]> git.ipfire.org Git - thirdparty/openssl.git/blob - ssl/ssltest.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Added restrictions on the use of proxy certificates, as they may pose
[thirdparty/openssl.git] / ssl / ssltest.c
1 /* ssl/ssltest.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58 /* ====================================================================
59 * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111 /* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 * ECC cipher suite support in OpenSSL originally developed by
114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
115 */
116
117 #define _BSD_SOURCE 1 /* Or gethostname won't be declared properly
118 on Linux and GNU platforms. */
119
120 #include <assert.h>
121 #include <errno.h>
122 #include <limits.h>
123 #include <stdio.h>
124 #include <stdlib.h>
125 #include <string.h>
126 #include <time.h>
127
128 #define USE_SOCKETS
129 #include "e_os.h"
130
131 #define _XOPEN_SOURCE 1 /* Or isascii won't be declared properly on
132 VMS (at least with DECompHP C). */
133 #include <ctype.h>
134
135 #include <openssl/bio.h>
136 #include <openssl/crypto.h>
137 #include <openssl/evp.h>
138 #include <openssl/x509.h>
139 #include <openssl/x509v3.h>
140 #include <openssl/ssl.h>
141 #ifndef OPENSSL_NO_ENGINE
142 #include <openssl/engine.h>
143 #endif
144 #include <openssl/err.h>
145 #include <openssl/rand.h>
146 #include <openssl/rsa.h>
147 #include <openssl/dsa.h>
148 #include <openssl/dh.h>
149 #include <openssl/bn.h>
150
151 #define _XOPEN_SOURCE_EXTENDED 1 /* Or gethostname won't be declared properly
152 on Compaq platforms (at least with DEC C).
153 Do not try to put it earlier, or IPv6 includes
154 get screwed...
155 */
156
157 #ifdef OPENSSL_SYS_WINDOWS
158 #include <winsock.h>
159 #else
160 #include OPENSSL_UNISTD
161 #endif
162
163 #ifdef OPENSSL_SYS_VMS
164 # define TEST_SERVER_CERT "SYS$DISK:[-.APPS]SERVER.PEM"
165 # define TEST_CLIENT_CERT "SYS$DISK:[-.APPS]CLIENT.PEM"
166 #elif defined(OPENSSL_SYS_WINCE)
167 # define TEST_SERVER_CERT "\\OpenSSL\\server.pem"
168 # define TEST_CLIENT_CERT "\\OpenSSL\\client.pem"
169 #elif defined(OPENSSL_SYS_NETWARE)
170 # define TEST_SERVER_CERT "\\openssl\\apps\\server.pem"
171 # define TEST_CLIENT_CERT "\\openssl\\apps\\client.pem"
172 #else
173 # define TEST_SERVER_CERT "../apps/server.pem"
174 # define TEST_CLIENT_CERT "../apps/client.pem"
175 #endif
176
177 /* There is really no standard for this, so let's assign some tentative
178 numbers. In any case, these numbers are only for this test */
179 #define COMP_RLE 255
180 #define COMP_ZLIB 1
181
182 static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
183 #ifndef OPENSSL_NO_RSA
184 static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export,int keylength);
185 static void free_tmp_rsa(void);
186 #endif
187 static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg);
188 #define APP_CALLBACK_STRING "Test Callback Argument"
189 struct app_verify_arg
190 {
191 char *string;
192 int app_verify;
193 int allow_proxy_certs;
194 char *proxy_auth;
195 char *proxy_cond;
196 };
197
198 #ifndef OPENSSL_NO_DH
199 static DH *get_dh512(void);
200 static DH *get_dh1024(void);
201 static DH *get_dh1024dsa(void);
202 #endif
203
204 static BIO *bio_err=NULL;
205 static BIO *bio_stdout=NULL;
206
207 static char *cipher=NULL;
208 static int verbose=0;
209 static int debug=0;
210 #if 0
211 /* Not used yet. */
212 #ifdef FIONBIO
213 static int s_nbio=0;
214 #endif
215 #endif
216
217 static const char rnd_seed[] = "string to make the random number generator think it has entropy";
218
219 int doit_biopair(SSL *s_ssl,SSL *c_ssl,long bytes,clock_t *s_time,clock_t *c_time);
220 int doit(SSL *s_ssl,SSL *c_ssl,long bytes);
221 static void sv_usage(void)
222 {
223 fprintf(stderr,"usage: ssltest [args ...]\n");
224 fprintf(stderr,"\n");
225 fprintf(stderr," -server_auth - check server certificate\n");
226 fprintf(stderr," -client_auth - do client authentication\n");
227 fprintf(stderr," -proxy - allow proxy certificates\n");
228 fprintf(stderr," -proxy_auth <val> - set proxy policy rights\n");
229 fprintf(stderr," -proxy_cond <val> - experssion to test proxy policy rights\n");
230 fprintf(stderr," -v - more output\n");
231 fprintf(stderr," -d - debug output\n");
232 fprintf(stderr," -reuse - use session-id reuse\n");
233 fprintf(stderr," -num <val> - number of connections to perform\n");
234 fprintf(stderr," -bytes <val> - number of bytes to swap between client/server\n");
235 #ifndef OPENSSL_NO_DH
236 fprintf(stderr," -dhe1024 - use 1024 bit key (safe prime) for DHE\n");
237 fprintf(stderr," -dhe1024dsa - use 1024 bit key (with 160-bit subprime) for DHE\n");
238 fprintf(stderr," -no_dhe - disable DHE\n");
239 #endif
240 #ifndef OPENSSL_NO_ECDH
241 fprintf(stderr," -no_ecdhe - disable ECDHE\n");
242 #endif
243 #ifndef OPENSSL_NO_SSL2
244 fprintf(stderr," -ssl2 - use SSLv2\n");
245 #endif
246 #ifndef OPENSSL_NO_SSL3
247 fprintf(stderr," -ssl3 - use SSLv3\n");
248 #endif
249 #ifndef OPENSSL_NO_TLS1
250 fprintf(stderr," -tls1 - use TLSv1\n");
251 #endif
252 fprintf(stderr," -CApath arg - PEM format directory of CA's\n");
253 fprintf(stderr," -CAfile arg - PEM format file of CA's\n");
254 fprintf(stderr," -cert arg - Server certificate file\n");
255 fprintf(stderr," -key arg - Server key file (default: same as -cert)\n");
256 fprintf(stderr," -c_cert arg - Client certificate file\n");
257 fprintf(stderr," -c_key arg - Client key file (default: same as -c_cert)\n");
258 fprintf(stderr," -cipher arg - The cipher list\n");
259 fprintf(stderr," -bio_pair - Use BIO pairs\n");
260 fprintf(stderr," -f - Test even cases that can't work\n");
261 fprintf(stderr," -time - measure processor time used by client and server\n");
262 fprintf(stderr," -zlib - use zlib compression\n");
263 fprintf(stderr," -rle - use rle compression\n");
264 #ifndef OPENSSL_NO_ECDH
265 fprintf(stderr," -named_curve arg - Elliptic curve name to use for ephemeral ECDH keys.\n" \
266 " Use \"openssl ecparam -list_curves\" for all names\n" \
267 " (default is sect163r2).\n");
268 #endif
269 }
270
271 static void print_details(SSL *c_ssl, const char *prefix)
272 {
273 SSL_CIPHER *ciph;
274 X509 *cert;
275
276 ciph=SSL_get_current_cipher(c_ssl);
277 BIO_printf(bio_stdout,"%s%s, cipher %s %s",
278 prefix,
279 SSL_get_version(c_ssl),
280 SSL_CIPHER_get_version(ciph),
281 SSL_CIPHER_get_name(ciph));
282 cert=SSL_get_peer_certificate(c_ssl);
283 if (cert != NULL)
284 {
285 EVP_PKEY *pkey = X509_get_pubkey(cert);
286 if (pkey != NULL)
287 {
288 if (0)
289 ;
290 #ifndef OPENSSL_NO_RSA
291 else if (pkey->type == EVP_PKEY_RSA && pkey->pkey.rsa != NULL
292 && pkey->pkey.rsa->n != NULL)
293 {
294 BIO_printf(bio_stdout, ", %d bit RSA",
295 BN_num_bits(pkey->pkey.rsa->n));
296 }
297 #endif
298 #ifndef OPENSSL_NO_DSA
299 else if (pkey->type == EVP_PKEY_DSA && pkey->pkey.dsa != NULL
300 && pkey->pkey.dsa->p != NULL)
301 {
302 BIO_printf(bio_stdout, ", %d bit DSA",
303 BN_num_bits(pkey->pkey.dsa->p));
304 }
305 #endif
306 EVP_PKEY_free(pkey);
307 }
308 X509_free(cert);
309 }
310 /* The SSL API does not allow us to look at temporary RSA/DH keys,
311 * otherwise we should print their lengths too */
312 BIO_printf(bio_stdout,"\n");
313 }
314
315 static void lock_dbg_cb(int mode, int type, const char *file, int line)
316 {
317 static int modes[CRYPTO_NUM_LOCKS]; /* = {0, 0, ... } */
318 const char *errstr = NULL;
319 int rw;
320
321 rw = mode & (CRYPTO_READ|CRYPTO_WRITE);
322 if (!((rw == CRYPTO_READ) || (rw == CRYPTO_WRITE)))
323 {
324 errstr = "invalid mode";
325 goto err;
326 }
327
328 if (type < 0 || type >= CRYPTO_NUM_LOCKS)
329 {
330 errstr = "type out of bounds";
331 goto err;
332 }
333
334 if (mode & CRYPTO_LOCK)
335 {
336 if (modes[type])
337 {
338 errstr = "already locked";
339 /* must not happen in a single-threaded program
340 * (would deadlock) */
341 goto err;
342 }
343
344 modes[type] = rw;
345 }
346 else if (mode & CRYPTO_UNLOCK)
347 {
348 if (!modes[type])
349 {
350 errstr = "not locked";
351 goto err;
352 }
353
354 if (modes[type] != rw)
355 {
356 errstr = (rw == CRYPTO_READ) ?
357 "CRYPTO_r_unlock on write lock" :
358 "CRYPTO_w_unlock on read lock";
359 }
360
361 modes[type] = 0;
362 }
363 else
364 {
365 errstr = "invalid mode";
366 goto err;
367 }
368
369 err:
370 if (errstr)
371 {
372 /* we cannot use bio_err here */
373 fprintf(stderr, "openssl (lock_dbg_cb): %s (mode=%d, type=%d) at %s:%d\n",
374 errstr, mode, type, file, line);
375 }
376 }
377
378 int main(int argc, char *argv[])
379 {
380 char *CApath=NULL,*CAfile=NULL;
381 int badop=0;
382 int bio_pair=0;
383 int force=0;
384 int tls1=0,ssl2=0,ssl3=0,ret=1;
385 int client_auth=0;
386 int server_auth=0,i;
387 struct app_verify_arg app_verify_arg =
388 { APP_CALLBACK_STRING, 0, 0, NULL, NULL };
389 char *server_cert=TEST_SERVER_CERT;
390 char *server_key=NULL;
391 char *client_cert=TEST_CLIENT_CERT;
392 char *client_key=NULL;
393 char *named_curve = NULL;
394 SSL_CTX *s_ctx=NULL;
395 SSL_CTX *c_ctx=NULL;
396 SSL_METHOD *meth=NULL;
397 SSL *c_ssl,*s_ssl;
398 int number=1,reuse=0;
399 long bytes=256L;
400 #ifndef OPENSSL_NO_DH
401 DH *dh;
402 int dhe1024 = 0, dhe1024dsa = 0;
403 #endif
404 #ifndef OPENSSL_NO_ECDH
405 EC_KEY *ecdh = NULL;
406 #endif
407 int no_dhe = 0;
408 int no_ecdhe = 0;
409 int print_time = 0;
410 clock_t s_time = 0, c_time = 0;
411 int comp = 0;
412 COMP_METHOD *cm = NULL;
413 STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
414
415 verbose = 0;
416 debug = 0;
417 cipher = 0;
418
419 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
420
421 CRYPTO_set_locking_callback(lock_dbg_cb);
422
423 /* enable memory leak checking unless explicitly disabled */
424 if (!((getenv("OPENSSL_DEBUG_MEMORY") != NULL) && (0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off"))))
425 {
426 CRYPTO_malloc_debug_init();
427 CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
428 }
429 else
430 {
431 /* OPENSSL_DEBUG_MEMORY=off */
432 CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0);
433 }
434 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
435
436 RAND_seed(rnd_seed, sizeof rnd_seed);
437
438 bio_stdout=BIO_new_fp(stdout,BIO_NOCLOSE);
439
440 argc--;
441 argv++;
442
443 while (argc >= 1)
444 {
445 if (strcmp(*argv,"-server_auth") == 0)
446 server_auth=1;
447 else if (strcmp(*argv,"-client_auth") == 0)
448 client_auth=1;
449 else if (strcmp(*argv,"-proxy_auth") == 0)
450 {
451 if (--argc < 1) goto bad;
452 app_verify_arg.proxy_auth= *(++argv);
453 }
454 else if (strcmp(*argv,"-proxy_cond") == 0)
455 {
456 if (--argc < 1) goto bad;
457 app_verify_arg.proxy_cond= *(++argv);
458 }
459 else if (strcmp(*argv,"-v") == 0)
460 verbose=1;
461 else if (strcmp(*argv,"-d") == 0)
462 debug=1;
463 else if (strcmp(*argv,"-reuse") == 0)
464 reuse=1;
465 else if (strcmp(*argv,"-dhe1024") == 0)
466 {
467 #ifndef OPENSSL_NO_DH
468 dhe1024=1;
469 #else
470 fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n");
471 #endif
472 }
473 else if (strcmp(*argv,"-dhe1024dsa") == 0)
474 {
475 #ifndef OPENSSL_NO_DH
476 dhe1024dsa=1;
477 #else
478 fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n");
479 #endif
480 }
481 else if (strcmp(*argv,"-no_dhe") == 0)
482 no_dhe=1;
483 else if (strcmp(*argv,"-no_ecdhe") == 0)
484 no_ecdhe=1;
485 else if (strcmp(*argv,"-ssl2") == 0)
486 ssl2=1;
487 else if (strcmp(*argv,"-tls1") == 0)
488 tls1=1;
489 else if (strcmp(*argv,"-ssl3") == 0)
490 ssl3=1;
491 else if (strncmp(*argv,"-num",4) == 0)
492 {
493 if (--argc < 1) goto bad;
494 number= atoi(*(++argv));
495 if (number == 0) number=1;
496 }
497 else if (strcmp(*argv,"-bytes") == 0)
498 {
499 if (--argc < 1) goto bad;
500 bytes= atol(*(++argv));
501 if (bytes == 0L) bytes=1L;
502 i=strlen(argv[0]);
503 if (argv[0][i-1] == 'k') bytes*=1024L;
504 if (argv[0][i-1] == 'm') bytes*=1024L*1024L;
505 }
506 else if (strcmp(*argv,"-cert") == 0)
507 {
508 if (--argc < 1) goto bad;
509 server_cert= *(++argv);
510 }
511 else if (strcmp(*argv,"-s_cert") == 0)
512 {
513 if (--argc < 1) goto bad;
514 server_cert= *(++argv);
515 }
516 else if (strcmp(*argv,"-key") == 0)
517 {
518 if (--argc < 1) goto bad;
519 server_key= *(++argv);
520 }
521 else if (strcmp(*argv,"-s_key") == 0)
522 {
523 if (--argc < 1) goto bad;
524 server_key= *(++argv);
525 }
526 else if (strcmp(*argv,"-c_cert") == 0)
527 {
528 if (--argc < 1) goto bad;
529 client_cert= *(++argv);
530 }
531 else if (strcmp(*argv,"-c_key") == 0)
532 {
533 if (--argc < 1) goto bad;
534 client_key= *(++argv);
535 }
536 else if (strcmp(*argv,"-cipher") == 0)
537 {
538 if (--argc < 1) goto bad;
539 cipher= *(++argv);
540 }
541 else if (strcmp(*argv,"-CApath") == 0)
542 {
543 if (--argc < 1) goto bad;
544 CApath= *(++argv);
545 }
546 else if (strcmp(*argv,"-CAfile") == 0)
547 {
548 if (--argc < 1) goto bad;
549 CAfile= *(++argv);
550 }
551 else if (strcmp(*argv,"-bio_pair") == 0)
552 {
553 bio_pair = 1;
554 }
555 else if (strcmp(*argv,"-f") == 0)
556 {
557 force = 1;
558 }
559 else if (strcmp(*argv,"-time") == 0)
560 {
561 print_time = 1;
562 }
563 else if (strcmp(*argv,"-zlib") == 0)
564 {
565 comp = COMP_ZLIB;
566 }
567 else if (strcmp(*argv,"-rle") == 0)
568 {
569 comp = COMP_RLE;
570 }
571 else if (strcmp(*argv,"-named_curve") == 0)
572 {
573 if (--argc < 1) goto bad;
574 #ifndef OPENSSL_NO_ECDH
575 named_curve = *(++argv);
576 #else
577 fprintf(stderr,"ignoring -named_curve, since I'm compiled without ECDH\n");
578 ++argv;
579 #endif
580 }
581 else if (strcmp(*argv,"-app_verify") == 0)
582 {
583 app_verify_arg.app_verify = 1;
584 }
585 else if (strcmp(*argv,"-proxy") == 0)
586 {
587 app_verify_arg.allow_proxy_certs = 1;
588 }
589 else
590 {
591 fprintf(stderr,"unknown option %s\n",*argv);
592 badop=1;
593 break;
594 }
595 argc--;
596 argv++;
597 }
598 if (badop)
599 {
600 bad:
601 sv_usage();
602 goto end;
603 }
604
605 if (!ssl2 && !ssl3 && !tls1 && number > 1 && !reuse && !force)
606 {
607 fprintf(stderr, "This case cannot work. Use -f to perform "
608 "the test anyway (and\n-d to see what happens), "
609 "or add one of -ssl2, -ssl3, -tls1, -reuse\n"
610 "to avoid protocol mismatch.\n");
611 EXIT(1);
612 }
613
614 if (print_time)
615 {
616 if (!bio_pair)
617 {
618 fprintf(stderr, "Using BIO pair (-bio_pair)\n");
619 bio_pair = 1;
620 }
621 if (number < 50 && !force)
622 fprintf(stderr, "Warning: For accurate timings, use more connections (e.g. -num 1000)\n");
623 }
624
625 /* if (cipher == NULL) cipher=getenv("SSL_CIPHER"); */
626
627 SSL_library_init();
628 SSL_load_error_strings();
629
630 if (comp == COMP_ZLIB) cm = COMP_zlib();
631 if (comp == COMP_RLE) cm = COMP_rle();
632 if (cm != NULL)
633 {
634 if (cm->type != NID_undef)
635 {
636 if (SSL_COMP_add_compression_method(comp, cm) != 0)
637 {
638 fprintf(stderr,
639 "Failed to add compression method\n");
640 ERR_print_errors_fp(stderr);
641 }
642 }
643 else
644 {
645 fprintf(stderr,
646 "Warning: %s compression not supported\n",
647 (comp == COMP_RLE ? "rle" :
648 (comp == COMP_ZLIB ? "zlib" :
649 "unknown")));
650 ERR_print_errors_fp(stderr);
651 }
652 }
653 ssl_comp_methods = SSL_COMP_get_compression_methods();
654 fprintf(stderr, "Available compression methods:\n");
655 {
656 int j, n = sk_SSL_COMP_num(ssl_comp_methods);
657 if (n == 0)
658 fprintf(stderr, " NONE\n");
659 else
660 for (j = 0; j < n; j++)
661 {
662 SSL_COMP *c = sk_SSL_COMP_value(ssl_comp_methods, j);
663 fprintf(stderr, " %d: %s\n", c->id, c->name);
664 }
665 }
666
667 #if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
668 if (ssl2)
669 meth=SSLv2_method();
670 else
671 if (tls1)
672 meth=TLSv1_method();
673 else
674 if (ssl3)
675 meth=SSLv3_method();
676 else
677 meth=SSLv23_method();
678 #else
679 #ifdef OPENSSL_NO_SSL2
680 meth=SSLv3_method();
681 #else
682 meth=SSLv2_method();
683 #endif
684 #endif
685
686 c_ctx=SSL_CTX_new(meth);
687 s_ctx=SSL_CTX_new(meth);
688 if ((c_ctx == NULL) || (s_ctx == NULL))
689 {
690 ERR_print_errors(bio_err);
691 goto end;
692 }
693
694 if (cipher != NULL)
695 {
696 SSL_CTX_set_cipher_list(c_ctx,cipher);
697 SSL_CTX_set_cipher_list(s_ctx,cipher);
698 }
699
700 #ifndef OPENSSL_NO_DH
701 if (!no_dhe)
702 {
703 if (dhe1024dsa)
704 {
705 /* use SSL_OP_SINGLE_DH_USE to avoid small subgroup attacks */
706 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);
707 dh=get_dh1024dsa();
708 }
709 else if (dhe1024)
710 dh=get_dh1024();
711 else
712 dh=get_dh512();
713 SSL_CTX_set_tmp_dh(s_ctx,dh);
714 DH_free(dh);
715 }
716 #else
717 (void)no_dhe;
718 #endif
719
720 #ifndef OPENSSL_NO_ECDH
721 if (!no_ecdhe)
722 {
723 ecdh = EC_KEY_new();
724 if (ecdh != NULL)
725 {
726 if (named_curve)
727 {
728 int nid = OBJ_sn2nid(named_curve);
729
730 if (nid == 0)
731 {
732 BIO_printf(bio_err, "unknown curve name (%s)\n", named_curve);
733 EC_KEY_free(ecdh);
734 goto end;
735 }
736
737 ecdh->group = EC_GROUP_new_by_nid(nid);
738 if (ecdh->group == NULL)
739 {
740 BIO_printf(bio_err, "unable to create curve (%s)\n", named_curve);
741 EC_KEY_free(ecdh);
742 goto end;
743 }
744 }
745
746 if (ecdh->group == NULL)
747 ecdh->group=EC_GROUP_new_by_nid(NID_sect163r2);
748
749 SSL_CTX_set_tmp_ecdh(s_ctx, ecdh);
750 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_ECDH_USE);
751 EC_KEY_free(ecdh);
752 }
753 }
754 #else
755 (void)no_ecdhe;
756 #endif
757
758 #ifndef OPENSSL_NO_RSA
759 SSL_CTX_set_tmp_rsa_callback(s_ctx,tmp_rsa_cb);
760 #endif
761
762 if (!SSL_CTX_use_certificate_file(s_ctx,server_cert,SSL_FILETYPE_PEM))
763 {
764 ERR_print_errors(bio_err);
765 }
766 else if (!SSL_CTX_use_PrivateKey_file(s_ctx,
767 (server_key?server_key:server_cert), SSL_FILETYPE_PEM))
768 {
769 ERR_print_errors(bio_err);
770 goto end;
771 }
772
773 if (client_auth)
774 {
775 SSL_CTX_use_certificate_file(c_ctx,client_cert,
776 SSL_FILETYPE_PEM);
777 SSL_CTX_use_PrivateKey_file(c_ctx,
778 (client_key?client_key:client_cert),
779 SSL_FILETYPE_PEM);
780 }
781
782 if ( (!SSL_CTX_load_verify_locations(s_ctx,CAfile,CApath)) ||
783 (!SSL_CTX_set_default_verify_paths(s_ctx)) ||
784 (!SSL_CTX_load_verify_locations(c_ctx,CAfile,CApath)) ||
785 (!SSL_CTX_set_default_verify_paths(c_ctx)))
786 {
787 /* fprintf(stderr,"SSL_load_verify_locations\n"); */
788 ERR_print_errors(bio_err);
789 /* goto end; */
790 }
791
792 if (client_auth)
793 {
794 BIO_printf(bio_err,"client authentication\n");
795 SSL_CTX_set_verify(s_ctx,
796 SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
797 verify_callback);
798 SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, &app_verify_arg);
799 }
800 if (server_auth)
801 {
802 BIO_printf(bio_err,"server authentication\n");
803 SSL_CTX_set_verify(c_ctx,SSL_VERIFY_PEER,
804 verify_callback);
805 SSL_CTX_set_cert_verify_callback(c_ctx, app_verify_callback, &app_verify_arg);
806 }
807
808 {
809 int session_id_context = 0;
810 SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context, sizeof session_id_context);
811 }
812
813 c_ssl=SSL_new(c_ctx);
814 s_ssl=SSL_new(s_ctx);
815
816 #ifndef OPENSSL_NO_KRB5
817 if (c_ssl && c_ssl->kssl_ctx)
818 {
819 char localhost[MAXHOSTNAMELEN+2];
820
821 if (gethostname(localhost, sizeof localhost-1) == 0)
822 {
823 localhost[sizeof localhost-1]='\0';
824 if(strlen(localhost) == sizeof localhost-1)
825 {
826 BIO_printf(bio_err,"localhost name too long\n");
827 goto end;
828 }
829 kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER,
830 localhost);
831 }
832 }
833 #endif /* OPENSSL_NO_KRB5 */
834
835 for (i=0; i<number; i++)
836 {
837 if (!reuse) SSL_set_session(c_ssl,NULL);
838 if (bio_pair)
839 ret=doit_biopair(s_ssl,c_ssl,bytes,&s_time,&c_time);
840 else
841 ret=doit(s_ssl,c_ssl,bytes);
842 }
843
844 if (!verbose)
845 {
846 print_details(c_ssl, "");
847 }
848 if ((number > 1) || (bytes > 1L))
849 BIO_printf(bio_stdout, "%d handshakes of %ld bytes done\n",number,bytes);
850 if (print_time)
851 {
852 #ifdef CLOCKS_PER_SEC
853 /* "To determine the time in seconds, the value returned
854 * by the clock function should be divided by the value
855 * of the macro CLOCKS_PER_SEC."
856 * -- ISO/IEC 9899 */
857 BIO_printf(bio_stdout, "Approximate total server time: %6.2f s\n"
858 "Approximate total client time: %6.2f s\n",
859 (double)s_time/CLOCKS_PER_SEC,
860 (double)c_time/CLOCKS_PER_SEC);
861 #else
862 /* "`CLOCKS_PER_SEC' undeclared (first use this function)"
863 * -- cc on NeXTstep/OpenStep */
864 BIO_printf(bio_stdout,
865 "Approximate total server time: %6.2f units\n"
866 "Approximate total client time: %6.2f units\n",
867 (double)s_time,
868 (double)c_time);
869 #endif
870 }
871
872 SSL_free(s_ssl);
873 SSL_free(c_ssl);
874
875 end:
876 if (s_ctx != NULL) SSL_CTX_free(s_ctx);
877 if (c_ctx != NULL) SSL_CTX_free(c_ctx);
878
879 if (bio_stdout != NULL) BIO_free(bio_stdout);
880
881 #ifndef OPENSSL_NO_RSA
882 free_tmp_rsa();
883 #endif
884 #ifndef OPENSSL_NO_ENGINE
885 ENGINE_cleanup();
886 #endif
887 CRYPTO_cleanup_all_ex_data();
888 ERR_free_strings();
889 ERR_remove_state(0);
890 EVP_cleanup();
891 CRYPTO_mem_leaks(bio_err);
892 if (bio_err != NULL) BIO_free(bio_err);
893 EXIT(ret);
894 }
895
896 int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count,
897 clock_t *s_time, clock_t *c_time)
898 {
899 long cw_num = count, cr_num = count, sw_num = count, sr_num = count;
900 BIO *s_ssl_bio = NULL, *c_ssl_bio = NULL;
901 BIO *server = NULL, *server_io = NULL, *client = NULL, *client_io = NULL;
902 int ret = 1;
903
904 size_t bufsiz = 256; /* small buffer for testing */
905
906 if (!BIO_new_bio_pair(&server, bufsiz, &server_io, bufsiz))
907 goto err;
908 if (!BIO_new_bio_pair(&client, bufsiz, &client_io, bufsiz))
909 goto err;
910
911 s_ssl_bio = BIO_new(BIO_f_ssl());
912 if (!s_ssl_bio)
913 goto err;
914
915 c_ssl_bio = BIO_new(BIO_f_ssl());
916 if (!c_ssl_bio)
917 goto err;
918
919 SSL_set_connect_state(c_ssl);
920 SSL_set_bio(c_ssl, client, client);
921 (void)BIO_set_ssl(c_ssl_bio, c_ssl, BIO_NOCLOSE);
922
923 SSL_set_accept_state(s_ssl);
924 SSL_set_bio(s_ssl, server, server);
925 (void)BIO_set_ssl(s_ssl_bio, s_ssl, BIO_NOCLOSE);
926
927 do
928 {
929 /* c_ssl_bio: SSL filter BIO
930 *
931 * client: pseudo-I/O for SSL library
932 *
933 * client_io: client's SSL communication; usually to be
934 * relayed over some I/O facility, but in this
935 * test program, we're the server, too:
936 *
937 * server_io: server's SSL communication
938 *
939 * server: pseudo-I/O for SSL library
940 *
941 * s_ssl_bio: SSL filter BIO
942 *
943 * The client and the server each employ a "BIO pair":
944 * client + client_io, server + server_io.
945 * BIO pairs are symmetric. A BIO pair behaves similar
946 * to a non-blocking socketpair (but both endpoints must
947 * be handled by the same thread).
948 * [Here we could connect client and server to the ends
949 * of a single BIO pair, but then this code would be less
950 * suitable as an example for BIO pairs in general.]
951 *
952 * Useful functions for querying the state of BIO pair endpoints:
953 *
954 * BIO_ctrl_pending(bio) number of bytes we can read now
955 * BIO_ctrl_get_read_request(bio) number of bytes needed to fulfil
956 * other side's read attempt
957 * BIO_ctrl_get_write_guarantee(bio) number of bytes we can write now
958 *
959 * ..._read_request is never more than ..._write_guarantee;
960 * it depends on the application which one you should use.
961 */
962
963 /* We have non-blocking behaviour throughout this test program, but
964 * can be sure that there is *some* progress in each iteration; so
965 * we don't have to worry about ..._SHOULD_READ or ..._SHOULD_WRITE
966 * -- we just try everything in each iteration
967 */
968
969 {
970 /* CLIENT */
971
972 MS_STATIC char cbuf[1024*8];
973 int i, r;
974 clock_t c_clock = clock();
975
976 memset(cbuf, 0, sizeof(cbuf));
977
978 if (debug)
979 if (SSL_in_init(c_ssl))
980 printf("client waiting in SSL_connect - %s\n",
981 SSL_state_string_long(c_ssl));
982
983 if (cw_num > 0)
984 {
985 /* Write to server. */
986
987 if (cw_num > (long)sizeof cbuf)
988 i = sizeof cbuf;
989 else
990 i = (int)cw_num;
991 r = BIO_write(c_ssl_bio, cbuf, i);
992 if (r < 0)
993 {
994 if (!BIO_should_retry(c_ssl_bio))
995 {
996 fprintf(stderr,"ERROR in CLIENT\n");
997 goto err;
998 }
999 /* BIO_should_retry(...) can just be ignored here.
1000 * The library expects us to call BIO_write with
1001 * the same arguments again, and that's what we will
1002 * do in the next iteration. */
1003 }
1004 else if (r == 0)
1005 {
1006 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1007 goto err;
1008 }
1009 else
1010 {
1011 if (debug)
1012 printf("client wrote %d\n", r);
1013 cw_num -= r;
1014 }
1015 }
1016
1017 if (cr_num > 0)
1018 {
1019 /* Read from server. */
1020
1021 r = BIO_read(c_ssl_bio, cbuf, sizeof(cbuf));
1022 if (r < 0)
1023 {
1024 if (!BIO_should_retry(c_ssl_bio))
1025 {
1026 fprintf(stderr,"ERROR in CLIENT\n");
1027 goto err;
1028 }
1029 /* Again, "BIO_should_retry" can be ignored. */
1030 }
1031 else if (r == 0)
1032 {
1033 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1034 goto err;
1035 }
1036 else
1037 {
1038 if (debug)
1039 printf("client read %d\n", r);
1040 cr_num -= r;
1041 }
1042 }
1043
1044 /* c_time and s_time increments will typically be very small
1045 * (depending on machine speed and clock tick intervals),
1046 * but sampling over a large number of connections should
1047 * result in fairly accurate figures. We cannot guarantee
1048 * a lot, however -- if each connection lasts for exactly
1049 * one clock tick, it will be counted only for the client
1050 * or only for the server or even not at all.
1051 */
1052 *c_time += (clock() - c_clock);
1053 }
1054
1055 {
1056 /* SERVER */
1057
1058 MS_STATIC char sbuf[1024*8];
1059 int i, r;
1060 clock_t s_clock = clock();
1061
1062 memset(sbuf, 0, sizeof(sbuf));
1063
1064 if (debug)
1065 if (SSL_in_init(s_ssl))
1066 printf("server waiting in SSL_accept - %s\n",
1067 SSL_state_string_long(s_ssl));
1068
1069 if (sw_num > 0)
1070 {
1071 /* Write to client. */
1072
1073 if (sw_num > (long)sizeof sbuf)
1074 i = sizeof sbuf;
1075 else
1076 i = (int)sw_num;
1077 r = BIO_write(s_ssl_bio, sbuf, i);
1078 if (r < 0)
1079 {
1080 if (!BIO_should_retry(s_ssl_bio))
1081 {
1082 fprintf(stderr,"ERROR in SERVER\n");
1083 goto err;
1084 }
1085 /* Ignore "BIO_should_retry". */
1086 }
1087 else if (r == 0)
1088 {
1089 fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
1090 goto err;
1091 }
1092 else
1093 {
1094 if (debug)
1095 printf("server wrote %d\n", r);
1096 sw_num -= r;
1097 }
1098 }
1099
1100 if (sr_num > 0)
1101 {
1102 /* Read from client. */
1103
1104 r = BIO_read(s_ssl_bio, sbuf, sizeof(sbuf));
1105 if (r < 0)
1106 {
1107 if (!BIO_should_retry(s_ssl_bio))
1108 {
1109 fprintf(stderr,"ERROR in SERVER\n");
1110 goto err;
1111 }
1112 /* blah, blah */
1113 }
1114 else if (r == 0)
1115 {
1116 fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
1117 goto err;
1118 }
1119 else
1120 {
1121 if (debug)
1122 printf("server read %d\n", r);
1123 sr_num -= r;
1124 }
1125 }
1126
1127 *s_time += (clock() - s_clock);
1128 }
1129
1130 {
1131 /* "I/O" BETWEEN CLIENT AND SERVER. */
1132
1133 size_t r1, r2;
1134 BIO *io1 = server_io, *io2 = client_io;
1135 /* we use the non-copying interface for io1
1136 * and the standard BIO_write/BIO_read interface for io2
1137 */
1138
1139 static int prev_progress = 1;
1140 int progress = 0;
1141
1142 /* io1 to io2 */
1143 do
1144 {
1145 size_t num;
1146 int r;
1147
1148 r1 = BIO_ctrl_pending(io1);
1149 r2 = BIO_ctrl_get_write_guarantee(io2);
1150
1151 num = r1;
1152 if (r2 < num)
1153 num = r2;
1154 if (num)
1155 {
1156 char *dataptr;
1157
1158 if (INT_MAX < num) /* yeah, right */
1159 num = INT_MAX;
1160
1161 r = BIO_nread(io1, &dataptr, (int)num);
1162 assert(r > 0);
1163 assert(r <= (int)num);
1164 /* possibly r < num (non-contiguous data) */
1165 num = r;
1166 r = BIO_write(io2, dataptr, (int)num);
1167 if (r != (int)num) /* can't happen */
1168 {
1169 fprintf(stderr, "ERROR: BIO_write could not write "
1170 "BIO_ctrl_get_write_guarantee() bytes");
1171 goto err;
1172 }
1173 progress = 1;
1174
1175 if (debug)
1176 printf((io1 == client_io) ?
1177 "C->S relaying: %d bytes\n" :
1178 "S->C relaying: %d bytes\n",
1179 (int)num);
1180 }
1181 }
1182 while (r1 && r2);
1183
1184 /* io2 to io1 */
1185 {
1186 size_t num;
1187 int r;
1188
1189 r1 = BIO_ctrl_pending(io2);
1190 r2 = BIO_ctrl_get_read_request(io1);
1191 /* here we could use ..._get_write_guarantee instead of
1192 * ..._get_read_request, but by using the latter
1193 * we test restartability of the SSL implementation
1194 * more thoroughly */
1195 num = r1;
1196 if (r2 < num)
1197 num = r2;
1198 if (num)
1199 {
1200 char *dataptr;
1201
1202 if (INT_MAX < num)
1203 num = INT_MAX;
1204
1205 if (num > 1)
1206 --num; /* test restartability even more thoroughly */
1207
1208 r = BIO_nwrite0(io1, &dataptr);
1209 assert(r > 0);
1210 if (r < (int)num)
1211 num = r;
1212 r = BIO_read(io2, dataptr, (int)num);
1213 if (r != (int)num) /* can't happen */
1214 {
1215 fprintf(stderr, "ERROR: BIO_read could not read "
1216 "BIO_ctrl_pending() bytes");
1217 goto err;
1218 }
1219 progress = 1;
1220 r = BIO_nwrite(io1, &dataptr, (int)num);
1221 if (r != (int)num) /* can't happen */
1222 {
1223 fprintf(stderr, "ERROR: BIO_nwrite() did not accept "
1224 "BIO_nwrite0() bytes");
1225 goto err;
1226 }
1227
1228 if (debug)
1229 printf((io2 == client_io) ?
1230 "C->S relaying: %d bytes\n" :
1231 "S->C relaying: %d bytes\n",
1232 (int)num);
1233 }
1234 } /* no loop, BIO_ctrl_get_read_request now returns 0 anyway */
1235
1236 if (!progress && !prev_progress)
1237 if (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0)
1238 {
1239 fprintf(stderr, "ERROR: got stuck\n");
1240 if (strcmp("SSLv2", SSL_get_version(c_ssl)) == 0)
1241 {
1242 fprintf(stderr, "This can happen for SSL2 because "
1243 "CLIENT-FINISHED and SERVER-VERIFY are written \n"
1244 "concurrently ...");
1245 if (strncmp("2SCF", SSL_state_string(c_ssl), 4) == 0
1246 && strncmp("2SSV", SSL_state_string(s_ssl), 4) == 0)
1247 {
1248 fprintf(stderr, " ok.\n");
1249 goto end;
1250 }
1251 }
1252 fprintf(stderr, " ERROR.\n");
1253 goto err;
1254 }
1255 prev_progress = progress;
1256 }
1257 }
1258 while (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0);
1259
1260 if (verbose)
1261 print_details(c_ssl, "DONE via BIO pair: ");
1262 end:
1263 ret = 0;
1264
1265 err:
1266 ERR_print_errors(bio_err);
1267
1268 if (server)
1269 BIO_free(server);
1270 if (server_io)
1271 BIO_free(server_io);
1272 if (client)
1273 BIO_free(client);
1274 if (client_io)
1275 BIO_free(client_io);
1276 if (s_ssl_bio)
1277 BIO_free(s_ssl_bio);
1278 if (c_ssl_bio)
1279 BIO_free(c_ssl_bio);
1280
1281 return ret;
1282 }
1283
1284
1285 #define W_READ 1
1286 #define W_WRITE 2
1287 #define C_DONE 1
1288 #define S_DONE 2
1289
1290 int doit(SSL *s_ssl, SSL *c_ssl, long count)
1291 {
1292 MS_STATIC char cbuf[1024*8],sbuf[1024*8];
1293 long cw_num=count,cr_num=count;
1294 long sw_num=count,sr_num=count;
1295 int ret=1;
1296 BIO *c_to_s=NULL;
1297 BIO *s_to_c=NULL;
1298 BIO *c_bio=NULL;
1299 BIO *s_bio=NULL;
1300 int c_r,c_w,s_r,s_w;
1301 int c_want,s_want;
1302 int i,j;
1303 int done=0;
1304 int c_write,s_write;
1305 int do_server=0,do_client=0;
1306
1307 memset(cbuf,0,sizeof(cbuf));
1308 memset(sbuf,0,sizeof(sbuf));
1309
1310 c_to_s=BIO_new(BIO_s_mem());
1311 s_to_c=BIO_new(BIO_s_mem());
1312 if ((s_to_c == NULL) || (c_to_s == NULL))
1313 {
1314 ERR_print_errors(bio_err);
1315 goto err;
1316 }
1317
1318 c_bio=BIO_new(BIO_f_ssl());
1319 s_bio=BIO_new(BIO_f_ssl());
1320 if ((c_bio == NULL) || (s_bio == NULL))
1321 {
1322 ERR_print_errors(bio_err);
1323 goto err;
1324 }
1325
1326 SSL_set_connect_state(c_ssl);
1327 SSL_set_bio(c_ssl,s_to_c,c_to_s);
1328 BIO_set_ssl(c_bio,c_ssl,BIO_NOCLOSE);
1329
1330 SSL_set_accept_state(s_ssl);
1331 SSL_set_bio(s_ssl,c_to_s,s_to_c);
1332 BIO_set_ssl(s_bio,s_ssl,BIO_NOCLOSE);
1333
1334 c_r=0; s_r=1;
1335 c_w=1; s_w=0;
1336 c_want=W_WRITE;
1337 s_want=0;
1338 c_write=1,s_write=0;
1339
1340 /* We can always do writes */
1341 for (;;)
1342 {
1343 do_server=0;
1344 do_client=0;
1345
1346 i=(int)BIO_pending(s_bio);
1347 if ((i && s_r) || s_w) do_server=1;
1348
1349 i=(int)BIO_pending(c_bio);
1350 if ((i && c_r) || c_w) do_client=1;
1351
1352 if (do_server && debug)
1353 {
1354 if (SSL_in_init(s_ssl))
1355 printf("server waiting in SSL_accept - %s\n",
1356 SSL_state_string_long(s_ssl));
1357 /* else if (s_write)
1358 printf("server:SSL_write()\n");
1359 else
1360 printf("server:SSL_read()\n"); */
1361 }
1362
1363 if (do_client && debug)
1364 {
1365 if (SSL_in_init(c_ssl))
1366 printf("client waiting in SSL_connect - %s\n",
1367 SSL_state_string_long(c_ssl));
1368 /* else if (c_write)
1369 printf("client:SSL_write()\n");
1370 else
1371 printf("client:SSL_read()\n"); */
1372 }
1373
1374 if (!do_client && !do_server)
1375 {
1376 fprintf(stdout,"ERROR IN STARTUP\n");
1377 ERR_print_errors(bio_err);
1378 break;
1379 }
1380 if (do_client && !(done & C_DONE))
1381 {
1382 if (c_write)
1383 {
1384 j = (cw_num > (long)sizeof(cbuf)) ?
1385 (int)sizeof(cbuf) : (int)cw_num;
1386 i=BIO_write(c_bio,cbuf,j);
1387 if (i < 0)
1388 {
1389 c_r=0;
1390 c_w=0;
1391 if (BIO_should_retry(c_bio))
1392 {
1393 if (BIO_should_read(c_bio))
1394 c_r=1;
1395 if (BIO_should_write(c_bio))
1396 c_w=1;
1397 }
1398 else
1399 {
1400 fprintf(stderr,"ERROR in CLIENT\n");
1401 ERR_print_errors(bio_err);
1402 goto err;
1403 }
1404 }
1405 else if (i == 0)
1406 {
1407 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1408 goto err;
1409 }
1410 else
1411 {
1412 if (debug)
1413 printf("client wrote %d\n",i);
1414 /* ok */
1415 s_r=1;
1416 c_write=0;
1417 cw_num-=i;
1418 }
1419 }
1420 else
1421 {
1422 i=BIO_read(c_bio,cbuf,sizeof(cbuf));
1423 if (i < 0)
1424 {
1425 c_r=0;
1426 c_w=0;
1427 if (BIO_should_retry(c_bio))
1428 {
1429 if (BIO_should_read(c_bio))
1430 c_r=1;
1431 if (BIO_should_write(c_bio))
1432 c_w=1;
1433 }
1434 else
1435 {
1436 fprintf(stderr,"ERROR in CLIENT\n");
1437 ERR_print_errors(bio_err);
1438 goto err;
1439 }
1440 }
1441 else if (i == 0)
1442 {
1443 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1444 goto err;
1445 }
1446 else
1447 {
1448 if (debug)
1449 printf("client read %d\n",i);
1450 cr_num-=i;
1451 if (sw_num > 0)
1452 {
1453 s_write=1;
1454 s_w=1;
1455 }
1456 if (cr_num <= 0)
1457 {
1458 s_write=1;
1459 s_w=1;
1460 done=S_DONE|C_DONE;
1461 }
1462 }
1463 }
1464 }
1465
1466 if (do_server && !(done & S_DONE))
1467 {
1468 if (!s_write)
1469 {
1470 i=BIO_read(s_bio,sbuf,sizeof(cbuf));
1471 if (i < 0)
1472 {
1473 s_r=0;
1474 s_w=0;
1475 if (BIO_should_retry(s_bio))
1476 {
1477 if (BIO_should_read(s_bio))
1478 s_r=1;
1479 if (BIO_should_write(s_bio))
1480 s_w=1;
1481 }
1482 else
1483 {
1484 fprintf(stderr,"ERROR in SERVER\n");
1485 ERR_print_errors(bio_err);
1486 goto err;
1487 }
1488 }
1489 else if (i == 0)
1490 {
1491 ERR_print_errors(bio_err);
1492 fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_read\n");
1493 goto err;
1494 }
1495 else
1496 {
1497 if (debug)
1498 printf("server read %d\n",i);
1499 sr_num-=i;
1500 if (cw_num > 0)
1501 {
1502 c_write=1;
1503 c_w=1;
1504 }
1505 if (sr_num <= 0)
1506 {
1507 s_write=1;
1508 s_w=1;
1509 c_write=0;
1510 }
1511 }
1512 }
1513 else
1514 {
1515 j = (sw_num > (long)sizeof(sbuf)) ?
1516 (int)sizeof(sbuf) : (int)sw_num;
1517 i=BIO_write(s_bio,sbuf,j);
1518 if (i < 0)
1519 {
1520 s_r=0;
1521 s_w=0;
1522 if (BIO_should_retry(s_bio))
1523 {
1524 if (BIO_should_read(s_bio))
1525 s_r=1;
1526 if (BIO_should_write(s_bio))
1527 s_w=1;
1528 }
1529 else
1530 {
1531 fprintf(stderr,"ERROR in SERVER\n");
1532 ERR_print_errors(bio_err);
1533 goto err;
1534 }
1535 }
1536 else if (i == 0)
1537 {
1538 ERR_print_errors(bio_err);
1539 fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_write\n");
1540 goto err;
1541 }
1542 else
1543 {
1544 if (debug)
1545 printf("server wrote %d\n",i);
1546 sw_num-=i;
1547 s_write=0;
1548 c_r=1;
1549 if (sw_num <= 0)
1550 done|=S_DONE;
1551 }
1552 }
1553 }
1554
1555 if ((done & S_DONE) && (done & C_DONE)) break;
1556 }
1557
1558 if (verbose)
1559 print_details(c_ssl, "DONE: ");
1560 ret=0;
1561 err:
1562 /* We have to set the BIO's to NULL otherwise they will be
1563 * OPENSSL_free()ed twice. Once when th s_ssl is SSL_free()ed and
1564 * again when c_ssl is SSL_free()ed.
1565 * This is a hack required because s_ssl and c_ssl are sharing the same
1566 * BIO structure and SSL_set_bio() and SSL_free() automatically
1567 * BIO_free non NULL entries.
1568 * You should not normally do this or be required to do this */
1569 if (s_ssl != NULL)
1570 {
1571 s_ssl->rbio=NULL;
1572 s_ssl->wbio=NULL;
1573 }
1574 if (c_ssl != NULL)
1575 {
1576 c_ssl->rbio=NULL;
1577 c_ssl->wbio=NULL;
1578 }
1579
1580 if (c_to_s != NULL) BIO_free(c_to_s);
1581 if (s_to_c != NULL) BIO_free(s_to_c);
1582 if (c_bio != NULL) BIO_free_all(c_bio);
1583 if (s_bio != NULL) BIO_free_all(s_bio);
1584 return(ret);
1585 }
1586
1587 static int get_proxy_auth_ex_data_idx(void)
1588 {
1589 static volatile int idx = -1;
1590 if (idx < 0)
1591 {
1592 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
1593 if (idx < 0)
1594 {
1595 idx = X509_STORE_CTX_get_ex_new_index(0,
1596 "SSLtest for verify callback", NULL,NULL,NULL);
1597 }
1598 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
1599 }
1600 return idx;
1601 }
1602
1603 static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
1604 {
1605 char *s,buf[256];
1606
1607 s=X509_NAME_oneline(X509_get_subject_name(ctx->current_cert),buf,
1608 sizeof buf);
1609 if (s != NULL)
1610 {
1611 if (ok)
1612 fprintf(stderr,"depth=%d %s\n",
1613 ctx->error_depth,buf);
1614 else
1615 {
1616 fprintf(stderr,"depth=%d error=%d %s\n",
1617 ctx->error_depth,ctx->error,buf);
1618 }
1619 }
1620
1621 if (ok == 0)
1622 {
1623 fprintf(stderr,"Error string: %s\n",
1624 X509_verify_cert_error_string(ctx->error));
1625 switch (ctx->error)
1626 {
1627 case X509_V_ERR_CERT_NOT_YET_VALID:
1628 case X509_V_ERR_CERT_HAS_EXPIRED:
1629 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
1630 fprintf(stderr," ... ignored.\n");
1631 ok=1;
1632 }
1633 }
1634
1635 if (ok == 1)
1636 {
1637 X509 *xs = ctx->current_cert;
1638 #if 0
1639 X509 *xi = ctx->current_issuer;
1640 #endif
1641
1642 if (xs->ex_flags & EXFLAG_PROXY)
1643 {
1644 unsigned int *letters =
1645 X509_STORE_CTX_get_ex_data(ctx,
1646 get_proxy_auth_ex_data_idx());
1647
1648 if (letters)
1649 {
1650 int found_any = 0;
1651 int i;
1652 PROXY_CERT_INFO_EXTENSION *pci =
1653 X509_get_ext_d2i(xs, NID_proxyCertInfo,
1654 NULL, NULL);
1655
1656 switch (OBJ_obj2nid(pci->proxyPolicy->policyLanguage))
1657 {
1658 case NID_Independent:
1659 /* Completely meaningless in this
1660 program, as there's no way to
1661 grant explicit rights to a
1662 specific PrC. Basically, using
1663 id-ppl-Independent is the perfect
1664 way to grant no rights at all. */
1665 fprintf(stderr, " Independent proxy certificate");
1666 for (i = 0; i < 26; i++)
1667 letters[i] = 0;
1668 break;
1669 case NID_id_ppl_inheritAll:
1670 /* This is basically a NOP, we
1671 simply let the current rights
1672 stand as they are. */
1673 fprintf(stderr, " Proxy certificate inherits all");
1674 break;
1675 default:
1676 s = (char *)
1677 pci->proxyPolicy->policy->data;
1678 i = pci->proxyPolicy->policy->length;
1679
1680 /* The algorithm works as follows:
1681 it is assumed that previous
1682 iterations or the initial granted
1683 rights has already set some elements
1684 of `letters'. What we need to do is
1685 to clear those that weren't granted
1686 by the current PrC as well. The
1687 easiest way to do this is to add 1
1688 to all the elements whose letters
1689 are given with the current policy.
1690 That way, all elements that are set
1691 by the current policy and were
1692 already set by earlier policies and
1693 through the original grant of rights
1694 will get the value 2 or higher.
1695 The last thing to do is to sweep
1696 through `letters' and keep the
1697 elements having the value 2 as set,
1698 and clear all the others. */
1699
1700 fprintf(stderr, " Certificate proxy rights = %*.*s", i, i, s);
1701 while(i-- > 0)
1702 {
1703 char c = *s++;
1704 if (isascii(c) && isalpha(c))
1705 {
1706 if (islower(c))
1707 c = toupper(c);
1708 letters[c - 'A']++;
1709 }
1710 }
1711 for (i = 0; i < 26; i++)
1712 if (letters[i] < 2)
1713 letters[i] = 0;
1714 else
1715 letters[i] = 1;
1716 }
1717
1718 found_any = 0;
1719 fprintf(stderr,
1720 ", resulting proxy rights = ");
1721 for(i = 0; i < 26; i++)
1722 if (letters[i])
1723 {
1724 fprintf(stderr, "%c", i + 'A');
1725 found_any = 1;
1726 }
1727 if (!found_any)
1728 fprintf(stderr, "none");
1729 fprintf(stderr, "\n");
1730
1731 PROXY_CERT_INFO_EXTENSION_free(pci);
1732 }
1733 }
1734 }
1735
1736 return(ok);
1737 }
1738
1739 static void process_proxy_debug(int indent, const char *format, ...)
1740 {
1741 static const char indentation[] =
1742 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
1743 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"; /* That's 80 > */
1744 char my_format[256];
1745 va_list args;
1746
1747 BIO_snprintf(my_format, sizeof(my_format), "%*.*s %s",
1748 indent, indent, indentation, format);
1749
1750 va_start(args, format);
1751 vfprintf(stderr, my_format, args);
1752 va_end(args);
1753 }
1754 /* Priority levels:
1755 0 [!]var, ()
1756 1 & ^
1757 2 |
1758 */
1759 static int process_proxy_cond_adders(unsigned int letters[26],
1760 const char *cond, const char **cond_end, int *pos, int indent);
1761 static int process_proxy_cond_val(unsigned int letters[26],
1762 const char *cond, const char **cond_end, int *pos, int indent)
1763 {
1764 char c;
1765 int ok = 1;
1766 int negate = 0;
1767
1768 while(isspace(*cond))
1769 {
1770 cond++; (*pos)++;
1771 }
1772 c = *cond;
1773
1774 if (debug)
1775 process_proxy_debug(indent,
1776 "Start process_proxy_cond_val at position %d: %s\n",
1777 *pos, cond);
1778
1779 while(c == '!')
1780 {
1781 negate = !negate;
1782 cond++; (*pos)++;
1783 while(isspace(*cond))
1784 {
1785 cond++; (*pos)++;
1786 }
1787 c = *cond;
1788 }
1789
1790 if (c == '(')
1791 {
1792 cond++; (*pos)++;
1793 ok = process_proxy_cond_adders(letters, cond, cond_end, pos,
1794 indent + 1);
1795 cond = *cond_end;
1796 if (ok < 0)
1797 goto end;
1798 while(isspace(*cond))
1799 {
1800 cond++; (*pos)++;
1801 }
1802 c = *cond;
1803 if (c != ')')
1804 {
1805 fprintf(stderr,
1806 "Weird condition character in position %d: "
1807 "%c\n", *pos, c);
1808 ok = -1;
1809 goto end;
1810 }
1811 cond++; (*pos)++;
1812 }
1813 else if (isascii(c) && isalpha(c))
1814 {
1815 if (islower(c))
1816 c = toupper(c);
1817 ok = letters[c - 'A'];
1818 cond++; (*pos)++;
1819 }
1820 else
1821 {
1822 fprintf(stderr,
1823 "Weird condition character in position %d: "
1824 "%c\n", *pos, c);
1825 ok = -1;
1826 goto end;
1827 }
1828 end:
1829 *cond_end = cond;
1830 if (ok >= 0 && negate)
1831 ok = !ok;
1832
1833 if (debug)
1834 process_proxy_debug(indent,
1835 "End process_proxy_cond_val at position %d: %s, returning %d\n",
1836 *pos, cond, ok);
1837
1838 return ok;
1839 }
1840 static int process_proxy_cond_multipliers(unsigned int letters[26],
1841 const char *cond, const char **cond_end, int *pos, int indent)
1842 {
1843 int ok;
1844 char c;
1845
1846 if (debug)
1847 process_proxy_debug(indent,
1848 "Start process_proxy_cond_multipliers at position %d: %s\n",
1849 *pos, cond);
1850
1851 ok = process_proxy_cond_val(letters, cond, cond_end, pos, indent + 1);
1852 cond = *cond_end;
1853 if (ok < 0)
1854 goto end;
1855
1856 while(ok >= 0)
1857 {
1858 while(isspace(*cond))
1859 {
1860 cond++; (*pos)++;
1861 }
1862 c = *cond;
1863
1864 switch(c)
1865 {
1866 case '&':
1867 case '^':
1868 {
1869 int save_ok = ok;
1870
1871 cond++; (*pos)++;
1872 ok = process_proxy_cond_val(letters,
1873 cond, cond_end, pos, indent + 1);
1874 cond = *cond_end;
1875 if (ok < 0)
1876 break;
1877
1878 switch(c)
1879 {
1880 case '&':
1881 ok &= save_ok;
1882 break;
1883 case '^':
1884 ok ^= save_ok;
1885 break;
1886 default:
1887 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
1888 " STOPPING\n");
1889 EXIT(1);
1890 }
1891 }
1892 break;
1893 default:
1894 goto end;
1895 }
1896 }
1897 end:
1898 if (debug)
1899 process_proxy_debug(indent,
1900 "End process_proxy_cond_multipliers at position %d: %s, returning %d\n",
1901 *pos, cond, ok);
1902
1903 *cond_end = cond;
1904 return ok;
1905 }
1906 static int process_proxy_cond_adders(unsigned int letters[26],
1907 const char *cond, const char **cond_end, int *pos, int indent)
1908 {
1909 int ok;
1910 char c;
1911
1912 if (debug)
1913 process_proxy_debug(indent,
1914 "Start process_proxy_cond_adders at position %d: %s\n",
1915 *pos, cond);
1916
1917 ok = process_proxy_cond_multipliers(letters, cond, cond_end, pos,
1918 indent + 1);
1919 cond = *cond_end;
1920 if (ok < 0)
1921 goto end;
1922
1923 while(ok >= 0)
1924 {
1925 while(isspace(*cond))
1926 {
1927 cond++; (*pos)++;
1928 }
1929 c = *cond;
1930
1931 switch(c)
1932 {
1933 case '|':
1934 {
1935 int save_ok = ok;
1936
1937 cond++; (*pos)++;
1938 ok = process_proxy_cond_multipliers(letters,
1939 cond, cond_end, pos, indent + 1);
1940 cond = *cond_end;
1941 if (ok < 0)
1942 break;
1943
1944 switch(c)
1945 {
1946 case '|':
1947 ok |= save_ok;
1948 break;
1949 default:
1950 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
1951 " STOPPING\n");
1952 EXIT(1);
1953 }
1954 }
1955 break;
1956 default:
1957 goto end;
1958 }
1959 }
1960 end:
1961 if (debug)
1962 process_proxy_debug(indent,
1963 "End process_proxy_cond_adders at position %d: %s, returning %d\n",
1964 *pos, cond, ok);
1965
1966 *cond_end = cond;
1967 return ok;
1968 }
1969
1970 static int process_proxy_cond(unsigned int letters[26],
1971 const char *cond, const char **cond_end)
1972 {
1973 int pos = 1;
1974 return process_proxy_cond_adders(letters, cond, cond_end, &pos, 1);
1975 }
1976
1977 static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg)
1978 {
1979 int ok=1;
1980 struct app_verify_arg *cb_arg = arg;
1981 unsigned int letters[26]; /* only used with proxy_auth */
1982
1983 if (cb_arg->app_verify)
1984 {
1985 char *s = NULL,buf[256];
1986
1987 fprintf(stderr, "In app_verify_callback, allowing cert. ");
1988 fprintf(stderr, "Arg is: %s\n", cb_arg->string);
1989 fprintf(stderr, "Finished printing do we have a context? 0x%x a cert? 0x%x\n",
1990 (unsigned int)ctx, (unsigned int)ctx->cert);
1991 if (ctx->cert)
1992 s=X509_NAME_oneline(X509_get_subject_name(ctx->cert),buf,256);
1993 if (s != NULL)
1994 {
1995 fprintf(stderr,"cert depth=%d %s\n",ctx->error_depth,buf);
1996 }
1997 return(1);
1998 }
1999 if (cb_arg->proxy_auth)
2000 {
2001 int found_any = 0, i;
2002 char *sp;
2003
2004 for(i = 0; i < 26; i++)
2005 letters[i] = 0;
2006 for(sp = cb_arg->proxy_auth; *sp; sp++)
2007 {
2008 char c = *sp;
2009 if (isascii(c) && isalpha(c))
2010 {
2011 if (islower(c))
2012 c = toupper(c);
2013 letters[c - 'A'] = 1;
2014 }
2015 }
2016
2017 fprintf(stderr,
2018 " Initial proxy rights = ");
2019 for(i = 0; i < 26; i++)
2020 if (letters[i])
2021 {
2022 fprintf(stderr, "%c", i + 'A');
2023 found_any = 1;
2024 }
2025 if (!found_any)
2026 fprintf(stderr, "none");
2027 fprintf(stderr, "\n");
2028
2029 X509_STORE_CTX_set_ex_data(ctx,
2030 get_proxy_auth_ex_data_idx(),letters);
2031 }
2032 if (cb_arg->allow_proxy_certs)
2033 {
2034 X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
2035 }
2036
2037 #ifndef OPENSSL_NO_X509_VERIFY
2038 # ifdef OPENSSL_FIPS
2039 if(s->version == TLS1_VERSION)
2040 FIPS_allow_md5(1);
2041 # endif
2042 ok = X509_verify_cert(ctx);
2043 # ifdef OPENSSL_FIPS
2044 if(s->version == TLS1_VERSION)
2045 FIPS_allow_md5(0);
2046 # endif
2047 #endif
2048
2049 if (cb_arg->proxy_auth)
2050 {
2051 if (ok)
2052 {
2053 const char *cond_end = NULL;
2054
2055 ok = process_proxy_cond(letters,
2056 cb_arg->proxy_cond, &cond_end);
2057
2058 if (ok < 0)
2059 EXIT(3);
2060 if (*cond_end)
2061 {
2062 fprintf(stderr, "Stopped processing condition before it's end.\n");
2063 ok = 0;
2064 }
2065 if (!ok)
2066 fprintf(stderr, "Proxy rights check with condition '%s' proved invalid\n",
2067 cb_arg->proxy_cond);
2068 else
2069 fprintf(stderr, "Proxy rights check with condition '%s' proved valid\n",
2070 cb_arg->proxy_cond);
2071 }
2072 }
2073 return(ok);
2074 }
2075
2076 #ifndef OPENSSL_NO_RSA
2077 static RSA *rsa_tmp=NULL;
2078
2079 static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength)
2080 {
2081 BIGNUM *bn = NULL;
2082 if (rsa_tmp == NULL)
2083 {
2084 bn = BN_new();
2085 rsa_tmp = RSA_new();
2086 if(!bn || !rsa_tmp || !BN_set_word(bn, RSA_F4))
2087 {
2088 BIO_printf(bio_err, "Memory error...");
2089 goto end;
2090 }
2091 BIO_printf(bio_err,"Generating temp (%d bit) RSA key...",keylength);
2092 (void)BIO_flush(bio_err);
2093 if(!RSA_generate_key_ex(rsa_tmp,keylength,bn,NULL))
2094 {
2095 BIO_printf(bio_err, "Error generating key.");
2096 RSA_free(rsa_tmp);
2097 rsa_tmp = NULL;
2098 }
2099 end:
2100 BIO_printf(bio_err,"\n");
2101 (void)BIO_flush(bio_err);
2102 }
2103 if(bn) BN_free(bn);
2104 return(rsa_tmp);
2105 }
2106
2107 static void free_tmp_rsa(void)
2108 {
2109 if (rsa_tmp != NULL)
2110 {
2111 RSA_free(rsa_tmp);
2112 rsa_tmp = NULL;
2113 }
2114 }
2115 #endif
2116
2117 #ifndef OPENSSL_NO_DH
2118 /* These DH parameters have been generated as follows:
2119 * $ openssl dhparam -C -noout 512
2120 * $ openssl dhparam -C -noout 1024
2121 * $ openssl dhparam -C -noout -dsaparam 1024
2122 * (The third function has been renamed to avoid name conflicts.)
2123 */
2124 static DH *get_dh512()
2125 {
2126 static unsigned char dh512_p[]={
2127 0xCB,0xC8,0xE1,0x86,0xD0,0x1F,0x94,0x17,0xA6,0x99,0xF0,0xC6,
2128 0x1F,0x0D,0xAC,0xB6,0x25,0x3E,0x06,0x39,0xCA,0x72,0x04,0xB0,
2129 0x6E,0xDA,0xC0,0x61,0xE6,0x7A,0x77,0x25,0xE8,0x3B,0xB9,0x5F,
2130 0x9A,0xB6,0xB5,0xFE,0x99,0x0B,0xA1,0x93,0x4E,0x35,0x33,0xB8,
2131 0xE1,0xF1,0x13,0x4F,0x59,0x1A,0xD2,0x57,0xC0,0x26,0x21,0x33,
2132 0x02,0xC5,0xAE,0x23,
2133 };
2134 static unsigned char dh512_g[]={
2135 0x02,
2136 };
2137 DH *dh;
2138
2139 if ((dh=DH_new()) == NULL) return(NULL);
2140 dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
2141 dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
2142 if ((dh->p == NULL) || (dh->g == NULL))
2143 { DH_free(dh); return(NULL); }
2144 return(dh);
2145 }
2146
2147 static DH *get_dh1024()
2148 {
2149 static unsigned char dh1024_p[]={
2150 0xF8,0x81,0x89,0x7D,0x14,0x24,0xC5,0xD1,0xE6,0xF7,0xBF,0x3A,
2151 0xE4,0x90,0xF4,0xFC,0x73,0xFB,0x34,0xB5,0xFA,0x4C,0x56,0xA2,
2152 0xEA,0xA7,0xE9,0xC0,0xC0,0xCE,0x89,0xE1,0xFA,0x63,0x3F,0xB0,
2153 0x6B,0x32,0x66,0xF1,0xD1,0x7B,0xB0,0x00,0x8F,0xCA,0x87,0xC2,
2154 0xAE,0x98,0x89,0x26,0x17,0xC2,0x05,0xD2,0xEC,0x08,0xD0,0x8C,
2155 0xFF,0x17,0x52,0x8C,0xC5,0x07,0x93,0x03,0xB1,0xF6,0x2F,0xB8,
2156 0x1C,0x52,0x47,0x27,0x1B,0xDB,0xD1,0x8D,0x9D,0x69,0x1D,0x52,
2157 0x4B,0x32,0x81,0xAA,0x7F,0x00,0xC8,0xDC,0xE6,0xD9,0xCC,0xC1,
2158 0x11,0x2D,0x37,0x34,0x6C,0xEA,0x02,0x97,0x4B,0x0E,0xBB,0xB1,
2159 0x71,0x33,0x09,0x15,0xFD,0xDD,0x23,0x87,0x07,0x5E,0x89,0xAB,
2160 0x6B,0x7C,0x5F,0xEC,0xA6,0x24,0xDC,0x53,
2161 };
2162 static unsigned char dh1024_g[]={
2163 0x02,
2164 };
2165 DH *dh;
2166
2167 if ((dh=DH_new()) == NULL) return(NULL);
2168 dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
2169 dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
2170 if ((dh->p == NULL) || (dh->g == NULL))
2171 { DH_free(dh); return(NULL); }
2172 return(dh);
2173 }
2174
2175 static DH *get_dh1024dsa()
2176 {
2177 static unsigned char dh1024_p[]={
2178 0xC8,0x00,0xF7,0x08,0x07,0x89,0x4D,0x90,0x53,0xF3,0xD5,0x00,
2179 0x21,0x1B,0xF7,0x31,0xA6,0xA2,0xDA,0x23,0x9A,0xC7,0x87,0x19,
2180 0x3B,0x47,0xB6,0x8C,0x04,0x6F,0xFF,0xC6,0x9B,0xB8,0x65,0xD2,
2181 0xC2,0x5F,0x31,0x83,0x4A,0xA7,0x5F,0x2F,0x88,0x38,0xB6,0x55,
2182 0xCF,0xD9,0x87,0x6D,0x6F,0x9F,0xDA,0xAC,0xA6,0x48,0xAF,0xFC,
2183 0x33,0x84,0x37,0x5B,0x82,0x4A,0x31,0x5D,0xE7,0xBD,0x52,0x97,
2184 0xA1,0x77,0xBF,0x10,0x9E,0x37,0xEA,0x64,0xFA,0xCA,0x28,0x8D,
2185 0x9D,0x3B,0xD2,0x6E,0x09,0x5C,0x68,0xC7,0x45,0x90,0xFD,0xBB,
2186 0x70,0xC9,0x3A,0xBB,0xDF,0xD4,0x21,0x0F,0xC4,0x6A,0x3C,0xF6,
2187 0x61,0xCF,0x3F,0xD6,0x13,0xF1,0x5F,0xBC,0xCF,0xBC,0x26,0x9E,
2188 0xBC,0x0B,0xBD,0xAB,0x5D,0xC9,0x54,0x39,
2189 };
2190 static unsigned char dh1024_g[]={
2191 0x3B,0x40,0x86,0xE7,0xF3,0x6C,0xDE,0x67,0x1C,0xCC,0x80,0x05,
2192 0x5A,0xDF,0xFE,0xBD,0x20,0x27,0x74,0x6C,0x24,0xC9,0x03,0xF3,
2193 0xE1,0x8D,0xC3,0x7D,0x98,0x27,0x40,0x08,0xB8,0x8C,0x6A,0xE9,
2194 0xBB,0x1A,0x3A,0xD6,0x86,0x83,0x5E,0x72,0x41,0xCE,0x85,0x3C,
2195 0xD2,0xB3,0xFC,0x13,0xCE,0x37,0x81,0x9E,0x4C,0x1C,0x7B,0x65,
2196 0xD3,0xE6,0xA6,0x00,0xF5,0x5A,0x95,0x43,0x5E,0x81,0xCF,0x60,
2197 0xA2,0x23,0xFC,0x36,0xA7,0x5D,0x7A,0x4C,0x06,0x91,0x6E,0xF6,
2198 0x57,0xEE,0x36,0xCB,0x06,0xEA,0xF5,0x3D,0x95,0x49,0xCB,0xA7,
2199 0xDD,0x81,0xDF,0x80,0x09,0x4A,0x97,0x4D,0xA8,0x22,0x72,0xA1,
2200 0x7F,0xC4,0x70,0x56,0x70,0xE8,0x20,0x10,0x18,0x8F,0x2E,0x60,
2201 0x07,0xE7,0x68,0x1A,0x82,0x5D,0x32,0xA2,
2202 };
2203 DH *dh;
2204
2205 if ((dh=DH_new()) == NULL) return(NULL);
2206 dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
2207 dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
2208 if ((dh->p == NULL) || (dh->g == NULL))
2209 { DH_free(dh); return(NULL); }
2210 dh->length = 160;
2211 return(dh);
2212 }
2213 #endif
A mirror of the official openssl repository