ssltest.c revision 264331
1/* ssl/ssltest.c */ 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58/* ==================================================================== 59 * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111/* ==================================================================== 112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 113 * ECC cipher suite support in OpenSSL originally developed by 114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. 115 */ 116/* ==================================================================== 117 * Copyright 2005 Nokia. All rights reserved. 118 * 119 * The portions of the attached software ("Contribution") is developed by 120 * Nokia Corporation and is licensed pursuant to the OpenSSL open source 121 * license. 122 * 123 * The Contribution, originally written by Mika Kousa and Pasi Eronen of 124 * Nokia Corporation, consists of the "PSK" (Pre-Shared Key) ciphersuites 125 * support (see RFC 4279) to OpenSSL. 126 * 127 * No patent licenses or other rights except those expressly stated in 128 * the OpenSSL open source license shall be deemed granted or received 129 * expressly, by implication, estoppel, or otherwise. 130 * 131 * No assurances are provided by Nokia that the Contribution does not 132 * infringe the patent or other intellectual property rights of any third 133 * party or that the license provides you with all the necessary rights 134 * to make use of the Contribution. 135 * 136 * THE SOFTWARE IS PROVIDED "AS IS" WITHOUT WARRANTY OF ANY KIND. IN 137 * ADDITION TO THE DISCLAIMERS INCLUDED IN THE LICENSE, NOKIA 138 * SPECIFICALLY DISCLAIMS ANY LIABILITY FOR CLAIMS BROUGHT BY YOU OR ANY 139 * OTHER ENTITY BASED ON INFRINGEMENT OF INTELLECTUAL PROPERTY RIGHTS OR 140 * OTHERWISE. 141 */ 142 143#define _BSD_SOURCE 1 /* Or gethostname won't be declared properly 144 on Linux and GNU platforms. */ 145 146#include <assert.h> 147#include <errno.h> 148#include <limits.h> 149#include <stdio.h> 150#include <stdlib.h> 151#include <string.h> 152#include <time.h> 153 154#define USE_SOCKETS 155#include "e_os.h" 156 157#ifdef OPENSSL_SYS_VMS 158#define _XOPEN_SOURCE 500 /* Or isascii won't be declared properly on 159 VMS (at least with DECompHP C). */ 160#endif 161 162#include <ctype.h> 163 164#include <openssl/bio.h> 165#include <openssl/crypto.h> 166#include <openssl/evp.h> 167#include <openssl/x509.h> 168#include <openssl/x509v3.h> 169#include <openssl/ssl.h> 170#ifndef OPENSSL_NO_ENGINE 171#include <openssl/engine.h> 172#endif 173#include <openssl/err.h> 174#include <openssl/rand.h> 175#ifndef OPENSSL_NO_RSA 176#include <openssl/rsa.h> 177#endif 178#ifndef OPENSSL_NO_DSA 179#include <openssl/dsa.h> 180#endif 181#ifndef OPENSSL_NO_DH 182#include <openssl/dh.h> 183#endif 184#ifndef OPENSSL_NO_SRP 185#include <openssl/srp.h> 186#endif 187#include <openssl/bn.h> 188 189#define _XOPEN_SOURCE_EXTENDED 1 /* Or gethostname won't be declared properly 190 on Compaq platforms (at least with DEC C). 191 Do not try to put it earlier, or IPv6 includes 192 get screwed... 193 */ 194 195#ifdef OPENSSL_SYS_WINDOWS 196#include <winsock.h> 197#else 198#include OPENSSL_UNISTD 199#endif 200 201#ifdef OPENSSL_SYS_VMS 202# define TEST_SERVER_CERT "SYS$DISK:[-.APPS]SERVER.PEM" 203# define TEST_CLIENT_CERT "SYS$DISK:[-.APPS]CLIENT.PEM" 204#elif defined(OPENSSL_SYS_WINCE) 205# define TEST_SERVER_CERT "\\OpenSSL\\server.pem" 206# define TEST_CLIENT_CERT "\\OpenSSL\\client.pem" 207#elif defined(OPENSSL_SYS_NETWARE) 208# define TEST_SERVER_CERT "\\openssl\\apps\\server.pem" 209# define TEST_CLIENT_CERT "\\openssl\\apps\\client.pem" 210#else 211# define TEST_SERVER_CERT "../apps/server.pem" 212# define TEST_CLIENT_CERT "../apps/client.pem" 213#endif 214 215/* There is really no standard for this, so let's assign some tentative 216 numbers. In any case, these numbers are only for this test */ 217#define COMP_RLE 255 218#define COMP_ZLIB 1 219 220static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx); 221#ifndef OPENSSL_NO_RSA 222static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export,int keylength); 223static void free_tmp_rsa(void); 224#endif 225static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg); 226#define APP_CALLBACK_STRING "Test Callback Argument" 227struct app_verify_arg 228 { 229 char *string; 230 int app_verify; 231 int allow_proxy_certs; 232 char *proxy_auth; 233 char *proxy_cond; 234 }; 235 236#ifndef OPENSSL_NO_DH 237static DH *get_dh512(void); 238static DH *get_dh1024(void); 239static DH *get_dh1024dsa(void); 240#endif 241 242 243static char *psk_key=NULL; /* by default PSK is not used */ 244#ifndef OPENSSL_NO_PSK 245static unsigned int psk_client_callback(SSL *ssl, const char *hint, char *identity, 246 unsigned int max_identity_len, unsigned char *psk, 247 unsigned int max_psk_len); 248static unsigned int psk_server_callback(SSL *ssl, const char *identity, unsigned char *psk, 249 unsigned int max_psk_len); 250#endif 251 252#ifndef OPENSSL_NO_SRP 253/* SRP client */ 254/* This is a context that we pass to all callbacks */ 255typedef struct srp_client_arg_st 256 { 257 char *srppassin; 258 char *srplogin; 259 } SRP_CLIENT_ARG; 260 261#define PWD_STRLEN 1024 262 263static char * MS_CALLBACK ssl_give_srp_client_pwd_cb(SSL *s, void *arg) 264 { 265 SRP_CLIENT_ARG *srp_client_arg = (SRP_CLIENT_ARG *)arg; 266 return BUF_strdup((char *)srp_client_arg->srppassin); 267 } 268 269/* SRP server */ 270/* This is a context that we pass to SRP server callbacks */ 271typedef struct srp_server_arg_st 272 { 273 char *expected_user; 274 char *pass; 275 } SRP_SERVER_ARG; 276 277static int MS_CALLBACK ssl_srp_server_param_cb(SSL *s, int *ad, void *arg) 278 { 279 SRP_SERVER_ARG * p = (SRP_SERVER_ARG *) arg; 280 281 if (strcmp(p->expected_user, SSL_get_srp_username(s)) != 0) 282 { 283 fprintf(stderr, "User %s doesn't exist\n", SSL_get_srp_username(s)); 284 return SSL3_AL_FATAL; 285 } 286 if (SSL_set_srp_server_param_pw(s,p->expected_user,p->pass,"1024")<0) 287 { 288 *ad = SSL_AD_INTERNAL_ERROR; 289 return SSL3_AL_FATAL; 290 } 291 return SSL_ERROR_NONE; 292 } 293#endif 294 295static BIO *bio_err=NULL; 296static BIO *bio_stdout=NULL; 297 298static char *cipher=NULL; 299static int verbose=0; 300static int debug=0; 301#if 0 302/* Not used yet. */ 303#ifdef FIONBIO 304static int s_nbio=0; 305#endif 306#endif 307 308static const char rnd_seed[] = "string to make the random number generator think it has entropy"; 309 310int doit_biopair(SSL *s_ssl,SSL *c_ssl,long bytes,clock_t *s_time,clock_t *c_time); 311int doit(SSL *s_ssl,SSL *c_ssl,long bytes); 312static int do_test_cipherlist(void); 313static void sv_usage(void) 314 { 315 fprintf(stderr,"usage: ssltest [args ...]\n"); 316 fprintf(stderr,"\n"); 317#ifdef OPENSSL_FIPS 318 fprintf(stderr,"-F - run test in FIPS mode\n"); 319#endif 320 fprintf(stderr," -server_auth - check server certificate\n"); 321 fprintf(stderr," -client_auth - do client authentication\n"); 322 fprintf(stderr," -proxy - allow proxy certificates\n"); 323 fprintf(stderr," -proxy_auth <val> - set proxy policy rights\n"); 324 fprintf(stderr," -proxy_cond <val> - experssion to test proxy policy rights\n"); 325 fprintf(stderr," -v - more output\n"); 326 fprintf(stderr," -d - debug output\n"); 327 fprintf(stderr," -reuse - use session-id reuse\n"); 328 fprintf(stderr," -num <val> - number of connections to perform\n"); 329 fprintf(stderr," -bytes <val> - number of bytes to swap between client/server\n"); 330#ifndef OPENSSL_NO_DH 331 fprintf(stderr," -dhe1024 - use 1024 bit key (safe prime) for DHE\n"); 332 fprintf(stderr," -dhe1024dsa - use 1024 bit key (with 160-bit subprime) for DHE\n"); 333 fprintf(stderr," -no_dhe - disable DHE\n"); 334#endif 335#ifndef OPENSSL_NO_ECDH 336 fprintf(stderr," -no_ecdhe - disable ECDHE\n"); 337#endif 338#ifndef OPENSSL_NO_PSK 339 fprintf(stderr," -psk arg - PSK in hex (without 0x)\n"); 340#endif 341#ifndef OPENSSL_NO_SRP 342 fprintf(stderr," -srpuser user - SRP username to use\n"); 343 fprintf(stderr," -srppass arg - password for 'user'\n"); 344#endif 345#ifndef OPENSSL_NO_SSL2 346 fprintf(stderr," -ssl2 - use SSLv2\n"); 347#endif 348#ifndef OPENSSL_NO_SSL3 349 fprintf(stderr," -ssl3 - use SSLv3\n"); 350#endif 351#ifndef OPENSSL_NO_TLS1 352 fprintf(stderr," -tls1 - use TLSv1\n"); 353#endif 354 fprintf(stderr," -CApath arg - PEM format directory of CA's\n"); 355 fprintf(stderr," -CAfile arg - PEM format file of CA's\n"); 356 fprintf(stderr," -cert arg - Server certificate file\n"); 357 fprintf(stderr," -key arg - Server key file (default: same as -cert)\n"); 358 fprintf(stderr," -c_cert arg - Client certificate file\n"); 359 fprintf(stderr," -c_key arg - Client key file (default: same as -c_cert)\n"); 360 fprintf(stderr," -cipher arg - The cipher list\n"); 361 fprintf(stderr," -bio_pair - Use BIO pairs\n"); 362 fprintf(stderr," -f - Test even cases that can't work\n"); 363 fprintf(stderr," -time - measure processor time used by client and server\n"); 364 fprintf(stderr," -zlib - use zlib compression\n"); 365 fprintf(stderr," -rle - use rle compression\n"); 366#ifndef OPENSSL_NO_ECDH 367 fprintf(stderr," -named_curve arg - Elliptic curve name to use for ephemeral ECDH keys.\n" \ 368 " Use \"openssl ecparam -list_curves\" for all names\n" \ 369 " (default is sect163r2).\n"); 370#endif 371 fprintf(stderr," -test_cipherlist - verifies the order of the ssl cipher lists\n"); 372 } 373 374static void print_details(SSL *c_ssl, const char *prefix) 375 { 376 const SSL_CIPHER *ciph; 377 X509 *cert; 378 379 ciph=SSL_get_current_cipher(c_ssl); 380 BIO_printf(bio_stdout,"%s%s, cipher %s %s", 381 prefix, 382 SSL_get_version(c_ssl), 383 SSL_CIPHER_get_version(ciph), 384 SSL_CIPHER_get_name(ciph)); 385 cert=SSL_get_peer_certificate(c_ssl); 386 if (cert != NULL) 387 { 388 EVP_PKEY *pkey = X509_get_pubkey(cert); 389 if (pkey != NULL) 390 { 391 if (0) 392 ; 393#ifndef OPENSSL_NO_RSA 394 else if (pkey->type == EVP_PKEY_RSA && pkey->pkey.rsa != NULL 395 && pkey->pkey.rsa->n != NULL) 396 { 397 BIO_printf(bio_stdout, ", %d bit RSA", 398 BN_num_bits(pkey->pkey.rsa->n)); 399 } 400#endif 401#ifndef OPENSSL_NO_DSA 402 else if (pkey->type == EVP_PKEY_DSA && pkey->pkey.dsa != NULL 403 && pkey->pkey.dsa->p != NULL) 404 { 405 BIO_printf(bio_stdout, ", %d bit DSA", 406 BN_num_bits(pkey->pkey.dsa->p)); 407 } 408#endif 409 EVP_PKEY_free(pkey); 410 } 411 X509_free(cert); 412 } 413 /* The SSL API does not allow us to look at temporary RSA/DH keys, 414 * otherwise we should print their lengths too */ 415 BIO_printf(bio_stdout,"\n"); 416 } 417 418static void lock_dbg_cb(int mode, int type, const char *file, int line) 419 { 420 static int modes[CRYPTO_NUM_LOCKS]; /* = {0, 0, ... } */ 421 const char *errstr = NULL; 422 int rw; 423 424 rw = mode & (CRYPTO_READ|CRYPTO_WRITE); 425 if (!((rw == CRYPTO_READ) || (rw == CRYPTO_WRITE))) 426 { 427 errstr = "invalid mode"; 428 goto err; 429 } 430 431 if (type < 0 || type >= CRYPTO_NUM_LOCKS) 432 { 433 errstr = "type out of bounds"; 434 goto err; 435 } 436 437 if (mode & CRYPTO_LOCK) 438 { 439 if (modes[type]) 440 { 441 errstr = "already locked"; 442 /* must not happen in a single-threaded program 443 * (would deadlock) */ 444 goto err; 445 } 446 447 modes[type] = rw; 448 } 449 else if (mode & CRYPTO_UNLOCK) 450 { 451 if (!modes[type]) 452 { 453 errstr = "not locked"; 454 goto err; 455 } 456 457 if (modes[type] != rw) 458 { 459 errstr = (rw == CRYPTO_READ) ? 460 "CRYPTO_r_unlock on write lock" : 461 "CRYPTO_w_unlock on read lock"; 462 } 463 464 modes[type] = 0; 465 } 466 else 467 { 468 errstr = "invalid mode"; 469 goto err; 470 } 471 472 err: 473 if (errstr) 474 { 475 /* we cannot use bio_err here */ 476 fprintf(stderr, "openssl (lock_dbg_cb): %s (mode=%d, type=%d) at %s:%d\n", 477 errstr, mode, type, file, line); 478 } 479 } 480 481#ifdef TLSEXT_TYPE_opaque_prf_input 482struct cb_info_st { void *input; size_t len; int ret; }; 483struct cb_info_st co1 = { "C", 1, 1 }; /* try to negotiate oqaque PRF input */ 484struct cb_info_st co2 = { "C", 1, 2 }; /* insist on oqaque PRF input */ 485struct cb_info_st so1 = { "S", 1, 1 }; /* try to negotiate oqaque PRF input */ 486struct cb_info_st so2 = { "S", 1, 2 }; /* insist on oqaque PRF input */ 487 488int opaque_prf_input_cb(SSL *ssl, void *peerinput, size_t len, void *arg_) 489 { 490 struct cb_info_st *arg = arg_; 491 492 if (arg == NULL) 493 return 1; 494 495 if (!SSL_set_tlsext_opaque_prf_input(ssl, arg->input, arg->len)) 496 return 0; 497 return arg->ret; 498 } 499#endif 500 501int main(int argc, char *argv[]) 502 { 503 char *CApath=NULL,*CAfile=NULL; 504 int badop=0; 505 int bio_pair=0; 506 int force=0; 507 int tls1=0,ssl2=0,ssl3=0,ret=1; 508 int client_auth=0; 509 int server_auth=0,i; 510 struct app_verify_arg app_verify_arg = 511 { APP_CALLBACK_STRING, 0, 0, NULL, NULL }; 512 char *server_cert=TEST_SERVER_CERT; 513 char *server_key=NULL; 514 char *client_cert=TEST_CLIENT_CERT; 515 char *client_key=NULL; 516#ifndef OPENSSL_NO_ECDH 517 char *named_curve = NULL; 518#endif 519 SSL_CTX *s_ctx=NULL; 520 SSL_CTX *c_ctx=NULL; 521 const SSL_METHOD *meth=NULL; 522 SSL *c_ssl,*s_ssl; 523 int number=1,reuse=0; 524 long bytes=256L; 525#ifndef OPENSSL_NO_DH 526 DH *dh; 527 int dhe1024 = 0, dhe1024dsa = 0; 528#endif 529#ifndef OPENSSL_NO_ECDH 530 EC_KEY *ecdh = NULL; 531#endif 532#ifndef OPENSSL_NO_SRP 533 /* client */ 534 SRP_CLIENT_ARG srp_client_arg = {NULL,NULL}; 535 /* server */ 536 SRP_SERVER_ARG srp_server_arg = {NULL,NULL}; 537#endif 538 int no_dhe = 0; 539 int no_ecdhe = 0; 540 int no_psk = 0; 541 int print_time = 0; 542 clock_t s_time = 0, c_time = 0; 543 int comp = 0; 544#ifndef OPENSSL_NO_COMP 545 COMP_METHOD *cm = NULL; 546 STACK_OF(SSL_COMP) *ssl_comp_methods = NULL; 547#endif 548 int test_cipherlist = 0; 549#ifdef OPENSSL_FIPS 550 int fips_mode=0; 551#endif 552 553 verbose = 0; 554 debug = 0; 555 cipher = 0; 556 557 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE|BIO_FP_TEXT); 558 559 CRYPTO_set_locking_callback(lock_dbg_cb); 560 561 /* enable memory leak checking unless explicitly disabled */ 562 if (!((getenv("OPENSSL_DEBUG_MEMORY") != NULL) && (0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off")))) 563 { 564 CRYPTO_malloc_debug_init(); 565 CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL); 566 } 567 else 568 { 569 /* OPENSSL_DEBUG_MEMORY=off */ 570 CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0); 571 } 572 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); 573 574 RAND_seed(rnd_seed, sizeof rnd_seed); 575 576 bio_stdout=BIO_new_fp(stdout,BIO_NOCLOSE|BIO_FP_TEXT); 577 578 argc--; 579 argv++; 580 581 while (argc >= 1) 582 { 583 if(!strcmp(*argv,"-F")) 584 { 585#ifdef OPENSSL_FIPS 586 fips_mode=1; 587#else 588 fprintf(stderr,"not compiled with FIPS support, so exitting without running.\n"); 589 EXIT(0); 590#endif 591 } 592 else if (strcmp(*argv,"-server_auth") == 0) 593 server_auth=1; 594 else if (strcmp(*argv,"-client_auth") == 0) 595 client_auth=1; 596 else if (strcmp(*argv,"-proxy_auth") == 0) 597 { 598 if (--argc < 1) goto bad; 599 app_verify_arg.proxy_auth= *(++argv); 600 } 601 else if (strcmp(*argv,"-proxy_cond") == 0) 602 { 603 if (--argc < 1) goto bad; 604 app_verify_arg.proxy_cond= *(++argv); 605 } 606 else if (strcmp(*argv,"-v") == 0) 607 verbose=1; 608 else if (strcmp(*argv,"-d") == 0) 609 debug=1; 610 else if (strcmp(*argv,"-reuse") == 0) 611 reuse=1; 612 else if (strcmp(*argv,"-dhe1024") == 0) 613 { 614#ifndef OPENSSL_NO_DH 615 dhe1024=1; 616#else 617 fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n"); 618#endif 619 } 620 else if (strcmp(*argv,"-dhe1024dsa") == 0) 621 { 622#ifndef OPENSSL_NO_DH 623 dhe1024dsa=1; 624#else 625 fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n"); 626#endif 627 } 628 else if (strcmp(*argv,"-no_dhe") == 0) 629 no_dhe=1; 630 else if (strcmp(*argv,"-no_ecdhe") == 0) 631 no_ecdhe=1; 632 else if (strcmp(*argv,"-psk") == 0) 633 { 634 if (--argc < 1) goto bad; 635 psk_key=*(++argv); 636#ifndef OPENSSL_NO_PSK 637 if (strspn(psk_key, "abcdefABCDEF1234567890") != strlen(psk_key)) 638 { 639 BIO_printf(bio_err,"Not a hex number '%s'\n",*argv); 640 goto bad; 641 } 642#else 643 no_psk=1; 644#endif 645 } 646#ifndef OPENSSL_NO_SRP 647 else if (strcmp(*argv,"-srpuser") == 0) 648 { 649 if (--argc < 1) goto bad; 650 srp_server_arg.expected_user = srp_client_arg.srplogin= *(++argv); 651 tls1=1; 652 } 653 else if (strcmp(*argv,"-srppass") == 0) 654 { 655 if (--argc < 1) goto bad; 656 srp_server_arg.pass = srp_client_arg.srppassin= *(++argv); 657 tls1=1; 658 } 659#endif 660 else if (strcmp(*argv,"-ssl2") == 0) 661 ssl2=1; 662 else if (strcmp(*argv,"-tls1") == 0) 663 tls1=1; 664 else if (strcmp(*argv,"-ssl3") == 0) 665 ssl3=1; 666 else if (strncmp(*argv,"-num",4) == 0) 667 { 668 if (--argc < 1) goto bad; 669 number= atoi(*(++argv)); 670 if (number == 0) number=1; 671 } 672 else if (strcmp(*argv,"-bytes") == 0) 673 { 674 if (--argc < 1) goto bad; 675 bytes= atol(*(++argv)); 676 if (bytes == 0L) bytes=1L; 677 i=strlen(argv[0]); 678 if (argv[0][i-1] == 'k') bytes*=1024L; 679 if (argv[0][i-1] == 'm') bytes*=1024L*1024L; 680 } 681 else if (strcmp(*argv,"-cert") == 0) 682 { 683 if (--argc < 1) goto bad; 684 server_cert= *(++argv); 685 } 686 else if (strcmp(*argv,"-s_cert") == 0) 687 { 688 if (--argc < 1) goto bad; 689 server_cert= *(++argv); 690 } 691 else if (strcmp(*argv,"-key") == 0) 692 { 693 if (--argc < 1) goto bad; 694 server_key= *(++argv); 695 } 696 else if (strcmp(*argv,"-s_key") == 0) 697 { 698 if (--argc < 1) goto bad; 699 server_key= *(++argv); 700 } 701 else if (strcmp(*argv,"-c_cert") == 0) 702 { 703 if (--argc < 1) goto bad; 704 client_cert= *(++argv); 705 } 706 else if (strcmp(*argv,"-c_key") == 0) 707 { 708 if (--argc < 1) goto bad; 709 client_key= *(++argv); 710 } 711 else if (strcmp(*argv,"-cipher") == 0) 712 { 713 if (--argc < 1) goto bad; 714 cipher= *(++argv); 715 } 716 else if (strcmp(*argv,"-CApath") == 0) 717 { 718 if (--argc < 1) goto bad; 719 CApath= *(++argv); 720 } 721 else if (strcmp(*argv,"-CAfile") == 0) 722 { 723 if (--argc < 1) goto bad; 724 CAfile= *(++argv); 725 } 726 else if (strcmp(*argv,"-bio_pair") == 0) 727 { 728 bio_pair = 1; 729 } 730 else if (strcmp(*argv,"-f") == 0) 731 { 732 force = 1; 733 } 734 else if (strcmp(*argv,"-time") == 0) 735 { 736 print_time = 1; 737 } 738 else if (strcmp(*argv,"-zlib") == 0) 739 { 740 comp = COMP_ZLIB; 741 } 742 else if (strcmp(*argv,"-rle") == 0) 743 { 744 comp = COMP_RLE; 745 } 746 else if (strcmp(*argv,"-named_curve") == 0) 747 { 748 if (--argc < 1) goto bad; 749#ifndef OPENSSL_NO_ECDH 750 named_curve = *(++argv); 751#else 752 fprintf(stderr,"ignoring -named_curve, since I'm compiled without ECDH\n"); 753 ++argv; 754#endif 755 } 756 else if (strcmp(*argv,"-app_verify") == 0) 757 { 758 app_verify_arg.app_verify = 1; 759 } 760 else if (strcmp(*argv,"-proxy") == 0) 761 { 762 app_verify_arg.allow_proxy_certs = 1; 763 } 764 else if (strcmp(*argv,"-test_cipherlist") == 0) 765 { 766 test_cipherlist = 1; 767 } 768 else 769 { 770 fprintf(stderr,"unknown option %s\n",*argv); 771 badop=1; 772 break; 773 } 774 argc--; 775 argv++; 776 } 777 if (badop) 778 { 779bad: 780 sv_usage(); 781 goto end; 782 } 783 784 if (test_cipherlist == 1) 785 { 786 /* ensure that the cipher list are correctly sorted and exit */ 787 if (do_test_cipherlist() == 0) 788 EXIT(1); 789 ret = 0; 790 goto end; 791 } 792 793 if (!ssl2 && !ssl3 && !tls1 && number > 1 && !reuse && !force) 794 { 795 fprintf(stderr, "This case cannot work. Use -f to perform " 796 "the test anyway (and\n-d to see what happens), " 797 "or add one of -ssl2, -ssl3, -tls1, -reuse\n" 798 "to avoid protocol mismatch.\n"); 799 EXIT(1); 800 } 801 802#ifdef OPENSSL_FIPS 803 if(fips_mode) 804 { 805 if(!FIPS_mode_set(1)) 806 { 807 ERR_load_crypto_strings(); 808 ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE)); 809 EXIT(1); 810 } 811 else 812 fprintf(stderr,"*** IN FIPS MODE ***\n"); 813 } 814#endif 815 816 if (print_time) 817 { 818 if (!bio_pair) 819 { 820 fprintf(stderr, "Using BIO pair (-bio_pair)\n"); 821 bio_pair = 1; 822 } 823 if (number < 50 && !force) 824 fprintf(stderr, "Warning: For accurate timings, use more connections (e.g. -num 1000)\n"); 825 } 826 827/* if (cipher == NULL) cipher=getenv("SSL_CIPHER"); */ 828 829 SSL_library_init(); 830 SSL_load_error_strings(); 831 832#ifndef OPENSSL_NO_COMP 833 if (comp == COMP_ZLIB) cm = COMP_zlib(); 834 if (comp == COMP_RLE) cm = COMP_rle(); 835 if (cm != NULL) 836 { 837 if (cm->type != NID_undef) 838 { 839 if (SSL_COMP_add_compression_method(comp, cm) != 0) 840 { 841 fprintf(stderr, 842 "Failed to add compression method\n"); 843 ERR_print_errors_fp(stderr); 844 } 845 } 846 else 847 { 848 fprintf(stderr, 849 "Warning: %s compression not supported\n", 850 (comp == COMP_RLE ? "rle" : 851 (comp == COMP_ZLIB ? "zlib" : 852 "unknown"))); 853 ERR_print_errors_fp(stderr); 854 } 855 } 856 ssl_comp_methods = SSL_COMP_get_compression_methods(); 857 fprintf(stderr, "Available compression methods:\n"); 858 { 859 int j, n = sk_SSL_COMP_num(ssl_comp_methods); 860 if (n == 0) 861 fprintf(stderr, " NONE\n"); 862 else 863 for (j = 0; j < n; j++) 864 { 865 SSL_COMP *c = sk_SSL_COMP_value(ssl_comp_methods, j); 866 fprintf(stderr, " %d: %s\n", c->id, c->name); 867 } 868 } 869#endif 870 871#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3) 872 if (ssl2) 873 meth=SSLv2_method(); 874 else 875 if (tls1) 876 meth=TLSv1_method(); 877 else 878 if (ssl3) 879 meth=SSLv3_method(); 880 else 881 meth=SSLv23_method(); 882#else 883#ifdef OPENSSL_NO_SSL2 884 if (tls1) 885 meth=TLSv1_method(); 886 else 887 if (ssl3) 888 meth=SSLv3_method(); 889 else 890 meth=SSLv23_method(); 891#else 892 meth=SSLv2_method(); 893#endif 894#endif 895 896 c_ctx=SSL_CTX_new(meth); 897 s_ctx=SSL_CTX_new(meth); 898 if ((c_ctx == NULL) || (s_ctx == NULL)) 899 { 900 ERR_print_errors(bio_err); 901 goto end; 902 } 903 904 if (cipher != NULL) 905 { 906 SSL_CTX_set_cipher_list(c_ctx,cipher); 907 SSL_CTX_set_cipher_list(s_ctx,cipher); 908 } 909 910#ifndef OPENSSL_NO_DH 911 if (!no_dhe) 912 { 913 if (dhe1024dsa) 914 { 915 /* use SSL_OP_SINGLE_DH_USE to avoid small subgroup attacks */ 916 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE); 917 dh=get_dh1024dsa(); 918 } 919 else if (dhe1024) 920 dh=get_dh1024(); 921 else 922 dh=get_dh512(); 923 SSL_CTX_set_tmp_dh(s_ctx,dh); 924 DH_free(dh); 925 } 926#else 927 (void)no_dhe; 928#endif 929 930#ifndef OPENSSL_NO_ECDH 931 if (!no_ecdhe) 932 { 933 int nid; 934 935 if (named_curve != NULL) 936 { 937 nid = OBJ_sn2nid(named_curve); 938 if (nid == 0) 939 { 940 BIO_printf(bio_err, "unknown curve name (%s)\n", named_curve); 941 goto end; 942 } 943 } 944 else 945#ifdef OPENSSL_NO_EC2M 946 nid = NID_X9_62_prime256v1; 947#else 948 nid = NID_sect163r2; 949#endif 950 951 ecdh = EC_KEY_new_by_curve_name(nid); 952 if (ecdh == NULL) 953 { 954 BIO_printf(bio_err, "unable to create curve\n"); 955 goto end; 956 } 957 958 SSL_CTX_set_tmp_ecdh(s_ctx, ecdh); 959 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_ECDH_USE); 960 EC_KEY_free(ecdh); 961 } 962#else 963 (void)no_ecdhe; 964#endif 965 966#ifndef OPENSSL_NO_RSA 967 SSL_CTX_set_tmp_rsa_callback(s_ctx,tmp_rsa_cb); 968#endif 969 970#ifdef TLSEXT_TYPE_opaque_prf_input 971 SSL_CTX_set_tlsext_opaque_prf_input_callback(c_ctx, opaque_prf_input_cb); 972 SSL_CTX_set_tlsext_opaque_prf_input_callback(s_ctx, opaque_prf_input_cb); 973 SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(c_ctx, &co1); /* or &co2 or NULL */ 974 SSL_CTX_set_tlsext_opaque_prf_input_callback_arg(s_ctx, &so1); /* or &so2 or NULL */ 975#endif 976 977 if (!SSL_CTX_use_certificate_file(s_ctx,server_cert,SSL_FILETYPE_PEM)) 978 { 979 ERR_print_errors(bio_err); 980 } 981 else if (!SSL_CTX_use_PrivateKey_file(s_ctx, 982 (server_key?server_key:server_cert), SSL_FILETYPE_PEM)) 983 { 984 ERR_print_errors(bio_err); 985 goto end; 986 } 987 988 if (client_auth) 989 { 990 SSL_CTX_use_certificate_file(c_ctx,client_cert, 991 SSL_FILETYPE_PEM); 992 SSL_CTX_use_PrivateKey_file(c_ctx, 993 (client_key?client_key:client_cert), 994 SSL_FILETYPE_PEM); 995 } 996 997 if ( (!SSL_CTX_load_verify_locations(s_ctx,CAfile,CApath)) || 998 (!SSL_CTX_set_default_verify_paths(s_ctx)) || 999 (!SSL_CTX_load_verify_locations(c_ctx,CAfile,CApath)) || 1000 (!SSL_CTX_set_default_verify_paths(c_ctx))) 1001 { 1002 /* fprintf(stderr,"SSL_load_verify_locations\n"); */ 1003 ERR_print_errors(bio_err); 1004 /* goto end; */ 1005 } 1006 1007 if (client_auth) 1008 { 1009 BIO_printf(bio_err,"client authentication\n"); 1010 SSL_CTX_set_verify(s_ctx, 1011 SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 1012 verify_callback); 1013 SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, &app_verify_arg); 1014 } 1015 if (server_auth) 1016 { 1017 BIO_printf(bio_err,"server authentication\n"); 1018 SSL_CTX_set_verify(c_ctx,SSL_VERIFY_PEER, 1019 verify_callback); 1020 SSL_CTX_set_cert_verify_callback(c_ctx, app_verify_callback, &app_verify_arg); 1021 } 1022 1023 { 1024 int session_id_context = 0; 1025 SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context, sizeof session_id_context); 1026 } 1027 1028 /* Use PSK only if PSK key is given */ 1029 if (psk_key != NULL) 1030 { 1031 /* no_psk is used to avoid putting psk command to openssl tool */ 1032 if (no_psk) 1033 { 1034 /* if PSK is not compiled in and psk key is 1035 * given, do nothing and exit successfully */ 1036 ret=0; 1037 goto end; 1038 } 1039#ifndef OPENSSL_NO_PSK 1040 SSL_CTX_set_psk_client_callback(c_ctx, psk_client_callback); 1041 SSL_CTX_set_psk_server_callback(s_ctx, psk_server_callback); 1042 if (debug) 1043 BIO_printf(bio_err,"setting PSK identity hint to s_ctx\n"); 1044 if (!SSL_CTX_use_psk_identity_hint(s_ctx, "ctx server identity_hint")) 1045 { 1046 BIO_printf(bio_err,"error setting PSK identity hint to s_ctx\n"); 1047 ERR_print_errors(bio_err); 1048 goto end; 1049 } 1050#endif 1051 } 1052#ifndef OPENSSL_NO_SRP 1053 if (srp_client_arg.srplogin) 1054 { 1055 if (!SSL_CTX_set_srp_username(c_ctx, srp_client_arg.srplogin)) 1056 { 1057 BIO_printf(bio_err,"Unable to set SRP username\n"); 1058 goto end; 1059 } 1060 SSL_CTX_set_srp_cb_arg(c_ctx,&srp_client_arg); 1061 SSL_CTX_set_srp_client_pwd_callback(c_ctx, ssl_give_srp_client_pwd_cb); 1062 /*SSL_CTX_set_srp_strength(c_ctx, srp_client_arg.strength);*/ 1063 } 1064 1065 if (srp_server_arg.expected_user != NULL) 1066 { 1067 SSL_CTX_set_verify(s_ctx,SSL_VERIFY_NONE,verify_callback); 1068 SSL_CTX_set_srp_cb_arg(s_ctx, &srp_server_arg); 1069 SSL_CTX_set_srp_username_callback(s_ctx, ssl_srp_server_param_cb); 1070 } 1071#endif 1072 1073 c_ssl=SSL_new(c_ctx); 1074 s_ssl=SSL_new(s_ctx); 1075 1076#ifndef OPENSSL_NO_KRB5 1077 if (c_ssl && c_ssl->kssl_ctx) 1078 { 1079 char localhost[MAXHOSTNAMELEN+2]; 1080 1081 if (gethostname(localhost, sizeof localhost-1) == 0) 1082 { 1083 localhost[sizeof localhost-1]='\0'; 1084 if(strlen(localhost) == sizeof localhost-1) 1085 { 1086 BIO_printf(bio_err,"localhost name too long\n"); 1087 goto end; 1088 } 1089 kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER, 1090 localhost); 1091 } 1092 } 1093#endif /* OPENSSL_NO_KRB5 */ 1094 1095 for (i=0; i<number; i++) 1096 { 1097 if (!reuse) SSL_set_session(c_ssl,NULL); 1098 if (bio_pair) 1099 ret=doit_biopair(s_ssl,c_ssl,bytes,&s_time,&c_time); 1100 else 1101 ret=doit(s_ssl,c_ssl,bytes); 1102 } 1103 1104 if (!verbose) 1105 { 1106 print_details(c_ssl, ""); 1107 } 1108 if ((number > 1) || (bytes > 1L)) 1109 BIO_printf(bio_stdout, "%d handshakes of %ld bytes done\n",number,bytes); 1110 if (print_time) 1111 { 1112#ifdef CLOCKS_PER_SEC 1113 /* "To determine the time in seconds, the value returned 1114 * by the clock function should be divided by the value 1115 * of the macro CLOCKS_PER_SEC." 1116 * -- ISO/IEC 9899 */ 1117 BIO_printf(bio_stdout, "Approximate total server time: %6.2f s\n" 1118 "Approximate total client time: %6.2f s\n", 1119 (double)s_time/CLOCKS_PER_SEC, 1120 (double)c_time/CLOCKS_PER_SEC); 1121#else 1122 /* "`CLOCKS_PER_SEC' undeclared (first use this function)" 1123 * -- cc on NeXTstep/OpenStep */ 1124 BIO_printf(bio_stdout, 1125 "Approximate total server time: %6.2f units\n" 1126 "Approximate total client time: %6.2f units\n", 1127 (double)s_time, 1128 (double)c_time); 1129#endif 1130 } 1131 1132 SSL_free(s_ssl); 1133 SSL_free(c_ssl); 1134 1135end: 1136 if (s_ctx != NULL) SSL_CTX_free(s_ctx); 1137 if (c_ctx != NULL) SSL_CTX_free(c_ctx); 1138 1139 if (bio_stdout != NULL) BIO_free(bio_stdout); 1140 1141#ifndef OPENSSL_NO_RSA 1142 free_tmp_rsa(); 1143#endif 1144#ifndef OPENSSL_NO_ENGINE 1145 ENGINE_cleanup(); 1146#endif 1147 CRYPTO_cleanup_all_ex_data(); 1148 ERR_free_strings(); 1149 ERR_remove_thread_state(NULL); 1150 EVP_cleanup(); 1151 CRYPTO_mem_leaks(bio_err); 1152 if (bio_err != NULL) BIO_free(bio_err); 1153 EXIT(ret); 1154 return ret; 1155 } 1156 1157int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count, 1158 clock_t *s_time, clock_t *c_time) 1159 { 1160 long cw_num = count, cr_num = count, sw_num = count, sr_num = count; 1161 BIO *s_ssl_bio = NULL, *c_ssl_bio = NULL; 1162 BIO *server = NULL, *server_io = NULL, *client = NULL, *client_io = NULL; 1163 int ret = 1; 1164 1165 size_t bufsiz = 256; /* small buffer for testing */ 1166 1167 if (!BIO_new_bio_pair(&server, bufsiz, &server_io, bufsiz)) 1168 goto err; 1169 if (!BIO_new_bio_pair(&client, bufsiz, &client_io, bufsiz)) 1170 goto err; 1171 1172 s_ssl_bio = BIO_new(BIO_f_ssl()); 1173 if (!s_ssl_bio) 1174 goto err; 1175 1176 c_ssl_bio = BIO_new(BIO_f_ssl()); 1177 if (!c_ssl_bio) 1178 goto err; 1179 1180 SSL_set_connect_state(c_ssl); 1181 SSL_set_bio(c_ssl, client, client); 1182 (void)BIO_set_ssl(c_ssl_bio, c_ssl, BIO_NOCLOSE); 1183 1184 SSL_set_accept_state(s_ssl); 1185 SSL_set_bio(s_ssl, server, server); 1186 (void)BIO_set_ssl(s_ssl_bio, s_ssl, BIO_NOCLOSE); 1187 1188 do 1189 { 1190 /* c_ssl_bio: SSL filter BIO 1191 * 1192 * client: pseudo-I/O for SSL library 1193 * 1194 * client_io: client's SSL communication; usually to be 1195 * relayed over some I/O facility, but in this 1196 * test program, we're the server, too: 1197 * 1198 * server_io: server's SSL communication 1199 * 1200 * server: pseudo-I/O for SSL library 1201 * 1202 * s_ssl_bio: SSL filter BIO 1203 * 1204 * The client and the server each employ a "BIO pair": 1205 * client + client_io, server + server_io. 1206 * BIO pairs are symmetric. A BIO pair behaves similar 1207 * to a non-blocking socketpair (but both endpoints must 1208 * be handled by the same thread). 1209 * [Here we could connect client and server to the ends 1210 * of a single BIO pair, but then this code would be less 1211 * suitable as an example for BIO pairs in general.] 1212 * 1213 * Useful functions for querying the state of BIO pair endpoints: 1214 * 1215 * BIO_ctrl_pending(bio) number of bytes we can read now 1216 * BIO_ctrl_get_read_request(bio) number of bytes needed to fulfil 1217 * other side's read attempt 1218 * BIO_ctrl_get_write_guarantee(bio) number of bytes we can write now 1219 * 1220 * ..._read_request is never more than ..._write_guarantee; 1221 * it depends on the application which one you should use. 1222 */ 1223 1224 /* We have non-blocking behaviour throughout this test program, but 1225 * can be sure that there is *some* progress in each iteration; so 1226 * we don't have to worry about ..._SHOULD_READ or ..._SHOULD_WRITE 1227 * -- we just try everything in each iteration 1228 */ 1229 1230 { 1231 /* CLIENT */ 1232 1233 MS_STATIC char cbuf[1024*8]; 1234 int i, r; 1235 clock_t c_clock = clock(); 1236 1237 memset(cbuf, 0, sizeof(cbuf)); 1238 1239 if (debug) 1240 if (SSL_in_init(c_ssl)) 1241 printf("client waiting in SSL_connect - %s\n", 1242 SSL_state_string_long(c_ssl)); 1243 1244 if (cw_num > 0) 1245 { 1246 /* Write to server. */ 1247 1248 if (cw_num > (long)sizeof cbuf) 1249 i = sizeof cbuf; 1250 else 1251 i = (int)cw_num; 1252 r = BIO_write(c_ssl_bio, cbuf, i); 1253 if (r < 0) 1254 { 1255 if (!BIO_should_retry(c_ssl_bio)) 1256 { 1257 fprintf(stderr,"ERROR in CLIENT\n"); 1258 goto err; 1259 } 1260 /* BIO_should_retry(...) can just be ignored here. 1261 * The library expects us to call BIO_write with 1262 * the same arguments again, and that's what we will 1263 * do in the next iteration. */ 1264 } 1265 else if (r == 0) 1266 { 1267 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n"); 1268 goto err; 1269 } 1270 else 1271 { 1272 if (debug) 1273 printf("client wrote %d\n", r); 1274 cw_num -= r; 1275 } 1276 } 1277 1278 if (cr_num > 0) 1279 { 1280 /* Read from server. */ 1281 1282 r = BIO_read(c_ssl_bio, cbuf, sizeof(cbuf)); 1283 if (r < 0) 1284 { 1285 if (!BIO_should_retry(c_ssl_bio)) 1286 { 1287 fprintf(stderr,"ERROR in CLIENT\n"); 1288 goto err; 1289 } 1290 /* Again, "BIO_should_retry" can be ignored. */ 1291 } 1292 else if (r == 0) 1293 { 1294 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n"); 1295 goto err; 1296 } 1297 else 1298 { 1299 if (debug) 1300 printf("client read %d\n", r); 1301 cr_num -= r; 1302 } 1303 } 1304 1305 /* c_time and s_time increments will typically be very small 1306 * (depending on machine speed and clock tick intervals), 1307 * but sampling over a large number of connections should 1308 * result in fairly accurate figures. We cannot guarantee 1309 * a lot, however -- if each connection lasts for exactly 1310 * one clock tick, it will be counted only for the client 1311 * or only for the server or even not at all. 1312 */ 1313 *c_time += (clock() - c_clock); 1314 } 1315 1316 { 1317 /* SERVER */ 1318 1319 MS_STATIC char sbuf[1024*8]; 1320 int i, r; 1321 clock_t s_clock = clock(); 1322 1323 memset(sbuf, 0, sizeof(sbuf)); 1324 1325 if (debug) 1326 if (SSL_in_init(s_ssl)) 1327 printf("server waiting in SSL_accept - %s\n", 1328 SSL_state_string_long(s_ssl)); 1329 1330 if (sw_num > 0) 1331 { 1332 /* Write to client. */ 1333 1334 if (sw_num > (long)sizeof sbuf) 1335 i = sizeof sbuf; 1336 else 1337 i = (int)sw_num; 1338 r = BIO_write(s_ssl_bio, sbuf, i); 1339 if (r < 0) 1340 { 1341 if (!BIO_should_retry(s_ssl_bio)) 1342 { 1343 fprintf(stderr,"ERROR in SERVER\n"); 1344 goto err; 1345 } 1346 /* Ignore "BIO_should_retry". */ 1347 } 1348 else if (r == 0) 1349 { 1350 fprintf(stderr,"SSL SERVER STARTUP FAILED\n"); 1351 goto err; 1352 } 1353 else 1354 { 1355 if (debug) 1356 printf("server wrote %d\n", r); 1357 sw_num -= r; 1358 } 1359 } 1360 1361 if (sr_num > 0) 1362 { 1363 /* Read from client. */ 1364 1365 r = BIO_read(s_ssl_bio, sbuf, sizeof(sbuf)); 1366 if (r < 0) 1367 { 1368 if (!BIO_should_retry(s_ssl_bio)) 1369 { 1370 fprintf(stderr,"ERROR in SERVER\n"); 1371 goto err; 1372 } 1373 /* blah, blah */ 1374 } 1375 else if (r == 0) 1376 { 1377 fprintf(stderr,"SSL SERVER STARTUP FAILED\n"); 1378 goto err; 1379 } 1380 else 1381 { 1382 if (debug) 1383 printf("server read %d\n", r); 1384 sr_num -= r; 1385 } 1386 } 1387 1388 *s_time += (clock() - s_clock); 1389 } 1390 1391 { 1392 /* "I/O" BETWEEN CLIENT AND SERVER. */ 1393 1394 size_t r1, r2; 1395 BIO *io1 = server_io, *io2 = client_io; 1396 /* we use the non-copying interface for io1 1397 * and the standard BIO_write/BIO_read interface for io2 1398 */ 1399 1400 static int prev_progress = 1; 1401 int progress = 0; 1402 1403 /* io1 to io2 */ 1404 do 1405 { 1406 size_t num; 1407 int r; 1408 1409 r1 = BIO_ctrl_pending(io1); 1410 r2 = BIO_ctrl_get_write_guarantee(io2); 1411 1412 num = r1; 1413 if (r2 < num) 1414 num = r2; 1415 if (num) 1416 { 1417 char *dataptr; 1418 1419 if (INT_MAX < num) /* yeah, right */ 1420 num = INT_MAX; 1421 1422 r = BIO_nread(io1, &dataptr, (int)num); 1423 assert(r > 0); 1424 assert(r <= (int)num); 1425 /* possibly r < num (non-contiguous data) */ 1426 num = r; 1427 r = BIO_write(io2, dataptr, (int)num); 1428 if (r != (int)num) /* can't happen */ 1429 { 1430 fprintf(stderr, "ERROR: BIO_write could not write " 1431 "BIO_ctrl_get_write_guarantee() bytes"); 1432 goto err; 1433 } 1434 progress = 1; 1435 1436 if (debug) 1437 printf((io1 == client_io) ? 1438 "C->S relaying: %d bytes\n" : 1439 "S->C relaying: %d bytes\n", 1440 (int)num); 1441 } 1442 } 1443 while (r1 && r2); 1444 1445 /* io2 to io1 */ 1446 { 1447 size_t num; 1448 int r; 1449 1450 r1 = BIO_ctrl_pending(io2); 1451 r2 = BIO_ctrl_get_read_request(io1); 1452 /* here we could use ..._get_write_guarantee instead of 1453 * ..._get_read_request, but by using the latter 1454 * we test restartability of the SSL implementation 1455 * more thoroughly */ 1456 num = r1; 1457 if (r2 < num) 1458 num = r2; 1459 if (num) 1460 { 1461 char *dataptr; 1462 1463 if (INT_MAX < num) 1464 num = INT_MAX; 1465 1466 if (num > 1) 1467 --num; /* test restartability even more thoroughly */ 1468 1469 r = BIO_nwrite0(io1, &dataptr); 1470 assert(r > 0); 1471 if (r < (int)num) 1472 num = r; 1473 r = BIO_read(io2, dataptr, (int)num); 1474 if (r != (int)num) /* can't happen */ 1475 { 1476 fprintf(stderr, "ERROR: BIO_read could not read " 1477 "BIO_ctrl_pending() bytes"); 1478 goto err; 1479 } 1480 progress = 1; 1481 r = BIO_nwrite(io1, &dataptr, (int)num); 1482 if (r != (int)num) /* can't happen */ 1483 { 1484 fprintf(stderr, "ERROR: BIO_nwrite() did not accept " 1485 "BIO_nwrite0() bytes"); 1486 goto err; 1487 } 1488 1489 if (debug) 1490 printf((io2 == client_io) ? 1491 "C->S relaying: %d bytes\n" : 1492 "S->C relaying: %d bytes\n", 1493 (int)num); 1494 } 1495 } /* no loop, BIO_ctrl_get_read_request now returns 0 anyway */ 1496 1497 if (!progress && !prev_progress) 1498 if (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0) 1499 { 1500 fprintf(stderr, "ERROR: got stuck\n"); 1501 if (strcmp("SSLv2", SSL_get_version(c_ssl)) == 0) 1502 { 1503 fprintf(stderr, "This can happen for SSL2 because " 1504 "CLIENT-FINISHED and SERVER-VERIFY are written \n" 1505 "concurrently ..."); 1506 if (strncmp("2SCF", SSL_state_string(c_ssl), 4) == 0 1507 && strncmp("2SSV", SSL_state_string(s_ssl), 4) == 0) 1508 { 1509 fprintf(stderr, " ok.\n"); 1510 goto end; 1511 } 1512 } 1513 fprintf(stderr, " ERROR.\n"); 1514 goto err; 1515 } 1516 prev_progress = progress; 1517 } 1518 } 1519 while (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0); 1520 1521 if (verbose) 1522 print_details(c_ssl, "DONE via BIO pair: "); 1523end: 1524 ret = 0; 1525 1526 err: 1527 ERR_print_errors(bio_err); 1528 1529 if (server) 1530 BIO_free(server); 1531 if (server_io) 1532 BIO_free(server_io); 1533 if (client) 1534 BIO_free(client); 1535 if (client_io) 1536 BIO_free(client_io); 1537 if (s_ssl_bio) 1538 BIO_free(s_ssl_bio); 1539 if (c_ssl_bio) 1540 BIO_free(c_ssl_bio); 1541 1542 return ret; 1543 } 1544 1545 1546#define W_READ 1 1547#define W_WRITE 2 1548#define C_DONE 1 1549#define S_DONE 2 1550 1551int doit(SSL *s_ssl, SSL *c_ssl, long count) 1552 { 1553 MS_STATIC char cbuf[1024*8],sbuf[1024*8]; 1554 long cw_num=count,cr_num=count; 1555 long sw_num=count,sr_num=count; 1556 int ret=1; 1557 BIO *c_to_s=NULL; 1558 BIO *s_to_c=NULL; 1559 BIO *c_bio=NULL; 1560 BIO *s_bio=NULL; 1561 int c_r,c_w,s_r,s_w; 1562 int i,j; 1563 int done=0; 1564 int c_write,s_write; 1565 int do_server=0,do_client=0; 1566 1567 memset(cbuf,0,sizeof(cbuf)); 1568 memset(sbuf,0,sizeof(sbuf)); 1569 1570 c_to_s=BIO_new(BIO_s_mem()); 1571 s_to_c=BIO_new(BIO_s_mem()); 1572 if ((s_to_c == NULL) || (c_to_s == NULL)) 1573 { 1574 ERR_print_errors(bio_err); 1575 goto err; 1576 } 1577 1578 c_bio=BIO_new(BIO_f_ssl()); 1579 s_bio=BIO_new(BIO_f_ssl()); 1580 if ((c_bio == NULL) || (s_bio == NULL)) 1581 { 1582 ERR_print_errors(bio_err); 1583 goto err; 1584 } 1585 1586 SSL_set_connect_state(c_ssl); 1587 SSL_set_bio(c_ssl,s_to_c,c_to_s); 1588 BIO_set_ssl(c_bio,c_ssl,BIO_NOCLOSE); 1589 1590 SSL_set_accept_state(s_ssl); 1591 SSL_set_bio(s_ssl,c_to_s,s_to_c); 1592 BIO_set_ssl(s_bio,s_ssl,BIO_NOCLOSE); 1593 1594 c_r=0; s_r=1; 1595 c_w=1; s_w=0; 1596 c_write=1,s_write=0; 1597 1598 /* We can always do writes */ 1599 for (;;) 1600 { 1601 do_server=0; 1602 do_client=0; 1603 1604 i=(int)BIO_pending(s_bio); 1605 if ((i && s_r) || s_w) do_server=1; 1606 1607 i=(int)BIO_pending(c_bio); 1608 if ((i && c_r) || c_w) do_client=1; 1609 1610 if (do_server && debug) 1611 { 1612 if (SSL_in_init(s_ssl)) 1613 printf("server waiting in SSL_accept - %s\n", 1614 SSL_state_string_long(s_ssl)); 1615/* else if (s_write) 1616 printf("server:SSL_write()\n"); 1617 else 1618 printf("server:SSL_read()\n"); */ 1619 } 1620 1621 if (do_client && debug) 1622 { 1623 if (SSL_in_init(c_ssl)) 1624 printf("client waiting in SSL_connect - %s\n", 1625 SSL_state_string_long(c_ssl)); 1626/* else if (c_write) 1627 printf("client:SSL_write()\n"); 1628 else 1629 printf("client:SSL_read()\n"); */ 1630 } 1631 1632 if (!do_client && !do_server) 1633 { 1634 fprintf(stdout,"ERROR IN STARTUP\n"); 1635 ERR_print_errors(bio_err); 1636 break; 1637 } 1638 if (do_client && !(done & C_DONE)) 1639 { 1640 if (c_write) 1641 { 1642 j = (cw_num > (long)sizeof(cbuf)) ? 1643 (int)sizeof(cbuf) : (int)cw_num; 1644 i=BIO_write(c_bio,cbuf,j); 1645 if (i < 0) 1646 { 1647 c_r=0; 1648 c_w=0; 1649 if (BIO_should_retry(c_bio)) 1650 { 1651 if (BIO_should_read(c_bio)) 1652 c_r=1; 1653 if (BIO_should_write(c_bio)) 1654 c_w=1; 1655 } 1656 else 1657 { 1658 fprintf(stderr,"ERROR in CLIENT\n"); 1659 ERR_print_errors(bio_err); 1660 goto err; 1661 } 1662 } 1663 else if (i == 0) 1664 { 1665 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n"); 1666 goto err; 1667 } 1668 else 1669 { 1670 if (debug) 1671 printf("client wrote %d\n",i); 1672 /* ok */ 1673 s_r=1; 1674 c_write=0; 1675 cw_num-=i; 1676 } 1677 } 1678 else 1679 { 1680 i=BIO_read(c_bio,cbuf,sizeof(cbuf)); 1681 if (i < 0) 1682 { 1683 c_r=0; 1684 c_w=0; 1685 if (BIO_should_retry(c_bio)) 1686 { 1687 if (BIO_should_read(c_bio)) 1688 c_r=1; 1689 if (BIO_should_write(c_bio)) 1690 c_w=1; 1691 } 1692 else 1693 { 1694 fprintf(stderr,"ERROR in CLIENT\n"); 1695 ERR_print_errors(bio_err); 1696 goto err; 1697 } 1698 } 1699 else if (i == 0) 1700 { 1701 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n"); 1702 goto err; 1703 } 1704 else 1705 { 1706 if (debug) 1707 printf("client read %d\n",i); 1708 cr_num-=i; 1709 if (sw_num > 0) 1710 { 1711 s_write=1; 1712 s_w=1; 1713 } 1714 if (cr_num <= 0) 1715 { 1716 s_write=1; 1717 s_w=1; 1718 done=S_DONE|C_DONE; 1719 } 1720 } 1721 } 1722 } 1723 1724 if (do_server && !(done & S_DONE)) 1725 { 1726 if (!s_write) 1727 { 1728 i=BIO_read(s_bio,sbuf,sizeof(cbuf)); 1729 if (i < 0) 1730 { 1731 s_r=0; 1732 s_w=0; 1733 if (BIO_should_retry(s_bio)) 1734 { 1735 if (BIO_should_read(s_bio)) 1736 s_r=1; 1737 if (BIO_should_write(s_bio)) 1738 s_w=1; 1739 } 1740 else 1741 { 1742 fprintf(stderr,"ERROR in SERVER\n"); 1743 ERR_print_errors(bio_err); 1744 goto err; 1745 } 1746 } 1747 else if (i == 0) 1748 { 1749 ERR_print_errors(bio_err); 1750 fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_read\n"); 1751 goto err; 1752 } 1753 else 1754 { 1755 if (debug) 1756 printf("server read %d\n",i); 1757 sr_num-=i; 1758 if (cw_num > 0) 1759 { 1760 c_write=1; 1761 c_w=1; 1762 } 1763 if (sr_num <= 0) 1764 { 1765 s_write=1; 1766 s_w=1; 1767 c_write=0; 1768 } 1769 } 1770 } 1771 else 1772 { 1773 j = (sw_num > (long)sizeof(sbuf)) ? 1774 (int)sizeof(sbuf) : (int)sw_num; 1775 i=BIO_write(s_bio,sbuf,j); 1776 if (i < 0) 1777 { 1778 s_r=0; 1779 s_w=0; 1780 if (BIO_should_retry(s_bio)) 1781 { 1782 if (BIO_should_read(s_bio)) 1783 s_r=1; 1784 if (BIO_should_write(s_bio)) 1785 s_w=1; 1786 } 1787 else 1788 { 1789 fprintf(stderr,"ERROR in SERVER\n"); 1790 ERR_print_errors(bio_err); 1791 goto err; 1792 } 1793 } 1794 else if (i == 0) 1795 { 1796 ERR_print_errors(bio_err); 1797 fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_write\n"); 1798 goto err; 1799 } 1800 else 1801 { 1802 if (debug) 1803 printf("server wrote %d\n",i); 1804 sw_num-=i; 1805 s_write=0; 1806 c_r=1; 1807 if (sw_num <= 0) 1808 done|=S_DONE; 1809 } 1810 } 1811 } 1812 1813 if ((done & S_DONE) && (done & C_DONE)) break; 1814 } 1815 1816 if (verbose) 1817 print_details(c_ssl, "DONE: "); 1818 ret=0; 1819err: 1820 /* We have to set the BIO's to NULL otherwise they will be 1821 * OPENSSL_free()ed twice. Once when th s_ssl is SSL_free()ed and 1822 * again when c_ssl is SSL_free()ed. 1823 * This is a hack required because s_ssl and c_ssl are sharing the same 1824 * BIO structure and SSL_set_bio() and SSL_free() automatically 1825 * BIO_free non NULL entries. 1826 * You should not normally do this or be required to do this */ 1827 if (s_ssl != NULL) 1828 { 1829 s_ssl->rbio=NULL; 1830 s_ssl->wbio=NULL; 1831 } 1832 if (c_ssl != NULL) 1833 { 1834 c_ssl->rbio=NULL; 1835 c_ssl->wbio=NULL; 1836 } 1837 1838 if (c_to_s != NULL) BIO_free(c_to_s); 1839 if (s_to_c != NULL) BIO_free(s_to_c); 1840 if (c_bio != NULL) BIO_free_all(c_bio); 1841 if (s_bio != NULL) BIO_free_all(s_bio); 1842 return(ret); 1843 } 1844 1845static int get_proxy_auth_ex_data_idx(void) 1846 { 1847 static volatile int idx = -1; 1848 if (idx < 0) 1849 { 1850 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); 1851 if (idx < 0) 1852 { 1853 idx = X509_STORE_CTX_get_ex_new_index(0, 1854 "SSLtest for verify callback", NULL,NULL,NULL); 1855 } 1856 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX); 1857 } 1858 return idx; 1859 } 1860 1861static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx) 1862 { 1863 char *s,buf[256]; 1864 1865 s=X509_NAME_oneline(X509_get_subject_name(ctx->current_cert),buf, 1866 sizeof buf); 1867 if (s != NULL) 1868 { 1869 if (ok) 1870 fprintf(stderr,"depth=%d %s\n", 1871 ctx->error_depth,buf); 1872 else 1873 { 1874 fprintf(stderr,"depth=%d error=%d %s\n", 1875 ctx->error_depth,ctx->error,buf); 1876 } 1877 } 1878 1879 if (ok == 0) 1880 { 1881 fprintf(stderr,"Error string: %s\n", 1882 X509_verify_cert_error_string(ctx->error)); 1883 switch (ctx->error) 1884 { 1885 case X509_V_ERR_CERT_NOT_YET_VALID: 1886 case X509_V_ERR_CERT_HAS_EXPIRED: 1887 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: 1888 fprintf(stderr," ... ignored.\n"); 1889 ok=1; 1890 } 1891 } 1892 1893 if (ok == 1) 1894 { 1895 X509 *xs = ctx->current_cert; 1896#if 0 1897 X509 *xi = ctx->current_issuer; 1898#endif 1899 1900 if (xs->ex_flags & EXFLAG_PROXY) 1901 { 1902 unsigned int *letters = 1903 X509_STORE_CTX_get_ex_data(ctx, 1904 get_proxy_auth_ex_data_idx()); 1905 1906 if (letters) 1907 { 1908 int found_any = 0; 1909 int i; 1910 PROXY_CERT_INFO_EXTENSION *pci = 1911 X509_get_ext_d2i(xs, NID_proxyCertInfo, 1912 NULL, NULL); 1913 1914 switch (OBJ_obj2nid(pci->proxyPolicy->policyLanguage)) 1915 { 1916 case NID_Independent: 1917 /* Completely meaningless in this 1918 program, as there's no way to 1919 grant explicit rights to a 1920 specific PrC. Basically, using 1921 id-ppl-Independent is the perfect 1922 way to grant no rights at all. */ 1923 fprintf(stderr, " Independent proxy certificate"); 1924 for (i = 0; i < 26; i++) 1925 letters[i] = 0; 1926 break; 1927 case NID_id_ppl_inheritAll: 1928 /* This is basically a NOP, we 1929 simply let the current rights 1930 stand as they are. */ 1931 fprintf(stderr, " Proxy certificate inherits all"); 1932 break; 1933 default: 1934 s = (char *) 1935 pci->proxyPolicy->policy->data; 1936 i = pci->proxyPolicy->policy->length; 1937 1938 /* The algorithm works as follows: 1939 it is assumed that previous 1940 iterations or the initial granted 1941 rights has already set some elements 1942 of `letters'. What we need to do is 1943 to clear those that weren't granted 1944 by the current PrC as well. The 1945 easiest way to do this is to add 1 1946 to all the elements whose letters 1947 are given with the current policy. 1948 That way, all elements that are set 1949 by the current policy and were 1950 already set by earlier policies and 1951 through the original grant of rights 1952 will get the value 2 or higher. 1953 The last thing to do is to sweep 1954 through `letters' and keep the 1955 elements having the value 2 as set, 1956 and clear all the others. */ 1957 1958 fprintf(stderr, " Certificate proxy rights = %*.*s", i, i, s); 1959 while(i-- > 0) 1960 { 1961 int c = *s++; 1962 if (isascii(c) && isalpha(c)) 1963 { 1964 if (islower(c)) 1965 c = toupper(c); 1966 letters[c - 'A']++; 1967 } 1968 } 1969 for (i = 0; i < 26; i++) 1970 if (letters[i] < 2) 1971 letters[i] = 0; 1972 else 1973 letters[i] = 1; 1974 } 1975 1976 found_any = 0; 1977 fprintf(stderr, 1978 ", resulting proxy rights = "); 1979 for(i = 0; i < 26; i++) 1980 if (letters[i]) 1981 { 1982 fprintf(stderr, "%c", i + 'A'); 1983 found_any = 1; 1984 } 1985 if (!found_any) 1986 fprintf(stderr, "none"); 1987 fprintf(stderr, "\n"); 1988 1989 PROXY_CERT_INFO_EXTENSION_free(pci); 1990 } 1991 } 1992 } 1993 1994 return(ok); 1995 } 1996 1997static void process_proxy_debug(int indent, const char *format, ...) 1998 { 1999 static const char indentation[] = 2000 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>" 2001 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"; /* That's 80 > */ 2002 char my_format[256]; 2003 va_list args; 2004 2005 BIO_snprintf(my_format, sizeof(my_format), "%*.*s %s", 2006 indent, indent, indentation, format); 2007 2008 va_start(args, format); 2009 vfprintf(stderr, my_format, args); 2010 va_end(args); 2011 } 2012/* Priority levels: 2013 0 [!]var, () 2014 1 & ^ 2015 2 | 2016*/ 2017static int process_proxy_cond_adders(unsigned int letters[26], 2018 const char *cond, const char **cond_end, int *pos, int indent); 2019static int process_proxy_cond_val(unsigned int letters[26], 2020 const char *cond, const char **cond_end, int *pos, int indent) 2021 { 2022 int c; 2023 int ok = 1; 2024 int negate = 0; 2025 2026 while(isspace((int)*cond)) 2027 { 2028 cond++; (*pos)++; 2029 } 2030 c = *cond; 2031 2032 if (debug) 2033 process_proxy_debug(indent, 2034 "Start process_proxy_cond_val at position %d: %s\n", 2035 *pos, cond); 2036 2037 while(c == '!') 2038 { 2039 negate = !negate; 2040 cond++; (*pos)++; 2041 while(isspace((int)*cond)) 2042 { 2043 cond++; (*pos)++; 2044 } 2045 c = *cond; 2046 } 2047 2048 if (c == '(') 2049 { 2050 cond++; (*pos)++; 2051 ok = process_proxy_cond_adders(letters, cond, cond_end, pos, 2052 indent + 1); 2053 cond = *cond_end; 2054 if (ok < 0) 2055 goto end; 2056 while(isspace((int)*cond)) 2057 { 2058 cond++; (*pos)++; 2059 } 2060 c = *cond; 2061 if (c != ')') 2062 { 2063 fprintf(stderr, 2064 "Weird condition character in position %d: " 2065 "%c\n", *pos, c); 2066 ok = -1; 2067 goto end; 2068 } 2069 cond++; (*pos)++; 2070 } 2071 else if (isascii(c) && isalpha(c)) 2072 { 2073 if (islower(c)) 2074 c = toupper(c); 2075 ok = letters[c - 'A']; 2076 cond++; (*pos)++; 2077 } 2078 else 2079 { 2080 fprintf(stderr, 2081 "Weird condition character in position %d: " 2082 "%c\n", *pos, c); 2083 ok = -1; 2084 goto end; 2085 } 2086 end: 2087 *cond_end = cond; 2088 if (ok >= 0 && negate) 2089 ok = !ok; 2090 2091 if (debug) 2092 process_proxy_debug(indent, 2093 "End process_proxy_cond_val at position %d: %s, returning %d\n", 2094 *pos, cond, ok); 2095 2096 return ok; 2097 } 2098static int process_proxy_cond_multipliers(unsigned int letters[26], 2099 const char *cond, const char **cond_end, int *pos, int indent) 2100 { 2101 int ok; 2102 char c; 2103 2104 if (debug) 2105 process_proxy_debug(indent, 2106 "Start process_proxy_cond_multipliers at position %d: %s\n", 2107 *pos, cond); 2108 2109 ok = process_proxy_cond_val(letters, cond, cond_end, pos, indent + 1); 2110 cond = *cond_end; 2111 if (ok < 0) 2112 goto end; 2113 2114 while(ok >= 0) 2115 { 2116 while(isspace((int)*cond)) 2117 { 2118 cond++; (*pos)++; 2119 } 2120 c = *cond; 2121 2122 switch(c) 2123 { 2124 case '&': 2125 case '^': 2126 { 2127 int save_ok = ok; 2128 2129 cond++; (*pos)++; 2130 ok = process_proxy_cond_val(letters, 2131 cond, cond_end, pos, indent + 1); 2132 cond = *cond_end; 2133 if (ok < 0) 2134 break; 2135 2136 switch(c) 2137 { 2138 case '&': 2139 ok &= save_ok; 2140 break; 2141 case '^': 2142 ok ^= save_ok; 2143 break; 2144 default: 2145 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!" 2146 " STOPPING\n"); 2147 EXIT(1); 2148 } 2149 } 2150 break; 2151 default: 2152 goto end; 2153 } 2154 } 2155 end: 2156 if (debug) 2157 process_proxy_debug(indent, 2158 "End process_proxy_cond_multipliers at position %d: %s, returning %d\n", 2159 *pos, cond, ok); 2160 2161 *cond_end = cond; 2162 return ok; 2163 } 2164static int process_proxy_cond_adders(unsigned int letters[26], 2165 const char *cond, const char **cond_end, int *pos, int indent) 2166 { 2167 int ok; 2168 char c; 2169 2170 if (debug) 2171 process_proxy_debug(indent, 2172 "Start process_proxy_cond_adders at position %d: %s\n", 2173 *pos, cond); 2174 2175 ok = process_proxy_cond_multipliers(letters, cond, cond_end, pos, 2176 indent + 1); 2177 cond = *cond_end; 2178 if (ok < 0) 2179 goto end; 2180 2181 while(ok >= 0) 2182 { 2183 while(isspace((int)*cond)) 2184 { 2185 cond++; (*pos)++; 2186 } 2187 c = *cond; 2188 2189 switch(c) 2190 { 2191 case '|': 2192 { 2193 int save_ok = ok; 2194 2195 cond++; (*pos)++; 2196 ok = process_proxy_cond_multipliers(letters, 2197 cond, cond_end, pos, indent + 1); 2198 cond = *cond_end; 2199 if (ok < 0) 2200 break; 2201 2202 switch(c) 2203 { 2204 case '|': 2205 ok |= save_ok; 2206 break; 2207 default: 2208 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!" 2209 " STOPPING\n"); 2210 EXIT(1); 2211 } 2212 } 2213 break; 2214 default: 2215 goto end; 2216 } 2217 } 2218 end: 2219 if (debug) 2220 process_proxy_debug(indent, 2221 "End process_proxy_cond_adders at position %d: %s, returning %d\n", 2222 *pos, cond, ok); 2223 2224 *cond_end = cond; 2225 return ok; 2226 } 2227 2228static int process_proxy_cond(unsigned int letters[26], 2229 const char *cond, const char **cond_end) 2230 { 2231 int pos = 1; 2232 return process_proxy_cond_adders(letters, cond, cond_end, &pos, 1); 2233 } 2234 2235static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg) 2236 { 2237 int ok=1; 2238 struct app_verify_arg *cb_arg = arg; 2239 unsigned int letters[26]; /* only used with proxy_auth */ 2240 2241 if (cb_arg->app_verify) 2242 { 2243 char *s = NULL,buf[256]; 2244 2245 fprintf(stderr, "In app_verify_callback, allowing cert. "); 2246 fprintf(stderr, "Arg is: %s\n", cb_arg->string); 2247 fprintf(stderr, "Finished printing do we have a context? 0x%p a cert? 0x%p\n", 2248 (void *)ctx, (void *)ctx->cert); 2249 if (ctx->cert) 2250 s=X509_NAME_oneline(X509_get_subject_name(ctx->cert),buf,256); 2251 if (s != NULL) 2252 { 2253 fprintf(stderr,"cert depth=%d %s\n",ctx->error_depth,buf); 2254 } 2255 return(1); 2256 } 2257 if (cb_arg->proxy_auth) 2258 { 2259 int found_any = 0, i; 2260 char *sp; 2261 2262 for(i = 0; i < 26; i++) 2263 letters[i] = 0; 2264 for(sp = cb_arg->proxy_auth; *sp; sp++) 2265 { 2266 int c = *sp; 2267 if (isascii(c) && isalpha(c)) 2268 { 2269 if (islower(c)) 2270 c = toupper(c); 2271 letters[c - 'A'] = 1; 2272 } 2273 } 2274 2275 fprintf(stderr, 2276 " Initial proxy rights = "); 2277 for(i = 0; i < 26; i++) 2278 if (letters[i]) 2279 { 2280 fprintf(stderr, "%c", i + 'A'); 2281 found_any = 1; 2282 } 2283 if (!found_any) 2284 fprintf(stderr, "none"); 2285 fprintf(stderr, "\n"); 2286 2287 X509_STORE_CTX_set_ex_data(ctx, 2288 get_proxy_auth_ex_data_idx(),letters); 2289 } 2290 if (cb_arg->allow_proxy_certs) 2291 { 2292 X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS); 2293 } 2294 2295#ifndef OPENSSL_NO_X509_VERIFY 2296 ok = X509_verify_cert(ctx); 2297#endif 2298 2299 if (cb_arg->proxy_auth) 2300 { 2301 if (ok > 0) 2302 { 2303 const char *cond_end = NULL; 2304 2305 ok = process_proxy_cond(letters, 2306 cb_arg->proxy_cond, &cond_end); 2307 2308 if (ok < 0) 2309 EXIT(3); 2310 if (*cond_end) 2311 { 2312 fprintf(stderr, "Stopped processing condition before it's end.\n"); 2313 ok = 0; 2314 } 2315 if (!ok) 2316 fprintf(stderr, "Proxy rights check with condition '%s' proved invalid\n", 2317 cb_arg->proxy_cond); 2318 else 2319 fprintf(stderr, "Proxy rights check with condition '%s' proved valid\n", 2320 cb_arg->proxy_cond); 2321 } 2322 } 2323 return(ok); 2324 } 2325 2326#ifndef OPENSSL_NO_RSA 2327static RSA *rsa_tmp=NULL; 2328 2329static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength) 2330 { 2331 BIGNUM *bn = NULL; 2332 if (rsa_tmp == NULL) 2333 { 2334 bn = BN_new(); 2335 rsa_tmp = RSA_new(); 2336 if(!bn || !rsa_tmp || !BN_set_word(bn, RSA_F4)) 2337 { 2338 BIO_printf(bio_err, "Memory error..."); 2339 goto end; 2340 } 2341 BIO_printf(bio_err,"Generating temp (%d bit) RSA key...",keylength); 2342 (void)BIO_flush(bio_err); 2343 if(!RSA_generate_key_ex(rsa_tmp,keylength,bn,NULL)) 2344 { 2345 BIO_printf(bio_err, "Error generating key."); 2346 RSA_free(rsa_tmp); 2347 rsa_tmp = NULL; 2348 } 2349end: 2350 BIO_printf(bio_err,"\n"); 2351 (void)BIO_flush(bio_err); 2352 } 2353 if(bn) BN_free(bn); 2354 return(rsa_tmp); 2355 } 2356 2357static void free_tmp_rsa(void) 2358 { 2359 if (rsa_tmp != NULL) 2360 { 2361 RSA_free(rsa_tmp); 2362 rsa_tmp = NULL; 2363 } 2364 } 2365#endif 2366 2367#ifndef OPENSSL_NO_DH 2368/* These DH parameters have been generated as follows: 2369 * $ openssl dhparam -C -noout 512 2370 * $ openssl dhparam -C -noout 1024 2371 * $ openssl dhparam -C -noout -dsaparam 1024 2372 * (The third function has been renamed to avoid name conflicts.) 2373 */ 2374static DH *get_dh512() 2375 { 2376 static unsigned char dh512_p[]={ 2377 0xCB,0xC8,0xE1,0x86,0xD0,0x1F,0x94,0x17,0xA6,0x99,0xF0,0xC6, 2378 0x1F,0x0D,0xAC,0xB6,0x25,0x3E,0x06,0x39,0xCA,0x72,0x04,0xB0, 2379 0x6E,0xDA,0xC0,0x61,0xE6,0x7A,0x77,0x25,0xE8,0x3B,0xB9,0x5F, 2380 0x9A,0xB6,0xB5,0xFE,0x99,0x0B,0xA1,0x93,0x4E,0x35,0x33,0xB8, 2381 0xE1,0xF1,0x13,0x4F,0x59,0x1A,0xD2,0x57,0xC0,0x26,0x21,0x33, 2382 0x02,0xC5,0xAE,0x23, 2383 }; 2384 static unsigned char dh512_g[]={ 2385 0x02, 2386 }; 2387 DH *dh; 2388 2389 if ((dh=DH_new()) == NULL) return(NULL); 2390 dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL); 2391 dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL); 2392 if ((dh->p == NULL) || (dh->g == NULL)) 2393 { DH_free(dh); return(NULL); } 2394 return(dh); 2395 } 2396 2397static DH *get_dh1024() 2398 { 2399 static unsigned char dh1024_p[]={ 2400 0xF8,0x81,0x89,0x7D,0x14,0x24,0xC5,0xD1,0xE6,0xF7,0xBF,0x3A, 2401 0xE4,0x90,0xF4,0xFC,0x73,0xFB,0x34,0xB5,0xFA,0x4C,0x56,0xA2, 2402 0xEA,0xA7,0xE9,0xC0,0xC0,0xCE,0x89,0xE1,0xFA,0x63,0x3F,0xB0, 2403 0x6B,0x32,0x66,0xF1,0xD1,0x7B,0xB0,0x00,0x8F,0xCA,0x87,0xC2, 2404 0xAE,0x98,0x89,0x26,0x17,0xC2,0x05,0xD2,0xEC,0x08,0xD0,0x8C, 2405 0xFF,0x17,0x52,0x8C,0xC5,0x07,0x93,0x03,0xB1,0xF6,0x2F,0xB8, 2406 0x1C,0x52,0x47,0x27,0x1B,0xDB,0xD1,0x8D,0x9D,0x69,0x1D,0x52, 2407 0x4B,0x32,0x81,0xAA,0x7F,0x00,0xC8,0xDC,0xE6,0xD9,0xCC,0xC1, 2408 0x11,0x2D,0x37,0x34,0x6C,0xEA,0x02,0x97,0x4B,0x0E,0xBB,0xB1, 2409 0x71,0x33,0x09,0x15,0xFD,0xDD,0x23,0x87,0x07,0x5E,0x89,0xAB, 2410 0x6B,0x7C,0x5F,0xEC,0xA6,0x24,0xDC,0x53, 2411 }; 2412 static unsigned char dh1024_g[]={ 2413 0x02, 2414 }; 2415 DH *dh; 2416 2417 if ((dh=DH_new()) == NULL) return(NULL); 2418 dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL); 2419 dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL); 2420 if ((dh->p == NULL) || (dh->g == NULL)) 2421 { DH_free(dh); return(NULL); } 2422 return(dh); 2423 } 2424 2425static DH *get_dh1024dsa() 2426 { 2427 static unsigned char dh1024_p[]={ 2428 0xC8,0x00,0xF7,0x08,0x07,0x89,0x4D,0x90,0x53,0xF3,0xD5,0x00, 2429 0x21,0x1B,0xF7,0x31,0xA6,0xA2,0xDA,0x23,0x9A,0xC7,0x87,0x19, 2430 0x3B,0x47,0xB6,0x8C,0x04,0x6F,0xFF,0xC6,0x9B,0xB8,0x65,0xD2, 2431 0xC2,0x5F,0x31,0x83,0x4A,0xA7,0x5F,0x2F,0x88,0x38,0xB6,0x55, 2432 0xCF,0xD9,0x87,0x6D,0x6F,0x9F,0xDA,0xAC,0xA6,0x48,0xAF,0xFC, 2433 0x33,0x84,0x37,0x5B,0x82,0x4A,0x31,0x5D,0xE7,0xBD,0x52,0x97, 2434 0xA1,0x77,0xBF,0x10,0x9E,0x37,0xEA,0x64,0xFA,0xCA,0x28,0x8D, 2435 0x9D,0x3B,0xD2,0x6E,0x09,0x5C,0x68,0xC7,0x45,0x90,0xFD,0xBB, 2436 0x70,0xC9,0x3A,0xBB,0xDF,0xD4,0x21,0x0F,0xC4,0x6A,0x3C,0xF6, 2437 0x61,0xCF,0x3F,0xD6,0x13,0xF1,0x5F,0xBC,0xCF,0xBC,0x26,0x9E, 2438 0xBC,0x0B,0xBD,0xAB,0x5D,0xC9,0x54,0x39, 2439 }; 2440 static unsigned char dh1024_g[]={ 2441 0x3B,0x40,0x86,0xE7,0xF3,0x6C,0xDE,0x67,0x1C,0xCC,0x80,0x05, 2442 0x5A,0xDF,0xFE,0xBD,0x20,0x27,0x74,0x6C,0x24,0xC9,0x03,0xF3, 2443 0xE1,0x8D,0xC3,0x7D,0x98,0x27,0x40,0x08,0xB8,0x8C,0x6A,0xE9, 2444 0xBB,0x1A,0x3A,0xD6,0x86,0x83,0x5E,0x72,0x41,0xCE,0x85,0x3C, 2445 0xD2,0xB3,0xFC,0x13,0xCE,0x37,0x81,0x9E,0x4C,0x1C,0x7B,0x65, 2446 0xD3,0xE6,0xA6,0x00,0xF5,0x5A,0x95,0x43,0x5E,0x81,0xCF,0x60, 2447 0xA2,0x23,0xFC,0x36,0xA7,0x5D,0x7A,0x4C,0x06,0x91,0x6E,0xF6, 2448 0x57,0xEE,0x36,0xCB,0x06,0xEA,0xF5,0x3D,0x95,0x49,0xCB,0xA7, 2449 0xDD,0x81,0xDF,0x80,0x09,0x4A,0x97,0x4D,0xA8,0x22,0x72,0xA1, 2450 0x7F,0xC4,0x70,0x56,0x70,0xE8,0x20,0x10,0x18,0x8F,0x2E,0x60, 2451 0x07,0xE7,0x68,0x1A,0x82,0x5D,0x32,0xA2, 2452 }; 2453 DH *dh; 2454 2455 if ((dh=DH_new()) == NULL) return(NULL); 2456 dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL); 2457 dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL); 2458 if ((dh->p == NULL) || (dh->g == NULL)) 2459 { DH_free(dh); return(NULL); } 2460 dh->length = 160; 2461 return(dh); 2462 } 2463#endif 2464 2465#ifndef OPENSSL_NO_PSK 2466/* convert the PSK key (psk_key) in ascii to binary (psk) */ 2467static int psk_key2bn(const char *pskkey, unsigned char *psk, 2468 unsigned int max_psk_len) 2469 { 2470 int ret; 2471 BIGNUM *bn = NULL; 2472 2473 ret = BN_hex2bn(&bn, pskkey); 2474 if (!ret) 2475 { 2476 BIO_printf(bio_err,"Could not convert PSK key '%s' to BIGNUM\n", pskkey); 2477 if (bn) 2478 BN_free(bn); 2479 return 0; 2480 } 2481 if (BN_num_bytes(bn) > (int)max_psk_len) 2482 { 2483 BIO_printf(bio_err,"psk buffer of callback is too small (%d) for key (%d)\n", 2484 max_psk_len, BN_num_bytes(bn)); 2485 BN_free(bn); 2486 return 0; 2487 } 2488 ret = BN_bn2bin(bn, psk); 2489 BN_free(bn); 2490 return ret; 2491 } 2492 2493static unsigned int psk_client_callback(SSL *ssl, const char *hint, char *identity, 2494 unsigned int max_identity_len, unsigned char *psk, 2495 unsigned int max_psk_len) 2496 { 2497 int ret; 2498 unsigned int psk_len = 0; 2499 2500 ret = BIO_snprintf(identity, max_identity_len, "Client_identity"); 2501 if (ret < 0) 2502 goto out_err; 2503 if (debug) 2504 fprintf(stderr, "client: created identity '%s' len=%d\n", identity, ret); 2505 ret = psk_key2bn(psk_key, psk, max_psk_len); 2506 if (ret < 0) 2507 goto out_err; 2508 psk_len = ret; 2509out_err: 2510 return psk_len; 2511 } 2512 2513static unsigned int psk_server_callback(SSL *ssl, const char *identity, 2514 unsigned char *psk, unsigned int max_psk_len) 2515 { 2516 unsigned int psk_len=0; 2517 2518 if (strcmp(identity, "Client_identity") != 0) 2519 { 2520 BIO_printf(bio_err, "server: PSK error: client identity not found\n"); 2521 return 0; 2522 } 2523 psk_len=psk_key2bn(psk_key, psk, max_psk_len); 2524 return psk_len; 2525 } 2526#endif 2527 2528static int do_test_cipherlist(void) 2529 { 2530 int i = 0; 2531 const SSL_METHOD *meth; 2532 const SSL_CIPHER *ci, *tci = NULL; 2533 2534#ifndef OPENSSL_NO_SSL2 2535 fprintf(stderr, "testing SSLv2 cipher list order: "); 2536 meth = SSLv2_method(); 2537 while ((ci = meth->get_cipher(i++)) != NULL) 2538 { 2539 if (tci != NULL) 2540 if (ci->id >= tci->id) 2541 { 2542 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id); 2543 return 0; 2544 } 2545 tci = ci; 2546 } 2547 fprintf(stderr, "ok\n"); 2548#endif 2549#ifndef OPENSSL_NO_SSL3 2550 fprintf(stderr, "testing SSLv3 cipher list order: "); 2551 meth = SSLv3_method(); 2552 tci = NULL; 2553 while ((ci = meth->get_cipher(i++)) != NULL) 2554 { 2555 if (tci != NULL) 2556 if (ci->id >= tci->id) 2557 { 2558 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id); 2559 return 0; 2560 } 2561 tci = ci; 2562 } 2563 fprintf(stderr, "ok\n"); 2564#endif 2565#ifndef OPENSSL_NO_TLS1 2566 fprintf(stderr, "testing TLSv1 cipher list order: "); 2567 meth = TLSv1_method(); 2568 tci = NULL; 2569 while ((ci = meth->get_cipher(i++)) != NULL) 2570 { 2571 if (tci != NULL) 2572 if (ci->id >= tci->id) 2573 { 2574 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id); 2575 return 0; 2576 } 2577 tci = ci; 2578 } 2579 fprintf(stderr, "ok\n"); 2580#endif 2581 2582 return 1; 2583 } 2584