summaryrefslogtreecommitdiff
path: root/src/lib/libssl/src/ssl/ssltest.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libssl/src/ssl/ssltest.c')
-rw-r--r--src/lib/libssl/src/ssl/ssltest.c2464
1 files changed, 2464 insertions, 0 deletions
diff --git a/src/lib/libssl/src/ssl/ssltest.c b/src/lib/libssl/src/ssl/ssltest.c
new file mode 100644
index 0000000000..08c90478f4
--- /dev/null
+++ b/src/lib/libssl/src/ssl/ssltest.c
@@ -0,0 +1,2464 @@
1/* ssl/ssltest.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111/* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 * ECC cipher suite support in OpenSSL originally developed by
114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
115 */
116/* ====================================================================
117 * Copyright 2005 Nokia. All rights reserved.
118 *
119 * The portions of the attached software ("Contribution") is developed by
120 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
121 * license.
122 *
123 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
124 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
125 * support (see RFC 4279) to OpenSSL.
126 *
127 * No patent licenses or other rights except those expressly stated in
128 * the OpenSSL open source license shall be deemed granted or received
129 * expressly, by implication, estoppel, or otherwise.
130 *
131 * No assurances are provided by Nokia that the Contribution does not
132 * infringe the patent or other intellectual property rights of any third
133 * party or that the license provides you with all the necessary rights
134 * to make use of the Contribution.
135 *
136 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
137 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
138 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
139 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
140 * OTHERWISE.
141 */
142
143#define _BSD_SOURCE 1 /* Or gethostname won't be declared properly
144 on Linux and GNU platforms. */
145
146#include <assert.h>
147#include <errno.h>
148#include <limits.h>
149#include <stdio.h>
150#include <stdlib.h>
151#include <string.h>
152#include <time.h>
153#include <inttypes.h>
154#include <ctype.h>
155
156#define USE_SOCKETS
157#include "e_os.h"
158
159#ifdef OPENSSL_SYS_VMS
160#define _XOPEN_SOURCE 500 /* Or isascii won't be declared properly on
161 VMS (at least with DECompHP C). */
162#endif
163
164#include <ctype.h>
165
166#include <openssl/bio.h>
167#include <openssl/crypto.h>
168#include <openssl/evp.h>
169#include <openssl/x509.h>
170#include <openssl/x509v3.h>
171#include <openssl/ssl.h>
172#ifndef OPENSSL_NO_ENGINE
173#include <openssl/engine.h>
174#endif
175#include <openssl/err.h>
176#include <openssl/rand.h>
177#ifndef OPENSSL_NO_RSA
178#include <openssl/rsa.h>
179#endif
180#ifndef OPENSSL_NO_DSA
181#include <openssl/dsa.h>
182#endif
183#ifndef OPENSSL_NO_DH
184#include <openssl/dh.h>
185#endif
186#include <openssl/bn.h>
187
188#define _XOPEN_SOURCE_EXTENDED 1 /* Or gethostname won't be declared properly
189 on Compaq platforms (at least with DEC C).
190 Do not try to put it earlier, or IPv6 includes
191 get screwed...
192 */
193
194#ifdef OPENSSL_SYS_WINDOWS
195#include <winsock.h>
196#else
197#include OPENSSL_UNISTD
198#endif
199
200#ifdef OPENSSL_SYS_VMS
201# define TEST_SERVER_CERT "SYS$DISK:[-.APPS]SERVER.PEM"
202# define TEST_CLIENT_CERT "SYS$DISK:[-.APPS]CLIENT.PEM"
203#elif defined(OPENSSL_SYS_WINCE)
204# define TEST_SERVER_CERT "\\OpenSSL\\server.pem"
205# define TEST_CLIENT_CERT "\\OpenSSL\\client.pem"
206#elif defined(OPENSSL_SYS_NETWARE)
207# define TEST_SERVER_CERT "\\openssl\\apps\\server.pem"
208# define TEST_CLIENT_CERT "\\openssl\\apps\\client.pem"
209#else
210# define TEST_SERVER_CERT "../apps/server.pem"
211# define TEST_CLIENT_CERT "../apps/client.pem"
212#endif
213
214/* There is really no standard for this, so let's assign some tentative
215 numbers. In any case, these numbers are only for this test */
216#define COMP_RLE 255
217#define COMP_ZLIB 1
218
219static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
220#ifndef OPENSSL_NO_RSA
221static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export,int keylength);
222static void free_tmp_rsa(void);
223#endif
224static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg);
225#define APP_CALLBACK_STRING "Test Callback Argument"
226struct app_verify_arg
227 {
228 char *string;
229 int app_verify;
230 int allow_proxy_certs;
231 char *proxy_auth;
232 char *proxy_cond;
233 };
234
235#ifndef OPENSSL_NO_DH
236static DH *get_dh512(void);
237static DH *get_dh1024(void);
238static DH *get_dh1024dsa(void);
239#endif
240
241
242static char *psk_key=NULL; /* by default PSK is not used */
243#ifndef OPENSSL_NO_PSK
244static unsigned int psk_client_callback(SSL *ssl, const char *hint, char *identity,
245 unsigned int max_identity_len, unsigned char *psk,
246 unsigned int max_psk_len);
247static unsigned int psk_server_callback(SSL *ssl, const char *identity, unsigned char *psk,
248 unsigned int max_psk_len);
249#endif
250
251static BIO *bio_err=NULL;
252static BIO *bio_stdout=NULL;
253
254static char *cipher=NULL;
255static int verbose=0;
256static int debug=0;
257#if 0
258/* Not used yet. */
259#ifdef FIONBIO
260static int s_nbio=0;
261#endif
262#endif
263
264static const char rnd_seed[] = "string to make the random number generator think it has entropy";
265
266int doit_biopair(SSL *s_ssl,SSL *c_ssl,long bytes,clock_t *s_time,clock_t *c_time);
267int doit(SSL *s_ssl,SSL *c_ssl,long bytes);
268static int do_test_cipherlist(void);
269static void sv_usage(void)
270 {
271 fprintf(stderr,"usage: ssltest [args ...]\n");
272 fprintf(stderr,"\n");
273 fprintf(stderr," -server_auth - check server certificate\n");
274 fprintf(stderr," -client_auth - do client authentication\n");
275 fprintf(stderr," -proxy - allow proxy certificates\n");
276 fprintf(stderr," -proxy_auth <val> - set proxy policy rights\n");
277 fprintf(stderr," -proxy_cond <val> - experssion to test proxy policy rights\n");
278 fprintf(stderr," -v - more output\n");
279 fprintf(stderr," -d - debug output\n");
280 fprintf(stderr," -reuse - use session-id reuse\n");
281 fprintf(stderr," -num <val> - number of connections to perform\n");
282 fprintf(stderr," -bytes <val> - number of bytes to swap between client/server\n");
283#ifndef OPENSSL_NO_DH
284 fprintf(stderr," -dhe1024 - use 1024 bit key (safe prime) for DHE\n");
285 fprintf(stderr," -dhe1024dsa - use 1024 bit key (with 160-bit subprime) for DHE\n");
286 fprintf(stderr," -no_dhe - disable DHE\n");
287#endif
288#ifndef OPENSSL_NO_ECDH
289 fprintf(stderr," -no_ecdhe - disable ECDHE\n");
290#endif
291#ifndef OPENSSL_NO_PSK
292 fprintf(stderr," -psk arg - PSK in hex (without 0x)\n");
293#endif
294#ifndef OPENSSL_NO_SSL2
295 fprintf(stderr," -ssl2 - use SSLv2\n");
296#endif
297#ifndef OPENSSL_NO_SSL3
298 fprintf(stderr," -ssl3 - use SSLv3\n");
299#endif
300#ifndef OPENSSL_NO_TLS1
301 fprintf(stderr," -tls1 - use TLSv1\n");
302#endif
303 fprintf(stderr," -CApath arg - PEM format directory of CA's\n");
304 fprintf(stderr," -CAfile arg - PEM format file of CA's\n");
305 fprintf(stderr," -cert arg - Server certificate file\n");
306 fprintf(stderr," -key arg - Server key file (default: same as -cert)\n");
307 fprintf(stderr," -c_cert arg - Client certificate file\n");
308 fprintf(stderr," -c_key arg - Client key file (default: same as -c_cert)\n");
309 fprintf(stderr," -cipher arg - The cipher list\n");
310 fprintf(stderr," -bio_pair - Use BIO pairs\n");
311 fprintf(stderr," -f - Test even cases that can't work\n");
312 fprintf(stderr," -time - measure processor time used by client and server\n");
313 fprintf(stderr," -zlib - use zlib compression\n");
314 fprintf(stderr," -rle - use rle compression\n");
315#ifndef OPENSSL_NO_ECDH
316 fprintf(stderr," -named_curve arg - Elliptic curve name to use for ephemeral ECDH keys.\n" \
317 " Use \"openssl ecparam -list_curves\" for all names\n" \
318 " (default is sect163r2).\n");
319#endif
320 fprintf(stderr," -test_cipherlist - verifies the order of the ssl cipher lists\n");
321 }
322
323static void print_details(SSL *c_ssl, const char *prefix)
324 {
325 const SSL_CIPHER *ciph;
326 X509 *cert;
327
328 ciph=SSL_get_current_cipher(c_ssl);
329 BIO_printf(bio_stdout,"%s%s, cipher %s %s",
330 prefix,
331 SSL_get_version(c_ssl),
332 SSL_CIPHER_get_version(ciph),
333 SSL_CIPHER_get_name(ciph));
334 cert=SSL_get_peer_certificate(c_ssl);
335 if (cert != NULL)
336 {
337 EVP_PKEY *pkey = X509_get_pubkey(cert);
338 if (pkey != NULL)
339 {
340 if (0)
341 ;
342#ifndef OPENSSL_NO_RSA
343 else if (pkey->type == EVP_PKEY_RSA && pkey->pkey.rsa != NULL
344 && pkey->pkey.rsa->n != NULL)
345 {
346 BIO_printf(bio_stdout, ", %d bit RSA",
347 BN_num_bits(pkey->pkey.rsa->n));
348 }
349#endif
350#ifndef OPENSSL_NO_DSA
351 else if (pkey->type == EVP_PKEY_DSA && pkey->pkey.dsa != NULL
352 && pkey->pkey.dsa->p != NULL)
353 {
354 BIO_printf(bio_stdout, ", %d bit DSA",
355 BN_num_bits(pkey->pkey.dsa->p));
356 }
357#endif
358 EVP_PKEY_free(pkey);
359 }
360 X509_free(cert);
361 }
362 /* The SSL API does not allow us to look at temporary RSA/DH keys,
363 * otherwise we should print their lengths too */
364 BIO_printf(bio_stdout,"\n");
365 }
366
367static void lock_dbg_cb(int mode, int type, const char *file, int line)
368 {
369 static int modes[CRYPTO_NUM_LOCKS]; /* = {0, 0, ... } */
370 const char *errstr = NULL;
371 int rw;
372
373 rw = mode & (CRYPTO_READ|CRYPTO_WRITE);
374 if (!((rw == CRYPTO_READ) || (rw == CRYPTO_WRITE)))
375 {
376 errstr = "invalid mode";
377 goto err;
378 }
379
380 if (type < 0 || type >= CRYPTO_NUM_LOCKS)
381 {
382 errstr = "type out of bounds";
383 goto err;
384 }
385
386 if (mode & CRYPTO_LOCK)
387 {
388 if (modes[type])
389 {
390 errstr = "already locked";
391 /* must not happen in a single-threaded program
392 * (would deadlock) */
393 goto err;
394 }
395
396 modes[type] = rw;
397 }
398 else if (mode & CRYPTO_UNLOCK)
399 {
400 if (!modes[type])
401 {
402 errstr = "not locked";
403 goto err;
404 }
405
406 if (modes[type] != rw)
407 {
408 errstr = (rw == CRYPTO_READ) ?
409 "CRYPTO_r_unlock on write lock" :
410 "CRYPTO_w_unlock on read lock";
411 }
412
413 modes[type] = 0;
414 }
415 else
416 {
417 errstr = "invalid mode";
418 goto err;
419 }
420
421 err:
422 if (errstr)
423 {
424 /* we cannot use bio_err here */
425 fprintf(stderr, "openssl (lock_dbg_cb): %s (mode=%d, type=%d) at %s:%d\n",
426 errstr, mode, type, file, line);
427 }
428 }
429
430#ifdef TLSEXT_TYPE_opaque_prf_input
431struct cb_info_st { void *input; size_t len; int ret; };
432struct cb_info_st co1 = { "C", 1, 1 }; /* try to negotiate oqaque PRF input */
433struct cb_info_st co2 = { "C", 1, 2 }; /* insist on oqaque PRF input */
434struct cb_info_st so1 = { "S", 1, 1 }; /* try to negotiate oqaque PRF input */
435struct cb_info_st so2 = { "S", 1, 2 }; /* insist on oqaque PRF input */
436
437int opaque_prf_input_cb(SSL *ssl, void *peerinput, size_t len, void *arg_)
438 {
439 struct cb_info_st *arg = arg_;
440
441 if (arg == NULL)
442 return 1;
443
444 if (!SSL_set_tlsext_opaque_prf_input(ssl, arg->input, arg->len))
445 return 0;
446 return arg->ret;
447 }
448#endif
449
450int main(int argc, char *argv[])
451 {
452 char *CApath=NULL,*CAfile=NULL;
453 int badop=0;
454 int bio_pair=0;
455 int force=0;
456 int tls1=0,ssl2=0,ssl3=0,ret=1;
457 int client_auth=0;
458 int server_auth=0,i;
459 struct app_verify_arg app_verify_arg =
460 { APP_CALLBACK_STRING, 0, 0, NULL, NULL };
461 char *server_cert=TEST_SERVER_CERT;
462 char *server_key=NULL;
463 char *client_cert=TEST_CLIENT_CERT;
464 char *client_key=NULL;
465#ifndef OPENSSL_NO_ECDH
466 char *named_curve = NULL;
467#endif
468 SSL_CTX *s_ctx=NULL;
469 SSL_CTX *c_ctx=NULL;
470 const SSL_METHOD *meth=NULL;
471 SSL *c_ssl,*s_ssl;
472 int number=1,reuse=0;
473 long bytes=256L;
474#ifndef OPENSSL_NO_DH
475 DH *dh;
476 int dhe1024 = 0, dhe1024dsa = 0;
477#endif
478#ifndef OPENSSL_NO_ECDH
479 EC_KEY *ecdh = NULL;
480#endif
481 int no_dhe = 0;
482 int no_ecdhe = 0;
483 int no_psk = 0;
484 int print_time = 0;
485 clock_t s_time = 0, c_time = 0;
486 int comp = 0;
487#ifndef OPENSSL_NO_COMP
488 COMP_METHOD *cm = NULL;
489#endif
490 STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
491 int test_cipherlist = 0;
492
493 verbose = 0;
494 debug = 0;
495 cipher = 0;
496
497 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE|BIO_FP_TEXT);
498
499 CRYPTO_set_locking_callback(lock_dbg_cb);
500
501 /* enable memory leak checking unless explicitly disabled */
502 if (!((getenv("OPENSSL_DEBUG_MEMORY") != NULL) && (0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off"))))
503 {
504 CRYPTO_malloc_debug_init();
505 CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
506 }
507 else
508 {
509 /* OPENSSL_DEBUG_MEMORY=off */
510 CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0);
511 }
512 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
513
514 RAND_seed(rnd_seed, sizeof rnd_seed);
515
516 bio_stdout=BIO_new_fp(stdout,BIO_NOCLOSE|BIO_FP_TEXT);
517
518 argc--;
519 argv++;
520
521 while (argc >= 1)
522 {
523 if (strcmp(*argv,"-server_auth") == 0)
524 server_auth=1;
525 else if (strcmp(*argv,"-client_auth") == 0)
526 client_auth=1;
527 else if (strcmp(*argv,"-proxy_auth") == 0)
528 {
529 if (--argc < 1) goto bad;
530 app_verify_arg.proxy_auth= *(++argv);
531 }
532 else if (strcmp(*argv,"-proxy_cond") == 0)
533 {
534 if (--argc < 1) goto bad;
535 app_verify_arg.proxy_cond= *(++argv);
536 }
537 else if (strcmp(*argv,"-v") == 0)
538 verbose=1;
539 else if (strcmp(*argv,"-d") == 0)
540 debug=1;
541 else if (strcmp(*argv,"-reuse") == 0)
542 reuse=1;
543 else if (strcmp(*argv,"-dhe1024") == 0)
544 {
545#ifndef OPENSSL_NO_DH
546 dhe1024=1;
547#else
548 fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n");
549#endif
550 }
551 else if (strcmp(*argv,"-dhe1024dsa") == 0)
552 {
553#ifndef OPENSSL_NO_DH
554 dhe1024dsa=1;
555#else
556 fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n");
557#endif
558 }
559 else if (strcmp(*argv,"-no_dhe") == 0)
560 no_dhe=1;
561 else if (strcmp(*argv,"-no_ecdhe") == 0)
562 no_ecdhe=1;
563 else if (strcmp(*argv,"-psk") == 0)
564 {
565 if (--argc < 1) goto bad;
566 psk_key=*(++argv);
567#ifndef OPENSSL_NO_PSK
568 if (strspn(psk_key, "abcdefABCDEF1234567890") != strlen(psk_key))
569 {
570 BIO_printf(bio_err,"Not a hex number '%s'\n",*argv);
571 goto bad;
572 }
573#else
574 no_psk=1;
575#endif
576 }
577 else if (strcmp(*argv,"-ssl2") == 0)
578 ssl2=1;
579 else if (strcmp(*argv,"-tls1") == 0)
580 tls1=1;
581 else if (strcmp(*argv,"-ssl3") == 0)
582 ssl3=1;
583 else if (strncmp(*argv,"-num",4) == 0)
584 {
585 if (--argc < 1) goto bad;
586 number= atoi(*(++argv));
587 if (number == 0) number=1;
588 }
589 else if (strcmp(*argv,"-bytes") == 0)
590 {
591 if (--argc < 1) goto bad;
592 bytes= atol(*(++argv));
593 if (bytes == 0L) bytes=1L;
594 i=strlen(argv[0]);
595 if (argv[0][i-1] == 'k') bytes*=1024L;
596 if (argv[0][i-1] == 'm') bytes*=1024L*1024L;
597 }
598 else if (strcmp(*argv,"-cert") == 0)
599 {
600 if (--argc < 1) goto bad;
601 server_cert= *(++argv);
602 }
603 else if (strcmp(*argv,"-s_cert") == 0)
604 {
605 if (--argc < 1) goto bad;
606 server_cert= *(++argv);
607 }
608 else if (strcmp(*argv,"-key") == 0)
609 {
610 if (--argc < 1) goto bad;
611 server_key= *(++argv);
612 }
613 else if (strcmp(*argv,"-s_key") == 0)
614 {
615 if (--argc < 1) goto bad;
616 server_key= *(++argv);
617 }
618 else if (strcmp(*argv,"-c_cert") == 0)
619 {
620 if (--argc < 1) goto bad;
621 client_cert= *(++argv);
622 }
623 else if (strcmp(*argv,"-c_key") == 0)
624 {
625 if (--argc < 1) goto bad;
626 client_key= *(++argv);
627 }
628 else if (strcmp(*argv,"-cipher") == 0)
629 {
630 if (--argc < 1) goto bad;
631 cipher= *(++argv);
632 }
633 else if (strcmp(*argv,"-CApath") == 0)
634 {
635 if (--argc < 1) goto bad;
636 CApath= *(++argv);
637 }
638 else if (strcmp(*argv,"-CAfile") == 0)
639 {
640 if (--argc < 1) goto bad;
641 CAfile= *(++argv);
642 }
643 else if (strcmp(*argv,"-bio_pair") == 0)
644 {
645 bio_pair = 1;
646 }
647 else if (strcmp(*argv,"-f") == 0)
648 {
649 force = 1;
650 }
651 else if (strcmp(*argv,"-time") == 0)
652 {
653 print_time = 1;
654 }
655 else if (strcmp(*argv,"-zlib") == 0)
656 {
657 comp = COMP_ZLIB;
658 }
659 else if (strcmp(*argv,"-rle") == 0)
660 {
661 comp = COMP_RLE;
662 }
663 else if (strcmp(*argv,"-named_curve") == 0)
664 {
665 if (--argc < 1) goto bad;
666#ifndef OPENSSL_NO_ECDH
667 named_curve = *(++argv);
668#else
669 fprintf(stderr,"ignoring -named_curve, since I'm compiled without ECDH\n");
670 ++argv;
671#endif
672 }
673 else if (strcmp(*argv,"-app_verify") == 0)
674 {
675 app_verify_arg.app_verify = 1;
676 }
677 else if (strcmp(*argv,"-proxy") == 0)
678 {
679 app_verify_arg.allow_proxy_certs = 1;
680 }
681 else if (strcmp(*argv,"-test_cipherlist") == 0)
682 {
683 test_cipherlist = 1;
684 }
685 else
686 {
687 fprintf(stderr,"unknown option %s\n",*argv);
688 badop=1;
689 break;
690 }
691 argc--;
692 argv++;
693 }
694 if (badop)
695 {
696bad:
697 sv_usage();
698 goto end;
699 }
700
701 if (test_cipherlist == 1)
702 {
703 /* ensure that the cipher list are correctly sorted and exit */
704 if (do_test_cipherlist() == 0)
705 EXIT(1);
706 ret = 0;
707 goto end;
708 }
709
710 if (!ssl2 && !ssl3 && !tls1 && number > 1 && !reuse && !force)
711 {
712 fprintf(stderr, "This case cannot work. Use -f to perform "
713 "the test anyway (and\n-d to see what happens), "
714 "or add one of -ssl2, -ssl3, -tls1, -reuse\n"
715 "to avoid protocol mismatch.\n");
716 EXIT(1);
717 }
718
719 if (print_time)
720 {
721 if (!bio_pair)
722 {
723 fprintf(stderr, "Using BIO pair (-bio_pair)\n");
724 bio_pair = 1;
725 }
726 if (number < 50 && !force)
727 fprintf(stderr, "Warning: For accurate timings, use more connections (e.g. -num 1000)\n");
728 }
729
730/* if (cipher == NULL) cipher=getenv("SSL_CIPHER"); */
731
732 SSL_library_init();
733 SSL_load_error_strings();
734
735#ifndef OPENSSL_NO_COMP
736 if (comp == COMP_ZLIB) cm = COMP_zlib();
737 if (comp == COMP_RLE) cm = COMP_rle();
738 if (cm != NULL)
739 {
740 if (cm->type != NID_undef)
741 {
742 if (SSL_COMP_add_compression_method(comp, cm) != 0)
743 {
744 fprintf(stderr,
745 "Failed to add compression method\n");
746 ERR_print_errors_fp(stderr);
747 }
748 }
749 else
750 {
751 fprintf(stderr,
752 "Warning: %s compression not supported\n",
753 (comp == COMP_RLE ? "rle" :
754 (comp == COMP_ZLIB ? "zlib" :
755 "unknown")));
756 ERR_print_errors_fp(stderr);
757 }
758 }
759 ssl_comp_methods = SSL_COMP_get_compression_methods();
760 fprintf(stderr, "Available compression methods:\n");
761 {
762 int j, n = sk_SSL_COMP_num(ssl_comp_methods);
763 if (n == 0)
764 fprintf(stderr, " NONE\n");
765 else
766 for (j = 0; j < n; j++)
767 {
768 SSL_COMP *c = sk_SSL_COMP_value(ssl_comp_methods, j);
769 fprintf(stderr, " %d: %s\n", c->id, c->name);
770 }
771 }
772#endif
773
774#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
775 if (ssl2)
776 meth=SSLv2_method();
777 else
778 if (tls1)
779 meth=TLSv1_method();
780 else
781 if (ssl3)
782 meth=SSLv3_method();
783 else
784 meth=SSLv23_method();
785#else
786#ifdef OPENSSL_NO_SSL2
787 meth=SSLv3_method();
788#else
789 meth=SSLv2_method();
790#endif
791#endif
792
793 c_ctx=SSL_CTX_new(meth);
794 s_ctx=SSL_CTX_new(meth);
795 if ((c_ctx == NULL) || (s_ctx == NULL))
796 {
797 ERR_print_errors(bio_err);
798 goto end;
799 }
800
801 if (cipher != NULL)
802 {
803 SSL_CTX_set_cipher_list(c_ctx,cipher);
804 SSL_CTX_set_cipher_list(s_ctx,cipher);
805 }
806
807#ifndef OPENSSL_NO_DH
808 if (!no_dhe)
809 {
810 if (dhe1024dsa)
811 {
812 /* use SSL_OP_SINGLE_DH_USE to avoid small subgroup attacks */
813 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);
814 dh=get_dh1024dsa();
815 }
816 else if (dhe1024)
817 dh=get_dh1024();
818 else
819 dh=get_dh512();
820 SSL_CTX_set_tmp_dh(s_ctx,dh);
821 DH_free(dh);
822 }
823#else
824 (void)no_dhe;
825#endif
826
827#ifndef OPENSSL_NO_ECDH
828 if (!no_ecdhe)
829 {
830 int nid;
831
832 if (named_curve != NULL)
833 {
834 nid = OBJ_sn2nid(named_curve);
835 if (nid == 0)
836 {
837 BIO_printf(bio_err, "unknown curve name (%s)\n", named_curve);
838 goto end;
839 }
840 }
841 else
842 nid = NID_sect163r2;
843
844 ecdh = EC_KEY_new_by_curve_name(nid);
845 if (ecdh == NULL)
846 {
847 BIO_printf(bio_err, "unable to create curve\n");
848 goto end;
849 }
850
851 SSL_CTX_set_tmp_ecdh(s_ctx, ecdh);
852 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_ECDH_USE);
853 EC_KEY_free(ecdh);
854 }
855#else
856 (void)no_ecdhe;
857#endif
858
859#ifndef OPENSSL_NO_RSA
860 SSL_CTX_set_tmp_rsa_callback(s_ctx,tmp_rsa_cb);
861#endif
862
863#ifdef TLSEXT_TYPE_opaque_prf_input
864 SSL_CTX_set_tlsext_opaque_prf_input_callback(c_ctx, opaque_prf_input_cb);
865 SSL_CTX_set_tlsext_opaque_prf_input_callback(s_ctx, opaque_prf_input_cb);
866 SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(c_ctx, &co1); /* or &co2 or NULL */
867 SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(s_ctx, &so1); /* or &so2 or NULL */
868#endif
869
870 if (!SSL_CTX_use_certificate_file(s_ctx,server_cert,SSL_FILETYPE_PEM))
871 {
872 ERR_print_errors(bio_err);
873 }
874 else if (!SSL_CTX_use_PrivateKey_file(s_ctx,
875 (server_key?server_key:server_cert), SSL_FILETYPE_PEM))
876 {
877 ERR_print_errors(bio_err);
878 goto end;
879 }
880
881 if (client_auth)
882 {
883 SSL_CTX_use_certificate_file(c_ctx,client_cert,
884 SSL_FILETYPE_PEM);
885 SSL_CTX_use_PrivateKey_file(c_ctx,
886 (client_key?client_key:client_cert),
887 SSL_FILETYPE_PEM);
888 }
889
890 if ( (!SSL_CTX_load_verify_locations(s_ctx,CAfile,CApath)) ||
891 (!SSL_CTX_set_default_verify_paths(s_ctx)) ||
892 (!SSL_CTX_load_verify_locations(c_ctx,CAfile,CApath)) ||
893 (!SSL_CTX_set_default_verify_paths(c_ctx)))
894 {
895 /* fprintf(stderr,"SSL_load_verify_locations\n"); */
896 ERR_print_errors(bio_err);
897 /* goto end; */
898 }
899
900 if (client_auth)
901 {
902 BIO_printf(bio_err,"client authentication\n");
903 SSL_CTX_set_verify(s_ctx,
904 SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
905 verify_callback);
906 SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, &app_verify_arg);
907 }
908 if (server_auth)
909 {
910 BIO_printf(bio_err,"server authentication\n");
911 SSL_CTX_set_verify(c_ctx,SSL_VERIFY_PEER,
912 verify_callback);
913 SSL_CTX_set_cert_verify_callback(c_ctx, app_verify_callback, &app_verify_arg);
914 }
915
916 {
917 int session_id_context = 0;
918 SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context, sizeof session_id_context);
919 }
920
921 /* Use PSK only if PSK key is given */
922 if (psk_key != NULL)
923 {
924 /* no_psk is used to avoid putting psk command to openssl tool */
925 if (no_psk)
926 {
927 /* if PSK is not compiled in and psk key is
928 * given, do nothing and exit successfully */
929 ret=0;
930 goto end;
931 }
932#ifndef OPENSSL_NO_PSK
933 SSL_CTX_set_psk_client_callback(c_ctx, psk_client_callback);
934 SSL_CTX_set_psk_server_callback(s_ctx, psk_server_callback);
935 if (debug)
936 BIO_printf(bio_err,"setting PSK identity hint to s_ctx\n");
937 if (!SSL_CTX_use_psk_identity_hint(s_ctx, "ctx server identity_hint"))
938 {
939 BIO_printf(bio_err,"error setting PSK identity hint to s_ctx\n");
940 ERR_print_errors(bio_err);
941 goto end;
942 }
943#endif
944 }
945
946 c_ssl=SSL_new(c_ctx);
947 s_ssl=SSL_new(s_ctx);
948
949#ifndef OPENSSL_NO_KRB5
950 if (c_ssl && c_ssl->kssl_ctx)
951 {
952 char localhost[MAXHOSTNAMELEN+2];
953
954 if (gethostname(localhost, sizeof localhost-1) == 0)
955 {
956 localhost[sizeof localhost-1]='\0';
957 if(strlen(localhost) == sizeof localhost-1)
958 {
959 BIO_printf(bio_err,"localhost name too long\n");
960 goto end;
961 }
962 kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER,
963 localhost);
964 }
965 }
966#endif /* OPENSSL_NO_KRB5 */
967
968 for (i=0; i<number; i++)
969 {
970 if (!reuse) SSL_set_session(c_ssl,NULL);
971 if (bio_pair)
972 ret=doit_biopair(s_ssl,c_ssl,bytes,&s_time,&c_time);
973 else
974 ret=doit(s_ssl,c_ssl,bytes);
975 }
976
977 if (!verbose)
978 {
979 print_details(c_ssl, "");
980 }
981 if ((number > 1) || (bytes > 1L))
982 BIO_printf(bio_stdout, "%d handshakes of %ld bytes done\n",number,bytes);
983 if (print_time)
984 {
985#ifdef CLOCKS_PER_SEC
986 /* "To determine the time in seconds, the value returned
987 * by the clock function should be divided by the value
988 * of the macro CLOCKS_PER_SEC."
989 * -- ISO/IEC 9899 */
990 BIO_printf(bio_stdout, "Approximate total server time: %6.2f s\n"
991 "Approximate total client time: %6.2f s\n",
992 (double)s_time/CLOCKS_PER_SEC,
993 (double)c_time/CLOCKS_PER_SEC);
994#else
995 /* "`CLOCKS_PER_SEC' undeclared (first use this function)"
996 * -- cc on NeXTstep/OpenStep */
997 BIO_printf(bio_stdout,
998 "Approximate total server time: %6.2f units\n"
999 "Approximate total client time: %6.2f units\n",
1000 (double)s_time,
1001 (double)c_time);
1002#endif
1003 }
1004
1005 SSL_free(s_ssl);
1006 SSL_free(c_ssl);
1007
1008end:
1009 if (s_ctx != NULL) SSL_CTX_free(s_ctx);
1010 if (c_ctx != NULL) SSL_CTX_free(c_ctx);
1011
1012 if (bio_stdout != NULL) BIO_free(bio_stdout);
1013
1014#ifndef OPENSSL_NO_RSA
1015 free_tmp_rsa();
1016#endif
1017#ifndef OPENSSL_NO_ENGINE
1018 ENGINE_cleanup();
1019#endif
1020 CRYPTO_cleanup_all_ex_data();
1021 ERR_free_strings();
1022 ERR_remove_thread_state(NULL);
1023 EVP_cleanup();
1024 CRYPTO_mem_leaks(bio_err);
1025 if (bio_err != NULL) BIO_free(bio_err);
1026 EXIT(ret);
1027 return ret;
1028 }
1029
1030int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count,
1031 clock_t *s_time, clock_t *c_time)
1032 {
1033 long cw_num = count, cr_num = count, sw_num = count, sr_num = count;
1034 BIO *s_ssl_bio = NULL, *c_ssl_bio = NULL;
1035 BIO *server = NULL, *server_io = NULL, *client = NULL, *client_io = NULL;
1036 int ret = 1;
1037
1038 size_t bufsiz = 256; /* small buffer for testing */
1039
1040 if (!BIO_new_bio_pair(&server, bufsiz, &server_io, bufsiz))
1041 goto err;
1042 if (!BIO_new_bio_pair(&client, bufsiz, &client_io, bufsiz))
1043 goto err;
1044
1045 s_ssl_bio = BIO_new(BIO_f_ssl());
1046 if (!s_ssl_bio)
1047 goto err;
1048
1049 c_ssl_bio = BIO_new(BIO_f_ssl());
1050 if (!c_ssl_bio)
1051 goto err;
1052
1053 SSL_set_connect_state(c_ssl);
1054 SSL_set_bio(c_ssl, client, client);
1055 (void)BIO_set_ssl(c_ssl_bio, c_ssl, BIO_NOCLOSE);
1056
1057 SSL_set_accept_state(s_ssl);
1058 SSL_set_bio(s_ssl, server, server);
1059 (void)BIO_set_ssl(s_ssl_bio, s_ssl, BIO_NOCLOSE);
1060
1061 do
1062 {
1063 /* c_ssl_bio: SSL filter BIO
1064 *
1065 * client: pseudo-I/O for SSL library
1066 *
1067 * client_io: client's SSL communication; usually to be
1068 * relayed over some I/O facility, but in this
1069 * test program, we're the server, too:
1070 *
1071 * server_io: server's SSL communication
1072 *
1073 * server: pseudo-I/O for SSL library
1074 *
1075 * s_ssl_bio: SSL filter BIO
1076 *
1077 * The client and the server each employ a "BIO pair":
1078 * client + client_io, server + server_io.
1079 * BIO pairs are symmetric. A BIO pair behaves similar
1080 * to a non-blocking socketpair (but both endpoints must
1081 * be handled by the same thread).
1082 * [Here we could connect client and server to the ends
1083 * of a single BIO pair, but then this code would be less
1084 * suitable as an example for BIO pairs in general.]
1085 *
1086 * Useful functions for querying the state of BIO pair endpoints:
1087 *
1088 * BIO_ctrl_pending(bio) number of bytes we can read now
1089 * BIO_ctrl_get_read_request(bio) number of bytes needed to fulfil
1090 * other side's read attempt
1091 * BIO_ctrl_get_write_guarantee(bio) number of bytes we can write now
1092 *
1093 * ..._read_request is never more than ..._write_guarantee;
1094 * it depends on the application which one you should use.
1095 */
1096
1097 /* We have non-blocking behaviour throughout this test program, but
1098 * can be sure that there is *some* progress in each iteration; so
1099 * we don't have to worry about ..._SHOULD_READ or ..._SHOULD_WRITE
1100 * -- we just try everything in each iteration
1101 */
1102
1103 {
1104 /* CLIENT */
1105
1106 MS_STATIC char cbuf[1024*8];
1107 int i, r;
1108 clock_t c_clock = clock();
1109
1110 memset(cbuf, 0, sizeof(cbuf));
1111
1112 if (debug)
1113 if (SSL_in_init(c_ssl))
1114 printf("client waiting in SSL_connect - %s\n",
1115 SSL_state_string_long(c_ssl));
1116
1117 if (cw_num > 0)
1118 {
1119 /* Write to server. */
1120
1121 if (cw_num > (long)sizeof cbuf)
1122 i = sizeof cbuf;
1123 else
1124 i = (int)cw_num;
1125 r = BIO_write(c_ssl_bio, cbuf, i);
1126 if (r < 0)
1127 {
1128 if (!BIO_should_retry(c_ssl_bio))
1129 {
1130 fprintf(stderr,"ERROR in CLIENT\n");
1131 goto err;
1132 }
1133 /* BIO_should_retry(...) can just be ignored here.
1134 * The library expects us to call BIO_write with
1135 * the same arguments again, and that's what we will
1136 * do in the next iteration. */
1137 }
1138 else if (r == 0)
1139 {
1140 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1141 goto err;
1142 }
1143 else
1144 {
1145 if (debug)
1146 printf("client wrote %d\n", r);
1147 cw_num -= r;
1148 }
1149 }
1150
1151 if (cr_num > 0)
1152 {
1153 /* Read from server. */
1154
1155 r = BIO_read(c_ssl_bio, cbuf, sizeof(cbuf));
1156 if (r < 0)
1157 {
1158 if (!BIO_should_retry(c_ssl_bio))
1159 {
1160 fprintf(stderr,"ERROR in CLIENT\n");
1161 goto err;
1162 }
1163 /* Again, "BIO_should_retry" can be ignored. */
1164 }
1165 else if (r == 0)
1166 {
1167 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1168 goto err;
1169 }
1170 else
1171 {
1172 if (debug)
1173 printf("client read %d\n", r);
1174 cr_num -= r;
1175 }
1176 }
1177
1178 /* c_time and s_time increments will typically be very small
1179 * (depending on machine speed and clock tick intervals),
1180 * but sampling over a large number of connections should
1181 * result in fairly accurate figures. We cannot guarantee
1182 * a lot, however -- if each connection lasts for exactly
1183 * one clock tick, it will be counted only for the client
1184 * or only for the server or even not at all.
1185 */
1186 *c_time += (clock() - c_clock);
1187 }
1188
1189 {
1190 /* SERVER */
1191
1192 MS_STATIC char sbuf[1024*8];
1193 int i, r;
1194 clock_t s_clock = clock();
1195
1196 memset(sbuf, 0, sizeof(sbuf));
1197
1198 if (debug)
1199 if (SSL_in_init(s_ssl))
1200 printf("server waiting in SSL_accept - %s\n",
1201 SSL_state_string_long(s_ssl));
1202
1203 if (sw_num > 0)
1204 {
1205 /* Write to client. */
1206
1207 if (sw_num > (long)sizeof sbuf)
1208 i = sizeof sbuf;
1209 else
1210 i = (int)sw_num;
1211 r = BIO_write(s_ssl_bio, sbuf, i);
1212 if (r < 0)
1213 {
1214 if (!BIO_should_retry(s_ssl_bio))
1215 {
1216 fprintf(stderr,"ERROR in SERVER\n");
1217 goto err;
1218 }
1219 /* Ignore "BIO_should_retry". */
1220 }
1221 else if (r == 0)
1222 {
1223 fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
1224 goto err;
1225 }
1226 else
1227 {
1228 if (debug)
1229 printf("server wrote %d\n", r);
1230 sw_num -= r;
1231 }
1232 }
1233
1234 if (sr_num > 0)
1235 {
1236 /* Read from client. */
1237
1238 r = BIO_read(s_ssl_bio, sbuf, sizeof(sbuf));
1239 if (r < 0)
1240 {
1241 if (!BIO_should_retry(s_ssl_bio))
1242 {
1243 fprintf(stderr,"ERROR in SERVER\n");
1244 goto err;
1245 }
1246 /* blah, blah */
1247 }
1248 else if (r == 0)
1249 {
1250 fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
1251 goto err;
1252 }
1253 else
1254 {
1255 if (debug)
1256 printf("server read %d\n", r);
1257 sr_num -= r;
1258 }
1259 }
1260
1261 *s_time += (clock() - s_clock);
1262 }
1263
1264 {
1265 /* "I/O" BETWEEN CLIENT AND SERVER. */
1266
1267 size_t r1, r2;
1268 BIO *io1 = server_io, *io2 = client_io;
1269 /* we use the non-copying interface for io1
1270 * and the standard BIO_write/BIO_read interface for io2
1271 */
1272
1273 static int prev_progress = 1;
1274 int progress = 0;
1275
1276 /* io1 to io2 */
1277 do
1278 {
1279 size_t num;
1280 int r;
1281
1282 r1 = BIO_ctrl_pending(io1);
1283 r2 = BIO_ctrl_get_write_guarantee(io2);
1284
1285 num = r1;
1286 if (r2 < num)
1287 num = r2;
1288 if (num)
1289 {
1290 char *dataptr;
1291
1292 if (INT_MAX < num) /* yeah, right */
1293 num = INT_MAX;
1294
1295 r = BIO_nread(io1, &dataptr, (int)num);
1296 assert(r > 0);
1297 assert(r <= (int)num);
1298 /* possibly r < num (non-contiguous data) */
1299 num = r;
1300 r = BIO_write(io2, dataptr, (int)num);
1301 if (r != (int)num) /* can't happen */
1302 {
1303 fprintf(stderr, "ERROR: BIO_write could not write "
1304 "BIO_ctrl_get_write_guarantee() bytes");
1305 goto err;
1306 }
1307 progress = 1;
1308
1309 if (debug)
1310 printf((io1 == client_io) ?
1311 "C->S relaying: %d bytes\n" :
1312 "S->C relaying: %d bytes\n",
1313 (int)num);
1314 }
1315 }
1316 while (r1 && r2);
1317
1318 /* io2 to io1 */
1319 {
1320 size_t num;
1321 int r;
1322
1323 r1 = BIO_ctrl_pending(io2);
1324 r2 = BIO_ctrl_get_read_request(io1);
1325 /* here we could use ..._get_write_guarantee instead of
1326 * ..._get_read_request, but by using the latter
1327 * we test restartability of the SSL implementation
1328 * more thoroughly */
1329 num = r1;
1330 if (r2 < num)
1331 num = r2;
1332 if (num)
1333 {
1334 char *dataptr;
1335
1336 if (INT_MAX < num)
1337 num = INT_MAX;
1338
1339 if (num > 1)
1340 --num; /* test restartability even more thoroughly */
1341
1342 r = BIO_nwrite0(io1, &dataptr);
1343 assert(r > 0);
1344 if (r < (int)num)
1345 num = r;
1346 r = BIO_read(io2, dataptr, (int)num);
1347 if (r != (int)num) /* can't happen */
1348 {
1349 fprintf(stderr, "ERROR: BIO_read could not read "
1350 "BIO_ctrl_pending() bytes");
1351 goto err;
1352 }
1353 progress = 1;
1354 r = BIO_nwrite(io1, &dataptr, (int)num);
1355 if (r != (int)num) /* can't happen */
1356 {
1357 fprintf(stderr, "ERROR: BIO_nwrite() did not accept "
1358 "BIO_nwrite0() bytes");
1359 goto err;
1360 }
1361
1362 if (debug)
1363 printf((io2 == client_io) ?
1364 "C->S relaying: %d bytes\n" :
1365 "S->C relaying: %d bytes\n",
1366 (int)num);
1367 }
1368 } /* no loop, BIO_ctrl_get_read_request now returns 0 anyway */
1369
1370 if (!progress && !prev_progress)
1371 if (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0)
1372 {
1373 fprintf(stderr, "ERROR: got stuck\n");
1374 if (strcmp("SSLv2", SSL_get_version(c_ssl)) == 0)
1375 {
1376 fprintf(stderr, "This can happen for SSL2 because "
1377 "CLIENT-FINISHED and SERVER-VERIFY are written \n"
1378 "concurrently ...");
1379 if (strncmp("2SCF", SSL_state_string(c_ssl), 4) == 0
1380 && strncmp("2SSV", SSL_state_string(s_ssl), 4) == 0)
1381 {
1382 fprintf(stderr, " ok.\n");
1383 goto end;
1384 }
1385 }
1386 fprintf(stderr, " ERROR.\n");
1387 goto err;
1388 }
1389 prev_progress = progress;
1390 }
1391 }
1392 while (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0);
1393
1394 if (verbose)
1395 print_details(c_ssl, "DONE via BIO pair: ");
1396end:
1397 ret = 0;
1398
1399 err:
1400 ERR_print_errors(bio_err);
1401
1402 if (server)
1403 BIO_free(server);
1404 if (server_io)
1405 BIO_free(server_io);
1406 if (client)
1407 BIO_free(client);
1408 if (client_io)
1409 BIO_free(client_io);
1410 if (s_ssl_bio)
1411 BIO_free(s_ssl_bio);
1412 if (c_ssl_bio)
1413 BIO_free(c_ssl_bio);
1414
1415 return ret;
1416 }
1417
1418
1419#define W_READ 1
1420#define W_WRITE 2
1421#define C_DONE 1
1422#define S_DONE 2
1423
1424int doit(SSL *s_ssl, SSL *c_ssl, long count)
1425 {
1426 MS_STATIC char cbuf[1024*8],sbuf[1024*8];
1427 long cw_num=count,cr_num=count;
1428 long sw_num=count,sr_num=count;
1429 int ret=1;
1430 BIO *c_to_s=NULL;
1431 BIO *s_to_c=NULL;
1432 BIO *c_bio=NULL;
1433 BIO *s_bio=NULL;
1434 int c_r,c_w,s_r,s_w;
1435 int i,j;
1436 int done=0;
1437 int c_write,s_write;
1438 int do_server=0,do_client=0;
1439
1440 memset(cbuf,0,sizeof(cbuf));
1441 memset(sbuf,0,sizeof(sbuf));
1442
1443 c_to_s=BIO_new(BIO_s_mem());
1444 s_to_c=BIO_new(BIO_s_mem());
1445 if ((s_to_c == NULL) || (c_to_s == NULL))
1446 {
1447 ERR_print_errors(bio_err);
1448 goto err;
1449 }
1450
1451 c_bio=BIO_new(BIO_f_ssl());
1452 s_bio=BIO_new(BIO_f_ssl());
1453 if ((c_bio == NULL) || (s_bio == NULL))
1454 {
1455 ERR_print_errors(bio_err);
1456 goto err;
1457 }
1458
1459 SSL_set_connect_state(c_ssl);
1460 SSL_set_bio(c_ssl,s_to_c,c_to_s);
1461 BIO_set_ssl(c_bio,c_ssl,BIO_NOCLOSE);
1462
1463 SSL_set_accept_state(s_ssl);
1464 SSL_set_bio(s_ssl,c_to_s,s_to_c);
1465 BIO_set_ssl(s_bio,s_ssl,BIO_NOCLOSE);
1466
1467 c_r=0; s_r=1;
1468 c_w=1; s_w=0;
1469 c_write=1,s_write=0;
1470
1471 /* We can always do writes */
1472 for (;;)
1473 {
1474 do_server=0;
1475 do_client=0;
1476
1477 i=(int)BIO_pending(s_bio);
1478 if ((i && s_r) || s_w) do_server=1;
1479
1480 i=(int)BIO_pending(c_bio);
1481 if ((i && c_r) || c_w) do_client=1;
1482
1483 if (do_server && debug)
1484 {
1485 if (SSL_in_init(s_ssl))
1486 printf("server waiting in SSL_accept - %s\n",
1487 SSL_state_string_long(s_ssl));
1488/* else if (s_write)
1489 printf("server:SSL_write()\n");
1490 else
1491 printf("server:SSL_read()\n"); */
1492 }
1493
1494 if (do_client && debug)
1495 {
1496 if (SSL_in_init(c_ssl))
1497 printf("client waiting in SSL_connect - %s\n",
1498 SSL_state_string_long(c_ssl));
1499/* else if (c_write)
1500 printf("client:SSL_write()\n");
1501 else
1502 printf("client:SSL_read()\n"); */
1503 }
1504
1505 if (!do_client && !do_server)
1506 {
1507 fprintf(stdout,"ERROR IN STARTUP\n");
1508 ERR_print_errors(bio_err);
1509 break;
1510 }
1511 if (do_client && !(done & C_DONE))
1512 {
1513 if (c_write)
1514 {
1515 j = (cw_num > (long)sizeof(cbuf)) ?
1516 (int)sizeof(cbuf) : (int)cw_num;
1517 i=BIO_write(c_bio,cbuf,j);
1518 if (i < 0)
1519 {
1520 c_r=0;
1521 c_w=0;
1522 if (BIO_should_retry(c_bio))
1523 {
1524 if (BIO_should_read(c_bio))
1525 c_r=1;
1526 if (BIO_should_write(c_bio))
1527 c_w=1;
1528 }
1529 else
1530 {
1531 fprintf(stderr,"ERROR in CLIENT\n");
1532 ERR_print_errors(bio_err);
1533 goto err;
1534 }
1535 }
1536 else if (i == 0)
1537 {
1538 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1539 goto err;
1540 }
1541 else
1542 {
1543 if (debug)
1544 printf("client wrote %d\n",i);
1545 /* ok */
1546 s_r=1;
1547 c_write=0;
1548 cw_num-=i;
1549 }
1550 }
1551 else
1552 {
1553 i=BIO_read(c_bio,cbuf,sizeof(cbuf));
1554 if (i < 0)
1555 {
1556 c_r=0;
1557 c_w=0;
1558 if (BIO_should_retry(c_bio))
1559 {
1560 if (BIO_should_read(c_bio))
1561 c_r=1;
1562 if (BIO_should_write(c_bio))
1563 c_w=1;
1564 }
1565 else
1566 {
1567 fprintf(stderr,"ERROR in CLIENT\n");
1568 ERR_print_errors(bio_err);
1569 goto err;
1570 }
1571 }
1572 else if (i == 0)
1573 {
1574 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1575 goto err;
1576 }
1577 else
1578 {
1579 if (debug)
1580 printf("client read %d\n",i);
1581 cr_num-=i;
1582 if (sw_num > 0)
1583 {
1584 s_write=1;
1585 s_w=1;
1586 }
1587 if (cr_num <= 0)
1588 {
1589 s_write=1;
1590 s_w=1;
1591 done=S_DONE|C_DONE;
1592 }
1593 }
1594 }
1595 }
1596
1597 if (do_server && !(done & S_DONE))
1598 {
1599 if (!s_write)
1600 {
1601 i=BIO_read(s_bio,sbuf,sizeof(cbuf));
1602 if (i < 0)
1603 {
1604 s_r=0;
1605 s_w=0;
1606 if (BIO_should_retry(s_bio))
1607 {
1608 if (BIO_should_read(s_bio))
1609 s_r=1;
1610 if (BIO_should_write(s_bio))
1611 s_w=1;
1612 }
1613 else
1614 {
1615 fprintf(stderr,"ERROR in SERVER\n");
1616 ERR_print_errors(bio_err);
1617 goto err;
1618 }
1619 }
1620 else if (i == 0)
1621 {
1622 ERR_print_errors(bio_err);
1623 fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_read\n");
1624 goto err;
1625 }
1626 else
1627 {
1628 if (debug)
1629 printf("server read %d\n",i);
1630 sr_num-=i;
1631 if (cw_num > 0)
1632 {
1633 c_write=1;
1634 c_w=1;
1635 }
1636 if (sr_num <= 0)
1637 {
1638 s_write=1;
1639 s_w=1;
1640 c_write=0;
1641 }
1642 }
1643 }
1644 else
1645 {
1646 j = (sw_num > (long)sizeof(sbuf)) ?
1647 (int)sizeof(sbuf) : (int)sw_num;
1648 i=BIO_write(s_bio,sbuf,j);
1649 if (i < 0)
1650 {
1651 s_r=0;
1652 s_w=0;
1653 if (BIO_should_retry(s_bio))
1654 {
1655 if (BIO_should_read(s_bio))
1656 s_r=1;
1657 if (BIO_should_write(s_bio))
1658 s_w=1;
1659 }
1660 else
1661 {
1662 fprintf(stderr,"ERROR in SERVER\n");
1663 ERR_print_errors(bio_err);
1664 goto err;
1665 }
1666 }
1667 else if (i == 0)
1668 {
1669 ERR_print_errors(bio_err);
1670 fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_write\n");
1671 goto err;
1672 }
1673 else
1674 {
1675 if (debug)
1676 printf("server wrote %d\n",i);
1677 sw_num-=i;
1678 s_write=0;
1679 c_r=1;
1680 if (sw_num <= 0)
1681 done|=S_DONE;
1682 }
1683 }
1684 }
1685
1686 if ((done & S_DONE) && (done & C_DONE)) break;
1687 }
1688
1689 if (verbose)
1690 print_details(c_ssl, "DONE: ");
1691 ret=0;
1692err:
1693 /* We have to set the BIO's to NULL otherwise they will be
1694 * OPENSSL_free()ed twice. Once when th s_ssl is SSL_free()ed and
1695 * again when c_ssl is SSL_free()ed.
1696 * This is a hack required because s_ssl and c_ssl are sharing the same
1697 * BIO structure and SSL_set_bio() and SSL_free() automatically
1698 * BIO_free non NULL entries.
1699 * You should not normally do this or be required to do this */
1700 if (s_ssl != NULL)
1701 {
1702 s_ssl->rbio=NULL;
1703 s_ssl->wbio=NULL;
1704 }
1705 if (c_ssl != NULL)
1706 {
1707 c_ssl->rbio=NULL;
1708 c_ssl->wbio=NULL;
1709 }
1710
1711 if (c_to_s != NULL) BIO_free(c_to_s);
1712 if (s_to_c != NULL) BIO_free(s_to_c);
1713 if (c_bio != NULL) BIO_free_all(c_bio);
1714 if (s_bio != NULL) BIO_free_all(s_bio);
1715 return(ret);
1716 }
1717
1718static int get_proxy_auth_ex_data_idx(void)
1719 {
1720 static volatile int idx = -1;
1721 if (idx < 0)
1722 {
1723 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
1724 if (idx < 0)
1725 {
1726 idx = X509_STORE_CTX_get_ex_new_index(0,
1727 "SSLtest for verify callback", NULL,NULL,NULL);
1728 }
1729 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
1730 }
1731 return idx;
1732 }
1733
1734static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
1735 {
1736 char *s,buf[256];
1737
1738 s=X509_NAME_oneline(X509_get_subject_name(ctx->current_cert),buf,
1739 sizeof buf);
1740 if (s != NULL)
1741 {
1742 if (ok)
1743 fprintf(stderr,"depth=%d %s\n",
1744 ctx->error_depth,buf);
1745 else
1746 {
1747 fprintf(stderr,"depth=%d error=%d %s\n",
1748 ctx->error_depth,ctx->error,buf);
1749 }
1750 }
1751
1752 if (ok == 0)
1753 {
1754 fprintf(stderr,"Error string: %s\n",
1755 X509_verify_cert_error_string(ctx->error));
1756 switch (ctx->error)
1757 {
1758 case X509_V_ERR_CERT_NOT_YET_VALID:
1759 case X509_V_ERR_CERT_HAS_EXPIRED:
1760 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
1761 fprintf(stderr," ... ignored.\n");
1762 ok=1;
1763 }
1764 }
1765
1766 if (ok == 1)
1767 {
1768 X509 *xs = ctx->current_cert;
1769#if 0
1770 X509 *xi = ctx->current_issuer;
1771#endif
1772
1773 if (xs->ex_flags & EXFLAG_PROXY)
1774 {
1775 unsigned int *letters =
1776 X509_STORE_CTX_get_ex_data(ctx,
1777 get_proxy_auth_ex_data_idx());
1778
1779 if (letters)
1780 {
1781 int found_any = 0;
1782 int i;
1783 PROXY_CERT_INFO_EXTENSION *pci =
1784 X509_get_ext_d2i(xs, NID_proxyCertInfo,
1785 NULL, NULL);
1786
1787 switch (OBJ_obj2nid(pci->proxyPolicy->policyLanguage))
1788 {
1789 case NID_Independent:
1790 /* Completely meaningless in this
1791 program, as there's no way to
1792 grant explicit rights to a
1793 specific PrC. Basically, using
1794 id-ppl-Independent is the perfect
1795 way to grant no rights at all. */
1796 fprintf(stderr, " Independent proxy certificate");
1797 for (i = 0; i < 26; i++)
1798 letters[i] = 0;
1799 break;
1800 case NID_id_ppl_inheritAll:
1801 /* This is basically a NOP, we
1802 simply let the current rights
1803 stand as they are. */
1804 fprintf(stderr, " Proxy certificate inherits all");
1805 break;
1806 default:
1807 s = (char *)
1808 pci->proxyPolicy->policy->data;
1809 i = pci->proxyPolicy->policy->length;
1810
1811 /* The algorithm works as follows:
1812 it is assumed that previous
1813 iterations or the initial granted
1814 rights has already set some elements
1815 of `letters'. What we need to do is
1816 to clear those that weren't granted
1817 by the current PrC as well. The
1818 easiest way to do this is to add 1
1819 to all the elements whose letters
1820 are given with the current policy.
1821 That way, all elements that are set
1822 by the current policy and were
1823 already set by earlier policies and
1824 through the original grant of rights
1825 will get the value 2 or higher.
1826 The last thing to do is to sweep
1827 through `letters' and keep the
1828 elements having the value 2 as set,
1829 and clear all the others. */
1830
1831 fprintf(stderr, " Certificate proxy rights = %*.*s", i, i, s);
1832 while(i-- > 0)
1833 {
1834 int c = *s++;
1835 if (isascii(c) && isalpha(c))
1836 {
1837 if (islower(c))
1838 c = toupper(c);
1839 letters[c - 'A']++;
1840 }
1841 }
1842 for (i = 0; i < 26; i++)
1843 if (letters[i] < 2)
1844 letters[i] = 0;
1845 else
1846 letters[i] = 1;
1847 }
1848
1849 found_any = 0;
1850 fprintf(stderr,
1851 ", resulting proxy rights = ");
1852 for(i = 0; i < 26; i++)
1853 if (letters[i])
1854 {
1855 fprintf(stderr, "%c", i + 'A');
1856 found_any = 1;
1857 }
1858 if (!found_any)
1859 fprintf(stderr, "none");
1860 fprintf(stderr, "\n");
1861
1862 PROXY_CERT_INFO_EXTENSION_free(pci);
1863 }
1864 }
1865 }
1866
1867 return(ok);
1868 }
1869
1870static void process_proxy_debug(int indent, const char *format, ...)
1871 {
1872 static const char indentation[] =
1873 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
1874 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"; /* That's 80 > */
1875 char my_format[256];
1876 va_list args;
1877
1878 BIO_snprintf(my_format, sizeof(my_format), "%*.*s %s",
1879 indent, indent, indentation, format);
1880
1881 va_start(args, format);
1882 vfprintf(stderr, my_format, args);
1883 va_end(args);
1884 }
1885/* Priority levels:
1886 0 [!]var, ()
1887 1 & ^
1888 2 |
1889*/
1890static int process_proxy_cond_adders(unsigned int letters[26],
1891 const char *cond, const char **cond_end, int *pos, int indent);
1892static int process_proxy_cond_val(unsigned int letters[26],
1893 const char *cond, const char **cond_end, int *pos, int indent)
1894 {
1895 int c;
1896 int ok = 1;
1897 int negate = 0;
1898
1899 while(isspace((int)*cond))
1900 {
1901 cond++; (*pos)++;
1902 }
1903 c = *cond;
1904
1905 if (debug)
1906 process_proxy_debug(indent,
1907 "Start process_proxy_cond_val at position %d: %s\n",
1908 *pos, cond);
1909
1910 while(c == '!')
1911 {
1912 negate = !negate;
1913 cond++; (*pos)++;
1914 while(isspace((int)*cond))
1915 {
1916 cond++; (*pos)++;
1917 }
1918 c = *cond;
1919 }
1920
1921 if (c == '(')
1922 {
1923 cond++; (*pos)++;
1924 ok = process_proxy_cond_adders(letters, cond, cond_end, pos,
1925 indent + 1);
1926 cond = *cond_end;
1927 if (ok < 0)
1928 goto end;
1929 while(isspace((int)*cond))
1930 {
1931 cond++; (*pos)++;
1932 }
1933 c = *cond;
1934 if (c != ')')
1935 {
1936 fprintf(stderr,
1937 "Weird condition character in position %d: "
1938 "%c\n", *pos, c);
1939 ok = -1;
1940 goto end;
1941 }
1942 cond++; (*pos)++;
1943 }
1944 else if (isascii(c) && isalpha(c))
1945 {
1946 if (islower(c))
1947 c = toupper(c);
1948 ok = letters[c - 'A'];
1949 cond++; (*pos)++;
1950 }
1951 else
1952 {
1953 fprintf(stderr,
1954 "Weird condition character in position %d: "
1955 "%c\n", *pos, c);
1956 ok = -1;
1957 goto end;
1958 }
1959 end:
1960 *cond_end = cond;
1961 if (ok >= 0 && negate)
1962 ok = !ok;
1963
1964 if (debug)
1965 process_proxy_debug(indent,
1966 "End process_proxy_cond_val at position %d: %s, returning %d\n",
1967 *pos, cond, ok);
1968
1969 return ok;
1970 }
1971static int process_proxy_cond_multipliers(unsigned int letters[26],
1972 const char *cond, const char **cond_end, int *pos, int indent)
1973 {
1974 int ok;
1975 char c;
1976
1977 if (debug)
1978 process_proxy_debug(indent,
1979 "Start process_proxy_cond_multipliers at position %d: %s\n",
1980 *pos, cond);
1981
1982 ok = process_proxy_cond_val(letters, cond, cond_end, pos, indent + 1);
1983 cond = *cond_end;
1984 if (ok < 0)
1985 goto end;
1986
1987 while(ok >= 0)
1988 {
1989 while(isspace((int)*cond))
1990 {
1991 cond++; (*pos)++;
1992 }
1993 c = *cond;
1994
1995 switch(c)
1996 {
1997 case '&':
1998 case '^':
1999 {
2000 int save_ok = ok;
2001
2002 cond++; (*pos)++;
2003 ok = process_proxy_cond_val(letters,
2004 cond, cond_end, pos, indent + 1);
2005 cond = *cond_end;
2006 if (ok < 0)
2007 break;
2008
2009 switch(c)
2010 {
2011 case '&':
2012 ok &= save_ok;
2013 break;
2014 case '^':
2015 ok ^= save_ok;
2016 break;
2017 default:
2018 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
2019 " STOPPING\n");
2020 EXIT(1);
2021 }
2022 }
2023 break;
2024 default:
2025 goto end;
2026 }
2027 }
2028 end:
2029 if (debug)
2030 process_proxy_debug(indent,
2031 "End process_proxy_cond_multipliers at position %d: %s, returning %d\n",
2032 *pos, cond, ok);
2033
2034 *cond_end = cond;
2035 return ok;
2036 }
2037static int process_proxy_cond_adders(unsigned int letters[26],
2038 const char *cond, const char **cond_end, int *pos, int indent)
2039 {
2040 int ok;
2041 char c;
2042
2043 if (debug)
2044 process_proxy_debug(indent,
2045 "Start process_proxy_cond_adders at position %d: %s\n",
2046 *pos, cond);
2047
2048 ok = process_proxy_cond_multipliers(letters, cond, cond_end, pos,
2049 indent + 1);
2050 cond = *cond_end;
2051 if (ok < 0)
2052 goto end;
2053
2054 while(ok >= 0)
2055 {
2056 while(isspace((int)*cond))
2057 {
2058 cond++; (*pos)++;
2059 }
2060 c = *cond;
2061
2062 switch(c)
2063 {
2064 case '|':
2065 {
2066 int save_ok = ok;
2067
2068 cond++; (*pos)++;
2069 ok = process_proxy_cond_multipliers(letters,
2070 cond, cond_end, pos, indent + 1);
2071 cond = *cond_end;
2072 if (ok < 0)
2073 break;
2074
2075 switch(c)
2076 {
2077 case '|':
2078 ok |= save_ok;
2079 break;
2080 default:
2081 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
2082 " STOPPING\n");
2083 EXIT(1);
2084 }
2085 }
2086 break;
2087 default:
2088 goto end;
2089 }
2090 }
2091 end:
2092 if (debug)
2093 process_proxy_debug(indent,
2094 "End process_proxy_cond_adders at position %d: %s, returning %d\n",
2095 *pos, cond, ok);
2096
2097 *cond_end = cond;
2098 return ok;
2099 }
2100
2101static int process_proxy_cond(unsigned int letters[26],
2102 const char *cond, const char **cond_end)
2103 {
2104 int pos = 1;
2105 return process_proxy_cond_adders(letters, cond, cond_end, &pos, 1);
2106 }
2107
2108static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg)
2109 {
2110 int ok=1;
2111 struct app_verify_arg *cb_arg = arg;
2112 unsigned int letters[26]; /* only used with proxy_auth */
2113
2114 if (cb_arg->app_verify)
2115 {
2116 char *s = NULL,buf[256];
2117
2118 fprintf(stderr, "In app_verify_callback, allowing cert. ");
2119 fprintf(stderr, "Arg is: %s\n", cb_arg->string);
2120 fprintf(stderr, "Finished printing do we have a context? 0x%p a cert? 0x%p\n",
2121 (void *)ctx, (void *)ctx->cert);
2122 if (ctx->cert)
2123 s=X509_NAME_oneline(X509_get_subject_name(ctx->cert),buf,256);
2124 if (s != NULL)
2125 {
2126 fprintf(stderr,"cert depth=%d %s\n",ctx->error_depth,buf);
2127 }
2128 return(1);
2129 }
2130 if (cb_arg->proxy_auth)
2131 {
2132 int found_any = 0, i;
2133 char *sp;
2134
2135 for(i = 0; i < 26; i++)
2136 letters[i] = 0;
2137 for(sp = cb_arg->proxy_auth; *sp; sp++)
2138 {
2139 int c = *sp;
2140 if (isascii(c) && isalpha(c))
2141 {
2142 if (islower(c))
2143 c = toupper(c);
2144 letters[c - 'A'] = 1;
2145 }
2146 }
2147
2148 fprintf(stderr,
2149 " Initial proxy rights = ");
2150 for(i = 0; i < 26; i++)
2151 if (letters[i])
2152 {
2153 fprintf(stderr, "%c", i + 'A');
2154 found_any = 1;
2155 }
2156 if (!found_any)
2157 fprintf(stderr, "none");
2158 fprintf(stderr, "\n");
2159
2160 X509_STORE_CTX_set_ex_data(ctx,
2161 get_proxy_auth_ex_data_idx(),letters);
2162 }
2163 if (cb_arg->allow_proxy_certs)
2164 {
2165 X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
2166 }
2167
2168#ifndef OPENSSL_NO_X509_VERIFY
2169# ifdef OPENSSL_FIPS
2170 if(s->version == TLS1_VERSION)
2171 FIPS_allow_md5(1);
2172# endif
2173 ok = X509_verify_cert(ctx);
2174# ifdef OPENSSL_FIPS
2175 if(s->version == TLS1_VERSION)
2176 FIPS_allow_md5(0);
2177# endif
2178#endif
2179
2180 if (cb_arg->proxy_auth)
2181 {
2182 if (ok > 0)
2183 {
2184 const char *cond_end = NULL;
2185
2186 ok = process_proxy_cond(letters,
2187 cb_arg->proxy_cond, &cond_end);
2188
2189 if (ok < 0)
2190 EXIT(3);
2191 if (*cond_end)
2192 {
2193 fprintf(stderr, "Stopped processing condition before it's end.\n");
2194 ok = 0;
2195 }
2196 if (!ok)
2197 fprintf(stderr, "Proxy rights check with condition '%s' proved invalid\n",
2198 cb_arg->proxy_cond);
2199 else
2200 fprintf(stderr, "Proxy rights check with condition '%s' proved valid\n",
2201 cb_arg->proxy_cond);
2202 }
2203 }
2204 return(ok);
2205 }
2206
2207#ifndef OPENSSL_NO_RSA
2208static RSA *rsa_tmp=NULL;
2209
2210static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength)
2211 {
2212 BIGNUM *bn = NULL;
2213 if (rsa_tmp == NULL)
2214 {
2215 bn = BN_new();
2216 rsa_tmp = RSA_new();
2217 if(!bn || !rsa_tmp || !BN_set_word(bn, RSA_F4))
2218 {
2219 BIO_printf(bio_err, "Memory error...");
2220 goto end;
2221 }
2222 BIO_printf(bio_err,"Generating temp (%d bit) RSA key...",keylength);
2223 (void)BIO_flush(bio_err);
2224 if(!RSA_generate_key_ex(rsa_tmp,keylength,bn,NULL))
2225 {
2226 BIO_printf(bio_err, "Error generating key.");
2227 RSA_free(rsa_tmp);
2228 rsa_tmp = NULL;
2229 }
2230end:
2231 BIO_printf(bio_err,"\n");
2232 (void)BIO_flush(bio_err);
2233 }
2234 if(bn) BN_free(bn);
2235 return(rsa_tmp);
2236 }
2237
2238static void free_tmp_rsa(void)
2239 {
2240 if (rsa_tmp != NULL)
2241 {
2242 RSA_free(rsa_tmp);
2243 rsa_tmp = NULL;
2244 }
2245 }
2246#endif
2247
2248#ifndef OPENSSL_NO_DH
2249/* These DH parameters have been generated as follows:
2250 * $ openssl dhparam -C -noout 512
2251 * $ openssl dhparam -C -noout 1024
2252 * $ openssl dhparam -C -noout -dsaparam 1024
2253 * (The third function has been renamed to avoid name conflicts.)
2254 */
2255static DH *get_dh512()
2256 {
2257 static unsigned char dh512_p[]={
2258 0xCB,0xC8,0xE1,0x86,0xD0,0x1F,0x94,0x17,0xA6,0x99,0xF0,0xC6,
2259 0x1F,0x0D,0xAC,0xB6,0x25,0x3E,0x06,0x39,0xCA,0x72,0x04,0xB0,
2260 0x6E,0xDA,0xC0,0x61,0xE6,0x7A,0x77,0x25,0xE8,0x3B,0xB9,0x5F,
2261 0x9A,0xB6,0xB5,0xFE,0x99,0x0B,0xA1,0x93,0x4E,0x35,0x33,0xB8,
2262 0xE1,0xF1,0x13,0x4F,0x59,0x1A,0xD2,0x57,0xC0,0x26,0x21,0x33,
2263 0x02,0xC5,0xAE,0x23,
2264 };
2265 static unsigned char dh512_g[]={
2266 0x02,
2267 };
2268 DH *dh;
2269
2270 if ((dh=DH_new()) == NULL) return(NULL);
2271 dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
2272 dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
2273 if ((dh->p == NULL) || (dh->g == NULL))
2274 { DH_free(dh); return(NULL); }
2275 return(dh);
2276 }
2277
2278static DH *get_dh1024()
2279 {
2280 static unsigned char dh1024_p[]={
2281 0xF8,0x81,0x89,0x7D,0x14,0x24,0xC5,0xD1,0xE6,0xF7,0xBF,0x3A,
2282 0xE4,0x90,0xF4,0xFC,0x73,0xFB,0x34,0xB5,0xFA,0x4C,0x56,0xA2,
2283 0xEA,0xA7,0xE9,0xC0,0xC0,0xCE,0x89,0xE1,0xFA,0x63,0x3F,0xB0,
2284 0x6B,0x32,0x66,0xF1,0xD1,0x7B,0xB0,0x00,0x8F,0xCA,0x87,0xC2,
2285 0xAE,0x98,0x89,0x26,0x17,0xC2,0x05,0xD2,0xEC,0x08,0xD0,0x8C,
2286 0xFF,0x17,0x52,0x8C,0xC5,0x07,0x93,0x03,0xB1,0xF6,0x2F,0xB8,
2287 0x1C,0x52,0x47,0x27,0x1B,0xDB,0xD1,0x8D,0x9D,0x69,0x1D,0x52,
2288 0x4B,0x32,0x81,0xAA,0x7F,0x00,0xC8,0xDC,0xE6,0xD9,0xCC,0xC1,
2289 0x11,0x2D,0x37,0x34,0x6C,0xEA,0x02,0x97,0x4B,0x0E,0xBB,0xB1,
2290 0x71,0x33,0x09,0x15,0xFD,0xDD,0x23,0x87,0x07,0x5E,0x89,0xAB,
2291 0x6B,0x7C,0x5F,0xEC,0xA6,0x24,0xDC,0x53,
2292 };
2293 static unsigned char dh1024_g[]={
2294 0x02,
2295 };
2296 DH *dh;
2297
2298 if ((dh=DH_new()) == NULL) return(NULL);
2299 dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
2300 dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
2301 if ((dh->p == NULL) || (dh->g == NULL))
2302 { DH_free(dh); return(NULL); }
2303 return(dh);
2304 }
2305
2306static DH *get_dh1024dsa()
2307 {
2308 static unsigned char dh1024_p[]={
2309 0xC8,0x00,0xF7,0x08,0x07,0x89,0x4D,0x90,0x53,0xF3,0xD5,0x00,
2310 0x21,0x1B,0xF7,0x31,0xA6,0xA2,0xDA,0x23,0x9A,0xC7,0x87,0x19,
2311 0x3B,0x47,0xB6,0x8C,0x04,0x6F,0xFF,0xC6,0x9B,0xB8,0x65,0xD2,
2312 0xC2,0x5F,0x31,0x83,0x4A,0xA7,0x5F,0x2F,0x88,0x38,0xB6,0x55,
2313 0xCF,0xD9,0x87,0x6D,0x6F,0x9F,0xDA,0xAC,0xA6,0x48,0xAF,0xFC,
2314 0x33,0x84,0x37,0x5B,0x82,0x4A,0x31,0x5D,0xE7,0xBD,0x52,0x97,
2315 0xA1,0x77,0xBF,0x10,0x9E,0x37,0xEA,0x64,0xFA,0xCA,0x28,0x8D,
2316 0x9D,0x3B,0xD2,0x6E,0x09,0x5C,0x68,0xC7,0x45,0x90,0xFD,0xBB,
2317 0x70,0xC9,0x3A,0xBB,0xDF,0xD4,0x21,0x0F,0xC4,0x6A,0x3C,0xF6,
2318 0x61,0xCF,0x3F,0xD6,0x13,0xF1,0x5F,0xBC,0xCF,0xBC,0x26,0x9E,
2319 0xBC,0x0B,0xBD,0xAB,0x5D,0xC9,0x54,0x39,
2320 };
2321 static unsigned char dh1024_g[]={
2322 0x3B,0x40,0x86,0xE7,0xF3,0x6C,0xDE,0x67,0x1C,0xCC,0x80,0x05,
2323 0x5A,0xDF,0xFE,0xBD,0x20,0x27,0x74,0x6C,0x24,0xC9,0x03,0xF3,
2324 0xE1,0x8D,0xC3,0x7D,0x98,0x27,0x40,0x08,0xB8,0x8C,0x6A,0xE9,
2325 0xBB,0x1A,0x3A,0xD6,0x86,0x83,0x5E,0x72,0x41,0xCE,0x85,0x3C,
2326 0xD2,0xB3,0xFC,0x13,0xCE,0x37,0x81,0x9E,0x4C,0x1C,0x7B,0x65,
2327 0xD3,0xE6,0xA6,0x00,0xF5,0x5A,0x95,0x43,0x5E,0x81,0xCF,0x60,
2328 0xA2,0x23,0xFC,0x36,0xA7,0x5D,0x7A,0x4C,0x06,0x91,0x6E,0xF6,
2329 0x57,0xEE,0x36,0xCB,0x06,0xEA,0xF5,0x3D,0x95,0x49,0xCB,0xA7,
2330 0xDD,0x81,0xDF,0x80,0x09,0x4A,0x97,0x4D,0xA8,0x22,0x72,0xA1,
2331 0x7F,0xC4,0x70,0x56,0x70,0xE8,0x20,0x10,0x18,0x8F,0x2E,0x60,
2332 0x07,0xE7,0x68,0x1A,0x82,0x5D,0x32,0xA2,
2333 };
2334 DH *dh;
2335
2336 if ((dh=DH_new()) == NULL) return(NULL);
2337 dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
2338 dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
2339 if ((dh->p == NULL) || (dh->g == NULL))
2340 { DH_free(dh); return(NULL); }
2341 dh->length = 160;
2342 return(dh);
2343 }
2344#endif
2345
2346#ifndef OPENSSL_NO_PSK
2347/* convert the PSK key (psk_key) in ascii to binary (psk) */
2348static int psk_key2bn(const char *pskkey, unsigned char *psk,
2349 unsigned int max_psk_len)
2350 {
2351 int ret;
2352 BIGNUM *bn = NULL;
2353
2354 ret = BN_hex2bn(&bn, pskkey);
2355 if (!ret)
2356 {
2357 BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", pskkey);
2358 if (bn)
2359 BN_free(bn);
2360 return 0;
2361 }
2362 if (BN_num_bytes(bn) > (int)max_psk_len)
2363 {
2364 BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n",
2365 max_psk_len, BN_num_bytes(bn));
2366 BN_free(bn);
2367 return 0;
2368 }
2369 ret = BN_bn2bin(bn, psk);
2370 BN_free(bn);
2371 return ret;
2372 }
2373
2374static unsigned int psk_client_callback(SSL *ssl, const char *hint, char *identity,
2375 unsigned int max_identity_len, unsigned char *psk,
2376 unsigned int max_psk_len)
2377 {
2378 int ret;
2379 unsigned int psk_len = 0;
2380
2381 ret = BIO_snprintf(identity, max_identity_len, "Client_identity");
2382 if (ret < 0)
2383 goto out_err;
2384 if (debug)
2385 fprintf(stderr, "client: created identity '%s' len=%d\n", identity, ret);
2386 ret = psk_key2bn(psk_key, psk, max_psk_len);
2387 if (ret < 0)
2388 goto out_err;
2389 psk_len = ret;
2390out_err:
2391 return psk_len;
2392 }
2393
2394static unsigned int psk_server_callback(SSL *ssl, const char *identity,
2395 unsigned char *psk, unsigned int max_psk_len)
2396 {
2397 unsigned int psk_len=0;
2398
2399 if (strcmp(identity, "Client_identity") != 0)
2400 {
2401 BIO_printf(bio_err, "server: PSK error: client identity not found\n");
2402 return 0;
2403 }
2404 psk_len=psk_key2bn(psk_key, psk, max_psk_len);
2405 return psk_len;
2406 }
2407#endif
2408
2409static int do_test_cipherlist(void)
2410 {
2411 int i = 0;
2412 const SSL_METHOD *meth;
2413 const SSL_CIPHER *ci, *tci = NULL;
2414
2415#ifndef OPENSSL_NO_SSL2
2416 fprintf(stderr, "testing SSLv2 cipher list order: ");
2417 meth = SSLv2_method();
2418 while ((ci = meth->get_cipher(i++)) != NULL)
2419 {
2420 if (tci != NULL)
2421 if (ci->id >= tci->id)
2422 {
2423 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2424 return 0;
2425 }
2426 tci = ci;
2427 }
2428 fprintf(stderr, "ok\n");
2429#endif
2430#ifndef OPENSSL_NO_SSL3
2431 fprintf(stderr, "testing SSLv3 cipher list order: ");
2432 meth = SSLv3_method();
2433 tci = NULL;
2434 while ((ci = meth->get_cipher(i++)) != NULL)
2435 {
2436 if (tci != NULL)
2437 if (ci->id >= tci->id)
2438 {
2439 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2440 return 0;
2441 }
2442 tci = ci;
2443 }
2444 fprintf(stderr, "ok\n");
2445#endif
2446#ifndef OPENSSL_NO_TLS1
2447 fprintf(stderr, "testing TLSv1 cipher list order: ");
2448 meth = TLSv1_method();
2449 tci = NULL;
2450 while ((ci = meth->get_cipher(i++)) != NULL)
2451 {
2452 if (tci != NULL)
2453 if (ci->id >= tci->id)
2454 {
2455 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2456 return 0;
2457 }
2458 tci = ci;
2459 }
2460 fprintf(stderr, "ok\n");
2461#endif
2462
2463 return 1;
2464 }
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-10-05 06:19:16 +0000