2290 * BIO_ctrl_get_write_guarantee(bio) number of bytes we can write now
2291 *
2292 * ..._read_request is never more than ..._write_guarantee;
2293 * it depends on the application which one you should use.
2294 */
0f113f3e
MC		 2295
2296 /*
2297 * We have non-blocking behaviour throughout this test program, but
2298 * can be sure that there is *some* progress in each iteration; so we
2299 * don't have to worry about ..._SHOULD_READ or ..._SHOULD_WRITE --
2300 * we just try everything in each iteration
2301 */
2302
2303 {
2304 /* CLIENT */
2305
68b00c23 2306 char cbuf[1024 * 8];
0f113f3e
MC		 2307 int i, r;
2308 clock_t c_clock = clock();
2309
2310 memset(cbuf, 0, sizeof(cbuf));
2311
2312 if (debug)
2313 if (SSL_in_init(c_ssl))
2314 printf("client waiting in SSL_connect - %s\n",
2315 SSL_state_string_long(c_ssl));
2316
2317 if (cw_num > 0) {
2318 /* Write to server. */
2319
cbe29648
RS		 2320 if (cw_num > (long)sizeof(cbuf))
2321 i = sizeof(cbuf);
0f113f3e
MC		 2322 else
2323 i = (int)cw_num;
2324 r = BIO_write(c_ssl_bio, cbuf, i);
2325 if (r < 0) {
2326 if (!BIO_should_retry(c_ssl_bio)) {
2327 fprintf(stderr, "ERROR in CLIENT\n");
7946ab33 2328 err_in_client = 1;
0f113f3e
MC		 2329 goto err;
2330 }
2331 /*
2332 * BIO_should_retry(...) can just be ignored here. The
2333 * library expects us to call BIO_write with the same
2334 * arguments again, and that's what we will do in the
2335 * next iteration.
2336 */
2337 } else if (r == 0) {
2338 fprintf(stderr, "SSL CLIENT STARTUP FAILED\n");
2339 goto err;
2340 } else {
2341 if (debug)
2342 printf("client wrote %d\n", r);
2343 cw_num -= r;
2344 }
2345 }
2346
2347 if (cr_num > 0) {
2348 /* Read from server. */
2349
2350 r = BIO_read(c_ssl_bio, cbuf, sizeof(cbuf));
2351 if (r < 0) {
2352 if (!BIO_should_retry(c_ssl_bio)) {
2353 fprintf(stderr, "ERROR in CLIENT\n");
7946ab33 2354 err_in_client = 1;
0f113f3e
MC		 2355 goto err;
2356 }
2357 /*
2358 * Again, "BIO_should_retry" can be ignored.
2359 */
2360 } else if (r == 0) {
2361 fprintf(stderr, "SSL CLIENT STARTUP FAILED\n");
2362 goto err;
2363 } else {
2364 if (debug)
2365 printf("client read %d\n", r);
2366 cr_num -= r;
2367 }
2368 }
2369
2370 /*
2371 * c_time and s_time increments will typically be very small
2372 * (depending on machine speed and clock tick intervals), but
2373 * sampling over a large number of connections should result in
2374 * fairly accurate figures. We cannot guarantee a lot, however
2375 * -- if each connection lasts for exactly one clock tick, it
2376 * will be counted only for the client or only for the server or
2377 * even not at all.
2378 */
2379 *c_time += (clock() - c_clock);
2380 }
2381
2382 {
2383 /* SERVER */
2384
68b00c23 2385 char sbuf[1024 * 8];
0f113f3e
MC		 2386 int i, r;
2387 clock_t s_clock = clock();
2388
2389 memset(sbuf, 0, sizeof(sbuf));
2390
2391 if (debug)
2392 if (SSL_in_init(s_ssl))
2393 printf("server waiting in SSL_accept - %s\n",
2394 SSL_state_string_long(s_ssl));
2395
2396 if (sw_num > 0) {
2397 /* Write to client. */
2398
cbe29648
RS		 2399 if (sw_num > (long)sizeof(sbuf))
2400 i = sizeof(sbuf);
0f113f3e
MC		 2401 else
2402 i = (int)sw_num;
2403 r = BIO_write(s_ssl_bio, sbuf, i);
2404 if (r < 0) {
2405 if (!BIO_should_retry(s_ssl_bio)) {
2406 fprintf(stderr, "ERROR in SERVER\n");
7946ab33 2407 err_in_server = 1;
0f113f3e
MC		 2408 goto err;
2409 }
2410 /* Ignore "BIO_should_retry". */
2411 } else if (r == 0) {
2412 fprintf(stderr, "SSL SERVER STARTUP FAILED\n");
2413 goto err;
2414 } else {
2415 if (debug)
2416 printf("server wrote %d\n", r);
2417 sw_num -= r;
2418 }
2419 }
2420
2421 if (sr_num > 0) {
2422 /* Read from client. */
2423
2424 r = BIO_read(s_ssl_bio, sbuf, sizeof(sbuf));
2425 if (r < 0) {
2426 if (!BIO_should_retry(s_ssl_bio)) {
2427 fprintf(stderr, "ERROR in SERVER\n");
7946ab33 2428 err_in_server = 1;
0f113f3e
MC		 2429 goto err;
2430 }
2431 /* blah, blah */
2432 } else if (r == 0) {
2433 fprintf(stderr, "SSL SERVER STARTUP FAILED\n");
2434 goto err;
2435 } else {
2436 if (debug)
2437 printf("server read %d\n", r);
2438 sr_num -= r;
2439 }
2440 }
2441
2442 *s_time += (clock() - s_clock);
2443 }
2444
2445 {
2446 /* "I/O" BETWEEN CLIENT AND SERVER. */
2447
2448 size_t r1, r2;
2449 BIO *io1 = server_io, *io2 = client_io;
2450 /*
2451 * we use the non-copying interface for io1 and the standard
2452 * BIO_write/BIO_read interface for io2
2453 */
2454
2455 static int prev_progress = 1;
2456 int progress = 0;
2457
2458 /* io1 to io2 */
2459 do {
2460 size_t num;
2461 int r;
2462
2463 r1 = BIO_ctrl_pending(io1);
2464 r2 = BIO_ctrl_get_write_guarantee(io2);
2465
2466 num = r1;
2467 if (r2 < num)
2468 num = r2;
2469 if (num) {
2470 char *dataptr;
2471
2472 if (INT_MAX < num) /* yeah, right */
2473 num = INT_MAX;
2474
2475 r = BIO_nread(io1, &dataptr, (int)num);
2476 assert(r > 0);
2477 assert(r <= (int)num);
2478 /*
2479 * possibly r < num (non-contiguous data)
2480 */
2481 num = r;
2482 r = BIO_write(io2, dataptr, (int)num);
2483 if (r != (int)num) { /* can't happen */
2484 fprintf(stderr, "ERROR: BIO_write could not write "
2485 "BIO_ctrl_get_write_guarantee() bytes");
2486 goto err;
2487 }
2488 progress = 1;
2489
2490 if (debug)
2491 printf((io1 == client_io) ?
2492 "C->S relaying: %d bytes\n" :
2493 "S->C relaying: %d bytes\n", (int)num);
2494 }
2495 }
2496 while (r1 && r2);
2497
2498 /* io2 to io1 */
2499 {
2500 size_t num;
2501 int r;
2502
2503 r1 = BIO_ctrl_pending(io2);
2504 r2 = BIO_ctrl_get_read_request(io1);
2505 /*
2506 * here we could use ..._get_write_guarantee instead of
2507 * ..._get_read_request, but by using the latter we test
2508 * restartability of the SSL implementation more thoroughly
2509 */
2510 num = r1;
2511 if (r2 < num)
2512 num = r2;
2513 if (num) {
2514 char *dataptr;
2515
2516 if (INT_MAX < num)
2517 num = INT_MAX;
2518
2519 if (num > 1)
2520 --num; /* test restartability even more thoroughly */
2521
2522 r = BIO_nwrite0(io1, &dataptr);
2523 assert(r > 0);
2524 if (r < (int)num)
2525 num = r;
2526 r = BIO_read(io2, dataptr, (int)num);
2527 if (r != (int)num) { /* can't happen */
2528 fprintf(stderr, "ERROR: BIO_read could not read "
2529 "BIO_ctrl_pending() bytes");
2530 goto err;
2531 }
2532 progress = 1;
2533 r = BIO_nwrite(io1, &dataptr, (int)num);
2534 if (r != (int)num) { /* can't happen */
2535 fprintf(stderr, "ERROR: BIO_nwrite() did not accept "
2536 "BIO_nwrite0() bytes");
2537 goto err;
2538 }
2539
2540 if (debug)
2541 printf((io2 == client_io) ?
2542 "C->S relaying: %d bytes\n" :
2543 "S->C relaying: %d bytes\n", (int)num);
2544 }
2545 } /* no loop, BIO_ctrl_get_read_request now
2546 * returns 0 anyway */
2547
2548 if (!progress && !prev_progress)
2549 if (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0) {
2550 fprintf(stderr, "ERROR: got stuck\n");
2551 fprintf(stderr, " ERROR.\n");
2552 goto err;
2553 }
2554 prev_progress = progress;
2555 }
2556 }
2557 while (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0);
2558
2559 if (verbose)
2560 print_details(c_ssl, "DONE via BIO pair: ");
2911575c 2561#ifndef OPENSSL_NO_NEXTPROTONEG
c2500f65 2562 if (verify_npn(c_ssl, s_ssl) < 0)
0f113f3e 2563 goto end;
0f113f3e
MC		 2564#endif
2565 if (verify_serverinfo() < 0) {
2566 fprintf(stderr, "Server info verify error\n");
0f113f3e 2567 goto err;
817cd0d5 2568 }
c2500f65
P		 2569 if (verify_alpn(c_ssl, s_ssl) < 0
2570 || verify_servername(c_ssl, s_ssl) < 0)
817cd0d5 2571 goto err;
0f113f3e
MC		 2572
2573 if (custom_ext_error) {
2574 fprintf(stderr, "Custom extension error\n");
0f113f3e
MC		 2575 goto err;
2576 }
2577
1595ca02 2578#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e 2579 end:
1595ca02 2580#endif
c2500f65 2581 ret = EXIT_SUCCESS;
95d29597
BM		 2582
2583 err:
0f113f3e
MC		 2584 ERR_print_errors(bio_err);
2585
ca3a82c3
RS		 2586 BIO_free(server);
2587 BIO_free(server_io);
2588 BIO_free(client);
2589 BIO_free(client_io);
2590 BIO_free(s_ssl_bio);
2591 BIO_free(c_ssl_bio);
0f113f3e 2592
7946ab33 2593 if (should_negotiate != NULL && strcmp(should_negotiate, "fail-client") == 0)
c2500f65 2594 ret = (err_in_client != 0) ? EXIT_SUCCESS : EXIT_FAILURE;
7946ab33 2595 else if (should_negotiate != NULL && strcmp(should_negotiate, "fail-server") == 0)
c2500f65 2596 ret = (err_in_server != 0) ? EXIT_SUCCESS : EXIT_FAILURE;
7946ab33 2597
0f113f3e
MC		 2598 return ret;
2599}
2600
2601#define W_READ 1
2602#define W_WRITE 2
2603#define C_DONE 1
2604#define S_DONE 2
d02b48c6 2605
6b691a5c 2606int doit(SSL *s_ssl, SSL *c_ssl, long count)
0f113f3e
MC		 2607{
2608 char *cbuf = NULL, *sbuf = NULL;
2609 long bufsiz;
2610 long cw_num = count, cr_num = count;
2611 long sw_num = count, sr_num = count;
c2500f65 2612 int ret = EXIT_FAILURE;
0f113f3e
MC		 2613 BIO *c_to_s = NULL;
2614 BIO *s_to_c = NULL;
2615 BIO *c_bio = NULL;
2616 BIO *s_bio = NULL;
2617 int c_r, c_w, s_r, s_w;
2618 int i, j;
2619 int done = 0;
2620 int c_write, s_write;
2621 int do_server = 0, do_client = 0;
2622 int max_frag = 5 * 1024;
7946ab33
KR		 2623 int err_in_client = 0;
2624 int err_in_server = 0;
0f113f3e
MC		 2625
2626 bufsiz = count > 40 * 1024 ? 40 * 1024 : count;
2627
b51bce94 2628 if ((cbuf = OPENSSL_zalloc(bufsiz)) == NULL)
0f113f3e 2629 goto err;
b51bce94 2630 if ((sbuf = OPENSSL_zalloc(bufsiz)) == NULL)
0f113f3e
MC		 2631 goto err;
2632
0f113f3e
MC		 2633 c_to_s = BIO_new(BIO_s_mem());
2634 s_to_c = BIO_new(BIO_s_mem());
2635 if ((s_to_c == NULL) || (c_to_s == NULL)) {
2636 ERR_print_errors(bio_err);
2637 goto err;
2638 }
2639
2640 c_bio = BIO_new(BIO_f_ssl());
2641 s_bio = BIO_new(BIO_f_ssl());
2642 if ((c_bio == NULL) || (s_bio == NULL)) {
2643 ERR_print_errors(bio_err);
2644 goto err;
2645 }
2646
2647 SSL_set_connect_state(c_ssl);
2648 SSL_set_bio(c_ssl, s_to_c, c_to_s);
2649 SSL_set_max_send_fragment(c_ssl, max_frag);
2650 BIO_set_ssl(c_bio, c_ssl, BIO_NOCLOSE);
2651
e304d3e2
MC		 2652 /*
2653 * We've just given our ref to these BIOs to c_ssl. We need another one to
2654 * give to s_ssl
2655 */
2656 if (!BIO_up_ref(c_to_s)) {
2657 /* c_to_s and s_to_c will get freed when we free c_ssl */
2658 c_to_s = NULL;
2659 s_to_c = NULL;
2660 goto err;
2661 }
2662 if (!BIO_up_ref(s_to_c)) {
2663 /* s_to_c will get freed when we free c_ssl */
2664 s_to_c = NULL;
2665 goto err;
2666 }
2667
0f113f3e
MC		 2668 SSL_set_accept_state(s_ssl);
2669 SSL_set_bio(s_ssl, c_to_s, s_to_c);
e304d3e2
MC		 2670
2671 /* We've used up all our refs to these now */
2672 c_to_s = NULL;
2673 s_to_c = NULL;
2674
0f113f3e
MC		 2675 SSL_set_max_send_fragment(s_ssl, max_frag);
2676 BIO_set_ssl(s_bio, s_ssl, BIO_NOCLOSE);
2677
2678 c_r = 0;
2679 s_r = 1;
2680 c_w = 1;
2681 s_w = 0;
2682 c_write = 1, s_write = 0;
2683
2684 /* We can always do writes */
2685 for (;;) {
2686 do_server = 0;
2687 do_client = 0;
2688
2689 i = (int)BIO_pending(s_bio);
2690 if ((i && s_r) || s_w)
2691 do_server = 1;
2692
2693 i = (int)BIO_pending(c_bio);
2694 if ((i && c_r) || c_w)
2695 do_client = 1;
2696
2697 if (do_server && debug) {
2698 if (SSL_in_init(s_ssl))
2699 printf("server waiting in SSL_accept - %s\n",
2700 SSL_state_string_long(s_ssl));
0f113f3e
MC		 2701 }
2702
2703 if (do_client && debug) {
2704 if (SSL_in_init(c_ssl))
2705 printf("client waiting in SSL_connect - %s\n",
2706 SSL_state_string_long(c_ssl));
0f113f3e
MC		 2707 }
2708
2709 if (!do_client && !do_server) {
2710 fprintf(stdout, "ERROR IN STARTUP\n");
2711 ERR_print_errors(bio_err);
ae632974 2712 goto err;
0f113f3e
MC		 2713 }
2714 if (do_client && !(done & C_DONE)) {
2715 if (c_write) {
2716 j = (cw_num > bufsiz) ? (int)bufsiz : (int)cw_num;
2717 i = BIO_write(c_bio, cbuf, j);
2718 if (i < 0) {
2719 c_r = 0;
2720 c_w = 0;
2721 if (BIO_should_retry(c_bio)) {
2722 if (BIO_should_read(c_bio))
2723 c_r = 1;
2724 if (BIO_should_write(c_bio))
2725 c_w = 1;
2726 } else {
2727 fprintf(stderr, "ERROR in CLIENT\n");
7946ab33 2728 err_in_client = 1;
0f113f3e
MC		 2729 ERR_print_errors(bio_err);
2730 goto err;
2731 }
2732 } else if (i == 0) {
2733 fprintf(stderr, "SSL CLIENT STARTUP FAILED\n");
2734 goto err;
2735 } else {
2736 if (debug)
2737 printf("client wrote %d\n", i);
2738 /* ok */
2739 s_r = 1;
2740 c_write = 0;
2741 cw_num -= i;
2742 if (max_frag > 1029)
2743 SSL_set_max_send_fragment(c_ssl, max_frag -= 5);
2744 }
2745 } else {
2746 i = BIO_read(c_bio, cbuf, bufsiz);
2747 if (i < 0) {
2748 c_r = 0;
2749 c_w = 0;
2750 if (BIO_should_retry(c_bio)) {
2751 if (BIO_should_read(c_bio))
2752 c_r = 1;
2753 if (BIO_should_write(c_bio))
2754 c_w = 1;
2755 } else {
2756 fprintf(stderr, "ERROR in CLIENT\n");
7946ab33 2757 err_in_client = 1;
0f113f3e
MC		 2758 ERR_print_errors(bio_err);
2759 goto err;
2760 }
2761 } else if (i == 0) {
2762 fprintf(stderr, "SSL CLIENT STARTUP FAILED\n");
2763 goto err;
2764 } else {
2765 if (debug)
2766 printf("client read %d\n", i);
2767 cr_num -= i;
2768 if (sw_num > 0) {
2769 s_write = 1;
2770 s_w = 1;
2771 }
2772 if (cr_num <= 0) {
2773 s_write = 1;
2774 s_w = 1;
2775 done = S_DONE | C_DONE;
2776 }
2777 }
2778 }
2779 }
2780
2781 if (do_server && !(done & S_DONE)) {
2782 if (!s_write) {
2783 i = BIO_read(s_bio, sbuf, bufsiz);
2784 if (i < 0) {
2785 s_r = 0;
2786 s_w = 0;
2787 if (BIO_should_retry(s_bio)) {
2788 if (BIO_should_read(s_bio))
2789 s_r = 1;
2790 if (BIO_should_write(s_bio))
2791 s_w = 1;
2792 } else {
2793 fprintf(stderr, "ERROR in SERVER\n");
7946ab33 2794 err_in_server = 1;
0f113f3e
MC		 2795 ERR_print_errors(bio_err);
2796 goto err;
2797 }
2798 } else if (i == 0) {
2799 ERR_print_errors(bio_err);
2800 fprintf(stderr,
2801 "SSL SERVER STARTUP FAILED in SSL_read\n");
2802 goto err;
2803 } else {
2804 if (debug)
2805 printf("server read %d\n", i);
2806 sr_num -= i;
2807 if (cw_num > 0) {
2808 c_write = 1;
2809 c_w = 1;
2810 }
2811 if (sr_num <= 0) {
2812 s_write = 1;
2813 s_w = 1;
2814 c_write = 0;
2815 }
2816 }
2817 } else {
2818 j = (sw_num > bufsiz) ? (int)bufsiz : (int)sw_num;
2819 i = BIO_write(s_bio, sbuf, j);
2820 if (i < 0) {
2821 s_r = 0;
2822 s_w = 0;
2823 if (BIO_should_retry(s_bio)) {
2824 if (BIO_should_read(s_bio))
2825 s_r = 1;
2826 if (BIO_should_write(s_bio))
2827 s_w = 1;
2828 } else {
2829 fprintf(stderr, "ERROR in SERVER\n");
7946ab33 2830 err_in_server = 1;
0f113f3e
MC		 2831 ERR_print_errors(bio_err);
2832 goto err;
2833 }
2834 } else if (i == 0) {
2835 ERR_print_errors(bio_err);
2836 fprintf(stderr,
2837 "SSL SERVER STARTUP FAILED in SSL_write\n");
2838 goto err;
2839 } else {
2840 if (debug)
2841 printf("server wrote %d\n", i);
2842 sw_num -= i;
2843 s_write = 0;
2844 c_r = 1;
2845 if (sw_num <= 0)
2846 done |= S_DONE;
2847 if (max_frag > 1029)
2848 SSL_set_max_send_fragment(s_ssl, max_frag -= 5);
2849 }
2850 }
2851 }
2852
2853 if ((done & S_DONE) && (done & C_DONE))
2854 break;
2855 }
2856
2857 if (verbose)
2858 print_details(c_ssl, "DONE: ");
2911575c 2859#ifndef OPENSSL_NO_NEXTPROTONEG
c2500f65 2860 if (verify_npn(c_ssl, s_ssl) < 0)
0f113f3e 2861 goto err;
0f113f3e
MC		 2862#endif
2863 if (verify_serverinfo() < 0) {
2864 fprintf(stderr, "Server info verify error\n");
0f113f3e
MC		 2865 goto err;
2866 }
2867 if (custom_ext_error) {
2868 fprintf(stderr, "Custom extension error\n");
0f113f3e
MC		 2869 goto err;
2870 }
c2500f65 2871 ret = EXIT_SUCCESS;
0f113f3e 2872 err:
ca3a82c3
RS		 2873 BIO_free(c_to_s);
2874 BIO_free(s_to_c);
2875 BIO_free_all(c_bio);
2876 BIO_free_all(s_bio);
b548a1f1
RS		 2877 OPENSSL_free(cbuf);
2878 OPENSSL_free(sbuf);
0f113f3e 2879
7946ab33 2880 if (should_negotiate != NULL && strcmp(should_negotiate, "fail-client") == 0)
c2500f65 2881 ret = (err_in_client != 0) ? EXIT_SUCCESS : EXIT_FAILURE;
7946ab33 2882 else if (should_negotiate != NULL && strcmp(should_negotiate, "fail-server") == 0)
c2500f65 2883 ret = (err_in_server != 0) ? EXIT_SUCCESS : EXIT_FAILURE;
7946ab33 2884
c2500f65 2885 return ret;
0f113f3e 2886}
d02b48c6 2887
6d23cf97 2888static int verify_callback(int ok, X509_STORE_CTX *ctx)
0f113f3e
MC		 2889{
2890 char *s, buf[256];
2891
f0e0fd51 2892 s = X509_NAME_oneline(X509_get_subject_name(X509_STORE_CTX_get_current_cert(ctx)),
cbe29648 2893 buf, sizeof(buf));
0f113f3e
MC		 2894 if (s != NULL) {
2895 if (ok)
f0e0fd51 2896 printf("depth=%d %s\n", X509_STORE_CTX_get_error_depth(ctx), buf);
0f113f3e
MC		 2897 else {
2898 fprintf(stderr, "depth=%d error=%d %s\n",
f0e0fd51
RS		 2899 X509_STORE_CTX_get_error_depth(ctx),
2900 X509_STORE_CTX_get_error(ctx), buf);
0f113f3e
MC		 2901 }
2902 }
2903
2904 if (ok == 0) {
f0e0fd51
RS		 2905 int i = X509_STORE_CTX_get_error(ctx);
2906
2907 switch (i) {
3dca57f8
RS		 2908 default:
2909 fprintf(stderr, "Error string: %s\n",
f0e0fd51 2910 X509_verify_cert_error_string(i));
3dca57f8 2911 break;
0f113f3e
MC		 2912 case X509_V_ERR_CERT_NOT_YET_VALID:
2913 case X509_V_ERR_CERT_HAS_EXPIRED:
2914 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
0f113f3e 2915 ok = 1;
f0e0fd51 2916 break;
0f113f3e
MC		 2917 }
2918 }
2919
c2500f65 2920 return ok;
0f113f3e 2921}
d02b48c6 2922
6d23cf97 2923static int app_verify_callback(X509_STORE_CTX *ctx, void *arg)
0f113f3e
MC		 2924{
2925 int ok = 1;
2926 struct app_verify_arg *cb_arg = arg;
0f113f3e
MC		 2927
2928 if (cb_arg->app_verify) {
2929 char *s = NULL, buf[256];
f0e0fd51 2930 X509 *c = X509_STORE_CTX_get0_cert(ctx);
0f113f3e 2931
3dca57f8
RS		 2932 printf("In app_verify_callback, allowing cert. ");
2933 printf("Arg is: %s\n", cb_arg->string);
2934 printf("Finished printing do we have a context? 0x%p a cert? 0x%p\n",
f0e0fd51
RS		 2935 (void *)ctx, (void *)c);
2936 if (c)
2937 s = X509_NAME_oneline(X509_get_subject_name(c), buf, 256);
0f113f3e 2938 if (s != NULL) {
f0e0fd51
RS		 2939 printf("cert depth=%d %s\n",
2940 X509_STORE_CTX_get_error_depth(ctx), buf);
0f113f3e 2941 }
c2500f65 2942 return 1;
0f113f3e 2943 }
0f113f3e 2944
0f113f3e 2945 ok = X509_verify_cert(ctx);
0f113f3e 2946
c2500f65 2947 return ok;
0f113f3e 2948}
023ec151 2949
ddac1974
NL		 2950#ifndef OPENSSL_NO_PSK
2951/* convert the PSK key (psk_key) in ascii to binary (psk) */
2952static int psk_key2bn(const char *pskkey, unsigned char *psk,
0f113f3e
MC		 2953 unsigned int max_psk_len)
2954{
2955 int ret;
2956 BIGNUM *bn = NULL;
2957
2958 ret = BN_hex2bn(&bn, pskkey);
2959 if (!ret) {
2960 BIO_printf(bio_err, "Could not convert PSK key '%s' to BIGNUM\n",
2961 pskkey);
23a1d5e9 2962 BN_free(bn);
0f113f3e
MC		 2963 return 0;
2964 }
2965 if (BN_num_bytes(bn) > (int)max_psk_len) {
2966 BIO_printf(bio_err,
2967 "psk buffer of callback is too small (%d) for key (%d)\n",
2968 max_psk_len, BN_num_bytes(bn));
2969 BN_free(bn);
2970 return 0;
2971 }
2972 ret = BN_bn2bin(bn, psk);
2973 BN_free(bn);
2974 return ret;
2975}
2976
2977static unsigned int psk_client_callback(SSL *ssl, const char *hint,
2978 char *identity,
2979 unsigned int max_identity_len,
2980 unsigned char *psk,
2981 unsigned int max_psk_len)
2982{
2983 int ret;
2984 unsigned int psk_len = 0;
2985
2986 ret = BIO_snprintf(identity, max_identity_len, "Client_identity");
2987 if (ret < 0)
2988 goto out_err;
2989 if (debug)
2990 fprintf(stderr, "client: created identity '%s' len=%d\n", identity,
2991 ret);
2992 ret = psk_key2bn(psk_key, psk, max_psk_len);
2993 if (ret < 0)
2994 goto out_err;
2995 psk_len = ret;
2996 out_err:
2997 return psk_len;
2998}
ddac1974
NL		 2999
3000static unsigned int psk_server_callback(SSL *ssl, const char *identity,
0f113f3e
MC		 3001 unsigned char *psk,
3002 unsigned int max_psk_len)
3003{
3004 unsigned int psk_len = 0;
ddac1974 3005
0f113f3e
MC		 3006 if (strcmp(identity, "Client_identity") != 0) {
3007 BIO_printf(bio_err, "server: PSK error: client identity not found\n");
3008 return 0;
3009 }
3010 psk_len = psk_key2bn(psk_key, psk, max_psk_len);
3011 return psk_len;
3012}
ddac1974 3013#endif
A mirror of the official openssl repository