xref: /freebsd/contrib/bearssl/tools/twrch.c (revision 5ca8e32633c4ffbbcd6762e5888b6a4ba0708c6c)
1 /*
2  * Copyright (c) 2017 Thomas Pornin <pornin@bolet.org>
3  *
4  * Permission is hereby granted, free of charge, to any person obtaining
5  * a copy of this software and associated documentation files (the
6  * "Software"), to deal in the Software without restriction, including
7  * without limitation the rights to use, copy, modify, merge, publish,
8  * distribute, sublicense, and/or sell copies of the Software, and to
9  * permit persons to whom the Software is furnished to do so, subject to
10  * the following conditions:
11  *
12  * The above copyright notice and this permission notice shall be
13  * included in all copies or substantial portions of the Software.
14  *
15  * THE SOFTWARE IS PROVIDED "AS IS", WITHOUT WARRANTY OF ANY KIND,
16  * EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE WARRANTIES OF
17  * MERCHANTABILITY, FITNESS FOR A PARTICULAR PURPOSE AND
18  * NONINFRINGEMENT. IN NO EVENT SHALL THE AUTHORS OR COPYRIGHT HOLDERS
19  * BE LIABLE FOR ANY CLAIM, DAMAGES OR OTHER LIABILITY, WHETHER IN AN
20  * ACTION OF CONTRACT, TORT OR OTHERWISE, ARISING FROM, OUT OF OR IN
21  * CONNECTION WITH THE SOFTWARE OR THE USE OR OTHER DEALINGS IN THE
22  * SOFTWARE.
23  */
24 
25 #include <stdio.h>
26 #include <stdlib.h>
27 #include <string.h>
28 #include <stdint.h>
29 #include <errno.h>
30 
31 #ifdef _WIN32
32 #include <windows.h>
33 #else
34 #include <signal.h>
35 #include <sys/types.h>
36 #include <unistd.h>
37 #endif
38 
39 #include "brssl.h"
40 
41 static int verbose = 0;
42 
43 static void
44 usage_twrch(void)
45 {
46 	fprintf(stderr,
47 "usage: brssl twrch [ options ]\n");
48 	fprintf(stderr,
49 "options:\n");
50 	fprintf(stderr,
51 "   -trace          dump all packets on stderr\n");
52 	fprintf(stderr,
53 "   -v              verbose error messages on stderr\n");
54 	fprintf(stderr,
55 "   -server         act as an SSL server\n");
56 	fprintf(stderr,
57 "   -client         act as an SSL client\n");
58 	fprintf(stderr,
59 "   -sni name       use specified name for SNI\n");
60 	fprintf(stderr,
61 "   -mono           use monodirectional buffering\n");
62 	fprintf(stderr,
63 "   -buf length     set the I/O buffer length (in bytes)\n");
64 	fprintf(stderr,
65 "   -cache length   set the session cache storage length (in bytes)\n");
66 	fprintf(stderr,
67 "   -cert fname     read certificate chain from file 'fname'\n");
68 	fprintf(stderr,
69 "   -key fname      read private key from file 'fname'\n");
70 	fprintf(stderr,
71 "   -CA file        add trust anchors from 'file' (for peer auth)\n");
72 	fprintf(stderr,
73 "   -anon_ok        request but do not require a client certificate\n");
74 	fprintf(stderr,
75 "   -nostaticecdh   prohibit full-static ECDH (client only)\n");
76 	fprintf(stderr,
77 "   -list           list supported names (protocols, algorithms...)\n");
78 	fprintf(stderr,
79 "   -vmin name      set minimum supported version (default: TLS-1.0)\n");
80 	fprintf(stderr,
81 "   -vmax name      set maximum supported version (default: TLS-1.2)\n");
82 	fprintf(stderr,
83 "   -cs names       set list of supported cipher suites (comma-separated)\n");
84 	fprintf(stderr,
85 "   -hf names       add support for some hash functions (comma-separated)\n");
86 	fprintf(stderr,
87 "   -minhello len   set minimum ClientHello length (in bytes)\n");
88 	fprintf(stderr,
89 "   -serverpref     enforce server's preferences for cipher suites\n");
90 	fprintf(stderr,
91 "   -noreneg        prohibit renegotiations\n");
92 	fprintf(stderr,
93 "   -alpn name      add protocol name to list of protocols (ALPN extension)\n");
94 	fprintf(stderr,
95 "   -strictalpn     fail on ALPN mismatch\n");
96 }
97 
98 static void
99 free_alpn(void *alpn)
100 {
101 	xfree(*(char **)alpn);
102 }
103 
104 static void
105 dump_blob(const char *name, const void *data, size_t len)
106 {
107 	const unsigned char *buf;
108 	size_t u;
109 
110 	buf = data;
111 	fprintf(stderr, "%s (len = %lu)", name, (unsigned long)len);
112 	for (u = 0; u < len; u ++) {
113 		if ((u & 15) == 0) {
114 			fprintf(stderr, "\n%08lX  ", (unsigned long)u);
115 		} else if ((u & 7) == 0) {
116 			fprintf(stderr, " ");
117 		}
118 		fprintf(stderr, " %02x", buf[u]);
119 	}
120 	fprintf(stderr, "\n");
121 }
122 
123 /*
124  * Callback for reading bytes from standard input.
125  */
126 static int
127 stdin_read(void *ctx, unsigned char *buf, size_t len)
128 {
129 	for (;;) {
130 #ifdef _WIN32
131 		DWORD rlen;
132 #else
133 		ssize_t rlen;
134 #endif
135 		int eof;
136 
137 #ifdef _WIN32
138 		eof = !ReadFile(GetStdHandle(STD_INPUT_HANDLE),
139 			buf, len, &rlen, NULL) || rlen == 0;
140 #else
141 		rlen = read(0, buf, len);
142 		if (rlen <= 0) {
143 			if (rlen < 0 && errno == EINTR) {
144 				continue;
145 			}
146 			eof = 1;
147 		} else {
148 			eof = 0;
149 		}
150 #endif
151 		if (eof) {
152 			if (*(int *)ctx) {
153 				if (verbose) {
154 					fprintf(stderr, "recv: EOF\n");
155 				}
156 			}
157 			return -1;
158 		}
159 		if (*(int *)ctx) {
160 			dump_blob("recv", buf, (size_t)rlen);
161 		}
162 		return (int)rlen;
163 	}
164 }
165 
166 /*
167  * Callback for writing bytes on standard output.
168  */
169 static int
170 stdout_write(void *ctx, const unsigned char *buf, size_t len)
171 {
172 	for (;;) {
173 #ifdef _WIN32
174 		DWORD wlen;
175 #else
176 		ssize_t wlen;
177 #endif
178 		int eof;
179 
180 #ifdef _WIN32
181 		eof = !WriteFile(GetStdHandle(STD_OUTPUT_HANDLE),
182 			buf, len, &wlen, NULL);
183 #else
184 		wlen = write(1, buf, len);
185 		if (wlen <= 0) {
186 			if (wlen < 0 && errno == EINTR) {
187 				continue;
188 			}
189 			eof = 1;
190 		} else {
191 			eof = 0;
192 		}
193 #endif
194 		if (eof) {
195 			if (*(int *)ctx) {
196 				if (verbose) {
197 					fprintf(stderr, "send: EOF\n");
198 				}
199 			}
200 			return -1;
201 		}
202 		if (*(int *)ctx) {
203 			dump_blob("send", buf, (size_t)wlen);
204 		}
205 		return (int)wlen;
206 	}
207 }
208 
209 static void
210 print_error(int err)
211 {
212 	const char *name, *comment;
213 
214 	name = find_error_name(err, &comment);
215 	if (name != NULL) {
216 		fprintf(stderr, "ERR %d: %s\n   %s\n", err, name, comment);
217 		return;
218 	}
219 	if (err >= BR_ERR_RECV_FATAL_ALERT
220 		&& err < BR_ERR_RECV_FATAL_ALERT + 256)
221 	{
222 		fprintf(stderr, "ERR %d: received fatal alert %d\n",
223 			err, err - BR_ERR_RECV_FATAL_ALERT);
224 		return;
225 	}
226 	if (err >= BR_ERR_SEND_FATAL_ALERT
227 		&& err < BR_ERR_SEND_FATAL_ALERT + 256)
228 	{
229 		fprintf(stderr, "ERR %d: sent fatal alert %d\n",
230 			err, err - BR_ERR_SEND_FATAL_ALERT);
231 		return;
232 	}
233 	fprintf(stderr, "ERR %d: UNKNOWN\n", err);
234 }
235 
236 /* see brssl.h */
237 int
238 do_twrch(int argc, char *argv[])
239 {
240 	int retcode;
241 	int trace;
242 	int is_client;
243 	int is_server;
244 	const char *sni;
245 	int i, bidi;
246 	unsigned vmin, vmax;
247 	cipher_suite *suites;
248 	size_t num_suites;
249 	uint16_t *suite_ids;
250 	unsigned hfuns;
251 	br_x509_certificate *chain;
252 	size_t chain_len;
253 	int cert_signer_algo;
254 	private_key *sk;
255 	int nostaticecdh;
256 	anchor_list anchors = VEC_INIT;
257 	VECTOR(char *) alpn_names = VEC_INIT;
258 	br_x509_minimal_context xc;
259 	x509_noanchor_context xwc;
260 	const br_hash_class *dnhash;
261 	size_t u;
262 	union {
263 		br_ssl_engine_context eng;
264 		br_ssl_server_context srv;
265 		br_ssl_client_context cnt;
266 	} cc;
267 	br_ssl_session_cache_lru lru;
268 	unsigned char *iobuf, *cache;
269 	size_t iobuf_len, cache_len, minhello_len;
270 	br_sslio_context ioc;
271 	uint32_t flags;
272 	int reconnect;
273 
274 	retcode = 0;
275 	trace = 0;
276 	is_client = 0;
277 	is_server = 0;
278 	sni = NULL;
279 	bidi = 1;
280 	vmin = 0;
281 	vmax = 0;
282 	suites = NULL;
283 	num_suites = 0;
284 	suite_ids = NULL;
285 	hfuns = 0;
286 	chain = NULL;
287 	chain_len = 0;
288 	cert_signer_algo = 0;
289 	sk = NULL;
290 	nostaticecdh = 0;
291 	iobuf = NULL;
292 	iobuf_len = 0;
293 	cache = NULL;
294 	cache_len = (size_t)-1;
295 	minhello_len = (size_t)-1;
296 	flags = 0;
297 	reconnect = 0;
298 	for (i = 0; i < argc; i ++) {
299 		const char *arg;
300 
301 		arg = argv[i];
302 		if (arg[0] != '-') {
303 			usage_twrch();
304 			goto twrch_exit_error;
305 		}
306 		if (eqstr(arg, "-trace")) {
307 			trace = 1;
308 		} else if (eqstr(arg, "-v")) {
309 			verbose = 1;
310 		} else if (eqstr(arg, "-server")) {
311 			is_server = 1;
312 		} else if (eqstr(arg, "-client")) {
313 			is_client = 1;
314 		} else if (eqstr(arg, "-sni")) {
315 			if (++ i >= argc) {
316 				fprintf(stderr,
317 					"ERROR: no argument for '-sni'\n");
318 				usage_twrch();
319 				goto twrch_exit_error;
320 			}
321 			arg = argv[i];
322 			if (sni != NULL) {
323 				fprintf(stderr, "ERROR: duplicate SNI\n");
324 				usage_twrch();
325 				goto twrch_exit_error;
326 			}
327 			sni = arg;
328 		} else if (eqstr(arg, "-mono")) {
329 			bidi = 0;
330 		} else if (eqstr(arg, "-buf")) {
331 			if (++ i >= argc) {
332 				fprintf(stderr,
333 					"ERROR: no argument for '-buf'\n");
334 				usage_twrch();
335 				goto twrch_exit_error;
336 			}
337 			arg = argv[i];
338 			if (iobuf_len != 0) {
339 				fprintf(stderr,
340 					"ERROR: duplicate I/O buffer length\n");
341 				usage_twrch();
342 				goto twrch_exit_error;
343 			}
344 			iobuf_len = parse_size(arg);
345 			if (iobuf_len == (size_t)-1) {
346 				usage_twrch();
347 				goto twrch_exit_error;
348 			}
349 		} else if (eqstr(arg, "-cache")) {
350 			if (++ i >= argc) {
351 				fprintf(stderr,
352 					"ERROR: no argument for '-cache'\n");
353 				usage_twrch();
354 				goto twrch_exit_error;
355 			}
356 			arg = argv[i];
357 			if (cache_len != (size_t)-1) {
358 				fprintf(stderr, "ERROR: duplicate session"
359 					" cache length\n");
360 				usage_twrch();
361 				goto twrch_exit_error;
362 			}
363 			cache_len = parse_size(arg);
364 			if (cache_len == (size_t)-1) {
365 				usage_twrch();
366 				goto twrch_exit_error;
367 			}
368 		} else if (eqstr(arg, "-cert")) {
369 			if (++ i >= argc) {
370 				fprintf(stderr,
371 					"ERROR: no argument for '-cert'\n");
372 				usage_twrch();
373 				goto twrch_exit_error;
374 			}
375 			if (chain != NULL) {
376 				fprintf(stderr,
377 					"ERROR: duplicate certificate chain\n");
378 				usage_twrch();
379 				goto twrch_exit_error;
380 			}
381 			arg = argv[i];
382 			chain = read_certificates(arg, &chain_len);
383 			if (chain == NULL || chain_len == 0) {
384 				goto twrch_exit_error;
385 			}
386 		} else if (eqstr(arg, "-key")) {
387 			if (++ i >= argc) {
388 				fprintf(stderr,
389 					"ERROR: no argument for '-key'\n");
390 				usage_twrch();
391 				goto twrch_exit_error;
392 			}
393 			if (sk != NULL) {
394 				fprintf(stderr,
395 					"ERROR: duplicate private key\n");
396 				usage_twrch();
397 				goto twrch_exit_error;
398 			}
399 			arg = argv[i];
400 			sk = read_private_key(arg);
401 			if (sk == NULL) {
402 				goto twrch_exit_error;
403 			}
404 		} else if (eqstr(arg, "-CA")) {
405 			if (++ i >= argc) {
406 				fprintf(stderr,
407 					"ERROR: no argument for '-CA'\n");
408 				usage_twrch();
409 				goto twrch_exit_error;
410 			}
411 			arg = argv[i];
412 			if (read_trust_anchors(&anchors, arg) == 0) {
413 				usage_twrch();
414 				goto twrch_exit_error;
415 			}
416 		} else if (eqstr(arg, "-anon_ok")) {
417 			flags |= BR_OPT_TOLERATE_NO_CLIENT_AUTH;
418 		} else if (eqstr(arg, "-nostaticecdh")) {
419 			nostaticecdh = 1;
420 		} else if (eqstr(arg, "-list")) {
421 			list_names();
422 			goto twrch_exit;
423 		} else if (eqstr(arg, "-vmin")) {
424 			if (++ i >= argc) {
425 				fprintf(stderr,
426 					"ERROR: no argument for '-vmin'\n");
427 				usage_twrch();
428 				goto twrch_exit_error;
429 			}
430 			arg = argv[i];
431 			if (vmin != 0) {
432 				fprintf(stderr,
433 					"ERROR: duplicate minimum version\n");
434 				usage_twrch();
435 				goto twrch_exit_error;
436 			}
437 			vmin = parse_version(arg, strlen(arg));
438 			if (vmin == 0) {
439 				fprintf(stderr,
440 					"ERROR: unrecognised version '%s'\n",
441 					arg);
442 				usage_twrch();
443 				goto twrch_exit_error;
444 			}
445 		} else if (eqstr(arg, "-vmax")) {
446 			if (++ i >= argc) {
447 				fprintf(stderr,
448 					"ERROR: no argument for '-vmax'\n");
449 				usage_twrch();
450 				goto twrch_exit_error;
451 			}
452 			arg = argv[i];
453 			if (vmax != 0) {
454 				fprintf(stderr,
455 					"ERROR: duplicate maximum version\n");
456 				usage_twrch();
457 				goto twrch_exit_error;
458 			}
459 			vmax = parse_version(arg, strlen(arg));
460 			if (vmax == 0) {
461 				fprintf(stderr,
462 					"ERROR: unrecognised version '%s'\n",
463 					arg);
464 				usage_twrch();
465 				goto twrch_exit_error;
466 			}
467 		} else if (eqstr(arg, "-cs")) {
468 			if (++ i >= argc) {
469 				fprintf(stderr,
470 					"ERROR: no argument for '-cs'\n");
471 				usage_twrch();
472 				goto twrch_exit_error;
473 			}
474 			arg = argv[i];
475 			if (suites != NULL) {
476 				fprintf(stderr, "ERROR: duplicate list"
477 					" of cipher suites\n");
478 				usage_twrch();
479 				goto twrch_exit_error;
480 			}
481 			suites = parse_suites(arg, &num_suites);
482 			if (suites == NULL) {
483 				usage_twrch();
484 				goto twrch_exit_error;
485 			}
486 		} else if (eqstr(arg, "-hf")) {
487 			unsigned x;
488 
489 			if (++ i >= argc) {
490 				fprintf(stderr,
491 					"ERROR: no argument for '-hf'\n");
492 				usage_twrch();
493 				goto twrch_exit_error;
494 			}
495 			arg = argv[i];
496 			x = parse_hash_functions(arg);
497 			if (x == 0) {
498 				usage_twrch();
499 				goto twrch_exit_error;
500 			}
501 			hfuns |= x;
502 		} else if (eqstr(arg, "-minhello")) {
503 			if (++ i >= argc) {
504 				fprintf(stderr,
505 					"ERROR: no argument for '-minhello'\n");
506 				usage_twrch();
507 				goto twrch_exit_error;
508 			}
509 			arg = argv[i];
510 			if (minhello_len != (size_t)-1) {
511 				fprintf(stderr, "ERROR: duplicate minimum"
512 					" ClientHello length\n");
513 				usage_twrch();
514 				goto twrch_exit_error;
515 			}
516 			minhello_len = parse_size(arg);
517 			/*
518 			 * Minimum ClientHello length must fit on 16 bits.
519 			 */
520 			if (minhello_len == (size_t)-1
521 				|| (((minhello_len >> 12) >> 4) != 0))
522 			{
523 				usage_twrch();
524 				goto twrch_exit_error;
525 			}
526 		} else if (eqstr(arg, "-serverpref")) {
527 			flags |= BR_OPT_ENFORCE_SERVER_PREFERENCES;
528 		} else if (eqstr(arg, "-noreneg")) {
529 			flags |= BR_OPT_NO_RENEGOTIATION;
530 		} else if (eqstr(arg, "-alpn")) {
531 			if (++ i >= argc) {
532 				fprintf(stderr,
533 					"ERROR: no argument for '-alpn'\n");
534 				usage_twrch();
535 				goto twrch_exit_error;
536 			}
537 			VEC_ADD(alpn_names, xstrdup(argv[i]));
538 		} else if (eqstr(arg, "-strictalpn")) {
539 			flags |= BR_OPT_FAIL_ON_ALPN_MISMATCH;
540 		} else {
541 			fprintf(stderr, "ERROR: unknown option: '%s'\n", arg);
542 			usage_twrch();
543 			goto twrch_exit_error;
544 		}
545 	}
546 
547 	/*
548 	 * Verify consistency of options.
549 	 */
550 	if (!is_client && !is_server) {
551 		fprintf(stderr, "ERROR:"
552 			" one of -server and -client must be specified\n");
553 		usage_twrch();
554 		goto twrch_exit_error;
555 	}
556 	if (is_client && is_server) {
557 		fprintf(stderr, "ERROR:"
558 			" -server and -client may not be both specified\n");
559 		usage_twrch();
560 		goto twrch_exit_error;
561 	}
562 
563 	if (vmin == 0) {
564 		vmin = BR_TLS10;
565 	}
566 	if (vmax == 0) {
567 		vmax = BR_TLS12;
568 	}
569 	if (vmax < vmin) {
570 		fprintf(stderr, "ERROR: impossible minimum/maximum protocol"
571 			" version combination\n");
572 		usage_twrch();
573 		goto twrch_exit_error;
574 	}
575 	if (is_server) {
576 		if (chain == NULL) {
577 			fprintf(stderr, "ERROR: no certificate specified"
578 				" for server (-cert)\n");
579 			usage_twrch();
580 			goto twrch_exit_error;
581 		}
582 		if (sk == NULL) {
583 			fprintf(stderr, "ERROR: no private key specified"
584 				" for server (-key)\n");
585 			usage_twrch();
586 			goto twrch_exit_error;
587 		}
588 	} else {
589 		if (chain == NULL && sk != NULL) {
590 			fprintf(stderr, "ERROR: private key (-key)"
591 				" but no certificate (-cert)");
592 			usage_twrch();
593 			goto twrch_exit_error;
594 		}
595 		if (chain != NULL && sk == NULL) {
596 			fprintf(stderr, "ERROR: certificate (-cert)"
597 				" but no private key (-key)");
598 			usage_twrch();
599 			goto twrch_exit_error;
600 		}
601 	}
602 	if (suites == NULL) {
603 		num_suites = 0;
604 
605 		for (u = 0; cipher_suites[u].name; u ++) {
606 			if ((cipher_suites[u].req & REQ_TLS12) == 0
607 				|| vmax >= BR_TLS12)
608 			{
609 				num_suites ++;
610 			}
611 		}
612 		suites = xmalloc(num_suites * sizeof *suites);
613 		num_suites = 0;
614 		for (u = 0; cipher_suites[u].name; u ++) {
615 			if ((cipher_suites[u].req & REQ_TLS12) == 0
616 				|| vmax >= BR_TLS12)
617 			{
618 				suites[num_suites ++] = cipher_suites[u];
619 			}
620 		}
621 	}
622 	if (hfuns == 0) {
623 		hfuns = (unsigned)-1;
624 	}
625 	if (sk != NULL) {
626 		switch (sk->key_type) {
627 			int curve;
628 			uint32_t supp;
629 
630 		case BR_KEYTYPE_RSA:
631 			break;
632 		case BR_KEYTYPE_EC:
633 			curve = sk->key.ec.curve;
634 			supp = br_ec_get_default()->supported_curves;
635 			if (curve > 31 || !((supp >> curve) & 1)) {
636 				fprintf(stderr, "ERROR: private key curve (%d)"
637 					" is not supported\n", curve);
638 				goto twrch_exit_error;
639 			}
640 			break;
641 		default:
642 			fprintf(stderr, "ERROR: unsupported"
643 				" private key type (%d)\n", sk->key_type);
644 			goto twrch_exit_error;
645 		}
646 	}
647 	if (chain != NULL) {
648 		cert_signer_algo = get_cert_signer_algo(chain);
649 		if (cert_signer_algo == 0) {
650 			goto twrch_exit_error;
651 		}
652 	}
653 	if (iobuf_len == 0) {
654 		if (bidi) {
655 			iobuf_len = BR_SSL_BUFSIZE_BIDI;
656 		} else {
657 			iobuf_len = BR_SSL_BUFSIZE_MONO;
658 		}
659 	}
660 	iobuf = xmalloc(iobuf_len);
661 	if (is_server) {
662 		if (cache_len == (size_t)-1) {
663 			cache_len = 5000;
664 		}
665 		cache = xmalloc(cache_len);
666 	}
667 
668 	/*
669 	 * Initialise the relevant context.
670 	 */
671 	if (is_client) {
672 		br_ssl_client_zero(&cc.cnt);
673 	} else {
674 		br_ssl_server_zero(&cc.srv);
675 	}
676 
677 	/*
678 	 * Compute implementation requirements and inject implementations.
679 	 */
680 	suite_ids = xmalloc(num_suites * sizeof *suite_ids);
681 	br_ssl_engine_set_versions(&cc.eng, vmin, vmax);
682 	br_ssl_engine_set_all_flags(&cc.eng, flags);
683 	if (vmin <= BR_TLS11) {
684 		if (!(hfuns & (1 << br_md5_ID))) {
685 			fprintf(stderr, "ERROR: TLS 1.0 and 1.1 need MD5\n");
686 			goto twrch_exit_error;
687 		}
688 		if (!(hfuns & (1 << br_sha1_ID))) {
689 			fprintf(stderr, "ERROR: TLS 1.0 and 1.1 need SHA-1\n");
690 			goto twrch_exit_error;
691 		}
692 	}
693 	for (u = 0; u < num_suites; u ++) {
694 		unsigned req;
695 
696 		req = suites[u].req;
697 		suite_ids[u] = suites[u].suite;
698 		if ((req & REQ_TLS12) != 0 && vmax < BR_TLS12) {
699 			fprintf(stderr,
700 				"ERROR: cipher suite %s requires TLS 1.2\n",
701 				suites[u].name);
702 			goto twrch_exit_error;
703 		}
704 		if ((req & REQ_SHA1) != 0 && !(hfuns & (1 << br_sha1_ID))) {
705 			fprintf(stderr,
706 				"ERROR: cipher suite %s requires SHA-1\n",
707 				suites[u].name);
708 			goto twrch_exit_error;
709 		}
710 		if ((req & REQ_SHA256) != 0 && !(hfuns & (1 << br_sha256_ID))) {
711 			fprintf(stderr,
712 				"ERROR: cipher suite %s requires SHA-256\n",
713 				suites[u].name);
714 			goto twrch_exit_error;
715 		}
716 		if ((req & REQ_SHA384) != 0 && !(hfuns & (1 << br_sha384_ID))) {
717 			fprintf(stderr,
718 				"ERROR: cipher suite %s requires SHA-384\n",
719 				suites[u].name);
720 			goto twrch_exit_error;
721 		}
722 		/* TODO: algorithm implementation selection */
723 		if ((req & REQ_AESCBC) != 0) {
724 			br_ssl_engine_set_default_aes_cbc(&cc.eng);
725 		}
726 		if ((req & REQ_AESCCM) != 0) {
727 			br_ssl_engine_set_default_aes_ccm(&cc.eng);
728 		}
729 		if ((req & REQ_AESGCM) != 0) {
730 			br_ssl_engine_set_default_aes_gcm(&cc.eng);
731 		}
732 		if ((req & REQ_CHAPOL) != 0) {
733 			br_ssl_engine_set_default_chapol(&cc.eng);
734 		}
735 		if ((req & REQ_3DESCBC) != 0) {
736 			br_ssl_engine_set_default_des_cbc(&cc.eng);
737 		}
738 		if (is_client && (req & REQ_RSAKEYX) != 0) {
739 			br_ssl_client_set_default_rsapub(&cc.cnt);
740 		}
741 		if (is_client && (req & REQ_ECDHE_RSA) != 0) {
742 			br_ssl_engine_set_default_rsavrfy(&cc.eng);
743 		}
744 		if (is_client && (req & REQ_ECDH) != 0) {
745 			br_ssl_engine_set_default_ec(&cc.eng);
746 		}
747 		if ((req & (REQ_ECDHE_RSA | REQ_ECDHE_ECDSA)) != 0) {
748 			br_ssl_engine_set_default_ec(&cc.eng);
749 		}
750 	}
751 	br_ssl_engine_set_suites(&cc.eng, suite_ids, num_suites);
752 
753 	dnhash = NULL;
754 	for (u = 0; hash_functions[u].name; u ++) {
755 		const br_hash_class *hc;
756 		int id;
757 
758 		hc = hash_functions[u].hclass;
759 		id = (hc->desc >> BR_HASHDESC_ID_OFF) & BR_HASHDESC_ID_MASK;
760 		if ((hfuns & ((unsigned)1 << id)) != 0) {
761 			dnhash = hc;
762 			br_ssl_engine_set_hash(&cc.eng, id, hc);
763 		}
764 	}
765 	if (vmin <= BR_TLS11) {
766 		br_ssl_engine_set_prf10(&cc.eng, &br_tls10_prf);
767 	}
768 	if (vmax >= BR_TLS12) {
769 		if ((hfuns & ((unsigned)1 << br_sha256_ID)) != 0) {
770 			br_ssl_engine_set_prf_sha256(&cc.eng,
771 				&br_tls12_sha256_prf);
772 		}
773 		if ((hfuns & ((unsigned)1 << br_sha384_ID)) != 0) {
774 			br_ssl_engine_set_prf_sha384(&cc.eng,
775 				&br_tls12_sha384_prf);
776 		}
777 	}
778 	if (VEC_LEN(alpn_names) != 0) {
779 		br_ssl_engine_set_protocol_names(&cc.eng,
780 			(const char **)&VEC_ELT(alpn_names, 0),
781 			VEC_LEN(alpn_names));
782 	}
783 
784 	/*
785 	 * In server role, we use a session cache (size can be
786 	 * specified; if size is zero, then no cache is set).
787 	 */
788 	if (is_server && cache != NULL) {
789 		br_ssl_session_cache_lru_init(&lru, cache, cache_len);
790 		br_ssl_server_set_cache(&cc.srv, &lru.vtable);
791 	}
792 
793 	/*
794 	 * For a server, set the policy handler.
795 	 */
796 	if (is_server) {
797 		switch (sk->key_type) {
798 		case BR_KEYTYPE_RSA:
799 			br_ssl_server_set_single_rsa(&cc.srv,
800 				chain, chain_len, &sk->key.rsa,
801 				BR_KEYTYPE_KEYX | BR_KEYTYPE_SIGN,
802 				br_rsa_private_get_default(),
803 				br_rsa_pkcs1_sign_get_default());
804 			break;
805 		case BR_KEYTYPE_EC:
806 			br_ssl_server_set_single_ec(&cc.srv,
807 				chain, chain_len, &sk->key.ec,
808 				BR_KEYTYPE_KEYX | BR_KEYTYPE_SIGN,
809 				cert_signer_algo,
810 				br_ec_get_default(),
811 				br_ecdsa_sign_asn1_get_default());
812 			break;
813 		default:
814 			fprintf(stderr, "ERROR: unsupported"
815 				" private key type (%d)\n", sk->key_type);
816 			goto twrch_exit_error;
817 		}
818 	}
819 
820 	/*
821 	 * For a client, if a certificate was specified, use it.
822 	 */
823 	if (is_client && chain != NULL) {
824 		switch (sk->key_type) {
825 			unsigned usages;
826 
827 		case BR_KEYTYPE_RSA:
828 			br_ssl_client_set_single_rsa(&cc.cnt,
829 				chain, chain_len, &sk->key.rsa,
830 				br_rsa_pkcs1_sign_get_default());
831 			break;
832 		case BR_KEYTYPE_EC:
833 			if (nostaticecdh) {
834 				cert_signer_algo = 0;
835 				usages = BR_KEYTYPE_SIGN;
836 			} else {
837 				usages = BR_KEYTYPE_KEYX | BR_KEYTYPE_SIGN;
838 			}
839 			br_ssl_client_set_single_ec(&cc.cnt,
840 				chain, chain_len, &sk->key.ec,
841 				usages, cert_signer_algo,
842 				br_ec_get_default(),
843 				br_ecdsa_sign_asn1_get_default());
844 			break;
845 		default:
846 			fprintf(stderr, "ERROR: unsupported"
847 				" private key type (%d)\n", sk->key_type);
848 			goto twrch_exit_error;
849 		}
850 	}
851 
852 	/*
853 	 * On a client, or if trust anchors have been configured, then
854 	 * set an X.509 validation engine. If there are no trust anchors
855 	 * (client only), then a "no anchor" wrapper will be applied.
856 	 */
857 	if (is_client || VEC_LEN(anchors) != 0) {
858 		br_x509_minimal_init(&xc, dnhash,
859 			&VEC_ELT(anchors, 0), VEC_LEN(anchors));
860 		for (u = 0; hash_functions[u].name; u ++) {
861 			const br_hash_class *hc;
862 			int id;
863 
864 			hc = hash_functions[u].hclass;
865 			id = (hc->desc >> BR_HASHDESC_ID_OFF)
866 				& BR_HASHDESC_ID_MASK;
867 			if ((hfuns & ((unsigned)1 << id)) != 0) {
868 				br_x509_minimal_set_hash(&xc, id, hc);
869 			}
870 		}
871 		br_ssl_engine_set_default_rsavrfy(&cc.eng);
872 		br_ssl_engine_set_default_ecdsa(&cc.eng);
873 		br_x509_minimal_set_rsa(&xc, br_rsa_pkcs1_vrfy_get_default());
874 		br_x509_minimal_set_ecdsa(&xc,
875 			br_ec_get_default(), br_ecdsa_vrfy_asn1_get_default());
876 		br_ssl_engine_set_x509(&cc.eng, &xc.vtable);
877 
878 		if (VEC_LEN(anchors) == 0) {
879 			x509_noanchor_init(&xwc, &xc.vtable);
880 			br_ssl_engine_set_x509(&cc.eng, &xwc.vtable);
881 		} else {
882 			br_ssl_engine_set_x509(&cc.eng, &xc.vtable);
883 		}
884 		if (is_server) {
885 			br_ssl_server_set_trust_anchor_names_alt(&cc.srv,
886 				&VEC_ELT(anchors, 0), VEC_LEN(anchors));
887 		}
888 	}
889 
890 	/*
891 	 * Set I/O buffer.
892 	 */
893 	br_ssl_engine_set_buffer(&cc.eng, iobuf, iobuf_len, bidi);
894 
895 	/*
896 	 * Start the engine.
897 	 */
898 	if (is_client) {
899 		br_ssl_client_reset(&cc.cnt, sni, 0);
900 	}
901 	if (is_server) {
902 		br_ssl_server_reset(&cc.srv);
903 	}
904 
905 	/*
906 	 * On Unix systems, we want to ignore SIGPIPE: if the peer
907 	 * closes the connection abruptly, then we want to report it
908 	 * as a "normal" error (exit code = 1).
909 	 */
910 #ifndef _WIN32
911 	signal(SIGPIPE, SIG_IGN);
912 #endif
913 
914 	/*
915 	 * Initialize the callbacks for exchanging data over stdin and
916 	 * stdout.
917 	 */
918 	br_sslio_init(&ioc, &cc.eng, stdin_read, &trace, stdout_write, &trace);
919 
920 	/*
921 	 * Run the Twrch protocol.
922 	 */
923 	for (;;) {
924 		br_sha1_context sc;
925 		unsigned char hv[20], tmp[41];
926 		uint64_t count;
927 		int fb, i;
928 
929 		/*
930 		 * Read line, byte by byte, hashing it on the fly.
931 		 */
932 		br_sha1_init(&sc);
933 		count = 0;
934 		fb = 0;
935 		for (;;) {
936 			unsigned char x;
937 
938 			if (br_sslio_read(&ioc, &x, 1) < 0) {
939 				if (count == 0 && reconnect) {
940 					reconnect = 0;
941 					if (br_sslio_close(&ioc) < 0) {
942 						goto twrch_loop_finished;
943 					}
944 					if (is_client) {
945 						br_ssl_client_reset(
946 							&cc.cnt, sni, 1);
947 					}
948 					if (is_server) {
949 						br_ssl_server_reset(&cc.srv);
950 					}
951 					br_sslio_init(&ioc, &cc.eng,
952 						stdin_read, &trace,
953 						stdout_write, &trace);
954 					continue;
955 				}
956 				goto twrch_loop_finished;
957 			}
958 			if (count == 0) {
959 				fb = x;
960 			}
961 			if (x == 0x0A) {
962 				break;
963 			}
964 			br_sha1_update(&sc, &x, 1);
965 			count ++;
966 		}
967 		if (count == 1) {
968 			switch (fb) {
969 			case 'C':
970 				br_sslio_close(&ioc);
971 				goto twrch_loop_finished;
972 			case 'T':
973 				if (br_sslio_close(&ioc) < 0) {
974 					goto twrch_loop_finished;
975 				}
976 				if (is_client) {
977 					br_ssl_client_reset(&cc.cnt, sni, 1);
978 				}
979 				if (is_server) {
980 					br_ssl_server_reset(&cc.srv);
981 				}
982 				br_sslio_init(&ioc, &cc.eng,
983 					stdin_read, &trace,
984 					stdout_write, &trace);
985 				continue;
986 			case 'G':
987 				if (!br_ssl_engine_renegotiate(&cc.eng)) {
988 					br_sslio_write_all(&ioc, "DENIED\n", 7);
989 					br_sslio_flush(&ioc);
990 				} else {
991 					br_sslio_write_all(&ioc, "OK\n", 3);
992 					br_sslio_flush(&ioc);
993 				}
994 				continue;
995 			case 'R':
996 				reconnect = 1;
997 				br_sslio_write_all(&ioc, "OK\n", 3);
998 				br_sslio_flush(&ioc);
999 				continue;
1000 			case 'U':
1001 				if (is_client) {
1002 					br_ssl_client_forget_session(&cc.cnt);
1003 				}
1004 				if (is_server && cache != NULL) {
1005 					br_ssl_session_parameters pp;
1006 
1007 					br_ssl_engine_get_session_parameters(
1008 						&cc.eng, &pp);
1009 					if (pp.session_id_len == 32) {
1010 						br_ssl_session_cache_lru_forget(
1011 							&lru, pp.session_id);
1012 					}
1013 				}
1014 				br_sslio_write_all(&ioc, "DONE\n", 5);
1015 				br_sslio_flush(&ioc);
1016 				continue;
1017 			}
1018 		}
1019 		br_sha1_out(&sc, hv);
1020 		for (i = 0; i < 20; i ++) {
1021 			int x;
1022 
1023 			x = hv[i];
1024 			tmp[(i << 1) + 0] = "0123456789abcdef"[x >> 4];
1025 			tmp[(i << 1) + 1] = "0123456789abcdef"[x & 15];
1026 		}
1027 		tmp[40] = 0x0A;
1028 		br_sslio_write_all(&ioc, tmp, 41);
1029 		br_sslio_flush(&ioc);
1030 	}
1031 
1032 twrch_loop_finished:
1033 	if (br_ssl_engine_current_state(&cc.eng) == BR_SSL_CLOSED) {
1034 		int err;
1035 
1036 		err = br_ssl_engine_last_error(&cc.eng);
1037 		if (err == 0) {
1038 			retcode = 0;
1039 		} else {
1040 			if (verbose) {
1041 				print_error(err);
1042 			}
1043 			retcode = 1;
1044 		}
1045 	} else {
1046 		if (verbose) {
1047 			fprintf(stderr, "Engine not closed!\n");
1048 		}
1049 		retcode = 1;
1050 	}
1051 
1052 	/*
1053 	 * Release allocated structures.
1054 	 */
1055 twrch_exit:
1056 	xfree(suites);
1057 	xfree(suite_ids);
1058 	free_certificates(chain, chain_len);
1059 	free_private_key(sk);
1060 	VEC_CLEAREXT(anchors, &free_ta_contents);
1061 	VEC_CLEAREXT(alpn_names, &free_alpn);
1062 	xfree(iobuf);
1063 	xfree(cache);
1064 	return retcode;
1065 
1066 twrch_exit_error:
1067 	retcode = -1;
1068 	goto twrch_exit;
1069 }
1070