]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/ssltest.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
RT3548: Remove unsupported platforms
[thirdparty/openssl.git] / ssl / ssltest.c
CommitLineData
d02b48c6 1/* ssl/ssltest.c */
58964a49 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
d02b48c6
RE		 3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
3ac82faa
BM		 58/* ====================================================================
59 * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
ea262260
BM		 111/* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 * ECC cipher suite support in OpenSSL originally developed by
114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
115 */
ddac1974
NL		 116/* ====================================================================
117 * Copyright 2005 Nokia. All rights reserved.
118 *
119 * The portions of the attached software ("Contribution") is developed by
120 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
121 * license.
122 *
123 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
124 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
125 * support (see RFC 4279) to OpenSSL.
126 *
127 * No patent licenses or other rights except those expressly stated in
128 * the OpenSSL open source license shall be deemed granted or received
129 * expressly, by implication, estoppel, or otherwise.
130 *
131 * No assurances are provided by Nokia that the Contribution does not
132 * infringe the patent or other intellectual property rights of any third
133 * party or that the license provides you with all the necessary rights
134 * to make use of the Contribution.
135 *
136 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
137 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
138 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
139 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
140 * OTHERWISE.
141 */
d02b48c6 142
4fbe40c5 143#define _BSD_SOURCE 1 /* Or gethostname won't be declared properly
37289744 144 on Linux and GNU platforms. */
37289744 145
6f7af152
BM		 146#include <assert.h>
147#include <errno.h>
148#include <limits.h>
d02b48c6
RE		 149#include <stdio.h>
150#include <stdlib.h>
151#include <string.h>
563f1503 152#include <time.h>
17e3dd1c 153
e7a28569 154#define USE_SOCKETS
41d2a336 155#include "e_os.h"
17e3dd1c 156
bc120a54
DSH		 157#ifdef OPENSSL_SYS_VMS
158#define _XOPEN_SOURCE 500 /* Or isascii won't be declared properly on
159 VMS (at least with DECompHP C). */
160#endif
161
a963395a
RL		 162#include <ctype.h>
163
ec577822
BM		 164#include <openssl/bio.h>
165#include <openssl/crypto.h>
563f1503 166#include <openssl/evp.h>
ec577822 167#include <openssl/x509.h>
a7201e9a 168#include <openssl/x509v3.h>
ec577822 169#include <openssl/ssl.h>
0b13e9f0 170#ifndef OPENSSL_NO_ENGINE
b8e2f83a 171#include <openssl/engine.h>
0b13e9f0 172#endif
ec577822 173#include <openssl/err.h>
b9d82f47 174#include <openssl/rand.h>
3eeaab4b 175#ifndef OPENSSL_NO_RSA
60a938c6 176#include <openssl/rsa.h>
3eeaab4b
NL		 177#endif
178#ifndef OPENSSL_NO_DSA
60a938c6 179#include <openssl/dsa.h>
3eeaab4b
NL		 180#endif
181#ifndef OPENSSL_NO_DH
60a938c6 182#include <openssl/dh.h>
3eeaab4b 183#endif
edc032b5
BL		 184#ifndef OPENSSL_NO_SRP
185#include <openssl/srp.h>
186#endif
d095b68d 187#include <openssl/bn.h>
09867a47
RL		 188
189#define _XOPEN_SOURCE_EXTENDED 1 /* Or gethostname won't be declared properly
190 on Compaq platforms (at least with DEC C).
191 Do not try to put it earlier, or IPv6 includes
192 get screwed...
193 */
194
bc36ee62 195#ifdef OPENSSL_SYS_WINDOWS
f9b3bff6 196#include <winsock.h>
37289744
RL		 197#else
198#include OPENSSL_UNISTD
d02b48c6
RE		 199#endif
200
bc36ee62 201#ifdef OPENSSL_SYS_VMS
7d7d2cbc
UM		 202# define TEST_SERVER_CERT "SYS$DISK:[-.APPS]SERVER.PEM"
203# define TEST_CLIENT_CERT "SYS$DISK:[-.APPS]CLIENT.PEM"
0bf23d9b
RL		 204#elif defined(OPENSSL_SYS_WINCE)
205# define TEST_SERVER_CERT "\\OpenSSL\\server.pem"
206# define TEST_CLIENT_CERT "\\OpenSSL\\client.pem"
4d8743f4
RL		 207#elif defined(OPENSSL_SYS_NETWARE)
208# define TEST_SERVER_CERT "\\openssl\\apps\\server.pem"
209# define TEST_CLIENT_CERT "\\openssl\\apps\\client.pem"
7d7d2cbc
UM		 210#else
211# define TEST_SERVER_CERT "../apps/server.pem"
212# define TEST_CLIENT_CERT "../apps/client.pem"
213#endif
d02b48c6 214
23f80f46
RL		 215/* There is really no standard for this, so let's assign some tentative
216 numbers. In any case, these numbers are only for this test */
82423549
RL		 217#define COMP_RLE 255
218#define COMP_ZLIB 1
23f80f46 219
6d23cf97 220static int verify_callback(int ok, X509_STORE_CTX *ctx);
bc36ee62 221#ifndef OPENSSL_NO_RSA
6d23cf97 222static RSA *tmp_rsa_cb(SSL *s, int is_export,int keylength);
46b3bd54 223static void free_tmp_rsa(void);
79df9d62 224#endif
6d23cf97 225static int app_verify_callback(X509_STORE_CTX *ctx, void *arg);
a7201e9a
RL		 226#define APP_CALLBACK_STRING "Test Callback Argument"
227struct app_verify_arg
228 {
229 char *string;
230 int app_verify;
d9bfe4f9 231 int allow_proxy_certs;
a7201e9a
RL		 232 char *proxy_auth;
233 char *proxy_cond;
234 };
023ec151 235
bc36ee62 236#ifndef OPENSSL_NO_DH
d02b48c6 237static DH *get_dh512(void);
e4589582
BM		 238static DH *get_dh1024(void);
239static DH *get_dh1024dsa(void);
53002dc6
BM		 240#endif
241
ddac1974
NL		 242
243static char *psk_key=NULL; /* by default PSK is not used */
244#ifndef OPENSSL_NO_PSK
245static unsigned int psk_client_callback(SSL *ssl, const char *hint, char *identity,
246 unsigned int max_identity_len, unsigned char *psk,
247 unsigned int max_psk_len);
248static unsigned int psk_server_callback(SSL *ssl, const char *identity, unsigned char *psk,
249 unsigned int max_psk_len);
250#endif
251
edc032b5
BL		 252#ifndef OPENSSL_NO_SRP
253/* SRP client */
254/* This is a context that we pass to all callbacks */
255typedef struct srp_client_arg_st
256 {
257 char *srppassin;
258 char *srplogin;
259 } SRP_CLIENT_ARG;
260
261#define PWD_STRLEN 1024
262
6d23cf97 263static char * ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
edc032b5
BL		 264 {
265 SRP_CLIENT_ARG *srp_client_arg = (SRP_CLIENT_ARG *)arg;
266 return BUF_strdup((char *)srp_client_arg->srppassin);
267 }
268
edc032b5
BL		 269/* SRP server */
270/* This is a context that we pass to SRP server callbacks */
271typedef struct srp_server_arg_st
272 {
273 char *expected_user;
274 char *pass;
275 } SRP_SERVER_ARG;
276
6d23cf97 277static int ssl_srp_server_param_cb(SSL *s, int *ad, void *arg)
edc032b5
BL		 278 {
279 SRP_SERVER_ARG * p = (SRP_SERVER_ARG *) arg;
280
281 if (strcmp(p->expected_user, SSL_get_srp_username(s)) != 0)
282 {
283 fprintf(stderr, "User %s doesn't exist\n", SSL_get_srp_username(s));
284 return SSL3_AL_FATAL;
285 }
286 if (SSL_set_srp_server_param_pw(s,p->expected_user,p->pass,"1024")<0)
287 {
288 *ad = SSL_AD_INTERNAL_ERROR;
289 return SSL3_AL_FATAL;
290 }
291 return SSL_ERROR_NONE;
292 }
293#endif
294
396f6314
BM		 295static BIO *bio_err=NULL;
296static BIO *bio_stdout=NULL;
d02b48c6 297
2911575c 298#ifndef OPENSSL_NO_NEXTPROTONEG
d9a268b9
BL		 299/* Note that this code assumes that this is only a one element list: */
300static const char NEXT_PROTO_STRING[] = "\x09testproto";
301int npn_client = 0;
302int npn_server = 0;
303int npn_server_reject = 0;
304
305static int cb_client_npn(SSL *s, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg)
306 {
307 /* This callback only returns the protocol string, rather than a length
308 prefixed set. We assume that NEXT_PROTO_STRING is a one element list and
309 remove the first byte to chop off the length prefix. */
310 *out = (unsigned char*) NEXT_PROTO_STRING + 1;
311 *outlen = sizeof(NEXT_PROTO_STRING) - 2;
312 return SSL_TLSEXT_ERR_OK;
313 }
314
315static int cb_server_npn(SSL *s, const unsigned char **data, unsigned int *len, void *arg)
316 {
317 *data = (const unsigned char *) NEXT_PROTO_STRING;
318 *len = sizeof(NEXT_PROTO_STRING) - 1;
319 return SSL_TLSEXT_ERR_OK;
320 }
321
322static int cb_server_rejects_npn(SSL *s, const unsigned char **data, unsigned int *len, void *arg)
323 {
324 return SSL_TLSEXT_ERR_NOACK;
325 }
326
327static int verify_npn(SSL *client, SSL *server)
328 {
329 const unsigned char *client_s;
330 unsigned client_len;
331 const unsigned char *server_s;
332 unsigned server_len;
333
334 SSL_get0_next_proto_negotiated(client, &client_s, &client_len);
335 SSL_get0_next_proto_negotiated(server, &server_s, &server_len);
336
337 if (client_len)
338 {
339 BIO_printf(bio_stdout, "Client NPN: ");
340 BIO_write(bio_stdout, client_s, client_len);
341 BIO_printf(bio_stdout, "\n");
342 }
343
344 if (server_len)
345 {
346 BIO_printf(bio_stdout, "Server NPN: ");
347 BIO_write(bio_stdout, server_s, server_len);
348 BIO_printf(bio_stdout, "\n");
349 }
350
351 /* If an NPN string was returned, it must be the protocol that we
352 * expected to negotiate. */
353 if (client_len && (client_len != sizeof(NEXT_PROTO_STRING) - 2 ||
354 memcmp(client_s, NEXT_PROTO_STRING + 1, client_len)))
355 return -1;
356 if (server_len && (server_len != sizeof(NEXT_PROTO_STRING) - 2 ||
357 memcmp(server_s, NEXT_PROTO_STRING + 1, server_len)))
358 return -1;
359
360 if (!npn_client && client_len)
361 return -1;
362 if (!npn_server && server_len)
363 return -1;
364 if (npn_server_reject && server_len)
365 return -1;
366 if (npn_client && npn_server && (!client_len || !server_len))
367 return -1;
368
369 return 0;
370 }
371#endif
372
a8989362
AL		 373static const char *alpn_client;
374static const char *alpn_server;
375static const char *alpn_expected;
376static unsigned char *alpn_selected;
377
3a83462d
MC		 378/*-
379 * next_protos_parse parses a comma separated list of strings into a string
a8989362
AL		 380 * in a format suitable for passing to SSL_CTX_set_next_protos_advertised.
381 * outlen: (output) set to the length of the resulting buffer on success.
382 * err: (maybe NULL) on failure, an error message line is written to this BIO.
4eadd11c 383 * in: a NUL terminated string like "abc,def,ghi"
a8989362
AL		 384 *
385 * returns: a malloced buffer or NULL on failure.
386 */
387static unsigned char *next_protos_parse(unsigned short *outlen, const char *in)
388 {
389 size_t len;
390 unsigned char *out;
391 size_t i, start = 0;
392
393 len = strlen(in);
394 if (len >= 65535)
395 return NULL;
396
397 out = OPENSSL_malloc(strlen(in) + 1);
398 if (!out)
399 return NULL;
400
401 for (i = 0; i <= len; ++i)
402 {
403 if (i == len || in[i] == ',')
404 {
405 if (i - start > 255)
406 {
407 OPENSSL_free(out);
408 return NULL;
409 }
410 out[start] = i - start;
411 start = i + 1;
412 }
413 else
414 out[i+1] = in[i];
415 }
416
417 *outlen = len + 1;
418 return out;
419 }
420
421static int cb_server_alpn(SSL *s, const unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg)
422 {
423 unsigned char *protos;
424 unsigned short protos_len;
425
426 protos = next_protos_parse(&protos_len, alpn_server);
427 if (protos == NULL)
428 {
429 fprintf(stderr, "failed to parser ALPN server protocol string: %s\n", alpn_server);
430 abort();
431 }
432
433 if (SSL_select_next_proto((unsigned char**) out, outlen, protos, protos_len, in, inlen) !=
434 OPENSSL_NPN_NEGOTIATED)
435 {
436 OPENSSL_free(protos);
437 return SSL_TLSEXT_ERR_NOACK;
438 }
439
440 /* Make a copy of the selected protocol which will be freed in verify_alpn. */
441 alpn_selected = OPENSSL_malloc(*outlen);
442 memcpy(alpn_selected, *out, *outlen);
443 *out = alpn_selected;
444
445 OPENSSL_free(protos);
446 return SSL_TLSEXT_ERR_OK;
447 }
448
449static int verify_alpn(SSL *client, SSL *server)
450 {
451 const unsigned char *client_proto, *server_proto;
452 unsigned int client_proto_len = 0, server_proto_len = 0;
453 SSL_get0_alpn_selected(client, &client_proto, &client_proto_len);
454 SSL_get0_alpn_selected(server, &server_proto, &server_proto_len);
455
456 if (alpn_selected != NULL)
457 {
458 OPENSSL_free(alpn_selected);
459 alpn_selected = NULL;
460 }
461
462 if (client_proto_len != server_proto_len ||
463 memcmp(client_proto, server_proto, client_proto_len) != 0)
464 {
465 BIO_printf(bio_stdout, "ALPN selected protocols differ!\n");
466 goto err;
467 }
468
469 if (client_proto_len > 0 && alpn_expected == NULL)
470 {
471 BIO_printf(bio_stdout, "ALPN unexpectedly negotiated\n");
472 goto err;
473 }
474
475 if (alpn_expected != NULL &&
476 (client_proto_len != strlen(alpn_expected) ||
477 memcmp(client_proto, alpn_expected, client_proto_len) != 0))
478 {
479 BIO_printf(bio_stdout, "ALPN selected protocols not equal to expected protocol: %s\n", alpn_expected);
480 goto err;
481 }
482
483 return 0;
484
485err:
486 BIO_printf(bio_stdout, "ALPN results: client: '");
487 BIO_write(bio_stdout, client_proto, client_proto_len);
488 BIO_printf(bio_stdout, "', server: '");
489 BIO_write(bio_stdout, server_proto, server_proto_len);
490 BIO_printf(bio_stdout, "'\n");
491 BIO_printf(bio_stdout, "ALPN configured: client: '%s', server: '%s'\n", alpn_client, alpn_server);
492 return -1;
493 }
494
a398f821 495#define SCT_EXT_TYPE 18
9cd50f73
T		 496
497/* WARNING : below extension types are *NOT* IETF assigned, and
498 could conflict if these types are reassigned and handled
499 specially by OpenSSL in the future */
a398f821 500#define TACK_EXT_TYPE 62208
9cd50f73
T		 501#define CUSTOM_EXT_TYPE_0 1000
502#define CUSTOM_EXT_TYPE_1 1001
503#define CUSTOM_EXT_TYPE_2 1002
504#define CUSTOM_EXT_TYPE_3 1003
505
506const char custom_ext_cli_string[] = "abc";
507const char custom_ext_srv_string[] = "defg";
a398f821
T		 508
509/* These set from cmdline */
510char* serverinfo_file = NULL;
511int serverinfo_sct = 0;
512int serverinfo_tack = 0;
9cd50f73
T		 513
514/* These set based on extension callbacks */
a398f821
T		 515int serverinfo_sct_seen = 0;
516int serverinfo_tack_seen = 0;
517int serverinfo_other_seen = 0;
518
9cd50f73
T		 519/* This set from cmdline */
520int custom_ext = 0;
521
522/* This set based on extension callbacks */
523int custom_ext_error = 0;
524
0cfefe4b
DSH		 525static int serverinfo_cli_parse_cb(SSL *s, unsigned int ext_type,
526 const unsigned char *in, size_t inlen,
527 int *al, void *arg)
a398f821 528 {
9cd50f73
T		 529 if (ext_type == SCT_EXT_TYPE)
530 serverinfo_sct_seen++;
531 else if (ext_type == TACK_EXT_TYPE)
532 serverinfo_tack_seen++;
533 else
534 serverinfo_other_seen++;
535 return 1;
a398f821
T		 536 }
537
538static int verify_serverinfo()
539 {
540 if (serverinfo_sct != serverinfo_sct_seen)
541 return -1;
542 if (serverinfo_tack != serverinfo_tack_seen)
543 return -1;
544 if (serverinfo_other_seen)
545 return -1;
546 return 0;
547 }
548
1d97c843
TH		 549/*-
550 * Four test cases for custom extensions:
9cd50f73
T		 551 * 0 - no ClientHello extension or ServerHello response
552 * 1 - ClientHello with "abc", no response
553 * 2 - ClientHello with "abc", empty response
554 * 3 - ClientHello with "abc", "defg" response
555 */
556
de2a9e38 557static int custom_ext_0_cli_add_cb(SSL *s, unsigned int ext_type,
0a602875 558 const unsigned char **out,
de2a9e38 559 size_t *outlen, int *al, void *arg)
9cd50f73
T		 560 {
561 if (ext_type != CUSTOM_EXT_TYPE_0)
562 custom_ext_error = 1;
33f653ad 563 return 0; /* Don't send an extension */
9cd50f73
T		 564 }
565
de2a9e38 566static int custom_ext_0_cli_parse_cb(SSL *s, unsigned int ext_type,
0a602875 567 const unsigned char *in,
de2a9e38 568 size_t inlen, int *al,
0a602875 569 void *arg)
9cd50f73 570 {
9dabfce1 571 return 1;
9cd50f73
T		 572 }
573
de2a9e38 574static int custom_ext_1_cli_add_cb(SSL *s, unsigned int ext_type,
0a602875 575 const unsigned char **out,
de2a9e38 576 size_t *outlen, int *al, void *arg)
9cd50f73
T		 577 {
578 if (ext_type != CUSTOM_EXT_TYPE_1)
579 custom_ext_error = 1;
580 *out = (const unsigned char*)custom_ext_cli_string;
581 *outlen = strlen(custom_ext_cli_string);
582 return 1; /* Send "abc" */
583 }
584
de2a9e38 585static int custom_ext_1_cli_parse_cb(SSL *s, unsigned int ext_type,
0a602875 586 const unsigned char *in,
de2a9e38 587 size_t inlen, int *al,
0a602875 588 void *arg)
9cd50f73 589 {
9dabfce1 590 return 1;
9cd50f73
T		 591 }
592
de2a9e38 593static int custom_ext_2_cli_add_cb(SSL *s, unsigned int ext_type,
0a602875 594 const unsigned char **out,
de2a9e38 595 size_t *outlen, int *al, void *arg)
9cd50f73
T		 596 {
597 if (ext_type != CUSTOM_EXT_TYPE_2)
598 custom_ext_error = 1;
599 *out = (const unsigned char*)custom_ext_cli_string;
600 *outlen = strlen(custom_ext_cli_string);
601 return 1; /* Send "abc" */
602 }
603
de2a9e38 604static int custom_ext_2_cli_parse_cb(SSL *s, unsigned int ext_type,
0a602875 605 const unsigned char *in,
de2a9e38 606 size_t inlen, int *al,
0a602875 607 void *arg)
9cd50f73
T		 608 {
609 if (ext_type != CUSTOM_EXT_TYPE_2)
610 custom_ext_error = 1;
611 if (inlen != 0)
612 custom_ext_error = 1; /* Should be empty response */
613 return 1;
614 }
615
de2a9e38 616static int custom_ext_3_cli_add_cb(SSL *s, unsigned int ext_type,
0a602875 617 const unsigned char **out,
de2a9e38 618 size_t *outlen, int *al, void *arg)
9cd50f73
T		 619 {
620 if (ext_type != CUSTOM_EXT_TYPE_3)
621 custom_ext_error = 1;
622 *out = (const unsigned char*)custom_ext_cli_string;
623 *outlen = strlen(custom_ext_cli_string);
624 return 1; /* Send "abc" */
625 }
626
de2a9e38 627static int custom_ext_3_cli_parse_cb(SSL *s, unsigned int ext_type,
0a602875 628 const unsigned char *in,
de2a9e38 629 size_t inlen, int *al,
0a602875 630 void *arg)
9cd50f73
T		 631 {
632 if (ext_type != CUSTOM_EXT_TYPE_3)
633 custom_ext_error = 1;
634 if (inlen != strlen(custom_ext_srv_string))
635 custom_ext_error = 1;
636 if (memcmp(custom_ext_srv_string, in, inlen) != 0)
637 custom_ext_error = 1; /* Check for "defg" */
638 return 1;
639 }
640
f47e2039 641/* custom_ext_0_cli_add_cb returns 0 - the server won't receive a callback for this extension */
de2a9e38 642static int custom_ext_0_srv_parse_cb(SSL *s, unsigned int ext_type,
0a602875 643 const unsigned char *in,
de2a9e38 644 size_t inlen, int *al,
0a602875 645 void *arg)
9cd50f73 646 {
f47e2039 647 custom_ext_error = 1;
9dabfce1 648 return 1;
9cd50f73
T		 649 }
650
f47e2039 651/* 'add' callbacks are only called if the 'parse' callback is called */
de2a9e38 652static int custom_ext_0_srv_add_cb(SSL *s, unsigned int ext_type,
0a602875 653 const unsigned char **out,
de2a9e38 654 size_t *outlen, int *al, void *arg)
9cd50f73 655 {
f47e2039
DSH		 656 /* Error: should not have been called */
657 custom_ext_error = 1;
33f653ad 658 return 0; /* Don't send an extension */
9cd50f73
T		 659 }
660
de2a9e38 661static int custom_ext_1_srv_parse_cb(SSL *s, unsigned int ext_type,
e9add063 662 const unsigned char *in,
de2a9e38 663 size_t inlen, int *al,
e9add063 664 void *arg)
9cd50f73
T		 665 {
666 if (ext_type != CUSTOM_EXT_TYPE_1)
667 custom_ext_error = 1;
668 /* Check for "abc" */
669 if (inlen != strlen(custom_ext_cli_string))
670 custom_ext_error = 1;
671 if (memcmp(in, custom_ext_cli_string, inlen) != 0)
672 custom_ext_error = 1;
673 return 1;
674 }
675
de2a9e38 676static int custom_ext_1_srv_add_cb(SSL *s, unsigned int ext_type,
0a602875 677 const unsigned char **out,
de2a9e38 678 size_t *outlen, int *al, void *arg)
9cd50f73 679 {
33f653ad 680 return 0; /* Don't send an extension */
9cd50f73
T		 681 }
682
de2a9e38 683static int custom_ext_2_srv_parse_cb(SSL *s, unsigned int ext_type,
0a602875 684 const unsigned char *in,
de2a9e38 685 size_t inlen, int *al,
0a602875 686 void *arg)
9cd50f73
T		 687 {
688 if (ext_type != CUSTOM_EXT_TYPE_2)
689 custom_ext_error = 1;
690 /* Check for "abc" */
691 if (inlen != strlen(custom_ext_cli_string))
692 custom_ext_error = 1;
693 if (memcmp(in, custom_ext_cli_string, inlen) != 0)
694 custom_ext_error = 1;
695 return 1;
696 }
697
de2a9e38 698static int custom_ext_2_srv_add_cb(SSL *s, unsigned int ext_type,
0a602875 699 const unsigned char **out,
de2a9e38 700 size_t *outlen, int *al, void *arg)
9cd50f73
T		 701 {
702 *out = NULL;
703 *outlen = 0;
704 return 1; /* Send empty extension */
705 }
706
de2a9e38 707static int custom_ext_3_srv_parse_cb(SSL *s, unsigned int ext_type,
0a602875 708 const unsigned char *in,
de2a9e38 709 size_t inlen, int *al,
0a602875 710 void *arg)
9cd50f73
T		 711 {
712 if (ext_type != CUSTOM_EXT_TYPE_3)
713 custom_ext_error = 1;
714 /* Check for "abc" */
715 if (inlen != strlen(custom_ext_cli_string))
716 custom_ext_error = 1;
717 if (memcmp(in, custom_ext_cli_string, inlen) != 0)
718 custom_ext_error = 1;
719 return 1;
720 }
721
de2a9e38 722static int custom_ext_3_srv_add_cb(SSL *s, unsigned int ext_type,
0a602875 723 const unsigned char **out,
de2a9e38 724 size_t *outlen, int *al, void *arg)
9cd50f73
T		 725 {
726 *out = (const unsigned char*)custom_ext_srv_string;
727 *outlen = strlen(custom_ext_srv_string);
728 return 1; /* Send "defg" */
729 }
730
d02b48c6 731static char *cipher=NULL;
79875776
BM		 732static int verbose=0;
733static int debug=0;
d58d092b
BM		 734#if 0
735/* Not used yet. */
d02b48c6
RE		 736#ifdef FIONBIO
737static int s_nbio=0;
738#endif
d58d092b 739#endif
d02b48c6 740
b9d82f47 741static const char rnd_seed[] = "string to make the random number generator think it has entropy";
d02b48c6 742
563f1503 743int doit_biopair(SSL *s_ssl,SSL *c_ssl,long bytes,clock_t *s_time,clock_t *c_time);
58964a49 744int doit(SSL *s_ssl,SSL *c_ssl,long bytes);
6e119bb0 745static int do_test_cipherlist(void);
6b691a5c 746static void sv_usage(void)
d02b48c6
RE		 747 {
748 fprintf(stderr,"usage: ssltest [args ...]\n");
749 fprintf(stderr,"\n");
086e32a6
DSH		 750#ifdef OPENSSL_FIPS
751 fprintf(stderr,"-F - run test in FIPS mode\n");
752#endif
d02b48c6
RE		 753 fprintf(stderr," -server_auth - check server certificate\n");
754 fprintf(stderr," -client_auth - do client authentication\n");
d9bfe4f9 755 fprintf(stderr," -proxy - allow proxy certificates\n");
a7201e9a 756 fprintf(stderr," -proxy_auth <val> - set proxy policy rights\n");
4eadd11c 757 fprintf(stderr," -proxy_cond <val> - expression to test proxy policy rights\n");
d02b48c6 758 fprintf(stderr," -v - more output\n");
58964a49
RE		 759 fprintf(stderr," -d - debug output\n");
760 fprintf(stderr," -reuse - use session-id reuse\n");
761 fprintf(stderr," -num <val> - number of connections to perform\n");
762 fprintf(stderr," -bytes <val> - number of bytes to swap between client/server\n");
bc36ee62 763#ifndef OPENSSL_NO_DH
e4589582
BM		 764 fprintf(stderr," -dhe1024 - use 1024 bit key (safe prime) for DHE\n");
765 fprintf(stderr," -dhe1024dsa - use 1024 bit key (with 160-bit subprime) for DHE\n");
77fa04a9
BM		 766 fprintf(stderr," -no_dhe - disable DHE\n");
767#endif
ea262260
BM		 768#ifndef OPENSSL_NO_ECDH
769 fprintf(stderr," -no_ecdhe - disable ECDHE\n");
770#endif
ddac1974
NL		 771#ifndef OPENSSL_NO_PSK
772 fprintf(stderr," -psk arg - PSK in hex (without 0x)\n");
773#endif
edc032b5
BL		 774#ifndef OPENSSL_NO_SRP
775 fprintf(stderr," -srpuser user - SRP username to use\n");
776 fprintf(stderr," -srppass arg - password for 'user'\n");
777#endif
3881d810 778#ifndef OPENSSL_NO_SSL3_METHOD
d02b48c6 779 fprintf(stderr," -ssl3 - use SSLv3\n");
58964a49 780#endif
bc36ee62 781#ifndef OPENSSL_NO_TLS1
58964a49 782 fprintf(stderr," -tls1 - use TLSv1\n");
d02b48c6
RE		 783#endif
784 fprintf(stderr," -CApath arg - PEM format directory of CA's\n");
785 fprintf(stderr," -CAfile arg - PEM format file of CA's\n");
7d2509b6
BM		 786 fprintf(stderr," -cert arg - Server certificate file\n");
787 fprintf(stderr," -key arg - Server key file (default: same as -cert)\n");
788 fprintf(stderr," -c_cert arg - Client certificate file\n");
789 fprintf(stderr," -c_key arg - Client key file (default: same as -c_cert)\n");
58964a49 790 fprintf(stderr," -cipher arg - The cipher list\n");
95d29597
BM		 791 fprintf(stderr," -bio_pair - Use BIO pairs\n");
792 fprintf(stderr," -f - Test even cases that can't work\n");
563f1503 793 fprintf(stderr," -time - measure processor time used by client and server\n");
23f80f46 794 fprintf(stderr," -zlib - use zlib compression\n");
ea262260
BM		 795 fprintf(stderr," -rle - use rle compression\n");
796#ifndef OPENSSL_NO_ECDH
797 fprintf(stderr," -named_curve arg - Elliptic curve name to use for ephemeral ECDH keys.\n" \
798 " Use \"openssl ecparam -list_curves\" for all names\n" \
799 " (default is sect163r2).\n");
800#endif
fd28a41e
EK		 801 fprintf(stderr," -test_cipherlist - Verifies the order of the ssl cipher lists.\n"
802 " When this option is requested, the cipherlist\n"
803 " tests are run instead of handshake tests.\n");
2911575c 804#ifndef OPENSSL_NO_NEXTPROTONEG
d9a268b9
BL		 805 fprintf(stderr," -npn_client - have client side offer NPN\n");
806 fprintf(stderr," -npn_server - have server side offer NPN\n");
807 fprintf(stderr," -npn_server_reject - have server reject NPN\n");
808#endif
9cd50f73 809 fprintf(stderr," -serverinfo_file file - have server use this file\n");
a398f821
T		 810 fprintf(stderr," -serverinfo_sct - have client offer and expect SCT\n");
811 fprintf(stderr," -serverinfo_tack - have client offer and expect TACK\n");
9cd50f73 812 fprintf(stderr," -custom_ext - try various custom extension callbacks\n");
a8989362
AL		 813 fprintf(stderr," -alpn_client <string> - have client side offer ALPN\n");
814 fprintf(stderr," -alpn_server <string> - have server side offer ALPN\n");
815 fprintf(stderr," -alpn_expected <string> - the ALPN protocol that should be negotiated\n");
563f1503
BM		 816 }
817
f756f1fc
DSH		 818static void print_key_details(BIO *out, EVP_PKEY *key)
819 {
820 int keyid = EVP_PKEY_id(key);
821#ifndef OPENSSL_NO_EC
822 if (keyid == EVP_PKEY_EC)
823 {
824 EC_KEY *ec = EVP_PKEY_get1_EC_KEY(key);
825 int nid;
826 const char *cname;
827 nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
828 EC_KEY_free(ec);
829 cname = EC_curve_nid2nist(nid);
830 if (!cname)
831 cname = OBJ_nid2sn(nid);
832 BIO_printf(out, "%d bits EC (%s)",
833 EVP_PKEY_bits(key), cname);
834 }
835 else
836#endif
837 {
838 const char *algname;
839 switch (keyid)
840 {
841 case EVP_PKEY_RSA:
842 algname = "RSA";
843 break;
844 case EVP_PKEY_DSA:
845 algname = "DSA";
846 break;
847 case EVP_PKEY_DH:
848 algname = "DH";
849 break;
850 default:
851 algname = OBJ_nid2sn(keyid);
852 break;
853 }
854 BIO_printf(out, "%d bits %s", EVP_PKEY_bits(key), algname);
855 }
856 }
857
563f1503
BM		 858static void print_details(SSL *c_ssl, const char *prefix)
859 {
babb3798 860 const SSL_CIPHER *ciph;
f756f1fc 861 int mdnid;
563f1503 862 X509 *cert;
f756f1fc 863 EVP_PKEY *pkey;
563f1503
BM		 864
865 ciph=SSL_get_current_cipher(c_ssl);
866 BIO_printf(bio_stdout,"%s%s, cipher %s %s",
867 prefix,
868 SSL_get_version(c_ssl),
869 SSL_CIPHER_get_version(ciph),
870 SSL_CIPHER_get_name(ciph));
871 cert=SSL_get_peer_certificate(c_ssl);
872 if (cert != NULL)
873 {
f756f1fc 874 pkey = X509_get_pubkey(cert);
563f1503
BM		 875 if (pkey != NULL)
876 {
f756f1fc
DSH		 877 BIO_puts(bio_stdout, ", ");
878 print_key_details(bio_stdout, pkey);
563f1503
BM		 879 EVP_PKEY_free(pkey);
880 }
881 X509_free(cert);
882 }
f756f1fc
DSH		 883 if (SSL_get_server_tmp_key(c_ssl, &pkey))
884 {
885 BIO_puts(bio_stdout, ", temp key: ");
886 print_key_details(bio_stdout, pkey);
887 EVP_PKEY_free(pkey);
888 }
889 if (SSL_get_peer_signature_nid(c_ssl, &mdnid))
890 BIO_printf(bio_stdout, ", digest=%s", OBJ_nid2sn(mdnid));
563f1503 891 BIO_printf(bio_stdout,"\n");
d02b48c6
RE		 892 }
893
3ac82faa
BM		 894static void lock_dbg_cb(int mode, int type, const char *file, int line)
895 {
896 static int modes[CRYPTO_NUM_LOCKS]; /* = {0, 0, ... } */
897 const char *errstr = NULL;
898 int rw;
899
900 rw = mode & (CRYPTO_READ|CRYPTO_WRITE);
901 if (!((rw == CRYPTO_READ) || (rw == CRYPTO_WRITE)))
902 {
903 errstr = "invalid mode";
904 goto err;
905 }
906
563c05e2 907 if (type < 0 || type >= CRYPTO_NUM_LOCKS)
3ac82faa
BM		 908 {
909 errstr = "type out of bounds";
910 goto err;
911 }
912
913 if (mode & CRYPTO_LOCK)
914 {
915 if (modes[type])
916 {
917 errstr = "already locked";
918 /* must not happen in a single-threaded program
919 * (would deadlock) */
920 goto err;
921 }
922
923 modes[type] = rw;
924 }
925 else if (mode & CRYPTO_UNLOCK)
926 {
927 if (!modes[type])
928 {
929 errstr = "not locked";
930 goto err;
931 }
932
933 if (modes[type] != rw)
934 {
935 errstr = (rw == CRYPTO_READ) ?
936 "CRYPTO_r_unlock on write lock" :
937 "CRYPTO_w_unlock on read lock";
938 }
939
940 modes[type] = 0;
941 }
942 else
943 {
944 errstr = "invalid mode";
945 goto err;
946 }
947
948 err:
949 if (errstr)
950 {
951 /* we cannot use bio_err here */
952 fprintf(stderr, "openssl (lock_dbg_cb): %s (mode=%d, type=%d) at %s:%d\n",
953 errstr, mode, type, file, line);
954 }
955 }
956
761772d7
BM		 957#ifdef TLSEXT_TYPE_opaque_prf_input
958struct cb_info_st { void *input; size_t len; int ret; };
959struct cb_info_st co1 = { "C", 1, 1 }; /* try to negotiate oqaque PRF input */
960struct cb_info_st co2 = { "C", 1, 2 }; /* insist on oqaque PRF input */
961struct cb_info_st so1 = { "S", 1, 1 }; /* try to negotiate oqaque PRF input */
962struct cb_info_st so2 = { "S", 1, 2 }; /* insist on oqaque PRF input */
963
964int opaque_prf_input_cb(SSL *ssl, void *peerinput, size_t len, void *arg_)
965 {
966 struct cb_info_st *arg = arg_;
967
968 if (arg == NULL)
969 return 1;
970
971 if (!SSL_set_tlsext_opaque_prf_input(ssl, arg->input, arg->len))
972 return 0;
973 return arg->ret;
974 }
975#endif
6e119bb0 976
6b691a5c 977int main(int argc, char *argv[])
d02b48c6
RE		 978 {
979 char *CApath=NULL,*CAfile=NULL;
980 int badop=0;
95d29597
BM		 981 int bio_pair=0;
982 int force=0;
45f55f6a 983 int tls1=0,ssl3=0,ret=1;
d02b48c6 984 int client_auth=0;
58964a49 985 int server_auth=0,i;
a7201e9a 986 struct app_verify_arg app_verify_arg =
d9bfe4f9 987 { APP_CALLBACK_STRING, 0, 0, NULL, NULL };
d02b48c6 988 char *server_cert=TEST_SERVER_CERT;
65b002f3 989 char *server_key=NULL;
d02b48c6 990 char *client_cert=TEST_CLIENT_CERT;
65b002f3 991 char *client_key=NULL;
3eeaab4b 992#ifndef OPENSSL_NO_ECDH
ea262260 993 char *named_curve = NULL;
3eeaab4b 994#endif
d02b48c6
RE		 995 SSL_CTX *s_ctx=NULL;
996 SSL_CTX *c_ctx=NULL;
4ebb342f 997 const SSL_METHOD *meth=NULL;
58964a49
RE		 998 SSL *c_ssl,*s_ssl;
999 int number=1,reuse=0;
82423549 1000 long bytes=256L;
bc36ee62 1001#ifndef OPENSSL_NO_DH
d02b48c6 1002 DH *dh;
e4589582 1003 int dhe1024 = 0, dhe1024dsa = 0;
ea262260
BM		 1004#endif
1005#ifndef OPENSSL_NO_ECDH
1006 EC_KEY *ecdh = NULL;
edc032b5
BL		 1007#endif
1008#ifndef OPENSSL_NO_SRP
1009 /* client */
edc032b5
BL		 1010 SRP_CLIENT_ARG srp_client_arg = {NULL,NULL};
1011 /* server */
1012 SRP_SERVER_ARG srp_server_arg = {NULL,NULL};
58964a49 1013#endif
e4589582 1014 int no_dhe = 0;
ea262260 1015 int no_ecdhe = 0;
ddac1974 1016 int no_psk = 0;
563f1503
BM		 1017 int print_time = 0;
1018 clock_t s_time = 0, c_time = 0;
09b6c2ef 1019#ifndef OPENSSL_NO_COMP
a4c4a7d5 1020 int comp = 0;
8df788c9 1021 COMP_METHOD *cm = NULL;
82423549 1022 STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
00a37b5a 1023#endif
6e119bb0 1024 int test_cipherlist = 0;
086e32a6
DSH		 1025#ifdef OPENSSL_FIPS
1026 int fips_mode=0;
1027#endif
fd28a41e 1028 int no_protocol = 0;
563f1503 1029
de94222d
DSH		 1030 SSL_CONF_CTX *s_cctx = NULL, *c_cctx = NULL;
1031 STACK_OF(OPENSSL_STRING) *conf_args = NULL;
1032 const char *arg = NULL, *argn = NULL;
1033
79875776
BM		 1034 verbose = 0;
1035 debug = 0;
1036 cipher = 0;
1e3a9b65 1037
e9680894 1038 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE|BIO_FP_TEXT);
1e3a9b65 1039
3ac82faa
BM		 1040 CRYPTO_set_locking_callback(lock_dbg_cb);
1041
10654d3a
BM		 1042 /* enable memory leak checking unless explicitly disabled */
1043 if (!((getenv("OPENSSL_DEBUG_MEMORY") != NULL) && (0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off"))))
1044 {
1045 CRYPTO_malloc_debug_init();
384eff87
BM		 1046 CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
1047 }
1048 else
1049 {
1050 /* OPENSSL_DEBUG_MEMORY=off */
1051 CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0);
10654d3a 1052 }
79875776 1053 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
d02b48c6 1054
b9d82f47
UM		 1055 RAND_seed(rnd_seed, sizeof rnd_seed);
1056
e9680894 1057 bio_stdout=BIO_new_fp(stdout,BIO_NOCLOSE|BIO_FP_TEXT);
d02b48c6 1058
de94222d
DSH		 1059 s_cctx = SSL_CONF_CTX_new();
1060 c_cctx = SSL_CONF_CTX_new();
1061
1062 if (!s_cctx || !c_cctx)
1063 {
1064 ERR_print_errors(bio_err);
1065 goto end;
1066 }
1067
1068 SSL_CONF_CTX_set_flags(s_cctx,
1069 SSL_CONF_FLAG_CMDLINE|SSL_CONF_FLAG_SERVER);
1070 if (!SSL_CONF_CTX_set1_prefix(s_cctx, "-s_"))
1071 {
1072 ERR_print_errors(bio_err);
1073 goto end;
1074 }
1075
1076 SSL_CONF_CTX_set_flags(c_cctx,
1077 SSL_CONF_FLAG_CMDLINE|SSL_CONF_FLAG_CLIENT);
1078 if (!SSL_CONF_CTX_set1_prefix(c_cctx, "-c_"))
1079 {
1080 ERR_print_errors(bio_err);
1081 goto end;
1082 }
1083
d02b48c6
RE		 1084 argc--;
1085 argv++;
1086
1087 while (argc >= 1)
1088 {
086e32a6
DSH		 1089 if(!strcmp(*argv,"-F"))
1090 {
1091#ifdef OPENSSL_FIPS
1092 fips_mode=1;
1093#else
4eadd11c 1094 fprintf(stderr,"not compiled with FIPS support, so exiting without running.\n");
086e32a6
DSH		 1095 EXIT(0);
1096#endif
1097 }
1098 else if (strcmp(*argv,"-server_auth") == 0)
d02b48c6
RE		 1099 server_auth=1;
1100 else if (strcmp(*argv,"-client_auth") == 0)
1101 client_auth=1;
a7201e9a
RL		 1102 else if (strcmp(*argv,"-proxy_auth") == 0)
1103 {
1104 if (--argc < 1) goto bad;
1105 app_verify_arg.proxy_auth= *(++argv);
1106 }
1107 else if (strcmp(*argv,"-proxy_cond") == 0)
1108 {
1109 if (--argc < 1) goto bad;
1110 app_verify_arg.proxy_cond= *(++argv);
1111 }
d02b48c6
RE		 1112 else if (strcmp(*argv,"-v") == 0)
1113 verbose=1;
58964a49
RE		 1114 else if (strcmp(*argv,"-d") == 0)
1115 debug=1;
1116 else if (strcmp(*argv,"-reuse") == 0)
1117 reuse=1;
48c843c3 1118 else if (strcmp(*argv,"-dhe1024") == 0)
90f5a2b6
RL		 1119 {
1120#ifndef OPENSSL_NO_DH
48c843c3 1121 dhe1024=1;
90f5a2b6 1122#else
ba5ba549 1123 fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n");
90f5a2b6
RL		 1124#endif
1125 }
e4589582 1126 else if (strcmp(*argv,"-dhe1024dsa") == 0)
90f5a2b6
RL		 1127 {
1128#ifndef OPENSSL_NO_DH
e4589582 1129 dhe1024dsa=1;
90f5a2b6 1130#else
ba5ba549 1131 fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n");
e4589582 1132#endif
90f5a2b6 1133 }
77fa04a9
BM		 1134 else if (strcmp(*argv,"-no_dhe") == 0)
1135 no_dhe=1;
ea262260
BM		 1136 else if (strcmp(*argv,"-no_ecdhe") == 0)
1137 no_ecdhe=1;
ddac1974
NL		 1138 else if (strcmp(*argv,"-psk") == 0)
1139 {
1140 if (--argc < 1) goto bad;
1141 psk_key=*(++argv);
1142#ifndef OPENSSL_NO_PSK
1143 if (strspn(psk_key, "abcdefABCDEF1234567890") != strlen(psk_key))
1144 {
1145 BIO_printf(bio_err,"Not a hex number '%s'\n",*argv);
1146 goto bad;
1147 }
1148#else
1149 no_psk=1;
1150#endif
1151 }
edc032b5
BL		 1152#ifndef OPENSSL_NO_SRP
1153 else if (strcmp(*argv,"-srpuser") == 0)
1154 {
1155 if (--argc < 1) goto bad;
1156 srp_server_arg.expected_user = srp_client_arg.srplogin= *(++argv);
1157 tls1=1;
1158 }
1159 else if (strcmp(*argv,"-srppass") == 0)
1160 {
1161 if (--argc < 1) goto bad;
1162 srp_server_arg.pass = srp_client_arg.srppassin= *(++argv);
1163 tls1=1;
1164 }
1165#endif
58964a49 1166 else if (strcmp(*argv,"-tls1") == 0)
fd28a41e
EK		 1167 {
1168#ifdef OPENSSL_NO_TLS1
1169 no_protocol = 1;
1170#endif
1171 tls1 = 1;
1172 }
d02b48c6 1173 else if (strcmp(*argv,"-ssl3") == 0)
fd28a41e 1174 {
3881d810 1175#ifdef OPENSSL_NO_SSL3_METHOD
fd28a41e
EK		 1176 no_protocol = 1;
1177#endif
1178 ssl3 = 1;
1179 }
58964a49
RE		 1180 else if (strncmp(*argv,"-num",4) == 0)
1181 {
1182 if (--argc < 1) goto bad;
1183 number= atoi(*(++argv));
1184 if (number == 0) number=1;
1185 }
1186 else if (strcmp(*argv,"-bytes") == 0)
1187 {
1188 if (--argc < 1) goto bad;
1189 bytes= atol(*(++argv));
1190 if (bytes == 0L) bytes=1L;
1191 i=strlen(argv[0]);
1192 if (argv[0][i-1] == 'k') bytes*=1024L;
1193 if (argv[0][i-1] == 'm') bytes*=1024L*1024L;
1194 }
d02b48c6
RE		 1195 else if (strcmp(*argv,"-cert") == 0)
1196 {
1197 if (--argc < 1) goto bad;
1198 server_cert= *(++argv);
1199 }
1200 else if (strcmp(*argv,"-s_cert") == 0)
1201 {
1202 if (--argc < 1) goto bad;
1203 server_cert= *(++argv);
1204 }
65b002f3
BM		 1205 else if (strcmp(*argv,"-key") == 0)
1206 {
1207 if (--argc < 1) goto bad;
1208 server_key= *(++argv);
1209 }
1210 else if (strcmp(*argv,"-s_key") == 0)
1211 {
1212 if (--argc < 1) goto bad;
1213 server_key= *(++argv);
1214 }
d02b48c6
RE		 1215 else if (strcmp(*argv,"-c_cert") == 0)
1216 {
1217 if (--argc < 1) goto bad;
1218 client_cert= *(++argv);
1219 }
65b002f3
BM		 1220 else if (strcmp(*argv,"-c_key") == 0)
1221 {
1222 if (--argc < 1) goto bad;
1223 client_key= *(++argv);
1224 }
d02b48c6
RE		 1225 else if (strcmp(*argv,"-cipher") == 0)
1226 {
1227 if (--argc < 1) goto bad;
1228 cipher= *(++argv);
1229 }
1230 else if (strcmp(*argv,"-CApath") == 0)
1231 {
1232 if (--argc < 1) goto bad;
1233 CApath= *(++argv);
1234 }
1235 else if (strcmp(*argv,"-CAfile") == 0)
1236 {
1237 if (--argc < 1) goto bad;
1238 CAfile= *(++argv);
1239 }
95d29597
BM		 1240 else if (strcmp(*argv,"-bio_pair") == 0)
1241 {
1242 bio_pair = 1;
1243 }
1244 else if (strcmp(*argv,"-f") == 0)
1245 {
1246 force = 1;
1247 }
563f1503
BM		 1248 else if (strcmp(*argv,"-time") == 0)
1249 {
1250 print_time = 1;
1251 }
a4c4a7d5 1252#ifndef OPENSSL_NO_COMP
23f80f46
RL		 1253 else if (strcmp(*argv,"-zlib") == 0)
1254 {
1255 comp = COMP_ZLIB;
1256 }
1257 else if (strcmp(*argv,"-rle") == 0)
1258 {
1259 comp = COMP_RLE;
1260 }
a4c4a7d5 1261#endif
ea262260
BM		 1262 else if (strcmp(*argv,"-named_curve") == 0)
1263 {
1264 if (--argc < 1) goto bad;
90f5a2b6 1265#ifndef OPENSSL_NO_ECDH
ea262260 1266 named_curve = *(++argv);
90f5a2b6 1267#else
5e3247d8 1268 fprintf(stderr,"ignoring -named_curve, since I'm compiled without ECDH\n");
90f5a2b6 1269 ++argv;
ea262260 1270#endif
90f5a2b6 1271 }
023ec151
BM		 1272 else if (strcmp(*argv,"-app_verify") == 0)
1273 {
a7201e9a 1274 app_verify_arg.app_verify = 1;
023ec151 1275 }
d9bfe4f9
RL		 1276 else if (strcmp(*argv,"-proxy") == 0)
1277 {
1278 app_verify_arg.allow_proxy_certs = 1;
1279 }
6e119bb0
NL		 1280 else if (strcmp(*argv,"-test_cipherlist") == 0)
1281 {
1282 test_cipherlist = 1;
1283 }
2911575c 1284#ifndef OPENSSL_NO_NEXTPROTONEG
d9a268b9
BL		 1285 else if (strcmp(*argv,"-npn_client") == 0)
1286 {
1287 npn_client = 1;
1288 }
1289 else if (strcmp(*argv,"-npn_server") == 0)
1290 {
1291 npn_server = 1;
1292 }
1293 else if (strcmp(*argv,"-npn_server_reject") == 0)
1294 {
1295 npn_server_reject = 1;
1296 }
1297#endif
a398f821
T		 1298 else if (strcmp(*argv,"-serverinfo_sct") == 0)
1299 {
1300 serverinfo_sct = 1;
1301 }
1302 else if (strcmp(*argv,"-serverinfo_tack") == 0)
1303 {
1304 serverinfo_tack = 1;
1305 }
1306 else if (strcmp(*argv,"-serverinfo_file") == 0)
1307 {
1308 if (--argc < 1) goto bad;
1309 serverinfo_file = *(++argv);
1310 }
9cd50f73
T		 1311 else if (strcmp(*argv,"-custom_ext") == 0)
1312 {
1313 custom_ext = 1;
1314 }
a8989362
AL		 1315 else if (strcmp(*argv,"-alpn_client") == 0)
1316 {
1317 if (--argc < 1) goto bad;
1318 alpn_client = *(++argv);
1319 }
1320 else if (strcmp(*argv,"-alpn_server") == 0)
1321 {
1322 if (--argc < 1) goto bad;
1323 alpn_server = *(++argv);
1324 }
1325 else if (strcmp(*argv,"-alpn_expected") == 0)
1326 {
1327 if (--argc < 1) goto bad;
1328 alpn_expected = *(++argv);
1329 }
d02b48c6
RE		 1330 else
1331 {
de94222d
DSH		 1332 int rv;
1333 arg = argv[0];
1334 argn = argv[1];
1335 /* Try to process command using SSL_CONF */
1336 rv = SSL_CONF_cmd_argv(c_cctx, &argc, &argv);
1337 /* If not processed try server */
1338 if (rv == 0)
1339 rv = SSL_CONF_cmd_argv(s_cctx, &argc, &argv);
1340 /* Recognised: store it for later use */
1341 if (rv > 0)
1342 {
1343 if (rv == 1)
1344 argn = NULL;
1345 if (!conf_args)
1346 {
1347 conf_args = sk_OPENSSL_STRING_new_null();
1348 if (!conf_args)
1349 goto end;
1350 }
1351 if (!sk_OPENSSL_STRING_push(conf_args, arg))
1352 goto end;
1353 if (!sk_OPENSSL_STRING_push(conf_args, argn))
1354 goto end;
1355 continue;
1356 }
1357 if (rv == -3)
1358 BIO_printf(bio_err, "Missing argument for %s\n",
1359 arg);
1360 else if (rv < 0)
1361 BIO_printf(bio_err, "Error with command %s\n",
1362 arg);
1363 else if (rv == 0)
1364 BIO_printf(bio_err,"unknown option %s\n", arg);
1365 badop = 1;
d02b48c6
RE		 1366 break;
1367 }
1368 argc--;
1369 argv++;
1370 }
1371 if (badop)
1372 {
1373bad:
1374 sv_usage();
1375 goto end;
1376 }
1377
fd28a41e
EK		 1378 /*
1379 * test_cipherlist prevails over protocol switch: we test the cipherlist
1380 * for all enabled protocols.
1381 */
6e119bb0
NL		 1382 if (test_cipherlist == 1)
1383 {
1384 /* ensure that the cipher list are correctly sorted and exit */
fd28a41e
EK		 1385 fprintf(stdout, "Testing cipherlist order only. Ignoring all "
1386 "other options.\n");
6e119bb0
NL		 1387 if (do_test_cipherlist() == 0)
1388 EXIT(1);
1389 ret = 0;
1390 goto end;
1391 }
1392
45f55f6a 1393 if (ssl3 + tls1 > 1)
fd28a41e 1394 {
45f55f6a 1395 fprintf(stderr, "At most one of -ssl3, or -tls1 should "
fd28a41e
EK		 1396 "be requested.\n");
1397 EXIT(1);
1398 }
1399
1400 /*
45f55f6a 1401 * Testing was requested for a compiled-out protocol (e.g. SSLv3).
fd28a41e
EK		 1402 * Ideally, we would error out, but the generic test wrapper can't know
1403 * when to expect failure. So we do nothing and return success.
1404 */
1405 if (no_protocol)
1406 {
1407 fprintf(stderr, "Testing was requested for a disabled protocol. "
1408 "Skipping tests.\n");
1409 ret = 0;
1410 goto end;
1411 }
1412
45f55f6a 1413 if (!ssl3 && !tls1 && number > 1 && !reuse && !force)
95d29597 1414 {
563f1503
BM		 1415 fprintf(stderr, "This case cannot work. Use -f to perform "
1416 "the test anyway (and\n-d to see what happens), "
45f55f6a 1417 "or add one of -ssl3, -tls1, -reuse\n"
563f1503 1418 "to avoid protocol mismatch.\n");
55f78baf 1419 EXIT(1);
95d29597
BM		 1420 }
1421
086e32a6
DSH		 1422#ifdef OPENSSL_FIPS
1423 if(fips_mode)
1424 {
1425 if(!FIPS_mode_set(1))
1426 {
1427 ERR_load_crypto_strings();
1428 ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
1429 EXIT(1);
1430 }
1431 else
1432 fprintf(stderr,"*** IN FIPS MODE ***\n");
1433 }
1434#endif
1435
563f1503
BM		 1436 if (print_time)
1437 {
1438 if (!bio_pair)
1439 {
1440 fprintf(stderr, "Using BIO pair (-bio_pair)\n");
1441 bio_pair = 1;
1442 }
1443 if (number < 50 && !force)
1444 fprintf(stderr, "Warning: For accurate timings, use more connections (e.g. -num 1000)\n");
1445 }
1446
d02b48c6
RE		 1447/* if (cipher == NULL) cipher=getenv("SSL_CIPHER"); */
1448
413c4f45 1449 SSL_library_init();
d02b48c6
RE		 1450 SSL_load_error_strings();
1451
09b6c2ef 1452#ifndef OPENSSL_NO_COMP
bd68b6b1
RL		 1453 if (comp == COMP_ZLIB) cm = COMP_zlib();
1454 if (comp == COMP_RLE) cm = COMP_rle();
1455 if (cm != NULL)
23f80f46 1456 {
23f80f46 1457 if (cm->type != NID_undef)
f82ab534
RL		 1458 {
1459 if (SSL_COMP_add_compression_method(comp, cm) != 0)
1460 {
1461 fprintf(stderr,
1462 "Failed to add compression method\n");
1463 ERR_print_errors_fp(stderr);
1464 }
1465 }
23f80f46 1466 else
4751717c 1467 {
bd68b6b1
RL		 1468 fprintf(stderr,
1469 "Warning: %s compression not supported\n",
1470 (comp == COMP_RLE ? "rle" :
1471 (comp == COMP_ZLIB ? "zlib" :
1472 "unknown")));
4751717c
RL		 1473 ERR_print_errors_fp(stderr);
1474 }
23f80f46 1475 }
82423549
RL		 1476 ssl_comp_methods = SSL_COMP_get_compression_methods();
1477 fprintf(stderr, "Available compression methods:\n");
1478 {
a08ced78 1479 int j, n = sk_SSL_COMP_num(ssl_comp_methods);
82423549
RL		 1480 if (n == 0)
1481 fprintf(stderr, " NONE\n");
1482 else
a08ced78 1483 for (j = 0; j < n; j++)
82423549 1484 {
a08ced78 1485 SSL_COMP *c = sk_SSL_COMP_value(ssl_comp_methods, j);
82423549
RL		 1486 fprintf(stderr, " %d: %s\n", c->id, c->name);
1487 }
1488 }
231b98a5 1489#endif
23f80f46 1490
45f55f6a 1491/* At this point, ssl3/tls1 is only set if the protocol is available.
fd28a41e
EK		 1492 * (Otherwise we exit early.)
1493 * However the compiler doesn't know this, so we ifdef. */
fd28a41e 1494#ifndef OPENSSL_NO_SSL3
d02b48c6
RE		 1495 if (ssl3)
1496 meth=SSLv3_method();
1497 else
fd28a41e
EK		 1498#endif
1499#ifndef OPENSSL_NO_TLS1
b7c37f2f
DSH		 1500 if (tls1)
1501 meth=TLSv1_method();
1502 else
d02b48c6 1503#endif
fd28a41e 1504 meth=SSLv23_method();
d02b48c6
RE		 1505
1506 c_ctx=SSL_CTX_new(meth);
1507 s_ctx=SSL_CTX_new(meth);
1508 if ((c_ctx == NULL) || (s_ctx == NULL))
1509 {
1510 ERR_print_errors(bio_err);
1511 goto end;
1512 }
77a926e6
DSH		 1513 /* Since we will use low security ciphersuites and keys for
1514 * testing set security level to zero.
1515 */
1516 SSL_CTX_set_security_level(c_ctx, 0);
1517 SSL_CTX_set_security_level(s_ctx, 0);
d02b48c6
RE		 1518
1519 if (cipher != NULL)
1520 {
1521 SSL_CTX_set_cipher_list(c_ctx,cipher);
1522 SSL_CTX_set_cipher_list(s_ctx,cipher);
1523 }
1524
de94222d
DSH		 1525 /* Process SSL_CONF arguments */
1526 SSL_CONF_CTX_set_ssl_ctx(c_cctx, c_ctx);
1527 SSL_CONF_CTX_set_ssl_ctx(s_cctx, s_ctx);
1528
1529 for (i = 0; i < sk_OPENSSL_STRING_num(conf_args); i += 2)
1530 {
1531 int rv;
1532 arg = sk_OPENSSL_STRING_value(conf_args, i);
1533 argn = sk_OPENSSL_STRING_value(conf_args, i + 1);
1534 rv = SSL_CONF_cmd(c_cctx, arg, argn);
1535 /* If not recognised use server context */
1536 if (rv == -2)
1537 rv = SSL_CONF_cmd(s_cctx, arg, argn);
1538 if (rv <= 0)
1539 {
1540 BIO_printf(bio_err, "Error processing %s %s\n",
1541 arg, argn ? argn : "");
1542 ERR_print_errors(bio_err);
1543 goto end;
1544 }
1545 }
1546
1547 if (!SSL_CONF_CTX_finish(s_cctx) || !SSL_CONF_CTX_finish(c_cctx))
1548 {
1549 BIO_puts(bio_err, "Error finishing context\n");
1550 ERR_print_errors(bio_err);
1551 goto end;
1552 }
1553
bc36ee62 1554#ifndef OPENSSL_NO_DH
77fa04a9 1555 if (!no_dhe)
48c843c3 1556 {
e4589582 1557 if (dhe1024dsa)
48c843c3 1558 {
e4589582 1559 /* use SSL_OP_SINGLE_DH_USE to avoid small subgroup attacks */
77fa04a9 1560 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);
e4589582 1561 dh=get_dh1024dsa();
48c843c3 1562 }
e4589582
BM		 1563 else if (dhe1024)
1564 dh=get_dh1024();
77fa04a9 1565 else
77fa04a9
BM		 1566 dh=get_dh512();
1567 SSL_CTX_set_tmp_dh(s_ctx,dh);
1568 DH_free(dh);
1569 }
e4589582
BM		 1570#else
1571 (void)no_dhe;
58964a49
RE		 1572#endif
1573
ea262260
BM		 1574#ifndef OPENSSL_NO_ECDH
1575 if (!no_ecdhe)
1576 {
9dd84053
NL		 1577 int nid;
1578
1579 if (named_curve != NULL)
ea262260 1580 {
9dd84053
NL		 1581 nid = OBJ_sn2nid(named_curve);
1582 if (nid == 0)
1583 {
1584 BIO_printf(bio_err, "unknown curve name (%s)\n", named_curve);
1585 goto end;
ea262260 1586 }
9dd84053
NL		 1587 }
1588 else
b3310161
DSH		 1589#ifdef OPENSSL_NO_EC2M
1590 nid = NID_X9_62_prime256v1;
1591#else
9dd84053 1592 nid = NID_sect163r2;
b3310161 1593#endif
ea262260 1594
9dd84053
NL		 1595 ecdh = EC_KEY_new_by_curve_name(nid);
1596 if (ecdh == NULL)
1597 {
1598 BIO_printf(bio_err, "unable to create curve\n");
1599 goto end;
ea262260 1600 }
9dd84053
NL		 1601
1602 SSL_CTX_set_tmp_ecdh(s_ctx, ecdh);
1603 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_ECDH_USE);
1604 EC_KEY_free(ecdh);
ea262260
BM		 1605 }
1606#else
1607 (void)no_ecdhe;
1608#endif
1609
bc36ee62 1610#ifndef OPENSSL_NO_RSA
58964a49 1611 SSL_CTX_set_tmp_rsa_callback(s_ctx,tmp_rsa_cb);
d02b48c6
RE		 1612#endif
1613
761772d7
BM		 1614#ifdef TLSEXT_TYPE_opaque_prf_input
1615 SSL_CTX_set_tlsext_opaque_prf_input_callback(c_ctx, opaque_prf_input_cb);
1616 SSL_CTX_set_tlsext_opaque_prf_input_callback(s_ctx, opaque_prf_input_cb);
1617 SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(c_ctx, &co1); /* or &co2 or NULL */
1618 SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(s_ctx, &so1); /* or &so2 or NULL */
1619#endif
1620
d02b48c6
RE		 1621 if (!SSL_CTX_use_certificate_file(s_ctx,server_cert,SSL_FILETYPE_PEM))
1622 {
1623 ERR_print_errors(bio_err);
1624 }
65b002f3
BM		 1625 else if (!SSL_CTX_use_PrivateKey_file(s_ctx,
1626 (server_key?server_key:server_cert), SSL_FILETYPE_PEM))
d02b48c6
RE		 1627 {
1628 ERR_print_errors(bio_err);
1629 goto end;
1630 }
1631
1632 if (client_auth)
1633 {
1634 SSL_CTX_use_certificate_file(c_ctx,client_cert,
1635 SSL_FILETYPE_PEM);
65b002f3
BM		 1636 SSL_CTX_use_PrivateKey_file(c_ctx,
1637 (client_key?client_key:client_cert),
d02b48c6
RE		 1638 SSL_FILETYPE_PEM);
1639 }
1640
1641 if ( (!SSL_CTX_load_verify_locations(s_ctx,CAfile,CApath)) ||
1642 (!SSL_CTX_set_default_verify_paths(s_ctx)) ||
1643 (!SSL_CTX_load_verify_locations(c_ctx,CAfile,CApath)) ||
1644 (!SSL_CTX_set_default_verify_paths(c_ctx)))
1645 {
58964a49 1646 /* fprintf(stderr,"SSL_load_verify_locations\n"); */
d02b48c6 1647 ERR_print_errors(bio_err);
58964a49 1648 /* goto end; */
d02b48c6
RE		 1649 }
1650
1651 if (client_auth)
1652 {
53002dc6 1653 BIO_printf(bio_err,"client authentication\n");
d02b48c6
RE		 1654 SSL_CTX_set_verify(s_ctx,
1655 SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
1656 verify_callback);
a7201e9a 1657 SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, &app_verify_arg);
d02b48c6
RE		 1658 }
1659 if (server_auth)
1660 {
53002dc6 1661 BIO_printf(bio_err,"server authentication\n");
d02b48c6
RE		 1662 SSL_CTX_set_verify(c_ctx,SSL_VERIFY_PEER,
1663 verify_callback);
a7201e9a 1664 SSL_CTX_set_cert_verify_callback(c_ctx, app_verify_callback, &app_verify_arg);
d02b48c6 1665 }
b1fe6ca1
BM		 1666
1667 {
1668 int session_id_context = 0;
1669 SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context, sizeof session_id_context);
1670 }
d02b48c6 1671
ddac1974
NL		 1672 /* Use PSK only if PSK key is given */
1673 if (psk_key != NULL)
1674 {
1675 /* no_psk is used to avoid putting psk command to openssl tool */
1676 if (no_psk)
1677 {
1678 /* if PSK is not compiled in and psk key is
1679 * given, do nothing and exit successfully */
1680 ret=0;
1681 goto end;
1682 }
1683#ifndef OPENSSL_NO_PSK
1684 SSL_CTX_set_psk_client_callback(c_ctx, psk_client_callback);
1685 SSL_CTX_set_psk_server_callback(s_ctx, psk_server_callback);
1686 if (debug)
1687 BIO_printf(bio_err,"setting PSK identity hint to s_ctx\n");
1688 if (!SSL_CTX_use_psk_identity_hint(s_ctx, "ctx server identity_hint"))
1689 {
1690 BIO_printf(bio_err,"error setting PSK identity hint to s_ctx\n");
1691 ERR_print_errors(bio_err);
1692 goto end;
1693 }
1694#endif
1695 }
edc032b5
BL		 1696#ifndef OPENSSL_NO_SRP
1697 if (srp_client_arg.srplogin)
1698 {
f2fc3075 1699 if (!SSL_CTX_set_srp_username(c_ctx, srp_client_arg.srplogin))
edc032b5
BL		 1700 {
1701 BIO_printf(bio_err,"Unable to set SRP username\n");
1702 goto end;
1703 }
1704 SSL_CTX_set_srp_cb_arg(c_ctx,&srp_client_arg);
1705 SSL_CTX_set_srp_client_pwd_callback(c_ctx, ssl_give_srp_client_pwd_cb);
1706 /*SSL_CTX_set_srp_strength(c_ctx, srp_client_arg.strength);*/
1707 }
1708
1709 if (srp_server_arg.expected_user != NULL)
1710 {
1711 SSL_CTX_set_verify(s_ctx,SSL_VERIFY_NONE,verify_callback);
1712 SSL_CTX_set_srp_cb_arg(s_ctx, &srp_server_arg);
1713 SSL_CTX_set_srp_username_callback(s_ctx, ssl_srp_server_param_cb);
1714 }
1715#endif
ddac1974 1716
2911575c 1717#ifndef OPENSSL_NO_NEXTPROTONEG
d9a268b9
BL		 1718 if (npn_client)
1719 {
1720 SSL_CTX_set_next_proto_select_cb(c_ctx, cb_client_npn, NULL);
1721 }
1722 if (npn_server)
1723 {
1724 if (npn_server_reject)
1725 {
1726 BIO_printf(bio_err, "Can't have both -npn_server and -npn_server_reject\n");
1727 goto end;
1728 }
1729 SSL_CTX_set_next_protos_advertised_cb(s_ctx, cb_server_npn, NULL);
1730 }
1731 if (npn_server_reject)
1732 {
1733 SSL_CTX_set_next_protos_advertised_cb(s_ctx, cb_server_rejects_npn, NULL);
1734 }
1735#endif
1736
a398f821 1737 if (serverinfo_sct)
8cafe9e8 1738 SSL_CTX_add_client_custom_ext(c_ctx, SCT_EXT_TYPE,
0cfefe4b
DSH		 1739 NULL, NULL, NULL,
1740 serverinfo_cli_parse_cb, NULL);
a398f821 1741 if (serverinfo_tack)
8cafe9e8 1742 SSL_CTX_add_client_custom_ext(c_ctx, TACK_EXT_TYPE,
0cfefe4b
DSH		 1743 NULL, NULL, NULL,
1744 serverinfo_cli_parse_cb, NULL);
a398f821
T		 1745
1746 if (serverinfo_file)
1747 if (!SSL_CTX_use_serverinfo_file(s_ctx, serverinfo_file))
1748 {
1749 BIO_printf(bio_err, "missing serverinfo file\n");
1750 goto end;
1751 }
1752
9cd50f73
T		 1753 if (custom_ext)
1754 {
8cafe9e8 1755 SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_0,
0cfefe4b
DSH		 1756 custom_ext_0_cli_add_cb,
1757 NULL, NULL,
1758 custom_ext_0_cli_parse_cb, NULL);
8cafe9e8 1759 SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_1,
0cfefe4b
DSH		 1760 custom_ext_1_cli_add_cb,
1761 NULL, NULL,
1762 custom_ext_1_cli_parse_cb, NULL);
8cafe9e8 1763 SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_2,
0cfefe4b
DSH		 1764 custom_ext_2_cli_add_cb,
1765 NULL, NULL,
1766 custom_ext_2_cli_parse_cb, NULL);
8cafe9e8 1767 SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_3,
0cfefe4b
DSH		 1768 custom_ext_3_cli_add_cb,
1769 NULL, NULL,
1770 custom_ext_3_cli_parse_cb, NULL);
9cd50f73
T		 1771
1772
8cafe9e8 1773 SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_0,
0cfefe4b
DSH		 1774 custom_ext_0_srv_add_cb,
1775 NULL, NULL,
1776 custom_ext_0_srv_parse_cb, NULL);
8cafe9e8 1777 SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_1,
0cfefe4b
DSH		 1778 custom_ext_1_srv_add_cb,
1779 NULL, NULL,
1780 custom_ext_1_srv_parse_cb, NULL);
8cafe9e8 1781 SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_2,
0cfefe4b
DSH		 1782 custom_ext_2_srv_add_cb,
1783 NULL, NULL,
1784 custom_ext_2_srv_parse_cb, NULL);
8cafe9e8 1785 SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_3,
0cfefe4b
DSH		 1786 custom_ext_3_srv_add_cb,
1787 NULL, NULL,
1788 custom_ext_3_srv_parse_cb, NULL);
9cd50f73
T		 1789 }
1790
a8989362
AL		 1791 if (alpn_server)
1792 SSL_CTX_set_alpn_select_cb(s_ctx, cb_server_alpn, NULL);
1793
1794 if (alpn_client)
1795 {
1796 unsigned short alpn_len;
1797 unsigned char *alpn = next_protos_parse(&alpn_len, alpn_client);
1798
1799 if (alpn == NULL)
1800 {
1801 BIO_printf(bio_err, "Error parsing -alpn_client argument\n");
1802 goto end;
1803 }
1804 SSL_CTX_set_alpn_protos(c_ctx, alpn, alpn_len);
1805 OPENSSL_free(alpn);
1806 }
1807
58964a49
RE		 1808 c_ssl=SSL_new(c_ctx);
1809 s_ssl=SSL_new(s_ctx);
1810
bc36ee62 1811#ifndef OPENSSL_NO_KRB5
f9b3bff6
RL		 1812 if (c_ssl && c_ssl->kssl_ctx)
1813 {
54a656ef 1814 char localhost[MAXHOSTNAMELEN+2];
f9b3bff6 1815
54a656ef 1816 if (gethostname(localhost, sizeof localhost-1) == 0)
f9b3bff6 1817 {
54a656ef
BL		 1818 localhost[sizeof localhost-1]='\0';
1819 if(strlen(localhost) == sizeof localhost-1)
1820 {
1821 BIO_printf(bio_err,"localhost name too long\n");
31be2daa 1822 goto end;
54a656ef 1823 }
f9b3bff6
RL		 1824 kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER,
1825 localhost);
1826 }
1827 }
bc36ee62 1828#endif /* OPENSSL_NO_KRB5 */
f9b3bff6 1829
58964a49
RE		 1830 for (i=0; i<number; i++)
1831 {
1832 if (!reuse) SSL_set_session(c_ssl,NULL);
95d29597 1833 if (bio_pair)
563f1503 1834 ret=doit_biopair(s_ssl,c_ssl,bytes,&s_time,&c_time);
95d29597
BM		 1835 else
1836 ret=doit(s_ssl,c_ssl,bytes);
58964a49
RE		 1837 }
1838
1839 if (!verbose)
1840 {
563f1503 1841 print_details(c_ssl, "");
58964a49
RE		 1842 }
1843 if ((number > 1) || (bytes > 1L))
53002dc6 1844 BIO_printf(bio_stdout, "%d handshakes of %ld bytes done\n",number,bytes);
563f1503
BM		 1845 if (print_time)
1846 {
617d71bc
BM		 1847#ifdef CLOCKS_PER_SEC
1848 /* "To determine the time in seconds, the value returned
1849 * by the clock function should be divided by the value
1850 * of the macro CLOCKS_PER_SEC."
1851 * -- ISO/IEC 9899 */
563f1503
BM		 1852 BIO_printf(bio_stdout, "Approximate total server time: %6.2f s\n"
1853 "Approximate total client time: %6.2f s\n",
1854 (double)s_time/CLOCKS_PER_SEC,
1855 (double)c_time/CLOCKS_PER_SEC);
617d71bc 1856#else
617d71bc
BM		 1857 BIO_printf(bio_stdout,
1858 "Approximate total server time: %6.2f units\n"
1859 "Approximate total client time: %6.2f units\n",
1860 (double)s_time,
1861 (double)c_time);
1862#endif
563f1503 1863 }
58964a49
RE		 1864
1865 SSL_free(s_ssl);
1866 SSL_free(c_ssl);
1867
d02b48c6
RE		 1868end:
1869 if (s_ctx != NULL) SSL_CTX_free(s_ctx);
1870 if (c_ctx != NULL) SSL_CTX_free(c_ctx);
1871
de94222d
DSH		 1872 if (s_cctx)
1873 SSL_CONF_CTX_free(s_cctx);
1874 if (c_cctx)
1875 SSL_CONF_CTX_free(c_cctx);
1876 sk_OPENSSL_STRING_free(conf_args);
1877
d02b48c6
RE		 1878 if (bio_stdout != NULL) BIO_free(bio_stdout);
1879
bc36ee62 1880#ifndef OPENSSL_NO_RSA
46b3bd54
BM		 1881 free_tmp_rsa();
1882#endif
0b13e9f0 1883#ifndef OPENSSL_NO_ENGINE
b8e2f83a 1884 ENGINE_cleanup();
0b13e9f0 1885#endif
79aa04ef 1886 CRYPTO_cleanup_all_ex_data();
dfeab068 1887 ERR_free_strings();
4c329696 1888 ERR_remove_thread_state(NULL);
d02b48c6
RE		 1889 EVP_cleanup();
1890 CRYPTO_mem_leaks(bio_err);
79875776 1891 if (bio_err != NULL) BIO_free(bio_err);
d02b48c6 1892 EXIT(ret);
19bd66fe 1893 return ret;
d02b48c6
RE		 1894 }
1895
563f1503
BM		 1896int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count,
1897 clock_t *s_time, clock_t *c_time)
95d29597
BM		 1898 {
1899 long cw_num = count, cr_num = count, sw_num = count, sr_num = count;
1900 BIO *s_ssl_bio = NULL, *c_ssl_bio = NULL;
1901 BIO *server = NULL, *server_io = NULL, *client = NULL, *client_io = NULL;
95d29597
BM		 1902 int ret = 1;
1903
1904 size_t bufsiz = 256; /* small buffer for testing */
1905
1906 if (!BIO_new_bio_pair(&server, bufsiz, &server_io, bufsiz))
1907 goto err;
1908 if (!BIO_new_bio_pair(&client, bufsiz, &client_io, bufsiz))
1909 goto err;
1910
1911 s_ssl_bio = BIO_new(BIO_f_ssl());
1912 if (!s_ssl_bio)
1913 goto err;
1914
1915 c_ssl_bio = BIO_new(BIO_f_ssl());
1916 if (!c_ssl_bio)
1917 goto err;
1918
1919 SSL_set_connect_state(c_ssl);
1920 SSL_set_bio(c_ssl, client, client);
1921 (void)BIO_set_ssl(c_ssl_bio, c_ssl, BIO_NOCLOSE);
1922
1923 SSL_set_accept_state(s_ssl);
1924 SSL_set_bio(s_ssl, server, server);
1925 (void)BIO_set_ssl(s_ssl_bio, s_ssl, BIO_NOCLOSE);
1926
1927 do
1928 {
1d97c843
TH		 1929 /*-
1930 * c_ssl_bio: SSL filter BIO
95d29597
BM		 1931 *
1932 * client: pseudo-I/O for SSL library
1933 *
1934 * client_io: client's SSL communication; usually to be
1935 * relayed over some I/O facility, but in this
1936 * test program, we're the server, too:
1937 *
1938 * server_io: server's SSL communication
1939 *
1940 * server: pseudo-I/O for SSL library
1941 *
1942 * s_ssl_bio: SSL filter BIO
1943 *
1944 * The client and the server each employ a "BIO pair":
1945 * client + client_io, server + server_io.
1946 * BIO pairs are symmetric. A BIO pair behaves similar
1947 * to a non-blocking socketpair (but both endpoints must
1948 * be handled by the same thread).
7eea36bb
BM		 1949 * [Here we could connect client and server to the ends
1950 * of a single BIO pair, but then this code would be less
1951 * suitable as an example for BIO pairs in general.]
95d29597
BM		 1952 *
1953 * Useful functions for querying the state of BIO pair endpoints:
1954 *
1955 * BIO_ctrl_pending(bio) number of bytes we can read now
f50c0497 1956 * BIO_ctrl_get_read_request(bio) number of bytes needed to fulfil
95d29597 1957 * other side's read attempt
657e60fa 1958 * BIO_ctrl_get_write_guarantee(bio) number of bytes we can write now
95d29597
BM		 1959 *
1960 * ..._read_request is never more than ..._write_guarantee;
1961 * it depends on the application which one you should use.
1962 */
1963
1964 /* We have non-blocking behaviour throughout this test program, but
1965 * can be sure that there is *some* progress in each iteration; so
1966 * we don't have to worry about ..._SHOULD_READ or ..._SHOULD_WRITE
1967 * -- we just try everything in each iteration
1968 */
1969
1970 {
1971 /* CLIENT */
1972
1973 MS_STATIC char cbuf[1024*8];
1974 int i, r;
563f1503 1975 clock_t c_clock = clock();
95d29597 1976
896e4fef
BM		 1977 memset(cbuf, 0, sizeof(cbuf));
1978
95d29597
BM		 1979 if (debug)
1980 if (SSL_in_init(c_ssl))
1981 printf("client waiting in SSL_connect - %s\n",
1982 SSL_state_string_long(c_ssl));
1983
1984 if (cw_num > 0)
1985 {
1986 /* Write to server. */
1987
1988 if (cw_num > (long)sizeof cbuf)
1989 i = sizeof cbuf;
1990 else
1991 i = (int)cw_num;
1992 r = BIO_write(c_ssl_bio, cbuf, i);
29159a42 1993 if (r < 0)
95d29597
BM		 1994 {
1995 if (!BIO_should_retry(c_ssl_bio))
1996 {
1997 fprintf(stderr,"ERROR in CLIENT\n");
1998 goto err;
1999 }
2000 /* BIO_should_retry(...) can just be ignored here.
2001 * The library expects us to call BIO_write with
2002 * the same arguments again, and that's what we will
2003 * do in the next iteration. */
2004 }
2005 else if (r == 0)
2006 {
2007 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
2008 goto err;
2009 }
2010 else
2011 {
2012 if (debug)
2013 printf("client wrote %d\n", r);
2014 cw_num -= r;
2015 }
2016 }
2017
2018 if (cr_num > 0)
2019 {
2020 /* Read from server. */
2021
2022 r = BIO_read(c_ssl_bio, cbuf, sizeof(cbuf));
2023 if (r < 0)
2024 {
2025 if (!BIO_should_retry(c_ssl_bio))
2026 {
2027 fprintf(stderr,"ERROR in CLIENT\n");
2028 goto err;
2029 }
2030 /* Again, "BIO_should_retry" can be ignored. */
2031 }
2032 else if (r == 0)
2033 {
2034 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
2035 goto err;
2036 }
2037 else
2038 {
2039 if (debug)
2040 printf("client read %d\n", r);
2041 cr_num -= r;
2042 }
2043 }
563f1503
BM		 2044
2045 /* c_time and s_time increments will typically be very small
2046 * (depending on machine speed and clock tick intervals),
2047 * but sampling over a large number of connections should
2048 * result in fairly accurate figures. We cannot guarantee
2049 * a lot, however -- if each connection lasts for exactly
2050 * one clock tick, it will be counted only for the client
2051 * or only for the server or even not at all.
2052 */
2053 *c_time += (clock() - c_clock);
95d29597
BM		 2054 }
2055
2056 {
2057 /* SERVER */
2058
2059 MS_STATIC char sbuf[1024*8];
2060 int i, r;
563f1503 2061 clock_t s_clock = clock();
95d29597 2062
896e4fef
BM		 2063 memset(sbuf, 0, sizeof(sbuf));
2064
95d29597
BM		 2065 if (debug)
2066 if (SSL_in_init(s_ssl))
2067 printf("server waiting in SSL_accept - %s\n",
2068 SSL_state_string_long(s_ssl));
2069
2070 if (sw_num > 0)
2071 {
2072 /* Write to client. */
2073
2074 if (sw_num > (long)sizeof sbuf)
2075 i = sizeof sbuf;
2076 else
2077 i = (int)sw_num;
2078 r = BIO_write(s_ssl_bio, sbuf, i);
29159a42 2079 if (r < 0)
95d29597
BM		 2080 {
2081 if (!BIO_should_retry(s_ssl_bio))
2082 {
2083 fprintf(stderr,"ERROR in SERVER\n");
2084 goto err;
2085 }
2086 /* Ignore "BIO_should_retry". */
2087 }
2088 else if (r == 0)
2089 {
2090 fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
2091 goto err;
2092 }
2093 else
2094 {
2095 if (debug)
2096 printf("server wrote %d\n", r);
2097 sw_num -= r;
2098 }
2099 }
2100
2101 if (sr_num > 0)
2102 {
2103 /* Read from client. */
2104
2105 r = BIO_read(s_ssl_bio, sbuf, sizeof(sbuf));
2106 if (r < 0)
2107 {
2108 if (!BIO_should_retry(s_ssl_bio))
2109 {
2110 fprintf(stderr,"ERROR in SERVER\n");
2111 goto err;
2112 }
2113 /* blah, blah */
2114 }
2115 else if (r == 0)
2116 {
2117 fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
2118 goto err;
2119 }
2120 else
2121 {
2122 if (debug)
2123 printf("server read %d\n", r);
2124 sr_num -= r;
2125 }
2126 }
563f1503
BM		 2127
2128 *s_time += (clock() - s_clock);
95d29597
BM		 2129 }
2130
2131 {
2132 /* "I/O" BETWEEN CLIENT AND SERVER. */
2133
95d29597 2134 size_t r1, r2;
6f7af152
BM		 2135 BIO *io1 = server_io, *io2 = client_io;
2136 /* we use the non-copying interface for io1
2137 * and the standard BIO_write/BIO_read interface for io2
2138 */
2139
95d29597
BM		 2140 static int prev_progress = 1;
2141 int progress = 0;
2142
6f7af152 2143 /* io1 to io2 */
95d29597
BM		 2144 do
2145 {
6f7af152 2146 size_t num;
b52f3818 2147 int r;
6f7af152
BM		 2148
2149 r1 = BIO_ctrl_pending(io1);
2150 r2 = BIO_ctrl_get_write_guarantee(io2);
95d29597
BM		 2151
2152 num = r1;
2153 if (r2 < num)
2154 num = r2;
2155 if (num)
2156 {
6f7af152
BM		 2157 char *dataptr;
2158
95d29597
BM		 2159 if (INT_MAX < num) /* yeah, right */
2160 num = INT_MAX;
2161
6f7af152
BM		 2162 r = BIO_nread(io1, &dataptr, (int)num);
2163 assert(r > 0);
2164 assert(r <= (int)num);
2165 /* possibly r < num (non-contiguous data) */
2166 num = r;
2167 r = BIO_write(io2, dataptr, (int)num);
95d29597
BM		 2168 if (r != (int)num) /* can't happen */
2169 {
2170 fprintf(stderr, "ERROR: BIO_write could not write "
2171 "BIO_ctrl_get_write_guarantee() bytes");
2172 goto err;
2173 }
2174 progress = 1;
2175
2176 if (debug)
6f7af152
BM		 2177 printf((io1 == client_io) ?
2178 "C->S relaying: %d bytes\n" :
2179 "S->C relaying: %d bytes\n",
2180 (int)num);
95d29597
BM		 2181 }
2182 }
2183 while (r1 && r2);
2184
6f7af152
BM		 2185 /* io2 to io1 */
2186 {
2187 size_t num;
2188 int r;
2189
2190 r1 = BIO_ctrl_pending(io2);
2191 r2 = BIO_ctrl_get_read_request(io1);
2192 /* here we could use ..._get_write_guarantee instead of
2193 * ..._get_read_request, but by using the latter
2194 * we test restartability of the SSL implementation
2195 * more thoroughly */
95d29597
BM		 2196 num = r1;
2197 if (r2 < num)
2198 num = r2;
2199 if (num)
2200 {
6f7af152
BM		 2201 char *dataptr;
2202
95d29597
BM		 2203 if (INT_MAX < num)
2204 num = INT_MAX;
6f7af152
BM		 2205
2206 if (num > 1)
cb0369d8 2207 --num; /* test restartability even more thoroughly */
95d29597 2208
234c7376 2209 r = BIO_nwrite0(io1, &dataptr);
6f7af152 2210 assert(r > 0);
cc129755 2211 if (r < (int)num)
234c7376 2212 num = r;
6f7af152 2213 r = BIO_read(io2, dataptr, (int)num);
95d29597
BM		 2214 if (r != (int)num) /* can't happen */
2215 {
2216 fprintf(stderr, "ERROR: BIO_read could not read "
2217 "BIO_ctrl_pending() bytes");
2218 goto err;
2219 }
95d29597 2220 progress = 1;
234c7376
BM		 2221 r = BIO_nwrite(io1, &dataptr, (int)num);
2222 if (r != (int)num) /* can't happen */
2223 {
2224 fprintf(stderr, "ERROR: BIO_nwrite() did not accept "
2225 "BIO_nwrite0() bytes");
2226 goto err;
2227 }
6f7af152 2228
95d29597 2229 if (debug)
6f7af152
BM		 2230 printf((io2 == client_io) ?
2231 "C->S relaying: %d bytes\n" :
2232 "S->C relaying: %d bytes\n",
2233 (int)num);
95d29597 2234 }
6f7af152 2235 } /* no loop, BIO_ctrl_get_read_request now returns 0 anyway */
95d29597
BM		 2236
2237 if (!progress && !prev_progress)
2238 if (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0)
95d29597
BM		 2239 {
2240 fprintf(stderr, "ERROR: got stuck\n");
d7fcc7f6 2241 fprintf(stderr, " ERROR.\n");
95d29597
BM		 2242 goto err;
2243 }
2244 prev_progress = progress;
2245 }
2246 }
2247 while (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0);
2248
95d29597 2249 if (verbose)
563f1503 2250 print_details(c_ssl, "DONE via BIO pair: ");
2911575c 2251#ifndef OPENSSL_NO_NEXTPROTONEG
d9a268b9
BL		 2252 if (verify_npn(c_ssl, s_ssl) < 0)
2253 {
2254 ret = 1;
2255 goto end;
2256 }
2257#endif
a398f821
T		 2258 if (verify_serverinfo() < 0)
2259 {
06f5d12f 2260 fprintf(stderr, "Server info verify error\n");
a398f821
T		 2261 ret = 1;
2262 goto err;
2263 }
a8989362
AL		 2264 if (verify_alpn(c_ssl, s_ssl) < 0)
2265 {
2266 ret = 1;
2267 goto err;
2268 }
a398f821 2269
9cd50f73
T		 2270 if (custom_ext_error)
2271 {
06f5d12f 2272 fprintf(stderr, "Custom extension error\n");
9cd50f73
T		 2273 ret = 1;
2274 goto err;
2275 }
2276
563f1503 2277end:
95d29597
BM		 2278 ret = 0;
2279
2280 err:
2281 ERR_print_errors(bio_err);
2282
2283 if (server)
2284 BIO_free(server);
2285 if (server_io)
2286 BIO_free(server_io);
2287 if (client)
2288 BIO_free(client);
2289 if (client_io)
2290 BIO_free(client_io);
2291 if (s_ssl_bio)
2292 BIO_free(s_ssl_bio);
2293 if (c_ssl_bio)
2294 BIO_free(c_ssl_bio);
2295
2296 return ret;
2297 }
2298
2299
d02b48c6
RE		 2300#define W_READ 1
2301#define W_WRITE 2
2302#define C_DONE 1
2303#define S_DONE 2
2304
6b691a5c 2305int doit(SSL *s_ssl, SSL *c_ssl, long count)
d02b48c6 2306 {
77a27a50
AP		 2307 char *cbuf=NULL,*sbuf=NULL;
2308 long bufsiz;
58964a49
RE		 2309 long cw_num=count,cr_num=count;
2310 long sw_num=count,sr_num=count;
d02b48c6 2311 int ret=1;
d02b48c6
RE		 2312 BIO *c_to_s=NULL;
2313 BIO *s_to_c=NULL;
2314 BIO *c_bio=NULL;
2315 BIO *s_bio=NULL;
2316 int c_r,c_w,s_r,s_w;
58964a49 2317 int i,j;
d02b48c6
RE		 2318 int done=0;
2319 int c_write,s_write;
2320 int do_server=0,do_client=0;
77a27a50 2321 int max_frag = 5*1024;
d02b48c6 2322
77a27a50
AP		 2323 bufsiz = count>40*1024 ? 40*1024 : count;
2324
2325 if ((cbuf = OPENSSL_malloc(bufsiz))==NULL) goto err;
2326 if ((sbuf = OPENSSL_malloc(bufsiz))==NULL) goto err;
2327
2328 memset(cbuf,0,bufsiz);
2329 memset(sbuf,0,bufsiz);
896e4fef 2330
d02b48c6
RE		 2331 c_to_s=BIO_new(BIO_s_mem());
2332 s_to_c=BIO_new(BIO_s_mem());
2333 if ((s_to_c == NULL) || (c_to_s == NULL))
2334 {
2335 ERR_print_errors(bio_err);
2336 goto err;
2337 }
2338
2339 c_bio=BIO_new(BIO_f_ssl());
2340 s_bio=BIO_new(BIO_f_ssl());
2341 if ((c_bio == NULL) || (s_bio == NULL))
2342 {
2343 ERR_print_errors(bio_err);
2344 goto err;
2345 }
2346
2347 SSL_set_connect_state(c_ssl);
2348 SSL_set_bio(c_ssl,s_to_c,c_to_s);
77a27a50 2349 SSL_set_max_send_fragment(c_ssl,max_frag);
58964a49 2350 BIO_set_ssl(c_bio,c_ssl,BIO_NOCLOSE);
d02b48c6
RE		 2351
2352 SSL_set_accept_state(s_ssl);
2353 SSL_set_bio(s_ssl,c_to_s,s_to_c);
77a27a50 2354 SSL_set_max_send_fragment(s_ssl,max_frag);
58964a49 2355 BIO_set_ssl(s_bio,s_ssl,BIO_NOCLOSE);
d02b48c6
RE		 2356
2357 c_r=0; s_r=1;
2358 c_w=1; s_w=0;
d02b48c6
RE		 2359 c_write=1,s_write=0;
2360
2361 /* We can always do writes */
2362 for (;;)
2363 {
2364 do_server=0;
2365 do_client=0;
2366
2367 i=(int)BIO_pending(s_bio);
2368 if ((i && s_r) || s_w) do_server=1;
2369
2370 i=(int)BIO_pending(c_bio);
2371 if ((i && c_r) || c_w) do_client=1;
2372
58964a49 2373 if (do_server && debug)
d02b48c6
RE		 2374 {
2375 if (SSL_in_init(s_ssl))
2376 printf("server waiting in SSL_accept - %s\n",
2377 SSL_state_string_long(s_ssl));
3a83462d
MC		 2378/*-
2379 else if (s_write)
d02b48c6 2380 printf("server:SSL_write()\n");
58964a49
RE		 2381 else
2382 printf("server:SSL_read()\n"); */
d02b48c6
RE		 2383 }
2384
58964a49 2385 if (do_client && debug)
d02b48c6
RE		 2386 {
2387 if (SSL_in_init(c_ssl))
2388 printf("client waiting in SSL_connect - %s\n",
2389 SSL_state_string_long(c_ssl));
3a83462d
MC		 2390/*-
2391 else if (c_write)
d02b48c6
RE		 2392 printf("client:SSL_write()\n");
2393 else
58964a49 2394 printf("client:SSL_read()\n"); */
d02b48c6
RE		 2395 }
2396
2397 if (!do_client && !do_server)
2398 {
2399 fprintf(stdout,"ERROR IN STARTUP\n");
2400 ERR_print_errors(bio_err);
2401 break;
2402 }
2403 if (do_client && !(done & C_DONE))
2404 {
2405 if (c_write)
2406 {
77a27a50
AP		 2407 j = (cw_num > bufsiz) ?
2408 (int)bufsiz : (int)cw_num;
58964a49 2409 i=BIO_write(c_bio,cbuf,j);
d02b48c6
RE		 2410 if (i < 0)
2411 {
2412 c_r=0;
2413 c_w=0;
2414 if (BIO_should_retry(c_bio))
2415 {
2416 if (BIO_should_read(c_bio))
2417 c_r=1;
2418 if (BIO_should_write(c_bio))
2419 c_w=1;
2420 }
2421 else
2422 {
2423 fprintf(stderr,"ERROR in CLIENT\n");
2424 ERR_print_errors(bio_err);
2425 goto err;
2426 }
2427 }
2428 else if (i == 0)
2429 {
2430 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
2431 goto err;
2432 }
2433 else
2434 {
58964a49
RE		 2435 if (debug)
2436 printf("client wrote %d\n",i);
d02b48c6 2437 /* ok */
58964a49 2438 s_r=1;
d02b48c6 2439 c_write=0;
58964a49 2440 cw_num-=i;
77a27a50
AP		 2441 if (max_frag>1029)
2442 SSL_set_max_send_fragment(c_ssl,max_frag-=5);
d02b48c6
RE		 2443 }
2444 }
2445 else
2446 {
77a27a50 2447 i=BIO_read(c_bio,cbuf,bufsiz);
d02b48c6
RE		 2448 if (i < 0)
2449 {
2450 c_r=0;
2451 c_w=0;
2452 if (BIO_should_retry(c_bio))
2453 {
2454 if (BIO_should_read(c_bio))
2455 c_r=1;
2456 if (BIO_should_write(c_bio))
2457 c_w=1;
2458 }
2459 else
2460 {
2461 fprintf(stderr,"ERROR in CLIENT\n");
2462 ERR_print_errors(bio_err);
2463 goto err;
2464 }
2465 }
2466 else if (i == 0)
2467 {
2468 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
2469 goto err;
2470 }
2471 else
2472 {
58964a49
RE		 2473 if (debug)
2474 printf("client read %d\n",i);
2475 cr_num-=i;
2476 if (sw_num > 0)
2477 {
2478 s_write=1;
2479 s_w=1;
2480 }
2481 if (cr_num <= 0)
2482 {
2483 s_write=1;
2484 s_w=1;
2485 done=S_DONE|C_DONE;
2486 }
d02b48c6
RE		 2487 }
2488 }
2489 }
2490
2491 if (do_server && !(done & S_DONE))
2492 {
2493 if (!s_write)
2494 {
77a27a50 2495 i=BIO_read(s_bio,sbuf,bufsiz);
d02b48c6
RE		 2496 if (i < 0)
2497 {
2498 s_r=0;
2499 s_w=0;
2500 if (BIO_should_retry(s_bio))
2501 {
2502 if (BIO_should_read(s_bio))
2503 s_r=1;
2504 if (BIO_should_write(s_bio))
2505 s_w=1;
2506 }
2507 else
2508 {
2509 fprintf(stderr,"ERROR in SERVER\n");
2510 ERR_print_errors(bio_err);
2511 goto err;
2512 }
2513 }
2514 else if (i == 0)
2515 {
2516 ERR_print_errors(bio_err);
2517 fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_read\n");
2518 goto err;
2519 }
2520 else
2521 {
58964a49
RE		 2522 if (debug)
2523 printf("server read %d\n",i);
2524 sr_num-=i;
2525 if (cw_num > 0)
2526 {
2527 c_write=1;
2528 c_w=1;
2529 }
2530 if (sr_num <= 0)
2531 {
2532 s_write=1;
2533 s_w=1;
2534 c_write=0;
2535 }
d02b48c6
RE		 2536 }
2537 }
2538 else
2539 {
77a27a50
AP		 2540 j = (sw_num > bufsiz) ?
2541 (int)bufsiz : (int)sw_num;
58964a49 2542 i=BIO_write(s_bio,sbuf,j);
d02b48c6
RE		 2543 if (i < 0)
2544 {
2545 s_r=0;
2546 s_w=0;
2547 if (BIO_should_retry(s_bio))
2548 {
2549 if (BIO_should_read(s_bio))
2550 s_r=1;
2551 if (BIO_should_write(s_bio))
2552 s_w=1;
2553 }
2554 else
2555 {
2556 fprintf(stderr,"ERROR in SERVER\n");
2557 ERR_print_errors(bio_err);
2558 goto err;
2559 }
2560 }
2561 else if (i == 0)
2562 {
2563 ERR_print_errors(bio_err);
2564 fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_write\n");
2565 goto err;
2566 }
2567 else
2568 {
58964a49
RE		 2569 if (debug)
2570 printf("server wrote %d\n",i);
2571 sw_num-=i;
d02b48c6 2572 s_write=0;
58964a49
RE		 2573 c_r=1;
2574 if (sw_num <= 0)
2575 done|=S_DONE;
77a27a50
AP		 2576 if (max_frag>1029)
2577 SSL_set_max_send_fragment(s_ssl,max_frag-=5);
d02b48c6
RE		 2578 }
2579 }
2580 }
2581
2582 if ((done & S_DONE) && (done & C_DONE)) break;
2583 }
2584
58964a49 2585 if (verbose)
563f1503 2586 print_details(c_ssl, "DONE: ");
2911575c 2587#ifndef OPENSSL_NO_NEXTPROTONEG
d9a268b9
BL		 2588 if (verify_npn(c_ssl, s_ssl) < 0)
2589 {
2590 ret = 1;
2591 goto err;
2592 }
2593#endif
a398f821
T		 2594 if (verify_serverinfo() < 0)
2595 {
06f5d12f 2596 fprintf(stderr, "Server info verify error\n");
a398f821
T		 2597 ret = 1;
2598 goto err;
2599 }
9cd50f73
T		 2600 if (custom_ext_error)
2601 {
06f5d12f 2602 fprintf(stderr, "Custom extension error\n");
9cd50f73
T		 2603 ret = 1;
2604 goto err;
2605 }
d02b48c6
RE		 2606 ret=0;
2607err:
2608 /* We have to set the BIO's to NULL otherwise they will be
26a3a48d 2609 * OPENSSL_free()ed twice. Once when th s_ssl is SSL_free()ed and
d02b48c6
RE		 2610 * again when c_ssl is SSL_free()ed.
2611 * This is a hack required because s_ssl and c_ssl are sharing the same
2612 * BIO structure and SSL_set_bio() and SSL_free() automatically
2613 * BIO_free non NULL entries.
2614 * You should not normally do this or be required to do this */
2615 if (s_ssl != NULL)
2616 {
2617 s_ssl->rbio=NULL;
2618 s_ssl->wbio=NULL;
2619 }
2620 if (c_ssl != NULL)
2621 {
2622 c_ssl->rbio=NULL;
2623 c_ssl->wbio=NULL;
2624 }
2625
2626 if (c_to_s != NULL) BIO_free(c_to_s);
2627 if (s_to_c != NULL) BIO_free(s_to_c);
58964a49
RE		 2628 if (c_bio != NULL) BIO_free_all(c_bio);
2629 if (s_bio != NULL) BIO_free_all(s_bio);
77a27a50
AP		 2630
2631 if (cbuf) OPENSSL_free(cbuf);
2632 if (sbuf) OPENSSL_free(sbuf);
2633
d02b48c6
RE		 2634 return(ret);
2635 }
2636
a7201e9a
RL		 2637static int get_proxy_auth_ex_data_idx(void)
2638 {
2639 static volatile int idx = -1;
2640 if (idx < 0)
2641 {
2642 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
2643 if (idx < 0)
2644 {
2645 idx = X509_STORE_CTX_get_ex_new_index(0,
2646 "SSLtest for verify callback", NULL,NULL,NULL);
2647 }
2648 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
2649 }
2650 return idx;
2651 }
2652
6d23cf97 2653static int verify_callback(int ok, X509_STORE_CTX *ctx)
d02b48c6
RE		 2654 {
2655 char *s,buf[256];
2656
54a656ef
BL		 2657 s=X509_NAME_oneline(X509_get_subject_name(ctx->current_cert),buf,
2658 sizeof buf);
d02b48c6
RE		 2659 if (s != NULL)
2660 {
2661 if (ok)
a7201e9a
RL		 2662 fprintf(stderr,"depth=%d %s\n",
2663 ctx->error_depth,buf);
d02b48c6 2664 else
d9bfe4f9 2665 {
d02b48c6
RE		 2666 fprintf(stderr,"depth=%d error=%d %s\n",
2667 ctx->error_depth,ctx->error,buf);
d9bfe4f9 2668 }
d02b48c6
RE		 2669 }
2670
2671 if (ok == 0)
2672 {
d9bfe4f9
RL		 2673 fprintf(stderr,"Error string: %s\n",
2674 X509_verify_cert_error_string(ctx->error));
d02b48c6
RE		 2675 switch (ctx->error)
2676 {
2677 case X509_V_ERR_CERT_NOT_YET_VALID:
2678 case X509_V_ERR_CERT_HAS_EXPIRED:
2679 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
d9bfe4f9 2680 fprintf(stderr," ... ignored.\n");
d02b48c6
RE		 2681 ok=1;
2682 }
2683 }
2684
a7201e9a
RL		 2685 if (ok == 1)
2686 {
2687 X509 *xs = ctx->current_cert;
2688#if 0
2689 X509 *xi = ctx->current_issuer;
2690#endif
2691
2692 if (xs->ex_flags & EXFLAG_PROXY)
2693 {
2694 unsigned int *letters =
2695 X509_STORE_CTX_get_ex_data(ctx,
2696 get_proxy_auth_ex_data_idx());
2697
2698 if (letters)
2699 {
2700 int found_any = 0;
2701 int i;
2702 PROXY_CERT_INFO_EXTENSION *pci =
2703 X509_get_ext_d2i(xs, NID_proxyCertInfo,
2704 NULL, NULL);
2705
2706 switch (OBJ_obj2nid(pci->proxyPolicy->policyLanguage))
2707 {
2708 case NID_Independent:
2709 /* Completely meaningless in this
2710 program, as there's no way to
2711 grant explicit rights to a
2712 specific PrC. Basically, using
2713 id-ppl-Independent is the perfect
2714 way to grant no rights at all. */
2715 fprintf(stderr, " Independent proxy certificate");
2716 for (i = 0; i < 26; i++)
2717 letters[i] = 0;
2718 break;
2719 case NID_id_ppl_inheritAll:
2720 /* This is basically a NOP, we
2721 simply let the current rights
2722 stand as they are. */
2723 fprintf(stderr, " Proxy certificate inherits all");
2724 break;
2725 default:
2726 s = (char *)
2727 pci->proxyPolicy->policy->data;
2728 i = pci->proxyPolicy->policy->length;
2729
2730 /* The algorithm works as follows:
2731 it is assumed that previous
2732 iterations or the initial granted
2733 rights has already set some elements
2734 of `letters'. What we need to do is
2735 to clear those that weren't granted
2736 by the current PrC as well. The
2737 easiest way to do this is to add 1
2738 to all the elements whose letters
2739 are given with the current policy.
2740 That way, all elements that are set
2741 by the current policy and were
2742 already set by earlier policies and
2743 through the original grant of rights
2744 will get the value 2 or higher.
2745 The last thing to do is to sweep
2746 through `letters' and keep the
2747 elements having the value 2 as set,
2748 and clear all the others. */
2749
2750 fprintf(stderr, " Certificate proxy rights = %*.*s", i, i, s);
2751 while(i-- > 0)
2752 {
a51a9726 2753 int c = *s++;
a7201e9a
RL		 2754 if (isascii(c) && isalpha(c))
2755 {
2756 if (islower(c))
2757 c = toupper(c);
2758 letters[c - 'A']++;
2759 }
2760 }
2761 for (i = 0; i < 26; i++)
2762 if (letters[i] < 2)
2763 letters[i] = 0;
2764 else
2765 letters[i] = 1;
2766 }
2767
2768 found_any = 0;
2769 fprintf(stderr,
2770 ", resulting proxy rights = ");
2771 for(i = 0; i < 26; i++)
2772 if (letters[i])
2773 {
2774 fprintf(stderr, "%c", i + 'A');
2775 found_any = 1;
2776 }
2777 if (!found_any)
2778 fprintf(stderr, "none");
2779 fprintf(stderr, "\n");
2780
2781 PROXY_CERT_INFO_EXTENSION_free(pci);
2782 }
2783 }
2784 }
2785
d02b48c6
RE		 2786 return(ok);
2787 }
2788
a7201e9a
RL		 2789static void process_proxy_debug(int indent, const char *format, ...)
2790 {
2791 static const char indentation[] =
2792 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
2793 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"; /* That's 80 > */
2794 char my_format[256];
2795 va_list args;
2796
2797 BIO_snprintf(my_format, sizeof(my_format), "%*.*s %s",
2798 indent, indent, indentation, format);
2799
2800 va_start(args, format);
2801 vfprintf(stderr, my_format, args);
2802 va_end(args);
2803 }
1d97c843
TH		 2804/*-
2805 * Priority levels:
2806 * 0 [!]var, ()
2807 * 1 & ^
2808 * 2 |
2809 */
a7201e9a
RL		 2810static int process_proxy_cond_adders(unsigned int letters[26],
2811 const char *cond, const char **cond_end, int *pos, int indent);
2812static int process_proxy_cond_val(unsigned int letters[26],
2813 const char *cond, const char **cond_end, int *pos, int indent)
2814 {
a51a9726 2815 int c;
a7201e9a
RL		 2816 int ok = 1;
2817 int negate = 0;
2818
a51a9726 2819 while(isspace((int)*cond))
a7201e9a
RL		 2820 {
2821 cond++; (*pos)++;
2822 }
2823 c = *cond;
2824
2825 if (debug)
2826 process_proxy_debug(indent,
2827 "Start process_proxy_cond_val at position %d: %s\n",
2828 *pos, cond);
2829
2830 while(c == '!')
2831 {
2832 negate = !negate;
2833 cond++; (*pos)++;
a51a9726 2834 while(isspace((int)*cond))
a7201e9a
RL		 2835 {
2836 cond++; (*pos)++;
2837 }
2838 c = *cond;
2839 }
2840
2841 if (c == '(')
2842 {
2843 cond++; (*pos)++;
2844 ok = process_proxy_cond_adders(letters, cond, cond_end, pos,
2845 indent + 1);
2846 cond = *cond_end;
2847 if (ok < 0)
2848 goto end;
a51a9726 2849 while(isspace((int)*cond))
a7201e9a
RL		 2850 {
2851 cond++; (*pos)++;
2852 }
2853 c = *cond;
2854 if (c != ')')
2855 {
2856 fprintf(stderr,
2857 "Weird condition character in position %d: "
2858 "%c\n", *pos, c);
2859 ok = -1;
2860 goto end;
2861 }
2862 cond++; (*pos)++;
2863 }
2864 else if (isascii(c) && isalpha(c))
2865 {
2866 if (islower(c))
2867 c = toupper(c);
2868 ok = letters[c - 'A'];
2869 cond++; (*pos)++;
2870 }
2871 else
2872 {
2873 fprintf(stderr,
2874 "Weird condition character in position %d: "
2875 "%c\n", *pos, c);
2876 ok = -1;
2877 goto end;
2878 }
2879 end:
2880 *cond_end = cond;
2881 if (ok >= 0 && negate)
2882 ok = !ok;
2883
2884 if (debug)
2885 process_proxy_debug(indent,
2886 "End process_proxy_cond_val at position %d: %s, returning %d\n",
2887 *pos, cond, ok);
2888
2889 return ok;
2890 }
2891static int process_proxy_cond_multipliers(unsigned int letters[26],
2892 const char *cond, const char **cond_end, int *pos, int indent)
2893 {
2894 int ok;
2895 char c;
2896
2897 if (debug)
2898 process_proxy_debug(indent,
2899 "Start process_proxy_cond_multipliers at position %d: %s\n",
2900 *pos, cond);
2901
2902 ok = process_proxy_cond_val(letters, cond, cond_end, pos, indent + 1);
2903 cond = *cond_end;
2904 if (ok < 0)
2905 goto end;
2906
2907 while(ok >= 0)
2908 {
a51a9726 2909 while(isspace((int)*cond))
a7201e9a
RL		 2910 {
2911 cond++; (*pos)++;
2912 }
2913 c = *cond;
2914
2915 switch(c)
2916 {
2917 case '&':
2918 case '^':
2919 {
2920 int save_ok = ok;
2921
2922 cond++; (*pos)++;
2923 ok = process_proxy_cond_val(letters,
2924 cond, cond_end, pos, indent + 1);
2925 cond = *cond_end;
2926 if (ok < 0)
2927 break;
2928
2929 switch(c)
2930 {
2931 case '&':
2932 ok &= save_ok;
2933 break;
2934 case '^':
2935 ok ^= save_ok;
2936 break;
2937 default:
2938 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
2939 " STOPPING\n");
2940 EXIT(1);
2941 }
2942 }
2943 break;
2944 default:
2945 goto end;
2946 }
2947 }
2948 end:
2949 if (debug)
2950 process_proxy_debug(indent,
2951 "End process_proxy_cond_multipliers at position %d: %s, returning %d\n",
2952 *pos, cond, ok);
2953
2954 *cond_end = cond;
2955 return ok;
2956 }
2957static int process_proxy_cond_adders(unsigned int letters[26],
2958 const char *cond, const char **cond_end, int *pos, int indent)
2959 {
2960 int ok;
2961 char c;
2962
2963 if (debug)
2964 process_proxy_debug(indent,
2965 "Start process_proxy_cond_adders at position %d: %s\n",
2966 *pos, cond);
2967
2968 ok = process_proxy_cond_multipliers(letters, cond, cond_end, pos,
2969 indent + 1);
2970 cond = *cond_end;
2971 if (ok < 0)
2972 goto end;
2973
2974 while(ok >= 0)
2975 {
a51a9726 2976 while(isspace((int)*cond))
a7201e9a
RL		 2977 {
2978 cond++; (*pos)++;
2979 }
2980 c = *cond;
2981
2982 switch(c)
2983 {
2984 case '|':
2985 {
2986 int save_ok = ok;
2987
2988 cond++; (*pos)++;
2989 ok = process_proxy_cond_multipliers(letters,
2990 cond, cond_end, pos, indent + 1);
2991 cond = *cond_end;
2992 if (ok < 0)
2993 break;
2994
2995 switch(c)
2996 {
2997 case '|':
2998 ok |= save_ok;
2999 break;
3000 default:
3001 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
3002 " STOPPING\n");
3003 EXIT(1);
3004 }
3005 }
3006 break;
3007 default:
3008 goto end;
3009 }
3010 }
3011 end:
3012 if (debug)
3013 process_proxy_debug(indent,
3014 "End process_proxy_cond_adders at position %d: %s, returning %d\n",
3015 *pos, cond, ok);
3016
3017 *cond_end = cond;
3018 return ok;
3019 }
3020
3021static int process_proxy_cond(unsigned int letters[26],
3022 const char *cond, const char **cond_end)
3023 {
3024 int pos = 1;
3025 return process_proxy_cond_adders(letters, cond, cond_end, &pos, 1);
3026 }
3027
6d23cf97 3028static int app_verify_callback(X509_STORE_CTX *ctx, void *arg)
023ec151 3029 {
023ec151 3030 int ok=1;
a7201e9a
RL		 3031 struct app_verify_arg *cb_arg = arg;
3032 unsigned int letters[26]; /* only used with proxy_auth */
023ec151 3033
a7201e9a 3034 if (cb_arg->app_verify)
023ec151 3035 {
a7201e9a
RL		 3036 char *s = NULL,buf[256];
3037
3038 fprintf(stderr, "In app_verify_callback, allowing cert. ");
3039 fprintf(stderr, "Arg is: %s\n", cb_arg->string);
35e8510e 3040 fprintf(stderr, "Finished printing do we have a context? 0x%p a cert? 0x%p\n",
f795123c 3041 (void *)ctx, (void *)ctx->cert);
a7201e9a
RL		 3042 if (ctx->cert)
3043 s=X509_NAME_oneline(X509_get_subject_name(ctx->cert),buf,256);
3044 if (s != NULL)
3045 {
023ec151 3046 fprintf(stderr,"cert depth=%d %s\n",ctx->error_depth,buf);
a7201e9a
RL		 3047 }
3048 return(1);
3049 }
3050 if (cb_arg->proxy_auth)
3051 {
3052 int found_any = 0, i;
3053 char *sp;
3054
3055 for(i = 0; i < 26; i++)
3056 letters[i] = 0;
3057 for(sp = cb_arg->proxy_auth; *sp; sp++)
3058 {
a51a9726 3059 int c = *sp;
a7201e9a
RL		 3060 if (isascii(c) && isalpha(c))
3061 {
3062 if (islower(c))
3063 c = toupper(c);
3064 letters[c - 'A'] = 1;
3065 }
3066 }
3067
3068 fprintf(stderr,
3069 " Initial proxy rights = ");
3070 for(i = 0; i < 26; i++)
3071 if (letters[i])
3072 {
3073 fprintf(stderr, "%c", i + 'A');
3074 found_any = 1;
3075 }
3076 if (!found_any)
3077 fprintf(stderr, "none");
3078 fprintf(stderr, "\n");
3079
3080 X509_STORE_CTX_set_ex_data(ctx,
3081 get_proxy_auth_ex_data_idx(),letters);
023ec151 3082 }
d9bfe4f9
RL		 3083 if (cb_arg->allow_proxy_certs)
3084 {
3085 X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
3086 }
023ec151 3087
a7201e9a 3088#ifndef OPENSSL_NO_X509_VERIFY
a7201e9a 3089 ok = X509_verify_cert(ctx);
a7201e9a
RL		 3090#endif
3091
3092 if (cb_arg->proxy_auth)
3093 {
bab53405 3094 if (ok > 0)
a7201e9a
RL		 3095 {
3096 const char *cond_end = NULL;
3097
3098 ok = process_proxy_cond(letters,
3099 cb_arg->proxy_cond, &cond_end);
3100
3101 if (ok < 0)
3102 EXIT(3);
3103 if (*cond_end)
3104 {
3105 fprintf(stderr, "Stopped processing condition before it's end.\n");
3106 ok = 0;
3107 }
3108 if (!ok)
3109 fprintf(stderr, "Proxy rights check with condition '%s' proved invalid\n",
3110 cb_arg->proxy_cond);
3111 else
3112 fprintf(stderr, "Proxy rights check with condition '%s' proved valid\n",
3113 cb_arg->proxy_cond);
3114 }
3115 }
023ec151
BM		 3116 return(ok);
3117 }
3118
bc36ee62 3119#ifndef OPENSSL_NO_RSA
46b3bd54
BM		 3120static RSA *rsa_tmp=NULL;
3121
6d23cf97 3122static RSA *tmp_rsa_cb(SSL *s, int is_export, int keylength)
58964a49 3123 {
bcfea9fb 3124 BIGNUM *bn = NULL;
58964a49
RE		 3125 if (rsa_tmp == NULL)
3126 {
bcfea9fb 3127 bn = BN_new();
e9224c71 3128 rsa_tmp = RSA_new();
bcfea9fb 3129 if(!bn || !rsa_tmp || !BN_set_word(bn, RSA_F4))
e9224c71
GT		 3130 {
3131 BIO_printf(bio_err, "Memory error...");
3132 goto end;
3133 }
60e31c3a 3134 BIO_printf(bio_err,"Generating temp (%d bit) RSA key...",keylength);
d58d092b 3135 (void)BIO_flush(bio_err);
bcfea9fb 3136 if(!RSA_generate_key_ex(rsa_tmp,keylength,bn,NULL))
e9224c71 3137 {
3ae70939 3138 BIO_printf(bio_err, "Error generating key.");
e9224c71
GT		 3139 RSA_free(rsa_tmp);
3140 rsa_tmp = NULL;
3141 }
3142end:
58964a49 3143 BIO_printf(bio_err,"\n");
d58d092b 3144 (void)BIO_flush(bio_err);
58964a49 3145 }
bcfea9fb 3146 if(bn) BN_free(bn);
58964a49
RE		 3147 return(rsa_tmp);
3148 }
46b3bd54
BM		 3149
3150static void free_tmp_rsa(void)
3151 {
3152 if (rsa_tmp != NULL)
3153 {
3154 RSA_free(rsa_tmp);
3155 rsa_tmp = NULL;
3156 }
3157 }
79df9d62 3158#endif
53002dc6 3159
bc36ee62 3160#ifndef OPENSSL_NO_DH
1d97c843
TH		 3161/*-
3162 * These DH parameters have been generated as follows:
e4589582
BM		 3163 * $ openssl dhparam -C -noout 512
3164 * $ openssl dhparam -C -noout 1024
3165 * $ openssl dhparam -C -noout -dsaparam 1024
3166 * (The third function has been renamed to avoid name conflicts.)
3167 */
f3f316f1 3168static DH *get_dh512()
e4589582
BM		 3169 {
3170 static unsigned char dh512_p[]={
3171 0xCB,0xC8,0xE1,0x86,0xD0,0x1F,0x94,0x17,0xA6,0x99,0xF0,0xC6,
3172 0x1F,0x0D,0xAC,0xB6,0x25,0x3E,0x06,0x39,0xCA,0x72,0x04,0xB0,
3173 0x6E,0xDA,0xC0,0x61,0xE6,0x7A,0x77,0x25,0xE8,0x3B,0xB9,0x5F,
3174 0x9A,0xB6,0xB5,0xFE,0x99,0x0B,0xA1,0x93,0x4E,0x35,0x33,0xB8,
3175 0xE1,0xF1,0x13,0x4F,0x59,0x1A,0xD2,0x57,0xC0,0x26,0x21,0x33,
3176 0x02,0xC5,0xAE,0x23,
3177 };
3178 static unsigned char dh512_g[]={
3179 0x02,
3180 };
3181 DH *dh;
3182
3183 if ((dh=DH_new()) == NULL) return(NULL);
3184 dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
3185 dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
3186 if ((dh->p == NULL) || (dh->g == NULL))
3187 { DH_free(dh); return(NULL); }
3188 return(dh);
3189 }
3190
f3f316f1 3191static DH *get_dh1024()
53002dc6 3192 {
e4589582
BM		 3193 static unsigned char dh1024_p[]={
3194 0xF8,0x81,0x89,0x7D,0x14,0x24,0xC5,0xD1,0xE6,0xF7,0xBF,0x3A,
3195 0xE4,0x90,0xF4,0xFC,0x73,0xFB,0x34,0xB5,0xFA,0x4C,0x56,0xA2,
3196 0xEA,0xA7,0xE9,0xC0,0xC0,0xCE,0x89,0xE1,0xFA,0x63,0x3F,0xB0,
3197 0x6B,0x32,0x66,0xF1,0xD1,0x7B,0xB0,0x00,0x8F,0xCA,0x87,0xC2,
3198 0xAE,0x98,0x89,0x26,0x17,0xC2,0x05,0xD2,0xEC,0x08,0xD0,0x8C,
3199 0xFF,0x17,0x52,0x8C,0xC5,0x07,0x93,0x03,0xB1,0xF6,0x2F,0xB8,
3200 0x1C,0x52,0x47,0x27,0x1B,0xDB,0xD1,0x8D,0x9D,0x69,0x1D,0x52,
3201 0x4B,0x32,0x81,0xAA,0x7F,0x00,0xC8,0xDC,0xE6,0xD9,0xCC,0xC1,
3202 0x11,0x2D,0x37,0x34,0x6C,0xEA,0x02,0x97,0x4B,0x0E,0xBB,0xB1,
3203 0x71,0x33,0x09,0x15,0xFD,0xDD,0x23,0x87,0x07,0x5E,0x89,0xAB,
3204 0x6B,0x7C,0x5F,0xEC,0xA6,0x24,0xDC,0x53,
3205 };
3206 static unsigned char dh1024_g[]={
3207 0x02,
3208 };
3209 DH *dh;
3210
3211 if ((dh=DH_new()) == NULL) return(NULL);
3212 dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
3213 dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
3214 if ((dh->p == NULL) || (dh->g == NULL))
3215 { DH_free(dh); return(NULL); }
3216 return(dh);
3217 }
53002dc6 3218
f3f316f1 3219static DH *get_dh1024dsa()
e4589582
BM		 3220 {
3221 static unsigned char dh1024_p[]={
3222 0xC8,0x00,0xF7,0x08,0x07,0x89,0x4D,0x90,0x53,0xF3,0xD5,0x00,
3223 0x21,0x1B,0xF7,0x31,0xA6,0xA2,0xDA,0x23,0x9A,0xC7,0x87,0x19,
3224 0x3B,0x47,0xB6,0x8C,0x04,0x6F,0xFF,0xC6,0x9B,0xB8,0x65,0xD2,
3225 0xC2,0x5F,0x31,0x83,0x4A,0xA7,0x5F,0x2F,0x88,0x38,0xB6,0x55,
3226 0xCF,0xD9,0x87,0x6D,0x6F,0x9F,0xDA,0xAC,0xA6,0x48,0xAF,0xFC,
3227 0x33,0x84,0x37,0x5B,0x82,0x4A,0x31,0x5D,0xE7,0xBD,0x52,0x97,
3228 0xA1,0x77,0xBF,0x10,0x9E,0x37,0xEA,0x64,0xFA,0xCA,0x28,0x8D,
3229 0x9D,0x3B,0xD2,0x6E,0x09,0x5C,0x68,0xC7,0x45,0x90,0xFD,0xBB,
3230 0x70,0xC9,0x3A,0xBB,0xDF,0xD4,0x21,0x0F,0xC4,0x6A,0x3C,0xF6,
3231 0x61,0xCF,0x3F,0xD6,0x13,0xF1,0x5F,0xBC,0xCF,0xBC,0x26,0x9E,
3232 0xBC,0x0B,0xBD,0xAB,0x5D,0xC9,0x54,0x39,
3233 };
3234 static unsigned char dh1024_g[]={
3235 0x3B,0x40,0x86,0xE7,0xF3,0x6C,0xDE,0x67,0x1C,0xCC,0x80,0x05,
3236 0x5A,0xDF,0xFE,0xBD,0x20,0x27,0x74,0x6C,0x24,0xC9,0x03,0xF3,
3237 0xE1,0x8D,0xC3,0x7D,0x98,0x27,0x40,0x08,0xB8,0x8C,0x6A,0xE9,
3238 0xBB,0x1A,0x3A,0xD6,0x86,0x83,0x5E,0x72,0x41,0xCE,0x85,0x3C,
3239 0xD2,0xB3,0xFC,0x13,0xCE,0x37,0x81,0x9E,0x4C,0x1C,0x7B,0x65,
3240 0xD3,0xE6,0xA6,0x00,0xF5,0x5A,0x95,0x43,0x5E,0x81,0xCF,0x60,
3241 0xA2,0x23,0xFC,0x36,0xA7,0x5D,0x7A,0x4C,0x06,0x91,0x6E,0xF6,
3242 0x57,0xEE,0x36,0xCB,0x06,0xEA,0xF5,0x3D,0x95,0x49,0xCB,0xA7,
3243 0xDD,0x81,0xDF,0x80,0x09,0x4A,0x97,0x4D,0xA8,0x22,0x72,0xA1,
3244 0x7F,0xC4,0x70,0x56,0x70,0xE8,0x20,0x10,0x18,0x8F,0x2E,0x60,
3245 0x07,0xE7,0x68,0x1A,0x82,0x5D,0x32,0xA2,
3246 };
3247 DH *dh;
53002dc6 3248
e4589582
BM		 3249 if ((dh=DH_new()) == NULL) return(NULL);
3250 dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
3251 dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
3252 if ((dh->p == NULL) || (dh->g == NULL))
3253 { DH_free(dh); return(NULL); }
3254 dh->length = 160;
3255 return(dh);
53002dc6 3256 }
f71165b5 3257#endif
6e119bb0 3258
ddac1974
NL		 3259#ifndef OPENSSL_NO_PSK
3260/* convert the PSK key (psk_key) in ascii to binary (psk) */
3261static int psk_key2bn(const char *pskkey, unsigned char *psk,
3262 unsigned int max_psk_len)
3263 {
3264 int ret;
3265 BIGNUM *bn = NULL;
3266
3267 ret = BN_hex2bn(&bn, pskkey);
3268 if (!ret)
3269 {
3270 BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", pskkey);
3271 if (bn)
3272 BN_free(bn);
3273 return 0;
3274 }
3275 if (BN_num_bytes(bn) > (int)max_psk_len)
3276 {
3277 BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n",
3278 max_psk_len, BN_num_bytes(bn));
3279 BN_free(bn);
3280 return 0;
3281 }
3282 ret = BN_bn2bin(bn, psk);
3283 BN_free(bn);
3284 return ret;
3285 }
3286
3287static unsigned int psk_client_callback(SSL *ssl, const char *hint, char *identity,
3288 unsigned int max_identity_len, unsigned char *psk,
3289 unsigned int max_psk_len)
3290 {
3291 int ret;
3292 unsigned int psk_len = 0;
3293
e9680894 3294 ret = BIO_snprintf(identity, max_identity_len, "Client_identity");
ddac1974
NL		 3295 if (ret < 0)
3296 goto out_err;
3297 if (debug)
3298 fprintf(stderr, "client: created identity '%s' len=%d\n", identity, ret);
3299 ret = psk_key2bn(psk_key, psk, max_psk_len);
3300 if (ret < 0)
3301 goto out_err;
3302 psk_len = ret;
3303out_err:
3304 return psk_len;
3305 }
3306
3307static unsigned int psk_server_callback(SSL *ssl, const char *identity,
3308 unsigned char *psk, unsigned int max_psk_len)
3309 {
3310 unsigned int psk_len=0;
3311
3312 if (strcmp(identity, "Client_identity") != 0)
3313 {
3314 BIO_printf(bio_err, "server: PSK error: client identity not found\n");
3315 return 0;
3316 }
3317 psk_len=psk_key2bn(psk_key, psk, max_psk_len);
3318 return psk_len;
3319 }
3320#endif
3321
6e119bb0
NL		 3322static int do_test_cipherlist(void)
3323 {
3324 int i = 0;
3325 const SSL_METHOD *meth;
babb3798 3326 const SSL_CIPHER *ci, *tci = NULL;
6e119bb0 3327
00fe865d 3328#ifndef OPENSSL_NO_SSL3
6e119bb0
NL		 3329 fprintf(stderr, "testing SSLv3 cipher list order: ");
3330 meth = SSLv3_method();
3331 tci = NULL;
3332 while ((ci = meth->get_cipher(i++)) != NULL)
3333 {
3334 if (tci != NULL)
3335 if (ci->id >= tci->id)
3336 {
3337 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
3338 return 0;
3339 }
3340 tci = ci;
3341 }
3342 fprintf(stderr, "ok\n");
00fe865d
NL		 3343#endif
3344#ifndef OPENSSL_NO_TLS1
6e119bb0
NL		 3345 fprintf(stderr, "testing TLSv1 cipher list order: ");
3346 meth = TLSv1_method();
3347 tci = NULL;
3348 while ((ci = meth->get_cipher(i++)) != NULL)
3349 {
3350 if (tci != NULL)
3351 if (ci->id >= tci->id)
3352 {
3353 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
3354 return 0;
3355 }
3356 tci = ci;
3357 }
3358 fprintf(stderr, "ok\n");
00fe865d 3359#endif
6e119bb0
NL		 3360
3361 return 1;
3362 }
A mirror of the official openssl repository