Port SRP tests to the new test framework

Also add negative tests for password mismatch. Reviewed-by: Richard Levitte <levitte@openssl.org>
2025-03-31 20:10:45 +08:00 · 2017-03-14 13:48:54 +01:00 · 2017-03-14 13:48:54 +01:00 · ea1ecd9831
commit ea1ecd9831
parent 4b5f7e7555
9 changed files with 330 additions and 115 deletions
--- a/test/README.ssltest.md
+++ b/test/README.ssltest.md
@ -179,6 +179,9 @@ client => {
  protocols can be specified as a comma-separated list, and a callback with the
  recommended behaviour will be installed automatically.

+* SRPUser, SRPPassword - SRP settings. For client, this is the SRP user to
+  connect as; for server, this is a known SRP user.
+
 ### Default server and client configurations

 The default server certificate and CA files are added to the configurations
--- a/test/handshake_helper.c
+++ b/test/handshake_helper.c
@ -12,6 +12,9 @@
 #include <openssl/bio.h>
 #include <openssl/x509_vfy.h>
 #include <openssl/ssl.h>
+#ifndef OPENSSL_NO_SRP
+#include <openssl/srp.h>
+#endif

 #include "handshake_helper.h"
 #include "testutil.h"
@ -52,6 +55,8 @@ typedef struct ctx_data_st {
    size_t npn_protocols_len;
    unsigned char *alpn_protocols;
    size_t alpn_protocols_len;
+    char *srp_user;
+    char *srp_password;
 } CTX_DATA;

 /* |ctx_data| itself is stack-allocated. */
@ -61,6 +66,10 @@ static void ctx_data_free_data(CTX_DATA *ctx_data)
    ctx_data->npn_protocols = NULL;
    OPENSSL_free(ctx_data->alpn_protocols);
    ctx_data->alpn_protocols = NULL;
+    OPENSSL_free(ctx_data->srp_user);
+    ctx_data->srp_user = NULL;
+    OPENSSL_free(ctx_data->srp_password);
+    ctx_data->srp_password = NULL;
 }

 static int ex_data_idx;
@ -405,6 +414,28 @@ static int server_alpn_cb(SSL *s, const unsigned char **out,
        : SSL_TLSEXT_ERR_NOACK;
 }

+#ifndef OPENSSL_NO_SRP
+static char *client_srp_cb(SSL *s, void *arg)
+{
+    CTX_DATA *ctx_data = (CTX_DATA*)(arg);
+    return OPENSSL_strdup(ctx_data->srp_password);
+}
+
+static int server_srp_cb(SSL *s, int *ad, void *arg)
+{
+    CTX_DATA *ctx_data = (CTX_DATA*)(arg);
+    if (strcmp(ctx_data->srp_user, SSL_get_srp_username(s)) != 0)
+        return SSL3_AL_FATAL;
+    if (SSL_set_srp_server_param_pw(s, ctx_data->srp_user,
+                                    ctx_data->srp_password,
+                                    "2048" /* known group */) < 0) {
+        *ad = SSL_AD_INTERNAL_ERROR;
+        return SSL3_AL_FATAL;
+    }
+    return SSL_ERROR_NONE;
+}
+#endif  /* !OPENSSL_NO_SRP */
+
 /*
 * Configure callbacks and other properties that can't be set directly
 * in the server/client CONF.
@ -562,6 +593,27 @@ static void configure_handshake_ctx(SSL_CTX *server_ctx, SSL_CTX *server2_ctx,
        break;
    }
 #endif
+#ifndef OPENSSL_NO_SRP
+    if (extra->server.srp_user != NULL) {
+        SSL_CTX_set_srp_username_callback(server_ctx, server_srp_cb);
+        server_ctx_data->srp_user = OPENSSL_strdup(extra->server.srp_user);
+        server_ctx_data->srp_password = OPENSSL_strdup(extra->server.srp_password);
+        SSL_CTX_set_srp_cb_arg(server_ctx, server_ctx_data);
+    }
+    if (extra->server2.srp_user != NULL) {
+        TEST_check(server2_ctx != NULL);
+        SSL_CTX_set_srp_username_callback(server2_ctx, server_srp_cb);
+        server2_ctx_data->srp_user = OPENSSL_strdup(extra->server2.srp_user);
+        server2_ctx_data->srp_password = OPENSSL_strdup(extra->server2.srp_password);
+        SSL_CTX_set_srp_cb_arg(server2_ctx, server2_ctx_data);
+    }
+    if (extra->client.srp_user != NULL) {
+        TEST_check(SSL_CTX_set_srp_username(client_ctx, extra->client.srp_user));
+        SSL_CTX_set_srp_client_pwd_callback(client_ctx, client_srp_cb);
+        client_ctx_data->srp_password = OPENSSL_strdup(extra->client.srp_password);
+        SSL_CTX_set_srp_cb_arg(client_ctx, client_ctx_data);
+    }
+#endif  /* !OPENSSL_NO_SRP */
 }

 /* Configure per-SSL callbacks and other properties. */
--- a/test/recipes/80-test_ssl_new.t
+++ b/test/recipes/80-test_ssl_new.t
@ -29,7 +29,7 @@ map { s/\^// } @conf_files if $^O eq "VMS";

 # We hard-code the number of tests to double-check that the globbing above
 # finds all files as expected.
-plan tests => 22;  # = scalar @conf_srcs
+plan tests => 23;  # = scalar @conf_srcs

 # Some test results depend on the configuration of enabled protocols. We only
 # verify generated sources in the default configuration.
@ -90,6 +90,8 @@ my %skip = (
  "20-cert-select.conf" => disabled("tls1_2") || $no_ec,
  "21-key-update.conf" => disabled("tls1_3"),
  "22-compression.conf" => disabled("zlib") || $no_tls,
+  "23-srp.conf" => (disabled("tls1") && disabled ("tls1_1")
+                    && disabled("tls1_2")) || disabled("srp"),
 );

 foreach my $conf (@conf_files) {
--- a/test/recipes/80-test_ssl_old.t
+++ b/test/recipes/80-test_ssl_old.t
@ -20,10 +20,10 @@ setup("test_ssl");

 $ENV{CTLOG_FILE} = srctop_file("test", "ct", "log_list.conf");

-my ($no_rsa, $no_dsa, $no_dh, $no_ec, $no_srp, $no_psk,
+my ($no_rsa, $no_dsa, $no_dh, $no_ec, $no_psk,
    $no_ssl3, $no_tls1, $no_tls1_1, $no_tls1_2, $no_tls1_3,
    $no_dtls, $no_dtls1, $no_dtls1_2, $no_ct) =
-    anydisabled qw/rsa dsa dh ec srp psk
+    anydisabled qw/rsa dsa dh ec psk
                   ssl3 tls1 tls1_1 tls1_2 tls1_3
                   dtls dtls1 dtls1_2 ct/;
 my $no_anytls = alldisabled(available_protocols("tls"));
@ -79,7 +79,7 @@ my $client_sess="client.ss";
 # new format in ssl_test.c and add recipes to 80-test_ssl_new.t instead.
 plan tests =>
    1				# For testss
-    +6  			# For the first testssl
+    +5  			# For the first testssl
    ;

 subtest 'test_ss' => sub {
@ -568,28 +568,6 @@ sub testssl {
 	  ok(run(test([@ssltest, "-bio_pair", "-tls1", "-custom_ext", "-serverinfo_file", $serverinfo, "-serverinfo_sct", "-serverinfo_tack"])));
 	}
    };
-
-    subtest 'SRP tests' => sub {
-
-	plan tests => 4;
-
-      SKIP: {
-	  skip "skipping SRP tests", 4
-	      if $no_srp || alldisabled(grep !/^ssl3/, available_protocols("tls"));
-
-	  ok(run(test([@ssltest, "-tls1", "-cipher", "SRP", "-srpuser", "test", "-srppass", "abc123"])),
-	     'test tls1 with SRP');
-
-	  ok(run(test([@ssltest, "-bio_pair", "-tls1", "-cipher", "SRP", "-srpuser", "test", "-srppass", "abc123"])),
-	     'test tls1 with SRP via BIO pair');
-
-	  ok(run(test([@ssltest, "-tls1", "-cipher", "aSRP", "-srpuser", "test", "-srppass", "abc123"])),
-	     'test tls1 with SRP auth');
-
-	  ok(run(test([@ssltest, "-bio_pair", "-tls1", "-cipher", "aSRP", "-srpuser", "test", "-srppass", "abc123"])),
-	     'test tls1 with SRP auth via BIO pair');
-	}
-    };
 }

 unlink $CAkey;
--- a/test/ssl-tests/23-srp.conf
+++ b/test/ssl-tests/23-srp.conf
@ -0,0 +1,144 @@
+# Generated with generate_ssl_tests.pl
+
+num_tests = 4
+
+test-0 = 0-srp
+test-1 = 1-srp-bad-password
+test-2 = 2-srp-auth
+test-3 = 3-srp-auth-bad-password
+# ===========================================================
+
+[0-srp]
+ssl_conf = 0-srp-ssl
+
+[0-srp-ssl]
+server = 0-srp-server
+client = 0-srp-client
+
+[0-srp-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = SRP
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[0-srp-client]
+CipherString = SRP
+MaxProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-0]
+ExpectedResult = Success
+server = 0-srp-server-extra
+client = 0-srp-client-extra
+
+[0-srp-server-extra]
+SRPPassword = password
+SRPUser = user
+
+[0-srp-client-extra]
+SRPPassword = password
+SRPUser = user
+
+
+# ===========================================================
+
+[1-srp-bad-password]
+ssl_conf = 1-srp-bad-password-ssl
+
+[1-srp-bad-password-ssl]
+server = 1-srp-bad-password-server
+client = 1-srp-bad-password-client
+
+[1-srp-bad-password-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = SRP
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[1-srp-bad-password-client]
+CipherString = SRP
+MaxProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-1]
+ExpectedResult = ServerFail
+server = 1-srp-bad-password-server-extra
+client = 1-srp-bad-password-client-extra
+
+[1-srp-bad-password-server-extra]
+SRPPassword = password
+SRPUser = user
+
+[1-srp-bad-password-client-extra]
+SRPPassword = passw0rd
+SRPUser = user
+
+
+# ===========================================================
+
+[2-srp-auth]
+ssl_conf = 2-srp-auth-ssl
+
+[2-srp-auth-ssl]
+server = 2-srp-auth-server
+client = 2-srp-auth-client
+
+[2-srp-auth-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = aSRP
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[2-srp-auth-client]
+CipherString = aSRP
+MaxProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-2]
+ExpectedResult = Success
+server = 2-srp-auth-server-extra
+client = 2-srp-auth-client-extra
+
+[2-srp-auth-server-extra]
+SRPPassword = password
+SRPUser = user
+
+[2-srp-auth-client-extra]
+SRPPassword = password
+SRPUser = user
+
+
+# ===========================================================
+
+[3-srp-auth-bad-password]
+ssl_conf = 3-srp-auth-bad-password-ssl
+
+[3-srp-auth-bad-password-ssl]
+server = 3-srp-auth-bad-password-server
+client = 3-srp-auth-bad-password-client
+
+[3-srp-auth-bad-password-server]
+Certificate = ${ENV::TEST_CERTS_DIR}/servercert.pem
+CipherString = aSRP
+PrivateKey = ${ENV::TEST_CERTS_DIR}/serverkey.pem
+
+[3-srp-auth-bad-password-client]
+CipherString = aSRP
+MaxProtocol = TLSv1.2
+VerifyCAFile = ${ENV::TEST_CERTS_DIR}/rootcert.pem
+VerifyMode = Peer
+
+[test-3]
+ExpectedResult = ServerFail
+server = 3-srp-auth-bad-password-server-extra
+client = 3-srp-auth-bad-password-client-extra
+
+[3-srp-auth-bad-password-server-extra]
+SRPPassword = password
+SRPUser = user
+
+[3-srp-auth-bad-password-client-extra]
+SRPPassword = passw0rd
+SRPUser = user
+
+
--- a/test/ssl-tests/23-srp.conf.in
+++ b/test/ssl-tests/23-srp.conf.in
@ -0,0 +1,103 @@
+# -*- mode: perl; -*-
+# Copyright 2017 The OpenSSL Project Authors. All Rights Reserved.
+#
+# Licensed under the OpenSSL license (the "License").  You may not use
+# this file except in compliance with the License.  You can obtain a copy
+# in the file LICENSE in the source distribution or at
+# https://www.openssl.org/source/license.html
+
+use strict;
+use warnings;
+
+package ssltests;
+
+# SRP is only supported up to TLSv1.2
+
+our @tests = (
+    {
+	name => "srp",
+	server => {
+	    "CipherString" => "SRP",
+	    extra => {
+	       	"SRPUser" => "user",
+		"SRPPassword" => "password",
+	    },
+        },
+	client => {
+	    "CipherString" => "SRP",
+	    "MaxProtocol" => "TLSv1.2",
+	    extra => {
+	        "SRPUser" => "user",
+		"SRPPassword" => "password",
+	    },
+	},
+	test => {
+	    "ExpectedResult" => "Success"
+	},
+    },
+    {
+	name => "srp-bad-password",
+	server => {
+	    "CipherString" => "SRP",
+	    extra => {
+	       	"SRPUser" => "user",
+		"SRPPassword" => "password",
+	    },
+        },
+	client => {
+	    "CipherString" => "SRP",
+	    "MaxProtocol" => "TLSv1.2",
+	    extra => {
+	        "SRPUser" => "user",
+		"SRPPassword" => "passw0rd",
+	    },
+	},
+	test => {
+	    # Server fails first with bad client Finished.
+	    "ExpectedResult" => "ServerFail"
+	},
+    },
+    {
+	name => "srp-auth",
+	server => {
+	    "CipherString" => "aSRP",
+	    extra => {
+	       	"SRPUser" => "user",
+		"SRPPassword" => "password",
+	    },
+        },
+	client => {
+	    "CipherString" => "aSRP",
+	    "MaxProtocol" => "TLSv1.2",
+	    extra => {
+	        "SRPUser" => "user",
+		"SRPPassword" => "password",
+	    },
+	},
+	test => {
+	    "ExpectedResult" => "Success"
+	},
+    },
+    {
+	name => "srp-auth-bad-password",
+	server => {
+	    "CipherString" => "aSRP",
+	    extra => {
+	       	"SRPUser" => "user",
+		"SRPPassword" => "password",
+	    },
+        },
+	client => {
+	    "CipherString" => "aSRP",
+	    "MaxProtocol" => "TLSv1.2",
+	    extra => {
+	        "SRPUser" => "user",
+		"SRPPassword" => "passw0rd",
+	    },
+	},
+	test => {
+	    # Server fails first with bad client Finished.
+	    "ExpectedResult" => "ServerFail"
+	},
+    },
+);
--- a/test/ssl_test_ctx.c
+++ b/test/ssl_test_ctx.c
@ -322,6 +322,12 @@ IMPLEMENT_SSL_TEST_STRING_OPTION(SSL_TEST_CLIENT_CONF, client, alpn_protocols)
 IMPLEMENT_SSL_TEST_STRING_OPTION(SSL_TEST_SERVER_CONF, server, alpn_protocols)
 IMPLEMENT_SSL_TEST_STRING_OPTION(SSL_TEST_CTX, test, expected_alpn_protocol)

+/* SRP options */
+IMPLEMENT_SSL_TEST_STRING_OPTION(SSL_TEST_CLIENT_CONF, client, srp_user)
+IMPLEMENT_SSL_TEST_STRING_OPTION(SSL_TEST_SERVER_CONF, server, srp_user)
+IMPLEMENT_SSL_TEST_STRING_OPTION(SSL_TEST_CLIENT_CONF, client, srp_password)
+IMPLEMENT_SSL_TEST_STRING_OPTION(SSL_TEST_SERVER_CONF, server, srp_password)
+
 /* Handshake mode */

 static const test_enum ssl_handshake_modes[] = {
@ -576,6 +582,8 @@ static const ssl_test_client_option ssl_test_client_options[] = {
    { "ALPNProtocols", &parse_client_alpn_protocols },
    { "CTValidation", &parse_ct_validation },
    { "RenegotiateCiphers", &parse_client_reneg_ciphers},
+    { "SRPUser", &parse_client_srp_user },
+    { "SRPPassword", &parse_client_srp_password },
 };

 /* Nested server options. */
@ -590,6 +598,8 @@ static const ssl_test_server_option ssl_test_server_options[] = {
    { "ALPNProtocols", &parse_server_alpn_protocols },
    { "BrokenSessionTicket", &parse_server_broken_session_ticket },
    { "CertStatus", &parse_certstatus },
+    { "SRPUser", &parse_server_srp_user },
+    { "SRPPassword", &parse_server_srp_password },
 };

 /*
@ -615,6 +625,12 @@ static void ssl_test_extra_conf_free_data(SSL_TEST_EXTRA_CONF *conf)
    OPENSSL_free(conf->server.alpn_protocols);
    OPENSSL_free(conf->server2.alpn_protocols);
    OPENSSL_free(conf->client.reneg_ciphers);
+    OPENSSL_free(conf->server.srp_user);
+    OPENSSL_free(conf->server.srp_password);
+    OPENSSL_free(conf->server2.srp_user);
+    OPENSSL_free(conf->server2.srp_password);
+    OPENSSL_free(conf->client.srp_user);
+    OPENSSL_free(conf->client.srp_password);
 }

 static void ssl_test_ctx_free_extra_data(SSL_TEST_CTX *ctx)
--- a/test/ssl_test_ctx.h
+++ b/test/ssl_test_ctx.h
@ -81,6 +81,7 @@ typedef enum {
    SSL_TEST_CERT_STATUS_GOOD_RESPONSE,
    SSL_TEST_CERT_STATUS_BAD_RESPONSE
 } ssl_cert_status_t;
+
 /*
 * Server/client settings that aren't supported by the SSL CONF library,
 * such as callbacks.
@ -96,6 +97,8 @@ typedef struct {
    ssl_ct_validation_t ct_validation;
    /* Ciphersuites to set on a renegotiation */
    char *reneg_ciphers;
+    char *srp_user;
+    char *srp_password;
 } SSL_TEST_CLIENT_CONF;

 typedef struct {
@ -108,6 +111,9 @@ typedef struct {
    int broken_session_ticket;
    /* Should we send a CertStatus message? */
    ssl_cert_status_t cert_status;
+    /* An SRP user known to the server. */
+    char *srp_user;
+    char *srp_password;
 } SSL_TEST_SERVER_CONF;

 typedef struct {
--- a/test/ssltest_old.c
+++ b/test/ssltest_old.c
@ -84,9 +84,6 @@
 #ifndef OPENSSL_NO_DH
 # include <openssl/dh.h>
 #endif
-#ifndef OPENSSL_NO_SRP
-# include <openssl/srp.h>
-#endif
 #include <openssl/bn.h>
 #ifndef OPENSSL_NO_CT
 # include <openssl/ct.h>
@ -141,45 +138,6 @@ static unsigned int psk_server_callback(SSL *ssl, const char *identity,
                                        unsigned int max_psk_len);
 #endif

-#ifndef OPENSSL_NO_SRP
-/* SRP client */
-/* This is a context that we pass to all callbacks */
-typedef struct srp_client_arg_st {
-    char *srppassin;
-    char *srplogin;
-} SRP_CLIENT_ARG;
-
-# define PWD_STRLEN 1024
-
-static char *ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
-{
-    SRP_CLIENT_ARG *srp_client_arg = (SRP_CLIENT_ARG *)arg;
-    return OPENSSL_strdup((char *)srp_client_arg->srppassin);
-}
-
-/* SRP server */
-/* This is a context that we pass to SRP server callbacks */
-typedef struct srp_server_arg_st {
-    char *expected_user;
-    char *pass;
-} SRP_SERVER_ARG;
-
-static int ssl_srp_server_param_cb(SSL *s, int *ad, void *arg)
-{
-    SRP_SERVER_ARG *p = (SRP_SERVER_ARG *)arg;
-
-    if (strcmp(p->expected_user, SSL_get_srp_username(s)) != 0) {
-        fprintf(stderr, "User %s doesn't exist\n", SSL_get_srp_username(s));
-        return SSL3_AL_FATAL;
-    }
-    if (SSL_set_srp_server_param_pw(s, p->expected_user, p->pass, "1024") < 0) {
-        *ad = SSL_AD_INTERNAL_ERROR;
-        return SSL3_AL_FATAL;
-    }
-    return SSL_ERROR_NONE;
-}
-#endif
-
 static BIO *bio_err = NULL;
 static BIO *bio_stdout = NULL;

@ -722,10 +680,6 @@ static void sv_usage(void)
 #ifndef OPENSSL_NO_PSK
    fprintf(stderr, " -psk arg      - PSK in hex (without 0x)\n");
 #endif
-#ifndef OPENSSL_NO_SRP
-    fprintf(stderr, " -srpuser user - SRP username to use\n");
-    fprintf(stderr, " -srppass arg  - password for 'user'\n");
-#endif
 #ifndef OPENSSL_NO_SSL3
    fprintf(stderr, " -ssl3         - use SSLv3\n");
 #endif
@ -970,12 +924,6 @@ int main(int argc, char *argv[])
 #ifndef OPENSSL_NO_DH
    DH *dh;
    int dhe512 = 0, dhe1024dsa = 0;
-#endif
-#ifndef OPENSSL_NO_SRP
-    /* client */
-    SRP_CLIENT_ARG srp_client_arg = { NULL, NULL };
-    /* server */
-    SRP_SERVER_ARG srp_server_arg = { NULL, NULL };
 #endif
    int no_dhe = 0;
    int no_psk = 0;
@ -1098,20 +1046,6 @@ int main(int argc, char *argv[])
            no_psk = 1;
 #endif
        }
-#ifndef OPENSSL_NO_SRP
-        else if (strcmp(*argv, "-srpuser") == 0) {
-            if (--argc < 1)
-                goto bad;
-            srp_server_arg.expected_user = srp_client_arg.srplogin =
-                *(++argv);
-            min_version = TLS1_VERSION;
-        } else if (strcmp(*argv, "-srppass") == 0) {
-            if (--argc < 1)
-                goto bad;
-            srp_server_arg.pass = srp_client_arg.srppassin = *(++argv);
-            min_version = TLS1_VERSION;
-        }
-#endif
        else if (strcmp(*argv, "-tls1_2") == 0) {
            tls1_2 = 1;
        } else if (strcmp(*argv, "-tls1") == 0) {
@ -1605,29 +1539,6 @@ int main(int argc, char *argv[])
        }
 #endif
    }
-#ifndef OPENSSL_NO_SRP
-    if (srp_client_arg.srplogin) {
-        if (!SSL_CTX_set_srp_username(c_ctx, srp_client_arg.srplogin)) {
-            BIO_printf(bio_err, "Unable to set SRP username\n");
-            goto end;
-        }
-        SSL_CTX_set_srp_cb_arg(c_ctx, &srp_client_arg);
-        SSL_CTX_set_srp_client_pwd_callback(c_ctx,
-                                            ssl_give_srp_client_pwd_cb);
-        /*
-         * SSL_CTX_set_srp_strength(c_ctx, srp_client_arg.strength);
-         */
-    }
-
-    if (srp_server_arg.expected_user != NULL) {
-        SSL_CTX_set_verify(s_ctx, SSL_VERIFY_NONE, verify_callback);
-        SSL_CTX_set_verify(s_ctx2, SSL_VERIFY_NONE, verify_callback);
-        SSL_CTX_set_srp_cb_arg(s_ctx, &srp_server_arg);
-        SSL_CTX_set_srp_cb_arg(s_ctx2, &srp_server_arg);
-        SSL_CTX_set_srp_username_callback(s_ctx, ssl_srp_server_param_cb);
-        SSL_CTX_set_srp_username_callback(s_ctx2, ssl_srp_server_param_cb);
-    }
-#endif

 #ifndef OPENSSL_NO_NEXTPROTONEG
    if (npn_client) {