1 1.1 christos /* 2 1.1 christos * Copyright 1995-2022 The OpenSSL Project Authors. All Rights Reserved. 3 1.1 christos * Copyright (c) 2002, Oracle and/or its affiliates. All rights reserved 4 1.1 christos * Copyright 2005 Nokia. All rights reserved. 5 1.1 christos * 6 1.1 christos * Licensed under the OpenSSL license (the "License"). You may not use 7 1.1 christos * this file except in compliance with the License. You can obtain a copy 8 1.1 christos * in the file LICENSE in the source distribution or at 9 1.1 christos * https://www.openssl.org/source/license.html 10 1.1 christos */ 11 1.1 christos 12 1.1 christos #include "e_os.h" 13 1.1 christos 14 1.1 christos /* Or gethostname won't be declared properly on Linux and GNU platforms. */ 15 1.1 christos #ifndef _BSD_SOURCE 16 1.1 christos # define _BSD_SOURCE 1 17 1.1 christos #endif 18 1.1 christos #ifndef _DEFAULT_SOURCE 19 1.1 christos # define _DEFAULT_SOURCE 1 20 1.1 christos #endif 21 1.1 christos 22 1.1 christos #include <assert.h> 23 1.1 christos #include <errno.h> 24 1.1 christos #include <limits.h> 25 1.1 christos #include <stdio.h> 26 1.1 christos #include <stdlib.h> 27 1.1 christos #include <string.h> 28 1.1 christos #include <time.h> 29 1.1 christos 30 1.1 christos #include "internal/nelem.h" 31 1.1 christos 32 1.1 christos #ifdef OPENSSL_SYS_VMS 33 1.1 christos /* 34 1.1 christos * Or isascii won't be declared properly on VMS (at least with DECompHP C). 
35 1.1 christos */ 36 1.1 christos # define _XOPEN_SOURCE 500 37 1.1 christos #endif 38 1.1 christos 39 1.1 christos #include <ctype.h> 40 1.1 christos 41 1.1 christos #include <openssl/bio.h> 42 1.1 christos #include <openssl/crypto.h> 43 1.1 christos #include <openssl/evp.h> 44 1.1 christos #include <openssl/x509.h> 45 1.1 christos #include <openssl/x509v3.h> 46 1.1 christos #include <openssl/ssl.h> 47 1.1 christos #include <openssl/err.h> 48 1.1 christos #include <openssl/rand.h> 49 1.1 christos #ifndef OPENSSL_NO_RSA 50 1.1 christos # include <openssl/rsa.h> 51 1.1 christos #endif 52 1.1 christos #ifndef OPENSSL_NO_DSA 53 1.1 christos # include <openssl/dsa.h> 54 1.1 christos #endif 55 1.1 christos #ifndef OPENSSL_NO_DH 56 1.1 christos # include <openssl/dh.h> 57 1.1 christos #endif 58 1.1 christos #include <openssl/bn.h> 59 1.1 christos #ifndef OPENSSL_NO_CT 60 1.1 christos # include <openssl/ct.h> 61 1.1 christos #endif 62 1.1 christos 63 1.1 christos /* 64 1.1 christos * Or gethostname won't be declared properly 65 1.1 christos * on Compaq platforms (at least with DEC C). 66 1.1 christos * Do not try to put it earlier, or IPv6 includes 67 1.1 christos * get screwed... 
68 1.1 christos */ 69 1.1 christos #define _XOPEN_SOURCE_EXTENDED 1 70 1.1 christos 71 1.1 christos #ifdef OPENSSL_SYS_WINDOWS 72 1.1 christos # include <winsock.h> 73 1.1 christos #else 74 1.1 christos # include OPENSSL_UNISTD 75 1.1 christos #endif 76 1.1 christos 77 1.1 christos static SSL_CTX *s_ctx = NULL; 78 1.1 christos static SSL_CTX *s_ctx2 = NULL; 79 1.1 christos 80 1.1 christos /* 81 1.1 christos * There is really no standard for this, so let's assign something 82 1.1 christos * only for this test 83 1.1 christos */ 84 1.1 christos #define COMP_ZLIB 1 85 1.1 christos 86 1.1 christos static int verify_callback(int ok, X509_STORE_CTX *ctx); 87 1.1 christos static int app_verify_callback(X509_STORE_CTX *ctx, void *arg); 88 1.1 christos #define APP_CALLBACK_STRING "Test Callback Argument" 89 1.1 christos struct app_verify_arg { 90 1.1 christos char *string; 91 1.1 christos int app_verify; 92 1.1 christos }; 93 1.1 christos 94 1.1 christos #ifndef OPENSSL_NO_DH 95 1.1 christos static DH *get_dh512(void); 96 1.1 christos static DH *get_dh1024(void); 97 1.1 christos static DH *get_dh1024dsa(void); 98 1.1 christos static DH *get_dh2048(void); 99 1.1 christos static DH *get_dh4096(void); 100 1.1 christos #endif 101 1.1 christos 102 1.1 christos static char *psk_key = NULL; /* by default PSK is not used */ 103 1.1 christos #ifndef OPENSSL_NO_PSK 104 1.1 christos static unsigned int psk_client_callback(SSL *ssl, const char *hint, 105 1.1 christos char *identity, 106 1.1 christos unsigned int max_identity_len, 107 1.1 christos unsigned char *psk, 108 1.1 christos unsigned int max_psk_len); 109 1.1 christos static unsigned int psk_server_callback(SSL *ssl, const char *identity, 110 1.1 christos unsigned char *psk, 111 1.1 christos unsigned int max_psk_len); 112 1.1 christos #endif 113 1.1 christos 114 1.1 christos static BIO *bio_err = NULL; 115 1.1 christos static BIO *bio_stdout = NULL; 116 1.1 christos 117 1.1 christos #ifndef OPENSSL_NO_NEXTPROTONEG 118 1.1 
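/*
 * Note that this code assumes that this is only a one element list: the
 * length prefix (0x09) is followed by exactly one protocol name.
 */
static const char NEXT_PROTO_STRING[] = "\x09testproto";
static int npn_client = 0;         /* client offers NPN (-npn_client) */
static int npn_server = 0;         /* server advertises NPN (-npn_server) */
static int npn_server_reject = 0;  /* server answers NOACK (-npn_server_reject) */

/*
 * Client-side NPN selection callback.
 *
 * Ignores the server's advertised list (in/inlen) and always selects
 * "testproto". NPN expects a bare protocol name here, not a length-prefixed
 * list, so the first byte of NEXT_PROTO_STRING is skipped and the NUL
 * terminator is not counted.
 */
static int cb_client_npn(SSL *s, unsigned char **out, unsigned char *outlen,
                         const unsigned char *in, unsigned int inlen,
                         void *arg)
{
    *out = (unsigned char *)NEXT_PROTO_STRING + 1;
    *outlen = sizeof(NEXT_PROTO_STRING) - 2;
    return SSL_TLSEXT_ERR_OK;
}

/*
 * Server-side NPN advertisement callback: hands back the whole
 * length-prefixed list (without the NUL terminator).
 */
static int cb_server_npn(SSL *s, const unsigned char **data,
                         unsigned int *len, void *arg)
{
    *data = (const unsigned char *)NEXT_PROTO_STRING;
    *len = sizeof(NEXT_PROTO_STRING) - 1;
    return SSL_TLSEXT_ERR_OK;
}

/* Server-side NPN callback that declines to advertise anything. */
static int cb_server_rejects_npn(SSL *s, const unsigned char **data,
                                 unsigned int *len, void *arg)
{
    return SSL_TLSEXT_ERR_NOACK;
}

/*
 * Check the NPN outcome of a finished handshake against the npn_* flags.
 *
 * Prints whatever each side negotiated, then returns 0 if the result is
 * consistent with the configuration and -1 otherwise:
 *  - anything negotiated must be exactly "testproto";
 *  - a side that was not configured for NPN must not have negotiated;
 *  - a rejecting server must not have negotiated;
 *  - if both sides were configured, both must have negotiated.
 */
static int verify_npn(SSL *client, SSL *server)
{
    const unsigned char *client_s;
    unsigned client_len;
    const unsigned char *server_s;
    unsigned server_len;

    SSL_get0_next_proto_negotiated(client, &client_s, &client_len);
    SSL_get0_next_proto_negotiated(server, &server_s, &server_len);

    if (client_len) {
        BIO_printf(bio_stdout, "Client NPN: ");
        BIO_write(bio_stdout, client_s, client_len);
        BIO_printf(bio_stdout, "\n");
    }

    if (server_len) {
        BIO_printf(bio_stdout, "Server NPN: ");
        BIO_write(bio_stdout, server_s, server_len);
        BIO_printf(bio_stdout, "\n");
    }

    /*
     * If an NPN string was returned, it must be the protocol that we
     * expected to negotiate. The length check comes first so memcmp never
     * reads beyond the expected string.
     */
    if (client_len && (client_len != sizeof(NEXT_PROTO_STRING) - 2 ||
                       memcmp(client_s, NEXT_PROTO_STRING + 1, client_len)))
        return -1;
    if (server_len && (server_len != sizeof(NEXT_PROTO_STRING) - 2 ||
                       memcmp(server_s, NEXT_PROTO_STRING + 1, server_len)))
        return -1;

    if (!npn_client && client_len)
        return -1;
    if (!npn_server && server_len)
        return -1;
    if (npn_server_reject && server_len)
        return -1;
    if (npn_client && npn_server && (!client_len || !server_len))
        return -1;

    return 0;
}
#endif /* !OPENSSL_NO_NEXTPROTONEG */

/*
 * ALPN / protocol-version / SNI / session configuration. These are filled
 * in from the command line (see the option list in sv_usage()) and read by
 * the callbacks and verify_*() helpers below.
 */
static const char *alpn_client;      /* -alpn_client: client's offered list */
static char *alpn_server;            /* -alpn_server: context 1's list */
static char *alpn_server2;           /* -alpn_server2: context 2's list */
static const char *alpn_expected;    /* -alpn_expected: protocol that must win */
static unsigned char *alpn_selected; /* copy made in cb_server_alpn, freed in verify_alpn */
static const char *server_min_proto;
static const char *server_max_proto;
static const char *client_min_proto;
static const char *client_max_proto;
static const char *should_negotiate;
static const char *sn_client;        /* -sn_client: SNI name the client sends */
static const char *sn_server1;       /* -sn_server1: name context 1 answers to */
static const char *sn_server2;       /* -sn_server2: name context 2 answers to */
static int sn_expect = 0;            /* -sn_expect1 / -sn_expect2: 1 or 2, 0 = don't check */
static const char *server_sess_out;
static const char *server_sess_in;
static const char *client_sess_out;
static const char *client_sess_in;
static SSL_SESSION *server_sess;
static SSL_SESSION *client_sess;

/*
 * SNI callback installed on the server side.
 *
 * With no second server name configured there is nothing to switch to, so
 * the extension is simply not acknowledged. Otherwise, if the client's
 * host_name matches sn_server2 (case-insensitively; SNI names are ASCII
 * host names), the connection is moved to s_ctx2. Any other name, or no
 * SNI at all, leaves the connection on the context it started with.
 * *ad is never set: this callback only ever returns OK or NOACK.
 */
static int servername_cb(SSL *s, int *ad, void *arg)
{
    const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);

    if (sn_server2 == NULL) {
        BIO_printf(bio_stdout, "Servername 2 is NULL\n");
        return SSL_TLSEXT_ERR_NOACK;
    }

    if (servername != NULL && s_ctx2 != NULL
        && !strcasecmp(servername, sn_server2)) {
        BIO_printf(bio_stdout, "Switching server context.\n");
        SSL_set_SSL_CTX(s, s_ctx2);
    }
    return SSL_TLSEXT_ERR_OK;
}

/*
 * Check which SSL_CTX the server connection ended up on.
 *
 * Returns 0 when sn_expect is 0 (nothing to check) or the server's context
 * is the one sn_expect names (1 = s_ctx, 2 = s_ctx2); otherwise prints the
 * expectation and the actual context and returns -1. The client handle is
 * unused.
 */
static int verify_servername(SSL *client, SSL *server)
{
    /* just need to see if sn_context is what we expect */
    SSL_CTX *ctx = SSL_get_SSL_CTX(server);

    if (sn_expect == 0)
        return 0;
    if (sn_expect == 1 && ctx == s_ctx)
        return 0;
    if (sn_expect == 2 && ctx == s_ctx2)
        return 0;
    BIO_printf(bio_stdout, "Servername: expected context %d\n", sn_expect);
    if (ctx == s_ctx2)
        BIO_printf(bio_stdout, "Servername: context is 2\n");
    else if (ctx == s_ctx)
        BIO_printf(bio_stdout, "Servername: context is 1\n");
    else
        BIO_printf(bio_stdout, "Servername: context is unknown\n");
    return -1;
}


/*-
 * next_protos_parse parses a comma separated list of strings into a string
 * in a format suitable for passing to SSL_CTX_set_next_protos_advertised
 * (each element as a length byte followed by its bytes).
 * outlen: (output) set to the length of the resulting buffer on success.
 * in: a NUL terminated string like "abc,def,ghi"
 *
 * Empty elements (a leading, trailing or doubled comma) are skipped rather
 * than encoded as a zero-length entry: zero-length ALPN/NPN protocol names
 * are invalid on the wire (RFC 7301 section 3.1). An element longer than
 * 255 bytes, an input of 65535 bytes or more, or an input with no non-empty
 * element at all, is rejected.
 *
 * returns: a malloced buffer (free with OPENSSL_free) or NULL on failure.
 */
static unsigned char *next_protos_parse(size_t *outlen,
                                        const char *in)
{
    size_t len;
    unsigned char *out;
    size_t i, start = 0;
    size_t skipped = 0;

    len = strlen(in);
    if (len >= 65535)
        return NULL;

    /* One length byte per element replaces one comma, plus one for the first. */
    out = OPENSSL_malloc(len + 1);
    if (out == NULL)
        return NULL;

    for (i = 0; i <= len; ++i) {
        if (i == len || in[i] == ',') {
            /*
             * Every comma skipped puts the input one byte ahead of the
             * output, so all stores below are shifted back by 'skipped'.
             */
            if (i == start) {
                ++start;
                ++skipped;
                continue;
            }
            if (i - start > 255) {
                OPENSSL_free(out);
                return NULL;
            }
            out[start - skipped] = (unsigned char)(i - start);
            start = i + 1;
        } else {
            out[i + 1 - skipped] = in[i];
        }
    }

    /* Nothing but separators (or an empty string): no protocol to offer. */
    if (len <= skipped) {
        OPENSSL_free(out);
        return NULL;
    }

    *outlen = len + 1 - skipped;
    return out;
}

/*
 * Server-side ALPN selection callback; arg is the server's comma separated
 * protocol string (alpn_server or alpn_server2, depending on the context).
 *
 * A malformed server string is a test configuration error and aborts. If
 * none of the client's protocols (in/inlen) overlaps with the server list,
 * the extension is not acknowledged. On a match the selected name is copied
 * into alpn_selected, because *out points into the parsed buffer which is
 * freed before returning; verify_alpn() frees the copy after the handshake.
 */
static int cb_server_alpn(SSL *s, const unsigned char **out,
                          unsigned char *outlen, const unsigned char *in,
                          unsigned int inlen, void *arg)
{
    unsigned char *protos;
    size_t protos_len;
    char *alpn_str = arg;

    protos = next_protos_parse(&protos_len, alpn_str);
    if (protos == NULL) {
        fprintf(stderr, "failed to parser ALPN server protocol string: %s\n",
                alpn_str);
        abort();
    }

    /* *out is only meaningful (and only used) when a protocol was negotiated. */
    if (SSL_select_next_proto
        ((unsigned char **)out, outlen, protos, protos_len, in,
         inlen) != OPENSSL_NPN_NEGOTIATED) {
        OPENSSL_free(protos);
        return SSL_TLSEXT_ERR_NOACK;
    }

    /*
     * Drop any copy left over from an earlier invocation (e.g. a previous
     * connection that never reached verify_alpn) so it is not leaked, then
     * take a fresh copy of the selected protocol.
     */
    OPENSSL_free(alpn_selected);
    alpn_selected = OPENSSL_memdup(*out, *outlen);
    OPENSSL_free(protos);
    if (alpn_selected == NULL)
        return SSL_TLSEXT_ERR_ALERT_FATAL;
    *out = alpn_selected;

    return SSL_TLSEXT_ERR_OK;
}

/*
 * Check the ALPN outcome of a finished handshake.
 *
 * Both sides must report the same selected protocol (same length and same
 * bytes), nothing may be selected unless alpn_expected is set, and when it
 * is set the selection must equal it exactly. Returns 0 on success; on any
 * mismatch prints what was selected and what each side was configured with
 * and returns -1. Also releases the copy made by cb_server_alpn().
 */
static int verify_alpn(SSL *client, SSL *server)
{
    const unsigned char *client_proto, *server_proto;
    unsigned int client_proto_len = 0, server_proto_len = 0;

    SSL_get0_alpn_selected(client, &client_proto, &client_proto_len);
    SSL_get0_alpn_selected(server, &server_proto, &server_proto_len);

    OPENSSL_free(alpn_selected);
    alpn_selected = NULL;

    if (client_proto_len != server_proto_len) {
        BIO_printf(bio_stdout, "ALPN selected protocols differ!\n");
        goto err;
    }

    /* Lengths are equal here, so the memcmp stays within both buffers. */
    if (client_proto != NULL &&
        memcmp(client_proto, server_proto, client_proto_len) != 0) {
        BIO_printf(bio_stdout, "ALPN selected protocols differ!\n");
        goto err;
    }

    if (client_proto_len > 0 && alpn_expected == NULL) {
        BIO_printf(bio_stdout, "ALPN unexpectedly negotiated\n");
        goto err;
    }

    if (alpn_expected != NULL &&
        (client_proto_len != strlen(alpn_expected) ||
         memcmp(client_proto, alpn_expected, client_proto_len) != 0)) {
        BIO_printf(bio_stdout,
                   "ALPN selected protocols not equal to expected protocol: %s\n",
                   alpn_expected);
        goto err;
    }

    return 0;

 err:
    BIO_printf(bio_stdout, "ALPN results: client: '");
    BIO_write(bio_stdout, client_proto, client_proto_len);
    BIO_printf(bio_stdout, "', server: '");
    BIO_write(bio_stdout, server_proto, server_proto_len);
    BIO_printf(bio_stdout, "'\n");
    BIO_printf(bio_stdout, "ALPN configured: client: '%s', server: '",
               alpn_client);
    /* Report the list of whichever server context actually handled the handshake. */
    if (SSL_get_SSL_CTX(server) == s_ctx2) {
        BIO_printf(bio_stdout, "%s'\n",
                   alpn_server2);
    } else {
        BIO_printf(bio_stdout, "%s'\n",
                   alpn_server);
    }
    return -1;
}

/*
 * WARNING : below extension types are *NOT* IETF assigned, and could
 * conflict if these types are reassigned and handled specially by OpenSSL
 * in the future
 */
#define TACK_EXT_TYPE 62208
#define CUSTOM_EXT_TYPE_0 1000
#define CUSTOM_EXT_TYPE_1 1001
#define CUSTOM_EXT_TYPE_2 1002
#define CUSTOM_EXT_TYPE_3 1003

/* Payloads exchanged by the custom extension test cases below. */
static const char custom_ext_cli_string[] = "abc";
static const char custom_ext_srv_string[] = "defg";

/* These set from cmdline */
static char *serverinfo_file = NULL;
static int serverinfo_sct = 0;   /* -serverinfo_sct: expect one SCT extension */
static int serverinfo_tack = 0;  /* -serverinfo_tack: expect one TACK extension */

/* These set based on extension callbacks */
static int serverinfo_sct_seen = 0;
static int serverinfo_tack_seen = 0;
static int serverinfo_other_seen = 0;

/* This set from cmdline */
static int custom_ext = 0;

/* This set based on extension callbacks: sticky error flag, 1 = a check failed */
static int custom_ext_error = 0;

/*
 * Client-side parse callback for serverinfo extensions: counts which
 * extension types the server sent back. The payload itself is not checked.
 */
static int serverinfo_cli_parse_cb(SSL *s, unsigned int ext_type,
                                   const unsigned char *in, size_t inlen,
                                   int *al, void *arg)
{
    if (ext_type == TLSEXT_TYPE_signed_certificate_timestamp)
        serverinfo_sct_seen++;
    else if (ext_type == TACK_EXT_TYPE)
        serverinfo_tack_seen++;
    else
        serverinfo_other_seen++;
    return 1;
}

/*
 * Compare the serverinfo extensions seen with those requested: exactly as
 * many SCT and TACK extensions as configured, and nothing else. Returns 0
 * on match, -1 otherwise.
 */
static int verify_serverinfo(void)
{
    if (serverinfo_sct != serverinfo_sct_seen)
        return -1;
    if (serverinfo_tack != serverinfo_tack_seen)
        return -1;
    if (serverinfo_other_seen)
        return -1;
    return 0;
}

/*-
 * Four test cases for custom extensions:
 * 0 - no ClientHello extension or ServerHello response
 * 1 - ClientHello with "abc", no response
 * 2 - ClientHello with "abc", empty response
 * 3 - ClientHello with "abc", "defg" response
 *
 * Each callback records a wrong extension type or payload by setting
 * custom_ext_error; none of them ever fails the handshake itself.
 */

/* Case 0, client add: never sends the extension. */
static int custom_ext_0_cli_add_cb(SSL *s, unsigned int ext_type,
                                   const unsigned char **out,
                                   size_t *outlen, int *al, void *arg)
{
    if (ext_type != CUSTOM_EXT_TYPE_0)
        custom_ext_error = 1;
    return 0;                   /* Don't send an extension */
}

/* Case 0, client parse: nothing was sent, so there is nothing to check. */
static int custom_ext_0_cli_parse_cb(SSL *s, unsigned int ext_type,
                                     const unsigned char *in,
                                     size_t inlen, int *al, void *arg)
{
    return 1;
}

/* Case 1, client add: sends "abc" (no NUL). */
static int custom_ext_1_cli_add_cb(SSL *s, unsigned int ext_type,
                                   const unsigned char **out,
                                   size_t *outlen, int *al, void *arg)
{
    if (ext_type != CUSTOM_EXT_TYPE_1)
        custom_ext_error = 1;
    *out = (const unsigned char *)custom_ext_cli_string;
    *outlen = strlen(custom_ext_cli_string);
    return 1;                   /* Send "abc" */
}

/* Case 1, client parse: the server sends no response, so nothing to check. */
static int custom_ext_1_cli_parse_cb(SSL *s, unsigned int ext_type,
                                     const unsigned char *in,
                                     size_t inlen, int *al, void *arg)
{
    return 1;
}

/* Case 2, client add: sends "abc" (no NUL). */
static int custom_ext_2_cli_add_cb(SSL *s, unsigned int ext_type,
                                   const unsigned char **out,
                                   size_t *outlen, int *al, void *arg)
{
    if (ext_type != CUSTOM_EXT_TYPE_2)
        custom_ext_error = 1;
    *out = (const unsigned char *)custom_ext_cli_string;
    *outlen = strlen(custom_ext_cli_string);
    return 1;                   /* Send "abc" */
}
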
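/* Case 2, client parse: the server's response must be present but empty. */
static int custom_ext_2_cli_parse_cb(SSL *s, unsigned int ext_type,
                                     const unsigned char *in,
                                     size_t inlen, int *al, void *arg)
{
    if (ext_type != CUSTOM_EXT_TYPE_2)
        custom_ext_error = 1;
    if (inlen != 0)
        custom_ext_error = 1; /* Should be empty response */
    return 1;
}

/* Case 3, client add: sends "abc" (no NUL). */
static int custom_ext_3_cli_add_cb(SSL *s, unsigned int ext_type,
                                   const unsigned char **out,
                                   size_t *outlen, int *al, void *arg)
{
    if (ext_type != CUSTOM_EXT_TYPE_3)
        custom_ext_error = 1;
    *out = (const unsigned char *)custom_ext_cli_string;
    *outlen = strlen(custom_ext_cli_string);
    return 1;                   /* Send "abc" */
}

/*
 * Case 3, client parse: the server's response must be exactly "defg".
 *
 * inlen is whatever the peer put on the wire, so the byte comparison is
 * only made once the length is known to match; comparing inlen bytes
 * against the 4-byte expected string would otherwise read past its end
 * for any longer response.
 */
static int custom_ext_3_cli_parse_cb(SSL *s, unsigned int ext_type,
                                     const unsigned char *in,
                                     size_t inlen, int *al, void *arg)
{
    if (ext_type != CUSTOM_EXT_TYPE_3)
        custom_ext_error = 1;
    /* Check for "defg" */
    if (inlen != strlen(custom_ext_srv_string)
        || memcmp(custom_ext_srv_string, in, inlen) != 0)
        custom_ext_error = 1;
    return 1;
}

/*
 * custom_ext_0_cli_add_cb returns 0 - the server won't receive a callback
 * for this extension, so being called at all is an error.
 */
static int custom_ext_0_srv_parse_cb(SSL *s, unsigned int ext_type,
                                     const unsigned char *in,
                                     size_t inlen, int *al, void *arg)
{
    custom_ext_error = 1;
    return 1;
}
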
539 1.1 christos /* 'add' callbacks are only called if the 'parse' callback is called */ 540 1.1 christos static int custom_ext_0_srv_add_cb(SSL *s, unsigned int ext_type, 541 1.1 christos const unsigned char **out, 542 1.1 christos size_t *outlen, int *al, void *arg) 543 1.1 christos { 544 1.1 christos /* Error: should not have been called */ 545 1.1 christos custom_ext_error = 1; 546 1.1 christos return 0; /* Don't send an extension */ 547 1.1 christos } 548 1.1 christos 549 1.1 christos static int custom_ext_1_srv_parse_cb(SSL *s, unsigned int ext_type, 550 1.1 christos const unsigned char *in, 551 1.1 christos size_t inlen, int *al, void *arg) 552 1.1 christos { 553 1.1 christos if (ext_type != CUSTOM_EXT_TYPE_1) 554 1.1 christos custom_ext_error = 1; 555 1.1 christos /* Check for "abc" */ 556 1.1 christos if (inlen != strlen(custom_ext_cli_string)) 557 1.1 christos custom_ext_error = 1; 558 1.1 christos if (memcmp(in, custom_ext_cli_string, inlen) != 0) 559 1.1 christos custom_ext_error = 1; 560 1.1 christos return 1; 561 1.1 christos } 562 1.1 christos 563 1.1 christos static int custom_ext_1_srv_add_cb(SSL *s, unsigned int ext_type, 564 1.1 christos const unsigned char **out, 565 1.1 christos size_t *outlen, int *al, void *arg) 566 1.1 christos { 567 1.1 christos return 0; /* Don't send an extension */ 568 1.1 christos } 569 1.1 christos 570 1.1 christos static int custom_ext_2_srv_parse_cb(SSL *s, unsigned int ext_type, 571 1.1 christos const unsigned char *in, 572 1.1 christos size_t inlen, int *al, void *arg) 573 1.1 christos { 574 1.1 christos if (ext_type != CUSTOM_EXT_TYPE_2) 575 1.1 christos custom_ext_error = 1; 576 1.1 christos /* Check for "abc" */ 577 1.1 christos if (inlen != strlen(custom_ext_cli_string)) 578 1.1 christos custom_ext_error = 1; 579 1.1 christos if (memcmp(in, custom_ext_cli_string, inlen) != 0) 580 1.1 christos custom_ext_error = 1; 581 1.1 christos return 1; 582 1.1 christos } 583 1.1 christos 584 1.1 christos static int 
custom_ext_2_srv_add_cb(SSL *s, unsigned int ext_type, 585 1.1 christos const unsigned char **out, 586 1.1 christos size_t *outlen, int *al, void *arg) 587 1.1 christos { 588 1.1 christos *out = NULL; 589 1.1 christos *outlen = 0; 590 1.1 christos return 1; /* Send empty extension */ 591 1.1 christos } 592 1.1 christos 593 1.1 christos static int custom_ext_3_srv_parse_cb(SSL *s, unsigned int ext_type, 594 1.1 christos const unsigned char *in, 595 1.1 christos size_t inlen, int *al, void *arg) 596 1.1 christos { 597 1.1 christos if (ext_type != CUSTOM_EXT_TYPE_3) 598 1.1 christos custom_ext_error = 1; 599 1.1 christos /* Check for "abc" */ 600 1.1 christos if (inlen != strlen(custom_ext_cli_string)) 601 1.1 christos custom_ext_error = 1; 602 1.1 christos if (memcmp(in, custom_ext_cli_string, inlen) != 0) 603 1.1 christos custom_ext_error = 1; 604 1.1 christos return 1; 605 1.1 christos } 606 1.1 christos 607 1.1 christos static int custom_ext_3_srv_add_cb(SSL *s, unsigned int ext_type, 608 1.1 christos const unsigned char **out, 609 1.1 christos size_t *outlen, int *al, void *arg) 610 1.1 christos { 611 1.1 christos *out = (const unsigned char *)custom_ext_srv_string; 612 1.1 christos *outlen = strlen(custom_ext_srv_string); 613 1.1 christos return 1; /* Send "defg" */ 614 1.1 christos } 615 1.1 christos 616 1.1 christos static char *cipher = NULL; 617 1.1 christos static char *ciphersuites = NULL; 618 1.1 christos static int verbose = 0; 619 1.1 christos static int debug = 0; 620 1.1 christos 621 1.1 christos int doit_localhost(SSL *s_ssl, SSL *c_ssl, int family, 622 1.1 christos long bytes, clock_t *s_time, clock_t *c_time); 623 1.1 christos int doit_biopair(SSL *s_ssl, SSL *c_ssl, long bytes, clock_t *s_time, 624 1.1 christos clock_t *c_time); 625 1.1 christos int doit(SSL *s_ssl, SSL *c_ssl, long bytes); 626 1.1 christos 627 1.1 christos static void sv_usage(void) 628 1.1 christos { 629 1.1 christos fprintf(stderr, "usage: ssltest [args ...]\n"); 630 1.1 
christos fprintf(stderr, "\n"); 631 1.1 christos fprintf(stderr, " -server_auth - check server certificate\n"); 632 1.1 christos fprintf(stderr, " -client_auth - do client authentication\n"); 633 1.1 christos fprintf(stderr, " -v - more output\n"); 634 1.1 christos fprintf(stderr, " -d - debug output\n"); 635 1.1 christos fprintf(stderr, " -reuse - use session-id reuse\n"); 636 1.1 christos fprintf(stderr, " -num <val> - number of connections to perform\n"); 637 1.1 christos fprintf(stderr, 638 1.1 christos " -bytes <val> - number of bytes to swap between client/server\n"); 639 1.1 christos #ifndef OPENSSL_NO_DH 640 1.1 christos fprintf(stderr, 641 1.1 christos " -dhe512 - use 512 bit key for DHE (to test failure)\n"); 642 1.1 christos fprintf(stderr, 643 1.1 christos " -dhe1024 - use 1024 bit key (safe prime) for DHE (default, no-op)\n"); 644 1.1 christos fprintf(stderr, 645 1.1 christos " -dhe1024dsa - use 1024 bit key (with 160-bit subprime) for DHE\n"); 646 1.1 christos fprintf(stderr, 647 1.1 christos " -dhe2048 - use 2048 bit key (rfc3526 prime) for DHE\n"); 648 1.1 christos fprintf(stderr, 649 1.1 christos " -dhe4096 - use 4096 bit key (rfc3526 prime) for DHE\n"); 650 1.1 christos fprintf(stderr, " -no_dhe - disable DHE\n"); 651 1.1 christos #endif 652 1.1 christos #ifndef OPENSSL_NO_EC 653 1.1 christos fprintf(stderr, " -no_ecdhe - disable ECDHE\nTODO(openssl-team): no_ecdhe was broken by auto ecdh. 
Make this work again.\n"); 654 1.1 christos #endif 655 1.1 christos #ifndef OPENSSL_NO_PSK 656 1.1 christos fprintf(stderr, " -psk arg - PSK in hex (without 0x)\n"); 657 1.1 christos #endif 658 1.1 christos #ifndef OPENSSL_NO_SSL3 659 1.1 christos fprintf(stderr, " -ssl3 - use SSLv3\n"); 660 1.1 christos #endif 661 1.1 christos #ifndef OPENSSL_NO_TLS1 662 1.1 christos fprintf(stderr, " -tls1 - use TLSv1\n"); 663 1.1 christos #endif 664 1.1 christos #ifndef OPENSSL_NO_TLS1_1 665 1.1 christos fprintf(stderr, " -tls1_1 - use TLSv1.1\n"); 666 1.1 christos #endif 667 1.1 christos #ifndef OPENSSL_NO_TLS1_2 668 1.1 christos fprintf(stderr, " -tls1_2 - use TLSv1.2\n"); 669 1.1 christos #endif 670 1.1 christos #ifndef OPENSSL_NO_DTLS 671 1.1 christos fprintf(stderr, " -dtls - use DTLS\n"); 672 1.1 christos #ifndef OPENSSL_NO_DTLS1 673 1.1 christos fprintf(stderr, " -dtls1 - use DTLSv1\n"); 674 1.1 christos #endif 675 1.1 christos #ifndef OPENSSL_NO_DTLS1_2 676 1.1 christos fprintf(stderr, " -dtls12 - use DTLSv1.2\n"); 677 1.1 christos #endif 678 1.1 christos #endif 679 1.1 christos fprintf(stderr, " -CApath arg - PEM format directory of CA's\n"); 680 1.1 christos fprintf(stderr, " -CAfile arg - PEM format file of CA's\n"); 681 1.1 christos fprintf(stderr, " -cert arg - Server certificate file\n"); 682 1.1 christos fprintf(stderr, 683 1.1 christos " -key arg - Server key file (default: same as -cert)\n"); 684 1.1 christos fprintf(stderr, " -c_cert arg - Client certificate file\n"); 685 1.1 christos fprintf(stderr, 686 1.1 christos " -c_key arg - Client key file (default: same as -c_cert)\n"); 687 1.1 christos fprintf(stderr, " -cipher arg - The TLSv1.2 and below cipher list\n"); 688 1.1 christos fprintf(stderr, " -ciphersuites arg - The TLSv1.3 ciphersuites\n"); 689 1.1 christos fprintf(stderr, " -bio_pair - Use BIO pairs\n"); 690 1.1 christos fprintf(stderr, " -ipv4 - Use IPv4 connection on localhost\n"); 691 1.1 christos fprintf(stderr, " -ipv6 - Use IPv6 connection on 
localhost\n"); 692 1.1 christos fprintf(stderr, " -f - Test even cases that can't work\n"); 693 1.1 christos fprintf(stderr, 694 1.1 christos " -time - measure processor time used by client and server\n"); 695 1.1 christos fprintf(stderr, " -zlib - use zlib compression\n"); 696 1.1 christos #ifndef OPENSSL_NO_NEXTPROTONEG 697 1.1 christos fprintf(stderr, " -npn_client - have client side offer NPN\n"); 698 1.1 christos fprintf(stderr, " -npn_server - have server side offer NPN\n"); 699 1.1 christos fprintf(stderr, " -npn_server_reject - have server reject NPN\n"); 700 1.1 christos #endif 701 1.1 christos fprintf(stderr, " -serverinfo_file file - have server use this file\n"); 702 1.1 christos fprintf(stderr, " -serverinfo_sct - have client offer and expect SCT\n"); 703 1.1 christos fprintf(stderr, 704 1.1 christos " -serverinfo_tack - have client offer and expect TACK\n"); 705 1.1 christos fprintf(stderr, 706 1.1 christos " -custom_ext - try various custom extension callbacks\n"); 707 1.1 christos fprintf(stderr, " -alpn_client <string> - have client side offer ALPN\n"); 708 1.1 christos fprintf(stderr, " -alpn_server <string> - have server side offer ALPN\n"); 709 1.1 christos fprintf(stderr, " -alpn_server1 <string> - alias for -alpn_server\n"); 710 1.1 christos fprintf(stderr, " -alpn_server2 <string> - have server side context 2 offer ALPN\n"); 711 1.1 christos fprintf(stderr, 712 1.1 christos " -alpn_expected <string> - the ALPN protocol that should be negotiated\n"); 713 1.1 christos fprintf(stderr, " -server_min_proto <string> - Minimum version the server should support\n"); 714 1.1 christos fprintf(stderr, " -server_max_proto <string> - Maximum version the server should support\n"); 715 1.1 christos fprintf(stderr, " -client_min_proto <string> - Minimum version the client should support\n"); 716 1.1 christos fprintf(stderr, " -client_max_proto <string> - Maximum version the client should support\n"); 717 1.1 christos fprintf(stderr, " -should_negotiate 
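<string> - The version that should be negotiated, fail-client or fail-server\n");
#ifndef OPENSSL_NO_CT
    /*
     * NOTE(review): the option parser in main() accepts -noct and -ct, not
     * -requestct / -requirect; confirm which spelling is intended.
     */
    fprintf(stderr, " -noct - no certificate transparency\n");
    fprintf(stderr, " -requestct - request certificate transparency\n");
    fprintf(stderr, " -requirect - require certificate transparency\n");
#endif
    fprintf(stderr, " -sn_client <string> - have client request this servername\n");
    fprintf(stderr, " -sn_server1 <string> - have server context 1 respond to this servername\n");
    fprintf(stderr, " -sn_server2 <string> - have server context 2 respond to this servername\n");
    fprintf(stderr, " -sn_expect1 - expected server 1\n");
    fprintf(stderr, " -sn_expect2 - expected server 2\n");
    fprintf(stderr, " -server_sess_out <file> - Save the server session to a file\n");
    fprintf(stderr, " -server_sess_in <file> - Read the server session from a file\n");
    fprintf(stderr, " -client_sess_out <file> - Save the client session to a file\n");
    fprintf(stderr, " -client_sess_in <file> - Read the client session from a file\n");
    fprintf(stderr, " -should_reuse <number> - The expected state of reusing the session\n");
    fprintf(stderr, " -no_ticket - do not issue TLS session ticket\n");
}

/*
 * print_key_details - write "<bits> bits <algorithm>" for a public key to out
 *
 * EC keys are reported with the NIST curve name when EC_curve_nid2nist()
 * knows one, otherwise with the curve's object short name. Every other key
 * type is reported by algorithm name. No newline is written and nothing is
 * left allocated on return.
 */
static void print_key_details(BIO *out, EVP_PKEY *key)
{
    int keyid = EVP_PKEY_id(key);
#ifndef OPENSSL_NO_EC
    if (keyid == EVP_PKEY_EC) {
        EC_KEY *ec = EVP_PKEY_get1_EC_KEY(key);
        int nid = NID_undef;
        const char *cname;

        /*
         * EVP_PKEY_get1_EC_KEY() returns NULL on failure; the previous code
         * passed that straight to EC_KEY_get0_group(). Fall back to NID_undef
         * so the key is still reported instead of dereferencing NULL.
         */
        if (ec != NULL) {
            nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
            EC_KEY_free(ec);    /* get1 handed us an owned reference */
        }
        cname = EC_curve_nid2nist(nid);
        if (cname == NULL)
            cname = OBJ_nid2sn(nid);
        BIO_printf(out, "%d bits EC (%s)", EVP_PKEY_bits(key), cname);
    } else
#endif
    {
        const char *algname;

        switch (keyid) {
        case EVP_PKEY_RSA:
            algname = "RSA";
            break;
        case EVP_PKEY_DSA:
            algname = "DSA";
            break;
        case EVP_PKEY_DH:
            algname = "DH";
            break;
        default:
            algname = OBJ_nid2sn(keyid);
            break;
        }
        BIO_printf(out, "%d bits %s", EVP_PKEY_bits(key), algname);
    }
}

/*
 * print_details - write a one-line summary of the negotiated connection
 *
 * Prints to bio_stdout: prefix, protocol version and cipher, then the peer
 * certificate's public key, the peer's ephemeral key and the signature
 * digest when each is available, and finally a newline.
 */
static void print_details(SSL *c_ssl, const char *prefix)
{
    const SSL_CIPHER *cur = SSL_get_current_cipher(c_ssl);
    X509 *peer;
    EVP_PKEY *tmpkey;
    int sig_nid;

    BIO_printf(bio_stdout, "%s%s, cipher %s %s",
               prefix,
               SSL_get_version(c_ssl),
               SSL_CIPHER_get_version(cur), SSL_CIPHER_get_name(cur));

    /* SSL_get_peer_certificate() returns a new reference: released below */
    peer = SSL_get_peer_certificate(c_ssl);
    if (peer != NULL) {
        EVP_PKEY *pubkey = X509_get0_pubkey(peer);    /* borrowed, not freed */

        if (pubkey != NULL) {
            BIO_puts(bio_stdout, ", ");
            print_key_details(bio_stdout, pubkey);
        }
        X509_free(peer);
    }

    /* the ephemeral key, when present, is likewise handed over as a new reference */
    if (SSL_get_peer_tmp_key(c_ssl, &tmpkey)) {
        BIO_puts(bio_stdout, ", temp key: ");
        print_key_details(bio_stdout, tmpkey);
        EVP_PKEY_free(tmpkey);
    }

    if (SSL_get_peer_signature_nid(c_ssl, &sig_nid))
        BIO_printf(bio_stdout, ", digest=%s", OBJ_nid2sn(sig_nid));
    BIO_printf(bio_stdout, "\n");
}

/*
 * protocol_from_string - converts a protocol version string to a number
 *
 * value must be non-NULL; matching is exact and case-sensitive.
 * Returns -1 on failure or the version on success.
 */
static int protocol_from_string(const char *value)
{
    struct protocol_versions {
        const char *name;
        int version;
    };
    static const struct protocol_versions versions[] = {
        {"ssl3", SSL3_VERSION},
        {"tls1", TLS1_VERSION},
        {"tls1.1", TLS1_1_VERSION},
        {"tls1.2", TLS1_2_VERSION},
        {"tls1.3", TLS1_3_VERSION},
        {"dtls1", DTLS1_VERSION},
        {"dtls1.2", DTLS1_2_VERSION}};
    const struct protocol_versions *entry = versions;
    const struct protocol_versions *const end = versions + OSSL_NELEM(versions);

    for (; entry < end; entry++) {
        if (strcmp(entry->name, value) == 0)
            return entry->version;
    }
    return -1;
}

/*
 * read_session - load a PEM-encoded SSL_SESSION from filename
 *
 * Returns a new session the caller owns, or NULL when the file cannot be
 * opened or parsed; errors are reported on bio_err.
 */
static SSL_SESSION *read_session(const char *filename)
{
    BIO *in = BIO_new_file(filename, "r");
    SSL_SESSION *result;

    if (in == NULL) {
        BIO_printf(bio_err, "Can't open session file %s\n", filename);
        ERR_print_errors(bio_err);
        return NULL;
    }
    result = PEM_read_bio_SSL_SESSION(in, NULL, 0, NULL);
    if (result == NULL) {
        BIO_printf(bio_err, "Can't parse session file %s\n", filename);
        ERR_print_errors(bio_err);
    }
    BIO_free(in);
    return result;
}
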
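/*
 * write_session - PEM-encode sess into filename
 *
 * Returns 1 when the session was written, 0 when sess is NULL, the file
 * cannot be opened, or the PEM encoding fails. Errors are reported on bio_err.
 */
static int write_session(const char *filename, SSL_SESSION *sess)
{
    BIO *out;
    int ok;

    if (sess == NULL) {
        BIO_printf(bio_err, "No session information\n");
        return 0;
    }

    out = BIO_new_file(filename, "w");
    if (out == NULL) {
        BIO_printf(bio_err, "Can't open session file %s\n", filename);
        ERR_print_errors(bio_err);
        return 0;
    }
    /*
     * The previous version ignored this result and returned 1 regardless,
     * so a failed encode could leave an unusable file that a later
     * -*_sess_in run would then fail to parse.
     */
    ok = PEM_write_bio_SSL_SESSION(out, sess);
    if (!ok) {
        BIO_printf(bio_err, "Can't write session file %s\n", filename);
        ERR_print_errors(bio_err);
    }
    BIO_free(out);
    return ok;
}

/*
 * set_protocol_version - Sets protocol version minimum or maximum
 *
 * version is the textual name accepted by protocol_from_string(), or NULL
 * to leave ssl untouched; setting is the SSL_ctrl() command selecting
 * minimum or maximum (chosen by the callers, which are outside this view).
 * Returns 0 on failure and 1 on success.
 */
static int set_protocol_version(const char *version, SSL *ssl, int setting)
{
    int ver;

    if (version == NULL)
        return 1;   /* nothing requested */
    ver = protocol_from_string(version);
    if (ver < 0) {
        BIO_printf(bio_err, "Error parsing: %s\n", version);
        return 0;
    }
    return SSL_ctrl(ssl, setting, ver, NULL);
}

/*
 * Entry point: parses the test options and builds the client and server
 * SSL_CTX objects before running the test. The body continues past this
 * block.
 */
int main(int argc, char *argv[])
{
    const char *CApath = NULL, *CAfile = NULL;
    int badop = 0;
    enum { BIO_MEM, BIO_PAIR, BIO_IPV4, BIO_IPV6 } bio_type = BIO_MEM;
    int force = 0;
    int dtls1 = 0, dtls12 = 0, dtls = 0, tls1 = 0, tls1_1 = 0, tls1_2 = 0, ssl3 = 0;
    int ret = EXIT_FAILURE;
    int client_auth = 0;
    int server_auth = 0, i;
    struct app_verify_arg app_verify_arg =
    {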
APP_CALLBACK_STRING, 0 }; 901 1.1 christos char *p; 902 1.1 christos SSL_CTX *c_ctx = NULL; 903 1.1 christos const SSL_METHOD *meth = NULL; 904 1.1 christos SSL *c_ssl, *s_ssl; 905 1.1 christos int number = 1, reuse = 0; 906 1.1 christos int should_reuse = -1; 907 1.1 christos int no_ticket = 0; 908 1.1 christos long bytes = 256L; 909 1.1 christos #ifndef OPENSSL_NO_DH 910 1.1 christos DH *dh; 911 1.1 christos int dhe512 = 0, dhe1024dsa = 0; 912 1.1 christos int dhe2048 = 0, dhe4096 = 0; 913 1.1 christos #endif 914 1.1 christos int no_dhe = 0; 915 1.1 christos int no_psk = 0; 916 1.1 christos int print_time = 0; 917 1.1 christos clock_t s_time = 0, c_time = 0; 918 1.1 christos #ifndef OPENSSL_NO_COMP 919 1.1 christos int n, comp = 0; 920 1.1 christos COMP_METHOD *cm = NULL; 921 1.1 christos STACK_OF(SSL_COMP) *ssl_comp_methods = NULL; 922 1.1 christos #endif 923 1.1 christos int no_protocol; 924 1.1 christos int min_version = 0, max_version = 0; 925 1.1 christos #ifndef OPENSSL_NO_CT 926 1.1 christos /* 927 1.1 christos * Disable CT validation by default, because it will interfere with 928 1.1 christos * anything using custom extension handlers to deal with SCT extensions. 
929 1.1 christos */ 930 1.1 christos int ct_validation = 0; 931 1.1 christos #endif 932 1.1 christos SSL_CONF_CTX *s_cctx = NULL, *c_cctx = NULL, *s_cctx2 = NULL; 933 1.1 christos STACK_OF(OPENSSL_STRING) *conf_args = NULL; 934 1.1 christos char *arg = NULL, *argn = NULL; 935 1.1 christos 936 1.1 christos verbose = 0; 937 1.1 christos debug = 0; 938 1.1 christos 939 1.1 christos bio_err = BIO_new_fp(stderr, BIO_NOCLOSE | BIO_FP_TEXT); 940 1.1 christos 941 1.1 christos p = getenv("OPENSSL_DEBUG_MEMORY"); 942 1.1 christos if (p != NULL && strcmp(p, "on") == 0) 943 1.1 christos CRYPTO_set_mem_debug(1); 944 1.1 christos CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); 945 1.1 christos 946 1.1 christos bio_stdout = BIO_new_fp(stdout, BIO_NOCLOSE | BIO_FP_TEXT); 947 1.1 christos 948 1.1 christos s_cctx = SSL_CONF_CTX_new(); 949 1.1 christos s_cctx2 = SSL_CONF_CTX_new(); 950 1.1 christos c_cctx = SSL_CONF_CTX_new(); 951 1.1 christos 952 1.1 christos if (!s_cctx || !c_cctx || !s_cctx2) { 953 1.1 christos ERR_print_errors(bio_err); 954 1.1 christos goto end; 955 1.1 christos } 956 1.1 christos 957 1.1 christos SSL_CONF_CTX_set_flags(s_cctx, 958 1.1 christos SSL_CONF_FLAG_CMDLINE | SSL_CONF_FLAG_SERVER | 959 1.1 christos SSL_CONF_FLAG_CERTIFICATE | 960 1.1 christos SSL_CONF_FLAG_REQUIRE_PRIVATE); 961 1.1 christos SSL_CONF_CTX_set_flags(s_cctx2, 962 1.1 christos SSL_CONF_FLAG_CMDLINE | SSL_CONF_FLAG_SERVER | 963 1.1 christos SSL_CONF_FLAG_CERTIFICATE | 964 1.1 christos SSL_CONF_FLAG_REQUIRE_PRIVATE); 965 1.1 christos if (!SSL_CONF_CTX_set1_prefix(s_cctx, "-s_")) { 966 1.1 christos ERR_print_errors(bio_err); 967 1.1 christos goto end; 968 1.1 christos } 969 1.1 christos if (!SSL_CONF_CTX_set1_prefix(s_cctx2, "-s_")) { 970 1.1 christos ERR_print_errors(bio_err); 971 1.1 christos goto end; 972 1.1 christos } 973 1.1 christos 974 1.1 christos SSL_CONF_CTX_set_flags(c_cctx, 975 1.1 christos SSL_CONF_FLAG_CMDLINE | SSL_CONF_FLAG_CLIENT | 976 1.1 christos SSL_CONF_FLAG_CERTIFICATE | 977 1.1 
christos SSL_CONF_FLAG_REQUIRE_PRIVATE); 978 1.1 christos if (!SSL_CONF_CTX_set1_prefix(c_cctx, "-c_")) { 979 1.1 christos ERR_print_errors(bio_err); 980 1.1 christos goto end; 981 1.1 christos } 982 1.1 christos 983 1.1 christos argc--; 984 1.1 christos argv++; 985 1.1 christos 986 1.1 christos while (argc >= 1) { 987 1.1 christos if (strcmp(*argv, "-F") == 0) { 988 1.1 christos fprintf(stderr, 989 1.1 christos "not compiled with FIPS support, so exiting without running.\n"); 990 1.1 christos EXIT(0); 991 1.1 christos } else if (strcmp(*argv, "-server_auth") == 0) 992 1.1 christos server_auth = 1; 993 1.1 christos else if (strcmp(*argv, "-client_auth") == 0) 994 1.1 christos client_auth = 1; 995 1.1 christos else if (strcmp(*argv, "-v") == 0) 996 1.1 christos verbose = 1; 997 1.1 christos else if (strcmp(*argv, "-d") == 0) 998 1.1 christos debug = 1; 999 1.1 christos else if (strcmp(*argv, "-reuse") == 0) 1000 1.1 christos reuse = 1; 1001 1.1 christos else if (strcmp(*argv, "-dhe512") == 0) { 1002 1.1 christos #ifndef OPENSSL_NO_DH 1003 1.1 christos dhe512 = 1; 1004 1.1 christos #else 1005 1.1 christos fprintf(stderr, 1006 1.1 christos "ignoring -dhe512, since I'm compiled without DH\n"); 1007 1.1 christos #endif 1008 1.1 christos } else if (strcmp(*argv, "-dhe4096") == 0) { 1009 1.1 christos #ifndef OPENSSL_NO_DH 1010 1.1 christos dhe4096 = 1; 1011 1.1 christos #else 1012 1.1 christos fprintf(stderr, 1013 1.1 christos "ignoring -dhe4096, since I'm compiled without DH\n"); 1014 1.1 christos #endif 1015 1.1 christos } else if (strcmp(*argv, "-dhe2048") == 0) { 1016 1.1 christos #ifndef OPENSSL_NO_DH 1017 1.1 christos dhe2048 = 1; 1018 1.1 christos #else 1019 1.1 christos fprintf(stderr, 1020 1.1 christos "ignoring -dhe2048, since I'm compiled without DH\n"); 1021 1.1 christos #endif 1022 1.1 christos } else if (strcmp(*argv, "-dhe1024dsa") == 0) { 1023 1.1 christos #ifndef OPENSSL_NO_DH 1024 1.1 christos dhe1024dsa = 1; 1025 1.1 christos #else 1026 1.1 christos 
fprintf(stderr, 1027 1.1 christos "ignoring -dhe1024dsa, since I'm compiled without DH\n"); 1028 1.1 christos #endif 1029 1.1 christos } else if (strcmp(*argv, "-no_dhe") == 0) 1030 1.1 christos no_dhe = 1; 1031 1.1 christos else if (strcmp(*argv, "-no_ecdhe") == 0) 1032 1.1 christos /* obsolete */; 1033 1.1 christos else if (strcmp(*argv, "-psk") == 0) { 1034 1.1 christos if (--argc < 1) 1035 1.1 christos goto bad; 1036 1.1 christos psk_key = *(++argv); 1037 1.1 christos #ifndef OPENSSL_NO_PSK 1038 1.1 christos if (strspn(psk_key, "abcdefABCDEF1234567890") != strlen(psk_key)) { 1039 1.1 christos BIO_printf(bio_err, "Not a hex number '%s'\n", *argv); 1040 1.1 christos goto bad; 1041 1.1 christos } 1042 1.1 christos #else 1043 1.1 christos no_psk = 1; 1044 1.1 christos #endif 1045 1.1 christos } 1046 1.1 christos else if (strcmp(*argv, "-tls1_2") == 0) { 1047 1.1 christos tls1_2 = 1; 1048 1.1 christos } else if (strcmp(*argv, "-tls1_1") == 0) { 1049 1.1 christos tls1_1 = 1; 1050 1.1 christos } else if (strcmp(*argv, "-tls1") == 0) { 1051 1.1 christos tls1 = 1; 1052 1.1 christos } else if (strcmp(*argv, "-ssl3") == 0) { 1053 1.1 christos ssl3 = 1; 1054 1.1 christos } else if (strcmp(*argv, "-dtls1") == 0) { 1055 1.1 christos dtls1 = 1; 1056 1.1 christos } else if (strcmp(*argv, "-dtls12") == 0) { 1057 1.1 christos dtls12 = 1; 1058 1.1 christos } else if (strcmp(*argv, "-dtls") == 0) { 1059 1.1 christos dtls = 1; 1060 1.1 christos } else if (strncmp(*argv, "-num", 4) == 0) { 1061 1.1 christos if (--argc < 1) 1062 1.1 christos goto bad; 1063 1.1 christos number = atoi(*(++argv)); 1064 1.1 christos if (number == 0) 1065 1.1 christos number = 1; 1066 1.1 christos } else if (strcmp(*argv, "-bytes") == 0) { 1067 1.1 christos if (--argc < 1) 1068 1.1 christos goto bad; 1069 1.1 christos bytes = atol(*(++argv)); 1070 1.1 christos if (bytes == 0L) 1071 1.1 christos bytes = 1L; 1072 1.1 christos i = strlen(argv[0]); 1073 1.1 christos if (argv[0][i - 1] == 'k') 1074 1.1 
christos bytes *= 1024L; 1075 1.1 christos if (argv[0][i - 1] == 'm') 1076 1.1 christos bytes *= 1024L * 1024L; 1077 1.1 christos } else if (strcmp(*argv, "-cipher") == 0) { 1078 1.1 christos if (--argc < 1) 1079 1.1 christos goto bad; 1080 1.1 christos cipher = *(++argv); 1081 1.1 christos } else if (strcmp(*argv, "-ciphersuites") == 0) { 1082 1.1 christos if (--argc < 1) 1083 1.1 christos goto bad; 1084 1.1 christos ciphersuites = *(++argv); 1085 1.1 christos } else if (strcmp(*argv, "-CApath") == 0) { 1086 1.1 christos if (--argc < 1) 1087 1.1 christos goto bad; 1088 1.1 christos CApath = *(++argv); 1089 1.1 christos } else if (strcmp(*argv, "-CAfile") == 0) { 1090 1.1 christos if (--argc < 1) 1091 1.1 christos goto bad; 1092 1.1 christos CAfile = *(++argv); 1093 1.1 christos } else if (strcmp(*argv, "-bio_pair") == 0) { 1094 1.1 christos bio_type = BIO_PAIR; 1095 1.1 christos } 1096 1.1 christos #ifndef OPENSSL_NO_SOCK 1097 1.1 christos else if (strcmp(*argv, "-ipv4") == 0) { 1098 1.1 christos bio_type = BIO_IPV4; 1099 1.1 christos } else if (strcmp(*argv, "-ipv6") == 0) { 1100 1.1 christos bio_type = BIO_IPV6; 1101 1.1 christos } 1102 1.1 christos #endif 1103 1.1 christos else if (strcmp(*argv, "-f") == 0) { 1104 1.1 christos force = 1; 1105 1.1 christos } else if (strcmp(*argv, "-time") == 0) { 1106 1.1 christos print_time = 1; 1107 1.1 christos } 1108 1.1 christos #ifndef OPENSSL_NO_CT 1109 1.1 christos else if (strcmp(*argv, "-noct") == 0) { 1110 1.1 christos ct_validation = 0; 1111 1.1 christos } 1112 1.1 christos else if (strcmp(*argv, "-ct") == 0) { 1113 1.1 christos ct_validation = 1; 1114 1.1 christos } 1115 1.1 christos #endif 1116 1.1 christos #ifndef OPENSSL_NO_COMP 1117 1.1 christos else if (strcmp(*argv, "-zlib") == 0) { 1118 1.1 christos comp = COMP_ZLIB; 1119 1.1 christos } 1120 1.1 christos #endif 1121 1.1 christos else if (strcmp(*argv, "-app_verify") == 0) { 1122 1.1 christos app_verify_arg.app_verify = 1; 1123 1.1 christos } 1124 1.1 
christos #ifndef OPENSSL_NO_NEXTPROTONEG 1125 1.1 christos else if (strcmp(*argv, "-npn_client") == 0) { 1126 1.1 christos npn_client = 1; 1127 1.1 christos } else if (strcmp(*argv, "-npn_server") == 0) { 1128 1.1 christos npn_server = 1; 1129 1.1 christos } else if (strcmp(*argv, "-npn_server_reject") == 0) { 1130 1.1 christos npn_server_reject = 1; 1131 1.1 christos } 1132 1.1 christos #endif 1133 1.1 christos else if (strcmp(*argv, "-serverinfo_sct") == 0) { 1134 1.1 christos serverinfo_sct = 1; 1135 1.1 christos } else if (strcmp(*argv, "-serverinfo_tack") == 0) { 1136 1.1 christos serverinfo_tack = 1; 1137 1.1 christos } else if (strcmp(*argv, "-serverinfo_file") == 0) { 1138 1.1 christos if (--argc < 1) 1139 1.1 christos goto bad; 1140 1.1 christos serverinfo_file = *(++argv); 1141 1.1 christos } else if (strcmp(*argv, "-custom_ext") == 0) { 1142 1.1 christos custom_ext = 1; 1143 1.1 christos } else if (strcmp(*argv, "-alpn_client") == 0) { 1144 1.1 christos if (--argc < 1) 1145 1.1 christos goto bad; 1146 1.1 christos alpn_client = *(++argv); 1147 1.1 christos } else if (strcmp(*argv, "-alpn_server") == 0 || 1148 1.1 christos strcmp(*argv, "-alpn_server1") == 0) { 1149 1.1 christos if (--argc < 1) 1150 1.1 christos goto bad; 1151 1.1 christos alpn_server = *(++argv); 1152 1.1 christos } else if (strcmp(*argv, "-alpn_server2") == 0) { 1153 1.1 christos if (--argc < 1) 1154 1.1 christos goto bad; 1155 1.1 christos alpn_server2 = *(++argv); 1156 1.1 christos } else if (strcmp(*argv, "-alpn_expected") == 0) { 1157 1.1 christos if (--argc < 1) 1158 1.1 christos goto bad; 1159 1.1 christos alpn_expected = *(++argv); 1160 1.1 christos } else if (strcmp(*argv, "-server_min_proto") == 0) { 1161 1.1 christos if (--argc < 1) 1162 1.1 christos goto bad; 1163 1.1 christos server_min_proto = *(++argv); 1164 1.1 christos } else if (strcmp(*argv, "-server_max_proto") == 0) { 1165 1.1 christos if (--argc < 1) 1166 1.1 christos goto bad; 1167 1.1 christos server_max_proto = 
*(++argv); 1168 1.1 christos } else if (strcmp(*argv, "-client_min_proto") == 0) { 1169 1.1 christos if (--argc < 1) 1170 1.1 christos goto bad; 1171 1.1 christos client_min_proto = *(++argv); 1172 1.1 christos } else if (strcmp(*argv, "-client_max_proto") == 0) { 1173 1.1 christos if (--argc < 1) 1174 1.1 christos goto bad; 1175 1.1 christos client_max_proto = *(++argv); 1176 1.1 christos } else if (strcmp(*argv, "-should_negotiate") == 0) { 1177 1.1 christos if (--argc < 1) 1178 1.1 christos goto bad; 1179 1.1 christos should_negotiate = *(++argv); 1180 1.1 christos } else if (strcmp(*argv, "-sn_client") == 0) { 1181 1.1 christos if (--argc < 1) 1182 1.1 christos goto bad; 1183 1.1 christos sn_client = *(++argv); 1184 1.1 christos } else if (strcmp(*argv, "-sn_server1") == 0) { 1185 1.1 christos if (--argc < 1) 1186 1.1 christos goto bad; 1187 1.1 christos sn_server1 = *(++argv); 1188 1.1 christos } else if (strcmp(*argv, "-sn_server2") == 0) { 1189 1.1 christos if (--argc < 1) 1190 1.1 christos goto bad; 1191 1.1 christos sn_server2 = *(++argv); 1192 1.1 christos } else if (strcmp(*argv, "-sn_expect1") == 0) { 1193 1.1 christos sn_expect = 1; 1194 1.1 christos } else if (strcmp(*argv, "-sn_expect2") == 0) { 1195 1.1 christos sn_expect = 2; 1196 1.1 christos } else if (strcmp(*argv, "-server_sess_out") == 0) { 1197 1.1 christos if (--argc < 1) 1198 1.1 christos goto bad; 1199 1.1 christos server_sess_out = *(++argv); 1200 1.1 christos } else if (strcmp(*argv, "-server_sess_in") == 0) { 1201 1.1 christos if (--argc < 1) 1202 1.1 christos goto bad; 1203 1.1 christos server_sess_in = *(++argv); 1204 1.1 christos } else if (strcmp(*argv, "-client_sess_out") == 0) { 1205 1.1 christos if (--argc < 1) 1206 1.1 christos goto bad; 1207 1.1 christos client_sess_out = *(++argv); 1208 1.1 christos } else if (strcmp(*argv, "-client_sess_in") == 0) { 1209 1.1 christos if (--argc < 1) 1210 1.1 christos goto bad; 1211 1.1 christos client_sess_in = *(++argv); 1212 1.1 christos } 
else if (strcmp(*argv, "-should_reuse") == 0) { 1213 1.1 christos if (--argc < 1) 1214 1.1 christos goto bad; 1215 1.1 christos should_reuse = !!atoi(*(++argv)); 1216 1.1 christos } else if (strcmp(*argv, "-no_ticket") == 0) { 1217 1.1 christos no_ticket = 1; 1218 1.1 christos } else { 1219 1.1 christos int rv; 1220 1.1 christos arg = argv[0]; 1221 1.1 christos argn = argv[1]; 1222 1.1 christos /* Try to process command using SSL_CONF */ 1223 1.1 christos rv = SSL_CONF_cmd_argv(c_cctx, &argc, &argv); 1224 1.1 christos /* If not processed try server */ 1225 1.1 christos if (rv == 0) 1226 1.1 christos rv = SSL_CONF_cmd_argv(s_cctx, &argc, &argv); 1227 1.1 christos /* Recognised: store it for later use */ 1228 1.1 christos if (rv > 0) { 1229 1.1 christos if (rv == 1) 1230 1.1 christos argn = NULL; 1231 1.1 christos if (!conf_args) { 1232 1.1 christos conf_args = sk_OPENSSL_STRING_new_null(); 1233 1.1 christos if (!conf_args) 1234 1.1 christos goto end; 1235 1.1 christos } 1236 1.1 christos if (!sk_OPENSSL_STRING_push(conf_args, arg)) 1237 1.1 christos goto end; 1238 1.1 christos if (!sk_OPENSSL_STRING_push(conf_args, argn)) 1239 1.1 christos goto end; 1240 1.1 christos continue; 1241 1.1 christos } 1242 1.1 christos if (rv == -3) 1243 1.1 christos BIO_printf(bio_err, "Missing argument for %s\n", arg); 1244 1.1 christos else if (rv < 0) 1245 1.1 christos BIO_printf(bio_err, "Error with command %s\n", arg); 1246 1.1 christos else if (rv == 0) 1247 1.1 christos BIO_printf(bio_err, "unknown option %s\n", arg); 1248 1.1 christos badop = 1; 1249 1.1 christos break; 1250 1.1 christos } 1251 1.1 christos argc--; 1252 1.1 christos argv++; 1253 1.1 christos } 1254 1.1 christos if (badop) { 1255 1.1 christos bad: 1256 1.1 christos sv_usage(); 1257 1.1 christos goto end; 1258 1.1 christos } 1259 1.1 christos 1260 1.1 christos if (ssl3 + tls1 + tls1_1 + tls1_2 + dtls + dtls1 + dtls12 > 1) { 1261 1.1 christos fprintf(stderr, "At most one of -ssl3, -tls1, -tls1_1, -tls1_2, -dtls, 
-dtls1 or -dtls12 should " 1262 1.1 christos "be requested.\n"); 1263 1.1 christos EXIT(1); 1264 1.1 christos } 1265 1.1 christos 1266 1.1 christos #ifdef OPENSSL_NO_SSL3 1267 1.1 christos if (ssl3) 1268 1.1 christos no_protocol = 1; 1269 1.1 christos else 1270 1.1 christos #endif 1271 1.1 christos #ifdef OPENSSL_NO_TLS1 1272 1.1 christos if (tls1) 1273 1.1 christos no_protocol = 1; 1274 1.1 christos else 1275 1.1 christos #endif 1276 1.1 christos #ifdef OPENSSL_NO_TLS1_1 1277 1.1 christos if (tls1_1) 1278 1.1 christos no_protocol = 1; 1279 1.1 christos else 1280 1.1 christos #endif 1281 1.1 christos #ifdef OPENSSL_NO_TLS1_2 1282 1.1 christos if (tls1_2) 1283 1.1 christos no_protocol = 1; 1284 1.1 christos else 1285 1.1 christos #endif 1286 1.1 christos #if defined(OPENSSL_NO_DTLS) || defined(OPENSSL_NO_DTLS1) 1287 1.1 christos if (dtls1) 1288 1.1 christos no_protocol = 1; 1289 1.1 christos else 1290 1.1 christos #endif 1291 1.1 christos #if defined(OPENSSL_NO_DTLS) || defined(OPENSSL_NO_DTLS1_2) 1292 1.1 christos if (dtls12) 1293 1.1 christos no_protocol = 1; 1294 1.1 christos else 1295 1.1 christos #endif 1296 1.1 christos no_protocol = 0; 1297 1.1 christos 1298 1.1 christos /* 1299 1.1 christos * Testing was requested for a compiled-out protocol (e.g. SSLv3). 1300 1.1 christos * Ideally, we would error out, but the generic test wrapper can't know 1301 1.1 christos * when to expect failure. So we do nothing and return success. 1302 1.1 christos */ 1303 1.1 christos if (no_protocol) { 1304 1.1 christos fprintf(stderr, "Testing was requested for a disabled protocol. " 1305 1.1 christos "Skipping tests.\n"); 1306 1.1 christos ret = EXIT_SUCCESS; 1307 1.1 christos goto end; 1308 1.1 christos } 1309 1.1 christos 1310 1.1 christos if (!ssl3 && !tls1 && !tls1_1 && !tls1_2 && !dtls && !dtls1 && !dtls12 && number > 1 1311 1.1 christos && !reuse && !force) { 1312 1.1 christos fprintf(stderr, "This case cannot work. 
Use -f to perform " 1313 1.1 christos "the test anyway (and\n-d to see what happens), " 1314 1.1 christos "or add one of -ssl3, -tls1, -tls1_1, -tls1_2, -dtls, -dtls1, -dtls12, -reuse\n" 1315 1.1 christos "to avoid protocol mismatch.\n"); 1316 1.1 christos EXIT(1); 1317 1.1 christos } 1318 1.1 christos 1319 1.1 christos if (print_time) { 1320 1.1 christos if (bio_type != BIO_PAIR) { 1321 1.1 christos fprintf(stderr, "Using BIO pair (-bio_pair)\n"); 1322 1.1 christos bio_type = BIO_PAIR; 1323 1.1 christos } 1324 1.1 christos if (number < 50 && !force) 1325 1.1 christos fprintf(stderr, 1326 1.1 christos "Warning: For accurate timings, use more connections (e.g. -num 1000)\n"); 1327 1.1 christos } 1328 1.1 christos 1329 1.1 christos #ifndef OPENSSL_NO_COMP 1330 1.1 christos if (comp == COMP_ZLIB) 1331 1.1 christos cm = COMP_zlib(); 1332 1.1 christos if (cm != NULL) { 1333 1.1 christos if (COMP_get_type(cm) != NID_undef) { 1334 1.1 christos if (SSL_COMP_add_compression_method(comp, cm) != 0) { 1335 1.1 christos fprintf(stderr, "Failed to add compression method\n"); 1336 1.1 christos ERR_print_errors_fp(stderr); 1337 1.1 christos } 1338 1.1 christos } else { 1339 1.1 christos fprintf(stderr, 1340 1.1 christos "Warning: %s compression not supported\n", 1341 1.1 christos comp == COMP_ZLIB ? 
"zlib" : "unknown"); 1342 1.1 christos ERR_print_errors_fp(stderr); 1343 1.1 christos } 1344 1.1 christos } 1345 1.1 christos ssl_comp_methods = SSL_COMP_get_compression_methods(); 1346 1.1 christos n = sk_SSL_COMP_num(ssl_comp_methods); 1347 1.1 christos if (n) { 1348 1.1 christos int j; 1349 1.1 christos printf("Available compression methods:"); 1350 1.1 christos for (j = 0; j < n; j++) { 1351 1.1 christos SSL_COMP *c = sk_SSL_COMP_value(ssl_comp_methods, j); 1352 1.1 christos printf(" %s:%d", SSL_COMP_get0_name(c), SSL_COMP_get_id(c)); 1353 1.1 christos } 1354 1.1 christos printf("\n"); 1355 1.1 christos } 1356 1.1 christos #endif 1357 1.1 christos 1358 1.1 christos #ifndef OPENSSL_NO_TLS 1359 1.1 christos meth = TLS_method(); 1360 1.1 christos if (ssl3) { 1361 1.1 christos min_version = SSL3_VERSION; 1362 1.1 christos max_version = SSL3_VERSION; 1363 1.1 christos } else if (tls1) { 1364 1.1 christos min_version = TLS1_VERSION; 1365 1.1 christos max_version = TLS1_VERSION; 1366 1.1 christos } else if (tls1_1) { 1367 1.1 christos min_version = TLS1_1_VERSION; 1368 1.1 christos max_version = TLS1_1_VERSION; 1369 1.1 christos } else if (tls1_2) { 1370 1.1 christos min_version = TLS1_2_VERSION; 1371 1.1 christos max_version = TLS1_2_VERSION; 1372 1.1 christos } else { 1373 1.1 christos min_version = SSL3_VERSION; 1374 1.1 christos max_version = TLS_MAX_VERSION; 1375 1.1 christos } 1376 1.1 christos #endif 1377 1.1 christos #ifndef OPENSSL_NO_DTLS 1378 1.1 christos if (dtls || dtls1 || dtls12) { 1379 1.1 christos meth = DTLS_method(); 1380 1.1 christos if (dtls1) { 1381 1.1 christos min_version = DTLS1_VERSION; 1382 1.1 christos max_version = DTLS1_VERSION; 1383 1.1 christos } else if (dtls12) { 1384 1.1 christos min_version = DTLS1_2_VERSION; 1385 1.1 christos max_version = DTLS1_2_VERSION; 1386 1.1 christos } else { 1387 1.1 christos min_version = DTLS_MIN_VERSION; 1388 1.1 christos max_version = DTLS_MAX_VERSION; 1389 1.1 christos } 1390 1.1 christos } 1391 1.1 
christos #endif 1392 1.1 christos 1393 1.1 christos c_ctx = SSL_CTX_new(meth); 1394 1.1 christos s_ctx = SSL_CTX_new(meth); 1395 1.1 christos s_ctx2 = SSL_CTX_new(meth); /* no SSL_CTX_dup! */ 1396 1.1 christos if ((c_ctx == NULL) || (s_ctx == NULL) || (s_ctx2 == NULL)) { 1397 1.1 christos ERR_print_errors(bio_err); 1398 1.1 christos goto end; 1399 1.1 christos } 1400 1.1 christos /* 1401 1.1 christos * Since we will use low security ciphersuites and keys for testing set 1402 1.1 christos * security level to zero by default. Tests can override this by adding 1403 1.1 christos * "@SECLEVEL=n" to the cipher string. 1404 1.1 christos */ 1405 1.1 christos SSL_CTX_set_security_level(c_ctx, 0); 1406 1.1 christos SSL_CTX_set_security_level(s_ctx, 0); 1407 1.1 christos SSL_CTX_set_security_level(s_ctx2, 0); 1408 1.1 christos 1409 1.1 christos if (no_ticket) { 1410 1.1 christos SSL_CTX_set_options(c_ctx, SSL_OP_NO_TICKET); 1411 1.1 christos SSL_CTX_set_options(s_ctx, SSL_OP_NO_TICKET); 1412 1.1 christos } 1413 1.1 christos 1414 1.1 christos if (SSL_CTX_set_min_proto_version(c_ctx, min_version) == 0) 1415 1.1 christos goto end; 1416 1.1 christos if (SSL_CTX_set_max_proto_version(c_ctx, max_version) == 0) 1417 1.1 christos goto end; 1418 1.1 christos if (SSL_CTX_set_min_proto_version(s_ctx, min_version) == 0) 1419 1.1 christos goto end; 1420 1.1 christos if (SSL_CTX_set_max_proto_version(s_ctx, max_version) == 0) 1421 1.1 christos goto end; 1422 1.1 christos 1423 1.1 christos if (cipher != NULL) { 1424 1.1 christos if (strcmp(cipher, "") == 0) { 1425 1.1 christos if (!SSL_CTX_set_cipher_list(c_ctx, cipher)) { 1426 1.1 christos if (ERR_GET_REASON(ERR_peek_error()) == SSL_R_NO_CIPHER_MATCH) { 1427 1.1 christos ERR_clear_error(); 1428 1.1 christos } else { 1429 1.1 christos ERR_print_errors(bio_err); 1430 1.1 christos goto end; 1431 1.1 christos } 1432 1.1 christos } else { 1433 1.1 christos /* Should have failed when clearing all TLSv1.2 ciphers. 
*/ 1434 1.1 christos fprintf(stderr, "CLEARING ALL TLSv1.2 CIPHERS SHOULD FAIL\n"); 1435 1.1 christos goto end; 1436 1.1 christos } 1437 1.1 christos 1438 1.1 christos if (!SSL_CTX_set_cipher_list(s_ctx, cipher)) { 1439 1.1 christos if (ERR_GET_REASON(ERR_peek_error()) == SSL_R_NO_CIPHER_MATCH) { 1440 1.1 christos ERR_clear_error(); 1441 1.1 christos } else { 1442 1.1 christos ERR_print_errors(bio_err); 1443 1.1 christos goto end; 1444 1.1 christos } 1445 1.1 christos } else { 1446 1.1 christos /* Should have failed when clearing all TLSv1.2 ciphers. */ 1447 1.1 christos fprintf(stderr, "CLEARING ALL TLSv1.2 CIPHERS SHOULD FAIL\n"); 1448 1.1 christos goto end; 1449 1.1 christos } 1450 1.1 christos 1451 1.1 christos if (!SSL_CTX_set_cipher_list(s_ctx2, cipher)) { 1452 1.1 christos if (ERR_GET_REASON(ERR_peek_error()) == SSL_R_NO_CIPHER_MATCH) { 1453 1.1 christos ERR_clear_error(); 1454 1.1 christos } else { 1455 1.1 christos ERR_print_errors(bio_err); 1456 1.1 christos goto end; 1457 1.1 christos } 1458 1.1 christos } else { 1459 1.1 christos /* Should have failed when clearing all TLSv1.2 ciphers. 
*/ 1460 1.1 christos fprintf(stderr, "CLEARING ALL TLSv1.2 CIPHERS SHOULD FAIL\n"); 1461 1.1 christos goto end; 1462 1.1 christos } 1463 1.1 christos } else { 1464 1.1 christos if (!SSL_CTX_set_cipher_list(c_ctx, cipher) 1465 1.1 christos || !SSL_CTX_set_cipher_list(s_ctx, cipher) 1466 1.1 christos || !SSL_CTX_set_cipher_list(s_ctx2, cipher)) { 1467 1.1 christos ERR_print_errors(bio_err); 1468 1.1 christos goto end; 1469 1.1 christos } 1470 1.1 christos } 1471 1.1 christos } 1472 1.1 christos if (ciphersuites != NULL) { 1473 1.1 christos if (!SSL_CTX_set_ciphersuites(c_ctx, ciphersuites) 1474 1.1 christos || !SSL_CTX_set_ciphersuites(s_ctx, ciphersuites) 1475 1.1 christos || !SSL_CTX_set_ciphersuites(s_ctx2, ciphersuites)) { 1476 1.1 christos ERR_print_errors(bio_err); 1477 1.1 christos goto end; 1478 1.1 christos } 1479 1.1 christos } 1480 1.1 christos 1481 1.1 christos #ifndef OPENSSL_NO_CT 1482 1.1 christos if (ct_validation && 1483 1.1 christos !SSL_CTX_enable_ct(c_ctx, SSL_CT_VALIDATION_STRICT)) { 1484 1.1 christos ERR_print_errors(bio_err); 1485 1.1 christos goto end; 1486 1.1 christos } 1487 1.1 christos #endif 1488 1.1 christos 1489 1.1 christos /* Process SSL_CONF arguments */ 1490 1.1 christos SSL_CONF_CTX_set_ssl_ctx(c_cctx, c_ctx); 1491 1.1 christos SSL_CONF_CTX_set_ssl_ctx(s_cctx, s_ctx); 1492 1.1 christos SSL_CONF_CTX_set_ssl_ctx(s_cctx2, s_ctx2); 1493 1.1 christos 1494 1.1 christos for (i = 0; i < sk_OPENSSL_STRING_num(conf_args); i += 2) { 1495 1.1 christos int rv; 1496 1.1 christos arg = sk_OPENSSL_STRING_value(conf_args, i); 1497 1.1 christos argn = sk_OPENSSL_STRING_value(conf_args, i + 1); 1498 1.1 christos rv = SSL_CONF_cmd(c_cctx, arg, argn); 1499 1.1 christos /* If not recognised use server context */ 1500 1.1 christos if (rv == -2) { 1501 1.1 christos rv = SSL_CONF_cmd(s_cctx2, arg, argn); 1502 1.1 christos if (rv > 0) 1503 1.1 christos rv = SSL_CONF_cmd(s_cctx, arg, argn); 1504 1.1 christos } 1505 1.1 christos if (rv <= 0) { 1506 1.1 
christos BIO_printf(bio_err, "Error processing %s %s\n", 1507 1.1 christos arg, argn ? argn : ""); 1508 1.1 christos ERR_print_errors(bio_err); 1509 1.1 christos goto end; 1510 1.1 christos } 1511 1.1 christos } 1512 1.1 christos 1513 1.1 christos if (!SSL_CONF_CTX_finish(s_cctx) || !SSL_CONF_CTX_finish(c_cctx) || !SSL_CONF_CTX_finish(s_cctx2)) { 1514 1.1 christos BIO_puts(bio_err, "Error finishing context\n"); 1515 1.1 christos ERR_print_errors(bio_err); 1516 1.1 christos goto end; 1517 1.1 christos } 1518 1.1 christos #ifndef OPENSSL_NO_DH 1519 1.1 christos if (!no_dhe) { 1520 1.1 christos if (dhe1024dsa) { 1521 1.1 christos dh = get_dh1024dsa(); 1522 1.1 christos } else if (dhe512) 1523 1.1 christos dh = get_dh512(); 1524 1.1 christos else if (dhe2048) 1525 1.1 christos dh = get_dh2048(); 1526 1.1 christos else if (dhe4096) 1527 1.1 christos dh = get_dh4096(); 1528 1.1 christos else 1529 1.1 christos dh = get_dh1024(); 1530 1.1 christos SSL_CTX_set_tmp_dh(s_ctx, dh); 1531 1.1 christos SSL_CTX_set_tmp_dh(s_ctx2, dh); 1532 1.1 christos DH_free(dh); 1533 1.1 christos } 1534 1.1 christos #else 1535 1.1 christos (void)no_dhe; 1536 1.1 christos #endif 1537 1.1 christos 1538 1.1 christos if ((!SSL_CTX_load_verify_locations(s_ctx, CAfile, CApath)) || 1539 1.1 christos (!SSL_CTX_set_default_verify_paths(s_ctx)) || 1540 1.1 christos (!SSL_CTX_load_verify_locations(s_ctx2, CAfile, CApath)) || 1541 1.1 christos (!SSL_CTX_set_default_verify_paths(s_ctx2)) || 1542 1.1 christos (!SSL_CTX_load_verify_locations(c_ctx, CAfile, CApath)) || 1543 1.1 christos (!SSL_CTX_set_default_verify_paths(c_ctx))) { 1544 1.1 christos ERR_print_errors(bio_err); 1545 1.1 christos } 1546 1.1 christos 1547 1.1 christos #ifndef OPENSSL_NO_CT 1548 1.1 christos if (!SSL_CTX_set_default_ctlog_list_file(s_ctx) || 1549 1.1 christos !SSL_CTX_set_default_ctlog_list_file(s_ctx2) || 1550 1.1 christos !SSL_CTX_set_default_ctlog_list_file(c_ctx)) { 1551 1.1 christos ERR_print_errors(bio_err); 1552 1.1 christos 
} 1553 1.1 christos #endif 1554 1.1 christos 1555 1.1 christos if (client_auth) { 1556 1.1 christos printf("client authentication\n"); 1557 1.1 christos SSL_CTX_set_verify(s_ctx, 1558 1.1 christos SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 1559 1.1 christos verify_callback); 1560 1.1 christos SSL_CTX_set_verify(s_ctx2, 1561 1.1 christos SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 1562 1.1 christos verify_callback); 1563 1.1 christos SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, 1564 1.1 christos &app_verify_arg); 1565 1.1 christos SSL_CTX_set_cert_verify_callback(s_ctx2, app_verify_callback, 1566 1.1 christos &app_verify_arg); 1567 1.1 christos } 1568 1.1 christos if (server_auth) { 1569 1.1 christos printf("server authentication\n"); 1570 1.1 christos SSL_CTX_set_verify(c_ctx, SSL_VERIFY_PEER, verify_callback); 1571 1.1 christos SSL_CTX_set_cert_verify_callback(c_ctx, app_verify_callback, 1572 1.1 christos &app_verify_arg); 1573 1.1 christos } 1574 1.1 christos 1575 1.1 christos { 1576 1.1 christos int session_id_context = 0; 1577 1.1 christos if (!SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context, 1578 1.1 christos sizeof(session_id_context)) || 1579 1.1 christos !SSL_CTX_set_session_id_context(s_ctx2, (void *)&session_id_context, 1580 1.1 christos sizeof(session_id_context))) { 1581 1.1 christos ERR_print_errors(bio_err); 1582 1.1 christos goto end; 1583 1.1 christos } 1584 1.1 christos } 1585 1.1 christos 1586 1.1 christos /* Use PSK only if PSK key is given */ 1587 1.1 christos if (psk_key != NULL) { 1588 1.1 christos /* 1589 1.1 christos * no_psk is used to avoid putting psk command to openssl tool 1590 1.1 christos */ 1591 1.1 christos if (no_psk) { 1592 1.1 christos /* 1593 1.1 christos * if PSK is not compiled in and psk key is given, do nothing and 1594 1.1 christos * exit successfully 1595 1.1 christos */ 1596 1.1 christos ret = EXIT_SUCCESS; 1597 1.1 christos goto end; 1598 1.1 christos } 1599 1.1 christos 
#ifndef OPENSSL_NO_PSK 1600 1.1 christos SSL_CTX_set_psk_client_callback(c_ctx, psk_client_callback); 1601 1.1 christos SSL_CTX_set_psk_server_callback(s_ctx, psk_server_callback); 1602 1.1 christos SSL_CTX_set_psk_server_callback(s_ctx2, psk_server_callback); 1603 1.1 christos if (debug) 1604 1.1 christos BIO_printf(bio_err, "setting PSK identity hint to s_ctx\n"); 1605 1.1 christos if (!SSL_CTX_use_psk_identity_hint(s_ctx, "ctx server identity_hint") || 1606 1.1 christos !SSL_CTX_use_psk_identity_hint(s_ctx2, "ctx server identity_hint")) { 1607 1.1 christos BIO_printf(bio_err, "error setting PSK identity hint to s_ctx\n"); 1608 1.1 christos ERR_print_errors(bio_err); 1609 1.1 christos goto end; 1610 1.1 christos } 1611 1.1 christos #endif 1612 1.1 christos } 1613 1.1 christos 1614 1.1 christos #ifndef OPENSSL_NO_NEXTPROTONEG 1615 1.1 christos if (npn_client) { 1616 1.1 christos SSL_CTX_set_next_proto_select_cb(c_ctx, cb_client_npn, NULL); 1617 1.1 christos } 1618 1.1 christos if (npn_server) { 1619 1.1 christos if (npn_server_reject) { 1620 1.1 christos BIO_printf(bio_err, 1621 1.1 christos "Can't have both -npn_server and -npn_server_reject\n"); 1622 1.1 christos goto end; 1623 1.1 christos } 1624 1.1 christos SSL_CTX_set_npn_advertised_cb(s_ctx, cb_server_npn, NULL); 1625 1.1 christos SSL_CTX_set_npn_advertised_cb(s_ctx2, cb_server_npn, NULL); 1626 1.1 christos } 1627 1.1 christos if (npn_server_reject) { 1628 1.1 christos SSL_CTX_set_npn_advertised_cb(s_ctx, cb_server_rejects_npn, NULL); 1629 1.1 christos SSL_CTX_set_npn_advertised_cb(s_ctx2, cb_server_rejects_npn, NULL); 1630 1.1 christos } 1631 1.1 christos #endif 1632 1.1 christos 1633 1.1 christos if (serverinfo_sct) { 1634 1.1 christos if (!SSL_CTX_add_client_custom_ext(c_ctx, 1635 1.1 christos TLSEXT_TYPE_signed_certificate_timestamp, 1636 1.1 christos NULL, NULL, NULL, 1637 1.1 christos serverinfo_cli_parse_cb, NULL)) { 1638 1.1 christos BIO_printf(bio_err, "Error adding SCT extension\n"); 1639 1.1 
christos goto end; 1640 1.1 christos } 1641 1.1 christos } 1642 1.1 christos if (serverinfo_tack) { 1643 1.1 christos if (!SSL_CTX_add_client_custom_ext(c_ctx, TACK_EXT_TYPE, 1644 1.1 christos NULL, NULL, NULL, 1645 1.1 christos serverinfo_cli_parse_cb, NULL)) { 1646 1.1 christos BIO_printf(bio_err, "Error adding TACK extension\n"); 1647 1.1 christos goto end; 1648 1.1 christos } 1649 1.1 christos } 1650 1.1 christos if (serverinfo_file) 1651 1.1 christos if (!SSL_CTX_use_serverinfo_file(s_ctx, serverinfo_file) || 1652 1.1 christos !SSL_CTX_use_serverinfo_file(s_ctx2, serverinfo_file)) { 1653 1.1 christos BIO_printf(bio_err, "missing serverinfo file\n"); 1654 1.1 christos goto end; 1655 1.1 christos } 1656 1.1 christos 1657 1.1 christos if (custom_ext) { 1658 1.1 christos if (!SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_0, 1659 1.1 christos custom_ext_0_cli_add_cb, 1660 1.1 christos NULL, NULL, 1661 1.1 christos custom_ext_0_cli_parse_cb, NULL) 1662 1.1 christos || !SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_1, 1663 1.1 christos custom_ext_1_cli_add_cb, 1664 1.1 christos NULL, NULL, 1665 1.1 christos custom_ext_1_cli_parse_cb, NULL) 1666 1.1 christos || !SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_2, 1667 1.1 christos custom_ext_2_cli_add_cb, 1668 1.1 christos NULL, NULL, 1669 1.1 christos custom_ext_2_cli_parse_cb, NULL) 1670 1.1 christos || !SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_3, 1671 1.1 christos custom_ext_3_cli_add_cb, 1672 1.1 christos NULL, NULL, 1673 1.1 christos custom_ext_3_cli_parse_cb, NULL) 1674 1.1 christos || !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_0, 1675 1.1 christos custom_ext_0_srv_add_cb, 1676 1.1 christos NULL, NULL, 1677 1.1 christos custom_ext_0_srv_parse_cb, NULL) 1678 1.1 christos || !SSL_CTX_add_server_custom_ext(s_ctx2, CUSTOM_EXT_TYPE_0, 1679 1.1 christos custom_ext_0_srv_add_cb, 1680 1.1 christos NULL, NULL, 1681 1.1 christos custom_ext_0_srv_parse_cb, NULL) 1682 1.1 christos || 
!SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_1, 1683 1.1 christos custom_ext_1_srv_add_cb, 1684 1.1 christos NULL, NULL, 1685 1.1 christos custom_ext_1_srv_parse_cb, NULL) 1686 1.1 christos || !SSL_CTX_add_server_custom_ext(s_ctx2, CUSTOM_EXT_TYPE_1, 1687 1.1 christos custom_ext_1_srv_add_cb, 1688 1.1 christos NULL, NULL, 1689 1.1 christos custom_ext_1_srv_parse_cb, NULL) 1690 1.1 christos || !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_2, 1691 1.1 christos custom_ext_2_srv_add_cb, 1692 1.1 christos NULL, NULL, 1693 1.1 christos custom_ext_2_srv_parse_cb, NULL) 1694 1.1 christos || !SSL_CTX_add_server_custom_ext(s_ctx2, CUSTOM_EXT_TYPE_2, 1695 1.1 christos custom_ext_2_srv_add_cb, 1696 1.1 christos NULL, NULL, 1697 1.1 christos custom_ext_2_srv_parse_cb, NULL) 1698 1.1 christos || !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_3, 1699 1.1 christos custom_ext_3_srv_add_cb, 1700 1.1 christos NULL, NULL, 1701 1.1 christos custom_ext_3_srv_parse_cb, NULL) 1702 1.1 christos || !SSL_CTX_add_server_custom_ext(s_ctx2, CUSTOM_EXT_TYPE_3, 1703 1.1 christos custom_ext_3_srv_add_cb, 1704 1.1 christos NULL, NULL, 1705 1.1 christos custom_ext_3_srv_parse_cb, NULL)) { 1706 1.1 christos BIO_printf(bio_err, "Error setting custom extensions\n"); 1707 1.1 christos goto end; 1708 1.1 christos } 1709 1.1 christos } 1710 1.1 christos 1711 1.1 christos if (alpn_server) 1712 1.1 christos SSL_CTX_set_alpn_select_cb(s_ctx, cb_server_alpn, alpn_server); 1713 1.1 christos if (alpn_server2) 1714 1.1 christos SSL_CTX_set_alpn_select_cb(s_ctx2, cb_server_alpn, alpn_server2); 1715 1.1 christos 1716 1.1 christos if (alpn_client) { 1717 1.1 christos size_t alpn_len; 1718 1.1 christos unsigned char *alpn = next_protos_parse(&alpn_len, alpn_client); 1719 1.1 christos 1720 1.1 christos if (alpn == NULL) { 1721 1.1 christos BIO_printf(bio_err, "Error parsing -alpn_client argument\n"); 1722 1.1 christos goto end; 1723 1.1 christos } 1724 1.1 christos /* Returns 0 on success!! 
*/ 1725 1.1 christos if (SSL_CTX_set_alpn_protos(c_ctx, alpn, alpn_len)) { 1726 1.1 christos BIO_printf(bio_err, "Error setting ALPN\n"); 1727 1.1 christos OPENSSL_free(alpn); 1728 1.1 christos goto end; 1729 1.1 christos } 1730 1.1 christos OPENSSL_free(alpn); 1731 1.1 christos } 1732 1.1 christos 1733 1.1 christos if (server_sess_in != NULL) { 1734 1.1 christos server_sess = read_session(server_sess_in); 1735 1.1 christos if (server_sess == NULL) 1736 1.1 christos goto end; 1737 1.1 christos } 1738 1.1 christos if (client_sess_in != NULL) { 1739 1.1 christos client_sess = read_session(client_sess_in); 1740 1.1 christos if (client_sess == NULL) 1741 1.1 christos goto end; 1742 1.1 christos } 1743 1.1 christos 1744 1.1 christos if (server_sess_out != NULL || server_sess_in != NULL) { 1745 1.1 christos char *keys; 1746 1.1 christos long size; 1747 1.1 christos 1748 1.1 christos /* Use a fixed key so that we can decrypt the ticket. */ 1749 1.1 christos size = SSL_CTX_set_tlsext_ticket_keys(s_ctx, NULL, 0); 1750 1.1 christos keys = OPENSSL_zalloc(size); 1751 1.1 christos SSL_CTX_set_tlsext_ticket_keys(s_ctx, keys, size); 1752 1.1 christos OPENSSL_free(keys); 1753 1.1 christos } 1754 1.1 christos 1755 1.1 christos if (sn_server1 != NULL || sn_server2 != NULL) 1756 1.1 christos SSL_CTX_set_tlsext_servername_callback(s_ctx, servername_cb); 1757 1.1 christos 1758 1.1 christos c_ssl = SSL_new(c_ctx); 1759 1.1 christos s_ssl = SSL_new(s_ctx); 1760 1.1 christos 1761 1.1 christos if (sn_client) 1762 1.1 christos SSL_set_tlsext_host_name(c_ssl, sn_client); 1763 1.1 christos 1764 1.1 christos if (!set_protocol_version(server_min_proto, s_ssl, SSL_CTRL_SET_MIN_PROTO_VERSION)) 1765 1.1 christos goto end; 1766 1.1 christos if (!set_protocol_version(server_max_proto, s_ssl, SSL_CTRL_SET_MAX_PROTO_VERSION)) 1767 1.1 christos goto end; 1768 1.1 christos if (!set_protocol_version(client_min_proto, c_ssl, SSL_CTRL_SET_MIN_PROTO_VERSION)) 1769 1.1 christos goto end; 1770 1.1 christos if 
(!set_protocol_version(client_max_proto, c_ssl, SSL_CTRL_SET_MAX_PROTO_VERSION)) 1771 1.1 christos goto end; 1772 1.1 christos 1773 1.1 christos if (server_sess) { 1774 1.1 christos if (SSL_CTX_add_session(s_ctx, server_sess) == 0) { 1775 1.1 christos BIO_printf(bio_err, "Can't add server session\n"); 1776 1.1 christos ERR_print_errors(bio_err); 1777 1.1 christos goto end; 1778 1.1 christos } 1779 1.1 christos } 1780 1.1 christos 1781 1.1 christos BIO_printf(bio_stdout, "Doing handshakes=%d bytes=%ld\n", number, bytes); 1782 1.1 christos for (i = 0; i < number; i++) { 1783 1.1 christos if (!reuse) { 1784 1.1 christos if (!SSL_set_session(c_ssl, NULL)) { 1785 1.1 christos BIO_printf(bio_err, "Failed to set session\n"); 1786 1.1 christos goto end; 1787 1.1 christos } 1788 1.1 christos } 1789 1.1 christos if (client_sess_in != NULL) { 1790 1.1 christos if (SSL_set_session(c_ssl, client_sess) == 0) { 1791 1.1 christos BIO_printf(bio_err, "Can't set client session\n"); 1792 1.1 christos ERR_print_errors(bio_err); 1793 1.1 christos goto end; 1794 1.1 christos } 1795 1.1 christos } 1796 1.1 christos switch (bio_type) { 1797 1.1 christos case BIO_MEM: 1798 1.1 christos ret = doit(s_ssl, c_ssl, bytes); 1799 1.1 christos break; 1800 1.1 christos case BIO_PAIR: 1801 1.1 christos ret = doit_biopair(s_ssl, c_ssl, bytes, &s_time, &c_time); 1802 1.1 christos break; 1803 1.1 christos #ifndef OPENSSL_NO_SOCK 1804 1.1 christos case BIO_IPV4: 1805 1.1 christos ret = doit_localhost(s_ssl, c_ssl, BIO_FAMILY_IPV4, 1806 1.1 christos bytes, &s_time, &c_time); 1807 1.1 christos break; 1808 1.1 christos case BIO_IPV6: 1809 1.1 christos ret = doit_localhost(s_ssl, c_ssl, BIO_FAMILY_IPV6, 1810 1.1 christos bytes, &s_time, &c_time); 1811 1.1 christos break; 1812 1.1 christos #else 1813 1.1 christos case BIO_IPV4: 1814 1.1 christos case BIO_IPV6: 1815 1.1 christos ret = EXIT_FAILURE; 1816 1.1 christos goto err; 1817 1.1 christos #endif 1818 1.1 christos } 1819 1.1 christos if (ret != 
EXIT_SUCCESS) break; 1820 1.1 christos } 1821 1.1 christos 1822 1.1 christos if (should_negotiate && ret == EXIT_SUCCESS && 1823 1.1 christos strcmp(should_negotiate, "fail-server") != 0 && 1824 1.1 christos strcmp(should_negotiate, "fail-client") != 0) { 1825 1.1 christos int version = protocol_from_string(should_negotiate); 1826 1.1 christos if (version < 0) { 1827 1.1 christos BIO_printf(bio_err, "Error parsing: %s\n", should_negotiate); 1828 1.1 christos ret = EXIT_FAILURE; 1829 1.1 christos goto err; 1830 1.1 christos } 1831 1.1 christos if (SSL_version(c_ssl) != version) { 1832 1.1 christos BIO_printf(bio_err, "Unexpected version negotiated. " 1833 1.1 christos "Expected: %s, got %s\n", should_negotiate, SSL_get_version(c_ssl)); 1834 1.1 christos ret = EXIT_FAILURE; 1835 1.1 christos goto err; 1836 1.1 christos } 1837 1.1 christos } 1838 1.1 christos 1839 1.1 christos if (should_reuse != -1) { 1840 1.1 christos if (SSL_session_reused(s_ssl) != should_reuse || 1841 1.1 christos SSL_session_reused(c_ssl) != should_reuse) { 1842 1.1 christos BIO_printf(bio_err, "Unexpected session reuse state. 
" 1843 1.1 christos "Expected: %d, server: %d, client: %d\n", should_reuse, 1844 1.1 christos SSL_session_reused(s_ssl), SSL_session_reused(c_ssl)); 1845 1.1 christos ret = EXIT_FAILURE; 1846 1.1 christos goto err; 1847 1.1 christos } 1848 1.1 christos } 1849 1.1 christos 1850 1.1 christos if (server_sess_out != NULL) { 1851 1.1 christos if (write_session(server_sess_out, SSL_get_session(s_ssl)) == 0) { 1852 1.1 christos ret = EXIT_FAILURE; 1853 1.1 christos goto err; 1854 1.1 christos } 1855 1.1 christos } 1856 1.1 christos if (client_sess_out != NULL) { 1857 1.1 christos if (write_session(client_sess_out, SSL_get_session(c_ssl)) == 0) { 1858 1.1 christos ret = EXIT_FAILURE; 1859 1.1 christos goto err; 1860 1.1 christos } 1861 1.1 christos } 1862 1.1 christos 1863 1.1 christos if (!verbose) { 1864 1.1 christos print_details(c_ssl, ""); 1865 1.1 christos } 1866 1.1 christos if (print_time) { 1867 1.1 christos #ifdef CLOCKS_PER_SEC 1868 1.1 christos /* 1869 1.1 christos * "To determine the time in seconds, the value returned by the clock 1870 1.1 christos * function should be divided by the value of the macro 1871 1.1 christos * CLOCKS_PER_SEC." 
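-- ISO/IEC 9899
             */
            BIO_printf(bio_stdout, "Approximate total server time: %6.2f s\n"
                       "Approximate total client time: %6.2f s\n",
                       (double)s_time / CLOCKS_PER_SEC,
                       (double)c_time / CLOCKS_PER_SEC);
#else
            BIO_printf(bio_stdout,
                       "Approximate total server time: %6.2f units\n"
                       "Approximate total client time: %6.2f units\n",
                       (double)s_time, (double)c_time);
#endif
        }

 err:
        SSL_free(s_ssl);
        SSL_free(c_ssl);

 end:
        SSL_CTX_free(s_ctx);
        SSL_CTX_free(s_ctx2);
        SSL_CTX_free(c_ctx);
        SSL_CONF_CTX_free(s_cctx);
        SSL_CONF_CTX_free(s_cctx2);
        SSL_CONF_CTX_free(c_cctx);
        sk_OPENSSL_STRING_free(conf_args);

        BIO_free(bio_stdout);

        SSL_SESSION_free(server_sess);
        SSL_SESSION_free(client_sess);

#ifndef OPENSSL_NO_CRYPTO_MDEBUG
        if (CRYPTO_mem_leaks(bio_err) <= 0)
            ret = EXIT_FAILURE;
#endif
        BIO_free(bio_err);
        EXIT(ret);
}

#ifndef OPENSSL_NO_SOCK
/*
 * Drive one handshake plus data exchange between s_ssl (server) and c_ssl
 * (client) over a real loopback TCP connection.
 *
 * family:   BIO_FAMILY_IPV4 or BIO_FAMILY_IPV6; selects the loopback address
 *           the accept BIO binds to.
 * count:    number of bytes each side writes to, and expects to read from,
 *           its peer.
 * s_time,
 * c_time:   accumulated clock() ticks spent in the server and client halves
 *           of the I/O loop; incremented, never reset.
 *
 * The listening socket binds to port 0 so the OS chooses a free port, which
 * is then read back with BIO_get_accept_port() for the client to connect to.
 * Every BIO is non-blocking and both endpoints are driven from a single
 * loop, so each iteration simply retries every pending operation.
 *
 * Returns EXIT_SUCCESS or EXIT_FAILURE.  If the global should_negotiate is
 * "fail-client" or "fail-server", the result is instead EXIT_SUCCESS exactly
 * when the named side hit a non-retryable I/O error.
 */
int doit_localhost(SSL *s_ssl, SSL *c_ssl, int family, long count,
                   clock_t *s_time, clock_t *c_time)
{
    long cw_num = count, cr_num = count, sw_num = count, sr_num = count;
    BIO *s_ssl_bio = NULL, *c_ssl_bio = NULL;
    BIO *acpt = NULL, *server = NULL, *client = NULL;
    char addr_str[40];
    int ret = EXIT_FAILURE;
    int err_in_client = 0;
    int err_in_server = 0;

    /* Port 0: let the kernel pick a free port on the loopback address. */
    acpt = BIO_new_accept(family == BIO_FAMILY_IPV4 ? "127.0.0.1:0"
                                                    : "[::1]:0");
    if (acpt == NULL)
        goto err;
    BIO_set_accept_ip_family(acpt, family);
    BIO_set_bind_mode(acpt, BIO_SOCK_NONBLOCK | BIO_SOCK_REUSEADDR);
    /* The first BIO_do_accept() only creates and binds the listening socket. */
    if (BIO_do_accept(acpt) <= 0)
        goto err;

    BIO_snprintf(addr_str, sizeof(addr_str), ":%s", BIO_get_accept_port(acpt));

    client = BIO_new_connect(addr_str);
    /* Check the allocation before configuring the BIO, not after. */
    if (client == NULL)
        goto err;
    BIO_set_conn_ip_family(client, family);

    if (BIO_set_nbio(client, 1) <= 0)
        goto err;
    if (BIO_set_nbio(acpt, 1) <= 0)
        goto err;

    {
        int st_connect = 0, st_accept = 0;

        /*
         * Both sockets are non-blocking, so interleave connect and accept
         * until each has completed; only a non-retryable failure aborts.
         */
        while (!st_connect || !st_accept) {
            if (!st_connect) {
                if (BIO_do_connect(client) <= 0) {
                    if (!BIO_should_retry(client))
                        goto err;
                } else {
                    st_connect = 1;
                }
            }
            if (!st_accept) {
                if (BIO_do_accept(acpt) <= 0) {
                    if (!BIO_should_retry(acpt))
                        goto err;
                } else {
                    st_accept = 1;
                }
            }
        }
    }
    /* We're not interested in accepting further connects */
    server = BIO_pop(acpt);
    BIO_free_all(acpt);
    acpt = NULL;

    s_ssl_bio = BIO_new(BIO_f_ssl());
    if (!s_ssl_bio)
        goto err;

    c_ssl_bio = BIO_new(BIO_f_ssl());
    if (!c_ssl_bio)
        goto err;

    /*
     * Hand the sockets to the SSL objects.  NOTE(review): SSL_set_bio()
     * adopts the BIO; the BIO_free() calls at err: below rely on the
     * library's reference handling for rbio == wbio -- confirm against the
     * linked OpenSSL version.
     */
    SSL_set_connect_state(c_ssl);
    SSL_set_bio(c_ssl, client, client);
    (void)BIO_set_ssl(c_ssl_bio, c_ssl, BIO_NOCLOSE);

    SSL_set_accept_state(s_ssl);
    SSL_set_bio(s_ssl, server, server);
    (void)BIO_set_ssl(s_ssl_bio, s_ssl, BIO_NOCLOSE);

    do {
        /*-
         * c_ssl_bio: SSL filter BIO
         *
         * client: I/O for SSL library
         *
         *
         * server: I/O for SSL library
         *
         * s_ssl_bio: SSL filter BIO
         */

        /*
         * We have non-blocking behaviour throughout this test program, but
         * can be sure that there is *some* progress in each iteration; so we
         * don't have to worry about ..._SHOULD_READ or ..._SHOULD_WRITE --
         * we just try everything in each iteration
         */

        {
            /* CLIENT */

            char cbuf[1024 * 8];
            int i, r;
            clock_t c_clock = clock();

            memset(cbuf, 0, sizeof(cbuf));

            if (debug)
                if (SSL_in_init(c_ssl))
                    printf("client waiting in SSL_connect - %s\n",
                           SSL_state_string_long(c_ssl));

            if (cw_num > 0) {
                /* Write to server. */

                /* Never hand BIO_write more than one buffer per iteration. */
                if (cw_num > (long)sizeof(cbuf))
                    i = sizeof(cbuf);
                else
                    i = (int)cw_num;
                r = BIO_write(c_ssl_bio, cbuf, i);
                if (r < 0) {
                    if (!BIO_should_retry(c_ssl_bio)) {
                        fprintf(stderr, "ERROR in CLIENT\n");
                        err_in_client = 1;
                        goto err;
                    }
                    /*
                     * BIO_should_retry(...) can just be ignored here. The
                     * library expects us to call BIO_write with the same
                     * arguments again, and that's what we will do in the
                     * next iteration.
                     */
                } else if (r == 0) {
                    fprintf(stderr, "SSL CLIENT STARTUP FAILED\n");
                    goto err;
                } else {
                    if (debug)
                        printf("client wrote %d\n", r);
                    cw_num -= r;
                }
            }

            if (cr_num > 0) {
                /* Read from server. */

                r = BIO_read(c_ssl_bio, cbuf, sizeof(cbuf));
                if (r < 0) {
                    if (!BIO_should_retry(c_ssl_bio)) {
                        fprintf(stderr, "ERROR in CLIENT\n");
                        err_in_client = 1;
                        goto err;
                    }
                    /*
                     * Again, "BIO_should_retry" can be ignored.
                     */
                } else if (r == 0) {
                    fprintf(stderr, "SSL CLIENT STARTUP FAILED\n");
                    goto err;
                } else {
                    if (debug)
                        printf("client read %d\n", r);
                    cr_num -= r;
                }
            }

            /*
             * c_time and s_time increments will typically be very small
             * (depending on machine speed and clock tick intervals), but
             * sampling over a large number of connections should result in
             * fairly accurate figures. We cannot guarantee a lot, however
             * -- if each connection lasts for exactly one clock tick, it
             * will be counted only for the client or only for the server or
             * even not at all.
             */
            *c_time += (clock() - c_clock);
        }

        {
            /* SERVER */

            char sbuf[1024 * 8];
            int i, r;
            clock_t s_clock = clock();

            memset(sbuf, 0, sizeof(sbuf));

            if (debug)
                if (SSL_in_init(s_ssl))
                    printf("server waiting in SSL_accept - %s\n",
                           SSL_state_string_long(s_ssl));

            if (sw_num > 0) {
                /* Write to client. */

                if (sw_num > (long)sizeof(sbuf))
                    i = sizeof(sbuf);
                else
                    i = (int)sw_num;
                r = BIO_write(s_ssl_bio, sbuf, i);
                if (r < 0) {
                    if (!BIO_should_retry(s_ssl_bio)) {
                        fprintf(stderr, "ERROR in SERVER\n");
                        err_in_server = 1;
                        goto err;
                    }
                    /* Ignore "BIO_should_retry". */
                } else if (r == 0) {
                    fprintf(stderr, "SSL SERVER STARTUP FAILED\n");
                    goto err;
                } else {
                    if (debug)
                        printf("server wrote %d\n", r);
                    sw_num -= r;
                }
            }

            if (sr_num > 0) {
                /* Read from client. */

                r = BIO_read(s_ssl_bio, sbuf, sizeof(sbuf));
                if (r < 0) {
                    if (!BIO_should_retry(s_ssl_bio)) {
                        fprintf(stderr, "ERROR in SERVER\n");
                        err_in_server = 1;
                        goto err;
                    }
                    /* Retry is implicit: the next iteration reads again. */
                } else if (r == 0) {
                    fprintf(stderr, "SSL SERVER STARTUP FAILED\n");
                    goto err;
                } else {
                    if (debug)
                        printf("server read %d\n", r);
                    sr_num -= r;
                }
            }

            *s_time += (clock() - s_clock);
        }
    }
    while (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0);

    if (verbose)
        print_details(c_ssl, "DONE via TCP connect: ");
# ifndef OPENSSL_NO_NEXTPROTONEG
    /*
     * NOTE(review): a verify_npn() failure jumps to end:, which still sets
     * ret = EXIT_SUCCESS and skips the remaining verifications; confirm this
     * is intended rather than goto err.
     */
    if (verify_npn(c_ssl, s_ssl) < 0)
        goto end;
# endif
    if (verify_serverinfo() < 0) {
        fprintf(stderr, "Server info verify error\n");
        goto err;
    }
    if (verify_alpn(c_ssl, s_ssl) < 0
        || verify_servername(c_ssl, s_ssl) < 0)
        goto err;

    if (custom_ext_error) {
        fprintf(stderr, "Custom extension error\n");
        goto err;
    }

# ifndef OPENSSL_NO_NEXTPROTONEG
 end:
# endif
    ret = EXIT_SUCCESS;

 err:
    /* Runs on the success path too: flush anything left on the error queue. */
    ERR_print_errors(bio_err);

    BIO_free_all(acpt);
    BIO_free(server);
    BIO_free(client);
    BIO_free(s_ssl_bio);
    BIO_free(c_ssl_bio);

    /*
     * Expected-failure modes: the test passes only if the named side
     * reported a non-retryable error.
     */
    if (should_negotiate != NULL && strcmp(should_negotiate, "fail-client") == 0)
        ret = (err_in_client != 0) ? EXIT_SUCCESS : EXIT_FAILURE;
    else if (should_negotiate != NULL && strcmp(should_negotiate, "fail-server") == 0)
        ret = (err_in_server != 0) ? EXIT_SUCCESS : EXIT_FAILURE;

    return ret;
}
#endif

int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count,
                 clock_t *s_time, clock_t *c_time)
{
    long cw_num = count, cr_num = count, sw_num = count, sr_num = count;
    BIO *s_ssl_bio = NULL, *c_ssl_bio = NULL;
    BIO *server = NULL, *server_io = NULL, *client = NULL, *client_io = NULL;
    int ret = EXIT_FAILURE;
    int err_in_client = 0;
    int err_in_server = 0;

    size_t bufsiz = 256; /* small buffer for testing */

    if (!BIO_new_bio_pair(&server, bufsiz, &server_io, bufsiz))
        goto err;
    if (!BIO_new_bio_pair(&client, bufsiz, &client_io, bufsiz))
        goto err;

    s_ssl_bio = BIO_new(BIO_f_ssl());
    if (!s_ssl_bio)
        goto err;

    c_ssl_bio = BIO_new(BIO_f_ssl());
    if (!c_ssl_bio)
        goto err;

    SSL_set_connect_state(c_ssl);
    SSL_set_bio(c_ssl, client, client);
    (void)BIO_set_ssl(c_ssl_bio, c_ssl, BIO_NOCLOSE);

    SSL_set_accept_state(s_ssl);
    SSL_set_bio(s_ssl, server, server);
    (void)BIO_set_ssl(s_ssl_bio, s_ssl, BIO_NOCLOSE);

    do {
        /*-
         * c_ssl_bio: SSL filter BIO
         *
         * client: pseudo-I/O for SSL library
         *
         * client_io: client's SSL communication; usually to be
         * relayed over some I/O facility, but in this
         * test program, we're the server,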
too: 2234 1.1 christos * 2235 1.1 christos * server_io: server's SSL communication 2236 1.1 christos * 2237 1.1 christos * server: pseudo-I/O for SSL library 2238 1.1 christos * 2239 1.1 christos * s_ssl_bio: SSL filter BIO 2240 1.1 christos * 2241 1.1 christos * The client and the server each employ a "BIO pair": 2242 1.1 christos * client + client_io, server + server_io. 2243 1.1 christos * BIO pairs are symmetric. A BIO pair behaves similar 2244 1.1 christos * to a non-blocking socketpair (but both endpoints must 2245 1.1 christos * be handled by the same thread). 2246 1.1 christos * [Here we could connect client and server to the ends 2247 1.1 christos * of a single BIO pair, but then this code would be less 2248 1.1 christos * suitable as an example for BIO pairs in general.] 2249 1.1 christos * 2250 1.1 christos * Useful functions for querying the state of BIO pair endpoints: 2251 1.1 christos * 2252 1.1 christos * BIO_ctrl_pending(bio) number of bytes we can read now 2253 1.1 christos * BIO_ctrl_get_read_request(bio) number of bytes needed to fulfill 2254 1.1 christos * other side's read attempt 2255 1.1 christos * BIO_ctrl_get_write_guarantee(bio) number of bytes we can write now 2256 1.1 christos * 2257 1.1 christos * ..._read_request is never more than ..._write_guarantee; 2258 1.1 christos * it depends on the application which one you should use. 
2259 1.1 christos */ 2260 1.1 christos 2261 1.1 christos /* 2262 1.1 christos * We have non-blocking behaviour throughout this test program, but 2263 1.1 christos * can be sure that there is *some* progress in each iteration; so we 2264 1.1 christos * don't have to worry about ..._SHOULD_READ or ..._SHOULD_WRITE -- 2265 1.1 christos * we just try everything in each iteration 2266 1.1 christos */ 2267 1.1 christos 2268 1.1 christos { 2269 1.1 christos /* CLIENT */ 2270 1.1 christos 2271 1.1 christos char cbuf[1024 * 8]; 2272 1.1 christos int i, r; 2273 1.1 christos clock_t c_clock = clock(); 2274 1.1 christos 2275 1.1 christos memset(cbuf, 0, sizeof(cbuf)); 2276 1.1 christos 2277 1.1 christos if (debug) 2278 1.1 christos if (SSL_in_init(c_ssl)) 2279 1.1 christos printf("client waiting in SSL_connect - %s\n", 2280 1.1 christos SSL_state_string_long(c_ssl)); 2281 1.1 christos 2282 1.1 christos if (cw_num > 0) { 2283 1.1 christos /* Write to server. */ 2284 1.1 christos 2285 1.1 christos if (cw_num > (long)sizeof(cbuf)) 2286 1.1 christos i = sizeof(cbuf); 2287 1.1 christos else 2288 1.1 christos i = (int)cw_num; 2289 1.1 christos r = BIO_write(c_ssl_bio, cbuf, i); 2290 1.1 christos if (r < 0) { 2291 1.1 christos if (!BIO_should_retry(c_ssl_bio)) { 2292 1.1 christos fprintf(stderr, "ERROR in CLIENT\n"); 2293 1.1 christos err_in_client = 1; 2294 1.1 christos goto err; 2295 1.1 christos } 2296 1.1 christos /* 2297 1.1 christos * BIO_should_retry(...) can just be ignored here. The 2298 1.1 christos * library expects us to call BIO_write with the same 2299 1.1 christos * arguments again, and that's what we will do in the 2300 1.1 christos * next iteration. 
2301 1.1 christos */ 2302 1.1 christos } else if (r == 0) { 2303 1.1 christos fprintf(stderr, "SSL CLIENT STARTUP FAILED\n"); 2304 1.1 christos goto err; 2305 1.1 christos } else { 2306 1.1 christos if (debug) 2307 1.1 christos printf("client wrote %d\n", r); 2308 1.1 christos cw_num -= r; 2309 1.1 christos } 2310 1.1 christos } 2311 1.1 christos 2312 1.1 christos if (cr_num > 0) { 2313 1.1 christos /* Read from server. */ 2314 1.1 christos 2315 1.1 christos r = BIO_read(c_ssl_bio, cbuf, sizeof(cbuf)); 2316 1.1 christos if (r < 0) { 2317 1.1 christos if (!BIO_should_retry(c_ssl_bio)) { 2318 1.1 christos fprintf(stderr, "ERROR in CLIENT\n"); 2319 1.1 christos err_in_client = 1; 2320 1.1 christos goto err; 2321 1.1 christos } 2322 1.1 christos /* 2323 1.1 christos * Again, "BIO_should_retry" can be ignored. 2324 1.1 christos */ 2325 1.1 christos } else if (r == 0) { 2326 1.1 christos fprintf(stderr, "SSL CLIENT STARTUP FAILED\n"); 2327 1.1 christos goto err; 2328 1.1 christos } else { 2329 1.1 christos if (debug) 2330 1.1 christos printf("client read %d\n", r); 2331 1.1 christos cr_num -= r; 2332 1.1 christos } 2333 1.1 christos } 2334 1.1 christos 2335 1.1 christos /* 2336 1.1 christos * c_time and s_time increments will typically be very small 2337 1.1 christos * (depending on machine speed and clock tick intervals), but 2338 1.1 christos * sampling over a large number of connections should result in 2339 1.1 christos * fairly accurate figures. We cannot guarantee a lot, however 2340 1.1 christos * -- if each connection lasts for exactly one clock tick, it 2341 1.1 christos * will be counted only for the client or only for the server or 2342 1.1 christos * even not at all. 
2343 1.1 christos */ 2344 1.1 christos *c_time += (clock() - c_clock); 2345 1.1 christos } 2346 1.1 christos 2347 1.1 christos { 2348 1.1 christos /* SERVER */ 2349 1.1 christos 2350 1.1 christos char sbuf[1024 * 8]; 2351 1.1 christos int i, r; 2352 1.1 christos clock_t s_clock = clock(); 2353 1.1 christos 2354 1.1 christos memset(sbuf, 0, sizeof(sbuf)); 2355 1.1 christos 2356 1.1 christos if (debug) 2357 1.1 christos if (SSL_in_init(s_ssl)) 2358 1.1 christos printf("server waiting in SSL_accept - %s\n", 2359 1.1 christos SSL_state_string_long(s_ssl)); 2360 1.1 christos 2361 1.1 christos if (sw_num > 0) { 2362 1.1 christos /* Write to client. */ 2363 1.1 christos 2364 1.1 christos if (sw_num > (long)sizeof(sbuf)) 2365 1.1 christos i = sizeof(sbuf); 2366 1.1 christos else 2367 1.1 christos i = (int)sw_num; 2368 1.1 christos r = BIO_write(s_ssl_bio, sbuf, i); 2369 1.1 christos if (r < 0) { 2370 1.1 christos if (!BIO_should_retry(s_ssl_bio)) { 2371 1.1 christos fprintf(stderr, "ERROR in SERVER\n"); 2372 1.1 christos err_in_server = 1; 2373 1.1 christos goto err; 2374 1.1 christos } 2375 1.1 christos /* Ignore "BIO_should_retry". */ 2376 1.1 christos } else if (r == 0) { 2377 1.1 christos fprintf(stderr, "SSL SERVER STARTUP FAILED\n"); 2378 1.1 christos goto err; 2379 1.1 christos } else { 2380 1.1 christos if (debug) 2381 1.1 christos printf("server wrote %d\n", r); 2382 1.1 christos sw_num -= r; 2383 1.1 christos } 2384 1.1 christos } 2385 1.1 christos 2386 1.1 christos if (sr_num > 0) { 2387 1.1 christos /* Read from client. 
*/ 2388 1.1 christos 2389 1.1 christos r = BIO_read(s_ssl_bio, sbuf, sizeof(sbuf)); 2390 1.1 christos if (r < 0) { 2391 1.1 christos if (!BIO_should_retry(s_ssl_bio)) { 2392 1.1 christos fprintf(stderr, "ERROR in SERVER\n"); 2393 1.1 christos err_in_server = 1; 2394 1.1 christos goto err; 2395 1.1 christos } 2396 1.1 christos /* blah, blah */ 2397 1.1 christos } else if (r == 0) { 2398 1.1 christos fprintf(stderr, "SSL SERVER STARTUP FAILED\n"); 2399 1.1 christos goto err; 2400 1.1 christos } else { 2401 1.1 christos if (debug) 2402 1.1 christos printf("server read %d\n", r); 2403 1.1 christos sr_num -= r; 2404 1.1 christos } 2405 1.1 christos } 2406 1.1 christos 2407 1.1 christos *s_time += (clock() - s_clock); 2408 1.1 christos } 2409 1.1 christos 2410 1.1 christos { 2411 1.1 christos /* "I/O" BETWEEN CLIENT AND SERVER. */ 2412 1.1 christos 2413 1.1 christos size_t r1, r2; 2414 1.1 christos BIO *io1 = server_io, *io2 = client_io; 2415 1.1 christos /* 2416 1.1 christos * we use the non-copying interface for io1 and the standard 2417 1.1 christos * BIO_write/BIO_read interface for io2 2418 1.1 christos */ 2419 1.1 christos 2420 1.1 christos static int prev_progress = 1; 2421 1.1 christos int progress = 0; 2422 1.1 christos 2423 1.1 christos /* io1 to io2 */ 2424 1.1 christos do { 2425 1.1 christos size_t num; 2426 1.1 christos int r; 2427 1.1 christos 2428 1.1 christos r1 = BIO_ctrl_pending(io1); 2429 1.1 christos r2 = BIO_ctrl_get_write_guarantee(io2); 2430 1.1 christos 2431 1.1 christos num = r1; 2432 1.1 christos if (r2 < num) 2433 1.1 christos num = r2; 2434 1.1 christos if (num) { 2435 1.1 christos char *dataptr; 2436 1.1 christos 2437 1.1 christos if (INT_MAX < num) /* yeah, right */ 2438 1.1 christos num = INT_MAX; 2439 1.1 christos 2440 1.1 christos r = BIO_nread(io1, &dataptr, (int)num); 2441 1.1 christos assert(r > 0); 2442 1.1 christos assert(r <= (int)num); 2443 1.1 christos /* 2444 1.1 christos * possibly r < num (non-contiguous data) 2445 1.1 christos 
*/ 2446 1.1 christos num = r; 2447 1.1 christos r = BIO_write(io2, dataptr, (int)num); 2448 1.1 christos if (r != (int)num) { /* can't happen */ 2449 1.1 christos fprintf(stderr, "ERROR: BIO_write could not write " 2450 1.1 christos "BIO_ctrl_get_write_guarantee() bytes"); 2451 1.1 christos goto err; 2452 1.1 christos } 2453 1.1 christos progress = 1; 2454 1.1 christos 2455 1.1 christos if (debug) 2456 1.1 christos printf((io1 == client_io) ? 2457 1.1 christos "C->S relaying: %d bytes\n" : 2458 1.1 christos "S->C relaying: %d bytes\n", (int)num); 2459 1.1 christos } 2460 1.1 christos } 2461 1.1 christos while (r1 && r2); 2462 1.1 christos 2463 1.1 christos /* io2 to io1 */ 2464 1.1 christos { 2465 1.1 christos size_t num; 2466 1.1 christos int r; 2467 1.1 christos 2468 1.1 christos r1 = BIO_ctrl_pending(io2); 2469 1.1 christos r2 = BIO_ctrl_get_read_request(io1); 2470 1.1 christos /* 2471 1.1 christos * here we could use ..._get_write_guarantee instead of 2472 1.1 christos * ..._get_read_request, but by using the latter we test 2473 1.1 christos * restartability of the SSL implementation more thoroughly 2474 1.1 christos */ 2475 1.1 christos num = r1; 2476 1.1 christos if (r2 < num) 2477 1.1 christos num = r2; 2478 1.1 christos if (num) { 2479 1.1 christos char *dataptr; 2480 1.1 christos 2481 1.1 christos if (INT_MAX < num) 2482 1.1 christos num = INT_MAX; 2483 1.1 christos 2484 1.1 christos if (num > 1) 2485 1.1 christos --num; /* test restartability even more thoroughly */ 2486 1.1 christos 2487 1.1 christos r = BIO_nwrite0(io1, &dataptr); 2488 1.1 christos assert(r > 0); 2489 1.1 christos if (r < (int)num) 2490 1.1 christos num = r; 2491 1.1 christos r = BIO_read(io2, dataptr, (int)num); 2492 1.1 christos if (r != (int)num) { /* can't happen */ 2493 1.1 christos fprintf(stderr, "ERROR: BIO_read could not read " 2494 1.1 christos "BIO_ctrl_pending() bytes"); 2495 1.1 christos goto err; 2496 1.1 christos } 2497 1.1 christos progress = 1; 2498 1.1 christos r = 
BIO_nwrite(io1, &dataptr, (int)num); 2499 1.1 christos if (r != (int)num) { /* can't happen */ 2500 1.1 christos fprintf(stderr, "ERROR: BIO_nwrite() did not accept " 2501 1.1 christos "BIO_nwrite0() bytes"); 2502 1.1 christos goto err; 2503 1.1 christos } 2504 1.1 christos 2505 1.1 christos if (debug) 2506 1.1 christos printf((io2 == client_io) ? 2507 1.1 christos "C->S relaying: %d bytes\n" : 2508 1.1 christos "S->C relaying: %d bytes\n", (int)num); 2509 1.1 christos } 2510 1.1 christos } /* no loop, BIO_ctrl_get_read_request now 2511 1.1 christos * returns 0 anyway */ 2512 1.1 christos 2513 1.1 christos if (!progress && !prev_progress) 2514 1.1 christos if (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0) { 2515 1.1 christos fprintf(stderr, "ERROR: got stuck\n"); 2516 1.1 christos fprintf(stderr, " ERROR.\n"); 2517 1.1 christos goto err; 2518 1.1 christos } 2519 1.1 christos prev_progress = progress; 2520 1.1 christos } 2521 1.1 christos } 2522 1.1 christos while (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0); 2523 1.1 christos 2524 1.1 christos if (verbose) 2525 1.1 christos print_details(c_ssl, "DONE via BIO pair: "); 2526 1.1 christos #ifndef OPENSSL_NO_NEXTPROTONEG 2527 1.1 christos if (verify_npn(c_ssl, s_ssl) < 0) 2528 1.1 christos goto end; 2529 1.1 christos #endif 2530 1.1 christos if (verify_serverinfo() < 0) { 2531 1.1 christos fprintf(stderr, "Server info verify error\n"); 2532 1.1 christos goto err; 2533 1.1 christos } 2534 1.1 christos if (verify_alpn(c_ssl, s_ssl) < 0 2535 1.1 christos || verify_servername(c_ssl, s_ssl) < 0) 2536 1.1 christos goto err; 2537 1.1 christos 2538 1.1 christos if (custom_ext_error) { 2539 1.1 christos fprintf(stderr, "Custom extension error\n"); 2540 1.1 christos goto err; 2541 1.1 christos } 2542 1.1 christos 2543 1.1 christos #ifndef OPENSSL_NO_NEXTPROTONEG 2544 1.1 christos end: 2545 1.1 christos #endif 2546 1.1 christos ret = EXIT_SUCCESS; 2547 1.1 christos 2548 1.1 christos err: 2549 1.1 christos 
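/* Common exit path of doit_biopair(): print any queued library errors,
 * release the BIOs and apply the "fail-client"/"fail-server" expectation
 * (a run where the expected side failed counts as success). */
    ERR_print_errors(bio_err);

    BIO_free(server);
    BIO_free(server_io);
    BIO_free(client);
    BIO_free(client_io);
    BIO_free(s_ssl_bio);
    BIO_free(c_ssl_bio);

    if (should_negotiate != NULL && strcmp(should_negotiate, "fail-client") == 0)
        ret = (err_in_client != 0) ? EXIT_SUCCESS : EXIT_FAILURE;
    else if (should_negotiate != NULL && strcmp(should_negotiate, "fail-server") == 0)
        ret = (err_in_server != 0) ? EXIT_SUCCESS : EXIT_FAILURE;

    return ret;
}

/* Readiness / completion flags used by doit(). W_READ and W_WRITE are not
 * referenced in this part of the file; they are kept for compatibility. */
#define W_READ 1
#define W_WRITE 2
#define C_DONE 1
#define S_DONE 2

/*
 * Drive a handshake plus |count| bytes of application data in each direction
 * between |c_ssl| (client) and |s_ssl| (server).
 *
 * The transport is a pair of memory BIOs (c_to_s, s_to_c) shared by both SSL
 * objects; the application-facing ends are SSL filter BIOs (c_bio, s_bio).
 * Both sides are driven from this single thread: the c_r/c_w and s_r/s_w
 * flags record what each side reported it is waiting for, and c_write /
 * s_write record whose turn it is to send.
 *
 * Returns EXIT_SUCCESS when the transfer and the post-handshake checks (NPN,
 * serverinfo, custom extensions) succeed, EXIT_FAILURE otherwise.  When the
 * global |should_negotiate| is "fail-client" or "fail-server" the result is
 * inverted: the run succeeds only if that side reported an error.
 *
 * Note: a |count| <= 0 makes bufsiz <= 0 and the allocation below fail, so
 * the function returns EXIT_FAILURE rather than doing an empty transfer.
 */
int doit(SSL *s_ssl, SSL *c_ssl, long count)
{
    char *cbuf = NULL, *sbuf = NULL;
    long bufsiz;
    long cw_num = count, cr_num = count;
    long sw_num = count, sr_num = count;
    int ret = EXIT_FAILURE;
    BIO *c_to_s = NULL;
    BIO *s_to_c = NULL;
    BIO *c_bio = NULL;
    BIO *s_bio = NULL;
    int c_r, c_w, s_r, s_w;
    int i, j;
    int done = 0;
    int c_write, s_write;
    int do_server = 0, do_client = 0;
    int max_frag = 5 * 1024;
    int err_in_client = 0;
    int err_in_server = 0;

    /* Never stage more than 40 KiB at a time, whatever |count| is. */
    bufsiz = count > 40 * 1024 ? 40 * 1024 : count;

    /* Zero-filled payload; the test only cares about byte counts. */
    if ((cbuf = OPENSSL_zalloc(bufsiz)) == NULL)
        goto err;
    if ((sbuf = OPENSSL_zalloc(bufsiz)) == NULL)
        goto err;

    c_to_s = BIO_new(BIO_s_mem());
    s_to_c = BIO_new(BIO_s_mem());
    if ((s_to_c == NULL) || (c_to_s == NULL)) {
        ERR_print_errors(bio_err);
        goto err;
    }

    c_bio = BIO_new(BIO_f_ssl());
    s_bio = BIO_new(BIO_f_ssl());
    if ((c_bio == NULL) || (s_bio == NULL)) {
        ERR_print_errors(bio_err);
        goto err;
    }

    SSL_set_connect_state(c_ssl);
    SSL_set_bio(c_ssl, s_to_c, c_to_s);
    SSL_set_max_send_fragment(c_ssl, max_frag);
    /* BIO_NOCLOSE: freeing c_bio must not free c_ssl, which the caller owns. */
    BIO_set_ssl(c_bio, c_ssl, BIO_NOCLOSE);

    /*
     * We've just given our ref to these BIOs to c_ssl. We need another one to
     * give to s_ssl
     */
    if (!BIO_up_ref(c_to_s)) {
        /* c_to_s and s_to_c will get freed when we free c_ssl */
        c_to_s = NULL;
        s_to_c = NULL;
        goto err;
    }
    if (!BIO_up_ref(s_to_c)) {
        /* s_to_c will get freed when we free c_ssl */
        s_to_c = NULL;
        goto err;
    }

    SSL_set_accept_state(s_ssl);
    SSL_set_bio(s_ssl, c_to_s, s_to_c);

    /* We've used up all our refs to these now */
    c_to_s = NULL;
    s_to_c = NULL;

    SSL_set_max_send_fragment(s_ssl, max_frag);
    BIO_set_ssl(s_bio, s_ssl, BIO_NOCLOSE);

    /* The client starts by writing; the server starts by reading. */
    c_r = 0;
    s_r = 1;
    c_w = 1;
    s_w = 0;
    c_write = 1, s_write = 0;

    /* We can always do writes */
    for (;;) {
        do_server = 0;
        do_client = 0;

        /* A side runs if it has pending input it wants, or wants to write. */
        i = (int)BIO_pending(s_bio);
        if ((i && s_r) || s_w)
            do_server = 1;

        i = (int)BIO_pending(c_bio);
        if ((i && c_r) || c_w)
            do_client = 1;

        if (do_server && debug) {
            if (SSL_in_init(s_ssl))
                printf("server waiting in SSL_accept - %s\n",
                       SSL_state_string_long(s_ssl));
        }

        if (do_client && debug) {
            if (SSL_in_init(c_ssl))
                printf("client waiting in SSL_connect - %s\n",
                       SSL_state_string_long(c_ssl));
        }

        /* Neither side can make progress: the handshake is stuck. */
        if (!do_client && !do_server) {
            fprintf(stdout, "ERROR IN STARTUP\n");
            ERR_print_errors(bio_err);
            goto err;
        }
        if (do_client && !(done & C_DONE)) {
            if (c_write) {
                j = (cw_num > bufsiz) ? (int)bufsiz : (int)cw_num;
                i = BIO_write(c_bio, cbuf, j);
                if (i < 0) {
                    c_r = 0;
                    c_w = 0;
                    if (BIO_should_retry(c_bio)) {
                        if (BIO_should_read(c_bio))
                            c_r = 1;
                        if (BIO_should_write(c_bio))
                            c_w = 1;
                    } else {
                        fprintf(stderr, "ERROR in CLIENT\n");
                        err_in_client = 1;
                        ERR_print_errors(bio_err);
                        goto err;
                    }
                } else if (i == 0) {
                    fprintf(stderr, "SSL CLIENT STARTUP FAILED\n");
                    goto err;
                } else {
                    if (debug)
                        printf("client wrote %d\n", i);
                    /* ok */
                    s_r = 1;
                    c_write = 0;
                    cw_num -= i;
                    /*
                     * Shrink the send fragment by 5 bytes after each write
                     * (floor 1029) so successive records are fragmented
                     * differently.
                     */
                    if (max_frag > 1029)
                        SSL_set_max_send_fragment(c_ssl, max_frag -= 5);
                }
            } else {
                /* bufsiz is at most 40 KiB, so the narrowing is safe. */
                i = BIO_read(c_bio, cbuf, (int)bufsiz);
                if (i < 0) {
                    c_r = 0;
                    c_w = 0;
                    if (BIO_should_retry(c_bio)) {
                        if (BIO_should_read(c_bio))
                            c_r = 1;
                        if (BIO_should_write(c_bio))
                            c_w = 1;
                    } else {
                        fprintf(stderr, "ERROR in CLIENT\n");
                        err_in_client = 1;
                        ERR_print_errors(bio_err);
                        goto err;
                    }
                } else if (i == 0) {
                    fprintf(stderr, "SSL CLIENT STARTUP FAILED\n");
                    goto err;
                } else {
                    if (debug)
                        printf("client read %d\n", i);
                    cr_num -= i;
                    if (sw_num > 0) {
                        s_write = 1;
                        s_w = 1;
                    }
                    /* Client has read everything: both directions are done. */
                    if (cr_num <= 0) {
                        s_write = 1;
                        s_w = 1;
                        done = S_DONE | C_DONE;
                    }
                }
            }
        }

        if (do_server && !(done & S_DONE)) {
            if (!s_write) {
                i = BIO_read(s_bio, sbuf, (int)bufsiz);
                if (i < 0) {
                    s_r = 0;
                    s_w = 0;
                    if (BIO_should_retry(s_bio)) {
                        if (BIO_should_read(s_bio))
                            s_r = 1;
                        if (BIO_should_write(s_bio))
                            s_w = 1;
                    } else {
                        fprintf(stderr, "ERROR in SERVER\n");
                        err_in_server = 1;
                        ERR_print_errors(bio_err);
                        goto err;
                    }
                } else if (i == 0) {
                    ERR_print_errors(bio_err);
                    fprintf(stderr,
                            "SSL SERVER STARTUP FAILED in SSL_read\n");
                    goto err;
                } else {
                    if (debug)
                        printf("server read %d\n", i);
                    sr_num -= i;
                    if (cw_num > 0) {
                        c_write = 1;
                        c_w = 1;
                    }
                    /* Server has read everything: switch it to sending. */
                    if (sr_num <= 0) {
                        s_write = 1;
                        s_w = 1;
                        c_write = 0;
                    }
                }
            } else {
                j = (sw_num > bufsiz) ? (int)bufsiz : (int)sw_num;
                i = BIO_write(s_bio, sbuf, j);
                if (i < 0) {
                    s_r = 0;
                    s_w = 0;
                    if (BIO_should_retry(s_bio)) {
                        if (BIO_should_read(s_bio))
                            s_r = 1;
                        if (BIO_should_write(s_bio))
                            s_w = 1;
                    } else {
                        fprintf(stderr, "ERROR in SERVER\n");
                        err_in_server = 1;
                        ERR_print_errors(bio_err);
                        goto err;
                    }
                } else if (i == 0) {
                    ERR_print_errors(bio_err);
                    fprintf(stderr,
                            "SSL SERVER STARTUP FAILED in SSL_write\n");
                    goto err;
                } else {
                    if (debug)
                        printf("server wrote %d\n", i);
                    sw_num -= i;
                    s_write = 0;
                    c_r = 1;
                    if (sw_num <= 0)
                        done |= S_DONE;
                    if (max_frag > 1029)
                        SSL_set_max_send_fragment(s_ssl, max_frag -= 5);
                }
            }
        }

        if ((done & S_DONE) && (done & C_DONE))
            break;
    }

    if (verbose)
        print_details(c_ssl, "DONE: ");
#ifndef OPENSSL_NO_NEXTPROTONEG
    if (verify_npn(c_ssl, s_ssl) < 0)
        goto err;
#endif
    if (verify_serverinfo() < 0) {
        fprintf(stderr, "Server info verify error\n");
        goto err;
    }
    if (custom_ext_error) {
        fprintf(stderr, "Custom extension error\n");
        goto err;
    }
    ret = EXIT_SUCCESS;
 err:
    /* c_to_s / s_to_c are non-NULL here only if ownership never moved. */
    BIO_free(c_to_s);
    BIO_free(s_to_c);
    BIO_free_all(c_bio);
    BIO_free_all(s_bio);
    OPENSSL_free(cbuf);
    OPENSSL_free(sbuf);

    if (should_negotiate != NULL && strcmp(should_negotiate, "fail-client") == 0)
        ret = (err_in_client != 0) ? EXIT_SUCCESS : EXIT_FAILURE;
    else if (should_negotiate != NULL && strcmp(should_negotiate, "fail-server") == 0)
        ret = (err_in_server != 0) ? EXIT_SUCCESS : EXIT_FAILURE;

    return ret;
}

/*
 * Per-certificate verification callback for the test contexts.
 *
 * Prints the subject of the certificate currently being checked, then
 * returns |ok| -- except that three failures are deliberately overridden and
 * turned into success: not-yet-valid, expired, and depth-0 self-signed
 * certificates.  That keeps the bundled test certificates usable after they
 * expire.
 *
 * SECURITY: this is test-harness policy only.  A production callback must
 * never return 1 for those errors; doing so disables validity-period
 * checking and accepts any self-signed leaf.
 *
 * The current certificate is guarded against NULL (the store context may
 * report some errors without one), matching app_verify_callback() below.
 */
static int verify_callback(int ok, X509_STORE_CTX *ctx)
{
    char *s = NULL, buf[256];
    X509 *cert = X509_STORE_CTX_get_current_cert(ctx);

    if (cert != NULL)
        s = X509_NAME_oneline(X509_get_subject_name(cert), buf, sizeof(buf));
    if (s != NULL) {
        if (ok)
            printf("depth=%d %s\n", X509_STORE_CTX_get_error_depth(ctx), buf);
        else {
            fprintf(stderr, "depth=%d error=%d %s\n",
                    X509_STORE_CTX_get_error_depth(ctx),
                    X509_STORE_CTX_get_error(ctx), buf);
        }
    }

    if (ok == 0) {
        int i = X509_STORE_CTX_get_error(ctx);

        switch (i) {
        default:
            fprintf(stderr, "Error string: %s\n",
                    X509_verify_cert_error_string(i));
            break;
        case X509_V_ERR_CERT_NOT_YET_VALID:
        case X509_V_ERR_CERT_HAS_EXPIRED:
        case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
            /* Overridden on purpose -- see the header comment. */
            ok = 1;
            break;
        }
    }

    return ok;
}

/*
 * Application-level certificate verification callback.
 *
 * |arg| is a struct app_verify_arg.  When cb_arg->app_verify is set the
 * callback only prints the leaf subject and returns 1 WITHOUT verifying the
 * chain at all -- the peer is accepted unconditionally.  Otherwise it runs
 * the normal X509_verify_cert() and returns its result.
 *
 * SECURITY: the app_verify branch is a test hook for checking that the
 * callback is invoked with the right context; it is not a verification
 * policy and must not be copied into real code.
 */
static int app_verify_callback(X509_STORE_CTX *ctx, void *arg)
{
    int ok = 1;
    struct app_verify_arg *cb_arg = arg;

    if (cb_arg->app_verify) {
        char *s = NULL, buf[256];
        X509 *c = X509_STORE_CTX_get0_cert(ctx);

        printf("In app_verify_callback, allowing cert. ");
        printf("Arg is: %s\n", cb_arg->string);
        printf("Finished printing do we have a context? 0x%p a cert? 0x%p\n",
               (void *)ctx, (void *)c);
        if (c)
            s = X509_NAME_oneline(X509_get_subject_name(c), buf, sizeof(buf));
        if (s != NULL) {
            printf("cert depth=%d %s\n",
                   X509_STORE_CTX_get_error_depth(ctx), buf);
        }
        return 1;
    }

    ok = X509_verify_cert(ctx);

    return ok;
}

#ifndef OPENSSL_NO_DH
/*-
 * Fixed DH groups for the test program.  The first three were generated
 * with:
 *   $ openssl dhparam -C -noout 512
 *   $ openssl dhparam -C -noout 1024
 *   $ openssl dhparam -C -noout -dsaparam 1024
 * (The third function has been renamed to avoid name conflicts.)
 * The 2048- and 4096-bit groups are the RFC 3526 MODP primes with g = 2.
 *
 * SECURITY: the 512-bit and 1024-bit groups exist only so the test program
 * can exercise small-group handling.  512-bit DH offers no meaningful
 * security and 1024-bit is below current minimums; neither may be deployed.
 */

/* Build the 512-bit test group (p from dhparam output, g = 2).
 * Returns a new DH on success, NULL on allocation or conversion failure. */
static DH *get_dh512(void)
{
    static unsigned char dh512_p[] = {
        0xCB, 0xC8, 0xE1, 0x86, 0xD0, 0x1F, 0x94, 0x17, 0xA6, 0x99, 0xF0, 0xC6,
        0x1F, 0x0D, 0xAC, 0xB6, 0x25, 0x3E, 0x06, 0x39, 0xCA, 0x72, 0x04, 0xB0,
        0x6E, 0xDA, 0xC0, 0x61, 0xE6, 0x7A, 0x77, 0x25, 0xE8, 0x3B, 0xB9, 0x5F,
        0x9A, 0xB6, 0xB5, 0xFE, 0x99, 0x0B, 0xA1, 0x93, 0x4E, 0x35, 0x33, 0xB8,
        0xE1, 0xF1, 0x13, 0x4F, 0x59, 0x1A, 0xD2, 0x57, 0xC0, 0x26, 0x21, 0x33,
        0x02, 0xC5, 0xAE, 0x23,
    };
    static unsigned char dh512_g[] = {
        0x02,
    };
    DH *dh;
    BIGNUM *p, *g;

    if ((dh = DH_new()) == NULL)
        return NULL;
    p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
    g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
    /* DH_set0_pqg takes ownership of p and g only on success. */
    if ((p == NULL) || (g == NULL) || !DH_set0_pqg(dh, p, NULL, g)) {
        DH_free(dh);
        BN_free(p);
        BN_free(g);
        return NULL;
    }
    return dh;
}

/* Build the 1024-bit test group (p from dhparam output, g = 2).
 * Returns a new DH on success, NULL on failure. */
static DH *get_dh1024(void)
{
    static unsigned char dh1024_p[] = {
        0xF8, 0x81, 0x89, 0x7D, 0x14, 0x24, 0xC5, 0xD1, 0xE6, 0xF7, 0xBF, 0x3A,
        0xE4, 0x90, 0xF4, 0xFC, 0x73, 0xFB, 0x34, 0xB5, 0xFA, 0x4C, 0x56, 0xA2,
        0xEA, 0xA7, 0xE9, 0xC0, 0xC0, 0xCE, 0x89, 0xE1, 0xFA, 0x63, 0x3F, 0xB0,
        0x6B, 0x32, 0x66, 0xF1, 0xD1, 0x7B, 0xB0, 0x00, 0x8F, 0xCA, 0x87, 0xC2,
        0xAE, 0x98, 0x89, 0x26, 0x17, 0xC2, 0x05, 0xD2, 0xEC, 0x08, 0xD0, 0x8C,
        0xFF, 0x17, 0x52, 0x8C, 0xC5, 0x07, 0x93, 0x03, 0xB1, 0xF6, 0x2F, 0xB8,
        0x1C, 0x52, 0x47, 0x27, 0x1B, 0xDB, 0xD1, 0x8D, 0x9D, 0x69, 0x1D, 0x52,
        0x4B, 0x32, 0x81, 0xAA, 0x7F, 0x00, 0xC8, 0xDC, 0xE6, 0xD9, 0xCC, 0xC1,
        0x11, 0x2D, 0x37, 0x34, 0x6C, 0xEA, 0x02, 0x97, 0x4B, 0x0E, 0xBB, 0xB1,
        0x71, 0x33, 0x09, 0x15, 0xFD, 0xDD, 0x23, 0x87, 0x07, 0x5E, 0x89, 0xAB,
        0x6B, 0x7C, 0x5F, 0xEC, 0xA6, 0x24, 0xDC, 0x53,
    };
    static unsigned char dh1024_g[] = {
        0x02,
    };
    DH *dh;
    BIGNUM *p, *g;

    if ((dh = DH_new()) == NULL)
        return NULL;
    p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
    g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
    if ((p == NULL) || (g == NULL) || !DH_set0_pqg(dh, p, NULL, g)) {
        DH_free(dh);
        BN_free(p);
        BN_free(g);
        return NULL;
    }
    return dh;
}

/* Build the 1024-bit DSA-style test group (generated with -dsaparam, so g
 * is a full-size generator of a 160-bit subgroup).  DH_set_length(dh, 160)
 * restricts the private exponent to the presumed subgroup-order size.
 * Returns a new DH on success, NULL on failure. */
static DH *get_dh1024dsa(void)
{
    static unsigned char dh1024_p[] = {
        0xC8, 0x00, 0xF7, 0x08, 0x07, 0x89, 0x4D, 0x90, 0x53, 0xF3, 0xD5, 0x00,
        0x21, 0x1B, 0xF7, 0x31, 0xA6, 0xA2, 0xDA, 0x23, 0x9A, 0xC7, 0x87, 0x19,
        0x3B, 0x47, 0xB6, 0x8C, 0x04, 0x6F, 0xFF, 0xC6, 0x9B, 0xB8, 0x65, 0xD2,
        0xC2, 0x5F, 0x31, 0x83, 0x4A, 0xA7, 0x5F, 0x2F, 0x88, 0x38, 0xB6, 0x55,
        0xCF, 0xD9, 0x87, 0x6D, 0x6F, 0x9F, 0xDA, 0xAC, 0xA6, 0x48, 0xAF, 0xFC,
        0x33, 0x84, 0x37, 0x5B, 0x82, 0x4A, 0x31, 0x5D, 0xE7, 0xBD, 0x52, 0x97,
        0xA1, 0x77, 0xBF, 0x10, 0x9E, 0x37, 0xEA, 0x64, 0xFA, 0xCA, 0x28, 0x8D,
        0x9D, 0x3B, 0xD2, 0x6E, 0x09, 0x5C, 0x68, 0xC7, 0x45, 0x90, 0xFD, 0xBB,
        0x70, 0xC9, 0x3A, 0xBB, 0xDF, 0xD4, 0x21, 0x0F, 0xC4, 0x6A, 0x3C, 0xF6,
        0x61, 0xCF, 0x3F, 0xD6, 0x13, 0xF1, 0x5F, 0xBC, 0xCF, 0xBC, 0x26, 0x9E,
        0xBC, 0x0B, 0xBD, 0xAB, 0x5D, 0xC9, 0x54, 0x39,
    };
    static unsigned char dh1024_g[] = {
        0x3B, 0x40, 0x86, 0xE7, 0xF3, 0x6C, 0xDE, 0x67, 0x1C, 0xCC, 0x80, 0x05,
        0x5A, 0xDF, 0xFE, 0xBD, 0x20, 0x27, 0x74, 0x6C, 0x24, 0xC9, 0x03, 0xF3,
        0xE1, 0x8D, 0xC3, 0x7D, 0x98, 0x27, 0x40, 0x08, 0xB8, 0x8C, 0x6A, 0xE9,
        0xBB, 0x1A, 0x3A, 0xD6, 0x86, 0x83, 0x5E, 0x72, 0x41, 0xCE, 0x85, 0x3C,
        0xD2, 0xB3, 0xFC, 0x13, 0xCE, 0x37, 0x81, 0x9E, 0x4C, 0x1C, 0x7B, 0x65,
        0xD3, 0xE6, 0xA6, 0x00, 0xF5, 0x5A, 0x95, 0x43, 0x5E, 0x81, 0xCF, 0x60,
        0xA2, 0x23, 0xFC, 0x36, 0xA7, 0x5D, 0x7A, 0x4C, 0x06, 0x91, 0x6E, 0xF6,
        0x57, 0xEE, 0x36, 0xCB, 0x06, 0xEA, 0xF5, 0x3D, 0x95, 0x49, 0xCB, 0xA7,
        0xDD, 0x81, 0xDF, 0x80, 0x09, 0x4A, 0x97, 0x4D, 0xA8, 0x22, 0x72, 0xA1,
        0x7F, 0xC4, 0x70, 0x56, 0x70, 0xE8, 0x20, 0x10, 0x18, 0x8F, 0x2E, 0x60,
        0x07, 0xE7, 0x68, 0x1A, 0x82, 0x5D, 0x32, 0xA2,
    };
    DH *dh;
    BIGNUM *p, *g;

    if ((dh = DH_new()) == NULL)
        return NULL;
    p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
    g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
    if ((p == NULL) || (g == NULL) || !DH_set0_pqg(dh, p, NULL, g)) {
        DH_free(dh);
        BN_free(p);
        BN_free(g);
        return NULL;
    }
    DH_set_length(dh, 160);
    return dh;
}

/* Build the RFC 3526 2048-bit MODP group with g = 2.
 * Returns a new DH on success, NULL on failure. */
static DH *get_dh2048(void)
{
    BIGNUM *p = NULL, *g = NULL;
    DH *dh = NULL;

    if ((dh = DH_new()) == NULL)
        return NULL;

    g = BN_new();
    if (g == NULL || !BN_set_word(g, 2))
        goto err;

    p = BN_get_rfc3526_prime_2048(NULL);
    if (p == NULL)
        goto err;

    /* On success p and g now belong to dh; only the failure path frees them. */
    if (!DH_set0_pqg(dh, p, NULL, g))
        goto err;

    return dh;

 err:
    DH_free(dh);
    BN_free(p);
    BN_free(g);
    return NULL;
}

/* Build the RFC 3526 4096-bit MODP group with g = 2.
 * Returns a new DH on success, NULL on failure. */
static DH *get_dh4096(void)
{
    BIGNUM *p = NULL, *g = NULL;
    DH *dh = NULL;

    if ((dh = DH_new()) == NULL)
        return NULL;

    g = BN_new();
    if (g == NULL || !BN_set_word(g, 2))
        goto err;

    p = BN_get_rfc3526_prime_4096(NULL);
    if (p == NULL)
        goto err;

    if (!DH_set0_pqg(dh, p, NULL, g))
        goto err;

    return dh;

 err:
    DH_free(dh);
    BN_free(p);
    BN_free(g);
    return NULL;
}
#endif

#ifndef OPENSSL_NO_PSK
/*
 * Convert the hex PSK string |pskkey| into raw bytes in |psk|, which has
 * room for |max_psk_len| bytes.
 *
 * Returns the number of bytes written, or 0 when the string is not valid
 * hex or the decoded key does not fit.  (A key that decodes to zero also
 * yields 0, which callers treat as failure.)
 *
 * The intermediate BIGNUM holds the secret, so it is released with
 * BN_clear_free() on every path to wipe the key bytes from freed memory.
 *
 * NOTE: because the conversion goes through a BIGNUM, leading zero octets
 * of the hex string are dropped; the binary PSK is the minimal big-endian
 * encoding, which can be shorter than strlen(pskkey)/2.
 */
static int psk_key2bn(const char *pskkey, unsigned char *psk,
                      unsigned int max_psk_len)
{
    int ret;
    BIGNUM *bn = NULL;

    ret = BN_hex2bn(&bn, pskkey);
    if (!ret) {
        BIO_printf(bio_err, "Could not convert PSK key '%s' to BIGNUM\n",
                   pskkey);
        BN_clear_free(bn);
        return 0;
    }
    /* Bound check before BN_bn2bin: it writes BN_num_bytes() bytes blindly. */
    if (BN_num_bytes(bn) > (int)max_psk_len) {
        BIO_printf(bio_err,
                   "psk buffer of callback is too small (%u) for key (%d)\n",
                   max_psk_len, BN_num_bytes(bn));
        BN_clear_free(bn);
        return 0;
    }
    ret = BN_bn2bin(bn, psk);
    BN_clear_free(bn);
    return ret;
}

/*
 * Client-side PSK callback: always presents the identity "Client_identity"
 * and the key from the global |psk_key|.  |hint| is ignored.
 *
 * Returns the PSK length, or 0 (handshake failure) if the identity does not
 * fit in |max_identity_len| or the key cannot be decoded.
 */
static unsigned int psk_client_callback(SSL *ssl, const char *hint,
                                        char *identity,
                                        unsigned int max_identity_len,
                                        unsigned char *psk,
                                        unsigned int max_psk_len)
{
    int ret;
    unsigned int psk_len = 0;

    /* BIO_snprintf returns -1 on truncation, unlike C99 snprintf. */
    ret = BIO_snprintf(identity, max_identity_len, "Client_identity");
    if (ret < 0)
        goto out_err;
    if (debug)
        fprintf(stderr, "client: created identity '%s' len=%d\n", identity,
                ret);
    /* psk_key2bn() signals failure with 0, never a negative value. */
    ret = psk_key2bn(psk_key, psk, max_psk_len);
    if (ret <= 0)
        goto out_err;
    psk_len = ret;
 out_err:
    return psk_len;
}

/*
 * Server-side PSK callback: accepts only the identity "Client_identity" and
 * then supplies the key from the global |psk_key|.
 *
 * Returns the PSK length, or 0 (handshake failure) for an unknown identity
 * or an undecodable key.  The identity is public, so a plain strcmp() is
 * acceptable here; the secret itself is never compared.
 */
static unsigned int psk_server_callback(SSL *ssl, const char *identity,
                                        unsigned char *psk,
                                        unsigned int max_psk_len)
{
    unsigned int psk_len = 0;

    if (strcmp(identity, "Client_identity") != 0) {
        BIO_printf(bio_err, "server: PSK error: client identity not found\n");
        return 0;
    }
    psk_len = psk_key2bn(psk_key, psk, max_psk_len);
    return psk_len;
}
#endif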