• Home
  • Line#
  • Scopes#
  • Navigate#
  • Raw
  • Download
1 /*
2  *  SSL client with options
3  *
4  *  Copyright The Mbed TLS Contributors
5  *  SPDX-License-Identifier: Apache-2.0
6  *
7  *  Licensed under the Apache License, Version 2.0 (the "License"); you may
8  *  not use this file except in compliance with the License.
9  *  You may obtain a copy of the License at
10  *
11  *  http://www.apache.org/licenses/LICENSE-2.0
12  *
13  *  Unless required by applicable law or agreed to in writing, software
14  *  distributed under the License is distributed on an "AS IS" BASIS, WITHOUT
15  *  WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
16  *  See the License for the specific language governing permissions and
17  *  limitations under the License.
18  */
19 
20 #define MBEDTLS_ALLOW_PRIVATE_ACCESS
21 
22 #include "ssl_test_lib.h"
23 
24 #if defined(MBEDTLS_SSL_TEST_IMPOSSIBLE)
main(void)25 int main(void)
26 {
27     mbedtls_printf(MBEDTLS_SSL_TEST_IMPOSSIBLE);
28     mbedtls_exit(0);
29 }
30 #elif !defined(MBEDTLS_SSL_SRV_C)
main(void)31 int main(void)
32 {
33     mbedtls_printf("MBEDTLS_SSL_SRV_C not defined.\n");
34     mbedtls_exit(0);
35 }
36 #else /* !MBEDTLS_SSL_TEST_IMPOSSIBLE && MBEDTLS_SSL_SRV_C */
37 
38 #include <stdint.h>
39 
40 #if !defined(_MSC_VER)
41 #include <inttypes.h>
42 #endif
43 
44 #if !defined(_WIN32)
45 #include <signal.h>
46 #endif
47 
48 #if defined(MBEDTLS_SSL_CACHE_C)
49 #include "mbedtls/ssl_cache.h"
50 #endif
51 
52 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C)
53 #include "mbedtls/ssl_ticket.h"
54 #endif
55 
56 #if defined(MBEDTLS_SSL_COOKIE_C)
57 #include "mbedtls/ssl_cookie.h"
58 #endif
59 
60 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION) && defined(MBEDTLS_FS_IO)
61 #define SNI_OPTION
62 #endif
63 
64 #if defined(_WIN32)
65 #include <windows.h>
66 #endif
67 
68 #if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
69 #include "test/psa_crypto_helpers.h"
70 #endif
71 
72 #include "mbedtls/pk.h"
73 
74 /* Size of memory to be allocated for the heap, when using the library's memory
75  * management and MBEDTLS_MEMORY_BUFFER_ALLOC_C is enabled. */
76 #define MEMORY_HEAP_SIZE        120000
77 
78 #define DFL_SERVER_ADDR         NULL
79 #define DFL_SERVER_PORT         "4433"
80 #define DFL_RESPONSE_SIZE       -1
81 #define DFL_DEBUG_LEVEL         0
82 #define DFL_NBIO                0
83 #define DFL_EVENT               0
84 #define DFL_READ_TIMEOUT        0
85 #define DFL_CA_FILE             ""
86 #define DFL_CA_PATH             ""
87 #define DFL_CRT_FILE            ""
88 #define DFL_KEY_FILE            ""
89 #define DFL_KEY_OPAQUE          0
90 #define DFL_KEY_PWD             ""
91 #define DFL_CRT_FILE2           ""
92 #define DFL_KEY_FILE2           ""
93 #define DFL_KEY_PWD2            ""
94 #define DFL_ASYNC_OPERATIONS    "-"
95 #define DFL_ASYNC_PRIVATE_DELAY1 (-1)
96 #define DFL_ASYNC_PRIVATE_DELAY2 (-1)
97 #define DFL_ASYNC_PRIVATE_ERROR  (0)
98 #define DFL_PSK                 ""
99 #define DFL_PSK_OPAQUE          0
100 #define DFL_PSK_LIST_OPAQUE     0
101 #define DFL_PSK_IDENTITY        "Client_identity"
102 #define DFL_ECJPAKE_PW          NULL
103 #define DFL_ECJPAKE_PW_OPAQUE   0
104 #define DFL_PSK_LIST            NULL
105 #define DFL_FORCE_CIPHER        0
106 #define DFL_TLS1_3_KEX_MODES    MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL
107 #define DFL_RENEGOTIATION       MBEDTLS_SSL_RENEGOTIATION_DISABLED
108 #define DFL_ALLOW_LEGACY        -2
109 #define DFL_RENEGOTIATE         0
110 #define DFL_RENEGO_DELAY        -2
111 #define DFL_RENEGO_PERIOD       ((uint64_t) -1)
112 #define DFL_EXCHANGES           1
113 #define DFL_MIN_VERSION         -1
114 #define DFL_MAX_VERSION         -1
115 #define DFL_SHA1                -1
116 #define DFL_CID_ENABLED         0
117 #define DFL_CID_VALUE           ""
118 #define DFL_CID_ENABLED_RENEGO  -1
119 #define DFL_CID_VALUE_RENEGO    NULL
120 #define DFL_AUTH_MODE           -1
121 #define DFL_CERT_REQ_CA_LIST    MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED
122 #define DFL_CERT_REQ_DN_HINT    0
123 #define DFL_MFL_CODE            MBEDTLS_SSL_MAX_FRAG_LEN_NONE
124 #define DFL_TRUNC_HMAC          -1
125 #define DFL_TICKETS             MBEDTLS_SSL_SESSION_TICKETS_ENABLED
126 #define DFL_DUMMY_TICKET        0
127 #define DFL_TICKET_ROTATE       0
128 #define DFL_TICKET_TIMEOUT      86400
129 #define DFL_TICKET_AEAD         MBEDTLS_CIPHER_AES_256_GCM
130 #define DFL_CACHE_MAX           -1
131 #define DFL_CACHE_TIMEOUT       -1
132 #define DFL_CACHE_REMOVE        0
133 #define DFL_SNI                 NULL
134 #define DFL_ALPN_STRING         NULL
135 #define DFL_CURVES              NULL
136 #define DFL_MAX_EARLY_DATA_SIZE 0
137 #define DFL_SIG_ALGS            NULL
138 #define DFL_DHM_FILE            NULL
139 #define DFL_TRANSPORT           MBEDTLS_SSL_TRANSPORT_STREAM
140 #define DFL_COOKIES             1
141 #define DFL_ANTI_REPLAY         -1
142 #define DFL_HS_TO_MIN           0
143 #define DFL_HS_TO_MAX           0
144 #define DFL_DTLS_MTU            -1
145 #define DFL_BADMAC_LIMIT        -1
146 #define DFL_DGRAM_PACKING        1
147 #define DFL_EXTENDED_MS         -1
148 #define DFL_ETM                 -1
149 #define DFL_SERIALIZE           0
150 #define DFL_CONTEXT_FILE        ""
151 #define DFL_EXTENDED_MS_ENFORCE -1
152 #define DFL_CA_CALLBACK         0
153 #define DFL_EAP_TLS             0
154 #define DFL_REPRODUCIBLE        0
155 #define DFL_NSS_KEYLOG          0
156 #define DFL_NSS_KEYLOG_FILE     NULL
157 #define DFL_QUERY_CONFIG_MODE   0
158 #define DFL_USE_SRTP            0
159 #define DFL_SRTP_FORCE_PROFILE  0
160 #define DFL_SRTP_SUPPORT_MKI    0
161 #define DFL_KEY_OPAQUE_ALG      "none"
162 
163 #define LONG_RESPONSE "<p>01-blah-blah-blah-blah-blah-blah-blah-blah-blah\r\n" \
164                       "02-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah\r\n"  \
165                       "03-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah\r\n"  \
166                       "04-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah\r\n"  \
167                       "05-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah\r\n"  \
168                       "06-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah\r\n"  \
169                       "07-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah-blah</p>\r\n"
170 
171 /* Uncomment LONG_RESPONSE at the end of HTTP_RESPONSE to test sending longer
172  * packets (for fragmentation purposes) */
173 #define HTTP_RESPONSE \
174     "HTTP/1.0 200 OK\r\nContent-Type: text/html\r\n\r\n" \
175     "<h2>mbed TLS Test Server</h2>\r\n" \
176     "<p>Successful connection using: %s</p>\r\n" // LONG_RESPONSE
177 
178 /*
179  * Size of the basic I/O buffer. Able to hold our default response.
180  */
181 #define DFL_IO_BUF_LEN      200
182 
183 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
184 #if defined(MBEDTLS_FS_IO)
185 #define USAGE_IO \
186     "    ca_file=%%s          The single file containing the top-level CA(s) you fully trust\n" \
187     "                        default: \"\" (pre-loaded)\n" \
188     "                        use \"none\" to skip loading any top-level CAs.\n" \
189     "    ca_path=%%s          The path containing the top-level CA(s) you fully trust\n" \
190     "                        default: \"\" (pre-loaded) (overrides ca_file)\n" \
191     "                        use \"none\" to skip loading any top-level CAs.\n" \
192     "    crt_file=%%s         Your own cert and chain (in bottom to top order, top may be omitted)\n" \
193     "                        default: see note after key_file2\n" \
194     "    key_file=%%s         default: see note after key_file2\n" \
195     "    key_pwd=%%s          Password for key specified by key_file argument\n" \
196     "                        default: none\n" \
197     "    crt_file2=%%s        Your second cert and chain (in bottom to top order, top may be omitted)\n" \
198     "                        default: see note after key_file2\n" \
199     "    key_file2=%%s        default: see note below\n" \
200     "                        note: if neither crt_file/key_file nor crt_file2/key_file2 are used,\n" \
201     "                              preloaded certificate(s) and key(s) are used if available\n" \
202     "    key_pwd2=%%s         Password for key specified by key_file2 argument\n" \
203     "                        default: none\n" \
204     "    dhm_file=%%s        File containing Diffie-Hellman parameters\n" \
205     "                       default: preloaded parameters\n"
206 #else
207 #define USAGE_IO \
208     "\n"                                                    \
209     "    No file operations available (MBEDTLS_FS_IO not defined)\n" \
210     "\n"
211 #endif /* MBEDTLS_FS_IO */
212 #else
213 #define USAGE_IO ""
214 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
215 #if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
216 #define USAGE_KEY_OPAQUE \
217     "    key_opaque=%%d       Handle your private keys as if they were opaque\n" \
218     "                        default: 0 (disabled)\n"
219 #else
220 #define USAGE_KEY_OPAQUE ""
221 #endif
222 
223 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
224 #define USAGE_SSL_ASYNC \
225     "    async_operations=%%c...   d=decrypt, s=sign (default: -=off)\n" \
226     "    async_private_delay1=%%d  Asynchronous delay for key_file or preloaded key\n" \
227     "    async_private_delay2=%%d  Asynchronous delay for key_file2 and sni\n" \
228     "                              default: -1 (not asynchronous)\n" \
229     "    async_private_error=%%d   Async callback error injection (default=0=none,\n" \
230     "                              1=start, 2=cancel, 3=resume, negative=first time only)"
231 #else
232 #define USAGE_SSL_ASYNC ""
233 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
234 
235 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
236 #define USAGE_CID \
237     "    cid=%%d             Disable (0) or enable (1) the use of the DTLS Connection ID extension.\n" \
238     "                       default: 0 (disabled)\n"     \
239     "    cid_renego=%%d      Disable (0) or enable (1) the use of the DTLS Connection ID extension during renegotiation.\n" \
240     "                       default: same as 'cid' parameter\n"     \
241     "    cid_val=%%s          The CID to use for incoming messages (in hex, without 0x).\n"  \
242     "                        default: \"\"\n" \
243     "    cid_val_renego=%%s   The CID to use for incoming messages (in hex, without 0x) after renegotiation.\n"  \
244     "                        default: same as 'cid_val' parameter\n"
245 #else /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
246 #define USAGE_CID ""
247 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
248 
249 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
250 #define USAGE_PSK_RAW                                               \
251     "    psk=%%s              default: \"\" (disabled)\n"     \
252     "                          The PSK values are in hex, without 0x.\n" \
253     "    psk_list=%%s         default: \"\"\n"                          \
254     "                          A list of (PSK identity, PSK value) pairs.\n" \
255     "                          The PSK values are in hex, without 0x.\n" \
256     "                          id1,psk1[,id2,psk2[,...]]\n"             \
257     "    psk_identity=%%s     default: \"Client_identity\"\n"
258 #if defined(MBEDTLS_USE_PSA_CRYPTO)
259 #define USAGE_PSK_SLOT                          \
260     "    psk_opaque=%%d       default: 0 (don't use opaque static PSK)\n"     \
261     "                          Enable this to store the PSK configured through command line\n" \
262     "                          parameter `psk` in a PSA-based key slot.\n" \
263     "                          Note: Currently only supported in conjunction with\n"                  \
264     "                          the use of min_version to force TLS 1.2 and force_ciphersuite \n"      \
265     "                          to force a particular PSK-only ciphersuite.\n"                         \
266     "                          Note: This is to test integration of PSA-based opaque PSKs with\n"     \
267     "                          Mbed TLS only. Production systems are likely to configure Mbed TLS\n"  \
268     "                          with prepopulated key slots instead of importing raw key material.\n" \
269     "    psk_list_opaque=%%d  default: 0 (don't use opaque dynamic PSKs)\n"     \
270     "                          Enable this to store the list of dynamically chosen PSKs configured\n" \
271     "                          through the command line parameter `psk_list` in PSA-based key slots.\n" \
272     "                          Note: Currently only supported in conjunction with\n" \
273     "                          the use of min_version to force TLS 1.2 and force_ciphersuite \n" \
274     "                          to force a particular PSK-only ciphersuite.\n" \
275     "                          Note: This is to test integration of PSA-based opaque PSKs with\n" \
276     "                          Mbed TLS only. Production systems are likely to configure Mbed TLS\n" \
277     "                          with prepopulated key slots instead of importing raw key material.\n"
278 #else
279 #define USAGE_PSK_SLOT ""
280 #endif /* MBEDTLS_USE_PSA_CRYPTO */
281 #define USAGE_PSK USAGE_PSK_RAW USAGE_PSK_SLOT
282 #else
283 #define USAGE_PSK ""
284 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
285 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
286 #define USAGE_CA_CALLBACK                       \
287     "   ca_callback=%%d       default: 0 (disabled)\n"      \
288     "                         Enable this to use the trusted certificate callback function\n"
289 #else
290 #define USAGE_CA_CALLBACK ""
291 #endif /* MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK */
292 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C)
293 #define USAGE_TICKETS                                       \
294     "    tickets=%%d          default: 1 (enabled)\n"       \
295     "    ticket_rotate=%%d    default: 0 (disabled)\n"      \
296     "    ticket_timeout=%%d   default: 86400 (one day)\n"   \
297     "    ticket_aead=%%s      default: \"AES-256-GCM\"\n"
298 #else
299 #define USAGE_TICKETS ""
300 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_TICKET_C */
301 
302 #define USAGE_EAP_TLS                                       \
303     "    eap_tls=%%d          default: 0 (disabled)\n"
304 #define USAGE_NSS_KEYLOG                                    \
305     "    nss_keylog=%%d          default: 0 (disabled)\n"   \
306     "                             This cannot be used with eap_tls=1\n"
307 #define USAGE_NSS_KEYLOG_FILE                               \
308     "    nss_keylog_file=%%s\n"
309 #if defined(MBEDTLS_SSL_DTLS_SRTP)
310 #define USAGE_SRTP \
311     "    use_srtp=%%d         default: 0 (disabled)\n" \
312     "    srtp_force_profile=%%d  default: 0 (all enabled)\n"   \
313     "                        available profiles:\n"       \
314     "                        1 - SRTP_AES128_CM_HMAC_SHA1_80\n"  \
315     "                        2 - SRTP_AES128_CM_HMAC_SHA1_32\n"  \
316     "                        3 - SRTP_NULL_HMAC_SHA1_80\n"       \
317     "                        4 - SRTP_NULL_HMAC_SHA1_32\n"       \
318     "    support_mki=%%d     default: 0 (not supported)\n"
319 #else /* MBEDTLS_SSL_DTLS_SRTP */
320 #define USAGE_SRTP ""
321 #endif
322 
323 #if defined(MBEDTLS_SSL_CACHE_C)
324 #define USAGE_CACHE                                             \
325     "    cache_max=%%d        default: cache default (50)\n"    \
326     "    cache_remove=%%d     default: 0 (don't remove)\n"
327 #if defined(MBEDTLS_HAVE_TIME)
328 #define USAGE_CACHE_TIME \
329     "    cache_timeout=%%d    default: cache default (1d)\n"
330 #else
331 #define USAGE_CACHE_TIME ""
332 #endif
333 #else
334 #define USAGE_CACHE ""
335 #define USAGE_CACHE_TIME ""
336 #endif /* MBEDTLS_SSL_CACHE_C */
337 
338 #if defined(SNI_OPTION)
339 #if defined(MBEDTLS_X509_CRL_PARSE_C)
340 #define SNI_CRL              ",crl"
341 #else
342 #define SNI_CRL              ""
343 #endif
344 
345 #define USAGE_SNI                                                           \
346     "    sni=%%s              name1,cert1,key1,ca1"SNI_CRL ",auth1[,...]\n"  \
347                                                            "                        default: disabled\n"
348 #else
349 #define USAGE_SNI ""
350 #endif /* SNI_OPTION */
351 
352 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
353 #define USAGE_MAX_FRAG_LEN                                      \
354     "    max_frag_len=%%d     default: 16384 (tls default)\n"   \
355     "                        options: 512, 1024, 2048, 4096\n"
356 #else
357 #define USAGE_MAX_FRAG_LEN ""
358 #endif /* MBEDTLS_SSL_MAX_FRAGMENT_LENGTH */
359 
360 #if defined(MBEDTLS_SSL_ALPN)
361 #define USAGE_ALPN \
362     "    alpn=%%s             default: \"\" (disabled)\n"   \
363     "                        example: spdy/1,http/1.1\n"
364 #else
365 #define USAGE_ALPN ""
366 #endif /* MBEDTLS_SSL_ALPN */
367 
368 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
369 #define USAGE_COOKIES \
370     "    cookies=0/1/-1      default: 1 (enabled)\n"        \
371     "                        0: disabled, -1: library default (broken)\n"
372 #else
373 #define USAGE_COOKIES ""
374 #endif
375 
376 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
377 #define USAGE_ANTI_REPLAY \
378     "    anti_replay=0/1     default: (library default: enabled)\n"
379 #else
380 #define USAGE_ANTI_REPLAY ""
381 #endif
382 
383 #define USAGE_BADMAC_LIMIT \
384     "    badmac_limit=%%d     default: (library default: disabled)\n"
385 
386 #if defined(MBEDTLS_SSL_PROTO_DTLS)
387 #define USAGE_DTLS \
388     "    dtls=%%d             default: 0 (TLS)\n"                           \
389     "    hs_timeout=%%d-%%d    default: (library default: 1000-60000)\n"    \
390     "                        range of DTLS handshake timeouts in millisecs\n" \
391     "    mtu=%%d              default: (library default: unlimited)\n"  \
392     "    dgram_packing=%%d    default: 1 (allowed)\n"                   \
393     "                        allow or forbid packing of multiple\n" \
394     "                        records within a single datgram.\n"
395 #else
396 #define USAGE_DTLS ""
397 #endif
398 
399 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
400 #define USAGE_EMS \
401     "    extended_ms=0/1     default: (library default: on)\n"
402 #else
403 #define USAGE_EMS ""
404 #endif
405 
406 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
407 #define USAGE_ETM \
408     "    etm=0/1             default: (library default: on)\n"
409 #else
410 #define USAGE_ETM ""
411 #endif
412 
413 #define USAGE_REPRODUCIBLE \
414     "    reproducible=0/1     default: 0 (disabled)\n"
415 
416 #if defined(MBEDTLS_SSL_RENEGOTIATION)
417 #define USAGE_RENEGO \
418     "    renegotiation=%%d    default: 0 (disabled)\n"      \
419     "    renegotiate=%%d      default: 0 (disabled)\n"      \
420     "    renego_delay=%%d     default: -2 (library default)\n" \
421     "    renego_period=%%d    default: (2^64 - 1 for TLS, 2^48 - 1 for DTLS)\n"
422 #else
423 #define USAGE_RENEGO ""
424 #endif
425 
426 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
427 #if defined(MBEDTLS_USE_PSA_CRYPTO)
428 #define USAGE_ECJPAKE \
429     "    ecjpake_pw=%%s           default: none (disabled)\n"   \
430     "    ecjpake_pw_opaque=%%d    default: 0 (disabled)\n"
431 #else /* MBEDTLS_USE_PSA_CRYPTO */
432 #define USAGE_ECJPAKE \
433     "    ecjpake_pw=%%s           default: none (disabled)\n"
434 #endif /* MBEDTLS_USE_PSA_CRYPTO */
435 #else /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
436 #define USAGE_ECJPAKE ""
437 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
438 
439 #if defined(MBEDTLS_SSL_EARLY_DATA)
440 #define USAGE_EARLY_DATA \
441     "    max_early_data_size=%%d default: -1 (disabled)\n"             \
442     "                            options: -1 (disabled), "           \
443     "                                     >= 0 (enabled, max amount of early data )\n"
444 #else
445 #define USAGE_EARLY_DATA ""
446 #endif /* MBEDTLS_SSL_EARLY_DATA */
447 
448 #if defined(MBEDTLS_ECP_C)
449 #define USAGE_CURVES \
450     "    curves=a,b,c,d      default: \"default\" (library default)\n"  \
451     "                        example: \"secp521r1,brainpoolP512r1\"\n"  \
452     "                        - use \"none\" for empty list\n"           \
453     "                        - see mbedtls_ecp_curve_list()\n"          \
454     "                          for acceptable curve names\n"
455 #else
456 #define USAGE_CURVES ""
457 #endif
458 
459 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
460 #define USAGE_SIG_ALGS \
461     "    sig_algs=a,b,c,d      default: \"default\" (library default)\n"  \
462     "                          example: \"ecdsa_secp256r1_sha256,ecdsa_secp384r1_sha384\"\n"
463 #else
464 #define USAGE_SIG_ALGS ""
465 #endif
466 
467 #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
468 #define USAGE_SERIALIZATION \
469     "    serialize=%%d        default: 0 (do not serialize/deserialize)\n"     \
470     "                        options: 1 (serialize)\n"                         \
471     "                                 2 (serialize with re-initialization)\n"  \
472     "    context_file=%%s     The file path to write a serialized connection\n" \
473     "                        in the form of base64 code (serialize option\n"   \
474     "                        must be set)\n"                                   \
475     "                         default: \"\" (do nothing)\n"                    \
476     "                         option: a file path\n"
477 #else
478 #define USAGE_SERIALIZATION ""
479 #endif
480 
481 #define USAGE_KEY_OPAQUE_ALGS \
482     "    key_opaque_algs=%%s  Allowed opaque key 1 algorithms.\n"                      \
483     "                        comma-separated pair of values among the following:\n"    \
484     "                        rsa-sign-pkcs1, rsa-sign-pss, rsa-sign-pss-sha256,\n"     \
485     "                        rsa-sign-pss-sha384, rsa-sign-pss-sha512, rsa-decrypt,\n" \
486     "                        ecdsa-sign, ecdh, none (only acceptable for\n"            \
487     "                        the second value).\n"                                     \
488     "    key_opaque_algs2=%%s Allowed opaque key 2 algorithms.\n"                      \
489     "                        comma-separated pair of values among the following:\n"    \
490     "                        rsa-sign-pkcs1, rsa-sign-pss, rsa-sign-pss-sha256,\n"     \
491     "                        rsa-sign-pss-sha384, rsa-sign-pss-sha512, rsa-decrypt,\n" \
492     "                        ecdsa-sign, ecdh, none (only acceptable for\n"            \
493     "                        the second value).\n"
494 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
495 #define USAGE_TLS1_3_KEY_EXCHANGE_MODES \
496     "    tls13_kex_modes=%%s   default: all\n"     \
497     "                          options: psk, psk_ephemeral, psk_all, ephemeral,\n"  \
498     "                                   ephemeral_all, all, psk_or_ephemeral\n"
499 #else
500 #define USAGE_TLS1_3_KEY_EXCHANGE_MODES ""
501 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
502 
503 
504 /* USAGE is arbitrarily split to stay under the portable string literal
505  * length limit: 4095 bytes in C99. */
506 #define USAGE1 \
507     "\n usage: ssl_server2 param=<>...\n"                   \
508     "\n acceptable parameters:\n"                           \
509     "    server_addr=%%s      default: (all interfaces)\n"  \
510     "    server_port=%%d      default: 4433\n"              \
511     "    debug_level=%%d      default: 0 (disabled)\n"      \
512     "    build_version=%%d    default: none (disabled)\n"                     \
513     "                        option: 1 (print build version only and stop)\n" \
514     "    buffer_size=%%d      default: 200 \n" \
515     "                         (minimum: 1)\n" \
516     "    response_size=%%d    default: about 152 (basic response)\n" \
517     "                          (minimum: 0, max: 16384)\n" \
518     "                          increases buffer_size if bigger\n" \
519     "    nbio=%%d             default: 0 (blocking I/O)\n"  \
520     "                        options: 1 (non-blocking), 2 (added delays)\n" \
521     "    event=%%d            default: 0 (loop)\n"                            \
522     "                        options: 1 (level-triggered, implies nbio=1),\n" \
523     "    read_timeout=%%d     default: 0 ms (no timeout)\n"    \
524     "\n"                                                    \
525     USAGE_DTLS                                              \
526     USAGE_SRTP                                              \
527     USAGE_COOKIES                                           \
528     USAGE_ANTI_REPLAY                                       \
529     USAGE_BADMAC_LIMIT                                      \
530     "\n"
531 #define USAGE2 \
532     "    auth_mode=%%s        default: (library default: none)\n"      \
533     "                        options: none, optional, required\n" \
534     "    cert_req_ca_list=%%d default: 1 (send ca list)\n"  \
535     "                        options: 1 (send ca list), 0 (don't send)\n" \
536     "                                 2 (send conf dn hint), 3 (send hs dn hint)\n" \
537     USAGE_IO                                                \
538     USAGE_KEY_OPAQUE                                        \
539     "\n"                                                    \
540     USAGE_PSK                                               \
541     USAGE_CA_CALLBACK                                       \
542     USAGE_ECJPAKE                                           \
543     "\n"
544 #define USAGE3 \
545     "    allow_legacy=%%d     default: (library default: no)\n"      \
546     USAGE_RENEGO                                            \
547     "    exchanges=%%d        default: 1\n"                 \
548     "\n"                                                    \
549     USAGE_TICKETS                                           \
550     USAGE_EAP_TLS                                           \
551     USAGE_REPRODUCIBLE                                      \
552     USAGE_NSS_KEYLOG                                        \
553     USAGE_NSS_KEYLOG_FILE                                   \
554     USAGE_CACHE                                             \
555     USAGE_CACHE_TIME                                        \
556     USAGE_MAX_FRAG_LEN                                      \
557     USAGE_ALPN                                              \
558     USAGE_EMS                                               \
559     USAGE_ETM                                               \
560     USAGE_CURVES                                            \
561     USAGE_SIG_ALGS                                          \
562     USAGE_KEY_OPAQUE_ALGS                                   \
563     "\n"
564 
565 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
566 #define TLS1_3_VERSION_OPTIONS  ", tls13"
567 #else /* MBEDTLS_SSL_PROTO_TLS1_3 */
568 #define TLS1_3_VERSION_OPTIONS  ""
569 #endif /* !MBEDTLS_SSL_PROTO_TLS1_3 */
570 
571 #define USAGE4 \
572     USAGE_SSL_ASYNC                                         \
573     USAGE_SNI                                               \
574     "    allow_sha1=%%d       default: 0\n"                                   \
575     "    min_version=%%s      default: (library default: tls12)\n"            \
576     "    max_version=%%s      default: (library default: tls12)\n"            \
577     "    force_version=%%s    default: \"\" (none)\n"                         \
578     "                         options: tls12, dtls12" TLS1_3_VERSION_OPTIONS  \
579     "\n\n"                                                                    \
580     "    force_ciphersuite=<name>    default: all enabled\n"                  \
581     USAGE_TLS1_3_KEY_EXCHANGE_MODES                                           \
582     "    query_config=<name>         return 0 if the specified\n"             \
583     "                                configuration macro is defined and 1\n"  \
584     "                                otherwise. The expansion of the macro\n" \
585     "                                is printed if it is defined\n"           \
586     USAGE_SERIALIZATION                                                       \
587     " acceptable ciphersuite names:\n"
588 
589 #define ALPN_LIST_SIZE    10
590 #define CURVE_LIST_SIZE   20
591 #define SIG_ALG_LIST_SIZE 5
592 
593 #define PUT_UINT64_BE(out_be, in_le, i)                                   \
594     {                                                                       \
595         (out_be)[(i) + 0] = (unsigned char) (((in_le) >> 56) & 0xFF);    \
596         (out_be)[(i) + 1] = (unsigned char) (((in_le) >> 48) & 0xFF);    \
597         (out_be)[(i) + 2] = (unsigned char) (((in_le) >> 40) & 0xFF);    \
598         (out_be)[(i) + 3] = (unsigned char) (((in_le) >> 32) & 0xFF);    \
599         (out_be)[(i) + 4] = (unsigned char) (((in_le) >> 24) & 0xFF);    \
600         (out_be)[(i) + 5] = (unsigned char) (((in_le) >> 16) & 0xFF);    \
601         (out_be)[(i) + 6] = (unsigned char) (((in_le) >> 8) & 0xFF);    \
602         (out_be)[(i) + 7] = (unsigned char) (((in_le) >> 0) & 0xFF);    \
603     }
604 
605 /* This is global so it can be easily accessed by callback functions */
606 rng_context_t rng;
607 
608 /*
609  * global options
610  */
611 struct options {
612     const char *server_addr;    /* address on which the ssl service runs    */
613     const char *server_port;    /* port on which the ssl service runs       */
614     int debug_level;            /* level of debugging                       */
615     int nbio;                   /* should I/O be blocking?                  */
616     int event;                  /* loop or event-driven IO? level or edge triggered? */
617     uint32_t read_timeout;      /* timeout on mbedtls_ssl_read() in milliseconds    */
618     int response_size;          /* pad response with header to requested size */
619     uint16_t buffer_size;       /* IO buffer size */
620     const char *ca_file;        /* the file with the CA certificate(s)      */
621     const char *ca_path;        /* the path with the CA certificate(s) reside */
622     const char *crt_file;       /* the file with the server certificate     */
623     const char *key_file;       /* the file with the server key             */
624     int key_opaque;             /* handle private key as if it were opaque  */
625     const char *key_pwd;        /* the password for the server key          */
626     const char *crt_file2;      /* the file with the 2nd server certificate */
627     const char *key_file2;      /* the file with the 2nd server key         */
628     const char *key_pwd2;       /* the password for the 2nd server key      */
629     const char *async_operations; /* supported SSL asynchronous operations  */
630     int async_private_delay1;   /* number of times f_async_resume needs to be called for key 1, or -1 for no async */
631     int async_private_delay2;   /* number of times f_async_resume needs to be called for key 2, or -1 for no async */
632     int async_private_error;    /* inject error in async private callback */
633 #if defined(MBEDTLS_USE_PSA_CRYPTO)
634     int psk_opaque;
635     int psk_list_opaque;
636 #endif
637 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
638     int ca_callback;            /* Use callback for trusted certificate list */
639 #endif
640     const char *psk;            /* the pre-shared key                       */
641     const char *psk_identity;   /* the pre-shared key identity              */
642     char *psk_list;             /* list of PSK id/key pairs for callback    */
643     const char *ecjpake_pw;     /* the EC J-PAKE password                   */
644 #if defined(MBEDTLS_USE_PSA_CRYPTO)
645     int ecjpake_pw_opaque;      /* set to 1 to use the opaque method for setting the password */
646 #endif
647     int force_ciphersuite[2];   /* protocol/ciphersuite to use, or all      */
648 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
649     int tls13_kex_modes;        /* supported TLS 1.3 key exchange modes     */
650 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
651     int renegotiation;          /* enable / disable renegotiation           */
652     int allow_legacy;           /* allow legacy renegotiation               */
653     int renegotiate;            /* attempt renegotiation?                   */
654     int renego_delay;           /* delay before enforcing renegotiation     */
655     uint64_t renego_period;     /* period for automatic renegotiation       */
656     int exchanges;              /* number of data exchanges                 */
657     int min_version;            /* minimum protocol version accepted        */
658     int max_version;            /* maximum protocol version accepted        */
659     int allow_sha1;             /* flag for SHA-1 support                   */
660     int auth_mode;              /* verify mode for connection               */
661     int cert_req_ca_list;       /* should we send the CA list?              */
662     int cert_req_dn_hint;       /* mode to set DN hints for CA list to send */
663     unsigned char mfl_code;     /* code for maximum fragment length         */
664     int trunc_hmac;             /* accept truncated hmac?                   */
665     int tickets;                /* enable / disable session tickets         */
666     int dummy_ticket;           /* enable / disable dummy ticket generator  */
667     int ticket_rotate;          /* session ticket rotate (code coverage)    */
668     int ticket_timeout;         /* session ticket lifetime                  */
669     int ticket_aead;            /* session ticket protection                */
670     int cache_max;              /* max number of session cache entries      */
671 #if defined(MBEDTLS_HAVE_TIME)
672     int cache_timeout;          /* expiration delay of session cache entries*/
673 #endif
674     int cache_remove;           /* enable / disable cache removement        */
675     char *sni;                  /* string describing sni information        */
676     const char *curves;         /* list of supported elliptic curves        */
677     const char *sig_algs;       /* supported TLS 1.3 signature algorithms   */
678     const char *alpn_string;    /* ALPN supported protocols                 */
679     const char *dhm_file;       /* the file with the DH parameters          */
680     int extended_ms;            /* allow negotiation of extended MS?        */
681     int etm;                    /* allow negotiation of encrypt-then-MAC?   */
682     int transport;              /* TLS or DTLS?                             */
683     int cookies;                /* Use cookies for DTLS? -1 to break them   */
684     int anti_replay;            /* Use anti-replay for DTLS? -1 for default */
685     uint32_t hs_to_min;         /* Initial value of DTLS handshake timer    */
686     uint32_t hs_to_max;         /* Max value of DTLS handshake timer        */
687     int dtls_mtu;               /* UDP Maximum transport unit for DTLS       */
688     int dgram_packing;          /* allow/forbid datagram packing            */
689     int badmac_limit;           /* Limit of records with bad MAC            */
690     int eap_tls;                /* derive EAP-TLS keying material?          */
691     int nss_keylog;             /* export NSS key log material              */
692     const char *nss_keylog_file; /* NSS key log file                        */
693     int cid_enabled;            /* whether to use the CID extension or not  */
694     int cid_enabled_renego;     /* whether to use the CID extension or not
695                                  * during renegotiation                     */
696     const char *cid_val;        /* the CID to use for incoming messages     */
697     int serialize;              /* serialize/deserialize connection         */
698     const char *context_file;   /* the file to write a serialized connection
699                                  * in the form of base64 code (serialize
700                                  * option must be set)                      */
701     const char *cid_val_renego; /* the CID to use for incoming messages
702                                  * after renegotiation                      */
703     int reproducible;           /* make communication reproducible          */
704     uint32_t max_early_data_size; /* max amount of early data               */
705     int query_config_mode;      /* whether to read config                   */
706     int use_srtp;               /* Support SRTP                             */
707     int force_srtp_profile;     /* SRTP protection profile to use or all    */
708     int support_mki;            /* The dtls mki mki support                 */
709     const char *key1_opaque_alg1; /* Allowed opaque key 1 alg 1            */
710     const char *key1_opaque_alg2; /* Allowed opaque key 1 alg 2            */
711     const char *key2_opaque_alg1; /* Allowed opaque key 2 alg 1            */
712     const char *key2_opaque_alg2; /* Allowed opaque key 2 alg 2            */
713 } opt;
714 
715 #include "ssl_test_common_source.c"
716 
717 /*
718  * Return authmode from string, or -1 on error
719  */
get_auth_mode(const char * s)720 static int get_auth_mode(const char *s)
721 {
722     if (strcmp(s, "none") == 0) {
723         return MBEDTLS_SSL_VERIFY_NONE;
724     }
725     if (strcmp(s, "optional") == 0) {
726         return MBEDTLS_SSL_VERIFY_OPTIONAL;
727     }
728     if (strcmp(s, "required") == 0) {
729         return MBEDTLS_SSL_VERIFY_REQUIRED;
730     }
731 
732     return -1;
733 }
734 
735 /*
736  * Used by sni_parse and psk_parse to handle comma-separated lists
737  */
738 #define GET_ITEM(dst)         \
739     do                          \
740     {                           \
741         (dst) = p;              \
742         while (*p != ',')      \
743         if (++p > end)     \
744         goto error;     \
745         *p++ = '\0';            \
746     } while (0)
747 
748 #if defined(SNI_OPTION)
749 typedef struct _sni_entry sni_entry;
750 
751 struct _sni_entry {
752     const char *name;
753     mbedtls_x509_crt *cert;
754     mbedtls_pk_context *key;
755     mbedtls_x509_crt *ca;
756     mbedtls_x509_crl *crl;
757     int authmode;
758     sni_entry *next;
759 };
760 
sni_free(sni_entry * head)761 void sni_free(sni_entry *head)
762 {
763     sni_entry *cur = head, *next;
764 
765     while (cur != NULL) {
766         mbedtls_x509_crt_free(cur->cert);
767         mbedtls_free(cur->cert);
768 
769         mbedtls_pk_free(cur->key);
770         mbedtls_free(cur->key);
771 
772         mbedtls_x509_crt_free(cur->ca);
773         mbedtls_free(cur->ca);
774 #if defined(MBEDTLS_X509_CRL_PARSE_C)
775         mbedtls_x509_crl_free(cur->crl);
776         mbedtls_free(cur->crl);
777 #endif
778         next = cur->next;
779         mbedtls_free(cur);
780         cur = next;
781     }
782 }
783 
784 /*
785  * Parse a string of sextuples name1,crt1,key1,ca1,crl1,auth1[,...]
786  * into a usable sni_entry list. For ca1, crl1, auth1, the special value
787  * '-' means unset. If ca1 is unset, then crl1 is ignored too.
788  *
789  * Modifies the input string! This is not production quality!
790  */
sni_parse(char * sni_string)791 sni_entry *sni_parse(char *sni_string)
792 {
793     sni_entry *cur = NULL, *new = NULL;
794     char *p = sni_string;
795     char *end = p;
796     char *crt_file, *key_file, *ca_file, *auth_str;
797 #if defined(MBEDTLS_X509_CRL_PARSE_C)
798     char *crl_file;
799 #endif
800 
801     while (*end != '\0') {
802         ++end;
803     }
804     *end = ',';
805 
806     while (p <= end) {
807         if ((new = mbedtls_calloc(1, sizeof(sni_entry))) == NULL) {
808             sni_free(cur);
809             return NULL;
810         }
811 
812         GET_ITEM(new->name);
813         GET_ITEM(crt_file);
814         GET_ITEM(key_file);
815         GET_ITEM(ca_file);
816 #if defined(MBEDTLS_X509_CRL_PARSE_C)
817         GET_ITEM(crl_file);
818 #endif
819         GET_ITEM(auth_str);
820 
821         if ((new->cert = mbedtls_calloc(1, sizeof(mbedtls_x509_crt))) == NULL ||
822             (new->key = mbedtls_calloc(1, sizeof(mbedtls_pk_context))) == NULL) {
823             goto error;
824         }
825 
826         mbedtls_x509_crt_init(new->cert);
827         mbedtls_pk_init(new->key);
828 
829         if (mbedtls_x509_crt_parse_file(new->cert, crt_file) != 0 ||
830             mbedtls_pk_parse_keyfile(new->key, key_file, "", rng_get, &rng) != 0) {
831             goto error;
832         }
833 
834         if (strcmp(ca_file, "-") != 0) {
835             if ((new->ca = mbedtls_calloc(1, sizeof(mbedtls_x509_crt))) == NULL) {
836                 goto error;
837             }
838 
839             mbedtls_x509_crt_init(new->ca);
840 
841             if (mbedtls_x509_crt_parse_file(new->ca, ca_file) != 0) {
842                 goto error;
843             }
844         }
845 
846 #if defined(MBEDTLS_X509_CRL_PARSE_C)
847         if (strcmp(crl_file, "-") != 0) {
848             if ((new->crl = mbedtls_calloc(1, sizeof(mbedtls_x509_crl))) == NULL) {
849                 goto error;
850             }
851 
852             mbedtls_x509_crl_init(new->crl);
853 
854             if (mbedtls_x509_crl_parse_file(new->crl, crl_file) != 0) {
855                 goto error;
856             }
857         }
858 #endif
859 
860         if (strcmp(auth_str, "-") != 0) {
861             if ((new->authmode = get_auth_mode(auth_str)) < 0) {
862                 goto error;
863             }
864         } else {
865             new->authmode = DFL_AUTH_MODE;
866         }
867 
868         new->next = cur;
869         cur = new;
870     }
871 
872     return cur;
873 
874 error:
875     sni_free(new);
876     sni_free(cur);
877     return NULL;
878 }
879 
880 /*
881  * SNI callback.
882  */
sni_callback(void * p_info,mbedtls_ssl_context * ssl,const unsigned char * name,size_t name_len)883 int sni_callback(void *p_info, mbedtls_ssl_context *ssl,
884                  const unsigned char *name, size_t name_len)
885 {
886     const sni_entry *cur = (const sni_entry *) p_info;
887 
888     /* preserve behavior which checks for SNI match in sni_callback() for
889      * the benefits of tests using sni_callback(), even though the actual
890      * certificate assignment has moved to certificate selection callback
891      * in this application.  This exercises sni_callback and cert_callback
892      * even though real applications might choose to do this differently.
893      * Application might choose to save name and name_len in user_data for
894      * later use in certificate selection callback.
895      */
896     while (cur != NULL) {
897         if (name_len == strlen(cur->name) &&
898             memcmp(name, cur->name, name_len) == 0) {
899             void *p;
900             *(const void **)&p = cur;
901             mbedtls_ssl_set_user_data_p(ssl, p);
902             return 0;
903         }
904 
905         cur = cur->next;
906     }
907 
908     return -1;
909 }
910 
911 /*
912  * server certificate selection callback.
913  */
cert_callback(mbedtls_ssl_context * ssl)914 int cert_callback(mbedtls_ssl_context *ssl)
915 {
916     const sni_entry *cur = (sni_entry *) mbedtls_ssl_get_user_data_p(ssl);
917     if (cur != NULL) {
918         /*(exercise mbedtls_ssl_get_hs_sni(); not otherwise used here)*/
919         size_t name_len;
920         const unsigned char *name = mbedtls_ssl_get_hs_sni(ssl, &name_len);
921         if (strlen(cur->name) != name_len ||
922             memcmp(cur->name, name, name_len) != 0) {
923             return MBEDTLS_ERR_SSL_DECODE_ERROR;
924         }
925 
926         if (cur->ca != NULL) {
927             mbedtls_ssl_set_hs_ca_chain(ssl, cur->ca, cur->crl);
928         }
929 
930         if (cur->authmode != DFL_AUTH_MODE) {
931             mbedtls_ssl_set_hs_authmode(ssl, cur->authmode);
932         }
933 
934         return mbedtls_ssl_set_hs_own_cert(ssl, cur->cert, cur->key);
935     }
936 
937     return 0;
938 }
939 
940 #endif /* SNI_OPTION */
941 
942 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
943 
944 typedef struct _psk_entry psk_entry;
945 
946 struct _psk_entry {
947     const char *name;
948     size_t key_len;
949     unsigned char key[MBEDTLS_PSK_MAX_LEN];
950 #if defined(MBEDTLS_USE_PSA_CRYPTO)
951     mbedtls_svc_key_id_t slot;
952 #endif /* MBEDTLS_USE_PSA_CRYPTO */
953     psk_entry *next;
954 };
955 
956 /*
957  * Free a list of psk_entry's
958  */
psk_free(psk_entry * head)959 int psk_free(psk_entry *head)
960 {
961     psk_entry *next;
962 
963     while (head != NULL) {
964 #if defined(MBEDTLS_USE_PSA_CRYPTO)
965         psa_status_t status;
966         mbedtls_svc_key_id_t const slot = head->slot;
967 
968         if (MBEDTLS_SVC_KEY_ID_GET_KEY_ID(slot) != 0) {
969             status = psa_destroy_key(slot);
970             if (status != PSA_SUCCESS) {
971                 return status;
972             }
973         }
974 #endif /* MBEDTLS_USE_PSA_CRYPTO */
975 
976         next = head->next;
977         mbedtls_free(head);
978         head = next;
979     }
980 
981     return 0;
982 }
983 
984 /*
985  * Parse a string of pairs name1,key1[,name2,key2[,...]]
986  * into a usable psk_entry list.
987  *
988  * Modifies the input string! This is not production quality!
989  */
psk_parse(char * psk_string)990 psk_entry *psk_parse(char *psk_string)
991 {
992     psk_entry *cur = NULL, *new = NULL;
993     char *p = psk_string;
994     char *end = p;
995     char *key_hex;
996 
997     while (*end != '\0') {
998         ++end;
999     }
1000     *end = ',';
1001 
1002     while (p <= end) {
1003         if ((new = mbedtls_calloc(1, sizeof(psk_entry))) == NULL) {
1004             goto error;
1005         }
1006 
1007         memset(new, 0, sizeof(psk_entry));
1008 
1009         GET_ITEM(new->name);
1010         GET_ITEM(key_hex);
1011 
1012         if (mbedtls_test_unhexify(new->key, MBEDTLS_PSK_MAX_LEN,
1013                                   key_hex, &new->key_len) != 0) {
1014             goto error;
1015         }
1016 
1017         new->next = cur;
1018         cur = new;
1019     }
1020 
1021     return cur;
1022 
1023 error:
1024     psk_free(new);
1025     psk_free(cur);
1026     return 0;
1027 }
1028 
1029 /*
1030  * PSK callback
1031  */
psk_callback(void * p_info,mbedtls_ssl_context * ssl,const unsigned char * name,size_t name_len)1032 int psk_callback(void *p_info, mbedtls_ssl_context *ssl,
1033                  const unsigned char *name, size_t name_len)
1034 {
1035     psk_entry *cur = (psk_entry *) p_info;
1036 
1037     while (cur != NULL) {
1038         if (name_len == strlen(cur->name) &&
1039             memcmp(name, cur->name, name_len) == 0) {
1040 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1041             if (MBEDTLS_SVC_KEY_ID_GET_KEY_ID(cur->slot) != 0) {
1042                 return mbedtls_ssl_set_hs_psk_opaque(ssl, cur->slot);
1043             } else
1044 #endif
1045             return mbedtls_ssl_set_hs_psk(ssl, cur->key, cur->key_len);
1046         }
1047 
1048         cur = cur->next;
1049     }
1050 
1051     return -1;
1052 }
1053 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
1054 
1055 static mbedtls_net_context listen_fd, client_fd;
1056 
1057 /* Interruption handler to ensure clean exit (for valgrind testing) */
1058 #if !defined(_WIN32)
1059 static int received_sigterm = 0;
term_handler(int sig)1060 void term_handler(int sig)
1061 {
1062     ((void) sig);
1063     received_sigterm = 1;
1064     mbedtls_net_free(&listen_fd);   /* causes mbedtls_net_accept() to abort */
1065     mbedtls_net_free(&client_fd);   /* causes net_read() to abort */
1066 }
1067 #endif
1068 
1069 /** Return true if \p ret is a status code indicating that there is an
1070  * operation in progress on an SSL connection, and false if it indicates
1071  * success or a fatal error.
1072  *
1073  * The possible operations in progress are:
1074  *
1075  * - A read, when the SSL input buffer does not contain a full message.
1076  * - A write, when the SSL output buffer contains some data that has not
1077  *   been sent over the network yet.
1078  * - An asynchronous callback that has not completed yet. */
mbedtls_status_is_ssl_in_progress(int ret)1079 static int mbedtls_status_is_ssl_in_progress(int ret)
1080 {
1081     return ret == MBEDTLS_ERR_SSL_WANT_READ ||
1082            ret == MBEDTLS_ERR_SSL_WANT_WRITE ||
1083            ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS;
1084 }
1085 
1086 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
1087 typedef struct {
1088     mbedtls_x509_crt *cert; /*!< Certificate corresponding to the key */
1089     mbedtls_pk_context *pk; /*!< Private key */
1090     unsigned delay; /*!< Number of resume steps to go through */
1091     unsigned pk_owned : 1; /*!< Whether to free the pk object on exit */
1092 } ssl_async_key_slot_t;
1093 
1094 typedef enum {
1095     SSL_ASYNC_INJECT_ERROR_NONE = 0, /*!< Let the callbacks succeed */
1096     SSL_ASYNC_INJECT_ERROR_START, /*!< Inject error during start */
1097     SSL_ASYNC_INJECT_ERROR_CANCEL, /*!< Close the connection after async start */
1098     SSL_ASYNC_INJECT_ERROR_RESUME, /*!< Inject error during resume */
1099 #define SSL_ASYNC_INJECT_ERROR_MAX SSL_ASYNC_INJECT_ERROR_RESUME
1100 } ssl_async_inject_error_t;
1101 
1102 typedef struct {
1103     ssl_async_key_slot_t slots[4]; /* key, key2, sni1, sni2 */
1104     size_t slots_used;
1105     ssl_async_inject_error_t inject_error;
1106     int (*f_rng)(void *, unsigned char *, size_t);
1107     void *p_rng;
1108 } ssl_async_key_context_t;
1109 
ssl_async_set_key(ssl_async_key_context_t * ctx,mbedtls_x509_crt * cert,mbedtls_pk_context * pk,int pk_take_ownership,unsigned delay)1110 int ssl_async_set_key(ssl_async_key_context_t *ctx,
1111                       mbedtls_x509_crt *cert,
1112                       mbedtls_pk_context *pk,
1113                       int pk_take_ownership,
1114                       unsigned delay)
1115 {
1116     if (ctx->slots_used >= sizeof(ctx->slots) / sizeof(*ctx->slots)) {
1117         return -1;
1118     }
1119     ctx->slots[ctx->slots_used].cert = cert;
1120     ctx->slots[ctx->slots_used].pk = pk;
1121     ctx->slots[ctx->slots_used].delay = delay;
1122     ctx->slots[ctx->slots_used].pk_owned = pk_take_ownership;
1123     ++ctx->slots_used;
1124     return 0;
1125 }
1126 
1127 #define SSL_ASYNC_INPUT_MAX_SIZE 512
1128 
1129 typedef enum {
1130     ASYNC_OP_SIGN,
1131     ASYNC_OP_DECRYPT,
1132 } ssl_async_operation_type_t;
1133 
1134 typedef struct {
1135     unsigned slot;
1136     ssl_async_operation_type_t operation_type;
1137     mbedtls_md_type_t md_alg;
1138     unsigned char input[SSL_ASYNC_INPUT_MAX_SIZE];
1139     size_t input_len;
1140     unsigned remaining_delay;
1141 } ssl_async_operation_context_t;
1142 
1143 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
1144 
1145 /* Note that ssl_async_operation_type_t and the array below need to be kept in sync!
1146  * `ssl_async_operation_names[op]` is the name of op for each value `op`
1147  * of type `ssl_async_operation_type_t`. */
1148 static const char *const ssl_async_operation_names[] =
1149 {
1150     "sign",
1151     "decrypt",
1152 };
1153 
ssl_async_start(mbedtls_ssl_context * ssl,mbedtls_x509_crt * cert,ssl_async_operation_type_t op_type,mbedtls_md_type_t md_alg,const unsigned char * input,size_t input_len)1154 static int ssl_async_start(mbedtls_ssl_context *ssl,
1155                            mbedtls_x509_crt *cert,
1156                            ssl_async_operation_type_t op_type,
1157                            mbedtls_md_type_t md_alg,
1158                            const unsigned char *input,
1159                            size_t input_len)
1160 {
1161     ssl_async_key_context_t *config_data =
1162         mbedtls_ssl_conf_get_async_config_data(ssl->conf);
1163     unsigned slot;
1164     ssl_async_operation_context_t *ctx = NULL;
1165     const char *op_name = ssl_async_operation_names[op_type];
1166 
1167     {
1168         char dn[100];
1169         if (mbedtls_x509_dn_gets(dn, sizeof(dn), &cert->subject) > 0) {
1170             mbedtls_printf("Async %s callback: looking for DN=%s\n",
1171                            op_name, dn);
1172         }
1173     }
1174 
1175     /* Look for a private key that matches the public key in cert.
1176      * Since this test code has the private key inside Mbed TLS,
1177      * we call mbedtls_pk_check_pair to match a private key with the
1178      * public key. */
1179     for (slot = 0; slot < config_data->slots_used; slot++) {
1180         if (mbedtls_pk_check_pair(&cert->pk,
1181                                   config_data->slots[slot].pk,
1182                                   rng_get, &rng) == 0) {
1183             break;
1184         }
1185     }
1186     if (slot == config_data->slots_used) {
1187         mbedtls_printf("Async %s callback: no key matches this certificate.\n",
1188                        op_name);
1189         return MBEDTLS_ERR_SSL_HW_ACCEL_FALLTHROUGH;
1190     }
1191     mbedtls_printf("Async %s callback: using key slot %u, delay=%u.\n",
1192                    op_name, slot, config_data->slots[slot].delay);
1193 
1194     if (config_data->inject_error == SSL_ASYNC_INJECT_ERROR_START) {
1195         mbedtls_printf("Async %s callback: injected error\n", op_name);
1196         return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
1197     }
1198 
1199     if (input_len > SSL_ASYNC_INPUT_MAX_SIZE) {
1200         return MBEDTLS_ERR_SSL_BAD_INPUT_DATA;
1201     }
1202 
1203     ctx = mbedtls_calloc(1, sizeof(*ctx));
1204     if (ctx == NULL) {
1205         return MBEDTLS_ERR_SSL_ALLOC_FAILED;
1206     }
1207     ctx->slot = slot;
1208     ctx->operation_type = op_type;
1209     ctx->md_alg = md_alg;
1210     memcpy(ctx->input, input, input_len);
1211     ctx->input_len = input_len;
1212     ctx->remaining_delay = config_data->slots[slot].delay;
1213     mbedtls_ssl_set_async_operation_data(ssl, ctx);
1214 
1215     if (ctx->remaining_delay == 0) {
1216         return 0;
1217     } else {
1218         return MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS;
1219     }
1220 }
1221 
ssl_async_sign(mbedtls_ssl_context * ssl,mbedtls_x509_crt * cert,mbedtls_md_type_t md_alg,const unsigned char * hash,size_t hash_len)1222 static int ssl_async_sign(mbedtls_ssl_context *ssl,
1223                           mbedtls_x509_crt *cert,
1224                           mbedtls_md_type_t md_alg,
1225                           const unsigned char *hash,
1226                           size_t hash_len)
1227 {
1228     return ssl_async_start(ssl, cert,
1229                            ASYNC_OP_SIGN, md_alg,
1230                            hash, hash_len);
1231 }
1232 
ssl_async_decrypt(mbedtls_ssl_context * ssl,mbedtls_x509_crt * cert,const unsigned char * input,size_t input_len)1233 static int ssl_async_decrypt(mbedtls_ssl_context *ssl,
1234                              mbedtls_x509_crt *cert,
1235                              const unsigned char *input,
1236                              size_t input_len)
1237 {
1238     return ssl_async_start(ssl, cert,
1239                            ASYNC_OP_DECRYPT, MBEDTLS_MD_NONE,
1240                            input, input_len);
1241 }
1242 
ssl_async_resume(mbedtls_ssl_context * ssl,unsigned char * output,size_t * output_len,size_t output_size)1243 static int ssl_async_resume(mbedtls_ssl_context *ssl,
1244                             unsigned char *output,
1245                             size_t *output_len,
1246                             size_t output_size)
1247 {
1248     ssl_async_operation_context_t *ctx = mbedtls_ssl_get_async_operation_data(ssl);
1249     ssl_async_key_context_t *config_data =
1250         mbedtls_ssl_conf_get_async_config_data(ssl->conf);
1251     ssl_async_key_slot_t *key_slot = &config_data->slots[ctx->slot];
1252     int ret;
1253     const char *op_name;
1254 
1255     if (ctx->remaining_delay > 0) {
1256         --ctx->remaining_delay;
1257         mbedtls_printf("Async resume (slot %u): call %u more times.\n",
1258                        ctx->slot, ctx->remaining_delay);
1259         return MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS;
1260     }
1261 
1262     switch (ctx->operation_type) {
1263         case ASYNC_OP_DECRYPT:
1264             ret = mbedtls_pk_decrypt(key_slot->pk,
1265                                      ctx->input, ctx->input_len,
1266                                      output, output_len, output_size,
1267                                      config_data->f_rng, config_data->p_rng);
1268             break;
1269         case ASYNC_OP_SIGN:
1270             ret = mbedtls_pk_sign(key_slot->pk,
1271                                   ctx->md_alg,
1272                                   ctx->input, ctx->input_len,
1273                                   output, output_size, output_len,
1274                                   config_data->f_rng, config_data->p_rng);
1275             break;
1276         default:
1277             mbedtls_printf(
1278                 "Async resume (slot %u): unknown operation type %ld. This shouldn't happen.\n",
1279                 ctx->slot,
1280                 (long) ctx->operation_type);
1281             mbedtls_free(ctx);
1282             return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
1283             break;
1284     }
1285 
1286     op_name = ssl_async_operation_names[ctx->operation_type];
1287 
1288     if (config_data->inject_error == SSL_ASYNC_INJECT_ERROR_RESUME) {
1289         mbedtls_printf("Async resume callback: %s done but injected error\n",
1290                        op_name);
1291         mbedtls_free(ctx);
1292         return MBEDTLS_ERR_PK_FEATURE_UNAVAILABLE;
1293     }
1294 
1295     mbedtls_printf("Async resume (slot %u): %s done, status=%d.\n",
1296                    ctx->slot, op_name, ret);
1297     mbedtls_free(ctx);
1298     return ret;
1299 }
1300 
ssl_async_cancel(mbedtls_ssl_context * ssl)1301 static void ssl_async_cancel(mbedtls_ssl_context *ssl)
1302 {
1303     ssl_async_operation_context_t *ctx = mbedtls_ssl_get_async_operation_data(ssl);
1304     mbedtls_printf("Async cancel callback.\n");
1305     mbedtls_free(ctx);
1306 }
1307 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
1308 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
1309 
1310 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1311 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
psa_setup_psk_key_slot(mbedtls_svc_key_id_t * slot,psa_algorithm_t alg,unsigned char * psk,size_t psk_len)1312 static psa_status_t psa_setup_psk_key_slot(mbedtls_svc_key_id_t *slot,
1313                                            psa_algorithm_t alg,
1314                                            unsigned char *psk,
1315                                            size_t psk_len)
1316 {
1317     psa_status_t status;
1318     psa_key_attributes_t key_attributes;
1319 
1320     key_attributes = psa_key_attributes_init();
1321     psa_set_key_usage_flags(&key_attributes, PSA_KEY_USAGE_DERIVE);
1322     psa_set_key_algorithm(&key_attributes, alg);
1323     psa_set_key_type(&key_attributes, PSA_KEY_TYPE_DERIVE);
1324 
1325     status = psa_import_key(&key_attributes, psk, psk_len, slot);
1326     if (status != PSA_SUCCESS) {
1327         fprintf(stderr, "IMPORT\n");
1328         return status;
1329     }
1330 
1331     return PSA_SUCCESS;
1332 }
1333 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
1334 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1335 
1336 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
report_cid_usage(mbedtls_ssl_context * ssl,const char * additional_description)1337 int report_cid_usage(mbedtls_ssl_context *ssl,
1338                      const char *additional_description)
1339 {
1340     int ret;
1341     unsigned char peer_cid[MBEDTLS_SSL_CID_OUT_LEN_MAX];
1342     size_t peer_cid_len;
1343     int cid_negotiated;
1344 
1345     if (opt.transport != MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
1346         return 0;
1347     }
1348 
1349     /* Check if the use of a CID has been negotiated */
1350     ret = mbedtls_ssl_get_peer_cid(ssl, &cid_negotiated,
1351                                    peer_cid, &peer_cid_len);
1352     if (ret != 0) {
1353         mbedtls_printf(" failed\n  ! mbedtls_ssl_get_peer_cid returned -0x%x\n\n",
1354                        (unsigned int) -ret);
1355         return ret;
1356     }
1357 
1358     if (cid_negotiated == MBEDTLS_SSL_CID_DISABLED) {
1359         if (opt.cid_enabled == MBEDTLS_SSL_CID_ENABLED) {
1360             mbedtls_printf("(%s) Use of Connection ID was not offered by client.\n",
1361                            additional_description);
1362         }
1363     } else {
1364         size_t idx = 0;
1365         mbedtls_printf("(%s) Use of Connection ID has been negotiated.\n",
1366                        additional_description);
1367         mbedtls_printf("(%s) Peer CID (length %u Bytes): ",
1368                        additional_description,
1369                        (unsigned) peer_cid_len);
1370         while (idx < peer_cid_len) {
1371             mbedtls_printf("%02x ", peer_cid[idx]);
1372             idx++;
1373         }
1374         mbedtls_printf("\n");
1375     }
1376 
1377     return 0;
1378 }
1379 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
1380 
1381 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_HAVE_TIME)
put_unaligned_uint32(void * p,uint32_t x)1382 static inline void put_unaligned_uint32(void *p, uint32_t x)
1383 {
1384     memcpy(p, &x, sizeof(x));
1385 }
1386 
1387 /* Functions for session ticket tests */
dummy_ticket_write(void * p_ticket,const mbedtls_ssl_session * session,unsigned char * start,const unsigned char * end,size_t * tlen,uint32_t * ticket_lifetime)1388 int dummy_ticket_write(void *p_ticket, const mbedtls_ssl_session *session,
1389                        unsigned char *start, const unsigned char *end,
1390                        size_t *tlen, uint32_t *ticket_lifetime)
1391 {
1392     int ret;
1393     unsigned char *p = start;
1394     size_t clear_len;
1395     ((void) p_ticket);
1396 
1397     if (end - p < 4) {
1398         return MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL;
1399     }
1400     put_unaligned_uint32(p, 7 * 24 * 3600);
1401     *ticket_lifetime = 7 * 24 * 3600;
1402     p += 4;
1403 
1404     /* Dump session state */
1405     if ((ret = mbedtls_ssl_session_save(session, p, end - p,
1406                                         &clear_len)) != 0) {
1407         return ret;
1408     }
1409 
1410     *tlen = 4 + clear_len;
1411 
1412     return 0;
1413 }
1414 
dummy_ticket_parse(void * p_ticket,mbedtls_ssl_session * session,unsigned char * buf,size_t len)1415 int dummy_ticket_parse(void *p_ticket, mbedtls_ssl_session *session,
1416                        unsigned char *buf, size_t len)
1417 {
1418     int ret;
1419     ((void) p_ticket);
1420 
1421     if ((ret = mbedtls_ssl_session_load(session, buf + 4, len - 4)) != 0) {
1422         return ret;
1423     }
1424 
1425     switch (opt.dummy_ticket % 11) {
1426         case 1:
1427             return MBEDTLS_ERR_SSL_INVALID_MAC;
1428         case 2:
1429             return MBEDTLS_ERR_SSL_SESSION_TICKET_EXPIRED;
1430         case 3:
1431             session->start = mbedtls_time(NULL) + 10;
1432             break;
1433         case 4:
1434             session->start = mbedtls_time(NULL) - 10 - 7 * 24 * 3600;
1435             break;
1436         case 5:
1437             session->start = mbedtls_time(NULL) - 10;
1438             break;
1439         case 6:
1440             session->start = mbedtls_time(NULL);
1441 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
1442             session->ticket_age_add -= 1000;
1443 #endif
1444             break;
1445 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
1446         case 7:
1447             session->ticket_flags = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_NONE;
1448             break;
1449         case 8:
1450             session->ticket_flags = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
1451             break;
1452         case 9:
1453             session->ticket_flags = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
1454             break;
1455         case 10:
1456             session->ticket_flags = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL;
1457             break;
1458 #endif
1459         default:
1460             break;
1461     }
1462 
1463     return ret;
1464 }
1465 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_HAVE_TIME */
1466 
main(int argc,char * argv[])1467 int main(int argc, char *argv[])
1468 {
1469     int ret = 0, len, written, frags, exchanges_left;
1470     int query_config_ret = 0;
1471     io_ctx_t io_ctx;
1472     unsigned char *buf = 0;
1473 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
1474 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1475     psa_algorithm_t alg = 0;
1476     mbedtls_svc_key_id_t psk_slot = MBEDTLS_SVC_KEY_ID_INIT;
1477 #endif /* MBEDTLS_USE_PSA_CRYPTO */
1478     unsigned char psk[MBEDTLS_PSK_MAX_LEN];
1479     size_t psk_len = 0;
1480     psk_entry *psk_info = NULL;
1481 #endif
1482     const char *pers = "ssl_server2";
1483     unsigned char client_ip[16] = { 0 };
1484     size_t cliip_len;
1485 #if defined(MBEDTLS_SSL_COOKIE_C)
1486     mbedtls_ssl_cookie_ctx cookie_ctx;
1487 #endif
1488 
1489     mbedtls_ssl_context ssl;
1490     mbedtls_ssl_config conf;
1491 #if defined(MBEDTLS_TIMING_C)
1492     mbedtls_timing_delay_context timer;
1493 #endif
1494 #if defined(MBEDTLS_SSL_RENEGOTIATION)
1495     unsigned char renego_period[8] = { 0 };
1496 #endif
1497 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
1498     uint32_t flags;
1499     mbedtls_x509_crt cacert;
1500     mbedtls_x509_crt srvcert;
1501     mbedtls_pk_context pkey;
1502     mbedtls_x509_crt srvcert2;
1503     mbedtls_pk_context pkey2;
1504     mbedtls_x509_crt_profile crt_profile_for_test = mbedtls_x509_crt_profile_default;
1505 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1506     mbedtls_svc_key_id_t key_slot = MBEDTLS_SVC_KEY_ID_INIT; /* invalid key slot */
1507     mbedtls_svc_key_id_t key_slot2 = MBEDTLS_SVC_KEY_ID_INIT; /* invalid key slot */
1508 #endif
1509     int key_cert_init = 0, key_cert_init2 = 0;
1510 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
1511 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
1512     ssl_async_key_context_t ssl_async_keys;
1513 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
1514 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_FS_IO)
1515     mbedtls_dhm_context dhm;
1516 #endif
1517 #if defined(MBEDTLS_SSL_CACHE_C)
1518     mbedtls_ssl_cache_context cache;
1519 #endif
1520 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C)
1521     mbedtls_ssl_ticket_context ticket_ctx;
1522 #endif /* MBEDTLS_SSL_SESSION_TICKETS && MBEDTLS_SSL_TICKET_C */
1523 #if defined(SNI_OPTION)
1524     sni_entry *sni_info = NULL;
1525 #endif
1526 #if defined(MBEDTLS_ECP_C)
1527     uint16_t group_list[CURVE_LIST_SIZE];
1528     const mbedtls_ecp_curve_info *curve_cur;
1529 #endif
1530 #if defined(MBEDTLS_SSL_ALPN)
1531     const char *alpn_list[ALPN_LIST_SIZE];
1532 #endif
1533 #if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
1534     unsigned char alloc_buf[MEMORY_HEAP_SIZE];
1535 #endif
1536 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
1537     unsigned char cid[MBEDTLS_SSL_CID_IN_LEN_MAX];
1538     unsigned char cid_renego[MBEDTLS_SSL_CID_IN_LEN_MAX];
1539     size_t cid_len = 0;
1540     size_t cid_renego_len = 0;
1541 #endif
1542 #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
1543     unsigned char *context_buf = NULL;
1544     size_t context_buf_len = 0;
1545 #endif
1546 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \
1547     defined(MBEDTLS_USE_PSA_CRYPTO)
1548     mbedtls_svc_key_id_t ecjpake_pw_slot = MBEDTLS_SVC_KEY_ID_INIT; /* ecjpake password key slot */
1549 #endif /* MBEDTLS_USE_PSA_CRYPTO && MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
1550 
1551 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
1552     uint16_t sig_alg_list[SIG_ALG_LIST_SIZE];
1553 #endif
1554 
1555     int i;
1556     char *p, *q;
1557     const int *list;
1558 #if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
1559     psa_status_t status;
1560 #endif
1561     unsigned char eap_tls_keymaterial[16];
1562     unsigned char eap_tls_iv[8];
1563     const char *eap_tls_label = "client EAP encryption";
1564     eap_tls_keys eap_tls_keying;
1565 #if defined(MBEDTLS_SSL_DTLS_SRTP)
1566     /*! master keys and master salt for SRTP generated during handshake */
1567     unsigned char dtls_srtp_key_material[MBEDTLS_TLS_SRTP_MAX_KEY_MATERIAL_LENGTH];
1568     const char *dtls_srtp_label = "EXTRACTOR-dtls_srtp";
1569     dtls_srtp_keys dtls_srtp_keying;
1570     const mbedtls_ssl_srtp_profile default_profiles[] = {
1571         MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_80,
1572         MBEDTLS_TLS_SRTP_AES128_CM_HMAC_SHA1_32,
1573         MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_80,
1574         MBEDTLS_TLS_SRTP_NULL_HMAC_SHA1_32,
1575         MBEDTLS_TLS_SRTP_UNSET
1576     };
1577 #endif /* MBEDTLS_SSL_DTLS_SRTP */
1578 
1579 #if defined(MBEDTLS_SSL_EARLY_DATA)
1580     int tls13_early_data_enabled = MBEDTLS_SSL_EARLY_DATA_DISABLED;
1581 #endif
1582 #if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
1583     mbedtls_memory_buffer_alloc_init(alloc_buf, sizeof(alloc_buf));
1584 #if defined(MBEDTLS_MEMORY_DEBUG)
1585     size_t current_heap_memory, peak_heap_memory, heap_blocks;
1586 #endif  /* MBEDTLS_MEMORY_DEBUG */
1587 #endif  /* MBEDTLS_MEMORY_BUFFER_ALLOC_C */
1588 
1589 #if defined(MBEDTLS_TEST_HOOKS)
1590     test_hooks_init();
1591 #endif /* MBEDTLS_TEST_HOOKS */
1592 
1593     /*
1594      * Make sure memory references are valid in case we exit early.
1595      */
1596     mbedtls_net_init(&client_fd);
1597     mbedtls_net_init(&listen_fd);
1598     mbedtls_ssl_init(&ssl);
1599     mbedtls_ssl_config_init(&conf);
1600     rng_init(&rng);
1601 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
1602     mbedtls_x509_crt_init(&cacert);
1603     mbedtls_x509_crt_init(&srvcert);
1604     mbedtls_pk_init(&pkey);
1605     mbedtls_x509_crt_init(&srvcert2);
1606     mbedtls_pk_init(&pkey2);
1607 #endif
1608 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
1609     memset(&ssl_async_keys, 0, sizeof(ssl_async_keys));
1610 #endif
1611 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_FS_IO)
1612     mbedtls_dhm_init(&dhm);
1613 #endif
1614 #if defined(MBEDTLS_SSL_CACHE_C)
1615     mbedtls_ssl_cache_init(&cache);
1616 #endif
1617 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C)
1618     mbedtls_ssl_ticket_init(&ticket_ctx);
1619 #endif
1620 #if defined(MBEDTLS_SSL_ALPN)
1621     memset((void *) alpn_list, 0, sizeof(alpn_list));
1622 #endif
1623 #if defined(MBEDTLS_SSL_COOKIE_C)
1624     mbedtls_ssl_cookie_init(&cookie_ctx);
1625 #endif
1626 
1627 #if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
1628     status = psa_crypto_init();
1629     if (status != PSA_SUCCESS) {
1630         mbedtls_fprintf(stderr, "Failed to initialize PSA Crypto implementation: %d\n",
1631                         (int) status);
1632         ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
1633         goto exit;
1634     }
1635 #endif  /* MBEDTLS_USE_PSA_CRYPTO */
1636 #if defined(MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG)
1637     mbedtls_test_enable_insecure_external_rng();
1638 #endif  /* MBEDTLS_PSA_CRYPTO_EXTERNAL_RNG */
1639 
1640 #if !defined(_WIN32)
1641     /* Abort cleanly on SIGTERM and SIGINT */
1642     signal(SIGTERM, term_handler);
1643     signal(SIGINT, term_handler);
1644 #endif
1645 
1646     if (argc < 2) {
1647 usage:
1648         if (ret == 0) {
1649             ret = 1;
1650         }
1651 
1652         mbedtls_printf(USAGE1);
1653         mbedtls_printf(USAGE2);
1654         mbedtls_printf(USAGE3);
1655         mbedtls_printf(USAGE4);
1656 
1657         list = mbedtls_ssl_list_ciphersuites();
1658         while (*list) {
1659             mbedtls_printf(" %-42s", mbedtls_ssl_get_ciphersuite_name(*list));
1660             list++;
1661             if (!*list) {
1662                 break;
1663             }
1664             mbedtls_printf(" %s\n", mbedtls_ssl_get_ciphersuite_name(*list));
1665             list++;
1666         }
1667         mbedtls_printf("\n");
1668         goto exit;
1669     }
1670 
1671     opt.buffer_size         = DFL_IO_BUF_LEN;
1672     opt.server_addr         = DFL_SERVER_ADDR;
1673     opt.server_port         = DFL_SERVER_PORT;
1674     opt.debug_level         = DFL_DEBUG_LEVEL;
1675     opt.event               = DFL_EVENT;
1676     opt.response_size       = DFL_RESPONSE_SIZE;
1677     opt.nbio                = DFL_NBIO;
1678     opt.cid_enabled         = DFL_CID_ENABLED;
1679     opt.cid_enabled_renego  = DFL_CID_ENABLED_RENEGO;
1680     opt.cid_val             = DFL_CID_VALUE;
1681     opt.cid_val_renego      = DFL_CID_VALUE_RENEGO;
1682     opt.read_timeout        = DFL_READ_TIMEOUT;
1683     opt.ca_file             = DFL_CA_FILE;
1684     opt.ca_path             = DFL_CA_PATH;
1685     opt.crt_file            = DFL_CRT_FILE;
1686     opt.key_file            = DFL_KEY_FILE;
1687     opt.key_opaque          = DFL_KEY_OPAQUE;
1688     opt.key_pwd             = DFL_KEY_PWD;
1689     opt.crt_file2           = DFL_CRT_FILE2;
1690     opt.key_file2           = DFL_KEY_FILE2;
1691     opt.key_pwd2            = DFL_KEY_PWD2;
1692     opt.async_operations    = DFL_ASYNC_OPERATIONS;
1693     opt.async_private_delay1 = DFL_ASYNC_PRIVATE_DELAY1;
1694     opt.async_private_delay2 = DFL_ASYNC_PRIVATE_DELAY2;
1695     opt.async_private_error = DFL_ASYNC_PRIVATE_ERROR;
1696     opt.psk                 = DFL_PSK;
1697 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1698     opt.psk_opaque          = DFL_PSK_OPAQUE;
1699     opt.psk_list_opaque     = DFL_PSK_LIST_OPAQUE;
1700 #endif
1701 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
1702     opt.ca_callback         = DFL_CA_CALLBACK;
1703 #endif
1704     opt.psk_identity        = DFL_PSK_IDENTITY;
1705     opt.psk_list            = DFL_PSK_LIST;
1706     opt.ecjpake_pw          = DFL_ECJPAKE_PW;
1707 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1708     opt.ecjpake_pw_opaque   = DFL_ECJPAKE_PW_OPAQUE;
1709 #endif
1710     opt.force_ciphersuite[0] = DFL_FORCE_CIPHER;
1711 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
1712     opt.tls13_kex_modes     = DFL_TLS1_3_KEX_MODES;
1713 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
1714     opt.renegotiation       = DFL_RENEGOTIATION;
1715     opt.allow_legacy        = DFL_ALLOW_LEGACY;
1716     opt.renegotiate         = DFL_RENEGOTIATE;
1717     opt.renego_delay        = DFL_RENEGO_DELAY;
1718     opt.renego_period       = DFL_RENEGO_PERIOD;
1719     opt.exchanges           = DFL_EXCHANGES;
1720     opt.min_version         = DFL_MIN_VERSION;
1721     opt.max_version         = DFL_MAX_VERSION;
1722     opt.allow_sha1          = DFL_SHA1;
1723     opt.auth_mode           = DFL_AUTH_MODE;
1724     opt.cert_req_ca_list    = DFL_CERT_REQ_CA_LIST;
1725     opt.cert_req_dn_hint    = DFL_CERT_REQ_DN_HINT;
1726     opt.mfl_code            = DFL_MFL_CODE;
1727     opt.trunc_hmac          = DFL_TRUNC_HMAC;
1728     opt.tickets             = DFL_TICKETS;
1729     opt.dummy_ticket        = DFL_DUMMY_TICKET;
1730     opt.ticket_rotate       = DFL_TICKET_ROTATE;
1731     opt.ticket_timeout      = DFL_TICKET_TIMEOUT;
1732     opt.ticket_aead         = DFL_TICKET_AEAD;
1733     opt.cache_max           = DFL_CACHE_MAX;
1734 #if defined(MBEDTLS_HAVE_TIME)
1735     opt.cache_timeout       = DFL_CACHE_TIMEOUT;
1736 #endif
1737     opt.cache_remove        = DFL_CACHE_REMOVE;
1738     opt.sni                 = DFL_SNI;
1739     opt.alpn_string         = DFL_ALPN_STRING;
1740     opt.curves              = DFL_CURVES;
1741     opt.max_early_data_size = DFL_MAX_EARLY_DATA_SIZE;
1742     opt.sig_algs            = DFL_SIG_ALGS;
1743     opt.dhm_file            = DFL_DHM_FILE;
1744     opt.transport           = DFL_TRANSPORT;
1745     opt.cookies             = DFL_COOKIES;
1746     opt.anti_replay         = DFL_ANTI_REPLAY;
1747     opt.hs_to_min           = DFL_HS_TO_MIN;
1748     opt.hs_to_max           = DFL_HS_TO_MAX;
1749     opt.dtls_mtu            = DFL_DTLS_MTU;
1750     opt.dgram_packing       = DFL_DGRAM_PACKING;
1751     opt.badmac_limit        = DFL_BADMAC_LIMIT;
1752     opt.extended_ms         = DFL_EXTENDED_MS;
1753     opt.etm                 = DFL_ETM;
1754     opt.serialize           = DFL_SERIALIZE;
1755     opt.context_file        = DFL_CONTEXT_FILE;
1756     opt.eap_tls             = DFL_EAP_TLS;
1757     opt.reproducible        = DFL_REPRODUCIBLE;
1758     opt.nss_keylog          = DFL_NSS_KEYLOG;
1759     opt.nss_keylog_file     = DFL_NSS_KEYLOG_FILE;
1760     opt.query_config_mode   = DFL_QUERY_CONFIG_MODE;
1761     opt.use_srtp            = DFL_USE_SRTP;
1762     opt.force_srtp_profile  = DFL_SRTP_FORCE_PROFILE;
1763     opt.support_mki         = DFL_SRTP_SUPPORT_MKI;
1764     opt.key1_opaque_alg1   = DFL_KEY_OPAQUE_ALG;
1765     opt.key1_opaque_alg2   = DFL_KEY_OPAQUE_ALG;
1766     opt.key2_opaque_alg1   = DFL_KEY_OPAQUE_ALG;
1767     opt.key2_opaque_alg2   = DFL_KEY_OPAQUE_ALG;
1768 
1769     for (i = 1; i < argc; i++) {
1770         p = argv[i];
1771         if ((q = strchr(p, '=')) == NULL) {
1772             goto usage;
1773         }
1774         *q++ = '\0';
1775 
1776         if (strcmp(p, "server_port") == 0) {
1777             opt.server_port = q;
1778         } else if (strcmp(p, "server_addr") == 0) {
1779             opt.server_addr = q;
1780         } else if (strcmp(p, "dtls") == 0) {
1781             int t = atoi(q);
1782             if (t == 0) {
1783                 opt.transport = MBEDTLS_SSL_TRANSPORT_STREAM;
1784             } else if (t == 1) {
1785                 opt.transport = MBEDTLS_SSL_TRANSPORT_DATAGRAM;
1786             } else {
1787                 goto usage;
1788             }
1789         } else if (strcmp(p, "debug_level") == 0) {
1790             opt.debug_level = atoi(q);
1791             if (opt.debug_level < 0 || opt.debug_level > 65535) {
1792                 goto usage;
1793             }
1794         } else if (strcmp(p, "build_version") == 0) {
1795             if (strcmp(q, "1") == 0) {
1796                 mbedtls_printf("build version: %s (build %d)\n",
1797                                MBEDTLS_VERSION_STRING_FULL,
1798                                MBEDTLS_VERSION_NUMBER);
1799                 goto exit;
1800             }
1801         } else if (strcmp(p, "nbio") == 0) {
1802             opt.nbio = atoi(q);
1803             if (opt.nbio < 0 || opt.nbio > 2) {
1804                 goto usage;
1805             }
1806         } else if (strcmp(p, "event") == 0) {
1807             opt.event = atoi(q);
1808             if (opt.event < 0 || opt.event > 2) {
1809                 goto usage;
1810             }
1811         } else if (strcmp(p, "read_timeout") == 0) {
1812             opt.read_timeout = atoi(q);
1813         } else if (strcmp(p, "buffer_size") == 0) {
1814             opt.buffer_size = atoi(q);
1815             if (opt.buffer_size < 1) {
1816                 goto usage;
1817             }
1818         } else if (strcmp(p, "response_size") == 0) {
1819             opt.response_size = atoi(q);
1820             if (opt.response_size < 0 || opt.response_size > MBEDTLS_SSL_OUT_CONTENT_LEN) {
1821                 goto usage;
1822             }
1823             if (opt.buffer_size < opt.response_size) {
1824                 opt.buffer_size = opt.response_size;
1825             }
1826         } else if (strcmp(p, "ca_file") == 0) {
1827             opt.ca_file = q;
1828         } else if (strcmp(p, "ca_path") == 0) {
1829             opt.ca_path = q;
1830         } else if (strcmp(p, "crt_file") == 0) {
1831             opt.crt_file = q;
1832         } else if (strcmp(p, "key_file") == 0) {
1833             opt.key_file = q;
1834         } else if (strcmp(p, "key_pwd") == 0) {
1835             opt.key_pwd = q;
1836         }
1837 #if defined(MBEDTLS_USE_PSA_CRYPTO) && defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
1838         else if (strcmp(p, "key_opaque") == 0) {
1839             opt.key_opaque = atoi(q);
1840         }
1841 #endif
1842         else if (strcmp(p, "crt_file2") == 0) {
1843             opt.crt_file2 = q;
1844         } else if (strcmp(p, "key_file2") == 0) {
1845             opt.key_file2 = q;
1846         } else if (strcmp(p, "key_pwd2") == 0) {
1847             opt.key_pwd2 = q;
1848         } else if (strcmp(p, "dhm_file") == 0) {
1849             opt.dhm_file = q;
1850         }
1851 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
1852         else if (strcmp(p, "async_operations") == 0) {
1853             opt.async_operations = q;
1854         } else if (strcmp(p, "async_private_delay1") == 0) {
1855             opt.async_private_delay1 = atoi(q);
1856         } else if (strcmp(p, "async_private_delay2") == 0) {
1857             opt.async_private_delay2 = atoi(q);
1858         } else if (strcmp(p, "async_private_error") == 0) {
1859             int n = atoi(q);
1860             if (n < -SSL_ASYNC_INJECT_ERROR_MAX ||
1861                 n > SSL_ASYNC_INJECT_ERROR_MAX) {
1862                 ret = 2;
1863                 goto usage;
1864             }
1865             opt.async_private_error = n;
1866         }
1867 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
1868 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
1869         else if (strcmp(p, "cid") == 0) {
1870             opt.cid_enabled = atoi(q);
1871             if (opt.cid_enabled != 0 && opt.cid_enabled != 1) {
1872                 goto usage;
1873             }
1874         } else if (strcmp(p, "cid_renego") == 0) {
1875             opt.cid_enabled_renego = atoi(q);
1876             if (opt.cid_enabled_renego != 0 && opt.cid_enabled_renego != 1) {
1877                 goto usage;
1878             }
1879         } else if (strcmp(p, "cid_val") == 0) {
1880             opt.cid_val = q;
1881         } else if (strcmp(p, "cid_val_renego") == 0) {
1882             opt.cid_val_renego = q;
1883         }
1884 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
1885         else if (strcmp(p, "psk") == 0) {
1886             opt.psk = q;
1887         }
1888 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1889         else if (strcmp(p, "psk_opaque") == 0) {
1890             opt.psk_opaque = atoi(q);
1891         } else if (strcmp(p, "psk_list_opaque") == 0) {
1892             opt.psk_list_opaque = atoi(q);
1893         }
1894 #endif
1895 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
1896         else if (strcmp(p, "ca_callback") == 0) {
1897             opt.ca_callback = atoi(q);
1898         }
1899 #endif
1900         else if (strcmp(p, "psk_identity") == 0) {
1901             opt.psk_identity = q;
1902         } else if (strcmp(p, "psk_list") == 0) {
1903             opt.psk_list = q;
1904         } else if (strcmp(p, "ecjpake_pw") == 0) {
1905             opt.ecjpake_pw = q;
1906         }
1907 #if defined(MBEDTLS_USE_PSA_CRYPTO)
1908         else if (strcmp(p, "ecjpake_pw_opaque") == 0) {
1909             opt.ecjpake_pw_opaque = atoi(q);
1910         }
1911 #endif
1912         else if (strcmp(p, "force_ciphersuite") == 0) {
1913             opt.force_ciphersuite[0] = mbedtls_ssl_get_ciphersuite_id(q);
1914 
1915             if (opt.force_ciphersuite[0] == 0) {
1916                 ret = 2;
1917                 goto usage;
1918             }
1919             opt.force_ciphersuite[1] = 0;
1920         } else if (strcmp(p, "curves") == 0) {
1921             opt.curves = q;
1922         }
1923 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
1924         else if (strcmp(p, "sig_algs") == 0) {
1925             opt.sig_algs = q;
1926         }
1927 #endif
1928 #if defined(MBEDTLS_SSL_EARLY_DATA)
1929         else if (strcmp(p, "max_early_data_size") == 0) {
1930             long long value = atoll(q);
1931             tls13_early_data_enabled =
1932                 value >= 0 ? MBEDTLS_SSL_EARLY_DATA_ENABLED :
1933                 MBEDTLS_SSL_EARLY_DATA_DISABLED;
1934             if (tls13_early_data_enabled) {
1935                 opt.max_early_data_size = atoi(q);
1936             }
1937         }
1938 #endif /* MBEDTLS_SSL_EARLY_DATA */
1939         else if (strcmp(p, "renegotiation") == 0) {
1940             opt.renegotiation = (atoi(q)) ?
1941                                 MBEDTLS_SSL_RENEGOTIATION_ENABLED :
1942                                 MBEDTLS_SSL_RENEGOTIATION_DISABLED;
1943         } else if (strcmp(p, "allow_legacy") == 0) {
1944             switch (atoi(q)) {
1945                 case -1:
1946                     opt.allow_legacy = MBEDTLS_SSL_LEGACY_BREAK_HANDSHAKE;
1947                     break;
1948                 case 0:
1949                     opt.allow_legacy = MBEDTLS_SSL_LEGACY_NO_RENEGOTIATION;
1950                     break;
1951                 case 1:
1952                     opt.allow_legacy = MBEDTLS_SSL_LEGACY_ALLOW_RENEGOTIATION;
1953                     break;
1954                 default: goto usage;
1955             }
1956         } else if (strcmp(p, "renegotiate") == 0) {
1957             opt.renegotiate = atoi(q);
1958             if (opt.renegotiate < 0 || opt.renegotiate > 1) {
1959                 goto usage;
1960             }
1961         } else if (strcmp(p, "renego_delay") == 0) {
1962             opt.renego_delay = atoi(q);
1963         } else if (strcmp(p, "renego_period") == 0) {
1964 #if defined(_MSC_VER)
1965             opt.renego_period = _strtoui64(q, NULL, 10);
1966 #else
1967             if (sscanf(q, "%" SCNu64, &opt.renego_period) != 1) {
1968                 goto usage;
1969             }
1970 #endif /* _MSC_VER */
1971             if (opt.renego_period < 2) {
1972                 goto usage;
1973             }
1974         } else if (strcmp(p, "exchanges") == 0) {
1975             opt.exchanges = atoi(q);
1976             if (opt.exchanges < 0) {
1977                 goto usage;
1978             }
1979         }
1980 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
1981         else if (strcmp(p, "tls13_kex_modes") == 0) {
1982             if (strcmp(q, "psk") == 0) {
1983                 opt.tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK;
1984             } else if (strcmp(q, "psk_ephemeral") == 0) {
1985                 opt.tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_EPHEMERAL;
1986             } else if (strcmp(q, "ephemeral") == 0) {
1987                 opt.tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL;
1988             } else if (strcmp(q, "ephemeral_all") == 0) {
1989                 opt.tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL_ALL;
1990             } else if (strcmp(q, "psk_all") == 0) {
1991                 opt.tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK_ALL;
1992             } else if (strcmp(q, "all") == 0) {
1993                 opt.tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_ALL;
1994             }
1995             /* The purpose of `psk_or_ephemeral` is to improve test coverage. That
1996              * is not recommended in practice.
1997              * `psk_or_ephemeral` exists in theory, we need this mode to test if
1998              * this setting work correctly. With this key exchange setting, server
1999              * should always perform `ephemeral` handshake. `psk` or `psk_ephemeral`
2000              * is not expected.
2001              */
2002             else if (strcmp(q, "psk_or_ephemeral") == 0) {
2003                 opt.tls13_kex_modes = MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_PSK |
2004                                       MBEDTLS_SSL_TLS1_3_KEY_EXCHANGE_MODE_EPHEMERAL;
2005             } else {
2006                 goto usage;
2007             }
2008         }
2009 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
2010 
2011         else if (strcmp(p, "min_version") == 0) {
2012             if (strcmp(q, "tls12") == 0 ||
2013                 strcmp(q, "dtls12") == 0) {
2014                 opt.min_version = MBEDTLS_SSL_VERSION_TLS1_2;
2015             }
2016 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
2017             else if (strcmp(q, "tls13") == 0) {
2018                 opt.min_version = MBEDTLS_SSL_VERSION_TLS1_3;
2019             }
2020 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
2021             else {
2022                 goto usage;
2023             }
2024         } else if (strcmp(p, "max_version") == 0) {
2025             if (strcmp(q, "tls12") == 0 ||
2026                 strcmp(q, "dtls12") == 0) {
2027                 opt.max_version = MBEDTLS_SSL_VERSION_TLS1_2;
2028             }
2029 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
2030             else if (strcmp(q, "tls13") == 0) {
2031                 opt.max_version = MBEDTLS_SSL_VERSION_TLS1_3;
2032             }
2033 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
2034             else {
2035                 goto usage;
2036             }
2037         } else if (strcmp(p, "allow_sha1") == 0) {
2038             switch (atoi(q)) {
2039                 case 0:     opt.allow_sha1 = 0;   break;
2040                 case 1:     opt.allow_sha1 = 1;    break;
2041                 default:    goto usage;
2042             }
2043         } else if (strcmp(p, "force_version") == 0) {
2044             if (strcmp(q, "tls12") == 0) {
2045                 opt.min_version = MBEDTLS_SSL_VERSION_TLS1_2;
2046                 opt.max_version = MBEDTLS_SSL_VERSION_TLS1_2;
2047             } else if (strcmp(q, "dtls12") == 0) {
2048                 opt.min_version = MBEDTLS_SSL_VERSION_TLS1_2;
2049                 opt.max_version = MBEDTLS_SSL_VERSION_TLS1_2;
2050                 opt.transport = MBEDTLS_SSL_TRANSPORT_DATAGRAM;
2051             }
2052 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
2053             else if (strcmp(q, "tls13") == 0) {
2054                 opt.min_version = MBEDTLS_SSL_VERSION_TLS1_3;
2055                 opt.max_version = MBEDTLS_SSL_VERSION_TLS1_3;
2056             }
2057 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
2058             else {
2059                 goto usage;
2060             }
2061         } else if (strcmp(p, "auth_mode") == 0) {
2062             if ((opt.auth_mode = get_auth_mode(q)) < 0) {
2063                 goto usage;
2064             }
2065         } else if (strcmp(p, "cert_req_ca_list") == 0) {
2066             opt.cert_req_ca_list = atoi(q);
2067             if (opt.cert_req_ca_list < 0 || opt.cert_req_ca_list > 3) {
2068                 goto usage;
2069             }
2070             if (opt.cert_req_ca_list > 1) {
2071                 opt.cert_req_dn_hint = opt.cert_req_ca_list;
2072                 opt.cert_req_ca_list = MBEDTLS_SSL_CERT_REQ_CA_LIST_ENABLED;
2073             }
2074         } else if (strcmp(p, "max_frag_len") == 0) {
2075             if (strcmp(q, "512") == 0) {
2076                 opt.mfl_code = MBEDTLS_SSL_MAX_FRAG_LEN_512;
2077             } else if (strcmp(q, "1024") == 0) {
2078                 opt.mfl_code = MBEDTLS_SSL_MAX_FRAG_LEN_1024;
2079             } else if (strcmp(q, "2048") == 0) {
2080                 opt.mfl_code = MBEDTLS_SSL_MAX_FRAG_LEN_2048;
2081             } else if (strcmp(q, "4096") == 0) {
2082                 opt.mfl_code = MBEDTLS_SSL_MAX_FRAG_LEN_4096;
2083             } else {
2084                 goto usage;
2085             }
2086         } else if (strcmp(p, "alpn") == 0) {
2087             opt.alpn_string = q;
2088         } else if (strcmp(p, "trunc_hmac") == 0) {
2089             switch (atoi(q)) {
2090                 case 0: opt.trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_DISABLED; break;
2091                 case 1: opt.trunc_hmac = MBEDTLS_SSL_TRUNC_HMAC_ENABLED; break;
2092                 default: goto usage;
2093             }
2094         } else if (strcmp(p, "extended_ms") == 0) {
2095             switch (atoi(q)) {
2096                 case 0:
2097                     opt.extended_ms = MBEDTLS_SSL_EXTENDED_MS_DISABLED;
2098                     break;
2099                 case 1:
2100                     opt.extended_ms = MBEDTLS_SSL_EXTENDED_MS_ENABLED;
2101                     break;
2102                 default: goto usage;
2103             }
2104         } else if (strcmp(p, "etm") == 0) {
2105             switch (atoi(q)) {
2106                 case 0: opt.etm = MBEDTLS_SSL_ETM_DISABLED; break;
2107                 case 1: opt.etm = MBEDTLS_SSL_ETM_ENABLED; break;
2108                 default: goto usage;
2109             }
2110         } else if (strcmp(p, "tickets") == 0) {
2111             opt.tickets = atoi(q);
2112             if (opt.tickets < 0) {
2113                 goto usage;
2114             }
2115         } else if (strcmp(p, "dummy_ticket") == 0) {
2116             opt.dummy_ticket = atoi(q);
2117             if (opt.dummy_ticket < 0) {
2118                 goto usage;
2119             }
2120         } else if (strcmp(p, "ticket_rotate") == 0) {
2121             opt.ticket_rotate = atoi(q);
2122             if (opt.ticket_rotate < 0 || opt.ticket_rotate > 1) {
2123                 goto usage;
2124             }
2125         } else if (strcmp(p, "ticket_timeout") == 0) {
2126             opt.ticket_timeout = atoi(q);
2127             if (opt.ticket_timeout < 0) {
2128                 goto usage;
2129             }
2130         } else if (strcmp(p, "ticket_aead") == 0) {
2131             const mbedtls_cipher_info_t *ci = mbedtls_cipher_info_from_string(q);
2132 
2133             if (ci == NULL) {
2134                 goto usage;
2135             }
2136             opt.ticket_aead = mbedtls_cipher_info_get_type(ci);
2137         } else if (strcmp(p, "cache_max") == 0) {
2138             opt.cache_max = atoi(q);
2139             if (opt.cache_max < 0) {
2140                 goto usage;
2141             }
2142         }
2143 #if defined(MBEDTLS_HAVE_TIME)
2144         else if (strcmp(p, "cache_timeout") == 0) {
2145             opt.cache_timeout = atoi(q);
2146             if (opt.cache_timeout < 0) {
2147                 goto usage;
2148             }
2149         }
2150 #endif
2151         else if (strcmp(p, "cache_remove") == 0) {
2152             opt.cache_remove = atoi(q);
2153             if (opt.cache_remove < 0 || opt.cache_remove > 1) {
2154                 goto usage;
2155             }
2156         } else if (strcmp(p, "cookies") == 0) {
2157             opt.cookies = atoi(q);
2158             if (opt.cookies < -1 || opt.cookies > 1) {
2159                 goto usage;
2160             }
2161         } else if (strcmp(p, "anti_replay") == 0) {
2162             opt.anti_replay = atoi(q);
2163             if (opt.anti_replay < 0 || opt.anti_replay > 1) {
2164                 goto usage;
2165             }
2166         } else if (strcmp(p, "badmac_limit") == 0) {
2167             opt.badmac_limit = atoi(q);
2168             if (opt.badmac_limit < 0) {
2169                 goto usage;
2170             }
2171         } else if (strcmp(p, "hs_timeout") == 0) {
2172             if ((p = strchr(q, '-')) == NULL) {
2173                 goto usage;
2174             }
2175             *p++ = '\0';
2176             opt.hs_to_min = atoi(q);
2177             opt.hs_to_max = atoi(p);
2178             if (opt.hs_to_min == 0 || opt.hs_to_max < opt.hs_to_min) {
2179                 goto usage;
2180             }
2181         } else if (strcmp(p, "mtu") == 0) {
2182             opt.dtls_mtu = atoi(q);
2183             if (opt.dtls_mtu < 0) {
2184                 goto usage;
2185             }
2186         } else if (strcmp(p, "dgram_packing") == 0) {
2187             opt.dgram_packing = atoi(q);
2188             if (opt.dgram_packing != 0 &&
2189                 opt.dgram_packing != 1) {
2190                 goto usage;
2191             }
2192         } else if (strcmp(p, "sni") == 0) {
2193             opt.sni = q;
2194         } else if (strcmp(p, "query_config") == 0) {
2195             opt.query_config_mode = 1;
2196             query_config_ret = query_config(q);
2197             goto exit;
2198         } else if (strcmp(p, "serialize") == 0) {
2199             opt.serialize = atoi(q);
2200             if (opt.serialize < 0 || opt.serialize > 2) {
2201                 goto usage;
2202             }
2203         } else if (strcmp(p, "context_file") == 0) {
2204             opt.context_file = q;
2205         } else if (strcmp(p, "eap_tls") == 0) {
2206             opt.eap_tls = atoi(q);
2207             if (opt.eap_tls < 0 || opt.eap_tls > 1) {
2208                 goto usage;
2209             }
2210         } else if (strcmp(p, "reproducible") == 0) {
2211             opt.reproducible = 1;
2212         } else if (strcmp(p, "nss_keylog") == 0) {
2213             opt.nss_keylog = atoi(q);
2214             if (opt.nss_keylog < 0 || opt.nss_keylog > 1) {
2215                 goto usage;
2216             }
2217         } else if (strcmp(p, "nss_keylog_file") == 0) {
2218             opt.nss_keylog_file = q;
2219         } else if (strcmp(p, "use_srtp") == 0) {
2220             opt.use_srtp = atoi(q);
2221         } else if (strcmp(p, "srtp_force_profile") == 0) {
2222             opt.force_srtp_profile = atoi(q);
2223         } else if (strcmp(p, "support_mki") == 0) {
2224             opt.support_mki = atoi(q);
2225         } else if (strcmp(p, "key_opaque_algs") == 0) {
2226             if (key_opaque_alg_parse(q, &opt.key1_opaque_alg1,
2227                                      &opt.key1_opaque_alg2) != 0) {
2228                 goto usage;
2229             }
2230         } else if (strcmp(p, "key_opaque_algs2") == 0) {
2231             if (key_opaque_alg_parse(q, &opt.key2_opaque_alg1,
2232                                      &opt.key2_opaque_alg2) != 0) {
2233                 goto usage;
2234             }
2235         } else {
2236             goto usage;
2237         }
2238     }
2239 
2240     if (opt.nss_keylog != 0 && opt.eap_tls != 0) {
2241         mbedtls_printf("Error: eap_tls and nss_keylog options cannot be used together.\n");
2242         goto usage;
2243     }
2244 
2245     /* Event-driven IO is incompatible with the above custom
2246      * receive and send functions, as the polling builds on
2247      * refers to the underlying net_context. */
2248     if (opt.event == 1 && opt.nbio != 1) {
2249         mbedtls_printf("Warning: event-driven IO mandates nbio=1 - overwrite\n");
2250         opt.nbio = 1;
2251     }
2252 
2253 #if defined(MBEDTLS_DEBUG_C)
2254     mbedtls_debug_set_threshold(opt.debug_level);
2255 #endif
2256 
2257     /* buf will alternatively contain the input read from the client and the
2258      * response that's about to be sent, plus a null byte in each case. */
2259     size_t buf_content_size = opt.buffer_size;
2260     /* The default response contains the ciphersuite name. Leave enough
2261      * room for that plus some margin. */
2262     if (buf_content_size < strlen(HTTP_RESPONSE) + 80) {
2263         buf_content_size = strlen(HTTP_RESPONSE) + 80;
2264     }
2265     if (opt.response_size != DFL_RESPONSE_SIZE &&
2266         buf_content_size < (size_t) opt.response_size) {
2267         buf_content_size = opt.response_size;
2268     }
2269     buf = mbedtls_calloc(1, buf_content_size + 1);
2270     if (buf == NULL) {
2271         mbedtls_printf("Could not allocate %lu bytes\n",
2272                        (unsigned long) buf_content_size + 1);
2273         ret = 3;
2274         goto exit;
2275     }
2276 
2277 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2278     if (opt.psk_opaque != 0) {
2279         if (strlen(opt.psk) == 0) {
2280             mbedtls_printf("psk_opaque set but no psk to be imported specified.\n");
2281             ret = 2;
2282             goto usage;
2283         }
2284 
2285         if (opt.force_ciphersuite[0] <= 0) {
2286             mbedtls_printf(
2287                 "opaque PSKs are only supported in conjunction with forcing TLS 1.2 and a PSK-only ciphersuite through the 'force_ciphersuite' option.\n");
2288             ret = 2;
2289             goto usage;
2290         }
2291     }
2292 
2293     if (opt.psk_list_opaque != 0) {
2294         if (opt.psk_list == NULL) {
2295             mbedtls_printf("psk_slot set but no psk to be imported specified.\n");
2296             ret = 2;
2297             goto usage;
2298         }
2299 
2300         if (opt.force_ciphersuite[0] <= 0) {
2301             mbedtls_printf(
2302                 "opaque PSKs are only supported in conjunction with forcing TLS 1.2 and a PSK-only ciphersuite through the 'force_ciphersuite' option.\n");
2303             ret = 2;
2304             goto usage;
2305         }
2306     }
2307 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2308 
2309     if (opt.force_ciphersuite[0] > 0) {
2310         const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
2311         ciphersuite_info =
2312             mbedtls_ssl_ciphersuite_from_id(opt.force_ciphersuite[0]);
2313 
2314         if (opt.max_version != -1 &&
2315             ciphersuite_info->min_tls_version > opt.max_version) {
2316             mbedtls_printf("forced ciphersuite not allowed with this protocol version\n");
2317             ret = 2;
2318             goto usage;
2319         }
2320         if (opt.min_version != -1 &&
2321             ciphersuite_info->max_tls_version < opt.min_version) {
2322             mbedtls_printf("forced ciphersuite not allowed with this protocol version\n");
2323             ret = 2;
2324             goto usage;
2325         }
2326 
2327         /* If we select a version that's not supported by
2328          * this suite, then there will be no common ciphersuite... */
2329         if (opt.max_version == -1 ||
2330             opt.max_version > ciphersuite_info->max_tls_version) {
2331             opt.max_version = ciphersuite_info->max_tls_version;
2332         }
2333         if (opt.min_version < ciphersuite_info->min_tls_version) {
2334             opt.min_version = ciphersuite_info->min_tls_version;
2335         }
2336 
2337 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2338 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
2339         if (opt.psk_opaque != 0 || opt.psk_list_opaque != 0) {
2340             /* Determine KDF algorithm the opaque PSK will be used in. */
2341 #if defined(MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA)
2342             if (ciphersuite_info->mac == MBEDTLS_MD_SHA384) {
2343                 alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_384);
2344             } else
2345 #endif /* MBEDTLS_HAS_ALG_SHA_384_VIA_MD_OR_PSA_BASED_ON_USE_PSA */
2346             alg = PSA_ALG_TLS12_PSK_TO_MS(PSA_ALG_SHA_256);
2347         }
2348 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
2349 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2350     }
2351 
2352 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
2353     if (mbedtls_test_unhexify(cid, sizeof(cid),
2354                               opt.cid_val, &cid_len) != 0) {
2355         mbedtls_printf("CID not valid hex\n");
2356         goto exit;
2357     }
2358 
2359     /* Keep CID settings for renegotiation unless
2360      * specified otherwise. */
2361     if (opt.cid_enabled_renego == DFL_CID_ENABLED_RENEGO) {
2362         opt.cid_enabled_renego = opt.cid_enabled;
2363     }
2364     if (opt.cid_val_renego == DFL_CID_VALUE_RENEGO) {
2365         opt.cid_val_renego = opt.cid_val;
2366     }
2367 
2368     if (mbedtls_test_unhexify(cid_renego, sizeof(cid_renego),
2369                               opt.cid_val_renego, &cid_renego_len) != 0) {
2370         mbedtls_printf("CID not valid hex\n");
2371         goto exit;
2372     }
2373 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
2374 
2375 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
2376     /*
2377      * Unhexify the pre-shared key and parse the list if any given
2378      */
2379     if (mbedtls_test_unhexify(psk, sizeof(psk),
2380                               opt.psk, &psk_len) != 0) {
2381         mbedtls_printf("pre-shared key not valid hex\n");
2382         goto exit;
2383     }
2384 
2385     if (opt.psk_list != NULL) {
2386         if ((psk_info = psk_parse(opt.psk_list)) == NULL) {
2387             mbedtls_printf("psk_list invalid");
2388             goto exit;
2389         }
2390     }
2391 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED */
2392 
2393 #if defined(MBEDTLS_ECP_C)
2394     if (opt.curves != NULL) {
2395         p = (char *) opt.curves;
2396         i = 0;
2397 
2398         if (strcmp(p, "none") == 0) {
2399             group_list[0] = 0;
2400         } else if (strcmp(p, "default") != 0) {
2401             /* Leave room for a final NULL in curve list */
2402             while (i < CURVE_LIST_SIZE - 1 && *p != '\0') {
2403                 q = p;
2404 
2405                 /* Terminate the current string */
2406                 while (*p != ',' && *p != '\0') {
2407                     p++;
2408                 }
2409                 if (*p == ',') {
2410                     *p++ = '\0';
2411                 }
2412 
2413                 if ((curve_cur = mbedtls_ecp_curve_info_from_name(q)) != NULL) {
2414                     group_list[i++] = curve_cur->tls_id;
2415                 } else {
2416                     mbedtls_printf("unknown curve %s\n", q);
2417                     mbedtls_printf("supported curves: ");
2418                     for (curve_cur = mbedtls_ecp_curve_list();
2419                          curve_cur->grp_id != MBEDTLS_ECP_DP_NONE;
2420                          curve_cur++) {
2421                         mbedtls_printf("%s ", curve_cur->name);
2422                     }
2423                     mbedtls_printf("\n");
2424                     goto exit;
2425                 }
2426             }
2427 
2428             mbedtls_printf("Number of curves: %d\n", i);
2429 
2430             if (i == CURVE_LIST_SIZE - 1 && *p != '\0') {
2431                 mbedtls_printf("curves list too long, maximum %d",
2432                                CURVE_LIST_SIZE - 1);
2433                 goto exit;
2434             }
2435 
2436             group_list[i] = 0;
2437         }
2438     }
2439 #endif /* MBEDTLS_ECP_C */
2440 
2441 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
2442     if (opt.sig_algs != NULL) {
2443         p = (char *) opt.sig_algs;
2444         i = 0;
2445 
2446         /* Leave room for a final MBEDTLS_TLS1_3_SIG_NONE in signature algorithm list (sig_alg_list). */
2447         while (i < SIG_ALG_LIST_SIZE - 1 && *p != '\0') {
2448             q = p;
2449 
2450             /* Terminate the current string */
2451             while (*p != ',' && *p != '\0') {
2452                 p++;
2453             }
2454             if (*p == ',') {
2455                 *p++ = '\0';
2456             }
2457 
2458             if (strcmp(q, "rsa_pkcs1_sha256") == 0) {
2459                 sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA256;
2460             } else if (strcmp(q, "rsa_pkcs1_sha384") == 0) {
2461                 sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA384;
2462             } else if (strcmp(q, "rsa_pkcs1_sha512") == 0) {
2463                 sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA512;
2464             } else if (strcmp(q, "ecdsa_secp256r1_sha256") == 0) {
2465                 sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_ECDSA_SECP256R1_SHA256;
2466             } else if (strcmp(q, "ecdsa_secp384r1_sha384") == 0) {
2467                 sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_ECDSA_SECP384R1_SHA384;
2468             } else if (strcmp(q, "ecdsa_secp521r1_sha512") == 0) {
2469                 sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_ECDSA_SECP521R1_SHA512;
2470             } else if (strcmp(q, "rsa_pss_rsae_sha256") == 0) {
2471                 sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA256;
2472             } else if (strcmp(q, "rsa_pss_rsae_sha384") == 0) {
2473                 sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA384;
2474             } else if (strcmp(q, "rsa_pss_rsae_sha512") == 0) {
2475                 sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_RSA_PSS_RSAE_SHA512;
2476             } else if (strcmp(q, "ed25519") == 0) {
2477                 sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_ED25519;
2478             } else if (strcmp(q, "ed448") == 0) {
2479                 sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_ED448;
2480             } else if (strcmp(q, "rsa_pss_pss_sha256") == 0) {
2481                 sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_RSA_PSS_PSS_SHA256;
2482             } else if (strcmp(q, "rsa_pss_pss_sha384") == 0) {
2483                 sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_RSA_PSS_PSS_SHA384;
2484             } else if (strcmp(q, "rsa_pss_pss_sha512") == 0) {
2485                 sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_RSA_PSS_PSS_SHA512;
2486             } else if (strcmp(q, "rsa_pkcs1_sha1") == 0) {
2487                 sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_RSA_PKCS1_SHA1;
2488             } else if (strcmp(q, "ecdsa_sha1") == 0) {
2489                 sig_alg_list[i++] = MBEDTLS_TLS1_3_SIG_ECDSA_SHA1;
2490             } else {
2491                 ret = -1;
2492                 mbedtls_printf("unknown signature algorithm \"%s\"\n", q);
2493                 mbedtls_print_supported_sig_algs();
2494                 goto exit;
2495             }
2496         }
2497 
2498         if (i == (SIG_ALG_LIST_SIZE - 1) && *p != '\0') {
2499             mbedtls_printf("signature algorithm list too long, maximum %d",
2500                            SIG_ALG_LIST_SIZE - 1);
2501             goto exit;
2502         }
2503 
2504         sig_alg_list[i] = MBEDTLS_TLS1_3_SIG_NONE;
2505     }
2506 #endif
2507 
2508 #if defined(MBEDTLS_SSL_ALPN)
2509     if (opt.alpn_string != NULL) {
2510         p = (char *) opt.alpn_string;
2511         i = 0;
2512 
2513         /* Leave room for a final NULL in alpn_list */
2514         while (i < ALPN_LIST_SIZE - 1 && *p != '\0') {
2515             alpn_list[i++] = p;
2516 
2517             /* Terminate the current string and move on to next one */
2518             while (*p != ',' && *p != '\0') {
2519                 p++;
2520             }
2521             if (*p == ',') {
2522                 *p++ = '\0';
2523             }
2524         }
2525     }
2526 #endif /* MBEDTLS_SSL_ALPN */
2527 
2528     mbedtls_printf("build version: %s (build %d)\n",
2529                    MBEDTLS_VERSION_STRING_FULL, MBEDTLS_VERSION_NUMBER);
2530 
2531     /*
2532      * 0. Initialize the RNG and the session data
2533      */
2534     mbedtls_printf("\n  . Seeding the random number generator...");
2535     fflush(stdout);
2536 
2537     ret = rng_seed(&rng, opt.reproducible, pers);
2538     if (ret != 0) {
2539         goto exit;
2540     }
2541     mbedtls_printf(" ok\n");
2542 
2543 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
2544     /*
2545      * 1.1. Load the trusted CA
2546      */
2547     mbedtls_printf("  . Loading the CA root certificate ...");
2548     fflush(stdout);
2549 
2550     if (strcmp(opt.ca_path, "none") == 0 ||
2551         strcmp(opt.ca_file, "none") == 0) {
2552         ret = 0;
2553     } else
2554 #if defined(MBEDTLS_FS_IO)
2555     if (strlen(opt.ca_path)) {
2556         ret = mbedtls_x509_crt_parse_path(&cacert, opt.ca_path);
2557     } else if (strlen(opt.ca_file)) {
2558         ret = mbedtls_x509_crt_parse_file(&cacert, opt.ca_file);
2559     } else
2560 #endif
2561     {
2562 #if defined(MBEDTLS_PEM_PARSE_C)
2563         for (i = 0; mbedtls_test_cas[i] != NULL; i++) {
2564             ret = mbedtls_x509_crt_parse(&cacert,
2565                                          (const unsigned char *) mbedtls_test_cas[i],
2566                                          mbedtls_test_cas_len[i]);
2567             if (ret != 0) {
2568                 break;
2569             }
2570         }
2571 #endif /* MBEDTLS_PEM_PARSE_C */
2572         if (ret == 0) {
2573             for (i = 0; mbedtls_test_cas_der[i] != NULL; i++) {
2574                 ret = mbedtls_x509_crt_parse_der(&cacert,
2575                                                  (const unsigned char *) mbedtls_test_cas_der[i],
2576                                                  mbedtls_test_cas_der_len[i]);
2577                 if (ret != 0) {
2578                     break;
2579                 }
2580             }
2581         }
2582     }
2583     if (ret < 0) {
2584         mbedtls_printf(" failed\n  !  mbedtls_x509_crt_parse returned -0x%x\n\n",
2585                        (unsigned int) -ret);
2586         goto exit;
2587     }
2588 
2589     mbedtls_printf(" ok (%d skipped)\n", ret);
2590 
2591     /*
2592      * 1.2. Load own certificate and private key
2593      */
2594     mbedtls_printf("  . Loading the server cert. and key...");
2595     fflush(stdout);
2596 
2597 #if defined(MBEDTLS_FS_IO)
2598     if (strlen(opt.crt_file) && strcmp(opt.crt_file, "none") != 0) {
2599         key_cert_init++;
2600         if ((ret = mbedtls_x509_crt_parse_file(&srvcert, opt.crt_file)) != 0) {
2601             mbedtls_printf(" failed\n  !  mbedtls_x509_crt_parse_file returned -0x%x\n\n",
2602                            (unsigned int) -ret);
2603             goto exit;
2604         }
2605     }
2606     if (strlen(opt.key_file) && strcmp(opt.key_file, "none") != 0) {
2607         key_cert_init++;
2608         if ((ret = mbedtls_pk_parse_keyfile(&pkey, opt.key_file,
2609                                             opt.key_pwd, rng_get, &rng)) != 0) {
2610             mbedtls_printf(" failed\n  !  mbedtls_pk_parse_keyfile returned -0x%x\n\n",
2611                            (unsigned int) -ret);
2612             goto exit;
2613         }
2614     }
2615     if (key_cert_init == 1) {
2616         mbedtls_printf(" failed\n  !  crt_file without key_file or vice-versa\n\n");
2617         goto exit;
2618     }
2619 
2620     if (strlen(opt.crt_file2) && strcmp(opt.crt_file2, "none") != 0) {
2621         key_cert_init2++;
2622         if ((ret = mbedtls_x509_crt_parse_file(&srvcert2, opt.crt_file2)) != 0) {
2623             mbedtls_printf(" failed\n  !  mbedtls_x509_crt_parse_file(2) returned -0x%x\n\n",
2624                            (unsigned int) -ret);
2625             goto exit;
2626         }
2627     }
2628     if (strlen(opt.key_file2) && strcmp(opt.key_file2, "none") != 0) {
2629         key_cert_init2++;
2630         if ((ret = mbedtls_pk_parse_keyfile(&pkey2, opt.key_file2,
2631                                             opt.key_pwd2, rng_get, &rng)) != 0) {
2632             mbedtls_printf(" failed\n  !  mbedtls_pk_parse_keyfile(2) returned -0x%x\n\n",
2633                            (unsigned int) -ret);
2634             goto exit;
2635         }
2636     }
2637     if (key_cert_init2 == 1) {
2638         mbedtls_printf(" failed\n  !  crt_file2 without key_file2 or vice-versa\n\n");
2639         goto exit;
2640     }
2641 #endif
2642     if (key_cert_init == 0 &&
2643         strcmp(opt.crt_file, "none") != 0 &&
2644         strcmp(opt.key_file, "none") != 0 &&
2645         key_cert_init2 == 0 &&
2646         strcmp(opt.crt_file2, "none") != 0 &&
2647         strcmp(opt.key_file2, "none") != 0) {
2648 #if defined(MBEDTLS_RSA_C)
2649         if ((ret = mbedtls_x509_crt_parse(&srvcert,
2650                                           (const unsigned char *) mbedtls_test_srv_crt_rsa,
2651                                           mbedtls_test_srv_crt_rsa_len)) != 0) {
2652             mbedtls_printf(" failed\n  !  mbedtls_x509_crt_parse returned -0x%x\n\n",
2653                            (unsigned int) -ret);
2654             goto exit;
2655         }
2656         if ((ret = mbedtls_pk_parse_key(&pkey,
2657                                         (const unsigned char *) mbedtls_test_srv_key_rsa,
2658                                         mbedtls_test_srv_key_rsa_len, NULL, 0,
2659                                         rng_get, &rng)) != 0) {
2660             mbedtls_printf(" failed\n  !  mbedtls_pk_parse_key returned -0x%x\n\n",
2661                            (unsigned int) -ret);
2662             goto exit;
2663         }
2664         key_cert_init = 2;
2665 #endif /* MBEDTLS_RSA_C */
2666 #if defined(MBEDTLS_PK_CAN_ECDSA_SOME)
2667         if ((ret = mbedtls_x509_crt_parse(&srvcert2,
2668                                           (const unsigned char *) mbedtls_test_srv_crt_ec,
2669                                           mbedtls_test_srv_crt_ec_len)) != 0) {
2670             mbedtls_printf(" failed\n  !  x509_crt_parse2 returned -0x%x\n\n",
2671                            (unsigned int) -ret);
2672             goto exit;
2673         }
2674         if ((ret = mbedtls_pk_parse_key(&pkey2,
2675                                         (const unsigned char *) mbedtls_test_srv_key_ec,
2676                                         mbedtls_test_srv_key_ec_len, NULL, 0,
2677                                         rng_get, &rng)) != 0) {
2678             mbedtls_printf(" failed\n  !  pk_parse_key2 returned -0x%x\n\n",
2679                            (unsigned int) -ret);
2680             goto exit;
2681         }
2682         key_cert_init2 = 2;
2683 #endif /* MBEDTLS_PK_CAN_ECDSA_SOME */
2684     }
2685 
2686 #if defined(MBEDTLS_USE_PSA_CRYPTO)
2687     if (opt.key_opaque != 0) {
2688         psa_algorithm_t psa_alg, psa_alg2 = PSA_ALG_NONE;
2689         psa_key_usage_t psa_usage = 0;
2690 
2691         if (key_opaque_set_alg_usage(opt.key1_opaque_alg1,
2692                                      opt.key1_opaque_alg2,
2693                                      &psa_alg, &psa_alg2,
2694                                      &psa_usage,
2695                                      mbedtls_pk_get_type(&pkey)) == 0) {
2696             ret = mbedtls_pk_wrap_as_opaque(&pkey, &key_slot,
2697                                             psa_alg, psa_usage, psa_alg2);
2698 
2699             if (ret != 0) {
2700                 mbedtls_printf(" failed\n  !  "
2701                                "mbedtls_pk_wrap_as_opaque returned -0x%x\n\n",
2702                                (unsigned int)  -ret);
2703                 goto exit;
2704             }
2705         }
2706 
2707         psa_alg = PSA_ALG_NONE; psa_alg2 = PSA_ALG_NONE;
2708         psa_usage = 0;
2709 
2710         if (key_opaque_set_alg_usage(opt.key2_opaque_alg1,
2711                                      opt.key2_opaque_alg2,
2712                                      &psa_alg, &psa_alg2,
2713                                      &psa_usage,
2714                                      mbedtls_pk_get_type(&pkey2)) == 0) {
2715             ret = mbedtls_pk_wrap_as_opaque(&pkey2, &key_slot2,
2716                                             psa_alg, psa_usage, psa_alg2);
2717 
2718             if (ret != 0) {
2719                 mbedtls_printf(" failed\n  !  "
2720                                "mbedtls_pk_wrap_as_opaque returned -0x%x\n\n",
2721                                (unsigned int)  -ret);
2722                 goto exit;
2723             }
2724         }
2725     }
2726 #endif /* MBEDTLS_USE_PSA_CRYPTO */
2727 
2728     mbedtls_printf(" ok (key types: %s, %s)\n",
2729                    key_cert_init ? mbedtls_pk_get_name(&pkey) : "none",
2730                    key_cert_init2 ? mbedtls_pk_get_name(&pkey2) : "none");
2731 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
2732 
2733 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_FS_IO)
2734     if (opt.dhm_file != NULL) {
2735         mbedtls_printf("  . Loading DHM parameters...");
2736         fflush(stdout);
2737 
2738         if ((ret = mbedtls_dhm_parse_dhmfile(&dhm, opt.dhm_file)) != 0) {
2739             mbedtls_printf(" failed\n  ! mbedtls_dhm_parse_dhmfile returned -0x%04X\n\n",
2740                            (unsigned int) -ret);
2741             goto exit;
2742         }
2743 
2744         mbedtls_printf(" ok\n");
2745     }
2746 #endif
2747 
2748 #if defined(SNI_OPTION)
2749     if (opt.sni != NULL) {
2750         mbedtls_printf("  . Setting up SNI information...");
2751         fflush(stdout);
2752 
2753         if ((sni_info = sni_parse(opt.sni)) == NULL) {
2754             mbedtls_printf(" failed\n");
2755             goto exit;
2756         }
2757 
2758         mbedtls_printf(" ok\n");
2759     }
2760 #endif /* SNI_OPTION */
2761 
2762     /*
2763      * 2. Setup stuff
2764      */
2765     mbedtls_printf("  . Setting up the SSL/TLS structure...");
2766     fflush(stdout);
2767 
2768     if ((ret = mbedtls_ssl_config_defaults(&conf,
2769                                            MBEDTLS_SSL_IS_SERVER,
2770                                            opt.transport,
2771                                            MBEDTLS_SSL_PRESET_DEFAULT)) != 0) {
2772         mbedtls_printf(" failed\n  ! mbedtls_ssl_config_defaults returned -0x%x\n\n",
2773                        (unsigned int) -ret);
2774         goto exit;
2775     }
2776 
2777 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
2778     /* The default algorithms profile disables SHA-1, but our tests still
2779        rely on it heavily. Hence we allow it here. A real-world server
2780        should use the default profile unless there is a good reason not to. */
2781     if (opt.allow_sha1 > 0) {
2782         crt_profile_for_test.allowed_mds |= MBEDTLS_X509_ID_FLAG(MBEDTLS_MD_SHA1);
2783         mbedtls_ssl_conf_cert_profile(&conf, &crt_profile_for_test);
2784         mbedtls_ssl_conf_sig_algs(&conf, ssl_sig_algs_for_test);
2785     }
2786 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
2787 
2788     if (opt.auth_mode != DFL_AUTH_MODE) {
2789         mbedtls_ssl_conf_authmode(&conf, opt.auth_mode);
2790     }
2791 
2792     if (opt.cert_req_ca_list != DFL_CERT_REQ_CA_LIST) {
2793         mbedtls_ssl_conf_cert_req_ca_list(&conf, opt.cert_req_ca_list);
2794     }
2795 
2796 #if defined(MBEDTLS_SSL_EARLY_DATA)
2797     mbedtls_ssl_tls13_conf_early_data(&conf, tls13_early_data_enabled);
2798     if (tls13_early_data_enabled == MBEDTLS_SSL_EARLY_DATA_ENABLED) {
2799         mbedtls_ssl_tls13_conf_max_early_data_size(
2800             &conf, opt.max_early_data_size);
2801     }
2802 #endif /* MBEDTLS_SSL_EARLY_DATA */
2803 
2804 #if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
2805     /* exercise setting DN hints for server certificate request
2806      * (Intended for use where the client cert expected has been signed by
2807      *  a specific CA which is an intermediate in a CA chain, not the root) */
2808     if (opt.cert_req_dn_hint == 2 && key_cert_init2) {
2809         mbedtls_ssl_conf_dn_hints(&conf, &srvcert2);
2810     }
2811 #endif
2812 
2813 #if defined(MBEDTLS_SSL_PROTO_DTLS)
2814     if (opt.hs_to_min != DFL_HS_TO_MIN || opt.hs_to_max != DFL_HS_TO_MAX) {
2815         mbedtls_ssl_conf_handshake_timeout(&conf, opt.hs_to_min, opt.hs_to_max);
2816     }
2817 
2818     if (opt.dgram_packing != DFL_DGRAM_PACKING) {
2819         mbedtls_ssl_set_datagram_packing(&ssl, opt.dgram_packing);
2820     }
2821 #endif /* MBEDTLS_SSL_PROTO_DTLS */
2822 
2823 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
2824     if ((ret = mbedtls_ssl_conf_max_frag_len(&conf, opt.mfl_code)) != 0) {
2825         mbedtls_printf(" failed\n  ! mbedtls_ssl_conf_max_frag_len returned %d\n\n", ret);
2826         goto exit;
2827     }
2828 #endif
2829 
2830 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
2831     if (opt.cid_enabled == 1 || opt.cid_enabled_renego == 1) {
2832         if (opt.cid_enabled == 1        &&
2833             opt.cid_enabled_renego == 1 &&
2834             cid_len != cid_renego_len) {
2835             mbedtls_printf("CID length must not change during renegotiation\n");
2836             goto usage;
2837         }
2838 
2839         if (opt.cid_enabled == 1) {
2840             ret = mbedtls_ssl_conf_cid(&conf, cid_len,
2841                                        MBEDTLS_SSL_UNEXPECTED_CID_IGNORE);
2842         } else {
2843             ret = mbedtls_ssl_conf_cid(&conf, cid_renego_len,
2844                                        MBEDTLS_SSL_UNEXPECTED_CID_IGNORE);
2845         }
2846 
2847         if (ret != 0) {
2848             mbedtls_printf(" failed\n  ! mbedtls_ssl_conf_cid_len returned -%#04x\n\n",
2849                            (unsigned int) -ret);
2850             goto exit;
2851         }
2852     }
2853 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
2854 
2855 #if defined(MBEDTLS_SSL_DTLS_SRTP)
2856     const mbedtls_ssl_srtp_profile forced_profile[] =
2857     { opt.force_srtp_profile, MBEDTLS_TLS_SRTP_UNSET };
2858     if (opt.use_srtp == 1) {
2859         if (opt.force_srtp_profile != 0) {
2860             ret = mbedtls_ssl_conf_dtls_srtp_protection_profiles(&conf, forced_profile);
2861         } else {
2862             ret = mbedtls_ssl_conf_dtls_srtp_protection_profiles(&conf, default_profiles);
2863         }
2864 
2865         if (ret != 0) {
2866             mbedtls_printf(
2867                 " failed\n  ! mbedtls_ssl_conf_dtls_srtp_protection_profiles returned %d\n\n",
2868                 ret);
2869             goto exit;
2870         }
2871 
2872         mbedtls_ssl_conf_srtp_mki_value_supported(&conf,
2873                                                   opt.support_mki ?
2874                                                   MBEDTLS_SSL_DTLS_SRTP_MKI_SUPPORTED :
2875                                                   MBEDTLS_SSL_DTLS_SRTP_MKI_UNSUPPORTED);
2876 
2877     } else if (opt.force_srtp_profile != 0) {
2878         mbedtls_printf(" failed\n  ! must enable use_srtp to force srtp profile\n\n");
2879         goto exit;
2880     }
2881 #endif /* MBEDTLS_SSL_DTLS_SRTP */
2882 
2883 #if defined(MBEDTLS_SSL_EXTENDED_MASTER_SECRET)
2884     if (opt.extended_ms != DFL_EXTENDED_MS) {
2885         mbedtls_ssl_conf_extended_master_secret(&conf, opt.extended_ms);
2886     }
2887 #endif
2888 
2889 #if defined(MBEDTLS_SSL_ENCRYPT_THEN_MAC)
2890     if (opt.etm != DFL_ETM) {
2891         mbedtls_ssl_conf_encrypt_then_mac(&conf, opt.etm);
2892     }
2893 #endif
2894 
2895 #if defined(MBEDTLS_SSL_ALPN)
2896     if (opt.alpn_string != NULL) {
2897         if ((ret = mbedtls_ssl_conf_alpn_protocols(&conf, alpn_list)) != 0) {
2898             mbedtls_printf(" failed\n  ! mbedtls_ssl_conf_alpn_protocols returned %d\n\n", ret);
2899             goto exit;
2900         }
2901     }
2902 #endif
2903 
2904     if (opt.reproducible) {
2905 #if defined(MBEDTLS_HAVE_TIME)
2906 #if defined(MBEDTLS_PLATFORM_TIME_ALT)
2907         mbedtls_platform_set_time(dummy_constant_time);
2908 #else
2909         fprintf(stderr, "Warning: reproducible option used without constant time\n");
2910 #endif
2911 #endif  /* MBEDTLS_HAVE_TIME */
2912     }
2913     mbedtls_ssl_conf_rng(&conf, rng_get, &rng);
2914     mbedtls_ssl_conf_dbg(&conf, my_debug, stdout);
2915 
2916 #if defined(MBEDTLS_SSL_CACHE_C)
2917     if (opt.cache_max != -1) {
2918         mbedtls_ssl_cache_set_max_entries(&cache, opt.cache_max);
2919     }
2920 
2921 #if defined(MBEDTLS_HAVE_TIME)
2922     if (opt.cache_timeout != -1) {
2923         mbedtls_ssl_cache_set_timeout(&cache, opt.cache_timeout);
2924     }
2925 #endif
2926 
2927     mbedtls_ssl_conf_session_cache(&conf, &cache,
2928                                    mbedtls_ssl_cache_get,
2929                                    mbedtls_ssl_cache_set);
2930 #endif
2931 
2932 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C)
2933     if (opt.tickets != MBEDTLS_SSL_SESSION_TICKETS_DISABLED) {
2934 #if defined(MBEDTLS_HAVE_TIME)
2935         if (opt.dummy_ticket) {
2936             mbedtls_ssl_conf_session_tickets_cb(&conf,
2937                                                 dummy_ticket_write,
2938                                                 dummy_ticket_parse,
2939                                                 NULL);
2940         } else
2941 #endif /* MBEDTLS_HAVE_TIME */
2942         {
2943             if ((ret = mbedtls_ssl_ticket_setup(&ticket_ctx,
2944                                                 rng_get, &rng,
2945                                                 opt.ticket_aead,
2946                                                 opt.ticket_timeout)) != 0) {
2947                 mbedtls_printf(
2948                     " failed\n  ! mbedtls_ssl_ticket_setup returned %d\n\n",
2949                     ret);
2950                 goto exit;
2951             }
2952 
2953             mbedtls_ssl_conf_session_tickets_cb(&conf,
2954                                                 mbedtls_ssl_ticket_write,
2955                                                 mbedtls_ssl_ticket_parse,
2956                                                 &ticket_ctx);
2957         }
2958 
2959 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
2960         mbedtls_ssl_conf_new_session_tickets(&conf, opt.tickets);
2961 #endif
2962         /* exercise manual ticket rotation (not required for typical use)
2963          * (used for external synchronization of session ticket encryption keys)
2964          */
2965         if (opt.ticket_rotate) {
2966             unsigned char kbuf[MBEDTLS_SSL_TICKET_MAX_KEY_BYTES];
2967             unsigned char name[MBEDTLS_SSL_TICKET_KEY_NAME_BYTES];
2968             if ((ret = rng_get(&rng, name, sizeof(name))) != 0 ||
2969                 (ret = rng_get(&rng, kbuf, sizeof(kbuf))) != 0 ||
2970                 (ret = mbedtls_ssl_ticket_rotate(&ticket_ctx,
2971                                                  name, sizeof(name), kbuf, sizeof(kbuf),
2972                                                  opt.ticket_timeout)) != 0) {
2973                 mbedtls_printf(" failed\n  ! mbedtls_ssl_ticket_rotate returned %d\n\n", ret);
2974                 goto exit;
2975             }
2976         }
2977     }
2978 #endif
2979 
2980 #if defined(MBEDTLS_SSL_PROTO_DTLS)
2981     if (opt.transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
2982 #if defined(MBEDTLS_SSL_COOKIE_C)
2983         if (opt.cookies > 0) {
2984             if ((ret = mbedtls_ssl_cookie_setup(&cookie_ctx,
2985                                                 rng_get, &rng)) != 0) {
2986                 mbedtls_printf(" failed\n  ! mbedtls_ssl_cookie_setup returned %d\n\n", ret);
2987                 goto exit;
2988             }
2989 
2990             mbedtls_ssl_conf_dtls_cookies(&conf, mbedtls_ssl_cookie_write, mbedtls_ssl_cookie_check,
2991                                           &cookie_ctx);
2992         } else
2993 #endif /* MBEDTLS_SSL_COOKIE_C */
2994 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
2995         if (opt.cookies == 0) {
2996             mbedtls_ssl_conf_dtls_cookies(&conf, NULL, NULL, NULL);
2997         } else
2998 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
2999         {
3000             ; /* Nothing to do */
3001         }
3002 
3003 #if defined(MBEDTLS_SSL_DTLS_ANTI_REPLAY)
3004         if (opt.anti_replay != DFL_ANTI_REPLAY) {
3005             mbedtls_ssl_conf_dtls_anti_replay(&conf, opt.anti_replay);
3006         }
3007 #endif
3008 
3009         if (opt.badmac_limit != DFL_BADMAC_LIMIT) {
3010             mbedtls_ssl_conf_dtls_badmac_limit(&conf, opt.badmac_limit);
3011         }
3012     }
3013 #endif /* MBEDTLS_SSL_PROTO_DTLS */
3014 
3015     if (opt.force_ciphersuite[0] != DFL_FORCE_CIPHER) {
3016         mbedtls_ssl_conf_ciphersuites(&conf, opt.force_ciphersuite);
3017     }
3018 
3019 #if defined(MBEDTLS_SSL_PROTO_TLS1_3)
3020     mbedtls_ssl_conf_tls13_key_exchange_modes(&conf, opt.tls13_kex_modes);
3021 #endif /* MBEDTLS_SSL_PROTO_TLS1_3 */
3022 
3023     if (opt.allow_legacy != DFL_ALLOW_LEGACY) {
3024         mbedtls_ssl_conf_legacy_renegotiation(&conf, opt.allow_legacy);
3025     }
3026 #if defined(MBEDTLS_SSL_RENEGOTIATION)
3027     mbedtls_ssl_conf_renegotiation(&conf, opt.renegotiation);
3028 
3029     if (opt.renego_delay != DFL_RENEGO_DELAY) {
3030         mbedtls_ssl_conf_renegotiation_enforced(&conf, opt.renego_delay);
3031     }
3032 
3033     if (opt.renego_period != DFL_RENEGO_PERIOD) {
3034         PUT_UINT64_BE(renego_period, opt.renego_period, 0);
3035         mbedtls_ssl_conf_renegotiation_period(&conf, renego_period);
3036     }
3037 #endif
3038 
3039 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
3040     if (strcmp(opt.ca_path, "none") != 0 &&
3041         strcmp(opt.ca_file, "none") != 0) {
3042 #if defined(MBEDTLS_X509_TRUSTED_CERTIFICATE_CALLBACK)
3043         if (opt.ca_callback != 0) {
3044             mbedtls_ssl_conf_ca_cb(&conf, ca_callback, &cacert);
3045         } else
3046 #endif
3047         mbedtls_ssl_conf_ca_chain(&conf, &cacert, NULL);
3048     }
3049     if (key_cert_init) {
3050         mbedtls_pk_context *pk = &pkey;
3051 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3052         if (opt.async_private_delay1 >= 0) {
3053             ret = ssl_async_set_key(&ssl_async_keys, &srvcert, pk, 0,
3054                                     opt.async_private_delay1);
3055             if (ret < 0) {
3056                 mbedtls_printf("  Test error: ssl_async_set_key failed (%d)\n",
3057                                ret);
3058                 goto exit;
3059             }
3060             pk = NULL;
3061         }
3062 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
3063         if ((ret = mbedtls_ssl_conf_own_cert(&conf, &srvcert, pk)) != 0) {
3064             mbedtls_printf(" failed\n  ! mbedtls_ssl_conf_own_cert returned %d\n\n", ret);
3065             goto exit;
3066         }
3067     }
3068     if (key_cert_init2) {
3069         mbedtls_pk_context *pk = &pkey2;
3070 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3071         if (opt.async_private_delay2 >= 0) {
3072             ret = ssl_async_set_key(&ssl_async_keys, &srvcert2, pk, 0,
3073                                     opt.async_private_delay2);
3074             if (ret < 0) {
3075                 mbedtls_printf("  Test error: ssl_async_set_key failed (%d)\n",
3076                                ret);
3077                 goto exit;
3078             }
3079             pk = NULL;
3080         }
3081 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
3082         if ((ret = mbedtls_ssl_conf_own_cert(&conf, &srvcert2, pk)) != 0) {
3083             mbedtls_printf(" failed\n  ! mbedtls_ssl_conf_own_cert returned %d\n\n", ret);
3084             goto exit;
3085         }
3086     }
3087 
3088 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3089     if (opt.async_operations[0] != '-') {
3090         mbedtls_ssl_async_sign_t *sign = NULL;
3091         mbedtls_ssl_async_decrypt_t *decrypt = NULL;
3092         const char *r;
3093         for (r = opt.async_operations; *r; r++) {
3094             switch (*r) {
3095                 case 'd':
3096                     decrypt = ssl_async_decrypt;
3097                     break;
3098                 case 's':
3099                     sign = ssl_async_sign;
3100                     break;
3101             }
3102         }
3103         ssl_async_keys.inject_error = (opt.async_private_error < 0 ?
3104                                        -opt.async_private_error :
3105                                        opt.async_private_error);
3106         ssl_async_keys.f_rng = rng_get;
3107         ssl_async_keys.p_rng = &rng;
3108         mbedtls_ssl_conf_async_private_cb(&conf,
3109                                           sign,
3110                                           decrypt,
3111                                           ssl_async_resume,
3112                                           ssl_async_cancel,
3113                                           &ssl_async_keys);
3114     }
3115 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
3116 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
3117 
3118 #if defined(SNI_OPTION)
3119     if (opt.sni != NULL) {
3120         mbedtls_ssl_conf_sni(&conf, sni_callback, sni_info);
3121         mbedtls_ssl_conf_cert_cb(&conf, cert_callback);
3122 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3123         if (opt.async_private_delay2 >= 0) {
3124             sni_entry *cur;
3125             for (cur = sni_info; cur != NULL; cur = cur->next) {
3126                 ret = ssl_async_set_key(&ssl_async_keys,
3127                                         cur->cert, cur->key, 1,
3128                                         opt.async_private_delay2);
3129                 if (ret < 0) {
3130                     mbedtls_printf("  Test error: ssl_async_set_key failed (%d)\n",
3131                                    ret);
3132                     goto exit;
3133                 }
3134                 cur->key = NULL;
3135             }
3136         }
3137 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
3138     }
3139 #endif
3140 
3141 #if defined(MBEDTLS_ECP_C)
3142     if (opt.curves != NULL &&
3143         strcmp(opt.curves, "default") != 0) {
3144         mbedtls_ssl_conf_groups(&conf, group_list);
3145     }
3146 #endif
3147 
3148 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
3149     if (opt.sig_algs != NULL) {
3150         mbedtls_ssl_conf_sig_algs(&conf, sig_alg_list);
3151     }
3152 #endif
3153 
3154 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
3155 
3156     if (strlen(opt.psk) != 0 && strlen(opt.psk_identity) != 0) {
3157 #if defined(MBEDTLS_USE_PSA_CRYPTO)
3158         if (opt.psk_opaque != 0) {
3159             /* The algorithm has already been determined earlier. */
3160             status = psa_setup_psk_key_slot(&psk_slot, alg, psk, psk_len);
3161             if (status != PSA_SUCCESS) {
3162                 fprintf(stderr, "SETUP FAIL\n");
3163                 ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
3164                 goto exit;
3165             }
3166             if ((ret = mbedtls_ssl_conf_psk_opaque(&conf, psk_slot,
3167                                                    (const unsigned char *) opt.psk_identity,
3168                                                    strlen(opt.psk_identity))) != 0) {
3169                 mbedtls_printf(" failed\n  ! mbedtls_ssl_conf_psk_opaque returned %d\n\n",
3170                                ret);
3171                 goto exit;
3172             }
3173         } else
3174 #endif /* MBEDTLS_USE_PSA_CRYPTO */
3175         if (psk_len > 0) {
3176             ret = mbedtls_ssl_conf_psk(&conf, psk, psk_len,
3177                                        (const unsigned char *) opt.psk_identity,
3178                                        strlen(opt.psk_identity));
3179             if (ret != 0) {
3180                 mbedtls_printf("  failed\n  mbedtls_ssl_conf_psk returned -0x%04X\n\n",
3181                                (unsigned int) -ret);
3182                 goto exit;
3183             }
3184         }
3185     }
3186 
3187     if (opt.psk_list != NULL) {
3188 #if defined(MBEDTLS_USE_PSA_CRYPTO)
3189         if (opt.psk_list_opaque != 0) {
3190             psk_entry *cur_psk;
3191             for (cur_psk = psk_info; cur_psk != NULL; cur_psk = cur_psk->next) {
3192 
3193                 status = psa_setup_psk_key_slot(&cur_psk->slot, alg,
3194                                                 cur_psk->key,
3195                                                 cur_psk->key_len);
3196                 if (status != PSA_SUCCESS) {
3197                     ret = MBEDTLS_ERR_SSL_HW_ACCEL_FAILED;
3198                     goto exit;
3199                 }
3200             }
3201         }
3202 #endif /* MBEDTLS_USE_PSA_CRYPTO */
3203 
3204         mbedtls_ssl_conf_psk_cb(&conf, psk_callback, psk_info);
3205     }
3206 #endif
3207 
3208 #if defined(MBEDTLS_DHM_C)
3209     /*
3210      * Use different group than default DHM group
3211      */
3212 #if defined(MBEDTLS_FS_IO)
3213     if (opt.dhm_file != NULL) {
3214         ret = mbedtls_ssl_conf_dh_param_ctx(&conf, &dhm);
3215     }
3216 #endif
3217     if (ret != 0) {
3218         mbedtls_printf("  failed\n  mbedtls_ssl_conf_dh_param returned -0x%04X\n\n",
3219                        (unsigned int) -ret);
3220         goto exit;
3221     }
3222 #endif
3223 
3224     if (opt.min_version != DFL_MIN_VERSION) {
3225         mbedtls_ssl_conf_min_tls_version(&conf, opt.min_version);
3226     }
3227 
3228     if (opt.max_version != DFL_MIN_VERSION) {
3229         mbedtls_ssl_conf_max_tls_version(&conf, opt.max_version);
3230     }
3231 
3232     if ((ret = mbedtls_ssl_setup(&ssl, &conf)) != 0) {
3233         mbedtls_printf(" failed\n  ! mbedtls_ssl_setup returned -0x%x\n\n", (unsigned int) -ret);
3234         goto exit;
3235     }
3236 
3237     if (opt.eap_tls != 0) {
3238         mbedtls_ssl_set_export_keys_cb(&ssl, eap_tls_key_derivation,
3239                                        &eap_tls_keying);
3240     } else if (opt.nss_keylog != 0) {
3241         mbedtls_ssl_set_export_keys_cb(&ssl,
3242                                        nss_keylog_export,
3243                                        NULL);
3244     }
3245 #if defined(MBEDTLS_SSL_DTLS_SRTP)
3246     else if (opt.use_srtp != 0) {
3247         mbedtls_ssl_set_export_keys_cb(&ssl, dtls_srtp_key_derivation,
3248                                        &dtls_srtp_keying);
3249     }
3250 #endif /* MBEDTLS_SSL_DTLS_SRTP */
3251 
3252     io_ctx.ssl = &ssl;
3253     io_ctx.net = &client_fd;
3254     mbedtls_ssl_set_bio(&ssl, &io_ctx, send_cb, recv_cb,
3255                         opt.nbio == 0 ? recv_timeout_cb : NULL);
3256 
3257 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
3258     if (opt.transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
3259         if ((ret = mbedtls_ssl_set_cid(&ssl, opt.cid_enabled,
3260                                        cid, cid_len)) != 0) {
3261             mbedtls_printf(" failed\n  ! mbedtls_ssl_set_cid returned %d\n\n",
3262                            ret);
3263             goto exit;
3264         }
3265     }
3266 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
3267 
3268 #if defined(MBEDTLS_SSL_PROTO_DTLS)
3269     if (opt.dtls_mtu != DFL_DTLS_MTU) {
3270         mbedtls_ssl_set_mtu(&ssl, opt.dtls_mtu);
3271     }
3272 #endif
3273 
3274 #if defined(MBEDTLS_TIMING_C)
3275     mbedtls_ssl_set_timer_cb(&ssl, &timer, mbedtls_timing_set_delay,
3276                              mbedtls_timing_get_delay);
3277 #endif
3278 
3279     mbedtls_printf(" ok\n");
3280 
3281     /*
3282      * 3. Setup the listening TCP socket
3283      */
3284     mbedtls_printf("  . Bind on %s://%s:%s/ ...",
3285                    opt.transport == MBEDTLS_SSL_TRANSPORT_STREAM ? "tcp" : "udp",
3286                    opt.server_addr ? opt.server_addr : "*",
3287                    opt.server_port);
3288     fflush(stdout);
3289 
3290     if ((ret = mbedtls_net_bind(&listen_fd, opt.server_addr, opt.server_port,
3291                                 opt.transport == MBEDTLS_SSL_TRANSPORT_STREAM ?
3292                                 MBEDTLS_NET_PROTO_TCP : MBEDTLS_NET_PROTO_UDP)) != 0) {
3293         mbedtls_printf(" failed\n  ! mbedtls_net_bind returned -0x%x\n\n", (unsigned int) -ret);
3294         goto exit;
3295     }
3296     mbedtls_printf(" ok\n");
3297 
3298 reset:
3299 #if !defined(_WIN32)
3300     if (received_sigterm) {
3301         mbedtls_printf(" interrupted by SIGTERM (not in net_accept())\n");
3302         if (ret == MBEDTLS_ERR_NET_INVALID_CONTEXT) {
3303             ret = 0;
3304         }
3305 
3306         goto exit;
3307     }
3308 #endif
3309 
3310     if (ret == MBEDTLS_ERR_SSL_CLIENT_RECONNECT) {
3311         mbedtls_printf("  ! Client initiated reconnection from same port\n");
3312         goto handshake;
3313     }
3314 
3315 #ifdef MBEDTLS_ERROR_C
3316     if (ret != 0) {
3317         char error_buf[100];
3318         mbedtls_strerror(ret, error_buf, 100);
3319         mbedtls_printf("Last error was: %d - %s\n\n", ret, error_buf);
3320     }
3321 #endif
3322 
3323     mbedtls_net_free(&client_fd);
3324 
3325     mbedtls_ssl_session_reset(&ssl);
3326 
3327     /*
3328      * 3. Wait until a client connects
3329      */
3330     mbedtls_printf("  . Waiting for a remote connection ...");
3331     fflush(stdout);
3332 
3333     if ((ret = mbedtls_net_accept(&listen_fd, &client_fd,
3334                                   client_ip, sizeof(client_ip), &cliip_len)) != 0) {
3335 #if !defined(_WIN32)
3336         if (received_sigterm) {
3337             mbedtls_printf(" interrupted by SIGTERM (in net_accept())\n");
3338             if (ret == MBEDTLS_ERR_NET_ACCEPT_FAILED) {
3339                 ret = 0;
3340             }
3341 
3342             goto exit;
3343         }
3344 #endif
3345 
3346         mbedtls_printf(" failed\n  ! mbedtls_net_accept returned -0x%x\n\n", (unsigned int) -ret);
3347         goto exit;
3348     }
3349 
3350     if (opt.nbio > 0) {
3351         ret = mbedtls_net_set_nonblock(&client_fd);
3352     } else {
3353         ret = mbedtls_net_set_block(&client_fd);
3354     }
3355     if (ret != 0) {
3356         mbedtls_printf(" failed\n  ! net_set_(non)block() returned -0x%x\n\n", (unsigned int) -ret);
3357         goto exit;
3358     }
3359 
3360     mbedtls_ssl_conf_read_timeout(&conf, opt.read_timeout);
3361 
3362 #if defined(MBEDTLS_SSL_DTLS_HELLO_VERIFY)
3363     if (opt.transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
3364         if ((ret = mbedtls_ssl_set_client_transport_id(&ssl,
3365                                                        client_ip, cliip_len)) != 0) {
3366             mbedtls_printf(" failed\n  ! mbedtls_ssl_set_client_transport_id() returned -0x%x\n\n",
3367                            (unsigned int) -ret);
3368             goto exit;
3369         }
3370     }
3371 #endif /* MBEDTLS_SSL_DTLS_HELLO_VERIFY */
3372 
3373 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED)
3374     if (opt.ecjpake_pw != DFL_ECJPAKE_PW) {
3375 #if defined(MBEDTLS_USE_PSA_CRYPTO)
3376         if (opt.ecjpake_pw_opaque != DFL_ECJPAKE_PW_OPAQUE) {
3377             psa_key_attributes_t attributes = PSA_KEY_ATTRIBUTES_INIT;
3378 
3379             psa_set_key_usage_flags(&attributes, PSA_KEY_USAGE_DERIVE);
3380             psa_set_key_algorithm(&attributes, PSA_ALG_JPAKE);
3381             psa_set_key_type(&attributes, PSA_KEY_TYPE_PASSWORD);
3382 
3383             status = psa_import_key(&attributes,
3384                                     (const unsigned char *) opt.ecjpake_pw,
3385                                     strlen(opt.ecjpake_pw),
3386                                     &ecjpake_pw_slot);
3387             if (status != PSA_SUCCESS) {
3388                 mbedtls_printf(" failed\n  ! psa_import_key returned %d\n\n",
3389                                status);
3390                 goto exit;
3391             }
3392             if ((ret = mbedtls_ssl_set_hs_ecjpake_password_opaque(&ssl,
3393                                                                   ecjpake_pw_slot)) != 0) {
3394                 mbedtls_printf(
3395                     " failed\n  ! mbedtls_ssl_set_hs_ecjpake_password_opaque returned %d\n\n",
3396                     ret);
3397                 goto exit;
3398             }
3399             mbedtls_printf("using opaque password\n");
3400         } else
3401 #endif  /* MBEDTLS_USE_PSA_CRYPTO */
3402         {
3403             if ((ret = mbedtls_ssl_set_hs_ecjpake_password(&ssl,
3404                                                            (const unsigned char *) opt.ecjpake_pw,
3405                                                            strlen(opt.ecjpake_pw))) != 0) {
3406                 mbedtls_printf(" failed\n  ! mbedtls_ssl_set_hs_ecjpake_password returned %d\n\n",
3407                                ret);
3408                 goto exit;
3409             }
3410         }
3411     }
3412 #endif /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED */
3413 
3414 #if defined(MBEDTLS_SSL_SERVER_NAME_INDICATION)
3415 #if defined(MBEDTLS_KEY_EXCHANGE_CERT_REQ_ALLOWED_ENABLED)
3416     /* exercise setting DN hints for server certificate request
3417      * (Intended for use where the client cert expected has been signed by
3418      *  a specific CA which is an intermediate in a CA chain, not the root)
3419      * (Additionally, the CA choice would typically be influenced by SNI
3420      *  if being set per-handshake using mbedtls_ssl_set_hs_dn_hints()) */
3421     if (opt.cert_req_dn_hint == 3 && key_cert_init2) {
3422         mbedtls_ssl_set_hs_dn_hints(&ssl, &srvcert2);
3423     }
3424 #endif
3425 #endif
3426 
3427     mbedtls_printf(" ok\n");
3428 
3429     /*
3430      * 4. Handshake
3431      */
3432 handshake:
3433     mbedtls_printf("  . Performing the SSL/TLS handshake...");
3434     fflush(stdout);
3435 
3436     while ((ret = mbedtls_ssl_handshake(&ssl)) != 0) {
3437 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3438         if (ret == MBEDTLS_ERR_SSL_ASYNC_IN_PROGRESS &&
3439             ssl_async_keys.inject_error == SSL_ASYNC_INJECT_ERROR_CANCEL) {
3440             mbedtls_printf(" cancelling on injected error\n");
3441             break;
3442         }
3443 #endif /* MBEDTLS_SSL_ASYNC_PRIVATE */
3444 
3445         if (!mbedtls_status_is_ssl_in_progress(ret)) {
3446             break;
3447         }
3448 
3449         /* For event-driven IO, wait for socket to become available */
3450         if (opt.event == 1 /* level triggered IO */) {
3451 #if defined(MBEDTLS_TIMING_C)
3452             ret = idle(&client_fd, &timer, ret);
3453 #else
3454             ret = idle(&client_fd, ret);
3455 #endif
3456             if (ret != 0) {
3457                 goto reset;
3458             }
3459         }
3460     }
3461 
3462     if (ret == MBEDTLS_ERR_SSL_HELLO_VERIFY_REQUIRED) {
3463         mbedtls_printf(" hello verification requested\n");
3464         ret = 0;
3465         goto reset;
3466     } else if (ret != 0) {
3467         mbedtls_printf(" failed\n  ! mbedtls_ssl_handshake returned -0x%x\n\n",
3468                        (unsigned int) -ret);
3469 
3470 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
3471         if (ret == MBEDTLS_ERR_X509_CERT_VERIFY_FAILED) {
3472             char vrfy_buf[512];
3473             flags = mbedtls_ssl_get_verify_result(&ssl);
3474 
3475             x509_crt_verify_info(vrfy_buf, sizeof(vrfy_buf), "  ! ", flags);
3476 
3477             mbedtls_printf("%s\n", vrfy_buf);
3478         }
3479 #endif
3480 
3481 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
3482         if (opt.async_private_error < 0) {
3483             /* Injected error only the first time round, to test reset */
3484             ssl_async_keys.inject_error = SSL_ASYNC_INJECT_ERROR_NONE;
3485         }
3486 #endif
3487         goto reset;
3488     } else { /* ret == 0 */
3489         int suite_id = mbedtls_ssl_get_ciphersuite_id_from_ssl(&ssl);
3490         const mbedtls_ssl_ciphersuite_t *ciphersuite_info;
3491         ciphersuite_info = mbedtls_ssl_ciphersuite_from_id(suite_id);
3492 
3493         mbedtls_printf(" ok\n    [ Protocol is %s ]\n"
3494                        "    [ Ciphersuite is %s ]\n"
3495                        "    [ Key size is %u ]\n",
3496                        mbedtls_ssl_get_version(&ssl),
3497                        mbedtls_ssl_ciphersuite_get_name(ciphersuite_info),
3498                        (unsigned int)
3499                        mbedtls_ssl_ciphersuite_get_cipher_key_bitlen(ciphersuite_info));
3500     }
3501 
3502     if ((ret = mbedtls_ssl_get_record_expansion(&ssl)) >= 0) {
3503         mbedtls_printf("    [ Record expansion is %d ]\n", ret);
3504     } else {
3505         mbedtls_printf("    [ Record expansion is unknown ]\n");
3506     }
3507 
3508 #if defined(MBEDTLS_SSL_MAX_FRAGMENT_LENGTH)
3509     mbedtls_printf("    [ Maximum incoming record payload length is %u ]\n",
3510                    (unsigned int) mbedtls_ssl_get_max_in_record_payload(&ssl));
3511     mbedtls_printf("    [ Maximum outgoing record payload length is %u ]\n",
3512                    (unsigned int) mbedtls_ssl_get_max_out_record_payload(&ssl));
3513 #endif
3514 
3515 #if defined(MBEDTLS_SSL_ALPN)
3516     if (opt.alpn_string != NULL) {
3517         const char *alp = mbedtls_ssl_get_alpn_protocol(&ssl);
3518         mbedtls_printf("    [ Application Layer Protocol is %s ]\n",
3519                        alp ? alp : "(none)");
3520     }
3521 #endif
3522 
3523 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
3524     /*
3525      * 5. Verify the client certificate
3526      */
3527     mbedtls_printf("  . Verifying peer X.509 certificate...");
3528 
3529     if ((flags = mbedtls_ssl_get_verify_result(&ssl)) != 0) {
3530         char vrfy_buf[512];
3531 
3532         mbedtls_printf(" failed\n");
3533 
3534         x509_crt_verify_info(vrfy_buf, sizeof(vrfy_buf), "  ! ", flags);
3535         mbedtls_printf("%s\n", vrfy_buf);
3536     } else {
3537         mbedtls_printf(" ok\n");
3538     }
3539 
3540 #if !defined(MBEDTLS_X509_REMOVE_INFO)
3541     if (mbedtls_ssl_get_peer_cert(&ssl) != NULL) {
3542         char crt_buf[512];
3543 
3544         mbedtls_printf("  . Peer certificate information    ...\n");
3545         mbedtls_x509_crt_info(crt_buf, sizeof(crt_buf), "      ",
3546                               mbedtls_ssl_get_peer_cert(&ssl));
3547         mbedtls_printf("%s\n", crt_buf);
3548     }
3549 #endif /* MBEDTLS_X509_REMOVE_INFO */
3550 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED */
3551 
3552     if (opt.eap_tls != 0) {
3553         size_t j = 0;
3554 
3555         if ((ret = mbedtls_ssl_tls_prf(eap_tls_keying.tls_prf_type,
3556                                        eap_tls_keying.master_secret,
3557                                        sizeof(eap_tls_keying.master_secret),
3558                                        eap_tls_label,
3559                                        eap_tls_keying.randbytes,
3560                                        sizeof(eap_tls_keying.randbytes),
3561                                        eap_tls_keymaterial,
3562                                        sizeof(eap_tls_keymaterial)))
3563             != 0) {
3564             mbedtls_printf(" failed\n  ! mbedtls_ssl_tls_prf returned -0x%x\n\n",
3565                            (unsigned int) -ret);
3566             goto reset;
3567         }
3568 
3569         mbedtls_printf("    EAP-TLS key material is:");
3570         for (j = 0; j < sizeof(eap_tls_keymaterial); j++) {
3571             if (j % 8 == 0) {
3572                 mbedtls_printf("\n    ");
3573             }
3574             mbedtls_printf("%02x ", eap_tls_keymaterial[j]);
3575         }
3576         mbedtls_printf("\n");
3577 
3578         if ((ret = mbedtls_ssl_tls_prf(eap_tls_keying.tls_prf_type, NULL, 0,
3579                                        eap_tls_label,
3580                                        eap_tls_keying.randbytes,
3581                                        sizeof(eap_tls_keying.randbytes),
3582                                        eap_tls_iv,
3583                                        sizeof(eap_tls_iv))) != 0) {
3584             mbedtls_printf(" failed\n  ! mbedtls_ssl_tls_prf returned -0x%x\n\n",
3585                            (unsigned int) -ret);
3586             goto reset;
3587         }
3588 
3589         mbedtls_printf("    EAP-TLS IV is:");
3590         for (j = 0; j < sizeof(eap_tls_iv); j++) {
3591             if (j % 8 == 0) {
3592                 mbedtls_printf("\n    ");
3593             }
3594             mbedtls_printf("%02x ", eap_tls_iv[j]);
3595         }
3596         mbedtls_printf("\n");
3597     }
3598 
3599 #if defined(MBEDTLS_SSL_DTLS_SRTP)
3600     else if (opt.use_srtp != 0) {
3601         size_t j = 0;
3602         mbedtls_dtls_srtp_info dtls_srtp_negotiation_result;
3603         mbedtls_ssl_get_dtls_srtp_negotiation_result(&ssl, &dtls_srtp_negotiation_result);
3604 
3605         if (dtls_srtp_negotiation_result.chosen_dtls_srtp_profile
3606             == MBEDTLS_TLS_SRTP_UNSET) {
3607             mbedtls_printf("    Unable to negotiate "
3608                            "the use of DTLS-SRTP\n");
3609         } else {
3610             if ((ret = mbedtls_ssl_tls_prf(dtls_srtp_keying.tls_prf_type,
3611                                            dtls_srtp_keying.master_secret,
3612                                            sizeof(dtls_srtp_keying.master_secret),
3613                                            dtls_srtp_label,
3614                                            dtls_srtp_keying.randbytes,
3615                                            sizeof(dtls_srtp_keying.randbytes),
3616                                            dtls_srtp_key_material,
3617                                            sizeof(dtls_srtp_key_material)))
3618                 != 0) {
3619                 mbedtls_printf(" failed\n  ! mbedtls_ssl_tls_prf returned -0x%x\n\n",
3620                                (unsigned int) -ret);
3621                 goto exit;
3622             }
3623 
3624             mbedtls_printf("    DTLS-SRTP key material is:");
3625             for (j = 0; j < sizeof(dtls_srtp_key_material); j++) {
3626                 if (j % 8 == 0) {
3627                     mbedtls_printf("\n    ");
3628                 }
3629                 mbedtls_printf("%02x ", dtls_srtp_key_material[j]);
3630             }
3631             mbedtls_printf("\n");
3632 
3633             /* produce a less readable output used to perform automatic checks
3634              * - compare client and server output
3635              * - interop test with openssl which client produces this kind of output
3636              */
3637             mbedtls_printf("    Keying material: ");
3638             for (j = 0; j < sizeof(dtls_srtp_key_material); j++) {
3639                 mbedtls_printf("%02X", dtls_srtp_key_material[j]);
3640             }
3641             mbedtls_printf("\n");
3642 
3643             if (dtls_srtp_negotiation_result.mki_len > 0) {
3644                 mbedtls_printf("    DTLS-SRTP mki value: ");
3645                 for (j = 0; j < dtls_srtp_negotiation_result.mki_len; j++) {
3646                     mbedtls_printf("%02X", dtls_srtp_negotiation_result.mki_value[j]);
3647                 }
3648             } else {
3649                 mbedtls_printf("    DTLS-SRTP no mki value negotiated");
3650             }
3651             mbedtls_printf("\n");
3652 
3653         }
3654     }
3655 #endif /* MBEDTLS_SSL_DTLS_SRTP */
3656 
3657 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
3658     ret = report_cid_usage(&ssl, "initial handshake");
3659     if (ret != 0) {
3660         goto exit;
3661     }
3662 
3663     if (opt.transport == MBEDTLS_SSL_TRANSPORT_DATAGRAM) {
3664         if ((ret = mbedtls_ssl_set_cid(&ssl, opt.cid_enabled_renego,
3665                                        cid_renego, cid_renego_len)) != 0) {
3666             mbedtls_printf(" failed\n  ! mbedtls_ssl_set_cid returned %d\n\n",
3667                            ret);
3668             goto exit;
3669         }
3670     }
3671 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
3672 
3673 #if defined(MBEDTLS_MEMORY_DEBUG)
3674     mbedtls_memory_buffer_alloc_cur_get(&current_heap_memory, &heap_blocks);
3675     mbedtls_memory_buffer_alloc_max_get(&peak_heap_memory, &heap_blocks);
3676     mbedtls_printf("Heap memory usage after handshake: %lu bytes. Peak memory usage was %lu\n",
3677                    (unsigned long) current_heap_memory, (unsigned long) peak_heap_memory);
3678 #endif  /* MBEDTLS_MEMORY_DEBUG */
3679 
3680     if (opt.exchanges == 0) {
3681         goto close_notify;
3682     }
3683 
3684     exchanges_left = opt.exchanges;
3685 data_exchange:
3686     /*
3687      * 6. Read the HTTP Request
3688      */
3689     mbedtls_printf("  < Read from client:");
3690     fflush(stdout);
3691 
3692     /*
3693      * TLS and DTLS need different reading styles (stream vs datagram)
3694      */
3695     if (opt.transport == MBEDTLS_SSL_TRANSPORT_STREAM) {
3696         do {
3697             int terminated = 0;
3698             len = opt.buffer_size;
3699             memset(buf, 0, opt.buffer_size);
3700             ret = mbedtls_ssl_read(&ssl, buf, len);
3701 
3702             if (mbedtls_status_is_ssl_in_progress(ret)) {
3703                 if (opt.event == 1 /* level triggered IO */) {
3704 #if defined(MBEDTLS_TIMING_C)
3705                     idle(&client_fd, &timer, ret);
3706 #else
3707                     idle(&client_fd, ret);
3708 #endif
3709                 }
3710 
3711                 continue;
3712             }
3713 
3714             if (ret <= 0) {
3715                 switch (ret) {
3716                     case MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY:
3717                         mbedtls_printf(" connection was closed gracefully\n");
3718                         goto close_notify;
3719 
3720                     case 0:
3721                     case MBEDTLS_ERR_NET_CONN_RESET:
3722                         mbedtls_printf(" connection was reset by peer\n");
3723                         ret = MBEDTLS_ERR_NET_CONN_RESET;
3724                         goto reset;
3725 
3726                     default:
3727                         mbedtls_printf(" mbedtls_ssl_read returned -0x%x\n", (unsigned int) -ret);
3728                         goto reset;
3729                 }
3730             }
3731 
3732             if (mbedtls_ssl_get_bytes_avail(&ssl) == 0) {
3733                 len = ret;
3734                 buf[len] = '\0';
3735                 mbedtls_printf(" %d bytes read\n\n%s\n", len, (char *) buf);
3736 
3737                 /* End of message should be detected according to the syntax of the
3738                  * application protocol (eg HTTP), just use a dummy test here. */
3739                 if (buf[len - 1] == '\n') {
3740                     terminated = 1;
3741                 }
3742             } else {
3743                 int extra_len, ori_len;
3744                 unsigned char *larger_buf;
3745 
3746                 ori_len = ret;
3747                 extra_len = (int) mbedtls_ssl_get_bytes_avail(&ssl);
3748 
3749                 larger_buf = mbedtls_calloc(1, ori_len + extra_len + 1);
3750                 if (larger_buf == NULL) {
3751                     mbedtls_printf("  ! memory allocation failed\n");
3752                     ret = 1;
3753                     goto reset;
3754                 }
3755 
3756                 memset(larger_buf, 0, ori_len + extra_len);
3757                 memcpy(larger_buf, buf, ori_len);
3758 
3759                 /* This read should never fail and get the whole cached data */
3760                 ret = mbedtls_ssl_read(&ssl, larger_buf + ori_len, extra_len);
3761                 if (ret != extra_len ||
3762                     mbedtls_ssl_get_bytes_avail(&ssl) != 0) {
3763                     mbedtls_printf("  ! mbedtls_ssl_read failed on cached data\n");
3764                     ret = 1;
3765                     goto reset;
3766                 }
3767 
3768                 larger_buf[ori_len + extra_len] = '\0';
3769                 mbedtls_printf(" %d bytes read (%d + %d)\n\n%s\n",
3770                                ori_len + extra_len, ori_len, extra_len,
3771                                (char *) larger_buf);
3772 
3773                 /* End of message should be detected according to the syntax of the
3774                  * application protocol (eg HTTP), just use a dummy test here. */
3775                 if (larger_buf[ori_len + extra_len - 1] == '\n') {
3776                     terminated = 1;
3777                 }
3778 
3779                 mbedtls_free(larger_buf);
3780             }
3781 
3782             if (terminated) {
3783                 ret = 0;
3784                 break;
3785             }
3786         } while (1);
3787     } else { /* Not stream, so datagram */
3788         len = opt.buffer_size;
3789         memset(buf, 0, opt.buffer_size);
3790 
3791         do {
3792             /* Without the call to `mbedtls_ssl_check_pending`, it might
3793              * happen that the client sends application data in the same
3794              * datagram as the Finished message concluding the handshake.
3795              * In this case, the application data would be ready to be
3796              * processed while the underlying transport wouldn't signal
3797              * any further incoming data.
3798              *
3799              * See the test 'Event-driven I/O: session-id resume, UDP packing'
3800              * in tests/ssl-opt.sh.
3801              */
3802 
3803             /* For event-driven IO, wait for socket to become available */
3804             if (mbedtls_ssl_check_pending(&ssl) == 0 &&
3805                 opt.event == 1 /* level triggered IO */) {
3806 #if defined(MBEDTLS_TIMING_C)
3807                 idle(&client_fd, &timer, MBEDTLS_ERR_SSL_WANT_READ);
3808 #else
3809                 idle(&client_fd, MBEDTLS_ERR_SSL_WANT_READ);
3810 #endif
3811             }
3812 
3813             ret = mbedtls_ssl_read(&ssl, buf, len);
3814 
3815             /* Note that even if `mbedtls_ssl_check_pending` returns true,
3816              * it can happen that the subsequent call to `mbedtls_ssl_read`
3817              * returns `MBEDTLS_ERR_SSL_WANT_READ`, because the pending messages
3818              * might be discarded (e.g. because they are retransmissions). */
3819         } while (mbedtls_status_is_ssl_in_progress(ret));
3820 
3821         if (ret <= 0) {
3822             switch (ret) {
3823                 case MBEDTLS_ERR_SSL_PEER_CLOSE_NOTIFY:
3824                     mbedtls_printf(" connection was closed gracefully\n");
3825                     ret = 0;
3826                     goto close_notify;
3827 
3828                 default:
3829                     mbedtls_printf(" mbedtls_ssl_read returned -0x%x\n", (unsigned int) -ret);
3830                     goto reset;
3831             }
3832         }
3833 
3834         len = ret;
3835         buf[len] = '\0';
3836         mbedtls_printf(" %d bytes read\n\n%s", len, (char *) buf);
3837         ret = 0;
3838     }
3839 
3840     /*
3841      * 7a. Request renegotiation while client is waiting for input from us.
3842      * (only on the first exchange, to be able to test retransmission)
3843      */
3844 #if defined(MBEDTLS_SSL_RENEGOTIATION)
3845     if (opt.renegotiate && exchanges_left == opt.exchanges) {
3846         mbedtls_printf("  . Requestion renegotiation...");
3847         fflush(stdout);
3848 
3849         while ((ret = mbedtls_ssl_renegotiate(&ssl)) != 0) {
3850             if (!mbedtls_status_is_ssl_in_progress(ret)) {
3851                 mbedtls_printf(" failed\n  ! mbedtls_ssl_renegotiate returned %d\n\n", ret);
3852                 goto reset;
3853             }
3854 
3855             /* For event-driven IO, wait for socket to become available */
3856             if (opt.event == 1 /* level triggered IO */) {
3857 #if defined(MBEDTLS_TIMING_C)
3858                 idle(&client_fd, &timer, ret);
3859 #else
3860                 idle(&client_fd, ret);
3861 #endif
3862             }
3863         }
3864 
3865         mbedtls_printf(" ok\n");
3866     }
3867 #endif /* MBEDTLS_SSL_RENEGOTIATION */
3868 
3869 #if defined(MBEDTLS_SSL_DTLS_CONNECTION_ID)
3870     ret = report_cid_usage(&ssl, "after renegotiation");
3871     if (ret != 0) {
3872         goto exit;
3873     }
3874 #endif /* MBEDTLS_SSL_DTLS_CONNECTION_ID */
3875 
3876     /*
3877      * 7. Write the 200 Response
3878      */
3879     mbedtls_printf("  > Write to client:");
3880     fflush(stdout);
3881 
3882     /* If the format of the response changes, make sure there is enough
3883      * room in buf (buf_content_size calculation above). */
3884     len = sprintf((char *) buf, HTTP_RESPONSE,
3885                   mbedtls_ssl_get_ciphersuite(&ssl));
3886 
3887     /* Add padding to the response to reach opt.response_size in length */
3888     if (opt.response_size != DFL_RESPONSE_SIZE &&
3889         len < opt.response_size) {
3890         memset(buf + len, 'B', opt.response_size - len);
3891         len += opt.response_size - len;
3892     }
3893 
3894     /* Truncate if response size is smaller than the "natural" size */
3895     if (opt.response_size != DFL_RESPONSE_SIZE &&
3896         len > opt.response_size) {
3897         len = opt.response_size;
3898 
3899         /* Still end with \r\n unless that's really not possible */
3900         if (len >= 2) {
3901             buf[len - 2] = '\r';
3902         }
3903         if (len >= 1) {
3904             buf[len - 1] = '\n';
3905         }
3906     }
3907 
3908     if (opt.transport == MBEDTLS_SSL_TRANSPORT_STREAM) {
3909         for (written = 0, frags = 0; written < len; written += ret, frags++) {
3910             while ((ret = mbedtls_ssl_write(&ssl, buf + written, len - written))
3911                    <= 0) {
3912                 if (ret == MBEDTLS_ERR_NET_CONN_RESET) {
3913                     mbedtls_printf(" failed\n  ! peer closed the connection\n\n");
3914                     goto reset;
3915                 }
3916 
3917                 if (!mbedtls_status_is_ssl_in_progress(ret)) {
3918                     mbedtls_printf(" failed\n  ! mbedtls_ssl_write returned %d\n\n", ret);
3919                     goto reset;
3920                 }
3921 
3922                 /* For event-driven IO, wait for socket to become available */
3923                 if (opt.event == 1 /* level triggered IO */) {
3924 #if defined(MBEDTLS_TIMING_C)
3925                     idle(&client_fd, &timer, ret);
3926 #else
3927                     idle(&client_fd, ret);
3928 #endif
3929                 }
3930             }
3931         }
3932     } else { /* Not stream, so datagram */
3933         while (1) {
3934             ret = mbedtls_ssl_write(&ssl, buf, len);
3935 
3936             if (!mbedtls_status_is_ssl_in_progress(ret)) {
3937                 break;
3938             }
3939 
3940             /* For event-driven IO, wait for socket to become available */
3941             if (opt.event == 1 /* level triggered IO */) {
3942 #if defined(MBEDTLS_TIMING_C)
3943                 idle(&client_fd, &timer, ret);
3944 #else
3945                 idle(&client_fd, ret);
3946 #endif
3947             }
3948         }
3949 
3950         if (ret < 0) {
3951             mbedtls_printf(" failed\n  ! mbedtls_ssl_write returned %d\n\n", ret);
3952             goto reset;
3953         }
3954 
3955         frags = 1;
3956         written = ret;
3957     }
3958 
3959     buf[written] = '\0';
3960     mbedtls_printf(" %d bytes written in %d fragments\n\n%s\n", written, frags, (char *) buf);
3961     ret = 0;
3962 
3963     /*
3964      * 7b. Simulate serialize/deserialize and go back to data exchange
3965      */
3966 #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
3967     if (opt.serialize != 0) {
3968         size_t buf_len;
3969 
3970         mbedtls_printf("  . Serializing live connection...");
3971 
3972         ret = mbedtls_ssl_context_save(&ssl, NULL, 0, &buf_len);
3973         if (ret != MBEDTLS_ERR_SSL_BUFFER_TOO_SMALL) {
3974             mbedtls_printf(" failed\n  ! mbedtls_ssl_context_save returned "
3975                            "-0x%x\n\n", (unsigned int) -ret);
3976 
3977             goto exit;
3978         }
3979 
3980         if ((context_buf = mbedtls_calloc(1, buf_len)) == NULL) {
3981             mbedtls_printf(" failed\n  ! Couldn't allocate buffer for "
3982                            "serialized context");
3983 
3984             goto exit;
3985         }
3986         context_buf_len = buf_len;
3987 
3988         if ((ret = mbedtls_ssl_context_save(&ssl, context_buf,
3989                                             buf_len, &buf_len)) != 0) {
3990             mbedtls_printf(" failed\n  ! mbedtls_ssl_context_save returned "
3991                            "-0x%x\n\n", (unsigned int) -ret);
3992 
3993             goto exit;
3994         }
3995 
3996         mbedtls_printf(" ok\n");
3997 
3998         /* Save serialized context to the 'opt.context_file' as a base64 code */
3999         if (0 < strlen(opt.context_file)) {
4000             FILE *b64_file;
4001             uint8_t *b64_buf;
4002             size_t b64_len;
4003 
4004             mbedtls_printf("  . Save serialized context to a file... ");
4005 
4006             mbedtls_base64_encode(NULL, 0, &b64_len, context_buf, buf_len);
4007 
4008             if ((b64_buf = mbedtls_calloc(1, b64_len)) == NULL) {
4009                 mbedtls_printf("failed\n  ! Couldn't allocate buffer for "
4010                                "the base64 code\n");
4011                 goto exit;
4012             }
4013 
4014             if ((ret = mbedtls_base64_encode(b64_buf, b64_len, &b64_len,
4015                                              context_buf, buf_len)) != 0) {
4016                 mbedtls_printf("failed\n  ! mbedtls_base64_encode returned "
4017                                "-0x%x\n", (unsigned int) -ret);
4018                 mbedtls_free(b64_buf);
4019                 goto exit;
4020             }
4021 
4022             if ((b64_file = fopen(opt.context_file, "w")) == NULL) {
4023                 mbedtls_printf("failed\n  ! Cannot open '%s' for writing.\n",
4024                                opt.context_file);
4025                 mbedtls_free(b64_buf);
4026                 goto exit;
4027             }
4028 
4029             if (b64_len != fwrite(b64_buf, 1, b64_len, b64_file)) {
4030                 mbedtls_printf("failed\n  ! fwrite(%ld bytes) failed\n",
4031                                (long) b64_len);
4032                 mbedtls_free(b64_buf);
4033                 fclose(b64_file);
4034                 goto exit;
4035             }
4036 
4037             mbedtls_free(b64_buf);
4038             fclose(b64_file);
4039 
4040             mbedtls_printf("ok\n");
4041         }
4042 
4043         /*
4044          * This simulates a workflow where you have a long-lived server
4045          * instance, potentially with a pool of ssl_context objects, and you
4046          * just want to re-use one while the connection is inactive: in that
4047          * case you can just reset() it, and then it's ready to receive
4048          * serialized data from another connection (or the same here).
4049          */
4050         if (opt.serialize == 1) {
4051             /* nothing to do here, done by context_save() already */
4052             mbedtls_printf("  . Context has been reset... ok\n");
4053         }
4054 
4055         /*
4056          * This simulates a workflow where you have one server instance per
4057          * connection, and want to release it entire when the connection is
4058          * inactive, and spawn it again when needed again - this would happen
4059          * between ssl_free() and ssl_init() below, together with any other
4060          * teardown/startup code needed - for example, preparing the
4061          * ssl_config again (see section 3 "setup stuff" in this file).
4062          */
4063         if (opt.serialize == 2) {
4064             mbedtls_printf("  . Freeing and reinitializing context...");
4065 
4066             mbedtls_ssl_free(&ssl);
4067 
4068             mbedtls_ssl_init(&ssl);
4069 
4070             if ((ret = mbedtls_ssl_setup(&ssl, &conf)) != 0) {
4071                 mbedtls_printf(" failed\n  ! mbedtls_ssl_setup returned "
4072                                "-0x%x\n\n", (unsigned int) -ret);
4073                 goto exit;
4074             }
4075 
4076             /*
4077              * This illustrates the minimum amount of things you need to set
4078              * up, however you could set up much more if desired, for example
4079              * if you want to share your set up code between the case of
4080              * establishing a new connection and this case.
4081              */
4082             if (opt.nbio == 2) {
4083                 mbedtls_ssl_set_bio(&ssl, &client_fd, delayed_send,
4084                                     delayed_recv, NULL);
4085             } else {
4086                 mbedtls_ssl_set_bio(&ssl, &client_fd, mbedtls_net_send,
4087                                     mbedtls_net_recv,
4088                                     opt.nbio == 0 ? mbedtls_net_recv_timeout : NULL);
4089             }
4090 
4091 #if defined(MBEDTLS_TIMING_C)
4092             mbedtls_ssl_set_timer_cb(&ssl, &timer,
4093                                      mbedtls_timing_set_delay,
4094                                      mbedtls_timing_get_delay);
4095 #endif /* MBEDTLS_TIMING_C */
4096 
4097             mbedtls_printf(" ok\n");
4098         }
4099 
4100         mbedtls_printf("  . Deserializing connection...");
4101 
4102         if ((ret = mbedtls_ssl_context_load(&ssl, context_buf,
4103                                             buf_len)) != 0) {
4104             mbedtls_printf("failed\n  ! mbedtls_ssl_context_load returned "
4105                            "-0x%x\n\n", (unsigned int) -ret);
4106 
4107             goto exit;
4108         }
4109 
4110         mbedtls_free(context_buf);
4111         context_buf = NULL;
4112         context_buf_len = 0;
4113 
4114         mbedtls_printf(" ok\n");
4115     }
4116 #endif /* MBEDTLS_SSL_CONTEXT_SERIALIZATION */
4117 
4118     /*
4119      * 7c. Continue doing data exchanges?
4120      */
4121     if (--exchanges_left > 0) {
4122         goto data_exchange;
4123     }
4124 
4125     /*
4126      * 8. Done, cleanly close the connection
4127      */
4128 close_notify:
4129     mbedtls_printf("  . Closing the connection...");
4130 
4131     /* No error checking, the connection might be closed already */
4132     do {
4133         ret = mbedtls_ssl_close_notify(&ssl);
4134     } while (ret == MBEDTLS_ERR_SSL_WANT_WRITE);
4135     ret = 0;
4136 
4137     mbedtls_printf(" done\n");
4138 
4139 #if defined(MBEDTLS_SSL_CACHE_C)
4140     if (opt.cache_remove > 0) {
4141         mbedtls_ssl_cache_remove(&cache, ssl.session->id, ssl.session->id_len);
4142     }
4143 #endif
4144 
4145     goto reset;
4146 
4147     /*
4148      * Cleanup and exit
4149      */
4150 exit:
4151 #ifdef MBEDTLS_ERROR_C
4152     if (ret != 0) {
4153         char error_buf[100];
4154         mbedtls_strerror(ret, error_buf, 100);
4155         mbedtls_printf("Last error was: -0x%X - %s\n\n", (unsigned int) -ret, error_buf);
4156     }
4157 #endif
4158 
4159     if (opt.query_config_mode == DFL_QUERY_CONFIG_MODE) {
4160         mbedtls_printf("  . Cleaning up...");
4161         fflush(stdout);
4162     }
4163 
4164     mbedtls_net_free(&client_fd);
4165     mbedtls_net_free(&listen_fd);
4166 
4167     mbedtls_ssl_free(&ssl);
4168     mbedtls_ssl_config_free(&conf);
4169 
4170 #if defined(MBEDTLS_SSL_CACHE_C)
4171     mbedtls_ssl_cache_free(&cache);
4172 #endif
4173 #if defined(MBEDTLS_SSL_SESSION_TICKETS) && defined(MBEDTLS_SSL_TICKET_C)
4174     mbedtls_ssl_ticket_free(&ticket_ctx);
4175 #endif
4176 #if defined(MBEDTLS_SSL_COOKIE_C)
4177     mbedtls_ssl_cookie_free(&cookie_ctx);
4178 #endif
4179 
4180 #if defined(MBEDTLS_SSL_CONTEXT_SERIALIZATION)
4181     if (context_buf != NULL) {
4182         mbedtls_platform_zeroize(context_buf, context_buf_len);
4183     }
4184     mbedtls_free(context_buf);
4185 #endif
4186 
4187 #if defined(SNI_OPTION)
4188     sni_free(sni_info);
4189 #endif
4190 
4191 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED)
4192     ret = psk_free(psk_info);
4193     if ((ret != 0) && (opt.query_config_mode == DFL_QUERY_CONFIG_MODE)) {
4194         mbedtls_printf("Failed to list of opaque PSKs - error was %d\n", ret);
4195     }
4196 #endif
4197 
4198 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_CERT_ENABLED)
4199     mbedtls_x509_crt_free(&cacert);
4200     mbedtls_x509_crt_free(&srvcert);
4201     mbedtls_pk_free(&pkey);
4202     mbedtls_x509_crt_free(&srvcert2);
4203     mbedtls_pk_free(&pkey2);
4204 #if defined(MBEDTLS_USE_PSA_CRYPTO)
4205     psa_destroy_key(key_slot);
4206     psa_destroy_key(key_slot2);
4207 #endif
4208 #endif
4209 
4210 #if defined(MBEDTLS_DHM_C) && defined(MBEDTLS_FS_IO)
4211     mbedtls_dhm_free(&dhm);
4212 #endif
4213 
4214 #if defined(MBEDTLS_SSL_ASYNC_PRIVATE)
4215     for (i = 0; (size_t) i < ssl_async_keys.slots_used; i++) {
4216         if (ssl_async_keys.slots[i].pk_owned) {
4217             mbedtls_pk_free(ssl_async_keys.slots[i].pk);
4218             mbedtls_free(ssl_async_keys.slots[i].pk);
4219             ssl_async_keys.slots[i].pk = NULL;
4220         }
4221     }
4222 #endif
4223 
4224 #if defined(MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED) && \
4225     defined(MBEDTLS_USE_PSA_CRYPTO)
4226     if (opt.psk_opaque != 0) {
4227         /* This is ok even if the slot hasn't been
4228          * initialized (we might have jumed here
4229          * immediately because of bad cmd line params,
4230          * for example). */
4231         status = psa_destroy_key(psk_slot);
4232         if ((status != PSA_SUCCESS) &&
4233             (opt.query_config_mode == DFL_QUERY_CONFIG_MODE)) {
4234             mbedtls_printf("Failed to destroy key slot %u - error was %d",
4235                            (unsigned) MBEDTLS_SVC_KEY_ID_GET_KEY_ID(psk_slot),
4236                            (int) status);
4237         }
4238     }
4239 #endif /* MBEDTLS_SSL_HANDSHAKE_WITH_PSK_ENABLED &&
4240           MBEDTLS_USE_PSA_CRYPTO */
4241 
4242 #if defined(MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED) && \
4243     defined(MBEDTLS_USE_PSA_CRYPTO)
4244     /*
4245      * In case opaque keys it's the user responsibility to keep the key valid
4246      * for the duration of the handshake and destroy it at the end
4247      */
4248     if ((opt.ecjpake_pw_opaque != DFL_ECJPAKE_PW_OPAQUE)) {
4249         psa_key_attributes_t check_attributes = PSA_KEY_ATTRIBUTES_INIT;
4250 
4251         /* Verify that the key is still valid before destroying it */
4252         if (psa_get_key_attributes(ecjpake_pw_slot, &check_attributes) !=
4253             PSA_SUCCESS) {
4254             if (ret == 0) {
4255                 ret = 1;
4256             }
4257             mbedtls_printf("The EC J-PAKE password key has unexpectedly been already destroyed\n");
4258         } else {
4259             psa_destroy_key(ecjpake_pw_slot);
4260         }
4261     }
4262 #endif  /* MBEDTLS_KEY_EXCHANGE_ECJPAKE_ENABLED && MBEDTLS_USE_PSA_CRYPTO */
4263 
4264 #if defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)
4265     const char *message = mbedtls_test_helper_is_psa_leaking();
4266     if (message) {
4267         if (ret == 0) {
4268             ret = 1;
4269         }
4270         mbedtls_printf("PSA memory leak detected: %s\n",  message);
4271     }
4272 #endif
4273 
4274     /* For builds with MBEDTLS_TEST_USE_PSA_CRYPTO_RNG psa crypto
4275      * resources are freed by rng_free(). */
4276 #if (defined(MBEDTLS_USE_PSA_CRYPTO) || defined(MBEDTLS_SSL_PROTO_TLS1_3)) \
4277     && !defined(MBEDTLS_TEST_USE_PSA_CRYPTO_RNG)
4278     mbedtls_psa_crypto_free();
4279 #endif
4280 
4281     rng_free(&rng);
4282 
4283     mbedtls_free(buf);
4284 
4285 #if defined(MBEDTLS_TEST_HOOKS)
4286     /* Let test hooks detect errors such as resource leaks.
4287      * Don't do it in query_config mode, because some test code prints
4288      * information to stdout and this gets mixed with the regular output. */
4289     if (opt.query_config_mode == DFL_QUERY_CONFIG_MODE) {
4290         if (test_hooks_failure_detected()) {
4291             if (ret == 0) {
4292                 ret = 1;
4293             }
4294             mbedtls_printf("Test hooks detected errors.\n");
4295         }
4296     }
4297     test_hooks_free();
4298 #endif /* MBEDTLS_TEST_HOOKS */
4299 
4300 #if defined(MBEDTLS_MEMORY_BUFFER_ALLOC_C)
4301 #if defined(MBEDTLS_MEMORY_DEBUG)
4302     mbedtls_memory_buffer_alloc_status();
4303 #endif
4304     mbedtls_memory_buffer_alloc_free();
4305 #endif  /* MBEDTLS_MEMORY_BUFFER_ALLOC_C */
4306 
4307     if (opt.query_config_mode == DFL_QUERY_CONFIG_MODE) {
4308         mbedtls_printf(" done.\n");
4309     }
4310 
4311     // Shell can not handle large exit numbers -> 1 for errors
4312     if (ret < 0) {
4313         ret = 1;
4314     }
4315 
4316     if (opt.query_config_mode == DFL_QUERY_CONFIG_MODE) {
4317         mbedtls_exit(ret);
4318     } else {
4319         mbedtls_exit(query_config_ret);
4320     }
4321 }
4322 #endif /* !MBEDTLS_SSL_TEST_IMPOSSIBLE && MBEDTLS_SSL_SRV_C */
4323