]> git.ipfire.org Git - thirdparty/openssl.git/blob - ssl/ssltest.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Fix source where indent will not be able to cope
[thirdparty/openssl.git] / ssl / ssltest.c
1 /* ssl/ssltest.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58 /* ====================================================================
59 * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111 /* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 * ECC cipher suite support in OpenSSL originally developed by
114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
115 */
116
117 #define _BSD_SOURCE 1 /* Or gethostname won't be declared properly
118 on Linux and GNU platforms. */
119
120 #include <assert.h>
121 #include <errno.h>
122 #include <limits.h>
123 #include <stdio.h>
124 #include <stdlib.h>
125 #include <string.h>
126 #include <time.h>
127
128 #define USE_SOCKETS
129 #include "e_os.h"
130
131 #define _XOPEN_SOURCE 500 /* Or isascii won't be declared properly on
132 VMS (at least with DECompHP C). */
133 #include <ctype.h>
134
135 #include <openssl/bio.h>
136 #include <openssl/crypto.h>
137 #include <openssl/evp.h>
138 #include <openssl/x509.h>
139 #include <openssl/x509v3.h>
140 #include <openssl/ssl.h>
141 #ifndef OPENSSL_NO_ENGINE
142 #include <openssl/engine.h>
143 #endif
144 #include <openssl/err.h>
145 #include <openssl/rand.h>
146 #ifndef OPENSSL_NO_RSA
147 #include <openssl/rsa.h>
148 #endif
149 #ifndef OPENSSL_NO_DSA
150 #include <openssl/dsa.h>
151 #endif
152 #ifndef OPENSSL_NO_DH
153 #include <openssl/dh.h>
154 #endif
155 #include <openssl/bn.h>
156
157 #define _XOPEN_SOURCE_EXTENDED 1 /* Or gethostname won't be declared properly
158 on Compaq platforms (at least with DEC C).
159 Do not try to put it earlier, or IPv6 includes
160 get screwed...
161 */
162
163 #ifdef OPENSSL_SYS_WINDOWS
164 #include <winsock.h>
165 #else
166 #include OPENSSL_UNISTD
167 #endif
168
169 #ifdef OPENSSL_SYS_VMS
170 # define TEST_SERVER_CERT "SYS$DISK:[-.APPS]SERVER.PEM"
171 # define TEST_CLIENT_CERT "SYS$DISK:[-.APPS]CLIENT.PEM"
172 #elif defined(OPENSSL_SYS_WINCE)
173 # define TEST_SERVER_CERT "\\OpenSSL\\server.pem"
174 # define TEST_CLIENT_CERT "\\OpenSSL\\client.pem"
175 #elif defined(OPENSSL_SYS_NETWARE)
176 # define TEST_SERVER_CERT "\\openssl\\apps\\server.pem"
177 # define TEST_CLIENT_CERT "\\openssl\\apps\\client.pem"
178 #else
179 # define TEST_SERVER_CERT "../apps/server.pem"
180 # define TEST_CLIENT_CERT "../apps/client.pem"
181 #endif
182
183 /* There is really no standard for this, so let's assign some tentative
184 numbers. In any case, these numbers are only for this test */
185 #define COMP_RLE 255
186 #define COMP_ZLIB 1
187
188 static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
189 #ifndef OPENSSL_NO_RSA
190 static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export,int keylength);
191 static void free_tmp_rsa(void);
192 #endif
193 static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg);
194 #define APP_CALLBACK_STRING "Test Callback Argument"
195 struct app_verify_arg
196 {
197 char *string;
198 int app_verify;
199 int allow_proxy_certs;
200 char *proxy_auth;
201 char *proxy_cond;
202 };
203
204 #ifndef OPENSSL_NO_DH
205 static DH *get_dh512(void);
206 static DH *get_dh1024(void);
207 static DH *get_dh1024dsa(void);
208 #endif
209
210 static BIO *bio_err=NULL;
211 static BIO *bio_stdout=NULL;
212
213 static char *cipher=NULL;
214 static int verbose=0;
215 static int debug=0;
216 #if 0
217 /* Not used yet. */
218 #ifdef FIONBIO
219 static int s_nbio=0;
220 #endif
221 #endif
222
223 static const char rnd_seed[] = "string to make the random number generator think it has entropy";
224
225 int doit_biopair(SSL *s_ssl,SSL *c_ssl,long bytes,clock_t *s_time,clock_t *c_time);
226 int doit(SSL *s_ssl,SSL *c_ssl,long bytes);
227 static int do_test_cipherlist(void);
228 static void sv_usage(void)
229 {
230 fprintf(stderr,"usage: ssltest [args ...]\n");
231 fprintf(stderr,"\n");
232 #ifdef OPENSSL_FIPS
233 fprintf(stderr,"-F - run test in FIPS mode\n");
234 #endif
235 fprintf(stderr," -server_auth - check server certificate\n");
236 fprintf(stderr," -client_auth - do client authentication\n");
237 fprintf(stderr," -proxy - allow proxy certificates\n");
238 fprintf(stderr," -proxy_auth <val> - set proxy policy rights\n");
239 fprintf(stderr," -proxy_cond <val> - experssion to test proxy policy rights\n");
240 fprintf(stderr," -v - more output\n");
241 fprintf(stderr," -d - debug output\n");
242 fprintf(stderr," -reuse - use session-id reuse\n");
243 fprintf(stderr," -num <val> - number of connections to perform\n");
244 fprintf(stderr," -bytes <val> - number of bytes to swap between client/server\n");
245 #ifndef OPENSSL_NO_DH
246 fprintf(stderr," -dhe1024 - use 1024 bit key (safe prime) for DHE\n");
247 fprintf(stderr," -dhe1024dsa - use 1024 bit key (with 160-bit subprime) for DHE\n");
248 fprintf(stderr," -no_dhe - disable DHE\n");
249 #endif
250 #ifndef OPENSSL_NO_ECDH
251 fprintf(stderr," -no_ecdhe - disable ECDHE\n");
252 #endif
253 #ifndef OPENSSL_NO_SSL2
254 fprintf(stderr," -ssl2 - use SSLv2\n");
255 #endif
256 #ifndef OPENSSL_NO_SSL3
257 fprintf(stderr," -ssl3 - use SSLv3\n");
258 #endif
259 #ifndef OPENSSL_NO_TLS1
260 fprintf(stderr," -tls1 - use TLSv1\n");
261 #endif
262 fprintf(stderr," -CApath arg - PEM format directory of CA's\n");
263 fprintf(stderr," -CAfile arg - PEM format file of CA's\n");
264 fprintf(stderr," -cert arg - Server certificate file\n");
265 fprintf(stderr," -key arg - Server key file (default: same as -cert)\n");
266 fprintf(stderr," -c_cert arg - Client certificate file\n");
267 fprintf(stderr," -c_key arg - Client key file (default: same as -c_cert)\n");
268 fprintf(stderr," -cipher arg - The cipher list\n");
269 fprintf(stderr," -bio_pair - Use BIO pairs\n");
270 fprintf(stderr," -f - Test even cases that can't work\n");
271 fprintf(stderr," -time - measure processor time used by client and server\n");
272 fprintf(stderr," -zlib - use zlib compression\n");
273 fprintf(stderr," -rle - use rle compression\n");
274 #ifndef OPENSSL_NO_ECDH
275 fprintf(stderr," -named_curve arg - Elliptic curve name to use for ephemeral ECDH keys.\n" \
276 " Use \"openssl ecparam -list_curves\" for all names\n" \
277 " (default is sect163r2).\n");
278 #endif
279 fprintf(stderr," -test_cipherlist - verifies the order of the ssl cipher lists\n");
280 }
281
282 static void print_details(SSL *c_ssl, const char *prefix)
283 {
284 SSL_CIPHER *ciph;
285 X509 *cert;
286
287 ciph=SSL_get_current_cipher(c_ssl);
288 BIO_printf(bio_stdout,"%s%s, cipher %s %s",
289 prefix,
290 SSL_get_version(c_ssl),
291 SSL_CIPHER_get_version(ciph),
292 SSL_CIPHER_get_name(ciph));
293 cert=SSL_get_peer_certificate(c_ssl);
294 if (cert != NULL)
295 {
296 EVP_PKEY *pkey = X509_get_pubkey(cert);
297 if (pkey != NULL)
298 {
299 if (0)
300 ;
301 #ifndef OPENSSL_NO_RSA
302 else if (pkey->type == EVP_PKEY_RSA && pkey->pkey.rsa != NULL
303 && pkey->pkey.rsa->n != NULL)
304 {
305 BIO_printf(bio_stdout, ", %d bit RSA",
306 BN_num_bits(pkey->pkey.rsa->n));
307 }
308 #endif
309 #ifndef OPENSSL_NO_DSA
310 else if (pkey->type == EVP_PKEY_DSA && pkey->pkey.dsa != NULL
311 && pkey->pkey.dsa->p != NULL)
312 {
313 BIO_printf(bio_stdout, ", %d bit DSA",
314 BN_num_bits(pkey->pkey.dsa->p));
315 }
316 #endif
317 EVP_PKEY_free(pkey);
318 }
319 X509_free(cert);
320 }
321 /* The SSL API does not allow us to look at temporary RSA/DH keys,
322 * otherwise we should print their lengths too */
323 BIO_printf(bio_stdout,"\n");
324 }
325
326 static void lock_dbg_cb(int mode, int type, const char *file, int line)
327 {
328 static int modes[CRYPTO_NUM_LOCKS]; /* = {0, 0, ... } */
329 const char *errstr = NULL;
330 int rw;
331
332 rw = mode & (CRYPTO_READ|CRYPTO_WRITE);
333 if (!((rw == CRYPTO_READ) || (rw == CRYPTO_WRITE)))
334 {
335 errstr = "invalid mode";
336 goto err;
337 }
338
339 if (type < 0 || type >= CRYPTO_NUM_LOCKS)
340 {
341 errstr = "type out of bounds";
342 goto err;
343 }
344
345 if (mode & CRYPTO_LOCK)
346 {
347 if (modes[type])
348 {
349 errstr = "already locked";
350 /* must not happen in a single-threaded program
351 * (would deadlock) */
352 goto err;
353 }
354
355 modes[type] = rw;
356 }
357 else if (mode & CRYPTO_UNLOCK)
358 {
359 if (!modes[type])
360 {
361 errstr = "not locked";
362 goto err;
363 }
364
365 if (modes[type] != rw)
366 {
367 errstr = (rw == CRYPTO_READ) ?
368 "CRYPTO_r_unlock on write lock" :
369 "CRYPTO_w_unlock on read lock";
370 }
371
372 modes[type] = 0;
373 }
374 else
375 {
376 errstr = "invalid mode";
377 goto err;
378 }
379
380 err:
381 if (errstr)
382 {
383 /* we cannot use bio_err here */
384 fprintf(stderr, "openssl (lock_dbg_cb): %s (mode=%d, type=%d) at %s:%d\n",
385 errstr, mode, type, file, line);
386 }
387 }
388
389
390 int main(int argc, char *argv[])
391 {
392 char *CApath=NULL,*CAfile=NULL;
393 int badop=0;
394 int bio_pair=0;
395 int force=0;
396 int tls1=0,ssl2=0,ssl3=0,ret=1;
397 int client_auth=0;
398 int server_auth=0,i;
399 struct app_verify_arg app_verify_arg =
400 { APP_CALLBACK_STRING, 0, 0, NULL, NULL };
401 char *server_cert=TEST_SERVER_CERT;
402 char *server_key=NULL;
403 char *client_cert=TEST_CLIENT_CERT;
404 char *client_key=NULL;
405 #ifndef OPENSSL_NO_ECDH
406 char *named_curve = NULL;
407 #endif
408 SSL_CTX *s_ctx=NULL;
409 SSL_CTX *c_ctx=NULL;
410 SSL_METHOD *meth=NULL;
411 SSL *c_ssl,*s_ssl;
412 int number=1,reuse=0;
413 long bytes=256L;
414 #ifndef OPENSSL_NO_DH
415 DH *dh;
416 int dhe1024 = 1, dhe1024dsa = 0;
417 #endif
418 #ifndef OPENSSL_NO_ECDH
419 EC_KEY *ecdh = NULL;
420 #endif
421 int no_dhe = 0;
422 int no_ecdhe = 0;
423 int print_time = 0;
424 clock_t s_time = 0, c_time = 0;
425 int comp = 0;
426 #ifndef OPENSSL_NO_COMP
427 COMP_METHOD *cm = NULL;
428 #endif
429 STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
430 int test_cipherlist = 0;
431 #ifdef OPENSSL_FIPS
432 int fips_mode=0;
433 #endif
434
435 verbose = 0;
436 debug = 0;
437 cipher = 0;
438
439 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
440
441 CRYPTO_set_locking_callback(lock_dbg_cb);
442
443 /* enable memory leak checking unless explicitly disabled */
444 if (!((getenv("OPENSSL_DEBUG_MEMORY") != NULL) && (0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off"))))
445 {
446 CRYPTO_malloc_debug_init();
447 CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
448 }
449 else
450 {
451 /* OPENSSL_DEBUG_MEMORY=off */
452 CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0);
453 }
454 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
455
456 RAND_seed(rnd_seed, sizeof rnd_seed);
457
458 bio_stdout=BIO_new_fp(stdout,BIO_NOCLOSE);
459
460 argc--;
461 argv++;
462
463 while (argc >= 1)
464 {
465 if(!strcmp(*argv,"-F"))
466 {
467 #ifdef OPENSSL_FIPS
468 fips_mode=1;
469 #else
470 fprintf(stderr,"not compiled with FIPS support, so exitting without running.\n");
471 EXIT(0);
472 #endif
473 }
474 else if (strcmp(*argv,"-server_auth") == 0)
475 server_auth=1;
476 else if (strcmp(*argv,"-client_auth") == 0)
477 client_auth=1;
478 else if (strcmp(*argv,"-proxy_auth") == 0)
479 {
480 if (--argc < 1) goto bad;
481 app_verify_arg.proxy_auth= *(++argv);
482 }
483 else if (strcmp(*argv,"-proxy_cond") == 0)
484 {
485 if (--argc < 1) goto bad;
486 app_verify_arg.proxy_cond= *(++argv);
487 }
488 else if (strcmp(*argv,"-v") == 0)
489 verbose=1;
490 else if (strcmp(*argv,"-d") == 0)
491 debug=1;
492 else if (strcmp(*argv,"-reuse") == 0)
493 reuse=1;
494 else if (strcmp(*argv,"-dhe1024") == 0)
495 {
496 #ifndef OPENSSL_NO_DH
497 dhe1024=1;
498 #else
499 fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n");
500 #endif
501 }
502 else if (strcmp(*argv,"-dhe1024dsa") == 0)
503 {
504 #ifndef OPENSSL_NO_DH
505 dhe1024dsa=1;
506 #else
507 fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n");
508 #endif
509 }
510 else if (strcmp(*argv,"-no_dhe") == 0)
511 no_dhe=1;
512 else if (strcmp(*argv,"-no_ecdhe") == 0)
513 no_ecdhe=1;
514 else if (strcmp(*argv,"-ssl2") == 0)
515 ssl2=1;
516 else if (strcmp(*argv,"-tls1") == 0)
517 tls1=1;
518 else if (strcmp(*argv,"-ssl3") == 0)
519 ssl3=1;
520 else if (strncmp(*argv,"-num",4) == 0)
521 {
522 if (--argc < 1) goto bad;
523 number= atoi(*(++argv));
524 if (number == 0) number=1;
525 }
526 else if (strcmp(*argv,"-bytes") == 0)
527 {
528 if (--argc < 1) goto bad;
529 bytes= atol(*(++argv));
530 if (bytes == 0L) bytes=1L;
531 i=strlen(argv[0]);
532 if (argv[0][i-1] == 'k') bytes*=1024L;
533 if (argv[0][i-1] == 'm') bytes*=1024L*1024L;
534 }
535 else if (strcmp(*argv,"-cert") == 0)
536 {
537 if (--argc < 1) goto bad;
538 server_cert= *(++argv);
539 }
540 else if (strcmp(*argv,"-s_cert") == 0)
541 {
542 if (--argc < 1) goto bad;
543 server_cert= *(++argv);
544 }
545 else if (strcmp(*argv,"-key") == 0)
546 {
547 if (--argc < 1) goto bad;
548 server_key= *(++argv);
549 }
550 else if (strcmp(*argv,"-s_key") == 0)
551 {
552 if (--argc < 1) goto bad;
553 server_key= *(++argv);
554 }
555 else if (strcmp(*argv,"-c_cert") == 0)
556 {
557 if (--argc < 1) goto bad;
558 client_cert= *(++argv);
559 }
560 else if (strcmp(*argv,"-c_key") == 0)
561 {
562 if (--argc < 1) goto bad;
563 client_key= *(++argv);
564 }
565 else if (strcmp(*argv,"-cipher") == 0)
566 {
567 if (--argc < 1) goto bad;
568 cipher= *(++argv);
569 }
570 else if (strcmp(*argv,"-CApath") == 0)
571 {
572 if (--argc < 1) goto bad;
573 CApath= *(++argv);
574 }
575 else if (strcmp(*argv,"-CAfile") == 0)
576 {
577 if (--argc < 1) goto bad;
578 CAfile= *(++argv);
579 }
580 else if (strcmp(*argv,"-bio_pair") == 0)
581 {
582 bio_pair = 1;
583 }
584 else if (strcmp(*argv,"-f") == 0)
585 {
586 force = 1;
587 }
588 else if (strcmp(*argv,"-time") == 0)
589 {
590 print_time = 1;
591 }
592 else if (strcmp(*argv,"-zlib") == 0)
593 {
594 comp = COMP_ZLIB;
595 }
596 else if (strcmp(*argv,"-rle") == 0)
597 {
598 comp = COMP_RLE;
599 }
600 else if (strcmp(*argv,"-named_curve") == 0)
601 {
602 if (--argc < 1) goto bad;
603 #ifndef OPENSSL_NO_ECDH
604 named_curve = *(++argv);
605 #else
606 fprintf(stderr,"ignoring -named_curve, since I'm compiled without ECDH\n");
607 ++argv;
608 #endif
609 }
610 else if (strcmp(*argv,"-app_verify") == 0)
611 {
612 app_verify_arg.app_verify = 1;
613 }
614 else if (strcmp(*argv,"-proxy") == 0)
615 {
616 app_verify_arg.allow_proxy_certs = 1;
617 }
618 else if (strcmp(*argv,"-test_cipherlist") == 0)
619 {
620 test_cipherlist = 1;
621 }
622 else
623 {
624 fprintf(stderr,"unknown option %s\n",*argv);
625 badop=1;
626 break;
627 }
628 argc--;
629 argv++;
630 }
631 if (badop)
632 {
633 bad:
634 sv_usage();
635 goto end;
636 }
637
638 if (test_cipherlist == 1)
639 {
640 /* ensure that the cipher list are correctly sorted and exit */
641 if (do_test_cipherlist() == 0)
642 EXIT(1);
643 ret = 0;
644 goto end;
645 }
646
647 if (!ssl2 && !ssl3 && !tls1 && number > 1 && !reuse && !force)
648 {
649 fprintf(stderr, "This case cannot work. Use -f to perform "
650 "the test anyway (and\n-d to see what happens), "
651 "or add one of -ssl2, -ssl3, -tls1, -reuse\n"
652 "to avoid protocol mismatch.\n");
653 EXIT(1);
654 }
655
656 #ifdef OPENSSL_FIPS
657 if(fips_mode)
658 {
659 if(!FIPS_mode_set(1))
660 {
661 ERR_load_crypto_strings();
662 ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
663 EXIT(1);
664 }
665 else
666 fprintf(stderr,"*** IN FIPS MODE ***\n");
667 }
668 #endif
669
670 if (print_time)
671 {
672 if (!bio_pair)
673 {
674 fprintf(stderr, "Using BIO pair (-bio_pair)\n");
675 bio_pair = 1;
676 }
677 if (number < 50 && !force)
678 fprintf(stderr, "Warning: For accurate timings, use more connections (e.g. -num 1000)\n");
679 }
680
681 /* if (cipher == NULL) cipher=getenv("SSL_CIPHER"); */
682
683 SSL_library_init();
684 SSL_load_error_strings();
685
686 #ifndef OPENSSL_NO_COMP
687 if (comp == COMP_ZLIB) cm = COMP_zlib();
688 if (comp == COMP_RLE) cm = COMP_rle();
689 if (cm != NULL)
690 {
691 if (cm->type != NID_undef)
692 {
693 if (SSL_COMP_add_compression_method(comp, cm) != 0)
694 {
695 fprintf(stderr,
696 "Failed to add compression method\n");
697 ERR_print_errors_fp(stderr);
698 }
699 }
700 else
701 {
702 fprintf(stderr,
703 "Warning: %s compression not supported\n",
704 (comp == COMP_RLE ? "rle" :
705 (comp == COMP_ZLIB ? "zlib" :
706 "unknown")));
707 ERR_print_errors_fp(stderr);
708 }
709 }
710 ssl_comp_methods = SSL_COMP_get_compression_methods();
711 fprintf(stderr, "Available compression methods:\n");
712 {
713 int j, n = sk_SSL_COMP_num(ssl_comp_methods);
714 if (n == 0)
715 fprintf(stderr, " NONE\n");
716 else
717 for (j = 0; j < n; j++)
718 {
719 SSL_COMP *c = sk_SSL_COMP_value(ssl_comp_methods, j);
720 fprintf(stderr, " %d: %s\n", c->id, c->name);
721 }
722 }
723 #endif
724
725 #if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
726 if (ssl2)
727 meth=SSLv2_method();
728 else
729 if (tls1)
730 meth=TLSv1_method();
731 else
732 if (ssl3)
733 meth=SSLv3_method();
734 else
735 meth=SSLv23_method();
736 #else
737 #ifdef OPENSSL_NO_SSL2
738 if (tls1)
739 meth=TLSv1_method();
740 else
741 if (ssl3)
742 meth=SSLv3_method();
743 else
744 meth=SSLv23_method();
745 #else
746 meth=SSLv2_method();
747 #endif
748 #endif
749
750 c_ctx=SSL_CTX_new(meth);
751 s_ctx=SSL_CTX_new(meth);
752 if ((c_ctx == NULL) || (s_ctx == NULL))
753 {
754 ERR_print_errors(bio_err);
755 goto end;
756 }
757
758 if (cipher != NULL)
759 {
760 SSL_CTX_set_cipher_list(c_ctx,cipher);
761 SSL_CTX_set_cipher_list(s_ctx,cipher);
762 }
763
764 #ifndef OPENSSL_NO_DH
765 if (!no_dhe)
766 {
767 if (dhe1024dsa)
768 {
769 /* use SSL_OP_SINGLE_DH_USE to avoid small subgroup attacks */
770 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);
771 dh=get_dh1024dsa();
772 }
773 else if (dhe1024)
774 dh=get_dh1024();
775 else
776 dh=get_dh512();
777 SSL_CTX_set_tmp_dh(s_ctx,dh);
778 DH_free(dh);
779 }
780 #else
781 (void)no_dhe;
782 #endif
783
784 #ifndef OPENSSL_NO_ECDH
785 if (!no_ecdhe)
786 {
787 int nid;
788
789 if (named_curve != NULL)
790 {
791 nid = OBJ_sn2nid(named_curve);
792 if (nid == 0)
793 {
794 BIO_printf(bio_err, "unknown curve name (%s)\n", named_curve);
795 goto end;
796 }
797 }
798 else
799 nid = NID_sect163r2;
800
801 ecdh = EC_KEY_new_by_curve_name(nid);
802 if (ecdh == NULL)
803 {
804 BIO_printf(bio_err, "unable to create curve\n");
805 goto end;
806 }
807
808 SSL_CTX_set_tmp_ecdh(s_ctx, ecdh);
809 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_ECDH_USE);
810 EC_KEY_free(ecdh);
811 }
812 #else
813 (void)no_ecdhe;
814 #endif
815
816 #ifndef OPENSSL_NO_RSA
817 SSL_CTX_set_tmp_rsa_callback(s_ctx,tmp_rsa_cb);
818 #endif
819
820 if (!SSL_CTX_use_certificate_file(s_ctx,server_cert,SSL_FILETYPE_PEM))
821 {
822 ERR_print_errors(bio_err);
823 }
824 else if (!SSL_CTX_use_PrivateKey_file(s_ctx,
825 (server_key?server_key:server_cert), SSL_FILETYPE_PEM))
826 {
827 ERR_print_errors(bio_err);
828 goto end;
829 }
830
831 if (client_auth)
832 {
833 SSL_CTX_use_certificate_file(c_ctx,client_cert,
834 SSL_FILETYPE_PEM);
835 SSL_CTX_use_PrivateKey_file(c_ctx,
836 (client_key?client_key:client_cert),
837 SSL_FILETYPE_PEM);
838 }
839
840 if ( (!SSL_CTX_load_verify_locations(s_ctx,CAfile,CApath)) ||
841 (!SSL_CTX_set_default_verify_paths(s_ctx)) ||
842 (!SSL_CTX_load_verify_locations(c_ctx,CAfile,CApath)) ||
843 (!SSL_CTX_set_default_verify_paths(c_ctx)))
844 {
845 /* fprintf(stderr,"SSL_load_verify_locations\n"); */
846 ERR_print_errors(bio_err);
847 /* goto end; */
848 }
849
850 if (client_auth)
851 {
852 BIO_printf(bio_err,"client authentication\n");
853 SSL_CTX_set_verify(s_ctx,
854 SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
855 verify_callback);
856 SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, &app_verify_arg);
857 }
858 if (server_auth)
859 {
860 BIO_printf(bio_err,"server authentication\n");
861 SSL_CTX_set_verify(c_ctx,SSL_VERIFY_PEER,
862 verify_callback);
863 SSL_CTX_set_cert_verify_callback(c_ctx, app_verify_callback, &app_verify_arg);
864 }
865
866 {
867 int session_id_context = 0;
868 SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context, sizeof session_id_context);
869 }
870
871 c_ssl=SSL_new(c_ctx);
872 s_ssl=SSL_new(s_ctx);
873
874 #ifndef OPENSSL_NO_KRB5
875 if (c_ssl && c_ssl->kssl_ctx)
876 {
877 char localhost[MAXHOSTNAMELEN+2];
878
879 if (gethostname(localhost, sizeof localhost-1) == 0)
880 {
881 localhost[sizeof localhost-1]='\0';
882 if(strlen(localhost) == sizeof localhost-1)
883 {
884 BIO_printf(bio_err,"localhost name too long\n");
885 goto end;
886 }
887 kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER,
888 localhost);
889 }
890 }
891 #endif /* OPENSSL_NO_KRB5 */
892
893 for (i=0; i<number; i++)
894 {
895 if (!reuse) SSL_set_session(c_ssl,NULL);
896 if (bio_pair)
897 ret=doit_biopair(s_ssl,c_ssl,bytes,&s_time,&c_time);
898 else
899 ret=doit(s_ssl,c_ssl,bytes);
900 }
901
902 if (!verbose)
903 {
904 print_details(c_ssl, "");
905 }
906 if ((number > 1) || (bytes > 1L))
907 BIO_printf(bio_stdout, "%d handshakes of %ld bytes done\n",number,bytes);
908 if (print_time)
909 {
910 #ifdef CLOCKS_PER_SEC
911 /* "To determine the time in seconds, the value returned
912 * by the clock function should be divided by the value
913 * of the macro CLOCKS_PER_SEC."
914 * -- ISO/IEC 9899 */
915 BIO_printf(bio_stdout, "Approximate total server time: %6.2f s\n"
916 "Approximate total client time: %6.2f s\n",
917 (double)s_time/CLOCKS_PER_SEC,
918 (double)c_time/CLOCKS_PER_SEC);
919 #else
920 /* "`CLOCKS_PER_SEC' undeclared (first use this function)"
921 * -- cc on NeXTstep/OpenStep */
922 BIO_printf(bio_stdout,
923 "Approximate total server time: %6.2f units\n"
924 "Approximate total client time: %6.2f units\n",
925 (double)s_time,
926 (double)c_time);
927 #endif
928 }
929
930 SSL_free(s_ssl);
931 SSL_free(c_ssl);
932
933 end:
934 if (s_ctx != NULL) SSL_CTX_free(s_ctx);
935 if (c_ctx != NULL) SSL_CTX_free(c_ctx);
936
937 if (bio_stdout != NULL) BIO_free(bio_stdout);
938
939 #ifndef OPENSSL_NO_RSA
940 free_tmp_rsa();
941 #endif
942 #ifndef OPENSSL_NO_ENGINE
943 ENGINE_cleanup();
944 #endif
945 CRYPTO_cleanup_all_ex_data();
946 ERR_free_strings();
947 ERR_remove_state(0);
948 EVP_cleanup();
949 CRYPTO_mem_leaks(bio_err);
950 if (bio_err != NULL) BIO_free(bio_err);
951 EXIT(ret);
952 return ret;
953 }
954
955 int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count,
956 clock_t *s_time, clock_t *c_time)
957 {
958 long cw_num = count, cr_num = count, sw_num = count, sr_num = count;
959 BIO *s_ssl_bio = NULL, *c_ssl_bio = NULL;
960 BIO *server = NULL, *server_io = NULL, *client = NULL, *client_io = NULL;
961 int ret = 1;
962
963 size_t bufsiz = 256; /* small buffer for testing */
964
965 if (!BIO_new_bio_pair(&server, bufsiz, &server_io, bufsiz))
966 goto err;
967 if (!BIO_new_bio_pair(&client, bufsiz, &client_io, bufsiz))
968 goto err;
969
970 s_ssl_bio = BIO_new(BIO_f_ssl());
971 if (!s_ssl_bio)
972 goto err;
973
974 c_ssl_bio = BIO_new(BIO_f_ssl());
975 if (!c_ssl_bio)
976 goto err;
977
978 SSL_set_connect_state(c_ssl);
979 SSL_set_bio(c_ssl, client, client);
980 (void)BIO_set_ssl(c_ssl_bio, c_ssl, BIO_NOCLOSE);
981
982 SSL_set_accept_state(s_ssl);
983 SSL_set_bio(s_ssl, server, server);
984 (void)BIO_set_ssl(s_ssl_bio, s_ssl, BIO_NOCLOSE);
985
986 do
987 {
988 /*-
989 * c_ssl_bio: SSL filter BIO
990 *
991 * client: pseudo-I/O for SSL library
992 *
993 * client_io: client's SSL communication; usually to be
994 * relayed over some I/O facility, but in this
995 * test program, we're the server, too:
996 *
997 * server_io: server's SSL communication
998 *
999 * server: pseudo-I/O for SSL library
1000 *
1001 * s_ssl_bio: SSL filter BIO
1002 *
1003 * The client and the server each employ a "BIO pair":
1004 * client + client_io, server + server_io.
1005 * BIO pairs are symmetric. A BIO pair behaves similar
1006 * to a non-blocking socketpair (but both endpoints must
1007 * be handled by the same thread).
1008 * [Here we could connect client and server to the ends
1009 * of a single BIO pair, but then this code would be less
1010 * suitable as an example for BIO pairs in general.]
1011 *
1012 * Useful functions for querying the state of BIO pair endpoints:
1013 *
1014 * BIO_ctrl_pending(bio) number of bytes we can read now
1015 * BIO_ctrl_get_read_request(bio) number of bytes needed to fulfil
1016 * other side's read attempt
1017 * BIO_ctrl_get_write_guarantee(bio) number of bytes we can write now
1018 *
1019 * ..._read_request is never more than ..._write_guarantee;
1020 * it depends on the application which one you should use.
1021 */
1022
1023 /* We have non-blocking behaviour throughout this test program, but
1024 * can be sure that there is *some* progress in each iteration; so
1025 * we don't have to worry about ..._SHOULD_READ or ..._SHOULD_WRITE
1026 * -- we just try everything in each iteration
1027 */
1028
1029 {
1030 /* CLIENT */
1031
1032 MS_STATIC char cbuf[1024*8];
1033 int i, r;
1034 clock_t c_clock = clock();
1035
1036 memset(cbuf, 0, sizeof(cbuf));
1037
1038 if (debug)
1039 if (SSL_in_init(c_ssl))
1040 printf("client waiting in SSL_connect - %s\n",
1041 SSL_state_string_long(c_ssl));
1042
1043 if (cw_num > 0)
1044 {
1045 /* Write to server. */
1046
1047 if (cw_num > (long)sizeof cbuf)
1048 i = sizeof cbuf;
1049 else
1050 i = (int)cw_num;
1051 r = BIO_write(c_ssl_bio, cbuf, i);
1052 if (r < 0)
1053 {
1054 if (!BIO_should_retry(c_ssl_bio))
1055 {
1056 fprintf(stderr,"ERROR in CLIENT\n");
1057 goto err;
1058 }
1059 /* BIO_should_retry(...) can just be ignored here.
1060 * The library expects us to call BIO_write with
1061 * the same arguments again, and that's what we will
1062 * do in the next iteration. */
1063 }
1064 else if (r == 0)
1065 {
1066 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1067 goto err;
1068 }
1069 else
1070 {
1071 if (debug)
1072 printf("client wrote %d\n", r);
1073 cw_num -= r;
1074 }
1075 }
1076
1077 if (cr_num > 0)
1078 {
1079 /* Read from server. */
1080
1081 r = BIO_read(c_ssl_bio, cbuf, sizeof(cbuf));
1082 if (r < 0)
1083 {
1084 if (!BIO_should_retry(c_ssl_bio))
1085 {
1086 fprintf(stderr,"ERROR in CLIENT\n");
1087 goto err;
1088 }
1089 /* Again, "BIO_should_retry" can be ignored. */
1090 }
1091 else if (r == 0)
1092 {
1093 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1094 goto err;
1095 }
1096 else
1097 {
1098 if (debug)
1099 printf("client read %d\n", r);
1100 cr_num -= r;
1101 }
1102 }
1103
1104 /* c_time and s_time increments will typically be very small
1105 * (depending on machine speed and clock tick intervals),
1106 * but sampling over a large number of connections should
1107 * result in fairly accurate figures. We cannot guarantee
1108 * a lot, however -- if each connection lasts for exactly
1109 * one clock tick, it will be counted only for the client
1110 * or only for the server or even not at all.
1111 */
1112 *c_time += (clock() - c_clock);
1113 }
1114
1115 {
1116 /* SERVER */
1117
1118 MS_STATIC char sbuf[1024*8];
1119 int i, r;
1120 clock_t s_clock = clock();
1121
1122 memset(sbuf, 0, sizeof(sbuf));
1123
1124 if (debug)
1125 if (SSL_in_init(s_ssl))
1126 printf("server waiting in SSL_accept - %s\n",
1127 SSL_state_string_long(s_ssl));
1128
1129 if (sw_num > 0)
1130 {
1131 /* Write to client. */
1132
1133 if (sw_num > (long)sizeof sbuf)
1134 i = sizeof sbuf;
1135 else
1136 i = (int)sw_num;
1137 r = BIO_write(s_ssl_bio, sbuf, i);
1138 if (r < 0)
1139 {
1140 if (!BIO_should_retry(s_ssl_bio))
1141 {
1142 fprintf(stderr,"ERROR in SERVER\n");
1143 goto err;
1144 }
1145 /* Ignore "BIO_should_retry". */
1146 }
1147 else if (r == 0)
1148 {
1149 fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
1150 goto err;
1151 }
1152 else
1153 {
1154 if (debug)
1155 printf("server wrote %d\n", r);
1156 sw_num -= r;
1157 }
1158 }
1159
1160 if (sr_num > 0)
1161 {
1162 /* Read from client. */
1163
1164 r = BIO_read(s_ssl_bio, sbuf, sizeof(sbuf));
1165 if (r < 0)
1166 {
1167 if (!BIO_should_retry(s_ssl_bio))
1168 {
1169 fprintf(stderr,"ERROR in SERVER\n");
1170 goto err;
1171 }
1172 /* blah, blah */
1173 }
1174 else if (r == 0)
1175 {
1176 fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
1177 goto err;
1178 }
1179 else
1180 {
1181 if (debug)
1182 printf("server read %d\n", r);
1183 sr_num -= r;
1184 }
1185 }
1186
1187 *s_time += (clock() - s_clock);
1188 }
1189
1190 {
1191 /* "I/O" BETWEEN CLIENT AND SERVER. */
1192
1193 size_t r1, r2;
1194 BIO *io1 = server_io, *io2 = client_io;
1195 /* we use the non-copying interface for io1
1196 * and the standard BIO_write/BIO_read interface for io2
1197 */
1198
1199 static int prev_progress = 1;
1200 int progress = 0;
1201
1202 /* io1 to io2 */
1203 do
1204 {
1205 size_t num;
1206 int r;
1207
1208 r1 = BIO_ctrl_pending(io1);
1209 r2 = BIO_ctrl_get_write_guarantee(io2);
1210
1211 num = r1;
1212 if (r2 < num)
1213 num = r2;
1214 if (num)
1215 {
1216 char *dataptr;
1217
1218 if (INT_MAX < num) /* yeah, right */
1219 num = INT_MAX;
1220
1221 r = BIO_nread(io1, &dataptr, (int)num);
1222 assert(r > 0);
1223 assert(r <= (int)num);
1224 /* possibly r < num (non-contiguous data) */
1225 num = r;
1226 r = BIO_write(io2, dataptr, (int)num);
1227 if (r != (int)num) /* can't happen */
1228 {
1229 fprintf(stderr, "ERROR: BIO_write could not write "
1230 "BIO_ctrl_get_write_guarantee() bytes");
1231 goto err;
1232 }
1233 progress = 1;
1234
1235 if (debug)
1236 printf((io1 == client_io) ?
1237 "C->S relaying: %d bytes\n" :
1238 "S->C relaying: %d bytes\n",
1239 (int)num);
1240 }
1241 }
1242 while (r1 && r2);
1243
1244 /* io2 to io1 */
1245 {
1246 size_t num;
1247 int r;
1248
1249 r1 = BIO_ctrl_pending(io2);
1250 r2 = BIO_ctrl_get_read_request(io1);
1251 /* here we could use ..._get_write_guarantee instead of
1252 * ..._get_read_request, but by using the latter
1253 * we test restartability of the SSL implementation
1254 * more thoroughly */
1255 num = r1;
1256 if (r2 < num)
1257 num = r2;
1258 if (num)
1259 {
1260 char *dataptr;
1261
1262 if (INT_MAX < num)
1263 num = INT_MAX;
1264
1265 if (num > 1)
1266 --num; /* test restartability even more thoroughly */
1267
1268 r = BIO_nwrite0(io1, &dataptr);
1269 assert(r > 0);
1270 if (r < (int)num)
1271 num = r;
1272 r = BIO_read(io2, dataptr, (int)num);
1273 if (r != (int)num) /* can't happen */
1274 {
1275 fprintf(stderr, "ERROR: BIO_read could not read "
1276 "BIO_ctrl_pending() bytes");
1277 goto err;
1278 }
1279 progress = 1;
1280 r = BIO_nwrite(io1, &dataptr, (int)num);
1281 if (r != (int)num) /* can't happen */
1282 {
1283 fprintf(stderr, "ERROR: BIO_nwrite() did not accept "
1284 "BIO_nwrite0() bytes");
1285 goto err;
1286 }
1287
1288 if (debug)
1289 printf((io2 == client_io) ?
1290 "C->S relaying: %d bytes\n" :
1291 "S->C relaying: %d bytes\n",
1292 (int)num);
1293 }
1294 } /* no loop, BIO_ctrl_get_read_request now returns 0 anyway */
1295
1296 if (!progress && !prev_progress)
1297 if (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0)
1298 {
1299 fprintf(stderr, "ERROR: got stuck\n");
1300 if (strcmp("SSLv2", SSL_get_version(c_ssl)) == 0)
1301 {
1302 fprintf(stderr, "This can happen for SSL2 because "
1303 "CLIENT-FINISHED and SERVER-VERIFY are written \n"
1304 "concurrently ...");
1305 if (strncmp("2SCF", SSL_state_string(c_ssl), 4) == 0
1306 && strncmp("2SSV", SSL_state_string(s_ssl), 4) == 0)
1307 {
1308 fprintf(stderr, " ok.\n");
1309 goto end;
1310 }
1311 }
1312 fprintf(stderr, " ERROR.\n");
1313 goto err;
1314 }
1315 prev_progress = progress;
1316 }
1317 }
1318 while (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0);
1319
1320 if (verbose)
1321 print_details(c_ssl, "DONE via BIO pair: ");
1322 end:
1323 ret = 0;
1324
1325 err:
1326 ERR_print_errors(bio_err);
1327
1328 if (server)
1329 BIO_free(server);
1330 if (server_io)
1331 BIO_free(server_io);
1332 if (client)
1333 BIO_free(client);
1334 if (client_io)
1335 BIO_free(client_io);
1336 if (s_ssl_bio)
1337 BIO_free(s_ssl_bio);
1338 if (c_ssl_bio)
1339 BIO_free(c_ssl_bio);
1340
1341 return ret;
1342 }
1343
1344
1345 #define W_READ 1
1346 #define W_WRITE 2
1347 #define C_DONE 1
1348 #define S_DONE 2
1349
1350 int doit(SSL *s_ssl, SSL *c_ssl, long count)
1351 {
1352 MS_STATIC char cbuf[1024*8],sbuf[1024*8];
1353 long cw_num=count,cr_num=count;
1354 long sw_num=count,sr_num=count;
1355 int ret=1;
1356 BIO *c_to_s=NULL;
1357 BIO *s_to_c=NULL;
1358 BIO *c_bio=NULL;
1359 BIO *s_bio=NULL;
1360 int c_r,c_w,s_r,s_w;
1361 int i,j;
1362 int done=0;
1363 int c_write,s_write;
1364 int do_server=0,do_client=0;
1365
1366 memset(cbuf,0,sizeof(cbuf));
1367 memset(sbuf,0,sizeof(sbuf));
1368
1369 c_to_s=BIO_new(BIO_s_mem());
1370 s_to_c=BIO_new(BIO_s_mem());
1371 if ((s_to_c == NULL) || (c_to_s == NULL))
1372 {
1373 ERR_print_errors(bio_err);
1374 goto err;
1375 }
1376
1377 c_bio=BIO_new(BIO_f_ssl());
1378 s_bio=BIO_new(BIO_f_ssl());
1379 if ((c_bio == NULL) || (s_bio == NULL))
1380 {
1381 ERR_print_errors(bio_err);
1382 goto err;
1383 }
1384
1385 SSL_set_connect_state(c_ssl);
1386 SSL_set_bio(c_ssl,s_to_c,c_to_s);
1387 BIO_set_ssl(c_bio,c_ssl,BIO_NOCLOSE);
1388
1389 SSL_set_accept_state(s_ssl);
1390 SSL_set_bio(s_ssl,c_to_s,s_to_c);
1391 BIO_set_ssl(s_bio,s_ssl,BIO_NOCLOSE);
1392
1393 c_r=0; s_r=1;
1394 c_w=1; s_w=0;
1395 c_write=1,s_write=0;
1396
1397 /* We can always do writes */
1398 for (;;)
1399 {
1400 do_server=0;
1401 do_client=0;
1402
1403 i=(int)BIO_pending(s_bio);
1404 if ((i && s_r) || s_w) do_server=1;
1405
1406 i=(int)BIO_pending(c_bio);
1407 if ((i && c_r) || c_w) do_client=1;
1408
1409 if (do_server && debug)
1410 {
1411 if (SSL_in_init(s_ssl))
1412 printf("server waiting in SSL_accept - %s\n",
1413 SSL_state_string_long(s_ssl));
1414 /*-
1415 else if (s_write)
1416 printf("server:SSL_write()\n");
1417 else
1418 printf("server:SSL_read()\n"); */
1419 }
1420
1421 if (do_client && debug)
1422 {
1423 if (SSL_in_init(c_ssl))
1424 printf("client waiting in SSL_connect - %s\n",
1425 SSL_state_string_long(c_ssl));
1426 /*-
1427 else if (c_write)
1428 printf("client:SSL_write()\n");
1429 else
1430 printf("client:SSL_read()\n"); */
1431 }
1432
1433 if (!do_client && !do_server)
1434 {
1435 fprintf(stdout,"ERROR IN STARTUP\n");
1436 ERR_print_errors(bio_err);
1437 break;
1438 }
1439 if (do_client && !(done & C_DONE))
1440 {
1441 if (c_write)
1442 {
1443 j = (cw_num > (long)sizeof(cbuf)) ?
1444 (int)sizeof(cbuf) : (int)cw_num;
1445 i=BIO_write(c_bio,cbuf,j);
1446 if (i < 0)
1447 {
1448 c_r=0;
1449 c_w=0;
1450 if (BIO_should_retry(c_bio))
1451 {
1452 if (BIO_should_read(c_bio))
1453 c_r=1;
1454 if (BIO_should_write(c_bio))
1455 c_w=1;
1456 }
1457 else
1458 {
1459 fprintf(stderr,"ERROR in CLIENT\n");
1460 ERR_print_errors(bio_err);
1461 goto err;
1462 }
1463 }
1464 else if (i == 0)
1465 {
1466 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1467 goto err;
1468 }
1469 else
1470 {
1471 if (debug)
1472 printf("client wrote %d\n",i);
1473 /* ok */
1474 s_r=1;
1475 c_write=0;
1476 cw_num-=i;
1477 }
1478 }
1479 else
1480 {
1481 i=BIO_read(c_bio,cbuf,sizeof(cbuf));
1482 if (i < 0)
1483 {
1484 c_r=0;
1485 c_w=0;
1486 if (BIO_should_retry(c_bio))
1487 {
1488 if (BIO_should_read(c_bio))
1489 c_r=1;
1490 if (BIO_should_write(c_bio))
1491 c_w=1;
1492 }
1493 else
1494 {
1495 fprintf(stderr,"ERROR in CLIENT\n");
1496 ERR_print_errors(bio_err);
1497 goto err;
1498 }
1499 }
1500 else if (i == 0)
1501 {
1502 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1503 goto err;
1504 }
1505 else
1506 {
1507 if (debug)
1508 printf("client read %d\n",i);
1509 cr_num-=i;
1510 if (sw_num > 0)
1511 {
1512 s_write=1;
1513 s_w=1;
1514 }
1515 if (cr_num <= 0)
1516 {
1517 s_write=1;
1518 s_w=1;
1519 done=S_DONE|C_DONE;
1520 }
1521 }
1522 }
1523 }
1524
1525 if (do_server && !(done & S_DONE))
1526 {
1527 if (!s_write)
1528 {
1529 i=BIO_read(s_bio,sbuf,sizeof(cbuf));
1530 if (i < 0)
1531 {
1532 s_r=0;
1533 s_w=0;
1534 if (BIO_should_retry(s_bio))
1535 {
1536 if (BIO_should_read(s_bio))
1537 s_r=1;
1538 if (BIO_should_write(s_bio))
1539 s_w=1;
1540 }
1541 else
1542 {
1543 fprintf(stderr,"ERROR in SERVER\n");
1544 ERR_print_errors(bio_err);
1545 goto err;
1546 }
1547 }
1548 else if (i == 0)
1549 {
1550 ERR_print_errors(bio_err);
1551 fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_read\n");
1552 goto err;
1553 }
1554 else
1555 {
1556 if (debug)
1557 printf("server read %d\n",i);
1558 sr_num-=i;
1559 if (cw_num > 0)
1560 {
1561 c_write=1;
1562 c_w=1;
1563 }
1564 if (sr_num <= 0)
1565 {
1566 s_write=1;
1567 s_w=1;
1568 c_write=0;
1569 }
1570 }
1571 }
1572 else
1573 {
1574 j = (sw_num > (long)sizeof(sbuf)) ?
1575 (int)sizeof(sbuf) : (int)sw_num;
1576 i=BIO_write(s_bio,sbuf,j);
1577 if (i < 0)
1578 {
1579 s_r=0;
1580 s_w=0;
1581 if (BIO_should_retry(s_bio))
1582 {
1583 if (BIO_should_read(s_bio))
1584 s_r=1;
1585 if (BIO_should_write(s_bio))
1586 s_w=1;
1587 }
1588 else
1589 {
1590 fprintf(stderr,"ERROR in SERVER\n");
1591 ERR_print_errors(bio_err);
1592 goto err;
1593 }
1594 }
1595 else if (i == 0)
1596 {
1597 ERR_print_errors(bio_err);
1598 fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_write\n");
1599 goto err;
1600 }
1601 else
1602 {
1603 if (debug)
1604 printf("server wrote %d\n",i);
1605 sw_num-=i;
1606 s_write=0;
1607 c_r=1;
1608 if (sw_num <= 0)
1609 done|=S_DONE;
1610 }
1611 }
1612 }
1613
1614 if ((done & S_DONE) && (done & C_DONE)) break;
1615 }
1616
1617 if (verbose)
1618 print_details(c_ssl, "DONE: ");
1619 ret=0;
1620 err:
1621 /* We have to set the BIO's to NULL otherwise they will be
1622 * OPENSSL_free()ed twice. Once when th s_ssl is SSL_free()ed and
1623 * again when c_ssl is SSL_free()ed.
1624 * This is a hack required because s_ssl and c_ssl are sharing the same
1625 * BIO structure and SSL_set_bio() and SSL_free() automatically
1626 * BIO_free non NULL entries.
1627 * You should not normally do this or be required to do this */
1628 if (s_ssl != NULL)
1629 {
1630 s_ssl->rbio=NULL;
1631 s_ssl->wbio=NULL;
1632 }
1633 if (c_ssl != NULL)
1634 {
1635 c_ssl->rbio=NULL;
1636 c_ssl->wbio=NULL;
1637 }
1638
1639 if (c_to_s != NULL) BIO_free(c_to_s);
1640 if (s_to_c != NULL) BIO_free(s_to_c);
1641 if (c_bio != NULL) BIO_free_all(c_bio);
1642 if (s_bio != NULL) BIO_free_all(s_bio);
1643 return(ret);
1644 }
1645
1646 static int get_proxy_auth_ex_data_idx(void)
1647 {
1648 static volatile int idx = -1;
1649 if (idx < 0)
1650 {
1651 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
1652 if (idx < 0)
1653 {
1654 idx = X509_STORE_CTX_get_ex_new_index(0,
1655 "SSLtest for verify callback", NULL,NULL,NULL);
1656 }
1657 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
1658 }
1659 return idx;
1660 }
1661
1662 static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
1663 {
1664 char *s,buf[256];
1665
1666 s=X509_NAME_oneline(X509_get_subject_name(ctx->current_cert),buf,
1667 sizeof buf);
1668 if (s != NULL)
1669 {
1670 if (ok)
1671 fprintf(stderr,"depth=%d %s\n",
1672 ctx->error_depth,buf);
1673 else
1674 {
1675 fprintf(stderr,"depth=%d error=%d %s\n",
1676 ctx->error_depth,ctx->error,buf);
1677 }
1678 }
1679
1680 if (ok == 0)
1681 {
1682 fprintf(stderr,"Error string: %s\n",
1683 X509_verify_cert_error_string(ctx->error));
1684 switch (ctx->error)
1685 {
1686 case X509_V_ERR_CERT_NOT_YET_VALID:
1687 case X509_V_ERR_CERT_HAS_EXPIRED:
1688 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
1689 fprintf(stderr," ... ignored.\n");
1690 ok=1;
1691 }
1692 }
1693
1694 if (ok == 1)
1695 {
1696 X509 *xs = ctx->current_cert;
1697 #if 0
1698 X509 *xi = ctx->current_issuer;
1699 #endif
1700
1701 if (xs->ex_flags & EXFLAG_PROXY)
1702 {
1703 unsigned int *letters =
1704 X509_STORE_CTX_get_ex_data(ctx,
1705 get_proxy_auth_ex_data_idx());
1706
1707 if (letters)
1708 {
1709 int found_any = 0;
1710 int i;
1711 PROXY_CERT_INFO_EXTENSION *pci =
1712 X509_get_ext_d2i(xs, NID_proxyCertInfo,
1713 NULL, NULL);
1714
1715 switch (OBJ_obj2nid(pci->proxyPolicy->policyLanguage))
1716 {
1717 case NID_Independent:
1718 /* Completely meaningless in this
1719 program, as there's no way to
1720 grant explicit rights to a
1721 specific PrC. Basically, using
1722 id-ppl-Independent is the perfect
1723 way to grant no rights at all. */
1724 fprintf(stderr, " Independent proxy certificate");
1725 for (i = 0; i < 26; i++)
1726 letters[i] = 0;
1727 break;
1728 case NID_id_ppl_inheritAll:
1729 /* This is basically a NOP, we
1730 simply let the current rights
1731 stand as they are. */
1732 fprintf(stderr, " Proxy certificate inherits all");
1733 break;
1734 default:
1735 s = (char *)
1736 pci->proxyPolicy->policy->data;
1737 i = pci->proxyPolicy->policy->length;
1738
1739 /* The algorithm works as follows:
1740 it is assumed that previous
1741 iterations or the initial granted
1742 rights has already set some elements
1743 of `letters'. What we need to do is
1744 to clear those that weren't granted
1745 by the current PrC as well. The
1746 easiest way to do this is to add 1
1747 to all the elements whose letters
1748 are given with the current policy.
1749 That way, all elements that are set
1750 by the current policy and were
1751 already set by earlier policies and
1752 through the original grant of rights
1753 will get the value 2 or higher.
1754 The last thing to do is to sweep
1755 through `letters' and keep the
1756 elements having the value 2 as set,
1757 and clear all the others. */
1758
1759 fprintf(stderr, " Certificate proxy rights = %*.*s", i, i, s);
1760 while(i-- > 0)
1761 {
1762 int c = *s++;
1763 if (isascii(c) && isalpha(c))
1764 {
1765 if (islower(c))
1766 c = toupper(c);
1767 letters[c - 'A']++;
1768 }
1769 }
1770 for (i = 0; i < 26; i++)
1771 if (letters[i] < 2)
1772 letters[i] = 0;
1773 else
1774 letters[i] = 1;
1775 }
1776
1777 found_any = 0;
1778 fprintf(stderr,
1779 ", resulting proxy rights = ");
1780 for(i = 0; i < 26; i++)
1781 if (letters[i])
1782 {
1783 fprintf(stderr, "%c", i + 'A');
1784 found_any = 1;
1785 }
1786 if (!found_any)
1787 fprintf(stderr, "none");
1788 fprintf(stderr, "\n");
1789
1790 PROXY_CERT_INFO_EXTENSION_free(pci);
1791 }
1792 }
1793 }
1794
1795 return(ok);
1796 }
1797
1798 static void process_proxy_debug(int indent, const char *format, ...)
1799 {
1800 /* That's 80 > */
1801 static const char indentation[] =
1802 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
1803 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>";
1804 char my_format[256];
1805 va_list args;
1806
1807 BIO_snprintf(my_format, sizeof(my_format), "%*.*s %s",
1808 indent, indent, indentation, format);
1809
1810 va_start(args, format);
1811 vfprintf(stderr, my_format, args);
1812 va_end(args);
1813 }
1814 /*-
1815 * Priority levels:
1816 * 0 [!]var, ()
1817 * 1 & ^
1818 * 2 |
1819 */
1820 static int process_proxy_cond_adders(unsigned int letters[26],
1821 const char *cond, const char **cond_end, int *pos, int indent);
1822 static int process_proxy_cond_val(unsigned int letters[26],
1823 const char *cond, const char **cond_end, int *pos, int indent)
1824 {
1825 int c;
1826 int ok = 1;
1827 int negate = 0;
1828
1829 while(isspace((int)*cond))
1830 {
1831 cond++; (*pos)++;
1832 }
1833 c = *cond;
1834
1835 if (debug)
1836 process_proxy_debug(indent,
1837 "Start process_proxy_cond_val at position %d: %s\n",
1838 *pos, cond);
1839
1840 while(c == '!')
1841 {
1842 negate = !negate;
1843 cond++; (*pos)++;
1844 while(isspace((int)*cond))
1845 {
1846 cond++; (*pos)++;
1847 }
1848 c = *cond;
1849 }
1850
1851 if (c == '(')
1852 {
1853 cond++; (*pos)++;
1854 ok = process_proxy_cond_adders(letters, cond, cond_end, pos,
1855 indent + 1);
1856 cond = *cond_end;
1857 if (ok < 0)
1858 goto end;
1859 while(isspace((int)*cond))
1860 {
1861 cond++; (*pos)++;
1862 }
1863 c = *cond;
1864 if (c != ')')
1865 {
1866 fprintf(stderr,
1867 "Weird condition character in position %d: "
1868 "%c\n", *pos, c);
1869 ok = -1;
1870 goto end;
1871 }
1872 cond++; (*pos)++;
1873 }
1874 else if (isascii(c) && isalpha(c))
1875 {
1876 if (islower(c))
1877 c = toupper(c);
1878 ok = letters[c - 'A'];
1879 cond++; (*pos)++;
1880 }
1881 else
1882 {
1883 fprintf(stderr,
1884 "Weird condition character in position %d: "
1885 "%c\n", *pos, c);
1886 ok = -1;
1887 goto end;
1888 }
1889 end:
1890 *cond_end = cond;
1891 if (ok >= 0 && negate)
1892 ok = !ok;
1893
1894 if (debug)
1895 process_proxy_debug(indent,
1896 "End process_proxy_cond_val at position %d: %s, returning %d\n",
1897 *pos, cond, ok);
1898
1899 return ok;
1900 }
1901 static int process_proxy_cond_multipliers(unsigned int letters[26],
1902 const char *cond, const char **cond_end, int *pos, int indent)
1903 {
1904 int ok;
1905 char c;
1906
1907 if (debug)
1908 process_proxy_debug(indent,
1909 "Start process_proxy_cond_multipliers at position %d: %s\n",
1910 *pos, cond);
1911
1912 ok = process_proxy_cond_val(letters, cond, cond_end, pos, indent + 1);
1913 cond = *cond_end;
1914 if (ok < 0)
1915 goto end;
1916
1917 while(ok >= 0)
1918 {
1919 while(isspace((int)*cond))
1920 {
1921 cond++; (*pos)++;
1922 }
1923 c = *cond;
1924
1925 switch(c)
1926 {
1927 case '&':
1928 case '^':
1929 {
1930 int save_ok = ok;
1931
1932 cond++; (*pos)++;
1933 ok = process_proxy_cond_val(letters,
1934 cond, cond_end, pos, indent + 1);
1935 cond = *cond_end;
1936 if (ok < 0)
1937 break;
1938
1939 switch(c)
1940 {
1941 case '&':
1942 ok &= save_ok;
1943 break;
1944 case '^':
1945 ok ^= save_ok;
1946 break;
1947 default:
1948 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
1949 " STOPPING\n");
1950 EXIT(1);
1951 }
1952 }
1953 break;
1954 default:
1955 goto end;
1956 }
1957 }
1958 end:
1959 if (debug)
1960 process_proxy_debug(indent,
1961 "End process_proxy_cond_multipliers at position %d: %s, returning %d\n",
1962 *pos, cond, ok);
1963
1964 *cond_end = cond;
1965 return ok;
1966 }
1967 static int process_proxy_cond_adders(unsigned int letters[26],
1968 const char *cond, const char **cond_end, int *pos, int indent)
1969 {
1970 int ok;
1971 char c;
1972
1973 if (debug)
1974 process_proxy_debug(indent,
1975 "Start process_proxy_cond_adders at position %d: %s\n",
1976 *pos, cond);
1977
1978 ok = process_proxy_cond_multipliers(letters, cond, cond_end, pos,
1979 indent + 1);
1980 cond = *cond_end;
1981 if (ok < 0)
1982 goto end;
1983
1984 while(ok >= 0)
1985 {
1986 while(isspace((int)*cond))
1987 {
1988 cond++; (*pos)++;
1989 }
1990 c = *cond;
1991
1992 switch(c)
1993 {
1994 case '|':
1995 {
1996 int save_ok = ok;
1997
1998 cond++; (*pos)++;
1999 ok = process_proxy_cond_multipliers(letters,
2000 cond, cond_end, pos, indent + 1);
2001 cond = *cond_end;
2002 if (ok < 0)
2003 break;
2004
2005 switch(c)
2006 {
2007 case '|':
2008 ok |= save_ok;
2009 break;
2010 default:
2011 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
2012 " STOPPING\n");
2013 EXIT(1);
2014 }
2015 }
2016 break;
2017 default:
2018 goto end;
2019 }
2020 }
2021 end:
2022 if (debug)
2023 process_proxy_debug(indent,
2024 "End process_proxy_cond_adders at position %d: %s, returning %d\n",
2025 *pos, cond, ok);
2026
2027 *cond_end = cond;
2028 return ok;
2029 }
2030
2031 static int process_proxy_cond(unsigned int letters[26],
2032 const char *cond, const char **cond_end)
2033 {
2034 int pos = 1;
2035 return process_proxy_cond_adders(letters, cond, cond_end, &pos, 1);
2036 }
2037
2038 static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg)
2039 {
2040 int ok=1;
2041 struct app_verify_arg *cb_arg = arg;
2042 unsigned int letters[26]; /* only used with proxy_auth */
2043
2044 if (cb_arg->app_verify)
2045 {
2046 char *s = NULL,buf[256];
2047
2048 fprintf(stderr, "In app_verify_callback, allowing cert. ");
2049 fprintf(stderr, "Arg is: %s\n", cb_arg->string);
2050 fprintf(stderr, "Finished printing do we have a context? 0x%p a cert? 0x%p\n",
2051 (void *)ctx, (void *)ctx->cert);
2052 if (ctx->cert)
2053 s=X509_NAME_oneline(X509_get_subject_name(ctx->cert),buf,256);
2054 if (s != NULL)
2055 {
2056 fprintf(stderr,"cert depth=%d %s\n",ctx->error_depth,buf);
2057 }
2058 return(1);
2059 }
2060 if (cb_arg->proxy_auth)
2061 {
2062 int found_any = 0, i;
2063 char *sp;
2064
2065 for(i = 0; i < 26; i++)
2066 letters[i] = 0;
2067 for(sp = cb_arg->proxy_auth; *sp; sp++)
2068 {
2069 int c = *sp;
2070 if (isascii(c) && isalpha(c))
2071 {
2072 if (islower(c))
2073 c = toupper(c);
2074 letters[c - 'A'] = 1;
2075 }
2076 }
2077
2078 fprintf(stderr,
2079 " Initial proxy rights = ");
2080 for(i = 0; i < 26; i++)
2081 if (letters[i])
2082 {
2083 fprintf(stderr, "%c", i + 'A');
2084 found_any = 1;
2085 }
2086 if (!found_any)
2087 fprintf(stderr, "none");
2088 fprintf(stderr, "\n");
2089
2090 X509_STORE_CTX_set_ex_data(ctx,
2091 get_proxy_auth_ex_data_idx(),letters);
2092 }
2093 if (cb_arg->allow_proxy_certs)
2094 {
2095 X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
2096 }
2097
2098 #ifndef OPENSSL_NO_X509_VERIFY
2099 ok = X509_verify_cert(ctx);
2100 #endif
2101
2102 if (cb_arg->proxy_auth)
2103 {
2104 if (ok > 0)
2105 {
2106 const char *cond_end = NULL;
2107
2108 ok = process_proxy_cond(letters,
2109 cb_arg->proxy_cond, &cond_end);
2110
2111 if (ok < 0)
2112 EXIT(3);
2113 if (*cond_end)
2114 {
2115 fprintf(stderr, "Stopped processing condition before it's end.\n");
2116 ok = 0;
2117 }
2118 if (!ok)
2119 fprintf(stderr, "Proxy rights check with condition '%s' proved invalid\n",
2120 cb_arg->proxy_cond);
2121 else
2122 fprintf(stderr, "Proxy rights check with condition '%s' proved valid\n",
2123 cb_arg->proxy_cond);
2124 }
2125 }
2126 return(ok);
2127 }
2128
2129 #ifndef OPENSSL_NO_RSA
2130 static RSA *rsa_tmp=NULL;
2131
2132 static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength)
2133 {
2134 BIGNUM *bn = NULL;
2135 if (rsa_tmp == NULL)
2136 {
2137 bn = BN_new();
2138 rsa_tmp = RSA_new();
2139 if(!bn || !rsa_tmp || !BN_set_word(bn, RSA_F4))
2140 {
2141 BIO_printf(bio_err, "Memory error...");
2142 goto end;
2143 }
2144 BIO_printf(bio_err,"Generating temp (%d bit) RSA key...",keylength);
2145 (void)BIO_flush(bio_err);
2146 if(!RSA_generate_key_ex(rsa_tmp,keylength,bn,NULL))
2147 {
2148 BIO_printf(bio_err, "Error generating key.");
2149 RSA_free(rsa_tmp);
2150 rsa_tmp = NULL;
2151 }
2152 end:
2153 BIO_printf(bio_err,"\n");
2154 (void)BIO_flush(bio_err);
2155 }
2156 if(bn) BN_free(bn);
2157 return(rsa_tmp);
2158 }
2159
2160 static void free_tmp_rsa(void)
2161 {
2162 if (rsa_tmp != NULL)
2163 {
2164 RSA_free(rsa_tmp);
2165 rsa_tmp = NULL;
2166 }
2167 }
2168 #endif
2169
2170 #ifndef OPENSSL_NO_DH
2171 /*-
2172 * These DH parameters have been generated as follows:
2173 * $ openssl dhparam -C -noout 512
2174 * $ openssl dhparam -C -noout 1024
2175 * $ openssl dhparam -C -noout -dsaparam 1024
2176 * (The third function has been renamed to avoid name conflicts.)
2177 */
2178 static DH *get_dh512()
2179 {
2180 static unsigned char dh512_p[]={
2181 0xCB,0xC8,0xE1,0x86,0xD0,0x1F,0x94,0x17,0xA6,0x99,0xF0,0xC6,
2182 0x1F,0x0D,0xAC,0xB6,0x25,0x3E,0x06,0x39,0xCA,0x72,0x04,0xB0,
2183 0x6E,0xDA,0xC0,0x61,0xE6,0x7A,0x77,0x25,0xE8,0x3B,0xB9,0x5F,
2184 0x9A,0xB6,0xB5,0xFE,0x99,0x0B,0xA1,0x93,0x4E,0x35,0x33,0xB8,
2185 0xE1,0xF1,0x13,0x4F,0x59,0x1A,0xD2,0x57,0xC0,0x26,0x21,0x33,
2186 0x02,0xC5,0xAE,0x23,
2187 };
2188 static unsigned char dh512_g[]={
2189 0x02,
2190 };
2191 DH *dh;
2192
2193 if ((dh=DH_new()) == NULL) return(NULL);
2194 dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
2195 dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
2196 if ((dh->p == NULL) || (dh->g == NULL))
2197 { DH_free(dh); return(NULL); }
2198 return(dh);
2199 }
2200
2201 static DH *get_dh1024()
2202 {
2203 static unsigned char dh1024_p[]={
2204 0xF8,0x81,0x89,0x7D,0x14,0x24,0xC5,0xD1,0xE6,0xF7,0xBF,0x3A,
2205 0xE4,0x90,0xF4,0xFC,0x73,0xFB,0x34,0xB5,0xFA,0x4C,0x56,0xA2,
2206 0xEA,0xA7,0xE9,0xC0,0xC0,0xCE,0x89,0xE1,0xFA,0x63,0x3F,0xB0,
2207 0x6B,0x32,0x66,0xF1,0xD1,0x7B,0xB0,0x00,0x8F,0xCA,0x87,0xC2,
2208 0xAE,0x98,0x89,0x26,0x17,0xC2,0x05,0xD2,0xEC,0x08,0xD0,0x8C,
2209 0xFF,0x17,0x52,0x8C,0xC5,0x07,0x93,0x03,0xB1,0xF6,0x2F,0xB8,
2210 0x1C,0x52,0x47,0x27,0x1B,0xDB,0xD1,0x8D,0x9D,0x69,0x1D,0x52,
2211 0x4B,0x32,0x81,0xAA,0x7F,0x00,0xC8,0xDC,0xE6,0xD9,0xCC,0xC1,
2212 0x11,0x2D,0x37,0x34,0x6C,0xEA,0x02,0x97,0x4B,0x0E,0xBB,0xB1,
2213 0x71,0x33,0x09,0x15,0xFD,0xDD,0x23,0x87,0x07,0x5E,0x89,0xAB,
2214 0x6B,0x7C,0x5F,0xEC,0xA6,0x24,0xDC,0x53,
2215 };
2216 static unsigned char dh1024_g[]={
2217 0x02,
2218 };
2219 DH *dh;
2220
2221 if ((dh=DH_new()) == NULL) return(NULL);
2222 dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
2223 dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
2224 if ((dh->p == NULL) || (dh->g == NULL))
2225 { DH_free(dh); return(NULL); }
2226 return(dh);
2227 }
2228
2229 static DH *get_dh1024dsa()
2230 {
2231 static unsigned char dh1024_p[]={
2232 0xC8,0x00,0xF7,0x08,0x07,0x89,0x4D,0x90,0x53,0xF3,0xD5,0x00,
2233 0x21,0x1B,0xF7,0x31,0xA6,0xA2,0xDA,0x23,0x9A,0xC7,0x87,0x19,
2234 0x3B,0x47,0xB6,0x8C,0x04,0x6F,0xFF,0xC6,0x9B,0xB8,0x65,0xD2,
2235 0xC2,0x5F,0x31,0x83,0x4A,0xA7,0x5F,0x2F,0x88,0x38,0xB6,0x55,
2236 0xCF,0xD9,0x87,0x6D,0x6F,0x9F,0xDA,0xAC,0xA6,0x48,0xAF,0xFC,
2237 0x33,0x84,0x37,0x5B,0x82,0x4A,0x31,0x5D,0xE7,0xBD,0x52,0x97,
2238 0xA1,0x77,0xBF,0x10,0x9E,0x37,0xEA,0x64,0xFA,0xCA,0x28,0x8D,
2239 0x9D,0x3B,0xD2,0x6E,0x09,0x5C,0x68,0xC7,0x45,0x90,0xFD,0xBB,
2240 0x70,0xC9,0x3A,0xBB,0xDF,0xD4,0x21,0x0F,0xC4,0x6A,0x3C,0xF6,
2241 0x61,0xCF,0x3F,0xD6,0x13,0xF1,0x5F,0xBC,0xCF,0xBC,0x26,0x9E,
2242 0xBC,0x0B,0xBD,0xAB,0x5D,0xC9,0x54,0x39,
2243 };
2244 static unsigned char dh1024_g[]={
2245 0x3B,0x40,0x86,0xE7,0xF3,0x6C,0xDE,0x67,0x1C,0xCC,0x80,0x05,
2246 0x5A,0xDF,0xFE,0xBD,0x20,0x27,0x74,0x6C,0x24,0xC9,0x03,0xF3,
2247 0xE1,0x8D,0xC3,0x7D,0x98,0x27,0x40,0x08,0xB8,0x8C,0x6A,0xE9,
2248 0xBB,0x1A,0x3A,0xD6,0x86,0x83,0x5E,0x72,0x41,0xCE,0x85,0x3C,
2249 0xD2,0xB3,0xFC,0x13,0xCE,0x37,0x81,0x9E,0x4C,0x1C,0x7B,0x65,
2250 0xD3,0xE6,0xA6,0x00,0xF5,0x5A,0x95,0x43,0x5E,0x81,0xCF,0x60,
2251 0xA2,0x23,0xFC,0x36,0xA7,0x5D,0x7A,0x4C,0x06,0x91,0x6E,0xF6,
2252 0x57,0xEE,0x36,0xCB,0x06,0xEA,0xF5,0x3D,0x95,0x49,0xCB,0xA7,
2253 0xDD,0x81,0xDF,0x80,0x09,0x4A,0x97,0x4D,0xA8,0x22,0x72,0xA1,
2254 0x7F,0xC4,0x70,0x56,0x70,0xE8,0x20,0x10,0x18,0x8F,0x2E,0x60,
2255 0x07,0xE7,0x68,0x1A,0x82,0x5D,0x32,0xA2,
2256 };
2257 DH *dh;
2258
2259 if ((dh=DH_new()) == NULL) return(NULL);
2260 dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
2261 dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
2262 if ((dh->p == NULL) || (dh->g == NULL))
2263 { DH_free(dh); return(NULL); }
2264 dh->length = 160;
2265 return(dh);
2266 }
2267 #endif
2268
2269 static int do_test_cipherlist(void)
2270 {
2271 int i = 0;
2272 const SSL_METHOD *meth;
2273 SSL_CIPHER *ci, *tci = NULL;
2274
2275 #ifndef OPENSSL_NO_SSL2
2276 fprintf(stderr, "testing SSLv2 cipher list order: ");
2277 meth = SSLv2_method();
2278 while ((ci = meth->get_cipher(i++)) != NULL)
2279 {
2280 if (tci != NULL)
2281 if (ci->id >= tci->id)
2282 {
2283 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2284 return 0;
2285 }
2286 tci = ci;
2287 }
2288 fprintf(stderr, "ok\n");
2289 #endif
2290 #ifndef OPENSSL_NO_SSL3
2291 fprintf(stderr, "testing SSLv3 cipher list order: ");
2292 meth = SSLv3_method();
2293 tci = NULL;
2294 while ((ci = meth->get_cipher(i++)) != NULL)
2295 {
2296 if (tci != NULL)
2297 if (ci->id >= tci->id)
2298 {
2299 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2300 return 0;
2301 }
2302 tci = ci;
2303 }
2304 fprintf(stderr, "ok\n");
2305 #endif
2306 #ifndef OPENSSL_NO_TLS1
2307 fprintf(stderr, "testing TLSv1 cipher list order: ");
2308 meth = TLSv1_method();
2309 tci = NULL;
2310 while ((ci = meth->get_cipher(i++)) != NULL)
2311 {
2312 if (tci != NULL)
2313 if (ci->id >= tci->id)
2314 {
2315 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2316 return 0;
2317 }
2318 tci = ci;
2319 }
2320 fprintf(stderr, "ok\n");
2321 #endif
2322
2323 return 1;
2324 }
A mirror of the official openssl repository