kris
/
boringssl
1
0
Çatalla 0
Kod Konular 0 Değişiklik İstekleri 0 Sürümler 0 Wiki Aktivite
25'ten fazla konu seçemezsiniz Konular bir harf veya rakamla başlamalı, kısa çizgiler ('-') içerebilir ve en fazla 35 karakter uzunluğunda olabilir.
490 İşleme
12 Dallar
38 MiB
 
 
 
 
 
 
Ağaç: b0c8db7347
Dallar Biçim İmleri
${ item.name }
${ searchTerm } dalı oluştur
'b0c8db7347'den
${ noResults }
boringssl/ssl/test/bssl_shim.cc

615 satır
17 KiB
Ham Suçlama Geçmiş 

  1. /* Copyright (c) 2014, Google Inc.

  2.  *

  3.  * Permission to use, copy, modify, and/or distribute this software for any

  4.  * purpose with or without fee is hereby granted, provided that the above

  5.  * copyright notice and this permission notice appear in all copies.

  6.  *

  7.  * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES

  8.  * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF

  9.  * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR ANY

  10.  * SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES

  11.  * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN ACTION

  12.  * OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF OR IN

  13.  * CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE. */

  14. 

  15. #include <openssl/base.h>

  16. 

  17. #if !defined(OPENSSL_WINDOWS)

  18. #include <arpa/inet.h>

  19. #include <netinet/in.h>

  20. #include <signal.h>

  21. #include <sys/socket.h>

  22. #include <unistd.h>

  23. #endif

  24. 

  25. #include <sys/types.h>

  26. 

  27. #include <openssl/bio.h>

  28. #include <openssl/bytestring.h>

  29. #include <openssl/ssl.h>

  30. 

  31. #include "async_bio.h"

  32. #include "packeted_bio.h"

  33. #include "test_config.h"

  34. 

  35. static int usage(const char *program) {

  36.   fprintf(stderr, "Usage: %s [flags...]\n",

  37.           program);

  38.   return 1;

  39. }

  40. 

  41. static int g_ex_data_index = 0;

  42. 

  43. static void SetConfigPtr(SSL *ssl, const TestConfig *config) {

  44.   SSL_set_ex_data(ssl, g_ex_data_index, (void *)config);

  45. }

  46. 

  47. static const TestConfig *GetConfigPtr(SSL *ssl) {

  48.   return (const TestConfig *)SSL_get_ex_data(ssl, g_ex_data_index);

  49. }

  50. 

  51. static EVP_PKEY *LoadPrivateKey(const std::string &file) {

  52.   BIO *bio = BIO_new(BIO_s_file());

  53.   if (bio == NULL) {

  54.     return NULL;

  55.   }

  56.   if (!BIO_read_filename(bio, file.c_str())) {

  57.     BIO_free(bio);

  58.     return NULL;

  59.   }

  60.   EVP_PKEY *pkey = PEM_read_bio_PrivateKey(bio, NULL, NULL, NULL);

  61.   BIO_free(bio);

  62.   return pkey;

  63. }

  64. 

  65. static int early_callback_called = 0;

  66. 

  67. static int select_certificate_callback(const struct ssl_early_callback_ctx *ctx) {

  68.   early_callback_called = 1;

  69. 

  70.   const TestConfig *config = GetConfigPtr(ctx->ssl);

  71. 

  72.   if (config->expected_server_name.empty()) {

  73.     return 1;

  74.   }

  75. 

  76.   const uint8_t *extension_data;

  77.   size_t extension_len;

  78.   CBS extension, server_name_list, host_name;

  79.   uint8_t name_type;

  80. 

  81.   if (!SSL_early_callback_ctx_extension_get(ctx, TLSEXT_TYPE_server_name,

  82.                                             &extension_data,

  83.                                             &extension_len)) {

  84.     fprintf(stderr, "Could not find server_name extension.\n");

  85.     return -1;

  86.   }

  87. 

  88.   CBS_init(&extension, extension_data, extension_len);

  89.   if (!CBS_get_u16_length_prefixed(&extension, &server_name_list) ||

  90.       CBS_len(&extension) != 0 ||

  91.       !CBS_get_u8(&server_name_list, &name_type) ||

  92.       name_type != TLSEXT_NAMETYPE_host_name ||

  93.       !CBS_get_u16_length_prefixed(&server_name_list, &host_name) ||

  94.       CBS_len(&server_name_list) != 0) {

  95.     fprintf(stderr, "Could not decode server_name extension.\n");

  96.     return -1;

  97.   }

  98. 

  99.   if (!CBS_mem_equal(&host_name,

  100.                      (const uint8_t*)config->expected_server_name.data(),

  101.                      config->expected_server_name.size())) {

  102.     fprintf(stderr, "Server name mismatch.\n");

  103.   }

  104. 

  105.   return 1;

  106. }

  107. 

  108. static int skip_verify(int preverify_ok, X509_STORE_CTX *store_ctx) {

  109.   return 1;

  110. }

  111. 

  112. static int next_protos_advertised_callback(SSL *ssl,

  113.                                            const uint8_t **out,

  114.                                            unsigned int *out_len,

  115.                                            void *arg) {

  116.   const TestConfig *config = GetConfigPtr(ssl);

  117.   if (config->advertise_npn.empty())

  118.     return SSL_TLSEXT_ERR_NOACK;

  119. 

  120.   // TODO(davidben): Support passing byte strings with NULs to the

  121.   // test shim.

  122.   *out = (const uint8_t*)config->advertise_npn.data();

  123.   *out_len = config->advertise_npn.size();

  124.   return SSL_TLSEXT_ERR_OK;

  125. }

  126. 

  127. static int next_proto_select_callback(SSL* ssl,

  128.                                       uint8_t** out,

  129.                                       uint8_t* outlen,

  130.                                       const uint8_t* in,

  131.                                       unsigned inlen,

  132.                                       void* arg) {

  133.   const TestConfig *config = GetConfigPtr(ssl);

  134.   if (config->select_next_proto.empty())

  135.     return SSL_TLSEXT_ERR_NOACK;

  136. 

  137.   *out = (uint8_t*)config->select_next_proto.data();

  138.   *outlen = config->select_next_proto.size();

  139.   return SSL_TLSEXT_ERR_OK;

  140. }

  141. 

  142. static int alpn_select_callback(SSL* ssl,

  143.                                 const uint8_t** out,

  144.                                 uint8_t* outlen,

  145.                                 const uint8_t* in,

  146.                                 unsigned inlen,

  147.                                 void* arg) {

  148.   const TestConfig *config = GetConfigPtr(ssl);

  149.   if (config->select_alpn.empty())

  150.     return SSL_TLSEXT_ERR_NOACK;

  151. 

  152.   if (!config->expected_advertised_alpn.empty() &&

  153.       (config->expected_advertised_alpn.size() != inlen ||

  154.        memcmp(config->expected_advertised_alpn.data(),

  155.               in, inlen) != 0)) {

  156.     fprintf(stderr, "bad ALPN select callback inputs\n");

  157.     exit(1);

  158.   }

  159. 

  160.   *out = (const uint8_t*)config->select_alpn.data();

  161.   *outlen = config->select_alpn.size();

  162.   return SSL_TLSEXT_ERR_OK;

  163. }

  164. 

  165. static int cookie_generate_callback(SSL *ssl, uint8_t *cookie, size_t *cookie_len) {

  166.   *cookie_len = 32;

  167.   memset(cookie, 42, *cookie_len);

  168.   return 1;

  169. }

  170. 

  171. static int cookie_verify_callback(SSL *ssl, const uint8_t *cookie, size_t cookie_len) {

  172.   if (cookie_len != 32) {

  173.     fprintf(stderr, "Cookie length mismatch.\n");

  174.     return 0;

  175.   }

  176.   for (size_t i = 0; i < cookie_len; i++) {

  177.     if (cookie[i] != 42) {

  178.       fprintf(stderr, "Cookie mismatch.\n");

  179.       return 0;

  180.     }

  181.   }

  182.   return 1;

  183. }

  184. 

  185. static SSL_CTX *setup_ctx(const TestConfig *config) {

  186.   SSL_CTX *ssl_ctx = NULL;

  187.   DH *dh = NULL;

  188. 

  189.   const SSL_METHOD *method;

  190.   if (config->is_dtls) {

  191.     // TODO(davidben): Get DTLS 1.2 working and test the version negotiation

  192.     // codepath. This doesn't currently work because

  193.     // - Session resumption is broken: https://crbug.com/403378

  194.     // - DTLS hasn't been updated for EVP_AEAD.

  195.     if (config->is_server) {

  196.       method = DTLSv1_server_method();

  197.     } else {

  198.       method = DTLSv1_client_method();

  199.     }

  200.   } else {

  201.     if (config->is_server) {

  202.       method = SSLv23_server_method();

  203.     } else {

  204.       method = SSLv23_client_method();

  205.     }

  206.   }

  207.   ssl_ctx = SSL_CTX_new(method);

  208.   if (ssl_ctx == NULL) {

  209.     goto err;

  210.   }

  211. 

  212.   if (config->is_dtls) {

  213.     // DTLS needs read-ahead to function on a datagram BIO.

  214.     //

  215.     // TODO(davidben): this should not be necessary. DTLS code should only

  216.     // expect a datagram BIO.

  217.     SSL_CTX_set_read_ahead(ssl_ctx, 1);

  218.   }

  219. 

  220.   if (!SSL_CTX_set_ecdh_auto(ssl_ctx, 1)) {

  221.     goto err;

  222.   }

  223. 

  224.   if (!SSL_CTX_set_cipher_list(ssl_ctx, "ALL")) {

  225.     goto err;

  226.   }

  227. 

  228.   dh = DH_get_2048_256(NULL);

  229.   if (!SSL_CTX_set_tmp_dh(ssl_ctx, dh)) {

  230.     goto err;

  231.   }

  232. 

  233.   SSL_CTX_set_session_cache_mode(ssl_ctx, SSL_SESS_CACHE_BOTH);

  234. 

  235.   ssl_ctx->select_certificate_cb = select_certificate_callback;

  236. 

  237.   SSL_CTX_set_next_protos_advertised_cb(

  238.       ssl_ctx, next_protos_advertised_callback, NULL);

  239.   if (!config->select_next_proto.empty()) {

  240.     SSL_CTX_set_next_proto_select_cb(ssl_ctx, next_proto_select_callback, NULL);

  241.   }

  242. 

  243.   if (!config->select_alpn.empty()) {

  244.     SSL_CTX_set_alpn_select_cb(ssl_ctx, alpn_select_callback, NULL);

  245.   }

  246. 

  247.   SSL_CTX_set_cookie_generate_cb(ssl_ctx, cookie_generate_callback);

  248.   SSL_CTX_set_cookie_verify_cb(ssl_ctx, cookie_verify_callback);

  249. 

  250.   ssl_ctx->tlsext_channel_id_enabled_new = 1;

  251. 

  252.   DH_free(dh);

  253.   return ssl_ctx;

  254. 

  255.  err:

  256.   if (dh != NULL) {

  257.     DH_free(dh);

  258.   }

  259.   if (ssl_ctx != NULL) {

  260.     SSL_CTX_free(ssl_ctx);

  261.   }

  262.   return NULL;

  263. }

  264. 

  265. static int retry_async(SSL *ssl, int ret, BIO *bio) {

  266.   // No error; don't retry.

  267.   if (ret >= 0) {

  268.     return 0;

  269.   }

  270.   // See if we needed to read or write more. If so, allow one byte through on

  271.   // the appropriate end to maximally stress the state machine.

  272.   int err = SSL_get_error(ssl, ret);

  273.   if (err == SSL_ERROR_WANT_READ) {

  274.     async_bio_allow_read(bio, 1);

  275.     return 1;

  276.   } else if (err == SSL_ERROR_WANT_WRITE) {

  277.     async_bio_allow_write(bio, 1);

  278.     return 1;

  279.   }

  280.   return 0;

  281. }

  282. 

  283. static int do_exchange(SSL_SESSION **out_session,

  284.                        SSL_CTX *ssl_ctx,

  285.                        const TestConfig *config,

  286.                        bool is_resume,

  287.                        int fd,

  288.                        SSL_SESSION *session) {

  289.   early_callback_called = 0;

  290. 

  291.   SSL *ssl = SSL_new(ssl_ctx);

  292.   if (ssl == NULL) {

  293.     BIO_print_errors_fp(stdout);

  294.     return 1;

  295.   }

  296. 

  297.   SetConfigPtr(ssl, config);

  298. 

  299.   if (config->fallback_scsv) {

  300.     if (!SSL_enable_fallback_scsv(ssl)) {

  301.       BIO_print_errors_fp(stdout);

  302.       return 1;

  303.     }

  304.   }

  305.   if (!config->key_file.empty()) {

  306.     if (!SSL_use_PrivateKey_file(ssl, config->key_file.c_str(),

  307.                                  SSL_FILETYPE_PEM)) {

  308.       BIO_print_errors_fp(stdout);

  309.       return 1;

  310.     }

  311.   }

  312.   if (!config->cert_file.empty()) {

  313.     if (!SSL_use_certificate_file(ssl, config->cert_file.c_str(),

  314.                                   SSL_FILETYPE_PEM)) {

  315.       BIO_print_errors_fp(stdout);

  316.       return 1;

  317.     }

  318.   }

  319.   if (config->require_any_client_certificate) {

  320.     SSL_set_verify(ssl, SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,

  321.                    skip_verify);

  322.   }

  323.   if (config->false_start) {

  324.     SSL_set_mode(ssl, SSL_MODE_HANDSHAKE_CUTTHROUGH);

  325.   }

  326.   if (config->cbc_record_splitting) {

  327.     SSL_set_mode(ssl, SSL_MODE_CBC_RECORD_SPLITTING);

  328.   }

  329.   if (config->partial_write) {

  330.     SSL_set_mode(ssl, SSL_MODE_ENABLE_PARTIAL_WRITE);

  331.   }

  332.   if (config->no_tls12) {

  333.     SSL_set_options(ssl, SSL_OP_NO_TLSv1_2);

  334.   }

  335.   if (config->no_tls11) {

  336.     SSL_set_options(ssl, SSL_OP_NO_TLSv1_1);

  337.   }

  338.   if (config->no_tls1) {

  339.     SSL_set_options(ssl, SSL_OP_NO_TLSv1);

  340.   }

  341.   if (config->no_ssl3) {

  342.     SSL_set_options(ssl, SSL_OP_NO_SSLv3);

  343.   }

  344.   if (config->cookie_exchange) {

  345.     SSL_set_options(ssl, SSL_OP_COOKIE_EXCHANGE);

  346.   }

  347.   if (config->tls_d5_bug) {

  348.     SSL_set_options(ssl, SSL_OP_TLS_D5_BUG);

  349.   }

  350.   if (!config->expected_channel_id.empty()) {

  351.     SSL_enable_tls_channel_id(ssl);

  352.   }

  353.   if (!config->send_channel_id.empty()) {

  354.     EVP_PKEY *pkey = LoadPrivateKey(config->send_channel_id);

  355.     if (pkey == NULL) {

  356.       BIO_print_errors_fp(stdout);

  357.       return 1;

  358.     }

  359.     SSL_enable_tls_channel_id(ssl);

  360.     if (!SSL_set1_tls_channel_id(ssl, pkey)) {

  361.       EVP_PKEY_free(pkey);

  362.       BIO_print_errors_fp(stdout);

  363.       return 1;

  364.     }

  365.     EVP_PKEY_free(pkey);

  366.   }

  367.   if (!config->host_name.empty()) {

  368.     SSL_set_tlsext_host_name(ssl, config->host_name.c_str());

  369.   }

  370.   if (!config->advertise_alpn.empty()) {

  371.     SSL_set_alpn_protos(ssl, (const uint8_t *)config->advertise_alpn.data(),

  372.                         config->advertise_alpn.size());

  373.   }

  374. 

  375.   BIO *bio = BIO_new_fd(fd, 1 /* take ownership */);

  376.   if (bio == NULL) {

  377.     BIO_print_errors_fp(stdout);

  378.     return 1;

  379.   }

  380.   if (config->is_dtls) {

  381.     BIO *packeted = packeted_bio_create();

  382.     BIO_push(packeted, bio);

  383.     bio = packeted;

  384.   }

  385.   if (config->async) {

  386.     BIO *async =

  387.         config->is_dtls ? async_bio_create_datagram() : async_bio_create();

  388.     BIO_push(async, bio);

  389.     bio = async;

  390.   }

  391.   SSL_set_bio(ssl, bio, bio);

  392. 

  393.   if (session != NULL) {

  394.     if (SSL_set_session(ssl, session) != 1) {

  395.       fprintf(stderr, "failed to set session\n");

  396.       return 2;

  397.     }

  398.   }

  399. 

  400.   int ret;

  401.   do {

  402.     if (config->is_server) {

  403.       ret = SSL_accept(ssl);

  404.     } else {

  405.       ret = SSL_connect(ssl);

  406.     }

  407.   } while (config->async && retry_async(ssl, ret, bio));

  408.   if (ret != 1) {

  409.     SSL_free(ssl);

  410.     BIO_print_errors_fp(stdout);

  411.     return 2;

  412.   }

  413. 

  414.   if (is_resume && !SSL_session_reused(ssl)) {

  415.     fprintf(stderr, "session was not reused\n");

  416.     return 2;

  417.   }

  418. 

  419.   if (!config->expected_server_name.empty()) {

  420.     const char *server_name =

  421.         SSL_get_servername(ssl, TLSEXT_NAMETYPE_host_name);

  422.     if (server_name != config->expected_server_name) {

  423.       fprintf(stderr, "servername mismatch (got %s; want %s)\n",

  424.               server_name, config->expected_server_name.c_str());

  425.       return 2;

  426.     }

  427. 

  428.     if (!early_callback_called) {

  429.       fprintf(stderr, "early callback not called\n");

  430.       return 2;

  431.     }

  432.   }

  433. 

  434.   if (!config->expected_certificate_types.empty()) {

  435.     uint8_t *certificate_types;

  436.     int num_certificate_types =

  437.         SSL_get0_certificate_types(ssl, &certificate_types);

  438.     if (num_certificate_types !=

  439.         (int)config->expected_certificate_types.size() ||

  440.         memcmp(certificate_types,

  441.                config->expected_certificate_types.data(),

  442.                num_certificate_types) != 0) {

  443.       fprintf(stderr, "certificate types mismatch\n");

  444.       return 2;

  445.     }

  446.   }

  447. 

  448.   if (!config->expected_next_proto.empty()) {

  449.     const uint8_t *next_proto;

  450.     unsigned next_proto_len;

  451.     SSL_get0_next_proto_negotiated(ssl, &next_proto, &next_proto_len);

  452.     if (next_proto_len != config->expected_next_proto.size() ||

  453.         memcmp(next_proto, config->expected_next_proto.data(),

  454.                next_proto_len) != 0) {

  455.       fprintf(stderr, "negotiated next proto mismatch\n");

  456.       return 2;

  457.     }

  458.   }

  459. 

  460.   if (!config->expected_alpn.empty()) {

  461.     const uint8_t *alpn_proto;

  462.     unsigned alpn_proto_len;

  463.     SSL_get0_alpn_selected(ssl, &alpn_proto, &alpn_proto_len);

  464.     if (alpn_proto_len != config->expected_alpn.size() ||

  465.         memcmp(alpn_proto, config->expected_alpn.data(),

  466.                alpn_proto_len) != 0) {

  467.       fprintf(stderr, "negotiated alpn proto mismatch\n");

  468.       return 2;

  469.     }

  470.   }

  471. 

  472.   if (!config->expected_channel_id.empty()) {

  473.     uint8_t channel_id[64];

  474.     if (!SSL_get_tls_channel_id(ssl, channel_id, sizeof(channel_id))) {

  475.       fprintf(stderr, "no channel id negotiated\n");

  476.       return 2;

  477.     }

  478.     if (config->expected_channel_id.size() != 64 ||

  479.         memcmp(config->expected_channel_id.data(),

  480.                channel_id, 64) != 0) {

  481.       fprintf(stderr, "channel id mismatch\n");

  482.       return 2;

  483.     }

  484.   }

  485. 

  486.   if (config->write_different_record_sizes) {

  487.     if (config->is_dtls) {

  488.       fprintf(stderr, "write_different_record_sizes not supported for DTLS\n");

  489.       return 6;

  490.     }

  491.     // This mode writes a number of different record sizes in an attempt to

  492.     // trip up the CBC record splitting code.

  493.     uint8_t buf[32769];

  494.     memset(buf, 0x42, sizeof(buf));

  495.     static const size_t kRecordSizes[] = {

  496.         0, 1, 255, 256, 257, 16383, 16384, 16385, 32767, 32768, 32769};

  497.     for (size_t i = 0; i < sizeof(kRecordSizes) / sizeof(kRecordSizes[0]);

  498.          i++) {

  499.       int w;

  500.       const size_t len = kRecordSizes[i];

  501.       size_t off = 0;

  502. 

  503.       if (len > sizeof(buf)) {

  504.         fprintf(stderr, "Bad kRecordSizes value.\n");

  505.         return 5;

  506.       }

  507. 

  508.       do {

  509.         w = SSL_write(ssl, buf + off, len - off);

  510.         if (w > 0) {

  511.           off += (size_t) w;

  512.         }

  513.       } while ((config->async && retry_async(ssl, w, bio)) ||

  514.                (w > 0 && off < len));

  515. 

  516.       if (w < 0 || off != len) {

  517.         SSL_free(ssl);

  518.         BIO_print_errors_fp(stdout);

  519.         return 4;

  520.       }

  521.     }

  522.   } else {

  523.     if (config->shim_writes_first) {

  524.       int w;

  525.       do {

  526.         w = SSL_write(ssl, "hello", 5);

  527.       } while (config->async && retry_async(ssl, w, bio));

  528.     }

  529.     for (;;) {

  530.       uint8_t buf[512];

  531.       int n;

  532.       do {

  533.         n = SSL_read(ssl, buf, sizeof(buf));

  534.       } while (config->async && retry_async(ssl, n, bio));

  535.       if (n < 0) {

  536.         SSL_free(ssl);

  537.         BIO_print_errors_fp(stdout);

  538.         return 3;

  539.       } else if (n == 0) {

  540.         break;

  541.       } else {

  542.         for (int i = 0; i < n; i++) {

  543.           buf[i] ^= 0xff;

  544.         }

  545.         int w;

  546.         do {

  547.           w = SSL_write(ssl, buf, n);

  548.         } while (config->async && retry_async(ssl, w, bio));

  549.         if (w != n) {

  550.           SSL_free(ssl);

  551.           BIO_print_errors_fp(stdout);

  552.           return 4;

  553.         }

  554.       }

  555.     }

  556.   }

  557. 

  558.   if (out_session) {

  559.     *out_session = SSL_get1_session(ssl);

  560.   }

  561. 

  562.   SSL_shutdown(ssl);

  563.   SSL_free(ssl);

  564.   return 0;

  565. }

  566. 

  567. int main(int argc, char **argv) {

  568. #if !defined(OPENSSL_WINDOWS)

  569.   signal(SIGPIPE, SIG_IGN);

  570. #endif

  571. 

  572.   if (!SSL_library_init()) {

  573.     return 1;

  574.   }

  575.   g_ex_data_index = SSL_get_ex_new_index(0, NULL, NULL, NULL, NULL);

  576. 

  577.   TestConfig config;

  578.   if (!ParseConfig(argc - 1, argv + 1, &config)) {

  579.     return usage(argv[0]);

  580.   }

  581. 

  582.   SSL_CTX *ssl_ctx = setup_ctx(&config);

  583.   if (ssl_ctx == NULL) {

  584.     BIO_print_errors_fp(stdout);

  585.     return 1;

  586.   }

  587. 

  588.   SSL_SESSION *session = NULL;

  589.   int ret = do_exchange(&session,

  590.                         ssl_ctx, &config,

  591.                         false /* is_resume */,

  592.                         3 /* fd */, NULL /* session */);

  593.   if (ret != 0) {

  594.     goto out;

  595.   }

  596. 

  597.   if (config.resume) {

  598.     ret = do_exchange(NULL,

  599.                       ssl_ctx, &config,

  600.                       true /* is_resume */,

  601.                       4 /* fd */,

  602.                       config.is_server ? NULL : session);

  603.     if (ret != 0) {

  604.       goto out;

  605.     }

  606.   }

  607. 

  608.   ret = 0;

  609. 

  610. out:

  611.   SSL_SESSION_free(session);

  612.   SSL_CTX_free(ssl_ctx);

  613.   return ret;

  614. }