]> git.ipfire.org Git - thirdparty/openssl.git/blame - test/ssltest_old.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
Appease ubsan
[thirdparty/openssl.git] / test / ssltest_old.c
CommitLineData
58964a49 1/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
d02b48c6
RE		 2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
0f113f3e 7 *
d02b48c6
RE		 8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
0f113f3e 14 *
d02b48c6
RE		 15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
0f113f3e 21 *
d02b48c6
RE		 22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
0f113f3e 36 * 4. If you include any Windows specific code (or a derivative thereof) from
d02b48c6
RE		 37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
0f113f3e 39 *
d02b48c6
RE		 40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
0f113f3e 51 *
d02b48c6
RE		 52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
3ac82faa
BM		 57/* ====================================================================
58 * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
59 *
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
62 * are met:
63 *
64 * 1. Redistributions of source code must retain the above copyright
0f113f3e 65 * notice, this list of conditions and the following disclaimer.
3ac82faa
BM		 66 *
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in
69 * the documentation and/or other materials provided with the
70 * distribution.
71 *
72 * 3. All advertising materials mentioning features or use of this
73 * software must display the following acknowledgment:
74 * "This product includes software developed by the OpenSSL Project
75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76 *
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 * endorse or promote products derived from this software without
79 * prior written permission. For written permission, please contact
80 * openssl-core@openssl.org.
81 *
82 * 5. Products derived from this software may not be called "OpenSSL"
83 * nor may "OpenSSL" appear in their names without prior written
84 * permission of the OpenSSL Project.
85 *
86 * 6. Redistributions of any form whatsoever must retain the following
87 * acknowledgment:
88 * "This product includes software developed by the OpenSSL Project
89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90 *
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
104 *
105 * This product includes cryptographic software written by Eric Young
106 * (eay@cryptsoft.com). This product includes software written by Tim
107 * Hudson (tjh@cryptsoft.com).
108 *
109 */
ea262260
BM		 110/* ====================================================================
111 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
0f113f3e 112 * ECC cipher suite support in OpenSSL originally developed by
ea262260
BM		 113 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
114 */
ddac1974
NL		 115/* ====================================================================
116 * Copyright 2005 Nokia. All rights reserved.
117 *
118 * The portions of the attached software ("Contribution") is developed by
119 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
120 * license.
121 *
122 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
123 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
124 * support (see RFC 4279) to OpenSSL.
125 *
126 * No patent licenses or other rights except those expressly stated in
127 * the OpenSSL open source license shall be deemed granted or received
128 * expressly, by implication, estoppel, or otherwise.
129 *
130 * No assurances are provided by Nokia that the Contribution does not
131 * infringe the patent or other intellectual property rights of any third
132 * party or that the license provides you with all the necessary rights
133 * to make use of the Contribution.
134 *
135 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
136 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
137 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
138 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
139 * OTHERWISE.
140 */
d02b48c6 141
dbd87ffc
MC		 142/* Or gethostname won't be declared properly on Linux and GNU platforms. */
143#define _BSD_SOURCE 1
f9fd3524 144#define _DEFAULT_SOURCE 1
37289744 145
6f7af152
BM		 146#include <assert.h>
147#include <errno.h>
148#include <limits.h>
d02b48c6
RE		 149#include <stdio.h>
150#include <stdlib.h>
151#include <string.h>
563f1503 152#include <time.h>
17e3dd1c 153
e7a28569 154#define USE_SOCKETS
41d2a336 155#include "e_os.h"
17e3dd1c 156
bc120a54 157#ifdef OPENSSL_SYS_VMS
0f113f3e
MC		 158/*
159 * Or isascii won't be declared properly on VMS (at least with DECompHP C).
160 */
161# define _XOPEN_SOURCE 500
bc120a54
DSH		 162#endif
163
a963395a
RL		 164#include <ctype.h>
165
ec577822
BM		 166#include <openssl/bio.h>
167#include <openssl/crypto.h>
563f1503 168#include <openssl/evp.h>
ec577822 169#include <openssl/x509.h>
a7201e9a 170#include <openssl/x509v3.h>
ec577822 171#include <openssl/ssl.h>
0b13e9f0 172#ifndef OPENSSL_NO_ENGINE
0f113f3e 173# include <openssl/engine.h>
0b13e9f0 174#endif
ec577822 175#include <openssl/err.h>
b9d82f47 176#include <openssl/rand.h>
3eeaab4b 177#ifndef OPENSSL_NO_RSA
0f113f3e 178# include <openssl/rsa.h>
3eeaab4b
NL		 179#endif
180#ifndef OPENSSL_NO_DSA
0f113f3e 181# include <openssl/dsa.h>
3eeaab4b
NL		 182#endif
183#ifndef OPENSSL_NO_DH
0f113f3e 184# include <openssl/dh.h>
3eeaab4b 185#endif
edc032b5 186#ifndef OPENSSL_NO_SRP
0f113f3e 187# include <openssl/srp.h>
edc032b5 188#endif
d095b68d 189#include <openssl/bn.h>
dd696a55
RP		 190#ifndef OPENSSL_NO_CT
191# include <openssl/ct.h>
192#endif
09867a47 193
16203f7b 194#include "internal/threads.h"
b6ba4014
MC		 195#include "../ssl/ssl_locl.h"
196
dbd87ffc
MC		 197/*
198 * Or gethostname won't be declared properly
199 * on Compaq platforms (at least with DEC C).
200 * Do not try to put it earlier, or IPv6 includes
201 * get screwed...
0f113f3e
MC		 202 */
203#define _XOPEN_SOURCE_EXTENDED 1
09867a47 204
bc36ee62 205#ifdef OPENSSL_SYS_WINDOWS
0f113f3e 206# include <winsock.h>
37289744 207#else
0f113f3e 208# include OPENSSL_UNISTD
d02b48c6
RE		 209#endif
210
b76998b8
RS		 211static SSL_CTX *s_ctx = NULL;
212static SSL_CTX *s_ctx2 = NULL;
817cd0d5 213
0f113f3e 214/*
45ddce21
RS		 215 * There is really no standard for this, so let's assign something
216 * only for this test
0f113f3e 217 */
0f113f3e 218#define COMP_ZLIB 1
23f80f46 219
6d23cf97 220static int verify_callback(int ok, X509_STORE_CTX *ctx);
6d23cf97 221static int app_verify_callback(X509_STORE_CTX *ctx, void *arg);
a7201e9a 222#define APP_CALLBACK_STRING "Test Callback Argument"
0f113f3e
MC		 223struct app_verify_arg {
224 char *string;
225 int app_verify;
226 int allow_proxy_certs;
227 char *proxy_auth;
228 char *proxy_cond;
229};
023ec151 230
bc36ee62 231#ifndef OPENSSL_NO_DH
d02b48c6 232static DH *get_dh512(void);
e4589582
BM		 233static DH *get_dh1024(void);
234static DH *get_dh1024dsa(void);
53002dc6
BM		 235#endif
236
0f113f3e 237static char *psk_key = NULL; /* by default PSK is not used */
ddac1974 238#ifndef OPENSSL_NO_PSK
0f113f3e
MC		 239static unsigned int psk_client_callback(SSL *ssl, const char *hint,
240 char *identity,
241 unsigned int max_identity_len,
242 unsigned char *psk,
243 unsigned int max_psk_len);
244static unsigned int psk_server_callback(SSL *ssl, const char *identity,
245 unsigned char *psk,
246 unsigned int max_psk_len);
ddac1974
NL		 247#endif
248
edc032b5
BL		 249#ifndef OPENSSL_NO_SRP
250/* SRP client */
251/* This is a context that we pass to all callbacks */
0f113f3e
MC		 252typedef struct srp_client_arg_st {
253 char *srppassin;
254 char *srplogin;
255} SRP_CLIENT_ARG;
edc032b5 256
0f113f3e 257# define PWD_STRLEN 1024
edc032b5 258
0f113f3e
MC		 259static char *ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
260{
261 SRP_CLIENT_ARG *srp_client_arg = (SRP_CLIENT_ARG *)arg;
7644a9ae 262 return OPENSSL_strdup((char *)srp_client_arg->srppassin);
0f113f3e 263}
edc032b5 264
edc032b5
BL		 265/* SRP server */
266/* This is a context that we pass to SRP server callbacks */
0f113f3e
MC		 267typedef struct srp_server_arg_st {
268 char *expected_user;
269 char *pass;
270} SRP_SERVER_ARG;
edc032b5 271
6d23cf97 272static int ssl_srp_server_param_cb(SSL *s, int *ad, void *arg)
0f113f3e
MC		 273{
274 SRP_SERVER_ARG *p = (SRP_SERVER_ARG *)arg;
275
276 if (strcmp(p->expected_user, SSL_get_srp_username(s)) != 0) {
277 fprintf(stderr, "User %s doesn't exist\n", SSL_get_srp_username(s));
278 return SSL3_AL_FATAL;
279 }
280 if (SSL_set_srp_server_param_pw(s, p->expected_user, p->pass, "1024") < 0) {
281 *ad = SSL_AD_INTERNAL_ERROR;
282 return SSL3_AL_FATAL;
283 }
284 return SSL_ERROR_NONE;
285}
286#endif
287
288static BIO *bio_err = NULL;
289static BIO *bio_stdout = NULL;
d02b48c6 290
2911575c 291#ifndef OPENSSL_NO_NEXTPROTONEG
d9a268b9
BL		 292/* Note that this code assumes that this is only a one element list: */
293static const char NEXT_PROTO_STRING[] = "\x09testproto";
df2ee0e2
BL		 294static int npn_client = 0;
295static int npn_server = 0;
296static int npn_server_reject = 0;
d9a268b9 297
0f113f3e
MC		 298static int cb_client_npn(SSL *s, unsigned char **out, unsigned char *outlen,
299 const unsigned char *in, unsigned int inlen,
300 void *arg)
301{
302 /*
303 * This callback only returns the protocol string, rather than a length
304 * prefixed set. We assume that NEXT_PROTO_STRING is a one element list
305 * and remove the first byte to chop off the length prefix.
306 */
307 *out = (unsigned char *)NEXT_PROTO_STRING + 1;
308 *outlen = sizeof(NEXT_PROTO_STRING) - 2;
309 return SSL_TLSEXT_ERR_OK;
310}
311
312static int cb_server_npn(SSL *s, const unsigned char **data,
313 unsigned int *len, void *arg)
314{
315 *data = (const unsigned char *)NEXT_PROTO_STRING;
316 *len = sizeof(NEXT_PROTO_STRING) - 1;
317 return SSL_TLSEXT_ERR_OK;
318}
319
320static int cb_server_rejects_npn(SSL *s, const unsigned char **data,
321 unsigned int *len, void *arg)
322{
323 return SSL_TLSEXT_ERR_NOACK;
324}
d9a268b9
BL		 325
326static int verify_npn(SSL *client, SSL *server)
0f113f3e
MC		 327{
328 const unsigned char *client_s;
329 unsigned client_len;
330 const unsigned char *server_s;
331 unsigned server_len;
332
333 SSL_get0_next_proto_negotiated(client, &client_s, &client_len);
334 SSL_get0_next_proto_negotiated(server, &server_s, &server_len);
335
336 if (client_len) {
337 BIO_printf(bio_stdout, "Client NPN: ");
338 BIO_write(bio_stdout, client_s, client_len);
339 BIO_printf(bio_stdout, "\n");
340 }
341
342 if (server_len) {
343 BIO_printf(bio_stdout, "Server NPN: ");
344 BIO_write(bio_stdout, server_s, server_len);
345 BIO_printf(bio_stdout, "\n");
346 }
347
348 /*
349 * If an NPN string was returned, it must be the protocol that we
350 * expected to negotiate.
351 */
352 if (client_len && (client_len != sizeof(NEXT_PROTO_STRING) - 2 ||
353 memcmp(client_s, NEXT_PROTO_STRING + 1, client_len)))
354 return -1;
355 if (server_len && (server_len != sizeof(NEXT_PROTO_STRING) - 2 ||
356 memcmp(server_s, NEXT_PROTO_STRING + 1, server_len)))
357 return -1;
358
359 if (!npn_client && client_len)
360 return -1;
361 if (!npn_server && server_len)
362 return -1;
363 if (npn_server_reject && server_len)
364 return -1;
365 if (npn_client && npn_server && (!client_len || !server_len))
366 return -1;
367
368 return 0;
369}
d9a268b9
BL		 370#endif
371
a8989362 372static const char *alpn_client;
817cd0d5
TS		 373static char *alpn_server;
374static char *alpn_server2;
a8989362
AL		 375static const char *alpn_expected;
376static unsigned char *alpn_selected;
7946ab33
KR		 377static const char *server_min_proto;
378static const char *server_max_proto;
379static const char *client_min_proto;
380static const char *client_max_proto;
381static const char *should_negotiate;
817cd0d5
TS		 382static const char *sn_client;
383static const char *sn_server1;
384static const char *sn_server2;
385static int sn_expect = 0;
b7dffce0
KR		 386static const char *server_sess_out;
387static const char *server_sess_in;
388static const char *client_sess_out;
389static const char *client_sess_in;
390static SSL_SESSION *server_sess;
391static SSL_SESSION *client_sess;
817cd0d5
TS		 392
393static int servername_cb(SSL *s, int *ad, void *arg)
394{
395 const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
396 if (sn_server2 == NULL) {
397 BIO_printf(bio_stdout, "Servername 2 is NULL\n");
398 return SSL_TLSEXT_ERR_NOACK;
399 }
400
401 if (servername) {
402 if (s_ctx2 != NULL && sn_server2 != NULL &&
403 !strcasecmp(servername, sn_server2)) {
404 BIO_printf(bio_stdout, "Switching server context.\n");
405 SSL_set_SSL_CTX(s, s_ctx2);
406 }
407 }
408 return SSL_TLSEXT_ERR_OK;
409}
410static int verify_servername(SSL *client, SSL *server)
411{
412 /* just need to see if sn_context is what we expect */
413 SSL_CTX* ctx = SSL_get_SSL_CTX(server);
414 if (sn_expect == 0)
415 return 0;
416 if (sn_expect == 1 && ctx == s_ctx)
417 return 0;
418 if (sn_expect == 2 && ctx == s_ctx2)
419 return 0;
420 BIO_printf(bio_stdout, "Servername: expected context %d\n", sn_expect);
421 if (ctx == s_ctx2)
422 BIO_printf(bio_stdout, "Servername: context is 2\n");
423 else if (ctx == s_ctx)
424 BIO_printf(bio_stdout, "Servername: context is 1\n");
425 else
426 BIO_printf(bio_stdout, "Servername: context is unknown\n");
427 return -1;
428}
429
a8989362 430
3a83462d
MC		 431/*-
432 * next_protos_parse parses a comma separated list of strings into a string
a8989362
AL		 433 * in a format suitable for passing to SSL_CTX_set_next_protos_advertised.
434 * outlen: (output) set to the length of the resulting buffer on success.
435 * err: (maybe NULL) on failure, an error message line is written to this BIO.
4eadd11c 436 * in: a NUL terminated string like "abc,def,ghi"
a8989362
AL		 437 *
438 * returns: a malloced buffer or NULL on failure.
439 */
817cd0d5 440static unsigned char *next_protos_parse(size_t *outlen,
0f113f3e
MC		 441 const char *in)
442{
443 size_t len;
444 unsigned char *out;
445 size_t i, start = 0;
446
447 len = strlen(in);
448 if (len >= 65535)
449 return NULL;
450
451 out = OPENSSL_malloc(strlen(in) + 1);
452 if (!out)
453 return NULL;
454
455 for (i = 0; i <= len; ++i) {
456 if (i == len || in[i] == ',') {
457 if (i - start > 255) {
458 OPENSSL_free(out);
459 return NULL;
460 }
461 out[start] = i - start;
462 start = i + 1;
463 } else
464 out[i + 1] = in[i];
465 }
466
467 *outlen = len + 1;
468 return out;
469}
470
471static int cb_server_alpn(SSL *s, const unsigned char **out,
472 unsigned char *outlen, const unsigned char *in,
473 unsigned int inlen, void *arg)
474{
475 unsigned char *protos;
817cd0d5
TS		 476 size_t protos_len;
477 char* alpn_str = arg;
0f113f3e 478
817cd0d5 479 protos = next_protos_parse(&protos_len, alpn_str);
0f113f3e
MC		 480 if (protos == NULL) {
481 fprintf(stderr, "failed to parser ALPN server protocol string: %s\n",
817cd0d5 482 alpn_str);
0f113f3e
MC		 483 abort();
484 }
485
486 if (SSL_select_next_proto
487 ((unsigned char **)out, outlen, protos, protos_len, in,
488 inlen) != OPENSSL_NPN_NEGOTIATED) {
489 OPENSSL_free(protos);
490 return SSL_TLSEXT_ERR_NOACK;
491 }
492
493 /*
494 * Make a copy of the selected protocol which will be freed in
495 * verify_alpn.
496 */
497 alpn_selected = OPENSSL_malloc(*outlen);
498 memcpy(alpn_selected, *out, *outlen);
499 *out = alpn_selected;
500
501 OPENSSL_free(protos);
502 return SSL_TLSEXT_ERR_OK;
503}
a8989362
AL		 504
505static int verify_alpn(SSL *client, SSL *server)
0f113f3e
MC		 506{
507 const unsigned char *client_proto, *server_proto;
508 unsigned int client_proto_len = 0, server_proto_len = 0;
509 SSL_get0_alpn_selected(client, &client_proto, &client_proto_len);
510 SSL_get0_alpn_selected(server, &server_proto, &server_proto_len);
511
b548a1f1
RS		 512 OPENSSL_free(alpn_selected);
513 alpn_selected = NULL;
0f113f3e 514
3003e0a4
AG		 515 if (client_proto_len != server_proto_len) {
516 BIO_printf(bio_stdout, "ALPN selected protocols differ!\n");
517 goto err;
518 }
519
520 if (client_proto != NULL &&
0f113f3e
MC		 521 memcmp(client_proto, server_proto, client_proto_len) != 0) {
522 BIO_printf(bio_stdout, "ALPN selected protocols differ!\n");
523 goto err;
524 }
525
526 if (client_proto_len > 0 && alpn_expected == NULL) {
527 BIO_printf(bio_stdout, "ALPN unexpectedly negotiated\n");
528 goto err;
529 }
530
531 if (alpn_expected != NULL &&
532 (client_proto_len != strlen(alpn_expected) ||
533 memcmp(client_proto, alpn_expected, client_proto_len) != 0)) {
534 BIO_printf(bio_stdout,
535 "ALPN selected protocols not equal to expected protocol: %s\n",
536 alpn_expected);
537 goto err;
538 }
539
540 return 0;
541
542 err:
543 BIO_printf(bio_stdout, "ALPN results: client: '");
544 BIO_write(bio_stdout, client_proto, client_proto_len);
545 BIO_printf(bio_stdout, "', server: '");
546 BIO_write(bio_stdout, server_proto, server_proto_len);
547 BIO_printf(bio_stdout, "'\n");
817cd0d5
TS		 548 BIO_printf(bio_stdout, "ALPN configured: client: '%s', server: '",
549 alpn_client);
550 if (SSL_get_SSL_CTX(server) == s_ctx2) {
551 BIO_printf(bio_stdout, "%s'\n",
552 alpn_server2);
553 } else {
554 BIO_printf(bio_stdout, "%s'\n",
555 alpn_server);
556 }
0f113f3e
MC		 557 return -1;
558}
a8989362 559
0f113f3e
MC		 560/*
561 * WARNING : below extension types are *NOT* IETF assigned, and could
562 * conflict if these types are reassigned and handled specially by OpenSSL
563 * in the future
564 */
a398f821 565#define TACK_EXT_TYPE 62208
9cd50f73
T		 566#define CUSTOM_EXT_TYPE_0 1000
567#define CUSTOM_EXT_TYPE_1 1001
568#define CUSTOM_EXT_TYPE_2 1002
569#define CUSTOM_EXT_TYPE_3 1003
570
df2ee0e2
BL		 571static const char custom_ext_cli_string[] = "abc";
572static const char custom_ext_srv_string[] = "defg";
a398f821
T		 573
574/* These set from cmdline */
df2ee0e2
BL		 575static char *serverinfo_file = NULL;
576static int serverinfo_sct = 0;
577static int serverinfo_tack = 0;
9cd50f73
T		 578
579/* These set based on extension callbacks */
df2ee0e2
BL		 580static int serverinfo_sct_seen = 0;
581static int serverinfo_tack_seen = 0;
582static int serverinfo_other_seen = 0;
a398f821 583
9cd50f73 584/* This set from cmdline */
df2ee0e2 585static int custom_ext = 0;
9cd50f73
T		 586
587/* This set based on extension callbacks */
df2ee0e2 588static int custom_ext_error = 0;
9cd50f73 589
0cfefe4b 590static int serverinfo_cli_parse_cb(SSL *s, unsigned int ext_type,
0f113f3e
MC		 591 const unsigned char *in, size_t inlen,
592 int *al, void *arg)
593{
dd696a55 594 if (ext_type == TLSEXT_TYPE_signed_certificate_timestamp)
0f113f3e
MC		 595 serverinfo_sct_seen++;
596 else if (ext_type == TACK_EXT_TYPE)
597 serverinfo_tack_seen++;
598 else
599 serverinfo_other_seen++;
600 return 1;
601}
a398f821
T		 602
603static int verify_serverinfo()
0f113f3e
MC		 604{
605 if (serverinfo_sct != serverinfo_sct_seen)
606 return -1;
607 if (serverinfo_tack != serverinfo_tack_seen)
608 return -1;
609 if (serverinfo_other_seen)
610 return -1;
611 return 0;
612}
a398f821 613
1d97c843
TH		 614/*-
615 * Four test cases for custom extensions:
9cd50f73
T		 616 * 0 - no ClientHello extension or ServerHello response
617 * 1 - ClientHello with "abc", no response
618 * 2 - ClientHello with "abc", empty response
619 * 3 - ClientHello with "abc", "defg" response
620 */
621
de2a9e38 622static int custom_ext_0_cli_add_cb(SSL *s, unsigned int ext_type,
0f113f3e
MC		 623 const unsigned char **out,
624 size_t *outlen, int *al, void *arg)
625{
626 if (ext_type != CUSTOM_EXT_TYPE_0)
627 custom_ext_error = 1;
628 return 0; /* Don't send an extension */
629}
9cd50f73 630
de2a9e38 631static int custom_ext_0_cli_parse_cb(SSL *s, unsigned int ext_type,
0f113f3e
MC		 632 const unsigned char *in,
633 size_t inlen, int *al, void *arg)
634{
635 return 1;
636}
9cd50f73 637
de2a9e38 638static int custom_ext_1_cli_add_cb(SSL *s, unsigned int ext_type,
0f113f3e
MC		 639 const unsigned char **out,
640 size_t *outlen, int *al, void *arg)
641{
642 if (ext_type != CUSTOM_EXT_TYPE_1)
643 custom_ext_error = 1;
644 *out = (const unsigned char *)custom_ext_cli_string;
645 *outlen = strlen(custom_ext_cli_string);
646 return 1; /* Send "abc" */
647}
9cd50f73 648
de2a9e38 649static int custom_ext_1_cli_parse_cb(SSL *s, unsigned int ext_type,
0f113f3e
MC		 650 const unsigned char *in,
651 size_t inlen, int *al, void *arg)
652{
653 return 1;
654}
9cd50f73 655
de2a9e38 656static int custom_ext_2_cli_add_cb(SSL *s, unsigned int ext_type,
0f113f3e
MC		 657 const unsigned char **out,
658 size_t *outlen, int *al, void *arg)
659{
660 if (ext_type != CUSTOM_EXT_TYPE_2)
661 custom_ext_error = 1;
662 *out = (const unsigned char *)custom_ext_cli_string;
663 *outlen = strlen(custom_ext_cli_string);
664 return 1; /* Send "abc" */
665}
9cd50f73 666
de2a9e38 667static int custom_ext_2_cli_parse_cb(SSL *s, unsigned int ext_type,
0f113f3e
MC		 668 const unsigned char *in,
669 size_t inlen, int *al, void *arg)
670{
671 if (ext_type != CUSTOM_EXT_TYPE_2)
672 custom_ext_error = 1;
673 if (inlen != 0)
674 custom_ext_error = 1; /* Should be empty response */
675 return 1;
676}
9cd50f73 677
de2a9e38 678static int custom_ext_3_cli_add_cb(SSL *s, unsigned int ext_type,
0f113f3e
MC		 679 const unsigned char **out,
680 size_t *outlen, int *al, void *arg)
681{
682 if (ext_type != CUSTOM_EXT_TYPE_3)
683 custom_ext_error = 1;
684 *out = (const unsigned char *)custom_ext_cli_string;
685 *outlen = strlen(custom_ext_cli_string);
686 return 1; /* Send "abc" */
687}
9cd50f73 688
de2a9e38 689static int custom_ext_3_cli_parse_cb(SSL *s, unsigned int ext_type,
0f113f3e
MC		 690 const unsigned char *in,
691 size_t inlen, int *al, void *arg)
692{
693 if (ext_type != CUSTOM_EXT_TYPE_3)
694 custom_ext_error = 1;
695 if (inlen != strlen(custom_ext_srv_string))
696 custom_ext_error = 1;
697 if (memcmp(custom_ext_srv_string, in, inlen) != 0)
698 custom_ext_error = 1; /* Check for "defg" */
699 return 1;
700}
701
702/*
703 * custom_ext_0_cli_add_cb returns 0 - the server won't receive a callback
704 * for this extension
705 */
de2a9e38 706static int custom_ext_0_srv_parse_cb(SSL *s, unsigned int ext_type,
0f113f3e
MC		 707 const unsigned char *in,
708 size_t inlen, int *al, void *arg)
709{
710 custom_ext_error = 1;
711 return 1;
712}
9cd50f73 713
f47e2039 714/* 'add' callbacks are only called if the 'parse' callback is called */
de2a9e38 715static int custom_ext_0_srv_add_cb(SSL *s, unsigned int ext_type,
0f113f3e
MC		 716 const unsigned char **out,
717 size_t *outlen, int *al, void *arg)
718{
719 /* Error: should not have been called */
720 custom_ext_error = 1;
721 return 0; /* Don't send an extension */
722}
9cd50f73 723
de2a9e38 724static int custom_ext_1_srv_parse_cb(SSL *s, unsigned int ext_type,
0f113f3e
MC		 725 const unsigned char *in,
726 size_t inlen, int *al, void *arg)
727{
728 if (ext_type != CUSTOM_EXT_TYPE_1)
729 custom_ext_error = 1;
730 /* Check for "abc" */
731 if (inlen != strlen(custom_ext_cli_string))
732 custom_ext_error = 1;
733 if (memcmp(in, custom_ext_cli_string, inlen) != 0)
734 custom_ext_error = 1;
735 return 1;
736}
9cd50f73 737
de2a9e38 738static int custom_ext_1_srv_add_cb(SSL *s, unsigned int ext_type,
0f113f3e
MC		 739 const unsigned char **out,
740 size_t *outlen, int *al, void *arg)
741{
742 return 0; /* Don't send an extension */
743}
9cd50f73 744
de2a9e38 745static int custom_ext_2_srv_parse_cb(SSL *s, unsigned int ext_type,
0f113f3e
MC		 746 const unsigned char *in,
747 size_t inlen, int *al, void *arg)
748{
749 if (ext_type != CUSTOM_EXT_TYPE_2)
750 custom_ext_error = 1;
751 /* Check for "abc" */
752 if (inlen != strlen(custom_ext_cli_string))
753 custom_ext_error = 1;
754 if (memcmp(in, custom_ext_cli_string, inlen) != 0)
755 custom_ext_error = 1;
756 return 1;
757}
9cd50f73 758
de2a9e38 759static int custom_ext_2_srv_add_cb(SSL *s, unsigned int ext_type,
0f113f3e
MC		 760 const unsigned char **out,
761 size_t *outlen, int *al, void *arg)
762{
763 *out = NULL;
764 *outlen = 0;
765 return 1; /* Send empty extension */
766}
9cd50f73 767
de2a9e38 768static int custom_ext_3_srv_parse_cb(SSL *s, unsigned int ext_type,
0f113f3e
MC		 769 const unsigned char *in,
770 size_t inlen, int *al, void *arg)
771{
772 if (ext_type != CUSTOM_EXT_TYPE_3)
773 custom_ext_error = 1;
774 /* Check for "abc" */
775 if (inlen != strlen(custom_ext_cli_string))
776 custom_ext_error = 1;
777 if (memcmp(in, custom_ext_cli_string, inlen) != 0)
778 custom_ext_error = 1;
779 return 1;
780}
9cd50f73 781
de2a9e38 782static int custom_ext_3_srv_add_cb(SSL *s, unsigned int ext_type,
0f113f3e
MC		 783 const unsigned char **out,
784 size_t *outlen, int *al, void *arg)
785{
786 *out = (const unsigned char *)custom_ext_srv_string;
787 *outlen = strlen(custom_ext_srv_string);
788 return 1; /* Send "defg" */
789}
790
791static char *cipher = NULL;
792static int verbose = 0;
793static int debug = 0;
0f113f3e
MC		 794static const char rnd_seed[] =
795 "string to make the random number generator think it has entropy";
d02b48c6 796
75d5bd4e
RL		 797int doit_localhost(SSL *s_ssl, SSL *c_ssl, int family,
798 long bytes, clock_t *s_time, clock_t *c_time);
0f113f3e
MC		 799int doit_biopair(SSL *s_ssl, SSL *c_ssl, long bytes, clock_t *s_time,
800 clock_t *c_time);
801int doit(SSL *s_ssl, SSL *c_ssl, long bytes);
9ccc00ef 802
6b691a5c 803static void sv_usage(void)
0f113f3e
MC		 804{
805 fprintf(stderr, "usage: ssltest [args ...]\n");
806 fprintf(stderr, "\n");
086e32a6 807#ifdef OPENSSL_FIPS
0f113f3e
MC		 808 fprintf(stderr, "-F - run test in FIPS mode\n");
809#endif
810 fprintf(stderr, " -server_auth - check server certificate\n");
811 fprintf(stderr, " -client_auth - do client authentication\n");
812 fprintf(stderr, " -proxy - allow proxy certificates\n");
813 fprintf(stderr, " -proxy_auth <val> - set proxy policy rights\n");
814 fprintf(stderr,
815 " -proxy_cond <val> - expression to test proxy policy rights\n");
816 fprintf(stderr, " -v - more output\n");
817 fprintf(stderr, " -d - debug output\n");
818 fprintf(stderr, " -reuse - use session-id reuse\n");
819 fprintf(stderr, " -num <val> - number of connections to perform\n");
820 fprintf(stderr,
821 " -bytes <val> - number of bytes to swap between client/server\n");
bc36ee62 822#ifndef OPENSSL_NO_DH
0f113f3e 823 fprintf(stderr,
e8356e32
EK		 824 " -dhe512 - use 512 bit key for DHE (to test failure)\n");
825 fprintf(stderr,
826 " -dhe1024 - use 1024 bit key (safe prime) for DHE (default, no-op)\n");
0f113f3e
MC		 827 fprintf(stderr,
828 " -dhe1024dsa - use 1024 bit key (with 160-bit subprime) for DHE\n");
829 fprintf(stderr, " -no_dhe - disable DHE\n");
77fa04a9 830#endif
10bf4fc2 831#ifndef OPENSSL_NO_EC
817cd0d5 832 fprintf(stderr, " -no_ecdhe - disable ECDHE\nTODO(openssl-team): no_ecdhe was broken by auto ecdh. Make this work again.\n");
ea262260 833#endif
ddac1974 834#ifndef OPENSSL_NO_PSK
0f113f3e 835 fprintf(stderr, " -psk arg - PSK in hex (without 0x)\n");
ddac1974 836#endif
edc032b5 837#ifndef OPENSSL_NO_SRP
0d5301af
KR		 838 fprintf(stderr, " -srpuser user - SRP username to use\n");
839 fprintf(stderr, " -srppass arg - password for 'user'\n");
edc032b5 840#endif
6b01bed2 841#ifndef OPENSSL_NO_SSL3
0f113f3e 842 fprintf(stderr, " -ssl3 - use SSLv3\n");
58964a49 843#endif
6b01bed2 844#ifndef OPENSSL_NO_TLS1
0f113f3e 845 fprintf(stderr, " -tls1 - use TLSv1\n");
6b01bed2 846#endif
98b8cdd3 847#ifndef OPENSSL_NO_DTLS
0d5301af 848 fprintf(stderr, " -dtls - use DTLS\n");
6b01bed2 849#ifndef OPENSSL_NO_DTLS1
98b8cdd3 850 fprintf(stderr, " -dtls1 - use DTLSv1\n");
6b01bed2
VD		 851#endif
852#ifndef OPENSSL_NO_DTLS1_2
98b8cdd3 853 fprintf(stderr, " -dtls12 - use DTLSv1.2\n");
6b01bed2 854#endif
98b8cdd3 855#endif
0f113f3e
MC		 856 fprintf(stderr, " -CApath arg - PEM format directory of CA's\n");
857 fprintf(stderr, " -CAfile arg - PEM format file of CA's\n");
858 fprintf(stderr, " -cert arg - Server certificate file\n");
859 fprintf(stderr,
860 " -key arg - Server key file (default: same as -cert)\n");
861 fprintf(stderr, " -c_cert arg - Client certificate file\n");
862 fprintf(stderr,
863 " -c_key arg - Client key file (default: same as -c_cert)\n");
864 fprintf(stderr, " -cipher arg - The cipher list\n");
865 fprintf(stderr, " -bio_pair - Use BIO pairs\n");
75d5bd4e
RL		 866 fprintf(stderr, " -ipv4 - Use IPv4 connection on localhost\n");
867 fprintf(stderr, " -ipv6 - Use IPv6 connection on localhost\n");
0f113f3e
MC		 868 fprintf(stderr, " -f - Test even cases that can't work\n");
869 fprintf(stderr,
870 " -time - measure processor time used by client and server\n");
871 fprintf(stderr, " -zlib - use zlib compression\n");
2911575c 872#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e
MC		 873 fprintf(stderr, " -npn_client - have client side offer NPN\n");
874 fprintf(stderr, " -npn_server - have server side offer NPN\n");
875 fprintf(stderr, " -npn_server_reject - have server reject NPN\n");
876#endif
877 fprintf(stderr, " -serverinfo_file file - have server use this file\n");
878 fprintf(stderr, " -serverinfo_sct - have client offer and expect SCT\n");
879 fprintf(stderr,
880 " -serverinfo_tack - have client offer and expect TACK\n");
881 fprintf(stderr,
882 " -custom_ext - try various custom extension callbacks\n");
883 fprintf(stderr, " -alpn_client <string> - have client side offer ALPN\n");
884 fprintf(stderr, " -alpn_server <string> - have server side offer ALPN\n");
817cd0d5
TS		 885 fprintf(stderr, " -alpn_server1 <string> - alias for -alpn_server\n");
886 fprintf(stderr, " -alpn_server2 <string> - have server side context 2 offer ALPN\n");
0f113f3e
MC		 887 fprintf(stderr,
888 " -alpn_expected <string> - the ALPN protocol that should be negotiated\n");
7946ab33
KR		 889 fprintf(stderr, " -server_min_proto <string> - Minimum version the server should support\n");
890 fprintf(stderr, " -server_max_proto <string> - Maximum version the server should support\n");
891 fprintf(stderr, " -client_min_proto <string> - Minimum version the client should support\n");
892 fprintf(stderr, " -client_max_proto <string> - Maximum version the client should support\n");
893 fprintf(stderr, " -should_negotiate <string> - The version that should be negotiated, fail-client or fail-server\n");
dd696a55
RP		 894#ifndef OPENSSL_NO_CT
895 fprintf(stderr, " -noct - no certificate transparency\n");
896 fprintf(stderr, " -requestct - request certificate transparency\n");
897 fprintf(stderr, " -requirect - require certificate transparency\n");
898#endif
817cd0d5
TS		 899 fprintf(stderr, " -sn_client <string> - have client request this servername\n");
900 fprintf(stderr, " -sn_server1 <string> - have server context 1 respond to this servername\n");
901 fprintf(stderr, " -sn_server2 <string> - have server context 2 respond to this servername\n");
902 fprintf(stderr, " -sn_expect1 - expected server 1\n");
903 fprintf(stderr, " -sn_expect2 - expected server 2\n");
b7dffce0
KR		 904 fprintf(stderr, " -server_sess_out <file> - Save the server session to a file\n");
905 fprintf(stderr, " -server_sess_in <file> - Read the server session from a file\n");
906 fprintf(stderr, " -client_sess_out <file> - Save the client session to a file\n");
907 fprintf(stderr, " -client_sess_in <file> - Read the client session from a file\n");
908 fprintf(stderr, " -should_reuse <number> - The expected state of reusing the session\n");
909 fprintf(stderr, " -no_ticket - do not issue TLS session ticket\n");
0f113f3e 910}
563f1503 911
f756f1fc 912static void print_key_details(BIO *out, EVP_PKEY *key)
0f113f3e
MC		 913{
914 int keyid = EVP_PKEY_id(key);
f756f1fc 915#ifndef OPENSSL_NO_EC
0f113f3e
MC		 916 if (keyid == EVP_PKEY_EC) {
917 EC_KEY *ec = EVP_PKEY_get1_EC_KEY(key);
918 int nid;
919 const char *cname;
920 nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
921 EC_KEY_free(ec);
922 cname = EC_curve_nid2nist(nid);
923 if (!cname)
924 cname = OBJ_nid2sn(nid);
925 BIO_printf(out, "%d bits EC (%s)", EVP_PKEY_bits(key), cname);
926 } else
927#endif
928 {
929 const char *algname;
930 switch (keyid) {
931 case EVP_PKEY_RSA:
932 algname = "RSA";
933 break;
934 case EVP_PKEY_DSA:
935 algname = "DSA";
936 break;
937 case EVP_PKEY_DH:
938 algname = "DH";
939 break;
940 default:
941 algname = OBJ_nid2sn(keyid);
942 break;
943 }
944 BIO_printf(out, "%d bits %s", EVP_PKEY_bits(key), algname);
945 }
946}
f756f1fc 947
563f1503 948static void print_details(SSL *c_ssl, const char *prefix)
0f113f3e
MC		 949{
950 const SSL_CIPHER *ciph;
951 int mdnid;
952 X509 *cert;
953 EVP_PKEY *pkey;
954
955 ciph = SSL_get_current_cipher(c_ssl);
956 BIO_printf(bio_stdout, "%s%s, cipher %s %s",
957 prefix,
958 SSL_get_version(c_ssl),
959 SSL_CIPHER_get_version(ciph), SSL_CIPHER_get_name(ciph));
960 cert = SSL_get_peer_certificate(c_ssl);
961 if (cert != NULL) {
962 pkey = X509_get_pubkey(cert);
963 if (pkey != NULL) {
964 BIO_puts(bio_stdout, ", ");
965 print_key_details(bio_stdout, pkey);
966 EVP_PKEY_free(pkey);
967 }
968 X509_free(cert);
969 }
970 if (SSL_get_server_tmp_key(c_ssl, &pkey)) {
971 BIO_puts(bio_stdout, ", temp key: ");
972 print_key_details(bio_stdout, pkey);
973 EVP_PKEY_free(pkey);
974 }
975 if (SSL_get_peer_signature_nid(c_ssl, &mdnid))
976 BIO_printf(bio_stdout, ", digest=%s", OBJ_nid2sn(mdnid));
977 BIO_printf(bio_stdout, "\n");
978}
d02b48c6 979
7946ab33
KR		 980/*
981 * protocol_from_string - converts a protocol version string to a number
982 *
983 * Returns -1 on failure or the version on success
984 */
985static int protocol_from_string(const char *value)
986{
987 struct protocol_versions {
988 const char *name;
989 int version;
990 };
991 static const struct protocol_versions versions[] = {
992 {"ssl3", SSL3_VERSION},
993 {"tls1", TLS1_VERSION},
994 {"tls1.1", TLS1_1_VERSION},
995 {"tls1.2", TLS1_2_VERSION},
996 {"dtls1", DTLS1_VERSION},
997 {"dtls1.2", DTLS1_2_VERSION}};
998 size_t i;
999 size_t n = OSSL_NELEM(versions);
1000
1001 for (i = 0; i < n; i++)
1002 if (strcmp(versions[i].name, value) == 0)
1003 return versions[i].version;
1004 return -1;
1005}
1006
b7dffce0
KR		 1007static SSL_SESSION *read_session(const char *filename)
1008{
1009 SSL_SESSION *sess;
1010 BIO *f = BIO_new_file(filename, "r");
1011
1012 if (f == NULL) {
1013 BIO_printf(bio_err, "Can't open session file %s\n", filename);
1014 ERR_print_errors(bio_err);
1015 return NULL;
1016 }
1017 sess = PEM_read_bio_SSL_SESSION(f, NULL, 0, NULL);
1018 if (sess == NULL) {
1019 BIO_printf(bio_err, "Can't parse session file %s\n", filename);
1020 ERR_print_errors(bio_err);
1021 }
1022 BIO_free(f);
1023 return sess;
1024}
1025
1026static int write_session(const char *filename, SSL_SESSION *sess)
1027{
1028 BIO *f = BIO_new_file(filename, "w");
1029
1030 if (sess == NULL) {
1031 BIO_printf(bio_err, "No session information\n");
1032 return 0;
1033 }
1034 if (f == NULL) {
1035 BIO_printf(bio_err, "Can't open session file %s\n", filename);
1036 ERR_print_errors(bio_err);
1037 return 0;
1038 }
1039 PEM_write_bio_SSL_SESSION(f, sess);
1040 BIO_free(f);
1041 return 1;
1042}
1043
7946ab33
KR		 1044/*
1045 * set_protocol_version - Sets protocol version minimum or maximum
1046 *
1047 * Returns 0 on failure and 1 on success
1048 */
1049static int set_protocol_version(const char *version, SSL *ssl, int setting)
1050{
1051 if (version != NULL) {
1052 int ver = protocol_from_string(version);
1053 if (ver < 0) {
1054 BIO_printf(bio_err, "Error parsing: %s\n", version);
1055 return 0;
1056 }
1057 return SSL_ctrl(ssl, setting, ver, NULL);
1058 }
1059 return 1;
1060}
1061
6b691a5c 1062int main(int argc, char *argv[])
0f113f3e
MC		 1063{
1064 char *CApath = NULL, *CAfile = NULL;
1065 int badop = 0;
75d5bd4e 1066 enum { BIO_MEM, BIO_PAIR, BIO_IPV4, BIO_IPV6 } bio_type = BIO_MEM;
0f113f3e 1067 int force = 0;
7946ab33 1068 int dtls1 = 0, dtls12 = 0, dtls = 0, tls1 = 0, ssl3 = 0, ret = 1;
0f113f3e
MC		 1069 int client_auth = 0;
1070 int server_auth = 0, i;
1071 struct app_verify_arg app_verify_arg =
1072 { APP_CALLBACK_STRING, 0, 0, NULL, NULL };
bbd86bf5 1073 char *p;
0f113f3e
MC		 1074 SSL_CTX *c_ctx = NULL;
1075 const SSL_METHOD *meth = NULL;
1076 SSL *c_ssl, *s_ssl;
1077 int number = 1, reuse = 0;
b7dffce0
KR		 1078 int should_reuse = -1;
1079 int no_ticket = 0;
0f113f3e 1080 long bytes = 256L;
bc36ee62 1081#ifndef OPENSSL_NO_DH
0f113f3e 1082 DH *dh;
e8356e32 1083 int dhe512 = 0, dhe1024dsa = 0;
ea262260 1084#endif
edc032b5 1085#ifndef OPENSSL_NO_SRP
0f113f3e
MC		 1086 /* client */
1087 SRP_CLIENT_ARG srp_client_arg = { NULL, NULL };
1088 /* server */
1089 SRP_SERVER_ARG srp_server_arg = { NULL, NULL };
1090#endif
1091 int no_dhe = 0;
0f113f3e
MC		 1092 int no_psk = 0;
1093 int print_time = 0;
1094 clock_t s_time = 0, c_time = 0;
09b6c2ef 1095#ifndef OPENSSL_NO_COMP
9a555706 1096 int n, comp = 0;
0f113f3e
MC		 1097 COMP_METHOD *cm = NULL;
1098 STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
00a37b5a 1099#endif
086e32a6 1100#ifdef OPENSSL_FIPS
0f113f3e
MC		 1101 int fips_mode = 0;
1102#endif
6b01bed2 1103 int no_protocol;
0d5301af 1104 int min_version = 0, max_version = 0;
dd696a55
RP		 1105#ifndef OPENSSL_NO_CT
1106 /*
1107 * Disable CT validation by default, because it will interfere with
1108 * anything using custom extension handlers to deal with SCT extensions.
1109 */
43341433 1110 int ct_validation = 0;
dd696a55 1111#endif
817cd0d5 1112 SSL_CONF_CTX *s_cctx = NULL, *c_cctx = NULL, *s_cctx2 = NULL;
0f113f3e 1113 STACK_OF(OPENSSL_STRING) *conf_args = NULL;
4a640fb6 1114 char *arg = NULL, *argn = NULL;
0f113f3e
MC		 1115
1116 verbose = 0;
1117 debug = 0;
1118 cipher = 0;
1119
1120 bio_err = BIO_new_fp(stderr, BIO_NOCLOSE | BIO_FP_TEXT);
1121
bbd86bf5
RS		 1122 p = getenv("OPENSSL_DEBUG_MEMORY");
1123 if (p != NULL && strcmp(p, "on") == 0)
1124 CRYPTO_set_mem_debug(1);
0f113f3e
MC		 1125 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
1126
1127 RAND_seed(rnd_seed, sizeof rnd_seed);
1128
1129 bio_stdout = BIO_new_fp(stdout, BIO_NOCLOSE | BIO_FP_TEXT);
1130
1131 s_cctx = SSL_CONF_CTX_new();
817cd0d5 1132 s_cctx2 = SSL_CONF_CTX_new();
0f113f3e
MC		 1133 c_cctx = SSL_CONF_CTX_new();
1134
817cd0d5 1135 if (!s_cctx || !c_cctx || !s_cctx2) {
0f113f3e
MC		 1136 ERR_print_errors(bio_err);
1137 goto end;
1138 }
1139
1140 SSL_CONF_CTX_set_flags(s_cctx,
6a096889
DSH		 1141 SSL_CONF_FLAG_CMDLINE | SSL_CONF_FLAG_SERVER |
1142 SSL_CONF_FLAG_CERTIFICATE |
1143 SSL_CONF_FLAG_REQUIRE_PRIVATE);
817cd0d5
TS		 1144 SSL_CONF_CTX_set_flags(s_cctx2,
1145 SSL_CONF_FLAG_CMDLINE | SSL_CONF_FLAG_SERVER |
1146 SSL_CONF_FLAG_CERTIFICATE |
1147 SSL_CONF_FLAG_REQUIRE_PRIVATE);
0f113f3e
MC		 1148 if (!SSL_CONF_CTX_set1_prefix(s_cctx, "-s_")) {
1149 ERR_print_errors(bio_err);
1150 goto end;
1151 }
817cd0d5
TS		 1152 if (!SSL_CONF_CTX_set1_prefix(s_cctx2, "-s_")) {
1153 ERR_print_errors(bio_err);
1154 goto end;
1155 }
0f113f3e
MC		 1156
1157 SSL_CONF_CTX_set_flags(c_cctx,
6a096889
DSH		 1158 SSL_CONF_FLAG_CMDLINE | SSL_CONF_FLAG_CLIENT |
1159 SSL_CONF_FLAG_CERTIFICATE |
1160 SSL_CONF_FLAG_REQUIRE_PRIVATE);
0f113f3e
MC		 1161 if (!SSL_CONF_CTX_set1_prefix(c_cctx, "-c_")) {
1162 ERR_print_errors(bio_err);
1163 goto end;
1164 }
1165
1166 argc--;
1167 argv++;
1168
1169 while (argc >= 1) {
86885c28 1170 if (strcmp(*argv, "-F") == 0) {
086e32a6 1171#ifdef OPENSSL_FIPS
0f113f3e 1172 fips_mode = 1;
086e32a6 1173#else
0f113f3e
MC		 1174 fprintf(stderr,
1175 "not compiled with FIPS support, so exiting without running.\n");
1176 EXIT(0);
1177#endif
1178 } else if (strcmp(*argv, "-server_auth") == 0)
1179 server_auth = 1;
1180 else if (strcmp(*argv, "-client_auth") == 0)
1181 client_auth = 1;
1182 else if (strcmp(*argv, "-proxy_auth") == 0) {
1183 if (--argc < 1)
1184 goto bad;
1185 app_verify_arg.proxy_auth = *(++argv);
1186 } else if (strcmp(*argv, "-proxy_cond") == 0) {
1187 if (--argc < 1)
1188 goto bad;
1189 app_verify_arg.proxy_cond = *(++argv);
1190 } else if (strcmp(*argv, "-v") == 0)
1191 verbose = 1;
1192 else if (strcmp(*argv, "-d") == 0)
1193 debug = 1;
1194 else if (strcmp(*argv, "-reuse") == 0)
1195 reuse = 1;
e8356e32 1196 else if (strcmp(*argv, "-dhe512") == 0) {
90f5a2b6 1197#ifndef OPENSSL_NO_DH
e8356e32 1198 dhe512 = 1;
90f5a2b6 1199#else
0f113f3e 1200 fprintf(stderr,
e8356e32 1201 "ignoring -dhe512, since I'm compiled without DH\n");
90f5a2b6 1202#endif
0f113f3e 1203 } else if (strcmp(*argv, "-dhe1024dsa") == 0) {
90f5a2b6 1204#ifndef OPENSSL_NO_DH
0f113f3e 1205 dhe1024dsa = 1;
90f5a2b6 1206#else
0f113f3e 1207 fprintf(stderr,
e8356e32 1208 "ignoring -dhe1024dsa, since I'm compiled without DH\n");
0f113f3e
MC		 1209#endif
1210 } else if (strcmp(*argv, "-no_dhe") == 0)
1211 no_dhe = 1;
1212 else if (strcmp(*argv, "-no_ecdhe") == 0)
817cd0d5 1213 /* obsolete */;
0f113f3e
MC		 1214 else if (strcmp(*argv, "-psk") == 0) {
1215 if (--argc < 1)
1216 goto bad;
1217 psk_key = *(++argv);
ddac1974 1218#ifndef OPENSSL_NO_PSK
0f113f3e
MC		 1219 if (strspn(psk_key, "abcdefABCDEF1234567890") != strlen(psk_key)) {
1220 BIO_printf(bio_err, "Not a hex number '%s'\n", *argv);
1221 goto bad;
1222 }
ddac1974 1223#else
0f113f3e 1224 no_psk = 1;
ddac1974 1225#endif
0f113f3e 1226 }
edc032b5 1227#ifndef OPENSSL_NO_SRP
0f113f3e
MC		 1228 else if (strcmp(*argv, "-srpuser") == 0) {
1229 if (--argc < 1)
1230 goto bad;
1231 srp_server_arg.expected_user = srp_client_arg.srplogin =
1232 *(++argv);
0d5301af 1233 min_version = TLS1_VERSION;
0f113f3e
MC		 1234 } else if (strcmp(*argv, "-srppass") == 0) {
1235 if (--argc < 1)
1236 goto bad;
1237 srp_server_arg.pass = srp_client_arg.srppassin = *(++argv);
0d5301af 1238 min_version = TLS1_VERSION;
0f113f3e
MC		 1239 }
1240#endif
1241 else if (strcmp(*argv, "-tls1") == 0) {
0f113f3e
MC		 1242 tls1 = 1;
1243 } else if (strcmp(*argv, "-ssl3") == 0) {
0f113f3e 1244 ssl3 = 1;
98b8cdd3 1245 } else if (strcmp(*argv, "-dtls1") == 0) {
98b8cdd3
DW		 1246 dtls1 = 1;
1247 } else if (strcmp(*argv, "-dtls12") == 0) {
98b8cdd3 1248 dtls12 = 1;
7946ab33 1249 } else if (strcmp(*argv, "-dtls") == 0) {
7946ab33 1250 dtls = 1;
0f113f3e
MC		 1251 } else if (strncmp(*argv, "-num", 4) == 0) {
1252 if (--argc < 1)
1253 goto bad;
1254 number = atoi(*(++argv));
1255 if (number == 0)
1256 number = 1;
1257 } else if (strcmp(*argv, "-bytes") == 0) {
1258 if (--argc < 1)
1259 goto bad;
1260 bytes = atol(*(++argv));
1261 if (bytes == 0L)
1262 bytes = 1L;
1263 i = strlen(argv[0]);
1264 if (argv[0][i - 1] == 'k')
1265 bytes *= 1024L;
1266 if (argv[0][i - 1] == 'm')
1267 bytes *= 1024L * 1024L;
0f113f3e
MC		 1268 } else if (strcmp(*argv, "-cipher") == 0) {
1269 if (--argc < 1)
1270 goto bad;
1271 cipher = *(++argv);
1272 } else if (strcmp(*argv, "-CApath") == 0) {
1273 if (--argc < 1)
1274 goto bad;
1275 CApath = *(++argv);
1276 } else if (strcmp(*argv, "-CAfile") == 0) {
1277 if (--argc < 1)
1278 goto bad;
1279 CAfile = *(++argv);
1280 } else if (strcmp(*argv, "-bio_pair") == 0) {
75d5bd4e 1281 bio_type = BIO_PAIR;
f9e55034
MC		 1282 }
1283#ifndef OPENSSL_NO_SOCK
1284 else if (strcmp(*argv, "-ipv4") == 0) {
75d5bd4e
RL		 1285 bio_type = BIO_IPV4;
1286 } else if (strcmp(*argv, "-ipv6") == 0) {
1287 bio_type = BIO_IPV6;
f9e55034
MC		 1288 }
1289#endif
1290 else if (strcmp(*argv, "-f") == 0) {
0f113f3e
MC		 1291 force = 1;
1292 } else if (strcmp(*argv, "-time") == 0) {
1293 print_time = 1;
1294 }
dd696a55
RP		 1295#ifndef OPENSSL_NO_CT
1296 else if (strcmp(*argv, "-noct") == 0) {
43341433 1297 ct_validation = 0;
dd696a55 1298 }
43341433
VD		 1299 else if (strcmp(*argv, "-ct") == 0) {
1300 ct_validation = 1;
dd696a55
RP		 1301 }
1302#endif
a4c4a7d5 1303#ifndef OPENSSL_NO_COMP
0f113f3e
MC		 1304 else if (strcmp(*argv, "-zlib") == 0) {
1305 comp = COMP_ZLIB;
0f113f3e
MC		 1306 }
1307#endif
817cd0d5 1308 else if (strcmp(*argv, "-app_verify") == 0) {
0f113f3e
MC		 1309 app_verify_arg.app_verify = 1;
1310 } else if (strcmp(*argv, "-proxy") == 0) {
1311 app_verify_arg.allow_proxy_certs = 1;
0f113f3e 1312 }
2911575c 1313#ifndef OPENSSL_NO_NEXTPROTONEG
5a22cf96 1314 else if (strcmp(*argv, "-npn_client") == 0) {
0f113f3e
MC		 1315 npn_client = 1;
1316 } else if (strcmp(*argv, "-npn_server") == 0) {
1317 npn_server = 1;
1318 } else if (strcmp(*argv, "-npn_server_reject") == 0) {
1319 npn_server_reject = 1;
1320 }
1321#endif
1322 else if (strcmp(*argv, "-serverinfo_sct") == 0) {
1323 serverinfo_sct = 1;
1324 } else if (strcmp(*argv, "-serverinfo_tack") == 0) {
1325 serverinfo_tack = 1;
1326 } else if (strcmp(*argv, "-serverinfo_file") == 0) {
1327 if (--argc < 1)
1328 goto bad;
1329 serverinfo_file = *(++argv);
1330 } else if (strcmp(*argv, "-custom_ext") == 0) {
1331 custom_ext = 1;
1332 } else if (strcmp(*argv, "-alpn_client") == 0) {
1333 if (--argc < 1)
1334 goto bad;
1335 alpn_client = *(++argv);
817cd0d5
TS		 1336 } else if (strcmp(*argv, "-alpn_server") == 0 ||
1337 strcmp(*argv, "-alpn_server1") == 0) {
0f113f3e
MC		 1338 if (--argc < 1)
1339 goto bad;
1340 alpn_server = *(++argv);
817cd0d5
TS		 1341 } else if (strcmp(*argv, "-alpn_server2") == 0) {
1342 if (--argc < 1)
1343 goto bad;
1344 alpn_server2 = *(++argv);
0f113f3e
MC		 1345 } else if (strcmp(*argv, "-alpn_expected") == 0) {
1346 if (--argc < 1)
1347 goto bad;
1348 alpn_expected = *(++argv);
7946ab33
KR		 1349 } else if (strcmp(*argv, "-server_min_proto") == 0) {
1350 if (--argc < 1)
1351 goto bad;
1352 server_min_proto = *(++argv);
1353 } else if (strcmp(*argv, "-server_max_proto") == 0) {
1354 if (--argc < 1)
1355 goto bad;
1356 server_max_proto = *(++argv);
1357 } else if (strcmp(*argv, "-client_min_proto") == 0) {
1358 if (--argc < 1)
1359 goto bad;
1360 client_min_proto = *(++argv);
1361 } else if (strcmp(*argv, "-client_max_proto") == 0) {
1362 if (--argc < 1)
1363 goto bad;
1364 client_max_proto = *(++argv);
1365 } else if (strcmp(*argv, "-should_negotiate") == 0) {
1366 if (--argc < 1)
1367 goto bad;
1368 should_negotiate = *(++argv);
817cd0d5
TS		 1369 } else if (strcmp(*argv, "-sn_client") == 0) {
1370 if (--argc < 1)
1371 goto bad;
1372 sn_client = *(++argv);
1373 } else if (strcmp(*argv, "-sn_server1") == 0) {
1374 if (--argc < 1)
1375 goto bad;
1376 sn_server1 = *(++argv);
1377 } else if (strcmp(*argv, "-sn_server2") == 0) {
1378 if (--argc < 1)
1379 goto bad;
1380 sn_server2 = *(++argv);
1381 } else if (strcmp(*argv, "-sn_expect1") == 0) {
1382 sn_expect = 1;
1383 } else if (strcmp(*argv, "-sn_expect2") == 0) {
1384 sn_expect = 2;
b7dffce0
KR		 1385 } else if (strcmp(*argv, "-server_sess_out") == 0) {
1386 if (--argc < 1)
1387 goto bad;
1388 server_sess_out = *(++argv);
1389 } else if (strcmp(*argv, "-server_sess_in") == 0) {
1390 if (--argc < 1)
1391 goto bad;
1392 server_sess_in = *(++argv);
1393 } else if (strcmp(*argv, "-client_sess_out") == 0) {
1394 if (--argc < 1)
1395 goto bad;
1396 client_sess_out = *(++argv);
1397 } else if (strcmp(*argv, "-client_sess_in") == 0) {
1398 if (--argc < 1)
1399 goto bad;
1400 client_sess_in = *(++argv);
1401 } else if (strcmp(*argv, "-should_reuse") == 0) {
1402 if (--argc < 1)
1403 goto bad;
1404 should_reuse = !!atoi(*(++argv));
1405 } else if (strcmp(*argv, "-no_ticket") == 0) {
1406 no_ticket = 1;
0f113f3e
MC		 1407 } else {
1408 int rv;
1409 arg = argv[0];
1410 argn = argv[1];
1411 /* Try to process command using SSL_CONF */
1412 rv = SSL_CONF_cmd_argv(c_cctx, &argc, &argv);
1413 /* If not processed try server */
1414 if (rv == 0)
1415 rv = SSL_CONF_cmd_argv(s_cctx, &argc, &argv);
1416 /* Recognised: store it for later use */
1417 if (rv > 0) {
1418 if (rv == 1)
1419 argn = NULL;
1420 if (!conf_args) {
1421 conf_args = sk_OPENSSL_STRING_new_null();
1422 if (!conf_args)
1423 goto end;
1424 }
1425 if (!sk_OPENSSL_STRING_push(conf_args, arg))
1426 goto end;
1427 if (!sk_OPENSSL_STRING_push(conf_args, argn))
1428 goto end;
1429 continue;
1430 }
1431 if (rv == -3)
1432 BIO_printf(bio_err, "Missing argument for %s\n", arg);
1433 else if (rv < 0)
1434 BIO_printf(bio_err, "Error with command %s\n", arg);
1435 else if (rv == 0)
1436 BIO_printf(bio_err, "unknown option %s\n", arg);
1437 badop = 1;
1438 break;
1439 }
1440 argc--;
1441 argv++;
1442 }
1443 if (badop) {
1444 bad:
1445 sv_usage();
1446 goto end;
1447 }
1448
7946ab33
KR		 1449 if (ssl3 + tls1 + dtls + dtls1 + dtls12 > 1) {
1450 fprintf(stderr, "At most one of -ssl3, -tls1, -dtls, -dtls1 or -dtls12 should "
0f113f3e
MC		 1451 "be requested.\n");
1452 EXIT(1);
1453 }
1454
6b01bed2
VD		 1455#ifdef OPENSSL_NO_SSL3
1456 if (ssl3)
1457 no_protocol = 1;
1458 else
1459#endif
1460#ifdef OPENSSL_NO_TLS1
1461 if (tls1)
1462 no_protocol = 1;
1463 else
1464#endif
1465#if defined(OPENSSL_NO_DTLS) || defined(OPENSSL_NO_DTLS1)
1466 if (dtls1)
1467 no_protocol = 1;
1468 else
1469#endif
1470#if defined(OPENSSL_NO_DTLS) || defined(OPENSSL_NO_DTLS1_2)
1471 if (dtls12)
1472 no_protocol = 1;
1473 else
1474#endif
1475 no_protocol = 0;
1476
0f113f3e
MC		 1477 /*
1478 * Testing was requested for a compiled-out protocol (e.g. SSLv3).
1479 * Ideally, we would error out, but the generic test wrapper can't know
1480 * when to expect failure. So we do nothing and return success.
1481 */
1482 if (no_protocol) {
1483 fprintf(stderr, "Testing was requested for a disabled protocol. "
1484 "Skipping tests.\n");
1485 ret = 0;
1486 goto end;
1487 }
1488
7946ab33 1489 if (!ssl3 && !tls1 && !dtls && !dtls1 && !dtls12 && number > 1 && !reuse && !force) {
0f113f3e
MC		 1490 fprintf(stderr, "This case cannot work. Use -f to perform "
1491 "the test anyway (and\n-d to see what happens), "
7946ab33 1492 "or add one of -ssl3, -tls1, -dtls, -dtls1, -dtls12, -reuse\n"
0f113f3e
MC		 1493 "to avoid protocol mismatch.\n");
1494 EXIT(1);
1495 }
086e32a6 1496#ifdef OPENSSL_FIPS
0f113f3e
MC		 1497 if (fips_mode) {
1498 if (!FIPS_mode_set(1)) {
0f81f5f7 1499 ERR_print_errors(bio_err);
0f113f3e
MC		 1500 EXIT(1);
1501 } else
1502 fprintf(stderr, "*** IN FIPS MODE ***\n");
1503 }
1504#endif
1505
1506 if (print_time) {
75d5bd4e 1507 if (bio_type != BIO_PAIR) {
0f113f3e 1508 fprintf(stderr, "Using BIO pair (-bio_pair)\n");
75d5bd4e 1509 bio_type = BIO_PAIR;
0f113f3e
MC		 1510 }
1511 if (number < 50 && !force)
1512 fprintf(stderr,
1513 "Warning: For accurate timings, use more connections (e.g. -num 1000)\n");
1514 }
1515
1516/* if (cipher == NULL) cipher=getenv("SSL_CIPHER"); */
1517
09b6c2ef 1518#ifndef OPENSSL_NO_COMP
0f113f3e
MC		 1519 if (comp == COMP_ZLIB)
1520 cm = COMP_zlib();
0f113f3e 1521 if (cm != NULL) {
9a555706 1522 if (COMP_get_type(cm) != NID_undef) {
0f113f3e
MC		 1523 if (SSL_COMP_add_compression_method(comp, cm) != 0) {
1524 fprintf(stderr, "Failed to add compression method\n");
1525 ERR_print_errors_fp(stderr);
1526 }
1527 } else {
1528 fprintf(stderr,
1529 "Warning: %s compression not supported\n",
45ddce21 1530 comp == COMP_ZLIB ? "zlib" : "unknown");
0f113f3e
MC		 1531 ERR_print_errors_fp(stderr);
1532 }
1533 }
1534 ssl_comp_methods = SSL_COMP_get_compression_methods();
3dca57f8
RS		 1535 n = sk_SSL_COMP_num(ssl_comp_methods);
1536 if (n) {
1537 int j;
1538 printf("Available compression methods:");
1539 for (j = 0; j < n; j++) {
1540 SSL_COMP *c = sk_SSL_COMP_value(ssl_comp_methods, j);
1541 printf(" %s:%d", c->name, c->id);
22ebaae0 1542 }
3dca57f8 1543 printf("\n");
0f113f3e
MC		 1544 }
1545#endif
1546
0d5301af
KR		 1547#ifndef OPENSSL_NO_TLS
1548 meth = TLS_method();
1549 if (ssl3) {
1550 min_version = SSL3_VERSION;
1551 max_version = SSL3_VERSION;
1552 } else if (tls1) {
1553 min_version = TLS1_VERSION;
1554 max_version = TLS1_VERSION;
1555 }
6b01bed2 1556#endif
0d5301af
KR		 1557#ifndef OPENSSL_NO_DTLS
1558 if (dtls || dtls1 || dtls12)
7946ab33 1559 meth = DTLS_method();
0d5301af
KR		 1560 if (dtls1) {
1561 min_version = DTLS1_VERSION;
1562 max_version = DTLS1_VERSION;
1563 } else if (dtls12) {
1564 min_version = DTLS1_2_VERSION;
1565 max_version = DTLS1_2_VERSION;
1566 }
6b01bed2 1567#endif
0f113f3e
MC		 1568
1569 c_ctx = SSL_CTX_new(meth);
1570 s_ctx = SSL_CTX_new(meth);
817cd0d5
TS		 1571 s_ctx2 = SSL_CTX_new(meth); /* no SSL_CTX_dup! */
1572 if ((c_ctx == NULL) || (s_ctx == NULL) || (s_ctx2 == NULL)) {
0f113f3e
MC		 1573 ERR_print_errors(bio_err);
1574 goto end;
1575 }
1576 /*
1577 * Since we will use low security ciphersuites and keys for testing set
15a06488
EK		 1578 * security level to zero by default. Tests can override this by adding
1579 * "@SECLEVEL=n" to the cipher string.
0f113f3e
MC		 1580 */
1581 SSL_CTX_set_security_level(c_ctx, 0);
1582 SSL_CTX_set_security_level(s_ctx, 0);
817cd0d5 1583 SSL_CTX_set_security_level(s_ctx2, 0);
0f113f3e 1584
b7dffce0
KR		 1585 if (no_ticket) {
1586 SSL_CTX_set_options(c_ctx, SSL_OP_NO_TICKET);
1587 SSL_CTX_set_options(s_ctx, SSL_OP_NO_TICKET);
1588 }
1589
0d5301af
KR		 1590 if (SSL_CTX_set_min_proto_version(c_ctx, min_version) == 0)
1591 goto end;
1592 if (SSL_CTX_set_max_proto_version(c_ctx, max_version) == 0)
1593 goto end;
1594 if (SSL_CTX_set_min_proto_version(s_ctx, min_version) == 0)
1595 goto end;
1596 if (SSL_CTX_set_max_proto_version(s_ctx, max_version) == 0)
1597 goto end;
1598
0f113f3e 1599 if (cipher != NULL) {
61986d32 1600 if (!SSL_CTX_set_cipher_list(c_ctx, cipher)
817cd0d5
TS		 1601 || !SSL_CTX_set_cipher_list(s_ctx, cipher)
1602 || !SSL_CTX_set_cipher_list(s_ctx2, cipher)) {
69f68237
MC		 1603 ERR_print_errors(bio_err);
1604 goto end;
1605 }
0f113f3e
MC		 1606 }
1607
dd696a55 1608#ifndef OPENSSL_NO_CT
43341433
VD		 1609 if (ct_validation &&
1610 !SSL_CTX_enable_ct(c_ctx, SSL_CT_VALIDATION_STRICT)) {
dd696a55
RP		 1611 ERR_print_errors(bio_err);
1612 goto end;
1613 }
1614#endif
1615
0f113f3e
MC		 1616 /* Process SSL_CONF arguments */
1617 SSL_CONF_CTX_set_ssl_ctx(c_cctx, c_ctx);
1618 SSL_CONF_CTX_set_ssl_ctx(s_cctx, s_ctx);
817cd0d5 1619 SSL_CONF_CTX_set_ssl_ctx(s_cctx2, s_ctx2);
0f113f3e
MC		 1620
1621 for (i = 0; i < sk_OPENSSL_STRING_num(conf_args); i += 2) {
1622 int rv;
1623 arg = sk_OPENSSL_STRING_value(conf_args, i);
1624 argn = sk_OPENSSL_STRING_value(conf_args, i + 1);
1625 rv = SSL_CONF_cmd(c_cctx, arg, argn);
1626 /* If not recognised use server context */
817cd0d5 1627 if (rv == -2) {
b2d6aed4
MC		 1628 rv = SSL_CONF_cmd(s_cctx2, arg, argn);
1629 if (rv > 0)
1630 rv = SSL_CONF_cmd(s_cctx, arg, argn);
817cd0d5 1631 }
0f113f3e
MC		 1632 if (rv <= 0) {
1633 BIO_printf(bio_err, "Error processing %s %s\n",
1634 arg, argn ? argn : "");
1635 ERR_print_errors(bio_err);
1636 goto end;
1637 }
1638 }
1639
817cd0d5 1640 if (!SSL_CONF_CTX_finish(s_cctx) || !SSL_CONF_CTX_finish(c_cctx) || !SSL_CONF_CTX_finish(s_cctx2)) {
0f113f3e
MC		 1641 BIO_puts(bio_err, "Error finishing context\n");
1642 ERR_print_errors(bio_err);
1643 goto end;
1644 }
bc36ee62 1645#ifndef OPENSSL_NO_DH
0f113f3e
MC		 1646 if (!no_dhe) {
1647 if (dhe1024dsa) {
0f113f3e 1648 dh = get_dh1024dsa();
e8356e32 1649 } else if (dhe512)
0f113f3e 1650 dh = get_dh512();
e8356e32
EK		 1651 else
1652 dh = get_dh1024();
0f113f3e 1653 SSL_CTX_set_tmp_dh(s_ctx, dh);
817cd0d5 1654 SSL_CTX_set_tmp_dh(s_ctx2, dh);
0f113f3e
MC		 1655 DH_free(dh);
1656 }
e4589582 1657#else
0f113f3e 1658 (void)no_dhe;
58964a49
RE		 1659#endif
1660
0f113f3e
MC		 1661 if ((!SSL_CTX_load_verify_locations(s_ctx, CAfile, CApath)) ||
1662 (!SSL_CTX_set_default_verify_paths(s_ctx)) ||
817cd0d5
TS		 1663 (!SSL_CTX_load_verify_locations(s_ctx2, CAfile, CApath)) ||
1664 (!SSL_CTX_set_default_verify_paths(s_ctx2)) ||
0f113f3e 1665 (!SSL_CTX_load_verify_locations(c_ctx, CAfile, CApath)) ||
dd696a55 1666 (!SSL_CTX_set_default_verify_paths(c_ctx))) {
0f113f3e
MC		 1667 /* fprintf(stderr,"SSL_load_verify_locations\n"); */
1668 ERR_print_errors(bio_err);
1669 /* goto end; */
1670 }
1671
b5369582 1672#ifndef OPENSSL_NO_CT
dd696a55 1673 if (!SSL_CTX_set_default_ctlog_list_file(s_ctx) ||
817cd0d5 1674 !SSL_CTX_set_default_ctlog_list_file(s_ctx2) ||
dd696a55
RP		 1675 !SSL_CTX_set_default_ctlog_list_file(c_ctx)) {
1676 ERR_print_errors(bio_err);
1677 }
b5369582 1678#endif
dd696a55 1679
0f113f3e 1680 if (client_auth) {
3dca57f8 1681 printf("client authentication\n");
0f113f3e
MC		 1682 SSL_CTX_set_verify(s_ctx,
1683 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
1684 verify_callback);
817cd0d5
TS		 1685 SSL_CTX_set_verify(s_ctx2,
1686 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
1687 verify_callback);
0f113f3e
MC		 1688 SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback,
1689 &app_verify_arg);
817cd0d5
TS		 1690 SSL_CTX_set_cert_verify_callback(s_ctx2, app_verify_callback,
1691 &app_verify_arg);
0f113f3e
MC		 1692 }
1693 if (server_auth) {
3dca57f8 1694 printf("server authentication\n");
0f113f3e
MC		 1695 SSL_CTX_set_verify(c_ctx, SSL_VERIFY_PEER, verify_callback);
1696 SSL_CTX_set_cert_verify_callback(c_ctx, app_verify_callback,
1697 &app_verify_arg);
1698 }
1699
1700 {
1701 int session_id_context = 0;
61986d32 1702 if (!SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context,
817cd0d5
TS		 1703 sizeof session_id_context) ||
1704 !SSL_CTX_set_session_id_context(s_ctx2, (void *)&session_id_context,
1705 sizeof session_id_context)) {
69f68237
MC		 1706 ERR_print_errors(bio_err);
1707 goto end;
1708 }
0f113f3e
MC		 1709 }
1710
1711 /* Use PSK only if PSK key is given */
1712 if (psk_key != NULL) {
1713 /*
1714 * no_psk is used to avoid putting psk command to openssl tool
1715 */
1716 if (no_psk) {
1717 /*
1718 * if PSK is not compiled in and psk key is given, do nothing and
1719 * exit successfully
1720 */
1721 ret = 0;
1722 goto end;
1723 }
ddac1974 1724#ifndef OPENSSL_NO_PSK
0f113f3e
MC		 1725 SSL_CTX_set_psk_client_callback(c_ctx, psk_client_callback);
1726 SSL_CTX_set_psk_server_callback(s_ctx, psk_server_callback);
817cd0d5 1727 SSL_CTX_set_psk_server_callback(s_ctx2, psk_server_callback);
0f113f3e
MC		 1728 if (debug)
1729 BIO_printf(bio_err, "setting PSK identity hint to s_ctx\n");
817cd0d5
TS		 1730 if (!SSL_CTX_use_psk_identity_hint(s_ctx, "ctx server identity_hint") ||
1731 !SSL_CTX_use_psk_identity_hint(s_ctx2, "ctx server identity_hint")) {
0f113f3e
MC		 1732 BIO_printf(bio_err, "error setting PSK identity hint to s_ctx\n");
1733 ERR_print_errors(bio_err);
1734 goto end;
1735 }
1736#endif
1737 }
edc032b5 1738#ifndef OPENSSL_NO_SRP
0f113f3e
MC		 1739 if (srp_client_arg.srplogin) {
1740 if (!SSL_CTX_set_srp_username(c_ctx, srp_client_arg.srplogin)) {
1741 BIO_printf(bio_err, "Unable to set SRP username\n");
1742 goto end;
1743 }
1744 SSL_CTX_set_srp_cb_arg(c_ctx, &srp_client_arg);
1745 SSL_CTX_set_srp_client_pwd_callback(c_ctx,
1746 ssl_give_srp_client_pwd_cb);
1747 /*
1748 * SSL_CTX_set_srp_strength(c_ctx, srp_client_arg.strength);
1749 */
1750 }
1751
1752 if (srp_server_arg.expected_user != NULL) {
1753 SSL_CTX_set_verify(s_ctx, SSL_VERIFY_NONE, verify_callback);
817cd0d5 1754 SSL_CTX_set_verify(s_ctx2, SSL_VERIFY_NONE, verify_callback);
0f113f3e 1755 SSL_CTX_set_srp_cb_arg(s_ctx, &srp_server_arg);
817cd0d5 1756 SSL_CTX_set_srp_cb_arg(s_ctx2, &srp_server_arg);
0f113f3e 1757 SSL_CTX_set_srp_username_callback(s_ctx, ssl_srp_server_param_cb);
817cd0d5 1758 SSL_CTX_set_srp_username_callback(s_ctx2, ssl_srp_server_param_cb);
0f113f3e 1759 }
edc032b5 1760#endif
ddac1974 1761
2911575c 1762#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e
MC		 1763 if (npn_client) {
1764 SSL_CTX_set_next_proto_select_cb(c_ctx, cb_client_npn, NULL);
1765 }
1766 if (npn_server) {
1767 if (npn_server_reject) {
1768 BIO_printf(bio_err,
1769 "Can't have both -npn_server and -npn_server_reject\n");
1770 goto end;
1771 }
1772 SSL_CTX_set_next_protos_advertised_cb(s_ctx, cb_server_npn, NULL);
817cd0d5 1773 SSL_CTX_set_next_protos_advertised_cb(s_ctx2, cb_server_npn, NULL);
0f113f3e
MC		 1774 }
1775 if (npn_server_reject) {
1776 SSL_CTX_set_next_protos_advertised_cb(s_ctx, cb_server_rejects_npn,
1777 NULL);
817cd0d5
TS		 1778 SSL_CTX_set_next_protos_advertised_cb(s_ctx2, cb_server_rejects_npn,
1779 NULL);
0f113f3e
MC		 1780 }
1781#endif
1782
69f68237 1783 if (serverinfo_sct) {
dd696a55
RP		 1784 if (!SSL_CTX_add_client_custom_ext(c_ctx,
1785 TLSEXT_TYPE_signed_certificate_timestamp,
1786 NULL, NULL, NULL,
1787 serverinfo_cli_parse_cb, NULL)) {
69f68237
MC		 1788 BIO_printf(bio_err, "Error adding SCT extension\n");
1789 goto end;
1790 }
1791 }
1792 if (serverinfo_tack) {
61986d32 1793 if (!SSL_CTX_add_client_custom_ext(c_ctx, TACK_EXT_TYPE,
0f113f3e 1794 NULL, NULL, NULL,
69f68237
MC		 1795 serverinfo_cli_parse_cb, NULL)) {
1796 BIO_printf(bio_err, "Error adding TACK extension\n");
1797 goto end;
1798 }
1799 }
0f113f3e 1800 if (serverinfo_file)
817cd0d5
TS		 1801 if (!SSL_CTX_use_serverinfo_file(s_ctx, serverinfo_file) ||
1802 !SSL_CTX_use_serverinfo_file(s_ctx2, serverinfo_file)) {
0f113f3e
MC		 1803 BIO_printf(bio_err, "missing serverinfo file\n");
1804 goto end;
1805 }
1806
1807 if (custom_ext) {
61986d32 1808 if (!SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_0,
0f113f3e
MC		 1809 custom_ext_0_cli_add_cb,
1810 NULL, NULL,
69f68237 1811 custom_ext_0_cli_parse_cb, NULL)
61986d32 1812 || !SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_1,
0f113f3e
MC		 1813 custom_ext_1_cli_add_cb,
1814 NULL, NULL,
69f68237 1815 custom_ext_1_cli_parse_cb, NULL)
61986d32 1816 || !SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_2,
0f113f3e
MC		 1817 custom_ext_2_cli_add_cb,
1818 NULL, NULL,
69f68237 1819 custom_ext_2_cli_parse_cb, NULL)
61986d32 1820 || !SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_3,
0f113f3e
MC		 1821 custom_ext_3_cli_add_cb,
1822 NULL, NULL,
69f68237 1823 custom_ext_3_cli_parse_cb, NULL)
61986d32 1824 || !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_0,
0f113f3e
MC		 1825 custom_ext_0_srv_add_cb,
1826 NULL, NULL,
69f68237 1827 custom_ext_0_srv_parse_cb, NULL)
817cd0d5
TS		 1828 || !SSL_CTX_add_server_custom_ext(s_ctx2, CUSTOM_EXT_TYPE_0,
1829 custom_ext_0_srv_add_cb,
1830 NULL, NULL,
1831 custom_ext_0_srv_parse_cb, NULL)
61986d32 1832 || !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_1,
0f113f3e
MC		 1833 custom_ext_1_srv_add_cb,
1834 NULL, NULL,
69f68237 1835 custom_ext_1_srv_parse_cb, NULL)
817cd0d5
TS		 1836 || !SSL_CTX_add_server_custom_ext(s_ctx2, CUSTOM_EXT_TYPE_1,
1837 custom_ext_1_srv_add_cb,
1838 NULL, NULL,
1839 custom_ext_1_srv_parse_cb, NULL)
61986d32 1840 || !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_2,
0f113f3e
MC		 1841 custom_ext_2_srv_add_cb,
1842 NULL, NULL,
69f68237 1843 custom_ext_2_srv_parse_cb, NULL)
817cd0d5
TS		 1844 || !SSL_CTX_add_server_custom_ext(s_ctx2, CUSTOM_EXT_TYPE_2,
1845 custom_ext_2_srv_add_cb,
1846 NULL, NULL,
1847 custom_ext_2_srv_parse_cb, NULL)
61986d32 1848 || !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_3,
817cd0d5
TS		 1849 custom_ext_3_srv_add_cb,
1850 NULL, NULL,
1851 custom_ext_3_srv_parse_cb, NULL)
1852 || !SSL_CTX_add_server_custom_ext(s_ctx2, CUSTOM_EXT_TYPE_3,
0f113f3e
MC		 1853 custom_ext_3_srv_add_cb,
1854 NULL, NULL,
69f68237
MC		 1855 custom_ext_3_srv_parse_cb, NULL)) {
1856 BIO_printf(bio_err, "Error setting custom extensions\n");
1857 goto end;
1858 }
0f113f3e
MC		 1859 }
1860
1861 if (alpn_server)
817cd0d5
TS		 1862 SSL_CTX_set_alpn_select_cb(s_ctx, cb_server_alpn, alpn_server);
1863 if (alpn_server2)
1864 SSL_CTX_set_alpn_select_cb(s_ctx2, cb_server_alpn, alpn_server2);
0f113f3e
MC		 1865
1866 if (alpn_client) {
817cd0d5 1867 size_t alpn_len;
0f113f3e
MC		 1868 unsigned char *alpn = next_protos_parse(&alpn_len, alpn_client);
1869
1870 if (alpn == NULL) {
1871 BIO_printf(bio_err, "Error parsing -alpn_client argument\n");
1872 goto end;
1873 }
69f68237 1874 /* Returns 0 on success!! */
61986d32 1875 if (SSL_CTX_set_alpn_protos(c_ctx, alpn, alpn_len)) {
69f68237
MC		 1876 BIO_printf(bio_err, "Error setting ALPN\n");
1877 OPENSSL_free(alpn);
1878 goto end;
1879 }
0f113f3e
MC		 1880 OPENSSL_free(alpn);
1881 }
1882
b7dffce0
KR		 1883 if (server_sess_in != NULL) {
1884 server_sess = read_session(server_sess_in);
1885 if (server_sess == NULL)
1886 goto end;
1887 }
1888 if (client_sess_in != NULL) {
1889 client_sess = read_session(client_sess_in);
1890 if (client_sess == NULL)
1891 goto end;
1892 }
1893
1894 if (server_sess_out != NULL || server_sess_in != NULL) {
1895 char *keys;
1896 long size;
1897
1898 /* Use a fixed key so that we can decrypt the ticket. */
1899 size = SSL_CTX_set_tlsext_ticket_keys(s_ctx, NULL, 0);
1900 keys = OPENSSL_zalloc(size);
1901 SSL_CTX_set_tlsext_ticket_keys(s_ctx, keys, size);
1902 OPENSSL_free(keys);
1903 }
1904
817cd0d5
TS		 1905 if (sn_server1 != NULL || sn_server2 != NULL)
1906 SSL_CTX_set_tlsext_servername_callback(s_ctx, servername_cb);
1907
0f113f3e
MC		 1908 c_ssl = SSL_new(c_ctx);
1909 s_ssl = SSL_new(s_ctx);
58964a49 1910
817cd0d5
TS		 1911 if (sn_client)
1912 SSL_set_tlsext_host_name(c_ssl, sn_client);
1913
7946ab33
KR		 1914 if (!set_protocol_version(server_min_proto, s_ssl, SSL_CTRL_SET_MIN_PROTO_VERSION))
1915 goto end;
1916 if (!set_protocol_version(server_max_proto, s_ssl, SSL_CTRL_SET_MAX_PROTO_VERSION))
1917 goto end;
1918 if (!set_protocol_version(client_min_proto, c_ssl, SSL_CTRL_SET_MIN_PROTO_VERSION))
1919 goto end;
1920 if (!set_protocol_version(client_max_proto, c_ssl, SSL_CTRL_SET_MAX_PROTO_VERSION))
1921 goto end;
1922
b7dffce0
KR		 1923 if (server_sess) {
1924 if (SSL_CTX_add_session(s_ctx, server_sess) == 0) {
1925 BIO_printf(bio_err, "Can't add server session\n");
1926 ERR_print_errors(bio_err);
1927 goto end;
1928 }
1929 }
1930
3dca57f8 1931 BIO_printf(bio_stdout, "Doing handshakes=%d bytes=%ld\n", number, bytes);
0f113f3e 1932 for (i = 0; i < number; i++) {
69f68237 1933 if (!reuse) {
61986d32 1934 if (!SSL_set_session(c_ssl, NULL)) {
69f68237
MC		 1935 BIO_printf(bio_err, "Failed to set session\n");
1936 goto end;
1937 }
1938 }
b7dffce0
KR		 1939 if (client_sess_in != NULL) {
1940 if (SSL_set_session(c_ssl, client_sess) == 0) {
1941 BIO_printf(bio_err, "Can't set client session\n");
1942 ERR_print_errors(bio_err);
1943 goto end;
1944 }
1945 }
75d5bd4e
RL		 1946 switch (bio_type) {
1947 case BIO_MEM:
0f113f3e 1948 ret = doit(s_ssl, c_ssl, bytes);
75d5bd4e
RL		 1949 break;
1950 case BIO_PAIR:
1951 ret = doit_biopair(s_ssl, c_ssl, bytes, &s_time, &c_time);
1952 break;
f9e55034 1953#ifndef OPENSSL_NO_SOCK
75d5bd4e
RL		 1954 case BIO_IPV4:
1955 ret = doit_localhost(s_ssl, c_ssl, BIO_FAMILY_IPV4,
1956 bytes, &s_time, &c_time);
1957 break;
1958 case BIO_IPV6:
1959 ret = doit_localhost(s_ssl, c_ssl, BIO_FAMILY_IPV6,
1960 bytes, &s_time, &c_time);
1961 break;
f9e55034
MC		 1962#else
1963 case BIO_IPV4:
1964 case BIO_IPV6:
1965 ret = 1;
1966 goto err;
1967#endif
75d5bd4e
RL		 1968 }
1969 if (ret) break;
0f113f3e
MC		 1970 }
1971
7946ab33
KR		 1972 if (should_negotiate && ret == 0 &&
1973 strcmp(should_negotiate, "fail-server") != 0 &&
1974 strcmp(should_negotiate, "fail-client") != 0) {
1975 int version = protocol_from_string(should_negotiate);
1976 if (version < 0) {
1977 BIO_printf(bio_err, "Error parsing: %s\n", should_negotiate);
1978 ret = 1;
1979 goto err;
1980 }
1981 if (SSL_version(c_ssl) != version) {
1982 BIO_printf(bio_err, "Unxpected version negotiated. "
1983 "Expected: %s, got %s\n", should_negotiate, SSL_get_version(c_ssl));
1984 ret = 1;
1985 goto err;
1986 }
1987 }
1988
b7dffce0
KR		 1989 if (should_reuse != -1) {
1990 if (SSL_session_reused(s_ssl) != should_reuse ||
1991 SSL_session_reused(c_ssl) != should_reuse) {
1992 BIO_printf(bio_err, "Unexpected session reuse state. "
1993 "Expected: %d, server: %d, client: %d\n", should_reuse,
1994 SSL_session_reused(s_ssl), SSL_session_reused(c_ssl));
1995 ret = 1;
1996 goto err;
1997 }
1998 }
1999
2000 if (server_sess_out != NULL) {
2001 if (write_session(server_sess_out, SSL_get_session(s_ssl)) == 0) {
2002 ret = 1;
2003 goto err;
2004 }
2005 }
2006 if (client_sess_out != NULL) {
2007 if (write_session(client_sess_out, SSL_get_session(c_ssl)) == 0) {
2008 ret = 1;
2009 goto err;
2010 }
2011 }
2012
0f113f3e
MC		 2013 if (!verbose) {
2014 print_details(c_ssl, "");
2015 }
0f113f3e 2016 if (print_time) {
617d71bc 2017#ifdef CLOCKS_PER_SEC
0f113f3e
MC		 2018 /*
2019 * "To determine the time in seconds, the value returned by the clock
2020 * function should be divided by the value of the macro
2021 * CLOCKS_PER_SEC." -- ISO/IEC 9899
2022 */
2023 BIO_printf(bio_stdout, "Approximate total server time: %6.2f s\n"
2024 "Approximate total client time: %6.2f s\n",
2025 (double)s_time / CLOCKS_PER_SEC,
2026 (double)c_time / CLOCKS_PER_SEC);
617d71bc 2027#else
0f113f3e
MC		 2028 BIO_printf(bio_stdout,
2029 "Approximate total server time: %6.2f units\n"
2030 "Approximate total client time: %6.2f units\n",
2031 (double)s_time, (double)c_time);
617d71bc 2032#endif
0f113f3e 2033 }
58964a49 2034
7946ab33 2035 err:
0f113f3e
MC		 2036 SSL_free(s_ssl);
2037 SSL_free(c_ssl);
58964a49 2038
0f113f3e 2039 end:
62adbcee 2040 SSL_CTX_free(s_ctx);
817cd0d5 2041 SSL_CTX_free(s_ctx2);
62adbcee 2042 SSL_CTX_free(c_ctx);
62adbcee 2043 SSL_CONF_CTX_free(s_cctx);
817cd0d5 2044 SSL_CONF_CTX_free(s_cctx2);
62adbcee 2045 SSL_CONF_CTX_free(c_cctx);
0f113f3e 2046 sk_OPENSSL_STRING_free(conf_args);
de94222d 2047
ca3a82c3 2048 BIO_free(bio_stdout);
d02b48c6 2049
b7dffce0
KR		 2050 SSL_SESSION_free(server_sess);
2051 SSL_SESSION_free(client_sess);
2052
c2e27310 2053#ifndef OPENSSL_NO_CRYPTO_MDEBUG
541e9565
DSH		 2054 if (CRYPTO_mem_leaks(bio_err) <= 0)
2055 ret = 1;
bbd86bf5 2056#endif
ca3a82c3 2057 BIO_free(bio_err);
0f113f3e 2058 EXIT(ret);
0f113f3e 2059}
d02b48c6 2060
f9e55034 2061#ifndef OPENSSL_NO_SOCK
75d5bd4e
RL		 2062int doit_localhost(SSL *s_ssl, SSL *c_ssl, int family, long count,
2063 clock_t *s_time, clock_t *c_time)
2064{
2065 long cw_num = count, cr_num = count, sw_num = count, sr_num = count;
2066 BIO *s_ssl_bio = NULL, *c_ssl_bio = NULL;
2067 BIO *acpt = NULL, *server = NULL, *client = NULL;
2068 char addr_str[40];
2069 int ret = 1;
2070 int err_in_client = 0;
2071 int err_in_server = 0;
2072
2073 acpt = BIO_new_accept("0");
2074 if (acpt == NULL)
2075 goto err;
2076 BIO_set_accept_ip_family(acpt, family);
2077 BIO_set_bind_mode(acpt, BIO_SOCK_NONBLOCK | BIO_SOCK_REUSEADDR);
2078 if (BIO_do_accept(acpt) <= 0)
2079 goto err;
2080
6339ece1 2081 BIO_snprintf(addr_str, sizeof(addr_str), ":%s", BIO_get_accept_port(acpt));
75d5bd4e
RL		 2082
2083 client = BIO_new_connect(addr_str);
2084 BIO_set_conn_ip_family(client, family);
2085 if (!client)
2086 goto err;
2087
2088 if (BIO_set_nbio(client, 1) <= 0)
2089 goto err;
2090 if (BIO_set_nbio(acpt, 1) <= 0)
2091 goto err;
2092
2093 {
2094 int st_connect = 0, st_accept = 0;
2095
2096 while(!st_connect || !st_accept) {
2097 if (!st_connect) {
2098 if (BIO_do_connect(client) <= 0) {
2099 if (!BIO_should_retry(client))
2100 goto err;
2101 } else {
2102 st_connect = 1;
2103 }
2104 }
2105 if (!st_accept) {
2106 if (BIO_do_accept(acpt) <= 0) {
2107 if (!BIO_should_retry(acpt))
2108 goto err;
2109 } else {
2110 st_accept = 1;
2111 }
2112 }
2113 }
2114 }
2115 /* We're not interested in accepting further connects */
2116 server = BIO_pop(acpt);
2117 BIO_free_all(acpt);
2118 acpt = NULL;
2119
2120 s_ssl_bio = BIO_new(BIO_f_ssl());
2121 if (!s_ssl_bio)
2122 goto err;
2123
2124 c_ssl_bio = BIO_new(BIO_f_ssl());
2125 if (!c_ssl_bio)
2126 goto err;
2127
2128 SSL_set_connect_state(c_ssl);
2129 SSL_set_bio(c_ssl, client, client);
2130 (void)BIO_set_ssl(c_ssl_bio, c_ssl, BIO_NOCLOSE);
2131
2132 SSL_set_accept_state(s_ssl);
2133 SSL_set_bio(s_ssl, server, server);
2134 (void)BIO_set_ssl(s_ssl_bio, s_ssl, BIO_NOCLOSE);
2135
2136 do {
2137 /*-
2138 * c_ssl_bio: SSL filter BIO
2139 *
2140 * client: I/O for SSL library
2141 *
2142 *
2143 * server: I/O for SSL library
2144 *
2145 * s_ssl_bio: SSL filter BIO
2146 */
2147
2148 /*
2149 * We have non-blocking behaviour throughout this test program, but
2150 * can be sure that there is *some* progress in each iteration; so we
2151 * don't have to worry about ..._SHOULD_READ or ..._SHOULD_WRITE --
2152 * we just try everything in each iteration
2153 */
2154
2155 {
2156 /* CLIENT */
2157
2158 char cbuf[1024 * 8];
2159 int i, r;
2160 clock_t c_clock = clock();
2161
2162 memset(cbuf, 0, sizeof(cbuf));
2163
2164 if (debug)
2165 if (SSL_in_init(c_ssl))
2166 printf("client waiting in SSL_connect - %s\n",
2167 SSL_state_string_long(c_ssl));
2168
2169 if (cw_num > 0) {
2170 /* Write to server. */
2171
2172 if (cw_num > (long)sizeof cbuf)
2173 i = sizeof cbuf;
2174 else
2175 i = (int)cw_num;
2176 r = BIO_write(c_ssl_bio, cbuf, i);
2177 if (r < 0) {
2178 if (!BIO_should_retry(c_ssl_bio)) {
2179 fprintf(stderr, "ERROR in CLIENT\n");
2180 err_in_client = 1;
2181 goto err;
2182 }
2183 /*
2184 * BIO_should_retry(...) can just be ignored here. The
2185 * library expects us to call BIO_write with the same
2186 * arguments again, and that's what we will do in the
2187 * next iteration.
2188 */
2189 } else if (r == 0) {
2190 fprintf(stderr, "SSL CLIENT STARTUP FAILED\n");
2191 goto err;
2192 } else {
2193 if (debug)
2194 printf("client wrote %d\n", r);
2195 cw_num -= r;
2196 }
2197 }
2198
2199 if (cr_num > 0) {
2200 /* Read from server. */
2201
2202 r = BIO_read(c_ssl_bio, cbuf, sizeof(cbuf));
2203 if (r < 0) {
2204 if (!BIO_should_retry(c_ssl_bio)) {
2205 fprintf(stderr, "ERROR in CLIENT\n");
2206 err_in_client = 1;
2207 goto err;
2208 }
2209 /*
2210 * Again, "BIO_should_retry" can be ignored.
2211 */
2212 } else if (r == 0) {
2213 fprintf(stderr, "SSL CLIENT STARTUP FAILED\n");
2214 goto err;
2215 } else {
2216 if (debug)
2217 printf("client read %d\n", r);
2218 cr_num -= r;
2219 }
2220 }
2221
2222 /*
2223 * c_time and s_time increments will typically be very small
2224 * (depending on machine speed and clock tick intervals), but
2225 * sampling over a large number of connections should result in
2226 * fairly accurate figures. We cannot guarantee a lot, however
2227 * -- if each connection lasts for exactly one clock tick, it
2228 * will be counted only for the client or only for the server or
2229 * even not at all.
2230 */
2231 *c_time += (clock() - c_clock);
2232 }
2233
2234 {
2235 /* SERVER */
2236
2237 char sbuf[1024 * 8];
2238 int i, r;
2239 clock_t s_clock = clock();
2240
2241 memset(sbuf, 0, sizeof(sbuf));
2242
2243 if (debug)
2244 if (SSL_in_init(s_ssl))
2245 printf("server waiting in SSL_accept - %s\n",
2246 SSL_state_string_long(s_ssl));
2247
2248 if (sw_num > 0) {
2249 /* Write to client. */
2250
2251 if (sw_num > (long)sizeof sbuf)
2252 i = sizeof sbuf;
2253 else
2254 i = (int)sw_num;
2255 r = BIO_write(s_ssl_bio, sbuf, i);
2256 if (r < 0) {
2257 if (!BIO_should_retry(s_ssl_bio)) {
2258 fprintf(stderr, "ERROR in SERVER\n");
2259 err_in_server = 1;
2260 goto err;
2261 }
2262 /* Ignore "BIO_should_retry". */
2263 } else if (r == 0) {
2264 fprintf(stderr, "SSL SERVER STARTUP FAILED\n");
2265 goto err;
2266 } else {
2267 if (debug)
2268 printf("server wrote %d\n", r);
2269 sw_num -= r;
2270 }
2271 }
2272
2273 if (sr_num > 0) {
2274 /* Read from client. */
2275
2276 r = BIO_read(s_ssl_bio, sbuf, sizeof(sbuf));
2277 if (r < 0) {
2278 if (!BIO_should_retry(s_ssl_bio)) {
2279 fprintf(stderr, "ERROR in SERVER\n");
2280 err_in_server = 1;
2281 goto err;
2282 }
2283 /* blah, blah */
2284 } else if (r == 0) {
2285 fprintf(stderr, "SSL SERVER STARTUP FAILED\n");
2286 goto err;
2287 } else {
2288 if (debug)
2289 printf("server read %d\n", r);
2290 sr_num -= r;
2291 }
2292 }
2293
2294 *s_time += (clock() - s_clock);
2295 }
2296 }
2297 while (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0);
2298
2299 if (verbose)
2300 print_details(c_ssl, "DONE via TCP connect: ");
f9e55034 2301# ifndef OPENSSL_NO_NEXTPROTONEG
75d5bd4e
RL		 2302 if (verify_npn(c_ssl, s_ssl) < 0) {
2303 ret = 1;
2304 goto end;
2305 }
f9e55034 2306# endif
75d5bd4e
RL		 2307 if (verify_serverinfo() < 0) {
2308 fprintf(stderr, "Server info verify error\n");
2309 ret = 1;
2310 goto err;
2311 }
2312 if (verify_alpn(c_ssl, s_ssl) < 0) {
2313 ret = 1;
2314 goto err;
2315 }
817cd0d5
TS		 2316 if (verify_servername(c_ssl, s_ssl) < 0) {
2317 ret = 1;
2318 goto err;
2319 }
75d5bd4e
RL		 2320
2321 if (custom_ext_error) {
2322 fprintf(stderr, "Custom extension error\n");
2323 ret = 1;
2324 goto err;
2325 }
2326
1595ca02 2327# ifndef OPENSSL_NO_NEXTPROTONEG
75d5bd4e 2328 end:
1595ca02 2329# endif
75d5bd4e
RL		 2330 ret = 0;
2331
2332 err:
2333 ERR_print_errors(bio_err);
2334
2335 BIO_free_all(acpt);
2336 BIO_free(server);
2337 BIO_free(client);
2338 BIO_free(s_ssl_bio);
2339 BIO_free(c_ssl_bio);
2340
2341 if (should_negotiate != NULL && strcmp(should_negotiate, "fail-client") == 0)
2342 ret = (err_in_client != 0) ? 0 : 1;
2343 else if (should_negotiate != NULL && strcmp(should_negotiate, "fail-server") == 0)
2344 ret = (err_in_server != 0) ? 0 : 1;
2345
2346 return ret;
2347}
f9e55034 2348#endif
75d5bd4e 2349
563f1503 2350int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count,
0f113f3e
MC		 2351 clock_t *s_time, clock_t *c_time)
2352{
2353 long cw_num = count, cr_num = count, sw_num = count, sr_num = count;
2354 BIO *s_ssl_bio = NULL, *c_ssl_bio = NULL;
2355 BIO *server = NULL, *server_io = NULL, *client = NULL, *client_io = NULL;
2356 int ret = 1;
7946ab33
KR		 2357 int err_in_client = 0;
2358 int err_in_server = 0;
0f113f3e
MC		 2359
2360 size_t bufsiz = 256; /* small buffer for testing */
2361
2362 if (!BIO_new_bio_pair(&server, bufsiz, &server_io, bufsiz))
2363 goto err;
2364 if (!BIO_new_bio_pair(&client, bufsiz, &client_io, bufsiz))
2365 goto err;
2366
2367 s_ssl_bio = BIO_new(BIO_f_ssl());
2368 if (!s_ssl_bio)
2369 goto err;
2370
2371 c_ssl_bio = BIO_new(BIO_f_ssl());
2372 if (!c_ssl_bio)
2373 goto err;
2374
2375 SSL_set_connect_state(c_ssl);
2376 SSL_set_bio(c_ssl, client, client);
2377 (void)BIO_set_ssl(c_ssl_bio, c_ssl, BIO_NOCLOSE);
2378
2379 SSL_set_accept_state(s_ssl);
2380 SSL_set_bio(s_ssl, server, server);
2381 (void)BIO_set_ssl(s_ssl_bio, s_ssl, BIO_NOCLOSE);
2382
2383 do {
35a1cc90
MC		 2384 /*-
2385 * c_ssl_bio: SSL filter BIO
2386 *
2387 * client: pseudo-I/O for SSL library
2388 *
2389 * client_io: client's SSL communication; usually to be
2390 * relayed over some I/O facility, but in this
2391 * test program, we're the server, too:
2392 *
2393 * server_io: server's SSL communication
2394 *
2395 * server: pseudo-I/O for SSL library
2396 *
2397 * s_ssl_bio: SSL filter BIO
2398 *
2399 * The client and the server each employ a "BIO pair":
2400 * client + client_io, server + server_io.
2401 * BIO pairs are symmetric. A BIO pair behaves similar
2402 * to a non-blocking socketpair (but both endpoints must
2403 * be handled by the same thread).
2404 * [Here we could connect client and server to the ends
2405 * of a single BIO pair, but then this code would be less
2406 * suitable as an example for BIO pairs in general.]
2407 *
2408 * Useful functions for querying the state of BIO pair endpoints:
2409 *
2410 * BIO_ctrl_pending(bio) number of bytes we can read now
2411 * BIO_ctrl_get_read_request(bio) number of bytes needed to fulfil
2412 * other side's read attempt
2413 * BIO_ctrl_get_write_guarantee(bio) number of bytes we can write now
2414 *
2415 * ..._read_request is never more than ..._write_guarantee;
2416 * it depends on the application which one you should use.
2417 */
0f113f3e
MC		 2418
2419 /*
2420 * We have non-blocking behaviour throughout this test program, but
2421 * can be sure that there is *some* progress in each iteration; so we
2422 * don't have to worry about ..._SHOULD_READ or ..._SHOULD_WRITE --
2423 * we just try everything in each iteration
2424 */
2425
2426 {
2427 /* CLIENT */
2428
68b00c23 2429 char cbuf[1024 * 8];
0f113f3e
MC		 2430 int i, r;
2431 clock_t c_clock = clock();
2432
2433 memset(cbuf, 0, sizeof(cbuf));
2434
2435 if (debug)
2436 if (SSL_in_init(c_ssl))
2437 printf("client waiting in SSL_connect - %s\n",
2438 SSL_state_string_long(c_ssl));
2439
2440 if (cw_num > 0) {
2441 /* Write to server. */
2442
2443 if (cw_num > (long)sizeof cbuf)
2444 i = sizeof cbuf;
2445 else
2446 i = (int)cw_num;
2447 r = BIO_write(c_ssl_bio, cbuf, i);
2448 if (r < 0) {
2449 if (!BIO_should_retry(c_ssl_bio)) {
2450 fprintf(stderr, "ERROR in CLIENT\n");
7946ab33 2451 err_in_client = 1;
0f113f3e
MC		 2452 goto err;
2453 }
2454 /*
2455 * BIO_should_retry(...) can just be ignored here. The
2456 * library expects us to call BIO_write with the same
2457 * arguments again, and that's what we will do in the
2458 * next iteration.
2459 */
2460 } else if (r == 0) {
2461 fprintf(stderr, "SSL CLIENT STARTUP FAILED\n");
2462 goto err;
2463 } else {
2464 if (debug)
2465 printf("client wrote %d\n", r);
2466 cw_num -= r;
2467 }
2468 }
2469
2470 if (cr_num > 0) {
2471 /* Read from server. */
2472
2473 r = BIO_read(c_ssl_bio, cbuf, sizeof(cbuf));
2474 if (r < 0) {
2475 if (!BIO_should_retry(c_ssl_bio)) {
2476 fprintf(stderr, "ERROR in CLIENT\n");
7946ab33 2477 err_in_client = 1;
0f113f3e
MC		 2478 goto err;
2479 }
2480 /*
2481 * Again, "BIO_should_retry" can be ignored.
2482 */
2483 } else if (r == 0) {
2484 fprintf(stderr, "SSL CLIENT STARTUP FAILED\n");
2485 goto err;
2486 } else {
2487 if (debug)
2488 printf("client read %d\n", r);
2489 cr_num -= r;
2490 }
2491 }
2492
2493 /*
2494 * c_time and s_time increments will typically be very small
2495 * (depending on machine speed and clock tick intervals), but
2496 * sampling over a large number of connections should result in
2497 * fairly accurate figures. We cannot guarantee a lot, however
2498 * -- if each connection lasts for exactly one clock tick, it
2499 * will be counted only for the client or only for the server or
2500 * even not at all.
2501 */
2502 *c_time += (clock() - c_clock);
2503 }
2504
2505 {
2506 /* SERVER */
2507
68b00c23 2508 char sbuf[1024 * 8];
0f113f3e
MC		 2509 int i, r;
2510 clock_t s_clock = clock();
2511
2512 memset(sbuf, 0, sizeof(sbuf));
2513
2514 if (debug)
2515 if (SSL_in_init(s_ssl))
2516 printf("server waiting in SSL_accept - %s\n",
2517 SSL_state_string_long(s_ssl));
2518
2519 if (sw_num > 0) {
2520 /* Write to client. */
2521
2522 if (sw_num > (long)sizeof sbuf)
2523 i = sizeof sbuf;
2524 else
2525 i = (int)sw_num;
2526 r = BIO_write(s_ssl_bio, sbuf, i);
2527 if (r < 0) {
2528 if (!BIO_should_retry(s_ssl_bio)) {
2529 fprintf(stderr, "ERROR in SERVER\n");
7946ab33 2530 err_in_server = 1;
0f113f3e
MC		 2531 goto err;
2532 }
2533 /* Ignore "BIO_should_retry". */
2534 } else if (r == 0) {
2535 fprintf(stderr, "SSL SERVER STARTUP FAILED\n");
2536 goto err;
2537 } else {
2538 if (debug)
2539 printf("server wrote %d\n", r);
2540 sw_num -= r;
2541 }
2542 }
2543
2544 if (sr_num > 0) {
2545 /* Read from client. */
2546
2547 r = BIO_read(s_ssl_bio, sbuf, sizeof(sbuf));
2548 if (r < 0) {
2549 if (!BIO_should_retry(s_ssl_bio)) {
2550 fprintf(stderr, "ERROR in SERVER\n");
7946ab33 2551 err_in_server = 1;
0f113f3e
MC		 2552 goto err;
2553 }
2554 /* blah, blah */
2555 } else if (r == 0) {
2556 fprintf(stderr, "SSL SERVER STARTUP FAILED\n");
2557 goto err;
2558 } else {
2559 if (debug)
2560 printf("server read %d\n", r);
2561 sr_num -= r;
2562 }
2563 }
2564
2565 *s_time += (clock() - s_clock);
2566 }
2567
2568 {
2569 /* "I/O" BETWEEN CLIENT AND SERVER. */
2570
2571 size_t r1, r2;
2572 BIO *io1 = server_io, *io2 = client_io;
2573 /*
2574 * we use the non-copying interface for io1 and the standard
2575 * BIO_write/BIO_read interface for io2
2576 */
2577
2578 static int prev_progress = 1;
2579 int progress = 0;
2580
2581 /* io1 to io2 */
2582 do {
2583 size_t num;
2584 int r;
2585
2586 r1 = BIO_ctrl_pending(io1);
2587 r2 = BIO_ctrl_get_write_guarantee(io2);
2588
2589 num = r1;
2590 if (r2 < num)
2591 num = r2;
2592 if (num) {
2593 char *dataptr;
2594
2595 if (INT_MAX < num) /* yeah, right */
2596 num = INT_MAX;
2597
2598 r = BIO_nread(io1, &dataptr, (int)num);
2599 assert(r > 0);
2600 assert(r <= (int)num);
2601 /*
2602 * possibly r < num (non-contiguous data)
2603 */
2604 num = r;
2605 r = BIO_write(io2, dataptr, (int)num);
2606 if (r != (int)num) { /* can't happen */
2607 fprintf(stderr, "ERROR: BIO_write could not write "
2608 "BIO_ctrl_get_write_guarantee() bytes");
2609 goto err;
2610 }
2611 progress = 1;
2612
2613 if (debug)
2614 printf((io1 == client_io) ?
2615 "C->S relaying: %d bytes\n" :
2616 "S->C relaying: %d bytes\n", (int)num);
2617 }
2618 }
2619 while (r1 && r2);
2620
2621 /* io2 to io1 */
2622 {
2623 size_t num;
2624 int r;
2625
2626 r1 = BIO_ctrl_pending(io2);
2627 r2 = BIO_ctrl_get_read_request(io1);
2628 /*
2629 * here we could use ..._get_write_guarantee instead of
2630 * ..._get_read_request, but by using the latter we test
2631 * restartability of the SSL implementation more thoroughly
2632 */
2633 num = r1;
2634 if (r2 < num)
2635 num = r2;
2636 if (num) {
2637 char *dataptr;
2638
2639 if (INT_MAX < num)
2640 num = INT_MAX;
2641
2642 if (num > 1)
2643 --num; /* test restartability even more thoroughly */
2644
2645 r = BIO_nwrite0(io1, &dataptr);
2646 assert(r > 0);
2647 if (r < (int)num)
2648 num = r;
2649 r = BIO_read(io2, dataptr, (int)num);
2650 if (r != (int)num) { /* can't happen */
2651 fprintf(stderr, "ERROR: BIO_read could not read "
2652 "BIO_ctrl_pending() bytes");
2653 goto err;
2654 }
2655 progress = 1;
2656 r = BIO_nwrite(io1, &dataptr, (int)num);
2657 if (r != (int)num) { /* can't happen */
2658 fprintf(stderr, "ERROR: BIO_nwrite() did not accept "
2659 "BIO_nwrite0() bytes");
2660 goto err;
2661 }
2662
2663 if (debug)
2664 printf((io2 == client_io) ?
2665 "C->S relaying: %d bytes\n" :
2666 "S->C relaying: %d bytes\n", (int)num);
2667 }
2668 } /* no loop, BIO_ctrl_get_read_request now
2669 * returns 0 anyway */
2670
2671 if (!progress && !prev_progress)
2672 if (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0) {
2673 fprintf(stderr, "ERROR: got stuck\n");
2674 fprintf(stderr, " ERROR.\n");
2675 goto err;
2676 }
2677 prev_progress = progress;
2678 }
2679 }
2680 while (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0);
2681
2682 if (verbose)
2683 print_details(c_ssl, "DONE via BIO pair: ");
2911575c 2684#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e
MC		 2685 if (verify_npn(c_ssl, s_ssl) < 0) {
2686 ret = 1;
2687 goto end;
2688 }
2689#endif
2690 if (verify_serverinfo() < 0) {
2691 fprintf(stderr, "Server info verify error\n");
2692 ret = 1;
2693 goto err;
2694 }
2695 if (verify_alpn(c_ssl, s_ssl) < 0) {
2696 ret = 1;
2697 goto err;
817cd0d5
TS		 2698 }
2699 if (verify_servername(c_ssl, s_ssl) < 0) {
2700 ret = 1;
2701 goto err;
0f113f3e
MC		 2702 }
2703
2704 if (custom_ext_error) {
2705 fprintf(stderr, "Custom extension error\n");
2706 ret = 1;
2707 goto err;
2708 }
2709
1595ca02 2710#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e 2711 end:
1595ca02 2712#endif
0f113f3e 2713 ret = 0;
95d29597
BM		 2714
2715 err:
0f113f3e
MC		 2716 ERR_print_errors(bio_err);
2717
ca3a82c3
RS		 2718 BIO_free(server);
2719 BIO_free(server_io);
2720 BIO_free(client);
2721 BIO_free(client_io);
2722 BIO_free(s_ssl_bio);
2723 BIO_free(c_ssl_bio);
0f113f3e 2724
7946ab33
KR		 2725 if (should_negotiate != NULL && strcmp(should_negotiate, "fail-client") == 0)
2726 ret = (err_in_client != 0) ? 0 : 1;
2727 else if (should_negotiate != NULL && strcmp(should_negotiate, "fail-server") == 0)
2728 ret = (err_in_server != 0) ? 0 : 1;
2729
0f113f3e
MC		 2730 return ret;
2731}
2732
2733#define W_READ 1
2734#define W_WRITE 2
2735#define C_DONE 1
2736#define S_DONE 2
d02b48c6 2737
6b691a5c 2738int doit(SSL *s_ssl, SSL *c_ssl, long count)
0f113f3e
MC		 2739{
2740 char *cbuf = NULL, *sbuf = NULL;
2741 long bufsiz;
2742 long cw_num = count, cr_num = count;
2743 long sw_num = count, sr_num = count;
2744 int ret = 1;
2745 BIO *c_to_s = NULL;
2746 BIO *s_to_c = NULL;
2747 BIO *c_bio = NULL;
2748 BIO *s_bio = NULL;
2749 int c_r, c_w, s_r, s_w;
2750 int i, j;
2751 int done = 0;
2752 int c_write, s_write;
2753 int do_server = 0, do_client = 0;
2754 int max_frag = 5 * 1024;
7946ab33
KR		 2755 int err_in_client = 0;
2756 int err_in_server = 0;
0f113f3e
MC		 2757
2758 bufsiz = count > 40 * 1024 ? 40 * 1024 : count;
2759
b51bce94 2760 if ((cbuf = OPENSSL_zalloc(bufsiz)) == NULL)
0f113f3e 2761 goto err;
b51bce94 2762 if ((sbuf = OPENSSL_zalloc(bufsiz)) == NULL)
0f113f3e
MC		 2763 goto err;
2764
0f113f3e
MC		 2765 c_to_s = BIO_new(BIO_s_mem());
2766 s_to_c = BIO_new(BIO_s_mem());
2767 if ((s_to_c == NULL) || (c_to_s == NULL)) {
2768 ERR_print_errors(bio_err);
2769 goto err;
2770 }
2771
2772 c_bio = BIO_new(BIO_f_ssl());
2773 s_bio = BIO_new(BIO_f_ssl());
2774 if ((c_bio == NULL) || (s_bio == NULL)) {
2775 ERR_print_errors(bio_err);
2776 goto err;
2777 }
2778
2779 SSL_set_connect_state(c_ssl);
2780 SSL_set_bio(c_ssl, s_to_c, c_to_s);
2781 SSL_set_max_send_fragment(c_ssl, max_frag);
2782 BIO_set_ssl(c_bio, c_ssl, BIO_NOCLOSE);
2783
2784 SSL_set_accept_state(s_ssl);
2785 SSL_set_bio(s_ssl, c_to_s, s_to_c);
2786 SSL_set_max_send_fragment(s_ssl, max_frag);
2787 BIO_set_ssl(s_bio, s_ssl, BIO_NOCLOSE);
2788
2789 c_r = 0;
2790 s_r = 1;
2791 c_w = 1;
2792 s_w = 0;
2793 c_write = 1, s_write = 0;
2794
2795 /* We can always do writes */
2796 for (;;) {
2797 do_server = 0;
2798 do_client = 0;
2799
2800 i = (int)BIO_pending(s_bio);
2801 if ((i && s_r) || s_w)
2802 do_server = 1;
2803
2804 i = (int)BIO_pending(c_bio);
2805 if ((i && c_r) || c_w)
2806 do_client = 1;
2807
2808 if (do_server && debug) {
2809 if (SSL_in_init(s_ssl))
2810 printf("server waiting in SSL_accept - %s\n",
2811 SSL_state_string_long(s_ssl));
3a83462d 2812/*-
35a1cc90
MC		 2813 else if (s_write)
2814 printf("server:SSL_write()\n");
2815 else
2816 printf("server:SSL_read()\n"); */
0f113f3e
MC		 2817 }
2818
2819 if (do_client && debug) {
2820 if (SSL_in_init(c_ssl))
2821 printf("client waiting in SSL_connect - %s\n",
2822 SSL_state_string_long(c_ssl));
3a83462d 2823/*-
35a1cc90
MC		 2824 else if (c_write)
2825 printf("client:SSL_write()\n");
2826 else
2827 printf("client:SSL_read()\n"); */
0f113f3e
MC		 2828 }
2829
2830 if (!do_client && !do_server) {
2831 fprintf(stdout, "ERROR IN STARTUP\n");
2832 ERR_print_errors(bio_err);
ae632974 2833 goto err;
0f113f3e
MC		 2834 }
2835 if (do_client && !(done & C_DONE)) {
2836 if (c_write) {
2837 j = (cw_num > bufsiz) ? (int)bufsiz : (int)cw_num;
2838 i = BIO_write(c_bio, cbuf, j);
2839 if (i < 0) {
2840 c_r = 0;
2841 c_w = 0;
2842 if (BIO_should_retry(c_bio)) {
2843 if (BIO_should_read(c_bio))
2844 c_r = 1;
2845 if (BIO_should_write(c_bio))
2846 c_w = 1;
2847 } else {
2848 fprintf(stderr, "ERROR in CLIENT\n");
7946ab33 2849 err_in_client = 1;
0f113f3e
MC		 2850 ERR_print_errors(bio_err);
2851 goto err;
2852 }
2853 } else if (i == 0) {
2854 fprintf(stderr, "SSL CLIENT STARTUP FAILED\n");
2855 goto err;
2856 } else {
2857 if (debug)
2858 printf("client wrote %d\n", i);
2859 /* ok */
2860 s_r = 1;
2861 c_write = 0;
2862 cw_num -= i;
2863 if (max_frag > 1029)
2864 SSL_set_max_send_fragment(c_ssl, max_frag -= 5);
2865 }
2866 } else {
2867 i = BIO_read(c_bio, cbuf, bufsiz);
2868 if (i < 0) {
2869 c_r = 0;
2870 c_w = 0;
2871 if (BIO_should_retry(c_bio)) {
2872 if (BIO_should_read(c_bio))
2873 c_r = 1;
2874 if (BIO_should_write(c_bio))
2875 c_w = 1;
2876 } else {
2877 fprintf(stderr, "ERROR in CLIENT\n");
7946ab33 2878 err_in_client = 1;
0f113f3e
MC		 2879 ERR_print_errors(bio_err);
2880 goto err;
2881 }
2882 } else if (i == 0) {
2883 fprintf(stderr, "SSL CLIENT STARTUP FAILED\n");
2884 goto err;
2885 } else {
2886 if (debug)
2887 printf("client read %d\n", i);
2888 cr_num -= i;
2889 if (sw_num > 0) {
2890 s_write = 1;
2891 s_w = 1;
2892 }
2893 if (cr_num <= 0) {
2894 s_write = 1;
2895 s_w = 1;
2896 done = S_DONE | C_DONE;
2897 }
2898 }
2899 }
2900 }
2901
2902 if (do_server && !(done & S_DONE)) {
2903 if (!s_write) {
2904 i = BIO_read(s_bio, sbuf, bufsiz);
2905 if (i < 0) {
2906 s_r = 0;
2907 s_w = 0;
2908 if (BIO_should_retry(s_bio)) {
2909 if (BIO_should_read(s_bio))
2910 s_r = 1;
2911 if (BIO_should_write(s_bio))
2912 s_w = 1;
2913 } else {
2914 fprintf(stderr, "ERROR in SERVER\n");
7946ab33 2915 err_in_server = 1;
0f113f3e
MC		 2916 ERR_print_errors(bio_err);
2917 goto err;
2918 }
2919 } else if (i == 0) {
2920 ERR_print_errors(bio_err);
2921 fprintf(stderr,
2922 "SSL SERVER STARTUP FAILED in SSL_read\n");
2923 goto err;
2924 } else {
2925 if (debug)
2926 printf("server read %d\n", i);
2927 sr_num -= i;
2928 if (cw_num > 0) {
2929 c_write = 1;
2930 c_w = 1;
2931 }
2932 if (sr_num <= 0) {
2933 s_write = 1;
2934 s_w = 1;
2935 c_write = 0;
2936 }
2937 }
2938 } else {
2939 j = (sw_num > bufsiz) ? (int)bufsiz : (int)sw_num;
2940 i = BIO_write(s_bio, sbuf, j);
2941 if (i < 0) {
2942 s_r = 0;
2943 s_w = 0;
2944 if (BIO_should_retry(s_bio)) {
2945 if (BIO_should_read(s_bio))
2946 s_r = 1;
2947 if (BIO_should_write(s_bio))
2948 s_w = 1;
2949 } else {
2950 fprintf(stderr, "ERROR in SERVER\n");
7946ab33 2951 err_in_server = 1;
0f113f3e
MC		 2952 ERR_print_errors(bio_err);
2953 goto err;
2954 }
2955 } else if (i == 0) {
2956 ERR_print_errors(bio_err);
2957 fprintf(stderr,
2958 "SSL SERVER STARTUP FAILED in SSL_write\n");
2959 goto err;
2960 } else {
2961 if (debug)
2962 printf("server wrote %d\n", i);
2963 sw_num -= i;
2964 s_write = 0;
2965 c_r = 1;
2966 if (sw_num <= 0)
2967 done |= S_DONE;
2968 if (max_frag > 1029)
2969 SSL_set_max_send_fragment(s_ssl, max_frag -= 5);
2970 }
2971 }
2972 }
2973
2974 if ((done & S_DONE) && (done & C_DONE))
2975 break;
2976 }
2977
2978 if (verbose)
2979 print_details(c_ssl, "DONE: ");
2911575c 2980#ifndef OPENSSL_NO_NEXTPROTONEG
0f113f3e
MC		 2981 if (verify_npn(c_ssl, s_ssl) < 0) {
2982 ret = 1;
2983 goto err;
2984 }
2985#endif
2986 if (verify_serverinfo() < 0) {
2987 fprintf(stderr, "Server info verify error\n");
2988 ret = 1;
2989 goto err;
2990 }
2991 if (custom_ext_error) {
2992 fprintf(stderr, "Custom extension error\n");
2993 ret = 1;
2994 goto err;
2995 }
2996 ret = 0;
2997 err:
2998 /*
2999 * We have to set the BIO's to NULL otherwise they will be
3000 * OPENSSL_free()ed twice. Once when th s_ssl is SSL_free()ed and again
3001 * when c_ssl is SSL_free()ed. This is a hack required because s_ssl and
3002 * c_ssl are sharing the same BIO structure and SSL_set_bio() and
3003 * SSL_free() automatically BIO_free non NULL entries. You should not
3004 * normally do this or be required to do this
3005 */
3006 if (s_ssl != NULL) {
3007 s_ssl->rbio = NULL;
3008 s_ssl->wbio = NULL;
3009 }
3010 if (c_ssl != NULL) {
3011 c_ssl->rbio = NULL;
3012 c_ssl->wbio = NULL;
3013 }
3014
ca3a82c3
RS		 3015 BIO_free(c_to_s);
3016 BIO_free(s_to_c);
3017 BIO_free_all(c_bio);
3018 BIO_free_all(s_bio);
b548a1f1
RS		 3019 OPENSSL_free(cbuf);
3020 OPENSSL_free(sbuf);
0f113f3e 3021
7946ab33
KR		 3022 if (should_negotiate != NULL && strcmp(should_negotiate, "fail-client") == 0)
3023 ret = (err_in_client != 0) ? 0 : 1;
3024 else if (should_negotiate != NULL && strcmp(should_negotiate, "fail-server") == 0)
3025 ret = (err_in_server != 0) ? 0 : 1;
3026
0f113f3e
MC		 3027 return (ret);
3028}
d02b48c6 3029
16203f7b
AG		 3030static CRYPTO_ONCE proxy_auth_ex_data_once = CRYPTO_ONCE_STATIC_INIT;
3031static volatile int proxy_auth_ex_data_idx = -1;
3032
3033static void do_get_proxy_auth_ex_data_idx(void)
3034{
3035 proxy_auth_ex_data_idx = X509_STORE_CTX_get_ex_new_index(0,
3036 "SSLtest for verify callback",
3037 NULL, NULL, NULL);
3038}
3039
a7201e9a 3040static int get_proxy_auth_ex_data_idx(void)
0f113f3e 3041{
16203f7b
AG		 3042 CRYPTO_THREAD_run_once(&proxy_auth_ex_data_once,
3043 do_get_proxy_auth_ex_data_idx);
3044 return proxy_auth_ex_data_idx;
0f113f3e 3045}
a7201e9a 3046
6d23cf97 3047static int verify_callback(int ok, X509_STORE_CTX *ctx)
0f113f3e
MC		 3048{
3049 char *s, buf[256];
3050
f0e0fd51
RS		 3051 s = X509_NAME_oneline(X509_get_subject_name(X509_STORE_CTX_get_current_cert(ctx)),
3052 buf, sizeof buf);
0f113f3e
MC		 3053 if (s != NULL) {
3054 if (ok)
f0e0fd51 3055 printf("depth=%d %s\n", X509_STORE_CTX_get_error_depth(ctx), buf);
0f113f3e
MC		 3056 else {
3057 fprintf(stderr, "depth=%d error=%d %s\n",
f0e0fd51
RS		 3058 X509_STORE_CTX_get_error_depth(ctx),
3059 X509_STORE_CTX_get_error(ctx), buf);
0f113f3e
MC		 3060 }
3061 }
3062
3063 if (ok == 0) {
f0e0fd51
RS		 3064 int i = X509_STORE_CTX_get_error(ctx);
3065
3066 switch (i) {
3dca57f8
RS		 3067 default:
3068 fprintf(stderr, "Error string: %s\n",
f0e0fd51 3069 X509_verify_cert_error_string(i));
3dca57f8 3070 break;
0f113f3e
MC		 3071 case X509_V_ERR_CERT_NOT_YET_VALID:
3072 case X509_V_ERR_CERT_HAS_EXPIRED:
3073 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
0f113f3e 3074 ok = 1;
f0e0fd51 3075 break;
0f113f3e
MC		 3076 }
3077 }
3078
3079 if (ok == 1) {
f0e0fd51 3080 X509 *xs = X509_STORE_CTX_get_current_cert(ctx);
a8d8e06b 3081 if (X509_get_extension_flags(xs) & EXFLAG_PROXY) {
0f113f3e
MC		 3082 unsigned int *letters = X509_STORE_CTX_get_ex_data(ctx,
3083 get_proxy_auth_ex_data_idx
3084 ());
3085
3086 if (letters) {
3087 int found_any = 0;
3088 int i;
3089 PROXY_CERT_INFO_EXTENSION *pci =
3090 X509_get_ext_d2i(xs, NID_proxyCertInfo,
3091 NULL, NULL);
3092
3093 switch (OBJ_obj2nid(pci->proxyPolicy->policyLanguage)) {
3094 case NID_Independent:
3095 /*
3096 * Completely meaningless in this program, as there's no
3097 * way to grant explicit rights to a specific PrC.
3098 * Basically, using id-ppl-Independent is the perfect way
3099 * to grant no rights at all.
3100 */
3101 fprintf(stderr, " Independent proxy certificate");
3102 for (i = 0; i < 26; i++)
3103 letters[i] = 0;
3104 break;
3105 case NID_id_ppl_inheritAll:
3106 /*
3107 * This is basically a NOP, we simply let the current
3108 * rights stand as they are.
3109 */
3110 fprintf(stderr, " Proxy certificate inherits all");
3111 break;
3112 default:
3113 s = (char *)
3114 pci->proxyPolicy->policy->data;
3115 i = pci->proxyPolicy->policy->length;
3116
3117 /*
3118 * The algorithm works as follows: it is assumed that
3119 * previous iterations or the initial granted rights has
3120 * already set some elements of `letters'. What we need
3121 * to do is to clear those that weren't granted by the
3122 * current PrC as well. The easiest way to do this is to
3123 * add 1 to all the elements whose letters are given with
3124 * the current policy. That way, all elements that are
3125 * set by the current policy and were already set by
3126 * earlier policies and through the original grant of
3127 * rights will get the value 2 or higher. The last thing
3128 * to do is to sweep through `letters' and keep the
3129 * elements having the value 2 as set, and clear all the
3130 * others.
3131 */
3132
3dca57f8 3133 printf(" Certificate proxy rights = %*.*s", i,
0f113f3e
MC		 3134 i, s);
3135 while (i-- > 0) {
3136 int c = *s++;
3137 if (isascii(c) && isalpha(c)) {
3138 if (islower(c))
3139 c = toupper(c);
3140 letters[c - 'A']++;
3141 }
3142 }
3143 for (i = 0; i < 26; i++)
3144 if (letters[i] < 2)
3145 letters[i] = 0;
3146 else
3147 letters[i] = 1;
3148 }
3149
3150 found_any = 0;
3dca57f8 3151 printf(", resulting proxy rights = ");
0f113f3e
MC		 3152 for (i = 0; i < 26; i++)
3153 if (letters[i]) {
3dca57f8 3154 printf("%c", i + 'A');
0f113f3e
MC		 3155 found_any = 1;
3156 }
3157 if (!found_any)
3dca57f8
RS		 3158 printf("none");
3159 printf("\n");
0f113f3e
MC		 3160
3161 PROXY_CERT_INFO_EXTENSION_free(pci);
3162 }
3163 }
3164 }
3165
3166 return (ok);
3167}
d02b48c6 3168
a7201e9a 3169static void process_proxy_debug(int indent, const char *format, ...)
0f113f3e
MC		 3170{
3171 /* That's 80 > */
3172 static const char indentation[] =
3173 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
3174 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>";
3175 char my_format[256];
3176 va_list args;
3177
3178 BIO_snprintf(my_format, sizeof(my_format), "%*.*s %s",
3179 indent, indent, indentation, format);
3180
3181 va_start(args, format);
3182 vfprintf(stderr, my_format, args);
3183 va_end(args);
3184}
3185
1d97c843
TH		 3186/*-
3187 * Priority levels:
0f113f3e
MC		 3188 * 0 [!]var, ()
3189 * 1 & ^
3190 * 2 |
1d97c843 3191 */
a7201e9a 3192static int process_proxy_cond_adders(unsigned int letters[26],
0f113f3e
MC		 3193 const char *cond, const char **cond_end,
3194 int *pos, int indent);
3195static int process_proxy_cond_val(unsigned int letters[26], const char *cond,
3196 const char **cond_end, int *pos, int indent)
3197{
3198 int c;
3199 int ok = 1;
3200 int negate = 0;
3201
3202 while (isspace((int)*cond)) {
3203 cond++;
3204 (*pos)++;
3205 }
3206 c = *cond;
3207
3208 if (debug)
3209 process_proxy_debug(indent,
3210 "Start process_proxy_cond_val at position %d: %s\n",
3211 *pos, cond);
3212
3213 while (c == '!') {
3214 negate = !negate;
3215 cond++;
3216 (*pos)++;
3217 while (isspace((int)*cond)) {
3218 cond++;
3219 (*pos)++;
3220 }
3221 c = *cond;
3222 }
3223
3224 if (c == '(') {
3225 cond++;
3226 (*pos)++;
3227 ok = process_proxy_cond_adders(letters, cond, cond_end, pos,
3228 indent + 1);
3229 cond = *cond_end;
3230 if (ok < 0)
3231 goto end;
3232 while (isspace((int)*cond)) {
3233 cond++;
3234 (*pos)++;
3235 }
3236 c = *cond;
3237 if (c != ')') {
3238 fprintf(stderr,
3239 "Weird condition character in position %d: "
3240 "%c\n", *pos, c);
3241 ok = -1;
3242 goto end;
3243 }
3244 cond++;
3245 (*pos)++;
3246 } else if (isascii(c) && isalpha(c)) {
3247 if (islower(c))
3248 c = toupper(c);
3249 ok = letters[c - 'A'];
3250 cond++;
3251 (*pos)++;
3252 } else {
3253 fprintf(stderr,
3254 "Weird condition character in position %d: " "%c\n", *pos, c);
3255 ok = -1;
3256 goto end;
3257 }
a7201e9a 3258 end:
0f113f3e
MC		 3259 *cond_end = cond;
3260 if (ok >= 0 && negate)
3261 ok = !ok;
a7201e9a 3262
0f113f3e
MC		 3263 if (debug)
3264 process_proxy_debug(indent,
3265 "End process_proxy_cond_val at position %d: %s, returning %d\n",
3266 *pos, cond, ok);
3267
3268 return ok;
3269}
a7201e9a 3270
a7201e9a 3271static int process_proxy_cond_multipliers(unsigned int letters[26],
0f113f3e
MC		 3272 const char *cond,
3273 const char **cond_end, int *pos,
3274 int indent)
3275{
3276 int ok;
3277 char c;
3278
3279 if (debug)
3280 process_proxy_debug(indent,
3281 "Start process_proxy_cond_multipliers at position %d: %s\n",
3282 *pos, cond);
3283
3284 ok = process_proxy_cond_val(letters, cond, cond_end, pos, indent + 1);
3285 cond = *cond_end;
3286 if (ok < 0)
3287 goto end;
3288
3289 while (ok >= 0) {
3290 while (isspace((int)*cond)) {
3291 cond++;
3292 (*pos)++;
3293 }
3294 c = *cond;
3295
3296 switch (c) {
3297 case '&':
3298 case '^':
3299 {
3300 int save_ok = ok;
3301
3302 cond++;
3303 (*pos)++;
3304 ok = process_proxy_cond_val(letters,
3305 cond, cond_end, pos, indent + 1);
3306 cond = *cond_end;
3307 if (ok < 0)
3308 break;
3309
3310 switch (c) {
3311 case '&':
3312 ok &= save_ok;
3313 break;
3314 case '^':
3315 ok ^= save_ok;
3316 break;
3317 default:
3318 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
3319 " STOPPING\n");
3320 EXIT(1);
3321 }
3322 }
3323 break;
3324 default:
3325 goto end;
3326 }
3327 }
a7201e9a 3328 end:
0f113f3e
MC		 3329 if (debug)
3330 process_proxy_debug(indent,
3331 "End process_proxy_cond_multipliers at position %d: %s, returning %d\n",
3332 *pos, cond, ok);
3333
3334 *cond_end = cond;
3335 return ok;
3336}
3337
a7201e9a 3338static int process_proxy_cond_adders(unsigned int letters[26],
0f113f3e
MC		 3339 const char *cond, const char **cond_end,
3340 int *pos, int indent)
3341{
3342 int ok;
3343 char c;
3344
3345 if (debug)
3346 process_proxy_debug(indent,
3347 "Start process_proxy_cond_adders at position %d: %s\n",
3348 *pos, cond);
3349
3350 ok = process_proxy_cond_multipliers(letters, cond, cond_end, pos,
3351 indent + 1);
3352 cond = *cond_end;
3353 if (ok < 0)
3354 goto end;
3355
3356 while (ok >= 0) {
3357 while (isspace((int)*cond)) {
3358 cond++;
3359 (*pos)++;
3360 }
3361 c = *cond;
3362
3363 switch (c) {
3364 case '|':
3365 {
3366 int save_ok = ok;
3367
3368 cond++;
3369 (*pos)++;
3370 ok = process_proxy_cond_multipliers(letters,
3371 cond, cond_end, pos,
3372 indent + 1);
3373 cond = *cond_end;
3374 if (ok < 0)
3375 break;
3376
3377 switch (c) {
3378 case '|':
3379 ok |= save_ok;
3380 break;
3381 default:
3382 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
3383 " STOPPING\n");
3384 EXIT(1);
3385 }
3386 }
3387 break;
3388 default:
3389 goto end;
3390 }
3391 }
a7201e9a 3392 end:
0f113f3e
MC		 3393 if (debug)
3394 process_proxy_debug(indent,
3395 "End process_proxy_cond_adders at position %d: %s, returning %d\n",
3396 *pos, cond, ok);
a7201e9a 3397
0f113f3e
MC		 3398 *cond_end = cond;
3399 return ok;
3400}
a7201e9a
RL		 3401
3402static int process_proxy_cond(unsigned int letters[26],
0f113f3e
MC		 3403 const char *cond, const char **cond_end)
3404{
3405 int pos = 1;
3406 return process_proxy_cond_adders(letters, cond, cond_end, &pos, 1);
3407}
a7201e9a 3408
6d23cf97 3409static int app_verify_callback(X509_STORE_CTX *ctx, void *arg)
0f113f3e
MC		 3410{
3411 int ok = 1;
3412 struct app_verify_arg *cb_arg = arg;
3413 unsigned int letters[26]; /* only used with proxy_auth */
3414
3415 if (cb_arg->app_verify) {
3416 char *s = NULL, buf[256];
f0e0fd51 3417 X509 *c = X509_STORE_CTX_get0_cert(ctx);
0f113f3e 3418
3dca57f8
RS		 3419 printf("In app_verify_callback, allowing cert. ");
3420 printf("Arg is: %s\n", cb_arg->string);
3421 printf("Finished printing do we have a context? 0x%p a cert? 0x%p\n",
f0e0fd51
RS		 3422 (void *)ctx, (void *)c);
3423 if (c)
3424 s = X509_NAME_oneline(X509_get_subject_name(c), buf, 256);
0f113f3e 3425 if (s != NULL) {
f0e0fd51
RS		 3426 printf("cert depth=%d %s\n",
3427 X509_STORE_CTX_get_error_depth(ctx), buf);
0f113f3e
MC		 3428 }
3429 return (1);
3430 }
3431 if (cb_arg->proxy_auth) {
3432 int found_any = 0, i;
3433 char *sp;
3434
3435 for (i = 0; i < 26; i++)
3436 letters[i] = 0;
3437 for (sp = cb_arg->proxy_auth; *sp; sp++) {
3438 int c = *sp;
3439 if (isascii(c) && isalpha(c)) {
3440 if (islower(c))
3441 c = toupper(c);
3442 letters[c - 'A'] = 1;
3443 }
3444 }
3445
3dca57f8 3446 printf(" Initial proxy rights = ");
0f113f3e
MC		 3447 for (i = 0; i < 26; i++)
3448 if (letters[i]) {
3dca57f8 3449 printf("%c", i + 'A');
0f113f3e
MC		 3450 found_any = 1;
3451 }
3452 if (!found_any)
3dca57f8
RS		 3453 printf("none");
3454 printf("\n");
0f113f3e
MC		 3455
3456 X509_STORE_CTX_set_ex_data(ctx,
3457 get_proxy_auth_ex_data_idx(), letters);
3458 }
3459 if (cb_arg->allow_proxy_certs) {
3460 X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
3461 }
0f113f3e 3462 ok = X509_verify_cert(ctx);
0f113f3e
MC		 3463
3464 if (cb_arg->proxy_auth) {
3465 if (ok > 0) {
3466 const char *cond_end = NULL;
3467
3468 ok = process_proxy_cond(letters, cb_arg->proxy_cond, &cond_end);
3469
3470 if (ok < 0)
3471 EXIT(3);
3472 if (*cond_end) {
3473 fprintf(stderr,
3474 "Stopped processing condition before it's end.\n");
3475 ok = 0;
3476 }
3477 if (!ok)
3478 fprintf(stderr,
3dca57f8 3479 "Proxy rights check with condition '%s' invalid\n",
0f113f3e
MC		 3480 cb_arg->proxy_cond);
3481 else
3dca57f8 3482 printf("Proxy rights check with condition '%s' ok\n",
0f113f3e
MC		 3483 cb_arg->proxy_cond);
3484 }
3485 }
3486 return (ok);
3487}
023ec151 3488
bc36ee62 3489#ifndef OPENSSL_NO_DH
1d97c843
TH		 3490/*-
3491 * These DH parameters have been generated as follows:
e4589582
BM		 3492 * $ openssl dhparam -C -noout 512
3493 * $ openssl dhparam -C -noout 1024
3494 * $ openssl dhparam -C -noout -dsaparam 1024
3495 * (The third function has been renamed to avoid name conflicts.)
3496 */
f3f316f1 3497static DH *get_dh512()
0f113f3e
MC		 3498{
3499 static unsigned char dh512_p[] = {
3500 0xCB, 0xC8, 0xE1, 0x86, 0xD0, 0x1F, 0x94, 0x17, 0xA6, 0x99, 0xF0,
3501 0xC6,
3502 0x1F, 0x0D, 0xAC, 0xB6, 0x25, 0x3E, 0x06, 0x39, 0xCA, 0x72, 0x04,
3503 0xB0,
3504 0x6E, 0xDA, 0xC0, 0x61, 0xE6, 0x7A, 0x77, 0x25, 0xE8, 0x3B, 0xB9,
3505 0x5F,
3506 0x9A, 0xB6, 0xB5, 0xFE, 0x99, 0x0B, 0xA1, 0x93, 0x4E, 0x35, 0x33,
3507 0xB8,
3508 0xE1, 0xF1, 0x13, 0x4F, 0x59, 0x1A, 0xD2, 0x57, 0xC0, 0x26, 0x21,
3509 0x33,
3510 0x02, 0xC5, 0xAE, 0x23,
3511 };
3512 static unsigned char dh512_g[] = {
3513 0x02,
3514 };
3515 DH *dh;
0aeddcfa 3516 BIGNUM *p, *g;
0f113f3e
MC		 3517
3518 if ((dh = DH_new()) == NULL)
3519 return (NULL);
0aeddcfa
MC		 3520 p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
3521 g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
3522 if ((p == NULL) || (g == NULL) || !DH_set0_pqg(dh, p, NULL, g)) {
0f113f3e 3523 DH_free(dh);
0aeddcfa
MC		 3524 BN_free(p);
3525 BN_free(g);
0f113f3e
MC		 3526 return (NULL);
3527 }
3528 return (dh);
3529}
e4589582 3530
f3f316f1 3531static DH *get_dh1024()
0f113f3e
MC		 3532{
3533 static unsigned char dh1024_p[] = {
3534 0xF8, 0x81, 0x89, 0x7D, 0x14, 0x24, 0xC5, 0xD1, 0xE6, 0xF7, 0xBF,
3535 0x3A,
3536 0xE4, 0x90, 0xF4, 0xFC, 0x73, 0xFB, 0x34, 0xB5, 0xFA, 0x4C, 0x56,
3537 0xA2,
3538 0xEA, 0xA7, 0xE9, 0xC0, 0xC0, 0xCE, 0x89, 0xE1, 0xFA, 0x63, 0x3F,
3539 0xB0,
3540 0x6B, 0x32, 0x66, 0xF1, 0xD1, 0x7B, 0xB0, 0x00, 0x8F, 0xCA, 0x87,
3541 0xC2,
3542 0xAE, 0x98, 0x89, 0x26, 0x17, 0xC2, 0x05, 0xD2, 0xEC, 0x08, 0xD0,
3543 0x8C,
3544 0xFF, 0x17, 0x52, 0x8C, 0xC5, 0x07, 0x93, 0x03, 0xB1, 0xF6, 0x2F,
3545 0xB8,
3546 0x1C, 0x52, 0x47, 0x27, 0x1B, 0xDB, 0xD1, 0x8D, 0x9D, 0x69, 0x1D,
3547 0x52,
3548 0x4B, 0x32, 0x81, 0xAA, 0x7F, 0x00, 0xC8, 0xDC, 0xE6, 0xD9, 0xCC,
3549 0xC1,
3550 0x11, 0x2D, 0x37, 0x34, 0x6C, 0xEA, 0x02, 0x97, 0x4B, 0x0E, 0xBB,
3551 0xB1,
3552 0x71, 0x33, 0x09, 0x15, 0xFD, 0xDD, 0x23, 0x87, 0x07, 0x5E, 0x89,
3553 0xAB,
3554 0x6B, 0x7C, 0x5F, 0xEC, 0xA6, 0x24, 0xDC, 0x53,
3555 };
3556 static unsigned char dh1024_g[] = {
3557 0x02,
3558 };
3559 DH *dh;
0aeddcfa 3560 BIGNUM *p, *g;
0f113f3e
MC		 3561
3562 if ((dh = DH_new()) == NULL)
3563 return (NULL);
0aeddcfa
MC		 3564 p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
3565 g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
3566 if ((p == NULL) || (g == NULL) || !DH_set0_pqg(dh, p, NULL, g)) {
0f113f3e 3567 DH_free(dh);
0aeddcfa
MC		 3568 BN_free(p);
3569 BN_free(g);
0f113f3e
MC		 3570 return (NULL);
3571 }
3572 return (dh);
3573}
53002dc6 3574
f3f316f1 3575static DH *get_dh1024dsa()
0f113f3e
MC		 3576{
3577 static unsigned char dh1024_p[] = {
3578 0xC8, 0x00, 0xF7, 0x08, 0x07, 0x89, 0x4D, 0x90, 0x53, 0xF3, 0xD5,
3579 0x00,
3580 0x21, 0x1B, 0xF7, 0x31, 0xA6, 0xA2, 0xDA, 0x23, 0x9A, 0xC7, 0x87,
3581 0x19,
3582 0x3B, 0x47, 0xB6, 0x8C, 0x04, 0x6F, 0xFF, 0xC6, 0x9B, 0xB8, 0x65,
3583 0xD2,
3584 0xC2, 0x5F, 0x31, 0x83, 0x4A, 0xA7, 0x5F, 0x2F, 0x88, 0x38, 0xB6,
3585 0x55,
3586 0xCF, 0xD9, 0x87, 0x6D, 0x6F, 0x9F, 0xDA, 0xAC, 0xA6, 0x48, 0xAF,
3587 0xFC,
3588 0x33, 0x84, 0x37, 0x5B, 0x82, 0x4A, 0x31, 0x5D, 0xE7, 0xBD, 0x52,
3589 0x97,
3590 0xA1, 0x77, 0xBF, 0x10, 0x9E, 0x37, 0xEA, 0x64, 0xFA, 0xCA, 0x28,
3591 0x8D,
3592 0x9D, 0x3B, 0xD2, 0x6E, 0x09, 0x5C, 0x68, 0xC7, 0x45, 0x90, 0xFD,
3593 0xBB,
3594 0x70, 0xC9, 0x3A, 0xBB, 0xDF, 0xD4, 0x21, 0x0F, 0xC4, 0x6A, 0x3C,
3595 0xF6,
3596 0x61, 0xCF, 0x3F, 0xD6, 0x13, 0xF1, 0x5F, 0xBC, 0xCF, 0xBC, 0x26,
3597 0x9E,
3598 0xBC, 0x0B, 0xBD, 0xAB, 0x5D, 0xC9, 0x54, 0x39,
3599 };
3600 static unsigned char dh1024_g[] = {
3601 0x3B, 0x40, 0x86, 0xE7, 0xF3, 0x6C, 0xDE, 0x67, 0x1C, 0xCC, 0x80,
3602 0x05,
3603 0x5A, 0xDF, 0xFE, 0xBD, 0x20, 0x27, 0x74, 0x6C, 0x24, 0xC9, 0x03,
3604 0xF3,
3605 0xE1, 0x8D, 0xC3, 0x7D, 0x98, 0x27, 0x40, 0x08, 0xB8, 0x8C, 0x6A,
3606 0xE9,
3607 0xBB, 0x1A, 0x3A, 0xD6, 0x86, 0x83, 0x5E, 0x72, 0x41, 0xCE, 0x85,
3608 0x3C,
3609 0xD2, 0xB3, 0xFC, 0x13, 0xCE, 0x37, 0x81, 0x9E, 0x4C, 0x1C, 0x7B,
3610 0x65,
3611 0xD3, 0xE6, 0xA6, 0x00, 0xF5, 0x5A, 0x95, 0x43, 0x5E, 0x81, 0xCF,
3612 0x60,
3613 0xA2, 0x23, 0xFC, 0x36, 0xA7, 0x5D, 0x7A, 0x4C, 0x06, 0x91, 0x6E,
3614 0xF6,
3615 0x57, 0xEE, 0x36, 0xCB, 0x06, 0xEA, 0xF5, 0x3D, 0x95, 0x49, 0xCB,
3616 0xA7,
3617 0xDD, 0x81, 0xDF, 0x80, 0x09, 0x4A, 0x97, 0x4D, 0xA8, 0x22, 0x72,
3618 0xA1,
3619 0x7F, 0xC4, 0x70, 0x56, 0x70, 0xE8, 0x20, 0x10, 0x18, 0x8F, 0x2E,
3620 0x60,
3621 0x07, 0xE7, 0x68, 0x1A, 0x82, 0x5D, 0x32, 0xA2,
3622 };
3623 DH *dh;
0aeddcfa 3624 BIGNUM *p, *g;
0f113f3e
MC		 3625
3626 if ((dh = DH_new()) == NULL)
3627 return (NULL);
0aeddcfa
MC		 3628 p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
3629 g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
3630 if ((p == NULL) || (g == NULL) || !DH_set0_pqg(dh, p, NULL, g)) {
0f113f3e 3631 DH_free(dh);
0aeddcfa
MC		 3632 BN_free(p);
3633 BN_free(g);
0f113f3e
MC		 3634 return (NULL);
3635 }
0aeddcfa 3636 DH_set_length(dh, 160);
0f113f3e
MC		 3637 return (dh);
3638}
f71165b5 3639#endif
6e119bb0 3640
ddac1974
NL		 3641#ifndef OPENSSL_NO_PSK
3642/* convert the PSK key (psk_key) in ascii to binary (psk) */
3643static int psk_key2bn(const char *pskkey, unsigned char *psk,
0f113f3e
MC		 3644 unsigned int max_psk_len)
3645{
3646 int ret;
3647 BIGNUM *bn = NULL;
3648
3649 ret = BN_hex2bn(&bn, pskkey);
3650 if (!ret) {
3651 BIO_printf(bio_err, "Could not convert PSK key '%s' to BIGNUM\n",
3652 pskkey);
23a1d5e9 3653 BN_free(bn);
0f113f3e
MC		 3654 return 0;
3655 }
3656 if (BN_num_bytes(bn) > (int)max_psk_len) {
3657 BIO_printf(bio_err,
3658 "psk buffer of callback is too small (%d) for key (%d)\n",
3659 max_psk_len, BN_num_bytes(bn));
3660 BN_free(bn);
3661 return 0;
3662 }
3663 ret = BN_bn2bin(bn, psk);
3664 BN_free(bn);
3665 return ret;
3666}
3667
3668static unsigned int psk_client_callback(SSL *ssl, const char *hint,
3669 char *identity,
3670 unsigned int max_identity_len,
3671 unsigned char *psk,
3672 unsigned int max_psk_len)
3673{
3674 int ret;
3675 unsigned int psk_len = 0;
3676
3677 ret = BIO_snprintf(identity, max_identity_len, "Client_identity");
3678 if (ret < 0)
3679 goto out_err;
3680 if (debug)
3681 fprintf(stderr, "client: created identity '%s' len=%d\n", identity,
3682 ret);
3683 ret = psk_key2bn(psk_key, psk, max_psk_len);
3684 if (ret < 0)
3685 goto out_err;
3686 psk_len = ret;
3687 out_err:
3688 return psk_len;
3689}
ddac1974
NL		 3690
3691static unsigned int psk_server_callback(SSL *ssl, const char *identity,
0f113f3e
MC		 3692 unsigned char *psk,
3693 unsigned int max_psk_len)
3694{
3695 unsigned int psk_len = 0;
ddac1974 3696
0f113f3e
MC		 3697 if (strcmp(identity, "Client_identity") != 0) {
3698 BIO_printf(bio_err, "server: PSK error: client identity not found\n");
3699 return 0;
3700 }
3701 psk_len = psk_key2bn(psk_key, psk, max_psk_len);
3702 return psk_len;
3703}
ddac1974 3704#endif
Mirror of https://github.com/openssl/openssl.git