Gitiles
Code Review Sign In
gerrit-public.fairphone.software / kernel / lk / 77318e05e5a7d4891ac8816a32773ba3d4d39881 / . / lib / openssl / ssl / ssltest.c
blob: e21ebda42ab2c407c91f4093a7e96680471d4911 [file] [log] [blame]
Kinson Chika8fa74c2011-07-29 11:33:41 -0700[diff] [blame]1/* ssl/ssltest.c */
2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58/* ====================================================================
59 * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111/* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 * ECC cipher suite support in OpenSSL originally developed by
114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
115 */
116/* ====================================================================
117 * Copyright 2005 Nokia. All rights reserved.
118 *
119 * The portions of the attached software ("Contribution") is developed by
120 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
121 * license.
122 *
123 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
124 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
125 * support (see RFC 4279) to OpenSSL.
126 *
127 * No patent licenses or other rights except those expressly stated in
128 * the OpenSSL open source license shall be deemed granted or received
129 * expressly, by implication, estoppel, or otherwise.
130 *
131 * No assurances are provided by Nokia that the Contribution does not
132 * infringe the patent or other intellectual property rights of any third
133 * party or that the license provides you with all the necessary rights
134 * to make use of the Contribution.
135 *
136 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
137 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
138 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
139 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
140 * OTHERWISE.
141 */
142
143#define _BSD_SOURCE 1 /* Or gethostname won't be declared properly
144 on Linux and GNU platforms. */
145
146#include <assert.h>
147#include <errno.h>
148#include <limits.h>
149#include <stdio.h>
150#include <stdlib.h>
151#include <string.h>
152#include <time.h>
153
154#define USE_SOCKETS
155#include "e_os.h"
156
157#ifdef OPENSSL_SYS_VMS
158#define _XOPEN_SOURCE 500 /* Or isascii won't be declared properly on
159 VMS (at least with DECompHP C). */
160#endif
161
162#include <ctype.h>
163
164#include <openssl/bio.h>
165#include <openssl/crypto.h>
166#include <openssl/evp.h>
167#include <openssl/x509.h>
168#include <openssl/x509v3.h>
169#include <openssl/ssl.h>
170#ifndef OPENSSL_NO_ENGINE
171#include <openssl/engine.h>
172#endif
173#include <openssl/err.h>
174#include <openssl/rand.h>
175#ifndef OPENSSL_NO_RSA
176#include <openssl/rsa.h>
177#endif
178#ifndef OPENSSL_NO_DSA
179#include <openssl/dsa.h>
180#endif
181#ifndef OPENSSL_NO_DH
182#include <openssl/dh.h>
183#endif
184#include <openssl/bn.h>
185
186#define _XOPEN_SOURCE_EXTENDED 1 /* Or gethostname won't be declared properly
187 on Compaq platforms (at least with DEC C).
188 Do not try to put it earlier, or IPv6 includes
189 get screwed...
190 */
191
192#ifdef OPENSSL_SYS_WINDOWS
193#include <winsock.h>
194#else
195#include OPENSSL_UNISTD
196#endif
197
198#ifdef OPENSSL_SYS_VMS
199# define TEST_SERVER_CERT "SYS$DISK:[-.APPS]SERVER.PEM"
200# define TEST_CLIENT_CERT "SYS$DISK:[-.APPS]CLIENT.PEM"
201#elif defined(OPENSSL_SYS_WINCE)
202# define TEST_SERVER_CERT "\\OpenSSL\\server.pem"
203# define TEST_CLIENT_CERT "\\OpenSSL\\client.pem"
204#elif defined(OPENSSL_SYS_NETWARE)
205# define TEST_SERVER_CERT "\\openssl\\apps\\server.pem"
206# define TEST_CLIENT_CERT "\\openssl\\apps\\client.pem"
207#else
208# define TEST_SERVER_CERT "../apps/server.pem"
209# define TEST_CLIENT_CERT "../apps/client.pem"
210#endif
211
212/* There is really no standard for this, so let's assign some tentative
213 numbers. In any case, these numbers are only for this test */
214#define COMP_RLE 255
215#define COMP_ZLIB 1
216
217static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
218#ifndef OPENSSL_NO_RSA
219static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export,int keylength);
220static void free_tmp_rsa(void);
221#endif
222static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg);
223#define APP_CALLBACK_STRING "Test Callback Argument"
224struct app_verify_arg
225 {
226 char *string;
227 int app_verify;
228 int allow_proxy_certs;
229 char *proxy_auth;
230 char *proxy_cond;
231 };
232
233#ifndef OPENSSL_NO_DH
234static DH *get_dh512(void);
235static DH *get_dh1024(void);
236static DH *get_dh1024dsa(void);
237#endif
238
239
240static char *psk_key=NULL; /* by default PSK is not used */
241#ifndef OPENSSL_NO_PSK
242static unsigned int psk_client_callback(SSL *ssl, const char *hint, char *identity,
243 unsigned int max_identity_len, unsigned char *psk,
244 unsigned int max_psk_len);
245static unsigned int psk_server_callback(SSL *ssl, const char *identity, unsigned char *psk,
246 unsigned int max_psk_len);
247#endif
248
249static BIO *bio_err=NULL;
250static BIO *bio_stdout=NULL;
251
252static char *cipher=NULL;
253static int verbose=0;
254static int debug=0;
255#if 0
256/* Not used yet. */
257#ifdef FIONBIO
258static int s_nbio=0;
259#endif
260#endif
261
262static const char rnd_seed[] = "string to make the random number generator think it has entropy";
263
264int doit_biopair(SSL *s_ssl,SSL *c_ssl,long bytes,clock_t *s_time,clock_t *c_time);
265int doit(SSL *s_ssl,SSL *c_ssl,long bytes);
266static int do_test_cipherlist(void);
267static void sv_usage(void)
268 {
269 fprintf(stderr,"usage: ssltest [args ...]\n");
270 fprintf(stderr,"\n");
271 fprintf(stderr," -server_auth - check server certificate\n");
272 fprintf(stderr," -client_auth - do client authentication\n");
273 fprintf(stderr," -proxy - allow proxy certificates\n");
274 fprintf(stderr," -proxy_auth <val> - set proxy policy rights\n");
275 fprintf(stderr," -proxy_cond <val> - experssion to test proxy policy rights\n");
276 fprintf(stderr," -v - more output\n");
277 fprintf(stderr," -d - debug output\n");
278 fprintf(stderr," -reuse - use session-id reuse\n");
279 fprintf(stderr," -num <val> - number of connections to perform\n");
280 fprintf(stderr," -bytes <val> - number of bytes to swap between client/server\n");
281#ifndef OPENSSL_NO_DH
282 fprintf(stderr," -dhe1024 - use 1024 bit key (safe prime) for DHE\n");
283 fprintf(stderr," -dhe1024dsa - use 1024 bit key (with 160-bit subprime) for DHE\n");
284 fprintf(stderr," -no_dhe - disable DHE\n");
285#endif
286#ifndef OPENSSL_NO_ECDH
287 fprintf(stderr," -no_ecdhe - disable ECDHE\n");
288#endif
289#ifndef OPENSSL_NO_PSK
290 fprintf(stderr," -psk arg - PSK in hex (without 0x)\n");
291#endif
292#ifndef OPENSSL_NO_SSL2
293 fprintf(stderr," -ssl2 - use SSLv2\n");
294#endif
295#ifndef OPENSSL_NO_SSL3
296 fprintf(stderr," -ssl3 - use SSLv3\n");
297#endif
298#ifndef OPENSSL_NO_TLS1
299 fprintf(stderr," -tls1 - use TLSv1\n");
300#endif
301 fprintf(stderr," -CApath arg - PEM format directory of CA's\n");
302 fprintf(stderr," -CAfile arg - PEM format file of CA's\n");
303 fprintf(stderr," -cert arg - Server certificate file\n");
304 fprintf(stderr," -key arg - Server key file (default: same as -cert)\n");
305 fprintf(stderr," -c_cert arg - Client certificate file\n");
306 fprintf(stderr," -c_key arg - Client key file (default: same as -c_cert)\n");
307 fprintf(stderr," -cipher arg - The cipher list\n");
308 fprintf(stderr," -bio_pair - Use BIO pairs\n");
309 fprintf(stderr," -f - Test even cases that can't work\n");
310 fprintf(stderr," -time - measure processor time used by client and server\n");
311 fprintf(stderr," -zlib - use zlib compression\n");
312 fprintf(stderr," -rle - use rle compression\n");
313#ifndef OPENSSL_NO_ECDH
314 fprintf(stderr," -named_curve arg - Elliptic curve name to use for ephemeral ECDH keys.\n" \
315 " Use \"openssl ecparam -list_curves\" for all names\n" \
316 " (default is sect163r2).\n");
317#endif
318 fprintf(stderr," -test_cipherlist - verifies the order of the ssl cipher lists\n");
319 fprintf(stderr," -c_small_records - enable client side use of small SSL record buffers\n");
320 fprintf(stderr," -s_small_records - enable server side use of small SSL record buffers\n");
321 fprintf(stderr," -cutthrough - enable 1-RTT full-handshake for strong ciphers\n");
322 }
323
324static void print_details(SSL *c_ssl, const char *prefix)
325 {
326 const SSL_CIPHER *ciph;
327 X509 *cert;
328
329 ciph=SSL_get_current_cipher(c_ssl);
330 BIO_printf(bio_stdout,"%s%s, cipher %s %s",
331 prefix,
332 SSL_get_version(c_ssl),
333 SSL_CIPHER_get_version(ciph),
334 SSL_CIPHER_get_name(ciph));
335 cert=SSL_get_peer_certificate(c_ssl);
336 if (cert != NULL)
337 {
338 EVP_PKEY *pkey = X509_get_pubkey(cert);
339 if (pkey != NULL)
340 {
341 if (0)
342 ;
343#ifndef OPENSSL_NO_RSA
344 else if (pkey->type == EVP_PKEY_RSA && pkey->pkey.rsa != NULL
345 && pkey->pkey.rsa->n != NULL)
346 {
347 BIO_printf(bio_stdout, ", %d bit RSA",
348 BN_num_bits(pkey->pkey.rsa->n));
349 }
350#endif
351#ifndef OPENSSL_NO_DSA
352 else if (pkey->type == EVP_PKEY_DSA && pkey->pkey.dsa != NULL
353 && pkey->pkey.dsa->p != NULL)
354 {
355 BIO_printf(bio_stdout, ", %d bit DSA",
356 BN_num_bits(pkey->pkey.dsa->p));
357 }
358#endif
359 EVP_PKEY_free(pkey);
360 }
361 X509_free(cert);
362 }
363 /* The SSL API does not allow us to look at temporary RSA/DH keys,
364 * otherwise we should print their lengths too */
365 BIO_printf(bio_stdout,"\n");
366 }
367
368static void lock_dbg_cb(int mode, int type, const char *file, int line)
369 {
370 static int modes[CRYPTO_NUM_LOCKS]; /* = {0, 0, ... } */
371 const char *errstr = NULL;
372 int rw;
373
374 rw = mode & (CRYPTO_READ|CRYPTO_WRITE);
375 if (!((rw == CRYPTO_READ) || (rw == CRYPTO_WRITE)))
376 {
377 errstr = "invalid mode";
378 goto err;
379 }
380
381 if (type < 0 || type >= CRYPTO_NUM_LOCKS)
382 {
383 errstr = "type out of bounds";
384 goto err;
385 }
386
387 if (mode & CRYPTO_LOCK)
388 {
389 if (modes[type])
390 {
391 errstr = "already locked";
392 /* must not happen in a single-threaded program
393 * (would deadlock) */
394 goto err;
395 }
396
397 modes[type] = rw;
398 }
399 else if (mode & CRYPTO_UNLOCK)
400 {
401 if (!modes[type])
402 {
403 errstr = "not locked";
404 goto err;
405 }
406
407 if (modes[type] != rw)
408 {
409 errstr = (rw == CRYPTO_READ) ?
410 "CRYPTO_r_unlock on write lock" :
411 "CRYPTO_w_unlock on read lock";
412 }
413
414 modes[type] = 0;
415 }
416 else
417 {
418 errstr = "invalid mode";
419 goto err;
420 }
421
422 err:
423 if (errstr)
424 {
425 /* we cannot use bio_err here */
426 fprintf(stderr, "openssl (lock_dbg_cb): %s (mode=%d, type=%d) at %s:%d\n",
427 errstr, mode, type, file, line);
428 }
429 }
430
431#ifdef TLSEXT_TYPE_opaque_prf_input
432struct cb_info_st { void *input; size_t len; int ret; };
433struct cb_info_st co1 = { "C", 1, 1 }; /* try to negotiate oqaque PRF input */
434struct cb_info_st co2 = { "C", 1, 2 }; /* insist on oqaque PRF input */
435struct cb_info_st so1 = { "S", 1, 1 }; /* try to negotiate oqaque PRF input */
436struct cb_info_st so2 = { "S", 1, 2 }; /* insist on oqaque PRF input */
437
438int opaque_prf_input_cb(SSL *ssl, void *peerinput, size_t len, void *arg_)
439 {
440 struct cb_info_st *arg = arg_;
441
442 if (arg == NULL)
443 return 1;
444
445 if (!SSL_set_tlsext_opaque_prf_input(ssl, arg->input, arg->len))
446 return 0;
447 return arg->ret;
448 }
449#endif
450 int ssl_mode = 0;
451 int c_small_records=0;
452 int s_small_records=0;
453 int cutthrough = 0;
454
455int main(int argc, char *argv[])
456 {
457 char *CApath=NULL,*CAfile=NULL;
458 int badop=0;
459 int bio_pair=0;
460 int force=0;
461 int tls1=0,ssl2=0,ssl3=0,ret=1;
462 int client_auth=0;
463 int server_auth=0,i;
464 struct app_verify_arg app_verify_arg =
465 { APP_CALLBACK_STRING, 0, 0, NULL, NULL };
466 char *server_cert=TEST_SERVER_CERT;
467 char *server_key=NULL;
468 char *client_cert=TEST_CLIENT_CERT;
469 char *client_key=NULL;
470#ifndef OPENSSL_NO_ECDH
471 char *named_curve = NULL;
472#endif
473 SSL_CTX *s_ctx=NULL;
474 SSL_CTX *c_ctx=NULL;
475 const SSL_METHOD *meth=NULL;
476 SSL *c_ssl,*s_ssl;
477 int number=1,reuse=0;
478 long bytes=256L;
479#ifndef OPENSSL_NO_DH
480 DH *dh;
481 int dhe1024 = 0, dhe1024dsa = 0;
482#endif
483#ifndef OPENSSL_NO_ECDH
484 EC_KEY *ecdh = NULL;
485#endif
486 int no_dhe = 0;
487 int no_ecdhe = 0;
488 int no_psk = 0;
489 int print_time = 0;
490 clock_t s_time = 0, c_time = 0;
491 int comp = 0;
492#ifndef OPENSSL_NO_COMP
493 COMP_METHOD *cm = NULL;
494#endif
495 STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
496 int test_cipherlist = 0;
497
498 verbose = 0;
499 debug = 0;
500 cipher = 0;
501
502 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE|BIO_FP_TEXT);
503
504 CRYPTO_set_locking_callback(lock_dbg_cb);
505
506 /* enable memory leak checking unless explicitly disabled */
507 if (!((getenv("OPENSSL_DEBUG_MEMORY") != NULL) && (0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off"))))
508 {
509 CRYPTO_malloc_debug_init();
510 CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
511 }
512 else
513 {
514 /* OPENSSL_DEBUG_MEMORY=off */
515 CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0);
516 }
517 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
518
519 RAND_seed(rnd_seed, sizeof rnd_seed);
520
521 bio_stdout=BIO_new_fp(stdout,BIO_NOCLOSE|BIO_FP_TEXT);
522
523 argc--;
524 argv++;
525
526 while (argc >= 1)
527 {
528 if (strcmp(*argv,"-server_auth") == 0)
529 server_auth=1;
530 else if (strcmp(*argv,"-client_auth") == 0)
531 client_auth=1;
532 else if (strcmp(*argv,"-proxy_auth") == 0)
533 {
534 if (--argc < 1) goto bad;
535 app_verify_arg.proxy_auth= *(++argv);
536 }
537 else if (strcmp(*argv,"-proxy_cond") == 0)
538 {
539 if (--argc < 1) goto bad;
540 app_verify_arg.proxy_cond= *(++argv);
541 }
542 else if (strcmp(*argv,"-v") == 0)
543 verbose=1;
544 else if (strcmp(*argv,"-d") == 0)
545 debug=1;
546 else if (strcmp(*argv,"-reuse") == 0)
547 reuse=1;
548 else if (strcmp(*argv,"-dhe1024") == 0)
549 {
550#ifndef OPENSSL_NO_DH
551 dhe1024=1;
552#else
553 fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n");
554#endif
555 }
556 else if (strcmp(*argv,"-dhe1024dsa") == 0)
557 {
558#ifndef OPENSSL_NO_DH
559 dhe1024dsa=1;
560#else
561 fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n");
562#endif
563 }
564 else if (strcmp(*argv,"-no_dhe") == 0)
565 no_dhe=1;
566 else if (strcmp(*argv,"-no_ecdhe") == 0)
567 no_ecdhe=1;
568 else if (strcmp(*argv,"-psk") == 0)
569 {
570 if (--argc < 1) goto bad;
571 psk_key=*(++argv);
572#ifndef OPENSSL_NO_PSK
573 if (strspn(psk_key, "abcdefABCDEF1234567890") != strlen(psk_key))
574 {
575 BIO_printf(bio_err,"Not a hex number '%s'\n",*argv);
576 goto bad;
577 }
578#else
579 no_psk=1;
580#endif
581 }
582 else if (strcmp(*argv,"-ssl2") == 0)
583 ssl2=1;
584 else if (strcmp(*argv,"-tls1") == 0)
585 tls1=1;
586 else if (strcmp(*argv,"-ssl3") == 0)
587 ssl3=1;
588 else if (strncmp(*argv,"-num",4) == 0)
589 {
590 if (--argc < 1) goto bad;
591 number= atoi(*(++argv));
592 if (number == 0) number=1;
593 }
594 else if (strcmp(*argv,"-bytes") == 0)
595 {
596 if (--argc < 1) goto bad;
597 bytes= atol(*(++argv));
598 if (bytes == 0L) bytes=1L;
599 i=strlen(argv[0]);
600 if (argv[0][i-1] == 'k') bytes*=1024L;
601 if (argv[0][i-1] == 'm') bytes*=1024L*1024L;
602 }
603 else if (strcmp(*argv,"-cert") == 0)
604 {
605 if (--argc < 1) goto bad;
606 server_cert= *(++argv);
607 }
608 else if (strcmp(*argv,"-s_cert") == 0)
609 {
610 if (--argc < 1) goto bad;
611 server_cert= *(++argv);
612 }
613 else if (strcmp(*argv,"-key") == 0)
614 {
615 if (--argc < 1) goto bad;
616 server_key= *(++argv);
617 }
618 else if (strcmp(*argv,"-s_key") == 0)
619 {
620 if (--argc < 1) goto bad;
621 server_key= *(++argv);
622 }
623 else if (strcmp(*argv,"-c_cert") == 0)
624 {
625 if (--argc < 1) goto bad;
626 client_cert= *(++argv);
627 }
628 else if (strcmp(*argv,"-c_key") == 0)
629 {
630 if (--argc < 1) goto bad;
631 client_key= *(++argv);
632 }
633 else if (strcmp(*argv,"-cipher") == 0)
634 {
635 if (--argc < 1) goto bad;
636 cipher= *(++argv);
637 }
638 else if (strcmp(*argv,"-CApath") == 0)
639 {
640 if (--argc < 1) goto bad;
641 CApath= *(++argv);
642 }
643 else if (strcmp(*argv,"-CAfile") == 0)
644 {
645 if (--argc < 1) goto bad;
646 CAfile= *(++argv);
647 }
648 else if (strcmp(*argv,"-bio_pair") == 0)
649 {
650 bio_pair = 1;
651 }
652 else if (strcmp(*argv,"-f") == 0)
653 {
654 force = 1;
655 }
656 else if (strcmp(*argv,"-time") == 0)
657 {
658 print_time = 1;
659 }
660 else if (strcmp(*argv,"-zlib") == 0)
661 {
662 comp = COMP_ZLIB;
663 }
664 else if (strcmp(*argv,"-rle") == 0)
665 {
666 comp = COMP_RLE;
667 }
668 else if (strcmp(*argv,"-named_curve") == 0)
669 {
670 if (--argc < 1) goto bad;
671#ifndef OPENSSL_NO_ECDH
672 named_curve = *(++argv);
673#else
674 fprintf(stderr,"ignoring -named_curve, since I'm compiled without ECDH\n");
675 ++argv;
676#endif
677 }
678 else if (strcmp(*argv,"-app_verify") == 0)
679 {
680 app_verify_arg.app_verify = 1;
681 }
682 else if (strcmp(*argv,"-proxy") == 0)
683 {
684 app_verify_arg.allow_proxy_certs = 1;
685 }
686 else if (strcmp(*argv,"-test_cipherlist") == 0)
687 {
688 test_cipherlist = 1;
689 }
690 else if (strcmp(*argv, "-c_small_records") == 0)
691 {
692 c_small_records = 1;
693 }
694 else if (strcmp(*argv, "-s_small_records") == 0)
695 {
696 s_small_records = 1;
697 }
698 else if (strcmp(*argv, "-cutthrough") == 0)
699 {
700 cutthrough = 1;
701 }
702 else
703 {
704 fprintf(stderr,"unknown option %s\n",*argv);
705 badop=1;
706 break;
707 }
708 argc--;
709 argv++;
710 }
711 if (badop)
712 {
713bad:
714 sv_usage();
715 goto end;
716 }
717
718 if (test_cipherlist == 1)
719 {
720 /* ensure that the cipher list are correctly sorted and exit */
721 if (do_test_cipherlist() == 0)
722 EXIT(1);
723 ret = 0;
724 goto end;
725 }
726
727 if (!ssl2 && !ssl3 && !tls1 && number > 1 && !reuse && !force)
728 {
729 fprintf(stderr, "This case cannot work. Use -f to perform "
730 "the test anyway (and\n-d to see what happens), "
731 "or add one of -ssl2, -ssl3, -tls1, -reuse\n"
732 "to avoid protocol mismatch.\n");
733 EXIT(1);
734 }
735
736 if (print_time)
737 {
738 if (!bio_pair)
739 {
740 fprintf(stderr, "Using BIO pair (-bio_pair)\n");
741 bio_pair = 1;
742 }
743 if (number < 50 && !force)
744 fprintf(stderr, "Warning: For accurate timings, use more connections (e.g. -num 1000)\n");
745 }
746
747/* if (cipher == NULL) cipher=getenv("SSL_CIPHER"); */
748
749 SSL_library_init();
750 SSL_load_error_strings();
751
752#ifndef OPENSSL_NO_COMP
753 if (comp == COMP_ZLIB) cm = COMP_zlib();
754 if (comp == COMP_RLE) cm = COMP_rle();
755 if (cm != NULL)
756 {
757 if (cm->type != NID_undef)
758 {
759 if (SSL_COMP_add_compression_method(comp, cm) != 0)
760 {
761 fprintf(stderr,
762 "Failed to add compression method\n");
763 ERR_print_errors_fp(stderr);
764 }
765 }
766 else
767 {
768 fprintf(stderr,
769 "Warning: %s compression not supported\n",
770 (comp == COMP_RLE ? "rle" :
771 (comp == COMP_ZLIB ? "zlib" :
772 "unknown")));
773 ERR_print_errors_fp(stderr);
774 }
775 }
776 ssl_comp_methods = SSL_COMP_get_compression_methods();
777 fprintf(stderr, "Available compression methods:\n");
778 {
779 int j, n = sk_SSL_COMP_num(ssl_comp_methods);
780 if (n == 0)
781 fprintf(stderr, " NONE\n");
782 else
783 for (j = 0; j < n; j++)
784 {
785 SSL_COMP *c = sk_SSL_COMP_value(ssl_comp_methods, j);
786 fprintf(stderr, " %d: %s\n", c->id, c->name);
787 }
788 }
789#endif
790
791#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
792 if (ssl2)
793 meth=SSLv2_method();
794 else
795 if (tls1)
796 meth=TLSv1_method();
797 else
798 if (ssl3)
799 meth=SSLv3_method();
800 else
801 meth=SSLv23_method();
802#else
803#ifdef OPENSSL_NO_SSL2
804 meth=SSLv3_method();
805#else
806 meth=SSLv2_method();
807#endif
808#endif
809
810 c_ctx=SSL_CTX_new(meth);
811 s_ctx=SSL_CTX_new(meth);
812 if ((c_ctx == NULL) || (s_ctx == NULL))
813 {
814 ERR_print_errors(bio_err);
815 goto end;
816 }
817
818 if (cipher != NULL)
819 {
820 SSL_CTX_set_cipher_list(c_ctx,cipher);
821 SSL_CTX_set_cipher_list(s_ctx,cipher);
822 }
823
824 ssl_mode = 0;
825 if (c_small_records)
826 {
827 ssl_mode = SSL_CTX_get_mode(c_ctx);
828 ssl_mode |= SSL_MODE_SMALL_BUFFERS;
829 SSL_CTX_set_mode(c_ctx, ssl_mode);
830 }
831 ssl_mode = 0;
832 if (s_small_records)
833 {
834 ssl_mode = SSL_CTX_get_mode(s_ctx);
835 ssl_mode |= SSL_MODE_SMALL_BUFFERS;
836 SSL_CTX_set_mode(s_ctx, ssl_mode);
837 }
838 ssl_mode = 0;
839 if (cutthrough)
840 {
841 ssl_mode = SSL_CTX_get_mode(c_ctx);
842 ssl_mode = SSL_MODE_HANDSHAKE_CUTTHROUGH;
843 SSL_CTX_set_mode(c_ctx, ssl_mode);
844 }
845
846#ifndef OPENSSL_NO_DH
847 if (!no_dhe)
848 {
849 if (dhe1024dsa)
850 {
851 /* use SSL_OP_SINGLE_DH_USE to avoid small subgroup attacks */
852 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);
853 dh=get_dh1024dsa();
854 }
855 else if (dhe1024)
856 dh=get_dh1024();
857 else
858 dh=get_dh512();
859 SSL_CTX_set_tmp_dh(s_ctx,dh);
860 DH_free(dh);
861 }
862#else
863 (void)no_dhe;
864#endif
865
866#ifndef OPENSSL_NO_ECDH
867 if (!no_ecdhe)
868 {
869 int nid;
870
871 if (named_curve != NULL)
872 {
873 nid = OBJ_sn2nid(named_curve);
874 if (nid == 0)
875 {
876 BIO_printf(bio_err, "unknown curve name (%s)\n", named_curve);
877 goto end;
878 }
879 }
880 else
881 nid = NID_sect163r2;
882
883 ecdh = EC_KEY_new_by_curve_name(nid);
884 if (ecdh == NULL)
885 {
886 BIO_printf(bio_err, "unable to create curve\n");
887 goto end;
888 }
889
890 SSL_CTX_set_tmp_ecdh(s_ctx, ecdh);
891 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_ECDH_USE);
892 EC_KEY_free(ecdh);
893 }
894#else
895 (void)no_ecdhe;
896#endif
897
898#ifndef OPENSSL_NO_RSA
899 SSL_CTX_set_tmp_rsa_callback(s_ctx,tmp_rsa_cb);
900#endif
901
902#ifdef TLSEXT_TYPE_opaque_prf_input
903 SSL_CTX_set_tlsext_opaque_prf_input_callback(c_ctx, opaque_prf_input_cb);
904 SSL_CTX_set_tlsext_opaque_prf_input_callback(s_ctx, opaque_prf_input_cb);
905 SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(c_ctx, &co1); /* or &co2 or NULL */
906 SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(s_ctx, &so1); /* or &so2 or NULL */
907#endif
908
909 if (!SSL_CTX_use_certificate_file(s_ctx,server_cert,SSL_FILETYPE_PEM))
910 {
911 ERR_print_errors(bio_err);
912 }
913 else if (!SSL_CTX_use_PrivateKey_file(s_ctx,
914 (server_key?server_key:server_cert), SSL_FILETYPE_PEM))
915 {
916 ERR_print_errors(bio_err);
917 goto end;
918 }
919
920 if (client_auth)
921 {
922 SSL_CTX_use_certificate_file(c_ctx,client_cert,
923 SSL_FILETYPE_PEM);
924 SSL_CTX_use_PrivateKey_file(c_ctx,
925 (client_key?client_key:client_cert),
926 SSL_FILETYPE_PEM);
927 }
928
929 if ( (!SSL_CTX_load_verify_locations(s_ctx,CAfile,CApath)) ||
930 (!SSL_CTX_set_default_verify_paths(s_ctx)) ||
931 (!SSL_CTX_load_verify_locations(c_ctx,CAfile,CApath)) ||
932 (!SSL_CTX_set_default_verify_paths(c_ctx)))
933 {
934 /* fprintf(stderr,"SSL_load_verify_locations\n"); */
935 ERR_print_errors(bio_err);
936 /* goto end; */
937 }
938
939 if (client_auth)
940 {
941 BIO_printf(bio_err,"client authentication\n");
942 SSL_CTX_set_verify(s_ctx,
943 SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
944 verify_callback);
945 SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, &app_verify_arg);
946 }
947 if (server_auth)
948 {
949 BIO_printf(bio_err,"server authentication\n");
950 SSL_CTX_set_verify(c_ctx,SSL_VERIFY_PEER,
951 verify_callback);
952 SSL_CTX_set_cert_verify_callback(c_ctx, app_verify_callback, &app_verify_arg);
953 }
954
955 {
956 int session_id_context = 0;
957 SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context, sizeof session_id_context);
958 }
959
960 /* Use PSK only if PSK key is given */
961 if (psk_key != NULL)
962 {
963 /* no_psk is used to avoid putting psk command to openssl tool */
964 if (no_psk)
965 {
966 /* if PSK is not compiled in and psk key is
967 * given, do nothing and exit successfully */
968 ret=0;
969 goto end;
970 }
971#ifndef OPENSSL_NO_PSK
972 SSL_CTX_set_psk_client_callback(c_ctx, psk_client_callback);
973 SSL_CTX_set_psk_server_callback(s_ctx, psk_server_callback);
974 if (debug)
975 BIO_printf(bio_err,"setting PSK identity hint to s_ctx\n");
976 if (!SSL_CTX_use_psk_identity_hint(s_ctx, "ctx server identity_hint"))
977 {
978 BIO_printf(bio_err,"error setting PSK identity hint to s_ctx\n");
979 ERR_print_errors(bio_err);
980 goto end;
981 }
982#endif
983 }
984
985 c_ssl=SSL_new(c_ctx);
986 s_ssl=SSL_new(s_ctx);
987
988#ifndef OPENSSL_NO_KRB5
989 if (c_ssl && c_ssl->kssl_ctx)
990 {
991 char localhost[MAXHOSTNAMELEN+2];
992
993 if (gethostname(localhost, sizeof localhost-1) == 0)
994 {
995 localhost[sizeof localhost-1]='\0';
996 if(strlen(localhost) == sizeof localhost-1)
997 {
998 BIO_printf(bio_err,"localhost name too long\n");
999 goto end;
1000 }
1001 kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER,
1002 localhost);
1003 }
1004 }
1005#endif /* OPENSSL_NO_KRB5 */
1006
1007 for (i=0; i<number; i++)
1008 {
1009 if (!reuse) SSL_set_session(c_ssl,NULL);
1010 if (bio_pair)
1011 ret=doit_biopair(s_ssl,c_ssl,bytes,&s_time,&c_time);
1012 else
1013 ret=doit(s_ssl,c_ssl,bytes);
1014 }
1015
1016 if (!verbose)
1017 {
1018 print_details(c_ssl, "");
1019 }
1020 if ((number > 1) || (bytes > 1L))
1021 BIO_printf(bio_stdout, "%d handshakes of %ld bytes done\n",number,bytes);
1022 if (print_time)
1023 {
1024#ifdef CLOCKS_PER_SEC
1025 /* "To determine the time in seconds, the value returned
1026 * by the clock function should be divided by the value
1027 * of the macro CLOCKS_PER_SEC."
1028 * -- ISO/IEC 9899 */
1029 BIO_printf(bio_stdout, "Approximate total server time: %6.2f s\n"
1030 "Approximate total client time: %6.2f s\n",
1031 (double)s_time/CLOCKS_PER_SEC,
1032 (double)c_time/CLOCKS_PER_SEC);
1033#else
1034 /* "`CLOCKS_PER_SEC' undeclared (first use this function)"
1035 * -- cc on NeXTstep/OpenStep */
1036 BIO_printf(bio_stdout,
1037 "Approximate total server time: %6.2f units\n"
1038 "Approximate total client time: %6.2f units\n",
1039 (double)s_time,
1040 (double)c_time);
1041#endif
1042 }
1043
1044 SSL_free(s_ssl);
1045 SSL_free(c_ssl);
1046
1047end:
1048 if (s_ctx != NULL) SSL_CTX_free(s_ctx);
1049 if (c_ctx != NULL) SSL_CTX_free(c_ctx);
1050
1051 if (bio_stdout != NULL) BIO_free(bio_stdout);
1052
1053#ifndef OPENSSL_NO_RSA
1054 free_tmp_rsa();
1055#endif
1056#ifndef OPENSSL_NO_ENGINE
1057 ENGINE_cleanup();
1058#endif
1059 CRYPTO_cleanup_all_ex_data();
1060 ERR_free_strings();
1061 ERR_remove_thread_state(NULL);
1062 EVP_cleanup();
1063 CRYPTO_mem_leaks(bio_err);
1064 if (bio_err != NULL) BIO_free(bio_err);
1065 EXIT(ret);
1066 return ret;
1067 }
1068
1069int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count,
1070 clock_t *s_time, clock_t *c_time)
1071 {
1072 long cw_num = count, cr_num = count, sw_num = count, sr_num = count;
1073 BIO *s_ssl_bio = NULL, *c_ssl_bio = NULL;
1074 BIO *server = NULL, *server_io = NULL, *client = NULL, *client_io = NULL;
1075 int ret = 1;
1076
1077 size_t bufsiz = 256; /* small buffer for testing */
1078
1079 if (!BIO_new_bio_pair(&server, bufsiz, &server_io, bufsiz))
1080 goto err;
1081 if (!BIO_new_bio_pair(&client, bufsiz, &client_io, bufsiz))
1082 goto err;
1083
1084 s_ssl_bio = BIO_new(BIO_f_ssl());
1085 if (!s_ssl_bio)
1086 goto err;
1087
1088 c_ssl_bio = BIO_new(BIO_f_ssl());
1089 if (!c_ssl_bio)
1090 goto err;
1091
1092 SSL_set_connect_state(c_ssl);
1093 SSL_set_bio(c_ssl, client, client);
1094 (void)BIO_set_ssl(c_ssl_bio, c_ssl, BIO_NOCLOSE);
1095
1096 SSL_set_accept_state(s_ssl);
1097 SSL_set_bio(s_ssl, server, server);
1098 (void)BIO_set_ssl(s_ssl_bio, s_ssl, BIO_NOCLOSE);
1099
1100 do
1101 {
1102 /* c_ssl_bio: SSL filter BIO
1103 *
1104 * client: pseudo-I/O for SSL library
1105 *
1106 * client_io: client's SSL communication; usually to be
1107 * relayed over some I/O facility, but in this
1108 * test program, we're the server, too:
1109 *
1110 * server_io: server's SSL communication
1111 *
1112 * server: pseudo-I/O for SSL library
1113 *
1114 * s_ssl_bio: SSL filter BIO
1115 *
1116 * The client and the server each employ a "BIO pair":
1117 * client + client_io, server + server_io.
1118 * BIO pairs are symmetric. A BIO pair behaves similar
1119 * to a non-blocking socketpair (but both endpoints must
1120 * be handled by the same thread).
1121 * [Here we could connect client and server to the ends
1122 * of a single BIO pair, but then this code would be less
1123 * suitable as an example for BIO pairs in general.]
1124 *
1125 * Useful functions for querying the state of BIO pair endpoints:
1126 *
1127 * BIO_ctrl_pending(bio) number of bytes we can read now
1128 * BIO_ctrl_get_read_request(bio) number of bytes needed to fulfil
1129 * other side's read attempt
1130 * BIO_ctrl_get_write_guarantee(bio) number of bytes we can write now
1131 *
1132 * ..._read_request is never more than ..._write_guarantee;
1133 * it depends on the application which one you should use.
1134 */
1135
1136 /* We have non-blocking behaviour throughout this test program, but
1137 * can be sure that there is *some* progress in each iteration; so
1138 * we don't have to worry about ..._SHOULD_READ or ..._SHOULD_WRITE
1139 * -- we just try everything in each iteration
1140 */
1141
1142 {
1143 /* CLIENT */
1144
1145 MS_STATIC char cbuf[1024*8];
1146 int i, r;
1147 clock_t c_clock = clock();
1148
1149 memset(cbuf, 0, sizeof(cbuf));
1150
1151 if (debug)
1152 if (SSL_in_init(c_ssl))
1153 printf("client waiting in SSL_connect - %s\n",
1154 SSL_state_string_long(c_ssl));
1155
1156 if (cw_num > 0)
1157 {
1158 /* Write to server. */
1159
1160 if (cw_num > (long)sizeof cbuf)
1161 i = sizeof cbuf;
1162 else
1163 i = (int)cw_num;
1164 r = BIO_write(c_ssl_bio, cbuf, i);
1165 if (r < 0)
1166 {
1167 if (!BIO_should_retry(c_ssl_bio))
1168 {
1169 fprintf(stderr,"ERROR in CLIENT\n");
1170 goto err;
1171 }
1172 /* BIO_should_retry(...) can just be ignored here.
1173 * The library expects us to call BIO_write with
1174 * the same arguments again, and that's what we will
1175 * do in the next iteration. */
1176 }
1177 else if (r == 0)
1178 {
1179 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1180 goto err;
1181 }
1182 else
1183 {
1184 if (debug)
1185 printf("client wrote %d\n", r);
1186 cw_num -= r;
1187 }
1188 }
1189
1190 if (cr_num > 0)
1191 {
1192 /* Read from server. */
1193
1194 r = BIO_read(c_ssl_bio, cbuf, sizeof(cbuf));
1195 if (r < 0)
1196 {
1197 if (!BIO_should_retry(c_ssl_bio))
1198 {
1199 fprintf(stderr,"ERROR in CLIENT\n");
1200 goto err;
1201 }
1202 /* Again, "BIO_should_retry" can be ignored. */
1203 }
1204 else if (r == 0)
1205 {
1206 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1207 goto err;
1208 }
1209 else
1210 {
1211 if (debug)
1212 printf("client read %d\n", r);
1213 cr_num -= r;
1214 }
1215 }
1216
1217 /* c_time and s_time increments will typically be very small
1218 * (depending on machine speed and clock tick intervals),
1219 * but sampling over a large number of connections should
1220 * result in fairly accurate figures. We cannot guarantee
1221 * a lot, however -- if each connection lasts for exactly
1222 * one clock tick, it will be counted only for the client
1223 * or only for the server or even not at all.
1224 */
1225 *c_time += (clock() - c_clock);
1226 }
1227
1228 {
1229 /* SERVER */
1230
1231 MS_STATIC char sbuf[1024*8];
1232 int i, r;
1233 clock_t s_clock = clock();
1234
1235 memset(sbuf, 0, sizeof(sbuf));
1236
1237 if (debug)
1238 if (SSL_in_init(s_ssl))
1239 printf("server waiting in SSL_accept - %s\n",
1240 SSL_state_string_long(s_ssl));
1241
1242 if (sw_num > 0)
1243 {
1244 /* Write to client. */
1245
1246 if (sw_num > (long)sizeof sbuf)
1247 i = sizeof sbuf;
1248 else
1249 i = (int)sw_num;
1250 r = BIO_write(s_ssl_bio, sbuf, i);
1251 if (r < 0)
1252 {
1253 if (!BIO_should_retry(s_ssl_bio))
1254 {
1255 fprintf(stderr,"ERROR in SERVER\n");
1256 goto err;
1257 }
1258 /* Ignore "BIO_should_retry". */
1259 }
1260 else if (r == 0)
1261 {
1262 fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
1263 goto err;
1264 }
1265 else
1266 {
1267 if (debug)
1268 printf("server wrote %d\n", r);
1269 sw_num -= r;
1270 }
1271 }
1272
1273 if (sr_num > 0)
1274 {
1275 /* Read from client. */
1276
1277 r = BIO_read(s_ssl_bio, sbuf, sizeof(sbuf));
1278 if (r < 0)
1279 {
1280 if (!BIO_should_retry(s_ssl_bio))
1281 {
1282 fprintf(stderr,"ERROR in SERVER\n");
1283 goto err;
1284 }
1285 /* blah, blah */
1286 }
1287 else if (r == 0)
1288 {
1289 fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
1290 goto err;
1291 }
1292 else
1293 {
1294 if (debug)
1295 printf("server read %d\n", r);
1296 sr_num -= r;
1297 }
1298 }
1299
1300 *s_time += (clock() - s_clock);
1301 }
1302
1303 {
1304 /* "I/O" BETWEEN CLIENT AND SERVER. */
1305
1306 size_t r1, r2;
1307 BIO *io1 = server_io, *io2 = client_io;
1308 /* we use the non-copying interface for io1
1309 * and the standard BIO_write/BIO_read interface for io2
1310 */
1311
1312 static int prev_progress = 1;
1313 int progress = 0;
1314
1315 /* io1 to io2 */
1316 do
1317 {
1318 size_t num;
1319 int r;
1320
1321 r1 = BIO_ctrl_pending(io1);
1322 r2 = BIO_ctrl_get_write_guarantee(io2);
1323
1324 num = r1;
1325 if (r2 < num)
1326 num = r2;
1327 if (num)
1328 {
1329 char *dataptr;
1330
1331 if (INT_MAX < num) /* yeah, right */
1332 num = INT_MAX;
1333
1334 r = BIO_nread(io1, &dataptr, (int)num);
1335 assert(r > 0);
1336 assert(r <= (int)num);
1337 /* possibly r < num (non-contiguous data) */
1338 num = r;
1339 r = BIO_write(io2, dataptr, (int)num);
1340 if (r != (int)num) /* can't happen */
1341 {
1342 fprintf(stderr, "ERROR: BIO_write could not write "
1343 "BIO_ctrl_get_write_guarantee() bytes");
1344 goto err;
1345 }
1346 progress = 1;
1347
1348 if (debug)
1349 printf((io1 == client_io) ?
1350 "C->S relaying: %d bytes\n" :
1351 "S->C relaying: %d bytes\n",
1352 (int)num);
1353 }
1354 }
1355 while (r1 && r2);
1356
1357 /* io2 to io1 */
1358 {
1359 size_t num;
1360 int r;
1361
1362 r1 = BIO_ctrl_pending(io2);
1363 r2 = BIO_ctrl_get_read_request(io1);
1364 /* here we could use ..._get_write_guarantee instead of
1365 * ..._get_read_request, but by using the latter
1366 * we test restartability of the SSL implementation
1367 * more thoroughly */
1368 num = r1;
1369 if (r2 < num)
1370 num = r2;
1371 if (num)
1372 {
1373 char *dataptr;
1374
1375 if (INT_MAX < num)
1376 num = INT_MAX;
1377
1378 if (num > 1)
1379 --num; /* test restartability even more thoroughly */
1380
1381 r = BIO_nwrite0(io1, &dataptr);
1382 assert(r > 0);
1383 if (r < (int)num)
1384 num = r;
1385 r = BIO_read(io2, dataptr, (int)num);
1386 if (r != (int)num) /* can't happen */
1387 {
1388 fprintf(stderr, "ERROR: BIO_read could not read "
1389 "BIO_ctrl_pending() bytes");
1390 goto err;
1391 }
1392 progress = 1;
1393 r = BIO_nwrite(io1, &dataptr, (int)num);
1394 if (r != (int)num) /* can't happen */
1395 {
1396 fprintf(stderr, "ERROR: BIO_nwrite() did not accept "
1397 "BIO_nwrite0() bytes");
1398 goto err;
1399 }
1400
1401 if (debug)
1402 printf((io2 == client_io) ?
1403 "C->S relaying: %d bytes\n" :
1404 "S->C relaying: %d bytes\n",
1405 (int)num);
1406 }
1407 } /* no loop, BIO_ctrl_get_read_request now returns 0 anyway */
1408
1409 if (!progress && !prev_progress)
1410 if (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0)
1411 {
1412 fprintf(stderr, "ERROR: got stuck\n");
1413 if (strcmp("SSLv2", SSL_get_version(c_ssl)) == 0)
1414 {
1415 fprintf(stderr, "This can happen for SSL2 because "
1416 "CLIENT-FINISHED and SERVER-VERIFY are written \n"
1417 "concurrently ...");
1418 if (strncmp("2SCF", SSL_state_string(c_ssl), 4) == 0
1419 && strncmp("2SSV", SSL_state_string(s_ssl), 4) == 0)
1420 {
1421 fprintf(stderr, " ok.\n");
1422 goto end;
1423 }
1424 }
1425 fprintf(stderr, " ERROR.\n");
1426 goto err;
1427 }
1428 prev_progress = progress;
1429 }
1430 }
1431 while (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0);
1432
1433 if (verbose)
1434 print_details(c_ssl, "DONE via BIO pair: ");
1435end:
1436 ret = 0;
1437
1438 err:
1439 ERR_print_errors(bio_err);
1440
1441 if (server)
1442 BIO_free(server);
1443 if (server_io)
1444 BIO_free(server_io);
1445 if (client)
1446 BIO_free(client);
1447 if (client_io)
1448 BIO_free(client_io);
1449 if (s_ssl_bio)
1450 BIO_free(s_ssl_bio);
1451 if (c_ssl_bio)
1452 BIO_free(c_ssl_bio);
1453
1454 return ret;
1455 }
1456
1457
1458#define W_READ 1
1459#define W_WRITE 2
1460#define C_DONE 1
1461#define S_DONE 2
1462
1463int doit(SSL *s_ssl, SSL *c_ssl, long count)
1464 {
1465 MS_STATIC char cbuf[1024*8],sbuf[1024*8];
1466 long cw_num=count,cr_num=count;
1467 long sw_num=count,sr_num=count;
1468 int ret=1;
1469 BIO *c_to_s=NULL;
1470 BIO *s_to_c=NULL;
1471 BIO *c_bio=NULL;
1472 BIO *s_bio=NULL;
1473 int c_r,c_w,s_r,s_w;
1474 int c_want,s_want;
1475 int i,j;
1476 int done=0;
1477 int c_write,s_write;
1478 int do_server=0,do_client=0;
1479
1480 memset(cbuf,0,sizeof(cbuf));
1481 memset(sbuf,0,sizeof(sbuf));
1482
1483 c_to_s=BIO_new(BIO_s_mem());
1484 s_to_c=BIO_new(BIO_s_mem());
1485 if ((s_to_c == NULL) || (c_to_s == NULL))
1486 {
1487 ERR_print_errors(bio_err);
1488 goto err;
1489 }
1490
1491 c_bio=BIO_new(BIO_f_ssl());
1492 s_bio=BIO_new(BIO_f_ssl());
1493 if ((c_bio == NULL) || (s_bio == NULL))
1494 {
1495 ERR_print_errors(bio_err);
1496 goto err;
1497 }
1498
1499 SSL_set_connect_state(c_ssl);
1500 SSL_set_bio(c_ssl,s_to_c,c_to_s);
1501 BIO_set_ssl(c_bio,c_ssl,BIO_NOCLOSE);
1502
1503 SSL_set_accept_state(s_ssl);
1504 SSL_set_bio(s_ssl,c_to_s,s_to_c);
1505 BIO_set_ssl(s_bio,s_ssl,BIO_NOCLOSE);
1506
1507 c_r=0; s_r=1;
1508 c_w=1; s_w=0;
1509 c_want=W_WRITE;
1510 s_want=0;
1511 c_write=1,s_write=0;
1512
1513 /* We can always do writes */
1514 for (;;)
1515 {
1516 do_server=0;
1517 do_client=0;
1518
1519 i=(int)BIO_pending(s_bio);
1520 if ((i && s_r) || s_w) do_server=1;
1521
1522 i=(int)BIO_pending(c_bio);
1523 if ((i && c_r) || c_w) do_client=1;
1524
1525 if (do_server && debug)
1526 {
1527 if (SSL_in_init(s_ssl))
1528 printf("server waiting in SSL_accept - %s\n",
1529 SSL_state_string_long(s_ssl));
1530/* else if (s_write)
1531 printf("server:SSL_write()\n");
1532 else
1533 printf("server:SSL_read()\n"); */
1534 }
1535
1536 if (do_client && debug)
1537 {
1538 if (SSL_in_init(c_ssl))
1539 printf("client waiting in SSL_connect - %s\n",
1540 SSL_state_string_long(c_ssl));
1541/* else if (c_write)
1542 printf("client:SSL_write()\n");
1543 else
1544 printf("client:SSL_read()\n"); */
1545 }
1546
1547 if (!do_client && !do_server)
1548 {
1549 fprintf(stdout,"ERROR IN STARTUP\n");
1550 ERR_print_errors(bio_err);
1551 break;
1552 }
1553 if (do_client && !(done & C_DONE))
1554 {
1555 if (c_write)
1556 {
1557 j = (cw_num > (long)sizeof(cbuf)) ?
1558 (int)sizeof(cbuf) : (int)cw_num;
1559 i=BIO_write(c_bio,cbuf,j);
1560 if (i < 0)
1561 {
1562 c_r=0;
1563 c_w=0;
1564 if (BIO_should_retry(c_bio))
1565 {
1566 if (BIO_should_read(c_bio))
1567 c_r=1;
1568 if (BIO_should_write(c_bio))
1569 c_w=1;
1570 }
1571 else
1572 {
1573 fprintf(stderr,"ERROR in CLIENT\n");
1574 ERR_print_errors(bio_err);
1575 goto err;
1576 }
1577 }
1578 else if (i == 0)
1579 {
1580 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1581 goto err;
1582 }
1583 else
1584 {
1585 if (debug)
1586 printf("client wrote %d\n",i);
1587 /* ok */
1588 s_r=1;
1589 c_write=0;
1590 cw_num-=i;
1591 }
1592 }
1593 else
1594 {
1595 i=BIO_read(c_bio,cbuf,sizeof(cbuf));
1596 if (i < 0)
1597 {
1598 c_r=0;
1599 c_w=0;
1600 if (BIO_should_retry(c_bio))
1601 {
1602 if (BIO_should_read(c_bio))
1603 c_r=1;
1604 if (BIO_should_write(c_bio))
1605 c_w=1;
1606 }
1607 else
1608 {
1609 fprintf(stderr,"ERROR in CLIENT\n");
1610 ERR_print_errors(bio_err);
1611 goto err;
1612 }
1613 }
1614 else if (i == 0)
1615 {
1616 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1617 goto err;
1618 }
1619 else
1620 {
1621 if (debug)
1622 printf("client read %d\n",i);
1623 cr_num-=i;
1624 if (sw_num > 0)
1625 {
1626 s_write=1;
1627 s_w=1;
1628 }
1629 if (cr_num <= 0)
1630 {
1631 s_write=1;
1632 s_w=1;
1633 done=S_DONE|C_DONE;
1634 }
1635 }
1636 }
1637 }
1638
1639 if (do_server && !(done & S_DONE))
1640 {
1641 if (!s_write)
1642 {
1643 i=BIO_read(s_bio,sbuf,sizeof(cbuf));
1644 if (i < 0)
1645 {
1646 s_r=0;
1647 s_w=0;
1648 if (BIO_should_retry(s_bio))
1649 {
1650 if (BIO_should_read(s_bio))
1651 s_r=1;
1652 if (BIO_should_write(s_bio))
1653 s_w=1;
1654 }
1655 else
1656 {
1657 fprintf(stderr,"ERROR in SERVER\n");
1658 ERR_print_errors(bio_err);
1659 goto err;
1660 }
1661 }
1662 else if (i == 0)
1663 {
1664 ERR_print_errors(bio_err);
1665 fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_read\n");
1666 goto err;
1667 }
1668 else
1669 {
1670 if (debug)
1671 printf("server read %d\n",i);
1672 sr_num-=i;
1673 if (cw_num > 0)
1674 {
1675 c_write=1;
1676 c_w=1;
1677 }
1678 if (sr_num <= 0)
1679 {
1680 s_write=1;
1681 s_w=1;
1682 c_write=0;
1683 }
1684 }
1685 }
1686 else
1687 {
1688 j = (sw_num > (long)sizeof(sbuf)) ?
1689 (int)sizeof(sbuf) : (int)sw_num;
1690 i=BIO_write(s_bio,sbuf,j);
1691 if (i < 0)
1692 {
1693 s_r=0;
1694 s_w=0;
1695 if (BIO_should_retry(s_bio))
1696 {
1697 if (BIO_should_read(s_bio))
1698 s_r=1;
1699 if (BIO_should_write(s_bio))
1700 s_w=1;
1701 }
1702 else
1703 {
1704 fprintf(stderr,"ERROR in SERVER\n");
1705 ERR_print_errors(bio_err);
1706 goto err;
1707 }
1708 }
1709 else if (i == 0)
1710 {
1711 ERR_print_errors(bio_err);
1712 fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_write\n");
1713 goto err;
1714 }
1715 else
1716 {
1717 if (debug)
1718 printf("server wrote %d\n",i);
1719 sw_num-=i;
1720 s_write=0;
1721 c_r=1;
1722 if (sw_num <= 0)
1723 done|=S_DONE;
1724 }
1725 }
1726 }
1727
1728 if ((done & S_DONE) && (done & C_DONE)) break;
1729 }
1730
1731 if (verbose)
1732 print_details(c_ssl, "DONE: ");
1733 ret=0;
1734err:
1735 /* We have to set the BIO's to NULL otherwise they will be
1736 * OPENSSL_free()ed twice. Once when th s_ssl is SSL_free()ed and
1737 * again when c_ssl is SSL_free()ed.
1738 * This is a hack required because s_ssl and c_ssl are sharing the same
1739 * BIO structure and SSL_set_bio() and SSL_free() automatically
1740 * BIO_free non NULL entries.
1741 * You should not normally do this or be required to do this */
1742 if (s_ssl != NULL)
1743 {
1744 s_ssl->rbio=NULL;
1745 s_ssl->wbio=NULL;
1746 }
1747 if (c_ssl != NULL)
1748 {
1749 c_ssl->rbio=NULL;
1750 c_ssl->wbio=NULL;
1751 }
1752
1753 if (c_to_s != NULL) BIO_free(c_to_s);
1754 if (s_to_c != NULL) BIO_free(s_to_c);
1755 if (c_bio != NULL) BIO_free_all(c_bio);
1756 if (s_bio != NULL) BIO_free_all(s_bio);
1757 return(ret);
1758 }
1759
1760static int get_proxy_auth_ex_data_idx(void)
1761 {
1762 static volatile int idx = -1;
1763 if (idx < 0)
1764 {
1765 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
1766 if (idx < 0)
1767 {
1768 idx = X509_STORE_CTX_get_ex_new_index(0,
1769 "SSLtest for verify callback", NULL,NULL,NULL);
1770 }
1771 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
1772 }
1773 return idx;
1774 }
1775
1776static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
1777 {
1778 char *s,buf[256];
1779
1780 s=X509_NAME_oneline(X509_get_subject_name(ctx->current_cert),buf,
1781 sizeof buf);
1782 if (s != NULL)
1783 {
1784 if (ok)
1785 fprintf(stderr,"depth=%d %s\n",
1786 ctx->error_depth,buf);
1787 else
1788 {
1789 fprintf(stderr,"depth=%d error=%d %s\n",
1790 ctx->error_depth,ctx->error,buf);
1791 }
1792 }
1793
1794 if (ok == 0)
1795 {
1796 fprintf(stderr,"Error string: %s\n",
1797 X509_verify_cert_error_string(ctx->error));
1798 switch (ctx->error)
1799 {
1800 case X509_V_ERR_CERT_NOT_YET_VALID:
1801 case X509_V_ERR_CERT_HAS_EXPIRED:
1802 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
1803 fprintf(stderr," ... ignored.\n");
1804 ok=1;
1805 }
1806 }
1807
1808 if (ok == 1)
1809 {
1810 X509 *xs = ctx->current_cert;
1811#if 0
1812 X509 *xi = ctx->current_issuer;
1813#endif
1814
1815 if (xs->ex_flags & EXFLAG_PROXY)
1816 {
1817 unsigned int *letters =
1818 X509_STORE_CTX_get_ex_data(ctx,
1819 get_proxy_auth_ex_data_idx());
1820
1821 if (letters)
1822 {
1823 int found_any = 0;
1824 int i;
1825 PROXY_CERT_INFO_EXTENSION *pci =
1826 X509_get_ext_d2i(xs, NID_proxyCertInfo,
1827 NULL, NULL);
1828
1829 switch (OBJ_obj2nid(pci->proxyPolicy->policyLanguage))
1830 {
1831 case NID_Independent:
1832 /* Completely meaningless in this
1833 program, as there's no way to
1834 grant explicit rights to a
1835 specific PrC. Basically, using
1836 id-ppl-Independent is the perfect
1837 way to grant no rights at all. */
1838 fprintf(stderr, " Independent proxy certificate");
1839 for (i = 0; i < 26; i++)
1840 letters[i] = 0;
1841 break;
1842 case NID_id_ppl_inheritAll:
1843 /* This is basically a NOP, we
1844 simply let the current rights
1845 stand as they are. */
1846 fprintf(stderr, " Proxy certificate inherits all");
1847 break;
1848 default:
1849 s = (char *)
1850 pci->proxyPolicy->policy->data;
1851 i = pci->proxyPolicy->policy->length;
1852
1853 /* The algorithm works as follows:
1854 it is assumed that previous
1855 iterations or the initial granted
1856 rights has already set some elements
1857 of `letters'. What we need to do is
1858 to clear those that weren't granted
1859 by the current PrC as well. The
1860 easiest way to do this is to add 1
1861 to all the elements whose letters
1862 are given with the current policy.
1863 That way, all elements that are set
1864 by the current policy and were
1865 already set by earlier policies and
1866 through the original grant of rights
1867 will get the value 2 or higher.
1868 The last thing to do is to sweep
1869 through `letters' and keep the
1870 elements having the value 2 as set,
1871 and clear all the others. */
1872
1873 fprintf(stderr, " Certificate proxy rights = %*.*s", i, i, s);
1874 while(i-- > 0)
1875 {
1876 int c = *s++;
1877 if (isascii(c) && isalpha(c))
1878 {
1879 if (islower(c))
1880 c = toupper(c);
1881 letters[c - 'A']++;
1882 }
1883 }
1884 for (i = 0; i < 26; i++)
1885 if (letters[i] < 2)
1886 letters[i] = 0;
1887 else
1888 letters[i] = 1;
1889 }
1890
1891 found_any = 0;
1892 fprintf(stderr,
1893 ", resulting proxy rights = ");
1894 for(i = 0; i < 26; i++)
1895 if (letters[i])
1896 {
1897 fprintf(stderr, "%c", i + 'A');
1898 found_any = 1;
1899 }
1900 if (!found_any)
1901 fprintf(stderr, "none");
1902 fprintf(stderr, "\n");
1903
1904 PROXY_CERT_INFO_EXTENSION_free(pci);
1905 }
1906 }
1907 }
1908
1909 return(ok);
1910 }
1911
1912static void process_proxy_debug(int indent, const char *format, ...)
1913 {
1914 static const char indentation[] =
1915 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
1916 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"; /* That's 80 > */
1917 char my_format[256];
1918 va_list args;
1919
1920 BIO_snprintf(my_format, sizeof(my_format), "%*.*s %s",
1921 indent, indent, indentation, format);
1922
1923 va_start(args, format);
1924 vfprintf(stderr, my_format, args);
1925 va_end(args);
1926 }
1927/* Priority levels:
1928 0 [!]var, ()
1929 1 & ^
1930 2 |
1931*/
1932static int process_proxy_cond_adders(unsigned int letters[26],
1933 const char *cond, const char **cond_end, int *pos, int indent);
1934static int process_proxy_cond_val(unsigned int letters[26],
1935 const char *cond, const char **cond_end, int *pos, int indent)
1936 {
1937 int c;
1938 int ok = 1;
1939 int negate = 0;
1940
1941 while(isspace((int)*cond))
1942 {
1943 cond++; (*pos)++;
1944 }
1945 c = *cond;
1946
1947 if (debug)
1948 process_proxy_debug(indent,
1949 "Start process_proxy_cond_val at position %d: %s\n",
1950 *pos, cond);
1951
1952 while(c == '!')
1953 {
1954 negate = !negate;
1955 cond++; (*pos)++;
1956 while(isspace((int)*cond))
1957 {
1958 cond++; (*pos)++;
1959 }
1960 c = *cond;
1961 }
1962
1963 if (c == '(')
1964 {
1965 cond++; (*pos)++;
1966 ok = process_proxy_cond_adders(letters, cond, cond_end, pos,
1967 indent + 1);
1968 cond = *cond_end;
1969 if (ok < 0)
1970 goto end;
1971 while(isspace((int)*cond))
1972 {
1973 cond++; (*pos)++;
1974 }
1975 c = *cond;
1976 if (c != ')')
1977 {
1978 fprintf(stderr,
1979 "Weird condition character in position %d: "
1980 "%c\n", *pos, c);
1981 ok = -1;
1982 goto end;
1983 }
1984 cond++; (*pos)++;
1985 }
1986 else if (isascii(c) && isalpha(c))
1987 {
1988 if (islower(c))
1989 c = toupper(c);
1990 ok = letters[c - 'A'];
1991 cond++; (*pos)++;
1992 }
1993 else
1994 {
1995 fprintf(stderr,
1996 "Weird condition character in position %d: "
1997 "%c\n", *pos, c);
1998 ok = -1;
1999 goto end;
2000 }
2001 end:
2002 *cond_end = cond;
2003 if (ok >= 0 && negate)
2004 ok = !ok;
2005
2006 if (debug)
2007 process_proxy_debug(indent,
2008 "End process_proxy_cond_val at position %d: %s, returning %d\n",
2009 *pos, cond, ok);
2010
2011 return ok;
2012 }
2013static int process_proxy_cond_multipliers(unsigned int letters[26],
2014 const char *cond, const char **cond_end, int *pos, int indent)
2015 {
2016 int ok;
2017 char c;
2018
2019 if (debug)
2020 process_proxy_debug(indent,
2021 "Start process_proxy_cond_multipliers at position %d: %s\n",
2022 *pos, cond);
2023
2024 ok = process_proxy_cond_val(letters, cond, cond_end, pos, indent + 1);
2025 cond = *cond_end;
2026 if (ok < 0)
2027 goto end;
2028
2029 while(ok >= 0)
2030 {
2031 while(isspace((int)*cond))
2032 {
2033 cond++; (*pos)++;
2034 }
2035 c = *cond;
2036
2037 switch(c)
2038 {
2039 case '&':
2040 case '^':
2041 {
2042 int save_ok = ok;
2043
2044 cond++; (*pos)++;
2045 ok = process_proxy_cond_val(letters,
2046 cond, cond_end, pos, indent + 1);
2047 cond = *cond_end;
2048 if (ok < 0)
2049 break;
2050
2051 switch(c)
2052 {
2053 case '&':
2054 ok &= save_ok;
2055 break;
2056 case '^':
2057 ok ^= save_ok;
2058 break;
2059 default:
2060 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
2061 " STOPPING\n");
2062 EXIT(1);
2063 }
2064 }
2065 break;
2066 default:
2067 goto end;
2068 }
2069 }
2070 end:
2071 if (debug)
2072 process_proxy_debug(indent,
2073 "End process_proxy_cond_multipliers at position %d: %s, returning %d\n",
2074 *pos, cond, ok);
2075
2076 *cond_end = cond;
2077 return ok;
2078 }
2079static int process_proxy_cond_adders(unsigned int letters[26],
2080 const char *cond, const char **cond_end, int *pos, int indent)
2081 {
2082 int ok;
2083 char c;
2084
2085 if (debug)
2086 process_proxy_debug(indent,
2087 "Start process_proxy_cond_adders at position %d: %s\n",
2088 *pos, cond);
2089
2090 ok = process_proxy_cond_multipliers(letters, cond, cond_end, pos,
2091 indent + 1);
2092 cond = *cond_end;
2093 if (ok < 0)
2094 goto end;
2095
2096 while(ok >= 0)
2097 {
2098 while(isspace((int)*cond))
2099 {
2100 cond++; (*pos)++;
2101 }
2102 c = *cond;
2103
2104 switch(c)
2105 {
2106 case '|':
2107 {
2108 int save_ok = ok;
2109
2110 cond++; (*pos)++;
2111 ok = process_proxy_cond_multipliers(letters,
2112 cond, cond_end, pos, indent + 1);
2113 cond = *cond_end;
2114 if (ok < 0)
2115 break;
2116
2117 switch(c)
2118 {
2119 case '|':
2120 ok |= save_ok;
2121 break;
2122 default:
2123 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
2124 " STOPPING\n");
2125 EXIT(1);
2126 }
2127 }
2128 break;
2129 default:
2130 goto end;
2131 }
2132 }
2133 end:
2134 if (debug)
2135 process_proxy_debug(indent,
2136 "End process_proxy_cond_adders at position %d: %s, returning %d\n",
2137 *pos, cond, ok);
2138
2139 *cond_end = cond;
2140 return ok;
2141 }
2142
2143static int process_proxy_cond(unsigned int letters[26],
2144 const char *cond, const char **cond_end)
2145 {
2146 int pos = 1;
2147 return process_proxy_cond_adders(letters, cond, cond_end, &pos, 1);
2148 }
2149
2150static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg)
2151 {
2152 int ok=1;
2153 struct app_verify_arg *cb_arg = arg;
2154 unsigned int letters[26]; /* only used with proxy_auth */
2155
2156 if (cb_arg->app_verify)
2157 {
2158 char *s = NULL,buf[256];
2159
2160 fprintf(stderr, "In app_verify_callback, allowing cert. ");
2161 fprintf(stderr, "Arg is: %s\n", cb_arg->string);
2162 fprintf(stderr, "Finished printing do we have a context? 0x%p a cert? 0x%p\n",
2163 (void *)ctx, (void *)ctx->cert);
2164 if (ctx->cert)
2165 s=X509_NAME_oneline(X509_get_subject_name(ctx->cert),buf,256);
2166 if (s != NULL)
2167 {
2168 fprintf(stderr,"cert depth=%d %s\n",ctx->error_depth,buf);
2169 }
2170 return(1);
2171 }
2172 if (cb_arg->proxy_auth)
2173 {
2174 int found_any = 0, i;
2175 char *sp;
2176
2177 for(i = 0; i < 26; i++)
2178 letters[i] = 0;
2179 for(sp = cb_arg->proxy_auth; *sp; sp++)
2180 {
2181 int c = *sp;
2182 if (isascii(c) && isalpha(c))
2183 {
2184 if (islower(c))
2185 c = toupper(c);
2186 letters[c - 'A'] = 1;
2187 }
2188 }
2189
2190 fprintf(stderr,
2191 " Initial proxy rights = ");
2192 for(i = 0; i < 26; i++)
2193 if (letters[i])
2194 {
2195 fprintf(stderr, "%c", i + 'A');
2196 found_any = 1;
2197 }
2198 if (!found_any)
2199 fprintf(stderr, "none");
2200 fprintf(stderr, "\n");
2201
2202 X509_STORE_CTX_set_ex_data(ctx,
2203 get_proxy_auth_ex_data_idx(),letters);
2204 }
2205 if (cb_arg->allow_proxy_certs)
2206 {
2207 X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
2208 }
2209
2210#ifndef OPENSSL_NO_X509_VERIFY
2211# ifdef OPENSSL_FIPS
2212 if(s->version == TLS1_VERSION)
2213 FIPS_allow_md5(1);
2214# endif
2215 ok = X509_verify_cert(ctx);
2216# ifdef OPENSSL_FIPS
2217 if(s->version == TLS1_VERSION)
2218 FIPS_allow_md5(0);
2219# endif
2220#endif
2221
2222 if (cb_arg->proxy_auth)
2223 {
2224 if (ok > 0)
2225 {
2226 const char *cond_end = NULL;
2227
2228 ok = process_proxy_cond(letters,
2229 cb_arg->proxy_cond, &cond_end);
2230
2231 if (ok < 0)
2232 EXIT(3);
2233 if (*cond_end)
2234 {
2235 fprintf(stderr, "Stopped processing condition before it's end.\n");
2236 ok = 0;
2237 }
2238 if (!ok)
2239 fprintf(stderr, "Proxy rights check with condition '%s' proved invalid\n",
2240 cb_arg->proxy_cond);
2241 else
2242 fprintf(stderr, "Proxy rights check with condition '%s' proved valid\n",
2243 cb_arg->proxy_cond);
2244 }
2245 }
2246 return(ok);
2247 }
2248
2249#ifndef OPENSSL_NO_RSA
2250static RSA *rsa_tmp=NULL;
2251
2252static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength)
2253 {
2254 BIGNUM *bn = NULL;
2255 if (rsa_tmp == NULL)
2256 {
2257 bn = BN_new();
2258 rsa_tmp = RSA_new();
2259 if(!bn || !rsa_tmp || !BN_set_word(bn, RSA_F4))
2260 {
2261 BIO_printf(bio_err, "Memory error...");
2262 goto end;
2263 }
2264 BIO_printf(bio_err,"Generating temp (%d bit) RSA key...",keylength);
2265 (void)BIO_flush(bio_err);
2266 if(!RSA_generate_key_ex(rsa_tmp,keylength,bn,NULL))
2267 {
2268 BIO_printf(bio_err, "Error generating key.");
2269 RSA_free(rsa_tmp);
2270 rsa_tmp = NULL;
2271 }
2272end:
2273 BIO_printf(bio_err,"\n");
2274 (void)BIO_flush(bio_err);
2275 }
2276 if(bn) BN_free(bn);
2277 return(rsa_tmp);
2278 }
2279
2280static void free_tmp_rsa(void)
2281 {
2282 if (rsa_tmp != NULL)
2283 {
2284 RSA_free(rsa_tmp);
2285 rsa_tmp = NULL;
2286 }
2287 }
2288#endif
2289
2290#ifndef OPENSSL_NO_DH
2291/* These DH parameters have been generated as follows:
2292 * $ openssl dhparam -C -noout 512
2293 * $ openssl dhparam -C -noout 1024
2294 * $ openssl dhparam -C -noout -dsaparam 1024
2295 * (The third function has been renamed to avoid name conflicts.)
2296 */
2297static DH *get_dh512()
2298 {
2299 static unsigned char dh512_p[]={
2300 0xCB,0xC8,0xE1,0x86,0xD0,0x1F,0x94,0x17,0xA6,0x99,0xF0,0xC6,
2301 0x1F,0x0D,0xAC,0xB6,0x25,0x3E,0x06,0x39,0xCA,0x72,0x04,0xB0,
2302 0x6E,0xDA,0xC0,0x61,0xE6,0x7A,0x77,0x25,0xE8,0x3B,0xB9,0x5F,
2303 0x9A,0xB6,0xB5,0xFE,0x99,0x0B,0xA1,0x93,0x4E,0x35,0x33,0xB8,
2304 0xE1,0xF1,0x13,0x4F,0x59,0x1A,0xD2,0x57,0xC0,0x26,0x21,0x33,
2305 0x02,0xC5,0xAE,0x23,
2306 };
2307 static unsigned char dh512_g[]={
2308 0x02,
2309 };
2310 DH *dh;
2311
2312 if ((dh=DH_new()) == NULL) return(NULL);
2313 dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
2314 dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
2315 if ((dh->p == NULL) || (dh->g == NULL))
2316 { DH_free(dh); return(NULL); }
2317 return(dh);
2318 }
2319
2320static DH *get_dh1024()
2321 {
2322 static unsigned char dh1024_p[]={
2323 0xF8,0x81,0x89,0x7D,0x14,0x24,0xC5,0xD1,0xE6,0xF7,0xBF,0x3A,
2324 0xE4,0x90,0xF4,0xFC,0x73,0xFB,0x34,0xB5,0xFA,0x4C,0x56,0xA2,
2325 0xEA,0xA7,0xE9,0xC0,0xC0,0xCE,0x89,0xE1,0xFA,0x63,0x3F,0xB0,
2326 0x6B,0x32,0x66,0xF1,0xD1,0x7B,0xB0,0x00,0x8F,0xCA,0x87,0xC2,
2327 0xAE,0x98,0x89,0x26,0x17,0xC2,0x05,0xD2,0xEC,0x08,0xD0,0x8C,
2328 0xFF,0x17,0x52,0x8C,0xC5,0x07,0x93,0x03,0xB1,0xF6,0x2F,0xB8,
2329 0x1C,0x52,0x47,0x27,0x1B,0xDB,0xD1,0x8D,0x9D,0x69,0x1D,0x52,
2330 0x4B,0x32,0x81,0xAA,0x7F,0x00,0xC8,0xDC,0xE6,0xD9,0xCC,0xC1,
2331 0x11,0x2D,0x37,0x34,0x6C,0xEA,0x02,0x97,0x4B,0x0E,0xBB,0xB1,
2332 0x71,0x33,0x09,0x15,0xFD,0xDD,0x23,0x87,0x07,0x5E,0x89,0xAB,
2333 0x6B,0x7C,0x5F,0xEC,0xA6,0x24,0xDC,0x53,
2334 };
2335 static unsigned char dh1024_g[]={
2336 0x02,
2337 };
2338 DH *dh;
2339
2340 if ((dh=DH_new()) == NULL) return(NULL);
2341 dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
2342 dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
2343 if ((dh->p == NULL) || (dh->g == NULL))
2344 { DH_free(dh); return(NULL); }
2345 return(dh);
2346 }
2347
2348static DH *get_dh1024dsa()
2349 {
2350 static unsigned char dh1024_p[]={
2351 0xC8,0x00,0xF7,0x08,0x07,0x89,0x4D,0x90,0x53,0xF3,0xD5,0x00,
2352 0x21,0x1B,0xF7,0x31,0xA6,0xA2,0xDA,0x23,0x9A,0xC7,0x87,0x19,
2353 0x3B,0x47,0xB6,0x8C,0x04,0x6F,0xFF,0xC6,0x9B,0xB8,0x65,0xD2,
2354 0xC2,0x5F,0x31,0x83,0x4A,0xA7,0x5F,0x2F,0x88,0x38,0xB6,0x55,
2355 0xCF,0xD9,0x87,0x6D,0x6F,0x9F,0xDA,0xAC,0xA6,0x48,0xAF,0xFC,
2356 0x33,0x84,0x37,0x5B,0x82,0x4A,0x31,0x5D,0xE7,0xBD,0x52,0x97,
2357 0xA1,0x77,0xBF,0x10,0x9E,0x37,0xEA,0x64,0xFA,0xCA,0x28,0x8D,
2358 0x9D,0x3B,0xD2,0x6E,0x09,0x5C,0x68,0xC7,0x45,0x90,0xFD,0xBB,
2359 0x70,0xC9,0x3A,0xBB,0xDF,0xD4,0x21,0x0F,0xC4,0x6A,0x3C,0xF6,
2360 0x61,0xCF,0x3F,0xD6,0x13,0xF1,0x5F,0xBC,0xCF,0xBC,0x26,0x9E,
2361 0xBC,0x0B,0xBD,0xAB,0x5D,0xC9,0x54,0x39,
2362 };
2363 static unsigned char dh1024_g[]={
2364 0x3B,0x40,0x86,0xE7,0xF3,0x6C,0xDE,0x67,0x1C,0xCC,0x80,0x05,
2365 0x5A,0xDF,0xFE,0xBD,0x20,0x27,0x74,0x6C,0x24,0xC9,0x03,0xF3,
2366 0xE1,0x8D,0xC3,0x7D,0x98,0x27,0x40,0x08,0xB8,0x8C,0x6A,0xE9,
2367 0xBB,0x1A,0x3A,0xD6,0x86,0x83,0x5E,0x72,0x41,0xCE,0x85,0x3C,
2368 0xD2,0xB3,0xFC,0x13,0xCE,0x37,0x81,0x9E,0x4C,0x1C,0x7B,0x65,
2369 0xD3,0xE6,0xA6,0x00,0xF5,0x5A,0x95,0x43,0x5E,0x81,0xCF,0x60,
2370 0xA2,0x23,0xFC,0x36,0xA7,0x5D,0x7A,0x4C,0x06,0x91,0x6E,0xF6,
2371 0x57,0xEE,0x36,0xCB,0x06,0xEA,0xF5,0x3D,0x95,0x49,0xCB,0xA7,
2372 0xDD,0x81,0xDF,0x80,0x09,0x4A,0x97,0x4D,0xA8,0x22,0x72,0xA1,
2373 0x7F,0xC4,0x70,0x56,0x70,0xE8,0x20,0x10,0x18,0x8F,0x2E,0x60,
2374 0x07,0xE7,0x68,0x1A,0x82,0x5D,0x32,0xA2,
2375 };
2376 DH *dh;
2377
2378 if ((dh=DH_new()) == NULL) return(NULL);
2379 dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
2380 dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
2381 if ((dh->p == NULL) || (dh->g == NULL))
2382 { DH_free(dh); return(NULL); }
2383 dh->length = 160;
2384 return(dh);
2385 }
2386#endif
2387
2388#ifndef OPENSSL_NO_PSK
2389/* convert the PSK key (psk_key) in ascii to binary (psk) */
2390static int psk_key2bn(const char *pskkey, unsigned char *psk,
2391 unsigned int max_psk_len)
2392 {
2393 int ret;
2394 BIGNUM *bn = NULL;
2395
2396 ret = BN_hex2bn(&bn, pskkey);
2397 if (!ret)
2398 {
2399 BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", pskkey);
2400 if (bn)
2401 BN_free(bn);
2402 return 0;
2403 }
2404 if (BN_num_bytes(bn) > (int)max_psk_len)
2405 {
2406 BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n",
2407 max_psk_len, BN_num_bytes(bn));
2408 BN_free(bn);
2409 return 0;
2410 }
2411 ret = BN_bn2bin(bn, psk);
2412 BN_free(bn);
2413 return ret;
2414 }
2415
2416static unsigned int psk_client_callback(SSL *ssl, const char *hint, char *identity,
2417 unsigned int max_identity_len, unsigned char *psk,
2418 unsigned int max_psk_len)
2419 {
2420 int ret;
2421 unsigned int psk_len = 0;
2422
2423 ret = BIO_snprintf(identity, max_identity_len, "Client_identity");
2424 if (ret < 0)
2425 goto out_err;
2426 if (debug)
2427 fprintf(stderr, "client: created identity '%s' len=%d\n", identity, ret);
2428 ret = psk_key2bn(psk_key, psk, max_psk_len);
2429 if (ret < 0)
2430 goto out_err;
2431 psk_len = ret;
2432out_err:
2433 return psk_len;
2434 }
2435
2436static unsigned int psk_server_callback(SSL *ssl, const char *identity,
2437 unsigned char *psk, unsigned int max_psk_len)
2438 {
2439 unsigned int psk_len=0;
2440
2441 if (strcmp(identity, "Client_identity") != 0)
2442 {
2443 BIO_printf(bio_err, "server: PSK error: client identity not found\n");
2444 return 0;
2445 }
2446 psk_len=psk_key2bn(psk_key, psk, max_psk_len);
2447 return psk_len;
2448 }
2449#endif
2450
2451static int do_test_cipherlist(void)
2452 {
2453 int i = 0;
2454 const SSL_METHOD *meth;
2455 const SSL_CIPHER *ci, *tci = NULL;
2456
2457#ifndef OPENSSL_NO_SSL2
2458 fprintf(stderr, "testing SSLv2 cipher list order: ");
2459 meth = SSLv2_method();
2460 while ((ci = meth->get_cipher(i++)) != NULL)
2461 {
2462 if (tci != NULL)
2463 if (ci->id >= tci->id)
2464 {
2465 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2466 return 0;
2467 }
2468 tci = ci;
2469 }
2470 fprintf(stderr, "ok\n");
2471#endif
2472#ifndef OPENSSL_NO_SSL3
2473 fprintf(stderr, "testing SSLv3 cipher list order: ");
2474 meth = SSLv3_method();
2475 tci = NULL;
2476 while ((ci = meth->get_cipher(i++)) != NULL)
2477 {
2478 if (tci != NULL)
2479 if (ci->id >= tci->id)
2480 {
2481 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2482 return 0;
2483 }
2484 tci = ci;
2485 }
2486 fprintf(stderr, "ok\n");
2487#endif
2488#ifndef OPENSSL_NO_TLS1
2489 fprintf(stderr, "testing TLSv1 cipher list order: ");
2490 meth = TLSv1_method();
2491 tci = NULL;
2492 while ((ci = meth->get_cipher(i++)) != NULL)
2493 {
2494 if (tci != NULL)
2495 if (ci->id >= tci->id)
2496 {
2497 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2498 return 0;
2499 }
2500 tci = ci;
2501 }
2502 fprintf(stderr, "ok\n");
2503#endif
2504
2505 return 1;
2506 }