]> git.ipfire.org Git - thirdparty/openssl.git/blame - ssl/ssltest.c
projects / thirdparty / openssl.git / blame
? search:
summary | shortlog | log | commit | commitdiff | tree
blob | blame (incremental) | history | HEAD
NPN tests.
[thirdparty/openssl.git] / ssl / ssltest.c
CommitLineData
d02b48c6 1/* ssl/ssltest.c */
58964a49 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
d02b48c6
RE		 3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
3ac82faa
BM		 58/* ====================================================================
59 * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
ea262260
BM		 111/* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 * ECC cipher suite support in OpenSSL originally developed by
114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
115 */
ddac1974
NL		 116/* ====================================================================
117 * Copyright 2005 Nokia. All rights reserved.
118 *
119 * The portions of the attached software ("Contribution") is developed by
120 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
121 * license.
122 *
123 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
124 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
125 * support (see RFC 4279) to OpenSSL.
126 *
127 * No patent licenses or other rights except those expressly stated in
128 * the OpenSSL open source license shall be deemed granted or received
129 * expressly, by implication, estoppel, or otherwise.
130 *
131 * No assurances are provided by Nokia that the Contribution does not
132 * infringe the patent or other intellectual property rights of any third
133 * party or that the license provides you with all the necessary rights
134 * to make use of the Contribution.
135 *
136 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
137 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
138 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
139 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
140 * OTHERWISE.
141 */
d02b48c6 142
4fbe40c5 143#define _BSD_SOURCE 1 /* Or gethostname won't be declared properly
37289744 144 on Linux and GNU platforms. */
37289744 145
6f7af152
BM		 146#include <assert.h>
147#include <errno.h>
148#include <limits.h>
d02b48c6
RE		 149#include <stdio.h>
150#include <stdlib.h>
151#include <string.h>
563f1503 152#include <time.h>
17e3dd1c 153
e7a28569 154#define USE_SOCKETS
41d2a336 155#include "e_os.h"
17e3dd1c 156
bc120a54
DSH		 157#ifdef OPENSSL_SYS_VMS
158#define _XOPEN_SOURCE 500 /* Or isascii won't be declared properly on
159 VMS (at least with DECompHP C). */
160#endif
161
a963395a
RL		 162#include <ctype.h>
163
ec577822
BM		 164#include <openssl/bio.h>
165#include <openssl/crypto.h>
563f1503 166#include <openssl/evp.h>
ec577822 167#include <openssl/x509.h>
a7201e9a 168#include <openssl/x509v3.h>
ec577822 169#include <openssl/ssl.h>
0b13e9f0 170#ifndef OPENSSL_NO_ENGINE
b8e2f83a 171#include <openssl/engine.h>
0b13e9f0 172#endif
ec577822 173#include <openssl/err.h>
b9d82f47 174#include <openssl/rand.h>
3eeaab4b 175#ifndef OPENSSL_NO_RSA
60a938c6 176#include <openssl/rsa.h>
3eeaab4b
NL		 177#endif
178#ifndef OPENSSL_NO_DSA
60a938c6 179#include <openssl/dsa.h>
3eeaab4b
NL		 180#endif
181#ifndef OPENSSL_NO_DH
60a938c6 182#include <openssl/dh.h>
3eeaab4b 183#endif
d095b68d 184#include <openssl/bn.h>
09867a47
RL		 185
186#define _XOPEN_SOURCE_EXTENDED 1 /* Or gethostname won't be declared properly
187 on Compaq platforms (at least with DEC C).
188 Do not try to put it earlier, or IPv6 includes
189 get screwed...
190 */
191
bc36ee62 192#ifdef OPENSSL_SYS_WINDOWS
f9b3bff6 193#include <winsock.h>
37289744
RL		 194#else
195#include OPENSSL_UNISTD
d02b48c6
RE		 196#endif
197
bc36ee62 198#ifdef OPENSSL_SYS_VMS
7d7d2cbc
UM		 199# define TEST_SERVER_CERT "SYS$DISK:[-.APPS]SERVER.PEM"
200# define TEST_CLIENT_CERT "SYS$DISK:[-.APPS]CLIENT.PEM"
0bf23d9b
RL		 201#elif defined(OPENSSL_SYS_WINCE)
202# define TEST_SERVER_CERT "\\OpenSSL\\server.pem"
203# define TEST_CLIENT_CERT "\\OpenSSL\\client.pem"
4d8743f4
RL		 204#elif defined(OPENSSL_SYS_NETWARE)
205# define TEST_SERVER_CERT "\\openssl\\apps\\server.pem"
206# define TEST_CLIENT_CERT "\\openssl\\apps\\client.pem"
7d7d2cbc
UM		 207#else
208# define TEST_SERVER_CERT "../apps/server.pem"
209# define TEST_CLIENT_CERT "../apps/client.pem"
210#endif
d02b48c6 211
23f80f46
RL		 212/* There is really no standard for this, so let's assign some tentative
213 numbers. In any case, these numbers are only for this test */
82423549
RL		 214#define COMP_RLE 255
215#define COMP_ZLIB 1
23f80f46 216
396f6314 217static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
bc36ee62 218#ifndef OPENSSL_NO_RSA
df63a389 219static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export,int keylength);
46b3bd54 220static void free_tmp_rsa(void);
79df9d62 221#endif
023ec151 222static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg);
a7201e9a
RL		 223#define APP_CALLBACK_STRING "Test Callback Argument"
224struct app_verify_arg
225 {
226 char *string;
227 int app_verify;
d9bfe4f9 228 int allow_proxy_certs;
a7201e9a
RL		 229 char *proxy_auth;
230 char *proxy_cond;
231 };
023ec151 232
bc36ee62 233#ifndef OPENSSL_NO_DH
d02b48c6 234static DH *get_dh512(void);
e4589582
BM		 235static DH *get_dh1024(void);
236static DH *get_dh1024dsa(void);
53002dc6
BM		 237#endif
238
ddac1974
NL		 239
240static char *psk_key=NULL; /* by default PSK is not used */
241#ifndef OPENSSL_NO_PSK
242static unsigned int psk_client_callback(SSL *ssl, const char *hint, char *identity,
243 unsigned int max_identity_len, unsigned char *psk,
244 unsigned int max_psk_len);
245static unsigned int psk_server_callback(SSL *ssl, const char *identity, unsigned char *psk,
246 unsigned int max_psk_len);
247#endif
248
396f6314
BM		 249static BIO *bio_err=NULL;
250static BIO *bio_stdout=NULL;
d02b48c6 251
d9a268b9
BL		 252#ifndef OPENSSL_NO_NPN
253/* Note that this code assumes that this is only a one element list: */
254static const char NEXT_PROTO_STRING[] = "\x09testproto";
255int npn_client = 0;
256int npn_server = 0;
257int npn_server_reject = 0;
258
259static int cb_client_npn(SSL *s, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg)
260 {
261 /* This callback only returns the protocol string, rather than a length
262 prefixed set. We assume that NEXT_PROTO_STRING is a one element list and
263 remove the first byte to chop off the length prefix. */
264 *out = (unsigned char*) NEXT_PROTO_STRING + 1;
265 *outlen = sizeof(NEXT_PROTO_STRING) - 2;
266 return SSL_TLSEXT_ERR_OK;
267 }
268
269static int cb_server_npn(SSL *s, const unsigned char **data, unsigned int *len, void *arg)
270 {
271 *data = (const unsigned char *) NEXT_PROTO_STRING;
272 *len = sizeof(NEXT_PROTO_STRING) - 1;
273 return SSL_TLSEXT_ERR_OK;
274 }
275
276static int cb_server_rejects_npn(SSL *s, const unsigned char **data, unsigned int *len, void *arg)
277 {
278 return SSL_TLSEXT_ERR_NOACK;
279 }
280
281static int verify_npn(SSL *client, SSL *server)
282 {
283 const unsigned char *client_s;
284 unsigned client_len;
285 const unsigned char *server_s;
286 unsigned server_len;
287
288 SSL_get0_next_proto_negotiated(client, &client_s, &client_len);
289 SSL_get0_next_proto_negotiated(server, &server_s, &server_len);
290
291 if (client_len)
292 {
293 BIO_printf(bio_stdout, "Client NPN: ");
294 BIO_write(bio_stdout, client_s, client_len);
295 BIO_printf(bio_stdout, "\n");
296 }
297
298 if (server_len)
299 {
300 BIO_printf(bio_stdout, "Server NPN: ");
301 BIO_write(bio_stdout, server_s, server_len);
302 BIO_printf(bio_stdout, "\n");
303 }
304
305 /* If an NPN string was returned, it must be the protocol that we
306 * expected to negotiate. */
307 if (client_len && (client_len != sizeof(NEXT_PROTO_STRING) - 2 ||
308 memcmp(client_s, NEXT_PROTO_STRING + 1, client_len)))
309 return -1;
310 if (server_len && (server_len != sizeof(NEXT_PROTO_STRING) - 2 ||
311 memcmp(server_s, NEXT_PROTO_STRING + 1, server_len)))
312 return -1;
313
314 if (!npn_client && client_len)
315 return -1;
316 if (!npn_server && server_len)
317 return -1;
318 if (npn_server_reject && server_len)
319 return -1;
320 if (npn_client && npn_server && (!client_len || !server_len))
321 return -1;
322
323 return 0;
324 }
325#endif
326
d02b48c6 327static char *cipher=NULL;
79875776
BM		 328static int verbose=0;
329static int debug=0;
d58d092b
BM		 330#if 0
331/* Not used yet. */
d02b48c6
RE		 332#ifdef FIONBIO
333static int s_nbio=0;
334#endif
d58d092b 335#endif
d02b48c6 336
b9d82f47 337static const char rnd_seed[] = "string to make the random number generator think it has entropy";
d02b48c6 338
563f1503 339int doit_biopair(SSL *s_ssl,SSL *c_ssl,long bytes,clock_t *s_time,clock_t *c_time);
58964a49 340int doit(SSL *s_ssl,SSL *c_ssl,long bytes);
6e119bb0 341static int do_test_cipherlist(void);
6b691a5c 342static void sv_usage(void)
d02b48c6
RE		 343 {
344 fprintf(stderr,"usage: ssltest [args ...]\n");
345 fprintf(stderr,"\n");
346 fprintf(stderr," -server_auth - check server certificate\n");
347 fprintf(stderr," -client_auth - do client authentication\n");
d9bfe4f9 348 fprintf(stderr," -proxy - allow proxy certificates\n");
a7201e9a
RL		 349 fprintf(stderr," -proxy_auth <val> - set proxy policy rights\n");
350 fprintf(stderr," -proxy_cond <val> - experssion to test proxy policy rights\n");
d02b48c6 351 fprintf(stderr," -v - more output\n");
58964a49
RE		 352 fprintf(stderr," -d - debug output\n");
353 fprintf(stderr," -reuse - use session-id reuse\n");
354 fprintf(stderr," -num <val> - number of connections to perform\n");
355 fprintf(stderr," -bytes <val> - number of bytes to swap between client/server\n");
bc36ee62 356#ifndef OPENSSL_NO_DH
e4589582
BM		 357 fprintf(stderr," -dhe1024 - use 1024 bit key (safe prime) for DHE\n");
358 fprintf(stderr," -dhe1024dsa - use 1024 bit key (with 160-bit subprime) for DHE\n");
77fa04a9
BM		 359 fprintf(stderr," -no_dhe - disable DHE\n");
360#endif
ea262260
BM		 361#ifndef OPENSSL_NO_ECDH
362 fprintf(stderr," -no_ecdhe - disable ECDHE\n");
363#endif
ddac1974
NL		 364#ifndef OPENSSL_NO_PSK
365 fprintf(stderr," -psk arg - PSK in hex (without 0x)\n");
366#endif
bc36ee62 367#ifndef OPENSSL_NO_SSL2
d02b48c6
RE		 368 fprintf(stderr," -ssl2 - use SSLv2\n");
369#endif
bc36ee62 370#ifndef OPENSSL_NO_SSL3
d02b48c6 371 fprintf(stderr," -ssl3 - use SSLv3\n");
58964a49 372#endif
bc36ee62 373#ifndef OPENSSL_NO_TLS1
58964a49 374 fprintf(stderr," -tls1 - use TLSv1\n");
d02b48c6
RE		 375#endif
376 fprintf(stderr," -CApath arg - PEM format directory of CA's\n");
377 fprintf(stderr," -CAfile arg - PEM format file of CA's\n");
7d2509b6
BM		 378 fprintf(stderr," -cert arg - Server certificate file\n");
379 fprintf(stderr," -key arg - Server key file (default: same as -cert)\n");
380 fprintf(stderr," -c_cert arg - Client certificate file\n");
381 fprintf(stderr," -c_key arg - Client key file (default: same as -c_cert)\n");
58964a49 382 fprintf(stderr," -cipher arg - The cipher list\n");
95d29597
BM		 383 fprintf(stderr," -bio_pair - Use BIO pairs\n");
384 fprintf(stderr," -f - Test even cases that can't work\n");
563f1503 385 fprintf(stderr," -time - measure processor time used by client and server\n");
23f80f46 386 fprintf(stderr," -zlib - use zlib compression\n");
ea262260
BM		 387 fprintf(stderr," -rle - use rle compression\n");
388#ifndef OPENSSL_NO_ECDH
389 fprintf(stderr," -named_curve arg - Elliptic curve name to use for ephemeral ECDH keys.\n" \
390 " Use \"openssl ecparam -list_curves\" for all names\n" \
391 " (default is sect163r2).\n");
392#endif
6e119bb0 393 fprintf(stderr," -test_cipherlist - verifies the order of the ssl cipher lists\n");
d9a268b9
BL		 394#ifndef OPENSSL_NO_NPN
395 fprintf(stderr," -npn_client - have client side offer NPN\n");
396 fprintf(stderr," -npn_server - have server side offer NPN\n");
397 fprintf(stderr," -npn_server_reject - have server reject NPN\n");
398#endif
563f1503
BM		 399 }
400
401static void print_details(SSL *c_ssl, const char *prefix)
402 {
babb3798 403 const SSL_CIPHER *ciph;
563f1503
BM		 404 X509 *cert;
405
406 ciph=SSL_get_current_cipher(c_ssl);
407 BIO_printf(bio_stdout,"%s%s, cipher %s %s",
408 prefix,
409 SSL_get_version(c_ssl),
410 SSL_CIPHER_get_version(ciph),
411 SSL_CIPHER_get_name(ciph));
412 cert=SSL_get_peer_certificate(c_ssl);
413 if (cert != NULL)
414 {
415 EVP_PKEY *pkey = X509_get_pubkey(cert);
416 if (pkey != NULL)
417 {
418 if (0)
419 ;
bc36ee62 420#ifndef OPENSSL_NO_RSA
563f1503
BM		 421 else if (pkey->type == EVP_PKEY_RSA && pkey->pkey.rsa != NULL
422 && pkey->pkey.rsa->n != NULL)
423 {
424 BIO_printf(bio_stdout, ", %d bit RSA",
425 BN_num_bits(pkey->pkey.rsa->n));
426 }
427#endif
bc36ee62 428#ifndef OPENSSL_NO_DSA
563f1503
BM		 429 else if (pkey->type == EVP_PKEY_DSA && pkey->pkey.dsa != NULL
430 && pkey->pkey.dsa->p != NULL)
431 {
432 BIO_printf(bio_stdout, ", %d bit DSA",
433 BN_num_bits(pkey->pkey.dsa->p));
434 }
435#endif
436 EVP_PKEY_free(pkey);
437 }
438 X509_free(cert);
439 }
440 /* The SSL API does not allow us to look at temporary RSA/DH keys,
441 * otherwise we should print their lengths too */
442 BIO_printf(bio_stdout,"\n");
d02b48c6
RE		 443 }
444
3ac82faa
BM		 445static void lock_dbg_cb(int mode, int type, const char *file, int line)
446 {
447 static int modes[CRYPTO_NUM_LOCKS]; /* = {0, 0, ... } */
448 const char *errstr = NULL;
449 int rw;
450
451 rw = mode & (CRYPTO_READ|CRYPTO_WRITE);
452 if (!((rw == CRYPTO_READ) || (rw == CRYPTO_WRITE)))
453 {
454 errstr = "invalid mode";
455 goto err;
456 }
457
563c05e2 458 if (type < 0 || type >= CRYPTO_NUM_LOCKS)
3ac82faa
BM		 459 {
460 errstr = "type out of bounds";
461 goto err;
462 }
463
464 if (mode & CRYPTO_LOCK)
465 {
466 if (modes[type])
467 {
468 errstr = "already locked";
469 /* must not happen in a single-threaded program
470 * (would deadlock) */
471 goto err;
472 }
473
474 modes[type] = rw;
475 }
476 else if (mode & CRYPTO_UNLOCK)
477 {
478 if (!modes[type])
479 {
480 errstr = "not locked";
481 goto err;
482 }
483
484 if (modes[type] != rw)
485 {
486 errstr = (rw == CRYPTO_READ) ?
487 "CRYPTO_r_unlock on write lock" :
488 "CRYPTO_w_unlock on read lock";
489 }
490
491 modes[type] = 0;
492 }
493 else
494 {
495 errstr = "invalid mode";
496 goto err;
497 }
498
499 err:
500 if (errstr)
501 {
502 /* we cannot use bio_err here */
503 fprintf(stderr, "openssl (lock_dbg_cb): %s (mode=%d, type=%d) at %s:%d\n",
504 errstr, mode, type, file, line);
505 }
506 }
507
761772d7
BM		 508#ifdef TLSEXT_TYPE_opaque_prf_input
509struct cb_info_st { void *input; size_t len; int ret; };
510struct cb_info_st co1 = { "C", 1, 1 }; /* try to negotiate oqaque PRF input */
511struct cb_info_st co2 = { "C", 1, 2 }; /* insist on oqaque PRF input */
512struct cb_info_st so1 = { "S", 1, 1 }; /* try to negotiate oqaque PRF input */
513struct cb_info_st so2 = { "S", 1, 2 }; /* insist on oqaque PRF input */
514
515int opaque_prf_input_cb(SSL *ssl, void *peerinput, size_t len, void *arg_)
516 {
517 struct cb_info_st *arg = arg_;
518
519 if (arg == NULL)
520 return 1;
521
522 if (!SSL_set_tlsext_opaque_prf_input(ssl, arg->input, arg->len))
523 return 0;
524 return arg->ret;
525 }
526#endif
6e119bb0 527
6b691a5c 528int main(int argc, char *argv[])
d02b48c6
RE		 529 {
530 char *CApath=NULL,*CAfile=NULL;
531 int badop=0;
95d29597
BM		 532 int bio_pair=0;
533 int force=0;
58964a49 534 int tls1=0,ssl2=0,ssl3=0,ret=1;
d02b48c6 535 int client_auth=0;
58964a49 536 int server_auth=0,i;
a7201e9a 537 struct app_verify_arg app_verify_arg =
d9bfe4f9 538 { APP_CALLBACK_STRING, 0, 0, NULL, NULL };
d02b48c6 539 char *server_cert=TEST_SERVER_CERT;
65b002f3 540 char *server_key=NULL;
d02b48c6 541 char *client_cert=TEST_CLIENT_CERT;
65b002f3 542 char *client_key=NULL;
3eeaab4b 543#ifndef OPENSSL_NO_ECDH
ea262260 544 char *named_curve = NULL;
3eeaab4b 545#endif
d02b48c6
RE		 546 SSL_CTX *s_ctx=NULL;
547 SSL_CTX *c_ctx=NULL;
4ebb342f 548 const SSL_METHOD *meth=NULL;
58964a49
RE		 549 SSL *c_ssl,*s_ssl;
550 int number=1,reuse=0;
82423549 551 long bytes=256L;
bc36ee62 552#ifndef OPENSSL_NO_DH
d02b48c6 553 DH *dh;
e4589582 554 int dhe1024 = 0, dhe1024dsa = 0;
ea262260
BM		 555#endif
556#ifndef OPENSSL_NO_ECDH
557 EC_KEY *ecdh = NULL;
58964a49 558#endif
e4589582 559 int no_dhe = 0;
ea262260 560 int no_ecdhe = 0;
ddac1974 561 int no_psk = 0;
563f1503
BM		 562 int print_time = 0;
563 clock_t s_time = 0, c_time = 0;
23f80f46 564 int comp = 0;
09b6c2ef 565#ifndef OPENSSL_NO_COMP
8df788c9 566 COMP_METHOD *cm = NULL;
82423549 567 STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
00a37b5a 568#endif
6e119bb0 569 int test_cipherlist = 0;
563f1503 570
79875776
BM		 571 verbose = 0;
572 debug = 0;
573 cipher = 0;
1e3a9b65 574
e9680894 575 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE|BIO_FP_TEXT);
1e3a9b65 576
3ac82faa
BM		 577 CRYPTO_set_locking_callback(lock_dbg_cb);
578
10654d3a
BM		 579 /* enable memory leak checking unless explicitly disabled */
580 if (!((getenv("OPENSSL_DEBUG_MEMORY") != NULL) && (0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off"))))
581 {
582 CRYPTO_malloc_debug_init();
384eff87
BM		 583 CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
584 }
585 else
586 {
587 /* OPENSSL_DEBUG_MEMORY=off */
588 CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0);
10654d3a 589 }
79875776 590 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
d02b48c6 591
b9d82f47
UM		 592 RAND_seed(rnd_seed, sizeof rnd_seed);
593
e9680894 594 bio_stdout=BIO_new_fp(stdout,BIO_NOCLOSE|BIO_FP_TEXT);
d02b48c6 595
d02b48c6
RE		 596 argc--;
597 argv++;
598
599 while (argc >= 1)
600 {
601 if (strcmp(*argv,"-server_auth") == 0)
602 server_auth=1;
603 else if (strcmp(*argv,"-client_auth") == 0)
604 client_auth=1;
a7201e9a
RL		 605 else if (strcmp(*argv,"-proxy_auth") == 0)
606 {
607 if (--argc < 1) goto bad;
608 app_verify_arg.proxy_auth= *(++argv);
609 }
610 else if (strcmp(*argv,"-proxy_cond") == 0)
611 {
612 if (--argc < 1) goto bad;
613 app_verify_arg.proxy_cond= *(++argv);
614 }
d02b48c6
RE		 615 else if (strcmp(*argv,"-v") == 0)
616 verbose=1;
58964a49
RE		 617 else if (strcmp(*argv,"-d") == 0)
618 debug=1;
619 else if (strcmp(*argv,"-reuse") == 0)
620 reuse=1;
48c843c3 621 else if (strcmp(*argv,"-dhe1024") == 0)
90f5a2b6
RL		 622 {
623#ifndef OPENSSL_NO_DH
48c843c3 624 dhe1024=1;
90f5a2b6 625#else
ba5ba549 626 fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n");
90f5a2b6
RL		 627#endif
628 }
e4589582 629 else if (strcmp(*argv,"-dhe1024dsa") == 0)
90f5a2b6
RL		 630 {
631#ifndef OPENSSL_NO_DH
e4589582 632 dhe1024dsa=1;
90f5a2b6 633#else
ba5ba549 634 fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n");
e4589582 635#endif
90f5a2b6 636 }
77fa04a9
BM		 637 else if (strcmp(*argv,"-no_dhe") == 0)
638 no_dhe=1;
ea262260
BM		 639 else if (strcmp(*argv,"-no_ecdhe") == 0)
640 no_ecdhe=1;
ddac1974
NL		 641 else if (strcmp(*argv,"-psk") == 0)
642 {
643 if (--argc < 1) goto bad;
644 psk_key=*(++argv);
645#ifndef OPENSSL_NO_PSK
646 if (strspn(psk_key, "abcdefABCDEF1234567890") != strlen(psk_key))
647 {
648 BIO_printf(bio_err,"Not a hex number '%s'\n",*argv);
649 goto bad;
650 }
651#else
652 no_psk=1;
653#endif
654 }
d02b48c6
RE		 655 else if (strcmp(*argv,"-ssl2") == 0)
656 ssl2=1;
58964a49
RE		 657 else if (strcmp(*argv,"-tls1") == 0)
658 tls1=1;
d02b48c6
RE		 659 else if (strcmp(*argv,"-ssl3") == 0)
660 ssl3=1;
58964a49
RE		 661 else if (strncmp(*argv,"-num",4) == 0)
662 {
663 if (--argc < 1) goto bad;
664 number= atoi(*(++argv));
665 if (number == 0) number=1;
666 }
667 else if (strcmp(*argv,"-bytes") == 0)
668 {
669 if (--argc < 1) goto bad;
670 bytes= atol(*(++argv));
671 if (bytes == 0L) bytes=1L;
672 i=strlen(argv[0]);
673 if (argv[0][i-1] == 'k') bytes*=1024L;
674 if (argv[0][i-1] == 'm') bytes*=1024L*1024L;
675 }
d02b48c6
RE		 676 else if (strcmp(*argv,"-cert") == 0)
677 {
678 if (--argc < 1) goto bad;
679 server_cert= *(++argv);
680 }
681 else if (strcmp(*argv,"-s_cert") == 0)
682 {
683 if (--argc < 1) goto bad;
684 server_cert= *(++argv);
685 }
65b002f3
BM		 686 else if (strcmp(*argv,"-key") == 0)
687 {
688 if (--argc < 1) goto bad;
689 server_key= *(++argv);
690 }
691 else if (strcmp(*argv,"-s_key") == 0)
692 {
693 if (--argc < 1) goto bad;
694 server_key= *(++argv);
695 }
d02b48c6
RE		 696 else if (strcmp(*argv,"-c_cert") == 0)
697 {
698 if (--argc < 1) goto bad;
699 client_cert= *(++argv);
700 }
65b002f3
BM		 701 else if (strcmp(*argv,"-c_key") == 0)
702 {
703 if (--argc < 1) goto bad;
704 client_key= *(++argv);
705 }
d02b48c6
RE		 706 else if (strcmp(*argv,"-cipher") == 0)
707 {
708 if (--argc < 1) goto bad;
709 cipher= *(++argv);
710 }
711 else if (strcmp(*argv,"-CApath") == 0)
712 {
713 if (--argc < 1) goto bad;
714 CApath= *(++argv);
715 }
716 else if (strcmp(*argv,"-CAfile") == 0)
717 {
718 if (--argc < 1) goto bad;
719 CAfile= *(++argv);
720 }
95d29597
BM		 721 else if (strcmp(*argv,"-bio_pair") == 0)
722 {
723 bio_pair = 1;
724 }
725 else if (strcmp(*argv,"-f") == 0)
726 {
727 force = 1;
728 }
563f1503
BM		 729 else if (strcmp(*argv,"-time") == 0)
730 {
731 print_time = 1;
732 }
23f80f46
RL		 733 else if (strcmp(*argv,"-zlib") == 0)
734 {
735 comp = COMP_ZLIB;
736 }
737 else if (strcmp(*argv,"-rle") == 0)
738 {
739 comp = COMP_RLE;
740 }
ea262260
BM		 741 else if (strcmp(*argv,"-named_curve") == 0)
742 {
743 if (--argc < 1) goto bad;
90f5a2b6 744#ifndef OPENSSL_NO_ECDH
ea262260 745 named_curve = *(++argv);
90f5a2b6 746#else
5e3247d8 747 fprintf(stderr,"ignoring -named_curve, since I'm compiled without ECDH\n");
90f5a2b6 748 ++argv;
ea262260 749#endif
90f5a2b6 750 }
023ec151
BM		 751 else if (strcmp(*argv,"-app_verify") == 0)
752 {
a7201e9a 753 app_verify_arg.app_verify = 1;
023ec151 754 }
d9bfe4f9
RL		 755 else if (strcmp(*argv,"-proxy") == 0)
756 {
757 app_verify_arg.allow_proxy_certs = 1;
758 }
6e119bb0
NL		 759 else if (strcmp(*argv,"-test_cipherlist") == 0)
760 {
761 test_cipherlist = 1;
762 }
d9a268b9
BL		 763#ifndef OPENSSL_NO_NPN
764 else if (strcmp(*argv,"-npn_client") == 0)
765 {
766 npn_client = 1;
767 }
768 else if (strcmp(*argv,"-npn_server") == 0)
769 {
770 npn_server = 1;
771 }
772 else if (strcmp(*argv,"-npn_server_reject") == 0)
773 {
774 npn_server_reject = 1;
775 }
776#endif
d02b48c6
RE		 777 else
778 {
779 fprintf(stderr,"unknown option %s\n",*argv);
780 badop=1;
781 break;
782 }
783 argc--;
784 argv++;
785 }
786 if (badop)
787 {
788bad:
789 sv_usage();
790 goto end;
791 }
792
6e119bb0
NL		 793 if (test_cipherlist == 1)
794 {
795 /* ensure that the cipher list are correctly sorted and exit */
796 if (do_test_cipherlist() == 0)
797 EXIT(1);
798 ret = 0;
799 goto end;
800 }
801
95d29597
BM		 802 if (!ssl2 && !ssl3 && !tls1 && number > 1 && !reuse && !force)
803 {
563f1503
BM		 804 fprintf(stderr, "This case cannot work. Use -f to perform "
805 "the test anyway (and\n-d to see what happens), "
806 "or add one of -ssl2, -ssl3, -tls1, -reuse\n"
807 "to avoid protocol mismatch.\n");
55f78baf 808 EXIT(1);
95d29597
BM		 809 }
810
563f1503
BM		 811 if (print_time)
812 {
813 if (!bio_pair)
814 {
815 fprintf(stderr, "Using BIO pair (-bio_pair)\n");
816 bio_pair = 1;
817 }
818 if (number < 50 && !force)
819 fprintf(stderr, "Warning: For accurate timings, use more connections (e.g. -num 1000)\n");
820 }
821
d02b48c6
RE		 822/* if (cipher == NULL) cipher=getenv("SSL_CIPHER"); */
823
413c4f45 824 SSL_library_init();
d02b48c6
RE		 825 SSL_load_error_strings();
826
09b6c2ef 827#ifndef OPENSSL_NO_COMP
bd68b6b1
RL		 828 if (comp == COMP_ZLIB) cm = COMP_zlib();
829 if (comp == COMP_RLE) cm = COMP_rle();
830 if (cm != NULL)
23f80f46 831 {
23f80f46 832 if (cm->type != NID_undef)
f82ab534
RL		 833 {
834 if (SSL_COMP_add_compression_method(comp, cm) != 0)
835 {
836 fprintf(stderr,
837 "Failed to add compression method\n");
838 ERR_print_errors_fp(stderr);
839 }
840 }
23f80f46 841 else
4751717c 842 {
bd68b6b1
RL		 843 fprintf(stderr,
844 "Warning: %s compression not supported\n",
845 (comp == COMP_RLE ? "rle" :
846 (comp == COMP_ZLIB ? "zlib" :
847 "unknown")));
4751717c
RL		 848 ERR_print_errors_fp(stderr);
849 }
23f80f46 850 }
82423549
RL		 851 ssl_comp_methods = SSL_COMP_get_compression_methods();
852 fprintf(stderr, "Available compression methods:\n");
853 {
a08ced78 854 int j, n = sk_SSL_COMP_num(ssl_comp_methods);
82423549
RL		 855 if (n == 0)
856 fprintf(stderr, " NONE\n");
857 else
a08ced78 858 for (j = 0; j < n; j++)
82423549 859 {
a08ced78 860 SSL_COMP *c = sk_SSL_COMP_value(ssl_comp_methods, j);
82423549
RL		 861 fprintf(stderr, " %d: %s\n", c->id, c->name);
862 }
863 }
231b98a5 864#endif
23f80f46 865
bc36ee62 866#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
d02b48c6
RE		 867 if (ssl2)
868 meth=SSLv2_method();
869 else
58964a49
RE		 870 if (tls1)
871 meth=TLSv1_method();
872 else
d02b48c6
RE		 873 if (ssl3)
874 meth=SSLv3_method();
875 else
876 meth=SSLv23_method();
877#else
bc36ee62 878#ifdef OPENSSL_NO_SSL2
d02b48c6
RE		 879 meth=SSLv3_method();
880#else
881 meth=SSLv2_method();
882#endif
883#endif
884
885 c_ctx=SSL_CTX_new(meth);
886 s_ctx=SSL_CTX_new(meth);
887 if ((c_ctx == NULL) || (s_ctx == NULL))
888 {
889 ERR_print_errors(bio_err);
890 goto end;
891 }
892
893 if (cipher != NULL)
894 {
895 SSL_CTX_set_cipher_list(c_ctx,cipher);
896 SSL_CTX_set_cipher_list(s_ctx,cipher);
897 }
898
bc36ee62 899#ifndef OPENSSL_NO_DH
77fa04a9 900 if (!no_dhe)
48c843c3 901 {
e4589582 902 if (dhe1024dsa)
48c843c3 903 {
e4589582 904 /* use SSL_OP_SINGLE_DH_USE to avoid small subgroup attacks */
77fa04a9 905 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);
e4589582 906 dh=get_dh1024dsa();
48c843c3 907 }
e4589582
BM		 908 else if (dhe1024)
909 dh=get_dh1024();
77fa04a9 910 else
77fa04a9
BM		 911 dh=get_dh512();
912 SSL_CTX_set_tmp_dh(s_ctx,dh);
913 DH_free(dh);
914 }
e4589582
BM		 915#else
916 (void)no_dhe;
58964a49
RE		 917#endif
918
ea262260
BM		 919#ifndef OPENSSL_NO_ECDH
920 if (!no_ecdhe)
921 {
9dd84053
NL		 922 int nid;
923
924 if (named_curve != NULL)
ea262260 925 {
9dd84053
NL		 926 nid = OBJ_sn2nid(named_curve);
927 if (nid == 0)
928 {
929 BIO_printf(bio_err, "unknown curve name (%s)\n", named_curve);
930 goto end;
ea262260 931 }
9dd84053
NL		 932 }
933 else
934 nid = NID_sect163r2;
ea262260 935
9dd84053
NL		 936 ecdh = EC_KEY_new_by_curve_name(nid);
937 if (ecdh == NULL)
938 {
939 BIO_printf(bio_err, "unable to create curve\n");
940 goto end;
ea262260 941 }
9dd84053
NL		 942
943 SSL_CTX_set_tmp_ecdh(s_ctx, ecdh);
944 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_ECDH_USE);
945 EC_KEY_free(ecdh);
ea262260
BM		 946 }
947#else
948 (void)no_ecdhe;
949#endif
950
bc36ee62 951#ifndef OPENSSL_NO_RSA
58964a49 952 SSL_CTX_set_tmp_rsa_callback(s_ctx,tmp_rsa_cb);
d02b48c6
RE		 953#endif
954
761772d7
BM		 955#ifdef TLSEXT_TYPE_opaque_prf_input
956 SSL_CTX_set_tlsext_opaque_prf_input_callback(c_ctx, opaque_prf_input_cb);
957 SSL_CTX_set_tlsext_opaque_prf_input_callback(s_ctx, opaque_prf_input_cb);
958 SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(c_ctx, &co1); /* or &co2 or NULL */
959 SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(s_ctx, &so1); /* or &so2 or NULL */
960#endif
961
d02b48c6
RE		 962 if (!SSL_CTX_use_certificate_file(s_ctx,server_cert,SSL_FILETYPE_PEM))
963 {
964 ERR_print_errors(bio_err);
965 }
65b002f3
BM		 966 else if (!SSL_CTX_use_PrivateKey_file(s_ctx,
967 (server_key?server_key:server_cert), SSL_FILETYPE_PEM))
d02b48c6
RE		 968 {
969 ERR_print_errors(bio_err);
970 goto end;
971 }
972
973 if (client_auth)
974 {
975 SSL_CTX_use_certificate_file(c_ctx,client_cert,
976 SSL_FILETYPE_PEM);
65b002f3
BM		 977 SSL_CTX_use_PrivateKey_file(c_ctx,
978 (client_key?client_key:client_cert),
d02b48c6
RE		 979 SSL_FILETYPE_PEM);
980 }
981
982 if ( (!SSL_CTX_load_verify_locations(s_ctx,CAfile,CApath)) ||
983 (!SSL_CTX_set_default_verify_paths(s_ctx)) ||
984 (!SSL_CTX_load_verify_locations(c_ctx,CAfile,CApath)) ||
985 (!SSL_CTX_set_default_verify_paths(c_ctx)))
986 {
58964a49 987 /* fprintf(stderr,"SSL_load_verify_locations\n"); */
d02b48c6 988 ERR_print_errors(bio_err);
58964a49 989 /* goto end; */
d02b48c6
RE		 990 }
991
992 if (client_auth)
993 {
53002dc6 994 BIO_printf(bio_err,"client authentication\n");
d02b48c6
RE		 995 SSL_CTX_set_verify(s_ctx,
996 SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
997 verify_callback);
a7201e9a 998 SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, &app_verify_arg);
d02b48c6
RE		 999 }
1000 if (server_auth)
1001 {
53002dc6 1002 BIO_printf(bio_err,"server authentication\n");
d02b48c6
RE		 1003 SSL_CTX_set_verify(c_ctx,SSL_VERIFY_PEER,
1004 verify_callback);
a7201e9a 1005 SSL_CTX_set_cert_verify_callback(c_ctx, app_verify_callback, &app_verify_arg);
d02b48c6 1006 }
b1fe6ca1
BM		 1007
1008 {
1009 int session_id_context = 0;
1010 SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context, sizeof session_id_context);
1011 }
d02b48c6 1012
ddac1974
NL		 1013 /* Use PSK only if PSK key is given */
1014 if (psk_key != NULL)
1015 {
1016 /* no_psk is used to avoid putting psk command to openssl tool */
1017 if (no_psk)
1018 {
1019 /* if PSK is not compiled in and psk key is
1020 * given, do nothing and exit successfully */
1021 ret=0;
1022 goto end;
1023 }
1024#ifndef OPENSSL_NO_PSK
1025 SSL_CTX_set_psk_client_callback(c_ctx, psk_client_callback);
1026 SSL_CTX_set_psk_server_callback(s_ctx, psk_server_callback);
1027 if (debug)
1028 BIO_printf(bio_err,"setting PSK identity hint to s_ctx\n");
1029 if (!SSL_CTX_use_psk_identity_hint(s_ctx, "ctx server identity_hint"))
1030 {
1031 BIO_printf(bio_err,"error setting PSK identity hint to s_ctx\n");
1032 ERR_print_errors(bio_err);
1033 goto end;
1034 }
1035#endif
1036 }
1037
d9a268b9
BL		 1038#ifndef OPENSSL_NO_NPN
1039 if (npn_client)
1040 {
1041 SSL_CTX_set_next_proto_select_cb(c_ctx, cb_client_npn, NULL);
1042 }
1043 if (npn_server)
1044 {
1045 if (npn_server_reject)
1046 {
1047 BIO_printf(bio_err, "Can't have both -npn_server and -npn_server_reject\n");
1048 goto end;
1049 }
1050 SSL_CTX_set_next_protos_advertised_cb(s_ctx, cb_server_npn, NULL);
1051 }
1052 if (npn_server_reject)
1053 {
1054 SSL_CTX_set_next_protos_advertised_cb(s_ctx, cb_server_rejects_npn, NULL);
1055 }
1056#endif
1057
58964a49
RE		 1058 c_ssl=SSL_new(c_ctx);
1059 s_ssl=SSL_new(s_ctx);
1060
bc36ee62 1061#ifndef OPENSSL_NO_KRB5
f9b3bff6
RL		 1062 if (c_ssl && c_ssl->kssl_ctx)
1063 {
54a656ef 1064 char localhost[MAXHOSTNAMELEN+2];
f9b3bff6 1065
54a656ef 1066 if (gethostname(localhost, sizeof localhost-1) == 0)
f9b3bff6 1067 {
54a656ef
BL		 1068 localhost[sizeof localhost-1]='\0';
1069 if(strlen(localhost) == sizeof localhost-1)
1070 {
1071 BIO_printf(bio_err,"localhost name too long\n");
31be2daa 1072 goto end;
54a656ef 1073 }
f9b3bff6
RL		 1074 kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER,
1075 localhost);
1076 }
1077 }
bc36ee62 1078#endif /* OPENSSL_NO_KRB5 */
f9b3bff6 1079
58964a49
RE		 1080 for (i=0; i<number; i++)
1081 {
1082 if (!reuse) SSL_set_session(c_ssl,NULL);
95d29597 1083 if (bio_pair)
563f1503 1084 ret=doit_biopair(s_ssl,c_ssl,bytes,&s_time,&c_time);
95d29597
BM		 1085 else
1086 ret=doit(s_ssl,c_ssl,bytes);
58964a49
RE		 1087 }
1088
1089 if (!verbose)
1090 {
563f1503 1091 print_details(c_ssl, "");
58964a49
RE		 1092 }
1093 if ((number > 1) || (bytes > 1L))
53002dc6 1094 BIO_printf(bio_stdout, "%d handshakes of %ld bytes done\n",number,bytes);
563f1503
BM		 1095 if (print_time)
1096 {
617d71bc
BM		 1097#ifdef CLOCKS_PER_SEC
1098 /* "To determine the time in seconds, the value returned
1099 * by the clock function should be divided by the value
1100 * of the macro CLOCKS_PER_SEC."
1101 * -- ISO/IEC 9899 */
563f1503
BM		 1102 BIO_printf(bio_stdout, "Approximate total server time: %6.2f s\n"
1103 "Approximate total client time: %6.2f s\n",
1104 (double)s_time/CLOCKS_PER_SEC,
1105 (double)c_time/CLOCKS_PER_SEC);
617d71bc
BM		 1106#else
1107 /* "`CLOCKS_PER_SEC' undeclared (first use this function)"
1108 * -- cc on NeXTstep/OpenStep */
1109 BIO_printf(bio_stdout,
1110 "Approximate total server time: %6.2f units\n"
1111 "Approximate total client time: %6.2f units\n",
1112 (double)s_time,
1113 (double)c_time);
1114#endif
563f1503 1115 }
58964a49
RE		 1116
1117 SSL_free(s_ssl);
1118 SSL_free(c_ssl);
1119
d02b48c6
RE		 1120end:
1121 if (s_ctx != NULL) SSL_CTX_free(s_ctx);
1122 if (c_ctx != NULL) SSL_CTX_free(c_ctx);
1123
1124 if (bio_stdout != NULL) BIO_free(bio_stdout);
1125
bc36ee62 1126#ifndef OPENSSL_NO_RSA
46b3bd54
BM		 1127 free_tmp_rsa();
1128#endif
0b13e9f0 1129#ifndef OPENSSL_NO_ENGINE
b8e2f83a 1130 ENGINE_cleanup();
0b13e9f0 1131#endif
79aa04ef 1132 CRYPTO_cleanup_all_ex_data();
dfeab068 1133 ERR_free_strings();
4c329696 1134 ERR_remove_thread_state(NULL);
d02b48c6
RE		 1135 EVP_cleanup();
1136 CRYPTO_mem_leaks(bio_err);
79875776 1137 if (bio_err != NULL) BIO_free(bio_err);
d02b48c6 1138 EXIT(ret);
19bd66fe 1139 return ret;
d02b48c6
RE		 1140 }
1141
563f1503
BM		 1142int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count,
1143 clock_t *s_time, clock_t *c_time)
95d29597
BM		 1144 {
1145 long cw_num = count, cr_num = count, sw_num = count, sr_num = count;
1146 BIO *s_ssl_bio = NULL, *c_ssl_bio = NULL;
1147 BIO *server = NULL, *server_io = NULL, *client = NULL, *client_io = NULL;
95d29597
BM		 1148 int ret = 1;
1149
1150 size_t bufsiz = 256; /* small buffer for testing */
1151
1152 if (!BIO_new_bio_pair(&server, bufsiz, &server_io, bufsiz))
1153 goto err;
1154 if (!BIO_new_bio_pair(&client, bufsiz, &client_io, bufsiz))
1155 goto err;
1156
1157 s_ssl_bio = BIO_new(BIO_f_ssl());
1158 if (!s_ssl_bio)
1159 goto err;
1160
1161 c_ssl_bio = BIO_new(BIO_f_ssl());
1162 if (!c_ssl_bio)
1163 goto err;
1164
1165 SSL_set_connect_state(c_ssl);
1166 SSL_set_bio(c_ssl, client, client);
1167 (void)BIO_set_ssl(c_ssl_bio, c_ssl, BIO_NOCLOSE);
1168
1169 SSL_set_accept_state(s_ssl);
1170 SSL_set_bio(s_ssl, server, server);
1171 (void)BIO_set_ssl(s_ssl_bio, s_ssl, BIO_NOCLOSE);
1172
1173 do
1174 {
1175 /* c_ssl_bio: SSL filter BIO
1176 *
1177 * client: pseudo-I/O for SSL library
1178 *
1179 * client_io: client's SSL communication; usually to be
1180 * relayed over some I/O facility, but in this
1181 * test program, we're the server, too:
1182 *
1183 * server_io: server's SSL communication
1184 *
1185 * server: pseudo-I/O for SSL library
1186 *
1187 * s_ssl_bio: SSL filter BIO
1188 *
1189 * The client and the server each employ a "BIO pair":
1190 * client + client_io, server + server_io.
1191 * BIO pairs are symmetric. A BIO pair behaves similar
1192 * to a non-blocking socketpair (but both endpoints must
1193 * be handled by the same thread).
7eea36bb
BM		 1194 * [Here we could connect client and server to the ends
1195 * of a single BIO pair, but then this code would be less
1196 * suitable as an example for BIO pairs in general.]
95d29597
BM		 1197 *
1198 * Useful functions for querying the state of BIO pair endpoints:
1199 *
1200 * BIO_ctrl_pending(bio) number of bytes we can read now
f50c0497 1201 * BIO_ctrl_get_read_request(bio) number of bytes needed to fulfil
95d29597 1202 * other side's read attempt
657e60fa 1203 * BIO_ctrl_get_write_guarantee(bio) number of bytes we can write now
95d29597
BM		 1204 *
1205 * ..._read_request is never more than ..._write_guarantee;
1206 * it depends on the application which one you should use.
1207 */
1208
1209 /* We have non-blocking behaviour throughout this test program, but
1210 * can be sure that there is *some* progress in each iteration; so
1211 * we don't have to worry about ..._SHOULD_READ or ..._SHOULD_WRITE
1212 * -- we just try everything in each iteration
1213 */
1214
1215 {
1216 /* CLIENT */
1217
1218 MS_STATIC char cbuf[1024*8];
1219 int i, r;
563f1503 1220 clock_t c_clock = clock();
95d29597 1221
896e4fef
BM		 1222 memset(cbuf, 0, sizeof(cbuf));
1223
95d29597
BM		 1224 if (debug)
1225 if (SSL_in_init(c_ssl))
1226 printf("client waiting in SSL_connect - %s\n",
1227 SSL_state_string_long(c_ssl));
1228
1229 if (cw_num > 0)
1230 {
1231 /* Write to server. */
1232
1233 if (cw_num > (long)sizeof cbuf)
1234 i = sizeof cbuf;
1235 else
1236 i = (int)cw_num;
1237 r = BIO_write(c_ssl_bio, cbuf, i);
29159a42 1238 if (r < 0)
95d29597
BM		 1239 {
1240 if (!BIO_should_retry(c_ssl_bio))
1241 {
1242 fprintf(stderr,"ERROR in CLIENT\n");
1243 goto err;
1244 }
1245 /* BIO_should_retry(...) can just be ignored here.
1246 * The library expects us to call BIO_write with
1247 * the same arguments again, and that's what we will
1248 * do in the next iteration. */
1249 }
1250 else if (r == 0)
1251 {
1252 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1253 goto err;
1254 }
1255 else
1256 {
1257 if (debug)
1258 printf("client wrote %d\n", r);
1259 cw_num -= r;
1260 }
1261 }
1262
1263 if (cr_num > 0)
1264 {
1265 /* Read from server. */
1266
1267 r = BIO_read(c_ssl_bio, cbuf, sizeof(cbuf));
1268 if (r < 0)
1269 {
1270 if (!BIO_should_retry(c_ssl_bio))
1271 {
1272 fprintf(stderr,"ERROR in CLIENT\n");
1273 goto err;
1274 }
1275 /* Again, "BIO_should_retry" can be ignored. */
1276 }
1277 else if (r == 0)
1278 {
1279 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1280 goto err;
1281 }
1282 else
1283 {
1284 if (debug)
1285 printf("client read %d\n", r);
1286 cr_num -= r;
1287 }
1288 }
563f1503
BM		 1289
1290 /* c_time and s_time increments will typically be very small
1291 * (depending on machine speed and clock tick intervals),
1292 * but sampling over a large number of connections should
1293 * result in fairly accurate figures. We cannot guarantee
1294 * a lot, however -- if each connection lasts for exactly
1295 * one clock tick, it will be counted only for the client
1296 * or only for the server or even not at all.
1297 */
1298 *c_time += (clock() - c_clock);
95d29597
BM		 1299 }
1300
1301 {
1302 /* SERVER */
1303
1304 MS_STATIC char sbuf[1024*8];
1305 int i, r;
563f1503 1306 clock_t s_clock = clock();
95d29597 1307
896e4fef
BM		 1308 memset(sbuf, 0, sizeof(sbuf));
1309
95d29597
BM		 1310 if (debug)
1311 if (SSL_in_init(s_ssl))
1312 printf("server waiting in SSL_accept - %s\n",
1313 SSL_state_string_long(s_ssl));
1314
1315 if (sw_num > 0)
1316 {
1317 /* Write to client. */
1318
1319 if (sw_num > (long)sizeof sbuf)
1320 i = sizeof sbuf;
1321 else
1322 i = (int)sw_num;
1323 r = BIO_write(s_ssl_bio, sbuf, i);
29159a42 1324 if (r < 0)
95d29597
BM		 1325 {
1326 if (!BIO_should_retry(s_ssl_bio))
1327 {
1328 fprintf(stderr,"ERROR in SERVER\n");
1329 goto err;
1330 }
1331 /* Ignore "BIO_should_retry". */
1332 }
1333 else if (r == 0)
1334 {
1335 fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
1336 goto err;
1337 }
1338 else
1339 {
1340 if (debug)
1341 printf("server wrote %d\n", r);
1342 sw_num -= r;
1343 }
1344 }
1345
1346 if (sr_num > 0)
1347 {
1348 /* Read from client. */
1349
1350 r = BIO_read(s_ssl_bio, sbuf, sizeof(sbuf));
1351 if (r < 0)
1352 {
1353 if (!BIO_should_retry(s_ssl_bio))
1354 {
1355 fprintf(stderr,"ERROR in SERVER\n");
1356 goto err;
1357 }
1358 /* blah, blah */
1359 }
1360 else if (r == 0)
1361 {
1362 fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
1363 goto err;
1364 }
1365 else
1366 {
1367 if (debug)
1368 printf("server read %d\n", r);
1369 sr_num -= r;
1370 }
1371 }
563f1503
BM		 1372
1373 *s_time += (clock() - s_clock);
95d29597
BM		 1374 }
1375
1376 {
1377 /* "I/O" BETWEEN CLIENT AND SERVER. */
1378
95d29597 1379 size_t r1, r2;
6f7af152
BM		 1380 BIO *io1 = server_io, *io2 = client_io;
1381 /* we use the non-copying interface for io1
1382 * and the standard BIO_write/BIO_read interface for io2
1383 */
1384
95d29597
BM		 1385 static int prev_progress = 1;
1386 int progress = 0;
1387
6f7af152 1388 /* io1 to io2 */
95d29597
BM		 1389 do
1390 {
6f7af152 1391 size_t num;
b52f3818 1392 int r;
6f7af152
BM		 1393
1394 r1 = BIO_ctrl_pending(io1);
1395 r2 = BIO_ctrl_get_write_guarantee(io2);
95d29597
BM		 1396
1397 num = r1;
1398 if (r2 < num)
1399 num = r2;
1400 if (num)
1401 {
6f7af152
BM		 1402 char *dataptr;
1403
95d29597
BM		 1404 if (INT_MAX < num) /* yeah, right */
1405 num = INT_MAX;
1406
6f7af152
BM		 1407 r = BIO_nread(io1, &dataptr, (int)num);
1408 assert(r > 0);
1409 assert(r <= (int)num);
1410 /* possibly r < num (non-contiguous data) */
1411 num = r;
1412 r = BIO_write(io2, dataptr, (int)num);
95d29597
BM		 1413 if (r != (int)num) /* can't happen */
1414 {
1415 fprintf(stderr, "ERROR: BIO_write could not write "
1416 "BIO_ctrl_get_write_guarantee() bytes");
1417 goto err;
1418 }
1419 progress = 1;
1420
1421 if (debug)
6f7af152
BM		 1422 printf((io1 == client_io) ?
1423 "C->S relaying: %d bytes\n" :
1424 "S->C relaying: %d bytes\n",
1425 (int)num);
95d29597
BM		 1426 }
1427 }
1428 while (r1 && r2);
1429
6f7af152
BM		 1430 /* io2 to io1 */
1431 {
1432 size_t num;
1433 int r;
1434
1435 r1 = BIO_ctrl_pending(io2);
1436 r2 = BIO_ctrl_get_read_request(io1);
1437 /* here we could use ..._get_write_guarantee instead of
1438 * ..._get_read_request, but by using the latter
1439 * we test restartability of the SSL implementation
1440 * more thoroughly */
95d29597
BM		 1441 num = r1;
1442 if (r2 < num)
1443 num = r2;
1444 if (num)
1445 {
6f7af152
BM		 1446 char *dataptr;
1447
95d29597
BM		 1448 if (INT_MAX < num)
1449 num = INT_MAX;
6f7af152
BM		 1450
1451 if (num > 1)
cb0369d8 1452 --num; /* test restartability even more thoroughly */
95d29597 1453
234c7376 1454 r = BIO_nwrite0(io1, &dataptr);
6f7af152 1455 assert(r > 0);
cc129755 1456 if (r < (int)num)
234c7376 1457 num = r;
6f7af152 1458 r = BIO_read(io2, dataptr, (int)num);
95d29597
BM		 1459 if (r != (int)num) /* can't happen */
1460 {
1461 fprintf(stderr, "ERROR: BIO_read could not read "
1462 "BIO_ctrl_pending() bytes");
1463 goto err;
1464 }
95d29597 1465 progress = 1;
234c7376
BM		 1466 r = BIO_nwrite(io1, &dataptr, (int)num);
1467 if (r != (int)num) /* can't happen */
1468 {
1469 fprintf(stderr, "ERROR: BIO_nwrite() did not accept "
1470 "BIO_nwrite0() bytes");
1471 goto err;
1472 }
6f7af152 1473
95d29597 1474 if (debug)
6f7af152
BM		 1475 printf((io2 == client_io) ?
1476 "C->S relaying: %d bytes\n" :
1477 "S->C relaying: %d bytes\n",
1478 (int)num);
95d29597 1479 }
6f7af152 1480 } /* no loop, BIO_ctrl_get_read_request now returns 0 anyway */
95d29597
BM		 1481
1482 if (!progress && !prev_progress)
1483 if (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0)
95d29597
BM		 1484 {
1485 fprintf(stderr, "ERROR: got stuck\n");
d7fcc7f6
BM		 1486 if (strcmp("SSLv2", SSL_get_version(c_ssl)) == 0)
1487 {
1488 fprintf(stderr, "This can happen for SSL2 because "
1489 "CLIENT-FINISHED and SERVER-VERIFY are written \n"
1490 "concurrently ...");
1491 if (strncmp("2SCF", SSL_state_string(c_ssl), 4) == 0
1492 && strncmp("2SSV", SSL_state_string(s_ssl), 4) == 0)
1493 {
1494 fprintf(stderr, " ok.\n");
1495 goto end;
1496 }
1497 }
1498 fprintf(stderr, " ERROR.\n");
95d29597
BM		 1499 goto err;
1500 }
1501 prev_progress = progress;
1502 }
1503 }
1504 while (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0);
1505
95d29597 1506 if (verbose)
563f1503 1507 print_details(c_ssl, "DONE via BIO pair: ");
d9a268b9
BL		 1508#ifndef OPENSSL_NO_NPN
1509 if (verify_npn(c_ssl, s_ssl) < 0)
1510 {
1511 ret = 1;
1512 goto end;
1513 }
1514#endif
563f1503 1515end:
95d29597
BM		 1516 ret = 0;
1517
1518 err:
1519 ERR_print_errors(bio_err);
1520
1521 if (server)
1522 BIO_free(server);
1523 if (server_io)
1524 BIO_free(server_io);
1525 if (client)
1526 BIO_free(client);
1527 if (client_io)
1528 BIO_free(client_io);
1529 if (s_ssl_bio)
1530 BIO_free(s_ssl_bio);
1531 if (c_ssl_bio)
1532 BIO_free(c_ssl_bio);
1533
1534 return ret;
1535 }
1536
1537
d02b48c6
RE		 1538#define W_READ 1
1539#define W_WRITE 2
1540#define C_DONE 1
1541#define S_DONE 2
1542
6b691a5c 1543int doit(SSL *s_ssl, SSL *c_ssl, long count)
d02b48c6 1544 {
58964a49
RE		 1545 MS_STATIC char cbuf[1024*8],sbuf[1024*8];
1546 long cw_num=count,cr_num=count;
1547 long sw_num=count,sr_num=count;
d02b48c6 1548 int ret=1;
d02b48c6
RE		 1549 BIO *c_to_s=NULL;
1550 BIO *s_to_c=NULL;
1551 BIO *c_bio=NULL;
1552 BIO *s_bio=NULL;
1553 int c_r,c_w,s_r,s_w;
58964a49 1554 int i,j;
d02b48c6
RE		 1555 int done=0;
1556 int c_write,s_write;
1557 int do_server=0,do_client=0;
d02b48c6 1558
896e4fef
BM		 1559 memset(cbuf,0,sizeof(cbuf));
1560 memset(sbuf,0,sizeof(sbuf));
1561
d02b48c6
RE		 1562 c_to_s=BIO_new(BIO_s_mem());
1563 s_to_c=BIO_new(BIO_s_mem());
1564 if ((s_to_c == NULL) || (c_to_s == NULL))
1565 {
1566 ERR_print_errors(bio_err);
1567 goto err;
1568 }
1569
1570 c_bio=BIO_new(BIO_f_ssl());
1571 s_bio=BIO_new(BIO_f_ssl());
1572 if ((c_bio == NULL) || (s_bio == NULL))
1573 {
1574 ERR_print_errors(bio_err);
1575 goto err;
1576 }
1577
1578 SSL_set_connect_state(c_ssl);
1579 SSL_set_bio(c_ssl,s_to_c,c_to_s);
58964a49 1580 BIO_set_ssl(c_bio,c_ssl,BIO_NOCLOSE);
d02b48c6
RE		 1581
1582 SSL_set_accept_state(s_ssl);
1583 SSL_set_bio(s_ssl,c_to_s,s_to_c);
58964a49 1584 BIO_set_ssl(s_bio,s_ssl,BIO_NOCLOSE);
d02b48c6
RE		 1585
1586 c_r=0; s_r=1;
1587 c_w=1; s_w=0;
d02b48c6
RE		 1588 c_write=1,s_write=0;
1589
1590 /* We can always do writes */
1591 for (;;)
1592 {
1593 do_server=0;
1594 do_client=0;
1595
1596 i=(int)BIO_pending(s_bio);
1597 if ((i && s_r) || s_w) do_server=1;
1598
1599 i=(int)BIO_pending(c_bio);
1600 if ((i && c_r) || c_w) do_client=1;
1601
58964a49 1602 if (do_server && debug)
d02b48c6
RE		 1603 {
1604 if (SSL_in_init(s_ssl))
1605 printf("server waiting in SSL_accept - %s\n",
1606 SSL_state_string_long(s_ssl));
58964a49 1607/* else if (s_write)
d02b48c6 1608 printf("server:SSL_write()\n");
58964a49
RE		 1609 else
1610 printf("server:SSL_read()\n"); */
d02b48c6
RE		 1611 }
1612
58964a49 1613 if (do_client && debug)
d02b48c6
RE		 1614 {
1615 if (SSL_in_init(c_ssl))
1616 printf("client waiting in SSL_connect - %s\n",
1617 SSL_state_string_long(c_ssl));
58964a49 1618/* else if (c_write)
d02b48c6
RE		 1619 printf("client:SSL_write()\n");
1620 else
58964a49 1621 printf("client:SSL_read()\n"); */
d02b48c6
RE		 1622 }
1623
1624 if (!do_client && !do_server)
1625 {
1626 fprintf(stdout,"ERROR IN STARTUP\n");
1627 ERR_print_errors(bio_err);
1628 break;
1629 }
1630 if (do_client && !(done & C_DONE))
1631 {
1632 if (c_write)
1633 {
27545970
GT		 1634 j = (cw_num > (long)sizeof(cbuf)) ?
1635 (int)sizeof(cbuf) : (int)cw_num;
58964a49 1636 i=BIO_write(c_bio,cbuf,j);
d02b48c6
RE		 1637 if (i < 0)
1638 {
1639 c_r=0;
1640 c_w=0;
1641 if (BIO_should_retry(c_bio))
1642 {
1643 if (BIO_should_read(c_bio))
1644 c_r=1;
1645 if (BIO_should_write(c_bio))
1646 c_w=1;
1647 }
1648 else
1649 {
1650 fprintf(stderr,"ERROR in CLIENT\n");
1651 ERR_print_errors(bio_err);
1652 goto err;
1653 }
1654 }
1655 else if (i == 0)
1656 {
1657 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1658 goto err;
1659 }
1660 else
1661 {
58964a49
RE		 1662 if (debug)
1663 printf("client wrote %d\n",i);
d02b48c6 1664 /* ok */
58964a49 1665 s_r=1;
d02b48c6 1666 c_write=0;
58964a49 1667 cw_num-=i;
d02b48c6
RE		 1668 }
1669 }
1670 else
1671 {
58964a49 1672 i=BIO_read(c_bio,cbuf,sizeof(cbuf));
d02b48c6
RE		 1673 if (i < 0)
1674 {
1675 c_r=0;
1676 c_w=0;
1677 if (BIO_should_retry(c_bio))
1678 {
1679 if (BIO_should_read(c_bio))
1680 c_r=1;
1681 if (BIO_should_write(c_bio))
1682 c_w=1;
1683 }
1684 else
1685 {
1686 fprintf(stderr,"ERROR in CLIENT\n");
1687 ERR_print_errors(bio_err);
1688 goto err;
1689 }
1690 }
1691 else if (i == 0)
1692 {
1693 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1694 goto err;
1695 }
1696 else
1697 {
58964a49
RE		 1698 if (debug)
1699 printf("client read %d\n",i);
1700 cr_num-=i;
1701 if (sw_num > 0)
1702 {
1703 s_write=1;
1704 s_w=1;
1705 }
1706 if (cr_num <= 0)
1707 {
1708 s_write=1;
1709 s_w=1;
1710 done=S_DONE|C_DONE;
1711 }
d02b48c6
RE		 1712 }
1713 }
1714 }
1715
1716 if (do_server && !(done & S_DONE))
1717 {
1718 if (!s_write)
1719 {
58964a49 1720 i=BIO_read(s_bio,sbuf,sizeof(cbuf));
d02b48c6
RE		 1721 if (i < 0)
1722 {
1723 s_r=0;
1724 s_w=0;
1725 if (BIO_should_retry(s_bio))
1726 {
1727 if (BIO_should_read(s_bio))
1728 s_r=1;
1729 if (BIO_should_write(s_bio))
1730 s_w=1;
1731 }
1732 else
1733 {
1734 fprintf(stderr,"ERROR in SERVER\n");
1735 ERR_print_errors(bio_err);
1736 goto err;
1737 }
1738 }
1739 else if (i == 0)
1740 {
1741 ERR_print_errors(bio_err);
1742 fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_read\n");
1743 goto err;
1744 }
1745 else
1746 {
58964a49
RE		 1747 if (debug)
1748 printf("server read %d\n",i);
1749 sr_num-=i;
1750 if (cw_num > 0)
1751 {
1752 c_write=1;
1753 c_w=1;
1754 }
1755 if (sr_num <= 0)
1756 {
1757 s_write=1;
1758 s_w=1;
1759 c_write=0;
1760 }
d02b48c6
RE		 1761 }
1762 }
1763 else
1764 {
27545970
GT		 1765 j = (sw_num > (long)sizeof(sbuf)) ?
1766 (int)sizeof(sbuf) : (int)sw_num;
58964a49 1767 i=BIO_write(s_bio,sbuf,j);
d02b48c6
RE		 1768 if (i < 0)
1769 {
1770 s_r=0;
1771 s_w=0;
1772 if (BIO_should_retry(s_bio))
1773 {
1774 if (BIO_should_read(s_bio))
1775 s_r=1;
1776 if (BIO_should_write(s_bio))
1777 s_w=1;
1778 }
1779 else
1780 {
1781 fprintf(stderr,"ERROR in SERVER\n");
1782 ERR_print_errors(bio_err);
1783 goto err;
1784 }
1785 }
1786 else if (i == 0)
1787 {
1788 ERR_print_errors(bio_err);
1789 fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_write\n");
1790 goto err;
1791 }
1792 else
1793 {
58964a49
RE		 1794 if (debug)
1795 printf("server wrote %d\n",i);
1796 sw_num-=i;
d02b48c6 1797 s_write=0;
58964a49
RE		 1798 c_r=1;
1799 if (sw_num <= 0)
1800 done|=S_DONE;
d02b48c6
RE		 1801 }
1802 }
1803 }
1804
1805 if ((done & S_DONE) && (done & C_DONE)) break;
1806 }
1807
58964a49 1808 if (verbose)
563f1503 1809 print_details(c_ssl, "DONE: ");
d9a268b9
BL		 1810#ifndef OPENSSL_NO_NPN
1811 if (verify_npn(c_ssl, s_ssl) < 0)
1812 {
1813 ret = 1;
1814 goto err;
1815 }
1816#endif
d02b48c6
RE		 1817 ret=0;
1818err:
1819 /* We have to set the BIO's to NULL otherwise they will be
26a3a48d 1820 * OPENSSL_free()ed twice. Once when th s_ssl is SSL_free()ed and
d02b48c6
RE		 1821 * again when c_ssl is SSL_free()ed.
1822 * This is a hack required because s_ssl and c_ssl are sharing the same
1823 * BIO structure and SSL_set_bio() and SSL_free() automatically
1824 * BIO_free non NULL entries.
1825 * You should not normally do this or be required to do this */
1826 if (s_ssl != NULL)
1827 {
1828 s_ssl->rbio=NULL;
1829 s_ssl->wbio=NULL;
1830 }
1831 if (c_ssl != NULL)
1832 {
1833 c_ssl->rbio=NULL;
1834 c_ssl->wbio=NULL;
1835 }
1836
1837 if (c_to_s != NULL) BIO_free(c_to_s);
1838 if (s_to_c != NULL) BIO_free(s_to_c);
58964a49
RE		 1839 if (c_bio != NULL) BIO_free_all(c_bio);
1840 if (s_bio != NULL) BIO_free_all(s_bio);
d02b48c6
RE		 1841 return(ret);
1842 }
1843
a7201e9a
RL		 1844static int get_proxy_auth_ex_data_idx(void)
1845 {
1846 static volatile int idx = -1;
1847 if (idx < 0)
1848 {
1849 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
1850 if (idx < 0)
1851 {
1852 idx = X509_STORE_CTX_get_ex_new_index(0,
1853 "SSLtest for verify callback", NULL,NULL,NULL);
1854 }
1855 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
1856 }
1857 return idx;
1858 }
1859
396f6314 1860static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
d02b48c6
RE		 1861 {
1862 char *s,buf[256];
1863
54a656ef
BL		 1864 s=X509_NAME_oneline(X509_get_subject_name(ctx->current_cert),buf,
1865 sizeof buf);
d02b48c6
RE		 1866 if (s != NULL)
1867 {
1868 if (ok)
a7201e9a
RL		 1869 fprintf(stderr,"depth=%d %s\n",
1870 ctx->error_depth,buf);
d02b48c6 1871 else
d9bfe4f9 1872 {
d02b48c6
RE		 1873 fprintf(stderr,"depth=%d error=%d %s\n",
1874 ctx->error_depth,ctx->error,buf);
d9bfe4f9 1875 }
d02b48c6
RE		 1876 }
1877
1878 if (ok == 0)
1879 {
d9bfe4f9
RL		 1880 fprintf(stderr,"Error string: %s\n",
1881 X509_verify_cert_error_string(ctx->error));
d02b48c6
RE		 1882 switch (ctx->error)
1883 {
1884 case X509_V_ERR_CERT_NOT_YET_VALID:
1885 case X509_V_ERR_CERT_HAS_EXPIRED:
1886 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
d9bfe4f9 1887 fprintf(stderr," ... ignored.\n");
d02b48c6
RE		 1888 ok=1;
1889 }
1890 }
1891
a7201e9a
RL		 1892 if (ok == 1)
1893 {
1894 X509 *xs = ctx->current_cert;
1895#if 0
1896 X509 *xi = ctx->current_issuer;
1897#endif
1898
1899 if (xs->ex_flags & EXFLAG_PROXY)
1900 {
1901 unsigned int *letters =
1902 X509_STORE_CTX_get_ex_data(ctx,
1903 get_proxy_auth_ex_data_idx());
1904
1905 if (letters)
1906 {
1907 int found_any = 0;
1908 int i;
1909 PROXY_CERT_INFO_EXTENSION *pci =
1910 X509_get_ext_d2i(xs, NID_proxyCertInfo,
1911 NULL, NULL);
1912
1913 switch (OBJ_obj2nid(pci->proxyPolicy->policyLanguage))
1914 {
1915 case NID_Independent:
1916 /* Completely meaningless in this
1917 program, as there's no way to
1918 grant explicit rights to a
1919 specific PrC. Basically, using
1920 id-ppl-Independent is the perfect
1921 way to grant no rights at all. */
1922 fprintf(stderr, " Independent proxy certificate");
1923 for (i = 0; i < 26; i++)
1924 letters[i] = 0;
1925 break;
1926 case NID_id_ppl_inheritAll:
1927 /* This is basically a NOP, we
1928 simply let the current rights
1929 stand as they are. */
1930 fprintf(stderr, " Proxy certificate inherits all");
1931 break;
1932 default:
1933 s = (char *)
1934 pci->proxyPolicy->policy->data;
1935 i = pci->proxyPolicy->policy->length;
1936
1937 /* The algorithm works as follows:
1938 it is assumed that previous
1939 iterations or the initial granted
1940 rights has already set some elements
1941 of `letters'. What we need to do is
1942 to clear those that weren't granted
1943 by the current PrC as well. The
1944 easiest way to do this is to add 1
1945 to all the elements whose letters
1946 are given with the current policy.
1947 That way, all elements that are set
1948 by the current policy and were
1949 already set by earlier policies and
1950 through the original grant of rights
1951 will get the value 2 or higher.
1952 The last thing to do is to sweep
1953 through `letters' and keep the
1954 elements having the value 2 as set,
1955 and clear all the others. */
1956
1957 fprintf(stderr, " Certificate proxy rights = %*.*s", i, i, s);
1958 while(i-- > 0)
1959 {
a51a9726 1960 int c = *s++;
a7201e9a
RL		 1961 if (isascii(c) && isalpha(c))
1962 {
1963 if (islower(c))
1964 c = toupper(c);
1965 letters[c - 'A']++;
1966 }
1967 }
1968 for (i = 0; i < 26; i++)
1969 if (letters[i] < 2)
1970 letters[i] = 0;
1971 else
1972 letters[i] = 1;
1973 }
1974
1975 found_any = 0;
1976 fprintf(stderr,
1977 ", resulting proxy rights = ");
1978 for(i = 0; i < 26; i++)
1979 if (letters[i])
1980 {
1981 fprintf(stderr, "%c", i + 'A');
1982 found_any = 1;
1983 }
1984 if (!found_any)
1985 fprintf(stderr, "none");
1986 fprintf(stderr, "\n");
1987
1988 PROXY_CERT_INFO_EXTENSION_free(pci);
1989 }
1990 }
1991 }
1992
d02b48c6
RE		 1993 return(ok);
1994 }
1995
a7201e9a
RL		 1996static void process_proxy_debug(int indent, const char *format, ...)
1997 {
1998 static const char indentation[] =
1999 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
2000 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"; /* That's 80 > */
2001 char my_format[256];
2002 va_list args;
2003
2004 BIO_snprintf(my_format, sizeof(my_format), "%*.*s %s",
2005 indent, indent, indentation, format);
2006
2007 va_start(args, format);
2008 vfprintf(stderr, my_format, args);
2009 va_end(args);
2010 }
2011/* Priority levels:
2012 0 [!]var, ()
2013 1 & ^
2014 2 |
2015*/
2016static int process_proxy_cond_adders(unsigned int letters[26],
2017 const char *cond, const char **cond_end, int *pos, int indent);
2018static int process_proxy_cond_val(unsigned int letters[26],
2019 const char *cond, const char **cond_end, int *pos, int indent)
2020 {
a51a9726 2021 int c;
a7201e9a
RL		 2022 int ok = 1;
2023 int negate = 0;
2024
a51a9726 2025 while(isspace((int)*cond))
a7201e9a
RL		 2026 {
2027 cond++; (*pos)++;
2028 }
2029 c = *cond;
2030
2031 if (debug)
2032 process_proxy_debug(indent,
2033 "Start process_proxy_cond_val at position %d: %s\n",
2034 *pos, cond);
2035
2036 while(c == '!')
2037 {
2038 negate = !negate;
2039 cond++; (*pos)++;
a51a9726 2040 while(isspace((int)*cond))
a7201e9a
RL		 2041 {
2042 cond++; (*pos)++;
2043 }
2044 c = *cond;
2045 }
2046
2047 if (c == '(')
2048 {
2049 cond++; (*pos)++;
2050 ok = process_proxy_cond_adders(letters, cond, cond_end, pos,
2051 indent + 1);
2052 cond = *cond_end;
2053 if (ok < 0)
2054 goto end;
a51a9726 2055 while(isspace((int)*cond))
a7201e9a
RL		 2056 {
2057 cond++; (*pos)++;
2058 }
2059 c = *cond;
2060 if (c != ')')
2061 {
2062 fprintf(stderr,
2063 "Weird condition character in position %d: "
2064 "%c\n", *pos, c);
2065 ok = -1;
2066 goto end;
2067 }
2068 cond++; (*pos)++;
2069 }
2070 else if (isascii(c) && isalpha(c))
2071 {
2072 if (islower(c))
2073 c = toupper(c);
2074 ok = letters[c - 'A'];
2075 cond++; (*pos)++;
2076 }
2077 else
2078 {
2079 fprintf(stderr,
2080 "Weird condition character in position %d: "
2081 "%c\n", *pos, c);
2082 ok = -1;
2083 goto end;
2084 }
2085 end:
2086 *cond_end = cond;
2087 if (ok >= 0 && negate)
2088 ok = !ok;
2089
2090 if (debug)
2091 process_proxy_debug(indent,
2092 "End process_proxy_cond_val at position %d: %s, returning %d\n",
2093 *pos, cond, ok);
2094
2095 return ok;
2096 }
2097static int process_proxy_cond_multipliers(unsigned int letters[26],
2098 const char *cond, const char **cond_end, int *pos, int indent)
2099 {
2100 int ok;
2101 char c;
2102
2103 if (debug)
2104 process_proxy_debug(indent,
2105 "Start process_proxy_cond_multipliers at position %d: %s\n",
2106 *pos, cond);
2107
2108 ok = process_proxy_cond_val(letters, cond, cond_end, pos, indent + 1);
2109 cond = *cond_end;
2110 if (ok < 0)
2111 goto end;
2112
2113 while(ok >= 0)
2114 {
a51a9726 2115 while(isspace((int)*cond))
a7201e9a
RL		 2116 {
2117 cond++; (*pos)++;
2118 }
2119 c = *cond;
2120
2121 switch(c)
2122 {
2123 case '&':
2124 case '^':
2125 {
2126 int save_ok = ok;
2127
2128 cond++; (*pos)++;
2129 ok = process_proxy_cond_val(letters,
2130 cond, cond_end, pos, indent + 1);
2131 cond = *cond_end;
2132 if (ok < 0)
2133 break;
2134
2135 switch(c)
2136 {
2137 case '&':
2138 ok &= save_ok;
2139 break;
2140 case '^':
2141 ok ^= save_ok;
2142 break;
2143 default:
2144 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
2145 " STOPPING\n");
2146 EXIT(1);
2147 }
2148 }
2149 break;
2150 default:
2151 goto end;
2152 }
2153 }
2154 end:
2155 if (debug)
2156 process_proxy_debug(indent,
2157 "End process_proxy_cond_multipliers at position %d: %s, returning %d\n",
2158 *pos, cond, ok);
2159
2160 *cond_end = cond;
2161 return ok;
2162 }
2163static int process_proxy_cond_adders(unsigned int letters[26],
2164 const char *cond, const char **cond_end, int *pos, int indent)
2165 {
2166 int ok;
2167 char c;
2168
2169 if (debug)
2170 process_proxy_debug(indent,
2171 "Start process_proxy_cond_adders at position %d: %s\n",
2172 *pos, cond);
2173
2174 ok = process_proxy_cond_multipliers(letters, cond, cond_end, pos,
2175 indent + 1);
2176 cond = *cond_end;
2177 if (ok < 0)
2178 goto end;
2179
2180 while(ok >= 0)
2181 {
a51a9726 2182 while(isspace((int)*cond))
a7201e9a
RL		 2183 {
2184 cond++; (*pos)++;
2185 }
2186 c = *cond;
2187
2188 switch(c)
2189 {
2190 case '|':
2191 {
2192 int save_ok = ok;
2193
2194 cond++; (*pos)++;
2195 ok = process_proxy_cond_multipliers(letters,
2196 cond, cond_end, pos, indent + 1);
2197 cond = *cond_end;
2198 if (ok < 0)
2199 break;
2200
2201 switch(c)
2202 {
2203 case '|':
2204 ok |= save_ok;
2205 break;
2206 default:
2207 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
2208 " STOPPING\n");
2209 EXIT(1);
2210 }
2211 }
2212 break;
2213 default:
2214 goto end;
2215 }
2216 }
2217 end:
2218 if (debug)
2219 process_proxy_debug(indent,
2220 "End process_proxy_cond_adders at position %d: %s, returning %d\n",
2221 *pos, cond, ok);
2222
2223 *cond_end = cond;
2224 return ok;
2225 }
2226
2227static int process_proxy_cond(unsigned int letters[26],
2228 const char *cond, const char **cond_end)
2229 {
2230 int pos = 1;
2231 return process_proxy_cond_adders(letters, cond, cond_end, &pos, 1);
2232 }
2233
023ec151
BM		 2234static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg)
2235 {
023ec151 2236 int ok=1;
a7201e9a
RL		 2237 struct app_verify_arg *cb_arg = arg;
2238 unsigned int letters[26]; /* only used with proxy_auth */
023ec151 2239
a7201e9a 2240 if (cb_arg->app_verify)
023ec151 2241 {
a7201e9a
RL		 2242 char *s = NULL,buf[256];
2243
2244 fprintf(stderr, "In app_verify_callback, allowing cert. ");
2245 fprintf(stderr, "Arg is: %s\n", cb_arg->string);
35e8510e 2246 fprintf(stderr, "Finished printing do we have a context? 0x%p a cert? 0x%p\n",
f795123c 2247 (void *)ctx, (void *)ctx->cert);
a7201e9a
RL		 2248 if (ctx->cert)
2249 s=X509_NAME_oneline(X509_get_subject_name(ctx->cert),buf,256);
2250 if (s != NULL)
2251 {
023ec151 2252 fprintf(stderr,"cert depth=%d %s\n",ctx->error_depth,buf);
a7201e9a
RL		 2253 }
2254 return(1);
2255 }
2256 if (cb_arg->proxy_auth)
2257 {
2258 int found_any = 0, i;
2259 char *sp;
2260
2261 for(i = 0; i < 26; i++)
2262 letters[i] = 0;
2263 for(sp = cb_arg->proxy_auth; *sp; sp++)
2264 {
a51a9726 2265 int c = *sp;
a7201e9a
RL		 2266 if (isascii(c) && isalpha(c))
2267 {
2268 if (islower(c))
2269 c = toupper(c);
2270 letters[c - 'A'] = 1;
2271 }
2272 }
2273
2274 fprintf(stderr,
2275 " Initial proxy rights = ");
2276 for(i = 0; i < 26; i++)
2277 if (letters[i])
2278 {
2279 fprintf(stderr, "%c", i + 'A');
2280 found_any = 1;
2281 }
2282 if (!found_any)
2283 fprintf(stderr, "none");
2284 fprintf(stderr, "\n");
2285
2286 X509_STORE_CTX_set_ex_data(ctx,
2287 get_proxy_auth_ex_data_idx(),letters);
023ec151 2288 }
d9bfe4f9
RL		 2289 if (cb_arg->allow_proxy_certs)
2290 {
2291 X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
2292 }
023ec151 2293
a7201e9a
RL		 2294#ifndef OPENSSL_NO_X509_VERIFY
2295# ifdef OPENSSL_FIPS
2296 if(s->version == TLS1_VERSION)
2297 FIPS_allow_md5(1);
2298# endif
2299 ok = X509_verify_cert(ctx);
2300# ifdef OPENSSL_FIPS
2301 if(s->version == TLS1_VERSION)
2302 FIPS_allow_md5(0);
2303# endif
2304#endif
2305
2306 if (cb_arg->proxy_auth)
2307 {
bab53405 2308 if (ok > 0)
a7201e9a
RL		 2309 {
2310 const char *cond_end = NULL;
2311
2312 ok = process_proxy_cond(letters,
2313 cb_arg->proxy_cond, &cond_end);
2314
2315 if (ok < 0)
2316 EXIT(3);
2317 if (*cond_end)
2318 {
2319 fprintf(stderr, "Stopped processing condition before it's end.\n");
2320 ok = 0;
2321 }
2322 if (!ok)
2323 fprintf(stderr, "Proxy rights check with condition '%s' proved invalid\n",
2324 cb_arg->proxy_cond);
2325 else
2326 fprintf(stderr, "Proxy rights check with condition '%s' proved valid\n",
2327 cb_arg->proxy_cond);
2328 }
2329 }
023ec151
BM		 2330 return(ok);
2331 }
2332
bc36ee62 2333#ifndef OPENSSL_NO_RSA
46b3bd54
BM		 2334static RSA *rsa_tmp=NULL;
2335
df63a389 2336static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength)
58964a49 2337 {
bcfea9fb 2338 BIGNUM *bn = NULL;
58964a49
RE		 2339 if (rsa_tmp == NULL)
2340 {
bcfea9fb 2341 bn = BN_new();
e9224c71 2342 rsa_tmp = RSA_new();
bcfea9fb 2343 if(!bn || !rsa_tmp || !BN_set_word(bn, RSA_F4))
e9224c71
GT		 2344 {
2345 BIO_printf(bio_err, "Memory error...");
2346 goto end;
2347 }
60e31c3a 2348 BIO_printf(bio_err,"Generating temp (%d bit) RSA key...",keylength);
d58d092b 2349 (void)BIO_flush(bio_err);
bcfea9fb 2350 if(!RSA_generate_key_ex(rsa_tmp,keylength,bn,NULL))
e9224c71 2351 {
3ae70939 2352 BIO_printf(bio_err, "Error generating key.");
e9224c71
GT		 2353 RSA_free(rsa_tmp);
2354 rsa_tmp = NULL;
2355 }
2356end:
58964a49 2357 BIO_printf(bio_err,"\n");
d58d092b 2358 (void)BIO_flush(bio_err);
58964a49 2359 }
bcfea9fb 2360 if(bn) BN_free(bn);
58964a49
RE		 2361 return(rsa_tmp);
2362 }
46b3bd54
BM		 2363
2364static void free_tmp_rsa(void)
2365 {
2366 if (rsa_tmp != NULL)
2367 {
2368 RSA_free(rsa_tmp);
2369 rsa_tmp = NULL;
2370 }
2371 }
79df9d62 2372#endif
53002dc6 2373
bc36ee62 2374#ifndef OPENSSL_NO_DH
e4589582
BM		 2375/* These DH parameters have been generated as follows:
2376 * $ openssl dhparam -C -noout 512
2377 * $ openssl dhparam -C -noout 1024
2378 * $ openssl dhparam -C -noout -dsaparam 1024
2379 * (The third function has been renamed to avoid name conflicts.)
2380 */
f3f316f1 2381static DH *get_dh512()
e4589582
BM		 2382 {
2383 static unsigned char dh512_p[]={
2384 0xCB,0xC8,0xE1,0x86,0xD0,0x1F,0x94,0x17,0xA6,0x99,0xF0,0xC6,
2385 0x1F,0x0D,0xAC,0xB6,0x25,0x3E,0x06,0x39,0xCA,0x72,0x04,0xB0,
2386 0x6E,0xDA,0xC0,0x61,0xE6,0x7A,0x77,0x25,0xE8,0x3B,0xB9,0x5F,
2387 0x9A,0xB6,0xB5,0xFE,0x99,0x0B,0xA1,0x93,0x4E,0x35,0x33,0xB8,
2388 0xE1,0xF1,0x13,0x4F,0x59,0x1A,0xD2,0x57,0xC0,0x26,0x21,0x33,
2389 0x02,0xC5,0xAE,0x23,
2390 };
2391 static unsigned char dh512_g[]={
2392 0x02,
2393 };
2394 DH *dh;
2395
2396 if ((dh=DH_new()) == NULL) return(NULL);
2397 dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
2398 dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
2399 if ((dh->p == NULL) || (dh->g == NULL))
2400 { DH_free(dh); return(NULL); }
2401 return(dh);
2402 }
2403
f3f316f1 2404static DH *get_dh1024()
53002dc6 2405 {
e4589582
BM		 2406 static unsigned char dh1024_p[]={
2407 0xF8,0x81,0x89,0x7D,0x14,0x24,0xC5,0xD1,0xE6,0xF7,0xBF,0x3A,
2408 0xE4,0x90,0xF4,0xFC,0x73,0xFB,0x34,0xB5,0xFA,0x4C,0x56,0xA2,
2409 0xEA,0xA7,0xE9,0xC0,0xC0,0xCE,0x89,0xE1,0xFA,0x63,0x3F,0xB0,
2410 0x6B,0x32,0x66,0xF1,0xD1,0x7B,0xB0,0x00,0x8F,0xCA,0x87,0xC2,
2411 0xAE,0x98,0x89,0x26,0x17,0xC2,0x05,0xD2,0xEC,0x08,0xD0,0x8C,
2412 0xFF,0x17,0x52,0x8C,0xC5,0x07,0x93,0x03,0xB1,0xF6,0x2F,0xB8,
2413 0x1C,0x52,0x47,0x27,0x1B,0xDB,0xD1,0x8D,0x9D,0x69,0x1D,0x52,
2414 0x4B,0x32,0x81,0xAA,0x7F,0x00,0xC8,0xDC,0xE6,0xD9,0xCC,0xC1,
2415 0x11,0x2D,0x37,0x34,0x6C,0xEA,0x02,0x97,0x4B,0x0E,0xBB,0xB1,
2416 0x71,0x33,0x09,0x15,0xFD,0xDD,0x23,0x87,0x07,0x5E,0x89,0xAB,
2417 0x6B,0x7C,0x5F,0xEC,0xA6,0x24,0xDC,0x53,
2418 };
2419 static unsigned char dh1024_g[]={
2420 0x02,
2421 };
2422 DH *dh;
2423
2424 if ((dh=DH_new()) == NULL) return(NULL);
2425 dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
2426 dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
2427 if ((dh->p == NULL) || (dh->g == NULL))
2428 { DH_free(dh); return(NULL); }
2429 return(dh);
2430 }
53002dc6 2431
f3f316f1 2432static DH *get_dh1024dsa()
e4589582
BM		 2433 {
2434 static unsigned char dh1024_p[]={
2435 0xC8,0x00,0xF7,0x08,0x07,0x89,0x4D,0x90,0x53,0xF3,0xD5,0x00,
2436 0x21,0x1B,0xF7,0x31,0xA6,0xA2,0xDA,0x23,0x9A,0xC7,0x87,0x19,
2437 0x3B,0x47,0xB6,0x8C,0x04,0x6F,0xFF,0xC6,0x9B,0xB8,0x65,0xD2,
2438 0xC2,0x5F,0x31,0x83,0x4A,0xA7,0x5F,0x2F,0x88,0x38,0xB6,0x55,
2439 0xCF,0xD9,0x87,0x6D,0x6F,0x9F,0xDA,0xAC,0xA6,0x48,0xAF,0xFC,
2440 0x33,0x84,0x37,0x5B,0x82,0x4A,0x31,0x5D,0xE7,0xBD,0x52,0x97,
2441 0xA1,0x77,0xBF,0x10,0x9E,0x37,0xEA,0x64,0xFA,0xCA,0x28,0x8D,
2442 0x9D,0x3B,0xD2,0x6E,0x09,0x5C,0x68,0xC7,0x45,0x90,0xFD,0xBB,
2443 0x70,0xC9,0x3A,0xBB,0xDF,0xD4,0x21,0x0F,0xC4,0x6A,0x3C,0xF6,
2444 0x61,0xCF,0x3F,0xD6,0x13,0xF1,0x5F,0xBC,0xCF,0xBC,0x26,0x9E,
2445 0xBC,0x0B,0xBD,0xAB,0x5D,0xC9,0x54,0x39,
2446 };
2447 static unsigned char dh1024_g[]={
2448 0x3B,0x40,0x86,0xE7,0xF3,0x6C,0xDE,0x67,0x1C,0xCC,0x80,0x05,
2449 0x5A,0xDF,0xFE,0xBD,0x20,0x27,0x74,0x6C,0x24,0xC9,0x03,0xF3,
2450 0xE1,0x8D,0xC3,0x7D,0x98,0x27,0x40,0x08,0xB8,0x8C,0x6A,0xE9,
2451 0xBB,0x1A,0x3A,0xD6,0x86,0x83,0x5E,0x72,0x41,0xCE,0x85,0x3C,
2452 0xD2,0xB3,0xFC,0x13,0xCE,0x37,0x81,0x9E,0x4C,0x1C,0x7B,0x65,
2453 0xD3,0xE6,0xA6,0x00,0xF5,0x5A,0x95,0x43,0x5E,0x81,0xCF,0x60,
2454 0xA2,0x23,0xFC,0x36,0xA7,0x5D,0x7A,0x4C,0x06,0x91,0x6E,0xF6,
2455 0x57,0xEE,0x36,0xCB,0x06,0xEA,0xF5,0x3D,0x95,0x49,0xCB,0xA7,
2456 0xDD,0x81,0xDF,0x80,0x09,0x4A,0x97,0x4D,0xA8,0x22,0x72,0xA1,
2457 0x7F,0xC4,0x70,0x56,0x70,0xE8,0x20,0x10,0x18,0x8F,0x2E,0x60,
2458 0x07,0xE7,0x68,0x1A,0x82,0x5D,0x32,0xA2,
2459 };
2460 DH *dh;
53002dc6 2461
e4589582
BM		 2462 if ((dh=DH_new()) == NULL) return(NULL);
2463 dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
2464 dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
2465 if ((dh->p == NULL) || (dh->g == NULL))
2466 { DH_free(dh); return(NULL); }
2467 dh->length = 160;
2468 return(dh);
53002dc6 2469 }
f71165b5 2470#endif
6e119bb0 2471
ddac1974
NL		 2472#ifndef OPENSSL_NO_PSK
2473/* convert the PSK key (psk_key) in ascii to binary (psk) */
2474static int psk_key2bn(const char *pskkey, unsigned char *psk,
2475 unsigned int max_psk_len)
2476 {
2477 int ret;
2478 BIGNUM *bn = NULL;
2479
2480 ret = BN_hex2bn(&bn, pskkey);
2481 if (!ret)
2482 {
2483 BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", pskkey);
2484 if (bn)
2485 BN_free(bn);
2486 return 0;
2487 }
2488 if (BN_num_bytes(bn) > (int)max_psk_len)
2489 {
2490 BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n",
2491 max_psk_len, BN_num_bytes(bn));
2492 BN_free(bn);
2493 return 0;
2494 }
2495 ret = BN_bn2bin(bn, psk);
2496 BN_free(bn);
2497 return ret;
2498 }
2499
2500static unsigned int psk_client_callback(SSL *ssl, const char *hint, char *identity,
2501 unsigned int max_identity_len, unsigned char *psk,
2502 unsigned int max_psk_len)
2503 {
2504 int ret;
2505 unsigned int psk_len = 0;
2506
e9680894 2507 ret = BIO_snprintf(identity, max_identity_len, "Client_identity");
ddac1974
NL		 2508 if (ret < 0)
2509 goto out_err;
2510 if (debug)
2511 fprintf(stderr, "client: created identity '%s' len=%d\n", identity, ret);
2512 ret = psk_key2bn(psk_key, psk, max_psk_len);
2513 if (ret < 0)
2514 goto out_err;
2515 psk_len = ret;
2516out_err:
2517 return psk_len;
2518 }
2519
2520static unsigned int psk_server_callback(SSL *ssl, const char *identity,
2521 unsigned char *psk, unsigned int max_psk_len)
2522 {
2523 unsigned int psk_len=0;
2524
2525 if (strcmp(identity, "Client_identity") != 0)
2526 {
2527 BIO_printf(bio_err, "server: PSK error: client identity not found\n");
2528 return 0;
2529 }
2530 psk_len=psk_key2bn(psk_key, psk, max_psk_len);
2531 return psk_len;
2532 }
2533#endif
2534
6e119bb0
NL		 2535static int do_test_cipherlist(void)
2536 {
2537 int i = 0;
2538 const SSL_METHOD *meth;
babb3798 2539 const SSL_CIPHER *ci, *tci = NULL;
6e119bb0 2540
00fe865d 2541#ifndef OPENSSL_NO_SSL2
6e119bb0
NL		 2542 fprintf(stderr, "testing SSLv2 cipher list order: ");
2543 meth = SSLv2_method();
2544 while ((ci = meth->get_cipher(i++)) != NULL)
2545 {
2546 if (tci != NULL)
2547 if (ci->id >= tci->id)
2548 {
2549 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2550 return 0;
2551 }
2552 tci = ci;
2553 }
2554 fprintf(stderr, "ok\n");
00fe865d
NL		 2555#endif
2556#ifndef OPENSSL_NO_SSL3
6e119bb0
NL		 2557 fprintf(stderr, "testing SSLv3 cipher list order: ");
2558 meth = SSLv3_method();
2559 tci = NULL;
2560 while ((ci = meth->get_cipher(i++)) != NULL)
2561 {
2562 if (tci != NULL)
2563 if (ci->id >= tci->id)
2564 {
2565 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2566 return 0;
2567 }
2568 tci = ci;
2569 }
2570 fprintf(stderr, "ok\n");
00fe865d
NL		 2571#endif
2572#ifndef OPENSSL_NO_TLS1
6e119bb0
NL		 2573 fprintf(stderr, "testing TLSv1 cipher list order: ");
2574 meth = TLSv1_method();
2575 tci = NULL;
2576 while ((ci = meth->get_cipher(i++)) != NULL)
2577 {
2578 if (tci != NULL)
2579 if (ci->id >= tci->id)
2580 {
2581 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2582 return 0;
2583 }
2584 tci = ci;
2585 }
2586 fprintf(stderr, "ok\n");
00fe865d 2587#endif
6e119bb0
NL		 2588
2589 return 1;
2590 }
A mirror of the official openssl repository