1 /* ssl/ssltest.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58 /* ====================================================================
59 * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111 /* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 * ECC cipher suite support in OpenSSL originally developed by
114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
115 */
116
117 #define _BSD_SOURCE 1 /* Or gethostname won't be declared properly
118 on Linux and GNU platforms. */
119
120 #include <assert.h>
121 #include <errno.h>
122 #include <limits.h>
123 #include <stdio.h>
124 #include <stdlib.h>
125 #include <string.h>
126 #include <time.h>
127
128 #define USE_SOCKETS
129 #include "e_os.h"
130
131 #define _XOPEN_SOURCE 500 /* Or isascii won't be declared properly on
132 VMS (at least with DECompHP C). */
133 #include <ctype.h>
134
135 #include <openssl/bio.h>
136 #include <openssl/crypto.h>
137 #include <openssl/evp.h>
138 #include <openssl/x509.h>
139 #include <openssl/x509v3.h>
140 #include <openssl/ssl.h>
141 #ifndef OPENSSL_NO_ENGINE
142 #include <openssl/engine.h>
143 #endif
144 #include <openssl/err.h>
145 #include <openssl/rand.h>
146 #ifndef OPENSSL_NO_RSA
147 #include <openssl/rsa.h>
148 #endif
149 #ifndef OPENSSL_NO_DSA
150 #include <openssl/dsa.h>
151 #endif
152 #ifndef OPENSSL_NO_DH
153 #include <openssl/dh.h>
154 #endif
155 #include <openssl/bn.h>
156
157 #define _XOPEN_SOURCE_EXTENDED 1 /* Or gethostname won't be declared properly
158 on Compaq platforms (at least with DEC C).
159 Do not try to put it earlier, or IPv6 includes
160 get screwed...
161 */
162
163 #ifdef OPENSSL_SYS_WINDOWS
164 #include <winsock.h>
165 #else
166 #include OPENSSL_UNISTD
167 #endif
168
169 #ifdef OPENSSL_SYS_VMS
170 # define TEST_SERVER_CERT "SYS$DISK:[-.APPS]SERVER.PEM"
171 # define TEST_CLIENT_CERT "SYS$DISK:[-.APPS]CLIENT.PEM"
172 #elif defined(OPENSSL_SYS_WINCE)
173 # define TEST_SERVER_CERT "\\OpenSSL\\server.pem"
174 # define TEST_CLIENT_CERT "\\OpenSSL\\client.pem"
175 #elif defined(OPENSSL_SYS_NETWARE)
176 # define TEST_SERVER_CERT "\\openssl\\apps\\server.pem"
177 # define TEST_CLIENT_CERT "\\openssl\\apps\\client.pem"
178 #else
179 # define TEST_SERVER_CERT "../apps/server.pem"
180 # define TEST_CLIENT_CERT "../apps/client.pem"
181 #endif
182
183 /* There is really no standard for this, so let's assign some tentative
184 numbers. In any case, these numbers are only for this test */
185 #define COMP_RLE 255
186 #define COMP_ZLIB 1
187
188 static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
189 #ifndef OPENSSL_NO_RSA
190 static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export,int keylength);
191 static void free_tmp_rsa(void);
192 #endif
193 static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg);
194 #define APP_CALLBACK_STRING "Test Callback Argument"
195 struct app_verify_arg
196 {
197 char *string;
198 int app_verify;
199 int allow_proxy_certs;
200 char *proxy_auth;
201 char *proxy_cond;
202 };
203
204 #ifndef OPENSSL_NO_DH
205 static DH *get_dh512(void);
206 static DH *get_dh1024(void);
207 static DH *get_dh1024dsa(void);
208 #endif
209
210 static BIO *bio_err=NULL;
211 static BIO *bio_stdout=NULL;
212
213 static char *cipher=NULL;
214 static int verbose=0;
215 static int debug=0;
216 #if 0
217 /* Not used yet. */
218 #ifdef FIONBIO
219 static int s_nbio=0;
220 #endif
221 #endif
222
223 static const char rnd_seed[] = "string to make the random number generator think it has entropy";
224
225 int doit_biopair(SSL *s_ssl,SSL *c_ssl,long bytes,clock_t *s_time,clock_t *c_time);
226 int doit(SSL *s_ssl,SSL *c_ssl,long bytes);
227 static int do_test_cipherlist(void);
sv_usage(void)228 static void sv_usage(void)
229 {
230 fprintf(stderr,"usage: ssltest [args ...]\n");
231 fprintf(stderr,"\n");
232 fprintf(stderr," -server_auth - check server certificate\n");
233 fprintf(stderr," -client_auth - do client authentication\n");
234 fprintf(stderr," -proxy - allow proxy certificates\n");
235 fprintf(stderr," -proxy_auth <val> - set proxy policy rights\n");
236 fprintf(stderr," -proxy_cond <val> - experssion to test proxy policy rights\n");
237 fprintf(stderr," -v - more output\n");
238 fprintf(stderr," -d - debug output\n");
239 fprintf(stderr," -reuse - use session-id reuse\n");
240 fprintf(stderr," -num <val> - number of connections to perform\n");
241 fprintf(stderr," -bytes <val> - number of bytes to swap between client/server\n");
242 #ifndef OPENSSL_NO_DH
243 fprintf(stderr," -dhe1024 - use 1024 bit key (safe prime) for DHE\n");
244 fprintf(stderr," -dhe1024dsa - use 1024 bit key (with 160-bit subprime) for DHE\n");
245 fprintf(stderr," -no_dhe - disable DHE\n");
246 #endif
247 #ifndef OPENSSL_NO_ECDH
248 fprintf(stderr," -no_ecdhe - disable ECDHE\n");
249 #endif
250 #ifndef OPENSSL_NO_SSL2
251 fprintf(stderr," -ssl2 - use SSLv2\n");
252 #endif
253 #ifndef OPENSSL_NO_SSL3
254 fprintf(stderr," -ssl3 - use SSLv3\n");
255 #endif
256 #ifndef OPENSSL_NO_TLS1
257 fprintf(stderr," -tls1 - use TLSv1\n");
258 #endif
259 fprintf(stderr," -CApath arg - PEM format directory of CA's\n");
260 fprintf(stderr," -CAfile arg - PEM format file of CA's\n");
261 fprintf(stderr," -cert arg - Server certificate file\n");
262 fprintf(stderr," -key arg - Server key file (default: same as -cert)\n");
263 fprintf(stderr," -c_cert arg - Client certificate file\n");
264 fprintf(stderr," -c_key arg - Client key file (default: same as -c_cert)\n");
265 fprintf(stderr," -cipher arg - The cipher list\n");
266 fprintf(stderr," -bio_pair - Use BIO pairs\n");
267 fprintf(stderr," -f - Test even cases that can't work\n");
268 fprintf(stderr," -time - measure processor time used by client and server\n");
269 fprintf(stderr," -zlib - use zlib compression\n");
270 fprintf(stderr," -rle - use rle compression\n");
271 #ifndef OPENSSL_NO_ECDH
272 fprintf(stderr," -named_curve arg - Elliptic curve name to use for ephemeral ECDH keys.\n" \
273 " Use \"openssl ecparam -list_curves\" for all names\n" \
274 " (default is sect163r2).\n");
275 #endif
276 fprintf(stderr," -test_cipherlist - verifies the order of the ssl cipher lists\n");
277 }
278
print_details(SSL * c_ssl,const char * prefix)279 static void print_details(SSL *c_ssl, const char *prefix)
280 {
281 SSL_CIPHER *ciph;
282 X509 *cert;
283
284 ciph=SSL_get_current_cipher(c_ssl);
285 BIO_printf(bio_stdout,"%s%s, cipher %s %s",
286 prefix,
287 SSL_get_version(c_ssl),
288 SSL_CIPHER_get_version(ciph),
289 SSL_CIPHER_get_name(ciph));
290 cert=SSL_get_peer_certificate(c_ssl);
291 if (cert != NULL)
292 {
293 EVP_PKEY *pkey = X509_get_pubkey(cert);
294 if (pkey != NULL)
295 {
296 if (0)
297 ;
298 #ifndef OPENSSL_NO_RSA
299 else if (pkey->type == EVP_PKEY_RSA && pkey->pkey.rsa != NULL
300 && pkey->pkey.rsa->n != NULL)
301 {
302 BIO_printf(bio_stdout, ", %d bit RSA",
303 BN_num_bits(pkey->pkey.rsa->n));
304 }
305 #endif
306 #ifndef OPENSSL_NO_DSA
307 else if (pkey->type == EVP_PKEY_DSA && pkey->pkey.dsa != NULL
308 && pkey->pkey.dsa->p != NULL)
309 {
310 BIO_printf(bio_stdout, ", %d bit DSA",
311 BN_num_bits(pkey->pkey.dsa->p));
312 }
313 #endif
314 EVP_PKEY_free(pkey);
315 }
316 X509_free(cert);
317 }
318 /* The SSL API does not allow us to look at temporary RSA/DH keys,
319 * otherwise we should print their lengths too */
320 BIO_printf(bio_stdout,"\n");
321 }
322
lock_dbg_cb(int mode,int type,const char * file,int line)323 static void lock_dbg_cb(int mode, int type, const char *file, int line)
324 {
325 static int modes[CRYPTO_NUM_LOCKS]; /* = {0, 0, ... } */
326 const char *errstr = NULL;
327 int rw;
328
329 rw = mode & (CRYPTO_READ|CRYPTO_WRITE);
330 if (!((rw == CRYPTO_READ) || (rw == CRYPTO_WRITE)))
331 {
332 errstr = "invalid mode";
333 goto err;
334 }
335
336 if (type < 0 || type >= CRYPTO_NUM_LOCKS)
337 {
338 errstr = "type out of bounds";
339 goto err;
340 }
341
342 if (mode & CRYPTO_LOCK)
343 {
344 if (modes[type])
345 {
346 errstr = "already locked";
347 /* must not happen in a single-threaded program
348 * (would deadlock) */
349 goto err;
350 }
351
352 modes[type] = rw;
353 }
354 else if (mode & CRYPTO_UNLOCK)
355 {
356 if (!modes[type])
357 {
358 errstr = "not locked";
359 goto err;
360 }
361
362 if (modes[type] != rw)
363 {
364 errstr = (rw == CRYPTO_READ) ?
365 "CRYPTO_r_unlock on write lock" :
366 "CRYPTO_w_unlock on read lock";
367 }
368
369 modes[type] = 0;
370 }
371 else
372 {
373 errstr = "invalid mode";
374 goto err;
375 }
376
377 err:
378 if (errstr)
379 {
380 /* we cannot use bio_err here */
381 fprintf(stderr, "openssl (lock_dbg_cb): %s (mode=%d, type=%d) at %s:%d\n",
382 errstr, mode, type, file, line);
383 }
384 }
385
386
main(int argc,char * argv[])387 int main(int argc, char *argv[])
388 {
389 char *CApath=NULL,*CAfile=NULL;
390 int badop=0;
391 int bio_pair=0;
392 int force=0;
393 int tls1=0,ssl2=0,ssl3=0,ret=1;
394 int client_auth=0;
395 int server_auth=0,i;
396 struct app_verify_arg app_verify_arg =
397 { APP_CALLBACK_STRING, 0, 0, NULL, NULL };
398 char *server_cert=TEST_SERVER_CERT;
399 char *server_key=NULL;
400 char *client_cert=TEST_CLIENT_CERT;
401 char *client_key=NULL;
402 #ifndef OPENSSL_NO_ECDH
403 char *named_curve = NULL;
404 #endif
405 SSL_CTX *s_ctx=NULL;
406 SSL_CTX *c_ctx=NULL;
407 SSL_METHOD *meth=NULL;
408 SSL *c_ssl,*s_ssl;
409 int number=1,reuse=0;
410 long bytes=256L;
411 #ifndef OPENSSL_NO_DH
412 DH *dh;
413 int dhe1024 = 0, dhe1024dsa = 0;
414 #endif
415 #ifndef OPENSSL_NO_ECDH
416 EC_KEY *ecdh = NULL;
417 #endif
418 int no_dhe = 0;
419 int no_ecdhe = 0;
420 int print_time = 0;
421 clock_t s_time = 0, c_time = 0;
422 int comp = 0;
423 #ifndef OPENSSL_NO_COMP
424 COMP_METHOD *cm = NULL;
425 #endif
426 STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
427 int test_cipherlist = 0;
428
429 verbose = 0;
430 debug = 0;
431 cipher = 0;
432
433 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE);
434
435 CRYPTO_set_locking_callback(lock_dbg_cb);
436
437 /* enable memory leak checking unless explicitly disabled */
438 if (!((getenv("OPENSSL_DEBUG_MEMORY") != NULL) && (0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off"))))
439 {
440 CRYPTO_malloc_debug_init();
441 CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
442 }
443 else
444 {
445 /* OPENSSL_DEBUG_MEMORY=off */
446 CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0);
447 }
448 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
449
450 RAND_seed(rnd_seed, sizeof rnd_seed);
451
452 bio_stdout=BIO_new_fp(stdout,BIO_NOCLOSE);
453
454 argc--;
455 argv++;
456
457 while (argc >= 1)
458 {
459 if (strcmp(*argv,"-server_auth") == 0)
460 server_auth=1;
461 else if (strcmp(*argv,"-client_auth") == 0)
462 client_auth=1;
463 else if (strcmp(*argv,"-proxy_auth") == 0)
464 {
465 if (--argc < 1) goto bad;
466 app_verify_arg.proxy_auth= *(++argv);
467 }
468 else if (strcmp(*argv,"-proxy_cond") == 0)
469 {
470 if (--argc < 1) goto bad;
471 app_verify_arg.proxy_cond= *(++argv);
472 }
473 else if (strcmp(*argv,"-v") == 0)
474 verbose=1;
475 else if (strcmp(*argv,"-d") == 0)
476 debug=1;
477 else if (strcmp(*argv,"-reuse") == 0)
478 reuse=1;
479 else if (strcmp(*argv,"-dhe1024") == 0)
480 {
481 #ifndef OPENSSL_NO_DH
482 dhe1024=1;
483 #else
484 fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n");
485 #endif
486 }
487 else if (strcmp(*argv,"-dhe1024dsa") == 0)
488 {
489 #ifndef OPENSSL_NO_DH
490 dhe1024dsa=1;
491 #else
492 fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n");
493 #endif
494 }
495 else if (strcmp(*argv,"-no_dhe") == 0)
496 no_dhe=1;
497 else if (strcmp(*argv,"-no_ecdhe") == 0)
498 no_ecdhe=1;
499 else if (strcmp(*argv,"-ssl2") == 0)
500 ssl2=1;
501 else if (strcmp(*argv,"-tls1") == 0)
502 tls1=1;
503 else if (strcmp(*argv,"-ssl3") == 0)
504 ssl3=1;
505 else if (strncmp(*argv,"-num",4) == 0)
506 {
507 if (--argc < 1) goto bad;
508 number= atoi(*(++argv));
509 if (number == 0) number=1;
510 }
511 else if (strcmp(*argv,"-bytes") == 0)
512 {
513 if (--argc < 1) goto bad;
514 bytes= atol(*(++argv));
515 if (bytes == 0L) bytes=1L;
516 i=strlen(argv[0]);
517 if (argv[0][i-1] == 'k') bytes*=1024L;
518 if (argv[0][i-1] == 'm') bytes*=1024L*1024L;
519 }
520 else if (strcmp(*argv,"-cert") == 0)
521 {
522 if (--argc < 1) goto bad;
523 server_cert= *(++argv);
524 }
525 else if (strcmp(*argv,"-s_cert") == 0)
526 {
527 if (--argc < 1) goto bad;
528 server_cert= *(++argv);
529 }
530 else if (strcmp(*argv,"-key") == 0)
531 {
532 if (--argc < 1) goto bad;
533 server_key= *(++argv);
534 }
535 else if (strcmp(*argv,"-s_key") == 0)
536 {
537 if (--argc < 1) goto bad;
538 server_key= *(++argv);
539 }
540 else if (strcmp(*argv,"-c_cert") == 0)
541 {
542 if (--argc < 1) goto bad;
543 client_cert= *(++argv);
544 }
545 else if (strcmp(*argv,"-c_key") == 0)
546 {
547 if (--argc < 1) goto bad;
548 client_key= *(++argv);
549 }
550 else if (strcmp(*argv,"-cipher") == 0)
551 {
552 if (--argc < 1) goto bad;
553 cipher= *(++argv);
554 }
555 else if (strcmp(*argv,"-CApath") == 0)
556 {
557 if (--argc < 1) goto bad;
558 CApath= *(++argv);
559 }
560 else if (strcmp(*argv,"-CAfile") == 0)
561 {
562 if (--argc < 1) goto bad;
563 CAfile= *(++argv);
564 }
565 else if (strcmp(*argv,"-bio_pair") == 0)
566 {
567 bio_pair = 1;
568 }
569 else if (strcmp(*argv,"-f") == 0)
570 {
571 force = 1;
572 }
573 else if (strcmp(*argv,"-time") == 0)
574 {
575 print_time = 1;
576 }
577 else if (strcmp(*argv,"-zlib") == 0)
578 {
579 comp = COMP_ZLIB;
580 }
581 else if (strcmp(*argv,"-rle") == 0)
582 {
583 comp = COMP_RLE;
584 }
585 else if (strcmp(*argv,"-named_curve") == 0)
586 {
587 if (--argc < 1) goto bad;
588 #ifndef OPENSSL_NO_ECDH
589 named_curve = *(++argv);
590 #else
591 fprintf(stderr,"ignoring -named_curve, since I'm compiled without ECDH\n");
592 ++argv;
593 #endif
594 }
595 else if (strcmp(*argv,"-app_verify") == 0)
596 {
597 app_verify_arg.app_verify = 1;
598 }
599 else if (strcmp(*argv,"-proxy") == 0)
600 {
601 app_verify_arg.allow_proxy_certs = 1;
602 }
603 else if (strcmp(*argv,"-test_cipherlist") == 0)
604 {
605 test_cipherlist = 1;
606 }
607 else
608 {
609 fprintf(stderr,"unknown option %s\n",*argv);
610 badop=1;
611 break;
612 }
613 argc--;
614 argv++;
615 }
616 if (badop)
617 {
618 bad:
619 sv_usage();
620 goto end;
621 }
622
623 if (test_cipherlist == 1)
624 {
625 /* ensure that the cipher list are correctly sorted and exit */
626 if (do_test_cipherlist() == 0)
627 EXIT(1);
628 ret = 0;
629 goto end;
630 }
631
632 if (!ssl2 && !ssl3 && !tls1 && number > 1 && !reuse && !force)
633 {
634 fprintf(stderr, "This case cannot work. Use -f to perform "
635 "the test anyway (and\n-d to see what happens), "
636 "or add one of -ssl2, -ssl3, -tls1, -reuse\n"
637 "to avoid protocol mismatch.\n");
638 EXIT(1);
639 }
640
641 if (print_time)
642 {
643 if (!bio_pair)
644 {
645 fprintf(stderr, "Using BIO pair (-bio_pair)\n");
646 bio_pair = 1;
647 }
648 if (number < 50 && !force)
649 fprintf(stderr, "Warning: For accurate timings, use more connections (e.g. -num 1000)\n");
650 }
651
652 /* if (cipher == NULL) cipher=getenv("SSL_CIPHER"); */
653
654 SSL_library_init();
655 SSL_load_error_strings();
656
657 #ifndef OPENSSL_NO_COMP
658 if (comp == COMP_ZLIB) cm = COMP_zlib();
659 if (comp == COMP_RLE) cm = COMP_rle();
660 if (cm != NULL)
661 {
662 if (cm->type != NID_undef)
663 {
664 if (SSL_COMP_add_compression_method(comp, cm) != 0)
665 {
666 fprintf(stderr,
667 "Failed to add compression method\n");
668 ERR_print_errors_fp(stderr);
669 }
670 }
671 else
672 {
673 fprintf(stderr,
674 "Warning: %s compression not supported\n",
675 (comp == COMP_RLE ? "rle" :
676 (comp == COMP_ZLIB ? "zlib" :
677 "unknown")));
678 ERR_print_errors_fp(stderr);
679 }
680 }
681 ssl_comp_methods = SSL_COMP_get_compression_methods();
682 fprintf(stderr, "Available compression methods:\n");
683 {
684 int j, n = sk_SSL_COMP_num(ssl_comp_methods);
685 if (n == 0)
686 fprintf(stderr, " NONE\n");
687 else
688 for (j = 0; j < n; j++)
689 {
690 SSL_COMP *c = sk_SSL_COMP_value(ssl_comp_methods, j);
691 fprintf(stderr, " %d: %s\n", c->id, c->name);
692 }
693 }
694 #endif
695
696 #if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
697 if (ssl2)
698 meth=SSLv2_method();
699 else
700 if (tls1)
701 meth=TLSv1_method();
702 else
703 if (ssl3)
704 meth=SSLv3_method();
705 else
706 meth=SSLv23_method();
707 #else
708 #ifdef OPENSSL_NO_SSL2
709 meth=SSLv3_method();
710 #else
711 meth=SSLv2_method();
712 #endif
713 #endif
714
715 c_ctx=SSL_CTX_new(meth);
716 s_ctx=SSL_CTX_new(meth);
717 if ((c_ctx == NULL) || (s_ctx == NULL))
718 {
719 ERR_print_errors(bio_err);
720 goto end;
721 }
722
723 if (cipher != NULL)
724 {
725 SSL_CTX_set_cipher_list(c_ctx,cipher);
726 SSL_CTX_set_cipher_list(s_ctx,cipher);
727 }
728
729 #ifndef OPENSSL_NO_DH
730 if (!no_dhe)
731 {
732 if (dhe1024dsa)
733 {
734 /* use SSL_OP_SINGLE_DH_USE to avoid small subgroup attacks */
735 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);
736 dh=get_dh1024dsa();
737 }
738 else if (dhe1024)
739 dh=get_dh1024();
740 else
741 dh=get_dh512();
742 SSL_CTX_set_tmp_dh(s_ctx,dh);
743 DH_free(dh);
744 }
745 #else
746 (void)no_dhe;
747 #endif
748
749 #ifndef OPENSSL_NO_ECDH
750 if (!no_ecdhe)
751 {
752 int nid;
753
754 if (named_curve != NULL)
755 {
756 nid = OBJ_sn2nid(named_curve);
757 if (nid == 0)
758 {
759 BIO_printf(bio_err, "unknown curve name (%s)\n", named_curve);
760 goto end;
761 }
762 }
763 else
764 nid = NID_sect163r2;
765
766 ecdh = EC_KEY_new_by_curve_name(nid);
767 if (ecdh == NULL)
768 {
769 BIO_printf(bio_err, "unable to create curve\n");
770 goto end;
771 }
772
773 SSL_CTX_set_tmp_ecdh(s_ctx, ecdh);
774 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_ECDH_USE);
775 EC_KEY_free(ecdh);
776 }
777 #else
778 (void)no_ecdhe;
779 #endif
780
781 #ifndef OPENSSL_NO_RSA
782 SSL_CTX_set_tmp_rsa_callback(s_ctx,tmp_rsa_cb);
783 #endif
784
785 if (!SSL_CTX_use_certificate_file(s_ctx,server_cert,SSL_FILETYPE_PEM))
786 {
787 ERR_print_errors(bio_err);
788 }
789 else if (!SSL_CTX_use_PrivateKey_file(s_ctx,
790 (server_key?server_key:server_cert), SSL_FILETYPE_PEM))
791 {
792 ERR_print_errors(bio_err);
793 goto end;
794 }
795
796 if (client_auth)
797 {
798 SSL_CTX_use_certificate_file(c_ctx,client_cert,
799 SSL_FILETYPE_PEM);
800 SSL_CTX_use_PrivateKey_file(c_ctx,
801 (client_key?client_key:client_cert),
802 SSL_FILETYPE_PEM);
803 }
804
805 if ( (!SSL_CTX_load_verify_locations(s_ctx,CAfile,CApath)) ||
806 (!SSL_CTX_set_default_verify_paths(s_ctx)) ||
807 (!SSL_CTX_load_verify_locations(c_ctx,CAfile,CApath)) ||
808 (!SSL_CTX_set_default_verify_paths(c_ctx)))
809 {
810 /* fprintf(stderr,"SSL_load_verify_locations\n"); */
811 ERR_print_errors(bio_err);
812 /* goto end; */
813 }
814
815 if (client_auth)
816 {
817 BIO_printf(bio_err,"client authentication\n");
818 SSL_CTX_set_verify(s_ctx,
819 SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
820 verify_callback);
821 SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, &app_verify_arg);
822 }
823 if (server_auth)
824 {
825 BIO_printf(bio_err,"server authentication\n");
826 SSL_CTX_set_verify(c_ctx,SSL_VERIFY_PEER,
827 verify_callback);
828 SSL_CTX_set_cert_verify_callback(c_ctx, app_verify_callback, &app_verify_arg);
829 }
830
831 {
832 int session_id_context = 0;
833 SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context, sizeof session_id_context);
834 }
835
836 c_ssl=SSL_new(c_ctx);
837 s_ssl=SSL_new(s_ctx);
838
839 #ifndef OPENSSL_NO_KRB5
840 if (c_ssl && c_ssl->kssl_ctx)
841 {
842 char localhost[MAXHOSTNAMELEN+2];
843
844 if (gethostname(localhost, sizeof localhost-1) == 0)
845 {
846 localhost[sizeof localhost-1]='\0';
847 if(strlen(localhost) == sizeof localhost-1)
848 {
849 BIO_printf(bio_err,"localhost name too long\n");
850 goto end;
851 }
852 kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER,
853 localhost);
854 }
855 }
856 #endif /* OPENSSL_NO_KRB5 */
857
858 for (i=0; i<number; i++)
859 {
860 if (!reuse) SSL_set_session(c_ssl,NULL);
861 if (bio_pair)
862 ret=doit_biopair(s_ssl,c_ssl,bytes,&s_time,&c_time);
863 else
864 ret=doit(s_ssl,c_ssl,bytes);
865 }
866
867 if (!verbose)
868 {
869 print_details(c_ssl, "");
870 }
871 if ((number > 1) || (bytes > 1L))
872 BIO_printf(bio_stdout, "%d handshakes of %ld bytes done\n",number,bytes);
873 if (print_time)
874 {
875 #ifdef CLOCKS_PER_SEC
876 /* "To determine the time in seconds, the value returned
877 * by the clock function should be divided by the value
878 * of the macro CLOCKS_PER_SEC."
879 * -- ISO/IEC 9899 */
880 BIO_printf(bio_stdout, "Approximate total server time: %6.2f s\n"
881 "Approximate total client time: %6.2f s\n",
882 (double)s_time/CLOCKS_PER_SEC,
883 (double)c_time/CLOCKS_PER_SEC);
884 #else
885 /* "`CLOCKS_PER_SEC' undeclared (first use this function)"
886 * -- cc on NeXTstep/OpenStep */
887 BIO_printf(bio_stdout,
888 "Approximate total server time: %6.2f units\n"
889 "Approximate total client time: %6.2f units\n",
890 (double)s_time,
891 (double)c_time);
892 #endif
893 }
894
895 SSL_free(s_ssl);
896 SSL_free(c_ssl);
897
898 end:
899 if (s_ctx != NULL) SSL_CTX_free(s_ctx);
900 if (c_ctx != NULL) SSL_CTX_free(c_ctx);
901
902 if (bio_stdout != NULL) BIO_free(bio_stdout);
903
904 #ifndef OPENSSL_NO_RSA
905 free_tmp_rsa();
906 #endif
907 #ifndef OPENSSL_NO_ENGINE
908 ENGINE_cleanup();
909 #endif
910 CRYPTO_cleanup_all_ex_data();
911 ERR_free_strings();
912 ERR_remove_state(0);
913 EVP_cleanup();
914 CRYPTO_mem_leaks(bio_err);
915 if (bio_err != NULL) BIO_free(bio_err);
916 EXIT(ret);
917 return ret;
918 }
919
doit_biopair(SSL * s_ssl,SSL * c_ssl,long count,clock_t * s_time,clock_t * c_time)920 int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count,
921 clock_t *s_time, clock_t *c_time)
922 {
923 long cw_num = count, cr_num = count, sw_num = count, sr_num = count;
924 BIO *s_ssl_bio = NULL, *c_ssl_bio = NULL;
925 BIO *server = NULL, *server_io = NULL, *client = NULL, *client_io = NULL;
926 int ret = 1;
927
928 size_t bufsiz = 256; /* small buffer for testing */
929
930 if (!BIO_new_bio_pair(&server, bufsiz, &server_io, bufsiz))
931 goto err;
932 if (!BIO_new_bio_pair(&client, bufsiz, &client_io, bufsiz))
933 goto err;
934
935 s_ssl_bio = BIO_new(BIO_f_ssl());
936 if (!s_ssl_bio)
937 goto err;
938
939 c_ssl_bio = BIO_new(BIO_f_ssl());
940 if (!c_ssl_bio)
941 goto err;
942
943 SSL_set_connect_state(c_ssl);
944 SSL_set_bio(c_ssl, client, client);
945 (void)BIO_set_ssl(c_ssl_bio, c_ssl, BIO_NOCLOSE);
946
947 SSL_set_accept_state(s_ssl);
948 SSL_set_bio(s_ssl, server, server);
949 (void)BIO_set_ssl(s_ssl_bio, s_ssl, BIO_NOCLOSE);
950
951 do
952 {
953 /* c_ssl_bio: SSL filter BIO
954 *
955 * client: pseudo-I/O for SSL library
956 *
957 * client_io: client's SSL communication; usually to be
958 * relayed over some I/O facility, but in this
959 * test program, we're the server, too:
960 *
961 * server_io: server's SSL communication
962 *
963 * server: pseudo-I/O for SSL library
964 *
965 * s_ssl_bio: SSL filter BIO
966 *
967 * The client and the server each employ a "BIO pair":
968 * client + client_io, server + server_io.
969 * BIO pairs are symmetric. A BIO pair behaves similar
970 * to a non-blocking socketpair (but both endpoints must
971 * be handled by the same thread).
972 * [Here we could connect client and server to the ends
973 * of a single BIO pair, but then this code would be less
974 * suitable as an example for BIO pairs in general.]
975 *
976 * Useful functions for querying the state of BIO pair endpoints:
977 *
978 * BIO_ctrl_pending(bio) number of bytes we can read now
979 * BIO_ctrl_get_read_request(bio) number of bytes needed to fulfil
980 * other side's read attempt
981 * BIO_ctrl_get_write_guarantee(bio) number of bytes we can write now
982 *
983 * ..._read_request is never more than ..._write_guarantee;
984 * it depends on the application which one you should use.
985 */
986
987 /* We have non-blocking behaviour throughout this test program, but
988 * can be sure that there is *some* progress in each iteration; so
989 * we don't have to worry about ..._SHOULD_READ or ..._SHOULD_WRITE
990 * -- we just try everything in each iteration
991 */
992
993 {
994 /* CLIENT */
995
996 MS_STATIC char cbuf[1024*8];
997 int i, r;
998 clock_t c_clock = clock();
999
1000 memset(cbuf, 0, sizeof(cbuf));
1001
1002 if (debug)
1003 if (SSL_in_init(c_ssl))
1004 printf("client waiting in SSL_connect - %s\n",
1005 SSL_state_string_long(c_ssl));
1006
1007 if (cw_num > 0)
1008 {
1009 /* Write to server. */
1010
1011 if (cw_num > (long)sizeof cbuf)
1012 i = sizeof cbuf;
1013 else
1014 i = (int)cw_num;
1015 r = BIO_write(c_ssl_bio, cbuf, i);
1016 if (r < 0)
1017 {
1018 if (!BIO_should_retry(c_ssl_bio))
1019 {
1020 fprintf(stderr,"ERROR in CLIENT\n");
1021 goto err;
1022 }
1023 /* BIO_should_retry(...) can just be ignored here.
1024 * The library expects us to call BIO_write with
1025 * the same arguments again, and that's what we will
1026 * do in the next iteration. */
1027 }
1028 else if (r == 0)
1029 {
1030 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1031 goto err;
1032 }
1033 else
1034 {
1035 if (debug)
1036 printf("client wrote %d\n", r);
1037 cw_num -= r;
1038 }
1039 }
1040
1041 if (cr_num > 0)
1042 {
1043 /* Read from server. */
1044
1045 r = BIO_read(c_ssl_bio, cbuf, sizeof(cbuf));
1046 if (r < 0)
1047 {
1048 if (!BIO_should_retry(c_ssl_bio))
1049 {
1050 fprintf(stderr,"ERROR in CLIENT\n");
1051 goto err;
1052 }
1053 /* Again, "BIO_should_retry" can be ignored. */
1054 }
1055 else if (r == 0)
1056 {
1057 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1058 goto err;
1059 }
1060 else
1061 {
1062 if (debug)
1063 printf("client read %d\n", r);
1064 cr_num -= r;
1065 }
1066 }
1067
1068 /* c_time and s_time increments will typically be very small
1069 * (depending on machine speed and clock tick intervals),
1070 * but sampling over a large number of connections should
1071 * result in fairly accurate figures. We cannot guarantee
1072 * a lot, however -- if each connection lasts for exactly
1073 * one clock tick, it will be counted only for the client
1074 * or only for the server or even not at all.
1075 */
1076 *c_time += (clock() - c_clock);
1077 }
1078
1079 {
1080 /* SERVER */
1081
1082 MS_STATIC char sbuf[1024*8];
1083 int i, r;
1084 clock_t s_clock = clock();
1085
1086 memset(sbuf, 0, sizeof(sbuf));
1087
1088 if (debug)
1089 if (SSL_in_init(s_ssl))
1090 printf("server waiting in SSL_accept - %s\n",
1091 SSL_state_string_long(s_ssl));
1092
1093 if (sw_num > 0)
1094 {
1095 /* Write to client. */
1096
1097 if (sw_num > (long)sizeof sbuf)
1098 i = sizeof sbuf;
1099 else
1100 i = (int)sw_num;
1101 r = BIO_write(s_ssl_bio, sbuf, i);
1102 if (r < 0)
1103 {
1104 if (!BIO_should_retry(s_ssl_bio))
1105 {
1106 fprintf(stderr,"ERROR in SERVER\n");
1107 goto err;
1108 }
1109 /* Ignore "BIO_should_retry". */
1110 }
1111 else if (r == 0)
1112 {
1113 fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
1114 goto err;
1115 }
1116 else
1117 {
1118 if (debug)
1119 printf("server wrote %d\n", r);
1120 sw_num -= r;
1121 }
1122 }
1123
1124 if (sr_num > 0)
1125 {
1126 /* Read from client. */
1127
1128 r = BIO_read(s_ssl_bio, sbuf, sizeof(sbuf));
1129 if (r < 0)
1130 {
1131 if (!BIO_should_retry(s_ssl_bio))
1132 {
1133 fprintf(stderr,"ERROR in SERVER\n");
1134 goto err;
1135 }
1136 /* blah, blah */
1137 }
1138 else if (r == 0)
1139 {
1140 fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
1141 goto err;
1142 }
1143 else
1144 {
1145 if (debug)
1146 printf("server read %d\n", r);
1147 sr_num -= r;
1148 }
1149 }
1150
1151 *s_time += (clock() - s_clock);
1152 }
1153
1154 {
1155 /* "I/O" BETWEEN CLIENT AND SERVER. */
1156
1157 size_t r1, r2;
1158 BIO *io1 = server_io, *io2 = client_io;
1159 /* we use the non-copying interface for io1
1160 * and the standard BIO_write/BIO_read interface for io2
1161 */
1162
1163 static int prev_progress = 1;
1164 int progress = 0;
1165
1166 /* io1 to io2 */
1167 do
1168 {
1169 size_t num;
1170 int r;
1171
1172 r1 = BIO_ctrl_pending(io1);
1173 r2 = BIO_ctrl_get_write_guarantee(io2);
1174
1175 num = r1;
1176 if (r2 < num)
1177 num = r2;
1178 if (num)
1179 {
1180 char *dataptr;
1181
1182 if (INT_MAX < num) /* yeah, right */
1183 num = INT_MAX;
1184
1185 r = BIO_nread(io1, &dataptr, (int)num);
1186 assert(r > 0);
1187 assert(r <= (int)num);
1188 /* possibly r < num (non-contiguous data) */
1189 num = r;
1190 r = BIO_write(io2, dataptr, (int)num);
1191 if (r != (int)num) /* can't happen */
1192 {
1193 fprintf(stderr, "ERROR: BIO_write could not write "
1194 "BIO_ctrl_get_write_guarantee() bytes");
1195 goto err;
1196 }
1197 progress = 1;
1198
1199 if (debug)
1200 printf((io1 == client_io) ?
1201 "C->S relaying: %d bytes\n" :
1202 "S->C relaying: %d bytes\n",
1203 (int)num);
1204 }
1205 }
1206 while (r1 && r2);
1207
1208 /* io2 to io1 */
1209 {
1210 size_t num;
1211 int r;
1212
1213 r1 = BIO_ctrl_pending(io2);
1214 r2 = BIO_ctrl_get_read_request(io1);
1215 /* here we could use ..._get_write_guarantee instead of
1216 * ..._get_read_request, but by using the latter
1217 * we test restartability of the SSL implementation
1218 * more thoroughly */
1219 num = r1;
1220 if (r2 < num)
1221 num = r2;
1222 if (num)
1223 {
1224 char *dataptr;
1225
1226 if (INT_MAX < num)
1227 num = INT_MAX;
1228
1229 if (num > 1)
1230 --num; /* test restartability even more thoroughly */
1231
1232 r = BIO_nwrite0(io1, &dataptr);
1233 assert(r > 0);
1234 if (r < (int)num)
1235 num = r;
1236 r = BIO_read(io2, dataptr, (int)num);
1237 if (r != (int)num) /* can't happen */
1238 {
1239 fprintf(stderr, "ERROR: BIO_read could not read "
1240 "BIO_ctrl_pending() bytes");
1241 goto err;
1242 }
1243 progress = 1;
1244 r = BIO_nwrite(io1, &dataptr, (int)num);
1245 if (r != (int)num) /* can't happen */
1246 {
1247 fprintf(stderr, "ERROR: BIO_nwrite() did not accept "
1248 "BIO_nwrite0() bytes");
1249 goto err;
1250 }
1251
1252 if (debug)
1253 printf((io2 == client_io) ?
1254 "C->S relaying: %d bytes\n" :
1255 "S->C relaying: %d bytes\n",
1256 (int)num);
1257 }
1258 } /* no loop, BIO_ctrl_get_read_request now returns 0 anyway */
1259
1260 if (!progress && !prev_progress)
1261 if (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0)
1262 {
1263 fprintf(stderr, "ERROR: got stuck\n");
1264 if (strcmp("SSLv2", SSL_get_version(c_ssl)) == 0)
1265 {
1266 fprintf(stderr, "This can happen for SSL2 because "
1267 "CLIENT-FINISHED and SERVER-VERIFY are written \n"
1268 "concurrently ...");
1269 if (strncmp("2SCF", SSL_state_string(c_ssl), 4) == 0
1270 && strncmp("2SSV", SSL_state_string(s_ssl), 4) == 0)
1271 {
1272 fprintf(stderr, " ok.\n");
1273 goto end;
1274 }
1275 }
1276 fprintf(stderr, " ERROR.\n");
1277 goto err;
1278 }
1279 prev_progress = progress;
1280 }
1281 }
1282 while (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0);
1283
1284 if (verbose)
1285 print_details(c_ssl, "DONE via BIO pair: ");
1286 end:
1287 ret = 0;
1288
1289 err:
1290 ERR_print_errors(bio_err);
1291
1292 if (server)
1293 BIO_free(server);
1294 if (server_io)
1295 BIO_free(server_io);
1296 if (client)
1297 BIO_free(client);
1298 if (client_io)
1299 BIO_free(client_io);
1300 if (s_ssl_bio)
1301 BIO_free(s_ssl_bio);
1302 if (c_ssl_bio)
1303 BIO_free(c_ssl_bio);
1304
1305 return ret;
1306 }
1307
1308
1309 #define W_READ 1
1310 #define W_WRITE 2
1311 #define C_DONE 1
1312 #define S_DONE 2
1313
doit(SSL * s_ssl,SSL * c_ssl,long count)1314 int doit(SSL *s_ssl, SSL *c_ssl, long count)
1315 {
1316 MS_STATIC char cbuf[1024*8],sbuf[1024*8];
1317 long cw_num=count,cr_num=count;
1318 long sw_num=count,sr_num=count;
1319 int ret=1;
1320 BIO *c_to_s=NULL;
1321 BIO *s_to_c=NULL;
1322 BIO *c_bio=NULL;
1323 BIO *s_bio=NULL;
1324 int c_r,c_w,s_r,s_w;
1325 int c_want,s_want;
1326 int i,j;
1327 int done=0;
1328 int c_write,s_write;
1329 int do_server=0,do_client=0;
1330
1331 memset(cbuf,0,sizeof(cbuf));
1332 memset(sbuf,0,sizeof(sbuf));
1333
1334 c_to_s=BIO_new(BIO_s_mem());
1335 s_to_c=BIO_new(BIO_s_mem());
1336 if ((s_to_c == NULL) || (c_to_s == NULL))
1337 {
1338 ERR_print_errors(bio_err);
1339 goto err;
1340 }
1341
1342 c_bio=BIO_new(BIO_f_ssl());
1343 s_bio=BIO_new(BIO_f_ssl());
1344 if ((c_bio == NULL) || (s_bio == NULL))
1345 {
1346 ERR_print_errors(bio_err);
1347 goto err;
1348 }
1349
1350 SSL_set_connect_state(c_ssl);
1351 SSL_set_bio(c_ssl,s_to_c,c_to_s);
1352 BIO_set_ssl(c_bio,c_ssl,BIO_NOCLOSE);
1353
1354 SSL_set_accept_state(s_ssl);
1355 SSL_set_bio(s_ssl,c_to_s,s_to_c);
1356 BIO_set_ssl(s_bio,s_ssl,BIO_NOCLOSE);
1357
1358 c_r=0; s_r=1;
1359 c_w=1; s_w=0;
1360 c_want=W_WRITE;
1361 s_want=0;
1362 c_write=1,s_write=0;
1363
1364 /* We can always do writes */
1365 for (;;)
1366 {
1367 do_server=0;
1368 do_client=0;
1369
1370 i=(int)BIO_pending(s_bio);
1371 if ((i && s_r) || s_w) do_server=1;
1372
1373 i=(int)BIO_pending(c_bio);
1374 if ((i && c_r) || c_w) do_client=1;
1375
1376 if (do_server && debug)
1377 {
1378 if (SSL_in_init(s_ssl))
1379 printf("server waiting in SSL_accept - %s\n",
1380 SSL_state_string_long(s_ssl));
1381 /* else if (s_write)
1382 printf("server:SSL_write()\n");
1383 else
1384 printf("server:SSL_read()\n"); */
1385 }
1386
1387 if (do_client && debug)
1388 {
1389 if (SSL_in_init(c_ssl))
1390 printf("client waiting in SSL_connect - %s\n",
1391 SSL_state_string_long(c_ssl));
1392 /* else if (c_write)
1393 printf("client:SSL_write()\n");
1394 else
1395 printf("client:SSL_read()\n"); */
1396 }
1397
1398 if (!do_client && !do_server)
1399 {
1400 fprintf(stdout,"ERROR IN STARTUP\n");
1401 ERR_print_errors(bio_err);
1402 break;
1403 }
1404 if (do_client && !(done & C_DONE))
1405 {
1406 if (c_write)
1407 {
1408 j = (cw_num > (long)sizeof(cbuf)) ?
1409 (int)sizeof(cbuf) : (int)cw_num;
1410 i=BIO_write(c_bio,cbuf,j);
1411 if (i < 0)
1412 {
1413 c_r=0;
1414 c_w=0;
1415 if (BIO_should_retry(c_bio))
1416 {
1417 if (BIO_should_read(c_bio))
1418 c_r=1;
1419 if (BIO_should_write(c_bio))
1420 c_w=1;
1421 }
1422 else
1423 {
1424 fprintf(stderr,"ERROR in CLIENT\n");
1425 ERR_print_errors(bio_err);
1426 goto err;
1427 }
1428 }
1429 else if (i == 0)
1430 {
1431 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1432 goto err;
1433 }
1434 else
1435 {
1436 if (debug)
1437 printf("client wrote %d\n",i);
1438 /* ok */
1439 s_r=1;
1440 c_write=0;
1441 cw_num-=i;
1442 }
1443 }
1444 else
1445 {
1446 i=BIO_read(c_bio,cbuf,sizeof(cbuf));
1447 if (i < 0)
1448 {
1449 c_r=0;
1450 c_w=0;
1451 if (BIO_should_retry(c_bio))
1452 {
1453 if (BIO_should_read(c_bio))
1454 c_r=1;
1455 if (BIO_should_write(c_bio))
1456 c_w=1;
1457 }
1458 else
1459 {
1460 fprintf(stderr,"ERROR in CLIENT\n");
1461 ERR_print_errors(bio_err);
1462 goto err;
1463 }
1464 }
1465 else if (i == 0)
1466 {
1467 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1468 goto err;
1469 }
1470 else
1471 {
1472 if (debug)
1473 printf("client read %d\n",i);
1474 cr_num-=i;
1475 if (sw_num > 0)
1476 {
1477 s_write=1;
1478 s_w=1;
1479 }
1480 if (cr_num <= 0)
1481 {
1482 s_write=1;
1483 s_w=1;
1484 done=S_DONE|C_DONE;
1485 }
1486 }
1487 }
1488 }
1489
1490 if (do_server && !(done & S_DONE))
1491 {
1492 if (!s_write)
1493 {
1494 i=BIO_read(s_bio,sbuf,sizeof(cbuf));
1495 if (i < 0)
1496 {
1497 s_r=0;
1498 s_w=0;
1499 if (BIO_should_retry(s_bio))
1500 {
1501 if (BIO_should_read(s_bio))
1502 s_r=1;
1503 if (BIO_should_write(s_bio))
1504 s_w=1;
1505 }
1506 else
1507 {
1508 fprintf(stderr,"ERROR in SERVER\n");
1509 ERR_print_errors(bio_err);
1510 goto err;
1511 }
1512 }
1513 else if (i == 0)
1514 {
1515 ERR_print_errors(bio_err);
1516 fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_read\n");
1517 goto err;
1518 }
1519 else
1520 {
1521 if (debug)
1522 printf("server read %d\n",i);
1523 sr_num-=i;
1524 if (cw_num > 0)
1525 {
1526 c_write=1;
1527 c_w=1;
1528 }
1529 if (sr_num <= 0)
1530 {
1531 s_write=1;
1532 s_w=1;
1533 c_write=0;
1534 }
1535 }
1536 }
1537 else
1538 {
1539 j = (sw_num > (long)sizeof(sbuf)) ?
1540 (int)sizeof(sbuf) : (int)sw_num;
1541 i=BIO_write(s_bio,sbuf,j);
1542 if (i < 0)
1543 {
1544 s_r=0;
1545 s_w=0;
1546 if (BIO_should_retry(s_bio))
1547 {
1548 if (BIO_should_read(s_bio))
1549 s_r=1;
1550 if (BIO_should_write(s_bio))
1551 s_w=1;
1552 }
1553 else
1554 {
1555 fprintf(stderr,"ERROR in SERVER\n");
1556 ERR_print_errors(bio_err);
1557 goto err;
1558 }
1559 }
1560 else if (i == 0)
1561 {
1562 ERR_print_errors(bio_err);
1563 fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_write\n");
1564 goto err;
1565 }
1566 else
1567 {
1568 if (debug)
1569 printf("server wrote %d\n",i);
1570 sw_num-=i;
1571 s_write=0;
1572 c_r=1;
1573 if (sw_num <= 0)
1574 done|=S_DONE;
1575 }
1576 }
1577 }
1578
1579 if ((done & S_DONE) && (done & C_DONE)) break;
1580 }
1581
1582 if (verbose)
1583 print_details(c_ssl, "DONE: ");
1584 ret=0;
1585 err:
1586 /* We have to set the BIO's to NULL otherwise they will be
1587 * OPENSSL_free()ed twice. Once when th s_ssl is SSL_free()ed and
1588 * again when c_ssl is SSL_free()ed.
1589 * This is a hack required because s_ssl and c_ssl are sharing the same
1590 * BIO structure and SSL_set_bio() and SSL_free() automatically
1591 * BIO_free non NULL entries.
1592 * You should not normally do this or be required to do this */
1593 if (s_ssl != NULL)
1594 {
1595 s_ssl->rbio=NULL;
1596 s_ssl->wbio=NULL;
1597 }
1598 if (c_ssl != NULL)
1599 {
1600 c_ssl->rbio=NULL;
1601 c_ssl->wbio=NULL;
1602 }
1603
1604 if (c_to_s != NULL) BIO_free(c_to_s);
1605 if (s_to_c != NULL) BIO_free(s_to_c);
1606 if (c_bio != NULL) BIO_free_all(c_bio);
1607 if (s_bio != NULL) BIO_free_all(s_bio);
1608 return(ret);
1609 }
1610
get_proxy_auth_ex_data_idx(void)1611 static int get_proxy_auth_ex_data_idx(void)
1612 {
1613 static volatile int idx = -1;
1614 if (idx < 0)
1615 {
1616 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
1617 if (idx < 0)
1618 {
1619 idx = X509_STORE_CTX_get_ex_new_index(0,
1620 "SSLtest for verify callback", NULL,NULL,NULL);
1621 }
1622 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
1623 }
1624 return idx;
1625 }
1626
verify_callback(int ok,X509_STORE_CTX * ctx)1627 static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
1628 {
1629 char *s,buf[256];
1630
1631 s=X509_NAME_oneline(X509_get_subject_name(ctx->current_cert),buf,
1632 sizeof buf);
1633 if (s != NULL)
1634 {
1635 if (ok)
1636 fprintf(stderr,"depth=%d %s\n",
1637 ctx->error_depth,buf);
1638 else
1639 {
1640 fprintf(stderr,"depth=%d error=%d %s\n",
1641 ctx->error_depth,ctx->error,buf);
1642 }
1643 }
1644
1645 if (ok == 0)
1646 {
1647 fprintf(stderr,"Error string: %s\n",
1648 X509_verify_cert_error_string(ctx->error));
1649 switch (ctx->error)
1650 {
1651 case X509_V_ERR_CERT_NOT_YET_VALID:
1652 case X509_V_ERR_CERT_HAS_EXPIRED:
1653 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
1654 fprintf(stderr," ... ignored.\n");
1655 ok=1;
1656 }
1657 }
1658
1659 if (ok == 1)
1660 {
1661 X509 *xs = ctx->current_cert;
1662 #if 0
1663 X509 *xi = ctx->current_issuer;
1664 #endif
1665
1666 if (xs->ex_flags & EXFLAG_PROXY)
1667 {
1668 unsigned int *letters =
1669 X509_STORE_CTX_get_ex_data(ctx,
1670 get_proxy_auth_ex_data_idx());
1671
1672 if (letters)
1673 {
1674 int found_any = 0;
1675 int i;
1676 PROXY_CERT_INFO_EXTENSION *pci =
1677 X509_get_ext_d2i(xs, NID_proxyCertInfo,
1678 NULL, NULL);
1679
1680 switch (OBJ_obj2nid(pci->proxyPolicy->policyLanguage))
1681 {
1682 case NID_Independent:
1683 /* Completely meaningless in this
1684 program, as there's no way to
1685 grant explicit rights to a
1686 specific PrC. Basically, using
1687 id-ppl-Independent is the perfect
1688 way to grant no rights at all. */
1689 fprintf(stderr, " Independent proxy certificate");
1690 for (i = 0; i < 26; i++)
1691 letters[i] = 0;
1692 break;
1693 case NID_id_ppl_inheritAll:
1694 /* This is basically a NOP, we
1695 simply let the current rights
1696 stand as they are. */
1697 fprintf(stderr, " Proxy certificate inherits all");
1698 break;
1699 default:
1700 s = (char *)
1701 pci->proxyPolicy->policy->data;
1702 i = pci->proxyPolicy->policy->length;
1703
1704 /* The algorithm works as follows:
1705 it is assumed that previous
1706 iterations or the initial granted
1707 rights has already set some elements
1708 of `letters'. What we need to do is
1709 to clear those that weren't granted
1710 by the current PrC as well. The
1711 easiest way to do this is to add 1
1712 to all the elements whose letters
1713 are given with the current policy.
1714 That way, all elements that are set
1715 by the current policy and were
1716 already set by earlier policies and
1717 through the original grant of rights
1718 will get the value 2 or higher.
1719 The last thing to do is to sweep
1720 through `letters' and keep the
1721 elements having the value 2 as set,
1722 and clear all the others. */
1723
1724 fprintf(stderr, " Certificate proxy rights = %*.*s", i, i, s);
1725 while(i-- > 0)
1726 {
1727 int c = *s++;
1728 if (isascii(c) && isalpha(c))
1729 {
1730 if (islower(c))
1731 c = toupper(c);
1732 letters[c - 'A']++;
1733 }
1734 }
1735 for (i = 0; i < 26; i++)
1736 if (letters[i] < 2)
1737 letters[i] = 0;
1738 else
1739 letters[i] = 1;
1740 }
1741
1742 found_any = 0;
1743 fprintf(stderr,
1744 ", resulting proxy rights = ");
1745 for(i = 0; i < 26; i++)
1746 if (letters[i])
1747 {
1748 fprintf(stderr, "%c", i + 'A');
1749 found_any = 1;
1750 }
1751 if (!found_any)
1752 fprintf(stderr, "none");
1753 fprintf(stderr, "\n");
1754
1755 PROXY_CERT_INFO_EXTENSION_free(pci);
1756 }
1757 }
1758 }
1759
1760 return(ok);
1761 }
1762
process_proxy_debug(int indent,const char * format,...)1763 static void process_proxy_debug(int indent, const char *format, ...)
1764 {
1765 static const char indentation[] =
1766 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
1767 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"; /* That's 80 > */
1768 char my_format[256];
1769 va_list args;
1770
1771 BIO_snprintf(my_format, sizeof(my_format), "%*.*s %s",
1772 indent, indent, indentation, format);
1773
1774 va_start(args, format);
1775 vfprintf(stderr, my_format, args);
1776 va_end(args);
1777 }
1778 /* Priority levels:
1779 0 [!]var, ()
1780 1 & ^
1781 2 |
1782 */
1783 static int process_proxy_cond_adders(unsigned int letters[26],
1784 const char *cond, const char **cond_end, int *pos, int indent);
process_proxy_cond_val(unsigned int letters[26],const char * cond,const char ** cond_end,int * pos,int indent)1785 static int process_proxy_cond_val(unsigned int letters[26],
1786 const char *cond, const char **cond_end, int *pos, int indent)
1787 {
1788 int c;
1789 int ok = 1;
1790 int negate = 0;
1791
1792 while(isspace((int)*cond))
1793 {
1794 cond++; (*pos)++;
1795 }
1796 c = *cond;
1797
1798 if (debug)
1799 process_proxy_debug(indent,
1800 "Start process_proxy_cond_val at position %d: %s\n",
1801 *pos, cond);
1802
1803 while(c == '!')
1804 {
1805 negate = !negate;
1806 cond++; (*pos)++;
1807 while(isspace((int)*cond))
1808 {
1809 cond++; (*pos)++;
1810 }
1811 c = *cond;
1812 }
1813
1814 if (c == '(')
1815 {
1816 cond++; (*pos)++;
1817 ok = process_proxy_cond_adders(letters, cond, cond_end, pos,
1818 indent + 1);
1819 cond = *cond_end;
1820 if (ok < 0)
1821 goto end;
1822 while(isspace((int)*cond))
1823 {
1824 cond++; (*pos)++;
1825 }
1826 c = *cond;
1827 if (c != ')')
1828 {
1829 fprintf(stderr,
1830 "Weird condition character in position %d: "
1831 "%c\n", *pos, c);
1832 ok = -1;
1833 goto end;
1834 }
1835 cond++; (*pos)++;
1836 }
1837 else if (isascii(c) && isalpha(c))
1838 {
1839 if (islower(c))
1840 c = toupper(c);
1841 ok = letters[c - 'A'];
1842 cond++; (*pos)++;
1843 }
1844 else
1845 {
1846 fprintf(stderr,
1847 "Weird condition character in position %d: "
1848 "%c\n", *pos, c);
1849 ok = -1;
1850 goto end;
1851 }
1852 end:
1853 *cond_end = cond;
1854 if (ok >= 0 && negate)
1855 ok = !ok;
1856
1857 if (debug)
1858 process_proxy_debug(indent,
1859 "End process_proxy_cond_val at position %d: %s, returning %d\n",
1860 *pos, cond, ok);
1861
1862 return ok;
1863 }
process_proxy_cond_multipliers(unsigned int letters[26],const char * cond,const char ** cond_end,int * pos,int indent)1864 static int process_proxy_cond_multipliers(unsigned int letters[26],
1865 const char *cond, const char **cond_end, int *pos, int indent)
1866 {
1867 int ok;
1868 char c;
1869
1870 if (debug)
1871 process_proxy_debug(indent,
1872 "Start process_proxy_cond_multipliers at position %d: %s\n",
1873 *pos, cond);
1874
1875 ok = process_proxy_cond_val(letters, cond, cond_end, pos, indent + 1);
1876 cond = *cond_end;
1877 if (ok < 0)
1878 goto end;
1879
1880 while(ok >= 0)
1881 {
1882 while(isspace((int)*cond))
1883 {
1884 cond++; (*pos)++;
1885 }
1886 c = *cond;
1887
1888 switch(c)
1889 {
1890 case '&':
1891 case '^':
1892 {
1893 int save_ok = ok;
1894
1895 cond++; (*pos)++;
1896 ok = process_proxy_cond_val(letters,
1897 cond, cond_end, pos, indent + 1);
1898 cond = *cond_end;
1899 if (ok < 0)
1900 break;
1901
1902 switch(c)
1903 {
1904 case '&':
1905 ok &= save_ok;
1906 break;
1907 case '^':
1908 ok ^= save_ok;
1909 break;
1910 default:
1911 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
1912 " STOPPING\n");
1913 EXIT(1);
1914 }
1915 }
1916 break;
1917 default:
1918 goto end;
1919 }
1920 }
1921 end:
1922 if (debug)
1923 process_proxy_debug(indent,
1924 "End process_proxy_cond_multipliers at position %d: %s, returning %d\n",
1925 *pos, cond, ok);
1926
1927 *cond_end = cond;
1928 return ok;
1929 }
process_proxy_cond_adders(unsigned int letters[26],const char * cond,const char ** cond_end,int * pos,int indent)1930 static int process_proxy_cond_adders(unsigned int letters[26],
1931 const char *cond, const char **cond_end, int *pos, int indent)
1932 {
1933 int ok;
1934 char c;
1935
1936 if (debug)
1937 process_proxy_debug(indent,
1938 "Start process_proxy_cond_adders at position %d: %s\n",
1939 *pos, cond);
1940
1941 ok = process_proxy_cond_multipliers(letters, cond, cond_end, pos,
1942 indent + 1);
1943 cond = *cond_end;
1944 if (ok < 0)
1945 goto end;
1946
1947 while(ok >= 0)
1948 {
1949 while(isspace((int)*cond))
1950 {
1951 cond++; (*pos)++;
1952 }
1953 c = *cond;
1954
1955 switch(c)
1956 {
1957 case '|':
1958 {
1959 int save_ok = ok;
1960
1961 cond++; (*pos)++;
1962 ok = process_proxy_cond_multipliers(letters,
1963 cond, cond_end, pos, indent + 1);
1964 cond = *cond_end;
1965 if (ok < 0)
1966 break;
1967
1968 switch(c)
1969 {
1970 case '|':
1971 ok |= save_ok;
1972 break;
1973 default:
1974 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
1975 " STOPPING\n");
1976 EXIT(1);
1977 }
1978 }
1979 break;
1980 default:
1981 goto end;
1982 }
1983 }
1984 end:
1985 if (debug)
1986 process_proxy_debug(indent,
1987 "End process_proxy_cond_adders at position %d: %s, returning %d\n",
1988 *pos, cond, ok);
1989
1990 *cond_end = cond;
1991 return ok;
1992 }
1993
process_proxy_cond(unsigned int letters[26],const char * cond,const char ** cond_end)1994 static int process_proxy_cond(unsigned int letters[26],
1995 const char *cond, const char **cond_end)
1996 {
1997 int pos = 1;
1998 return process_proxy_cond_adders(letters, cond, cond_end, &pos, 1);
1999 }
2000
app_verify_callback(X509_STORE_CTX * ctx,void * arg)2001 static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg)
2002 {
2003 int ok=1;
2004 struct app_verify_arg *cb_arg = arg;
2005 unsigned int letters[26]; /* only used with proxy_auth */
2006
2007 if (cb_arg->app_verify)
2008 {
2009 char *s = NULL,buf[256];
2010
2011 fprintf(stderr, "In app_verify_callback, allowing cert. ");
2012 fprintf(stderr, "Arg is: %s\n", cb_arg->string);
2013 fprintf(stderr, "Finished printing do we have a context? 0x%p a cert? 0x%p\n",
2014 (void *)ctx, (void *)ctx->cert);
2015 if (ctx->cert)
2016 s=X509_NAME_oneline(X509_get_subject_name(ctx->cert),buf,256);
2017 if (s != NULL)
2018 {
2019 fprintf(stderr,"cert depth=%d %s\n",ctx->error_depth,buf);
2020 }
2021 return(1);
2022 }
2023 if (cb_arg->proxy_auth)
2024 {
2025 int found_any = 0, i;
2026 char *sp;
2027
2028 for(i = 0; i < 26; i++)
2029 letters[i] = 0;
2030 for(sp = cb_arg->proxy_auth; *sp; sp++)
2031 {
2032 int c = *sp;
2033 if (isascii(c) && isalpha(c))
2034 {
2035 if (islower(c))
2036 c = toupper(c);
2037 letters[c - 'A'] = 1;
2038 }
2039 }
2040
2041 fprintf(stderr,
2042 " Initial proxy rights = ");
2043 for(i = 0; i < 26; i++)
2044 if (letters[i])
2045 {
2046 fprintf(stderr, "%c", i + 'A');
2047 found_any = 1;
2048 }
2049 if (!found_any)
2050 fprintf(stderr, "none");
2051 fprintf(stderr, "\n");
2052
2053 X509_STORE_CTX_set_ex_data(ctx,
2054 get_proxy_auth_ex_data_idx(),letters);
2055 }
2056 if (cb_arg->allow_proxy_certs)
2057 {
2058 X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
2059 }
2060
2061 #ifndef OPENSSL_NO_X509_VERIFY
2062 # ifdef OPENSSL_FIPS
2063 if(s->version == TLS1_VERSION)
2064 FIPS_allow_md5(1);
2065 # endif
2066 ok = X509_verify_cert(ctx);
2067 # ifdef OPENSSL_FIPS
2068 if(s->version == TLS1_VERSION)
2069 FIPS_allow_md5(0);
2070 # endif
2071 #endif
2072
2073 if (cb_arg->proxy_auth)
2074 {
2075 if (ok > 0)
2076 {
2077 const char *cond_end = NULL;
2078
2079 ok = process_proxy_cond(letters,
2080 cb_arg->proxy_cond, &cond_end);
2081
2082 if (ok < 0)
2083 EXIT(3);
2084 if (*cond_end)
2085 {
2086 fprintf(stderr, "Stopped processing condition before it's end.\n");
2087 ok = 0;
2088 }
2089 if (!ok)
2090 fprintf(stderr, "Proxy rights check with condition '%s' proved invalid\n",
2091 cb_arg->proxy_cond);
2092 else
2093 fprintf(stderr, "Proxy rights check with condition '%s' proved valid\n",
2094 cb_arg->proxy_cond);
2095 }
2096 }
2097 return(ok);
2098 }
2099
2100 #ifndef OPENSSL_NO_RSA
2101 static RSA *rsa_tmp=NULL;
2102
tmp_rsa_cb(SSL * s,int is_export,int keylength)2103 static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength)
2104 {
2105 BIGNUM *bn = NULL;
2106 if (rsa_tmp == NULL)
2107 {
2108 bn = BN_new();
2109 rsa_tmp = RSA_new();
2110 if(!bn || !rsa_tmp || !BN_set_word(bn, RSA_F4))
2111 {
2112 BIO_printf(bio_err, "Memory error...");
2113 goto end;
2114 }
2115 BIO_printf(bio_err,"Generating temp (%d bit) RSA key...",keylength);
2116 (void)BIO_flush(bio_err);
2117 if(!RSA_generate_key_ex(rsa_tmp,keylength,bn,NULL))
2118 {
2119 BIO_printf(bio_err, "Error generating key.");
2120 RSA_free(rsa_tmp);
2121 rsa_tmp = NULL;
2122 }
2123 end:
2124 BIO_printf(bio_err,"\n");
2125 (void)BIO_flush(bio_err);
2126 }
2127 if(bn) BN_free(bn);
2128 return(rsa_tmp);
2129 }
2130
free_tmp_rsa(void)2131 static void free_tmp_rsa(void)
2132 {
2133 if (rsa_tmp != NULL)
2134 {
2135 RSA_free(rsa_tmp);
2136 rsa_tmp = NULL;
2137 }
2138 }
2139 #endif
2140
2141 #ifndef OPENSSL_NO_DH
2142 /* These DH parameters have been generated as follows:
2143 * $ openssl dhparam -C -noout 512
2144 * $ openssl dhparam -C -noout 1024
2145 * $ openssl dhparam -C -noout -dsaparam 1024
2146 * (The third function has been renamed to avoid name conflicts.)
2147 */
get_dh512()2148 static DH *get_dh512()
2149 {
2150 static unsigned char dh512_p[]={
2151 0xCB,0xC8,0xE1,0x86,0xD0,0x1F,0x94,0x17,0xA6,0x99,0xF0,0xC6,
2152 0x1F,0x0D,0xAC,0xB6,0x25,0x3E,0x06,0x39,0xCA,0x72,0x04,0xB0,
2153 0x6E,0xDA,0xC0,0x61,0xE6,0x7A,0x77,0x25,0xE8,0x3B,0xB9,0x5F,
2154 0x9A,0xB6,0xB5,0xFE,0x99,0x0B,0xA1,0x93,0x4E,0x35,0x33,0xB8,
2155 0xE1,0xF1,0x13,0x4F,0x59,0x1A,0xD2,0x57,0xC0,0x26,0x21,0x33,
2156 0x02,0xC5,0xAE,0x23,
2157 };
2158 static unsigned char dh512_g[]={
2159 0x02,
2160 };
2161 DH *dh;
2162
2163 if ((dh=DH_new()) == NULL) return(NULL);
2164 dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
2165 dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
2166 if ((dh->p == NULL) || (dh->g == NULL))
2167 { DH_free(dh); return(NULL); }
2168 return(dh);
2169 }
2170
get_dh1024()2171 static DH *get_dh1024()
2172 {
2173 static unsigned char dh1024_p[]={
2174 0xF8,0x81,0x89,0x7D,0x14,0x24,0xC5,0xD1,0xE6,0xF7,0xBF,0x3A,
2175 0xE4,0x90,0xF4,0xFC,0x73,0xFB,0x34,0xB5,0xFA,0x4C,0x56,0xA2,
2176 0xEA,0xA7,0xE9,0xC0,0xC0,0xCE,0x89,0xE1,0xFA,0x63,0x3F,0xB0,
2177 0x6B,0x32,0x66,0xF1,0xD1,0x7B,0xB0,0x00,0x8F,0xCA,0x87,0xC2,
2178 0xAE,0x98,0x89,0x26,0x17,0xC2,0x05,0xD2,0xEC,0x08,0xD0,0x8C,
2179 0xFF,0x17,0x52,0x8C,0xC5,0x07,0x93,0x03,0xB1,0xF6,0x2F,0xB8,
2180 0x1C,0x52,0x47,0x27,0x1B,0xDB,0xD1,0x8D,0x9D,0x69,0x1D,0x52,
2181 0x4B,0x32,0x81,0xAA,0x7F,0x00,0xC8,0xDC,0xE6,0xD9,0xCC,0xC1,
2182 0x11,0x2D,0x37,0x34,0x6C,0xEA,0x02,0x97,0x4B,0x0E,0xBB,0xB1,
2183 0x71,0x33,0x09,0x15,0xFD,0xDD,0x23,0x87,0x07,0x5E,0x89,0xAB,
2184 0x6B,0x7C,0x5F,0xEC,0xA6,0x24,0xDC,0x53,
2185 };
2186 static unsigned char dh1024_g[]={
2187 0x02,
2188 };
2189 DH *dh;
2190
2191 if ((dh=DH_new()) == NULL) return(NULL);
2192 dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
2193 dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
2194 if ((dh->p == NULL) || (dh->g == NULL))
2195 { DH_free(dh); return(NULL); }
2196 return(dh);
2197 }
2198
get_dh1024dsa()2199 static DH *get_dh1024dsa()
2200 {
2201 static unsigned char dh1024_p[]={
2202 0xC8,0x00,0xF7,0x08,0x07,0x89,0x4D,0x90,0x53,0xF3,0xD5,0x00,
2203 0x21,0x1B,0xF7,0x31,0xA6,0xA2,0xDA,0x23,0x9A,0xC7,0x87,0x19,
2204 0x3B,0x47,0xB6,0x8C,0x04,0x6F,0xFF,0xC6,0x9B,0xB8,0x65,0xD2,
2205 0xC2,0x5F,0x31,0x83,0x4A,0xA7,0x5F,0x2F,0x88,0x38,0xB6,0x55,
2206 0xCF,0xD9,0x87,0x6D,0x6F,0x9F,0xDA,0xAC,0xA6,0x48,0xAF,0xFC,
2207 0x33,0x84,0x37,0x5B,0x82,0x4A,0x31,0x5D,0xE7,0xBD,0x52,0x97,
2208 0xA1,0x77,0xBF,0x10,0x9E,0x37,0xEA,0x64,0xFA,0xCA,0x28,0x8D,
2209 0x9D,0x3B,0xD2,0x6E,0x09,0x5C,0x68,0xC7,0x45,0x90,0xFD,0xBB,
2210 0x70,0xC9,0x3A,0xBB,0xDF,0xD4,0x21,0x0F,0xC4,0x6A,0x3C,0xF6,
2211 0x61,0xCF,0x3F,0xD6,0x13,0xF1,0x5F,0xBC,0xCF,0xBC,0x26,0x9E,
2212 0xBC,0x0B,0xBD,0xAB,0x5D,0xC9,0x54,0x39,
2213 };
2214 static unsigned char dh1024_g[]={
2215 0x3B,0x40,0x86,0xE7,0xF3,0x6C,0xDE,0x67,0x1C,0xCC,0x80,0x05,
2216 0x5A,0xDF,0xFE,0xBD,0x20,0x27,0x74,0x6C,0x24,0xC9,0x03,0xF3,
2217 0xE1,0x8D,0xC3,0x7D,0x98,0x27,0x40,0x08,0xB8,0x8C,0x6A,0xE9,
2218 0xBB,0x1A,0x3A,0xD6,0x86,0x83,0x5E,0x72,0x41,0xCE,0x85,0x3C,
2219 0xD2,0xB3,0xFC,0x13,0xCE,0x37,0x81,0x9E,0x4C,0x1C,0x7B,0x65,
2220 0xD3,0xE6,0xA6,0x00,0xF5,0x5A,0x95,0x43,0x5E,0x81,0xCF,0x60,
2221 0xA2,0x23,0xFC,0x36,0xA7,0x5D,0x7A,0x4C,0x06,0x91,0x6E,0xF6,
2222 0x57,0xEE,0x36,0xCB,0x06,0xEA,0xF5,0x3D,0x95,0x49,0xCB,0xA7,
2223 0xDD,0x81,0xDF,0x80,0x09,0x4A,0x97,0x4D,0xA8,0x22,0x72,0xA1,
2224 0x7F,0xC4,0x70,0x56,0x70,0xE8,0x20,0x10,0x18,0x8F,0x2E,0x60,
2225 0x07,0xE7,0x68,0x1A,0x82,0x5D,0x32,0xA2,
2226 };
2227 DH *dh;
2228
2229 if ((dh=DH_new()) == NULL) return(NULL);
2230 dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
2231 dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
2232 if ((dh->p == NULL) || (dh->g == NULL))
2233 { DH_free(dh); return(NULL); }
2234 dh->length = 160;
2235 return(dh);
2236 }
2237 #endif
2238
do_test_cipherlist(void)2239 static int do_test_cipherlist(void)
2240 {
2241 int i = 0;
2242 const SSL_METHOD *meth;
2243 SSL_CIPHER *ci, *tci = NULL;
2244
2245 #ifndef OPENSSL_NO_SSL2
2246 fprintf(stderr, "testing SSLv2 cipher list order: ");
2247 meth = SSLv2_method();
2248 while ((ci = meth->get_cipher(i++)) != NULL)
2249 {
2250 if (tci != NULL)
2251 if (ci->id >= tci->id)
2252 {
2253 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2254 return 0;
2255 }
2256 tci = ci;
2257 }
2258 fprintf(stderr, "ok\n");
2259 #endif
2260 #ifndef OPENSSL_NO_SSL3
2261 fprintf(stderr, "testing SSLv3 cipher list order: ");
2262 meth = SSLv3_method();
2263 tci = NULL;
2264 while ((ci = meth->get_cipher(i++)) != NULL)
2265 {
2266 if (tci != NULL)
2267 if (ci->id >= tci->id)
2268 {
2269 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2270 return 0;
2271 }
2272 tci = ci;
2273 }
2274 fprintf(stderr, "ok\n");
2275 #endif
2276 #ifndef OPENSSL_NO_TLS1
2277 fprintf(stderr, "testing TLSv1 cipher list order: ");
2278 meth = TLSv1_method();
2279 tci = NULL;
2280 while ((ci = meth->get_cipher(i++)) != NULL)
2281 {
2282 if (tci != NULL)
2283 if (ci->id >= tci->id)
2284 {
2285 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2286 return 0;
2287 }
2288 tci = ci;
2289 }
2290 fprintf(stderr, "ok\n");
2291 #endif
2292
2293 return 1;
2294 }
2295