]> git.ipfire.org Git - thirdparty/openssl.git/blob - test/ssltest_old.c
projects / thirdparty / openssl.git / blob
? search:
summary | shortlog | log | commit | commitdiff | tree
blame | history | raw | HEAD
Make many X509_xxx types opaque.
[thirdparty/openssl.git] / test / ssltest_old.c
1 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
2 * All rights reserved.
3 *
4 * This package is an SSL implementation written
5 * by Eric Young (eay@cryptsoft.com).
6 * The implementation was written so as to conform with Netscapes SSL.
7 *
8 * This library is free for commercial and non-commercial use as long as
9 * the following conditions are aheared to. The following conditions
10 * apply to all code found in this distribution, be it the RC4, RSA,
11 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
12 * included with this distribution is covered by the same copyright terms
13 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
14 *
15 * Copyright remains Eric Young's, and as such any Copyright notices in
16 * the code are not to be removed.
17 * If this package is used in a product, Eric Young should be given attribution
18 * as the author of the parts of the library used.
19 * This can be in the form of a textual message at program startup or
20 * in documentation (online or textual) provided with the package.
21 *
22 * Redistribution and use in source and binary forms, with or without
23 * modification, are permitted provided that the following conditions
24 * are met:
25 * 1. Redistributions of source code must retain the copyright
26 * notice, this list of conditions and the following disclaimer.
27 * 2. Redistributions in binary form must reproduce the above copyright
28 * notice, this list of conditions and the following disclaimer in the
29 * documentation and/or other materials provided with the distribution.
30 * 3. All advertising materials mentioning features or use of this software
31 * must display the following acknowledgement:
32 * "This product includes cryptographic software written by
33 * Eric Young (eay@cryptsoft.com)"
34 * The word 'cryptographic' can be left out if the rouines from the library
35 * being used are not cryptographic related :-).
36 * 4. If you include any Windows specific code (or a derivative thereof) from
37 * the apps directory (application code) you must include an acknowledgement:
38 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
39 *
40 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
41 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
42 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
43 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
44 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
45 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
46 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
47 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
48 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
49 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
50 * SUCH DAMAGE.
51 *
52 * The licence and distribution terms for any publically available version or
53 * derivative of this code cannot be changed. i.e. this code cannot simply be
54 * copied and put under another distribution licence
55 * [including the GNU Public Licence.]
56 */
57 /* ====================================================================
58 * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
59 *
60 * Redistribution and use in source and binary forms, with or without
61 * modification, are permitted provided that the following conditions
62 * are met:
63 *
64 * 1. Redistributions of source code must retain the above copyright
65 * notice, this list of conditions and the following disclaimer.
66 *
67 * 2. Redistributions in binary form must reproduce the above copyright
68 * notice, this list of conditions and the following disclaimer in
69 * the documentation and/or other materials provided with the
70 * distribution.
71 *
72 * 3. All advertising materials mentioning features or use of this
73 * software must display the following acknowledgment:
74 * "This product includes software developed by the OpenSSL Project
75 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
76 *
77 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
78 * endorse or promote products derived from this software without
79 * prior written permission. For written permission, please contact
80 * openssl-core@openssl.org.
81 *
82 * 5. Products derived from this software may not be called "OpenSSL"
83 * nor may "OpenSSL" appear in their names without prior written
84 * permission of the OpenSSL Project.
85 *
86 * 6. Redistributions of any form whatsoever must retain the following
87 * acknowledgment:
88 * "This product includes software developed by the OpenSSL Project
89 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
90 *
91 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
92 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
93 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
94 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
95 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
96 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
97 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
98 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
99 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
100 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
101 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
102 * OF THE POSSIBILITY OF SUCH DAMAGE.
103 * ====================================================================
104 *
105 * This product includes cryptographic software written by Eric Young
106 * (eay@cryptsoft.com). This product includes software written by Tim
107 * Hudson (tjh@cryptsoft.com).
108 *
109 */
110 /* ====================================================================
111 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
112 * ECC cipher suite support in OpenSSL originally developed by
113 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
114 */
115 /* ====================================================================
116 * Copyright 2005 Nokia. All rights reserved.
117 *
118 * The portions of the attached software ("Contribution") is developed by
119 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
120 * license.
121 *
122 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
123 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
124 * support (see RFC 4279) to OpenSSL.
125 *
126 * No patent licenses or other rights except those expressly stated in
127 * the OpenSSL open source license shall be deemed granted or received
128 * expressly, by implication, estoppel, or otherwise.
129 *
130 * No assurances are provided by Nokia that the Contribution does not
131 * infringe the patent or other intellectual property rights of any third
132 * party or that the license provides you with all the necessary rights
133 * to make use of the Contribution.
134 *
135 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
136 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
137 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
138 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
139 * OTHERWISE.
140 */
141
142 /* Or gethostname won't be declared properly on Linux and GNU platforms. */
143 #define _BSD_SOURCE 1
144 #define _DEFAULT_SOURCE 1
145
146 #include <assert.h>
147 #include <errno.h>
148 #include <limits.h>
149 #include <stdio.h>
150 #include <stdlib.h>
151 #include <string.h>
152 #include <time.h>
153
154 #define USE_SOCKETS
155 #include "e_os.h"
156
157 #ifdef OPENSSL_SYS_VMS
158 /*
159 * Or isascii won't be declared properly on VMS (at least with DECompHP C).
160 */
161 # define _XOPEN_SOURCE 500
162 #endif
163
164 #include <ctype.h>
165
166 #include <openssl/bio.h>
167 #include <openssl/crypto.h>
168 #include <openssl/evp.h>
169 #include <openssl/x509.h>
170 #include <openssl/x509v3.h>
171 #include <openssl/ssl.h>
172 #ifndef OPENSSL_NO_ENGINE
173 # include <openssl/engine.h>
174 #endif
175 #include <openssl/err.h>
176 #include <openssl/rand.h>
177 #ifndef OPENSSL_NO_RSA
178 # include <openssl/rsa.h>
179 #endif
180 #ifndef OPENSSL_NO_DSA
181 # include <openssl/dsa.h>
182 #endif
183 #ifndef OPENSSL_NO_DH
184 # include <openssl/dh.h>
185 #endif
186 #ifndef OPENSSL_NO_SRP
187 # include <openssl/srp.h>
188 #endif
189 #include <openssl/bn.h>
190 #ifndef OPENSSL_NO_CT
191 # include <openssl/ct.h>
192 #endif
193
194 #include "internal/threads.h"
195 #include "../ssl/ssl_locl.h"
196
197 /*
198 * Or gethostname won't be declared properly
199 * on Compaq platforms (at least with DEC C).
200 * Do not try to put it earlier, or IPv6 includes
201 * get screwed...
202 */
203 #define _XOPEN_SOURCE_EXTENDED 1
204
205 #ifdef OPENSSL_SYS_WINDOWS
206 # include <winsock.h>
207 #else
208 # include OPENSSL_UNISTD
209 #endif
210
211 static SSL_CTX *s_ctx = NULL;
212 static SSL_CTX *s_ctx2 = NULL;
213
214 /*
215 * There is really no standard for this, so let's assign something
216 * only for this test
217 */
218 #define COMP_ZLIB 1
219
220 static int verify_callback(int ok, X509_STORE_CTX *ctx);
221 static int app_verify_callback(X509_STORE_CTX *ctx, void *arg);
222 #define APP_CALLBACK_STRING "Test Callback Argument"
223 struct app_verify_arg {
224 char *string;
225 int app_verify;
226 int allow_proxy_certs;
227 char *proxy_auth;
228 char *proxy_cond;
229 };
230
231 #ifndef OPENSSL_NO_DH
232 static DH *get_dh512(void);
233 static DH *get_dh1024(void);
234 static DH *get_dh1024dsa(void);
235 #endif
236
237 static char *psk_key = NULL; /* by default PSK is not used */
238 #ifndef OPENSSL_NO_PSK
239 static unsigned int psk_client_callback(SSL *ssl, const char *hint,
240 char *identity,
241 unsigned int max_identity_len,
242 unsigned char *psk,
243 unsigned int max_psk_len);
244 static unsigned int psk_server_callback(SSL *ssl, const char *identity,
245 unsigned char *psk,
246 unsigned int max_psk_len);
247 #endif
248
249 #ifndef OPENSSL_NO_SRP
250 /* SRP client */
251 /* This is a context that we pass to all callbacks */
252 typedef struct srp_client_arg_st {
253 char *srppassin;
254 char *srplogin;
255 } SRP_CLIENT_ARG;
256
257 # define PWD_STRLEN 1024
258
259 static char *ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
260 {
261 SRP_CLIENT_ARG *srp_client_arg = (SRP_CLIENT_ARG *)arg;
262 return OPENSSL_strdup((char *)srp_client_arg->srppassin);
263 }
264
265 /* SRP server */
266 /* This is a context that we pass to SRP server callbacks */
267 typedef struct srp_server_arg_st {
268 char *expected_user;
269 char *pass;
270 } SRP_SERVER_ARG;
271
272 static int ssl_srp_server_param_cb(SSL *s, int *ad, void *arg)
273 {
274 SRP_SERVER_ARG *p = (SRP_SERVER_ARG *)arg;
275
276 if (strcmp(p->expected_user, SSL_get_srp_username(s)) != 0) {
277 fprintf(stderr, "User %s doesn't exist\n", SSL_get_srp_username(s));
278 return SSL3_AL_FATAL;
279 }
280 if (SSL_set_srp_server_param_pw(s, p->expected_user, p->pass, "1024") < 0) {
281 *ad = SSL_AD_INTERNAL_ERROR;
282 return SSL3_AL_FATAL;
283 }
284 return SSL_ERROR_NONE;
285 }
286 #endif
287
288 static BIO *bio_err = NULL;
289 static BIO *bio_stdout = NULL;
290
291 #ifndef OPENSSL_NO_NEXTPROTONEG
292 /* Note that this code assumes that this is only a one element list: */
293 static const char NEXT_PROTO_STRING[] = "\x09testproto";
294 static int npn_client = 0;
295 static int npn_server = 0;
296 static int npn_server_reject = 0;
297
298 static int cb_client_npn(SSL *s, unsigned char **out, unsigned char *outlen,
299 const unsigned char *in, unsigned int inlen,
300 void *arg)
301 {
302 /*
303 * This callback only returns the protocol string, rather than a length
304 * prefixed set. We assume that NEXT_PROTO_STRING is a one element list
305 * and remove the first byte to chop off the length prefix.
306 */
307 *out = (unsigned char *)NEXT_PROTO_STRING + 1;
308 *outlen = sizeof(NEXT_PROTO_STRING) - 2;
309 return SSL_TLSEXT_ERR_OK;
310 }
311
312 static int cb_server_npn(SSL *s, const unsigned char **data,
313 unsigned int *len, void *arg)
314 {
315 *data = (const unsigned char *)NEXT_PROTO_STRING;
316 *len = sizeof(NEXT_PROTO_STRING) - 1;
317 return SSL_TLSEXT_ERR_OK;
318 }
319
320 static int cb_server_rejects_npn(SSL *s, const unsigned char **data,
321 unsigned int *len, void *arg)
322 {
323 return SSL_TLSEXT_ERR_NOACK;
324 }
325
326 static int verify_npn(SSL *client, SSL *server)
327 {
328 const unsigned char *client_s;
329 unsigned client_len;
330 const unsigned char *server_s;
331 unsigned server_len;
332
333 SSL_get0_next_proto_negotiated(client, &client_s, &client_len);
334 SSL_get0_next_proto_negotiated(server, &server_s, &server_len);
335
336 if (client_len) {
337 BIO_printf(bio_stdout, "Client NPN: ");
338 BIO_write(bio_stdout, client_s, client_len);
339 BIO_printf(bio_stdout, "\n");
340 }
341
342 if (server_len) {
343 BIO_printf(bio_stdout, "Server NPN: ");
344 BIO_write(bio_stdout, server_s, server_len);
345 BIO_printf(bio_stdout, "\n");
346 }
347
348 /*
349 * If an NPN string was returned, it must be the protocol that we
350 * expected to negotiate.
351 */
352 if (client_len && (client_len != sizeof(NEXT_PROTO_STRING) - 2 ||
353 memcmp(client_s, NEXT_PROTO_STRING + 1, client_len)))
354 return -1;
355 if (server_len && (server_len != sizeof(NEXT_PROTO_STRING) - 2 ||
356 memcmp(server_s, NEXT_PROTO_STRING + 1, server_len)))
357 return -1;
358
359 if (!npn_client && client_len)
360 return -1;
361 if (!npn_server && server_len)
362 return -1;
363 if (npn_server_reject && server_len)
364 return -1;
365 if (npn_client && npn_server && (!client_len || !server_len))
366 return -1;
367
368 return 0;
369 }
370 #endif
371
372 static const char *alpn_client;
373 static char *alpn_server;
374 static char *alpn_server2;
375 static const char *alpn_expected;
376 static unsigned char *alpn_selected;
377 static const char *server_min_proto;
378 static const char *server_max_proto;
379 static const char *client_min_proto;
380 static const char *client_max_proto;
381 static const char *should_negotiate;
382 static const char *sn_client;
383 static const char *sn_server1;
384 static const char *sn_server2;
385 static int sn_expect = 0;
386 static const char *server_sess_out;
387 static const char *server_sess_in;
388 static const char *client_sess_out;
389 static const char *client_sess_in;
390 static SSL_SESSION *server_sess;
391 static SSL_SESSION *client_sess;
392
393 static int servername_cb(SSL *s, int *ad, void *arg)
394 {
395 const char *servername = SSL_get_servername(s, TLSEXT_NAMETYPE_host_name);
396 if (sn_server2 == NULL) {
397 BIO_printf(bio_stdout, "Servername 2 is NULL\n");
398 return SSL_TLSEXT_ERR_NOACK;
399 }
400
401 if (servername) {
402 if (s_ctx2 != NULL && sn_server2 != NULL &&
403 !strcasecmp(servername, sn_server2)) {
404 BIO_printf(bio_stdout, "Switching server context.\n");
405 SSL_set_SSL_CTX(s, s_ctx2);
406 }
407 }
408 return SSL_TLSEXT_ERR_OK;
409 }
410 static int verify_servername(SSL *client, SSL *server)
411 {
412 /* just need to see if sn_context is what we expect */
413 SSL_CTX* ctx = SSL_get_SSL_CTX(server);
414 if (sn_expect == 0)
415 return 0;
416 if (sn_expect == 1 && ctx == s_ctx)
417 return 0;
418 if (sn_expect == 2 && ctx == s_ctx2)
419 return 0;
420 BIO_printf(bio_stdout, "Servername: expected context %d\n", sn_expect);
421 if (ctx == s_ctx2)
422 BIO_printf(bio_stdout, "Servername: context is 2\n");
423 else if (ctx == s_ctx)
424 BIO_printf(bio_stdout, "Servername: context is 1\n");
425 else
426 BIO_printf(bio_stdout, "Servername: context is unknown\n");
427 return -1;
428 }
429
430
431 /*-
432 * next_protos_parse parses a comma separated list of strings into a string
433 * in a format suitable for passing to SSL_CTX_set_next_protos_advertised.
434 * outlen: (output) set to the length of the resulting buffer on success.
435 * err: (maybe NULL) on failure, an error message line is written to this BIO.
436 * in: a NUL terminated string like "abc,def,ghi"
437 *
438 * returns: a malloced buffer or NULL on failure.
439 */
440 static unsigned char *next_protos_parse(size_t *outlen,
441 const char *in)
442 {
443 size_t len;
444 unsigned char *out;
445 size_t i, start = 0;
446
447 len = strlen(in);
448 if (len >= 65535)
449 return NULL;
450
451 out = OPENSSL_malloc(strlen(in) + 1);
452 if (!out)
453 return NULL;
454
455 for (i = 0; i <= len; ++i) {
456 if (i == len || in[i] == ',') {
457 if (i - start > 255) {
458 OPENSSL_free(out);
459 return NULL;
460 }
461 out[start] = i - start;
462 start = i + 1;
463 } else
464 out[i + 1] = in[i];
465 }
466
467 *outlen = len + 1;
468 return out;
469 }
470
471 static int cb_server_alpn(SSL *s, const unsigned char **out,
472 unsigned char *outlen, const unsigned char *in,
473 unsigned int inlen, void *arg)
474 {
475 unsigned char *protos;
476 size_t protos_len;
477 char* alpn_str = arg;
478
479 protos = next_protos_parse(&protos_len, alpn_str);
480 if (protos == NULL) {
481 fprintf(stderr, "failed to parser ALPN server protocol string: %s\n",
482 alpn_str);
483 abort();
484 }
485
486 if (SSL_select_next_proto
487 ((unsigned char **)out, outlen, protos, protos_len, in,
488 inlen) != OPENSSL_NPN_NEGOTIATED) {
489 OPENSSL_free(protos);
490 return SSL_TLSEXT_ERR_NOACK;
491 }
492
493 /*
494 * Make a copy of the selected protocol which will be freed in
495 * verify_alpn.
496 */
497 alpn_selected = OPENSSL_malloc(*outlen);
498 memcpy(alpn_selected, *out, *outlen);
499 *out = alpn_selected;
500
501 OPENSSL_free(protos);
502 return SSL_TLSEXT_ERR_OK;
503 }
504
505 static int verify_alpn(SSL *client, SSL *server)
506 {
507 const unsigned char *client_proto, *server_proto;
508 unsigned int client_proto_len = 0, server_proto_len = 0;
509 SSL_get0_alpn_selected(client, &client_proto, &client_proto_len);
510 SSL_get0_alpn_selected(server, &server_proto, &server_proto_len);
511
512 OPENSSL_free(alpn_selected);
513 alpn_selected = NULL;
514
515 if (client_proto_len != server_proto_len) {
516 BIO_printf(bio_stdout, "ALPN selected protocols differ!\n");
517 goto err;
518 }
519
520 if (client_proto != NULL &&
521 memcmp(client_proto, server_proto, client_proto_len) != 0) {
522 BIO_printf(bio_stdout, "ALPN selected protocols differ!\n");
523 goto err;
524 }
525
526 if (client_proto_len > 0 && alpn_expected == NULL) {
527 BIO_printf(bio_stdout, "ALPN unexpectedly negotiated\n");
528 goto err;
529 }
530
531 if (alpn_expected != NULL &&
532 (client_proto_len != strlen(alpn_expected) ||
533 memcmp(client_proto, alpn_expected, client_proto_len) != 0)) {
534 BIO_printf(bio_stdout,
535 "ALPN selected protocols not equal to expected protocol: %s\n",
536 alpn_expected);
537 goto err;
538 }
539
540 return 0;
541
542 err:
543 BIO_printf(bio_stdout, "ALPN results: client: '");
544 BIO_write(bio_stdout, client_proto, client_proto_len);
545 BIO_printf(bio_stdout, "', server: '");
546 BIO_write(bio_stdout, server_proto, server_proto_len);
547 BIO_printf(bio_stdout, "'\n");
548 BIO_printf(bio_stdout, "ALPN configured: client: '%s', server: '",
549 alpn_client);
550 if (SSL_get_SSL_CTX(server) == s_ctx2) {
551 BIO_printf(bio_stdout, "%s'\n",
552 alpn_server2);
553 } else {
554 BIO_printf(bio_stdout, "%s'\n",
555 alpn_server);
556 }
557 return -1;
558 }
559
560 /*
561 * WARNING : below extension types are *NOT* IETF assigned, and could
562 * conflict if these types are reassigned and handled specially by OpenSSL
563 * in the future
564 */
565 #define TACK_EXT_TYPE 62208
566 #define CUSTOM_EXT_TYPE_0 1000
567 #define CUSTOM_EXT_TYPE_1 1001
568 #define CUSTOM_EXT_TYPE_2 1002
569 #define CUSTOM_EXT_TYPE_3 1003
570
571 static const char custom_ext_cli_string[] = "abc";
572 static const char custom_ext_srv_string[] = "defg";
573
574 /* These set from cmdline */
575 static char *serverinfo_file = NULL;
576 static int serverinfo_sct = 0;
577 static int serverinfo_tack = 0;
578
579 /* These set based on extension callbacks */
580 static int serverinfo_sct_seen = 0;
581 static int serverinfo_tack_seen = 0;
582 static int serverinfo_other_seen = 0;
583
584 /* This set from cmdline */
585 static int custom_ext = 0;
586
587 /* This set based on extension callbacks */
588 static int custom_ext_error = 0;
589
590 static int serverinfo_cli_parse_cb(SSL *s, unsigned int ext_type,
591 const unsigned char *in, size_t inlen,
592 int *al, void *arg)
593 {
594 if (ext_type == TLSEXT_TYPE_signed_certificate_timestamp)
595 serverinfo_sct_seen++;
596 else if (ext_type == TACK_EXT_TYPE)
597 serverinfo_tack_seen++;
598 else
599 serverinfo_other_seen++;
600 return 1;
601 }
602
603 static int verify_serverinfo()
604 {
605 if (serverinfo_sct != serverinfo_sct_seen)
606 return -1;
607 if (serverinfo_tack != serverinfo_tack_seen)
608 return -1;
609 if (serverinfo_other_seen)
610 return -1;
611 return 0;
612 }
613
614 /*-
615 * Four test cases for custom extensions:
616 * 0 - no ClientHello extension or ServerHello response
617 * 1 - ClientHello with "abc", no response
618 * 2 - ClientHello with "abc", empty response
619 * 3 - ClientHello with "abc", "defg" response
620 */
621
622 static int custom_ext_0_cli_add_cb(SSL *s, unsigned int ext_type,
623 const unsigned char **out,
624 size_t *outlen, int *al, void *arg)
625 {
626 if (ext_type != CUSTOM_EXT_TYPE_0)
627 custom_ext_error = 1;
628 return 0; /* Don't send an extension */
629 }
630
631 static int custom_ext_0_cli_parse_cb(SSL *s, unsigned int ext_type,
632 const unsigned char *in,
633 size_t inlen, int *al, void *arg)
634 {
635 return 1;
636 }
637
638 static int custom_ext_1_cli_add_cb(SSL *s, unsigned int ext_type,
639 const unsigned char **out,
640 size_t *outlen, int *al, void *arg)
641 {
642 if (ext_type != CUSTOM_EXT_TYPE_1)
643 custom_ext_error = 1;
644 *out = (const unsigned char *)custom_ext_cli_string;
645 *outlen = strlen(custom_ext_cli_string);
646 return 1; /* Send "abc" */
647 }
648
649 static int custom_ext_1_cli_parse_cb(SSL *s, unsigned int ext_type,
650 const unsigned char *in,
651 size_t inlen, int *al, void *arg)
652 {
653 return 1;
654 }
655
656 static int custom_ext_2_cli_add_cb(SSL *s, unsigned int ext_type,
657 const unsigned char **out,
658 size_t *outlen, int *al, void *arg)
659 {
660 if (ext_type != CUSTOM_EXT_TYPE_2)
661 custom_ext_error = 1;
662 *out = (const unsigned char *)custom_ext_cli_string;
663 *outlen = strlen(custom_ext_cli_string);
664 return 1; /* Send "abc" */
665 }
666
667 static int custom_ext_2_cli_parse_cb(SSL *s, unsigned int ext_type,
668 const unsigned char *in,
669 size_t inlen, int *al, void *arg)
670 {
671 if (ext_type != CUSTOM_EXT_TYPE_2)
672 custom_ext_error = 1;
673 if (inlen != 0)
674 custom_ext_error = 1; /* Should be empty response */
675 return 1;
676 }
677
678 static int custom_ext_3_cli_add_cb(SSL *s, unsigned int ext_type,
679 const unsigned char **out,
680 size_t *outlen, int *al, void *arg)
681 {
682 if (ext_type != CUSTOM_EXT_TYPE_3)
683 custom_ext_error = 1;
684 *out = (const unsigned char *)custom_ext_cli_string;
685 *outlen = strlen(custom_ext_cli_string);
686 return 1; /* Send "abc" */
687 }
688
689 static int custom_ext_3_cli_parse_cb(SSL *s, unsigned int ext_type,
690 const unsigned char *in,
691 size_t inlen, int *al, void *arg)
692 {
693 if (ext_type != CUSTOM_EXT_TYPE_3)
694 custom_ext_error = 1;
695 if (inlen != strlen(custom_ext_srv_string))
696 custom_ext_error = 1;
697 if (memcmp(custom_ext_srv_string, in, inlen) != 0)
698 custom_ext_error = 1; /* Check for "defg" */
699 return 1;
700 }
701
702 /*
703 * custom_ext_0_cli_add_cb returns 0 - the server won't receive a callback
704 * for this extension
705 */
706 static int custom_ext_0_srv_parse_cb(SSL *s, unsigned int ext_type,
707 const unsigned char *in,
708 size_t inlen, int *al, void *arg)
709 {
710 custom_ext_error = 1;
711 return 1;
712 }
713
714 /* 'add' callbacks are only called if the 'parse' callback is called */
715 static int custom_ext_0_srv_add_cb(SSL *s, unsigned int ext_type,
716 const unsigned char **out,
717 size_t *outlen, int *al, void *arg)
718 {
719 /* Error: should not have been called */
720 custom_ext_error = 1;
721 return 0; /* Don't send an extension */
722 }
723
724 static int custom_ext_1_srv_parse_cb(SSL *s, unsigned int ext_type,
725 const unsigned char *in,
726 size_t inlen, int *al, void *arg)
727 {
728 if (ext_type != CUSTOM_EXT_TYPE_1)
729 custom_ext_error = 1;
730 /* Check for "abc" */
731 if (inlen != strlen(custom_ext_cli_string))
732 custom_ext_error = 1;
733 if (memcmp(in, custom_ext_cli_string, inlen) != 0)
734 custom_ext_error = 1;
735 return 1;
736 }
737
738 static int custom_ext_1_srv_add_cb(SSL *s, unsigned int ext_type,
739 const unsigned char **out,
740 size_t *outlen, int *al, void *arg)
741 {
742 return 0; /* Don't send an extension */
743 }
744
745 static int custom_ext_2_srv_parse_cb(SSL *s, unsigned int ext_type,
746 const unsigned char *in,
747 size_t inlen, int *al, void *arg)
748 {
749 if (ext_type != CUSTOM_EXT_TYPE_2)
750 custom_ext_error = 1;
751 /* Check for "abc" */
752 if (inlen != strlen(custom_ext_cli_string))
753 custom_ext_error = 1;
754 if (memcmp(in, custom_ext_cli_string, inlen) != 0)
755 custom_ext_error = 1;
756 return 1;
757 }
758
759 static int custom_ext_2_srv_add_cb(SSL *s, unsigned int ext_type,
760 const unsigned char **out,
761 size_t *outlen, int *al, void *arg)
762 {
763 *out = NULL;
764 *outlen = 0;
765 return 1; /* Send empty extension */
766 }
767
768 static int custom_ext_3_srv_parse_cb(SSL *s, unsigned int ext_type,
769 const unsigned char *in,
770 size_t inlen, int *al, void *arg)
771 {
772 if (ext_type != CUSTOM_EXT_TYPE_3)
773 custom_ext_error = 1;
774 /* Check for "abc" */
775 if (inlen != strlen(custom_ext_cli_string))
776 custom_ext_error = 1;
777 if (memcmp(in, custom_ext_cli_string, inlen) != 0)
778 custom_ext_error = 1;
779 return 1;
780 }
781
782 static int custom_ext_3_srv_add_cb(SSL *s, unsigned int ext_type,
783 const unsigned char **out,
784 size_t *outlen, int *al, void *arg)
785 {
786 *out = (const unsigned char *)custom_ext_srv_string;
787 *outlen = strlen(custom_ext_srv_string);
788 return 1; /* Send "defg" */
789 }
790
791 static char *cipher = NULL;
792 static int verbose = 0;
793 static int debug = 0;
794 static const char rnd_seed[] =
795 "string to make the random number generator think it has entropy";
796
797 int doit_localhost(SSL *s_ssl, SSL *c_ssl, int family,
798 long bytes, clock_t *s_time, clock_t *c_time);
799 int doit_biopair(SSL *s_ssl, SSL *c_ssl, long bytes, clock_t *s_time,
800 clock_t *c_time);
801 int doit(SSL *s_ssl, SSL *c_ssl, long bytes);
802 static int do_test_cipherlist(void);
803
804 static void sv_usage(void)
805 {
806 fprintf(stderr, "usage: ssltest [args ...]\n");
807 fprintf(stderr, "\n");
808 #ifdef OPENSSL_FIPS
809 fprintf(stderr, "-F - run test in FIPS mode\n");
810 #endif
811 fprintf(stderr, " -server_auth - check server certificate\n");
812 fprintf(stderr, " -client_auth - do client authentication\n");
813 fprintf(stderr, " -proxy - allow proxy certificates\n");
814 fprintf(stderr, " -proxy_auth <val> - set proxy policy rights\n");
815 fprintf(stderr,
816 " -proxy_cond <val> - expression to test proxy policy rights\n");
817 fprintf(stderr, " -v - more output\n");
818 fprintf(stderr, " -d - debug output\n");
819 fprintf(stderr, " -reuse - use session-id reuse\n");
820 fprintf(stderr, " -num <val> - number of connections to perform\n");
821 fprintf(stderr,
822 " -bytes <val> - number of bytes to swap between client/server\n");
823 #ifndef OPENSSL_NO_DH
824 fprintf(stderr,
825 " -dhe512 - use 512 bit key for DHE (to test failure)\n");
826 fprintf(stderr,
827 " -dhe1024 - use 1024 bit key (safe prime) for DHE (default, no-op)\n");
828 fprintf(stderr,
829 " -dhe1024dsa - use 1024 bit key (with 160-bit subprime) for DHE\n");
830 fprintf(stderr, " -no_dhe - disable DHE\n");
831 #endif
832 #ifndef OPENSSL_NO_EC
833 fprintf(stderr, " -no_ecdhe - disable ECDHE\nTODO(openssl-team): no_ecdhe was broken by auto ecdh. Make this work again.\n");
834 #endif
835 #ifndef OPENSSL_NO_PSK
836 fprintf(stderr, " -psk arg - PSK in hex (without 0x)\n");
837 #endif
838 #ifndef OPENSSL_NO_SRP
839 fprintf(stderr, " -srpuser user - SRP username to use\n");
840 fprintf(stderr, " -srppass arg - password for 'user'\n");
841 #endif
842 #ifndef OPENSSL_NO_SSL3
843 fprintf(stderr, " -ssl3 - use SSLv3\n");
844 #endif
845 #ifndef OPENSSL_NO_TLS1
846 fprintf(stderr, " -tls1 - use TLSv1\n");
847 #endif
848 #ifndef OPENSSL_NO_DTLS
849 fprintf(stderr, " -dtls - use DTLS\n");
850 #ifndef OPENSSL_NO_DTLS1
851 fprintf(stderr, " -dtls1 - use DTLSv1\n");
852 #endif
853 #ifndef OPENSSL_NO_DTLS1_2
854 fprintf(stderr, " -dtls12 - use DTLSv1.2\n");
855 #endif
856 #endif
857 fprintf(stderr, " -CApath arg - PEM format directory of CA's\n");
858 fprintf(stderr, " -CAfile arg - PEM format file of CA's\n");
859 fprintf(stderr, " -cert arg - Server certificate file\n");
860 fprintf(stderr,
861 " -key arg - Server key file (default: same as -cert)\n");
862 fprintf(stderr, " -c_cert arg - Client certificate file\n");
863 fprintf(stderr,
864 " -c_key arg - Client key file (default: same as -c_cert)\n");
865 fprintf(stderr, " -cipher arg - The cipher list\n");
866 fprintf(stderr, " -bio_pair - Use BIO pairs\n");
867 fprintf(stderr, " -ipv4 - Use IPv4 connection on localhost\n");
868 fprintf(stderr, " -ipv6 - Use IPv6 connection on localhost\n");
869 fprintf(stderr, " -f - Test even cases that can't work\n");
870 fprintf(stderr,
871 " -time - measure processor time used by client and server\n");
872 fprintf(stderr, " -zlib - use zlib compression\n");
873 fprintf(stderr,
874 " -test_cipherlist - Verifies the order of the ssl cipher lists.\n"
875 " When this option is requested, the cipherlist\n"
876 " tests are run instead of handshake tests.\n");
877 #ifndef OPENSSL_NO_NEXTPROTONEG
878 fprintf(stderr, " -npn_client - have client side offer NPN\n");
879 fprintf(stderr, " -npn_server - have server side offer NPN\n");
880 fprintf(stderr, " -npn_server_reject - have server reject NPN\n");
881 #endif
882 fprintf(stderr, " -serverinfo_file file - have server use this file\n");
883 fprintf(stderr, " -serverinfo_sct - have client offer and expect SCT\n");
884 fprintf(stderr,
885 " -serverinfo_tack - have client offer and expect TACK\n");
886 fprintf(stderr,
887 " -custom_ext - try various custom extension callbacks\n");
888 fprintf(stderr, " -alpn_client <string> - have client side offer ALPN\n");
889 fprintf(stderr, " -alpn_server <string> - have server side offer ALPN\n");
890 fprintf(stderr, " -alpn_server1 <string> - alias for -alpn_server\n");
891 fprintf(stderr, " -alpn_server2 <string> - have server side context 2 offer ALPN\n");
892 fprintf(stderr,
893 " -alpn_expected <string> - the ALPN protocol that should be negotiated\n");
894 fprintf(stderr, " -server_min_proto <string> - Minimum version the server should support\n");
895 fprintf(stderr, " -server_max_proto <string> - Maximum version the server should support\n");
896 fprintf(stderr, " -client_min_proto <string> - Minimum version the client should support\n");
897 fprintf(stderr, " -client_max_proto <string> - Maximum version the client should support\n");
898 fprintf(stderr, " -should_negotiate <string> - The version that should be negotiated, fail-client or fail-server\n");
899 #ifndef OPENSSL_NO_CT
900 fprintf(stderr, " -noct - no certificate transparency\n");
901 fprintf(stderr, " -requestct - request certificate transparency\n");
902 fprintf(stderr, " -requirect - require certificate transparency\n");
903 #endif
904 fprintf(stderr, " -sn_client <string> - have client request this servername\n");
905 fprintf(stderr, " -sn_server1 <string> - have server context 1 respond to this servername\n");
906 fprintf(stderr, " -sn_server2 <string> - have server context 2 respond to this servername\n");
907 fprintf(stderr, " -sn_expect1 - expected server 1\n");
908 fprintf(stderr, " -sn_expect2 - expected server 2\n");
909 fprintf(stderr, " -server_sess_out <file> - Save the server session to a file\n");
910 fprintf(stderr, " -server_sess_in <file> - Read the server session from a file\n");
911 fprintf(stderr, " -client_sess_out <file> - Save the client session to a file\n");
912 fprintf(stderr, " -client_sess_in <file> - Read the client session from a file\n");
913 fprintf(stderr, " -should_reuse <number> - The expected state of reusing the session\n");
914 fprintf(stderr, " -no_ticket - do not issue TLS session ticket\n");
915 }
916
917 static void print_key_details(BIO *out, EVP_PKEY *key)
918 {
919 int keyid = EVP_PKEY_id(key);
920 #ifndef OPENSSL_NO_EC
921 if (keyid == EVP_PKEY_EC) {
922 EC_KEY *ec = EVP_PKEY_get1_EC_KEY(key);
923 int nid;
924 const char *cname;
925 nid = EC_GROUP_get_curve_name(EC_KEY_get0_group(ec));
926 EC_KEY_free(ec);
927 cname = EC_curve_nid2nist(nid);
928 if (!cname)
929 cname = OBJ_nid2sn(nid);
930 BIO_printf(out, "%d bits EC (%s)", EVP_PKEY_bits(key), cname);
931 } else
932 #endif
933 {
934 const char *algname;
935 switch (keyid) {
936 case EVP_PKEY_RSA:
937 algname = "RSA";
938 break;
939 case EVP_PKEY_DSA:
940 algname = "DSA";
941 break;
942 case EVP_PKEY_DH:
943 algname = "DH";
944 break;
945 default:
946 algname = OBJ_nid2sn(keyid);
947 break;
948 }
949 BIO_printf(out, "%d bits %s", EVP_PKEY_bits(key), algname);
950 }
951 }
952
953 static void print_details(SSL *c_ssl, const char *prefix)
954 {
955 const SSL_CIPHER *ciph;
956 int mdnid;
957 X509 *cert;
958 EVP_PKEY *pkey;
959
960 ciph = SSL_get_current_cipher(c_ssl);
961 BIO_printf(bio_stdout, "%s%s, cipher %s %s",
962 prefix,
963 SSL_get_version(c_ssl),
964 SSL_CIPHER_get_version(ciph), SSL_CIPHER_get_name(ciph));
965 cert = SSL_get_peer_certificate(c_ssl);
966 if (cert != NULL) {
967 pkey = X509_get_pubkey(cert);
968 if (pkey != NULL) {
969 BIO_puts(bio_stdout, ", ");
970 print_key_details(bio_stdout, pkey);
971 EVP_PKEY_free(pkey);
972 }
973 X509_free(cert);
974 }
975 if (SSL_get_server_tmp_key(c_ssl, &pkey)) {
976 BIO_puts(bio_stdout, ", temp key: ");
977 print_key_details(bio_stdout, pkey);
978 EVP_PKEY_free(pkey);
979 }
980 if (SSL_get_peer_signature_nid(c_ssl, &mdnid))
981 BIO_printf(bio_stdout, ", digest=%s", OBJ_nid2sn(mdnid));
982 BIO_printf(bio_stdout, "\n");
983 }
984
985 /*
986 * protocol_from_string - converts a protocol version string to a number
987 *
988 * Returns -1 on failure or the version on success
989 */
990 static int protocol_from_string(const char *value)
991 {
992 struct protocol_versions {
993 const char *name;
994 int version;
995 };
996 static const struct protocol_versions versions[] = {
997 {"ssl3", SSL3_VERSION},
998 {"tls1", TLS1_VERSION},
999 {"tls1.1", TLS1_1_VERSION},
1000 {"tls1.2", TLS1_2_VERSION},
1001 {"dtls1", DTLS1_VERSION},
1002 {"dtls1.2", DTLS1_2_VERSION}};
1003 size_t i;
1004 size_t n = OSSL_NELEM(versions);
1005
1006 for (i = 0; i < n; i++)
1007 if (strcmp(versions[i].name, value) == 0)
1008 return versions[i].version;
1009 return -1;
1010 }
1011
1012 static SSL_SESSION *read_session(const char *filename)
1013 {
1014 SSL_SESSION *sess;
1015 BIO *f = BIO_new_file(filename, "r");
1016
1017 if (f == NULL) {
1018 BIO_printf(bio_err, "Can't open session file %s\n", filename);
1019 ERR_print_errors(bio_err);
1020 return NULL;
1021 }
1022 sess = PEM_read_bio_SSL_SESSION(f, NULL, 0, NULL);
1023 if (sess == NULL) {
1024 BIO_printf(bio_err, "Can't parse session file %s\n", filename);
1025 ERR_print_errors(bio_err);
1026 }
1027 BIO_free(f);
1028 return sess;
1029 }
1030
1031 static int write_session(const char *filename, SSL_SESSION *sess)
1032 {
1033 BIO *f = BIO_new_file(filename, "w");
1034
1035 if (sess == NULL) {
1036 BIO_printf(bio_err, "No session information\n");
1037 return 0;
1038 }
1039 if (f == NULL) {
1040 BIO_printf(bio_err, "Can't open session file %s\n", filename);
1041 ERR_print_errors(bio_err);
1042 return 0;
1043 }
1044 PEM_write_bio_SSL_SESSION(f, sess);
1045 BIO_free(f);
1046 return 1;
1047 }
1048
1049 /*
1050 * set_protocol_version - Sets protocol version minimum or maximum
1051 *
1052 * Returns 0 on failure and 1 on success
1053 */
1054 static int set_protocol_version(const char *version, SSL *ssl, int setting)
1055 {
1056 if (version != NULL) {
1057 int ver = protocol_from_string(version);
1058 if (ver < 0) {
1059 BIO_printf(bio_err, "Error parsing: %s\n", version);
1060 return 0;
1061 }
1062 return SSL_ctrl(ssl, setting, ver, NULL);
1063 }
1064 return 1;
1065 }
1066
1067 int main(int argc, char *argv[])
1068 {
1069 char *CApath = NULL, *CAfile = NULL;
1070 int badop = 0;
1071 enum { BIO_MEM, BIO_PAIR, BIO_IPV4, BIO_IPV6 } bio_type = BIO_MEM;
1072 int force = 0;
1073 int dtls1 = 0, dtls12 = 0, dtls = 0, tls1 = 0, ssl3 = 0, ret = 1;
1074 int client_auth = 0;
1075 int server_auth = 0, i;
1076 struct app_verify_arg app_verify_arg =
1077 { APP_CALLBACK_STRING, 0, 0, NULL, NULL };
1078 char *p;
1079 SSL_CTX *c_ctx = NULL;
1080 const SSL_METHOD *meth = NULL;
1081 SSL *c_ssl, *s_ssl;
1082 int number = 1, reuse = 0;
1083 int should_reuse = -1;
1084 int no_ticket = 0;
1085 long bytes = 256L;
1086 #ifndef OPENSSL_NO_DH
1087 DH *dh;
1088 int dhe512 = 0, dhe1024dsa = 0;
1089 #endif
1090 #ifndef OPENSSL_NO_SRP
1091 /* client */
1092 SRP_CLIENT_ARG srp_client_arg = { NULL, NULL };
1093 /* server */
1094 SRP_SERVER_ARG srp_server_arg = { NULL, NULL };
1095 #endif
1096 int no_dhe = 0;
1097 int no_psk = 0;
1098 int print_time = 0;
1099 clock_t s_time = 0, c_time = 0;
1100 #ifndef OPENSSL_NO_COMP
1101 int n, comp = 0;
1102 COMP_METHOD *cm = NULL;
1103 STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
1104 #endif
1105 int test_cipherlist = 0;
1106 #ifdef OPENSSL_FIPS
1107 int fips_mode = 0;
1108 #endif
1109 int no_protocol;
1110 int min_version = 0, max_version = 0;
1111 #ifndef OPENSSL_NO_CT
1112 /*
1113 * Disable CT validation by default, because it will interfere with
1114 * anything using custom extension handlers to deal with SCT extensions.
1115 */
1116 int ct_validation = 0;
1117 #endif
1118 SSL_CONF_CTX *s_cctx = NULL, *c_cctx = NULL, *s_cctx2 = NULL;
1119 STACK_OF(OPENSSL_STRING) *conf_args = NULL;
1120 char *arg = NULL, *argn = NULL;
1121
1122 verbose = 0;
1123 debug = 0;
1124 cipher = 0;
1125
1126 bio_err = BIO_new_fp(stderr, BIO_NOCLOSE | BIO_FP_TEXT);
1127
1128 p = getenv("OPENSSL_DEBUG_MEMORY");
1129 if (p != NULL && strcmp(p, "on") == 0)
1130 CRYPTO_set_mem_debug(1);
1131 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
1132
1133 RAND_seed(rnd_seed, sizeof rnd_seed);
1134
1135 bio_stdout = BIO_new_fp(stdout, BIO_NOCLOSE | BIO_FP_TEXT);
1136
1137 s_cctx = SSL_CONF_CTX_new();
1138 s_cctx2 = SSL_CONF_CTX_new();
1139 c_cctx = SSL_CONF_CTX_new();
1140
1141 if (!s_cctx || !c_cctx || !s_cctx2) {
1142 ERR_print_errors(bio_err);
1143 goto end;
1144 }
1145
1146 SSL_CONF_CTX_set_flags(s_cctx,
1147 SSL_CONF_FLAG_CMDLINE | SSL_CONF_FLAG_SERVER |
1148 SSL_CONF_FLAG_CERTIFICATE |
1149 SSL_CONF_FLAG_REQUIRE_PRIVATE);
1150 SSL_CONF_CTX_set_flags(s_cctx2,
1151 SSL_CONF_FLAG_CMDLINE | SSL_CONF_FLAG_SERVER |
1152 SSL_CONF_FLAG_CERTIFICATE |
1153 SSL_CONF_FLAG_REQUIRE_PRIVATE);
1154 if (!SSL_CONF_CTX_set1_prefix(s_cctx, "-s_")) {
1155 ERR_print_errors(bio_err);
1156 goto end;
1157 }
1158 if (!SSL_CONF_CTX_set1_prefix(s_cctx2, "-s_")) {
1159 ERR_print_errors(bio_err);
1160 goto end;
1161 }
1162
1163 SSL_CONF_CTX_set_flags(c_cctx,
1164 SSL_CONF_FLAG_CMDLINE | SSL_CONF_FLAG_CLIENT |
1165 SSL_CONF_FLAG_CERTIFICATE |
1166 SSL_CONF_FLAG_REQUIRE_PRIVATE);
1167 if (!SSL_CONF_CTX_set1_prefix(c_cctx, "-c_")) {
1168 ERR_print_errors(bio_err);
1169 goto end;
1170 }
1171
1172 argc--;
1173 argv++;
1174
1175 while (argc >= 1) {
1176 if (strcmp(*argv, "-F") == 0) {
1177 #ifdef OPENSSL_FIPS
1178 fips_mode = 1;
1179 #else
1180 fprintf(stderr,
1181 "not compiled with FIPS support, so exiting without running.\n");
1182 EXIT(0);
1183 #endif
1184 } else if (strcmp(*argv, "-server_auth") == 0)
1185 server_auth = 1;
1186 else if (strcmp(*argv, "-client_auth") == 0)
1187 client_auth = 1;
1188 else if (strcmp(*argv, "-proxy_auth") == 0) {
1189 if (--argc < 1)
1190 goto bad;
1191 app_verify_arg.proxy_auth = *(++argv);
1192 } else if (strcmp(*argv, "-proxy_cond") == 0) {
1193 if (--argc < 1)
1194 goto bad;
1195 app_verify_arg.proxy_cond = *(++argv);
1196 } else if (strcmp(*argv, "-v") == 0)
1197 verbose = 1;
1198 else if (strcmp(*argv, "-d") == 0)
1199 debug = 1;
1200 else if (strcmp(*argv, "-reuse") == 0)
1201 reuse = 1;
1202 else if (strcmp(*argv, "-dhe512") == 0) {
1203 #ifndef OPENSSL_NO_DH
1204 dhe512 = 1;
1205 #else
1206 fprintf(stderr,
1207 "ignoring -dhe512, since I'm compiled without DH\n");
1208 #endif
1209 } else if (strcmp(*argv, "-dhe1024dsa") == 0) {
1210 #ifndef OPENSSL_NO_DH
1211 dhe1024dsa = 1;
1212 #else
1213 fprintf(stderr,
1214 "ignoring -dhe1024dsa, since I'm compiled without DH\n");
1215 #endif
1216 } else if (strcmp(*argv, "-no_dhe") == 0)
1217 no_dhe = 1;
1218 else if (strcmp(*argv, "-no_ecdhe") == 0)
1219 /* obsolete */;
1220 else if (strcmp(*argv, "-psk") == 0) {
1221 if (--argc < 1)
1222 goto bad;
1223 psk_key = *(++argv);
1224 #ifndef OPENSSL_NO_PSK
1225 if (strspn(psk_key, "abcdefABCDEF1234567890") != strlen(psk_key)) {
1226 BIO_printf(bio_err, "Not a hex number '%s'\n", *argv);
1227 goto bad;
1228 }
1229 #else
1230 no_psk = 1;
1231 #endif
1232 }
1233 #ifndef OPENSSL_NO_SRP
1234 else if (strcmp(*argv, "-srpuser") == 0) {
1235 if (--argc < 1)
1236 goto bad;
1237 srp_server_arg.expected_user = srp_client_arg.srplogin =
1238 *(++argv);
1239 min_version = TLS1_VERSION;
1240 } else if (strcmp(*argv, "-srppass") == 0) {
1241 if (--argc < 1)
1242 goto bad;
1243 srp_server_arg.pass = srp_client_arg.srppassin = *(++argv);
1244 min_version = TLS1_VERSION;
1245 }
1246 #endif
1247 else if (strcmp(*argv, "-tls1") == 0) {
1248 tls1 = 1;
1249 } else if (strcmp(*argv, "-ssl3") == 0) {
1250 ssl3 = 1;
1251 } else if (strcmp(*argv, "-dtls1") == 0) {
1252 dtls1 = 1;
1253 } else if (strcmp(*argv, "-dtls12") == 0) {
1254 dtls12 = 1;
1255 } else if (strcmp(*argv, "-dtls") == 0) {
1256 dtls = 1;
1257 } else if (strncmp(*argv, "-num", 4) == 0) {
1258 if (--argc < 1)
1259 goto bad;
1260 number = atoi(*(++argv));
1261 if (number == 0)
1262 number = 1;
1263 } else if (strcmp(*argv, "-bytes") == 0) {
1264 if (--argc < 1)
1265 goto bad;
1266 bytes = atol(*(++argv));
1267 if (bytes == 0L)
1268 bytes = 1L;
1269 i = strlen(argv[0]);
1270 if (argv[0][i - 1] == 'k')
1271 bytes *= 1024L;
1272 if (argv[0][i - 1] == 'm')
1273 bytes *= 1024L * 1024L;
1274 } else if (strcmp(*argv, "-cipher") == 0) {
1275 if (--argc < 1)
1276 goto bad;
1277 cipher = *(++argv);
1278 } else if (strcmp(*argv, "-CApath") == 0) {
1279 if (--argc < 1)
1280 goto bad;
1281 CApath = *(++argv);
1282 } else if (strcmp(*argv, "-CAfile") == 0) {
1283 if (--argc < 1)
1284 goto bad;
1285 CAfile = *(++argv);
1286 } else if (strcmp(*argv, "-bio_pair") == 0) {
1287 bio_type = BIO_PAIR;
1288 }
1289 #ifndef OPENSSL_NO_SOCK
1290 else if (strcmp(*argv, "-ipv4") == 0) {
1291 bio_type = BIO_IPV4;
1292 } else if (strcmp(*argv, "-ipv6") == 0) {
1293 bio_type = BIO_IPV6;
1294 }
1295 #endif
1296 else if (strcmp(*argv, "-f") == 0) {
1297 force = 1;
1298 } else if (strcmp(*argv, "-time") == 0) {
1299 print_time = 1;
1300 }
1301 #ifndef OPENSSL_NO_CT
1302 else if (strcmp(*argv, "-noct") == 0) {
1303 ct_validation = 0;
1304 }
1305 else if (strcmp(*argv, "-ct") == 0) {
1306 ct_validation = 1;
1307 }
1308 #endif
1309 #ifndef OPENSSL_NO_COMP
1310 else if (strcmp(*argv, "-zlib") == 0) {
1311 comp = COMP_ZLIB;
1312 }
1313 #endif
1314 else if (strcmp(*argv, "-app_verify") == 0) {
1315 app_verify_arg.app_verify = 1;
1316 } else if (strcmp(*argv, "-proxy") == 0) {
1317 app_verify_arg.allow_proxy_certs = 1;
1318 } else if (strcmp(*argv, "-test_cipherlist") == 0) {
1319 test_cipherlist = 1;
1320 }
1321 #ifndef OPENSSL_NO_NEXTPROTONEG
1322 else if (strcmp(*argv, "-npn_client") == 0) {
1323 npn_client = 1;
1324 } else if (strcmp(*argv, "-npn_server") == 0) {
1325 npn_server = 1;
1326 } else if (strcmp(*argv, "-npn_server_reject") == 0) {
1327 npn_server_reject = 1;
1328 }
1329 #endif
1330 else if (strcmp(*argv, "-serverinfo_sct") == 0) {
1331 serverinfo_sct = 1;
1332 } else if (strcmp(*argv, "-serverinfo_tack") == 0) {
1333 serverinfo_tack = 1;
1334 } else if (strcmp(*argv, "-serverinfo_file") == 0) {
1335 if (--argc < 1)
1336 goto bad;
1337 serverinfo_file = *(++argv);
1338 } else if (strcmp(*argv, "-custom_ext") == 0) {
1339 custom_ext = 1;
1340 } else if (strcmp(*argv, "-alpn_client") == 0) {
1341 if (--argc < 1)
1342 goto bad;
1343 alpn_client = *(++argv);
1344 } else if (strcmp(*argv, "-alpn_server") == 0 ||
1345 strcmp(*argv, "-alpn_server1") == 0) {
1346 if (--argc < 1)
1347 goto bad;
1348 alpn_server = *(++argv);
1349 } else if (strcmp(*argv, "-alpn_server2") == 0) {
1350 if (--argc < 1)
1351 goto bad;
1352 alpn_server2 = *(++argv);
1353 } else if (strcmp(*argv, "-alpn_expected") == 0) {
1354 if (--argc < 1)
1355 goto bad;
1356 alpn_expected = *(++argv);
1357 } else if (strcmp(*argv, "-server_min_proto") == 0) {
1358 if (--argc < 1)
1359 goto bad;
1360 server_min_proto = *(++argv);
1361 } else if (strcmp(*argv, "-server_max_proto") == 0) {
1362 if (--argc < 1)
1363 goto bad;
1364 server_max_proto = *(++argv);
1365 } else if (strcmp(*argv, "-client_min_proto") == 0) {
1366 if (--argc < 1)
1367 goto bad;
1368 client_min_proto = *(++argv);
1369 } else if (strcmp(*argv, "-client_max_proto") == 0) {
1370 if (--argc < 1)
1371 goto bad;
1372 client_max_proto = *(++argv);
1373 } else if (strcmp(*argv, "-should_negotiate") == 0) {
1374 if (--argc < 1)
1375 goto bad;
1376 should_negotiate = *(++argv);
1377 } else if (strcmp(*argv, "-sn_client") == 0) {
1378 if (--argc < 1)
1379 goto bad;
1380 sn_client = *(++argv);
1381 } else if (strcmp(*argv, "-sn_server1") == 0) {
1382 if (--argc < 1)
1383 goto bad;
1384 sn_server1 = *(++argv);
1385 } else if (strcmp(*argv, "-sn_server2") == 0) {
1386 if (--argc < 1)
1387 goto bad;
1388 sn_server2 = *(++argv);
1389 } else if (strcmp(*argv, "-sn_expect1") == 0) {
1390 sn_expect = 1;
1391 } else if (strcmp(*argv, "-sn_expect2") == 0) {
1392 sn_expect = 2;
1393 } else if (strcmp(*argv, "-server_sess_out") == 0) {
1394 if (--argc < 1)
1395 goto bad;
1396 server_sess_out = *(++argv);
1397 } else if (strcmp(*argv, "-server_sess_in") == 0) {
1398 if (--argc < 1)
1399 goto bad;
1400 server_sess_in = *(++argv);
1401 } else if (strcmp(*argv, "-client_sess_out") == 0) {
1402 if (--argc < 1)
1403 goto bad;
1404 client_sess_out = *(++argv);
1405 } else if (strcmp(*argv, "-client_sess_in") == 0) {
1406 if (--argc < 1)
1407 goto bad;
1408 client_sess_in = *(++argv);
1409 } else if (strcmp(*argv, "-should_reuse") == 0) {
1410 if (--argc < 1)
1411 goto bad;
1412 should_reuse = !!atoi(*(++argv));
1413 } else if (strcmp(*argv, "-no_ticket") == 0) {
1414 no_ticket = 1;
1415 } else {
1416 int rv;
1417 arg = argv[0];
1418 argn = argv[1];
1419 /* Try to process command using SSL_CONF */
1420 rv = SSL_CONF_cmd_argv(c_cctx, &argc, &argv);
1421 /* If not processed try server */
1422 if (rv == 0)
1423 rv = SSL_CONF_cmd_argv(s_cctx, &argc, &argv);
1424 /* Recognised: store it for later use */
1425 if (rv > 0) {
1426 if (rv == 1)
1427 argn = NULL;
1428 if (!conf_args) {
1429 conf_args = sk_OPENSSL_STRING_new_null();
1430 if (!conf_args)
1431 goto end;
1432 }
1433 if (!sk_OPENSSL_STRING_push(conf_args, arg))
1434 goto end;
1435 if (!sk_OPENSSL_STRING_push(conf_args, argn))
1436 goto end;
1437 continue;
1438 }
1439 if (rv == -3)
1440 BIO_printf(bio_err, "Missing argument for %s\n", arg);
1441 else if (rv < 0)
1442 BIO_printf(bio_err, "Error with command %s\n", arg);
1443 else if (rv == 0)
1444 BIO_printf(bio_err, "unknown option %s\n", arg);
1445 badop = 1;
1446 break;
1447 }
1448 argc--;
1449 argv++;
1450 }
1451 if (badop) {
1452 bad:
1453 sv_usage();
1454 goto end;
1455 }
1456
1457 /*
1458 * test_cipherlist prevails over protocol switch: we test the cipherlist
1459 * for all enabled protocols.
1460 */
1461 if (test_cipherlist == 1) {
1462 /*
1463 * ensure that the cipher list are correctly sorted and exit
1464 */
1465 fprintf(stdout, "Testing cipherlist order only. Ignoring all "
1466 "other options.\n");
1467 if (do_test_cipherlist() == 0)
1468 EXIT(1);
1469 ret = 0;
1470 goto end;
1471 }
1472
1473 if (ssl3 + tls1 + dtls + dtls1 + dtls12 > 1) {
1474 fprintf(stderr, "At most one of -ssl3, -tls1, -dtls, -dtls1 or -dtls12 should "
1475 "be requested.\n");
1476 EXIT(1);
1477 }
1478
1479 #ifdef OPENSSL_NO_SSL3
1480 if (ssl3)
1481 no_protocol = 1;
1482 else
1483 #endif
1484 #ifdef OPENSSL_NO_TLS1
1485 if (tls1)
1486 no_protocol = 1;
1487 else
1488 #endif
1489 #if defined(OPENSSL_NO_DTLS) || defined(OPENSSL_NO_DTLS1)
1490 if (dtls1)
1491 no_protocol = 1;
1492 else
1493 #endif
1494 #if defined(OPENSSL_NO_DTLS) || defined(OPENSSL_NO_DTLS1_2)
1495 if (dtls12)
1496 no_protocol = 1;
1497 else
1498 #endif
1499 no_protocol = 0;
1500
1501 /*
1502 * Testing was requested for a compiled-out protocol (e.g. SSLv3).
1503 * Ideally, we would error out, but the generic test wrapper can't know
1504 * when to expect failure. So we do nothing and return success.
1505 */
1506 if (no_protocol) {
1507 fprintf(stderr, "Testing was requested for a disabled protocol. "
1508 "Skipping tests.\n");
1509 ret = 0;
1510 goto end;
1511 }
1512
1513 if (!ssl3 && !tls1 && !dtls && !dtls1 && !dtls12 && number > 1 && !reuse && !force) {
1514 fprintf(stderr, "This case cannot work. Use -f to perform "
1515 "the test anyway (and\n-d to see what happens), "
1516 "or add one of -ssl3, -tls1, -dtls, -dtls1, -dtls12, -reuse\n"
1517 "to avoid protocol mismatch.\n");
1518 EXIT(1);
1519 }
1520 #ifdef OPENSSL_FIPS
1521 if (fips_mode) {
1522 if (!FIPS_mode_set(1)) {
1523 ERR_print_errors(bio_err);
1524 EXIT(1);
1525 } else
1526 fprintf(stderr, "*** IN FIPS MODE ***\n");
1527 }
1528 #endif
1529
1530 if (print_time) {
1531 if (bio_type != BIO_PAIR) {
1532 fprintf(stderr, "Using BIO pair (-bio_pair)\n");
1533 bio_type = BIO_PAIR;
1534 }
1535 if (number < 50 && !force)
1536 fprintf(stderr,
1537 "Warning: For accurate timings, use more connections (e.g. -num 1000)\n");
1538 }
1539
1540 /* if (cipher == NULL) cipher=getenv("SSL_CIPHER"); */
1541
1542 #ifndef OPENSSL_NO_COMP
1543 if (comp == COMP_ZLIB)
1544 cm = COMP_zlib();
1545 if (cm != NULL) {
1546 if (COMP_get_type(cm) != NID_undef) {
1547 if (SSL_COMP_add_compression_method(comp, cm) != 0) {
1548 fprintf(stderr, "Failed to add compression method\n");
1549 ERR_print_errors_fp(stderr);
1550 }
1551 } else {
1552 fprintf(stderr,
1553 "Warning: %s compression not supported\n",
1554 comp == COMP_ZLIB ? "zlib" : "unknown");
1555 ERR_print_errors_fp(stderr);
1556 }
1557 }
1558 ssl_comp_methods = SSL_COMP_get_compression_methods();
1559 n = sk_SSL_COMP_num(ssl_comp_methods);
1560 if (n) {
1561 int j;
1562 printf("Available compression methods:");
1563 for (j = 0; j < n; j++) {
1564 SSL_COMP *c = sk_SSL_COMP_value(ssl_comp_methods, j);
1565 printf(" %s:%d", c->name, c->id);
1566 }
1567 printf("\n");
1568 }
1569 #endif
1570
1571 #ifndef OPENSSL_NO_TLS
1572 meth = TLS_method();
1573 if (ssl3) {
1574 min_version = SSL3_VERSION;
1575 max_version = SSL3_VERSION;
1576 } else if (tls1) {
1577 min_version = TLS1_VERSION;
1578 max_version = TLS1_VERSION;
1579 }
1580 #endif
1581 #ifndef OPENSSL_NO_DTLS
1582 if (dtls || dtls1 || dtls12)
1583 meth = DTLS_method();
1584 if (dtls1) {
1585 min_version = DTLS1_VERSION;
1586 max_version = DTLS1_VERSION;
1587 } else if (dtls12) {
1588 min_version = DTLS1_2_VERSION;
1589 max_version = DTLS1_2_VERSION;
1590 }
1591 #endif
1592
1593 c_ctx = SSL_CTX_new(meth);
1594 s_ctx = SSL_CTX_new(meth);
1595 s_ctx2 = SSL_CTX_new(meth); /* no SSL_CTX_dup! */
1596 if ((c_ctx == NULL) || (s_ctx == NULL) || (s_ctx2 == NULL)) {
1597 ERR_print_errors(bio_err);
1598 goto end;
1599 }
1600 /*
1601 * Since we will use low security ciphersuites and keys for testing set
1602 * security level to zero by default. Tests can override this by adding
1603 * "@SECLEVEL=n" to the cipher string.
1604 */
1605 SSL_CTX_set_security_level(c_ctx, 0);
1606 SSL_CTX_set_security_level(s_ctx, 0);
1607 SSL_CTX_set_security_level(s_ctx2, 0);
1608
1609 if (no_ticket) {
1610 SSL_CTX_set_options(c_ctx, SSL_OP_NO_TICKET);
1611 SSL_CTX_set_options(s_ctx, SSL_OP_NO_TICKET);
1612 }
1613
1614 if (SSL_CTX_set_min_proto_version(c_ctx, min_version) == 0)
1615 goto end;
1616 if (SSL_CTX_set_max_proto_version(c_ctx, max_version) == 0)
1617 goto end;
1618 if (SSL_CTX_set_min_proto_version(s_ctx, min_version) == 0)
1619 goto end;
1620 if (SSL_CTX_set_max_proto_version(s_ctx, max_version) == 0)
1621 goto end;
1622
1623 if (cipher != NULL) {
1624 if (!SSL_CTX_set_cipher_list(c_ctx, cipher)
1625 || !SSL_CTX_set_cipher_list(s_ctx, cipher)
1626 || !SSL_CTX_set_cipher_list(s_ctx2, cipher)) {
1627 ERR_print_errors(bio_err);
1628 goto end;
1629 }
1630 }
1631
1632 #ifndef OPENSSL_NO_CT
1633 if (ct_validation &&
1634 !SSL_CTX_enable_ct(c_ctx, SSL_CT_VALIDATION_STRICT)) {
1635 ERR_print_errors(bio_err);
1636 goto end;
1637 }
1638 #endif
1639
1640 /* Process SSL_CONF arguments */
1641 SSL_CONF_CTX_set_ssl_ctx(c_cctx, c_ctx);
1642 SSL_CONF_CTX_set_ssl_ctx(s_cctx, s_ctx);
1643 SSL_CONF_CTX_set_ssl_ctx(s_cctx2, s_ctx2);
1644
1645 for (i = 0; i < sk_OPENSSL_STRING_num(conf_args); i += 2) {
1646 int rv;
1647 arg = sk_OPENSSL_STRING_value(conf_args, i);
1648 argn = sk_OPENSSL_STRING_value(conf_args, i + 1);
1649 rv = SSL_CONF_cmd(c_cctx, arg, argn);
1650 /* If not recognised use server context */
1651 if (rv == -2) {
1652 rv = SSL_CONF_cmd(s_cctx2, arg, argn);
1653 if (rv > 0)
1654 rv = SSL_CONF_cmd(s_cctx, arg, argn);
1655 }
1656 if (rv <= 0) {
1657 BIO_printf(bio_err, "Error processing %s %s\n",
1658 arg, argn ? argn : "");
1659 ERR_print_errors(bio_err);
1660 goto end;
1661 }
1662 }
1663
1664 if (!SSL_CONF_CTX_finish(s_cctx) || !SSL_CONF_CTX_finish(c_cctx) || !SSL_CONF_CTX_finish(s_cctx2)) {
1665 BIO_puts(bio_err, "Error finishing context\n");
1666 ERR_print_errors(bio_err);
1667 goto end;
1668 }
1669 #ifndef OPENSSL_NO_DH
1670 if (!no_dhe) {
1671 if (dhe1024dsa) {
1672 dh = get_dh1024dsa();
1673 } else if (dhe512)
1674 dh = get_dh512();
1675 else
1676 dh = get_dh1024();
1677 SSL_CTX_set_tmp_dh(s_ctx, dh);
1678 SSL_CTX_set_tmp_dh(s_ctx2, dh);
1679 DH_free(dh);
1680 }
1681 #else
1682 (void)no_dhe;
1683 #endif
1684
1685 if ((!SSL_CTX_load_verify_locations(s_ctx, CAfile, CApath)) ||
1686 (!SSL_CTX_set_default_verify_paths(s_ctx)) ||
1687 (!SSL_CTX_load_verify_locations(s_ctx2, CAfile, CApath)) ||
1688 (!SSL_CTX_set_default_verify_paths(s_ctx2)) ||
1689 (!SSL_CTX_load_verify_locations(c_ctx, CAfile, CApath)) ||
1690 (!SSL_CTX_set_default_verify_paths(c_ctx))) {
1691 /* fprintf(stderr,"SSL_load_verify_locations\n"); */
1692 ERR_print_errors(bio_err);
1693 /* goto end; */
1694 }
1695
1696 #ifndef OPENSSL_NO_CT
1697 if (!SSL_CTX_set_default_ctlog_list_file(s_ctx) ||
1698 !SSL_CTX_set_default_ctlog_list_file(s_ctx2) ||
1699 !SSL_CTX_set_default_ctlog_list_file(c_ctx)) {
1700 ERR_print_errors(bio_err);
1701 }
1702 #endif
1703
1704 if (client_auth) {
1705 printf("client authentication\n");
1706 SSL_CTX_set_verify(s_ctx,
1707 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
1708 verify_callback);
1709 SSL_CTX_set_verify(s_ctx2,
1710 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
1711 verify_callback);
1712 SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback,
1713 &app_verify_arg);
1714 SSL_CTX_set_cert_verify_callback(s_ctx2, app_verify_callback,
1715 &app_verify_arg);
1716 }
1717 if (server_auth) {
1718 printf("server authentication\n");
1719 SSL_CTX_set_verify(c_ctx, SSL_VERIFY_PEER, verify_callback);
1720 SSL_CTX_set_cert_verify_callback(c_ctx, app_verify_callback,
1721 &app_verify_arg);
1722 }
1723
1724 {
1725 int session_id_context = 0;
1726 if (!SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context,
1727 sizeof session_id_context) ||
1728 !SSL_CTX_set_session_id_context(s_ctx2, (void *)&session_id_context,
1729 sizeof session_id_context)) {
1730 ERR_print_errors(bio_err);
1731 goto end;
1732 }
1733 }
1734
1735 /* Use PSK only if PSK key is given */
1736 if (psk_key != NULL) {
1737 /*
1738 * no_psk is used to avoid putting psk command to openssl tool
1739 */
1740 if (no_psk) {
1741 /*
1742 * if PSK is not compiled in and psk key is given, do nothing and
1743 * exit successfully
1744 */
1745 ret = 0;
1746 goto end;
1747 }
1748 #ifndef OPENSSL_NO_PSK
1749 SSL_CTX_set_psk_client_callback(c_ctx, psk_client_callback);
1750 SSL_CTX_set_psk_server_callback(s_ctx, psk_server_callback);
1751 SSL_CTX_set_psk_server_callback(s_ctx2, psk_server_callback);
1752 if (debug)
1753 BIO_printf(bio_err, "setting PSK identity hint to s_ctx\n");
1754 if (!SSL_CTX_use_psk_identity_hint(s_ctx, "ctx server identity_hint") ||
1755 !SSL_CTX_use_psk_identity_hint(s_ctx2, "ctx server identity_hint")) {
1756 BIO_printf(bio_err, "error setting PSK identity hint to s_ctx\n");
1757 ERR_print_errors(bio_err);
1758 goto end;
1759 }
1760 #endif
1761 }
1762 #ifndef OPENSSL_NO_SRP
1763 if (srp_client_arg.srplogin) {
1764 if (!SSL_CTX_set_srp_username(c_ctx, srp_client_arg.srplogin)) {
1765 BIO_printf(bio_err, "Unable to set SRP username\n");
1766 goto end;
1767 }
1768 SSL_CTX_set_srp_cb_arg(c_ctx, &srp_client_arg);
1769 SSL_CTX_set_srp_client_pwd_callback(c_ctx,
1770 ssl_give_srp_client_pwd_cb);
1771 /*
1772 * SSL_CTX_set_srp_strength(c_ctx, srp_client_arg.strength);
1773 */
1774 }
1775
1776 if (srp_server_arg.expected_user != NULL) {
1777 SSL_CTX_set_verify(s_ctx, SSL_VERIFY_NONE, verify_callback);
1778 SSL_CTX_set_verify(s_ctx2, SSL_VERIFY_NONE, verify_callback);
1779 SSL_CTX_set_srp_cb_arg(s_ctx, &srp_server_arg);
1780 SSL_CTX_set_srp_cb_arg(s_ctx2, &srp_server_arg);
1781 SSL_CTX_set_srp_username_callback(s_ctx, ssl_srp_server_param_cb);
1782 SSL_CTX_set_srp_username_callback(s_ctx2, ssl_srp_server_param_cb);
1783 }
1784 #endif
1785
1786 #ifndef OPENSSL_NO_NEXTPROTONEG
1787 if (npn_client) {
1788 SSL_CTX_set_next_proto_select_cb(c_ctx, cb_client_npn, NULL);
1789 }
1790 if (npn_server) {
1791 if (npn_server_reject) {
1792 BIO_printf(bio_err,
1793 "Can't have both -npn_server and -npn_server_reject\n");
1794 goto end;
1795 }
1796 SSL_CTX_set_next_protos_advertised_cb(s_ctx, cb_server_npn, NULL);
1797 SSL_CTX_set_next_protos_advertised_cb(s_ctx2, cb_server_npn, NULL);
1798 }
1799 if (npn_server_reject) {
1800 SSL_CTX_set_next_protos_advertised_cb(s_ctx, cb_server_rejects_npn,
1801 NULL);
1802 SSL_CTX_set_next_protos_advertised_cb(s_ctx2, cb_server_rejects_npn,
1803 NULL);
1804 }
1805 #endif
1806
1807 if (serverinfo_sct) {
1808 if (!SSL_CTX_add_client_custom_ext(c_ctx,
1809 TLSEXT_TYPE_signed_certificate_timestamp,
1810 NULL, NULL, NULL,
1811 serverinfo_cli_parse_cb, NULL)) {
1812 BIO_printf(bio_err, "Error adding SCT extension\n");
1813 goto end;
1814 }
1815 }
1816 if (serverinfo_tack) {
1817 if (!SSL_CTX_add_client_custom_ext(c_ctx, TACK_EXT_TYPE,
1818 NULL, NULL, NULL,
1819 serverinfo_cli_parse_cb, NULL)) {
1820 BIO_printf(bio_err, "Error adding TACK extension\n");
1821 goto end;
1822 }
1823 }
1824 if (serverinfo_file)
1825 if (!SSL_CTX_use_serverinfo_file(s_ctx, serverinfo_file) ||
1826 !SSL_CTX_use_serverinfo_file(s_ctx2, serverinfo_file)) {
1827 BIO_printf(bio_err, "missing serverinfo file\n");
1828 goto end;
1829 }
1830
1831 if (custom_ext) {
1832 if (!SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_0,
1833 custom_ext_0_cli_add_cb,
1834 NULL, NULL,
1835 custom_ext_0_cli_parse_cb, NULL)
1836 || !SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_1,
1837 custom_ext_1_cli_add_cb,
1838 NULL, NULL,
1839 custom_ext_1_cli_parse_cb, NULL)
1840 || !SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_2,
1841 custom_ext_2_cli_add_cb,
1842 NULL, NULL,
1843 custom_ext_2_cli_parse_cb, NULL)
1844 || !SSL_CTX_add_client_custom_ext(c_ctx, CUSTOM_EXT_TYPE_3,
1845 custom_ext_3_cli_add_cb,
1846 NULL, NULL,
1847 custom_ext_3_cli_parse_cb, NULL)
1848 || !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_0,
1849 custom_ext_0_srv_add_cb,
1850 NULL, NULL,
1851 custom_ext_0_srv_parse_cb, NULL)
1852 || !SSL_CTX_add_server_custom_ext(s_ctx2, CUSTOM_EXT_TYPE_0,
1853 custom_ext_0_srv_add_cb,
1854 NULL, NULL,
1855 custom_ext_0_srv_parse_cb, NULL)
1856 || !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_1,
1857 custom_ext_1_srv_add_cb,
1858 NULL, NULL,
1859 custom_ext_1_srv_parse_cb, NULL)
1860 || !SSL_CTX_add_server_custom_ext(s_ctx2, CUSTOM_EXT_TYPE_1,
1861 custom_ext_1_srv_add_cb,
1862 NULL, NULL,
1863 custom_ext_1_srv_parse_cb, NULL)
1864 || !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_2,
1865 custom_ext_2_srv_add_cb,
1866 NULL, NULL,
1867 custom_ext_2_srv_parse_cb, NULL)
1868 || !SSL_CTX_add_server_custom_ext(s_ctx2, CUSTOM_EXT_TYPE_2,
1869 custom_ext_2_srv_add_cb,
1870 NULL, NULL,
1871 custom_ext_2_srv_parse_cb, NULL)
1872 || !SSL_CTX_add_server_custom_ext(s_ctx, CUSTOM_EXT_TYPE_3,
1873 custom_ext_3_srv_add_cb,
1874 NULL, NULL,
1875 custom_ext_3_srv_parse_cb, NULL)
1876 || !SSL_CTX_add_server_custom_ext(s_ctx2, CUSTOM_EXT_TYPE_3,
1877 custom_ext_3_srv_add_cb,
1878 NULL, NULL,
1879 custom_ext_3_srv_parse_cb, NULL)) {
1880 BIO_printf(bio_err, "Error setting custom extensions\n");
1881 goto end;
1882 }
1883 }
1884
1885 if (alpn_server)
1886 SSL_CTX_set_alpn_select_cb(s_ctx, cb_server_alpn, alpn_server);
1887 if (alpn_server2)
1888 SSL_CTX_set_alpn_select_cb(s_ctx2, cb_server_alpn, alpn_server2);
1889
1890 if (alpn_client) {
1891 size_t alpn_len;
1892 unsigned char *alpn = next_protos_parse(&alpn_len, alpn_client);
1893
1894 if (alpn == NULL) {
1895 BIO_printf(bio_err, "Error parsing -alpn_client argument\n");
1896 goto end;
1897 }
1898 /* Returns 0 on success!! */
1899 if (SSL_CTX_set_alpn_protos(c_ctx, alpn, alpn_len)) {
1900 BIO_printf(bio_err, "Error setting ALPN\n");
1901 OPENSSL_free(alpn);
1902 goto end;
1903 }
1904 OPENSSL_free(alpn);
1905 }
1906
1907 if (server_sess_in != NULL) {
1908 server_sess = read_session(server_sess_in);
1909 if (server_sess == NULL)
1910 goto end;
1911 }
1912 if (client_sess_in != NULL) {
1913 client_sess = read_session(client_sess_in);
1914 if (client_sess == NULL)
1915 goto end;
1916 }
1917
1918 if (server_sess_out != NULL || server_sess_in != NULL) {
1919 char *keys;
1920 long size;
1921
1922 /* Use a fixed key so that we can decrypt the ticket. */
1923 size = SSL_CTX_set_tlsext_ticket_keys(s_ctx, NULL, 0);
1924 keys = OPENSSL_zalloc(size);
1925 SSL_CTX_set_tlsext_ticket_keys(s_ctx, keys, size);
1926 OPENSSL_free(keys);
1927 }
1928
1929 if (sn_server1 != NULL || sn_server2 != NULL)
1930 SSL_CTX_set_tlsext_servername_callback(s_ctx, servername_cb);
1931
1932 c_ssl = SSL_new(c_ctx);
1933 s_ssl = SSL_new(s_ctx);
1934
1935 if (sn_client)
1936 SSL_set_tlsext_host_name(c_ssl, sn_client);
1937
1938 if (!set_protocol_version(server_min_proto, s_ssl, SSL_CTRL_SET_MIN_PROTO_VERSION))
1939 goto end;
1940 if (!set_protocol_version(server_max_proto, s_ssl, SSL_CTRL_SET_MAX_PROTO_VERSION))
1941 goto end;
1942 if (!set_protocol_version(client_min_proto, c_ssl, SSL_CTRL_SET_MIN_PROTO_VERSION))
1943 goto end;
1944 if (!set_protocol_version(client_max_proto, c_ssl, SSL_CTRL_SET_MAX_PROTO_VERSION))
1945 goto end;
1946
1947 if (server_sess) {
1948 if (SSL_CTX_add_session(s_ctx, server_sess) == 0) {
1949 BIO_printf(bio_err, "Can't add server session\n");
1950 ERR_print_errors(bio_err);
1951 goto end;
1952 }
1953 }
1954
1955 BIO_printf(bio_stdout, "Doing handshakes=%d bytes=%ld\n", number, bytes);
1956 for (i = 0; i < number; i++) {
1957 if (!reuse) {
1958 if (!SSL_set_session(c_ssl, NULL)) {
1959 BIO_printf(bio_err, "Failed to set session\n");
1960 goto end;
1961 }
1962 }
1963 if (client_sess_in != NULL) {
1964 if (SSL_set_session(c_ssl, client_sess) == 0) {
1965 BIO_printf(bio_err, "Can't set client session\n");
1966 ERR_print_errors(bio_err);
1967 goto end;
1968 }
1969 }
1970 switch (bio_type) {
1971 case BIO_MEM:
1972 ret = doit(s_ssl, c_ssl, bytes);
1973 break;
1974 case BIO_PAIR:
1975 ret = doit_biopair(s_ssl, c_ssl, bytes, &s_time, &c_time);
1976 break;
1977 #ifndef OPENSSL_NO_SOCK
1978 case BIO_IPV4:
1979 ret = doit_localhost(s_ssl, c_ssl, BIO_FAMILY_IPV4,
1980 bytes, &s_time, &c_time);
1981 break;
1982 case BIO_IPV6:
1983 ret = doit_localhost(s_ssl, c_ssl, BIO_FAMILY_IPV6,
1984 bytes, &s_time, &c_time);
1985 break;
1986 #else
1987 case BIO_IPV4:
1988 case BIO_IPV6:
1989 ret = 1;
1990 goto err;
1991 #endif
1992 }
1993 if (ret) break;
1994 }
1995
1996 if (should_negotiate && ret == 0 &&
1997 strcmp(should_negotiate, "fail-server") != 0 &&
1998 strcmp(should_negotiate, "fail-client") != 0) {
1999 int version = protocol_from_string(should_negotiate);
2000 if (version < 0) {
2001 BIO_printf(bio_err, "Error parsing: %s\n", should_negotiate);
2002 ret = 1;
2003 goto err;
2004 }
2005 if (SSL_version(c_ssl) != version) {
2006 BIO_printf(bio_err, "Unxpected version negotiated. "
2007 "Expected: %s, got %s\n", should_negotiate, SSL_get_version(c_ssl));
2008 ret = 1;
2009 goto err;
2010 }
2011 }
2012
2013 if (should_reuse != -1) {
2014 if (SSL_session_reused(s_ssl) != should_reuse ||
2015 SSL_session_reused(c_ssl) != should_reuse) {
2016 BIO_printf(bio_err, "Unexpected session reuse state. "
2017 "Expected: %d, server: %d, client: %d\n", should_reuse,
2018 SSL_session_reused(s_ssl), SSL_session_reused(c_ssl));
2019 ret = 1;
2020 goto err;
2021 }
2022 }
2023
2024 if (server_sess_out != NULL) {
2025 if (write_session(server_sess_out, SSL_get_session(s_ssl)) == 0) {
2026 ret = 1;
2027 goto err;
2028 }
2029 }
2030 if (client_sess_out != NULL) {
2031 if (write_session(client_sess_out, SSL_get_session(c_ssl)) == 0) {
2032 ret = 1;
2033 goto err;
2034 }
2035 }
2036
2037 if (!verbose) {
2038 print_details(c_ssl, "");
2039 }
2040 if (print_time) {
2041 #ifdef CLOCKS_PER_SEC
2042 /*
2043 * "To determine the time in seconds, the value returned by the clock
2044 * function should be divided by the value of the macro
2045 * CLOCKS_PER_SEC." -- ISO/IEC 9899
2046 */
2047 BIO_printf(bio_stdout, "Approximate total server time: %6.2f s\n"
2048 "Approximate total client time: %6.2f s\n",
2049 (double)s_time / CLOCKS_PER_SEC,
2050 (double)c_time / CLOCKS_PER_SEC);
2051 #else
2052 BIO_printf(bio_stdout,
2053 "Approximate total server time: %6.2f units\n"
2054 "Approximate total client time: %6.2f units\n",
2055 (double)s_time, (double)c_time);
2056 #endif
2057 }
2058
2059 err:
2060 SSL_free(s_ssl);
2061 SSL_free(c_ssl);
2062
2063 end:
2064 SSL_CTX_free(s_ctx);
2065 SSL_CTX_free(s_ctx2);
2066 SSL_CTX_free(c_ctx);
2067 SSL_CONF_CTX_free(s_cctx);
2068 SSL_CONF_CTX_free(s_cctx2);
2069 SSL_CONF_CTX_free(c_cctx);
2070 sk_OPENSSL_STRING_free(conf_args);
2071
2072 BIO_free(bio_stdout);
2073
2074 SSL_SESSION_free(server_sess);
2075 SSL_SESSION_free(client_sess);
2076
2077 #ifndef OPENSSL_NO_CRYPTO_MDEBUG
2078 if (CRYPTO_mem_leaks(bio_err) <= 0)
2079 ret = 1;
2080 #endif
2081 BIO_free(bio_err);
2082 EXIT(ret);
2083 }
2084
2085 #ifndef OPENSSL_NO_SOCK
2086 int doit_localhost(SSL *s_ssl, SSL *c_ssl, int family, long count,
2087 clock_t *s_time, clock_t *c_time)
2088 {
2089 long cw_num = count, cr_num = count, sw_num = count, sr_num = count;
2090 BIO *s_ssl_bio = NULL, *c_ssl_bio = NULL;
2091 BIO *acpt = NULL, *server = NULL, *client = NULL;
2092 char addr_str[40];
2093 int ret = 1;
2094 int err_in_client = 0;
2095 int err_in_server = 0;
2096
2097 acpt = BIO_new_accept("0");
2098 if (acpt == NULL)
2099 goto err;
2100 BIO_set_accept_ip_family(acpt, family);
2101 BIO_set_bind_mode(acpt, BIO_SOCK_NONBLOCK | BIO_SOCK_REUSEADDR);
2102 if (BIO_do_accept(acpt) <= 0)
2103 goto err;
2104
2105 BIO_snprintf(addr_str, sizeof(addr_str), ":%s", BIO_get_accept_port(acpt));
2106
2107 client = BIO_new_connect(addr_str);
2108 BIO_set_conn_ip_family(client, family);
2109 if (!client)
2110 goto err;
2111
2112 if (BIO_set_nbio(client, 1) <= 0)
2113 goto err;
2114 if (BIO_set_nbio(acpt, 1) <= 0)
2115 goto err;
2116
2117 {
2118 int st_connect = 0, st_accept = 0;
2119
2120 while(!st_connect || !st_accept) {
2121 if (!st_connect) {
2122 if (BIO_do_connect(client) <= 0) {
2123 if (!BIO_should_retry(client))
2124 goto err;
2125 } else {
2126 st_connect = 1;
2127 }
2128 }
2129 if (!st_accept) {
2130 if (BIO_do_accept(acpt) <= 0) {
2131 if (!BIO_should_retry(acpt))
2132 goto err;
2133 } else {
2134 st_accept = 1;
2135 }
2136 }
2137 }
2138 }
2139 /* We're not interested in accepting further connects */
2140 server = BIO_pop(acpt);
2141 BIO_free_all(acpt);
2142 acpt = NULL;
2143
2144 s_ssl_bio = BIO_new(BIO_f_ssl());
2145 if (!s_ssl_bio)
2146 goto err;
2147
2148 c_ssl_bio = BIO_new(BIO_f_ssl());
2149 if (!c_ssl_bio)
2150 goto err;
2151
2152 SSL_set_connect_state(c_ssl);
2153 SSL_set_bio(c_ssl, client, client);
2154 (void)BIO_set_ssl(c_ssl_bio, c_ssl, BIO_NOCLOSE);
2155
2156 SSL_set_accept_state(s_ssl);
2157 SSL_set_bio(s_ssl, server, server);
2158 (void)BIO_set_ssl(s_ssl_bio, s_ssl, BIO_NOCLOSE);
2159
2160 do {
2161 /*-
2162 * c_ssl_bio: SSL filter BIO
2163 *
2164 * client: I/O for SSL library
2165 *
2166 *
2167 * server: I/O for SSL library
2168 *
2169 * s_ssl_bio: SSL filter BIO
2170 */
2171
2172 /*
2173 * We have non-blocking behaviour throughout this test program, but
2174 * can be sure that there is *some* progress in each iteration; so we
2175 * don't have to worry about ..._SHOULD_READ or ..._SHOULD_WRITE --
2176 * we just try everything in each iteration
2177 */
2178
2179 {
2180 /* CLIENT */
2181
2182 char cbuf[1024 * 8];
2183 int i, r;
2184 clock_t c_clock = clock();
2185
2186 memset(cbuf, 0, sizeof(cbuf));
2187
2188 if (debug)
2189 if (SSL_in_init(c_ssl))
2190 printf("client waiting in SSL_connect - %s\n",
2191 SSL_state_string_long(c_ssl));
2192
2193 if (cw_num > 0) {
2194 /* Write to server. */
2195
2196 if (cw_num > (long)sizeof cbuf)
2197 i = sizeof cbuf;
2198 else
2199 i = (int)cw_num;
2200 r = BIO_write(c_ssl_bio, cbuf, i);
2201 if (r < 0) {
2202 if (!BIO_should_retry(c_ssl_bio)) {
2203 fprintf(stderr, "ERROR in CLIENT\n");
2204 err_in_client = 1;
2205 goto err;
2206 }
2207 /*
2208 * BIO_should_retry(...) can just be ignored here. The
2209 * library expects us to call BIO_write with the same
2210 * arguments again, and that's what we will do in the
2211 * next iteration.
2212 */
2213 } else if (r == 0) {
2214 fprintf(stderr, "SSL CLIENT STARTUP FAILED\n");
2215 goto err;
2216 } else {
2217 if (debug)
2218 printf("client wrote %d\n", r);
2219 cw_num -= r;
2220 }
2221 }
2222
2223 if (cr_num > 0) {
2224 /* Read from server. */
2225
2226 r = BIO_read(c_ssl_bio, cbuf, sizeof(cbuf));
2227 if (r < 0) {
2228 if (!BIO_should_retry(c_ssl_bio)) {
2229 fprintf(stderr, "ERROR in CLIENT\n");
2230 err_in_client = 1;
2231 goto err;
2232 }
2233 /*
2234 * Again, "BIO_should_retry" can be ignored.
2235 */
2236 } else if (r == 0) {
2237 fprintf(stderr, "SSL CLIENT STARTUP FAILED\n");
2238 goto err;
2239 } else {
2240 if (debug)
2241 printf("client read %d\n", r);
2242 cr_num -= r;
2243 }
2244 }
2245
2246 /*
2247 * c_time and s_time increments will typically be very small
2248 * (depending on machine speed and clock tick intervals), but
2249 * sampling over a large number of connections should result in
2250 * fairly accurate figures. We cannot guarantee a lot, however
2251 * -- if each connection lasts for exactly one clock tick, it
2252 * will be counted only for the client or only for the server or
2253 * even not at all.
2254 */
2255 *c_time += (clock() - c_clock);
2256 }
2257
2258 {
2259 /* SERVER */
2260
2261 char sbuf[1024 * 8];
2262 int i, r;
2263 clock_t s_clock = clock();
2264
2265 memset(sbuf, 0, sizeof(sbuf));
2266
2267 if (debug)
2268 if (SSL_in_init(s_ssl))
2269 printf("server waiting in SSL_accept - %s\n",
2270 SSL_state_string_long(s_ssl));
2271
2272 if (sw_num > 0) {
2273 /* Write to client. */
2274
2275 if (sw_num > (long)sizeof sbuf)
2276 i = sizeof sbuf;
2277 else
2278 i = (int)sw_num;
2279 r = BIO_write(s_ssl_bio, sbuf, i);
2280 if (r < 0) {
2281 if (!BIO_should_retry(s_ssl_bio)) {
2282 fprintf(stderr, "ERROR in SERVER\n");
2283 err_in_server = 1;
2284 goto err;
2285 }
2286 /* Ignore "BIO_should_retry". */
2287 } else if (r == 0) {
2288 fprintf(stderr, "SSL SERVER STARTUP FAILED\n");
2289 goto err;
2290 } else {
2291 if (debug)
2292 printf("server wrote %d\n", r);
2293 sw_num -= r;
2294 }
2295 }
2296
2297 if (sr_num > 0) {
2298 /* Read from client. */
2299
2300 r = BIO_read(s_ssl_bio, sbuf, sizeof(sbuf));
2301 if (r < 0) {
2302 if (!BIO_should_retry(s_ssl_bio)) {
2303 fprintf(stderr, "ERROR in SERVER\n");
2304 err_in_server = 1;
2305 goto err;
2306 }
2307 /* blah, blah */
2308 } else if (r == 0) {
2309 fprintf(stderr, "SSL SERVER STARTUP FAILED\n");
2310 goto err;
2311 } else {
2312 if (debug)
2313 printf("server read %d\n", r);
2314 sr_num -= r;
2315 }
2316 }
2317
2318 *s_time += (clock() - s_clock);
2319 }
2320 }
2321 while (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0);
2322
2323 if (verbose)
2324 print_details(c_ssl, "DONE via TCP connect: ");
2325 # ifndef OPENSSL_NO_NEXTPROTONEG
2326 if (verify_npn(c_ssl, s_ssl) < 0) {
2327 ret = 1;
2328 goto end;
2329 }
2330 # endif
2331 if (verify_serverinfo() < 0) {
2332 fprintf(stderr, "Server info verify error\n");
2333 ret = 1;
2334 goto err;
2335 }
2336 if (verify_alpn(c_ssl, s_ssl) < 0) {
2337 ret = 1;
2338 goto err;
2339 }
2340 if (verify_servername(c_ssl, s_ssl) < 0) {
2341 ret = 1;
2342 goto err;
2343 }
2344
2345 if (custom_ext_error) {
2346 fprintf(stderr, "Custom extension error\n");
2347 ret = 1;
2348 goto err;
2349 }
2350
2351 # ifndef OPENSSL_NO_NEXTPROTONEG
2352 end:
2353 # endif
2354 ret = 0;
2355
2356 err:
2357 ERR_print_errors(bio_err);
2358
2359 BIO_free_all(acpt);
2360 BIO_free(server);
2361 BIO_free(client);
2362 BIO_free(s_ssl_bio);
2363 BIO_free(c_ssl_bio);
2364
2365 if (should_negotiate != NULL && strcmp(should_negotiate, "fail-client") == 0)
2366 ret = (err_in_client != 0) ? 0 : 1;
2367 else if (should_negotiate != NULL && strcmp(should_negotiate, "fail-server") == 0)
2368 ret = (err_in_server != 0) ? 0 : 1;
2369
2370 return ret;
2371 }
2372 #endif
2373
2374 int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count,
2375 clock_t *s_time, clock_t *c_time)
2376 {
2377 long cw_num = count, cr_num = count, sw_num = count, sr_num = count;
2378 BIO *s_ssl_bio = NULL, *c_ssl_bio = NULL;
2379 BIO *server = NULL, *server_io = NULL, *client = NULL, *client_io = NULL;
2380 int ret = 1;
2381 int err_in_client = 0;
2382 int err_in_server = 0;
2383
2384 size_t bufsiz = 256; /* small buffer for testing */
2385
2386 if (!BIO_new_bio_pair(&server, bufsiz, &server_io, bufsiz))
2387 goto err;
2388 if (!BIO_new_bio_pair(&client, bufsiz, &client_io, bufsiz))
2389 goto err;
2390
2391 s_ssl_bio = BIO_new(BIO_f_ssl());
2392 if (!s_ssl_bio)
2393 goto err;
2394
2395 c_ssl_bio = BIO_new(BIO_f_ssl());
2396 if (!c_ssl_bio)
2397 goto err;
2398
2399 SSL_set_connect_state(c_ssl);
2400 SSL_set_bio(c_ssl, client, client);
2401 (void)BIO_set_ssl(c_ssl_bio, c_ssl, BIO_NOCLOSE);
2402
2403 SSL_set_accept_state(s_ssl);
2404 SSL_set_bio(s_ssl, server, server);
2405 (void)BIO_set_ssl(s_ssl_bio, s_ssl, BIO_NOCLOSE);
2406
2407 do {
2408 /*-
2409 * c_ssl_bio: SSL filter BIO
2410 *
2411 * client: pseudo-I/O for SSL library
2412 *
2413 * client_io: client's SSL communication; usually to be
2414 * relayed over some I/O facility, but in this
2415 * test program, we're the server, too:
2416 *
2417 * server_io: server's SSL communication
2418 *
2419 * server: pseudo-I/O for SSL library
2420 *
2421 * s_ssl_bio: SSL filter BIO
2422 *
2423 * The client and the server each employ a "BIO pair":
2424 * client + client_io, server + server_io.
2425 * BIO pairs are symmetric. A BIO pair behaves similar
2426 * to a non-blocking socketpair (but both endpoints must
2427 * be handled by the same thread).
2428 * [Here we could connect client and server to the ends
2429 * of a single BIO pair, but then this code would be less
2430 * suitable as an example for BIO pairs in general.]
2431 *
2432 * Useful functions for querying the state of BIO pair endpoints:
2433 *
2434 * BIO_ctrl_pending(bio) number of bytes we can read now
2435 * BIO_ctrl_get_read_request(bio) number of bytes needed to fulfil
2436 * other side's read attempt
2437 * BIO_ctrl_get_write_guarantee(bio) number of bytes we can write now
2438 *
2439 * ..._read_request is never more than ..._write_guarantee;
2440 * it depends on the application which one you should use.
2441 */
2442
2443 /*
2444 * We have non-blocking behaviour throughout this test program, but
2445 * can be sure that there is *some* progress in each iteration; so we
2446 * don't have to worry about ..._SHOULD_READ or ..._SHOULD_WRITE --
2447 * we just try everything in each iteration
2448 */
2449
2450 {
2451 /* CLIENT */
2452
2453 char cbuf[1024 * 8];
2454 int i, r;
2455 clock_t c_clock = clock();
2456
2457 memset(cbuf, 0, sizeof(cbuf));
2458
2459 if (debug)
2460 if (SSL_in_init(c_ssl))
2461 printf("client waiting in SSL_connect - %s\n",
2462 SSL_state_string_long(c_ssl));
2463
2464 if (cw_num > 0) {
2465 /* Write to server. */
2466
2467 if (cw_num > (long)sizeof cbuf)
2468 i = sizeof cbuf;
2469 else
2470 i = (int)cw_num;
2471 r = BIO_write(c_ssl_bio, cbuf, i);
2472 if (r < 0) {
2473 if (!BIO_should_retry(c_ssl_bio)) {
2474 fprintf(stderr, "ERROR in CLIENT\n");
2475 err_in_client = 1;
2476 goto err;
2477 }
2478 /*
2479 * BIO_should_retry(...) can just be ignored here. The
2480 * library expects us to call BIO_write with the same
2481 * arguments again, and that's what we will do in the
2482 * next iteration.
2483 */
2484 } else if (r == 0) {
2485 fprintf(stderr, "SSL CLIENT STARTUP FAILED\n");
2486 goto err;
2487 } else {
2488 if (debug)
2489 printf("client wrote %d\n", r);
2490 cw_num -= r;
2491 }
2492 }
2493
2494 if (cr_num > 0) {
2495 /* Read from server. */
2496
2497 r = BIO_read(c_ssl_bio, cbuf, sizeof(cbuf));
2498 if (r < 0) {
2499 if (!BIO_should_retry(c_ssl_bio)) {
2500 fprintf(stderr, "ERROR in CLIENT\n");
2501 err_in_client = 1;
2502 goto err;
2503 }
2504 /*
2505 * Again, "BIO_should_retry" can be ignored.
2506 */
2507 } else if (r == 0) {
2508 fprintf(stderr, "SSL CLIENT STARTUP FAILED\n");
2509 goto err;
2510 } else {
2511 if (debug)
2512 printf("client read %d\n", r);
2513 cr_num -= r;
2514 }
2515 }
2516
2517 /*
2518 * c_time and s_time increments will typically be very small
2519 * (depending on machine speed and clock tick intervals), but
2520 * sampling over a large number of connections should result in
2521 * fairly accurate figures. We cannot guarantee a lot, however
2522 * -- if each connection lasts for exactly one clock tick, it
2523 * will be counted only for the client or only for the server or
2524 * even not at all.
2525 */
2526 *c_time += (clock() - c_clock);
2527 }
2528
2529 {
2530 /* SERVER */
2531
2532 char sbuf[1024 * 8];
2533 int i, r;
2534 clock_t s_clock = clock();
2535
2536 memset(sbuf, 0, sizeof(sbuf));
2537
2538 if (debug)
2539 if (SSL_in_init(s_ssl))
2540 printf("server waiting in SSL_accept - %s\n",
2541 SSL_state_string_long(s_ssl));
2542
2543 if (sw_num > 0) {
2544 /* Write to client. */
2545
2546 if (sw_num > (long)sizeof sbuf)
2547 i = sizeof sbuf;
2548 else
2549 i = (int)sw_num;
2550 r = BIO_write(s_ssl_bio, sbuf, i);
2551 if (r < 0) {
2552 if (!BIO_should_retry(s_ssl_bio)) {
2553 fprintf(stderr, "ERROR in SERVER\n");
2554 err_in_server = 1;
2555 goto err;
2556 }
2557 /* Ignore "BIO_should_retry". */
2558 } else if (r == 0) {
2559 fprintf(stderr, "SSL SERVER STARTUP FAILED\n");
2560 goto err;
2561 } else {
2562 if (debug)
2563 printf("server wrote %d\n", r);
2564 sw_num -= r;
2565 }
2566 }
2567
2568 if (sr_num > 0) {
2569 /* Read from client. */
2570
2571 r = BIO_read(s_ssl_bio, sbuf, sizeof(sbuf));
2572 if (r < 0) {
2573 if (!BIO_should_retry(s_ssl_bio)) {
2574 fprintf(stderr, "ERROR in SERVER\n");
2575 err_in_server = 1;
2576 goto err;
2577 }
2578 /* blah, blah */
2579 } else if (r == 0) {
2580 fprintf(stderr, "SSL SERVER STARTUP FAILED\n");
2581 goto err;
2582 } else {
2583 if (debug)
2584 printf("server read %d\n", r);
2585 sr_num -= r;
2586 }
2587 }
2588
2589 *s_time += (clock() - s_clock);
2590 }
2591
2592 {
2593 /* "I/O" BETWEEN CLIENT AND SERVER. */
2594
2595 size_t r1, r2;
2596 BIO *io1 = server_io, *io2 = client_io;
2597 /*
2598 * we use the non-copying interface for io1 and the standard
2599 * BIO_write/BIO_read interface for io2
2600 */
2601
2602 static int prev_progress = 1;
2603 int progress = 0;
2604
2605 /* io1 to io2 */
2606 do {
2607 size_t num;
2608 int r;
2609
2610 r1 = BIO_ctrl_pending(io1);
2611 r2 = BIO_ctrl_get_write_guarantee(io2);
2612
2613 num = r1;
2614 if (r2 < num)
2615 num = r2;
2616 if (num) {
2617 char *dataptr;
2618
2619 if (INT_MAX < num) /* yeah, right */
2620 num = INT_MAX;
2621
2622 r = BIO_nread(io1, &dataptr, (int)num);
2623 assert(r > 0);
2624 assert(r <= (int)num);
2625 /*
2626 * possibly r < num (non-contiguous data)
2627 */
2628 num = r;
2629 r = BIO_write(io2, dataptr, (int)num);
2630 if (r != (int)num) { /* can't happen */
2631 fprintf(stderr, "ERROR: BIO_write could not write "
2632 "BIO_ctrl_get_write_guarantee() bytes");
2633 goto err;
2634 }
2635 progress = 1;
2636
2637 if (debug)
2638 printf((io1 == client_io) ?
2639 "C->S relaying: %d bytes\n" :
2640 "S->C relaying: %d bytes\n", (int)num);
2641 }
2642 }
2643 while (r1 && r2);
2644
2645 /* io2 to io1 */
2646 {
2647 size_t num;
2648 int r;
2649
2650 r1 = BIO_ctrl_pending(io2);
2651 r2 = BIO_ctrl_get_read_request(io1);
2652 /*
2653 * here we could use ..._get_write_guarantee instead of
2654 * ..._get_read_request, but by using the latter we test
2655 * restartability of the SSL implementation more thoroughly
2656 */
2657 num = r1;
2658 if (r2 < num)
2659 num = r2;
2660 if (num) {
2661 char *dataptr;
2662
2663 if (INT_MAX < num)
2664 num = INT_MAX;
2665
2666 if (num > 1)
2667 --num; /* test restartability even more thoroughly */
2668
2669 r = BIO_nwrite0(io1, &dataptr);
2670 assert(r > 0);
2671 if (r < (int)num)
2672 num = r;
2673 r = BIO_read(io2, dataptr, (int)num);
2674 if (r != (int)num) { /* can't happen */
2675 fprintf(stderr, "ERROR: BIO_read could not read "
2676 "BIO_ctrl_pending() bytes");
2677 goto err;
2678 }
2679 progress = 1;
2680 r = BIO_nwrite(io1, &dataptr, (int)num);
2681 if (r != (int)num) { /* can't happen */
2682 fprintf(stderr, "ERROR: BIO_nwrite() did not accept "
2683 "BIO_nwrite0() bytes");
2684 goto err;
2685 }
2686
2687 if (debug)
2688 printf((io2 == client_io) ?
2689 "C->S relaying: %d bytes\n" :
2690 "S->C relaying: %d bytes\n", (int)num);
2691 }
2692 } /* no loop, BIO_ctrl_get_read_request now
2693 * returns 0 anyway */
2694
2695 if (!progress && !prev_progress)
2696 if (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0) {
2697 fprintf(stderr, "ERROR: got stuck\n");
2698 fprintf(stderr, " ERROR.\n");
2699 goto err;
2700 }
2701 prev_progress = progress;
2702 }
2703 }
2704 while (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0);
2705
2706 if (verbose)
2707 print_details(c_ssl, "DONE via BIO pair: ");
2708 #ifndef OPENSSL_NO_NEXTPROTONEG
2709 if (verify_npn(c_ssl, s_ssl) < 0) {
2710 ret = 1;
2711 goto end;
2712 }
2713 #endif
2714 if (verify_serverinfo() < 0) {
2715 fprintf(stderr, "Server info verify error\n");
2716 ret = 1;
2717 goto err;
2718 }
2719 if (verify_alpn(c_ssl, s_ssl) < 0) {
2720 ret = 1;
2721 goto err;
2722 }
2723 if (verify_servername(c_ssl, s_ssl) < 0) {
2724 ret = 1;
2725 goto err;
2726 }
2727
2728 if (custom_ext_error) {
2729 fprintf(stderr, "Custom extension error\n");
2730 ret = 1;
2731 goto err;
2732 }
2733
2734 #ifndef OPENSSL_NO_NEXTPROTONEG
2735 end:
2736 #endif
2737 ret = 0;
2738
2739 err:
2740 ERR_print_errors(bio_err);
2741
2742 BIO_free(server);
2743 BIO_free(server_io);
2744 BIO_free(client);
2745 BIO_free(client_io);
2746 BIO_free(s_ssl_bio);
2747 BIO_free(c_ssl_bio);
2748
2749 if (should_negotiate != NULL && strcmp(should_negotiate, "fail-client") == 0)
2750 ret = (err_in_client != 0) ? 0 : 1;
2751 else if (should_negotiate != NULL && strcmp(should_negotiate, "fail-server") == 0)
2752 ret = (err_in_server != 0) ? 0 : 1;
2753
2754 return ret;
2755 }
2756
2757 #define W_READ 1
2758 #define W_WRITE 2
2759 #define C_DONE 1
2760 #define S_DONE 2
2761
2762 int doit(SSL *s_ssl, SSL *c_ssl, long count)
2763 {
2764 char *cbuf = NULL, *sbuf = NULL;
2765 long bufsiz;
2766 long cw_num = count, cr_num = count;
2767 long sw_num = count, sr_num = count;
2768 int ret = 1;
2769 BIO *c_to_s = NULL;
2770 BIO *s_to_c = NULL;
2771 BIO *c_bio = NULL;
2772 BIO *s_bio = NULL;
2773 int c_r, c_w, s_r, s_w;
2774 int i, j;
2775 int done = 0;
2776 int c_write, s_write;
2777 int do_server = 0, do_client = 0;
2778 int max_frag = 5 * 1024;
2779 int err_in_client = 0;
2780 int err_in_server = 0;
2781
2782 bufsiz = count > 40 * 1024 ? 40 * 1024 : count;
2783
2784 if ((cbuf = OPENSSL_zalloc(bufsiz)) == NULL)
2785 goto err;
2786 if ((sbuf = OPENSSL_zalloc(bufsiz)) == NULL)
2787 goto err;
2788
2789 c_to_s = BIO_new(BIO_s_mem());
2790 s_to_c = BIO_new(BIO_s_mem());
2791 if ((s_to_c == NULL) || (c_to_s == NULL)) {
2792 ERR_print_errors(bio_err);
2793 goto err;
2794 }
2795
2796 c_bio = BIO_new(BIO_f_ssl());
2797 s_bio = BIO_new(BIO_f_ssl());
2798 if ((c_bio == NULL) || (s_bio == NULL)) {
2799 ERR_print_errors(bio_err);
2800 goto err;
2801 }
2802
2803 SSL_set_connect_state(c_ssl);
2804 SSL_set_bio(c_ssl, s_to_c, c_to_s);
2805 SSL_set_max_send_fragment(c_ssl, max_frag);
2806 BIO_set_ssl(c_bio, c_ssl, BIO_NOCLOSE);
2807
2808 SSL_set_accept_state(s_ssl);
2809 SSL_set_bio(s_ssl, c_to_s, s_to_c);
2810 SSL_set_max_send_fragment(s_ssl, max_frag);
2811 BIO_set_ssl(s_bio, s_ssl, BIO_NOCLOSE);
2812
2813 c_r = 0;
2814 s_r = 1;
2815 c_w = 1;
2816 s_w = 0;
2817 c_write = 1, s_write = 0;
2818
2819 /* We can always do writes */
2820 for (;;) {
2821 do_server = 0;
2822 do_client = 0;
2823
2824 i = (int)BIO_pending(s_bio);
2825 if ((i && s_r) || s_w)
2826 do_server = 1;
2827
2828 i = (int)BIO_pending(c_bio);
2829 if ((i && c_r) || c_w)
2830 do_client = 1;
2831
2832 if (do_server && debug) {
2833 if (SSL_in_init(s_ssl))
2834 printf("server waiting in SSL_accept - %s\n",
2835 SSL_state_string_long(s_ssl));
2836 /*-
2837 else if (s_write)
2838 printf("server:SSL_write()\n");
2839 else
2840 printf("server:SSL_read()\n"); */
2841 }
2842
2843 if (do_client && debug) {
2844 if (SSL_in_init(c_ssl))
2845 printf("client waiting in SSL_connect - %s\n",
2846 SSL_state_string_long(c_ssl));
2847 /*-
2848 else if (c_write)
2849 printf("client:SSL_write()\n");
2850 else
2851 printf("client:SSL_read()\n"); */
2852 }
2853
2854 if (!do_client && !do_server) {
2855 fprintf(stdout, "ERROR IN STARTUP\n");
2856 ERR_print_errors(bio_err);
2857 goto err;
2858 }
2859 if (do_client && !(done & C_DONE)) {
2860 if (c_write) {
2861 j = (cw_num > bufsiz) ? (int)bufsiz : (int)cw_num;
2862 i = BIO_write(c_bio, cbuf, j);
2863 if (i < 0) {
2864 c_r = 0;
2865 c_w = 0;
2866 if (BIO_should_retry(c_bio)) {
2867 if (BIO_should_read(c_bio))
2868 c_r = 1;
2869 if (BIO_should_write(c_bio))
2870 c_w = 1;
2871 } else {
2872 fprintf(stderr, "ERROR in CLIENT\n");
2873 err_in_client = 1;
2874 ERR_print_errors(bio_err);
2875 goto err;
2876 }
2877 } else if (i == 0) {
2878 fprintf(stderr, "SSL CLIENT STARTUP FAILED\n");
2879 goto err;
2880 } else {
2881 if (debug)
2882 printf("client wrote %d\n", i);
2883 /* ok */
2884 s_r = 1;
2885 c_write = 0;
2886 cw_num -= i;
2887 if (max_frag > 1029)
2888 SSL_set_max_send_fragment(c_ssl, max_frag -= 5);
2889 }
2890 } else {
2891 i = BIO_read(c_bio, cbuf, bufsiz);
2892 if (i < 0) {
2893 c_r = 0;
2894 c_w = 0;
2895 if (BIO_should_retry(c_bio)) {
2896 if (BIO_should_read(c_bio))
2897 c_r = 1;
2898 if (BIO_should_write(c_bio))
2899 c_w = 1;
2900 } else {
2901 fprintf(stderr, "ERROR in CLIENT\n");
2902 err_in_client = 1;
2903 ERR_print_errors(bio_err);
2904 goto err;
2905 }
2906 } else if (i == 0) {
2907 fprintf(stderr, "SSL CLIENT STARTUP FAILED\n");
2908 goto err;
2909 } else {
2910 if (debug)
2911 printf("client read %d\n", i);
2912 cr_num -= i;
2913 if (sw_num > 0) {
2914 s_write = 1;
2915 s_w = 1;
2916 }
2917 if (cr_num <= 0) {
2918 s_write = 1;
2919 s_w = 1;
2920 done = S_DONE | C_DONE;
2921 }
2922 }
2923 }
2924 }
2925
2926 if (do_server && !(done & S_DONE)) {
2927 if (!s_write) {
2928 i = BIO_read(s_bio, sbuf, bufsiz);
2929 if (i < 0) {
2930 s_r = 0;
2931 s_w = 0;
2932 if (BIO_should_retry(s_bio)) {
2933 if (BIO_should_read(s_bio))
2934 s_r = 1;
2935 if (BIO_should_write(s_bio))
2936 s_w = 1;
2937 } else {
2938 fprintf(stderr, "ERROR in SERVER\n");
2939 err_in_server = 1;
2940 ERR_print_errors(bio_err);
2941 goto err;
2942 }
2943 } else if (i == 0) {
2944 ERR_print_errors(bio_err);
2945 fprintf(stderr,
2946 "SSL SERVER STARTUP FAILED in SSL_read\n");
2947 goto err;
2948 } else {
2949 if (debug)
2950 printf("server read %d\n", i);
2951 sr_num -= i;
2952 if (cw_num > 0) {
2953 c_write = 1;
2954 c_w = 1;
2955 }
2956 if (sr_num <= 0) {
2957 s_write = 1;
2958 s_w = 1;
2959 c_write = 0;
2960 }
2961 }
2962 } else {
2963 j = (sw_num > bufsiz) ? (int)bufsiz : (int)sw_num;
2964 i = BIO_write(s_bio, sbuf, j);
2965 if (i < 0) {
2966 s_r = 0;
2967 s_w = 0;
2968 if (BIO_should_retry(s_bio)) {
2969 if (BIO_should_read(s_bio))
2970 s_r = 1;
2971 if (BIO_should_write(s_bio))
2972 s_w = 1;
2973 } else {
2974 fprintf(stderr, "ERROR in SERVER\n");
2975 err_in_server = 1;
2976 ERR_print_errors(bio_err);
2977 goto err;
2978 }
2979 } else if (i == 0) {
2980 ERR_print_errors(bio_err);
2981 fprintf(stderr,
2982 "SSL SERVER STARTUP FAILED in SSL_write\n");
2983 goto err;
2984 } else {
2985 if (debug)
2986 printf("server wrote %d\n", i);
2987 sw_num -= i;
2988 s_write = 0;
2989 c_r = 1;
2990 if (sw_num <= 0)
2991 done |= S_DONE;
2992 if (max_frag > 1029)
2993 SSL_set_max_send_fragment(s_ssl, max_frag -= 5);
2994 }
2995 }
2996 }
2997
2998 if ((done & S_DONE) && (done & C_DONE))
2999 break;
3000 }
3001
3002 if (verbose)
3003 print_details(c_ssl, "DONE: ");
3004 #ifndef OPENSSL_NO_NEXTPROTONEG
3005 if (verify_npn(c_ssl, s_ssl) < 0) {
3006 ret = 1;
3007 goto err;
3008 }
3009 #endif
3010 if (verify_serverinfo() < 0) {
3011 fprintf(stderr, "Server info verify error\n");
3012 ret = 1;
3013 goto err;
3014 }
3015 if (custom_ext_error) {
3016 fprintf(stderr, "Custom extension error\n");
3017 ret = 1;
3018 goto err;
3019 }
3020 ret = 0;
3021 err:
3022 /*
3023 * We have to set the BIO's to NULL otherwise they will be
3024 * OPENSSL_free()ed twice. Once when th s_ssl is SSL_free()ed and again
3025 * when c_ssl is SSL_free()ed. This is a hack required because s_ssl and
3026 * c_ssl are sharing the same BIO structure and SSL_set_bio() and
3027 * SSL_free() automatically BIO_free non NULL entries. You should not
3028 * normally do this or be required to do this
3029 */
3030 if (s_ssl != NULL) {
3031 s_ssl->rbio = NULL;
3032 s_ssl->wbio = NULL;
3033 }
3034 if (c_ssl != NULL) {
3035 c_ssl->rbio = NULL;
3036 c_ssl->wbio = NULL;
3037 }
3038
3039 BIO_free(c_to_s);
3040 BIO_free(s_to_c);
3041 BIO_free_all(c_bio);
3042 BIO_free_all(s_bio);
3043 OPENSSL_free(cbuf);
3044 OPENSSL_free(sbuf);
3045
3046 if (should_negotiate != NULL && strcmp(should_negotiate, "fail-client") == 0)
3047 ret = (err_in_client != 0) ? 0 : 1;
3048 else if (should_negotiate != NULL && strcmp(should_negotiate, "fail-server") == 0)
3049 ret = (err_in_server != 0) ? 0 : 1;
3050
3051 return (ret);
3052 }
3053
3054 static CRYPTO_ONCE proxy_auth_ex_data_once = CRYPTO_ONCE_STATIC_INIT;
3055 static volatile int proxy_auth_ex_data_idx = -1;
3056
3057 static void do_get_proxy_auth_ex_data_idx(void)
3058 {
3059 proxy_auth_ex_data_idx = X509_STORE_CTX_get_ex_new_index(0,
3060 "SSLtest for verify callback",
3061 NULL, NULL, NULL);
3062 }
3063
3064 static int get_proxy_auth_ex_data_idx(void)
3065 {
3066 CRYPTO_THREAD_run_once(&proxy_auth_ex_data_once,
3067 do_get_proxy_auth_ex_data_idx);
3068 return proxy_auth_ex_data_idx;
3069 }
3070
3071 static int verify_callback(int ok, X509_STORE_CTX *ctx)
3072 {
3073 char *s, buf[256];
3074
3075 s = X509_NAME_oneline(X509_get_subject_name(X509_STORE_CTX_get_current_cert(ctx)),
3076 buf, sizeof buf);
3077 if (s != NULL) {
3078 if (ok)
3079 printf("depth=%d %s\n", X509_STORE_CTX_get_error_depth(ctx), buf);
3080 else {
3081 fprintf(stderr, "depth=%d error=%d %s\n",
3082 X509_STORE_CTX_get_error_depth(ctx),
3083 X509_STORE_CTX_get_error(ctx), buf);
3084 }
3085 }
3086
3087 if (ok == 0) {
3088 int i = X509_STORE_CTX_get_error(ctx);
3089
3090 switch (i) {
3091 default:
3092 fprintf(stderr, "Error string: %s\n",
3093 X509_verify_cert_error_string(i));
3094 break;
3095 case X509_V_ERR_CERT_NOT_YET_VALID:
3096 case X509_V_ERR_CERT_HAS_EXPIRED:
3097 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
3098 ok = 1;
3099 break;
3100 }
3101 }
3102
3103 if (ok == 1) {
3104 X509 *xs = X509_STORE_CTX_get_current_cert(ctx);
3105 if (X509_get_extension_flags(xs) & EXFLAG_PROXY) {
3106 unsigned int *letters = X509_STORE_CTX_get_ex_data(ctx,
3107 get_proxy_auth_ex_data_idx
3108 ());
3109
3110 if (letters) {
3111 int found_any = 0;
3112 int i;
3113 PROXY_CERT_INFO_EXTENSION *pci =
3114 X509_get_ext_d2i(xs, NID_proxyCertInfo,
3115 NULL, NULL);
3116
3117 switch (OBJ_obj2nid(pci->proxyPolicy->policyLanguage)) {
3118 case NID_Independent:
3119 /*
3120 * Completely meaningless in this program, as there's no
3121 * way to grant explicit rights to a specific PrC.
3122 * Basically, using id-ppl-Independent is the perfect way
3123 * to grant no rights at all.
3124 */
3125 fprintf(stderr, " Independent proxy certificate");
3126 for (i = 0; i < 26; i++)
3127 letters[i] = 0;
3128 break;
3129 case NID_id_ppl_inheritAll:
3130 /*
3131 * This is basically a NOP, we simply let the current
3132 * rights stand as they are.
3133 */
3134 fprintf(stderr, " Proxy certificate inherits all");
3135 break;
3136 default:
3137 s = (char *)
3138 pci->proxyPolicy->policy->data;
3139 i = pci->proxyPolicy->policy->length;
3140
3141 /*
3142 * The algorithm works as follows: it is assumed that
3143 * previous iterations or the initial granted rights has
3144 * already set some elements of `letters'. What we need
3145 * to do is to clear those that weren't granted by the
3146 * current PrC as well. The easiest way to do this is to
3147 * add 1 to all the elements whose letters are given with
3148 * the current policy. That way, all elements that are
3149 * set by the current policy and were already set by
3150 * earlier policies and through the original grant of
3151 * rights will get the value 2 or higher. The last thing
3152 * to do is to sweep through `letters' and keep the
3153 * elements having the value 2 as set, and clear all the
3154 * others.
3155 */
3156
3157 printf(" Certificate proxy rights = %*.*s", i,
3158 i, s);
3159 while (i-- > 0) {
3160 int c = *s++;
3161 if (isascii(c) && isalpha(c)) {
3162 if (islower(c))
3163 c = toupper(c);
3164 letters[c - 'A']++;
3165 }
3166 }
3167 for (i = 0; i < 26; i++)
3168 if (letters[i] < 2)
3169 letters[i] = 0;
3170 else
3171 letters[i] = 1;
3172 }
3173
3174 found_any = 0;
3175 printf(", resulting proxy rights = ");
3176 for (i = 0; i < 26; i++)
3177 if (letters[i]) {
3178 printf("%c", i + 'A');
3179 found_any = 1;
3180 }
3181 if (!found_any)
3182 printf("none");
3183 printf("\n");
3184
3185 PROXY_CERT_INFO_EXTENSION_free(pci);
3186 }
3187 }
3188 }
3189
3190 return (ok);
3191 }
3192
3193 static void process_proxy_debug(int indent, const char *format, ...)
3194 {
3195 /* That's 80 > */
3196 static const char indentation[] =
3197 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
3198 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>";
3199 char my_format[256];
3200 va_list args;
3201
3202 BIO_snprintf(my_format, sizeof(my_format), "%*.*s %s",
3203 indent, indent, indentation, format);
3204
3205 va_start(args, format);
3206 vfprintf(stderr, my_format, args);
3207 va_end(args);
3208 }
3209
3210 /*-
3211 * Priority levels:
3212 * 0 [!]var, ()
3213 * 1 & ^
3214 * 2 |
3215 */
3216 static int process_proxy_cond_adders(unsigned int letters[26],
3217 const char *cond, const char **cond_end,
3218 int *pos, int indent);
3219 static int process_proxy_cond_val(unsigned int letters[26], const char *cond,
3220 const char **cond_end, int *pos, int indent)
3221 {
3222 int c;
3223 int ok = 1;
3224 int negate = 0;
3225
3226 while (isspace((int)*cond)) {
3227 cond++;
3228 (*pos)++;
3229 }
3230 c = *cond;
3231
3232 if (debug)
3233 process_proxy_debug(indent,
3234 "Start process_proxy_cond_val at position %d: %s\n",
3235 *pos, cond);
3236
3237 while (c == '!') {
3238 negate = !negate;
3239 cond++;
3240 (*pos)++;
3241 while (isspace((int)*cond)) {
3242 cond++;
3243 (*pos)++;
3244 }
3245 c = *cond;
3246 }
3247
3248 if (c == '(') {
3249 cond++;
3250 (*pos)++;
3251 ok = process_proxy_cond_adders(letters, cond, cond_end, pos,
3252 indent + 1);
3253 cond = *cond_end;
3254 if (ok < 0)
3255 goto end;
3256 while (isspace((int)*cond)) {
3257 cond++;
3258 (*pos)++;
3259 }
3260 c = *cond;
3261 if (c != ')') {
3262 fprintf(stderr,
3263 "Weird condition character in position %d: "
3264 "%c\n", *pos, c);
3265 ok = -1;
3266 goto end;
3267 }
3268 cond++;
3269 (*pos)++;
3270 } else if (isascii(c) && isalpha(c)) {
3271 if (islower(c))
3272 c = toupper(c);
3273 ok = letters[c - 'A'];
3274 cond++;
3275 (*pos)++;
3276 } else {
3277 fprintf(stderr,
3278 "Weird condition character in position %d: " "%c\n", *pos, c);
3279 ok = -1;
3280 goto end;
3281 }
3282 end:
3283 *cond_end = cond;
3284 if (ok >= 0 && negate)
3285 ok = !ok;
3286
3287 if (debug)
3288 process_proxy_debug(indent,
3289 "End process_proxy_cond_val at position %d: %s, returning %d\n",
3290 *pos, cond, ok);
3291
3292 return ok;
3293 }
3294
3295 static int process_proxy_cond_multipliers(unsigned int letters[26],
3296 const char *cond,
3297 const char **cond_end, int *pos,
3298 int indent)
3299 {
3300 int ok;
3301 char c;
3302
3303 if (debug)
3304 process_proxy_debug(indent,
3305 "Start process_proxy_cond_multipliers at position %d: %s\n",
3306 *pos, cond);
3307
3308 ok = process_proxy_cond_val(letters, cond, cond_end, pos, indent + 1);
3309 cond = *cond_end;
3310 if (ok < 0)
3311 goto end;
3312
3313 while (ok >= 0) {
3314 while (isspace((int)*cond)) {
3315 cond++;
3316 (*pos)++;
3317 }
3318 c = *cond;
3319
3320 switch (c) {
3321 case '&':
3322 case '^':
3323 {
3324 int save_ok = ok;
3325
3326 cond++;
3327 (*pos)++;
3328 ok = process_proxy_cond_val(letters,
3329 cond, cond_end, pos, indent + 1);
3330 cond = *cond_end;
3331 if (ok < 0)
3332 break;
3333
3334 switch (c) {
3335 case '&':
3336 ok &= save_ok;
3337 break;
3338 case '^':
3339 ok ^= save_ok;
3340 break;
3341 default:
3342 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
3343 " STOPPING\n");
3344 EXIT(1);
3345 }
3346 }
3347 break;
3348 default:
3349 goto end;
3350 }
3351 }
3352 end:
3353 if (debug)
3354 process_proxy_debug(indent,
3355 "End process_proxy_cond_multipliers at position %d: %s, returning %d\n",
3356 *pos, cond, ok);
3357
3358 *cond_end = cond;
3359 return ok;
3360 }
3361
3362 static int process_proxy_cond_adders(unsigned int letters[26],
3363 const char *cond, const char **cond_end,
3364 int *pos, int indent)
3365 {
3366 int ok;
3367 char c;
3368
3369 if (debug)
3370 process_proxy_debug(indent,
3371 "Start process_proxy_cond_adders at position %d: %s\n",
3372 *pos, cond);
3373
3374 ok = process_proxy_cond_multipliers(letters, cond, cond_end, pos,
3375 indent + 1);
3376 cond = *cond_end;
3377 if (ok < 0)
3378 goto end;
3379
3380 while (ok >= 0) {
3381 while (isspace((int)*cond)) {
3382 cond++;
3383 (*pos)++;
3384 }
3385 c = *cond;
3386
3387 switch (c) {
3388 case '|':
3389 {
3390 int save_ok = ok;
3391
3392 cond++;
3393 (*pos)++;
3394 ok = process_proxy_cond_multipliers(letters,
3395 cond, cond_end, pos,
3396 indent + 1);
3397 cond = *cond_end;
3398 if (ok < 0)
3399 break;
3400
3401 switch (c) {
3402 case '|':
3403 ok |= save_ok;
3404 break;
3405 default:
3406 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
3407 " STOPPING\n");
3408 EXIT(1);
3409 }
3410 }
3411 break;
3412 default:
3413 goto end;
3414 }
3415 }
3416 end:
3417 if (debug)
3418 process_proxy_debug(indent,
3419 "End process_proxy_cond_adders at position %d: %s, returning %d\n",
3420 *pos, cond, ok);
3421
3422 *cond_end = cond;
3423 return ok;
3424 }
3425
3426 static int process_proxy_cond(unsigned int letters[26],
3427 const char *cond, const char **cond_end)
3428 {
3429 int pos = 1;
3430 return process_proxy_cond_adders(letters, cond, cond_end, &pos, 1);
3431 }
3432
3433 static int app_verify_callback(X509_STORE_CTX *ctx, void *arg)
3434 {
3435 int ok = 1;
3436 struct app_verify_arg *cb_arg = arg;
3437 unsigned int letters[26]; /* only used with proxy_auth */
3438
3439 if (cb_arg->app_verify) {
3440 char *s = NULL, buf[256];
3441 X509 *c = X509_STORE_CTX_get0_cert(ctx);
3442
3443 printf("In app_verify_callback, allowing cert. ");
3444 printf("Arg is: %s\n", cb_arg->string);
3445 printf("Finished printing do we have a context? 0x%p a cert? 0x%p\n",
3446 (void *)ctx, (void *)c);
3447 if (c)
3448 s = X509_NAME_oneline(X509_get_subject_name(c), buf, 256);
3449 if (s != NULL) {
3450 printf("cert depth=%d %s\n",
3451 X509_STORE_CTX_get_error_depth(ctx), buf);
3452 }
3453 return (1);
3454 }
3455 if (cb_arg->proxy_auth) {
3456 int found_any = 0, i;
3457 char *sp;
3458
3459 for (i = 0; i < 26; i++)
3460 letters[i] = 0;
3461 for (sp = cb_arg->proxy_auth; *sp; sp++) {
3462 int c = *sp;
3463 if (isascii(c) && isalpha(c)) {
3464 if (islower(c))
3465 c = toupper(c);
3466 letters[c - 'A'] = 1;
3467 }
3468 }
3469
3470 printf(" Initial proxy rights = ");
3471 for (i = 0; i < 26; i++)
3472 if (letters[i]) {
3473 printf("%c", i + 'A');
3474 found_any = 1;
3475 }
3476 if (!found_any)
3477 printf("none");
3478 printf("\n");
3479
3480 X509_STORE_CTX_set_ex_data(ctx,
3481 get_proxy_auth_ex_data_idx(), letters);
3482 }
3483 if (cb_arg->allow_proxy_certs) {
3484 X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
3485 }
3486 ok = X509_verify_cert(ctx);
3487
3488 if (cb_arg->proxy_auth) {
3489 if (ok > 0) {
3490 const char *cond_end = NULL;
3491
3492 ok = process_proxy_cond(letters, cb_arg->proxy_cond, &cond_end);
3493
3494 if (ok < 0)
3495 EXIT(3);
3496 if (*cond_end) {
3497 fprintf(stderr,
3498 "Stopped processing condition before it's end.\n");
3499 ok = 0;
3500 }
3501 if (!ok)
3502 fprintf(stderr,
3503 "Proxy rights check with condition '%s' invalid\n",
3504 cb_arg->proxy_cond);
3505 else
3506 printf("Proxy rights check with condition '%s' ok\n",
3507 cb_arg->proxy_cond);
3508 }
3509 }
3510 return (ok);
3511 }
3512
3513 #ifndef OPENSSL_NO_DH
3514 /*-
3515 * These DH parameters have been generated as follows:
3516 * $ openssl dhparam -C -noout 512
3517 * $ openssl dhparam -C -noout 1024
3518 * $ openssl dhparam -C -noout -dsaparam 1024
3519 * (The third function has been renamed to avoid name conflicts.)
3520 */
3521 static DH *get_dh512()
3522 {
3523 static unsigned char dh512_p[] = {
3524 0xCB, 0xC8, 0xE1, 0x86, 0xD0, 0x1F, 0x94, 0x17, 0xA6, 0x99, 0xF0,
3525 0xC6,
3526 0x1F, 0x0D, 0xAC, 0xB6, 0x25, 0x3E, 0x06, 0x39, 0xCA, 0x72, 0x04,
3527 0xB0,
3528 0x6E, 0xDA, 0xC0, 0x61, 0xE6, 0x7A, 0x77, 0x25, 0xE8, 0x3B, 0xB9,
3529 0x5F,
3530 0x9A, 0xB6, 0xB5, 0xFE, 0x99, 0x0B, 0xA1, 0x93, 0x4E, 0x35, 0x33,
3531 0xB8,
3532 0xE1, 0xF1, 0x13, 0x4F, 0x59, 0x1A, 0xD2, 0x57, 0xC0, 0x26, 0x21,
3533 0x33,
3534 0x02, 0xC5, 0xAE, 0x23,
3535 };
3536 static unsigned char dh512_g[] = {
3537 0x02,
3538 };
3539 DH *dh;
3540 BIGNUM *p, *g;
3541
3542 if ((dh = DH_new()) == NULL)
3543 return (NULL);
3544 p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
3545 g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
3546 if ((p == NULL) || (g == NULL) || !DH_set0_pqg(dh, p, NULL, g)) {
3547 DH_free(dh);
3548 BN_free(p);
3549 BN_free(g);
3550 return (NULL);
3551 }
3552 return (dh);
3553 }
3554
3555 static DH *get_dh1024()
3556 {
3557 static unsigned char dh1024_p[] = {
3558 0xF8, 0x81, 0x89, 0x7D, 0x14, 0x24, 0xC5, 0xD1, 0xE6, 0xF7, 0xBF,
3559 0x3A,
3560 0xE4, 0x90, 0xF4, 0xFC, 0x73, 0xFB, 0x34, 0xB5, 0xFA, 0x4C, 0x56,
3561 0xA2,
3562 0xEA, 0xA7, 0xE9, 0xC0, 0xC0, 0xCE, 0x89, 0xE1, 0xFA, 0x63, 0x3F,
3563 0xB0,
3564 0x6B, 0x32, 0x66, 0xF1, 0xD1, 0x7B, 0xB0, 0x00, 0x8F, 0xCA, 0x87,
3565 0xC2,
3566 0xAE, 0x98, 0x89, 0x26, 0x17, 0xC2, 0x05, 0xD2, 0xEC, 0x08, 0xD0,
3567 0x8C,
3568 0xFF, 0x17, 0x52, 0x8C, 0xC5, 0x07, 0x93, 0x03, 0xB1, 0xF6, 0x2F,
3569 0xB8,
3570 0x1C, 0x52, 0x47, 0x27, 0x1B, 0xDB, 0xD1, 0x8D, 0x9D, 0x69, 0x1D,
3571 0x52,
3572 0x4B, 0x32, 0x81, 0xAA, 0x7F, 0x00, 0xC8, 0xDC, 0xE6, 0xD9, 0xCC,
3573 0xC1,
3574 0x11, 0x2D, 0x37, 0x34, 0x6C, 0xEA, 0x02, 0x97, 0x4B, 0x0E, 0xBB,
3575 0xB1,
3576 0x71, 0x33, 0x09, 0x15, 0xFD, 0xDD, 0x23, 0x87, 0x07, 0x5E, 0x89,
3577 0xAB,
3578 0x6B, 0x7C, 0x5F, 0xEC, 0xA6, 0x24, 0xDC, 0x53,
3579 };
3580 static unsigned char dh1024_g[] = {
3581 0x02,
3582 };
3583 DH *dh;
3584 BIGNUM *p, *g;
3585
3586 if ((dh = DH_new()) == NULL)
3587 return (NULL);
3588 p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
3589 g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
3590 if ((p == NULL) || (g == NULL) || !DH_set0_pqg(dh, p, NULL, g)) {
3591 DH_free(dh);
3592 BN_free(p);
3593 BN_free(g);
3594 return (NULL);
3595 }
3596 return (dh);
3597 }
3598
3599 static DH *get_dh1024dsa()
3600 {
3601 static unsigned char dh1024_p[] = {
3602 0xC8, 0x00, 0xF7, 0x08, 0x07, 0x89, 0x4D, 0x90, 0x53, 0xF3, 0xD5,
3603 0x00,
3604 0x21, 0x1B, 0xF7, 0x31, 0xA6, 0xA2, 0xDA, 0x23, 0x9A, 0xC7, 0x87,
3605 0x19,
3606 0x3B, 0x47, 0xB6, 0x8C, 0x04, 0x6F, 0xFF, 0xC6, 0x9B, 0xB8, 0x65,
3607 0xD2,
3608 0xC2, 0x5F, 0x31, 0x83, 0x4A, 0xA7, 0x5F, 0x2F, 0x88, 0x38, 0xB6,
3609 0x55,
3610 0xCF, 0xD9, 0x87, 0x6D, 0x6F, 0x9F, 0xDA, 0xAC, 0xA6, 0x48, 0xAF,
3611 0xFC,
3612 0x33, 0x84, 0x37, 0x5B, 0x82, 0x4A, 0x31, 0x5D, 0xE7, 0xBD, 0x52,
3613 0x97,
3614 0xA1, 0x77, 0xBF, 0x10, 0x9E, 0x37, 0xEA, 0x64, 0xFA, 0xCA, 0x28,
3615 0x8D,
3616 0x9D, 0x3B, 0xD2, 0x6E, 0x09, 0x5C, 0x68, 0xC7, 0x45, 0x90, 0xFD,
3617 0xBB,
3618 0x70, 0xC9, 0x3A, 0xBB, 0xDF, 0xD4, 0x21, 0x0F, 0xC4, 0x6A, 0x3C,
3619 0xF6,
3620 0x61, 0xCF, 0x3F, 0xD6, 0x13, 0xF1, 0x5F, 0xBC, 0xCF, 0xBC, 0x26,
3621 0x9E,
3622 0xBC, 0x0B, 0xBD, 0xAB, 0x5D, 0xC9, 0x54, 0x39,
3623 };
3624 static unsigned char dh1024_g[] = {
3625 0x3B, 0x40, 0x86, 0xE7, 0xF3, 0x6C, 0xDE, 0x67, 0x1C, 0xCC, 0x80,
3626 0x05,
3627 0x5A, 0xDF, 0xFE, 0xBD, 0x20, 0x27, 0x74, 0x6C, 0x24, 0xC9, 0x03,
3628 0xF3,
3629 0xE1, 0x8D, 0xC3, 0x7D, 0x98, 0x27, 0x40, 0x08, 0xB8, 0x8C, 0x6A,
3630 0xE9,
3631 0xBB, 0x1A, 0x3A, 0xD6, 0x86, 0x83, 0x5E, 0x72, 0x41, 0xCE, 0x85,
3632 0x3C,
3633 0xD2, 0xB3, 0xFC, 0x13, 0xCE, 0x37, 0x81, 0x9E, 0x4C, 0x1C, 0x7B,
3634 0x65,
3635 0xD3, 0xE6, 0xA6, 0x00, 0xF5, 0x5A, 0x95, 0x43, 0x5E, 0x81, 0xCF,
3636 0x60,
3637 0xA2, 0x23, 0xFC, 0x36, 0xA7, 0x5D, 0x7A, 0x4C, 0x06, 0x91, 0x6E,
3638 0xF6,
3639 0x57, 0xEE, 0x36, 0xCB, 0x06, 0xEA, 0xF5, 0x3D, 0x95, 0x49, 0xCB,
3640 0xA7,
3641 0xDD, 0x81, 0xDF, 0x80, 0x09, 0x4A, 0x97, 0x4D, 0xA8, 0x22, 0x72,
3642 0xA1,
3643 0x7F, 0xC4, 0x70, 0x56, 0x70, 0xE8, 0x20, 0x10, 0x18, 0x8F, 0x2E,
3644 0x60,
3645 0x07, 0xE7, 0x68, 0x1A, 0x82, 0x5D, 0x32, 0xA2,
3646 };
3647 DH *dh;
3648 BIGNUM *p, *g;
3649
3650 if ((dh = DH_new()) == NULL)
3651 return (NULL);
3652 p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
3653 g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
3654 if ((p == NULL) || (g == NULL) || !DH_set0_pqg(dh, p, NULL, g)) {
3655 DH_free(dh);
3656 BN_free(p);
3657 BN_free(g);
3658 return (NULL);
3659 }
3660 DH_set_length(dh, 160);
3661 return (dh);
3662 }
3663 #endif
3664
3665 #ifndef OPENSSL_NO_PSK
3666 /* convert the PSK key (psk_key) in ascii to binary (psk) */
3667 static int psk_key2bn(const char *pskkey, unsigned char *psk,
3668 unsigned int max_psk_len)
3669 {
3670 int ret;
3671 BIGNUM *bn = NULL;
3672
3673 ret = BN_hex2bn(&bn, pskkey);
3674 if (!ret) {
3675 BIO_printf(bio_err, "Could not convert PSK key '%s' to BIGNUM\n",
3676 pskkey);
3677 BN_free(bn);
3678 return 0;
3679 }
3680 if (BN_num_bytes(bn) > (int)max_psk_len) {
3681 BIO_printf(bio_err,
3682 "psk buffer of callback is too small (%d) for key (%d)\n",
3683 max_psk_len, BN_num_bytes(bn));
3684 BN_free(bn);
3685 return 0;
3686 }
3687 ret = BN_bn2bin(bn, psk);
3688 BN_free(bn);
3689 return ret;
3690 }
3691
3692 static unsigned int psk_client_callback(SSL *ssl, const char *hint,
3693 char *identity,
3694 unsigned int max_identity_len,
3695 unsigned char *psk,
3696 unsigned int max_psk_len)
3697 {
3698 int ret;
3699 unsigned int psk_len = 0;
3700
3701 ret = BIO_snprintf(identity, max_identity_len, "Client_identity");
3702 if (ret < 0)
3703 goto out_err;
3704 if (debug)
3705 fprintf(stderr, "client: created identity '%s' len=%d\n", identity,
3706 ret);
3707 ret = psk_key2bn(psk_key, psk, max_psk_len);
3708 if (ret < 0)
3709 goto out_err;
3710 psk_len = ret;
3711 out_err:
3712 return psk_len;
3713 }
3714
3715 static unsigned int psk_server_callback(SSL *ssl, const char *identity,
3716 unsigned char *psk,
3717 unsigned int max_psk_len)
3718 {
3719 unsigned int psk_len = 0;
3720
3721 if (strcmp(identity, "Client_identity") != 0) {
3722 BIO_printf(bio_err, "server: PSK error: client identity not found\n");
3723 return 0;
3724 }
3725 psk_len = psk_key2bn(psk_key, psk, max_psk_len);
3726 return psk_len;
3727 }
3728 #endif
3729
3730 static int do_test_cipherlist(void)
3731 {
3732 #ifndef OPENSSL_NO_TLS
3733 int i = 0;
3734 const SSL_METHOD *meth;
3735 const SSL_CIPHER *ci, *tci = NULL;
3736
3737 /*
3738 * This is required because ssltest "cheats" and uses internal headers to
3739 * call functions, thus avoiding auto-init
3740 */
3741 OPENSSL_init_crypto(0, NULL);
3742 OPENSSL_init_ssl(0, NULL);
3743
3744 meth = TLS_method();
3745 tci = NULL;
3746 while ((ci = meth->get_cipher(i++)) != NULL) {
3747 if (tci != NULL)
3748 if (ci->id >= tci->id) {
3749 fprintf(stderr, "testing SSLv3 cipher list order: ");
3750 fprintf(stderr, "failed %x vs. %x\n", ci->id, tci->id);
3751 return 0;
3752 }
3753 tci = ci;
3754 }
3755 #endif
3756
3757 return 1;
3758 }
A mirror of the official openssl repository