ssltest.c revision 160814
1/* ssl/ssltest.c */ 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58/* ==================================================================== 59 * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111/* ==================================================================== 112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 113 * ECC cipher suite support in OpenSSL originally developed by 114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. 115 */ 116 117#define _BSD_SOURCE 1 /* Or gethostname won't be declared properly 118 on Linux and GNU platforms. */ 119 120#include <assert.h> 121#include <errno.h> 122#include <limits.h> 123#include <stdio.h> 124#include <stdlib.h> 125#include <string.h> 126#include <time.h> 127 128#define USE_SOCKETS 129#include "e_os.h" 130 131#define _XOPEN_SOURCE 500 /* Or isascii won't be declared properly on 132 VMS (at least with DECompHP C). */ 133#include <ctype.h> 134 135#include <openssl/bio.h> 136#include <openssl/crypto.h> 137#include <openssl/evp.h> 138#include <openssl/x509.h> 139#include <openssl/x509v3.h> 140#include <openssl/ssl.h> 141#ifndef OPENSSL_NO_ENGINE 142#include <openssl/engine.h> 143#endif 144#include <openssl/err.h> 145#include <openssl/rand.h> 146#ifndef OPENSSL_NO_RSA 147#include <openssl/rsa.h> 148#endif 149#ifndef OPENSSL_NO_DSA 150#include <openssl/dsa.h> 151#endif 152#ifndef OPENSSL_NO_DH 153#include <openssl/dh.h> 154#endif 155#include <openssl/bn.h> 156 157#define _XOPEN_SOURCE_EXTENDED 1 /* Or gethostname won't be declared properly 158 on Compaq platforms (at least with DEC C). 159 Do not try to put it earlier, or IPv6 includes 160 get screwed... 161 */ 162 163#ifdef OPENSSL_SYS_WINDOWS 164#include <winsock.h> 165#else 166#include OPENSSL_UNISTD 167#endif 168 169#ifdef OPENSSL_SYS_VMS 170# define TEST_SERVER_CERT "SYS$DISK:[-.APPS]SERVER.PEM" 171# define TEST_CLIENT_CERT "SYS$DISK:[-.APPS]CLIENT.PEM" 172#elif defined(OPENSSL_SYS_WINCE) 173# define TEST_SERVER_CERT "\\OpenSSL\\server.pem" 174# define TEST_CLIENT_CERT "\\OpenSSL\\client.pem" 175#elif defined(OPENSSL_SYS_NETWARE) 176# define TEST_SERVER_CERT "\\openssl\\apps\\server.pem" 177# define TEST_CLIENT_CERT "\\openssl\\apps\\client.pem" 178#else 179# define TEST_SERVER_CERT "../apps/server.pem" 180# define TEST_CLIENT_CERT "../apps/client.pem" 181#endif 182 183/* There is really no standard for this, so let's assign some tentative 184 numbers. In any case, these numbers are only for this test */ 185#define COMP_RLE 255 186#define COMP_ZLIB 1 187 188static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx); 189#ifndef OPENSSL_NO_RSA 190static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export,int keylength); 191static void free_tmp_rsa(void); 192#endif 193static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg); 194#define APP_CALLBACK_STRING "Test Callback Argument" 195struct app_verify_arg 196 { 197 char *string; 198 int app_verify; 199 int allow_proxy_certs; 200 char *proxy_auth; 201 char *proxy_cond; 202 }; 203 204#ifndef OPENSSL_NO_DH 205static DH *get_dh512(void); 206static DH *get_dh1024(void); 207static DH *get_dh1024dsa(void); 208#endif 209 210static BIO *bio_err=NULL; 211static BIO *bio_stdout=NULL; 212 213static char *cipher=NULL; 214static int verbose=0; 215static int debug=0; 216#if 0 217/* Not used yet. */ 218#ifdef FIONBIO 219static int s_nbio=0; 220#endif 221#endif 222 223static const char rnd_seed[] = "string to make the random number generator think it has entropy"; 224 225int doit_biopair(SSL *s_ssl,SSL *c_ssl,long bytes,clock_t *s_time,clock_t *c_time); 226int doit(SSL *s_ssl,SSL *c_ssl,long bytes); 227static int do_test_cipherlist(void); 228static void sv_usage(void) 229 { 230 fprintf(stderr,"usage: ssltest [args ...]\n"); 231 fprintf(stderr,"\n"); 232 fprintf(stderr," -server_auth - check server certificate\n"); 233 fprintf(stderr," -client_auth - do client authentication\n"); 234 fprintf(stderr," -proxy - allow proxy certificates\n"); 235 fprintf(stderr," -proxy_auth <val> - set proxy policy rights\n"); 236 fprintf(stderr," -proxy_cond <val> - experssion to test proxy policy rights\n"); 237 fprintf(stderr," -v - more output\n"); 238 fprintf(stderr," -d - debug output\n"); 239 fprintf(stderr," -reuse - use session-id reuse\n"); 240 fprintf(stderr," -num <val> - number of connections to perform\n"); 241 fprintf(stderr," -bytes <val> - number of bytes to swap between client/server\n"); 242#ifndef OPENSSL_NO_DH 243 fprintf(stderr," -dhe1024 - use 1024 bit key (safe prime) for DHE\n"); 244 fprintf(stderr," -dhe1024dsa - use 1024 bit key (with 160-bit subprime) for DHE\n"); 245 fprintf(stderr," -no_dhe - disable DHE\n"); 246#endif 247#ifndef OPENSSL_NO_ECDH 248 fprintf(stderr," -no_ecdhe - disable ECDHE\n"); 249#endif 250#ifndef OPENSSL_NO_SSL2 251 fprintf(stderr," -ssl2 - use SSLv2\n"); 252#endif 253#ifndef OPENSSL_NO_SSL3 254 fprintf(stderr," -ssl3 - use SSLv3\n"); 255#endif 256#ifndef OPENSSL_NO_TLS1 257 fprintf(stderr," -tls1 - use TLSv1\n"); 258#endif 259 fprintf(stderr," -CApath arg - PEM format directory of CA's\n"); 260 fprintf(stderr," -CAfile arg - PEM format file of CA's\n"); 261 fprintf(stderr," -cert arg - Server certificate file\n"); 262 fprintf(stderr," -key arg - Server key file (default: same as -cert)\n"); 263 fprintf(stderr," -c_cert arg - Client certificate file\n"); 264 fprintf(stderr," -c_key arg - Client key file (default: same as -c_cert)\n"); 265 fprintf(stderr," -cipher arg - The cipher list\n"); 266 fprintf(stderr," -bio_pair - Use BIO pairs\n"); 267 fprintf(stderr," -f - Test even cases that can't work\n"); 268 fprintf(stderr," -time - measure processor time used by client and server\n"); 269 fprintf(stderr," -zlib - use zlib compression\n"); 270 fprintf(stderr," -rle - use rle compression\n"); 271#ifndef OPENSSL_NO_ECDH 272 fprintf(stderr," -named_curve arg - Elliptic curve name to use for ephemeral ECDH keys.\n" \ 273 " Use \"openssl ecparam -list_curves\" for all names\n" \ 274 " (default is sect163r2).\n"); 275#endif 276 fprintf(stderr," -test_cipherlist - verifies the order of the ssl cipher lists\n"); 277 } 278 279static void print_details(SSL *c_ssl, const char *prefix) 280 { 281 SSL_CIPHER *ciph; 282 X509 *cert; 283 284 ciph=SSL_get_current_cipher(c_ssl); 285 BIO_printf(bio_stdout,"%s%s, cipher %s %s", 286 prefix, 287 SSL_get_version(c_ssl), 288 SSL_CIPHER_get_version(ciph), 289 SSL_CIPHER_get_name(ciph)); 290 cert=SSL_get_peer_certificate(c_ssl); 291 if (cert != NULL) 292 { 293 EVP_PKEY *pkey = X509_get_pubkey(cert); 294 if (pkey != NULL) 295 { 296 if (0) 297 ; 298#ifndef OPENSSL_NO_RSA 299 else if (pkey->type == EVP_PKEY_RSA && pkey->pkey.rsa != NULL 300 && pkey->pkey.rsa->n != NULL) 301 { 302 BIO_printf(bio_stdout, ", %d bit RSA", 303 BN_num_bits(pkey->pkey.rsa->n)); 304 } 305#endif 306#ifndef OPENSSL_NO_DSA 307 else if (pkey->type == EVP_PKEY_DSA && pkey->pkey.dsa != NULL 308 && pkey->pkey.dsa->p != NULL) 309 { 310 BIO_printf(bio_stdout, ", %d bit DSA", 311 BN_num_bits(pkey->pkey.dsa->p)); 312 } 313#endif 314 EVP_PKEY_free(pkey); 315 } 316 X509_free(cert); 317 } 318 /* The SSL API does not allow us to look at temporary RSA/DH keys, 319 * otherwise we should print their lengths too */ 320 BIO_printf(bio_stdout,"\n"); 321 } 322 323static void lock_dbg_cb(int mode, int type, const char *file, int line) 324 { 325 static int modes[CRYPTO_NUM_LOCKS]; /* = {0, 0, ... } */ 326 const char *errstr = NULL; 327 int rw; 328 329 rw = mode & (CRYPTO_READ|CRYPTO_WRITE); 330 if (!((rw == CRYPTO_READ) || (rw == CRYPTO_WRITE))) 331 { 332 errstr = "invalid mode"; 333 goto err; 334 } 335 336 if (type < 0 || type >= CRYPTO_NUM_LOCKS) 337 { 338 errstr = "type out of bounds"; 339 goto err; 340 } 341 342 if (mode & CRYPTO_LOCK) 343 { 344 if (modes[type]) 345 { 346 errstr = "already locked"; 347 /* must not happen in a single-threaded program 348 * (would deadlock) */ 349 goto err; 350 } 351 352 modes[type] = rw; 353 } 354 else if (mode & CRYPTO_UNLOCK) 355 { 356 if (!modes[type]) 357 { 358 errstr = "not locked"; 359 goto err; 360 } 361 362 if (modes[type] != rw) 363 { 364 errstr = (rw == CRYPTO_READ) ? 365 "CRYPTO_r_unlock on write lock" : 366 "CRYPTO_w_unlock on read lock"; 367 } 368 369 modes[type] = 0; 370 } 371 else 372 { 373 errstr = "invalid mode"; 374 goto err; 375 } 376 377 err: 378 if (errstr) 379 { 380 /* we cannot use bio_err here */ 381 fprintf(stderr, "openssl (lock_dbg_cb): %s (mode=%d, type=%d) at %s:%d\n", 382 errstr, mode, type, file, line); 383 } 384 } 385 386 387int main(int argc, char *argv[]) 388 { 389 char *CApath=NULL,*CAfile=NULL; 390 int badop=0; 391 int bio_pair=0; 392 int force=0; 393 int tls1=0,ssl2=0,ssl3=0,ret=1; 394 int client_auth=0; 395 int server_auth=0,i; 396 struct app_verify_arg app_verify_arg = 397 { APP_CALLBACK_STRING, 0, 0, NULL, NULL }; 398 char *server_cert=TEST_SERVER_CERT; 399 char *server_key=NULL; 400 char *client_cert=TEST_CLIENT_CERT; 401 char *client_key=NULL; 402#ifndef OPENSSL_NO_ECDH 403 char *named_curve = NULL; 404#endif 405 SSL_CTX *s_ctx=NULL; 406 SSL_CTX *c_ctx=NULL; 407 SSL_METHOD *meth=NULL; 408 SSL *c_ssl,*s_ssl; 409 int number=1,reuse=0; 410 long bytes=256L; 411#ifndef OPENSSL_NO_DH 412 DH *dh; 413 int dhe1024 = 0, dhe1024dsa = 0; 414#endif 415#ifndef OPENSSL_NO_ECDH 416 EC_KEY *ecdh = NULL; 417#endif 418 int no_dhe = 0; 419 int no_ecdhe = 0; 420 int print_time = 0; 421 clock_t s_time = 0, c_time = 0; 422 int comp = 0; 423#ifndef OPENSSL_NO_COMP 424 COMP_METHOD *cm = NULL; 425#endif 426 STACK_OF(SSL_COMP) *ssl_comp_methods = NULL; 427 int test_cipherlist = 0; 428 429 verbose = 0; 430 debug = 0; 431 cipher = 0; 432 433 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE); 434 435 CRYPTO_set_locking_callback(lock_dbg_cb); 436 437 /* enable memory leak checking unless explicitly disabled */ 438 if (!((getenv("OPENSSL_DEBUG_MEMORY") != NULL) && (0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off")))) 439 { 440 CRYPTO_malloc_debug_init(); 441 CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL); 442 } 443 else 444 { 445 /* OPENSSL_DEBUG_MEMORY=off */ 446 CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0); 447 } 448 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); 449 450 RAND_seed(rnd_seed, sizeof rnd_seed); 451 452 bio_stdout=BIO_new_fp(stdout,BIO_NOCLOSE); 453 454 argc--; 455 argv++; 456 457 while (argc >= 1) 458 { 459 if (strcmp(*argv,"-server_auth") == 0) 460 server_auth=1; 461 else if (strcmp(*argv,"-client_auth") == 0) 462 client_auth=1; 463 else if (strcmp(*argv,"-proxy_auth") == 0) 464 { 465 if (--argc < 1) goto bad; 466 app_verify_arg.proxy_auth= *(++argv); 467 } 468 else if (strcmp(*argv,"-proxy_cond") == 0) 469 { 470 if (--argc < 1) goto bad; 471 app_verify_arg.proxy_cond= *(++argv); 472 } 473 else if (strcmp(*argv,"-v") == 0) 474 verbose=1; 475 else if (strcmp(*argv,"-d") == 0) 476 debug=1; 477 else if (strcmp(*argv,"-reuse") == 0) 478 reuse=1; 479 else if (strcmp(*argv,"-dhe1024") == 0) 480 { 481#ifndef OPENSSL_NO_DH 482 dhe1024=1; 483#else 484 fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n"); 485#endif 486 } 487 else if (strcmp(*argv,"-dhe1024dsa") == 0) 488 { 489#ifndef OPENSSL_NO_DH 490 dhe1024dsa=1; 491#else 492 fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n"); 493#endif 494 } 495 else if (strcmp(*argv,"-no_dhe") == 0) 496 no_dhe=1; 497 else if (strcmp(*argv,"-no_ecdhe") == 0) 498 no_ecdhe=1; 499 else if (strcmp(*argv,"-ssl2") == 0) 500 ssl2=1; 501 else if (strcmp(*argv,"-tls1") == 0) 502 tls1=1; 503 else if (strcmp(*argv,"-ssl3") == 0) 504 ssl3=1; 505 else if (strncmp(*argv,"-num",4) == 0) 506 { 507 if (--argc < 1) goto bad; 508 number= atoi(*(++argv)); 509 if (number == 0) number=1; 510 } 511 else if (strcmp(*argv,"-bytes") == 0) 512 { 513 if (--argc < 1) goto bad; 514 bytes= atol(*(++argv)); 515 if (bytes == 0L) bytes=1L; 516 i=strlen(argv[0]); 517 if (argv[0][i-1] == 'k') bytes*=1024L; 518 if (argv[0][i-1] == 'm') bytes*=1024L*1024L; 519 } 520 else if (strcmp(*argv,"-cert") == 0) 521 { 522 if (--argc < 1) goto bad; 523 server_cert= *(++argv); 524 } 525 else if (strcmp(*argv,"-s_cert") == 0) 526 { 527 if (--argc < 1) goto bad; 528 server_cert= *(++argv); 529 } 530 else if (strcmp(*argv,"-key") == 0) 531 { 532 if (--argc < 1) goto bad; 533 server_key= *(++argv); 534 } 535 else if (strcmp(*argv,"-s_key") == 0) 536 { 537 if (--argc < 1) goto bad; 538 server_key= *(++argv); 539 } 540 else if (strcmp(*argv,"-c_cert") == 0) 541 { 542 if (--argc < 1) goto bad; 543 client_cert= *(++argv); 544 } 545 else if (strcmp(*argv,"-c_key") == 0) 546 { 547 if (--argc < 1) goto bad; 548 client_key= *(++argv); 549 } 550 else if (strcmp(*argv,"-cipher") == 0) 551 { 552 if (--argc < 1) goto bad; 553 cipher= *(++argv); 554 } 555 else if (strcmp(*argv,"-CApath") == 0) 556 { 557 if (--argc < 1) goto bad; 558 CApath= *(++argv); 559 } 560 else if (strcmp(*argv,"-CAfile") == 0) 561 { 562 if (--argc < 1) goto bad; 563 CAfile= *(++argv); 564 } 565 else if (strcmp(*argv,"-bio_pair") == 0) 566 { 567 bio_pair = 1; 568 } 569 else if (strcmp(*argv,"-f") == 0) 570 { 571 force = 1; 572 } 573 else if (strcmp(*argv,"-time") == 0) 574 { 575 print_time = 1; 576 } 577 else if (strcmp(*argv,"-zlib") == 0) 578 { 579 comp = COMP_ZLIB; 580 } 581 else if (strcmp(*argv,"-rle") == 0) 582 { 583 comp = COMP_RLE; 584 } 585 else if (strcmp(*argv,"-named_curve") == 0) 586 { 587 if (--argc < 1) goto bad; 588#ifndef OPENSSL_NO_ECDH 589 named_curve = *(++argv); 590#else 591 fprintf(stderr,"ignoring -named_curve, since I'm compiled without ECDH\n"); 592 ++argv; 593#endif 594 } 595 else if (strcmp(*argv,"-app_verify") == 0) 596 { 597 app_verify_arg.app_verify = 1; 598 } 599 else if (strcmp(*argv,"-proxy") == 0) 600 { 601 app_verify_arg.allow_proxy_certs = 1; 602 } 603 else if (strcmp(*argv,"-test_cipherlist") == 0) 604 { 605 test_cipherlist = 1; 606 } 607 else 608 { 609 fprintf(stderr,"unknown option %s\n",*argv); 610 badop=1; 611 break; 612 } 613 argc--; 614 argv++; 615 } 616 if (badop) 617 { 618bad: 619 sv_usage(); 620 goto end; 621 } 622 623 if (test_cipherlist == 1) 624 { 625 /* ensure that the cipher list are correctly sorted and exit */ 626 if (do_test_cipherlist() == 0) 627 EXIT(1); 628 ret = 0; 629 goto end; 630 } 631 632 if (!ssl2 && !ssl3 && !tls1 && number > 1 && !reuse && !force) 633 { 634 fprintf(stderr, "This case cannot work. Use -f to perform " 635 "the test anyway (and\n-d to see what happens), " 636 "or add one of -ssl2, -ssl3, -tls1, -reuse\n" 637 "to avoid protocol mismatch.\n"); 638 EXIT(1); 639 } 640 641 if (print_time) 642 { 643 if (!bio_pair) 644 { 645 fprintf(stderr, "Using BIO pair (-bio_pair)\n"); 646 bio_pair = 1; 647 } 648 if (number < 50 && !force) 649 fprintf(stderr, "Warning: For accurate timings, use more connections (e.g. -num 1000)\n"); 650 } 651 652/* if (cipher == NULL) cipher=getenv("SSL_CIPHER"); */ 653 654 SSL_library_init(); 655 SSL_load_error_strings(); 656 657#ifndef OPENSSL_NO_COMP 658 if (comp == COMP_ZLIB) cm = COMP_zlib(); 659 if (comp == COMP_RLE) cm = COMP_rle(); 660 if (cm != NULL) 661 { 662 if (cm->type != NID_undef) 663 { 664 if (SSL_COMP_add_compression_method(comp, cm) != 0) 665 { 666 fprintf(stderr, 667 "Failed to add compression method\n"); 668 ERR_print_errors_fp(stderr); 669 } 670 } 671 else 672 { 673 fprintf(stderr, 674 "Warning: %s compression not supported\n", 675 (comp == COMP_RLE ? "rle" : 676 (comp == COMP_ZLIB ? "zlib" : 677 "unknown"))); 678 ERR_print_errors_fp(stderr); 679 } 680 } 681 ssl_comp_methods = SSL_COMP_get_compression_methods(); 682 fprintf(stderr, "Available compression methods:\n"); 683 { 684 int j, n = sk_SSL_COMP_num(ssl_comp_methods); 685 if (n == 0) 686 fprintf(stderr, " NONE\n"); 687 else 688 for (j = 0; j < n; j++) 689 { 690 SSL_COMP *c = sk_SSL_COMP_value(ssl_comp_methods, j); 691 fprintf(stderr, " %d: %s\n", c->id, c->name); 692 } 693 } 694#endif 695 696#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3) 697 if (ssl2) 698 meth=SSLv2_method(); 699 else 700 if (tls1) 701 meth=TLSv1_method(); 702 else 703 if (ssl3) 704 meth=SSLv3_method(); 705 else 706 meth=SSLv23_method(); 707#else 708#ifdef OPENSSL_NO_SSL2 709 meth=SSLv3_method(); 710#else 711 meth=SSLv2_method(); 712#endif 713#endif 714 715 c_ctx=SSL_CTX_new(meth); 716 s_ctx=SSL_CTX_new(meth); 717 if ((c_ctx == NULL) || (s_ctx == NULL)) 718 { 719 ERR_print_errors(bio_err); 720 goto end; 721 } 722 723 if (cipher != NULL) 724 { 725 SSL_CTX_set_cipher_list(c_ctx,cipher); 726 SSL_CTX_set_cipher_list(s_ctx,cipher); 727 } 728 729#ifndef OPENSSL_NO_DH 730 if (!no_dhe) 731 { 732 if (dhe1024dsa) 733 { 734 /* use SSL_OP_SINGLE_DH_USE to avoid small subgroup attacks */ 735 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE); 736 dh=get_dh1024dsa(); 737 } 738 else if (dhe1024) 739 dh=get_dh1024(); 740 else 741 dh=get_dh512(); 742 SSL_CTX_set_tmp_dh(s_ctx,dh); 743 DH_free(dh); 744 } 745#else 746 (void)no_dhe; 747#endif 748 749#ifndef OPENSSL_NO_ECDH 750 if (!no_ecdhe) 751 { 752 int nid; 753 754 if (named_curve != NULL) 755 { 756 nid = OBJ_sn2nid(named_curve); 757 if (nid == 0) 758 { 759 BIO_printf(bio_err, "unknown curve name (%s)\n", named_curve); 760 goto end; 761 } 762 } 763 else 764 nid = NID_sect163r2; 765 766 ecdh = EC_KEY_new_by_curve_name(nid); 767 if (ecdh == NULL) 768 { 769 BIO_printf(bio_err, "unable to create curve\n"); 770 goto end; 771 } 772 773 SSL_CTX_set_tmp_ecdh(s_ctx, ecdh); 774 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_ECDH_USE); 775 EC_KEY_free(ecdh); 776 } 777#else 778 (void)no_ecdhe; 779#endif 780 781#ifndef OPENSSL_NO_RSA 782 SSL_CTX_set_tmp_rsa_callback(s_ctx,tmp_rsa_cb); 783#endif 784 785 if (!SSL_CTX_use_certificate_file(s_ctx,server_cert,SSL_FILETYPE_PEM)) 786 { 787 ERR_print_errors(bio_err); 788 } 789 else if (!SSL_CTX_use_PrivateKey_file(s_ctx, 790 (server_key?server_key:server_cert), SSL_FILETYPE_PEM)) 791 { 792 ERR_print_errors(bio_err); 793 goto end; 794 } 795 796 if (client_auth) 797 { 798 SSL_CTX_use_certificate_file(c_ctx,client_cert, 799 SSL_FILETYPE_PEM); 800 SSL_CTX_use_PrivateKey_file(c_ctx, 801 (client_key?client_key:client_cert), 802 SSL_FILETYPE_PEM); 803 } 804 805 if ( (!SSL_CTX_load_verify_locations(s_ctx,CAfile,CApath)) || 806 (!SSL_CTX_set_default_verify_paths(s_ctx)) || 807 (!SSL_CTX_load_verify_locations(c_ctx,CAfile,CApath)) || 808 (!SSL_CTX_set_default_verify_paths(c_ctx))) 809 { 810 /* fprintf(stderr,"SSL_load_verify_locations\n"); */ 811 ERR_print_errors(bio_err); 812 /* goto end; */ 813 } 814 815 if (client_auth) 816 { 817 BIO_printf(bio_err,"client authentication\n"); 818 SSL_CTX_set_verify(s_ctx, 819 SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 820 verify_callback); 821 SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, &app_verify_arg); 822 } 823 if (server_auth) 824 { 825 BIO_printf(bio_err,"server authentication\n"); 826 SSL_CTX_set_verify(c_ctx,SSL_VERIFY_PEER, 827 verify_callback); 828 SSL_CTX_set_cert_verify_callback(c_ctx, app_verify_callback, &app_verify_arg); 829 } 830 831 { 832 int session_id_context = 0; 833 SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context, sizeof session_id_context); 834 } 835 836 c_ssl=SSL_new(c_ctx); 837 s_ssl=SSL_new(s_ctx); 838 839#ifndef OPENSSL_NO_KRB5 840 if (c_ssl && c_ssl->kssl_ctx) 841 { 842 char localhost[MAXHOSTNAMELEN+2]; 843 844 if (gethostname(localhost, sizeof localhost-1) == 0) 845 { 846 localhost[sizeof localhost-1]='\0'; 847 if(strlen(localhost) == sizeof localhost-1) 848 { 849 BIO_printf(bio_err,"localhost name too long\n"); 850 goto end; 851 } 852 kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER, 853 localhost); 854 } 855 } 856#endif /* OPENSSL_NO_KRB5 */ 857 858 for (i=0; i<number; i++) 859 { 860 if (!reuse) SSL_set_session(c_ssl,NULL); 861 if (bio_pair) 862 ret=doit_biopair(s_ssl,c_ssl,bytes,&s_time,&c_time); 863 else 864 ret=doit(s_ssl,c_ssl,bytes); 865 } 866 867 if (!verbose) 868 { 869 print_details(c_ssl, ""); 870 } 871 if ((number > 1) || (bytes > 1L)) 872 BIO_printf(bio_stdout, "%d handshakes of %ld bytes done\n",number,bytes); 873 if (print_time) 874 { 875#ifdef CLOCKS_PER_SEC 876 /* "To determine the time in seconds, the value returned 877 * by the clock function should be divided by the value 878 * of the macro CLOCKS_PER_SEC." 879 * -- ISO/IEC 9899 */ 880 BIO_printf(bio_stdout, "Approximate total server time: %6.2f s\n" 881 "Approximate total client time: %6.2f s\n", 882 (double)s_time/CLOCKS_PER_SEC, 883 (double)c_time/CLOCKS_PER_SEC); 884#else 885 /* "`CLOCKS_PER_SEC' undeclared (first use this function)" 886 * -- cc on NeXTstep/OpenStep */ 887 BIO_printf(bio_stdout, 888 "Approximate total server time: %6.2f units\n" 889 "Approximate total client time: %6.2f units\n", 890 (double)s_time, 891 (double)c_time); 892#endif 893 } 894 895 SSL_free(s_ssl); 896 SSL_free(c_ssl); 897 898end: 899 if (s_ctx != NULL) SSL_CTX_free(s_ctx); 900 if (c_ctx != NULL) SSL_CTX_free(c_ctx); 901 902 if (bio_stdout != NULL) BIO_free(bio_stdout); 903 904#ifndef OPENSSL_NO_RSA 905 free_tmp_rsa(); 906#endif 907#ifndef OPENSSL_NO_ENGINE 908 ENGINE_cleanup(); 909#endif 910 CRYPTO_cleanup_all_ex_data(); 911 ERR_free_strings(); 912 ERR_remove_state(0); 913 EVP_cleanup(); 914 CRYPTO_mem_leaks(bio_err); 915 if (bio_err != NULL) BIO_free(bio_err); 916 EXIT(ret); 917 return ret; 918 } 919 920int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count, 921 clock_t *s_time, clock_t *c_time) 922 { 923 long cw_num = count, cr_num = count, sw_num = count, sr_num = count; 924 BIO *s_ssl_bio = NULL, *c_ssl_bio = NULL; 925 BIO *server = NULL, *server_io = NULL, *client = NULL, *client_io = NULL; 926 int ret = 1; 927 928 size_t bufsiz = 256; /* small buffer for testing */ 929 930 if (!BIO_new_bio_pair(&server, bufsiz, &server_io, bufsiz)) 931 goto err; 932 if (!BIO_new_bio_pair(&client, bufsiz, &client_io, bufsiz)) 933 goto err; 934 935 s_ssl_bio = BIO_new(BIO_f_ssl()); 936 if (!s_ssl_bio) 937 goto err; 938 939 c_ssl_bio = BIO_new(BIO_f_ssl()); 940 if (!c_ssl_bio) 941 goto err; 942 943 SSL_set_connect_state(c_ssl); 944 SSL_set_bio(c_ssl, client, client); 945 (void)BIO_set_ssl(c_ssl_bio, c_ssl, BIO_NOCLOSE); 946 947 SSL_set_accept_state(s_ssl); 948 SSL_set_bio(s_ssl, server, server); 949 (void)BIO_set_ssl(s_ssl_bio, s_ssl, BIO_NOCLOSE); 950 951 do 952 { 953 /* c_ssl_bio: SSL filter BIO 954 * 955 * client: pseudo-I/O for SSL library 956 * 957 * client_io: client's SSL communication; usually to be 958 * relayed over some I/O facility, but in this 959 * test program, we're the server, too: 960 * 961 * server_io: server's SSL communication 962 * 963 * server: pseudo-I/O for SSL library 964 * 965 * s_ssl_bio: SSL filter BIO 966 * 967 * The client and the server each employ a "BIO pair": 968 * client + client_io, server + server_io. 969 * BIO pairs are symmetric. A BIO pair behaves similar 970 * to a non-blocking socketpair (but both endpoints must 971 * be handled by the same thread). 972 * [Here we could connect client and server to the ends 973 * of a single BIO pair, but then this code would be less 974 * suitable as an example for BIO pairs in general.] 975 * 976 * Useful functions for querying the state of BIO pair endpoints: 977 * 978 * BIO_ctrl_pending(bio) number of bytes we can read now 979 * BIO_ctrl_get_read_request(bio) number of bytes needed to fulfil 980 * other side's read attempt 981 * BIO_ctrl_get_write_guarantee(bio) number of bytes we can write now 982 * 983 * ..._read_request is never more than ..._write_guarantee; 984 * it depends on the application which one you should use. 985 */ 986 987 /* We have non-blocking behaviour throughout this test program, but 988 * can be sure that there is *some* progress in each iteration; so 989 * we don't have to worry about ..._SHOULD_READ or ..._SHOULD_WRITE 990 * -- we just try everything in each iteration 991 */ 992 993 { 994 /* CLIENT */ 995 996 MS_STATIC char cbuf[1024*8]; 997 int i, r; 998 clock_t c_clock = clock(); 999 1000 memset(cbuf, 0, sizeof(cbuf)); 1001 1002 if (debug) 1003 if (SSL_in_init(c_ssl)) 1004 printf("client waiting in SSL_connect - %s\n", 1005 SSL_state_string_long(c_ssl)); 1006 1007 if (cw_num > 0) 1008 { 1009 /* Write to server. */ 1010 1011 if (cw_num > (long)sizeof cbuf) 1012 i = sizeof cbuf; 1013 else 1014 i = (int)cw_num; 1015 r = BIO_write(c_ssl_bio, cbuf, i); 1016 if (r < 0) 1017 { 1018 if (!BIO_should_retry(c_ssl_bio)) 1019 { 1020 fprintf(stderr,"ERROR in CLIENT\n"); 1021 goto err; 1022 } 1023 /* BIO_should_retry(...) can just be ignored here. 1024 * The library expects us to call BIO_write with 1025 * the same arguments again, and that's what we will 1026 * do in the next iteration. */ 1027 } 1028 else if (r == 0) 1029 { 1030 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n"); 1031 goto err; 1032 } 1033 else 1034 { 1035 if (debug) 1036 printf("client wrote %d\n", r); 1037 cw_num -= r; 1038 } 1039 } 1040 1041 if (cr_num > 0) 1042 { 1043 /* Read from server. */ 1044 1045 r = BIO_read(c_ssl_bio, cbuf, sizeof(cbuf)); 1046 if (r < 0) 1047 { 1048 if (!BIO_should_retry(c_ssl_bio)) 1049 { 1050 fprintf(stderr,"ERROR in CLIENT\n"); 1051 goto err; 1052 } 1053 /* Again, "BIO_should_retry" can be ignored. */ 1054 } 1055 else if (r == 0) 1056 { 1057 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n"); 1058 goto err; 1059 } 1060 else 1061 { 1062 if (debug) 1063 printf("client read %d\n", r); 1064 cr_num -= r; 1065 } 1066 } 1067 1068 /* c_time and s_time increments will typically be very small 1069 * (depending on machine speed and clock tick intervals), 1070 * but sampling over a large number of connections should 1071 * result in fairly accurate figures. We cannot guarantee 1072 * a lot, however -- if each connection lasts for exactly 1073 * one clock tick, it will be counted only for the client 1074 * or only for the server or even not at all. 1075 */ 1076 *c_time += (clock() - c_clock); 1077 } 1078 1079 { 1080 /* SERVER */ 1081 1082 MS_STATIC char sbuf[1024*8]; 1083 int i, r; 1084 clock_t s_clock = clock(); 1085 1086 memset(sbuf, 0, sizeof(sbuf)); 1087 1088 if (debug) 1089 if (SSL_in_init(s_ssl)) 1090 printf("server waiting in SSL_accept - %s\n", 1091 SSL_state_string_long(s_ssl)); 1092 1093 if (sw_num > 0) 1094 { 1095 /* Write to client. */ 1096 1097 if (sw_num > (long)sizeof sbuf) 1098 i = sizeof sbuf; 1099 else 1100 i = (int)sw_num; 1101 r = BIO_write(s_ssl_bio, sbuf, i); 1102 if (r < 0) 1103 { 1104 if (!BIO_should_retry(s_ssl_bio)) 1105 { 1106 fprintf(stderr,"ERROR in SERVER\n"); 1107 goto err; 1108 } 1109 /* Ignore "BIO_should_retry". */ 1110 } 1111 else if (r == 0) 1112 { 1113 fprintf(stderr,"SSL SERVER STARTUP FAILED\n"); 1114 goto err; 1115 } 1116 else 1117 { 1118 if (debug) 1119 printf("server wrote %d\n", r); 1120 sw_num -= r; 1121 } 1122 } 1123 1124 if (sr_num > 0) 1125 { 1126 /* Read from client. */ 1127 1128 r = BIO_read(s_ssl_bio, sbuf, sizeof(sbuf)); 1129 if (r < 0) 1130 { 1131 if (!BIO_should_retry(s_ssl_bio)) 1132 { 1133 fprintf(stderr,"ERROR in SERVER\n"); 1134 goto err; 1135 } 1136 /* blah, blah */ 1137 } 1138 else if (r == 0) 1139 { 1140 fprintf(stderr,"SSL SERVER STARTUP FAILED\n"); 1141 goto err; 1142 } 1143 else 1144 { 1145 if (debug) 1146 printf("server read %d\n", r); 1147 sr_num -= r; 1148 } 1149 } 1150 1151 *s_time += (clock() - s_clock); 1152 } 1153 1154 { 1155 /* "I/O" BETWEEN CLIENT AND SERVER. */ 1156 1157 size_t r1, r2; 1158 BIO *io1 = server_io, *io2 = client_io; 1159 /* we use the non-copying interface for io1 1160 * and the standard BIO_write/BIO_read interface for io2 1161 */ 1162 1163 static int prev_progress = 1; 1164 int progress = 0; 1165 1166 /* io1 to io2 */ 1167 do 1168 { 1169 size_t num; 1170 int r; 1171 1172 r1 = BIO_ctrl_pending(io1); 1173 r2 = BIO_ctrl_get_write_guarantee(io2); 1174 1175 num = r1; 1176 if (r2 < num) 1177 num = r2; 1178 if (num) 1179 { 1180 char *dataptr; 1181 1182 if (INT_MAX < num) /* yeah, right */ 1183 num = INT_MAX; 1184 1185 r = BIO_nread(io1, &dataptr, (int)num); 1186 assert(r > 0); 1187 assert(r <= (int)num); 1188 /* possibly r < num (non-contiguous data) */ 1189 num = r; 1190 r = BIO_write(io2, dataptr, (int)num); 1191 if (r != (int)num) /* can't happen */ 1192 { 1193 fprintf(stderr, "ERROR: BIO_write could not write " 1194 "BIO_ctrl_get_write_guarantee() bytes"); 1195 goto err; 1196 } 1197 progress = 1; 1198 1199 if (debug) 1200 printf((io1 == client_io) ? 1201 "C->S relaying: %d bytes\n" : 1202 "S->C relaying: %d bytes\n", 1203 (int)num); 1204 } 1205 } 1206 while (r1 && r2); 1207 1208 /* io2 to io1 */ 1209 { 1210 size_t num; 1211 int r; 1212 1213 r1 = BIO_ctrl_pending(io2); 1214 r2 = BIO_ctrl_get_read_request(io1); 1215 /* here we could use ..._get_write_guarantee instead of 1216 * ..._get_read_request, but by using the latter 1217 * we test restartability of the SSL implementation 1218 * more thoroughly */ 1219 num = r1; 1220 if (r2 < num) 1221 num = r2; 1222 if (num) 1223 { 1224 char *dataptr; 1225 1226 if (INT_MAX < num) 1227 num = INT_MAX; 1228 1229 if (num > 1) 1230 --num; /* test restartability even more thoroughly */ 1231 1232 r = BIO_nwrite0(io1, &dataptr); 1233 assert(r > 0); 1234 if (r < (int)num) 1235 num = r; 1236 r = BIO_read(io2, dataptr, (int)num); 1237 if (r != (int)num) /* can't happen */ 1238 { 1239 fprintf(stderr, "ERROR: BIO_read could not read " 1240 "BIO_ctrl_pending() bytes"); 1241 goto err; 1242 } 1243 progress = 1; 1244 r = BIO_nwrite(io1, &dataptr, (int)num); 1245 if (r != (int)num) /* can't happen */ 1246 { 1247 fprintf(stderr, "ERROR: BIO_nwrite() did not accept " 1248 "BIO_nwrite0() bytes"); 1249 goto err; 1250 } 1251 1252 if (debug) 1253 printf((io2 == client_io) ? 1254 "C->S relaying: %d bytes\n" : 1255 "S->C relaying: %d bytes\n", 1256 (int)num); 1257 } 1258 } /* no loop, BIO_ctrl_get_read_request now returns 0 anyway */ 1259 1260 if (!progress && !prev_progress) 1261 if (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0) 1262 { 1263 fprintf(stderr, "ERROR: got stuck\n"); 1264 if (strcmp("SSLv2", SSL_get_version(c_ssl)) == 0) 1265 { 1266 fprintf(stderr, "This can happen for SSL2 because " 1267 "CLIENT-FINISHED and SERVER-VERIFY are written \n" 1268 "concurrently ..."); 1269 if (strncmp("2SCF", SSL_state_string(c_ssl), 4) == 0 1270 && strncmp("2SSV", SSL_state_string(s_ssl), 4) == 0) 1271 { 1272 fprintf(stderr, " ok.\n"); 1273 goto end; 1274 } 1275 } 1276 fprintf(stderr, " ERROR.\n"); 1277 goto err; 1278 } 1279 prev_progress = progress; 1280 } 1281 } 1282 while (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0); 1283 1284 if (verbose) 1285 print_details(c_ssl, "DONE via BIO pair: "); 1286end: 1287 ret = 0; 1288 1289 err: 1290 ERR_print_errors(bio_err); 1291 1292 if (server) 1293 BIO_free(server); 1294 if (server_io) 1295 BIO_free(server_io); 1296 if (client) 1297 BIO_free(client); 1298 if (client_io) 1299 BIO_free(client_io); 1300 if (s_ssl_bio) 1301 BIO_free(s_ssl_bio); 1302 if (c_ssl_bio) 1303 BIO_free(c_ssl_bio); 1304 1305 return ret; 1306 } 1307 1308 1309#define W_READ 1 1310#define W_WRITE 2 1311#define C_DONE 1 1312#define S_DONE 2 1313 1314int doit(SSL *s_ssl, SSL *c_ssl, long count) 1315 { 1316 MS_STATIC char cbuf[1024*8],sbuf[1024*8]; 1317 long cw_num=count,cr_num=count; 1318 long sw_num=count,sr_num=count; 1319 int ret=1; 1320 BIO *c_to_s=NULL; 1321 BIO *s_to_c=NULL; 1322 BIO *c_bio=NULL; 1323 BIO *s_bio=NULL; 1324 int c_r,c_w,s_r,s_w; 1325 int c_want,s_want; 1326 int i,j; 1327 int done=0; 1328 int c_write,s_write; 1329 int do_server=0,do_client=0; 1330 1331 memset(cbuf,0,sizeof(cbuf)); 1332 memset(sbuf,0,sizeof(sbuf)); 1333 1334 c_to_s=BIO_new(BIO_s_mem()); 1335 s_to_c=BIO_new(BIO_s_mem()); 1336 if ((s_to_c == NULL) || (c_to_s == NULL)) 1337 { 1338 ERR_print_errors(bio_err); 1339 goto err; 1340 } 1341 1342 c_bio=BIO_new(BIO_f_ssl()); 1343 s_bio=BIO_new(BIO_f_ssl()); 1344 if ((c_bio == NULL) || (s_bio == NULL)) 1345 { 1346 ERR_print_errors(bio_err); 1347 goto err; 1348 } 1349 1350 SSL_set_connect_state(c_ssl); 1351 SSL_set_bio(c_ssl,s_to_c,c_to_s); 1352 BIO_set_ssl(c_bio,c_ssl,BIO_NOCLOSE); 1353 1354 SSL_set_accept_state(s_ssl); 1355 SSL_set_bio(s_ssl,c_to_s,s_to_c); 1356 BIO_set_ssl(s_bio,s_ssl,BIO_NOCLOSE); 1357 1358 c_r=0; s_r=1; 1359 c_w=1; s_w=0; 1360 c_want=W_WRITE; 1361 s_want=0; 1362 c_write=1,s_write=0; 1363 1364 /* We can always do writes */ 1365 for (;;) 1366 { 1367 do_server=0; 1368 do_client=0; 1369 1370 i=(int)BIO_pending(s_bio); 1371 if ((i && s_r) || s_w) do_server=1; 1372 1373 i=(int)BIO_pending(c_bio); 1374 if ((i && c_r) || c_w) do_client=1; 1375 1376 if (do_server && debug) 1377 { 1378 if (SSL_in_init(s_ssl)) 1379 printf("server waiting in SSL_accept - %s\n", 1380 SSL_state_string_long(s_ssl)); 1381/* else if (s_write) 1382 printf("server:SSL_write()\n"); 1383 else 1384 printf("server:SSL_read()\n"); */ 1385 } 1386 1387 if (do_client && debug) 1388 { 1389 if (SSL_in_init(c_ssl)) 1390 printf("client waiting in SSL_connect - %s\n", 1391 SSL_state_string_long(c_ssl)); 1392/* else if (c_write) 1393 printf("client:SSL_write()\n"); 1394 else 1395 printf("client:SSL_read()\n"); */ 1396 } 1397 1398 if (!do_client && !do_server) 1399 { 1400 fprintf(stdout,"ERROR IN STARTUP\n"); 1401 ERR_print_errors(bio_err); 1402 break; 1403 } 1404 if (do_client && !(done & C_DONE)) 1405 { 1406 if (c_write) 1407 { 1408 j = (cw_num > (long)sizeof(cbuf)) ? 1409 (int)sizeof(cbuf) : (int)cw_num; 1410 i=BIO_write(c_bio,cbuf,j); 1411 if (i < 0) 1412 { 1413 c_r=0; 1414 c_w=0; 1415 if (BIO_should_retry(c_bio)) 1416 { 1417 if (BIO_should_read(c_bio)) 1418 c_r=1; 1419 if (BIO_should_write(c_bio)) 1420 c_w=1; 1421 } 1422 else 1423 { 1424 fprintf(stderr,"ERROR in CLIENT\n"); 1425 ERR_print_errors(bio_err); 1426 goto err; 1427 } 1428 } 1429 else if (i == 0) 1430 { 1431 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n"); 1432 goto err; 1433 } 1434 else 1435 { 1436 if (debug) 1437 printf("client wrote %d\n",i); 1438 /* ok */ 1439 s_r=1; 1440 c_write=0; 1441 cw_num-=i; 1442 } 1443 } 1444 else 1445 { 1446 i=BIO_read(c_bio,cbuf,sizeof(cbuf)); 1447 if (i < 0) 1448 { 1449 c_r=0; 1450 c_w=0; 1451 if (BIO_should_retry(c_bio)) 1452 { 1453 if (BIO_should_read(c_bio)) 1454 c_r=1; 1455 if (BIO_should_write(c_bio)) 1456 c_w=1; 1457 } 1458 else 1459 { 1460 fprintf(stderr,"ERROR in CLIENT\n"); 1461 ERR_print_errors(bio_err); 1462 goto err; 1463 } 1464 } 1465 else if (i == 0) 1466 { 1467 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n"); 1468 goto err; 1469 } 1470 else 1471 { 1472 if (debug) 1473 printf("client read %d\n",i); 1474 cr_num-=i; 1475 if (sw_num > 0) 1476 { 1477 s_write=1; 1478 s_w=1; 1479 } 1480 if (cr_num <= 0) 1481 { 1482 s_write=1; 1483 s_w=1; 1484 done=S_DONE|C_DONE; 1485 } 1486 } 1487 } 1488 } 1489 1490 if (do_server && !(done & S_DONE)) 1491 { 1492 if (!s_write) 1493 { 1494 i=BIO_read(s_bio,sbuf,sizeof(cbuf)); 1495 if (i < 0) 1496 { 1497 s_r=0; 1498 s_w=0; 1499 if (BIO_should_retry(s_bio)) 1500 { 1501 if (BIO_should_read(s_bio)) 1502 s_r=1; 1503 if (BIO_should_write(s_bio)) 1504 s_w=1; 1505 } 1506 else 1507 { 1508 fprintf(stderr,"ERROR in SERVER\n"); 1509 ERR_print_errors(bio_err); 1510 goto err; 1511 } 1512 } 1513 else if (i == 0) 1514 { 1515 ERR_print_errors(bio_err); 1516 fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_read\n"); 1517 goto err; 1518 } 1519 else 1520 { 1521 if (debug) 1522 printf("server read %d\n",i); 1523 sr_num-=i; 1524 if (cw_num > 0) 1525 { 1526 c_write=1; 1527 c_w=1; 1528 } 1529 if (sr_num <= 0) 1530 { 1531 s_write=1; 1532 s_w=1; 1533 c_write=0; 1534 } 1535 } 1536 } 1537 else 1538 { 1539 j = (sw_num > (long)sizeof(sbuf)) ? 1540 (int)sizeof(sbuf) : (int)sw_num; 1541 i=BIO_write(s_bio,sbuf,j); 1542 if (i < 0) 1543 { 1544 s_r=0; 1545 s_w=0; 1546 if (BIO_should_retry(s_bio)) 1547 { 1548 if (BIO_should_read(s_bio)) 1549 s_r=1; 1550 if (BIO_should_write(s_bio)) 1551 s_w=1; 1552 } 1553 else 1554 { 1555 fprintf(stderr,"ERROR in SERVER\n"); 1556 ERR_print_errors(bio_err); 1557 goto err; 1558 } 1559 } 1560 else if (i == 0) 1561 { 1562 ERR_print_errors(bio_err); 1563 fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_write\n"); 1564 goto err; 1565 } 1566 else 1567 { 1568 if (debug) 1569 printf("server wrote %d\n",i); 1570 sw_num-=i; 1571 s_write=0; 1572 c_r=1; 1573 if (sw_num <= 0) 1574 done|=S_DONE; 1575 } 1576 } 1577 } 1578 1579 if ((done & S_DONE) && (done & C_DONE)) break; 1580 } 1581 1582 if (verbose) 1583 print_details(c_ssl, "DONE: "); 1584 ret=0; 1585err: 1586 /* We have to set the BIO's to NULL otherwise they will be 1587 * OPENSSL_free()ed twice. Once when th s_ssl is SSL_free()ed and 1588 * again when c_ssl is SSL_free()ed. 1589 * This is a hack required because s_ssl and c_ssl are sharing the same 1590 * BIO structure and SSL_set_bio() and SSL_free() automatically 1591 * BIO_free non NULL entries. 1592 * You should not normally do this or be required to do this */ 1593 if (s_ssl != NULL) 1594 { 1595 s_ssl->rbio=NULL; 1596 s_ssl->wbio=NULL; 1597 } 1598 if (c_ssl != NULL) 1599 { 1600 c_ssl->rbio=NULL; 1601 c_ssl->wbio=NULL; 1602 } 1603 1604 if (c_to_s != NULL) BIO_free(c_to_s); 1605 if (s_to_c != NULL) BIO_free(s_to_c); 1606 if (c_bio != NULL) BIO_free_all(c_bio); 1607 if (s_bio != NULL) BIO_free_all(s_bio); 1608 return(ret); 1609 } 1610 1611static int get_proxy_auth_ex_data_idx(void) 1612 { 1613 static volatile int idx = -1; 1614 if (idx < 0) 1615 { 1616 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); 1617 if (idx < 0) 1618 { 1619 idx = X509_STORE_CTX_get_ex_new_index(0, 1620 "SSLtest for verify callback", NULL,NULL,NULL); 1621 } 1622 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX); 1623 } 1624 return idx; 1625 } 1626 1627static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx) 1628 { 1629 char *s,buf[256]; 1630 1631 s=X509_NAME_oneline(X509_get_subject_name(ctx->current_cert),buf, 1632 sizeof buf); 1633 if (s != NULL) 1634 { 1635 if (ok) 1636 fprintf(stderr,"depth=%d %s\n", 1637 ctx->error_depth,buf); 1638 else 1639 { 1640 fprintf(stderr,"depth=%d error=%d %s\n", 1641 ctx->error_depth,ctx->error,buf); 1642 } 1643 } 1644 1645 if (ok == 0) 1646 { 1647 fprintf(stderr,"Error string: %s\n", 1648 X509_verify_cert_error_string(ctx->error)); 1649 switch (ctx->error) 1650 { 1651 case X509_V_ERR_CERT_NOT_YET_VALID: 1652 case X509_V_ERR_CERT_HAS_EXPIRED: 1653 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: 1654 fprintf(stderr," ... ignored.\n"); 1655 ok=1; 1656 } 1657 } 1658 1659 if (ok == 1) 1660 { 1661 X509 *xs = ctx->current_cert; 1662#if 0 1663 X509 *xi = ctx->current_issuer; 1664#endif 1665 1666 if (xs->ex_flags & EXFLAG_PROXY) 1667 { 1668 unsigned int *letters = 1669 X509_STORE_CTX_get_ex_data(ctx, 1670 get_proxy_auth_ex_data_idx()); 1671 1672 if (letters) 1673 { 1674 int found_any = 0; 1675 int i; 1676 PROXY_CERT_INFO_EXTENSION *pci = 1677 X509_get_ext_d2i(xs, NID_proxyCertInfo, 1678 NULL, NULL); 1679 1680 switch (OBJ_obj2nid(pci->proxyPolicy->policyLanguage)) 1681 { 1682 case NID_Independent: 1683 /* Completely meaningless in this 1684 program, as there's no way to 1685 grant explicit rights to a 1686 specific PrC. Basically, using 1687 id-ppl-Independent is the perfect 1688 way to grant no rights at all. */ 1689 fprintf(stderr, " Independent proxy certificate"); 1690 for (i = 0; i < 26; i++) 1691 letters[i] = 0; 1692 break; 1693 case NID_id_ppl_inheritAll: 1694 /* This is basically a NOP, we 1695 simply let the current rights 1696 stand as they are. */ 1697 fprintf(stderr, " Proxy certificate inherits all"); 1698 break; 1699 default: 1700 s = (char *) 1701 pci->proxyPolicy->policy->data; 1702 i = pci->proxyPolicy->policy->length; 1703 1704 /* The algorithm works as follows: 1705 it is assumed that previous 1706 iterations or the initial granted 1707 rights has already set some elements 1708 of `letters'. What we need to do is 1709 to clear those that weren't granted 1710 by the current PrC as well. The 1711 easiest way to do this is to add 1 1712 to all the elements whose letters 1713 are given with the current policy. 1714 That way, all elements that are set 1715 by the current policy and were 1716 already set by earlier policies and 1717 through the original grant of rights 1718 will get the value 2 or higher. 1719 The last thing to do is to sweep 1720 through `letters' and keep the 1721 elements having the value 2 as set, 1722 and clear all the others. */ 1723 1724 fprintf(stderr, " Certificate proxy rights = %*.*s", i, i, s); 1725 while(i-- > 0) 1726 { 1727 int c = *s++; 1728 if (isascii(c) && isalpha(c)) 1729 { 1730 if (islower(c)) 1731 c = toupper(c); 1732 letters[c - 'A']++; 1733 } 1734 } 1735 for (i = 0; i < 26; i++) 1736 if (letters[i] < 2) 1737 letters[i] = 0; 1738 else 1739 letters[i] = 1; 1740 } 1741 1742 found_any = 0; 1743 fprintf(stderr, 1744 ", resulting proxy rights = "); 1745 for(i = 0; i < 26; i++) 1746 if (letters[i]) 1747 { 1748 fprintf(stderr, "%c", i + 'A'); 1749 found_any = 1; 1750 } 1751 if (!found_any) 1752 fprintf(stderr, "none"); 1753 fprintf(stderr, "\n"); 1754 1755 PROXY_CERT_INFO_EXTENSION_free(pci); 1756 } 1757 } 1758 } 1759 1760 return(ok); 1761 } 1762 1763static void process_proxy_debug(int indent, const char *format, ...) 1764 { 1765 static const char indentation[] = 1766 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>" 1767 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"; /* That's 80 > */ 1768 char my_format[256]; 1769 va_list args; 1770 1771 BIO_snprintf(my_format, sizeof(my_format), "%*.*s %s", 1772 indent, indent, indentation, format); 1773 1774 va_start(args, format); 1775 vfprintf(stderr, my_format, args); 1776 va_end(args); 1777 } 1778/* Priority levels: 1779 0 [!]var, () 1780 1 & ^ 1781 2 | 1782*/ 1783static int process_proxy_cond_adders(unsigned int letters[26], 1784 const char *cond, const char **cond_end, int *pos, int indent); 1785static int process_proxy_cond_val(unsigned int letters[26], 1786 const char *cond, const char **cond_end, int *pos, int indent) 1787 { 1788 int c; 1789 int ok = 1; 1790 int negate = 0; 1791 1792 while(isspace((int)*cond)) 1793 { 1794 cond++; (*pos)++; 1795 } 1796 c = *cond; 1797 1798 if (debug) 1799 process_proxy_debug(indent, 1800 "Start process_proxy_cond_val at position %d: %s\n", 1801 *pos, cond); 1802 1803 while(c == '!') 1804 { 1805 negate = !negate; 1806 cond++; (*pos)++; 1807 while(isspace((int)*cond)) 1808 { 1809 cond++; (*pos)++; 1810 } 1811 c = *cond; 1812 } 1813 1814 if (c == '(') 1815 { 1816 cond++; (*pos)++; 1817 ok = process_proxy_cond_adders(letters, cond, cond_end, pos, 1818 indent + 1); 1819 cond = *cond_end; 1820 if (ok < 0) 1821 goto end; 1822 while(isspace((int)*cond)) 1823 { 1824 cond++; (*pos)++; 1825 } 1826 c = *cond; 1827 if (c != ')') 1828 { 1829 fprintf(stderr, 1830 "Weird condition character in position %d: " 1831 "%c\n", *pos, c); 1832 ok = -1; 1833 goto end; 1834 } 1835 cond++; (*pos)++; 1836 } 1837 else if (isascii(c) && isalpha(c)) 1838 { 1839 if (islower(c)) 1840 c = toupper(c); 1841 ok = letters[c - 'A']; 1842 cond++; (*pos)++; 1843 } 1844 else 1845 { 1846 fprintf(stderr, 1847 "Weird condition character in position %d: " 1848 "%c\n", *pos, c); 1849 ok = -1; 1850 goto end; 1851 } 1852 end: 1853 *cond_end = cond; 1854 if (ok >= 0 && negate) 1855 ok = !ok; 1856 1857 if (debug) 1858 process_proxy_debug(indent, 1859 "End process_proxy_cond_val at position %d: %s, returning %d\n", 1860 *pos, cond, ok); 1861 1862 return ok; 1863 } 1864static int process_proxy_cond_multipliers(unsigned int letters[26], 1865 const char *cond, const char **cond_end, int *pos, int indent) 1866 { 1867 int ok; 1868 char c; 1869 1870 if (debug) 1871 process_proxy_debug(indent, 1872 "Start process_proxy_cond_multipliers at position %d: %s\n", 1873 *pos, cond); 1874 1875 ok = process_proxy_cond_val(letters, cond, cond_end, pos, indent + 1); 1876 cond = *cond_end; 1877 if (ok < 0) 1878 goto end; 1879 1880 while(ok >= 0) 1881 { 1882 while(isspace((int)*cond)) 1883 { 1884 cond++; (*pos)++; 1885 } 1886 c = *cond; 1887 1888 switch(c) 1889 { 1890 case '&': 1891 case '^': 1892 { 1893 int save_ok = ok; 1894 1895 cond++; (*pos)++; 1896 ok = process_proxy_cond_val(letters, 1897 cond, cond_end, pos, indent + 1); 1898 cond = *cond_end; 1899 if (ok < 0) 1900 break; 1901 1902 switch(c) 1903 { 1904 case '&': 1905 ok &= save_ok; 1906 break; 1907 case '^': 1908 ok ^= save_ok; 1909 break; 1910 default: 1911 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!" 1912 " STOPPING\n"); 1913 EXIT(1); 1914 } 1915 } 1916 break; 1917 default: 1918 goto end; 1919 } 1920 } 1921 end: 1922 if (debug) 1923 process_proxy_debug(indent, 1924 "End process_proxy_cond_multipliers at position %d: %s, returning %d\n", 1925 *pos, cond, ok); 1926 1927 *cond_end = cond; 1928 return ok; 1929 } 1930static int process_proxy_cond_adders(unsigned int letters[26], 1931 const char *cond, const char **cond_end, int *pos, int indent) 1932 { 1933 int ok; 1934 char c; 1935 1936 if (debug) 1937 process_proxy_debug(indent, 1938 "Start process_proxy_cond_adders at position %d: %s\n", 1939 *pos, cond); 1940 1941 ok = process_proxy_cond_multipliers(letters, cond, cond_end, pos, 1942 indent + 1); 1943 cond = *cond_end; 1944 if (ok < 0) 1945 goto end; 1946 1947 while(ok >= 0) 1948 { 1949 while(isspace((int)*cond)) 1950 { 1951 cond++; (*pos)++; 1952 } 1953 c = *cond; 1954 1955 switch(c) 1956 { 1957 case '|': 1958 { 1959 int save_ok = ok; 1960 1961 cond++; (*pos)++; 1962 ok = process_proxy_cond_multipliers(letters, 1963 cond, cond_end, pos, indent + 1); 1964 cond = *cond_end; 1965 if (ok < 0) 1966 break; 1967 1968 switch(c) 1969 { 1970 case '|': 1971 ok |= save_ok; 1972 break; 1973 default: 1974 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!" 1975 " STOPPING\n"); 1976 EXIT(1); 1977 } 1978 } 1979 break; 1980 default: 1981 goto end; 1982 } 1983 } 1984 end: 1985 if (debug) 1986 process_proxy_debug(indent, 1987 "End process_proxy_cond_adders at position %d: %s, returning %d\n", 1988 *pos, cond, ok); 1989 1990 *cond_end = cond; 1991 return ok; 1992 } 1993 1994static int process_proxy_cond(unsigned int letters[26], 1995 const char *cond, const char **cond_end) 1996 { 1997 int pos = 1; 1998 return process_proxy_cond_adders(letters, cond, cond_end, &pos, 1); 1999 } 2000 2001static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg) 2002 { 2003 int ok=1; 2004 struct app_verify_arg *cb_arg = arg; 2005 unsigned int letters[26]; /* only used with proxy_auth */ 2006 2007 if (cb_arg->app_verify) 2008 { 2009 char *s = NULL,buf[256]; 2010 2011 fprintf(stderr, "In app_verify_callback, allowing cert. "); 2012 fprintf(stderr, "Arg is: %s\n", cb_arg->string); 2013 fprintf(stderr, "Finished printing do we have a context? 0x%p a cert? 0x%p\n", 2014 (void *)ctx, (void *)ctx->cert); 2015 if (ctx->cert) 2016 s=X509_NAME_oneline(X509_get_subject_name(ctx->cert),buf,256); 2017 if (s != NULL) 2018 { 2019 fprintf(stderr,"cert depth=%d %s\n",ctx->error_depth,buf); 2020 } 2021 return(1); 2022 } 2023 if (cb_arg->proxy_auth) 2024 { 2025 int found_any = 0, i; 2026 char *sp; 2027 2028 for(i = 0; i < 26; i++) 2029 letters[i] = 0; 2030 for(sp = cb_arg->proxy_auth; *sp; sp++) 2031 { 2032 int c = *sp; 2033 if (isascii(c) && isalpha(c)) 2034 { 2035 if (islower(c)) 2036 c = toupper(c); 2037 letters[c - 'A'] = 1; 2038 } 2039 } 2040 2041 fprintf(stderr, 2042 " Initial proxy rights = "); 2043 for(i = 0; i < 26; i++) 2044 if (letters[i]) 2045 { 2046 fprintf(stderr, "%c", i + 'A'); 2047 found_any = 1; 2048 } 2049 if (!found_any) 2050 fprintf(stderr, "none"); 2051 fprintf(stderr, "\n"); 2052 2053 X509_STORE_CTX_set_ex_data(ctx, 2054 get_proxy_auth_ex_data_idx(),letters); 2055 } 2056 if (cb_arg->allow_proxy_certs) 2057 { 2058 X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS); 2059 } 2060 2061#ifndef OPENSSL_NO_X509_VERIFY 2062# ifdef OPENSSL_FIPS 2063 if(s->version == TLS1_VERSION) 2064 FIPS_allow_md5(1); 2065# endif 2066 ok = X509_verify_cert(ctx); 2067# ifdef OPENSSL_FIPS 2068 if(s->version == TLS1_VERSION) 2069 FIPS_allow_md5(0); 2070# endif 2071#endif 2072 2073 if (cb_arg->proxy_auth) 2074 { 2075 if (ok) 2076 { 2077 const char *cond_end = NULL; 2078 2079 ok = process_proxy_cond(letters, 2080 cb_arg->proxy_cond, &cond_end); 2081 2082 if (ok < 0) 2083 EXIT(3); 2084 if (*cond_end) 2085 { 2086 fprintf(stderr, "Stopped processing condition before it's end.\n"); 2087 ok = 0; 2088 } 2089 if (!ok) 2090 fprintf(stderr, "Proxy rights check with condition '%s' proved invalid\n", 2091 cb_arg->proxy_cond); 2092 else 2093 fprintf(stderr, "Proxy rights check with condition '%s' proved valid\n", 2094 cb_arg->proxy_cond); 2095 } 2096 } 2097 return(ok); 2098 } 2099 2100#ifndef OPENSSL_NO_RSA 2101static RSA *rsa_tmp=NULL; 2102 2103static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength) 2104 { 2105 BIGNUM *bn = NULL; 2106 if (rsa_tmp == NULL) 2107 { 2108 bn = BN_new(); 2109 rsa_tmp = RSA_new(); 2110 if(!bn || !rsa_tmp || !BN_set_word(bn, RSA_F4)) 2111 { 2112 BIO_printf(bio_err, "Memory error..."); 2113 goto end; 2114 } 2115 BIO_printf(bio_err,"Generating temp (%d bit) RSA key...",keylength); 2116 (void)BIO_flush(bio_err); 2117 if(!RSA_generate_key_ex(rsa_tmp,keylength,bn,NULL)) 2118 { 2119 BIO_printf(bio_err, "Error generating key."); 2120 RSA_free(rsa_tmp); 2121 rsa_tmp = NULL; 2122 } 2123end: 2124 BIO_printf(bio_err,"\n"); 2125 (void)BIO_flush(bio_err); 2126 } 2127 if(bn) BN_free(bn); 2128 return(rsa_tmp); 2129 } 2130 2131static void free_tmp_rsa(void) 2132 { 2133 if (rsa_tmp != NULL) 2134 { 2135 RSA_free(rsa_tmp); 2136 rsa_tmp = NULL; 2137 } 2138 } 2139#endif 2140 2141#ifndef OPENSSL_NO_DH 2142/* These DH parameters have been generated as follows: 2143 * $ openssl dhparam -C -noout 512 2144 * $ openssl dhparam -C -noout 1024 2145 * $ openssl dhparam -C -noout -dsaparam 1024 2146 * (The third function has been renamed to avoid name conflicts.) 2147 */ 2148static DH *get_dh512() 2149 { 2150 static unsigned char dh512_p[]={ 2151 0xCB,0xC8,0xE1,0x86,0xD0,0x1F,0x94,0x17,0xA6,0x99,0xF0,0xC6, 2152 0x1F,0x0D,0xAC,0xB6,0x25,0x3E,0x06,0x39,0xCA,0x72,0x04,0xB0, 2153 0x6E,0xDA,0xC0,0x61,0xE6,0x7A,0x77,0x25,0xE8,0x3B,0xB9,0x5F, 2154 0x9A,0xB6,0xB5,0xFE,0x99,0x0B,0xA1,0x93,0x4E,0x35,0x33,0xB8, 2155 0xE1,0xF1,0x13,0x4F,0x59,0x1A,0xD2,0x57,0xC0,0x26,0x21,0x33, 2156 0x02,0xC5,0xAE,0x23, 2157 }; 2158 static unsigned char dh512_g[]={ 2159 0x02, 2160 }; 2161 DH *dh; 2162 2163 if ((dh=DH_new()) == NULL) return(NULL); 2164 dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL); 2165 dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL); 2166 if ((dh->p == NULL) || (dh->g == NULL)) 2167 { DH_free(dh); return(NULL); } 2168 return(dh); 2169 } 2170 2171static DH *get_dh1024() 2172 { 2173 static unsigned char dh1024_p[]={ 2174 0xF8,0x81,0x89,0x7D,0x14,0x24,0xC5,0xD1,0xE6,0xF7,0xBF,0x3A, 2175 0xE4,0x90,0xF4,0xFC,0x73,0xFB,0x34,0xB5,0xFA,0x4C,0x56,0xA2, 2176 0xEA,0xA7,0xE9,0xC0,0xC0,0xCE,0x89,0xE1,0xFA,0x63,0x3F,0xB0, 2177 0x6B,0x32,0x66,0xF1,0xD1,0x7B,0xB0,0x00,0x8F,0xCA,0x87,0xC2, 2178 0xAE,0x98,0x89,0x26,0x17,0xC2,0x05,0xD2,0xEC,0x08,0xD0,0x8C, 2179 0xFF,0x17,0x52,0x8C,0xC5,0x07,0x93,0x03,0xB1,0xF6,0x2F,0xB8, 2180 0x1C,0x52,0x47,0x27,0x1B,0xDB,0xD1,0x8D,0x9D,0x69,0x1D,0x52, 2181 0x4B,0x32,0x81,0xAA,0x7F,0x00,0xC8,0xDC,0xE6,0xD9,0xCC,0xC1, 2182 0x11,0x2D,0x37,0x34,0x6C,0xEA,0x02,0x97,0x4B,0x0E,0xBB,0xB1, 2183 0x71,0x33,0x09,0x15,0xFD,0xDD,0x23,0x87,0x07,0x5E,0x89,0xAB, 2184 0x6B,0x7C,0x5F,0xEC,0xA6,0x24,0xDC,0x53, 2185 }; 2186 static unsigned char dh1024_g[]={ 2187 0x02, 2188 }; 2189 DH *dh; 2190 2191 if ((dh=DH_new()) == NULL) return(NULL); 2192 dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL); 2193 dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL); 2194 if ((dh->p == NULL) || (dh->g == NULL)) 2195 { DH_free(dh); return(NULL); } 2196 return(dh); 2197 } 2198 2199static DH *get_dh1024dsa() 2200 { 2201 static unsigned char dh1024_p[]={ 2202 0xC8,0x00,0xF7,0x08,0x07,0x89,0x4D,0x90,0x53,0xF3,0xD5,0x00, 2203 0x21,0x1B,0xF7,0x31,0xA6,0xA2,0xDA,0x23,0x9A,0xC7,0x87,0x19, 2204 0x3B,0x47,0xB6,0x8C,0x04,0x6F,0xFF,0xC6,0x9B,0xB8,0x65,0xD2, 2205 0xC2,0x5F,0x31,0x83,0x4A,0xA7,0x5F,0x2F,0x88,0x38,0xB6,0x55, 2206 0xCF,0xD9,0x87,0x6D,0x6F,0x9F,0xDA,0xAC,0xA6,0x48,0xAF,0xFC, 2207 0x33,0x84,0x37,0x5B,0x82,0x4A,0x31,0x5D,0xE7,0xBD,0x52,0x97, 2208 0xA1,0x77,0xBF,0x10,0x9E,0x37,0xEA,0x64,0xFA,0xCA,0x28,0x8D, 2209 0x9D,0x3B,0xD2,0x6E,0x09,0x5C,0x68,0xC7,0x45,0x90,0xFD,0xBB, 2210 0x70,0xC9,0x3A,0xBB,0xDF,0xD4,0x21,0x0F,0xC4,0x6A,0x3C,0xF6, 2211 0x61,0xCF,0x3F,0xD6,0x13,0xF1,0x5F,0xBC,0xCF,0xBC,0x26,0x9E, 2212 0xBC,0x0B,0xBD,0xAB,0x5D,0xC9,0x54,0x39, 2213 }; 2214 static unsigned char dh1024_g[]={ 2215 0x3B,0x40,0x86,0xE7,0xF3,0x6C,0xDE,0x67,0x1C,0xCC,0x80,0x05, 2216 0x5A,0xDF,0xFE,0xBD,0x20,0x27,0x74,0x6C,0x24,0xC9,0x03,0xF3, 2217 0xE1,0x8D,0xC3,0x7D,0x98,0x27,0x40,0x08,0xB8,0x8C,0x6A,0xE9, 2218 0xBB,0x1A,0x3A,0xD6,0x86,0x83,0x5E,0x72,0x41,0xCE,0x85,0x3C, 2219 0xD2,0xB3,0xFC,0x13,0xCE,0x37,0x81,0x9E,0x4C,0x1C,0x7B,0x65, 2220 0xD3,0xE6,0xA6,0x00,0xF5,0x5A,0x95,0x43,0x5E,0x81,0xCF,0x60, 2221 0xA2,0x23,0xFC,0x36,0xA7,0x5D,0x7A,0x4C,0x06,0x91,0x6E,0xF6, 2222 0x57,0xEE,0x36,0xCB,0x06,0xEA,0xF5,0x3D,0x95,0x49,0xCB,0xA7, 2223 0xDD,0x81,0xDF,0x80,0x09,0x4A,0x97,0x4D,0xA8,0x22,0x72,0xA1, 2224 0x7F,0xC4,0x70,0x56,0x70,0xE8,0x20,0x10,0x18,0x8F,0x2E,0x60, 2225 0x07,0xE7,0x68,0x1A,0x82,0x5D,0x32,0xA2, 2226 }; 2227 DH *dh; 2228 2229 if ((dh=DH_new()) == NULL) return(NULL); 2230 dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL); 2231 dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL); 2232 if ((dh->p == NULL) || (dh->g == NULL)) 2233 { DH_free(dh); return(NULL); } 2234 dh->length = 160; 2235 return(dh); 2236 } 2237#endif 2238 2239static int do_test_cipherlist(void) 2240 { 2241 int i = 0; 2242 const SSL_METHOD *meth; 2243 SSL_CIPHER *ci, *tci = NULL; 2244 2245#ifndef OPENSSL_NO_SSL2 2246 fprintf(stderr, "testing SSLv2 cipher list order: "); 2247 meth = SSLv2_method(); 2248 while ((ci = meth->get_cipher(i++)) != NULL) 2249 { 2250 if (tci != NULL) 2251 if (ci->id >= tci->id) 2252 { 2253 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id); 2254 return 0; 2255 } 2256 tci = ci; 2257 } 2258 fprintf(stderr, "ok\n"); 2259#endif 2260#ifndef OPENSSL_NO_SSL3 2261 fprintf(stderr, "testing SSLv3 cipher list order: "); 2262 meth = SSLv3_method(); 2263 tci = NULL; 2264 while ((ci = meth->get_cipher(i++)) != NULL) 2265 { 2266 if (tci != NULL) 2267 if (ci->id >= tci->id) 2268 { 2269 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id); 2270 return 0; 2271 } 2272 tci = ci; 2273 } 2274 fprintf(stderr, "ok\n"); 2275#endif 2276#ifndef OPENSSL_NO_TLS1 2277 fprintf(stderr, "testing TLSv1 cipher list order: "); 2278 meth = TLSv1_method(); 2279 tci = NULL; 2280 while ((ci = meth->get_cipher(i++)) != NULL) 2281 { 2282 if (tci != NULL) 2283 if (ci->id >= tci->id) 2284 { 2285 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id); 2286 return 0; 2287 } 2288 tci = ci; 2289 } 2290 fprintf(stderr, "ok\n"); 2291#endif 2292 2293 return 1; 2294 } 2295