1/* ssl/ssltest.c */ 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58/* ==================================================================== 59 * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111/* ==================================================================== 112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 113 * ECC cipher suite support in OpenSSL originally developed by 114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. 115 */ 116/* ==================================================================== 117 * Copyright 2005 Nokia. All rights reserved. 118 * 119 * The portions of the attached software ("Contribution") is developed by 120 * Nokia Corporation and is licensed pursuant to the OpenSSL open source 121 * license. 122 * 123 * The Contribution, originally written by Mika Kousa and Pasi Eronen of 124 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites 125 * support (see RFC 4279) to OpenSSL. 126 * 127 * No patent licenses or other rights except those expressly stated in 128 * the OpenSSL open source license shall be deemed granted or received 129 * expressly, by implication, estoppel, or otherwise. 130 * 131 * No assurances are provided by Nokia that the Contribution does not 132 * infringe the patent or other intellectual property rights of any third 133 * party or that the license provides you with all the necessary rights 134 * to make use of the Contribution. 135 * 136 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN 137 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA 138 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY 139 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR 140 * OTHERWISE. 141 */ 142 143#define _BSD_SOURCE 1 /* Or gethostname won't be declared properly 144 on Linux and GNU platforms. */ 145 146#include <assert.h> 147#include <errno.h> 148#include <limits.h> 149#include <stdio.h> 150#include <stdlib.h> 151#include <string.h> 152#include <time.h> 153 154#define USE_SOCKETS 155#include "e_os.h" 156 157#ifdef OPENSSL_SYS_VMS 158#define _XOPEN_SOURCE 500 /* Or isascii won't be declared properly on 159 VMS (at least with DECompHP C). */ 160#endif 161 162#include <ctype.h> 163 164#include <openssl/bio.h> 165#include <openssl/crypto.h> 166#include <openssl/evp.h> 167#include <openssl/x509.h> 168#include <openssl/x509v3.h> 169#include <openssl/ssl.h> 170#ifndef OPENSSL_NO_ENGINE 171#include <openssl/engine.h> 172#endif 173#include <openssl/err.h> 174#include <openssl/rand.h> 175#ifndef OPENSSL_NO_RSA 176#include <openssl/rsa.h> 177#endif 178#ifndef OPENSSL_NO_DSA 179#include <openssl/dsa.h> 180#endif 181#ifndef OPENSSL_NO_DH 182#include <openssl/dh.h> 183#endif 184#ifndef OPENSSL_NO_SRP 185#include <openssl/srp.h> 186#endif 187#include <openssl/bn.h> 188 189#define _XOPEN_SOURCE_EXTENDED 1 /* Or gethostname won't be declared properly 190 on Compaq platforms (at least with DEC C). 191 Do not try to put it earlier, or IPv6 includes 192 get screwed... 193 */ 194 195#ifdef OPENSSL_SYS_WINDOWS 196#include <winsock.h> 197#else 198#include OPENSSL_UNISTD 199#endif 200 201#ifdef OPENSSL_SYS_VMS 202# define TEST_SERVER_CERT "SYS$DISK:[-.APPS]SERVER.PEM" 203# define TEST_CLIENT_CERT "SYS$DISK:[-.APPS]CLIENT.PEM" 204#elif defined(OPENSSL_SYS_WINCE) 205# define TEST_SERVER_CERT "\\OpenSSL\\server.pem" 206# define TEST_CLIENT_CERT "\\OpenSSL\\client.pem" 207#elif defined(OPENSSL_SYS_NETWARE) 208# define TEST_SERVER_CERT "\\openssl\\apps\\server.pem" 209# define TEST_CLIENT_CERT "\\openssl\\apps\\client.pem" 210#else 211# define TEST_SERVER_CERT "../apps/server.pem" 212# define TEST_CLIENT_CERT "../apps/client.pem" 213#endif 214 215/* There is really no standard for this, so let's assign some tentative 216 numbers. In any case, these numbers are only for this test */ 217#define COMP_RLE 255 218#define COMP_ZLIB 1 219 220static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx); 221#ifndef OPENSSL_NO_RSA 222static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export,int keylength); 223static void free_tmp_rsa(void); 224#endif 225static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg); 226#define APP_CALLBACK_STRING "Test Callback Argument" 227struct app_verify_arg 228 { 229 char *string; 230 int app_verify; 231 int allow_proxy_certs; 232 char *proxy_auth; 233 char *proxy_cond; 234 }; 235 236#ifndef OPENSSL_NO_DH 237static DH *get_dh512(void); 238static DH *get_dh1024(void); 239static DH *get_dh1024dsa(void); 240#endif 241 242 243static char *psk_key=NULL; /* by default PSK is not used */ 244#ifndef OPENSSL_NO_PSK 245static unsigned int psk_client_callback(SSL *ssl, const char *hint, char *identity, 246 unsigned int max_identity_len, unsigned char *psk, 247 unsigned int max_psk_len); 248static unsigned int psk_server_callback(SSL *ssl, const char *identity, unsigned char *psk, 249 unsigned int max_psk_len); 250#endif 251 252#ifndef OPENSSL_NO_SRP 253/* SRP client */ 254/* This is a context that we pass to all callbacks */ 255typedef struct srp_client_arg_st 256 { 257 char *srppassin; 258 char *srplogin; 259 } SRP_CLIENT_ARG; 260 261#define PWD_STRLEN 1024 262 263static char * MS_CALLBACK ssl_give_srp_client_pwd_cb(SSL *s, void *arg) 264 { 265 SRP_CLIENT_ARG *srp_client_arg = (SRP_CLIENT_ARG *)arg; 266 return BUF_strdup((char *)srp_client_arg->srppassin); 267 } 268 269/* SRP server */ 270/* This is a context that we pass to SRP server callbacks */ 271typedef struct srp_server_arg_st 272 { 273 char *expected_user; 274 char *pass; 275 } SRP_SERVER_ARG; 276 277static int MS_CALLBACK ssl_srp_server_param_cb(SSL *s, int *ad, void *arg) 278 { 279 SRP_SERVER_ARG * p = (SRP_SERVER_ARG *) arg; 280 281 if (strcmp(p->expected_user, SSL_get_srp_username(s)) != 0) 282 { 283 fprintf(stderr, "User %s doesn't exist\n", SSL_get_srp_username(s)); 284 return SSL3_AL_FATAL; 285 } 286 if (SSL_set_srp_server_param_pw(s,p->expected_user,p->pass,"1024")<0) 287 { 288 *ad = SSL_AD_INTERNAL_ERROR; 289 return SSL3_AL_FATAL; 290 } 291 return SSL_ERROR_NONE; 292 } 293#endif 294 295static BIO *bio_err=NULL; 296static BIO *bio_stdout=NULL; 297 298static char *cipher=NULL; 299static int verbose=0; 300static int debug=0; 301#if 0 302/* Not used yet. */ 303#ifdef FIONBIO 304static int s_nbio=0; 305#endif 306#endif 307 308static const char rnd_seed[] = "string to make the random number generator think it has entropy"; 309 310int doit_biopair(SSL *s_ssl,SSL *c_ssl,long bytes,clock_t *s_time,clock_t *c_time); 311int doit(SSL *s_ssl,SSL *c_ssl,long bytes); 312static int do_test_cipherlist(void); 313static void sv_usage(void) 314 { 315 fprintf(stderr,"usage: ssltest [args ...]\n"); 316 fprintf(stderr,"\n"); 317#ifdef OPENSSL_FIPS 318 fprintf(stderr,"-F - run test in FIPS mode\n"); 319#endif 320 fprintf(stderr," -server_auth - check server certificate\n"); 321 fprintf(stderr," -client_auth - do client authentication\n"); 322 fprintf(stderr," -proxy - allow proxy certificates\n"); 323 fprintf(stderr," -proxy_auth <val> - set proxy policy rights\n"); 324 fprintf(stderr," -proxy_cond <val> - experssion to test proxy policy rights\n"); 325 fprintf(stderr," -v - more output\n"); 326 fprintf(stderr," -d - debug output\n"); 327 fprintf(stderr," -reuse - use session-id reuse\n"); 328 fprintf(stderr," -num <val> - number of connections to perform\n"); 329 fprintf(stderr," -bytes <val> - number of bytes to swap between client/server\n"); 330#ifndef OPENSSL_NO_DH 331 fprintf(stderr," -dhe1024 - use 1024 bit key (safe prime) for DHE\n"); 332 fprintf(stderr," -dhe1024dsa - use 1024 bit key (with 160-bit subprime) for DHE\n"); 333 fprintf(stderr," -no_dhe - disable DHE\n"); 334#endif 335#ifndef OPENSSL_NO_ECDH 336 fprintf(stderr," -no_ecdhe - disable ECDHE\n"); 337#endif 338#ifndef OPENSSL_NO_PSK 339 fprintf(stderr," -psk arg - PSK in hex (without 0x)\n"); 340#endif 341#ifndef OPENSSL_NO_SRP 342 fprintf(stderr," -srpuser user - SRP username to use\n"); 343 fprintf(stderr," -srppass arg - password for 'user'\n"); 344#endif 345#ifndef OPENSSL_NO_SSL2 346 fprintf(stderr," -ssl2 - use SSLv2\n"); 347#endif 348#ifndef OPENSSL_NO_SSL3 349 fprintf(stderr," -ssl3 - use SSLv3\n"); 350#endif 351#ifndef OPENSSL_NO_TLS1 352 fprintf(stderr," -tls1 - use TLSv1\n"); 353#endif 354 fprintf(stderr," -CApath arg - PEM format directory of CA's\n"); 355 fprintf(stderr," -CAfile arg - PEM format file of CA's\n"); 356 fprintf(stderr," -cert arg - Server certificate file\n"); 357 fprintf(stderr," -key arg - Server key file (default: same as -cert)\n"); 358 fprintf(stderr," -c_cert arg - Client certificate file\n"); 359 fprintf(stderr," -c_key arg - Client key file (default: same as -c_cert)\n"); 360 fprintf(stderr," -cipher arg - The cipher list\n"); 361 fprintf(stderr," -bio_pair - Use BIO pairs\n"); 362 fprintf(stderr," -f - Test even cases that can't work\n"); 363 fprintf(stderr," -time - measure processor time used by client and server\n"); 364 fprintf(stderr," -zlib - use zlib compression\n"); 365 fprintf(stderr," -rle - use rle compression\n"); 366#ifndef OPENSSL_NO_ECDH 367 fprintf(stderr," -named_curve arg - Elliptic curve name to use for ephemeral ECDH keys.\n" \ 368 " Use \"openssl ecparam -list_curves\" for all names\n" \ 369 " (default is sect163r2).\n"); 370#endif 371 fprintf(stderr," -test_cipherlist - verifies the order of the ssl cipher lists\n"); 372 fprintf(stderr," -cutthrough - enable 1-RTT full-handshake for strong ciphers\n"); 373 } 374 375static void print_details(SSL *c_ssl, const char *prefix) 376 { 377 const SSL_CIPHER *ciph; 378 X509 *cert; 379 380 ciph=SSL_get_current_cipher(c_ssl); 381 BIO_printf(bio_stdout,"%s%s, cipher %s %s", 382 prefix, 383 SSL_get_version(c_ssl), 384 SSL_CIPHER_get_version(ciph), 385 SSL_CIPHER_get_name(ciph)); 386 cert=SSL_get_peer_certificate(c_ssl); 387 if (cert != NULL) 388 { 389 EVP_PKEY *pkey = X509_get_pubkey(cert); 390 if (pkey != NULL) 391 { 392 if (0) 393 ; 394#ifndef OPENSSL_NO_RSA 395 else if (pkey->type == EVP_PKEY_RSA && pkey->pkey.rsa != NULL 396 && pkey->pkey.rsa->n != NULL) 397 { 398 BIO_printf(bio_stdout, ", %d bit RSA", 399 BN_num_bits(pkey->pkey.rsa->n)); 400 } 401#endif 402#ifndef OPENSSL_NO_DSA 403 else if (pkey->type == EVP_PKEY_DSA && pkey->pkey.dsa != NULL 404 && pkey->pkey.dsa->p != NULL) 405 { 406 BIO_printf(bio_stdout, ", %d bit DSA", 407 BN_num_bits(pkey->pkey.dsa->p)); 408 } 409#endif 410 EVP_PKEY_free(pkey); 411 } 412 X509_free(cert); 413 } 414 /* The SSL API does not allow us to look at temporary RSA/DH keys, 415 * otherwise we should print their lengths too */ 416 BIO_printf(bio_stdout,"\n"); 417 } 418 419static void lock_dbg_cb(int mode, int type, const char *file, int line) 420 { 421 static int modes[CRYPTO_NUM_LOCKS]; /* = {0, 0, ... } */ 422 const char *errstr = NULL; 423 int rw; 424 425 rw = mode & (CRYPTO_READ|CRYPTO_WRITE); 426 if (!((rw == CRYPTO_READ) || (rw == CRYPTO_WRITE))) 427 { 428 errstr = "invalid mode"; 429 goto err; 430 } 431 432 if (type < 0 || type >= CRYPTO_NUM_LOCKS) 433 { 434 errstr = "type out of bounds"; 435 goto err; 436 } 437 438 if (mode & CRYPTO_LOCK) 439 { 440 if (modes[type]) 441 { 442 errstr = "already locked"; 443 /* must not happen in a single-threaded program 444 * (would deadlock) */ 445 goto err; 446 } 447 448 modes[type] = rw; 449 } 450 else if (mode & CRYPTO_UNLOCK) 451 { 452 if (!modes[type]) 453 { 454 errstr = "not locked"; 455 goto err; 456 } 457 458 if (modes[type] != rw) 459 { 460 errstr = (rw == CRYPTO_READ) ? 461 "CRYPTO_r_unlock on write lock" : 462 "CRYPTO_w_unlock on read lock"; 463 } 464 465 modes[type] = 0; 466 } 467 else 468 { 469 errstr = "invalid mode"; 470 goto err; 471 } 472 473 err: 474 if (errstr) 475 { 476 /* we cannot use bio_err here */ 477 fprintf(stderr, "openssl (lock_dbg_cb): %s (mode=%d, type=%d) at %s:%d\n", 478 errstr, mode, type, file, line); 479 } 480 } 481 482#ifdef TLSEXT_TYPE_opaque_prf_input 483struct cb_info_st { void *input; size_t len; int ret; }; 484struct cb_info_st co1 = { "C", 1, 1 }; /* try to negotiate oqaque PRF input */ 485struct cb_info_st co2 = { "C", 1, 2 }; /* insist on oqaque PRF input */ 486struct cb_info_st so1 = { "S", 1, 1 }; /* try to negotiate oqaque PRF input */ 487struct cb_info_st so2 = { "S", 1, 2 }; /* insist on oqaque PRF input */ 488 489int opaque_prf_input_cb(SSL *ssl, void *peerinput, size_t len, void *arg_) 490 { 491 struct cb_info_st *arg = arg_; 492 493 if (arg == NULL) 494 return 1; 495 496 if (!SSL_set_tlsext_opaque_prf_input(ssl, arg->input, arg->len)) 497 return 0; 498 return arg->ret; 499 } 500#endif 501 502int main(int argc, char *argv[]) 503 { 504 char *CApath=NULL,*CAfile=NULL; 505 int badop=0; 506 int bio_pair=0; 507 int force=0; 508 int tls1=0,ssl2=0,ssl3=0,ret=1; 509 int client_auth=0; 510 int server_auth=0,i; 511 struct app_verify_arg app_verify_arg = 512 { APP_CALLBACK_STRING, 0, 0, NULL, NULL }; 513 char *server_cert=TEST_SERVER_CERT; 514 char *server_key=NULL; 515 char *client_cert=TEST_CLIENT_CERT; 516 char *client_key=NULL; 517#ifndef OPENSSL_NO_ECDH 518 char *named_curve = NULL; 519#endif 520 SSL_CTX *s_ctx=NULL; 521 SSL_CTX *c_ctx=NULL; 522 const SSL_METHOD *meth=NULL; 523 SSL *c_ssl,*s_ssl; 524 int number=1,reuse=0; 525 long bytes=256L; 526#ifndef OPENSSL_NO_DH 527 DH *dh; 528 int dhe1024 = 0, dhe1024dsa = 0; 529#endif 530#ifndef OPENSSL_NO_ECDH 531 EC_KEY *ecdh = NULL; 532#endif 533#ifndef OPENSSL_NO_SRP 534 /* client */ 535 SRP_CLIENT_ARG srp_client_arg = {NULL,NULL}; 536 /* server */ 537 SRP_SERVER_ARG srp_server_arg = {NULL,NULL}; 538#endif 539 int no_dhe = 0; 540 int no_ecdhe = 0; 541 int no_psk = 0; 542 int print_time = 0; 543 clock_t s_time = 0, c_time = 0; 544 int comp = 0; 545#ifndef OPENSSL_NO_COMP 546 COMP_METHOD *cm = NULL; 547 STACK_OF(SSL_COMP) *ssl_comp_methods = NULL; 548#endif 549 int test_cipherlist = 0; 550#ifdef OPENSSL_FIPS 551 int fips_mode=0; 552#endif 553 int cutthrough = 0; 554 555 verbose = 0; 556 debug = 0; 557 cipher = 0; 558 559 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE|BIO_FP_TEXT); 560 561 CRYPTO_set_locking_callback(lock_dbg_cb); 562 563 /* enable memory leak checking unless explicitly disabled */ 564 if (!((getenv("OPENSSL_DEBUG_MEMORY") != NULL) && (0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off")))) 565 { 566 CRYPTO_malloc_debug_init(); 567 CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL); 568 } 569 else 570 { 571 /* OPENSSL_DEBUG_MEMORY=off */ 572 CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0); 573 } 574 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); 575 576 RAND_seed(rnd_seed, sizeof rnd_seed); 577 578 bio_stdout=BIO_new_fp(stdout,BIO_NOCLOSE|BIO_FP_TEXT); 579 580 argc--; 581 argv++; 582 583 while (argc >= 1) 584 { 585 if(!strcmp(*argv,"-F")) 586 { 587#ifdef OPENSSL_FIPS 588 fips_mode=1; 589#else 590 fprintf(stderr,"not compiled with FIPS support, so exitting without running.\n"); 591 EXIT(0); 592#endif 593 } 594 else if (strcmp(*argv,"-server_auth") == 0) 595 server_auth=1; 596 else if (strcmp(*argv,"-client_auth") == 0) 597 client_auth=1; 598 else if (strcmp(*argv,"-proxy_auth") == 0) 599 { 600 if (--argc < 1) goto bad; 601 app_verify_arg.proxy_auth= *(++argv); 602 } 603 else if (strcmp(*argv,"-proxy_cond") == 0) 604 { 605 if (--argc < 1) goto bad; 606 app_verify_arg.proxy_cond= *(++argv); 607 } 608 else if (strcmp(*argv,"-v") == 0) 609 verbose=1; 610 else if (strcmp(*argv,"-d") == 0) 611 debug=1; 612 else if (strcmp(*argv,"-reuse") == 0) 613 reuse=1; 614 else if (strcmp(*argv,"-dhe1024") == 0) 615 { 616#ifndef OPENSSL_NO_DH 617 dhe1024=1; 618#else 619 fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n"); 620#endif 621 } 622 else if (strcmp(*argv,"-dhe1024dsa") == 0) 623 { 624#ifndef OPENSSL_NO_DH 625 dhe1024dsa=1; 626#else 627 fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n"); 628#endif 629 } 630 else if (strcmp(*argv,"-no_dhe") == 0) 631 no_dhe=1; 632 else if (strcmp(*argv,"-no_ecdhe") == 0) 633 no_ecdhe=1; 634 else if (strcmp(*argv,"-psk") == 0) 635 { 636 if (--argc < 1) goto bad; 637 psk_key=*(++argv); 638#ifndef OPENSSL_NO_PSK 639 if (strspn(psk_key, "abcdefABCDEF1234567890") != strlen(psk_key)) 640 { 641 BIO_printf(bio_err,"Not a hex number '%s'\n",*argv); 642 goto bad; 643 } 644#else 645 no_psk=1; 646#endif 647 } 648#ifndef OPENSSL_NO_SRP 649 else if (strcmp(*argv,"-srpuser") == 0) 650 { 651 if (--argc < 1) goto bad; 652 srp_server_arg.expected_user = srp_client_arg.srplogin= *(++argv); 653 tls1=1; 654 } 655 else if (strcmp(*argv,"-srppass") == 0) 656 { 657 if (--argc < 1) goto bad; 658 srp_server_arg.pass = srp_client_arg.srppassin= *(++argv); 659 tls1=1; 660 } 661#endif 662 else if (strcmp(*argv,"-ssl2") == 0) 663 ssl2=1; 664 else if (strcmp(*argv,"-tls1") == 0) 665 tls1=1; 666 else if (strcmp(*argv,"-ssl3") == 0) 667 ssl3=1; 668 else if (strncmp(*argv,"-num",4) == 0) 669 { 670 if (--argc < 1) goto bad; 671 number= atoi(*(++argv)); 672 if (number == 0) number=1; 673 } 674 else if (strcmp(*argv,"-bytes") == 0) 675 { 676 if (--argc < 1) goto bad; 677 bytes= atol(*(++argv)); 678 if (bytes == 0L) bytes=1L; 679 i=strlen(argv[0]); 680 if (argv[0][i-1] == 'k') bytes*=1024L; 681 if (argv[0][i-1] == 'm') bytes*=1024L*1024L; 682 } 683 else if (strcmp(*argv,"-cert") == 0) 684 { 685 if (--argc < 1) goto bad; 686 server_cert= *(++argv); 687 } 688 else if (strcmp(*argv,"-s_cert") == 0) 689 { 690 if (--argc < 1) goto bad; 691 server_cert= *(++argv); 692 } 693 else if (strcmp(*argv,"-key") == 0) 694 { 695 if (--argc < 1) goto bad; 696 server_key= *(++argv); 697 } 698 else if (strcmp(*argv,"-s_key") == 0) 699 { 700 if (--argc < 1) goto bad; 701 server_key= *(++argv); 702 } 703 else if (strcmp(*argv,"-c_cert") == 0) 704 { 705 if (--argc < 1) goto bad; 706 client_cert= *(++argv); 707 } 708 else if (strcmp(*argv,"-c_key") == 0) 709 { 710 if (--argc < 1) goto bad; 711 client_key= *(++argv); 712 } 713 else if (strcmp(*argv,"-cipher") == 0) 714 { 715 if (--argc < 1) goto bad; 716 cipher= *(++argv); 717 } 718 else if (strcmp(*argv,"-CApath") == 0) 719 { 720 if (--argc < 1) goto bad; 721 CApath= *(++argv); 722 } 723 else if (strcmp(*argv,"-CAfile") == 0) 724 { 725 if (--argc < 1) goto bad; 726 CAfile= *(++argv); 727 } 728 else if (strcmp(*argv,"-bio_pair") == 0) 729 { 730 bio_pair = 1; 731 } 732 else if (strcmp(*argv,"-f") == 0) 733 { 734 force = 1; 735 } 736 else if (strcmp(*argv,"-time") == 0) 737 { 738 print_time = 1; 739 } 740 else if (strcmp(*argv,"-zlib") == 0) 741 { 742 comp = COMP_ZLIB; 743 } 744 else if (strcmp(*argv,"-rle") == 0) 745 { 746 comp = COMP_RLE; 747 } 748 else if (strcmp(*argv,"-named_curve") == 0) 749 { 750 if (--argc < 1) goto bad; 751#ifndef OPENSSL_NO_ECDH 752 named_curve = *(++argv); 753#else 754 fprintf(stderr,"ignoring -named_curve, since I'm compiled without ECDH\n"); 755 ++argv; 756#endif 757 } 758 else if (strcmp(*argv,"-app_verify") == 0) 759 { 760 app_verify_arg.app_verify = 1; 761 } 762 else if (strcmp(*argv,"-proxy") == 0) 763 { 764 app_verify_arg.allow_proxy_certs = 1; 765 } 766 else if (strcmp(*argv,"-test_cipherlist") == 0) 767 { 768 test_cipherlist = 1; 769 } 770 else if (strcmp(*argv, "-cutthrough") == 0) 771 { 772 cutthrough = 1; 773 } 774 else 775 { 776 fprintf(stderr,"unknown option %s\n",*argv); 777 badop=1; 778 break; 779 } 780 argc--; 781 argv++; 782 } 783 if (badop) 784 { 785bad: 786 sv_usage(); 787 goto end; 788 } 789 790 if (test_cipherlist == 1) 791 { 792 /* ensure that the cipher list are correctly sorted and exit */ 793 if (do_test_cipherlist() == 0) 794 EXIT(1); 795 ret = 0; 796 goto end; 797 } 798 799 if (!ssl2 && !ssl3 && !tls1 && number > 1 && !reuse && !force) 800 { 801 fprintf(stderr, "This case cannot work. Use -f to perform " 802 "the test anyway (and\n-d to see what happens), " 803 "or add one of -ssl2, -ssl3, -tls1, -reuse\n" 804 "to avoid protocol mismatch.\n"); 805 EXIT(1); 806 } 807 808#ifdef OPENSSL_FIPS 809 if(fips_mode) 810 { 811 if(!FIPS_mode_set(1)) 812 { 813 ERR_load_crypto_strings(); 814 ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE)); 815 EXIT(1); 816 } 817 else 818 fprintf(stderr,"*** IN FIPS MODE ***\n"); 819 } 820#endif 821 822 if (print_time) 823 { 824 if (!bio_pair) 825 { 826 fprintf(stderr, "Using BIO pair (-bio_pair)\n"); 827 bio_pair = 1; 828 } 829 if (number < 50 && !force) 830 fprintf(stderr, "Warning: For accurate timings, use more connections (e.g. -num 1000)\n"); 831 } 832 833/* if (cipher == NULL) cipher=getenv("SSL_CIPHER"); */ 834 835 SSL_library_init(); 836 SSL_load_error_strings(); 837 838#ifndef OPENSSL_NO_COMP 839 if (comp == COMP_ZLIB) cm = COMP_zlib(); 840 if (comp == COMP_RLE) cm = COMP_rle(); 841 if (cm != NULL) 842 { 843 if (cm->type != NID_undef) 844 { 845 if (SSL_COMP_add_compression_method(comp, cm) != 0) 846 { 847 fprintf(stderr, 848 "Failed to add compression method\n"); 849 ERR_print_errors_fp(stderr); 850 } 851 } 852 else 853 { 854 fprintf(stderr, 855 "Warning: %s compression not supported\n", 856 (comp == COMP_RLE ? "rle" : 857 (comp == COMP_ZLIB ? "zlib" : 858 "unknown"))); 859 ERR_print_errors_fp(stderr); 860 } 861 } 862 ssl_comp_methods = SSL_COMP_get_compression_methods(); 863 fprintf(stderr, "Available compression methods:\n"); 864 { 865 int j, n = sk_SSL_COMP_num(ssl_comp_methods); 866 if (n == 0) 867 fprintf(stderr, " NONE\n"); 868 else 869 for (j = 0; j < n; j++) 870 { 871 SSL_COMP *c = sk_SSL_COMP_value(ssl_comp_methods, j); 872 fprintf(stderr, " %d: %s\n", c->id, c->name); 873 } 874 } 875#endif 876 877#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3) 878 if (ssl2) 879 meth=SSLv2_method(); 880 else 881 if (tls1) 882 meth=TLSv1_method(); 883 else 884 if (ssl3) 885 meth=SSLv3_method(); 886 else 887 meth=SSLv23_method(); 888#else 889#ifdef OPENSSL_NO_SSL2 890 if (tls1) 891 meth=TLSv1_method(); 892 else 893 if (ssl3) 894 meth=SSLv3_method(); 895 else 896 meth=SSLv23_method(); 897#else 898 meth=SSLv2_method(); 899#endif 900#endif 901 902 c_ctx=SSL_CTX_new(meth); 903 s_ctx=SSL_CTX_new(meth); 904 if ((c_ctx == NULL) || (s_ctx == NULL)) 905 { 906 ERR_print_errors(bio_err); 907 goto end; 908 } 909 910 if (cipher != NULL) 911 { 912 SSL_CTX_set_cipher_list(c_ctx,cipher); 913 SSL_CTX_set_cipher_list(s_ctx,cipher); 914 } 915 if (cutthrough) 916 { 917 int ssl_mode = SSL_CTX_get_mode(c_ctx); 918 ssl_mode |= SSL_MODE_HANDSHAKE_CUTTHROUGH; 919 SSL_CTX_set_mode(c_ctx, ssl_mode); 920 } 921 922#ifndef OPENSSL_NO_DH 923 if (!no_dhe) 924 { 925 if (dhe1024dsa) 926 { 927 /* use SSL_OP_SINGLE_DH_USE to avoid small subgroup attacks */ 928 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE); 929 dh=get_dh1024dsa(); 930 } 931 else if (dhe1024) 932 dh=get_dh1024(); 933 else 934 dh=get_dh512(); 935 SSL_CTX_set_tmp_dh(s_ctx,dh); 936 DH_free(dh); 937 } 938#else 939 (void)no_dhe; 940#endif 941 942#ifndef OPENSSL_NO_ECDH 943 if (!no_ecdhe) 944 { 945 int nid; 946 947 if (named_curve != NULL) 948 { 949 nid = OBJ_sn2nid(named_curve); 950 if (nid == 0) 951 { 952 BIO_printf(bio_err, "unknown curve name (%s)\n", named_curve); 953 goto end; 954 } 955 } 956 else 957#ifdef OPENSSL_NO_EC2M 958 nid = NID_X9_62_prime256v1; 959#else 960 nid = NID_sect163r2; 961#endif 962 963 ecdh = EC_KEY_new_by_curve_name(nid); 964 if (ecdh == NULL) 965 { 966 BIO_printf(bio_err, "unable to create curve\n"); 967 goto end; 968 } 969 970 SSL_CTX_set_tmp_ecdh(s_ctx, ecdh); 971 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_ECDH_USE); 972 EC_KEY_free(ecdh); 973 } 974#else 975 (void)no_ecdhe; 976#endif 977 978#ifndef OPENSSL_NO_RSA 979 SSL_CTX_set_tmp_rsa_callback(s_ctx,tmp_rsa_cb); 980#endif 981 982#ifdef TLSEXT_TYPE_opaque_prf_input 983 SSL_CTX_set_tlsext_opaque_prf_input_callback(c_ctx, opaque_prf_input_cb); 984 SSL_CTX_set_tlsext_opaque_prf_input_callback(s_ctx, opaque_prf_input_cb); 985 SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(c_ctx, &co1); /* or &co2 or NULL */ 986 SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(s_ctx, &so1); /* or &so2 or NULL */ 987#endif 988 989 if (!SSL_CTX_use_certificate_file(s_ctx,server_cert,SSL_FILETYPE_PEM)) 990 { 991 ERR_print_errors(bio_err); 992 } 993 else if (!SSL_CTX_use_PrivateKey_file(s_ctx, 994 (server_key?server_key:server_cert), SSL_FILETYPE_PEM)) 995 { 996 ERR_print_errors(bio_err); 997 goto end; 998 } 999 1000 if (client_auth) 1001 { 1002 SSL_CTX_use_certificate_file(c_ctx,client_cert, 1003 SSL_FILETYPE_PEM); 1004 SSL_CTX_use_PrivateKey_file(c_ctx, 1005 (client_key?client_key:client_cert), 1006 SSL_FILETYPE_PEM); 1007 } 1008 1009 if ( (!SSL_CTX_load_verify_locations(s_ctx,CAfile,CApath)) || 1010 (!SSL_CTX_set_default_verify_paths(s_ctx)) || 1011 (!SSL_CTX_load_verify_locations(c_ctx,CAfile,CApath)) || 1012 (!SSL_CTX_set_default_verify_paths(c_ctx))) 1013 { 1014 /* fprintf(stderr,"SSL_load_verify_locations\n"); */ 1015 ERR_print_errors(bio_err); 1016 /* goto end; */ 1017 } 1018 1019 if (client_auth) 1020 { 1021 BIO_printf(bio_err,"client authentication\n"); 1022 SSL_CTX_set_verify(s_ctx, 1023 SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 1024 verify_callback); 1025 SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, &app_verify_arg); 1026 } 1027 if (server_auth) 1028 { 1029 BIO_printf(bio_err,"server authentication\n"); 1030 SSL_CTX_set_verify(c_ctx,SSL_VERIFY_PEER, 1031 verify_callback); 1032 SSL_CTX_set_cert_verify_callback(c_ctx, app_verify_callback, &app_verify_arg); 1033 } 1034 1035 { 1036 int session_id_context = 0; 1037 SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context, sizeof session_id_context); 1038 } 1039 1040 /* Use PSK only if PSK key is given */ 1041 if (psk_key != NULL) 1042 { 1043 /* no_psk is used to avoid putting psk command to openssl tool */ 1044 if (no_psk) 1045 { 1046 /* if PSK is not compiled in and psk key is 1047 * given, do nothing and exit successfully */ 1048 ret=0; 1049 goto end; 1050 } 1051#ifndef OPENSSL_NO_PSK 1052 SSL_CTX_set_psk_client_callback(c_ctx, psk_client_callback); 1053 SSL_CTX_set_psk_server_callback(s_ctx, psk_server_callback); 1054 if (debug) 1055 BIO_printf(bio_err,"setting PSK identity hint to s_ctx\n"); 1056 if (!SSL_CTX_use_psk_identity_hint(s_ctx, "ctx server identity_hint")) 1057 { 1058 BIO_printf(bio_err,"error setting PSK identity hint to s_ctx\n"); 1059 ERR_print_errors(bio_err); 1060 goto end; 1061 } 1062#endif 1063 } 1064#ifndef OPENSSL_NO_SRP 1065 if (srp_client_arg.srplogin) 1066 { 1067 if (!SSL_CTX_set_srp_username(c_ctx, srp_client_arg.srplogin)) 1068 { 1069 BIO_printf(bio_err,"Unable to set SRP username\n"); 1070 goto end; 1071 } 1072 SSL_CTX_set_srp_cb_arg(c_ctx,&srp_client_arg); 1073 SSL_CTX_set_srp_client_pwd_callback(c_ctx, ssl_give_srp_client_pwd_cb); 1074 /*SSL_CTX_set_srp_strength(c_ctx, srp_client_arg.strength);*/ 1075 } 1076 1077 if (srp_server_arg.expected_user != NULL) 1078 { 1079 SSL_CTX_set_verify(s_ctx,SSL_VERIFY_NONE,verify_callback); 1080 SSL_CTX_set_srp_cb_arg(s_ctx, &srp_server_arg); 1081 SSL_CTX_set_srp_username_callback(s_ctx, ssl_srp_server_param_cb); 1082 } 1083#endif 1084 1085 c_ssl=SSL_new(c_ctx); 1086 s_ssl=SSL_new(s_ctx); 1087 1088#ifndef OPENSSL_NO_KRB5 1089 if (c_ssl && c_ssl->kssl_ctx) 1090 { 1091 char localhost[MAXHOSTNAMELEN+2]; 1092 1093 if (gethostname(localhost, sizeof localhost-1) == 0) 1094 { 1095 localhost[sizeof localhost-1]='\0'; 1096 if(strlen(localhost) == sizeof localhost-1) 1097 { 1098 BIO_printf(bio_err,"localhost name too long\n"); 1099 goto end; 1100 } 1101 kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER, 1102 localhost); 1103 } 1104 } 1105#endif /* OPENSSL_NO_KRB5 */ 1106 1107 for (i=0; i<number; i++) 1108 { 1109 if (!reuse) SSL_set_session(c_ssl,NULL); 1110 if (bio_pair) 1111 ret=doit_biopair(s_ssl,c_ssl,bytes,&s_time,&c_time); 1112 else 1113 ret=doit(s_ssl,c_ssl,bytes); 1114 } 1115 1116 if (!verbose) 1117 { 1118 print_details(c_ssl, ""); 1119 } 1120 if ((number > 1) || (bytes > 1L)) 1121 BIO_printf(bio_stdout, "%d handshakes of %ld bytes done\n",number,bytes); 1122 if (print_time) 1123 { 1124#ifdef CLOCKS_PER_SEC 1125 /* "To determine the time in seconds, the value returned 1126 * by the clock function should be divided by the value 1127 * of the macro CLOCKS_PER_SEC." 1128 * -- ISO/IEC 9899 */ 1129 BIO_printf(bio_stdout, "Approximate total server time: %6.2f s\n" 1130 "Approximate total client time: %6.2f s\n", 1131 (double)s_time/CLOCKS_PER_SEC, 1132 (double)c_time/CLOCKS_PER_SEC); 1133#else 1134 /* "`CLOCKS_PER_SEC' undeclared (first use this function)" 1135 * -- cc on NeXTstep/OpenStep */ 1136 BIO_printf(bio_stdout, 1137 "Approximate total server time: %6.2f units\n" 1138 "Approximate total client time: %6.2f units\n", 1139 (double)s_time, 1140 (double)c_time); 1141#endif 1142 } 1143 1144 SSL_free(s_ssl); 1145 SSL_free(c_ssl); 1146 1147end: 1148 if (s_ctx != NULL) SSL_CTX_free(s_ctx); 1149 if (c_ctx != NULL) SSL_CTX_free(c_ctx); 1150 1151 if (bio_stdout != NULL) BIO_free(bio_stdout); 1152 1153#ifndef OPENSSL_NO_RSA 1154 free_tmp_rsa(); 1155#endif 1156#ifndef OPENSSL_NO_ENGINE 1157 ENGINE_cleanup(); 1158#endif 1159 CRYPTO_cleanup_all_ex_data(); 1160 ERR_free_strings(); 1161 ERR_remove_thread_state(NULL); 1162 EVP_cleanup(); 1163 CRYPTO_mem_leaks(bio_err); 1164 if (bio_err != NULL) BIO_free(bio_err); 1165 EXIT(ret); 1166 return ret; 1167 } 1168 1169int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count, 1170 clock_t *s_time, clock_t *c_time) 1171 { 1172 long cw_num = count, cr_num = count, sw_num = count, sr_num = count; 1173 BIO *s_ssl_bio = NULL, *c_ssl_bio = NULL; 1174 BIO *server = NULL, *server_io = NULL, *client = NULL, *client_io = NULL; 1175 int ret = 1; 1176 1177 size_t bufsiz = 256; /* small buffer for testing */ 1178 1179 if (!BIO_new_bio_pair(&server, bufsiz, &server_io, bufsiz)) 1180 goto err; 1181 if (!BIO_new_bio_pair(&client, bufsiz, &client_io, bufsiz)) 1182 goto err; 1183 1184 s_ssl_bio = BIO_new(BIO_f_ssl()); 1185 if (!s_ssl_bio) 1186 goto err; 1187 1188 c_ssl_bio = BIO_new(BIO_f_ssl()); 1189 if (!c_ssl_bio) 1190 goto err; 1191 1192 SSL_set_connect_state(c_ssl); 1193 SSL_set_bio(c_ssl, client, client); 1194 (void)BIO_set_ssl(c_ssl_bio, c_ssl, BIO_NOCLOSE); 1195 1196 SSL_set_accept_state(s_ssl); 1197 SSL_set_bio(s_ssl, server, server); 1198 (void)BIO_set_ssl(s_ssl_bio, s_ssl, BIO_NOCLOSE); 1199 1200 do 1201 { 1202 /* c_ssl_bio: SSL filter BIO 1203 * 1204 * client: pseudo-I/O for SSL library 1205 * 1206 * client_io: client's SSL communication; usually to be 1207 * relayed over some I/O facility, but in this 1208 * test program, we're the server, too: 1209 * 1210 * server_io: server's SSL communication 1211 * 1212 * server: pseudo-I/O for SSL library 1213 * 1214 * s_ssl_bio: SSL filter BIO 1215 * 1216 * The client and the server each employ a "BIO pair": 1217 * client + client_io, server + server_io. 1218 * BIO pairs are symmetric. A BIO pair behaves similar 1219 * to a non-blocking socketpair (but both endpoints must 1220 * be handled by the same thread). 1221 * [Here we could connect client and server to the ends 1222 * of a single BIO pair, but then this code would be less 1223 * suitable as an example for BIO pairs in general.] 1224 * 1225 * Useful functions for querying the state of BIO pair endpoints: 1226 * 1227 * BIO_ctrl_pending(bio) number of bytes we can read now 1228 * BIO_ctrl_get_read_request(bio) number of bytes needed to fulfil 1229 * other side's read attempt 1230 * BIO_ctrl_get_write_guarantee(bio) number of bytes we can write now 1231 * 1232 * ..._read_request is never more than ..._write_guarantee; 1233 * it depends on the application which one you should use. 1234 */ 1235 1236 /* We have non-blocking behaviour throughout this test program, but 1237 * can be sure that there is *some* progress in each iteration; so 1238 * we don't have to worry about ..._SHOULD_READ or ..._SHOULD_WRITE 1239 * -- we just try everything in each iteration 1240 */ 1241 1242 { 1243 /* CLIENT */ 1244 1245 MS_STATIC char cbuf[1024*8]; 1246 int i, r; 1247 clock_t c_clock = clock(); 1248 1249 memset(cbuf, 0, sizeof(cbuf)); 1250 1251 if (debug) 1252 if (SSL_in_init(c_ssl)) 1253 printf("client waiting in SSL_connect - %s\n", 1254 SSL_state_string_long(c_ssl)); 1255 1256 if (cw_num > 0) 1257 { 1258 /* Write to server. */ 1259 1260 if (cw_num > (long)sizeof cbuf) 1261 i = sizeof cbuf; 1262 else 1263 i = (int)cw_num; 1264 r = BIO_write(c_ssl_bio, cbuf, i); 1265 if (r < 0) 1266 { 1267 if (!BIO_should_retry(c_ssl_bio)) 1268 { 1269 fprintf(stderr,"ERROR in CLIENT\n"); 1270 goto err; 1271 } 1272 /* BIO_should_retry(...) can just be ignored here. 1273 * The library expects us to call BIO_write with 1274 * the same arguments again, and that's what we will 1275 * do in the next iteration. */ 1276 } 1277 else if (r == 0) 1278 { 1279 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n"); 1280 goto err; 1281 } 1282 else 1283 { 1284 if (debug) 1285 printf("client wrote %d\n", r); 1286 cw_num -= r; 1287 } 1288 } 1289 1290 if (cr_num > 0) 1291 { 1292 /* Read from server. */ 1293 1294 r = BIO_read(c_ssl_bio, cbuf, sizeof(cbuf)); 1295 if (r < 0) 1296 { 1297 if (!BIO_should_retry(c_ssl_bio)) 1298 { 1299 fprintf(stderr,"ERROR in CLIENT\n"); 1300 goto err; 1301 } 1302 /* Again, "BIO_should_retry" can be ignored. */ 1303 } 1304 else if (r == 0) 1305 { 1306 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n"); 1307 goto err; 1308 } 1309 else 1310 { 1311 if (debug) 1312 printf("client read %d\n", r); 1313 cr_num -= r; 1314 } 1315 } 1316 1317 /* c_time and s_time increments will typically be very small 1318 * (depending on machine speed and clock tick intervals), 1319 * but sampling over a large number of connections should 1320 * result in fairly accurate figures. We cannot guarantee 1321 * a lot, however -- if each connection lasts for exactly 1322 * one clock tick, it will be counted only for the client 1323 * or only for the server or even not at all. 1324 */ 1325 *c_time += (clock() - c_clock); 1326 } 1327 1328 { 1329 /* SERVER */ 1330 1331 MS_STATIC char sbuf[1024*8]; 1332 int i, r; 1333 clock_t s_clock = clock(); 1334 1335 memset(sbuf, 0, sizeof(sbuf)); 1336 1337 if (debug) 1338 if (SSL_in_init(s_ssl)) 1339 printf("server waiting in SSL_accept - %s\n", 1340 SSL_state_string_long(s_ssl)); 1341 1342 if (sw_num > 0) 1343 { 1344 /* Write to client. */ 1345 1346 if (sw_num > (long)sizeof sbuf) 1347 i = sizeof sbuf; 1348 else 1349 i = (int)sw_num; 1350 r = BIO_write(s_ssl_bio, sbuf, i); 1351 if (r < 0) 1352 { 1353 if (!BIO_should_retry(s_ssl_bio)) 1354 { 1355 fprintf(stderr,"ERROR in SERVER\n"); 1356 goto err; 1357 } 1358 /* Ignore "BIO_should_retry". */ 1359 } 1360 else if (r == 0) 1361 { 1362 fprintf(stderr,"SSL SERVER STARTUP FAILED\n"); 1363 goto err; 1364 } 1365 else 1366 { 1367 if (debug) 1368 printf("server wrote %d\n", r); 1369 sw_num -= r; 1370 } 1371 } 1372 1373 if (sr_num > 0) 1374 { 1375 /* Read from client. */ 1376 1377 r = BIO_read(s_ssl_bio, sbuf, sizeof(sbuf)); 1378 if (r < 0) 1379 { 1380 if (!BIO_should_retry(s_ssl_bio)) 1381 { 1382 fprintf(stderr,"ERROR in SERVER\n"); 1383 goto err; 1384 } 1385 /* blah, blah */ 1386 } 1387 else if (r == 0) 1388 { 1389 fprintf(stderr,"SSL SERVER STARTUP FAILED\n"); 1390 goto err; 1391 } 1392 else 1393 { 1394 if (debug) 1395 printf("server read %d\n", r); 1396 sr_num -= r; 1397 } 1398 } 1399 1400 *s_time += (clock() - s_clock); 1401 } 1402 1403 { 1404 /* "I/O" BETWEEN CLIENT AND SERVER. */ 1405 1406 size_t r1, r2; 1407 BIO *io1 = server_io, *io2 = client_io; 1408 /* we use the non-copying interface for io1 1409 * and the standard BIO_write/BIO_read interface for io2 1410 */ 1411 1412 static int prev_progress = 1; 1413 int progress = 0; 1414 1415 /* io1 to io2 */ 1416 do 1417 { 1418 size_t num; 1419 int r; 1420 1421 r1 = BIO_ctrl_pending(io1); 1422 r2 = BIO_ctrl_get_write_guarantee(io2); 1423 1424 num = r1; 1425 if (r2 < num) 1426 num = r2; 1427 if (num) 1428 { 1429 char *dataptr; 1430 1431 if (INT_MAX < num) /* yeah, right */ 1432 num = INT_MAX; 1433 1434 r = BIO_nread(io1, &dataptr, (int)num); 1435 assert(r > 0); 1436 assert(r <= (int)num); 1437 /* possibly r < num (non-contiguous data) */ 1438 num = r; 1439 r = BIO_write(io2, dataptr, (int)num); 1440 if (r != (int)num) /* can't happen */ 1441 { 1442 fprintf(stderr, "ERROR: BIO_write could not write " 1443 "BIO_ctrl_get_write_guarantee() bytes"); 1444 goto err; 1445 } 1446 progress = 1; 1447 1448 if (debug) 1449 printf((io1 == client_io) ? 1450 "C->S relaying: %d bytes\n" : 1451 "S->C relaying: %d bytes\n", 1452 (int)num); 1453 } 1454 } 1455 while (r1 && r2); 1456 1457 /* io2 to io1 */ 1458 { 1459 size_t num; 1460 int r; 1461 1462 r1 = BIO_ctrl_pending(io2); 1463 r2 = BIO_ctrl_get_read_request(io1); 1464 /* here we could use ..._get_write_guarantee instead of 1465 * ..._get_read_request, but by using the latter 1466 * we test restartability of the SSL implementation 1467 * more thoroughly */ 1468 num = r1; 1469 if (r2 < num) 1470 num = r2; 1471 if (num) 1472 { 1473 char *dataptr; 1474 1475 if (INT_MAX < num) 1476 num = INT_MAX; 1477 1478 if (num > 1) 1479 --num; /* test restartability even more thoroughly */ 1480 1481 r = BIO_nwrite0(io1, &dataptr); 1482 assert(r > 0); 1483 if (r < (int)num) 1484 num = r; 1485 r = BIO_read(io2, dataptr, (int)num); 1486 if (r != (int)num) /* can't happen */ 1487 { 1488 fprintf(stderr, "ERROR: BIO_read could not read " 1489 "BIO_ctrl_pending() bytes"); 1490 goto err; 1491 } 1492 progress = 1; 1493 r = BIO_nwrite(io1, &dataptr, (int)num); 1494 if (r != (int)num) /* can't happen */ 1495 { 1496 fprintf(stderr, "ERROR: BIO_nwrite() did not accept " 1497 "BIO_nwrite0() bytes"); 1498 goto err; 1499 } 1500 1501 if (debug) 1502 printf((io2 == client_io) ? 1503 "C->S relaying: %d bytes\n" : 1504 "S->C relaying: %d bytes\n", 1505 (int)num); 1506 } 1507 } /* no loop, BIO_ctrl_get_read_request now returns 0 anyway */ 1508 1509 if (!progress && !prev_progress) 1510 if (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0) 1511 { 1512 fprintf(stderr, "ERROR: got stuck\n"); 1513 if (strcmp("SSLv2", SSL_get_version(c_ssl)) == 0) 1514 { 1515 fprintf(stderr, "This can happen for SSL2 because " 1516 "CLIENT-FINISHED and SERVER-VERIFY are written \n" 1517 "concurrently ..."); 1518 if (strncmp("2SCF", SSL_state_string(c_ssl), 4) == 0 1519 && strncmp("2SSV", SSL_state_string(s_ssl), 4) == 0) 1520 { 1521 fprintf(stderr, " ok.\n"); 1522 goto end; 1523 } 1524 } 1525 fprintf(stderr, " ERROR.\n"); 1526 goto err; 1527 } 1528 prev_progress = progress; 1529 } 1530 } 1531 while (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0); 1532 1533 if (verbose) 1534 print_details(c_ssl, "DONE via BIO pair: "); 1535end: 1536 ret = 0; 1537 1538 err: 1539 ERR_print_errors(bio_err); 1540 1541 if (server) 1542 BIO_free(server); 1543 if (server_io) 1544 BIO_free(server_io); 1545 if (client) 1546 BIO_free(client); 1547 if (client_io) 1548 BIO_free(client_io); 1549 if (s_ssl_bio) 1550 BIO_free(s_ssl_bio); 1551 if (c_ssl_bio) 1552 BIO_free(c_ssl_bio); 1553 1554 return ret; 1555 } 1556 1557 1558#define W_READ 1 1559#define W_WRITE 2 1560#define C_DONE 1 1561#define S_DONE 2 1562 1563int doit(SSL *s_ssl, SSL *c_ssl, long count) 1564 { 1565 MS_STATIC char cbuf[1024*8],sbuf[1024*8]; 1566 long cw_num=count,cr_num=count; 1567 long sw_num=count,sr_num=count; 1568 int ret=1; 1569 BIO *c_to_s=NULL; 1570 BIO *s_to_c=NULL; 1571 BIO *c_bio=NULL; 1572 BIO *s_bio=NULL; 1573 int c_r,c_w,s_r,s_w; 1574 int i,j; 1575 int done=0; 1576 int c_write,s_write; 1577 int do_server=0,do_client=0; 1578 1579 memset(cbuf,0,sizeof(cbuf)); 1580 memset(sbuf,0,sizeof(sbuf)); 1581 1582 c_to_s=BIO_new(BIO_s_mem()); 1583 s_to_c=BIO_new(BIO_s_mem()); 1584 if ((s_to_c == NULL) || (c_to_s == NULL)) 1585 { 1586 ERR_print_errors(bio_err); 1587 goto err; 1588 } 1589 1590 c_bio=BIO_new(BIO_f_ssl()); 1591 s_bio=BIO_new(BIO_f_ssl()); 1592 if ((c_bio == NULL) || (s_bio == NULL)) 1593 { 1594 ERR_print_errors(bio_err); 1595 goto err; 1596 } 1597 1598 SSL_set_connect_state(c_ssl); 1599 SSL_set_bio(c_ssl,s_to_c,c_to_s); 1600 BIO_set_ssl(c_bio,c_ssl,BIO_NOCLOSE); 1601 1602 SSL_set_accept_state(s_ssl); 1603 SSL_set_bio(s_ssl,c_to_s,s_to_c); 1604 BIO_set_ssl(s_bio,s_ssl,BIO_NOCLOSE); 1605 1606 c_r=0; s_r=1; 1607 c_w=1; s_w=0; 1608 c_write=1,s_write=0; 1609 1610 /* We can always do writes */ 1611 for (;;) 1612 { 1613 do_server=0; 1614 do_client=0; 1615 1616 i=(int)BIO_pending(s_bio); 1617 if ((i && s_r) || s_w) do_server=1; 1618 1619 i=(int)BIO_pending(c_bio); 1620 if ((i && c_r) || c_w) do_client=1; 1621 1622 if (do_server && debug) 1623 { 1624 if (SSL_in_init(s_ssl)) 1625 printf("server waiting in SSL_accept - %s\n", 1626 SSL_state_string_long(s_ssl)); 1627/* else if (s_write) 1628 printf("server:SSL_write()\n"); 1629 else 1630 printf("server:SSL_read()\n"); */ 1631 } 1632 1633 if (do_client && debug) 1634 { 1635 if (SSL_in_init(c_ssl)) 1636 printf("client waiting in SSL_connect - %s\n", 1637 SSL_state_string_long(c_ssl)); 1638/* else if (c_write) 1639 printf("client:SSL_write()\n"); 1640 else 1641 printf("client:SSL_read()\n"); */ 1642 } 1643 1644 if (!do_client && !do_server) 1645 { 1646 fprintf(stdout,"ERROR IN STARTUP\n"); 1647 ERR_print_errors(bio_err); 1648 break; 1649 } 1650 if (do_client && !(done & C_DONE)) 1651 { 1652 if (c_write) 1653 { 1654 j = (cw_num > (long)sizeof(cbuf)) ? 1655 (int)sizeof(cbuf) : (int)cw_num; 1656 i=BIO_write(c_bio,cbuf,j); 1657 if (i < 0) 1658 { 1659 c_r=0; 1660 c_w=0; 1661 if (BIO_should_retry(c_bio)) 1662 { 1663 if (BIO_should_read(c_bio)) 1664 c_r=1; 1665 if (BIO_should_write(c_bio)) 1666 c_w=1; 1667 } 1668 else 1669 { 1670 fprintf(stderr,"ERROR in CLIENT\n"); 1671 ERR_print_errors(bio_err); 1672 goto err; 1673 } 1674 } 1675 else if (i == 0) 1676 { 1677 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n"); 1678 goto err; 1679 } 1680 else 1681 { 1682 if (debug) 1683 printf("client wrote %d\n",i); 1684 /* ok */ 1685 s_r=1; 1686 c_write=0; 1687 cw_num-=i; 1688 } 1689 } 1690 else 1691 { 1692 i=BIO_read(c_bio,cbuf,sizeof(cbuf)); 1693 if (i < 0) 1694 { 1695 c_r=0; 1696 c_w=0; 1697 if (BIO_should_retry(c_bio)) 1698 { 1699 if (BIO_should_read(c_bio)) 1700 c_r=1; 1701 if (BIO_should_write(c_bio)) 1702 c_w=1; 1703 } 1704 else 1705 { 1706 fprintf(stderr,"ERROR in CLIENT\n"); 1707 ERR_print_errors(bio_err); 1708 goto err; 1709 } 1710 } 1711 else if (i == 0) 1712 { 1713 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n"); 1714 goto err; 1715 } 1716 else 1717 { 1718 if (debug) 1719 printf("client read %d\n",i); 1720 cr_num-=i; 1721 if (sw_num > 0) 1722 { 1723 s_write=1; 1724 s_w=1; 1725 } 1726 if (cr_num <= 0) 1727 { 1728 s_write=1; 1729 s_w=1; 1730 done=S_DONE|C_DONE; 1731 } 1732 } 1733 } 1734 } 1735 1736 if (do_server && !(done & S_DONE)) 1737 { 1738 if (!s_write) 1739 { 1740 i=BIO_read(s_bio,sbuf,sizeof(cbuf)); 1741 if (i < 0) 1742 { 1743 s_r=0; 1744 s_w=0; 1745 if (BIO_should_retry(s_bio)) 1746 { 1747 if (BIO_should_read(s_bio)) 1748 s_r=1; 1749 if (BIO_should_write(s_bio)) 1750 s_w=1; 1751 } 1752 else 1753 { 1754 fprintf(stderr,"ERROR in SERVER\n"); 1755 ERR_print_errors(bio_err); 1756 goto err; 1757 } 1758 } 1759 else if (i == 0) 1760 { 1761 ERR_print_errors(bio_err); 1762 fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_read\n"); 1763 goto err; 1764 } 1765 else 1766 { 1767 if (debug) 1768 printf("server read %d\n",i); 1769 sr_num-=i; 1770 if (cw_num > 0) 1771 { 1772 c_write=1; 1773 c_w=1; 1774 } 1775 if (sr_num <= 0) 1776 { 1777 s_write=1; 1778 s_w=1; 1779 c_write=0; 1780 } 1781 } 1782 } 1783 else 1784 { 1785 j = (sw_num > (long)sizeof(sbuf)) ? 1786 (int)sizeof(sbuf) : (int)sw_num; 1787 i=BIO_write(s_bio,sbuf,j); 1788 if (i < 0) 1789 { 1790 s_r=0; 1791 s_w=0; 1792 if (BIO_should_retry(s_bio)) 1793 { 1794 if (BIO_should_read(s_bio)) 1795 s_r=1; 1796 if (BIO_should_write(s_bio)) 1797 s_w=1; 1798 } 1799 else 1800 { 1801 fprintf(stderr,"ERROR in SERVER\n"); 1802 ERR_print_errors(bio_err); 1803 goto err; 1804 } 1805 } 1806 else if (i == 0) 1807 { 1808 ERR_print_errors(bio_err); 1809 fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_write\n"); 1810 goto err; 1811 } 1812 else 1813 { 1814 if (debug) 1815 printf("server wrote %d\n",i); 1816 sw_num-=i; 1817 s_write=0; 1818 c_r=1; 1819 if (sw_num <= 0) 1820 done|=S_DONE; 1821 } 1822 } 1823 } 1824 1825 if ((done & S_DONE) && (done & C_DONE)) break; 1826 } 1827 1828 if (verbose) 1829 print_details(c_ssl, "DONE: "); 1830 ret=0; 1831err: 1832 /* We have to set the BIO's to NULL otherwise they will be 1833 * OPENSSL_free()ed twice. Once when th s_ssl is SSL_free()ed and 1834 * again when c_ssl is SSL_free()ed. 1835 * This is a hack required because s_ssl and c_ssl are sharing the same 1836 * BIO structure and SSL_set_bio() and SSL_free() automatically 1837 * BIO_free non NULL entries. 1838 * You should not normally do this or be required to do this */ 1839 if (s_ssl != NULL) 1840 { 1841 s_ssl->rbio=NULL; 1842 s_ssl->wbio=NULL; 1843 } 1844 if (c_ssl != NULL) 1845 { 1846 c_ssl->rbio=NULL; 1847 c_ssl->wbio=NULL; 1848 } 1849 1850 if (c_to_s != NULL) BIO_free(c_to_s); 1851 if (s_to_c != NULL) BIO_free(s_to_c); 1852 if (c_bio != NULL) BIO_free_all(c_bio); 1853 if (s_bio != NULL) BIO_free_all(s_bio); 1854 return(ret); 1855 } 1856 1857static int get_proxy_auth_ex_data_idx(void) 1858 { 1859 static volatile int idx = -1; 1860 if (idx < 0) 1861 { 1862 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); 1863 if (idx < 0) 1864 { 1865 idx = X509_STORE_CTX_get_ex_new_index(0, 1866 "SSLtest for verify callback", NULL,NULL,NULL); 1867 } 1868 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX); 1869 } 1870 return idx; 1871 } 1872 1873static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx) 1874 { 1875 char *s,buf[256]; 1876 1877 s=X509_NAME_oneline(X509_get_subject_name(ctx->current_cert),buf, 1878 sizeof buf); 1879 if (s != NULL) 1880 { 1881 if (ok) 1882 fprintf(stderr,"depth=%d %s\n", 1883 ctx->error_depth,buf); 1884 else 1885 { 1886 fprintf(stderr,"depth=%d error=%d %s\n", 1887 ctx->error_depth,ctx->error,buf); 1888 } 1889 } 1890 1891 if (ok == 0) 1892 { 1893 fprintf(stderr,"Error string: %s\n", 1894 X509_verify_cert_error_string(ctx->error)); 1895 switch (ctx->error) 1896 { 1897 case X509_V_ERR_CERT_NOT_YET_VALID: 1898 case X509_V_ERR_CERT_HAS_EXPIRED: 1899 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: 1900 fprintf(stderr," ... ignored.\n"); 1901 ok=1; 1902 } 1903 } 1904 1905 if (ok == 1) 1906 { 1907 X509 *xs = ctx->current_cert; 1908#if 0 1909 X509 *xi = ctx->current_issuer; 1910#endif 1911 1912 if (xs->ex_flags & EXFLAG_PROXY) 1913 { 1914 unsigned int *letters = 1915 X509_STORE_CTX_get_ex_data(ctx, 1916 get_proxy_auth_ex_data_idx()); 1917 1918 if (letters) 1919 { 1920 int found_any = 0; 1921 int i; 1922 PROXY_CERT_INFO_EXTENSION *pci = 1923 X509_get_ext_d2i(xs, NID_proxyCertInfo, 1924 NULL, NULL); 1925 1926 switch (OBJ_obj2nid(pci->proxyPolicy->policyLanguage)) 1927 { 1928 case NID_Independent: 1929 /* Completely meaningless in this 1930 program, as there's no way to 1931 grant explicit rights to a 1932 specific PrC. Basically, using 1933 id-ppl-Independent is the perfect 1934 way to grant no rights at all. */ 1935 fprintf(stderr, " Independent proxy certificate"); 1936 for (i = 0; i < 26; i++) 1937 letters[i] = 0; 1938 break; 1939 case NID_id_ppl_inheritAll: 1940 /* This is basically a NOP, we 1941 simply let the current rights 1942 stand as they are. */ 1943 fprintf(stderr, " Proxy certificate inherits all"); 1944 break; 1945 default: 1946 s = (char *) 1947 pci->proxyPolicy->policy->data; 1948 i = pci->proxyPolicy->policy->length; 1949 1950 /* The algorithm works as follows: 1951 it is assumed that previous 1952 iterations or the initial granted 1953 rights has already set some elements 1954 of `letters'. What we need to do is 1955 to clear those that weren't granted 1956 by the current PrC as well. The 1957 easiest way to do this is to add 1 1958 to all the elements whose letters 1959 are given with the current policy. 1960 That way, all elements that are set 1961 by the current policy and were 1962 already set by earlier policies and 1963 through the original grant of rights 1964 will get the value 2 or higher. 1965 The last thing to do is to sweep 1966 through `letters' and keep the 1967 elements having the value 2 as set, 1968 and clear all the others. */ 1969 1970 fprintf(stderr, " Certificate proxy rights = %*.*s", i, i, s); 1971 while(i-- > 0) 1972 { 1973 int c = *s++; 1974 if (isascii(c) && isalpha(c)) 1975 { 1976 if (islower(c)) 1977 c = toupper(c); 1978 letters[c - 'A']++; 1979 } 1980 } 1981 for (i = 0; i < 26; i++) 1982 if (letters[i] < 2) 1983 letters[i] = 0; 1984 else 1985 letters[i] = 1; 1986 } 1987 1988 found_any = 0; 1989 fprintf(stderr, 1990 ", resulting proxy rights = "); 1991 for(i = 0; i < 26; i++) 1992 if (letters[i]) 1993 { 1994 fprintf(stderr, "%c", i + 'A'); 1995 found_any = 1; 1996 } 1997 if (!found_any) 1998 fprintf(stderr, "none"); 1999 fprintf(stderr, "\n"); 2000 2001 PROXY_CERT_INFO_EXTENSION_free(pci); 2002 } 2003 } 2004 } 2005 2006 return(ok); 2007 } 2008 2009static void process_proxy_debug(int indent, const char *format, ...) 2010 { 2011 static const char indentation[] = 2012 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>" 2013 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"; /* That's 80 > */ 2014 char my_format[256]; 2015 va_list args; 2016 2017 BIO_snprintf(my_format, sizeof(my_format), "%*.*s %s", 2018 indent, indent, indentation, format); 2019 2020 va_start(args, format); 2021 vfprintf(stderr, my_format, args); 2022 va_end(args); 2023 } 2024/* Priority levels: 2025 0 [!]var, () 2026 1 & ^ 2027 2 | 2028*/ 2029static int process_proxy_cond_adders(unsigned int letters[26], 2030 const char *cond, const char **cond_end, int *pos, int indent); 2031static int process_proxy_cond_val(unsigned int letters[26], 2032 const char *cond, const char **cond_end, int *pos, int indent) 2033 { 2034 int c; 2035 int ok = 1; 2036 int negate = 0; 2037 2038 while(isspace((int)*cond)) 2039 { 2040 cond++; (*pos)++; 2041 } 2042 c = *cond; 2043 2044 if (debug) 2045 process_proxy_debug(indent, 2046 "Start process_proxy_cond_val at position %d: %s\n", 2047 *pos, cond); 2048 2049 while(c == '!') 2050 { 2051 negate = !negate; 2052 cond++; (*pos)++; 2053 while(isspace((int)*cond)) 2054 { 2055 cond++; (*pos)++; 2056 } 2057 c = *cond; 2058 } 2059 2060 if (c == '(') 2061 { 2062 cond++; (*pos)++; 2063 ok = process_proxy_cond_adders(letters, cond, cond_end, pos, 2064 indent + 1); 2065 cond = *cond_end; 2066 if (ok < 0) 2067 goto end; 2068 while(isspace((int)*cond)) 2069 { 2070 cond++; (*pos)++; 2071 } 2072 c = *cond; 2073 if (c != ')') 2074 { 2075 fprintf(stderr, 2076 "Weird condition character in position %d: " 2077 "%c\n", *pos, c); 2078 ok = -1; 2079 goto end; 2080 } 2081 cond++; (*pos)++; 2082 } 2083 else if (isascii(c) && isalpha(c)) 2084 { 2085 if (islower(c)) 2086 c = toupper(c); 2087 ok = letters[c - 'A']; 2088 cond++; (*pos)++; 2089 } 2090 else 2091 { 2092 fprintf(stderr, 2093 "Weird condition character in position %d: " 2094 "%c\n", *pos, c); 2095 ok = -1; 2096 goto end; 2097 } 2098 end: 2099 *cond_end = cond; 2100 if (ok >= 0 && negate) 2101 ok = !ok; 2102 2103 if (debug) 2104 process_proxy_debug(indent, 2105 "End process_proxy_cond_val at position %d: %s, returning %d\n", 2106 *pos, cond, ok); 2107 2108 return ok; 2109 } 2110static int process_proxy_cond_multipliers(unsigned int letters[26], 2111 const char *cond, const char **cond_end, int *pos, int indent) 2112 { 2113 int ok; 2114 char c; 2115 2116 if (debug) 2117 process_proxy_debug(indent, 2118 "Start process_proxy_cond_multipliers at position %d: %s\n", 2119 *pos, cond); 2120 2121 ok = process_proxy_cond_val(letters, cond, cond_end, pos, indent + 1); 2122 cond = *cond_end; 2123 if (ok < 0) 2124 goto end; 2125 2126 while(ok >= 0) 2127 { 2128 while(isspace((int)*cond)) 2129 { 2130 cond++; (*pos)++; 2131 } 2132 c = *cond; 2133 2134 switch(c) 2135 { 2136 case '&': 2137 case '^': 2138 { 2139 int save_ok = ok; 2140 2141 cond++; (*pos)++; 2142 ok = process_proxy_cond_val(letters, 2143 cond, cond_end, pos, indent + 1); 2144 cond = *cond_end; 2145 if (ok < 0) 2146 break; 2147 2148 switch(c) 2149 { 2150 case '&': 2151 ok &= save_ok; 2152 break; 2153 case '^': 2154 ok ^= save_ok; 2155 break; 2156 default: 2157 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!" 2158 " STOPPING\n"); 2159 EXIT(1); 2160 } 2161 } 2162 break; 2163 default: 2164 goto end; 2165 } 2166 } 2167 end: 2168 if (debug) 2169 process_proxy_debug(indent, 2170 "End process_proxy_cond_multipliers at position %d: %s, returning %d\n", 2171 *pos, cond, ok); 2172 2173 *cond_end = cond; 2174 return ok; 2175 } 2176static int process_proxy_cond_adders(unsigned int letters[26], 2177 const char *cond, const char **cond_end, int *pos, int indent) 2178 { 2179 int ok; 2180 char c; 2181 2182 if (debug) 2183 process_proxy_debug(indent, 2184 "Start process_proxy_cond_adders at position %d: %s\n", 2185 *pos, cond); 2186 2187 ok = process_proxy_cond_multipliers(letters, cond, cond_end, pos, 2188 indent + 1); 2189 cond = *cond_end; 2190 if (ok < 0) 2191 goto end; 2192 2193 while(ok >= 0) 2194 { 2195 while(isspace((int)*cond)) 2196 { 2197 cond++; (*pos)++; 2198 } 2199 c = *cond; 2200 2201 switch(c) 2202 { 2203 case '|': 2204 { 2205 int save_ok = ok; 2206 2207 cond++; (*pos)++; 2208 ok = process_proxy_cond_multipliers(letters, 2209 cond, cond_end, pos, indent + 1); 2210 cond = *cond_end; 2211 if (ok < 0) 2212 break; 2213 2214 switch(c) 2215 { 2216 case '|': 2217 ok |= save_ok; 2218 break; 2219 default: 2220 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!" 2221 " STOPPING\n"); 2222 EXIT(1); 2223 } 2224 } 2225 break; 2226 default: 2227 goto end; 2228 } 2229 } 2230 end: 2231 if (debug) 2232 process_proxy_debug(indent, 2233 "End process_proxy_cond_adders at position %d: %s, returning %d\n", 2234 *pos, cond, ok); 2235 2236 *cond_end = cond; 2237 return ok; 2238 } 2239 2240static int process_proxy_cond(unsigned int letters[26], 2241 const char *cond, const char **cond_end) 2242 { 2243 int pos = 1; 2244 return process_proxy_cond_adders(letters, cond, cond_end, &pos, 1); 2245 } 2246 2247static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg) 2248 { 2249 int ok=1; 2250 struct app_verify_arg *cb_arg = arg; 2251 unsigned int letters[26]; /* only used with proxy_auth */ 2252 2253 if (cb_arg->app_verify) 2254 { 2255 char *s = NULL,buf[256]; 2256 2257 fprintf(stderr, "In app_verify_callback, allowing cert. "); 2258 fprintf(stderr, "Arg is: %s\n", cb_arg->string); 2259 fprintf(stderr, "Finished printing do we have a context? 0x%p a cert? 0x%p\n", 2260 (void *)ctx, (void *)ctx->cert); 2261 if (ctx->cert) 2262 s=X509_NAME_oneline(X509_get_subject_name(ctx->cert),buf,256); 2263 if (s != NULL) 2264 { 2265 fprintf(stderr,"cert depth=%d %s\n",ctx->error_depth,buf); 2266 } 2267 return(1); 2268 } 2269 if (cb_arg->proxy_auth) 2270 { 2271 int found_any = 0, i; 2272 char *sp; 2273 2274 for(i = 0; i < 26; i++) 2275 letters[i] = 0; 2276 for(sp = cb_arg->proxy_auth; *sp; sp++) 2277 { 2278 int c = *sp; 2279 if (isascii(c) && isalpha(c)) 2280 { 2281 if (islower(c)) 2282 c = toupper(c); 2283 letters[c - 'A'] = 1; 2284 } 2285 } 2286 2287 fprintf(stderr, 2288 " Initial proxy rights = "); 2289 for(i = 0; i < 26; i++) 2290 if (letters[i]) 2291 { 2292 fprintf(stderr, "%c", i + 'A'); 2293 found_any = 1; 2294 } 2295 if (!found_any) 2296 fprintf(stderr, "none"); 2297 fprintf(stderr, "\n"); 2298 2299 X509_STORE_CTX_set_ex_data(ctx, 2300 get_proxy_auth_ex_data_idx(),letters); 2301 } 2302 if (cb_arg->allow_proxy_certs) 2303 { 2304 X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS); 2305 } 2306 2307#ifndef OPENSSL_NO_X509_VERIFY 2308 ok = X509_verify_cert(ctx); 2309#endif 2310 2311 if (cb_arg->proxy_auth) 2312 { 2313 if (ok > 0) 2314 { 2315 const char *cond_end = NULL; 2316 2317 ok = process_proxy_cond(letters, 2318 cb_arg->proxy_cond, &cond_end); 2319 2320 if (ok < 0) 2321 EXIT(3); 2322 if (*cond_end) 2323 { 2324 fprintf(stderr, "Stopped processing condition before it's end.\n"); 2325 ok = 0; 2326 } 2327 if (!ok) 2328 fprintf(stderr, "Proxy rights check with condition '%s' proved invalid\n", 2329 cb_arg->proxy_cond); 2330 else 2331 fprintf(stderr, "Proxy rights check with condition '%s' proved valid\n", 2332 cb_arg->proxy_cond); 2333 } 2334 } 2335 return(ok); 2336 } 2337 2338#ifndef OPENSSL_NO_RSA 2339static RSA *rsa_tmp=NULL; 2340 2341static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength) 2342 { 2343 BIGNUM *bn = NULL; 2344 if (rsa_tmp == NULL) 2345 { 2346 bn = BN_new(); 2347 rsa_tmp = RSA_new(); 2348 if(!bn || !rsa_tmp || !BN_set_word(bn, RSA_F4)) 2349 { 2350 BIO_printf(bio_err, "Memory error..."); 2351 goto end; 2352 } 2353 BIO_printf(bio_err,"Generating temp (%d bit) RSA key...",keylength); 2354 (void)BIO_flush(bio_err); 2355 if(!RSA_generate_key_ex(rsa_tmp,keylength,bn,NULL)) 2356 { 2357 BIO_printf(bio_err, "Error generating key."); 2358 RSA_free(rsa_tmp); 2359 rsa_tmp = NULL; 2360 } 2361end: 2362 BIO_printf(bio_err,"\n"); 2363 (void)BIO_flush(bio_err); 2364 } 2365 if(bn) BN_free(bn); 2366 return(rsa_tmp); 2367 } 2368 2369static void free_tmp_rsa(void) 2370 { 2371 if (rsa_tmp != NULL) 2372 { 2373 RSA_free(rsa_tmp); 2374 rsa_tmp = NULL; 2375 } 2376 } 2377#endif 2378 2379#ifndef OPENSSL_NO_DH 2380/* These DH parameters have been generated as follows: 2381 * $ openssl dhparam -C -noout 512 2382 * $ openssl dhparam -C -noout 1024 2383 * $ openssl dhparam -C -noout -dsaparam 1024 2384 * (The third function has been renamed to avoid name conflicts.) 2385 */ 2386static DH *get_dh512() 2387 { 2388 static unsigned char dh512_p[]={ 2389 0xCB,0xC8,0xE1,0x86,0xD0,0x1F,0x94,0x17,0xA6,0x99,0xF0,0xC6, 2390 0x1F,0x0D,0xAC,0xB6,0x25,0x3E,0x06,0x39,0xCA,0x72,0x04,0xB0, 2391 0x6E,0xDA,0xC0,0x61,0xE6,0x7A,0x77,0x25,0xE8,0x3B,0xB9,0x5F, 2392 0x9A,0xB6,0xB5,0xFE,0x99,0x0B,0xA1,0x93,0x4E,0x35,0x33,0xB8, 2393 0xE1,0xF1,0x13,0x4F,0x59,0x1A,0xD2,0x57,0xC0,0x26,0x21,0x33, 2394 0x02,0xC5,0xAE,0x23, 2395 }; 2396 static unsigned char dh512_g[]={ 2397 0x02, 2398 }; 2399 DH *dh; 2400 2401 if ((dh=DH_new()) == NULL) return(NULL); 2402 dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL); 2403 dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL); 2404 if ((dh->p == NULL) || (dh->g == NULL)) 2405 { DH_free(dh); return(NULL); } 2406 return(dh); 2407 } 2408 2409static DH *get_dh1024() 2410 { 2411 static unsigned char dh1024_p[]={ 2412 0xF8,0x81,0x89,0x7D,0x14,0x24,0xC5,0xD1,0xE6,0xF7,0xBF,0x3A, 2413 0xE4,0x90,0xF4,0xFC,0x73,0xFB,0x34,0xB5,0xFA,0x4C,0x56,0xA2, 2414 0xEA,0xA7,0xE9,0xC0,0xC0,0xCE,0x89,0xE1,0xFA,0x63,0x3F,0xB0, 2415 0x6B,0x32,0x66,0xF1,0xD1,0x7B,0xB0,0x00,0x8F,0xCA,0x87,0xC2, 2416 0xAE,0x98,0x89,0x26,0x17,0xC2,0x05,0xD2,0xEC,0x08,0xD0,0x8C, 2417 0xFF,0x17,0x52,0x8C,0xC5,0x07,0x93,0x03,0xB1,0xF6,0x2F,0xB8, 2418 0x1C,0x52,0x47,0x27,0x1B,0xDB,0xD1,0x8D,0x9D,0x69,0x1D,0x52, 2419 0x4B,0x32,0x81,0xAA,0x7F,0x00,0xC8,0xDC,0xE6,0xD9,0xCC,0xC1, 2420 0x11,0x2D,0x37,0x34,0x6C,0xEA,0x02,0x97,0x4B,0x0E,0xBB,0xB1, 2421 0x71,0x33,0x09,0x15,0xFD,0xDD,0x23,0x87,0x07,0x5E,0x89,0xAB, 2422 0x6B,0x7C,0x5F,0xEC,0xA6,0x24,0xDC,0x53, 2423 }; 2424 static unsigned char dh1024_g[]={ 2425 0x02, 2426 }; 2427 DH *dh; 2428 2429 if ((dh=DH_new()) == NULL) return(NULL); 2430 dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL); 2431 dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL); 2432 if ((dh->p == NULL) || (dh->g == NULL)) 2433 { DH_free(dh); return(NULL); } 2434 return(dh); 2435 } 2436 2437static DH *get_dh1024dsa() 2438 { 2439 static unsigned char dh1024_p[]={ 2440 0xC8,0x00,0xF7,0x08,0x07,0x89,0x4D,0x90,0x53,0xF3,0xD5,0x00, 2441 0x21,0x1B,0xF7,0x31,0xA6,0xA2,0xDA,0x23,0x9A,0xC7,0x87,0x19, 2442 0x3B,0x47,0xB6,0x8C,0x04,0x6F,0xFF,0xC6,0x9B,0xB8,0x65,0xD2, 2443 0xC2,0x5F,0x31,0x83,0x4A,0xA7,0x5F,0x2F,0x88,0x38,0xB6,0x55, 2444 0xCF,0xD9,0x87,0x6D,0x6F,0x9F,0xDA,0xAC,0xA6,0x48,0xAF,0xFC, 2445 0x33,0x84,0x37,0x5B,0x82,0x4A,0x31,0x5D,0xE7,0xBD,0x52,0x97, 2446 0xA1,0x77,0xBF,0x10,0x9E,0x37,0xEA,0x64,0xFA,0xCA,0x28,0x8D, 2447 0x9D,0x3B,0xD2,0x6E,0x09,0x5C,0x68,0xC7,0x45,0x90,0xFD,0xBB, 2448 0x70,0xC9,0x3A,0xBB,0xDF,0xD4,0x21,0x0F,0xC4,0x6A,0x3C,0xF6, 2449 0x61,0xCF,0x3F,0xD6,0x13,0xF1,0x5F,0xBC,0xCF,0xBC,0x26,0x9E, 2450 0xBC,0x0B,0xBD,0xAB,0x5D,0xC9,0x54,0x39, 2451 }; 2452 static unsigned char dh1024_g[]={ 2453 0x3B,0x40,0x86,0xE7,0xF3,0x6C,0xDE,0x67,0x1C,0xCC,0x80,0x05, 2454 0x5A,0xDF,0xFE,0xBD,0x20,0x27,0x74,0x6C,0x24,0xC9,0x03,0xF3, 2455 0xE1,0x8D,0xC3,0x7D,0x98,0x27,0x40,0x08,0xB8,0x8C,0x6A,0xE9, 2456 0xBB,0x1A,0x3A,0xD6,0x86,0x83,0x5E,0x72,0x41,0xCE,0x85,0x3C, 2457 0xD2,0xB3,0xFC,0x13,0xCE,0x37,0x81,0x9E,0x4C,0x1C,0x7B,0x65, 2458 0xD3,0xE6,0xA6,0x00,0xF5,0x5A,0x95,0x43,0x5E,0x81,0xCF,0x60, 2459 0xA2,0x23,0xFC,0x36,0xA7,0x5D,0x7A,0x4C,0x06,0x91,0x6E,0xF6, 2460 0x57,0xEE,0x36,0xCB,0x06,0xEA,0xF5,0x3D,0x95,0x49,0xCB,0xA7, 2461 0xDD,0x81,0xDF,0x80,0x09,0x4A,0x97,0x4D,0xA8,0x22,0x72,0xA1, 2462 0x7F,0xC4,0x70,0x56,0x70,0xE8,0x20,0x10,0x18,0x8F,0x2E,0x60, 2463 0x07,0xE7,0x68,0x1A,0x82,0x5D,0x32,0xA2, 2464 }; 2465 DH *dh; 2466 2467 if ((dh=DH_new()) == NULL) return(NULL); 2468 dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL); 2469 dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL); 2470 if ((dh->p == NULL) || (dh->g == NULL)) 2471 { DH_free(dh); return(NULL); } 2472 dh->length = 160; 2473 return(dh); 2474 } 2475#endif 2476 2477#ifndef OPENSSL_NO_PSK 2478/* convert the PSK key (psk_key) in ascii to binary (psk) */ 2479static int psk_key2bn(const char *pskkey, unsigned char *psk, 2480 unsigned int max_psk_len) 2481 { 2482 int ret; 2483 BIGNUM *bn = NULL; 2484 2485 ret = BN_hex2bn(&bn, pskkey); 2486 if (!ret) 2487 { 2488 BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", pskkey); 2489 if (bn) 2490 BN_free(bn); 2491 return 0; 2492 } 2493 if (BN_num_bytes(bn) > (int)max_psk_len) 2494 { 2495 BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n", 2496 max_psk_len, BN_num_bytes(bn)); 2497 BN_free(bn); 2498 return 0; 2499 } 2500 ret = BN_bn2bin(bn, psk); 2501 BN_free(bn); 2502 return ret; 2503 } 2504 2505static unsigned int psk_client_callback(SSL *ssl, const char *hint, char *identity, 2506 unsigned int max_identity_len, unsigned char *psk, 2507 unsigned int max_psk_len) 2508 { 2509 int ret; 2510 unsigned int psk_len = 0; 2511 2512 ret = BIO_snprintf(identity, max_identity_len, "Client_identity"); 2513 if (ret < 0) 2514 goto out_err; 2515 if (debug) 2516 fprintf(stderr, "client: created identity '%s' len=%d\n", identity, ret); 2517 ret = psk_key2bn(psk_key, psk, max_psk_len); 2518 if (ret < 0) 2519 goto out_err; 2520 psk_len = ret; 2521out_err: 2522 return psk_len; 2523 } 2524 2525static unsigned int psk_server_callback(SSL *ssl, const char *identity, 2526 unsigned char *psk, unsigned int max_psk_len) 2527 { 2528 unsigned int psk_len=0; 2529 2530 if (strcmp(identity, "Client_identity") != 0) 2531 { 2532 BIO_printf(bio_err, "server: PSK error: client identity not found\n"); 2533 return 0; 2534 } 2535 psk_len=psk_key2bn(psk_key, psk, max_psk_len); 2536 return psk_len; 2537 } 2538#endif 2539 2540static int do_test_cipherlist(void) 2541 { 2542 int i = 0; 2543 const SSL_METHOD *meth; 2544 const SSL_CIPHER *ci, *tci = NULL; 2545 2546#ifndef OPENSSL_NO_SSL2 2547 fprintf(stderr, "testing SSLv2 cipher list order: "); 2548 meth = SSLv2_method(); 2549 while ((ci = meth->get_cipher(i++)) != NULL) 2550 { 2551 if (tci != NULL) 2552 if (ci->id >= tci->id) 2553 { 2554 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id); 2555 return 0; 2556 } 2557 tci = ci; 2558 } 2559 fprintf(stderr, "ok\n"); 2560#endif 2561#ifndef OPENSSL_NO_SSL3 2562 fprintf(stderr, "testing SSLv3 cipher list order: "); 2563 meth = SSLv3_method(); 2564 tci = NULL; 2565 while ((ci = meth->get_cipher(i++)) != NULL) 2566 { 2567 if (tci != NULL) 2568 if (ci->id >= tci->id) 2569 { 2570 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id); 2571 return 0; 2572 } 2573 tci = ci; 2574 } 2575 fprintf(stderr, "ok\n"); 2576#endif 2577#ifndef OPENSSL_NO_TLS1 2578 fprintf(stderr, "testing TLSv1 cipher list order: "); 2579 meth = TLSv1_method(); 2580 tci = NULL; 2581 while ((ci = meth->get_cipher(i++)) != NULL) 2582 { 2583 if (tci != NULL) 2584 if (ci->id >= tci->id) 2585 { 2586 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id); 2587 return 0; 2588 } 2589 tci = ci; 2590 } 2591 fprintf(stderr, "ok\n"); 2592#endif 2593 2594 return 1; 2595 } 2596