Gitiles
Code Review Sign In
gerrit-public.fairphone.software / fp2-dev / platform / external / openssl / f2ee5ff35ed7f2d8743bf56059a1d6d88a2383c3 / . / ssl / ssltest.c
blob: 09d350246f549e0c9f94e578c7d5e4a6cb48c4cb [file] [log] [blame]
The Android Open Source Project656d9c72009-03-03 19:30:25 -0800[diff] [blame]1/* ssl/ssltest.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111/* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 * ECC cipher suite support in OpenSSL originally developed by
114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
115 */
116
117#define _BSD_SOURCE 1 /* Or gethostname won't be declared properly
118 on Linux and GNU platforms. */
119
120#include <assert.h>
121#include <errno.h>
122#include <limits.h>
123#include <stdio.h>
124#include <stdlib.h>
125#include <string.h>
126#include <time.h>
127
128#define USE_SOCKETS
129#include "e_os.h"
130
131#define _XOPEN_SOURCE 500 /* Or isascii won't be declared properly on
132 VMS (at least with DECompHP C). */
133#include <ctype.h>
134
135#include <openssl/bio.h>
136#include <openssl/crypto.h>
137#include <openssl/evp.h>
138#include <openssl/x509.h>
139#include <openssl/x509v3.h>
140#include <openssl/ssl.h>
141#ifndef OPENSSL_NO_ENGINE
142#include <openssl/engine.h>
143#endif
144#include <openssl/err.h>
145#include <openssl/rand.h>
146#ifndef OPENSSL_NO_RSA
147#include <openssl/rsa.h>
148#endif
149#ifndef OPENSSL_NO_DSA
150#include <openssl/dsa.h>
151#endif
152#ifndef OPENSSL_NO_DH
153#include <openssl/dh.h>
154#endif
155#include <openssl/bn.h>
156
157#define _XOPEN_SOURCE_EXTENDED 1 /* Or gethostname won't be declared properly
158 on Compaq platforms (at least with DEC C).
159 Do not try to put it earlier, or IPv6 includes
160 get screwed...
161 */
162
163#ifdef OPENSSL_SYS_WINDOWS
164#include <winsock.h>
165#else
166#include OPENSSL_UNISTD
167#endif
168
169#ifdef OPENSSL_SYS_VMS
170# define TEST_SERVER_CERT "SYS$DISK:[-.APPS]SERVER.PEM"
171# define TEST_CLIENT_CERT "SYS$DISK:[-.APPS]CLIENT.PEM"
172#elif defined(OPENSSL_SYS_WINCE)
173# define TEST_SERVER_CERT "\\OpenSSL\\server.pem"
174# define TEST_CLIENT_CERT "\\OpenSSL\\client.pem"
175#elif defined(OPENSSL_SYS_NETWARE)
176# define TEST_SERVER_CERT "\\openssl\\apps\\server.pem"
177# define TEST_CLIENT_CERT "\\openssl\\apps\\client.pem"
178#else
179# define TEST_SERVER_CERT "../apps/server.pem"
180# define TEST_CLIENT_CERT "../apps/client.pem"
181#endif
182
183/* There is really no standard for this, so let's assign some tentative
184 numbers. In any case, these numbers are only for this test */
185#define COMP_RLE 255
186#define COMP_ZLIB 1
187
188static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
189#ifndef OPENSSL_NO_RSA
190static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export,int keylength);
191static void free_tmp_rsa(void);
192#endif
193static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg);
194#define APP_CALLBACK_STRING "Test Callback Argument"
195struct app_verify_arg
196 {
197 char *string;
198 int app_verify;
199 int allow_proxy_certs;
200 char *proxy_auth;
201 char *proxy_cond;
202 };
203
204#ifndef OPENSSL_NO_DH
205static DH *get_dh512(void);
206static DH *get_dh1024(void);
207static DH *get_dh1024dsa(void);
208#endif
209
210static BIO *bio_err=NULL;
211static BIO *bio_stdout=NULL;
212
213static char *cipher=NULL;
214static int verbose=0;
215static int debug=0;
216#if 0
217/* Not used yet. */
218#ifdef FIONBIO
219static int s_nbio=0;
220#endif
221#endif
222
223static const char rnd_seed[] = "string to make the random number generator think it has entropy";
224
225int doit_biopair(SSL *s_ssl,SSL *c_ssl,long bytes,clock_t *s_time,clock_t *c_time);
226int doit(SSL *s_ssl,SSL *c_ssl,long bytes);
227static int do_test_cipherlist(void);
228static void sv_usage(void)
229 {
230 fprintf(stderr,"usage: ssltest [args ...]\n");
231 fprintf(stderr,"\n");
Nagendra Modadugue45f1062009-09-30 11:36:48 -0700[diff] [blame]232#ifdef OPENSSL_FIPS
233 fprintf(stderr,"-F - run test in FIPS mode\n");
234#endif
The Android Open Source Project656d9c72009-03-03 19:30:25 -0800[diff] [blame]235 fprintf(stderr," -server_auth - check server certificate\n");
236 fprintf(stderr," -client_auth - do client authentication\n");
237 fprintf(stderr," -proxy - allow proxy certificates\n");
238 fprintf(stderr," -proxy_auth <val> - set proxy policy rights\n");
239 fprintf(stderr," -proxy_cond <val> - experssion to test proxy policy rights\n");
240 fprintf(stderr," -v - more output\n");
241 fprintf(stderr," -d - debug output\n");
242 fprintf(stderr," -reuse - use session-id reuse\n");
243 fprintf(stderr," -num <val> - number of connections to perform\n");
244 fprintf(stderr," -bytes <val> - number of bytes to swap between client/server\n");
245#ifndef OPENSSL_NO_DH
246 fprintf(stderr," -dhe1024 - use 1024 bit key (safe prime) for DHE\n");
247 fprintf(stderr," -dhe1024dsa - use 1024 bit key (with 160-bit subprime) for DHE\n");
248 fprintf(stderr," -no_dhe - disable DHE\n");
249#endif
250#ifndef OPENSSL_NO_ECDH
251 fprintf(stderr," -no_ecdhe - disable ECDHE\n");
252#endif
253#ifndef OPENSSL_NO_SSL2
254 fprintf(stderr," -ssl2 - use SSLv2\n");
255#endif
256#ifndef OPENSSL_NO_SSL3
257 fprintf(stderr," -ssl3 - use SSLv3\n");
258#endif
259#ifndef OPENSSL_NO_TLS1
260 fprintf(stderr," -tls1 - use TLSv1\n");
261#endif
262 fprintf(stderr," -CApath arg - PEM format directory of CA's\n");
263 fprintf(stderr," -CAfile arg - PEM format file of CA's\n");
264 fprintf(stderr," -cert arg - Server certificate file\n");
265 fprintf(stderr," -key arg - Server key file (default: same as -cert)\n");
266 fprintf(stderr," -c_cert arg - Client certificate file\n");
267 fprintf(stderr," -c_key arg - Client key file (default: same as -c_cert)\n");
268 fprintf(stderr," -cipher arg - The cipher list\n");
269 fprintf(stderr," -bio_pair - Use BIO pairs\n");
270 fprintf(stderr," -f - Test even cases that can't work\n");
271 fprintf(stderr," -time - measure processor time used by client and server\n");
272 fprintf(stderr," -zlib - use zlib compression\n");
273 fprintf(stderr," -rle - use rle compression\n");
274#ifndef OPENSSL_NO_ECDH
275 fprintf(stderr," -named_curve arg - Elliptic curve name to use for ephemeral ECDH keys.\n" \
276 " Use \"openssl ecparam -list_curves\" for all names\n" \
277 " (default is sect163r2).\n");
278#endif
279 fprintf(stderr," -test_cipherlist - verifies the order of the ssl cipher lists\n");
Nagendra Modadugu1fada292009-10-01 11:02:45 -0700[diff] [blame]280 fprintf(stderr," -c_small_records - enable client side use of small SSL record buffers\n");
281 fprintf(stderr," -s_small_records - enable server side use of small SSL record buffers\n");
The Android Open Source Project656d9c72009-03-03 19:30:25 -0800[diff] [blame]282 }
283
284static void print_details(SSL *c_ssl, const char *prefix)
285 {
286 SSL_CIPHER *ciph;
287 X509 *cert;
288
289 ciph=SSL_get_current_cipher(c_ssl);
290 BIO_printf(bio_stdout,"%s%s, cipher %s %s",
291 prefix,
292 SSL_get_version(c_ssl),
293 SSL_CIPHER_get_version(ciph),
294 SSL_CIPHER_get_name(ciph));
295 cert=SSL_get_peer_certificate(c_ssl);
296 if (cert != NULL)
297 {
298 EVP_PKEY *pkey = X509_get_pubkey(cert);
299 if (pkey != NULL)
300 {
301 if (0)
302 ;
303#ifndef OPENSSL_NO_RSA
304 else if (pkey->type == EVP_PKEY_RSA && pkey->pkey.rsa != NULL
305 && pkey->pkey.rsa->n != NULL)
306 {
307 BIO_printf(bio_stdout, ", %d bit RSA",
308 BN_num_bits(pkey->pkey.rsa->n));
309 }
310#endif
311#ifndef OPENSSL_NO_DSA
312 else if (pkey->type == EVP_PKEY_DSA && pkey->pkey.dsa != NULL
313 && pkey->pkey.dsa->p != NULL)
314 {
315 BIO_printf(bio_stdout, ", %d bit DSA",
316 BN_num_bits(pkey->pkey.dsa->p));
317 }
318#endif
319 EVP_PKEY_free(pkey);
320 }
321 X509_free(cert);
322 }
323 /* The SSL API does not allow us to look at temporary RSA/DH keys,
324 * otherwise we should print their lengths too */
325 BIO_printf(bio_stdout,"\n");
326 }
327
328static void lock_dbg_cb(int mode, int type, const char *file, int line)
329 {
330 static int modes[CRYPTO_NUM_LOCKS]; /* = {0, 0, ... } */
331 const char *errstr = NULL;
332 int rw;
333
334 rw = mode & (CRYPTO_READ|CRYPTO_WRITE);
335 if (!((rw == CRYPTO_READ) || (rw == CRYPTO_WRITE)))
336 {
337 errstr = "invalid mode";
338 goto err;
339 }
340
341 if (type < 0 || type >= CRYPTO_NUM_LOCKS)
342 {
343 errstr = "type out of bounds";
344 goto err;
345 }
346
347 if (mode & CRYPTO_LOCK)
348 {
349 if (modes[type])
350 {
351 errstr = "already locked";
352 /* must not happen in a single-threaded program
353 * (would deadlock) */
354 goto err;
355 }
356
357 modes[type] = rw;
358 }
359 else if (mode & CRYPTO_UNLOCK)
360 {
361 if (!modes[type])
362 {
363 errstr = "not locked";
364 goto err;
365 }
366
367 if (modes[type] != rw)
368 {
369 errstr = (rw == CRYPTO_READ) ?
370 "CRYPTO_r_unlock on write lock" :
371 "CRYPTO_w_unlock on read lock";
372 }
373
374 modes[type] = 0;
375 }
376 else
377 {
378 errstr = "invalid mode";
379 goto err;
380 }
381
382 err:
383 if (errstr)
384 {
385 /* we cannot use bio_err here */
386 fprintf(stderr, "openssl (lock_dbg_cb): %s (mode=%d, type=%d) at %s:%d\n",
387 errstr, mode, type, file, line);
388 }
389 }
390
391
392int main(int argc, char *argv[])
393 {
394 char *CApath=NULL,*CAfile=NULL;
395 int badop=0;
396 int bio_pair=0;
397 int force=0;
398 int tls1=0,ssl2=0,ssl3=0,ret=1;
399 int client_auth=0;
400 int server_auth=0,i;
401 struct app_verify_arg app_verify_arg =
402 { APP_CALLBACK_STRING, 0, 0, NULL, NULL };
403 char *server_cert=TEST_SERVER_CERT;
404 char *server_key=NULL;
405 char *client_cert=TEST_CLIENT_CERT;
406 char *client_key=NULL;
407#ifndef OPENSSL_NO_ECDH
408 char *named_curve = NULL;
409#endif
410 SSL_CTX *s_ctx=NULL;
411 SSL_CTX *c_ctx=NULL;
412 SSL_METHOD *meth=NULL;
413 SSL *c_ssl,*s_ssl;
414 int number=1,reuse=0;
415 long bytes=256L;
416#ifndef OPENSSL_NO_DH
417 DH *dh;
Nagendra Modadugue45f1062009-09-30 11:36:48 -0700[diff] [blame]418 int dhe1024 = 1, dhe1024dsa = 0;
The Android Open Source Project656d9c72009-03-03 19:30:25 -0800[diff] [blame]419#endif
420#ifndef OPENSSL_NO_ECDH
421 EC_KEY *ecdh = NULL;
422#endif
423 int no_dhe = 0;
424 int no_ecdhe = 0;
425 int print_time = 0;
426 clock_t s_time = 0, c_time = 0;
427 int comp = 0;
428#ifndef OPENSSL_NO_COMP
429 COMP_METHOD *cm = NULL;
430#endif
431 STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
432 int test_cipherlist = 0;
Nagendra Modadugue45f1062009-09-30 11:36:48 -0700[diff] [blame]433#ifdef OPENSSL_FIPS
434 int fips_mode=0;
435#endif
Nagendra Modadugu1fada292009-10-01 11:02:45 -0700[diff] [blame]436 int ssl_mode = 0;
437 int c_small_records=0;
438 int s_small_records=0;
The Android Open Source Project656d9c72009-03-03 19:30:25 -0800[diff] [blame]439
440 verbose = 0;
441 debug = 0;
442 cipher = 0;
443
444 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
445
446 CRYPTO_set_locking_callback(lock_dbg_cb);
447
448 /* enable memory leak checking unless explicitly disabled */
449 if (!((getenv("OPENSSL_DEBUG_MEMORY") != NULL) && (0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off"))))
450 {
451 CRYPTO_malloc_debug_init();
452 CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
453 }
454 else
455 {
456 /* OPENSSL_DEBUG_MEMORY=off */
457 CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0);
458 }
459 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
460
461 RAND_seed(rnd_seed, sizeof rnd_seed);
462
463 bio_stdout=BIO_new_fp(stdout,BIO_NOCLOSE);
464
465 argc--;
466 argv++;
467
468 while (argc >= 1)
469 {
Nagendra Modadugue45f1062009-09-30 11:36:48 -0700[diff] [blame]470 if(!strcmp(*argv,"-F"))
471 {
472#ifdef OPENSSL_FIPS
473 fips_mode=1;
474#else
475 fprintf(stderr,"not compiled with FIPS support, so exitting without running.\n");
476 EXIT(0);
477#endif
478 }
479 else if (strcmp(*argv,"-server_auth") == 0)
The Android Open Source Project656d9c72009-03-03 19:30:25 -0800[diff] [blame]480 server_auth=1;
481 else if (strcmp(*argv,"-client_auth") == 0)
482 client_auth=1;
483 else if (strcmp(*argv,"-proxy_auth") == 0)
484 {
485 if (--argc < 1) goto bad;
486 app_verify_arg.proxy_auth= *(++argv);
487 }
488 else if (strcmp(*argv,"-proxy_cond") == 0)
489 {
490 if (--argc < 1) goto bad;
491 app_verify_arg.proxy_cond= *(++argv);
492 }
493 else if (strcmp(*argv,"-v") == 0)
494 verbose=1;
495 else if (strcmp(*argv,"-d") == 0)
496 debug=1;
497 else if (strcmp(*argv,"-reuse") == 0)
498 reuse=1;
499 else if (strcmp(*argv,"-dhe1024") == 0)
500 {
501#ifndef OPENSSL_NO_DH
502 dhe1024=1;
503#else
504 fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n");
505#endif
506 }
507 else if (strcmp(*argv,"-dhe1024dsa") == 0)
508 {
509#ifndef OPENSSL_NO_DH
510 dhe1024dsa=1;
511#else
512 fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n");
513#endif
514 }
515 else if (strcmp(*argv,"-no_dhe") == 0)
516 no_dhe=1;
517 else if (strcmp(*argv,"-no_ecdhe") == 0)
518 no_ecdhe=1;
519 else if (strcmp(*argv,"-ssl2") == 0)
520 ssl2=1;
521 else if (strcmp(*argv,"-tls1") == 0)
522 tls1=1;
523 else if (strcmp(*argv,"-ssl3") == 0)
524 ssl3=1;
525 else if (strncmp(*argv,"-num",4) == 0)
526 {
527 if (--argc < 1) goto bad;
528 number= atoi(*(++argv));
529 if (number == 0) number=1;
530 }
531 else if (strcmp(*argv,"-bytes") == 0)
532 {
533 if (--argc < 1) goto bad;
534 bytes= atol(*(++argv));
535 if (bytes == 0L) bytes=1L;
536 i=strlen(argv[0]);
537 if (argv[0][i-1] == 'k') bytes*=1024L;
538 if (argv[0][i-1] == 'm') bytes*=1024L*1024L;
539 }
540 else if (strcmp(*argv,"-cert") == 0)
541 {
542 if (--argc < 1) goto bad;
543 server_cert= *(++argv);
544 }
545 else if (strcmp(*argv,"-s_cert") == 0)
546 {
547 if (--argc < 1) goto bad;
548 server_cert= *(++argv);
549 }
550 else if (strcmp(*argv,"-key") == 0)
551 {
552 if (--argc < 1) goto bad;
553 server_key= *(++argv);
554 }
555 else if (strcmp(*argv,"-s_key") == 0)
556 {
557 if (--argc < 1) goto bad;
558 server_key= *(++argv);
559 }
560 else if (strcmp(*argv,"-c_cert") == 0)
561 {
562 if (--argc < 1) goto bad;
563 client_cert= *(++argv);
564 }
565 else if (strcmp(*argv,"-c_key") == 0)
566 {
567 if (--argc < 1) goto bad;
568 client_key= *(++argv);
569 }
570 else if (strcmp(*argv,"-cipher") == 0)
571 {
572 if (--argc < 1) goto bad;
573 cipher= *(++argv);
574 }
575 else if (strcmp(*argv,"-CApath") == 0)
576 {
577 if (--argc < 1) goto bad;
578 CApath= *(++argv);
579 }
580 else if (strcmp(*argv,"-CAfile") == 0)
581 {
582 if (--argc < 1) goto bad;
583 CAfile= *(++argv);
584 }
585 else if (strcmp(*argv,"-bio_pair") == 0)
586 {
587 bio_pair = 1;
588 }
589 else if (strcmp(*argv,"-f") == 0)
590 {
591 force = 1;
592 }
593 else if (strcmp(*argv,"-time") == 0)
594 {
595 print_time = 1;
596 }
597 else if (strcmp(*argv,"-zlib") == 0)
598 {
599 comp = COMP_ZLIB;
600 }
601 else if (strcmp(*argv,"-rle") == 0)
602 {
603 comp = COMP_RLE;
604 }
605 else if (strcmp(*argv,"-named_curve") == 0)
606 {
607 if (--argc < 1) goto bad;
608#ifndef OPENSSL_NO_ECDH
609 named_curve = *(++argv);
610#else
611 fprintf(stderr,"ignoring -named_curve, since I'm compiled without ECDH\n");
612 ++argv;
613#endif
614 }
615 else if (strcmp(*argv,"-app_verify") == 0)
616 {
617 app_verify_arg.app_verify = 1;
618 }
619 else if (strcmp(*argv,"-proxy") == 0)
620 {
621 app_verify_arg.allow_proxy_certs = 1;
622 }
623 else if (strcmp(*argv,"-test_cipherlist") == 0)
624 {
625 test_cipherlist = 1;
626 }
Nagendra Modadugu1fada292009-10-01 11:02:45 -0700[diff] [blame]627 else if (strcmp(*argv, "-c_small_records") == 0)
628 {
629 c_small_records = 1;
630 }
631 else if (strcmp(*argv, "-s_small_records") == 0)
632 {
633 s_small_records = 1;
634 }
The Android Open Source Project656d9c72009-03-03 19:30:25 -0800[diff] [blame]635 else
636 {
637 fprintf(stderr,"unknown option %s\n",*argv);
638 badop=1;
639 break;
640 }
641 argc--;
642 argv++;
643 }
644 if (badop)
645 {
646bad:
647 sv_usage();
648 goto end;
649 }
650
651 if (test_cipherlist == 1)
652 {
653 /* ensure that the cipher list are correctly sorted and exit */
654 if (do_test_cipherlist() == 0)
655 EXIT(1);
656 ret = 0;
657 goto end;
658 }
659
660 if (!ssl2 && !ssl3 && !tls1 && number > 1 && !reuse && !force)
661 {
662 fprintf(stderr, "This case cannot work. Use -f to perform "
663 "the test anyway (and\n-d to see what happens), "
664 "or add one of -ssl2, -ssl3, -tls1, -reuse\n"
665 "to avoid protocol mismatch.\n");
666 EXIT(1);
667 }
668
Nagendra Modadugue45f1062009-09-30 11:36:48 -0700[diff] [blame]669#ifdef OPENSSL_FIPS
670 if(fips_mode)
671 {
672 if(!FIPS_mode_set(1))
673 {
674 ERR_load_crypto_strings();
675 ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
676 EXIT(1);
677 }
678 else
679 fprintf(stderr,"*** IN FIPS MODE ***\n");
680 }
681#endif
682
The Android Open Source Project656d9c72009-03-03 19:30:25 -0800[diff] [blame]683 if (print_time)
684 {
685 if (!bio_pair)
686 {
687 fprintf(stderr, "Using BIO pair (-bio_pair)\n");
688 bio_pair = 1;
689 }
690 if (number < 50 && !force)
691 fprintf(stderr, "Warning: For accurate timings, use more connections (e.g. -num 1000)\n");
692 }
693
694/* if (cipher == NULL) cipher=getenv("SSL_CIPHER"); */
695
696 SSL_library_init();
697 SSL_load_error_strings();
698
699#ifndef OPENSSL_NO_COMP
700 if (comp == COMP_ZLIB) cm = COMP_zlib();
701 if (comp == COMP_RLE) cm = COMP_rle();
702 if (cm != NULL)
703 {
704 if (cm->type != NID_undef)
705 {
706 if (SSL_COMP_add_compression_method(comp, cm) != 0)
707 {
708 fprintf(stderr,
709 "Failed to add compression method\n");
710 ERR_print_errors_fp(stderr);
711 }
712 }
713 else
714 {
715 fprintf(stderr,
716 "Warning: %s compression not supported\n",
717 (comp == COMP_RLE ? "rle" :
718 (comp == COMP_ZLIB ? "zlib" :
719 "unknown")));
720 ERR_print_errors_fp(stderr);
721 }
722 }
723 ssl_comp_methods = SSL_COMP_get_compression_methods();
724 fprintf(stderr, "Available compression methods:\n");
725 {
726 int j, n = sk_SSL_COMP_num(ssl_comp_methods);
727 if (n == 0)
728 fprintf(stderr, " NONE\n");
729 else
730 for (j = 0; j < n; j++)
731 {
732 SSL_COMP *c = sk_SSL_COMP_value(ssl_comp_methods, j);
733 fprintf(stderr, " %d: %s\n", c->id, c->name);
734 }
735 }
736#endif
737
738#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
739 if (ssl2)
740 meth=SSLv2_method();
741 else
742 if (tls1)
743 meth=TLSv1_method();
744 else
745 if (ssl3)
746 meth=SSLv3_method();
747 else
748 meth=SSLv23_method();
749#else
750#ifdef OPENSSL_NO_SSL2
751 meth=SSLv3_method();
752#else
753 meth=SSLv2_method();
754#endif
755#endif
756
757 c_ctx=SSL_CTX_new(meth);
758 s_ctx=SSL_CTX_new(meth);
759 if ((c_ctx == NULL) || (s_ctx == NULL))
760 {
761 ERR_print_errors(bio_err);
762 goto end;
763 }
764
765 if (cipher != NULL)
766 {
767 SSL_CTX_set_cipher_list(c_ctx,cipher);
768 SSL_CTX_set_cipher_list(s_ctx,cipher);
769 }
770
Nagendra Modadugu1fada292009-10-01 11:02:45 -0700[diff] [blame]771 ssl_mode = 0;
772 if (c_small_records)
773 {
774 ssl_mode = SSL_CTX_get_mode(c_ctx);
775 ssl_mode |= SSL_MODE_SMALL_BUFFERS;
776 SSL_CTX_set_mode(c_ctx, ssl_mode);
777 }
778 ssl_mode = 0;
779 if (s_small_records)
780 {
781 ssl_mode = SSL_CTX_get_mode(s_ctx);
782 ssl_mode |= SSL_MODE_SMALL_BUFFERS;
783 SSL_CTX_set_mode(s_ctx, ssl_mode);
784 }
785
The Android Open Source Project656d9c72009-03-03 19:30:25 -0800[diff] [blame]786#ifndef OPENSSL_NO_DH
787 if (!no_dhe)
788 {
789 if (dhe1024dsa)
790 {
791 /* use SSL_OP_SINGLE_DH_USE to avoid small subgroup attacks */
792 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);
793 dh=get_dh1024dsa();
794 }
795 else if (dhe1024)
796 dh=get_dh1024();
797 else
798 dh=get_dh512();
799 SSL_CTX_set_tmp_dh(s_ctx,dh);
800 DH_free(dh);
801 }
802#else
803 (void)no_dhe;
804#endif
805
806#ifndef OPENSSL_NO_ECDH
807 if (!no_ecdhe)
808 {
809 int nid;
810
811 if (named_curve != NULL)
812 {
813 nid = OBJ_sn2nid(named_curve);
814 if (nid == 0)
815 {
816 BIO_printf(bio_err, "unknown curve name (%s)\n", named_curve);
817 goto end;
818 }
819 }
820 else
821 nid = NID_sect163r2;
822
823 ecdh = EC_KEY_new_by_curve_name(nid);
824 if (ecdh == NULL)
825 {
826 BIO_printf(bio_err, "unable to create curve\n");
827 goto end;
828 }
829
830 SSL_CTX_set_tmp_ecdh(s_ctx, ecdh);
831 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_ECDH_USE);
832 EC_KEY_free(ecdh);
833 }
834#else
835 (void)no_ecdhe;
836#endif
837
838#ifndef OPENSSL_NO_RSA
839 SSL_CTX_set_tmp_rsa_callback(s_ctx,tmp_rsa_cb);
840#endif
841
842 if (!SSL_CTX_use_certificate_file(s_ctx,server_cert,SSL_FILETYPE_PEM))
843 {
844 ERR_print_errors(bio_err);
845 }
846 else if (!SSL_CTX_use_PrivateKey_file(s_ctx,
847 (server_key?server_key:server_cert), SSL_FILETYPE_PEM))
848 {
849 ERR_print_errors(bio_err);
850 goto end;
851 }
852
853 if (client_auth)
854 {
855 SSL_CTX_use_certificate_file(c_ctx,client_cert,
856 SSL_FILETYPE_PEM);
857 SSL_CTX_use_PrivateKey_file(c_ctx,
858 (client_key?client_key:client_cert),
859 SSL_FILETYPE_PEM);
860 }
861
862 if ( (!SSL_CTX_load_verify_locations(s_ctx,CAfile,CApath)) ||
863 (!SSL_CTX_set_default_verify_paths(s_ctx)) ||
864 (!SSL_CTX_load_verify_locations(c_ctx,CAfile,CApath)) ||
865 (!SSL_CTX_set_default_verify_paths(c_ctx)))
866 {
867 /* fprintf(stderr,"SSL_load_verify_locations\n"); */
868 ERR_print_errors(bio_err);
869 /* goto end; */
870 }
871
872 if (client_auth)
873 {
874 BIO_printf(bio_err,"client authentication\n");
875 SSL_CTX_set_verify(s_ctx,
876 SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
877 verify_callback);
878 SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, &app_verify_arg);
879 }
880 if (server_auth)
881 {
882 BIO_printf(bio_err,"server authentication\n");
883 SSL_CTX_set_verify(c_ctx,SSL_VERIFY_PEER,
884 verify_callback);
885 SSL_CTX_set_cert_verify_callback(c_ctx, app_verify_callback, &app_verify_arg);
886 }
887
888 {
889 int session_id_context = 0;
890 SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context, sizeof session_id_context);
891 }
892
893 c_ssl=SSL_new(c_ctx);
894 s_ssl=SSL_new(s_ctx);
895
896#ifndef OPENSSL_NO_KRB5
897 if (c_ssl && c_ssl->kssl_ctx)
898 {
899 char localhost[MAXHOSTNAMELEN+2];
900
901 if (gethostname(localhost, sizeof localhost-1) == 0)
902 {
903 localhost[sizeof localhost-1]='\0';
904 if(strlen(localhost) == sizeof localhost-1)
905 {
906 BIO_printf(bio_err,"localhost name too long\n");
907 goto end;
908 }
909 kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER,
910 localhost);
911 }
912 }
913#endif /* OPENSSL_NO_KRB5 */
914
915 for (i=0; i<number; i++)
916 {
917 if (!reuse) SSL_set_session(c_ssl,NULL);
918 if (bio_pair)
919 ret=doit_biopair(s_ssl,c_ssl,bytes,&s_time,&c_time);
920 else
921 ret=doit(s_ssl,c_ssl,bytes);
922 }
923
924 if (!verbose)
925 {
926 print_details(c_ssl, "");
927 }
928 if ((number > 1) || (bytes > 1L))
929 BIO_printf(bio_stdout, "%d handshakes of %ld bytes done\n",number,bytes);
930 if (print_time)
931 {
932#ifdef CLOCKS_PER_SEC
933 /* "To determine the time in seconds, the value returned
934 * by the clock function should be divided by the value
935 * of the macro CLOCKS_PER_SEC."
936 * -- ISO/IEC 9899 */
937 BIO_printf(bio_stdout, "Approximate total server time: %6.2f s\n"
938 "Approximate total client time: %6.2f s\n",
939 (double)s_time/CLOCKS_PER_SEC,
940 (double)c_time/CLOCKS_PER_SEC);
941#else
942 /* "`CLOCKS_PER_SEC' undeclared (first use this function)"
943 * -- cc on NeXTstep/OpenStep */
944 BIO_printf(bio_stdout,
945 "Approximate total server time: %6.2f units\n"
946 "Approximate total client time: %6.2f units\n",
947 (double)s_time,
948 (double)c_time);
949#endif
950 }
951
952 SSL_free(s_ssl);
953 SSL_free(c_ssl);
954
955end:
956 if (s_ctx != NULL) SSL_CTX_free(s_ctx);
957 if (c_ctx != NULL) SSL_CTX_free(c_ctx);
958
959 if (bio_stdout != NULL) BIO_free(bio_stdout);
960
961#ifndef OPENSSL_NO_RSA
962 free_tmp_rsa();
963#endif
964#ifndef OPENSSL_NO_ENGINE
965 ENGINE_cleanup();
966#endif
967 CRYPTO_cleanup_all_ex_data();
968 ERR_free_strings();
969 ERR_remove_state(0);
970 EVP_cleanup();
971 CRYPTO_mem_leaks(bio_err);
972 if (bio_err != NULL) BIO_free(bio_err);
973 EXIT(ret);
974 return ret;
975 }
976
977int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count,
978 clock_t *s_time, clock_t *c_time)
979 {
980 long cw_num = count, cr_num = count, sw_num = count, sr_num = count;
981 BIO *s_ssl_bio = NULL, *c_ssl_bio = NULL;
982 BIO *server = NULL, *server_io = NULL, *client = NULL, *client_io = NULL;
983 int ret = 1;
984
985 size_t bufsiz = 256; /* small buffer for testing */
986
987 if (!BIO_new_bio_pair(&server, bufsiz, &server_io, bufsiz))
988 goto err;
989 if (!BIO_new_bio_pair(&client, bufsiz, &client_io, bufsiz))
990 goto err;
991
992 s_ssl_bio = BIO_new(BIO_f_ssl());
993 if (!s_ssl_bio)
994 goto err;
995
996 c_ssl_bio = BIO_new(BIO_f_ssl());
997 if (!c_ssl_bio)
998 goto err;
999
1000 SSL_set_connect_state(c_ssl);
1001 SSL_set_bio(c_ssl, client, client);
1002 (void)BIO_set_ssl(c_ssl_bio, c_ssl, BIO_NOCLOSE);
1003
1004 SSL_set_accept_state(s_ssl);
1005 SSL_set_bio(s_ssl, server, server);
1006 (void)BIO_set_ssl(s_ssl_bio, s_ssl, BIO_NOCLOSE);
1007
1008 do
1009 {
1010 /* c_ssl_bio: SSL filter BIO
1011 *
1012 * client: pseudo-I/O for SSL library
1013 *
1014 * client_io: client's SSL communication; usually to be
1015 * relayed over some I/O facility, but in this
1016 * test program, we're the server, too:
1017 *
1018 * server_io: server's SSL communication
1019 *
1020 * server: pseudo-I/O for SSL library
1021 *
1022 * s_ssl_bio: SSL filter BIO
1023 *
1024 * The client and the server each employ a "BIO pair":
1025 * client + client_io, server + server_io.
1026 * BIO pairs are symmetric. A BIO pair behaves similar
1027 * to a non-blocking socketpair (but both endpoints must
1028 * be handled by the same thread).
1029 * [Here we could connect client and server to the ends
1030 * of a single BIO pair, but then this code would be less
1031 * suitable as an example for BIO pairs in general.]
1032 *
1033 * Useful functions for querying the state of BIO pair endpoints:
1034 *
1035 * BIO_ctrl_pending(bio) number of bytes we can read now
1036 * BIO_ctrl_get_read_request(bio) number of bytes needed to fulfil
1037 * other side's read attempt
1038 * BIO_ctrl_get_write_guarantee(bio) number of bytes we can write now
1039 *
1040 * ..._read_request is never more than ..._write_guarantee;
1041 * it depends on the application which one you should use.
1042 */
1043
1044 /* We have non-blocking behaviour throughout this test program, but
1045 * can be sure that there is *some* progress in each iteration; so
1046 * we don't have to worry about ..._SHOULD_READ or ..._SHOULD_WRITE
1047 * -- we just try everything in each iteration
1048 */
1049
1050 {
1051 /* CLIENT */
1052
1053 MS_STATIC char cbuf[1024*8];
1054 int i, r;
1055 clock_t c_clock = clock();
1056
1057 memset(cbuf, 0, sizeof(cbuf));
1058
1059 if (debug)
1060 if (SSL_in_init(c_ssl))
1061 printf("client waiting in SSL_connect - %s\n",
1062 SSL_state_string_long(c_ssl));
1063
1064 if (cw_num > 0)
1065 {
1066 /* Write to server. */
1067
1068 if (cw_num > (long)sizeof cbuf)
1069 i = sizeof cbuf;
1070 else
1071 i = (int)cw_num;
1072 r = BIO_write(c_ssl_bio, cbuf, i);
1073 if (r < 0)
1074 {
1075 if (!BIO_should_retry(c_ssl_bio))
1076 {
1077 fprintf(stderr,"ERROR in CLIENT\n");
1078 goto err;
1079 }
1080 /* BIO_should_retry(...) can just be ignored here.
1081 * The library expects us to call BIO_write with
1082 * the same arguments again, and that's what we will
1083 * do in the next iteration. */
1084 }
1085 else if (r == 0)
1086 {
1087 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1088 goto err;
1089 }
1090 else
1091 {
1092 if (debug)
1093 printf("client wrote %d\n", r);
1094 cw_num -= r;
1095 }
1096 }
1097
1098 if (cr_num > 0)
1099 {
1100 /* Read from server. */
1101
1102 r = BIO_read(c_ssl_bio, cbuf, sizeof(cbuf));
1103 if (r < 0)
1104 {
1105 if (!BIO_should_retry(c_ssl_bio))
1106 {
1107 fprintf(stderr,"ERROR in CLIENT\n");
1108 goto err;
1109 }
1110 /* Again, "BIO_should_retry" can be ignored. */
1111 }
1112 else if (r == 0)
1113 {
1114 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1115 goto err;
1116 }
1117 else
1118 {
1119 if (debug)
1120 printf("client read %d\n", r);
1121 cr_num -= r;
1122 }
1123 }
1124
1125 /* c_time and s_time increments will typically be very small
1126 * (depending on machine speed and clock tick intervals),
1127 * but sampling over a large number of connections should
1128 * result in fairly accurate figures. We cannot guarantee
1129 * a lot, however -- if each connection lasts for exactly
1130 * one clock tick, it will be counted only for the client
1131 * or only for the server or even not at all.
1132 */
1133 *c_time += (clock() - c_clock);
1134 }
1135
1136 {
1137 /* SERVER */
1138
1139 MS_STATIC char sbuf[1024*8];
1140 int i, r;
1141 clock_t s_clock = clock();
1142
1143 memset(sbuf, 0, sizeof(sbuf));
1144
1145 if (debug)
1146 if (SSL_in_init(s_ssl))
1147 printf("server waiting in SSL_accept - %s\n",
1148 SSL_state_string_long(s_ssl));
1149
1150 if (sw_num > 0)
1151 {
1152 /* Write to client. */
1153
1154 if (sw_num > (long)sizeof sbuf)
1155 i = sizeof sbuf;
1156 else
1157 i = (int)sw_num;
1158 r = BIO_write(s_ssl_bio, sbuf, i);
1159 if (r < 0)
1160 {
1161 if (!BIO_should_retry(s_ssl_bio))
1162 {
1163 fprintf(stderr,"ERROR in SERVER\n");
1164 goto err;
1165 }
1166 /* Ignore "BIO_should_retry". */
1167 }
1168 else if (r == 0)
1169 {
1170 fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
1171 goto err;
1172 }
1173 else
1174 {
1175 if (debug)
1176 printf("server wrote %d\n", r);
1177 sw_num -= r;
1178 }
1179 }
1180
1181 if (sr_num > 0)
1182 {
1183 /* Read from client. */
1184
1185 r = BIO_read(s_ssl_bio, sbuf, sizeof(sbuf));
1186 if (r < 0)
1187 {
1188 if (!BIO_should_retry(s_ssl_bio))
1189 {
1190 fprintf(stderr,"ERROR in SERVER\n");
1191 goto err;
1192 }
1193 /* blah, blah */
1194 }
1195 else if (r == 0)
1196 {
1197 fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
1198 goto err;
1199 }
1200 else
1201 {
1202 if (debug)
1203 printf("server read %d\n", r);
1204 sr_num -= r;
1205 }
1206 }
1207
1208 *s_time += (clock() - s_clock);
1209 }
1210
1211 {
1212 /* "I/O" BETWEEN CLIENT AND SERVER. */
1213
1214 size_t r1, r2;
1215 BIO *io1 = server_io, *io2 = client_io;
1216 /* we use the non-copying interface for io1
1217 * and the standard BIO_write/BIO_read interface for io2
1218 */
1219
1220 static int prev_progress = 1;
1221 int progress = 0;
1222
1223 /* io1 to io2 */
1224 do
1225 {
1226 size_t num;
1227 int r;
1228
1229 r1 = BIO_ctrl_pending(io1);
1230 r2 = BIO_ctrl_get_write_guarantee(io2);
1231
1232 num = r1;
1233 if (r2 < num)
1234 num = r2;
1235 if (num)
1236 {
1237 char *dataptr;
1238
1239 if (INT_MAX < num) /* yeah, right */
1240 num = INT_MAX;
1241
1242 r = BIO_nread(io1, &dataptr, (int)num);
1243 assert(r > 0);
1244 assert(r <= (int)num);
1245 /* possibly r < num (non-contiguous data) */
1246 num = r;
1247 r = BIO_write(io2, dataptr, (int)num);
1248 if (r != (int)num) /* can't happen */
1249 {
1250 fprintf(stderr, "ERROR: BIO_write could not write "
1251 "BIO_ctrl_get_write_guarantee() bytes");
1252 goto err;
1253 }
1254 progress = 1;
1255
1256 if (debug)
1257 printf((io1 == client_io) ?
1258 "C->S relaying: %d bytes\n" :
1259 "S->C relaying: %d bytes\n",
1260 (int)num);
1261 }
1262 }
1263 while (r1 && r2);
1264
1265 /* io2 to io1 */
1266 {
1267 size_t num;
1268 int r;
1269
1270 r1 = BIO_ctrl_pending(io2);
1271 r2 = BIO_ctrl_get_read_request(io1);
1272 /* here we could use ..._get_write_guarantee instead of
1273 * ..._get_read_request, but by using the latter
1274 * we test restartability of the SSL implementation
1275 * more thoroughly */
1276 num = r1;
1277 if (r2 < num)
1278 num = r2;
1279 if (num)
1280 {
1281 char *dataptr;
1282
1283 if (INT_MAX < num)
1284 num = INT_MAX;
1285
1286 if (num > 1)
1287 --num; /* test restartability even more thoroughly */
1288
1289 r = BIO_nwrite0(io1, &dataptr);
1290 assert(r > 0);
1291 if (r < (int)num)
1292 num = r;
1293 r = BIO_read(io2, dataptr, (int)num);
1294 if (r != (int)num) /* can't happen */
1295 {
1296 fprintf(stderr, "ERROR: BIO_read could not read "
1297 "BIO_ctrl_pending() bytes");
1298 goto err;
1299 }
1300 progress = 1;
1301 r = BIO_nwrite(io1, &dataptr, (int)num);
1302 if (r != (int)num) /* can't happen */
1303 {
1304 fprintf(stderr, "ERROR: BIO_nwrite() did not accept "
1305 "BIO_nwrite0() bytes");
1306 goto err;
1307 }
1308
1309 if (debug)
1310 printf((io2 == client_io) ?
1311 "C->S relaying: %d bytes\n" :
1312 "S->C relaying: %d bytes\n",
1313 (int)num);
1314 }
1315 } /* no loop, BIO_ctrl_get_read_request now returns 0 anyway */
1316
1317 if (!progress && !prev_progress)
1318 if (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0)
1319 {
1320 fprintf(stderr, "ERROR: got stuck\n");
1321 if (strcmp("SSLv2", SSL_get_version(c_ssl)) == 0)
1322 {
1323 fprintf(stderr, "This can happen for SSL2 because "
1324 "CLIENT-FINISHED and SERVER-VERIFY are written \n"
1325 "concurrently ...");
1326 if (strncmp("2SCF", SSL_state_string(c_ssl), 4) == 0
1327 && strncmp("2SSV", SSL_state_string(s_ssl), 4) == 0)
1328 {
1329 fprintf(stderr, " ok.\n");
1330 goto end;
1331 }
1332 }
1333 fprintf(stderr, " ERROR.\n");
1334 goto err;
1335 }
1336 prev_progress = progress;
1337 }
1338 }
1339 while (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0);
1340
1341 if (verbose)
1342 print_details(c_ssl, "DONE via BIO pair: ");
1343end:
1344 ret = 0;
1345
1346 err:
1347 ERR_print_errors(bio_err);
1348
1349 if (server)
1350 BIO_free(server);
1351 if (server_io)
1352 BIO_free(server_io);
1353 if (client)
1354 BIO_free(client);
1355 if (client_io)
1356 BIO_free(client_io);
1357 if (s_ssl_bio)
1358 BIO_free(s_ssl_bio);
1359 if (c_ssl_bio)
1360 BIO_free(c_ssl_bio);
1361
1362 return ret;
1363 }
1364
1365
1366#define W_READ 1
1367#define W_WRITE 2
1368#define C_DONE 1
1369#define S_DONE 2
1370
1371int doit(SSL *s_ssl, SSL *c_ssl, long count)
1372 {
1373 MS_STATIC char cbuf[1024*8],sbuf[1024*8];
1374 long cw_num=count,cr_num=count;
1375 long sw_num=count,sr_num=count;
1376 int ret=1;
1377 BIO *c_to_s=NULL;
1378 BIO *s_to_c=NULL;
1379 BIO *c_bio=NULL;
1380 BIO *s_bio=NULL;
1381 int c_r,c_w,s_r,s_w;
1382 int c_want,s_want;
1383 int i,j;
1384 int done=0;
1385 int c_write,s_write;
1386 int do_server=0,do_client=0;
1387
1388 memset(cbuf,0,sizeof(cbuf));
1389 memset(sbuf,0,sizeof(sbuf));
1390
1391 c_to_s=BIO_new(BIO_s_mem());
1392 s_to_c=BIO_new(BIO_s_mem());
1393 if ((s_to_c == NULL) || (c_to_s == NULL))
1394 {
1395 ERR_print_errors(bio_err);
1396 goto err;
1397 }
1398
1399 c_bio=BIO_new(BIO_f_ssl());
1400 s_bio=BIO_new(BIO_f_ssl());
1401 if ((c_bio == NULL) || (s_bio == NULL))
1402 {
1403 ERR_print_errors(bio_err);
1404 goto err;
1405 }
1406
1407 SSL_set_connect_state(c_ssl);
1408 SSL_set_bio(c_ssl,s_to_c,c_to_s);
1409 BIO_set_ssl(c_bio,c_ssl,BIO_NOCLOSE);
1410
1411 SSL_set_accept_state(s_ssl);
1412 SSL_set_bio(s_ssl,c_to_s,s_to_c);
1413 BIO_set_ssl(s_bio,s_ssl,BIO_NOCLOSE);
1414
1415 c_r=0; s_r=1;
1416 c_w=1; s_w=0;
1417 c_want=W_WRITE;
1418 s_want=0;
1419 c_write=1,s_write=0;
1420
1421 /* We can always do writes */
1422 for (;;)
1423 {
1424 do_server=0;
1425 do_client=0;
1426
1427 i=(int)BIO_pending(s_bio);
1428 if ((i && s_r) || s_w) do_server=1;
1429
1430 i=(int)BIO_pending(c_bio);
1431 if ((i && c_r) || c_w) do_client=1;
1432
1433 if (do_server && debug)
1434 {
1435 if (SSL_in_init(s_ssl))
1436 printf("server waiting in SSL_accept - %s\n",
1437 SSL_state_string_long(s_ssl));
1438/* else if (s_write)
1439 printf("server:SSL_write()\n");
1440 else
1441 printf("server:SSL_read()\n"); */
1442 }
1443
1444 if (do_client && debug)
1445 {
1446 if (SSL_in_init(c_ssl))
1447 printf("client waiting in SSL_connect - %s\n",
1448 SSL_state_string_long(c_ssl));
1449/* else if (c_write)
1450 printf("client:SSL_write()\n");
1451 else
1452 printf("client:SSL_read()\n"); */
1453 }
1454
1455 if (!do_client && !do_server)
1456 {
1457 fprintf(stdout,"ERROR IN STARTUP\n");
1458 ERR_print_errors(bio_err);
1459 break;
1460 }
1461 if (do_client && !(done & C_DONE))
1462 {
1463 if (c_write)
1464 {
1465 j = (cw_num > (long)sizeof(cbuf)) ?
1466 (int)sizeof(cbuf) : (int)cw_num;
1467 i=BIO_write(c_bio,cbuf,j);
1468 if (i < 0)
1469 {
1470 c_r=0;
1471 c_w=0;
1472 if (BIO_should_retry(c_bio))
1473 {
1474 if (BIO_should_read(c_bio))
1475 c_r=1;
1476 if (BIO_should_write(c_bio))
1477 c_w=1;
1478 }
1479 else
1480 {
1481 fprintf(stderr,"ERROR in CLIENT\n");
1482 ERR_print_errors(bio_err);
1483 goto err;
1484 }
1485 }
1486 else if (i == 0)
1487 {
1488 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1489 goto err;
1490 }
1491 else
1492 {
1493 if (debug)
1494 printf("client wrote %d\n",i);
1495 /* ok */
1496 s_r=1;
1497 c_write=0;
1498 cw_num-=i;
1499 }
1500 }
1501 else
1502 {
1503 i=BIO_read(c_bio,cbuf,sizeof(cbuf));
1504 if (i < 0)
1505 {
1506 c_r=0;
1507 c_w=0;
1508 if (BIO_should_retry(c_bio))
1509 {
1510 if (BIO_should_read(c_bio))
1511 c_r=1;
1512 if (BIO_should_write(c_bio))
1513 c_w=1;
1514 }
1515 else
1516 {
1517 fprintf(stderr,"ERROR in CLIENT\n");
1518 ERR_print_errors(bio_err);
1519 goto err;
1520 }
1521 }
1522 else if (i == 0)
1523 {
1524 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1525 goto err;
1526 }
1527 else
1528 {
1529 if (debug)
1530 printf("client read %d\n",i);
1531 cr_num-=i;
1532 if (sw_num > 0)
1533 {
1534 s_write=1;
1535 s_w=1;
1536 }
1537 if (cr_num <= 0)
1538 {
1539 s_write=1;
1540 s_w=1;
1541 done=S_DONE|C_DONE;
1542 }
1543 }
1544 }
1545 }
1546
1547 if (do_server && !(done & S_DONE))
1548 {
1549 if (!s_write)
1550 {
1551 i=BIO_read(s_bio,sbuf,sizeof(cbuf));
1552 if (i < 0)
1553 {
1554 s_r=0;
1555 s_w=0;
1556 if (BIO_should_retry(s_bio))
1557 {
1558 if (BIO_should_read(s_bio))
1559 s_r=1;
1560 if (BIO_should_write(s_bio))
1561 s_w=1;
1562 }
1563 else
1564 {
1565 fprintf(stderr,"ERROR in SERVER\n");
1566 ERR_print_errors(bio_err);
1567 goto err;
1568 }
1569 }
1570 else if (i == 0)
1571 {
1572 ERR_print_errors(bio_err);
1573 fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_read\n");
1574 goto err;
1575 }
1576 else
1577 {
1578 if (debug)
1579 printf("server read %d\n",i);
1580 sr_num-=i;
1581 if (cw_num > 0)
1582 {
1583 c_write=1;
1584 c_w=1;
1585 }
1586 if (sr_num <= 0)
1587 {
1588 s_write=1;
1589 s_w=1;
1590 c_write=0;
1591 }
1592 }
1593 }
1594 else
1595 {
1596 j = (sw_num > (long)sizeof(sbuf)) ?
1597 (int)sizeof(sbuf) : (int)sw_num;
1598 i=BIO_write(s_bio,sbuf,j);
1599 if (i < 0)
1600 {
1601 s_r=0;
1602 s_w=0;
1603 if (BIO_should_retry(s_bio))
1604 {
1605 if (BIO_should_read(s_bio))
1606 s_r=1;
1607 if (BIO_should_write(s_bio))
1608 s_w=1;
1609 }
1610 else
1611 {
1612 fprintf(stderr,"ERROR in SERVER\n");
1613 ERR_print_errors(bio_err);
1614 goto err;
1615 }
1616 }
1617 else if (i == 0)
1618 {
1619 ERR_print_errors(bio_err);
1620 fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_write\n");
1621 goto err;
1622 }
1623 else
1624 {
1625 if (debug)
1626 printf("server wrote %d\n",i);
1627 sw_num-=i;
1628 s_write=0;
1629 c_r=1;
1630 if (sw_num <= 0)
1631 done|=S_DONE;
1632 }
1633 }
1634 }
1635
1636 if ((done & S_DONE) && (done & C_DONE)) break;
1637 }
1638
1639 if (verbose)
1640 print_details(c_ssl, "DONE: ");
1641 ret=0;
1642err:
1643 /* We have to set the BIO's to NULL otherwise they will be
1644 * OPENSSL_free()ed twice. Once when th s_ssl is SSL_free()ed and
1645 * again when c_ssl is SSL_free()ed.
1646 * This is a hack required because s_ssl and c_ssl are sharing the same
1647 * BIO structure and SSL_set_bio() and SSL_free() automatically
1648 * BIO_free non NULL entries.
1649 * You should not normally do this or be required to do this */
1650 if (s_ssl != NULL)
1651 {
1652 s_ssl->rbio=NULL;
1653 s_ssl->wbio=NULL;
1654 }
1655 if (c_ssl != NULL)
1656 {
1657 c_ssl->rbio=NULL;
1658 c_ssl->wbio=NULL;
1659 }
1660
1661 if (c_to_s != NULL) BIO_free(c_to_s);
1662 if (s_to_c != NULL) BIO_free(s_to_c);
1663 if (c_bio != NULL) BIO_free_all(c_bio);
1664 if (s_bio != NULL) BIO_free_all(s_bio);
1665 return(ret);
1666 }
1667
1668static int get_proxy_auth_ex_data_idx(void)
1669 {
1670 static volatile int idx = -1;
1671 if (idx < 0)
1672 {
1673 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
1674 if (idx < 0)
1675 {
1676 idx = X509_STORE_CTX_get_ex_new_index(0,
1677 "SSLtest for verify callback", NULL,NULL,NULL);
1678 }
1679 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
1680 }
1681 return idx;
1682 }
1683
1684static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
1685 {
1686 char *s,buf[256];
1687
1688 s=X509_NAME_oneline(X509_get_subject_name(ctx->current_cert),buf,
1689 sizeof buf);
1690 if (s != NULL)
1691 {
1692 if (ok)
1693 fprintf(stderr,"depth=%d %s\n",
1694 ctx->error_depth,buf);
1695 else
1696 {
1697 fprintf(stderr,"depth=%d error=%d %s\n",
1698 ctx->error_depth,ctx->error,buf);
1699 }
1700 }
1701
1702 if (ok == 0)
1703 {
1704 fprintf(stderr,"Error string: %s\n",
1705 X509_verify_cert_error_string(ctx->error));
1706 switch (ctx->error)
1707 {
1708 case X509_V_ERR_CERT_NOT_YET_VALID:
1709 case X509_V_ERR_CERT_HAS_EXPIRED:
1710 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
1711 fprintf(stderr," ... ignored.\n");
1712 ok=1;
1713 }
1714 }
1715
1716 if (ok == 1)
1717 {
1718 X509 *xs = ctx->current_cert;
1719#if 0
1720 X509 *xi = ctx->current_issuer;
1721#endif
1722
1723 if (xs->ex_flags & EXFLAG_PROXY)
1724 {
1725 unsigned int *letters =
1726 X509_STORE_CTX_get_ex_data(ctx,
1727 get_proxy_auth_ex_data_idx());
1728
1729 if (letters)
1730 {
1731 int found_any = 0;
1732 int i;
1733 PROXY_CERT_INFO_EXTENSION *pci =
1734 X509_get_ext_d2i(xs, NID_proxyCertInfo,
1735 NULL, NULL);
1736
1737 switch (OBJ_obj2nid(pci->proxyPolicy->policyLanguage))
1738 {
1739 case NID_Independent:
1740 /* Completely meaningless in this
1741 program, as there's no way to
1742 grant explicit rights to a
1743 specific PrC. Basically, using
1744 id-ppl-Independent is the perfect
1745 way to grant no rights at all. */
1746 fprintf(stderr, " Independent proxy certificate");
1747 for (i = 0; i < 26; i++)
1748 letters[i] = 0;
1749 break;
1750 case NID_id_ppl_inheritAll:
1751 /* This is basically a NOP, we
1752 simply let the current rights
1753 stand as they are. */
1754 fprintf(stderr, " Proxy certificate inherits all");
1755 break;
1756 default:
1757 s = (char *)
1758 pci->proxyPolicy->policy->data;
1759 i = pci->proxyPolicy->policy->length;
1760
1761 /* The algorithm works as follows:
1762 it is assumed that previous
1763 iterations or the initial granted
1764 rights has already set some elements
1765 of `letters'. What we need to do is
1766 to clear those that weren't granted
1767 by the current PrC as well. The
1768 easiest way to do this is to add 1
1769 to all the elements whose letters
1770 are given with the current policy.
1771 That way, all elements that are set
1772 by the current policy and were
1773 already set by earlier policies and
1774 through the original grant of rights
1775 will get the value 2 or higher.
1776 The last thing to do is to sweep
1777 through `letters' and keep the
1778 elements having the value 2 as set,
1779 and clear all the others. */
1780
1781 fprintf(stderr, " Certificate proxy rights = %*.*s", i, i, s);
1782 while(i-- > 0)
1783 {
1784 int c = *s++;
1785 if (isascii(c) && isalpha(c))
1786 {
1787 if (islower(c))
1788 c = toupper(c);
1789 letters[c - 'A']++;
1790 }
1791 }
1792 for (i = 0; i < 26; i++)
1793 if (letters[i] < 2)
1794 letters[i] = 0;
1795 else
1796 letters[i] = 1;
1797 }
1798
1799 found_any = 0;
1800 fprintf(stderr,
1801 ", resulting proxy rights = ");
1802 for(i = 0; i < 26; i++)
1803 if (letters[i])
1804 {
1805 fprintf(stderr, "%c", i + 'A');
1806 found_any = 1;
1807 }
1808 if (!found_any)
1809 fprintf(stderr, "none");
1810 fprintf(stderr, "\n");
1811
1812 PROXY_CERT_INFO_EXTENSION_free(pci);
1813 }
1814 }
1815 }
1816
1817 return(ok);
1818 }
1819
1820static void process_proxy_debug(int indent, const char *format, ...)
1821 {
1822 static const char indentation[] =
1823 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
1824 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"; /* That's 80 > */
1825 char my_format[256];
1826 va_list args;
1827
1828 BIO_snprintf(my_format, sizeof(my_format), "%*.*s %s",
1829 indent, indent, indentation, format);
1830
1831 va_start(args, format);
1832 vfprintf(stderr, my_format, args);
1833 va_end(args);
1834 }
1835/* Priority levels:
1836 0 [!]var, ()
1837 1 & ^
1838 2 |
1839*/
1840static int process_proxy_cond_adders(unsigned int letters[26],
1841 const char *cond, const char **cond_end, int *pos, int indent);
1842static int process_proxy_cond_val(unsigned int letters[26],
1843 const char *cond, const char **cond_end, int *pos, int indent)
1844 {
1845 int c;
1846 int ok = 1;
1847 int negate = 0;
1848
1849 while(isspace((int)*cond))
1850 {
1851 cond++; (*pos)++;
1852 }
1853 c = *cond;
1854
1855 if (debug)
1856 process_proxy_debug(indent,
1857 "Start process_proxy_cond_val at position %d: %s\n",
1858 *pos, cond);
1859
1860 while(c == '!')
1861 {
1862 negate = !negate;
1863 cond++; (*pos)++;
1864 while(isspace((int)*cond))
1865 {
1866 cond++; (*pos)++;
1867 }
1868 c = *cond;
1869 }
1870
1871 if (c == '(')
1872 {
1873 cond++; (*pos)++;
1874 ok = process_proxy_cond_adders(letters, cond, cond_end, pos,
1875 indent + 1);
1876 cond = *cond_end;
1877 if (ok < 0)
1878 goto end;
1879 while(isspace((int)*cond))
1880 {
1881 cond++; (*pos)++;
1882 }
1883 c = *cond;
1884 if (c != ')')
1885 {
1886 fprintf(stderr,
1887 "Weird condition character in position %d: "
1888 "%c\n", *pos, c);
1889 ok = -1;
1890 goto end;
1891 }
1892 cond++; (*pos)++;
1893 }
1894 else if (isascii(c) && isalpha(c))
1895 {
1896 if (islower(c))
1897 c = toupper(c);
1898 ok = letters[c - 'A'];
1899 cond++; (*pos)++;
1900 }
1901 else
1902 {
1903 fprintf(stderr,
1904 "Weird condition character in position %d: "
1905 "%c\n", *pos, c);
1906 ok = -1;
1907 goto end;
1908 }
1909 end:
1910 *cond_end = cond;
1911 if (ok >= 0 && negate)
1912 ok = !ok;
1913
1914 if (debug)
1915 process_proxy_debug(indent,
1916 "End process_proxy_cond_val at position %d: %s, returning %d\n",
1917 *pos, cond, ok);
1918
1919 return ok;
1920 }
1921static int process_proxy_cond_multipliers(unsigned int letters[26],
1922 const char *cond, const char **cond_end, int *pos, int indent)
1923 {
1924 int ok;
1925 char c;
1926
1927 if (debug)
1928 process_proxy_debug(indent,
1929 "Start process_proxy_cond_multipliers at position %d: %s\n",
1930 *pos, cond);
1931
1932 ok = process_proxy_cond_val(letters, cond, cond_end, pos, indent + 1);
1933 cond = *cond_end;
1934 if (ok < 0)
1935 goto end;
1936
1937 while(ok >= 0)
1938 {
1939 while(isspace((int)*cond))
1940 {
1941 cond++; (*pos)++;
1942 }
1943 c = *cond;
1944
1945 switch(c)
1946 {
1947 case '&':
1948 case '^':
1949 {
1950 int save_ok = ok;
1951
1952 cond++; (*pos)++;
1953 ok = process_proxy_cond_val(letters,
1954 cond, cond_end, pos, indent + 1);
1955 cond = *cond_end;
1956 if (ok < 0)
1957 break;
1958
1959 switch(c)
1960 {
1961 case '&':
1962 ok &= save_ok;
1963 break;
1964 case '^':
1965 ok ^= save_ok;
1966 break;
1967 default:
1968 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
1969 " STOPPING\n");
1970 EXIT(1);
1971 }
1972 }
1973 break;
1974 default:
1975 goto end;
1976 }
1977 }
1978 end:
1979 if (debug)
1980 process_proxy_debug(indent,
1981 "End process_proxy_cond_multipliers at position %d: %s, returning %d\n",
1982 *pos, cond, ok);
1983
1984 *cond_end = cond;
1985 return ok;
1986 }
1987static int process_proxy_cond_adders(unsigned int letters[26],
1988 const char *cond, const char **cond_end, int *pos, int indent)
1989 {
1990 int ok;
1991 char c;
1992
1993 if (debug)
1994 process_proxy_debug(indent,
1995 "Start process_proxy_cond_adders at position %d: %s\n",
1996 *pos, cond);
1997
1998 ok = process_proxy_cond_multipliers(letters, cond, cond_end, pos,
1999 indent + 1);
2000 cond = *cond_end;
2001 if (ok < 0)
2002 goto end;
2003
2004 while(ok >= 0)
2005 {
2006 while(isspace((int)*cond))
2007 {
2008 cond++; (*pos)++;
2009 }
2010 c = *cond;
2011
2012 switch(c)
2013 {
2014 case '|':
2015 {
2016 int save_ok = ok;
2017
2018 cond++; (*pos)++;
2019 ok = process_proxy_cond_multipliers(letters,
2020 cond, cond_end, pos, indent + 1);
2021 cond = *cond_end;
2022 if (ok < 0)
2023 break;
2024
2025 switch(c)
2026 {
2027 case '|':
2028 ok |= save_ok;
2029 break;
2030 default:
2031 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
2032 " STOPPING\n");
2033 EXIT(1);
2034 }
2035 }
2036 break;
2037 default:
2038 goto end;
2039 }
2040 }
2041 end:
2042 if (debug)
2043 process_proxy_debug(indent,
2044 "End process_proxy_cond_adders at position %d: %s, returning %d\n",
2045 *pos, cond, ok);
2046
2047 *cond_end = cond;
2048 return ok;
2049 }
2050
2051static int process_proxy_cond(unsigned int letters[26],
2052 const char *cond, const char **cond_end)
2053 {
2054 int pos = 1;
2055 return process_proxy_cond_adders(letters, cond, cond_end, &pos, 1);
2056 }
2057
2058static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg)
2059 {
2060 int ok=1;
2061 struct app_verify_arg *cb_arg = arg;
2062 unsigned int letters[26]; /* only used with proxy_auth */
2063
2064 if (cb_arg->app_verify)
2065 {
2066 char *s = NULL,buf[256];
2067
2068 fprintf(stderr, "In app_verify_callback, allowing cert. ");
2069 fprintf(stderr, "Arg is: %s\n", cb_arg->string);
2070 fprintf(stderr, "Finished printing do we have a context? 0x%p a cert? 0x%p\n",
2071 (void *)ctx, (void *)ctx->cert);
2072 if (ctx->cert)
2073 s=X509_NAME_oneline(X509_get_subject_name(ctx->cert),buf,256);
2074 if (s != NULL)
2075 {
2076 fprintf(stderr,"cert depth=%d %s\n",ctx->error_depth,buf);
2077 }
2078 return(1);
2079 }
2080 if (cb_arg->proxy_auth)
2081 {
2082 int found_any = 0, i;
2083 char *sp;
2084
2085 for(i = 0; i < 26; i++)
2086 letters[i] = 0;
2087 for(sp = cb_arg->proxy_auth; *sp; sp++)
2088 {
2089 int c = *sp;
2090 if (isascii(c) && isalpha(c))
2091 {
2092 if (islower(c))
2093 c = toupper(c);
2094 letters[c - 'A'] = 1;
2095 }
2096 }
2097
2098 fprintf(stderr,
2099 " Initial proxy rights = ");
2100 for(i = 0; i < 26; i++)
2101 if (letters[i])
2102 {
2103 fprintf(stderr, "%c", i + 'A');
2104 found_any = 1;
2105 }
2106 if (!found_any)
2107 fprintf(stderr, "none");
2108 fprintf(stderr, "\n");
2109
2110 X509_STORE_CTX_set_ex_data(ctx,
2111 get_proxy_auth_ex_data_idx(),letters);
2112 }
2113 if (cb_arg->allow_proxy_certs)
2114 {
2115 X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
2116 }
2117
2118#ifndef OPENSSL_NO_X509_VERIFY
The Android Open Source Project656d9c72009-03-03 19:30:25 -0800[diff] [blame]2119 ok = X509_verify_cert(ctx);
The Android Open Source Project656d9c72009-03-03 19:30:25 -0800[diff] [blame]2120#endif
2121
2122 if (cb_arg->proxy_auth)
2123 {
2124 if (ok > 0)
2125 {
2126 const char *cond_end = NULL;
2127
2128 ok = process_proxy_cond(letters,
2129 cb_arg->proxy_cond, &cond_end);
2130
2131 if (ok < 0)
2132 EXIT(3);
2133 if (*cond_end)
2134 {
2135 fprintf(stderr, "Stopped processing condition before it's end.\n");
2136 ok = 0;
2137 }
2138 if (!ok)
2139 fprintf(stderr, "Proxy rights check with condition '%s' proved invalid\n",
2140 cb_arg->proxy_cond);
2141 else
2142 fprintf(stderr, "Proxy rights check with condition '%s' proved valid\n",
2143 cb_arg->proxy_cond);
2144 }
2145 }
2146 return(ok);
2147 }
2148
2149#ifndef OPENSSL_NO_RSA
2150static RSA *rsa_tmp=NULL;
2151
2152static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength)
2153 {
2154 BIGNUM *bn = NULL;
2155 if (rsa_tmp == NULL)
2156 {
2157 bn = BN_new();
2158 rsa_tmp = RSA_new();
2159 if(!bn || !rsa_tmp || !BN_set_word(bn, RSA_F4))
2160 {
2161 BIO_printf(bio_err, "Memory error...");
2162 goto end;
2163 }
2164 BIO_printf(bio_err,"Generating temp (%d bit) RSA key...",keylength);
2165 (void)BIO_flush(bio_err);
2166 if(!RSA_generate_key_ex(rsa_tmp,keylength,bn,NULL))
2167 {
2168 BIO_printf(bio_err, "Error generating key.");
2169 RSA_free(rsa_tmp);
2170 rsa_tmp = NULL;
2171 }
2172end:
2173 BIO_printf(bio_err,"\n");
2174 (void)BIO_flush(bio_err);
2175 }
2176 if(bn) BN_free(bn);
2177 return(rsa_tmp);
2178 }
2179
2180static void free_tmp_rsa(void)
2181 {
2182 if (rsa_tmp != NULL)
2183 {
2184 RSA_free(rsa_tmp);
2185 rsa_tmp = NULL;
2186 }
2187 }
2188#endif
2189
2190#ifndef OPENSSL_NO_DH
2191/* These DH parameters have been generated as follows:
2192 * $ openssl dhparam -C -noout 512
2193 * $ openssl dhparam -C -noout 1024
2194 * $ openssl dhparam -C -noout -dsaparam 1024
2195 * (The third function has been renamed to avoid name conflicts.)
2196 */
2197static DH *get_dh512()
2198 {
2199 static unsigned char dh512_p[]={
2200 0xCB,0xC8,0xE1,0x86,0xD0,0x1F,0x94,0x17,0xA6,0x99,0xF0,0xC6,
2201 0x1F,0x0D,0xAC,0xB6,0x25,0x3E,0x06,0x39,0xCA,0x72,0x04,0xB0,
2202 0x6E,0xDA,0xC0,0x61,0xE6,0x7A,0x77,0x25,0xE8,0x3B,0xB9,0x5F,
2203 0x9A,0xB6,0xB5,0xFE,0x99,0x0B,0xA1,0x93,0x4E,0x35,0x33,0xB8,
2204 0xE1,0xF1,0x13,0x4F,0x59,0x1A,0xD2,0x57,0xC0,0x26,0x21,0x33,
2205 0x02,0xC5,0xAE,0x23,
2206 };
2207 static unsigned char dh512_g[]={
2208 0x02,
2209 };
2210 DH *dh;
2211
2212 if ((dh=DH_new()) == NULL) return(NULL);
2213 dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
2214 dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
2215 if ((dh->p == NULL) || (dh->g == NULL))
2216 { DH_free(dh); return(NULL); }
2217 return(dh);
2218 }
2219
2220static DH *get_dh1024()
2221 {
2222 static unsigned char dh1024_p[]={
2223 0xF8,0x81,0x89,0x7D,0x14,0x24,0xC5,0xD1,0xE6,0xF7,0xBF,0x3A,
2224 0xE4,0x90,0xF4,0xFC,0x73,0xFB,0x34,0xB5,0xFA,0x4C,0x56,0xA2,
2225 0xEA,0xA7,0xE9,0xC0,0xC0,0xCE,0x89,0xE1,0xFA,0x63,0x3F,0xB0,
2226 0x6B,0x32,0x66,0xF1,0xD1,0x7B,0xB0,0x00,0x8F,0xCA,0x87,0xC2,
2227 0xAE,0x98,0x89,0x26,0x17,0xC2,0x05,0xD2,0xEC,0x08,0xD0,0x8C,
2228 0xFF,0x17,0x52,0x8C,0xC5,0x07,0x93,0x03,0xB1,0xF6,0x2F,0xB8,
2229 0x1C,0x52,0x47,0x27,0x1B,0xDB,0xD1,0x8D,0x9D,0x69,0x1D,0x52,
2230 0x4B,0x32,0x81,0xAA,0x7F,0x00,0xC8,0xDC,0xE6,0xD9,0xCC,0xC1,
2231 0x11,0x2D,0x37,0x34,0x6C,0xEA,0x02,0x97,0x4B,0x0E,0xBB,0xB1,
2232 0x71,0x33,0x09,0x15,0xFD,0xDD,0x23,0x87,0x07,0x5E,0x89,0xAB,
2233 0x6B,0x7C,0x5F,0xEC,0xA6,0x24,0xDC,0x53,
2234 };
2235 static unsigned char dh1024_g[]={
2236 0x02,
2237 };
2238 DH *dh;
2239
2240 if ((dh=DH_new()) == NULL) return(NULL);
2241 dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
2242 dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
2243 if ((dh->p == NULL) || (dh->g == NULL))
2244 { DH_free(dh); return(NULL); }
2245 return(dh);
2246 }
2247
2248static DH *get_dh1024dsa()
2249 {
2250 static unsigned char dh1024_p[]={
2251 0xC8,0x00,0xF7,0x08,0x07,0x89,0x4D,0x90,0x53,0xF3,0xD5,0x00,
2252 0x21,0x1B,0xF7,0x31,0xA6,0xA2,0xDA,0x23,0x9A,0xC7,0x87,0x19,
2253 0x3B,0x47,0xB6,0x8C,0x04,0x6F,0xFF,0xC6,0x9B,0xB8,0x65,0xD2,
2254 0xC2,0x5F,0x31,0x83,0x4A,0xA7,0x5F,0x2F,0x88,0x38,0xB6,0x55,
2255 0xCF,0xD9,0x87,0x6D,0x6F,0x9F,0xDA,0xAC,0xA6,0x48,0xAF,0xFC,
2256 0x33,0x84,0x37,0x5B,0x82,0x4A,0x31,0x5D,0xE7,0xBD,0x52,0x97,
2257 0xA1,0x77,0xBF,0x10,0x9E,0x37,0xEA,0x64,0xFA,0xCA,0x28,0x8D,
2258 0x9D,0x3B,0xD2,0x6E,0x09,0x5C,0x68,0xC7,0x45,0x90,0xFD,0xBB,
2259 0x70,0xC9,0x3A,0xBB,0xDF,0xD4,0x21,0x0F,0xC4,0x6A,0x3C,0xF6,
2260 0x61,0xCF,0x3F,0xD6,0x13,0xF1,0x5F,0xBC,0xCF,0xBC,0x26,0x9E,
2261 0xBC,0x0B,0xBD,0xAB,0x5D,0xC9,0x54,0x39,
2262 };
2263 static unsigned char dh1024_g[]={
2264 0x3B,0x40,0x86,0xE7,0xF3,0x6C,0xDE,0x67,0x1C,0xCC,0x80,0x05,
2265 0x5A,0xDF,0xFE,0xBD,0x20,0x27,0x74,0x6C,0x24,0xC9,0x03,0xF3,
2266 0xE1,0x8D,0xC3,0x7D,0x98,0x27,0x40,0x08,0xB8,0x8C,0x6A,0xE9,
2267 0xBB,0x1A,0x3A,0xD6,0x86,0x83,0x5E,0x72,0x41,0xCE,0x85,0x3C,
2268 0xD2,0xB3,0xFC,0x13,0xCE,0x37,0x81,0x9E,0x4C,0x1C,0x7B,0x65,
2269 0xD3,0xE6,0xA6,0x00,0xF5,0x5A,0x95,0x43,0x5E,0x81,0xCF,0x60,
2270 0xA2,0x23,0xFC,0x36,0xA7,0x5D,0x7A,0x4C,0x06,0x91,0x6E,0xF6,
2271 0x57,0xEE,0x36,0xCB,0x06,0xEA,0xF5,0x3D,0x95,0x49,0xCB,0xA7,
2272 0xDD,0x81,0xDF,0x80,0x09,0x4A,0x97,0x4D,0xA8,0x22,0x72,0xA1,
2273 0x7F,0xC4,0x70,0x56,0x70,0xE8,0x20,0x10,0x18,0x8F,0x2E,0x60,
2274 0x07,0xE7,0x68,0x1A,0x82,0x5D,0x32,0xA2,
2275 };
2276 DH *dh;
2277
2278 if ((dh=DH_new()) == NULL) return(NULL);
2279 dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
2280 dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
2281 if ((dh->p == NULL) || (dh->g == NULL))
2282 { DH_free(dh); return(NULL); }
2283 dh->length = 160;
2284 return(dh);
2285 }
2286#endif
2287
2288static int do_test_cipherlist(void)
2289 {
2290 int i = 0;
2291 const SSL_METHOD *meth;
2292 SSL_CIPHER *ci, *tci = NULL;
2293
2294#ifndef OPENSSL_NO_SSL2
2295 fprintf(stderr, "testing SSLv2 cipher list order: ");
2296 meth = SSLv2_method();
2297 while ((ci = meth->get_cipher(i++)) != NULL)
2298 {
2299 if (tci != NULL)
2300 if (ci->id >= tci->id)
2301 {
2302 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2303 return 0;
2304 }
2305 tci = ci;
2306 }
2307 fprintf(stderr, "ok\n");
2308#endif
2309#ifndef OPENSSL_NO_SSL3
2310 fprintf(stderr, "testing SSLv3 cipher list order: ");
2311 meth = SSLv3_method();
2312 tci = NULL;
2313 while ((ci = meth->get_cipher(i++)) != NULL)
2314 {
2315 if (tci != NULL)
2316 if (ci->id >= tci->id)
2317 {
2318 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2319 return 0;
2320 }
2321 tci = ci;
2322 }
2323 fprintf(stderr, "ok\n");
2324#endif
2325#ifndef OPENSSL_NO_TLS1
2326 fprintf(stderr, "testing TLSv1 cipher list order: ");
2327 meth = TLSv1_method();
2328 tci = NULL;
2329 while ((ci = meth->get_cipher(i++)) != NULL)
2330 {
2331 if (tci != NULL)
2332 if (ci->id >= tci->id)
2333 {
2334 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2335 return 0;
2336 }
2337 tci = ci;
2338 }
2339 fprintf(stderr, "ok\n");
2340#endif
2341
2342 return 1;
2343 }