]> git.ipfire.org Git - thirdparty/openssl.git/blob - test/ssltest_old.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Fix stacks of OPENSSL_STRING, OPENSSL_CSTRING and OPENSSL_BLOCK
[thirdparty/openssl.git] / test / ssltest_old.c
1 /*
2 * Copyright 1995-2020 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
4 * Copyright 2005 Nokia. All rights reserved.
5 *
6 * Licensed under the Apache License 2.0 (the "License"). You may not use
7 * this file except in compliance with the License. You can obtain a copy
8 * in the file LICENSE in the source distribution or at
9 * https://www.openssl.org/source/license.html
10 */
11
12 /*
13 * DH low level APIs are deprecated for public use, but still ok for
14 * internal use.
15 */
16 #include "internal/deprecated.h"
17
18 #include "e_os.h"
19
20 /* Or gethostname won't be declared properly on Linux and GNU platforms. */
21 #ifndef _BSD_SOURCE
22 # define _BSD_SOURCE 1
23 #endif
24 #ifndef _DEFAULT_SOURCE
25 # define _DEFAULT_SOURCE 1
26 #endif
27
28 #include <assert.h>
29 #include <errno.h>
30 #include <limits.h>
31 #include <stdio.h>
32 #include <stdlib.h>
33 #include <string.h>
34 #include <time.h>
35
36 #include "internal/nelem.h"
37
38 #ifdef OPENSSL_SYS_VMS
39 /*
40 * Or isascii won't be declared properly on VMS (at least with DECompHP C).
41 */
42 # define _XOPEN_SOURCE 500
43 #endif
44
45 #include <ctype.h>
46
47 #include <openssl/bio.h>
48 #include <openssl/crypto.h>
49 #include <openssl/evp.h>
50 #include <openssl/x509.h>
51 #include <openssl/x509v3.h>
52 #include <openssl/ssl.h>
53 #include <openssl/err.h>
54 #include <openssl/rand.h>
55 #ifndef OPENSSL_NO_RSA
56 # include <openssl/rsa.h>
57 #endif
58 #ifndef OPENSSL_NO_DSA
59 # include <openssl/dsa.h>
60 #endif
61 #ifndef OPENSSL_NO_DH
62 # include <openssl/dh.h>
63 #endif
64 #include <openssl/bn.h>
65 #ifndef OPENSSL_NO_CT
66 # include <openssl/ct.h>
67 #endif
68 #include <openssl/provider.h>
69
70 /*
71 * Or gethostname won't be declared properly
72 * on Compaq platforms (at least with DEC C).
73 * Do not try to put it earlier, or IPv6 includes
74 * get screwed...
75 */
76 #define _XOPEN_SOURCE_EXTENDED 1
77
78 #ifdef OPENSSL_SYS_WINDOWS
79 # include <winsock.h>
80 #else
81 # include <unistd.h>
82 #endif
83
84 static SSL_CTX *s_ctx = NULL;
85 static SSL_CTX *s_ctx2 = NULL;
86
87 /*
88 * There is really no standard for this, so let's assign something
89 * only for this test
90 */
91 #define COMP_ZLIB 1
92
93 static int verify_callback(int ok, X509_STORE_CTX *ctx);
94 static int app_verify_callback(X509_STORE_CTX *ctx, void *arg);
95 #define APP_CALLBACK_STRING "Test Callback Argument"
96 struct app_verify_arg {
97 char *string;
98 int app_verify;
99 };
100
101 #ifndef OPENSSL_NO_DH
102 static DH *get_dh512(void);
103 static DH *get_dh1024(void);
104 static DH *get_dh1024dsa(void);
105 #endif
106
107 static char *psk_key = NULL; /* by default PSK is not used */
108 #ifndef OPENSSL_NO_PSK
109 static unsigned int psk_client_callback(SSL *ssl, const char *hint,
110 char *identity,
111 unsigned int max_identity_len,
112 unsigned char *psk,
113 unsigned int max_psk_len);
114 static unsigned int psk_server_callback(SSL *ssl, const char *identity,
115 unsigned char *psk,
116 unsigned int max_psk_len);
117 #endif
118
119 static BIO *bio_err = NULL;
120 static BIO *bio_stdout = NULL;
121
122 #ifndef OPENSSL_NO_NEXTPROTONEG
123 /* Note that this code assumes that this is only a one element list: */
124 static const char NEXT_PROTO_STRING[] = "\x09testproto";
125 static int npn_client = 0;
126 static int npn_server = 0;
127 static int npn_server_reject = 0;
128
129 static int cb_client_npn(SSL *s, unsigned char **out, unsigned char *outlen,
130 const unsigned char *in, unsigned int inlen,
131 void *arg)
132 {
133 /*
134 * This callback only returns the protocol string, rather than a length
135 * prefixed set. We assume that NEXT_PROTO_STRING is a one element list
136 * and remove the first byte to chop off the length prefix.
137 */
138 *out = (unsigned char *)NEXT_PROTO_STRING + 1;
139 *outlen = sizeof(NEXT_PROTO_STRING) - 2;
140 return SSL_TLSEXT_ERR_OK;
141 }
142
143 static int cb_server_npn(SSL *s, const unsigned char **data,
144 unsigned int *len, void *arg)
145 {
146 *data = (const unsigned char *)NEXT_PROTO_STRING;
147 *len = sizeof(NEXT_PROTO_STRING) - 1;
148 return SSL_TLSEXT_ERR_OK;
149 }
150
151 static int cb_server_rejects_npn(SSL *s, const unsigned char **data,
152 unsigned int *len, void *arg)
153 {
154 return SSL_TLSEXT_ERR_NOACK;
155 }
156
157 static int verify_npn(SSL *client, SSL *server)
158 {
159 const unsigned char *client_s;
160 unsigned client_len;
161 const unsigned char *server_s;
162 unsigned server_len;
163
164 SSL_get0_next_proto_negotiated(client, &client_s, &client_len);
165 SSL_get0_next_proto_negotiated(server, &server_s, &server_len);
166
167 if (client_len) {
168 BIO_printf(bio_stdout, "Client NPN: ");
169 BIO_write(bio_stdout, client_s, client_len);
170 BIO_printf(bio_stdout, "\n");
171 }
172
173 if (server_len) {
174 BIO_printf(bio_stdout, "Server NPN: ");
175 BIO_write(bio_stdout, server_s, server_len);
176 BIO_printf(bio_stdout, "\n");
177 }
178
179 /*
180 * If an NPN string was returned, it must be the protocol that we
181 * expected to negotiate.
182 */
183 if (client_len && (client_len != sizeof(NEXT_PROTO_STRING) - 2 ||
184 memcmp(client_s, NEXT_PROTO_STRING + 1, client_len)))
185 return -1;
186 if (server_len && (server_len != sizeof(NEXT_PROTO_STRING) - 2 ||
187 memcmp(server_s, NEXT_PROTO_STRING + 1, server_len)))
188 return -1;
189
190 if (!npn_client && client_len)
191 return -1;
192 if (!npn_server && server_len)
193 return -1;
194 if (npn_server_reject && server_len)
195 return -1;
196 if (npn_client && npn_server && (!client_len || !server_len))
197 return -1;
198
199 return 0;
200 }
201 #endif
202
203 static const char *alpn_client;
204 static char *alpn_server;
205 static char *alpn_server2;
206 static const char *alpn_expected;
207 static unsigned char *alpn_selected;
208 static const char *server_min_proto;
209 static const char *server_max_proto;
210 static const char *client_min_proto;
211 static const char *client_max_proto;
212 static const char *should_negotiate;
213 static const char *sn_client;
214 static const char *sn_server1;
215 static const char *sn_server2;
216 static int sn_expect = 0;
217 static const char *server_sess_out;
218 static const char *server_sess_in;
219 static const char *client_sess_out;
220 static const char *client_sess_in;
221 static SSL_SESSION *server_sess;
222 static SSL_SESSION *client_sess;
223
224 static int servername_cb(SSL *s, int *ad, void *arg)
225 {
226 const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
227 if (sn_server2 == NULL) {
228 BIO_printf(bio_stdout, "Servername 2 is NULL\n");
229 return SSL_TLSEXT_ERR_NOACK;
230 }
231
232 if (servername) {
233 if (s_ctx2 != NULL && sn_server2 != NULL &&
234 !strcasecmp(servername, sn_server2)) {
235 BIO_printf(bio_stdout, "Switching server context.\n");
236 SSL_set_SSL_CTX(s, s_ctx2);
237 }
238 }
239 return SSL_TLSEXT_ERR_OK;
240 }
241 static int verify_servername(SSL *client, SSL *server)
242 {
243 /* just need to see if sn_context is what we expect */
244 SSL_CTX* ctx = SSL_get_SSL_CTX(server);
245 if (sn_expect == 0)
246 return 0;
247 if (sn_expect == 1 && ctx == s_ctx)
248 return 0;
249 if (sn_expect == 2 && ctx == s_ctx2)
250 return 0;
251 BIO_printf(bio_stdout, "Servername: expected context %d\n", sn_expect);
252 if (ctx == s_ctx2)
253 BIO_printf(bio_stdout, "Servername: context is 2\n");
254 else if (ctx == s_ctx)
255 BIO_printf(bio_stdout, "Servername: context is 1\n");
256 else
257 BIO_printf(bio_stdout, "Servername: context is unknown\n");
258 return -1;
259 }
260
261
262 /*-
263 * next_protos_parse parses a comma separated list of strings into a string
264 * in a format suitable for passing to SSL_CTX_set_next_protos_advertised.
265 * outlen: (output) set to the length of the resulting buffer on success.
266 * in: a NUL terminated string like "abc,def,ghi"
267 *
268 * returns: a malloced buffer or NULL on failure.
269 */
270 static unsigned char *next_protos_parse(size_t *outlen,
271 const char *in)
272 {
273 size_t len;
274 unsigned char *out;
275 size_t i, start = 0;
276
277 len = strlen(in);
278 if (len >= 65535)
279 return NULL;
280
281 out = OPENSSL_malloc(strlen(in) + 1);
282 if (!out)
283 return NULL;
284
285 for (i = 0; i <= len; ++i) {
286 if (i == len || in[i] == ',') {
287 if (i - start > 255) {
288 OPENSSL_free(out);
289 return NULL;
290 }
291 out[start] = (unsigned char)(i - start);
292 start = i + 1;
293 } else
294 out[i + 1] = in[i];
295 }
296
297 *outlen = len + 1;
298 return out;
299 }
300
301 static int cb_server_alpn(SSL *s, const unsigned char **out,
302 unsigned char *outlen, const unsigned char *in,
303 unsigned int inlen, void *arg)
304 {
305 unsigned char *protos;
306 size_t protos_len;
307 char* alpn_str = arg;
308
309 protos = next_protos_parse(&protos_len, alpn_str);
310 if (protos == NULL) {
311 fprintf(stderr, "failed to parser ALPN server protocol string: %s\n",
312 alpn_str);
313 abort();
314 }
315
316 if (SSL_select_next_proto
317 ((unsigned char **)out, outlen, protos, protos_len, in,
318 inlen) != OPENSSL_NPN_NEGOTIATED) {
319 OPENSSL_free(protos);
320 return SSL_TLSEXT_ERR_NOACK;
321 }
322
323 /*
324 * Make a copy of the selected protocol which will be freed in
325 * verify_alpn.
326 */
327 alpn_selected = OPENSSL_malloc(*outlen);
328 memcpy(alpn_selected, *out, *outlen);
329 *out = alpn_selected;
330
331 OPENSSL_free(protos);
332 return SSL_TLSEXT_ERR_OK;
333 }
334
335 static int verify_alpn(SSL *client, SSL *server)
336 {
337 const unsigned char *client_proto, *server_proto;
338 unsigned int client_proto_len = 0, server_proto_len = 0;
339 SSL_get0_alpn_selected(client, &client_proto, &client_proto_len);
340 SSL_get0_alpn_selected(server, &server_proto, &server_proto_len);
341
342 OPENSSL_free(alpn_selected);
343 alpn_selected = NULL;
344
345 if (client_proto_len != server_proto_len) {
346 BIO_printf(bio_stdout, "ALPN selected protocols differ!\n");
347 goto err;
348 }
349
350 if (client_proto != NULL &&
351 memcmp(client_proto, server_proto, client_proto_len) != 0) {
352 BIO_printf(bio_stdout, "ALPN selected protocols differ!\n");
353 goto err;
354 }
355
356 if (client_proto_len > 0 && alpn_expected == NULL) {
357 BIO_printf(bio_stdout, "ALPN unexpectedly negotiated\n");
358 goto err;
359 }
360
361 if (alpn_expected != NULL &&
362 (client_proto_len != strlen(alpn_expected) ||
363 memcmp(client_proto, alpn_expected, client_proto_len) != 0)) {
364 BIO_printf(bio_stdout,
365 "ALPN selected protocols not equal to expected protocol: %s\n",
366 alpn_expected);
367 goto err;
368 }
369
370 return 0;
371
372 err:
373 BIO_printf(bio_stdout, "ALPN results: client: '");
374 BIO_write(bio_stdout, client_proto, client_proto_len);
375 BIO_printf(bio_stdout, "', server: '");
376 BIO_write(bio_stdout, server_proto, server_proto_len);
377 BIO_printf(bio_stdout, "'\n");
378 BIO_printf(bio_stdout, "ALPN configured: client: '%s', server: '",
379 alpn_client);
380 if (SSL_get_SSL_CTX(server) == s_ctx2) {
381 BIO_printf(bio_stdout, "%s'\n",
382 alpn_server2);
383 } else {
384 BIO_printf(bio_stdout, "%s'\n",
385 alpn_server);
386 }
387 return -1;
388 }
389
390 /*
391 * WARNING : below extension types are *NOT* IETF assigned, and could
392 * conflict if these types are reassigned and handled specially by OpenSSL
393 * in the future
394 */
395 #define TACK_EXT_TYPE 62208
396 #define CUSTOM_EXT_TYPE_0 1000
397 #define CUSTOM_EXT_TYPE_1 1001
398 #define CUSTOM_EXT_TYPE_2 1002
399 #define CUSTOM_EXT_TYPE_3 1003
400
401 static const char custom_ext_cli_string[] = "abc";
402 static const char custom_ext_srv_string[] = "defg";
403
404 /* These set from cmdline */
405 static char *serverinfo_file = NULL;
406 static int serverinfo_sct = 0;
407 static int serverinfo_tack = 0;
408
409 /* These set based on extension callbacks */
410 static int serverinfo_sct_seen = 0;
411 static int serverinfo_tack_seen = 0;
412 static int serverinfo_other_seen = 0;
413
414 /* This set from cmdline */
415 static int custom_ext = 0;
416
417 /* This set based on extension callbacks */
418 static int custom_ext_error = 0;
419
420 static int serverinfo_cli_parse_cb(SSL *s, unsigned int ext_type,
421 const unsigned char *in, size_t inlen,
422 int *al, void *arg)
423 {
424 if (ext_type == TLSEXT_TYPE_signed_certificate_timestamp)
425 serverinfo_sct_seen++;
426 else if (ext_type == TACK_EXT_TYPE)
427 serverinfo_tack_seen++;
428 else
429 serverinfo_other_seen++;
430 return 1;
431 }
432
433 static int verify_serverinfo(void)
434 {
435 if (serverinfo_sct != serverinfo_sct_seen)
436 return -1;
437 if (serverinfo_tack != serverinfo_tack_seen)
438 return -1;
439 if (serverinfo_other_seen)
440 return -1;
441 return 0;
442 }
443
444 /*-
445 * Four test cases for custom extensions:
446 * 0 - no ClientHello extension or ServerHello response
447 * 1 - ClientHello with "abc", no response
448 * 2 - ClientHello with "abc", empty response
449 * 3 - ClientHello with "abc", "defg" response
450 */
451
452 static int custom_ext_0_cli_add_cb(SSL *s, unsigned int ext_type,
453 const unsigned char **out,
454 size_t *outlen, int *al, void *arg)
455 {
456 if (ext_type != CUSTOM_EXT_TYPE_0)
457 custom_ext_error = 1;
458 return 0; /* Don't send an extension */
459 }
460
461 static int custom_ext_0_cli_parse_cb(SSL *s, unsigned int ext_type,
462 const unsigned char *in,
463 size_t inlen, int *al, void *arg)
464 {
465 return 1;
466 }
467
468 static int custom_ext_1_cli_add_cb(SSL *s, unsigned int ext_type,
469 const unsigned char **out,
470 size_t *outlen, int *al, void *arg)
471 {
472 if (ext_type != CUSTOM_EXT_TYPE_1)
473 custom_ext_error = 1;
474 *out = (const unsigned char *)custom_ext_cli_string;
475 *outlen = strlen(custom_ext_cli_string);
476 return 1; /* Send "abc" */
477 }
478
479 static int custom_ext_1_cli_parse_cb(SSL *s, unsigned int ext_type,
480 const unsigned char *in,
481 size_t inlen, int *al, void *arg)
482 {
483 return 1;
484 }
485
486 static int custom_ext_2_cli_add_cb(SSL *s, unsigned int ext_type,
487 const unsigned char **out,
488 size_t *outlen, int *al, void *arg)
489 {
490 if (ext_type != CUSTOM_EXT_TYPE_2)
491 custom_ext_error = 1;
492 *out = (const unsigned char *)custom_ext_cli_string;
493 *outlen = strlen(custom_ext_cli_string);
494 return 1; /* Send "abc" */
495 }
496
497 static int custom_ext_2_cli_parse_cb(SSL *s, unsigned int ext_type,
498 const unsigned char *in,
499 size_t inlen, int *al, void *arg)
500 {
501 if (ext_type != CUSTOM_EXT_TYPE_2)
502 custom_ext_error = 1;
503 if (inlen != 0)
504 custom_ext_error = 1; /* Should be empty response */
505 return 1;
506 }
507
508 static int custom_ext_3_cli_add_cb(SSL *s, unsigned int ext_type,
509 const unsigned char **out,
510 size_t *outlen, int *al, void *arg)
511 {
512 if (ext_type != CUSTOM_EXT_TYPE_3)
513 custom_ext_error = 1;
514 *out = (const unsigned char *)custom_ext_cli_string;
515 *outlen = strlen(custom_ext_cli_string);
516 return 1; /* Send "abc" */
517 }
518
519 static int custom_ext_3_cli_parse_cb(SSL *s, unsigned int ext_type,
520 const unsigned char *in,
521 size_t inlen, int *al, void *arg)
522 {
523 if (ext_type != CUSTOM_EXT_TYPE_3)
524 custom_ext_error = 1;
525 if (inlen != strlen(custom_ext_srv_string))
526 custom_ext_error = 1;
527 if (memcmp(custom_ext_srv_string, in, inlen) != 0)
528 custom_ext_error = 1; /* Check for "defg" */
529 return 1;
530 }
531
532 /*
533 * custom_ext_0_cli_add_cb returns 0 - the server won't receive a callback
534 * for this extension
535 */
536 static int custom_ext_0_srv_parse_cb(SSL *s, unsigned int ext_type,
537 const unsigned char *in,
538 size_t inlen, int *al, void *arg)
539 {
540 custom_ext_error = 1;
541 return 1;
542 }
543
544 /* 'add' callbacks are only called if the 'parse' callback is called */
545 static int custom_ext_0_srv_add_cb(SSL *s, unsigned int ext_type,
546 const unsigned char **out,
547 size_t *outlen, int *al, void *arg)
548 {
549 /* Error: should not have been called */
550 custom_ext_error = 1;
551 return 0; /* Don't send an extension */
552 }
553
554 static int custom_ext_1_srv_parse_cb(SSL *s, unsigned int ext_type,
555 const unsigned char *in,
556 size_t inlen, int *al, void *arg)
557 {
558 if (ext_type != CUSTOM_EXT_TYPE_1)
559 custom_ext_error = 1;
560 /* Check for "abc" */
561 if (inlen != strlen(custom_ext_cli_string))
562 custom_ext_error = 1;
563 if (memcmp(in, custom_ext_cli_string, inlen) != 0)
564 custom_ext_error = 1;
565 return 1;
566 }
567
568 static int custom_ext_1_srv_add_cb(SSL *s, unsigned int ext_type,
569 const unsigned char **out,
570 size_t *outlen, int *al, void *arg)
571 {
572 return 0; /* Don't send an extension */
573 }
574
575 static int custom_ext_2_srv_parse_cb(SSL *s, unsigned int ext_type,
576 const unsigned char *in,
577 size_t inlen, int *al, void *arg)
578 {
579 if (ext_type != CUSTOM_EXT_TYPE_2)
580 custom_ext_error = 1;
581 /* Check for "abc" */
582 if (inlen != strlen(custom_ext_cli_string))
583 custom_ext_error = 1;
584 if (memcmp(in, custom_ext_cli_string, inlen) != 0)
585 custom_ext_error = 1;
586 return 1;
587 }
588
589 static int custom_ext_2_srv_add_cb(SSL *s, unsigned int ext_type,
590 const unsigned char **out,
591 size_t *outlen, int *al, void *arg)
592 {
593 *out = NULL;
594 *outlen = 0;
595 return 1; /* Send empty extension */
596 }
597
598 static int custom_ext_3_srv_parse_cb(SSL *s, unsigned int ext_type,
599 const unsigned char *in,
600 size_t inlen, int *al, void *arg)
601 {
602 if (ext_type != CUSTOM_EXT_TYPE_3)
603 custom_ext_error = 1;
604 /* Check for "abc" */
605 if (inlen != strlen(custom_ext_cli_string))
606 custom_ext_error = 1;
607 if (memcmp(in, custom_ext_cli_string, inlen) != 0)
608 custom_ext_error = 1;
609 return 1;
610 }
611
612 static int custom_ext_3_srv_add_cb(SSL *s, unsigned int ext_type,
613 const unsigned char **out,
614 size_t *outlen, int *al, void *arg)
615 {
616 *out = (const unsigned char *)custom_ext_srv_string;
617 *outlen = strlen(custom_ext_srv_string);
618 return 1; /* Send "defg" */
619 }
620
621 static char *cipher = NULL;
622 static char *ciphersuites = NULL;
623 static int verbose = 0;
624 static int debug = 0;
625
626 int doit_localhost(SSL *s_ssl, SSL *c_ssl, int family,
627 long bytes, clock_t *s_time, clock_t *c_time);
628 int doit_biopair(SSL *s_ssl, SSL *c_ssl, long bytes, clock_t *s_time,
629 clock_t *c_time);
630 int doit(SSL *s_ssl, SSL *c_ssl, long bytes);
631
632 static void sv_usage(void)
633 {
634 fprintf(stderr, "usage: ssltest [args ...]\n");
635 fprintf(stderr, "\n");
636 fprintf(stderr, " -server_auth - check server certificate\n");
637 fprintf(stderr, " -client_auth - do client authentication\n");
638 fprintf(stderr, " -v - more output\n");
639 fprintf(stderr, " -d - debug output\n");
640 fprintf(stderr, " -reuse - use session-id reuse\n");
641 fprintf(stderr, " -num <val> - number of connections to perform\n");
642 fprintf(stderr,
643 " -bytes <val> - number of bytes to swap between client/server\n");
644 #ifndef OPENSSL_NO_DH
645 fprintf(stderr,
646 " -dhe512 - use 512 bit key for DHE (to test failure)\n");
647 fprintf(stderr,
648 " -dhe1024 - use 1024 bit key (safe prime) for DHE (default, no-op)\n");
649 fprintf(stderr,
650 " -dhe1024dsa - use 1024 bit key (with 160-bit subprime) for DHE\n");
651 fprintf(stderr, " -no_dhe - disable DHE\n");
652 #endif
653 #ifndef OPENSSL_NO_EC
654 fprintf(stderr, " -no_ecdhe - disable ECDHE\nTODO(openssl-team): no_ecdhe was broken by auto ecdh. Make this work again.\n");
655 #endif
656 #ifndef OPENSSL_NO_PSK
657 fprintf(stderr, " -psk arg - PSK in hex (without 0x)\n");
658 #endif
659 #ifndef OPENSSL_NO_SSL3
660 fprintf(stderr, " -ssl3 - use SSLv3\n");
661 #endif
662 #ifndef OPENSSL_NO_TLS1
663 fprintf(stderr, " -tls1 - use TLSv1\n");
664 #endif
665 #ifndef OPENSSL_NO_DTLS
666 fprintf(stderr, " -dtls - use DTLS\n");
667 #ifndef OPENSSL_NO_DTLS1
668 fprintf(stderr, " -dtls1 - use DTLSv1\n");
669 #endif
670 #ifndef OPENSSL_NO_DTLS1_2
671 fprintf(stderr, " -dtls12 - use DTLSv1.2\n");
672 #endif
673 #endif
674 fprintf(stderr, " -CApath arg - PEM format directory of CA's\n");
675 fprintf(stderr, " -CAfile arg - PEM format file of CA's\n");
676 fprintf(stderr, " -cert arg - Server certificate file\n");
677 fprintf(stderr,
678 " -key arg - Server key file (default: same as -cert)\n");
679 fprintf(stderr, " -c_cert arg - Client certificate file\n");
680 fprintf(stderr,
681 " -c_key arg - Client key file (default: same as -c_cert)\n");
682 fprintf(stderr, " -cipher arg - The TLSv1.2 and below cipher list\n");
683 fprintf(stderr, " -ciphersuites arg - The TLSv1.3 ciphersuites\n");
684 fprintf(stderr, " -bio_pair - Use BIO pairs\n");
685 fprintf(stderr, " -ipv4 - Use IPv4 connection on localhost\n");
686 fprintf(stderr, " -ipv6 - Use IPv6 connection on localhost\n");
687 fprintf(stderr, " -f - Test even cases that can't work\n");
688 fprintf(stderr,
689 " -time - measure processor time used by client and server\n");
690 fprintf(stderr, " -zlib - use zlib compression\n");
691 #ifndef OPENSSL_NO_NEXTPROTONEG
692 fprintf(stderr, " -npn_client - have client side offer NPN\n");
693 fprintf(stderr, " -npn_server - have server side offer NPN\n");
694 fprintf(stderr, " -npn_server_reject - have server reject NPN\n");
695 #endif
696 fprintf(stderr, " -serverinfo_file file - have server use this file\n");
697 fprintf(stderr, " -serverinfo_sct - have client offer and expect SCT\n");
698 fprintf(stderr,
699 " -serverinfo_tack - have client offer and expect TACK\n");
700 fprintf(stderr,
701 " -custom_ext - try various custom extension callbacks\n");
702 fprintf(stderr, " -alpn_client <string> - have client side offer ALPN\n");
703 fprintf(stderr, " -alpn_server <string> - have server side offer ALPN\n");
704 fprintf(stderr, " -alpn_server1 <string> - alias for -alpn_server\n");
705 fprintf(stderr, " -alpn_server2 <string> - have server side context 2 offer ALPN\n");
706 fprintf(stderr,
707 " -alpn_expected <string> - the ALPN protocol that should be negotiated\n");
708 fprintf(stderr, " -server_min_proto <string> - Minimum version the server should support\n");
709 fprintf(stderr, " -server_max_proto <string> - Maximum version the server should support\n");
710 fprintf(stderr, " -client_min_proto <string> - Minimum version the client should support\n");
711 fprintf(stderr, " -client_max_proto <string> - Maximum version the client should support\n");
712 fprintf(stderr, " -should_negotiate <string> - The version that should be negotiated, fail-client or fail-server\n");
713 #ifndef OPENSSL_NO_CT
714 fprintf(stderr, " -noct - no certificate transparency\n");
715 fprintf(stderr, " -requestct - request certificate transparency\n");
716 fprintf(stderr, " -requirect - require certificate transparency\n");
717 #endif
718 fprintf(stderr, " -sn_client <string> - have client request this servername\n");
719 fprintf(stderr, " -sn_server1 <string> - have server context 1 respond to this servername\n");
720 fprintf(stderr, " -sn_server2 <string> - have server context 2 respond to this servername\n");
721 fprintf(stderr, " -sn_expect1 - expected server 1\n");
722 fprintf(stderr, " -sn_expect2 - expected server 2\n");
723 fprintf(stderr, " -server_sess_out <file> - Save the server session to a file\n");
724 fprintf(stderr, " -server_sess_in <file> - Read the server session from a file\n");
725 fprintf(stderr, " -client_sess_out <file> - Save the client session to a file\n");
726 fprintf(stderr, " -client_sess_in <file> - Read the client session from a file\n");
727 fprintf(stderr, " -should_reuse <number> - The expected state of reusing the session\n");
728 fprintf(stderr, " -no_ticket - do not issue TLS session ticket\n");
729 fprintf(stderr, " -provider <name> - Load the given provider into the library context\n");
730 fprintf(stderr, " -config <cnf> - Load the given config file into the library context\n");
731 }
732
733 static void print_key_details(BIO *out, EVP_PKEY *key)
734 {
735 int keyid = EVP_PKEY_id(key);
736 #ifndef OPENSSL_NO_EC
737 if (keyid == EVP_PKEY_EC) {
738 EC_KEY *ec = EVP_PKEY_get1_EC_KEY(key);
739 int nid;
740 const char *cname;
741 nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
742 EC_KEY_free(ec);
743 cname = EC_curve_nid2nist(nid);
744 if (!cname)
745 cname = OBJ_nid2sn(nid);
746 BIO_printf(out, "%d bits EC (%s)", EVP_PKEY_bits(key), cname);
747 } else
748 #endif
749 {
750 const char *algname;
751 switch (keyid) {
752 case EVP_PKEY_RSA:
753 algname = "RSA";
754 break;
755 case EVP_PKEY_DSA:
756 algname = "DSA";
757 break;
758 case EVP_PKEY_DH:
759 algname = "DH";
760 break;
761 default:
762 algname = OBJ_nid2sn(keyid);
763 break;
764 }
765 BIO_printf(out, "%d bits %s", EVP_PKEY_bits(key), algname);
766 }
767 }
768
769 static void print_details(SSL *c_ssl, const char *prefix)
770 {
771 const SSL_CIPHER *ciph;
772 int mdnid;
773 X509 *cert;
774 EVP_PKEY *pkey;
775
776 ciph = SSL_get_current_cipher(c_ssl);
777 BIO_printf(bio_stdout, "%s%s, cipher %s %s",
778 prefix,
779 SSL_get_version(c_ssl),
780 SSL_CIPHER_get_version(ciph), SSL_CIPHER_get_name(ciph));
781 cert = SSL_get0_peer_certificate(c_ssl);
782 if (cert != NULL) {
783 EVP_PKEY* pubkey = X509_get0_pubkey(cert);
784
785 if (pubkey != NULL) {
786 BIO_puts(bio_stdout, ", ");
787 print_key_details(bio_stdout, pubkey);
788 }
789 }
790 if (SSL_get_peer_tmp_key(c_ssl, &pkey)) {
791 BIO_puts(bio_stdout, ", temp key: ");
792 print_key_details(bio_stdout, pkey);
793 EVP_PKEY_free(pkey);
794 }
795 if (SSL_get_peer_signature_nid(c_ssl, &mdnid))
796 BIO_printf(bio_stdout, ", digest=%s", OBJ_nid2sn(mdnid));
797 BIO_printf(bio_stdout, "\n");
798 }
799
800 /*
801 * protocol_from_string - converts a protocol version string to a number
802 *
803 * Returns -1 on failure or the version on success
804 */
805 static int protocol_from_string(const char *value)
806 {
807 struct protocol_versions {
808 const char *name;
809 int version;
810 };
811 static const struct protocol_versions versions[] = {
812 {"ssl3", SSL3_VERSION},
813 {"tls1", TLS1_VERSION},
814 {"tls1.1", TLS1_1_VERSION},
815 {"tls1.2", TLS1_2_VERSION},
816 {"tls1.3", TLS1_3_VERSION},
817 {"dtls1", DTLS1_VERSION},
818 {"dtls1.2", DTLS1_2_VERSION}};
819 size_t i;
820 size_t n = OSSL_NELEM(versions);
821
822 for (i = 0; i < n; i++)
823 if (strcmp(versions[i].name, value) == 0)
824 return versions[i].version;
825 return -1;
826 }
827
828 static SSL_SESSION *read_session(const char *filename)
829 {
830 SSL_SESSION *sess;
831 BIO *f = BIO_new_file(filename, "r");
832
833 if (f == NULL) {
834 BIO_printf(bio_err, "Can't open session file %s\n", filename);
835 ERR_print_errors(bio_err);
836 return NULL;
837 }
838 sess = PEM_read_bio_SSL_SESSION(f, NULL, 0, NULL);
839 if (sess == NULL) {
840 BIO_printf(bio_err, "Can't parse session file %s\n", filename);
841 ERR_print_errors(bio_err);
842 }
843 BIO_free(f);
844 return sess;
845 }
846
847 static int write_session(const char *filename, SSL_SESSION *sess)
848 {
849 BIO *f = BIO_new_file(filename, "w");
850
851 if (sess == NULL) {
852 BIO_printf(bio_err, "No session information\n");
853 return 0;
854 }
855 if (f == NULL) {
856 BIO_printf(bio_err, "Can't open session file %s\n", filename);
857 ERR_print_errors(bio_err);
858 return 0;
859 }
860 PEM_write_bio_SSL_SESSION(f, sess);
861 BIO_free(f);
862 return 1;
863 }
864
865 /*
866 * set_protocol_version - Sets protocol version minimum or maximum
867 *
868 * Returns 0 on failure and 1 on success
869 */
870 static int set_protocol_version(const char *version, SSL *ssl, int setting)
871 {
872 if (version != NULL) {
873 int ver = protocol_from_string(version);
874 if (ver < 0) {
875 BIO_printf(bio_err, "Error parsing: %s\n", version);
876 return 0;
877 }
878 return SSL_ctrl(ssl, setting, ver, NULL);
879 }
880 return 1;
881 }
882
883 int main(int argc, char *argv[])
884 {
885 const char *CApath = NULL, *CAfile = NULL;
886 int badop = 0;
887 enum { BIO_MEM, BIO_PAIR, BIO_IPV4, BIO_IPV6 } bio_type = BIO_MEM;
888 int force = 0;
889 int dtls1 = 0, dtls12 = 0, dtls = 0, tls1 = 0, tls1_2 = 0, ssl3 = 0;
890 int ret = EXIT_FAILURE;
891 int client_auth = 0;
892 int server_auth = 0, i;
893 struct app_verify_arg app_verify_arg =
894 { APP_CALLBACK_STRING, 0 };
895 SSL_CTX *c_ctx = NULL;
896 const SSL_METHOD *meth = NULL;
897 SSL *c_ssl, *s_ssl;
898 int number = 1, reuse = 0;
899 int should_reuse = -1;
900 int no_ticket = 0;
901 long bytes = 256L;
902 #ifndef OPENSSL_NO_DH
903 DH *dh;
904 int dhe512 = 0, dhe1024dsa = 0;
905 #endif
906 int no_dhe = 0;
907 int no_psk = 0;
908 int print_time = 0;
909 clock_t s_time = 0, c_time = 0;
910 #ifndef OPENSSL_NO_COMP
911 int n, comp = 0;
912 COMP_METHOD *cm = NULL;
913 STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
914 #endif
915 int no_protocol;
916 int min_version = 0, max_version = 0;
917 #ifndef OPENSSL_NO_CT
918 /*
919 * Disable CT validation by default, because it will interfere with
920 * anything using custom extension handlers to deal with SCT extensions.
921 */
922 int ct_validation = 0;
923 #endif
924 SSL_CONF_CTX *s_cctx = NULL, *c_cctx = NULL, *s_cctx2 = NULL;
925 STACK_OF(OPENSSL_STRING) *conf_args = NULL;
926 char *arg = NULL, *argn = NULL;
927 const char *provider = NULL, *config = NULL;
928 OSSL_PROVIDER *thisprov = NULL, *defctxnull = NULL;
929 OPENSSL_CTX *libctx = NULL;
930
931 verbose = 0;
932 debug = 0;
933
934 bio_err = BIO_new_fp(stderr, BIO_NOCLOSE | BIO_FP_TEXT);
935 bio_stdout = BIO_new_fp(stdout, BIO_NOCLOSE | BIO_FP_TEXT);
936
937 s_cctx = SSL_CONF_CTX_new();
938 s_cctx2 = SSL_CONF_CTX_new();
939 c_cctx = SSL_CONF_CTX_new();
940
941 if (!s_cctx || !c_cctx || !s_cctx2) {
942 ERR_print_errors(bio_err);
943 goto end;
944 }
945
946 SSL_CONF_CTX_set_flags(s_cctx,
947 SSL_CONF_FLAG_CMDLINE | SSL_CONF_FLAG_SERVER |
948 SSL_CONF_FLAG_CERTIFICATE |
949 SSL_CONF_FLAG_REQUIRE_PRIVATE);
950 SSL_CONF_CTX_set_flags(s_cctx2,
951 SSL_CONF_FLAG_CMDLINE | SSL_CONF_FLAG_SERVER |
952 SSL_CONF_FLAG_CERTIFICATE |
953 SSL_CONF_FLAG_REQUIRE_PRIVATE);
954 if (!SSL_CONF_CTX_set1_prefix(s_cctx, "-s_")) {
955 ERR_print_errors(bio_err);
956 goto end;
957 }
958 if (!SSL_CONF_CTX_set1_prefix(s_cctx2, "-s_")) {
959 ERR_print_errors(bio_err);
960 goto end;
961 }
962
963 SSL_CONF_CTX_set_flags(c_cctx,
964 SSL_CONF_FLAG_CMDLINE | SSL_CONF_FLAG_CLIENT |
965 SSL_CONF_FLAG_CERTIFICATE |
966 SSL_CONF_FLAG_REQUIRE_PRIVATE);
967 if (!SSL_CONF_CTX_set1_prefix(c_cctx, "-c_")) {
968 ERR_print_errors(bio_err);
969 goto end;
970 }
971
972 argc--;
973 argv++;
974
975 while (argc >= 1) {
976 if (strcmp(*argv, "-F") == 0) {
977 fprintf(stderr,
978 "not compiled with FIPS support, so exiting without running.\n");
979 EXIT(0);
980 } else if (strcmp(*argv, "-server_auth") == 0)
981 server_auth = 1;
982 else if (strcmp(*argv, "-client_auth") == 0)
983 client_auth = 1;
984 else if (strcmp(*argv, "-v") == 0)
985 verbose = 1;
986 else if (strcmp(*argv, "-d") == 0)
987 debug = 1;
988 else if (strcmp(*argv, "-reuse") == 0)
989 reuse = 1;
990 else if (strcmp(*argv, "-dhe512") == 0) {
991 #ifndef OPENSSL_NO_DH
992 dhe512 = 1;
993 #else
994 fprintf(stderr,
995 "ignoring -dhe512, since I'm compiled without DH\n");
996 #endif
997 } else if (strcmp(*argv, "-dhe1024dsa") == 0) {
998 #ifndef OPENSSL_NO_DH
999 dhe1024dsa = 1;
1000 #else
1001 fprintf(stderr,
1002 "ignoring -dhe1024dsa, since I'm compiled without DH\n");
1003 #endif
1004 } else if (strcmp(*argv, "-no_dhe") == 0)
1005 no_dhe = 1;
1006 else if (strcmp(*argv, "-no_ecdhe") == 0)
1007 /* obsolete */;
1008 else if (strcmp(*argv, "-psk") == 0) {
1009 if (--argc < 1)
1010 goto bad;
1011 psk_key = *(++argv);
1012 #ifndef OPENSSL_NO_PSK
1013 if (strspn(psk_key, "abcdefABCDEF1234567890") != strlen(psk_key)) {
1014 BIO_printf(bio_err, "Not a hex number '%s'\n", *argv);
1015 goto bad;
1016 }
1017 #else
1018 no_psk = 1;
1019 #endif
1020 }
1021 else if (strcmp(*argv, "-tls1_2") == 0) {
1022 tls1_2 = 1;
1023 } else if (strcmp(*argv, "-tls1") == 0) {
1024 tls1 = 1;
1025 } else if (strcmp(*argv, "-ssl3") == 0) {
1026 ssl3 = 1;
1027 } else if (strcmp(*argv, "-dtls1") == 0) {
1028 dtls1 = 1;
1029 } else if (strcmp(*argv, "-dtls12") == 0) {
1030 dtls12 = 1;
1031 } else if (strcmp(*argv, "-dtls") == 0) {
1032 dtls = 1;
1033 } else if (strncmp(*argv, "-num", 4) == 0) {
1034 if (--argc < 1)
1035 goto bad;
1036 number = atoi(*(++argv));
1037 if (number == 0)
1038 number = 1;
1039 } else if (strcmp(*argv, "-bytes") == 0) {
1040 if (--argc < 1)
1041 goto bad;
1042 bytes = atol(*(++argv));
1043 if (bytes == 0L)
1044 bytes = 1L;
1045 i = strlen(argv[0]);
1046 if (argv[0][i - 1] == 'k')
1047 bytes *= 1024L;
1048 if (argv[0][i - 1] == 'm')
1049 bytes *= 1024L * 1024L;
1050 } else if (strcmp(*argv, "-cipher") == 0) {
1051 if (--argc < 1)
1052 goto bad;
1053 cipher = *(++argv);
1054 } else if (strcmp(*argv, "-ciphersuites") == 0) {
1055 if (--argc < 1)
1056 goto bad;
1057 ciphersuites = *(++argv);
1058 } else if (strcmp(*argv, "-CApath") == 0) {
1059 if (--argc < 1)
1060 goto bad;
1061 CApath = *(++argv);
1062 } else if (strcmp(*argv, "-CAfile") == 0) {
1063 if (--argc < 1)
1064 goto bad;
1065 CAfile = *(++argv);
1066 } else if (strcmp(*argv, "-bio_pair") == 0) {
1067 bio_type = BIO_PAIR;
1068 }
1069 #ifndef OPENSSL_NO_SOCK
1070 else if (strcmp(*argv, "-ipv4") == 0) {
1071 bio_type = BIO_IPV4;
1072 } else if (strcmp(*argv, "-ipv6") == 0) {
1073 bio_type = BIO_IPV6;
1074 }
1075 #endif
1076 else if (strcmp(*argv, "-f") == 0) {
1077 force = 1;
1078 } else if (strcmp(*argv, "-time") == 0) {
1079 print_time = 1;
1080 }
1081 #ifndef OPENSSL_NO_CT
1082 else if (strcmp(*argv, "-noct") == 0) {
1083 ct_validation = 0;
1084 }
1085 else if (strcmp(*argv, "-ct") == 0) {
1086 ct_validation = 1;
1087 }
1088 #endif
1089 #ifndef OPENSSL_NO_COMP
1090 else if (strcmp(*argv, "-zlib") == 0) {
1091 comp = COMP_ZLIB;
1092 }
1093 #endif
1094 else if (strcmp(*argv, "-app_verify") == 0) {
1095 app_verify_arg.app_verify = 1;
1096 }
1097 #ifndef OPENSSL_NO_NEXTPROTONEG
1098 else if (strcmp(*argv, "-npn_client") == 0) {
1099 npn_client = 1;
1100 } else if (strcmp(*argv, "-npn_server") == 0) {
1101 npn_server = 1;
1102 } else if (strcmp(*argv, "-npn_server_reject") == 0) {
1103 npn_server_reject = 1;
1104 }
1105 #endif
1106 else if (strcmp(*argv, "-serverinfo_sct") == 0) {
1107 serverinfo_sct = 1;
1108 } else if (strcmp(*argv, "-serverinfo_tack") == 0) {
1109 serverinfo_tack = 1;
1110 } else if (strcmp(*argv, "-serverinfo_file") == 0) {
1111 if (--argc < 1)
1112 goto bad;
1113 serverinfo_file = *(++argv);
1114 } else if (strcmp(*argv, "-custom_ext") == 0) {
1115 custom_ext = 1;
1116 } else if (strcmp(*argv, "-alpn_client") == 0) {
1117 if (--argc < 1)
1118 goto bad;
1119 alpn_client = *(++argv);
1120 } else if (strcmp(*argv, "-alpn_server") == 0 ||
1121 strcmp(*argv, "-alpn_server1") == 0) {
1122 if (--argc < 1)
1123 goto bad;
1124 alpn_server = *(++argv);
1125 } else if (strcmp(*argv, "-alpn_server2") == 0) {
1126 if (--argc < 1)
1127 goto bad;
1128 alpn_server2 = *(++argv);
1129 } else if (strcmp(*argv, "-alpn_expected") == 0) {
1130 if (--argc < 1)
1131 goto bad;
1132 alpn_expected = *(++argv);
1133 } else if (strcmp(*argv, "-server_min_proto") == 0) {
1134 if (--argc < 1)
1135 goto bad;
1136 server_min_proto = *(++argv);
1137 } else if (strcmp(*argv, "-server_max_proto") == 0) {
1138 if (--argc < 1)
1139 goto bad;
1140 server_max_proto = *(++argv);
1141 } else if (strcmp(*argv, "-client_min_proto") == 0) {
1142 if (--argc < 1)
1143 goto bad;
1144 client_min_proto = *(++argv);
1145 } else if (strcmp(*argv, "-client_max_proto") == 0) {
1146 if (--argc < 1)
1147 goto bad;
1148 client_max_proto = *(++argv);
1149 } else if (strcmp(*argv, "-should_negotiate") == 0) {
1150 if (--argc < 1)
1151 goto bad;
1152 should_negotiate = *(++argv);
1153 } else if (strcmp(*argv, "-sn_client") == 0) {
1154 if (--argc < 1)
1155 goto bad;
1156 sn_client = *(++argv);
1157 } else if (strcmp(*argv, "-sn_server1") == 0) {
1158 if (--argc < 1)
1159 goto bad;
1160 sn_server1 = *(++argv);
1161 } else if (strcmp(*argv, "-sn_server2") == 0) {
1162 if (--argc < 1)
1163 goto bad;
1164 sn_server2 = *(++argv);
1165 } else if (strcmp(*argv, "-sn_expect1") == 0) {
1166 sn_expect = 1;
1167 } else if (strcmp(*argv, "-sn_expect2") == 0) {
1168 sn_expect = 2;
1169 } else if (strcmp(*argv, "-server_sess_out") == 0) {
1170 if (--argc < 1)
1171 goto bad;
1172 server_sess_out = *(++argv);
1173 } else if (strcmp(*argv, "-server_sess_in") == 0) {
1174 if (--argc < 1)
1175 goto bad;
1176 server_sess_in = *(++argv);
1177 } else if (strcmp(*argv, "-client_sess_out") == 0) {
1178 if (--argc < 1)
1179 goto bad;
1180 client_sess_out = *(++argv);
1181 } else if (strcmp(*argv, "-client_sess_in") == 0) {
1182 if (--argc < 1)
1183 goto bad;
1184 client_sess_in = *(++argv);
1185 } else if (strcmp(*argv, "-should_reuse") == 0) {
1186 if (--argc < 1)
1187 goto bad;
1188 should_reuse = !!atoi(*(++argv));
1189 } else if (strcmp(*argv, "-no_ticket") == 0) {
1190 no_ticket = 1;
1191 } else if (strcmp(*argv, "-provider") == 0) {
1192 if (--argc < 1)
1193 goto bad;
1194 provider = *(++argv);
1195 } else if (strcmp(*argv, "-config") == 0) {
1196 if (--argc < 1)
1197 goto bad;
1198 config = *(++argv);
1199 } else {
1200 int rv;
1201 arg = argv[0];
1202 argn = argv[1];
1203 /* Try to process command using SSL_CONF */
1204 rv = SSL_CONF_cmd_argv(c_cctx, &argc, &argv);
1205 /* If not processed try server */
1206 if (rv == 0)
1207 rv = SSL_CONF_cmd_argv(s_cctx, &argc, &argv);
1208 /* Recognised: store it for later use */
1209 if (rv > 0) {
1210 if (rv == 1)
1211 argn = NULL;
1212 if (!conf_args) {
1213 conf_args = sk_OPENSSL_STRING_new_null();
1214 if (!conf_args)
1215 goto end;
1216 }
1217 if (!sk_OPENSSL_STRING_push(conf_args, arg))
1218 goto end;
1219 if (!sk_OPENSSL_STRING_push(conf_args, argn))
1220 goto end;
1221 continue;
1222 }
1223 if (rv == -3)
1224 BIO_printf(bio_err, "Missing argument for %s\n", arg);
1225 else if (rv < 0)
1226 BIO_printf(bio_err, "Error with command %s\n", arg);
1227 else if (rv == 0)
1228 BIO_printf(bio_err, "unknown option %s\n", arg);
1229 badop = 1;
1230 break;
1231 }
1232 argc--;
1233 argv++;
1234 }
1235 if (badop) {
1236 bad:
1237 sv_usage();
1238 goto end;
1239 }
1240
1241 if (ssl3 + tls1 + tls1_2 + dtls + dtls1 + dtls12 > 1) {
1242 fprintf(stderr, "At most one of -ssl3, -tls1, -tls1_2, -dtls, -dtls1 or -dtls12 should "
1243 "be requested.\n");
1244 EXIT(1);
1245 }
1246
1247 #ifdef OPENSSL_NO_SSL3
1248 if (ssl3)
1249 no_protocol = 1;
1250 else
1251 #endif
1252 #ifdef OPENSSL_NO_TLS1
1253 if (tls1)
1254 no_protocol = 1;
1255 else
1256 #endif
1257 #ifdef OPENSSL_NO_TLS1_2
1258 if (tls1_2)
1259 no_protocol = 1;
1260 else
1261 #endif
1262 #if defined(OPENSSL_NO_DTLS) || defined(OPENSSL_NO_DTLS1)
1263 if (dtls1)
1264 no_protocol = 1;
1265 else
1266 #endif
1267 #if defined(OPENSSL_NO_DTLS) || defined(OPENSSL_NO_DTLS1_2)
1268 if (dtls12)
1269 no_protocol = 1;
1270 else
1271 #endif
1272 no_protocol = 0;
1273
1274 /*
1275 * Testing was requested for a compiled-out protocol (e.g. SSLv3).
1276 * Ideally, we would error out, but the generic test wrapper can't know
1277 * when to expect failure. So we do nothing and return success.
1278 */
1279 if (no_protocol) {
1280 fprintf(stderr, "Testing was requested for a disabled protocol. "
1281 "Skipping tests.\n");
1282 ret = EXIT_SUCCESS;
1283 goto end;
1284 }
1285
1286 if (!ssl3 && !tls1 && !tls1_2 && !dtls && !dtls1 && !dtls12 && number > 1
1287 && !reuse && !force) {
1288 fprintf(stderr, "This case cannot work. Use -f to perform "
1289 "the test anyway (and\n-d to see what happens), "
1290 "or add one of -ssl3, -tls1, -tls1_2, -dtls, -dtls1, -dtls12, -reuse\n"
1291 "to avoid protocol mismatch.\n");
1292 EXIT(1);
1293 }
1294
1295 if (print_time) {
1296 if (bio_type != BIO_PAIR) {
1297 fprintf(stderr, "Using BIO pair (-bio_pair)\n");
1298 bio_type = BIO_PAIR;
1299 }
1300 if (number < 50 && !force)
1301 fprintf(stderr,
1302 "Warning: For accurate timings, use more connections (e.g. -num 1000)\n");
1303 }
1304
1305 #ifndef OPENSSL_NO_COMP
1306 if (comp == COMP_ZLIB)
1307 cm = COMP_zlib();
1308 if (cm != NULL) {
1309 if (COMP_get_type(cm) != NID_undef) {
1310 if (SSL_COMP_add_compression_method(comp, cm) != 0) {
1311 fprintf(stderr, "Failed to add compression method\n");
1312 ERR_print_errors_fp(stderr);
1313 }
1314 } else {
1315 fprintf(stderr,
1316 "Warning: %s compression not supported\n",
1317 comp == COMP_ZLIB ? "zlib" : "unknown");
1318 ERR_print_errors_fp(stderr);
1319 }
1320 }
1321 ssl_comp_methods = SSL_COMP_get_compression_methods();
1322 n = sk_SSL_COMP_num(ssl_comp_methods);
1323 if (n) {
1324 int j;
1325 printf("Available compression methods:");
1326 for (j = 0; j < n; j++) {
1327 SSL_COMP *c = sk_SSL_COMP_value(ssl_comp_methods, j);
1328 printf(" %s:%d", SSL_COMP_get0_name(c), SSL_COMP_get_id(c));
1329 }
1330 printf("\n");
1331 }
1332 #endif
1333
1334 #ifndef OPENSSL_NO_TLS
1335 meth = TLS_method();
1336 if (ssl3) {
1337 min_version = SSL3_VERSION;
1338 max_version = SSL3_VERSION;
1339 } else if (tls1) {
1340 min_version = TLS1_VERSION;
1341 max_version = TLS1_VERSION;
1342 } else if (tls1_2) {
1343 min_version = TLS1_2_VERSION;
1344 max_version = TLS1_2_VERSION;
1345 } else {
1346 min_version = 0;
1347 max_version = 0;
1348 }
1349 #endif
1350 #ifndef OPENSSL_NO_DTLS
1351 if (dtls || dtls1 || dtls12) {
1352 meth = DTLS_method();
1353 if (dtls1) {
1354 min_version = DTLS1_VERSION;
1355 max_version = DTLS1_VERSION;
1356 } else if (dtls12) {
1357 min_version = DTLS1_2_VERSION;
1358 max_version = DTLS1_2_VERSION;
1359 } else {
1360 min_version = 0;
1361 max_version = 0;
1362 }
1363 }
1364 #endif
1365
1366 if (provider != NULL) {
1367 defctxnull = OSSL_PROVIDER_load(NULL, "null");
1368 if (defctxnull == NULL)
1369 goto end;
1370 libctx = OPENSSL_CTX_new();
1371 if (libctx == NULL)
1372 goto end;
1373
1374 if (config != NULL
1375 && !OPENSSL_CTX_load_config(libctx, config))
1376 goto end;
1377
1378 thisprov = OSSL_PROVIDER_load(libctx, provider);
1379 if (thisprov == NULL)
1380 goto end;
1381 }
1382
1383 c_ctx = SSL_CTX_new_with_libctx(libctx, NULL, meth);
1384 s_ctx = SSL_CTX_new_with_libctx(libctx, NULL, meth);
1385 s_ctx2 = SSL_CTX_new_with_libctx(libctx, NULL, meth); /* no SSL_CTX_dup! */
1386 if ((c_ctx == NULL) || (s_ctx == NULL) || (s_ctx2 == NULL)) {
1387 ERR_print_errors(bio_err);
1388 goto end;
1389 }
1390 /*
1391 * Since we will use low security ciphersuites and keys for testing set
1392 * security level to zero by default. Tests can override this by adding
1393 * "@SECLEVEL=n" to the cipher string.
1394 */
1395 SSL_CTX_set_security_level(c_ctx, 0);
1396 SSL_CTX_set_security_level(s_ctx, 0);
1397 SSL_CTX_set_security_level(s_ctx2, 0);
1398
1399 if (no_ticket) {
1400 SSL_CTX_set_options(c_ctx, SSL_OP_NO_TICKET);
1401 SSL_CTX_set_options(s_ctx, SSL_OP_NO_TICKET);
1402 }
1403
1404 if (SSL_CTX_set_min_proto_version(c_ctx, min_version) == 0)
1405 goto end;
1406 if (SSL_CTX_set_max_proto_version(c_ctx, max_version) == 0)
1407 goto end;
1408 if (SSL_CTX_set_min_proto_version(s_ctx, min_version) == 0)
1409 goto end;
1410 if (SSL_CTX_set_max_proto_version(s_ctx, max_version) == 0)
1411 goto end;
1412
1413 if (cipher != NULL) {
1414 if (strcmp(cipher, "") == 0) {
1415 if (!SSL_CTX_set_cipher_list(c_ctx, cipher)) {
1416 if (ERR_GET_REASON(ERR_peek_error()) == SSL_R_NO_CIPHER_MATCH) {
1417 ERR_clear_error();
1418 } else {
1419 ERR_print_errors(bio_err);
1420 goto end;
1421 }
1422 } else {
1423 /* Should have failed when clearing all TLSv1.2 ciphers. */
1424 fprintf(stderr, "CLEARING ALL TLSv1.2 CIPHERS SHOULD FAIL\n");
1425 goto end;
1426 }
1427
1428 if (!SSL_CTX_set_cipher_list(s_ctx, cipher)) {
1429 if (ERR_GET_REASON(ERR_peek_error()) == SSL_R_NO_CIPHER_MATCH) {
1430 ERR_clear_error();
1431 } else {
1432 ERR_print_errors(bio_err);
1433 goto end;
1434 }
1435 } else {
1436 /* Should have failed when clearing all TLSv1.2 ciphers. */
1437 fprintf(stderr, "CLEARING ALL TLSv1.2 CIPHERS SHOULD FAIL\n");
1438 goto end;
1439 }
1440
1441 if (!SSL_CTX_set_cipher_list(s_ctx2, cipher)) {
1442 if (ERR_GET_REASON(ERR_peek_error()) == SSL_R_NO_CIPHER_MATCH) {
1443 ERR_clear_error();
1444 } else {
1445 ERR_print_errors(bio_err);
1446 goto end;
1447 }
1448 } else {
1449 /* Should have failed when clearing all TLSv1.2 ciphers. */
1450 fprintf(stderr, "CLEARING ALL TLSv1.2 CIPHERS SHOULD FAIL\n");
1451 goto end;
1452 }
1453 } else {
1454 if (!SSL_CTX_set_cipher_list(c_ctx, cipher)
1455 || !SSL_CTX_set_cipher_list(s_ctx, cipher)
1456 || !SSL_CTX_set_cipher_list(s_ctx2, cipher)) {
1457 ERR_print_errors(bio_err);
1458 goto end;
1459 }
1460 }
1461 }
1462 if (ciphersuites != NULL) {
1463 if (!SSL_CTX_set_ciphersuites(c_ctx, ciphersuites)
1464 || !SSL_CTX_set_ciphersuites(s_ctx, ciphersuites)
1465 || !SSL_CTX_set_ciphersuites(s_ctx2, ciphersuites)) {
1466 ERR_print_errors(bio_err);
1467 goto end;
1468 }
1469 }
1470
1471 #ifndef OPENSSL_NO_CT
1472 if (ct_validation &&
1473 !SSL_CTX_enable_ct(c_ctx, SSL_CT_VALIDATION_STRICT)) {
1474 ERR_print_errors(bio_err);
1475 goto end;
1476 }
1477 #endif
1478
1479 /* Process SSL_CONF arguments */
1480 SSL_CONF_CTX_set_ssl_ctx(c_cctx, c_ctx);
1481 SSL_CONF_CTX_set_ssl_ctx(s_cctx, s_ctx);
1482 SSL_CONF_CTX_set_ssl_ctx(s_cctx2, s_ctx2);
1483
1484 for (i = 0; i < sk_OPENSSL_STRING_num(conf_args); i += 2) {
1485 int rv;
1486 arg = sk_OPENSSL_STRING_value(conf_args, i);
1487 argn = sk_OPENSSL_STRING_value(conf_args, i + 1);
1488 rv = SSL_CONF_cmd(c_cctx, arg, argn);
1489 /* If not recognised use server context */
1490 if (rv == -2) {
1491 rv = SSL_CONF_cmd(s_cctx2, arg, argn);
1492 if (rv > 0)
1493 rv = SSL_CONF_cmd(s_cctx, arg, argn);
1494 }
1495 if (rv <= 0) {
1496 BIO_printf(bio_err, "Error processing %s %s\n",
1497 arg, argn ? argn : "");
1498 ERR_print_errors(bio_err);
1499 goto end;
1500 }
1501 }
1502
1503 if (!SSL_CONF_CTX_finish(s_cctx) || !SSL_CONF_CTX_finish(c_cctx) || !SSL_CONF_CTX_finish(s_cctx2)) {
1504 BIO_puts(bio_err, "Error finishing context\n");
1505 ERR_print_errors(bio_err);
1506 goto end;
1507 }
1508 #ifndef OPENSSL_NO_DH
1509 if (!no_dhe) {
1510 if (dhe1024dsa) {
1511 dh = get_dh1024dsa();
1512 } else if (dhe512)
1513 dh = get_dh512();
1514 else
1515 dh = get_dh1024();
1516 SSL_CTX_set_tmp_dh(s_ctx, dh);
1517 SSL_CTX_set_tmp_dh(s_ctx2, dh);
1518 DH_free(dh);
1519 }
1520 #else
1521 (void)no_dhe;
1522 #endif
1523
1524 if (!(SSL_CTX_load_verify_file(s_ctx, CAfile)
1525 || SSL_CTX_load_verify_dir(s_ctx, CApath))
1526 || !SSL_CTX_set_default_verify_paths(s_ctx)
1527 || !(SSL_CTX_load_verify_file(s_ctx2, CAfile)
1528 || SSL_CTX_load_verify_dir(s_ctx2, CApath))
1529 || !SSL_CTX_set_default_verify_paths(s_ctx2)
1530 || !(SSL_CTX_load_verify_file(c_ctx, CAfile)
1531 || SSL_CTX_load_verify_dir(c_ctx, CApath))
1532 || !SSL_CTX_set_default_verify_paths(c_ctx)) {
1533 ERR_print_errors(bio_err);
1534 }
1535
1536 #ifndef OPENSSL_NO_CT
1537 if (!SSL_CTX_set_default_ctlog_list_file(s_ctx) ||
1538 !SSL_CTX_set_default_ctlog_list_file(s_ctx2) ||
1539 !SSL_CTX_set_default_ctlog_list_file(c_ctx)) {
1540 ERR_print_errors(bio_err);
1541 }
1542 #endif
1543
1544 if (client_auth) {
1545 printf("client authentication\n");
1546 SSL_CTX_set_verify(s_ctx,
1547 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
1548 verify_callback);
1549 SSL_CTX_set_verify(s_ctx2,
1550 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
1551 verify_callback);
1552 SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback,
1553 &app_verify_arg);
1554 SSL_CTX_set_cert_verify_callback(s_ctx2, app_verify_callback,
1555 &app_verify_arg);
1556 }
1557 if (server_auth) {
1558 printf("server authentication\n");
1559 SSL_CTX_set_verify(c_ctx, SSL_VERIFY_PEER, verify_callback);
1560 SSL_CTX_set_cert_verify_callback(c_ctx, app_verify_callback,
1561 &app_verify_arg);
1562 }
1563
1564 {
1565 int session_id_context = 0;
1566 if (!SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context,
1567 sizeof(session_id_context)) ||
1568 !SSL_CTX_set_session_id_context(s_ctx2, (void *)&session_id_context,
1569 sizeof(session_id_context))) {
1570 ERR_print_errors(bio_err);
1571 goto end;
1572 }
1573 }
1574
1575 /* Use PSK only if PSK key is given */
1576 if (psk_key != NULL) {
1577 /*
1578 * no_psk is used to avoid putting psk command to openssl tool
1579 */
1580 if (no_psk) {
1581 /*
1582 * if PSK is not compiled in and psk key is given, do nothing and
1583 * exit successfully
1584 */
1585 ret = EXIT_SUCCESS;
1586 goto end;
1587 }
1588 #ifndef OPENSSL_NO_PSK
1589 SSL_CTX_set_psk_client_callback(c_ctx, psk_client_callback);
1590 SSL_CTX_set_psk_server_callback(s_ctx, psk_server_callback);
1591 SSL_CTX_set_psk_server_callback(s_ctx2, psk_server_callback);
1592 if (debug)
1593 BIO_printf(bio_err, "setting PSK identity hint to s_ctx\n");
1594 if (!SSL_CTX_use_psk_identity_hint(s_ctx, "ctx server identity_hint") ||
1595 !SSL_CTX_use_psk_identity_hint(s_ctx2, "ctx server identity_hint")) {
1596 BIO_printf(bio_err, "error setting PSK identity hint to s_ctx\n");
1597 ERR_print_errors(bio_err);
1598 goto end;
1599 }
1600 #endif
1601 }
1602
1603 #ifndef OPENSSL_NO_NEXTPROTONEG
1604 if (npn_client) {
1605 SSL_CTX_set_next_proto_select_cb(c_ctx, cb_client_npn, NULL);
1606 }
1607 if (npn_server) {
1608 if (npn_server_reject) {
1609 BIO_printf(bio_err,
1610 "Can't have both -npn_server and -npn_server_reject\n");
1611 goto end;
1612 }
1613 SSL_CTX_set_npn_advertised_cb(s_ctx, cb_server_npn, NULL);
1614 SSL_CTX_set_npn_advertised_cb(s_ctx2, cb_server_npn, NULL);
1615 }
1616 if (npn_server_reject) {
1617 SSL_CTX_set_npn_advertised_cb(s_ctx, cb_server_rejects_npn, NULL);
1618 SSL_CTX_set_npn_advertised_cb(s_ctx2, cb_server_rejects_npn, NULL);
1619 }
1620 #endif
1621
1622 if (serverinfo_sct) {
1623 if (!SSL_CTX_add_client_custom_ext(c_ctx,
1624 TLSEXT_TYPE_signed_certificate_timestamp,
1625 NULL, NULL, NULL,
1626 serverinfo_cli_parse_cb, NULL)) {
1627 BIO_printf(bio_err, "Error adding SCT extension\n");
1628 goto end;
1629 }
1630 }
1631 if (serverinfo_tack) {
1632 if (!SSL_CTX_add_client_custom_ext(c_ctx, TACK_EXT_TYPE,
1633 NULL, NULL, NULL,
1634 serverinfo_cli_parse_cb, NULL)) {
1635 BIO_printf(bio_err, "Error adding TACK extension\n");
1636 goto end;
1637 }
1638 }
1639 if (serverinfo_file)
1640 if (!SSL_CTX_use_serverinfo_file(s_ctx, serverinfo_file) ||
1641 !SSL_CTX_use_serverinfo_file(s_ctx2, serverinfo_file)) {
1642 BIO_printf(bio_err, "missing serverinfo file\n");
1643 goto end;
1644 }
1645
1646 if (custom_ext) {
1647 if (!SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_0,
1648 custom_ext_0_cli_add_cb,
1649 NULL, NULL,
1650 custom_ext_0_cli_parse_cb, NULL)
1651 || !SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_1,
1652 custom_ext_1_cli_add_cb,
1653 NULL, NULL,
1654 custom_ext_1_cli_parse_cb, NULL)
1655 || !SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_2,
1656 custom_ext_2_cli_add_cb,
1657 NULL, NULL,
1658 custom_ext_2_cli_parse_cb, NULL)
1659 || !SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_3,
1660 custom_ext_3_cli_add_cb,
1661 NULL, NULL,
1662 custom_ext_3_cli_parse_cb, NULL)
1663 || !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_0,
1664 custom_ext_0_srv_add_cb,
1665 NULL, NULL,
1666 custom_ext_0_srv_parse_cb, NULL)
1667 || !SSL_CTX_add_server_custom_ext(s_ctx2, CUSTOM_EXT_TYPE_0,
1668 custom_ext_0_srv_add_cb,
1669 NULL, NULL,
1670 custom_ext_0_srv_parse_cb, NULL)
1671 || !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_1,
1672 custom_ext_1_srv_add_cb,
1673 NULL, NULL,
1674 custom_ext_1_srv_parse_cb, NULL)
1675 || !SSL_CTX_add_server_custom_ext(s_ctx2, CUSTOM_EXT_TYPE_1,
1676 custom_ext_1_srv_add_cb,
1677 NULL, NULL,
1678 custom_ext_1_srv_parse_cb, NULL)
1679 || !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_2,
1680 custom_ext_2_srv_add_cb,
1681 NULL, NULL,
1682 custom_ext_2_srv_parse_cb, NULL)
1683 || !SSL_CTX_add_server_custom_ext(s_ctx2, CUSTOM_EXT_TYPE_2,
1684 custom_ext_2_srv_add_cb,
1685 NULL, NULL,
1686 custom_ext_2_srv_parse_cb, NULL)
1687 || !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_3,
1688 custom_ext_3_srv_add_cb,
1689 NULL, NULL,
1690 custom_ext_3_srv_parse_cb, NULL)
1691 || !SSL_CTX_add_server_custom_ext(s_ctx2, CUSTOM_EXT_TYPE_3,
1692 custom_ext_3_srv_add_cb,
1693 NULL, NULL,
1694 custom_ext_3_srv_parse_cb, NULL)) {
1695 BIO_printf(bio_err, "Error setting custom extensions\n");
1696 goto end;
1697 }
1698 }
1699
1700 if (alpn_server)
1701 SSL_CTX_set_alpn_select_cb(s_ctx, cb_server_alpn, alpn_server);
1702 if (alpn_server2)
1703 SSL_CTX_set_alpn_select_cb(s_ctx2, cb_server_alpn, alpn_server2);
1704
1705 if (alpn_client) {
1706 size_t alpn_len;
1707 unsigned char *alpn = next_protos_parse(&alpn_len, alpn_client);
1708
1709 if (alpn == NULL) {
1710 BIO_printf(bio_err, "Error parsing -alpn_client argument\n");
1711 goto end;
1712 }
1713 /* Returns 0 on success!! */
1714 if (SSL_CTX_set_alpn_protos(c_ctx, alpn, alpn_len)) {
1715 BIO_printf(bio_err, "Error setting ALPN\n");
1716 OPENSSL_free(alpn);
1717 goto end;
1718 }
1719 OPENSSL_free(alpn);
1720 }
1721
1722 if (server_sess_in != NULL) {
1723 server_sess = read_session(server_sess_in);
1724 if (server_sess == NULL)
1725 goto end;
1726 }
1727 if (client_sess_in != NULL) {
1728 client_sess = read_session(client_sess_in);
1729 if (client_sess == NULL)
1730 goto end;
1731 }
1732
1733 if (server_sess_out != NULL || server_sess_in != NULL) {
1734 char *keys;
1735 long size;
1736
1737 /* Use a fixed key so that we can decrypt the ticket. */
1738 size = SSL_CTX_set_tlsext_ticket_keys(s_ctx, NULL, 0);
1739 keys = OPENSSL_zalloc(size);
1740 SSL_CTX_set_tlsext_ticket_keys(s_ctx, keys, size);
1741 OPENSSL_free(keys);
1742 }
1743
1744 if (sn_server1 != NULL || sn_server2 != NULL)
1745 SSL_CTX_set_tlsext_servername_callback(s_ctx, servername_cb);
1746
1747 c_ssl = SSL_new(c_ctx);
1748 s_ssl = SSL_new(s_ctx);
1749
1750 if (sn_client)
1751 SSL_set_tlsext_host_name(c_ssl, sn_client);
1752
1753 if (!set_protocol_version(server_min_proto, s_ssl, SSL_CTRL_SET_MIN_PROTO_VERSION))
1754 goto end;
1755 if (!set_protocol_version(server_max_proto, s_ssl, SSL_CTRL_SET_MAX_PROTO_VERSION))
1756 goto end;
1757 if (!set_protocol_version(client_min_proto, c_ssl, SSL_CTRL_SET_MIN_PROTO_VERSION))
1758 goto end;
1759 if (!set_protocol_version(client_max_proto, c_ssl, SSL_CTRL_SET_MAX_PROTO_VERSION))
1760 goto end;
1761
1762 if (server_sess) {
1763 if (SSL_CTX_add_session(s_ctx, server_sess) == 0) {
1764 BIO_printf(bio_err, "Can't add server session\n");
1765 ERR_print_errors(bio_err);
1766 goto end;
1767 }
1768 }
1769
1770 BIO_printf(bio_stdout, "Doing handshakes=%d bytes=%ld\n", number, bytes);
1771 for (i = 0; i < number; i++) {
1772 if (!reuse) {
1773 if (!SSL_set_session(c_ssl, NULL)) {
1774 BIO_printf(bio_err, "Failed to set session\n");
1775 goto end;
1776 }
1777 }
1778 if (client_sess_in != NULL) {
1779 if (SSL_set_session(c_ssl, client_sess) == 0) {
1780 BIO_printf(bio_err, "Can't set client session\n");
1781 ERR_print_errors(bio_err);
1782 goto end;
1783 }
1784 }
1785 switch (bio_type) {
1786 case BIO_MEM:
1787 ret = doit(s_ssl, c_ssl, bytes);
1788 break;
1789 case BIO_PAIR:
1790 ret = doit_biopair(s_ssl, c_ssl, bytes, &s_time, &c_time);
1791 break;
1792 #ifndef OPENSSL_NO_SOCK
1793 case BIO_IPV4:
1794 ret = doit_localhost(s_ssl, c_ssl, BIO_FAMILY_IPV4,
1795 bytes, &s_time, &c_time);
1796 break;
1797 case BIO_IPV6:
1798 ret = doit_localhost(s_ssl, c_ssl, BIO_FAMILY_IPV6,
1799 bytes, &s_time, &c_time);
1800 break;
1801 #else
1802 case BIO_IPV4:
1803 case BIO_IPV6:
1804 ret = EXIT_FAILURE;
1805 goto err;
1806 #endif
1807 }
1808 if (ret != EXIT_SUCCESS) break;
1809 }
1810
1811 if (should_negotiate && ret == EXIT_SUCCESS &&
1812 strcmp(should_negotiate, "fail-server") != 0 &&
1813 strcmp(should_negotiate, "fail-client") != 0) {
1814 int version = protocol_from_string(should_negotiate);
1815 if (version < 0) {
1816 BIO_printf(bio_err, "Error parsing: %s\n", should_negotiate);
1817 ret = EXIT_FAILURE;
1818 goto err;
1819 }
1820 if (SSL_version(c_ssl) != version) {
1821 BIO_printf(bio_err, "Unexpected version negotiated. "
1822 "Expected: %s, got %s\n", should_negotiate, SSL_get_version(c_ssl));
1823 ret = EXIT_FAILURE;
1824 goto err;
1825 }
1826 }
1827
1828 if (should_reuse != -1) {
1829 if (SSL_session_reused(s_ssl) != should_reuse ||
1830 SSL_session_reused(c_ssl) != should_reuse) {
1831 BIO_printf(bio_err, "Unexpected session reuse state. "
1832 "Expected: %d, server: %d, client: %d\n", should_reuse,
1833 SSL_session_reused(s_ssl), SSL_session_reused(c_ssl));
1834 ret = EXIT_FAILURE;
1835 goto err;
1836 }
1837 }
1838
1839 if (server_sess_out != NULL) {
1840 if (write_session(server_sess_out, SSL_get_session(s_ssl)) == 0) {
1841 ret = EXIT_FAILURE;
1842 goto err;
1843 }
1844 }
1845 if (client_sess_out != NULL) {
1846 if (write_session(client_sess_out, SSL_get_session(c_ssl)) == 0) {
1847 ret = EXIT_FAILURE;
1848 goto err;
1849 }
1850 }
1851
1852 if (!verbose) {
1853 print_details(c_ssl, "");
1854 }
1855 if (print_time) {
1856 #ifdef CLOCKS_PER_SEC
1857 /*
1858 * "To determine the time in seconds, the value returned by the clock
1859 * function should be divided by the value of the macro
1860 * CLOCKS_PER_SEC." -- ISO/IEC 9899
1861 */
1862 BIO_printf(bio_stdout, "Approximate total server time: %6.2f s\n"
1863 "Approximate total client time: %6.2f s\n",
1864 (double)s_time / CLOCKS_PER_SEC,
1865 (double)c_time / CLOCKS_PER_SEC);
1866 #else
1867 BIO_printf(bio_stdout,
1868 "Approximate total server time: %6.2f units\n"
1869 "Approximate total client time: %6.2f units\n",
1870 (double)s_time, (double)c_time);
1871 #endif
1872 }
1873
1874 err:
1875 SSL_free(s_ssl);
1876 SSL_free(c_ssl);
1877
1878 end:
1879 SSL_CTX_free(s_ctx);
1880 SSL_CTX_free(s_ctx2);
1881 SSL_CTX_free(c_ctx);
1882 SSL_CONF_CTX_free(s_cctx);
1883 SSL_CONF_CTX_free(s_cctx2);
1884 SSL_CONF_CTX_free(c_cctx);
1885 sk_OPENSSL_STRING_free(conf_args);
1886
1887 BIO_free(bio_stdout);
1888
1889 SSL_SESSION_free(server_sess);
1890 SSL_SESSION_free(client_sess);
1891
1892 OSSL_PROVIDER_unload(defctxnull);
1893 OSSL_PROVIDER_unload(thisprov);
1894 OPENSSL_CTX_free(libctx);
1895
1896 BIO_free(bio_err);
1897 EXIT(ret);
1898 }
1899
1900 #ifndef OPENSSL_NO_SOCK
1901 int doit_localhost(SSL *s_ssl, SSL *c_ssl, int family, long count,
1902 clock_t *s_time, clock_t *c_time)
1903 {
1904 long cw_num = count, cr_num = count, sw_num = count, sr_num = count;
1905 BIO *s_ssl_bio = NULL, *c_ssl_bio = NULL;
1906 BIO *acpt = NULL, *server = NULL, *client = NULL;
1907 char addr_str[40];
1908 int ret = EXIT_FAILURE;
1909 int err_in_client = 0;
1910 int err_in_server = 0;
1911
1912 acpt = BIO_new_accept(family == BIO_FAMILY_IPV4 ? "127.0.0.1:0"
1913 : "[::1]:0");
1914 if (acpt == NULL)
1915 goto err;
1916 BIO_set_accept_ip_family(acpt, family);
1917 BIO_set_bind_mode(acpt, BIO_SOCK_NONBLOCK | BIO_SOCK_REUSEADDR);
1918 if (BIO_do_accept(acpt) <= 0)
1919 goto err;
1920
1921 BIO_snprintf(addr_str, sizeof(addr_str), ":%s", BIO_get_accept_port(acpt));
1922
1923 client = BIO_new_connect(addr_str);
1924 BIO_set_conn_ip_family(client, family);
1925 if (!client)
1926 goto err;
1927
1928 if (BIO_set_nbio(client, 1) <= 0)
1929 goto err;
1930 if (BIO_set_nbio(acpt, 1) <= 0)
1931 goto err;
1932
1933 {
1934 int st_connect = 0, st_accept = 0;
1935
1936 while(!st_connect || !st_accept) {
1937 if (!st_connect) {
1938 if (BIO_do_connect(client) <= 0) {
1939 if (!BIO_should_retry(client))
1940 goto err;
1941 } else {
1942 st_connect = 1;
1943 }
1944 }
1945 if (!st_accept) {
1946 if (BIO_do_accept(acpt) <= 0) {
1947 if (!BIO_should_retry(acpt))
1948 goto err;
1949 } else {
1950 st_accept = 1;
1951 }
1952 }
1953 }
1954 }
1955 /* We're not interested in accepting further connects */
1956 server = BIO_pop(acpt);
1957 BIO_free_all(acpt);
1958 acpt = NULL;
1959
1960 s_ssl_bio = BIO_new(BIO_f_ssl());
1961 if (!s_ssl_bio)
1962 goto err;
1963
1964 c_ssl_bio = BIO_new(BIO_f_ssl());
1965 if (!c_ssl_bio)
1966 goto err;
1967
1968 SSL_set_connect_state(c_ssl);
1969 SSL_set_bio(c_ssl, client, client);
1970 (void)BIO_set_ssl(c_ssl_bio, c_ssl, BIO_NOCLOSE);
1971
1972 SSL_set_accept_state(s_ssl);
1973 SSL_set_bio(s_ssl, server, server);
1974 (void)BIO_set_ssl(s_ssl_bio, s_ssl, BIO_NOCLOSE);
1975
1976 do {
1977 /*-
1978 * c_ssl_bio: SSL filter BIO
1979 *
1980 * client: I/O for SSL library
1981 *
1982 *
1983 * server: I/O for SSL library
1984 *
1985 * s_ssl_bio: SSL filter BIO
1986 */
1987
1988 /*
1989 * We have non-blocking behaviour throughout this test program, but
1990 * can be sure that there is *some* progress in each iteration; so we
1991 * don't have to worry about ..._SHOULD_READ or ..._SHOULD_WRITE --
1992 * we just try everything in each iteration
1993 */
1994
1995 {
1996 /* CLIENT */
1997
1998 char cbuf[1024 * 8];
1999 int i, r;
2000 clock_t c_clock = clock();
2001
2002 memset(cbuf, 0, sizeof(cbuf));
2003
2004 if (debug)
2005 if (SSL_in_init(c_ssl))
2006 printf("client waiting in SSL_connect - %s\n",
2007 SSL_state_string_long(c_ssl));
2008
2009 if (cw_num > 0) {
2010 /* Write to server. */
2011
2012 if (cw_num > (long)sizeof(cbuf))
2013 i = sizeof(cbuf);
2014 else
2015 i = (int)cw_num;
2016 r = BIO_write(c_ssl_bio, cbuf, i);
2017 if (r < 0) {
2018 if (!BIO_should_retry(c_ssl_bio)) {
2019 fprintf(stderr, "ERROR in CLIENT\n");
2020 err_in_client = 1;
2021 goto err;
2022 }
2023 /*
2024 * BIO_should_retry(...) can just be ignored here. The
2025 * library expects us to call BIO_write with the same
2026 * arguments again, and that's what we will do in the
2027 * next iteration.
2028 */
2029 } else if (r == 0) {
2030 fprintf(stderr, "SSL CLIENT STARTUP FAILED\n");
2031 goto err;
2032 } else {
2033 if (debug)
2034 printf("client wrote %d\n", r);
2035 cw_num -= r;
2036 }
2037 }
2038
2039 if (cr_num > 0) {
2040 /* Read from server. */
2041
2042 r = BIO_read(c_ssl_bio, cbuf, sizeof(cbuf));
2043 if (r < 0) {
2044 if (!BIO_should_retry(c_ssl_bio)) {
2045 fprintf(stderr, "ERROR in CLIENT\n");
2046 err_in_client = 1;
2047 goto err;
2048 }
2049 /*
2050 * Again, "BIO_should_retry" can be ignored.
2051 */
2052 } else if (r == 0) {
2053 fprintf(stderr, "SSL CLIENT STARTUP FAILED\n");
2054 goto err;
2055 } else {
2056 if (debug)
2057 printf("client read %d\n", r);
2058 cr_num -= r;
2059 }
2060 }
2061
2062 /*
2063 * c_time and s_time increments will typically be very small
2064 * (depending on machine speed and clock tick intervals), but
2065 * sampling over a large number of connections should result in
2066 * fairly accurate figures. We cannot guarantee a lot, however
2067 * -- if each connection lasts for exactly one clock tick, it
2068 * will be counted only for the client or only for the server or
2069 * even not at all.
2070 */
2071 *c_time += (clock() - c_clock);
2072 }
2073
2074 {
2075 /* SERVER */
2076
2077 char sbuf[1024 * 8];
2078 int i, r;
2079 clock_t s_clock = clock();
2080
2081 memset(sbuf, 0, sizeof(sbuf));
2082
2083 if (debug)
2084 if (SSL_in_init(s_ssl))
2085 printf("server waiting in SSL_accept - %s\n",
2086 SSL_state_string_long(s_ssl));
2087
2088 if (sw_num > 0) {
2089 /* Write to client. */
2090
2091 if (sw_num > (long)sizeof(sbuf))
2092 i = sizeof(sbuf);
2093 else
2094 i = (int)sw_num;
2095 r = BIO_write(s_ssl_bio, sbuf, i);
2096 if (r < 0) {
2097 if (!BIO_should_retry(s_ssl_bio)) {
2098 fprintf(stderr, "ERROR in SERVER\n");
2099 err_in_server = 1;
2100 goto err;
2101 }
2102 /* Ignore "BIO_should_retry". */
2103 } else if (r == 0) {
2104 fprintf(stderr, "SSL SERVER STARTUP FAILED\n");
2105 goto err;
2106 } else {
2107 if (debug)
2108 printf("server wrote %d\n", r);
2109 sw_num -= r;
2110 }
2111 }
2112
2113 if (sr_num > 0) {
2114 /* Read from client. */
2115
2116 r = BIO_read(s_ssl_bio, sbuf, sizeof(sbuf));
2117 if (r < 0) {
2118 if (!BIO_should_retry(s_ssl_bio)) {
2119 fprintf(stderr, "ERROR in SERVER\n");
2120 err_in_server = 1;
2121 goto err;
2122 }
2123 /* blah, blah */
2124 } else if (r == 0) {
2125 fprintf(stderr, "SSL SERVER STARTUP FAILED\n");
2126 goto err;
2127 } else {
2128 if (debug)
2129 printf("server read %d\n", r);
2130 sr_num -= r;
2131 }
2132 }
2133
2134 *s_time += (clock() - s_clock);
2135 }
2136 }
2137 while (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0);
2138
2139 if (verbose)
2140 print_details(c_ssl, "DONE via TCP connect: ");
2141 # ifndef OPENSSL_NO_NEXTPROTONEG
2142 if (verify_npn(c_ssl, s_ssl) < 0)
2143 goto end;
2144 # endif
2145 if (verify_serverinfo() < 0) {
2146 fprintf(stderr, "Server info verify error\n");
2147 goto err;
2148 }
2149 if (verify_alpn(c_ssl, s_ssl) < 0
2150 || verify_servername(c_ssl, s_ssl) < 0)
2151 goto err;
2152
2153 if (custom_ext_error) {
2154 fprintf(stderr, "Custom extension error\n");
2155 goto err;
2156 }
2157
2158 # ifndef OPENSSL_NO_NEXTPROTONEG
2159 end:
2160 # endif
2161 ret = EXIT_SUCCESS;
2162
2163 err:
2164 ERR_print_errors(bio_err);
2165
2166 BIO_free_all(acpt);
2167 BIO_free(server);
2168 BIO_free(client);
2169 BIO_free(s_ssl_bio);
2170 BIO_free(c_ssl_bio);
2171
2172 if (should_negotiate != NULL && strcmp(should_negotiate, "fail-client") == 0)
2173 ret = (err_in_client != 0) ? EXIT_SUCCESS : EXIT_FAILURE;
2174 else if (should_negotiate != NULL && strcmp(should_negotiate, "fail-server") == 0)
2175 ret = (err_in_server != 0) ? EXIT_SUCCESS : EXIT_FAILURE;
2176
2177 return ret;
2178 }
2179 #endif
2180
2181 int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count,
2182 clock_t *s_time, clock_t *c_time)
2183 {
2184 long cw_num = count, cr_num = count, sw_num = count, sr_num = count;
2185 BIO *s_ssl_bio = NULL, *c_ssl_bio = NULL;
2186 BIO *server = NULL, *server_io = NULL, *client = NULL, *client_io = NULL;
2187 int ret = EXIT_FAILURE;
2188 int err_in_client = 0;
2189 int err_in_server = 0;
2190
2191 size_t bufsiz = 256; /* small buffer for testing */
2192
2193 if (!BIO_new_bio_pair(&server, bufsiz, &server_io, bufsiz))
2194 goto err;
2195 if (!BIO_new_bio_pair(&client, bufsiz, &client_io, bufsiz))
2196 goto err;
2197
2198 s_ssl_bio = BIO_new(BIO_f_ssl());
2199 if (!s_ssl_bio)
2200 goto err;
2201
2202 c_ssl_bio = BIO_new(BIO_f_ssl());
2203 if (!c_ssl_bio)
2204 goto err;
2205
2206 SSL_set_connect_state(c_ssl);
2207 SSL_set_bio(c_ssl, client, client);
2208 (void)BIO_set_ssl(c_ssl_bio, c_ssl, BIO_NOCLOSE);
2209
2210 SSL_set_accept_state(s_ssl);
2211 SSL_set_bio(s_ssl, server, server);
2212 (void)BIO_set_ssl(s_ssl_bio, s_ssl, BIO_NOCLOSE);
2213
2214 do {
2215 /*-
2216 * c_ssl_bio: SSL filter BIO
2217 *
2218 * client: pseudo-I/O for SSL library
2219 *
2220 * client_io: client's SSL communication; usually to be
2221 * relayed over some I/O facility, but in this
2222 * test program, we're the server, too:
2223 *
2224 * server_io: server's SSL communication
2225 *
2226 * server: pseudo-I/O for SSL library
2227 *
2228 * s_ssl_bio: SSL filter BIO
2229 *
2230 * The client and the server each employ a "BIO pair":
2231 * client + client_io, server + server_io.
2232 * BIO pairs are symmetric. A BIO pair behaves similar
2233 * to a non-blocking socketpair (but both endpoints must
2234 * be handled by the same thread).
2235 * [Here we could connect client and server to the ends
2236 * of a single BIO pair, but then this code would be less
2237 * suitable as an example for BIO pairs in general.]
2238 *
2239 * Useful functions for querying the state of BIO pair endpoints:
2240 *
2241 * BIO_ctrl_pending(bio) number of bytes we can read now
2242 * BIO_ctrl_get_read_request(bio) number of bytes needed to fulfill
2243 * other side's read attempt
2244 * BIO_ctrl_get_write_guarantee(bio) number of bytes we can write now
2245 *
2246 * ..._read_request is never more than ..._write_guarantee;
2247 * it depends on the application which one you should use.
2248 */
2249
2250 /*
2251 * We have non-blocking behaviour throughout this test program, but
2252 * can be sure that there is *some* progress in each iteration; so we
2253 * don't have to worry about ..._SHOULD_READ or ..._SHOULD_WRITE --
2254 * we just try everything in each iteration
2255 */
2256
2257 {
2258 /* CLIENT */
2259
2260 char cbuf[1024 * 8];
2261 int i, r;
2262 clock_t c_clock = clock();
2263
2264 memset(cbuf, 0, sizeof(cbuf));
2265
2266 if (debug)
2267 if (SSL_in_init(c_ssl))
2268 printf("client waiting in SSL_connect - %s\n",
2269 SSL_state_string_long(c_ssl));
2270
2271 if (cw_num > 0) {
2272 /* Write to server. */
2273
2274 if (cw_num > (long)sizeof(cbuf))
2275 i = sizeof(cbuf);
2276 else
2277 i = (int)cw_num;
2278 r = BIO_write(c_ssl_bio, cbuf, i);
2279 if (r < 0) {
2280 if (!BIO_should_retry(c_ssl_bio)) {
2281 fprintf(stderr, "ERROR in CLIENT\n");
2282 err_in_client = 1;
2283 goto err;
2284 }
2285 /*
2286 * BIO_should_retry(...) can just be ignored here. The
2287 * library expects us to call BIO_write with the same
2288 * arguments again, and that's what we will do in the
2289 * next iteration.
2290 */
2291 } else if (r == 0) {
2292 fprintf(stderr, "SSL CLIENT STARTUP FAILED\n");
2293 goto err;
2294 } else {
2295 if (debug)
2296 printf("client wrote %d\n", r);
2297 cw_num -= r;
2298 }
2299 }
2300
2301 if (cr_num > 0) {
2302 /* Read from server. */
2303
2304 r = BIO_read(c_ssl_bio, cbuf, sizeof(cbuf));
2305 if (r < 0) {
2306 if (!BIO_should_retry(c_ssl_bio)) {
2307 fprintf(stderr, "ERROR in CLIENT\n");
2308 err_in_client = 1;
2309 goto err;
2310 }
2311 /*
2312 * Again, "BIO_should_retry" can be ignored.
2313 */
2314 } else if (r == 0) {
2315 fprintf(stderr, "SSL CLIENT STARTUP FAILED\n");
2316 goto err;
2317 } else {
2318 if (debug)
2319 printf("client read %d\n", r);
2320 cr_num -= r;
2321 }
2322 }
2323
2324 /*
2325 * c_time and s_time increments will typically be very small
2326 * (depending on machine speed and clock tick intervals), but
2327 * sampling over a large number of connections should result in
2328 * fairly accurate figures. We cannot guarantee a lot, however
2329 * -- if each connection lasts for exactly one clock tick, it
2330 * will be counted only for the client or only for the server or
2331 * even not at all.
2332 */
2333 *c_time += (clock() - c_clock);
2334 }
2335
2336 {
2337 /* SERVER */
2338
2339 char sbuf[1024 * 8];
2340 int i, r;
2341 clock_t s_clock = clock();
2342
2343 memset(sbuf, 0, sizeof(sbuf));
2344
2345 if (debug)
2346 if (SSL_in_init(s_ssl))
2347 printf("server waiting in SSL_accept - %s\n",
2348 SSL_state_string_long(s_ssl));
2349
2350 if (sw_num > 0) {
2351 /* Write to client. */
2352
2353 if (sw_num > (long)sizeof(sbuf))
2354 i = sizeof(sbuf);
2355 else
2356 i = (int)sw_num;
2357 r = BIO_write(s_ssl_bio, sbuf, i);
2358 if (r < 0) {
2359 if (!BIO_should_retry(s_ssl_bio)) {
2360 fprintf(stderr, "ERROR in SERVER\n");
2361 err_in_server = 1;
2362 goto err;
2363 }
2364 /* Ignore "BIO_should_retry". */
2365 } else if (r == 0) {
2366 fprintf(stderr, "SSL SERVER STARTUP FAILED\n");
2367 goto err;
2368 } else {
2369 if (debug)
2370 printf("server wrote %d\n", r);
2371 sw_num -= r;
2372 }
2373 }
2374
2375 if (sr_num > 0) {
2376 /* Read from client. */
2377
2378 r = BIO_read(s_ssl_bio, sbuf, sizeof(sbuf));
2379 if (r < 0) {
2380 if (!BIO_should_retry(s_ssl_bio)) {
2381 fprintf(stderr, "ERROR in SERVER\n");
2382 err_in_server = 1;
2383 goto err;
2384 }
2385 /* blah, blah */
2386 } else if (r == 0) {
2387 fprintf(stderr, "SSL SERVER STARTUP FAILED\n");
2388 goto err;
2389 } else {
2390 if (debug)
2391 printf("server read %d\n", r);
2392 sr_num -= r;
2393 }
2394 }
2395
2396 *s_time += (clock() - s_clock);
2397 }
2398
2399 {
2400 /* "I/O" BETWEEN CLIENT AND SERVER. */
2401
2402 size_t r1, r2;
2403 BIO *io1 = server_io, *io2 = client_io;
2404 /*
2405 * we use the non-copying interface for io1 and the standard
2406 * BIO_write/BIO_read interface for io2
2407 */
2408
2409 static int prev_progress = 1;
2410 int progress = 0;
2411
2412 /* io1 to io2 */
2413 do {
2414 size_t num;
2415 int r;
2416
2417 r1 = BIO_ctrl_pending(io1);
2418 r2 = BIO_ctrl_get_write_guarantee(io2);
2419
2420 num = r1;
2421 if (r2 < num)
2422 num = r2;
2423 if (num) {
2424 char *dataptr;
2425
2426 if (INT_MAX < num) /* yeah, right */
2427 num = INT_MAX;
2428
2429 r = BIO_nread(io1, &dataptr, (int)num);
2430 assert(r > 0);
2431 assert(r <= (int)num);
2432 /*
2433 * possibly r < num (non-contiguous data)
2434 */
2435 num = r;
2436 r = BIO_write(io2, dataptr, (int)num);
2437 if (r != (int)num) { /* can't happen */
2438 fprintf(stderr, "ERROR: BIO_write could not write "
2439 "BIO_ctrl_get_write_guarantee() bytes");
2440 goto err;
2441 }
2442 progress = 1;
2443
2444 if (debug)
2445 printf((io1 == client_io) ?
2446 "C->S relaying: %d bytes\n" :
2447 "S->C relaying: %d bytes\n", (int)num);
2448 }
2449 }
2450 while (r1 && r2);
2451
2452 /* io2 to io1 */
2453 {
2454 size_t num;
2455 int r;
2456
2457 r1 = BIO_ctrl_pending(io2);
2458 r2 = BIO_ctrl_get_read_request(io1);
2459 /*
2460 * here we could use ..._get_write_guarantee instead of
2461 * ..._get_read_request, but by using the latter we test
2462 * restartability of the SSL implementation more thoroughly
2463 */
2464 num = r1;
2465 if (r2 < num)
2466 num = r2;
2467 if (num) {
2468 char *dataptr;
2469
2470 if (INT_MAX < num)
2471 num = INT_MAX;
2472
2473 if (num > 1)
2474 --num; /* test restartability even more thoroughly */
2475
2476 r = BIO_nwrite0(io1, &dataptr);
2477 assert(r > 0);
2478 if (r < (int)num)
2479 num = r;
2480 r = BIO_read(io2, dataptr, (int)num);
2481 if (r != (int)num) { /* can't happen */
2482 fprintf(stderr, "ERROR: BIO_read could not read "
2483 "BIO_ctrl_pending() bytes");
2484 goto err;
2485 }
2486 progress = 1;
2487 r = BIO_nwrite(io1, &dataptr, (int)num);
2488 if (r != (int)num) { /* can't happen */
2489 fprintf(stderr, "ERROR: BIO_nwrite() did not accept "
2490 "BIO_nwrite0() bytes");
2491 goto err;
2492 }
2493
2494 if (debug)
2495 printf((io2 == client_io) ?
2496 "C->S relaying: %d bytes\n" :
2497 "S->C relaying: %d bytes\n", (int)num);
2498 }
2499 } /* no loop, BIO_ctrl_get_read_request now
2500 * returns 0 anyway */
2501
2502 if (!progress && !prev_progress)
2503 if (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0) {
2504 fprintf(stderr, "ERROR: got stuck\n");
2505 fprintf(stderr, " ERROR.\n");
2506 goto err;
2507 }
2508 prev_progress = progress;
2509 }
2510 }
2511 while (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0);
2512
2513 if (verbose)
2514 print_details(c_ssl, "DONE via BIO pair: ");
2515 #ifndef OPENSSL_NO_NEXTPROTONEG
2516 if (verify_npn(c_ssl, s_ssl) < 0)
2517 goto end;
2518 #endif
2519 if (verify_serverinfo() < 0) {
2520 fprintf(stderr, "Server info verify error\n");
2521 goto err;
2522 }
2523 if (verify_alpn(c_ssl, s_ssl) < 0
2524 || verify_servername(c_ssl, s_ssl) < 0)
2525 goto err;
2526
2527 if (custom_ext_error) {
2528 fprintf(stderr, "Custom extension error\n");
2529 goto err;
2530 }
2531
2532 #ifndef OPENSSL_NO_NEXTPROTONEG
2533 end:
2534 #endif
2535 ret = EXIT_SUCCESS;
2536
2537 err:
2538 ERR_print_errors(bio_err);
2539
2540 BIO_free(server);
2541 BIO_free(server_io);
2542 BIO_free(client);
2543 BIO_free(client_io);
2544 BIO_free(s_ssl_bio);
2545 BIO_free(c_ssl_bio);
2546
2547 if (should_negotiate != NULL && strcmp(should_negotiate, "fail-client") == 0)
2548 ret = (err_in_client != 0) ? EXIT_SUCCESS : EXIT_FAILURE;
2549 else if (should_negotiate != NULL && strcmp(should_negotiate, "fail-server") == 0)
2550 ret = (err_in_server != 0) ? EXIT_SUCCESS : EXIT_FAILURE;
2551
2552 return ret;
2553 }
2554
2555 #define W_READ 1
2556 #define W_WRITE 2
2557 #define C_DONE 1
2558 #define S_DONE 2
2559
2560 int doit(SSL *s_ssl, SSL *c_ssl, long count)
2561 {
2562 char *cbuf = NULL, *sbuf = NULL;
2563 long bufsiz;
2564 long cw_num = count, cr_num = count;
2565 long sw_num = count, sr_num = count;
2566 int ret = EXIT_FAILURE;
2567 BIO *c_to_s = NULL;
2568 BIO *s_to_c = NULL;
2569 BIO *c_bio = NULL;
2570 BIO *s_bio = NULL;
2571 int c_r, c_w, s_r, s_w;
2572 int i, j;
2573 int done = 0;
2574 int c_write, s_write;
2575 int do_server = 0, do_client = 0;
2576 int max_frag = 5 * 1024;
2577 int err_in_client = 0;
2578 int err_in_server = 0;
2579
2580 bufsiz = count > 40 * 1024 ? 40 * 1024 : count;
2581
2582 if ((cbuf = OPENSSL_zalloc(bufsiz)) == NULL)
2583 goto err;
2584 if ((sbuf = OPENSSL_zalloc(bufsiz)) == NULL)
2585 goto err;
2586
2587 c_to_s = BIO_new(BIO_s_mem());
2588 s_to_c = BIO_new(BIO_s_mem());
2589 if ((s_to_c == NULL) || (c_to_s == NULL)) {
2590 ERR_print_errors(bio_err);
2591 goto err;
2592 }
2593
2594 c_bio = BIO_new(BIO_f_ssl());
2595 s_bio = BIO_new(BIO_f_ssl());
2596 if ((c_bio == NULL) || (s_bio == NULL)) {
2597 ERR_print_errors(bio_err);
2598 goto err;
2599 }
2600
2601 SSL_set_connect_state(c_ssl);
2602 SSL_set_bio(c_ssl, s_to_c, c_to_s);
2603 SSL_set_max_send_fragment(c_ssl, max_frag);
2604 BIO_set_ssl(c_bio, c_ssl, BIO_NOCLOSE);
2605
2606 /*
2607 * We've just given our ref to these BIOs to c_ssl. We need another one to
2608 * give to s_ssl
2609 */
2610 if (!BIO_up_ref(c_to_s)) {
2611 /* c_to_s and s_to_c will get freed when we free c_ssl */
2612 c_to_s = NULL;
2613 s_to_c = NULL;
2614 goto err;
2615 }
2616 if (!BIO_up_ref(s_to_c)) {
2617 /* s_to_c will get freed when we free c_ssl */
2618 s_to_c = NULL;
2619 goto err;
2620 }
2621
2622 SSL_set_accept_state(s_ssl);
2623 SSL_set_bio(s_ssl, c_to_s, s_to_c);
2624
2625 /* We've used up all our refs to these now */
2626 c_to_s = NULL;
2627 s_to_c = NULL;
2628
2629 SSL_set_max_send_fragment(s_ssl, max_frag);
2630 BIO_set_ssl(s_bio, s_ssl, BIO_NOCLOSE);
2631
2632 c_r = 0;
2633 s_r = 1;
2634 c_w = 1;
2635 s_w = 0;
2636 c_write = 1, s_write = 0;
2637
2638 /* We can always do writes */
2639 for (;;) {
2640 do_server = 0;
2641 do_client = 0;
2642
2643 i = (int)BIO_pending(s_bio);
2644 if ((i && s_r) || s_w)
2645 do_server = 1;
2646
2647 i = (int)BIO_pending(c_bio);
2648 if ((i && c_r) || c_w)
2649 do_client = 1;
2650
2651 if (do_server && debug) {
2652 if (SSL_in_init(s_ssl))
2653 printf("server waiting in SSL_accept - %s\n",
2654 SSL_state_string_long(s_ssl));
2655 }
2656
2657 if (do_client && debug) {
2658 if (SSL_in_init(c_ssl))
2659 printf("client waiting in SSL_connect - %s\n",
2660 SSL_state_string_long(c_ssl));
2661 }
2662
2663 if (!do_client && !do_server) {
2664 fprintf(stdout, "ERROR IN STARTUP\n");
2665 ERR_print_errors(bio_err);
2666 goto err;
2667 }
2668 if (do_client && !(done & C_DONE)) {
2669 if (c_write) {
2670 j = (cw_num > bufsiz) ? (int)bufsiz : (int)cw_num;
2671 i = BIO_write(c_bio, cbuf, j);
2672 if (i < 0) {
2673 c_r = 0;
2674 c_w = 0;
2675 if (BIO_should_retry(c_bio)) {
2676 if (BIO_should_read(c_bio))
2677 c_r = 1;
2678 if (BIO_should_write(c_bio))
2679 c_w = 1;
2680 } else {
2681 fprintf(stderr, "ERROR in CLIENT\n");
2682 err_in_client = 1;
2683 ERR_print_errors(bio_err);
2684 goto err;
2685 }
2686 } else if (i == 0) {
2687 fprintf(stderr, "SSL CLIENT STARTUP FAILED\n");
2688 goto err;
2689 } else {
2690 if (debug)
2691 printf("client wrote %d\n", i);
2692 /* ok */
2693 s_r = 1;
2694 c_write = 0;
2695 cw_num -= i;
2696 if (max_frag > 1029)
2697 SSL_set_max_send_fragment(c_ssl, max_frag -= 5);
2698 }
2699 } else {
2700 i = BIO_read(c_bio, cbuf, bufsiz);
2701 if (i < 0) {
2702 c_r = 0;
2703 c_w = 0;
2704 if (BIO_should_retry(c_bio)) {
2705 if (BIO_should_read(c_bio))
2706 c_r = 1;
2707 if (BIO_should_write(c_bio))
2708 c_w = 1;
2709 } else {
2710 fprintf(stderr, "ERROR in CLIENT\n");
2711 err_in_client = 1;
2712 ERR_print_errors(bio_err);
2713 goto err;
2714 }
2715 } else if (i == 0) {
2716 fprintf(stderr, "SSL CLIENT STARTUP FAILED\n");
2717 goto err;
2718 } else {
2719 if (debug)
2720 printf("client read %d\n", i);
2721 cr_num -= i;
2722 if (sw_num > 0) {
2723 s_write = 1;
2724 s_w = 1;
2725 }
2726 if (cr_num <= 0) {
2727 s_write = 1;
2728 s_w = 1;
2729 done = S_DONE | C_DONE;
2730 }
2731 }
2732 }
2733 }
2734
2735 if (do_server && !(done & S_DONE)) {
2736 if (!s_write) {
2737 i = BIO_read(s_bio, sbuf, bufsiz);
2738 if (i < 0) {
2739 s_r = 0;
2740 s_w = 0;
2741 if (BIO_should_retry(s_bio)) {
2742 if (BIO_should_read(s_bio))
2743 s_r = 1;
2744 if (BIO_should_write(s_bio))
2745 s_w = 1;
2746 } else {
2747 fprintf(stderr, "ERROR in SERVER\n");
2748 err_in_server = 1;
2749 ERR_print_errors(bio_err);
2750 goto err;
2751 }
2752 } else if (i == 0) {
2753 ERR_print_errors(bio_err);
2754 fprintf(stderr,
2755 "SSL SERVER STARTUP FAILED in SSL_read\n");
2756 goto err;
2757 } else {
2758 if (debug)
2759 printf("server read %d\n", i);
2760 sr_num -= i;
2761 if (cw_num > 0) {
2762 c_write = 1;
2763 c_w = 1;
2764 }
2765 if (sr_num <= 0) {
2766 s_write = 1;
2767 s_w = 1;
2768 c_write = 0;
2769 }
2770 }
2771 } else {
2772 j = (sw_num > bufsiz) ? (int)bufsiz : (int)sw_num;
2773 i = BIO_write(s_bio, sbuf, j);
2774 if (i < 0) {
2775 s_r = 0;
2776 s_w = 0;
2777 if (BIO_should_retry(s_bio)) {
2778 if (BIO_should_read(s_bio))
2779 s_r = 1;
2780 if (BIO_should_write(s_bio))
2781 s_w = 1;
2782 } else {
2783 fprintf(stderr, "ERROR in SERVER\n");
2784 err_in_server = 1;
2785 ERR_print_errors(bio_err);
2786 goto err;
2787 }
2788 } else if (i == 0) {
2789 ERR_print_errors(bio_err);
2790 fprintf(stderr,
2791 "SSL SERVER STARTUP FAILED in SSL_write\n");
2792 goto err;
2793 } else {
2794 if (debug)
2795 printf("server wrote %d\n", i);
2796 sw_num -= i;
2797 s_write = 0;
2798 c_r = 1;
2799 if (sw_num <= 0)
2800 done |= S_DONE;
2801 if (max_frag > 1029)
2802 SSL_set_max_send_fragment(s_ssl, max_frag -= 5);
2803 }
2804 }
2805 }
2806
2807 if ((done & S_DONE) && (done & C_DONE))
2808 break;
2809 }
2810
2811 if (verbose)
2812 print_details(c_ssl, "DONE: ");
2813 #ifndef OPENSSL_NO_NEXTPROTONEG
2814 if (verify_npn(c_ssl, s_ssl) < 0)
2815 goto err;
2816 #endif
2817 if (verify_serverinfo() < 0) {
2818 fprintf(stderr, "Server info verify error\n");
2819 goto err;
2820 }
2821 if (custom_ext_error) {
2822 fprintf(stderr, "Custom extension error\n");
2823 goto err;
2824 }
2825 ret = EXIT_SUCCESS;
2826 err:
2827 BIO_free(c_to_s);
2828 BIO_free(s_to_c);
2829 BIO_free_all(c_bio);
2830 BIO_free_all(s_bio);
2831 OPENSSL_free(cbuf);
2832 OPENSSL_free(sbuf);
2833
2834 if (should_negotiate != NULL && strcmp(should_negotiate, "fail-client") == 0)
2835 ret = (err_in_client != 0) ? EXIT_SUCCESS : EXIT_FAILURE;
2836 else if (should_negotiate != NULL && strcmp(should_negotiate, "fail-server") == 0)
2837 ret = (err_in_server != 0) ? EXIT_SUCCESS : EXIT_FAILURE;
2838
2839 return ret;
2840 }
2841
2842 static int verify_callback(int ok, X509_STORE_CTX *ctx)
2843 {
2844 char *s, buf[256];
2845
2846 s = X509_NAME_oneline(X509_get_subject_name(X509_STORE_CTX_get_current_cert(ctx)),
2847 buf, sizeof(buf));
2848 if (s != NULL) {
2849 if (ok)
2850 printf("depth=%d %s\n", X509_STORE_CTX_get_error_depth(ctx), buf);
2851 else {
2852 fprintf(stderr, "depth=%d error=%d %s\n",
2853 X509_STORE_CTX_get_error_depth(ctx),
2854 X509_STORE_CTX_get_error(ctx), buf);
2855 }
2856 }
2857
2858 if (ok == 0) {
2859 int i = X509_STORE_CTX_get_error(ctx);
2860
2861 switch (i) {
2862 default:
2863 fprintf(stderr, "Error string: %s\n",
2864 X509_verify_cert_error_string(i));
2865 break;
2866 case X509_V_ERR_CERT_NOT_YET_VALID:
2867 case X509_V_ERR_CERT_HAS_EXPIRED:
2868 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
2869 ok = 1;
2870 break;
2871 }
2872 }
2873
2874 return ok;
2875 }
2876
2877 static int app_verify_callback(X509_STORE_CTX *ctx, void *arg)
2878 {
2879 int ok = 1;
2880 struct app_verify_arg *cb_arg = arg;
2881
2882 if (cb_arg->app_verify) {
2883 char *s = NULL, buf[256];
2884 X509 *c = X509_STORE_CTX_get0_cert(ctx);
2885
2886 printf("In app_verify_callback, allowing cert. ");
2887 printf("Arg is: %s\n", cb_arg->string);
2888 printf("Finished printing do we have a context? 0x%p a cert? 0x%p\n",
2889 (void *)ctx, (void *)c);
2890 if (c)
2891 s = X509_NAME_oneline(X509_get_subject_name(c), buf, 256);
2892 if (s != NULL) {
2893 printf("cert depth=%d %s\n",
2894 X509_STORE_CTX_get_error_depth(ctx), buf);
2895 }
2896 return 1;
2897 }
2898
2899 ok = X509_verify_cert(ctx);
2900
2901 return ok;
2902 }
2903
2904 #ifndef OPENSSL_NO_DH
2905 /*-
2906 * These DH parameters have been generated as follows:
2907 * $ openssl dhparam -C -noout 512
2908 * $ openssl dhparam -C -noout 1024
2909 * $ openssl dhparam -C -noout -dsaparam 1024
2910 * (The third function has been renamed to avoid name conflicts.)
2911 */
2912 static DH *get_dh512(void)
2913 {
2914 static unsigned char dh512_p[] = {
2915 0xCB, 0xC8, 0xE1, 0x86, 0xD0, 0x1F, 0x94, 0x17, 0xA6, 0x99, 0xF0,
2916 0xC6,
2917 0x1F, 0x0D, 0xAC, 0xB6, 0x25, 0x3E, 0x06, 0x39, 0xCA, 0x72, 0x04,
2918 0xB0,
2919 0x6E, 0xDA, 0xC0, 0x61, 0xE6, 0x7A, 0x77, 0x25, 0xE8, 0x3B, 0xB9,
2920 0x5F,
2921 0x9A, 0xB6, 0xB5, 0xFE, 0x99, 0x0B, 0xA1, 0x93, 0x4E, 0x35, 0x33,
2922 0xB8,
2923 0xE1, 0xF1, 0x13, 0x4F, 0x59, 0x1A, 0xD2, 0x57, 0xC0, 0x26, 0x21,
2924 0x33,
2925 0x02, 0xC5, 0xAE, 0x23,
2926 };
2927 static unsigned char dh512_g[] = {
2928 0x02,
2929 };
2930 DH *dh;
2931 BIGNUM *p, *g;
2932
2933 if ((dh = DH_new()) == NULL)
2934 return NULL;
2935 p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
2936 g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
2937 if ((p == NULL) || (g == NULL) || !DH_set0_pqg(dh, p, NULL, g)) {
2938 DH_free(dh);
2939 BN_free(p);
2940 BN_free(g);
2941 return NULL;
2942 }
2943 return dh;
2944 }
2945
2946 static DH *get_dh1024(void)
2947 {
2948 static unsigned char dh1024_p[] = {
2949 0xF8, 0x81, 0x89, 0x7D, 0x14, 0x24, 0xC5, 0xD1, 0xE6, 0xF7, 0xBF,
2950 0x3A,
2951 0xE4, 0x90, 0xF4, 0xFC, 0x73, 0xFB, 0x34, 0xB5, 0xFA, 0x4C, 0x56,
2952 0xA2,
2953 0xEA, 0xA7, 0xE9, 0xC0, 0xC0, 0xCE, 0x89, 0xE1, 0xFA, 0x63, 0x3F,
2954 0xB0,
2955 0x6B, 0x32, 0x66, 0xF1, 0xD1, 0x7B, 0xB0, 0x00, 0x8F, 0xCA, 0x87,
2956 0xC2,
2957 0xAE, 0x98, 0x89, 0x26, 0x17, 0xC2, 0x05, 0xD2, 0xEC, 0x08, 0xD0,
2958 0x8C,
2959 0xFF, 0x17, 0x52, 0x8C, 0xC5, 0x07, 0x93, 0x03, 0xB1, 0xF6, 0x2F,
2960 0xB8,
2961 0x1C, 0x52, 0x47, 0x27, 0x1B, 0xDB, 0xD1, 0x8D, 0x9D, 0x69, 0x1D,
2962 0x52,
2963 0x4B, 0x32, 0x81, 0xAA, 0x7F, 0x00, 0xC8, 0xDC, 0xE6, 0xD9, 0xCC,
2964 0xC1,
2965 0x11, 0x2D, 0x37, 0x34, 0x6C, 0xEA, 0x02, 0x97, 0x4B, 0x0E, 0xBB,
2966 0xB1,
2967 0x71, 0x33, 0x09, 0x15, 0xFD, 0xDD, 0x23, 0x87, 0x07, 0x5E, 0x89,
2968 0xAB,
2969 0x6B, 0x7C, 0x5F, 0xEC, 0xA6, 0x24, 0xDC, 0x53,
2970 };
2971 static unsigned char dh1024_g[] = {
2972 0x02,
2973 };
2974 DH *dh;
2975 BIGNUM *p, *g;
2976
2977 if ((dh = DH_new()) == NULL)
2978 return NULL;
2979 p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
2980 g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
2981 if ((p == NULL) || (g == NULL) || !DH_set0_pqg(dh, p, NULL, g)) {
2982 DH_free(dh);
2983 BN_free(p);
2984 BN_free(g);
2985 return NULL;
2986 }
2987 return dh;
2988 }
2989
2990 static DH *get_dh1024dsa(void)
2991 {
2992 static unsigned char dh1024_p[] = {
2993 0xC8, 0x00, 0xF7, 0x08, 0x07, 0x89, 0x4D, 0x90, 0x53, 0xF3, 0xD5,
2994 0x00,
2995 0x21, 0x1B, 0xF7, 0x31, 0xA6, 0xA2, 0xDA, 0x23, 0x9A, 0xC7, 0x87,
2996 0x19,
2997 0x3B, 0x47, 0xB6, 0x8C, 0x04, 0x6F, 0xFF, 0xC6, 0x9B, 0xB8, 0x65,
2998 0xD2,
2999 0xC2, 0x5F, 0x31, 0x83, 0x4A, 0xA7, 0x5F, 0x2F, 0x88, 0x38, 0xB6,
3000 0x55,
3001 0xCF, 0xD9, 0x87, 0x6D, 0x6F, 0x9F, 0xDA, 0xAC, 0xA6, 0x48, 0xAF,
3002 0xFC,
3003 0x33, 0x84, 0x37, 0x5B, 0x82, 0x4A, 0x31, 0x5D, 0xE7, 0xBD, 0x52,
3004 0x97,
3005 0xA1, 0x77, 0xBF, 0x10, 0x9E, 0x37, 0xEA, 0x64, 0xFA, 0xCA, 0x28,
3006 0x8D,
3007 0x9D, 0x3B, 0xD2, 0x6E, 0x09, 0x5C, 0x68, 0xC7, 0x45, 0x90, 0xFD,
3008 0xBB,
3009 0x70, 0xC9, 0x3A, 0xBB, 0xDF, 0xD4, 0x21, 0x0F, 0xC4, 0x6A, 0x3C,
3010 0xF6,
3011 0x61, 0xCF, 0x3F, 0xD6, 0x13, 0xF1, 0x5F, 0xBC, 0xCF, 0xBC, 0x26,
3012 0x9E,
3013 0xBC, 0x0B, 0xBD, 0xAB, 0x5D, 0xC9, 0x54, 0x39,
3014 };
3015 static unsigned char dh1024_g[] = {
3016 0x3B, 0x40, 0x86, 0xE7, 0xF3, 0x6C, 0xDE, 0x67, 0x1C, 0xCC, 0x80,
3017 0x05,
3018 0x5A, 0xDF, 0xFE, 0xBD, 0x20, 0x27, 0x74, 0x6C, 0x24, 0xC9, 0x03,
3019 0xF3,
3020 0xE1, 0x8D, 0xC3, 0x7D, 0x98, 0x27, 0x40, 0x08, 0xB8, 0x8C, 0x6A,
3021 0xE9,
3022 0xBB, 0x1A, 0x3A, 0xD6, 0x86, 0x83, 0x5E, 0x72, 0x41, 0xCE, 0x85,
3023 0x3C,
3024 0xD2, 0xB3, 0xFC, 0x13, 0xCE, 0x37, 0x81, 0x9E, 0x4C, 0x1C, 0x7B,
3025 0x65,
3026 0xD3, 0xE6, 0xA6, 0x00, 0xF5, 0x5A, 0x95, 0x43, 0x5E, 0x81, 0xCF,
3027 0x60,
3028 0xA2, 0x23, 0xFC, 0x36, 0xA7, 0x5D, 0x7A, 0x4C, 0x06, 0x91, 0x6E,
3029 0xF6,
3030 0x57, 0xEE, 0x36, 0xCB, 0x06, 0xEA, 0xF5, 0x3D, 0x95, 0x49, 0xCB,
3031 0xA7,
3032 0xDD, 0x81, 0xDF, 0x80, 0x09, 0x4A, 0x97, 0x4D, 0xA8, 0x22, 0x72,
3033 0xA1,
3034 0x7F, 0xC4, 0x70, 0x56, 0x70, 0xE8, 0x20, 0x10, 0x18, 0x8F, 0x2E,
3035 0x60,
3036 0x07, 0xE7, 0x68, 0x1A, 0x82, 0x5D, 0x32, 0xA2,
3037 };
3038 DH *dh;
3039 BIGNUM *p, *g;
3040
3041 if ((dh = DH_new()) == NULL)
3042 return NULL;
3043 p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
3044 g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
3045 if ((p == NULL) || (g == NULL) || !DH_set0_pqg(dh, p, NULL, g)) {
3046 DH_free(dh);
3047 BN_free(p);
3048 BN_free(g);
3049 return NULL;
3050 }
3051 DH_set_length(dh, 160);
3052 return dh;
3053 }
3054 #endif
3055
3056 #ifndef OPENSSL_NO_PSK
3057 /* convert the PSK key (psk_key) in ascii to binary (psk) */
3058 static int psk_key2bn(const char *pskkey, unsigned char *psk,
3059 unsigned int max_psk_len)
3060 {
3061 int ret;
3062 BIGNUM *bn = NULL;
3063
3064 ret = BN_hex2bn(&bn, pskkey);
3065 if (!ret) {
3066 BIO_printf(bio_err, "Could not convert PSK key '%s' to BIGNUM\n",
3067 pskkey);
3068 BN_free(bn);
3069 return 0;
3070 }
3071 if (BN_num_bytes(bn) > (int)max_psk_len) {
3072 BIO_printf(bio_err,
3073 "psk buffer of callback is too small (%d) for key (%d)\n",
3074 max_psk_len, BN_num_bytes(bn));
3075 BN_free(bn);
3076 return 0;
3077 }
3078 ret = BN_bn2bin(bn, psk);
3079 BN_free(bn);
3080 return ret;
3081 }
3082
3083 static unsigned int psk_client_callback(SSL *ssl, const char *hint,
3084 char *identity,
3085 unsigned int max_identity_len,
3086 unsigned char *psk,
3087 unsigned int max_psk_len)
3088 {
3089 int ret;
3090 unsigned int psk_len = 0;
3091
3092 ret = BIO_snprintf(identity, max_identity_len, "Client_identity");
3093 if (ret < 0)
3094 goto out_err;
3095 if (debug)
3096 fprintf(stderr, "client: created identity '%s' len=%d\n", identity,
3097 ret);
3098 ret = psk_key2bn(psk_key, psk, max_psk_len);
3099 if (ret < 0)
3100 goto out_err;
3101 psk_len = ret;
3102 out_err:
3103 return psk_len;
3104 }
3105
3106 static unsigned int psk_server_callback(SSL *ssl, const char *identity,
3107 unsigned char *psk,
3108 unsigned int max_psk_len)
3109 {
3110 unsigned int psk_len = 0;
3111
3112 if (strcmp(identity, "Client_identity") != 0) {
3113 BIO_printf(bio_err, "server: PSK error: client identity not found\n");
3114 return 0;
3115 }
3116 psk_len = psk_key2bn(psk_key, psk, max_psk_len);
3117 return psk_len;
3118 }
3119 #endif
A mirror of the official openssl repository