]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/ssltest.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
give EC_GROUP_new_by_nid a more meanigful name:
[thirdparty/openssl.git] / ssl / ssltest.c
CommitLineData
d02b48c6 1/* ssl/ssltest.c */
58964a49 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
d02b48c6
RE		 3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
3ac82faa
BM		 58/* ====================================================================
59 * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
ea262260
BM		 111/* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 * ECC cipher suite support in OpenSSL originally developed by
114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
115 */
d02b48c6 116
4fbe40c5 117#define _BSD_SOURCE 1 /* Or gethostname won't be declared properly
37289744 118 on Linux and GNU platforms. */
37289744 119
6f7af152
BM		 120#include <assert.h>
121#include <errno.h>
122#include <limits.h>
d02b48c6
RE		 123#include <stdio.h>
124#include <stdlib.h>
125#include <string.h>
563f1503 126#include <time.h>
17e3dd1c 127
e7a28569 128#define USE_SOCKETS
41d2a336 129#include "e_os.h"
17e3dd1c 130
a963395a
RL		 131#define _XOPEN_SOURCE 1 /* Or isascii won't be declared properly on
132 VMS (at least with DECompHP C). */
133#include <ctype.h>
134
ec577822
BM		 135#include <openssl/bio.h>
136#include <openssl/crypto.h>
563f1503 137#include <openssl/evp.h>
ec577822 138#include <openssl/x509.h>
a7201e9a 139#include <openssl/x509v3.h>
ec577822 140#include <openssl/ssl.h>
0b13e9f0 141#ifndef OPENSSL_NO_ENGINE
b8e2f83a 142#include <openssl/engine.h>
0b13e9f0 143#endif
ec577822 144#include <openssl/err.h>
b9d82f47 145#include <openssl/rand.h>
60a938c6
GT		 146#include <openssl/rsa.h>
147#include <openssl/dsa.h>
148#include <openssl/dh.h>
d095b68d 149#include <openssl/bn.h>
09867a47
RL		 150
151#define _XOPEN_SOURCE_EXTENDED 1 /* Or gethostname won't be declared properly
152 on Compaq platforms (at least with DEC C).
153 Do not try to put it earlier, or IPv6 includes
154 get screwed...
155 */
156
bc36ee62 157#ifdef OPENSSL_SYS_WINDOWS
f9b3bff6 158#include <winsock.h>
37289744
RL		 159#else
160#include OPENSSL_UNISTD
d02b48c6
RE		 161#endif
162
bc36ee62 163#ifdef OPENSSL_SYS_VMS
7d7d2cbc
UM		 164# define TEST_SERVER_CERT "SYS$DISK:[-.APPS]SERVER.PEM"
165# define TEST_CLIENT_CERT "SYS$DISK:[-.APPS]CLIENT.PEM"
0bf23d9b
RL		 166#elif defined(OPENSSL_SYS_WINCE)
167# define TEST_SERVER_CERT "\\OpenSSL\\server.pem"
168# define TEST_CLIENT_CERT "\\OpenSSL\\client.pem"
4d8743f4
RL		 169#elif defined(OPENSSL_SYS_NETWARE)
170# define TEST_SERVER_CERT "\\openssl\\apps\\server.pem"
171# define TEST_CLIENT_CERT "\\openssl\\apps\\client.pem"
7d7d2cbc
UM		 172#else
173# define TEST_SERVER_CERT "../apps/server.pem"
174# define TEST_CLIENT_CERT "../apps/client.pem"
175#endif
d02b48c6 176
23f80f46
RL		 177/* There is really no standard for this, so let's assign some tentative
178 numbers. In any case, these numbers are only for this test */
82423549
RL		 179#define COMP_RLE 255
180#define COMP_ZLIB 1
23f80f46 181
396f6314 182static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
bc36ee62 183#ifndef OPENSSL_NO_RSA
df63a389 184static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export,int keylength);
46b3bd54 185static void free_tmp_rsa(void);
79df9d62 186#endif
023ec151 187static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg);
a7201e9a
RL		 188#define APP_CALLBACK_STRING "Test Callback Argument"
189struct app_verify_arg
190 {
191 char *string;
192 int app_verify;
d9bfe4f9 193 int allow_proxy_certs;
a7201e9a
RL		 194 char *proxy_auth;
195 char *proxy_cond;
196 };
023ec151 197
bc36ee62 198#ifndef OPENSSL_NO_DH
d02b48c6 199static DH *get_dh512(void);
e4589582
BM		 200static DH *get_dh1024(void);
201static DH *get_dh1024dsa(void);
53002dc6
BM		 202#endif
203
396f6314
BM		 204static BIO *bio_err=NULL;
205static BIO *bio_stdout=NULL;
d02b48c6
RE		 206
207static char *cipher=NULL;
79875776
BM		 208static int verbose=0;
209static int debug=0;
d58d092b
BM		 210#if 0
211/* Not used yet. */
d02b48c6
RE		 212#ifdef FIONBIO
213static int s_nbio=0;
214#endif
d58d092b 215#endif
d02b48c6 216
b9d82f47 217static const char rnd_seed[] = "string to make the random number generator think it has entropy";
d02b48c6 218
563f1503 219int doit_biopair(SSL *s_ssl,SSL *c_ssl,long bytes,clock_t *s_time,clock_t *c_time);
58964a49 220int doit(SSL *s_ssl,SSL *c_ssl,long bytes);
6b691a5c 221static void sv_usage(void)
d02b48c6
RE		 222 {
223 fprintf(stderr,"usage: ssltest [args ...]\n");
224 fprintf(stderr,"\n");
225 fprintf(stderr," -server_auth - check server certificate\n");
226 fprintf(stderr," -client_auth - do client authentication\n");
d9bfe4f9 227 fprintf(stderr," -proxy - allow proxy certificates\n");
a7201e9a
RL		 228 fprintf(stderr," -proxy_auth <val> - set proxy policy rights\n");
229 fprintf(stderr," -proxy_cond <val> - experssion to test proxy policy rights\n");
d02b48c6 230 fprintf(stderr," -v - more output\n");
58964a49
RE		 231 fprintf(stderr," -d - debug output\n");
232 fprintf(stderr," -reuse - use session-id reuse\n");
233 fprintf(stderr," -num <val> - number of connections to perform\n");
234 fprintf(stderr," -bytes <val> - number of bytes to swap between client/server\n");
bc36ee62 235#ifndef OPENSSL_NO_DH
e4589582
BM		 236 fprintf(stderr," -dhe1024 - use 1024 bit key (safe prime) for DHE\n");
237 fprintf(stderr," -dhe1024dsa - use 1024 bit key (with 160-bit subprime) for DHE\n");
77fa04a9
BM		 238 fprintf(stderr," -no_dhe - disable DHE\n");
239#endif
ea262260
BM		 240#ifndef OPENSSL_NO_ECDH
241 fprintf(stderr," -no_ecdhe - disable ECDHE\n");
242#endif
bc36ee62 243#ifndef OPENSSL_NO_SSL2
d02b48c6
RE		 244 fprintf(stderr," -ssl2 - use SSLv2\n");
245#endif
bc36ee62 246#ifndef OPENSSL_NO_SSL3
d02b48c6 247 fprintf(stderr," -ssl3 - use SSLv3\n");
58964a49 248#endif
bc36ee62 249#ifndef OPENSSL_NO_TLS1
58964a49 250 fprintf(stderr," -tls1 - use TLSv1\n");
d02b48c6
RE		 251#endif
252 fprintf(stderr," -CApath arg - PEM format directory of CA's\n");
253 fprintf(stderr," -CAfile arg - PEM format file of CA's\n");
7d2509b6
BM		 254 fprintf(stderr," -cert arg - Server certificate file\n");
255 fprintf(stderr," -key arg - Server key file (default: same as -cert)\n");
256 fprintf(stderr," -c_cert arg - Client certificate file\n");
257 fprintf(stderr," -c_key arg - Client key file (default: same as -c_cert)\n");
58964a49 258 fprintf(stderr," -cipher arg - The cipher list\n");
95d29597
BM		 259 fprintf(stderr," -bio_pair - Use BIO pairs\n");
260 fprintf(stderr," -f - Test even cases that can't work\n");
563f1503 261 fprintf(stderr," -time - measure processor time used by client and server\n");
23f80f46 262 fprintf(stderr," -zlib - use zlib compression\n");
ea262260
BM		 263 fprintf(stderr," -rle - use rle compression\n");
264#ifndef OPENSSL_NO_ECDH
265 fprintf(stderr," -named_curve arg - Elliptic curve name to use for ephemeral ECDH keys.\n" \
266 " Use \"openssl ecparam -list_curves\" for all names\n" \
267 " (default is sect163r2).\n");
268#endif
563f1503
BM		 269 }
270
271static void print_details(SSL *c_ssl, const char *prefix)
272 {
273 SSL_CIPHER *ciph;
274 X509 *cert;
275
276 ciph=SSL_get_current_cipher(c_ssl);
277 BIO_printf(bio_stdout,"%s%s, cipher %s %s",
278 prefix,
279 SSL_get_version(c_ssl),
280 SSL_CIPHER_get_version(ciph),
281 SSL_CIPHER_get_name(ciph));
282 cert=SSL_get_peer_certificate(c_ssl);
283 if (cert != NULL)
284 {
285 EVP_PKEY *pkey = X509_get_pubkey(cert);
286 if (pkey != NULL)
287 {
288 if (0)
289 ;
bc36ee62 290#ifndef OPENSSL_NO_RSA
563f1503
BM		 291 else if (pkey->type == EVP_PKEY_RSA && pkey->pkey.rsa != NULL
292 && pkey->pkey.rsa->n != NULL)
293 {
294 BIO_printf(bio_stdout, ", %d bit RSA",
295 BN_num_bits(pkey->pkey.rsa->n));
296 }
297#endif
bc36ee62 298#ifndef OPENSSL_NO_DSA
563f1503
BM		 299 else if (pkey->type == EVP_PKEY_DSA && pkey->pkey.dsa != NULL
300 && pkey->pkey.dsa->p != NULL)
301 {
302 BIO_printf(bio_stdout, ", %d bit DSA",
303 BN_num_bits(pkey->pkey.dsa->p));
304 }
305#endif
306 EVP_PKEY_free(pkey);
307 }
308 X509_free(cert);
309 }
310 /* The SSL API does not allow us to look at temporary RSA/DH keys,
311 * otherwise we should print their lengths too */
312 BIO_printf(bio_stdout,"\n");
d02b48c6
RE		 313 }
314
3ac82faa
BM		 315static void lock_dbg_cb(int mode, int type, const char *file, int line)
316 {
317 static int modes[CRYPTO_NUM_LOCKS]; /* = {0, 0, ... } */
318 const char *errstr = NULL;
319 int rw;
320
321 rw = mode & (CRYPTO_READ|CRYPTO_WRITE);
322 if (!((rw == CRYPTO_READ) || (rw == CRYPTO_WRITE)))
323 {
324 errstr = "invalid mode";
325 goto err;
326 }
327
563c05e2 328 if (type < 0 || type >= CRYPTO_NUM_LOCKS)
3ac82faa
BM		 329 {
330 errstr = "type out of bounds";
331 goto err;
332 }
333
334 if (mode & CRYPTO_LOCK)
335 {
336 if (modes[type])
337 {
338 errstr = "already locked";
339 /* must not happen in a single-threaded program
340 * (would deadlock) */
341 goto err;
342 }
343
344 modes[type] = rw;
345 }
346 else if (mode & CRYPTO_UNLOCK)
347 {
348 if (!modes[type])
349 {
350 errstr = "not locked";
351 goto err;
352 }
353
354 if (modes[type] != rw)
355 {
356 errstr = (rw == CRYPTO_READ) ?
357 "CRYPTO_r_unlock on write lock" :
358 "CRYPTO_w_unlock on read lock";
359 }
360
361 modes[type] = 0;
362 }
363 else
364 {
365 errstr = "invalid mode";
366 goto err;
367 }
368
369 err:
370 if (errstr)
371 {
372 /* we cannot use bio_err here */
373 fprintf(stderr, "openssl (lock_dbg_cb): %s (mode=%d, type=%d) at %s:%d\n",
374 errstr, mode, type, file, line);
375 }
376 }
377
6b691a5c 378int main(int argc, char *argv[])
d02b48c6
RE		 379 {
380 char *CApath=NULL,*CAfile=NULL;
381 int badop=0;
95d29597
BM		 382 int bio_pair=0;
383 int force=0;
58964a49 384 int tls1=0,ssl2=0,ssl3=0,ret=1;
d02b48c6 385 int client_auth=0;
58964a49 386 int server_auth=0,i;
a7201e9a 387 struct app_verify_arg app_verify_arg =
d9bfe4f9 388 { APP_CALLBACK_STRING, 0, 0, NULL, NULL };
d02b48c6 389 char *server_cert=TEST_SERVER_CERT;
65b002f3 390 char *server_key=NULL;
d02b48c6 391 char *client_cert=TEST_CLIENT_CERT;
65b002f3 392 char *client_key=NULL;
ea262260 393 char *named_curve = NULL;
d02b48c6
RE		 394 SSL_CTX *s_ctx=NULL;
395 SSL_CTX *c_ctx=NULL;
396 SSL_METHOD *meth=NULL;
58964a49
RE		 397 SSL *c_ssl,*s_ssl;
398 int number=1,reuse=0;
82423549 399 long bytes=256L;
bc36ee62 400#ifndef OPENSSL_NO_DH
d02b48c6 401 DH *dh;
e4589582 402 int dhe1024 = 0, dhe1024dsa = 0;
ea262260
BM		 403#endif
404#ifndef OPENSSL_NO_ECDH
405 EC_KEY *ecdh = NULL;
58964a49 406#endif
e4589582 407 int no_dhe = 0;
ea262260 408 int no_ecdhe = 0;
563f1503
BM		 409 int print_time = 0;
410 clock_t s_time = 0, c_time = 0;
23f80f46 411 int comp = 0;
8df788c9 412 COMP_METHOD *cm = NULL;
82423549 413 STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
563f1503 414
79875776
BM		 415 verbose = 0;
416 debug = 0;
417 cipher = 0;
1e3a9b65
BM		 418
419 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
420
3ac82faa
BM		 421 CRYPTO_set_locking_callback(lock_dbg_cb);
422
10654d3a
BM		 423 /* enable memory leak checking unless explicitly disabled */
424 if (!((getenv("OPENSSL_DEBUG_MEMORY") != NULL) && (0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off"))))
425 {
426 CRYPTO_malloc_debug_init();
384eff87
BM		 427 CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
428 }
429 else
430 {
431 /* OPENSSL_DEBUG_MEMORY=off */
432 CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0);
10654d3a 433 }
79875776 434 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
d02b48c6 435
b9d82f47
UM		 436 RAND_seed(rnd_seed, sizeof rnd_seed);
437
d02b48c6
RE		 438 bio_stdout=BIO_new_fp(stdout,BIO_NOCLOSE);
439
d02b48c6
RE		 440 argc--;
441 argv++;
442
443 while (argc >= 1)
444 {
445 if (strcmp(*argv,"-server_auth") == 0)
446 server_auth=1;
447 else if (strcmp(*argv,"-client_auth") == 0)
448 client_auth=1;
a7201e9a
RL		 449 else if (strcmp(*argv,"-proxy_auth") == 0)
450 {
451 if (--argc < 1) goto bad;
452 app_verify_arg.proxy_auth= *(++argv);
453 }
454 else if (strcmp(*argv,"-proxy_cond") == 0)
455 {
456 if (--argc < 1) goto bad;
457 app_verify_arg.proxy_cond= *(++argv);
458 }
d02b48c6
RE		 459 else if (strcmp(*argv,"-v") == 0)
460 verbose=1;
58964a49
RE		 461 else if (strcmp(*argv,"-d") == 0)
462 debug=1;
463 else if (strcmp(*argv,"-reuse") == 0)
464 reuse=1;
48c843c3 465 else if (strcmp(*argv,"-dhe1024") == 0)
90f5a2b6
RL		 466 {
467#ifndef OPENSSL_NO_DH
48c843c3 468 dhe1024=1;
90f5a2b6 469#else
ba5ba549 470 fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n");
90f5a2b6
RL		 471#endif
472 }
e4589582 473 else if (strcmp(*argv,"-dhe1024dsa") == 0)
90f5a2b6
RL		 474 {
475#ifndef OPENSSL_NO_DH
e4589582 476 dhe1024dsa=1;
90f5a2b6 477#else
ba5ba549 478 fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n");
e4589582 479#endif
90f5a2b6 480 }
77fa04a9
BM		 481 else if (strcmp(*argv,"-no_dhe") == 0)
482 no_dhe=1;
ea262260
BM		 483 else if (strcmp(*argv,"-no_ecdhe") == 0)
484 no_ecdhe=1;
d02b48c6
RE		 485 else if (strcmp(*argv,"-ssl2") == 0)
486 ssl2=1;
58964a49
RE		 487 else if (strcmp(*argv,"-tls1") == 0)
488 tls1=1;
d02b48c6
RE		 489 else if (strcmp(*argv,"-ssl3") == 0)
490 ssl3=1;
58964a49
RE		 491 else if (strncmp(*argv,"-num",4) == 0)
492 {
493 if (--argc < 1) goto bad;
494 number= atoi(*(++argv));
495 if (number == 0) number=1;
496 }
497 else if (strcmp(*argv,"-bytes") == 0)
498 {
499 if (--argc < 1) goto bad;
500 bytes= atol(*(++argv));
501 if (bytes == 0L) bytes=1L;
502 i=strlen(argv[0]);
503 if (argv[0][i-1] == 'k') bytes*=1024L;
504 if (argv[0][i-1] == 'm') bytes*=1024L*1024L;
505 }
d02b48c6
RE		 506 else if (strcmp(*argv,"-cert") == 0)
507 {
508 if (--argc < 1) goto bad;
509 server_cert= *(++argv);
510 }
511 else if (strcmp(*argv,"-s_cert") == 0)
512 {
513 if (--argc < 1) goto bad;
514 server_cert= *(++argv);
515 }
65b002f3
BM		 516 else if (strcmp(*argv,"-key") == 0)
517 {
518 if (--argc < 1) goto bad;
519 server_key= *(++argv);
520 }
521 else if (strcmp(*argv,"-s_key") == 0)
522 {
523 if (--argc < 1) goto bad;
524 server_key= *(++argv);
525 }
d02b48c6
RE		 526 else if (strcmp(*argv,"-c_cert") == 0)
527 {
528 if (--argc < 1) goto bad;
529 client_cert= *(++argv);
530 }
65b002f3
BM		 531 else if (strcmp(*argv,"-c_key") == 0)
532 {
533 if (--argc < 1) goto bad;
534 client_key= *(++argv);
535 }
d02b48c6
RE		 536 else if (strcmp(*argv,"-cipher") == 0)
537 {
538 if (--argc < 1) goto bad;
539 cipher= *(++argv);
540 }
541 else if (strcmp(*argv,"-CApath") == 0)
542 {
543 if (--argc < 1) goto bad;
544 CApath= *(++argv);
545 }
546 else if (strcmp(*argv,"-CAfile") == 0)
547 {
548 if (--argc < 1) goto bad;
549 CAfile= *(++argv);
550 }
95d29597
BM		 551 else if (strcmp(*argv,"-bio_pair") == 0)
552 {
553 bio_pair = 1;
554 }
555 else if (strcmp(*argv,"-f") == 0)
556 {
557 force = 1;
558 }
563f1503
BM		 559 else if (strcmp(*argv,"-time") == 0)
560 {
561 print_time = 1;
562 }
23f80f46
RL		 563 else if (strcmp(*argv,"-zlib") == 0)
564 {
565 comp = COMP_ZLIB;
566 }
567 else if (strcmp(*argv,"-rle") == 0)
568 {
569 comp = COMP_RLE;
570 }
ea262260
BM		 571 else if (strcmp(*argv,"-named_curve") == 0)
572 {
573 if (--argc < 1) goto bad;
90f5a2b6 574#ifndef OPENSSL_NO_ECDH
ea262260 575 named_curve = *(++argv);
90f5a2b6 576#else
5e3247d8 577 fprintf(stderr,"ignoring -named_curve, since I'm compiled without ECDH\n");
90f5a2b6 578 ++argv;
ea262260 579#endif
90f5a2b6 580 }
023ec151
BM		 581 else if (strcmp(*argv,"-app_verify") == 0)
582 {
a7201e9a 583 app_verify_arg.app_verify = 1;
023ec151 584 }
d9bfe4f9
RL		 585 else if (strcmp(*argv,"-proxy") == 0)
586 {
587 app_verify_arg.allow_proxy_certs = 1;
588 }
d02b48c6
RE		 589 else
590 {
591 fprintf(stderr,"unknown option %s\n",*argv);
592 badop=1;
593 break;
594 }
595 argc--;
596 argv++;
597 }
598 if (badop)
599 {
600bad:
601 sv_usage();
602 goto end;
603 }
604
95d29597
BM		 605 if (!ssl2 && !ssl3 && !tls1 && number > 1 && !reuse && !force)
606 {
563f1503
BM		 607 fprintf(stderr, "This case cannot work. Use -f to perform "
608 "the test anyway (and\n-d to see what happens), "
609 "or add one of -ssl2, -ssl3, -tls1, -reuse\n"
610 "to avoid protocol mismatch.\n");
55f78baf 611 EXIT(1);
95d29597
BM		 612 }
613
563f1503
BM		 614 if (print_time)
615 {
616 if (!bio_pair)
617 {
618 fprintf(stderr, "Using BIO pair (-bio_pair)\n");
619 bio_pair = 1;
620 }
621 if (number < 50 && !force)
622 fprintf(stderr, "Warning: For accurate timings, use more connections (e.g. -num 1000)\n");
623 }
624
d02b48c6
RE		 625/* if (cipher == NULL) cipher=getenv("SSL_CIPHER"); */
626
413c4f45 627 SSL_library_init();
d02b48c6
RE		 628 SSL_load_error_strings();
629
bd68b6b1
RL		 630 if (comp == COMP_ZLIB) cm = COMP_zlib();
631 if (comp == COMP_RLE) cm = COMP_rle();
632 if (cm != NULL)
23f80f46 633 {
23f80f46 634 if (cm->type != NID_undef)
f82ab534
RL		 635 {
636 if (SSL_COMP_add_compression_method(comp, cm) != 0)
637 {
638 fprintf(stderr,
639 "Failed to add compression method\n");
640 ERR_print_errors_fp(stderr);
641 }
642 }
23f80f46 643 else
4751717c 644 {
bd68b6b1
RL		 645 fprintf(stderr,
646 "Warning: %s compression not supported\n",
647 (comp == COMP_RLE ? "rle" :
648 (comp == COMP_ZLIB ? "zlib" :
649 "unknown")));
4751717c
RL		 650 ERR_print_errors_fp(stderr);
651 }
23f80f46 652 }
82423549
RL		 653 ssl_comp_methods = SSL_COMP_get_compression_methods();
654 fprintf(stderr, "Available compression methods:\n");
655 {
a08ced78 656 int j, n = sk_SSL_COMP_num(ssl_comp_methods);
82423549
RL		 657 if (n == 0)
658 fprintf(stderr, " NONE\n");
659 else
a08ced78 660 for (j = 0; j < n; j++)
82423549 661 {
a08ced78 662 SSL_COMP *c = sk_SSL_COMP_value(ssl_comp_methods, j);
82423549
RL		 663 fprintf(stderr, " %d: %s\n", c->id, c->name);
664 }
665 }
23f80f46 666
bc36ee62 667#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
d02b48c6
RE		 668 if (ssl2)
669 meth=SSLv2_method();
670 else
58964a49
RE		 671 if (tls1)
672 meth=TLSv1_method();
673 else
d02b48c6
RE		 674 if (ssl3)
675 meth=SSLv3_method();
676 else
677 meth=SSLv23_method();
678#else
bc36ee62 679#ifdef OPENSSL_NO_SSL2
d02b48c6
RE		 680 meth=SSLv3_method();
681#else
682 meth=SSLv2_method();
683#endif
684#endif
685
686 c_ctx=SSL_CTX_new(meth);
687 s_ctx=SSL_CTX_new(meth);
688 if ((c_ctx == NULL) || (s_ctx == NULL))
689 {
690 ERR_print_errors(bio_err);
691 goto end;
692 }
693
694 if (cipher != NULL)
695 {
696 SSL_CTX_set_cipher_list(c_ctx,cipher);
697 SSL_CTX_set_cipher_list(s_ctx,cipher);
698 }
699
bc36ee62 700#ifndef OPENSSL_NO_DH
77fa04a9 701 if (!no_dhe)
48c843c3 702 {
e4589582 703 if (dhe1024dsa)
48c843c3 704 {
e4589582 705 /* use SSL_OP_SINGLE_DH_USE to avoid small subgroup attacks */
77fa04a9 706 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);
e4589582 707 dh=get_dh1024dsa();
48c843c3 708 }
e4589582
BM		 709 else if (dhe1024)
710 dh=get_dh1024();
77fa04a9 711 else
77fa04a9
BM		 712 dh=get_dh512();
713 SSL_CTX_set_tmp_dh(s_ctx,dh);
714 DH_free(dh);
715 }
e4589582
BM		 716#else
717 (void)no_dhe;
58964a49
RE		 718#endif
719
ea262260
BM		 720#ifndef OPENSSL_NO_ECDH
721 if (!no_ecdhe)
722 {
723 ecdh = EC_KEY_new();
724 if (ecdh != NULL)
725 {
726 if (named_curve)
727 {
728 int nid = OBJ_sn2nid(named_curve);
729
730 if (nid == 0)
731 {
732 BIO_printf(bio_err, "unknown curve name (%s)\n", named_curve);
733 EC_KEY_free(ecdh);
734 goto end;
735 }
736
8b15c740 737 ecdh->group = EC_GROUP_new_by_curve_name(nid);
ea262260
BM		 738 if (ecdh->group == NULL)
739 {
740 BIO_printf(bio_err, "unable to create curve (%s)\n", named_curve);
741 EC_KEY_free(ecdh);
742 goto end;
743 }
744 }
745
746 if (ecdh->group == NULL)
8b15c740 747 ecdh->group=EC_GROUP_new_by_curve_name(NID_sect163r2);
ea262260
BM		 748
749 SSL_CTX_set_tmp_ecdh(s_ctx, ecdh);
750 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_ECDH_USE);
751 EC_KEY_free(ecdh);
752 }
753 }
754#else
755 (void)no_ecdhe;
756#endif
757
bc36ee62 758#ifndef OPENSSL_NO_RSA
58964a49 759 SSL_CTX_set_tmp_rsa_callback(s_ctx,tmp_rsa_cb);
d02b48c6
RE		 760#endif
761
762 if (!SSL_CTX_use_certificate_file(s_ctx,server_cert,SSL_FILETYPE_PEM))
763 {
764 ERR_print_errors(bio_err);
765 }
65b002f3
BM		 766 else if (!SSL_CTX_use_PrivateKey_file(s_ctx,
767 (server_key?server_key:server_cert), SSL_FILETYPE_PEM))
d02b48c6
RE		 768 {
769 ERR_print_errors(bio_err);
770 goto end;
771 }
772
773 if (client_auth)
774 {
775 SSL_CTX_use_certificate_file(c_ctx,client_cert,
776 SSL_FILETYPE_PEM);
65b002f3
BM		 777 SSL_CTX_use_PrivateKey_file(c_ctx,
778 (client_key?client_key:client_cert),
d02b48c6
RE		 779 SSL_FILETYPE_PEM);
780 }
781
782 if ( (!SSL_CTX_load_verify_locations(s_ctx,CAfile,CApath)) ||
783 (!SSL_CTX_set_default_verify_paths(s_ctx)) ||
784 (!SSL_CTX_load_verify_locations(c_ctx,CAfile,CApath)) ||
785 (!SSL_CTX_set_default_verify_paths(c_ctx)))
786 {
58964a49 787 /* fprintf(stderr,"SSL_load_verify_locations\n"); */
d02b48c6 788 ERR_print_errors(bio_err);
58964a49 789 /* goto end; */
d02b48c6
RE		 790 }
791
792 if (client_auth)
793 {
53002dc6 794 BIO_printf(bio_err,"client authentication\n");
d02b48c6
RE		 795 SSL_CTX_set_verify(s_ctx,
796 SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
797 verify_callback);
a7201e9a 798 SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, &app_verify_arg);
d02b48c6
RE		 799 }
800 if (server_auth)
801 {
53002dc6 802 BIO_printf(bio_err,"server authentication\n");
d02b48c6
RE		 803 SSL_CTX_set_verify(c_ctx,SSL_VERIFY_PEER,
804 verify_callback);
a7201e9a 805 SSL_CTX_set_cert_verify_callback(c_ctx, app_verify_callback, &app_verify_arg);
d02b48c6 806 }
b1fe6ca1
BM		 807
808 {
809 int session_id_context = 0;
810 SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context, sizeof session_id_context);
811 }
d02b48c6 812
58964a49
RE		 813 c_ssl=SSL_new(c_ctx);
814 s_ssl=SSL_new(s_ctx);
815
bc36ee62 816#ifndef OPENSSL_NO_KRB5
f9b3bff6
RL		 817 if (c_ssl && c_ssl->kssl_ctx)
818 {
54a656ef 819 char localhost[MAXHOSTNAMELEN+2];
f9b3bff6 820
54a656ef 821 if (gethostname(localhost, sizeof localhost-1) == 0)
f9b3bff6 822 {
54a656ef
BL		 823 localhost[sizeof localhost-1]='\0';
824 if(strlen(localhost) == sizeof localhost-1)
825 {
826 BIO_printf(bio_err,"localhost name too long\n");
31be2daa 827 goto end;
54a656ef 828 }
f9b3bff6
RL		 829 kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER,
830 localhost);
831 }
832 }
bc36ee62 833#endif /* OPENSSL_NO_KRB5 */
f9b3bff6 834
58964a49
RE		 835 for (i=0; i<number; i++)
836 {
837 if (!reuse) SSL_set_session(c_ssl,NULL);
95d29597 838 if (bio_pair)
563f1503 839 ret=doit_biopair(s_ssl,c_ssl,bytes,&s_time,&c_time);
95d29597
BM		 840 else
841 ret=doit(s_ssl,c_ssl,bytes);
58964a49
RE		 842 }
843
844 if (!verbose)
845 {
563f1503 846 print_details(c_ssl, "");
58964a49
RE		 847 }
848 if ((number > 1) || (bytes > 1L))
53002dc6 849 BIO_printf(bio_stdout, "%d handshakes of %ld bytes done\n",number,bytes);
563f1503
BM		 850 if (print_time)
851 {
617d71bc
BM		 852#ifdef CLOCKS_PER_SEC
853 /* "To determine the time in seconds, the value returned
854 * by the clock function should be divided by the value
855 * of the macro CLOCKS_PER_SEC."
856 * -- ISO/IEC 9899 */
563f1503
BM		 857 BIO_printf(bio_stdout, "Approximate total server time: %6.2f s\n"
858 "Approximate total client time: %6.2f s\n",
859 (double)s_time/CLOCKS_PER_SEC,
860 (double)c_time/CLOCKS_PER_SEC);
617d71bc
BM		 861#else
862 /* "`CLOCKS_PER_SEC' undeclared (first use this function)"
863 * -- cc on NeXTstep/OpenStep */
864 BIO_printf(bio_stdout,
865 "Approximate total server time: %6.2f units\n"
866 "Approximate total client time: %6.2f units\n",
867 (double)s_time,
868 (double)c_time);
869#endif
563f1503 870 }
58964a49
RE		 871
872 SSL_free(s_ssl);
873 SSL_free(c_ssl);
874
d02b48c6
RE		 875end:
876 if (s_ctx != NULL) SSL_CTX_free(s_ctx);
877 if (c_ctx != NULL) SSL_CTX_free(c_ctx);
878
879 if (bio_stdout != NULL) BIO_free(bio_stdout);
880
bc36ee62 881#ifndef OPENSSL_NO_RSA
46b3bd54
BM		 882 free_tmp_rsa();
883#endif
0b13e9f0 884#ifndef OPENSSL_NO_ENGINE
b8e2f83a 885 ENGINE_cleanup();
0b13e9f0 886#endif
79aa04ef 887 CRYPTO_cleanup_all_ex_data();
dfeab068 888 ERR_free_strings();
d02b48c6
RE		 889 ERR_remove_state(0);
890 EVP_cleanup();
891 CRYPTO_mem_leaks(bio_err);
79875776 892 if (bio_err != NULL) BIO_free(bio_err);
d02b48c6
RE		 893 EXIT(ret);
894 }
895
563f1503
BM		 896int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count,
897 clock_t *s_time, clock_t *c_time)
95d29597
BM		 898 {
899 long cw_num = count, cr_num = count, sw_num = count, sr_num = count;
900 BIO *s_ssl_bio = NULL, *c_ssl_bio = NULL;
901 BIO *server = NULL, *server_io = NULL, *client = NULL, *client_io = NULL;
95d29597
BM		 902 int ret = 1;
903
904 size_t bufsiz = 256; /* small buffer for testing */
905
906 if (!BIO_new_bio_pair(&server, bufsiz, &server_io, bufsiz))
907 goto err;
908 if (!BIO_new_bio_pair(&client, bufsiz, &client_io, bufsiz))
909 goto err;
910
911 s_ssl_bio = BIO_new(BIO_f_ssl());
912 if (!s_ssl_bio)
913 goto err;
914
915 c_ssl_bio = BIO_new(BIO_f_ssl());
916 if (!c_ssl_bio)
917 goto err;
918
919 SSL_set_connect_state(c_ssl);
920 SSL_set_bio(c_ssl, client, client);
921 (void)BIO_set_ssl(c_ssl_bio, c_ssl, BIO_NOCLOSE);
922
923 SSL_set_accept_state(s_ssl);
924 SSL_set_bio(s_ssl, server, server);
925 (void)BIO_set_ssl(s_ssl_bio, s_ssl, BIO_NOCLOSE);
926
927 do
928 {
929 /* c_ssl_bio: SSL filter BIO
930 *
931 * client: pseudo-I/O for SSL library
932 *
933 * client_io: client's SSL communication; usually to be
934 * relayed over some I/O facility, but in this
935 * test program, we're the server, too:
936 *
937 * server_io: server's SSL communication
938 *
939 * server: pseudo-I/O for SSL library
940 *
941 * s_ssl_bio: SSL filter BIO
942 *
943 * The client and the server each employ a "BIO pair":
944 * client + client_io, server + server_io.
945 * BIO pairs are symmetric. A BIO pair behaves similar
946 * to a non-blocking socketpair (but both endpoints must
947 * be handled by the same thread).
7eea36bb
BM		 948 * [Here we could connect client and server to the ends
949 * of a single BIO pair, but then this code would be less
950 * suitable as an example for BIO pairs in general.]
95d29597
BM		 951 *
952 * Useful functions for querying the state of BIO pair endpoints:
953 *
954 * BIO_ctrl_pending(bio) number of bytes we can read now
f50c0497 955 * BIO_ctrl_get_read_request(bio) number of bytes needed to fulfil
95d29597 956 * other side's read attempt
657e60fa 957 * BIO_ctrl_get_write_guarantee(bio) number of bytes we can write now
95d29597
BM		 958 *
959 * ..._read_request is never more than ..._write_guarantee;
960 * it depends on the application which one you should use.
961 */
962
963 /* We have non-blocking behaviour throughout this test program, but
964 * can be sure that there is *some* progress in each iteration; so
965 * we don't have to worry about ..._SHOULD_READ or ..._SHOULD_WRITE
966 * -- we just try everything in each iteration
967 */
968
969 {
970 /* CLIENT */
971
972 MS_STATIC char cbuf[1024*8];
973 int i, r;
563f1503 974 clock_t c_clock = clock();
95d29597 975
896e4fef
BM		 976 memset(cbuf, 0, sizeof(cbuf));
977
95d29597
BM		 978 if (debug)
979 if (SSL_in_init(c_ssl))
980 printf("client waiting in SSL_connect - %s\n",
981 SSL_state_string_long(c_ssl));
982
983 if (cw_num > 0)
984 {
985 /* Write to server. */
986
987 if (cw_num > (long)sizeof cbuf)
988 i = sizeof cbuf;
989 else
990 i = (int)cw_num;
991 r = BIO_write(c_ssl_bio, cbuf, i);
29159a42 992 if (r < 0)
95d29597
BM		 993 {
994 if (!BIO_should_retry(c_ssl_bio))
995 {
996 fprintf(stderr,"ERROR in CLIENT\n");
997 goto err;
998 }
999 /* BIO_should_retry(...) can just be ignored here.
1000 * The library expects us to call BIO_write with
1001 * the same arguments again, and that's what we will
1002 * do in the next iteration. */
1003 }
1004 else if (r == 0)
1005 {
1006 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1007 goto err;
1008 }
1009 else
1010 {
1011 if (debug)
1012 printf("client wrote %d\n", r);
1013 cw_num -= r;
1014 }
1015 }
1016
1017 if (cr_num > 0)
1018 {
1019 /* Read from server. */
1020
1021 r = BIO_read(c_ssl_bio, cbuf, sizeof(cbuf));
1022 if (r < 0)
1023 {
1024 if (!BIO_should_retry(c_ssl_bio))
1025 {
1026 fprintf(stderr,"ERROR in CLIENT\n");
1027 goto err;
1028 }
1029 /* Again, "BIO_should_retry" can be ignored. */
1030 }
1031 else if (r == 0)
1032 {
1033 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1034 goto err;
1035 }
1036 else
1037 {
1038 if (debug)
1039 printf("client read %d\n", r);
1040 cr_num -= r;
1041 }
1042 }
563f1503
BM		 1043
1044 /* c_time and s_time increments will typically be very small
1045 * (depending on machine speed and clock tick intervals),
1046 * but sampling over a large number of connections should
1047 * result in fairly accurate figures. We cannot guarantee
1048 * a lot, however -- if each connection lasts for exactly
1049 * one clock tick, it will be counted only for the client
1050 * or only for the server or even not at all.
1051 */
1052 *c_time += (clock() - c_clock);
95d29597
BM		 1053 }
1054
1055 {
1056 /* SERVER */
1057
1058 MS_STATIC char sbuf[1024*8];
1059 int i, r;
563f1503 1060 clock_t s_clock = clock();
95d29597 1061
896e4fef
BM		 1062 memset(sbuf, 0, sizeof(sbuf));
1063
95d29597
BM		 1064 if (debug)
1065 if (SSL_in_init(s_ssl))
1066 printf("server waiting in SSL_accept - %s\n",
1067 SSL_state_string_long(s_ssl));
1068
1069 if (sw_num > 0)
1070 {
1071 /* Write to client. */
1072
1073 if (sw_num > (long)sizeof sbuf)
1074 i = sizeof sbuf;
1075 else
1076 i = (int)sw_num;
1077 r = BIO_write(s_ssl_bio, sbuf, i);
29159a42 1078 if (r < 0)
95d29597
BM		 1079 {
1080 if (!BIO_should_retry(s_ssl_bio))
1081 {
1082 fprintf(stderr,"ERROR in SERVER\n");
1083 goto err;
1084 }
1085 /* Ignore "BIO_should_retry". */
1086 }
1087 else if (r == 0)
1088 {
1089 fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
1090 goto err;
1091 }
1092 else
1093 {
1094 if (debug)
1095 printf("server wrote %d\n", r);
1096 sw_num -= r;
1097 }
1098 }
1099
1100 if (sr_num > 0)
1101 {
1102 /* Read from client. */
1103
1104 r = BIO_read(s_ssl_bio, sbuf, sizeof(sbuf));
1105 if (r < 0)
1106 {
1107 if (!BIO_should_retry(s_ssl_bio))
1108 {
1109 fprintf(stderr,"ERROR in SERVER\n");
1110 goto err;
1111 }
1112 /* blah, blah */
1113 }
1114 else if (r == 0)
1115 {
1116 fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
1117 goto err;
1118 }
1119 else
1120 {
1121 if (debug)
1122 printf("server read %d\n", r);
1123 sr_num -= r;
1124 }
1125 }
563f1503
BM		 1126
1127 *s_time += (clock() - s_clock);
95d29597
BM		 1128 }
1129
1130 {
1131 /* "I/O" BETWEEN CLIENT AND SERVER. */
1132
95d29597 1133 size_t r1, r2;
6f7af152
BM		 1134 BIO *io1 = server_io, *io2 = client_io;
1135 /* we use the non-copying interface for io1
1136 * and the standard BIO_write/BIO_read interface for io2
1137 */
1138
95d29597
BM		 1139 static int prev_progress = 1;
1140 int progress = 0;
1141
6f7af152 1142 /* io1 to io2 */
95d29597
BM		 1143 do
1144 {
6f7af152 1145 size_t num;
b52f3818 1146 int r;
6f7af152
BM		 1147
1148 r1 = BIO_ctrl_pending(io1);
1149 r2 = BIO_ctrl_get_write_guarantee(io2);
95d29597
BM		 1150
1151 num = r1;
1152 if (r2 < num)
1153 num = r2;
1154 if (num)
1155 {
6f7af152
BM		 1156 char *dataptr;
1157
95d29597
BM		 1158 if (INT_MAX < num) /* yeah, right */
1159 num = INT_MAX;
1160
6f7af152
BM		 1161 r = BIO_nread(io1, &dataptr, (int)num);
1162 assert(r > 0);
1163 assert(r <= (int)num);
1164 /* possibly r < num (non-contiguous data) */
1165 num = r;
1166 r = BIO_write(io2, dataptr, (int)num);
95d29597
BM		 1167 if (r != (int)num) /* can't happen */
1168 {
1169 fprintf(stderr, "ERROR: BIO_write could not write "
1170 "BIO_ctrl_get_write_guarantee() bytes");
1171 goto err;
1172 }
1173 progress = 1;
1174
1175 if (debug)
6f7af152
BM		 1176 printf((io1 == client_io) ?
1177 "C->S relaying: %d bytes\n" :
1178 "S->C relaying: %d bytes\n",
1179 (int)num);
95d29597
BM		 1180 }
1181 }
1182 while (r1 && r2);
1183
6f7af152
BM		 1184 /* io2 to io1 */
1185 {
1186 size_t num;
1187 int r;
1188
1189 r1 = BIO_ctrl_pending(io2);
1190 r2 = BIO_ctrl_get_read_request(io1);
1191 /* here we could use ..._get_write_guarantee instead of
1192 * ..._get_read_request, but by using the latter
1193 * we test restartability of the SSL implementation
1194 * more thoroughly */
95d29597
BM		 1195 num = r1;
1196 if (r2 < num)
1197 num = r2;
1198 if (num)
1199 {
6f7af152
BM		 1200 char *dataptr;
1201
95d29597
BM		 1202 if (INT_MAX < num)
1203 num = INT_MAX;
6f7af152
BM		 1204
1205 if (num > 1)
cb0369d8 1206 --num; /* test restartability even more thoroughly */
95d29597 1207
234c7376 1208 r = BIO_nwrite0(io1, &dataptr);
6f7af152 1209 assert(r > 0);
cc129755 1210 if (r < (int)num)
234c7376 1211 num = r;
6f7af152 1212 r = BIO_read(io2, dataptr, (int)num);
95d29597
BM		 1213 if (r != (int)num) /* can't happen */
1214 {
1215 fprintf(stderr, "ERROR: BIO_read could not read "
1216 "BIO_ctrl_pending() bytes");
1217 goto err;
1218 }
95d29597 1219 progress = 1;
234c7376
BM		 1220 r = BIO_nwrite(io1, &dataptr, (int)num);
1221 if (r != (int)num) /* can't happen */
1222 {
1223 fprintf(stderr, "ERROR: BIO_nwrite() did not accept "
1224 "BIO_nwrite0() bytes");
1225 goto err;
1226 }
6f7af152 1227
95d29597 1228 if (debug)
6f7af152
BM		 1229 printf((io2 == client_io) ?
1230 "C->S relaying: %d bytes\n" :
1231 "S->C relaying: %d bytes\n",
1232 (int)num);
95d29597 1233 }
6f7af152 1234 } /* no loop, BIO_ctrl_get_read_request now returns 0 anyway */
95d29597
BM		 1235
1236 if (!progress && !prev_progress)
1237 if (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0)
95d29597
BM		 1238 {
1239 fprintf(stderr, "ERROR: got stuck\n");
d7fcc7f6
BM		 1240 if (strcmp("SSLv2", SSL_get_version(c_ssl)) == 0)
1241 {
1242 fprintf(stderr, "This can happen for SSL2 because "
1243 "CLIENT-FINISHED and SERVER-VERIFY are written \n"
1244 "concurrently ...");
1245 if (strncmp("2SCF", SSL_state_string(c_ssl), 4) == 0
1246 && strncmp("2SSV", SSL_state_string(s_ssl), 4) == 0)
1247 {
1248 fprintf(stderr, " ok.\n");
1249 goto end;
1250 }
1251 }
1252 fprintf(stderr, " ERROR.\n");
95d29597
BM		 1253 goto err;
1254 }
1255 prev_progress = progress;
1256 }
1257 }
1258 while (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0);
1259
95d29597 1260 if (verbose)
563f1503
BM		 1261 print_details(c_ssl, "DONE via BIO pair: ");
1262end:
95d29597
BM		 1263 ret = 0;
1264
1265 err:
1266 ERR_print_errors(bio_err);
1267
1268 if (server)
1269 BIO_free(server);
1270 if (server_io)
1271 BIO_free(server_io);
1272 if (client)
1273 BIO_free(client);
1274 if (client_io)
1275 BIO_free(client_io);
1276 if (s_ssl_bio)
1277 BIO_free(s_ssl_bio);
1278 if (c_ssl_bio)
1279 BIO_free(c_ssl_bio);
1280
1281 return ret;
1282 }
1283
1284
d02b48c6
RE		 1285#define W_READ 1
1286#define W_WRITE 2
1287#define C_DONE 1
1288#define S_DONE 2
1289
6b691a5c 1290int doit(SSL *s_ssl, SSL *c_ssl, long count)
d02b48c6 1291 {
58964a49
RE		 1292 MS_STATIC char cbuf[1024*8],sbuf[1024*8];
1293 long cw_num=count,cr_num=count;
1294 long sw_num=count,sr_num=count;
d02b48c6 1295 int ret=1;
d02b48c6
RE		 1296 BIO *c_to_s=NULL;
1297 BIO *s_to_c=NULL;
1298 BIO *c_bio=NULL;
1299 BIO *s_bio=NULL;
1300 int c_r,c_w,s_r,s_w;
1301 int c_want,s_want;
58964a49 1302 int i,j;
d02b48c6
RE		 1303 int done=0;
1304 int c_write,s_write;
1305 int do_server=0,do_client=0;
d02b48c6 1306
896e4fef
BM		 1307 memset(cbuf,0,sizeof(cbuf));
1308 memset(sbuf,0,sizeof(sbuf));
1309
d02b48c6
RE		 1310 c_to_s=BIO_new(BIO_s_mem());
1311 s_to_c=BIO_new(BIO_s_mem());
1312 if ((s_to_c == NULL) || (c_to_s == NULL))
1313 {
1314 ERR_print_errors(bio_err);
1315 goto err;
1316 }
1317
1318 c_bio=BIO_new(BIO_f_ssl());
1319 s_bio=BIO_new(BIO_f_ssl());
1320 if ((c_bio == NULL) || (s_bio == NULL))
1321 {
1322 ERR_print_errors(bio_err);
1323 goto err;
1324 }
1325
1326 SSL_set_connect_state(c_ssl);
1327 SSL_set_bio(c_ssl,s_to_c,c_to_s);
58964a49 1328 BIO_set_ssl(c_bio,c_ssl,BIO_NOCLOSE);
d02b48c6
RE		 1329
1330 SSL_set_accept_state(s_ssl);
1331 SSL_set_bio(s_ssl,c_to_s,s_to_c);
58964a49 1332 BIO_set_ssl(s_bio,s_ssl,BIO_NOCLOSE);
d02b48c6
RE		 1333
1334 c_r=0; s_r=1;
1335 c_w=1; s_w=0;
1336 c_want=W_WRITE;
1337 s_want=0;
1338 c_write=1,s_write=0;
1339
1340 /* We can always do writes */
1341 for (;;)
1342 {
1343 do_server=0;
1344 do_client=0;
1345
1346 i=(int)BIO_pending(s_bio);
1347 if ((i && s_r) || s_w) do_server=1;
1348
1349 i=(int)BIO_pending(c_bio);
1350 if ((i && c_r) || c_w) do_client=1;
1351
58964a49 1352 if (do_server && debug)
d02b48c6
RE		 1353 {
1354 if (SSL_in_init(s_ssl))
1355 printf("server waiting in SSL_accept - %s\n",
1356 SSL_state_string_long(s_ssl));
58964a49 1357/* else if (s_write)
d02b48c6 1358 printf("server:SSL_write()\n");
58964a49
RE		 1359 else
1360 printf("server:SSL_read()\n"); */
d02b48c6
RE		 1361 }
1362
58964a49 1363 if (do_client && debug)
d02b48c6
RE		 1364 {
1365 if (SSL_in_init(c_ssl))
1366 printf("client waiting in SSL_connect - %s\n",
1367 SSL_state_string_long(c_ssl));
58964a49 1368/* else if (c_write)
d02b48c6
RE		 1369 printf("client:SSL_write()\n");
1370 else
58964a49 1371 printf("client:SSL_read()\n"); */
d02b48c6
RE		 1372 }
1373
1374 if (!do_client && !do_server)
1375 {
1376 fprintf(stdout,"ERROR IN STARTUP\n");
1377 ERR_print_errors(bio_err);
1378 break;
1379 }
1380 if (do_client && !(done & C_DONE))
1381 {
1382 if (c_write)
1383 {
27545970
GT		 1384 j = (cw_num > (long)sizeof(cbuf)) ?
1385 (int)sizeof(cbuf) : (int)cw_num;
58964a49 1386 i=BIO_write(c_bio,cbuf,j);
d02b48c6
RE		 1387 if (i < 0)
1388 {
1389 c_r=0;
1390 c_w=0;
1391 if (BIO_should_retry(c_bio))
1392 {
1393 if (BIO_should_read(c_bio))
1394 c_r=1;
1395 if (BIO_should_write(c_bio))
1396 c_w=1;
1397 }
1398 else
1399 {
1400 fprintf(stderr,"ERROR in CLIENT\n");
1401 ERR_print_errors(bio_err);
1402 goto err;
1403 }
1404 }
1405 else if (i == 0)
1406 {
1407 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1408 goto err;
1409 }
1410 else
1411 {
58964a49
RE		 1412 if (debug)
1413 printf("client wrote %d\n",i);
d02b48c6 1414 /* ok */
58964a49 1415 s_r=1;
d02b48c6 1416 c_write=0;
58964a49 1417 cw_num-=i;
d02b48c6
RE		 1418 }
1419 }
1420 else
1421 {
58964a49 1422 i=BIO_read(c_bio,cbuf,sizeof(cbuf));
d02b48c6
RE		 1423 if (i < 0)
1424 {
1425 c_r=0;
1426 c_w=0;
1427 if (BIO_should_retry(c_bio))
1428 {
1429 if (BIO_should_read(c_bio))
1430 c_r=1;
1431 if (BIO_should_write(c_bio))
1432 c_w=1;
1433 }
1434 else
1435 {
1436 fprintf(stderr,"ERROR in CLIENT\n");
1437 ERR_print_errors(bio_err);
1438 goto err;
1439 }
1440 }
1441 else if (i == 0)
1442 {
1443 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1444 goto err;
1445 }
1446 else
1447 {
58964a49
RE		 1448 if (debug)
1449 printf("client read %d\n",i);
1450 cr_num-=i;
1451 if (sw_num > 0)
1452 {
1453 s_write=1;
1454 s_w=1;
1455 }
1456 if (cr_num <= 0)
1457 {
1458 s_write=1;
1459 s_w=1;
1460 done=S_DONE|C_DONE;
1461 }
d02b48c6
RE		 1462 }
1463 }
1464 }
1465
1466 if (do_server && !(done & S_DONE))
1467 {
1468 if (!s_write)
1469 {
58964a49 1470 i=BIO_read(s_bio,sbuf,sizeof(cbuf));
d02b48c6
RE		 1471 if (i < 0)
1472 {
1473 s_r=0;
1474 s_w=0;
1475 if (BIO_should_retry(s_bio))
1476 {
1477 if (BIO_should_read(s_bio))
1478 s_r=1;
1479 if (BIO_should_write(s_bio))
1480 s_w=1;
1481 }
1482 else
1483 {
1484 fprintf(stderr,"ERROR in SERVER\n");
1485 ERR_print_errors(bio_err);
1486 goto err;
1487 }
1488 }
1489 else if (i == 0)
1490 {
1491 ERR_print_errors(bio_err);
1492 fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_read\n");
1493 goto err;
1494 }
1495 else
1496 {
58964a49
RE		 1497 if (debug)
1498 printf("server read %d\n",i);
1499 sr_num-=i;
1500 if (cw_num > 0)
1501 {
1502 c_write=1;
1503 c_w=1;
1504 }
1505 if (sr_num <= 0)
1506 {
1507 s_write=1;
1508 s_w=1;
1509 c_write=0;
1510 }
d02b48c6
RE		 1511 }
1512 }
1513 else
1514 {
27545970
GT		 1515 j = (sw_num > (long)sizeof(sbuf)) ?
1516 (int)sizeof(sbuf) : (int)sw_num;
58964a49 1517 i=BIO_write(s_bio,sbuf,j);
d02b48c6
RE		 1518 if (i < 0)
1519 {
1520 s_r=0;
1521 s_w=0;
1522 if (BIO_should_retry(s_bio))
1523 {
1524 if (BIO_should_read(s_bio))
1525 s_r=1;
1526 if (BIO_should_write(s_bio))
1527 s_w=1;
1528 }
1529 else
1530 {
1531 fprintf(stderr,"ERROR in SERVER\n");
1532 ERR_print_errors(bio_err);
1533 goto err;
1534 }
1535 }
1536 else if (i == 0)
1537 {
1538 ERR_print_errors(bio_err);
1539 fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_write\n");
1540 goto err;
1541 }
1542 else
1543 {
58964a49
RE		 1544 if (debug)
1545 printf("server wrote %d\n",i);
1546 sw_num-=i;
d02b48c6 1547 s_write=0;
58964a49
RE		 1548 c_r=1;
1549 if (sw_num <= 0)
1550 done|=S_DONE;
d02b48c6
RE		 1551 }
1552 }
1553 }
1554
1555 if ((done & S_DONE) && (done & C_DONE)) break;
1556 }
1557
58964a49 1558 if (verbose)
563f1503 1559 print_details(c_ssl, "DONE: ");
d02b48c6
RE		 1560 ret=0;
1561err:
1562 /* We have to set the BIO's to NULL otherwise they will be
26a3a48d 1563 * OPENSSL_free()ed twice. Once when th s_ssl is SSL_free()ed and
d02b48c6
RE		 1564 * again when c_ssl is SSL_free()ed.
1565 * This is a hack required because s_ssl and c_ssl are sharing the same
1566 * BIO structure and SSL_set_bio() and SSL_free() automatically
1567 * BIO_free non NULL entries.
1568 * You should not normally do this or be required to do this */
1569 if (s_ssl != NULL)
1570 {
1571 s_ssl->rbio=NULL;
1572 s_ssl->wbio=NULL;
1573 }
1574 if (c_ssl != NULL)
1575 {
1576 c_ssl->rbio=NULL;
1577 c_ssl->wbio=NULL;
1578 }
1579
1580 if (c_to_s != NULL) BIO_free(c_to_s);
1581 if (s_to_c != NULL) BIO_free(s_to_c);
58964a49
RE		 1582 if (c_bio != NULL) BIO_free_all(c_bio);
1583 if (s_bio != NULL) BIO_free_all(s_bio);
d02b48c6
RE		 1584 return(ret);
1585 }
1586
a7201e9a
RL		 1587static int get_proxy_auth_ex_data_idx(void)
1588 {
1589 static volatile int idx = -1;
1590 if (idx < 0)
1591 {
1592 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
1593 if (idx < 0)
1594 {
1595 idx = X509_STORE_CTX_get_ex_new_index(0,
1596 "SSLtest for verify callback", NULL,NULL,NULL);
1597 }
1598 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
1599 }
1600 return idx;
1601 }
1602
396f6314 1603static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
d02b48c6
RE		 1604 {
1605 char *s,buf[256];
1606
54a656ef
BL		 1607 s=X509_NAME_oneline(X509_get_subject_name(ctx->current_cert),buf,
1608 sizeof buf);
d02b48c6
RE		 1609 if (s != NULL)
1610 {
1611 if (ok)
a7201e9a
RL		 1612 fprintf(stderr,"depth=%d %s\n",
1613 ctx->error_depth,buf);
d02b48c6 1614 else
d9bfe4f9 1615 {
d02b48c6
RE		 1616 fprintf(stderr,"depth=%d error=%d %s\n",
1617 ctx->error_depth,ctx->error,buf);
d9bfe4f9 1618 }
d02b48c6
RE		 1619 }
1620
1621 if (ok == 0)
1622 {
d9bfe4f9
RL		 1623 fprintf(stderr,"Error string: %s\n",
1624 X509_verify_cert_error_string(ctx->error));
d02b48c6
RE		 1625 switch (ctx->error)
1626 {
1627 case X509_V_ERR_CERT_NOT_YET_VALID:
1628 case X509_V_ERR_CERT_HAS_EXPIRED:
1629 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
d9bfe4f9 1630 fprintf(stderr," ... ignored.\n");
d02b48c6
RE		 1631 ok=1;
1632 }
1633 }
1634
a7201e9a
RL		 1635 if (ok == 1)
1636 {
1637 X509 *xs = ctx->current_cert;
1638#if 0
1639 X509 *xi = ctx->current_issuer;
1640#endif
1641
1642 if (xs->ex_flags & EXFLAG_PROXY)
1643 {
1644 unsigned int *letters =
1645 X509_STORE_CTX_get_ex_data(ctx,
1646 get_proxy_auth_ex_data_idx());
1647
1648 if (letters)
1649 {
1650 int found_any = 0;
1651 int i;
1652 PROXY_CERT_INFO_EXTENSION *pci =
1653 X509_get_ext_d2i(xs, NID_proxyCertInfo,
1654 NULL, NULL);
1655
1656 switch (OBJ_obj2nid(pci->proxyPolicy->policyLanguage))
1657 {
1658 case NID_Independent:
1659 /* Completely meaningless in this
1660 program, as there's no way to
1661 grant explicit rights to a
1662 specific PrC. Basically, using
1663 id-ppl-Independent is the perfect
1664 way to grant no rights at all. */
1665 fprintf(stderr, " Independent proxy certificate");
1666 for (i = 0; i < 26; i++)
1667 letters[i] = 0;
1668 break;
1669 case NID_id_ppl_inheritAll:
1670 /* This is basically a NOP, we
1671 simply let the current rights
1672 stand as they are. */
1673 fprintf(stderr, " Proxy certificate inherits all");
1674 break;
1675 default:
1676 s = (char *)
1677 pci->proxyPolicy->policy->data;
1678 i = pci->proxyPolicy->policy->length;
1679
1680 /* The algorithm works as follows:
1681 it is assumed that previous
1682 iterations or the initial granted
1683 rights has already set some elements
1684 of `letters'. What we need to do is
1685 to clear those that weren't granted
1686 by the current PrC as well. The
1687 easiest way to do this is to add 1
1688 to all the elements whose letters
1689 are given with the current policy.
1690 That way, all elements that are set
1691 by the current policy and were
1692 already set by earlier policies and
1693 through the original grant of rights
1694 will get the value 2 or higher.
1695 The last thing to do is to sweep
1696 through `letters' and keep the
1697 elements having the value 2 as set,
1698 and clear all the others. */
1699
1700 fprintf(stderr, " Certificate proxy rights = %*.*s", i, i, s);
1701 while(i-- > 0)
1702 {
1703 char c = *s++;
1704 if (isascii(c) && isalpha(c))
1705 {
1706 if (islower(c))
1707 c = toupper(c);
1708 letters[c - 'A']++;
1709 }
1710 }
1711 for (i = 0; i < 26; i++)
1712 if (letters[i] < 2)
1713 letters[i] = 0;
1714 else
1715 letters[i] = 1;
1716 }
1717
1718 found_any = 0;
1719 fprintf(stderr,
1720 ", resulting proxy rights = ");
1721 for(i = 0; i < 26; i++)
1722 if (letters[i])
1723 {
1724 fprintf(stderr, "%c", i + 'A');
1725 found_any = 1;
1726 }
1727 if (!found_any)
1728 fprintf(stderr, "none");
1729 fprintf(stderr, "\n");
1730
1731 PROXY_CERT_INFO_EXTENSION_free(pci);
1732 }
1733 }
1734 }
1735
d02b48c6
RE		 1736 return(ok);
1737 }
1738
a7201e9a
RL		 1739static void process_proxy_debug(int indent, const char *format, ...)
1740 {
1741 static const char indentation[] =
1742 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
1743 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"; /* That's 80 > */
1744 char my_format[256];
1745 va_list args;
1746
1747 BIO_snprintf(my_format, sizeof(my_format), "%*.*s %s",
1748 indent, indent, indentation, format);
1749
1750 va_start(args, format);
1751 vfprintf(stderr, my_format, args);
1752 va_end(args);
1753 }
1754/* Priority levels:
1755 0 [!]var, ()
1756 1 & ^
1757 2 |
1758*/
1759static int process_proxy_cond_adders(unsigned int letters[26],
1760 const char *cond, const char **cond_end, int *pos, int indent);
1761static int process_proxy_cond_val(unsigned int letters[26],
1762 const char *cond, const char **cond_end, int *pos, int indent)
1763 {
1764 char c;
1765 int ok = 1;
1766 int negate = 0;
1767
1768 while(isspace(*cond))
1769 {
1770 cond++; (*pos)++;
1771 }
1772 c = *cond;
1773
1774 if (debug)
1775 process_proxy_debug(indent,
1776 "Start process_proxy_cond_val at position %d: %s\n",
1777 *pos, cond);
1778
1779 while(c == '!')
1780 {
1781 negate = !negate;
1782 cond++; (*pos)++;
1783 while(isspace(*cond))
1784 {
1785 cond++; (*pos)++;
1786 }
1787 c = *cond;
1788 }
1789
1790 if (c == '(')
1791 {
1792 cond++; (*pos)++;
1793 ok = process_proxy_cond_adders(letters, cond, cond_end, pos,
1794 indent + 1);
1795 cond = *cond_end;
1796 if (ok < 0)
1797 goto end;
1798 while(isspace(*cond))
1799 {
1800 cond++; (*pos)++;
1801 }
1802 c = *cond;
1803 if (c != ')')
1804 {
1805 fprintf(stderr,
1806 "Weird condition character in position %d: "
1807 "%c\n", *pos, c);
1808 ok = -1;
1809 goto end;
1810 }
1811 cond++; (*pos)++;
1812 }
1813 else if (isascii(c) && isalpha(c))
1814 {
1815 if (islower(c))
1816 c = toupper(c);
1817 ok = letters[c - 'A'];
1818 cond++; (*pos)++;
1819 }
1820 else
1821 {
1822 fprintf(stderr,
1823 "Weird condition character in position %d: "
1824 "%c\n", *pos, c);
1825 ok = -1;
1826 goto end;
1827 }
1828 end:
1829 *cond_end = cond;
1830 if (ok >= 0 && negate)
1831 ok = !ok;
1832
1833 if (debug)
1834 process_proxy_debug(indent,
1835 "End process_proxy_cond_val at position %d: %s, returning %d\n",
1836 *pos, cond, ok);
1837
1838 return ok;
1839 }
1840static int process_proxy_cond_multipliers(unsigned int letters[26],
1841 const char *cond, const char **cond_end, int *pos, int indent)
1842 {
1843 int ok;
1844 char c;
1845
1846 if (debug)
1847 process_proxy_debug(indent,
1848 "Start process_proxy_cond_multipliers at position %d: %s\n",
1849 *pos, cond);
1850
1851 ok = process_proxy_cond_val(letters, cond, cond_end, pos, indent + 1);
1852 cond = *cond_end;
1853 if (ok < 0)
1854 goto end;
1855
1856 while(ok >= 0)
1857 {
1858 while(isspace(*cond))
1859 {
1860 cond++; (*pos)++;
1861 }
1862 c = *cond;
1863
1864 switch(c)
1865 {
1866 case '&':
1867 case '^':
1868 {
1869 int save_ok = ok;
1870
1871 cond++; (*pos)++;
1872 ok = process_proxy_cond_val(letters,
1873 cond, cond_end, pos, indent + 1);
1874 cond = *cond_end;
1875 if (ok < 0)
1876 break;
1877
1878 switch(c)
1879 {
1880 case '&':
1881 ok &= save_ok;
1882 break;
1883 case '^':
1884 ok ^= save_ok;
1885 break;
1886 default:
1887 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
1888 " STOPPING\n");
1889 EXIT(1);
1890 }
1891 }
1892 break;
1893 default:
1894 goto end;
1895 }
1896 }
1897 end:
1898 if (debug)
1899 process_proxy_debug(indent,
1900 "End process_proxy_cond_multipliers at position %d: %s, returning %d\n",
1901 *pos, cond, ok);
1902
1903 *cond_end = cond;
1904 return ok;
1905 }
1906static int process_proxy_cond_adders(unsigned int letters[26],
1907 const char *cond, const char **cond_end, int *pos, int indent)
1908 {
1909 int ok;
1910 char c;
1911
1912 if (debug)
1913 process_proxy_debug(indent,
1914 "Start process_proxy_cond_adders at position %d: %s\n",
1915 *pos, cond);
1916
1917 ok = process_proxy_cond_multipliers(letters, cond, cond_end, pos,
1918 indent + 1);
1919 cond = *cond_end;
1920 if (ok < 0)
1921 goto end;
1922
1923 while(ok >= 0)
1924 {
1925 while(isspace(*cond))
1926 {
1927 cond++; (*pos)++;
1928 }
1929 c = *cond;
1930
1931 switch(c)
1932 {
1933 case '|':
1934 {
1935 int save_ok = ok;
1936
1937 cond++; (*pos)++;
1938 ok = process_proxy_cond_multipliers(letters,
1939 cond, cond_end, pos, indent + 1);
1940 cond = *cond_end;
1941 if (ok < 0)
1942 break;
1943
1944 switch(c)
1945 {
1946 case '|':
1947 ok |= save_ok;
1948 break;
1949 default:
1950 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
1951 " STOPPING\n");
1952 EXIT(1);
1953 }
1954 }
1955 break;
1956 default:
1957 goto end;
1958 }
1959 }
1960 end:
1961 if (debug)
1962 process_proxy_debug(indent,
1963 "End process_proxy_cond_adders at position %d: %s, returning %d\n",
1964 *pos, cond, ok);
1965
1966 *cond_end = cond;
1967 return ok;
1968 }
1969
1970static int process_proxy_cond(unsigned int letters[26],
1971 const char *cond, const char **cond_end)
1972 {
1973 int pos = 1;
1974 return process_proxy_cond_adders(letters, cond, cond_end, &pos, 1);
1975 }
1976
023ec151
BM		 1977static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg)
1978 {
023ec151 1979 int ok=1;
a7201e9a
RL		 1980 struct app_verify_arg *cb_arg = arg;
1981 unsigned int letters[26]; /* only used with proxy_auth */
023ec151 1982
a7201e9a 1983 if (cb_arg->app_verify)
023ec151 1984 {
a7201e9a
RL		 1985 char *s = NULL,buf[256];
1986
1987 fprintf(stderr, "In app_verify_callback, allowing cert. ");
1988 fprintf(stderr, "Arg is: %s\n", cb_arg->string);
1989 fprintf(stderr, "Finished printing do we have a context? 0x%x a cert? 0x%x\n",
1990 (unsigned int)ctx, (unsigned int)ctx->cert);
1991 if (ctx->cert)
1992 s=X509_NAME_oneline(X509_get_subject_name(ctx->cert),buf,256);
1993 if (s != NULL)
1994 {
023ec151 1995 fprintf(stderr,"cert depth=%d %s\n",ctx->error_depth,buf);
a7201e9a
RL		 1996 }
1997 return(1);
1998 }
1999 if (cb_arg->proxy_auth)
2000 {
2001 int found_any = 0, i;
2002 char *sp;
2003
2004 for(i = 0; i < 26; i++)
2005 letters[i] = 0;
2006 for(sp = cb_arg->proxy_auth; *sp; sp++)
2007 {
2008 char c = *sp;
2009 if (isascii(c) && isalpha(c))
2010 {
2011 if (islower(c))
2012 c = toupper(c);
2013 letters[c - 'A'] = 1;
2014 }
2015 }
2016
2017 fprintf(stderr,
2018 " Initial proxy rights = ");
2019 for(i = 0; i < 26; i++)
2020 if (letters[i])
2021 {
2022 fprintf(stderr, "%c", i + 'A');
2023 found_any = 1;
2024 }
2025 if (!found_any)
2026 fprintf(stderr, "none");
2027 fprintf(stderr, "\n");
2028
2029 X509_STORE_CTX_set_ex_data(ctx,
2030 get_proxy_auth_ex_data_idx(),letters);
023ec151 2031 }
d9bfe4f9
RL		 2032 if (cb_arg->allow_proxy_certs)
2033 {
2034 X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
2035 }
023ec151 2036
a7201e9a
RL		 2037#ifndef OPENSSL_NO_X509_VERIFY
2038# ifdef OPENSSL_FIPS
2039 if(s->version == TLS1_VERSION)
2040 FIPS_allow_md5(1);
2041# endif
2042 ok = X509_verify_cert(ctx);
2043# ifdef OPENSSL_FIPS
2044 if(s->version == TLS1_VERSION)
2045 FIPS_allow_md5(0);
2046# endif
2047#endif
2048
2049 if (cb_arg->proxy_auth)
2050 {
2051 if (ok)
2052 {
2053 const char *cond_end = NULL;
2054
2055 ok = process_proxy_cond(letters,
2056 cb_arg->proxy_cond, &cond_end);
2057
2058 if (ok < 0)
2059 EXIT(3);
2060 if (*cond_end)
2061 {
2062 fprintf(stderr, "Stopped processing condition before it's end.\n");
2063 ok = 0;
2064 }
2065 if (!ok)
2066 fprintf(stderr, "Proxy rights check with condition '%s' proved invalid\n",
2067 cb_arg->proxy_cond);
2068 else
2069 fprintf(stderr, "Proxy rights check with condition '%s' proved valid\n",
2070 cb_arg->proxy_cond);
2071 }
2072 }
023ec151
BM		 2073 return(ok);
2074 }
2075
bc36ee62 2076#ifndef OPENSSL_NO_RSA
46b3bd54
BM		 2077static RSA *rsa_tmp=NULL;
2078
df63a389 2079static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength)
58964a49 2080 {
bcfea9fb 2081 BIGNUM *bn = NULL;
58964a49
RE		 2082 if (rsa_tmp == NULL)
2083 {
bcfea9fb 2084 bn = BN_new();
e9224c71 2085 rsa_tmp = RSA_new();
bcfea9fb 2086 if(!bn || !rsa_tmp || !BN_set_word(bn, RSA_F4))
e9224c71
GT		 2087 {
2088 BIO_printf(bio_err, "Memory error...");
2089 goto end;
2090 }
60e31c3a 2091 BIO_printf(bio_err,"Generating temp (%d bit) RSA key...",keylength);
d58d092b 2092 (void)BIO_flush(bio_err);
bcfea9fb 2093 if(!RSA_generate_key_ex(rsa_tmp,keylength,bn,NULL))
e9224c71 2094 {
3ae70939 2095 BIO_printf(bio_err, "Error generating key.");
e9224c71
GT		 2096 RSA_free(rsa_tmp);
2097 rsa_tmp = NULL;
2098 }
2099end:
58964a49 2100 BIO_printf(bio_err,"\n");
d58d092b 2101 (void)BIO_flush(bio_err);
58964a49 2102 }
bcfea9fb 2103 if(bn) BN_free(bn);
58964a49
RE		 2104 return(rsa_tmp);
2105 }
46b3bd54
BM		 2106
2107static void free_tmp_rsa(void)
2108 {
2109 if (rsa_tmp != NULL)
2110 {
2111 RSA_free(rsa_tmp);
2112 rsa_tmp = NULL;
2113 }
2114 }
79df9d62 2115#endif
53002dc6 2116
bc36ee62 2117#ifndef OPENSSL_NO_DH
e4589582
BM		 2118/* These DH parameters have been generated as follows:
2119 * $ openssl dhparam -C -noout 512
2120 * $ openssl dhparam -C -noout 1024
2121 * $ openssl dhparam -C -noout -dsaparam 1024
2122 * (The third function has been renamed to avoid name conflicts.)
2123 */
f3f316f1 2124static DH *get_dh512()
e4589582
BM		 2125 {
2126 static unsigned char dh512_p[]={
2127 0xCB,0xC8,0xE1,0x86,0xD0,0x1F,0x94,0x17,0xA6,0x99,0xF0,0xC6,
2128 0x1F,0x0D,0xAC,0xB6,0x25,0x3E,0x06,0x39,0xCA,0x72,0x04,0xB0,
2129 0x6E,0xDA,0xC0,0x61,0xE6,0x7A,0x77,0x25,0xE8,0x3B,0xB9,0x5F,
2130 0x9A,0xB6,0xB5,0xFE,0x99,0x0B,0xA1,0x93,0x4E,0x35,0x33,0xB8,
2131 0xE1,0xF1,0x13,0x4F,0x59,0x1A,0xD2,0x57,0xC0,0x26,0x21,0x33,
2132 0x02,0xC5,0xAE,0x23,
2133 };
2134 static unsigned char dh512_g[]={
2135 0x02,
2136 };
2137 DH *dh;
2138
2139 if ((dh=DH_new()) == NULL) return(NULL);
2140 dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
2141 dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
2142 if ((dh->p == NULL) || (dh->g == NULL))
2143 { DH_free(dh); return(NULL); }
2144 return(dh);
2145 }
2146
f3f316f1 2147static DH *get_dh1024()
53002dc6 2148 {
e4589582
BM		 2149 static unsigned char dh1024_p[]={
2150 0xF8,0x81,0x89,0x7D,0x14,0x24,0xC5,0xD1,0xE6,0xF7,0xBF,0x3A,
2151 0xE4,0x90,0xF4,0xFC,0x73,0xFB,0x34,0xB5,0xFA,0x4C,0x56,0xA2,
2152 0xEA,0xA7,0xE9,0xC0,0xC0,0xCE,0x89,0xE1,0xFA,0x63,0x3F,0xB0,
2153 0x6B,0x32,0x66,0xF1,0xD1,0x7B,0xB0,0x00,0x8F,0xCA,0x87,0xC2,
2154 0xAE,0x98,0x89,0x26,0x17,0xC2,0x05,0xD2,0xEC,0x08,0xD0,0x8C,
2155 0xFF,0x17,0x52,0x8C,0xC5,0x07,0x93,0x03,0xB1,0xF6,0x2F,0xB8,
2156 0x1C,0x52,0x47,0x27,0x1B,0xDB,0xD1,0x8D,0x9D,0x69,0x1D,0x52,
2157 0x4B,0x32,0x81,0xAA,0x7F,0x00,0xC8,0xDC,0xE6,0xD9,0xCC,0xC1,
2158 0x11,0x2D,0x37,0x34,0x6C,0xEA,0x02,0x97,0x4B,0x0E,0xBB,0xB1,
2159 0x71,0x33,0x09,0x15,0xFD,0xDD,0x23,0x87,0x07,0x5E,0x89,0xAB,
2160 0x6B,0x7C,0x5F,0xEC,0xA6,0x24,0xDC,0x53,
2161 };
2162 static unsigned char dh1024_g[]={
2163 0x02,
2164 };
2165 DH *dh;
2166
2167 if ((dh=DH_new()) == NULL) return(NULL);
2168 dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
2169 dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
2170 if ((dh->p == NULL) || (dh->g == NULL))
2171 { DH_free(dh); return(NULL); }
2172 return(dh);
2173 }
53002dc6 2174
f3f316f1 2175static DH *get_dh1024dsa()
e4589582
BM		 2176 {
2177 static unsigned char dh1024_p[]={
2178 0xC8,0x00,0xF7,0x08,0x07,0x89,0x4D,0x90,0x53,0xF3,0xD5,0x00,
2179 0x21,0x1B,0xF7,0x31,0xA6,0xA2,0xDA,0x23,0x9A,0xC7,0x87,0x19,
2180 0x3B,0x47,0xB6,0x8C,0x04,0x6F,0xFF,0xC6,0x9B,0xB8,0x65,0xD2,
2181 0xC2,0x5F,0x31,0x83,0x4A,0xA7,0x5F,0x2F,0x88,0x38,0xB6,0x55,
2182 0xCF,0xD9,0x87,0x6D,0x6F,0x9F,0xDA,0xAC,0xA6,0x48,0xAF,0xFC,
2183 0x33,0x84,0x37,0x5B,0x82,0x4A,0x31,0x5D,0xE7,0xBD,0x52,0x97,
2184 0xA1,0x77,0xBF,0x10,0x9E,0x37,0xEA,0x64,0xFA,0xCA,0x28,0x8D,
2185 0x9D,0x3B,0xD2,0x6E,0x09,0x5C,0x68,0xC7,0x45,0x90,0xFD,0xBB,
2186 0x70,0xC9,0x3A,0xBB,0xDF,0xD4,0x21,0x0F,0xC4,0x6A,0x3C,0xF6,
2187 0x61,0xCF,0x3F,0xD6,0x13,0xF1,0x5F,0xBC,0xCF,0xBC,0x26,0x9E,
2188 0xBC,0x0B,0xBD,0xAB,0x5D,0xC9,0x54,0x39,
2189 };
2190 static unsigned char dh1024_g[]={
2191 0x3B,0x40,0x86,0xE7,0xF3,0x6C,0xDE,0x67,0x1C,0xCC,0x80,0x05,
2192 0x5A,0xDF,0xFE,0xBD,0x20,0x27,0x74,0x6C,0x24,0xC9,0x03,0xF3,
2193 0xE1,0x8D,0xC3,0x7D,0x98,0x27,0x40,0x08,0xB8,0x8C,0x6A,0xE9,
2194 0xBB,0x1A,0x3A,0xD6,0x86,0x83,0x5E,0x72,0x41,0xCE,0x85,0x3C,
2195 0xD2,0xB3,0xFC,0x13,0xCE,0x37,0x81,0x9E,0x4C,0x1C,0x7B,0x65,
2196 0xD3,0xE6,0xA6,0x00,0xF5,0x5A,0x95,0x43,0x5E,0x81,0xCF,0x60,
2197 0xA2,0x23,0xFC,0x36,0xA7,0x5D,0x7A,0x4C,0x06,0x91,0x6E,0xF6,
2198 0x57,0xEE,0x36,0xCB,0x06,0xEA,0xF5,0x3D,0x95,0x49,0xCB,0xA7,
2199 0xDD,0x81,0xDF,0x80,0x09,0x4A,0x97,0x4D,0xA8,0x22,0x72,0xA1,
2200 0x7F,0xC4,0x70,0x56,0x70,0xE8,0x20,0x10,0x18,0x8F,0x2E,0x60,
2201 0x07,0xE7,0x68,0x1A,0x82,0x5D,0x32,0xA2,
2202 };
2203 DH *dh;
53002dc6 2204
e4589582
BM		 2205 if ((dh=DH_new()) == NULL) return(NULL);
2206 dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
2207 dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
2208 if ((dh->p == NULL) || (dh->g == NULL))
2209 { DH_free(dh); return(NULL); }
2210 dh->length = 160;
2211 return(dh);
53002dc6
BM		 2212 }
2213#endif
A mirror of the official openssl repository