summaryrefslogtreecommitdiff
path: root/src/lib/libssl/src/ssl/ssltest.c
diff options
context:
space:
mode:
Diffstat (limited to 'src/lib/libssl/src/ssl/ssltest.c')
-rw-r--r--src/lib/libssl/src/ssl/ssltest.c2467
1 files changed, 2467 insertions, 0 deletions
diff --git a/src/lib/libssl/src/ssl/ssltest.c b/src/lib/libssl/src/ssl/ssltest.c
new file mode 100644
index 0000000000..1d8ba372bc
--- /dev/null
+++ b/src/lib/libssl/src/ssl/ssltest.c
@@ -0,0 +1,2467 @@
1/* ssl/ssltest.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111/* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 * ECC cipher suite support in OpenSSL originally developed by
114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
115 */
116/* ====================================================================
117 * Copyright 2005 Nokia. All rights reserved.
118 *
119 * The portions of the attached software ("Contribution") is developed by
120 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
121 * license.
122 *
123 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
124 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
125 * support (see RFC 4279) to OpenSSL.
126 *
127 * No patent licenses or other rights except those expressly stated in
128 * the OpenSSL open source license shall be deemed granted or received
129 * expressly, by implication, estoppel, or otherwise.
130 *
131 * No assurances are provided by Nokia that the Contribution does not
132 * infringe the patent or other intellectual property rights of any third
133 * party or that the license provides you with all the necessary rights
134 * to make use of the Contribution.
135 *
136 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
137 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
138 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
139 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
140 * OTHERWISE.
141 */
142
143#define _BSD_SOURCE 1 /* Or gethostname won't be declared properly
144 on Linux and GNU platforms. */
145
146#include <assert.h>
147#include <errno.h>
148#include <limits.h>
149#include <stdio.h>
150#include <stdlib.h>
151#include <string.h>
152#include <time.h>
153#include <inttypes.h>
154#include <ctype.h>
155
156#define USE_SOCKETS
157#include "e_os.h"
158
159#ifdef OPENSSL_SYS_VMS
160#define _XOPEN_SOURCE 500 /* Or isascii won't be declared properly on
161 VMS (at least with DECompHP C). */
162#endif
163
164#include <ctype.h>
165
166#include <openssl/bio.h>
167#include <openssl/crypto.h>
168#include <openssl/evp.h>
169#include <openssl/x509.h>
170#include <openssl/x509v3.h>
171#include <openssl/ssl.h>
172#ifndef OPENSSL_NO_ENGINE
173#include <openssl/engine.h>
174#endif
175#include <openssl/err.h>
176#include <openssl/rand.h>
177#ifndef OPENSSL_NO_RSA
178#include <openssl/rsa.h>
179#endif
180#ifndef OPENSSL_NO_DSA
181#include <openssl/dsa.h>
182#endif
183#ifndef OPENSSL_NO_DH
184#include <openssl/dh.h>
185#endif
186#include <openssl/bn.h>
187
188#define _XOPEN_SOURCE_EXTENDED 1 /* Or gethostname won't be declared properly
189 on Compaq platforms (at least with DEC C).
190 Do not try to put it earlier, or IPv6 includes
191 get screwed...
192 */
193
194#ifdef OPENSSL_SYS_WINDOWS
195#include <winsock.h>
196#else
197#include OPENSSL_UNISTD
198#endif
199
200#ifdef OPENSSL_SYS_VMS
201# define TEST_SERVER_CERT "SYS$DISK:[-.APPS]SERVER.PEM"
202# define TEST_CLIENT_CERT "SYS$DISK:[-.APPS]CLIENT.PEM"
203#elif defined(OPENSSL_SYS_WINCE)
204# define TEST_SERVER_CERT "\\OpenSSL\\server.pem"
205# define TEST_CLIENT_CERT "\\OpenSSL\\client.pem"
206#elif defined(OPENSSL_SYS_NETWARE)
207# define TEST_SERVER_CERT "\\openssl\\apps\\server.pem"
208# define TEST_CLIENT_CERT "\\openssl\\apps\\client.pem"
209#else
210# define TEST_SERVER_CERT "../apps/server.pem"
211# define TEST_CLIENT_CERT "../apps/client.pem"
212#endif
213
214/* There is really no standard for this, so let's assign some tentative
215 numbers. In any case, these numbers are only for this test */
216#define COMP_RLE 255
217#define COMP_ZLIB 1
218
219static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
220#ifndef OPENSSL_NO_RSA
221static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export,int keylength);
222static void free_tmp_rsa(void);
223#endif
224static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg);
225#define APP_CALLBACK_STRING "Test Callback Argument"
226struct app_verify_arg
227 {
228 char *string;
229 int app_verify;
230 int allow_proxy_certs;
231 char *proxy_auth;
232 char *proxy_cond;
233 };
234
235#ifndef OPENSSL_NO_DH
236static DH *get_dh512(void);
237static DH *get_dh1024(void);
238static DH *get_dh1024dsa(void);
239#endif
240
241
242static char *psk_key=NULL; /* by default PSK is not used */
243#ifndef OPENSSL_NO_PSK
244static unsigned int psk_client_callback(SSL *ssl, const char *hint, char *identity,
245 unsigned int max_identity_len, unsigned char *psk,
246 unsigned int max_psk_len);
247static unsigned int psk_server_callback(SSL *ssl, const char *identity, unsigned char *psk,
248 unsigned int max_psk_len);
249#endif
250
251static BIO *bio_err=NULL;
252static BIO *bio_stdout=NULL;
253
254static char *cipher=NULL;
255static int verbose=0;
256static int debug=0;
257#if 0
258/* Not used yet. */
259#ifdef FIONBIO
260static int s_nbio=0;
261#endif
262#endif
263
264static const char rnd_seed[] = "string to make the random number generator think it has entropy";
265
266int doit_biopair(SSL *s_ssl,SSL *c_ssl,long bytes,clock_t *s_time,clock_t *c_time);
267int doit(SSL *s_ssl,SSL *c_ssl,long bytes);
268static int do_test_cipherlist(void);
269static void sv_usage(void)
270 {
271 fprintf(stderr,"usage: ssltest [args ...]\n");
272 fprintf(stderr,"\n");
273 fprintf(stderr," -server_auth - check server certificate\n");
274 fprintf(stderr," -client_auth - do client authentication\n");
275 fprintf(stderr," -proxy - allow proxy certificates\n");
276 fprintf(stderr," -proxy_auth <val> - set proxy policy rights\n");
277 fprintf(stderr," -proxy_cond <val> - experssion to test proxy policy rights\n");
278 fprintf(stderr," -v - more output\n");
279 fprintf(stderr," -d - debug output\n");
280 fprintf(stderr," -reuse - use session-id reuse\n");
281 fprintf(stderr," -num <val> - number of connections to perform\n");
282 fprintf(stderr," -bytes <val> - number of bytes to swap between client/server\n");
283#ifndef OPENSSL_NO_DH
284 fprintf(stderr," -dhe1024 - use 1024 bit key (safe prime) for DHE\n");
285 fprintf(stderr," -dhe1024dsa - use 1024 bit key (with 160-bit subprime) for DHE\n");
286 fprintf(stderr," -no_dhe - disable DHE\n");
287#endif
288#ifndef OPENSSL_NO_ECDH
289 fprintf(stderr," -no_ecdhe - disable ECDHE\n");
290#endif
291#ifndef OPENSSL_NO_PSK
292 fprintf(stderr," -psk arg - PSK in hex (without 0x)\n");
293#endif
294#ifndef OPENSSL_NO_SSL2
295 fprintf(stderr," -ssl2 - use SSLv2\n");
296#endif
297#ifndef OPENSSL_NO_SSL3
298 fprintf(stderr," -ssl3 - use SSLv3\n");
299#endif
300#ifndef OPENSSL_NO_TLS1
301 fprintf(stderr," -tls1 - use TLSv1\n");
302#endif
303 fprintf(stderr," -CApath arg - PEM format directory of CA's\n");
304 fprintf(stderr," -CAfile arg - PEM format file of CA's\n");
305 fprintf(stderr," -cert arg - Server certificate file\n");
306 fprintf(stderr," -key arg - Server key file (default: same as -cert)\n");
307 fprintf(stderr," -c_cert arg - Client certificate file\n");
308 fprintf(stderr," -c_key arg - Client key file (default: same as -c_cert)\n");
309 fprintf(stderr," -cipher arg - The cipher list\n");
310 fprintf(stderr," -bio_pair - Use BIO pairs\n");
311 fprintf(stderr," -f - Test even cases that can't work\n");
312 fprintf(stderr," -time - measure processor time used by client and server\n");
313 fprintf(stderr," -zlib - use zlib compression\n");
314 fprintf(stderr," -rle - use rle compression\n");
315#ifndef OPENSSL_NO_ECDH
316 fprintf(stderr," -named_curve arg - Elliptic curve name to use for ephemeral ECDH keys.\n" \
317 " Use \"openssl ecparam -list_curves\" for all names\n" \
318 " (default is sect163r2).\n");
319#endif
320 fprintf(stderr," -test_cipherlist - verifies the order of the ssl cipher lists\n");
321 }
322
323static void print_details(SSL *c_ssl, const char *prefix)
324 {
325 const SSL_CIPHER *ciph;
326 X509 *cert;
327
328 ciph=SSL_get_current_cipher(c_ssl);
329 BIO_printf(bio_stdout,"%s%s, cipher %s %s",
330 prefix,
331 SSL_get_version(c_ssl),
332 SSL_CIPHER_get_version(ciph),
333 SSL_CIPHER_get_name(ciph));
334 cert=SSL_get_peer_certificate(c_ssl);
335 if (cert != NULL)
336 {
337 EVP_PKEY *pkey = X509_get_pubkey(cert);
338 if (pkey != NULL)
339 {
340 if (0)
341 ;
342#ifndef OPENSSL_NO_RSA
343 else if (pkey->type == EVP_PKEY_RSA && pkey->pkey.rsa != NULL
344 && pkey->pkey.rsa->n != NULL)
345 {
346 BIO_printf(bio_stdout, ", %d bit RSA",
347 BN_num_bits(pkey->pkey.rsa->n));
348 }
349#endif
350#ifndef OPENSSL_NO_DSA
351 else if (pkey->type == EVP_PKEY_DSA && pkey->pkey.dsa != NULL
352 && pkey->pkey.dsa->p != NULL)
353 {
354 BIO_printf(bio_stdout, ", %d bit DSA",
355 BN_num_bits(pkey->pkey.dsa->p));
356 }
357#endif
358 EVP_PKEY_free(pkey);
359 }
360 X509_free(cert);
361 }
362 /* The SSL API does not allow us to look at temporary RSA/DH keys,
363 * otherwise we should print their lengths too */
364 BIO_printf(bio_stdout,"\n");
365 }
366
367static void lock_dbg_cb(int mode, int type, const char *file, int line)
368 {
369 static int modes[CRYPTO_NUM_LOCKS]; /* = {0, 0, ... } */
370 const char *errstr = NULL;
371 int rw;
372
373 rw = mode & (CRYPTO_READ|CRYPTO_WRITE);
374 if (!((rw == CRYPTO_READ) || (rw == CRYPTO_WRITE)))
375 {
376 errstr = "invalid mode";
377 goto err;
378 }
379
380 if (type < 0 || type >= CRYPTO_NUM_LOCKS)
381 {
382 errstr = "type out of bounds";
383 goto err;
384 }
385
386 if (mode & CRYPTO_LOCK)
387 {
388 if (modes[type])
389 {
390 errstr = "already locked";
391 /* must not happen in a single-threaded program
392 * (would deadlock) */
393 goto err;
394 }
395
396 modes[type] = rw;
397 }
398 else if (mode & CRYPTO_UNLOCK)
399 {
400 if (!modes[type])
401 {
402 errstr = "not locked";
403 goto err;
404 }
405
406 if (modes[type] != rw)
407 {
408 errstr = (rw == CRYPTO_READ) ?
409 "CRYPTO_r_unlock on write lock" :
410 "CRYPTO_w_unlock on read lock";
411 }
412
413 modes[type] = 0;
414 }
415 else
416 {
417 errstr = "invalid mode";
418 goto err;
419 }
420
421 err:
422 if (errstr)
423 {
424 /* we cannot use bio_err here */
425 fprintf(stderr, "openssl (lock_dbg_cb): %s (mode=%d, type=%d) at %s:%d\n",
426 errstr, mode, type, file, line);
427 }
428 }
429
430#ifdef TLSEXT_TYPE_opaque_prf_input
431struct cb_info_st { void *input; size_t len; int ret; };
432struct cb_info_st co1 = { "C", 1, 1 }; /* try to negotiate oqaque PRF input */
433struct cb_info_st co2 = { "C", 1, 2 }; /* insist on oqaque PRF input */
434struct cb_info_st so1 = { "S", 1, 1 }; /* try to negotiate oqaque PRF input */
435struct cb_info_st so2 = { "S", 1, 2 }; /* insist on oqaque PRF input */
436
437int opaque_prf_input_cb(SSL *ssl, void *peerinput, size_t len, void *arg_)
438 {
439 struct cb_info_st *arg = arg_;
440
441 if (arg == NULL)
442 return 1;
443
444 if (!SSL_set_tlsext_opaque_prf_input(ssl, arg->input, arg->len))
445 return 0;
446 return arg->ret;
447 }
448#endif
449
450int main(int argc, char *argv[])
451 {
452 char *CApath=NULL,*CAfile=NULL;
453 int badop=0;
454 int bio_pair=0;
455 int force=0;
456 int tls1=0,ssl2=0,ssl3=0,ret=1;
457 int client_auth=0;
458 int server_auth=0,i;
459 struct app_verify_arg app_verify_arg =
460 { APP_CALLBACK_STRING, 0, 0, NULL, NULL };
461 char *server_cert=TEST_SERVER_CERT;
462 char *server_key=NULL;
463 char *client_cert=TEST_CLIENT_CERT;
464 char *client_key=NULL;
465#ifndef OPENSSL_NO_ECDH
466 char *named_curve = NULL;
467#endif
468 SSL_CTX *s_ctx=NULL;
469 SSL_CTX *c_ctx=NULL;
470 const SSL_METHOD *meth=NULL;
471 SSL *c_ssl,*s_ssl;
472 int number=1,reuse=0;
473 long bytes=256L;
474#ifndef OPENSSL_NO_DH
475 DH *dh;
476 int dhe1024 = 0, dhe1024dsa = 0;
477#endif
478#ifndef OPENSSL_NO_ECDH
479 EC_KEY *ecdh = NULL;
480#endif
481 int no_dhe = 0;
482 int no_ecdhe = 0;
483 int no_psk = 0;
484 int print_time = 0;
485 clock_t s_time = 0, c_time = 0;
486 int comp = 0;
487#ifndef OPENSSL_NO_COMP
488 COMP_METHOD *cm = NULL;
489#endif
490 STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
491 int test_cipherlist = 0;
492
493 verbose = 0;
494 debug = 0;
495 cipher = 0;
496
497 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE|BIO_FP_TEXT);
498
499 CRYPTO_set_locking_callback(lock_dbg_cb);
500
501 /* enable memory leak checking unless explicitly disabled */
502 if (!((getenv("OPENSSL_DEBUG_MEMORY") != NULL) && (0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off"))))
503 {
504 CRYPTO_malloc_debug_init();
505 CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
506 }
507 else
508 {
509 /* OPENSSL_DEBUG_MEMORY=off */
510 CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0);
511 }
512 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
513
514 RAND_seed(rnd_seed, sizeof rnd_seed);
515
516 bio_stdout=BIO_new_fp(stdout,BIO_NOCLOSE|BIO_FP_TEXT);
517
518 argc--;
519 argv++;
520
521 while (argc >= 1)
522 {
523 if (strcmp(*argv,"-server_auth") == 0)
524 server_auth=1;
525 else if (strcmp(*argv,"-client_auth") == 0)
526 client_auth=1;
527 else if (strcmp(*argv,"-proxy_auth") == 0)
528 {
529 if (--argc < 1) goto bad;
530 app_verify_arg.proxy_auth= *(++argv);
531 }
532 else if (strcmp(*argv,"-proxy_cond") == 0)
533 {
534 if (--argc < 1) goto bad;
535 app_verify_arg.proxy_cond= *(++argv);
536 }
537 else if (strcmp(*argv,"-v") == 0)
538 verbose=1;
539 else if (strcmp(*argv,"-d") == 0)
540 debug=1;
541 else if (strcmp(*argv,"-reuse") == 0)
542 reuse=1;
543 else if (strcmp(*argv,"-dhe1024") == 0)
544 {
545#ifndef OPENSSL_NO_DH
546 dhe1024=1;
547#else
548 fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n");
549#endif
550 }
551 else if (strcmp(*argv,"-dhe1024dsa") == 0)
552 {
553#ifndef OPENSSL_NO_DH
554 dhe1024dsa=1;
555#else
556 fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n");
557#endif
558 }
559 else if (strcmp(*argv,"-no_dhe") == 0)
560 no_dhe=1;
561 else if (strcmp(*argv,"-no_ecdhe") == 0)
562 no_ecdhe=1;
563 else if (strcmp(*argv,"-psk") == 0)
564 {
565 if (--argc < 1) goto bad;
566 psk_key=*(++argv);
567#ifndef OPENSSL_NO_PSK
568 if (strspn(psk_key, "abcdefABCDEF1234567890") != strlen(psk_key))
569 {
570 BIO_printf(bio_err,"Not a hex number '%s'\n",*argv);
571 goto bad;
572 }
573#else
574 no_psk=1;
575#endif
576 }
577 else if (strcmp(*argv,"-ssl2") == 0)
578 ssl2=1;
579 else if (strcmp(*argv,"-tls1") == 0)
580 tls1=1;
581 else if (strcmp(*argv,"-ssl3") == 0)
582 ssl3=1;
583 else if (strncmp(*argv,"-num",4) == 0)
584 {
585 if (--argc < 1) goto bad;
586 number= atoi(*(++argv));
587 if (number == 0) number=1;
588 }
589 else if (strcmp(*argv,"-bytes") == 0)
590 {
591 if (--argc < 1) goto bad;
592 bytes= atol(*(++argv));
593 if (bytes == 0L) bytes=1L;
594 i=strlen(argv[0]);
595 if (argv[0][i-1] == 'k') bytes*=1024L;
596 if (argv[0][i-1] == 'm') bytes*=1024L*1024L;
597 }
598 else if (strcmp(*argv,"-cert") == 0)
599 {
600 if (--argc < 1) goto bad;
601 server_cert= *(++argv);
602 }
603 else if (strcmp(*argv,"-s_cert") == 0)
604 {
605 if (--argc < 1) goto bad;
606 server_cert= *(++argv);
607 }
608 else if (strcmp(*argv,"-key") == 0)
609 {
610 if (--argc < 1) goto bad;
611 server_key= *(++argv);
612 }
613 else if (strcmp(*argv,"-s_key") == 0)
614 {
615 if (--argc < 1) goto bad;
616 server_key= *(++argv);
617 }
618 else if (strcmp(*argv,"-c_cert") == 0)
619 {
620 if (--argc < 1) goto bad;
621 client_cert= *(++argv);
622 }
623 else if (strcmp(*argv,"-c_key") == 0)
624 {
625 if (--argc < 1) goto bad;
626 client_key= *(++argv);
627 }
628 else if (strcmp(*argv,"-cipher") == 0)
629 {
630 if (--argc < 1) goto bad;
631 cipher= *(++argv);
632 }
633 else if (strcmp(*argv,"-CApath") == 0)
634 {
635 if (--argc < 1) goto bad;
636 CApath= *(++argv);
637 }
638 else if (strcmp(*argv,"-CAfile") == 0)
639 {
640 if (--argc < 1) goto bad;
641 CAfile= *(++argv);
642 }
643 else if (strcmp(*argv,"-bio_pair") == 0)
644 {
645 bio_pair = 1;
646 }
647 else if (strcmp(*argv,"-f") == 0)
648 {
649 force = 1;
650 }
651 else if (strcmp(*argv,"-time") == 0)
652 {
653 print_time = 1;
654 }
655 else if (strcmp(*argv,"-zlib") == 0)
656 {
657 comp = COMP_ZLIB;
658 }
659 else if (strcmp(*argv,"-rle") == 0)
660 {
661 comp = COMP_RLE;
662 }
663 else if (strcmp(*argv,"-named_curve") == 0)
664 {
665 if (--argc < 1) goto bad;
666#ifndef OPENSSL_NO_ECDH
667 named_curve = *(++argv);
668#else
669 fprintf(stderr,"ignoring -named_curve, since I'm compiled without ECDH\n");
670 ++argv;
671#endif
672 }
673 else if (strcmp(*argv,"-app_verify") == 0)
674 {
675 app_verify_arg.app_verify = 1;
676 }
677 else if (strcmp(*argv,"-proxy") == 0)
678 {
679 app_verify_arg.allow_proxy_certs = 1;
680 }
681 else if (strcmp(*argv,"-test_cipherlist") == 0)
682 {
683 test_cipherlist = 1;
684 }
685 else
686 {
687 fprintf(stderr,"unknown option %s\n",*argv);
688 badop=1;
689 break;
690 }
691 argc--;
692 argv++;
693 }
694 if (badop)
695 {
696bad:
697 sv_usage();
698 goto end;
699 }
700
701 if (test_cipherlist == 1)
702 {
703 /* ensure that the cipher list are correctly sorted and exit */
704 if (do_test_cipherlist() == 0)
705 EXIT(1);
706 ret = 0;
707 goto end;
708 }
709
710 if (!ssl2 && !ssl3 && !tls1 && number > 1 && !reuse && !force)
711 {
712 fprintf(stderr, "This case cannot work. Use -f to perform "
713 "the test anyway (and\n-d to see what happens), "
714 "or add one of -ssl2, -ssl3, -tls1, -reuse\n"
715 "to avoid protocol mismatch.\n");
716 EXIT(1);
717 }
718
719 if (print_time)
720 {
721 if (!bio_pair)
722 {
723 fprintf(stderr, "Using BIO pair (-bio_pair)\n");
724 bio_pair = 1;
725 }
726 if (number < 50 && !force)
727 fprintf(stderr, "Warning: For accurate timings, use more connections (e.g. -num 1000)\n");
728 }
729
730/* if (cipher == NULL) cipher=getenv("SSL_CIPHER"); */
731
732 SSL_library_init();
733 SSL_load_error_strings();
734
735#ifndef OPENSSL_NO_COMP
736 if (comp == COMP_ZLIB) cm = COMP_zlib();
737 if (comp == COMP_RLE) cm = COMP_rle();
738 if (cm != NULL)
739 {
740 if (cm->type != NID_undef)
741 {
742 if (SSL_COMP_add_compression_method(comp, cm) != 0)
743 {
744 fprintf(stderr,
745 "Failed to add compression method\n");
746 ERR_print_errors_fp(stderr);
747 }
748 }
749 else
750 {
751 fprintf(stderr,
752 "Warning: %s compression not supported\n",
753 (comp == COMP_RLE ? "rle" :
754 (comp == COMP_ZLIB ? "zlib" :
755 "unknown")));
756 ERR_print_errors_fp(stderr);
757 }
758 }
759 ssl_comp_methods = SSL_COMP_get_compression_methods();
760 fprintf(stderr, "Available compression methods:\n");
761 {
762 int j, n = sk_SSL_COMP_num(ssl_comp_methods);
763 if (n == 0)
764 fprintf(stderr, " NONE\n");
765 else
766 for (j = 0; j < n; j++)
767 {
768 SSL_COMP *c = sk_SSL_COMP_value(ssl_comp_methods, j);
769 fprintf(stderr, " %d: %s\n", c->id, c->name);
770 }
771 }
772#endif
773
774#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
775 if (ssl2)
776 meth=SSLv2_method();
777 else
778 if (tls1)
779 meth=TLSv1_method();
780 else
781 if (ssl3)
782 meth=SSLv3_method();
783 else
784 meth=SSLv23_method();
785#else
786#ifdef OPENSSL_NO_SSL2
787 meth=SSLv3_method();
788#else
789 meth=SSLv2_method();
790#endif
791#endif
792
793 c_ctx=SSL_CTX_new(meth);
794 s_ctx=SSL_CTX_new(meth);
795 if ((c_ctx == NULL) || (s_ctx == NULL))
796 {
797 ERR_print_errors(bio_err);
798 goto end;
799 }
800
801 if (cipher != NULL)
802 {
803 SSL_CTX_set_cipher_list(c_ctx,cipher);
804 SSL_CTX_set_cipher_list(s_ctx,cipher);
805 }
806
807#ifndef OPENSSL_NO_DH
808 if (!no_dhe)
809 {
810 if (dhe1024dsa)
811 {
812 /* use SSL_OP_SINGLE_DH_USE to avoid small subgroup attacks */
813 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);
814 dh=get_dh1024dsa();
815 }
816 else if (dhe1024)
817 dh=get_dh1024();
818 else
819 dh=get_dh512();
820 SSL_CTX_set_tmp_dh(s_ctx,dh);
821 DH_free(dh);
822 }
823#else
824 (void)no_dhe;
825#endif
826
827#ifndef OPENSSL_NO_ECDH
828 if (!no_ecdhe)
829 {
830 int nid;
831
832 if (named_curve != NULL)
833 {
834 nid = OBJ_sn2nid(named_curve);
835 if (nid == 0)
836 {
837 BIO_printf(bio_err, "unknown curve name (%s)\n", named_curve);
838 goto end;
839 }
840 }
841 else
842 nid = NID_sect163r2;
843
844 ecdh = EC_KEY_new_by_curve_name(nid);
845 if (ecdh == NULL)
846 {
847 BIO_printf(bio_err, "unable to create curve\n");
848 goto end;
849 }
850
851 SSL_CTX_set_tmp_ecdh(s_ctx, ecdh);
852 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_ECDH_USE);
853 EC_KEY_free(ecdh);
854 }
855#else
856 (void)no_ecdhe;
857#endif
858
859#ifndef OPENSSL_NO_RSA
860 SSL_CTX_set_tmp_rsa_callback(s_ctx,tmp_rsa_cb);
861#endif
862
863#ifdef TLSEXT_TYPE_opaque_prf_input
864 SSL_CTX_set_tlsext_opaque_prf_input_callback(c_ctx, opaque_prf_input_cb);
865 SSL_CTX_set_tlsext_opaque_prf_input_callback(s_ctx, opaque_prf_input_cb);
866 SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(c_ctx, &co1); /* or &co2 or NULL */
867 SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(s_ctx, &so1); /* or &so2 or NULL */
868#endif
869
870 if (!SSL_CTX_use_certificate_file(s_ctx,server_cert,SSL_FILETYPE_PEM))
871 {
872 ERR_print_errors(bio_err);
873 }
874 else if (!SSL_CTX_use_PrivateKey_file(s_ctx,
875 (server_key?server_key:server_cert), SSL_FILETYPE_PEM))
876 {
877 ERR_print_errors(bio_err);
878 goto end;
879 }
880
881 if (client_auth)
882 {
883 SSL_CTX_use_certificate_file(c_ctx,client_cert,
884 SSL_FILETYPE_PEM);
885 SSL_CTX_use_PrivateKey_file(c_ctx,
886 (client_key?client_key:client_cert),
887 SSL_FILETYPE_PEM);
888 }
889
890 if ( (!SSL_CTX_load_verify_locations(s_ctx,CAfile,CApath)) ||
891 (!SSL_CTX_set_default_verify_paths(s_ctx)) ||
892 (!SSL_CTX_load_verify_locations(c_ctx,CAfile,CApath)) ||
893 (!SSL_CTX_set_default_verify_paths(c_ctx)))
894 {
895 /* fprintf(stderr,"SSL_load_verify_locations\n"); */
896 ERR_print_errors(bio_err);
897 /* goto end; */
898 }
899
900 if (client_auth)
901 {
902 BIO_printf(bio_err,"client authentication\n");
903 SSL_CTX_set_verify(s_ctx,
904 SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
905 verify_callback);
906 SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, &app_verify_arg);
907 }
908 if (server_auth)
909 {
910 BIO_printf(bio_err,"server authentication\n");
911 SSL_CTX_set_verify(c_ctx,SSL_VERIFY_PEER,
912 verify_callback);
913 SSL_CTX_set_cert_verify_callback(c_ctx, app_verify_callback, &app_verify_arg);
914 }
915
916 {
917 int session_id_context = 0;
918 SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context, sizeof session_id_context);
919 }
920
921 /* Use PSK only if PSK key is given */
922 if (psk_key != NULL)
923 {
924 /* no_psk is used to avoid putting psk command to openssl tool */
925 if (no_psk)
926 {
927 /* if PSK is not compiled in and psk key is
928 * given, do nothing and exit successfully */
929 ret=0;
930 goto end;
931 }
932#ifndef OPENSSL_NO_PSK
933 SSL_CTX_set_psk_client_callback(c_ctx, psk_client_callback);
934 SSL_CTX_set_psk_server_callback(s_ctx, psk_server_callback);
935 if (debug)
936 BIO_printf(bio_err,"setting PSK identity hint to s_ctx\n");
937 if (!SSL_CTX_use_psk_identity_hint(s_ctx, "ctx server identity_hint"))
938 {
939 BIO_printf(bio_err,"error setting PSK identity hint to s_ctx\n");
940 ERR_print_errors(bio_err);
941 goto end;
942 }
943#endif
944 }
945
946 c_ssl=SSL_new(c_ctx);
947 s_ssl=SSL_new(s_ctx);
948
949#ifndef OPENSSL_NO_KRB5
950 if (c_ssl && c_ssl->kssl_ctx)
951 {
952 char localhost[MAXHOSTNAMELEN+2];
953
954 if (gethostname(localhost, sizeof localhost-1) == 0)
955 {
956 localhost[sizeof localhost-1]='\0';
957 if(strlen(localhost) == sizeof localhost-1)
958 {
959 BIO_printf(bio_err,"localhost name too long\n");
960 goto end;
961 }
962 kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER,
963 localhost);
964 }
965 }
966#endif /* OPENSSL_NO_KRB5 */
967
968 for (i=0; i<number; i++)
969 {
970 if (!reuse) SSL_set_session(c_ssl,NULL);
971 if (bio_pair)
972 ret=doit_biopair(s_ssl,c_ssl,bytes,&s_time,&c_time);
973 else
974 ret=doit(s_ssl,c_ssl,bytes);
975 }
976
977 if (!verbose)
978 {
979 print_details(c_ssl, "");
980 }
981 if ((number > 1) || (bytes > 1L))
982 BIO_printf(bio_stdout, "%d handshakes of %ld bytes done\n",number,bytes);
983 if (print_time)
984 {
985#ifdef CLOCKS_PER_SEC
986 /* "To determine the time in seconds, the value returned
987 * by the clock function should be divided by the value
988 * of the macro CLOCKS_PER_SEC."
989 * -- ISO/IEC 9899 */
990 BIO_printf(bio_stdout, "Approximate total server time: %6.2f s\n"
991 "Approximate total client time: %6.2f s\n",
992 (double)s_time/CLOCKS_PER_SEC,
993 (double)c_time/CLOCKS_PER_SEC);
994#else
995 /* "`CLOCKS_PER_SEC' undeclared (first use this function)"
996 * -- cc on NeXTstep/OpenStep */
997 BIO_printf(bio_stdout,
998 "Approximate total server time: %6.2f units\n"
999 "Approximate total client time: %6.2f units\n",
1000 (double)s_time,
1001 (double)c_time);
1002#endif
1003 }
1004
1005 SSL_free(s_ssl);
1006 SSL_free(c_ssl);
1007
1008end:
1009 if (s_ctx != NULL) SSL_CTX_free(s_ctx);
1010 if (c_ctx != NULL) SSL_CTX_free(c_ctx);
1011
1012 if (bio_stdout != NULL) BIO_free(bio_stdout);
1013
1014#ifndef OPENSSL_NO_RSA
1015 free_tmp_rsa();
1016#endif
1017#ifndef OPENSSL_NO_ENGINE
1018 ENGINE_cleanup();
1019#endif
1020 CRYPTO_cleanup_all_ex_data();
1021 ERR_free_strings();
1022 ERR_remove_thread_state(NULL);
1023 EVP_cleanup();
1024 CRYPTO_mem_leaks(bio_err);
1025 if (bio_err != NULL) BIO_free(bio_err);
1026 EXIT(ret);
1027 return ret;
1028 }
1029
1030int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count,
1031 clock_t *s_time, clock_t *c_time)
1032 {
1033 long cw_num = count, cr_num = count, sw_num = count, sr_num = count;
1034 BIO *s_ssl_bio = NULL, *c_ssl_bio = NULL;
1035 BIO *server = NULL, *server_io = NULL, *client = NULL, *client_io = NULL;
1036 int ret = 1;
1037
1038 size_t bufsiz = 256; /* small buffer for testing */
1039
1040 if (!BIO_new_bio_pair(&server, bufsiz, &server_io, bufsiz))
1041 goto err;
1042 if (!BIO_new_bio_pair(&client, bufsiz, &client_io, bufsiz))
1043 goto err;
1044
1045 s_ssl_bio = BIO_new(BIO_f_ssl());
1046 if (!s_ssl_bio)
1047 goto err;
1048
1049 c_ssl_bio = BIO_new(BIO_f_ssl());
1050 if (!c_ssl_bio)
1051 goto err;
1052
1053 SSL_set_connect_state(c_ssl);
1054 SSL_set_bio(c_ssl, client, client);
1055 (void)BIO_set_ssl(c_ssl_bio, c_ssl, BIO_NOCLOSE);
1056
1057 SSL_set_accept_state(s_ssl);
1058 SSL_set_bio(s_ssl, server, server);
1059 (void)BIO_set_ssl(s_ssl_bio, s_ssl, BIO_NOCLOSE);
1060
1061 do
1062 {
1063 /* c_ssl_bio: SSL filter BIO
1064 *
1065 * client: pseudo-I/O for SSL library
1066 *
1067 * client_io: client's SSL communication; usually to be
1068 * relayed over some I/O facility, but in this
1069 * test program, we're the server, too:
1070 *
1071 * server_io: server's SSL communication
1072 *
1073 * server: pseudo-I/O for SSL library
1074 *
1075 * s_ssl_bio: SSL filter BIO
1076 *
1077 * The client and the server each employ a "BIO pair":
1078 * client + client_io, server + server_io.
1079 * BIO pairs are symmetric. A BIO pair behaves similar
1080 * to a non-blocking socketpair (but both endpoints must
1081 * be handled by the same thread).
1082 * [Here we could connect client and server to the ends
1083 * of a single BIO pair, but then this code would be less
1084 * suitable as an example for BIO pairs in general.]
1085 *
1086 * Useful functions for querying the state of BIO pair endpoints:
1087 *
1088 * BIO_ctrl_pending(bio) number of bytes we can read now
1089 * BIO_ctrl_get_read_request(bio) number of bytes needed to fulfil
1090 * other side's read attempt
1091 * BIO_ctrl_get_write_guarantee(bio) number of bytes we can write now
1092 *
1093 * ..._read_request is never more than ..._write_guarantee;
1094 * it depends on the application which one you should use.
1095 */
1096
1097 /* We have non-blocking behaviour throughout this test program, but
1098 * can be sure that there is *some* progress in each iteration; so
1099 * we don't have to worry about ..._SHOULD_READ or ..._SHOULD_WRITE
1100 * -- we just try everything in each iteration
1101 */
1102
1103 {
1104 /* CLIENT */
1105
1106 MS_STATIC char cbuf[1024*8];
1107 int i, r;
1108 clock_t c_clock = clock();
1109
1110 memset(cbuf, 0, sizeof(cbuf));
1111
1112 if (debug)
1113 if (SSL_in_init(c_ssl))
1114 printf("client waiting in SSL_connect - %s\n",
1115 SSL_state_string_long(c_ssl));
1116
1117 if (cw_num > 0)
1118 {
1119 /* Write to server. */
1120
1121 if (cw_num > (long)sizeof cbuf)
1122 i = sizeof cbuf;
1123 else
1124 i = (int)cw_num;
1125 r = BIO_write(c_ssl_bio, cbuf, i);
1126 if (r < 0)
1127 {
1128 if (!BIO_should_retry(c_ssl_bio))
1129 {
1130 fprintf(stderr,"ERROR in CLIENT\n");
1131 goto err;
1132 }
1133 /* BIO_should_retry(...) can just be ignored here.
1134 * The library expects us to call BIO_write with
1135 * the same arguments again, and that's what we will
1136 * do in the next iteration. */
1137 }
1138 else if (r == 0)
1139 {
1140 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1141 goto err;
1142 }
1143 else
1144 {
1145 if (debug)
1146 printf("client wrote %d\n", r);
1147 cw_num -= r;
1148 }
1149 }
1150
1151 if (cr_num > 0)
1152 {
1153 /* Read from server. */
1154
1155 r = BIO_read(c_ssl_bio, cbuf, sizeof(cbuf));
1156 if (r < 0)
1157 {
1158 if (!BIO_should_retry(c_ssl_bio))
1159 {
1160 fprintf(stderr,"ERROR in CLIENT\n");
1161 goto err;
1162 }
1163 /* Again, "BIO_should_retry" can be ignored. */
1164 }
1165 else if (r == 0)
1166 {
1167 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1168 goto err;
1169 }
1170 else
1171 {
1172 if (debug)
1173 printf("client read %d\n", r);
1174 cr_num -= r;
1175 }
1176 }
1177
1178 /* c_time and s_time increments will typically be very small
1179 * (depending on machine speed and clock tick intervals),
1180 * but sampling over a large number of connections should
1181 * result in fairly accurate figures. We cannot guarantee
1182 * a lot, however -- if each connection lasts for exactly
1183 * one clock tick, it will be counted only for the client
1184 * or only for the server or even not at all.
1185 */
1186 *c_time += (clock() - c_clock);
1187 }
1188
1189 {
1190 /* SERVER */
1191
1192 MS_STATIC char sbuf[1024*8];
1193 int i, r;
1194 clock_t s_clock = clock();
1195
1196 memset(sbuf, 0, sizeof(sbuf));
1197
1198 if (debug)
1199 if (SSL_in_init(s_ssl))
1200 printf("server waiting in SSL_accept - %s\n",
1201 SSL_state_string_long(s_ssl));
1202
1203 if (sw_num > 0)
1204 {
1205 /* Write to client. */
1206
1207 if (sw_num > (long)sizeof sbuf)
1208 i = sizeof sbuf;
1209 else
1210 i = (int)sw_num;
1211 r = BIO_write(s_ssl_bio, sbuf, i);
1212 if (r < 0)
1213 {
1214 if (!BIO_should_retry(s_ssl_bio))
1215 {
1216 fprintf(stderr,"ERROR in SERVER\n");
1217 goto err;
1218 }
1219 /* Ignore "BIO_should_retry". */
1220 }
1221 else if (r == 0)
1222 {
1223 fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
1224 goto err;
1225 }
1226 else
1227 {
1228 if (debug)
1229 printf("server wrote %d\n", r);
1230 sw_num -= r;
1231 }
1232 }
1233
1234 if (sr_num > 0)
1235 {
1236 /* Read from client. */
1237
1238 r = BIO_read(s_ssl_bio, sbuf, sizeof(sbuf));
1239 if (r < 0)
1240 {
1241 if (!BIO_should_retry(s_ssl_bio))
1242 {
1243 fprintf(stderr,"ERROR in SERVER\n");
1244 goto err;
1245 }
1246 /* blah, blah */
1247 }
1248 else if (r == 0)
1249 {
1250 fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
1251 goto err;
1252 }
1253 else
1254 {
1255 if (debug)
1256 printf("server read %d\n", r);
1257 sr_num -= r;
1258 }
1259 }
1260
1261 *s_time += (clock() - s_clock);
1262 }
1263
1264 {
1265 /* "I/O" BETWEEN CLIENT AND SERVER. */
1266
1267 size_t r1, r2;
1268 BIO *io1 = server_io, *io2 = client_io;
1269 /* we use the non-copying interface for io1
1270 * and the standard BIO_write/BIO_read interface for io2
1271 */
1272
1273 static int prev_progress = 1;
1274 int progress = 0;
1275
1276 /* io1 to io2 */
1277 do
1278 {
1279 size_t num;
1280 int r;
1281
1282 r1 = BIO_ctrl_pending(io1);
1283 r2 = BIO_ctrl_get_write_guarantee(io2);
1284
1285 num = r1;
1286 if (r2 < num)
1287 num = r2;
1288 if (num)
1289 {
1290 char *dataptr;
1291
1292 if (INT_MAX < num) /* yeah, right */
1293 num = INT_MAX;
1294
1295 r = BIO_nread(io1, &dataptr, (int)num);
1296 assert(r > 0);
1297 assert(r <= (int)num);
1298 /* possibly r < num (non-contiguous data) */
1299 num = r;
1300 r = BIO_write(io2, dataptr, (int)num);
1301 if (r != (int)num) /* can't happen */
1302 {
1303 fprintf(stderr, "ERROR: BIO_write could not write "
1304 "BIO_ctrl_get_write_guarantee() bytes");
1305 goto err;
1306 }
1307 progress = 1;
1308
1309 if (debug)
1310 printf((io1 == client_io) ?
1311 "C->S relaying: %d bytes\n" :
1312 "S->C relaying: %d bytes\n",
1313 (int)num);
1314 }
1315 }
1316 while (r1 && r2);
1317
1318 /* io2 to io1 */
1319 {
1320 size_t num;
1321 int r;
1322
1323 r1 = BIO_ctrl_pending(io2);
1324 r2 = BIO_ctrl_get_read_request(io1);
1325 /* here we could use ..._get_write_guarantee instead of
1326 * ..._get_read_request, but by using the latter
1327 * we test restartability of the SSL implementation
1328 * more thoroughly */
1329 num = r1;
1330 if (r2 < num)
1331 num = r2;
1332 if (num)
1333 {
1334 char *dataptr;
1335
1336 if (INT_MAX < num)
1337 num = INT_MAX;
1338
1339 if (num > 1)
1340 --num; /* test restartability even more thoroughly */
1341
1342 r = BIO_nwrite0(io1, &dataptr);
1343 assert(r > 0);
1344 if (r < (int)num)
1345 num = r;
1346 r = BIO_read(io2, dataptr, (int)num);
1347 if (r != (int)num) /* can't happen */
1348 {
1349 fprintf(stderr, "ERROR: BIO_read could not read "
1350 "BIO_ctrl_pending() bytes");
1351 goto err;
1352 }
1353 progress = 1;
1354 r = BIO_nwrite(io1, &dataptr, (int)num);
1355 if (r != (int)num) /* can't happen */
1356 {
1357 fprintf(stderr, "ERROR: BIO_nwrite() did not accept "
1358 "BIO_nwrite0() bytes");
1359 goto err;
1360 }
1361
1362 if (debug)
1363 printf((io2 == client_io) ?
1364 "C->S relaying: %d bytes\n" :
1365 "S->C relaying: %d bytes\n",
1366 (int)num);
1367 }
1368 } /* no loop, BIO_ctrl_get_read_request now returns 0 anyway */
1369
1370 if (!progress && !prev_progress)
1371 if (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0)
1372 {
1373 fprintf(stderr, "ERROR: got stuck\n");
1374 if (strcmp("SSLv2", SSL_get_version(c_ssl)) == 0)
1375 {
1376 fprintf(stderr, "This can happen for SSL2 because "
1377 "CLIENT-FINISHED and SERVER-VERIFY are written \n"
1378 "concurrently ...");
1379 if (strncmp("2SCF", SSL_state_string(c_ssl), 4) == 0
1380 && strncmp("2SSV", SSL_state_string(s_ssl), 4) == 0)
1381 {
1382 fprintf(stderr, " ok.\n");
1383 goto end;
1384 }
1385 }
1386 fprintf(stderr, " ERROR.\n");
1387 goto err;
1388 }
1389 prev_progress = progress;
1390 }
1391 }
1392 while (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0);
1393
1394 if (verbose)
1395 print_details(c_ssl, "DONE via BIO pair: ");
1396end:
1397 ret = 0;
1398
1399 err:
1400 ERR_print_errors(bio_err);
1401
1402 if (server)
1403 BIO_free(server);
1404 if (server_io)
1405 BIO_free(server_io);
1406 if (client)
1407 BIO_free(client);
1408 if (client_io)
1409 BIO_free(client_io);
1410 if (s_ssl_bio)
1411 BIO_free(s_ssl_bio);
1412 if (c_ssl_bio)
1413 BIO_free(c_ssl_bio);
1414
1415 return ret;
1416 }
1417
1418
1419#define W_READ 1
1420#define W_WRITE 2
1421#define C_DONE 1
1422#define S_DONE 2
1423
1424int doit(SSL *s_ssl, SSL *c_ssl, long count)
1425 {
1426 MS_STATIC char cbuf[1024*8],sbuf[1024*8];
1427 long cw_num=count,cr_num=count;
1428 long sw_num=count,sr_num=count;
1429 int ret=1;
1430 BIO *c_to_s=NULL;
1431 BIO *s_to_c=NULL;
1432 BIO *c_bio=NULL;
1433 BIO *s_bio=NULL;
1434 int c_r,c_w,s_r,s_w;
1435 int c_want,s_want;
1436 int i,j;
1437 int done=0;
1438 int c_write,s_write;
1439 int do_server=0,do_client=0;
1440
1441 memset(cbuf,0,sizeof(cbuf));
1442 memset(sbuf,0,sizeof(sbuf));
1443
1444 c_to_s=BIO_new(BIO_s_mem());
1445 s_to_c=BIO_new(BIO_s_mem());
1446 if ((s_to_c == NULL) || (c_to_s == NULL))
1447 {
1448 ERR_print_errors(bio_err);
1449 goto err;
1450 }
1451
1452 c_bio=BIO_new(BIO_f_ssl());
1453 s_bio=BIO_new(BIO_f_ssl());
1454 if ((c_bio == NULL) || (s_bio == NULL))
1455 {
1456 ERR_print_errors(bio_err);
1457 goto err;
1458 }
1459
1460 SSL_set_connect_state(c_ssl);
1461 SSL_set_bio(c_ssl,s_to_c,c_to_s);
1462 BIO_set_ssl(c_bio,c_ssl,BIO_NOCLOSE);
1463
1464 SSL_set_accept_state(s_ssl);
1465 SSL_set_bio(s_ssl,c_to_s,s_to_c);
1466 BIO_set_ssl(s_bio,s_ssl,BIO_NOCLOSE);
1467
1468 c_r=0; s_r=1;
1469 c_w=1; s_w=0;
1470 c_want=W_WRITE;
1471 s_want=0;
1472 c_write=1,s_write=0;
1473
1474 /* We can always do writes */
1475 for (;;)
1476 {
1477 do_server=0;
1478 do_client=0;
1479
1480 i=(int)BIO_pending(s_bio);
1481 if ((i && s_r) || s_w) do_server=1;
1482
1483 i=(int)BIO_pending(c_bio);
1484 if ((i && c_r) || c_w) do_client=1;
1485
1486 if (do_server && debug)
1487 {
1488 if (SSL_in_init(s_ssl))
1489 printf("server waiting in SSL_accept - %s\n",
1490 SSL_state_string_long(s_ssl));
1491/* else if (s_write)
1492 printf("server:SSL_write()\n");
1493 else
1494 printf("server:SSL_read()\n"); */
1495 }
1496
1497 if (do_client && debug)
1498 {
1499 if (SSL_in_init(c_ssl))
1500 printf("client waiting in SSL_connect - %s\n",
1501 SSL_state_string_long(c_ssl));
1502/* else if (c_write)
1503 printf("client:SSL_write()\n");
1504 else
1505 printf("client:SSL_read()\n"); */
1506 }
1507
1508 if (!do_client && !do_server)
1509 {
1510 fprintf(stdout,"ERROR IN STARTUP\n");
1511 ERR_print_errors(bio_err);
1512 break;
1513 }
1514 if (do_client && !(done & C_DONE))
1515 {
1516 if (c_write)
1517 {
1518 j = (cw_num > (long)sizeof(cbuf)) ?
1519 (int)sizeof(cbuf) : (int)cw_num;
1520 i=BIO_write(c_bio,cbuf,j);
1521 if (i < 0)
1522 {
1523 c_r=0;
1524 c_w=0;
1525 if (BIO_should_retry(c_bio))
1526 {
1527 if (BIO_should_read(c_bio))
1528 c_r=1;
1529 if (BIO_should_write(c_bio))
1530 c_w=1;
1531 }
1532 else
1533 {
1534 fprintf(stderr,"ERROR in CLIENT\n");
1535 ERR_print_errors(bio_err);
1536 goto err;
1537 }
1538 }
1539 else if (i == 0)
1540 {
1541 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1542 goto err;
1543 }
1544 else
1545 {
1546 if (debug)
1547 printf("client wrote %d\n",i);
1548 /* ok */
1549 s_r=1;
1550 c_write=0;
1551 cw_num-=i;
1552 }
1553 }
1554 else
1555 {
1556 i=BIO_read(c_bio,cbuf,sizeof(cbuf));
1557 if (i < 0)
1558 {
1559 c_r=0;
1560 c_w=0;
1561 if (BIO_should_retry(c_bio))
1562 {
1563 if (BIO_should_read(c_bio))
1564 c_r=1;
1565 if (BIO_should_write(c_bio))
1566 c_w=1;
1567 }
1568 else
1569 {
1570 fprintf(stderr,"ERROR in CLIENT\n");
1571 ERR_print_errors(bio_err);
1572 goto err;
1573 }
1574 }
1575 else if (i == 0)
1576 {
1577 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1578 goto err;
1579 }
1580 else
1581 {
1582 if (debug)
1583 printf("client read %d\n",i);
1584 cr_num-=i;
1585 if (sw_num > 0)
1586 {
1587 s_write=1;
1588 s_w=1;
1589 }
1590 if (cr_num <= 0)
1591 {
1592 s_write=1;
1593 s_w=1;
1594 done=S_DONE|C_DONE;
1595 }
1596 }
1597 }
1598 }
1599
1600 if (do_server && !(done & S_DONE))
1601 {
1602 if (!s_write)
1603 {
1604 i=BIO_read(s_bio,sbuf,sizeof(cbuf));
1605 if (i < 0)
1606 {
1607 s_r=0;
1608 s_w=0;
1609 if (BIO_should_retry(s_bio))
1610 {
1611 if (BIO_should_read(s_bio))
1612 s_r=1;
1613 if (BIO_should_write(s_bio))
1614 s_w=1;
1615 }
1616 else
1617 {
1618 fprintf(stderr,"ERROR in SERVER\n");
1619 ERR_print_errors(bio_err);
1620 goto err;
1621 }
1622 }
1623 else if (i == 0)
1624 {
1625 ERR_print_errors(bio_err);
1626 fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_read\n");
1627 goto err;
1628 }
1629 else
1630 {
1631 if (debug)
1632 printf("server read %d\n",i);
1633 sr_num-=i;
1634 if (cw_num > 0)
1635 {
1636 c_write=1;
1637 c_w=1;
1638 }
1639 if (sr_num <= 0)
1640 {
1641 s_write=1;
1642 s_w=1;
1643 c_write=0;
1644 }
1645 }
1646 }
1647 else
1648 {
1649 j = (sw_num > (long)sizeof(sbuf)) ?
1650 (int)sizeof(sbuf) : (int)sw_num;
1651 i=BIO_write(s_bio,sbuf,j);
1652 if (i < 0)
1653 {
1654 s_r=0;
1655 s_w=0;
1656 if (BIO_should_retry(s_bio))
1657 {
1658 if (BIO_should_read(s_bio))
1659 s_r=1;
1660 if (BIO_should_write(s_bio))
1661 s_w=1;
1662 }
1663 else
1664 {
1665 fprintf(stderr,"ERROR in SERVER\n");
1666 ERR_print_errors(bio_err);
1667 goto err;
1668 }
1669 }
1670 else if (i == 0)
1671 {
1672 ERR_print_errors(bio_err);
1673 fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_write\n");
1674 goto err;
1675 }
1676 else
1677 {
1678 if (debug)
1679 printf("server wrote %d\n",i);
1680 sw_num-=i;
1681 s_write=0;
1682 c_r=1;
1683 if (sw_num <= 0)
1684 done|=S_DONE;
1685 }
1686 }
1687 }
1688
1689 if ((done & S_DONE) && (done & C_DONE)) break;
1690 }
1691
1692 if (verbose)
1693 print_details(c_ssl, "DONE: ");
1694 ret=0;
1695err:
1696 /* We have to set the BIO's to NULL otherwise they will be
1697 * OPENSSL_free()ed twice. Once when th s_ssl is SSL_free()ed and
1698 * again when c_ssl is SSL_free()ed.
1699 * This is a hack required because s_ssl and c_ssl are sharing the same
1700 * BIO structure and SSL_set_bio() and SSL_free() automatically
1701 * BIO_free non NULL entries.
1702 * You should not normally do this or be required to do this */
1703 if (s_ssl != NULL)
1704 {
1705 s_ssl->rbio=NULL;
1706 s_ssl->wbio=NULL;
1707 }
1708 if (c_ssl != NULL)
1709 {
1710 c_ssl->rbio=NULL;
1711 c_ssl->wbio=NULL;
1712 }
1713
1714 if (c_to_s != NULL) BIO_free(c_to_s);
1715 if (s_to_c != NULL) BIO_free(s_to_c);
1716 if (c_bio != NULL) BIO_free_all(c_bio);
1717 if (s_bio != NULL) BIO_free_all(s_bio);
1718 return(ret);
1719 }
1720
1721static int get_proxy_auth_ex_data_idx(void)
1722 {
1723 static volatile int idx = -1;
1724 if (idx < 0)
1725 {
1726 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
1727 if (idx < 0)
1728 {
1729 idx = X509_STORE_CTX_get_ex_new_index(0,
1730 "SSLtest for verify callback", NULL,NULL,NULL);
1731 }
1732 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
1733 }
1734 return idx;
1735 }
1736
1737static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
1738 {
1739 char *s,buf[256];
1740
1741 s=X509_NAME_oneline(X509_get_subject_name(ctx->current_cert),buf,
1742 sizeof buf);
1743 if (s != NULL)
1744 {
1745 if (ok)
1746 fprintf(stderr,"depth=%d %s\n",
1747 ctx->error_depth,buf);
1748 else
1749 {
1750 fprintf(stderr,"depth=%d error=%d %s\n",
1751 ctx->error_depth,ctx->error,buf);
1752 }
1753 }
1754
1755 if (ok == 0)
1756 {
1757 fprintf(stderr,"Error string: %s\n",
1758 X509_verify_cert_error_string(ctx->error));
1759 switch (ctx->error)
1760 {
1761 case X509_V_ERR_CERT_NOT_YET_VALID:
1762 case X509_V_ERR_CERT_HAS_EXPIRED:
1763 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
1764 fprintf(stderr," ... ignored.\n");
1765 ok=1;
1766 }
1767 }
1768
1769 if (ok == 1)
1770 {
1771 X509 *xs = ctx->current_cert;
1772#if 0
1773 X509 *xi = ctx->current_issuer;
1774#endif
1775
1776 if (xs->ex_flags & EXFLAG_PROXY)
1777 {
1778 unsigned int *letters =
1779 X509_STORE_CTX_get_ex_data(ctx,
1780 get_proxy_auth_ex_data_idx());
1781
1782 if (letters)
1783 {
1784 int found_any = 0;
1785 int i;
1786 PROXY_CERT_INFO_EXTENSION *pci =
1787 X509_get_ext_d2i(xs, NID_proxyCertInfo,
1788 NULL, NULL);
1789
1790 switch (OBJ_obj2nid(pci->proxyPolicy->policyLanguage))
1791 {
1792 case NID_Independent:
1793 /* Completely meaningless in this
1794 program, as there's no way to
1795 grant explicit rights to a
1796 specific PrC. Basically, using
1797 id-ppl-Independent is the perfect
1798 way to grant no rights at all. */
1799 fprintf(stderr, " Independent proxy certificate");
1800 for (i = 0; i < 26; i++)
1801 letters[i] = 0;
1802 break;
1803 case NID_id_ppl_inheritAll:
1804 /* This is basically a NOP, we
1805 simply let the current rights
1806 stand as they are. */
1807 fprintf(stderr, " Proxy certificate inherits all");
1808 break;
1809 default:
1810 s = (char *)
1811 pci->proxyPolicy->policy->data;
1812 i = pci->proxyPolicy->policy->length;
1813
1814 /* The algorithm works as follows:
1815 it is assumed that previous
1816 iterations or the initial granted
1817 rights has already set some elements
1818 of `letters'. What we need to do is
1819 to clear those that weren't granted
1820 by the current PrC as well. The
1821 easiest way to do this is to add 1
1822 to all the elements whose letters
1823 are given with the current policy.
1824 That way, all elements that are set
1825 by the current policy and were
1826 already set by earlier policies and
1827 through the original grant of rights
1828 will get the value 2 or higher.
1829 The last thing to do is to sweep
1830 through `letters' and keep the
1831 elements having the value 2 as set,
1832 and clear all the others. */
1833
1834 fprintf(stderr, " Certificate proxy rights = %*.*s", i, i, s);
1835 while(i-- > 0)
1836 {
1837 int c = *s++;
1838 if (isascii(c) && isalpha(c))
1839 {
1840 if (islower(c))
1841 c = toupper(c);
1842 letters[c - 'A']++;
1843 }
1844 }
1845 for (i = 0; i < 26; i++)
1846 if (letters[i] < 2)
1847 letters[i] = 0;
1848 else
1849 letters[i] = 1;
1850 }
1851
1852 found_any = 0;
1853 fprintf(stderr,
1854 ", resulting proxy rights = ");
1855 for(i = 0; i < 26; i++)
1856 if (letters[i])
1857 {
1858 fprintf(stderr, "%c", i + 'A');
1859 found_any = 1;
1860 }
1861 if (!found_any)
1862 fprintf(stderr, "none");
1863 fprintf(stderr, "\n");
1864
1865 PROXY_CERT_INFO_EXTENSION_free(pci);
1866 }
1867 }
1868 }
1869
1870 return(ok);
1871 }
1872
1873static void process_proxy_debug(int indent, const char *format, ...)
1874 {
1875 static const char indentation[] =
1876 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
1877 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"; /* That's 80 > */
1878 char my_format[256];
1879 va_list args;
1880
1881 BIO_snprintf(my_format, sizeof(my_format), "%*.*s %s",
1882 indent, indent, indentation, format);
1883
1884 va_start(args, format);
1885 vfprintf(stderr, my_format, args);
1886 va_end(args);
1887 }
1888/* Priority levels:
1889 0 [!]var, ()
1890 1 & ^
1891 2 |
1892*/
1893static int process_proxy_cond_adders(unsigned int letters[26],
1894 const char *cond, const char **cond_end, int *pos, int indent);
1895static int process_proxy_cond_val(unsigned int letters[26],
1896 const char *cond, const char **cond_end, int *pos, int indent)
1897 {
1898 int c;
1899 int ok = 1;
1900 int negate = 0;
1901
1902 while(isspace((int)*cond))
1903 {
1904 cond++; (*pos)++;
1905 }
1906 c = *cond;
1907
1908 if (debug)
1909 process_proxy_debug(indent,
1910 "Start process_proxy_cond_val at position %d: %s\n",
1911 *pos, cond);
1912
1913 while(c == '!')
1914 {
1915 negate = !negate;
1916 cond++; (*pos)++;
1917 while(isspace((int)*cond))
1918 {
1919 cond++; (*pos)++;
1920 }
1921 c = *cond;
1922 }
1923
1924 if (c == '(')
1925 {
1926 cond++; (*pos)++;
1927 ok = process_proxy_cond_adders(letters, cond, cond_end, pos,
1928 indent + 1);
1929 cond = *cond_end;
1930 if (ok < 0)
1931 goto end;
1932 while(isspace((int)*cond))
1933 {
1934 cond++; (*pos)++;
1935 }
1936 c = *cond;
1937 if (c != ')')
1938 {
1939 fprintf(stderr,
1940 "Weird condition character in position %d: "
1941 "%c\n", *pos, c);
1942 ok = -1;
1943 goto end;
1944 }
1945 cond++; (*pos)++;
1946 }
1947 else if (isascii(c) && isalpha(c))
1948 {
1949 if (islower(c))
1950 c = toupper(c);
1951 ok = letters[c - 'A'];
1952 cond++; (*pos)++;
1953 }
1954 else
1955 {
1956 fprintf(stderr,
1957 "Weird condition character in position %d: "
1958 "%c\n", *pos, c);
1959 ok = -1;
1960 goto end;
1961 }
1962 end:
1963 *cond_end = cond;
1964 if (ok >= 0 && negate)
1965 ok = !ok;
1966
1967 if (debug)
1968 process_proxy_debug(indent,
1969 "End process_proxy_cond_val at position %d: %s, returning %d\n",
1970 *pos, cond, ok);
1971
1972 return ok;
1973 }
1974static int process_proxy_cond_multipliers(unsigned int letters[26],
1975 const char *cond, const char **cond_end, int *pos, int indent)
1976 {
1977 int ok;
1978 char c;
1979
1980 if (debug)
1981 process_proxy_debug(indent,
1982 "Start process_proxy_cond_multipliers at position %d: %s\n",
1983 *pos, cond);
1984
1985 ok = process_proxy_cond_val(letters, cond, cond_end, pos, indent + 1);
1986 cond = *cond_end;
1987 if (ok < 0)
1988 goto end;
1989
1990 while(ok >= 0)
1991 {
1992 while(isspace((int)*cond))
1993 {
1994 cond++; (*pos)++;
1995 }
1996 c = *cond;
1997
1998 switch(c)
1999 {
2000 case '&':
2001 case '^':
2002 {
2003 int save_ok = ok;
2004
2005 cond++; (*pos)++;
2006 ok = process_proxy_cond_val(letters,
2007 cond, cond_end, pos, indent + 1);
2008 cond = *cond_end;
2009 if (ok < 0)
2010 break;
2011
2012 switch(c)
2013 {
2014 case '&':
2015 ok &= save_ok;
2016 break;
2017 case '^':
2018 ok ^= save_ok;
2019 break;
2020 default:
2021 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
2022 " STOPPING\n");
2023 EXIT(1);
2024 }
2025 }
2026 break;
2027 default:
2028 goto end;
2029 }
2030 }
2031 end:
2032 if (debug)
2033 process_proxy_debug(indent,
2034 "End process_proxy_cond_multipliers at position %d: %s, returning %d\n",
2035 *pos, cond, ok);
2036
2037 *cond_end = cond;
2038 return ok;
2039 }
2040static int process_proxy_cond_adders(unsigned int letters[26],
2041 const char *cond, const char **cond_end, int *pos, int indent)
2042 {
2043 int ok;
2044 char c;
2045
2046 if (debug)
2047 process_proxy_debug(indent,
2048 "Start process_proxy_cond_adders at position %d: %s\n",
2049 *pos, cond);
2050
2051 ok = process_proxy_cond_multipliers(letters, cond, cond_end, pos,
2052 indent + 1);
2053 cond = *cond_end;
2054 if (ok < 0)
2055 goto end;
2056
2057 while(ok >= 0)
2058 {
2059 while(isspace((int)*cond))
2060 {
2061 cond++; (*pos)++;
2062 }
2063 c = *cond;
2064
2065 switch(c)
2066 {
2067 case '|':
2068 {
2069 int save_ok = ok;
2070
2071 cond++; (*pos)++;
2072 ok = process_proxy_cond_multipliers(letters,
2073 cond, cond_end, pos, indent + 1);
2074 cond = *cond_end;
2075 if (ok < 0)
2076 break;
2077
2078 switch(c)
2079 {
2080 case '|':
2081 ok |= save_ok;
2082 break;
2083 default:
2084 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
2085 " STOPPING\n");
2086 EXIT(1);
2087 }
2088 }
2089 break;
2090 default:
2091 goto end;
2092 }
2093 }
2094 end:
2095 if (debug)
2096 process_proxy_debug(indent,
2097 "End process_proxy_cond_adders at position %d: %s, returning %d\n",
2098 *pos, cond, ok);
2099
2100 *cond_end = cond;
2101 return ok;
2102 }
2103
2104static int process_proxy_cond(unsigned int letters[26],
2105 const char *cond, const char **cond_end)
2106 {
2107 int pos = 1;
2108 return process_proxy_cond_adders(letters, cond, cond_end, &pos, 1);
2109 }
2110
2111static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg)
2112 {
2113 int ok=1;
2114 struct app_verify_arg *cb_arg = arg;
2115 unsigned int letters[26]; /* only used with proxy_auth */
2116
2117 if (cb_arg->app_verify)
2118 {
2119 char *s = NULL,buf[256];
2120
2121 fprintf(stderr, "In app_verify_callback, allowing cert. ");
2122 fprintf(stderr, "Arg is: %s\n", cb_arg->string);
2123 fprintf(stderr, "Finished printing do we have a context? 0x%p a cert? 0x%p\n",
2124 (void *)ctx, (void *)ctx->cert);
2125 if (ctx->cert)
2126 s=X509_NAME_oneline(X509_get_subject_name(ctx->cert),buf,256);
2127 if (s != NULL)
2128 {
2129 fprintf(stderr,"cert depth=%d %s\n",ctx->error_depth,buf);
2130 }
2131 return(1);
2132 }
2133 if (cb_arg->proxy_auth)
2134 {
2135 int found_any = 0, i;
2136 char *sp;
2137
2138 for(i = 0; i < 26; i++)
2139 letters[i] = 0;
2140 for(sp = cb_arg->proxy_auth; *sp; sp++)
2141 {
2142 int c = *sp;
2143 if (isascii(c) && isalpha(c))
2144 {
2145 if (islower(c))
2146 c = toupper(c);
2147 letters[c - 'A'] = 1;
2148 }
2149 }
2150
2151 fprintf(stderr,
2152 " Initial proxy rights = ");
2153 for(i = 0; i < 26; i++)
2154 if (letters[i])
2155 {
2156 fprintf(stderr, "%c", i + 'A');
2157 found_any = 1;
2158 }
2159 if (!found_any)
2160 fprintf(stderr, "none");
2161 fprintf(stderr, "\n");
2162
2163 X509_STORE_CTX_set_ex_data(ctx,
2164 get_proxy_auth_ex_data_idx(),letters);
2165 }
2166 if (cb_arg->allow_proxy_certs)
2167 {
2168 X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
2169 }
2170
2171#ifndef OPENSSL_NO_X509_VERIFY
2172# ifdef OPENSSL_FIPS
2173 if(s->version == TLS1_VERSION)
2174 FIPS_allow_md5(1);
2175# endif
2176 ok = X509_verify_cert(ctx);
2177# ifdef OPENSSL_FIPS
2178 if(s->version == TLS1_VERSION)
2179 FIPS_allow_md5(0);
2180# endif
2181#endif
2182
2183 if (cb_arg->proxy_auth)
2184 {
2185 if (ok > 0)
2186 {
2187 const char *cond_end = NULL;
2188
2189 ok = process_proxy_cond(letters,
2190 cb_arg->proxy_cond, &cond_end);
2191
2192 if (ok < 0)
2193 EXIT(3);
2194 if (*cond_end)
2195 {
2196 fprintf(stderr, "Stopped processing condition before it's end.\n");
2197 ok = 0;
2198 }
2199 if (!ok)
2200 fprintf(stderr, "Proxy rights check with condition '%s' proved invalid\n",
2201 cb_arg->proxy_cond);
2202 else
2203 fprintf(stderr, "Proxy rights check with condition '%s' proved valid\n",
2204 cb_arg->proxy_cond);
2205 }
2206 }
2207 return(ok);
2208 }
2209
2210#ifndef OPENSSL_NO_RSA
2211static RSA *rsa_tmp=NULL;
2212
2213static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength)
2214 {
2215 BIGNUM *bn = NULL;
2216 if (rsa_tmp == NULL)
2217 {
2218 bn = BN_new();
2219 rsa_tmp = RSA_new();
2220 if(!bn || !rsa_tmp || !BN_set_word(bn, RSA_F4))
2221 {
2222 BIO_printf(bio_err, "Memory error...");
2223 goto end;
2224 }
2225 BIO_printf(bio_err,"Generating temp (%d bit) RSA key...",keylength);
2226 (void)BIO_flush(bio_err);
2227 if(!RSA_generate_key_ex(rsa_tmp,keylength,bn,NULL))
2228 {
2229 BIO_printf(bio_err, "Error generating key.");
2230 RSA_free(rsa_tmp);
2231 rsa_tmp = NULL;
2232 }
2233end:
2234 BIO_printf(bio_err,"\n");
2235 (void)BIO_flush(bio_err);
2236 }
2237 if(bn) BN_free(bn);
2238 return(rsa_tmp);
2239 }
2240
2241static void free_tmp_rsa(void)
2242 {
2243 if (rsa_tmp != NULL)
2244 {
2245 RSA_free(rsa_tmp);
2246 rsa_tmp = NULL;
2247 }
2248 }
2249#endif
2250
2251#ifndef OPENSSL_NO_DH
2252/* These DH parameters have been generated as follows:
2253 * $ openssl dhparam -C -noout 512
2254 * $ openssl dhparam -C -noout 1024
2255 * $ openssl dhparam -C -noout -dsaparam 1024
2256 * (The third function has been renamed to avoid name conflicts.)
2257 */
2258static DH *get_dh512()
2259 {
2260 static unsigned char dh512_p[]={
2261 0xCB,0xC8,0xE1,0x86,0xD0,0x1F,0x94,0x17,0xA6,0x99,0xF0,0xC6,
2262 0x1F,0x0D,0xAC,0xB6,0x25,0x3E,0x06,0x39,0xCA,0x72,0x04,0xB0,
2263 0x6E,0xDA,0xC0,0x61,0xE6,0x7A,0x77,0x25,0xE8,0x3B,0xB9,0x5F,
2264 0x9A,0xB6,0xB5,0xFE,0x99,0x0B,0xA1,0x93,0x4E,0x35,0x33,0xB8,
2265 0xE1,0xF1,0x13,0x4F,0x59,0x1A,0xD2,0x57,0xC0,0x26,0x21,0x33,
2266 0x02,0xC5,0xAE,0x23,
2267 };
2268 static unsigned char dh512_g[]={
2269 0x02,
2270 };
2271 DH *dh;
2272
2273 if ((dh=DH_new()) == NULL) return(NULL);
2274 dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
2275 dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
2276 if ((dh->p == NULL) || (dh->g == NULL))
2277 { DH_free(dh); return(NULL); }
2278 return(dh);
2279 }
2280
2281static DH *get_dh1024()
2282 {
2283 static unsigned char dh1024_p[]={
2284 0xF8,0x81,0x89,0x7D,0x14,0x24,0xC5,0xD1,0xE6,0xF7,0xBF,0x3A,
2285 0xE4,0x90,0xF4,0xFC,0x73,0xFB,0x34,0xB5,0xFA,0x4C,0x56,0xA2,
2286 0xEA,0xA7,0xE9,0xC0,0xC0,0xCE,0x89,0xE1,0xFA,0x63,0x3F,0xB0,
2287 0x6B,0x32,0x66,0xF1,0xD1,0x7B,0xB0,0x00,0x8F,0xCA,0x87,0xC2,
2288 0xAE,0x98,0x89,0x26,0x17,0xC2,0x05,0xD2,0xEC,0x08,0xD0,0x8C,
2289 0xFF,0x17,0x52,0x8C,0xC5,0x07,0x93,0x03,0xB1,0xF6,0x2F,0xB8,
2290 0x1C,0x52,0x47,0x27,0x1B,0xDB,0xD1,0x8D,0x9D,0x69,0x1D,0x52,
2291 0x4B,0x32,0x81,0xAA,0x7F,0x00,0xC8,0xDC,0xE6,0xD9,0xCC,0xC1,
2292 0x11,0x2D,0x37,0x34,0x6C,0xEA,0x02,0x97,0x4B,0x0E,0xBB,0xB1,
2293 0x71,0x33,0x09,0x15,0xFD,0xDD,0x23,0x87,0x07,0x5E,0x89,0xAB,
2294 0x6B,0x7C,0x5F,0xEC,0xA6,0x24,0xDC,0x53,
2295 };
2296 static unsigned char dh1024_g[]={
2297 0x02,
2298 };
2299 DH *dh;
2300
2301 if ((dh=DH_new()) == NULL) return(NULL);
2302 dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
2303 dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
2304 if ((dh->p == NULL) || (dh->g == NULL))
2305 { DH_free(dh); return(NULL); }
2306 return(dh);
2307 }
2308
2309static DH *get_dh1024dsa()
2310 {
2311 static unsigned char dh1024_p[]={
2312 0xC8,0x00,0xF7,0x08,0x07,0x89,0x4D,0x90,0x53,0xF3,0xD5,0x00,
2313 0x21,0x1B,0xF7,0x31,0xA6,0xA2,0xDA,0x23,0x9A,0xC7,0x87,0x19,
2314 0x3B,0x47,0xB6,0x8C,0x04,0x6F,0xFF,0xC6,0x9B,0xB8,0x65,0xD2,
2315 0xC2,0x5F,0x31,0x83,0x4A,0xA7,0x5F,0x2F,0x88,0x38,0xB6,0x55,
2316 0xCF,0xD9,0x87,0x6D,0x6F,0x9F,0xDA,0xAC,0xA6,0x48,0xAF,0xFC,
2317 0x33,0x84,0x37,0x5B,0x82,0x4A,0x31,0x5D,0xE7,0xBD,0x52,0x97,
2318 0xA1,0x77,0xBF,0x10,0x9E,0x37,0xEA,0x64,0xFA,0xCA,0x28,0x8D,
2319 0x9D,0x3B,0xD2,0x6E,0x09,0x5C,0x68,0xC7,0x45,0x90,0xFD,0xBB,
2320 0x70,0xC9,0x3A,0xBB,0xDF,0xD4,0x21,0x0F,0xC4,0x6A,0x3C,0xF6,
2321 0x61,0xCF,0x3F,0xD6,0x13,0xF1,0x5F,0xBC,0xCF,0xBC,0x26,0x9E,
2322 0xBC,0x0B,0xBD,0xAB,0x5D,0xC9,0x54,0x39,
2323 };
2324 static unsigned char dh1024_g[]={
2325 0x3B,0x40,0x86,0xE7,0xF3,0x6C,0xDE,0x67,0x1C,0xCC,0x80,0x05,
2326 0x5A,0xDF,0xFE,0xBD,0x20,0x27,0x74,0x6C,0x24,0xC9,0x03,0xF3,
2327 0xE1,0x8D,0xC3,0x7D,0x98,0x27,0x40,0x08,0xB8,0x8C,0x6A,0xE9,
2328 0xBB,0x1A,0x3A,0xD6,0x86,0x83,0x5E,0x72,0x41,0xCE,0x85,0x3C,
2329 0xD2,0xB3,0xFC,0x13,0xCE,0x37,0x81,0x9E,0x4C,0x1C,0x7B,0x65,
2330 0xD3,0xE6,0xA6,0x00,0xF5,0x5A,0x95,0x43,0x5E,0x81,0xCF,0x60,
2331 0xA2,0x23,0xFC,0x36,0xA7,0x5D,0x7A,0x4C,0x06,0x91,0x6E,0xF6,
2332 0x57,0xEE,0x36,0xCB,0x06,0xEA,0xF5,0x3D,0x95,0x49,0xCB,0xA7,
2333 0xDD,0x81,0xDF,0x80,0x09,0x4A,0x97,0x4D,0xA8,0x22,0x72,0xA1,
2334 0x7F,0xC4,0x70,0x56,0x70,0xE8,0x20,0x10,0x18,0x8F,0x2E,0x60,
2335 0x07,0xE7,0x68,0x1A,0x82,0x5D,0x32,0xA2,
2336 };
2337 DH *dh;
2338
2339 if ((dh=DH_new()) == NULL) return(NULL);
2340 dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
2341 dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
2342 if ((dh->p == NULL) || (dh->g == NULL))
2343 { DH_free(dh); return(NULL); }
2344 dh->length = 160;
2345 return(dh);
2346 }
2347#endif
2348
2349#ifndef OPENSSL_NO_PSK
2350/* convert the PSK key (psk_key) in ascii to binary (psk) */
2351static int psk_key2bn(const char *pskkey, unsigned char *psk,
2352 unsigned int max_psk_len)
2353 {
2354 int ret;
2355 BIGNUM *bn = NULL;
2356
2357 ret = BN_hex2bn(&bn, pskkey);
2358 if (!ret)
2359 {
2360 BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", pskkey);
2361 if (bn)
2362 BN_free(bn);
2363 return 0;
2364 }
2365 if (BN_num_bytes(bn) > (int)max_psk_len)
2366 {
2367 BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n",
2368 max_psk_len, BN_num_bytes(bn));
2369 BN_free(bn);
2370 return 0;
2371 }
2372 ret = BN_bn2bin(bn, psk);
2373 BN_free(bn);
2374 return ret;
2375 }
2376
2377static unsigned int psk_client_callback(SSL *ssl, const char *hint, char *identity,
2378 unsigned int max_identity_len, unsigned char *psk,
2379 unsigned int max_psk_len)
2380 {
2381 int ret;
2382 unsigned int psk_len = 0;
2383
2384 ret = BIO_snprintf(identity, max_identity_len, "Client_identity");
2385 if (ret < 0)
2386 goto out_err;
2387 if (debug)
2388 fprintf(stderr, "client: created identity '%s' len=%d\n", identity, ret);
2389 ret = psk_key2bn(psk_key, psk, max_psk_len);
2390 if (ret < 0)
2391 goto out_err;
2392 psk_len = ret;
2393out_err:
2394 return psk_len;
2395 }
2396
2397static unsigned int psk_server_callback(SSL *ssl, const char *identity,
2398 unsigned char *psk, unsigned int max_psk_len)
2399 {
2400 unsigned int psk_len=0;
2401
2402 if (strcmp(identity, "Client_identity") != 0)
2403 {
2404 BIO_printf(bio_err, "server: PSK error: client identity not found\n");
2405 return 0;
2406 }
2407 psk_len=psk_key2bn(psk_key, psk, max_psk_len);
2408 return psk_len;
2409 }
2410#endif
2411
2412static int do_test_cipherlist(void)
2413 {
2414 int i = 0;
2415 const SSL_METHOD *meth;
2416 const SSL_CIPHER *ci, *tci = NULL;
2417
2418#ifndef OPENSSL_NO_SSL2
2419 fprintf(stderr, "testing SSLv2 cipher list order: ");
2420 meth = SSLv2_method();
2421 while ((ci = meth->get_cipher(i++)) != NULL)
2422 {
2423 if (tci != NULL)
2424 if (ci->id >= tci->id)
2425 {
2426 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2427 return 0;
2428 }
2429 tci = ci;
2430 }
2431 fprintf(stderr, "ok\n");
2432#endif
2433#ifndef OPENSSL_NO_SSL3
2434 fprintf(stderr, "testing SSLv3 cipher list order: ");
2435 meth = SSLv3_method();
2436 tci = NULL;
2437 while ((ci = meth->get_cipher(i++)) != NULL)
2438 {
2439 if (tci != NULL)
2440 if (ci->id >= tci->id)
2441 {
2442 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2443 return 0;
2444 }
2445 tci = ci;
2446 }
2447 fprintf(stderr, "ok\n");
2448#endif
2449#ifndef OPENSSL_NO_TLS1
2450 fprintf(stderr, "testing TLSv1 cipher list order: ");
2451 meth = TLSv1_method();
2452 tci = NULL;
2453 while ((ci = meth->get_cipher(i++)) != NULL)
2454 {
2455 if (tci != NULL)
2456 if (ci->id >= tci->id)
2457 {
2458 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2459 return 0;
2460 }
2461 tci = ci;
2462 }
2463 fprintf(stderr, "ok\n");
2464#endif
2465
2466 return 1;
2467 }
generated by cgit v1.2.3-55-g6feb (git 2.39.1) at 2025-04-28 03:01:38 +0000