]> git.ipfire.org Git - thirdparty/openssl.git/blob - ssl/ssltest.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
add initial support for RFC 4279 PSK SSL ciphersuites
[thirdparty/openssl.git] / ssl / ssltest.c
1 /* ssl/ssltest.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58 /* ====================================================================
59 * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111 /* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 * ECC cipher suite support in OpenSSL originally developed by
114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
115 */
116 /* ====================================================================
117 * Copyright 2005 Nokia. All rights reserved.
118 *
119 * The portions of the attached software ("Contribution") is developed by
120 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
121 * license.
122 *
123 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
124 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
125 * support (see RFC 4279) to OpenSSL.
126 *
127 * No patent licenses or other rights except those expressly stated in
128 * the OpenSSL open source license shall be deemed granted or received
129 * expressly, by implication, estoppel, or otherwise.
130 *
131 * No assurances are provided by Nokia that the Contribution does not
132 * infringe the patent or other intellectual property rights of any third
133 * party or that the license provides you with all the necessary rights
134 * to make use of the Contribution.
135 *
136 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
137 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
138 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
139 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
140 * OTHERWISE.
141 */
142
143 #define _BSD_SOURCE 1 /* Or gethostname won't be declared properly
144 on Linux and GNU platforms. */
145
146 #include <assert.h>
147 #include <errno.h>
148 #include <limits.h>
149 #include <stdio.h>
150 #include <stdlib.h>
151 #include <string.h>
152 #include <time.h>
153
154 #define USE_SOCKETS
155 #include "e_os.h"
156
157 #define _XOPEN_SOURCE 500 /* Or isascii won't be declared properly on
158 VMS (at least with DECompHP C). */
159 #include <ctype.h>
160
161 #include <openssl/bio.h>
162 #include <openssl/crypto.h>
163 #include <openssl/evp.h>
164 #include <openssl/x509.h>
165 #include <openssl/x509v3.h>
166 #include <openssl/ssl.h>
167 #ifndef OPENSSL_NO_ENGINE
168 #include <openssl/engine.h>
169 #endif
170 #include <openssl/err.h>
171 #include <openssl/rand.h>
172 #ifndef OPENSSL_NO_RSA
173 #include <openssl/rsa.h>
174 #endif
175 #ifndef OPENSSL_NO_DSA
176 #include <openssl/dsa.h>
177 #endif
178 #ifndef OPENSSL_NO_DH
179 #include <openssl/dh.h>
180 #endif
181 #include <openssl/bn.h>
182
183 #define _XOPEN_SOURCE_EXTENDED 1 /* Or gethostname won't be declared properly
184 on Compaq platforms (at least with DEC C).
185 Do not try to put it earlier, or IPv6 includes
186 get screwed...
187 */
188
189 #ifdef OPENSSL_SYS_WINDOWS
190 #include <winsock.h>
191 #else
192 #include OPENSSL_UNISTD
193 #endif
194
195 #ifdef OPENSSL_SYS_VMS
196 # define TEST_SERVER_CERT "SYS$DISK:[-.APPS]SERVER.PEM"
197 # define TEST_CLIENT_CERT "SYS$DISK:[-.APPS]CLIENT.PEM"
198 #elif defined(OPENSSL_SYS_WINCE)
199 # define TEST_SERVER_CERT "\\OpenSSL\\server.pem"
200 # define TEST_CLIENT_CERT "\\OpenSSL\\client.pem"
201 #elif defined(OPENSSL_SYS_NETWARE)
202 # define TEST_SERVER_CERT "\\openssl\\apps\\server.pem"
203 # define TEST_CLIENT_CERT "\\openssl\\apps\\client.pem"
204 #else
205 # define TEST_SERVER_CERT "../apps/server.pem"
206 # define TEST_CLIENT_CERT "../apps/client.pem"
207 #endif
208
209 /* There is really no standard for this, so let's assign some tentative
210 numbers. In any case, these numbers are only for this test */
211 #define COMP_RLE 255
212 #define COMP_ZLIB 1
213
214 static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
215 #ifndef OPENSSL_NO_RSA
216 static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export,int keylength);
217 static void free_tmp_rsa(void);
218 #endif
219 static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg);
220 #define APP_CALLBACK_STRING "Test Callback Argument"
221 struct app_verify_arg
222 {
223 char *string;
224 int app_verify;
225 int allow_proxy_certs;
226 char *proxy_auth;
227 char *proxy_cond;
228 };
229
230 #ifndef OPENSSL_NO_DH
231 static DH *get_dh512(void);
232 static DH *get_dh1024(void);
233 static DH *get_dh1024dsa(void);
234 #endif
235
236
237 static char *psk_key=NULL; /* by default PSK is not used */
238 #ifndef OPENSSL_NO_PSK
239 static unsigned int psk_client_callback(SSL *ssl, const char *hint, char *identity,
240 unsigned int max_identity_len, unsigned char *psk,
241 unsigned int max_psk_len);
242 static unsigned int psk_server_callback(SSL *ssl, const char *identity, unsigned char *psk,
243 unsigned int max_psk_len);
244 #endif
245
246 static BIO *bio_err=NULL;
247 static BIO *bio_stdout=NULL;
248
249 static char *cipher=NULL;
250 static int verbose=0;
251 static int debug=0;
252 #if 0
253 /* Not used yet. */
254 #ifdef FIONBIO
255 static int s_nbio=0;
256 #endif
257 #endif
258
259 static const char rnd_seed[] = "string to make the random number generator think it has entropy";
260
261 int doit_biopair(SSL *s_ssl,SSL *c_ssl,long bytes,clock_t *s_time,clock_t *c_time);
262 int doit(SSL *s_ssl,SSL *c_ssl,long bytes);
263 static int do_test_cipherlist(void);
264 static void sv_usage(void)
265 {
266 fprintf(stderr,"usage: ssltest [args ...]\n");
267 fprintf(stderr,"\n");
268 fprintf(stderr," -server_auth - check server certificate\n");
269 fprintf(stderr," -client_auth - do client authentication\n");
270 fprintf(stderr," -proxy - allow proxy certificates\n");
271 fprintf(stderr," -proxy_auth <val> - set proxy policy rights\n");
272 fprintf(stderr," -proxy_cond <val> - experssion to test proxy policy rights\n");
273 fprintf(stderr," -v - more output\n");
274 fprintf(stderr," -d - debug output\n");
275 fprintf(stderr," -reuse - use session-id reuse\n");
276 fprintf(stderr," -num <val> - number of connections to perform\n");
277 fprintf(stderr," -bytes <val> - number of bytes to swap between client/server\n");
278 #ifndef OPENSSL_NO_DH
279 fprintf(stderr," -dhe1024 - use 1024 bit key (safe prime) for DHE\n");
280 fprintf(stderr," -dhe1024dsa - use 1024 bit key (with 160-bit subprime) for DHE\n");
281 fprintf(stderr," -no_dhe - disable DHE\n");
282 #endif
283 #ifndef OPENSSL_NO_ECDH
284 fprintf(stderr," -no_ecdhe - disable ECDHE\n");
285 #endif
286 #ifndef OPENSSL_NO_PSK
287 fprintf(stderr," -psk arg - PSK in hex (without 0x)\n");
288 #endif
289 #ifndef OPENSSL_NO_SSL2
290 fprintf(stderr," -ssl2 - use SSLv2\n");
291 #endif
292 #ifndef OPENSSL_NO_SSL3
293 fprintf(stderr," -ssl3 - use SSLv3\n");
294 #endif
295 #ifndef OPENSSL_NO_TLS1
296 fprintf(stderr," -tls1 - use TLSv1\n");
297 #endif
298 fprintf(stderr," -CApath arg - PEM format directory of CA's\n");
299 fprintf(stderr," -CAfile arg - PEM format file of CA's\n");
300 fprintf(stderr," -cert arg - Server certificate file\n");
301 fprintf(stderr," -key arg - Server key file (default: same as -cert)\n");
302 fprintf(stderr," -c_cert arg - Client certificate file\n");
303 fprintf(stderr," -c_key arg - Client key file (default: same as -c_cert)\n");
304 fprintf(stderr," -cipher arg - The cipher list\n");
305 fprintf(stderr," -bio_pair - Use BIO pairs\n");
306 fprintf(stderr," -f - Test even cases that can't work\n");
307 fprintf(stderr," -time - measure processor time used by client and server\n");
308 fprintf(stderr," -zlib - use zlib compression\n");
309 fprintf(stderr," -rle - use rle compression\n");
310 #ifndef OPENSSL_NO_ECDH
311 fprintf(stderr," -named_curve arg - Elliptic curve name to use for ephemeral ECDH keys.\n" \
312 " Use \"openssl ecparam -list_curves\" for all names\n" \
313 " (default is sect163r2).\n");
314 #endif
315 fprintf(stderr," -test_cipherlist - verifies the order of the ssl cipher lists\n");
316 }
317
318 static void print_details(SSL *c_ssl, const char *prefix)
319 {
320 SSL_CIPHER *ciph;
321 X509 *cert;
322
323 ciph=SSL_get_current_cipher(c_ssl);
324 BIO_printf(bio_stdout,"%s%s, cipher %s %s",
325 prefix,
326 SSL_get_version(c_ssl),
327 SSL_CIPHER_get_version(ciph),
328 SSL_CIPHER_get_name(ciph));
329 cert=SSL_get_peer_certificate(c_ssl);
330 if (cert != NULL)
331 {
332 EVP_PKEY *pkey = X509_get_pubkey(cert);
333 if (pkey != NULL)
334 {
335 if (0)
336 ;
337 #ifndef OPENSSL_NO_RSA
338 else if (pkey->type == EVP_PKEY_RSA && pkey->pkey.rsa != NULL
339 && pkey->pkey.rsa->n != NULL)
340 {
341 BIO_printf(bio_stdout, ", %d bit RSA",
342 BN_num_bits(pkey->pkey.rsa->n));
343 }
344 #endif
345 #ifndef OPENSSL_NO_DSA
346 else if (pkey->type == EVP_PKEY_DSA && pkey->pkey.dsa != NULL
347 && pkey->pkey.dsa->p != NULL)
348 {
349 BIO_printf(bio_stdout, ", %d bit DSA",
350 BN_num_bits(pkey->pkey.dsa->p));
351 }
352 #endif
353 EVP_PKEY_free(pkey);
354 }
355 X509_free(cert);
356 }
357 /* The SSL API does not allow us to look at temporary RSA/DH keys,
358 * otherwise we should print their lengths too */
359 BIO_printf(bio_stdout,"\n");
360 }
361
362 static void lock_dbg_cb(int mode, int type, const char *file, int line)
363 {
364 static int modes[CRYPTO_NUM_LOCKS]; /* = {0, 0, ... } */
365 const char *errstr = NULL;
366 int rw;
367
368 rw = mode & (CRYPTO_READ|CRYPTO_WRITE);
369 if (!((rw == CRYPTO_READ) || (rw == CRYPTO_WRITE)))
370 {
371 errstr = "invalid mode";
372 goto err;
373 }
374
375 if (type < 0 || type >= CRYPTO_NUM_LOCKS)
376 {
377 errstr = "type out of bounds";
378 goto err;
379 }
380
381 if (mode & CRYPTO_LOCK)
382 {
383 if (modes[type])
384 {
385 errstr = "already locked";
386 /* must not happen in a single-threaded program
387 * (would deadlock) */
388 goto err;
389 }
390
391 modes[type] = rw;
392 }
393 else if (mode & CRYPTO_UNLOCK)
394 {
395 if (!modes[type])
396 {
397 errstr = "not locked";
398 goto err;
399 }
400
401 if (modes[type] != rw)
402 {
403 errstr = (rw == CRYPTO_READ) ?
404 "CRYPTO_r_unlock on write lock" :
405 "CRYPTO_w_unlock on read lock";
406 }
407
408 modes[type] = 0;
409 }
410 else
411 {
412 errstr = "invalid mode";
413 goto err;
414 }
415
416 err:
417 if (errstr)
418 {
419 /* we cannot use bio_err here */
420 fprintf(stderr, "openssl (lock_dbg_cb): %s (mode=%d, type=%d) at %s:%d\n",
421 errstr, mode, type, file, line);
422 }
423 }
424
425
426 int main(int argc, char *argv[])
427 {
428 char *CApath=NULL,*CAfile=NULL;
429 int badop=0;
430 int bio_pair=0;
431 int force=0;
432 int tls1=0,ssl2=0,ssl3=0,ret=1;
433 int client_auth=0;
434 int server_auth=0,i;
435 struct app_verify_arg app_verify_arg =
436 { APP_CALLBACK_STRING, 0, 0, NULL, NULL };
437 char *server_cert=TEST_SERVER_CERT;
438 char *server_key=NULL;
439 char *client_cert=TEST_CLIENT_CERT;
440 char *client_key=NULL;
441 #ifndef OPENSSL_NO_ECDH
442 char *named_curve = NULL;
443 #endif
444 SSL_CTX *s_ctx=NULL;
445 SSL_CTX *c_ctx=NULL;
446 const SSL_METHOD *meth=NULL;
447 SSL *c_ssl,*s_ssl;
448 int number=1,reuse=0;
449 long bytes=256L;
450 #ifndef OPENSSL_NO_DH
451 DH *dh;
452 int dhe1024 = 0, dhe1024dsa = 0;
453 #endif
454 #ifndef OPENSSL_NO_ECDH
455 EC_KEY *ecdh = NULL;
456 #endif
457 int no_dhe = 0;
458 int no_ecdhe = 0;
459 int no_psk = 0;
460 int print_time = 0;
461 clock_t s_time = 0, c_time = 0;
462 int comp = 0;
463 #ifndef OPENSSL_NO_COMP
464 COMP_METHOD *cm = NULL;
465 #endif
466 STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
467 int test_cipherlist = 0;
468
469 verbose = 0;
470 debug = 0;
471 cipher = 0;
472
473 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
474
475 CRYPTO_set_locking_callback(lock_dbg_cb);
476
477 /* enable memory leak checking unless explicitly disabled */
478 if (!((getenv("OPENSSL_DEBUG_MEMORY") != NULL) && (0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off"))))
479 {
480 CRYPTO_malloc_debug_init();
481 CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
482 }
483 else
484 {
485 /* OPENSSL_DEBUG_MEMORY=off */
486 CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0);
487 }
488 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
489
490 RAND_seed(rnd_seed, sizeof rnd_seed);
491
492 bio_stdout=BIO_new_fp(stdout,BIO_NOCLOSE);
493
494 argc--;
495 argv++;
496
497 while (argc >= 1)
498 {
499 if (strcmp(*argv,"-server_auth") == 0)
500 server_auth=1;
501 else if (strcmp(*argv,"-client_auth") == 0)
502 client_auth=1;
503 else if (strcmp(*argv,"-proxy_auth") == 0)
504 {
505 if (--argc < 1) goto bad;
506 app_verify_arg.proxy_auth= *(++argv);
507 }
508 else if (strcmp(*argv,"-proxy_cond") == 0)
509 {
510 if (--argc < 1) goto bad;
511 app_verify_arg.proxy_cond= *(++argv);
512 }
513 else if (strcmp(*argv,"-v") == 0)
514 verbose=1;
515 else if (strcmp(*argv,"-d") == 0)
516 debug=1;
517 else if (strcmp(*argv,"-reuse") == 0)
518 reuse=1;
519 else if (strcmp(*argv,"-dhe1024") == 0)
520 {
521 #ifndef OPENSSL_NO_DH
522 dhe1024=1;
523 #else
524 fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n");
525 #endif
526 }
527 else if (strcmp(*argv,"-dhe1024dsa") == 0)
528 {
529 #ifndef OPENSSL_NO_DH
530 dhe1024dsa=1;
531 #else
532 fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n");
533 #endif
534 }
535 else if (strcmp(*argv,"-no_dhe") == 0)
536 no_dhe=1;
537 else if (strcmp(*argv,"-no_ecdhe") == 0)
538 no_ecdhe=1;
539 else if (strcmp(*argv,"-psk") == 0)
540 {
541 if (--argc < 1) goto bad;
542 psk_key=*(++argv);
543 #ifndef OPENSSL_NO_PSK
544 if (strspn(psk_key, "abcdefABCDEF1234567890") != strlen(psk_key))
545 {
546 BIO_printf(bio_err,"Not a hex number '%s'\n",*argv);
547 goto bad;
548 }
549 #else
550 no_psk=1;
551 #endif
552 }
553 else if (strcmp(*argv,"-ssl2") == 0)
554 ssl2=1;
555 else if (strcmp(*argv,"-tls1") == 0)
556 tls1=1;
557 else if (strcmp(*argv,"-ssl3") == 0)
558 ssl3=1;
559 else if (strncmp(*argv,"-num",4) == 0)
560 {
561 if (--argc < 1) goto bad;
562 number= atoi(*(++argv));
563 if (number == 0) number=1;
564 }
565 else if (strcmp(*argv,"-bytes") == 0)
566 {
567 if (--argc < 1) goto bad;
568 bytes= atol(*(++argv));
569 if (bytes == 0L) bytes=1L;
570 i=strlen(argv[0]);
571 if (argv[0][i-1] == 'k') bytes*=1024L;
572 if (argv[0][i-1] == 'm') bytes*=1024L*1024L;
573 }
574 else if (strcmp(*argv,"-cert") == 0)
575 {
576 if (--argc < 1) goto bad;
577 server_cert= *(++argv);
578 }
579 else if (strcmp(*argv,"-s_cert") == 0)
580 {
581 if (--argc < 1) goto bad;
582 server_cert= *(++argv);
583 }
584 else if (strcmp(*argv,"-key") == 0)
585 {
586 if (--argc < 1) goto bad;
587 server_key= *(++argv);
588 }
589 else if (strcmp(*argv,"-s_key") == 0)
590 {
591 if (--argc < 1) goto bad;
592 server_key= *(++argv);
593 }
594 else if (strcmp(*argv,"-c_cert") == 0)
595 {
596 if (--argc < 1) goto bad;
597 client_cert= *(++argv);
598 }
599 else if (strcmp(*argv,"-c_key") == 0)
600 {
601 if (--argc < 1) goto bad;
602 client_key= *(++argv);
603 }
604 else if (strcmp(*argv,"-cipher") == 0)
605 {
606 if (--argc < 1) goto bad;
607 cipher= *(++argv);
608 }
609 else if (strcmp(*argv,"-CApath") == 0)
610 {
611 if (--argc < 1) goto bad;
612 CApath= *(++argv);
613 }
614 else if (strcmp(*argv,"-CAfile") == 0)
615 {
616 if (--argc < 1) goto bad;
617 CAfile= *(++argv);
618 }
619 else if (strcmp(*argv,"-bio_pair") == 0)
620 {
621 bio_pair = 1;
622 }
623 else if (strcmp(*argv,"-f") == 0)
624 {
625 force = 1;
626 }
627 else if (strcmp(*argv,"-time") == 0)
628 {
629 print_time = 1;
630 }
631 else if (strcmp(*argv,"-zlib") == 0)
632 {
633 comp = COMP_ZLIB;
634 }
635 else if (strcmp(*argv,"-rle") == 0)
636 {
637 comp = COMP_RLE;
638 }
639 else if (strcmp(*argv,"-named_curve") == 0)
640 {
641 if (--argc < 1) goto bad;
642 #ifndef OPENSSL_NO_ECDH
643 named_curve = *(++argv);
644 #else
645 fprintf(stderr,"ignoring -named_curve, since I'm compiled without ECDH\n");
646 ++argv;
647 #endif
648 }
649 else if (strcmp(*argv,"-app_verify") == 0)
650 {
651 app_verify_arg.app_verify = 1;
652 }
653 else if (strcmp(*argv,"-proxy") == 0)
654 {
655 app_verify_arg.allow_proxy_certs = 1;
656 }
657 else if (strcmp(*argv,"-test_cipherlist") == 0)
658 {
659 test_cipherlist = 1;
660 }
661 else
662 {
663 fprintf(stderr,"unknown option %s\n",*argv);
664 badop=1;
665 break;
666 }
667 argc--;
668 argv++;
669 }
670 if (badop)
671 {
672 bad:
673 sv_usage();
674 goto end;
675 }
676
677 if (test_cipherlist == 1)
678 {
679 /* ensure that the cipher list are correctly sorted and exit */
680 if (do_test_cipherlist() == 0)
681 EXIT(1);
682 ret = 0;
683 goto end;
684 }
685
686 if (!ssl2 && !ssl3 && !tls1 && number > 1 && !reuse && !force)
687 {
688 fprintf(stderr, "This case cannot work. Use -f to perform "
689 "the test anyway (and\n-d to see what happens), "
690 "or add one of -ssl2, -ssl3, -tls1, -reuse\n"
691 "to avoid protocol mismatch.\n");
692 EXIT(1);
693 }
694
695 if (print_time)
696 {
697 if (!bio_pair)
698 {
699 fprintf(stderr, "Using BIO pair (-bio_pair)\n");
700 bio_pair = 1;
701 }
702 if (number < 50 && !force)
703 fprintf(stderr, "Warning: For accurate timings, use more connections (e.g. -num 1000)\n");
704 }
705
706 /* if (cipher == NULL) cipher=getenv("SSL_CIPHER"); */
707
708 SSL_library_init();
709 SSL_load_error_strings();
710
711 #ifndef OPENSSL_NO_COMP
712 if (comp == COMP_ZLIB) cm = COMP_zlib();
713 if (comp == COMP_RLE) cm = COMP_rle();
714 if (cm != NULL)
715 {
716 if (cm->type != NID_undef)
717 {
718 if (SSL_COMP_add_compression_method(comp, cm) != 0)
719 {
720 fprintf(stderr,
721 "Failed to add compression method\n");
722 ERR_print_errors_fp(stderr);
723 }
724 }
725 else
726 {
727 fprintf(stderr,
728 "Warning: %s compression not supported\n",
729 (comp == COMP_RLE ? "rle" :
730 (comp == COMP_ZLIB ? "zlib" :
731 "unknown")));
732 ERR_print_errors_fp(stderr);
733 }
734 }
735 ssl_comp_methods = SSL_COMP_get_compression_methods();
736 fprintf(stderr, "Available compression methods:\n");
737 {
738 int j, n = sk_SSL_COMP_num(ssl_comp_methods);
739 if (n == 0)
740 fprintf(stderr, " NONE\n");
741 else
742 for (j = 0; j < n; j++)
743 {
744 SSL_COMP *c = sk_SSL_COMP_value(ssl_comp_methods, j);
745 fprintf(stderr, " %d: %s\n", c->id, c->name);
746 }
747 }
748 #endif
749
750 #if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
751 if (ssl2)
752 meth=SSLv2_method();
753 else
754 if (tls1)
755 meth=TLSv1_method();
756 else
757 if (ssl3)
758 meth=SSLv3_method();
759 else
760 meth=SSLv23_method();
761 #else
762 #ifdef OPENSSL_NO_SSL2
763 meth=SSLv3_method();
764 #else
765 meth=SSLv2_method();
766 #endif
767 #endif
768
769 c_ctx=SSL_CTX_new(meth);
770 s_ctx=SSL_CTX_new(meth);
771 if ((c_ctx == NULL) || (s_ctx == NULL))
772 {
773 ERR_print_errors(bio_err);
774 goto end;
775 }
776
777 if (cipher != NULL)
778 {
779 SSL_CTX_set_cipher_list(c_ctx,cipher);
780 SSL_CTX_set_cipher_list(s_ctx,cipher);
781 }
782
783 #ifndef OPENSSL_NO_DH
784 if (!no_dhe)
785 {
786 if (dhe1024dsa)
787 {
788 /* use SSL_OP_SINGLE_DH_USE to avoid small subgroup attacks */
789 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);
790 dh=get_dh1024dsa();
791 }
792 else if (dhe1024)
793 dh=get_dh1024();
794 else
795 dh=get_dh512();
796 SSL_CTX_set_tmp_dh(s_ctx,dh);
797 DH_free(dh);
798 }
799 #else
800 (void)no_dhe;
801 #endif
802
803 #ifndef OPENSSL_NO_ECDH
804 if (!no_ecdhe)
805 {
806 int nid;
807
808 if (named_curve != NULL)
809 {
810 nid = OBJ_sn2nid(named_curve);
811 if (nid == 0)
812 {
813 BIO_printf(bio_err, "unknown curve name (%s)\n", named_curve);
814 goto end;
815 }
816 }
817 else
818 nid = NID_sect163r2;
819
820 ecdh = EC_KEY_new_by_curve_name(nid);
821 if (ecdh == NULL)
822 {
823 BIO_printf(bio_err, "unable to create curve\n");
824 goto end;
825 }
826
827 SSL_CTX_set_tmp_ecdh(s_ctx, ecdh);
828 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_ECDH_USE);
829 EC_KEY_free(ecdh);
830 }
831 #else
832 (void)no_ecdhe;
833 #endif
834
835 #ifndef OPENSSL_NO_RSA
836 SSL_CTX_set_tmp_rsa_callback(s_ctx,tmp_rsa_cb);
837 #endif
838
839 if (!SSL_CTX_use_certificate_file(s_ctx,server_cert,SSL_FILETYPE_PEM))
840 {
841 ERR_print_errors(bio_err);
842 }
843 else if (!SSL_CTX_use_PrivateKey_file(s_ctx,
844 (server_key?server_key:server_cert), SSL_FILETYPE_PEM))
845 {
846 ERR_print_errors(bio_err);
847 goto end;
848 }
849
850 if (client_auth)
851 {
852 SSL_CTX_use_certificate_file(c_ctx,client_cert,
853 SSL_FILETYPE_PEM);
854 SSL_CTX_use_PrivateKey_file(c_ctx,
855 (client_key?client_key:client_cert),
856 SSL_FILETYPE_PEM);
857 }
858
859 if ( (!SSL_CTX_load_verify_locations(s_ctx,CAfile,CApath)) ||
860 (!SSL_CTX_set_default_verify_paths(s_ctx)) ||
861 (!SSL_CTX_load_verify_locations(c_ctx,CAfile,CApath)) ||
862 (!SSL_CTX_set_default_verify_paths(c_ctx)))
863 {
864 /* fprintf(stderr,"SSL_load_verify_locations\n"); */
865 ERR_print_errors(bio_err);
866 /* goto end; */
867 }
868
869 if (client_auth)
870 {
871 BIO_printf(bio_err,"client authentication\n");
872 SSL_CTX_set_verify(s_ctx,
873 SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
874 verify_callback);
875 SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, &app_verify_arg);
876 }
877 if (server_auth)
878 {
879 BIO_printf(bio_err,"server authentication\n");
880 SSL_CTX_set_verify(c_ctx,SSL_VERIFY_PEER,
881 verify_callback);
882 SSL_CTX_set_cert_verify_callback(c_ctx, app_verify_callback, &app_verify_arg);
883 }
884
885 {
886 int session_id_context = 0;
887 SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context, sizeof session_id_context);
888 }
889
890 /* Use PSK only if PSK key is given */
891 if (psk_key != NULL)
892 {
893 /* no_psk is used to avoid putting psk command to openssl tool */
894 if (no_psk)
895 {
896 /* if PSK is not compiled in and psk key is
897 * given, do nothing and exit successfully */
898 ret=0;
899 goto end;
900 }
901 #ifndef OPENSSL_NO_PSK
902 SSL_CTX_set_psk_client_callback(c_ctx, psk_client_callback);
903 SSL_CTX_set_psk_server_callback(s_ctx, psk_server_callback);
904 if (debug)
905 BIO_printf(bio_err,"setting PSK identity hint to s_ctx\n");
906 if (!SSL_CTX_use_psk_identity_hint(s_ctx, "ctx server identity_hint"))
907 {
908 BIO_printf(bio_err,"error setting PSK identity hint to s_ctx\n");
909 ERR_print_errors(bio_err);
910 goto end;
911 }
912 #endif
913 }
914
915 c_ssl=SSL_new(c_ctx);
916 s_ssl=SSL_new(s_ctx);
917
918 #ifndef OPENSSL_NO_KRB5
919 if (c_ssl && c_ssl->kssl_ctx)
920 {
921 char localhost[MAXHOSTNAMELEN+2];
922
923 if (gethostname(localhost, sizeof localhost-1) == 0)
924 {
925 localhost[sizeof localhost-1]='\0';
926 if(strlen(localhost) == sizeof localhost-1)
927 {
928 BIO_printf(bio_err,"localhost name too long\n");
929 goto end;
930 }
931 kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER,
932 localhost);
933 }
934 }
935 #endif /* OPENSSL_NO_KRB5 */
936
937 for (i=0; i<number; i++)
938 {
939 if (!reuse) SSL_set_session(c_ssl,NULL);
940 if (bio_pair)
941 ret=doit_biopair(s_ssl,c_ssl,bytes,&s_time,&c_time);
942 else
943 ret=doit(s_ssl,c_ssl,bytes);
944 }
945
946 if (!verbose)
947 {
948 print_details(c_ssl, "");
949 }
950 if ((number > 1) || (bytes > 1L))
951 BIO_printf(bio_stdout, "%d handshakes of %ld bytes done\n",number,bytes);
952 if (print_time)
953 {
954 #ifdef CLOCKS_PER_SEC
955 /* "To determine the time in seconds, the value returned
956 * by the clock function should be divided by the value
957 * of the macro CLOCKS_PER_SEC."
958 * -- ISO/IEC 9899 */
959 BIO_printf(bio_stdout, "Approximate total server time: %6.2f s\n"
960 "Approximate total client time: %6.2f s\n",
961 (double)s_time/CLOCKS_PER_SEC,
962 (double)c_time/CLOCKS_PER_SEC);
963 #else
964 /* "`CLOCKS_PER_SEC' undeclared (first use this function)"
965 * -- cc on NeXTstep/OpenStep */
966 BIO_printf(bio_stdout,
967 "Approximate total server time: %6.2f units\n"
968 "Approximate total client time: %6.2f units\n",
969 (double)s_time,
970 (double)c_time);
971 #endif
972 }
973
974 SSL_free(s_ssl);
975 SSL_free(c_ssl);
976
977 end:
978 if (s_ctx != NULL) SSL_CTX_free(s_ctx);
979 if (c_ctx != NULL) SSL_CTX_free(c_ctx);
980
981 if (bio_stdout != NULL) BIO_free(bio_stdout);
982
983 #ifndef OPENSSL_NO_RSA
984 free_tmp_rsa();
985 #endif
986 #ifndef OPENSSL_NO_ENGINE
987 ENGINE_cleanup();
988 #endif
989 CRYPTO_cleanup_all_ex_data();
990 ERR_free_strings();
991 ERR_remove_state(0);
992 EVP_cleanup();
993 CRYPTO_mem_leaks(bio_err);
994 if (bio_err != NULL) BIO_free(bio_err);
995 EXIT(ret);
996 return ret;
997 }
998
999 int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count,
1000 clock_t *s_time, clock_t *c_time)
1001 {
1002 long cw_num = count, cr_num = count, sw_num = count, sr_num = count;
1003 BIO *s_ssl_bio = NULL, *c_ssl_bio = NULL;
1004 BIO *server = NULL, *server_io = NULL, *client = NULL, *client_io = NULL;
1005 int ret = 1;
1006
1007 size_t bufsiz = 256; /* small buffer for testing */
1008
1009 if (!BIO_new_bio_pair(&server, bufsiz, &server_io, bufsiz))
1010 goto err;
1011 if (!BIO_new_bio_pair(&client, bufsiz, &client_io, bufsiz))
1012 goto err;
1013
1014 s_ssl_bio = BIO_new(BIO_f_ssl());
1015 if (!s_ssl_bio)
1016 goto err;
1017
1018 c_ssl_bio = BIO_new(BIO_f_ssl());
1019 if (!c_ssl_bio)
1020 goto err;
1021
1022 SSL_set_connect_state(c_ssl);
1023 SSL_set_bio(c_ssl, client, client);
1024 (void)BIO_set_ssl(c_ssl_bio, c_ssl, BIO_NOCLOSE);
1025
1026 SSL_set_accept_state(s_ssl);
1027 SSL_set_bio(s_ssl, server, server);
1028 (void)BIO_set_ssl(s_ssl_bio, s_ssl, BIO_NOCLOSE);
1029
1030 do
1031 {
1032 /* c_ssl_bio: SSL filter BIO
1033 *
1034 * client: pseudo-I/O for SSL library
1035 *
1036 * client_io: client's SSL communication; usually to be
1037 * relayed over some I/O facility, but in this
1038 * test program, we're the server, too:
1039 *
1040 * server_io: server's SSL communication
1041 *
1042 * server: pseudo-I/O for SSL library
1043 *
1044 * s_ssl_bio: SSL filter BIO
1045 *
1046 * The client and the server each employ a "BIO pair":
1047 * client + client_io, server + server_io.
1048 * BIO pairs are symmetric. A BIO pair behaves similar
1049 * to a non-blocking socketpair (but both endpoints must
1050 * be handled by the same thread).
1051 * [Here we could connect client and server to the ends
1052 * of a single BIO pair, but then this code would be less
1053 * suitable as an example for BIO pairs in general.]
1054 *
1055 * Useful functions for querying the state of BIO pair endpoints:
1056 *
1057 * BIO_ctrl_pending(bio) number of bytes we can read now
1058 * BIO_ctrl_get_read_request(bio) number of bytes needed to fulfil
1059 * other side's read attempt
1060 * BIO_ctrl_get_write_guarantee(bio) number of bytes we can write now
1061 *
1062 * ..._read_request is never more than ..._write_guarantee;
1063 * it depends on the application which one you should use.
1064 */
1065
1066 /* We have non-blocking behaviour throughout this test program, but
1067 * can be sure that there is *some* progress in each iteration; so
1068 * we don't have to worry about ..._SHOULD_READ or ..._SHOULD_WRITE
1069 * -- we just try everything in each iteration
1070 */
1071
1072 {
1073 /* CLIENT */
1074
1075 MS_STATIC char cbuf[1024*8];
1076 int i, r;
1077 clock_t c_clock = clock();
1078
1079 memset(cbuf, 0, sizeof(cbuf));
1080
1081 if (debug)
1082 if (SSL_in_init(c_ssl))
1083 printf("client waiting in SSL_connect - %s\n",
1084 SSL_state_string_long(c_ssl));
1085
1086 if (cw_num > 0)
1087 {
1088 /* Write to server. */
1089
1090 if (cw_num > (long)sizeof cbuf)
1091 i = sizeof cbuf;
1092 else
1093 i = (int)cw_num;
1094 r = BIO_write(c_ssl_bio, cbuf, i);
1095 if (r < 0)
1096 {
1097 if (!BIO_should_retry(c_ssl_bio))
1098 {
1099 fprintf(stderr,"ERROR in CLIENT\n");
1100 goto err;
1101 }
1102 /* BIO_should_retry(...) can just be ignored here.
1103 * The library expects us to call BIO_write with
1104 * the same arguments again, and that's what we will
1105 * do in the next iteration. */
1106 }
1107 else if (r == 0)
1108 {
1109 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1110 goto err;
1111 }
1112 else
1113 {
1114 if (debug)
1115 printf("client wrote %d\n", r);
1116 cw_num -= r;
1117 }
1118 }
1119
1120 if (cr_num > 0)
1121 {
1122 /* Read from server. */
1123
1124 r = BIO_read(c_ssl_bio, cbuf, sizeof(cbuf));
1125 if (r < 0)
1126 {
1127 if (!BIO_should_retry(c_ssl_bio))
1128 {
1129 fprintf(stderr,"ERROR in CLIENT\n");
1130 goto err;
1131 }
1132 /* Again, "BIO_should_retry" can be ignored. */
1133 }
1134 else if (r == 0)
1135 {
1136 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1137 goto err;
1138 }
1139 else
1140 {
1141 if (debug)
1142 printf("client read %d\n", r);
1143 cr_num -= r;
1144 }
1145 }
1146
1147 /* c_time and s_time increments will typically be very small
1148 * (depending on machine speed and clock tick intervals),
1149 * but sampling over a large number of connections should
1150 * result in fairly accurate figures. We cannot guarantee
1151 * a lot, however -- if each connection lasts for exactly
1152 * one clock tick, it will be counted only for the client
1153 * or only for the server or even not at all.
1154 */
1155 *c_time += (clock() - c_clock);
1156 }
1157
1158 {
1159 /* SERVER */
1160
1161 MS_STATIC char sbuf[1024*8];
1162 int i, r;
1163 clock_t s_clock = clock();
1164
1165 memset(sbuf, 0, sizeof(sbuf));
1166
1167 if (debug)
1168 if (SSL_in_init(s_ssl))
1169 printf("server waiting in SSL_accept - %s\n",
1170 SSL_state_string_long(s_ssl));
1171
1172 if (sw_num > 0)
1173 {
1174 /* Write to client. */
1175
1176 if (sw_num > (long)sizeof sbuf)
1177 i = sizeof sbuf;
1178 else
1179 i = (int)sw_num;
1180 r = BIO_write(s_ssl_bio, sbuf, i);
1181 if (r < 0)
1182 {
1183 if (!BIO_should_retry(s_ssl_bio))
1184 {
1185 fprintf(stderr,"ERROR in SERVER\n");
1186 goto err;
1187 }
1188 /* Ignore "BIO_should_retry". */
1189 }
1190 else if (r == 0)
1191 {
1192 fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
1193 goto err;
1194 }
1195 else
1196 {
1197 if (debug)
1198 printf("server wrote %d\n", r);
1199 sw_num -= r;
1200 }
1201 }
1202
1203 if (sr_num > 0)
1204 {
1205 /* Read from client. */
1206
1207 r = BIO_read(s_ssl_bio, sbuf, sizeof(sbuf));
1208 if (r < 0)
1209 {
1210 if (!BIO_should_retry(s_ssl_bio))
1211 {
1212 fprintf(stderr,"ERROR in SERVER\n");
1213 goto err;
1214 }
1215 /* blah, blah */
1216 }
1217 else if (r == 0)
1218 {
1219 fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
1220 goto err;
1221 }
1222 else
1223 {
1224 if (debug)
1225 printf("server read %d\n", r);
1226 sr_num -= r;
1227 }
1228 }
1229
1230 *s_time += (clock() - s_clock);
1231 }
1232
1233 {
1234 /* "I/O" BETWEEN CLIENT AND SERVER. */
1235
1236 size_t r1, r2;
1237 BIO *io1 = server_io, *io2 = client_io;
1238 /* we use the non-copying interface for io1
1239 * and the standard BIO_write/BIO_read interface for io2
1240 */
1241
1242 static int prev_progress = 1;
1243 int progress = 0;
1244
1245 /* io1 to io2 */
1246 do
1247 {
1248 size_t num;
1249 int r;
1250
1251 r1 = BIO_ctrl_pending(io1);
1252 r2 = BIO_ctrl_get_write_guarantee(io2);
1253
1254 num = r1;
1255 if (r2 < num)
1256 num = r2;
1257 if (num)
1258 {
1259 char *dataptr;
1260
1261 if (INT_MAX < num) /* yeah, right */
1262 num = INT_MAX;
1263
1264 r = BIO_nread(io1, &dataptr, (int)num);
1265 assert(r > 0);
1266 assert(r <= (int)num);
1267 /* possibly r < num (non-contiguous data) */
1268 num = r;
1269 r = BIO_write(io2, dataptr, (int)num);
1270 if (r != (int)num) /* can't happen */
1271 {
1272 fprintf(stderr, "ERROR: BIO_write could not write "
1273 "BIO_ctrl_get_write_guarantee() bytes");
1274 goto err;
1275 }
1276 progress = 1;
1277
1278 if (debug)
1279 printf((io1 == client_io) ?
1280 "C->S relaying: %d bytes\n" :
1281 "S->C relaying: %d bytes\n",
1282 (int)num);
1283 }
1284 }
1285 while (r1 && r2);
1286
1287 /* io2 to io1 */
1288 {
1289 size_t num;
1290 int r;
1291
1292 r1 = BIO_ctrl_pending(io2);
1293 r2 = BIO_ctrl_get_read_request(io1);
1294 /* here we could use ..._get_write_guarantee instead of
1295 * ..._get_read_request, but by using the latter
1296 * we test restartability of the SSL implementation
1297 * more thoroughly */
1298 num = r1;
1299 if (r2 < num)
1300 num = r2;
1301 if (num)
1302 {
1303 char *dataptr;
1304
1305 if (INT_MAX < num)
1306 num = INT_MAX;
1307
1308 if (num > 1)
1309 --num; /* test restartability even more thoroughly */
1310
1311 r = BIO_nwrite0(io1, &dataptr);
1312 assert(r > 0);
1313 if (r < (int)num)
1314 num = r;
1315 r = BIO_read(io2, dataptr, (int)num);
1316 if (r != (int)num) /* can't happen */
1317 {
1318 fprintf(stderr, "ERROR: BIO_read could not read "
1319 "BIO_ctrl_pending() bytes");
1320 goto err;
1321 }
1322 progress = 1;
1323 r = BIO_nwrite(io1, &dataptr, (int)num);
1324 if (r != (int)num) /* can't happen */
1325 {
1326 fprintf(stderr, "ERROR: BIO_nwrite() did not accept "
1327 "BIO_nwrite0() bytes");
1328 goto err;
1329 }
1330
1331 if (debug)
1332 printf((io2 == client_io) ?
1333 "C->S relaying: %d bytes\n" :
1334 "S->C relaying: %d bytes\n",
1335 (int)num);
1336 }
1337 } /* no loop, BIO_ctrl_get_read_request now returns 0 anyway */
1338
1339 if (!progress && !prev_progress)
1340 if (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0)
1341 {
1342 fprintf(stderr, "ERROR: got stuck\n");
1343 if (strcmp("SSLv2", SSL_get_version(c_ssl)) == 0)
1344 {
1345 fprintf(stderr, "This can happen for SSL2 because "
1346 "CLIENT-FINISHED and SERVER-VERIFY are written \n"
1347 "concurrently ...");
1348 if (strncmp("2SCF", SSL_state_string(c_ssl), 4) == 0
1349 && strncmp("2SSV", SSL_state_string(s_ssl), 4) == 0)
1350 {
1351 fprintf(stderr, " ok.\n");
1352 goto end;
1353 }
1354 }
1355 fprintf(stderr, " ERROR.\n");
1356 goto err;
1357 }
1358 prev_progress = progress;
1359 }
1360 }
1361 while (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0);
1362
1363 if (verbose)
1364 print_details(c_ssl, "DONE via BIO pair: ");
1365 end:
1366 ret = 0;
1367
1368 err:
1369 ERR_print_errors(bio_err);
1370
1371 if (server)
1372 BIO_free(server);
1373 if (server_io)
1374 BIO_free(server_io);
1375 if (client)
1376 BIO_free(client);
1377 if (client_io)
1378 BIO_free(client_io);
1379 if (s_ssl_bio)
1380 BIO_free(s_ssl_bio);
1381 if (c_ssl_bio)
1382 BIO_free(c_ssl_bio);
1383
1384 return ret;
1385 }
1386
1387
1388 #define W_READ 1
1389 #define W_WRITE 2
1390 #define C_DONE 1
1391 #define S_DONE 2
1392
1393 int doit(SSL *s_ssl, SSL *c_ssl, long count)
1394 {
1395 MS_STATIC char cbuf[1024*8],sbuf[1024*8];
1396 long cw_num=count,cr_num=count;
1397 long sw_num=count,sr_num=count;
1398 int ret=1;
1399 BIO *c_to_s=NULL;
1400 BIO *s_to_c=NULL;
1401 BIO *c_bio=NULL;
1402 BIO *s_bio=NULL;
1403 int c_r,c_w,s_r,s_w;
1404 int c_want,s_want;
1405 int i,j;
1406 int done=0;
1407 int c_write,s_write;
1408 int do_server=0,do_client=0;
1409
1410 memset(cbuf,0,sizeof(cbuf));
1411 memset(sbuf,0,sizeof(sbuf));
1412
1413 c_to_s=BIO_new(BIO_s_mem());
1414 s_to_c=BIO_new(BIO_s_mem());
1415 if ((s_to_c == NULL) || (c_to_s == NULL))
1416 {
1417 ERR_print_errors(bio_err);
1418 goto err;
1419 }
1420
1421 c_bio=BIO_new(BIO_f_ssl());
1422 s_bio=BIO_new(BIO_f_ssl());
1423 if ((c_bio == NULL) || (s_bio == NULL))
1424 {
1425 ERR_print_errors(bio_err);
1426 goto err;
1427 }
1428
1429 SSL_set_connect_state(c_ssl);
1430 SSL_set_bio(c_ssl,s_to_c,c_to_s);
1431 BIO_set_ssl(c_bio,c_ssl,BIO_NOCLOSE);
1432
1433 SSL_set_accept_state(s_ssl);
1434 SSL_set_bio(s_ssl,c_to_s,s_to_c);
1435 BIO_set_ssl(s_bio,s_ssl,BIO_NOCLOSE);
1436
1437 c_r=0; s_r=1;
1438 c_w=1; s_w=0;
1439 c_want=W_WRITE;
1440 s_want=0;
1441 c_write=1,s_write=0;
1442
1443 /* We can always do writes */
1444 for (;;)
1445 {
1446 do_server=0;
1447 do_client=0;
1448
1449 i=(int)BIO_pending(s_bio);
1450 if ((i && s_r) || s_w) do_server=1;
1451
1452 i=(int)BIO_pending(c_bio);
1453 if ((i && c_r) || c_w) do_client=1;
1454
1455 if (do_server && debug)
1456 {
1457 if (SSL_in_init(s_ssl))
1458 printf("server waiting in SSL_accept - %s\n",
1459 SSL_state_string_long(s_ssl));
1460 /* else if (s_write)
1461 printf("server:SSL_write()\n");
1462 else
1463 printf("server:SSL_read()\n"); */
1464 }
1465
1466 if (do_client && debug)
1467 {
1468 if (SSL_in_init(c_ssl))
1469 printf("client waiting in SSL_connect - %s\n",
1470 SSL_state_string_long(c_ssl));
1471 /* else if (c_write)
1472 printf("client:SSL_write()\n");
1473 else
1474 printf("client:SSL_read()\n"); */
1475 }
1476
1477 if (!do_client && !do_server)
1478 {
1479 fprintf(stdout,"ERROR IN STARTUP\n");
1480 ERR_print_errors(bio_err);
1481 break;
1482 }
1483 if (do_client && !(done & C_DONE))
1484 {
1485 if (c_write)
1486 {
1487 j = (cw_num > (long)sizeof(cbuf)) ?
1488 (int)sizeof(cbuf) : (int)cw_num;
1489 i=BIO_write(c_bio,cbuf,j);
1490 if (i < 0)
1491 {
1492 c_r=0;
1493 c_w=0;
1494 if (BIO_should_retry(c_bio))
1495 {
1496 if (BIO_should_read(c_bio))
1497 c_r=1;
1498 if (BIO_should_write(c_bio))
1499 c_w=1;
1500 }
1501 else
1502 {
1503 fprintf(stderr,"ERROR in CLIENT\n");
1504 ERR_print_errors(bio_err);
1505 goto err;
1506 }
1507 }
1508 else if (i == 0)
1509 {
1510 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1511 goto err;
1512 }
1513 else
1514 {
1515 if (debug)
1516 printf("client wrote %d\n",i);
1517 /* ok */
1518 s_r=1;
1519 c_write=0;
1520 cw_num-=i;
1521 }
1522 }
1523 else
1524 {
1525 i=BIO_read(c_bio,cbuf,sizeof(cbuf));
1526 if (i < 0)
1527 {
1528 c_r=0;
1529 c_w=0;
1530 if (BIO_should_retry(c_bio))
1531 {
1532 if (BIO_should_read(c_bio))
1533 c_r=1;
1534 if (BIO_should_write(c_bio))
1535 c_w=1;
1536 }
1537 else
1538 {
1539 fprintf(stderr,"ERROR in CLIENT\n");
1540 ERR_print_errors(bio_err);
1541 goto err;
1542 }
1543 }
1544 else if (i == 0)
1545 {
1546 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1547 goto err;
1548 }
1549 else
1550 {
1551 if (debug)
1552 printf("client read %d\n",i);
1553 cr_num-=i;
1554 if (sw_num > 0)
1555 {
1556 s_write=1;
1557 s_w=1;
1558 }
1559 if (cr_num <= 0)
1560 {
1561 s_write=1;
1562 s_w=1;
1563 done=S_DONE|C_DONE;
1564 }
1565 }
1566 }
1567 }
1568
1569 if (do_server && !(done & S_DONE))
1570 {
1571 if (!s_write)
1572 {
1573 i=BIO_read(s_bio,sbuf,sizeof(cbuf));
1574 if (i < 0)
1575 {
1576 s_r=0;
1577 s_w=0;
1578 if (BIO_should_retry(s_bio))
1579 {
1580 if (BIO_should_read(s_bio))
1581 s_r=1;
1582 if (BIO_should_write(s_bio))
1583 s_w=1;
1584 }
1585 else
1586 {
1587 fprintf(stderr,"ERROR in SERVER\n");
1588 ERR_print_errors(bio_err);
1589 goto err;
1590 }
1591 }
1592 else if (i == 0)
1593 {
1594 ERR_print_errors(bio_err);
1595 fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_read\n");
1596 goto err;
1597 }
1598 else
1599 {
1600 if (debug)
1601 printf("server read %d\n",i);
1602 sr_num-=i;
1603 if (cw_num > 0)
1604 {
1605 c_write=1;
1606 c_w=1;
1607 }
1608 if (sr_num <= 0)
1609 {
1610 s_write=1;
1611 s_w=1;
1612 c_write=0;
1613 }
1614 }
1615 }
1616 else
1617 {
1618 j = (sw_num > (long)sizeof(sbuf)) ?
1619 (int)sizeof(sbuf) : (int)sw_num;
1620 i=BIO_write(s_bio,sbuf,j);
1621 if (i < 0)
1622 {
1623 s_r=0;
1624 s_w=0;
1625 if (BIO_should_retry(s_bio))
1626 {
1627 if (BIO_should_read(s_bio))
1628 s_r=1;
1629 if (BIO_should_write(s_bio))
1630 s_w=1;
1631 }
1632 else
1633 {
1634 fprintf(stderr,"ERROR in SERVER\n");
1635 ERR_print_errors(bio_err);
1636 goto err;
1637 }
1638 }
1639 else if (i == 0)
1640 {
1641 ERR_print_errors(bio_err);
1642 fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_write\n");
1643 goto err;
1644 }
1645 else
1646 {
1647 if (debug)
1648 printf("server wrote %d\n",i);
1649 sw_num-=i;
1650 s_write=0;
1651 c_r=1;
1652 if (sw_num <= 0)
1653 done|=S_DONE;
1654 }
1655 }
1656 }
1657
1658 if ((done & S_DONE) && (done & C_DONE)) break;
1659 }
1660
1661 if (verbose)
1662 print_details(c_ssl, "DONE: ");
1663 ret=0;
1664 err:
1665 /* We have to set the BIO's to NULL otherwise they will be
1666 * OPENSSL_free()ed twice. Once when th s_ssl is SSL_free()ed and
1667 * again when c_ssl is SSL_free()ed.
1668 * This is a hack required because s_ssl and c_ssl are sharing the same
1669 * BIO structure and SSL_set_bio() and SSL_free() automatically
1670 * BIO_free non NULL entries.
1671 * You should not normally do this or be required to do this */
1672 if (s_ssl != NULL)
1673 {
1674 s_ssl->rbio=NULL;
1675 s_ssl->wbio=NULL;
1676 }
1677 if (c_ssl != NULL)
1678 {
1679 c_ssl->rbio=NULL;
1680 c_ssl->wbio=NULL;
1681 }
1682
1683 if (c_to_s != NULL) BIO_free(c_to_s);
1684 if (s_to_c != NULL) BIO_free(s_to_c);
1685 if (c_bio != NULL) BIO_free_all(c_bio);
1686 if (s_bio != NULL) BIO_free_all(s_bio);
1687 return(ret);
1688 }
1689
1690 static int get_proxy_auth_ex_data_idx(void)
1691 {
1692 static volatile int idx = -1;
1693 if (idx < 0)
1694 {
1695 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
1696 if (idx < 0)
1697 {
1698 idx = X509_STORE_CTX_get_ex_new_index(0,
1699 "SSLtest for verify callback", NULL,NULL,NULL);
1700 }
1701 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
1702 }
1703 return idx;
1704 }
1705
1706 static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
1707 {
1708 char *s,buf[256];
1709
1710 s=X509_NAME_oneline(X509_get_subject_name(ctx->current_cert),buf,
1711 sizeof buf);
1712 if (s != NULL)
1713 {
1714 if (ok)
1715 fprintf(stderr,"depth=%d %s\n",
1716 ctx->error_depth,buf);
1717 else
1718 {
1719 fprintf(stderr,"depth=%d error=%d %s\n",
1720 ctx->error_depth,ctx->error,buf);
1721 }
1722 }
1723
1724 if (ok == 0)
1725 {
1726 fprintf(stderr,"Error string: %s\n",
1727 X509_verify_cert_error_string(ctx->error));
1728 switch (ctx->error)
1729 {
1730 case X509_V_ERR_CERT_NOT_YET_VALID:
1731 case X509_V_ERR_CERT_HAS_EXPIRED:
1732 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
1733 fprintf(stderr," ... ignored.\n");
1734 ok=1;
1735 }
1736 }
1737
1738 if (ok == 1)
1739 {
1740 X509 *xs = ctx->current_cert;
1741 #if 0
1742 X509 *xi = ctx->current_issuer;
1743 #endif
1744
1745 if (xs->ex_flags & EXFLAG_PROXY)
1746 {
1747 unsigned int *letters =
1748 X509_STORE_CTX_get_ex_data(ctx,
1749 get_proxy_auth_ex_data_idx());
1750
1751 if (letters)
1752 {
1753 int found_any = 0;
1754 int i;
1755 PROXY_CERT_INFO_EXTENSION *pci =
1756 X509_get_ext_d2i(xs, NID_proxyCertInfo,
1757 NULL, NULL);
1758
1759 switch (OBJ_obj2nid(pci->proxyPolicy->policyLanguage))
1760 {
1761 case NID_Independent:
1762 /* Completely meaningless in this
1763 program, as there's no way to
1764 grant explicit rights to a
1765 specific PrC. Basically, using
1766 id-ppl-Independent is the perfect
1767 way to grant no rights at all. */
1768 fprintf(stderr, " Independent proxy certificate");
1769 for (i = 0; i < 26; i++)
1770 letters[i] = 0;
1771 break;
1772 case NID_id_ppl_inheritAll:
1773 /* This is basically a NOP, we
1774 simply let the current rights
1775 stand as they are. */
1776 fprintf(stderr, " Proxy certificate inherits all");
1777 break;
1778 default:
1779 s = (char *)
1780 pci->proxyPolicy->policy->data;
1781 i = pci->proxyPolicy->policy->length;
1782
1783 /* The algorithm works as follows:
1784 it is assumed that previous
1785 iterations or the initial granted
1786 rights has already set some elements
1787 of `letters'. What we need to do is
1788 to clear those that weren't granted
1789 by the current PrC as well. The
1790 easiest way to do this is to add 1
1791 to all the elements whose letters
1792 are given with the current policy.
1793 That way, all elements that are set
1794 by the current policy and were
1795 already set by earlier policies and
1796 through the original grant of rights
1797 will get the value 2 or higher.
1798 The last thing to do is to sweep
1799 through `letters' and keep the
1800 elements having the value 2 as set,
1801 and clear all the others. */
1802
1803 fprintf(stderr, " Certificate proxy rights = %*.*s", i, i, s);
1804 while(i-- > 0)
1805 {
1806 int c = *s++;
1807 if (isascii(c) && isalpha(c))
1808 {
1809 if (islower(c))
1810 c = toupper(c);
1811 letters[c - 'A']++;
1812 }
1813 }
1814 for (i = 0; i < 26; i++)
1815 if (letters[i] < 2)
1816 letters[i] = 0;
1817 else
1818 letters[i] = 1;
1819 }
1820
1821 found_any = 0;
1822 fprintf(stderr,
1823 ", resulting proxy rights = ");
1824 for(i = 0; i < 26; i++)
1825 if (letters[i])
1826 {
1827 fprintf(stderr, "%c", i + 'A');
1828 found_any = 1;
1829 }
1830 if (!found_any)
1831 fprintf(stderr, "none");
1832 fprintf(stderr, "\n");
1833
1834 PROXY_CERT_INFO_EXTENSION_free(pci);
1835 }
1836 }
1837 }
1838
1839 return(ok);
1840 }
1841
1842 static void process_proxy_debug(int indent, const char *format, ...)
1843 {
1844 static const char indentation[] =
1845 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
1846 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"; /* That's 80 > */
1847 char my_format[256];
1848 va_list args;
1849
1850 BIO_snprintf(my_format, sizeof(my_format), "%*.*s %s",
1851 indent, indent, indentation, format);
1852
1853 va_start(args, format);
1854 vfprintf(stderr, my_format, args);
1855 va_end(args);
1856 }
1857 /* Priority levels:
1858 0 [!]var, ()
1859 1 & ^
1860 2 |
1861 */
1862 static int process_proxy_cond_adders(unsigned int letters[26],
1863 const char *cond, const char **cond_end, int *pos, int indent);
1864 static int process_proxy_cond_val(unsigned int letters[26],
1865 const char *cond, const char **cond_end, int *pos, int indent)
1866 {
1867 int c;
1868 int ok = 1;
1869 int negate = 0;
1870
1871 while(isspace((int)*cond))
1872 {
1873 cond++; (*pos)++;
1874 }
1875 c = *cond;
1876
1877 if (debug)
1878 process_proxy_debug(indent,
1879 "Start process_proxy_cond_val at position %d: %s\n",
1880 *pos, cond);
1881
1882 while(c == '!')
1883 {
1884 negate = !negate;
1885 cond++; (*pos)++;
1886 while(isspace((int)*cond))
1887 {
1888 cond++; (*pos)++;
1889 }
1890 c = *cond;
1891 }
1892
1893 if (c == '(')
1894 {
1895 cond++; (*pos)++;
1896 ok = process_proxy_cond_adders(letters, cond, cond_end, pos,
1897 indent + 1);
1898 cond = *cond_end;
1899 if (ok < 0)
1900 goto end;
1901 while(isspace((int)*cond))
1902 {
1903 cond++; (*pos)++;
1904 }
1905 c = *cond;
1906 if (c != ')')
1907 {
1908 fprintf(stderr,
1909 "Weird condition character in position %d: "
1910 "%c\n", *pos, c);
1911 ok = -1;
1912 goto end;
1913 }
1914 cond++; (*pos)++;
1915 }
1916 else if (isascii(c) && isalpha(c))
1917 {
1918 if (islower(c))
1919 c = toupper(c);
1920 ok = letters[c - 'A'];
1921 cond++; (*pos)++;
1922 }
1923 else
1924 {
1925 fprintf(stderr,
1926 "Weird condition character in position %d: "
1927 "%c\n", *pos, c);
1928 ok = -1;
1929 goto end;
1930 }
1931 end:
1932 *cond_end = cond;
1933 if (ok >= 0 && negate)
1934 ok = !ok;
1935
1936 if (debug)
1937 process_proxy_debug(indent,
1938 "End process_proxy_cond_val at position %d: %s, returning %d\n",
1939 *pos, cond, ok);
1940
1941 return ok;
1942 }
1943 static int process_proxy_cond_multipliers(unsigned int letters[26],
1944 const char *cond, const char **cond_end, int *pos, int indent)
1945 {
1946 int ok;
1947 char c;
1948
1949 if (debug)
1950 process_proxy_debug(indent,
1951 "Start process_proxy_cond_multipliers at position %d: %s\n",
1952 *pos, cond);
1953
1954 ok = process_proxy_cond_val(letters, cond, cond_end, pos, indent + 1);
1955 cond = *cond_end;
1956 if (ok < 0)
1957 goto end;
1958
1959 while(ok >= 0)
1960 {
1961 while(isspace((int)*cond))
1962 {
1963 cond++; (*pos)++;
1964 }
1965 c = *cond;
1966
1967 switch(c)
1968 {
1969 case '&':
1970 case '^':
1971 {
1972 int save_ok = ok;
1973
1974 cond++; (*pos)++;
1975 ok = process_proxy_cond_val(letters,
1976 cond, cond_end, pos, indent + 1);
1977 cond = *cond_end;
1978 if (ok < 0)
1979 break;
1980
1981 switch(c)
1982 {
1983 case '&':
1984 ok &= save_ok;
1985 break;
1986 case '^':
1987 ok ^= save_ok;
1988 break;
1989 default:
1990 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
1991 " STOPPING\n");
1992 EXIT(1);
1993 }
1994 }
1995 break;
1996 default:
1997 goto end;
1998 }
1999 }
2000 end:
2001 if (debug)
2002 process_proxy_debug(indent,
2003 "End process_proxy_cond_multipliers at position %d: %s, returning %d\n",
2004 *pos, cond, ok);
2005
2006 *cond_end = cond;
2007 return ok;
2008 }
2009 static int process_proxy_cond_adders(unsigned int letters[26],
2010 const char *cond, const char **cond_end, int *pos, int indent)
2011 {
2012 int ok;
2013 char c;
2014
2015 if (debug)
2016 process_proxy_debug(indent,
2017 "Start process_proxy_cond_adders at position %d: %s\n",
2018 *pos, cond);
2019
2020 ok = process_proxy_cond_multipliers(letters, cond, cond_end, pos,
2021 indent + 1);
2022 cond = *cond_end;
2023 if (ok < 0)
2024 goto end;
2025
2026 while(ok >= 0)
2027 {
2028 while(isspace((int)*cond))
2029 {
2030 cond++; (*pos)++;
2031 }
2032 c = *cond;
2033
2034 switch(c)
2035 {
2036 case '|':
2037 {
2038 int save_ok = ok;
2039
2040 cond++; (*pos)++;
2041 ok = process_proxy_cond_multipliers(letters,
2042 cond, cond_end, pos, indent + 1);
2043 cond = *cond_end;
2044 if (ok < 0)
2045 break;
2046
2047 switch(c)
2048 {
2049 case '|':
2050 ok |= save_ok;
2051 break;
2052 default:
2053 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
2054 " STOPPING\n");
2055 EXIT(1);
2056 }
2057 }
2058 break;
2059 default:
2060 goto end;
2061 }
2062 }
2063 end:
2064 if (debug)
2065 process_proxy_debug(indent,
2066 "End process_proxy_cond_adders at position %d: %s, returning %d\n",
2067 *pos, cond, ok);
2068
2069 *cond_end = cond;
2070 return ok;
2071 }
2072
2073 static int process_proxy_cond(unsigned int letters[26],
2074 const char *cond, const char **cond_end)
2075 {
2076 int pos = 1;
2077 return process_proxy_cond_adders(letters, cond, cond_end, &pos, 1);
2078 }
2079
2080 static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg)
2081 {
2082 int ok=1;
2083 struct app_verify_arg *cb_arg = arg;
2084 unsigned int letters[26]; /* only used with proxy_auth */
2085
2086 if (cb_arg->app_verify)
2087 {
2088 char *s = NULL,buf[256];
2089
2090 fprintf(stderr, "In app_verify_callback, allowing cert. ");
2091 fprintf(stderr, "Arg is: %s\n", cb_arg->string);
2092 fprintf(stderr, "Finished printing do we have a context? 0x%p a cert? 0x%p\n",
2093 (void *)ctx, (void *)ctx->cert);
2094 if (ctx->cert)
2095 s=X509_NAME_oneline(X509_get_subject_name(ctx->cert),buf,256);
2096 if (s != NULL)
2097 {
2098 fprintf(stderr,"cert depth=%d %s\n",ctx->error_depth,buf);
2099 }
2100 return(1);
2101 }
2102 if (cb_arg->proxy_auth)
2103 {
2104 int found_any = 0, i;
2105 char *sp;
2106
2107 for(i = 0; i < 26; i++)
2108 letters[i] = 0;
2109 for(sp = cb_arg->proxy_auth; *sp; sp++)
2110 {
2111 int c = *sp;
2112 if (isascii(c) && isalpha(c))
2113 {
2114 if (islower(c))
2115 c = toupper(c);
2116 letters[c - 'A'] = 1;
2117 }
2118 }
2119
2120 fprintf(stderr,
2121 " Initial proxy rights = ");
2122 for(i = 0; i < 26; i++)
2123 if (letters[i])
2124 {
2125 fprintf(stderr, "%c", i + 'A');
2126 found_any = 1;
2127 }
2128 if (!found_any)
2129 fprintf(stderr, "none");
2130 fprintf(stderr, "\n");
2131
2132 X509_STORE_CTX_set_ex_data(ctx,
2133 get_proxy_auth_ex_data_idx(),letters);
2134 }
2135 if (cb_arg->allow_proxy_certs)
2136 {
2137 X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
2138 }
2139
2140 #ifndef OPENSSL_NO_X509_VERIFY
2141 # ifdef OPENSSL_FIPS
2142 if(s->version == TLS1_VERSION)
2143 FIPS_allow_md5(1);
2144 # endif
2145 ok = X509_verify_cert(ctx);
2146 # ifdef OPENSSL_FIPS
2147 if(s->version == TLS1_VERSION)
2148 FIPS_allow_md5(0);
2149 # endif
2150 #endif
2151
2152 if (cb_arg->proxy_auth)
2153 {
2154 if (ok)
2155 {
2156 const char *cond_end = NULL;
2157
2158 ok = process_proxy_cond(letters,
2159 cb_arg->proxy_cond, &cond_end);
2160
2161 if (ok < 0)
2162 EXIT(3);
2163 if (*cond_end)
2164 {
2165 fprintf(stderr, "Stopped processing condition before it's end.\n");
2166 ok = 0;
2167 }
2168 if (!ok)
2169 fprintf(stderr, "Proxy rights check with condition '%s' proved invalid\n",
2170 cb_arg->proxy_cond);
2171 else
2172 fprintf(stderr, "Proxy rights check with condition '%s' proved valid\n",
2173 cb_arg->proxy_cond);
2174 }
2175 }
2176 return(ok);
2177 }
2178
2179 #ifndef OPENSSL_NO_RSA
2180 static RSA *rsa_tmp=NULL;
2181
2182 static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength)
2183 {
2184 BIGNUM *bn = NULL;
2185 if (rsa_tmp == NULL)
2186 {
2187 bn = BN_new();
2188 rsa_tmp = RSA_new();
2189 if(!bn || !rsa_tmp || !BN_set_word(bn, RSA_F4))
2190 {
2191 BIO_printf(bio_err, "Memory error...");
2192 goto end;
2193 }
2194 BIO_printf(bio_err,"Generating temp (%d bit) RSA key...",keylength);
2195 (void)BIO_flush(bio_err);
2196 if(!RSA_generate_key_ex(rsa_tmp,keylength,bn,NULL))
2197 {
2198 BIO_printf(bio_err, "Error generating key.");
2199 RSA_free(rsa_tmp);
2200 rsa_tmp = NULL;
2201 }
2202 end:
2203 BIO_printf(bio_err,"\n");
2204 (void)BIO_flush(bio_err);
2205 }
2206 if(bn) BN_free(bn);
2207 return(rsa_tmp);
2208 }
2209
2210 static void free_tmp_rsa(void)
2211 {
2212 if (rsa_tmp != NULL)
2213 {
2214 RSA_free(rsa_tmp);
2215 rsa_tmp = NULL;
2216 }
2217 }
2218 #endif
2219
2220 #ifndef OPENSSL_NO_DH
2221 /* These DH parameters have been generated as follows:
2222 * $ openssl dhparam -C -noout 512
2223 * $ openssl dhparam -C -noout 1024
2224 * $ openssl dhparam -C -noout -dsaparam 1024
2225 * (The third function has been renamed to avoid name conflicts.)
2226 */
2227 static DH *get_dh512()
2228 {
2229 static unsigned char dh512_p[]={
2230 0xCB,0xC8,0xE1,0x86,0xD0,0x1F,0x94,0x17,0xA6,0x99,0xF0,0xC6,
2231 0x1F,0x0D,0xAC,0xB6,0x25,0x3E,0x06,0x39,0xCA,0x72,0x04,0xB0,
2232 0x6E,0xDA,0xC0,0x61,0xE6,0x7A,0x77,0x25,0xE8,0x3B,0xB9,0x5F,
2233 0x9A,0xB6,0xB5,0xFE,0x99,0x0B,0xA1,0x93,0x4E,0x35,0x33,0xB8,
2234 0xE1,0xF1,0x13,0x4F,0x59,0x1A,0xD2,0x57,0xC0,0x26,0x21,0x33,
2235 0x02,0xC5,0xAE,0x23,
2236 };
2237 static unsigned char dh512_g[]={
2238 0x02,
2239 };
2240 DH *dh;
2241
2242 if ((dh=DH_new()) == NULL) return(NULL);
2243 dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
2244 dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
2245 if ((dh->p == NULL) || (dh->g == NULL))
2246 { DH_free(dh); return(NULL); }
2247 return(dh);
2248 }
2249
2250 static DH *get_dh1024()
2251 {
2252 static unsigned char dh1024_p[]={
2253 0xF8,0x81,0x89,0x7D,0x14,0x24,0xC5,0xD1,0xE6,0xF7,0xBF,0x3A,
2254 0xE4,0x90,0xF4,0xFC,0x73,0xFB,0x34,0xB5,0xFA,0x4C,0x56,0xA2,
2255 0xEA,0xA7,0xE9,0xC0,0xC0,0xCE,0x89,0xE1,0xFA,0x63,0x3F,0xB0,
2256 0x6B,0x32,0x66,0xF1,0xD1,0x7B,0xB0,0x00,0x8F,0xCA,0x87,0xC2,
2257 0xAE,0x98,0x89,0x26,0x17,0xC2,0x05,0xD2,0xEC,0x08,0xD0,0x8C,
2258 0xFF,0x17,0x52,0x8C,0xC5,0x07,0x93,0x03,0xB1,0xF6,0x2F,0xB8,
2259 0x1C,0x52,0x47,0x27,0x1B,0xDB,0xD1,0x8D,0x9D,0x69,0x1D,0x52,
2260 0x4B,0x32,0x81,0xAA,0x7F,0x00,0xC8,0xDC,0xE6,0xD9,0xCC,0xC1,
2261 0x11,0x2D,0x37,0x34,0x6C,0xEA,0x02,0x97,0x4B,0x0E,0xBB,0xB1,
2262 0x71,0x33,0x09,0x15,0xFD,0xDD,0x23,0x87,0x07,0x5E,0x89,0xAB,
2263 0x6B,0x7C,0x5F,0xEC,0xA6,0x24,0xDC,0x53,
2264 };
2265 static unsigned char dh1024_g[]={
2266 0x02,
2267 };
2268 DH *dh;
2269
2270 if ((dh=DH_new()) == NULL) return(NULL);
2271 dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
2272 dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
2273 if ((dh->p == NULL) || (dh->g == NULL))
2274 { DH_free(dh); return(NULL); }
2275 return(dh);
2276 }
2277
2278 static DH *get_dh1024dsa()
2279 {
2280 static unsigned char dh1024_p[]={
2281 0xC8,0x00,0xF7,0x08,0x07,0x89,0x4D,0x90,0x53,0xF3,0xD5,0x00,
2282 0x21,0x1B,0xF7,0x31,0xA6,0xA2,0xDA,0x23,0x9A,0xC7,0x87,0x19,
2283 0x3B,0x47,0xB6,0x8C,0x04,0x6F,0xFF,0xC6,0x9B,0xB8,0x65,0xD2,
2284 0xC2,0x5F,0x31,0x83,0x4A,0xA7,0x5F,0x2F,0x88,0x38,0xB6,0x55,
2285 0xCF,0xD9,0x87,0x6D,0x6F,0x9F,0xDA,0xAC,0xA6,0x48,0xAF,0xFC,
2286 0x33,0x84,0x37,0x5B,0x82,0x4A,0x31,0x5D,0xE7,0xBD,0x52,0x97,
2287 0xA1,0x77,0xBF,0x10,0x9E,0x37,0xEA,0x64,0xFA,0xCA,0x28,0x8D,
2288 0x9D,0x3B,0xD2,0x6E,0x09,0x5C,0x68,0xC7,0x45,0x90,0xFD,0xBB,
2289 0x70,0xC9,0x3A,0xBB,0xDF,0xD4,0x21,0x0F,0xC4,0x6A,0x3C,0xF6,
2290 0x61,0xCF,0x3F,0xD6,0x13,0xF1,0x5F,0xBC,0xCF,0xBC,0x26,0x9E,
2291 0xBC,0x0B,0xBD,0xAB,0x5D,0xC9,0x54,0x39,
2292 };
2293 static unsigned char dh1024_g[]={
2294 0x3B,0x40,0x86,0xE7,0xF3,0x6C,0xDE,0x67,0x1C,0xCC,0x80,0x05,
2295 0x5A,0xDF,0xFE,0xBD,0x20,0x27,0x74,0x6C,0x24,0xC9,0x03,0xF3,
2296 0xE1,0x8D,0xC3,0x7D,0x98,0x27,0x40,0x08,0xB8,0x8C,0x6A,0xE9,
2297 0xBB,0x1A,0x3A,0xD6,0x86,0x83,0x5E,0x72,0x41,0xCE,0x85,0x3C,
2298 0xD2,0xB3,0xFC,0x13,0xCE,0x37,0x81,0x9E,0x4C,0x1C,0x7B,0x65,
2299 0xD3,0xE6,0xA6,0x00,0xF5,0x5A,0x95,0x43,0x5E,0x81,0xCF,0x60,
2300 0xA2,0x23,0xFC,0x36,0xA7,0x5D,0x7A,0x4C,0x06,0x91,0x6E,0xF6,
2301 0x57,0xEE,0x36,0xCB,0x06,0xEA,0xF5,0x3D,0x95,0x49,0xCB,0xA7,
2302 0xDD,0x81,0xDF,0x80,0x09,0x4A,0x97,0x4D,0xA8,0x22,0x72,0xA1,
2303 0x7F,0xC4,0x70,0x56,0x70,0xE8,0x20,0x10,0x18,0x8F,0x2E,0x60,
2304 0x07,0xE7,0x68,0x1A,0x82,0x5D,0x32,0xA2,
2305 };
2306 DH *dh;
2307
2308 if ((dh=DH_new()) == NULL) return(NULL);
2309 dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
2310 dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
2311 if ((dh->p == NULL) || (dh->g == NULL))
2312 { DH_free(dh); return(NULL); }
2313 dh->length = 160;
2314 return(dh);
2315 }
2316 #endif
2317
2318 #ifndef OPENSSL_NO_PSK
2319 /* convert the PSK key (psk_key) in ascii to binary (psk) */
2320 static int psk_key2bn(const char *pskkey, unsigned char *psk,
2321 unsigned int max_psk_len)
2322 {
2323 int ret;
2324 BIGNUM *bn = NULL;
2325
2326 ret = BN_hex2bn(&bn, pskkey);
2327 if (!ret)
2328 {
2329 BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", pskkey);
2330 if (bn)
2331 BN_free(bn);
2332 return 0;
2333 }
2334 if (BN_num_bytes(bn) > (int)max_psk_len)
2335 {
2336 BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n",
2337 max_psk_len, BN_num_bytes(bn));
2338 BN_free(bn);
2339 return 0;
2340 }
2341 ret = BN_bn2bin(bn, psk);
2342 BN_free(bn);
2343 return ret;
2344 }
2345
2346 static unsigned int psk_client_callback(SSL *ssl, const char *hint, char *identity,
2347 unsigned int max_identity_len, unsigned char *psk,
2348 unsigned int max_psk_len)
2349 {
2350 int ret;
2351 unsigned int psk_len = 0;
2352
2353 ret = snprintf(identity, max_identity_len, "Client_identity");
2354 if (ret < 0)
2355 goto out_err;
2356 if (debug)
2357 fprintf(stderr, "client: created identity '%s' len=%d\n", identity, ret);
2358 ret = psk_key2bn(psk_key, psk, max_psk_len);
2359 if (ret < 0)
2360 goto out_err;
2361 psk_len = ret;
2362 out_err:
2363 return psk_len;
2364 }
2365
2366 static unsigned int psk_server_callback(SSL *ssl, const char *identity,
2367 unsigned char *psk, unsigned int max_psk_len)
2368 {
2369 unsigned int psk_len=0;
2370
2371 if (strcmp(identity, "Client_identity") != 0)
2372 {
2373 BIO_printf(bio_err, "server: PSK error: client identity not found\n");
2374 return 0;
2375 }
2376 psk_len=psk_key2bn(psk_key, psk, max_psk_len);
2377 return psk_len;
2378 }
2379 #endif
2380
2381 static int do_test_cipherlist(void)
2382 {
2383 int i = 0;
2384 const SSL_METHOD *meth;
2385 SSL_CIPHER *ci, *tci = NULL;
2386
2387 #ifndef OPENSSL_NO_SSL2
2388 fprintf(stderr, "testing SSLv2 cipher list order: ");
2389 meth = SSLv2_method();
2390 while ((ci = meth->get_cipher(i++)) != NULL)
2391 {
2392 if (tci != NULL)
2393 if (ci->id >= tci->id)
2394 {
2395 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2396 return 0;
2397 }
2398 tci = ci;
2399 }
2400 fprintf(stderr, "ok\n");
2401 #endif
2402 #ifndef OPENSSL_NO_SSL3
2403 fprintf(stderr, "testing SSLv3 cipher list order: ");
2404 meth = SSLv3_method();
2405 tci = NULL;
2406 while ((ci = meth->get_cipher(i++)) != NULL)
2407 {
2408 if (tci != NULL)
2409 if (ci->id >= tci->id)
2410 {
2411 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2412 return 0;
2413 }
2414 tci = ci;
2415 }
2416 fprintf(stderr, "ok\n");
2417 #endif
2418 #ifndef OPENSSL_NO_TLS1
2419 fprintf(stderr, "testing TLSv1 cipher list order: ");
2420 meth = TLSv1_method();
2421 tci = NULL;
2422 while ((ci = meth->get_cipher(i++)) != NULL)
2423 {
2424 if (tci != NULL)
2425 if (ci->id >= tci->id)
2426 {
2427 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2428 return 0;
2429 }
2430 tci = ci;
2431 }
2432 fprintf(stderr, "ok\n");
2433 #endif
2434
2435 return 1;
2436 }
A mirror of the official openssl repository