search:
summary | log | graphiclog1 | graphiclog2 | commit | commitdiff | tree | refs | edit | fork
blame | history | raw | HEAD
etc/services - sync with NetBSD-8
[minix.git] / crypto / external / bsd / openssl / dist / ssl / ssltest.c
blob31dce4e37788f2f3ca81913d7519d3e376cb977e
1 /* ssl/ssltest.c */
2 /* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com)
3 * All rights reserved.
4 *
5 * This package is an SSL implementation written
6 * by Eric Young (eay@cryptsoft.com).
7 * The implementation was written so as to conform with Netscapes SSL.
8 *
9 * This library is free for commercial and non-commercial use as long as
10 * the following conditions are aheared to. The following conditions
11 * apply to all code found in this distribution, be it the RC4, RSA,
12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation
13 * included with this distribution is covered by the same copyright terms
14 * except that the holder is Tim Hudson (tjh@cryptsoft.com).
15 *
16 * Copyright remains Eric Young's, and as such any Copyright notices in
17 * the code are not to be removed.
18 * If this package is used in a product, Eric Young should be given attribution
19 * as the author of the parts of the library used.
20 * This can be in the form of a textual message at program startup or
21 * in documentation (online or textual) provided with the package.
22 *
23 * Redistribution and use in source and binary forms, with or without
24 * modification, are permitted provided that the following conditions
25 * are met:
26 * 1. Redistributions of source code must retain the copyright
27 * notice, this list of conditions and the following disclaimer.
28 * 2. Redistributions in binary form must reproduce the above copyright
29 * notice, this list of conditions and the following disclaimer in the
30 * documentation and/or other materials provided with the distribution.
31 * 3. All advertising materials mentioning features or use of this software
32 * must display the following acknowledgement:
33 * "This product includes cryptographic software written by
34 * Eric Young (eay@cryptsoft.com)"
35 * The word 'cryptographic' can be left out if the rouines from the library
36 * being used are not cryptographic related :-).
37 * 4. If you include any Windows specific code (or a derivative thereof) from
38 * the apps directory (application code) you must include an acknowledgement:
39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)"
40 *
41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND
42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE
44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE
45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL
46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS
47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT
49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY
50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF
51 * SUCH DAMAGE.
52 *
53 * The licence and distribution terms for any publically available version or
54 * derivative of this code cannot be changed. i.e. this code cannot simply be
55 * copied and put under another distribution licence
56 * [including the GNU Public Licence.]
57 */
58 /* ====================================================================
59 * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved.
60 *
61 * Redistribution and use in source and binary forms, with or without
62 * modification, are permitted provided that the following conditions
63 * are met:
64 *
65 * 1. Redistributions of source code must retain the above copyright
66 * notice, this list of conditions and the following disclaimer.
67 *
68 * 2. Redistributions in binary form must reproduce the above copyright
69 * notice, this list of conditions and the following disclaimer in
70 * the documentation and/or other materials provided with the
71 * distribution.
72 *
73 * 3. All advertising materials mentioning features or use of this
74 * software must display the following acknowledgment:
75 * "This product includes software developed by the OpenSSL Project
76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)"
77 *
78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to
79 * endorse or promote products derived from this software without
80 * prior written permission. For written permission, please contact
81 * openssl-core@openssl.org.
82 *
83 * 5. Products derived from this software may not be called "OpenSSL"
84 * nor may "OpenSSL" appear in their names without prior written
85 * permission of the OpenSSL Project.
86 *
87 * 6. Redistributions of any form whatsoever must retain the following
88 * acknowledgment:
89 * "This product includes software developed by the OpenSSL Project
90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)"
91 *
92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY
93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE
94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR
95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR
96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL,
97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT
98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES;
99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION)
100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT,
101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE)
102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED
103 * OF THE POSSIBILITY OF SUCH DAMAGE.
104 * ====================================================================
105 *
106 * This product includes cryptographic software written by Eric Young
107 * (eay@cryptsoft.com). This product includes software written by Tim
108 * Hudson (tjh@cryptsoft.com).
109 *
110 */
111 /* ====================================================================
112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED.
113 * ECC cipher suite support in OpenSSL originally developed by
114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project.
115 */
116 /* ====================================================================
117 * Copyright 2005 Nokia. All rights reserved.
118 *
119 * The portions of the attached software ("Contribution") is developed by
120 * Nokia Corporation and is licensed pursuant to the OpenSSL open source
121 * license.
122 *
123 * The Contribution, originally written by Mika Kousa and Pasi Eronen of
124 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites
125 * support (see RFC 4279) to OpenSSL.
126 *
127 * No patent licenses or other rights except those expressly stated in
128 * the OpenSSL open source license shall be deemed granted or received
129 * expressly, by implication, estoppel, or otherwise.
130 *
131 * No assurances are provided by Nokia that the Contribution does not
132 * infringe the patent or other intellectual property rights of any third
133 * party or that the license provides you with all the necessary rights
134 * to make use of the Contribution.
135 *
136 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN
137 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA
138 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY
139 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR
140 * OTHERWISE.
141 */
142
143 /* Or gethostname won't be declared properly on Linux and GNU platforms. */
144 #define _BSD_SOURCE 1
145
146 #include <assert.h>
147 #include <errno.h>
148 #include <limits.h>
149 #include <stdio.h>
150 #include <stdlib.h>
151 #include <string.h>
152 #include <time.h>
153
154 #define USE_SOCKETS
155 #include "e_os.h"
156
157 #ifdef OPENSSL_SYS_VMS
158 /*
159 * Or isascii won't be declared properly on VMS (at least with DECompHP C).
160 */
161 # define _XOPEN_SOURCE 500
162 #endif
163
164 #include <ctype.h>
165
166 #include <openssl/bio.h>
167 #include <openssl/crypto.h>
168 #include <openssl/evp.h>
169 #include <openssl/x509.h>
170 #include <openssl/x509v3.h>
171 #include <openssl/ssl.h>
172 #ifndef OPENSSL_NO_ENGINE
173 # include <openssl/engine.h>
174 #endif
175 #include <openssl/err.h>
176 #include <openssl/rand.h>
177 #ifndef OPENSSL_NO_RSA
178 # include <openssl/rsa.h>
179 #endif
180 #ifndef OPENSSL_NO_DSA
181 # include <openssl/dsa.h>
182 #endif
183 #ifndef OPENSSL_NO_DH
184 # include <openssl/dh.h>
185 #endif
186 #ifndef OPENSSL_NO_SRP
187 # include <openssl/srp.h>
188 #endif
189 #include <openssl/bn.h>
190
191 /*
192 * Or gethostname won't be declared properly
193 * on Compaq platforms (at least with DEC C).
194 * Do not try to put it earlier, or IPv6 includes
195 * get screwed...
196 */
197 #define _XOPEN_SOURCE_EXTENDED 1
198
199 #ifdef OPENSSL_SYS_WINDOWS
200 # include <winsock.h>
201 #else
202 # include <unistd.h>
203 #endif
204
205 #ifdef OPENSSL_SYS_VMS
206 # define TEST_SERVER_CERT "SYS$DISK:[-.APPS]SERVER.PEM"
207 # define TEST_CLIENT_CERT "SYS$DISK:[-.APPS]CLIENT.PEM"
208 #elif defined(OPENSSL_SYS_WINCE)
209 # define TEST_SERVER_CERT "\\OpenSSL\\server.pem"
210 # define TEST_CLIENT_CERT "\\OpenSSL\\client.pem"
211 #elif defined(OPENSSL_SYS_NETWARE)
212 # define TEST_SERVER_CERT "\\openssl\\apps\\server.pem"
213 # define TEST_CLIENT_CERT "\\openssl\\apps\\client.pem"
214 #else
215 # define TEST_SERVER_CERT "../apps/server.pem"
216 # define TEST_CLIENT_CERT "../apps/client.pem"
217 #endif
218
219 /*
220 * There is really no standard for this, so let's assign some tentative
221 * numbers. In any case, these numbers are only for this test
222 */
223 #define COMP_RLE 255
224 #define COMP_ZLIB 1
225
226 static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx);
227 #ifndef OPENSSL_NO_RSA
228 static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength);
229 static void free_tmp_rsa(void);
230 #endif
231 static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg);
232 #define APP_CALLBACK_STRING "Test Callback Argument"
233 struct app_verify_arg {
234 char *string;
235 int app_verify;
236 int allow_proxy_certs;
237 char *proxy_auth;
238 char *proxy_cond;
239 };
240
241 #ifndef OPENSSL_NO_DH
242 static DH *get_dh512(void);
243 static DH *get_dh1024(void);
244 static DH *get_dh1024dsa(void);
245 #endif
246
247 static char *psk_key = NULL; /* by default PSK is not used */
248 #ifndef OPENSSL_NO_PSK
249 static unsigned int psk_client_callback(SSL *ssl, const char *hint,
250 char *identity,
251 unsigned int max_identity_len,
252 unsigned char *psk,
253 unsigned int max_psk_len);
254 static unsigned int psk_server_callback(SSL *ssl, const char *identity,
255 unsigned char *psk,
256 unsigned int max_psk_len);
257 #endif
258
259 #ifndef OPENSSL_NO_SRP
260 /* SRP client */
261 /* This is a context that we pass to all callbacks */
262 typedef struct srp_client_arg_st {
263 char *srppassin;
264 char *srplogin;
265 } SRP_CLIENT_ARG;
266
267 # define PWD_STRLEN 1024
268
269 static char *MS_CALLBACK ssl_give_srp_client_pwd_cb(SSL *s, void *arg)
270 {
271 SRP_CLIENT_ARG *srp_client_arg = (SRP_CLIENT_ARG *)arg;
272 return BUF_strdup((char *)srp_client_arg->srppassin);
273 }
274
275 /* SRP server */
276 /* This is a context that we pass to SRP server callbacks */
277 typedef struct srp_server_arg_st {
278 char *expected_user;
279 char *pass;
280 } SRP_SERVER_ARG;
281
282 static int MS_CALLBACK ssl_srp_server_param_cb(SSL *s, int *ad, void *arg)
283 {
284 SRP_SERVER_ARG *p = (SRP_SERVER_ARG *)arg;
285
286 if (strcmp(p->expected_user, SSL_get_srp_username(s)) != 0) {
287 fprintf(stderr, "User %s doesn't exist\n", SSL_get_srp_username(s));
288 return SSL3_AL_FATAL;
289 }
290 if (SSL_set_srp_server_param_pw(s, p->expected_user, p->pass, "1024") < 0) {
291 *ad = SSL_AD_INTERNAL_ERROR;
292 return SSL3_AL_FATAL;
293 }
294 return SSL_ERROR_NONE;
295 }
296 #endif
297
298 static BIO *bio_err = NULL;
299 static BIO *bio_stdout = NULL;
300
301 static char *cipher = NULL;
302 static int verbose = 0;
303 static int debug = 0;
304 #if 0
305 /* Not used yet. */
306 # ifdef FIONBIO
307 static int s_nbio = 0;
308 # endif
309 #endif
310
311 static const char rnd_seed[] =
312 "string to make the random number generator think it has entropy";
313
314 int doit_biopair(SSL *s_ssl, SSL *c_ssl, long bytes, clock_t *s_time,
315 clock_t *c_time);
316 int doit(SSL *s_ssl, SSL *c_ssl, long bytes);
317 static int do_test_cipherlist(void);
318 static void sv_usage(void)
319 {
320 fprintf(stderr, "usage: ssltest [args ...]\n");
321 fprintf(stderr, "\n");
322 #ifdef OPENSSL_FIPS
323 fprintf(stderr, "-F - run test in FIPS mode\n");
324 #endif
325 fprintf(stderr, " -server_auth - check server certificate\n");
326 fprintf(stderr, " -client_auth - do client authentication\n");
327 fprintf(stderr, " -proxy - allow proxy certificates\n");
328 fprintf(stderr, " -proxy_auth <val> - set proxy policy rights\n");
329 fprintf(stderr,
330 " -proxy_cond <val> - experssion to test proxy policy rights\n");
331 fprintf(stderr, " -v - more output\n");
332 fprintf(stderr, " -d - debug output\n");
333 fprintf(stderr, " -reuse - use session-id reuse\n");
334 fprintf(stderr, " -num <val> - number of connections to perform\n");
335 fprintf(stderr,
336 " -bytes <val> - number of bytes to swap between client/server\n");
337 #ifndef OPENSSL_NO_DH
338 fprintf(stderr,
339 " -dhe512 - use 512 bit key for DHE (to test failure)\n");
340 fprintf(stderr,
341 " -dhe1024 - use 1024 bit key (safe prime) for DHE (default, no-op)\n");
342 fprintf(stderr,
343 " -dhe1024dsa - use 1024 bit key (with 160-bit subprime) for DHE\n");
344 fprintf(stderr, " -no_dhe - disable DHE\n");
345 #endif
346 #ifndef OPENSSL_NO_ECDH
347 fprintf(stderr, " -no_ecdhe - disable ECDHE\n");
348 #endif
349 #ifndef OPENSSL_NO_PSK
350 fprintf(stderr, " -psk arg - PSK in hex (without 0x)\n");
351 #endif
352 #ifndef OPENSSL_NO_SRP
353 fprintf(stderr, " -srpuser user - SRP username to use\n");
354 fprintf(stderr, " -srppass arg - password for 'user'\n");
355 #endif
356 #ifndef OPENSSL_NO_SSL2
357 fprintf(stderr, " -ssl2 - use SSLv2\n");
358 #endif
359 #ifndef OPENSSL_NO_SSL3_METHOD
360 fprintf(stderr, " -ssl3 - use SSLv3\n");
361 #endif
362 #ifndef OPENSSL_NO_TLS1
363 fprintf(stderr, " -tls1 - use TLSv1\n");
364 #endif
365 fprintf(stderr, " -CApath arg - PEM format directory of CA's\n");
366 fprintf(stderr, " -CAfile arg - PEM format file of CA's\n");
367 fprintf(stderr, " -cert arg - Server certificate file\n");
368 fprintf(stderr,
369 " -key arg - Server key file (default: same as -cert)\n");
370 fprintf(stderr, " -c_cert arg - Client certificate file\n");
371 fprintf(stderr,
372 " -c_key arg - Client key file (default: same as -c_cert)\n");
373 fprintf(stderr, " -cipher arg - The cipher list\n");
374 fprintf(stderr, " -bio_pair - Use BIO pairs\n");
375 fprintf(stderr, " -f - Test even cases that can't work\n");
376 fprintf(stderr,
377 " -time - measure processor time used by client and server\n");
378 fprintf(stderr, " -zlib - use zlib compression\n");
379 fprintf(stderr, " -rle - use rle compression\n");
380 #ifndef OPENSSL_NO_ECDH
381 fprintf(stderr,
382 " -named_curve arg - Elliptic curve name to use for ephemeral ECDH keys.\n"
383 " Use \"openssl ecparam -list_curves\" for all names\n"
384 " (default is sect163r2).\n");
385 #endif
386 fprintf(stderr,
387 " -test_cipherlist - Verifies the order of the ssl cipher lists.\n"
388 " When this option is requested, the cipherlist\n"
389 " tests are run instead of handshake tests.\n");
390 }
391
392 static void print_details(SSL *c_ssl, const char *prefix)
393 {
394 const SSL_CIPHER *ciph;
395 X509 *cert;
396
397 ciph = SSL_get_current_cipher(c_ssl);
398 BIO_printf(bio_stdout, "%s%s, cipher %s %s",
399 prefix,
400 SSL_get_version(c_ssl),
401 SSL_CIPHER_get_version(ciph), SSL_CIPHER_get_name(ciph));
402 cert = SSL_get_peer_certificate(c_ssl);
403 if (cert != NULL) {
404 EVP_PKEY *pkey = X509_get_pubkey(cert);
405 if (pkey != NULL) {
406 if (0) ;
407 #ifndef OPENSSL_NO_RSA
408 else if (pkey->type == EVP_PKEY_RSA && pkey->pkey.rsa != NULL
409 && pkey->pkey.rsa->n != NULL) {
410 BIO_printf(bio_stdout, ", %d bit RSA",
411 BN_num_bits(pkey->pkey.rsa->n));
412 }
413 #endif
414 #ifndef OPENSSL_NO_DSA
415 else if (pkey->type == EVP_PKEY_DSA && pkey->pkey.dsa != NULL
416 && pkey->pkey.dsa->p != NULL) {
417 BIO_printf(bio_stdout, ", %d bit DSA",
418 BN_num_bits(pkey->pkey.dsa->p));
419 }
420 #endif
421 EVP_PKEY_free(pkey);
422 }
423 X509_free(cert);
424 }
425 /*
426 * The SSL API does not allow us to look at temporary RSA/DH keys,
427 * otherwise we should print their lengths too
428 */
429 BIO_printf(bio_stdout, "\n");
430 }
431
432 static void lock_dbg_cb(int mode, int type, const char *file, int line)
433 {
434 static int modes[CRYPTO_NUM_LOCKS]; /* = {0, 0, ... } */
435 const char *errstr = NULL;
436 int rw;
437
438 rw = mode & (CRYPTO_READ | CRYPTO_WRITE);
439 if (!((rw == CRYPTO_READ) || (rw == CRYPTO_WRITE))) {
440 errstr = "invalid mode";
441 goto err;
442 }
443
444 if (type < 0 || type >= CRYPTO_NUM_LOCKS) {
445 errstr = "type out of bounds";
446 goto err;
447 }
448
449 if (mode & CRYPTO_LOCK) {
450 if (modes[type]) {
451 errstr = "already locked";
452 /*
453 * must not happen in a single-threaded program (would deadlock)
454 */
455 goto err;
456 }
457
458 modes[type] = rw;
459 } else if (mode & CRYPTO_UNLOCK) {
460 if (!modes[type]) {
461 errstr = "not locked";
462 goto err;
463 }
464
465 if (modes[type] != rw) {
466 errstr = (rw == CRYPTO_READ) ?
467 "CRYPTO_r_unlock on write lock" :
468 "CRYPTO_w_unlock on read lock";
469 }
470
471 modes[type] = 0;
472 } else {
473 errstr = "invalid mode";
474 goto err;
475 }
476
477 err:
478 if (errstr) {
479 /* we cannot use bio_err here */
480 fprintf(stderr,
481 "openssl (lock_dbg_cb): %s (mode=%d, type=%d) at %s:%d\n",
482 errstr, mode, type, file, line);
483 }
484 }
485
486 #ifdef TLSEXT_TYPE_opaque_prf_input
487 struct cb_info_st {
488 void *input;
489 size_t len;
490 int ret;
491 };
492 struct cb_info_st co1 = { "C", 1, 1 }; /* try to negotiate oqaque PRF input */
493 struct cb_info_st co2 = { "C", 1, 2 }; /* insist on oqaque PRF input */
494 struct cb_info_st so1 = { "S", 1, 1 }; /* try to negotiate oqaque PRF input */
495 struct cb_info_st so2 = { "S", 1, 2 }; /* insist on oqaque PRF input */
496
497 int opaque_prf_input_cb(SSL *ssl, void *peerinput, size_t len, void *arg_)
498 {
499 struct cb_info_st *arg = arg_;
500
501 if (arg == NULL)
502 return 1;
503
504 if (!SSL_set_tlsext_opaque_prf_input(ssl, arg->input, arg->len))
505 return 0;
506 return arg->ret;
507 }
508 #endif
509
510 int main(int argc, char *argv[])
511 {
512 char *CApath = NULL, *CAfile = NULL;
513 int badop = 0;
514 int bio_pair = 0;
515 int force = 0;
516 int tls1 = 0, ssl2 = 0, ssl3 = 0, ret = 1;
517 int client_auth = 0;
518 int server_auth = 0, i;
519 struct app_verify_arg app_verify_arg =
520 { APP_CALLBACK_STRING, 0, 0, NULL, NULL };
521 char *server_cert = TEST_SERVER_CERT;
522 char *server_key = NULL;
523 char *client_cert = TEST_CLIENT_CERT;
524 char *client_key = NULL;
525 #ifndef OPENSSL_NO_ECDH
526 char *named_curve = NULL;
527 #endif
528 SSL_CTX *s_ctx = NULL;
529 SSL_CTX *c_ctx = NULL;
530 const SSL_METHOD *meth = NULL;
531 SSL *c_ssl, *s_ssl;
532 int number = 1, reuse = 0;
533 long bytes = 256L;
534 #ifndef OPENSSL_NO_DH
535 DH *dh;
536 int dhe512 = 0, dhe1024dsa = 0;
537 #endif
538 #ifndef OPENSSL_NO_ECDH
539 EC_KEY *ecdh = NULL;
540 #endif
541 #ifndef OPENSSL_NO_SRP
542 /* client */
543 SRP_CLIENT_ARG srp_client_arg = { NULL, NULL };
544 /* server */
545 SRP_SERVER_ARG srp_server_arg = { NULL, NULL };
546 #endif
547 int no_dhe = 0;
548 int no_ecdhe = 0;
549 int no_psk = 0;
550 int print_time = 0;
551 clock_t s_time = 0, c_time = 0;
552 int comp = 0;
553 #ifndef OPENSSL_NO_COMP
554 COMP_METHOD *cm = NULL;
555 STACK_OF(SSL_COMP) *ssl_comp_methods = NULL;
556 #endif
557 int test_cipherlist = 0;
558 #ifdef OPENSSL_FIPS
559 int fips_mode = 0;
560 #endif
561 int no_protocol = 0;
562
563 verbose = 0;
564 debug = 0;
565 cipher = 0;
566
567 bio_err = BIO_new_fp(stderr, BIO_NOCLOSE | BIO_FP_TEXT);
568
569 CRYPTO_set_locking_callback(lock_dbg_cb);
570
571 /* enable memory leak checking unless explicitly disabled */
572 if (!((getenv("OPENSSL_DEBUG_MEMORY") != NULL)
573 && (0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off")))) {
574 CRYPTO_malloc_debug_init();
575 CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL);
576 } else {
577 /* OPENSSL_DEBUG_MEMORY=off */
578 CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0);
579 }
580 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON);
581
582 RAND_seed(rnd_seed, sizeof rnd_seed);
583
584 bio_stdout = BIO_new_fp(stdout, BIO_NOCLOSE | BIO_FP_TEXT);
585
586 argc--;
587 argv++;
588
589 while (argc >= 1) {
590 if (!strcmp(*argv, "-F")) {
591 #ifdef OPENSSL_FIPS
592 fips_mode = 1;
593 #else
594 fprintf(stderr,
595 "not compiled with FIPS support, so exitting without running.\n");
596 EXIT(0);
597 #endif
598 } else if (strcmp(*argv, "-server_auth") == 0)
599 server_auth = 1;
600 else if (strcmp(*argv, "-client_auth") == 0)
601 client_auth = 1;
602 else if (strcmp(*argv, "-proxy_auth") == 0) {
603 if (--argc < 1)
604 goto bad;
605 app_verify_arg.proxy_auth = *(++argv);
606 } else if (strcmp(*argv, "-proxy_cond") == 0) {
607 if (--argc < 1)
608 goto bad;
609 app_verify_arg.proxy_cond = *(++argv);
610 } else if (strcmp(*argv, "-v") == 0)
611 verbose = 1;
612 else if (strcmp(*argv, "-d") == 0)
613 debug = 1;
614 else if (strcmp(*argv, "-reuse") == 0)
615 reuse = 1;
616 else if (strcmp(*argv, "-dhe512") == 0) {
617 #ifndef OPENSSL_NO_DH
618 dhe512 = 1;
619 #else
620 fprintf(stderr,
621 "ignoring -dhe512, since I'm compiled without DH\n");
622 #endif
623 } else if (strcmp(*argv, "-dhe1024dsa") == 0) {
624 #ifndef OPENSSL_NO_DH
625 dhe1024dsa = 1;
626 #else
627 fprintf(stderr,
628 "ignoring -dhe1024dsa, since I'm compiled without DH\n");
629 #endif
630 } else if (strcmp(*argv, "-no_dhe") == 0)
631 no_dhe = 1;
632 else if (strcmp(*argv, "-no_ecdhe") == 0)
633 no_ecdhe = 1;
634 else if (strcmp(*argv, "-psk") == 0) {
635 if (--argc < 1)
636 goto bad;
637 psk_key = *(++argv);
638 #ifndef OPENSSL_NO_PSK
639 if (strspn(psk_key, "abcdefABCDEF1234567890") != strlen(psk_key)) {
640 BIO_printf(bio_err, "Not a hex number '%s'\n", *argv);
641 goto bad;
642 }
643 #else
644 no_psk = 1;
645 #endif
646 }
647 #ifndef OPENSSL_NO_SRP
648 else if (strcmp(*argv, "-srpuser") == 0) {
649 if (--argc < 1)
650 goto bad;
651 srp_server_arg.expected_user = srp_client_arg.srplogin =
652 *(++argv);
653 tls1 = 1;
654 } else if (strcmp(*argv, "-srppass") == 0) {
655 if (--argc < 1)
656 goto bad;
657 srp_server_arg.pass = srp_client_arg.srppassin = *(++argv);
658 tls1 = 1;
659 }
660 #endif
661 else if (strcmp(*argv, "-ssl2") == 0) {
662 #ifdef OPENSSL_NO_SSL2
663 no_protocol = 1;
664 #endif
665 ssl2 = 1;
666 } else if (strcmp(*argv, "-tls1") == 0) {
667 #ifdef OPENSSL_NO_TLS1
668 no_protocol = 1;
669 #endif
670 tls1 = 1;
671 } else if (strcmp(*argv, "-ssl3") == 0) {
672 #ifdef OPENSSL_NO_SSL3_METHOD
673 no_protocol = 1;
674 #endif
675 ssl3 = 1;
676 } else if (strncmp(*argv, "-num", 4) == 0) {
677 if (--argc < 1)
678 goto bad;
679 number = atoi(*(++argv));
680 if (number == 0)
681 number = 1;
682 } else if (strcmp(*argv, "-bytes") == 0) {
683 if (--argc < 1)
684 goto bad;
685 bytes = atol(*(++argv));
686 if (bytes == 0L)
687 bytes = 1L;
688 i = strlen(argv[0]);
689 if (argv[0][i - 1] == 'k')
690 bytes *= 1024L;
691 if (argv[0][i - 1] == 'm')
692 bytes *= 1024L * 1024L;
693 } else if (strcmp(*argv, "-cert") == 0) {
694 if (--argc < 1)
695 goto bad;
696 server_cert = *(++argv);
697 } else if (strcmp(*argv, "-s_cert") == 0) {
698 if (--argc < 1)
699 goto bad;
700 server_cert = *(++argv);
701 } else if (strcmp(*argv, "-key") == 0) {
702 if (--argc < 1)
703 goto bad;
704 server_key = *(++argv);
705 } else if (strcmp(*argv, "-s_key") == 0) {
706 if (--argc < 1)
707 goto bad;
708 server_key = *(++argv);
709 } else if (strcmp(*argv, "-c_cert") == 0) {
710 if (--argc < 1)
711 goto bad;
712 client_cert = *(++argv);
713 } else if (strcmp(*argv, "-c_key") == 0) {
714 if (--argc < 1)
715 goto bad;
716 client_key = *(++argv);
717 } else if (strcmp(*argv, "-cipher") == 0) {
718 if (--argc < 1)
719 goto bad;
720 cipher = *(++argv);
721 } else if (strcmp(*argv, "-CApath") == 0) {
722 if (--argc < 1)
723 goto bad;
724 CApath = *(++argv);
725 } else if (strcmp(*argv, "-CAfile") == 0) {
726 if (--argc < 1)
727 goto bad;
728 CAfile = *(++argv);
729 } else if (strcmp(*argv, "-bio_pair") == 0) {
730 bio_pair = 1;
731 } else if (strcmp(*argv, "-f") == 0) {
732 force = 1;
733 } else if (strcmp(*argv, "-time") == 0) {
734 print_time = 1;
735 } else if (strcmp(*argv, "-zlib") == 0) {
736 comp = COMP_ZLIB;
737 } else if (strcmp(*argv, "-rle") == 0) {
738 comp = COMP_RLE;
739 } else if (strcmp(*argv, "-named_curve") == 0) {
740 if (--argc < 1)
741 goto bad;
742 #ifndef OPENSSL_NO_ECDH
743 named_curve = *(++argv);
744 #else
745 fprintf(stderr,
746 "ignoring -named_curve, since I'm compiled without ECDH\n");
747 ++argv;
748 #endif
749 } else if (strcmp(*argv, "-app_verify") == 0) {
750 app_verify_arg.app_verify = 1;
751 } else if (strcmp(*argv, "-proxy") == 0) {
752 app_verify_arg.allow_proxy_certs = 1;
753 } else if (strcmp(*argv, "-test_cipherlist") == 0) {
754 test_cipherlist = 1;
755 } else {
756 fprintf(stderr, "unknown option %s\n", *argv);
757 badop = 1;
758 break;
759 }
760 argc--;
761 argv++;
762 }
763 if (badop) {
764 bad:
765 sv_usage();
766 goto end;
767 }
768
769 /*
770 * test_cipherlist prevails over protocol switch: we test the cipherlist
771 * for all enabled protocols.
772 */
773 if (test_cipherlist == 1) {
774 /*
775 * ensure that the cipher list are correctly sorted and exit
776 */
777 fprintf(stdout, "Testing cipherlist order only. Ignoring all "
778 "other options.\n");
779 if (do_test_cipherlist() == 0)
780 EXIT(1);
781 ret = 0;
782 goto end;
783 }
784
785 if (ssl2 + ssl3 + tls1 > 1) {
786 fprintf(stderr, "At most one of -ssl2, -ssl3, or -tls1 should "
787 "be requested.\n");
788 EXIT(1);
789 }
790
791 /*
792 * Testing was requested for a compiled-out protocol (e.g. SSLv2).
793 * Ideally, we would error out, but the generic test wrapper can't know
794 * when to expect failure. So we do nothing and return success.
795 */
796 if (no_protocol) {
797 fprintf(stderr, "Testing was requested for a disabled protocol. "
798 "Skipping tests.\n");
799 ret = 0;
800 goto end;
801 }
802
803 if (!ssl2 && !ssl3 && !tls1 && number > 1 && !reuse && !force) {
804 fprintf(stderr, "This case cannot work. Use -f to perform "
805 "the test anyway (and\n-d to see what happens), "
806 "or add one of -ssl2, -ssl3, -tls1, -reuse\n"
807 "to avoid protocol mismatch.\n");
808 EXIT(1);
809 }
810 #ifdef OPENSSL_FIPS
811 if (fips_mode) {
812 if (!FIPS_mode_set(1)) {
813 ERR_load_crypto_strings();
814 ERR_print_errors(BIO_new_fp(stderr, BIO_NOCLOSE));
815 EXIT(1);
816 } else
817 fprintf(stderr, "*** IN FIPS MODE ***\n");
818 }
819 #endif
820
821 if (print_time) {
822 if (!bio_pair) {
823 fprintf(stderr, "Using BIO pair (-bio_pair)\n");
824 bio_pair = 1;
825 }
826 if (number < 50 && !force)
827 fprintf(stderr,
828 "Warning: For accurate timings, use more connections (e.g. -num 1000)\n");
829 }
830
831 /* if (cipher == NULL) cipher=getenv("SSL_CIPHER"); */
832
833 SSL_library_init();
834 SSL_load_error_strings();
835
836 #ifndef OPENSSL_NO_COMP
837 if (comp == COMP_ZLIB)
838 cm = COMP_zlib();
839 if (comp == COMP_RLE)
840 cm = COMP_rle();
841 if (cm != NULL) {
842 if (cm->type != NID_undef) {
843 if (SSL_COMP_add_compression_method(comp, cm) != 0) {
844 fprintf(stderr, "Failed to add compression method\n");
845 ERR_print_errors_fp(stderr);
846 }
847 } else {
848 fprintf(stderr,
849 "Warning: %s compression not supported\n",
850 (comp == COMP_RLE ? "rle" :
851 (comp == COMP_ZLIB ? "zlib" : "unknown")));
852 ERR_print_errors_fp(stderr);
853 }
854 }
855 ssl_comp_methods = SSL_COMP_get_compression_methods();
856 fprintf(stderr, "Available compression methods:\n");
857 {
858 int j, n = sk_SSL_COMP_num(ssl_comp_methods);
859 if (n == 0)
860 fprintf(stderr, " NONE\n");
861 else
862 for (j = 0; j < n; j++) {
863 SSL_COMP *c = sk_SSL_COMP_value(ssl_comp_methods, j);
864 fprintf(stderr, " %d: %s\n", c->id, c->name);
865 }
866 }
867 #endif
868
869 /*
870 * At this point, ssl2/ssl3/tls1 is only set if the protocol is
871 * available. (Otherwise we exit early.) However the compiler doesn't
872 * know this, so we ifdef.
873 */
874 #ifndef OPENSSL_NO_SSL2
875 if (ssl2)
876 meth = SSLv2_method();
877 else
878 #endif
879 #ifndef OPENSSL_NO_SSL3
880 if (ssl3)
881 meth = SSLv3_method();
882 else
883 #endif
884 #ifndef OPENSSL_NO_TLS1
885 if (tls1)
886 meth = TLSv1_method();
887 else
888 #endif
889 meth = SSLv23_method();
890
891 c_ctx = SSL_CTX_new(meth);
892 s_ctx = SSL_CTX_new(meth);
893 if ((c_ctx == NULL) || (s_ctx == NULL)) {
894 ERR_print_errors(bio_err);
895 goto end;
896 }
897
898 if (cipher != NULL) {
899 SSL_CTX_set_cipher_list(c_ctx, cipher);
900 SSL_CTX_set_cipher_list(s_ctx, cipher);
901 }
902 #ifndef OPENSSL_NO_DH
903 if (!no_dhe) {
904 if (dhe1024dsa) {
905 /*
906 * use SSL_OP_SINGLE_DH_USE to avoid small subgroup attacks
907 */
908 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE);
909 dh = get_dh1024dsa();
910 } else if (dhe512)
911 dh = get_dh512();
912 else
913 dh = get_dh1024();
914 SSL_CTX_set_tmp_dh(s_ctx, dh);
915 DH_free(dh);
916 }
917 #else
918 (void)no_dhe;
919 #endif
920
921 #ifndef OPENSSL_NO_ECDH
922 if (!no_ecdhe) {
923 int nid;
924
925 if (named_curve != NULL) {
926 nid = OBJ_sn2nid(named_curve);
927 if (nid == 0) {
928 BIO_printf(bio_err, "unknown curve name (%s)\n", named_curve);
929 goto end;
930 }
931 } else
932 # ifdef OPENSSL_NO_EC2M
933 nid = NID_X9_62_prime256v1;
934 # else
935 nid = NID_sect163r2;
936 # endif
937
938 ecdh = EC_KEY_new_by_curve_name(nid);
939 if (ecdh == NULL) {
940 BIO_printf(bio_err, "unable to create curve\n");
941 goto end;
942 }
943
944 SSL_CTX_set_tmp_ecdh(s_ctx, ecdh);
945 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_ECDH_USE);
946 EC_KEY_free(ecdh);
947 }
948 #else
949 (void)no_ecdhe;
950 #endif
951
952 #ifndef OPENSSL_NO_RSA
953 SSL_CTX_set_tmp_rsa_callback(s_ctx, tmp_rsa_cb);
954 #endif
955
956 #ifdef TLSEXT_TYPE_opaque_prf_input
957 SSL_CTX_set_tlsext_opaque_prf_input_callback(c_ctx, opaque_prf_input_cb);
958 SSL_CTX_set_tlsext_opaque_prf_input_callback(s_ctx, opaque_prf_input_cb);
959 /* or &co2 or NULL */
960 SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(c_ctx, &co1);
961 /* or &so2 or NULL */
962 SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(s_ctx, &so1);
963 #endif
964
965 if (!SSL_CTX_use_certificate_file(s_ctx, server_cert, SSL_FILETYPE_PEM)) {
966 ERR_print_errors(bio_err);
967 } else if (!SSL_CTX_use_PrivateKey_file(s_ctx,
968 (server_key ? server_key :
969 server_cert),
970 SSL_FILETYPE_PEM)) {
971 ERR_print_errors(bio_err);
972 goto end;
973 }
974
975 if (client_auth) {
976 SSL_CTX_use_certificate_file(c_ctx, client_cert, SSL_FILETYPE_PEM);
977 SSL_CTX_use_PrivateKey_file(c_ctx,
978 (client_key ? client_key : client_cert),
979 SSL_FILETYPE_PEM);
980 }
981
982 if ((!SSL_CTX_load_verify_locations(s_ctx, CAfile, CApath)) ||
983 (!SSL_CTX_set_default_verify_paths(s_ctx)) ||
984 (!SSL_CTX_load_verify_locations(c_ctx, CAfile, CApath)) ||
985 (!SSL_CTX_set_default_verify_paths(c_ctx))) {
986 /* fprintf(stderr,"SSL_load_verify_locations\n"); */
987 ERR_print_errors(bio_err);
988 /* goto end; */
989 }
990
991 if (client_auth) {
992 BIO_printf(bio_err, "client authentication\n");
993 SSL_CTX_set_verify(s_ctx,
994 SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT,
995 verify_callback);
996 SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback,
997 &app_verify_arg);
998 }
999 if (server_auth) {
1000 BIO_printf(bio_err, "server authentication\n");
1001 SSL_CTX_set_verify(c_ctx, SSL_VERIFY_PEER, verify_callback);
1002 SSL_CTX_set_cert_verify_callback(c_ctx, app_verify_callback,
1003 &app_verify_arg);
1004 }
1005
1006 {
1007 int session_id_context = 0;
1008 SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context,
1009 sizeof session_id_context);
1010 }
1011
1012 /* Use PSK only if PSK key is given */
1013 if (psk_key != NULL) {
1014 /*
1015 * no_psk is used to avoid putting psk command to openssl tool
1016 */
1017 if (no_psk) {
1018 /*
1019 * if PSK is not compiled in and psk key is given, do nothing and
1020 * exit successfully
1021 */
1022 ret = 0;
1023 goto end;
1024 }
1025 #ifndef OPENSSL_NO_PSK
1026 SSL_CTX_set_psk_client_callback(c_ctx, psk_client_callback);
1027 SSL_CTX_set_psk_server_callback(s_ctx, psk_server_callback);
1028 if (debug)
1029 BIO_printf(bio_err, "setting PSK identity hint to s_ctx\n");
1030 if (!SSL_CTX_use_psk_identity_hint(s_ctx, "ctx server identity_hint")) {
1031 BIO_printf(bio_err, "error setting PSK identity hint to s_ctx\n");
1032 ERR_print_errors(bio_err);
1033 goto end;
1034 }
1035 #endif
1036 }
1037 #ifndef OPENSSL_NO_SRP
1038 if (srp_client_arg.srplogin) {
1039 if (!SSL_CTX_set_srp_username(c_ctx, srp_client_arg.srplogin)) {
1040 BIO_printf(bio_err, "Unable to set SRP username\n");
1041 goto end;
1042 }
1043 SSL_CTX_set_srp_cb_arg(c_ctx, &srp_client_arg);
1044 SSL_CTX_set_srp_client_pwd_callback(c_ctx,
1045 ssl_give_srp_client_pwd_cb);
1046 /*
1047 * SSL_CTX_set_srp_strength(c_ctx, srp_client_arg.strength);
1048 */
1049 }
1050
1051 if (srp_server_arg.expected_user != NULL) {
1052 SSL_CTX_set_verify(s_ctx, SSL_VERIFY_NONE, verify_callback);
1053 SSL_CTX_set_srp_cb_arg(s_ctx, &srp_server_arg);
1054 SSL_CTX_set_srp_username_callback(s_ctx, ssl_srp_server_param_cb);
1055 }
1056 #endif
1057
1058 c_ssl = SSL_new(c_ctx);
1059 s_ssl = SSL_new(s_ctx);
1060
1061 #ifndef OPENSSL_NO_KRB5
1062 if (c_ssl && c_ssl->kssl_ctx) {
1063 char localhost[MAXHOSTNAMELEN + 2];
1064
1065 if (gethostname(localhost, sizeof localhost - 1) == 0) {
1066 localhost[sizeof localhost - 1] = '\0';
1067 if (strlen(localhost) == sizeof localhost - 1) {
1068 BIO_printf(bio_err, "localhost name too long\n");
1069 goto end;
1070 }
1071 kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER, localhost);
1072 }
1073 }
1074 #endif /* OPENSSL_NO_KRB5 */
1075
1076 for (i = 0; i < number; i++) {
1077 if (!reuse)
1078 SSL_set_session(c_ssl, NULL);
1079 if (bio_pair)
1080 ret = doit_biopair(s_ssl, c_ssl, bytes, &s_time, &c_time);
1081 else
1082 ret = doit(s_ssl, c_ssl, bytes);
1083 }
1084
1085 if (!verbose) {
1086 print_details(c_ssl, "");
1087 }
1088 if ((number > 1) || (bytes > 1L))
1089 BIO_printf(bio_stdout, "%d handshakes of %ld bytes done\n", number,
1090 bytes);
1091 if (print_time) {
1092 #ifdef CLOCKS_PER_SEC
1093 /*
1094 * "To determine the time in seconds, the value returned by the clock
1095 * function should be divided by the value of the macro
1096 * CLOCKS_PER_SEC." -- ISO/IEC 9899
1097 */
1098 BIO_printf(bio_stdout, "Approximate total server time: %6.2f s\n"
1099 "Approximate total client time: %6.2f s\n",
1100 (double)s_time / CLOCKS_PER_SEC,
1101 (double)c_time / CLOCKS_PER_SEC);
1102 #else
1103 /*
1104 * "`CLOCKS_PER_SEC' undeclared (first use this function)" -- cc on
1105 * NeXTstep/OpenStep
1106 */
1107 BIO_printf(bio_stdout,
1108 "Approximate total server time: %6.2f units\n"
1109 "Approximate total client time: %6.2f units\n",
1110 (double)s_time, (double)c_time);
1111 #endif
1112 }
1113
1114 SSL_free(s_ssl);
1115 SSL_free(c_ssl);
1116
1117 end:
1118 if (s_ctx != NULL)
1119 SSL_CTX_free(s_ctx);
1120 if (c_ctx != NULL)
1121 SSL_CTX_free(c_ctx);
1122
1123 if (bio_stdout != NULL)
1124 BIO_free(bio_stdout);
1125
1126 #ifndef OPENSSL_NO_RSA
1127 free_tmp_rsa();
1128 #endif
1129 #ifndef OPENSSL_NO_ENGINE
1130 ENGINE_cleanup();
1131 #endif
1132 CRYPTO_cleanup_all_ex_data();
1133 ERR_free_strings();
1134 ERR_remove_thread_state(NULL);
1135 EVP_cleanup();
1136 CRYPTO_mem_leaks(bio_err);
1137 if (bio_err != NULL)
1138 BIO_free(bio_err);
1139 EXIT(ret);
1140 return ret;
1141 }
1142
1143 int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count,
1144 clock_t *s_time, clock_t *c_time)
1145 {
1146 long cw_num = count, cr_num = count, sw_num = count, sr_num = count;
1147 BIO *s_ssl_bio = NULL, *c_ssl_bio = NULL;
1148 BIO *server = NULL, *server_io = NULL, *client = NULL, *client_io = NULL;
1149 int ret = 1;
1150
1151 size_t bufsiz = 256; /* small buffer for testing */
1152
1153 if (!BIO_new_bio_pair(&server, bufsiz, &server_io, bufsiz))
1154 goto err;
1155 if (!BIO_new_bio_pair(&client, bufsiz, &client_io, bufsiz))
1156 goto err;
1157
1158 s_ssl_bio = BIO_new(BIO_f_ssl());
1159 if (!s_ssl_bio)
1160 goto err;
1161
1162 c_ssl_bio = BIO_new(BIO_f_ssl());
1163 if (!c_ssl_bio)
1164 goto err;
1165
1166 SSL_set_connect_state(c_ssl);
1167 SSL_set_bio(c_ssl, client, client);
1168 (void)BIO_set_ssl(c_ssl_bio, c_ssl, BIO_NOCLOSE);
1169
1170 SSL_set_accept_state(s_ssl);
1171 SSL_set_bio(s_ssl, server, server);
1172 (void)BIO_set_ssl(s_ssl_bio, s_ssl, BIO_NOCLOSE);
1173
1174 do {
1175 /*-
1176 * c_ssl_bio: SSL filter BIO
1177 *
1178 * client: pseudo-I/O for SSL library
1179 *
1180 * client_io: client's SSL communication; usually to be
1181 * relayed over some I/O facility, but in this
1182 * test program, we're the server, too:
1183 *
1184 * server_io: server's SSL communication
1185 *
1186 * server: pseudo-I/O for SSL library
1187 *
1188 * s_ssl_bio: SSL filter BIO
1189 *
1190 * The client and the server each employ a "BIO pair":
1191 * client + client_io, server + server_io.
1192 * BIO pairs are symmetric. A BIO pair behaves similar
1193 * to a non-blocking socketpair (but both endpoints must
1194 * be handled by the same thread).
1195 * [Here we could connect client and server to the ends
1196 * of a single BIO pair, but then this code would be less
1197 * suitable as an example for BIO pairs in general.]
1198 *
1199 * Useful functions for querying the state of BIO pair endpoints:
1200 *
1201 * BIO_ctrl_pending(bio) number of bytes we can read now
1202 * BIO_ctrl_get_read_request(bio) number of bytes needed to fulfil
1203 * other side's read attempt
1204 * BIO_ctrl_get_write_guarantee(bio) number of bytes we can write now
1205 *
1206 * ..._read_request is never more than ..._write_guarantee;
1207 * it depends on the application which one you should use.
1208 */
1209
1210 /*
1211 * We have non-blocking behaviour throughout this test program, but
1212 * can be sure that there is *some* progress in each iteration; so we
1213 * don't have to worry about ..._SHOULD_READ or ..._SHOULD_WRITE --
1214 * we just try everything in each iteration
1215 */
1216
1217 {
1218 /* CLIENT */
1219
1220 MS_STATIC char cbuf[1024 * 8];
1221 int i, r;
1222 clock_t c_clock = clock();
1223
1224 memset(cbuf, 0, sizeof(cbuf));
1225
1226 if (debug)
1227 if (SSL_in_init(c_ssl))
1228 printf("client waiting in SSL_connect - %s\n",
1229 SSL_state_string_long(c_ssl));
1230
1231 if (cw_num > 0) {
1232 /* Write to server. */
1233
1234 if (cw_num > (long)sizeof cbuf)
1235 i = sizeof cbuf;
1236 else
1237 i = (int)cw_num;
1238 r = BIO_write(c_ssl_bio, cbuf, i);
1239 if (r < 0) {
1240 if (!BIO_should_retry(c_ssl_bio)) {
1241 fprintf(stderr, "ERROR in CLIENT\n");
1242 goto err;
1243 }
1244 /*
1245 * BIO_should_retry(...) can just be ignored here. The
1246 * library expects us to call BIO_write with the same
1247 * arguments again, and that's what we will do in the
1248 * next iteration.
1249 */
1250 } else if (r == 0) {
1251 fprintf(stderr, "SSL CLIENT STARTUP FAILED\n");
1252 goto err;
1253 } else {
1254 if (debug)
1255 printf("client wrote %d\n", r);
1256 cw_num -= r;
1257 }
1258 }
1259
1260 if (cr_num > 0) {
1261 /* Read from server. */
1262
1263 r = BIO_read(c_ssl_bio, cbuf, sizeof(cbuf));
1264 if (r < 0) {
1265 if (!BIO_should_retry(c_ssl_bio)) {
1266 fprintf(stderr, "ERROR in CLIENT\n");
1267 goto err;
1268 }
1269 /*
1270 * Again, "BIO_should_retry" can be ignored.
1271 */
1272 } else if (r == 0) {
1273 fprintf(stderr, "SSL CLIENT STARTUP FAILED\n");
1274 goto err;
1275 } else {
1276 if (debug)
1277 printf("client read %d\n", r);
1278 cr_num -= r;
1279 }
1280 }
1281
1282 /*
1283 * c_time and s_time increments will typically be very small
1284 * (depending on machine speed and clock tick intervals), but
1285 * sampling over a large number of connections should result in
1286 * fairly accurate figures. We cannot guarantee a lot, however
1287 * -- if each connection lasts for exactly one clock tick, it
1288 * will be counted only for the client or only for the server or
1289 * even not at all.
1290 */
1291 *c_time += (clock() - c_clock);
1292 }
1293
1294 {
1295 /* SERVER */
1296
1297 MS_STATIC char sbuf[1024 * 8];
1298 int i, r;
1299 clock_t s_clock = clock();
1300
1301 memset(sbuf, 0, sizeof(sbuf));
1302
1303 if (debug)
1304 if (SSL_in_init(s_ssl))
1305 printf("server waiting in SSL_accept - %s\n",
1306 SSL_state_string_long(s_ssl));
1307
1308 if (sw_num > 0) {
1309 /* Write to client. */
1310
1311 if (sw_num > (long)sizeof sbuf)
1312 i = sizeof sbuf;
1313 else
1314 i = (int)sw_num;
1315 r = BIO_write(s_ssl_bio, sbuf, i);
1316 if (r < 0) {
1317 if (!BIO_should_retry(s_ssl_bio)) {
1318 fprintf(stderr, "ERROR in SERVER\n");
1319 goto err;
1320 }
1321 /* Ignore "BIO_should_retry". */
1322 } else if (r == 0) {
1323 fprintf(stderr, "SSL SERVER STARTUP FAILED\n");
1324 goto err;
1325 } else {
1326 if (debug)
1327 printf("server wrote %d\n", r);
1328 sw_num -= r;
1329 }
1330 }
1331
1332 if (sr_num > 0) {
1333 /* Read from client. */
1334
1335 r = BIO_read(s_ssl_bio, sbuf, sizeof(sbuf));
1336 if (r < 0) {
1337 if (!BIO_should_retry(s_ssl_bio)) {
1338 fprintf(stderr, "ERROR in SERVER\n");
1339 goto err;
1340 }
1341 /* blah, blah */
1342 } else if (r == 0) {
1343 fprintf(stderr, "SSL SERVER STARTUP FAILED\n");
1344 goto err;
1345 } else {
1346 if (debug)
1347 printf("server read %d\n", r);
1348 sr_num -= r;
1349 }
1350 }
1351
1352 *s_time += (clock() - s_clock);
1353 }
1354
1355 {
1356 /* "I/O" BETWEEN CLIENT AND SERVER. */
1357
1358 size_t r1, r2;
1359 BIO *io1 = server_io, *io2 = client_io;
1360 /*
1361 * we use the non-copying interface for io1 and the standard
1362 * BIO_write/BIO_read interface for io2
1363 */
1364
1365 static int prev_progress = 1;
1366 int progress = 0;
1367
1368 /* io1 to io2 */
1369 do {
1370 size_t num;
1371 int r;
1372
1373 r1 = BIO_ctrl_pending(io1);
1374 r2 = BIO_ctrl_get_write_guarantee(io2);
1375
1376 num = r1;
1377 if (r2 < num)
1378 num = r2;
1379 if (num) {
1380 char *dataptr;
1381
1382 if (INT_MAX < num) /* yeah, right */
1383 num = INT_MAX;
1384
1385 r = BIO_nread(io1, &dataptr, (int)num);
1386 assert(r > 0);
1387 assert(r <= (int)num);
1388 /*
1389 * possibly r < num (non-contiguous data)
1390 */
1391 num = r;
1392 r = BIO_write(io2, dataptr, (int)num);
1393 if (r != (int)num) { /* can't happen */
1394 fprintf(stderr, "ERROR: BIO_write could not write "
1395 "BIO_ctrl_get_write_guarantee() bytes");
1396 goto err;
1397 }
1398 progress = 1;
1399
1400 if (debug)
1401 printf((io1 == client_io) ?
1402 "C->S relaying: %d bytes\n" :
1403 "S->C relaying: %d bytes\n", (int)num);
1404 }
1405 }
1406 while (r1 && r2);
1407
1408 /* io2 to io1 */
1409 {
1410 size_t num;
1411 int r;
1412
1413 r1 = BIO_ctrl_pending(io2);
1414 r2 = BIO_ctrl_get_read_request(io1);
1415 /*
1416 * here we could use ..._get_write_guarantee instead of
1417 * ..._get_read_request, but by using the latter we test
1418 * restartability of the SSL implementation more thoroughly
1419 */
1420 num = r1;
1421 if (r2 < num)
1422 num = r2;
1423 if (num) {
1424 char *dataptr;
1425
1426 if (INT_MAX < num)
1427 num = INT_MAX;
1428
1429 if (num > 1)
1430 --num; /* test restartability even more thoroughly */
1431
1432 r = BIO_nwrite0(io1, &dataptr);
1433 assert(r > 0);
1434 if (r < (int)num)
1435 num = r;
1436 r = BIO_read(io2, dataptr, (int)num);
1437 if (r != (int)num) { /* can't happen */
1438 fprintf(stderr, "ERROR: BIO_read could not read "
1439 "BIO_ctrl_pending() bytes");
1440 goto err;
1441 }
1442 progress = 1;
1443 r = BIO_nwrite(io1, &dataptr, (int)num);
1444 if (r != (int)num) { /* can't happen */
1445 fprintf(stderr, "ERROR: BIO_nwrite() did not accept "
1446 "BIO_nwrite0() bytes");
1447 goto err;
1448 }
1449
1450 if (debug)
1451 printf((io2 == client_io) ?
1452 "C->S relaying: %d bytes\n" :
1453 "S->C relaying: %d bytes\n", (int)num);
1454 }
1455 } /* no loop, BIO_ctrl_get_read_request now
1456 * returns 0 anyway */
1457
1458 if (!progress && !prev_progress)
1459 if (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0) {
1460 fprintf(stderr, "ERROR: got stuck\n");
1461 if (strcmp("SSLv2", SSL_get_version(c_ssl)) == 0) {
1462 fprintf(stderr, "This can happen for SSL2 because "
1463 "CLIENT-FINISHED and SERVER-VERIFY are written \n"
1464 "concurrently ...");
1465 if (strncmp("2SCF", SSL_state_string(c_ssl), 4) == 0
1466 && strncmp("2SSV", SSL_state_string(s_ssl),
1467 4) == 0) {
1468 fprintf(stderr, " ok.\n");
1469 goto end;
1470 }
1471 }
1472 fprintf(stderr, " ERROR.\n");
1473 goto err;
1474 }
1475 prev_progress = progress;
1476 }
1477 }
1478 while (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0);
1479
1480 if (verbose)
1481 print_details(c_ssl, "DONE via BIO pair: ");
1482 end:
1483 ret = 0;
1484
1485 err:
1486 ERR_print_errors(bio_err);
1487
1488 if (server)
1489 BIO_free(server);
1490 if (server_io)
1491 BIO_free(server_io);
1492 if (client)
1493 BIO_free(client);
1494 if (client_io)
1495 BIO_free(client_io);
1496 if (s_ssl_bio)
1497 BIO_free(s_ssl_bio);
1498 if (c_ssl_bio)
1499 BIO_free(c_ssl_bio);
1500
1501 return ret;
1502 }
1503
1504 #define W_READ 1
1505 #define W_WRITE 2
1506 #define C_DONE 1
1507 #define S_DONE 2
1508
1509 int doit(SSL *s_ssl, SSL *c_ssl, long count)
1510 {
1511 MS_STATIC char cbuf[1024 * 8], sbuf[1024 * 8];
1512 long cw_num = count, cr_num = count;
1513 long sw_num = count, sr_num = count;
1514 int ret = 1;
1515 BIO *c_to_s = NULL;
1516 BIO *s_to_c = NULL;
1517 BIO *c_bio = NULL;
1518 BIO *s_bio = NULL;
1519 int c_r, c_w, s_r, s_w;
1520 int i, j;
1521 int done = 0;
1522 int c_write, s_write;
1523 int do_server = 0, do_client = 0;
1524
1525 memset(cbuf, 0, sizeof(cbuf));
1526 memset(sbuf, 0, sizeof(sbuf));
1527
1528 c_to_s = BIO_new(BIO_s_mem());
1529 s_to_c = BIO_new(BIO_s_mem());
1530 if ((s_to_c == NULL) || (c_to_s == NULL)) {
1531 ERR_print_errors(bio_err);
1532 goto err;
1533 }
1534
1535 c_bio = BIO_new(BIO_f_ssl());
1536 s_bio = BIO_new(BIO_f_ssl());
1537 if ((c_bio == NULL) || (s_bio == NULL)) {
1538 ERR_print_errors(bio_err);
1539 goto err;
1540 }
1541
1542 SSL_set_connect_state(c_ssl);
1543 SSL_set_bio(c_ssl, s_to_c, c_to_s);
1544 BIO_set_ssl(c_bio, c_ssl, BIO_NOCLOSE);
1545
1546 SSL_set_accept_state(s_ssl);
1547 SSL_set_bio(s_ssl, c_to_s, s_to_c);
1548 BIO_set_ssl(s_bio, s_ssl, BIO_NOCLOSE);
1549
1550 c_r = 0;
1551 s_r = 1;
1552 c_w = 1;
1553 s_w = 0;
1554 c_write = 1, s_write = 0;
1555
1556 /* We can always do writes */
1557 for (;;) {
1558 do_server = 0;
1559 do_client = 0;
1560
1561 i = (int)BIO_pending(s_bio);
1562 if ((i && s_r) || s_w)
1563 do_server = 1;
1564
1565 i = (int)BIO_pending(c_bio);
1566 if ((i && c_r) || c_w)
1567 do_client = 1;
1568
1569 if (do_server && debug) {
1570 if (SSL_in_init(s_ssl))
1571 printf("server waiting in SSL_accept - %s\n",
1572 SSL_state_string_long(s_ssl));
1573 /*-
1574 else if (s_write)
1575 printf("server:SSL_write()\n");
1576 else
1577 printf("server:SSL_read()\n"); */
1578 }
1579
1580 if (do_client && debug) {
1581 if (SSL_in_init(c_ssl))
1582 printf("client waiting in SSL_connect - %s\n",
1583 SSL_state_string_long(c_ssl));
1584 /*-
1585 else if (c_write)
1586 printf("client:SSL_write()\n");
1587 else
1588 printf("client:SSL_read()\n"); */
1589 }
1590
1591 if (!do_client && !do_server) {
1592 fprintf(stdout, "ERROR IN STARTUP\n");
1593 ERR_print_errors(bio_err);
1594 goto err;
1595 }
1596 if (do_client && !(done & C_DONE)) {
1597 if (c_write) {
1598 j = (cw_num > (long)sizeof(cbuf)) ?
1599 (int)sizeof(cbuf) : (int)cw_num;
1600 i = BIO_write(c_bio, cbuf, j);
1601 if (i < 0) {
1602 c_r = 0;
1603 c_w = 0;
1604 if (BIO_should_retry(c_bio)) {
1605 if (BIO_should_read(c_bio))
1606 c_r = 1;
1607 if (BIO_should_write(c_bio))
1608 c_w = 1;
1609 } else {
1610 fprintf(stderr, "ERROR in CLIENT\n");
1611 ERR_print_errors(bio_err);
1612 goto err;
1613 }
1614 } else if (i == 0) {
1615 fprintf(stderr, "SSL CLIENT STARTUP FAILED\n");
1616 goto err;
1617 } else {
1618 if (debug)
1619 printf("client wrote %d\n", i);
1620 /* ok */
1621 s_r = 1;
1622 c_write = 0;
1623 cw_num -= i;
1624 }
1625 } else {
1626 i = BIO_read(c_bio, cbuf, sizeof(cbuf));
1627 if (i < 0) {
1628 c_r = 0;
1629 c_w = 0;
1630 if (BIO_should_retry(c_bio)) {
1631 if (BIO_should_read(c_bio))
1632 c_r = 1;
1633 if (BIO_should_write(c_bio))
1634 c_w = 1;
1635 } else {
1636 fprintf(stderr, "ERROR in CLIENT\n");
1637 ERR_print_errors(bio_err);
1638 goto err;
1639 }
1640 } else if (i == 0) {
1641 fprintf(stderr, "SSL CLIENT STARTUP FAILED\n");
1642 goto err;
1643 } else {
1644 if (debug)
1645 printf("client read %d\n", i);
1646 cr_num -= i;
1647 if (sw_num > 0) {
1648 s_write = 1;
1649 s_w = 1;
1650 }
1651 if (cr_num <= 0) {
1652 s_write = 1;
1653 s_w = 1;
1654 done = S_DONE | C_DONE;
1655 }
1656 }
1657 }
1658 }
1659
1660 if (do_server && !(done & S_DONE)) {
1661 if (!s_write) {
1662 i = BIO_read(s_bio, sbuf, sizeof(cbuf));
1663 if (i < 0) {
1664 s_r = 0;
1665 s_w = 0;
1666 if (BIO_should_retry(s_bio)) {
1667 if (BIO_should_read(s_bio))
1668 s_r = 1;
1669 if (BIO_should_write(s_bio))
1670 s_w = 1;
1671 } else {
1672 fprintf(stderr, "ERROR in SERVER\n");
1673 ERR_print_errors(bio_err);
1674 goto err;
1675 }
1676 } else if (i == 0) {
1677 ERR_print_errors(bio_err);
1678 fprintf(stderr,
1679 "SSL SERVER STARTUP FAILED in SSL_read\n");
1680 goto err;
1681 } else {
1682 if (debug)
1683 printf("server read %d\n", i);
1684 sr_num -= i;
1685 if (cw_num > 0) {
1686 c_write = 1;
1687 c_w = 1;
1688 }
1689 if (sr_num <= 0) {
1690 s_write = 1;
1691 s_w = 1;
1692 c_write = 0;
1693 }
1694 }
1695 } else {
1696 j = (sw_num > (long)sizeof(sbuf)) ?
1697 (int)sizeof(sbuf) : (int)sw_num;
1698 i = BIO_write(s_bio, sbuf, j);
1699 if (i < 0) {
1700 s_r = 0;
1701 s_w = 0;
1702 if (BIO_should_retry(s_bio)) {
1703 if (BIO_should_read(s_bio))
1704 s_r = 1;
1705 if (BIO_should_write(s_bio))
1706 s_w = 1;
1707 } else {
1708 fprintf(stderr, "ERROR in SERVER\n");
1709 ERR_print_errors(bio_err);
1710 goto err;
1711 }
1712 } else if (i == 0) {
1713 ERR_print_errors(bio_err);
1714 fprintf(stderr,
1715 "SSL SERVER STARTUP FAILED in SSL_write\n");
1716 goto err;
1717 } else {
1718 if (debug)
1719 printf("server wrote %d\n", i);
1720 sw_num -= i;
1721 s_write = 0;
1722 c_r = 1;
1723 if (sw_num <= 0)
1724 done |= S_DONE;
1725 }
1726 }
1727 }
1728
1729 if ((done & S_DONE) && (done & C_DONE))
1730 break;
1731 }
1732
1733 if (verbose)
1734 print_details(c_ssl, "DONE: ");
1735 ret = 0;
1736 err:
1737 /*
1738 * We have to set the BIO's to NULL otherwise they will be
1739 * OPENSSL_free()ed twice. Once when th s_ssl is SSL_free()ed and again
1740 * when c_ssl is SSL_free()ed. This is a hack required because s_ssl and
1741 * c_ssl are sharing the same BIO structure and SSL_set_bio() and
1742 * SSL_free() automatically BIO_free non NULL entries. You should not
1743 * normally do this or be required to do this
1744 */
1745 if (s_ssl != NULL) {
1746 s_ssl->rbio = NULL;
1747 s_ssl->wbio = NULL;
1748 }
1749 if (c_ssl != NULL) {
1750 c_ssl->rbio = NULL;
1751 c_ssl->wbio = NULL;
1752 }
1753
1754 if (c_to_s != NULL)
1755 BIO_free(c_to_s);
1756 if (s_to_c != NULL)
1757 BIO_free(s_to_c);
1758 if (c_bio != NULL)
1759 BIO_free_all(c_bio);
1760 if (s_bio != NULL)
1761 BIO_free_all(s_bio);
1762 return (ret);
1763 }
1764
1765 static int get_proxy_auth_ex_data_idx(void)
1766 {
1767 static volatile int idx = -1;
1768 if (idx < 0) {
1769 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX);
1770 if (idx < 0) {
1771 idx = X509_STORE_CTX_get_ex_new_index(0,
1772 "SSLtest for verify callback",
1773 NULL, NULL, NULL);
1774 }
1775 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX);
1776 }
1777 return idx;
1778 }
1779
1780 static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx)
1781 {
1782 char *s, buf[256];
1783
1784 s = X509_NAME_oneline(X509_get_subject_name(ctx->current_cert), buf,
1785 sizeof buf);
1786 if (s != NULL) {
1787 if (ok)
1788 fprintf(stderr, "depth=%d %s\n", ctx->error_depth, buf);
1789 else {
1790 fprintf(stderr, "depth=%d error=%d %s\n",
1791 ctx->error_depth, ctx->error, buf);
1792 }
1793 }
1794
1795 if (ok == 0) {
1796 fprintf(stderr, "Error string: %s\n",
1797 X509_verify_cert_error_string(ctx->error));
1798 switch (ctx->error) {
1799 case X509_V_ERR_CERT_NOT_YET_VALID:
1800 case X509_V_ERR_CERT_HAS_EXPIRED:
1801 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT:
1802 fprintf(stderr, " ... ignored.\n");
1803 ok = 1;
1804 }
1805 }
1806
1807 if (ok == 1) {
1808 X509 *xs = ctx->current_cert;
1809 #if 0
1810 X509 *xi = ctx->current_issuer;
1811 #endif
1812
1813 if (xs->ex_flags & EXFLAG_PROXY) {
1814 unsigned int *letters = X509_STORE_CTX_get_ex_data(ctx,
1815 get_proxy_auth_ex_data_idx
1816 ());
1817
1818 if (letters) {
1819 int found_any = 0;
1820 int i;
1821 PROXY_CERT_INFO_EXTENSION *pci =
1822 X509_get_ext_d2i(xs, NID_proxyCertInfo,
1823 NULL, NULL);
1824
1825 switch (OBJ_obj2nid(pci->proxyPolicy->policyLanguage)) {
1826 case NID_Independent:
1827 /*
1828 * Completely meaningless in this program, as there's no
1829 * way to grant explicit rights to a specific PrC.
1830 * Basically, using id-ppl-Independent is the perfect way
1831 * to grant no rights at all.
1832 */
1833 fprintf(stderr, " Independent proxy certificate");
1834 for (i = 0; i < 26; i++)
1835 letters[i] = 0;
1836 break;
1837 case NID_id_ppl_inheritAll:
1838 /*
1839 * This is basically a NOP, we simply let the current
1840 * rights stand as they are.
1841 */
1842 fprintf(stderr, " Proxy certificate inherits all");
1843 break;
1844 default:
1845 s = (char *)
1846 pci->proxyPolicy->policy->data;
1847 i = pci->proxyPolicy->policy->length;
1848
1849 /*
1850 * The algorithm works as follows: it is assumed that
1851 * previous iterations or the initial granted rights has
1852 * already set some elements of `letters'. What we need
1853 * to do is to clear those that weren't granted by the
1854 * current PrC as well. The easiest way to do this is to
1855 * add 1 to all the elements whose letters are given with
1856 * the current policy. That way, all elements that are
1857 * set by the current policy and were already set by
1858 * earlier policies and through the original grant of
1859 * rights will get the value 2 or higher. The last thing
1860 * to do is to sweep through `letters' and keep the
1861 * elements having the value 2 as set, and clear all the
1862 * others.
1863 */
1864
1865 fprintf(stderr, " Certificate proxy rights = %*.*s", i,
1866 i, s);
1867 while (i-- > 0) {
1868 int c = *s++;
1869 if (isascii(c) && isalpha(c)) {
1870 if (islower(c))
1871 c = toupper(c);
1872 letters[c - 'A']++;
1873 }
1874 }
1875 for (i = 0; i < 26; i++)
1876 if (letters[i] < 2)
1877 letters[i] = 0;
1878 else
1879 letters[i] = 1;
1880 }
1881
1882 found_any = 0;
1883 fprintf(stderr, ", resulting proxy rights = ");
1884 for (i = 0; i < 26; i++)
1885 if (letters[i]) {
1886 fprintf(stderr, "%c", i + 'A');
1887 found_any = 1;
1888 }
1889 if (!found_any)
1890 fprintf(stderr, "none");
1891 fprintf(stderr, "\n");
1892
1893 PROXY_CERT_INFO_EXTENSION_free(pci);
1894 }
1895 }
1896 }
1897
1898 return (ok);
1899 }
1900
1901 static void process_proxy_debug(int indent, const char *format, ...)
1902 {
1903 /* That's 80 > */
1904 static const char indentation[] =
1905 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"
1906 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>";
1907 char my_format[256];
1908 va_list args;
1909
1910 BIO_snprintf(my_format, sizeof(my_format), "%*.*s %s",
1911 indent, indent, indentation, format);
1912
1913 va_start(args, format);
1914 vfprintf(stderr, my_format, args);
1915 va_end(args);
1916 }
1917
1918 /*-
1919 * Priority levels:
1920 * 0 [!]var, ()
1921 * 1 & ^
1922 * 2 |
1923 */
1924 static int process_proxy_cond_adders(unsigned int letters[26],
1925 const char *cond, const char **cond_end,
1926 int *pos, int indent);
1927 static int process_proxy_cond_val(unsigned int letters[26], const char *cond,
1928 const char **cond_end, int *pos, int indent)
1929 {
1930 int c;
1931 int ok = 1;
1932 int negate = 0;
1933
1934 while (isspace((int)*cond)) {
1935 cond++;
1936 (*pos)++;
1937 }
1938 c = *cond;
1939
1940 if (debug)
1941 process_proxy_debug(indent,
1942 "Start process_proxy_cond_val at position %d: %s\n",
1943 *pos, cond);
1944
1945 while (c == '!') {
1946 negate = !negate;
1947 cond++;
1948 (*pos)++;
1949 while (isspace((int)*cond)) {
1950 cond++;
1951 (*pos)++;
1952 }
1953 c = *cond;
1954 }
1955
1956 if (c == '(') {
1957 cond++;
1958 (*pos)++;
1959 ok = process_proxy_cond_adders(letters, cond, cond_end, pos,
1960 indent + 1);
1961 cond = *cond_end;
1962 if (ok < 0)
1963 goto end;
1964 while (isspace((int)*cond)) {
1965 cond++;
1966 (*pos)++;
1967 }
1968 c = *cond;
1969 if (c != ')') {
1970 fprintf(stderr,
1971 "Weird condition character in position %d: "
1972 "%c\n", *pos, c);
1973 ok = -1;
1974 goto end;
1975 }
1976 cond++;
1977 (*pos)++;
1978 } else if (isascii(c) && isalpha(c)) {
1979 if (islower(c))
1980 c = toupper(c);
1981 ok = letters[c - 'A'];
1982 cond++;
1983 (*pos)++;
1984 } else {
1985 fprintf(stderr,
1986 "Weird condition character in position %d: " "%c\n", *pos, c);
1987 ok = -1;
1988 goto end;
1989 }
1990 end:
1991 *cond_end = cond;
1992 if (ok >= 0 && negate)
1993 ok = !ok;
1994
1995 if (debug)
1996 process_proxy_debug(indent,
1997 "End process_proxy_cond_val at position %d: %s, returning %d\n",
1998 *pos, cond, ok);
1999
2000 return ok;
2001 }
2002
2003 static int process_proxy_cond_multipliers(unsigned int letters[26],
2004 const char *cond,
2005 const char **cond_end, int *pos,
2006 int indent)
2007 {
2008 int ok;
2009 char c;
2010
2011 if (debug)
2012 process_proxy_debug(indent,
2013 "Start process_proxy_cond_multipliers at position %d: %s\n",
2014 *pos, cond);
2015
2016 ok = process_proxy_cond_val(letters, cond, cond_end, pos, indent + 1);
2017 cond = *cond_end;
2018 if (ok < 0)
2019 goto end;
2020
2021 while (ok >= 0) {
2022 while (isspace((int)*cond)) {
2023 cond++;
2024 (*pos)++;
2025 }
2026 c = *cond;
2027
2028 switch (c) {
2029 case '&':
2030 case '^':
2031 {
2032 int save_ok = ok;
2033
2034 cond++;
2035 (*pos)++;
2036 ok = process_proxy_cond_val(letters,
2037 cond, cond_end, pos, indent + 1);
2038 cond = *cond_end;
2039 if (ok < 0)
2040 break;
2041
2042 switch (c) {
2043 case '&':
2044 ok &= save_ok;
2045 break;
2046 case '^':
2047 ok ^= save_ok;
2048 break;
2049 default:
2050 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
2051 " STOPPING\n");
2052 EXIT(1);
2053 }
2054 }
2055 break;
2056 default:
2057 goto end;
2058 }
2059 }
2060 end:
2061 if (debug)
2062 process_proxy_debug(indent,
2063 "End process_proxy_cond_multipliers at position %d: %s, returning %d\n",
2064 *pos, cond, ok);
2065
2066 *cond_end = cond;
2067 return ok;
2068 }
2069
2070 static int process_proxy_cond_adders(unsigned int letters[26],
2071 const char *cond, const char **cond_end,
2072 int *pos, int indent)
2073 {
2074 int ok;
2075 char c;
2076
2077 if (debug)
2078 process_proxy_debug(indent,
2079 "Start process_proxy_cond_adders at position %d: %s\n",
2080 *pos, cond);
2081
2082 ok = process_proxy_cond_multipliers(letters, cond, cond_end, pos,
2083 indent + 1);
2084 cond = *cond_end;
2085 if (ok < 0)
2086 goto end;
2087
2088 while (ok >= 0) {
2089 while (isspace((int)*cond)) {
2090 cond++;
2091 (*pos)++;
2092 }
2093 c = *cond;
2094
2095 switch (c) {
2096 case '|':
2097 {
2098 int save_ok = ok;
2099
2100 cond++;
2101 (*pos)++;
2102 ok = process_proxy_cond_multipliers(letters,
2103 cond, cond_end, pos,
2104 indent + 1);
2105 cond = *cond_end;
2106 if (ok < 0)
2107 break;
2108
2109 switch (c) {
2110 case '|':
2111 ok |= save_ok;
2112 break;
2113 default:
2114 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!"
2115 " STOPPING\n");
2116 EXIT(1);
2117 }
2118 }
2119 break;
2120 default:
2121 goto end;
2122 }
2123 }
2124 end:
2125 if (debug)
2126 process_proxy_debug(indent,
2127 "End process_proxy_cond_adders at position %d: %s, returning %d\n",
2128 *pos, cond, ok);
2129
2130 *cond_end = cond;
2131 return ok;
2132 }
2133
2134 static int process_proxy_cond(unsigned int letters[26],
2135 const char *cond, const char **cond_end)
2136 {
2137 int pos = 1;
2138 return process_proxy_cond_adders(letters, cond, cond_end, &pos, 1);
2139 }
2140
2141 static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg)
2142 {
2143 int ok = 1;
2144 struct app_verify_arg *cb_arg = arg;
2145 unsigned int letters[26]; /* only used with proxy_auth */
2146
2147 if (cb_arg->app_verify) {
2148 char *s = NULL, buf[256];
2149
2150 fprintf(stderr, "In app_verify_callback, allowing cert. ");
2151 fprintf(stderr, "Arg is: %s\n", cb_arg->string);
2152 fprintf(stderr,
2153 "Finished printing do we have a context? 0x%p a cert? 0x%p\n",
2154 (void *)ctx, (void *)ctx->cert);
2155 if (ctx->cert)
2156 s = X509_NAME_oneline(X509_get_subject_name(ctx->cert), buf, 256);
2157 if (s != NULL) {
2158 fprintf(stderr, "cert depth=%d %s\n", ctx->error_depth, buf);
2159 }
2160 return (1);
2161 }
2162 if (cb_arg->proxy_auth) {
2163 int found_any = 0, i;
2164 char *sp;
2165
2166 for (i = 0; i < 26; i++)
2167 letters[i] = 0;
2168 for (sp = cb_arg->proxy_auth; *sp; sp++) {
2169 int c = *sp;
2170 if (isascii(c) && isalpha(c)) {
2171 if (islower(c))
2172 c = toupper(c);
2173 letters[c - 'A'] = 1;
2174 }
2175 }
2176
2177 fprintf(stderr, " Initial proxy rights = ");
2178 for (i = 0; i < 26; i++)
2179 if (letters[i]) {
2180 fprintf(stderr, "%c", i + 'A');
2181 found_any = 1;
2182 }
2183 if (!found_any)
2184 fprintf(stderr, "none");
2185 fprintf(stderr, "\n");
2186
2187 X509_STORE_CTX_set_ex_data(ctx,
2188 get_proxy_auth_ex_data_idx(), letters);
2189 }
2190 if (cb_arg->allow_proxy_certs) {
2191 X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS);
2192 }
2193 #ifndef OPENSSL_NO_X509_VERIFY
2194 ok = X509_verify_cert(ctx);
2195 #endif
2196
2197 if (cb_arg->proxy_auth) {
2198 if (ok > 0) {
2199 const char *cond_end = NULL;
2200
2201 ok = process_proxy_cond(letters, cb_arg->proxy_cond, &cond_end);
2202
2203 if (ok < 0)
2204 EXIT(3);
2205 if (*cond_end) {
2206 fprintf(stderr,
2207 "Stopped processing condition before it's end.\n");
2208 ok = 0;
2209 }
2210 if (!ok)
2211 fprintf(stderr,
2212 "Proxy rights check with condition '%s' proved invalid\n",
2213 cb_arg->proxy_cond);
2214 else
2215 fprintf(stderr,
2216 "Proxy rights check with condition '%s' proved valid\n",
2217 cb_arg->proxy_cond);
2218 }
2219 }
2220 return (ok);
2221 }
2222
2223 #ifndef OPENSSL_NO_RSA
2224 static RSA *rsa_tmp = NULL;
2225
2226 static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength)
2227 {
2228 BIGNUM *bn = NULL;
2229 if (rsa_tmp == NULL) {
2230 bn = BN_new();
2231 rsa_tmp = RSA_new();
2232 if (!bn || !rsa_tmp || !BN_set_word(bn, RSA_F4)) {
2233 BIO_printf(bio_err, "Memory error...");
2234 goto end;
2235 }
2236 BIO_printf(bio_err, "Generating temp (%d bit) RSA key...", keylength);
2237 (void)BIO_flush(bio_err);
2238 if (!RSA_generate_key_ex(rsa_tmp, keylength, bn, NULL)) {
2239 BIO_printf(bio_err, "Error generating key.");
2240 RSA_free(rsa_tmp);
2241 rsa_tmp = NULL;
2242 }
2243 end:
2244 BIO_printf(bio_err, "\n");
2245 (void)BIO_flush(bio_err);
2246 }
2247 if (bn)
2248 BN_free(bn);
2249 return (rsa_tmp);
2250 }
2251
2252 static void free_tmp_rsa(void)
2253 {
2254 if (rsa_tmp != NULL) {
2255 RSA_free(rsa_tmp);
2256 rsa_tmp = NULL;
2257 }
2258 }
2259 #endif
2260
2261 #ifndef OPENSSL_NO_DH
2262 /*-
2263 * These DH parameters have been generated as follows:
2264 * $ openssl dhparam -C -noout 512
2265 * $ openssl dhparam -C -noout 1024
2266 * $ openssl dhparam -C -noout -dsaparam 1024
2267 * (The third function has been renamed to avoid name conflicts.)
2268 */
2269 static DH *get_dh512()
2270 {
2271 static unsigned char dh512_p[] = {
2272 0xCB, 0xC8, 0xE1, 0x86, 0xD0, 0x1F, 0x94, 0x17, 0xA6, 0x99, 0xF0,
2273 0xC6,
2274 0x1F, 0x0D, 0xAC, 0xB6, 0x25, 0x3E, 0x06, 0x39, 0xCA, 0x72, 0x04,
2275 0xB0,
2276 0x6E, 0xDA, 0xC0, 0x61, 0xE6, 0x7A, 0x77, 0x25, 0xE8, 0x3B, 0xB9,
2277 0x5F,
2278 0x9A, 0xB6, 0xB5, 0xFE, 0x99, 0x0B, 0xA1, 0x93, 0x4E, 0x35, 0x33,
2279 0xB8,
2280 0xE1, 0xF1, 0x13, 0x4F, 0x59, 0x1A, 0xD2, 0x57, 0xC0, 0x26, 0x21,
2281 0x33,
2282 0x02, 0xC5, 0xAE, 0x23,
2283 };
2284 static unsigned char dh512_g[] = {
2285 0x02,
2286 };
2287 DH *dh;
2288
2289 if ((dh = DH_new()) == NULL)
2290 return (NULL);
2291 dh->p = BN_bin2bn(dh512_p, sizeof(dh512_p), NULL);
2292 dh->g = BN_bin2bn(dh512_g, sizeof(dh512_g), NULL);
2293 if ((dh->p == NULL) || (dh->g == NULL)) {
2294 DH_free(dh);
2295 return (NULL);
2296 }
2297 return (dh);
2298 }
2299
2300 static DH *get_dh1024()
2301 {
2302 static unsigned char dh1024_p[] = {
2303 0xF8, 0x81, 0x89, 0x7D, 0x14, 0x24, 0xC5, 0xD1, 0xE6, 0xF7, 0xBF,
2304 0x3A,
2305 0xE4, 0x90, 0xF4, 0xFC, 0x73, 0xFB, 0x34, 0xB5, 0xFA, 0x4C, 0x56,
2306 0xA2,
2307 0xEA, 0xA7, 0xE9, 0xC0, 0xC0, 0xCE, 0x89, 0xE1, 0xFA, 0x63, 0x3F,
2308 0xB0,
2309 0x6B, 0x32, 0x66, 0xF1, 0xD1, 0x7B, 0xB0, 0x00, 0x8F, 0xCA, 0x87,
2310 0xC2,
2311 0xAE, 0x98, 0x89, 0x26, 0x17, 0xC2, 0x05, 0xD2, 0xEC, 0x08, 0xD0,
2312 0x8C,
2313 0xFF, 0x17, 0x52, 0x8C, 0xC5, 0x07, 0x93, 0x03, 0xB1, 0xF6, 0x2F,
2314 0xB8,
2315 0x1C, 0x52, 0x47, 0x27, 0x1B, 0xDB, 0xD1, 0x8D, 0x9D, 0x69, 0x1D,
2316 0x52,
2317 0x4B, 0x32, 0x81, 0xAA, 0x7F, 0x00, 0xC8, 0xDC, 0xE6, 0xD9, 0xCC,
2318 0xC1,
2319 0x11, 0x2D, 0x37, 0x34, 0x6C, 0xEA, 0x02, 0x97, 0x4B, 0x0E, 0xBB,
2320 0xB1,
2321 0x71, 0x33, 0x09, 0x15, 0xFD, 0xDD, 0x23, 0x87, 0x07, 0x5E, 0x89,
2322 0xAB,
2323 0x6B, 0x7C, 0x5F, 0xEC, 0xA6, 0x24, 0xDC, 0x53,
2324 };
2325 static unsigned char dh1024_g[] = {
2326 0x02,
2327 };
2328 DH *dh;
2329
2330 if ((dh = DH_new()) == NULL)
2331 return (NULL);
2332 dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
2333 dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
2334 if ((dh->p == NULL) || (dh->g == NULL)) {
2335 DH_free(dh);
2336 return (NULL);
2337 }
2338 return (dh);
2339 }
2340
2341 static DH *get_dh1024dsa()
2342 {
2343 static unsigned char dh1024_p[] = {
2344 0xC8, 0x00, 0xF7, 0x08, 0x07, 0x89, 0x4D, 0x90, 0x53, 0xF3, 0xD5,
2345 0x00,
2346 0x21, 0x1B, 0xF7, 0x31, 0xA6, 0xA2, 0xDA, 0x23, 0x9A, 0xC7, 0x87,
2347 0x19,
2348 0x3B, 0x47, 0xB6, 0x8C, 0x04, 0x6F, 0xFF, 0xC6, 0x9B, 0xB8, 0x65,
2349 0xD2,
2350 0xC2, 0x5F, 0x31, 0x83, 0x4A, 0xA7, 0x5F, 0x2F, 0x88, 0x38, 0xB6,
2351 0x55,
2352 0xCF, 0xD9, 0x87, 0x6D, 0x6F, 0x9F, 0xDA, 0xAC, 0xA6, 0x48, 0xAF,
2353 0xFC,
2354 0x33, 0x84, 0x37, 0x5B, 0x82, 0x4A, 0x31, 0x5D, 0xE7, 0xBD, 0x52,
2355 0x97,
2356 0xA1, 0x77, 0xBF, 0x10, 0x9E, 0x37, 0xEA, 0x64, 0xFA, 0xCA, 0x28,
2357 0x8D,
2358 0x9D, 0x3B, 0xD2, 0x6E, 0x09, 0x5C, 0x68, 0xC7, 0x45, 0x90, 0xFD,
2359 0xBB,
2360 0x70, 0xC9, 0x3A, 0xBB, 0xDF, 0xD4, 0x21, 0x0F, 0xC4, 0x6A, 0x3C,
2361 0xF6,
2362 0x61, 0xCF, 0x3F, 0xD6, 0x13, 0xF1, 0x5F, 0xBC, 0xCF, 0xBC, 0x26,
2363 0x9E,
2364 0xBC, 0x0B, 0xBD, 0xAB, 0x5D, 0xC9, 0x54, 0x39,
2365 };
2366 static unsigned char dh1024_g[] = {
2367 0x3B, 0x40, 0x86, 0xE7, 0xF3, 0x6C, 0xDE, 0x67, 0x1C, 0xCC, 0x80,
2368 0x05,
2369 0x5A, 0xDF, 0xFE, 0xBD, 0x20, 0x27, 0x74, 0x6C, 0x24, 0xC9, 0x03,
2370 0xF3,
2371 0xE1, 0x8D, 0xC3, 0x7D, 0x98, 0x27, 0x40, 0x08, 0xB8, 0x8C, 0x6A,
2372 0xE9,
2373 0xBB, 0x1A, 0x3A, 0xD6, 0x86, 0x83, 0x5E, 0x72, 0x41, 0xCE, 0x85,
2374 0x3C,
2375 0xD2, 0xB3, 0xFC, 0x13, 0xCE, 0x37, 0x81, 0x9E, 0x4C, 0x1C, 0x7B,
2376 0x65,
2377 0xD3, 0xE6, 0xA6, 0x00, 0xF5, 0x5A, 0x95, 0x43, 0x5E, 0x81, 0xCF,
2378 0x60,
2379 0xA2, 0x23, 0xFC, 0x36, 0xA7, 0x5D, 0x7A, 0x4C, 0x06, 0x91, 0x6E,
2380 0xF6,
2381 0x57, 0xEE, 0x36, 0xCB, 0x06, 0xEA, 0xF5, 0x3D, 0x95, 0x49, 0xCB,
2382 0xA7,
2383 0xDD, 0x81, 0xDF, 0x80, 0x09, 0x4A, 0x97, 0x4D, 0xA8, 0x22, 0x72,
2384 0xA1,
2385 0x7F, 0xC4, 0x70, 0x56, 0x70, 0xE8, 0x20, 0x10, 0x18, 0x8F, 0x2E,
2386 0x60,
2387 0x07, 0xE7, 0x68, 0x1A, 0x82, 0x5D, 0x32, 0xA2,
2388 };
2389 DH *dh;
2390
2391 if ((dh = DH_new()) == NULL)
2392 return (NULL);
2393 dh->p = BN_bin2bn(dh1024_p, sizeof(dh1024_p), NULL);
2394 dh->g = BN_bin2bn(dh1024_g, sizeof(dh1024_g), NULL);
2395 if ((dh->p == NULL) || (dh->g == NULL)) {
2396 DH_free(dh);
2397 return (NULL);
2398 }
2399 dh->length = 160;
2400 return (dh);
2401 }
2402 #endif
2403
2404 #ifndef OPENSSL_NO_PSK
2405 /* convert the PSK key (psk_key) in ascii to binary (psk) */
2406 static int psk_key2bn(const char *pskkey, unsigned char *psk,
2407 unsigned int max_psk_len)
2408 {
2409 int ret;
2410 BIGNUM *bn = NULL;
2411
2412 ret = BN_hex2bn(&bn, pskkey);
2413 if (!ret) {
2414 BIO_printf(bio_err, "Could not convert PSK key '%s' to BIGNUM\n",
2415 pskkey);
2416 if (bn)
2417 BN_free(bn);
2418 return 0;
2419 }
2420 if (BN_num_bytes(bn) > (int)max_psk_len) {
2421 BIO_printf(bio_err,
2422 "psk buffer of callback is too small (%d) for key (%d)\n",
2423 max_psk_len, BN_num_bytes(bn));
2424 BN_free(bn);
2425 return 0;
2426 }
2427 ret = BN_bn2bin(bn, psk);
2428 BN_free(bn);
2429 return ret;
2430 }
2431
2432 static unsigned int psk_client_callback(SSL *ssl, const char *hint,
2433 char *identity,
2434 unsigned int max_identity_len,
2435 unsigned char *psk,
2436 unsigned int max_psk_len)
2437 {
2438 int ret;
2439 unsigned int psk_len = 0;
2440
2441 ret = BIO_snprintf(identity, max_identity_len, "Client_identity");
2442 if (ret < 0)
2443 goto out_err;
2444 if (debug)
2445 fprintf(stderr, "client: created identity '%s' len=%d\n", identity,
2446 ret);
2447 ret = psk_key2bn(psk_key, psk, max_psk_len);
2448 if (ret < 0)
2449 goto out_err;
2450 psk_len = ret;
2451 out_err:
2452 return psk_len;
2453 }
2454
2455 static unsigned int psk_server_callback(SSL *ssl, const char *identity,
2456 unsigned char *psk,
2457 unsigned int max_psk_len)
2458 {
2459 unsigned int psk_len = 0;
2460
2461 if (strcmp(identity, "Client_identity") != 0) {
2462 BIO_printf(bio_err, "server: PSK error: client identity not found\n");
2463 return 0;
2464 }
2465 psk_len = psk_key2bn(psk_key, psk, max_psk_len);
2466 return psk_len;
2467 }
2468 #endif
2469
2470 static int do_test_cipherlist(void)
2471 {
2472 int i = 0;
2473 const SSL_METHOD *meth;
2474 const SSL_CIPHER *ci, *tci = NULL;
2475
2476 #ifndef OPENSSL_NO_SSL2
2477 fprintf(stderr, "testing SSLv2 cipher list order: ");
2478 meth = SSLv2_method();
2479 while ((ci = meth->get_cipher(i++)) != NULL) {
2480 if (tci != NULL)
2481 if (ci->id >= tci->id) {
2482 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2483 return 0;
2484 }
2485 tci = ci;
2486 }
2487 fprintf(stderr, "ok\n");
2488 #endif
2489 #ifndef OPENSSL_NO_SSL3
2490 fprintf(stderr, "testing SSLv3 cipher list order: ");
2491 meth = SSLv3_method();
2492 tci = NULL;
2493 while ((ci = meth->get_cipher(i++)) != NULL) {
2494 if (tci != NULL)
2495 if (ci->id >= tci->id) {
2496 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2497 return 0;
2498 }
2499 tci = ci;
2500 }
2501 fprintf(stderr, "ok\n");
2502 #endif
2503 #ifndef OPENSSL_NO_TLS1
2504 fprintf(stderr, "testing TLSv1 cipher list order: ");
2505 meth = TLSv1_method();
2506 tci = NULL;
2507 while ((ci = meth->get_cipher(i++)) != NULL) {
2508 if (tci != NULL)
2509 if (ci->id >= tci->id) {
2510 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id);
2511 return 0;
2512 }
2513 tci = ci;
2514 }
2515 fprintf(stderr, "ok\n");
2516 #endif
2517
2518 return 1;
2519 }
MINIX 3 (repo.or.cz mirror)