51 "   -trace          dump all packets on stderr\n");  in usage_twrch()
53 "   -v              verbose error messages on stderr\n");  in usage_twrch()
55 "   -server         act as an SSL server\n");  in usage_twrch()
57 "   -client         act as an SSL client\n");  in usage_twrch()
59 "   -sni name       use specified name for SNI\n");  in usage_twrch()
61 "   -mono           use monodirectional buffering\n");  in usage_twrch()
63 "   -buf length     set the I/O buffer length (in bytes)\n");  in usage_twrch()
65 "   -cache length   set the session cache storage length (in bytes)\n");  in usage_twrch()
67 "   -cert fname     read certificate chain from file 'fname'\n");  in usage_twrch()
69 "   -key fname      read private key from file 'fname'\n");  in usage_twrch()
71 "   -CA file        add trust anchors from 'file' (for peer auth)\n");  in usage_twrch()
73 "   -anon_ok        request but do not require a client certificate\n");  in usage_twrch()
75 "   -nostaticecdh   prohibit full-static ECDH (client only)\n");  in usage_twrch()
77 "   -list           list supported names (protocols, algorithms...)\n");  in usage_twrch()
79 "   -vmin name      set minimum supported version (default: TLS-1.0)\n");  in usage_twrch()
81 "   -vmax name      set maximum supported version (default: TLS-1.2)\n");  in usage_twrch()
83 "   -cs names       set list of supported cipher suites (comma-separated)\n");  in usage_twrch()
85 "   -hf names       add support for some hash functions (comma-separated)\n");  in usage_twrch()
87 "   -minhello len   set minimum ClientHello length (in bytes)\n");  in usage_twrch()
89 "   -serverpref     enforce server's preferences for cipher suites\n");  in usage_twrch()
91 "   -noreneg        prohibit renegotiations\n");  in usage_twrch()
93 "   -alpn name      add protocol name to list of protocols (ALPN extension)\n");  in usage_twrch()
95 "   -strictalpn     fail on ALPN mismatch\n");  in usage_twrch()
146 			eof = 1;  in stdin_read()
157 			return -1;  in stdin_read()
184 		wlen = write(1, buf, len);  in stdout_write()
189 			eof = 1;  in stdout_write()
200 			return -1;  in stdout_write()
223 			err, err - BR_ERR_RECV_FATAL_ALERT);  in print_error()
230 			err, err - BR_ERR_SEND_FATAL_ALERT);  in print_error()
263 		br_ssl_engine_context eng;  in do_twrch()  member
279 	bidi = 1;  in do_twrch()
294 	cache_len = (size_t)-1;  in do_twrch()
295 	minhello_len = (size_t)-1;  in do_twrch()
302 		if (arg[0] != '-') {  in do_twrch()
306 		if (eqstr(arg, "-trace")) {  in do_twrch()
307 			trace = 1;  in do_twrch()
308 		} else if (eqstr(arg, "-v")) {  in do_twrch()
309 			verbose = 1;  in do_twrch()
310 		} else if (eqstr(arg, "-server")) {  in do_twrch()
311 			is_server = 1;  in do_twrch()
312 		} else if (eqstr(arg, "-client")) {  in do_twrch()
313 			is_client = 1;  in do_twrch()
314 		} else if (eqstr(arg, "-sni")) {  in do_twrch()
317 					"ERROR: no argument for '-sni'\n");  in do_twrch()
328 		} else if (eqstr(arg, "-mono")) {  in do_twrch()
330 		} else if (eqstr(arg, "-buf")) {  in do_twrch()
333 					"ERROR: no argument for '-buf'\n");  in do_twrch()
345 			if (iobuf_len == (size_t)-1) {  in do_twrch()
349 		} else if (eqstr(arg, "-cache")) {  in do_twrch()
352 					"ERROR: no argument for '-cache'\n");  in do_twrch()
357 			if (cache_len != (size_t)-1) {  in do_twrch()
364 			if (cache_len == (size_t)-1) {  in do_twrch()
368 		} else if (eqstr(arg, "-cert")) {  in do_twrch()
371 					"ERROR: no argument for '-cert'\n");  in do_twrch()
386 		} else if (eqstr(arg, "-key")) {  in do_twrch()
389 					"ERROR: no argument for '-key'\n");  in do_twrch()
404 		} else if (eqstr(arg, "-CA")) {  in do_twrch()
407 					"ERROR: no argument for '-CA'\n");  in do_twrch()
416 		} else if (eqstr(arg, "-anon_ok")) {  in do_twrch()
418 		} else if (eqstr(arg, "-nostaticecdh")) {  in do_twrch()
419 			nostaticecdh = 1;  in do_twrch()
420 		} else if (eqstr(arg, "-list")) {  in do_twrch()
423 		} else if (eqstr(arg, "-vmin")) {  in do_twrch()
426 					"ERROR: no argument for '-vmin'\n");  in do_twrch()
445 		} else if (eqstr(arg, "-vmax")) {  in do_twrch()
448 					"ERROR: no argument for '-vmax'\n");  in do_twrch()
467 		} else if (eqstr(arg, "-cs")) {  in do_twrch()
470 					"ERROR: no argument for '-cs'\n");  in do_twrch()
486 		} else if (eqstr(arg, "-hf")) {  in do_twrch()
491 					"ERROR: no argument for '-hf'\n");  in do_twrch()
502 		} else if (eqstr(arg, "-minhello")) {  in do_twrch()
505 					"ERROR: no argument for '-minhello'\n");  in do_twrch()
510 			if (minhello_len != (size_t)-1) {  in do_twrch()
520 			if (minhello_len == (size_t)-1  in do_twrch()
526 		} else if (eqstr(arg, "-serverpref")) {  in do_twrch()
528 		} else if (eqstr(arg, "-noreneg")) {  in do_twrch()
530 		} else if (eqstr(arg, "-alpn")) {  in do_twrch()
533 					"ERROR: no argument for '-alpn'\n");  in do_twrch()
538 		} else if (eqstr(arg, "-strictalpn")) {  in do_twrch()
552 			" one of -server and -client must be specified\n");  in do_twrch()
558 			" -server and -client may not be both specified\n");  in do_twrch()
578 				" for server (-cert)\n");  in do_twrch()
584 				" for server (-key)\n");  in do_twrch()
590 			fprintf(stderr, "ERROR: private key (-key)"  in do_twrch()
591 				" but no certificate (-cert)");  in do_twrch()
596 			fprintf(stderr, "ERROR: certificate (-cert)"  in do_twrch()
597 				" but no private key (-key)");  in do_twrch()
623 		hfuns = (unsigned)-1;  in do_twrch()
626 		switch (sk->key_type) {  in do_twrch()
633 			curve = sk->key.ec.curve;  in do_twrch()
634 			supp = br_ec_get_default()->supported_curves;  in do_twrch()
635 			if (curve > 31 || !((supp >> curve) & 1)) {  in do_twrch()
643 				" private key type (%d)\n", sk->key_type);  in do_twrch()
662 		if (cache_len == (size_t)-1) {  in do_twrch()
681 	br_ssl_engine_set_versions(&cc.eng, vmin, vmax);  in do_twrch()
682 	br_ssl_engine_set_all_flags(&cc.eng, flags);  in do_twrch()
684 		if (!(hfuns & (1 << br_md5_ID))) {  in do_twrch()
688 		if (!(hfuns & (1 << br_sha1_ID))) {  in do_twrch()
689 			fprintf(stderr, "ERROR: TLS 1.0 and 1.1 need SHA-1\n");  in do_twrch()
704 		if ((req & REQ_SHA1) != 0 && !(hfuns & (1 << br_sha1_ID))) {  in do_twrch()
706 				"ERROR: cipher suite %s requires SHA-1\n",  in do_twrch()
710 		if ((req & REQ_SHA256) != 0 && !(hfuns & (1 << br_sha256_ID))) {  in do_twrch()
712 				"ERROR: cipher suite %s requires SHA-256\n",  in do_twrch()
716 		if ((req & REQ_SHA384) != 0 && !(hfuns & (1 << br_sha384_ID))) {  in do_twrch()
718 				"ERROR: cipher suite %s requires SHA-384\n",  in do_twrch()
724 			br_ssl_engine_set_default_aes_cbc(&cc.eng);  in do_twrch()
727 			br_ssl_engine_set_default_aes_ccm(&cc.eng);  in do_twrch()
730 			br_ssl_engine_set_default_aes_gcm(&cc.eng);  in do_twrch()
733 			br_ssl_engine_set_default_chapol(&cc.eng);  in do_twrch()
736 			br_ssl_engine_set_default_des_cbc(&cc.eng);  in do_twrch()
742 			br_ssl_engine_set_default_rsavrfy(&cc.eng);  in do_twrch()
745 			br_ssl_engine_set_default_ec(&cc.eng);  in do_twrch()
748 			br_ssl_engine_set_default_ec(&cc.eng);  in do_twrch()
751 	br_ssl_engine_set_suites(&cc.eng, suite_ids, num_suites);  in do_twrch()
759 		id = (hc->desc >> BR_HASHDESC_ID_OFF) & BR_HASHDESC_ID_MASK;  in do_twrch()
760 		if ((hfuns & ((unsigned)1 << id)) != 0) {  in do_twrch()
762 			br_ssl_engine_set_hash(&cc.eng, id, hc);  in do_twrch()
766 		br_ssl_engine_set_prf10(&cc.eng, &br_tls10_prf);  in do_twrch()
769 		if ((hfuns & ((unsigned)1 << br_sha256_ID)) != 0) {  in do_twrch()
770 			br_ssl_engine_set_prf_sha256(&cc.eng,  in do_twrch()
773 		if ((hfuns & ((unsigned)1 << br_sha384_ID)) != 0) {  in do_twrch()
774 			br_ssl_engine_set_prf_sha384(&cc.eng,  in do_twrch()
779 		br_ssl_engine_set_protocol_names(&cc.eng,  in do_twrch()
797 		switch (sk->key_type) {  in do_twrch()
800 				chain, chain_len, &sk->key.rsa,  in do_twrch()
807 				chain, chain_len, &sk->key.ec,  in do_twrch()
815 				" private key type (%d)\n", sk->key_type);  in do_twrch()
824 		switch (sk->key_type) {  in do_twrch()
829 				chain, chain_len, &sk->key.rsa,  in do_twrch()
840 				chain, chain_len, &sk->key.ec,  in do_twrch()
847 				" private key type (%d)\n", sk->key_type);  in do_twrch()
865 			id = (hc->desc >> BR_HASHDESC_ID_OFF)  in do_twrch()
867 			if ((hfuns & ((unsigned)1 << id)) != 0) {  in do_twrch()
871 		br_ssl_engine_set_default_rsavrfy(&cc.eng);  in do_twrch()
872 		br_ssl_engine_set_default_ecdsa(&cc.eng);  in do_twrch()
876 		br_ssl_engine_set_x509(&cc.eng, &xc.vtable);  in do_twrch()
880 			br_ssl_engine_set_x509(&cc.eng, &xwc.vtable);  in do_twrch()
882 			br_ssl_engine_set_x509(&cc.eng, &xc.vtable);  in do_twrch()
893 	br_ssl_engine_set_buffer(&cc.eng, iobuf, iobuf_len, bidi);  in do_twrch()
908 	 * as a "normal" error (exit code = 1).  in do_twrch()
918 	br_sslio_init(&ioc, &cc.eng, stdin_read, &trace, stdout_write, &trace);  in do_twrch()
938 			if (br_sslio_read(&ioc, &x, 1) < 0) {  in do_twrch()
946 							&cc.cnt, sni, 1);  in do_twrch()
951 					br_sslio_init(&ioc, &cc.eng,  in do_twrch()
964 			br_sha1_update(&sc, &x, 1);  in do_twrch()
967 		if (count == 1) {  in do_twrch()
977 					br_ssl_client_reset(&cc.cnt, sni, 1);  in do_twrch()
982 				br_sslio_init(&ioc, &cc.eng,  in do_twrch()
987 				if (!br_ssl_engine_renegotiate(&cc.eng)) {  in do_twrch()
996 				reconnect = 1;  in do_twrch()
1008 						&cc.eng, &pp);  in do_twrch()
1024 			tmp[(i << 1) + 0] = "0123456789abcdef"[x >> 4];  in do_twrch()
1025 			tmp[(i << 1) + 1] = "0123456789abcdef"[x & 15];  in do_twrch()
1033 	if (br_ssl_engine_current_state(&cc.eng) == BR_SSL_CLOSED) {  in do_twrch()
1036 		err = br_ssl_engine_last_error(&cc.eng);  in do_twrch()
1043 			retcode = 1;  in do_twrch()
1049 		retcode = 1;  in do_twrch()
1067 	retcode = -1;  in do_twrch()