]> git.ipfire.org Git - thirdparty/openssl.git/blob - ssl/ssltest.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Further comment amendments to preserve formatting prior to source reformat
[thirdparty/openssl.git] / ssl / ssltest.c
1 /* ssl/ssltest.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58 /* ====================================================================
59 * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111 /* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 * ECC cipher suite support in OpenSSL originally developed by
114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
115 */
116 /* ====================================================================
117 * Copyright 2005 Nokia. All rights reserved.
118 *
119 * The portions of the attached software ("Contribution") is developed by
120 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
121 * license.
122 *
123 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
124 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
125 * support (see RFC 4279) to OpenSSL.
126 *
127 * No patent licenses or other rights except those expressly stated in
128 * the OpenSSL open source license shall be deemed granted or received
129 * expressly, by implication, estoppel, or otherwise.
130 *
131 * No assurances are provided by Nokia that the Contribution does not
132 * infringe the patent or other intellectual property rights of any third
133 * party or that the license provides you with all the necessary rights
134 * to make use of the Contribution.
135 *
136 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
137 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
138 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
139 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
140 * OTHERWISE.
141 */
142
143 #define _BSD_SOURCE 1 /* Or gethostname won't be declared properly
144 on Linux and GNU platforms. */
145
146 #include <assert.h>
147 #include <errno.h>
148 #include <limits.h>
149 #include <stdio.h>
150 #include <stdlib.h>
151 #include <string.h>
152 #include <time.h>
153
154 #define USE_SOCKETS
155 #include "e_os.h"
156
157 #ifdef OPENSSL_SYS_VMS
158 #define _XOPEN_SOURCE 500 /* Or isascii won't be declared properly on
159 VMS (at least with DECompHP C). */
160 #endif
161
162 #include <ctype.h>
163
164 #include <openssl/bio.h>
165 #include <openssl/crypto.h>
166 #include <openssl/evp.h>
167 #include <openssl/x509.h>
168 #include <openssl/x509v3.h>
169 #include <openssl/ssl.h>
170 #ifndef OPENSSL_NO_ENGINE
171 #include <openssl/engine.h>
172 #endif
173 #include <openssl/err.h>
174 #include <openssl/rand.h>
175 #ifndef OPENSSL_NO_RSA
176 #include <openssl/rsa.h>
177 #endif
178 #ifndef OPENSSL_NO_DSA
179 #include <openssl/dsa.h>
180 #endif
181 #ifndef OPENSSL_NO_DH
182 #include <openssl/dh.h>
183 #endif
184 #ifndef OPENSSL_NO_SRP
185 #include <openssl/srp.h>
186 #endif
187 #include <openssl/bn.h>
188
189 #define _XOPEN_SOURCE_EXTENDED 1 /* Or gethostname won't be declared properly
190 on Compaq platforms (at least with DEC C).
191 Do not try to put it earlier, or IPv6 includes
192 get screwed...
193 */
194
195 #ifdef OPENSSL_SYS_WINDOWS
196 #include <winsock.h>
197 #else
198 #include OPENSSL_UNISTD
199 #endif
200
201 #ifdef OPENSSL_SYS_VMS
202 # define TEST_SERVER_CERT "SYS$DISK:[-.APPS]SERVER.PEM"
203 # define TEST_CLIENT_CERT "SYS$DISK:[-.APPS]CLIENT.PEM"
204 #elif defined(OPENSSL_SYS_WINCE)
205 # define TEST_SERVER_CERT "\\OpenSSL\\server.pem"
206 # define TEST_CLIENT_CERT "\\OpenSSL\\client.pem"
207 #elif defined(OPENSSL_SYS_NETWARE)
208 # define TEST_SERVER_CERT "\\openssl\\apps\\server.pem"
209 # define TEST_CLIENT_CERT "\\openssl\\apps\\client.pem"
210 #else
211 # define TEST_SERVER_CERT "../apps/server.pem"
212 # define TEST_CLIENT_CERT "../apps/client.pem"
213 #endif
214
215 /* There is really no standard for this, so let's assign some tentative
216 numbers. In any case, these numbers are only for this test */
217 #define COMP_RLE 255
218 #define COMP_ZLIB 1
219
220 static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
221 #ifndef OPENSSL_NO_RSA
222 static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export,int keylength);
223 static void free_tmp_rsa(void);
224 #endif
225 static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg);
226 #define APP_CALLBACK_STRING "Test Callback Argument"
227 struct app_verify_arg
228 {
229 char *string;
230 int app_verify;
231 int allow_proxy_certs;
232 char *proxy_auth;
233 char *proxy_cond;
234 };
235
236 #ifndef OPENSSL_NO_DH
237 static DH *get_dh512(void);
238 static DH *get_dh1024(void);
239 static DH *get_dh1024dsa(void);
240 #endif
241
242
243 static char *psk_key=NULL; /* by default PSK is not used */
244 #ifndef OPENSSL_NO_PSK
245 static unsigned int psk_client_callback(SSL *ssl, const char *hint, char *identity,
246 unsigned int max_identity_len, unsigned char *psk,
247 unsigned int max_psk_len);
248 static unsigned int psk_server_callback(SSL *ssl, const char *identity, unsigned char *psk,
249 unsigned int max_psk_len);
250 #endif
251
252 #ifndef OPENSSL_NO_SRP
253 /* SRP client */
254 /* This is a context that we pass to all callbacks */
255 typedef struct srp_client_arg_st
256 {
257 char *srppassin;
258 char *srplogin;
259 } SRP_CLIENT_ARG;
260
261 #define PWD_STRLEN 1024
262
263 static char * MS_CALLBACK ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
264 {
265 SRP_CLIENT_ARG *srp_client_arg = (SRP_CLIENT_ARG *)arg;
266 return BUF_strdup((char *)srp_client_arg->srppassin);
267 }
268
269 /* SRP server */
270 /* This is a context that we pass to SRP server callbacks */
271 typedef struct srp_server_arg_st
272 {
273 char *expected_user;
274 char *pass;
275 } SRP_SERVER_ARG;
276
277 static int MS_CALLBACK ssl_srp_server_param_cb(SSL *s, int *ad, void *arg)
278 {
279 SRP_SERVER_ARG * p = (SRP_SERVER_ARG *) arg;
280
281 if (strcmp(p->expected_user, SSL_get_srp_username(s)) != 0)
282 {
283 fprintf(stderr, "User %s doesn't exist\n", SSL_get_srp_username(s));
284 return SSL3_AL_FATAL;
285 }
286 if (SSL_set_srp_server_param_pw(s,p->expected_user,p->pass,"1024")<0)
287 {
288 *ad = SSL_AD_INTERNAL_ERROR;
289 return SSL3_AL_FATAL;
290 }
291 return SSL_ERROR_NONE;
292 }
293 #endif
294
295 static BIO *bio_err=NULL;
296 static BIO *bio_stdout=NULL;
297
298 #ifndef OPENSSL_NO_NEXTPROTONEG
299 /* Note that this code assumes that this is only a one element list: */
300 static const char NEXT_PROTO_STRING[] = "\x09testproto";
301 int npn_client = 0;
302 int npn_server = 0;
303 int npn_server_reject = 0;
304
305 static int cb_client_npn(SSL *s, unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg)
306 {
307 /* This callback only returns the protocol string, rather than a length
308 prefixed set. We assume that NEXT_PROTO_STRING is a one element list and
309 remove the first byte to chop off the length prefix. */
310 *out = (unsigned char*) NEXT_PROTO_STRING + 1;
311 *outlen = sizeof(NEXT_PROTO_STRING) - 2;
312 return SSL_TLSEXT_ERR_OK;
313 }
314
315 static int cb_server_npn(SSL *s, const unsigned char **data, unsigned int *len, void *arg)
316 {
317 *data = (const unsigned char *) NEXT_PROTO_STRING;
318 *len = sizeof(NEXT_PROTO_STRING) - 1;
319 return SSL_TLSEXT_ERR_OK;
320 }
321
322 static int cb_server_rejects_npn(SSL *s, const unsigned char **data, unsigned int *len, void *arg)
323 {
324 return SSL_TLSEXT_ERR_NOACK;
325 }
326
327 static int verify_npn(SSL *client, SSL *server)
328 {
329 const unsigned char *client_s;
330 unsigned client_len;
331 const unsigned char *server_s;
332 unsigned server_len;
333
334 SSL_get0_next_proto_negotiated(client, &client_s, &client_len);
335 SSL_get0_next_proto_negotiated(server, &server_s, &server_len);
336
337 if (client_len)
338 {
339 BIO_printf(bio_stdout, "Client NPN: ");
340 BIO_write(bio_stdout, client_s, client_len);
341 BIO_printf(bio_stdout, "\n");
342 }
343
344 if (server_len)
345 {
346 BIO_printf(bio_stdout, "Server NPN: ");
347 BIO_write(bio_stdout, server_s, server_len);
348 BIO_printf(bio_stdout, "\n");
349 }
350
351 /* If an NPN string was returned, it must be the protocol that we
352 * expected to negotiate. */
353 if (client_len && (client_len != sizeof(NEXT_PROTO_STRING) - 2 ||
354 memcmp(client_s, NEXT_PROTO_STRING + 1, client_len)))
355 return -1;
356 if (server_len && (server_len != sizeof(NEXT_PROTO_STRING) - 2 ||
357 memcmp(server_s, NEXT_PROTO_STRING + 1, server_len)))
358 return -1;
359
360 if (!npn_client && client_len)
361 return -1;
362 if (!npn_server && server_len)
363 return -1;
364 if (npn_server_reject && server_len)
365 return -1;
366 if (npn_client && npn_server && (!client_len || !server_len))
367 return -1;
368
369 return 0;
370 }
371 #endif
372
373 static const char *alpn_client;
374 static const char *alpn_server;
375 static const char *alpn_expected;
376 static unsigned char *alpn_selected;
377
378 /*-
379 * next_protos_parse parses a comma separated list of strings into a string
380 * in a format suitable for passing to SSL_CTX_set_next_protos_advertised.
381 * outlen: (output) set to the length of the resulting buffer on success.
382 * err: (maybe NULL) on failure, an error message line is written to this BIO.
383 * in: a NUL terminated string like "abc,def,ghi"
384 *
385 * returns: a malloced buffer or NULL on failure.
386 */
387 static unsigned char *next_protos_parse(unsigned short *outlen, const char *in)
388 {
389 size_t len;
390 unsigned char *out;
391 size_t i, start = 0;
392
393 len = strlen(in);
394 if (len >= 65535)
395 return NULL;
396
397 out = OPENSSL_malloc(strlen(in) + 1);
398 if (!out)
399 return NULL;
400
401 for (i = 0; i <= len; ++i)
402 {
403 if (i == len || in[i] == ',')
404 {
405 if (i - start > 255)
406 {
407 OPENSSL_free(out);
408 return NULL;
409 }
410 out[start] = i - start;
411 start = i + 1;
412 }
413 else
414 out[i+1] = in[i];
415 }
416
417 *outlen = len + 1;
418 return out;
419 }
420
421 static int cb_server_alpn(SSL *s, const unsigned char **out, unsigned char *outlen, const unsigned char *in, unsigned int inlen, void *arg)
422 {
423 unsigned char *protos;
424 unsigned short protos_len;
425
426 protos = next_protos_parse(&protos_len, alpn_server);
427 if (protos == NULL)
428 {
429 fprintf(stderr, "failed to parser ALPN server protocol string: %s\n", alpn_server);
430 abort();
431 }
432
433 if (SSL_select_next_proto((unsigned char**) out, outlen, protos, protos_len, in, inlen) !=
434 OPENSSL_NPN_NEGOTIATED)
435 {
436 OPENSSL_free(protos);
437 return SSL_TLSEXT_ERR_NOACK;
438 }
439
440 /* Make a copy of the selected protocol which will be freed in verify_alpn. */
441 alpn_selected = OPENSSL_malloc(*outlen);
442 memcpy(alpn_selected, *out, *outlen);
443 *out = alpn_selected;
444
445 OPENSSL_free(protos);
446 return SSL_TLSEXT_ERR_OK;
447 }
448
449 static int verify_alpn(SSL *client, SSL *server)
450 {
451 const unsigned char *client_proto, *server_proto;
452 unsigned int client_proto_len = 0, server_proto_len = 0;
453 SSL_get0_alpn_selected(client, &client_proto, &client_proto_len);
454 SSL_get0_alpn_selected(server, &server_proto, &server_proto_len);
455
456 if (alpn_selected != NULL)
457 {
458 OPENSSL_free(alpn_selected);
459 alpn_selected = NULL;
460 }
461
462 if (client_proto_len != server_proto_len ||
463 memcmp(client_proto, server_proto, client_proto_len) != 0)
464 {
465 BIO_printf(bio_stdout, "ALPN selected protocols differ!\n");
466 goto err;
467 }
468
469 if (client_proto_len > 0 && alpn_expected == NULL)
470 {
471 BIO_printf(bio_stdout, "ALPN unexpectedly negotiated\n");
472 goto err;
473 }
474
475 if (alpn_expected != NULL &&
476 (client_proto_len != strlen(alpn_expected) ||
477 memcmp(client_proto, alpn_expected, client_proto_len) != 0))
478 {
479 BIO_printf(bio_stdout, "ALPN selected protocols not equal to expected protocol: %s\n", alpn_expected);
480 goto err;
481 }
482
483 return 0;
484
485 err:
486 BIO_printf(bio_stdout, "ALPN results: client: '");
487 BIO_write(bio_stdout, client_proto, client_proto_len);
488 BIO_printf(bio_stdout, "', server: '");
489 BIO_write(bio_stdout, server_proto, server_proto_len);
490 BIO_printf(bio_stdout, "'\n");
491 BIO_printf(bio_stdout, "ALPN configured: client: '%s', server: '%s'\n", alpn_client, alpn_server);
492 return -1;
493 }
494
495 #define SCT_EXT_TYPE 18
496
497 /* WARNING : below extension types are *NOT* IETF assigned, and
498 could conflict if these types are reassigned and handled
499 specially by OpenSSL in the future */
500 #define TACK_EXT_TYPE 62208
501 #define CUSTOM_EXT_TYPE_0 1000
502 #define CUSTOM_EXT_TYPE_1 1001
503 #define CUSTOM_EXT_TYPE_2 1002
504 #define CUSTOM_EXT_TYPE_3 1003
505
506 const char custom_ext_cli_string[] = "abc";
507 const char custom_ext_srv_string[] = "defg";
508
509 /* These set from cmdline */
510 char* serverinfo_file = NULL;
511 int serverinfo_sct = 0;
512 int serverinfo_tack = 0;
513
514 /* These set based on extension callbacks */
515 int serverinfo_sct_seen = 0;
516 int serverinfo_tack_seen = 0;
517 int serverinfo_other_seen = 0;
518
519 /* This set from cmdline */
520 int custom_ext = 0;
521
522 /* This set based on extension callbacks */
523 int custom_ext_error = 0;
524
525 static int serverinfo_cli_parse_cb(SSL *s, unsigned int ext_type,
526 const unsigned char *in, size_t inlen,
527 int *al, void *arg)
528 {
529 if (ext_type == SCT_EXT_TYPE)
530 serverinfo_sct_seen++;
531 else if (ext_type == TACK_EXT_TYPE)
532 serverinfo_tack_seen++;
533 else
534 serverinfo_other_seen++;
535 return 1;
536 }
537
538 static int verify_serverinfo()
539 {
540 if (serverinfo_sct != serverinfo_sct_seen)
541 return -1;
542 if (serverinfo_tack != serverinfo_tack_seen)
543 return -1;
544 if (serverinfo_other_seen)
545 return -1;
546 return 0;
547 }
548
549 /*-
550 * Four test cases for custom extensions:
551 * 0 - no ClientHello extension or ServerHello response
552 * 1 - ClientHello with "abc", no response
553 * 2 - ClientHello with "abc", empty response
554 * 3 - ClientHello with "abc", "defg" response
555 */
556
557 static int custom_ext_0_cli_add_cb(SSL *s, unsigned int ext_type,
558 const unsigned char **out,
559 size_t *outlen, int *al, void *arg)
560 {
561 if (ext_type != CUSTOM_EXT_TYPE_0)
562 custom_ext_error = 1;
563 return 0; /* Don't send an extension */
564 }
565
566 static int custom_ext_0_cli_parse_cb(SSL *s, unsigned int ext_type,
567 const unsigned char *in,
568 size_t inlen, int *al,
569 void *arg)
570 {
571 return 1;
572 }
573
574 static int custom_ext_1_cli_add_cb(SSL *s, unsigned int ext_type,
575 const unsigned char **out,
576 size_t *outlen, int *al, void *arg)
577 {
578 if (ext_type != CUSTOM_EXT_TYPE_1)
579 custom_ext_error = 1;
580 *out = (const unsigned char*)custom_ext_cli_string;
581 *outlen = strlen(custom_ext_cli_string);
582 return 1; /* Send "abc" */
583 }
584
585 static int custom_ext_1_cli_parse_cb(SSL *s, unsigned int ext_type,
586 const unsigned char *in,
587 size_t inlen, int *al,
588 void *arg)
589 {
590 return 1;
591 }
592
593 static int custom_ext_2_cli_add_cb(SSL *s, unsigned int ext_type,
594 const unsigned char **out,
595 size_t *outlen, int *al, void *arg)
596 {
597 if (ext_type != CUSTOM_EXT_TYPE_2)
598 custom_ext_error = 1;
599 *out = (const unsigned char*)custom_ext_cli_string;
600 *outlen = strlen(custom_ext_cli_string);
601 return 1; /* Send "abc" */
602 }
603
604 static int custom_ext_2_cli_parse_cb(SSL *s, unsigned int ext_type,
605 const unsigned char *in,
606 size_t inlen, int *al,
607 void *arg)
608 {
609 if (ext_type != CUSTOM_EXT_TYPE_2)
610 custom_ext_error = 1;
611 if (inlen != 0)
612 custom_ext_error = 1; /* Should be empty response */
613 return 1;
614 }
615
616 static int custom_ext_3_cli_add_cb(SSL *s, unsigned int ext_type,
617 const unsigned char **out,
618 size_t *outlen, int *al, void *arg)
619 {
620 if (ext_type != CUSTOM_EXT_TYPE_3)
621 custom_ext_error = 1;
622 *out = (const unsigned char*)custom_ext_cli_string;
623 *outlen = strlen(custom_ext_cli_string);
624 return 1; /* Send "abc" */
625 }
626
627 static int custom_ext_3_cli_parse_cb(SSL *s, unsigned int ext_type,
628 const unsigned char *in,
629 size_t inlen, int *al,
630 void *arg)
631 {
632 if (ext_type != CUSTOM_EXT_TYPE_3)
633 custom_ext_error = 1;
634 if (inlen != strlen(custom_ext_srv_string))
635 custom_ext_error = 1;
636 if (memcmp(custom_ext_srv_string, in, inlen) != 0)
637 custom_ext_error = 1; /* Check for "defg" */
638 return 1;
639 }
640
641 /* custom_ext_0_cli_add_cb returns 0 - the server won't receive a callback for this extension */
642 static int custom_ext_0_srv_parse_cb(SSL *s, unsigned int ext_type,
643 const unsigned char *in,
644 size_t inlen, int *al,
645 void *arg)
646 {
647 custom_ext_error = 1;
648 return 1;
649 }
650
651 /* 'add' callbacks are only called if the 'parse' callback is called */
652 static int custom_ext_0_srv_add_cb(SSL *s, unsigned int ext_type,
653 const unsigned char **out,
654 size_t *outlen, int *al, void *arg)
655 {
656 /* Error: should not have been called */
657 custom_ext_error = 1;
658 return 0; /* Don't send an extension */
659 }
660
661 static int custom_ext_1_srv_parse_cb(SSL *s, unsigned int ext_type,
662 const unsigned char *in,
663 size_t inlen, int *al,
664 void *arg)
665 {
666 if (ext_type != CUSTOM_EXT_TYPE_1)
667 custom_ext_error = 1;
668 /* Check for "abc" */
669 if (inlen != strlen(custom_ext_cli_string))
670 custom_ext_error = 1;
671 if (memcmp(in, custom_ext_cli_string, inlen) != 0)
672 custom_ext_error = 1;
673 return 1;
674 }
675
676 static int custom_ext_1_srv_add_cb(SSL *s, unsigned int ext_type,
677 const unsigned char **out,
678 size_t *outlen, int *al, void *arg)
679 {
680 return 0; /* Don't send an extension */
681 }
682
683 static int custom_ext_2_srv_parse_cb(SSL *s, unsigned int ext_type,
684 const unsigned char *in,
685 size_t inlen, int *al,
686 void *arg)
687 {
688 if (ext_type != CUSTOM_EXT_TYPE_2)
689 custom_ext_error = 1;
690 /* Check for "abc" */
691 if (inlen != strlen(custom_ext_cli_string))
692 custom_ext_error = 1;
693 if (memcmp(in, custom_ext_cli_string, inlen) != 0)
694 custom_ext_error = 1;
695 return 1;
696 }
697
698 static int custom_ext_2_srv_add_cb(SSL *s, unsigned int ext_type,
699 const unsigned char **out,
700 size_t *outlen, int *al, void *arg)
701 {
702 *out = NULL;
703 *outlen = 0;
704 return 1; /* Send empty extension */
705 }
706
707 static int custom_ext_3_srv_parse_cb(SSL *s, unsigned int ext_type,
708 const unsigned char *in,
709 size_t inlen, int *al,
710 void *arg)
711 {
712 if (ext_type != CUSTOM_EXT_TYPE_3)
713 custom_ext_error = 1;
714 /* Check for "abc" */
715 if (inlen != strlen(custom_ext_cli_string))
716 custom_ext_error = 1;
717 if (memcmp(in, custom_ext_cli_string, inlen) != 0)
718 custom_ext_error = 1;
719 return 1;
720 }
721
722 static int custom_ext_3_srv_add_cb(SSL *s, unsigned int ext_type,
723 const unsigned char **out,
724 size_t *outlen, int *al, void *arg)
725 {
726 *out = (const unsigned char*)custom_ext_srv_string;
727 *outlen = strlen(custom_ext_srv_string);
728 return 1; /* Send "defg" */
729 }
730
731 static char *cipher=NULL;
732 static int verbose=0;
733 static int debug=0;
734 #if 0
735 /* Not used yet. */
736 #ifdef FIONBIO
737 static int s_nbio=0;
738 #endif
739 #endif
740
741 static const char rnd_seed[] = "string to make the random number generator think it has entropy";
742
743 int doit_biopair(SSL *s_ssl,SSL *c_ssl,long bytes,clock_t *s_time,clock_t *c_time);
744 int doit(SSL *s_ssl,SSL *c_ssl,long bytes);
745 static int do_test_cipherlist(void);
746 static void sv_usage(void)
747 {
748 fprintf(stderr,"usage: ssltest [args ...]\n");
749 fprintf(stderr,"\n");
750 #ifdef OPENSSL_FIPS
751 fprintf(stderr,"-F - run test in FIPS mode\n");
752 #endif
753 fprintf(stderr," -server_auth - check server certificate\n");
754 fprintf(stderr," -client_auth - do client authentication\n");
755 fprintf(stderr," -proxy - allow proxy certificates\n");
756 fprintf(stderr," -proxy_auth <val> - set proxy policy rights\n");
757 fprintf(stderr," -proxy_cond <val> - expression to test proxy policy rights\n");
758 fprintf(stderr," -v - more output\n");
759 fprintf(stderr," -d - debug output\n");
760 fprintf(stderr," -reuse - use session-id reuse\n");
761 fprintf(stderr," -num <val> - number of connections to perform\n");
762 fprintf(stderr," -bytes <val> - number of bytes to swap between client/server\n");
763 #ifndef OPENSSL_NO_DH
764 fprintf(stderr," -dhe1024 - use 1024 bit key (safe prime) for DHE\n");
765 fprintf(stderr," -dhe1024dsa - use 1024 bit key (with 160-bit subprime) for DHE\n");
766 fprintf(stderr," -no_dhe - disable DHE\n");
767 #endif
768 #ifndef OPENSSL_NO_ECDH
769 fprintf(stderr," -no_ecdhe - disable ECDHE\n");
770 #endif
771 #ifndef OPENSSL_NO_PSK
772 fprintf(stderr," -psk arg - PSK in hex (without 0x)\n");
773 #endif
774 #ifndef OPENSSL_NO_SRP
775 fprintf(stderr," -srpuser user - SRP username to use\n");
776 fprintf(stderr," -srppass arg - password for 'user'\n");
777 #endif
778 #ifndef OPENSSL_NO_SSL3_METHOD
779 fprintf(stderr," -ssl3 - use SSLv3\n");
780 #endif
781 #ifndef OPENSSL_NO_TLS1
782 fprintf(stderr," -tls1 - use TLSv1\n");
783 #endif
784 fprintf(stderr," -CApath arg - PEM format directory of CA's\n");
785 fprintf(stderr," -CAfile arg - PEM format file of CA's\n");
786 fprintf(stderr," -cert arg - Server certificate file\n");
787 fprintf(stderr," -key arg - Server key file (default: same as -cert)\n");
788 fprintf(stderr," -c_cert arg - Client certificate file\n");
789 fprintf(stderr," -c_key arg - Client key file (default: same as -c_cert)\n");
790 fprintf(stderr," -cipher arg - The cipher list\n");
791 fprintf(stderr," -bio_pair - Use BIO pairs\n");
792 fprintf(stderr," -f - Test even cases that can't work\n");
793 fprintf(stderr," -time - measure processor time used by client and server\n");
794 fprintf(stderr," -zlib - use zlib compression\n");
795 fprintf(stderr," -rle - use rle compression\n");
796 #ifndef OPENSSL_NO_ECDH
797 fprintf(stderr," -named_curve arg - Elliptic curve name to use for ephemeral ECDH keys.\n" \
798 " Use \"openssl ecparam -list_curves\" for all names\n" \
799 " (default is sect163r2).\n");
800 #endif
801 fprintf(stderr," -test_cipherlist - Verifies the order of the ssl cipher lists.\n"
802 " When this option is requested, the cipherlist\n"
803 " tests are run instead of handshake tests.\n");
804 #ifndef OPENSSL_NO_NEXTPROTONEG
805 fprintf(stderr," -npn_client - have client side offer NPN\n");
806 fprintf(stderr," -npn_server - have server side offer NPN\n");
807 fprintf(stderr," -npn_server_reject - have server reject NPN\n");
808 #endif
809 fprintf(stderr," -serverinfo_file file - have server use this file\n");
810 fprintf(stderr," -serverinfo_sct - have client offer and expect SCT\n");
811 fprintf(stderr," -serverinfo_tack - have client offer and expect TACK\n");
812 fprintf(stderr," -custom_ext - try various custom extension callbacks\n");
813 fprintf(stderr," -alpn_client <string> - have client side offer ALPN\n");
814 fprintf(stderr," -alpn_server <string> - have server side offer ALPN\n");
815 fprintf(stderr," -alpn_expected <string> - the ALPN protocol that should be negotiated\n");
816 }
817
818 static void print_key_details(BIO *out, EVP_PKEY *key)
819 {
820 int keyid = EVP_PKEY_id(key);
821 #ifndef OPENSSL_NO_EC
822 if (keyid == EVP_PKEY_EC)
823 {
824 EC_KEY *ec = EVP_PKEY_get1_EC_KEY(key);
825 int nid;
826 const char *cname;
827 nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
828 EC_KEY_free(ec);
829 cname = EC_curve_nid2nist(nid);
830 if (!cname)
831 cname = OBJ_nid2sn(nid);
832 BIO_printf(out, "%d bits EC (%s)",
833 EVP_PKEY_bits(key), cname);
834 }
835 else
836 #endif
837 {
838 const char *algname;
839 switch (keyid)
840 {
841 case EVP_PKEY_RSA:
842 algname = "RSA";
843 break;
844 case EVP_PKEY_DSA:
845 algname = "DSA";
846 break;
847 case EVP_PKEY_DH:
848 algname = "DH";
849 break;
850 default:
851 algname = OBJ_nid2sn(keyid);
852 break;
853 }
854 BIO_printf(out, "%d bits %s", EVP_PKEY_bits(key), algname);
855 }
856 }
857
858 static void print_details(SSL *c_ssl, const char *prefix)
859 {
860 const SSL_CIPHER *ciph;
861 int mdnid;
862 X509 *cert;
863 EVP_PKEY *pkey;
864
865 ciph=SSL_get_current_cipher(c_ssl);
866 BIO_printf(bio_stdout,"%s%s, cipher %s %s",
867 prefix,
868 SSL_get_version(c_ssl),
869 SSL_CIPHER_get_version(ciph),
870 SSL_CIPHER_get_name(ciph));
871 cert=SSL_get_peer_certificate(c_ssl);
872 if (cert != NULL)
873 {
874 pkey = X509_get_pubkey(cert);
875 if (pkey != NULL)
876 {
877 BIO_puts(bio_stdout, ", ");
878 print_key_details(bio_stdout, pkey);
879 EVP_PKEY_free(pkey);
880 }
881 X509_free(cert);
882 }
883 if (SSL_get_server_tmp_key(c_ssl, &pkey))
884 {
885 BIO_puts(bio_stdout, ", temp key: ");
886 print_key_details(bio_stdout, pkey);
887 EVP_PKEY_free(pkey);
888 }
889 if (SSL_get_peer_signature_nid(c_ssl, &mdnid))
890 BIO_printf(bio_stdout, ", digest=%s", OBJ_nid2sn(mdnid));
891 BIO_printf(bio_stdout,"\n");
892 }
893
894 static void lock_dbg_cb(int mode, int type, const char *file, int line)
895 {
896 static int modes[CRYPTO_NUM_LOCKS]; /* = {0, 0, ... } */
897 const char *errstr = NULL;
898 int rw;
899
900 rw = mode & (CRYPTO_READ|CRYPTO_WRITE);
901 if (!((rw == CRYPTO_READ) || (rw == CRYPTO_WRITE)))
902 {
903 errstr = "invalid mode";
904 goto err;
905 }
906
907 if (type < 0 || type >= CRYPTO_NUM_LOCKS)
908 {
909 errstr = "type out of bounds";
910 goto err;
911 }
912
913 if (mode & CRYPTO_LOCK)
914 {
915 if (modes[type])
916 {
917 errstr = "already locked";
918 /* must not happen in a single-threaded program
919 * (would deadlock) */
920 goto err;
921 }
922
923 modes[type] = rw;
924 }
925 else if (mode & CRYPTO_UNLOCK)
926 {
927 if (!modes[type])
928 {
929 errstr = "not locked";
930 goto err;
931 }
932
933 if (modes[type] != rw)
934 {
935 errstr = (rw == CRYPTO_READ) ?
936 "CRYPTO_r_unlock on write lock" :
937 "CRYPTO_w_unlock on read lock";
938 }
939
940 modes[type] = 0;
941 }
942 else
943 {
944 errstr = "invalid mode";
945 goto err;
946 }
947
948 err:
949 if (errstr)
950 {
951 /* we cannot use bio_err here */
952 fprintf(stderr, "openssl (lock_dbg_cb): %s (mode=%d, type=%d) at %s:%d\n",
953 errstr, mode, type, file, line);
954 }
955 }
956
957 #ifdef TLSEXT_TYPE_opaque_prf_input
958 struct cb_info_st { void *input; size_t len; int ret; };
959 struct cb_info_st co1 = { "C", 1, 1 }; /* try to negotiate oqaque PRF input */
960 struct cb_info_st co2 = { "C", 1, 2 }; /* insist on oqaque PRF input */
961 struct cb_info_st so1 = { "S", 1, 1 }; /* try to negotiate oqaque PRF input */
962 struct cb_info_st so2 = { "S", 1, 2 }; /* insist on oqaque PRF input */
963
964 int opaque_prf_input_cb(SSL *ssl, void *peerinput, size_t len, void *arg_)
965 {
966 struct cb_info_st *arg = arg_;
967
968 if (arg == NULL)
969 return 1;
970
971 if (!SSL_set_tlsext_opaque_prf_input(ssl, arg->input, arg->len))
972 return 0;
973 return arg->ret;
974 }
975 #endif
976
977 int main(int argc, char *argv[])
978 {
979 char *CApath=NULL,*CAfile=NULL;
980 int badop=0;
981 int bio_pair=0;
982 int force=0;
983 int tls1=0,ssl3=0,ret=1;
984 int client_auth=0;
985 int server_auth=0,i;
986 struct app_verify_arg app_verify_arg =
987 { APP_CALLBACK_STRING, 0, 0, NULL, NULL };
988 char *server_cert=TEST_SERVER_CERT;
989 char *server_key=NULL;
990 char *client_cert=TEST_CLIENT_CERT;
991 char *client_key=NULL;
992 #ifndef OPENSSL_NO_ECDH
993 char *named_curve = NULL;
994 #endif
995 SSL_CTX *s_ctx=NULL;
996 SSL_CTX *c_ctx=NULL;
997 const SSL_METHOD *meth=NULL;
998 SSL *c_ssl,*s_ssl;
999 int number=1,reuse=0;
1000 long bytes=256L;
1001 #ifndef OPENSSL_NO_DH
1002 DH *dh;
1003 int dhe1024 = 0, dhe1024dsa = 0;
1004 #endif
1005 #ifndef OPENSSL_NO_ECDH
1006 EC_KEY *ecdh = NULL;
1007 #endif
1008 #ifndef OPENSSL_NO_SRP
1009 /* client */
1010 SRP_CLIENT_ARG srp_client_arg = {NULL,NULL};
1011 /* server */
1012 SRP_SERVER_ARG srp_server_arg = {NULL,NULL};
1013 #endif
1014 int no_dhe = 0;
1015 int no_ecdhe = 0;
1016 int no_psk = 0;
1017 int print_time = 0;
1018 clock_t s_time = 0, c_time = 0;
1019 #ifndef OPENSSL_NO_COMP
1020 int comp = 0;
1021 COMP_METHOD *cm = NULL;
1022 STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
1023 #endif
1024 int test_cipherlist = 0;
1025 #ifdef OPENSSL_FIPS
1026 int fips_mode=0;
1027 #endif
1028 int no_protocol = 0;
1029
1030 SSL_CONF_CTX *s_cctx = NULL, *c_cctx = NULL;
1031 STACK_OF(OPENSSL_STRING) *conf_args = NULL;
1032 const char *arg = NULL, *argn = NULL;
1033
1034 verbose = 0;
1035 debug = 0;
1036 cipher = 0;
1037
1038 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE|BIO_FP_TEXT);
1039
1040 CRYPTO_set_locking_callback(lock_dbg_cb);
1041
1042 /* enable memory leak checking unless explicitly disabled */
1043 if (!((getenv("OPENSSL_DEBUG_MEMORY") != NULL) && (0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off"))))
1044 {
1045 CRYPTO_malloc_debug_init();
1046 CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
1047 }
1048 else
1049 {
1050 /* OPENSSL_DEBUG_MEMORY=off */
1051 CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0);
1052 }
1053 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
1054
1055 RAND_seed(rnd_seed, sizeof rnd_seed);
1056
1057 bio_stdout=BIO_new_fp(stdout,BIO_NOCLOSE|BIO_FP_TEXT);
1058
1059 s_cctx = SSL_CONF_CTX_new();
1060 c_cctx = SSL_CONF_CTX_new();
1061
1062 if (!s_cctx || !c_cctx)
1063 {
1064 ERR_print_errors(bio_err);
1065 goto end;
1066 }
1067
1068 SSL_CONF_CTX_set_flags(s_cctx,
1069 SSL_CONF_FLAG_CMDLINE|SSL_CONF_FLAG_SERVER);
1070 if (!SSL_CONF_CTX_set1_prefix(s_cctx, "-s_"))
1071 {
1072 ERR_print_errors(bio_err);
1073 goto end;
1074 }
1075
1076 SSL_CONF_CTX_set_flags(c_cctx,
1077 SSL_CONF_FLAG_CMDLINE|SSL_CONF_FLAG_CLIENT);
1078 if (!SSL_CONF_CTX_set1_prefix(c_cctx, "-c_"))
1079 {
1080 ERR_print_errors(bio_err);
1081 goto end;
1082 }
1083
1084 argc--;
1085 argv++;
1086
1087 while (argc >= 1)
1088 {
1089 if(!strcmp(*argv,"-F"))
1090 {
1091 #ifdef OPENSSL_FIPS
1092 fips_mode=1;
1093 #else
1094 fprintf(stderr,"not compiled with FIPS support, so exiting without running.\n");
1095 EXIT(0);
1096 #endif
1097 }
1098 else if (strcmp(*argv,"-server_auth") == 0)
1099 server_auth=1;
1100 else if (strcmp(*argv,"-client_auth") == 0)
1101 client_auth=1;
1102 else if (strcmp(*argv,"-proxy_auth") == 0)
1103 {
1104 if (--argc < 1) goto bad;
1105 app_verify_arg.proxy_auth= *(++argv);
1106 }
1107 else if (strcmp(*argv,"-proxy_cond") == 0)
1108 {
1109 if (--argc < 1) goto bad;
1110 app_verify_arg.proxy_cond= *(++argv);
1111 }
1112 else if (strcmp(*argv,"-v") == 0)
1113 verbose=1;
1114 else if (strcmp(*argv,"-d") == 0)
1115 debug=1;
1116 else if (strcmp(*argv,"-reuse") == 0)
1117 reuse=1;
1118 else if (strcmp(*argv,"-dhe1024") == 0)
1119 {
1120 #ifndef OPENSSL_NO_DH
1121 dhe1024=1;
1122 #else
1123 fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n");
1124 #endif
1125 }
1126 else if (strcmp(*argv,"-dhe1024dsa") == 0)
1127 {
1128 #ifndef OPENSSL_NO_DH
1129 dhe1024dsa=1;
1130 #else
1131 fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n");
1132 #endif
1133 }
1134 else if (strcmp(*argv,"-no_dhe") == 0)
1135 no_dhe=1;
1136 else if (strcmp(*argv,"-no_ecdhe") == 0)
1137 no_ecdhe=1;
1138 else if (strcmp(*argv,"-psk") == 0)
1139 {
1140 if (--argc < 1) goto bad;
1141 psk_key=*(++argv);
1142 #ifndef OPENSSL_NO_PSK
1143 if (strspn(psk_key, "abcdefABCDEF1234567890") != strlen(psk_key))
1144 {
1145 BIO_printf(bio_err,"Not a hex number '%s'\n",*argv);
1146 goto bad;
1147 }
1148 #else
1149 no_psk=1;
1150 #endif
1151 }
1152 #ifndef OPENSSL_NO_SRP
1153 else if (strcmp(*argv,"-srpuser") == 0)
1154 {
1155 if (--argc < 1) goto bad;
1156 srp_server_arg.expected_user = srp_client_arg.srplogin= *(++argv);
1157 tls1=1;
1158 }
1159 else if (strcmp(*argv,"-srppass") == 0)
1160 {
1161 if (--argc < 1) goto bad;
1162 srp_server_arg.pass = srp_client_arg.srppassin= *(++argv);
1163 tls1=1;
1164 }
1165 #endif
1166 else if (strcmp(*argv,"-tls1") == 0)
1167 {
1168 #ifdef OPENSSL_NO_TLS1
1169 no_protocol = 1;
1170 #endif
1171 tls1 = 1;
1172 }
1173 else if (strcmp(*argv,"-ssl3") == 0)
1174 {
1175 #ifdef OPENSSL_NO_SSL3_METHOD
1176 no_protocol = 1;
1177 #endif
1178 ssl3 = 1;
1179 }
1180 else if (strncmp(*argv,"-num",4) == 0)
1181 {
1182 if (--argc < 1) goto bad;
1183 number= atoi(*(++argv));
1184 if (number == 0) number=1;
1185 }
1186 else if (strcmp(*argv,"-bytes") == 0)
1187 {
1188 if (--argc < 1) goto bad;
1189 bytes= atol(*(++argv));
1190 if (bytes == 0L) bytes=1L;
1191 i=strlen(argv[0]);
1192 if (argv[0][i-1] == 'k') bytes*=1024L;
1193 if (argv[0][i-1] == 'm') bytes*=1024L*1024L;
1194 }
1195 else if (strcmp(*argv,"-cert") == 0)
1196 {
1197 if (--argc < 1) goto bad;
1198 server_cert= *(++argv);
1199 }
1200 else if (strcmp(*argv,"-s_cert") == 0)
1201 {
1202 if (--argc < 1) goto bad;
1203 server_cert= *(++argv);
1204 }
1205 else if (strcmp(*argv,"-key") == 0)
1206 {
1207 if (--argc < 1) goto bad;
1208 server_key= *(++argv);
1209 }
1210 else if (strcmp(*argv,"-s_key") == 0)
1211 {
1212 if (--argc < 1) goto bad;
1213 server_key= *(++argv);
1214 }
1215 else if (strcmp(*argv,"-c_cert") == 0)
1216 {
1217 if (--argc < 1) goto bad;
1218 client_cert= *(++argv);
1219 }
1220 else if (strcmp(*argv,"-c_key") == 0)
1221 {
1222 if (--argc < 1) goto bad;
1223 client_key= *(++argv);
1224 }
1225 else if (strcmp(*argv,"-cipher") == 0)
1226 {
1227 if (--argc < 1) goto bad;
1228 cipher= *(++argv);
1229 }
1230 else if (strcmp(*argv,"-CApath") == 0)
1231 {
1232 if (--argc < 1) goto bad;
1233 CApath= *(++argv);
1234 }
1235 else if (strcmp(*argv,"-CAfile") == 0)
1236 {
1237 if (--argc < 1) goto bad;
1238 CAfile= *(++argv);
1239 }
1240 else if (strcmp(*argv,"-bio_pair") == 0)
1241 {
1242 bio_pair = 1;
1243 }
1244 else if (strcmp(*argv,"-f") == 0)
1245 {
1246 force = 1;
1247 }
1248 else if (strcmp(*argv,"-time") == 0)
1249 {
1250 print_time = 1;
1251 }
1252 #ifndef OPENSSL_NO_COMP
1253 else if (strcmp(*argv,"-zlib") == 0)
1254 {
1255 comp = COMP_ZLIB;
1256 }
1257 else if (strcmp(*argv,"-rle") == 0)
1258 {
1259 comp = COMP_RLE;
1260 }
1261 #endif
1262 else if (strcmp(*argv,"-named_curve") == 0)
1263 {
1264 if (--argc < 1) goto bad;
1265 #ifndef OPENSSL_NO_ECDH
1266 named_curve = *(++argv);
1267 #else
1268 fprintf(stderr,"ignoring -named_curve, since I'm compiled without ECDH\n");
1269 ++argv;
1270 #endif
1271 }
1272 else if (strcmp(*argv,"-app_verify") == 0)
1273 {
1274 app_verify_arg.app_verify = 1;
1275 }
1276 else if (strcmp(*argv,"-proxy") == 0)
1277 {
1278 app_verify_arg.allow_proxy_certs = 1;
1279 }
1280 else if (strcmp(*argv,"-test_cipherlist") == 0)
1281 {
1282 test_cipherlist = 1;
1283 }
1284 #ifndef OPENSSL_NO_NEXTPROTONEG
1285 else if (strcmp(*argv,"-npn_client") == 0)
1286 {
1287 npn_client = 1;
1288 }
1289 else if (strcmp(*argv,"-npn_server") == 0)
1290 {
1291 npn_server = 1;
1292 }
1293 else if (strcmp(*argv,"-npn_server_reject") == 0)
1294 {
1295 npn_server_reject = 1;
1296 }
1297 #endif
1298 else if (strcmp(*argv,"-serverinfo_sct") == 0)
1299 {
1300 serverinfo_sct = 1;
1301 }
1302 else if (strcmp(*argv,"-serverinfo_tack") == 0)
1303 {
1304 serverinfo_tack = 1;
1305 }
1306 else if (strcmp(*argv,"-serverinfo_file") == 0)
1307 {
1308 if (--argc < 1) goto bad;
1309 serverinfo_file = *(++argv);
1310 }
1311 else if (strcmp(*argv,"-custom_ext") == 0)
1312 {
1313 custom_ext = 1;
1314 }
1315 else if (strcmp(*argv,"-alpn_client") == 0)
1316 {
1317 if (--argc < 1) goto bad;
1318 alpn_client = *(++argv);
1319 }
1320 else if (strcmp(*argv,"-alpn_server") == 0)
1321 {
1322 if (--argc < 1) goto bad;
1323 alpn_server = *(++argv);
1324 }
1325 else if (strcmp(*argv,"-alpn_expected") == 0)
1326 {
1327 if (--argc < 1) goto bad;
1328 alpn_expected = *(++argv);
1329 }
1330 else
1331 {
1332 int rv;
1333 arg = argv[0];
1334 argn = argv[1];
1335 /* Try to process command using SSL_CONF */
1336 rv = SSL_CONF_cmd_argv(c_cctx, &argc, &argv);
1337 /* If not processed try server */
1338 if (rv == 0)
1339 rv = SSL_CONF_cmd_argv(s_cctx, &argc, &argv);
1340 /* Recognised: store it for later use */
1341 if (rv > 0)
1342 {
1343 if (rv == 1)
1344 argn = NULL;
1345 if (!conf_args)
1346 {
1347 conf_args = sk_OPENSSL_STRING_new_null();
1348 if (!conf_args)
1349 goto end;
1350 }
1351 if (!sk_OPENSSL_STRING_push(conf_args, arg))
1352 goto end;
1353 if (!sk_OPENSSL_STRING_push(conf_args, argn))
1354 goto end;
1355 continue;
1356 }
1357 if (rv == -3)
1358 BIO_printf(bio_err, "Missing argument for %s\n",
1359 arg);
1360 else if (rv < 0)
1361 BIO_printf(bio_err, "Error with command %s\n",
1362 arg);
1363 else if (rv == 0)
1364 BIO_printf(bio_err,"unknown option %s\n", arg);
1365 badop = 1;
1366 break;
1367 }
1368 argc--;
1369 argv++;
1370 }
1371 if (badop)
1372 {
1373 bad:
1374 sv_usage();
1375 goto end;
1376 }
1377
1378 /*
1379 * test_cipherlist prevails over protocol switch: we test the cipherlist
1380 * for all enabled protocols.
1381 */
1382 if (test_cipherlist == 1)
1383 {
1384 /* ensure that the cipher list are correctly sorted and exit */
1385 fprintf(stdout, "Testing cipherlist order only. Ignoring all "
1386 "other options.\n");
1387 if (do_test_cipherlist() == 0)
1388 EXIT(1);
1389 ret = 0;
1390 goto end;
1391 }
1392
1393 if (ssl3 + tls1 > 1)
1394 {
1395 fprintf(stderr, "At most one of -ssl3, or -tls1 should "
1396 "be requested.\n");
1397 EXIT(1);
1398 }
1399
1400 /*
1401 * Testing was requested for a compiled-out protocol (e.g. SSLv3).
1402 * Ideally, we would error out, but the generic test wrapper can't know
1403 * when to expect failure. So we do nothing and return success.
1404 */
1405 if (no_protocol)
1406 {
1407 fprintf(stderr, "Testing was requested for a disabled protocol. "
1408 "Skipping tests.\n");
1409 ret = 0;
1410 goto end;
1411 }
1412
1413 if (!ssl3 && !tls1 && number > 1 && !reuse && !force)
1414 {
1415 fprintf(stderr, "This case cannot work. Use -f to perform "
1416 "the test anyway (and\n-d to see what happens), "
1417 "or add one of -ssl3, -tls1, -reuse\n"
1418 "to avoid protocol mismatch.\n");
1419 EXIT(1);
1420 }
1421
1422 #ifdef OPENSSL_FIPS
1423 if(fips_mode)
1424 {
1425 if(!FIPS_mode_set(1))
1426 {
1427 ERR_load_crypto_strings();
1428 ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
1429 EXIT(1);
1430 }
1431 else
1432 fprintf(stderr,"*** IN FIPS MODE ***\n");
1433 }
1434 #endif
1435
1436 if (print_time)
1437 {
1438 if (!bio_pair)
1439 {
1440 fprintf(stderr, "Using BIO pair (-bio_pair)\n");
1441 bio_pair = 1;
1442 }
1443 if (number < 50 && !force)
1444 fprintf(stderr, "Warning: For accurate timings, use more connections (e.g. -num 1000)\n");
1445 }
1446
1447 /* if (cipher == NULL) cipher=getenv("SSL_CIPHER"); */
1448
1449 SSL_library_init();
1450 SSL_load_error_strings();
1451
1452 #ifndef OPENSSL_NO_COMP
1453 if (comp == COMP_ZLIB) cm = COMP_zlib();
1454 if (comp == COMP_RLE) cm = COMP_rle();
1455 if (cm != NULL)
1456 {
1457 if (cm->type != NID_undef)
1458 {
1459 if (SSL_COMP_add_compression_method(comp, cm) != 0)
1460 {
1461 fprintf(stderr,
1462 "Failed to add compression method\n");
1463 ERR_print_errors_fp(stderr);
1464 }
1465 }
1466 else
1467 {
1468 fprintf(stderr,
1469 "Warning: %s compression not supported\n",
1470 (comp == COMP_RLE ? "rle" :
1471 (comp == COMP_ZLIB ? "zlib" :
1472 "unknown")));
1473 ERR_print_errors_fp(stderr);
1474 }
1475 }
1476 ssl_comp_methods = SSL_COMP_get_compression_methods();
1477 fprintf(stderr, "Available compression methods:\n");
1478 {
1479 int j, n = sk_SSL_COMP_num(ssl_comp_methods);
1480 if (n == 0)
1481 fprintf(stderr, " NONE\n");
1482 else
1483 for (j = 0; j < n; j++)
1484 {
1485 SSL_COMP *c = sk_SSL_COMP_value(ssl_comp_methods, j);
1486 fprintf(stderr, " %d: %s\n", c->id, c->name);
1487 }
1488 }
1489 #endif
1490
1491 /* At this point, ssl3/tls1 is only set if the protocol is available.
1492 * (Otherwise we exit early.)
1493 * However the compiler doesn't know this, so we ifdef. */
1494 #ifndef OPENSSL_NO_SSL3
1495 if (ssl3)
1496 meth=SSLv3_method();
1497 else
1498 #endif
1499 #ifndef OPENSSL_NO_TLS1
1500 if (tls1)
1501 meth=TLSv1_method();
1502 else
1503 #endif
1504 meth=SSLv23_method();
1505
1506 c_ctx=SSL_CTX_new(meth);
1507 s_ctx=SSL_CTX_new(meth);
1508 if ((c_ctx == NULL) || (s_ctx == NULL))
1509 {
1510 ERR_print_errors(bio_err);
1511 goto end;
1512 }
1513 /* Since we will use low security ciphersuites and keys for
1514 * testing set security level to zero.
1515 */
1516 SSL_CTX_set_security_level(c_ctx, 0);
1517 SSL_CTX_set_security_level(s_ctx, 0);
1518
1519 if (cipher != NULL)
1520 {
1521 SSL_CTX_set_cipher_list(c_ctx,cipher);
1522 SSL_CTX_set_cipher_list(s_ctx,cipher);
1523 }
1524
1525 /* Process SSL_CONF arguments */
1526 SSL_CONF_CTX_set_ssl_ctx(c_cctx, c_ctx);
1527 SSL_CONF_CTX_set_ssl_ctx(s_cctx, s_ctx);
1528
1529 for (i = 0; i < sk_OPENSSL_STRING_num(conf_args); i += 2)
1530 {
1531 int rv;
1532 arg = sk_OPENSSL_STRING_value(conf_args, i);
1533 argn = sk_OPENSSL_STRING_value(conf_args, i + 1);
1534 rv = SSL_CONF_cmd(c_cctx, arg, argn);
1535 /* If not recognised use server context */
1536 if (rv == -2)
1537 rv = SSL_CONF_cmd(s_cctx, arg, argn);
1538 if (rv <= 0)
1539 {
1540 BIO_printf(bio_err, "Error processing %s %s\n",
1541 arg, argn ? argn : "");
1542 ERR_print_errors(bio_err);
1543 goto end;
1544 }
1545 }
1546
1547 if (!SSL_CONF_CTX_finish(s_cctx) || !SSL_CONF_CTX_finish(c_cctx))
1548 {
1549 BIO_puts(bio_err, "Error finishing context\n");
1550 ERR_print_errors(bio_err);
1551 goto end;
1552 }
1553
1554 #ifndef OPENSSL_NO_DH
1555 if (!no_dhe)
1556 {
1557 if (dhe1024dsa)
1558 {
1559 /* use SSL_OP_SINGLE_DH_USE to avoid small subgroup attacks */
1560 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);
1561 dh=get_dh1024dsa();
1562 }
1563 else if (dhe1024)
1564 dh=get_dh1024();
1565 else
1566 dh=get_dh512();
1567 SSL_CTX_set_tmp_dh(s_ctx,dh);
1568 DH_free(dh);
1569 }
1570 #else
1571 (void)no_dhe;
1572 #endif
1573
1574 #ifndef OPENSSL_NO_ECDH
1575 if (!no_ecdhe)
1576 {
1577 int nid;
1578
1579 if (named_curve != NULL)
1580 {
1581 nid = OBJ_sn2nid(named_curve);
1582 if (nid == 0)
1583 {
1584 BIO_printf(bio_err, "unknown curve name (%s)\n", named_curve);
1585 goto end;
1586 }
1587 }
1588 else
1589 #ifdef OPENSSL_NO_EC2M
1590 nid = NID_X9_62_prime256v1;
1591 #else
1592 nid = NID_sect163r2;
1593 #endif
1594
1595 ecdh = EC_KEY_new_by_curve_name(nid);
1596 if (ecdh == NULL)
1597 {
1598 BIO_printf(bio_err, "unable to create curve\n");
1599 goto end;
1600 }
1601
1602 SSL_CTX_set_tmp_ecdh(s_ctx, ecdh);
1603 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_ECDH_USE);
1604 EC_KEY_free(ecdh);
1605 }
1606 #else
1607 (void)no_ecdhe;
1608 #endif
1609
1610 #ifndef OPENSSL_NO_RSA
1611 SSL_CTX_set_tmp_rsa_callback(s_ctx,tmp_rsa_cb);
1612 #endif
1613
1614 #ifdef TLSEXT_TYPE_opaque_prf_input
1615 SSL_CTX_set_tlsext_opaque_prf_input_callback(c_ctx, opaque_prf_input_cb);
1616 SSL_CTX_set_tlsext_opaque_prf_input_callback(s_ctx, opaque_prf_input_cb);
1617 SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(c_ctx, &co1); /* or &co2 or NULL */
1618 SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(s_ctx, &so1); /* or &so2 or NULL */
1619 #endif
1620
1621 if (!SSL_CTX_use_certificate_file(s_ctx,server_cert,SSL_FILETYPE_PEM))
1622 {
1623 ERR_print_errors(bio_err);
1624 }
1625 else if (!SSL_CTX_use_PrivateKey_file(s_ctx,
1626 (server_key?server_key:server_cert), SSL_FILETYPE_PEM))
1627 {
1628 ERR_print_errors(bio_err);
1629 goto end;
1630 }
1631
1632 if (client_auth)
1633 {
1634 SSL_CTX_use_certificate_file(c_ctx,client_cert,
1635 SSL_FILETYPE_PEM);
1636 SSL_CTX_use_PrivateKey_file(c_ctx,
1637 (client_key?client_key:client_cert),
1638 SSL_FILETYPE_PEM);
1639 }
1640
1641 if ( (!SSL_CTX_load_verify_locations(s_ctx,CAfile,CApath)) ||
1642 (!SSL_CTX_set_default_verify_paths(s_ctx)) ||
1643 (!SSL_CTX_load_verify_locations(c_ctx,CAfile,CApath)) ||
1644 (!SSL_CTX_set_default_verify_paths(c_ctx)))
1645 {
1646 /* fprintf(stderr,"SSL_load_verify_locations\n"); */
1647 ERR_print_errors(bio_err);
1648 /* goto end; */
1649 }
1650
1651 if (client_auth)
1652 {
1653 BIO_printf(bio_err,"client authentication\n");
1654 SSL_CTX_set_verify(s_ctx,
1655 SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
1656 verify_callback);
1657 SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, &app_verify_arg);
1658 }
1659 if (server_auth)
1660 {
1661 BIO_printf(bio_err,"server authentication\n");
1662 SSL_CTX_set_verify(c_ctx,SSL_VERIFY_PEER,
1663 verify_callback);
1664 SSL_CTX_set_cert_verify_callback(c_ctx, app_verify_callback, &app_verify_arg);
1665 }
1666
1667 {
1668 int session_id_context = 0;
1669 SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context, sizeof session_id_context);
1670 }
1671
1672 /* Use PSK only if PSK key is given */
1673 if (psk_key != NULL)
1674 {
1675 /* no_psk is used to avoid putting psk command to openssl tool */
1676 if (no_psk)
1677 {
1678 /* if PSK is not compiled in and psk key is
1679 * given, do nothing and exit successfully */
1680 ret=0;
1681 goto end;
1682 }
1683 #ifndef OPENSSL_NO_PSK
1684 SSL_CTX_set_psk_client_callback(c_ctx, psk_client_callback);
1685 SSL_CTX_set_psk_server_callback(s_ctx, psk_server_callback);
1686 if (debug)
1687 BIO_printf(bio_err,"setting PSK identity hint to s_ctx\n");
1688 if (!SSL_CTX_use_psk_identity_hint(s_ctx, "ctx server identity_hint"))
1689 {
1690 BIO_printf(bio_err,"error setting PSK identity hint to s_ctx\n");
1691 ERR_print_errors(bio_err);
1692 goto end;
1693 }
1694 #endif
1695 }
1696 #ifndef OPENSSL_NO_SRP
1697 if (srp_client_arg.srplogin)
1698 {
1699 if (!SSL_CTX_set_srp_username(c_ctx, srp_client_arg.srplogin))
1700 {
1701 BIO_printf(bio_err,"Unable to set SRP username\n");
1702 goto end;
1703 }
1704 SSL_CTX_set_srp_cb_arg(c_ctx,&srp_client_arg);
1705 SSL_CTX_set_srp_client_pwd_callback(c_ctx, ssl_give_srp_client_pwd_cb);
1706 /*SSL_CTX_set_srp_strength(c_ctx, srp_client_arg.strength);*/
1707 }
1708
1709 if (srp_server_arg.expected_user != NULL)
1710 {
1711 SSL_CTX_set_verify(s_ctx,SSL_VERIFY_NONE,verify_callback);
1712 SSL_CTX_set_srp_cb_arg(s_ctx, &srp_server_arg);
1713 SSL_CTX_set_srp_username_callback(s_ctx, ssl_srp_server_param_cb);
1714 }
1715 #endif
1716
1717 #ifndef OPENSSL_NO_NEXTPROTONEG
1718 if (npn_client)
1719 {
1720 SSL_CTX_set_next_proto_select_cb(c_ctx, cb_client_npn, NULL);
1721 }
1722 if (npn_server)
1723 {
1724 if (npn_server_reject)
1725 {
1726 BIO_printf(bio_err, "Can't have both -npn_server and -npn_server_reject\n");
1727 goto end;
1728 }
1729 SSL_CTX_set_next_protos_advertised_cb(s_ctx, cb_server_npn, NULL);
1730 }
1731 if (npn_server_reject)
1732 {
1733 SSL_CTX_set_next_protos_advertised_cb(s_ctx, cb_server_rejects_npn, NULL);
1734 }
1735 #endif
1736
1737 if (serverinfo_sct)
1738 SSL_CTX_add_client_custom_ext(c_ctx, SCT_EXT_TYPE,
1739 NULL, NULL, NULL,
1740 serverinfo_cli_parse_cb, NULL);
1741 if (serverinfo_tack)
1742 SSL_CTX_add_client_custom_ext(c_ctx, TACK_EXT_TYPE,
1743 NULL, NULL, NULL,
1744 serverinfo_cli_parse_cb, NULL);
1745
1746 if (serverinfo_file)
1747 if (!SSL_CTX_use_serverinfo_file(s_ctx, serverinfo_file))
1748 {
1749 BIO_printf(bio_err, "missing serverinfo file\n");
1750 goto end;
1751 }
1752
1753 if (custom_ext)
1754 {
1755 SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_0,
1756 custom_ext_0_cli_add_cb,
1757 NULL, NULL,
1758 custom_ext_0_cli_parse_cb, NULL);
1759 SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_1,
1760 custom_ext_1_cli_add_cb,
1761 NULL, NULL,
1762 custom_ext_1_cli_parse_cb, NULL);
1763 SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_2,
1764 custom_ext_2_cli_add_cb,
1765 NULL, NULL,
1766 custom_ext_2_cli_parse_cb, NULL);
1767 SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_3,
1768 custom_ext_3_cli_add_cb,
1769 NULL, NULL,
1770 custom_ext_3_cli_parse_cb, NULL);
1771
1772
1773 SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_0,
1774 custom_ext_0_srv_add_cb,
1775 NULL, NULL,
1776 custom_ext_0_srv_parse_cb, NULL);
1777 SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_1,
1778 custom_ext_1_srv_add_cb,
1779 NULL, NULL,
1780 custom_ext_1_srv_parse_cb, NULL);
1781 SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_2,
1782 custom_ext_2_srv_add_cb,
1783 NULL, NULL,
1784 custom_ext_2_srv_parse_cb, NULL);
1785 SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_3,
1786 custom_ext_3_srv_add_cb,
1787 NULL, NULL,
1788 custom_ext_3_srv_parse_cb, NULL);
1789 }
1790
1791 if (alpn_server)
1792 SSL_CTX_set_alpn_select_cb(s_ctx, cb_server_alpn, NULL);
1793
1794 if (alpn_client)
1795 {
1796 unsigned short alpn_len;
1797 unsigned char *alpn = next_protos_parse(&alpn_len, alpn_client);
1798
1799 if (alpn == NULL)
1800 {
1801 BIO_printf(bio_err, "Error parsing -alpn_client argument\n");
1802 goto end;
1803 }
1804 SSL_CTX_set_alpn_protos(c_ctx, alpn, alpn_len);
1805 OPENSSL_free(alpn);
1806 }
1807
1808 c_ssl=SSL_new(c_ctx);
1809 s_ssl=SSL_new(s_ctx);
1810
1811 #ifndef OPENSSL_NO_KRB5
1812 if (c_ssl && c_ssl->kssl_ctx)
1813 {
1814 char localhost[MAXHOSTNAMELEN+2];
1815
1816 if (gethostname(localhost, sizeof localhost-1) == 0)
1817 {
1818 localhost[sizeof localhost-1]='\0';
1819 if(strlen(localhost) == sizeof localhost-1)
1820 {
1821 BIO_printf(bio_err,"localhost name too long\n");
1822 goto end;
1823 }
1824 kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER,
1825 localhost);
1826 }
1827 }
1828 #endif /* OPENSSL_NO_KRB5 */
1829
1830 for (i=0; i<number; i++)
1831 {
1832 if (!reuse) SSL_set_session(c_ssl,NULL);
1833 if (bio_pair)
1834 ret=doit_biopair(s_ssl,c_ssl,bytes,&s_time,&c_time);
1835 else
1836 ret=doit(s_ssl,c_ssl,bytes);
1837 }
1838
1839 if (!verbose)
1840 {
1841 print_details(c_ssl, "");
1842 }
1843 if ((number > 1) || (bytes > 1L))
1844 BIO_printf(bio_stdout, "%d handshakes of %ld bytes done\n",number,bytes);
1845 if (print_time)
1846 {
1847 #ifdef CLOCKS_PER_SEC
1848 /* "To determine the time in seconds, the value returned
1849 * by the clock function should be divided by the value
1850 * of the macro CLOCKS_PER_SEC."
1851 * -- ISO/IEC 9899 */
1852 BIO_printf(bio_stdout, "Approximate total server time: %6.2f s\n"
1853 "Approximate total client time: %6.2f s\n",
1854 (double)s_time/CLOCKS_PER_SEC,
1855 (double)c_time/CLOCKS_PER_SEC);
1856 #else
1857 BIO_printf(bio_stdout,
1858 "Approximate total server time: %6.2f units\n"
1859 "Approximate total client time: %6.2f units\n",
1860 (double)s_time,
1861 (double)c_time);
1862 #endif
1863 }
1864
1865 SSL_free(s_ssl);
1866 SSL_free(c_ssl);
1867
1868 end:
1869 if (s_ctx != NULL) SSL_CTX_free(s_ctx);
1870 if (c_ctx != NULL) SSL_CTX_free(c_ctx);
1871
1872 if (s_cctx)
1873 SSL_CONF_CTX_free(s_cctx);
1874 if (c_cctx)
1875 SSL_CONF_CTX_free(c_cctx);
1876 sk_OPENSSL_STRING_free(conf_args);
1877
1878 if (bio_stdout != NULL) BIO_free(bio_stdout);
1879
1880 #ifndef OPENSSL_NO_RSA
1881 free_tmp_rsa();
1882 #endif
1883 #ifndef OPENSSL_NO_ENGINE
1884 ENGINE_cleanup();
1885 #endif
1886 CRYPTO_cleanup_all_ex_data();
1887 ERR_free_strings();
1888 ERR_remove_thread_state(NULL);
1889 EVP_cleanup();
1890 CRYPTO_mem_leaks(bio_err);
1891 if (bio_err != NULL) BIO_free(bio_err);
1892 EXIT(ret);
1893 return ret;
1894 }
1895
1896 int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count,
1897 clock_t *s_time, clock_t *c_time)
1898 {
1899 long cw_num = count, cr_num = count, sw_num = count, sr_num = count;
1900 BIO *s_ssl_bio = NULL, *c_ssl_bio = NULL;
1901 BIO *server = NULL, *server_io = NULL, *client = NULL, *client_io = NULL;
1902 int ret = 1;
1903
1904 size_t bufsiz = 256; /* small buffer for testing */
1905
1906 if (!BIO_new_bio_pair(&server, bufsiz, &server_io, bufsiz))
1907 goto err;
1908 if (!BIO_new_bio_pair(&client, bufsiz, &client_io, bufsiz))
1909 goto err;
1910
1911 s_ssl_bio = BIO_new(BIO_f_ssl());
1912 if (!s_ssl_bio)
1913 goto err;
1914
1915 c_ssl_bio = BIO_new(BIO_f_ssl());
1916 if (!c_ssl_bio)
1917 goto err;
1918
1919 SSL_set_connect_state(c_ssl);
1920 SSL_set_bio(c_ssl, client, client);
1921 (void)BIO_set_ssl(c_ssl_bio, c_ssl, BIO_NOCLOSE);
1922
1923 SSL_set_accept_state(s_ssl);
1924 SSL_set_bio(s_ssl, server, server);
1925 (void)BIO_set_ssl(s_ssl_bio, s_ssl, BIO_NOCLOSE);
1926
1927 do
1928 {
1929 /*-
1930 * c_ssl_bio: SSL filter BIO
1931 *
1932 * client: pseudo-I/O for SSL library
1933 *
1934 * client_io: client's SSL communication; usually to be
1935 * relayed over some I/O facility, but in this
1936 * test program, we're the server, too:
1937 *
1938 * server_io: server's SSL communication
1939 *
1940 * server: pseudo-I/O for SSL library
1941 *
1942 * s_ssl_bio: SSL filter BIO
1943 *
1944 * The client and the server each employ a "BIO pair":
1945 * client + client_io, server + server_io.
1946 * BIO pairs are symmetric. A BIO pair behaves similar
1947 * to a non-blocking socketpair (but both endpoints must
1948 * be handled by the same thread).
1949 * [Here we could connect client and server to the ends
1950 * of a single BIO pair, but then this code would be less
1951 * suitable as an example for BIO pairs in general.]
1952 *
1953 * Useful functions for querying the state of BIO pair endpoints:
1954 *
1955 * BIO_ctrl_pending(bio) number of bytes we can read now
1956 * BIO_ctrl_get_read_request(bio) number of bytes needed to fulfil
1957 * other side's read attempt
1958 * BIO_ctrl_get_write_guarantee(bio) number of bytes we can write now
1959 *
1960 * ..._read_request is never more than ..._write_guarantee;
1961 * it depends on the application which one you should use.
1962 */
1963
1964 /* We have non-blocking behaviour throughout this test program, but
1965 * can be sure that there is *some* progress in each iteration; so
1966 * we don't have to worry about ..._SHOULD_READ or ..._SHOULD_WRITE
1967 * -- we just try everything in each iteration
1968 */
1969
1970 {
1971 /* CLIENT */
1972
1973 MS_STATIC char cbuf[1024*8];
1974 int i, r;
1975 clock_t c_clock = clock();
1976
1977 memset(cbuf, 0, sizeof(cbuf));
1978
1979 if (debug)
1980 if (SSL_in_init(c_ssl))
1981 printf("client waiting in SSL_connect - %s\n",
1982 SSL_state_string_long(c_ssl));
1983
1984 if (cw_num > 0)
1985 {
1986 /* Write to server. */
1987
1988 if (cw_num > (long)sizeof cbuf)
1989 i = sizeof cbuf;
1990 else
1991 i = (int)cw_num;
1992 r = BIO_write(c_ssl_bio, cbuf, i);
1993 if (r < 0)
1994 {
1995 if (!BIO_should_retry(c_ssl_bio))
1996 {
1997 fprintf(stderr,"ERROR in CLIENT\n");
1998 goto err;
1999 }
2000 /* BIO_should_retry(...) can just be ignored here.
2001 * The library expects us to call BIO_write with
2002 * the same arguments again, and that's what we will
2003 * do in the next iteration. */
2004 }
2005 else if (r == 0)
2006 {
2007 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
2008 goto err;
2009 }
2010 else
2011 {
2012 if (debug)
2013 printf("client wrote %d\n", r);
2014 cw_num -= r;
2015 }
2016 }
2017
2018 if (cr_num > 0)
2019 {
2020 /* Read from server. */
2021
2022 r = BIO_read(c_ssl_bio, cbuf, sizeof(cbuf));
2023 if (r < 0)
2024 {
2025 if (!BIO_should_retry(c_ssl_bio))
2026 {
2027 fprintf(stderr,"ERROR in CLIENT\n");
2028 goto err;
2029 }
2030 /* Again, "BIO_should_retry" can be ignored. */
2031 }
2032 else if (r == 0)
2033 {
2034 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
2035 goto err;
2036 }
2037 else
2038 {
2039 if (debug)
2040 printf("client read %d\n", r);
2041 cr_num -= r;
2042 }
2043 }
2044
2045 /* c_time and s_time increments will typically be very small
2046 * (depending on machine speed and clock tick intervals),
2047 * but sampling over a large number of connections should
2048 * result in fairly accurate figures. We cannot guarantee
2049 * a lot, however -- if each connection lasts for exactly
2050 * one clock tick, it will be counted only for the client
2051 * or only for the server or even not at all.
2052 */
2053 *c_time += (clock() - c_clock);
2054 }
2055
2056 {
2057 /* SERVER */
2058
2059 MS_STATIC char sbuf[1024*8];
2060 int i, r;
2061 clock_t s_clock = clock();
2062
2063 memset(sbuf, 0, sizeof(sbuf));
2064
2065 if (debug)
2066 if (SSL_in_init(s_ssl))
2067 printf("server waiting in SSL_accept - %s\n",
2068 SSL_state_string_long(s_ssl));
2069
2070 if (sw_num > 0)
2071 {
2072 /* Write to client. */
2073
2074 if (sw_num > (long)sizeof sbuf)
2075 i = sizeof sbuf;
2076 else
2077 i = (int)sw_num;
2078 r = BIO_write(s_ssl_bio, sbuf, i);
2079 if (r < 0)
2080 {
2081 if (!BIO_should_retry(s_ssl_bio))
2082 {
2083 fprintf(stderr,"ERROR in SERVER\n");
2084 goto err;
2085 }
2086 /* Ignore "BIO_should_retry". */
2087 }
2088 else if (r == 0)
2089 {
2090 fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
2091 goto err;
2092 }
2093 else
2094 {
2095 if (debug)
2096 printf("server wrote %d\n", r);
2097 sw_num -= r;
2098 }
2099 }
2100
2101 if (sr_num > 0)
2102 {
2103 /* Read from client. */
2104
2105 r = BIO_read(s_ssl_bio, sbuf, sizeof(sbuf));
2106 if (r < 0)
2107 {
2108 if (!BIO_should_retry(s_ssl_bio))
2109 {
2110 fprintf(stderr,"ERROR in SERVER\n");
2111 goto err;
2112 }
2113 /* blah, blah */
2114 }
2115 else if (r == 0)
2116 {
2117 fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
2118 goto err;
2119 }
2120 else
2121 {
2122 if (debug)
2123 printf("server read %d\n", r);
2124 sr_num -= r;
2125 }
2126 }
2127
2128 *s_time += (clock() - s_clock);
2129 }
2130
2131 {
2132 /* "I/O" BETWEEN CLIENT AND SERVER. */
2133
2134 size_t r1, r2;
2135 BIO *io1 = server_io, *io2 = client_io;
2136 /* we use the non-copying interface for io1
2137 * and the standard BIO_write/BIO_read interface for io2
2138 */
2139
2140 static int prev_progress = 1;
2141 int progress = 0;
2142
2143 /* io1 to io2 */
2144 do
2145 {
2146 size_t num;
2147 int r;
2148
2149 r1 = BIO_ctrl_pending(io1);
2150 r2 = BIO_ctrl_get_write_guarantee(io2);
2151
2152 num = r1;
2153 if (r2 < num)
2154 num = r2;
2155 if (num)
2156 {
2157 char *dataptr;
2158
2159 if (INT_MAX < num) /* yeah, right */
2160 num = INT_MAX;
2161
2162 r = BIO_nread(io1, &dataptr, (int)num);
2163 assert(r > 0);
2164 assert(r <= (int)num);
2165 /* possibly r < num (non-contiguous data) */
2166 num = r;
2167 r = BIO_write(io2, dataptr, (int)num);
2168 if (r != (int)num) /* can't happen */
2169 {
2170 fprintf(stderr, "ERROR: BIO_write could not write "
2171 "BIO_ctrl_get_write_guarantee() bytes");
2172 goto err;
2173 }
2174 progress = 1;
2175
2176 if (debug)
2177 printf((io1 == client_io) ?
2178 "C->S relaying: %d bytes\n" :
2179 "S->C relaying: %d bytes\n",
2180 (int)num);
2181 }
2182 }
2183 while (r1 && r2);
2184
2185 /* io2 to io1 */
2186 {
2187 size_t num;
2188 int r;
2189
2190 r1 = BIO_ctrl_pending(io2);
2191 r2 = BIO_ctrl_get_read_request(io1);
2192 /* here we could use ..._get_write_guarantee instead of
2193 * ..._get_read_request, but by using the latter
2194 * we test restartability of the SSL implementation
2195 * more thoroughly */
2196 num = r1;
2197 if (r2 < num)
2198 num = r2;
2199 if (num)
2200 {
2201 char *dataptr;
2202
2203 if (INT_MAX < num)
2204 num = INT_MAX;
2205
2206 if (num > 1)
2207 --num; /* test restartability even more thoroughly */
2208
2209 r = BIO_nwrite0(io1, &dataptr);
2210 assert(r > 0);
2211 if (r < (int)num)
2212 num = r;
2213 r = BIO_read(io2, dataptr, (int)num);
2214 if (r != (int)num) /* can't happen */
2215 {
2216 fprintf(stderr, "ERROR: BIO_read could not read "
2217 "BIO_ctrl_pending() bytes");
2218 goto err;
2219 }
2220 progress = 1;
2221 r = BIO_nwrite(io1, &dataptr, (int)num);
2222 if (r != (int)num) /* can't happen */
2223 {
2224 fprintf(stderr, "ERROR: BIO_nwrite() did not accept "
2225 "BIO_nwrite0() bytes");
2226 goto err;
2227 }
2228
2229 if (debug)
2230 printf((io2 == client_io) ?
2231 "C->S relaying: %d bytes\n" :
2232 "S->C relaying: %d bytes\n",
2233 (int)num);
2234 }
2235 } /* no loop, BIO_ctrl_get_read_request now returns 0 anyway */
2236
2237 if (!progress && !prev_progress)
2238 if (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0)
2239 {
2240 fprintf(stderr, "ERROR: got stuck\n");
2241 fprintf(stderr, " ERROR.\n");
2242 goto err;
2243 }
2244 prev_progress = progress;
2245 }
2246 }
2247 while (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0);
2248
2249 if (verbose)
2250 print_details(c_ssl, "DONE via BIO pair: ");
2251 #ifndef OPENSSL_NO_NEXTPROTONEG
2252 if (verify_npn(c_ssl, s_ssl) < 0)
2253 {
2254 ret = 1;
2255 goto end;
2256 }
2257 #endif
2258 if (verify_serverinfo() < 0)
2259 {
2260 fprintf(stderr, "Server info verify error\n");
2261 ret = 1;
2262 goto err;
2263 }
2264 if (verify_alpn(c_ssl, s_ssl) < 0)
2265 {
2266 ret = 1;
2267 goto err;
2268 }
2269
2270 if (custom_ext_error)
2271 {
2272 fprintf(stderr, "Custom extension error\n");
2273 ret = 1;
2274 goto err;
2275 }
2276
2277 end:
2278 ret = 0;
2279
2280 err:
2281 ERR_print_errors(bio_err);
2282
2283 if (server)
2284 BIO_free(server);
2285 if (server_io)
2286 BIO_free(server_io);
2287 if (client)
2288 BIO_free(client);
2289 if (client_io)
2290 BIO_free(client_io);
2291 if (s_ssl_bio)
2292 BIO_free(s_ssl_bio);
2293 if (c_ssl_bio)
2294 BIO_free(c_ssl_bio);
2295
2296 return ret;
2297 }
2298
2299
2300 #define W_READ 1
2301 #define W_WRITE 2
2302 #define C_DONE 1
2303 #define S_DONE 2
2304
2305 int doit(SSL *s_ssl, SSL *c_ssl, long count)
2306 {
2307 char *cbuf=NULL,*sbuf=NULL;
2308 long bufsiz;
2309 long cw_num=count,cr_num=count;
2310 long sw_num=count,sr_num=count;
2311 int ret=1;
2312 BIO *c_to_s=NULL;
2313 BIO *s_to_c=NULL;
2314 BIO *c_bio=NULL;
2315 BIO *s_bio=NULL;
2316 int c_r,c_w,s_r,s_w;
2317 int i,j;
2318 int done=0;
2319 int c_write,s_write;
2320 int do_server=0,do_client=0;
2321 int max_frag = 5*1024;
2322
2323 bufsiz = count>40*1024 ? 40*1024 : count;
2324
2325 if ((cbuf = OPENSSL_malloc(bufsiz))==NULL) goto err;
2326 if ((sbuf = OPENSSL_malloc(bufsiz))==NULL) goto err;
2327
2328 memset(cbuf,0,bufsiz);
2329 memset(sbuf,0,bufsiz);
2330
2331 c_to_s=BIO_new(BIO_s_mem());
2332 s_to_c=BIO_new(BIO_s_mem());
2333 if ((s_to_c == NULL) || (c_to_s == NULL))
2334 {
2335 ERR_print_errors(bio_err);
2336 goto err;
2337 }
2338
2339 c_bio=BIO_new(BIO_f_ssl());
2340 s_bio=BIO_new(BIO_f_ssl());
2341 if ((c_bio == NULL) || (s_bio == NULL))
2342 {
2343 ERR_print_errors(bio_err);
2344 goto err;
2345 }
2346
2347 SSL_set_connect_state(c_ssl);
2348 SSL_set_bio(c_ssl,s_to_c,c_to_s);
2349 SSL_set_max_send_fragment(c_ssl,max_frag);
2350 BIO_set_ssl(c_bio,c_ssl,BIO_NOCLOSE);
2351
2352 SSL_set_accept_state(s_ssl);
2353 SSL_set_bio(s_ssl,c_to_s,s_to_c);
2354 SSL_set_max_send_fragment(s_ssl,max_frag);
2355 BIO_set_ssl(s_bio,s_ssl,BIO_NOCLOSE);
2356
2357 c_r=0; s_r=1;
2358 c_w=1; s_w=0;
2359 c_write=1,s_write=0;
2360
2361 /* We can always do writes */
2362 for (;;)
2363 {
2364 do_server=0;
2365 do_client=0;
2366
2367 i=(int)BIO_pending(s_bio);
2368 if ((i && s_r) || s_w) do_server=1;
2369
2370 i=(int)BIO_pending(c_bio);
2371 if ((i && c_r) || c_w) do_client=1;
2372
2373 if (do_server && debug)
2374 {
2375 if (SSL_in_init(s_ssl))
2376 printf("server waiting in SSL_accept - %s\n",
2377 SSL_state_string_long(s_ssl));
2378 /*-
2379 else if (s_write)
2380 printf("server:SSL_write()\n");
2381 else
2382 printf("server:SSL_read()\n"); */
2383 }
2384
2385 if (do_client && debug)
2386 {
2387 if (SSL_in_init(c_ssl))
2388 printf("client waiting in SSL_connect - %s\n",
2389 SSL_state_string_long(c_ssl));
2390 /*-
2391 else if (c_write)
2392 printf("client:SSL_write()\n");
2393 else
2394 printf("client:SSL_read()\n"); */
2395 }
2396
2397 if (!do_client && !do_server)
2398 {
2399 fprintf(stdout,"ERROR IN STARTUP\n");
2400 ERR_print_errors(bio_err);
2401 break;
2402 }
2403 if (do_client && !(done & C_DONE))
2404 {
2405 if (c_write)
2406 {
2407 j = (cw_num > bufsiz) ?
2408 (int)bufsiz : (int)cw_num;
2409 i=BIO_write(c_bio,cbuf,j);
2410 if (i < 0)
2411 {
2412 c_r=0;
2413 c_w=0;
2414 if (BIO_should_retry(c_bio))
2415 {
2416 if (BIO_should_read(c_bio))
2417 c_r=1;
2418 if (BIO_should_write(c_bio))
2419 c_w=1;
2420 }
2421 else
2422 {
2423 fprintf(stderr,"ERROR in CLIENT\n");
2424 ERR_print_errors(bio_err);
2425 goto err;
2426 }
2427 }
2428 else if (i == 0)
2429 {
2430 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
2431 goto err;
2432 }
2433 else
2434 {
2435 if (debug)
2436 printf("client wrote %d\n",i);
2437 /* ok */
2438 s_r=1;
2439 c_write=0;
2440 cw_num-=i;
2441 if (max_frag>1029)
2442 SSL_set_max_send_fragment(c_ssl,max_frag-=5);
2443 }
2444 }
2445 else
2446 {
2447 i=BIO_read(c_bio,cbuf,bufsiz);
2448 if (i < 0)
2449 {
2450 c_r=0;
2451 c_w=0;
2452 if (BIO_should_retry(c_bio))
2453 {
2454 if (BIO_should_read(c_bio))
2455 c_r=1;
2456 if (BIO_should_write(c_bio))
2457 c_w=1;
2458 }
2459 else
2460 {
2461 fprintf(stderr,"ERROR in CLIENT\n");
2462 ERR_print_errors(bio_err);
2463 goto err;
2464 }
2465 }
2466 else if (i == 0)
2467 {
2468 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
2469 goto err;
2470 }
2471 else
2472 {
2473 if (debug)
2474 printf("client read %d\n",i);
2475 cr_num-=i;
2476 if (sw_num > 0)
2477 {
2478 s_write=1;
2479 s_w=1;
2480 }
2481 if (cr_num <= 0)
2482 {
2483 s_write=1;
2484 s_w=1;
2485 done=S_DONE|C_DONE;
2486 }
2487 }
2488 }
2489 }
2490
2491 if (do_server && !(done & S_DONE))
2492 {
2493 if (!s_write)
2494 {
2495 i=BIO_read(s_bio,sbuf,bufsiz);
2496 if (i < 0)
2497 {
2498 s_r=0;
2499 s_w=0;
2500 if (BIO_should_retry(s_bio))
2501 {
2502 if (BIO_should_read(s_bio))
2503 s_r=1;
2504 if (BIO_should_write(s_bio))
2505 s_w=1;
2506 }
2507 else
2508 {
2509 fprintf(stderr,"ERROR in SERVER\n");
2510 ERR_print_errors(bio_err);
2511 goto err;
2512 }
2513 }
2514 else if (i == 0)
2515 {
2516 ERR_print_errors(bio_err);
2517 fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_read\n");
2518 goto err;
2519 }
2520 else
2521 {
2522 if (debug)
2523 printf("server read %d\n",i);
2524 sr_num-=i;
2525 if (cw_num > 0)
2526 {
2527 c_write=1;
2528 c_w=1;
2529 }
2530 if (sr_num <= 0)
2531 {
2532 s_write=1;
2533 s_w=1;
2534 c_write=0;
2535 }
2536 }
2537 }
2538 else
2539 {
2540 j = (sw_num > bufsiz) ?
2541 (int)bufsiz : (int)sw_num;
2542 i=BIO_write(s_bio,sbuf,j);
2543 if (i < 0)
2544 {
2545 s_r=0;
2546 s_w=0;
2547 if (BIO_should_retry(s_bio))
2548 {
2549 if (BIO_should_read(s_bio))
2550 s_r=1;
2551 if (BIO_should_write(s_bio))
2552 s_w=1;
2553 }
2554 else
2555 {
2556 fprintf(stderr,"ERROR in SERVER\n");
2557 ERR_print_errors(bio_err);
2558 goto err;
2559 }
2560 }
2561 else if (i == 0)
2562 {
2563 ERR_print_errors(bio_err);
2564 fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_write\n");
2565 goto err;
2566 }
2567 else
2568 {
2569 if (debug)
2570 printf("server wrote %d\n",i);
2571 sw_num-=i;
2572 s_write=0;
2573 c_r=1;
2574 if (sw_num <= 0)
2575 done|=S_DONE;
2576 if (max_frag>1029)
2577 SSL_set_max_send_fragment(s_ssl,max_frag-=5);
2578 }
2579 }
2580 }
2581
2582 if ((done & S_DONE) && (done & C_DONE)) break;
2583 }
2584
2585 if (verbose)
2586 print_details(c_ssl, "DONE: ");
2587 #ifndef OPENSSL_NO_NEXTPROTONEG
2588 if (verify_npn(c_ssl, s_ssl) < 0)
2589 {
2590 ret = 1;
2591 goto err;
2592 }
2593 #endif
2594 if (verify_serverinfo() < 0)
2595 {
2596 fprintf(stderr, "Server info verify error\n");
2597 ret = 1;
2598 goto err;
2599 }
2600 if (custom_ext_error)
2601 {
2602 fprintf(stderr, "Custom extension error\n");
2603 ret = 1;
2604 goto err;
2605 }
2606 ret=0;
2607 err:
2608 /* We have to set the BIO's to NULL otherwise they will be
2609 * OPENSSL_free()ed twice. Once when th s_ssl is SSL_free()ed and
2610 * again when c_ssl is SSL_free()ed.
2611 * This is a hack required because s_ssl and c_ssl are sharing the same
2612 * BIO structure and SSL_set_bio() and SSL_free() automatically
2613 * BIO_free non NULL entries.
2614 * You should not normally do this or be required to do this */
2615 if (s_ssl != NULL)
2616 {
2617 s_ssl->rbio=NULL;
2618 s_ssl->wbio=NULL;
2619 }
2620 if (c_ssl != NULL)
2621 {
2622 c_ssl->rbio=NULL;
2623 c_ssl->wbio=NULL;
2624 }
2625
2626 if (c_to_s != NULL) BIO_free(c_to_s);
2627 if (s_to_c != NULL) BIO_free(s_to_c);
2628 if (c_bio != NULL) BIO_free_all(c_bio);
2629 if (s_bio != NULL) BIO_free_all(s_bio);
2630
2631 if (cbuf) OPENSSL_free(cbuf);
2632 if (sbuf) OPENSSL_free(sbuf);
2633
2634 return(ret);
2635 }
2636
2637 static int get_proxy_auth_ex_data_idx(void)
2638 {
2639 static volatile int idx = -1;
2640 if (idx < 0)
2641 {
2642 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
2643 if (idx < 0)
2644 {
2645 idx = X509_STORE_CTX_get_ex_new_index(0,
2646 "SSLtest for verify callback", NULL,NULL,NULL);
2647 }
2648 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
2649 }
2650 return idx;
2651 }
2652
2653 static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
2654 {
2655 char *s,buf[256];
2656
2657 s=X509_NAME_oneline(X509_get_subject_name(ctx->current_cert),buf,
2658 sizeof buf);
2659 if (s != NULL)
2660 {
2661 if (ok)
2662 fprintf(stderr,"depth=%d %s\n",
2663 ctx->error_depth,buf);
2664 else
2665 {
2666 fprintf(stderr,"depth=%d error=%d %s\n",
2667 ctx->error_depth,ctx->error,buf);
2668 }
2669 }
2670
2671 if (ok == 0)
2672 {
2673 fprintf(stderr,"Error string: %s\n",
2674 X509_verify_cert_error_string(ctx->error));
2675 switch (ctx->error)
2676 {
2677 case X509_V_ERR_CERT_NOT_YET_VALID:
2678 case X509_V_ERR_CERT_HAS_EXPIRED:
2679 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
2680 fprintf(stderr," ... ignored.\n");
2681 ok=1;
2682 }
2683 }
2684
2685 if (ok == 1)
2686 {
2687 X509 *xs = ctx->current_cert;
2688 #if 0
2689 X509 *xi = ctx->current_issuer;
2690 #endif
2691
2692 if (xs->ex_flags & EXFLAG_PROXY)
2693 {
2694 unsigned int *letters =
2695 X509_STORE_CTX_get_ex_data(ctx,
2696 get_proxy_auth_ex_data_idx());
2697
2698 if (letters)
2699 {
2700 int found_any = 0;
2701 int i;
2702 PROXY_CERT_INFO_EXTENSION *pci =
2703 X509_get_ext_d2i(xs, NID_proxyCertInfo,
2704 NULL, NULL);
2705
2706 switch (OBJ_obj2nid(pci->proxyPolicy->policyLanguage))
2707 {
2708 case NID_Independent:
2709 /* Completely meaningless in this
2710 program, as there's no way to
2711 grant explicit rights to a
2712 specific PrC. Basically, using
2713 id-ppl-Independent is the perfect
2714 way to grant no rights at all. */
2715 fprintf(stderr, " Independent proxy certificate");
2716 for (i = 0; i < 26; i++)
2717 letters[i] = 0;
2718 break;
2719 case NID_id_ppl_inheritAll:
2720 /* This is basically a NOP, we
2721 simply let the current rights
2722 stand as they are. */
2723 fprintf(stderr, " Proxy certificate inherits all");
2724 break;
2725 default:
2726 s = (char *)
2727 pci->proxyPolicy->policy->data;
2728 i = pci->proxyPolicy->policy->length;
2729
2730 /* The algorithm works as follows:
2731 it is assumed that previous
2732 iterations or the initial granted
2733 rights has already set some elements
2734 of `letters'. What we need to do is
2735 to clear those that weren't granted
2736 by the current PrC as well. The
2737 easiest way to do this is to add 1
2738 to all the elements whose letters
2739 are given with the current policy.
2740 That way, all elements that are set
2741 by the current policy and were
2742 already set by earlier policies and
2743 through the original grant of rights
2744 will get the value 2 or higher.
2745 The last thing to do is to sweep
2746 through `letters' and keep the
2747 elements having the value 2 as set,
2748 and clear all the others. */
2749
2750 fprintf(stderr, " Certificate proxy rights = %*.*s", i, i, s);
2751 while(i-- > 0)
2752 {
2753 int c = *s++;
2754 if (isascii(c) && isalpha(c))
2755 {
2756 if (islower(c))
2757 c = toupper(c);
2758 letters[c - 'A']++;
2759 }
2760 }
2761 for (i = 0; i < 26; i++)
2762 if (letters[i] < 2)
2763 letters[i] = 0;
2764 else
2765 letters[i] = 1;
2766 }
2767
2768 found_any = 0;
2769 fprintf(stderr,
2770 ", resulting proxy rights = ");
2771 for(i = 0; i < 26; i++)
2772 if (letters[i])
2773 {
2774 fprintf(stderr, "%c", i + 'A');
2775 found_any = 1;
2776 }
2777 if (!found_any)
2778 fprintf(stderr, "none");
2779 fprintf(stderr, "\n");
2780
2781 PROXY_CERT_INFO_EXTENSION_free(pci);
2782 }
2783 }
2784 }
2785
2786 return(ok);
2787 }
2788
2789 static void process_proxy_debug(int indent, const char *format, ...)
2790 {
2791 static const char indentation[] =
2792 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
2793 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"; /* That's 80 > */
2794 char my_format[256];
2795 va_list args;
2796
2797 BIO_snprintf(my_format, sizeof(my_format), "%*.*s %s",
2798 indent, indent, indentation, format);
2799
2800 va_start(args, format);
2801 vfprintf(stderr, my_format, args);
2802 va_end(args);
2803 }
2804 /*-
2805 * Priority levels:
2806 * 0 [!]var, ()
2807 * 1 & ^
2808 * 2 |
2809 */
2810 static int process_proxy_cond_adders(unsigned int letters[26],
2811 const char *cond, const char **cond_end, int *pos, int indent);
2812 static int process_proxy_cond_val(unsigned int letters[26],
2813 const char *cond, const char **cond_end, int *pos, int indent)
2814 {
2815 int c;
2816 int ok = 1;
2817 int negate = 0;
2818
2819 while(isspace((int)*cond))
2820 {
2821 cond++; (*pos)++;
2822 }
2823 c = *cond;
2824
2825 if (debug)
2826 process_proxy_debug(indent,
2827 "Start process_proxy_cond_val at position %d: %s\n",
2828 *pos, cond);
2829
2830 while(c == '!')
2831 {
2832 negate = !negate;
2833 cond++; (*pos)++;
2834 while(isspace((int)*cond))
2835 {
2836 cond++; (*pos)++;
2837 }
2838 c = *cond;
2839 }
2840
2841 if (c == '(')
2842 {
2843 cond++; (*pos)++;
2844 ok = process_proxy_cond_adders(letters, cond, cond_end, pos,
2845 indent + 1);
2846 cond = *cond_end;
2847 if (ok < 0)
2848 goto end;
2849 while(isspace((int)*cond))
2850 {
2851 cond++; (*pos)++;
2852 }
2853 c = *cond;
2854 if (c != ')')
2855 {
2856 fprintf(stderr,
2857 "Weird condition character in position %d: "
2858 "%c\n", *pos, c);
2859 ok = -1;
2860 goto end;
2861 }
2862 cond++; (*pos)++;
2863 }
2864 else if (isascii(c) && isalpha(c))
2865 {
2866 if (islower(c))
2867 c = toupper(c);
2868 ok = letters[c - 'A'];
2869 cond++; (*pos)++;
2870 }
2871 else
2872 {
2873 fprintf(stderr,
2874 "Weird condition character in position %d: "
2875 "%c\n", *pos, c);
2876 ok = -1;
2877 goto end;
2878 }
2879 end:
2880 *cond_end = cond;
2881 if (ok >= 0 && negate)
2882 ok = !ok;
2883
2884 if (debug)
2885 process_proxy_debug(indent,
2886 "End process_proxy_cond_val at position %d: %s, returning %d\n",
2887 *pos, cond, ok);
2888
2889 return ok;
2890 }
2891 static int process_proxy_cond_multipliers(unsigned int letters[26],
2892 const char *cond, const char **cond_end, int *pos, int indent)
2893 {
2894 int ok;
2895 char c;
2896
2897 if (debug)
2898 process_proxy_debug(indent,
2899 "Start process_proxy_cond_multipliers at position %d: %s\n",
2900 *pos, cond);
2901
2902 ok = process_proxy_cond_val(letters, cond, cond_end, pos, indent + 1);
2903 cond = *cond_end;
2904 if (ok < 0)
2905 goto end;
2906
2907 while(ok >= 0)
2908 {
2909 while(isspace((int)*cond))
2910 {
2911 cond++; (*pos)++;
2912 }
2913 c = *cond;
2914
2915 switch(c)
2916 {
2917 case '&':
2918 case '^':
2919 {
2920 int save_ok = ok;
2921
2922 cond++; (*pos)++;
2923 ok = process_proxy_cond_val(letters,
2924 cond, cond_end, pos, indent + 1);
2925 cond = *cond_end;
2926 if (ok < 0)
2927 break;
2928
2929 switch(c)
2930 {
2931 case '&':
2932 ok &= save_ok;
2933 break;
2934 case '^':
2935 ok ^= save_ok;
2936 break;
2937 default:
2938 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
2939 " STOPPING\n");
2940 EXIT(1);
2941 }
2942 }
2943 break;
2944 default:
2945 goto end;
2946 }
2947 }
2948 end:
2949 if (debug)
2950 process_proxy_debug(indent,
2951 "End process_proxy_cond_multipliers at position %d: %s, returning %d\n",
2952 *pos, cond, ok);
2953
2954 *cond_end = cond;
2955 return ok;
2956 }
2957 static int process_proxy_cond_adders(unsigned int letters[26],
2958 const char *cond, const char **cond_end, int *pos, int indent)
2959 {
2960 int ok;
2961 char c;
2962
2963 if (debug)
2964 process_proxy_debug(indent,
2965 "Start process_proxy_cond_adders at position %d: %s\n",
2966 *pos, cond);
2967
2968 ok = process_proxy_cond_multipliers(letters, cond, cond_end, pos,
2969 indent + 1);
2970 cond = *cond_end;
2971 if (ok < 0)
2972 goto end;
2973
2974 while(ok >= 0)
2975 {
2976 while(isspace((int)*cond))
2977 {
2978 cond++; (*pos)++;
2979 }
2980 c = *cond;
2981
2982 switch(c)
2983 {
2984 case '|':
2985 {
2986 int save_ok = ok;
2987
2988 cond++; (*pos)++;
2989 ok = process_proxy_cond_multipliers(letters,
2990 cond, cond_end, pos, indent + 1);
2991 cond = *cond_end;
2992 if (ok < 0)
2993 break;
2994
2995 switch(c)
2996 {
2997 case '|':
2998 ok |= save_ok;
2999 break;
3000 default:
3001 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
3002 " STOPPING\n");
3003 EXIT(1);
3004 }
3005 }
3006 break;
3007 default:
3008 goto end;
3009 }
3010 }
3011 end:
3012 if (debug)
3013 process_proxy_debug(indent,
3014 "End process_proxy_cond_adders at position %d: %s, returning %d\n",
3015 *pos, cond, ok);
3016
3017 *cond_end = cond;
3018 return ok;
3019 }
3020
3021 static int process_proxy_cond(unsigned int letters[26],
3022 const char *cond, const char **cond_end)
3023 {
3024 int pos = 1;
3025 return process_proxy_cond_adders(letters, cond, cond_end, &pos, 1);
3026 }
3027
3028 static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg)
3029 {
3030 int ok=1;
3031 struct app_verify_arg *cb_arg = arg;
3032 unsigned int letters[26]; /* only used with proxy_auth */
3033
3034 if (cb_arg->app_verify)
3035 {
3036 char *s = NULL,buf[256];
3037
3038 fprintf(stderr, "In app_verify_callback, allowing cert. ");
3039 fprintf(stderr, "Arg is: %s\n", cb_arg->string);
3040 fprintf(stderr, "Finished printing do we have a context? 0x%p a cert? 0x%p\n",
3041 (void *)ctx, (void *)ctx->cert);
3042 if (ctx->cert)
3043 s=X509_NAME_oneline(X509_get_subject_name(ctx->cert),buf,256);
3044 if (s != NULL)
3045 {
3046 fprintf(stderr,"cert depth=%d %s\n",ctx->error_depth,buf);
3047 }
3048 return(1);
3049 }
3050 if (cb_arg->proxy_auth)
3051 {
3052 int found_any = 0, i;
3053 char *sp;
3054
3055 for(i = 0; i < 26; i++)
3056 letters[i] = 0;
3057 for(sp = cb_arg->proxy_auth; *sp; sp++)
3058 {
3059 int c = *sp;
3060 if (isascii(c) && isalpha(c))
3061 {
3062 if (islower(c))
3063 c = toupper(c);
3064 letters[c - 'A'] = 1;
3065 }
3066 }
3067
3068 fprintf(stderr,
3069 " Initial proxy rights = ");
3070 for(i = 0; i < 26; i++)
3071 if (letters[i])
3072 {
3073 fprintf(stderr, "%c", i + 'A');
3074 found_any = 1;
3075 }
3076 if (!found_any)
3077 fprintf(stderr, "none");
3078 fprintf(stderr, "\n");
3079
3080 X509_STORE_CTX_set_ex_data(ctx,
3081 get_proxy_auth_ex_data_idx(),letters);
3082 }
3083 if (cb_arg->allow_proxy_certs)
3084 {
3085 X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
3086 }
3087
3088 #ifndef OPENSSL_NO_X509_VERIFY
3089 ok = X509_verify_cert(ctx);
3090 #endif
3091
3092 if (cb_arg->proxy_auth)
3093 {
3094 if (ok > 0)
3095 {
3096 const char *cond_end = NULL;
3097
3098 ok = process_proxy_cond(letters,
3099 cb_arg->proxy_cond, &cond_end);
3100
3101 if (ok < 0)
3102 EXIT(3);
3103 if (*cond_end)
3104 {
3105 fprintf(stderr, "Stopped processing condition before it's end.\n");
3106 ok = 0;
3107 }
3108 if (!ok)
3109 fprintf(stderr, "Proxy rights check with condition '%s' proved invalid\n",
3110 cb_arg->proxy_cond);
3111 else
3112 fprintf(stderr, "Proxy rights check with condition '%s' proved valid\n",
3113 cb_arg->proxy_cond);
3114 }
3115 }
3116 return(ok);
3117 }
3118
3119 #ifndef OPENSSL_NO_RSA
3120 static RSA *rsa_tmp=NULL;
3121
3122 static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength)
3123 {
3124 BIGNUM *bn = NULL;
3125 if (rsa_tmp == NULL)
3126 {
3127 bn = BN_new();
3128 rsa_tmp = RSA_new();
3129 if(!bn || !rsa_tmp || !BN_set_word(bn, RSA_F4))
3130 {
3131 BIO_printf(bio_err, "Memory error...");
3132 goto end;
3133 }
3134 BIO_printf(bio_err,"Generating temp (%d bit) RSA key...",keylength);
3135 (void)BIO_flush(bio_err);
3136 if(!RSA_generate_key_ex(rsa_tmp,keylength,bn,NULL))
3137 {
3138 BIO_printf(bio_err, "Error generating key.");
3139 RSA_free(rsa_tmp);
3140 rsa_tmp = NULL;
3141 }
3142 end:
3143 BIO_printf(bio_err,"\n");
3144 (void)BIO_flush(bio_err);
3145 }
3146 if(bn) BN_free(bn);
3147 return(rsa_tmp);
3148 }
3149
3150 static void free_tmp_rsa(void)
3151 {
3152 if (rsa_tmp != NULL)
3153 {
3154 RSA_free(rsa_tmp);
3155 rsa_tmp = NULL;
3156 }
3157 }
3158 #endif
3159
3160 #ifndef OPENSSL_NO_DH
3161 /*-
3162 * These DH parameters have been generated as follows:
3163 * $ openssl dhparam -C -noout 512
3164 * $ openssl dhparam -C -noout 1024
3165 * $ openssl dhparam -C -noout -dsaparam 1024
3166 * (The third function has been renamed to avoid name conflicts.)
3167 */
3168 static DH *get_dh512()
3169 {
3170 static unsigned char dh512_p[]={
3171 0xCB,0xC8,0xE1,0x86,0xD0,0x1F,0x94,0x17,0xA6,0x99,0xF0,0xC6,
3172 0x1F,0x0D,0xAC,0xB6,0x25,0x3E,0x06,0x39,0xCA,0x72,0x04,0xB0,
3173 0x6E,0xDA,0xC0,0x61,0xE6,0x7A,0x77,0x25,0xE8,0x3B,0xB9,0x5F,
3174 0x9A,0xB6,0xB5,0xFE,0x99,0x0B,0xA1,0x93,0x4E,0x35,0x33,0xB8,
3175 0xE1,0xF1,0x13,0x4F,0x59,0x1A,0xD2,0x57,0xC0,0x26,0x21,0x33,
3176 0x02,0xC5,0xAE,0x23,
3177 };
3178 static unsigned char dh512_g[]={
3179 0x02,
3180 };
3181 DH *dh;
3182
3183 if ((dh=DH_new()) == NULL) return(NULL);
3184 dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
3185 dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
3186 if ((dh->p == NULL) || (dh->g == NULL))
3187 { DH_free(dh); return(NULL); }
3188 return(dh);
3189 }
3190
3191 static DH *get_dh1024()
3192 {
3193 static unsigned char dh1024_p[]={
3194 0xF8,0x81,0x89,0x7D,0x14,0x24,0xC5,0xD1,0xE6,0xF7,0xBF,0x3A,
3195 0xE4,0x90,0xF4,0xFC,0x73,0xFB,0x34,0xB5,0xFA,0x4C,0x56,0xA2,
3196 0xEA,0xA7,0xE9,0xC0,0xC0,0xCE,0x89,0xE1,0xFA,0x63,0x3F,0xB0,
3197 0x6B,0x32,0x66,0xF1,0xD1,0x7B,0xB0,0x00,0x8F,0xCA,0x87,0xC2,
3198 0xAE,0x98,0x89,0x26,0x17,0xC2,0x05,0xD2,0xEC,0x08,0xD0,0x8C,
3199 0xFF,0x17,0x52,0x8C,0xC5,0x07,0x93,0x03,0xB1,0xF6,0x2F,0xB8,
3200 0x1C,0x52,0x47,0x27,0x1B,0xDB,0xD1,0x8D,0x9D,0x69,0x1D,0x52,
3201 0x4B,0x32,0x81,0xAA,0x7F,0x00,0xC8,0xDC,0xE6,0xD9,0xCC,0xC1,
3202 0x11,0x2D,0x37,0x34,0x6C,0xEA,0x02,0x97,0x4B,0x0E,0xBB,0xB1,
3203 0x71,0x33,0x09,0x15,0xFD,0xDD,0x23,0x87,0x07,0x5E,0x89,0xAB,
3204 0x6B,0x7C,0x5F,0xEC,0xA6,0x24,0xDC,0x53,
3205 };
3206 static unsigned char dh1024_g[]={
3207 0x02,
3208 };
3209 DH *dh;
3210
3211 if ((dh=DH_new()) == NULL) return(NULL);
3212 dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
3213 dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
3214 if ((dh->p == NULL) || (dh->g == NULL))
3215 { DH_free(dh); return(NULL); }
3216 return(dh);
3217 }
3218
3219 static DH *get_dh1024dsa()
3220 {
3221 static unsigned char dh1024_p[]={
3222 0xC8,0x00,0xF7,0x08,0x07,0x89,0x4D,0x90,0x53,0xF3,0xD5,0x00,
3223 0x21,0x1B,0xF7,0x31,0xA6,0xA2,0xDA,0x23,0x9A,0xC7,0x87,0x19,
3224 0x3B,0x47,0xB6,0x8C,0x04,0x6F,0xFF,0xC6,0x9B,0xB8,0x65,0xD2,
3225 0xC2,0x5F,0x31,0x83,0x4A,0xA7,0x5F,0x2F,0x88,0x38,0xB6,0x55,
3226 0xCF,0xD9,0x87,0x6D,0x6F,0x9F,0xDA,0xAC,0xA6,0x48,0xAF,0xFC,
3227 0x33,0x84,0x37,0x5B,0x82,0x4A,0x31,0x5D,0xE7,0xBD,0x52,0x97,
3228 0xA1,0x77,0xBF,0x10,0x9E,0x37,0xEA,0x64,0xFA,0xCA,0x28,0x8D,
3229 0x9D,0x3B,0xD2,0x6E,0x09,0x5C,0x68,0xC7,0x45,0x90,0xFD,0xBB,
3230 0x70,0xC9,0x3A,0xBB,0xDF,0xD4,0x21,0x0F,0xC4,0x6A,0x3C,0xF6,
3231 0x61,0xCF,0x3F,0xD6,0x13,0xF1,0x5F,0xBC,0xCF,0xBC,0x26,0x9E,
3232 0xBC,0x0B,0xBD,0xAB,0x5D,0xC9,0x54,0x39,
3233 };
3234 static unsigned char dh1024_g[]={
3235 0x3B,0x40,0x86,0xE7,0xF3,0x6C,0xDE,0x67,0x1C,0xCC,0x80,0x05,
3236 0x5A,0xDF,0xFE,0xBD,0x20,0x27,0x74,0x6C,0x24,0xC9,0x03,0xF3,
3237 0xE1,0x8D,0xC3,0x7D,0x98,0x27,0x40,0x08,0xB8,0x8C,0x6A,0xE9,
3238 0xBB,0x1A,0x3A,0xD6,0x86,0x83,0x5E,0x72,0x41,0xCE,0x85,0x3C,
3239 0xD2,0xB3,0xFC,0x13,0xCE,0x37,0x81,0x9E,0x4C,0x1C,0x7B,0x65,
3240 0xD3,0xE6,0xA6,0x00,0xF5,0x5A,0x95,0x43,0x5E,0x81,0xCF,0x60,
3241 0xA2,0x23,0xFC,0x36,0xA7,0x5D,0x7A,0x4C,0x06,0x91,0x6E,0xF6,
3242 0x57,0xEE,0x36,0xCB,0x06,0xEA,0xF5,0x3D,0x95,0x49,0xCB,0xA7,
3243 0xDD,0x81,0xDF,0x80,0x09,0x4A,0x97,0x4D,0xA8,0x22,0x72,0xA1,
3244 0x7F,0xC4,0x70,0x56,0x70,0xE8,0x20,0x10,0x18,0x8F,0x2E,0x60,
3245 0x07,0xE7,0x68,0x1A,0x82,0x5D,0x32,0xA2,
3246 };
3247 DH *dh;
3248
3249 if ((dh=DH_new()) == NULL) return(NULL);
3250 dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
3251 dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
3252 if ((dh->p == NULL) || (dh->g == NULL))
3253 { DH_free(dh); return(NULL); }
3254 dh->length = 160;
3255 return(dh);
3256 }
3257 #endif
3258
3259 #ifndef OPENSSL_NO_PSK
3260 /* convert the PSK key (psk_key) in ascii to binary (psk) */
3261 static int psk_key2bn(const char *pskkey, unsigned char *psk,
3262 unsigned int max_psk_len)
3263 {
3264 int ret;
3265 BIGNUM *bn = NULL;
3266
3267 ret = BN_hex2bn(&bn, pskkey);
3268 if (!ret)
3269 {
3270 BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", pskkey);
3271 if (bn)
3272 BN_free(bn);
3273 return 0;
3274 }
3275 if (BN_num_bytes(bn) > (int)max_psk_len)
3276 {
3277 BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n",
3278 max_psk_len, BN_num_bytes(bn));
3279 BN_free(bn);
3280 return 0;
3281 }
3282 ret = BN_bn2bin(bn, psk);
3283 BN_free(bn);
3284 return ret;
3285 }
3286
3287 static unsigned int psk_client_callback(SSL *ssl, const char *hint, char *identity,
3288 unsigned int max_identity_len, unsigned char *psk,
3289 unsigned int max_psk_len)
3290 {
3291 int ret;
3292 unsigned int psk_len = 0;
3293
3294 ret = BIO_snprintf(identity, max_identity_len, "Client_identity");
3295 if (ret < 0)
3296 goto out_err;
3297 if (debug)
3298 fprintf(stderr, "client: created identity '%s' len=%d\n", identity, ret);
3299 ret = psk_key2bn(psk_key, psk, max_psk_len);
3300 if (ret < 0)
3301 goto out_err;
3302 psk_len = ret;
3303 out_err:
3304 return psk_len;
3305 }
3306
3307 static unsigned int psk_server_callback(SSL *ssl, const char *identity,
3308 unsigned char *psk, unsigned int max_psk_len)
3309 {
3310 unsigned int psk_len=0;
3311
3312 if (strcmp(identity, "Client_identity") != 0)
3313 {
3314 BIO_printf(bio_err, "server: PSK error: client identity not found\n");
3315 return 0;
3316 }
3317 psk_len=psk_key2bn(psk_key, psk, max_psk_len);
3318 return psk_len;
3319 }
3320 #endif
3321
3322 static int do_test_cipherlist(void)
3323 {
3324 int i = 0;
3325 const SSL_METHOD *meth;
3326 const SSL_CIPHER *ci, *tci = NULL;
3327
3328 #ifndef OPENSSL_NO_SSL3
3329 fprintf(stderr, "testing SSLv3 cipher list order: ");
3330 meth = SSLv3_method();
3331 tci = NULL;
3332 while ((ci = meth->get_cipher(i++)) != NULL)
3333 {
3334 if (tci != NULL)
3335 if (ci->id >= tci->id)
3336 {
3337 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
3338 return 0;
3339 }
3340 tci = ci;
3341 }
3342 fprintf(stderr, "ok\n");
3343 #endif
3344 #ifndef OPENSSL_NO_TLS1
3345 fprintf(stderr, "testing TLSv1 cipher list order: ");
3346 meth = TLSv1_method();
3347 tci = NULL;
3348 while ((ci = meth->get_cipher(i++)) != NULL)
3349 {
3350 if (tci != NULL)
3351 if (ci->id >= tci->id)
3352 {
3353 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
3354 return 0;
3355 }
3356 tci = ci;
3357 }
3358 fprintf(stderr, "ok\n");
3359 #endif
3360
3361 return 1;
3362 }
A mirror of the official openssl repository