2 * Copyright (c) 2017 Thomas Pornin <pornin@bolet.org>
4 * Permission is hereby granted, free of charge, to any person obtaining
5 * a copy of this software and associated documentation files (the
6 * "Software"), to deal in the Software without restriction, including
7 * without limitation the rights to use, copy, modify, merge, publish,
8 * distribute, sublicense, and/or sell copies of the Software, and to
9 * permit persons to whom the Software is furnished to do so, subject to
10 * the following conditions:
12 * The above copyright notice and this permission notice shall be
13 * included in all copies or substantial portions of the Software.
15 * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16 * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17 * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18 * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19 * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20 * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21 * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
35 #include <sys/types.h>
41 static int verbose
= 0;
47 "usage: brssl twrch [ options ]\n");
51 " -trace dump all packets on stderr\n");
53 " -v verbose error messages on stderr\n");
55 " -server act as an SSL server\n");
57 " -client act as an SSL client\n");
59 " -sni name use specified name for SNI\n");
61 " -mono use monodirectional buffering\n");
63 " -buf length set the I/O buffer length (in bytes)\n");
65 " -cache length set the session cache storage length (in bytes)\n");
67 " -cert fname read certificate chain from file 'fname'\n");
69 " -key fname read private key from file 'fname'\n");
71 " -CA file add trust anchors from 'file' (for peer auth)\n");
73 " -anon_ok request but do not require a client certificate\n");
75 " -nostaticecdh prohibit full-static ECDH (client only)\n");
77 " -list list supported names (protocols, algorithms...)\n");
79 " -vmin name set minimum supported version (default: TLS-1.0)\n");
81 " -vmax name set maximum supported version (default: TLS-1.2)\n");
83 " -cs names set list of supported cipher suites (comma-separated)\n");
85 " -hf names add support for some hash functions (comma-separated)\n");
87 " -minhello len set minimum ClientHello length (in bytes)\n");
89 " -serverpref enforce server's preferences for cipher suites\n");
91 " -noreneg prohibit renegotiations\n");
93 " -alpn name add protocol name to list of protocols (ALPN extension)\n");
95 " -strictalpn fail on ALPN mismatch\n");
101 xfree(*(char **)alpn
);
105 dump_blob(const char *name
, const void *data
, size_t len
)
107 const unsigned char *buf
;
111 fprintf(stderr
, "%s (len = %lu)", name
, (unsigned long)len
);
112 for (u
= 0; u
< len
; u
++) {
114 fprintf(stderr
, "\n%08lX ", (unsigned long)u
);
115 } else if ((u
& 7) == 0) {
116 fprintf(stderr
, " ");
118 fprintf(stderr
, " %02x", buf
[u
]);
120 fprintf(stderr
, "\n");
124 * Callback for reading bytes from standard input.
127 stdin_read(void *ctx
, unsigned char *buf
, size_t len
)
138 eof
= !ReadFile(GetStdHandle(STD_INPUT_HANDLE
),
139 buf
, len
, &rlen
, NULL
) || rlen
== 0;
141 rlen
= read(0, buf
, len
);
143 if (rlen
< 0 && errno
== EINTR
) {
154 fprintf(stderr
, "recv: EOF\n");
160 dump_blob("recv", buf
, (size_t)rlen
);
167 * Callback for writing bytes on standard output.
170 stdout_write(void *ctx
, const unsigned char *buf
, size_t len
)
181 eof
= !WriteFile(GetStdHandle(STD_OUTPUT_HANDLE
),
182 buf
, len
, &wlen
, NULL
);
184 wlen
= write(1, buf
, len
);
186 if (wlen
< 0 && errno
== EINTR
) {
197 fprintf(stderr
, "send: EOF\n");
203 dump_blob("send", buf
, (size_t)wlen
);
212 const char *name
, *comment
;
214 name
= find_error_name(err
, &comment
);
216 fprintf(stderr
, "ERR %d: %s\n %s\n", err
, name
, comment
);
219 if (err
>= BR_ERR_RECV_FATAL_ALERT
220 && err
< BR_ERR_RECV_FATAL_ALERT
+ 256)
222 fprintf(stderr
, "ERR %d: received fatal alert %d\n",
223 err
, err
- BR_ERR_RECV_FATAL_ALERT
);
226 if (err
>= BR_ERR_SEND_FATAL_ALERT
227 && err
< BR_ERR_SEND_FATAL_ALERT
+ 256)
229 fprintf(stderr
, "ERR %d: sent fatal alert %d\n",
230 err
, err
- BR_ERR_SEND_FATAL_ALERT
);
233 fprintf(stderr
, "ERR %d: UNKNOWN\n", err
);
238 do_twrch(int argc
, char *argv
[])
247 cipher_suite
*suites
;
251 br_x509_certificate
*chain
;
253 int cert_signer_algo
;
256 anchor_list anchors
= VEC_INIT
;
257 VECTOR(char *) alpn_names
= VEC_INIT
;
258 br_x509_minimal_context xc
;
259 x509_noanchor_context xwc
;
260 const br_hash_class
*dnhash
;
263 br_ssl_engine_context eng
;
264 br_ssl_server_context srv
;
265 br_ssl_client_context cnt
;
267 br_ssl_session_cache_lru lru
;
268 unsigned char *iobuf
, *cache
;
269 size_t iobuf_len
, cache_len
, minhello_len
;
270 br_sslio_context ioc
;
288 cert_signer_algo
= 0;
294 cache_len
= (size_t)-1;
295 minhello_len
= (size_t)-1;
298 for (i
= 0; i
< argc
; i
++) {
304 goto twrch_exit_error
;
306 if (eqstr(arg
, "-trace")) {
308 } else if (eqstr(arg
, "-v")) {
310 } else if (eqstr(arg
, "-server")) {
312 } else if (eqstr(arg
, "-client")) {
314 } else if (eqstr(arg
, "-sni")) {
317 "ERROR: no argument for '-sni'\n");
319 goto twrch_exit_error
;
323 fprintf(stderr
, "ERROR: duplicate SNI\n");
325 goto twrch_exit_error
;
328 } else if (eqstr(arg
, "-mono")) {
330 } else if (eqstr(arg
, "-buf")) {
333 "ERROR: no argument for '-buf'\n");
335 goto twrch_exit_error
;
338 if (iobuf_len
!= 0) {
340 "ERROR: duplicate I/O buffer length\n");
342 goto twrch_exit_error
;
344 iobuf_len
= parse_size(arg
);
345 if (iobuf_len
== (size_t)-1) {
347 goto twrch_exit_error
;
349 } else if (eqstr(arg
, "-cache")) {
352 "ERROR: no argument for '-cache'\n");
354 goto twrch_exit_error
;
357 if (cache_len
!= (size_t)-1) {
358 fprintf(stderr
, "ERROR: duplicate session"
361 goto twrch_exit_error
;
363 cache_len
= parse_size(arg
);
364 if (cache_len
== (size_t)-1) {
366 goto twrch_exit_error
;
368 } else if (eqstr(arg
, "-cert")) {
371 "ERROR: no argument for '-cert'\n");
373 goto twrch_exit_error
;
377 "ERROR: duplicate certificate chain\n");
379 goto twrch_exit_error
;
382 chain
= read_certificates(arg
, &chain_len
);
383 if (chain
== NULL
|| chain_len
== 0) {
384 goto twrch_exit_error
;
386 } else if (eqstr(arg
, "-key")) {
389 "ERROR: no argument for '-key'\n");
391 goto twrch_exit_error
;
395 "ERROR: duplicate private key\n");
397 goto twrch_exit_error
;
400 sk
= read_private_key(arg
);
402 goto twrch_exit_error
;
404 } else if (eqstr(arg
, "-CA")) {
407 "ERROR: no argument for '-CA'\n");
409 goto twrch_exit_error
;
412 if (read_trust_anchors(&anchors
, arg
) == 0) {
414 goto twrch_exit_error
;
416 } else if (eqstr(arg
, "-anon_ok")) {
417 flags
|= BR_OPT_TOLERATE_NO_CLIENT_AUTH
;
418 } else if (eqstr(arg
, "-nostaticecdh")) {
420 } else if (eqstr(arg
, "-list")) {
423 } else if (eqstr(arg
, "-vmin")) {
426 "ERROR: no argument for '-vmin'\n");
428 goto twrch_exit_error
;
433 "ERROR: duplicate minimum version\n");
435 goto twrch_exit_error
;
437 vmin
= parse_version(arg
, strlen(arg
));
440 "ERROR: unrecognised version '%s'\n",
443 goto twrch_exit_error
;
445 } else if (eqstr(arg
, "-vmax")) {
448 "ERROR: no argument for '-vmax'\n");
450 goto twrch_exit_error
;
455 "ERROR: duplicate maximum version\n");
457 goto twrch_exit_error
;
459 vmax
= parse_version(arg
, strlen(arg
));
462 "ERROR: unrecognised version '%s'\n",
465 goto twrch_exit_error
;
467 } else if (eqstr(arg
, "-cs")) {
470 "ERROR: no argument for '-cs'\n");
472 goto twrch_exit_error
;
475 if (suites
!= NULL
) {
476 fprintf(stderr
, "ERROR: duplicate list"
477 " of cipher suites\n");
479 goto twrch_exit_error
;
481 suites
= parse_suites(arg
, &num_suites
);
482 if (suites
== NULL
) {
484 goto twrch_exit_error
;
486 } else if (eqstr(arg
, "-hf")) {
491 "ERROR: no argument for '-hf'\n");
493 goto twrch_exit_error
;
496 x
= parse_hash_functions(arg
);
499 goto twrch_exit_error
;
502 } else if (eqstr(arg
, "-minhello")) {
505 "ERROR: no argument for '-minhello'\n");
507 goto twrch_exit_error
;
510 if (minhello_len
!= (size_t)-1) {
511 fprintf(stderr
, "ERROR: duplicate minimum"
512 " ClientHello length\n");
514 goto twrch_exit_error
;
516 minhello_len
= parse_size(arg
);
518 * Minimum ClientHello length must fit on 16 bits.
520 if (minhello_len
== (size_t)-1
521 || (((minhello_len
>> 12) >> 4) != 0))
524 goto twrch_exit_error
;
526 } else if (eqstr(arg
, "-serverpref")) {
527 flags
|= BR_OPT_ENFORCE_SERVER_PREFERENCES
;
528 } else if (eqstr(arg
, "-noreneg")) {
529 flags
|= BR_OPT_NO_RENEGOTIATION
;
530 } else if (eqstr(arg
, "-alpn")) {
533 "ERROR: no argument for '-alpn'\n");
535 goto twrch_exit_error
;
537 VEC_ADD(alpn_names
, xstrdup(argv
[i
]));
538 } else if (eqstr(arg
, "-strictalpn")) {
539 flags
|= BR_OPT_FAIL_ON_ALPN_MISMATCH
;
541 fprintf(stderr
, "ERROR: unknown option: '%s'\n", arg
);
543 goto twrch_exit_error
;
548 * Verify consistency of options.
550 if (!is_client
&& !is_server
) {
551 fprintf(stderr
, "ERROR:"
552 " one of -server and -client must be specified\n");
554 goto twrch_exit_error
;
556 if (is_client
&& is_server
) {
557 fprintf(stderr
, "ERROR:"
558 " -server and -client may not be both specified\n");
560 goto twrch_exit_error
;
570 fprintf(stderr
, "ERROR: impossible minimum/maximum protocol"
571 " version combination\n");
573 goto twrch_exit_error
;
577 fprintf(stderr
, "ERROR: no certificate specified"
578 " for server (-cert)\n");
580 goto twrch_exit_error
;
583 fprintf(stderr
, "ERROR: no private key specified"
584 " for server (-key)\n");
586 goto twrch_exit_error
;
589 if (chain
== NULL
&& sk
!= NULL
) {
590 fprintf(stderr
, "ERROR: private key (-key)"
591 " but no certificate (-cert)");
593 goto twrch_exit_error
;
595 if (chain
!= NULL
&& sk
== NULL
) {
596 fprintf(stderr
, "ERROR: certificate (-cert)"
597 " but no private key (-key)");
599 goto twrch_exit_error
;
602 if (suites
== NULL
) {
605 for (u
= 0; cipher_suites
[u
].name
; u
++) {
606 if ((cipher_suites
[u
].req
& REQ_TLS12
) == 0
612 suites
= xmalloc(num_suites
* sizeof *suites
);
614 for (u
= 0; cipher_suites
[u
].name
; u
++) {
615 if ((cipher_suites
[u
].req
& REQ_TLS12
) == 0
618 suites
[num_suites
++] = cipher_suites
[u
];
623 hfuns
= (unsigned)-1;
626 switch (sk
->key_type
) {
633 curve
= sk
->key
.ec
.curve
;
634 supp
= br_ec_get_default()->supported_curves
;
635 if (curve
> 31 || !((supp
>> curve
) & 1)) {
636 fprintf(stderr
, "ERROR: private key curve (%d)"
637 " is not supported\n", curve
);
638 goto twrch_exit_error
;
642 fprintf(stderr
, "ERROR: unsupported"
643 " private key type (%d)\n", sk
->key_type
);
644 goto twrch_exit_error
;
648 cert_signer_algo
= get_cert_signer_algo(chain
);
649 if (cert_signer_algo
== 0) {
650 goto twrch_exit_error
;
653 if (iobuf_len
== 0) {
655 iobuf_len
= BR_SSL_BUFSIZE_BIDI
;
657 iobuf_len
= BR_SSL_BUFSIZE_MONO
;
660 iobuf
= xmalloc(iobuf_len
);
662 if (cache_len
== (size_t)-1) {
665 cache
= xmalloc(cache_len
);
669 * Initialise the relevant context.
672 br_ssl_client_zero(&cc
.cnt
);
674 br_ssl_server_zero(&cc
.srv
);
678 * Compute implementation requirements and inject implementations.
680 suite_ids
= xmalloc(num_suites
* sizeof *suite_ids
);
681 br_ssl_engine_set_versions(&cc
.eng
, vmin
, vmax
);
682 br_ssl_engine_set_all_flags(&cc
.eng
, flags
);
683 if (vmin
<= BR_TLS11
) {
684 if (!(hfuns
& (1 << br_md5_ID
))) {
685 fprintf(stderr
, "ERROR: TLS 1.0 and 1.1 need MD5\n");
686 goto twrch_exit_error
;
688 if (!(hfuns
& (1 << br_sha1_ID
))) {
689 fprintf(stderr
, "ERROR: TLS 1.0 and 1.1 need SHA-1\n");
690 goto twrch_exit_error
;
693 for (u
= 0; u
< num_suites
; u
++) {
697 suite_ids
[u
] = suites
[u
].suite
;
698 if ((req
& REQ_TLS12
) != 0 && vmax
< BR_TLS12
) {
700 "ERROR: cipher suite %s requires TLS 1.2\n",
702 goto twrch_exit_error
;
704 if ((req
& REQ_SHA1
) != 0 && !(hfuns
& (1 << br_sha1_ID
))) {
706 "ERROR: cipher suite %s requires SHA-1\n",
708 goto twrch_exit_error
;
710 if ((req
& REQ_SHA256
) != 0 && !(hfuns
& (1 << br_sha256_ID
))) {
712 "ERROR: cipher suite %s requires SHA-256\n",
714 goto twrch_exit_error
;
716 if ((req
& REQ_SHA384
) != 0 && !(hfuns
& (1 << br_sha384_ID
))) {
718 "ERROR: cipher suite %s requires SHA-384\n",
720 goto twrch_exit_error
;
722 /* TODO: algorithm implementation selection */
723 if ((req
& REQ_AESCBC
) != 0) {
724 br_ssl_engine_set_default_aes_cbc(&cc
.eng
);
726 if ((req
& REQ_AESGCM
) != 0) {
727 br_ssl_engine_set_default_aes_gcm(&cc
.eng
);
729 if ((req
& REQ_CHAPOL
) != 0) {
730 br_ssl_engine_set_default_chapol(&cc
.eng
);
732 if ((req
& REQ_3DESCBC
) != 0) {
733 br_ssl_engine_set_default_des_cbc(&cc
.eng
);
735 if (is_client
&& (req
& REQ_RSAKEYX
) != 0) {
736 br_ssl_client_set_default_rsapub(&cc
.cnt
);
738 if (is_client
&& (req
& REQ_ECDHE_RSA
) != 0) {
739 br_ssl_engine_set_default_rsavrfy(&cc
.eng
);
741 if (is_client
&& (req
& REQ_ECDH
) != 0) {
742 br_ssl_engine_set_default_ec(&cc
.eng
);
744 if ((req
& (REQ_ECDHE_RSA
| REQ_ECDHE_ECDSA
)) != 0) {
745 br_ssl_engine_set_default_ec(&cc
.eng
);
748 br_ssl_engine_set_suites(&cc
.eng
, suite_ids
, num_suites
);
751 for (u
= 0; hash_functions
[u
].name
; u
++) {
752 const br_hash_class
*hc
;
755 hc
= hash_functions
[u
].hclass
;
756 id
= (hc
->desc
>> BR_HASHDESC_ID_OFF
) & BR_HASHDESC_ID_MASK
;
757 if ((hfuns
& ((unsigned)1 << id
)) != 0) {
759 br_ssl_engine_set_hash(&cc
.eng
, id
, hc
);
762 if (vmin
<= BR_TLS11
) {
763 br_ssl_engine_set_prf10(&cc
.eng
, &br_tls10_prf
);
765 if (vmax
>= BR_TLS12
) {
766 if ((hfuns
& ((unsigned)1 << br_sha256_ID
)) != 0) {
767 br_ssl_engine_set_prf_sha256(&cc
.eng
,
768 &br_tls12_sha256_prf
);
770 if ((hfuns
& ((unsigned)1 << br_sha384_ID
)) != 0) {
771 br_ssl_engine_set_prf_sha384(&cc
.eng
,
772 &br_tls12_sha384_prf
);
775 if (VEC_LEN(alpn_names
) != 0) {
776 br_ssl_engine_set_protocol_names(&cc
.eng
,
777 (const char **)&VEC_ELT(alpn_names
, 0),
778 VEC_LEN(alpn_names
));
782 * In server role, we use a session cache (size can be
783 * specified; if size is zero, then no cache is set).
785 if (is_server
&& cache
!= NULL
) {
786 br_ssl_session_cache_lru_init(&lru
, cache
, cache_len
);
787 br_ssl_server_set_cache(&cc
.srv
, &lru
.vtable
);
791 * For a server, set the policy handler.
794 switch (sk
->key_type
) {
796 br_ssl_server_set_single_rsa(&cc
.srv
,
797 chain
, chain_len
, &sk
->key
.rsa
,
798 BR_KEYTYPE_KEYX
| BR_KEYTYPE_SIGN
,
799 br_rsa_private_get_default(),
800 br_rsa_pkcs1_sign_get_default());
803 br_ssl_server_set_single_ec(&cc
.srv
,
804 chain
, chain_len
, &sk
->key
.ec
,
805 BR_KEYTYPE_KEYX
| BR_KEYTYPE_SIGN
,
808 br_ecdsa_sign_asn1_get_default());
811 fprintf(stderr
, "ERROR: unsupported"
812 " private key type (%d)\n", sk
->key_type
);
813 goto twrch_exit_error
;
818 * For a client, if a certificate was specified, use it.
820 if (is_client
&& chain
!= NULL
) {
821 switch (sk
->key_type
) {
825 br_ssl_client_set_single_rsa(&cc
.cnt
,
826 chain
, chain_len
, &sk
->key
.rsa
,
827 br_rsa_pkcs1_sign_get_default());
831 cert_signer_algo
= 0;
832 usages
= BR_KEYTYPE_SIGN
;
834 usages
= BR_KEYTYPE_KEYX
| BR_KEYTYPE_SIGN
;
836 br_ssl_client_set_single_ec(&cc
.cnt
,
837 chain
, chain_len
, &sk
->key
.ec
,
838 usages
, cert_signer_algo
,
840 br_ecdsa_sign_asn1_get_default());
843 fprintf(stderr
, "ERROR: unsupported"
844 " private key type (%d)\n", sk
->key_type
);
845 goto twrch_exit_error
;
850 * On a client, or if trust anchors have been configured, then
851 * set an X.509 validation engine. If there are no trust anchors
852 * (client only), then a "no anchor" wrapper will be applied.
854 if (is_client
|| VEC_LEN(anchors
) != 0) {
855 br_x509_minimal_init(&xc
, dnhash
,
856 &VEC_ELT(anchors
, 0), VEC_LEN(anchors
));
857 for (u
= 0; hash_functions
[u
].name
; u
++) {
858 const br_hash_class
*hc
;
861 hc
= hash_functions
[u
].hclass
;
862 id
= (hc
->desc
>> BR_HASHDESC_ID_OFF
)
863 & BR_HASHDESC_ID_MASK
;
864 if ((hfuns
& ((unsigned)1 << id
)) != 0) {
865 br_x509_minimal_set_hash(&xc
, id
, hc
);
868 br_ssl_engine_set_default_rsavrfy(&cc
.eng
);
869 br_ssl_engine_set_default_ecdsa(&cc
.eng
);
870 br_x509_minimal_set_rsa(&xc
, br_rsa_pkcs1_vrfy_get_default());
871 br_x509_minimal_set_ecdsa(&xc
,
872 br_ec_get_default(), br_ecdsa_vrfy_asn1_get_default());
873 br_ssl_engine_set_x509(&cc
.eng
, &xc
.vtable
);
875 if (VEC_LEN(anchors
) == 0) {
876 x509_noanchor_init(&xwc
, &xc
.vtable
);
877 br_ssl_engine_set_x509(&cc
.eng
, &xwc
.vtable
);
879 br_ssl_engine_set_x509(&cc
.eng
, &xc
.vtable
);
882 br_ssl_server_set_trust_anchor_names_alt(&cc
.srv
,
883 &VEC_ELT(anchors
, 0), VEC_LEN(anchors
));
890 br_ssl_engine_set_buffer(&cc
.eng
, iobuf
, iobuf_len
, bidi
);
896 br_ssl_client_reset(&cc
.cnt
, sni
, 0);
899 br_ssl_server_reset(&cc
.srv
);
903 * On Unix systems, we want to ignore SIGPIPE: if the peer
904 * closes the connection abruptly, then we want to report it
905 * as a "normal" error (exit code = 1).
908 signal(SIGPIPE
, SIG_IGN
);
912 * Initialize the callbacks for exchanging data over stdin and
915 br_sslio_init(&ioc
, &cc
.eng
, stdin_read
, &trace
, stdout_write
, &trace
);
918 * Run the Twrch protocol.
922 unsigned char hv
[20], tmp
[41];
927 * Read line, byte by byte, hashing it on the fly.
935 if (br_sslio_read(&ioc
, &x
, 1) < 0) {
936 if (count
== 0 && reconnect
) {
938 if (br_sslio_close(&ioc
) < 0) {
939 goto twrch_loop_finished
;
946 br_ssl_server_reset(&cc
.srv
);
948 br_sslio_init(&ioc
, &cc
.eng
,
950 stdout_write
, &trace
);
953 goto twrch_loop_finished
;
961 br_sha1_update(&sc
, &x
, 1);
967 br_sslio_close(&ioc
);
968 goto twrch_loop_finished
;
970 if (br_sslio_close(&ioc
) < 0) {
971 goto twrch_loop_finished
;
974 br_ssl_client_reset(&cc
.cnt
, sni
, 1);
977 br_ssl_server_reset(&cc
.srv
);
979 br_sslio_init(&ioc
, &cc
.eng
,
981 stdout_write
, &trace
);
984 if (!br_ssl_engine_renegotiate(&cc
.eng
)) {
985 br_sslio_write_all(&ioc
, "DENIED\n", 7);
986 br_sslio_flush(&ioc
);
988 br_sslio_write_all(&ioc
, "OK\n", 3);
989 br_sslio_flush(&ioc
);
994 br_sslio_write_all(&ioc
, "OK\n", 3);
995 br_sslio_flush(&ioc
);
999 br_ssl_client_forget_session(&cc
.cnt
);
1001 if (is_server
&& cache
!= NULL
) {
1002 br_ssl_session_parameters pp
;
1004 br_ssl_engine_get_session_parameters(
1006 if (pp
.session_id_len
== 32) {
1007 br_ssl_session_cache_lru_forget(
1008 &lru
, pp
.session_id
);
1011 br_sslio_write_all(&ioc
, "DONE\n", 5);
1012 br_sslio_flush(&ioc
);
1016 br_sha1_out(&sc
, hv
);
1017 for (i
= 0; i
< 20; i
++) {
1021 tmp
[(i
<< 1) + 0] = "0123456789abcdef"[x
>> 4];
1022 tmp
[(i
<< 1) + 1] = "0123456789abcdef"[x
& 15];
1025 br_sslio_write_all(&ioc
, tmp
, 41);
1026 br_sslio_flush(&ioc
);
1029 twrch_loop_finished
:
1030 if (br_ssl_engine_current_state(&cc
.eng
) == BR_SSL_CLOSED
) {
1033 err
= br_ssl_engine_last_error(&cc
.eng
);
1044 fprintf(stderr
, "Engine not closed!\n");
1050 * Release allocated structures.
1055 free_certificates(chain
, chain_len
);
1056 free_private_key(sk
);
1057 VEC_CLEAREXT(anchors
, &free_ta_contents
);
1058 VEC_CLEAREXT(alpn_names
, &free_alpn
);