]> git.ipfire.org Git - thirdparty/openssl.git/blob - test/ssltest_old.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Teach ssl_test_old how to run tests in a non-default library context
[thirdparty/openssl.git] / test / ssltest_old.c
1 /*
2 * Copyright 1995-2018 The OpenSSL Project Authors. All Rights Reserved.
3 * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved
4 * Copyright 2005 Nokia. All rights reserved.
5 *
6 * Licensed under the Apache License 2.0 (the "License"). You may not use
7 * this file except in compliance with the License. You can obtain a copy
8 * in the file LICENSE in the source distribution or at
9 * https://www.openssl.org/source/license.html
10 */
11
12 /*
13 * DH low level APIs are deprecated for public use, but still ok for
14 * internal use.
15 */
16 #include "internal/deprecated.h"
17
18 #include "e_os.h"
19
20 /* Or gethostname won't be declared properly on Linux and GNU platforms. */
21 #ifndef _BSD_SOURCE
22 # define _BSD_SOURCE 1
23 #endif
24 #ifndef _DEFAULT_SOURCE
25 # define _DEFAULT_SOURCE 1
26 #endif
27
28 #include <assert.h>
29 #include <errno.h>
30 #include <limits.h>
31 #include <stdio.h>
32 #include <stdlib.h>
33 #include <string.h>
34 #include <time.h>
35
36 #include "internal/nelem.h"
37
38 #ifdef OPENSSL_SYS_VMS
39 /*
40 * Or isascii won't be declared properly on VMS (at least with DECompHP C).
41 */
42 # define _XOPEN_SOURCE 500
43 #endif
44
45 #include <ctype.h>
46
47 #include <openssl/bio.h>
48 #include <openssl/crypto.h>
49 #include <openssl/evp.h>
50 #include <openssl/x509.h>
51 #include <openssl/x509v3.h>
52 #include <openssl/ssl.h>
53 #include <openssl/err.h>
54 #include <openssl/rand.h>
55 #ifndef OPENSSL_NO_RSA
56 # include <openssl/rsa.h>
57 #endif
58 #ifndef OPENSSL_NO_DSA
59 # include <openssl/dsa.h>
60 #endif
61 #ifndef OPENSSL_NO_DH
62 # include <openssl/dh.h>
63 #endif
64 #include <openssl/bn.h>
65 #ifndef OPENSSL_NO_CT
66 # include <openssl/ct.h>
67 #endif
68 #include <openssl/provider.h>
69
70 /*
71 * Or gethostname won't be declared properly
72 * on Compaq platforms (at least with DEC C).
73 * Do not try to put it earlier, or IPv6 includes
74 * get screwed...
75 */
76 #define _XOPEN_SOURCE_EXTENDED 1
77
78 #ifdef OPENSSL_SYS_WINDOWS
79 # include <winsock.h>
80 #else
81 # include <unistd.h>
82 #endif
83
84 static SSL_CTX *s_ctx = NULL;
85 static SSL_CTX *s_ctx2 = NULL;
86
87 /*
88 * There is really no standard for this, so let's assign something
89 * only for this test
90 */
91 #define COMP_ZLIB 1
92
93 static int verify_callback(int ok, X509_STORE_CTX *ctx);
94 static int app_verify_callback(X509_STORE_CTX *ctx, void *arg);
95 #define APP_CALLBACK_STRING "Test Callback Argument"
96 struct app_verify_arg {
97 char *string;
98 int app_verify;
99 };
100
101 #ifndef OPENSSL_NO_DH
102 static DH *get_dh512(void);
103 static DH *get_dh1024(void);
104 static DH *get_dh1024dsa(void);
105 #endif
106
107 static char *psk_key = NULL; /* by default PSK is not used */
108 #ifndef OPENSSL_NO_PSK
109 static unsigned int psk_client_callback(SSL *ssl, const char *hint,
110 char *identity,
111 unsigned int max_identity_len,
112 unsigned char *psk,
113 unsigned int max_psk_len);
114 static unsigned int psk_server_callback(SSL *ssl, const char *identity,
115 unsigned char *psk,
116 unsigned int max_psk_len);
117 #endif
118
119 static BIO *bio_err = NULL;
120 static BIO *bio_stdout = NULL;
121
122 #ifndef OPENSSL_NO_NEXTPROTONEG
123 /* Note that this code assumes that this is only a one element list: */
124 static const char NEXT_PROTO_STRING[] = "\x09testproto";
125 static int npn_client = 0;
126 static int npn_server = 0;
127 static int npn_server_reject = 0;
128
129 static int cb_client_npn(SSL *s, unsigned char **out, unsigned char *outlen,
130 const unsigned char *in, unsigned int inlen,
131 void *arg)
132 {
133 /*
134 * This callback only returns the protocol string, rather than a length
135 * prefixed set. We assume that NEXT_PROTO_STRING is a one element list
136 * and remove the first byte to chop off the length prefix.
137 */
138 *out = (unsigned char *)NEXT_PROTO_STRING + 1;
139 *outlen = sizeof(NEXT_PROTO_STRING) - 2;
140 return SSL_TLSEXT_ERR_OK;
141 }
142
143 static int cb_server_npn(SSL *s, const unsigned char **data,
144 unsigned int *len, void *arg)
145 {
146 *data = (const unsigned char *)NEXT_PROTO_STRING;
147 *len = sizeof(NEXT_PROTO_STRING) - 1;
148 return SSL_TLSEXT_ERR_OK;
149 }
150
151 static int cb_server_rejects_npn(SSL *s, const unsigned char **data,
152 unsigned int *len, void *arg)
153 {
154 return SSL_TLSEXT_ERR_NOACK;
155 }
156
157 static int verify_npn(SSL *client, SSL *server)
158 {
159 const unsigned char *client_s;
160 unsigned client_len;
161 const unsigned char *server_s;
162 unsigned server_len;
163
164 SSL_get0_next_proto_negotiated(client, &client_s, &client_len);
165 SSL_get0_next_proto_negotiated(server, &server_s, &server_len);
166
167 if (client_len) {
168 BIO_printf(bio_stdout, "Client NPN: ");
169 BIO_write(bio_stdout, client_s, client_len);
170 BIO_printf(bio_stdout, "\n");
171 }
172
173 if (server_len) {
174 BIO_printf(bio_stdout, "Server NPN: ");
175 BIO_write(bio_stdout, server_s, server_len);
176 BIO_printf(bio_stdout, "\n");
177 }
178
179 /*
180 * If an NPN string was returned, it must be the protocol that we
181 * expected to negotiate.
182 */
183 if (client_len && (client_len != sizeof(NEXT_PROTO_STRING) - 2 ||
184 memcmp(client_s, NEXT_PROTO_STRING + 1, client_len)))
185 return -1;
186 if (server_len && (server_len != sizeof(NEXT_PROTO_STRING) - 2 ||
187 memcmp(server_s, NEXT_PROTO_STRING + 1, server_len)))
188 return -1;
189
190 if (!npn_client && client_len)
191 return -1;
192 if (!npn_server && server_len)
193 return -1;
194 if (npn_server_reject && server_len)
195 return -1;
196 if (npn_client && npn_server && (!client_len || !server_len))
197 return -1;
198
199 return 0;
200 }
201 #endif
202
203 static const char *alpn_client;
204 static char *alpn_server;
205 static char *alpn_server2;
206 static const char *alpn_expected;
207 static unsigned char *alpn_selected;
208 static const char *server_min_proto;
209 static const char *server_max_proto;
210 static const char *client_min_proto;
211 static const char *client_max_proto;
212 static const char *should_negotiate;
213 static const char *sn_client;
214 static const char *sn_server1;
215 static const char *sn_server2;
216 static int sn_expect = 0;
217 static const char *server_sess_out;
218 static const char *server_sess_in;
219 static const char *client_sess_out;
220 static const char *client_sess_in;
221 static SSL_SESSION *server_sess;
222 static SSL_SESSION *client_sess;
223
224 static int servername_cb(SSL *s, int *ad, void *arg)
225 {
226 const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
227 if (sn_server2 == NULL) {
228 BIO_printf(bio_stdout, "Servername 2 is NULL\n");
229 return SSL_TLSEXT_ERR_NOACK;
230 }
231
232 if (servername) {
233 if (s_ctx2 != NULL && sn_server2 != NULL &&
234 !strcasecmp(servername, sn_server2)) {
235 BIO_printf(bio_stdout, "Switching server context.\n");
236 SSL_set_SSL_CTX(s, s_ctx2);
237 }
238 }
239 return SSL_TLSEXT_ERR_OK;
240 }
241 static int verify_servername(SSL *client, SSL *server)
242 {
243 /* just need to see if sn_context is what we expect */
244 SSL_CTX* ctx = SSL_get_SSL_CTX(server);
245 if (sn_expect == 0)
246 return 0;
247 if (sn_expect == 1 && ctx == s_ctx)
248 return 0;
249 if (sn_expect == 2 && ctx == s_ctx2)
250 return 0;
251 BIO_printf(bio_stdout, "Servername: expected context %d\n", sn_expect);
252 if (ctx == s_ctx2)
253 BIO_printf(bio_stdout, "Servername: context is 2\n");
254 else if (ctx == s_ctx)
255 BIO_printf(bio_stdout, "Servername: context is 1\n");
256 else
257 BIO_printf(bio_stdout, "Servername: context is unknown\n");
258 return -1;
259 }
260
261
262 /*-
263 * next_protos_parse parses a comma separated list of strings into a string
264 * in a format suitable for passing to SSL_CTX_set_next_protos_advertised.
265 * outlen: (output) set to the length of the resulting buffer on success.
266 * in: a NUL terminated string like "abc,def,ghi"
267 *
268 * returns: a malloced buffer or NULL on failure.
269 */
270 static unsigned char *next_protos_parse(size_t *outlen,
271 const char *in)
272 {
273 size_t len;
274 unsigned char *out;
275 size_t i, start = 0;
276
277 len = strlen(in);
278 if (len >= 65535)
279 return NULL;
280
281 out = OPENSSL_malloc(strlen(in) + 1);
282 if (!out)
283 return NULL;
284
285 for (i = 0; i <= len; ++i) {
286 if (i == len || in[i] == ',') {
287 if (i - start > 255) {
288 OPENSSL_free(out);
289 return NULL;
290 }
291 out[start] = (unsigned char)(i - start);
292 start = i + 1;
293 } else
294 out[i + 1] = in[i];
295 }
296
297 *outlen = len + 1;
298 return out;
299 }
300
301 static int cb_server_alpn(SSL *s, const unsigned char **out,
302 unsigned char *outlen, const unsigned char *in,
303 unsigned int inlen, void *arg)
304 {
305 unsigned char *protos;
306 size_t protos_len;
307 char* alpn_str = arg;
308
309 protos = next_protos_parse(&protos_len, alpn_str);
310 if (protos == NULL) {
311 fprintf(stderr, "failed to parser ALPN server protocol string: %s\n",
312 alpn_str);
313 abort();
314 }
315
316 if (SSL_select_next_proto
317 ((unsigned char **)out, outlen, protos, protos_len, in,
318 inlen) != OPENSSL_NPN_NEGOTIATED) {
319 OPENSSL_free(protos);
320 return SSL_TLSEXT_ERR_NOACK;
321 }
322
323 /*
324 * Make a copy of the selected protocol which will be freed in
325 * verify_alpn.
326 */
327 alpn_selected = OPENSSL_malloc(*outlen);
328 memcpy(alpn_selected, *out, *outlen);
329 *out = alpn_selected;
330
331 OPENSSL_free(protos);
332 return SSL_TLSEXT_ERR_OK;
333 }
334
335 static int verify_alpn(SSL *client, SSL *server)
336 {
337 const unsigned char *client_proto, *server_proto;
338 unsigned int client_proto_len = 0, server_proto_len = 0;
339 SSL_get0_alpn_selected(client, &client_proto, &client_proto_len);
340 SSL_get0_alpn_selected(server, &server_proto, &server_proto_len);
341
342 OPENSSL_free(alpn_selected);
343 alpn_selected = NULL;
344
345 if (client_proto_len != server_proto_len) {
346 BIO_printf(bio_stdout, "ALPN selected protocols differ!\n");
347 goto err;
348 }
349
350 if (client_proto != NULL &&
351 memcmp(client_proto, server_proto, client_proto_len) != 0) {
352 BIO_printf(bio_stdout, "ALPN selected protocols differ!\n");
353 goto err;
354 }
355
356 if (client_proto_len > 0 && alpn_expected == NULL) {
357 BIO_printf(bio_stdout, "ALPN unexpectedly negotiated\n");
358 goto err;
359 }
360
361 if (alpn_expected != NULL &&
362 (client_proto_len != strlen(alpn_expected) ||
363 memcmp(client_proto, alpn_expected, client_proto_len) != 0)) {
364 BIO_printf(bio_stdout,
365 "ALPN selected protocols not equal to expected protocol: %s\n",
366 alpn_expected);
367 goto err;
368 }
369
370 return 0;
371
372 err:
373 BIO_printf(bio_stdout, "ALPN results: client: '");
374 BIO_write(bio_stdout, client_proto, client_proto_len);
375 BIO_printf(bio_stdout, "', server: '");
376 BIO_write(bio_stdout, server_proto, server_proto_len);
377 BIO_printf(bio_stdout, "'\n");
378 BIO_printf(bio_stdout, "ALPN configured: client: '%s', server: '",
379 alpn_client);
380 if (SSL_get_SSL_CTX(server) == s_ctx2) {
381 BIO_printf(bio_stdout, "%s'\n",
382 alpn_server2);
383 } else {
384 BIO_printf(bio_stdout, "%s'\n",
385 alpn_server);
386 }
387 return -1;
388 }
389
390 /*
391 * WARNING : below extension types are *NOT* IETF assigned, and could
392 * conflict if these types are reassigned and handled specially by OpenSSL
393 * in the future
394 */
395 #define TACK_EXT_TYPE 62208
396 #define CUSTOM_EXT_TYPE_0 1000
397 #define CUSTOM_EXT_TYPE_1 1001
398 #define CUSTOM_EXT_TYPE_2 1002
399 #define CUSTOM_EXT_TYPE_3 1003
400
401 static const char custom_ext_cli_string[] = "abc";
402 static const char custom_ext_srv_string[] = "defg";
403
404 /* These set from cmdline */
405 static char *serverinfo_file = NULL;
406 static int serverinfo_sct = 0;
407 static int serverinfo_tack = 0;
408
409 /* These set based on extension callbacks */
410 static int serverinfo_sct_seen = 0;
411 static int serverinfo_tack_seen = 0;
412 static int serverinfo_other_seen = 0;
413
414 /* This set from cmdline */
415 static int custom_ext = 0;
416
417 /* This set based on extension callbacks */
418 static int custom_ext_error = 0;
419
420 static int serverinfo_cli_parse_cb(SSL *s, unsigned int ext_type,
421 const unsigned char *in, size_t inlen,
422 int *al, void *arg)
423 {
424 if (ext_type == TLSEXT_TYPE_signed_certificate_timestamp)
425 serverinfo_sct_seen++;
426 else if (ext_type == TACK_EXT_TYPE)
427 serverinfo_tack_seen++;
428 else
429 serverinfo_other_seen++;
430 return 1;
431 }
432
433 static int verify_serverinfo(void)
434 {
435 if (serverinfo_sct != serverinfo_sct_seen)
436 return -1;
437 if (serverinfo_tack != serverinfo_tack_seen)
438 return -1;
439 if (serverinfo_other_seen)
440 return -1;
441 return 0;
442 }
443
444 /*-
445 * Four test cases for custom extensions:
446 * 0 - no ClientHello extension or ServerHello response
447 * 1 - ClientHello with "abc", no response
448 * 2 - ClientHello with "abc", empty response
449 * 3 - ClientHello with "abc", "defg" response
450 */
451
452 static int custom_ext_0_cli_add_cb(SSL *s, unsigned int ext_type,
453 const unsigned char **out,
454 size_t *outlen, int *al, void *arg)
455 {
456 if (ext_type != CUSTOM_EXT_TYPE_0)
457 custom_ext_error = 1;
458 return 0; /* Don't send an extension */
459 }
460
461 static int custom_ext_0_cli_parse_cb(SSL *s, unsigned int ext_type,
462 const unsigned char *in,
463 size_t inlen, int *al, void *arg)
464 {
465 return 1;
466 }
467
468 static int custom_ext_1_cli_add_cb(SSL *s, unsigned int ext_type,
469 const unsigned char **out,
470 size_t *outlen, int *al, void *arg)
471 {
472 if (ext_type != CUSTOM_EXT_TYPE_1)
473 custom_ext_error = 1;
474 *out = (const unsigned char *)custom_ext_cli_string;
475 *outlen = strlen(custom_ext_cli_string);
476 return 1; /* Send "abc" */
477 }
478
479 static int custom_ext_1_cli_parse_cb(SSL *s, unsigned int ext_type,
480 const unsigned char *in,
481 size_t inlen, int *al, void *arg)
482 {
483 return 1;
484 }
485
486 static int custom_ext_2_cli_add_cb(SSL *s, unsigned int ext_type,
487 const unsigned char **out,
488 size_t *outlen, int *al, void *arg)
489 {
490 if (ext_type != CUSTOM_EXT_TYPE_2)
491 custom_ext_error = 1;
492 *out = (const unsigned char *)custom_ext_cli_string;
493 *outlen = strlen(custom_ext_cli_string);
494 return 1; /* Send "abc" */
495 }
496
497 static int custom_ext_2_cli_parse_cb(SSL *s, unsigned int ext_type,
498 const unsigned char *in,
499 size_t inlen, int *al, void *arg)
500 {
501 if (ext_type != CUSTOM_EXT_TYPE_2)
502 custom_ext_error = 1;
503 if (inlen != 0)
504 custom_ext_error = 1; /* Should be empty response */
505 return 1;
506 }
507
508 static int custom_ext_3_cli_add_cb(SSL *s, unsigned int ext_type,
509 const unsigned char **out,
510 size_t *outlen, int *al, void *arg)
511 {
512 if (ext_type != CUSTOM_EXT_TYPE_3)
513 custom_ext_error = 1;
514 *out = (const unsigned char *)custom_ext_cli_string;
515 *outlen = strlen(custom_ext_cli_string);
516 return 1; /* Send "abc" */
517 }
518
519 static int custom_ext_3_cli_parse_cb(SSL *s, unsigned int ext_type,
520 const unsigned char *in,
521 size_t inlen, int *al, void *arg)
522 {
523 if (ext_type != CUSTOM_EXT_TYPE_3)
524 custom_ext_error = 1;
525 if (inlen != strlen(custom_ext_srv_string))
526 custom_ext_error = 1;
527 if (memcmp(custom_ext_srv_string, in, inlen) != 0)
528 custom_ext_error = 1; /* Check for "defg" */
529 return 1;
530 }
531
532 /*
533 * custom_ext_0_cli_add_cb returns 0 - the server won't receive a callback
534 * for this extension
535 */
536 static int custom_ext_0_srv_parse_cb(SSL *s, unsigned int ext_type,
537 const unsigned char *in,
538 size_t inlen, int *al, void *arg)
539 {
540 custom_ext_error = 1;
541 return 1;
542 }
543
544 /* 'add' callbacks are only called if the 'parse' callback is called */
545 static int custom_ext_0_srv_add_cb(SSL *s, unsigned int ext_type,
546 const unsigned char **out,
547 size_t *outlen, int *al, void *arg)
548 {
549 /* Error: should not have been called */
550 custom_ext_error = 1;
551 return 0; /* Don't send an extension */
552 }
553
554 static int custom_ext_1_srv_parse_cb(SSL *s, unsigned int ext_type,
555 const unsigned char *in,
556 size_t inlen, int *al, void *arg)
557 {
558 if (ext_type != CUSTOM_EXT_TYPE_1)
559 custom_ext_error = 1;
560 /* Check for "abc" */
561 if (inlen != strlen(custom_ext_cli_string))
562 custom_ext_error = 1;
563 if (memcmp(in, custom_ext_cli_string, inlen) != 0)
564 custom_ext_error = 1;
565 return 1;
566 }
567
568 static int custom_ext_1_srv_add_cb(SSL *s, unsigned int ext_type,
569 const unsigned char **out,
570 size_t *outlen, int *al, void *arg)
571 {
572 return 0; /* Don't send an extension */
573 }
574
575 static int custom_ext_2_srv_parse_cb(SSL *s, unsigned int ext_type,
576 const unsigned char *in,
577 size_t inlen, int *al, void *arg)
578 {
579 if (ext_type != CUSTOM_EXT_TYPE_2)
580 custom_ext_error = 1;
581 /* Check for "abc" */
582 if (inlen != strlen(custom_ext_cli_string))
583 custom_ext_error = 1;
584 if (memcmp(in, custom_ext_cli_string, inlen) != 0)
585 custom_ext_error = 1;
586 return 1;
587 }
588
589 static int custom_ext_2_srv_add_cb(SSL *s, unsigned int ext_type,
590 const unsigned char **out,
591 size_t *outlen, int *al, void *arg)
592 {
593 *out = NULL;
594 *outlen = 0;
595 return 1; /* Send empty extension */
596 }
597
598 static int custom_ext_3_srv_parse_cb(SSL *s, unsigned int ext_type,
599 const unsigned char *in,
600 size_t inlen, int *al, void *arg)
601 {
602 if (ext_type != CUSTOM_EXT_TYPE_3)
603 custom_ext_error = 1;
604 /* Check for "abc" */
605 if (inlen != strlen(custom_ext_cli_string))
606 custom_ext_error = 1;
607 if (memcmp(in, custom_ext_cli_string, inlen) != 0)
608 custom_ext_error = 1;
609 return 1;
610 }
611
612 static int custom_ext_3_srv_add_cb(SSL *s, unsigned int ext_type,
613 const unsigned char **out,
614 size_t *outlen, int *al, void *arg)
615 {
616 *out = (const unsigned char *)custom_ext_srv_string;
617 *outlen = strlen(custom_ext_srv_string);
618 return 1; /* Send "defg" */
619 }
620
621 static char *cipher = NULL;
622 static char *ciphersuites = NULL;
623 static int verbose = 0;
624 static int debug = 0;
625
626 int doit_localhost(SSL *s_ssl, SSL *c_ssl, int family,
627 long bytes, clock_t *s_time, clock_t *c_time);
628 int doit_biopair(SSL *s_ssl, SSL *c_ssl, long bytes, clock_t *s_time,
629 clock_t *c_time);
630 int doit(SSL *s_ssl, SSL *c_ssl, long bytes);
631
632 static void sv_usage(void)
633 {
634 fprintf(stderr, "usage: ssltest [args ...]\n");
635 fprintf(stderr, "\n");
636 fprintf(stderr, " -server_auth - check server certificate\n");
637 fprintf(stderr, " -client_auth - do client authentication\n");
638 fprintf(stderr, " -v - more output\n");
639 fprintf(stderr, " -d - debug output\n");
640 fprintf(stderr, " -reuse - use session-id reuse\n");
641 fprintf(stderr, " -num <val> - number of connections to perform\n");
642 fprintf(stderr,
643 " -bytes <val> - number of bytes to swap between client/server\n");
644 #ifndef OPENSSL_NO_DH
645 fprintf(stderr,
646 " -dhe512 - use 512 bit key for DHE (to test failure)\n");
647 fprintf(stderr,
648 " -dhe1024 - use 1024 bit key (safe prime) for DHE (default, no-op)\n");
649 fprintf(stderr,
650 " -dhe1024dsa - use 1024 bit key (with 160-bit subprime) for DHE\n");
651 fprintf(stderr, " -no_dhe - disable DHE\n");
652 #endif
653 #ifndef OPENSSL_NO_EC
654 fprintf(stderr, " -no_ecdhe - disable ECDHE\nTODO(openssl-team): no_ecdhe was broken by auto ecdh. Make this work again.\n");
655 #endif
656 #ifndef OPENSSL_NO_PSK
657 fprintf(stderr, " -psk arg - PSK in hex (without 0x)\n");
658 #endif
659 #ifndef OPENSSL_NO_SSL3
660 fprintf(stderr, " -ssl3 - use SSLv3\n");
661 #endif
662 #ifndef OPENSSL_NO_TLS1
663 fprintf(stderr, " -tls1 - use TLSv1\n");
664 #endif
665 #ifndef OPENSSL_NO_DTLS
666 fprintf(stderr, " -dtls - use DTLS\n");
667 #ifndef OPENSSL_NO_DTLS1
668 fprintf(stderr, " -dtls1 - use DTLSv1\n");
669 #endif
670 #ifndef OPENSSL_NO_DTLS1_2
671 fprintf(stderr, " -dtls12 - use DTLSv1.2\n");
672 #endif
673 #endif
674 fprintf(stderr, " -CApath arg - PEM format directory of CA's\n");
675 fprintf(stderr, " -CAfile arg - PEM format file of CA's\n");
676 fprintf(stderr, " -cert arg - Server certificate file\n");
677 fprintf(stderr,
678 " -key arg - Server key file (default: same as -cert)\n");
679 fprintf(stderr, " -c_cert arg - Client certificate file\n");
680 fprintf(stderr,
681 " -c_key arg - Client key file (default: same as -c_cert)\n");
682 fprintf(stderr, " -cipher arg - The TLSv1.2 and below cipher list\n");
683 fprintf(stderr, " -ciphersuites arg - The TLSv1.3 ciphersuites\n");
684 fprintf(stderr, " -bio_pair - Use BIO pairs\n");
685 fprintf(stderr, " -ipv4 - Use IPv4 connection on localhost\n");
686 fprintf(stderr, " -ipv6 - Use IPv6 connection on localhost\n");
687 fprintf(stderr, " -f - Test even cases that can't work\n");
688 fprintf(stderr,
689 " -time - measure processor time used by client and server\n");
690 fprintf(stderr, " -zlib - use zlib compression\n");
691 #ifndef OPENSSL_NO_NEXTPROTONEG
692 fprintf(stderr, " -npn_client - have client side offer NPN\n");
693 fprintf(stderr, " -npn_server - have server side offer NPN\n");
694 fprintf(stderr, " -npn_server_reject - have server reject NPN\n");
695 #endif
696 fprintf(stderr, " -serverinfo_file file - have server use this file\n");
697 fprintf(stderr, " -serverinfo_sct - have client offer and expect SCT\n");
698 fprintf(stderr,
699 " -serverinfo_tack - have client offer and expect TACK\n");
700 fprintf(stderr,
701 " -custom_ext - try various custom extension callbacks\n");
702 fprintf(stderr, " -alpn_client <string> - have client side offer ALPN\n");
703 fprintf(stderr, " -alpn_server <string> - have server side offer ALPN\n");
704 fprintf(stderr, " -alpn_server1 <string> - alias for -alpn_server\n");
705 fprintf(stderr, " -alpn_server2 <string> - have server side context 2 offer ALPN\n");
706 fprintf(stderr,
707 " -alpn_expected <string> - the ALPN protocol that should be negotiated\n");
708 fprintf(stderr, " -server_min_proto <string> - Minimum version the server should support\n");
709 fprintf(stderr, " -server_max_proto <string> - Maximum version the server should support\n");
710 fprintf(stderr, " -client_min_proto <string> - Minimum version the client should support\n");
711 fprintf(stderr, " -client_max_proto <string> - Maximum version the client should support\n");
712 fprintf(stderr, " -should_negotiate <string> - The version that should be negotiated, fail-client or fail-server\n");
713 #ifndef OPENSSL_NO_CT
714 fprintf(stderr, " -noct - no certificate transparency\n");
715 fprintf(stderr, " -requestct - request certificate transparency\n");
716 fprintf(stderr, " -requirect - require certificate transparency\n");
717 #endif
718 fprintf(stderr, " -sn_client <string> - have client request this servername\n");
719 fprintf(stderr, " -sn_server1 <string> - have server context 1 respond to this servername\n");
720 fprintf(stderr, " -sn_server2 <string> - have server context 2 respond to this servername\n");
721 fprintf(stderr, " -sn_expect1 - expected server 1\n");
722 fprintf(stderr, " -sn_expect2 - expected server 2\n");
723 fprintf(stderr, " -server_sess_out <file> - Save the server session to a file\n");
724 fprintf(stderr, " -server_sess_in <file> - Read the server session from a file\n");
725 fprintf(stderr, " -client_sess_out <file> - Save the client session to a file\n");
726 fprintf(stderr, " -client_sess_in <file> - Read the client session from a file\n");
727 fprintf(stderr, " -should_reuse <number> - The expected state of reusing the session\n");
728 fprintf(stderr, " -no_ticket - do not issue TLS session ticket\n");
729 fprintf(stderr, " -provider <name> - Load the given provider into the library context\n");
730 }
731
732 static void print_key_details(BIO *out, EVP_PKEY *key)
733 {
734 int keyid = EVP_PKEY_id(key);
735 #ifndef OPENSSL_NO_EC
736 if (keyid == EVP_PKEY_EC) {
737 EC_KEY *ec = EVP_PKEY_get1_EC_KEY(key);
738 int nid;
739 const char *cname;
740 nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
741 EC_KEY_free(ec);
742 cname = EC_curve_nid2nist(nid);
743 if (!cname)
744 cname = OBJ_nid2sn(nid);
745 BIO_printf(out, "%d bits EC (%s)", EVP_PKEY_bits(key), cname);
746 } else
747 #endif
748 {
749 const char *algname;
750 switch (keyid) {
751 case EVP_PKEY_RSA:
752 algname = "RSA";
753 break;
754 case EVP_PKEY_DSA:
755 algname = "DSA";
756 break;
757 case EVP_PKEY_DH:
758 algname = "DH";
759 break;
760 default:
761 algname = OBJ_nid2sn(keyid);
762 break;
763 }
764 BIO_printf(out, "%d bits %s", EVP_PKEY_bits(key), algname);
765 }
766 }
767
768 static void print_details(SSL *c_ssl, const char *prefix)
769 {
770 const SSL_CIPHER *ciph;
771 int mdnid;
772 X509 *cert;
773 EVP_PKEY *pkey;
774
775 ciph = SSL_get_current_cipher(c_ssl);
776 BIO_printf(bio_stdout, "%s%s, cipher %s %s",
777 prefix,
778 SSL_get_version(c_ssl),
779 SSL_CIPHER_get_version(ciph), SSL_CIPHER_get_name(ciph));
780 cert = SSL_get_peer_certificate(c_ssl);
781 if (cert != NULL) {
782 EVP_PKEY* pubkey = X509_get0_pubkey(cert);
783
784 if (pubkey != NULL) {
785 BIO_puts(bio_stdout, ", ");
786 print_key_details(bio_stdout, pubkey);
787 }
788 X509_free(cert);
789 }
790 if (SSL_get_peer_tmp_key(c_ssl, &pkey)) {
791 BIO_puts(bio_stdout, ", temp key: ");
792 print_key_details(bio_stdout, pkey);
793 EVP_PKEY_free(pkey);
794 }
795 if (SSL_get_peer_signature_nid(c_ssl, &mdnid))
796 BIO_printf(bio_stdout, ", digest=%s", OBJ_nid2sn(mdnid));
797 BIO_printf(bio_stdout, "\n");
798 }
799
800 /*
801 * protocol_from_string - converts a protocol version string to a number
802 *
803 * Returns -1 on failure or the version on success
804 */
805 static int protocol_from_string(const char *value)
806 {
807 struct protocol_versions {
808 const char *name;
809 int version;
810 };
811 static const struct protocol_versions versions[] = {
812 {"ssl3", SSL3_VERSION},
813 {"tls1", TLS1_VERSION},
814 {"tls1.1", TLS1_1_VERSION},
815 {"tls1.2", TLS1_2_VERSION},
816 {"tls1.3", TLS1_3_VERSION},
817 {"dtls1", DTLS1_VERSION},
818 {"dtls1.2", DTLS1_2_VERSION}};
819 size_t i;
820 size_t n = OSSL_NELEM(versions);
821
822 for (i = 0; i < n; i++)
823 if (strcmp(versions[i].name, value) == 0)
824 return versions[i].version;
825 return -1;
826 }
827
828 static SSL_SESSION *read_session(const char *filename)
829 {
830 SSL_SESSION *sess;
831 BIO *f = BIO_new_file(filename, "r");
832
833 if (f == NULL) {
834 BIO_printf(bio_err, "Can't open session file %s\n", filename);
835 ERR_print_errors(bio_err);
836 return NULL;
837 }
838 sess = PEM_read_bio_SSL_SESSION(f, NULL, 0, NULL);
839 if (sess == NULL) {
840 BIO_printf(bio_err, "Can't parse session file %s\n", filename);
841 ERR_print_errors(bio_err);
842 }
843 BIO_free(f);
844 return sess;
845 }
846
847 static int write_session(const char *filename, SSL_SESSION *sess)
848 {
849 BIO *f = BIO_new_file(filename, "w");
850
851 if (sess == NULL) {
852 BIO_printf(bio_err, "No session information\n");
853 return 0;
854 }
855 if (f == NULL) {
856 BIO_printf(bio_err, "Can't open session file %s\n", filename);
857 ERR_print_errors(bio_err);
858 return 0;
859 }
860 PEM_write_bio_SSL_SESSION(f, sess);
861 BIO_free(f);
862 return 1;
863 }
864
865 /*
866 * set_protocol_version - Sets protocol version minimum or maximum
867 *
868 * Returns 0 on failure and 1 on success
869 */
870 static int set_protocol_version(const char *version, SSL *ssl, int setting)
871 {
872 if (version != NULL) {
873 int ver = protocol_from_string(version);
874 if (ver < 0) {
875 BIO_printf(bio_err, "Error parsing: %s\n", version);
876 return 0;
877 }
878 return SSL_ctrl(ssl, setting, ver, NULL);
879 }
880 return 1;
881 }
882
883 int main(int argc, char *argv[])
884 {
885 const char *CApath = NULL, *CAfile = NULL;
886 int badop = 0;
887 enum { BIO_MEM, BIO_PAIR, BIO_IPV4, BIO_IPV6 } bio_type = BIO_MEM;
888 int force = 0;
889 int dtls1 = 0, dtls12 = 0, dtls = 0, tls1 = 0, tls1_2 = 0, ssl3 = 0;
890 int ret = EXIT_FAILURE;
891 int client_auth = 0;
892 int server_auth = 0, i;
893 struct app_verify_arg app_verify_arg =
894 { APP_CALLBACK_STRING, 0 };
895 SSL_CTX *c_ctx = NULL;
896 const SSL_METHOD *meth = NULL;
897 SSL *c_ssl, *s_ssl;
898 int number = 1, reuse = 0;
899 int should_reuse = -1;
900 int no_ticket = 0;
901 long bytes = 256L;
902 #ifndef OPENSSL_NO_DH
903 DH *dh;
904 int dhe512 = 0, dhe1024dsa = 0;
905 #endif
906 int no_dhe = 0;
907 int no_psk = 0;
908 int print_time = 0;
909 clock_t s_time = 0, c_time = 0;
910 #ifndef OPENSSL_NO_COMP
911 int n, comp = 0;
912 COMP_METHOD *cm = NULL;
913 STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
914 #endif
915 int no_protocol;
916 int min_version = 0, max_version = 0;
917 #ifndef OPENSSL_NO_CT
918 /*
919 * Disable CT validation by default, because it will interfere with
920 * anything using custom extension handlers to deal with SCT extensions.
921 */
922 int ct_validation = 0;
923 #endif
924 SSL_CONF_CTX *s_cctx = NULL, *c_cctx = NULL, *s_cctx2 = NULL;
925 STACK_OF(OPENSSL_STRING) *conf_args = NULL;
926 char *arg = NULL, *argn = NULL;
927 const char *provider = NULL, *config = NULL;
928 OSSL_PROVIDER *thisprov = NULL, *defctxnull = NULL;
929 OPENSSL_CTX *libctx = NULL;
930
931 verbose = 0;
932 debug = 0;
933
934 bio_err = BIO_new_fp(stderr, BIO_NOCLOSE | BIO_FP_TEXT);
935 bio_stdout = BIO_new_fp(stdout, BIO_NOCLOSE | BIO_FP_TEXT);
936
937 s_cctx = SSL_CONF_CTX_new();
938 s_cctx2 = SSL_CONF_CTX_new();
939 c_cctx = SSL_CONF_CTX_new();
940
941 if (!s_cctx || !c_cctx || !s_cctx2) {
942 ERR_print_errors(bio_err);
943 goto end;
944 }
945
946 SSL_CONF_CTX_set_flags(s_cctx,
947 SSL_CONF_FLAG_CMDLINE | SSL_CONF_FLAG_SERVER |
948 SSL_CONF_FLAG_CERTIFICATE |
949 SSL_CONF_FLAG_REQUIRE_PRIVATE);
950 SSL_CONF_CTX_set_flags(s_cctx2,
951 SSL_CONF_FLAG_CMDLINE | SSL_CONF_FLAG_SERVER |
952 SSL_CONF_FLAG_CERTIFICATE |
953 SSL_CONF_FLAG_REQUIRE_PRIVATE);
954 if (!SSL_CONF_CTX_set1_prefix(s_cctx, "-s_")) {
955 ERR_print_errors(bio_err);
956 goto end;
957 }
958 if (!SSL_CONF_CTX_set1_prefix(s_cctx2, "-s_")) {
959 ERR_print_errors(bio_err);
960 goto end;
961 }
962
963 SSL_CONF_CTX_set_flags(c_cctx,
964 SSL_CONF_FLAG_CMDLINE | SSL_CONF_FLAG_CLIENT |
965 SSL_CONF_FLAG_CERTIFICATE |
966 SSL_CONF_FLAG_REQUIRE_PRIVATE);
967 if (!SSL_CONF_CTX_set1_prefix(c_cctx, "-c_")) {
968 ERR_print_errors(bio_err);
969 goto end;
970 }
971
972 argc--;
973 argv++;
974
975 while (argc >= 1) {
976 if (strcmp(*argv, "-F") == 0) {
977 fprintf(stderr,
978 "not compiled with FIPS support, so exiting without running.\n");
979 EXIT(0);
980 } else if (strcmp(*argv, "-server_auth") == 0)
981 server_auth = 1;
982 else if (strcmp(*argv, "-client_auth") == 0)
983 client_auth = 1;
984 else if (strcmp(*argv, "-v") == 0)
985 verbose = 1;
986 else if (strcmp(*argv, "-d") == 0)
987 debug = 1;
988 else if (strcmp(*argv, "-reuse") == 0)
989 reuse = 1;
990 else if (strcmp(*argv, "-dhe512") == 0) {
991 #ifndef OPENSSL_NO_DH
992 dhe512 = 1;
993 #else
994 fprintf(stderr,
995 "ignoring -dhe512, since I'm compiled without DH\n");
996 #endif
997 } else if (strcmp(*argv, "-dhe1024dsa") == 0) {
998 #ifndef OPENSSL_NO_DH
999 dhe1024dsa = 1;
1000 #else
1001 fprintf(stderr,
1002 "ignoring -dhe1024dsa, since I'm compiled without DH\n");
1003 #endif
1004 } else if (strcmp(*argv, "-no_dhe") == 0)
1005 no_dhe = 1;
1006 else if (strcmp(*argv, "-no_ecdhe") == 0)
1007 /* obsolete */;
1008 else if (strcmp(*argv, "-psk") == 0) {
1009 if (--argc < 1)
1010 goto bad;
1011 psk_key = *(++argv);
1012 #ifndef OPENSSL_NO_PSK
1013 if (strspn(psk_key, "abcdefABCDEF1234567890") != strlen(psk_key)) {
1014 BIO_printf(bio_err, "Not a hex number '%s'\n", *argv);
1015 goto bad;
1016 }
1017 #else
1018 no_psk = 1;
1019 #endif
1020 }
1021 else if (strcmp(*argv, "-tls1_2") == 0) {
1022 tls1_2 = 1;
1023 } else if (strcmp(*argv, "-tls1") == 0) {
1024 tls1 = 1;
1025 } else if (strcmp(*argv, "-ssl3") == 0) {
1026 ssl3 = 1;
1027 } else if (strcmp(*argv, "-dtls1") == 0) {
1028 dtls1 = 1;
1029 } else if (strcmp(*argv, "-dtls12") == 0) {
1030 dtls12 = 1;
1031 } else if (strcmp(*argv, "-dtls") == 0) {
1032 dtls = 1;
1033 } else if (strncmp(*argv, "-num", 4) == 0) {
1034 if (--argc < 1)
1035 goto bad;
1036 number = atoi(*(++argv));
1037 if (number == 0)
1038 number = 1;
1039 } else if (strcmp(*argv, "-bytes") == 0) {
1040 if (--argc < 1)
1041 goto bad;
1042 bytes = atol(*(++argv));
1043 if (bytes == 0L)
1044 bytes = 1L;
1045 i = strlen(argv[0]);
1046 if (argv[0][i - 1] == 'k')
1047 bytes *= 1024L;
1048 if (argv[0][i - 1] == 'm')
1049 bytes *= 1024L * 1024L;
1050 } else if (strcmp(*argv, "-cipher") == 0) {
1051 if (--argc < 1)
1052 goto bad;
1053 cipher = *(++argv);
1054 } else if (strcmp(*argv, "-ciphersuites") == 0) {
1055 if (--argc < 1)
1056 goto bad;
1057 ciphersuites = *(++argv);
1058 } else if (strcmp(*argv, "-CApath") == 0) {
1059 if (--argc < 1)
1060 goto bad;
1061 CApath = *(++argv);
1062 } else if (strcmp(*argv, "-CAfile") == 0) {
1063 if (--argc < 1)
1064 goto bad;
1065 CAfile = *(++argv);
1066 } else if (strcmp(*argv, "-bio_pair") == 0) {
1067 bio_type = BIO_PAIR;
1068 }
1069 #ifndef OPENSSL_NO_SOCK
1070 else if (strcmp(*argv, "-ipv4") == 0) {
1071 bio_type = BIO_IPV4;
1072 } else if (strcmp(*argv, "-ipv6") == 0) {
1073 bio_type = BIO_IPV6;
1074 }
1075 #endif
1076 else if (strcmp(*argv, "-f") == 0) {
1077 force = 1;
1078 } else if (strcmp(*argv, "-time") == 0) {
1079 print_time = 1;
1080 }
1081 #ifndef OPENSSL_NO_CT
1082 else if (strcmp(*argv, "-noct") == 0) {
1083 ct_validation = 0;
1084 }
1085 else if (strcmp(*argv, "-ct") == 0) {
1086 ct_validation = 1;
1087 }
1088 #endif
1089 #ifndef OPENSSL_NO_COMP
1090 else if (strcmp(*argv, "-zlib") == 0) {
1091 comp = COMP_ZLIB;
1092 }
1093 #endif
1094 else if (strcmp(*argv, "-app_verify") == 0) {
1095 app_verify_arg.app_verify = 1;
1096 }
1097 #ifndef OPENSSL_NO_NEXTPROTONEG
1098 else if (strcmp(*argv, "-npn_client") == 0) {
1099 npn_client = 1;
1100 } else if (strcmp(*argv, "-npn_server") == 0) {
1101 npn_server = 1;
1102 } else if (strcmp(*argv, "-npn_server_reject") == 0) {
1103 npn_server_reject = 1;
1104 }
1105 #endif
1106 else if (strcmp(*argv, "-serverinfo_sct") == 0) {
1107 serverinfo_sct = 1;
1108 } else if (strcmp(*argv, "-serverinfo_tack") == 0) {
1109 serverinfo_tack = 1;
1110 } else if (strcmp(*argv, "-serverinfo_file") == 0) {
1111 if (--argc < 1)
1112 goto bad;
1113 serverinfo_file = *(++argv);
1114 } else if (strcmp(*argv, "-custom_ext") == 0) {
1115 custom_ext = 1;
1116 } else if (strcmp(*argv, "-alpn_client") == 0) {
1117 if (--argc < 1)
1118 goto bad;
1119 alpn_client = *(++argv);
1120 } else if (strcmp(*argv, "-alpn_server") == 0 ||
1121 strcmp(*argv, "-alpn_server1") == 0) {
1122 if (--argc < 1)
1123 goto bad;
1124 alpn_server = *(++argv);
1125 } else if (strcmp(*argv, "-alpn_server2") == 0) {
1126 if (--argc < 1)
1127 goto bad;
1128 alpn_server2 = *(++argv);
1129 } else if (strcmp(*argv, "-alpn_expected") == 0) {
1130 if (--argc < 1)
1131 goto bad;
1132 alpn_expected = *(++argv);
1133 } else if (strcmp(*argv, "-server_min_proto") == 0) {
1134 if (--argc < 1)
1135 goto bad;
1136 server_min_proto = *(++argv);
1137 } else if (strcmp(*argv, "-server_max_proto") == 0) {
1138 if (--argc < 1)
1139 goto bad;
1140 server_max_proto = *(++argv);
1141 } else if (strcmp(*argv, "-client_min_proto") == 0) {
1142 if (--argc < 1)
1143 goto bad;
1144 client_min_proto = *(++argv);
1145 } else if (strcmp(*argv, "-client_max_proto") == 0) {
1146 if (--argc < 1)
1147 goto bad;
1148 client_max_proto = *(++argv);
1149 } else if (strcmp(*argv, "-should_negotiate") == 0) {
1150 if (--argc < 1)
1151 goto bad;
1152 should_negotiate = *(++argv);
1153 } else if (strcmp(*argv, "-sn_client") == 0) {
1154 if (--argc < 1)
1155 goto bad;
1156 sn_client = *(++argv);
1157 } else if (strcmp(*argv, "-sn_server1") == 0) {
1158 if (--argc < 1)
1159 goto bad;
1160 sn_server1 = *(++argv);
1161 } else if (strcmp(*argv, "-sn_server2") == 0) {
1162 if (--argc < 1)
1163 goto bad;
1164 sn_server2 = *(++argv);
1165 } else if (strcmp(*argv, "-sn_expect1") == 0) {
1166 sn_expect = 1;
1167 } else if (strcmp(*argv, "-sn_expect2") == 0) {
1168 sn_expect = 2;
1169 } else if (strcmp(*argv, "-server_sess_out") == 0) {
1170 if (--argc < 1)
1171 goto bad;
1172 server_sess_out = *(++argv);
1173 } else if (strcmp(*argv, "-server_sess_in") == 0) {
1174 if (--argc < 1)
1175 goto bad;
1176 server_sess_in = *(++argv);
1177 } else if (strcmp(*argv, "-client_sess_out") == 0) {
1178 if (--argc < 1)
1179 goto bad;
1180 client_sess_out = *(++argv);
1181 } else if (strcmp(*argv, "-client_sess_in") == 0) {
1182 if (--argc < 1)
1183 goto bad;
1184 client_sess_in = *(++argv);
1185 } else if (strcmp(*argv, "-should_reuse") == 0) {
1186 if (--argc < 1)
1187 goto bad;
1188 should_reuse = !!atoi(*(++argv));
1189 } else if (strcmp(*argv, "-no_ticket") == 0) {
1190 no_ticket = 1;
1191 } else if (strcmp(*argv, "-provider") == 0) {
1192 if (--argc < 1)
1193 goto bad;
1194 provider = *(++argv);
1195 } else {
1196 int rv;
1197 arg = argv[0];
1198 argn = argv[1];
1199 /* Try to process command using SSL_CONF */
1200 rv = SSL_CONF_cmd_argv(c_cctx, &argc, &argv);
1201 /* If not processed try server */
1202 if (rv == 0)
1203 rv = SSL_CONF_cmd_argv(s_cctx, &argc, &argv);
1204 /* Recognised: store it for later use */
1205 if (rv > 0) {
1206 if (rv == 1)
1207 argn = NULL;
1208 if (!conf_args) {
1209 conf_args = sk_OPENSSL_STRING_new_null();
1210 if (!conf_args)
1211 goto end;
1212 }
1213 if (!sk_OPENSSL_STRING_push(conf_args, arg))
1214 goto end;
1215 if (!sk_OPENSSL_STRING_push(conf_args, argn))
1216 goto end;
1217 continue;
1218 }
1219 if (rv == -3)
1220 BIO_printf(bio_err, "Missing argument for %s\n", arg);
1221 else if (rv < 0)
1222 BIO_printf(bio_err, "Error with command %s\n", arg);
1223 else if (rv == 0)
1224 BIO_printf(bio_err, "unknown option %s\n", arg);
1225 badop = 1;
1226 break;
1227 }
1228 argc--;
1229 argv++;
1230 }
1231 if (badop) {
1232 bad:
1233 sv_usage();
1234 goto end;
1235 }
1236
1237 if (ssl3 + tls1 + tls1_2 + dtls + dtls1 + dtls12 > 1) {
1238 fprintf(stderr, "At most one of -ssl3, -tls1, -tls1_2, -dtls, -dtls1 or -dtls12 should "
1239 "be requested.\n");
1240 EXIT(1);
1241 }
1242
1243 #ifdef OPENSSL_NO_SSL3
1244 if (ssl3)
1245 no_protocol = 1;
1246 else
1247 #endif
1248 #ifdef OPENSSL_NO_TLS1
1249 if (tls1)
1250 no_protocol = 1;
1251 else
1252 #endif
1253 #ifdef OPENSSL_NO_TLS1_2
1254 if (tls1_2)
1255 no_protocol = 1;
1256 else
1257 #endif
1258 #if defined(OPENSSL_NO_DTLS) || defined(OPENSSL_NO_DTLS1)
1259 if (dtls1)
1260 no_protocol = 1;
1261 else
1262 #endif
1263 #if defined(OPENSSL_NO_DTLS) || defined(OPENSSL_NO_DTLS1_2)
1264 if (dtls12)
1265 no_protocol = 1;
1266 else
1267 #endif
1268 no_protocol = 0;
1269
1270 /*
1271 * Testing was requested for a compiled-out protocol (e.g. SSLv3).
1272 * Ideally, we would error out, but the generic test wrapper can't know
1273 * when to expect failure. So we do nothing and return success.
1274 */
1275 if (no_protocol) {
1276 fprintf(stderr, "Testing was requested for a disabled protocol. "
1277 "Skipping tests.\n");
1278 ret = EXIT_SUCCESS;
1279 goto end;
1280 }
1281
1282 if (!ssl3 && !tls1 && !tls1_2 && !dtls && !dtls1 && !dtls12 && number > 1
1283 && !reuse && !force) {
1284 fprintf(stderr, "This case cannot work. Use -f to perform "
1285 "the test anyway (and\n-d to see what happens), "
1286 "or add one of -ssl3, -tls1, -tls1_2, -dtls, -dtls1, -dtls12, -reuse\n"
1287 "to avoid protocol mismatch.\n");
1288 EXIT(1);
1289 }
1290
1291 if (print_time) {
1292 if (bio_type != BIO_PAIR) {
1293 fprintf(stderr, "Using BIO pair (-bio_pair)\n");
1294 bio_type = BIO_PAIR;
1295 }
1296 if (number < 50 && !force)
1297 fprintf(stderr,
1298 "Warning: For accurate timings, use more connections (e.g. -num 1000)\n");
1299 }
1300
1301 #ifndef OPENSSL_NO_COMP
1302 if (comp == COMP_ZLIB)
1303 cm = COMP_zlib();
1304 if (cm != NULL) {
1305 if (COMP_get_type(cm) != NID_undef) {
1306 if (SSL_COMP_add_compression_method(comp, cm) != 0) {
1307 fprintf(stderr, "Failed to add compression method\n");
1308 ERR_print_errors_fp(stderr);
1309 }
1310 } else {
1311 fprintf(stderr,
1312 "Warning: %s compression not supported\n",
1313 comp == COMP_ZLIB ? "zlib" : "unknown");
1314 ERR_print_errors_fp(stderr);
1315 }
1316 }
1317 ssl_comp_methods = SSL_COMP_get_compression_methods();
1318 n = sk_SSL_COMP_num(ssl_comp_methods);
1319 if (n) {
1320 int j;
1321 printf("Available compression methods:");
1322 for (j = 0; j < n; j++) {
1323 SSL_COMP *c = sk_SSL_COMP_value(ssl_comp_methods, j);
1324 printf(" %s:%d", SSL_COMP_get0_name(c), SSL_COMP_get_id(c));
1325 }
1326 printf("\n");
1327 }
1328 #endif
1329
1330 #ifndef OPENSSL_NO_TLS
1331 meth = TLS_method();
1332 if (ssl3) {
1333 min_version = SSL3_VERSION;
1334 max_version = SSL3_VERSION;
1335 } else if (tls1) {
1336 min_version = TLS1_VERSION;
1337 max_version = TLS1_VERSION;
1338 } else if (tls1_2) {
1339 min_version = TLS1_2_VERSION;
1340 max_version = TLS1_2_VERSION;
1341 } else {
1342 min_version = 0;
1343 max_version = 0;
1344 }
1345 #endif
1346 #ifndef OPENSSL_NO_DTLS
1347 if (dtls || dtls1 || dtls12) {
1348 meth = DTLS_method();
1349 if (dtls1) {
1350 min_version = DTLS1_VERSION;
1351 max_version = DTLS1_VERSION;
1352 } else if (dtls12) {
1353 min_version = DTLS1_2_VERSION;
1354 max_version = DTLS1_2_VERSION;
1355 } else {
1356 min_version = 0;
1357 max_version = 0;
1358 }
1359 }
1360 #endif
1361
1362 if (provider != NULL) {
1363 defctxnull = OSSL_PROVIDER_load(NULL, "null");
1364 if (defctxnull == NULL)
1365 goto end;
1366 libctx = OPENSSL_CTX_new();
1367 if (libctx == NULL)
1368 goto end;
1369
1370 thisprov = OSSL_PROVIDER_load(libctx, provider);
1371 if (thisprov == NULL)
1372 goto end;
1373 }
1374
1375 c_ctx = SSL_CTX_new_with_libctx(libctx, NULL, meth);
1376 s_ctx = SSL_CTX_new_with_libctx(libctx, NULL, meth);
1377 s_ctx2 = SSL_CTX_new_with_libctx(libctx, NULL, meth); /* no SSL_CTX_dup! */
1378 if ((c_ctx == NULL) || (s_ctx == NULL) || (s_ctx2 == NULL)) {
1379 ERR_print_errors(bio_err);
1380 goto end;
1381 }
1382 /*
1383 * Since we will use low security ciphersuites and keys for testing set
1384 * security level to zero by default. Tests can override this by adding
1385 * "@SECLEVEL=n" to the cipher string.
1386 */
1387 SSL_CTX_set_security_level(c_ctx, 0);
1388 SSL_CTX_set_security_level(s_ctx, 0);
1389 SSL_CTX_set_security_level(s_ctx2, 0);
1390
1391 if (no_ticket) {
1392 SSL_CTX_set_options(c_ctx, SSL_OP_NO_TICKET);
1393 SSL_CTX_set_options(s_ctx, SSL_OP_NO_TICKET);
1394 }
1395
1396 if (SSL_CTX_set_min_proto_version(c_ctx, min_version) == 0)
1397 goto end;
1398 if (SSL_CTX_set_max_proto_version(c_ctx, max_version) == 0)
1399 goto end;
1400 if (SSL_CTX_set_min_proto_version(s_ctx, min_version) == 0)
1401 goto end;
1402 if (SSL_CTX_set_max_proto_version(s_ctx, max_version) == 0)
1403 goto end;
1404
1405 if (cipher != NULL) {
1406 if (strcmp(cipher, "") == 0) {
1407 if (!SSL_CTX_set_cipher_list(c_ctx, cipher)) {
1408 if (ERR_GET_REASON(ERR_peek_error()) == SSL_R_NO_CIPHER_MATCH) {
1409 ERR_clear_error();
1410 } else {
1411 ERR_print_errors(bio_err);
1412 goto end;
1413 }
1414 } else {
1415 /* Should have failed when clearing all TLSv1.2 ciphers. */
1416 fprintf(stderr, "CLEARING ALL TLSv1.2 CIPHERS SHOULD FAIL\n");
1417 goto end;
1418 }
1419
1420 if (!SSL_CTX_set_cipher_list(s_ctx, cipher)) {
1421 if (ERR_GET_REASON(ERR_peek_error()) == SSL_R_NO_CIPHER_MATCH) {
1422 ERR_clear_error();
1423 } else {
1424 ERR_print_errors(bio_err);
1425 goto end;
1426 }
1427 } else {
1428 /* Should have failed when clearing all TLSv1.2 ciphers. */
1429 fprintf(stderr, "CLEARING ALL TLSv1.2 CIPHERS SHOULD FAIL\n");
1430 goto end;
1431 }
1432
1433 if (!SSL_CTX_set_cipher_list(s_ctx2, cipher)) {
1434 if (ERR_GET_REASON(ERR_peek_error()) == SSL_R_NO_CIPHER_MATCH) {
1435 ERR_clear_error();
1436 } else {
1437 ERR_print_errors(bio_err);
1438 goto end;
1439 }
1440 } else {
1441 /* Should have failed when clearing all TLSv1.2 ciphers. */
1442 fprintf(stderr, "CLEARING ALL TLSv1.2 CIPHERS SHOULD FAIL\n");
1443 goto end;
1444 }
1445 } else {
1446 if (!SSL_CTX_set_cipher_list(c_ctx, cipher)
1447 || !SSL_CTX_set_cipher_list(s_ctx, cipher)
1448 || !SSL_CTX_set_cipher_list(s_ctx2, cipher)) {
1449 ERR_print_errors(bio_err);
1450 goto end;
1451 }
1452 }
1453 }
1454 if (ciphersuites != NULL) {
1455 if (!SSL_CTX_set_ciphersuites(c_ctx, ciphersuites)
1456 || !SSL_CTX_set_ciphersuites(s_ctx, ciphersuites)
1457 || !SSL_CTX_set_ciphersuites(s_ctx2, ciphersuites)) {
1458 ERR_print_errors(bio_err);
1459 goto end;
1460 }
1461 }
1462
1463 #ifndef OPENSSL_NO_CT
1464 if (ct_validation &&
1465 !SSL_CTX_enable_ct(c_ctx, SSL_CT_VALIDATION_STRICT)) {
1466 ERR_print_errors(bio_err);
1467 goto end;
1468 }
1469 #endif
1470
1471 /* Process SSL_CONF arguments */
1472 SSL_CONF_CTX_set_ssl_ctx(c_cctx, c_ctx);
1473 SSL_CONF_CTX_set_ssl_ctx(s_cctx, s_ctx);
1474 SSL_CONF_CTX_set_ssl_ctx(s_cctx2, s_ctx2);
1475
1476 for (i = 0; i < sk_OPENSSL_STRING_num(conf_args); i += 2) {
1477 int rv;
1478 arg = sk_OPENSSL_STRING_value(conf_args, i);
1479 argn = sk_OPENSSL_STRING_value(conf_args, i + 1);
1480 rv = SSL_CONF_cmd(c_cctx, arg, argn);
1481 /* If not recognised use server context */
1482 if (rv == -2) {
1483 rv = SSL_CONF_cmd(s_cctx2, arg, argn);
1484 if (rv > 0)
1485 rv = SSL_CONF_cmd(s_cctx, arg, argn);
1486 }
1487 if (rv <= 0) {
1488 BIO_printf(bio_err, "Error processing %s %s\n",
1489 arg, argn ? argn : "");
1490 ERR_print_errors(bio_err);
1491 goto end;
1492 }
1493 }
1494
1495 if (!SSL_CONF_CTX_finish(s_cctx) || !SSL_CONF_CTX_finish(c_cctx) || !SSL_CONF_CTX_finish(s_cctx2)) {
1496 BIO_puts(bio_err, "Error finishing context\n");
1497 ERR_print_errors(bio_err);
1498 goto end;
1499 }
1500 #ifndef OPENSSL_NO_DH
1501 if (!no_dhe) {
1502 if (dhe1024dsa) {
1503 dh = get_dh1024dsa();
1504 } else if (dhe512)
1505 dh = get_dh512();
1506 else
1507 dh = get_dh1024();
1508 SSL_CTX_set_tmp_dh(s_ctx, dh);
1509 SSL_CTX_set_tmp_dh(s_ctx2, dh);
1510 DH_free(dh);
1511 }
1512 #else
1513 (void)no_dhe;
1514 #endif
1515
1516 if (!(SSL_CTX_load_verify_file(s_ctx, CAfile)
1517 || SSL_CTX_load_verify_dir(s_ctx, CApath))
1518 || !SSL_CTX_set_default_verify_paths(s_ctx)
1519 || !(SSL_CTX_load_verify_file(s_ctx2, CAfile)
1520 || SSL_CTX_load_verify_dir(s_ctx2, CApath))
1521 || !SSL_CTX_set_default_verify_paths(s_ctx2)
1522 || !(SSL_CTX_load_verify_file(c_ctx, CAfile)
1523 || SSL_CTX_load_verify_dir(c_ctx, CApath))
1524 || !SSL_CTX_set_default_verify_paths(c_ctx)) {
1525 ERR_print_errors(bio_err);
1526 }
1527
1528 #ifndef OPENSSL_NO_CT
1529 if (!SSL_CTX_set_default_ctlog_list_file(s_ctx) ||
1530 !SSL_CTX_set_default_ctlog_list_file(s_ctx2) ||
1531 !SSL_CTX_set_default_ctlog_list_file(c_ctx)) {
1532 ERR_print_errors(bio_err);
1533 }
1534 #endif
1535
1536 if (client_auth) {
1537 printf("client authentication\n");
1538 SSL_CTX_set_verify(s_ctx,
1539 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
1540 verify_callback);
1541 SSL_CTX_set_verify(s_ctx2,
1542 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
1543 verify_callback);
1544 SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback,
1545 &app_verify_arg);
1546 SSL_CTX_set_cert_verify_callback(s_ctx2, app_verify_callback,
1547 &app_verify_arg);
1548 }
1549 if (server_auth) {
1550 printf("server authentication\n");
1551 SSL_CTX_set_verify(c_ctx, SSL_VERIFY_PEER, verify_callback);
1552 SSL_CTX_set_cert_verify_callback(c_ctx, app_verify_callback,
1553 &app_verify_arg);
1554 }
1555
1556 {
1557 int session_id_context = 0;
1558 if (!SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context,
1559 sizeof(session_id_context)) ||
1560 !SSL_CTX_set_session_id_context(s_ctx2, (void *)&session_id_context,
1561 sizeof(session_id_context))) {
1562 ERR_print_errors(bio_err);
1563 goto end;
1564 }
1565 }
1566
1567 /* Use PSK only if PSK key is given */
1568 if (psk_key != NULL) {
1569 /*
1570 * no_psk is used to avoid putting psk command to openssl tool
1571 */
1572 if (no_psk) {
1573 /*
1574 * if PSK is not compiled in and psk key is given, do nothing and
1575 * exit successfully
1576 */
1577 ret = EXIT_SUCCESS;
1578 goto end;
1579 }
1580 #ifndef OPENSSL_NO_PSK
1581 SSL_CTX_set_psk_client_callback(c_ctx, psk_client_callback);
1582 SSL_CTX_set_psk_server_callback(s_ctx, psk_server_callback);
1583 SSL_CTX_set_psk_server_callback(s_ctx2, psk_server_callback);
1584 if (debug)
1585 BIO_printf(bio_err, "setting PSK identity hint to s_ctx\n");
1586 if (!SSL_CTX_use_psk_identity_hint(s_ctx, "ctx server identity_hint") ||
1587 !SSL_CTX_use_psk_identity_hint(s_ctx2, "ctx server identity_hint")) {
1588 BIO_printf(bio_err, "error setting PSK identity hint to s_ctx\n");
1589 ERR_print_errors(bio_err);
1590 goto end;
1591 }
1592 #endif
1593 }
1594
1595 #ifndef OPENSSL_NO_NEXTPROTONEG
1596 if (npn_client) {
1597 SSL_CTX_set_next_proto_select_cb(c_ctx, cb_client_npn, NULL);
1598 }
1599 if (npn_server) {
1600 if (npn_server_reject) {
1601 BIO_printf(bio_err,
1602 "Can't have both -npn_server and -npn_server_reject\n");
1603 goto end;
1604 }
1605 SSL_CTX_set_npn_advertised_cb(s_ctx, cb_server_npn, NULL);
1606 SSL_CTX_set_npn_advertised_cb(s_ctx2, cb_server_npn, NULL);
1607 }
1608 if (npn_server_reject) {
1609 SSL_CTX_set_npn_advertised_cb(s_ctx, cb_server_rejects_npn, NULL);
1610 SSL_CTX_set_npn_advertised_cb(s_ctx2, cb_server_rejects_npn, NULL);
1611 }
1612 #endif
1613
1614 if (serverinfo_sct) {
1615 if (!SSL_CTX_add_client_custom_ext(c_ctx,
1616 TLSEXT_TYPE_signed_certificate_timestamp,
1617 NULL, NULL, NULL,
1618 serverinfo_cli_parse_cb, NULL)) {
1619 BIO_printf(bio_err, "Error adding SCT extension\n");
1620 goto end;
1621 }
1622 }
1623 if (serverinfo_tack) {
1624 if (!SSL_CTX_add_client_custom_ext(c_ctx, TACK_EXT_TYPE,
1625 NULL, NULL, NULL,
1626 serverinfo_cli_parse_cb, NULL)) {
1627 BIO_printf(bio_err, "Error adding TACK extension\n");
1628 goto end;
1629 }
1630 }
1631 if (serverinfo_file)
1632 if (!SSL_CTX_use_serverinfo_file(s_ctx, serverinfo_file) ||
1633 !SSL_CTX_use_serverinfo_file(s_ctx2, serverinfo_file)) {
1634 BIO_printf(bio_err, "missing serverinfo file\n");
1635 goto end;
1636 }
1637
1638 if (custom_ext) {
1639 if (!SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_0,
1640 custom_ext_0_cli_add_cb,
1641 NULL, NULL,
1642 custom_ext_0_cli_parse_cb, NULL)
1643 || !SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_1,
1644 custom_ext_1_cli_add_cb,
1645 NULL, NULL,
1646 custom_ext_1_cli_parse_cb, NULL)
1647 || !SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_2,
1648 custom_ext_2_cli_add_cb,
1649 NULL, NULL,
1650 custom_ext_2_cli_parse_cb, NULL)
1651 || !SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_3,
1652 custom_ext_3_cli_add_cb,
1653 NULL, NULL,
1654 custom_ext_3_cli_parse_cb, NULL)
1655 || !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_0,
1656 custom_ext_0_srv_add_cb,
1657 NULL, NULL,
1658 custom_ext_0_srv_parse_cb, NULL)
1659 || !SSL_CTX_add_server_custom_ext(s_ctx2, CUSTOM_EXT_TYPE_0,
1660 custom_ext_0_srv_add_cb,
1661 NULL, NULL,
1662 custom_ext_0_srv_parse_cb, NULL)
1663 || !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_1,
1664 custom_ext_1_srv_add_cb,
1665 NULL, NULL,
1666 custom_ext_1_srv_parse_cb, NULL)
1667 || !SSL_CTX_add_server_custom_ext(s_ctx2, CUSTOM_EXT_TYPE_1,
1668 custom_ext_1_srv_add_cb,
1669 NULL, NULL,
1670 custom_ext_1_srv_parse_cb, NULL)
1671 || !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_2,
1672 custom_ext_2_srv_add_cb,
1673 NULL, NULL,
1674 custom_ext_2_srv_parse_cb, NULL)
1675 || !SSL_CTX_add_server_custom_ext(s_ctx2, CUSTOM_EXT_TYPE_2,
1676 custom_ext_2_srv_add_cb,
1677 NULL, NULL,
1678 custom_ext_2_srv_parse_cb, NULL)
1679 || !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_3,
1680 custom_ext_3_srv_add_cb,
1681 NULL, NULL,
1682 custom_ext_3_srv_parse_cb, NULL)
1683 || !SSL_CTX_add_server_custom_ext(s_ctx2, CUSTOM_EXT_TYPE_3,
1684 custom_ext_3_srv_add_cb,
1685 NULL, NULL,
1686 custom_ext_3_srv_parse_cb, NULL)) {
1687 BIO_printf(bio_err, "Error setting custom extensions\n");
1688 goto end;
1689 }
1690 }
1691
1692 if (alpn_server)
1693 SSL_CTX_set_alpn_select_cb(s_ctx, cb_server_alpn, alpn_server);
1694 if (alpn_server2)
1695 SSL_CTX_set_alpn_select_cb(s_ctx2, cb_server_alpn, alpn_server2);
1696
1697 if (alpn_client) {
1698 size_t alpn_len;
1699 unsigned char *alpn = next_protos_parse(&alpn_len, alpn_client);
1700
1701 if (alpn == NULL) {
1702 BIO_printf(bio_err, "Error parsing -alpn_client argument\n");
1703 goto end;
1704 }
1705 /* Returns 0 on success!! */
1706 if (SSL_CTX_set_alpn_protos(c_ctx, alpn, alpn_len)) {
1707 BIO_printf(bio_err, "Error setting ALPN\n");
1708 OPENSSL_free(alpn);
1709 goto end;
1710 }
1711 OPENSSL_free(alpn);
1712 }
1713
1714 if (server_sess_in != NULL) {
1715 server_sess = read_session(server_sess_in);
1716 if (server_sess == NULL)
1717 goto end;
1718 }
1719 if (client_sess_in != NULL) {
1720 client_sess = read_session(client_sess_in);
1721 if (client_sess == NULL)
1722 goto end;
1723 }
1724
1725 if (server_sess_out != NULL || server_sess_in != NULL) {
1726 char *keys;
1727 long size;
1728
1729 /* Use a fixed key so that we can decrypt the ticket. */
1730 size = SSL_CTX_set_tlsext_ticket_keys(s_ctx, NULL, 0);
1731 keys = OPENSSL_zalloc(size);
1732 SSL_CTX_set_tlsext_ticket_keys(s_ctx, keys, size);
1733 OPENSSL_free(keys);
1734 }
1735
1736 if (sn_server1 != NULL || sn_server2 != NULL)
1737 SSL_CTX_set_tlsext_servername_callback(s_ctx, servername_cb);
1738
1739 c_ssl = SSL_new(c_ctx);
1740 s_ssl = SSL_new(s_ctx);
1741
1742 if (sn_client)
1743 SSL_set_tlsext_host_name(c_ssl, sn_client);
1744
1745 if (!set_protocol_version(server_min_proto, s_ssl, SSL_CTRL_SET_MIN_PROTO_VERSION))
1746 goto end;
1747 if (!set_protocol_version(server_max_proto, s_ssl, SSL_CTRL_SET_MAX_PROTO_VERSION))
1748 goto end;
1749 if (!set_protocol_version(client_min_proto, c_ssl, SSL_CTRL_SET_MIN_PROTO_VERSION))
1750 goto end;
1751 if (!set_protocol_version(client_max_proto, c_ssl, SSL_CTRL_SET_MAX_PROTO_VERSION))
1752 goto end;
1753
1754 if (server_sess) {
1755 if (SSL_CTX_add_session(s_ctx, server_sess) == 0) {
1756 BIO_printf(bio_err, "Can't add server session\n");
1757 ERR_print_errors(bio_err);
1758 goto end;
1759 }
1760 }
1761
1762 BIO_printf(bio_stdout, "Doing handshakes=%d bytes=%ld\n", number, bytes);
1763 for (i = 0; i < number; i++) {
1764 if (!reuse) {
1765 if (!SSL_set_session(c_ssl, NULL)) {
1766 BIO_printf(bio_err, "Failed to set session\n");
1767 goto end;
1768 }
1769 }
1770 if (client_sess_in != NULL) {
1771 if (SSL_set_session(c_ssl, client_sess) == 0) {
1772 BIO_printf(bio_err, "Can't set client session\n");
1773 ERR_print_errors(bio_err);
1774 goto end;
1775 }
1776 }
1777 switch (bio_type) {
1778 case BIO_MEM:
1779 ret = doit(s_ssl, c_ssl, bytes);
1780 break;
1781 case BIO_PAIR:
1782 ret = doit_biopair(s_ssl, c_ssl, bytes, &s_time, &c_time);
1783 break;
1784 #ifndef OPENSSL_NO_SOCK
1785 case BIO_IPV4:
1786 ret = doit_localhost(s_ssl, c_ssl, BIO_FAMILY_IPV4,
1787 bytes, &s_time, &c_time);
1788 break;
1789 case BIO_IPV6:
1790 ret = doit_localhost(s_ssl, c_ssl, BIO_FAMILY_IPV6,
1791 bytes, &s_time, &c_time);
1792 break;
1793 #else
1794 case BIO_IPV4:
1795 case BIO_IPV6:
1796 ret = EXIT_FAILURE;
1797 goto err;
1798 #endif
1799 }
1800 if (ret != EXIT_SUCCESS) break;
1801 }
1802
1803 if (should_negotiate && ret == EXIT_SUCCESS &&
1804 strcmp(should_negotiate, "fail-server") != 0 &&
1805 strcmp(should_negotiate, "fail-client") != 0) {
1806 int version = protocol_from_string(should_negotiate);
1807 if (version < 0) {
1808 BIO_printf(bio_err, "Error parsing: %s\n", should_negotiate);
1809 ret = EXIT_FAILURE;
1810 goto err;
1811 }
1812 if (SSL_version(c_ssl) != version) {
1813 BIO_printf(bio_err, "Unexpected version negotiated. "
1814 "Expected: %s, got %s\n", should_negotiate, SSL_get_version(c_ssl));
1815 ret = EXIT_FAILURE;
1816 goto err;
1817 }
1818 }
1819
1820 if (should_reuse != -1) {
1821 if (SSL_session_reused(s_ssl) != should_reuse ||
1822 SSL_session_reused(c_ssl) != should_reuse) {
1823 BIO_printf(bio_err, "Unexpected session reuse state. "
1824 "Expected: %d, server: %d, client: %d\n", should_reuse,
1825 SSL_session_reused(s_ssl), SSL_session_reused(c_ssl));
1826 ret = EXIT_FAILURE;
1827 goto err;
1828 }
1829 }
1830
1831 if (server_sess_out != NULL) {
1832 if (write_session(server_sess_out, SSL_get_session(s_ssl)) == 0) {
1833 ret = EXIT_FAILURE;
1834 goto err;
1835 }
1836 }
1837 if (client_sess_out != NULL) {
1838 if (write_session(client_sess_out, SSL_get_session(c_ssl)) == 0) {
1839 ret = EXIT_FAILURE;
1840 goto err;
1841 }
1842 }
1843
1844 if (!verbose) {
1845 print_details(c_ssl, "");
1846 }
1847 if (print_time) {
1848 #ifdef CLOCKS_PER_SEC
1849 /*
1850 * "To determine the time in seconds, the value returned by the clock
1851 * function should be divided by the value of the macro
1852 * CLOCKS_PER_SEC." -- ISO/IEC 9899
1853 */
1854 BIO_printf(bio_stdout, "Approximate total server time: %6.2f s\n"
1855 "Approximate total client time: %6.2f s\n",
1856 (double)s_time / CLOCKS_PER_SEC,
1857 (double)c_time / CLOCKS_PER_SEC);
1858 #else
1859 BIO_printf(bio_stdout,
1860 "Approximate total server time: %6.2f units\n"
1861 "Approximate total client time: %6.2f units\n",
1862 (double)s_time, (double)c_time);
1863 #endif
1864 }
1865
1866 err:
1867 SSL_free(s_ssl);
1868 SSL_free(c_ssl);
1869
1870 end:
1871 SSL_CTX_free(s_ctx);
1872 SSL_CTX_free(s_ctx2);
1873 SSL_CTX_free(c_ctx);
1874 SSL_CONF_CTX_free(s_cctx);
1875 SSL_CONF_CTX_free(s_cctx2);
1876 SSL_CONF_CTX_free(c_cctx);
1877 sk_OPENSSL_STRING_free(conf_args);
1878
1879 BIO_free(bio_stdout);
1880
1881 SSL_SESSION_free(server_sess);
1882 SSL_SESSION_free(client_sess);
1883
1884 OSSL_PROVIDER_unload(defctxnull);
1885 OSSL_PROVIDER_unload(thisprov);
1886 OPENSSL_CTX_free(libctx);
1887
1888 BIO_free(bio_err);
1889 EXIT(ret);
1890 }
1891
1892 #ifndef OPENSSL_NO_SOCK
1893 int doit_localhost(SSL *s_ssl, SSL *c_ssl, int family, long count,
1894 clock_t *s_time, clock_t *c_time)
1895 {
1896 long cw_num = count, cr_num = count, sw_num = count, sr_num = count;
1897 BIO *s_ssl_bio = NULL, *c_ssl_bio = NULL;
1898 BIO *acpt = NULL, *server = NULL, *client = NULL;
1899 char addr_str[40];
1900 int ret = EXIT_FAILURE;
1901 int err_in_client = 0;
1902 int err_in_server = 0;
1903
1904 acpt = BIO_new_accept(family == BIO_FAMILY_IPV4 ? "127.0.0.1:0"
1905 : "[::1]:0");
1906 if (acpt == NULL)
1907 goto err;
1908 BIO_set_accept_ip_family(acpt, family);
1909 BIO_set_bind_mode(acpt, BIO_SOCK_NONBLOCK | BIO_SOCK_REUSEADDR);
1910 if (BIO_do_accept(acpt) <= 0)
1911 goto err;
1912
1913 BIO_snprintf(addr_str, sizeof(addr_str), ":%s", BIO_get_accept_port(acpt));
1914
1915 client = BIO_new_connect(addr_str);
1916 BIO_set_conn_ip_family(client, family);
1917 if (!client)
1918 goto err;
1919
1920 if (BIO_set_nbio(client, 1) <= 0)
1921 goto err;
1922 if (BIO_set_nbio(acpt, 1) <= 0)
1923 goto err;
1924
1925 {
1926 int st_connect = 0, st_accept = 0;
1927
1928 while(!st_connect || !st_accept) {
1929 if (!st_connect) {
1930 if (BIO_do_connect(client) <= 0) {
1931 if (!BIO_should_retry(client))
1932 goto err;
1933 } else {
1934 st_connect = 1;
1935 }
1936 }
1937 if (!st_accept) {
1938 if (BIO_do_accept(acpt) <= 0) {
1939 if (!BIO_should_retry(acpt))
1940 goto err;
1941 } else {
1942 st_accept = 1;
1943 }
1944 }
1945 }
1946 }
1947 /* We're not interested in accepting further connects */
1948 server = BIO_pop(acpt);
1949 BIO_free_all(acpt);
1950 acpt = NULL;
1951
1952 s_ssl_bio = BIO_new(BIO_f_ssl());
1953 if (!s_ssl_bio)
1954 goto err;
1955
1956 c_ssl_bio = BIO_new(BIO_f_ssl());
1957 if (!c_ssl_bio)
1958 goto err;
1959
1960 SSL_set_connect_state(c_ssl);
1961 SSL_set_bio(c_ssl, client, client);
1962 (void)BIO_set_ssl(c_ssl_bio, c_ssl, BIO_NOCLOSE);
1963
1964 SSL_set_accept_state(s_ssl);
1965 SSL_set_bio(s_ssl, server, server);
1966 (void)BIO_set_ssl(s_ssl_bio, s_ssl, BIO_NOCLOSE);
1967
1968 do {
1969 /*-
1970 * c_ssl_bio: SSL filter BIO
1971 *
1972 * client: I/O for SSL library
1973 *
1974 *
1975 * server: I/O for SSL library
1976 *
1977 * s_ssl_bio: SSL filter BIO
1978 */
1979
1980 /*
1981 * We have non-blocking behaviour throughout this test program, but
1982 * can be sure that there is *some* progress in each iteration; so we
1983 * don't have to worry about ..._SHOULD_READ or ..._SHOULD_WRITE --
1984 * we just try everything in each iteration
1985 */
1986
1987 {
1988 /* CLIENT */
1989
1990 char cbuf[1024 * 8];
1991 int i, r;
1992 clock_t c_clock = clock();
1993
1994 memset(cbuf, 0, sizeof(cbuf));
1995
1996 if (debug)
1997 if (SSL_in_init(c_ssl))
1998 printf("client waiting in SSL_connect - %s\n",
1999 SSL_state_string_long(c_ssl));
2000
2001 if (cw_num > 0) {
2002 /* Write to server. */
2003
2004 if (cw_num > (long)sizeof(cbuf))
2005 i = sizeof(cbuf);
2006 else
2007 i = (int)cw_num;
2008 r = BIO_write(c_ssl_bio, cbuf, i);
2009 if (r < 0) {
2010 if (!BIO_should_retry(c_ssl_bio)) {
2011 fprintf(stderr, "ERROR in CLIENT\n");
2012 err_in_client = 1;
2013 goto err;
2014 }
2015 /*
2016 * BIO_should_retry(...) can just be ignored here. The
2017 * library expects us to call BIO_write with the same
2018 * arguments again, and that's what we will do in the
2019 * next iteration.
2020 */
2021 } else if (r == 0) {
2022 fprintf(stderr, "SSL CLIENT STARTUP FAILED\n");
2023 goto err;
2024 } else {
2025 if (debug)
2026 printf("client wrote %d\n", r);
2027 cw_num -= r;
2028 }
2029 }
2030
2031 if (cr_num > 0) {
2032 /* Read from server. */
2033
2034 r = BIO_read(c_ssl_bio, cbuf, sizeof(cbuf));
2035 if (r < 0) {
2036 if (!BIO_should_retry(c_ssl_bio)) {
2037 fprintf(stderr, "ERROR in CLIENT\n");
2038 err_in_client = 1;
2039 goto err;
2040 }
2041 /*
2042 * Again, "BIO_should_retry" can be ignored.
2043 */
2044 } else if (r == 0) {
2045 fprintf(stderr, "SSL CLIENT STARTUP FAILED\n");
2046 goto err;
2047 } else {
2048 if (debug)
2049 printf("client read %d\n", r);
2050 cr_num -= r;
2051 }
2052 }
2053
2054 /*
2055 * c_time and s_time increments will typically be very small
2056 * (depending on machine speed and clock tick intervals), but
2057 * sampling over a large number of connections should result in
2058 * fairly accurate figures. We cannot guarantee a lot, however
2059 * -- if each connection lasts for exactly one clock tick, it
2060 * will be counted only for the client or only for the server or
2061 * even not at all.
2062 */
2063 *c_time += (clock() - c_clock);
2064 }
2065
2066 {
2067 /* SERVER */
2068
2069 char sbuf[1024 * 8];
2070 int i, r;
2071 clock_t s_clock = clock();
2072
2073 memset(sbuf, 0, sizeof(sbuf));
2074
2075 if (debug)
2076 if (SSL_in_init(s_ssl))
2077 printf("server waiting in SSL_accept - %s\n",
2078 SSL_state_string_long(s_ssl));
2079
2080 if (sw_num > 0) {
2081 /* Write to client. */
2082
2083 if (sw_num > (long)sizeof(sbuf))
2084 i = sizeof(sbuf);
2085 else
2086 i = (int)sw_num;
2087 r = BIO_write(s_ssl_bio, sbuf, i);
2088 if (r < 0) {
2089 if (!BIO_should_retry(s_ssl_bio)) {
2090 fprintf(stderr, "ERROR in SERVER\n");
2091 err_in_server = 1;
2092 goto err;
2093 }
2094 /* Ignore "BIO_should_retry". */
2095 } else if (r == 0) {
2096 fprintf(stderr, "SSL SERVER STARTUP FAILED\n");
2097 goto err;
2098 } else {
2099 if (debug)
2100 printf("server wrote %d\n", r);
2101 sw_num -= r;
2102 }
2103 }
2104
2105 if (sr_num > 0) {
2106 /* Read from client. */
2107
2108 r = BIO_read(s_ssl_bio, sbuf, sizeof(sbuf));
2109 if (r < 0) {
2110 if (!BIO_should_retry(s_ssl_bio)) {
2111 fprintf(stderr, "ERROR in SERVER\n");
2112 err_in_server = 1;
2113 goto err;
2114 }
2115 /* blah, blah */
2116 } else if (r == 0) {
2117 fprintf(stderr, "SSL SERVER STARTUP FAILED\n");
2118 goto err;
2119 } else {
2120 if (debug)
2121 printf("server read %d\n", r);
2122 sr_num -= r;
2123 }
2124 }
2125
2126 *s_time += (clock() - s_clock);
2127 }
2128 }
2129 while (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0);
2130
2131 if (verbose)
2132 print_details(c_ssl, "DONE via TCP connect: ");
2133 # ifndef OPENSSL_NO_NEXTPROTONEG
2134 if (verify_npn(c_ssl, s_ssl) < 0)
2135 goto end;
2136 # endif
2137 if (verify_serverinfo() < 0) {
2138 fprintf(stderr, "Server info verify error\n");
2139 goto err;
2140 }
2141 if (verify_alpn(c_ssl, s_ssl) < 0
2142 || verify_servername(c_ssl, s_ssl) < 0)
2143 goto err;
2144
2145 if (custom_ext_error) {
2146 fprintf(stderr, "Custom extension error\n");
2147 goto err;
2148 }
2149
2150 # ifndef OPENSSL_NO_NEXTPROTONEG
2151 end:
2152 # endif
2153 ret = EXIT_SUCCESS;
2154
2155 err:
2156 ERR_print_errors(bio_err);
2157
2158 BIO_free_all(acpt);
2159 BIO_free(server);
2160 BIO_free(client);
2161 BIO_free(s_ssl_bio);
2162 BIO_free(c_ssl_bio);
2163
2164 if (should_negotiate != NULL && strcmp(should_negotiate, "fail-client") == 0)
2165 ret = (err_in_client != 0) ? EXIT_SUCCESS : EXIT_FAILURE;
2166 else if (should_negotiate != NULL && strcmp(should_negotiate, "fail-server") == 0)
2167 ret = (err_in_server != 0) ? EXIT_SUCCESS : EXIT_FAILURE;
2168
2169 return ret;
2170 }
2171 #endif
2172
2173 int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count,
2174 clock_t *s_time, clock_t *c_time)
2175 {
2176 long cw_num = count, cr_num = count, sw_num = count, sr_num = count;
2177 BIO *s_ssl_bio = NULL, *c_ssl_bio = NULL;
2178 BIO *server = NULL, *server_io = NULL, *client = NULL, *client_io = NULL;
2179 int ret = EXIT_FAILURE;
2180 int err_in_client = 0;
2181 int err_in_server = 0;
2182
2183 size_t bufsiz = 256; /* small buffer for testing */
2184
2185 if (!BIO_new_bio_pair(&server, bufsiz, &server_io, bufsiz))
2186 goto err;
2187 if (!BIO_new_bio_pair(&client, bufsiz, &client_io, bufsiz))
2188 goto err;
2189
2190 s_ssl_bio = BIO_new(BIO_f_ssl());
2191 if (!s_ssl_bio)
2192 goto err;
2193
2194 c_ssl_bio = BIO_new(BIO_f_ssl());
2195 if (!c_ssl_bio)
2196 goto err;
2197
2198 SSL_set_connect_state(c_ssl);
2199 SSL_set_bio(c_ssl, client, client);
2200 (void)BIO_set_ssl(c_ssl_bio, c_ssl, BIO_NOCLOSE);
2201
2202 SSL_set_accept_state(s_ssl);
2203 SSL_set_bio(s_ssl, server, server);
2204 (void)BIO_set_ssl(s_ssl_bio, s_ssl, BIO_NOCLOSE);
2205
2206 do {
2207 /*-
2208 * c_ssl_bio: SSL filter BIO
2209 *
2210 * client: pseudo-I/O for SSL library
2211 *
2212 * client_io: client's SSL communication; usually to be
2213 * relayed over some I/O facility, but in this
2214 * test program, we're the server, too:
2215 *
2216 * server_io: server's SSL communication
2217 *
2218 * server: pseudo-I/O for SSL library
2219 *
2220 * s_ssl_bio: SSL filter BIO
2221 *
2222 * The client and the server each employ a "BIO pair":
2223 * client + client_io, server + server_io.
2224 * BIO pairs are symmetric. A BIO pair behaves similar
2225 * to a non-blocking socketpair (but both endpoints must
2226 * be handled by the same thread).
2227 * [Here we could connect client and server to the ends
2228 * of a single BIO pair, but then this code would be less
2229 * suitable as an example for BIO pairs in general.]
2230 *
2231 * Useful functions for querying the state of BIO pair endpoints:
2232 *
2233 * BIO_ctrl_pending(bio) number of bytes we can read now
2234 * BIO_ctrl_get_read_request(bio) number of bytes needed to fulfill
2235 * other side's read attempt
2236 * BIO_ctrl_get_write_guarantee(bio) number of bytes we can write now
2237 *
2238 * ..._read_request is never more than ..._write_guarantee;
2239 * it depends on the application which one you should use.
2240 */
2241
2242 /*
2243 * We have non-blocking behaviour throughout this test program, but
2244 * can be sure that there is *some* progress in each iteration; so we
2245 * don't have to worry about ..._SHOULD_READ or ..._SHOULD_WRITE --
2246 * we just try everything in each iteration
2247 */
2248
2249 {
2250 /* CLIENT */
2251
2252 char cbuf[1024 * 8];
2253 int i, r;
2254 clock_t c_clock = clock();
2255
2256 memset(cbuf, 0, sizeof(cbuf));
2257
2258 if (debug)
2259 if (SSL_in_init(c_ssl))
2260 printf("client waiting in SSL_connect - %s\n",
2261 SSL_state_string_long(c_ssl));
2262
2263 if (cw_num > 0) {
2264 /* Write to server. */
2265
2266 if (cw_num > (long)sizeof(cbuf))
2267 i = sizeof(cbuf);
2268 else
2269 i = (int)cw_num;
2270 r = BIO_write(c_ssl_bio, cbuf, i);
2271 if (r < 0) {
2272 if (!BIO_should_retry(c_ssl_bio)) {
2273 fprintf(stderr, "ERROR in CLIENT\n");
2274 err_in_client = 1;
2275 goto err;
2276 }
2277 /*
2278 * BIO_should_retry(...) can just be ignored here. The
2279 * library expects us to call BIO_write with the same
2280 * arguments again, and that's what we will do in the
2281 * next iteration.
2282 */
2283 } else if (r == 0) {
2284 fprintf(stderr, "SSL CLIENT STARTUP FAILED\n");
2285 goto err;
2286 } else {
2287 if (debug)
2288 printf("client wrote %d\n", r);
2289 cw_num -= r;
2290 }
2291 }
2292
2293 if (cr_num > 0) {
2294 /* Read from server. */
2295
2296 r = BIO_read(c_ssl_bio, cbuf, sizeof(cbuf));
2297 if (r < 0) {
2298 if (!BIO_should_retry(c_ssl_bio)) {
2299 fprintf(stderr, "ERROR in CLIENT\n");
2300 err_in_client = 1;
2301 goto err;
2302 }
2303 /*
2304 * Again, "BIO_should_retry" can be ignored.
2305 */
2306 } else if (r == 0) {
2307 fprintf(stderr, "SSL CLIENT STARTUP FAILED\n");
2308 goto err;
2309 } else {
2310 if (debug)
2311 printf("client read %d\n", r);
2312 cr_num -= r;
2313 }
2314 }
2315
2316 /*
2317 * c_time and s_time increments will typically be very small
2318 * (depending on machine speed and clock tick intervals), but
2319 * sampling over a large number of connections should result in
2320 * fairly accurate figures. We cannot guarantee a lot, however
2321 * -- if each connection lasts for exactly one clock tick, it
2322 * will be counted only for the client or only for the server or
2323 * even not at all.
2324 */
2325 *c_time += (clock() - c_clock);
2326 }
2327
2328 {
2329 /* SERVER */
2330
2331 char sbuf[1024 * 8];
2332 int i, r;
2333 clock_t s_clock = clock();
2334
2335 memset(sbuf, 0, sizeof(sbuf));
2336
2337 if (debug)
2338 if (SSL_in_init(s_ssl))
2339 printf("server waiting in SSL_accept - %s\n",
2340 SSL_state_string_long(s_ssl));
2341
2342 if (sw_num > 0) {
2343 /* Write to client. */
2344
2345 if (sw_num > (long)sizeof(sbuf))
2346 i = sizeof(sbuf);
2347 else
2348 i = (int)sw_num;
2349 r = BIO_write(s_ssl_bio, sbuf, i);
2350 if (r < 0) {
2351 if (!BIO_should_retry(s_ssl_bio)) {
2352 fprintf(stderr, "ERROR in SERVER\n");
2353 err_in_server = 1;
2354 goto err;
2355 }
2356 /* Ignore "BIO_should_retry". */
2357 } else if (r == 0) {
2358 fprintf(stderr, "SSL SERVER STARTUP FAILED\n");
2359 goto err;
2360 } else {
2361 if (debug)
2362 printf("server wrote %d\n", r);
2363 sw_num -= r;
2364 }
2365 }
2366
2367 if (sr_num > 0) {
2368 /* Read from client. */
2369
2370 r = BIO_read(s_ssl_bio, sbuf, sizeof(sbuf));
2371 if (r < 0) {
2372 if (!BIO_should_retry(s_ssl_bio)) {
2373 fprintf(stderr, "ERROR in SERVER\n");
2374 err_in_server = 1;
2375 goto err;
2376 }
2377 /* blah, blah */
2378 } else if (r == 0) {
2379 fprintf(stderr, "SSL SERVER STARTUP FAILED\n");
2380 goto err;
2381 } else {
2382 if (debug)
2383 printf("server read %d\n", r);
2384 sr_num -= r;
2385 }
2386 }
2387
2388 *s_time += (clock() - s_clock);
2389 }
2390
2391 {
2392 /* "I/O" BETWEEN CLIENT AND SERVER. */
2393
2394 size_t r1, r2;
2395 BIO *io1 = server_io, *io2 = client_io;
2396 /*
2397 * we use the non-copying interface for io1 and the standard
2398 * BIO_write/BIO_read interface for io2
2399 */
2400
2401 static int prev_progress = 1;
2402 int progress = 0;
2403
2404 /* io1 to io2 */
2405 do {
2406 size_t num;
2407 int r;
2408
2409 r1 = BIO_ctrl_pending(io1);
2410 r2 = BIO_ctrl_get_write_guarantee(io2);
2411
2412 num = r1;
2413 if (r2 < num)
2414 num = r2;
2415 if (num) {
2416 char *dataptr;
2417
2418 if (INT_MAX < num) /* yeah, right */
2419 num = INT_MAX;
2420
2421 r = BIO_nread(io1, &dataptr, (int)num);
2422 assert(r > 0);
2423 assert(r <= (int)num);
2424 /*
2425 * possibly r < num (non-contiguous data)
2426 */
2427 num = r;
2428 r = BIO_write(io2, dataptr, (int)num);
2429 if (r != (int)num) { /* can't happen */
2430 fprintf(stderr, "ERROR: BIO_write could not write "
2431 "BIO_ctrl_get_write_guarantee() bytes");
2432 goto err;
2433 }
2434 progress = 1;
2435
2436 if (debug)
2437 printf((io1 == client_io) ?
2438 "C->S relaying: %d bytes\n" :
2439 "S->C relaying: %d bytes\n", (int)num);
2440 }
2441 }
2442 while (r1 && r2);
2443
2444 /* io2 to io1 */
2445 {
2446 size_t num;
2447 int r;
2448
2449 r1 = BIO_ctrl_pending(io2);
2450 r2 = BIO_ctrl_get_read_request(io1);
2451 /*
2452 * here we could use ..._get_write_guarantee instead of
2453 * ..._get_read_request, but by using the latter we test
2454 * restartability of the SSL implementation more thoroughly
2455 */
2456 num = r1;
2457 if (r2 < num)
2458 num = r2;
2459 if (num) {
2460 char *dataptr;
2461
2462 if (INT_MAX < num)
2463 num = INT_MAX;
2464
2465 if (num > 1)
2466 --num; /* test restartability even more thoroughly */
2467
2468 r = BIO_nwrite0(io1, &dataptr);
2469 assert(r > 0);
2470 if (r < (int)num)
2471 num = r;
2472 r = BIO_read(io2, dataptr, (int)num);
2473 if (r != (int)num) { /* can't happen */
2474 fprintf(stderr, "ERROR: BIO_read could not read "
2475 "BIO_ctrl_pending() bytes");
2476 goto err;
2477 }
2478 progress = 1;
2479 r = BIO_nwrite(io1, &dataptr, (int)num);
2480 if (r != (int)num) { /* can't happen */
2481 fprintf(stderr, "ERROR: BIO_nwrite() did not accept "
2482 "BIO_nwrite0() bytes");
2483 goto err;
2484 }
2485
2486 if (debug)
2487 printf((io2 == client_io) ?
2488 "C->S relaying: %d bytes\n" :
2489 "S->C relaying: %d bytes\n", (int)num);
2490 }
2491 } /* no loop, BIO_ctrl_get_read_request now
2492 * returns 0 anyway */
2493
2494 if (!progress && !prev_progress)
2495 if (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0) {
2496 fprintf(stderr, "ERROR: got stuck\n");
2497 fprintf(stderr, " ERROR.\n");
2498 goto err;
2499 }
2500 prev_progress = progress;
2501 }
2502 }
2503 while (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0);
2504
2505 if (verbose)
2506 print_details(c_ssl, "DONE via BIO pair: ");
2507 #ifndef OPENSSL_NO_NEXTPROTONEG
2508 if (verify_npn(c_ssl, s_ssl) < 0)
2509 goto end;
2510 #endif
2511 if (verify_serverinfo() < 0) {
2512 fprintf(stderr, "Server info verify error\n");
2513 goto err;
2514 }
2515 if (verify_alpn(c_ssl, s_ssl) < 0
2516 || verify_servername(c_ssl, s_ssl) < 0)
2517 goto err;
2518
2519 if (custom_ext_error) {
2520 fprintf(stderr, "Custom extension error\n");
2521 goto err;
2522 }
2523
2524 #ifndef OPENSSL_NO_NEXTPROTONEG
2525 end:
2526 #endif
2527 ret = EXIT_SUCCESS;
2528
2529 err:
2530 ERR_print_errors(bio_err);
2531
2532 BIO_free(server);
2533 BIO_free(server_io);
2534 BIO_free(client);
2535 BIO_free(client_io);
2536 BIO_free(s_ssl_bio);
2537 BIO_free(c_ssl_bio);
2538
2539 if (should_negotiate != NULL && strcmp(should_negotiate, "fail-client") == 0)
2540 ret = (err_in_client != 0) ? EXIT_SUCCESS : EXIT_FAILURE;
2541 else if (should_negotiate != NULL && strcmp(should_negotiate, "fail-server") == 0)
2542 ret = (err_in_server != 0) ? EXIT_SUCCESS : EXIT_FAILURE;
2543
2544 return ret;
2545 }
2546
2547 #define W_READ 1
2548 #define W_WRITE 2
2549 #define C_DONE 1
2550 #define S_DONE 2
2551
2552 int doit(SSL *s_ssl, SSL *c_ssl, long count)
2553 {
2554 char *cbuf = NULL, *sbuf = NULL;
2555 long bufsiz;
2556 long cw_num = count, cr_num = count;
2557 long sw_num = count, sr_num = count;
2558 int ret = EXIT_FAILURE;
2559 BIO *c_to_s = NULL;
2560 BIO *s_to_c = NULL;
2561 BIO *c_bio = NULL;
2562 BIO *s_bio = NULL;
2563 int c_r, c_w, s_r, s_w;
2564 int i, j;
2565 int done = 0;
2566 int c_write, s_write;
2567 int do_server = 0, do_client = 0;
2568 int max_frag = 5 * 1024;
2569 int err_in_client = 0;
2570 int err_in_server = 0;
2571
2572 bufsiz = count > 40 * 1024 ? 40 * 1024 : count;
2573
2574 if ((cbuf = OPENSSL_zalloc(bufsiz)) == NULL)
2575 goto err;
2576 if ((sbuf = OPENSSL_zalloc(bufsiz)) == NULL)
2577 goto err;
2578
2579 c_to_s = BIO_new(BIO_s_mem());
2580 s_to_c = BIO_new(BIO_s_mem());
2581 if ((s_to_c == NULL) || (c_to_s == NULL)) {
2582 ERR_print_errors(bio_err);
2583 goto err;
2584 }
2585
2586 c_bio = BIO_new(BIO_f_ssl());
2587 s_bio = BIO_new(BIO_f_ssl());
2588 if ((c_bio == NULL) || (s_bio == NULL)) {
2589 ERR_print_errors(bio_err);
2590 goto err;
2591 }
2592
2593 SSL_set_connect_state(c_ssl);
2594 SSL_set_bio(c_ssl, s_to_c, c_to_s);
2595 SSL_set_max_send_fragment(c_ssl, max_frag);
2596 BIO_set_ssl(c_bio, c_ssl, BIO_NOCLOSE);
2597
2598 /*
2599 * We've just given our ref to these BIOs to c_ssl. We need another one to
2600 * give to s_ssl
2601 */
2602 if (!BIO_up_ref(c_to_s)) {
2603 /* c_to_s and s_to_c will get freed when we free c_ssl */
2604 c_to_s = NULL;
2605 s_to_c = NULL;
2606 goto err;
2607 }
2608 if (!BIO_up_ref(s_to_c)) {
2609 /* s_to_c will get freed when we free c_ssl */
2610 s_to_c = NULL;
2611 goto err;
2612 }
2613
2614 SSL_set_accept_state(s_ssl);
2615 SSL_set_bio(s_ssl, c_to_s, s_to_c);
2616
2617 /* We've used up all our refs to these now */
2618 c_to_s = NULL;
2619 s_to_c = NULL;
2620
2621 SSL_set_max_send_fragment(s_ssl, max_frag);
2622 BIO_set_ssl(s_bio, s_ssl, BIO_NOCLOSE);
2623
2624 c_r = 0;
2625 s_r = 1;
2626 c_w = 1;
2627 s_w = 0;
2628 c_write = 1, s_write = 0;
2629
2630 /* We can always do writes */
2631 for (;;) {
2632 do_server = 0;
2633 do_client = 0;
2634
2635 i = (int)BIO_pending(s_bio);
2636 if ((i && s_r) || s_w)
2637 do_server = 1;
2638
2639 i = (int)BIO_pending(c_bio);
2640 if ((i && c_r) || c_w)
2641 do_client = 1;
2642
2643 if (do_server && debug) {
2644 if (SSL_in_init(s_ssl))
2645 printf("server waiting in SSL_accept - %s\n",
2646 SSL_state_string_long(s_ssl));
2647 }
2648
2649 if (do_client && debug) {
2650 if (SSL_in_init(c_ssl))
2651 printf("client waiting in SSL_connect - %s\n",
2652 SSL_state_string_long(c_ssl));
2653 }
2654
2655 if (!do_client && !do_server) {
2656 fprintf(stdout, "ERROR IN STARTUP\n");
2657 ERR_print_errors(bio_err);
2658 goto err;
2659 }
2660 if (do_client && !(done & C_DONE)) {
2661 if (c_write) {
2662 j = (cw_num > bufsiz) ? (int)bufsiz : (int)cw_num;
2663 i = BIO_write(c_bio, cbuf, j);
2664 if (i < 0) {
2665 c_r = 0;
2666 c_w = 0;
2667 if (BIO_should_retry(c_bio)) {
2668 if (BIO_should_read(c_bio))
2669 c_r = 1;
2670 if (BIO_should_write(c_bio))
2671 c_w = 1;
2672 } else {
2673 fprintf(stderr, "ERROR in CLIENT\n");
2674 err_in_client = 1;
2675 ERR_print_errors(bio_err);
2676 goto err;
2677 }
2678 } else if (i == 0) {
2679 fprintf(stderr, "SSL CLIENT STARTUP FAILED\n");
2680 goto err;
2681 } else {
2682 if (debug)
2683 printf("client wrote %d\n", i);
2684 /* ok */
2685 s_r = 1;
2686 c_write = 0;
2687 cw_num -= i;
2688 if (max_frag > 1029)
2689 SSL_set_max_send_fragment(c_ssl, max_frag -= 5);
2690 }
2691 } else {
2692 i = BIO_read(c_bio, cbuf, bufsiz);
2693 if (i < 0) {
2694 c_r = 0;
2695 c_w = 0;
2696 if (BIO_should_retry(c_bio)) {
2697 if (BIO_should_read(c_bio))
2698 c_r = 1;
2699 if (BIO_should_write(c_bio))
2700 c_w = 1;
2701 } else {
2702 fprintf(stderr, "ERROR in CLIENT\n");
2703 err_in_client = 1;
2704 ERR_print_errors(bio_err);
2705 goto err;
2706 }
2707 } else if (i == 0) {
2708 fprintf(stderr, "SSL CLIENT STARTUP FAILED\n");
2709 goto err;
2710 } else {
2711 if (debug)
2712 printf("client read %d\n", i);
2713 cr_num -= i;
2714 if (sw_num > 0) {
2715 s_write = 1;
2716 s_w = 1;
2717 }
2718 if (cr_num <= 0) {
2719 s_write = 1;
2720 s_w = 1;
2721 done = S_DONE | C_DONE;
2722 }
2723 }
2724 }
2725 }
2726
2727 if (do_server && !(done & S_DONE)) {
2728 if (!s_write) {
2729 i = BIO_read(s_bio, sbuf, bufsiz);
2730 if (i < 0) {
2731 s_r = 0;
2732 s_w = 0;
2733 if (BIO_should_retry(s_bio)) {
2734 if (BIO_should_read(s_bio))
2735 s_r = 1;
2736 if (BIO_should_write(s_bio))
2737 s_w = 1;
2738 } else {
2739 fprintf(stderr, "ERROR in SERVER\n");
2740 err_in_server = 1;
2741 ERR_print_errors(bio_err);
2742 goto err;
2743 }
2744 } else if (i == 0) {
2745 ERR_print_errors(bio_err);
2746 fprintf(stderr,
2747 "SSL SERVER STARTUP FAILED in SSL_read\n");
2748 goto err;
2749 } else {
2750 if (debug)
2751 printf("server read %d\n", i);
2752 sr_num -= i;
2753 if (cw_num > 0) {
2754 c_write = 1;
2755 c_w = 1;
2756 }
2757 if (sr_num <= 0) {
2758 s_write = 1;
2759 s_w = 1;
2760 c_write = 0;
2761 }
2762 }
2763 } else {
2764 j = (sw_num > bufsiz) ? (int)bufsiz : (int)sw_num;
2765 i = BIO_write(s_bio, sbuf, j);
2766 if (i < 0) {
2767 s_r = 0;
2768 s_w = 0;
2769 if (BIO_should_retry(s_bio)) {
2770 if (BIO_should_read(s_bio))
2771 s_r = 1;
2772 if (BIO_should_write(s_bio))
2773 s_w = 1;
2774 } else {
2775 fprintf(stderr, "ERROR in SERVER\n");
2776 err_in_server = 1;
2777 ERR_print_errors(bio_err);
2778 goto err;
2779 }
2780 } else if (i == 0) {
2781 ERR_print_errors(bio_err);
2782 fprintf(stderr,
2783 "SSL SERVER STARTUP FAILED in SSL_write\n");
2784 goto err;
2785 } else {
2786 if (debug)
2787 printf("server wrote %d\n", i);
2788 sw_num -= i;
2789 s_write = 0;
2790 c_r = 1;
2791 if (sw_num <= 0)
2792 done |= S_DONE;
2793 if (max_frag > 1029)
2794 SSL_set_max_send_fragment(s_ssl, max_frag -= 5);
2795 }
2796 }
2797 }
2798
2799 if ((done & S_DONE) && (done & C_DONE))
2800 break;
2801 }
2802
2803 if (verbose)
2804 print_details(c_ssl, "DONE: ");
2805 #ifndef OPENSSL_NO_NEXTPROTONEG
2806 if (verify_npn(c_ssl, s_ssl) < 0)
2807 goto err;
2808 #endif
2809 if (verify_serverinfo() < 0) {
2810 fprintf(stderr, "Server info verify error\n");
2811 goto err;
2812 }
2813 if (custom_ext_error) {
2814 fprintf(stderr, "Custom extension error\n");
2815 goto err;
2816 }
2817 ret = EXIT_SUCCESS;
2818 err:
2819 BIO_free(c_to_s);
2820 BIO_free(s_to_c);
2821 BIO_free_all(c_bio);
2822 BIO_free_all(s_bio);
2823 OPENSSL_free(cbuf);
2824 OPENSSL_free(sbuf);
2825
2826 if (should_negotiate != NULL && strcmp(should_negotiate, "fail-client") == 0)
2827 ret = (err_in_client != 0) ? EXIT_SUCCESS : EXIT_FAILURE;
2828 else if (should_negotiate != NULL && strcmp(should_negotiate, "fail-server") == 0)
2829 ret = (err_in_server != 0) ? EXIT_SUCCESS : EXIT_FAILURE;
2830
2831 return ret;
2832 }
2833
2834 static int verify_callback(int ok, X509_STORE_CTX *ctx)
2835 {
2836 char *s, buf[256];
2837
2838 s = X509_NAME_oneline(X509_get_subject_name(X509_STORE_CTX_get_current_cert(ctx)),
2839 buf, sizeof(buf));
2840 if (s != NULL) {
2841 if (ok)
2842 printf("depth=%d %s\n", X509_STORE_CTX_get_error_depth(ctx), buf);
2843 else {
2844 fprintf(stderr, "depth=%d error=%d %s\n",
2845 X509_STORE_CTX_get_error_depth(ctx),
2846 X509_STORE_CTX_get_error(ctx), buf);
2847 }
2848 }
2849
2850 if (ok == 0) {
2851 int i = X509_STORE_CTX_get_error(ctx);
2852
2853 switch (i) {
2854 default:
2855 fprintf(stderr, "Error string: %s\n",
2856 X509_verify_cert_error_string(i));
2857 break;
2858 case X509_V_ERR_CERT_NOT_YET_VALID:
2859 case X509_V_ERR_CERT_HAS_EXPIRED:
2860 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
2861 ok = 1;
2862 break;
2863 }
2864 }
2865
2866 return ok;
2867 }
2868
2869 static int app_verify_callback(X509_STORE_CTX *ctx, void *arg)
2870 {
2871 int ok = 1;
2872 struct app_verify_arg *cb_arg = arg;
2873
2874 if (cb_arg->app_verify) {
2875 char *s = NULL, buf[256];
2876 X509 *c = X509_STORE_CTX_get0_cert(ctx);
2877
2878 printf("In app_verify_callback, allowing cert. ");
2879 printf("Arg is: %s\n", cb_arg->string);
2880 printf("Finished printing do we have a context? 0x%p a cert? 0x%p\n",
2881 (void *)ctx, (void *)c);
2882 if (c)
2883 s = X509_NAME_oneline(X509_get_subject_name(c), buf, 256);
2884 if (s != NULL) {
2885 printf("cert depth=%d %s\n",
2886 X509_STORE_CTX_get_error_depth(ctx), buf);
2887 }
2888 return 1;
2889 }
2890
2891 ok = X509_verify_cert(ctx);
2892
2893 return ok;
2894 }
2895
2896 #ifndef OPENSSL_NO_DH
2897 /*-
2898 * These DH parameters have been generated as follows:
2899 * $ openssl dhparam -C -noout 512
2900 * $ openssl dhparam -C -noout 1024
2901 * $ openssl dhparam -C -noout -dsaparam 1024
2902 * (The third function has been renamed to avoid name conflicts.)
2903 */
2904 static DH *get_dh512(void)
2905 {
2906 static unsigned char dh512_p[] = {
2907 0xCB, 0xC8, 0xE1, 0x86, 0xD0, 0x1F, 0x94, 0x17, 0xA6, 0x99, 0xF0,
2908 0xC6,
2909 0x1F, 0x0D, 0xAC, 0xB6, 0x25, 0x3E, 0x06, 0x39, 0xCA, 0x72, 0x04,
2910 0xB0,
2911 0x6E, 0xDA, 0xC0, 0x61, 0xE6, 0x7A, 0x77, 0x25, 0xE8, 0x3B, 0xB9,
2912 0x5F,
2913 0x9A, 0xB6, 0xB5, 0xFE, 0x99, 0x0B, 0xA1, 0x93, 0x4E, 0x35, 0x33,
2914 0xB8,
2915 0xE1, 0xF1, 0x13, 0x4F, 0x59, 0x1A, 0xD2, 0x57, 0xC0, 0x26, 0x21,
2916 0x33,
2917 0x02, 0xC5, 0xAE, 0x23,
2918 };
2919 static unsigned char dh512_g[] = {
2920 0x02,
2921 };
2922 DH *dh;
2923 BIGNUM *p, *g;
2924
2925 if ((dh = DH_new()) == NULL)
2926 return NULL;
2927 p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
2928 g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
2929 if ((p == NULL) || (g == NULL) || !DH_set0_pqg(dh, p, NULL, g)) {
2930 DH_free(dh);
2931 BN_free(p);
2932 BN_free(g);
2933 return NULL;
2934 }
2935 return dh;
2936 }
2937
2938 static DH *get_dh1024(void)
2939 {
2940 static unsigned char dh1024_p[] = {
2941 0xF8, 0x81, 0x89, 0x7D, 0x14, 0x24, 0xC5, 0xD1, 0xE6, 0xF7, 0xBF,
2942 0x3A,
2943 0xE4, 0x90, 0xF4, 0xFC, 0x73, 0xFB, 0x34, 0xB5, 0xFA, 0x4C, 0x56,
2944 0xA2,
2945 0xEA, 0xA7, 0xE9, 0xC0, 0xC0, 0xCE, 0x89, 0xE1, 0xFA, 0x63, 0x3F,
2946 0xB0,
2947 0x6B, 0x32, 0x66, 0xF1, 0xD1, 0x7B, 0xB0, 0x00, 0x8F, 0xCA, 0x87,
2948 0xC2,
2949 0xAE, 0x98, 0x89, 0x26, 0x17, 0xC2, 0x05, 0xD2, 0xEC, 0x08, 0xD0,
2950 0x8C,
2951 0xFF, 0x17, 0x52, 0x8C, 0xC5, 0x07, 0x93, 0x03, 0xB1, 0xF6, 0x2F,
2952 0xB8,
2953 0x1C, 0x52, 0x47, 0x27, 0x1B, 0xDB, 0xD1, 0x8D, 0x9D, 0x69, 0x1D,
2954 0x52,
2955 0x4B, 0x32, 0x81, 0xAA, 0x7F, 0x00, 0xC8, 0xDC, 0xE6, 0xD9, 0xCC,
2956 0xC1,
2957 0x11, 0x2D, 0x37, 0x34, 0x6C, 0xEA, 0x02, 0x97, 0x4B, 0x0E, 0xBB,
2958 0xB1,
2959 0x71, 0x33, 0x09, 0x15, 0xFD, 0xDD, 0x23, 0x87, 0x07, 0x5E, 0x89,
2960 0xAB,
2961 0x6B, 0x7C, 0x5F, 0xEC, 0xA6, 0x24, 0xDC, 0x53,
2962 };
2963 static unsigned char dh1024_g[] = {
2964 0x02,
2965 };
2966 DH *dh;
2967 BIGNUM *p, *g;
2968
2969 if ((dh = DH_new()) == NULL)
2970 return NULL;
2971 p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
2972 g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
2973 if ((p == NULL) || (g == NULL) || !DH_set0_pqg(dh, p, NULL, g)) {
2974 DH_free(dh);
2975 BN_free(p);
2976 BN_free(g);
2977 return NULL;
2978 }
2979 return dh;
2980 }
2981
2982 static DH *get_dh1024dsa(void)
2983 {
2984 static unsigned char dh1024_p[] = {
2985 0xC8, 0x00, 0xF7, 0x08, 0x07, 0x89, 0x4D, 0x90, 0x53, 0xF3, 0xD5,
2986 0x00,
2987 0x21, 0x1B, 0xF7, 0x31, 0xA6, 0xA2, 0xDA, 0x23, 0x9A, 0xC7, 0x87,
2988 0x19,
2989 0x3B, 0x47, 0xB6, 0x8C, 0x04, 0x6F, 0xFF, 0xC6, 0x9B, 0xB8, 0x65,
2990 0xD2,
2991 0xC2, 0x5F, 0x31, 0x83, 0x4A, 0xA7, 0x5F, 0x2F, 0x88, 0x38, 0xB6,
2992 0x55,
2993 0xCF, 0xD9, 0x87, 0x6D, 0x6F, 0x9F, 0xDA, 0xAC, 0xA6, 0x48, 0xAF,
2994 0xFC,
2995 0x33, 0x84, 0x37, 0x5B, 0x82, 0x4A, 0x31, 0x5D, 0xE7, 0xBD, 0x52,
2996 0x97,
2997 0xA1, 0x77, 0xBF, 0x10, 0x9E, 0x37, 0xEA, 0x64, 0xFA, 0xCA, 0x28,
2998 0x8D,
2999 0x9D, 0x3B, 0xD2, 0x6E, 0x09, 0x5C, 0x68, 0xC7, 0x45, 0x90, 0xFD,
3000 0xBB,
3001 0x70, 0xC9, 0x3A, 0xBB, 0xDF, 0xD4, 0x21, 0x0F, 0xC4, 0x6A, 0x3C,
3002 0xF6,
3003 0x61, 0xCF, 0x3F, 0xD6, 0x13, 0xF1, 0x5F, 0xBC, 0xCF, 0xBC, 0x26,
3004 0x9E,
3005 0xBC, 0x0B, 0xBD, 0xAB, 0x5D, 0xC9, 0x54, 0x39,
3006 };
3007 static unsigned char dh1024_g[] = {
3008 0x3B, 0x40, 0x86, 0xE7, 0xF3, 0x6C, 0xDE, 0x67, 0x1C, 0xCC, 0x80,
3009 0x05,
3010 0x5A, 0xDF, 0xFE, 0xBD, 0x20, 0x27, 0x74, 0x6C, 0x24, 0xC9, 0x03,
3011 0xF3,
3012 0xE1, 0x8D, 0xC3, 0x7D, 0x98, 0x27, 0x40, 0x08, 0xB8, 0x8C, 0x6A,
3013 0xE9,
3014 0xBB, 0x1A, 0x3A, 0xD6, 0x86, 0x83, 0x5E, 0x72, 0x41, 0xCE, 0x85,
3015 0x3C,
3016 0xD2, 0xB3, 0xFC, 0x13, 0xCE, 0x37, 0x81, 0x9E, 0x4C, 0x1C, 0x7B,
3017 0x65,
3018 0xD3, 0xE6, 0xA6, 0x00, 0xF5, 0x5A, 0x95, 0x43, 0x5E, 0x81, 0xCF,
3019 0x60,
3020 0xA2, 0x23, 0xFC, 0x36, 0xA7, 0x5D, 0x7A, 0x4C, 0x06, 0x91, 0x6E,
3021 0xF6,
3022 0x57, 0xEE, 0x36, 0xCB, 0x06, 0xEA, 0xF5, 0x3D, 0x95, 0x49, 0xCB,
3023 0xA7,
3024 0xDD, 0x81, 0xDF, 0x80, 0x09, 0x4A, 0x97, 0x4D, 0xA8, 0x22, 0x72,
3025 0xA1,
3026 0x7F, 0xC4, 0x70, 0x56, 0x70, 0xE8, 0x20, 0x10, 0x18, 0x8F, 0x2E,
3027 0x60,
3028 0x07, 0xE7, 0x68, 0x1A, 0x82, 0x5D, 0x32, 0xA2,
3029 };
3030 DH *dh;
3031 BIGNUM *p, *g;
3032
3033 if ((dh = DH_new()) == NULL)
3034 return NULL;
3035 p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
3036 g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
3037 if ((p == NULL) || (g == NULL) || !DH_set0_pqg(dh, p, NULL, g)) {
3038 DH_free(dh);
3039 BN_free(p);
3040 BN_free(g);
3041 return NULL;
3042 }
3043 DH_set_length(dh, 160);
3044 return dh;
3045 }
3046 #endif
3047
3048 #ifndef OPENSSL_NO_PSK
3049 /* convert the PSK key (psk_key) in ascii to binary (psk) */
3050 static int psk_key2bn(const char *pskkey, unsigned char *psk,
3051 unsigned int max_psk_len)
3052 {
3053 int ret;
3054 BIGNUM *bn = NULL;
3055
3056 ret = BN_hex2bn(&bn, pskkey);
3057 if (!ret) {
3058 BIO_printf(bio_err, "Could not convert PSK key '%s' to BIGNUM\n",
3059 pskkey);
3060 BN_free(bn);
3061 return 0;
3062 }
3063 if (BN_num_bytes(bn) > (int)max_psk_len) {
3064 BIO_printf(bio_err,
3065 "psk buffer of callback is too small (%d) for key (%d)\n",
3066 max_psk_len, BN_num_bytes(bn));
3067 BN_free(bn);
3068 return 0;
3069 }
3070 ret = BN_bn2bin(bn, psk);
3071 BN_free(bn);
3072 return ret;
3073 }
3074
3075 static unsigned int psk_client_callback(SSL *ssl, const char *hint,
3076 char *identity,
3077 unsigned int max_identity_len,
3078 unsigned char *psk,
3079 unsigned int max_psk_len)
3080 {
3081 int ret;
3082 unsigned int psk_len = 0;
3083
3084 ret = BIO_snprintf(identity, max_identity_len, "Client_identity");
3085 if (ret < 0)
3086 goto out_err;
3087 if (debug)
3088 fprintf(stderr, "client: created identity '%s' len=%d\n", identity,
3089 ret);
3090 ret = psk_key2bn(psk_key, psk, max_psk_len);
3091 if (ret < 0)
3092 goto out_err;
3093 psk_len = ret;
3094 out_err:
3095 return psk_len;
3096 }
3097
3098 static unsigned int psk_server_callback(SSL *ssl, const char *identity,
3099 unsigned char *psk,
3100 unsigned int max_psk_len)
3101 {
3102 unsigned int psk_len = 0;
3103
3104 if (strcmp(identity, "Client_identity") != 0) {
3105 BIO_printf(bio_err, "server: PSK error: client identity not found\n");
3106 return 0;
3107 }
3108 psk_len = psk_key2bn(psk_key, psk, max_psk_len);
3109 return psk_len;
3110 }
3111 #endif
A mirror of the official openssl repository