1/* ssl/ssltest.c */ 2/* Copyright (C) 1995-1998 Eric Young (eay@cryptsoft.com) 3 * All rights reserved. 4 * 5 * This package is an SSL implementation written 6 * by Eric Young (eay@cryptsoft.com). 7 * The implementation was written so as to conform with Netscapes SSL. 8 * 9 * This library is free for commercial and non-commercial use as long as 10 * the following conditions are aheared to. The following conditions 11 * apply to all code found in this distribution, be it the RC4, RSA, 12 * lhash, DES, etc., code; not just the SSL code. The SSL documentation 13 * included with this distribution is covered by the same copyright terms 14 * except that the holder is Tim Hudson (tjh@cryptsoft.com). 15 * 16 * Copyright remains Eric Young's, and as such any Copyright notices in 17 * the code are not to be removed. 18 * If this package is used in a product, Eric Young should be given attribution 19 * as the author of the parts of the library used. 20 * This can be in the form of a textual message at program startup or 21 * in documentation (online or textual) provided with the package. 22 * 23 * Redistribution and use in source and binary forms, with or without 24 * modification, are permitted provided that the following conditions 25 * are met: 26 * 1. Redistributions of source code must retain the copyright 27 * notice, this list of conditions and the following disclaimer. 28 * 2. Redistributions in binary form must reproduce the above copyright 29 * notice, this list of conditions and the following disclaimer in the 30 * documentation and/or other materials provided with the distribution. 31 * 3. All advertising materials mentioning features or use of this software 32 * must display the following acknowledgement: 33 * "This product includes cryptographic software written by 34 * Eric Young (eay@cryptsoft.com)" 35 * The word 'cryptographic' can be left out if the rouines from the library 36 * being used are not cryptographic related :-). 37 * 4. If you include any Windows specific code (or a derivative thereof) from 38 * the apps directory (application code) you must include an acknowledgement: 39 * "This product includes software written by Tim Hudson (tjh@cryptsoft.com)" 40 * 41 * THIS SOFTWARE IS PROVIDED BY ERIC YOUNG ``AS IS'' AND 42 * ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 43 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE 44 * ARE DISCLAIMED. IN NO EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE 45 * FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR CONSEQUENTIAL 46 * DAMAGES (INCLUDING, BUT NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS 47 * OR SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 48 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, STRICT 49 * LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY 50 * OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF 51 * SUCH DAMAGE. 52 * 53 * The licence and distribution terms for any publically available version or 54 * derivative of this code cannot be changed. i.e. this code cannot simply be 55 * copied and put under another distribution licence 56 * [including the GNU Public Licence.] 57 */ 58/* ==================================================================== 59 * Copyright (c) 1998-2000 The OpenSSL Project. All rights reserved. 60 * 61 * Redistribution and use in source and binary forms, with or without 62 * modification, are permitted provided that the following conditions 63 * are met: 64 * 65 * 1. Redistributions of source code must retain the above copyright 66 * notice, this list of conditions and the following disclaimer. 67 * 68 * 2. Redistributions in binary form must reproduce the above copyright 69 * notice, this list of conditions and the following disclaimer in 70 * the documentation and/or other materials provided with the 71 * distribution. 72 * 73 * 3. All advertising materials mentioning features or use of this 74 * software must display the following acknowledgment: 75 * "This product includes software developed by the OpenSSL Project 76 * for use in the OpenSSL Toolkit. (http://www.openssl.org/)" 77 * 78 * 4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not be used to 79 * endorse or promote products derived from this software without 80 * prior written permission. For written permission, please contact 81 * openssl-core@openssl.org. 82 * 83 * 5. Products derived from this software may not be called "OpenSSL" 84 * nor may "OpenSSL" appear in their names without prior written 85 * permission of the OpenSSL Project. 86 * 87 * 6. Redistributions of any form whatsoever must retain the following 88 * acknowledgment: 89 * "This product includes software developed by the OpenSSL Project 90 * for use in the OpenSSL Toolkit (http://www.openssl.org/)" 91 * 92 * THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT ``AS IS'' AND ANY 93 * EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE 94 * IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR 95 * PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL THE OpenSSL PROJECT OR 96 * ITS CONTRIBUTORS BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, 97 * SPECIAL, EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT 98 * NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; 99 * LOSS OF USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) 100 * HOWEVER CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN CONTRACT, 101 * STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE OR OTHERWISE) 102 * ARISING IN ANY WAY OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED 103 * OF THE POSSIBILITY OF SUCH DAMAGE. 104 * ==================================================================== 105 * 106 * This product includes cryptographic software written by Eric Young 107 * (eay@cryptsoft.com). This product includes software written by Tim 108 * Hudson (tjh@cryptsoft.com). 109 * 110 */ 111/* ==================================================================== 112 * Copyright 2002 Sun Microsystems, Inc. ALL RIGHTS RESERVED. 113 * ECC cipher suite support in OpenSSL originally developed by 114 * SUN MICROSYSTEMS, INC., and contributed to the OpenSSL project. 115 */ 116 117#define _BSD_SOURCE 1 /* Or gethostname won't be declared properly 118 on Linux and GNU platforms. */ 119 120#include <assert.h> 121#include <errno.h> 122#include <limits.h> 123#include <stdio.h> 124#include <stdlib.h> 125#include <string.h> 126#include <time.h> 127 128#define USE_SOCKETS 129#include "e_os.h" 130 131#define _XOPEN_SOURCE 500 /* Or isascii won't be declared properly on 132 VMS (at least with DECompHP C). */ 133#include <ctype.h> 134 135#include <openssl/bio.h> 136#include <openssl/crypto.h> 137#include <openssl/evp.h> 138#include <openssl/x509.h> 139#include <openssl/x509v3.h> 140#include <openssl/ssl.h> 141#ifndef OPENSSL_NO_ENGINE 142#include <openssl/engine.h> 143#endif 144#include <openssl/err.h> 145#include <openssl/rand.h> 146#ifndef OPENSSL_NO_RSA 147#include <openssl/rsa.h> 148#endif 149#ifndef OPENSSL_NO_DSA 150#include <openssl/dsa.h> 151#endif 152#ifndef OPENSSL_NO_DH 153#include <openssl/dh.h> 154#endif 155#include <openssl/bn.h> 156 157#define _XOPEN_SOURCE_EXTENDED 1 /* Or gethostname won't be declared properly 158 on Compaq platforms (at least with DEC C). 159 Do not try to put it earlier, or IPv6 includes 160 get screwed... 161 */ 162 163#ifdef OPENSSL_SYS_WINDOWS 164#include <winsock.h> 165#else 166#include OPENSSL_UNISTD 167#endif 168 169#ifdef OPENSSL_SYS_VMS 170# define TEST_SERVER_CERT "SYS$DISK:[-.APPS]SERVER.PEM" 171# define TEST_CLIENT_CERT "SYS$DISK:[-.APPS]CLIENT.PEM" 172#elif defined(OPENSSL_SYS_WINCE) 173# define TEST_SERVER_CERT "\\OpenSSL\\server.pem" 174# define TEST_CLIENT_CERT "\\OpenSSL\\client.pem" 175#elif defined(OPENSSL_SYS_NETWARE) 176# define TEST_SERVER_CERT "\\openssl\\apps\\server.pem" 177# define TEST_CLIENT_CERT "\\openssl\\apps\\client.pem" 178#else 179# define TEST_SERVER_CERT "../apps/server.pem" 180# define TEST_CLIENT_CERT "../apps/client.pem" 181#endif 182 183/* There is really no standard for this, so let's assign some tentative 184 numbers. In any case, these numbers are only for this test */ 185#define COMP_RLE 255 186#define COMP_ZLIB 1 187 188static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx); 189#ifndef OPENSSL_NO_RSA 190static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export,int keylength); 191static void free_tmp_rsa(void); 192#endif 193static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg); 194#define APP_CALLBACK_STRING "Test Callback Argument" 195struct app_verify_arg 196 { 197 char *string; 198 int app_verify; 199 int allow_proxy_certs; 200 char *proxy_auth; 201 char *proxy_cond; 202 }; 203 204#ifndef OPENSSL_NO_DH 205static DH *get_dh512(void); 206static DH *get_dh1024(void); 207static DH *get_dh1024dsa(void); 208#endif 209 210static BIO *bio_err=NULL; 211static BIO *bio_stdout=NULL; 212 213static char *cipher=NULL; 214static int verbose=0; 215static int debug=0; 216#if 0 217/* Not used yet. */ 218#ifdef FIONBIO 219static int s_nbio=0; 220#endif 221#endif 222 223static const char rnd_seed[] = "string to make the random number generator think it has entropy"; 224 225int doit_biopair(SSL *s_ssl,SSL *c_ssl,long bytes,clock_t *s_time,clock_t *c_time); 226int doit(SSL *s_ssl,SSL *c_ssl,long bytes); 227static int do_test_cipherlist(void); 228static void sv_usage(void) 229 { 230 fprintf(stderr,"usage: ssltest [args ...]\n"); 231 fprintf(stderr,"\n"); 232#ifdef OPENSSL_FIPS 233 fprintf(stderr,"-F - run test in FIPS mode\n"); 234#endif 235 fprintf(stderr," -server_auth - check server certificate\n"); 236 fprintf(stderr," -client_auth - do client authentication\n"); 237 fprintf(stderr," -proxy - allow proxy certificates\n"); 238 fprintf(stderr," -proxy_auth <val> - set proxy policy rights\n"); 239 fprintf(stderr," -proxy_cond <val> - experssion to test proxy policy rights\n"); 240 fprintf(stderr," -v - more output\n"); 241 fprintf(stderr," -d - debug output\n"); 242 fprintf(stderr," -reuse - use session-id reuse\n"); 243 fprintf(stderr," -num <val> - number of connections to perform\n"); 244 fprintf(stderr," -bytes <val> - number of bytes to swap between client/server\n"); 245#ifndef OPENSSL_NO_DH 246 fprintf(stderr," -dhe1024 - use 1024 bit key (safe prime) for DHE\n"); 247 fprintf(stderr," -dhe1024dsa - use 1024 bit key (with 160-bit subprime) for DHE\n"); 248 fprintf(stderr," -no_dhe - disable DHE\n"); 249#endif 250#ifndef OPENSSL_NO_ECDH 251 fprintf(stderr," -no_ecdhe - disable ECDHE\n"); 252#endif 253#ifndef OPENSSL_NO_SSL2 254 fprintf(stderr," -ssl2 - use SSLv2\n"); 255#endif 256#ifndef OPENSSL_NO_SSL3 257 fprintf(stderr," -ssl3 - use SSLv3\n"); 258#endif 259#ifndef OPENSSL_NO_TLS1 260 fprintf(stderr," -tls1 - use TLSv1\n"); 261#endif 262 fprintf(stderr," -CApath arg - PEM format directory of CA's\n"); 263 fprintf(stderr," -CAfile arg - PEM format file of CA's\n"); 264 fprintf(stderr," -cert arg - Server certificate file\n"); 265 fprintf(stderr," -key arg - Server key file (default: same as -cert)\n"); 266 fprintf(stderr," -c_cert arg - Client certificate file\n"); 267 fprintf(stderr," -c_key arg - Client key file (default: same as -c_cert)\n"); 268 fprintf(stderr," -cipher arg - The cipher list\n"); 269 fprintf(stderr," -bio_pair - Use BIO pairs\n"); 270 fprintf(stderr," -f - Test even cases that can't work\n"); 271 fprintf(stderr," -time - measure processor time used by client and server\n"); 272 fprintf(stderr," -zlib - use zlib compression\n"); 273 fprintf(stderr," -rle - use rle compression\n"); 274#ifndef OPENSSL_NO_ECDH 275 fprintf(stderr," -named_curve arg - Elliptic curve name to use for ephemeral ECDH keys.\n" \ 276 " Use \"openssl ecparam -list_curves\" for all names\n" \ 277 " (default is sect163r2).\n"); 278#endif 279 fprintf(stderr," -test_cipherlist - verifies the order of the ssl cipher lists\n"); 280 } 281 282static void print_details(SSL *c_ssl, const char *prefix) 283 { 284 SSL_CIPHER *ciph; 285 X509 *cert; 286 287 ciph=SSL_get_current_cipher(c_ssl); 288 BIO_printf(bio_stdout,"%s%s, cipher %s %s", 289 prefix, 290 SSL_get_version(c_ssl), 291 SSL_CIPHER_get_version(ciph), 292 SSL_CIPHER_get_name(ciph)); 293 cert=SSL_get_peer_certificate(c_ssl); 294 if (cert != NULL) 295 { 296 EVP_PKEY *pkey = X509_get_pubkey(cert); 297 if (pkey != NULL) 298 { 299 if (0) 300 ; 301#ifndef OPENSSL_NO_RSA 302 else if (pkey->type == EVP_PKEY_RSA && pkey->pkey.rsa != NULL 303 && pkey->pkey.rsa->n != NULL) 304 { 305 BIO_printf(bio_stdout, ", %d bit RSA", 306 BN_num_bits(pkey->pkey.rsa->n)); 307 } 308#endif 309#ifndef OPENSSL_NO_DSA 310 else if (pkey->type == EVP_PKEY_DSA && pkey->pkey.dsa != NULL 311 && pkey->pkey.dsa->p != NULL) 312 { 313 BIO_printf(bio_stdout, ", %d bit DSA", 314 BN_num_bits(pkey->pkey.dsa->p)); 315 } 316#endif 317 EVP_PKEY_free(pkey); 318 } 319 X509_free(cert); 320 } 321 /* The SSL API does not allow us to look at temporary RSA/DH keys, 322 * otherwise we should print their lengths too */ 323 BIO_printf(bio_stdout,"\n"); 324 } 325 326static void lock_dbg_cb(int mode, int type, const char *file, int line) 327 { 328 static int modes[CRYPTO_NUM_LOCKS]; /* = {0, 0, ... } */ 329 const char *errstr = NULL; 330 int rw; 331 332 rw = mode & (CRYPTO_READ|CRYPTO_WRITE); 333 if (!((rw == CRYPTO_READ) || (rw == CRYPTO_WRITE))) 334 { 335 errstr = "invalid mode"; 336 goto err; 337 } 338 339 if (type < 0 || type >= CRYPTO_NUM_LOCKS) 340 { 341 errstr = "type out of bounds"; 342 goto err; 343 } 344 345 if (mode & CRYPTO_LOCK) 346 { 347 if (modes[type]) 348 { 349 errstr = "already locked"; 350 /* must not happen in a single-threaded program 351 * (would deadlock) */ 352 goto err; 353 } 354 355 modes[type] = rw; 356 } 357 else if (mode & CRYPTO_UNLOCK) 358 { 359 if (!modes[type]) 360 { 361 errstr = "not locked"; 362 goto err; 363 } 364 365 if (modes[type] != rw) 366 { 367 errstr = (rw == CRYPTO_READ) ? 368 "CRYPTO_r_unlock on write lock" : 369 "CRYPTO_w_unlock on read lock"; 370 } 371 372 modes[type] = 0; 373 } 374 else 375 { 376 errstr = "invalid mode"; 377 goto err; 378 } 379 380 err: 381 if (errstr) 382 { 383 /* we cannot use bio_err here */ 384 fprintf(stderr, "openssl (lock_dbg_cb): %s (mode=%d, type=%d) at %s:%d\n", 385 errstr, mode, type, file, line); 386 } 387 } 388 389 390int main(int argc, char *argv[]) 391 { 392 char *CApath=NULL,*CAfile=NULL; 393 int badop=0; 394 int bio_pair=0; 395 int force=0; 396 int tls1=0,ssl2=0,ssl3=0,ret=1; 397 int client_auth=0; 398 int server_auth=0,i; 399 struct app_verify_arg app_verify_arg = 400 { APP_CALLBACK_STRING, 0, 0, NULL, NULL }; 401 char *server_cert=TEST_SERVER_CERT; 402 char *server_key=NULL; 403 char *client_cert=TEST_CLIENT_CERT; 404 char *client_key=NULL; 405#ifndef OPENSSL_NO_ECDH 406 char *named_curve = NULL; 407#endif 408 SSL_CTX *s_ctx=NULL; 409 SSL_CTX *c_ctx=NULL; 410 SSL_METHOD *meth=NULL; 411 SSL *c_ssl,*s_ssl; 412 int number=1,reuse=0; 413 long bytes=256L; 414#ifndef OPENSSL_NO_DH 415 DH *dh; 416 int dhe1024 = 1, dhe1024dsa = 0; 417#endif 418#ifndef OPENSSL_NO_ECDH 419 EC_KEY *ecdh = NULL; 420#endif 421 int no_dhe = 0; 422 int no_ecdhe = 0; 423 int print_time = 0; 424 clock_t s_time = 0, c_time = 0; 425 int comp = 0; 426#ifndef OPENSSL_NO_COMP 427 COMP_METHOD *cm = NULL; 428#endif 429 STACK_OF(SSL_COMP) *ssl_comp_methods = NULL; 430 int test_cipherlist = 0; 431#ifdef OPENSSL_FIPS 432 int fips_mode=0; 433#endif 434 435 verbose = 0; 436 debug = 0; 437 cipher = 0; 438 439 bio_err=BIO_new_fp(stderr,BIO_NOCLOSE); 440 441 CRYPTO_set_locking_callback(lock_dbg_cb); 442 443 /* enable memory leak checking unless explicitly disabled */ 444 if (!((getenv("OPENSSL_DEBUG_MEMORY") != NULL) && (0 == strcmp(getenv("OPENSSL_DEBUG_MEMORY"), "off")))) 445 { 446 CRYPTO_malloc_debug_init(); 447 CRYPTO_set_mem_debug_options(V_CRYPTO_MDEBUG_ALL); 448 } 449 else 450 { 451 /* OPENSSL_DEBUG_MEMORY=off */ 452 CRYPTO_set_mem_debug_functions(0, 0, 0, 0, 0); 453 } 454 CRYPTO_mem_ctrl(CRYPTO_MEM_CHECK_ON); 455 456 RAND_seed(rnd_seed, sizeof rnd_seed); 457 458 bio_stdout=BIO_new_fp(stdout,BIO_NOCLOSE); 459 460 argc--; 461 argv++; 462 463 while (argc >= 1) 464 { 465 if(!strcmp(*argv,"-F")) 466 { 467#ifdef OPENSSL_FIPS 468 fips_mode=1; 469#else 470 fprintf(stderr,"not compiled with FIPS support, so exitting without running.\n"); 471 EXIT(0); 472#endif 473 } 474 else if (strcmp(*argv,"-server_auth") == 0) 475 server_auth=1; 476 else if (strcmp(*argv,"-client_auth") == 0) 477 client_auth=1; 478 else if (strcmp(*argv,"-proxy_auth") == 0) 479 { 480 if (--argc < 1) goto bad; 481 app_verify_arg.proxy_auth= *(++argv); 482 } 483 else if (strcmp(*argv,"-proxy_cond") == 0) 484 { 485 if (--argc < 1) goto bad; 486 app_verify_arg.proxy_cond= *(++argv); 487 } 488 else if (strcmp(*argv,"-v") == 0) 489 verbose=1; 490 else if (strcmp(*argv,"-d") == 0) 491 debug=1; 492 else if (strcmp(*argv,"-reuse") == 0) 493 reuse=1; 494 else if (strcmp(*argv,"-dhe1024") == 0) 495 { 496#ifndef OPENSSL_NO_DH 497 dhe1024=1; 498#else 499 fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n"); 500#endif 501 } 502 else if (strcmp(*argv,"-dhe1024dsa") == 0) 503 { 504#ifndef OPENSSL_NO_DH 505 dhe1024dsa=1; 506#else 507 fprintf(stderr,"ignoring -dhe1024, since I'm compiled without DH\n"); 508#endif 509 } 510 else if (strcmp(*argv,"-no_dhe") == 0) 511 no_dhe=1; 512 else if (strcmp(*argv,"-no_ecdhe") == 0) 513 no_ecdhe=1; 514 else if (strcmp(*argv,"-ssl2") == 0) 515 ssl2=1; 516 else if (strcmp(*argv,"-tls1") == 0) 517 tls1=1; 518 else if (strcmp(*argv,"-ssl3") == 0) 519 ssl3=1; 520 else if (strncmp(*argv,"-num",4) == 0) 521 { 522 if (--argc < 1) goto bad; 523 number= atoi(*(++argv)); 524 if (number == 0) number=1; 525 } 526 else if (strcmp(*argv,"-bytes") == 0) 527 { 528 if (--argc < 1) goto bad; 529 bytes= atol(*(++argv)); 530 if (bytes == 0L) bytes=1L; 531 i=strlen(argv[0]); 532 if (argv[0][i-1] == 'k') bytes*=1024L; 533 if (argv[0][i-1] == 'm') bytes*=1024L*1024L; 534 } 535 else if (strcmp(*argv,"-cert") == 0) 536 { 537 if (--argc < 1) goto bad; 538 server_cert= *(++argv); 539 } 540 else if (strcmp(*argv,"-s_cert") == 0) 541 { 542 if (--argc < 1) goto bad; 543 server_cert= *(++argv); 544 } 545 else if (strcmp(*argv,"-key") == 0) 546 { 547 if (--argc < 1) goto bad; 548 server_key= *(++argv); 549 } 550 else if (strcmp(*argv,"-s_key") == 0) 551 { 552 if (--argc < 1) goto bad; 553 server_key= *(++argv); 554 } 555 else if (strcmp(*argv,"-c_cert") == 0) 556 { 557 if (--argc < 1) goto bad; 558 client_cert= *(++argv); 559 } 560 else if (strcmp(*argv,"-c_key") == 0) 561 { 562 if (--argc < 1) goto bad; 563 client_key= *(++argv); 564 } 565 else if (strcmp(*argv,"-cipher") == 0) 566 { 567 if (--argc < 1) goto bad; 568 cipher= *(++argv); 569 } 570 else if (strcmp(*argv,"-CApath") == 0) 571 { 572 if (--argc < 1) goto bad; 573 CApath= *(++argv); 574 } 575 else if (strcmp(*argv,"-CAfile") == 0) 576 { 577 if (--argc < 1) goto bad; 578 CAfile= *(++argv); 579 } 580 else if (strcmp(*argv,"-bio_pair") == 0) 581 { 582 bio_pair = 1; 583 } 584 else if (strcmp(*argv,"-f") == 0) 585 { 586 force = 1; 587 } 588 else if (strcmp(*argv,"-time") == 0) 589 { 590 print_time = 1; 591 } 592 else if (strcmp(*argv,"-zlib") == 0) 593 { 594 comp = COMP_ZLIB; 595 } 596 else if (strcmp(*argv,"-rle") == 0) 597 { 598 comp = COMP_RLE; 599 } 600 else if (strcmp(*argv,"-named_curve") == 0) 601 { 602 if (--argc < 1) goto bad; 603#ifndef OPENSSL_NO_ECDH 604 named_curve = *(++argv); 605#else 606 fprintf(stderr,"ignoring -named_curve, since I'm compiled without ECDH\n"); 607 ++argv; 608#endif 609 } 610 else if (strcmp(*argv,"-app_verify") == 0) 611 { 612 app_verify_arg.app_verify = 1; 613 } 614 else if (strcmp(*argv,"-proxy") == 0) 615 { 616 app_verify_arg.allow_proxy_certs = 1; 617 } 618 else if (strcmp(*argv,"-test_cipherlist") == 0) 619 { 620 test_cipherlist = 1; 621 } 622 else 623 { 624 fprintf(stderr,"unknown option %s\n",*argv); 625 badop=1; 626 break; 627 } 628 argc--; 629 argv++; 630 } 631 if (badop) 632 { 633bad: 634 sv_usage(); 635 goto end; 636 } 637 638 if (test_cipherlist == 1) 639 { 640 /* ensure that the cipher list are correctly sorted and exit */ 641 if (do_test_cipherlist() == 0) 642 EXIT(1); 643 ret = 0; 644 goto end; 645 } 646 647 if (!ssl2 && !ssl3 && !tls1 && number > 1 && !reuse && !force) 648 { 649 fprintf(stderr, "This case cannot work. Use -f to perform " 650 "the test anyway (and\n-d to see what happens), " 651 "or add one of -ssl2, -ssl3, -tls1, -reuse\n" 652 "to avoid protocol mismatch.\n"); 653 EXIT(1); 654 } 655 656#ifdef OPENSSL_FIPS 657 if(fips_mode) 658 { 659 if(!FIPS_mode_set(1)) 660 { 661 ERR_load_crypto_strings(); 662 ERR_print_errors(BIO_new_fp(stderr,BIO_NOCLOSE)); 663 EXIT(1); 664 } 665 else 666 fprintf(stderr,"*** IN FIPS MODE ***\n"); 667 } 668#endif 669 670 if (print_time) 671 { 672 if (!bio_pair) 673 { 674 fprintf(stderr, "Using BIO pair (-bio_pair)\n"); 675 bio_pair = 1; 676 } 677 if (number < 50 && !force) 678 fprintf(stderr, "Warning: For accurate timings, use more connections (e.g. -num 1000)\n"); 679 } 680 681/* if (cipher == NULL) cipher=getenv("SSL_CIPHER"); */ 682 683 SSL_library_init(); 684 SSL_load_error_strings(); 685 686#ifndef OPENSSL_NO_COMP 687 if (comp == COMP_ZLIB) cm = COMP_zlib(); 688 if (comp == COMP_RLE) cm = COMP_rle(); 689 if (cm != NULL) 690 { 691 if (cm->type != NID_undef) 692 { 693 if (SSL_COMP_add_compression_method(comp, cm) != 0) 694 { 695 fprintf(stderr, 696 "Failed to add compression method\n"); 697 ERR_print_errors_fp(stderr); 698 } 699 } 700 else 701 { 702 fprintf(stderr, 703 "Warning: %s compression not supported\n", 704 (comp == COMP_RLE ? "rle" : 705 (comp == COMP_ZLIB ? "zlib" : 706 "unknown"))); 707 ERR_print_errors_fp(stderr); 708 } 709 } 710 ssl_comp_methods = SSL_COMP_get_compression_methods(); 711 fprintf(stderr, "Available compression methods:\n"); 712 { 713 int j, n = sk_SSL_COMP_num(ssl_comp_methods); 714 if (n == 0) 715 fprintf(stderr, " NONE\n"); 716 else 717 for (j = 0; j < n; j++) 718 { 719 SSL_COMP *c = sk_SSL_COMP_value(ssl_comp_methods, j); 720 fprintf(stderr, " %d: %s\n", c->id, c->name); 721 } 722 } 723#endif 724 725#if !defined(OPENSSL_NO_SSL2) && !defined(OPENSSL_NO_SSL3) 726 if (ssl2) 727 meth=SSLv2_method(); 728 else 729 if (tls1) 730 meth=TLSv1_method(); 731 else 732 if (ssl3) 733 meth=SSLv3_method(); 734 else 735 meth=SSLv23_method(); 736#else 737#ifdef OPENSSL_NO_SSL2 738 if (tls1) 739 meth=TLSv1_method(); 740 else 741 if (ssl3) 742 meth=SSLv3_method(); 743 else 744 meth=SSLv23_method(); 745#else 746 meth=SSLv2_method(); 747#endif 748#endif 749 750 c_ctx=SSL_CTX_new(meth); 751 s_ctx=SSL_CTX_new(meth); 752 if ((c_ctx == NULL) || (s_ctx == NULL)) 753 { 754 ERR_print_errors(bio_err); 755 goto end; 756 } 757 758 if (cipher != NULL) 759 { 760 SSL_CTX_set_cipher_list(c_ctx,cipher); 761 SSL_CTX_set_cipher_list(s_ctx,cipher); 762 } 763 764#ifndef OPENSSL_NO_DH 765 if (!no_dhe) 766 { 767 if (dhe1024dsa) 768 { 769 /* use SSL_OP_SINGLE_DH_USE to avoid small subgroup attacks */ 770 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_DH_USE); 771 dh=get_dh1024dsa(); 772 } 773 else if (dhe1024) 774 dh=get_dh1024(); 775 else 776 dh=get_dh512(); 777 SSL_CTX_set_tmp_dh(s_ctx,dh); 778 DH_free(dh); 779 } 780#else 781 (void)no_dhe; 782#endif 783 784#ifndef OPENSSL_NO_ECDH 785 if (!no_ecdhe) 786 { 787 int nid; 788 789 if (named_curve != NULL) 790 { 791 nid = OBJ_sn2nid(named_curve); 792 if (nid == 0) 793 { 794 BIO_printf(bio_err, "unknown curve name (%s)\n", named_curve); 795 goto end; 796 } 797 } 798 else 799 nid = NID_sect163r2; 800 801 ecdh = EC_KEY_new_by_curve_name(nid); 802 if (ecdh == NULL) 803 { 804 BIO_printf(bio_err, "unable to create curve\n"); 805 goto end; 806 } 807 808 SSL_CTX_set_tmp_ecdh(s_ctx, ecdh); 809 SSL_CTX_set_options(s_ctx, SSL_OP_SINGLE_ECDH_USE); 810 EC_KEY_free(ecdh); 811 } 812#else 813 (void)no_ecdhe; 814#endif 815 816#ifndef OPENSSL_NO_RSA 817 SSL_CTX_set_tmp_rsa_callback(s_ctx,tmp_rsa_cb); 818#endif 819 820 if (!SSL_CTX_use_certificate_file(s_ctx,server_cert,SSL_FILETYPE_PEM)) 821 { 822 ERR_print_errors(bio_err); 823 } 824 else if (!SSL_CTX_use_PrivateKey_file(s_ctx, 825 (server_key?server_key:server_cert), SSL_FILETYPE_PEM)) 826 { 827 ERR_print_errors(bio_err); 828 goto end; 829 } 830 831 if (client_auth) 832 { 833 SSL_CTX_use_certificate_file(c_ctx,client_cert, 834 SSL_FILETYPE_PEM); 835 SSL_CTX_use_PrivateKey_file(c_ctx, 836 (client_key?client_key:client_cert), 837 SSL_FILETYPE_PEM); 838 } 839 840 if ( (!SSL_CTX_load_verify_locations(s_ctx,CAfile,CApath)) || 841 (!SSL_CTX_set_default_verify_paths(s_ctx)) || 842 (!SSL_CTX_load_verify_locations(c_ctx,CAfile,CApath)) || 843 (!SSL_CTX_set_default_verify_paths(c_ctx))) 844 { 845 /* fprintf(stderr,"SSL_load_verify_locations\n"); */ 846 ERR_print_errors(bio_err); 847 /* goto end; */ 848 } 849 850 if (client_auth) 851 { 852 BIO_printf(bio_err,"client authentication\n"); 853 SSL_CTX_set_verify(s_ctx, 854 SSL_VERIFY_PEER|SSL_VERIFY_FAIL_IF_NO_PEER_CERT, 855 verify_callback); 856 SSL_CTX_set_cert_verify_callback(s_ctx, app_verify_callback, &app_verify_arg); 857 } 858 if (server_auth) 859 { 860 BIO_printf(bio_err,"server authentication\n"); 861 SSL_CTX_set_verify(c_ctx,SSL_VERIFY_PEER, 862 verify_callback); 863 SSL_CTX_set_cert_verify_callback(c_ctx, app_verify_callback, &app_verify_arg); 864 } 865 866 { 867 int session_id_context = 0; 868 SSL_CTX_set_session_id_context(s_ctx, (void *)&session_id_context, sizeof session_id_context); 869 } 870 871 c_ssl=SSL_new(c_ctx); 872 s_ssl=SSL_new(s_ctx); 873 874#ifndef OPENSSL_NO_KRB5 875 if (c_ssl && c_ssl->kssl_ctx) 876 { 877 char localhost[MAXHOSTNAMELEN+2]; 878 879 if (gethostname(localhost, sizeof localhost-1) == 0) 880 { 881 localhost[sizeof localhost-1]='\0'; 882 if(strlen(localhost) == sizeof localhost-1) 883 { 884 BIO_printf(bio_err,"localhost name too long\n"); 885 goto end; 886 } 887 kssl_ctx_setstring(c_ssl->kssl_ctx, KSSL_SERVER, 888 localhost); 889 } 890 } 891#endif /* OPENSSL_NO_KRB5 */ 892 893 for (i=0; i<number; i++) 894 { 895 if (!reuse) SSL_set_session(c_ssl,NULL); 896 if (bio_pair) 897 ret=doit_biopair(s_ssl,c_ssl,bytes,&s_time,&c_time); 898 else 899 ret=doit(s_ssl,c_ssl,bytes); 900 } 901 902 if (!verbose) 903 { 904 print_details(c_ssl, ""); 905 } 906 if ((number > 1) || (bytes > 1L)) 907 BIO_printf(bio_stdout, "%d handshakes of %ld bytes done\n",number,bytes); 908 if (print_time) 909 { 910#ifdef CLOCKS_PER_SEC 911 /* "To determine the time in seconds, the value returned 912 * by the clock function should be divided by the value 913 * of the macro CLOCKS_PER_SEC." 914 * -- ISO/IEC 9899 */ 915 BIO_printf(bio_stdout, "Approximate total server time: %6.2f s\n" 916 "Approximate total client time: %6.2f s\n", 917 (double)s_time/CLOCKS_PER_SEC, 918 (double)c_time/CLOCKS_PER_SEC); 919#else 920 /* "`CLOCKS_PER_SEC' undeclared (first use this function)" 921 * -- cc on NeXTstep/OpenStep */ 922 BIO_printf(bio_stdout, 923 "Approximate total server time: %6.2f units\n" 924 "Approximate total client time: %6.2f units\n", 925 (double)s_time, 926 (double)c_time); 927#endif 928 } 929 930 SSL_free(s_ssl); 931 SSL_free(c_ssl); 932 933end: 934 if (s_ctx != NULL) SSL_CTX_free(s_ctx); 935 if (c_ctx != NULL) SSL_CTX_free(c_ctx); 936 937 if (bio_stdout != NULL) BIO_free(bio_stdout); 938 939#ifndef OPENSSL_NO_RSA 940 free_tmp_rsa(); 941#endif 942#ifndef OPENSSL_NO_ENGINE 943 ENGINE_cleanup(); 944#endif 945 CRYPTO_cleanup_all_ex_data(); 946 ERR_free_strings(); 947 ERR_remove_state(0); 948 EVP_cleanup(); 949 CRYPTO_mem_leaks(bio_err); 950 if (bio_err != NULL) BIO_free(bio_err); 951 EXIT(ret); 952 return ret; 953 } 954 955int doit_biopair(SSL *s_ssl, SSL *c_ssl, long count, 956 clock_t *s_time, clock_t *c_time) 957 { 958 long cw_num = count, cr_num = count, sw_num = count, sr_num = count; 959 BIO *s_ssl_bio = NULL, *c_ssl_bio = NULL; 960 BIO *server = NULL, *server_io = NULL, *client = NULL, *client_io = NULL; 961 int ret = 1; 962 963 size_t bufsiz = 256; /* small buffer for testing */ 964 965 if (!BIO_new_bio_pair(&server, bufsiz, &server_io, bufsiz)) 966 goto err; 967 if (!BIO_new_bio_pair(&client, bufsiz, &client_io, bufsiz)) 968 goto err; 969 970 s_ssl_bio = BIO_new(BIO_f_ssl()); 971 if (!s_ssl_bio) 972 goto err; 973 974 c_ssl_bio = BIO_new(BIO_f_ssl()); 975 if (!c_ssl_bio) 976 goto err; 977 978 SSL_set_connect_state(c_ssl); 979 SSL_set_bio(c_ssl, client, client); 980 (void)BIO_set_ssl(c_ssl_bio, c_ssl, BIO_NOCLOSE); 981 982 SSL_set_accept_state(s_ssl); 983 SSL_set_bio(s_ssl, server, server); 984 (void)BIO_set_ssl(s_ssl_bio, s_ssl, BIO_NOCLOSE); 985 986 do 987 { 988 /* c_ssl_bio: SSL filter BIO 989 * 990 * client: pseudo-I/O for SSL library 991 * 992 * client_io: client's SSL communication; usually to be 993 * relayed over some I/O facility, but in this 994 * test program, we're the server, too: 995 * 996 * server_io: server's SSL communication 997 * 998 * server: pseudo-I/O for SSL library 999 * 1000 * s_ssl_bio: SSL filter BIO 1001 * 1002 * The client and the server each employ a "BIO pair": 1003 * client + client_io, server + server_io. 1004 * BIO pairs are symmetric. A BIO pair behaves similar 1005 * to a non-blocking socketpair (but both endpoints must 1006 * be handled by the same thread). 1007 * [Here we could connect client and server to the ends 1008 * of a single BIO pair, but then this code would be less 1009 * suitable as an example for BIO pairs in general.] 1010 * 1011 * Useful functions for querying the state of BIO pair endpoints: 1012 * 1013 * BIO_ctrl_pending(bio) number of bytes we can read now 1014 * BIO_ctrl_get_read_request(bio) number of bytes needed to fulfil 1015 * other side's read attempt 1016 * BIO_ctrl_get_write_guarantee(bio) number of bytes we can write now 1017 * 1018 * ..._read_request is never more than ..._write_guarantee; 1019 * it depends on the application which one you should use. 1020 */ 1021 1022 /* We have non-blocking behaviour throughout this test program, but 1023 * can be sure that there is *some* progress in each iteration; so 1024 * we don't have to worry about ..._SHOULD_READ or ..._SHOULD_WRITE 1025 * -- we just try everything in each iteration 1026 */ 1027 1028 { 1029 /* CLIENT */ 1030 1031 MS_STATIC char cbuf[1024*8]; 1032 int i, r; 1033 clock_t c_clock = clock(); 1034 1035 memset(cbuf, 0, sizeof(cbuf)); 1036 1037 if (debug) 1038 if (SSL_in_init(c_ssl)) 1039 printf("client waiting in SSL_connect - %s\n", 1040 SSL_state_string_long(c_ssl)); 1041 1042 if (cw_num > 0) 1043 { 1044 /* Write to server. */ 1045 1046 if (cw_num > (long)sizeof cbuf) 1047 i = sizeof cbuf; 1048 else 1049 i = (int)cw_num; 1050 r = BIO_write(c_ssl_bio, cbuf, i); 1051 if (r < 0) 1052 { 1053 if (!BIO_should_retry(c_ssl_bio)) 1054 { 1055 fprintf(stderr,"ERROR in CLIENT\n"); 1056 goto err; 1057 } 1058 /* BIO_should_retry(...) can just be ignored here. 1059 * The library expects us to call BIO_write with 1060 * the same arguments again, and that's what we will 1061 * do in the next iteration. */ 1062 } 1063 else if (r == 0) 1064 { 1065 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n"); 1066 goto err; 1067 } 1068 else 1069 { 1070 if (debug) 1071 printf("client wrote %d\n", r); 1072 cw_num -= r; 1073 } 1074 } 1075 1076 if (cr_num > 0) 1077 { 1078 /* Read from server. */ 1079 1080 r = BIO_read(c_ssl_bio, cbuf, sizeof(cbuf)); 1081 if (r < 0) 1082 { 1083 if (!BIO_should_retry(c_ssl_bio)) 1084 { 1085 fprintf(stderr,"ERROR in CLIENT\n"); 1086 goto err; 1087 } 1088 /* Again, "BIO_should_retry" can be ignored. */ 1089 } 1090 else if (r == 0) 1091 { 1092 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n"); 1093 goto err; 1094 } 1095 else 1096 { 1097 if (debug) 1098 printf("client read %d\n", r); 1099 cr_num -= r; 1100 } 1101 } 1102 1103 /* c_time and s_time increments will typically be very small 1104 * (depending on machine speed and clock tick intervals), 1105 * but sampling over a large number of connections should 1106 * result in fairly accurate figures. We cannot guarantee 1107 * a lot, however -- if each connection lasts for exactly 1108 * one clock tick, it will be counted only for the client 1109 * or only for the server or even not at all. 1110 */ 1111 *c_time += (clock() - c_clock); 1112 } 1113 1114 { 1115 /* SERVER */ 1116 1117 MS_STATIC char sbuf[1024*8]; 1118 int i, r; 1119 clock_t s_clock = clock(); 1120 1121 memset(sbuf, 0, sizeof(sbuf)); 1122 1123 if (debug) 1124 if (SSL_in_init(s_ssl)) 1125 printf("server waiting in SSL_accept - %s\n", 1126 SSL_state_string_long(s_ssl)); 1127 1128 if (sw_num > 0) 1129 { 1130 /* Write to client. */ 1131 1132 if (sw_num > (long)sizeof sbuf) 1133 i = sizeof sbuf; 1134 else 1135 i = (int)sw_num; 1136 r = BIO_write(s_ssl_bio, sbuf, i); 1137 if (r < 0) 1138 { 1139 if (!BIO_should_retry(s_ssl_bio)) 1140 { 1141 fprintf(stderr,"ERROR in SERVER\n"); 1142 goto err; 1143 } 1144 /* Ignore "BIO_should_retry". */ 1145 } 1146 else if (r == 0) 1147 { 1148 fprintf(stderr,"SSL SERVER STARTUP FAILED\n"); 1149 goto err; 1150 } 1151 else 1152 { 1153 if (debug) 1154 printf("server wrote %d\n", r); 1155 sw_num -= r; 1156 } 1157 } 1158 1159 if (sr_num > 0) 1160 { 1161 /* Read from client. */ 1162 1163 r = BIO_read(s_ssl_bio, sbuf, sizeof(sbuf)); 1164 if (r < 0) 1165 { 1166 if (!BIO_should_retry(s_ssl_bio)) 1167 { 1168 fprintf(stderr,"ERROR in SERVER\n"); 1169 goto err; 1170 } 1171 /* blah, blah */ 1172 } 1173 else if (r == 0) 1174 { 1175 fprintf(stderr,"SSL SERVER STARTUP FAILED\n"); 1176 goto err; 1177 } 1178 else 1179 { 1180 if (debug) 1181 printf("server read %d\n", r); 1182 sr_num -= r; 1183 } 1184 } 1185 1186 *s_time += (clock() - s_clock); 1187 } 1188 1189 { 1190 /* "I/O" BETWEEN CLIENT AND SERVER. */ 1191 1192 size_t r1, r2; 1193 BIO *io1 = server_io, *io2 = client_io; 1194 /* we use the non-copying interface for io1 1195 * and the standard BIO_write/BIO_read interface for io2 1196 */ 1197 1198 static int prev_progress = 1; 1199 int progress = 0; 1200 1201 /* io1 to io2 */ 1202 do 1203 { 1204 size_t num; 1205 int r; 1206 1207 r1 = BIO_ctrl_pending(io1); 1208 r2 = BIO_ctrl_get_write_guarantee(io2); 1209 1210 num = r1; 1211 if (r2 < num) 1212 num = r2; 1213 if (num) 1214 { 1215 char *dataptr; 1216 1217 if (INT_MAX < num) /* yeah, right */ 1218 num = INT_MAX; 1219 1220 r = BIO_nread(io1, &dataptr, (int)num); 1221 assert(r > 0); 1222 assert(r <= (int)num); 1223 /* possibly r < num (non-contiguous data) */ 1224 num = r; 1225 r = BIO_write(io2, dataptr, (int)num); 1226 if (r != (int)num) /* can't happen */ 1227 { 1228 fprintf(stderr, "ERROR: BIO_write could not write " 1229 "BIO_ctrl_get_write_guarantee() bytes"); 1230 goto err; 1231 } 1232 progress = 1; 1233 1234 if (debug) 1235 printf((io1 == client_io) ? 1236 "C->S relaying: %d bytes\n" : 1237 "S->C relaying: %d bytes\n", 1238 (int)num); 1239 } 1240 } 1241 while (r1 && r2); 1242 1243 /* io2 to io1 */ 1244 { 1245 size_t num; 1246 int r; 1247 1248 r1 = BIO_ctrl_pending(io2); 1249 r2 = BIO_ctrl_get_read_request(io1); 1250 /* here we could use ..._get_write_guarantee instead of 1251 * ..._get_read_request, but by using the latter 1252 * we test restartability of the SSL implementation 1253 * more thoroughly */ 1254 num = r1; 1255 if (r2 < num) 1256 num = r2; 1257 if (num) 1258 { 1259 char *dataptr; 1260 1261 if (INT_MAX < num) 1262 num = INT_MAX; 1263 1264 if (num > 1) 1265 --num; /* test restartability even more thoroughly */ 1266 1267 r = BIO_nwrite0(io1, &dataptr); 1268 assert(r > 0); 1269 if (r < (int)num) 1270 num = r; 1271 r = BIO_read(io2, dataptr, (int)num); 1272 if (r != (int)num) /* can't happen */ 1273 { 1274 fprintf(stderr, "ERROR: BIO_read could not read " 1275 "BIO_ctrl_pending() bytes"); 1276 goto err; 1277 } 1278 progress = 1; 1279 r = BIO_nwrite(io1, &dataptr, (int)num); 1280 if (r != (int)num) /* can't happen */ 1281 { 1282 fprintf(stderr, "ERROR: BIO_nwrite() did not accept " 1283 "BIO_nwrite0() bytes"); 1284 goto err; 1285 } 1286 1287 if (debug) 1288 printf((io2 == client_io) ? 1289 "C->S relaying: %d bytes\n" : 1290 "S->C relaying: %d bytes\n", 1291 (int)num); 1292 } 1293 } /* no loop, BIO_ctrl_get_read_request now returns 0 anyway */ 1294 1295 if (!progress && !prev_progress) 1296 if (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0) 1297 { 1298 fprintf(stderr, "ERROR: got stuck\n"); 1299 if (strcmp("SSLv2", SSL_get_version(c_ssl)) == 0) 1300 { 1301 fprintf(stderr, "This can happen for SSL2 because " 1302 "CLIENT-FINISHED and SERVER-VERIFY are written \n" 1303 "concurrently ..."); 1304 if (strncmp("2SCF", SSL_state_string(c_ssl), 4) == 0 1305 && strncmp("2SSV", SSL_state_string(s_ssl), 4) == 0) 1306 { 1307 fprintf(stderr, " ok.\n"); 1308 goto end; 1309 } 1310 } 1311 fprintf(stderr, " ERROR.\n"); 1312 goto err; 1313 } 1314 prev_progress = progress; 1315 } 1316 } 1317 while (cw_num > 0 || cr_num > 0 || sw_num > 0 || sr_num > 0); 1318 1319 if (verbose) 1320 print_details(c_ssl, "DONE via BIO pair: "); 1321end: 1322 ret = 0; 1323 1324 err: 1325 ERR_print_errors(bio_err); 1326 1327 if (server) 1328 BIO_free(server); 1329 if (server_io) 1330 BIO_free(server_io); 1331 if (client) 1332 BIO_free(client); 1333 if (client_io) 1334 BIO_free(client_io); 1335 if (s_ssl_bio) 1336 BIO_free(s_ssl_bio); 1337 if (c_ssl_bio) 1338 BIO_free(c_ssl_bio); 1339 1340 return ret; 1341 } 1342 1343 1344#define W_READ 1 1345#define W_WRITE 2 1346#define C_DONE 1 1347#define S_DONE 2 1348 1349int doit(SSL *s_ssl, SSL *c_ssl, long count) 1350 { 1351 MS_STATIC char cbuf[1024*8],sbuf[1024*8]; 1352 long cw_num=count,cr_num=count; 1353 long sw_num=count,sr_num=count; 1354 int ret=1; 1355 BIO *c_to_s=NULL; 1356 BIO *s_to_c=NULL; 1357 BIO *c_bio=NULL; 1358 BIO *s_bio=NULL; 1359 int c_r,c_w,s_r,s_w; 1360 int i,j; 1361 int done=0; 1362 int c_write,s_write; 1363 int do_server=0,do_client=0; 1364 1365 memset(cbuf,0,sizeof(cbuf)); 1366 memset(sbuf,0,sizeof(sbuf)); 1367 1368 c_to_s=BIO_new(BIO_s_mem()); 1369 s_to_c=BIO_new(BIO_s_mem()); 1370 if ((s_to_c == NULL) || (c_to_s == NULL)) 1371 { 1372 ERR_print_errors(bio_err); 1373 goto err; 1374 } 1375 1376 c_bio=BIO_new(BIO_f_ssl()); 1377 s_bio=BIO_new(BIO_f_ssl()); 1378 if ((c_bio == NULL) || (s_bio == NULL)) 1379 { 1380 ERR_print_errors(bio_err); 1381 goto err; 1382 } 1383 1384 SSL_set_connect_state(c_ssl); 1385 SSL_set_bio(c_ssl,s_to_c,c_to_s); 1386 BIO_set_ssl(c_bio,c_ssl,BIO_NOCLOSE); 1387 1388 SSL_set_accept_state(s_ssl); 1389 SSL_set_bio(s_ssl,c_to_s,s_to_c); 1390 BIO_set_ssl(s_bio,s_ssl,BIO_NOCLOSE); 1391 1392 c_r=0; s_r=1; 1393 c_w=1; s_w=0; 1394 c_write=1,s_write=0; 1395 1396 /* We can always do writes */ 1397 for (;;) 1398 { 1399 do_server=0; 1400 do_client=0; 1401 1402 i=(int)BIO_pending(s_bio); 1403 if ((i && s_r) || s_w) do_server=1; 1404 1405 i=(int)BIO_pending(c_bio); 1406 if ((i && c_r) || c_w) do_client=1; 1407 1408 if (do_server && debug) 1409 { 1410 if (SSL_in_init(s_ssl)) 1411 printf("server waiting in SSL_accept - %s\n", 1412 SSL_state_string_long(s_ssl)); 1413/* else if (s_write) 1414 printf("server:SSL_write()\n"); 1415 else 1416 printf("server:SSL_read()\n"); */ 1417 } 1418 1419 if (do_client && debug) 1420 { 1421 if (SSL_in_init(c_ssl)) 1422 printf("client waiting in SSL_connect - %s\n", 1423 SSL_state_string_long(c_ssl)); 1424/* else if (c_write) 1425 printf("client:SSL_write()\n"); 1426 else 1427 printf("client:SSL_read()\n"); */ 1428 } 1429 1430 if (!do_client && !do_server) 1431 { 1432 fprintf(stdout,"ERROR IN STARTUP\n"); 1433 ERR_print_errors(bio_err); 1434 break; 1435 } 1436 if (do_client && !(done & C_DONE)) 1437 { 1438 if (c_write) 1439 { 1440 j = (cw_num > (long)sizeof(cbuf)) ? 1441 (int)sizeof(cbuf) : (int)cw_num; 1442 i=BIO_write(c_bio,cbuf,j); 1443 if (i < 0) 1444 { 1445 c_r=0; 1446 c_w=0; 1447 if (BIO_should_retry(c_bio)) 1448 { 1449 if (BIO_should_read(c_bio)) 1450 c_r=1; 1451 if (BIO_should_write(c_bio)) 1452 c_w=1; 1453 } 1454 else 1455 { 1456 fprintf(stderr,"ERROR in CLIENT\n"); 1457 ERR_print_errors(bio_err); 1458 goto err; 1459 } 1460 } 1461 else if (i == 0) 1462 { 1463 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n"); 1464 goto err; 1465 } 1466 else 1467 { 1468 if (debug) 1469 printf("client wrote %d\n",i); 1470 /* ok */ 1471 s_r=1; 1472 c_write=0; 1473 cw_num-=i; 1474 } 1475 } 1476 else 1477 { 1478 i=BIO_read(c_bio,cbuf,sizeof(cbuf)); 1479 if (i < 0) 1480 { 1481 c_r=0; 1482 c_w=0; 1483 if (BIO_should_retry(c_bio)) 1484 { 1485 if (BIO_should_read(c_bio)) 1486 c_r=1; 1487 if (BIO_should_write(c_bio)) 1488 c_w=1; 1489 } 1490 else 1491 { 1492 fprintf(stderr,"ERROR in CLIENT\n"); 1493 ERR_print_errors(bio_err); 1494 goto err; 1495 } 1496 } 1497 else if (i == 0) 1498 { 1499 fprintf(stderr,"SSL CLIENT STARTUP FAILED\n"); 1500 goto err; 1501 } 1502 else 1503 { 1504 if (debug) 1505 printf("client read %d\n",i); 1506 cr_num-=i; 1507 if (sw_num > 0) 1508 { 1509 s_write=1; 1510 s_w=1; 1511 } 1512 if (cr_num <= 0) 1513 { 1514 s_write=1; 1515 s_w=1; 1516 done=S_DONE|C_DONE; 1517 } 1518 } 1519 } 1520 } 1521 1522 if (do_server && !(done & S_DONE)) 1523 { 1524 if (!s_write) 1525 { 1526 i=BIO_read(s_bio,sbuf,sizeof(cbuf)); 1527 if (i < 0) 1528 { 1529 s_r=0; 1530 s_w=0; 1531 if (BIO_should_retry(s_bio)) 1532 { 1533 if (BIO_should_read(s_bio)) 1534 s_r=1; 1535 if (BIO_should_write(s_bio)) 1536 s_w=1; 1537 } 1538 else 1539 { 1540 fprintf(stderr,"ERROR in SERVER\n"); 1541 ERR_print_errors(bio_err); 1542 goto err; 1543 } 1544 } 1545 else if (i == 0) 1546 { 1547 ERR_print_errors(bio_err); 1548 fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_read\n"); 1549 goto err; 1550 } 1551 else 1552 { 1553 if (debug) 1554 printf("server read %d\n",i); 1555 sr_num-=i; 1556 if (cw_num > 0) 1557 { 1558 c_write=1; 1559 c_w=1; 1560 } 1561 if (sr_num <= 0) 1562 { 1563 s_write=1; 1564 s_w=1; 1565 c_write=0; 1566 } 1567 } 1568 } 1569 else 1570 { 1571 j = (sw_num > (long)sizeof(sbuf)) ? 1572 (int)sizeof(sbuf) : (int)sw_num; 1573 i=BIO_write(s_bio,sbuf,j); 1574 if (i < 0) 1575 { 1576 s_r=0; 1577 s_w=0; 1578 if (BIO_should_retry(s_bio)) 1579 { 1580 if (BIO_should_read(s_bio)) 1581 s_r=1; 1582 if (BIO_should_write(s_bio)) 1583 s_w=1; 1584 } 1585 else 1586 { 1587 fprintf(stderr,"ERROR in SERVER\n"); 1588 ERR_print_errors(bio_err); 1589 goto err; 1590 } 1591 } 1592 else if (i == 0) 1593 { 1594 ERR_print_errors(bio_err); 1595 fprintf(stderr,"SSL SERVER STARTUP FAILED in SSL_write\n"); 1596 goto err; 1597 } 1598 else 1599 { 1600 if (debug) 1601 printf("server wrote %d\n",i); 1602 sw_num-=i; 1603 s_write=0; 1604 c_r=1; 1605 if (sw_num <= 0) 1606 done|=S_DONE; 1607 } 1608 } 1609 } 1610 1611 if ((done & S_DONE) && (done & C_DONE)) break; 1612 } 1613 1614 if (verbose) 1615 print_details(c_ssl, "DONE: "); 1616 ret=0; 1617err: 1618 /* We have to set the BIO's to NULL otherwise they will be 1619 * OPENSSL_free()ed twice. Once when th s_ssl is SSL_free()ed and 1620 * again when c_ssl is SSL_free()ed. 1621 * This is a hack required because s_ssl and c_ssl are sharing the same 1622 * BIO structure and SSL_set_bio() and SSL_free() automatically 1623 * BIO_free non NULL entries. 1624 * You should not normally do this or be required to do this */ 1625 if (s_ssl != NULL) 1626 { 1627 s_ssl->rbio=NULL; 1628 s_ssl->wbio=NULL; 1629 } 1630 if (c_ssl != NULL) 1631 { 1632 c_ssl->rbio=NULL; 1633 c_ssl->wbio=NULL; 1634 } 1635 1636 if (c_to_s != NULL) BIO_free(c_to_s); 1637 if (s_to_c != NULL) BIO_free(s_to_c); 1638 if (c_bio != NULL) BIO_free_all(c_bio); 1639 if (s_bio != NULL) BIO_free_all(s_bio); 1640 return(ret); 1641 } 1642 1643static int get_proxy_auth_ex_data_idx(void) 1644 { 1645 static volatile int idx = -1; 1646 if (idx < 0) 1647 { 1648 CRYPTO_w_lock(CRYPTO_LOCK_SSL_CTX); 1649 if (idx < 0) 1650 { 1651 idx = X509_STORE_CTX_get_ex_new_index(0, 1652 "SSLtest for verify callback", NULL,NULL,NULL); 1653 } 1654 CRYPTO_w_unlock(CRYPTO_LOCK_SSL_CTX); 1655 } 1656 return idx; 1657 } 1658 1659static int MS_CALLBACK verify_callback(int ok, X509_STORE_CTX *ctx) 1660 { 1661 char *s,buf[256]; 1662 1663 s=X509_NAME_oneline(X509_get_subject_name(ctx->current_cert),buf, 1664 sizeof buf); 1665 if (s != NULL) 1666 { 1667 if (ok) 1668 fprintf(stderr,"depth=%d %s\n", 1669 ctx->error_depth,buf); 1670 else 1671 { 1672 fprintf(stderr,"depth=%d error=%d %s\n", 1673 ctx->error_depth,ctx->error,buf); 1674 } 1675 } 1676 1677 if (ok == 0) 1678 { 1679 fprintf(stderr,"Error string: %s\n", 1680 X509_verify_cert_error_string(ctx->error)); 1681 switch (ctx->error) 1682 { 1683 case X509_V_ERR_CERT_NOT_YET_VALID: 1684 case X509_V_ERR_CERT_HAS_EXPIRED: 1685 case X509_V_ERR_DEPTH_ZERO_SELF_SIGNED_CERT: 1686 fprintf(stderr," ... ignored.\n"); 1687 ok=1; 1688 } 1689 } 1690 1691 if (ok == 1) 1692 { 1693 X509 *xs = ctx->current_cert; 1694#if 0 1695 X509 *xi = ctx->current_issuer; 1696#endif 1697 1698 if (xs->ex_flags & EXFLAG_PROXY) 1699 { 1700 unsigned int *letters = 1701 X509_STORE_CTX_get_ex_data(ctx, 1702 get_proxy_auth_ex_data_idx()); 1703 1704 if (letters) 1705 { 1706 int found_any = 0; 1707 int i; 1708 PROXY_CERT_INFO_EXTENSION *pci = 1709 X509_get_ext_d2i(xs, NID_proxyCertInfo, 1710 NULL, NULL); 1711 1712 switch (OBJ_obj2nid(pci->proxyPolicy->policyLanguage)) 1713 { 1714 case NID_Independent: 1715 /* Completely meaningless in this 1716 program, as there's no way to 1717 grant explicit rights to a 1718 specific PrC. Basically, using 1719 id-ppl-Independent is the perfect 1720 way to grant no rights at all. */ 1721 fprintf(stderr, " Independent proxy certificate"); 1722 for (i = 0; i < 26; i++) 1723 letters[i] = 0; 1724 break; 1725 case NID_id_ppl_inheritAll: 1726 /* This is basically a NOP, we 1727 simply let the current rights 1728 stand as they are. */ 1729 fprintf(stderr, " Proxy certificate inherits all"); 1730 break; 1731 default: 1732 s = (char *) 1733 pci->proxyPolicy->policy->data; 1734 i = pci->proxyPolicy->policy->length; 1735 1736 /* The algorithm works as follows: 1737 it is assumed that previous 1738 iterations or the initial granted 1739 rights has already set some elements 1740 of `letters'. What we need to do is 1741 to clear those that weren't granted 1742 by the current PrC as well. The 1743 easiest way to do this is to add 1 1744 to all the elements whose letters 1745 are given with the current policy. 1746 That way, all elements that are set 1747 by the current policy and were 1748 already set by earlier policies and 1749 through the original grant of rights 1750 will get the value 2 or higher. 1751 The last thing to do is to sweep 1752 through `letters' and keep the 1753 elements having the value 2 as set, 1754 and clear all the others. */ 1755 1756 fprintf(stderr, " Certificate proxy rights = %*.*s", i, i, s); 1757 while(i-- > 0) 1758 { 1759 int c = *s++; 1760 if (isascii(c) && isalpha(c)) 1761 { 1762 if (islower(c)) 1763 c = toupper(c); 1764 letters[c - 'A']++; 1765 } 1766 } 1767 for (i = 0; i < 26; i++) 1768 if (letters[i] < 2) 1769 letters[i] = 0; 1770 else 1771 letters[i] = 1; 1772 } 1773 1774 found_any = 0; 1775 fprintf(stderr, 1776 ", resulting proxy rights = "); 1777 for(i = 0; i < 26; i++) 1778 if (letters[i]) 1779 { 1780 fprintf(stderr, "%c", i + 'A'); 1781 found_any = 1; 1782 } 1783 if (!found_any) 1784 fprintf(stderr, "none"); 1785 fprintf(stderr, "\n"); 1786 1787 PROXY_CERT_INFO_EXTENSION_free(pci); 1788 } 1789 } 1790 } 1791 1792 return(ok); 1793 } 1794 1795static void process_proxy_debug(int indent, const char *format, ...) 1796 { 1797 static const char indentation[] = 1798 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>" 1799 ">>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>"; /* That's 80 > */ 1800 char my_format[256]; 1801 va_list args; 1802 1803 BIO_snprintf(my_format, sizeof(my_format), "%*.*s %s", 1804 indent, indent, indentation, format); 1805 1806 va_start(args, format); 1807 vfprintf(stderr, my_format, args); 1808 va_end(args); 1809 } 1810/* Priority levels: 1811 0 [!]var, () 1812 1 & ^ 1813 2 | 1814*/ 1815static int process_proxy_cond_adders(unsigned int letters[26], 1816 const char *cond, const char **cond_end, int *pos, int indent); 1817static int process_proxy_cond_val(unsigned int letters[26], 1818 const char *cond, const char **cond_end, int *pos, int indent) 1819 { 1820 int c; 1821 int ok = 1; 1822 int negate = 0; 1823 1824 while(isspace((int)*cond)) 1825 { 1826 cond++; (*pos)++; 1827 } 1828 c = *cond; 1829 1830 if (debug) 1831 process_proxy_debug(indent, 1832 "Start process_proxy_cond_val at position %d: %s\n", 1833 *pos, cond); 1834 1835 while(c == '!') 1836 { 1837 negate = !negate; 1838 cond++; (*pos)++; 1839 while(isspace((int)*cond)) 1840 { 1841 cond++; (*pos)++; 1842 } 1843 c = *cond; 1844 } 1845 1846 if (c == '(') 1847 { 1848 cond++; (*pos)++; 1849 ok = process_proxy_cond_adders(letters, cond, cond_end, pos, 1850 indent + 1); 1851 cond = *cond_end; 1852 if (ok < 0) 1853 goto end; 1854 while(isspace((int)*cond)) 1855 { 1856 cond++; (*pos)++; 1857 } 1858 c = *cond; 1859 if (c != ')') 1860 { 1861 fprintf(stderr, 1862 "Weird condition character in position %d: " 1863 "%c\n", *pos, c); 1864 ok = -1; 1865 goto end; 1866 } 1867 cond++; (*pos)++; 1868 } 1869 else if (isascii(c) && isalpha(c)) 1870 { 1871 if (islower(c)) 1872 c = toupper(c); 1873 ok = letters[c - 'A']; 1874 cond++; (*pos)++; 1875 } 1876 else 1877 { 1878 fprintf(stderr, 1879 "Weird condition character in position %d: " 1880 "%c\n", *pos, c); 1881 ok = -1; 1882 goto end; 1883 } 1884 end: 1885 *cond_end = cond; 1886 if (ok >= 0 && negate) 1887 ok = !ok; 1888 1889 if (debug) 1890 process_proxy_debug(indent, 1891 "End process_proxy_cond_val at position %d: %s, returning %d\n", 1892 *pos, cond, ok); 1893 1894 return ok; 1895 } 1896static int process_proxy_cond_multipliers(unsigned int letters[26], 1897 const char *cond, const char **cond_end, int *pos, int indent) 1898 { 1899 int ok; 1900 char c; 1901 1902 if (debug) 1903 process_proxy_debug(indent, 1904 "Start process_proxy_cond_multipliers at position %d: %s\n", 1905 *pos, cond); 1906 1907 ok = process_proxy_cond_val(letters, cond, cond_end, pos, indent + 1); 1908 cond = *cond_end; 1909 if (ok < 0) 1910 goto end; 1911 1912 while(ok >= 0) 1913 { 1914 while(isspace((int)*cond)) 1915 { 1916 cond++; (*pos)++; 1917 } 1918 c = *cond; 1919 1920 switch(c) 1921 { 1922 case '&': 1923 case '^': 1924 { 1925 int save_ok = ok; 1926 1927 cond++; (*pos)++; 1928 ok = process_proxy_cond_val(letters, 1929 cond, cond_end, pos, indent + 1); 1930 cond = *cond_end; 1931 if (ok < 0) 1932 break; 1933 1934 switch(c) 1935 { 1936 case '&': 1937 ok &= save_ok; 1938 break; 1939 case '^': 1940 ok ^= save_ok; 1941 break; 1942 default: 1943 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!" 1944 " STOPPING\n"); 1945 EXIT(1); 1946 } 1947 } 1948 break; 1949 default: 1950 goto end; 1951 } 1952 } 1953 end: 1954 if (debug) 1955 process_proxy_debug(indent, 1956 "End process_proxy_cond_multipliers at position %d: %s, returning %d\n", 1957 *pos, cond, ok); 1958 1959 *cond_end = cond; 1960 return ok; 1961 } 1962static int process_proxy_cond_adders(unsigned int letters[26], 1963 const char *cond, const char **cond_end, int *pos, int indent) 1964 { 1965 int ok; 1966 char c; 1967 1968 if (debug) 1969 process_proxy_debug(indent, 1970 "Start process_proxy_cond_adders at position %d: %s\n", 1971 *pos, cond); 1972 1973 ok = process_proxy_cond_multipliers(letters, cond, cond_end, pos, 1974 indent + 1); 1975 cond = *cond_end; 1976 if (ok < 0) 1977 goto end; 1978 1979 while(ok >= 0) 1980 { 1981 while(isspace((int)*cond)) 1982 { 1983 cond++; (*pos)++; 1984 } 1985 c = *cond; 1986 1987 switch(c) 1988 { 1989 case '|': 1990 { 1991 int save_ok = ok; 1992 1993 cond++; (*pos)++; 1994 ok = process_proxy_cond_multipliers(letters, 1995 cond, cond_end, pos, indent + 1); 1996 cond = *cond_end; 1997 if (ok < 0) 1998 break; 1999 2000 switch(c) 2001 { 2002 case '|': 2003 ok |= save_ok; 2004 break; 2005 default: 2006 fprintf(stderr, "SOMETHING IS SERIOUSLY WRONG!" 2007 " STOPPING\n"); 2008 EXIT(1); 2009 } 2010 } 2011 break; 2012 default: 2013 goto end; 2014 } 2015 } 2016 end: 2017 if (debug) 2018 process_proxy_debug(indent, 2019 "End process_proxy_cond_adders at position %d: %s, returning %d\n", 2020 *pos, cond, ok); 2021 2022 *cond_end = cond; 2023 return ok; 2024 } 2025 2026static int process_proxy_cond(unsigned int letters[26], 2027 const char *cond, const char **cond_end) 2028 { 2029 int pos = 1; 2030 return process_proxy_cond_adders(letters, cond, cond_end, &pos, 1); 2031 } 2032 2033static int MS_CALLBACK app_verify_callback(X509_STORE_CTX *ctx, void *arg) 2034 { 2035 int ok=1; 2036 struct app_verify_arg *cb_arg = arg; 2037 unsigned int letters[26]; /* only used with proxy_auth */ 2038 2039 if (cb_arg->app_verify) 2040 { 2041 char *s = NULL,buf[256]; 2042 2043 fprintf(stderr, "In app_verify_callback, allowing cert. "); 2044 fprintf(stderr, "Arg is: %s\n", cb_arg->string); 2045 fprintf(stderr, "Finished printing do we have a context? 0x%p a cert? 0x%p\n", 2046 (void *)ctx, (void *)ctx->cert); 2047 if (ctx->cert) 2048 s=X509_NAME_oneline(X509_get_subject_name(ctx->cert),buf,256); 2049 if (s != NULL) 2050 { 2051 fprintf(stderr,"cert depth=%d %s\n",ctx->error_depth,buf); 2052 } 2053 return(1); 2054 } 2055 if (cb_arg->proxy_auth) 2056 { 2057 int found_any = 0, i; 2058 char *sp; 2059 2060 for(i = 0; i < 26; i++) 2061 letters[i] = 0; 2062 for(sp = cb_arg->proxy_auth; *sp; sp++) 2063 { 2064 int c = *sp; 2065 if (isascii(c) && isalpha(c)) 2066 { 2067 if (islower(c)) 2068 c = toupper(c); 2069 letters[c - 'A'] = 1; 2070 } 2071 } 2072 2073 fprintf(stderr, 2074 " Initial proxy rights = "); 2075 for(i = 0; i < 26; i++) 2076 if (letters[i]) 2077 { 2078 fprintf(stderr, "%c", i + 'A'); 2079 found_any = 1; 2080 } 2081 if (!found_any) 2082 fprintf(stderr, "none"); 2083 fprintf(stderr, "\n"); 2084 2085 X509_STORE_CTX_set_ex_data(ctx, 2086 get_proxy_auth_ex_data_idx(),letters); 2087 } 2088 if (cb_arg->allow_proxy_certs) 2089 { 2090 X509_STORE_CTX_set_flags(ctx, X509_V_FLAG_ALLOW_PROXY_CERTS); 2091 } 2092 2093#ifndef OPENSSL_NO_X509_VERIFY 2094 ok = X509_verify_cert(ctx); 2095#endif 2096 2097 if (cb_arg->proxy_auth) 2098 { 2099 if (ok > 0) 2100 { 2101 const char *cond_end = NULL; 2102 2103 ok = process_proxy_cond(letters, 2104 cb_arg->proxy_cond, &cond_end); 2105 2106 if (ok < 0) 2107 EXIT(3); 2108 if (*cond_end) 2109 { 2110 fprintf(stderr, "Stopped processing condition before it's end.\n"); 2111 ok = 0; 2112 } 2113 if (!ok) 2114 fprintf(stderr, "Proxy rights check with condition '%s' proved invalid\n", 2115 cb_arg->proxy_cond); 2116 else 2117 fprintf(stderr, "Proxy rights check with condition '%s' proved valid\n", 2118 cb_arg->proxy_cond); 2119 } 2120 } 2121 return(ok); 2122 } 2123 2124#ifndef OPENSSL_NO_RSA 2125static RSA *rsa_tmp=NULL; 2126 2127static RSA MS_CALLBACK *tmp_rsa_cb(SSL *s, int is_export, int keylength) 2128 { 2129 BIGNUM *bn = NULL; 2130 if (rsa_tmp == NULL) 2131 { 2132 bn = BN_new(); 2133 rsa_tmp = RSA_new(); 2134 if(!bn || !rsa_tmp || !BN_set_word(bn, RSA_F4)) 2135 { 2136 BIO_printf(bio_err, "Memory error..."); 2137 goto end; 2138 } 2139 BIO_printf(bio_err,"Generating temp (%d bit) RSA key...",keylength); 2140 (void)BIO_flush(bio_err); 2141 if(!RSA_generate_key_ex(rsa_tmp,keylength,bn,NULL)) 2142 { 2143 BIO_printf(bio_err, "Error generating key."); 2144 RSA_free(rsa_tmp); 2145 rsa_tmp = NULL; 2146 } 2147end: 2148 BIO_printf(bio_err,"\n"); 2149 (void)BIO_flush(bio_err); 2150 } 2151 if(bn) BN_free(bn); 2152 return(rsa_tmp); 2153 } 2154 2155static void free_tmp_rsa(void) 2156 { 2157 if (rsa_tmp != NULL) 2158 { 2159 RSA_free(rsa_tmp); 2160 rsa_tmp = NULL; 2161 } 2162 } 2163#endif 2164 2165#ifndef OPENSSL_NO_DH 2166/* These DH parameters have been generated as follows: 2167 * $ openssl dhparam -C -noout 512 2168 * $ openssl dhparam -C -noout 1024 2169 * $ openssl dhparam -C -noout -dsaparam 1024 2170 * (The third function has been renamed to avoid name conflicts.) 2171 */ 2172static DH *get_dh512() 2173 { 2174 static unsigned char dh512_p[]={ 2175 0xCB,0xC8,0xE1,0x86,0xD0,0x1F,0x94,0x17,0xA6,0x99,0xF0,0xC6, 2176 0x1F,0x0D,0xAC,0xB6,0x25,0x3E,0x06,0x39,0xCA,0x72,0x04,0xB0, 2177 0x6E,0xDA,0xC0,0x61,0xE6,0x7A,0x77,0x25,0xE8,0x3B,0xB9,0x5F, 2178 0x9A,0xB6,0xB5,0xFE,0x99,0x0B,0xA1,0x93,0x4E,0x35,0x33,0xB8, 2179 0xE1,0xF1,0x13,0x4F,0x59,0x1A,0xD2,0x57,0xC0,0x26,0x21,0x33, 2180 0x02,0xC5,0xAE,0x23, 2181 }; 2182 static unsigned char dh512_g[]={ 2183 0x02, 2184 }; 2185 DH *dh; 2186 2187 if ((dh=DH_new()) == NULL) return(NULL); 2188 dh->p=BN_bin2bn(dh512_p,sizeof(dh512_p),NULL); 2189 dh->g=BN_bin2bn(dh512_g,sizeof(dh512_g),NULL); 2190 if ((dh->p == NULL) || (dh->g == NULL)) 2191 { DH_free(dh); return(NULL); } 2192 return(dh); 2193 } 2194 2195static DH *get_dh1024() 2196 { 2197 static unsigned char dh1024_p[]={ 2198 0xF8,0x81,0x89,0x7D,0x14,0x24,0xC5,0xD1,0xE6,0xF7,0xBF,0x3A, 2199 0xE4,0x90,0xF4,0xFC,0x73,0xFB,0x34,0xB5,0xFA,0x4C,0x56,0xA2, 2200 0xEA,0xA7,0xE9,0xC0,0xC0,0xCE,0x89,0xE1,0xFA,0x63,0x3F,0xB0, 2201 0x6B,0x32,0x66,0xF1,0xD1,0x7B,0xB0,0x00,0x8F,0xCA,0x87,0xC2, 2202 0xAE,0x98,0x89,0x26,0x17,0xC2,0x05,0xD2,0xEC,0x08,0xD0,0x8C, 2203 0xFF,0x17,0x52,0x8C,0xC5,0x07,0x93,0x03,0xB1,0xF6,0x2F,0xB8, 2204 0x1C,0x52,0x47,0x27,0x1B,0xDB,0xD1,0x8D,0x9D,0x69,0x1D,0x52, 2205 0x4B,0x32,0x81,0xAA,0x7F,0x00,0xC8,0xDC,0xE6,0xD9,0xCC,0xC1, 2206 0x11,0x2D,0x37,0x34,0x6C,0xEA,0x02,0x97,0x4B,0x0E,0xBB,0xB1, 2207 0x71,0x33,0x09,0x15,0xFD,0xDD,0x23,0x87,0x07,0x5E,0x89,0xAB, 2208 0x6B,0x7C,0x5F,0xEC,0xA6,0x24,0xDC,0x53, 2209 }; 2210 static unsigned char dh1024_g[]={ 2211 0x02, 2212 }; 2213 DH *dh; 2214 2215 if ((dh=DH_new()) == NULL) return(NULL); 2216 dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL); 2217 dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL); 2218 if ((dh->p == NULL) || (dh->g == NULL)) 2219 { DH_free(dh); return(NULL); } 2220 return(dh); 2221 } 2222 2223static DH *get_dh1024dsa() 2224 { 2225 static unsigned char dh1024_p[]={ 2226 0xC8,0x00,0xF7,0x08,0x07,0x89,0x4D,0x90,0x53,0xF3,0xD5,0x00, 2227 0x21,0x1B,0xF7,0x31,0xA6,0xA2,0xDA,0x23,0x9A,0xC7,0x87,0x19, 2228 0x3B,0x47,0xB6,0x8C,0x04,0x6F,0xFF,0xC6,0x9B,0xB8,0x65,0xD2, 2229 0xC2,0x5F,0x31,0x83,0x4A,0xA7,0x5F,0x2F,0x88,0x38,0xB6,0x55, 2230 0xCF,0xD9,0x87,0x6D,0x6F,0x9F,0xDA,0xAC,0xA6,0x48,0xAF,0xFC, 2231 0x33,0x84,0x37,0x5B,0x82,0x4A,0x31,0x5D,0xE7,0xBD,0x52,0x97, 2232 0xA1,0x77,0xBF,0x10,0x9E,0x37,0xEA,0x64,0xFA,0xCA,0x28,0x8D, 2233 0x9D,0x3B,0xD2,0x6E,0x09,0x5C,0x68,0xC7,0x45,0x90,0xFD,0xBB, 2234 0x70,0xC9,0x3A,0xBB,0xDF,0xD4,0x21,0x0F,0xC4,0x6A,0x3C,0xF6, 2235 0x61,0xCF,0x3F,0xD6,0x13,0xF1,0x5F,0xBC,0xCF,0xBC,0x26,0x9E, 2236 0xBC,0x0B,0xBD,0xAB,0x5D,0xC9,0x54,0x39, 2237 }; 2238 static unsigned char dh1024_g[]={ 2239 0x3B,0x40,0x86,0xE7,0xF3,0x6C,0xDE,0x67,0x1C,0xCC,0x80,0x05, 2240 0x5A,0xDF,0xFE,0xBD,0x20,0x27,0x74,0x6C,0x24,0xC9,0x03,0xF3, 2241 0xE1,0x8D,0xC3,0x7D,0x98,0x27,0x40,0x08,0xB8,0x8C,0x6A,0xE9, 2242 0xBB,0x1A,0x3A,0xD6,0x86,0x83,0x5E,0x72,0x41,0xCE,0x85,0x3C, 2243 0xD2,0xB3,0xFC,0x13,0xCE,0x37,0x81,0x9E,0x4C,0x1C,0x7B,0x65, 2244 0xD3,0xE6,0xA6,0x00,0xF5,0x5A,0x95,0x43,0x5E,0x81,0xCF,0x60, 2245 0xA2,0x23,0xFC,0x36,0xA7,0x5D,0x7A,0x4C,0x06,0x91,0x6E,0xF6, 2246 0x57,0xEE,0x36,0xCB,0x06,0xEA,0xF5,0x3D,0x95,0x49,0xCB,0xA7, 2247 0xDD,0x81,0xDF,0x80,0x09,0x4A,0x97,0x4D,0xA8,0x22,0x72,0xA1, 2248 0x7F,0xC4,0x70,0x56,0x70,0xE8,0x20,0x10,0x18,0x8F,0x2E,0x60, 2249 0x07,0xE7,0x68,0x1A,0x82,0x5D,0x32,0xA2, 2250 }; 2251 DH *dh; 2252 2253 if ((dh=DH_new()) == NULL) return(NULL); 2254 dh->p=BN_bin2bn(dh1024_p,sizeof(dh1024_p),NULL); 2255 dh->g=BN_bin2bn(dh1024_g,sizeof(dh1024_g),NULL); 2256 if ((dh->p == NULL) || (dh->g == NULL)) 2257 { DH_free(dh); return(NULL); } 2258 dh->length = 160; 2259 return(dh); 2260 } 2261#endif 2262 2263static int do_test_cipherlist(void) 2264 { 2265 int i = 0; 2266 const SSL_METHOD *meth; 2267 SSL_CIPHER *ci, *tci = NULL; 2268 2269#ifndef OPENSSL_NO_SSL2 2270 fprintf(stderr, "testing SSLv2 cipher list order: "); 2271 meth = SSLv2_method(); 2272 while ((ci = meth->get_cipher(i++)) != NULL) 2273 { 2274 if (tci != NULL) 2275 if (ci->id >= tci->id) 2276 { 2277 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id); 2278 return 0; 2279 } 2280 tci = ci; 2281 } 2282 fprintf(stderr, "ok\n"); 2283#endif 2284#ifndef OPENSSL_NO_SSL3 2285 fprintf(stderr, "testing SSLv3 cipher list order: "); 2286 meth = SSLv3_method(); 2287 tci = NULL; 2288 while ((ci = meth->get_cipher(i++)) != NULL) 2289 { 2290 if (tci != NULL) 2291 if (ci->id >= tci->id) 2292 { 2293 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id); 2294 return 0; 2295 } 2296 tci = ci; 2297 } 2298 fprintf(stderr, "ok\n"); 2299#endif 2300#ifndef OPENSSL_NO_TLS1 2301 fprintf(stderr, "testing TLSv1 cipher list order: "); 2302 meth = TLSv1_method(); 2303 tci = NULL; 2304 while ((ci = meth->get_cipher(i++)) != NULL) 2305 { 2306 if (tci != NULL) 2307 if (ci->id >= tci->id) 2308 { 2309 fprintf(stderr, "failed %lx vs. %lx\n", ci->id, tci->id); 2310 return 0; 2311 } 2312 tci = ci; 2313 } 2314 fprintf(stderr, "ok\n"); 2315#endif 2316 2317 return 1; 2318 } 2319