Chromium Code Reviews
chromiumcodereview-hr@appspot.gserviceaccount.com (chromiumcodereview-hr) | Please choose your nickname with Settings | Help | Chromium Project | Gerrit Changes | Sign out
(321)

Issues Search
    My Issues | Starred     Open | Closed | All

Side by Side Diff: openssl/ssl/ssltest.c

Issue 2072073002: Delete bundled copy of OpenSSL and replace with README. (Closed) Base URL: https://chromium.googlesource.com/chromium/deps/openssl@master
Patch Set: Delete bundled copy of OpenSSL and replace with README. Created 4 years, 6 months ago
Use n/p to move between diff chunks; N/P to move between comments. Draft comments are only viewable by you.
Jump to:
View unified diff | Download patch
« no previous file with comments | « openssl/ssl/ssl_txt.c ('k') | openssl/ssl/t1_clnt.c » ('j') | no next file with comments »
Toggle Intra-line Diffs ('i') | Expand Comments ('e') | Collapse Comments ('c') | Show Comments Hide Comments ('s')
OLDNEW
(Empty)
1 /* ssl/ssltest.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58 /* ====================================================================
59 * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111 /* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 * ECC cipher suite support in OpenSSL originally developed by
114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
115 */
116 /* ====================================================================
117 * Copyright 2005 Nokia. All rights reserved.
118 *
119 * The portions of the attached software ("Contribution") is developed by
120 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
121 * license.
122 *
123 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
124 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
125 * support (see RFC 4279) to OpenSSL.
126 *
127 * No patent licenses or other rights except those expressly stated in
128 * the OpenSSL open source license shall be deemed granted or received
129 * expressly, by implication, estoppel, or otherwise.
130 *
131 * No assurances are provided by Nokia that the Contribution does not
132 * infringe the patent or other intellectual property rights of any third
133 * party or that the license provides you with all the necessary rights
134 * to make use of the Contribution.
135 *
136 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
137 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
138 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
139 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
140 * OTHERWISE.
141 */
142
143 #define _BSD_SOURCE 1 /* Or gethostname won't be declared properly
144 on Linux and GNU platforms. */
145
146 #include <assert.h>
147 #include <errno.h>
148 #include <limits.h>
149 #include <stdio.h>
150 #include <stdlib.h>
151 #include <string.h>
152 #include <time.h>
153
154 #define USE_SOCKETS
155 #include "e_os.h"
156
157 #ifdef OPENSSL_SYS_VMS
158 #define _XOPEN_SOURCE 500 /* Or isascii won't be declared properly on
159 VMS (at least with DECompHP C). */
160 #endif
161
162 #include <ctype.h>
163
164 #include <openssl/bio.h>
165 #include <openssl/crypto.h>
166 #include <openssl/evp.h>
167 #include <openssl/x509.h>
168 #include <openssl/x509v3.h>
169 #include <openssl/ssl.h>
170 #ifndef OPENSSL_NO_ENGINE
171 #include <openssl/engine.h>
172 #endif
173 #include <openssl/err.h>
174 #include <openssl/rand.h>
175 #ifndef OPENSSL_NO_RSA
176 #include <openssl/rsa.h>
177 #endif
178 #ifndef OPENSSL_NO_DSA
179 #include <openssl/dsa.h>
180 #endif
181 #ifndef OPENSSL_NO_DH
182 #include <openssl/dh.h>
183 #endif
184 #ifndef OPENSSL_NO_SRP
185 #include <openssl/srp.h>
186 #endif
187 #include <openssl/bn.h>
188
189 #define _XOPEN_SOURCE_EXTENDED 1 /* Or gethostname won't be declared properly
190 on Compaq platforms (at least with DEC C).
191 Do not try to put it earlier, or IPv6 inclu des
192 get screwed...
193 */
194
195 #ifdef OPENSSL_SYS_WINDOWS
196 #include <winsock.h>
197 #else
198 #include OPENSSL_UNISTD
199 #endif
200
201 #ifdef OPENSSL_SYS_VMS
202 # define TEST_SERVER_CERT "SYS$DISK:[-.APPS]SERVER.PEM"
203 # define TEST_CLIENT_CERT "SYS$DISK:[-.APPS]CLIENT.PEM"
204 #elif defined(OPENSSL_SYS_WINCE)
205 # define TEST_SERVER_CERT "\\OpenSSL\\server.pem"
206 # define TEST_CLIENT_CERT "\\OpenSSL\\client.pem"
207 #elif defined(OPENSSL_SYS_NETWARE)
208 # define TEST_SERVER_CERT "\\openssl\\apps\\server.pem"
209 # define TEST_CLIENT_CERT "\\openssl\\apps\\client.pem"
210 #else
211 # define TEST_SERVER_CERT "../apps/server.pem"
212 # define TEST_CLIENT_CERT "../apps/client.pem"
213 #endif
214
215 /* There is really no standard for this, so let's assign some tentative
216 numbers. In any case, these numbers are only for this test */
217 #define COMP_RLE 255
218 #define COMP_ZLIB 1
219
220 static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
221 #ifndef OPENSSL_NO_RSA
222 static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export,int keylength);
223 static void free_tmp_rsa(void);
224 #endif
225 static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg);
226 #define APP_CALLBACK_STRING "Test Callback Argument"
227 struct app_verify_arg
228 {
229 char *string;
230 int app_verify;
231 int allow_proxy_certs;
232 char *proxy_auth;
233 char *proxy_cond;
234 };
235
236 #ifndef OPENSSL_NO_DH
237 static DH *get_dh512(void);
238 static DH *get_dh1024(void);
239 static DH *get_dh1024dsa(void);
240 #endif
241
242
243 static char *psk_key=NULL; /* by default PSK is not used */
244 #ifndef OPENSSL_NO_PSK
245 static unsigned int psk_client_callback(SSL *ssl, const char *hint, char *identi ty,
246 unsigned int max_identity_len, unsigned char *psk,
247 unsigned int max_psk_len);
248 static unsigned int psk_server_callback(SSL *ssl, const char *identity, unsigned char *psk,
249 unsigned int max_psk_len);
250 #endif
251
252 #ifndef OPENSSL_NO_SRP
253 /* SRP client */
254 /* This is a context that we pass to all callbacks */
255 typedef struct srp_client_arg_st
256 {
257 char *srppassin;
258 char *srplogin;
259 } SRP_CLIENT_ARG;
260
261 #define PWD_STRLEN 1024
262
263 static char * MS_CALLBACK ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
264 {
265 SRP_CLIENT_ARG *srp_client_arg = (SRP_CLIENT_ARG *)arg;
266 return BUF_strdup((char *)srp_client_arg->srppassin);
267 }
268
269 /* SRP server */
270 /* This is a context that we pass to SRP server callbacks */
271 typedef struct srp_server_arg_st
272 {
273 char *expected_user;
274 char *pass;
275 } SRP_SERVER_ARG;
276
277 static int MS_CALLBACK ssl_srp_server_param_cb(SSL *s, int *ad, void *arg)
278 {
279 SRP_SERVER_ARG * p = (SRP_SERVER_ARG *) arg;
280
281 if (strcmp(p->expected_user, SSL_get_srp_username(s)) != 0)
282 {
283 fprintf(stderr, "User %s doesn't exist\n", SSL_get_srp_username( s));
284 return SSL3_AL_FATAL;
285 }
286 if (SSL_set_srp_server_param_pw(s,p->expected_user,p->pass,"1024")<0)
287 {
288 *ad = SSL_AD_INTERNAL_ERROR;
289 return SSL3_AL_FATAL;
290 }
291 return SSL_ERROR_NONE;
292 }
293 #endif
294
295 static BIO *bio_err=NULL;
296 static BIO *bio_stdout=NULL;
297
298 static char *cipher=NULL;
299 static int verbose=0;
300 static int debug=0;
301 #if 0
302 /* Not used yet. */
303 #ifdef FIONBIO
304 static int s_nbio=0;
305 #endif
306 #endif
307
308 static const char rnd_seed[] = "string to make the random number generator think it has entropy";
309
310 int doit_biopair(SSL *s_ssl,SSL *c_ssl,long bytes,clock_t *s_time,clock_t *c_tim e);
311 int doit(SSL *s_ssl,SSL *c_ssl,long bytes);
312 static int do_test_cipherlist(void);
313 static void sv_usage(void)
314 {
315 fprintf(stderr,"usage: ssltest [args ...]\n");
316 fprintf(stderr,"\n");
317 #ifdef OPENSSL_FIPS
318 fprintf(stderr,"-F - run test in FIPS mode\n");
319 #endif
320 fprintf(stderr," -server_auth - check server certificate\n");
321 fprintf(stderr," -client_auth - do client authentication\n");
322 fprintf(stderr," -proxy - allow proxy certificates\n");
323 fprintf(stderr," -proxy_auth <val> - set proxy policy rights\n");
324 fprintf(stderr," -proxy_cond <val> - experssion to test proxy policy rig hts\n");
325 fprintf(stderr," -v - more output\n");
326 fprintf(stderr," -d - debug output\n");
327 fprintf(stderr," -reuse - use session-id reuse\n");
328 fprintf(stderr," -num <val> - number of connections to perform\n");
329 fprintf(stderr," -bytes <val> - number of bytes to swap between client/ server\n");
330 #ifndef OPENSSL_NO_DH
331 fprintf(stderr," -dhe1024 - use 1024 bit key (safe prime) for DHE\n ");
332 fprintf(stderr," -dhe1024dsa - use 1024 bit key (with 160-bit subprime ) for DHE\n");
333 fprintf(stderr," -no_dhe - disable DHE\n");
334 #endif
335 #ifndef OPENSSL_NO_ECDH
336 fprintf(stderr," -no_ecdhe - disable ECDHE\n");
337 #endif
338 #ifndef OPENSSL_NO_PSK
339 fprintf(stderr," -psk arg - PSK in hex (without 0x)\n");
340 #endif
341 #ifndef OPENSSL_NO_SRP
342 fprintf(stderr," -srpuser user - SRP username to use\n");
343 fprintf(stderr," -srppass arg - password for 'user'\n");
344 #endif
345 #ifndef OPENSSL_NO_SSL2
346 fprintf(stderr," -ssl2 - use SSLv2\n");
347 #endif
348 #ifndef OPENSSL_NO_SSL3
349 fprintf(stderr," -ssl3 - use SSLv3\n");
350 #endif
351 #ifndef OPENSSL_NO_TLS1
352 fprintf(stderr," -tls1 - use TLSv1\n");
353 #endif
354 fprintf(stderr," -CApath arg - PEM format directory of CA's\n");
355 fprintf(stderr," -CAfile arg - PEM format file of CA's\n");
356 fprintf(stderr," -cert arg - Server certificate file\n");
357 fprintf(stderr," -key arg - Server key file (default: same as -cert )\n");
358 fprintf(stderr," -c_cert arg - Client certificate file\n");
359 fprintf(stderr," -c_key arg - Client key file (default: same as -c_ce rt)\n");
360 fprintf(stderr," -cipher arg - The cipher list\n");
361 fprintf(stderr," -bio_pair - Use BIO pairs\n");
362 fprintf(stderr," -f - Test even cases that can't work\n");
363 fprintf(stderr," -time - measure processor time used by client a nd server\n");
364 fprintf(stderr," -zlib - use zlib compression\n");
365 fprintf(stderr," -rle - use rle compression\n");
366 #ifndef OPENSSL_NO_ECDH
367 fprintf(stderr," -named_curve arg - Elliptic curve name to use for ephe meral ECDH keys.\n" \
368 " Use \"openssl ecparam -list_curves\" fo r all names\n" \
369 " (default is sect163r2).\n");
370 #endif
371 fprintf(stderr," -test_cipherlist - verifies the order of the ssl cipher lists\n");
372 fprintf(stderr," -cutthrough - enable 1-RTT full-handshake for stro ng ciphers\n");
373 }
374
375 static void print_details(SSL *c_ssl, const char *prefix)
376 {
377 const SSL_CIPHER *ciph;
378 X509 *cert;
379
380 ciph=SSL_get_current_cipher(c_ssl);
381 BIO_printf(bio_stdout,"%s%s, cipher %s %s",
382 prefix,
383 SSL_get_version(c_ssl),
384 SSL_CIPHER_get_version(ciph),
385 SSL_CIPHER_get_name(ciph));
386 cert=SSL_get_peer_certificate(c_ssl);
387 if (cert != NULL)
388 {
389 EVP_PKEY *pkey = X509_get_pubkey(cert);
390 if (pkey != NULL)
391 {
392 if (0)
393 ;
394 #ifndef OPENSSL_NO_RSA
395 else if (pkey->type == EVP_PKEY_RSA && pkey->pkey.rsa != NULL
396 && pkey->pkey.rsa->n != NULL)
397 {
398 BIO_printf(bio_stdout, ", %d bit RSA",
399 BN_num_bits(pkey->pkey.rsa->n));
400 }
401 #endif
402 #ifndef OPENSSL_NO_DSA
403 else if (pkey->type == EVP_PKEY_DSA && pkey->pkey.dsa != NULL
404 && pkey->pkey.dsa->p != NULL)
405 {
406 BIO_printf(bio_stdout, ", %d bit DSA",
407 BN_num_bits(pkey->pkey.dsa->p));
408 }
409 #endif
410 EVP_PKEY_free(pkey);
411 }
412 X509_free(cert);
413 }
414 /* The SSL API does not allow us to look at temporary RSA/DH keys,
415 * otherwise we should print their lengths too */
416 BIO_printf(bio_stdout,"\n");
417 }
418
419 static void lock_dbg_cb(int mode, int type, const char *file, int line)
420 {
421 static int modes[CRYPTO_NUM_LOCKS]; /* = {0, 0, ... } */
422 const char *errstr = NULL;
423 int rw;
424
425 rw = mode & (CRYPTO_READ|CRYPTO_WRITE);
426 if (!((rw == CRYPTO_READ) || (rw == CRYPTO_WRITE)))
427 {
428 errstr = "invalid mode";
429 goto err;
430 }
431
432 if (type < 0 || type >= CRYPTO_NUM_LOCKS)
433 {
434 errstr = "type out of bounds";
435 goto err;
436 }
437
438 if (mode & CRYPTO_LOCK)
439 {
440 if (modes[type])
441 {
442 errstr = "already locked";
443 /* must not happen in a single-threaded program
444 * (would deadlock) */
445 goto err;
446 }
447
448 modes[type] = rw;
449 }
450 else if (mode & CRYPTO_UNLOCK)
451 {
452 if (!modes[type])
453 {
454 errstr = "not locked";
455 goto err;
456 }
457
458 if (modes[type] != rw)
459 {
460 errstr = (rw == CRYPTO_READ) ?
461 "CRYPTO_r_unlock on write lock" :
462 "CRYPTO_w_unlock on read lock";
463 }
464
465 modes[type] = 0;
466 }
467 else
468 {
469 errstr = "invalid mode";
470 goto err;
471 }
472
473 err:
474 if (errstr)
475 {
476 /* we cannot use bio_err here */
477 fprintf(stderr, "openssl (lock_dbg_cb): %s (mode=%d, type=%d) at %s:%d\n",
478 errstr, mode, type, file, line);
479 }
480 }
481
482 #ifdef TLSEXT_TYPE_opaque_prf_input
483 struct cb_info_st { void *input; size_t len; int ret; };
484 struct cb_info_st co1 = { "C", 1, 1 }; /* try to negotiate oqaque PRF input */
485 struct cb_info_st co2 = { "C", 1, 2 }; /* insist on oqaque PRF input */
486 struct cb_info_st so1 = { "S", 1, 1 }; /* try to negotiate oqaque PRF input */
487 struct cb_info_st so2 = { "S", 1, 2 }; /* insist on oqaque PRF input */
488
489 int opaque_prf_input_cb(SSL *ssl, void *peerinput, size_t len, void *arg_)
490 {
491 struct cb_info_st *arg = arg_;
492
493 if (arg == NULL)
494 return 1;
495
496 if (!SSL_set_tlsext_opaque_prf_input(ssl, arg->input, arg->len))
497 return 0;
498 return arg->ret;
499 }
500 #endif
501
502 int main(int argc, char *argv[])
503 {
504 char *CApath=NULL,*CAfile=NULL;
505 int badop=0;
506 int bio_pair=0;
507 int force=0;
508 int tls1=0,ssl2=0,ssl3=0,ret=1;
509 int client_auth=0;
510 int server_auth=0,i;
511 struct app_verify_arg app_verify_arg =
512 { APP_CALLBACK_STRING, 0, 0, NULL, NULL };
513 char *server_cert=TEST_SERVER_CERT;
514 char *server_key=NULL;
515 char *client_cert=TEST_CLIENT_CERT;
516 char *client_key=NULL;
517 #ifndef OPENSSL_NO_ECDH
518 char *named_curve = NULL;
519 #endif
520 SSL_CTX *s_ctx=NULL;
521 SSL_CTX *c_ctx=NULL;
522 const SSL_METHOD *meth=NULL;
523 SSL *c_ssl,*s_ssl;
524 int number=1,reuse=0;
525 long bytes=256L;
526 #ifndef OPENSSL_NO_DH
527 DH *dh;
528 int dhe1024 = 0, dhe1024dsa = 0;
529 #endif
530 #ifndef OPENSSL_NO_ECDH
531 EC_KEY *ecdh = NULL;
532 #endif
533 #ifndef OPENSSL_NO_SRP
534 /* client */
535 SRP_CLIENT_ARG srp_client_arg = {NULL,NULL};
536 /* server */
537 SRP_SERVER_ARG srp_server_arg = {NULL,NULL};
538 #endif
539 int no_dhe = 0;
540 int no_ecdhe = 0;
541 int no_psk = 0;
542 int print_time = 0;
543 clock_t s_time = 0, c_time = 0;
544 int comp = 0;
545 #ifndef OPENSSL_NO_COMP
546 COMP_METHOD *cm = NULL;
547 STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
548 #endif
549 int test_cipherlist = 0;
550 #ifdef OPENSSL_FIPS
551 int fips_mode=0;
552 #endif
553 int cutthrough = 0;
554
555 verbose = 0;
556 debug = 0;
557 cipher = 0;
558
559 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE|BIO_FP_TEXT);
560
561 CRYPTO_set_locking_callback(lock_dbg_cb);
562
563 /* enable memory leak checking unless explicitly disabled */
564 if (!((getenv("OPENSSL_DEBUG_MEMORY") != NULL) && (0 == strcmp(getenv("O PENSSL_DEBUG_MEMORY"), "off"))))
565 {
566 CRYPTO_malloc_debug_init();
567 CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
568 }
569 else
570 {
571 /* OPENSSL_DEBUG_MEMORY=off */
572 CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0);
573 }
574 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
575
576 RAND_seed(rnd_seed, sizeof rnd_seed);
577
578 bio_stdout=BIO_new_fp(stdout,BIO_NOCLOSE|BIO_FP_TEXT);
579
580 argc--;
581 argv++;
582
583 while (argc >= 1)
584 {
585 if(!strcmp(*argv,"-F"))
586 {
587 #ifdef OPENSSL_FIPS
588 fips_mode=1;
589 #else
590 fprintf(stderr,"not compiled with FIPS support, so exitt ing without running.\n");
591 EXIT(0);
592 #endif
593 }
594 else if (strcmp(*argv,"-server_auth") == 0)
595 server_auth=1;
596 else if (strcmp(*argv,"-client_auth") == 0)
597 client_auth=1;
598 else if (strcmp(*argv,"-proxy_auth") == 0)
599 {
600 if (--argc < 1) goto bad;
601 app_verify_arg.proxy_auth= *(++argv);
602 }
603 else if (strcmp(*argv,"-proxy_cond") == 0)
604 {
605 if (--argc < 1) goto bad;
606 app_verify_arg.proxy_cond= *(++argv);
607 }
608 else if (strcmp(*argv,"-v") == 0)
609 verbose=1;
610 else if (strcmp(*argv,"-d") == 0)
611 debug=1;
612 else if (strcmp(*argv,"-reuse") == 0)
613 reuse=1;
614 else if (strcmp(*argv,"-dhe1024") == 0)
615 {
616 #ifndef OPENSSL_NO_DH
617 dhe1024=1;
618 #else
619 fprintf(stderr,"ignoring -dhe1024, since I'm compiled wi thout DH\n");
620 #endif
621 }
622 else if (strcmp(*argv,"-dhe1024dsa") == 0)
623 {
624 #ifndef OPENSSL_NO_DH
625 dhe1024dsa=1;
626 #else
627 fprintf(stderr,"ignoring -dhe1024, since I'm compiled wi thout DH\n");
628 #endif
629 }
630 else if (strcmp(*argv,"-no_dhe") == 0)
631 no_dhe=1;
632 else if (strcmp(*argv,"-no_ecdhe") == 0)
633 no_ecdhe=1;
634 else if (strcmp(*argv,"-psk") == 0)
635 {
636 if (--argc < 1) goto bad;
637 psk_key=*(++argv);
638 #ifndef OPENSSL_NO_PSK
639 if (strspn(psk_key, "abcdefABCDEF1234567890") != strlen( psk_key))
640 {
641 BIO_printf(bio_err,"Not a hex number '%s'\n",*ar gv);
642 goto bad;
643 }
644 #else
645 no_psk=1;
646 #endif
647 }
648 #ifndef OPENSSL_NO_SRP
649 else if (strcmp(*argv,"-srpuser") == 0)
650 {
651 if (--argc < 1) goto bad;
652 srp_server_arg.expected_user = srp_client_arg.srplogin= *(++argv);
653 tls1=1;
654 }
655 else if (strcmp(*argv,"-srppass") == 0)
656 {
657 if (--argc < 1) goto bad;
658 srp_server_arg.pass = srp_client_arg.srppassin= *(++argv );
659 tls1=1;
660 }
661 #endif
662 else if (strcmp(*argv,"-ssl2") == 0)
663 ssl2=1;
664 else if (strcmp(*argv,"-tls1") == 0)
665 tls1=1;
666 else if (strcmp(*argv,"-ssl3") == 0)
667 ssl3=1;
668 else if (strncmp(*argv,"-num",4) == 0)
669 {
670 if (--argc < 1) goto bad;
671 number= atoi(*(++argv));
672 if (number == 0) number=1;
673 }
674 else if (strcmp(*argv,"-bytes") == 0)
675 {
676 if (--argc < 1) goto bad;
677 bytes= atol(*(++argv));
678 if (bytes == 0L) bytes=1L;
679 i=strlen(argv[0]);
680 if (argv[0][i-1] == 'k') bytes*=1024L;
681 if (argv[0][i-1] == 'm') bytes*=1024L*1024L;
682 }
683 else if (strcmp(*argv,"-cert") == 0)
684 {
685 if (--argc < 1) goto bad;
686 server_cert= *(++argv);
687 }
688 else if (strcmp(*argv,"-s_cert") == 0)
689 {
690 if (--argc < 1) goto bad;
691 server_cert= *(++argv);
692 }
693 else if (strcmp(*argv,"-key") == 0)
694 {
695 if (--argc < 1) goto bad;
696 server_key= *(++argv);
697 }
698 else if (strcmp(*argv,"-s_key") == 0)
699 {
700 if (--argc < 1) goto bad;
701 server_key= *(++argv);
702 }
703 else if (strcmp(*argv,"-c_cert") == 0)
704 {
705 if (--argc < 1) goto bad;
706 client_cert= *(++argv);
707 }
708 else if (strcmp(*argv,"-c_key") == 0)
709 {
710 if (--argc < 1) goto bad;
711 client_key= *(++argv);
712 }
713 else if (strcmp(*argv,"-cipher") == 0)
714 {
715 if (--argc < 1) goto bad;
716 cipher= *(++argv);
717 }
718 else if (strcmp(*argv,"-CApath") == 0)
719 {
720 if (--argc < 1) goto bad;
721 CApath= *(++argv);
722 }
723 else if (strcmp(*argv,"-CAfile") == 0)
724 {
725 if (--argc < 1) goto bad;
726 CAfile= *(++argv);
727 }
728 else if (strcmp(*argv,"-bio_pair") == 0)
729 {
730 bio_pair = 1;
731 }
732 else if (strcmp(*argv,"-f") == 0)
733 {
734 force = 1;
735 }
736 else if (strcmp(*argv,"-time") == 0)
737 {
738 print_time = 1;
739 }
740 else if (strcmp(*argv,"-zlib") == 0)
741 {
742 comp = COMP_ZLIB;
743 }
744 else if (strcmp(*argv,"-rle") == 0)
745 {
746 comp = COMP_RLE;
747 }
748 else if (strcmp(*argv,"-named_curve") == 0)
749 {
750 if (--argc < 1) goto bad;
751 #ifndef OPENSSL_NO_ECDH
752 named_curve = *(++argv);
753 #else
754 fprintf(stderr,"ignoring -named_curve, since I'm compile d without ECDH\n");
755 ++argv;
756 #endif
757 }
758 else if (strcmp(*argv,"-app_verify") == 0)
759 {
760 app_verify_arg.app_verify = 1;
761 }
762 else if (strcmp(*argv,"-proxy") == 0)
763 {
764 app_verify_arg.allow_proxy_certs = 1;
765 }
766 else if (strcmp(*argv,"-test_cipherlist") == 0)
767 {
768 test_cipherlist = 1;
769 }
770 else if (strcmp(*argv, "-cutthrough") == 0)
771 {
772 cutthrough = 1;
773 }
774 else
775 {
776 fprintf(stderr,"unknown option %s\n",*argv);
777 badop=1;
778 break;
779 }
780 argc--;
781 argv++;
782 }
783 if (badop)
784 {
785 bad:
786 sv_usage();
787 goto end;
788 }
789
790 if (test_cipherlist == 1)
791 {
792 /* ensure that the cipher list are correctly sorted and exit */
793 if (do_test_cipherlist() == 0)
794 EXIT(1);
795 ret = 0;
796 goto end;
797 }
798
799 if (!ssl2 && !ssl3 && !tls1 && number > 1 && !reuse && !force)
800 {
801 fprintf(stderr, "This case cannot work. Use -f to perform "
802 "the test anyway (and\n-d to see what happens), "
803 "or add one of -ssl2, -ssl3, -tls1, -reuse\n"
804 "to avoid protocol mismatch.\n");
805 EXIT(1);
806 }
807
808 #ifdef OPENSSL_FIPS
809 if(fips_mode)
810 {
811 if(!FIPS_mode_set(1))
812 {
813 ERR_load_crypto_strings();
814 ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
815 EXIT(1);
816 }
817 else
818 fprintf(stderr,"*** IN FIPS MODE ***\n");
819 }
820 #endif
821
822 if (print_time)
823 {
824 if (!bio_pair)
825 {
826 fprintf(stderr, "Using BIO pair (-bio_pair)\n");
827 bio_pair = 1;
828 }
829 if (number < 50 && !force)
830 fprintf(stderr, "Warning: For accurate timings, use more connections (e.g. -num 1000)\n");
831 }
832
833 /* if (cipher == NULL) cipher=getenv("SSL_CIPHER"); */
834
835 SSL_library_init();
836 SSL_load_error_strings();
837
838 #ifndef OPENSSL_NO_COMP
839 if (comp == COMP_ZLIB) cm = COMP_zlib();
840 if (comp == COMP_RLE) cm = COMP_rle();
841 if (cm != NULL)
842 {
843 if (cm->type != NID_undef)
844 {
845 if (SSL_COMP_add_compression_method(comp, cm) != 0)
846 {
847 fprintf(stderr,
848 "Failed to add compression method\n");
849 ERR_print_errors_fp(stderr);
850 }
851 }
852 else
853 {
854 fprintf(stderr,
855 "Warning: %s compression not supported\n",
856 (comp == COMP_RLE ? "rle" :
857 (comp == COMP_ZLIB ? "zlib" :
858 "unknown")));
859 ERR_print_errors_fp(stderr);
860 }
861 }
862 ssl_comp_methods = SSL_COMP_get_compression_methods();
863 fprintf(stderr, "Available compression methods:\n");
864 {
865 int j, n = sk_SSL_COMP_num(ssl_comp_methods);
866 if (n == 0)
867 fprintf(stderr, " NONE\n");
868 else
869 for (j = 0; j < n; j++)
870 {
871 SSL_COMP *c = sk_SSL_COMP_value(ssl_comp_methods, j);
872 fprintf(stderr, " %d: %s\n", c->id, c->name);
873 }
874 }
875 #endif
876
877 #if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
878 if (ssl2)
879 meth=SSLv2_method();
880 else
881 if (tls1)
882 meth=TLSv1_method();
883 else
884 if (ssl3)
885 meth=SSLv3_method();
886 else
887 meth=SSLv23_method();
888 #else
889 #ifdef OPENSSL_NO_SSL2
890 meth=SSLv3_method();
891 #else
892 meth=SSLv2_method();
893 #endif
894 #endif
895
896 c_ctx=SSL_CTX_new(meth);
897 s_ctx=SSL_CTX_new(meth);
898 if ((c_ctx == NULL) || (s_ctx == NULL))
899 {
900 ERR_print_errors(bio_err);
901 goto end;
902 }
903
904 if (cipher != NULL)
905 {
906 SSL_CTX_set_cipher_list(c_ctx,cipher);
907 SSL_CTX_set_cipher_list(s_ctx,cipher);
908 }
909 if (cutthrough)
910 {
911 int ssl_mode = SSL_CTX_get_mode(c_ctx);
912 ssl_mode |= SSL_MODE_HANDSHAKE_CUTTHROUGH;
913 SSL_CTX_set_mode(c_ctx, ssl_mode);
914 }
915
916 #ifndef OPENSSL_NO_DH
917 if (!no_dhe)
918 {
919 if (dhe1024dsa)
920 {
921 /* use SSL_OP_SINGLE_DH_USE to avoid small subgroup atta cks */
922 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);
923 dh=get_dh1024dsa();
924 }
925 else if (dhe1024)
926 dh=get_dh1024();
927 else
928 dh=get_dh512();
929 SSL_CTX_set_tmp_dh(s_ctx,dh);
930 DH_free(dh);
931 }
932 #else
933 (void)no_dhe;
934 #endif
935
936 #ifndef OPENSSL_NO_ECDH
937 if (!no_ecdhe)
938 {
939 int nid;
940
941 if (named_curve != NULL)
942 {
943 nid = OBJ_sn2nid(named_curve);
944 if (nid == 0)
945 {
946 BIO_printf(bio_err, "unknown curve name (%s)\n", named_curve);
947 goto end;
948 }
949 }
950 else
951 #ifdef OPENSSL_NO_EC2M
952 nid = NID_X9_62_prime256v1;
953 #else
954 nid = NID_sect163r2;
955 #endif
956
957 ecdh = EC_KEY_new_by_curve_name(nid);
958 if (ecdh == NULL)
959 {
960 BIO_printf(bio_err, "unable to create curve\n");
961 goto end;
962 }
963
964 SSL_CTX_set_tmp_ecdh(s_ctx, ecdh);
965 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_ECDH_USE);
966 EC_KEY_free(ecdh);
967 }
968 #else
969 (void)no_ecdhe;
970 #endif
971
972 #ifndef OPENSSL_NO_RSA
973 SSL_CTX_set_tmp_rsa_callback(s_ctx,tmp_rsa_cb);
974 #endif
975
976 #ifdef TLSEXT_TYPE_opaque_prf_input
977 SSL_CTX_set_tlsext_opaque_prf_input_callback(c_ctx, opaque_prf_input_cb) ;
978 SSL_CTX_set_tlsext_opaque_prf_input_callback(s_ctx, opaque_prf_input_cb) ;
979 SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(c_ctx, &co1); /* or &co 2 or NULL */
980 SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(s_ctx, &so1); /* or &so 2 or NULL */
981 #endif
982
983 if (!SSL_CTX_use_certificate_file(s_ctx,server_cert,SSL_FILETYPE_PEM))
984 {
985 ERR_print_errors(bio_err);
986 }
987 else if (!SSL_CTX_use_PrivateKey_file(s_ctx,
988 (server_key?server_key:server_cert), SSL_FILETYPE_PEM))
989 {
990 ERR_print_errors(bio_err);
991 goto end;
992 }
993
994 if (client_auth)
995 {
996 SSL_CTX_use_certificate_file(c_ctx,client_cert,
997 SSL_FILETYPE_PEM);
998 SSL_CTX_use_PrivateKey_file(c_ctx,
999 (client_key?client_key:client_cert),
1000 SSL_FILETYPE_PEM);
1001 }
1002
1003 if ( (!SSL_CTX_load_verify_locations(s_ctx,CAfile,CApath)) ||
1004 (!SSL_CTX_set_default_verify_paths(s_ctx)) ||
1005 (!SSL_CTX_load_verify_locations(c_ctx,CAfile,CApath)) ||
1006 (!SSL_CTX_set_default_verify_paths(c_ctx)))
1007 {
1008 /* fprintf(stderr,"SSL_load_verify_locations\n"); */
1009 ERR_print_errors(bio_err);
1010 /* goto end; */
1011 }
1012
1013 if (client_auth)
1014 {
1015 BIO_printf(bio_err,"client authentication\n");
1016 SSL_CTX_set_verify(s_ctx,
1017 SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
1018 verify_callback);
1019 SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, &ap p_verify_arg);
1020 }
1021 if (server_auth)
1022 {
1023 BIO_printf(bio_err,"server authentication\n");
1024 SSL_CTX_set_verify(c_ctx,SSL_VERIFY_PEER,
1025 verify_callback);
1026 SSL_CTX_set_cert_verify_callback(c_ctx, app_verify_callback, &ap p_verify_arg);
1027 }
1028
1029 {
1030 int session_id_context = 0;
1031 SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_contex t, sizeof session_id_context);
1032 }
1033
1034 /* Use PSK only if PSK key is given */
1035 if (psk_key != NULL)
1036 {
1037 /* no_psk is used to avoid putting psk command to openssl tool * /
1038 if (no_psk)
1039 {
1040 /* if PSK is not compiled in and psk key is
1041 * given, do nothing and exit successfully */
1042 ret=0;
1043 goto end;
1044 }
1045 #ifndef OPENSSL_NO_PSK
1046 SSL_CTX_set_psk_client_callback(c_ctx, psk_client_callback);
1047 SSL_CTX_set_psk_server_callback(s_ctx, psk_server_callback);
1048 if (debug)
1049 BIO_printf(bio_err,"setting PSK identity hint to s_ctx\n ");
1050 if (!SSL_CTX_use_psk_identity_hint(s_ctx, "ctx server identity_h int"))
1051 {
1052 BIO_printf(bio_err,"error setting PSK identity hint to s _ctx\n");
1053 ERR_print_errors(bio_err);
1054 goto end;
1055 }
1056 #endif
1057 }
1058 #ifndef OPENSSL_NO_SRP
1059 if (srp_client_arg.srplogin)
1060 {
1061 if (!SSL_CTX_set_srp_username(c_ctx, srp_client_arg.srplogin))
1062 {
1063 BIO_printf(bio_err,"Unable to set SRP username\n");
1064 goto end;
1065 }
1066 SSL_CTX_set_srp_cb_arg(c_ctx,&srp_client_arg);
1067 SSL_CTX_set_srp_client_pwd_callback(c_ctx, ssl_give_srp_client_p wd_cb);
1068 /*SSL_CTX_set_srp_strength(c_ctx, srp_client_arg.strength);*/
1069 }
1070
1071 if (srp_server_arg.expected_user != NULL)
1072 {
1073 SSL_CTX_set_verify(s_ctx,SSL_VERIFY_NONE,verify_callback);
1074 SSL_CTX_set_srp_cb_arg(s_ctx, &srp_server_arg);
1075 SSL_CTX_set_srp_username_callback(s_ctx, ssl_srp_server_param_cb );
1076 }
1077 #endif
1078
1079 c_ssl=SSL_new(c_ctx);
1080 s_ssl=SSL_new(s_ctx);
1081
1082 #ifndef OPENSSL_NO_KRB5
1083 if (c_ssl && c_ssl->kssl_ctx)
1084 {
1085 char localhost[MAXHOSTNAMELEN+2];
1086
1087 if (gethostname(localhost, sizeof localhost-1) == 0)
1088 {
1089 localhost[sizeof localhost-1]='\0';
1090 if(strlen(localhost) == sizeof localhost-1)
1091 {
1092 BIO_printf(bio_err,"localhost name too long\n");
1093 goto end;
1094 }
1095 kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER,
1096 localhost);
1097 }
1098 }
1099 #endif /* OPENSSL_NO_KRB5 */
1100
1101 for (i=0; i<number; i++)
1102 {
1103 if (!reuse) SSL_set_session(c_ssl,NULL);
1104 if (bio_pair)
1105 ret=doit_biopair(s_ssl,c_ssl,bytes,&s_time,&c_time);
1106 else
1107 ret=doit(s_ssl,c_ssl,bytes);
1108 }
1109
1110 if (!verbose)
1111 {
1112 print_details(c_ssl, "");
1113 }
1114 if ((number > 1) || (bytes > 1L))
1115 BIO_printf(bio_stdout, "%d handshakes of %ld bytes done\n",numbe r,bytes);
1116 if (print_time)
1117 {
1118 #ifdef CLOCKS_PER_SEC
1119 /* "To determine the time in seconds, the value returned
1120 * by the clock function should be divided by the value
1121 * of the macro CLOCKS_PER_SEC."
1122 * -- ISO/IEC 9899 */
1123 BIO_printf(bio_stdout, "Approximate total server time: %6.2f s\n "
1124 "Approximate total client time: %6.2f s\n",
1125 (double)s_time/CLOCKS_PER_SEC,
1126 (double)c_time/CLOCKS_PER_SEC);
1127 #else
1128 /* "`CLOCKS_PER_SEC' undeclared (first use this function)"
1129 * -- cc on NeXTstep/OpenStep */
1130 BIO_printf(bio_stdout,
1131 "Approximate total server time: %6.2f units\n"
1132 "Approximate total client time: %6.2f units\n",
1133 (double)s_time,
1134 (double)c_time);
1135 #endif
1136 }
1137
1138 SSL_free(s_ssl);
1139 SSL_free(c_ssl);
1140
1141 end:
1142 if (s_ctx != NULL) SSL_CTX_free(s_ctx);
1143 if (c_ctx != NULL) SSL_CTX_free(c_ctx);
1144
1145 if (bio_stdout != NULL) BIO_free(bio_stdout);
1146
1147 #ifndef OPENSSL_NO_RSA
1148 free_tmp_rsa();
1149 #endif
1150 #ifndef OPENSSL_NO_ENGINE
1151 ENGINE_cleanup();
1152 #endif
1153 CRYPTO_cleanup_all_ex_data();
1154 ERR_free_strings();
1155 ERR_remove_thread_state(NULL);
1156 EVP_cleanup();
1157 CRYPTO_mem_leaks(bio_err);
1158 if (bio_err != NULL) BIO_free(bio_err);
1159 EXIT(ret);
1160 return ret;
1161 }
1162
1163 int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count,
1164 clock_t *s_time, clock_t *c_time)
1165 {
1166 long cw_num = count, cr_num = count, sw_num = count, sr_num = count;
1167 BIO *s_ssl_bio = NULL, *c_ssl_bio = NULL;
1168 BIO *server = NULL, *server_io = NULL, *client = NULL, *client_io = NULL ;
1169 int ret = 1;
1170
1171 size_t bufsiz = 256; /* small buffer for testing */
1172
1173 if (!BIO_new_bio_pair(&server, bufsiz, &server_io, bufsiz))
1174 goto err;
1175 if (!BIO_new_bio_pair(&client, bufsiz, &client_io, bufsiz))
1176 goto err;
1177
1178 s_ssl_bio = BIO_new(BIO_f_ssl());
1179 if (!s_ssl_bio)
1180 goto err;
1181
1182 c_ssl_bio = BIO_new(BIO_f_ssl());
1183 if (!c_ssl_bio)
1184 goto err;
1185
1186 SSL_set_connect_state(c_ssl);
1187 SSL_set_bio(c_ssl, client, client);
1188 (void)BIO_set_ssl(c_ssl_bio, c_ssl, BIO_NOCLOSE);
1189
1190 SSL_set_accept_state(s_ssl);
1191 SSL_set_bio(s_ssl, server, server);
1192 (void)BIO_set_ssl(s_ssl_bio, s_ssl, BIO_NOCLOSE);
1193
1194 do
1195 {
1196 /* c_ssl_bio: SSL filter BIO
1197 *
1198 * client: pseudo-I/O for SSL library
1199 *
1200 * client_io: client's SSL communication; usually to be
1201 * relayed over some I/O facility, but in th is
1202 * test program, we're the server, too:
1203 *
1204 * server_io: server's SSL communication
1205 *
1206 * server: pseudo-I/O for SSL library
1207 *
1208 * s_ssl_bio: SSL filter BIO
1209 *
1210 * The client and the server each employ a "BIO pair":
1211 * client + client_io, server + server_io.
1212 * BIO pairs are symmetric. A BIO pair behaves similar
1213 * to a non-blocking socketpair (but both endpoints must
1214 * be handled by the same thread).
1215 * [Here we could connect client and server to the ends
1216 * of a single BIO pair, but then this code would be less
1217 * suitable as an example for BIO pairs in general.]
1218 *
1219 * Useful functions for querying the state of BIO pair endpoints :
1220 *
1221 * BIO_ctrl_pending(bio) number of bytes we can rea d now
1222 * BIO_ctrl_get_read_request(bio) number of bytes needed to fulfil
1223 * other side's read attemp t
1224 * BIO_ctrl_get_write_guarantee(bio) number of bytes we can wr ite now
1225 *
1226 * ..._read_request is never more than ..._write_guarantee;
1227 * it depends on the application which one you should use.
1228 */
1229
1230 /* We have non-blocking behaviour throughout this test program, but
1231 * can be sure that there is *some* progress in each iteration; so
1232 * we don't have to worry about ..._SHOULD_READ or ..._SHOULD_WR ITE
1233 * -- we just try everything in each iteration
1234 */
1235
1236 {
1237 /* CLIENT */
1238
1239 MS_STATIC char cbuf[1024*8];
1240 int i, r;
1241 clock_t c_clock = clock();
1242
1243 memset(cbuf, 0, sizeof(cbuf));
1244
1245 if (debug)
1246 if (SSL_in_init(c_ssl))
1247 printf("client waiting in SSL_connect - %s\n",
1248 SSL_state_string_long(c_ssl));
1249
1250 if (cw_num > 0)
1251 {
1252 /* Write to server. */
1253
1254 if (cw_num > (long)sizeof cbuf)
1255 i = sizeof cbuf;
1256 else
1257 i = (int)cw_num;
1258 r = BIO_write(c_ssl_bio, cbuf, i);
1259 if (r < 0)
1260 {
1261 if (!BIO_should_retry(c_ssl_bio))
1262 {
1263 fprintf(stderr,"ERROR in CLIENT\ n");
1264 goto err;
1265 }
1266 /* BIO_should_retry(...) can just be ign ored here.
1267 * The library expects us to call BIO_wr ite with
1268 * the same arguments again, and that's what we will
1269 * do in the next iteration. */
1270 }
1271 else if (r == 0)
1272 {
1273 fprintf(stderr,"SSL CLIENT STARTUP FAILE D\n");
1274 goto err;
1275 }
1276 else
1277 {
1278 if (debug)
1279 printf("client wrote %d\n", r);
1280 cw_num -= r;
1281 }
1282 }
1283
1284 if (cr_num > 0)
1285 {
1286 /* Read from server. */
1287
1288 r = BIO_read(c_ssl_bio, cbuf, sizeof(cbuf));
1289 if (r < 0)
1290 {
1291 if (!BIO_should_retry(c_ssl_bio))
1292 {
1293 fprintf(stderr,"ERROR in CLIENT\ n");
1294 goto err;
1295 }
1296 /* Again, "BIO_should_retry" can be igno red. */
1297 }
1298 else if (r == 0)
1299 {
1300 fprintf(stderr,"SSL CLIENT STARTUP FAILE D\n");
1301 goto err;
1302 }
1303 else
1304 {
1305 if (debug)
1306 printf("client read %d\n", r);
1307 cr_num -= r;
1308 }
1309 }
1310
1311 /* c_time and s_time increments will typically be very s mall
1312 * (depending on machine speed and clock tick intervals) ,
1313 * but sampling over a large number of connections shoul d
1314 * result in fairly accurate figures. We cannot guarant ee
1315 * a lot, however -- if each connection lasts for exactl y
1316 * one clock tick, it will be counted only for the clien t
1317 * or only for the server or even not at all.
1318 */
1319 *c_time += (clock() - c_clock);
1320 }
1321
1322 {
1323 /* SERVER */
1324
1325 MS_STATIC char sbuf[1024*8];
1326 int i, r;
1327 clock_t s_clock = clock();
1328
1329 memset(sbuf, 0, sizeof(sbuf));
1330
1331 if (debug)
1332 if (SSL_in_init(s_ssl))
1333 printf("server waiting in SSL_accept - % s\n",
1334 SSL_state_string_long(s_ssl));
1335
1336 if (sw_num > 0)
1337 {
1338 /* Write to client. */
1339
1340 if (sw_num > (long)sizeof sbuf)
1341 i = sizeof sbuf;
1342 else
1343 i = (int)sw_num;
1344 r = BIO_write(s_ssl_bio, sbuf, i);
1345 if (r < 0)
1346 {
1347 if (!BIO_should_retry(s_ssl_bio))
1348 {
1349 fprintf(stderr,"ERROR in SERVER\ n");
1350 goto err;
1351 }
1352 /* Ignore "BIO_should_retry". */
1353 }
1354 else if (r == 0)
1355 {
1356 fprintf(stderr,"SSL SERVER STARTUP FAILE D\n");
1357 goto err;
1358 }
1359 else
1360 {
1361 if (debug)
1362 printf("server wrote %d\n", r);
1363 sw_num -= r;
1364 }
1365 }
1366
1367 if (sr_num > 0)
1368 {
1369 /* Read from client. */
1370
1371 r = BIO_read(s_ssl_bio, sbuf, sizeof(sbuf));
1372 if (r < 0)
1373 {
1374 if (!BIO_should_retry(s_ssl_bio))
1375 {
1376 fprintf(stderr,"ERROR in SERVER\ n");
1377 goto err;
1378 }
1379 /* blah, blah */
1380 }
1381 else if (r == 0)
1382 {
1383 fprintf(stderr,"SSL SERVER STARTUP FAILE D\n");
1384 goto err;
1385 }
1386 else
1387 {
1388 if (debug)
1389 printf("server read %d\n", r);
1390 sr_num -= r;
1391 }
1392 }
1393
1394 *s_time += (clock() - s_clock);
1395 }
1396
1397 {
1398 /* "I/O" BETWEEN CLIENT AND SERVER. */
1399
1400 size_t r1, r2;
1401 BIO *io1 = server_io, *io2 = client_io;
1402 /* we use the non-copying interface for io1
1403 * and the standard BIO_write/BIO_read interface for io2
1404 */
1405
1406 static int prev_progress = 1;
1407 int progress = 0;
1408
1409 /* io1 to io2 */
1410 do
1411 {
1412 size_t num;
1413 int r;
1414
1415 r1 = BIO_ctrl_pending(io1);
1416 r2 = BIO_ctrl_get_write_guarantee(io2);
1417
1418 num = r1;
1419 if (r2 < num)
1420 num = r2;
1421 if (num)
1422 {
1423 char *dataptr;
1424
1425 if (INT_MAX < num) /* yeah, right */
1426 num = INT_MAX;
1427
1428 r = BIO_nread(io1, &dataptr, (int)num);
1429 assert(r > 0);
1430 assert(r <= (int)num);
1431 /* possibly r < num (non-contiguous data ) */
1432 num = r;
1433 r = BIO_write(io2, dataptr, (int)num);
1434 if (r != (int)num) /* can't happen */
1435 {
1436 fprintf(stderr, "ERROR: BIO_writ e could not write "
1437 "BIO_ctrl_get_write_guar antee() bytes");
1438 goto err;
1439 }
1440 progress = 1;
1441
1442 if (debug)
1443 printf((io1 == client_io) ?
1444 "C->S relaying: %d bytes \n" :
1445 "S->C relaying: %d bytes \n",
1446 (int)num);
1447 }
1448 }
1449 while (r1 && r2);
1450
1451 /* io2 to io1 */
1452 {
1453 size_t num;
1454 int r;
1455
1456 r1 = BIO_ctrl_pending(io2);
1457 r2 = BIO_ctrl_get_read_request(io1);
1458 /* here we could use ..._get_write_guarantee ins tead of
1459 * ..._get_read_request, but by using the latter
1460 * we test restartability of the SSL implementat ion
1461 * more thoroughly */
1462 num = r1;
1463 if (r2 < num)
1464 num = r2;
1465 if (num)
1466 {
1467 char *dataptr;
1468
1469 if (INT_MAX < num)
1470 num = INT_MAX;
1471
1472 if (num > 1)
1473 --num; /* test restartability ev en more thoroughly */
1474
1475 r = BIO_nwrite0(io1, &dataptr);
1476 assert(r > 0);
1477 if (r < (int)num)
1478 num = r;
1479 r = BIO_read(io2, dataptr, (int)num);
1480 if (r != (int)num) /* can't happen */
1481 {
1482 fprintf(stderr, "ERROR: BIO_read could not read "
1483 "BIO_ctrl_pending() byte s");
1484 goto err;
1485 }
1486 progress = 1;
1487 r = BIO_nwrite(io1, &dataptr, (int)num);
1488 if (r != (int)num) /* can't happen */
1489 {
1490 fprintf(stderr, "ERROR: BIO_nwri te() did not accept "
1491 "BIO_nwrite0() bytes");
1492 goto err;
1493 }
1494
1495 if (debug)
1496 printf((io2 == client_io) ?
1497 "C->S relaying: %d bytes \n" :
1498 "S->C relaying: %d bytes \n",
1499 (int)num);
1500 }
1501 } /* no loop, BIO_ctrl_get_read_request now returns 0 an yway */
1502
1503 if (!progress && !prev_progress)
1504 if (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr _num > 0)
1505 {
1506 fprintf(stderr, "ERROR: got stuck\n");
1507 if (strcmp("SSLv2", SSL_get_version(c_ss l)) == 0)
1508 {
1509 fprintf(stderr, "This can happen for SSL2 because "
1510 "CLIENT-FINISHED and SER VER-VERIFY are written \n"
1511 "concurrently ...");
1512 if (strncmp("2SCF", SSL_state_st ring(c_ssl), 4) == 0
1513 && strncmp("2SSV", SSL_s tate_string(s_ssl), 4) == 0)
1514 {
1515 fprintf(stderr, " ok.\n" );
1516 goto end;
1517 }
1518 }
1519 fprintf(stderr, " ERROR.\n");
1520 goto err;
1521 }
1522 prev_progress = progress;
1523 }
1524 }
1525 while (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0);
1526
1527 if (verbose)
1528 print_details(c_ssl, "DONE via BIO pair: ");
1529 end:
1530 ret = 0;
1531
1532 err:
1533 ERR_print_errors(bio_err);
1534
1535 if (server)
1536 BIO_free(server);
1537 if (server_io)
1538 BIO_free(server_io);
1539 if (client)
1540 BIO_free(client);
1541 if (client_io)
1542 BIO_free(client_io);
1543 if (s_ssl_bio)
1544 BIO_free(s_ssl_bio);
1545 if (c_ssl_bio)
1546 BIO_free(c_ssl_bio);
1547
1548 return ret;
1549 }
1550
1551
1552 #define W_READ 1
1553 #define W_WRITE 2
1554 #define C_DONE 1
1555 #define S_DONE 2
1556
1557 int doit(SSL *s_ssl, SSL *c_ssl, long count)
1558 {
1559 MS_STATIC char cbuf[1024*8],sbuf[1024*8];
1560 long cw_num=count,cr_num=count;
1561 long sw_num=count,sr_num=count;
1562 int ret=1;
1563 BIO *c_to_s=NULL;
1564 BIO *s_to_c=NULL;
1565 BIO *c_bio=NULL;
1566 BIO *s_bio=NULL;
1567 int c_r,c_w,s_r,s_w;
1568 int i,j;
1569 int done=0;
1570 int c_write,s_write;
1571 int do_server=0,do_client=0;
1572
1573 memset(cbuf,0,sizeof(cbuf));
1574 memset(sbuf,0,sizeof(sbuf));
1575
1576 c_to_s=BIO_new(BIO_s_mem());
1577 s_to_c=BIO_new(BIO_s_mem());
1578 if ((s_to_c == NULL) || (c_to_s == NULL))
1579 {
1580 ERR_print_errors(bio_err);
1581 goto err;
1582 }
1583
1584 c_bio=BIO_new(BIO_f_ssl());
1585 s_bio=BIO_new(BIO_f_ssl());
1586 if ((c_bio == NULL) || (s_bio == NULL))
1587 {
1588 ERR_print_errors(bio_err);
1589 goto err;
1590 }
1591
1592 SSL_set_connect_state(c_ssl);
1593 SSL_set_bio(c_ssl,s_to_c,c_to_s);
1594 BIO_set_ssl(c_bio,c_ssl,BIO_NOCLOSE);
1595
1596 SSL_set_accept_state(s_ssl);
1597 SSL_set_bio(s_ssl,c_to_s,s_to_c);
1598 BIO_set_ssl(s_bio,s_ssl,BIO_NOCLOSE);
1599
1600 c_r=0; s_r=1;
1601 c_w=1; s_w=0;
1602 c_write=1,s_write=0;
1603
1604 /* We can always do writes */
1605 for (;;)
1606 {
1607 do_server=0;
1608 do_client=0;
1609
1610 i=(int)BIO_pending(s_bio);
1611 if ((i && s_r) || s_w) do_server=1;
1612
1613 i=(int)BIO_pending(c_bio);
1614 if ((i && c_r) || c_w) do_client=1;
1615
1616 if (do_server && debug)
1617 {
1618 if (SSL_in_init(s_ssl))
1619 printf("server waiting in SSL_accept - %s\n",
1620 SSL_state_string_long(s_ssl));
1621 /* else if (s_write)
1622 printf("server:SSL_write()\n");
1623 else
1624 printf("server:SSL_read()\n"); */
1625 }
1626
1627 if (do_client && debug)
1628 {
1629 if (SSL_in_init(c_ssl))
1630 printf("client waiting in SSL_connect - %s\n",
1631 SSL_state_string_long(c_ssl));
1632 /* else if (c_write)
1633 printf("client:SSL_write()\n");
1634 else
1635 printf("client:SSL_read()\n"); */
1636 }
1637
1638 if (!do_client && !do_server)
1639 {
1640 fprintf(stdout,"ERROR IN STARTUP\n");
1641 ERR_print_errors(bio_err);
1642 break;
1643 }
1644 if (do_client && !(done & C_DONE))
1645 {
1646 if (c_write)
1647 {
1648 j = (cw_num > (long)sizeof(cbuf)) ?
1649 (int)sizeof(cbuf) : (int)cw_num;
1650 i=BIO_write(c_bio,cbuf,j);
1651 if (i < 0)
1652 {
1653 c_r=0;
1654 c_w=0;
1655 if (BIO_should_retry(c_bio))
1656 {
1657 if (BIO_should_read(c_bio))
1658 c_r=1;
1659 if (BIO_should_write(c_bio))
1660 c_w=1;
1661 }
1662 else
1663 {
1664 fprintf(stderr,"ERROR in CLIENT\ n");
1665 ERR_print_errors(bio_err);
1666 goto err;
1667 }
1668 }
1669 else if (i == 0)
1670 {
1671 fprintf(stderr,"SSL CLIENT STARTUP FAILE D\n");
1672 goto err;
1673 }
1674 else
1675 {
1676 if (debug)
1677 printf("client wrote %d\n",i);
1678 /* ok */
1679 s_r=1;
1680 c_write=0;
1681 cw_num-=i;
1682 }
1683 }
1684 else
1685 {
1686 i=BIO_read(c_bio,cbuf,sizeof(cbuf));
1687 if (i < 0)
1688 {
1689 c_r=0;
1690 c_w=0;
1691 if (BIO_should_retry(c_bio))
1692 {
1693 if (BIO_should_read(c_bio))
1694 c_r=1;
1695 if (BIO_should_write(c_bio))
1696 c_w=1;
1697 }
1698 else
1699 {
1700 fprintf(stderr,"ERROR in CLIENT\ n");
1701 ERR_print_errors(bio_err);
1702 goto err;
1703 }
1704 }
1705 else if (i == 0)
1706 {
1707 fprintf(stderr,"SSL CLIENT STARTUP FAILE D\n");
1708 goto err;
1709 }
1710 else
1711 {
1712 if (debug)
1713 printf("client read %d\n",i);
1714 cr_num-=i;
1715 if (sw_num > 0)
1716 {
1717 s_write=1;
1718 s_w=1;
1719 }
1720 if (cr_num <= 0)
1721 {
1722 s_write=1;
1723 s_w=1;
1724 done=S_DONE|C_DONE;
1725 }
1726 }
1727 }
1728 }
1729
1730 if (do_server && !(done & S_DONE))
1731 {
1732 if (!s_write)
1733 {
1734 i=BIO_read(s_bio,sbuf,sizeof(cbuf));
1735 if (i < 0)
1736 {
1737 s_r=0;
1738 s_w=0;
1739 if (BIO_should_retry(s_bio))
1740 {
1741 if (BIO_should_read(s_bio))
1742 s_r=1;
1743 if (BIO_should_write(s_bio))
1744 s_w=1;
1745 }
1746 else
1747 {
1748 fprintf(stderr,"ERROR in SERVER\ n");
1749 ERR_print_errors(bio_err);
1750 goto err;
1751 }
1752 }
1753 else if (i == 0)
1754 {
1755 ERR_print_errors(bio_err);
1756 fprintf(stderr,"SSL SERVER STARTUP FAILE D in SSL_read\n");
1757 goto err;
1758 }
1759 else
1760 {
1761 if (debug)
1762 printf("server read %d\n",i);
1763 sr_num-=i;
1764 if (cw_num > 0)
1765 {
1766 c_write=1;
1767 c_w=1;
1768 }
1769 if (sr_num <= 0)
1770 {
1771 s_write=1;
1772 s_w=1;
1773 c_write=0;
1774 }
1775 }
1776 }
1777 else
1778 {
1779 j = (sw_num > (long)sizeof(sbuf)) ?
1780 (int)sizeof(sbuf) : (int)sw_num;
1781 i=BIO_write(s_bio,sbuf,j);
1782 if (i < 0)
1783 {
1784 s_r=0;
1785 s_w=0;
1786 if (BIO_should_retry(s_bio))
1787 {
1788 if (BIO_should_read(s_bio))
1789 s_r=1;
1790 if (BIO_should_write(s_bio))
1791 s_w=1;
1792 }
1793 else
1794 {
1795 fprintf(stderr,"ERROR in SERVER\ n");
1796 ERR_print_errors(bio_err);
1797 goto err;
1798 }
1799 }
1800 else if (i == 0)
1801 {
1802 ERR_print_errors(bio_err);
1803 fprintf(stderr,"SSL SERVER STARTUP FAILE D in SSL_write\n");
1804 goto err;
1805 }
1806 else
1807 {
1808 if (debug)
1809 printf("server wrote %d\n",i);
1810 sw_num-=i;
1811 s_write=0;
1812 c_r=1;
1813 if (sw_num <= 0)
1814 done|=S_DONE;
1815 }
1816 }
1817 }
1818
1819 if ((done & S_DONE) && (done & C_DONE)) break;
1820 }
1821
1822 if (verbose)
1823 print_details(c_ssl, "DONE: ");
1824 ret=0;
1825 err:
1826 /* We have to set the BIO's to NULL otherwise they will be
1827 * OPENSSL_free()ed twice. Once when th s_ssl is SSL_free()ed and
1828 * again when c_ssl is SSL_free()ed.
1829 * This is a hack required because s_ssl and c_ssl are sharing the same
1830 * BIO structure and SSL_set_bio() and SSL_free() automatically
1831 * BIO_free non NULL entries.
1832 * You should not normally do this or be required to do this */
1833 if (s_ssl != NULL)
1834 {
1835 s_ssl->rbio=NULL;
1836 s_ssl->wbio=NULL;
1837 }
1838 if (c_ssl != NULL)
1839 {
1840 c_ssl->rbio=NULL;
1841 c_ssl->wbio=NULL;
1842 }
1843
1844 if (c_to_s != NULL) BIO_free(c_to_s);
1845 if (s_to_c != NULL) BIO_free(s_to_c);
1846 if (c_bio != NULL) BIO_free_all(c_bio);
1847 if (s_bio != NULL) BIO_free_all(s_bio);
1848 return(ret);
1849 }
1850
1851 static int get_proxy_auth_ex_data_idx(void)
1852 {
1853 static volatile int idx = -1;
1854 if (idx < 0)
1855 {
1856 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
1857 if (idx < 0)
1858 {
1859 idx = X509_STORE_CTX_get_ex_new_index(0,
1860 "SSLtest for verify callback", NULL,NULL,NULL);
1861 }
1862 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
1863 }
1864 return idx;
1865 }
1866
1867 static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
1868 {
1869 char *s,buf[256];
1870
1871 s=X509_NAME_oneline(X509_get_subject_name(ctx->current_cert),buf,
1872 sizeof buf);
1873 if (s != NULL)
1874 {
1875 if (ok)
1876 fprintf(stderr,"depth=%d %s\n",
1877 ctx->error_depth,buf);
1878 else
1879 {
1880 fprintf(stderr,"depth=%d error=%d %s\n",
1881 ctx->error_depth,ctx->error,buf);
1882 }
1883 }
1884
1885 if (ok == 0)
1886 {
1887 fprintf(stderr,"Error string: %s\n",
1888 X509_verify_cert_error_string(ctx->error));
1889 switch (ctx->error)
1890 {
1891 case X509_V_ERR_CERT_NOT_YET_VALID:
1892 case X509_V_ERR_CERT_HAS_EXPIRED:
1893 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
1894 fprintf(stderr," ... ignored.\n");
1895 ok=1;
1896 }
1897 }
1898
1899 if (ok == 1)
1900 {
1901 X509 *xs = ctx->current_cert;
1902 #if 0
1903 X509 *xi = ctx->current_issuer;
1904 #endif
1905
1906 if (xs->ex_flags & EXFLAG_PROXY)
1907 {
1908 unsigned int *letters =
1909 X509_STORE_CTX_get_ex_data(ctx,
1910 get_proxy_auth_ex_data_idx());
1911
1912 if (letters)
1913 {
1914 int found_any = 0;
1915 int i;
1916 PROXY_CERT_INFO_EXTENSION *pci =
1917 X509_get_ext_d2i(xs, NID_proxyCertInfo,
1918 NULL, NULL);
1919
1920 switch (OBJ_obj2nid(pci->proxyPolicy->policyLang uage))
1921 {
1922 case NID_Independent:
1923 /* Completely meaningless in this
1924 program, as there's no way to
1925 grant explicit rights to a
1926 specific PrC. Basically, using
1927 id-ppl-Independent is the perfect
1928 way to grant no rights at all. */
1929 fprintf(stderr, " Independent proxy cer tificate");
1930 for (i = 0; i < 26; i++)
1931 letters[i] = 0;
1932 break;
1933 case NID_id_ppl_inheritAll:
1934 /* This is basically a NOP, we
1935 simply let the current rights
1936 stand as they are. */
1937 fprintf(stderr, " Proxy certificate inh erits all");
1938 break;
1939 default:
1940 s = (char *)
1941 pci->proxyPolicy->policy->data;
1942 i = pci->proxyPolicy->policy->length;
1943
1944 /* The algorithm works as follows:
1945 it is assumed that previous
1946 iterations or the initial granted
1947 rights has already set some elements
1948 of `letters'. What we need to do is
1949 to clear those that weren't granted
1950 by the current PrC as well. The
1951 easiest way to do this is to add 1
1952 to all the elements whose letters
1953 are given with the current policy.
1954 That way, all elements that are set
1955 by the current policy and were
1956 already set by earlier policies and
1957 through the original grant of rights
1958 will get the value 2 or higher.
1959 The last thing to do is to sweep
1960 through `letters' and keep the
1961 elements having the value 2 as set,
1962 and clear all the others. */
1963
1964 fprintf(stderr, " Certificate proxy rig hts = %*.*s", i, i, s);
1965 while(i-- > 0)
1966 {
1967 int c = *s++;
1968 if (isascii(c) && isalpha(c))
1969 {
1970 if (islower(c))
1971 c = toupper(c);
1972 letters[c - 'A']++;
1973 }
1974 }
1975 for (i = 0; i < 26; i++)
1976 if (letters[i] < 2)
1977 letters[i] = 0;
1978 else
1979 letters[i] = 1;
1980 }
1981
1982 found_any = 0;
1983 fprintf(stderr,
1984 ", resulting proxy rights = ");
1985 for(i = 0; i < 26; i++)
1986 if (letters[i])
1987 {
1988 fprintf(stderr, "%c", i + 'A');
1989 found_any = 1;
1990 }
1991 if (!found_any)
1992 fprintf(stderr, "none");
1993 fprintf(stderr, "\n");
1994
1995 PROXY_CERT_INFO_EXTENSION_free(pci);
1996 }
1997 }
1998 }
1999
2000 return(ok);
2001 }
2002
2003 static void process_proxy_debug(int indent, const char *format, ...)
2004 {
2005 static const char indentation[] =
2006 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
2007 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"; /* That's 80 > */
2008 char my_format[256];
2009 va_list args;
2010
2011 BIO_snprintf(my_format, sizeof(my_format), "%*.*s %s",
2012 indent, indent, indentation, format);
2013
2014 va_start(args, format);
2015 vfprintf(stderr, my_format, args);
2016 va_end(args);
2017 }
2018 /* Priority levels:
2019 0 [!]var, ()
2020 1 & ^
2021 2 |
2022 */
2023 static int process_proxy_cond_adders(unsigned int letters[26],
2024 const char *cond, const char **cond_end, int *pos, int indent);
2025 static int process_proxy_cond_val(unsigned int letters[26],
2026 const char *cond, const char **cond_end, int *pos, int indent)
2027 {
2028 int c;
2029 int ok = 1;
2030 int negate = 0;
2031
2032 while(isspace((int)*cond))
2033 {
2034 cond++; (*pos)++;
2035 }
2036 c = *cond;
2037
2038 if (debug)
2039 process_proxy_debug(indent,
2040 "Start process_proxy_cond_val at position %d: %s\n",
2041 *pos, cond);
2042
2043 while(c == '!')
2044 {
2045 negate = !negate;
2046 cond++; (*pos)++;
2047 while(isspace((int)*cond))
2048 {
2049 cond++; (*pos)++;
2050 }
2051 c = *cond;
2052 }
2053
2054 if (c == '(')
2055 {
2056 cond++; (*pos)++;
2057 ok = process_proxy_cond_adders(letters, cond, cond_end, pos,
2058 indent + 1);
2059 cond = *cond_end;
2060 if (ok < 0)
2061 goto end;
2062 while(isspace((int)*cond))
2063 {
2064 cond++; (*pos)++;
2065 }
2066 c = *cond;
2067 if (c != ')')
2068 {
2069 fprintf(stderr,
2070 "Weird condition character in position %d: "
2071 "%c\n", *pos, c);
2072 ok = -1;
2073 goto end;
2074 }
2075 cond++; (*pos)++;
2076 }
2077 else if (isascii(c) && isalpha(c))
2078 {
2079 if (islower(c))
2080 c = toupper(c);
2081 ok = letters[c - 'A'];
2082 cond++; (*pos)++;
2083 }
2084 else
2085 {
2086 fprintf(stderr,
2087 "Weird condition character in position %d: "
2088 "%c\n", *pos, c);
2089 ok = -1;
2090 goto end;
2091 }
2092 end:
2093 *cond_end = cond;
2094 if (ok >= 0 && negate)
2095 ok = !ok;
2096
2097 if (debug)
2098 process_proxy_debug(indent,
2099 "End process_proxy_cond_val at position %d: %s, returnin g %d\n",
2100 *pos, cond, ok);
2101
2102 return ok;
2103 }
2104 static int process_proxy_cond_multipliers(unsigned int letters[26],
2105 const char *cond, const char **cond_end, int *pos, int indent)
2106 {
2107 int ok;
2108 char c;
2109
2110 if (debug)
2111 process_proxy_debug(indent,
2112 "Start process_proxy_cond_multipliers at position %d: %s \n",
2113 *pos, cond);
2114
2115 ok = process_proxy_cond_val(letters, cond, cond_end, pos, indent + 1);
2116 cond = *cond_end;
2117 if (ok < 0)
2118 goto end;
2119
2120 while(ok >= 0)
2121 {
2122 while(isspace((int)*cond))
2123 {
2124 cond++; (*pos)++;
2125 }
2126 c = *cond;
2127
2128 switch(c)
2129 {
2130 case '&':
2131 case '^':
2132 {
2133 int save_ok = ok;
2134
2135 cond++; (*pos)++;
2136 ok = process_proxy_cond_val(letters,
2137 cond, cond_end, pos, indent + 1);
2138 cond = *cond_end;
2139 if (ok < 0)
2140 break;
2141
2142 switch(c)
2143 {
2144 case '&':
2145 ok &= save_ok;
2146 break;
2147 case '^':
2148 ok ^= save_ok;
2149 break;
2150 default:
2151 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
2152 " STOPPING\n");
2153 EXIT(1);
2154 }
2155 }
2156 break;
2157 default:
2158 goto end;
2159 }
2160 }
2161 end:
2162 if (debug)
2163 process_proxy_debug(indent,
2164 "End process_proxy_cond_multipliers at position %d: %s, returning %d\n",
2165 *pos, cond, ok);
2166
2167 *cond_end = cond;
2168 return ok;
2169 }
2170 static int process_proxy_cond_adders(unsigned int letters[26],
2171 const char *cond, const char **cond_end, int *pos, int indent)
2172 {
2173 int ok;
2174 char c;
2175
2176 if (debug)
2177 process_proxy_debug(indent,
2178 "Start process_proxy_cond_adders at position %d: %s\n",
2179 *pos, cond);
2180
2181 ok = process_proxy_cond_multipliers(letters, cond, cond_end, pos,
2182 indent + 1);
2183 cond = *cond_end;
2184 if (ok < 0)
2185 goto end;
2186
2187 while(ok >= 0)
2188 {
2189 while(isspace((int)*cond))
2190 {
2191 cond++; (*pos)++;
2192 }
2193 c = *cond;
2194
2195 switch(c)
2196 {
2197 case '|':
2198 {
2199 int save_ok = ok;
2200
2201 cond++; (*pos)++;
2202 ok = process_proxy_cond_multipliers(letters,
2203 cond, cond_end, pos, indent + 1);
2204 cond = *cond_end;
2205 if (ok < 0)
2206 break;
2207
2208 switch(c)
2209 {
2210 case '|':
2211 ok |= save_ok;
2212 break;
2213 default:
2214 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
2215 " STOPPING\n");
2216 EXIT(1);
2217 }
2218 }
2219 break;
2220 default:
2221 goto end;
2222 }
2223 }
2224 end:
2225 if (debug)
2226 process_proxy_debug(indent,
2227 "End process_proxy_cond_adders at position %d: %s, retur ning %d\n",
2228 *pos, cond, ok);
2229
2230 *cond_end = cond;
2231 return ok;
2232 }
2233
2234 static int process_proxy_cond(unsigned int letters[26],
2235 const char *cond, const char **cond_end)
2236 {
2237 int pos = 1;
2238 return process_proxy_cond_adders(letters, cond, cond_end, &pos, 1);
2239 }
2240
2241 static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg)
2242 {
2243 int ok=1;
2244 struct app_verify_arg *cb_arg = arg;
2245 unsigned int letters[26]; /* only used with proxy_auth */
2246
2247 if (cb_arg->app_verify)
2248 {
2249 char *s = NULL,buf[256];
2250
2251 fprintf(stderr, "In app_verify_callback, allowing cert. ");
2252 fprintf(stderr, "Arg is: %s\n", cb_arg->string);
2253 fprintf(stderr, "Finished printing do we have a context? 0x%p a cert? 0x%p\n",
2254 (void *)ctx, (void *)ctx->cert);
2255 if (ctx->cert)
2256 s=X509_NAME_oneline(X509_get_subject_name(ctx->cert),buf ,256);
2257 if (s != NULL)
2258 {
2259 fprintf(stderr,"cert depth=%d %s\n",ctx->error_depth,buf );
2260 }
2261 return(1);
2262 }
2263 if (cb_arg->proxy_auth)
2264 {
2265 int found_any = 0, i;
2266 char *sp;
2267
2268 for(i = 0; i < 26; i++)
2269 letters[i] = 0;
2270 for(sp = cb_arg->proxy_auth; *sp; sp++)
2271 {
2272 int c = *sp;
2273 if (isascii(c) && isalpha(c))
2274 {
2275 if (islower(c))
2276 c = toupper(c);
2277 letters[c - 'A'] = 1;
2278 }
2279 }
2280
2281 fprintf(stderr,
2282 " Initial proxy rights = ");
2283 for(i = 0; i < 26; i++)
2284 if (letters[i])
2285 {
2286 fprintf(stderr, "%c", i + 'A');
2287 found_any = 1;
2288 }
2289 if (!found_any)
2290 fprintf(stderr, "none");
2291 fprintf(stderr, "\n");
2292
2293 X509_STORE_CTX_set_ex_data(ctx,
2294 get_proxy_auth_ex_data_idx(),letters);
2295 }
2296 if (cb_arg->allow_proxy_certs)
2297 {
2298 X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
2299 }
2300
2301 #ifndef OPENSSL_NO_X509_VERIFY
2302 ok = X509_verify_cert(ctx);
2303 #endif
2304
2305 if (cb_arg->proxy_auth)
2306 {
2307 if (ok > 0)
2308 {
2309 const char *cond_end = NULL;
2310
2311 ok = process_proxy_cond(letters,
2312 cb_arg->proxy_cond, &cond_end);
2313
2314 if (ok < 0)
2315 EXIT(3);
2316 if (*cond_end)
2317 {
2318 fprintf(stderr, "Stopped processing condition be fore it's end.\n");
2319 ok = 0;
2320 }
2321 if (!ok)
2322 fprintf(stderr, "Proxy rights check with conditi on '%s' proved invalid\n",
2323 cb_arg->proxy_cond);
2324 else
2325 fprintf(stderr, "Proxy rights check with conditi on '%s' proved valid\n",
2326 cb_arg->proxy_cond);
2327 }
2328 }
2329 return(ok);
2330 }
2331
2332 #ifndef OPENSSL_NO_RSA
2333 static RSA *rsa_tmp=NULL;
2334
2335 static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength)
2336 {
2337 BIGNUM *bn = NULL;
2338 if (rsa_tmp == NULL)
2339 {
2340 bn = BN_new();
2341 rsa_tmp = RSA_new();
2342 if(!bn || !rsa_tmp || !BN_set_word(bn, RSA_F4))
2343 {
2344 BIO_printf(bio_err, "Memory error...");
2345 goto end;
2346 }
2347 BIO_printf(bio_err,"Generating temp (%d bit) RSA key...",keyleng th);
2348 (void)BIO_flush(bio_err);
2349 if(!RSA_generate_key_ex(rsa_tmp,keylength,bn,NULL))
2350 {
2351 BIO_printf(bio_err, "Error generating key.");
2352 RSA_free(rsa_tmp);
2353 rsa_tmp = NULL;
2354 }
2355 end:
2356 BIO_printf(bio_err,"\n");
2357 (void)BIO_flush(bio_err);
2358 }
2359 if(bn) BN_free(bn);
2360 return(rsa_tmp);
2361 }
2362
2363 static void free_tmp_rsa(void)
2364 {
2365 if (rsa_tmp != NULL)
2366 {
2367 RSA_free(rsa_tmp);
2368 rsa_tmp = NULL;
2369 }
2370 }
2371 #endif
2372
2373 #ifndef OPENSSL_NO_DH
2374 /* These DH parameters have been generated as follows:
2375 * $ openssl dhparam -C -noout 512
2376 * $ openssl dhparam -C -noout 1024
2377 * $ openssl dhparam -C -noout -dsaparam 1024
2378 * (The third function has been renamed to avoid name conflicts.)
2379 */
2380 static DH *get_dh512()
2381 {
2382 static unsigned char dh512_p[]={
2383 0xCB,0xC8,0xE1,0x86,0xD0,0x1F,0x94,0x17,0xA6,0x99,0xF0,0xC6,
2384 0x1F,0x0D,0xAC,0xB6,0x25,0x3E,0x06,0x39,0xCA,0x72,0x04,0xB0,
2385 0x6E,0xDA,0xC0,0x61,0xE6,0x7A,0x77,0x25,0xE8,0x3B,0xB9,0x5F,
2386 0x9A,0xB6,0xB5,0xFE,0x99,0x0B,0xA1,0x93,0x4E,0x35,0x33,0xB8,
2387 0xE1,0xF1,0x13,0x4F,0x59,0x1A,0xD2,0x57,0xC0,0x26,0x21,0x33,
2388 0x02,0xC5,0xAE,0x23,
2389 };
2390 static unsigned char dh512_g[]={
2391 0x02,
2392 };
2393 DH *dh;
2394
2395 if ((dh=DH_new()) == NULL) return(NULL);
2396 dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
2397 dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
2398 if ((dh->p == NULL) || (dh->g == NULL))
2399 { DH_free(dh); return(NULL); }
2400 return(dh);
2401 }
2402
2403 static DH *get_dh1024()
2404 {
2405 static unsigned char dh1024_p[]={
2406 0xF8,0x81,0x89,0x7D,0x14,0x24,0xC5,0xD1,0xE6,0xF7,0xBF,0x3A,
2407 0xE4,0x90,0xF4,0xFC,0x73,0xFB,0x34,0xB5,0xFA,0x4C,0x56,0xA2,
2408 0xEA,0xA7,0xE9,0xC0,0xC0,0xCE,0x89,0xE1,0xFA,0x63,0x3F,0xB0,
2409 0x6B,0x32,0x66,0xF1,0xD1,0x7B,0xB0,0x00,0x8F,0xCA,0x87,0xC2,
2410 0xAE,0x98,0x89,0x26,0x17,0xC2,0x05,0xD2,0xEC,0x08,0xD0,0x8C,
2411 0xFF,0x17,0x52,0x8C,0xC5,0x07,0x93,0x03,0xB1,0xF6,0x2F,0xB8,
2412 0x1C,0x52,0x47,0x27,0x1B,0xDB,0xD1,0x8D,0x9D,0x69,0x1D,0x52,
2413 0x4B,0x32,0x81,0xAA,0x7F,0x00,0xC8,0xDC,0xE6,0xD9,0xCC,0xC1,
2414 0x11,0x2D,0x37,0x34,0x6C,0xEA,0x02,0x97,0x4B,0x0E,0xBB,0xB1,
2415 0x71,0x33,0x09,0x15,0xFD,0xDD,0x23,0x87,0x07,0x5E,0x89,0xAB,
2416 0x6B,0x7C,0x5F,0xEC,0xA6,0x24,0xDC,0x53,
2417 };
2418 static unsigned char dh1024_g[]={
2419 0x02,
2420 };
2421 DH *dh;
2422
2423 if ((dh=DH_new()) == NULL) return(NULL);
2424 dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
2425 dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
2426 if ((dh->p == NULL) || (dh->g == NULL))
2427 { DH_free(dh); return(NULL); }
2428 return(dh);
2429 }
2430
2431 static DH *get_dh1024dsa()
2432 {
2433 static unsigned char dh1024_p[]={
2434 0xC8,0x00,0xF7,0x08,0x07,0x89,0x4D,0x90,0x53,0xF3,0xD5,0x00,
2435 0x21,0x1B,0xF7,0x31,0xA6,0xA2,0xDA,0x23,0x9A,0xC7,0x87,0x19,
2436 0x3B,0x47,0xB6,0x8C,0x04,0x6F,0xFF,0xC6,0x9B,0xB8,0x65,0xD2,
2437 0xC2,0x5F,0x31,0x83,0x4A,0xA7,0x5F,0x2F,0x88,0x38,0xB6,0x55,
2438 0xCF,0xD9,0x87,0x6D,0x6F,0x9F,0xDA,0xAC,0xA6,0x48,0xAF,0xFC,
2439 0x33,0x84,0x37,0x5B,0x82,0x4A,0x31,0x5D,0xE7,0xBD,0x52,0x97,
2440 0xA1,0x77,0xBF,0x10,0x9E,0x37,0xEA,0x64,0xFA,0xCA,0x28,0x8D,
2441 0x9D,0x3B,0xD2,0x6E,0x09,0x5C,0x68,0xC7,0x45,0x90,0xFD,0xBB,
2442 0x70,0xC9,0x3A,0xBB,0xDF,0xD4,0x21,0x0F,0xC4,0x6A,0x3C,0xF6,
2443 0x61,0xCF,0x3F,0xD6,0x13,0xF1,0x5F,0xBC,0xCF,0xBC,0x26,0x9E,
2444 0xBC,0x0B,0xBD,0xAB,0x5D,0xC9,0x54,0x39,
2445 };
2446 static unsigned char dh1024_g[]={
2447 0x3B,0x40,0x86,0xE7,0xF3,0x6C,0xDE,0x67,0x1C,0xCC,0x80,0x05,
2448 0x5A,0xDF,0xFE,0xBD,0x20,0x27,0x74,0x6C,0x24,0xC9,0x03,0xF3,
2449 0xE1,0x8D,0xC3,0x7D,0x98,0x27,0x40,0x08,0xB8,0x8C,0x6A,0xE9,
2450 0xBB,0x1A,0x3A,0xD6,0x86,0x83,0x5E,0x72,0x41,0xCE,0x85,0x3C,
2451 0xD2,0xB3,0xFC,0x13,0xCE,0x37,0x81,0x9E,0x4C,0x1C,0x7B,0x65,
2452 0xD3,0xE6,0xA6,0x00,0xF5,0x5A,0x95,0x43,0x5E,0x81,0xCF,0x60,
2453 0xA2,0x23,0xFC,0x36,0xA7,0x5D,0x7A,0x4C,0x06,0x91,0x6E,0xF6,
2454 0x57,0xEE,0x36,0xCB,0x06,0xEA,0xF5,0x3D,0x95,0x49,0xCB,0xA7,
2455 0xDD,0x81,0xDF,0x80,0x09,0x4A,0x97,0x4D,0xA8,0x22,0x72,0xA1,
2456 0x7F,0xC4,0x70,0x56,0x70,0xE8,0x20,0x10,0x18,0x8F,0x2E,0x60,
2457 0x07,0xE7,0x68,0x1A,0x82,0x5D,0x32,0xA2,
2458 };
2459 DH *dh;
2460
2461 if ((dh=DH_new()) == NULL) return(NULL);
2462 dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
2463 dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
2464 if ((dh->p == NULL) || (dh->g == NULL))
2465 { DH_free(dh); return(NULL); }
2466 dh->length = 160;
2467 return(dh);
2468 }
2469 #endif
2470
2471 #ifndef OPENSSL_NO_PSK
2472 /* convert the PSK key (psk_key) in ascii to binary (psk) */
2473 static int psk_key2bn(const char *pskkey, unsigned char *psk,
2474 unsigned int max_psk_len)
2475 {
2476 int ret;
2477 BIGNUM *bn = NULL;
2478
2479 ret = BN_hex2bn(&bn, pskkey);
2480 if (!ret)
2481 {
2482 BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", pskkey);
2483 if (bn)
2484 BN_free(bn);
2485 return 0;
2486 }
2487 if (BN_num_bytes(bn) > (int)max_psk_len)
2488 {
2489 BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n",
2490 max_psk_len, BN_num_bytes(bn));
2491 BN_free(bn);
2492 return 0;
2493 }
2494 ret = BN_bn2bin(bn, psk);
2495 BN_free(bn);
2496 return ret;
2497 }
2498
2499 static unsigned int psk_client_callback(SSL *ssl, const char *hint, char *identi ty,
2500 unsigned int max_identity_len, unsigned char *psk,
2501 unsigned int max_psk_len)
2502 {
2503 int ret;
2504 unsigned int psk_len = 0;
2505
2506 ret = BIO_snprintf(identity, max_identity_len, "Client_identity");
2507 if (ret < 0)
2508 goto out_err;
2509 if (debug)
2510 fprintf(stderr, "client: created identity '%s' len=%d\n", identi ty, ret);
2511 ret = psk_key2bn(psk_key, psk, max_psk_len);
2512 if (ret < 0)
2513 goto out_err;
2514 psk_len = ret;
2515 out_err:
2516 return psk_len;
2517 }
2518
2519 static unsigned int psk_server_callback(SSL *ssl, const char *identity,
2520 unsigned char *psk, unsigned int max_psk_len)
2521 {
2522 unsigned int psk_len=0;
2523
2524 if (strcmp(identity, "Client_identity") != 0)
2525 {
2526 BIO_printf(bio_err, "server: PSK error: client identity not foun d\n");
2527 return 0;
2528 }
2529 psk_len=psk_key2bn(psk_key, psk, max_psk_len);
2530 return psk_len;
2531 }
2532 #endif
2533
2534 static int do_test_cipherlist(void)
2535 {
2536 int i = 0;
2537 const SSL_METHOD *meth;
2538 const SSL_CIPHER *ci, *tci = NULL;
2539
2540 #ifndef OPENSSL_NO_SSL2
2541 fprintf(stderr, "testing SSLv2 cipher list order: ");
2542 meth = SSLv2_method();
2543 while ((ci = meth->get_cipher(i++)) != NULL)
2544 {
2545 if (tci != NULL)
2546 if (ci->id >= tci->id)
2547 {
2548 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2549 return 0;
2550 }
2551 tci = ci;
2552 }
2553 fprintf(stderr, "ok\n");
2554 #endif
2555 #ifndef OPENSSL_NO_SSL3
2556 fprintf(stderr, "testing SSLv3 cipher list order: ");
2557 meth = SSLv3_method();
2558 tci = NULL;
2559 while ((ci = meth->get_cipher(i++)) != NULL)
2560 {
2561 if (tci != NULL)
2562 if (ci->id >= tci->id)
2563 {
2564 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2565 return 0;
2566 }
2567 tci = ci;
2568 }
2569 fprintf(stderr, "ok\n");
2570 #endif
2571 #ifndef OPENSSL_NO_TLS1
2572 fprintf(stderr, "testing TLSv1 cipher list order: ");
2573 meth = TLSv1_method();
2574 tci = NULL;
2575 while ((ci = meth->get_cipher(i++)) != NULL)
2576 {
2577 if (tci != NULL)
2578 if (ci->id >= tci->id)
2579 {
2580 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2581 return 0;
2582 }
2583 tci = ci;
2584 }
2585 fprintf(stderr, "ok\n");
2586 #endif
2587
2588 return 1;
2589 }
OLDNEW
« no previous file with comments | « openssl/ssl/ssl_txt.c ('k') | openssl/ssl/t1_clnt.c » ('j') | no next file with comments »

Powered by Google App Engine
This is Rietveld 408576698