summaryrefslogtreecommitdiff
path: root/src/regress/lib/libssl/ssl/ssltest.c
diff options
context:
space:
mode:
authorcvs2svn <admin@example.com>2019-11-19 19:57:05 +0000
committercvs2svn <admin@example.com>2019-11-19 19:57:05 +0000
commite9f9eb6198f1757b7c0dfef043fadf1fa8243022 (patch)
treeb5a648f6ccaf6c1cd9915ddb45503d1fccfeba0e /src/regress/lib/libssl/ssl/ssltest.c
parentab72e3a6f7e8d5c71bbba034410468781d5923b6 (diff)
downloadopenbsd-bluhm_20191119.tar.gz
openbsd-bluhm_20191119.tar.bz2
openbsd-bluhm_20191119.zip
This commit was manufactured by cvs2git to create tag 'bluhm_20191119'.bluhm_20191119
Diffstat (limited to 'src/regress/lib/libssl/ssl/ssltest.c')
-rw-r--r--src/regress/lib/libssl/ssl/ssltest.c1988
1 files changed, 0 insertions, 1988 deletions
diff --git a/src/regress/lib/libssl/ssl/ssltest.c b/src/regress/lib/libssl/ssl/ssltest.c
deleted file mode 100644
index 0c9a03c84b..0000000000
--- a/src/regress/lib/libssl/ssl/ssltest.c
+++ /dev/null
@@ -1,1988 +0,0 @@
1/* ssl/ssltest.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111/* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 * ECC cipher suite support in OpenSSL originally developed by
114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
115 */
116/* ====================================================================
117 * Copyright 2005 Nokia. All rights reserved.
118 *
119 * The portions of the attached software ("Contribution") is developed by
120 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
121 * license.
122 *
123 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
124 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
125 * support (see RFC 4279) to OpenSSL.
126 *
127 * No patent licenses or other rights except those expressly stated in
128 * the OpenSSL open source license shall be deemed granted or received
129 * expressly, by implication, estoppel, or otherwise.
130 *
131 * No assurances are provided by Nokia that the Contribution does not
132 * infringe the patent or other intellectual property rights of any third
133 * party or that the license provides you with all the necessary rights
134 * to make use of the Contribution.
135 *
136 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
137 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
138 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
139 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
140 * OTHERWISE.
141 */
142
143#define _BSD_SOURCE 1 /* Or gethostname won't be declared properly
144 on Linux and GNU platforms. */
145#include <sys/types.h>
146#include <sys/param.h>
147#include <sys/socket.h>
148
149#include <netinet/in.h>
150
151#include <assert.h>
152#include <errno.h>
153#include <limits.h>
154#include <netdb.h>
155#include <stdio.h>
156#include <stdlib.h>
157#include <string.h>
158#include <time.h>
159#include <unistd.h>
160
161#include <ctype.h>
162
163#include <openssl/opensslconf.h>
164#include <openssl/bio.h>
165#include <openssl/crypto.h>
166#include <openssl/evp.h>
167#include <openssl/x509.h>
168#include <openssl/x509v3.h>
169#include <openssl/ssl.h>
170#ifndef OPENSSL_NO_ENGINE
171#include <openssl/engine.h>
172#endif
173#include <openssl/err.h>
174#include <openssl/rand.h>
175#include <openssl/rsa.h>
176#include <openssl/dsa.h>
177#include <openssl/dh.h>
178#include <openssl/bn.h>
179
180#define TEST_SERVER_CERT "../apps/server.pem"
181#define TEST_CLIENT_CERT "../apps/client.pem"
182
183static int verify_callback(int ok, X509_STORE_CTX *ctx);
184static RSA *tmp_rsa_cb(SSL *s, int is_export, int keylength);
185static void free_tmp_rsa(void);
186static int app_verify_callback(X509_STORE_CTX *ctx, void *arg);
187#define APP_CALLBACK_STRING "Test Callback Argument"
188struct app_verify_arg {
189 char *string;
190 int app_verify;
191 int allow_proxy_certs;
192 char *proxy_auth;
193 char *proxy_cond;
194};
195
196static DH *get_dh1024(void);
197static DH *get_dh1024dsa(void);
198
199static BIO *bio_err = NULL;
200static BIO *bio_stdout = NULL;
201
202static const char *alpn_client;
203static const char *alpn_server;
204static const char *alpn_expected;
205static unsigned char *alpn_selected;
206
207/*
208 * next_protos_parse parses a comma separated list of strings into a string
209 * in a format suitable for passing to SSL_CTX_set_next_protos_advertised.
210 * outlen: (output) set to the length of the resulting buffer on success.
211 * err: (maybe NULL) on failure, an error message line is written to this BIO.
212 * in: a NUL terminated string like "abc,def,ghi"
213 *
214 * returns: a malloced buffer or NULL on failure.
215 */
216static unsigned char *
217next_protos_parse(unsigned short *outlen, const char *in)
218{
219 size_t i, len, start = 0;
220 unsigned char *out;
221
222 len = strlen(in);
223 if (len >= 65535)
224 return (NULL);
225
226 if ((out = malloc(strlen(in) + 1)) == NULL)
227 return (NULL);
228
229 for (i = 0; i <= len; ++i) {
230 if (i == len || in[i] == ',') {
231 if (i - start > 255) {
232 free(out);
233 return (NULL);
234 }
235 out[start] = i - start;
236 start = i + 1;
237 } else
238 out[i+1] = in[i];
239 }
240 *outlen = len + 1;
241 return (out);
242}
243
244static int
245cb_server_alpn(SSL *s, const unsigned char **out, unsigned char *outlen,
246 const unsigned char *in, unsigned int inlen, void *arg)
247{
248 unsigned char *protos;
249 unsigned short protos_len;
250
251 if ((protos = next_protos_parse(&protos_len, alpn_server)) == NULL) {
252 fprintf(stderr,
253 "failed to parser ALPN server protocol string: %s\n",
254 alpn_server);
255 abort();
256 }
257
258 if (SSL_select_next_proto((unsigned char **)out, outlen, protos,
259 protos_len, in, inlen) != OPENSSL_NPN_NEGOTIATED) {
260 free(protos);
261 return (SSL_TLSEXT_ERR_NOACK);
262 }
263
264 /*
265 * Make a copy of the selected protocol which will be freed in
266 * verify_alpn.
267 */
268 if ((alpn_selected = malloc(*outlen)) == NULL) {
269 fprintf(stderr, "malloc failed\n");
270 abort();
271 }
272 memcpy(alpn_selected, *out, *outlen);
273 *out = alpn_selected;
274 free(protos);
275
276 return (SSL_TLSEXT_ERR_OK);
277}
278
279static int
280verify_alpn(SSL *client, SSL *server)
281{
282 const unsigned char *client_proto, *server_proto;
283 unsigned int client_proto_len = 0, server_proto_len = 0;
284
285 SSL_get0_alpn_selected(client, &client_proto, &client_proto_len);
286 SSL_get0_alpn_selected(server, &server_proto, &server_proto_len);
287
288 free(alpn_selected);
289 alpn_selected = NULL;
290
291 if (client_proto_len != server_proto_len ||
292 memcmp(client_proto, server_proto, client_proto_len) != 0) {
293 BIO_printf(bio_stdout, "ALPN selected protocols differ!\n");
294 goto err;
295 }
296
297 if (client_proto_len > 0 && alpn_expected == NULL) {
298 BIO_printf(bio_stdout, "ALPN unexpectedly negotiated\n");
299 goto err;
300 }
301
302 if (alpn_expected != NULL &&
303 (client_proto_len != strlen(alpn_expected) ||
304 memcmp(client_proto, alpn_expected, client_proto_len) != 0)) {
305 BIO_printf(bio_stdout, "ALPN selected protocols not equal to "
306 "expected protocol: %s\n", alpn_expected);
307 goto err;
308 }
309
310 return (0);
311
312err:
313 BIO_printf(bio_stdout, "ALPN results: client: '");
314 BIO_write(bio_stdout, client_proto, client_proto_len);
315 BIO_printf(bio_stdout, "', server: '");
316 BIO_write(bio_stdout, server_proto, server_proto_len);
317 BIO_printf(bio_stdout, "'\n");
318 BIO_printf(bio_stdout, "ALPN configured: client: '%s', server: '%s'\n",
319 alpn_client, alpn_server);
320
321 return (-1);
322}
323
324static char *cipher = NULL;
325static int verbose = 0;
326static int debug = 0;
327
328int doit_biopair(SSL *s_ssl, SSL *c_ssl, long bytes, clock_t *s_time,
329 clock_t *c_time);
330int doit(SSL *s_ssl, SSL *c_ssl, long bytes);
331static int do_test_cipherlist(void);
332
333static void
334sv_usage(void)
335{
336 fprintf(stderr, "usage: ssltest [args ...]\n");
337 fprintf(stderr, "\n");
338 fprintf(stderr, " -server_auth - check server certificate\n");
339 fprintf(stderr, " -client_auth - do client authentication\n");
340 fprintf(stderr, " -proxy - allow proxy certificates\n");
341 fprintf(stderr, " -proxy_auth <val> - set proxy policy rights\n");
342 fprintf(stderr, " -proxy_cond <val> - experssion to test proxy policy rights\n");
343 fprintf(stderr, " -v - more output\n");
344 fprintf(stderr, " -d - debug output\n");
345 fprintf(stderr, " -reuse - use session-id reuse\n");
346 fprintf(stderr, " -num <val> - number of connections to perform\n");
347 fprintf(stderr, " -bytes <val> - number of bytes to swap between client/server\n");
348 fprintf(stderr, " -dhe1024dsa - use 1024 bit key (with 160-bit subprime) for DHE\n");
349 fprintf(stderr, " -no_dhe - disable DHE\n");
350 fprintf(stderr, " -no_ecdhe - disable ECDHE\n");
351 fprintf(stderr, " -dtls1 - use DTLSv1\n");
352 fprintf(stderr, " -tls1 - use TLSv1\n");
353 fprintf(stderr, " -CApath arg - PEM format directory of CA's\n");
354 fprintf(stderr, " -CAfile arg - PEM format file of CA's\n");
355 fprintf(stderr, " -cert arg - Server certificate file\n");
356 fprintf(stderr, " -key arg - Server key file (default: same as -cert)\n");
357 fprintf(stderr, " -c_cert arg - Client certificate file\n");
358 fprintf(stderr, " -c_key arg - Client key file (default: same as -c_cert)\n");
359 fprintf(stderr, " -cipher arg - The cipher list\n");
360 fprintf(stderr, " -bio_pair - Use BIO pairs\n");
361 fprintf(stderr, " -f - Test even cases that can't work\n");
362 fprintf(stderr, " -time - measure processor time used by client and server\n");
363 fprintf(stderr, " -named_curve arg - Elliptic curve name to use for ephemeral ECDH keys.\n" \
364 " Use \"openssl ecparam -list_curves\" for all names\n" \
365 " (default is sect163r2).\n");
366 fprintf(stderr, " -test_cipherlist - verifies the order of the ssl cipher lists\n");
367 fprintf(stderr, " -alpn_client <string> - have client side offer ALPN\n");
368 fprintf(stderr, " -alpn_server <string> - have server side offer ALPN\n");
369 fprintf(stderr, " -alpn_expected <string> - the ALPN protocol that should be negotiated\n");
370}
371
372static void
373print_details(SSL *c_ssl, const char *prefix)
374{
375 const SSL_CIPHER *ciph;
376 X509 *cert;
377
378 ciph = SSL_get_current_cipher(c_ssl);
379 BIO_printf(bio_stdout, "%s%s, cipher %s %s",
380 prefix, SSL_get_version(c_ssl), SSL_CIPHER_get_version(ciph),
381 SSL_CIPHER_get_name(ciph));
382 cert = SSL_get_peer_certificate(c_ssl);
383 if (cert != NULL) {
384 EVP_PKEY *pkey = X509_get_pubkey(cert);
385 if (pkey != NULL) {
386 if (pkey->type == EVP_PKEY_RSA &&
387 pkey->pkey.rsa != NULL &&
388 pkey->pkey.rsa->n != NULL) {
389 BIO_printf(bio_stdout, ", %d bit RSA",
390 BN_num_bits(pkey->pkey.rsa->n));
391 } else if (pkey->type == EVP_PKEY_DSA &&
392 pkey->pkey.dsa != NULL &&
393 pkey->pkey.dsa->p != NULL) {
394 BIO_printf(bio_stdout, ", %d bit DSA",
395 BN_num_bits(pkey->pkey.dsa->p));
396 }
397 EVP_PKEY_free(pkey);
398 }
399 X509_free(cert);
400 }
401 /* The SSL API does not allow us to look at temporary RSA/DH keys,
402 * otherwise we should print their lengths too */
403 BIO_printf(bio_stdout, "\n");
404}
405
406int
407main(int argc, char *argv[])
408{
409 char *CApath = NULL, *CAfile = NULL;
410 int badop = 0;
411 int bio_pair = 0;
412 int force = 0;
413 int tls1 = 0, dtls1 = 0, ret = 1;
414 int client_auth = 0;
415 int server_auth = 0, i;
416 struct app_verify_arg app_verify_arg =
417 { APP_CALLBACK_STRING, 0, 0, NULL, NULL };
418 char *server_cert = TEST_SERVER_CERT;
419 char *server_key = NULL;
420 char *client_cert = TEST_CLIENT_CERT;
421 char *client_key = NULL;
422 char *named_curve = NULL;
423 SSL_CTX *s_ctx = NULL;
424 SSL_CTX *c_ctx = NULL;
425 const SSL_METHOD *meth = NULL;
426 SSL *c_ssl, *s_ssl;
427 int number = 1, reuse = 0;
428 long bytes = 256L;
429 DH *dh;
430 int dhe1024dsa = 0;
431 EC_KEY *ecdh = NULL;
432 int no_dhe = 0;
433 int no_ecdhe = 0;
434 int print_time = 0;
435 clock_t s_time = 0, c_time = 0;
436 int test_cipherlist = 0;
437
438 verbose = 0;
439 debug = 0;
440 cipher = 0;
441
442 bio_err = BIO_new_fp(stderr, BIO_NOCLOSE|BIO_FP_TEXT);
443
444 bio_stdout = BIO_new_fp(stdout, BIO_NOCLOSE|BIO_FP_TEXT);
445
446 argc--;
447 argv++;
448
449 while (argc >= 1) {
450 if (!strcmp(*argv, "-F")) {
451 fprintf(stderr, "not compiled with FIPS support, so exiting without running.\n");
452 exit(0);
453 } else if (strcmp(*argv, "-server_auth") == 0)
454 server_auth = 1;
455 else if (strcmp(*argv, "-client_auth") == 0)
456 client_auth = 1;
457 else if (strcmp(*argv, "-proxy_auth") == 0) {
458 if (--argc < 1)
459 goto bad;
460 app_verify_arg.proxy_auth= *(++argv);
461 } else if (strcmp(*argv, "-proxy_cond") == 0) {
462 if (--argc < 1)
463 goto bad;
464 app_verify_arg.proxy_cond= *(++argv);
465 } else if (strcmp(*argv, "-v") == 0)
466 verbose = 1;
467 else if (strcmp(*argv, "-d") == 0)
468 debug = 1;
469 else if (strcmp(*argv, "-reuse") == 0)
470 reuse = 1;
471 else if (strcmp(*argv, "-dhe1024dsa") == 0) {
472 dhe1024dsa = 1;
473 } else if (strcmp(*argv, "-no_dhe") == 0)
474 no_dhe = 1;
475 else if (strcmp(*argv, "-no_ecdhe") == 0)
476 no_ecdhe = 1;
477 else if (strcmp(*argv, "-dtls1") == 0)
478 dtls1 = 1;
479 else if (strcmp(*argv, "-tls1") == 0)
480 tls1 = 1;
481 else if (strncmp(*argv, "-num", 4) == 0) {
482 if (--argc < 1)
483 goto bad;
484 number = atoi(*(++argv));
485 if (number == 0)
486 number = 1;
487 } else if (strcmp(*argv, "-bytes") == 0) {
488 if (--argc < 1)
489 goto bad;
490 bytes = atol(*(++argv));
491 if (bytes == 0L)
492 bytes = 1L;
493 i = strlen(argv[0]);
494 if (argv[0][i - 1] == 'k')
495 bytes*=1024L;
496 if (argv[0][i - 1] == 'm')
497 bytes*=1024L*1024L;
498 } else if (strcmp(*argv, "-cert") == 0) {
499 if (--argc < 1)
500 goto bad;
501 server_cert= *(++argv);
502 } else if (strcmp(*argv, "-s_cert") == 0) {
503 if (--argc < 1)
504 goto bad;
505 server_cert= *(++argv);
506 } else if (strcmp(*argv, "-key") == 0) {
507 if (--argc < 1)
508 goto bad;
509 server_key= *(++argv);
510 } else if (strcmp(*argv, "-s_key") == 0) {
511 if (--argc < 1)
512 goto bad;
513 server_key= *(++argv);
514 } else if (strcmp(*argv, "-c_cert") == 0) {
515 if (--argc < 1)
516 goto bad;
517 client_cert= *(++argv);
518 } else if (strcmp(*argv, "-c_key") == 0) {
519 if (--argc < 1)
520 goto bad;
521 client_key= *(++argv);
522 } else if (strcmp(*argv, "-cipher") == 0) {
523 if (--argc < 1)
524 goto bad;
525 cipher= *(++argv);
526 } else if (strcmp(*argv, "-CApath") == 0) {
527 if (--argc < 1)
528 goto bad;
529 CApath= *(++argv);
530 } else if (strcmp(*argv, "-CAfile") == 0) {
531 if (--argc < 1)
532 goto bad;
533 CAfile= *(++argv);
534 } else if (strcmp(*argv, "-bio_pair") == 0) {
535 bio_pair = 1;
536 } else if (strcmp(*argv, "-f") == 0) {
537 force = 1;
538 } else if (strcmp(*argv, "-time") == 0) {
539 print_time = 1;
540 } else if (strcmp(*argv, "-named_curve") == 0) {
541 if (--argc < 1)
542 goto bad;
543 named_curve = *(++argv);
544 } else if (strcmp(*argv, "-app_verify") == 0) {
545 app_verify_arg.app_verify = 1;
546 } else if (strcmp(*argv, "-proxy") == 0) {
547 app_verify_arg.allow_proxy_certs = 1;
548 } else if (strcmp(*argv, "-test_cipherlist") == 0) {
549 test_cipherlist = 1;
550 } else if (strcmp(*argv, "-alpn_client") == 0) {
551 if (--argc < 1)
552 goto bad;
553 alpn_client = *(++argv);
554 } else if (strcmp(*argv, "-alpn_server") == 0) {
555 if (--argc < 1)
556 goto bad;
557 alpn_server = *(++argv);
558 } else if (strcmp(*argv, "-alpn_expected") == 0) {
559 if (--argc < 1)
560 goto bad;
561 alpn_expected = *(++argv);
562 } else {
563 fprintf(stderr, "unknown option %s\n", *argv);
564 badop = 1;
565 break;
566 }
567 argc--;
568 argv++;
569 }
570 if (badop) {
571bad:
572 sv_usage();
573 goto end;
574 }
575
576 if (test_cipherlist == 1) {
577 /* ensure that the cipher list are correctly sorted and exit */
578 if (do_test_cipherlist() == 0)
579 exit(1);
580 ret = 0;
581 goto end;
582 }
583
584 if (!dtls1 && !tls1 &&
585 number > 1 && !reuse && !force) {
586 fprintf(stderr,
587 "This case cannot work. Use -f to perform "
588 "the test anyway (and\n-d to see what happens), "
589 "or add one of -dtls1, -tls1, -reuse\n"
590 "to avoid protocol mismatch.\n");
591 exit(1);
592 }
593
594 if (print_time) {
595 if (!bio_pair) {
596 fprintf(stderr, "Using BIO pair (-bio_pair)\n");
597 bio_pair = 1;
598 }
599 if (number < 50 && !force)
600 fprintf(stderr, "Warning: For accurate timings, use more connections (e.g. -num 1000)\n");
601 }
602
603/* if (cipher == NULL) cipher=getenv("SSL_CIPHER"); */
604
605 SSL_library_init();
606 SSL_load_error_strings();
607
608 if (dtls1)
609 meth = DTLSv1_method();
610 else if (tls1)
611 meth = TLSv1_method();
612 else
613 meth = SSLv23_method();
614
615 c_ctx = SSL_CTX_new(meth);
616 s_ctx = SSL_CTX_new(meth);
617 if ((c_ctx == NULL) || (s_ctx == NULL)) {
618 ERR_print_errors(bio_err);
619 goto end;
620 }
621
622 if (cipher != NULL) {
623 SSL_CTX_set_cipher_list(c_ctx, cipher);
624 SSL_CTX_set_cipher_list(s_ctx, cipher);
625 }
626
627 if (!no_dhe) {
628 if (dhe1024dsa) {
629 /* use SSL_OP_SINGLE_DH_USE to avoid small subgroup attacks */
630 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);
631 dh = get_dh1024dsa();
632 } else
633 dh = get_dh1024();
634 SSL_CTX_set_tmp_dh(s_ctx, dh);
635 DH_free(dh);
636 }
637
638 if (!no_ecdhe) {
639 int nid;
640
641 if (named_curve != NULL) {
642 nid = OBJ_sn2nid(named_curve);
643 if (nid == 0) {
644 BIO_printf(bio_err, "unknown curve name (%s)\n", named_curve);
645 goto end;
646 }
647 } else
648 nid = NID_X9_62_prime256v1;
649
650 ecdh = EC_KEY_new_by_curve_name(nid);
651 if (ecdh == NULL) {
652 BIO_printf(bio_err, "unable to create curve\n");
653 goto end;
654 }
655
656 SSL_CTX_set_tmp_ecdh(s_ctx, ecdh);
657 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_ECDH_USE);
658 EC_KEY_free(ecdh);
659 }
660
661 SSL_CTX_set_tmp_rsa_callback(s_ctx, tmp_rsa_cb);
662
663 if (!SSL_CTX_use_certificate_file(s_ctx, server_cert,
664 SSL_FILETYPE_PEM)) {
665 ERR_print_errors(bio_err);
666 } else if (!SSL_CTX_use_PrivateKey_file(s_ctx,
667 (server_key ? server_key : server_cert), SSL_FILETYPE_PEM)) {
668 ERR_print_errors(bio_err);
669 goto end;
670 }
671
672 if (client_auth) {
673 SSL_CTX_use_certificate_file(c_ctx, client_cert,
674 SSL_FILETYPE_PEM);
675 SSL_CTX_use_PrivateKey_file(c_ctx,
676 (client_key ? client_key : client_cert),
677 SSL_FILETYPE_PEM);
678 }
679
680 if ((!SSL_CTX_load_verify_locations(s_ctx, CAfile, CApath)) ||
681 (!SSL_CTX_set_default_verify_paths(s_ctx)) ||
682 (!SSL_CTX_load_verify_locations(c_ctx, CAfile, CApath)) ||
683 (!SSL_CTX_set_default_verify_paths(c_ctx))) {
684 /* fprintf(stderr,"SSL_load_verify_locations\n"); */
685 ERR_print_errors(bio_err);
686 /* goto end; */
687 }
688
689 if (client_auth) {
690 BIO_printf(bio_err, "client authentication\n");
691 SSL_CTX_set_verify(s_ctx,
692 SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
693 verify_callback);
694 SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback,
695 &app_verify_arg);
696 }
697 if (server_auth) {
698 BIO_printf(bio_err, "server authentication\n");
699 SSL_CTX_set_verify(c_ctx, SSL_VERIFY_PEER,
700 verify_callback);
701 SSL_CTX_set_cert_verify_callback(c_ctx, app_verify_callback,
702 &app_verify_arg);
703 }
704
705 {
706 int session_id_context = 0;
707 SSL_CTX_set_session_id_context(s_ctx,
708 (void *)&session_id_context, sizeof(session_id_context));
709 }
710
711 if (alpn_server != NULL)
712 SSL_CTX_set_alpn_select_cb(s_ctx, cb_server_alpn, NULL);
713
714 if (alpn_client != NULL) {
715 unsigned short alpn_len;
716 unsigned char *alpn = next_protos_parse(&alpn_len, alpn_client);
717
718 if (alpn == NULL) {
719 BIO_printf(bio_err, "Error parsing -alpn_client argument\n");
720 goto end;
721 }
722 SSL_CTX_set_alpn_protos(c_ctx, alpn, alpn_len);
723 free(alpn);
724 }
725
726 c_ssl = SSL_new(c_ctx);
727 s_ssl = SSL_new(s_ctx);
728
729 for (i = 0; i < number; i++) {
730 if (!reuse)
731 SSL_set_session(c_ssl, NULL);
732 if (bio_pair)
733 ret = doit_biopair(s_ssl, c_ssl, bytes, &s_time,
734 &c_time);
735 else
736 ret = doit(s_ssl, c_ssl, bytes);
737 }
738
739 if (!verbose) {
740 print_details(c_ssl, "");
741 }
742 if ((number > 1) || (bytes > 1L))
743 BIO_printf(bio_stdout, "%d handshakes of %ld bytes done\n",
744 number, bytes);
745 if (print_time) {
746#ifdef CLOCKS_PER_SEC
747 /* "To determine the time in seconds, the value returned
748 * by the clock function should be divided by the value
749 * of the macro CLOCKS_PER_SEC."
750 * -- ISO/IEC 9899 */
751 BIO_printf(bio_stdout,
752 "Approximate total server time: %6.2f s\n"
753 "Approximate total client time: %6.2f s\n",
754 (double)s_time/CLOCKS_PER_SEC,
755 (double)c_time/CLOCKS_PER_SEC);
756#else
757 /* "`CLOCKS_PER_SEC' undeclared (first use this function)"
758 * -- cc on NeXTstep/OpenStep */
759 BIO_printf(bio_stdout,
760 "Approximate total server time: %6.2f units\n"
761 "Approximate total client time: %6.2f units\n",
762 (double)s_time,
763 (double)c_time);
764#endif
765 }
766
767 SSL_free(s_ssl);
768 SSL_free(c_ssl);
769
770end:
771 SSL_CTX_free(s_ctx);
772 SSL_CTX_free(c_ctx);
773 BIO_free(bio_stdout);
774
775 free_tmp_rsa();
776#ifndef OPENSSL_NO_ENGINE
777 ENGINE_cleanup();
778#endif
779 CRYPTO_cleanup_all_ex_data();
780 ERR_free_strings();
781 ERR_remove_thread_state(NULL);
782 EVP_cleanup();
783 CRYPTO_mem_leaks(bio_err);
784 BIO_free(bio_err);
785
786 exit(ret);
787 return ret;
788}
789
790int
791doit_biopair(SSL *s_ssl, SSL *c_ssl, long count, clock_t *s_time,
792 clock_t *c_time)
793{
794 long cw_num = count, cr_num = count, sw_num = count, sr_num = count;
795 BIO *s_ssl_bio = NULL, *c_ssl_bio = NULL;
796 BIO *server = NULL, *server_io = NULL;
797 BIO *client = NULL, *client_io = NULL;
798 int ret = 1;
799
800 size_t bufsiz = 256; /* small buffer for testing */
801
802 if (!BIO_new_bio_pair(&server, bufsiz, &server_io, bufsiz))
803 goto err;
804 if (!BIO_new_bio_pair(&client, bufsiz, &client_io, bufsiz))
805 goto err;
806
807 s_ssl_bio = BIO_new(BIO_f_ssl());
808 if (!s_ssl_bio)
809 goto err;
810
811 c_ssl_bio = BIO_new(BIO_f_ssl());
812 if (!c_ssl_bio)
813 goto err;
814
815 SSL_set_connect_state(c_ssl);
816 SSL_set_bio(c_ssl, client, client);
817 (void)BIO_set_ssl(c_ssl_bio, c_ssl, BIO_NOCLOSE);
818
819 SSL_set_accept_state(s_ssl);
820 SSL_set_bio(s_ssl, server, server);
821 (void)BIO_set_ssl(s_ssl_bio, s_ssl, BIO_NOCLOSE);
822
823 do {
824 /* c_ssl_bio: SSL filter BIO
825 *
826 * client: pseudo-I/O for SSL library
827 *
828 * client_io: client's SSL communication; usually to be
829 * relayed over some I/O facility, but in this
830 * test program, we're the server, too:
831 *
832 * server_io: server's SSL communication
833 *
834 * server: pseudo-I/O for SSL library
835 *
836 * s_ssl_bio: SSL filter BIO
837 *
838 * The client and the server each employ a "BIO pair":
839 * client + client_io, server + server_io.
840 * BIO pairs are symmetric. A BIO pair behaves similar
841 * to a non-blocking socketpair (but both endpoints must
842 * be handled by the same thread).
843 * [Here we could connect client and server to the ends
844 * of a single BIO pair, but then this code would be less
845 * suitable as an example for BIO pairs in general.]
846 *
847 * Useful functions for querying the state of BIO pair endpoints:
848 *
849 * BIO_ctrl_pending(bio) number of bytes we can read now
850 * BIO_ctrl_get_read_request(bio) number of bytes needed to fulfil
851 * other side's read attempt
852 * BIO_ctrl_get_write_guarantee(bio) number of bytes we can write now
853 *
854 * ..._read_request is never more than ..._write_guarantee;
855 * it depends on the application which one you should use.
856 */
857
858 /* We have non-blocking behaviour throughout this test program, but
859 * can be sure that there is *some* progress in each iteration; so
860 * we don't have to worry about ..._SHOULD_READ or ..._SHOULD_WRITE
861 * -- we just try everything in each iteration
862 */
863
864 {
865 /* CLIENT */
866
867 char cbuf[1024*8];
868 int i, r;
869 clock_t c_clock = clock();
870
871 memset(cbuf, 0, sizeof(cbuf));
872
873 if (debug)
874 if (SSL_in_init(c_ssl))
875 printf("client waiting in SSL_connect - %s\n",
876 SSL_state_string_long(c_ssl));
877
878 if (cw_num > 0) {
879 /* Write to server. */
880
881 if (cw_num > (long)sizeof cbuf)
882 i = sizeof cbuf;
883 else
884 i = (int)cw_num;
885 r = BIO_write(c_ssl_bio, cbuf, i);
886 if (r < 0) {
887 if (!BIO_should_retry(c_ssl_bio)) {
888 fprintf(stderr, "ERROR in CLIENT\n");
889 goto err;
890 }
891 /* BIO_should_retry(...) can just be ignored here.
892 * The library expects us to call BIO_write with
893 * the same arguments again, and that's what we will
894 * do in the next iteration. */
895 } else if (r == 0) {
896 fprintf(stderr, "SSL CLIENT STARTUP FAILED\n");
897 goto err;
898 } else {
899 if (debug)
900 printf("client wrote %d\n", r);
901 cw_num -= r;
902
903 }
904 }
905
906 if (cr_num > 0) {
907 /* Read from server. */
908
909 r = BIO_read(c_ssl_bio, cbuf, sizeof(cbuf));
910 if (r < 0) {
911 if (!BIO_should_retry(c_ssl_bio)) {
912 fprintf(stderr, "ERROR in CLIENT\n");
913 goto err;
914 }
915 /* Again, "BIO_should_retry" can be ignored. */
916 } else if (r == 0) {
917 fprintf(stderr, "SSL CLIENT STARTUP FAILED\n");
918 goto err;
919 } else {
920 if (debug)
921 printf("client read %d\n", r);
922 cr_num -= r;
923 }
924 }
925
926 /* c_time and s_time increments will typically be very small
927 * (depending on machine speed and clock tick intervals),
928 * but sampling over a large number of connections should
929 * result in fairly accurate figures. We cannot guarantee
930 * a lot, however -- if each connection lasts for exactly
931 * one clock tick, it will be counted only for the client
932 * or only for the server or even not at all.
933 */
934 *c_time += (clock() - c_clock);
935 }
936
937 {
938 /* SERVER */
939
940 char sbuf[1024*8];
941 int i, r;
942 clock_t s_clock = clock();
943
944 memset(sbuf, 0, sizeof(sbuf));
945
946 if (debug)
947 if (SSL_in_init(s_ssl))
948 printf("server waiting in SSL_accept - %s\n",
949 SSL_state_string_long(s_ssl));
950
951 if (sw_num > 0) {
952 /* Write to client. */
953
954 if (sw_num > (long)sizeof sbuf)
955 i = sizeof sbuf;
956 else
957 i = (int)sw_num;
958 r = BIO_write(s_ssl_bio, sbuf, i);
959 if (r < 0) {
960 if (!BIO_should_retry(s_ssl_bio)) {
961 fprintf(stderr, "ERROR in SERVER\n");
962 goto err;
963 }
964 /* Ignore "BIO_should_retry". */
965 } else if (r == 0) {
966 fprintf(stderr, "SSL SERVER STARTUP FAILED\n");
967 goto err;
968 } else {
969 if (debug)
970 printf("server wrote %d\n", r);
971 sw_num -= r;
972
973 }
974 }
975
976 if (sr_num > 0) {
977 /* Read from client. */
978
979 r = BIO_read(s_ssl_bio, sbuf, sizeof(sbuf));
980 if (r < 0) {
981 if (!BIO_should_retry(s_ssl_bio)) {
982 fprintf(stderr, "ERROR in SERVER\n");
983 goto err;
984 }
985 /* blah, blah */
986 } else if (r == 0) {
987 fprintf(stderr, "SSL SERVER STARTUP FAILED\n");
988 goto err;
989 } else {
990 if (debug)
991 printf("server read %d\n", r);
992 sr_num -= r;
993 }
994 }
995
996 *s_time += (clock() - s_clock);
997 }
998
999 {
1000 /* "I/O" BETWEEN CLIENT AND SERVER. */
1001
1002 size_t r1, r2;
1003 BIO *io1 = server_io, *io2 = client_io;
1004 /* we use the non-copying interface for io1
1005 * and the standard BIO_write/BIO_read interface for io2
1006 */
1007
1008 static int prev_progress = 1;
1009 int progress = 0;
1010
1011 /* io1 to io2 */
1012 do {
1013 size_t num;
1014 int r;
1015
1016 r1 = BIO_ctrl_pending(io1);
1017 r2 = BIO_ctrl_get_write_guarantee(io2);
1018
1019 num = r1;
1020 if (r2 < num)
1021 num = r2;
1022 if (num) {
1023 char *dataptr;
1024
1025 if (INT_MAX < num) /* yeah, right */
1026 num = INT_MAX;
1027
1028 r = BIO_nread(io1, &dataptr, (int)num);
1029 assert(r > 0);
1030 assert(r <= (int)num);
1031 /* possibly r < num (non-contiguous data) */
1032 num = r;
1033 r = BIO_write(io2, dataptr, (int)num);
1034 if (r != (int)num) /* can't happen */
1035 {
1036 fprintf(stderr, "ERROR: BIO_write could not write "
1037 "BIO_ctrl_get_write_guarantee() bytes");
1038 goto err;
1039 }
1040 progress = 1;
1041
1042 if (debug)
1043 printf((io1 == client_io) ?
1044 "C->S relaying: %d bytes\n" :
1045 "S->C relaying: %d bytes\n",
1046 (int)num);
1047 }
1048 } while (r1 && r2);
1049
1050 /* io2 to io1 */
1051 {
1052 size_t num;
1053 int r;
1054
1055 r1 = BIO_ctrl_pending(io2);
1056 r2 = BIO_ctrl_get_read_request(io1);
1057 /* here we could use ..._get_write_guarantee instead of
1058 * ..._get_read_request, but by using the latter
1059 * we test restartability of the SSL implementation
1060 * more thoroughly */
1061 num = r1;
1062 if (r2 < num)
1063 num = r2;
1064 if (num) {
1065 char *dataptr;
1066
1067 if (INT_MAX < num)
1068 num = INT_MAX;
1069
1070 if (num > 1)
1071 --num; /* test restartability even more thoroughly */
1072
1073 r = BIO_nwrite0(io1, &dataptr);
1074 assert(r > 0);
1075 if (r < (int)num)
1076 num = r;
1077 r = BIO_read(io2, dataptr, (int)num);
1078 if (r != (int)num) /* can't happen */
1079 {
1080 fprintf(stderr, "ERROR: BIO_read could not read "
1081 "BIO_ctrl_pending() bytes");
1082 goto err;
1083 }
1084 progress = 1;
1085 r = BIO_nwrite(io1, &dataptr, (int)num);
1086 if (r != (int)num) /* can't happen */
1087 {
1088 fprintf(stderr, "ERROR: BIO_nwrite() did not accept "
1089 "BIO_nwrite0() bytes");
1090 goto err;
1091 }
1092
1093 if (debug)
1094 printf((io2 == client_io) ?
1095 "C->S relaying: %d bytes\n" :
1096 "S->C relaying: %d bytes\n",
1097 (int)num);
1098 }
1099 } /* no loop, BIO_ctrl_get_read_request now returns 0 anyway */
1100
1101 if (!progress && !prev_progress) {
1102 if (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0) {
1103 fprintf(stderr, "ERROR: got stuck\n");
1104 goto err;
1105 }
1106 }
1107 prev_progress = progress;
1108 }
1109 } while (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0);
1110
1111 if (verbose)
1112 print_details(c_ssl, "DONE via BIO pair: ");
1113
1114 if (verify_alpn(c_ssl, s_ssl) < 0) {
1115 ret = 1;
1116 goto err;
1117 }
1118
1119 ret = 0;
1120
1121err:
1122 ERR_print_errors(bio_err);
1123
1124 BIO_free(server);
1125 BIO_free(server_io);
1126 BIO_free(client);
1127 BIO_free(client_io);
1128 BIO_free(s_ssl_bio);
1129 BIO_free(c_ssl_bio);
1130
1131 return ret;
1132}
1133
1134
1135#define W_READ 1
1136#define W_WRITE 2
1137#define C_DONE 1
1138#define S_DONE 2
1139
1140int
1141doit(SSL *s_ssl, SSL *c_ssl, long count)
1142{
1143 char cbuf[1024*8], sbuf[1024*8];
1144 long cw_num = count, cr_num = count;
1145 long sw_num = count, sr_num = count;
1146 int ret = 1;
1147 BIO *c_to_s = NULL;
1148 BIO *s_to_c = NULL;
1149 BIO *c_bio = NULL;
1150 BIO *s_bio = NULL;
1151 int c_r, c_w, s_r, s_w;
1152 int i, j;
1153 int done = 0;
1154 int c_write, s_write;
1155 int do_server = 0, do_client = 0;
1156
1157 memset(cbuf, 0, sizeof(cbuf));
1158 memset(sbuf, 0, sizeof(sbuf));
1159
1160 c_to_s = BIO_new(BIO_s_mem());
1161 s_to_c = BIO_new(BIO_s_mem());
1162 if ((s_to_c == NULL) || (c_to_s == NULL)) {
1163 ERR_print_errors(bio_err);
1164 goto err;
1165 }
1166
1167 c_bio = BIO_new(BIO_f_ssl());
1168 s_bio = BIO_new(BIO_f_ssl());
1169 if ((c_bio == NULL) || (s_bio == NULL)) {
1170 ERR_print_errors(bio_err);
1171 goto err;
1172 }
1173
1174 SSL_set_connect_state(c_ssl);
1175 SSL_set_bio(c_ssl, s_to_c, c_to_s);
1176 BIO_set_ssl(c_bio, c_ssl, BIO_NOCLOSE);
1177
1178 SSL_set_accept_state(s_ssl);
1179 SSL_set_bio(s_ssl, c_to_s, s_to_c);
1180 BIO_set_ssl(s_bio, s_ssl, BIO_NOCLOSE);
1181
1182 c_r = 0;
1183 s_r = 1;
1184 c_w = 1;
1185 s_w = 0;
1186 c_write = 1, s_write = 0;
1187
1188 /* We can always do writes */
1189 for (;;) {
1190 do_server = 0;
1191 do_client = 0;
1192
1193 i = (int)BIO_pending(s_bio);
1194 if ((i && s_r) || s_w)
1195 do_server = 1;
1196
1197 i = (int)BIO_pending(c_bio);
1198 if ((i && c_r) || c_w)
1199 do_client = 1;
1200
1201 if (do_server && debug) {
1202 if (SSL_in_init(s_ssl))
1203 printf("server waiting in SSL_accept - %s\n",
1204 SSL_state_string_long(s_ssl));
1205 }
1206
1207 if (do_client && debug) {
1208 if (SSL_in_init(c_ssl))
1209 printf("client waiting in SSL_connect - %s\n",
1210 SSL_state_string_long(c_ssl));
1211 }
1212
1213 if (!do_client && !do_server) {
1214 fprintf(stdout, "ERROR in STARTUP\n");
1215 ERR_print_errors(bio_err);
1216 goto err;
1217 }
1218
1219 if (do_client && !(done & C_DONE)) {
1220 if (c_write) {
1221 j = (cw_num > (long)sizeof(cbuf)) ?
1222 (int)sizeof(cbuf) : (int)cw_num;
1223 i = BIO_write(c_bio, cbuf, j);
1224 if (i < 0) {
1225 c_r = 0;
1226 c_w = 0;
1227 if (BIO_should_retry(c_bio)) {
1228 if (BIO_should_read(c_bio))
1229 c_r = 1;
1230 if (BIO_should_write(c_bio))
1231 c_w = 1;
1232 } else {
1233 fprintf(stderr, "ERROR in CLIENT\n");
1234 ERR_print_errors(bio_err);
1235 goto err;
1236 }
1237 } else if (i == 0) {
1238 fprintf(stderr, "SSL CLIENT STARTUP FAILED\n");
1239 goto err;
1240 } else {
1241 if (debug)
1242 printf("client wrote %d\n", i);
1243 /* ok */
1244 s_r = 1;
1245 c_write = 0;
1246 cw_num -= i;
1247 }
1248 } else {
1249 i = BIO_read(c_bio, cbuf, sizeof(cbuf));
1250 if (i < 0) {
1251 c_r = 0;
1252 c_w = 0;
1253 if (BIO_should_retry(c_bio)) {
1254 if (BIO_should_read(c_bio))
1255 c_r = 1;
1256 if (BIO_should_write(c_bio))
1257 c_w = 1;
1258 } else {
1259 fprintf(stderr, "ERROR in CLIENT\n");
1260 ERR_print_errors(bio_err);
1261 goto err;
1262 }
1263 } else if (i == 0) {
1264 fprintf(stderr, "SSL CLIENT STARTUP FAILED\n");
1265 goto err;
1266 } else {
1267 if (debug)
1268 printf("client read %d\n", i);
1269 cr_num -= i;
1270 if (sw_num > 0) {
1271 s_write = 1;
1272 s_w = 1;
1273 }
1274 if (cr_num <= 0) {
1275 s_write = 1;
1276 s_w = 1;
1277 done = S_DONE|C_DONE;
1278 }
1279 }
1280 }
1281 }
1282
1283 if (do_server && !(done & S_DONE)) {
1284 if (!s_write) {
1285 i = BIO_read(s_bio, sbuf, sizeof(cbuf));
1286 if (i < 0) {
1287 s_r = 0;
1288 s_w = 0;
1289 if (BIO_should_retry(s_bio)) {
1290 if (BIO_should_read(s_bio))
1291 s_r = 1;
1292 if (BIO_should_write(s_bio))
1293 s_w = 1;
1294 } else {
1295 fprintf(stderr, "ERROR in SERVER\n");
1296 ERR_print_errors(bio_err);
1297 goto err;
1298 }
1299 } else if (i == 0) {
1300 ERR_print_errors(bio_err);
1301 fprintf(stderr, "SSL SERVER STARTUP FAILED in SSL_read\n");
1302 goto err;
1303 } else {
1304 if (debug)
1305 printf("server read %d\n", i);
1306 sr_num -= i;
1307 if (cw_num > 0) {
1308 c_write = 1;
1309 c_w = 1;
1310 }
1311 if (sr_num <= 0) {
1312 s_write = 1;
1313 s_w = 1;
1314 c_write = 0;
1315 }
1316 }
1317 } else {
1318 j = (sw_num > (long)sizeof(sbuf)) ?
1319 (int)sizeof(sbuf) : (int)sw_num;
1320 i = BIO_write(s_bio, sbuf, j);
1321 if (i < 0) {
1322 s_r = 0;
1323 s_w = 0;
1324 if (BIO_should_retry(s_bio)) {
1325 if (BIO_should_read(s_bio))
1326 s_r = 1;
1327 if (BIO_should_write(s_bio))
1328 s_w = 1;
1329 } else {
1330 fprintf(stderr, "ERROR in SERVER\n");
1331 ERR_print_errors(bio_err);
1332 goto err;
1333 }
1334 } else if (i == 0) {
1335 ERR_print_errors(bio_err);
1336 fprintf(stderr, "SSL SERVER STARTUP FAILED in SSL_write\n");
1337 goto err;
1338 } else {
1339 if (debug)
1340 printf("server wrote %d\n", i);
1341 sw_num -= i;
1342 s_write = 0;
1343 c_r = 1;
1344 if (sw_num <= 0)
1345 done |= S_DONE;
1346 }
1347 }
1348 }
1349
1350 if ((done & S_DONE) && (done & C_DONE))
1351 break;
1352 }
1353
1354 if (verbose)
1355 print_details(c_ssl, "DONE: ");
1356
1357 if (verify_alpn(c_ssl, s_ssl) < 0) {
1358 ret = 1;
1359 goto err;
1360 }
1361
1362 ret = 0;
1363err:
1364 /* We have to set the BIO's to NULL otherwise they will be
1365 * free()ed twice. Once when th s_ssl is SSL_free()ed and
1366 * again when c_ssl is SSL_free()ed.
1367 * This is a hack required because s_ssl and c_ssl are sharing the same
1368 * BIO structure and SSL_set_bio() and SSL_free() automatically
1369 * BIO_free non NULL entries.
1370 * You should not normally do this or be required to do this */
1371 if (s_ssl != NULL) {
1372 s_ssl->rbio = NULL;
1373 s_ssl->wbio = NULL;
1374 }
1375 if (c_ssl != NULL) {
1376 c_ssl->rbio = NULL;
1377 c_ssl->wbio = NULL;
1378 }
1379
1380 BIO_free(c_to_s);
1381 BIO_free(s_to_c);
1382 BIO_free_all(c_bio);
1383 BIO_free_all(s_bio);
1384
1385 return (ret);
1386}
1387
1388static int
1389get_proxy_auth_ex_data_idx(void)
1390{
1391 static volatile int idx = -1;
1392 if (idx < 0) {
1393 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
1394 if (idx < 0) {
1395 idx = X509_STORE_CTX_get_ex_new_index(0,
1396 "SSLtest for verify callback", NULL, NULL, NULL);
1397 }
1398 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
1399 }
1400 return idx;
1401}
1402
1403static int
1404verify_callback(int ok, X509_STORE_CTX *ctx)
1405{
1406 char *s, buf[256];
1407
1408 s = X509_NAME_oneline(X509_get_subject_name(ctx->current_cert), buf,
1409 sizeof buf);
1410 if (s != NULL) {
1411 if (ok)
1412 fprintf(stderr, "depth=%d %s\n",
1413 ctx->error_depth, buf);
1414 else {
1415 fprintf(stderr, "depth=%d error=%d %s\n",
1416 ctx->error_depth, ctx->error, buf);
1417 }
1418 }
1419
1420 if (ok == 0) {
1421 fprintf(stderr, "Error string: %s\n",
1422 X509_verify_cert_error_string(ctx->error));
1423 switch (ctx->error) {
1424 case X509_V_ERR_CERT_NOT_YET_VALID:
1425 case X509_V_ERR_CERT_HAS_EXPIRED:
1426 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
1427 fprintf(stderr, " ... ignored.\n");
1428 ok = 1;
1429 }
1430 }
1431
1432 if (ok == 1) {
1433 X509 *xs = ctx->current_cert;
1434#if 0
1435 X509 *xi = ctx->current_issuer;
1436#endif
1437
1438 if (xs->ex_flags & EXFLAG_PROXY) {
1439 unsigned int *letters =
1440 X509_STORE_CTX_get_ex_data(ctx,
1441 get_proxy_auth_ex_data_idx());
1442
1443 if (letters) {
1444 int found_any = 0;
1445 int i;
1446 PROXY_CERT_INFO_EXTENSION *pci =
1447 X509_get_ext_d2i(xs, NID_proxyCertInfo,
1448 NULL, NULL);
1449
1450 switch (OBJ_obj2nid(pci->proxyPolicy->policyLanguage)) {
1451 case NID_Independent:
1452 /* Completely meaningless in this
1453 program, as there's no way to
1454 grant explicit rights to a
1455 specific PrC. Basically, using
1456 id-ppl-Independent is the perfect
1457 way to grant no rights at all. */
1458 fprintf(stderr, " Independent proxy certificate");
1459 for (i = 0; i < 26; i++)
1460 letters[i] = 0;
1461 break;
1462 case NID_id_ppl_inheritAll:
1463 /* This is basically a NOP, we
1464 simply let the current rights
1465 stand as they are. */
1466 fprintf(stderr, " Proxy certificate inherits all");
1467 break;
1468 default:
1469 s = (char *)
1470 pci->proxyPolicy->policy->data;
1471 i = pci->proxyPolicy->policy->length;
1472
1473 /* The algorithm works as follows:
1474 it is assumed that previous
1475 iterations or the initial granted
1476 rights has already set some elements
1477 of `letters'. What we need to do is
1478 to clear those that weren't granted
1479 by the current PrC as well. The
1480 easiest way to do this is to add 1
1481 to all the elements whose letters
1482 are given with the current policy.
1483 That way, all elements that are set
1484 by the current policy and were
1485 already set by earlier policies and
1486 through the original grant of rights
1487 will get the value 2 or higher.
1488 The last thing to do is to sweep
1489 through `letters' and keep the
1490 elements having the value 2 as set,
1491 and clear all the others. */
1492
1493 fprintf(stderr, " Certificate proxy rights = %*.*s", i, i, s);
1494 while (i-- > 0) {
1495 int c = *s++;
1496 if (isascii(c) && isalpha(c)) {
1497 if (islower(c))
1498 c = toupper(c);
1499 letters[c - 'A']++;
1500 }
1501 }
1502 for (i = 0; i < 26; i++)
1503 if (letters[i] < 2)
1504 letters[i] = 0;
1505 else
1506 letters[i] = 1;
1507 }
1508
1509 found_any = 0;
1510 fprintf(stderr, ", resulting proxy rights = ");
1511 for (i = 0; i < 26; i++)
1512 if (letters[i]) {
1513 fprintf(stderr, "%c", i + 'A');
1514 found_any = 1;
1515 }
1516 if (!found_any)
1517 fprintf(stderr, "none");
1518 fprintf(stderr, "\n");
1519
1520 PROXY_CERT_INFO_EXTENSION_free(pci);
1521 }
1522 }
1523 }
1524
1525 return (ok);
1526}
1527
1528static void
1529process_proxy_debug(int indent, const char *format, ...)
1530{
1531 static const char indentation[] =
1532 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
1533 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"; /* That's 80 > */
1534 char my_format[256];
1535 va_list args;
1536
1537 (void) snprintf(my_format, sizeof(my_format), "%*.*s %s",
1538 indent, indent, indentation, format);
1539
1540 va_start(args, format);
1541 vfprintf(stderr, my_format, args);
1542 va_end(args);
1543}
1544/* Priority levels:
1545 0 [!]var, ()
1546 1 & ^
1547 2 |
1548*/
1549static int process_proxy_cond_adders(unsigned int letters[26],
1550 const char *cond, const char **cond_end, int *pos, int indent);
1551
1552static int
1553process_proxy_cond_val(unsigned int letters[26], const char *cond,
1554 const char **cond_end, int *pos, int indent)
1555{
1556 int c;
1557 int ok = 1;
1558 int negate = 0;
1559
1560 while (isspace((int)*cond)) {
1561 cond++;
1562 (*pos)++;
1563 }
1564 c = *cond;
1565
1566 if (debug)
1567 process_proxy_debug(indent,
1568 "Start process_proxy_cond_val at position %d: %s\n",
1569 *pos, cond);
1570
1571 while (c == '!') {
1572 negate = !negate;
1573 cond++;
1574 (*pos)++;
1575 while (isspace((int)*cond)) {
1576 cond++;
1577 (*pos)++;
1578 }
1579 c = *cond;
1580 }
1581
1582 if (c == '(') {
1583 cond++;
1584 (*pos)++;
1585 ok = process_proxy_cond_adders(letters, cond, cond_end, pos,
1586 indent + 1);
1587 cond = *cond_end;
1588 if (ok < 0)
1589 goto end;
1590 while (isspace((int)*cond)) {
1591 cond++;
1592 (*pos)++;
1593 }
1594 c = *cond;
1595 if (c != ')') {
1596 fprintf(stderr,
1597 "Weird condition character in position %d: "
1598 "%c\n", *pos, c);
1599 ok = -1;
1600 goto end;
1601 }
1602 cond++;
1603 (*pos)++;
1604 } else if (isascii(c) && isalpha(c)) {
1605 if (islower(c))
1606 c = toupper(c);
1607 ok = letters[c - 'A'];
1608 cond++;
1609 (*pos)++;
1610 } else {
1611 fprintf(stderr,
1612 "Weird condition character in position %d: "
1613 "%c\n", *pos, c);
1614 ok = -1;
1615 goto end;
1616 }
1617end:
1618 *cond_end = cond;
1619 if (ok >= 0 && negate)
1620 ok = !ok;
1621
1622 if (debug)
1623 process_proxy_debug(indent,
1624 "End process_proxy_cond_val at position %d: %s, returning %d\n",
1625 *pos, cond, ok);
1626
1627 return ok;
1628}
1629
1630static int
1631process_proxy_cond_multipliers(unsigned int letters[26], const char *cond,
1632 const char **cond_end, int *pos, int indent)
1633{
1634 int ok;
1635 char c;
1636
1637 if (debug)
1638 process_proxy_debug(indent,
1639 "Start process_proxy_cond_multipliers at position %d: %s\n",
1640 *pos, cond);
1641
1642 ok = process_proxy_cond_val(letters, cond, cond_end, pos, indent + 1);
1643 cond = *cond_end;
1644 if (ok < 0)
1645 goto end;
1646
1647 while (ok >= 0) {
1648 while (isspace((int)*cond)) {
1649 cond++;
1650 (*pos)++;
1651 }
1652 c = *cond;
1653
1654 switch (c) {
1655 case '&':
1656 case '^':
1657 {
1658 int save_ok = ok;
1659
1660 cond++;
1661 (*pos)++;
1662 ok = process_proxy_cond_val(letters,
1663 cond, cond_end, pos, indent + 1);
1664 cond = *cond_end;
1665 if (ok < 0)
1666 break;
1667
1668 switch (c) {
1669 case '&':
1670 ok &= save_ok;
1671 break;
1672 case '^':
1673 ok ^= save_ok;
1674 break;
1675 default:
1676 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
1677 " STOPPING\n");
1678 exit(1);
1679 }
1680 }
1681 break;
1682 default:
1683 goto end;
1684 }
1685 }
1686end:
1687 if (debug)
1688 process_proxy_debug(indent,
1689 "End process_proxy_cond_multipliers at position %d: %s, "
1690 "returning %d\n",
1691 *pos, cond, ok);
1692
1693 *cond_end = cond;
1694 return ok;
1695}
1696
1697static int
1698process_proxy_cond_adders(unsigned int letters[26], const char *cond,
1699 const char **cond_end, int *pos, int indent)
1700{
1701 int ok;
1702 char c;
1703
1704 if (debug)
1705 process_proxy_debug(indent,
1706 "Start process_proxy_cond_adders at position %d: %s\n",
1707 *pos, cond);
1708
1709 ok = process_proxy_cond_multipliers(letters, cond, cond_end, pos,
1710 indent + 1);
1711 cond = *cond_end;
1712 if (ok < 0)
1713 goto end;
1714
1715 while (ok >= 0) {
1716 while (isspace((int)*cond)) {
1717 cond++;
1718 (*pos)++;
1719 }
1720 c = *cond;
1721
1722 switch (c) {
1723 case '|':
1724 {
1725 int save_ok = ok;
1726
1727 cond++;
1728 (*pos)++;
1729 ok = process_proxy_cond_multipliers(letters,
1730 cond, cond_end, pos, indent + 1);
1731 cond = *cond_end;
1732 if (ok < 0)
1733 break;
1734
1735 switch (c) {
1736 case '|':
1737 ok |= save_ok;
1738 break;
1739 default:
1740 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
1741 " STOPPING\n");
1742 exit(1);
1743 }
1744 }
1745 break;
1746 default:
1747 goto end;
1748 }
1749 }
1750end:
1751 if (debug)
1752 process_proxy_debug(indent,
1753 "End process_proxy_cond_adders at position %d: %s, returning %d\n",
1754 *pos, cond, ok);
1755
1756 *cond_end = cond;
1757 return ok;
1758}
1759
1760static int
1761process_proxy_cond(unsigned int letters[26], const char *cond,
1762 const char **cond_end)
1763{
1764 int pos = 1;
1765 return process_proxy_cond_adders(letters, cond, cond_end, &pos, 1);
1766}
1767
1768static int
1769app_verify_callback(X509_STORE_CTX *ctx, void *arg)
1770{
1771 int ok = 1;
1772 struct app_verify_arg *cb_arg = arg;
1773 unsigned int letters[26]; /* only used with proxy_auth */
1774
1775 if (cb_arg->app_verify) {
1776 char *s = NULL, buf[256];
1777
1778 fprintf(stderr, "In app_verify_callback, allowing cert. ");
1779 fprintf(stderr, "Arg is: %s\n", cb_arg->string);
1780 fprintf(stderr, "Finished printing do we have a context? 0x%p a cert? 0x%p\n",
1781 (void *)ctx, (void *)ctx->cert);
1782 if (ctx->cert)
1783 s = X509_NAME_oneline(X509_get_subject_name(ctx->cert), buf, 256);
1784 if (s != NULL) {
1785 fprintf(stderr, "cert depth=%d %s\n", ctx->error_depth, buf);
1786 }
1787 return (1);
1788 }
1789 if (cb_arg->proxy_auth) {
1790 int found_any = 0, i;
1791 char *sp;
1792
1793 for (i = 0; i < 26; i++)
1794 letters[i] = 0;
1795 for (sp = cb_arg->proxy_auth; *sp; sp++) {
1796 int c = *sp;
1797 if (isascii(c) && isalpha(c)) {
1798 if (islower(c))
1799 c = toupper(c);
1800 letters[c - 'A'] = 1;
1801 }
1802 }
1803
1804 fprintf(stderr, " Initial proxy rights = ");
1805 for (i = 0; i < 26; i++)
1806 if (letters[i]) {
1807 fprintf(stderr, "%c", i + 'A');
1808 found_any = 1;
1809 }
1810 if (!found_any)
1811 fprintf(stderr, "none");
1812 fprintf(stderr, "\n");
1813
1814 X509_STORE_CTX_set_ex_data(ctx,
1815 get_proxy_auth_ex_data_idx(), letters);
1816 }
1817 if (cb_arg->allow_proxy_certs) {
1818 X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
1819 }
1820
1821 ok = X509_verify_cert(ctx);
1822
1823 if (cb_arg->proxy_auth) {
1824 if (ok > 0) {
1825 const char *cond_end = NULL;
1826
1827 ok = process_proxy_cond(letters,
1828 cb_arg->proxy_cond, &cond_end);
1829
1830 if (ok < 0)
1831 exit(3);
1832 if (*cond_end) {
1833 fprintf(stderr, "Stopped processing condition before it's end.\n");
1834 ok = 0;
1835 }
1836 if (!ok)
1837 fprintf(stderr, "Proxy rights check with condition '%s' proved invalid\n",
1838 cb_arg->proxy_cond);
1839 else
1840 fprintf(stderr, "Proxy rights check with condition '%s' proved valid\n",
1841 cb_arg->proxy_cond);
1842 }
1843 }
1844 return (ok);
1845}
1846
1847static RSA *rsa_tmp = NULL;
1848
1849static RSA *
1850tmp_rsa_cb(SSL *s, int is_export, int keylength)
1851{
1852 BIGNUM *bn = NULL;
1853 if (rsa_tmp == NULL) {
1854 bn = BN_new();
1855 rsa_tmp = RSA_new();
1856 if (!bn || !rsa_tmp || !BN_set_word(bn, RSA_F4)) {
1857 BIO_printf(bio_err, "Memory error...");
1858 goto end;
1859 }
1860 BIO_printf(bio_err, "Generating temp (%d bit) RSA key...", keylength);
1861 (void)BIO_flush(bio_err);
1862 if (!RSA_generate_key_ex(rsa_tmp, keylength, bn, NULL)) {
1863 BIO_printf(bio_err, "Error generating key.");
1864 RSA_free(rsa_tmp);
1865 rsa_tmp = NULL;
1866 }
1867end:
1868 BIO_printf(bio_err, "\n");
1869 (void)BIO_flush(bio_err);
1870 }
1871 if (bn)
1872 BN_free(bn);
1873 return (rsa_tmp);
1874}
1875
1876static void
1877free_tmp_rsa(void)
1878{
1879 if (rsa_tmp != NULL) {
1880 RSA_free(rsa_tmp);
1881 rsa_tmp = NULL;
1882 }
1883}
1884
1885/* These DH parameters have been generated as follows:
1886 * $ openssl dhparam -C -noout 1024
1887 * $ openssl dhparam -C -noout -dsaparam 1024
1888 * (The second function has been renamed to avoid name conflicts.)
1889 */
1890static DH *
1891get_dh1024()
1892{
1893 static unsigned char dh1024_p[] = {
1894 0xF8, 0x81, 0x89, 0x7D, 0x14, 0x24, 0xC5, 0xD1, 0xE6, 0xF7, 0xBF, 0x3A,
1895 0xE4, 0x90, 0xF4, 0xFC, 0x73, 0xFB, 0x34, 0xB5, 0xFA, 0x4C, 0x56, 0xA2,
1896 0xEA, 0xA7, 0xE9, 0xC0, 0xC0, 0xCE, 0x89, 0xE1, 0xFA, 0x63, 0x3F, 0xB0,
1897 0x6B, 0x32, 0x66, 0xF1, 0xD1, 0x7B, 0xB0, 0x00, 0x8F, 0xCA, 0x87, 0xC2,
1898 0xAE, 0x98, 0x89, 0x26, 0x17, 0xC2, 0x05, 0xD2, 0xEC, 0x08, 0xD0, 0x8C,
1899 0xFF, 0x17, 0x52, 0x8C, 0xC5, 0x07, 0x93, 0x03, 0xB1, 0xF6, 0x2F, 0xB8,
1900 0x1C, 0x52, 0x47, 0x27, 0x1B, 0xDB, 0xD1, 0x8D, 0x9D, 0x69, 0x1D, 0x52,
1901 0x4B, 0x32, 0x81, 0xAA, 0x7F, 0x00, 0xC8, 0xDC, 0xE6, 0xD9, 0xCC, 0xC1,
1902 0x11, 0x2D, 0x37, 0x34, 0x6C, 0xEA, 0x02, 0x97, 0x4B, 0x0E, 0xBB, 0xB1,
1903 0x71, 0x33, 0x09, 0x15, 0xFD, 0xDD, 0x23, 0x87, 0x07, 0x5E, 0x89, 0xAB,
1904 0x6B, 0x7C, 0x5F, 0xEC, 0xA6, 0x24, 0xDC, 0x53,
1905 };
1906 static unsigned char dh1024_g[] = {
1907 0x02,
1908 };
1909 DH *dh;
1910
1911 if ((dh = DH_new()) == NULL)
1912 return (NULL);
1913 dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
1914 dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
1915 if ((dh->p == NULL) || (dh->g == NULL)) {
1916 DH_free(dh);
1917 return (NULL);
1918 }
1919 return (dh);
1920}
1921
1922static DH *
1923get_dh1024dsa()
1924{
1925 static unsigned char dh1024_p[] = {
1926 0xC8, 0x00, 0xF7, 0x08, 0x07, 0x89, 0x4D, 0x90, 0x53, 0xF3, 0xD5, 0x00,
1927 0x21, 0x1B, 0xF7, 0x31, 0xA6, 0xA2, 0xDA, 0x23, 0x9A, 0xC7, 0x87, 0x19,
1928 0x3B, 0x47, 0xB6, 0x8C, 0x04, 0x6F, 0xFF, 0xC6, 0x9B, 0xB8, 0x65, 0xD2,
1929 0xC2, 0x5F, 0x31, 0x83, 0x4A, 0xA7, 0x5F, 0x2F, 0x88, 0x38, 0xB6, 0x55,
1930 0xCF, 0xD9, 0x87, 0x6D, 0x6F, 0x9F, 0xDA, 0xAC, 0xA6, 0x48, 0xAF, 0xFC,
1931 0x33, 0x84, 0x37, 0x5B, 0x82, 0x4A, 0x31, 0x5D, 0xE7, 0xBD, 0x52, 0x97,
1932 0xA1, 0x77, 0xBF, 0x10, 0x9E, 0x37, 0xEA, 0x64, 0xFA, 0xCA, 0x28, 0x8D,
1933 0x9D, 0x3B, 0xD2, 0x6E, 0x09, 0x5C, 0x68, 0xC7, 0x45, 0x90, 0xFD, 0xBB,
1934 0x70, 0xC9, 0x3A, 0xBB, 0xDF, 0xD4, 0x21, 0x0F, 0xC4, 0x6A, 0x3C, 0xF6,
1935 0x61, 0xCF, 0x3F, 0xD6, 0x13, 0xF1, 0x5F, 0xBC, 0xCF, 0xBC, 0x26, 0x9E,
1936 0xBC, 0x0B, 0xBD, 0xAB, 0x5D, 0xC9, 0x54, 0x39,
1937 };
1938 static unsigned char dh1024_g[] = {
1939 0x3B, 0x40, 0x86, 0xE7, 0xF3, 0x6C, 0xDE, 0x67, 0x1C, 0xCC, 0x80, 0x05,
1940 0x5A, 0xDF, 0xFE, 0xBD, 0x20, 0x27, 0x74, 0x6C, 0x24, 0xC9, 0x03, 0xF3,
1941 0xE1, 0x8D, 0xC3, 0x7D, 0x98, 0x27, 0x40, 0x08, 0xB8, 0x8C, 0x6A, 0xE9,
1942 0xBB, 0x1A, 0x3A, 0xD6, 0x86, 0x83, 0x5E, 0x72, 0x41, 0xCE, 0x85, 0x3C,
1943 0xD2, 0xB3, 0xFC, 0x13, 0xCE, 0x37, 0x81, 0x9E, 0x4C, 0x1C, 0x7B, 0x65,
1944 0xD3, 0xE6, 0xA6, 0x00, 0xF5, 0x5A, 0x95, 0x43, 0x5E, 0x81, 0xCF, 0x60,
1945 0xA2, 0x23, 0xFC, 0x36, 0xA7, 0x5D, 0x7A, 0x4C, 0x06, 0x91, 0x6E, 0xF6,
1946 0x57, 0xEE, 0x36, 0xCB, 0x06, 0xEA, 0xF5, 0x3D, 0x95, 0x49, 0xCB, 0xA7,
1947 0xDD, 0x81, 0xDF, 0x80, 0x09, 0x4A, 0x97, 0x4D, 0xA8, 0x22, 0x72, 0xA1,
1948 0x7F, 0xC4, 0x70, 0x56, 0x70, 0xE8, 0x20, 0x10, 0x18, 0x8F, 0x2E, 0x60,
1949 0x07, 0xE7, 0x68, 0x1A, 0x82, 0x5D, 0x32, 0xA2,
1950 };
1951 DH *dh;
1952
1953 if ((dh = DH_new()) == NULL)
1954 return (NULL);
1955 dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
1956 dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
1957 if ((dh->p == NULL) || (dh->g == NULL)) {
1958 DH_free(dh);
1959 return (NULL);
1960 }
1961 dh->length = 160;
1962 return (dh);
1963}
1964
1965static int
1966do_test_cipherlist(void)
1967{
1968 int i = 0;
1969 const SSL_METHOD *meth;
1970 const SSL_CIPHER *ci, *tci = NULL;
1971
1972 fprintf(stderr, "testing TLSv1 cipher list order: ");
1973 meth = TLSv1_method();
1974 tci = NULL;
1975 while ((ci = meth->get_cipher(i++)) != NULL) {
1976 if (tci != NULL) {
1977 if (ci->id >= tci->id) {
1978 fprintf(stderr,
1979 "failed %lx vs. %lx\n", ci->id, tci->id);
1980 return 0;
1981 }
1982 }
1983 tci = ci;
1984 }
1985 fprintf(stderr, "ok\n");
1986
1987 return 1;
1988}
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-12-27 12:32:42 +0000