summaryrefslogtreecommitdiff
path: root/src/lib/libssl/src/ssl/ssltest.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libssl/src/ssl/ssltest.c')
-rw-r--r--src/lib/libssl/src/ssl/ssltest.c2579
1 files changed, 2579 insertions, 0 deletions
diff --git a/src/lib/libssl/src/ssl/ssltest.c b/src/lib/libssl/src/ssl/ssltest.c
new file mode 100644
index 0000000000..a0e2af6647
--- /dev/null
+++ b/src/lib/libssl/src/ssl/ssltest.c
@@ -0,0 +1,2579 @@
1/* ssl/ssltest.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111/* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 * ECC cipher suite support in OpenSSL originally developed by
114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
115 */
116/* ====================================================================
117 * Copyright 2005 Nokia. All rights reserved.
118 *
119 * The portions of the attached software ("Contribution") is developed by
120 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
121 * license.
122 *
123 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
124 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
125 * support (see RFC 4279) to OpenSSL.
126 *
127 * No patent licenses or other rights except those expressly stated in
128 * the OpenSSL open source license shall be deemed granted or received
129 * expressly, by implication, estoppel, or otherwise.
130 *
131 * No assurances are provided by Nokia that the Contribution does not
132 * infringe the patent or other intellectual property rights of any third
133 * party or that the license provides you with all the necessary rights
134 * to make use of the Contribution.
135 *
136 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
137 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
138 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
139 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
140 * OTHERWISE.
141 */
142
143#define _BSD_SOURCE 1 /* Or gethostname won't be declared properly
144 on Linux and GNU platforms. */
145
146#include <assert.h>
147#include <errno.h>
148#include <limits.h>
149#include <stdio.h>
150#include <stdlib.h>
151#include <string.h>
152#include <time.h>
153#include <inttypes.h>
154#include <ctype.h>
155
156#define USE_SOCKETS
157#include "e_os.h"
158
159#ifdef OPENSSL_SYS_VMS
160#define _XOPEN_SOURCE 500 /* Or isascii won't be declared properly on
161 VMS (at least with DECompHP C). */
162#endif
163
164#include <ctype.h>
165
166#include <openssl/bio.h>
167#include <openssl/crypto.h>
168#include <openssl/evp.h>
169#include <openssl/x509.h>
170#include <openssl/x509v3.h>
171#include <openssl/ssl.h>
172#ifndef OPENSSL_NO_ENGINE
173#include <openssl/engine.h>
174#endif
175#include <openssl/err.h>
176#include <openssl/rand.h>
177#ifndef OPENSSL_NO_RSA
178#include <openssl/rsa.h>
179#endif
180#ifndef OPENSSL_NO_DSA
181#include <openssl/dsa.h>
182#endif
183#ifndef OPENSSL_NO_DH
184#include <openssl/dh.h>
185#endif
186#ifndef OPENSSL_NO_SRP
187#include <openssl/srp.h>
188#endif
189#include <openssl/bn.h>
190
191#define _XOPEN_SOURCE_EXTENDED 1 /* Or gethostname won't be declared properly
192 on Compaq platforms (at least with DEC C).
193 Do not try to put it earlier, or IPv6 includes
194 get screwed...
195 */
196
197#ifdef OPENSSL_SYS_WINDOWS
198#include <winsock.h>
199#else
200#include OPENSSL_UNISTD
201#endif
202
203#ifdef OPENSSL_SYS_VMS
204# define TEST_SERVER_CERT "SYS$DISK:[-.APPS]SERVER.PEM"
205# define TEST_CLIENT_CERT "SYS$DISK:[-.APPS]CLIENT.PEM"
206#elif defined(OPENSSL_SYS_WINCE)
207# define TEST_SERVER_CERT "\\OpenSSL\\server.pem"
208# define TEST_CLIENT_CERT "\\OpenSSL\\client.pem"
209#elif defined(OPENSSL_SYS_NETWARE)
210# define TEST_SERVER_CERT "\\openssl\\apps\\server.pem"
211# define TEST_CLIENT_CERT "\\openssl\\apps\\client.pem"
212#else
213# define TEST_SERVER_CERT "../apps/server.pem"
214# define TEST_CLIENT_CERT "../apps/client.pem"
215#endif
216
217/* There is really no standard for this, so let's assign some tentative
218 numbers. In any case, these numbers are only for this test */
219#define COMP_RLE 255
220#define COMP_ZLIB 1
221
222static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
223#ifndef OPENSSL_NO_RSA
224static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export,int keylength);
225static void free_tmp_rsa(void);
226#endif
227static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg);
228#define APP_CALLBACK_STRING "Test Callback Argument"
229struct app_verify_arg
230 {
231 char *string;
232 int app_verify;
233 int allow_proxy_certs;
234 char *proxy_auth;
235 char *proxy_cond;
236 };
237
238#ifndef OPENSSL_NO_DH
239static DH *get_dh512(void);
240static DH *get_dh1024(void);
241static DH *get_dh1024dsa(void);
242#endif
243
244
245static char *psk_key=NULL; /* by default PSK is not used */
246#ifndef OPENSSL_NO_PSK
247static unsigned int psk_client_callback(SSL *ssl, const char *hint, char *identity,
248 unsigned int max_identity_len, unsigned char *psk,
249 unsigned int max_psk_len);
250static unsigned int psk_server_callback(SSL *ssl, const char *identity, unsigned char *psk,
251 unsigned int max_psk_len);
252#endif
253
254#ifndef OPENSSL_NO_SRP
255/* SRP client */
256/* This is a context that we pass to all callbacks */
257typedef struct srp_client_arg_st
258 {
259 char *srppassin;
260 char *srplogin;
261 } SRP_CLIENT_ARG;
262
263#define PWD_STRLEN 1024
264
265static char * MS_CALLBACK ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
266 {
267 SRP_CLIENT_ARG *srp_client_arg = (SRP_CLIENT_ARG *)arg;
268 return BUF_strdup((char *)srp_client_arg->srppassin);
269 }
270
271/* SRP server */
272/* This is a context that we pass to SRP server callbacks */
273typedef struct srp_server_arg_st
274 {
275 char *expected_user;
276 char *pass;
277 } SRP_SERVER_ARG;
278
279static int MS_CALLBACK ssl_srp_server_param_cb(SSL *s, int *ad, void *arg)
280 {
281 SRP_SERVER_ARG * p = (SRP_SERVER_ARG *) arg;
282
283 if (strcmp(p->expected_user, SSL_get_srp_username(s)) != 0)
284 {
285 fprintf(stderr, "User %s doesn't exist\n", SSL_get_srp_username(s));
286 return SSL3_AL_FATAL;
287 }
288 if (SSL_set_srp_server_param_pw(s,p->expected_user,p->pass,"1024")<0)
289 {
290 *ad = SSL_AD_INTERNAL_ERROR;
291 return SSL3_AL_FATAL;
292 }
293 return SSL_ERROR_NONE;
294 }
295#endif
296
297static BIO *bio_err=NULL;
298static BIO *bio_stdout=NULL;
299
300static char *cipher=NULL;
301static int verbose=0;
302static int debug=0;
303#if 0
304/* Not used yet. */
305#ifdef FIONBIO
306static int s_nbio=0;
307#endif
308#endif
309
310static const char rnd_seed[] = "string to make the random number generator think it has entropy";
311
312int doit_biopair(SSL *s_ssl,SSL *c_ssl,long bytes,clock_t *s_time,clock_t *c_time);
313int doit(SSL *s_ssl,SSL *c_ssl,long bytes);
314static int do_test_cipherlist(void);
315static void sv_usage(void)
316 {
317 fprintf(stderr,"usage: ssltest [args ...]\n");
318 fprintf(stderr,"\n");
319#ifdef OPENSSL_FIPS
320 fprintf(stderr,"-F - run test in FIPS mode\n");
321#endif
322 fprintf(stderr," -server_auth - check server certificate\n");
323 fprintf(stderr," -client_auth - do client authentication\n");
324 fprintf(stderr," -proxy - allow proxy certificates\n");
325 fprintf(stderr," -proxy_auth <val> - set proxy policy rights\n");
326 fprintf(stderr," -proxy_cond <val> - experssion to test proxy policy rights\n");
327 fprintf(stderr," -v - more output\n");
328 fprintf(stderr," -d - debug output\n");
329 fprintf(stderr," -reuse - use session-id reuse\n");
330 fprintf(stderr," -num <val> - number of connections to perform\n");
331 fprintf(stderr," -bytes <val> - number of bytes to swap between client/server\n");
332#ifndef OPENSSL_NO_DH
333 fprintf(stderr," -dhe1024 - use 1024 bit key (safe prime) for DHE\n");
334 fprintf(stderr," -dhe1024dsa - use 1024 bit key (with 160-bit subprime) for DHE\n");
335 fprintf(stderr," -no_dhe - disable DHE\n");
336#endif
337#ifndef OPENSSL_NO_ECDH
338 fprintf(stderr," -no_ecdhe - disable ECDHE\n");
339#endif
340#ifndef OPENSSL_NO_PSK
341 fprintf(stderr," -psk arg - PSK in hex (without 0x)\n");
342#endif
343#ifndef OPENSSL_NO_SRP
344 fprintf(stderr," -srpuser user - SRP username to use\n");
345 fprintf(stderr," -srppass arg - password for 'user'\n");
346#endif
347#ifndef OPENSSL_NO_SSL2
348 fprintf(stderr," -ssl2 - use SSLv2\n");
349#endif
350#ifndef OPENSSL_NO_SSL3
351 fprintf(stderr," -ssl3 - use SSLv3\n");
352#endif
353#ifndef OPENSSL_NO_TLS1
354 fprintf(stderr," -tls1 - use TLSv1\n");
355#endif
356 fprintf(stderr," -CApath arg - PEM format directory of CA's\n");
357 fprintf(stderr," -CAfile arg - PEM format file of CA's\n");
358 fprintf(stderr," -cert arg - Server certificate file\n");
359 fprintf(stderr," -key arg - Server key file (default: same as -cert)\n");
360 fprintf(stderr," -c_cert arg - Client certificate file\n");
361 fprintf(stderr," -c_key arg - Client key file (default: same as -c_cert)\n");
362 fprintf(stderr," -cipher arg - The cipher list\n");
363 fprintf(stderr," -bio_pair - Use BIO pairs\n");
364 fprintf(stderr," -f - Test even cases that can't work\n");
365 fprintf(stderr," -time - measure processor time used by client and server\n");
366 fprintf(stderr," -zlib - use zlib compression\n");
367 fprintf(stderr," -rle - use rle compression\n");
368#ifndef OPENSSL_NO_ECDH
369 fprintf(stderr," -named_curve arg - Elliptic curve name to use for ephemeral ECDH keys.\n" \
370 " Use \"openssl ecparam -list_curves\" for all names\n" \
371 " (default is sect163r2).\n");
372#endif
373 fprintf(stderr," -test_cipherlist - verifies the order of the ssl cipher lists\n");
374 }
375
376static void print_details(SSL *c_ssl, const char *prefix)
377 {
378 const SSL_CIPHER *ciph;
379 X509 *cert;
380
381 ciph=SSL_get_current_cipher(c_ssl);
382 BIO_printf(bio_stdout,"%s%s, cipher %s %s",
383 prefix,
384 SSL_get_version(c_ssl),
385 SSL_CIPHER_get_version(ciph),
386 SSL_CIPHER_get_name(ciph));
387 cert=SSL_get_peer_certificate(c_ssl);
388 if (cert != NULL)
389 {
390 EVP_PKEY *pkey = X509_get_pubkey(cert);
391 if (pkey != NULL)
392 {
393 if (0)
394 ;
395#ifndef OPENSSL_NO_RSA
396 else if (pkey->type == EVP_PKEY_RSA && pkey->pkey.rsa != NULL
397 && pkey->pkey.rsa->n != NULL)
398 {
399 BIO_printf(bio_stdout, ", %d bit RSA",
400 BN_num_bits(pkey->pkey.rsa->n));
401 }
402#endif
403#ifndef OPENSSL_NO_DSA
404 else if (pkey->type == EVP_PKEY_DSA && pkey->pkey.dsa != NULL
405 && pkey->pkey.dsa->p != NULL)
406 {
407 BIO_printf(bio_stdout, ", %d bit DSA",
408 BN_num_bits(pkey->pkey.dsa->p));
409 }
410#endif
411 EVP_PKEY_free(pkey);
412 }
413 X509_free(cert);
414 }
415 /* The SSL API does not allow us to look at temporary RSA/DH keys,
416 * otherwise we should print their lengths too */
417 BIO_printf(bio_stdout,"\n");
418 }
419
420static void lock_dbg_cb(int mode, int type, const char *file, int line)
421 {
422 static int modes[CRYPTO_NUM_LOCKS]; /* = {0, 0, ... } */
423 const char *errstr = NULL;
424 int rw;
425
426 rw = mode & (CRYPTO_READ|CRYPTO_WRITE);
427 if (!((rw == CRYPTO_READ) || (rw == CRYPTO_WRITE)))
428 {
429 errstr = "invalid mode";
430 goto err;
431 }
432
433 if (type < 0 || type >= CRYPTO_NUM_LOCKS)
434 {
435 errstr = "type out of bounds";
436 goto err;
437 }
438
439 if (mode & CRYPTO_LOCK)
440 {
441 if (modes[type])
442 {
443 errstr = "already locked";
444 /* must not happen in a single-threaded program
445 * (would deadlock) */
446 goto err;
447 }
448
449 modes[type] = rw;
450 }
451 else if (mode & CRYPTO_UNLOCK)
452 {
453 if (!modes[type])
454 {
455 errstr = "not locked";
456 goto err;
457 }
458
459 if (modes[type] != rw)
460 {
461 errstr = (rw == CRYPTO_READ) ?
462 "CRYPTO_r_unlock on write lock" :
463 "CRYPTO_w_unlock on read lock";
464 }
465
466 modes[type] = 0;
467 }
468 else
469 {
470 errstr = "invalid mode";
471 goto err;
472 }
473
474 err:
475 if (errstr)
476 {
477 /* we cannot use bio_err here */
478 fprintf(stderr, "openssl (lock_dbg_cb): %s (mode=%d, type=%d) at %s:%d\n",
479 errstr, mode, type, file, line);
480 }
481 }
482
483#ifdef TLSEXT_TYPE_opaque_prf_input
484struct cb_info_st { void *input; size_t len; int ret; };
485struct cb_info_st co1 = { "C", 1, 1 }; /* try to negotiate oqaque PRF input */
486struct cb_info_st co2 = { "C", 1, 2 }; /* insist on oqaque PRF input */
487struct cb_info_st so1 = { "S", 1, 1 }; /* try to negotiate oqaque PRF input */
488struct cb_info_st so2 = { "S", 1, 2 }; /* insist on oqaque PRF input */
489
490int opaque_prf_input_cb(SSL *ssl, void *peerinput, size_t len, void *arg_)
491 {
492 struct cb_info_st *arg = arg_;
493
494 if (arg == NULL)
495 return 1;
496
497 if (!SSL_set_tlsext_opaque_prf_input(ssl, arg->input, arg->len))
498 return 0;
499 return arg->ret;
500 }
501#endif
502
503int main(int argc, char *argv[])
504 {
505 char *CApath=NULL,*CAfile=NULL;
506 int badop=0;
507 int bio_pair=0;
508 int force=0;
509 int tls1=0,ssl2=0,ssl3=0,ret=1;
510 int client_auth=0;
511 int server_auth=0,i;
512 struct app_verify_arg app_verify_arg =
513 { APP_CALLBACK_STRING, 0, 0, NULL, NULL };
514 char *server_cert=TEST_SERVER_CERT;
515 char *server_key=NULL;
516 char *client_cert=TEST_CLIENT_CERT;
517 char *client_key=NULL;
518#ifndef OPENSSL_NO_ECDH
519 char *named_curve = NULL;
520#endif
521 SSL_CTX *s_ctx=NULL;
522 SSL_CTX *c_ctx=NULL;
523 const SSL_METHOD *meth=NULL;
524 SSL *c_ssl,*s_ssl;
525 int number=1,reuse=0;
526 long bytes=256L;
527#ifndef OPENSSL_NO_DH
528 DH *dh;
529 int dhe1024 = 0, dhe1024dsa = 0;
530#endif
531#ifndef OPENSSL_NO_ECDH
532 EC_KEY *ecdh = NULL;
533#endif
534#ifndef OPENSSL_NO_SRP
535 /* client */
536 SRP_CLIENT_ARG srp_client_arg = {NULL,NULL};
537 /* server */
538 SRP_SERVER_ARG srp_server_arg = {NULL,NULL};
539#endif
540 int no_dhe = 0;
541 int no_ecdhe = 0;
542 int no_psk = 0;
543 int print_time = 0;
544 clock_t s_time = 0, c_time = 0;
545 int comp = 0;
546#ifndef OPENSSL_NO_COMP
547 COMP_METHOD *cm = NULL;
548#endif
549 STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
550 int test_cipherlist = 0;
551#ifdef OPENSSL_FIPS
552 int fips_mode=0;
553#endif
554
555 verbose = 0;
556 debug = 0;
557 cipher = 0;
558
559 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE|BIO_FP_TEXT);
560
561 CRYPTO_set_locking_callback(lock_dbg_cb);
562
563 /* enable memory leak checking unless explicitly disabled */
564 if (!((getenv("OPENSSL_DEBUG_MEMORY") != NULL) && (0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off"))))
565 {
566 CRYPTO_malloc_debug_init();
567 CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
568 }
569 else
570 {
571 /* OPENSSL_DEBUG_MEMORY=off */
572 CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0);
573 }
574 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
575
576 RAND_seed(rnd_seed, sizeof rnd_seed);
577
578 bio_stdout=BIO_new_fp(stdout,BIO_NOCLOSE|BIO_FP_TEXT);
579
580 argc--;
581 argv++;
582
583 while (argc >= 1)
584 {
585 if(!strcmp(*argv,"-F"))
586 {
587#ifdef OPENSSL_FIPS
588 fips_mode=1;
589#else
590 fprintf(stderr,"not compiled with FIPS support, so exitting without running.\n");
591 EXIT(0);
592#endif
593 }
594 else if (strcmp(*argv,"-server_auth") == 0)
595 server_auth=1;
596 else if (strcmp(*argv,"-client_auth") == 0)
597 client_auth=1;
598 else if (strcmp(*argv,"-proxy_auth") == 0)
599 {
600 if (--argc < 1) goto bad;
601 app_verify_arg.proxy_auth= *(++argv);
602 }
603 else if (strcmp(*argv,"-proxy_cond") == 0)
604 {
605 if (--argc < 1) goto bad;
606 app_verify_arg.proxy_cond= *(++argv);
607 }
608 else if (strcmp(*argv,"-v") == 0)
609 verbose=1;
610 else if (strcmp(*argv,"-d") == 0)
611 debug=1;
612 else if (strcmp(*argv,"-reuse") == 0)
613 reuse=1;
614 else if (strcmp(*argv,"-dhe1024") == 0)
615 {
616#ifndef OPENSSL_NO_DH
617 dhe1024=1;
618#else
619 fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n");
620#endif
621 }
622 else if (strcmp(*argv,"-dhe1024dsa") == 0)
623 {
624#ifndef OPENSSL_NO_DH
625 dhe1024dsa=1;
626#else
627 fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n");
628#endif
629 }
630 else if (strcmp(*argv,"-no_dhe") == 0)
631 no_dhe=1;
632 else if (strcmp(*argv,"-no_ecdhe") == 0)
633 no_ecdhe=1;
634 else if (strcmp(*argv,"-psk") == 0)
635 {
636 if (--argc < 1) goto bad;
637 psk_key=*(++argv);
638#ifndef OPENSSL_NO_PSK
639 if (strspn(psk_key, "abcdefABCDEF1234567890") != strlen(psk_key))
640 {
641 BIO_printf(bio_err,"Not a hex number '%s'\n",*argv);
642 goto bad;
643 }
644#else
645 no_psk=1;
646#endif
647 }
648#ifndef OPENSSL_NO_SRP
649 else if (strcmp(*argv,"-srpuser") == 0)
650 {
651 if (--argc < 1) goto bad;
652 srp_server_arg.expected_user = srp_client_arg.srplogin= *(++argv);
653 tls1=1;
654 }
655 else if (strcmp(*argv,"-srppass") == 0)
656 {
657 if (--argc < 1) goto bad;
658 srp_server_arg.pass = srp_client_arg.srppassin= *(++argv);
659 tls1=1;
660 }
661#endif
662 else if (strcmp(*argv,"-ssl2") == 0)
663 ssl2=1;
664 else if (strcmp(*argv,"-tls1") == 0)
665 tls1=1;
666 else if (strcmp(*argv,"-ssl3") == 0)
667 ssl3=1;
668 else if (strncmp(*argv,"-num",4) == 0)
669 {
670 if (--argc < 1) goto bad;
671 number= atoi(*(++argv));
672 if (number == 0) number=1;
673 }
674 else if (strcmp(*argv,"-bytes") == 0)
675 {
676 if (--argc < 1) goto bad;
677 bytes= atol(*(++argv));
678 if (bytes == 0L) bytes=1L;
679 i=strlen(argv[0]);
680 if (argv[0][i-1] == 'k') bytes*=1024L;
681 if (argv[0][i-1] == 'm') bytes*=1024L*1024L;
682 }
683 else if (strcmp(*argv,"-cert") == 0)
684 {
685 if (--argc < 1) goto bad;
686 server_cert= *(++argv);
687 }
688 else if (strcmp(*argv,"-s_cert") == 0)
689 {
690 if (--argc < 1) goto bad;
691 server_cert= *(++argv);
692 }
693 else if (strcmp(*argv,"-key") == 0)
694 {
695 if (--argc < 1) goto bad;
696 server_key= *(++argv);
697 }
698 else if (strcmp(*argv,"-s_key") == 0)
699 {
700 if (--argc < 1) goto bad;
701 server_key= *(++argv);
702 }
703 else if (strcmp(*argv,"-c_cert") == 0)
704 {
705 if (--argc < 1) goto bad;
706 client_cert= *(++argv);
707 }
708 else if (strcmp(*argv,"-c_key") == 0)
709 {
710 if (--argc < 1) goto bad;
711 client_key= *(++argv);
712 }
713 else if (strcmp(*argv,"-cipher") == 0)
714 {
715 if (--argc < 1) goto bad;
716 cipher= *(++argv);
717 }
718 else if (strcmp(*argv,"-CApath") == 0)
719 {
720 if (--argc < 1) goto bad;
721 CApath= *(++argv);
722 }
723 else if (strcmp(*argv,"-CAfile") == 0)
724 {
725 if (--argc < 1) goto bad;
726 CAfile= *(++argv);
727 }
728 else if (strcmp(*argv,"-bio_pair") == 0)
729 {
730 bio_pair = 1;
731 }
732 else if (strcmp(*argv,"-f") == 0)
733 {
734 force = 1;
735 }
736 else if (strcmp(*argv,"-time") == 0)
737 {
738 print_time = 1;
739 }
740 else if (strcmp(*argv,"-zlib") == 0)
741 {
742 comp = COMP_ZLIB;
743 }
744 else if (strcmp(*argv,"-rle") == 0)
745 {
746 comp = COMP_RLE;
747 }
748 else if (strcmp(*argv,"-named_curve") == 0)
749 {
750 if (--argc < 1) goto bad;
751#ifndef OPENSSL_NO_ECDH
752 named_curve = *(++argv);
753#else
754 fprintf(stderr,"ignoring -named_curve, since I'm compiled without ECDH\n");
755 ++argv;
756#endif
757 }
758 else if (strcmp(*argv,"-app_verify") == 0)
759 {
760 app_verify_arg.app_verify = 1;
761 }
762 else if (strcmp(*argv,"-proxy") == 0)
763 {
764 app_verify_arg.allow_proxy_certs = 1;
765 }
766 else if (strcmp(*argv,"-test_cipherlist") == 0)
767 {
768 test_cipherlist = 1;
769 }
770 else
771 {
772 fprintf(stderr,"unknown option %s\n",*argv);
773 badop=1;
774 break;
775 }
776 argc--;
777 argv++;
778 }
779 if (badop)
780 {
781bad:
782 sv_usage();
783 goto end;
784 }
785
786 if (test_cipherlist == 1)
787 {
788 /* ensure that the cipher list are correctly sorted and exit */
789 if (do_test_cipherlist() == 0)
790 EXIT(1);
791 ret = 0;
792 goto end;
793 }
794
795 if (!ssl2 && !ssl3 && !tls1 && number > 1 && !reuse && !force)
796 {
797 fprintf(stderr, "This case cannot work. Use -f to perform "
798 "the test anyway (and\n-d to see what happens), "
799 "or add one of -ssl2, -ssl3, -tls1, -reuse\n"
800 "to avoid protocol mismatch.\n");
801 EXIT(1);
802 }
803
804#ifdef OPENSSL_FIPS
805 if(fips_mode)
806 {
807 if(!FIPS_mode_set(1))
808 {
809 ERR_load_crypto_strings();
810 ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
811 EXIT(1);
812 }
813 else
814 fprintf(stderr,"*** IN FIPS MODE ***\n");
815 }
816#endif
817
818 if (print_time)
819 {
820 if (!bio_pair)
821 {
822 fprintf(stderr, "Using BIO pair (-bio_pair)\n");
823 bio_pair = 1;
824 }
825 if (number < 50 && !force)
826 fprintf(stderr, "Warning: For accurate timings, use more connections (e.g. -num 1000)\n");
827 }
828
829/* if (cipher == NULL) cipher=getenv("SSL_CIPHER"); */
830
831 SSL_library_init();
832 SSL_load_error_strings();
833
834#ifndef OPENSSL_NO_COMP
835 if (comp == COMP_ZLIB) cm = COMP_zlib();
836 if (comp == COMP_RLE) cm = COMP_rle();
837 if (cm != NULL)
838 {
839 if (cm->type != NID_undef)
840 {
841 if (SSL_COMP_add_compression_method(comp, cm) != 0)
842 {
843 fprintf(stderr,
844 "Failed to add compression method\n");
845 ERR_print_errors_fp(stderr);
846 }
847 }
848 else
849 {
850 fprintf(stderr,
851 "Warning: %s compression not supported\n",
852 (comp == COMP_RLE ? "rle" :
853 (comp == COMP_ZLIB ? "zlib" :
854 "unknown")));
855 ERR_print_errors_fp(stderr);
856 }
857 }
858 ssl_comp_methods = SSL_COMP_get_compression_methods();
859 fprintf(stderr, "Available compression methods:\n");
860 {
861 int j, n = sk_SSL_COMP_num(ssl_comp_methods);
862 if (n == 0)
863 fprintf(stderr, " NONE\n");
864 else
865 for (j = 0; j < n; j++)
866 {
867 SSL_COMP *c = sk_SSL_COMP_value(ssl_comp_methods, j);
868 fprintf(stderr, " %d: %s\n", c->id, c->name);
869 }
870 }
871#endif
872
873#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
874 if (ssl2)
875 meth=SSLv2_method();
876 else
877 if (tls1)
878 meth=TLSv1_method();
879 else
880 if (ssl3)
881 meth=SSLv3_method();
882 else
883 meth=SSLv23_method();
884#else
885#ifdef OPENSSL_NO_SSL2
886 meth=SSLv3_method();
887#else
888 meth=SSLv2_method();
889#endif
890#endif
891
892 c_ctx=SSL_CTX_new(meth);
893 s_ctx=SSL_CTX_new(meth);
894 if ((c_ctx == NULL) || (s_ctx == NULL))
895 {
896 ERR_print_errors(bio_err);
897 goto end;
898 }
899
900 if (cipher != NULL)
901 {
902 SSL_CTX_set_cipher_list(c_ctx,cipher);
903 SSL_CTX_set_cipher_list(s_ctx,cipher);
904 }
905
906#ifndef OPENSSL_NO_DH
907 if (!no_dhe)
908 {
909 if (dhe1024dsa)
910 {
911 /* use SSL_OP_SINGLE_DH_USE to avoid small subgroup attacks */
912 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);
913 dh=get_dh1024dsa();
914 }
915 else if (dhe1024)
916 dh=get_dh1024();
917 else
918 dh=get_dh512();
919 SSL_CTX_set_tmp_dh(s_ctx,dh);
920 DH_free(dh);
921 }
922#else
923 (void)no_dhe;
924#endif
925
926#ifndef OPENSSL_NO_ECDH
927 if (!no_ecdhe)
928 {
929 int nid;
930
931 if (named_curve != NULL)
932 {
933 nid = OBJ_sn2nid(named_curve);
934 if (nid == 0)
935 {
936 BIO_printf(bio_err, "unknown curve name (%s)\n", named_curve);
937 goto end;
938 }
939 }
940 else
941#ifdef OPENSSL_NO_EC2M
942 nid = NID_X9_62_prime256v1;
943#else
944 nid = NID_sect163r2;
945#endif
946
947 ecdh = EC_KEY_new_by_curve_name(nid);
948 if (ecdh == NULL)
949 {
950 BIO_printf(bio_err, "unable to create curve\n");
951 goto end;
952 }
953
954 SSL_CTX_set_tmp_ecdh(s_ctx, ecdh);
955 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_ECDH_USE);
956 EC_KEY_free(ecdh);
957 }
958#else
959 (void)no_ecdhe;
960#endif
961
962#ifndef OPENSSL_NO_RSA
963 SSL_CTX_set_tmp_rsa_callback(s_ctx,tmp_rsa_cb);
964#endif
965
966#ifdef TLSEXT_TYPE_opaque_prf_input
967 SSL_CTX_set_tlsext_opaque_prf_input_callback(c_ctx, opaque_prf_input_cb);
968 SSL_CTX_set_tlsext_opaque_prf_input_callback(s_ctx, opaque_prf_input_cb);
969 SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(c_ctx, &co1); /* or &co2 or NULL */
970 SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(s_ctx, &so1); /* or &so2 or NULL */
971#endif
972
973 if (!SSL_CTX_use_certificate_file(s_ctx,server_cert,SSL_FILETYPE_PEM))
974 {
975 ERR_print_errors(bio_err);
976 }
977 else if (!SSL_CTX_use_PrivateKey_file(s_ctx,
978 (server_key?server_key:server_cert), SSL_FILETYPE_PEM))
979 {
980 ERR_print_errors(bio_err);
981 goto end;
982 }
983
984 if (client_auth)
985 {
986 SSL_CTX_use_certificate_file(c_ctx,client_cert,
987 SSL_FILETYPE_PEM);
988 SSL_CTX_use_PrivateKey_file(c_ctx,
989 (client_key?client_key:client_cert),
990 SSL_FILETYPE_PEM);
991 }
992
993 if ( (!SSL_CTX_load_verify_locations(s_ctx,CAfile,CApath)) ||
994 (!SSL_CTX_set_default_verify_paths(s_ctx)) ||
995 (!SSL_CTX_load_verify_locations(c_ctx,CAfile,CApath)) ||
996 (!SSL_CTX_set_default_verify_paths(c_ctx)))
997 {
998 /* fprintf(stderr,"SSL_load_verify_locations\n"); */
999 ERR_print_errors(bio_err);
1000 /* goto end; */
1001 }
1002
1003 if (client_auth)
1004 {
1005 BIO_printf(bio_err,"client authentication\n");
1006 SSL_CTX_set_verify(s_ctx,
1007 SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
1008 verify_callback);
1009 SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, &app_verify_arg);
1010 }
1011 if (server_auth)
1012 {
1013 BIO_printf(bio_err,"server authentication\n");
1014 SSL_CTX_set_verify(c_ctx,SSL_VERIFY_PEER,
1015 verify_callback);
1016 SSL_CTX_set_cert_verify_callback(c_ctx, app_verify_callback, &app_verify_arg);
1017 }
1018
1019 {
1020 int session_id_context = 0;
1021 SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context, sizeof session_id_context);
1022 }
1023
1024 /* Use PSK only if PSK key is given */
1025 if (psk_key != NULL)
1026 {
1027 /* no_psk is used to avoid putting psk command to openssl tool */
1028 if (no_psk)
1029 {
1030 /* if PSK is not compiled in and psk key is
1031 * given, do nothing and exit successfully */
1032 ret=0;
1033 goto end;
1034 }
1035#ifndef OPENSSL_NO_PSK
1036 SSL_CTX_set_psk_client_callback(c_ctx, psk_client_callback);
1037 SSL_CTX_set_psk_server_callback(s_ctx, psk_server_callback);
1038 if (debug)
1039 BIO_printf(bio_err,"setting PSK identity hint to s_ctx\n");
1040 if (!SSL_CTX_use_psk_identity_hint(s_ctx, "ctx server identity_hint"))
1041 {
1042 BIO_printf(bio_err,"error setting PSK identity hint to s_ctx\n");
1043 ERR_print_errors(bio_err);
1044 goto end;
1045 }
1046#endif
1047 }
1048#ifndef OPENSSL_NO_SRP
1049 if (srp_client_arg.srplogin)
1050 {
1051 if (!SSL_CTX_set_srp_username(c_ctx, srp_client_arg.srplogin))
1052 {
1053 BIO_printf(bio_err,"Unable to set SRP username\n");
1054 goto end;
1055 }
1056 SSL_CTX_set_srp_cb_arg(c_ctx,&srp_client_arg);
1057 SSL_CTX_set_srp_client_pwd_callback(c_ctx, ssl_give_srp_client_pwd_cb);
1058 /*SSL_CTX_set_srp_strength(c_ctx, srp_client_arg.strength);*/
1059 }
1060
1061 if (srp_server_arg.expected_user != NULL)
1062 {
1063 SSL_CTX_set_verify(s_ctx,SSL_VERIFY_NONE,verify_callback);
1064 SSL_CTX_set_srp_cb_arg(s_ctx, &srp_server_arg);
1065 SSL_CTX_set_srp_username_callback(s_ctx, ssl_srp_server_param_cb);
1066 }
1067#endif
1068
1069 c_ssl=SSL_new(c_ctx);
1070 s_ssl=SSL_new(s_ctx);
1071
1072#ifndef OPENSSL_NO_KRB5
1073 if (c_ssl && c_ssl->kssl_ctx)
1074 {
1075 char localhost[MAXHOSTNAMELEN+2];
1076
1077 if (gethostname(localhost, sizeof localhost-1) == 0)
1078 {
1079 localhost[sizeof localhost-1]='\0';
1080 if(strlen(localhost) == sizeof localhost-1)
1081 {
1082 BIO_printf(bio_err,"localhost name too long\n");
1083 goto end;
1084 }
1085 kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER,
1086 localhost);
1087 }
1088 }
1089#endif /* OPENSSL_NO_KRB5 */
1090
1091 for (i=0; i<number; i++)
1092 {
1093 if (!reuse) SSL_set_session(c_ssl,NULL);
1094 if (bio_pair)
1095 ret=doit_biopair(s_ssl,c_ssl,bytes,&s_time,&c_time);
1096 else
1097 ret=doit(s_ssl,c_ssl,bytes);
1098 }
1099
1100 if (!verbose)
1101 {
1102 print_details(c_ssl, "");
1103 }
1104 if ((number > 1) || (bytes > 1L))
1105 BIO_printf(bio_stdout, "%d handshakes of %ld bytes done\n",number,bytes);
1106 if (print_time)
1107 {
1108#ifdef CLOCKS_PER_SEC
1109 /* "To determine the time in seconds, the value returned
1110 * by the clock function should be divided by the value
1111 * of the macro CLOCKS_PER_SEC."
1112 * -- ISO/IEC 9899 */
1113 BIO_printf(bio_stdout, "Approximate total server time: %6.2f s\n"
1114 "Approximate total client time: %6.2f s\n",
1115 (double)s_time/CLOCKS_PER_SEC,
1116 (double)c_time/CLOCKS_PER_SEC);
1117#else
1118 /* "`CLOCKS_PER_SEC' undeclared (first use this function)"
1119 * -- cc on NeXTstep/OpenStep */
1120 BIO_printf(bio_stdout,
1121 "Approximate total server time: %6.2f units\n"
1122 "Approximate total client time: %6.2f units\n",
1123 (double)s_time,
1124 (double)c_time);
1125#endif
1126 }
1127
1128 SSL_free(s_ssl);
1129 SSL_free(c_ssl);
1130
1131end:
1132 if (s_ctx != NULL) SSL_CTX_free(s_ctx);
1133 if (c_ctx != NULL) SSL_CTX_free(c_ctx);
1134
1135 if (bio_stdout != NULL) BIO_free(bio_stdout);
1136
1137#ifndef OPENSSL_NO_RSA
1138 free_tmp_rsa();
1139#endif
1140#ifndef OPENSSL_NO_ENGINE
1141 ENGINE_cleanup();
1142#endif
1143 CRYPTO_cleanup_all_ex_data();
1144 ERR_free_strings();
1145 ERR_remove_thread_state(NULL);
1146 EVP_cleanup();
1147 CRYPTO_mem_leaks(bio_err);
1148 if (bio_err != NULL) BIO_free(bio_err);
1149 EXIT(ret);
1150 return ret;
1151 }
1152
1153int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count,
1154 clock_t *s_time, clock_t *c_time)
1155 {
1156 long cw_num = count, cr_num = count, sw_num = count, sr_num = count;
1157 BIO *s_ssl_bio = NULL, *c_ssl_bio = NULL;
1158 BIO *server = NULL, *server_io = NULL, *client = NULL, *client_io = NULL;
1159 int ret = 1;
1160
1161 size_t bufsiz = 256; /* small buffer for testing */
1162
1163 if (!BIO_new_bio_pair(&server, bufsiz, &server_io, bufsiz))
1164 goto err;
1165 if (!BIO_new_bio_pair(&client, bufsiz, &client_io, bufsiz))
1166 goto err;
1167
1168 s_ssl_bio = BIO_new(BIO_f_ssl());
1169 if (!s_ssl_bio)
1170 goto err;
1171
1172 c_ssl_bio = BIO_new(BIO_f_ssl());
1173 if (!c_ssl_bio)
1174 goto err;
1175
1176 SSL_set_connect_state(c_ssl);
1177 SSL_set_bio(c_ssl, client, client);
1178 (void)BIO_set_ssl(c_ssl_bio, c_ssl, BIO_NOCLOSE);
1179
1180 SSL_set_accept_state(s_ssl);
1181 SSL_set_bio(s_ssl, server, server);
1182 (void)BIO_set_ssl(s_ssl_bio, s_ssl, BIO_NOCLOSE);
1183
1184 do
1185 {
1186 /* c_ssl_bio: SSL filter BIO
1187 *
1188 * client: pseudo-I/O for SSL library
1189 *
1190 * client_io: client's SSL communication; usually to be
1191 * relayed over some I/O facility, but in this
1192 * test program, we're the server, too:
1193 *
1194 * server_io: server's SSL communication
1195 *
1196 * server: pseudo-I/O for SSL library
1197 *
1198 * s_ssl_bio: SSL filter BIO
1199 *
1200 * The client and the server each employ a "BIO pair":
1201 * client + client_io, server + server_io.
1202 * BIO pairs are symmetric. A BIO pair behaves similar
1203 * to a non-blocking socketpair (but both endpoints must
1204 * be handled by the same thread).
1205 * [Here we could connect client and server to the ends
1206 * of a single BIO pair, but then this code would be less
1207 * suitable as an example for BIO pairs in general.]
1208 *
1209 * Useful functions for querying the state of BIO pair endpoints:
1210 *
1211 * BIO_ctrl_pending(bio) number of bytes we can read now
1212 * BIO_ctrl_get_read_request(bio) number of bytes needed to fulfil
1213 * other side's read attempt
1214 * BIO_ctrl_get_write_guarantee(bio) number of bytes we can write now
1215 *
1216 * ..._read_request is never more than ..._write_guarantee;
1217 * it depends on the application which one you should use.
1218 */
1219
1220 /* We have non-blocking behaviour throughout this test program, but
1221 * can be sure that there is *some* progress in each iteration; so
1222 * we don't have to worry about ..._SHOULD_READ or ..._SHOULD_WRITE
1223 * -- we just try everything in each iteration
1224 */
1225
1226 {
1227 /* CLIENT */
1228
1229 MS_STATIC char cbuf[1024*8];
1230 int i, r;
1231 clock_t c_clock = clock();
1232
1233 memset(cbuf, 0, sizeof(cbuf));
1234
1235 if (debug)
1236 if (SSL_in_init(c_ssl))
1237 printf("client waiting in SSL_connect - %s\n",
1238 SSL_state_string_long(c_ssl));
1239
1240 if (cw_num > 0)
1241 {
1242 /* Write to server. */
1243
1244 if (cw_num > (long)sizeof cbuf)
1245 i = sizeof cbuf;
1246 else
1247 i = (int)cw_num;
1248 r = BIO_write(c_ssl_bio, cbuf, i);
1249 if (r < 0)
1250 {
1251 if (!BIO_should_retry(c_ssl_bio))
1252 {
1253 fprintf(stderr,"ERROR in CLIENT\n");
1254 goto err;
1255 }
1256 /* BIO_should_retry(...) can just be ignored here.
1257 * The library expects us to call BIO_write with
1258 * the same arguments again, and that's what we will
1259 * do in the next iteration. */
1260 }
1261 else if (r == 0)
1262 {
1263 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1264 goto err;
1265 }
1266 else
1267 {
1268 if (debug)
1269 printf("client wrote %d\n", r);
1270 cw_num -= r;
1271 }
1272 }
1273
1274 if (cr_num > 0)
1275 {
1276 /* Read from server. */
1277
1278 r = BIO_read(c_ssl_bio, cbuf, sizeof(cbuf));
1279 if (r < 0)
1280 {
1281 if (!BIO_should_retry(c_ssl_bio))
1282 {
1283 fprintf(stderr,"ERROR in CLIENT\n");
1284 goto err;
1285 }
1286 /* Again, "BIO_should_retry" can be ignored. */
1287 }
1288 else if (r == 0)
1289 {
1290 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1291 goto err;
1292 }
1293 else
1294 {
1295 if (debug)
1296 printf("client read %d\n", r);
1297 cr_num -= r;
1298 }
1299 }
1300
1301 /* c_time and s_time increments will typically be very small
1302 * (depending on machine speed and clock tick intervals),
1303 * but sampling over a large number of connections should
1304 * result in fairly accurate figures. We cannot guarantee
1305 * a lot, however -- if each connection lasts for exactly
1306 * one clock tick, it will be counted only for the client
1307 * or only for the server or even not at all.
1308 */
1309 *c_time += (clock() - c_clock);
1310 }
1311
1312 {
1313 /* SERVER */
1314
1315 MS_STATIC char sbuf[1024*8];
1316 int i, r;
1317 clock_t s_clock = clock();
1318
1319 memset(sbuf, 0, sizeof(sbuf));
1320
1321 if (debug)
1322 if (SSL_in_init(s_ssl))
1323 printf("server waiting in SSL_accept - %s\n",
1324 SSL_state_string_long(s_ssl));
1325
1326 if (sw_num > 0)
1327 {
1328 /* Write to client. */
1329
1330 if (sw_num > (long)sizeof sbuf)
1331 i = sizeof sbuf;
1332 else
1333 i = (int)sw_num;
1334 r = BIO_write(s_ssl_bio, sbuf, i);
1335 if (r < 0)
1336 {
1337 if (!BIO_should_retry(s_ssl_bio))
1338 {
1339 fprintf(stderr,"ERROR in SERVER\n");
1340 goto err;
1341 }
1342 /* Ignore "BIO_should_retry". */
1343 }
1344 else if (r == 0)
1345 {
1346 fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
1347 goto err;
1348 }
1349 else
1350 {
1351 if (debug)
1352 printf("server wrote %d\n", r);
1353 sw_num -= r;
1354 }
1355 }
1356
1357 if (sr_num > 0)
1358 {
1359 /* Read from client. */
1360
1361 r = BIO_read(s_ssl_bio, sbuf, sizeof(sbuf));
1362 if (r < 0)
1363 {
1364 if (!BIO_should_retry(s_ssl_bio))
1365 {
1366 fprintf(stderr,"ERROR in SERVER\n");
1367 goto err;
1368 }
1369 /* blah, blah */
1370 }
1371 else if (r == 0)
1372 {
1373 fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
1374 goto err;
1375 }
1376 else
1377 {
1378 if (debug)
1379 printf("server read %d\n", r);
1380 sr_num -= r;
1381 }
1382 }
1383
1384 *s_time += (clock() - s_clock);
1385 }
1386
1387 {
1388 /* "I/O" BETWEEN CLIENT AND SERVER. */
1389
1390 size_t r1, r2;
1391 BIO *io1 = server_io, *io2 = client_io;
1392 /* we use the non-copying interface for io1
1393 * and the standard BIO_write/BIO_read interface for io2
1394 */
1395
1396 static int prev_progress = 1;
1397 int progress = 0;
1398
1399 /* io1 to io2 */
1400 do
1401 {
1402 size_t num;
1403 int r;
1404
1405 r1 = BIO_ctrl_pending(io1);
1406 r2 = BIO_ctrl_get_write_guarantee(io2);
1407
1408 num = r1;
1409 if (r2 < num)
1410 num = r2;
1411 if (num)
1412 {
1413 char *dataptr;
1414
1415 if (INT_MAX < num) /* yeah, right */
1416 num = INT_MAX;
1417
1418 r = BIO_nread(io1, &dataptr, (int)num);
1419 assert(r > 0);
1420 assert(r <= (int)num);
1421 /* possibly r < num (non-contiguous data) */
1422 num = r;
1423 r = BIO_write(io2, dataptr, (int)num);
1424 if (r != (int)num) /* can't happen */
1425 {
1426 fprintf(stderr, "ERROR: BIO_write could not write "
1427 "BIO_ctrl_get_write_guarantee() bytes");
1428 goto err;
1429 }
1430 progress = 1;
1431
1432 if (debug)
1433 printf((io1 == client_io) ?
1434 "C->S relaying: %d bytes\n" :
1435 "S->C relaying: %d bytes\n",
1436 (int)num);
1437 }
1438 }
1439 while (r1 && r2);
1440
1441 /* io2 to io1 */
1442 {
1443 size_t num;
1444 int r;
1445
1446 r1 = BIO_ctrl_pending(io2);
1447 r2 = BIO_ctrl_get_read_request(io1);
1448 /* here we could use ..._get_write_guarantee instead of
1449 * ..._get_read_request, but by using the latter
1450 * we test restartability of the SSL implementation
1451 * more thoroughly */
1452 num = r1;
1453 if (r2 < num)
1454 num = r2;
1455 if (num)
1456 {
1457 char *dataptr;
1458
1459 if (INT_MAX < num)
1460 num = INT_MAX;
1461
1462 if (num > 1)
1463 --num; /* test restartability even more thoroughly */
1464
1465 r = BIO_nwrite0(io1, &dataptr);
1466 assert(r > 0);
1467 if (r < (int)num)
1468 num = r;
1469 r = BIO_read(io2, dataptr, (int)num);
1470 if (r != (int)num) /* can't happen */
1471 {
1472 fprintf(stderr, "ERROR: BIO_read could not read "
1473 "BIO_ctrl_pending() bytes");
1474 goto err;
1475 }
1476 progress = 1;
1477 r = BIO_nwrite(io1, &dataptr, (int)num);
1478 if (r != (int)num) /* can't happen */
1479 {
1480 fprintf(stderr, "ERROR: BIO_nwrite() did not accept "
1481 "BIO_nwrite0() bytes");
1482 goto err;
1483 }
1484
1485 if (debug)
1486 printf((io2 == client_io) ?
1487 "C->S relaying: %d bytes\n" :
1488 "S->C relaying: %d bytes\n",
1489 (int)num);
1490 }
1491 } /* no loop, BIO_ctrl_get_read_request now returns 0 anyway */
1492
1493 if (!progress && !prev_progress)
1494 if (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0)
1495 {
1496 fprintf(stderr, "ERROR: got stuck\n");
1497 if (strcmp("SSLv2", SSL_get_version(c_ssl)) == 0)
1498 {
1499 fprintf(stderr, "This can happen for SSL2 because "
1500 "CLIENT-FINISHED and SERVER-VERIFY are written \n"
1501 "concurrently ...");
1502 if (strncmp("2SCF", SSL_state_string(c_ssl), 4) == 0
1503 && strncmp("2SSV", SSL_state_string(s_ssl), 4) == 0)
1504 {
1505 fprintf(stderr, " ok.\n");
1506 goto end;
1507 }
1508 }
1509 fprintf(stderr, " ERROR.\n");
1510 goto err;
1511 }
1512 prev_progress = progress;
1513 }
1514 }
1515 while (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0);
1516
1517 if (verbose)
1518 print_details(c_ssl, "DONE via BIO pair: ");
1519end:
1520 ret = 0;
1521
1522 err:
1523 ERR_print_errors(bio_err);
1524
1525 if (server)
1526 BIO_free(server);
1527 if (server_io)
1528 BIO_free(server_io);
1529 if (client)
1530 BIO_free(client);
1531 if (client_io)
1532 BIO_free(client_io);
1533 if (s_ssl_bio)
1534 BIO_free(s_ssl_bio);
1535 if (c_ssl_bio)
1536 BIO_free(c_ssl_bio);
1537
1538 return ret;
1539 }
1540
1541
1542#define W_READ 1
1543#define W_WRITE 2
1544#define C_DONE 1
1545#define S_DONE 2
1546
1547int doit(SSL *s_ssl, SSL *c_ssl, long count)
1548 {
1549 MS_STATIC char cbuf[1024*8],sbuf[1024*8];
1550 long cw_num=count,cr_num=count;
1551 long sw_num=count,sr_num=count;
1552 int ret=1;
1553 BIO *c_to_s=NULL;
1554 BIO *s_to_c=NULL;
1555 BIO *c_bio=NULL;
1556 BIO *s_bio=NULL;
1557 int c_r,c_w,s_r,s_w;
1558 int i,j;
1559 int done=0;
1560 int c_write,s_write;
1561 int do_server=0,do_client=0;
1562
1563 memset(cbuf,0,sizeof(cbuf));
1564 memset(sbuf,0,sizeof(sbuf));
1565
1566 c_to_s=BIO_new(BIO_s_mem());
1567 s_to_c=BIO_new(BIO_s_mem());
1568 if ((s_to_c == NULL) || (c_to_s == NULL))
1569 {
1570 ERR_print_errors(bio_err);
1571 goto err;
1572 }
1573
1574 c_bio=BIO_new(BIO_f_ssl());
1575 s_bio=BIO_new(BIO_f_ssl());
1576 if ((c_bio == NULL) || (s_bio == NULL))
1577 {
1578 ERR_print_errors(bio_err);
1579 goto err;
1580 }
1581
1582 SSL_set_connect_state(c_ssl);
1583 SSL_set_bio(c_ssl,s_to_c,c_to_s);
1584 BIO_set_ssl(c_bio,c_ssl,BIO_NOCLOSE);
1585
1586 SSL_set_accept_state(s_ssl);
1587 SSL_set_bio(s_ssl,c_to_s,s_to_c);
1588 BIO_set_ssl(s_bio,s_ssl,BIO_NOCLOSE);
1589
1590 c_r=0; s_r=1;
1591 c_w=1; s_w=0;
1592 c_write=1,s_write=0;
1593
1594 /* We can always do writes */
1595 for (;;)
1596 {
1597 do_server=0;
1598 do_client=0;
1599
1600 i=(int)BIO_pending(s_bio);
1601 if ((i && s_r) || s_w) do_server=1;
1602
1603 i=(int)BIO_pending(c_bio);
1604 if ((i && c_r) || c_w) do_client=1;
1605
1606 if (do_server && debug)
1607 {
1608 if (SSL_in_init(s_ssl))
1609 printf("server waiting in SSL_accept - %s\n",
1610 SSL_state_string_long(s_ssl));
1611/* else if (s_write)
1612 printf("server:SSL_write()\n");
1613 else
1614 printf("server:SSL_read()\n"); */
1615 }
1616
1617 if (do_client && debug)
1618 {
1619 if (SSL_in_init(c_ssl))
1620 printf("client waiting in SSL_connect - %s\n",
1621 SSL_state_string_long(c_ssl));
1622/* else if (c_write)
1623 printf("client:SSL_write()\n");
1624 else
1625 printf("client:SSL_read()\n"); */
1626 }
1627
1628 if (!do_client && !do_server)
1629 {
1630 fprintf(stdout,"ERROR IN STARTUP\n");
1631 ERR_print_errors(bio_err);
1632 break;
1633 }
1634 if (do_client && !(done & C_DONE))
1635 {
1636 if (c_write)
1637 {
1638 j = (cw_num > (long)sizeof(cbuf)) ?
1639 (int)sizeof(cbuf) : (int)cw_num;
1640 i=BIO_write(c_bio,cbuf,j);
1641 if (i < 0)
1642 {
1643 c_r=0;
1644 c_w=0;
1645 if (BIO_should_retry(c_bio))
1646 {
1647 if (BIO_should_read(c_bio))
1648 c_r=1;
1649 if (BIO_should_write(c_bio))
1650 c_w=1;
1651 }
1652 else
1653 {
1654 fprintf(stderr,"ERROR in CLIENT\n");
1655 ERR_print_errors(bio_err);
1656 goto err;
1657 }
1658 }
1659 else if (i == 0)
1660 {
1661 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1662 goto err;
1663 }
1664 else
1665 {
1666 if (debug)
1667 printf("client wrote %d\n",i);
1668 /* ok */
1669 s_r=1;
1670 c_write=0;
1671 cw_num-=i;
1672 }
1673 }
1674 else
1675 {
1676 i=BIO_read(c_bio,cbuf,sizeof(cbuf));
1677 if (i < 0)
1678 {
1679 c_r=0;
1680 c_w=0;
1681 if (BIO_should_retry(c_bio))
1682 {
1683 if (BIO_should_read(c_bio))
1684 c_r=1;
1685 if (BIO_should_write(c_bio))
1686 c_w=1;
1687 }
1688 else
1689 {
1690 fprintf(stderr,"ERROR in CLIENT\n");
1691 ERR_print_errors(bio_err);
1692 goto err;
1693 }
1694 }
1695 else if (i == 0)
1696 {
1697 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1698 goto err;
1699 }
1700 else
1701 {
1702 if (debug)
1703 printf("client read %d\n",i);
1704 cr_num-=i;
1705 if (sw_num > 0)
1706 {
1707 s_write=1;
1708 s_w=1;
1709 }
1710 if (cr_num <= 0)
1711 {
1712 s_write=1;
1713 s_w=1;
1714 done=S_DONE|C_DONE;
1715 }
1716 }
1717 }
1718 }
1719
1720 if (do_server && !(done & S_DONE))
1721 {
1722 if (!s_write)
1723 {
1724 i=BIO_read(s_bio,sbuf,sizeof(cbuf));
1725 if (i < 0)
1726 {
1727 s_r=0;
1728 s_w=0;
1729 if (BIO_should_retry(s_bio))
1730 {
1731 if (BIO_should_read(s_bio))
1732 s_r=1;
1733 if (BIO_should_write(s_bio))
1734 s_w=1;
1735 }
1736 else
1737 {
1738 fprintf(stderr,"ERROR in SERVER\n");
1739 ERR_print_errors(bio_err);
1740 goto err;
1741 }
1742 }
1743 else if (i == 0)
1744 {
1745 ERR_print_errors(bio_err);
1746 fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_read\n");
1747 goto err;
1748 }
1749 else
1750 {
1751 if (debug)
1752 printf("server read %d\n",i);
1753 sr_num-=i;
1754 if (cw_num > 0)
1755 {
1756 c_write=1;
1757 c_w=1;
1758 }
1759 if (sr_num <= 0)
1760 {
1761 s_write=1;
1762 s_w=1;
1763 c_write=0;
1764 }
1765 }
1766 }
1767 else
1768 {
1769 j = (sw_num > (long)sizeof(sbuf)) ?
1770 (int)sizeof(sbuf) : (int)sw_num;
1771 i=BIO_write(s_bio,sbuf,j);
1772 if (i < 0)
1773 {
1774 s_r=0;
1775 s_w=0;
1776 if (BIO_should_retry(s_bio))
1777 {
1778 if (BIO_should_read(s_bio))
1779 s_r=1;
1780 if (BIO_should_write(s_bio))
1781 s_w=1;
1782 }
1783 else
1784 {
1785 fprintf(stderr,"ERROR in SERVER\n");
1786 ERR_print_errors(bio_err);
1787 goto err;
1788 }
1789 }
1790 else if (i == 0)
1791 {
1792 ERR_print_errors(bio_err);
1793 fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_write\n");
1794 goto err;
1795 }
1796 else
1797 {
1798 if (debug)
1799 printf("server wrote %d\n",i);
1800 sw_num-=i;
1801 s_write=0;
1802 c_r=1;
1803 if (sw_num <= 0)
1804 done|=S_DONE;
1805 }
1806 }
1807 }
1808
1809 if ((done & S_DONE) && (done & C_DONE)) break;
1810 }
1811
1812 if (verbose)
1813 print_details(c_ssl, "DONE: ");
1814 ret=0;
1815err:
1816 /* We have to set the BIO's to NULL otherwise they will be
1817 * OPENSSL_free()ed twice. Once when th s_ssl is SSL_free()ed and
1818 * again when c_ssl is SSL_free()ed.
1819 * This is a hack required because s_ssl and c_ssl are sharing the same
1820 * BIO structure and SSL_set_bio() and SSL_free() automatically
1821 * BIO_free non NULL entries.
1822 * You should not normally do this or be required to do this */
1823 if (s_ssl != NULL)
1824 {
1825 s_ssl->rbio=NULL;
1826 s_ssl->wbio=NULL;
1827 }
1828 if (c_ssl != NULL)
1829 {
1830 c_ssl->rbio=NULL;
1831 c_ssl->wbio=NULL;
1832 }
1833
1834 if (c_to_s != NULL) BIO_free(c_to_s);
1835 if (s_to_c != NULL) BIO_free(s_to_c);
1836 if (c_bio != NULL) BIO_free_all(c_bio);
1837 if (s_bio != NULL) BIO_free_all(s_bio);
1838 return(ret);
1839 }
1840
1841static int get_proxy_auth_ex_data_idx(void)
1842 {
1843 static volatile int idx = -1;
1844 if (idx < 0)
1845 {
1846 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
1847 if (idx < 0)
1848 {
1849 idx = X509_STORE_CTX_get_ex_new_index(0,
1850 "SSLtest for verify callback", NULL,NULL,NULL);
1851 }
1852 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
1853 }
1854 return idx;
1855 }
1856
1857static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
1858 {
1859 char *s,buf[256];
1860
1861 s=X509_NAME_oneline(X509_get_subject_name(ctx->current_cert),buf,
1862 sizeof buf);
1863 if (s != NULL)
1864 {
1865 if (ok)
1866 fprintf(stderr,"depth=%d %s\n",
1867 ctx->error_depth,buf);
1868 else
1869 {
1870 fprintf(stderr,"depth=%d error=%d %s\n",
1871 ctx->error_depth,ctx->error,buf);
1872 }
1873 }
1874
1875 if (ok == 0)
1876 {
1877 fprintf(stderr,"Error string: %s\n",
1878 X509_verify_cert_error_string(ctx->error));
1879 switch (ctx->error)
1880 {
1881 case X509_V_ERR_CERT_NOT_YET_VALID:
1882 case X509_V_ERR_CERT_HAS_EXPIRED:
1883 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
1884 fprintf(stderr," ... ignored.\n");
1885 ok=1;
1886 }
1887 }
1888
1889 if (ok == 1)
1890 {
1891 X509 *xs = ctx->current_cert;
1892#if 0
1893 X509 *xi = ctx->current_issuer;
1894#endif
1895
1896 if (xs->ex_flags & EXFLAG_PROXY)
1897 {
1898 unsigned int *letters =
1899 X509_STORE_CTX_get_ex_data(ctx,
1900 get_proxy_auth_ex_data_idx());
1901
1902 if (letters)
1903 {
1904 int found_any = 0;
1905 int i;
1906 PROXY_CERT_INFO_EXTENSION *pci =
1907 X509_get_ext_d2i(xs, NID_proxyCertInfo,
1908 NULL, NULL);
1909
1910 switch (OBJ_obj2nid(pci->proxyPolicy->policyLanguage))
1911 {
1912 case NID_Independent:
1913 /* Completely meaningless in this
1914 program, as there's no way to
1915 grant explicit rights to a
1916 specific PrC. Basically, using
1917 id-ppl-Independent is the perfect
1918 way to grant no rights at all. */
1919 fprintf(stderr, " Independent proxy certificate");
1920 for (i = 0; i < 26; i++)
1921 letters[i] = 0;
1922 break;
1923 case NID_id_ppl_inheritAll:
1924 /* This is basically a NOP, we
1925 simply let the current rights
1926 stand as they are. */
1927 fprintf(stderr, " Proxy certificate inherits all");
1928 break;
1929 default:
1930 s = (char *)
1931 pci->proxyPolicy->policy->data;
1932 i = pci->proxyPolicy->policy->length;
1933
1934 /* The algorithm works as follows:
1935 it is assumed that previous
1936 iterations or the initial granted
1937 rights has already set some elements
1938 of `letters'. What we need to do is
1939 to clear those that weren't granted
1940 by the current PrC as well. The
1941 easiest way to do this is to add 1
1942 to all the elements whose letters
1943 are given with the current policy.
1944 That way, all elements that are set
1945 by the current policy and were
1946 already set by earlier policies and
1947 through the original grant of rights
1948 will get the value 2 or higher.
1949 The last thing to do is to sweep
1950 through `letters' and keep the
1951 elements having the value 2 as set,
1952 and clear all the others. */
1953
1954 fprintf(stderr, " Certificate proxy rights = %*.*s", i, i, s);
1955 while(i-- > 0)
1956 {
1957 int c = *s++;
1958 if (isascii(c) && isalpha(c))
1959 {
1960 if (islower(c))
1961 c = toupper(c);
1962 letters[c - 'A']++;
1963 }
1964 }
1965 for (i = 0; i < 26; i++)
1966 if (letters[i] < 2)
1967 letters[i] = 0;
1968 else
1969 letters[i] = 1;
1970 }
1971
1972 found_any = 0;
1973 fprintf(stderr,
1974 ", resulting proxy rights = ");
1975 for(i = 0; i < 26; i++)
1976 if (letters[i])
1977 {
1978 fprintf(stderr, "%c", i + 'A');
1979 found_any = 1;
1980 }
1981 if (!found_any)
1982 fprintf(stderr, "none");
1983 fprintf(stderr, "\n");
1984
1985 PROXY_CERT_INFO_EXTENSION_free(pci);
1986 }
1987 }
1988 }
1989
1990 return(ok);
1991 }
1992
1993static void process_proxy_debug(int indent, const char *format, ...)
1994 {
1995 static const char indentation[] =
1996 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
1997 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"; /* That's 80 > */
1998 char my_format[256];
1999 va_list args;
2000
2001 BIO_snprintf(my_format, sizeof(my_format), "%*.*s %s",
2002 indent, indent, indentation, format);
2003
2004 va_start(args, format);
2005 vfprintf(stderr, my_format, args);
2006 va_end(args);
2007 }
2008/* Priority levels:
2009 0 [!]var, ()
2010 1 & ^
2011 2 |
2012*/
2013static int process_proxy_cond_adders(unsigned int letters[26],
2014 const char *cond, const char **cond_end, int *pos, int indent);
2015static int process_proxy_cond_val(unsigned int letters[26],
2016 const char *cond, const char **cond_end, int *pos, int indent)
2017 {
2018 int c;
2019 int ok = 1;
2020 int negate = 0;
2021
2022 while(isspace((int)*cond))
2023 {
2024 cond++; (*pos)++;
2025 }
2026 c = *cond;
2027
2028 if (debug)
2029 process_proxy_debug(indent,
2030 "Start process_proxy_cond_val at position %d: %s\n",
2031 *pos, cond);
2032
2033 while(c == '!')
2034 {
2035 negate = !negate;
2036 cond++; (*pos)++;
2037 while(isspace((int)*cond))
2038 {
2039 cond++; (*pos)++;
2040 }
2041 c = *cond;
2042 }
2043
2044 if (c == '(')
2045 {
2046 cond++; (*pos)++;
2047 ok = process_proxy_cond_adders(letters, cond, cond_end, pos,
2048 indent + 1);
2049 cond = *cond_end;
2050 if (ok < 0)
2051 goto end;
2052 while(isspace((int)*cond))
2053 {
2054 cond++; (*pos)++;
2055 }
2056 c = *cond;
2057 if (c != ')')
2058 {
2059 fprintf(stderr,
2060 "Weird condition character in position %d: "
2061 "%c\n", *pos, c);
2062 ok = -1;
2063 goto end;
2064 }
2065 cond++; (*pos)++;
2066 }
2067 else if (isascii(c) && isalpha(c))
2068 {
2069 if (islower(c))
2070 c = toupper(c);
2071 ok = letters[c - 'A'];
2072 cond++; (*pos)++;
2073 }
2074 else
2075 {
2076 fprintf(stderr,
2077 "Weird condition character in position %d: "
2078 "%c\n", *pos, c);
2079 ok = -1;
2080 goto end;
2081 }
2082 end:
2083 *cond_end = cond;
2084 if (ok >= 0 && negate)
2085 ok = !ok;
2086
2087 if (debug)
2088 process_proxy_debug(indent,
2089 "End process_proxy_cond_val at position %d: %s, returning %d\n",
2090 *pos, cond, ok);
2091
2092 return ok;
2093 }
2094static int process_proxy_cond_multipliers(unsigned int letters[26],
2095 const char *cond, const char **cond_end, int *pos, int indent)
2096 {
2097 int ok;
2098 char c;
2099
2100 if (debug)
2101 process_proxy_debug(indent,
2102 "Start process_proxy_cond_multipliers at position %d: %s\n",
2103 *pos, cond);
2104
2105 ok = process_proxy_cond_val(letters, cond, cond_end, pos, indent + 1);
2106 cond = *cond_end;
2107 if (ok < 0)
2108 goto end;
2109
2110 while(ok >= 0)
2111 {
2112 while(isspace((int)*cond))
2113 {
2114 cond++; (*pos)++;
2115 }
2116 c = *cond;
2117
2118 switch(c)
2119 {
2120 case '&':
2121 case '^':
2122 {
2123 int save_ok = ok;
2124
2125 cond++; (*pos)++;
2126 ok = process_proxy_cond_val(letters,
2127 cond, cond_end, pos, indent + 1);
2128 cond = *cond_end;
2129 if (ok < 0)
2130 break;
2131
2132 switch(c)
2133 {
2134 case '&':
2135 ok &= save_ok;
2136 break;
2137 case '^':
2138 ok ^= save_ok;
2139 break;
2140 default:
2141 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
2142 " STOPPING\n");
2143 EXIT(1);
2144 }
2145 }
2146 break;
2147 default:
2148 goto end;
2149 }
2150 }
2151 end:
2152 if (debug)
2153 process_proxy_debug(indent,
2154 "End process_proxy_cond_multipliers at position %d: %s, returning %d\n",
2155 *pos, cond, ok);
2156
2157 *cond_end = cond;
2158 return ok;
2159 }
2160static int process_proxy_cond_adders(unsigned int letters[26],
2161 const char *cond, const char **cond_end, int *pos, int indent)
2162 {
2163 int ok;
2164 char c;
2165
2166 if (debug)
2167 process_proxy_debug(indent,
2168 "Start process_proxy_cond_adders at position %d: %s\n",
2169 *pos, cond);
2170
2171 ok = process_proxy_cond_multipliers(letters, cond, cond_end, pos,
2172 indent + 1);
2173 cond = *cond_end;
2174 if (ok < 0)
2175 goto end;
2176
2177 while(ok >= 0)
2178 {
2179 while(isspace((int)*cond))
2180 {
2181 cond++; (*pos)++;
2182 }
2183 c = *cond;
2184
2185 switch(c)
2186 {
2187 case '|':
2188 {
2189 int save_ok = ok;
2190
2191 cond++; (*pos)++;
2192 ok = process_proxy_cond_multipliers(letters,
2193 cond, cond_end, pos, indent + 1);
2194 cond = *cond_end;
2195 if (ok < 0)
2196 break;
2197
2198 switch(c)
2199 {
2200 case '|':
2201 ok |= save_ok;
2202 break;
2203 default:
2204 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
2205 " STOPPING\n");
2206 EXIT(1);
2207 }
2208 }
2209 break;
2210 default:
2211 goto end;
2212 }
2213 }
2214 end:
2215 if (debug)
2216 process_proxy_debug(indent,
2217 "End process_proxy_cond_adders at position %d: %s, returning %d\n",
2218 *pos, cond, ok);
2219
2220 *cond_end = cond;
2221 return ok;
2222 }
2223
2224static int process_proxy_cond(unsigned int letters[26],
2225 const char *cond, const char **cond_end)
2226 {
2227 int pos = 1;
2228 return process_proxy_cond_adders(letters, cond, cond_end, &pos, 1);
2229 }
2230
2231static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg)
2232 {
2233 int ok=1;
2234 struct app_verify_arg *cb_arg = arg;
2235 unsigned int letters[26]; /* only used with proxy_auth */
2236
2237 if (cb_arg->app_verify)
2238 {
2239 char *s = NULL,buf[256];
2240
2241 fprintf(stderr, "In app_verify_callback, allowing cert. ");
2242 fprintf(stderr, "Arg is: %s\n", cb_arg->string);
2243 fprintf(stderr, "Finished printing do we have a context? 0x%p a cert? 0x%p\n",
2244 (void *)ctx, (void *)ctx->cert);
2245 if (ctx->cert)
2246 s=X509_NAME_oneline(X509_get_subject_name(ctx->cert),buf,256);
2247 if (s != NULL)
2248 {
2249 fprintf(stderr,"cert depth=%d %s\n",ctx->error_depth,buf);
2250 }
2251 return(1);
2252 }
2253 if (cb_arg->proxy_auth)
2254 {
2255 int found_any = 0, i;
2256 char *sp;
2257
2258 for(i = 0; i < 26; i++)
2259 letters[i] = 0;
2260 for(sp = cb_arg->proxy_auth; *sp; sp++)
2261 {
2262 int c = *sp;
2263 if (isascii(c) && isalpha(c))
2264 {
2265 if (islower(c))
2266 c = toupper(c);
2267 letters[c - 'A'] = 1;
2268 }
2269 }
2270
2271 fprintf(stderr,
2272 " Initial proxy rights = ");
2273 for(i = 0; i < 26; i++)
2274 if (letters[i])
2275 {
2276 fprintf(stderr, "%c", i + 'A');
2277 found_any = 1;
2278 }
2279 if (!found_any)
2280 fprintf(stderr, "none");
2281 fprintf(stderr, "\n");
2282
2283 X509_STORE_CTX_set_ex_data(ctx,
2284 get_proxy_auth_ex_data_idx(),letters);
2285 }
2286 if (cb_arg->allow_proxy_certs)
2287 {
2288 X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
2289 }
2290
2291#ifndef OPENSSL_NO_X509_VERIFY
2292 ok = X509_verify_cert(ctx);
2293#endif
2294
2295 if (cb_arg->proxy_auth)
2296 {
2297 if (ok > 0)
2298 {
2299 const char *cond_end = NULL;
2300
2301 ok = process_proxy_cond(letters,
2302 cb_arg->proxy_cond, &cond_end);
2303
2304 if (ok < 0)
2305 EXIT(3);
2306 if (*cond_end)
2307 {
2308 fprintf(stderr, "Stopped processing condition before it's end.\n");
2309 ok = 0;
2310 }
2311 if (!ok)
2312 fprintf(stderr, "Proxy rights check with condition '%s' proved invalid\n",
2313 cb_arg->proxy_cond);
2314 else
2315 fprintf(stderr, "Proxy rights check with condition '%s' proved valid\n",
2316 cb_arg->proxy_cond);
2317 }
2318 }
2319 return(ok);
2320 }
2321
2322#ifndef OPENSSL_NO_RSA
2323static RSA *rsa_tmp=NULL;
2324
2325static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength)
2326 {
2327 BIGNUM *bn = NULL;
2328 if (rsa_tmp == NULL)
2329 {
2330 bn = BN_new();
2331 rsa_tmp = RSA_new();
2332 if(!bn || !rsa_tmp || !BN_set_word(bn, RSA_F4))
2333 {
2334 BIO_printf(bio_err, "Memory error...");
2335 goto end;
2336 }
2337 BIO_printf(bio_err,"Generating temp (%d bit) RSA key...",keylength);
2338 (void)BIO_flush(bio_err);
2339 if(!RSA_generate_key_ex(rsa_tmp,keylength,bn,NULL))
2340 {
2341 BIO_printf(bio_err, "Error generating key.");
2342 RSA_free(rsa_tmp);
2343 rsa_tmp = NULL;
2344 }
2345end:
2346 BIO_printf(bio_err,"\n");
2347 (void)BIO_flush(bio_err);
2348 }
2349 if(bn) BN_free(bn);
2350 return(rsa_tmp);
2351 }
2352
2353static void free_tmp_rsa(void)
2354 {
2355 if (rsa_tmp != NULL)
2356 {
2357 RSA_free(rsa_tmp);
2358 rsa_tmp = NULL;
2359 }
2360 }
2361#endif
2362
2363#ifndef OPENSSL_NO_DH
2364/* These DH parameters have been generated as follows:
2365 * $ openssl dhparam -C -noout 512
2366 * $ openssl dhparam -C -noout 1024
2367 * $ openssl dhparam -C -noout -dsaparam 1024
2368 * (The third function has been renamed to avoid name conflicts.)
2369 */
2370static DH *get_dh512()
2371 {
2372 static unsigned char dh512_p[]={
2373 0xCB,0xC8,0xE1,0x86,0xD0,0x1F,0x94,0x17,0xA6,0x99,0xF0,0xC6,
2374 0x1F,0x0D,0xAC,0xB6,0x25,0x3E,0x06,0x39,0xCA,0x72,0x04,0xB0,
2375 0x6E,0xDA,0xC0,0x61,0xE6,0x7A,0x77,0x25,0xE8,0x3B,0xB9,0x5F,
2376 0x9A,0xB6,0xB5,0xFE,0x99,0x0B,0xA1,0x93,0x4E,0x35,0x33,0xB8,
2377 0xE1,0xF1,0x13,0x4F,0x59,0x1A,0xD2,0x57,0xC0,0x26,0x21,0x33,
2378 0x02,0xC5,0xAE,0x23,
2379 };
2380 static unsigned char dh512_g[]={
2381 0x02,
2382 };
2383 DH *dh;
2384
2385 if ((dh=DH_new()) == NULL) return(NULL);
2386 dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
2387 dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
2388 if ((dh->p == NULL) || (dh->g == NULL))
2389 { DH_free(dh); return(NULL); }
2390 return(dh);
2391 }
2392
2393static DH *get_dh1024()
2394 {
2395 static unsigned char dh1024_p[]={
2396 0xF8,0x81,0x89,0x7D,0x14,0x24,0xC5,0xD1,0xE6,0xF7,0xBF,0x3A,
2397 0xE4,0x90,0xF4,0xFC,0x73,0xFB,0x34,0xB5,0xFA,0x4C,0x56,0xA2,
2398 0xEA,0xA7,0xE9,0xC0,0xC0,0xCE,0x89,0xE1,0xFA,0x63,0x3F,0xB0,
2399 0x6B,0x32,0x66,0xF1,0xD1,0x7B,0xB0,0x00,0x8F,0xCA,0x87,0xC2,
2400 0xAE,0x98,0x89,0x26,0x17,0xC2,0x05,0xD2,0xEC,0x08,0xD0,0x8C,
2401 0xFF,0x17,0x52,0x8C,0xC5,0x07,0x93,0x03,0xB1,0xF6,0x2F,0xB8,
2402 0x1C,0x52,0x47,0x27,0x1B,0xDB,0xD1,0x8D,0x9D,0x69,0x1D,0x52,
2403 0x4B,0x32,0x81,0xAA,0x7F,0x00,0xC8,0xDC,0xE6,0xD9,0xCC,0xC1,
2404 0x11,0x2D,0x37,0x34,0x6C,0xEA,0x02,0x97,0x4B,0x0E,0xBB,0xB1,
2405 0x71,0x33,0x09,0x15,0xFD,0xDD,0x23,0x87,0x07,0x5E,0x89,0xAB,
2406 0x6B,0x7C,0x5F,0xEC,0xA6,0x24,0xDC,0x53,
2407 };
2408 static unsigned char dh1024_g[]={
2409 0x02,
2410 };
2411 DH *dh;
2412
2413 if ((dh=DH_new()) == NULL) return(NULL);
2414 dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
2415 dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
2416 if ((dh->p == NULL) || (dh->g == NULL))
2417 { DH_free(dh); return(NULL); }
2418 return(dh);
2419 }
2420
2421static DH *get_dh1024dsa()
2422 {
2423 static unsigned char dh1024_p[]={
2424 0xC8,0x00,0xF7,0x08,0x07,0x89,0x4D,0x90,0x53,0xF3,0xD5,0x00,
2425 0x21,0x1B,0xF7,0x31,0xA6,0xA2,0xDA,0x23,0x9A,0xC7,0x87,0x19,
2426 0x3B,0x47,0xB6,0x8C,0x04,0x6F,0xFF,0xC6,0x9B,0xB8,0x65,0xD2,
2427 0xC2,0x5F,0x31,0x83,0x4A,0xA7,0x5F,0x2F,0x88,0x38,0xB6,0x55,
2428 0xCF,0xD9,0x87,0x6D,0x6F,0x9F,0xDA,0xAC,0xA6,0x48,0xAF,0xFC,
2429 0x33,0x84,0x37,0x5B,0x82,0x4A,0x31,0x5D,0xE7,0xBD,0x52,0x97,
2430 0xA1,0x77,0xBF,0x10,0x9E,0x37,0xEA,0x64,0xFA,0xCA,0x28,0x8D,
2431 0x9D,0x3B,0xD2,0x6E,0x09,0x5C,0x68,0xC7,0x45,0x90,0xFD,0xBB,
2432 0x70,0xC9,0x3A,0xBB,0xDF,0xD4,0x21,0x0F,0xC4,0x6A,0x3C,0xF6,
2433 0x61,0xCF,0x3F,0xD6,0x13,0xF1,0x5F,0xBC,0xCF,0xBC,0x26,0x9E,
2434 0xBC,0x0B,0xBD,0xAB,0x5D,0xC9,0x54,0x39,
2435 };
2436 static unsigned char dh1024_g[]={
2437 0x3B,0x40,0x86,0xE7,0xF3,0x6C,0xDE,0x67,0x1C,0xCC,0x80,0x05,
2438 0x5A,0xDF,0xFE,0xBD,0x20,0x27,0x74,0x6C,0x24,0xC9,0x03,0xF3,
2439 0xE1,0x8D,0xC3,0x7D,0x98,0x27,0x40,0x08,0xB8,0x8C,0x6A,0xE9,
2440 0xBB,0x1A,0x3A,0xD6,0x86,0x83,0x5E,0x72,0x41,0xCE,0x85,0x3C,
2441 0xD2,0xB3,0xFC,0x13,0xCE,0x37,0x81,0x9E,0x4C,0x1C,0x7B,0x65,
2442 0xD3,0xE6,0xA6,0x00,0xF5,0x5A,0x95,0x43,0x5E,0x81,0xCF,0x60,
2443 0xA2,0x23,0xFC,0x36,0xA7,0x5D,0x7A,0x4C,0x06,0x91,0x6E,0xF6,
2444 0x57,0xEE,0x36,0xCB,0x06,0xEA,0xF5,0x3D,0x95,0x49,0xCB,0xA7,
2445 0xDD,0x81,0xDF,0x80,0x09,0x4A,0x97,0x4D,0xA8,0x22,0x72,0xA1,
2446 0x7F,0xC4,0x70,0x56,0x70,0xE8,0x20,0x10,0x18,0x8F,0x2E,0x60,
2447 0x07,0xE7,0x68,0x1A,0x82,0x5D,0x32,0xA2,
2448 };
2449 DH *dh;
2450
2451 if ((dh=DH_new()) == NULL) return(NULL);
2452 dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
2453 dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
2454 if ((dh->p == NULL) || (dh->g == NULL))
2455 { DH_free(dh); return(NULL); }
2456 dh->length = 160;
2457 return(dh);
2458 }
2459#endif
2460
2461#ifndef OPENSSL_NO_PSK
2462/* convert the PSK key (psk_key) in ascii to binary (psk) */
2463static int psk_key2bn(const char *pskkey, unsigned char *psk,
2464 unsigned int max_psk_len)
2465 {
2466 int ret;
2467 BIGNUM *bn = NULL;
2468
2469 ret = BN_hex2bn(&bn, pskkey);
2470 if (!ret)
2471 {
2472 BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", pskkey);
2473 if (bn)
2474 BN_free(bn);
2475 return 0;
2476 }
2477 if (BN_num_bytes(bn) > (int)max_psk_len)
2478 {
2479 BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n",
2480 max_psk_len, BN_num_bytes(bn));
2481 BN_free(bn);
2482 return 0;
2483 }
2484 ret = BN_bn2bin(bn, psk);
2485 BN_free(bn);
2486 return ret;
2487 }
2488
2489static unsigned int psk_client_callback(SSL *ssl, const char *hint, char *identity,
2490 unsigned int max_identity_len, unsigned char *psk,
2491 unsigned int max_psk_len)
2492 {
2493 int ret;
2494 unsigned int psk_len = 0;
2495
2496 ret = BIO_snprintf(identity, max_identity_len, "Client_identity");
2497 if (ret < 0)
2498 goto out_err;
2499 if (debug)
2500 fprintf(stderr, "client: created identity '%s' len=%d\n", identity, ret);
2501 ret = psk_key2bn(psk_key, psk, max_psk_len);
2502 if (ret < 0)
2503 goto out_err;
2504 psk_len = ret;
2505out_err:
2506 return psk_len;
2507 }
2508
2509static unsigned int psk_server_callback(SSL *ssl, const char *identity,
2510 unsigned char *psk, unsigned int max_psk_len)
2511 {
2512 unsigned int psk_len=0;
2513
2514 if (strcmp(identity, "Client_identity") != 0)
2515 {
2516 BIO_printf(bio_err, "server: PSK error: client identity not found\n");
2517 return 0;
2518 }
2519 psk_len=psk_key2bn(psk_key, psk, max_psk_len);
2520 return psk_len;
2521 }
2522#endif
2523
2524static int do_test_cipherlist(void)
2525 {
2526 int i = 0;
2527 const SSL_METHOD *meth;
2528 const SSL_CIPHER *ci, *tci = NULL;
2529
2530#ifndef OPENSSL_NO_SSL2
2531 fprintf(stderr, "testing SSLv2 cipher list order: ");
2532 meth = SSLv2_method();
2533 while ((ci = meth->get_cipher(i++)) != NULL)
2534 {
2535 if (tci != NULL)
2536 if (ci->id >= tci->id)
2537 {
2538 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2539 return 0;
2540 }
2541 tci = ci;
2542 }
2543 fprintf(stderr, "ok\n");
2544#endif
2545#ifndef OPENSSL_NO_SSL3
2546 fprintf(stderr, "testing SSLv3 cipher list order: ");
2547 meth = SSLv3_method();
2548 tci = NULL;
2549 while ((ci = meth->get_cipher(i++)) != NULL)
2550 {
2551 if (tci != NULL)
2552 if (ci->id >= tci->id)
2553 {
2554 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2555 return 0;
2556 }
2557 tci = ci;
2558 }
2559 fprintf(stderr, "ok\n");
2560#endif
2561#ifndef OPENSSL_NO_TLS1
2562 fprintf(stderr, "testing TLSv1 cipher list order: ");
2563 meth = TLSv1_method();
2564 tci = NULL;
2565 while ((ci = meth->get_cipher(i++)) != NULL)
2566 {
2567 if (tci != NULL)
2568 if (ci->id >= tci->id)
2569 {
2570 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2571 return 0;
2572 }
2573 tci = ci;
2574 }
2575 fprintf(stderr, "ok\n");
2576#endif
2577
2578 return 1;
2579 }
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-10-04 20:32:01 +0000