10 files changed, 549 insertions, 0 deletions

diff --git a/src/regress/lib/libssl/interop/LICENSE b/src/regress/lib/libssl/interop/LICENSE
new file mode 100644
index 0000000000..8695620495
--- /dev/null
+++ b/src/regress/lib/libssl/interop/LICENSE
@@ -0,0 +1,15 @@
+/*
+ * Copyright (c) 2018 Alexander Bluhm <bluhm@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
diff --git a/src/regress/lib/libssl/interop/Makefile b/src/regress/lib/libssl/interop/Makefile
new file mode 100644
index 0000000000..997cad2949
--- /dev/null
+++ b/src/regress/lib/libssl/interop/Makefile
@@ -0,0 +1,5 @@
+# $OpenBSD: Makefile,v 1.1.1.1 2018/11/07 01:08:49 bluhm Exp $
+
+SUBDIR =        libressl openssl
+
+.include <bsd.subdir.mk>
diff --git a/src/regress/lib/libssl/interop/Makefile.inc b/src/regress/lib/libssl/interop/Makefile.inc
new file mode 100644
index 0000000000..fc282bea88
--- /dev/null
+++ b/src/regress/lib/libssl/interop/Makefile.inc
@@ -0,0 +1,62 @@
+# $OpenBSD: Makefile.inc,v 1.1.1.1 2018/11/07 01:08:49 bluhm Exp $
+
+.PATH:                  ${.CURDIR}/..
+
+SRCS_client =           client.c util.c
+SRCS_server =           server.c util.c
+WARNINGS =              yes
+REGRESS_TARGETS =
+
+# check that program is linked with correct libraries
+
+.for p in ${PROGS}
+CLEANFILES +=           ldd-$p.out
+REGRESS_TARGETS +=      run-ldd-$p
+ldd-$p.out: $p
+        LD_LIBRARY_PATH=${LD_LIBRARY_PATH} ldd $p >$@
+.endfor
+
+# run netcat server and connect with test client
+
+CLEANFILES +=           client.out netcat-l.out netcat-l.fstat
+REGRESS_TARGETS +=      run-client
+run-client: client 127.0.0.1.crt
+        @echo '\n======== $@ ========'
+        echo "greeting" | nc -l -c -C 127.0.0.1.crt -K 127.0.0.1.key \
+            127.0.0.1 0 >netcat-l.out & \
+            sleep 1; fstat -p $$! >netcat-l.fstat
+        LD_LIBRARY_PATH=${LD_LIBRARY_PATH} ./client \
+            `sed -n 's/.* stream tcp .*:/127.0.0.1 /p' netcat-l.fstat` \
+            >client.out
+        # check that the client run successfully to the end
+        grep -q '^success$$' client.out
+        # client must have read server greeting
+        grep -q '^<<< greeting$$' client.out
+        # netstat server must have read client hello
+        grep -q '^hello$$' netcat-l.out
+
+# run test server and connect with netcat client
+
+CLEANFILES +=           server.out netcat.out
+REGRESS_TARGETS +=      run-server
+run-server: server 127.0.0.1.crt
+        @echo '\n======== $@ ========'
+        LD_LIBRARY_PATH=${LD_LIBRARY_PATH} ./server 127.0.0.1 0 >server.out
+        echo "hello" | nc -c -T noverify \
+            `sed -n 's/listen sock: //p' server.out` \
+            >netcat.out
+        # check that the server child run successfully to the end
+        grep -q '^success$$' server.out
+        # server must have read client hello
+        grep -q '^<<< hello$$' server.out
+        # client must have read server greeting
+        grep -q '^greeting$$' netcat.out
+
+# create certificates for TLS
+
+CLEANFILES +=           127.0.0.1.crt 127.0.0.1.key
+
+127.0.0.1.crt:
+        openssl req -batch -new \
+            -subj /L=OpenBSD/O=tls-regress/OU=server/CN=127.0.0.1/ \
+            -nodes -newkey rsa -keyout 127.0.0.1.key -x509 -out $@
diff --git a/src/regress/lib/libssl/interop/README b/src/regress/lib/libssl/interop/README
new file mode 100644
index 0000000000..d1ecc7e683
--- /dev/null
+++ b/src/regress/lib/libssl/interop/README
@@ -0,0 +1,9 @@
+Test TLS interoperability between LibreSSL and OpenSSL.
+
+Implement simple SSL client and server in C.  Create four binaries
+by linking them with LibreSSL or OpenSSL.  This way API compatibility
+is tested.  Connect and accept with netcat to test protocol
+compatibility with libtls.
+
+Currently OpenSSL 1.0.2p from ports is used.  Plan is to move to
+OpenSSL 1.1 and and test TLS 1.3.
diff --git a/src/regress/lib/libssl/interop/client.c b/src/regress/lib/libssl/interop/client.c
new file mode 100644
index 0000000000..d4d4f1e94d
--- /dev/null
+++ b/src/regress/lib/libssl/interop/client.c
@@ -0,0 +1,136 @@
+/*      $OpenBSD: client.c,v 1.1.1.1 2018/11/07 01:08:49 bluhm Exp $    */
+/*
+ * Copyright (c) 2018 Alexander Bluhm <bluhm@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+
+#include <err.h>
+#include <netdb.h>
+#include <stdio.h>
+#include <unistd.h>
+
+#include <openssl/err.h>
+#include <openssl/ssl.h>
+
+#include "util.h"
+
+void __dead usage(void);
+
+void __dead
+usage(void)
+{
+        fprintf(stderr, "usage: client host port");
+        exit(2);
+}
+
+int
+main(int argc, char *argv[])
+{
+        const SSL_METHOD *method;
+        SSL_CTX *ctx;
+        SSL *ssl;
+        BIO *bio;
+        SSL_SESSION *session;
+        int error;
+        char buf[256];
+        char *host_port, *host, *port;
+
+        if (argc == 3) {
+                host = argv[1];
+                port = argv[2];
+        } else {
+                usage();
+        }
+        if (asprintf(&host_port, strchr(host, ':') ? "[%s]:%s" : "%s:%s",
+            host, port) == -1)
+                err(1, "asprintf host port");
+
+        SSL_library_init();
+        SSL_load_error_strings();
+
+        /* setup method and context */
+        method = SSLv23_client_method();
+        if (method == NULL)
+                err_ssl(1, "SSLv23_client_method");
+        ctx = SSL_CTX_new(method);
+        if (ctx == NULL)
+                err_ssl(1, "SSL_CTX_new");
+
+        /* setup ssl and bio for socket operations */
+        ssl = SSL_new(ctx);
+        if (ssl == NULL)
+                err_ssl(1, "SSL_new");
+        bio = BIO_new_connect(host_port);
+        if (bio == NULL)
+                err_ssl(1, "BIO_new_connect");
+
+        print_ciphers(SSL_get_ciphers(ssl));
+
+        /* connect */
+        if (BIO_do_connect(bio) <= 0)
+                err_ssl(1, "BIO_do_connect");
+        printf("connect ");
+        print_sockname(bio);
+        printf("connect ");
+        print_peername(bio);
+
+        /* do ssl client handshake */
+        SSL_set_bio(ssl, bio, bio);
+        if ((error = SSL_connect(ssl)) <= 0)
+                err_ssl(1, "SSL_connect %d", error);
+
+        /* print session statistics */
+        session = SSL_get_session(ssl);
+        if (session == NULL)
+                err_ssl(1, "SSL_get_session");
+        if (SSL_SESSION_print_fp(stdout, session) <= 0)
+                err_ssl(1, "SSL_SESSION_print_fp");
+
+        /* read server greeting and write client hello over TLS connection */
+        if ((error = SSL_read(ssl, buf, 9)) <= 0)
+                err_ssl(1, "SSL_read %d", error);
+        if (error != 9)
+                errx(1, "read not 9 bytes greeting: %d", error);
+        buf[9] = '\0';
+        printf("<<< %s", buf);
+        if (fflush(stdout) != 0)
+                err(1, "fflush stdout");
+        strlcpy(buf, "hello\n", sizeof(buf));
+        printf(">>> %s", buf);
+        if (fflush(stdout) != 0)
+                err(1, "fflush stdout");
+        if ((error = SSL_write(ssl, buf, 6)) <= 0)
+                err_ssl(1, "SSL_write %d", error);
+        if (error != 6)
+                errx(1, "write not 6 bytes hello: %d", error);
+
+        /* shutdown connection */
+        if ((error = SSL_shutdown(ssl)) < 0)
+                err_ssl(1, "SSL_shutdown unidirectional %d", error);
+        if (error <= 0) {
+                if ((error = SSL_shutdown(ssl)) <= 0)
+                        err_ssl(1, "SSL_shutdown bidirectional %d", error);
+        }
+
+        /* cleanup and free resources */
+        SSL_free(ssl);
+        SSL_CTX_free(ctx);
+
+        printf("success\n");
+
+        return 0;
+}
diff --git a/src/regress/lib/libssl/interop/libressl/Makefile b/src/regress/lib/libssl/interop/libressl/Makefile
new file mode 100644
index 0000000000..2d8ef78922
--- /dev/null
+++ b/src/regress/lib/libssl/interop/libressl/Makefile
@@ -0,0 +1,20 @@
+# $OpenBSD: Makefile,v 1.1.1.1 2018/11/07 01:08:49 bluhm Exp $
+
+PROGS =                 client server
+CPPFLAGS =
+LDFLAGS =
+LDADD =                 -lssl -lcrypto
+DPADD =                 ${LIBSSL} ${LIBCRYPTO}
+LD_LIBRARY_PATH =
+
+.for p in ${PROGS}
+run-ldd-$p: ldd-$p.out
+        @echo '\n======== $@ ========'
+        # check that $p is linked with LibreSSL
+        grep -q /usr/lib/libcrypto.so ldd-$p.out
+        grep -q /usr/lib/libssl.so ldd-$p.out
+        # check that $p is not linked with OpenSSL
+        ! grep /usr/local/lib/ ldd-$p.out
+.endfor
+
+.include <bsd.regress.mk>
diff --git a/src/regress/lib/libssl/interop/openssl/Makefile b/src/regress/lib/libssl/interop/openssl/Makefile
new file mode 100644
index 0000000000..26095d0019
--- /dev/null
+++ b/src/regress/lib/libssl/interop/openssl/Makefile
@@ -0,0 +1,27 @@
+# $OpenBSD: Makefile,v 1.1.1.1 2018/11/07 01:08:49 bluhm Exp $
+
+.if ! exists(/usr/local/bin/eopenssl)
+regress:
+        # install openssl-1.0.2p from ports for interop tests
+        @echo SKIPPED
+.endif
+
+PROGS =                 client server
+CPPFLAGS =              -I /usr/local/include/eopenssl
+LDFLAGS =               -L /usr/local/lib/eopenssl
+LDADD =                 -lssl -lcrypto
+DPADD =                 /usr/local/lib/eopenssl/libssl.a \
+                        /usr/local/lib/eopenssl/libcrypto.a
+LD_LIBRARY_PATH =       /usr/local/lib/eopenssl
+
+.for p in ${PROGS}
+run-ldd-$p: ldd-$p.out
+        @echo '\n======== $@ ========'
+        # check that $p is linked with OpenSSL
+        grep -q /usr/local/lib/eopenssl/libcrypto.so ldd-$p.out
+        grep -q /usr/local/lib/eopenssl/libssl.so ldd-$p.out
+        # check that $p is not linked with LibreSSL
+        ! grep -v libc.so ldd-$p.out | grep /usr/lib/
+.endfor
+
+.include <bsd.regress.mk>
diff --git a/src/regress/lib/libssl/interop/server.c b/src/regress/lib/libssl/interop/server.c
new file mode 100644
index 0000000000..862ca21fcb
--- /dev/null
+++ b/src/regress/lib/libssl/interop/server.c
@@ -0,0 +1,161 @@
+/*      $OpenBSD: server.c,v 1.1.1.1 2018/11/07 01:08:49 bluhm Exp $    */
+/*
+ * Copyright (c) 2018 Alexander Bluhm <bluhm@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+
+#include <err.h>
+#include <netdb.h>
+#include <stdio.h>
+#include <unistd.h>
+
+#include <openssl/err.h>
+#include <openssl/ssl.h>
+
+#include "util.h"
+
+void __dead usage(void);
+
+void __dead
+usage(void)
+{
+        fprintf(stderr, "usage: server [host port]");
+        exit(2);
+}
+
+int
+main(int argc, char *argv[])
+{
+        const SSL_METHOD *method;
+        SSL_CTX *ctx;
+        SSL *ssl;
+        BIO *bio;
+        SSL_SESSION *session;
+        int error;
+        char buf[256];
+        char *crt, *key, *host_port, *host = "127.0.0.1", *port = "0";
+
+        if (argc == 3) {
+                host = argv[1];
+                port = argv[2];
+        } else if (argc != 1) {
+                usage();
+        }
+        if (asprintf(&host_port, strchr(host, ':') ? "[%s]:%s" : "%s:%s",
+            host, port) == -1)
+                err(1, "asprintf host port");
+        if (asprintf(&crt, "%s.crt", host) == -1)
+                err(1, "asprintf crt");
+        if (asprintf(&key, "%s.key", host) == -1)
+                err(1, "asprintf key");
+
+        SSL_library_init();
+        SSL_load_error_strings();
+
+        /* setup method and context */
+        method = SSLv23_server_method();
+        if (method == NULL)
+                err_ssl(1, "SSLv23_server_method");
+        ctx = SSL_CTX_new(method);
+        if (ctx == NULL)
+                err_ssl(1, "SSL_CTX_new");
+
+        /* needed when linking with OpenSSL 1.0.2p */
+        if (SSL_CTX_set_ecdh_auto(ctx, 1) <= 0)
+                err_ssl(1, "SSL_CTX_set_ecdh_auto");
+
+        /* load server certificate */
+        if (SSL_CTX_use_certificate_file(ctx, crt, SSL_FILETYPE_PEM) <= 0)
+                err_ssl(1, "SSL_CTX_use_certificate_file");
+        if (SSL_CTX_use_PrivateKey_file(ctx, key, SSL_FILETYPE_PEM) <= 0)
+                err_ssl(1, "SSL_CTX_use_PrivateKey_file");
+        if (SSL_CTX_check_private_key(ctx) <= 0)
+                err_ssl(1, "SSL_CTX_check_private_key");
+
+        /* setup ssl and bio for socket operations */
+        ssl = SSL_new(ctx);
+        if (ssl == NULL)
+                err_ssl(1, "SSL_new");
+        bio = BIO_new_accept(host_port);
+        if (bio == NULL)
+                err_ssl(1, "BIO_new_accept");
+
+        print_ciphers(SSL_get_ciphers(ssl));
+
+        /* bind, listen */
+        if (BIO_do_accept(bio) <= 0)
+                err_ssl(1, "BIO_do_accept setup");
+        printf("listen ");
+        print_sockname(bio);
+
+        /* fork to background and accept */
+        if (daemon(1, 1) == -1)
+                err(1, "daemon");
+        if (BIO_do_accept(bio) <= 0)
+                err_ssl(1, "BIO_do_accept wait");
+        bio = BIO_pop(bio);
+        printf("accept ");
+        print_sockname(bio);
+        printf("accept ");
+        print_peername(bio);
+
+        /* do ssl server handshake */
+        SSL_set_bio(ssl, bio, bio);
+        if ((error = SSL_accept(ssl)) <= 0)
+                err_ssl(1, "SSL_accept %d", error);
+
+        /* print session statistics */
+        session = SSL_get_session(ssl);
+        if (session == NULL)
+                err_ssl(1, "SSL_get_session");
+        if (SSL_SESSION_print_fp(stdout, session) <= 0)
+                err_ssl(1, "SSL_SESSION_print_fp");
+
+        /* write server greeting and read client hello over TLS connection */
+        strlcpy(buf, "greeting\n", sizeof(buf));
+        printf(">>> %s", buf);
+        if (fflush(stdout) != 0)
+                err(1, "fflush stdout");
+        if ((error = SSL_write(ssl, buf, 9)) <= 0)
+                err_ssl(1, "SSL_write %d", error);
+        if (error != 9)
+                errx(1, "write not 9 bytes greeting: %d", error);
+        if ((error = SSL_read(ssl, buf, 6)) <= 0)
+                err_ssl(1, "SSL_read %d", error);
+        if (error != 6)
+                errx(1, "read not 6 bytes hello: %d", error);
+        buf[6] = '\0';
+        printf("<<< %s", buf);
+        if (fflush(stdout) != 0)
+                err(1, "fflush stdout");
+
+        /* shutdown connection */
+        if ((error = SSL_shutdown(ssl)) < 0)
+                err_ssl(1, "SSL_shutdown unidirectional %d", error);
+        if (error <= 0) {
+                if ((error = SSL_shutdown(ssl)) <= 0)
+                        err_ssl(1, "SSL_shutdown bidirectional %d", error);
+        }
+
+        /* cleanup and free resources */
+        SSL_free(ssl);
+        SSL_CTX_free(ctx);
+
+        printf("success\n");
+
+        return 0;
+}
diff --git a/src/regress/lib/libssl/interop/util.c b/src/regress/lib/libssl/interop/util.c
new file mode 100644
index 0000000000..3f1c221d51
--- /dev/null
+++ b/src/regress/lib/libssl/interop/util.c
@@ -0,0 +1,93 @@
+/*      $OpenBSD: util.c,v 1.1.1.1 2018/11/07 01:08:49 bluhm Exp $      */
+/*
+ * Copyright (c) 2018 Alexander Bluhm <bluhm@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+#include <sys/types.h>
+#include <sys/socket.h>
+
+#include <err.h>
+#include <netdb.h>
+#include <stdio.h>
+
+#include <openssl/err.h>
+#include <openssl/ssl.h>
+
+#include "util.h"
+
+void
+print_ciphers(STACK_OF(SSL_CIPHER) *cstack)
+{
+        SSL_CIPHER *cipher;
+        int i;
+
+        for (i = 0; (cipher = sk_SSL_CIPHER_value(cstack, i)) != NULL; i++)
+                printf("cipher %s\n", SSL_CIPHER_get_name(cipher));
+        if (fflush(stdout) != 0)
+                err(1, "fflush stdout");
+}
+
+void
+print_sockname(BIO *bio)
+{
+        struct sockaddr_storage ss;
+        socklen_t slen;
+        char host[NI_MAXHOST], port[NI_MAXSERV];
+        int fd;
+
+        if (BIO_get_fd(bio, &fd) <= 0)
+                err_ssl(1, "BIO_get_fd");
+        slen = sizeof(ss);
+        if (getsockname(fd, (struct sockaddr *)&ss, &slen) == -1)
+                err(1, "getsockname");
+        if (getnameinfo((struct sockaddr *)&ss, ss.ss_len, host,
+            sizeof(host), port, sizeof(port), NI_NUMERICHOST | NI_NUMERICSERV))
+                errx(1, "getnameinfo");
+        printf("sock: %s %s\n", host, port);
+        if (fflush(stdout) != 0)
+                err(1, "fflush stdout");
+}
+
+void
+print_peername(BIO *bio)
+{
+        struct sockaddr_storage ss;
+        socklen_t slen;
+        char host[NI_MAXHOST], port[NI_MAXSERV];
+        int fd;
+
+        if (BIO_get_fd(bio, &fd) <= 0)
+                err_ssl(1, "BIO_get_fd");
+        slen = sizeof(ss);
+        if (getpeername(fd, (struct sockaddr *)&ss, &slen) == -1)
+                err(1, "getpeername");
+        if (getnameinfo((struct sockaddr *)&ss, ss.ss_len, host,
+            sizeof(host), port, sizeof(port), NI_NUMERICHOST | NI_NUMERICSERV))
+                errx(1, "getnameinfo");
+        printf("peer: %s %s\n", host, port);
+        if (fflush(stdout) != 0)
+                err(1, "fflush stdout");
+}
+
+void
+err_ssl(int eval, const char *fmt, ...)
+{
+        va_list ap;
+
+        ERR_print_errors_fp(stderr);
+        va_start(ap, fmt);
+        verrx(eval, fmt, ap);
+        va_end(ap);
+}
diff --git a/src/regress/lib/libssl/interop/util.h b/src/regress/lib/libssl/interop/util.h
new file mode 100644
index 0000000000..2fdebf34b3
--- /dev/null
+++ b/src/regress/lib/libssl/interop/util.h
@@ -0,0 +1,21 @@
+/*      $OpenBSD: util.h,v 1.1.1.1 2018/11/07 01:08:49 bluhm Exp $      */
+/*
+ * Copyright (c) 2018 Alexander Bluhm <bluhm@openbsd.org>
+ *
+ * Permission to use, copy, modify, and distribute this software for any
+ * purpose with or without fee is hereby granted, provided that the above
+ * copyright notice and this permission notice appear in all copies.
+ *
+ * THE SOFTWARE IS PROVIDED "AS IS" AND THE AUTHOR DISCLAIMS ALL WARRANTIES
+ * WITH REGARD TO THIS SOFTWARE INCLUDING ALL IMPLIED WARRANTIES OF
+ * MERCHANTABILITY AND FITNESS. IN NO EVENT SHALL THE AUTHOR BE LIABLE FOR
+ * ANY SPECIAL, DIRECT, INDIRECT, OR CONSEQUENTIAL DAMAGES OR ANY DAMAGES
+ * WHATSOEVER RESULTING FROM LOSS OF USE, DATA OR PROFITS, WHETHER IN AN
+ * ACTION OF CONTRACT, NEGLIGENCE OR OTHER TORTIOUS ACTION, ARISING OUT OF
+ * OR IN CONNECTION WITH THE USE OR PERFORMANCE OF THIS SOFTWARE.
+ */
+
+void print_ciphers(STACK_OF(SSL_CIPHER) *);
+void print_sockname(BIO *);
+void print_peername(BIO *);
+void err_ssl(int, const char *, ...);