1 /* ssl/ssltest.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58 /* ====================================================================
59 * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111 /* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 * ECC cipher suite support in OpenSSL originally developed by
114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
115 */
116 /* ====================================================================
117 * Copyright 2005 Nokia. All rights reserved.
118 *
119 * The portions of the attached software ("Contribution") is developed by
120 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
121 * license.
122 *
123 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
124 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
125 * support (see RFC 4279) to OpenSSL.
126 *
127 * No patent licenses or other rights except those expressly stated in
128 * the OpenSSL open source license shall be deemed granted or received
129 * expressly, by implication, estoppel, or otherwise.
130 *
131 * No assurances are provided by Nokia that the Contribution does not
132 * infringe the patent or other intellectual property rights of any third
133 * party or that the license provides you with all the necessary rights
134 * to make use of the Contribution.
135 *
136 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
137 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
138 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
139 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
140 * OTHERWISE.
141 */
142
143 #define _BSD_SOURCE 1 /* Or gethostname won't be declared properly
144 on Linux and GNU platforms. */
145
146 #include <assert.h>
147 #include <errno.h>
148 #include <limits.h>
149 #include <stdio.h>
150 #include <stdlib.h>
151 #include <string.h>
152 #include <time.h>
153
154 #define USE_SOCKETS
155 #include "e_os.h"
156
157 #ifdef OPENSSL_SYS_VMS
158 #define _XOPEN_SOURCE 500 /* Or isascii won't be declared properly on
159 VMS (at least with DECompHP C). */
160 #endif
161
162 #include <ctype.h>
163
164 #include <openssl/bio.h>
165 #include <openssl/crypto.h>
166 #include <openssl/evp.h>
167 #include <openssl/x509.h>
168 #include <openssl/x509v3.h>
169 #include <openssl/ssl.h>
170 #ifndef OPENSSL_NO_ENGINE
171 #include <openssl/engine.h>
172 #endif
173 #include <openssl/err.h>
174 #include <openssl/rand.h>
175 #ifndef OPENSSL_NO_RSA
176 #include <openssl/rsa.h>
177 #endif
178 #ifndef OPENSSL_NO_DSA
179 #include <openssl/dsa.h>
180 #endif
181 #ifndef OPENSSL_NO_DH
182 #include <openssl/dh.h>
183 #endif
184 #ifndef OPENSSL_NO_SRP
185 #include <openssl/srp.h>
186 #endif
187 #include <openssl/bn.h>
188
189 #define _XOPEN_SOURCE_EXTENDED 1 /* Or gethostname won't be declared properly
190 on Compaq platforms (at least with DEC C).
191 Do not try to put it earlier, or IPv6 includes
192 get screwed...
193 */
194
195 #ifdef OPENSSL_SYS_WINDOWS
196 #include <winsock.h>
197 #else
198 #include OPENSSL_UNISTD
199 #endif
200
201 #ifdef OPENSSL_SYS_VMS
202 # define TEST_SERVER_CERT "SYS$DISK:[-.APPS]SERVER.PEM"
203 # define TEST_CLIENT_CERT "SYS$DISK:[-.APPS]CLIENT.PEM"
204 #elif defined(OPENSSL_SYS_WINCE)
205 # define TEST_SERVER_CERT "\\OpenSSL\\server.pem"
206 # define TEST_CLIENT_CERT "\\OpenSSL\\client.pem"
207 #elif defined(OPENSSL_SYS_NETWARE)
208 # define TEST_SERVER_CERT "\\openssl\\apps\\server.pem"
209 # define TEST_CLIENT_CERT "\\openssl\\apps\\client.pem"
210 #else
211 # define TEST_SERVER_CERT "../apps/server.pem"
212 # define TEST_CLIENT_CERT "../apps/client.pem"
213 #endif
214
215 /* There is really no standard for this, so let's assign some tentative
216 numbers. In any case, these numbers are only for this test */
217 #define COMP_RLE 255
218 #define COMP_ZLIB 1
219
220 static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
221 #ifndef OPENSSL_NO_RSA
222 static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export,int keylength);
223 static void free_tmp_rsa(void);
224 #endif
225 static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg);
226 #define APP_CALLBACK_STRING "Test Callback Argument"
227 struct app_verify_arg
228 {
229 char *string;
230 int app_verify;
231 int allow_proxy_certs;
232 char *proxy_auth;
233 char *proxy_cond;
234 };
235
236 #ifndef OPENSSL_NO_DH
237 static DH *get_dh512(void);
238 static DH *get_dh1024(void);
239 static DH *get_dh1024dsa(void);
240 #endif
241
242
243 static char *psk_key=NULL; /* by default PSK is not used */
244 #ifndef OPENSSL_NO_PSK
245 static unsigned int psk_client_callback(SSL *ssl, const char *hint, char *identity,
246 unsigned int max_identity_len, unsigned char *psk,
247 unsigned int max_psk_len);
248 static unsigned int psk_server_callback(SSL *ssl, const char *identity, unsigned char *psk,
249 unsigned int max_psk_len);
250 #endif
251
252 #ifndef OPENSSL_NO_SRP
253 /* SRP client */
254 /* This is a context that we pass to all callbacks */
255 typedef struct srp_client_arg_st
256 {
257 char *srppassin;
258 char *srplogin;
259 } SRP_CLIENT_ARG;
260
261 #define PWD_STRLEN 1024
262
ssl_give_srp_client_pwd_cb(SSL * s,void * arg)263 static char * MS_CALLBACK ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
264 {
265 SRP_CLIENT_ARG *srp_client_arg = (SRP_CLIENT_ARG *)arg;
266 return BUF_strdup((char *)srp_client_arg->srppassin);
267 }
268
269 /* SRP server */
270 /* This is a context that we pass to SRP server callbacks */
271 typedef struct srp_server_arg_st
272 {
273 char *expected_user;
274 char *pass;
275 } SRP_SERVER_ARG;
276
ssl_srp_server_param_cb(SSL * s,int * ad,void * arg)277 static int MS_CALLBACK ssl_srp_server_param_cb(SSL *s, int *ad, void *arg)
278 {
279 SRP_SERVER_ARG * p = (SRP_SERVER_ARG *) arg;
280
281 if (strcmp(p->expected_user, SSL_get_srp_username(s)) != 0)
282 {
283 fprintf(stderr, "User %s doesn't exist\n", SSL_get_srp_username(s));
284 return SSL3_AL_FATAL;
285 }
286 if (SSL_set_srp_server_param_pw(s,p->expected_user,p->pass,"1024")<0)
287 {
288 *ad = SSL_AD_INTERNAL_ERROR;
289 return SSL3_AL_FATAL;
290 }
291 return SSL_ERROR_NONE;
292 }
293 #endif
294
295 static BIO *bio_err=NULL;
296 static BIO *bio_stdout=NULL;
297
298 static char *cipher=NULL;
299 static int verbose=0;
300 static int debug=0;
301 #if 0
302 /* Not used yet. */
303 #ifdef FIONBIO
304 static int s_nbio=0;
305 #endif
306 #endif
307
308 static const char rnd_seed[] = "string to make the random number generator think it has entropy";
309
310 int doit_biopair(SSL *s_ssl,SSL *c_ssl,long bytes,clock_t *s_time,clock_t *c_time);
311 int doit(SSL *s_ssl,SSL *c_ssl,long bytes);
312 static int do_test_cipherlist(void);
sv_usage(void)313 static void sv_usage(void)
314 {
315 fprintf(stderr,"usage: ssltest [args ...]\n");
316 fprintf(stderr,"\n");
317 #ifdef OPENSSL_FIPS
318 fprintf(stderr,"-F - run test in FIPS mode\n");
319 #endif
320 fprintf(stderr," -server_auth - check server certificate\n");
321 fprintf(stderr," -client_auth - do client authentication\n");
322 fprintf(stderr," -proxy - allow proxy certificates\n");
323 fprintf(stderr," -proxy_auth <val> - set proxy policy rights\n");
324 fprintf(stderr," -proxy_cond <val> - experssion to test proxy policy rights\n");
325 fprintf(stderr," -v - more output\n");
326 fprintf(stderr," -d - debug output\n");
327 fprintf(stderr," -reuse - use session-id reuse\n");
328 fprintf(stderr," -num <val> - number of connections to perform\n");
329 fprintf(stderr," -bytes <val> - number of bytes to swap between client/server\n");
330 #ifndef OPENSSL_NO_DH
331 fprintf(stderr," -dhe1024 - use 1024 bit key (safe prime) for DHE\n");
332 fprintf(stderr," -dhe1024dsa - use 1024 bit key (with 160-bit subprime) for DHE\n");
333 fprintf(stderr," -no_dhe - disable DHE\n");
334 #endif
335 #ifndef OPENSSL_NO_ECDH
336 fprintf(stderr," -no_ecdhe - disable ECDHE\n");
337 #endif
338 #ifndef OPENSSL_NO_PSK
339 fprintf(stderr," -psk arg - PSK in hex (without 0x)\n");
340 #endif
341 #ifndef OPENSSL_NO_SRP
342 fprintf(stderr," -srpuser user - SRP username to use\n");
343 fprintf(stderr," -srppass arg - password for 'user'\n");
344 #endif
345 #ifndef OPENSSL_NO_SSL2
346 fprintf(stderr," -ssl2 - use SSLv2\n");
347 #endif
348 #ifndef OPENSSL_NO_SSL3
349 fprintf(stderr," -ssl3 - use SSLv3\n");
350 #endif
351 #ifndef OPENSSL_NO_TLS1
352 fprintf(stderr," -tls1 - use TLSv1\n");
353 #endif
354 fprintf(stderr," -CApath arg - PEM format directory of CA's\n");
355 fprintf(stderr," -CAfile arg - PEM format file of CA's\n");
356 fprintf(stderr," -cert arg - Server certificate file\n");
357 fprintf(stderr," -key arg - Server key file (default: same as -cert)\n");
358 fprintf(stderr," -c_cert arg - Client certificate file\n");
359 fprintf(stderr," -c_key arg - Client key file (default: same as -c_cert)\n");
360 fprintf(stderr," -cipher arg - The cipher list\n");
361 fprintf(stderr," -bio_pair - Use BIO pairs\n");
362 fprintf(stderr," -f - Test even cases that can't work\n");
363 fprintf(stderr," -time - measure processor time used by client and server\n");
364 fprintf(stderr," -zlib - use zlib compression\n");
365 fprintf(stderr," -rle - use rle compression\n");
366 #ifndef OPENSSL_NO_ECDH
367 fprintf(stderr," -named_curve arg - Elliptic curve name to use for ephemeral ECDH keys.\n" \
368 " Use \"openssl ecparam -list_curves\" for all names\n" \
369 " (default is sect163r2).\n");
370 #endif
371 fprintf(stderr," -test_cipherlist - verifies the order of the ssl cipher lists\n");
372 fprintf(stderr," -c_small_records - enable client side use of small SSL record buffers\n");
373 fprintf(stderr," -s_small_records - enable server side use of small SSL record buffers\n");
374 fprintf(stderr," -cutthrough - enable 1-RTT full-handshake for strong ciphers\n");
375 }
376
print_details(SSL * c_ssl,const char * prefix)377 static void print_details(SSL *c_ssl, const char *prefix)
378 {
379 const SSL_CIPHER *ciph;
380 X509 *cert;
381
382 ciph=SSL_get_current_cipher(c_ssl);
383 BIO_printf(bio_stdout,"%s%s, cipher %s %s",
384 prefix,
385 SSL_get_version(c_ssl),
386 SSL_CIPHER_get_version(ciph),
387 SSL_CIPHER_get_name(ciph));
388 cert=SSL_get_peer_certificate(c_ssl);
389 if (cert != NULL)
390 {
391 EVP_PKEY *pkey = X509_get_pubkey(cert);
392 if (pkey != NULL)
393 {
394 if (0)
395 ;
396 #ifndef OPENSSL_NO_RSA
397 else if (pkey->type == EVP_PKEY_RSA && pkey->pkey.rsa != NULL
398 && pkey->pkey.rsa->n != NULL)
399 {
400 BIO_printf(bio_stdout, ", %d bit RSA",
401 BN_num_bits(pkey->pkey.rsa->n));
402 }
403 #endif
404 #ifndef OPENSSL_NO_DSA
405 else if (pkey->type == EVP_PKEY_DSA && pkey->pkey.dsa != NULL
406 && pkey->pkey.dsa->p != NULL)
407 {
408 BIO_printf(bio_stdout, ", %d bit DSA",
409 BN_num_bits(pkey->pkey.dsa->p));
410 }
411 #endif
412 EVP_PKEY_free(pkey);
413 }
414 X509_free(cert);
415 }
416 /* The SSL API does not allow us to look at temporary RSA/DH keys,
417 * otherwise we should print their lengths too */
418 BIO_printf(bio_stdout,"\n");
419 }
420
lock_dbg_cb(int mode,int type,const char * file,int line)421 static void lock_dbg_cb(int mode, int type, const char *file, int line)
422 {
423 static int modes[CRYPTO_NUM_LOCKS]; /* = {0, 0, ... } */
424 const char *errstr = NULL;
425 int rw;
426
427 rw = mode & (CRYPTO_READ|CRYPTO_WRITE);
428 if (!((rw == CRYPTO_READ) || (rw == CRYPTO_WRITE)))
429 {
430 errstr = "invalid mode";
431 goto err;
432 }
433
434 if (type < 0 || type >= CRYPTO_NUM_LOCKS)
435 {
436 errstr = "type out of bounds";
437 goto err;
438 }
439
440 if (mode & CRYPTO_LOCK)
441 {
442 if (modes[type])
443 {
444 errstr = "already locked";
445 /* must not happen in a single-threaded program
446 * (would deadlock) */
447 goto err;
448 }
449
450 modes[type] = rw;
451 }
452 else if (mode & CRYPTO_UNLOCK)
453 {
454 if (!modes[type])
455 {
456 errstr = "not locked";
457 goto err;
458 }
459
460 if (modes[type] != rw)
461 {
462 errstr = (rw == CRYPTO_READ) ?
463 "CRYPTO_r_unlock on write lock" :
464 "CRYPTO_w_unlock on read lock";
465 }
466
467 modes[type] = 0;
468 }
469 else
470 {
471 errstr = "invalid mode";
472 goto err;
473 }
474
475 err:
476 if (errstr)
477 {
478 /* we cannot use bio_err here */
479 fprintf(stderr, "openssl (lock_dbg_cb): %s (mode=%d, type=%d) at %s:%d\n",
480 errstr, mode, type, file, line);
481 }
482 }
483
484 #ifdef TLSEXT_TYPE_opaque_prf_input
485 struct cb_info_st { void *input; size_t len; int ret; };
486 struct cb_info_st co1 = { "C", 1, 1 }; /* try to negotiate oqaque PRF input */
487 struct cb_info_st co2 = { "C", 1, 2 }; /* insist on oqaque PRF input */
488 struct cb_info_st so1 = { "S", 1, 1 }; /* try to negotiate oqaque PRF input */
489 struct cb_info_st so2 = { "S", 1, 2 }; /* insist on oqaque PRF input */
490
opaque_prf_input_cb(SSL * ssl,void * peerinput,size_t len,void * arg_)491 int opaque_prf_input_cb(SSL *ssl, void *peerinput, size_t len, void *arg_)
492 {
493 struct cb_info_st *arg = arg_;
494
495 if (arg == NULL)
496 return 1;
497
498 if (!SSL_set_tlsext_opaque_prf_input(ssl, arg->input, arg->len))
499 return 0;
500 return arg->ret;
501 }
502 #endif
503 int ssl_mode = 0;
504 int c_small_records=0;
505 int s_small_records=0;
506 int cutthrough = 0;
507
main(int argc,char * argv[])508 int main(int argc, char *argv[])
509 {
510 char *CApath=NULL,*CAfile=NULL;
511 int badop=0;
512 int bio_pair=0;
513 int force=0;
514 int tls1=0,ssl2=0,ssl3=0,ret=1;
515 int client_auth=0;
516 int server_auth=0,i;
517 struct app_verify_arg app_verify_arg =
518 { APP_CALLBACK_STRING, 0, 0, NULL, NULL };
519 char *server_cert=TEST_SERVER_CERT;
520 char *server_key=NULL;
521 char *client_cert=TEST_CLIENT_CERT;
522 char *client_key=NULL;
523 #ifndef OPENSSL_NO_ECDH
524 char *named_curve = NULL;
525 #endif
526 SSL_CTX *s_ctx=NULL;
527 SSL_CTX *c_ctx=NULL;
528 const SSL_METHOD *meth=NULL;
529 SSL *c_ssl,*s_ssl;
530 int number=1,reuse=0;
531 long bytes=256L;
532 #ifndef OPENSSL_NO_DH
533 DH *dh;
534 int dhe1024 = 0, dhe1024dsa = 0;
535 #endif
536 #ifndef OPENSSL_NO_ECDH
537 EC_KEY *ecdh = NULL;
538 #endif
539 #ifndef OPENSSL_NO_SRP
540 /* client */
541 SRP_CLIENT_ARG srp_client_arg = {NULL,NULL};
542 /* server */
543 SRP_SERVER_ARG srp_server_arg = {NULL,NULL};
544 #endif
545 int no_dhe = 0;
546 int no_ecdhe = 0;
547 int no_psk = 0;
548 int print_time = 0;
549 clock_t s_time = 0, c_time = 0;
550 int comp = 0;
551 #ifndef OPENSSL_NO_COMP
552 COMP_METHOD *cm = NULL;
553 #endif
554 STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
555 int test_cipherlist = 0;
556 #ifdef OPENSSL_FIPS
557 int fips_mode=0;
558 #endif
559
560 verbose = 0;
561 debug = 0;
562 cipher = 0;
563
564 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE|BIO_FP_TEXT);
565
566 CRYPTO_set_locking_callback(lock_dbg_cb);
567
568 /* enable memory leak checking unless explicitly disabled */
569 if (!((getenv("OPENSSL_DEBUG_MEMORY") != NULL) && (0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off"))))
570 {
571 CRYPTO_malloc_debug_init();
572 CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
573 }
574 else
575 {
576 /* OPENSSL_DEBUG_MEMORY=off */
577 CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0);
578 }
579 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
580
581 RAND_seed(rnd_seed, sizeof rnd_seed);
582
583 bio_stdout=BIO_new_fp(stdout,BIO_NOCLOSE|BIO_FP_TEXT);
584
585 argc--;
586 argv++;
587
588 while (argc >= 1)
589 {
590 if(!strcmp(*argv,"-F"))
591 {
592 #ifdef OPENSSL_FIPS
593 fips_mode=1;
594 #else
595 fprintf(stderr,"not compiled with FIPS support, so exitting without running.\n");
596 EXIT(0);
597 #endif
598 }
599 else if (strcmp(*argv,"-server_auth") == 0)
600 server_auth=1;
601 else if (strcmp(*argv,"-client_auth") == 0)
602 client_auth=1;
603 else if (strcmp(*argv,"-proxy_auth") == 0)
604 {
605 if (--argc < 1) goto bad;
606 app_verify_arg.proxy_auth= *(++argv);
607 }
608 else if (strcmp(*argv,"-proxy_cond") == 0)
609 {
610 if (--argc < 1) goto bad;
611 app_verify_arg.proxy_cond= *(++argv);
612 }
613 else if (strcmp(*argv,"-v") == 0)
614 verbose=1;
615 else if (strcmp(*argv,"-d") == 0)
616 debug=1;
617 else if (strcmp(*argv,"-reuse") == 0)
618 reuse=1;
619 else if (strcmp(*argv,"-dhe1024") == 0)
620 {
621 #ifndef OPENSSL_NO_DH
622 dhe1024=1;
623 #else
624 fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n");
625 #endif
626 }
627 else if (strcmp(*argv,"-dhe1024dsa") == 0)
628 {
629 #ifndef OPENSSL_NO_DH
630 dhe1024dsa=1;
631 #else
632 fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n");
633 #endif
634 }
635 else if (strcmp(*argv,"-no_dhe") == 0)
636 no_dhe=1;
637 else if (strcmp(*argv,"-no_ecdhe") == 0)
638 no_ecdhe=1;
639 else if (strcmp(*argv,"-psk") == 0)
640 {
641 if (--argc < 1) goto bad;
642 psk_key=*(++argv);
643 #ifndef OPENSSL_NO_PSK
644 if (strspn(psk_key, "abcdefABCDEF1234567890") != strlen(psk_key))
645 {
646 BIO_printf(bio_err,"Not a hex number '%s'\n",*argv);
647 goto bad;
648 }
649 #else
650 no_psk=1;
651 #endif
652 }
653 #ifndef OPENSSL_NO_SRP
654 else if (strcmp(*argv,"-srpuser") == 0)
655 {
656 if (--argc < 1) goto bad;
657 srp_server_arg.expected_user = srp_client_arg.srplogin= *(++argv);
658 tls1=1;
659 }
660 else if (strcmp(*argv,"-srppass") == 0)
661 {
662 if (--argc < 1) goto bad;
663 srp_server_arg.pass = srp_client_arg.srppassin= *(++argv);
664 tls1=1;
665 }
666 #endif
667 else if (strcmp(*argv,"-ssl2") == 0)
668 ssl2=1;
669 else if (strcmp(*argv,"-tls1") == 0)
670 tls1=1;
671 else if (strcmp(*argv,"-ssl3") == 0)
672 ssl3=1;
673 else if (strncmp(*argv,"-num",4) == 0)
674 {
675 if (--argc < 1) goto bad;
676 number= atoi(*(++argv));
677 if (number == 0) number=1;
678 }
679 else if (strcmp(*argv,"-bytes") == 0)
680 {
681 if (--argc < 1) goto bad;
682 bytes= atol(*(++argv));
683 if (bytes == 0L) bytes=1L;
684 i=strlen(argv[0]);
685 if (argv[0][i-1] == 'k') bytes*=1024L;
686 if (argv[0][i-1] == 'm') bytes*=1024L*1024L;
687 }
688 else if (strcmp(*argv,"-cert") == 0)
689 {
690 if (--argc < 1) goto bad;
691 server_cert= *(++argv);
692 }
693 else if (strcmp(*argv,"-s_cert") == 0)
694 {
695 if (--argc < 1) goto bad;
696 server_cert= *(++argv);
697 }
698 else if (strcmp(*argv,"-key") == 0)
699 {
700 if (--argc < 1) goto bad;
701 server_key= *(++argv);
702 }
703 else if (strcmp(*argv,"-s_key") == 0)
704 {
705 if (--argc < 1) goto bad;
706 server_key= *(++argv);
707 }
708 else if (strcmp(*argv,"-c_cert") == 0)
709 {
710 if (--argc < 1) goto bad;
711 client_cert= *(++argv);
712 }
713 else if (strcmp(*argv,"-c_key") == 0)
714 {
715 if (--argc < 1) goto bad;
716 client_key= *(++argv);
717 }
718 else if (strcmp(*argv,"-cipher") == 0)
719 {
720 if (--argc < 1) goto bad;
721 cipher= *(++argv);
722 }
723 else if (strcmp(*argv,"-CApath") == 0)
724 {
725 if (--argc < 1) goto bad;
726 CApath= *(++argv);
727 }
728 else if (strcmp(*argv,"-CAfile") == 0)
729 {
730 if (--argc < 1) goto bad;
731 CAfile= *(++argv);
732 }
733 else if (strcmp(*argv,"-bio_pair") == 0)
734 {
735 bio_pair = 1;
736 }
737 else if (strcmp(*argv,"-f") == 0)
738 {
739 force = 1;
740 }
741 else if (strcmp(*argv,"-time") == 0)
742 {
743 print_time = 1;
744 }
745 else if (strcmp(*argv,"-zlib") == 0)
746 {
747 comp = COMP_ZLIB;
748 }
749 else if (strcmp(*argv,"-rle") == 0)
750 {
751 comp = COMP_RLE;
752 }
753 else if (strcmp(*argv,"-named_curve") == 0)
754 {
755 if (--argc < 1) goto bad;
756 #ifndef OPENSSL_NO_ECDH
757 named_curve = *(++argv);
758 #else
759 fprintf(stderr,"ignoring -named_curve, since I'm compiled without ECDH\n");
760 ++argv;
761 #endif
762 }
763 else if (strcmp(*argv,"-app_verify") == 0)
764 {
765 app_verify_arg.app_verify = 1;
766 }
767 else if (strcmp(*argv,"-proxy") == 0)
768 {
769 app_verify_arg.allow_proxy_certs = 1;
770 }
771 else if (strcmp(*argv,"-test_cipherlist") == 0)
772 {
773 test_cipherlist = 1;
774 }
775 else if (strcmp(*argv, "-c_small_records") == 0)
776 {
777 c_small_records = 1;
778 }
779 else if (strcmp(*argv, "-s_small_records") == 0)
780 {
781 s_small_records = 1;
782 }
783 else if (strcmp(*argv, "-cutthrough") == 0)
784 {
785 cutthrough = 1;
786 }
787 else
788 {
789 fprintf(stderr,"unknown option %s\n",*argv);
790 badop=1;
791 break;
792 }
793 argc--;
794 argv++;
795 }
796 if (badop)
797 {
798 bad:
799 sv_usage();
800 goto end;
801 }
802
803 if (test_cipherlist == 1)
804 {
805 /* ensure that the cipher list are correctly sorted and exit */
806 if (do_test_cipherlist() == 0)
807 EXIT(1);
808 ret = 0;
809 goto end;
810 }
811
812 if (!ssl2 && !ssl3 && !tls1 && number > 1 && !reuse && !force)
813 {
814 fprintf(stderr, "This case cannot work. Use -f to perform "
815 "the test anyway (and\n-d to see what happens), "
816 "or add one of -ssl2, -ssl3, -tls1, -reuse\n"
817 "to avoid protocol mismatch.\n");
818 EXIT(1);
819 }
820
821 #ifdef OPENSSL_FIPS
822 if(fips_mode)
823 {
824 if(!FIPS_mode_set(1))
825 {
826 ERR_load_crypto_strings();
827 ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE));
828 EXIT(1);
829 }
830 else
831 fprintf(stderr,"*** IN FIPS MODE ***\n");
832 }
833 #endif
834
835 if (print_time)
836 {
837 if (!bio_pair)
838 {
839 fprintf(stderr, "Using BIO pair (-bio_pair)\n");
840 bio_pair = 1;
841 }
842 if (number < 50 && !force)
843 fprintf(stderr, "Warning: For accurate timings, use more connections (e.g. -num 1000)\n");
844 }
845
846 /* if (cipher == NULL) cipher=getenv("SSL_CIPHER"); */
847
848 SSL_library_init();
849 SSL_load_error_strings();
850
851 #ifndef OPENSSL_NO_COMP
852 if (comp == COMP_ZLIB) cm = COMP_zlib();
853 if (comp == COMP_RLE) cm = COMP_rle();
854 if (cm != NULL)
855 {
856 if (cm->type != NID_undef)
857 {
858 if (SSL_COMP_add_compression_method(comp, cm) != 0)
859 {
860 fprintf(stderr,
861 "Failed to add compression method\n");
862 ERR_print_errors_fp(stderr);
863 }
864 }
865 else
866 {
867 fprintf(stderr,
868 "Warning: %s compression not supported\n",
869 (comp == COMP_RLE ? "rle" :
870 (comp == COMP_ZLIB ? "zlib" :
871 "unknown")));
872 ERR_print_errors_fp(stderr);
873 }
874 }
875 ssl_comp_methods = SSL_COMP_get_compression_methods();
876 fprintf(stderr, "Available compression methods:\n");
877 {
878 int j, n = sk_SSL_COMP_num(ssl_comp_methods);
879 if (n == 0)
880 fprintf(stderr, " NONE\n");
881 else
882 for (j = 0; j < n; j++)
883 {
884 SSL_COMP *c = sk_SSL_COMP_value(ssl_comp_methods, j);
885 fprintf(stderr, " %d: %s\n", c->id, c->name);
886 }
887 }
888 #endif
889
890 #if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3)
891 if (ssl2)
892 meth=SSLv2_method();
893 else
894 if (tls1)
895 meth=TLSv1_method();
896 else
897 if (ssl3)
898 meth=SSLv3_method();
899 else
900 meth=SSLv23_method();
901 #else
902 #ifdef OPENSSL_NO_SSL2
903 meth=SSLv3_method();
904 #else
905 meth=SSLv2_method();
906 #endif
907 #endif
908
909 c_ctx=SSL_CTX_new(meth);
910 s_ctx=SSL_CTX_new(meth);
911 if ((c_ctx == NULL) || (s_ctx == NULL))
912 {
913 ERR_print_errors(bio_err);
914 goto end;
915 }
916
917 if (cipher != NULL)
918 {
919 SSL_CTX_set_cipher_list(c_ctx,cipher);
920 SSL_CTX_set_cipher_list(s_ctx,cipher);
921 }
922
923 ssl_mode = 0;
924 if (c_small_records)
925 {
926 ssl_mode = SSL_CTX_get_mode(c_ctx);
927 ssl_mode |= SSL_MODE_SMALL_BUFFERS;
928 SSL_CTX_set_mode(c_ctx, ssl_mode);
929 }
930 ssl_mode = 0;
931 if (s_small_records)
932 {
933 ssl_mode = SSL_CTX_get_mode(s_ctx);
934 ssl_mode |= SSL_MODE_SMALL_BUFFERS;
935 SSL_CTX_set_mode(s_ctx, ssl_mode);
936 }
937 ssl_mode = 0;
938 if (cutthrough)
939 {
940 ssl_mode = SSL_CTX_get_mode(c_ctx);
941 ssl_mode = SSL_MODE_HANDSHAKE_CUTTHROUGH;
942 SSL_CTX_set_mode(c_ctx, ssl_mode);
943 }
944
945 #ifndef OPENSSL_NO_DH
946 if (!no_dhe)
947 {
948 if (dhe1024dsa)
949 {
950 /* use SSL_OP_SINGLE_DH_USE to avoid small subgroup attacks */
951 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);
952 dh=get_dh1024dsa();
953 }
954 else if (dhe1024)
955 dh=get_dh1024();
956 else
957 dh=get_dh512();
958 SSL_CTX_set_tmp_dh(s_ctx,dh);
959 DH_free(dh);
960 }
961 #else
962 (void)no_dhe;
963 #endif
964
965 #ifndef OPENSSL_NO_ECDH
966 if (!no_ecdhe)
967 {
968 int nid;
969
970 if (named_curve != NULL)
971 {
972 nid = OBJ_sn2nid(named_curve);
973 if (nid == 0)
974 {
975 BIO_printf(bio_err, "unknown curve name (%s)\n", named_curve);
976 goto end;
977 }
978 }
979 else
980 #ifdef OPENSSL_NO_EC2M
981 nid = NID_X9_62_prime256v1;
982 #else
983 nid = NID_sect163r2;
984 #endif
985
986 ecdh = EC_KEY_new_by_curve_name(nid);
987 if (ecdh == NULL)
988 {
989 BIO_printf(bio_err, "unable to create curve\n");
990 goto end;
991 }
992
993 SSL_CTX_set_tmp_ecdh(s_ctx, ecdh);
994 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_ECDH_USE);
995 EC_KEY_free(ecdh);
996 }
997 #else
998 (void)no_ecdhe;
999 #endif
1000
1001 #ifndef OPENSSL_NO_RSA
1002 SSL_CTX_set_tmp_rsa_callback(s_ctx,tmp_rsa_cb);
1003 #endif
1004
1005 #ifdef TLSEXT_TYPE_opaque_prf_input
1006 SSL_CTX_set_tlsext_opaque_prf_input_callback(c_ctx, opaque_prf_input_cb);
1007 SSL_CTX_set_tlsext_opaque_prf_input_callback(s_ctx, opaque_prf_input_cb);
1008 SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(c_ctx, &co1); /* or &co2 or NULL */
1009 SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(s_ctx, &so1); /* or &so2 or NULL */
1010 #endif
1011
1012 if (!SSL_CTX_use_certificate_file(s_ctx,server_cert,SSL_FILETYPE_PEM))
1013 {
1014 ERR_print_errors(bio_err);
1015 }
1016 else if (!SSL_CTX_use_PrivateKey_file(s_ctx,
1017 (server_key?server_key:server_cert), SSL_FILETYPE_PEM))
1018 {
1019 ERR_print_errors(bio_err);
1020 goto end;
1021 }
1022
1023 if (client_auth)
1024 {
1025 SSL_CTX_use_certificate_file(c_ctx,client_cert,
1026 SSL_FILETYPE_PEM);
1027 SSL_CTX_use_PrivateKey_file(c_ctx,
1028 (client_key?client_key:client_cert),
1029 SSL_FILETYPE_PEM);
1030 }
1031
1032 if ( (!SSL_CTX_load_verify_locations(s_ctx,CAfile,CApath)) ||
1033 (!SSL_CTX_set_default_verify_paths(s_ctx)) ||
1034 (!SSL_CTX_load_verify_locations(c_ctx,CAfile,CApath)) ||
1035 (!SSL_CTX_set_default_verify_paths(c_ctx)))
1036 {
1037 /* fprintf(stderr,"SSL_load_verify_locations\n"); */
1038 ERR_print_errors(bio_err);
1039 /* goto end; */
1040 }
1041
1042 if (client_auth)
1043 {
1044 BIO_printf(bio_err,"client authentication\n");
1045 SSL_CTX_set_verify(s_ctx,
1046 SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
1047 verify_callback);
1048 SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, &app_verify_arg);
1049 }
1050 if (server_auth)
1051 {
1052 BIO_printf(bio_err,"server authentication\n");
1053 SSL_CTX_set_verify(c_ctx,SSL_VERIFY_PEER,
1054 verify_callback);
1055 SSL_CTX_set_cert_verify_callback(c_ctx, app_verify_callback, &app_verify_arg);
1056 }
1057
1058 {
1059 int session_id_context = 0;
1060 SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context, sizeof session_id_context);
1061 }
1062
1063 /* Use PSK only if PSK key is given */
1064 if (psk_key != NULL)
1065 {
1066 /* no_psk is used to avoid putting psk command to openssl tool */
1067 if (no_psk)
1068 {
1069 /* if PSK is not compiled in and psk key is
1070 * given, do nothing and exit successfully */
1071 ret=0;
1072 goto end;
1073 }
1074 #ifndef OPENSSL_NO_PSK
1075 SSL_CTX_set_psk_client_callback(c_ctx, psk_client_callback);
1076 SSL_CTX_set_psk_server_callback(s_ctx, psk_server_callback);
1077 if (debug)
1078 BIO_printf(bio_err,"setting PSK identity hint to s_ctx\n");
1079 if (!SSL_CTX_use_psk_identity_hint(s_ctx, "ctx server identity_hint"))
1080 {
1081 BIO_printf(bio_err,"error setting PSK identity hint to s_ctx\n");
1082 ERR_print_errors(bio_err);
1083 goto end;
1084 }
1085 #endif
1086 }
1087 #ifndef OPENSSL_NO_SRP
1088 if (srp_client_arg.srplogin)
1089 {
1090 if (!SSL_CTX_set_srp_username(c_ctx, srp_client_arg.srplogin))
1091 {
1092 BIO_printf(bio_err,"Unable to set SRP username\n");
1093 goto end;
1094 }
1095 SSL_CTX_set_srp_cb_arg(c_ctx,&srp_client_arg);
1096 SSL_CTX_set_srp_client_pwd_callback(c_ctx, ssl_give_srp_client_pwd_cb);
1097 /*SSL_CTX_set_srp_strength(c_ctx, srp_client_arg.strength);*/
1098 }
1099
1100 if (srp_server_arg.expected_user != NULL)
1101 {
1102 SSL_CTX_set_verify(s_ctx,SSL_VERIFY_NONE,verify_callback);
1103 SSL_CTX_set_srp_cb_arg(s_ctx, &srp_server_arg);
1104 SSL_CTX_set_srp_username_callback(s_ctx, ssl_srp_server_param_cb);
1105 }
1106 #endif
1107
1108 c_ssl=SSL_new(c_ctx);
1109 s_ssl=SSL_new(s_ctx);
1110
1111 #ifndef OPENSSL_NO_KRB5
1112 if (c_ssl && c_ssl->kssl_ctx)
1113 {
1114 char localhost[MAXHOSTNAMELEN+2];
1115
1116 if (gethostname(localhost, sizeof localhost-1) == 0)
1117 {
1118 localhost[sizeof localhost-1]='\0';
1119 if(strlen(localhost) == sizeof localhost-1)
1120 {
1121 BIO_printf(bio_err,"localhost name too long\n");
1122 goto end;
1123 }
1124 kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER,
1125 localhost);
1126 }
1127 }
1128 #endif /* OPENSSL_NO_KRB5 */
1129
1130 for (i=0; i<number; i++)
1131 {
1132 if (!reuse) SSL_set_session(c_ssl,NULL);
1133 if (bio_pair)
1134 ret=doit_biopair(s_ssl,c_ssl,bytes,&s_time,&c_time);
1135 else
1136 ret=doit(s_ssl,c_ssl,bytes);
1137 }
1138
1139 if (!verbose)
1140 {
1141 print_details(c_ssl, "");
1142 }
1143 if ((number > 1) || (bytes > 1L))
1144 BIO_printf(bio_stdout, "%d handshakes of %ld bytes done\n",number,bytes);
1145 if (print_time)
1146 {
1147 #ifdef CLOCKS_PER_SEC
1148 /* "To determine the time in seconds, the value returned
1149 * by the clock function should be divided by the value
1150 * of the macro CLOCKS_PER_SEC."
1151 * -- ISO/IEC 9899 */
1152 BIO_printf(bio_stdout, "Approximate total server time: %6.2f s\n"
1153 "Approximate total client time: %6.2f s\n",
1154 (double)s_time/CLOCKS_PER_SEC,
1155 (double)c_time/CLOCKS_PER_SEC);
1156 #else
1157 /* "`CLOCKS_PER_SEC' undeclared (first use this function)"
1158 * -- cc on NeXTstep/OpenStep */
1159 BIO_printf(bio_stdout,
1160 "Approximate total server time: %6.2f units\n"
1161 "Approximate total client time: %6.2f units\n",
1162 (double)s_time,
1163 (double)c_time);
1164 #endif
1165 }
1166
1167 SSL_free(s_ssl);
1168 SSL_free(c_ssl);
1169
1170 end:
1171 if (s_ctx != NULL) SSL_CTX_free(s_ctx);
1172 if (c_ctx != NULL) SSL_CTX_free(c_ctx);
1173
1174 if (bio_stdout != NULL) BIO_free(bio_stdout);
1175
1176 #ifndef OPENSSL_NO_RSA
1177 free_tmp_rsa();
1178 #endif
1179 #ifndef OPENSSL_NO_ENGINE
1180 ENGINE_cleanup();
1181 #endif
1182 CRYPTO_cleanup_all_ex_data();
1183 ERR_free_strings();
1184 ERR_remove_thread_state(NULL);
1185 EVP_cleanup();
1186 CRYPTO_mem_leaks(bio_err);
1187 if (bio_err != NULL) BIO_free(bio_err);
1188 EXIT(ret);
1189 return ret;
1190 }
1191
doit_biopair(SSL * s_ssl,SSL * c_ssl,long count,clock_t * s_time,clock_t * c_time)1192 int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count,
1193 clock_t *s_time, clock_t *c_time)
1194 {
1195 long cw_num = count, cr_num = count, sw_num = count, sr_num = count;
1196 BIO *s_ssl_bio = NULL, *c_ssl_bio = NULL;
1197 BIO *server = NULL, *server_io = NULL, *client = NULL, *client_io = NULL;
1198 int ret = 1;
1199
1200 size_t bufsiz = 256; /* small buffer for testing */
1201
1202 if (!BIO_new_bio_pair(&server, bufsiz, &server_io, bufsiz))
1203 goto err;
1204 if (!BIO_new_bio_pair(&client, bufsiz, &client_io, bufsiz))
1205 goto err;
1206
1207 s_ssl_bio = BIO_new(BIO_f_ssl());
1208 if (!s_ssl_bio)
1209 goto err;
1210
1211 c_ssl_bio = BIO_new(BIO_f_ssl());
1212 if (!c_ssl_bio)
1213 goto err;
1214
1215 SSL_set_connect_state(c_ssl);
1216 SSL_set_bio(c_ssl, client, client);
1217 (void)BIO_set_ssl(c_ssl_bio, c_ssl, BIO_NOCLOSE);
1218
1219 SSL_set_accept_state(s_ssl);
1220 SSL_set_bio(s_ssl, server, server);
1221 (void)BIO_set_ssl(s_ssl_bio, s_ssl, BIO_NOCLOSE);
1222
1223 do
1224 {
1225 /* c_ssl_bio: SSL filter BIO
1226 *
1227 * client: pseudo-I/O for SSL library
1228 *
1229 * client_io: client's SSL communication; usually to be
1230 * relayed over some I/O facility, but in this
1231 * test program, we're the server, too:
1232 *
1233 * server_io: server's SSL communication
1234 *
1235 * server: pseudo-I/O for SSL library
1236 *
1237 * s_ssl_bio: SSL filter BIO
1238 *
1239 * The client and the server each employ a "BIO pair":
1240 * client + client_io, server + server_io.
1241 * BIO pairs are symmetric. A BIO pair behaves similar
1242 * to a non-blocking socketpair (but both endpoints must
1243 * be handled by the same thread).
1244 * [Here we could connect client and server to the ends
1245 * of a single BIO pair, but then this code would be less
1246 * suitable as an example for BIO pairs in general.]
1247 *
1248 * Useful functions for querying the state of BIO pair endpoints:
1249 *
1250 * BIO_ctrl_pending(bio) number of bytes we can read now
1251 * BIO_ctrl_get_read_request(bio) number of bytes needed to fulfil
1252 * other side's read attempt
1253 * BIO_ctrl_get_write_guarantee(bio) number of bytes we can write now
1254 *
1255 * ..._read_request is never more than ..._write_guarantee;
1256 * it depends on the application which one you should use.
1257 */
1258
1259 /* We have non-blocking behaviour throughout this test program, but
1260 * can be sure that there is *some* progress in each iteration; so
1261 * we don't have to worry about ..._SHOULD_READ or ..._SHOULD_WRITE
1262 * -- we just try everything in each iteration
1263 */
1264
1265 {
1266 /* CLIENT */
1267
1268 MS_STATIC char cbuf[1024*8];
1269 int i, r;
1270 clock_t c_clock = clock();
1271
1272 memset(cbuf, 0, sizeof(cbuf));
1273
1274 if (debug)
1275 if (SSL_in_init(c_ssl))
1276 printf("client waiting in SSL_connect - %s\n",
1277 SSL_state_string_long(c_ssl));
1278
1279 if (cw_num > 0)
1280 {
1281 /* Write to server. */
1282
1283 if (cw_num > (long)sizeof cbuf)
1284 i = sizeof cbuf;
1285 else
1286 i = (int)cw_num;
1287 r = BIO_write(c_ssl_bio, cbuf, i);
1288 if (r < 0)
1289 {
1290 if (!BIO_should_retry(c_ssl_bio))
1291 {
1292 fprintf(stderr,"ERROR in CLIENT\n");
1293 goto err;
1294 }
1295 /* BIO_should_retry(...) can just be ignored here.
1296 * The library expects us to call BIO_write with
1297 * the same arguments again, and that's what we will
1298 * do in the next iteration. */
1299 }
1300 else if (r == 0)
1301 {
1302 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1303 goto err;
1304 }
1305 else
1306 {
1307 if (debug)
1308 printf("client wrote %d\n", r);
1309 cw_num -= r;
1310 }
1311 }
1312
1313 if (cr_num > 0)
1314 {
1315 /* Read from server. */
1316
1317 r = BIO_read(c_ssl_bio, cbuf, sizeof(cbuf));
1318 if (r < 0)
1319 {
1320 if (!BIO_should_retry(c_ssl_bio))
1321 {
1322 fprintf(stderr,"ERROR in CLIENT\n");
1323 goto err;
1324 }
1325 /* Again, "BIO_should_retry" can be ignored. */
1326 }
1327 else if (r == 0)
1328 {
1329 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1330 goto err;
1331 }
1332 else
1333 {
1334 if (debug)
1335 printf("client read %d\n", r);
1336 cr_num -= r;
1337 }
1338 }
1339
1340 /* c_time and s_time increments will typically be very small
1341 * (depending on machine speed and clock tick intervals),
1342 * but sampling over a large number of connections should
1343 * result in fairly accurate figures. We cannot guarantee
1344 * a lot, however -- if each connection lasts for exactly
1345 * one clock tick, it will be counted only for the client
1346 * or only for the server or even not at all.
1347 */
1348 *c_time += (clock() - c_clock);
1349 }
1350
1351 {
1352 /* SERVER */
1353
1354 MS_STATIC char sbuf[1024*8];
1355 int i, r;
1356 clock_t s_clock = clock();
1357
1358 memset(sbuf, 0, sizeof(sbuf));
1359
1360 if (debug)
1361 if (SSL_in_init(s_ssl))
1362 printf("server waiting in SSL_accept - %s\n",
1363 SSL_state_string_long(s_ssl));
1364
1365 if (sw_num > 0)
1366 {
1367 /* Write to client. */
1368
1369 if (sw_num > (long)sizeof sbuf)
1370 i = sizeof sbuf;
1371 else
1372 i = (int)sw_num;
1373 r = BIO_write(s_ssl_bio, sbuf, i);
1374 if (r < 0)
1375 {
1376 if (!BIO_should_retry(s_ssl_bio))
1377 {
1378 fprintf(stderr,"ERROR in SERVER\n");
1379 goto err;
1380 }
1381 /* Ignore "BIO_should_retry". */
1382 }
1383 else if (r == 0)
1384 {
1385 fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
1386 goto err;
1387 }
1388 else
1389 {
1390 if (debug)
1391 printf("server wrote %d\n", r);
1392 sw_num -= r;
1393 }
1394 }
1395
1396 if (sr_num > 0)
1397 {
1398 /* Read from client. */
1399
1400 r = BIO_read(s_ssl_bio, sbuf, sizeof(sbuf));
1401 if (r < 0)
1402 {
1403 if (!BIO_should_retry(s_ssl_bio))
1404 {
1405 fprintf(stderr,"ERROR in SERVER\n");
1406 goto err;
1407 }
1408 /* blah, blah */
1409 }
1410 else if (r == 0)
1411 {
1412 fprintf(stderr,"SSL SERVER STARTUP FAILED\n");
1413 goto err;
1414 }
1415 else
1416 {
1417 if (debug)
1418 printf("server read %d\n", r);
1419 sr_num -= r;
1420 }
1421 }
1422
1423 *s_time += (clock() - s_clock);
1424 }
1425
1426 {
1427 /* "I/O" BETWEEN CLIENT AND SERVER. */
1428
1429 size_t r1, r2;
1430 BIO *io1 = server_io, *io2 = client_io;
1431 /* we use the non-copying interface for io1
1432 * and the standard BIO_write/BIO_read interface for io2
1433 */
1434
1435 static int prev_progress = 1;
1436 int progress = 0;
1437
1438 /* io1 to io2 */
1439 do
1440 {
1441 size_t num;
1442 int r;
1443
1444 r1 = BIO_ctrl_pending(io1);
1445 r2 = BIO_ctrl_get_write_guarantee(io2);
1446
1447 num = r1;
1448 if (r2 < num)
1449 num = r2;
1450 if (num)
1451 {
1452 char *dataptr;
1453
1454 if (INT_MAX < num) /* yeah, right */
1455 num = INT_MAX;
1456
1457 r = BIO_nread(io1, &dataptr, (int)num);
1458 assert(r > 0);
1459 assert(r <= (int)num);
1460 /* possibly r < num (non-contiguous data) */
1461 num = r;
1462 r = BIO_write(io2, dataptr, (int)num);
1463 if (r != (int)num) /* can't happen */
1464 {
1465 fprintf(stderr, "ERROR: BIO_write could not write "
1466 "BIO_ctrl_get_write_guarantee() bytes");
1467 goto err;
1468 }
1469 progress = 1;
1470
1471 if (debug)
1472 printf((io1 == client_io) ?
1473 "C->S relaying: %d bytes\n" :
1474 "S->C relaying: %d bytes\n",
1475 (int)num);
1476 }
1477 }
1478 while (r1 && r2);
1479
1480 /* io2 to io1 */
1481 {
1482 size_t num;
1483 int r;
1484
1485 r1 = BIO_ctrl_pending(io2);
1486 r2 = BIO_ctrl_get_read_request(io1);
1487 /* here we could use ..._get_write_guarantee instead of
1488 * ..._get_read_request, but by using the latter
1489 * we test restartability of the SSL implementation
1490 * more thoroughly */
1491 num = r1;
1492 if (r2 < num)
1493 num = r2;
1494 if (num)
1495 {
1496 char *dataptr;
1497
1498 if (INT_MAX < num)
1499 num = INT_MAX;
1500
1501 if (num > 1)
1502 --num; /* test restartability even more thoroughly */
1503
1504 r = BIO_nwrite0(io1, &dataptr);
1505 assert(r > 0);
1506 if (r < (int)num)
1507 num = r;
1508 r = BIO_read(io2, dataptr, (int)num);
1509 if (r != (int)num) /* can't happen */
1510 {
1511 fprintf(stderr, "ERROR: BIO_read could not read "
1512 "BIO_ctrl_pending() bytes");
1513 goto err;
1514 }
1515 progress = 1;
1516 r = BIO_nwrite(io1, &dataptr, (int)num);
1517 if (r != (int)num) /* can't happen */
1518 {
1519 fprintf(stderr, "ERROR: BIO_nwrite() did not accept "
1520 "BIO_nwrite0() bytes");
1521 goto err;
1522 }
1523
1524 if (debug)
1525 printf((io2 == client_io) ?
1526 "C->S relaying: %d bytes\n" :
1527 "S->C relaying: %d bytes\n",
1528 (int)num);
1529 }
1530 } /* no loop, BIO_ctrl_get_read_request now returns 0 anyway */
1531
1532 if (!progress && !prev_progress)
1533 if (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0)
1534 {
1535 fprintf(stderr, "ERROR: got stuck\n");
1536 if (strcmp("SSLv2", SSL_get_version(c_ssl)) == 0)
1537 {
1538 fprintf(stderr, "This can happen for SSL2 because "
1539 "CLIENT-FINISHED and SERVER-VERIFY are written \n"
1540 "concurrently ...");
1541 if (strncmp("2SCF", SSL_state_string(c_ssl), 4) == 0
1542 && strncmp("2SSV", SSL_state_string(s_ssl), 4) == 0)
1543 {
1544 fprintf(stderr, " ok.\n");
1545 goto end;
1546 }
1547 }
1548 fprintf(stderr, " ERROR.\n");
1549 goto err;
1550 }
1551 prev_progress = progress;
1552 }
1553 }
1554 while (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0);
1555
1556 if (verbose)
1557 print_details(c_ssl, "DONE via BIO pair: ");
1558 end:
1559 ret = 0;
1560
1561 err:
1562 ERR_print_errors(bio_err);
1563
1564 if (server)
1565 BIO_free(server);
1566 if (server_io)
1567 BIO_free(server_io);
1568 if (client)
1569 BIO_free(client);
1570 if (client_io)
1571 BIO_free(client_io);
1572 if (s_ssl_bio)
1573 BIO_free(s_ssl_bio);
1574 if (c_ssl_bio)
1575 BIO_free(c_ssl_bio);
1576
1577 return ret;
1578 }
1579
1580
1581 #define W_READ 1
1582 #define W_WRITE 2
1583 #define C_DONE 1
1584 #define S_DONE 2
1585
doit(SSL * s_ssl,SSL * c_ssl,long count)1586 int doit(SSL *s_ssl, SSL *c_ssl, long count)
1587 {
1588 MS_STATIC char cbuf[1024*8],sbuf[1024*8];
1589 long cw_num=count,cr_num=count;
1590 long sw_num=count,sr_num=count;
1591 int ret=1;
1592 BIO *c_to_s=NULL;
1593 BIO *s_to_c=NULL;
1594 BIO *c_bio=NULL;
1595 BIO *s_bio=NULL;
1596 int c_r,c_w,s_r,s_w;
1597 int i,j;
1598 int done=0;
1599 int c_write,s_write;
1600 int do_server=0,do_client=0;
1601
1602 memset(cbuf,0,sizeof(cbuf));
1603 memset(sbuf,0,sizeof(sbuf));
1604
1605 c_to_s=BIO_new(BIO_s_mem());
1606 s_to_c=BIO_new(BIO_s_mem());
1607 if ((s_to_c == NULL) || (c_to_s == NULL))
1608 {
1609 ERR_print_errors(bio_err);
1610 goto err;
1611 }
1612
1613 c_bio=BIO_new(BIO_f_ssl());
1614 s_bio=BIO_new(BIO_f_ssl());
1615 if ((c_bio == NULL) || (s_bio == NULL))
1616 {
1617 ERR_print_errors(bio_err);
1618 goto err;
1619 }
1620
1621 SSL_set_connect_state(c_ssl);
1622 SSL_set_bio(c_ssl,s_to_c,c_to_s);
1623 BIO_set_ssl(c_bio,c_ssl,BIO_NOCLOSE);
1624
1625 SSL_set_accept_state(s_ssl);
1626 SSL_set_bio(s_ssl,c_to_s,s_to_c);
1627 BIO_set_ssl(s_bio,s_ssl,BIO_NOCLOSE);
1628
1629 c_r=0; s_r=1;
1630 c_w=1; s_w=0;
1631 c_write=1,s_write=0;
1632
1633 /* We can always do writes */
1634 for (;;)
1635 {
1636 do_server=0;
1637 do_client=0;
1638
1639 i=(int)BIO_pending(s_bio);
1640 if ((i && s_r) || s_w) do_server=1;
1641
1642 i=(int)BIO_pending(c_bio);
1643 if ((i && c_r) || c_w) do_client=1;
1644
1645 if (do_server && debug)
1646 {
1647 if (SSL_in_init(s_ssl))
1648 printf("server waiting in SSL_accept - %s\n",
1649 SSL_state_string_long(s_ssl));
1650 /* else if (s_write)
1651 printf("server:SSL_write()\n");
1652 else
1653 printf("server:SSL_read()\n"); */
1654 }
1655
1656 if (do_client && debug)
1657 {
1658 if (SSL_in_init(c_ssl))
1659 printf("client waiting in SSL_connect - %s\n",
1660 SSL_state_string_long(c_ssl));
1661 /* else if (c_write)
1662 printf("client:SSL_write()\n");
1663 else
1664 printf("client:SSL_read()\n"); */
1665 }
1666
1667 if (!do_client && !do_server)
1668 {
1669 fprintf(stdout,"ERROR IN STARTUP\n");
1670 ERR_print_errors(bio_err);
1671 break;
1672 }
1673 if (do_client && !(done & C_DONE))
1674 {
1675 if (c_write)
1676 {
1677 j = (cw_num > (long)sizeof(cbuf)) ?
1678 (int)sizeof(cbuf) : (int)cw_num;
1679 i=BIO_write(c_bio,cbuf,j);
1680 if (i < 0)
1681 {
1682 c_r=0;
1683 c_w=0;
1684 if (BIO_should_retry(c_bio))
1685 {
1686 if (BIO_should_read(c_bio))
1687 c_r=1;
1688 if (BIO_should_write(c_bio))
1689 c_w=1;
1690 }
1691 else
1692 {
1693 fprintf(stderr,"ERROR in CLIENT\n");
1694 ERR_print_errors(bio_err);
1695 goto err;
1696 }
1697 }
1698 else if (i == 0)
1699 {
1700 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1701 goto err;
1702 }
1703 else
1704 {
1705 if (debug)
1706 printf("client wrote %d\n",i);
1707 /* ok */
1708 s_r=1;
1709 c_write=0;
1710 cw_num-=i;
1711 }
1712 }
1713 else
1714 {
1715 i=BIO_read(c_bio,cbuf,sizeof(cbuf));
1716 if (i < 0)
1717 {
1718 c_r=0;
1719 c_w=0;
1720 if (BIO_should_retry(c_bio))
1721 {
1722 if (BIO_should_read(c_bio))
1723 c_r=1;
1724 if (BIO_should_write(c_bio))
1725 c_w=1;
1726 }
1727 else
1728 {
1729 fprintf(stderr,"ERROR in CLIENT\n");
1730 ERR_print_errors(bio_err);
1731 goto err;
1732 }
1733 }
1734 else if (i == 0)
1735 {
1736 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n");
1737 goto err;
1738 }
1739 else
1740 {
1741 if (debug)
1742 printf("client read %d\n",i);
1743 cr_num-=i;
1744 if (sw_num > 0)
1745 {
1746 s_write=1;
1747 s_w=1;
1748 }
1749 if (cr_num <= 0)
1750 {
1751 s_write=1;
1752 s_w=1;
1753 done=S_DONE|C_DONE;
1754 }
1755 }
1756 }
1757 }
1758
1759 if (do_server && !(done & S_DONE))
1760 {
1761 if (!s_write)
1762 {
1763 i=BIO_read(s_bio,sbuf,sizeof(cbuf));
1764 if (i < 0)
1765 {
1766 s_r=0;
1767 s_w=0;
1768 if (BIO_should_retry(s_bio))
1769 {
1770 if (BIO_should_read(s_bio))
1771 s_r=1;
1772 if (BIO_should_write(s_bio))
1773 s_w=1;
1774 }
1775 else
1776 {
1777 fprintf(stderr,"ERROR in SERVER\n");
1778 ERR_print_errors(bio_err);
1779 goto err;
1780 }
1781 }
1782 else if (i == 0)
1783 {
1784 ERR_print_errors(bio_err);
1785 fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_read\n");
1786 goto err;
1787 }
1788 else
1789 {
1790 if (debug)
1791 printf("server read %d\n",i);
1792 sr_num-=i;
1793 if (cw_num > 0)
1794 {
1795 c_write=1;
1796 c_w=1;
1797 }
1798 if (sr_num <= 0)
1799 {
1800 s_write=1;
1801 s_w=1;
1802 c_write=0;
1803 }
1804 }
1805 }
1806 else
1807 {
1808 j = (sw_num > (long)sizeof(sbuf)) ?
1809 (int)sizeof(sbuf) : (int)sw_num;
1810 i=BIO_write(s_bio,sbuf,j);
1811 if (i < 0)
1812 {
1813 s_r=0;
1814 s_w=0;
1815 if (BIO_should_retry(s_bio))
1816 {
1817 if (BIO_should_read(s_bio))
1818 s_r=1;
1819 if (BIO_should_write(s_bio))
1820 s_w=1;
1821 }
1822 else
1823 {
1824 fprintf(stderr,"ERROR in SERVER\n");
1825 ERR_print_errors(bio_err);
1826 goto err;
1827 }
1828 }
1829 else if (i == 0)
1830 {
1831 ERR_print_errors(bio_err);
1832 fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_write\n");
1833 goto err;
1834 }
1835 else
1836 {
1837 if (debug)
1838 printf("server wrote %d\n",i);
1839 sw_num-=i;
1840 s_write=0;
1841 c_r=1;
1842 if (sw_num <= 0)
1843 done|=S_DONE;
1844 }
1845 }
1846 }
1847
1848 if ((done & S_DONE) && (done & C_DONE)) break;
1849 }
1850
1851 if (verbose)
1852 print_details(c_ssl, "DONE: ");
1853 ret=0;
1854 err:
1855 /* We have to set the BIO's to NULL otherwise they will be
1856 * OPENSSL_free()ed twice. Once when th s_ssl is SSL_free()ed and
1857 * again when c_ssl is SSL_free()ed.
1858 * This is a hack required because s_ssl and c_ssl are sharing the same
1859 * BIO structure and SSL_set_bio() and SSL_free() automatically
1860 * BIO_free non NULL entries.
1861 * You should not normally do this or be required to do this */
1862 if (s_ssl != NULL)
1863 {
1864 s_ssl->rbio=NULL;
1865 s_ssl->wbio=NULL;
1866 }
1867 if (c_ssl != NULL)
1868 {
1869 c_ssl->rbio=NULL;
1870 c_ssl->wbio=NULL;
1871 }
1872
1873 if (c_to_s != NULL) BIO_free(c_to_s);
1874 if (s_to_c != NULL) BIO_free(s_to_c);
1875 if (c_bio != NULL) BIO_free_all(c_bio);
1876 if (s_bio != NULL) BIO_free_all(s_bio);
1877 return(ret);
1878 }
1879
get_proxy_auth_ex_data_idx(void)1880 static int get_proxy_auth_ex_data_idx(void)
1881 {
1882 static volatile int idx = -1;
1883 if (idx < 0)
1884 {
1885 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
1886 if (idx < 0)
1887 {
1888 idx = X509_STORE_CTX_get_ex_new_index(0,
1889 "SSLtest for verify callback", NULL,NULL,NULL);
1890 }
1891 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
1892 }
1893 return idx;
1894 }
1895
verify_callback(int ok,X509_STORE_CTX * ctx)1896 static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
1897 {
1898 char *s,buf[256];
1899
1900 s=X509_NAME_oneline(X509_get_subject_name(ctx->current_cert),buf,
1901 sizeof buf);
1902 if (s != NULL)
1903 {
1904 if (ok)
1905 fprintf(stderr,"depth=%d %s\n",
1906 ctx->error_depth,buf);
1907 else
1908 {
1909 fprintf(stderr,"depth=%d error=%d %s\n",
1910 ctx->error_depth,ctx->error,buf);
1911 }
1912 }
1913
1914 if (ok == 0)
1915 {
1916 fprintf(stderr,"Error string: %s\n",
1917 X509_verify_cert_error_string(ctx->error));
1918 switch (ctx->error)
1919 {
1920 case X509_V_ERR_CERT_NOT_YET_VALID:
1921 case X509_V_ERR_CERT_HAS_EXPIRED:
1922 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
1923 fprintf(stderr," ... ignored.\n");
1924 ok=1;
1925 }
1926 }
1927
1928 if (ok == 1)
1929 {
1930 X509 *xs = ctx->current_cert;
1931 #if 0
1932 X509 *xi = ctx->current_issuer;
1933 #endif
1934
1935 if (xs->ex_flags & EXFLAG_PROXY)
1936 {
1937 unsigned int *letters =
1938 X509_STORE_CTX_get_ex_data(ctx,
1939 get_proxy_auth_ex_data_idx());
1940
1941 if (letters)
1942 {
1943 int found_any = 0;
1944 int i;
1945 PROXY_CERT_INFO_EXTENSION *pci =
1946 X509_get_ext_d2i(xs, NID_proxyCertInfo,
1947 NULL, NULL);
1948
1949 switch (OBJ_obj2nid(pci->proxyPolicy->policyLanguage))
1950 {
1951 case NID_Independent:
1952 /* Completely meaningless in this
1953 program, as there's no way to
1954 grant explicit rights to a
1955 specific PrC. Basically, using
1956 id-ppl-Independent is the perfect
1957 way to grant no rights at all. */
1958 fprintf(stderr, " Independent proxy certificate");
1959 for (i = 0; i < 26; i++)
1960 letters[i] = 0;
1961 break;
1962 case NID_id_ppl_inheritAll:
1963 /* This is basically a NOP, we
1964 simply let the current rights
1965 stand as they are. */
1966 fprintf(stderr, " Proxy certificate inherits all");
1967 break;
1968 default:
1969 s = (char *)
1970 pci->proxyPolicy->policy->data;
1971 i = pci->proxyPolicy->policy->length;
1972
1973 /* The algorithm works as follows:
1974 it is assumed that previous
1975 iterations or the initial granted
1976 rights has already set some elements
1977 of `letters'. What we need to do is
1978 to clear those that weren't granted
1979 by the current PrC as well. The
1980 easiest way to do this is to add 1
1981 to all the elements whose letters
1982 are given with the current policy.
1983 That way, all elements that are set
1984 by the current policy and were
1985 already set by earlier policies and
1986 through the original grant of rights
1987 will get the value 2 or higher.
1988 The last thing to do is to sweep
1989 through `letters' and keep the
1990 elements having the value 2 as set,
1991 and clear all the others. */
1992
1993 fprintf(stderr, " Certificate proxy rights = %*.*s", i, i, s);
1994 while(i-- > 0)
1995 {
1996 int c = *s++;
1997 if (isascii(c) && isalpha(c))
1998 {
1999 if (islower(c))
2000 c = toupper(c);
2001 letters[c - 'A']++;
2002 }
2003 }
2004 for (i = 0; i < 26; i++)
2005 if (letters[i] < 2)
2006 letters[i] = 0;
2007 else
2008 letters[i] = 1;
2009 }
2010
2011 found_any = 0;
2012 fprintf(stderr,
2013 ", resulting proxy rights = ");
2014 for(i = 0; i < 26; i++)
2015 if (letters[i])
2016 {
2017 fprintf(stderr, "%c", i + 'A');
2018 found_any = 1;
2019 }
2020 if (!found_any)
2021 fprintf(stderr, "none");
2022 fprintf(stderr, "\n");
2023
2024 PROXY_CERT_INFO_EXTENSION_free(pci);
2025 }
2026 }
2027 }
2028
2029 return(ok);
2030 }
2031
process_proxy_debug(int indent,const char * format,...)2032 static void process_proxy_debug(int indent, const char *format, ...)
2033 {
2034 static const char indentation[] =
2035 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
2036 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"; /* That's 80 > */
2037 char my_format[256];
2038 va_list args;
2039
2040 BIO_snprintf(my_format, sizeof(my_format), "%*.*s %s",
2041 indent, indent, indentation, format);
2042
2043 va_start(args, format);
2044 vfprintf(stderr, my_format, args);
2045 va_end(args);
2046 }
2047 /* Priority levels:
2048 0 [!]var, ()
2049 1 & ^
2050 2 |
2051 */
2052 static int process_proxy_cond_adders(unsigned int letters[26],
2053 const char *cond, const char **cond_end, int *pos, int indent);
process_proxy_cond_val(unsigned int letters[26],const char * cond,const char ** cond_end,int * pos,int indent)2054 static int process_proxy_cond_val(unsigned int letters[26],
2055 const char *cond, const char **cond_end, int *pos, int indent)
2056 {
2057 int c;
2058 int ok = 1;
2059 int negate = 0;
2060
2061 while(isspace((int)*cond))
2062 {
2063 cond++; (*pos)++;
2064 }
2065 c = *cond;
2066
2067 if (debug)
2068 process_proxy_debug(indent,
2069 "Start process_proxy_cond_val at position %d: %s\n",
2070 *pos, cond);
2071
2072 while(c == '!')
2073 {
2074 negate = !negate;
2075 cond++; (*pos)++;
2076 while(isspace((int)*cond))
2077 {
2078 cond++; (*pos)++;
2079 }
2080 c = *cond;
2081 }
2082
2083 if (c == '(')
2084 {
2085 cond++; (*pos)++;
2086 ok = process_proxy_cond_adders(letters, cond, cond_end, pos,
2087 indent + 1);
2088 cond = *cond_end;
2089 if (ok < 0)
2090 goto end;
2091 while(isspace((int)*cond))
2092 {
2093 cond++; (*pos)++;
2094 }
2095 c = *cond;
2096 if (c != ')')
2097 {
2098 fprintf(stderr,
2099 "Weird condition character in position %d: "
2100 "%c\n", *pos, c);
2101 ok = -1;
2102 goto end;
2103 }
2104 cond++; (*pos)++;
2105 }
2106 else if (isascii(c) && isalpha(c))
2107 {
2108 if (islower(c))
2109 c = toupper(c);
2110 ok = letters[c - 'A'];
2111 cond++; (*pos)++;
2112 }
2113 else
2114 {
2115 fprintf(stderr,
2116 "Weird condition character in position %d: "
2117 "%c\n", *pos, c);
2118 ok = -1;
2119 goto end;
2120 }
2121 end:
2122 *cond_end = cond;
2123 if (ok >= 0 && negate)
2124 ok = !ok;
2125
2126 if (debug)
2127 process_proxy_debug(indent,
2128 "End process_proxy_cond_val at position %d: %s, returning %d\n",
2129 *pos, cond, ok);
2130
2131 return ok;
2132 }
process_proxy_cond_multipliers(unsigned int letters[26],const char * cond,const char ** cond_end,int * pos,int indent)2133 static int process_proxy_cond_multipliers(unsigned int letters[26],
2134 const char *cond, const char **cond_end, int *pos, int indent)
2135 {
2136 int ok;
2137 char c;
2138
2139 if (debug)
2140 process_proxy_debug(indent,
2141 "Start process_proxy_cond_multipliers at position %d: %s\n",
2142 *pos, cond);
2143
2144 ok = process_proxy_cond_val(letters, cond, cond_end, pos, indent + 1);
2145 cond = *cond_end;
2146 if (ok < 0)
2147 goto end;
2148
2149 while(ok >= 0)
2150 {
2151 while(isspace((int)*cond))
2152 {
2153 cond++; (*pos)++;
2154 }
2155 c = *cond;
2156
2157 switch(c)
2158 {
2159 case '&':
2160 case '^':
2161 {
2162 int save_ok = ok;
2163
2164 cond++; (*pos)++;
2165 ok = process_proxy_cond_val(letters,
2166 cond, cond_end, pos, indent + 1);
2167 cond = *cond_end;
2168 if (ok < 0)
2169 break;
2170
2171 switch(c)
2172 {
2173 case '&':
2174 ok &= save_ok;
2175 break;
2176 case '^':
2177 ok ^= save_ok;
2178 break;
2179 default:
2180 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
2181 " STOPPING\n");
2182 EXIT(1);
2183 }
2184 }
2185 break;
2186 default:
2187 goto end;
2188 }
2189 }
2190 end:
2191 if (debug)
2192 process_proxy_debug(indent,
2193 "End process_proxy_cond_multipliers at position %d: %s, returning %d\n",
2194 *pos, cond, ok);
2195
2196 *cond_end = cond;
2197 return ok;
2198 }
process_proxy_cond_adders(unsigned int letters[26],const char * cond,const char ** cond_end,int * pos,int indent)2199 static int process_proxy_cond_adders(unsigned int letters[26],
2200 const char *cond, const char **cond_end, int *pos, int indent)
2201 {
2202 int ok;
2203 char c;
2204
2205 if (debug)
2206 process_proxy_debug(indent,
2207 "Start process_proxy_cond_adders at position %d: %s\n",
2208 *pos, cond);
2209
2210 ok = process_proxy_cond_multipliers(letters, cond, cond_end, pos,
2211 indent + 1);
2212 cond = *cond_end;
2213 if (ok < 0)
2214 goto end;
2215
2216 while(ok >= 0)
2217 {
2218 while(isspace((int)*cond))
2219 {
2220 cond++; (*pos)++;
2221 }
2222 c = *cond;
2223
2224 switch(c)
2225 {
2226 case '|':
2227 {
2228 int save_ok = ok;
2229
2230 cond++; (*pos)++;
2231 ok = process_proxy_cond_multipliers(letters,
2232 cond, cond_end, pos, indent + 1);
2233 cond = *cond_end;
2234 if (ok < 0)
2235 break;
2236
2237 switch(c)
2238 {
2239 case '|':
2240 ok |= save_ok;
2241 break;
2242 default:
2243 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
2244 " STOPPING\n");
2245 EXIT(1);
2246 }
2247 }
2248 break;
2249 default:
2250 goto end;
2251 }
2252 }
2253 end:
2254 if (debug)
2255 process_proxy_debug(indent,
2256 "End process_proxy_cond_adders at position %d: %s, returning %d\n",
2257 *pos, cond, ok);
2258
2259 *cond_end = cond;
2260 return ok;
2261 }
2262
process_proxy_cond(unsigned int letters[26],const char * cond,const char ** cond_end)2263 static int process_proxy_cond(unsigned int letters[26],
2264 const char *cond, const char **cond_end)
2265 {
2266 int pos = 1;
2267 return process_proxy_cond_adders(letters, cond, cond_end, &pos, 1);
2268 }
2269
app_verify_callback(X509_STORE_CTX * ctx,void * arg)2270 static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg)
2271 {
2272 int ok=1;
2273 struct app_verify_arg *cb_arg = arg;
2274 unsigned int letters[26]; /* only used with proxy_auth */
2275
2276 if (cb_arg->app_verify)
2277 {
2278 char *s = NULL,buf[256];
2279
2280 fprintf(stderr, "In app_verify_callback, allowing cert. ");
2281 fprintf(stderr, "Arg is: %s\n", cb_arg->string);
2282 fprintf(stderr, "Finished printing do we have a context? 0x%p a cert? 0x%p\n",
2283 (void *)ctx, (void *)ctx->cert);
2284 if (ctx->cert)
2285 s=X509_NAME_oneline(X509_get_subject_name(ctx->cert),buf,256);
2286 if (s != NULL)
2287 {
2288 fprintf(stderr,"cert depth=%d %s\n",ctx->error_depth,buf);
2289 }
2290 return(1);
2291 }
2292 if (cb_arg->proxy_auth)
2293 {
2294 int found_any = 0, i;
2295 char *sp;
2296
2297 for(i = 0; i < 26; i++)
2298 letters[i] = 0;
2299 for(sp = cb_arg->proxy_auth; *sp; sp++)
2300 {
2301 int c = *sp;
2302 if (isascii(c) && isalpha(c))
2303 {
2304 if (islower(c))
2305 c = toupper(c);
2306 letters[c - 'A'] = 1;
2307 }
2308 }
2309
2310 fprintf(stderr,
2311 " Initial proxy rights = ");
2312 for(i = 0; i < 26; i++)
2313 if (letters[i])
2314 {
2315 fprintf(stderr, "%c", i + 'A');
2316 found_any = 1;
2317 }
2318 if (!found_any)
2319 fprintf(stderr, "none");
2320 fprintf(stderr, "\n");
2321
2322 X509_STORE_CTX_set_ex_data(ctx,
2323 get_proxy_auth_ex_data_idx(),letters);
2324 }
2325 if (cb_arg->allow_proxy_certs)
2326 {
2327 X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
2328 }
2329
2330 #ifndef OPENSSL_NO_X509_VERIFY
2331 ok = X509_verify_cert(ctx);
2332 #endif
2333
2334 if (cb_arg->proxy_auth)
2335 {
2336 if (ok > 0)
2337 {
2338 const char *cond_end = NULL;
2339
2340 ok = process_proxy_cond(letters,
2341 cb_arg->proxy_cond, &cond_end);
2342
2343 if (ok < 0)
2344 EXIT(3);
2345 if (*cond_end)
2346 {
2347 fprintf(stderr, "Stopped processing condition before it's end.\n");
2348 ok = 0;
2349 }
2350 if (!ok)
2351 fprintf(stderr, "Proxy rights check with condition '%s' proved invalid\n",
2352 cb_arg->proxy_cond);
2353 else
2354 fprintf(stderr, "Proxy rights check with condition '%s' proved valid\n",
2355 cb_arg->proxy_cond);
2356 }
2357 }
2358 return(ok);
2359 }
2360
2361 #ifndef OPENSSL_NO_RSA
2362 static RSA *rsa_tmp=NULL;
2363
tmp_rsa_cb(SSL * s,int is_export,int keylength)2364 static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength)
2365 {
2366 BIGNUM *bn = NULL;
2367 if (rsa_tmp == NULL)
2368 {
2369 bn = BN_new();
2370 rsa_tmp = RSA_new();
2371 if(!bn || !rsa_tmp || !BN_set_word(bn, RSA_F4))
2372 {
2373 BIO_printf(bio_err, "Memory error...");
2374 goto end;
2375 }
2376 BIO_printf(bio_err,"Generating temp (%d bit) RSA key...",keylength);
2377 (void)BIO_flush(bio_err);
2378 if(!RSA_generate_key_ex(rsa_tmp,keylength,bn,NULL))
2379 {
2380 BIO_printf(bio_err, "Error generating key.");
2381 RSA_free(rsa_tmp);
2382 rsa_tmp = NULL;
2383 }
2384 end:
2385 BIO_printf(bio_err,"\n");
2386 (void)BIO_flush(bio_err);
2387 }
2388 if(bn) BN_free(bn);
2389 return(rsa_tmp);
2390 }
2391
free_tmp_rsa(void)2392 static void free_tmp_rsa(void)
2393 {
2394 if (rsa_tmp != NULL)
2395 {
2396 RSA_free(rsa_tmp);
2397 rsa_tmp = NULL;
2398 }
2399 }
2400 #endif
2401
2402 #ifndef OPENSSL_NO_DH
2403 /* These DH parameters have been generated as follows:
2404 * $ openssl dhparam -C -noout 512
2405 * $ openssl dhparam -C -noout 1024
2406 * $ openssl dhparam -C -noout -dsaparam 1024
2407 * (The third function has been renamed to avoid name conflicts.)
2408 */
get_dh512()2409 static DH *get_dh512()
2410 {
2411 static unsigned char dh512_p[]={
2412 0xCB,0xC8,0xE1,0x86,0xD0,0x1F,0x94,0x17,0xA6,0x99,0xF0,0xC6,
2413 0x1F,0x0D,0xAC,0xB6,0x25,0x3E,0x06,0x39,0xCA,0x72,0x04,0xB0,
2414 0x6E,0xDA,0xC0,0x61,0xE6,0x7A,0x77,0x25,0xE8,0x3B,0xB9,0x5F,
2415 0x9A,0xB6,0xB5,0xFE,0x99,0x0B,0xA1,0x93,0x4E,0x35,0x33,0xB8,
2416 0xE1,0xF1,0x13,0x4F,0x59,0x1A,0xD2,0x57,0xC0,0x26,0x21,0x33,
2417 0x02,0xC5,0xAE,0x23,
2418 };
2419 static unsigned char dh512_g[]={
2420 0x02,
2421 };
2422 DH *dh;
2423
2424 if ((dh=DH_new()) == NULL) return(NULL);
2425 dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL);
2426 dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL);
2427 if ((dh->p == NULL) || (dh->g == NULL))
2428 { DH_free(dh); return(NULL); }
2429 return(dh);
2430 }
2431
get_dh1024()2432 static DH *get_dh1024()
2433 {
2434 static unsigned char dh1024_p[]={
2435 0xF8,0x81,0x89,0x7D,0x14,0x24,0xC5,0xD1,0xE6,0xF7,0xBF,0x3A,
2436 0xE4,0x90,0xF4,0xFC,0x73,0xFB,0x34,0xB5,0xFA,0x4C,0x56,0xA2,
2437 0xEA,0xA7,0xE9,0xC0,0xC0,0xCE,0x89,0xE1,0xFA,0x63,0x3F,0xB0,
2438 0x6B,0x32,0x66,0xF1,0xD1,0x7B,0xB0,0x00,0x8F,0xCA,0x87,0xC2,
2439 0xAE,0x98,0x89,0x26,0x17,0xC2,0x05,0xD2,0xEC,0x08,0xD0,0x8C,
2440 0xFF,0x17,0x52,0x8C,0xC5,0x07,0x93,0x03,0xB1,0xF6,0x2F,0xB8,
2441 0x1C,0x52,0x47,0x27,0x1B,0xDB,0xD1,0x8D,0x9D,0x69,0x1D,0x52,
2442 0x4B,0x32,0x81,0xAA,0x7F,0x00,0xC8,0xDC,0xE6,0xD9,0xCC,0xC1,
2443 0x11,0x2D,0x37,0x34,0x6C,0xEA,0x02,0x97,0x4B,0x0E,0xBB,0xB1,
2444 0x71,0x33,0x09,0x15,0xFD,0xDD,0x23,0x87,0x07,0x5E,0x89,0xAB,
2445 0x6B,0x7C,0x5F,0xEC,0xA6,0x24,0xDC,0x53,
2446 };
2447 static unsigned char dh1024_g[]={
2448 0x02,
2449 };
2450 DH *dh;
2451
2452 if ((dh=DH_new()) == NULL) return(NULL);
2453 dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
2454 dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
2455 if ((dh->p == NULL) || (dh->g == NULL))
2456 { DH_free(dh); return(NULL); }
2457 return(dh);
2458 }
2459
get_dh1024dsa()2460 static DH *get_dh1024dsa()
2461 {
2462 static unsigned char dh1024_p[]={
2463 0xC8,0x00,0xF7,0x08,0x07,0x89,0x4D,0x90,0x53,0xF3,0xD5,0x00,
2464 0x21,0x1B,0xF7,0x31,0xA6,0xA2,0xDA,0x23,0x9A,0xC7,0x87,0x19,
2465 0x3B,0x47,0xB6,0x8C,0x04,0x6F,0xFF,0xC6,0x9B,0xB8,0x65,0xD2,
2466 0xC2,0x5F,0x31,0x83,0x4A,0xA7,0x5F,0x2F,0x88,0x38,0xB6,0x55,
2467 0xCF,0xD9,0x87,0x6D,0x6F,0x9F,0xDA,0xAC,0xA6,0x48,0xAF,0xFC,
2468 0x33,0x84,0x37,0x5B,0x82,0x4A,0x31,0x5D,0xE7,0xBD,0x52,0x97,
2469 0xA1,0x77,0xBF,0x10,0x9E,0x37,0xEA,0x64,0xFA,0xCA,0x28,0x8D,
2470 0x9D,0x3B,0xD2,0x6E,0x09,0x5C,0x68,0xC7,0x45,0x90,0xFD,0xBB,
2471 0x70,0xC9,0x3A,0xBB,0xDF,0xD4,0x21,0x0F,0xC4,0x6A,0x3C,0xF6,
2472 0x61,0xCF,0x3F,0xD6,0x13,0xF1,0x5F,0xBC,0xCF,0xBC,0x26,0x9E,
2473 0xBC,0x0B,0xBD,0xAB,0x5D,0xC9,0x54,0x39,
2474 };
2475 static unsigned char dh1024_g[]={
2476 0x3B,0x40,0x86,0xE7,0xF3,0x6C,0xDE,0x67,0x1C,0xCC,0x80,0x05,
2477 0x5A,0xDF,0xFE,0xBD,0x20,0x27,0x74,0x6C,0x24,0xC9,0x03,0xF3,
2478 0xE1,0x8D,0xC3,0x7D,0x98,0x27,0x40,0x08,0xB8,0x8C,0x6A,0xE9,
2479 0xBB,0x1A,0x3A,0xD6,0x86,0x83,0x5E,0x72,0x41,0xCE,0x85,0x3C,
2480 0xD2,0xB3,0xFC,0x13,0xCE,0x37,0x81,0x9E,0x4C,0x1C,0x7B,0x65,
2481 0xD3,0xE6,0xA6,0x00,0xF5,0x5A,0x95,0x43,0x5E,0x81,0xCF,0x60,
2482 0xA2,0x23,0xFC,0x36,0xA7,0x5D,0x7A,0x4C,0x06,0x91,0x6E,0xF6,
2483 0x57,0xEE,0x36,0xCB,0x06,0xEA,0xF5,0x3D,0x95,0x49,0xCB,0xA7,
2484 0xDD,0x81,0xDF,0x80,0x09,0x4A,0x97,0x4D,0xA8,0x22,0x72,0xA1,
2485 0x7F,0xC4,0x70,0x56,0x70,0xE8,0x20,0x10,0x18,0x8F,0x2E,0x60,
2486 0x07,0xE7,0x68,0x1A,0x82,0x5D,0x32,0xA2,
2487 };
2488 DH *dh;
2489
2490 if ((dh=DH_new()) == NULL) return(NULL);
2491 dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL);
2492 dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL);
2493 if ((dh->p == NULL) || (dh->g == NULL))
2494 { DH_free(dh); return(NULL); }
2495 dh->length = 160;
2496 return(dh);
2497 }
2498 #endif
2499
2500 #ifndef OPENSSL_NO_PSK
2501 /* convert the PSK key (psk_key) in ascii to binary (psk) */
psk_key2bn(const char * pskkey,unsigned char * psk,unsigned int max_psk_len)2502 static int psk_key2bn(const char *pskkey, unsigned char *psk,
2503 unsigned int max_psk_len)
2504 {
2505 int ret;
2506 BIGNUM *bn = NULL;
2507
2508 ret = BN_hex2bn(&bn, pskkey);
2509 if (!ret)
2510 {
2511 BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", pskkey);
2512 if (bn)
2513 BN_free(bn);
2514 return 0;
2515 }
2516 if (BN_num_bytes(bn) > (int)max_psk_len)
2517 {
2518 BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n",
2519 max_psk_len, BN_num_bytes(bn));
2520 BN_free(bn);
2521 return 0;
2522 }
2523 ret = BN_bn2bin(bn, psk);
2524 BN_free(bn);
2525 return ret;
2526 }
2527
psk_client_callback(SSL * ssl,const char * hint,char * identity,unsigned int max_identity_len,unsigned char * psk,unsigned int max_psk_len)2528 static unsigned int psk_client_callback(SSL *ssl, const char *hint, char *identity,
2529 unsigned int max_identity_len, unsigned char *psk,
2530 unsigned int max_psk_len)
2531 {
2532 int ret;
2533 unsigned int psk_len = 0;
2534
2535 ret = BIO_snprintf(identity, max_identity_len, "Client_identity");
2536 if (ret < 0)
2537 goto out_err;
2538 if (debug)
2539 fprintf(stderr, "client: created identity '%s' len=%d\n", identity, ret);
2540 ret = psk_key2bn(psk_key, psk, max_psk_len);
2541 if (ret < 0)
2542 goto out_err;
2543 psk_len = ret;
2544 out_err:
2545 return psk_len;
2546 }
2547
psk_server_callback(SSL * ssl,const char * identity,unsigned char * psk,unsigned int max_psk_len)2548 static unsigned int psk_server_callback(SSL *ssl, const char *identity,
2549 unsigned char *psk, unsigned int max_psk_len)
2550 {
2551 unsigned int psk_len=0;
2552
2553 if (strcmp(identity, "Client_identity") != 0)
2554 {
2555 BIO_printf(bio_err, "server: PSK error: client identity not found\n");
2556 return 0;
2557 }
2558 psk_len=psk_key2bn(psk_key, psk, max_psk_len);
2559 return psk_len;
2560 }
2561 #endif
2562
do_test_cipherlist(void)2563 static int do_test_cipherlist(void)
2564 {
2565 int i = 0;
2566 const SSL_METHOD *meth;
2567 const SSL_CIPHER *ci, *tci = NULL;
2568
2569 #ifndef OPENSSL_NO_SSL2
2570 fprintf(stderr, "testing SSLv2 cipher list order: ");
2571 meth = SSLv2_method();
2572 while ((ci = meth->get_cipher(i++)) != NULL)
2573 {
2574 if (tci != NULL)
2575 if (ci->id >= tci->id)
2576 {
2577 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2578 return 0;
2579 }
2580 tci = ci;
2581 }
2582 fprintf(stderr, "ok\n");
2583 #endif
2584 #ifndef OPENSSL_NO_SSL3
2585 fprintf(stderr, "testing SSLv3 cipher list order: ");
2586 meth = SSLv3_method();
2587 tci = NULL;
2588 while ((ci = meth->get_cipher(i++)) != NULL)
2589 {
2590 if (tci != NULL)
2591 if (ci->id >= tci->id)
2592 {
2593 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2594 return 0;
2595 }
2596 tci = ci;
2597 }
2598 fprintf(stderr, "ok\n");
2599 #endif
2600 #ifndef OPENSSL_NO_TLS1
2601 fprintf(stderr, "testing TLSv1 cipher list order: ");
2602 meth = TLSv1_method();
2603 tci = NULL;
2604 while ((ci = meth->get_cipher(i++)) != NULL)
2605 {
2606 if (tci != NULL)
2607 if (ci->id >= tci->id)
2608 {
2609 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2610 return 0;
2611 }
2612 tci = ci;
2613 }
2614 fprintf(stderr, "ok\n");
2615 #endif
2616
2617 return 1;
2618 }
2619