Gitiles
Code Review Sign In
gerrit-public.fairphone.software / fp2-dev / platform / external / openssl / 8a903428736d72d6272cb91d66fb8ed46aaaeb1f / . / ssl / ssltest.c
blob: 438f3abc206184161b458af6131f3cfbbaec64db [file] [log] [blame]
The Android Open Source Project656d9c72009-03-03 19:30:25 -0800[diff] [blame]1/* ssl/ssltest.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111/* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 * ECC cipher suite support in OpenSSL originally developed by
114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
115 */
116
117#define _BSD_SOURCE 1 /* Or gethostname won't be declared properly
118 on Linux and GNU platforms. */
119
120#include <assert.h>
121#include <errno.h>
122#include <limits.h>
123#include <stdio.h>
124#include <stdlib.h>
125#include <string.h>
126#include <time.h>
127
128#define USE_SOCKETS
129#include "e_os.h"
130
131#define _XOPEN_SOURCE 500 /* Or isascii won't be declared properly on
132 VMS (at least with DECompHP C). */
133#include <ctype.h>
134
135#include <openssl/bio.h>
136#include <openssl/crypto.h>
137#include <openssl/evp.h>
138#include <openssl/x509.h>
139#include <openssl/x509v3.h>
140#include <openssl/ssl.h>
141#ifndef OPENSSL_NO_ENGINE
142#include <openssl/engine.h>
143#endif
144#include <openssl/err.h>
145#include <openssl/rand.h>
146#ifndef OPENSSL_NO_RSA
147#include <openssl/rsa.h>
148#endif
149#ifndef OPENSSL_NO_DSA
150#include <openssl/dsa.h>
151#endif
152#ifndef OPENSSL_NO_DH
153#include <openssl/dh.h>
154#endif
155#include <openssl/bn.h>
156
157#define _XOPEN_SOURCE_EXTENDED 1 /* Or gethostname won't be declared properly
158 on Compaq platforms (at least with DEC C).
159 Do not try to put it earlier, or IPv6 includes
160 get screwed...
161 */
162
163#ifdef OPENSSL_SYS_WINDOWS
164#include <winsock.h>
165#else
166#include OPENSSL_UNISTD
167#endif
168
169#ifdef OPENSSL_SYS_VMS
170# define TEST_SERVER_CERT "SYS$DISK:[-.APPS]SERVER.PEM"
171# define TEST_CLIENT_CERT "SYS$DISK:[-.APPS]CLIENT.PEM"
172#elif defined(OPENSSL_SYS_WINCE)
173# define TEST_SERVER_CERT "\\OpenSSL\\server.pem"
174# define TEST_CLIENT_CERT "\\OpenSSL\\client.pem"
175#elif defined(OPENSSL_SYS_NETWARE)
176# define TEST_SERVER_CERT "\\openssl\\apps\\server.pem"
177# define TEST_CLIENT_CERT "\\openssl\\apps\\client.pem"
178#else
179# define TEST_SERVER_CERT "../apps/server.pem"
180# define TEST_CLIENT_CERT "../apps/client.pem"
181#endif
182
183/* There is really no standard for this, so let's assign some tentative
184 numbers. In any case, these numbers are only for this test */
185#define COMP_RLE 255
186#define COMP_ZLIB 1
187
188static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
189#ifndef OPENSSL_NO_RSA
190static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export,int keylength);
191static void free_tmp_rsa(void);
192#endif
193static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg);
194#define APP_CALLBACK_STRING "Test Callback Argument"
195struct app_verify_arg
196 {
197 char *string;
198 int app_verify;
199 int allow_proxy_certs;
200 char *proxy_auth;
201 char *proxy_cond;
202 };
203
204#ifndef OPENSSL_NO_DH
205static DH *get_dh512(void);
206static DH *get_dh1024(void);
207static DH *get_dh1024dsa(void);
208#endif
209
210static BIO *bio_err=NULL;
211static BIO *bio_stdout=NULL;
212
213static char *cipher=NULL;
214static int verbose=0;
215static int debug=0;
216#if 0
217/* Not used yet. */
218#ifdef FIONBIO
219static int s_nbio=0;
220#endif
221#endif
222
223static const char rnd_seed[] = "string to make the random number generator think it has entropy";
224
225int doit_biopair(SSL *s_ssl,SSL *c_ssl,long bytes,clock_t *s_time,clock_t *c_time);
226int doit(SSL *s_ssl,SSL *c_ssl,long bytes);
227static int do_test_cipherlist(void);
228static void sv_usage(void)
229 {
230 fprintf(stderr,"usage: ssltest [args ...]\n");
231 fprintf(stderr,"\n");
Nagendra Modadugue45f1062009-09-30 11:36:48 -0700[diff] [blame]232#ifdef OPENSSL_FIPS
233 fprintf(stderr,"-F - run test in FIPS mode\n");
234#endif
The Android Open Source Project656d9c72009-03-03 19:30:25 -0800[diff] [blame]235 fprintf(stderr," -server_auth - check server certificate\n");
236 fprintf(stderr," -client_auth - do client authentication\n");
237 fprintf(stderr," -proxy - allow proxy certificates\n");
238 fprintf(stderr," -proxy_auth <val> - set proxy policy rights\n");
239 fprintf(stderr," -proxy_cond <val> - experssion to test proxy policy rights\n");
240 fprintf(stderr," -v - more output\n");
241 fprintf(stderr," -d - debug output\n");
242 fprintf(stderr," -reuse - use session-id reuse\n");
243 fprintf(stderr," -num <val> - number of connections to perform\n");
244 fprintf(stderr," -bytes <val> - number of bytes to swap between client/server\n");
245#ifndef OPENSSL_NO_DH
246 fprintf(stderr," -dhe1024 - use 1024 bit key (safe prime) for DHE\n");
247 fprintf(stderr," -dhe1024dsa - use 1024 bit key (with 160-bit subprime) for DHE\n");
248 fprintf(stderr," -no_dhe - disable DHE\n");
249#endif
250#ifndef OPENSSL_NO_ECDH
251 fprintf(stderr," -no_ecdhe - disable ECDHE\n");
252#endif
253#ifndef OPENSSL_NO_SSL2
254 fprintf(stderr," -ssl2 - use SSLv2\n");
255#endif
256#ifndef OPENSSL_NO_SSL3
257 fprintf(stderr," -ssl3 - use SSLv3\n");
258#endif
259#ifndef OPENSSL_NO_TLS1
260 fprintf(stderr," -tls1 - use TLSv1\n");
261#endif
262 fprintf(stderr," -CApath arg - PEM format directory of CA's\n");
263 fprintf(stderr," -CAfile arg - PEM format file of CA's\n");
264 fprintf(stderr," -cert arg - Server certificate file\n");
265 fprintf(stderr," -key arg - Server key file (default: same as -cert)\n");
266 fprintf(stderr," -c_cert arg - Client certificate file\n");
267 fprintf(stderr," -c_key arg - Client key file (default: same as -c_cert)\n");
268 fprintf(stderr," -cipher arg - The cipher list\n");
269 fprintf(stderr," -bio_pair - Use BIO pairs\n");
270 fprintf(stderr," -f - Test even cases that can't work\n");
271 fprintf(stderr," -time - measure processor time used by client and server\n");
272 fprintf(stderr," -zlib - use zlib compression\n");
273 fprintf(stderr," -rle - use rle compression\n");
274#ifndef OPENSSL_NO_ECDH
275 fprintf(stderr," -named_curve arg - Elliptic curve name to use for ephemeral ECDH keys.\n" \
276 " Use \"openssl ecparam -list_curves\" for all names\n" \
277 " (default is sect163r2).\n");
278#endif
279 fprintf(stderr," -test_cipherlist - verifies the order of the ssl cipher lists\n");
Nagendra Modadugu1fada292009-10-01 11:02:45 -0700[diff] [blame]280 fprintf(stderr," -c_small_records - enable client side use of small SSL record buffers\n");
281 fprintf(stderr," -s_small_records - enable server side use of small SSL record buffers\n");
Nagendra Modadugu8a903422009-10-05 17:41:48 -0700[diff] [blame^]282 fprintf(stderr," -cutthrough - enable 1-RTT full-handshake for strong ciphers\n");
The Android Open Source Project656d9c72009-03-03 19:30:25 -0800[diff] [blame]283 }
284
285static void print_details(SSL *c_ssl, const char *prefix)
286 {
287 SSL_CIPHER *ciph;
288 X509 *cert;
289
290 ciph=SSL_get_current_cipher(c_ssl);
291 BIO_printf(bio_stdout,"%s%s, cipher %s %s",
292 prefix,
293 SSL_get_version(c_ssl),
294 SSL_CIPHER_get_version(ciph),
295 SSL_CIPHER_get_name(ciph));
296 cert=SSL_get_peer_certificate(c_ssl);
297 if (cert != NULL)
298 {
299 EVP_PKEY *pkey = X509_get_pubkey(cert);
300 if (pkey != NULL)
301 {
302 if (0)
303 ;
304#ifndef OPENSSL_NO_RSA
305 else if (pkey->type == EVP_PKEY_RSA && pkey->pkey.rsa != NULL
306 && pkey->pkey.rsa->n != NULL)
307 {
308 BIO_printf(bio_stdout, ", %d bit RSA",
309 BN_num_bits(pkey->pkey.rsa->n));
310 }
311#endif
312#ifndef OPENSSL_NO_DSA
313 else if (pkey->type == EVP_PKEY_DSA && pkey->pkey.dsa != NULL
314 && pkey->pkey.dsa->p != NULL)
315 {
316 BIO_printf(bio_stdout, ", %d bit DSA",
317 BN_num_bits(pkey->pkey.dsa->p));
318 }
319#endif
320 EVP_PKEY_free(pkey);
321 }
322 X509_free(cert);
323 }
324 /* The SSL API does not allow us to look at temporary RSA/DH keys,
325 * otherwise we should print their lengths too */
326 BIO_printf(bio_stdout,"\n");
327 }
328
329static void lock_dbg_cb(int mode, int type, const char *file, int line)
330 {
331 static int modes[CRYPTO_NUM_LOCKS]; /* = {0, 0, ... } */
332 const char *errstr = NULL;
333 int rw;
334
335 rw = mode & (CRYPTO_READ|CRYPTO_WRITE);
336 if (!((rw == CRYPTO_READ) || (rw == CRYPTO_WRITE)))
337 {
338 errstr = "invalid mode";
339 goto err;
340 }
341
342 if (type < 0 || type >= CRYPTO_NUM_LOCKS)
343 {
344 errstr = "type out of bounds";
345 goto err;
346 }
347
348 if (mode & CRYPTO_LOCK)
349 {
350 if (modes[type])
351 {
352 errstr = "already locked";
353 /* must not happen in a single-threaded program
354 * (would deadlock) */
355 goto err;
356 }
357
358 modes[type] = rw;
359 }
360 else if (mode & CRYPTO_UNLOCK)
361 {
362 if (!modes[type])
363 {
364 errstr = "not locked";
365 goto err;
366 }
367
368 if (modes[type] != rw)
369 {
370 errstr = (rw == CRYPTO_READ) ?
371 "CRYPTO_r_unlock on write lock" :
372 "CRYPTO_w_unlock on read lock";
373 }
374
375 modes[type] = 0;
376 }
377 else
378 {
379 errstr = "invalid mode";
380 goto err;
381 }
382
383 err:
384 if (errstr)
385 {
386 /* we cannot use bio_err here */
387 fprintf(stderr, "openssl (lock_dbg_cb): %s (mode=%d, type=%d) at %s:%d\n",
388 errstr, mode, type, file, line);
389 }
390 }
391
392
393int main(int argc, char *argv[])
394 {
395 char *CApath=NULL,*CAfile=NULL;
396 int badop=0;
397 int bio_pair=0;
398 int force=0;
399 int tls1=0,ssl2=0,ssl3=0,ret=1;
400 int client_auth=0;
401 int server_auth=0,i;
402 struct app_verify_arg app_verify_arg =
403 { APP_CALLBACK_STRING, 0, 0, NULL, NULL };
404 char *server_cert=TEST_SERVER_CERT;
405 char *server_key=NULL;
406 char *client_cert=TEST_CLIENT_CERT;
407 char *client_key=NULL;
408#ifndef OPENSSL_NO_ECDH
409 char *named_curve = NULL;
410#endif
411 SSL_CTX *s_ctx=NULL;
412 SSL_CTX *c_ctx=NULL;
413 SSL_METHOD *meth=NULL;
414 SSL *c_ssl,*s_ssl;
415 int number=1,reuse=0;
416 long bytes=256L;
417#ifndef OPENSSL_NO_DH
418 DH *dh;
Nagendra Modadugue45f1062009-09-30 11:36:48 -0700[diff] [blame]419 int dhe1024 = 1, dhe1024dsa = 0;
The Android Open Source Project656d9c72009-03-03 19:30:25 -0800[diff] [blame]420#endif
421#ifndef OPENSSL_NO_ECDH
422 EC_KEY *ecdh = NULL;
423#endif
424 int no_dhe = 0;
425 int no_ecdhe = 0;
426 int print_time = 0;
427 clock_t s_time = 0, c_time = 0;
428 int comp = 0;
429#ifndef OPENSSL_NO_COMP
430 COMP_METHOD *cm = NULL;
431#endif
432 STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
433 int test_cipherlist = 0;
Nagendra Modadugue45f1062009-09-30 11:36:48 -0700[diff] [blame]434#ifdef OPENSSL_FIPS
435 int fips_mode=0;
436#endif
Nagendra Modadugu1fada292009-10-01 11:02:45 -0700[diff] [blame]437 int ssl_mode = 0;
438 int c_small_records=0;
439 int s_small_records=0;
Nagendra Modadugu8a903422009-10-05 17:41:48 -0700[diff] [blame^]440 int cutthrough = 0;
The Android Open Source Project656d9c72009-03-03 19:30:25 -0800[diff] [blame]441
442 verbose = 0;
443 debug = 0;
444 cipher = 0;
445
446 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
447
448 CRYPTO_set_locking_callback(lock_dbg_cb);
449
450 /* enable memory leak checking unless explicitly disabled */
451 if (!((getenv("OPENSSL_DEBUG_MEMORY") != NULL) && (0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off"))))
452 {
453 CRYPTO_malloc_debug_init();
454 CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
455 }
456 else
457 {
458 /* OPENSSL_DEBUG_MEMORY=off */
459 CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0);
460 }
461 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
462
463 RAND_seed(rnd_seed, sizeof rnd_seed);
464
465 bio_stdout=BIO_new_fp(stdout,BIO_NOCLOSE);
466
467 argc--;
468 argv++;
469
470 while (argc >= 1)
471 {
Nagendra Modadugue45f1062009-09-30 11:36:48 -0700[diff] [blame]472 if(!strcmp(*argv,"-F"))
473 {
474#ifdef OPENSSL_FIPS
475 fips_mode=1;
476#else
477 fprintf(stderr,"not compiled with FIPS support, so exitting without running.\n");
478 EXIT(0);
479#endif
480 }
481 else if (strcmp(*argv,"-server_auth") == 0)
The Android Open Source Project656d9c72009-03-03 19:30:25 -0800[diff] [blame]482 server_auth=1;
483 else if (strcmp(*argv,"-client_auth") == 0)
484 client_auth=1;
485 else if (strcmp(*argv,"-proxy_auth") == 0)
486 {
487 if (--argc < 1) goto bad;
488 app_verify_arg.proxy_auth= *(++argv);
489 }
490 else if (strcmp(*argv,"-proxy_cond") == 0)
491 {
492 if (--argc < 1) goto bad;
493 app_verify_arg.proxy_cond= *(++argv);
494 }
495 else if (strcmp(*argv,"-v") == 0)
496 verbose=1;
497 else if (strcmp(*argv,"-d") == 0)
498 debug=1;
499 else if (strcmp(*argv,"-reuse") == 0)
500 reuse=1;
501 else if (strcmp(*argv,"-dhe1024") == 0)
502 {
503#ifndef OPENSSL_NO_DH
504 dhe1024=1;
505#else
506 fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n");
507#endif
508 }
509 else if (strcmp(*argv,"-dhe1024dsa") == 0)
510 {
511#ifndef OPENSSL_NO_DH
512 dhe1024dsa=1;
513#else
514 fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n");
515#endif
516 }
517 else if (strcmp(*argv,"-no_dhe") == 0)
518 no_dhe=1;
519 else if (strcmp(*argv,"-no_ecdhe") == 0)
520 no_ecdhe=1;
521 else if (strcmp(*argv,"-ssl2") == 0)
522 ssl2=1;
523 else if (strcmp(*argv,"-tls1") == 0)
524 tls1=1;
525 else if (strcmp(*argv,"-ssl3") == 0)
526 ssl3=1;
527 else if (strncmp(*argv,"-num",4) == 0)
528 {
529 if (--argc < 1) goto bad;
530 number= atoi(*(++argv));
531 if (number == 0) number=1;
532 }
533 else if (strcmp(*argv,"-bytes") == 0)
534 {
535 if (--argc < 1) goto bad;
536 bytes= atol(*(++argv));
537 if (bytes == 0L) bytes=1L;
538 i=strlen(argv[0]);
539 if (argv[0][i-1] == 'k') bytes*=1024L;
540 if (argv[0][i-1] == 'm') bytes*=1024L*1024L;
541 }
542 else if (strcmp(*argv,"-cert") == 0)
543 {
544 if (--argc < 1) goto bad;
545 server_cert= *(++argv);
546 }
547 else if (strcmp(*argv,"-s_cert") == 0)
548 {
549 if (--argc < 1) goto bad;
550 server_cert= *(++argv);
551 }
552 else if (strcmp(*argv,"-key") == 0)
553 {
554 if (--argc < 1) goto bad;
555 server_key= *(++argv);
556 }
557 else if (strcmp(*argv,"-s_key") == 0)
558 {
559 if (--argc < 1) goto bad;
560 server_key= *(++argv);
561 }
562 else if (strcmp(*argv,"-c_cert") == 0)
563 {
564 if (--argc < 1) goto bad;
565 client_cert= *(++argv);
566 }
567 else if (strcmp(*argv,"-c_key") == 0)
568 {
569 if (--argc < 1) goto bad;
570 client_key= *(++argv);
571 }
572 else if (strcmp(*argv,"-cipher") == 0)
573 {
574 if (--argc < 1) goto bad;
575 cipher= *(++argv);
576 }
577 else if (strcmp(*argv,"-CApath") == 0)
578 {
579 if (--argc < 1) goto bad;
580 CApath= *(++argv);
581 }
582 else if (strcmp(*argv,"-CAfile") == 0)
583 {
584 if (--argc < 1) goto bad;
585 CAfile= *(++argv);
586 }
587 else if (strcmp(*argv,"-bio_pair") == 0)
588 {
589 bio_pair = 1;
590 }
591 else if (strcmp(*argv,"-f") == 0)
592 {
593 force = 1;
594 }
595 else if (strcmp(*argv,"-time") == 0)
596 {
597 print_time = 1;
598 }
599 else if (strcmp(*argv,"-zlib") == 0)
600 {
601 comp = COMP_ZLIB;
602 }
603 else if (strcmp(*argv,"-rle") == 0)
604 {
605 comp = COMP_RLE;
606 }
607 else if (strcmp(*argv,"-named_curve") == 0)
608 {
609 if (--argc < 1) goto bad;
610#ifndef OPENSSL_NO_ECDH
611 named_curve = *(++argv);
612#else
613 fprintf(stderr,"ignoring -named_curve, since I'm compiled without ECDH\n");
614 ++argv;
615#endif
616 }
617 else if (strcmp(*argv,"-app_verify") == 0)
618 {
619 app_verify_arg.app_verify = 1;
620 }
621 else if (strcmp(*argv,"-proxy") == 0)
622 {
623 app_verify_arg.allow_proxy_certs = 1;
624 }
625 else if (strcmp(*argv,"-test_cipherlist") == 0)
626 {
627 test_cipherlist = 1;
628 }
Nagendra Modadugu1fada292009-10-01 11:02:45 -0700[diff] [blame]629 else if (strcmp(*argv, "-c_small_records") == 0)
630 {
631 c_small_records = 1;
632 }
633 else if (strcmp(*argv, "-s_small_records") == 0)
634 {
635 s_small_records = 1;
636 }
Nagendra Modadugu8a903422009-10-05 17:41:48 -0700[diff] [blame^]637 else if (strcmp(*argv, "-cutthrough") == 0)
638 {
639 cutthrough = 1;
640 }
The Android Open Source Project656d9c72009-03-03 19:30:25 -0800[diff] [blame]641 else
642 {
643 fprintf(stderr,"unknown option %s\n",*argv);
644 badop=1;
645 break;
646 }
647 argc--;
648 argv++;
649 }
650 if (badop)
651 {
652bad:
653 sv_usage();
654 goto end;
655 }
656
657 if (test_cipherlist == 1)
658 {
659 /* ensure that the cipher list are correctly sorted and exit */
660 if (do_test_cipherlist() == 0)
661 EXIT(1);
662 ret = 0;
663 goto end;
664 }
665
666 if (!ssl2 && !ssl3 && !tls1 && number > 1 && !reuse && !force)
667 {
668 fprintf(stderr, "This case cannot work. Use -f to perform "
669 "the test anyway (and\n-d to see what happens), "
670 "or add one of -ssl2, -ssl3, -tls1, -reuse\n"
671 "to avoid protocol mismatch.\n");
672 EXIT(1);
673 }
674
Nagendra Modadugue45f1062009-09-30 11:36:48 -0700[diff] [blame]675#ifdef OPENSSL_FIPS
676 if(fips_mode)
677 {
678 if(!FIPS_mode_set(1))
679 {
680 ERR_load_crypto_strings();
681 ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
682 EXIT(1);
683 }
684 else
685 fprintf(stderr,"*** IN FIPS MODE ***\n");
686 }
687#endif
688
The Android Open Source Project656d9c72009-03-03 19:30:25 -0800[diff] [blame]689 if (print_time)
690 {
691 if (!bio_pair)
692 {
693 fprintf(stderr, "Using BIO pair (-bio_pair)\n");
694 bio_pair = 1;
695 }
696 if (number < 50 && !force)
697 fprintf(stderr, "Warning: For accurate timings, use more connections (e.g. -num 1000)\n");
698 }
699
700/* if (cipher == NULL) cipher=getenv("SSL_CIPHER"); */
701
702 SSL_library_init();
703 SSL_load_error_strings();
704
705#ifndef OPENSSL_NO_COMP
706 if (comp == COMP_ZLIB) cm = COMP_zlib();
707 if (comp == COMP_RLE) cm = COMP_rle();
708 if (cm != NULL)
709 {
710 if (cm->type != NID_undef)
711 {
712 if (SSL_COMP_add_compression_method(comp, cm) != 0)
713 {
714 fprintf(stderr,
715 "Failed to add compression method\n");
716 ERR_print_errors_fp(stderr);
717 }
718 }
719 else
720 {
721 fprintf(stderr,
722 "Warning: %s compression not supported\n",
723 (comp == COMP_RLE ? "rle" :
724 (comp == COMP_ZLIB ? "zlib" :
725 "unknown")));
726 ERR_print_errors_fp(stderr);
727 }
728 }
729 ssl_comp_methods = SSL_COMP_get_compression_methods();
730 fprintf(stderr, "Available compression methods:\n");
731 {
732 int j, n = sk_SSL_COMP_num(ssl_comp_methods);
733 if (n == 0)
734 fprintf(stderr, " NONE\n");
735 else
736 for (j = 0; j < n; j++)
737 {
738 SSL_COMP *c = sk_SSL_COMP_value(ssl_comp_methods, j);
739 fprintf(stderr, " %d: %s\n", c->id, c->name);
740 }
741 }
742#endif
743
744#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
745 if (ssl2)
746 meth=SSLv2_method();
747 else
748 if (tls1)
749 meth=TLSv1_method();
750 else
751 if (ssl3)
752 meth=SSLv3_method();
753 else
754 meth=SSLv23_method();
755#else
756#ifdef OPENSSL_NO_SSL2
757 meth=SSLv3_method();
758#else
759 meth=SSLv2_method();
760#endif
761#endif
762
763 c_ctx=SSL_CTX_new(meth);
764 s_ctx=SSL_CTX_new(meth);
765 if ((c_ctx == NULL) || (s_ctx == NULL))
766 {
767 ERR_print_errors(bio_err);
768 goto end;
769 }
770
771 if (cipher != NULL)
772 {
773 SSL_CTX_set_cipher_list(c_ctx,cipher);
774 SSL_CTX_set_cipher_list(s_ctx,cipher);
775 }
776
Nagendra Modadugu1fada292009-10-01 11:02:45 -0700[diff] [blame]777 ssl_mode = 0;
778 if (c_small_records)
779 {
780 ssl_mode = SSL_CTX_get_mode(c_ctx);
781 ssl_mode |= SSL_MODE_SMALL_BUFFERS;
782 SSL_CTX_set_mode(c_ctx, ssl_mode);
783 }
784 ssl_mode = 0;
785 if (s_small_records)
786 {
787 ssl_mode = SSL_CTX_get_mode(s_ctx);
788 ssl_mode |= SSL_MODE_SMALL_BUFFERS;
789 SSL_CTX_set_mode(s_ctx, ssl_mode);
790 }
Nagendra Modadugu8a903422009-10-05 17:41:48 -0700[diff] [blame^]791 ssl_mode = 0;
792 if (cutthrough)
793 {
794 ssl_mode = SSL_CTX_get_mode(c_ctx);
795 ssl_mode = SSL_MODE_HANDSHAKE_CUTTHROUGH;
796 SSL_CTX_set_mode(c_ctx, ssl_mode);
797 }
Nagendra Modadugu1fada292009-10-01 11:02:45 -0700[diff] [blame]798
The Android Open Source Project656d9c72009-03-03 19:30:25 -0800[diff] [blame]799#ifndef OPENSSL_NO_DH
800 if (!no_dhe)
801 {
802 if (dhe1024dsa)
803 {
804 /* use SSL_OP_SINGLE_DH_USE to avoid small subgroup attacks */
805 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);
806 dh=get_dh1024dsa();
807 }
808 else if (dhe1024)
809 dh=get_dh1024();
810 else
811 dh=get_dh512();
812 SSL_CTX_set_tmp_dh(s_ctx,dh);
813 DH_free(dh);
814 }
815#else
816 (void)no_dhe;
817#endif
818
819#ifndef OPENSSL_NO_ECDH
820 if (!no_ecdhe)
821 {
822 int nid;
823
824 if (named_curve != NULL)
825 {
826 nid = OBJ_sn2nid(named_curve);
827 if (nid == 0)
828 {
829 BIO_printf(bio_err, "unknown curve name (%s)\n", named_curve);
830 goto end;
831 }
832 }
833 else
834 nid = NID_sect163r2;
835
836 ecdh = EC_KEY_new_by_curve_name(nid);
837 if (ecdh == NULL)
838 {
839 BIO_printf(bio_err, "unable to create curve\n");
840 goto end;
841 }
842
843 SSL_CTX_set_tmp_ecdh(s_ctx, ecdh);
844 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_ECDH_USE);
845 EC_KEY_free(ecdh);
846 }
847#else
848 (void)no_ecdhe;
849#endif
850
851#ifndef OPENSSL_NO_RSA
852 SSL_CTX_set_tmp_rsa_callback(s_ctx,tmp_rsa_cb);
853#endif
854
855 if (!SSL_CTX_use_certificate_file(s_ctx,server_cert,SSL_FILETYPE_PEM))
856 {
857 ERR_print_errors(bio_err);
858 }
859 else if (!SSL_CTX_use_PrivateKey_file(s_ctx,
860 (server_key?server_key:server_cert), SSL_FILETYPE_PEM))
861 {
862 ERR_print_errors(bio_err);
863 goto end;
864 }
865
866 if (client_auth)
867 {
868 SSL_CTX_use_certificate_file(c_ctx,client_cert,
869 SSL_FILETYPE_PEM);
870 SSL_CTX_use_PrivateKey_file(c_ctx,
871 (client_key?client_key:client_cert),
872 SSL_FILETYPE_PEM);
873 }
874
875 if ( (!SSL_CTX_load_verify_locations(s_ctx,CAfile,CApath)) ||
876 (!SSL_CTX_set_default_verify_paths(s_ctx)) ||
877 (!SSL_CTX_load_verify_locations(c_ctx,CAfile,CApath)) ||
878 (!SSL_CTX_set_default_verify_paths(c_ctx)))
879 {
880 /* fprintf(stderr,"SSL_load_verify_locations\n"); */
881 ERR_print_errors(bio_err);
882 /* goto end; */
883 }
884
885 if (client_auth)
886 {
887 BIO_printf(bio_err,"client authentication\n");
888 SSL_CTX_set_verify(s_ctx,
889 SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
890 verify_callback);
891 SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, &app_verify_arg);
892 }
893 if (server_auth)
894 {
895 BIO_printf(bio_err,"server authentication\n");
896 SSL_CTX_set_verify(c_ctx,SSL_VERIFY_PEER,
897 verify_callback);
898 SSL_CTX_set_cert_verify_callback(c_ctx, app_verify_callback, &app_verify_arg);
899 }
900
901 {
902 int session_id_context = 0;
903 SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context, sizeof session_id_context);
904 }
905
906 c_ssl=SSL_new(c_ctx);
907 s_ssl=SSL_new(s_ctx);
908
909#ifndef OPENSSL_NO_KRB5
910 if (c_ssl && c_ssl->kssl_ctx)
911 {
912 char localhost[MAXHOSTNAMELEN+2];
913
914 if (gethostname(localhost, sizeof localhost-1) == 0)
915 {
916 localhost[sizeof localhost-1]='\0';
917 if(strlen(localhost) == sizeof localhost-1)
918 {
919 BIO_printf(bio_err,"localhost name too long\n");
920 goto end;
921 }
922 kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER,
923 localhost);
924 }
925 }
926#endif /* OPENSSL_NO_KRB5 */
927
928 for (i=0; i<number; i++)
929 {
930 if (!reuse) SSL_set_session(c_ssl,NULL);
931 if (bio_pair)
932 ret=doit_biopair(s_ssl,c_ssl,bytes,&s_time,&c_time);
933 else
934 ret=doit(s_ssl,c_ssl,bytes);
935 }
936
937 if (!verbose)
938 {
939 print_details(c_ssl, "");
940 }
941 if ((number > 1) || (bytes > 1L))
942 BIO_printf(bio_stdout, "%d handshakes of %ld bytes done\n",number,bytes);
943 if (print_time)
944 {
945#ifdef CLOCKS_PER_SEC
946 /* "To determine the time in seconds, the value returned
947 * by the clock function should be divided by the value
948 * of the macro CLOCKS_PER_SEC."
949 * -- ISO/IEC 9899 */
950 BIO_printf(bio_stdout, "Approximate total server time: %6.2f s\n"
951 "Approximate total client time: %6.2f s\n",
952 (double)s_time/CLOCKS_PER_SEC,
953 (double)c_time/CLOCKS_PER_SEC);
954#else
955 /* "`CLOCKS_PER_SEC' undeclared (first use this function)"
956 * -- cc on NeXTstep/OpenStep */
957 BIO_printf(bio_stdout,
958 "Approximate total server time: %6.2f units\n"
959 "Approximate total client time: %6.2f units\n",
960 (double)s_time,
961 (double)c_time);
962#endif
963 }
964
965 SSL_free(s_ssl);
966 SSL_free(c_ssl);
967
968end:
969 if (s_ctx != NULL) SSL_CTX_free(s_ctx);
970 if (c_ctx != NULL) SSL_CTX_free(c_ctx);
971
972 if (bio_stdout != NULL) BIO_free(bio_stdout);
973
974#ifndef OPENSSL_NO_RSA
975 free_tmp_rsa();
976#endif
977#ifndef OPENSSL_NO_ENGINE
978 ENGINE_cleanup();
979#endif
980 CRYPTO_cleanup_all_ex_data();
981 ERR_free_strings();
982 ERR_remove_state(0);
983 EVP_cleanup();
984 CRYPTO_mem_leaks(bio_err);
985 if (bio_err != NULL) BIO_free(bio_err);
986 EXIT(ret);
987 return ret;
988 }
989
990int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count,
991 clock_t *s_time, clock_t *c_time)
992 {
993 long cw_num = count, cr_num = count, sw_num = count, sr_num = count;
994 BIO *s_ssl_bio = NULL, *c_ssl_bio = NULL;
995 BIO *server = NULL, *server_io = NULL, *client = NULL, *client_io = NULL;
996 int ret = 1;
997
998 size_t bufsiz = 256; /* small buffer for testing */
999
1000 if (!BIO_new_bio_pair(&server, bufsiz, &server_io, bufsiz))
1001 goto err;
1002 if (!BIO_new_bio_pair(&client, bufsiz, &client_io, bufsiz))
1003 goto err;
1004
1005 s_ssl_bio = BIO_new(BIO_f_ssl());
1006 if (!s_ssl_bio)
1007 goto err;
1008
1009 c_ssl_bio = BIO_new(BIO_f_ssl());
1010 if (!c_ssl_bio)
1011 goto err;
1012
1013 SSL_set_connect_state(c_ssl);
1014 SSL_set_bio(c_ssl, client, client);
1015 (void)BIO_set_ssl(c_ssl_bio, c_ssl, BIO_NOCLOSE);
1016
1017 SSL_set_accept_state(s_ssl);
1018 SSL_set_bio(s_ssl, server, server);
1019 (void)BIO_set_ssl(s_ssl_bio, s_ssl, BIO_NOCLOSE);
1020
1021 do
1022 {
1023 /* c_ssl_bio: SSL filter BIO
1024 *
1025 * client: pseudo-I/O for SSL library
1026 *
1027 * client_io: client's SSL communication; usually to be
1028 * relayed over some I/O facility, but in this
1029 * test program, we're the server, too:
1030 *
1031 * server_io: server's SSL communication
1032 *
1033 * server: pseudo-I/O for SSL library
1034 *
1035 * s_ssl_bio: SSL filter BIO
1036 *
1037 * The client and the server each employ a "BIO pair":
1038 * client + client_io, server + server_io.
1039 * BIO pairs are symmetric. A BIO pair behaves similar
1040 * to a non-blocking socketpair (but both endpoints must
1041 * be handled by the same thread).
1042 * [Here we could connect client and server to the ends
1043 * of a single BIO pair, but then this code would be less
1044 * suitable as an example for BIO pairs in general.]
1045 *
1046 * Useful functions for querying the state of BIO pair endpoints:
1047 *
1048 * BIO_ctrl_pending(bio) number of bytes we can read now
1049 * BIO_ctrl_get_read_request(bio) number of bytes needed to fulfil
1050 * other side's read attempt
1051 * BIO_ctrl_get_write_guarantee(bio) number of bytes we can write now
1052 *
1053 * ..._read_request is never more than ..._write_guarantee;
1054 * it depends on the application which one you should use.
1055 */
1056
1057 /* We have non-blocking behaviour throughout this test program, but
1058 * can be sure that there is *some* progress in each iteration; so
1059 * we don't have to worry about ..._SHOULD_READ or ..._SHOULD_WRITE
1060 * -- we just try everything in each iteration
1061 */
1062
1063 {
1064 /* CLIENT */
1065
1066 MS_STATIC char cbuf[1024*8];
1067 int i, r;
1068 clock_t c_clock = clock();
1069
1070 memset(cbuf, 0, sizeof(cbuf));
1071
1072 if (debug)
1073 if (SSL_in_init(c_ssl))
1074 printf("client waiting in SSL_connect - %s\n",
1075 SSL_state_string_long(c_ssl));
1076
1077 if (cw_num > 0)
1078 {
1079 /* Write to server. */
1080
1081 if (cw_num > (long)sizeof cbuf)
1082 i = sizeof cbuf;
1083 else
1084 i = (int)cw_num;
1085 r = BIO_write(c_ssl_bio, cbuf, i);
1086 if (r < 0)
1087 {
1088 if (!BIO_should_retry(c_ssl_bio))
1089 {
1090 fprintf(stderr,"ERROR in CLIENT\n");
1091 goto err;
1092 }
1093 /* BIO_should_retry(...) can just be ignored here.
1094 * The library expects us to call BIO_write with
1095 * the same arguments again, and that's what we will
1096 * do in the next iteration. */
1097 }
1098 else if (r == 0)
1099 {
1100 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1101 goto err;
1102 }
1103 else
1104 {
1105 if (debug)
1106 printf("client wrote %d\n", r);
1107 cw_num -= r;
1108 }
1109 }
1110
1111 if (cr_num > 0)
1112 {
1113 /* Read from server. */
1114
1115 r = BIO_read(c_ssl_bio, cbuf, sizeof(cbuf));
1116 if (r < 0)
1117 {
1118 if (!BIO_should_retry(c_ssl_bio))
1119 {
1120 fprintf(stderr,"ERROR in CLIENT\n");
1121 goto err;
1122 }
1123 /* Again, "BIO_should_retry" can be ignored. */
1124 }
1125 else if (r == 0)
1126 {
1127 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1128 goto err;
1129 }
1130 else
1131 {
1132 if (debug)
1133 printf("client read %d\n", r);
1134 cr_num -= r;
1135 }
1136 }
1137
1138 /* c_time and s_time increments will typically be very small
1139 * (depending on machine speed and clock tick intervals),
1140 * but sampling over a large number of connections should
1141 * result in fairly accurate figures. We cannot guarantee
1142 * a lot, however -- if each connection lasts for exactly
1143 * one clock tick, it will be counted only for the client
1144 * or only for the server or even not at all.
1145 */
1146 *c_time += (clock() - c_clock);
1147 }
1148
1149 {
1150 /* SERVER */
1151
1152 MS_STATIC char sbuf[1024*8];
1153 int i, r;
1154 clock_t s_clock = clock();
1155
1156 memset(sbuf, 0, sizeof(sbuf));
1157
1158 if (debug)
1159 if (SSL_in_init(s_ssl))
1160 printf("server waiting in SSL_accept - %s\n",
1161 SSL_state_string_long(s_ssl));
1162
1163 if (sw_num > 0)
1164 {
1165 /* Write to client. */
1166
1167 if (sw_num > (long)sizeof sbuf)
1168 i = sizeof sbuf;
1169 else
1170 i = (int)sw_num;
1171 r = BIO_write(s_ssl_bio, sbuf, i);
1172 if (r < 0)
1173 {
1174 if (!BIO_should_retry(s_ssl_bio))
1175 {
1176 fprintf(stderr,"ERROR in SERVER\n");
1177 goto err;
1178 }
1179 /* Ignore "BIO_should_retry". */
1180 }
1181 else if (r == 0)
1182 {
1183 fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
1184 goto err;
1185 }
1186 else
1187 {
1188 if (debug)
1189 printf("server wrote %d\n", r);
1190 sw_num -= r;
1191 }
1192 }
1193
1194 if (sr_num > 0)
1195 {
1196 /* Read from client. */
1197
1198 r = BIO_read(s_ssl_bio, sbuf, sizeof(sbuf));
1199 if (r < 0)
1200 {
1201 if (!BIO_should_retry(s_ssl_bio))
1202 {
1203 fprintf(stderr,"ERROR in SERVER\n");
1204 goto err;
1205 }
1206 /* blah, blah */
1207 }
1208 else if (r == 0)
1209 {
1210 fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
1211 goto err;
1212 }
1213 else
1214 {
1215 if (debug)
1216 printf("server read %d\n", r);
1217 sr_num -= r;
1218 }
1219 }
1220
1221 *s_time += (clock() - s_clock);
1222 }
1223
1224 {
1225 /* "I/O" BETWEEN CLIENT AND SERVER. */
1226
1227 size_t r1, r2;
1228 BIO *io1 = server_io, *io2 = client_io;
1229 /* we use the non-copying interface for io1
1230 * and the standard BIO_write/BIO_read interface for io2
1231 */
1232
1233 static int prev_progress = 1;
1234 int progress = 0;
1235
1236 /* io1 to io2 */
1237 do
1238 {
1239 size_t num;
1240 int r;
1241
1242 r1 = BIO_ctrl_pending(io1);
1243 r2 = BIO_ctrl_get_write_guarantee(io2);
1244
1245 num = r1;
1246 if (r2 < num)
1247 num = r2;
1248 if (num)
1249 {
1250 char *dataptr;
1251
1252 if (INT_MAX < num) /* yeah, right */
1253 num = INT_MAX;
1254
1255 r = BIO_nread(io1, &dataptr, (int)num);
1256 assert(r > 0);
1257 assert(r <= (int)num);
1258 /* possibly r < num (non-contiguous data) */
1259 num = r;
1260 r = BIO_write(io2, dataptr, (int)num);
1261 if (r != (int)num) /* can't happen */
1262 {
1263 fprintf(stderr, "ERROR: BIO_write could not write "
1264 "BIO_ctrl_get_write_guarantee() bytes");
1265 goto err;
1266 }
1267 progress = 1;
1268
1269 if (debug)
1270 printf((io1 == client_io) ?
1271 "C->S relaying: %d bytes\n" :
1272 "S->C relaying: %d bytes\n",
1273 (int)num);
1274 }
1275 }
1276 while (r1 && r2);
1277
1278 /* io2 to io1 */
1279 {
1280 size_t num;
1281 int r;
1282
1283 r1 = BIO_ctrl_pending(io2);
1284 r2 = BIO_ctrl_get_read_request(io1);
1285 /* here we could use ..._get_write_guarantee instead of
1286 * ..._get_read_request, but by using the latter
1287 * we test restartability of the SSL implementation
1288 * more thoroughly */
1289 num = r1;
1290 if (r2 < num)
1291 num = r2;
1292 if (num)
1293 {
1294 char *dataptr;
1295
1296 if (INT_MAX < num)
1297 num = INT_MAX;
1298
1299 if (num > 1)
1300 --num; /* test restartability even more thoroughly */
1301
1302 r = BIO_nwrite0(io1, &dataptr);
1303 assert(r > 0);
1304 if (r < (int)num)
1305 num = r;
1306 r = BIO_read(io2, dataptr, (int)num);
1307 if (r != (int)num) /* can't happen */
1308 {
1309 fprintf(stderr, "ERROR: BIO_read could not read "
1310 "BIO_ctrl_pending() bytes");
1311 goto err;
1312 }
1313 progress = 1;
1314 r = BIO_nwrite(io1, &dataptr, (int)num);
1315 if (r != (int)num) /* can't happen */
1316 {
1317 fprintf(stderr, "ERROR: BIO_nwrite() did not accept "
1318 "BIO_nwrite0() bytes");
1319 goto err;
1320 }
1321
1322 if (debug)
1323 printf((io2 == client_io) ?
1324 "C->S relaying: %d bytes\n" :
1325 "S->C relaying: %d bytes\n",
1326 (int)num);
1327 }
1328 } /* no loop, BIO_ctrl_get_read_request now returns 0 anyway */
1329
1330 if (!progress && !prev_progress)
1331 if (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0)
1332 {
1333 fprintf(stderr, "ERROR: got stuck\n");
1334 if (strcmp("SSLv2", SSL_get_version(c_ssl)) == 0)
1335 {
1336 fprintf(stderr, "This can happen for SSL2 because "
1337 "CLIENT-FINISHED and SERVER-VERIFY are written \n"
1338 "concurrently ...");
1339 if (strncmp("2SCF", SSL_state_string(c_ssl), 4) == 0
1340 && strncmp("2SSV", SSL_state_string(s_ssl), 4) == 0)
1341 {
1342 fprintf(stderr, " ok.\n");
1343 goto end;
1344 }
1345 }
1346 fprintf(stderr, " ERROR.\n");
1347 goto err;
1348 }
1349 prev_progress = progress;
1350 }
1351 }
1352 while (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0);
1353
1354 if (verbose)
1355 print_details(c_ssl, "DONE via BIO pair: ");
1356end:
1357 ret = 0;
1358
1359 err:
1360 ERR_print_errors(bio_err);
1361
1362 if (server)
1363 BIO_free(server);
1364 if (server_io)
1365 BIO_free(server_io);
1366 if (client)
1367 BIO_free(client);
1368 if (client_io)
1369 BIO_free(client_io);
1370 if (s_ssl_bio)
1371 BIO_free(s_ssl_bio);
1372 if (c_ssl_bio)
1373 BIO_free(c_ssl_bio);
1374
1375 return ret;
1376 }
1377
1378
1379#define W_READ 1
1380#define W_WRITE 2
1381#define C_DONE 1
1382#define S_DONE 2
1383
1384int doit(SSL *s_ssl, SSL *c_ssl, long count)
1385 {
1386 MS_STATIC char cbuf[1024*8],sbuf[1024*8];
1387 long cw_num=count,cr_num=count;
1388 long sw_num=count,sr_num=count;
1389 int ret=1;
1390 BIO *c_to_s=NULL;
1391 BIO *s_to_c=NULL;
1392 BIO *c_bio=NULL;
1393 BIO *s_bio=NULL;
1394 int c_r,c_w,s_r,s_w;
1395 int c_want,s_want;
1396 int i,j;
1397 int done=0;
1398 int c_write,s_write;
1399 int do_server=0,do_client=0;
1400
1401 memset(cbuf,0,sizeof(cbuf));
1402 memset(sbuf,0,sizeof(sbuf));
1403
1404 c_to_s=BIO_new(BIO_s_mem());
1405 s_to_c=BIO_new(BIO_s_mem());
1406 if ((s_to_c == NULL) || (c_to_s == NULL))
1407 {
1408 ERR_print_errors(bio_err);
1409 goto err;
1410 }
1411
1412 c_bio=BIO_new(BIO_f_ssl());
1413 s_bio=BIO_new(BIO_f_ssl());
1414 if ((c_bio == NULL) || (s_bio == NULL))
1415 {
1416 ERR_print_errors(bio_err);
1417 goto err;
1418 }
1419
1420 SSL_set_connect_state(c_ssl);
1421 SSL_set_bio(c_ssl,s_to_c,c_to_s);
1422 BIO_set_ssl(c_bio,c_ssl,BIO_NOCLOSE);
1423
1424 SSL_set_accept_state(s_ssl);
1425 SSL_set_bio(s_ssl,c_to_s,s_to_c);
1426 BIO_set_ssl(s_bio,s_ssl,BIO_NOCLOSE);
1427
1428 c_r=0; s_r=1;
1429 c_w=1; s_w=0;
1430 c_want=W_WRITE;
1431 s_want=0;
1432 c_write=1,s_write=0;
1433
1434 /* We can always do writes */
1435 for (;;)
1436 {
1437 do_server=0;
1438 do_client=0;
1439
1440 i=(int)BIO_pending(s_bio);
1441 if ((i && s_r) || s_w) do_server=1;
1442
1443 i=(int)BIO_pending(c_bio);
1444 if ((i && c_r) || c_w) do_client=1;
1445
1446 if (do_server && debug)
1447 {
1448 if (SSL_in_init(s_ssl))
1449 printf("server waiting in SSL_accept - %s\n",
1450 SSL_state_string_long(s_ssl));
1451/* else if (s_write)
1452 printf("server:SSL_write()\n");
1453 else
1454 printf("server:SSL_read()\n"); */
1455 }
1456
1457 if (do_client && debug)
1458 {
1459 if (SSL_in_init(c_ssl))
1460 printf("client waiting in SSL_connect - %s\n",
1461 SSL_state_string_long(c_ssl));
1462/* else if (c_write)
1463 printf("client:SSL_write()\n");
1464 else
1465 printf("client:SSL_read()\n"); */
1466 }
1467
1468 if (!do_client && !do_server)
1469 {
1470 fprintf(stdout,"ERROR IN STARTUP\n");
1471 ERR_print_errors(bio_err);
1472 break;
1473 }
1474 if (do_client && !(done & C_DONE))
1475 {
1476 if (c_write)
1477 {
1478 j = (cw_num > (long)sizeof(cbuf)) ?
1479 (int)sizeof(cbuf) : (int)cw_num;
1480 i=BIO_write(c_bio,cbuf,j);
1481 if (i < 0)
1482 {
1483 c_r=0;
1484 c_w=0;
1485 if (BIO_should_retry(c_bio))
1486 {
1487 if (BIO_should_read(c_bio))
1488 c_r=1;
1489 if (BIO_should_write(c_bio))
1490 c_w=1;
1491 }
1492 else
1493 {
1494 fprintf(stderr,"ERROR in CLIENT\n");
1495 ERR_print_errors(bio_err);
1496 goto err;
1497 }
1498 }
1499 else if (i == 0)
1500 {
1501 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1502 goto err;
1503 }
1504 else
1505 {
1506 if (debug)
1507 printf("client wrote %d\n",i);
1508 /* ok */
1509 s_r=1;
1510 c_write=0;
1511 cw_num-=i;
1512 }
1513 }
1514 else
1515 {
1516 i=BIO_read(c_bio,cbuf,sizeof(cbuf));
1517 if (i < 0)
1518 {
1519 c_r=0;
1520 c_w=0;
1521 if (BIO_should_retry(c_bio))
1522 {
1523 if (BIO_should_read(c_bio))
1524 c_r=1;
1525 if (BIO_should_write(c_bio))
1526 c_w=1;
1527 }
1528 else
1529 {
1530 fprintf(stderr,"ERROR in CLIENT\n");
1531 ERR_print_errors(bio_err);
1532 goto err;
1533 }
1534 }
1535 else if (i == 0)
1536 {
1537 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1538 goto err;
1539 }
1540 else
1541 {
1542 if (debug)
1543 printf("client read %d\n",i);
1544 cr_num-=i;
1545 if (sw_num > 0)
1546 {
1547 s_write=1;
1548 s_w=1;
1549 }
1550 if (cr_num <= 0)
1551 {
1552 s_write=1;
1553 s_w=1;
1554 done=S_DONE|C_DONE;
1555 }
1556 }
1557 }
1558 }
1559
1560 if (do_server && !(done & S_DONE))
1561 {
1562 if (!s_write)
1563 {
1564 i=BIO_read(s_bio,sbuf,sizeof(cbuf));
1565 if (i < 0)
1566 {
1567 s_r=0;
1568 s_w=0;
1569 if (BIO_should_retry(s_bio))
1570 {
1571 if (BIO_should_read(s_bio))
1572 s_r=1;
1573 if (BIO_should_write(s_bio))
1574 s_w=1;
1575 }
1576 else
1577 {
1578 fprintf(stderr,"ERROR in SERVER\n");
1579 ERR_print_errors(bio_err);
1580 goto err;
1581 }
1582 }
1583 else if (i == 0)
1584 {
1585 ERR_print_errors(bio_err);
1586 fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_read\n");
1587 goto err;
1588 }
1589 else
1590 {
1591 if (debug)
1592 printf("server read %d\n",i);
1593 sr_num-=i;
1594 if (cw_num > 0)
1595 {
1596 c_write=1;
1597 c_w=1;
1598 }
1599 if (sr_num <= 0)
1600 {
1601 s_write=1;
1602 s_w=1;
1603 c_write=0;
1604 }
1605 }
1606 }
1607 else
1608 {
1609 j = (sw_num > (long)sizeof(sbuf)) ?
1610 (int)sizeof(sbuf) : (int)sw_num;
1611 i=BIO_write(s_bio,sbuf,j);
1612 if (i < 0)
1613 {
1614 s_r=0;
1615 s_w=0;
1616 if (BIO_should_retry(s_bio))
1617 {
1618 if (BIO_should_read(s_bio))
1619 s_r=1;
1620 if (BIO_should_write(s_bio))
1621 s_w=1;
1622 }
1623 else
1624 {
1625 fprintf(stderr,"ERROR in SERVER\n");
1626 ERR_print_errors(bio_err);
1627 goto err;
1628 }
1629 }
1630 else if (i == 0)
1631 {
1632 ERR_print_errors(bio_err);
1633 fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_write\n");
1634 goto err;
1635 }
1636 else
1637 {
1638 if (debug)
1639 printf("server wrote %d\n",i);
1640 sw_num-=i;
1641 s_write=0;
1642 c_r=1;
1643 if (sw_num <= 0)
1644 done|=S_DONE;
1645 }
1646 }
1647 }
1648
1649 if ((done & S_DONE) && (done & C_DONE)) break;
1650 }
1651
1652 if (verbose)
1653 print_details(c_ssl, "DONE: ");
1654 ret=0;
1655err:
1656 /* We have to set the BIO's to NULL otherwise they will be
1657 * OPENSSL_free()ed twice. Once when th s_ssl is SSL_free()ed and
1658 * again when c_ssl is SSL_free()ed.
1659 * This is a hack required because s_ssl and c_ssl are sharing the same
1660 * BIO structure and SSL_set_bio() and SSL_free() automatically
1661 * BIO_free non NULL entries.
1662 * You should not normally do this or be required to do this */
1663 if (s_ssl != NULL)
1664 {
1665 s_ssl->rbio=NULL;
1666 s_ssl->wbio=NULL;
1667 }
1668 if (c_ssl != NULL)
1669 {
1670 c_ssl->rbio=NULL;
1671 c_ssl->wbio=NULL;
1672 }
1673
1674 if (c_to_s != NULL) BIO_free(c_to_s);
1675 if (s_to_c != NULL) BIO_free(s_to_c);
1676 if (c_bio != NULL) BIO_free_all(c_bio);
1677 if (s_bio != NULL) BIO_free_all(s_bio);
1678 return(ret);
1679 }
1680
1681static int get_proxy_auth_ex_data_idx(void)
1682 {
1683 static volatile int idx = -1;
1684 if (idx < 0)
1685 {
1686 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
1687 if (idx < 0)
1688 {
1689 idx = X509_STORE_CTX_get_ex_new_index(0,
1690 "SSLtest for verify callback", NULL,NULL,NULL);
1691 }
1692 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
1693 }
1694 return idx;
1695 }
1696
1697static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
1698 {
1699 char *s,buf[256];
1700
1701 s=X509_NAME_oneline(X509_get_subject_name(ctx->current_cert),buf,
1702 sizeof buf);
1703 if (s != NULL)
1704 {
1705 if (ok)
1706 fprintf(stderr,"depth=%d %s\n",
1707 ctx->error_depth,buf);
1708 else
1709 {
1710 fprintf(stderr,"depth=%d error=%d %s\n",
1711 ctx->error_depth,ctx->error,buf);
1712 }
1713 }
1714
1715 if (ok == 0)
1716 {
1717 fprintf(stderr,"Error string: %s\n",
1718 X509_verify_cert_error_string(ctx->error));
1719 switch (ctx->error)
1720 {
1721 case X509_V_ERR_CERT_NOT_YET_VALID:
1722 case X509_V_ERR_CERT_HAS_EXPIRED:
1723 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
1724 fprintf(stderr," ... ignored.\n");
1725 ok=1;
1726 }
1727 }
1728
1729 if (ok == 1)
1730 {
1731 X509 *xs = ctx->current_cert;
1732#if 0
1733 X509 *xi = ctx->current_issuer;
1734#endif
1735
1736 if (xs->ex_flags & EXFLAG_PROXY)
1737 {
1738 unsigned int *letters =
1739 X509_STORE_CTX_get_ex_data(ctx,
1740 get_proxy_auth_ex_data_idx());
1741
1742 if (letters)
1743 {
1744 int found_any = 0;
1745 int i;
1746 PROXY_CERT_INFO_EXTENSION *pci =
1747 X509_get_ext_d2i(xs, NID_proxyCertInfo,
1748 NULL, NULL);
1749
1750 switch (OBJ_obj2nid(pci->proxyPolicy->policyLanguage))
1751 {
1752 case NID_Independent:
1753 /* Completely meaningless in this
1754 program, as there's no way to
1755 grant explicit rights to a
1756 specific PrC. Basically, using
1757 id-ppl-Independent is the perfect
1758 way to grant no rights at all. */
1759 fprintf(stderr, " Independent proxy certificate");
1760 for (i = 0; i < 26; i++)
1761 letters[i] = 0;
1762 break;
1763 case NID_id_ppl_inheritAll:
1764 /* This is basically a NOP, we
1765 simply let the current rights
1766 stand as they are. */
1767 fprintf(stderr, " Proxy certificate inherits all");
1768 break;
1769 default:
1770 s = (char *)
1771 pci->proxyPolicy->policy->data;
1772 i = pci->proxyPolicy->policy->length;
1773
1774 /* The algorithm works as follows:
1775 it is assumed that previous
1776 iterations or the initial granted
1777 rights has already set some elements
1778 of `letters'. What we need to do is
1779 to clear those that weren't granted
1780 by the current PrC as well. The
1781 easiest way to do this is to add 1
1782 to all the elements whose letters
1783 are given with the current policy.
1784 That way, all elements that are set
1785 by the current policy and were
1786 already set by earlier policies and
1787 through the original grant of rights
1788 will get the value 2 or higher.
1789 The last thing to do is to sweep
1790 through `letters' and keep the
1791 elements having the value 2 as set,
1792 and clear all the others. */
1793
1794 fprintf(stderr, " Certificate proxy rights = %*.*s", i, i, s);
1795 while(i-- > 0)
1796 {
1797 int c = *s++;
1798 if (isascii(c) && isalpha(c))
1799 {
1800 if (islower(c))
1801 c = toupper(c);
1802 letters[c - 'A']++;
1803 }
1804 }
1805 for (i = 0; i < 26; i++)
1806 if (letters[i] < 2)
1807 letters[i] = 0;
1808 else
1809 letters[i] = 1;
1810 }
1811
1812 found_any = 0;
1813 fprintf(stderr,
1814 ", resulting proxy rights = ");
1815 for(i = 0; i < 26; i++)
1816 if (letters[i])
1817 {
1818 fprintf(stderr, "%c", i + 'A');
1819 found_any = 1;
1820 }
1821 if (!found_any)
1822 fprintf(stderr, "none");
1823 fprintf(stderr, "\n");
1824
1825 PROXY_CERT_INFO_EXTENSION_free(pci);
1826 }
1827 }
1828 }
1829
1830 return(ok);
1831 }
1832
1833static void process_proxy_debug(int indent, const char *format, ...)
1834 {
1835 static const char indentation[] =
1836 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
1837 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"; /* That's 80 > */
1838 char my_format[256];
1839 va_list args;
1840
1841 BIO_snprintf(my_format, sizeof(my_format), "%*.*s %s",
1842 indent, indent, indentation, format);
1843
1844 va_start(args, format);
1845 vfprintf(stderr, my_format, args);
1846 va_end(args);
1847 }
1848/* Priority levels:
1849 0 [!]var, ()
1850 1 & ^
1851 2 |
1852*/
1853static int process_proxy_cond_adders(unsigned int letters[26],
1854 const char *cond, const char **cond_end, int *pos, int indent);
1855static int process_proxy_cond_val(unsigned int letters[26],
1856 const char *cond, const char **cond_end, int *pos, int indent)
1857 {
1858 int c;
1859 int ok = 1;
1860 int negate = 0;
1861
1862 while(isspace((int)*cond))
1863 {
1864 cond++; (*pos)++;
1865 }
1866 c = *cond;
1867
1868 if (debug)
1869 process_proxy_debug(indent,
1870 "Start process_proxy_cond_val at position %d: %s\n",
1871 *pos, cond);
1872
1873 while(c == '!')
1874 {
1875 negate = !negate;
1876 cond++; (*pos)++;
1877 while(isspace((int)*cond))
1878 {
1879 cond++; (*pos)++;
1880 }
1881 c = *cond;
1882 }
1883
1884 if (c == '(')
1885 {
1886 cond++; (*pos)++;
1887 ok = process_proxy_cond_adders(letters, cond, cond_end, pos,
1888 indent + 1);
1889 cond = *cond_end;
1890 if (ok < 0)
1891 goto end;
1892 while(isspace((int)*cond))
1893 {
1894 cond++; (*pos)++;
1895 }
1896 c = *cond;
1897 if (c != ')')
1898 {
1899 fprintf(stderr,
1900 "Weird condition character in position %d: "
1901 "%c\n", *pos, c);
1902 ok = -1;
1903 goto end;
1904 }
1905 cond++; (*pos)++;
1906 }
1907 else if (isascii(c) && isalpha(c))
1908 {
1909 if (islower(c))
1910 c = toupper(c);
1911 ok = letters[c - 'A'];
1912 cond++; (*pos)++;
1913 }
1914 else
1915 {
1916 fprintf(stderr,
1917 "Weird condition character in position %d: "
1918 "%c\n", *pos, c);
1919 ok = -1;
1920 goto end;
1921 }
1922 end:
1923 *cond_end = cond;
1924 if (ok >= 0 && negate)
1925 ok = !ok;
1926
1927 if (debug)
1928 process_proxy_debug(indent,
1929 "End process_proxy_cond_val at position %d: %s, returning %d\n",
1930 *pos, cond, ok);
1931
1932 return ok;
1933 }
1934static int process_proxy_cond_multipliers(unsigned int letters[26],
1935 const char *cond, const char **cond_end, int *pos, int indent)
1936 {
1937 int ok;
1938 char c;
1939
1940 if (debug)
1941 process_proxy_debug(indent,
1942 "Start process_proxy_cond_multipliers at position %d: %s\n",
1943 *pos, cond);
1944
1945 ok = process_proxy_cond_val(letters, cond, cond_end, pos, indent + 1);
1946 cond = *cond_end;
1947 if (ok < 0)
1948 goto end;
1949
1950 while(ok >= 0)
1951 {
1952 while(isspace((int)*cond))
1953 {
1954 cond++; (*pos)++;
1955 }
1956 c = *cond;
1957
1958 switch(c)
1959 {
1960 case '&':
1961 case '^':
1962 {
1963 int save_ok = ok;
1964
1965 cond++; (*pos)++;
1966 ok = process_proxy_cond_val(letters,
1967 cond, cond_end, pos, indent + 1);
1968 cond = *cond_end;
1969 if (ok < 0)
1970 break;
1971
1972 switch(c)
1973 {
1974 case '&':
1975 ok &= save_ok;
1976 break;
1977 case '^':
1978 ok ^= save_ok;
1979 break;
1980 default:
1981 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
1982 " STOPPING\n");
1983 EXIT(1);
1984 }
1985 }
1986 break;
1987 default:
1988 goto end;
1989 }
1990 }
1991 end:
1992 if (debug)
1993 process_proxy_debug(indent,
1994 "End process_proxy_cond_multipliers at position %d: %s, returning %d\n",
1995 *pos, cond, ok);
1996
1997 *cond_end = cond;
1998 return ok;
1999 }
2000static int process_proxy_cond_adders(unsigned int letters[26],
2001 const char *cond, const char **cond_end, int *pos, int indent)
2002 {
2003 int ok;
2004 char c;
2005
2006 if (debug)
2007 process_proxy_debug(indent,
2008 "Start process_proxy_cond_adders at position %d: %s\n",
2009 *pos, cond);
2010
2011 ok = process_proxy_cond_multipliers(letters, cond, cond_end, pos,
2012 indent + 1);
2013 cond = *cond_end;
2014 if (ok < 0)
2015 goto end;
2016
2017 while(ok >= 0)
2018 {
2019 while(isspace((int)*cond))
2020 {
2021 cond++; (*pos)++;
2022 }
2023 c = *cond;
2024
2025 switch(c)
2026 {
2027 case '|':
2028 {
2029 int save_ok = ok;
2030
2031 cond++; (*pos)++;
2032 ok = process_proxy_cond_multipliers(letters,
2033 cond, cond_end, pos, indent + 1);
2034 cond = *cond_end;
2035 if (ok < 0)
2036 break;
2037
2038 switch(c)
2039 {
2040 case '|':
2041 ok |= save_ok;
2042 break;
2043 default:
2044 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
2045 " STOPPING\n");
2046 EXIT(1);
2047 }
2048 }
2049 break;
2050 default:
2051 goto end;
2052 }
2053 }
2054 end:
2055 if (debug)
2056 process_proxy_debug(indent,
2057 "End process_proxy_cond_adders at position %d: %s, returning %d\n",
2058 *pos, cond, ok);
2059
2060 *cond_end = cond;
2061 return ok;
2062 }
2063
2064static int process_proxy_cond(unsigned int letters[26],
2065 const char *cond, const char **cond_end)
2066 {
2067 int pos = 1;
2068 return process_proxy_cond_adders(letters, cond, cond_end, &pos, 1);
2069 }
2070
2071static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg)
2072 {
2073 int ok=1;
2074 struct app_verify_arg *cb_arg = arg;
2075 unsigned int letters[26]; /* only used with proxy_auth */
2076
2077 if (cb_arg->app_verify)
2078 {
2079 char *s = NULL,buf[256];
2080
2081 fprintf(stderr, "In app_verify_callback, allowing cert. ");
2082 fprintf(stderr, "Arg is: %s\n", cb_arg->string);
2083 fprintf(stderr, "Finished printing do we have a context? 0x%p a cert? 0x%p\n",
2084 (void *)ctx, (void *)ctx->cert);
2085 if (ctx->cert)
2086 s=X509_NAME_oneline(X509_get_subject_name(ctx->cert),buf,256);
2087 if (s != NULL)
2088 {
2089 fprintf(stderr,"cert depth=%d %s\n",ctx->error_depth,buf);
2090 }
2091 return(1);
2092 }
2093 if (cb_arg->proxy_auth)
2094 {
2095 int found_any = 0, i;
2096 char *sp;
2097
2098 for(i = 0; i < 26; i++)
2099 letters[i] = 0;
2100 for(sp = cb_arg->proxy_auth; *sp; sp++)
2101 {
2102 int c = *sp;
2103 if (isascii(c) && isalpha(c))
2104 {
2105 if (islower(c))
2106 c = toupper(c);
2107 letters[c - 'A'] = 1;
2108 }
2109 }
2110
2111 fprintf(stderr,
2112 " Initial proxy rights = ");
2113 for(i = 0; i < 26; i++)
2114 if (letters[i])
2115 {
2116 fprintf(stderr, "%c", i + 'A');
2117 found_any = 1;
2118 }
2119 if (!found_any)
2120 fprintf(stderr, "none");
2121 fprintf(stderr, "\n");
2122
2123 X509_STORE_CTX_set_ex_data(ctx,
2124 get_proxy_auth_ex_data_idx(),letters);
2125 }
2126 if (cb_arg->allow_proxy_certs)
2127 {
2128 X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
2129 }
2130
2131#ifndef OPENSSL_NO_X509_VERIFY
The Android Open Source Project656d9c72009-03-03 19:30:25 -0800[diff] [blame]2132 ok = X509_verify_cert(ctx);
The Android Open Source Project656d9c72009-03-03 19:30:25 -0800[diff] [blame]2133#endif
2134
2135 if (cb_arg->proxy_auth)
2136 {
2137 if (ok > 0)
2138 {
2139 const char *cond_end = NULL;
2140
2141 ok = process_proxy_cond(letters,
2142 cb_arg->proxy_cond, &cond_end);
2143
2144 if (ok < 0)
2145 EXIT(3);
2146 if (*cond_end)
2147 {
2148 fprintf(stderr, "Stopped processing condition before it's end.\n");
2149 ok = 0;
2150 }
2151 if (!ok)
2152 fprintf(stderr, "Proxy rights check with condition '%s' proved invalid\n",
2153 cb_arg->proxy_cond);
2154 else
2155 fprintf(stderr, "Proxy rights check with condition '%s' proved valid\n",
2156 cb_arg->proxy_cond);
2157 }
2158 }
2159 return(ok);
2160 }
2161
2162#ifndef OPENSSL_NO_RSA
2163static RSA *rsa_tmp=NULL;
2164
2165static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength)
2166 {
2167 BIGNUM *bn = NULL;
2168 if (rsa_tmp == NULL)
2169 {
2170 bn = BN_new();
2171 rsa_tmp = RSA_new();
2172 if(!bn || !rsa_tmp || !BN_set_word(bn, RSA_F4))
2173 {
2174 BIO_printf(bio_err, "Memory error...");
2175 goto end;
2176 }
2177 BIO_printf(bio_err,"Generating temp (%d bit) RSA key...",keylength);
2178 (void)BIO_flush(bio_err);
2179 if(!RSA_generate_key_ex(rsa_tmp,keylength,bn,NULL))
2180 {
2181 BIO_printf(bio_err, "Error generating key.");
2182 RSA_free(rsa_tmp);
2183 rsa_tmp = NULL;
2184 }
2185end:
2186 BIO_printf(bio_err,"\n");
2187 (void)BIO_flush(bio_err);
2188 }
2189 if(bn) BN_free(bn);
2190 return(rsa_tmp);
2191 }
2192
2193static void free_tmp_rsa(void)
2194 {
2195 if (rsa_tmp != NULL)
2196 {
2197 RSA_free(rsa_tmp);
2198 rsa_tmp = NULL;
2199 }
2200 }
2201#endif
2202
2203#ifndef OPENSSL_NO_DH
2204/* These DH parameters have been generated as follows:
2205 * $ openssl dhparam -C -noout 512
2206 * $ openssl dhparam -C -noout 1024
2207 * $ openssl dhparam -C -noout -dsaparam 1024
2208 * (The third function has been renamed to avoid name conflicts.)
2209 */
2210static DH *get_dh512()
2211 {
2212 static unsigned char dh512_p[]={
2213 0xCB,0xC8,0xE1,0x86,0xD0,0x1F,0x94,0x17,0xA6,0x99,0xF0,0xC6,
2214 0x1F,0x0D,0xAC,0xB6,0x25,0x3E,0x06,0x39,0xCA,0x72,0x04,0xB0,
2215 0x6E,0xDA,0xC0,0x61,0xE6,0x7A,0x77,0x25,0xE8,0x3B,0xB9,0x5F,
2216 0x9A,0xB6,0xB5,0xFE,0x99,0x0B,0xA1,0x93,0x4E,0x35,0x33,0xB8,
2217 0xE1,0xF1,0x13,0x4F,0x59,0x1A,0xD2,0x57,0xC0,0x26,0x21,0x33,
2218 0x02,0xC5,0xAE,0x23,
2219 };
2220 static unsigned char dh512_g[]={
2221 0x02,
2222 };
2223 DH *dh;
2224
2225 if ((dh=DH_new()) == NULL) return(NULL);
2226 dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
2227 dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
2228 if ((dh->p == NULL) || (dh->g == NULL))
2229 { DH_free(dh); return(NULL); }
2230 return(dh);
2231 }
2232
2233static DH *get_dh1024()
2234 {
2235 static unsigned char dh1024_p[]={
2236 0xF8,0x81,0x89,0x7D,0x14,0x24,0xC5,0xD1,0xE6,0xF7,0xBF,0x3A,
2237 0xE4,0x90,0xF4,0xFC,0x73,0xFB,0x34,0xB5,0xFA,0x4C,0x56,0xA2,
2238 0xEA,0xA7,0xE9,0xC0,0xC0,0xCE,0x89,0xE1,0xFA,0x63,0x3F,0xB0,
2239 0x6B,0x32,0x66,0xF1,0xD1,0x7B,0xB0,0x00,0x8F,0xCA,0x87,0xC2,
2240 0xAE,0x98,0x89,0x26,0x17,0xC2,0x05,0xD2,0xEC,0x08,0xD0,0x8C,
2241 0xFF,0x17,0x52,0x8C,0xC5,0x07,0x93,0x03,0xB1,0xF6,0x2F,0xB8,
2242 0x1C,0x52,0x47,0x27,0x1B,0xDB,0xD1,0x8D,0x9D,0x69,0x1D,0x52,
2243 0x4B,0x32,0x81,0xAA,0x7F,0x00,0xC8,0xDC,0xE6,0xD9,0xCC,0xC1,
2244 0x11,0x2D,0x37,0x34,0x6C,0xEA,0x02,0x97,0x4B,0x0E,0xBB,0xB1,
2245 0x71,0x33,0x09,0x15,0xFD,0xDD,0x23,0x87,0x07,0x5E,0x89,0xAB,
2246 0x6B,0x7C,0x5F,0xEC,0xA6,0x24,0xDC,0x53,
2247 };
2248 static unsigned char dh1024_g[]={
2249 0x02,
2250 };
2251 DH *dh;
2252
2253 if ((dh=DH_new()) == NULL) return(NULL);
2254 dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
2255 dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
2256 if ((dh->p == NULL) || (dh->g == NULL))
2257 { DH_free(dh); return(NULL); }
2258 return(dh);
2259 }
2260
2261static DH *get_dh1024dsa()
2262 {
2263 static unsigned char dh1024_p[]={
2264 0xC8,0x00,0xF7,0x08,0x07,0x89,0x4D,0x90,0x53,0xF3,0xD5,0x00,
2265 0x21,0x1B,0xF7,0x31,0xA6,0xA2,0xDA,0x23,0x9A,0xC7,0x87,0x19,
2266 0x3B,0x47,0xB6,0x8C,0x04,0x6F,0xFF,0xC6,0x9B,0xB8,0x65,0xD2,
2267 0xC2,0x5F,0x31,0x83,0x4A,0xA7,0x5F,0x2F,0x88,0x38,0xB6,0x55,
2268 0xCF,0xD9,0x87,0x6D,0x6F,0x9F,0xDA,0xAC,0xA6,0x48,0xAF,0xFC,
2269 0x33,0x84,0x37,0x5B,0x82,0x4A,0x31,0x5D,0xE7,0xBD,0x52,0x97,
2270 0xA1,0x77,0xBF,0x10,0x9E,0x37,0xEA,0x64,0xFA,0xCA,0x28,0x8D,
2271 0x9D,0x3B,0xD2,0x6E,0x09,0x5C,0x68,0xC7,0x45,0x90,0xFD,0xBB,
2272 0x70,0xC9,0x3A,0xBB,0xDF,0xD4,0x21,0x0F,0xC4,0x6A,0x3C,0xF6,
2273 0x61,0xCF,0x3F,0xD6,0x13,0xF1,0x5F,0xBC,0xCF,0xBC,0x26,0x9E,
2274 0xBC,0x0B,0xBD,0xAB,0x5D,0xC9,0x54,0x39,
2275 };
2276 static unsigned char dh1024_g[]={
2277 0x3B,0x40,0x86,0xE7,0xF3,0x6C,0xDE,0x67,0x1C,0xCC,0x80,0x05,
2278 0x5A,0xDF,0xFE,0xBD,0x20,0x27,0x74,0x6C,0x24,0xC9,0x03,0xF3,
2279 0xE1,0x8D,0xC3,0x7D,0x98,0x27,0x40,0x08,0xB8,0x8C,0x6A,0xE9,
2280 0xBB,0x1A,0x3A,0xD6,0x86,0x83,0x5E,0x72,0x41,0xCE,0x85,0x3C,
2281 0xD2,0xB3,0xFC,0x13,0xCE,0x37,0x81,0x9E,0x4C,0x1C,0x7B,0x65,
2282 0xD3,0xE6,0xA6,0x00,0xF5,0x5A,0x95,0x43,0x5E,0x81,0xCF,0x60,
2283 0xA2,0x23,0xFC,0x36,0xA7,0x5D,0x7A,0x4C,0x06,0x91,0x6E,0xF6,
2284 0x57,0xEE,0x36,0xCB,0x06,0xEA,0xF5,0x3D,0x95,0x49,0xCB,0xA7,
2285 0xDD,0x81,0xDF,0x80,0x09,0x4A,0x97,0x4D,0xA8,0x22,0x72,0xA1,
2286 0x7F,0xC4,0x70,0x56,0x70,0xE8,0x20,0x10,0x18,0x8F,0x2E,0x60,
2287 0x07,0xE7,0x68,0x1A,0x82,0x5D,0x32,0xA2,
2288 };
2289 DH *dh;
2290
2291 if ((dh=DH_new()) == NULL) return(NULL);
2292 dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
2293 dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
2294 if ((dh->p == NULL) || (dh->g == NULL))
2295 { DH_free(dh); return(NULL); }
2296 dh->length = 160;
2297 return(dh);
2298 }
2299#endif
2300
2301static int do_test_cipherlist(void)
2302 {
2303 int i = 0;
2304 const SSL_METHOD *meth;
2305 SSL_CIPHER *ci, *tci = NULL;
2306
2307#ifndef OPENSSL_NO_SSL2
2308 fprintf(stderr, "testing SSLv2 cipher list order: ");
2309 meth = SSLv2_method();
2310 while ((ci = meth->get_cipher(i++)) != NULL)
2311 {
2312 if (tci != NULL)
2313 if (ci->id >= tci->id)
2314 {
2315 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2316 return 0;
2317 }
2318 tci = ci;
2319 }
2320 fprintf(stderr, "ok\n");
2321#endif
2322#ifndef OPENSSL_NO_SSL3
2323 fprintf(stderr, "testing SSLv3 cipher list order: ");
2324 meth = SSLv3_method();
2325 tci = NULL;
2326 while ((ci = meth->get_cipher(i++)) != NULL)
2327 {
2328 if (tci != NULL)
2329 if (ci->id >= tci->id)
2330 {
2331 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2332 return 0;
2333 }
2334 tci = ci;
2335 }
2336 fprintf(stderr, "ok\n");
2337#endif
2338#ifndef OPENSSL_NO_TLS1
2339 fprintf(stderr, "testing TLSv1 cipher list order: ");
2340 meth = TLSv1_method();
2341 tci = NULL;
2342 while ((ci = meth->get_cipher(i++)) != NULL)
2343 {
2344 if (tci != NULL)
2345 if (ci->id >= tci->id)
2346 {
2347 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2348 return 0;
2349 }
2350 tci = ci;
2351 }
2352 fprintf(stderr, "ok\n");
2353#endif
2354
2355 return 1;
2356 }