summaryrefslogtreecommitdiff
path: root/src/lib/libssl/src/ssl/ssltest.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libssl/src/ssl/ssltest.c')
-rw-r--r--src/lib/libssl/src/ssl/ssltest.c2317
1 files changed, 2317 insertions, 0 deletions
diff --git a/src/lib/libssl/src/ssl/ssltest.c b/src/lib/libssl/src/ssl/ssltest.c
new file mode 100644
index 0000000000..f409f3dc76
--- /dev/null
+++ b/src/lib/libssl/src/ssl/ssltest.c
@@ -0,0 +1,2317 @@
1/* ssl/ssltest.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111/* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 * ECC cipher suite support in OpenSSL originally developed by
114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
115 */
116
117#define _BSD_SOURCE 1 /* Or gethostname won't be declared properly
118 on Linux and GNU platforms. */
119
120#include <assert.h>
121#include <errno.h>
122#include <limits.h>
123#include <stdio.h>
124#include <stdlib.h>
125#include <string.h>
126#include <time.h>
127#include <inttypes.h>
128#include <ctype.h>
129
130#define USE_SOCKETS
131#include "e_os.h"
132
133#define _XOPEN_SOURCE 500 /* Or isascii won't be declared properly on
134 VMS (at least with DECompHP C). */
135#include <ctype.h>
136
137#include <openssl/bio.h>
138#include <openssl/crypto.h>
139#include <openssl/evp.h>
140#include <openssl/x509.h>
141#include <openssl/x509v3.h>
142#include <openssl/ssl.h>
143#ifndef OPENSSL_NO_ENGINE
144#include <openssl/engine.h>
145#endif
146#include <openssl/err.h>
147#include <openssl/rand.h>
148#ifndef OPENSSL_NO_RSA
149#include <openssl/rsa.h>
150#endif
151#ifndef OPENSSL_NO_DSA
152#include <openssl/dsa.h>
153#endif
154#ifndef OPENSSL_NO_DH
155#include <openssl/dh.h>
156#endif
157#include <openssl/bn.h>
158
159#define _XOPEN_SOURCE_EXTENDED 1 /* Or gethostname won't be declared properly
160 on Compaq platforms (at least with DEC C).
161 Do not try to put it earlier, or IPv6 includes
162 get screwed...
163 */
164
165#ifdef OPENSSL_SYS_WINDOWS
166#include <winsock.h>
167#else
168#include OPENSSL_UNISTD
169#endif
170
171#ifdef OPENSSL_SYS_VMS
172# define TEST_SERVER_CERT "SYS$DISK:[-.APPS]SERVER.PEM"
173# define TEST_CLIENT_CERT "SYS$DISK:[-.APPS]CLIENT.PEM"
174#elif defined(OPENSSL_SYS_WINCE)
175# define TEST_SERVER_CERT "\\OpenSSL\\server.pem"
176# define TEST_CLIENT_CERT "\\OpenSSL\\client.pem"
177#elif defined(OPENSSL_SYS_NETWARE)
178# define TEST_SERVER_CERT "\\openssl\\apps\\server.pem"
179# define TEST_CLIENT_CERT "\\openssl\\apps\\client.pem"
180#else
181# define TEST_SERVER_CERT "../apps/server.pem"
182# define TEST_CLIENT_CERT "../apps/client.pem"
183#endif
184
185/* There is really no standard for this, so let's assign some tentative
186 numbers. In any case, these numbers are only for this test */
187#define COMP_RLE 255
188#define COMP_ZLIB 1
189
190static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
191#ifndef OPENSSL_NO_RSA
192static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export,int keylength);
193static void free_tmp_rsa(void);
194#endif
195static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg);
196#define APP_CALLBACK_STRING "Test Callback Argument"
197struct app_verify_arg
198 {
199 char *string;
200 int app_verify;
201 int allow_proxy_certs;
202 char *proxy_auth;
203 char *proxy_cond;
204 };
205
206#ifndef OPENSSL_NO_DH
207static DH *get_dh512(void);
208static DH *get_dh1024(void);
209static DH *get_dh1024dsa(void);
210#endif
211
212static BIO *bio_err=NULL;
213static BIO *bio_stdout=NULL;
214
215static char *cipher=NULL;
216static int verbose=0;
217static int debug=0;
218#if 0
219/* Not used yet. */
220#ifdef FIONBIO
221static int s_nbio=0;
222#endif
223#endif
224
225static const char rnd_seed[] = "string to make the random number generator think it has entropy";
226
227int doit_biopair(SSL *s_ssl,SSL *c_ssl,long bytes,clock_t *s_time,clock_t *c_time);
228int doit(SSL *s_ssl,SSL *c_ssl,long bytes);
229static int do_test_cipherlist(void);
230static void sv_usage(void)
231 {
232 fprintf(stderr,"usage: ssltest [args ...]\n");
233 fprintf(stderr,"\n");
234#ifdef OPENSSL_FIPS
235 fprintf(stderr,"-F - run test in FIPS mode\n");
236#endif
237 fprintf(stderr," -server_auth - check server certificate\n");
238 fprintf(stderr," -client_auth - do client authentication\n");
239 fprintf(stderr," -proxy - allow proxy certificates\n");
240 fprintf(stderr," -proxy_auth <val> - set proxy policy rights\n");
241 fprintf(stderr," -proxy_cond <val> - experssion to test proxy policy rights\n");
242 fprintf(stderr," -v - more output\n");
243 fprintf(stderr," -d - debug output\n");
244 fprintf(stderr," -reuse - use session-id reuse\n");
245 fprintf(stderr," -num <val> - number of connections to perform\n");
246 fprintf(stderr," -bytes <val> - number of bytes to swap between client/server\n");
247#ifndef OPENSSL_NO_DH
248 fprintf(stderr," -dhe1024 - use 1024 bit key (safe prime) for DHE\n");
249 fprintf(stderr," -dhe1024dsa - use 1024 bit key (with 160-bit subprime) for DHE\n");
250 fprintf(stderr," -no_dhe - disable DHE\n");
251#endif
252#ifndef OPENSSL_NO_ECDH
253 fprintf(stderr," -no_ecdhe - disable ECDHE\n");
254#endif
255#ifndef OPENSSL_NO_SSL2
256 fprintf(stderr," -ssl2 - use SSLv2\n");
257#endif
258#ifndef OPENSSL_NO_SSL3
259 fprintf(stderr," -ssl3 - use SSLv3\n");
260#endif
261#ifndef OPENSSL_NO_TLS1
262 fprintf(stderr," -tls1 - use TLSv1\n");
263#endif
264 fprintf(stderr," -CApath arg - PEM format directory of CA's\n");
265 fprintf(stderr," -CAfile arg - PEM format file of CA's\n");
266 fprintf(stderr," -cert arg - Server certificate file\n");
267 fprintf(stderr," -key arg - Server key file (default: same as -cert)\n");
268 fprintf(stderr," -c_cert arg - Client certificate file\n");
269 fprintf(stderr," -c_key arg - Client key file (default: same as -c_cert)\n");
270 fprintf(stderr," -cipher arg - The cipher list\n");
271 fprintf(stderr," -bio_pair - Use BIO pairs\n");
272 fprintf(stderr," -f - Test even cases that can't work\n");
273 fprintf(stderr," -time - measure processor time used by client and server\n");
274 fprintf(stderr," -zlib - use zlib compression\n");
275 fprintf(stderr," -rle - use rle compression\n");
276#ifndef OPENSSL_NO_ECDH
277 fprintf(stderr," -named_curve arg - Elliptic curve name to use for ephemeral ECDH keys.\n" \
278 " Use \"openssl ecparam -list_curves\" for all names\n" \
279 " (default is sect163r2).\n");
280#endif
281 fprintf(stderr," -test_cipherlist - verifies the order of the ssl cipher lists\n");
282 }
283
284static void print_details(SSL *c_ssl, const char *prefix)
285 {
286 SSL_CIPHER *ciph;
287 X509 *cert;
288
289 ciph=SSL_get_current_cipher(c_ssl);
290 BIO_printf(bio_stdout,"%s%s, cipher %s %s",
291 prefix,
292 SSL_get_version(c_ssl),
293 SSL_CIPHER_get_version(ciph),
294 SSL_CIPHER_get_name(ciph));
295 cert=SSL_get_peer_certificate(c_ssl);
296 if (cert != NULL)
297 {
298 EVP_PKEY *pkey = X509_get_pubkey(cert);
299 if (pkey != NULL)
300 {
301 if (0)
302 ;
303#ifndef OPENSSL_NO_RSA
304 else if (pkey->type == EVP_PKEY_RSA && pkey->pkey.rsa != NULL
305 && pkey->pkey.rsa->n != NULL)
306 {
307 BIO_printf(bio_stdout, ", %d bit RSA",
308 BN_num_bits(pkey->pkey.rsa->n));
309 }
310#endif
311#ifndef OPENSSL_NO_DSA
312 else if (pkey->type == EVP_PKEY_DSA && pkey->pkey.dsa != NULL
313 && pkey->pkey.dsa->p != NULL)
314 {
315 BIO_printf(bio_stdout, ", %d bit DSA",
316 BN_num_bits(pkey->pkey.dsa->p));
317 }
318#endif
319 EVP_PKEY_free(pkey);
320 }
321 X509_free(cert);
322 }
323 /* The SSL API does not allow us to look at temporary RSA/DH keys,
324 * otherwise we should print their lengths too */
325 BIO_printf(bio_stdout,"\n");
326 }
327
328static void lock_dbg_cb(int mode, int type, const char *file, int line)
329 {
330 static int modes[CRYPTO_NUM_LOCKS]; /* = {0, 0, ... } */
331 const char *errstr = NULL;
332 int rw;
333
334 rw = mode & (CRYPTO_READ|CRYPTO_WRITE);
335 if (!((rw == CRYPTO_READ) || (rw == CRYPTO_WRITE)))
336 {
337 errstr = "invalid mode";
338 goto err;
339 }
340
341 if (type < 0 || type >= CRYPTO_NUM_LOCKS)
342 {
343 errstr = "type out of bounds";
344 goto err;
345 }
346
347 if (mode & CRYPTO_LOCK)
348 {
349 if (modes[type])
350 {
351 errstr = "already locked";
352 /* must not happen in a single-threaded program
353 * (would deadlock) */
354 goto err;
355 }
356
357 modes[type] = rw;
358 }
359 else if (mode & CRYPTO_UNLOCK)
360 {
361 if (!modes[type])
362 {
363 errstr = "not locked";
364 goto err;
365 }
366
367 if (modes[type] != rw)
368 {
369 errstr = (rw == CRYPTO_READ) ?
370 "CRYPTO_r_unlock on write lock" :
371 "CRYPTO_w_unlock on read lock";
372 }
373
374 modes[type] = 0;
375 }
376 else
377 {
378 errstr = "invalid mode";
379 goto err;
380 }
381
382 err:
383 if (errstr)
384 {
385 /* we cannot use bio_err here */
386 fprintf(stderr, "openssl (lock_dbg_cb): %s (mode=%d, type=%d) at %s:%d\n",
387 errstr, mode, type, file, line);
388 }
389 }
390
391
392int main(int argc, char *argv[])
393 {
394 char *CApath=NULL,*CAfile=NULL;
395 int badop=0;
396 int bio_pair=0;
397 int force=0;
398 int tls1=0,ssl2=0,ssl3=0,ret=1;
399 int client_auth=0;
400 int server_auth=0,i;
401 struct app_verify_arg app_verify_arg =
402 { APP_CALLBACK_STRING, 0, 0, NULL, NULL };
403 char *server_cert=TEST_SERVER_CERT;
404 char *server_key=NULL;
405 char *client_cert=TEST_CLIENT_CERT;
406 char *client_key=NULL;
407#ifndef OPENSSL_NO_ECDH
408 char *named_curve = NULL;
409#endif
410 SSL_CTX *s_ctx=NULL;
411 SSL_CTX *c_ctx=NULL;
412 SSL_METHOD *meth=NULL;
413 SSL *c_ssl,*s_ssl;
414 int number=1,reuse=0;
415 long bytes=256L;
416#ifndef OPENSSL_NO_DH
417 DH *dh;
418 int dhe1024 = 1, dhe1024dsa = 0;
419#endif
420#ifndef OPENSSL_NO_ECDH
421 EC_KEY *ecdh = NULL;
422#endif
423 int no_dhe = 0;
424 int no_ecdhe = 0;
425 int print_time = 0;
426 clock_t s_time = 0, c_time = 0;
427 int comp = 0;
428#ifndef OPENSSL_NO_COMP
429 COMP_METHOD *cm = NULL;
430#endif
431 STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
432 int test_cipherlist = 0;
433#ifdef OPENSSL_FIPS
434 int fips_mode=0;
435#endif
436
437 verbose = 0;
438 debug = 0;
439 cipher = 0;
440
441 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
442
443 CRYPTO_set_locking_callback(lock_dbg_cb);
444
445 /* enable memory leak checking unless explicitly disabled */
446 if (!((getenv("OPENSSL_DEBUG_MEMORY") != NULL) && (0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off"))))
447 {
448 CRYPTO_malloc_debug_init();
449 CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
450 }
451 else
452 {
453 /* OPENSSL_DEBUG_MEMORY=off */
454 CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0);
455 }
456 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
457
458 RAND_seed(rnd_seed, sizeof rnd_seed);
459
460 bio_stdout=BIO_new_fp(stdout,BIO_NOCLOSE);
461
462 argc--;
463 argv++;
464
465 while (argc >= 1)
466 {
467 if(!strcmp(*argv,"-F"))
468 {
469#ifdef OPENSSL_FIPS
470 fips_mode=1;
471#else
472 fprintf(stderr,"not compiled with FIPS support, so exitting without running.\n");
473 EXIT(0);
474#endif
475 }
476 else if (strcmp(*argv,"-server_auth") == 0)
477 server_auth=1;
478 else if (strcmp(*argv,"-client_auth") == 0)
479 client_auth=1;
480 else if (strcmp(*argv,"-proxy_auth") == 0)
481 {
482 if (--argc < 1) goto bad;
483 app_verify_arg.proxy_auth= *(++argv);
484 }
485 else if (strcmp(*argv,"-proxy_cond") == 0)
486 {
487 if (--argc < 1) goto bad;
488 app_verify_arg.proxy_cond= *(++argv);
489 }
490 else if (strcmp(*argv,"-v") == 0)
491 verbose=1;
492 else if (strcmp(*argv,"-d") == 0)
493 debug=1;
494 else if (strcmp(*argv,"-reuse") == 0)
495 reuse=1;
496 else if (strcmp(*argv,"-dhe1024") == 0)
497 {
498#ifndef OPENSSL_NO_DH
499 dhe1024=1;
500#else
501 fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n");
502#endif
503 }
504 else if (strcmp(*argv,"-dhe1024dsa") == 0)
505 {
506#ifndef OPENSSL_NO_DH
507 dhe1024dsa=1;
508#else
509 fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n");
510#endif
511 }
512 else if (strcmp(*argv,"-no_dhe") == 0)
513 no_dhe=1;
514 else if (strcmp(*argv,"-no_ecdhe") == 0)
515 no_ecdhe=1;
516 else if (strcmp(*argv,"-ssl2") == 0)
517 ssl2=1;
518 else if (strcmp(*argv,"-tls1") == 0)
519 tls1=1;
520 else if (strcmp(*argv,"-ssl3") == 0)
521 ssl3=1;
522 else if (strncmp(*argv,"-num",4) == 0)
523 {
524 if (--argc < 1) goto bad;
525 number= atoi(*(++argv));
526 if (number == 0) number=1;
527 }
528 else if (strcmp(*argv,"-bytes") == 0)
529 {
530 if (--argc < 1) goto bad;
531 bytes= atol(*(++argv));
532 if (bytes == 0L) bytes=1L;
533 i=strlen(argv[0]);
534 if (argv[0][i-1] == 'k') bytes*=1024L;
535 if (argv[0][i-1] == 'm') bytes*=1024L*1024L;
536 }
537 else if (strcmp(*argv,"-cert") == 0)
538 {
539 if (--argc < 1) goto bad;
540 server_cert= *(++argv);
541 }
542 else if (strcmp(*argv,"-s_cert") == 0)
543 {
544 if (--argc < 1) goto bad;
545 server_cert= *(++argv);
546 }
547 else if (strcmp(*argv,"-key") == 0)
548 {
549 if (--argc < 1) goto bad;
550 server_key= *(++argv);
551 }
552 else if (strcmp(*argv,"-s_key") == 0)
553 {
554 if (--argc < 1) goto bad;
555 server_key= *(++argv);
556 }
557 else if (strcmp(*argv,"-c_cert") == 0)
558 {
559 if (--argc < 1) goto bad;
560 client_cert= *(++argv);
561 }
562 else if (strcmp(*argv,"-c_key") == 0)
563 {
564 if (--argc < 1) goto bad;
565 client_key= *(++argv);
566 }
567 else if (strcmp(*argv,"-cipher") == 0)
568 {
569 if (--argc < 1) goto bad;
570 cipher= *(++argv);
571 }
572 else if (strcmp(*argv,"-CApath") == 0)
573 {
574 if (--argc < 1) goto bad;
575 CApath= *(++argv);
576 }
577 else if (strcmp(*argv,"-CAfile") == 0)
578 {
579 if (--argc < 1) goto bad;
580 CAfile= *(++argv);
581 }
582 else if (strcmp(*argv,"-bio_pair") == 0)
583 {
584 bio_pair = 1;
585 }
586 else if (strcmp(*argv,"-f") == 0)
587 {
588 force = 1;
589 }
590 else if (strcmp(*argv,"-time") == 0)
591 {
592 print_time = 1;
593 }
594 else if (strcmp(*argv,"-zlib") == 0)
595 {
596 comp = COMP_ZLIB;
597 }
598 else if (strcmp(*argv,"-rle") == 0)
599 {
600 comp = COMP_RLE;
601 }
602 else if (strcmp(*argv,"-named_curve") == 0)
603 {
604 if (--argc < 1) goto bad;
605#ifndef OPENSSL_NO_ECDH
606 named_curve = *(++argv);
607#else
608 fprintf(stderr,"ignoring -named_curve, since I'm compiled without ECDH\n");
609 ++argv;
610#endif
611 }
612 else if (strcmp(*argv,"-app_verify") == 0)
613 {
614 app_verify_arg.app_verify = 1;
615 }
616 else if (strcmp(*argv,"-proxy") == 0)
617 {
618 app_verify_arg.allow_proxy_certs = 1;
619 }
620 else if (strcmp(*argv,"-test_cipherlist") == 0)
621 {
622 test_cipherlist = 1;
623 }
624 else
625 {
626 fprintf(stderr,"unknown option %s\n",*argv);
627 badop=1;
628 break;
629 }
630 argc--;
631 argv++;
632 }
633 if (badop)
634 {
635bad:
636 sv_usage();
637 goto end;
638 }
639
640 if (test_cipherlist == 1)
641 {
642 /* ensure that the cipher list are correctly sorted and exit */
643 if (do_test_cipherlist() == 0)
644 EXIT(1);
645 ret = 0;
646 goto end;
647 }
648
649 if (!ssl2 && !ssl3 && !tls1 && number > 1 && !reuse && !force)
650 {
651 fprintf(stderr, "This case cannot work. Use -f to perform "
652 "the test anyway (and\n-d to see what happens), "
653 "or add one of -ssl2, -ssl3, -tls1, -reuse\n"
654 "to avoid protocol mismatch.\n");
655 EXIT(1);
656 }
657
658#ifdef OPENSSL_FIPS
659 if(fips_mode)
660 {
661 if(!FIPS_mode_set(1))
662 {
663 ERR_load_crypto_strings();
664 ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
665 EXIT(1);
666 }
667 else
668 fprintf(stderr,"*** IN FIPS MODE ***\n");
669 }
670#endif
671
672 if (print_time)
673 {
674 if (!bio_pair)
675 {
676 fprintf(stderr, "Using BIO pair (-bio_pair)\n");
677 bio_pair = 1;
678 }
679 if (number < 50 && !force)
680 fprintf(stderr, "Warning: For accurate timings, use more connections (e.g. -num 1000)\n");
681 }
682
683/* if (cipher == NULL) cipher=getenv("SSL_CIPHER"); */
684
685 SSL_library_init();
686 SSL_load_error_strings();
687
688#ifndef OPENSSL_NO_COMP
689 if (comp == COMP_ZLIB) cm = COMP_zlib();
690 if (comp == COMP_RLE) cm = COMP_rle();
691 if (cm != NULL)
692 {
693 if (cm->type != NID_undef)
694 {
695 if (SSL_COMP_add_compression_method(comp, cm) != 0)
696 {
697 fprintf(stderr,
698 "Failed to add compression method\n");
699 ERR_print_errors_fp(stderr);
700 }
701 }
702 else
703 {
704 fprintf(stderr,
705 "Warning: %s compression not supported\n",
706 (comp == COMP_RLE ? "rle" :
707 (comp == COMP_ZLIB ? "zlib" :
708 "unknown")));
709 ERR_print_errors_fp(stderr);
710 }
711 }
712 ssl_comp_methods = SSL_COMP_get_compression_methods();
713 fprintf(stderr, "Available compression methods:\n");
714 {
715 int j, n = sk_SSL_COMP_num(ssl_comp_methods);
716 if (n == 0)
717 fprintf(stderr, " NONE\n");
718 else
719 for (j = 0; j < n; j++)
720 {
721 SSL_COMP *c = sk_SSL_COMP_value(ssl_comp_methods, j);
722 fprintf(stderr, " %d: %s\n", c->id, c->name);
723 }
724 }
725#endif
726
727#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
728 if (ssl2)
729 meth=SSLv2_method();
730 else
731 if (tls1)
732 meth=TLSv1_method();
733 else
734 if (ssl3)
735 meth=SSLv3_method();
736 else
737 meth=SSLv23_method();
738#else
739#ifdef OPENSSL_NO_SSL2
740 meth=SSLv3_method();
741#else
742 meth=SSLv2_method();
743#endif
744#endif
745
746 c_ctx=SSL_CTX_new(meth);
747 s_ctx=SSL_CTX_new(meth);
748 if ((c_ctx == NULL) || (s_ctx == NULL))
749 {
750 ERR_print_errors(bio_err);
751 goto end;
752 }
753
754 if (cipher != NULL)
755 {
756 SSL_CTX_set_cipher_list(c_ctx,cipher);
757 SSL_CTX_set_cipher_list(s_ctx,cipher);
758 }
759
760#ifndef OPENSSL_NO_DH
761 if (!no_dhe)
762 {
763 if (dhe1024dsa)
764 {
765 /* use SSL_OP_SINGLE_DH_USE to avoid small subgroup attacks */
766 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);
767 dh=get_dh1024dsa();
768 }
769 else if (dhe1024)
770 dh=get_dh1024();
771 else
772 dh=get_dh512();
773 SSL_CTX_set_tmp_dh(s_ctx,dh);
774 DH_free(dh);
775 }
776#else
777 (void)no_dhe;
778#endif
779
780#ifndef OPENSSL_NO_ECDH
781 if (!no_ecdhe)
782 {
783 int nid;
784
785 if (named_curve != NULL)
786 {
787 nid = OBJ_sn2nid(named_curve);
788 if (nid == 0)
789 {
790 BIO_printf(bio_err, "unknown curve name (%s)\n", named_curve);
791 goto end;
792 }
793 }
794 else
795 nid = NID_sect163r2;
796
797 ecdh = EC_KEY_new_by_curve_name(nid);
798 if (ecdh == NULL)
799 {
800 BIO_printf(bio_err, "unable to create curve\n");
801 goto end;
802 }
803
804 SSL_CTX_set_tmp_ecdh(s_ctx, ecdh);
805 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_ECDH_USE);
806 EC_KEY_free(ecdh);
807 }
808#else
809 (void)no_ecdhe;
810#endif
811
812#ifndef OPENSSL_NO_RSA
813 SSL_CTX_set_tmp_rsa_callback(s_ctx,tmp_rsa_cb);
814#endif
815
816 if (!SSL_CTX_use_certificate_file(s_ctx,server_cert,SSL_FILETYPE_PEM))
817 {
818 ERR_print_errors(bio_err);
819 }
820 else if (!SSL_CTX_use_PrivateKey_file(s_ctx,
821 (server_key?server_key:server_cert), SSL_FILETYPE_PEM))
822 {
823 ERR_print_errors(bio_err);
824 goto end;
825 }
826
827 if (client_auth)
828 {
829 SSL_CTX_use_certificate_file(c_ctx,client_cert,
830 SSL_FILETYPE_PEM);
831 SSL_CTX_use_PrivateKey_file(c_ctx,
832 (client_key?client_key:client_cert),
833 SSL_FILETYPE_PEM);
834 }
835
836 if ( (!SSL_CTX_load_verify_locations(s_ctx,CAfile,CApath)) ||
837 (!SSL_CTX_set_default_verify_paths(s_ctx)) ||
838 (!SSL_CTX_load_verify_locations(c_ctx,CAfile,CApath)) ||
839 (!SSL_CTX_set_default_verify_paths(c_ctx)))
840 {
841 /* fprintf(stderr,"SSL_load_verify_locations\n"); */
842 ERR_print_errors(bio_err);
843 /* goto end; */
844 }
845
846 if (client_auth)
847 {
848 BIO_printf(bio_err,"client authentication\n");
849 SSL_CTX_set_verify(s_ctx,
850 SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
851 verify_callback);
852 SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, &app_verify_arg);
853 }
854 if (server_auth)
855 {
856 BIO_printf(bio_err,"server authentication\n");
857 SSL_CTX_set_verify(c_ctx,SSL_VERIFY_PEER,
858 verify_callback);
859 SSL_CTX_set_cert_verify_callback(c_ctx, app_verify_callback, &app_verify_arg);
860 }
861
862 {
863 int session_id_context = 0;
864 SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context, sizeof session_id_context);
865 }
866
867 c_ssl=SSL_new(c_ctx);
868 s_ssl=SSL_new(s_ctx);
869
870#ifndef OPENSSL_NO_KRB5
871 if (c_ssl && c_ssl->kssl_ctx)
872 {
873 char localhost[MAXHOSTNAMELEN+2];
874
875 if (gethostname(localhost, sizeof localhost-1) == 0)
876 {
877 localhost[sizeof localhost-1]='\0';
878 if(strlen(localhost) == sizeof localhost-1)
879 {
880 BIO_printf(bio_err,"localhost name too long\n");
881 goto end;
882 }
883 kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER,
884 localhost);
885 }
886 }
887#endif /* OPENSSL_NO_KRB5 */
888
889 for (i=0; i<number; i++)
890 {
891 if (!reuse) SSL_set_session(c_ssl,NULL);
892 if (bio_pair)
893 ret=doit_biopair(s_ssl,c_ssl,bytes,&s_time,&c_time);
894 else
895 ret=doit(s_ssl,c_ssl,bytes);
896 }
897
898 if (!verbose)
899 {
900 print_details(c_ssl, "");
901 }
902 if ((number > 1) || (bytes > 1L))
903 BIO_printf(bio_stdout, "%d handshakes of %ld bytes done\n",number,bytes);
904 if (print_time)
905 {
906#ifdef CLOCKS_PER_SEC
907 /* "To determine the time in seconds, the value returned
908 * by the clock function should be divided by the value
909 * of the macro CLOCKS_PER_SEC."
910 * -- ISO/IEC 9899 */
911 BIO_printf(bio_stdout, "Approximate total server time: %6.2f s\n"
912 "Approximate total client time: %6.2f s\n",
913 (double)s_time/CLOCKS_PER_SEC,
914 (double)c_time/CLOCKS_PER_SEC);
915#else
916 /* "`CLOCKS_PER_SEC' undeclared (first use this function)"
917 * -- cc on NeXTstep/OpenStep */
918 BIO_printf(bio_stdout,
919 "Approximate total server time: %6.2f units\n"
920 "Approximate total client time: %6.2f units\n",
921 (double)s_time,
922 (double)c_time);
923#endif
924 }
925
926 SSL_free(s_ssl);
927 SSL_free(c_ssl);
928
929end:
930 if (s_ctx != NULL) SSL_CTX_free(s_ctx);
931 if (c_ctx != NULL) SSL_CTX_free(c_ctx);
932
933 if (bio_stdout != NULL) BIO_free(bio_stdout);
934
935#ifndef OPENSSL_NO_RSA
936 free_tmp_rsa();
937#endif
938#ifndef OPENSSL_NO_ENGINE
939 ENGINE_cleanup();
940#endif
941 CRYPTO_cleanup_all_ex_data();
942 ERR_free_strings();
943 ERR_remove_state(0);
944 EVP_cleanup();
945 CRYPTO_mem_leaks(bio_err);
946 if (bio_err != NULL) BIO_free(bio_err);
947 EXIT(ret);
948 return ret;
949 }
950
951int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count,
952 clock_t *s_time, clock_t *c_time)
953 {
954 long cw_num = count, cr_num = count, sw_num = count, sr_num = count;
955 BIO *s_ssl_bio = NULL, *c_ssl_bio = NULL;
956 BIO *server = NULL, *server_io = NULL, *client = NULL, *client_io = NULL;
957 int ret = 1;
958
959 size_t bufsiz = 256; /* small buffer for testing */
960
961 if (!BIO_new_bio_pair(&server, bufsiz, &server_io, bufsiz))
962 goto err;
963 if (!BIO_new_bio_pair(&client, bufsiz, &client_io, bufsiz))
964 goto err;
965
966 s_ssl_bio = BIO_new(BIO_f_ssl());
967 if (!s_ssl_bio)
968 goto err;
969
970 c_ssl_bio = BIO_new(BIO_f_ssl());
971 if (!c_ssl_bio)
972 goto err;
973
974 SSL_set_connect_state(c_ssl);
975 SSL_set_bio(c_ssl, client, client);
976 (void)BIO_set_ssl(c_ssl_bio, c_ssl, BIO_NOCLOSE);
977
978 SSL_set_accept_state(s_ssl);
979 SSL_set_bio(s_ssl, server, server);
980 (void)BIO_set_ssl(s_ssl_bio, s_ssl, BIO_NOCLOSE);
981
982 do
983 {
984 /* c_ssl_bio: SSL filter BIO
985 *
986 * client: pseudo-I/O for SSL library
987 *
988 * client_io: client's SSL communication; usually to be
989 * relayed over some I/O facility, but in this
990 * test program, we're the server, too:
991 *
992 * server_io: server's SSL communication
993 *
994 * server: pseudo-I/O for SSL library
995 *
996 * s_ssl_bio: SSL filter BIO
997 *
998 * The client and the server each employ a "BIO pair":
999 * client + client_io, server + server_io.
1000 * BIO pairs are symmetric. A BIO pair behaves similar
1001 * to a non-blocking socketpair (but both endpoints must
1002 * be handled by the same thread).
1003 * [Here we could connect client and server to the ends
1004 * of a single BIO pair, but then this code would be less
1005 * suitable as an example for BIO pairs in general.]
1006 *
1007 * Useful functions for querying the state of BIO pair endpoints:
1008 *
1009 * BIO_ctrl_pending(bio) number of bytes we can read now
1010 * BIO_ctrl_get_read_request(bio) number of bytes needed to fulfil
1011 * other side's read attempt
1012 * BIO_ctrl_get_write_guarantee(bio) number of bytes we can write now
1013 *
1014 * ..._read_request is never more than ..._write_guarantee;
1015 * it depends on the application which one you should use.
1016 */
1017
1018 /* We have non-blocking behaviour throughout this test program, but
1019 * can be sure that there is *some* progress in each iteration; so
1020 * we don't have to worry about ..._SHOULD_READ or ..._SHOULD_WRITE
1021 * -- we just try everything in each iteration
1022 */
1023
1024 {
1025 /* CLIENT */
1026
1027 MS_STATIC char cbuf[1024*8];
1028 int i, r;
1029 clock_t c_clock = clock();
1030
1031 memset(cbuf, 0, sizeof(cbuf));
1032
1033 if (debug)
1034 if (SSL_in_init(c_ssl))
1035 printf("client waiting in SSL_connect - %s\n",
1036 SSL_state_string_long(c_ssl));
1037
1038 if (cw_num > 0)
1039 {
1040 /* Write to server. */
1041
1042 if (cw_num > (long)sizeof cbuf)
1043 i = sizeof cbuf;
1044 else
1045 i = (int)cw_num;
1046 r = BIO_write(c_ssl_bio, cbuf, i);
1047 if (r < 0)
1048 {
1049 if (!BIO_should_retry(c_ssl_bio))
1050 {
1051 fprintf(stderr,"ERROR in CLIENT\n");
1052 goto err;
1053 }
1054 /* BIO_should_retry(...) can just be ignored here.
1055 * The library expects us to call BIO_write with
1056 * the same arguments again, and that's what we will
1057 * do in the next iteration. */
1058 }
1059 else if (r == 0)
1060 {
1061 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1062 goto err;
1063 }
1064 else
1065 {
1066 if (debug)
1067 printf("client wrote %d\n", r);
1068 cw_num -= r;
1069 }
1070 }
1071
1072 if (cr_num > 0)
1073 {
1074 /* Read from server. */
1075
1076 r = BIO_read(c_ssl_bio, cbuf, sizeof(cbuf));
1077 if (r < 0)
1078 {
1079 if (!BIO_should_retry(c_ssl_bio))
1080 {
1081 fprintf(stderr,"ERROR in CLIENT\n");
1082 goto err;
1083 }
1084 /* Again, "BIO_should_retry" can be ignored. */
1085 }
1086 else if (r == 0)
1087 {
1088 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1089 goto err;
1090 }
1091 else
1092 {
1093 if (debug)
1094 printf("client read %d\n", r);
1095 cr_num -= r;
1096 }
1097 }
1098
1099 /* c_time and s_time increments will typically be very small
1100 * (depending on machine speed and clock tick intervals),
1101 * but sampling over a large number of connections should
1102 * result in fairly accurate figures. We cannot guarantee
1103 * a lot, however -- if each connection lasts for exactly
1104 * one clock tick, it will be counted only for the client
1105 * or only for the server or even not at all.
1106 */
1107 *c_time += (clock() - c_clock);
1108 }
1109
1110 {
1111 /* SERVER */
1112
1113 MS_STATIC char sbuf[1024*8];
1114 int i, r;
1115 clock_t s_clock = clock();
1116
1117 memset(sbuf, 0, sizeof(sbuf));
1118
1119 if (debug)
1120 if (SSL_in_init(s_ssl))
1121 printf("server waiting in SSL_accept - %s\n",
1122 SSL_state_string_long(s_ssl));
1123
1124 if (sw_num > 0)
1125 {
1126 /* Write to client. */
1127
1128 if (sw_num > (long)sizeof sbuf)
1129 i = sizeof sbuf;
1130 else
1131 i = (int)sw_num;
1132 r = BIO_write(s_ssl_bio, sbuf, i);
1133 if (r < 0)
1134 {
1135 if (!BIO_should_retry(s_ssl_bio))
1136 {
1137 fprintf(stderr,"ERROR in SERVER\n");
1138 goto err;
1139 }
1140 /* Ignore "BIO_should_retry". */
1141 }
1142 else if (r == 0)
1143 {
1144 fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
1145 goto err;
1146 }
1147 else
1148 {
1149 if (debug)
1150 printf("server wrote %d\n", r);
1151 sw_num -= r;
1152 }
1153 }
1154
1155 if (sr_num > 0)
1156 {
1157 /* Read from client. */
1158
1159 r = BIO_read(s_ssl_bio, sbuf, sizeof(sbuf));
1160 if (r < 0)
1161 {
1162 if (!BIO_should_retry(s_ssl_bio))
1163 {
1164 fprintf(stderr,"ERROR in SERVER\n");
1165 goto err;
1166 }
1167 /* blah, blah */
1168 }
1169 else if (r == 0)
1170 {
1171 fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
1172 goto err;
1173 }
1174 else
1175 {
1176 if (debug)
1177 printf("server read %d\n", r);
1178 sr_num -= r;
1179 }
1180 }
1181
1182 *s_time += (clock() - s_clock);
1183 }
1184
1185 {
1186 /* "I/O" BETWEEN CLIENT AND SERVER. */
1187
1188 size_t r1, r2;
1189 BIO *io1 = server_io, *io2 = client_io;
1190 /* we use the non-copying interface for io1
1191 * and the standard BIO_write/BIO_read interface for io2
1192 */
1193
1194 static int prev_progress = 1;
1195 int progress = 0;
1196
1197 /* io1 to io2 */
1198 do
1199 {
1200 size_t num;
1201 int r;
1202
1203 r1 = BIO_ctrl_pending(io1);
1204 r2 = BIO_ctrl_get_write_guarantee(io2);
1205
1206 num = r1;
1207 if (r2 < num)
1208 num = r2;
1209 if (num)
1210 {
1211 char *dataptr;
1212
1213 if (INT_MAX < num) /* yeah, right */
1214 num = INT_MAX;
1215
1216 r = BIO_nread(io1, &dataptr, (int)num);
1217 assert(r > 0);
1218 assert(r <= (int)num);
1219 /* possibly r < num (non-contiguous data) */
1220 num = r;
1221 r = BIO_write(io2, dataptr, (int)num);
1222 if (r != (int)num) /* can't happen */
1223 {
1224 fprintf(stderr, "ERROR: BIO_write could not write "
1225 "BIO_ctrl_get_write_guarantee() bytes");
1226 goto err;
1227 }
1228 progress = 1;
1229
1230 if (debug)
1231 printf((io1 == client_io) ?
1232 "C->S relaying: %d bytes\n" :
1233 "S->C relaying: %d bytes\n",
1234 (int)num);
1235 }
1236 }
1237 while (r1 && r2);
1238
1239 /* io2 to io1 */
1240 {
1241 size_t num;
1242 int r;
1243
1244 r1 = BIO_ctrl_pending(io2);
1245 r2 = BIO_ctrl_get_read_request(io1);
1246 /* here we could use ..._get_write_guarantee instead of
1247 * ..._get_read_request, but by using the latter
1248 * we test restartability of the SSL implementation
1249 * more thoroughly */
1250 num = r1;
1251 if (r2 < num)
1252 num = r2;
1253 if (num)
1254 {
1255 char *dataptr;
1256
1257 if (INT_MAX < num)
1258 num = INT_MAX;
1259
1260 if (num > 1)
1261 --num; /* test restartability even more thoroughly */
1262
1263 r = BIO_nwrite0(io1, &dataptr);
1264 assert(r > 0);
1265 if (r < (int)num)
1266 num = r;
1267 r = BIO_read(io2, dataptr, (int)num);
1268 if (r != (int)num) /* can't happen */
1269 {
1270 fprintf(stderr, "ERROR: BIO_read could not read "
1271 "BIO_ctrl_pending() bytes");
1272 goto err;
1273 }
1274 progress = 1;
1275 r = BIO_nwrite(io1, &dataptr, (int)num);
1276 if (r != (int)num) /* can't happen */
1277 {
1278 fprintf(stderr, "ERROR: BIO_nwrite() did not accept "
1279 "BIO_nwrite0() bytes");
1280 goto err;
1281 }
1282
1283 if (debug)
1284 printf((io2 == client_io) ?
1285 "C->S relaying: %d bytes\n" :
1286 "S->C relaying: %d bytes\n",
1287 (int)num);
1288 }
1289 } /* no loop, BIO_ctrl_get_read_request now returns 0 anyway */
1290
1291 if (!progress && !prev_progress)
1292 if (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0)
1293 {
1294 fprintf(stderr, "ERROR: got stuck\n");
1295 if (strcmp("SSLv2", SSL_get_version(c_ssl)) == 0)
1296 {
1297 fprintf(stderr, "This can happen for SSL2 because "
1298 "CLIENT-FINISHED and SERVER-VERIFY are written \n"
1299 "concurrently ...");
1300 if (strncmp("2SCF", SSL_state_string(c_ssl), 4) == 0
1301 && strncmp("2SSV", SSL_state_string(s_ssl), 4) == 0)
1302 {
1303 fprintf(stderr, " ok.\n");
1304 goto end;
1305 }
1306 }
1307 fprintf(stderr, " ERROR.\n");
1308 goto err;
1309 }
1310 prev_progress = progress;
1311 }
1312 }
1313 while (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0);
1314
1315 if (verbose)
1316 print_details(c_ssl, "DONE via BIO pair: ");
1317end:
1318 ret = 0;
1319
1320 err:
1321 ERR_print_errors(bio_err);
1322
1323 if (server)
1324 BIO_free(server);
1325 if (server_io)
1326 BIO_free(server_io);
1327 if (client)
1328 BIO_free(client);
1329 if (client_io)
1330 BIO_free(client_io);
1331 if (s_ssl_bio)
1332 BIO_free(s_ssl_bio);
1333 if (c_ssl_bio)
1334 BIO_free(c_ssl_bio);
1335
1336 return ret;
1337 }
1338
1339
1340#define W_READ 1
1341#define W_WRITE 2
1342#define C_DONE 1
1343#define S_DONE 2
1344
1345int doit(SSL *s_ssl, SSL *c_ssl, long count)
1346 {
1347 MS_STATIC char cbuf[1024*8],sbuf[1024*8];
1348 long cw_num=count,cr_num=count;
1349 long sw_num=count,sr_num=count;
1350 int ret=1;
1351 BIO *c_to_s=NULL;
1352 BIO *s_to_c=NULL;
1353 BIO *c_bio=NULL;
1354 BIO *s_bio=NULL;
1355 int c_r,c_w,s_r,s_w;
1356 int c_want,s_want;
1357 int i,j;
1358 int done=0;
1359 int c_write,s_write;
1360 int do_server=0,do_client=0;
1361
1362 memset(cbuf,0,sizeof(cbuf));
1363 memset(sbuf,0,sizeof(sbuf));
1364
1365 c_to_s=BIO_new(BIO_s_mem());
1366 s_to_c=BIO_new(BIO_s_mem());
1367 if ((s_to_c == NULL) || (c_to_s == NULL))
1368 {
1369 ERR_print_errors(bio_err);
1370 goto err;
1371 }
1372
1373 c_bio=BIO_new(BIO_f_ssl());
1374 s_bio=BIO_new(BIO_f_ssl());
1375 if ((c_bio == NULL) || (s_bio == NULL))
1376 {
1377 ERR_print_errors(bio_err);
1378 goto err;
1379 }
1380
1381 SSL_set_connect_state(c_ssl);
1382 SSL_set_bio(c_ssl,s_to_c,c_to_s);
1383 BIO_set_ssl(c_bio,c_ssl,BIO_NOCLOSE);
1384
1385 SSL_set_accept_state(s_ssl);
1386 SSL_set_bio(s_ssl,c_to_s,s_to_c);
1387 BIO_set_ssl(s_bio,s_ssl,BIO_NOCLOSE);
1388
1389 c_r=0; s_r=1;
1390 c_w=1; s_w=0;
1391 c_want=W_WRITE;
1392 s_want=0;
1393 c_write=1,s_write=0;
1394
1395 /* We can always do writes */
1396 for (;;)
1397 {
1398 do_server=0;
1399 do_client=0;
1400
1401 i=(int)BIO_pending(s_bio);
1402 if ((i && s_r) || s_w) do_server=1;
1403
1404 i=(int)BIO_pending(c_bio);
1405 if ((i && c_r) || c_w) do_client=1;
1406
1407 if (do_server && debug)
1408 {
1409 if (SSL_in_init(s_ssl))
1410 printf("server waiting in SSL_accept - %s\n",
1411 SSL_state_string_long(s_ssl));
1412/* else if (s_write)
1413 printf("server:SSL_write()\n");
1414 else
1415 printf("server:SSL_read()\n"); */
1416 }
1417
1418 if (do_client && debug)
1419 {
1420 if (SSL_in_init(c_ssl))
1421 printf("client waiting in SSL_connect - %s\n",
1422 SSL_state_string_long(c_ssl));
1423/* else if (c_write)
1424 printf("client:SSL_write()\n");
1425 else
1426 printf("client:SSL_read()\n"); */
1427 }
1428
1429 if (!do_client && !do_server)
1430 {
1431 fprintf(stdout,"ERROR IN STARTUP\n");
1432 ERR_print_errors(bio_err);
1433 break;
1434 }
1435 if (do_client && !(done & C_DONE))
1436 {
1437 if (c_write)
1438 {
1439 j = (cw_num > (long)sizeof(cbuf)) ?
1440 (int)sizeof(cbuf) : (int)cw_num;
1441 i=BIO_write(c_bio,cbuf,j);
1442 if (i < 0)
1443 {
1444 c_r=0;
1445 c_w=0;
1446 if (BIO_should_retry(c_bio))
1447 {
1448 if (BIO_should_read(c_bio))
1449 c_r=1;
1450 if (BIO_should_write(c_bio))
1451 c_w=1;
1452 }
1453 else
1454 {
1455 fprintf(stderr,"ERROR in CLIENT\n");
1456 ERR_print_errors(bio_err);
1457 goto err;
1458 }
1459 }
1460 else if (i == 0)
1461 {
1462 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1463 goto err;
1464 }
1465 else
1466 {
1467 if (debug)
1468 printf("client wrote %d\n",i);
1469 /* ok */
1470 s_r=1;
1471 c_write=0;
1472 cw_num-=i;
1473 }
1474 }
1475 else
1476 {
1477 i=BIO_read(c_bio,cbuf,sizeof(cbuf));
1478 if (i < 0)
1479 {
1480 c_r=0;
1481 c_w=0;
1482 if (BIO_should_retry(c_bio))
1483 {
1484 if (BIO_should_read(c_bio))
1485 c_r=1;
1486 if (BIO_should_write(c_bio))
1487 c_w=1;
1488 }
1489 else
1490 {
1491 fprintf(stderr,"ERROR in CLIENT\n");
1492 ERR_print_errors(bio_err);
1493 goto err;
1494 }
1495 }
1496 else if (i == 0)
1497 {
1498 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1499 goto err;
1500 }
1501 else
1502 {
1503 if (debug)
1504 printf("client read %d\n",i);
1505 cr_num-=i;
1506 if (sw_num > 0)
1507 {
1508 s_write=1;
1509 s_w=1;
1510 }
1511 if (cr_num <= 0)
1512 {
1513 s_write=1;
1514 s_w=1;
1515 done=S_DONE|C_DONE;
1516 }
1517 }
1518 }
1519 }
1520
1521 if (do_server && !(done & S_DONE))
1522 {
1523 if (!s_write)
1524 {
1525 i=BIO_read(s_bio,sbuf,sizeof(cbuf));
1526 if (i < 0)
1527 {
1528 s_r=0;
1529 s_w=0;
1530 if (BIO_should_retry(s_bio))
1531 {
1532 if (BIO_should_read(s_bio))
1533 s_r=1;
1534 if (BIO_should_write(s_bio))
1535 s_w=1;
1536 }
1537 else
1538 {
1539 fprintf(stderr,"ERROR in SERVER\n");
1540 ERR_print_errors(bio_err);
1541 goto err;
1542 }
1543 }
1544 else if (i == 0)
1545 {
1546 ERR_print_errors(bio_err);
1547 fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_read\n");
1548 goto err;
1549 }
1550 else
1551 {
1552 if (debug)
1553 printf("server read %d\n",i);
1554 sr_num-=i;
1555 if (cw_num > 0)
1556 {
1557 c_write=1;
1558 c_w=1;
1559 }
1560 if (sr_num <= 0)
1561 {
1562 s_write=1;
1563 s_w=1;
1564 c_write=0;
1565 }
1566 }
1567 }
1568 else
1569 {
1570 j = (sw_num > (long)sizeof(sbuf)) ?
1571 (int)sizeof(sbuf) : (int)sw_num;
1572 i=BIO_write(s_bio,sbuf,j);
1573 if (i < 0)
1574 {
1575 s_r=0;
1576 s_w=0;
1577 if (BIO_should_retry(s_bio))
1578 {
1579 if (BIO_should_read(s_bio))
1580 s_r=1;
1581 if (BIO_should_write(s_bio))
1582 s_w=1;
1583 }
1584 else
1585 {
1586 fprintf(stderr,"ERROR in SERVER\n");
1587 ERR_print_errors(bio_err);
1588 goto err;
1589 }
1590 }
1591 else if (i == 0)
1592 {
1593 ERR_print_errors(bio_err);
1594 fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_write\n");
1595 goto err;
1596 }
1597 else
1598 {
1599 if (debug)
1600 printf("server wrote %d\n",i);
1601 sw_num-=i;
1602 s_write=0;
1603 c_r=1;
1604 if (sw_num <= 0)
1605 done|=S_DONE;
1606 }
1607 }
1608 }
1609
1610 if ((done & S_DONE) && (done & C_DONE)) break;
1611 }
1612
1613 if (verbose)
1614 print_details(c_ssl, "DONE: ");
1615 ret=0;
1616err:
1617 /* We have to set the BIO's to NULL otherwise they will be
1618 * OPENSSL_free()ed twice. Once when th s_ssl is SSL_free()ed and
1619 * again when c_ssl is SSL_free()ed.
1620 * This is a hack required because s_ssl and c_ssl are sharing the same
1621 * BIO structure and SSL_set_bio() and SSL_free() automatically
1622 * BIO_free non NULL entries.
1623 * You should not normally do this or be required to do this */
1624 if (s_ssl != NULL)
1625 {
1626 s_ssl->rbio=NULL;
1627 s_ssl->wbio=NULL;
1628 }
1629 if (c_ssl != NULL)
1630 {
1631 c_ssl->rbio=NULL;
1632 c_ssl->wbio=NULL;
1633 }
1634
1635 if (c_to_s != NULL) BIO_free(c_to_s);
1636 if (s_to_c != NULL) BIO_free(s_to_c);
1637 if (c_bio != NULL) BIO_free_all(c_bio);
1638 if (s_bio != NULL) BIO_free_all(s_bio);
1639 return(ret);
1640 }
1641
1642static int get_proxy_auth_ex_data_idx(void)
1643 {
1644 static volatile int idx = -1;
1645 if (idx < 0)
1646 {
1647 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
1648 if (idx < 0)
1649 {
1650 idx = X509_STORE_CTX_get_ex_new_index(0,
1651 "SSLtest for verify callback", NULL,NULL,NULL);
1652 }
1653 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
1654 }
1655 return idx;
1656 }
1657
1658static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
1659 {
1660 char *s,buf[256];
1661
1662 s=X509_NAME_oneline(X509_get_subject_name(ctx->current_cert),buf,
1663 sizeof buf);
1664 if (s != NULL)
1665 {
1666 if (ok)
1667 fprintf(stderr,"depth=%d %s\n",
1668 ctx->error_depth,buf);
1669 else
1670 {
1671 fprintf(stderr,"depth=%d error=%d %s\n",
1672 ctx->error_depth,ctx->error,buf);
1673 }
1674 }
1675
1676 if (ok == 0)
1677 {
1678 fprintf(stderr,"Error string: %s\n",
1679 X509_verify_cert_error_string(ctx->error));
1680 switch (ctx->error)
1681 {
1682 case X509_V_ERR_CERT_NOT_YET_VALID:
1683 case X509_V_ERR_CERT_HAS_EXPIRED:
1684 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
1685 fprintf(stderr," ... ignored.\n");
1686 ok=1;
1687 }
1688 }
1689
1690 if (ok == 1)
1691 {
1692 X509 *xs = ctx->current_cert;
1693#if 0
1694 X509 *xi = ctx->current_issuer;
1695#endif
1696
1697 if (xs->ex_flags & EXFLAG_PROXY)
1698 {
1699 unsigned int *letters =
1700 X509_STORE_CTX_get_ex_data(ctx,
1701 get_proxy_auth_ex_data_idx());
1702
1703 if (letters)
1704 {
1705 int found_any = 0;
1706 int i;
1707 PROXY_CERT_INFO_EXTENSION *pci =
1708 X509_get_ext_d2i(xs, NID_proxyCertInfo,
1709 NULL, NULL);
1710
1711 switch (OBJ_obj2nid(pci->proxyPolicy->policyLanguage))
1712 {
1713 case NID_Independent:
1714 /* Completely meaningless in this
1715 program, as there's no way to
1716 grant explicit rights to a
1717 specific PrC. Basically, using
1718 id-ppl-Independent is the perfect
1719 way to grant no rights at all. */
1720 fprintf(stderr, " Independent proxy certificate");
1721 for (i = 0; i < 26; i++)
1722 letters[i] = 0;
1723 break;
1724 case NID_id_ppl_inheritAll:
1725 /* This is basically a NOP, we
1726 simply let the current rights
1727 stand as they are. */
1728 fprintf(stderr, " Proxy certificate inherits all");
1729 break;
1730 default:
1731 s = (char *)
1732 pci->proxyPolicy->policy->data;
1733 i = pci->proxyPolicy->policy->length;
1734
1735 /* The algorithm works as follows:
1736 it is assumed that previous
1737 iterations or the initial granted
1738 rights has already set some elements
1739 of `letters'. What we need to do is
1740 to clear those that weren't granted
1741 by the current PrC as well. The
1742 easiest way to do this is to add 1
1743 to all the elements whose letters
1744 are given with the current policy.
1745 That way, all elements that are set
1746 by the current policy and were
1747 already set by earlier policies and
1748 through the original grant of rights
1749 will get the value 2 or higher.
1750 The last thing to do is to sweep
1751 through `letters' and keep the
1752 elements having the value 2 as set,
1753 and clear all the others. */
1754
1755 fprintf(stderr, " Certificate proxy rights = %*.*s", i, i, s);
1756 while(i-- > 0)
1757 {
1758 int c = *s++;
1759 if (isascii(c) && isalpha(c))
1760 {
1761 if (islower(c))
1762 c = toupper(c);
1763 letters[c - 'A']++;
1764 }
1765 }
1766 for (i = 0; i < 26; i++)
1767 if (letters[i] < 2)
1768 letters[i] = 0;
1769 else
1770 letters[i] = 1;
1771 }
1772
1773 found_any = 0;
1774 fprintf(stderr,
1775 ", resulting proxy rights = ");
1776 for(i = 0; i < 26; i++)
1777 if (letters[i])
1778 {
1779 fprintf(stderr, "%c", i + 'A');
1780 found_any = 1;
1781 }
1782 if (!found_any)
1783 fprintf(stderr, "none");
1784 fprintf(stderr, "\n");
1785
1786 PROXY_CERT_INFO_EXTENSION_free(pci);
1787 }
1788 }
1789 }
1790
1791 return(ok);
1792 }
1793
1794static void process_proxy_debug(int indent, const char *format, ...)
1795 {
1796 static const char indentation[] =
1797 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
1798 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"; /* That's 80 > */
1799 char my_format[256];
1800 va_list args;
1801
1802 BIO_snprintf(my_format, sizeof(my_format), "%*.*s %s",
1803 indent, indent, indentation, format);
1804
1805 va_start(args, format);
1806 vfprintf(stderr, my_format, args);
1807 va_end(args);
1808 }
1809/* Priority levels:
1810 0 [!]var, ()
1811 1 & ^
1812 2 |
1813*/
1814static int process_proxy_cond_adders(unsigned int letters[26],
1815 const char *cond, const char **cond_end, int *pos, int indent);
1816static int process_proxy_cond_val(unsigned int letters[26],
1817 const char *cond, const char **cond_end, int *pos, int indent)
1818 {
1819 int c;
1820 int ok = 1;
1821 int negate = 0;
1822
1823 while(isspace((int)*cond))
1824 {
1825 cond++; (*pos)++;
1826 }
1827 c = *cond;
1828
1829 if (debug)
1830 process_proxy_debug(indent,
1831 "Start process_proxy_cond_val at position %d: %s\n",
1832 *pos, cond);
1833
1834 while(c == '!')
1835 {
1836 negate = !negate;
1837 cond++; (*pos)++;
1838 while(isspace((int)*cond))
1839 {
1840 cond++; (*pos)++;
1841 }
1842 c = *cond;
1843 }
1844
1845 if (c == '(')
1846 {
1847 cond++; (*pos)++;
1848 ok = process_proxy_cond_adders(letters, cond, cond_end, pos,
1849 indent + 1);
1850 cond = *cond_end;
1851 if (ok < 0)
1852 goto end;
1853 while(isspace((int)*cond))
1854 {
1855 cond++; (*pos)++;
1856 }
1857 c = *cond;
1858 if (c != ')')
1859 {
1860 fprintf(stderr,
1861 "Weird condition character in position %d: "
1862 "%c\n", *pos, c);
1863 ok = -1;
1864 goto end;
1865 }
1866 cond++; (*pos)++;
1867 }
1868 else if (isascii(c) && isalpha(c))
1869 {
1870 if (islower(c))
1871 c = toupper(c);
1872 ok = letters[c - 'A'];
1873 cond++; (*pos)++;
1874 }
1875 else
1876 {
1877 fprintf(stderr,
1878 "Weird condition character in position %d: "
1879 "%c\n", *pos, c);
1880 ok = -1;
1881 goto end;
1882 }
1883 end:
1884 *cond_end = cond;
1885 if (ok >= 0 && negate)
1886 ok = !ok;
1887
1888 if (debug)
1889 process_proxy_debug(indent,
1890 "End process_proxy_cond_val at position %d: %s, returning %d\n",
1891 *pos, cond, ok);
1892
1893 return ok;
1894 }
1895static int process_proxy_cond_multipliers(unsigned int letters[26],
1896 const char *cond, const char **cond_end, int *pos, int indent)
1897 {
1898 int ok;
1899 char c;
1900
1901 if (debug)
1902 process_proxy_debug(indent,
1903 "Start process_proxy_cond_multipliers at position %d: %s\n",
1904 *pos, cond);
1905
1906 ok = process_proxy_cond_val(letters, cond, cond_end, pos, indent + 1);
1907 cond = *cond_end;
1908 if (ok < 0)
1909 goto end;
1910
1911 while(ok >= 0)
1912 {
1913 while(isspace((int)*cond))
1914 {
1915 cond++; (*pos)++;
1916 }
1917 c = *cond;
1918
1919 switch(c)
1920 {
1921 case '&':
1922 case '^':
1923 {
1924 int save_ok = ok;
1925
1926 cond++; (*pos)++;
1927 ok = process_proxy_cond_val(letters,
1928 cond, cond_end, pos, indent + 1);
1929 cond = *cond_end;
1930 if (ok < 0)
1931 break;
1932
1933 switch(c)
1934 {
1935 case '&':
1936 ok &= save_ok;
1937 break;
1938 case '^':
1939 ok ^= save_ok;
1940 break;
1941 default:
1942 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
1943 " STOPPING\n");
1944 EXIT(1);
1945 }
1946 }
1947 break;
1948 default:
1949 goto end;
1950 }
1951 }
1952 end:
1953 if (debug)
1954 process_proxy_debug(indent,
1955 "End process_proxy_cond_multipliers at position %d: %s, returning %d\n",
1956 *pos, cond, ok);
1957
1958 *cond_end = cond;
1959 return ok;
1960 }
1961static int process_proxy_cond_adders(unsigned int letters[26],
1962 const char *cond, const char **cond_end, int *pos, int indent)
1963 {
1964 int ok;
1965 char c;
1966
1967 if (debug)
1968 process_proxy_debug(indent,
1969 "Start process_proxy_cond_adders at position %d: %s\n",
1970 *pos, cond);
1971
1972 ok = process_proxy_cond_multipliers(letters, cond, cond_end, pos,
1973 indent + 1);
1974 cond = *cond_end;
1975 if (ok < 0)
1976 goto end;
1977
1978 while(ok >= 0)
1979 {
1980 while(isspace((int)*cond))
1981 {
1982 cond++; (*pos)++;
1983 }
1984 c = *cond;
1985
1986 switch(c)
1987 {
1988 case '|':
1989 {
1990 int save_ok = ok;
1991
1992 cond++; (*pos)++;
1993 ok = process_proxy_cond_multipliers(letters,
1994 cond, cond_end, pos, indent + 1);
1995 cond = *cond_end;
1996 if (ok < 0)
1997 break;
1998
1999 switch(c)
2000 {
2001 case '|':
2002 ok |= save_ok;
2003 break;
2004 default:
2005 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
2006 " STOPPING\n");
2007 EXIT(1);
2008 }
2009 }
2010 break;
2011 default:
2012 goto end;
2013 }
2014 }
2015 end:
2016 if (debug)
2017 process_proxy_debug(indent,
2018 "End process_proxy_cond_adders at position %d: %s, returning %d\n",
2019 *pos, cond, ok);
2020
2021 *cond_end = cond;
2022 return ok;
2023 }
2024
2025static int process_proxy_cond(unsigned int letters[26],
2026 const char *cond, const char **cond_end)
2027 {
2028 int pos = 1;
2029 return process_proxy_cond_adders(letters, cond, cond_end, &pos, 1);
2030 }
2031
2032static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg)
2033 {
2034 int ok=1;
2035 struct app_verify_arg *cb_arg = arg;
2036 unsigned int letters[26]; /* only used with proxy_auth */
2037
2038 if (cb_arg->app_verify)
2039 {
2040 char *s = NULL,buf[256];
2041
2042 fprintf(stderr, "In app_verify_callback, allowing cert. ");
2043 fprintf(stderr, "Arg is: %s\n", cb_arg->string);
2044 fprintf(stderr, "Finished printing do we have a context? 0x%p a cert? 0x%p\n",
2045 (void *)ctx, (void *)ctx->cert);
2046 if (ctx->cert)
2047 s=X509_NAME_oneline(X509_get_subject_name(ctx->cert),buf,256);
2048 if (s != NULL)
2049 {
2050 fprintf(stderr,"cert depth=%d %s\n",ctx->error_depth,buf);
2051 }
2052 return(1);
2053 }
2054 if (cb_arg->proxy_auth)
2055 {
2056 int found_any = 0, i;
2057 char *sp;
2058
2059 for(i = 0; i < 26; i++)
2060 letters[i] = 0;
2061 for(sp = cb_arg->proxy_auth; *sp; sp++)
2062 {
2063 int c = *sp;
2064 if (isascii(c) && isalpha(c))
2065 {
2066 if (islower(c))
2067 c = toupper(c);
2068 letters[c - 'A'] = 1;
2069 }
2070 }
2071
2072 fprintf(stderr,
2073 " Initial proxy rights = ");
2074 for(i = 0; i < 26; i++)
2075 if (letters[i])
2076 {
2077 fprintf(stderr, "%c", i + 'A');
2078 found_any = 1;
2079 }
2080 if (!found_any)
2081 fprintf(stderr, "none");
2082 fprintf(stderr, "\n");
2083
2084 X509_STORE_CTX_set_ex_data(ctx,
2085 get_proxy_auth_ex_data_idx(),letters);
2086 }
2087 if (cb_arg->allow_proxy_certs)
2088 {
2089 X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
2090 }
2091
2092#ifndef OPENSSL_NO_X509_VERIFY
2093 ok = X509_verify_cert(ctx);
2094#endif
2095
2096 if (cb_arg->proxy_auth)
2097 {
2098 if (ok)
2099 {
2100 const char *cond_end = NULL;
2101
2102 ok = process_proxy_cond(letters,
2103 cb_arg->proxy_cond, &cond_end);
2104
2105 if (ok < 0)
2106 EXIT(3);
2107 if (*cond_end)
2108 {
2109 fprintf(stderr, "Stopped processing condition before it's end.\n");
2110 ok = 0;
2111 }
2112 if (!ok)
2113 fprintf(stderr, "Proxy rights check with condition '%s' proved invalid\n",
2114 cb_arg->proxy_cond);
2115 else
2116 fprintf(stderr, "Proxy rights check with condition '%s' proved valid\n",
2117 cb_arg->proxy_cond);
2118 }
2119 }
2120 return(ok);
2121 }
2122
2123#ifndef OPENSSL_NO_RSA
2124static RSA *rsa_tmp=NULL;
2125
2126static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength)
2127 {
2128 BIGNUM *bn = NULL;
2129 if (rsa_tmp == NULL)
2130 {
2131 bn = BN_new();
2132 rsa_tmp = RSA_new();
2133 if(!bn || !rsa_tmp || !BN_set_word(bn, RSA_F4))
2134 {
2135 BIO_printf(bio_err, "Memory error...");
2136 goto end;
2137 }
2138 BIO_printf(bio_err,"Generating temp (%d bit) RSA key...",keylength);
2139 (void)BIO_flush(bio_err);
2140 if(!RSA_generate_key_ex(rsa_tmp,keylength,bn,NULL))
2141 {
2142 BIO_printf(bio_err, "Error generating key.");
2143 RSA_free(rsa_tmp);
2144 rsa_tmp = NULL;
2145 }
2146end:
2147 BIO_printf(bio_err,"\n");
2148 (void)BIO_flush(bio_err);
2149 }
2150 if(bn) BN_free(bn);
2151 return(rsa_tmp);
2152 }
2153
2154static void free_tmp_rsa(void)
2155 {
2156 if (rsa_tmp != NULL)
2157 {
2158 RSA_free(rsa_tmp);
2159 rsa_tmp = NULL;
2160 }
2161 }
2162#endif
2163
2164#ifndef OPENSSL_NO_DH
2165/* These DH parameters have been generated as follows:
2166 * $ openssl dhparam -C -noout 512
2167 * $ openssl dhparam -C -noout 1024
2168 * $ openssl dhparam -C -noout -dsaparam 1024
2169 * (The third function has been renamed to avoid name conflicts.)
2170 */
2171static DH *get_dh512()
2172 {
2173 static unsigned char dh512_p[]={
2174 0xCB,0xC8,0xE1,0x86,0xD0,0x1F,0x94,0x17,0xA6,0x99,0xF0,0xC6,
2175 0x1F,0x0D,0xAC,0xB6,0x25,0x3E,0x06,0x39,0xCA,0x72,0x04,0xB0,
2176 0x6E,0xDA,0xC0,0x61,0xE6,0x7A,0x77,0x25,0xE8,0x3B,0xB9,0x5F,
2177 0x9A,0xB6,0xB5,0xFE,0x99,0x0B,0xA1,0x93,0x4E,0x35,0x33,0xB8,
2178 0xE1,0xF1,0x13,0x4F,0x59,0x1A,0xD2,0x57,0xC0,0x26,0x21,0x33,
2179 0x02,0xC5,0xAE,0x23,
2180 };
2181 static unsigned char dh512_g[]={
2182 0x02,
2183 };
2184 DH *dh;
2185
2186 if ((dh=DH_new()) == NULL) return(NULL);
2187 dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
2188 dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
2189 if ((dh->p == NULL) || (dh->g == NULL))
2190 { DH_free(dh); return(NULL); }
2191 return(dh);
2192 }
2193
2194static DH *get_dh1024()
2195 {
2196 static unsigned char dh1024_p[]={
2197 0xF8,0x81,0x89,0x7D,0x14,0x24,0xC5,0xD1,0xE6,0xF7,0xBF,0x3A,
2198 0xE4,0x90,0xF4,0xFC,0x73,0xFB,0x34,0xB5,0xFA,0x4C,0x56,0xA2,
2199 0xEA,0xA7,0xE9,0xC0,0xC0,0xCE,0x89,0xE1,0xFA,0x63,0x3F,0xB0,
2200 0x6B,0x32,0x66,0xF1,0xD1,0x7B,0xB0,0x00,0x8F,0xCA,0x87,0xC2,
2201 0xAE,0x98,0x89,0x26,0x17,0xC2,0x05,0xD2,0xEC,0x08,0xD0,0x8C,
2202 0xFF,0x17,0x52,0x8C,0xC5,0x07,0x93,0x03,0xB1,0xF6,0x2F,0xB8,
2203 0x1C,0x52,0x47,0x27,0x1B,0xDB,0xD1,0x8D,0x9D,0x69,0x1D,0x52,
2204 0x4B,0x32,0x81,0xAA,0x7F,0x00,0xC8,0xDC,0xE6,0xD9,0xCC,0xC1,
2205 0x11,0x2D,0x37,0x34,0x6C,0xEA,0x02,0x97,0x4B,0x0E,0xBB,0xB1,
2206 0x71,0x33,0x09,0x15,0xFD,0xDD,0x23,0x87,0x07,0x5E,0x89,0xAB,
2207 0x6B,0x7C,0x5F,0xEC,0xA6,0x24,0xDC,0x53,
2208 };
2209 static unsigned char dh1024_g[]={
2210 0x02,
2211 };
2212 DH *dh;
2213
2214 if ((dh=DH_new()) == NULL) return(NULL);
2215 dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
2216 dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
2217 if ((dh->p == NULL) || (dh->g == NULL))
2218 { DH_free(dh); return(NULL); }
2219 return(dh);
2220 }
2221
2222static DH *get_dh1024dsa()
2223 {
2224 static unsigned char dh1024_p[]={
2225 0xC8,0x00,0xF7,0x08,0x07,0x89,0x4D,0x90,0x53,0xF3,0xD5,0x00,
2226 0x21,0x1B,0xF7,0x31,0xA6,0xA2,0xDA,0x23,0x9A,0xC7,0x87,0x19,
2227 0x3B,0x47,0xB6,0x8C,0x04,0x6F,0xFF,0xC6,0x9B,0xB8,0x65,0xD2,
2228 0xC2,0x5F,0x31,0x83,0x4A,0xA7,0x5F,0x2F,0x88,0x38,0xB6,0x55,
2229 0xCF,0xD9,0x87,0x6D,0x6F,0x9F,0xDA,0xAC,0xA6,0x48,0xAF,0xFC,
2230 0x33,0x84,0x37,0x5B,0x82,0x4A,0x31,0x5D,0xE7,0xBD,0x52,0x97,
2231 0xA1,0x77,0xBF,0x10,0x9E,0x37,0xEA,0x64,0xFA,0xCA,0x28,0x8D,
2232 0x9D,0x3B,0xD2,0x6E,0x09,0x5C,0x68,0xC7,0x45,0x90,0xFD,0xBB,
2233 0x70,0xC9,0x3A,0xBB,0xDF,0xD4,0x21,0x0F,0xC4,0x6A,0x3C,0xF6,
2234 0x61,0xCF,0x3F,0xD6,0x13,0xF1,0x5F,0xBC,0xCF,0xBC,0x26,0x9E,
2235 0xBC,0x0B,0xBD,0xAB,0x5D,0xC9,0x54,0x39,
2236 };
2237 static unsigned char dh1024_g[]={
2238 0x3B,0x40,0x86,0xE7,0xF3,0x6C,0xDE,0x67,0x1C,0xCC,0x80,0x05,
2239 0x5A,0xDF,0xFE,0xBD,0x20,0x27,0x74,0x6C,0x24,0xC9,0x03,0xF3,
2240 0xE1,0x8D,0xC3,0x7D,0x98,0x27,0x40,0x08,0xB8,0x8C,0x6A,0xE9,
2241 0xBB,0x1A,0x3A,0xD6,0x86,0x83,0x5E,0x72,0x41,0xCE,0x85,0x3C,
2242 0xD2,0xB3,0xFC,0x13,0xCE,0x37,0x81,0x9E,0x4C,0x1C,0x7B,0x65,
2243 0xD3,0xE6,0xA6,0x00,0xF5,0x5A,0x95,0x43,0x5E,0x81,0xCF,0x60,
2244 0xA2,0x23,0xFC,0x36,0xA7,0x5D,0x7A,0x4C,0x06,0x91,0x6E,0xF6,
2245 0x57,0xEE,0x36,0xCB,0x06,0xEA,0xF5,0x3D,0x95,0x49,0xCB,0xA7,
2246 0xDD,0x81,0xDF,0x80,0x09,0x4A,0x97,0x4D,0xA8,0x22,0x72,0xA1,
2247 0x7F,0xC4,0x70,0x56,0x70,0xE8,0x20,0x10,0x18,0x8F,0x2E,0x60,
2248 0x07,0xE7,0x68,0x1A,0x82,0x5D,0x32,0xA2,
2249 };
2250 DH *dh;
2251
2252 if ((dh=DH_new()) == NULL) return(NULL);
2253 dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
2254 dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
2255 if ((dh->p == NULL) || (dh->g == NULL))
2256 { DH_free(dh); return(NULL); }
2257 dh->length = 160;
2258 return(dh);
2259 }
2260#endif
2261
2262static int do_test_cipherlist(void)
2263 {
2264 int i = 0;
2265 const SSL_METHOD *meth;
2266 SSL_CIPHER *ci, *tci = NULL;
2267
2268#ifndef OPENSSL_NO_SSL2
2269 fprintf(stderr, "testing SSLv2 cipher list order: ");
2270 meth = SSLv2_method();
2271 while ((ci = meth->get_cipher(i++)) != NULL)
2272 {
2273 if (tci != NULL)
2274 if (ci->id >= tci->id)
2275 {
2276 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2277 return 0;
2278 }
2279 tci = ci;
2280 }
2281 fprintf(stderr, "ok\n");
2282#endif
2283#ifndef OPENSSL_NO_SSL3
2284 fprintf(stderr, "testing SSLv3 cipher list order: ");
2285 meth = SSLv3_method();
2286 tci = NULL;
2287 while ((ci = meth->get_cipher(i++)) != NULL)
2288 {
2289 if (tci != NULL)
2290 if (ci->id >= tci->id)
2291 {
2292 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2293 return 0;
2294 }
2295 tci = ci;
2296 }
2297 fprintf(stderr, "ok\n");
2298#endif
2299#ifndef OPENSSL_NO_TLS1
2300 fprintf(stderr, "testing TLSv1 cipher list order: ");
2301 meth = TLSv1_method();
2302 tci = NULL;
2303 while ((ci = meth->get_cipher(i++)) != NULL)
2304 {
2305 if (tci != NULL)
2306 if (ci->id >= tci->id)
2307 {
2308 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2309 return 0;
2310 }
2311 tci = ci;
2312 }
2313 fprintf(stderr, "ok\n");
2314#endif
2315
2316 return 1;
2317 }
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-10-05 14:13:24 +0000