const SSL_CIPHER *cipher = NULL;
if (strlen(psk_identity) != identity_len
- || memcmp(psk_identity, identity, identity_len) != 0)
- return 0;
+ || memcmp(psk_identity, identity, identity_len) != 0) {
+ BIO_printf(bio_s_out,
+ "PSK warning: client identity not what we expected"
+ " (got '%s' expected '%s')\n", identity, psk_identity);
+ }
if (psksess != NULL) {
SSL_SESSION_up_ref(psksess);
cipher = SSL_CIPHER_find(ssl, tls13_aes128gcmsha256_id);
if (cipher == NULL) {
BIO_printf(bio_err, "Error finding suitable ciphersuite\n");
+ OPENSSL_free(key);
return 0;
}
OPT_ID_PREFIX, OPT_SERVERNAME, OPT_SERVERNAME_FATAL,
OPT_CERT2, OPT_KEY2, OPT_NEXTPROTONEG, OPT_ALPN,
OPT_SRTP_PROFILES, OPT_KEYMATEXPORT, OPT_KEYMATEXPORTLEN,
- OPT_KEYLOG_FILE, OPT_MAX_EARLY, OPT_EARLY_DATA, OPT_S_NUM_TICKETS,
+ OPT_KEYLOG_FILE, OPT_MAX_EARLY, OPT_RECV_MAX_EARLY, OPT_EARLY_DATA,
+ OPT_S_NUM_TICKETS, OPT_ANTI_REPLAY, OPT_NO_ANTI_REPLAY,
OPT_R_ENUM,
OPT_S_ENUM,
OPT_V_ENUM,
#endif
{"keylogfile", OPT_KEYLOG_FILE, '>', "Write TLS secrets to file"},
{"max_early_data", OPT_MAX_EARLY, 'n',
- "The maximum number of bytes of early data"},
+ "The maximum number of bytes of early data as advertised in tickets"},
+ {"recv_max_early_data", OPT_RECV_MAX_EARLY, 'n',
+ "The maximum number of bytes of early data (hard limit)"},
{"early_data", OPT_EARLY_DATA, '-', "Attempt to read early data"},
{"num_tickets", OPT_S_NUM_TICKETS, 'n',
"The number of TLSv1.3 session tickets that a server will automatically issue" },
+ {"anti_replay", OPT_ANTI_REPLAY, '-', "Switch on anti-replay protection (default)"},
+ {"no_anti_replay", OPT_NO_ANTI_REPLAY, '-', "Switch off anti-replay protection"},
{NULL, OPT_EOF, 0, NULL}
};
unsigned int split_send_fragment = 0, max_pipelines = 0;
const char *s_serverinfo_file = NULL;
const char *keylog_file = NULL;
- int max_early_data = -1;
+ int max_early_data = -1, recv_max_early_data = -1;
char *psksessf = NULL;
/* Init of few remaining global variables */
break;
case OPT_S_CASES:
case OPT_S_NUM_TICKETS:
+ case OPT_ANTI_REPLAY:
+ case OPT_NO_ANTI_REPLAY:
if (ssl_args == NULL)
ssl_args = sk_OPENSSL_STRING_new_null();
if (ssl_args == NULL
goto end;
}
break;
+ case OPT_RECV_MAX_EARLY:
+ recv_max_early_data = atoi(opt_arg());
+ if (recv_max_early_data < 0) {
+ BIO_printf(bio_err, "Invalid value for recv_max_early_data\n");
+ goto end;
+ }
+ break;
case OPT_EARLY_DATA:
early_data = 1;
if (max_early_data == -1)
if (max_early_data >= 0)
SSL_CTX_set_max_early_data(ctx, max_early_data);
+ if (recv_max_early_data >= 0)
+ SSL_CTX_set_recv_max_early_data(ctx, recv_max_early_data);
if (rev)
server_cb = rev_body;