Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(739)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: openssl/ssl/ssltest.c.orig

Issue 9254031: Upgrade chrome's OpenSSL to same version Android ships with. (Closed) Base URL: http://src.chromium.org/svn/trunk/deps/third_party/openssl/
Patch Set: '' Created 8 years, 11 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch | Annotate | Revision Log
« openssl.gyp ('K') | « openssl/ssl/ssltest.c ('k') | openssl/ssl/t1_clnt.c » ('j') | patches/x509_hash_name_algorithm_change.patch » ('J')
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
(Empty)
1 /* ssl/ssltest.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58 /* ====================================================================
59 * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111 /* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 * ECC cipher suite support in OpenSSL originally developed by
114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
115 */
116 /* ====================================================================
117 * Copyright 2005 Nokia. All rights reserved.
118 *
119 * The portions of the attached software ("Contribution") is developed by
120 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
121 * license.
122 *
123 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
124 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
125 * support (see RFC 4279) to OpenSSL.
126 *
127 * No patent licenses or other rights except those expressly stated in
128 * the OpenSSL open source license shall be deemed granted or received
129 * expressly, by implication, estoppel, or otherwise.
130 *
131 * No assurances are provided by Nokia that the Contribution does not
132 * infringe the patent or other intellectual property rights of any third
133 * party or that the license provides you with all the necessary rights
134 * to make use of the Contribution.
135 *
136 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
137 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
138 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
139 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
140 * OTHERWISE.
141 */
142
143 #define _BSD_SOURCE 1 /* Or gethostname won't be declared properly
144 on Linux and GNU platforms. */
145
146 #include <assert.h>
147 #include <errno.h>
148 #include <limits.h>
149 #include <stdio.h>
150 #include <stdlib.h>
151 #include <string.h>
152 #include <time.h>
153
154 #define USE_SOCKETS
155 #include "e_os.h"
156
157 #ifdef OPENSSL_SYS_VMS
158 #define _XOPEN_SOURCE 500 /* Or isascii won't be declared properly on
159 VMS (at least with DECompHP C). */
160 #endif
161
162 #include <ctype.h>
163
164 #include <openssl/bio.h>
165 #include <openssl/crypto.h>
166 #include <openssl/evp.h>
167 #include <openssl/x509.h>
168 #include <openssl/x509v3.h>
169 #include <openssl/ssl.h>
170 #ifndef OPENSSL_NO_ENGINE
171 #include <openssl/engine.h>
172 #endif
173 #include <openssl/err.h>
174 #include <openssl/rand.h>
175 #ifndef OPENSSL_NO_RSA
176 #include <openssl/rsa.h>
177 #endif
178 #ifndef OPENSSL_NO_DSA
179 #include <openssl/dsa.h>
180 #endif
181 #ifndef OPENSSL_NO_DH
182 #include <openssl/dh.h>
183 #endif
184 #include <openssl/bn.h>
185
186 #define _XOPEN_SOURCE_EXTENDED 1 /* Or gethostname won't be declared properly
187 on Compaq platforms (at least with DEC C).
188 Do not try to put it earlier, or IPv6 inclu des
189 get screwed...
190 */
191
192 #ifdef OPENSSL_SYS_WINDOWS
193 #include <winsock.h>
194 #else
195 #include OPENSSL_UNISTD
196 #endif
197
198 #ifdef OPENSSL_SYS_VMS
199 # define TEST_SERVER_CERT "SYS$DISK:[-.APPS]SERVER.PEM"
200 # define TEST_CLIENT_CERT "SYS$DISK:[-.APPS]CLIENT.PEM"
201 #elif defined(OPENSSL_SYS_WINCE)
202 # define TEST_SERVER_CERT "\\OpenSSL\\server.pem"
203 # define TEST_CLIENT_CERT "\\OpenSSL\\client.pem"
204 #elif defined(OPENSSL_SYS_NETWARE)
205 # define TEST_SERVER_CERT "\\openssl\\apps\\server.pem"
206 # define TEST_CLIENT_CERT "\\openssl\\apps\\client.pem"
207 #else
208 # define TEST_SERVER_CERT "../apps/server.pem"
209 # define TEST_CLIENT_CERT "../apps/client.pem"
210 #endif
211
212 /* There is really no standard for this, so let's assign some tentative
213 numbers. In any case, these numbers are only for this test */
214 #define COMP_RLE 255
215 #define COMP_ZLIB 1
216
217 static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
218 #ifndef OPENSSL_NO_RSA
219 static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export,int keylength);
220 static void free_tmp_rsa(void);
221 #endif
222 static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg);
223 #define APP_CALLBACK_STRING "Test Callback Argument"
224 struct app_verify_arg
225 {
226 char *string;
227 int app_verify;
228 int allow_proxy_certs;
229 char *proxy_auth;
230 char *proxy_cond;
231 };
232
233 #ifndef OPENSSL_NO_DH
234 static DH *get_dh512(void);
235 static DH *get_dh1024(void);
236 static DH *get_dh1024dsa(void);
237 #endif
238
239
240 static char *psk_key=NULL; /* by default PSK is not used */
241 #ifndef OPENSSL_NO_PSK
242 static unsigned int psk_client_callback(SSL *ssl, const char *hint, char *identi ty,
243 unsigned int max_identity_len, unsigned char *psk,
244 unsigned int max_psk_len);
245 static unsigned int psk_server_callback(SSL *ssl, const char *identity, unsigned char *psk,
246 unsigned int max_psk_len);
247 #endif
248
249 static BIO *bio_err=NULL;
250 static BIO *bio_stdout=NULL;
251
252 static char *cipher=NULL;
253 static int verbose=0;
254 static int debug=0;
255 #if 0
256 /* Not used yet. */
257 #ifdef FIONBIO
258 static int s_nbio=0;
259 #endif
260 #endif
261
262 static const char rnd_seed[] = "string to make the random number generator think it has entropy";
263
264 int doit_biopair(SSL *s_ssl,SSL *c_ssl,long bytes,clock_t *s_time,clock_t *c_tim e);
265 int doit(SSL *s_ssl,SSL *c_ssl,long bytes);
266 static int do_test_cipherlist(void);
267 static void sv_usage(void)
268 {
269 fprintf(stderr,"usage: ssltest [args ...]\n");
270 fprintf(stderr,"\n");
271 fprintf(stderr," -server_auth - check server certificate\n");
272 fprintf(stderr," -client_auth - do client authentication\n");
273 fprintf(stderr," -proxy - allow proxy certificates\n");
274 fprintf(stderr," -proxy_auth <val> - set proxy policy rights\n");
275 fprintf(stderr," -proxy_cond <val> - experssion to test proxy policy rig hts\n");
276 fprintf(stderr," -v - more output\n");
277 fprintf(stderr," -d - debug output\n");
278 fprintf(stderr," -reuse - use session-id reuse\n");
279 fprintf(stderr," -num <val> - number of connections to perform\n");
280 fprintf(stderr," -bytes <val> - number of bytes to swap between client/ server\n");
281 #ifndef OPENSSL_NO_DH
282 fprintf(stderr," -dhe1024 - use 1024 bit key (safe prime) for DHE\n ");
283 fprintf(stderr," -dhe1024dsa - use 1024 bit key (with 160-bit subprime ) for DHE\n");
284 fprintf(stderr," -no_dhe - disable DHE\n");
285 #endif
286 #ifndef OPENSSL_NO_ECDH
287 fprintf(stderr," -no_ecdhe - disable ECDHE\n");
288 #endif
289 #ifndef OPENSSL_NO_PSK
290 fprintf(stderr," -psk arg - PSK in hex (without 0x)\n");
291 #endif
292 #ifndef OPENSSL_NO_SSL2
293 fprintf(stderr," -ssl2 - use SSLv2\n");
294 #endif
295 #ifndef OPENSSL_NO_SSL3
296 fprintf(stderr," -ssl3 - use SSLv3\n");
297 #endif
298 #ifndef OPENSSL_NO_TLS1
299 fprintf(stderr," -tls1 - use TLSv1\n");
300 #endif
301 fprintf(stderr," -CApath arg - PEM format directory of CA's\n");
302 fprintf(stderr," -CAfile arg - PEM format file of CA's\n");
303 fprintf(stderr," -cert arg - Server certificate file\n");
304 fprintf(stderr," -key arg - Server key file (default: same as -cert )\n");
305 fprintf(stderr," -c_cert arg - Client certificate file\n");
306 fprintf(stderr," -c_key arg - Client key file (default: same as -c_ce rt)\n");
307 fprintf(stderr," -cipher arg - The cipher list\n");
308 fprintf(stderr," -bio_pair - Use BIO pairs\n");
309 fprintf(stderr," -f - Test even cases that can't work\n");
310 fprintf(stderr," -time - measure processor time used by client a nd server\n");
311 fprintf(stderr," -zlib - use zlib compression\n");
312 fprintf(stderr," -rle - use rle compression\n");
313 #ifndef OPENSSL_NO_ECDH
314 fprintf(stderr," -named_curve arg - Elliptic curve name to use for ephe meral ECDH keys.\n" \
315 " Use \"openssl ecparam -list_curves\" fo r all names\n" \
316 " (default is sect163r2).\n");
317 #endif
318 fprintf(stderr," -test_cipherlist - verifies the order of the ssl cipher lists\n");
319 fprintf(stderr," -cutthrough - enable 1-RTT full-handshake for stro ng ciphers\n");
320 }
321
322 static void print_details(SSL *c_ssl, const char *prefix)
323 {
324 const SSL_CIPHER *ciph;
325 X509 *cert;
326
327 ciph=SSL_get_current_cipher(c_ssl);
328 BIO_printf(bio_stdout,"%s%s, cipher %s %s",
329 prefix,
330 SSL_get_version(c_ssl),
331 SSL_CIPHER_get_version(ciph),
332 SSL_CIPHER_get_name(ciph));
333 cert=SSL_get_peer_certificate(c_ssl);
334 if (cert != NULL)
335 {
336 EVP_PKEY *pkey = X509_get_pubkey(cert);
337 if (pkey != NULL)
338 {
339 if (0)
340 ;
341 #ifndef OPENSSL_NO_RSA
342 else if (pkey->type == EVP_PKEY_RSA && pkey->pkey.rsa != NULL
343 && pkey->pkey.rsa->n != NULL)
344 {
345 BIO_printf(bio_stdout, ", %d bit RSA",
346 BN_num_bits(pkey->pkey.rsa->n));
347 }
348 #endif
349 #ifndef OPENSSL_NO_DSA
350 else if (pkey->type == EVP_PKEY_DSA && pkey->pkey.dsa != NULL
351 && pkey->pkey.dsa->p != NULL)
352 {
353 BIO_printf(bio_stdout, ", %d bit DSA",
354 BN_num_bits(pkey->pkey.dsa->p));
355 }
356 #endif
357 EVP_PKEY_free(pkey);
358 }
359 X509_free(cert);
360 }
361 /* The SSL API does not allow us to look at temporary RSA/DH keys,
362 * otherwise we should print their lengths too */
363 BIO_printf(bio_stdout,"\n");
364 }
365
366 static void lock_dbg_cb(int mode, int type, const char *file, int line)
367 {
368 static int modes[CRYPTO_NUM_LOCKS]; /* = {0, 0, ... } */
369 const char *errstr = NULL;
370 int rw;
371
372 rw = mode & (CRYPTO_READ|CRYPTO_WRITE);
373 if (!((rw == CRYPTO_READ) || (rw == CRYPTO_WRITE)))
374 {
375 errstr = "invalid mode";
376 goto err;
377 }
378
379 if (type < 0 || type >= CRYPTO_NUM_LOCKS)
380 {
381 errstr = "type out of bounds";
382 goto err;
383 }
384
385 if (mode & CRYPTO_LOCK)
386 {
387 if (modes[type])
388 {
389 errstr = "already locked";
390 /* must not happen in a single-threaded program
391 * (would deadlock) */
392 goto err;
393 }
394
395 modes[type] = rw;
396 }
397 else if (mode & CRYPTO_UNLOCK)
398 {
399 if (!modes[type])
400 {
401 errstr = "not locked";
402 goto err;
403 }
404
405 if (modes[type] != rw)
406 {
407 errstr = (rw == CRYPTO_READ) ?
408 "CRYPTO_r_unlock on write lock" :
409 "CRYPTO_w_unlock on read lock";
410 }
411
412 modes[type] = 0;
413 }
414 else
415 {
416 errstr = "invalid mode";
417 goto err;
418 }
419
420 err:
421 if (errstr)
422 {
423 /* we cannot use bio_err here */
424 fprintf(stderr, "openssl (lock_dbg_cb): %s (mode=%d, type=%d) at %s:%d\n",
425 errstr, mode, type, file, line);
426 }
427 }
428
429 #ifdef TLSEXT_TYPE_opaque_prf_input
430 struct cb_info_st { void *input; size_t len; int ret; };
431 struct cb_info_st co1 = { "C", 1, 1 }; /* try to negotiate oqaque PRF input */
432 struct cb_info_st co2 = { "C", 1, 2 }; /* insist on oqaque PRF input */
433 struct cb_info_st so1 = { "S", 1, 1 }; /* try to negotiate oqaque PRF input */
434 struct cb_info_st so2 = { "S", 1, 2 }; /* insist on oqaque PRF input */
435
436 int opaque_prf_input_cb(SSL *ssl, void *peerinput, size_t len, void *arg_)
437 {
438 struct cb_info_st *arg = arg_;
439
440 if (arg == NULL)
441 return 1;
442
443 if (!SSL_set_tlsext_opaque_prf_input(ssl, arg->input, arg->len))
444 return 0;
445 return arg->ret;
446 }
447 #endif
448
449 int cutthrough = 0;
450
451 int main(int argc, char *argv[])
452 {
453 char *CApath=NULL,*CAfile=NULL;
454 int badop=0;
455 int bio_pair=0;
456 int force=0;
457 int tls1=0,ssl2=0,ssl3=0,ret=1;
458 int client_auth=0;
459 int server_auth=0,i;
460 struct app_verify_arg app_verify_arg =
461 { APP_CALLBACK_STRING, 0, 0, NULL, NULL };
462 char *server_cert=TEST_SERVER_CERT;
463 char *server_key=NULL;
464 char *client_cert=TEST_CLIENT_CERT;
465 char *client_key=NULL;
466 #ifndef OPENSSL_NO_ECDH
467 char *named_curve = NULL;
468 #endif
469 SSL_CTX *s_ctx=NULL;
470 SSL_CTX *c_ctx=NULL;
471 const SSL_METHOD *meth=NULL;
472 SSL *c_ssl,*s_ssl;
473 int number=1,reuse=0;
474 long bytes=256L;
475 #ifndef OPENSSL_NO_DH
476 DH *dh;
477 int dhe1024 = 0, dhe1024dsa = 0;
478 #endif
479 #ifndef OPENSSL_NO_ECDH
480 EC_KEY *ecdh = NULL;
481 #endif
482 int no_dhe = 0;
483 int no_ecdhe = 0;
484 int no_psk = 0;
485 int print_time = 0;
486 clock_t s_time = 0, c_time = 0;
487 int comp = 0;
488 #ifndef OPENSSL_NO_COMP
489 COMP_METHOD *cm = NULL;
490 #endif
491 STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
492 int test_cipherlist = 0;
493
494 verbose = 0;
495 debug = 0;
496 cipher = 0;
497
498 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE|BIO_FP_TEXT);
499
500 CRYPTO_set_locking_callback(lock_dbg_cb);
501
502 /* enable memory leak checking unless explicitly disabled */
503 if (!((getenv("OPENSSL_DEBUG_MEMORY") != NULL) && (0 == strcmp(getenv("O PENSSL_DEBUG_MEMORY"), "off"))))
504 {
505 CRYPTO_malloc_debug_init();
506 CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
507 }
508 else
509 {
510 /* OPENSSL_DEBUG_MEMORY=off */
511 CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0);
512 }
513 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
514
515 RAND_seed(rnd_seed, sizeof rnd_seed);
516
517 bio_stdout=BIO_new_fp(stdout,BIO_NOCLOSE|BIO_FP_TEXT);
518
519 argc--;
520 argv++;
521
522 while (argc >= 1)
523 {
524 if (strcmp(*argv,"-server_auth") == 0)
525 server_auth=1;
526 else if (strcmp(*argv,"-client_auth") == 0)
527 client_auth=1;
528 else if (strcmp(*argv,"-proxy_auth") == 0)
529 {
530 if (--argc < 1) goto bad;
531 app_verify_arg.proxy_auth= *(++argv);
532 }
533 else if (strcmp(*argv,"-proxy_cond") == 0)
534 {
535 if (--argc < 1) goto bad;
536 app_verify_arg.proxy_cond= *(++argv);
537 }
538 else if (strcmp(*argv,"-v") == 0)
539 verbose=1;
540 else if (strcmp(*argv,"-d") == 0)
541 debug=1;
542 else if (strcmp(*argv,"-reuse") == 0)
543 reuse=1;
544 else if (strcmp(*argv,"-dhe1024") == 0)
545 {
546 #ifndef OPENSSL_NO_DH
547 dhe1024=1;
548 #else
549 fprintf(stderr,"ignoring -dhe1024, since I'm compiled wi thout DH\n");
550 #endif
551 }
552 else if (strcmp(*argv,"-dhe1024dsa") == 0)
553 {
554 #ifndef OPENSSL_NO_DH
555 dhe1024dsa=1;
556 #else
557 fprintf(stderr,"ignoring -dhe1024, since I'm compiled wi thout DH\n");
558 #endif
559 }
560 else if (strcmp(*argv,"-no_dhe") == 0)
561 no_dhe=1;
562 else if (strcmp(*argv,"-no_ecdhe") == 0)
563 no_ecdhe=1;
564 else if (strcmp(*argv,"-psk") == 0)
565 {
566 if (--argc < 1) goto bad;
567 psk_key=*(++argv);
568 #ifndef OPENSSL_NO_PSK
569 if (strspn(psk_key, "abcdefABCDEF1234567890") != strlen( psk_key))
570 {
571 BIO_printf(bio_err,"Not a hex number '%s'\n",*ar gv);
572 goto bad;
573 }
574 #else
575 no_psk=1;
576 #endif
577 }
578 else if (strcmp(*argv,"-ssl2") == 0)
579 ssl2=1;
580 else if (strcmp(*argv,"-tls1") == 0)
581 tls1=1;
582 else if (strcmp(*argv,"-ssl3") == 0)
583 ssl3=1;
584 else if (strncmp(*argv,"-num",4) == 0)
585 {
586 if (--argc < 1) goto bad;
587 number= atoi(*(++argv));
588 if (number == 0) number=1;
589 }
590 else if (strcmp(*argv,"-bytes") == 0)
591 {
592 if (--argc < 1) goto bad;
593 bytes= atol(*(++argv));
594 if (bytes == 0L) bytes=1L;
595 i=strlen(argv[0]);
596 if (argv[0][i-1] == 'k') bytes*=1024L;
597 if (argv[0][i-1] == 'm') bytes*=1024L*1024L;
598 }
599 else if (strcmp(*argv,"-cert") == 0)
600 {
601 if (--argc < 1) goto bad;
602 server_cert= *(++argv);
603 }
604 else if (strcmp(*argv,"-s_cert") == 0)
605 {
606 if (--argc < 1) goto bad;
607 server_cert= *(++argv);
608 }
609 else if (strcmp(*argv,"-key") == 0)
610 {
611 if (--argc < 1) goto bad;
612 server_key= *(++argv);
613 }
614 else if (strcmp(*argv,"-s_key") == 0)
615 {
616 if (--argc < 1) goto bad;
617 server_key= *(++argv);
618 }
619 else if (strcmp(*argv,"-c_cert") == 0)
620 {
621 if (--argc < 1) goto bad;
622 client_cert= *(++argv);
623 }
624 else if (strcmp(*argv,"-c_key") == 0)
625 {
626 if (--argc < 1) goto bad;
627 client_key= *(++argv);
628 }
629 else if (strcmp(*argv,"-cipher") == 0)
630 {
631 if (--argc < 1) goto bad;
632 cipher= *(++argv);
633 }
634 else if (strcmp(*argv,"-CApath") == 0)
635 {
636 if (--argc < 1) goto bad;
637 CApath= *(++argv);
638 }
639 else if (strcmp(*argv,"-CAfile") == 0)
640 {
641 if (--argc < 1) goto bad;
642 CAfile= *(++argv);
643 }
644 else if (strcmp(*argv,"-bio_pair") == 0)
645 {
646 bio_pair = 1;
647 }
648 else if (strcmp(*argv,"-f") == 0)
649 {
650 force = 1;
651 }
652 else if (strcmp(*argv,"-time") == 0)
653 {
654 print_time = 1;
655 }
656 else if (strcmp(*argv,"-zlib") == 0)
657 {
658 comp = COMP_ZLIB;
659 }
660 else if (strcmp(*argv,"-rle") == 0)
661 {
662 comp = COMP_RLE;
663 }
664 else if (strcmp(*argv,"-named_curve") == 0)
665 {
666 if (--argc < 1) goto bad;
667 #ifndef OPENSSL_NO_ECDH
668 named_curve = *(++argv);
669 #else
670 fprintf(stderr,"ignoring -named_curve, since I'm compile d without ECDH\n");
671 ++argv;
672 #endif
673 }
674 else if (strcmp(*argv,"-app_verify") == 0)
675 {
676 app_verify_arg.app_verify = 1;
677 }
678 else if (strcmp(*argv,"-proxy") == 0)
679 {
680 app_verify_arg.allow_proxy_certs = 1;
681 }
682 else if (strcmp(*argv,"-test_cipherlist") == 0)
683 {
684 test_cipherlist = 1;
685 }
686 else if (strcmp(*argv, "-cutthrough") == 0)
687 {
688 cutthrough = 1;
689 }
690 else
691 {
692 fprintf(stderr,"unknown option %s\n",*argv);
693 badop=1;
694 break;
695 }
696 argc--;
697 argv++;
698 }
699 if (badop)
700 {
701 bad:
702 sv_usage();
703 goto end;
704 }
705
706 if (test_cipherlist == 1)
707 {
708 /* ensure that the cipher list are correctly sorted and exit */
709 if (do_test_cipherlist() == 0)
710 EXIT(1);
711 ret = 0;
712 goto end;
713 }
714
715 if (!ssl2 && !ssl3 && !tls1 && number > 1 && !reuse && !force)
716 {
717 fprintf(stderr, "This case cannot work. Use -f to perform "
718 "the test anyway (and\n-d to see what happens), "
719 "or add one of -ssl2, -ssl3, -tls1, -reuse\n"
720 "to avoid protocol mismatch.\n");
721 EXIT(1);
722 }
723
724 if (print_time)
725 {
726 if (!bio_pair)
727 {
728 fprintf(stderr, "Using BIO pair (-bio_pair)\n");
729 bio_pair = 1;
730 }
731 if (number < 50 && !force)
732 fprintf(stderr, "Warning: For accurate timings, use more connections (e.g. -num 1000)\n");
733 }
734
735 /* if (cipher == NULL) cipher=getenv("SSL_CIPHER"); */
736
737 SSL_library_init();
738 SSL_load_error_strings();
739
740 #ifndef OPENSSL_NO_COMP
741 if (comp == COMP_ZLIB) cm = COMP_zlib();
742 if (comp == COMP_RLE) cm = COMP_rle();
743 if (cm != NULL)
744 {
745 if (cm->type != NID_undef)
746 {
747 if (SSL_COMP_add_compression_method(comp, cm) != 0)
748 {
749 fprintf(stderr,
750 "Failed to add compression method\n");
751 ERR_print_errors_fp(stderr);
752 }
753 }
754 else
755 {
756 fprintf(stderr,
757 "Warning: %s compression not supported\n",
758 (comp == COMP_RLE ? "rle" :
759 (comp == COMP_ZLIB ? "zlib" :
760 "unknown")));
761 ERR_print_errors_fp(stderr);
762 }
763 }
764 ssl_comp_methods = SSL_COMP_get_compression_methods();
765 fprintf(stderr, "Available compression methods:\n");
766 {
767 int j, n = sk_SSL_COMP_num(ssl_comp_methods);
768 if (n == 0)
769 fprintf(stderr, " NONE\n");
770 else
771 for (j = 0; j < n; j++)
772 {
773 SSL_COMP *c = sk_SSL_COMP_value(ssl_comp_methods, j);
774 fprintf(stderr, " %d: %s\n", c->id, c->name);
775 }
776 }
777 #endif
778
779 #if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
780 if (ssl2)
781 meth=SSLv2_method();
782 else
783 if (tls1)
784 meth=TLSv1_method();
785 else
786 if (ssl3)
787 meth=SSLv3_method();
788 else
789 meth=SSLv23_method();
790 #else
791 #ifdef OPENSSL_NO_SSL2
792 meth=SSLv3_method();
793 #else
794 meth=SSLv2_method();
795 #endif
796 #endif
797
798 c_ctx=SSL_CTX_new(meth);
799 s_ctx=SSL_CTX_new(meth);
800 if ((c_ctx == NULL) || (s_ctx == NULL))
801 {
802 ERR_print_errors(bio_err);
803 goto end;
804 }
805
806 if (cipher != NULL)
807 {
808 SSL_CTX_set_cipher_list(c_ctx,cipher);
809 SSL_CTX_set_cipher_list(s_ctx,cipher);
810 }
811 ssl_mode = 0;
812 if (cutthrough)
813 {
814 ssl_mode = SSL_CTX_get_mode(c_ctx);
815 ssl_mode = SSL_MODE_HANDSHAKE_CUTTHROUGH;
816 SSL_CTX_set_mode(c_ctx, ssl_mode);
817 }
818
819 #ifndef OPENSSL_NO_DH
820 if (!no_dhe)
821 {
822 if (dhe1024dsa)
823 {
824 /* use SSL_OP_SINGLE_DH_USE to avoid small subgroup atta cks */
825 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);
826 dh=get_dh1024dsa();
827 }
828 else if (dhe1024)
829 dh=get_dh1024();
830 else
831 dh=get_dh512();
832 SSL_CTX_set_tmp_dh(s_ctx,dh);
833 DH_free(dh);
834 }
835 #else
836 (void)no_dhe;
837 #endif
838
839 #ifndef OPENSSL_NO_ECDH
840 if (!no_ecdhe)
841 {
842 int nid;
843
844 if (named_curve != NULL)
845 {
846 nid = OBJ_sn2nid(named_curve);
847 if (nid == 0)
848 {
849 BIO_printf(bio_err, "unknown curve name (%s)\n", named_curve);
850 goto end;
851 }
852 }
853 else
854 nid = NID_sect163r2;
855
856 ecdh = EC_KEY_new_by_curve_name(nid);
857 if (ecdh == NULL)
858 {
859 BIO_printf(bio_err, "unable to create curve\n");
860 goto end;
861 }
862
863 SSL_CTX_set_tmp_ecdh(s_ctx, ecdh);
864 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_ECDH_USE);
865 EC_KEY_free(ecdh);
866 }
867 #else
868 (void)no_ecdhe;
869 #endif
870
871 #ifndef OPENSSL_NO_RSA
872 SSL_CTX_set_tmp_rsa_callback(s_ctx,tmp_rsa_cb);
873 #endif
874
875 #ifdef TLSEXT_TYPE_opaque_prf_input
876 SSL_CTX_set_tlsext_opaque_prf_input_callback(c_ctx, opaque_prf_input_cb) ;
877 SSL_CTX_set_tlsext_opaque_prf_input_callback(s_ctx, opaque_prf_input_cb) ;
878 SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(c_ctx, &co1); /* or &co 2 or NULL */
879 SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(s_ctx, &so1); /* or &so 2 or NULL */
880 #endif
881
882 if (!SSL_CTX_use_certificate_file(s_ctx,server_cert,SSL_FILETYPE_PEM))
883 {
884 ERR_print_errors(bio_err);
885 }
886 else if (!SSL_CTX_use_PrivateKey_file(s_ctx,
887 (server_key?server_key:server_cert), SSL_FILETYPE_PEM))
888 {
889 ERR_print_errors(bio_err);
890 goto end;
891 }
892
893 if (client_auth)
894 {
895 SSL_CTX_use_certificate_file(c_ctx,client_cert,
896 SSL_FILETYPE_PEM);
897 SSL_CTX_use_PrivateKey_file(c_ctx,
898 (client_key?client_key:client_cert),
899 SSL_FILETYPE_PEM);
900 }
901
902 if ( (!SSL_CTX_load_verify_locations(s_ctx,CAfile,CApath)) ||
903 (!SSL_CTX_set_default_verify_paths(s_ctx)) ||
904 (!SSL_CTX_load_verify_locations(c_ctx,CAfile,CApath)) ||
905 (!SSL_CTX_set_default_verify_paths(c_ctx)))
906 {
907 /* fprintf(stderr,"SSL_load_verify_locations\n"); */
908 ERR_print_errors(bio_err);
909 /* goto end; */
910 }
911
912 if (client_auth)
913 {
914 BIO_printf(bio_err,"client authentication\n");
915 SSL_CTX_set_verify(s_ctx,
916 SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
917 verify_callback);
918 SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, &ap p_verify_arg);
919 }
920 if (server_auth)
921 {
922 BIO_printf(bio_err,"server authentication\n");
923 SSL_CTX_set_verify(c_ctx,SSL_VERIFY_PEER,
924 verify_callback);
925 SSL_CTX_set_cert_verify_callback(c_ctx, app_verify_callback, &ap p_verify_arg);
926 }
927
928 {
929 int session_id_context = 0;
930 SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_contex t, sizeof session_id_context);
931 }
932
933 /* Use PSK only if PSK key is given */
934 if (psk_key != NULL)
935 {
936 /* no_psk is used to avoid putting psk command to openssl tool * /
937 if (no_psk)
938 {
939 /* if PSK is not compiled in and psk key is
940 * given, do nothing and exit successfully */
941 ret=0;
942 goto end;
943 }
944 #ifndef OPENSSL_NO_PSK
945 SSL_CTX_set_psk_client_callback(c_ctx, psk_client_callback);
946 SSL_CTX_set_psk_server_callback(s_ctx, psk_server_callback);
947 if (debug)
948 BIO_printf(bio_err,"setting PSK identity hint to s_ctx\n ");
949 if (!SSL_CTX_use_psk_identity_hint(s_ctx, "ctx server identity_h int"))
950 {
951 BIO_printf(bio_err,"error setting PSK identity hint to s _ctx\n");
952 ERR_print_errors(bio_err);
953 goto end;
954 }
955 #endif
956 }
957
958 c_ssl=SSL_new(c_ctx);
959 s_ssl=SSL_new(s_ctx);
960
961 #ifndef OPENSSL_NO_KRB5
962 if (c_ssl && c_ssl->kssl_ctx)
963 {
964 char localhost[MAXHOSTNAMELEN+2];
965
966 if (gethostname(localhost, sizeof localhost-1) == 0)
967 {
968 localhost[sizeof localhost-1]='\0';
969 if(strlen(localhost) == sizeof localhost-1)
970 {
971 BIO_printf(bio_err,"localhost name too long\n");
972 goto end;
973 }
974 kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER,
975 localhost);
976 }
977 }
978 #endif /* OPENSSL_NO_KRB5 */
979
980 for (i=0; i<number; i++)
981 {
982 if (!reuse) SSL_set_session(c_ssl,NULL);
983 if (bio_pair)
984 ret=doit_biopair(s_ssl,c_ssl,bytes,&s_time,&c_time);
985 else
986 ret=doit(s_ssl,c_ssl,bytes);
987 }
988
989 if (!verbose)
990 {
991 print_details(c_ssl, "");
992 }
993 if ((number > 1) || (bytes > 1L))
994 BIO_printf(bio_stdout, "%d handshakes of %ld bytes done\n",numbe r,bytes);
995 if (print_time)
996 {
997 #ifdef CLOCKS_PER_SEC
998 /* "To determine the time in seconds, the value returned
999 * by the clock function should be divided by the value
1000 * of the macro CLOCKS_PER_SEC."
1001 * -- ISO/IEC 9899 */
1002 BIO_printf(bio_stdout, "Approximate total server time: %6.2f s\n "
1003 "Approximate total client time: %6.2f s\n",
1004 (double)s_time/CLOCKS_PER_SEC,
1005 (double)c_time/CLOCKS_PER_SEC);
1006 #else
1007 /* "`CLOCKS_PER_SEC' undeclared (first use this function)"
1008 * -- cc on NeXTstep/OpenStep */
1009 BIO_printf(bio_stdout,
1010 "Approximate total server time: %6.2f units\n"
1011 "Approximate total client time: %6.2f units\n",
1012 (double)s_time,
1013 (double)c_time);
1014 #endif
1015 }
1016
1017 SSL_free(s_ssl);
1018 SSL_free(c_ssl);
1019
1020 end:
1021 if (s_ctx != NULL) SSL_CTX_free(s_ctx);
1022 if (c_ctx != NULL) SSL_CTX_free(c_ctx);
1023
1024 if (bio_stdout != NULL) BIO_free(bio_stdout);
1025
1026 #ifndef OPENSSL_NO_RSA
1027 free_tmp_rsa();
1028 #endif
1029 #ifndef OPENSSL_NO_ENGINE
1030 ENGINE_cleanup();
1031 #endif
1032 CRYPTO_cleanup_all_ex_data();
1033 ERR_free_strings();
1034 ERR_remove_thread_state(NULL);
1035 EVP_cleanup();
1036 CRYPTO_mem_leaks(bio_err);
1037 if (bio_err != NULL) BIO_free(bio_err);
1038 EXIT(ret);
1039 return ret;
1040 }
1041
1042 int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count,
1043 clock_t *s_time, clock_t *c_time)
1044 {
1045 long cw_num = count, cr_num = count, sw_num = count, sr_num = count;
1046 BIO *s_ssl_bio = NULL, *c_ssl_bio = NULL;
1047 BIO *server = NULL, *server_io = NULL, *client = NULL, *client_io = NULL ;
1048 int ret = 1;
1049
1050 size_t bufsiz = 256; /* small buffer for testing */
1051
1052 if (!BIO_new_bio_pair(&server, bufsiz, &server_io, bufsiz))
1053 goto err;
1054 if (!BIO_new_bio_pair(&client, bufsiz, &client_io, bufsiz))
1055 goto err;
1056
1057 s_ssl_bio = BIO_new(BIO_f_ssl());
1058 if (!s_ssl_bio)
1059 goto err;
1060
1061 c_ssl_bio = BIO_new(BIO_f_ssl());
1062 if (!c_ssl_bio)
1063 goto err;
1064
1065 SSL_set_connect_state(c_ssl);
1066 SSL_set_bio(c_ssl, client, client);
1067 (void)BIO_set_ssl(c_ssl_bio, c_ssl, BIO_NOCLOSE);
1068
1069 SSL_set_accept_state(s_ssl);
1070 SSL_set_bio(s_ssl, server, server);
1071 (void)BIO_set_ssl(s_ssl_bio, s_ssl, BIO_NOCLOSE);
1072
1073 do
1074 {
1075 /* c_ssl_bio: SSL filter BIO
1076 *
1077 * client: pseudo-I/O for SSL library
1078 *
1079 * client_io: client's SSL communication; usually to be
1080 * relayed over some I/O facility, but in th is
1081 * test program, we're the server, too:
1082 *
1083 * server_io: server's SSL communication
1084 *
1085 * server: pseudo-I/O for SSL library
1086 *
1087 * s_ssl_bio: SSL filter BIO
1088 *
1089 * The client and the server each employ a "BIO pair":
1090 * client + client_io, server + server_io.
1091 * BIO pairs are symmetric. A BIO pair behaves similar
1092 * to a non-blocking socketpair (but both endpoints must
1093 * be handled by the same thread).
1094 * [Here we could connect client and server to the ends
1095 * of a single BIO pair, but then this code would be less
1096 * suitable as an example for BIO pairs in general.]
1097 *
1098 * Useful functions for querying the state of BIO pair endpoints :
1099 *
1100 * BIO_ctrl_pending(bio) number of bytes we can rea d now
1101 * BIO_ctrl_get_read_request(bio) number of bytes needed to fulfil
1102 * other side's read attemp t
1103 * BIO_ctrl_get_write_guarantee(bio) number of bytes we can wr ite now
1104 *
1105 * ..._read_request is never more than ..._write_guarantee;
1106 * it depends on the application which one you should use.
1107 */
1108
1109 /* We have non-blocking behaviour throughout this test program, but
1110 * can be sure that there is *some* progress in each iteration; so
1111 * we don't have to worry about ..._SHOULD_READ or ..._SHOULD_WR ITE
1112 * -- we just try everything in each iteration
1113 */
1114
1115 {
1116 /* CLIENT */
1117
1118 MS_STATIC char cbuf[1024*8];
1119 int i, r;
1120 clock_t c_clock = clock();
1121
1122 memset(cbuf, 0, sizeof(cbuf));
1123
1124 if (debug)
1125 if (SSL_in_init(c_ssl))
1126 printf("client waiting in SSL_connect - %s\n",
1127 SSL_state_string_long(c_ssl));
1128
1129 if (cw_num > 0)
1130 {
1131 /* Write to server. */
1132
1133 if (cw_num > (long)sizeof cbuf)
1134 i = sizeof cbuf;
1135 else
1136 i = (int)cw_num;
1137 r = BIO_write(c_ssl_bio, cbuf, i);
1138 if (r < 0)
1139 {
1140 if (!BIO_should_retry(c_ssl_bio))
1141 {
1142 fprintf(stderr,"ERROR in CLIENT\ n");
1143 goto err;
1144 }
1145 /* BIO_should_retry(...) can just be ign ored here.
1146 * The library expects us to call BIO_wr ite with
1147 * the same arguments again, and that's what we will
1148 * do in the next iteration. */
1149 }
1150 else if (r == 0)
1151 {
1152 fprintf(stderr,"SSL CLIENT STARTUP FAILE D\n");
1153 goto err;
1154 }
1155 else
1156 {
1157 if (debug)
1158 printf("client wrote %d\n", r);
1159 cw_num -= r;
1160 }
1161 }
1162
1163 if (cr_num > 0)
1164 {
1165 /* Read from server. */
1166
1167 r = BIO_read(c_ssl_bio, cbuf, sizeof(cbuf));
1168 if (r < 0)
1169 {
1170 if (!BIO_should_retry(c_ssl_bio))
1171 {
1172 fprintf(stderr,"ERROR in CLIENT\ n");
1173 goto err;
1174 }
1175 /* Again, "BIO_should_retry" can be igno red. */
1176 }
1177 else if (r == 0)
1178 {
1179 fprintf(stderr,"SSL CLIENT STARTUP FAILE D\n");
1180 goto err;
1181 }
1182 else
1183 {
1184 if (debug)
1185 printf("client read %d\n", r);
1186 cr_num -= r;
1187 }
1188 }
1189
1190 /* c_time and s_time increments will typically be very s mall
1191 * (depending on machine speed and clock tick intervals) ,
1192 * but sampling over a large number of connections shoul d
1193 * result in fairly accurate figures. We cannot guarant ee
1194 * a lot, however -- if each connection lasts for exactl y
1195 * one clock tick, it will be counted only for the clien t
1196 * or only for the server or even not at all.
1197 */
1198 *c_time += (clock() - c_clock);
1199 }
1200
1201 {
1202 /* SERVER */
1203
1204 MS_STATIC char sbuf[1024*8];
1205 int i, r;
1206 clock_t s_clock = clock();
1207
1208 memset(sbuf, 0, sizeof(sbuf));
1209
1210 if (debug)
1211 if (SSL_in_init(s_ssl))
1212 printf("server waiting in SSL_accept - % s\n",
1213 SSL_state_string_long(s_ssl));
1214
1215 if (sw_num > 0)
1216 {
1217 /* Write to client. */
1218
1219 if (sw_num > (long)sizeof sbuf)
1220 i = sizeof sbuf;
1221 else
1222 i = (int)sw_num;
1223 r = BIO_write(s_ssl_bio, sbuf, i);
1224 if (r < 0)
1225 {
1226 if (!BIO_should_retry(s_ssl_bio))
1227 {
1228 fprintf(stderr,"ERROR in SERVER\ n");
1229 goto err;
1230 }
1231 /* Ignore "BIO_should_retry". */
1232 }
1233 else if (r == 0)
1234 {
1235 fprintf(stderr,"SSL SERVER STARTUP FAILE D\n");
1236 goto err;
1237 }
1238 else
1239 {
1240 if (debug)
1241 printf("server wrote %d\n", r);
1242 sw_num -= r;
1243 }
1244 }
1245
1246 if (sr_num > 0)
1247 {
1248 /* Read from client. */
1249
1250 r = BIO_read(s_ssl_bio, sbuf, sizeof(sbuf));
1251 if (r < 0)
1252 {
1253 if (!BIO_should_retry(s_ssl_bio))
1254 {
1255 fprintf(stderr,"ERROR in SERVER\ n");
1256 goto err;
1257 }
1258 /* blah, blah */
1259 }
1260 else if (r == 0)
1261 {
1262 fprintf(stderr,"SSL SERVER STARTUP FAILE D\n");
1263 goto err;
1264 }
1265 else
1266 {
1267 if (debug)
1268 printf("server read %d\n", r);
1269 sr_num -= r;
1270 }
1271 }
1272
1273 *s_time += (clock() - s_clock);
1274 }
1275
1276 {
1277 /* "I/O" BETWEEN CLIENT AND SERVER. */
1278
1279 size_t r1, r2;
1280 BIO *io1 = server_io, *io2 = client_io;
1281 /* we use the non-copying interface for io1
1282 * and the standard BIO_write/BIO_read interface for io2
1283 */
1284
1285 static int prev_progress = 1;
1286 int progress = 0;
1287
1288 /* io1 to io2 */
1289 do
1290 {
1291 size_t num;
1292 int r;
1293
1294 r1 = BIO_ctrl_pending(io1);
1295 r2 = BIO_ctrl_get_write_guarantee(io2);
1296
1297 num = r1;
1298 if (r2 < num)
1299 num = r2;
1300 if (num)
1301 {
1302 char *dataptr;
1303
1304 if (INT_MAX < num) /* yeah, right */
1305 num = INT_MAX;
1306
1307 r = BIO_nread(io1, &dataptr, (int)num);
1308 assert(r > 0);
1309 assert(r <= (int)num);
1310 /* possibly r < num (non-contiguous data ) */
1311 num = r;
1312 r = BIO_write(io2, dataptr, (int)num);
1313 if (r != (int)num) /* can't happen */
1314 {
1315 fprintf(stderr, "ERROR: BIO_writ e could not write "
1316 "BIO_ctrl_get_write_guar antee() bytes");
1317 goto err;
1318 }
1319 progress = 1;
1320
1321 if (debug)
1322 printf((io1 == client_io) ?
1323 "C->S relaying: %d bytes \n" :
1324 "S->C relaying: %d bytes \n",
1325 (int)num);
1326 }
1327 }
1328 while (r1 && r2);
1329
1330 /* io2 to io1 */
1331 {
1332 size_t num;
1333 int r;
1334
1335 r1 = BIO_ctrl_pending(io2);
1336 r2 = BIO_ctrl_get_read_request(io1);
1337 /* here we could use ..._get_write_guarantee ins tead of
1338 * ..._get_read_request, but by using the latter
1339 * we test restartability of the SSL implementat ion
1340 * more thoroughly */
1341 num = r1;
1342 if (r2 < num)
1343 num = r2;
1344 if (num)
1345 {
1346 char *dataptr;
1347
1348 if (INT_MAX < num)
1349 num = INT_MAX;
1350
1351 if (num > 1)
1352 --num; /* test restartability ev en more thoroughly */
1353
1354 r = BIO_nwrite0(io1, &dataptr);
1355 assert(r > 0);
1356 if (r < (int)num)
1357 num = r;
1358 r = BIO_read(io2, dataptr, (int)num);
1359 if (r != (int)num) /* can't happen */
1360 {
1361 fprintf(stderr, "ERROR: BIO_read could not read "
1362 "BIO_ctrl_pending() byte s");
1363 goto err;
1364 }
1365 progress = 1;
1366 r = BIO_nwrite(io1, &dataptr, (int)num);
1367 if (r != (int)num) /* can't happen */
1368 {
1369 fprintf(stderr, "ERROR: BIO_nwri te() did not accept "
1370 "BIO_nwrite0() bytes");
1371 goto err;
1372 }
1373
1374 if (debug)
1375 printf((io2 == client_io) ?
1376 "C->S relaying: %d bytes \n" :
1377 "S->C relaying: %d bytes \n",
1378 (int)num);
1379 }
1380 } /* no loop, BIO_ctrl_get_read_request now returns 0 an yway */
1381
1382 if (!progress && !prev_progress)
1383 if (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr _num > 0)
1384 {
1385 fprintf(stderr, "ERROR: got stuck\n");
1386 if (strcmp("SSLv2", SSL_get_version(c_ss l)) == 0)
1387 {
1388 fprintf(stderr, "This can happen for SSL2 because "
1389 "CLIENT-FINISHED and SER VER-VERIFY are written \n"
1390 "concurrently ...");
1391 if (strncmp("2SCF", SSL_state_st ring(c_ssl), 4) == 0
1392 && strncmp("2SSV", SSL_s tate_string(s_ssl), 4) == 0)
1393 {
1394 fprintf(stderr, " ok.\n" );
1395 goto end;
1396 }
1397 }
1398 fprintf(stderr, " ERROR.\n");
1399 goto err;
1400 }
1401 prev_progress = progress;
1402 }
1403 }
1404 while (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0);
1405
1406 if (verbose)
1407 print_details(c_ssl, "DONE via BIO pair: ");
1408 end:
1409 ret = 0;
1410
1411 err:
1412 ERR_print_errors(bio_err);
1413
1414 if (server)
1415 BIO_free(server);
1416 if (server_io)
1417 BIO_free(server_io);
1418 if (client)
1419 BIO_free(client);
1420 if (client_io)
1421 BIO_free(client_io);
1422 if (s_ssl_bio)
1423 BIO_free(s_ssl_bio);
1424 if (c_ssl_bio)
1425 BIO_free(c_ssl_bio);
1426
1427 return ret;
1428 }
1429
1430
1431 #define W_READ 1
1432 #define W_WRITE 2
1433 #define C_DONE 1
1434 #define S_DONE 2
1435
1436 int doit(SSL *s_ssl, SSL *c_ssl, long count)
1437 {
1438 MS_STATIC char cbuf[1024*8],sbuf[1024*8];
1439 long cw_num=count,cr_num=count;
1440 long sw_num=count,sr_num=count;
1441 int ret=1;
1442 BIO *c_to_s=NULL;
1443 BIO *s_to_c=NULL;
1444 BIO *c_bio=NULL;
1445 BIO *s_bio=NULL;
1446 int c_r,c_w,s_r,s_w;
1447 int i,j;
1448 int done=0;
1449 int c_write,s_write;
1450 int do_server=0,do_client=0;
1451
1452 memset(cbuf,0,sizeof(cbuf));
1453 memset(sbuf,0,sizeof(sbuf));
1454
1455 c_to_s=BIO_new(BIO_s_mem());
1456 s_to_c=BIO_new(BIO_s_mem());
1457 if ((s_to_c == NULL) || (c_to_s == NULL))
1458 {
1459 ERR_print_errors(bio_err);
1460 goto err;
1461 }
1462
1463 c_bio=BIO_new(BIO_f_ssl());
1464 s_bio=BIO_new(BIO_f_ssl());
1465 if ((c_bio == NULL) || (s_bio == NULL))
1466 {
1467 ERR_print_errors(bio_err);
1468 goto err;
1469 }
1470
1471 SSL_set_connect_state(c_ssl);
1472 SSL_set_bio(c_ssl,s_to_c,c_to_s);
1473 BIO_set_ssl(c_bio,c_ssl,BIO_NOCLOSE);
1474
1475 SSL_set_accept_state(s_ssl);
1476 SSL_set_bio(s_ssl,c_to_s,s_to_c);
1477 BIO_set_ssl(s_bio,s_ssl,BIO_NOCLOSE);
1478
1479 c_r=0; s_r=1;
1480 c_w=1; s_w=0;
1481 c_write=1,s_write=0;
1482
1483 /* We can always do writes */
1484 for (;;)
1485 {
1486 do_server=0;
1487 do_client=0;
1488
1489 i=(int)BIO_pending(s_bio);
1490 if ((i && s_r) || s_w) do_server=1;
1491
1492 i=(int)BIO_pending(c_bio);
1493 if ((i && c_r) || c_w) do_client=1;
1494
1495 if (do_server && debug)
1496 {
1497 if (SSL_in_init(s_ssl))
1498 printf("server waiting in SSL_accept - %s\n",
1499 SSL_state_string_long(s_ssl));
1500 /* else if (s_write)
1501 printf("server:SSL_write()\n");
1502 else
1503 printf("server:SSL_read()\n"); */
1504 }
1505
1506 if (do_client && debug)
1507 {
1508 if (SSL_in_init(c_ssl))
1509 printf("client waiting in SSL_connect - %s\n",
1510 SSL_state_string_long(c_ssl));
1511 /* else if (c_write)
1512 printf("client:SSL_write()\n");
1513 else
1514 printf("client:SSL_read()\n"); */
1515 }
1516
1517 if (!do_client && !do_server)
1518 {
1519 fprintf(stdout,"ERROR IN STARTUP\n");
1520 ERR_print_errors(bio_err);
1521 break;
1522 }
1523 if (do_client && !(done & C_DONE))
1524 {
1525 if (c_write)
1526 {
1527 j = (cw_num > (long)sizeof(cbuf)) ?
1528 (int)sizeof(cbuf) : (int)cw_num;
1529 i=BIO_write(c_bio,cbuf,j);
1530 if (i < 0)
1531 {
1532 c_r=0;
1533 c_w=0;
1534 if (BIO_should_retry(c_bio))
1535 {
1536 if (BIO_should_read(c_bio))
1537 c_r=1;
1538 if (BIO_should_write(c_bio))
1539 c_w=1;
1540 }
1541 else
1542 {
1543 fprintf(stderr,"ERROR in CLIENT\ n");
1544 ERR_print_errors(bio_err);
1545 goto err;
1546 }
1547 }
1548 else if (i == 0)
1549 {
1550 fprintf(stderr,"SSL CLIENT STARTUP FAILE D\n");
1551 goto err;
1552 }
1553 else
1554 {
1555 if (debug)
1556 printf("client wrote %d\n",i);
1557 /* ok */
1558 s_r=1;
1559 c_write=0;
1560 cw_num-=i;
1561 }
1562 }
1563 else
1564 {
1565 i=BIO_read(c_bio,cbuf,sizeof(cbuf));
1566 if (i < 0)
1567 {
1568 c_r=0;
1569 c_w=0;
1570 if (BIO_should_retry(c_bio))
1571 {
1572 if (BIO_should_read(c_bio))
1573 c_r=1;
1574 if (BIO_should_write(c_bio))
1575 c_w=1;
1576 }
1577 else
1578 {
1579 fprintf(stderr,"ERROR in CLIENT\ n");
1580 ERR_print_errors(bio_err);
1581 goto err;
1582 }
1583 }
1584 else if (i == 0)
1585 {
1586 fprintf(stderr,"SSL CLIENT STARTUP FAILE D\n");
1587 goto err;
1588 }
1589 else
1590 {
1591 if (debug)
1592 printf("client read %d\n",i);
1593 cr_num-=i;
1594 if (sw_num > 0)
1595 {
1596 s_write=1;
1597 s_w=1;
1598 }
1599 if (cr_num <= 0)
1600 {
1601 s_write=1;
1602 s_w=1;
1603 done=S_DONE|C_DONE;
1604 }
1605 }
1606 }
1607 }
1608
1609 if (do_server && !(done & S_DONE))
1610 {
1611 if (!s_write)
1612 {
1613 i=BIO_read(s_bio,sbuf,sizeof(cbuf));
1614 if (i < 0)
1615 {
1616 s_r=0;
1617 s_w=0;
1618 if (BIO_should_retry(s_bio))
1619 {
1620 if (BIO_should_read(s_bio))
1621 s_r=1;
1622 if (BIO_should_write(s_bio))
1623 s_w=1;
1624 }
1625 else
1626 {
1627 fprintf(stderr,"ERROR in SERVER\ n");
1628 ERR_print_errors(bio_err);
1629 goto err;
1630 }
1631 }
1632 else if (i == 0)
1633 {
1634 ERR_print_errors(bio_err);
1635 fprintf(stderr,"SSL SERVER STARTUP FAILE D in SSL_read\n");
1636 goto err;
1637 }
1638 else
1639 {
1640 if (debug)
1641 printf("server read %d\n",i);
1642 sr_num-=i;
1643 if (cw_num > 0)
1644 {
1645 c_write=1;
1646 c_w=1;
1647 }
1648 if (sr_num <= 0)
1649 {
1650 s_write=1;
1651 s_w=1;
1652 c_write=0;
1653 }
1654 }
1655 }
1656 else
1657 {
1658 j = (sw_num > (long)sizeof(sbuf)) ?
1659 (int)sizeof(sbuf) : (int)sw_num;
1660 i=BIO_write(s_bio,sbuf,j);
1661 if (i < 0)
1662 {
1663 s_r=0;
1664 s_w=0;
1665 if (BIO_should_retry(s_bio))
1666 {
1667 if (BIO_should_read(s_bio))
1668 s_r=1;
1669 if (BIO_should_write(s_bio))
1670 s_w=1;
1671 }
1672 else
1673 {
1674 fprintf(stderr,"ERROR in SERVER\ n");
1675 ERR_print_errors(bio_err);
1676 goto err;
1677 }
1678 }
1679 else if (i == 0)
1680 {
1681 ERR_print_errors(bio_err);
1682 fprintf(stderr,"SSL SERVER STARTUP FAILE D in SSL_write\n");
1683 goto err;
1684 }
1685 else
1686 {
1687 if (debug)
1688 printf("server wrote %d\n",i);
1689 sw_num-=i;
1690 s_write=0;
1691 c_r=1;
1692 if (sw_num <= 0)
1693 done|=S_DONE;
1694 }
1695 }
1696 }
1697
1698 if ((done & S_DONE) && (done & C_DONE)) break;
1699 }
1700
1701 if (verbose)
1702 print_details(c_ssl, "DONE: ");
1703 ret=0;
1704 err:
1705 /* We have to set the BIO's to NULL otherwise they will be
1706 * OPENSSL_free()ed twice. Once when th s_ssl is SSL_free()ed and
1707 * again when c_ssl is SSL_free()ed.
1708 * This is a hack required because s_ssl and c_ssl are sharing the same
1709 * BIO structure and SSL_set_bio() and SSL_free() automatically
1710 * BIO_free non NULL entries.
1711 * You should not normally do this or be required to do this */
1712 if (s_ssl != NULL)
1713 {
1714 s_ssl->rbio=NULL;
1715 s_ssl->wbio=NULL;
1716 }
1717 if (c_ssl != NULL)
1718 {
1719 c_ssl->rbio=NULL;
1720 c_ssl->wbio=NULL;
1721 }
1722
1723 if (c_to_s != NULL) BIO_free(c_to_s);
1724 if (s_to_c != NULL) BIO_free(s_to_c);
1725 if (c_bio != NULL) BIO_free_all(c_bio);
1726 if (s_bio != NULL) BIO_free_all(s_bio);
1727 return(ret);
1728 }
1729
1730 static int get_proxy_auth_ex_data_idx(void)
1731 {
1732 static volatile int idx = -1;
1733 if (idx < 0)
1734 {
1735 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
1736 if (idx < 0)
1737 {
1738 idx = X509_STORE_CTX_get_ex_new_index(0,
1739 "SSLtest for verify callback", NULL,NULL,NULL);
1740 }
1741 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
1742 }
1743 return idx;
1744 }
1745
1746 static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
1747 {
1748 char *s,buf[256];
1749
1750 s=X509_NAME_oneline(X509_get_subject_name(ctx->current_cert),buf,
1751 sizeof buf);
1752 if (s != NULL)
1753 {
1754 if (ok)
1755 fprintf(stderr,"depth=%d %s\n",
1756 ctx->error_depth,buf);
1757 else
1758 {
1759 fprintf(stderr,"depth=%d error=%d %s\n",
1760 ctx->error_depth,ctx->error,buf);
1761 }
1762 }
1763
1764 if (ok == 0)
1765 {
1766 fprintf(stderr,"Error string: %s\n",
1767 X509_verify_cert_error_string(ctx->error));
1768 switch (ctx->error)
1769 {
1770 case X509_V_ERR_CERT_NOT_YET_VALID:
1771 case X509_V_ERR_CERT_HAS_EXPIRED:
1772 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
1773 fprintf(stderr," ... ignored.\n");
1774 ok=1;
1775 }
1776 }
1777
1778 if (ok == 1)
1779 {
1780 X509 *xs = ctx->current_cert;
1781 #if 0
1782 X509 *xi = ctx->current_issuer;
1783 #endif
1784
1785 if (xs->ex_flags & EXFLAG_PROXY)
1786 {
1787 unsigned int *letters =
1788 X509_STORE_CTX_get_ex_data(ctx,
1789 get_proxy_auth_ex_data_idx());
1790
1791 if (letters)
1792 {
1793 int found_any = 0;
1794 int i;
1795 PROXY_CERT_INFO_EXTENSION *pci =
1796 X509_get_ext_d2i(xs, NID_proxyCertInfo,
1797 NULL, NULL);
1798
1799 switch (OBJ_obj2nid(pci->proxyPolicy->policyLang uage))
1800 {
1801 case NID_Independent:
1802 /* Completely meaningless in this
1803 program, as there's no way to
1804 grant explicit rights to a
1805 specific PrC. Basically, using
1806 id-ppl-Independent is the perfect
1807 way to grant no rights at all. */
1808 fprintf(stderr, " Independent proxy cer tificate");
1809 for (i = 0; i < 26; i++)
1810 letters[i] = 0;
1811 break;
1812 case NID_id_ppl_inheritAll:
1813 /* This is basically a NOP, we
1814 simply let the current rights
1815 stand as they are. */
1816 fprintf(stderr, " Proxy certificate inh erits all");
1817 break;
1818 default:
1819 s = (char *)
1820 pci->proxyPolicy->policy->data;
1821 i = pci->proxyPolicy->policy->length;
1822
1823 /* The algorithm works as follows:
1824 it is assumed that previous
1825 iterations or the initial granted
1826 rights has already set some elements
1827 of `letters'. What we need to do is
1828 to clear those that weren't granted
1829 by the current PrC as well. The
1830 easiest way to do this is to add 1
1831 to all the elements whose letters
1832 are given with the current policy.
1833 That way, all elements that are set
1834 by the current policy and were
1835 already set by earlier policies and
1836 through the original grant of rights
1837 will get the value 2 or higher.
1838 The last thing to do is to sweep
1839 through `letters' and keep the
1840 elements having the value 2 as set,
1841 and clear all the others. */
1842
1843 fprintf(stderr, " Certificate proxy rig hts = %*.*s", i, i, s);
1844 while(i-- > 0)
1845 {
1846 int c = *s++;
1847 if (isascii(c) && isalpha(c))
1848 {
1849 if (islower(c))
1850 c = toupper(c);
1851 letters[c - 'A']++;
1852 }
1853 }
1854 for (i = 0; i < 26; i++)
1855 if (letters[i] < 2)
1856 letters[i] = 0;
1857 else
1858 letters[i] = 1;
1859 }
1860
1861 found_any = 0;
1862 fprintf(stderr,
1863 ", resulting proxy rights = ");
1864 for(i = 0; i < 26; i++)
1865 if (letters[i])
1866 {
1867 fprintf(stderr, "%c", i + 'A');
1868 found_any = 1;
1869 }
1870 if (!found_any)
1871 fprintf(stderr, "none");
1872 fprintf(stderr, "\n");
1873
1874 PROXY_CERT_INFO_EXTENSION_free(pci);
1875 }
1876 }
1877 }
1878
1879 return(ok);
1880 }
1881
1882 static void process_proxy_debug(int indent, const char *format, ...)
1883 {
1884 static const char indentation[] =
1885 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
1886 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"; /* That's 80 > */
1887 char my_format[256];
1888 va_list args;
1889
1890 BIO_snprintf(my_format, sizeof(my_format), "%*.*s %s",
1891 indent, indent, indentation, format);
1892
1893 va_start(args, format);
1894 vfprintf(stderr, my_format, args);
1895 va_end(args);
1896 }
1897 /* Priority levels:
1898 0 [!]var, ()
1899 1 & ^
1900 2 |
1901 */
1902 static int process_proxy_cond_adders(unsigned int letters[26],
1903 const char *cond, const char **cond_end, int *pos, int indent);
1904 static int process_proxy_cond_val(unsigned int letters[26],
1905 const char *cond, const char **cond_end, int *pos, int indent)
1906 {
1907 int c;
1908 int ok = 1;
1909 int negate = 0;
1910
1911 while(isspace((int)*cond))
1912 {
1913 cond++; (*pos)++;
1914 }
1915 c = *cond;
1916
1917 if (debug)
1918 process_proxy_debug(indent,
1919 "Start process_proxy_cond_val at position %d: %s\n",
1920 *pos, cond);
1921
1922 while(c == '!')
1923 {
1924 negate = !negate;
1925 cond++; (*pos)++;
1926 while(isspace((int)*cond))
1927 {
1928 cond++; (*pos)++;
1929 }
1930 c = *cond;
1931 }
1932
1933 if (c == '(')
1934 {
1935 cond++; (*pos)++;
1936 ok = process_proxy_cond_adders(letters, cond, cond_end, pos,
1937 indent + 1);
1938 cond = *cond_end;
1939 if (ok < 0)
1940 goto end;
1941 while(isspace((int)*cond))
1942 {
1943 cond++; (*pos)++;
1944 }
1945 c = *cond;
1946 if (c != ')')
1947 {
1948 fprintf(stderr,
1949 "Weird condition character in position %d: "
1950 "%c\n", *pos, c);
1951 ok = -1;
1952 goto end;
1953 }
1954 cond++; (*pos)++;
1955 }
1956 else if (isascii(c) && isalpha(c))
1957 {
1958 if (islower(c))
1959 c = toupper(c);
1960 ok = letters[c - 'A'];
1961 cond++; (*pos)++;
1962 }
1963 else
1964 {
1965 fprintf(stderr,
1966 "Weird condition character in position %d: "
1967 "%c\n", *pos, c);
1968 ok = -1;
1969 goto end;
1970 }
1971 end:
1972 *cond_end = cond;
1973 if (ok >= 0 && negate)
1974 ok = !ok;
1975
1976 if (debug)
1977 process_proxy_debug(indent,
1978 "End process_proxy_cond_val at position %d: %s, returnin g %d\n",
1979 *pos, cond, ok);
1980
1981 return ok;
1982 }
1983 static int process_proxy_cond_multipliers(unsigned int letters[26],
1984 const char *cond, const char **cond_end, int *pos, int indent)
1985 {
1986 int ok;
1987 char c;
1988
1989 if (debug)
1990 process_proxy_debug(indent,
1991 "Start process_proxy_cond_multipliers at position %d: %s \n",
1992 *pos, cond);
1993
1994 ok = process_proxy_cond_val(letters, cond, cond_end, pos, indent + 1);
1995 cond = *cond_end;
1996 if (ok < 0)
1997 goto end;
1998
1999 while(ok >= 0)
2000 {
2001 while(isspace((int)*cond))
2002 {
2003 cond++; (*pos)++;
2004 }
2005 c = *cond;
2006
2007 switch(c)
2008 {
2009 case '&':
2010 case '^':
2011 {
2012 int save_ok = ok;
2013
2014 cond++; (*pos)++;
2015 ok = process_proxy_cond_val(letters,
2016 cond, cond_end, pos, indent + 1);
2017 cond = *cond_end;
2018 if (ok < 0)
2019 break;
2020
2021 switch(c)
2022 {
2023 case '&':
2024 ok &= save_ok;
2025 break;
2026 case '^':
2027 ok ^= save_ok;
2028 break;
2029 default:
2030 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
2031 " STOPPING\n");
2032 EXIT(1);
2033 }
2034 }
2035 break;
2036 default:
2037 goto end;
2038 }
2039 }
2040 end:
2041 if (debug)
2042 process_proxy_debug(indent,
2043 "End process_proxy_cond_multipliers at position %d: %s, returning %d\n",
2044 *pos, cond, ok);
2045
2046 *cond_end = cond;
2047 return ok;
2048 }
2049 static int process_proxy_cond_adders(unsigned int letters[26],
2050 const char *cond, const char **cond_end, int *pos, int indent)
2051 {
2052 int ok;
2053 char c;
2054
2055 if (debug)
2056 process_proxy_debug(indent,
2057 "Start process_proxy_cond_adders at position %d: %s\n",
2058 *pos, cond);
2059
2060 ok = process_proxy_cond_multipliers(letters, cond, cond_end, pos,
2061 indent + 1);
2062 cond = *cond_end;
2063 if (ok < 0)
2064 goto end;
2065
2066 while(ok >= 0)
2067 {
2068 while(isspace((int)*cond))
2069 {
2070 cond++; (*pos)++;
2071 }
2072 c = *cond;
2073
2074 switch(c)
2075 {
2076 case '|':
2077 {
2078 int save_ok = ok;
2079
2080 cond++; (*pos)++;
2081 ok = process_proxy_cond_multipliers(letters,
2082 cond, cond_end, pos, indent + 1);
2083 cond = *cond_end;
2084 if (ok < 0)
2085 break;
2086
2087 switch(c)
2088 {
2089 case '|':
2090 ok |= save_ok;
2091 break;
2092 default:
2093 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
2094 " STOPPING\n");
2095 EXIT(1);
2096 }
2097 }
2098 break;
2099 default:
2100 goto end;
2101 }
2102 }
2103 end:
2104 if (debug)
2105 process_proxy_debug(indent,
2106 "End process_proxy_cond_adders at position %d: %s, retur ning %d\n",
2107 *pos, cond, ok);
2108
2109 *cond_end = cond;
2110 return ok;
2111 }
2112
2113 static int process_proxy_cond(unsigned int letters[26],
2114 const char *cond, const char **cond_end)
2115 {
2116 int pos = 1;
2117 return process_proxy_cond_adders(letters, cond, cond_end, &pos, 1);
2118 }
2119
2120 static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg)
2121 {
2122 int ok=1;
2123 struct app_verify_arg *cb_arg = arg;
2124 unsigned int letters[26]; /* only used with proxy_auth */
2125
2126 if (cb_arg->app_verify)
2127 {
2128 char *s = NULL,buf[256];
2129
2130 fprintf(stderr, "In app_verify_callback, allowing cert. ");
2131 fprintf(stderr, "Arg is: %s\n", cb_arg->string);
2132 fprintf(stderr, "Finished printing do we have a context? 0x%p a cert? 0x%p\n",
2133 (void *)ctx, (void *)ctx->cert);
2134 if (ctx->cert)
2135 s=X509_NAME_oneline(X509_get_subject_name(ctx->cert),buf ,256);
2136 if (s != NULL)
2137 {
2138 fprintf(stderr,"cert depth=%d %s\n",ctx->error_depth,buf );
2139 }
2140 return(1);
2141 }
2142 if (cb_arg->proxy_auth)
2143 {
2144 int found_any = 0, i;
2145 char *sp;
2146
2147 for(i = 0; i < 26; i++)
2148 letters[i] = 0;
2149 for(sp = cb_arg->proxy_auth; *sp; sp++)
2150 {
2151 int c = *sp;
2152 if (isascii(c) && isalpha(c))
2153 {
2154 if (islower(c))
2155 c = toupper(c);
2156 letters[c - 'A'] = 1;
2157 }
2158 }
2159
2160 fprintf(stderr,
2161 " Initial proxy rights = ");
2162 for(i = 0; i < 26; i++)
2163 if (letters[i])
2164 {
2165 fprintf(stderr, "%c", i + 'A');
2166 found_any = 1;
2167 }
2168 if (!found_any)
2169 fprintf(stderr, "none");
2170 fprintf(stderr, "\n");
2171
2172 X509_STORE_CTX_set_ex_data(ctx,
2173 get_proxy_auth_ex_data_idx(),letters);
2174 }
2175 if (cb_arg->allow_proxy_certs)
2176 {
2177 X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
2178 }
2179
2180 #ifndef OPENSSL_NO_X509_VERIFY
2181 # ifdef OPENSSL_FIPS
2182 if(s->version == TLS1_VERSION)
2183 FIPS_allow_md5(1);
2184 # endif
2185 ok = X509_verify_cert(ctx);
2186 # ifdef OPENSSL_FIPS
2187 if(s->version == TLS1_VERSION)
2188 FIPS_allow_md5(0);
2189 # endif
2190 #endif
2191
2192 if (cb_arg->proxy_auth)
2193 {
2194 if (ok > 0)
2195 {
2196 const char *cond_end = NULL;
2197
2198 ok = process_proxy_cond(letters,
2199 cb_arg->proxy_cond, &cond_end);
2200
2201 if (ok < 0)
2202 EXIT(3);
2203 if (*cond_end)
2204 {
2205 fprintf(stderr, "Stopped processing condition be fore it's end.\n");
2206 ok = 0;
2207 }
2208 if (!ok)
2209 fprintf(stderr, "Proxy rights check with conditi on '%s' proved invalid\n",
2210 cb_arg->proxy_cond);
2211 else
2212 fprintf(stderr, "Proxy rights check with conditi on '%s' proved valid\n",
2213 cb_arg->proxy_cond);
2214 }
2215 }
2216 return(ok);
2217 }
2218
2219 #ifndef OPENSSL_NO_RSA
2220 static RSA *rsa_tmp=NULL;
2221
2222 static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength)
2223 {
2224 BIGNUM *bn = NULL;
2225 if (rsa_tmp == NULL)
2226 {
2227 bn = BN_new();
2228 rsa_tmp = RSA_new();
2229 if(!bn || !rsa_tmp || !BN_set_word(bn, RSA_F4))
2230 {
2231 BIO_printf(bio_err, "Memory error...");
2232 goto end;
2233 }
2234 BIO_printf(bio_err,"Generating temp (%d bit) RSA key...",keyleng th);
2235 (void)BIO_flush(bio_err);
2236 if(!RSA_generate_key_ex(rsa_tmp,keylength,bn,NULL))
2237 {
2238 BIO_printf(bio_err, "Error generating key.");
2239 RSA_free(rsa_tmp);
2240 rsa_tmp = NULL;
2241 }
2242 end:
2243 BIO_printf(bio_err,"\n");
2244 (void)BIO_flush(bio_err);
2245 }
2246 if(bn) BN_free(bn);
2247 return(rsa_tmp);
2248 }
2249
2250 static void free_tmp_rsa(void)
2251 {
2252 if (rsa_tmp != NULL)
2253 {
2254 RSA_free(rsa_tmp);
2255 rsa_tmp = NULL;
2256 }
2257 }
2258 #endif
2259
2260 #ifndef OPENSSL_NO_DH
2261 /* These DH parameters have been generated as follows:
2262 * $ openssl dhparam -C -noout 512
2263 * $ openssl dhparam -C -noout 1024
2264 * $ openssl dhparam -C -noout -dsaparam 1024
2265 * (The third function has been renamed to avoid name conflicts.)
2266 */
2267 static DH *get_dh512()
2268 {
2269 static unsigned char dh512_p[]={
2270 0xCB,0xC8,0xE1,0x86,0xD0,0x1F,0x94,0x17,0xA6,0x99,0xF0,0xC6,
2271 0x1F,0x0D,0xAC,0xB6,0x25,0x3E,0x06,0x39,0xCA,0x72,0x04,0xB0,
2272 0x6E,0xDA,0xC0,0x61,0xE6,0x7A,0x77,0x25,0xE8,0x3B,0xB9,0x5F,
2273 0x9A,0xB6,0xB5,0xFE,0x99,0x0B,0xA1,0x93,0x4E,0x35,0x33,0xB8,
2274 0xE1,0xF1,0x13,0x4F,0x59,0x1A,0xD2,0x57,0xC0,0x26,0x21,0x33,
2275 0x02,0xC5,0xAE,0x23,
2276 };
2277 static unsigned char dh512_g[]={
2278 0x02,
2279 };
2280 DH *dh;
2281
2282 if ((dh=DH_new()) == NULL) return(NULL);
2283 dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
2284 dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
2285 if ((dh->p == NULL) || (dh->g == NULL))
2286 { DH_free(dh); return(NULL); }
2287 return(dh);
2288 }
2289
2290 static DH *get_dh1024()
2291 {
2292 static unsigned char dh1024_p[]={
2293 0xF8,0x81,0x89,0x7D,0x14,0x24,0xC5,0xD1,0xE6,0xF7,0xBF,0x3A,
2294 0xE4,0x90,0xF4,0xFC,0x73,0xFB,0x34,0xB5,0xFA,0x4C,0x56,0xA2,
2295 0xEA,0xA7,0xE9,0xC0,0xC0,0xCE,0x89,0xE1,0xFA,0x63,0x3F,0xB0,
2296 0x6B,0x32,0x66,0xF1,0xD1,0x7B,0xB0,0x00,0x8F,0xCA,0x87,0xC2,
2297 0xAE,0x98,0x89,0x26,0x17,0xC2,0x05,0xD2,0xEC,0x08,0xD0,0x8C,
2298 0xFF,0x17,0x52,0x8C,0xC5,0x07,0x93,0x03,0xB1,0xF6,0x2F,0xB8,
2299 0x1C,0x52,0x47,0x27,0x1B,0xDB,0xD1,0x8D,0x9D,0x69,0x1D,0x52,
2300 0x4B,0x32,0x81,0xAA,0x7F,0x00,0xC8,0xDC,0xE6,0xD9,0xCC,0xC1,
2301 0x11,0x2D,0x37,0x34,0x6C,0xEA,0x02,0x97,0x4B,0x0E,0xBB,0xB1,
2302 0x71,0x33,0x09,0x15,0xFD,0xDD,0x23,0x87,0x07,0x5E,0x89,0xAB,
2303 0x6B,0x7C,0x5F,0xEC,0xA6,0x24,0xDC,0x53,
2304 };
2305 static unsigned char dh1024_g[]={
2306 0x02,
2307 };
2308 DH *dh;
2309
2310 if ((dh=DH_new()) == NULL) return(NULL);
2311 dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
2312 dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
2313 if ((dh->p == NULL) || (dh->g == NULL))
2314 { DH_free(dh); return(NULL); }
2315 return(dh);
2316 }
2317
2318 static DH *get_dh1024dsa()
2319 {
2320 static unsigned char dh1024_p[]={
2321 0xC8,0x00,0xF7,0x08,0x07,0x89,0x4D,0x90,0x53,0xF3,0xD5,0x00,
2322 0x21,0x1B,0xF7,0x31,0xA6,0xA2,0xDA,0x23,0x9A,0xC7,0x87,0x19,
2323 0x3B,0x47,0xB6,0x8C,0x04,0x6F,0xFF,0xC6,0x9B,0xB8,0x65,0xD2,
2324 0xC2,0x5F,0x31,0x83,0x4A,0xA7,0x5F,0x2F,0x88,0x38,0xB6,0x55,
2325 0xCF,0xD9,0x87,0x6D,0x6F,0x9F,0xDA,0xAC,0xA6,0x48,0xAF,0xFC,
2326 0x33,0x84,0x37,0x5B,0x82,0x4A,0x31,0x5D,0xE7,0xBD,0x52,0x97,
2327 0xA1,0x77,0xBF,0x10,0x9E,0x37,0xEA,0x64,0xFA,0xCA,0x28,0x8D,
2328 0x9D,0x3B,0xD2,0x6E,0x09,0x5C,0x68,0xC7,0x45,0x90,0xFD,0xBB,
2329 0x70,0xC9,0x3A,0xBB,0xDF,0xD4,0x21,0x0F,0xC4,0x6A,0x3C,0xF6,
2330 0x61,0xCF,0x3F,0xD6,0x13,0xF1,0x5F,0xBC,0xCF,0xBC,0x26,0x9E,
2331 0xBC,0x0B,0xBD,0xAB,0x5D,0xC9,0x54,0x39,
2332 };
2333 static unsigned char dh1024_g[]={
2334 0x3B,0x40,0x86,0xE7,0xF3,0x6C,0xDE,0x67,0x1C,0xCC,0x80,0x05,
2335 0x5A,0xDF,0xFE,0xBD,0x20,0x27,0x74,0x6C,0x24,0xC9,0x03,0xF3,
2336 0xE1,0x8D,0xC3,0x7D,0x98,0x27,0x40,0x08,0xB8,0x8C,0x6A,0xE9,
2337 0xBB,0x1A,0x3A,0xD6,0x86,0x83,0x5E,0x72,0x41,0xCE,0x85,0x3C,
2338 0xD2,0xB3,0xFC,0x13,0xCE,0x37,0x81,0x9E,0x4C,0x1C,0x7B,0x65,
2339 0xD3,0xE6,0xA6,0x00,0xF5,0x5A,0x95,0x43,0x5E,0x81,0xCF,0x60,
2340 0xA2,0x23,0xFC,0x36,0xA7,0x5D,0x7A,0x4C,0x06,0x91,0x6E,0xF6,
2341 0x57,0xEE,0x36,0xCB,0x06,0xEA,0xF5,0x3D,0x95,0x49,0xCB,0xA7,
2342 0xDD,0x81,0xDF,0x80,0x09,0x4A,0x97,0x4D,0xA8,0x22,0x72,0xA1,
2343 0x7F,0xC4,0x70,0x56,0x70,0xE8,0x20,0x10,0x18,0x8F,0x2E,0x60,
2344 0x07,0xE7,0x68,0x1A,0x82,0x5D,0x32,0xA2,
2345 };
2346 DH *dh;
2347
2348 if ((dh=DH_new()) == NULL) return(NULL);
2349 dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
2350 dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
2351 if ((dh->p == NULL) || (dh->g == NULL))
2352 { DH_free(dh); return(NULL); }
2353 dh->length = 160;
2354 return(dh);
2355 }
2356 #endif
2357
2358 #ifndef OPENSSL_NO_PSK
2359 /* convert the PSK key (psk_key) in ascii to binary (psk) */
2360 static int psk_key2bn(const char *pskkey, unsigned char *psk,
2361 unsigned int max_psk_len)
2362 {
2363 int ret;
2364 BIGNUM *bn = NULL;
2365
2366 ret = BN_hex2bn(&bn, pskkey);
2367 if (!ret)
2368 {
2369 BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", pskkey);
2370 if (bn)
2371 BN_free(bn);
2372 return 0;
2373 }
2374 if (BN_num_bytes(bn) > (int)max_psk_len)
2375 {
2376 BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n",
2377 max_psk_len, BN_num_bytes(bn));
2378 BN_free(bn);
2379 return 0;
2380 }
2381 ret = BN_bn2bin(bn, psk);
2382 BN_free(bn);
2383 return ret;
2384 }
2385
2386 static unsigned int psk_client_callback(SSL *ssl, const char *hint, char *identi ty,
2387 unsigned int max_identity_len, unsigned char *psk,
2388 unsigned int max_psk_len)
2389 {
2390 int ret;
2391 unsigned int psk_len = 0;
2392
2393 ret = BIO_snprintf(identity, max_identity_len, "Client_identity");
2394 if (ret < 0)
2395 goto out_err;
2396 if (debug)
2397 fprintf(stderr, "client: created identity '%s' len=%d\n", identi ty, ret);
2398 ret = psk_key2bn(psk_key, psk, max_psk_len);
2399 if (ret < 0)
2400 goto out_err;
2401 psk_len = ret;
2402 out_err:
2403 return psk_len;
2404 }
2405
2406 static unsigned int psk_server_callback(SSL *ssl, const char *identity,
2407 unsigned char *psk, unsigned int max_psk_len)
2408 {
2409 unsigned int psk_len=0;
2410
2411 if (strcmp(identity, "Client_identity") != 0)
2412 {
2413 BIO_printf(bio_err, "server: PSK error: client identity not foun d\n");
2414 return 0;
2415 }
2416 psk_len=psk_key2bn(psk_key, psk, max_psk_len);
2417 return psk_len;
2418 }
2419 #endif
2420
2421 static int do_test_cipherlist(void)
2422 {
2423 int i = 0;
2424 const SSL_METHOD *meth;
2425 const SSL_CIPHER *ci, *tci = NULL;
2426
2427 #ifndef OPENSSL_NO_SSL2
2428 fprintf(stderr, "testing SSLv2 cipher list order: ");
2429 meth = SSLv2_method();
2430 while ((ci = meth->get_cipher(i++)) != NULL)
2431 {
2432 if (tci != NULL)
2433 if (ci->id >= tci->id)
2434 {
2435 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2436 return 0;
2437 }
2438 tci = ci;
2439 }
2440 fprintf(stderr, "ok\n");
2441 #endif
2442 #ifndef OPENSSL_NO_SSL3
2443 fprintf(stderr, "testing SSLv3 cipher list order: ");
2444 meth = SSLv3_method();
2445 tci = NULL;
2446 while ((ci = meth->get_cipher(i++)) != NULL)
2447 {
2448 if (tci != NULL)
2449 if (ci->id >= tci->id)
2450 {
2451 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2452 return 0;
2453 }
2454 tci = ci;
2455 }
2456 fprintf(stderr, "ok\n");
2457 #endif
2458 #ifndef OPENSSL_NO_TLS1
2459 fprintf(stderr, "testing TLSv1 cipher list order: ");
2460 meth = TLSv1_method();
2461 tci = NULL;
2462 while ((ci = meth->get_cipher(i++)) != NULL)
2463 {
2464 if (tci != NULL)
2465 if (ci->id >= tci->id)
2466 {
2467 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2468 return 0;
2469 }
2470 tci = ci;
2471 }
2472 fprintf(stderr, "ok\n");
2473 #endif
2474
2475 return 1;
2476 }
OLDNEW
« openssl.gyp ('K') | « openssl/ssl/ssltest.c ('k') | openssl/ssl/t1_clnt.c » ('j') | patches/x509_hash_name_algorithm_change.patch » ('J')

Powered by Google App Engine
This is Rietveld 408576698